AWS Solutions Architect - Quiz


True or False. Roles can be assigned ONLY WHEN EC2 is provisioned.

True

What's the timeout on messages?

12 hours

MS SQL servers Port #

1433

In S3 what does RRS stand for?

Reduced Redundancy Storage

Which of the following is a petabyte-scale data transfer solution?

Snowball

True/False: you can pause an Elastic Transcoder pipeline.

True

Using SAML (Security Assertion Markup Language 2.0) you can give your federated users single sign-on (SSO) access to the AWS Management Console.

True

How many read replicas of your production database can you have?

Up to 5

S3 Encryption

Upload/download through SSL-encrypted endpoints

How to improve disk IO for DB on EC2?

Use multiple volumes and configure them as a RAID 0 or RAID 1 array

ElastiCache creates a(n) _______________ cache in the cloud.

in-memory

Every subnet in your VPC must be associated with exactly _______ route table at a time.

one

What is an IOP?

One input/output operation on a block of up to 256 KB in size

By default, SQS automatically deletes messages that have been in the queue for more than ____ days.

4 days.

What is a security group?

A virtual firewall!

What is AWS Lambda?

A code execution service

What is CloudFront?

AWS's CDN service

What is SQS?

Amazon Simple Queuing service

A Provisioned IOPS volume must be at least ____ GB in size. A. 1 B. 50 C. 20 D. 10

D

SQS is meant to do what to workflows?

Decouple events from tasks

If I want to run a database on an EC2 instance, which is the most recommended Amazon storage option?

EBS

What filesystem does EFS support?

NFSv4

The AWS DNS service is known as...

Route53

Will SQS FIFO queues duplicate messages?

The queue itself will never introduce a duplicate; however, the producer of a message might!

Redshift Security

In transit: SSL. At rest: AES-256.

How much data can you store in S3?

There is no limit

Route53 is Amazon's DNS Service.

True

VPC stands for

Virtual Private Cloud

User

end-user

Provisioned IOPS SSD EBS Storage

- Storage designed for NoSQL and other databases

By default how many VPCs can you have per region in your AWS account? A.1 B.2 C.5 D.10

C

Credential reports are downloaded as ________ files.

CSV

AWS NoSQL product offering is known as

DynamoDB

Is IAM regional or universal?

Universal; it applies to all resources across an account

The AWS DNS service is known as: a. CloudDNS b. CloudFront c. CloudTrail d. Route53

d

What security groups does RDS use?

EC2 instance SGs, DB SGs, VPC SGs

Read Only Access

read only

Virtual Private Cloud

A virtual network; a subset of the public cloud that has highly restricted, secure access.

You grant AWS Lambda permission to access a DynamoDB Stream using an IAM role known as the ____________________.

"execution role"

Each SQS message can have up to _____ attributes

10

SSH Port #

22

Number of VPCs allowed per region

5

Messages are delivered to servers at least how many times?

At least once; however, it could be more than once

SWF is a task-oriented API; SQS is a ____________-oriented API.

Message

Redshift available in ______ AZs.

Only 1

Are Security Groups stateless or stateful?

Stateful

TXT Records

Text records

What are typical causes of a System Status Check failure?

The following are examples of problems that can cause system status checks to fail:
- Loss of network connectivity
- Loss of system power
- Software issues on the physical host
- Hardware issues on the physical host that impact network reachability

How many ENIs can you attach to an instance?

The maximum number of network interfaces that you can use varies by instance type.

Glacier Vault

Vaults are containers for archives. Each AWS account can have up to 1,000 vaults. You can control access to your vaults and the actions allowed using IAM policies or vault access policies. See also Vault Locks.

What is a VPC?

Virtual Private Cloud

Is data transfer from CloudFront to the origin billed?

Yes, this is billed at the "Regional Data Transfer Out to Origin" (per GB) rates

Are invalidation requests billed in CloudFront?

Yes; the first 1,000 per month are free, $0.005 per request afterwards

IAM Policies

Understanding how access management works under IAM begins with understanding policies. A policy is a JSON document that fully defines a set of permissions to access and manipulate AWS resources. Policy documents contain one or more permissions, with each permission defining:
- *Effect*: A single word: Allow or Deny.
- *Service*: For what service does this permission apply? Most AWS Cloud services support granting access through IAM, including IAM itself.
- *Resource*: The resource value specifies the specific AWS infrastructure for which this permission applies. This is specified as an Amazon Resource Name (ARN). The format for an ARN varies slightly between services, but the basic format is: "arn:aws:service:region:account-id:[resourcetype:]resource". For some services, wildcard values are allowed; for instance, an Amazon S3 ARN could have a resource of foldername* to indicate all objects in the specified folder. Table 6.3 displays some sample ARNs.
- *Action*: The action value specifies the subset of actions within a service that the permission allows or denies. For instance, a permission may grant access to any read-based action for Amazon S3. A set of actions can be specified with an enumerated list or by using wildcards (Read*).
- *Condition*: The condition value optionally defines one or more additional restrictions that limit the actions allowed by the permission. For instance, the permission might contain a condition that limits the ability to access a resource to calls that come from a specific IP address range. Another condition could restrict the permission only to apply during a specific time interval. There are many types of permissions that allow a rich variety of functionality that varies between services. See the IAM documentation for lists of supported conditions for each service.

(Y/N) Are S3 buckets region dependent?

Yes. Amazon S3 creates a bucket in a region you specify. You can choose any AWS region that is geographically close to you to optimize latency, minimize costs, or address regulatory requirements. For example, if you reside in Europe, you might find it advantageous to create buckets in the EU (Ireland) or EU (Frankfurt) regions. For a list of Amazon S3 regions, go to Regions and Endpoints in the AWS General Reference.

Is DynamoDB data saved across AZs?

Yes. It automatically saves to all AZs in the region. No need to specify.

Types of Databases

- *Relational*: RDS (Relational Database Service): Oracle, MySQL, PostgreSQL, Microsoft SQL Server, Aurora and MariaDB.
- *NoSQL*: DynamoDB
- *Data Warehouses*: Amazon Redshift

Network Security Measures at AWS

- *Secure Network Architecture*: network devices are in place to monitor and control communications at the external boundary of the network and at key internal boundaries within the network.
- *Secure Access Points*: AWS has strategically placed a limited number of access points to the cloud to allow for a more comprehensive monitoring of inbound and outbound communications and network traffic. These customer access points are called Application Programming Interface (API) endpoints, and they permit secure HTTP access (HTTPS), which allows you to establish a secure communication session with your storage or compute instances within AWS.
- *Transmission Protection*: HTTPS is available on all APIs. AWS also offers VPCs.

Route 53 routing policy types

- *Simple*: This is the default routing policy when you create a new resource. Use a simple routing policy when you have a single resource that performs a given function for your domain (for example, one web server that serves content for the example.com website). In this case, Amazon Route 53 responds to DNS queries based only on the values in the resource record.
- *Weighted*: Use the weighted routing policy when you have multiple resources that perform the same function (such as web servers that serve the same website), and you want Amazon Route 53 to route traffic to those resources in proportions that you specify. For example, you may use this
- *Latency-Based*: Latency-based routing allows you to route your traffic based on the lowest network latency for your end user (for example, using the AWS region that will give them the fastest response time).
- *Failover*: Use a failover routing policy to configure active-passive failover, in which one resource takes all the traffic when it's available and the other resource takes all the traffic when the first resource isn't available. Note that you can't create failover resource record sets for private hosted zones.
- *Geolocation*: lets you choose where Amazon Route 53 will send your traffic based on the geographic location of your users (the location from which DNS queries originate). For example, you might want all queries from Europe to be routed to a fleet of Amazon EC2 instances that are specifically configured for your European customers, with local languages and pricing in Euros.

What type of notifications can SNS send out?

- HTTP
- HTTPS
- Email
- Email-JSON
- SQS message
- Application messages

What information is available from the EC2 instance local metadata endpoint?

- Host name
- AMI
- Private/public IPs
- Instance ID
- Availability Zone

Architecture Best Practice: Loose coupling sets you free

- IT systems should be designed in a way that reduces interdependencies, so that a change or a failure in one component does not cascade to other components.
- API Gateway helps you decouple (through the use of technology-agnostic APIs).
- SQS or Kinesis can be used if the interaction doesn't need an immediate response.

What types of load balancers does ELB provide?

- Internet-facing load balancer
- Internal load balancer
- HTTPS load balancer

What are the 3 Auto Scaling processes?

- Launch
- Terminate
- Availability Zone Rebalance (AZRebalance)
Auto Scaling performs various processes, such as Launch, Terminate, and Availability Zone Rebalance (AZRebalance). The AZRebalance process type seeks to maintain a balanced number of instances across Availability Zones within a region. If the user suspends the Terminate process, the AZRebalance process can cause the Auto Scaling group to grow up to ten percent larger than the maximum size. This is because Auto Scaling allows groups to temporarily grow larger than the maximum size during rebalancing activities. If Auto Scaling cannot terminate instances, the Auto Scaling group could remain up to ten percent larger than the maximum size until the user resumes the Terminate process type.

The __1__ standard AWS Trusted Advisor Checks are __2__

1/ four
2/ Service Limits, Security Groups (specific ports unrestricted), IAM Use, MFA on Root Account

The Trusted Advisor service provides insight regarding which four categories of an AWS account? A. Security, fault tolerance, high availability, and connectivity B. Security, access control, high availability, and performance C. Performance, cost optimization, security, and fault tolerance D. Performance, cost optimization, access control, and connectivity

C

The AWS platform consists of how many regions currently?

13

For how many days does CloudWatch store the metric data?

14 days

SQS MAX retention period is ____________.

14 days

What is SQS's retention period for message?

14 days

The lifetime of a temporary security token ranges from _____ to _____.

15 minutes & 36 hours

What is the static IP address of the EC2 instance metadata endpoint?

169.254.169.254

What is the maximum capacity of a physical storage device in the AWS Import/Export service?

16 TB

Maximum size of ec2 instance metadata

16 KB; it can be executed as a script via #!

What types of EC2 instance status checks are there?

1: System Status Checks
2: Instance Status Checks

What is the data processing engine behind Amazon Elastic MapReduce (Amazon EMR)? 1. Apache Hadoop 2. Apache Hive 3. Apache Pig 4. Apache HBase

1?

What is the primary use case of Amazon Kinesis Firehose? 1. Ingest huge streams of data and allow custom processing of data in flight. 2. Ingest huge streams of data and store it to Amazon Simple Storage Service (Amazon S3), Amazon Redshift, or Amazon Elasticsearch Service. 3. Generate a huge stream of data from an Amazon S3 bucket. 4. Generate a huge stream of data from Amazon DynamoDB.

1?

Which of the following is true if you stop an Amazon Elastic Compute Cloud (Amazon EC2) instance with an Elastic IP address in an Amazon Virtual Private Cloud (Amazon VPC)? 1. The instance is disassociated from its Elastic IP address and must be re-attached when the instance is restarted. 2. The instance remains associated with its Elastic IP address. 3. The Elastic IP address is released from your account. 4. The instance is disassociated from the Elastic IP address temporarily while you restart the instance.

1?

Identity & Access Management

- Integrates with AD
- Temporary access, multi-factor authentication options
- User/Group/Role access
- Password rotation policy

Simple Notification Service

- Push messaging service
- A Topic is an "access point"
- Publish messages from app to subscriber
- Unlike SQS, it uses a push mechanism
- Simple APIs
- Multiple protocols

S3 Object Storage Features

- Up to 5 TB files
- Unlimited storage; files stored in buckets (directories)
- Regionally unique namespace for each bucket
- 99.99% availability
- Spreads across AZs
- 99.999999999% durability (RAID 1)
- Collects metadata on each object stored

Amazon S3 provides four different access control mechanisms:

- AWS Identity and Access Management (IAM) policies
- Access Control Lists (ACLs)
- Bucket policies
- Query string authentication

In addition to supporting IAM user policies, some services support resource-based permissions, which let you attach policies to the service's resources instead of to IAM users or groups. Resource-based permissions are supported by:

- Amazon S3
- Amazon SNS
- Amazon SQS
- Amazon Glacier
- Amazon EBS

Why is Redshift 10 times faster?

- Columnar queries requiring fewer I/Os
- Sequential data storage, so data is stored in a specific area on disk
- Redshift uses less space
- Massively Parallel Processing

With regard to IAM, you can edit user properties later, but you cannot use the console to change the ___________. A. user name B. password C. default group

A

In Amazon RDS using the SQL Server engine, what is the maximum size for a Microsoft SQL Server DB Instance with SQL Server Express edition? A. 10 GB per DB B. 100 GB per DB C. 2 TB per DB D. 1 TB per DB

A

Is the SQL Server Audit feature supported in the Amazon RDS SQL Server engine? A. No B. Yes

A

Is encryption of connections between my application and my DB Instance using SSL available for the MySQL server engine? A. Yes B. Only in VPC C. Only in certain regions D. No

A

Is there a limit to the number of groups you can have? A. Yes for all users B. Yes for all users except root C. No D. Yes unless special permission granted

A

My Read Replica appears "stuck" after a Multi-AZ failover and is unable to obtain or apply updates from the source DB Instance. What do I do? A. You will need to delete the Read Replica and create a new one to replace it. B. You will need to disassociate the DB Engine and re-associate it. C. The instance should be deployed to Single-AZ and then moved to Multi-AZ once again. D. You will need to delete the DB Instance and create a new one to replace it.

A

MySQL installations default to port ____. A. 3306 B. 443 C. 80 D. 1158

A

REST or Query requests are HTTP or HTTPS requests that use an HTTP verb (such as GET or POST) and a parameter named Action or Operation that specifies the API you are calling. A. FALSE B. TRUE

A

Regarding attaching an ENI to an instance, what does 'warm attach' refer to? A. Attaching an ENI to an instance when it is stopped. B. This question doesn't make sense. C. Attaching an ENI to an instance when it is running. D. Attaching an ENI to an instance during the launch process.

A

Resources that are created in AWS are identified by a unique identifier called an ____. A: Amazon Resource Name

A

Select the correct set of options. These are the initial settings for the default security group: A. Allow no inbound traffic, Allow all outbound traffic and Allow instances associated with this security group to talk to each other B. Allow all inbound traffic, Allow no outbound traffic and Allow instances associated with this security group to talk to each other C. Allow no inbound traffic, Allow all outbound traffic and Does NOT allow instances associated with this security group to talk to each other D. Allow all inbound traffic, Allow all outbound traffic and Does NOT allow instances associated with this security group to talk to each other

A

Select the most correct answer: The device name /dev/sda1 (within Amazon EC2) is _____. A: Reserved for the root device

A

The Amazon EC2 web service can be accessed using the ____ web services messaging protocol. This interface is described by a Web Services Description Language (WSDL) document. A. SOAP B. DCOM C. CORBA D. XML-RPC

A

(T/F) When you create a bucket, it is private by default.

Yes. You need to make it public explicitly if you wish it to be so.

Enhanced networking is available only for ...

... instances launched in an Amazon Virtual Private Cloud (Amazon VPC)

When the user account has reached the maximum number of EC2 instances ...

... it will not be allowed to launch an instance. AWS will return an 'InstanceLimitExceeded' error.

The instance root device is /dev/_______

/dev/sda1

Sizes of S3 objects can range from ___ to ____.

0 bytes to 5 terabytes

1 Subnet = _____ AZ

1

How many Internet Gateways allowed per VPC?

1

How many internet gateways can I attach to my custom VPC?

1

Which of the following use cases is well suited for Amazon Redshift? 1. A 500 TB data warehouse used for market analytics 2. A NoSQL, unstructured database workload 3. A high-traffic e-commerce web application 4. An in-memory cache

1

Which DNS record can be used to store human-readable information about a server, network, and other accounting data with a host? 1. A TXT record 2. An MX record 3. An SPF record 4. A PTR record

1 (A). A TXT record is used to store arbitrary and unformatted text with a host.

The SQL Server _____ feature is an efficient means of copying data from a source database to your DB Instance. It writes the data that you specify to a data file, such as an ASCII file. A. bulk copy B. group copy C. dual copy D. mass copy

A

CloudFront Cache Control

1/ Cache Control: Once requested and served from an edge location, objects stay in the cache until they expire or are evicted to make room for more frequently requested content. Once an object expires, the next request results in Amazon CloudFront forwarding the request to the origin to verify that the object is unchanged or to fetch a new version if it has changed.
2/ By default, objects expire from the cache after 24 hours.
3/ Optionally, you can control how long objects stay in an Amazon CloudFront cache before expiring. To do this, you can choose to use Cache-Control headers set by your origin server, or you can set the minimum, maximum, and default Time to Live (TTL) for objects in your Amazon CloudFront distribution.
4/ You can also remove copies of an object from all Amazon CloudFront edge locations at any time by calling the invalidation Application Program Interface (API). This feature removes the object from every Amazon CloudFront edge location regardless of the expiration period you set for that object on your origin server.

What are the types of storage that can be used with Amazon EMR?

1/ HDFS: HDFS is the standard file system that comes with Hadoop. All data is replicated across multiple instances to ensure durability. Amazon EMR can use Amazon EC2 instance storage or Amazon EBS for HDFS.
2/ EMRFS: The EMR File System (EMRFS) is an implementation of HDFS that allows clusters to store data on Amazon S3.

What are two important OpsWorks use cases?

1/ Hosting multi-tier web applications
2/ Supporting continuous integration

What are the important differences between Memcached and Redis?

1/ Unlike Memcached, Redis supports the ability to persist the in-memory data onto disk.
2/ Redis clusters can also support up to five read replicas to offload read requests.
3/ Redis also has advanced features that make it easy to sort and rank data. Some common use cases include building a leaderboard for a mobile application or serving as a high-speed message broker in a distributed system.

How many outstanding VPC peering connections are possible by default? A. 3 B. 10 C. 25 D. 30

C. 25 http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Appendix_Limits.html

What is the total throughput per Elastic File System? A. 3 GBp/s B. 1 GBp/s C. 100 MBp/s D. 40 MBp/s

C. 3 GBp/s http://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html

How many Internet gateways can you have per region? A. 1 B. 3 C. 5 D. 50

C. 5 http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Appendix_Limits.html

How many security groups can you apply to an Elastic Load Balancer? A. 1 B. 3 C. 5 D. 16

C. 5 http://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html

You need to monitor the performance of your EC2 virtual servers (including metrics such as CPU utilization, disk I/O, etc.). What service would best suit this requirement?

CloudWatch

Which AWS CloudWatch feature allows you to respond to changes in your AWS environment?

CloudWatch Events

CloudWatch default monitoring concept.

CloudWatch doesn't monitor everything out of the box; for EC2 instances, for example, it doesn't monitor things like disk space or memory usage.

In Amazon CloudFront, to create signed URLs, an AWS account must have at least one active ________________.

CloudFront key pair

A user of your website makes an HTTP request to access a static resource on your server. The request is automatically redirected to the nearest CloudFront server. For some reason the requested resource does not exist on the CloudFront server. Which of the following is true?

CloudFront will query the origin server and then cache the resource at the edge location.

In Amazon EC2 Container Service components, what is the name of a logical grouping of container instances on which you can place tasks?

Cluster

In order to enable encryption at rest using EC2 and Elastic Block Store, you need to...

Configure encryption when creating the EBS volume

VPC Peering

Connecting VPCs to each other

__________________ enables you to consolidate payment for multiple AWS accounts within your company by designating a single paying account.

Consolidated Billing. Consolidated Billing enables you to see a combined view of AWS costs incurred by all accounts, as well as obtain a detailed cost report for each of the individual AWS accounts associated with your "Paying Account". Consolidated Billing is offered at no additional charge.

If an Auto Scaling group is launching more than one instance, the ______________ period for each instance starts after that instance is launched.

Cooldown period. The group remains locked until the last instance that was launched has completed its cooldown period.

Amazon SWF is designed to help users

Coordinate synchronous and asynchronous tasks

If you terminate an instance-store-backed instance, you lose its data. Correct?

Correct

Does DynamoDB allow you to scale your DB without any down time?

Correct; this is a service, not an "instance"

Is it possible to transfer DNS names into Route53?

Correct; you can also purchase DNS names in Route53

Does Route53 support health checks?

Correct; this is how you would use failover routing

Your company has deployed their production environment on AWS and now needs to access it via a bastion host using the Windows Remote Desktop Protocol. What do you recommend they do to achieve this?

Create a bastion host in a public subnet and then open the RDP port in the bastion security group. Lock the RDP protocol down so that only users with IP address ranges from your office can RDP into this bastion host.

You are a developer at a fast-growing start-up. Traditionally you have been using the root account to log in to the AWS console, but as you have taken on more staff, to prevent dangerous mistakes you will now need to stop sharing the root account. What should you do so that everyone can access the AWS resources? (select 2)

Create a customized sign-in link such as yourcompany.signin.aws.amazon.com/console for your new users to sign in with, and create individual user accounts with the minimum necessary rights and tell the staff to log in to the console using the credentials provided.

How can you encrypt an existing, unencrypted DB?

Create a new DB with encryption enabled and then import the data.

How do you get your instance metadata?

curl http://169.254.169.254/latest/meta-data/

The new DB Instance that is created when you promote a Read Replica retains the backup window period. A. TRUE B. FALSE

A

What are the four levels of AWS Premium Support? A. Basic, Developer, Business, Enterprise B. Basic, Startup, Business, Enterprise C. Free, Bronze, Silver, Gold D. All support is free

A

What does the "Server Side Encryption" option on Amazon S3 provide? A. It provides an encrypted virtual disk in the Cloud. B. It doesn't exist for Amazon S3, but only for Amazon EC2. C. It encrypts the files that you send to Amazon S3, on the server side. D. It allows to upload files using an SSL endpoint, for a secure transfer.

A

What is an isolated database environment running in the cloud (Amazon RDS) called? A. DB Instance B. DB Unit C. DB Server D. DB Volume

A

What is one key difference between an Amazon EBS-backed and an instance-store-backed instance? A. Amazon EBS-backed instances can be stopped and restarted. B. Instance-store-backed instances can be stopped and restarted. C. Auto Scaling requires using Amazon EBS-backed instances. D. Virtual Private Cloud requires EBS-backed instances.

A

What is the charge for the data transfer incurred in replicating data between your primary and standby? A. No charge. It is free. B. Double the standard data transfer charge C. Same as the standard data transfer charge D. Half of the standard data transfer charge

A

What is the default maximum number of MFA devices in use per AWS account (at the root account level)? A. 1 B. 5 C. 15 D. 10

A

How many Elastic IPs does an Amazon account have by default? A. 1 Elastic IP B. 3 Elastic IPs C. 5 Elastic IPs D. 0 Elastic IPs

D

If you are using Amazon RDS Provisioned IOPS storage with MySQL and Oracle database engines, you can scale the throughput of your database Instance by specifying the IOPS rate from: A. 1,000 to 100,000 B. 100 to 1,000 C. 10,000 to 100,000 D. 1,000 to 10,000

D

If you're unable to connect via SSH to your EC2 instance, which of the following should you check and possibly correct to restore connectivity? A. Adjust Security Group to permit egress traffic over TCP port 443 from your IP. B. Configure the IAM role to permit changes to security group settings. C. Modify the instance security group to allow ingress of ICMP packets from your IP. D. Adjust the instance's Security Group to permit ingress traffic over port 22 from your IP. E. Apply the most recently released Operating System security patches.

D

How many virtual private gateways are possible per region? A. 32 B. 1 C. 10 D. 5

D. 5 http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Appendix_Limits.html

How many CloudWatch rules are possible per account? A. 100 B. 10 C. 36 D. 50

D. 50 http://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html

SWF Long Polling

Deciders and activity workers communicate with Amazon SWF using long polling. The decider or activity worker periodically initiates communication with Amazon SWF, notifying Amazon SWF of its availability to accept a task, and then specifies a task list to get tasks from. Long polling works well for high-volume task processing. Deciders and activity workers can manage their own capacity.

Can you detach primary network interface from instance?

No. Every instance in a VPC has a default network interface, called the primary network interface (eth0). You cannot detach a primary network interface from an instance. You can create and attach additional network interfaces.

True or False. When deploying databases on your own EC2 instances, it is recommended that you deploy them on magnetic storage rather than SSD, as you get better performance.

False

True or False. When using a custom VPC and placing an EC2 instance into a public subnet, it will automatically be internet accessible (i.e. you don't need to apply an Elastic IP or ELB to the instance).

False

True or False. You can RDP or SSH into an RDS instance to see what is going on with the operating system.

False

True or False. You can conduct your own vulnerability scans within your own VPC without alerting AWS first.

False

Using the console, I can add a role to an EC2 instance, after that instance has been created and powered up.

False

When creating a new security group, all inbound traffic is allowed by default.

False

When deploying databases on your own EC2 instances, it is recommended that you deploy them on magnetic storage rather than SSD storage, as you get better performance.

False

When using a custom VPC and placing an EC2 instance into a public subnet, it will automatically be internet accessible (i.e. you do not need to apply an Elastic IP address or ELB to the instance).

False

When you add a rule to an RDS security group, do you need to specify a port number or protocol?

False

You can RDP or SSH into an RDS instance to see what is going on with the operating system.

False

You can have 1 subnet stretched across multiple availability zones.

False

(T/F) An ENI can have as many public IP addresses associated with it as your account is allowed to have.

False. An ENI can have one public IP address and multiple private IP addresses. If there are multiple private IP addresses, one of them is the primary.

True/False: DynamoDB reads and writes are uniform across all regions.

False http://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html

Can a Security Group be associated with several Network ACLs?

No. Network ACLs can span several AZs, while SGs cannot... BUT! One Network ACL can be associated with several subnets.

Can resource record sets in a hosted zone have a different domain suffix (for example, www.blog.acme.com and www.acme.ca)?

No. The resource record sets contained in a hosted zone must share the same suffix. For example, the example.com hosted zone can contain resource record sets for www.example.com and www.aws.example.com subdomains, but it cannot contain resource record sets for a www.example.ca subdomain.

Non-Relational

NoSQL databases (e.g. DynamoDB, MongoDB)

An EC2 instance has basic monitoring enabled. Which of the following aggregate statistics are available for the instance? Average, Detailed, None.

None

Redshift Availability

Not across AZs; can restore snapshot to new AZ

Does AWS make it easy to encrypt data at rest?

Yes: encrypted EBS and S3. https://d0.awsstatic.com/whitepapers/architecture/AWS_Well-Architected_Framework.pdf

What is the name of the licensing model in which I can use my existing Oracle Database licenses to run Oracle deployments on Amazon RDS? A. Bring Your Own License B. Role Based License C. Enterprise License D. License Included

A

What is the type of monitoring data (for Amazon EBS volumes) which is available automatically in 5-minute periods at no charge called? A. Basic B. Primary C. Detailed D. Local

A

When creation of an EBS snapshot is initiated, but not completed, the EBS volume: A. Can be used while the snapshot is in progress. B. Cannot be detached or attached to an EC2 instance until the snapshot completes C. Can be used in read-only mode while the snapshot is in progress. D. Cannot be used until the snapshot completes.

A

When should I choose Provisioned IOPS over Standard RDS storage? A. If you use production online transaction processing (OLTP) workloads. B. If you have batch-oriented workloads C. If you have workloads that are not sensitive to consistent performance

A

When using consolidated billing there are two account types. What are they? A. Paying account and Linked account B. Parent account and Child account C. Main account and Sub account. D. Main account and Secondary account.

A

When will you incur costs with an Elastic IP address (EIP)? A. When an EIP is allocated. B. When it is allocated and associated with a running instance. C. When it is allocated and associated with a stopped instance. D. Costs are incurred regardless of whether the EIP is associated with a running

A

When you put objects in Amazon S3, what is the indication that an object was successfully stored? A. A HTTP 200 result code and MD5 checksum, taken together, indicate that the operation was successful. B. Amazon S3 is engineered for 99.999999999% durability. Therefore there is no need to confirm that data was inserted. C. A success code is inserted into the S3 object metadata. D. Each S3 account has a special bucket named _s3_logs. Success codes are written to this bucket with a timestamp and checksum.

A

When you view the block device mapping for your instance, you can see only the EBS volumes, not the instance store volumes. A. TRUE

A

Which Amazon service can I use to define a virtual network that closely resembles a traditional data center? A. Amazon VPC B. Amazon ServiceBus C. Amazon EMR D. Amazon RDS

A

Which DNS name can only be resolved within Amazon EC2? A. Internal DNS name B. External DNS name C. Global DNS name D. Private DNS name

A

Which of the following features ensures even distribution of traffic to Amazon EC2 instances in multiple Availability Zones registered with a load balancer? A. Elastic Load Balancing request routing B. An Amazon Route 53 weighted routing policy C. Elastic Load Balancing cross-zone load balancing D. An Amazon Route 53 latency routing policy

A

Is it possible to encrypt RDS instance data at rest?

Yes, AWS supports at-rest encryption using one of their key management services.

Can RDS DB save data across AZs?

Yes it supports Multi-AZ. You can also select specific AZ (if Multi-AZ is not opted).

Can you access Amazon EBS Snapshots?

Yes through the AWS APIs/CLI & AWS Console

Does taking a snapshot from a Redis database have performance impacts?

Yes! Snapshots require compute and memory resources to perform and can potentially have a performance impact on heavily used clusters. Amazon ElastiCache will try different backup techniques depending on the amount of memory currently available. A best practice is to set up a replication group and perform a snapshot against one of the read replicas instead of the primary node.

Is there a wait period to retrieve data from Amazon's Glacier?

Yes, 3-5 hours

Does CloudFront have a free usage tier?

Yes, 50 GB data transfer out, 2,000,000 http/https requests per month for 1 year

If an Amazon EBS volume is an additional partition (ie not the root volume), can I detach it without stopping the instance?

Yes, although it may take some time

Does AWS stripe RDS data across multiple EBS volumes?

Yes, but depends on the instance size, Amazon handles everything and this is transparent to the end user

Can you version items in S3?

Yes, but not by default; you have to activate it. Once active you cannot turn it off, only disable it.

Is bittorrent allowed for storing to S3?

Yes, but only for objects up to 5 GB in size

Can you make snapshots available in the AWS market places?

Yes, but only if un-encrypted

Can you share snapshots with other AWS accounts?

Yes, but only if un-encrypted

Can you reboot EC2 instance that is backed by instance store volumes without losing your data?

Yes, but you cannot shut it down

Is it possible to clear a CloudFront distribution edge location cache?

Yes, but you'll be charged

Does amazon offer any backup solution by default for RDS instances?

Yes, by default automated backups are done everyday with a 1 day retention period

Can you create your custom password policies in IAM?

Yes, character length and expiration

Do you have to enable RDS multi-AZ functionality?

Yes, it's not enabled by default

Is it possible to encrypt data inflight between application/web servers and an RDS instance?

Yes, on these DB types: MySQL, MariaDB, SQL Server, PostgreSQL, Oracle

Does AWS make it easy to encrypt data in transit?

Yes, s3 with SSL https://d0.awsstatic.com/whitepapers/architecture/AWS_Well-Architected_Framework.pdf

Can you setup access control lists for your data in S3?

Yes, some built in to S3, and others with IAM

Is RDS data synchronously updated between RDS instances within a region? (multi-AZ)

Yes, this is why you're given a DNS endpoint. AWS automatically goes in and changes your DNS endpoint.

Is it possible to tell AWS when you would prefer your RDS instance to patch?

Yes, when you create the instance. If you don't specify a time, a 30 minute window is chosen for you.

How can you recover an S3 file even after it has been deleted?

Yes, with versioning turned on, a "delete" is simply a cap on the file

Is it possible to publish your own metrics to CloudWatch?

Yes, you can publish your own metrics to CloudWatch with the put-metric-data command (or its Query API equivalent PutMetricData).

Is it possible to permanently delete an object in S3-IA using life-cycle management rules?

Yes, you can use life-cycle management rules to delete objects in any storage tier

Is it possible to move a RDS instance that is not within a VPC (AWS Classic) into a VPC?

Yes, you can use the AWS console for this, or you can take a snapshot and redeploy the box within your VPC

Can you replicate S3 data across regions?

Yes, you have to enable versioning on the source bucket and destination bucket

Can CloudFront cache copies of static content closer to your end users?

Yes, and this is specifically called out in the performance efficiency pillar https://d0.awsstatic.com/whitepapers/architecture/AWS_Well-Architected_Framework.pdf

Can you configure more than one load balancer with an autoscaling group?

Yes. Auto Scaling integrates with Elastic Load Balancing to enable you to attach one or more load balancers to an existing Auto Scaling group. After you attach the load balancer, it automatically registers the instances in the group and distributes incoming traffic across the instances.

DomainKeys Identified Mail (DKIM) is supported?

Yes. DomainKeys Identified Mail (DKIM) is a standard that allows senders to sign their email messages, and ISPs use those signatures to verify that those messages are legitimate and have not been modified by a third party in transit.

Can user select metrics across resources and graph them on a single graph?

Yes. Also it is not required that they should be of the same instance. They can be of different instances with the same AMI or based on some other dimension.

Does AWS CloudFormation support Amazon EC2 tagging?

Yes. In AWS CloudFormation, Amazon EC2 resources that support the tagging feature can also be tagged in an AWS template. The tag values can refer to template parameters, other resource names, resource attribute values (e.g. addresses), or values computed by simple functions (e.g., a concatenated list of strings).

Can user disable Alarms?

Yes. The user can disable or enable the CloudWatch alarm using the DisableAlarmActions and EnableAlarmActions APIs or the mon-disable-alarm-actions and mon-enable-alarm-actions commands.

Can you create an Auto Scaling group directly from an EC2 instance?

Yes. You can create an Auto Scaling group directly from an EC2 instance. When you use this feature, Auto Scaling automatically creates a launch configuration for you as well.

Does MFA Delete exist?

Yes. MFA Delete adds another layer of data protection on top of bucket versioning. MFA Delete requires additional authentication in order to permanently delete an object version or change the versioning state of a bucket. In addition to your normal security credentials, MFA Delete requires an authentication code (a temporary, one-time password) generated by a hardware or virtual Multi-Factor Authentication (MFA) device. Note that MFA Delete can only be enabled by the root account.

Does CloudWatch support custom metrics?

Yes. AWS CloudWatch supports custom metrics. The user has to always include the namespace as part of the request. The user can capture the custom data and upload it to CloudWatch using the CLI or APIs. The user can publish the data to CloudWatch as single data points or as an aggregated set of data points called a statistic set.

spot instances: how are you billed if the market price goes above your bid price but you terminate the instance yourself

You are billed for the full hour of the latest market price

How many instances can I run in Amazon EC2?

You are limited to running up to 20 On-Demand instances, purchasing 20 Reserved Instances, and requesting Spot Instances per your dynamic Spot limit per region. https://aws.amazon.com/ec2/faqs/#How_many_instances_can_I_run_in_Amazon_EC2

How can you audit an S3 bucket?

You can access logs on buckets. Logs can be saved within your account or sent to another account.

Redis Multi-AZ replication group

You can also create a Multi-AZ replication group that allows you to increase availability and minimize the loss of data. Multi-AZ simplifies the process of dealing with a failure by automating the replacement and failover from the primary node. In the event the primary node fails or can't be reached, Multi-AZ will select and promote a read replica to become the new primary, and a new node will be provisioned to replace the failed one. Amazon ElastiCache will then update the Domain Name System (DNS) entry of the new primary node to allow your application to continue processing without any configuration change and with only a short disruption

Direct Connect

a dedicated network connection from your premises to AWS

Massively Parallel Processing

a form of multiprocessing that speeds processing by linking hundreds or thousands of processors to operate at the same time, or in parallel, with each processor having its own bus, memory, disks, copy of the operating system and applications

security group

a semi-stateful firewall with 1 or more rules that permit a certain protocol to reach a destination port range from a source IP range or another group

AWS Lambda

a service to run code without managing compute resources in response to events and triggers

*Each decision task and activity task* is identified by _____

a unique task token. The task token is generated by Amazon SWF and is returned with other information about the task in the response from PollForDecisionTask or PollForActivityTask.

Import/Export

accelerates moving of data by using AWS internal network through physical device

S3 buckets can create __________ logs that can be saved in separate bucket

access

How is EBS data replicated

across different physical hardware but within the same AZ

Auto-scaling

allows provisional deployment and collection of virtual instances to handle load traffic

What does the launch configuration specify?

ami, instance type, key pair, security group, block device mapping.

The user can configure the AutoScaling group to automatically scale up and then scale down based on the various specified CloudWatch monitoring conditions. CloudWatch provides _____________ of the AutoScaling group metrics in this case.

an average

(DynamoDB) By default, a GetItem operation performs ______ consistent read. You can optionally request ______ consistent read instead; this will consume additional read capacity units, but it will return the most up-to-date version of the item

an eventually, a strongly

What is a local secondary index in DynamoDB

an index that has the same hash key as the table but a different range key. It is "local" because every partition of a local secondary index is scoped to a table partition that has the same hash key

What is a global secondary index in DynamoDB

an index with a hash and range key that can be different from those on the table. A global secondary index is "global" because queries on the index can span all the data in a table across all partitions

How are spot instances priced if the bid price increases above your bid

any previous hours are billed normally and you are not billed for the partial hour in which your instance was terminated

AWS Glacier

archiving storage service

How are SQS messages delivered

at least once delivery, best effort ordering but exact order not guaranteed

Security Group Availability

available across AZs

Subnet availability

available in 1 AZ

In EBS volumes, If your I/O latency is higher than you require, check your _________________________________.

average queue length

A company is building software on AWS that requires access to various AWS services. Which configuration should be used to ensure that AWS credentials (i.e., Access Key ID/Secret Access Key combination) are not compromised? a. Enable Multi-Factor Authentication for your AWS root account. b. Assign an IAM role to the Amazon EC2 instance. c. Store the AWS Access Key ID/Secret Access Key combination in software comments. d. Assign an IAM user to the Amazon EC2 Instance.

b

A company is deploying a new two-tier web application in AWS. The company has limited staff and requires high availability, and the application requires complex queries and table joins. Which configuration provides the solution for the company's requirements? a. MySQL Installed on two Amazon EC2 Instances in a single Availability Zone b. Amazon RDS for MySQL with Multi-AZ c. Amazon ElastiCache d. Amazon DynamoDB

b

Amazon SWF is designed to help users: a. Manage user identification and authorization b. Coordinate synchronous and asynchronous tasks c. Secure their VPCs d. Help users store file based objects

b

Amazon's EBS volumes are a. Object based storage b. Block based storage c. Encrypted by default d. Not suitable for databases

b

What is Amazon RedShift?

petabyte scale data warehouse service https://d0.awsstatic.com/whitepapers/architecture/AWS_Well-Architected_Framework.pdf

what restrictions are there on placement group names

placement group names must be unique across the given AWS account

Elastic Beanstalk

platform to develop scalable web apps

What does automated backups provide to RDS instances?

point-in-time recovery of an RDS instance

All new S3 buckets are what by default when first created?

private

By default S3 new bucket is _____________.

private

Elastic MapReduce

processes vast amounts of data using Hadoop across clusters of EC2 instances

Amazon Machine Image

provides the information required to launch an instance.

Elastic Compute Cloud

provisional virtual compute instances

By default, an uploaded file in a bucket is not _________; the same applies to overwrites.

public

You can publish your own metrics to CloudWatch with the _____________________ command (or its Query API equivalent PutMetricData).

put-metric-data

What is the best way to determine the private/public IP of an EC2 instance?

query the local instance metadata at 169.254.169.254 (static for every EC2 instance)

AWS Kinesis

real-time streaming data processing

A disassociated Elastic IP address remains allocated to your account until you explicitly ______________ it.

release

A Records

resolve host names to IP addresses.

Elasticache access control is done by _____

restricting inbound network access to the cluster. Access to your Amazon ElastiCache cluster is controlled primarily by restricting inbound network access to your cluster. Inbound network traffic is restricted through the use of security groups. Each security group defines one or more inbound rules that restrict the source traffic. When deployed inside of a Virtual Private Cloud (VPC), each node will be issued a private IP address within one or more subnets that you select. Individual nodes can never be accessed from the Internet or from Amazon EC2 instances outside the VPC. You can further restrict network ingress at the subnet level by modifying the network Access Control Lists (ACLs).

In CloudFormation, If any of the services fails to launch, CloudFormation will _______________ all the changes and terminate or delete all the created services.

rollback

CNAME Records

routes domain names to other domain names

MX Records

routes to Mail host

Does s3 or EBS support versioning?

s3 https://d0.awsstatic.com/whitepapers/architecture/AWS_Well-Architected_Framework.pdf

What best practices does AWS recommend you automate in their pillars of a well-architected framework?

security best practices https://d0.awsstatic.com/whitepapers/architecture/AWS_Well-Architected_Framework.pdf

Availability Zone

separate data centers contained in a region

PTR Records

serves a domain name when given an IP

Sticky session feature is also known as __________________________.

session affinity

To maximize both durability and availability of their Amazon EBS data, the user should frequently create ______________ of the Amazon EBS volumes.

snapshots

What affect do snapshots have on EBS volumes

snapshots can slightly degrade EBS performance so should be scheduled for periods of low utilization

SRV Records

specifies location of data using hostname and port

Role

state/function of user or AWS instance; cannot be given after an EC2 instance has been created

You can use the _______________, which enables the load balancer to bind a user's session to a specific application instance. This ensures that all requests coming from the user during the session will be sent to the same application instance.

sticky session

Charge for reserved instances is ____ if reservation is cancelled

still charged

Compute Node

store data and perform queries and computations (128 max nodes)

The user may want to stop the automated scaling processes on the Auto Scaling groups either to perform manual operations or during emergency situations. To perform this, the user can __________ one or more scaling processes at any time. Once it is completed, the user can resume all the suspended processes.

suspend

In Multi-AZ DB, updates to your DB Instance are ___________________ replicated across Availability Zones to the standby in order to keep both in sync and protect your latest database updates against DB Instance failure.

synchronously

What is a Gateway Cached Volume?

with an on-prem AWS appliance (a VM), you cache the most frequently used data on-prem; the rest lives in S3

Can a placement group span VPCs?

yes as long as VPCs are peered and all instances are in the same availability zone. However you will not get full bisection bandwidth between instances across peered VPCs

Can you attach an ENI in one subnet to an instance in another subnet?

yes as long as both the ENI and instance are in the same VPC and availability zone

Can you force a failover with RDS in multi-az configuration

yes, by rebooting the primary RDS instance. This will trigger an automatic failover to the standby. DNS is automatically updated, though your application will need to handle recreating its DB connection

how are you billed for spot instances?

you are billed at the market spot price up to your bid price. You are never billed above your bid price

How is Virtual Tape Shelf usage billed with AWS storage gateway

you are billed for the virtual tape data you store in glacier and the portion of virtual tape capacity that you use, not the size of the virtual tape

What is client side encryption?

you encrypt the data before handing it off to S3 (or any other vendor)

How is the AWS CloudHSM managed

you, the customer must initialize and manage the HSM partitions on a CloudHSM. When provisioning a CloudHSM you receive administrator credentials you can use to create HSM partitions. Then you can configure clients for EC2 instances to use the APIs from the HSM

*EC2 Pricing*

• (1) *On Demand*: Pay per hour. New apps. Unpredictable usage patterns/workloads that cannot be interrupted.
• (2) *Reserved*: Reserve capacity over a significant period of time. Apps with steady/predictable usage patterns over time. Significant discount (up to 70% over 3 years), even more with upfront payment.
• (3) *Spot*: For computing with flexible start/stop times. Bid on pricing. When Bid ≥ Spot price = provisioned. When Spot price > Bid = terminated.
• (4) *Dedicated Host*: Physical machine; pay per hour. For regulatory requirements or when licensing prevents use of virtual machine / multi-tenancy deployments.

EBS Snapshots

• Backups of an EBS volume stored redundantly in multiple Availability Zones.
• You cannot delete a snapshot of an EBS volume that is used as the root device of a registered AMI.
• You must de-register the AMI before being able to delete the root device snapshot.

*S3 Encryption*

• *In Transit (1)*: Secured using *SSL* / *TLS*
• *Data at Rest (4)*:
  - Server Side: (1) S3 Managed Keys - *SSE-S3*; (2) AWS KMS Managed Keys - *SSE-KMS* (provides audit trail); (3) SSE using customer-provided keys - *SSE-C*
  - Client Side: (4) Encrypt client side, then upload to S3

General Purpose EBS Storage

• 99.999% Availability
• 3 IOPS per GB
• Burst up to IOPS

EC2 Placement Groups

• A logical grouping of instances within a single AZ
• Recommended for low latency, high network throughput or both
• ALWAYS within 1 AZ
• Name must be unique
• Must be of type Compute, GPU, Memory or Storage Optimized instances
• Can't merge or move instances into them

*S3 Cross Region Replication*

• Both Source & Target Bucket must have *versioning on*
• Only *updates* to objects & *new* objects are replicated
• Permissions & Delete Markers *are* replicated
• No Transitive Replication
• Objects deleted from Source *are* deleted from Target
• Markers/Versions deleted from Source are *not* deleted from Target

S3 Security

• Buckets are private by default
• Can enable Access Control Lists
• Integrates with IAM
• Endpoints encrypted by SSL

Can an Amazon EBS root volume persist independently from the life of the EC2 instance? e.g. if I terminated an EC2 instance, would that EBS root volume remain?

Only if instructed to when created.

Can you use Cloudwatch to measure memory and CPU usage of your EC2 instances?

Only on Linux EC2 instances.

When can you give an EC2 instance a role?

Only upon creation

With which AWS orchestration service can you implement Chef recipes?

Opsworks

You need a configuration management service to allow your system administrators to configure and operate your web applications using Chef. Which AWS service would best suit your needs?

Opsworks

You need to import several hundred megabytes of data from a local Oracle database to an Amazon RDS DB instance. What does AWS recommend you use to accomplish this?

Oracle Data Pump

What is the recommended way to export several hundred MBs of data from a local Oracle database to AWS

Oracle Data Pump for databases that are several hundred MBs to several TBs. For databases < 20 MB, you can import via Oracle SQL Developer tool

Small data around 20 mb can be imported in Oracle by

Oracle SQL Developer

Large data around 1 TB can be imported in Oracle by ________________

Oracle data pump

What types of RDS databases are currently available?

Oracle, SQL, MySQL, Postgres

Which of the following is not a component of IAM?

Organizational Units

Origins When you create a distribution, you must specify the DNS domain name of the origin—the Amazon S3 bucket or HTTP server—from which you want Amazon CloudFront to get the definitive version of your objects (web files). For example:

Eventual consistency for what in S3?

PUTS and Deletes (object updates and removals)

Types of Virtualizations on EC2?

Para-Virtual (PV) & Hardware Virtual Machine (HVM)

What AWS pillar focuses on efficient use of computing resources?

Performance pillar https://d0.awsstatic.com/whitepapers/architecture/AWS_Well-Architected_Framework.pdf

SWF Workers

Performs tasks

A __________ is a document that provides a formal statement of one or more permissions.

Policy

Which of the following requires a custom CloudWatch metric to monitor? A. Memory Utilization of an EC2 instance B. CPU Utilization of an EC2 instance C. Disk usage activity of an EC2 instance D. Data transfer of an EC2 instance

A

Which procedure for backing up a relational database on EC2 that is using a set of RAIDed EBS volumes for storage minimizes the time during which the database cannot be written to and results in a consistent backup? A. 1. Detach EBS volumes, 2. Start EBS snapshot of volumes, 3. Re-attach EBS volumes B. 1. Stop the EC2 Instance. 2. Snapshot the EBS volumes C. 1. Suspend disk I/O, 2. Create an image of the EC2 Instance, 3. Resume disk I/O D. 1. Suspend disk I/O, 2. Start EBS snapshot of volumes, 3. Resume disk I/O E. 1. Suspend disk I/O, 2. Start EBS snapshot of volumes, 3. Wait for snapshots to complete, 4. Resume disk I/O

A

How are the EBS snapshots saved on Amazon S3? A. Exponentially B. Incrementally C. EBS snapshots are not stored in the Amazon S3 D. Decrementally

B

If I modify a DB Instance or the DB parameter group associated with the instance, should I reboot the instance for the changes to take effect? A. No B. Yes

B

If I want to run a database in an Amazon instance, which is the most recommended Amazon storage option? A. Amazon Instance Storage B. Amazon EBS C. You can't run a database inside an Amazon instance. D. Amazon S3

B

If an Amazon EBS volume is the root device of an instance, can I detach it without stopping the instance? A. Yes but only if Windows instance B. No C. Yes D. Yes but only if a Linux instance

B

If you add a tag that has the same key as an existing tag on a DB Instance, the new value overwrites the old value. A. FALSE B. TRUE

B

If you have chosen Multi-AZ deployment, in the event of a planned or unplanned outage of your primary DB Instance, Amazon RDS automatically switches to the standby replica. The automatic failover mechanism simply changes the _______ record of the main DB Instance to point to the standby DB Instance. A. DNAME B. CNAME C. TXT D. MX

B

If your DB instance runs out of storage space or file system resources, its status will change to _____ and your DB Instance will no longer be available. A. storage-overflow B. storage-full C. storage-exceed D. storage-overage

B

In Amazon CloudWatch, which metric should I be checking to ensure that your DB Instance has enough free storage space? A. FreeStorage B. FreeStorageVolume C. FreeStorageSpace D. FreeStorageAllocation

B

Is Federated Storage Engine currently supported by Amazon RDS for MySQL? A. Only for Oracle RDS instances B. No C. Yes D. Only in VPC

B

Is it possible to access your EBS snapshots? A. Yes, through the Amazon S3 APIs. B. Yes, through the Amazon EC2 APIs. C. No, EBS snapshots cannot be accessed; they can only be used to create a new EBS volume. D. EBS doesn't provide snapshots.

B

Location of Instances are A. Regional B. based on Availability Zone C. Global

B

Making your snapshot public shares all snapshot data with everyone. Can the snapshots with AWS Marketplace product codes be made public? A. No B. Yes

B

Please select the Amazon EC2 resource which cannot be tagged. A. images (AMIs, kernels, RAM disks) B. Amazon EBS volumes C. Elastic IP addresses D. VPCs

C

Security groups act like a firewall at the instance level, whereas _______ are an additional layer of security that act at the subnet level. A. DB Security Groups B. VPC Security Groups C. network ACLs

C

Select the correct set of steps for exposing the snapshot only to specific AWS accounts A. Select Public for all the accounts, check mark those accounts with whom you want to expose the snapshots, and click Save. B. Select Private, enter the IDs of those AWS accounts, and click Save. C. Select Public, enter the IDs of those AWS accounts, and click Save. D. Select Public, mark the IDs of those AWS accounts as private, and click Save.

C

Select the incorrect statement A. In Amazon EC2, the private IP address is only returned to Amazon EC2 when the instance is stopped or terminated B. In Amazon VPC, an instance retains its private IP addresses when the instance is stopped. C. In Amazon VPC, an instance does NOT retain its private IP addresses when the instance is stopped. D. In Amazon EC2, the private IP address is associated exclusively with the instance for its lifetime

C

AWS KMS: Data Keys

Data keys are generated by CMKs in AWS KMS and are then used to encrypt or decrypt larger amounts of data *outside* of the service. CMKs can never leave AWS KMS unencrypted, but data keys can leave the service unencrypted.

How long does data persist on instance store volumes?

Data persists while the instance is running. Data is deleted when the instance is terminated or if it fails (such as if an underlying drive has issues).

Security in the cloud is composed of what four areas?

Data protection, Privilege management, Infrastructure protection, Detective controls https://d0.awsstatic.com/whitepapers/architecture/AWS_Well-Architected_Framework.pdf

Gateway-Cached volumes

Data resides in S3, often accessed data is cached on Storage Gateway appliance

Gateway-Stored volumes

Data resides in Storage Gateway appliance and is asynchronously backed up to S3.

(T/F) Redis replication between clusters is real-time

False. It's important to keep in mind that replication between the clusters is performed asynchronously and there will be a small delay before data is available on all cluster nodes.

(T/F) When you delete a DB Instance, all manual snapshots are deleted.

False. When you delete a DB Instance, all automated backup snapshots are deleted and cannot be recovered. Manual snapshots, however, are not deleted.

(T/F) Once reserved you cannot change anything to your instances for the duration of the contract

False. When your computing needs change, you can modify your Reserved Instances and continue to benefit from your capacity reservation. Modification does not change the remaining term of your Reserved Instances; their end dates remain the same. There is no fee, and you do not receive any new bills or invoices. Modification is separate from purchasing and does not affect how you use, purchase, or sell Reserved Instances. You can modify your whole reservation, or just a subset, in one or more of the following ways: - Switch Availability Zones within the same region. - Change between EC2-VPC and EC2-Classic. - Change the instance type within the same instance family (Linux instances only).

(T/F) You can add up to 50 inbound and 50 outbound rules to each security group. So you cannot apply more than 100 rules to an instance.

False. You can add up to 50 inbound and 50 outbound rules to each security group. If you need to apply more than 100 rules to an instance, you can associate up to five security groups with each network interface.

What are the options for AWS storage gateway?

Gateway-Stored Volumes (cloud/S3 as backup), Gateway-Cached Volumes (cloud as primary), Gateway-Virtual Tape Library (VTL)

What are the key differences between gateway-cached volumes and gateway-stored volumes

Gateway-stored lets you store all your data locally in storage volumes; the gateway periodically takes snapshots as incremental backups and stores them to S3. Gateway-cached lets you create volumes backed by S3 and mount them as iSCSI (internet small computer systems interface) devices on your on-premises servers; only a small amount of frequently accessed data is stored locally in a cache on your on-premises storage hardware

What are 3 EBS volume types?

- General Purpose SSD (< 10k IOPS) - Provisioned IOPS SSD (> 10k IOPS, DBs) - Magnetic (std) (cheap, file service)

General Purpose SSD

General-purpose SSD volumes offer cost-effective storage that is ideal for a broad range of workloads. They deliver strong performance at a moderate price point that is suitable for a wide range of workloads. A general-purpose SSD volume can range in size from 1 GB to 16 TB and provides a baseline performance of three IOPS per gigabyte provisioned, capping at 10,000 IOPS. For instance, if you provision a 1 TB volume, you can expect a baseline performance of 3,000 IOPS. A 5 TB volume will not provide a 15,000 IOPS baseline, as it would hit the cap at 10,000 IOPS.

In a default VPC, all Amazon EC2 instances are assigned 2 IP addresses at launch. What are these?

Private IP Address & Public IP Address

(T/F) CloudWatch can monitor EC2 CPU usage and Memory consumption

True and False! AWS CloudWatch cannot monitor memory consumption by itself, but you can define custom metrics and use the CloudWatch API to publish them to CloudWatch. From then on CloudWatch can monitor them.

(T/F) You cannot restore from a DB snapshot to an existing DB Instance; a new DB Instance is created when you restore.

True

(T/F) You must first allocate an EIP for use within a VPC and then assign it to an instance.

True

(T/F) is changed. You can also perform a manual failover of the DB Instance.

True

All subnets in default VPC route out to the internet. True or False

True

Amazon CloudFront can work with non-AWS origin servers too.

True

Amazon S3 buckets in all other regions (other than US Standard) provide read-after-write consistency for PUTS of new objects.

True

Amazon SWF ensures that a task is assigned only once and is never duplicated.

True

Amazon's SQS service guarantees a message will be delivered at least once.

True

An Elastic IP address is associated with your AWS account. True or False?

True

Are RDS Reserved instances available for multi-AZ deployments?

True

Automated backups are enabled by default for a new DB Instance?

True

Every Amazon SES sender has a unique set of sending limits. True or False.

True

I can change the permissions to a role, even if that role is already assigned to an existing EC2 instance, and these changes will take effect immediately.

True

It is possible to transfer a reserved instance from one Availability Zone to another.

True

MFA can be used for object deletion in S3. True or False.

True

RDS DB Snapshots don't get deleted when the instance is deleted. True or False.

True

SWF ensures no duplication of tasks. SQS needs coding to prevent duplicate message processing. True or False

True

SWF tracks tasks, SQS needs coding to track processing. True or False

True

Security Group is implemented on Instances. NACL is implemented on subnets. True or False

True

The AWS platform is certified PCI DSS 1.0 compliant

True

True or False. You can't terminate, stop, or delete a resource based solely on its tags; you must specify the resource identifier.

True

True or False. You cannot add an existing instance to a placement group, but you can add a new instance by launching it into a placement group.

True

True or False. Reserved instances are available for multi-AZ deployments.

True

True or False. When I create a new security group, all outbound traffic is allowed by default.

True

True or False: You cannot switch roles on an AWS resource when signed in as the root user.

True

When creating an RDS instance you can select which availability zone in which to deploy your instance.

True

When you create new subnets within a custom VPC, by default they can communicate with each other, across availability zones.

True

You can add multiple volumes to an EC2 instance and then create your own RAID 5/RAID 10/RAID 0 configurations using those volumes.

True

You can disassociate an Elastic IP address from a resource, and reassociate it with a different resource. True or False

True

You cannot have more than one VPC peering connection between the same two VPCs at the same time. True or False

True

(T/F) SQS delivers messages exactly once

True (and False). Although most of the time each message will be delivered to your application exactly once, you should design your system to be idempotent (that is, it must not be adversely affected if it processes the same message more than once).

You need to implement an automated service that will scan your AWS environment and tell you ways that you can improve your security as well as how to save costs. Which service should you use?

Trusted Advisor

How should you configure Route53 to fail over when backed by an ELB?

Turn "Evaluate Target Health" on and turn "Associate with Health Check" off

The 'estimated charges monitoring' is now enabled with alarms setup. Can one disable the 'estimated charges monitoring'?

No. Once estimated charges monitoring is enabled, it cannot be disabled. But alarms can be deleted.

*S3 Security*

• Buckets default to Private • Control Access via: Bucket Policy (Bucket-wide) and/or ACL (down to individual Objects) • Buckets can log *all* access requests to another S3 Bucket (even on another AWS account)

*CloudFront CDN Overview*

• Collection of Distributed Servers where content is served to Edge Locations allowing for lower latency based on User's Location relative to Origin • Origin: *S3* Bucket, *EC2* Instance, *ELB*, or *Route53* • Distributions: *Web* & *RTMP* (Media Streaming) • Edge Locations are Read/Write-able; Objects PUT to EL are sent to Origin • Objects cached for life of TTL (b/w 0s⇢365 days w/ default @ 24hrs) • Clearing/Updating cached Objects inside of TTL incurs cost

Cloud Front CDN

• Distributed servers that serve web-pages locally across geographic locations • Origin is where the file came from • Web Distribution • RTMP - Media Streaming

S3 Use Cases

• File shares • Backup/archiving • CDN origin • Hosting Static Files/Websites

*S3 Buckets*

• Global Namespace (DNS Compliant) • Supports: Versioning, Lifecycle Management & Permissions (Object ACL's) • *100* buckets per account (default) • File Size: Min = *0 bytes* / Max = *5TB* • Objects *> 5GB* must use Multipart Upload API

Magnetic EBS Storage

• Lowest cost • Infrequent access

What is the difference between Multi AZ vs Read-Replicas?

• Multi-AZ serves for failover/DR needs whereas Read Replica is for performance, scaling needs • Multi-AZ retains endpoint whereas each RR has unique endpoint

S3 Functionality

• Multipart uploads • Cloud Front CDN Integration • Resume/Stopped file uploads • Eventual Consistency

*S3 Lifecycle Management*

• Objects stored in Glacier incur min. *90-day* stg. cost • Objects can be transitioned from S3⇢S3-IA after *30 days* • Objects can be transitioned from S3-IA⇢Glacier after *30 days* • Allows for permanent deletion of Objects

*S3 Versioning*

• Once turned on cannot be turned off • Must update permissions on each object version • Version deleted cannot be restored • Object deleted can be restored (delete marker to permanently delete)

*CloudFront Security*

• Restrict viewer access to S3 by using pre-signed URLs / Signed Cookies / Removing Read Access on S3 • HTTPS: Use default Certificate or import via ACM • Geo-Restriction limits access by black/white-listing countries

When will instance launch and then terminate?

"AMI is missing part", "Corrupt Snapshot" or "Volume limit has reached"

What are the security options with S3 buckets?

(1) Bucket ACL (2) Bucket policies

What are 2 major data Import/Export solutions?

(1) Import/Export Disk (2) Import/Export Snowball

Charges on Elastic Transcoder are mainly based on:

(1) Length in time of transcoded file (2) Resolution Quality

CloudFront Origin can be:

(1) S3 bucket (2) EC2 instance (3) Elastic Load Balancer (4) Route53

Explain Redshift configuration.

(1) Single Node (for small user) (2) Multi Node (for large users) (a) Leader Node and (b) Compute Node

What are the VPC peering conditions/requirements?

(1) VPC peering can be done within VPCs in single region only (2) VPC peering done through internal IPs (3) VPCs cannot have overlapping or matching CIDRs (4) VPCs cannot do transitive peering

CloudFront Edge is used for which 2 types of distributions?

(1) Web distribution (2) RTMP for streaming media file

List 3 SWF actors.

(1) Workflow Starters (2) Deciders (3) Activity Workers

What are 2 types of Elasticaches?

(A) Memcached: widely adopted, works seamlessly with other services, won't work in Multi-AZ (B) Redis: supports key-value (sorted lists), will work in Multi-AZ

What are 3 Storage Gateway options?

(a) Gateway Stored Volumes: entire data set at your local site, async replication to AWS S3. (b) Gateway Cached Volumes: frequently used data at local site, entire data set on AWS; saves space locally, but with a shaky internet connection you lose data access. (c) Gateway Virtual Tape Library: physical tape data at local site saved to a VTL on S3 or a Virtual Tape Shelf on Glacier; access the VTL via your backup application (NetBackup etc.).

For S3 data, the consistency models are:

* Read-after-write consistency for PUTs of NEW objects. * Eventual consistency for overwrite PUTs & DELETEs.

IAM Principal

*A principal is an IAM entity that is allowed to interact with AWS resources*. A principal can be permanent or temporary, and it can represent a human or an application. There are three types of principals: root users, IAM users, and roles / temporary security tokens.

Lifecycle management applies to buckets with objects >= ____________ in size.

128 KB

What is a limitation of the HTTPS Load Balancers?

*Elastic Load Balancing does not support Server Name Indication (SNI) on your load balancer*. This means that if you want to host multiple websites on a fleet of Amazon EC2 instances behind Elastic Load Balancing with a single SSL certificate, you will need to add a Subject Alternative Name (SAN) for each website to the certificate to avoid site users seeing a warning message when the site is accessed.

What types of secondary indexes are supported by DynamoDB?

*Global Secondary Index* - The global secondary index is an index with a partition and sort key that can be different from those on the table. You can create or delete a global secondary index on a table at any time. *Local Secondary Index* - The local secondary index is an index that has the same partition key attribute as the primary key of the table, but a different sort key. You can only create a local secondary index when you create a table.

Amazon RDS Oracle and Microsoft SQL Server licenses

*Licensing* Amazon RDS Oracle and Microsoft SQL Server are commercial software products that require appropriate licenses to operate in the cloud. AWS offers two licensing models: License Included and Bring Your Own License (BYOL). *License Included* In the License Included model, the license is held by AWS and is included in the Amazon RDS instance price. For Oracle, License Included provides licensing for Standard Edition One. For SQL Server, License Included provides licensing for SQL Server Express Edition, Web Edition, and Standard Edition. *Bring Your Own License (BYOL)* In the BYOL model, you provide your own license. For Oracle, you must have the appropriate Oracle Database license for the DB Instance class and Oracle Database edition you want to run. You can bring over Standard Edition One, Standard Edition, and Enterprise Edition. For SQL Server, you provide your own license under the Microsoft License Mobility program. You can bring over Microsoft SQL Standard Edition and also Enterprise Edition. You are responsible for tracking and managing how licenses are allocated.

What types of primary keys are supported by DynamoDB?

*Partition Key* - The primary key is made of one attribute, a partition (or hash) key. Amazon DynamoDB builds an unordered hash index on this primary key attribute. *Partition and Sort Key* - The primary key is made of two attributes. The first attribute is the partition key and the second one is the sort (or range) key. Each item in the table is uniquely identified by the combination of its partition and sort key values. It is possible for two items to have the same partition key value, but those two items must have different sort key values. Furthermore, each primary key attribute must be defined as type string, number, or binary.

Amazon Aurora - Primary and Replica

*Primary Instance* This is the main instance, which supports both read and write workloads. When you modify your data, you are modifying the primary instance. Each Amazon Aurora DB cluster has one primary instance. *Amazon Aurora Replica* This is a secondary instance that supports only read operations. Each DB cluster can have up to 15 Amazon Aurora Replicas in addition to the primary instance. By using multiple Amazon Aurora Replicas, you can distribute the read workload among various instances, increasing performance. You can also locate your Amazon Aurora Replicas in multiple Availability Zones to increase your database availability.

*Storage Gateway Types*

*Three* interfaces: *file*, *volume*, & *tape*. Each gateway you have can provide *one* type of interface: *File* gateway enables you to store and retrieve objects in S3 using file protocols, such as NFS. Objects written through file gateway can be directly accessed in S3. *Volume* gateway provides block storage to your applications using the iSCSI protocol. Data on the volumes is stored in S3. To access your iSCSI volumes in AWS, you can take EBS snapshots which can be used to create EBS volumes. In the *cached volume mode*, your data is stored in S3 and a cache of the frequently accessed data is maintained locally by the gateway. In the *stored volume mode*, data is stored on your local storage with volumes backed up asynchronously as EBS snapshots stored in S3. *Tape* gateway provides your backup application with an iSCSI virtual tape library (VTL) interface, consisting of a virtual media changer, virtual tape drives, and virtual tapes. Virtual tape data is stored in S3 or can be archived to Glacier.

What are the ways that IAM authenticates a principal?

*User Name/Password*—When a principal represents a human interacting with the console, the human will provide a user name/ password pair to verify their identity. IAM allows you to create a password policy enforcing password complexity and expiration. *Access Key*—An access key is a combination of an access key ID (20 characters) and an access secret key (40 characters). When a program is manipulating the AWS infrastructure via the API, it will use these values to sign the underlying REST calls to the services. The AWS SDKs and tools handle all the intricacies of signing the REST calls, so using an access key will almost always be a matter of providing the values to the SDK or tool. *Access Key/Session Token*—When a process operates under an assumed role, the temporary security token provides an access key for authentication. In addition to the access key (remember that it consists of two parts), the token also includes a session token. Calls to AWS must include both the two-part access key and the session token to authenticate.

Elasticache Vertical Scaling

*Vertical Scaling* Support for vertical scaling is more limited (than horizontal scaling) with Amazon ElastiCache. If you would like to change the cache node type and scale the compute resources vertically, the service does not directly allow you to resize your cluster in this manner. You can, however, quickly spin up a new cluster with the desired cache node types and start redirecting traffic to the new cluster. It's important to understand that a new Memcached cluster always starts empty, while a Redis cluster can be initialized from a backup.

Give three typical use cases for IAM Roles & temporary security tokens.

- *Amazon EC2 Roles*: Granting permissions to applications running on an Amazon EC2 instance. - *Cross-Account Access*: Granting permissions to users from other AWS accounts, whether you control those accounts or not. - *Federation*: Granting permissions to users authenticated by a trusted external system

What are the Amazon Kinesis components?

- *Amazon Kinesis Firehose*: A service enabling you to load massive volumes of streaming data into AWS - *Amazon Kinesis Streams*: A service enabling you to build custom applications for more complex analysis of streaming data in real time - *Amazon Kinesis Analytics*: A service enabling you to easily analyze streaming data real time with standard SQL

AWS Network Monitoring and Protection

- *Distributed Denial of Service (DDoS) Attacks*: Proprietary DDoS mitigation techniques are used - *Man in the Middle (MITM) Attacks*: all APIs are available via SSL - *IP Spoofing*: EC2 instances cannot send spoofed network traffic - *Port Scanning*: serious violation of the AWS Acceptable Use Policy, and at the same time often ineffective if the Security Groups are not overly permissive - *Packet Sniffing by other Tenants*: Two virtual instances (even owned by the same customer) located on the same physical host cannot listen to each other's traffic. To be even safer, always encrypt sensitive traffic

DNS Record Types

- *Start of Authority (SOA) Record*: A Start of Authority (SOA) record is mandatory in all zone files, and it identifies the base DNS information about the domain. Each zone contains a single SOA record. - *A and AAAA*: Both types of address records map a host to an IP address. The A record is used to map a host to an IPv4 IP address, while AAAA records are used to map a host to an IPv6 address. - *A Canonical Name (CNAME) record* is a type of resource record in the DNS that defines an alias for the canonical name of your server (the domain name defined in an A or AAAA record). - *Mail Exchange (MX) records* are used to define the mail servers used for a domain and ensure that email messages are routed correctly. The MX record should point to a host defined by an A or AAAA record and not one defined by a CNAME. - *Name Server (NS) records* are used by TLD servers to direct traffic to the DNS server that contains the authoritative DNS records. - *A Pointer (PTR) record* is essentially the reverse of an A record. PTR records map an IP address to a DNS name, and they are mainly used to check if the server name is associated with the IP address from where the connection was initiated. - *Sender Policy Framework (SPF) records* are used by mail servers to combat spam. An SPF record tells a mail server what IP addresses are authorized to send an email from your domain name. - *Text (TXT) records* are used to hold text information. This record provides the ability to associate some arbitrary and unformatted text with a host or other name, such as human readable information about a server, network, data center, and other accounting information. - *A Service (SRV) record* is a specification of data in the DNS defining the location (the host name and port number) of servers for specified services. The idea behind SRV is that, given a domain name (for example, example.com) and a service name (for example, web [HTTP], which runs on a protocol [TCP]), a DNS query may be issued to find the host name that provides such a service for the domain, which may or may not be within the domain.

How many Aurora replicas can you have?

- 15 Aurora replicas - You can also have 5 MySQL replicas of your Aurora DB

RDS Availability

- 2 copies stored in each AZ - Minimum of 3 AZs - Can lose 2 copies w/o affecting write availability - Can lose 3 copies w/o affecting read availability - Self-healing

RDS Features

- 3 TB Max Volume - Backup Retention Period - Max 35 days - Not allowed to RDP/SSH into underlying server - resizable instances - New endpoint from snapshot restoration - Cannot use secondary database as read node - 30,000 max IOPS

VPC Restrictions

- 5 Elastic IPs - 5 Internet Gateways - 5 VPCs per region - 50 VPN connections per region - 50 customer gateways per region - 200 route tables per region - 100 security groups per VPC

What are the differences between a NAT and a Bastion?

- A NAT is used to provide internet traffic to EC2 instances in private subnets - A Bastion is used to securely administer EC2 instances (using SSH or RDP) in private subnets. In Australia we call them jump boxes.

How can you use AWS Lambda?

- As an event-driven compute service (run your code in response to an event, for example: S3 upload, EC2 instance shutdown) - As a compute service to run code in response to HTTP requests using AWS API Gateway (think serverless architecture)

What two solutions does AWS offer for DB backups?

- Automatic backups - Database Snapshots

What comes with FREE tier CloudWatch?

- Basic monitoring metrics (at five-minute frequency) - 10 metrics - 10 alarms - 1 million API requests each month

You can secure a S3 bucket using what?

- Bucket policies - Access control lists

What four areas define Performance Efficiency?

- Compute - Storage - Database - Space-time trade off https://d0.awsstatic.com/whitepapers/architecture/AWS_Well-Architected_Framework.pdf

What are the four design principles of the Performance pillar?

- Democratize advanced technologies - Go global in minutes - Use serverless architecture - Experiment more often https://d0.awsstatic.com/whitepapers/architecture/AWS_Well-Architected_Framework.pdf

DynamoDB has what type of consistency model for replicated data?

- Eventual consistency for reads (default) - Strong consistency for

Reliability of the cloud is composed of what three areas?

- Foundations - Change management - Failure management https://d0.awsstatic.com/whitepapers/architecture/AWS_Well-Architected_Framework.pdf

Local Instance Storage v. EBS

- Local Instance - stored locally; data is lost when the instance is terminated - EBS - persists independently of the instance's life; EBS Snapshots are backed up incrementally - You cannot mount 1 EBS volume to 2 EC2 instances

What are the four areas of cost optimization in the cloud?

- Matched supply and demand - Cost-effective resources - Expense awareness - Optimizing over time https://d0.awsstatic.com/whitepapers/architecture/AWS_Well-Architected_Framework.pdf

What two caching engines does AWS Elasticache support?

- Memcached - Redis

What RDS types support cross region read replica replication?

- MySQL - MariaDB - PostgreSQL

AWS Aurora

- MySQL compatible - 5x better performance - 1/10 price

DynamoDB

- NOSQL Database; slightly differs from MongoDB in that you can't have embedded data structures (key-value store) - backed up across 3 random AZs

What CloudWatch metrics are available for CloudFront by default? Do these count against CloudWatch limits?

- Requests (# of requests for HTTP & HTTPS) - BytesDownloaded (for GET, HEAD, OPTIONS, and PUT) - BytesUploaded (for POST & PUT, from CloudFront to origin) - TotalErrorRate: % of all requests where the status code is 4xx or 5xx - 4xxErrorRate: % of requests where the status code is 4xx - 5xxErrorRate: % of requests where the status code is 5xx - These metrics do not count against CloudWatch limits

What can you use as a CloudFront origin source?

- S3 bucket - EC2 instance - Elastic Load-balancer - Route53

What database types does RDS support?

- SQL Server - MySQL - PostgreSQL - Oracle - Aurora (AWS's own DB type) - MariaDB

EBS consists of what two physical storage types?

- SSD - Magnetic

What are the Data Types supported by DynamoDB?

- Scalar Data Types -- String -- Number -- Binary -- Boolean -- Null - Set Data Types -- String Set -- Number Set -- Binary Set - Document Data Types -- List -- Map

What are some use cases where deploying one or more read replica DB Instances is helpful?

- Scale beyond the capacity of a single DB Instance for read-heavy workloads. - Handle read traffic while the source DB Instance is unavailable. For example, due to I/O suspension for backups or scheduled maintenance, you can direct read traffic to a replica. - Offload reporting or data warehousing scenarios against a replica instead of the primary DB Instance

RDS Scaling

- Scales in 10 GB increments to 64TB - Compute up to 32 vCPUs and 244 GB Memory

What do you need to do to improve performance of your RDS instance?

- Shut it down and purchase a larger instance type - add read replicas

What are the 5 AWS DNS load balancing (routing) methods?

- Simple - Weighted - Latency - Failover - Geolocation

What two configurations does RedShift support?

- Single node (up to 160 GB): the leader node and compute node are on the same platform - Multi-node: the leader node manages connections and receives queries; compute nodes store data and perform computations.

What are the three pricing options for EC2 instances?

- Spot - On-demand - Reserved

S3 Storage Types

- Standard - 99.99% availability | 99.999999999% (11 nines) durability - Reduced Redundancy - 99.99% availability | 99.99% durability

Is SQS FIFO?

- Standard queues are not - FIFO queues are (this is a new service!)

What are the components of an IAM Policy

- Statement Id - Effect - Service - Resource - Action - Condition

Describe the structure of a DynamoDB database

- Tables have Items - Items have a Primary Key and attributes - Attributes are key/value pairs - Values are either single valued or multi-valued (sets)

What are four design principles of the reliability pillar?

- Test recovery procedures (test your DR plans...) - Automate recovery from a failure - Scale horizontally to increase aggregate system availability - Stop guessing at capacity https://d0.awsstatic.com/whitepapers/architecture/AWS_Well-Architected_Framework.pdf

What are the Cost Optimization pillar design principles?

- Transparently attribute expenses - Use managed services to reduce cost of ownership - Trade capital expense for operational expense - Benefit from economies of scale - Stop spending money on datacenter operations https://d0.awsstatic.com/whitepapers/architecture/AWS_Well-Architected_Framework.pdf

Associating Policies with Principals

- User Policy - Managed Policies - Group Policy

IAM consists of what four items?

- Users - Groups - Roles - Policy Documents

Vertical and horizontal DB scaling

- Vertical: you can add memory, change the instance type, change the storage type and class - Horizontal: -- for NoSQL sharding is used -- read replicas can be used to offload read transactions from the primary database and increase the overall number of transactions

What are important things about a NAT Gateway?

- Very new, may not be in the exams yet - Preferred by the enterprise - Scales automatically up to 10 Gbps - No need to patch - Not associated with security groups - Automatically assigned a public IP address - Remember to update your route tables - No need to disable Source/Destination Checks

What types of CloudFront distributions are there?

- Web - RTMP (streaming media)

What are important things to remember about a NAT instance?

- When creating a NAT instance, disable the Source/Destination Check on the instance - The NAT instance must be in a public subnet - There must be a route out of the private subnet to the NAT instance in order for this to work - The amount of traffic that a NAT instance supports depends on the instance size; if you are bottlenecking, increase the instance size - You can create high availability using Auto Scaling Groups, multiple subnets in different AZs and a script to automate failover - A NAT instance always sits behind a Security Group

DNS Failover

- When failing over Time to Live (TTL) should be as low as possible

When would you want to consider using a read replica?

- When you cannot scale beyond the available compute and/or I/O - When most of your content is read data (business reporting, OLAP, etc.) - To still provide reads while the primary DB is locked for a backup (locked meaning no reads or writes)

What are three SWF actors?

- Work Flow Starters - Deciders - Activity Workers

What are important limitations of VPC peering?

- You cannot create a peering connection between Amazon VPCs that have matching or overlapping CIDR blocks. - You cannot create a peering connection between Amazon VPCs in different regions. - Amazon VPC peering connections do not support transitive routing. - You cannot have more than one peering connection between the same two Amazon VPCs at the same time.

Access Control Lists

- Acts like a firewall for a subnet - Can span multiple subnets - Overrules security groups - Rules are evaluated from lowest to highest number - Default traffic permissions deny inbound and outbound

Multi-AZ RDS

- allows you to create a highly available database cluster across multiple availability zones - makes what used to be a very challenging task a simple admin task - lets you meet the most demanding RTO & RPO targets by using synchronous replication --> minimizes RPO & RTO to minutes - automatically performs failover in the event that any of the following occur: -- Loss of availability in the primary AZ -- Loss of network connectivity to the primary DB -- Compute unit failure on primary DB -- Storage failure on primary database

New users are assigned what when first created?

- An access key ID - A secret access key

S3 Versioning

- Can preserve, and restore from, every version of an object stored - Once enabled, can't be disabled - Delete a delete marker to restore a file

What are the three EC2 Instances Pricing Options?

1. On-Demand Instances 2. Reserved Instances 3. Spot Instances

You work for a large media organisation who has traditionally stored all their media on large SAN arrays. After evaluating AWS they have decided to move their storage to the cloud. Staff will store their personal data on S3 and will have to use their Active Directory credentials in order to authenticate. This will be stored in a single S3 bucket, and each staff member will have their own folder within that bucket named after their employee ID. What steps below should you take in order to help set this up (choose 3).

-Create an IAM role -Create either a federation proxy or identity provider -Use AWS security token service to create temporary tokens

EBS data can be protected at REST via these 3 options:

-Data Encryption (Windows / Linux / third party based), -Data Replication (AWS internally replicates data for redundancy), and -Data Snapshot (for point in time backup).

Amazon CloudFront billing is mainly affected by:

-Data Transfer Out -Edge Location Traffic -Distribution -Requests -Dedicated IP SSL Certificates

what are the primary drivers of cloudfront billing

-Data Transfer out to internet, -Data transfer out to origin -Edge Location Traffic distribution, -# requests, -Dedicated IP SSL Certs

You have been engaged as a consultant by a company that generates utility bills and publishes them online. The PDF images are generated and are stored on a high-performance RDS instance. On average, invoices are viewed by customers only once per month. Recently the number of customers has increased by 3x and the wait time to view the invoices has increased to unacceptable levels. The CTO is unwilling to alter the codebase more than necessary this quarter, but needs to return performance to an acceptable level before the end-of-month print run. Which of the following solutions are options you would feel comfortable proposing to the CTO and GM? (select 3)

-Evaluate the options & Risk/Benefit of trying to upgrade the RDS instance. -Create RDS Read-Replicas and additional Web/App instances across all the available AZs. -Use an ELB to spread the load.

What AWS storage options are supported for AWS Import/Export

-Import to S3 -Export from S3 -Import to EBS -Import to Glacier -Export from EBS/Glacier not supported

DynamoDB supports both __________ and ___________ atomic operations.

- Increment
- Decrement

Auto Scaling supports three types of scaling. Which ones?

- Manual scaling
- Scaling based on condition (e.g. CPU utilization is up or down, etc.)
- Scaling based on time (e.g. first day of the quarter, 6 am every day, etc.)

What are EC2 purchase options?

- On Demand
- Spot
- Reserved

In Amazon VPC, you can assign any Private IP address to your instance as long as it is:

- Part of the associated subnet's IP address range
- Not reserved by Amazon for IP networking purposes
- Not currently assigned to another interface

What are the valid states for an EMR cluster?

- STARTING
- BOOTSTRAPPING
- RUNNING
- WAITING
- TERMINATING
- TERMINATED
- TERMINATED_WITH_ERRORS
- STOPPED is not a valid state

What are Route53 routing policies?

- Simple
- Weighted
- Latency
- Failover
- Geo Location

What are Create VPC Wizard Options?

- VPC with a Single Public Subnet Only
- VPC with Public and Private Subnets
- VPC with Public and Private Subnets and Hardware VPN Access
- VPC with a Private Subnet Only and Hardware VPN Access

Explain Elastic Network Interface (ENI)

- You can attach a network interface to an instance when it's running (hot attach), when it's stopped (warm attach), or when the instance is being launched (cold attach). You can detach secondary (ethN) network interfaces when the instance is running or stopped. However, you can't detach the primary (eth0) interface.
- You can attach a network interface in one subnet to an instance in another subnet in the same VPC; however, both the network interface and the instance must reside in the same Availability Zone.
- When launching an instance from the CLI or API, you can specify the network interfaces to attach to the instance for both the primary (eth0) and additional network interfaces.

What are a few reasons why an Amazon EBS-backed instance might immediately terminate?

- You've reached your volume limit.
- The AMI is missing a required part.
- The snapshot is corrupt.

Amazon RDS provides Amazon CloudWatch metrics for your DB Instance deployments at no additional charge. You can use the AWS Management Console to view key operational metrics for your DB Instance deployments, including ____________________________________________.

- compute/memory/storage capacity utilization
- I/O activity
- DB Instance connections

Your company works with data that requires frequent audits of your AWS environment to ensure compliance with internal policies and best practices. In order to perform these audits, you need access to historical configurations of your resources to evaluate relevant configuration changes. Which service will provide the necessary information for your audits? 1. AWS Config 2. AWS Key Management Service (AWS KMS) 3. AWS CloudTrail 4. AWS OpsWorks

1 (A). AWS Config is a fully managed service that provides you with an AWS resource inventory, configuration history, and configuration change notifications to enable security and governance. With AWS Config, you can discover existing and deleted AWS resources, determine your overall compliance against rules, and dive into configuration details of a resource at any point in time. These capabilities enable compliance auditing.

When you create a new Amazon Simple Notification Service (Amazon SNS) topic, which of the following is created automatically? 1. An Amazon Resource Name (ARN) 2. A subscriber 3. An Amazon Simple Queue Service (Amazon SQS) queue to deliver your Amazon SNS topic 4. A message

1 (A). When you create a new Amazon SNS topic, an Amazon ARN is created automatically.

Which security scheme is used by the AWS Multi-Factor Authentication (AWS MFA) token? 1. Time-Based One-Time Password (TOTP) 2. Perfect Forward Secrecy (PFC) 3. Ephemeral Diffie Hellman (EDH) 4. Split-Key Encryption (SKE)

1 (A). A virtual MFA device uses a software application that generates six-digit authentication codes that are compatible with the TOTP standard, as described in RFC 6238.

Which AWS service records Application Program Interface (API) calls made on your account and delivers log files to your Amazon Simple Storage Service (Amazon S3) bucket? 1. AWS CloudTrail 2. Amazon CloudWatch 3. Amazon Kinesis 4. AWS Data Pipeline

1 (A). AWS CloudTrail records important information about each API call, including the name of the API, the identity of the caller, the time of the API call, the request parameters, and the response elements returned by the AWS Cloud service.

AWS provides IT control information to customers in which of the following ways? 1. By using specific control definitions or through general control standard compliance 2. By using specific control definitions or through SAS 70 3. By using general control standard compliance and by complying with ISO 27001 4. By complying with ISO 27001 and SOC 1 Type II

1 (A). AWS provides IT control information to customers through either specific control definitions or general control standard compliance.

Which Amazon Relational Database Service (Amazon RDS) database engines support Multi-AZ? 1. All of them 2. Microsoft SQL Server, MySQL, and Oracle 3. Oracle, Amazon Aurora, and PostgreSQL 4. MySQL

1 (A). All Amazon RDS database engines support Multi-AZ deployment.

You are creating an Amazon DynamoDB table that will contain messages for a social chat application. This table will have the following attributes: Username (String), Timestamp (Number), Message (String). Which attribute should you use as the partition key? The sort key? 1. Username, Timestamp 2. Username, Message 3. Timestamp, Message 4. Message, Timestamp

1 (A). Using the Username as a partition key will evenly spread your users across the partitions. Messages are often filtered down by time range, so Timestamp makes sense as a sort key.

You are changing your application to move session state information off the individual Amazon Elastic Compute Cloud (Amazon EC2) instances to take advantage of the elasticity and cost benefits provided by Auto Scaling. Which of the following AWS Cloud services is best suited as an alternative for storing session state information? 1. Amazon DynamoDB 2. Amazon Redshift 3. Amazon Storage Gateway 4. Amazon Kinesis

1 (A). Amazon DynamoDB is a NoSQL database store that is a great choice as an alternative due to its scalability, high-availability, and durability characteristics. Many platforms provide open-source, drop-in replacement libraries that allow you to store native sessions in Amazon DynamoDB. Amazon DynamoDB is a great candidate for a session storage solution in a share-nothing, distributed architecture.

Your company runs an Amazon Elastic Compute Cloud (Amazon EC2) instance periodically to perform a batch processing job on a large and growing filesystem. At the end of the batch job, you shut down the Amazon EC2 instance to save money but need to persist the filesystem on the Amazon EC2 instance from the previous batch runs. What AWS Cloud service can you leverage to meet these requirements? 1. Amazon Elastic Block Store (Amazon EBS) 2. Amazon DynamoDB 3. Amazon Glacier 4. AWS CloudFormation

1 (A). Amazon EBS provides persistent block-level storage volumes for use with Amazon EC2 instances on the AWS Cloud. Amazon DynamoDB, Amazon Glacier, and AWS CloudFormation do not provide persistent block-level storage for Amazon EC2 instances. Amazon DynamoDB provides managed NoSQL databases. Amazon Glacier provides low-cost archival storage. AWS CloudFormation gives developers and systems administrators an easy way to create and manage a collection of related AWS resources.

You are working for a small organization without a dedicated database administrator on staff. You need to install Microsoft SQL Server Enterprise edition quickly to support an accounting back office application on Amazon Relational Database Service (Amazon RDS). What should you do? 1. Launch an Amazon RDS DB Instance, and select Microsoft SQL Server Enterprise Edition under the Bring Your Own License (BYOL) model. 2. Provision SQL Server Enterprise Edition using the License Included option from the Amazon RDS Console. 3. SQL Server Enterprise edition is only available via the Command Line Interface (CLI). Install the command-line tools on your laptop, and then provision your new Amazon RDS Instance using the CLI. 4. You cannot use SQL Server Enterprise edition on Amazon RDS. You should install this on to a dedicated Amazon Elastic Compute Cloud (Amazon EC2) Instance.

1 (A). Amazon RDS supports Microsoft SQL Server Enterprise edition and the license is available only under the BYOL model.

Which AWS Cloud service is best suited for Online Analytics Processing (OLAP)? 1. Amazon Redshift 2. Amazon Relational Database Service (Amazon RDS) 3. Amazon Glacier 4. Amazon DynamoDB

1 (A). Amazon Redshift is best suited for traditional OLAP transactions. While Amazon RDS can also be used for OLAP, Amazon Redshift is purpose-built as an OLAP data warehouse.

Which encryption algorithm is used by Amazon Simple Storage Service (Amazon S3) to encrypt data at rest with Service-Side Encryption (SSE)? 1. Advanced Encryption Standard (AES)-256 2. RSA 1024 3. RSA 2048 4. AES-128

1 (A). Amazon S3 SSE uses one of the strongest block ciphers available, 256-bit AES.

A week before Cyber Monday last year, your corporate data center experienced a failed air conditioning unit that caused flooding into the server racks. The resulting outage cost your company significant revenue. Your CIO mandated a move to the cloud, but he is still concerned about catastrophic failures in a data center. What can you do to alleviate his concerns? 1. Distribute the architecture across multiple Availability Zones. 2. Use an Amazon Virtual Private Cloud (Amazon VPC) with subnets. 3. Launch the compute for the processing services in a placement group. 4. Purchase Reserved Instances for the processing services instances.

1 (A). An Availability Zone consists of one or more physical data centers. Availability Zones within a region provide inexpensive, low-latency network connectivity to other zones in the same region. This allows you to distribute your application across data centers. In the event of a catastrophic failure in a data center, the application will continue to handle requests.

Which of the following are features of enhanced networking? (Choose 3 answers) 1. More Packets Per Second (PPS) 2. Lower latency 3. Multiple network interfaces 4. Border Gateway Protocol (BGP) routing 5. Less jitter

1,2,5 (A,B,E). These are the benefits of enhanced networking.

You want to host multiple Hypertext Transfer Protocol Secure (HTTPS) websites on a fleet of Amazon EC2 instances behind an Elastic Load Balancing load balancer with a single X.509 certificate. How must you configure the Secure Sockets Layer (SSL) certificate so that clients connecting to the load balancer are not presented with a warning when they connect? 1. Create one SSL certificate with a Subject Alternative Name (SAN) value for each website name. 2. Create one SSL certificate with the Server Name Indication (SNI) value checked. 3. Create multiple SSL certificates with a SAN value for each website name. 4. Create SSL certificates for each Availability Zone with a SAN value for each website name.

1 (A). An SSL certificate must specify the name of the website either in the subject name or as a value listed in the SAN extension of the certificate in order for connecting clients to not receive a warning.

Your website is hosted on a fleet of web servers that are load balanced across multiple Availability Zones using an Elastic Load Balancer (ELB). What type of record set in Amazon Route 53 can be used to point myawesomeapp.com to your website? 1. Type A Alias resource record set 2. MX record set 3. TXT record set 4. CNAME record set

1 (A). An alias resource record set can point to an ELB. You cannot create a CNAME record at the top node of a Domain Name Service (DNS) namespace, also known as the zone apex, as is the case in this example. Alias resource record sets can save you time because Amazon Route 53 automatically recognizes changes in the resource record sets to which the alias resource record set refers.

Each AWS region is composed of two or more locations that offer organizations the ability to operate production systems that are more highly available, fault tolerant, and scalable than would be possible using a single data center. What are these locations called? 1. Availability zones 2. Replication areas 3. Geographic districts 4. Compute centers

1 (A). An availability zone is a distinct location within a region that is insulated from failures in other availability zones and provides inexpensive, low-latency network connectivity to other availability zones in the same region. Replication areas, geographic districts, and compute centers are not terms used to describe AWS data center locations.

Which feature of AWS is designed to permit calls to the platform from an Amazon Elastic Compute Cloud (Amazon EC2) instance without needing access keys placed on the instance? 1. AWS Identity and Access Management (IAM) instance profile 2. IAM groups 3. IAM roles 4. Amazon EC2 key pairs

1 (A). An instance profile is a container for an IAM role that you can use to pass role information to an Amazon EC2 instance when the instance starts.

Your company experiences fluctuations in traffic patterns to their e-commerce website based on flash sales. What service can help your company dynamically match the required compute capacity to the spike in traffic during flash sales? 1. Auto Scaling 2. Amazon Glacier 3. Amazon Simple Notification Service (Amazon SNS) 4. Amazon Virtual Private Cloud (Amazon VPC)

1 (A). Auto Scaling helps maintain application availability and allows organizations to scale Amazon Elastic Compute Cloud (Amazon EC2) capacity up or down automatically according to conditions defined for the particular workload. Not only can it be used to help ensure that the desired number of Amazon EC2 instances are running, but it also allows resources to scale in and out to match the demands of dynamic workloads. Amazon Glacier, Amazon SNS, and Amazon VPC do not provide services to scale compute capacity automatically.

Which of the following statements is true? 1. IT governance is still the customer's responsibility, despite deploying their IT estate onto the AWS platform. 2. The AWS platform is PCI DSS-compliant to Level 1. Customers can deploy their web applications to this platform, and they will be PCI DSS-compliant automatically. 3. The shared responsibility model applies to IT security only; it does not relate to governance. 4. AWS doesn't take risk management very seriously, and it's up to the customer to mitigate risks to the AWS infrastructure.

1 (A). IT governance is still the customer's responsibility.

Your company provides media content via the Internet to customers through a paid subscription model. You leverage Amazon CloudFront to distribute content to your customers with low latency. What approach can you use to serve this private content securely to your paid subscribers? 1. Provide signed Amazon CloudFront URLs to authenticated users to access the paid content. 2. Use HTTPS requests to ensure that your objects are encrypted when Amazon CloudFront serves them to viewers. 3. Configure Amazon CloudFront to compress the media files automatically for paid subscribers. 4. Use the Amazon CloudFront geo restriction feature to restrict access to all of the paid subscription media at the country level.

1 (A). Many companies that distribute content via the Internet want to restrict access to documents, business data, media streams, or content that is intended for selected users, such as users who have paid a fee. To serve this private content securely using Amazon CloudFront, you can require that users access your private content by using special Amazon CloudFront-signed URLs or signed cookies.

Of the following options, what is an efficient way to fanout a single Amazon Simple Notification Service (Amazon SNS) message to multiple Amazon Simple Queue Service (Amazon SQS) queues? 1. Create an Amazon SNS topic using Amazon SNS. Then create and subscribe multiple Amazon SQS queues sent to the Amazon SNS topic. 2. Create one Amazon SQS queue that subscribes to multiple Amazon SNS topics. 3. Amazon SNS allows exactly one subscriber to each topic, so fanout is not possible. 4. Create an Amazon SNS topic using Amazon SNS. Create an application that subscribes to that topic and duplicates the message. Send copies to multiple Amazon SQS queues.

1 (A). Multiple queues can subscribe to an Amazon SNS topic, which can enable parallel asynchronous processing.

Which of the following is an optional security control that can be applied at the subnet layer of a VPC? 1. Network ACL 2. Security Group 3. Firewall 4. Web application firewall

1 (A). Network ACLs are associated to a VPC subnet to control traffic flow.

Using the correctly decrypted Administrator password and RDP, you cannot log in to a Windows instance you just launched. Which of the following is a possible reason? 1. There is no security group rule that allows RDP access over port 3389 from your IP address. 2. The instance is a Reserved Instance. 3. The instance is not using enhanced networking. 4. The instance is not an Amazon EBS-optimized instance.

1 (A). None of the other options will have any effect on the ability to connect.

Which of the following are the minimum required elements to create an Auto Scaling launch configuration? 1. Launch configuration name, Amazon Machine Image (AMI), and instance type 2. Launch configuration name, AMI, instance type, and key pair 3. Launch configuration name, AMI, instance type, key pair, and security group 4. Launch configuration name, AMI, instance type, key pair, security group, and block device mapping

1 (A). Only the launch configuration name, AMI, and instance type are needed to create an Auto Scaling launch configuration. Identifying a key pair, security group, and a block device mapping are optional elements for an Auto Scaling launch configuration.

How many nodes can you add to an Amazon ElastiCache cluster running Redis? 1. 1 2. 5 3. 20 4. 100

1 (A). Redis clusters can only contain a single node; however, you can group multiple clusters together into a replication group.

Which protocol is used by DNS when response data size exceeds 512 bytes? 1. Transmission Control Protocol (TCP) 2. Hyper Text Transfer Protocol (HTTP) 3. File Transfer Protocol (FTP) 4. User Datagram Protocol (UDP)

1 (A). TCP is used by DNS servers when the response data size exceeds 512 bytes or for tasks such as zone transfers.

What is the default limit for the number of Amazon VPCs that a customer may have in a region? 1. 5 2. 6 3. 7 4. There is no default maximum number of VPCs within a region.

1 (A). The default limit for the number of Amazon VPCs that a customer may have in a region is 5.

What is the default time for an Amazon Simple Queue Service (Amazon SQS) visibility timeout? 1. 30 seconds 2. 60 seconds 3. 1 hour 4. 12 hours

1 (A). The default time for an Amazon SQS visibility timeout is 30 seconds.

What is the maximum size IP address range that you can have in an Amazon VPC? 1. /16 2. /24 3. /28 4. /30

1 (A). The maximum size subnet that you can have in a VPC is /16.

You have built a large web application that uses Amazon ElastiCache using Memcached to store frequent query results. You plan to expand both the web fleet and the cache fleet multiple times over the next year to accommodate increased user traffic. How do you minimize the amount of changes required when a scaling event occurs? 1. Configure AutoDiscovery on the client side 2. Configure AutoDiscovery on the server side 3. Update the configuration file each time a new cluster 4. Use an Elastic Load Balancer to proxy the requests

1 (A). When the clients are configured to use AutoDiscovery, they can discover new cache nodes as they are added or removed. AutoDiscovery must be configured on each client and is not active server side. Updating the configuration file each time will be very difficult to manage. Using an Elastic Load Balancer is not recommended for this scenario.

To help prevent data loss due to the failure of any single hardware component, Amazon Elastic Block Storage (Amazon EBS) automatically replicates EBS volume data to which of the following? 1. Amazon EBS replicates EBS volume data within the same Availability Zone in a region. 2. Amazon EBS replicates EBS volume data across other Availability Zones within the same region. 3. Amazon EBS replicates EBS volume data across Availability Zones in the same region and in Availability Zones in one other region. 4. Amazon EBS replicates EBS volume data across Availability Zones in the same region and in Availability Zones in every other region.

1 (A). When you create an Amazon EBS volume in an Availability Zone, it is automatically replicated within that Availability Zone to prevent data loss due to failure of any single hardware component. An EBS Snapshot creates a copy of an EBS volume to Amazon S3 so that copies of the volume can reside in different Availability Zones within a region.

What happens when you create a new Amazon VPC? 1. A main route table is created by default. 2. Three subnets are created by default, one for each Availability Zone. 3. Three subnets are created by default in one Availability Zone. 4. An IGW is created by default.

1 (A). When you create an Amazon VPC, a route table is created by default. You must manually create subnets and an IGW.

A firm is moving its testing platform to AWS to provide developers with instant access to clean test and development environments. The primary requirement for the firm is to make environments easily reproducible and fungible. What service will help the firm meet their requirements? 1. AWS CloudFormation 2. AWS Config 3. Amazon Redshift 4. AWS Trusted Advisor

1 (A). With AWS CloudFormation, you can reuse your template to set up your resources consistently and repeatedly. Just describe your resources once and then provision the same resources over and over in multiple stacks.

Your team is building an order processing system that will span multiple Availability Zones. During testing, the team wanted to test how the application will react to a database failover. How can you enable this type of test? 1. Force a Multi-AZ failover from one Availability Zone to another by rebooting the primary instance using the Amazon RDS console. 2. Terminate the DB instance, and create a new one. Update the connection string. 3. Create a support case asking for a failover. 4. It is not possible to test a failover.

1 (A). You can force a failover from one Availability Zone to another by rebooting the primary instance in the AWS Management Console. This is often how people test a failover in the real world. There is no need to create a support case.

How many IGWs can you attach to an Amazon VPC at any one time? 1. 1 2. 2 3. 3 4. 4

1 (A). You may only have one IGW for each Amazon VPC.

What are some of the key characteristics of Amazon Simple Storage Service (Amazon S3)? (Choose 3 answers) 1. All objects have a URL. 2. Amazon S3 can store unlimited amounts of data. 3. Objects are world-readable by default. 4. Amazon S3 uses a REST (Representational State Transfer) Application Program Interface (API). 5. You must pre-allocate the storage in a bucket.

1,2,4 (A,B,D). C and E are incorrect: objects are private by default, and storage in a bucket does not need to be pre-allocated.

DirectConnect offers _________ and _________ speeds.

1 GBps and 10 GBps speeds

What is the maximum response time for a Business Level Premium Support Case?

1 Hour

What is the minimum file size that I can store on S3?

1 byte

S3 file/object can be from ___________ to ____________ size.

1 byte to 5TB

RDS: _____ day(s) of backups will be retained by default, but you can modify the retention period up to a maximum of _____ day(s).

1 day, 35 days

What is the maximum response time with the Business Support plan?

1 hour

A user is sending custom data metrics to CloudWatch. What is the time stamp for each data point allowed for the custom metric?

1 millisecond (or 1/1000 second). CloudWatch aggregates the data by each minute and generates a metric for that.

What should be the minimum duration when setting an alarm on a detailed monitoring metric in CloudWatch?

1 min. Statistics represent data aggregation of the metric data values over a specific period of time. The user can specify the start and end times that CloudWatch will use for the data aggregation of the statistics. The starting and ending points can be as close together as 60 seconds or as far apart as two weeks.

What is CloudWatch's detailed polling interval?

1 minute, this adds additional costs

What is SWF's retention period?

1 year

SWF workflow executions can span up to _____________.

1 yr

What administrative tasks are handled by AWS for Amazon Relational Database Service (Amazon RDS) databases? (Choose 3 answers) 1. Regular backups of the database 2. Deploying virtual infrastructure 3. Deploying the schema (for example, tables and stored procedures) 4. Patching the operating system and database software 5. Setting up non-admin database accounts and privileges

1&2&4?

Which of the following are true about the AWS shared responsibility model? (Choose 3 answers) 1. AWS is responsible for all infrastructure components (that is, AWS Cloud services) that support customer deployments. 2. The customer is responsible for the components from the guest operating system upward (including updates, security patches, and antivirus software). 3. The customer may rely on AWS to manage the security of their workloads deployed on AWS. 4. While AWS manages security of the cloud, security in the cloud is the responsibility of the customer. 5. The customer must audit the AWS data centers personally to confirm the compliance of AWS systems and services.

1&2&4?

Amazon CloudWatch offers which types of monitoring plans? (Choose 2 answers) 1. Basic 2. Detailed 3. Diagnostic 4. Precognitive 5. Retroactive

1&2?

Amazon Simple Storage Service (Amazon S3) is an eventually consistent storage system. For what kinds of operations is it possible to get stale data as a result of eventual consistency? 1. GET after PUT of a new object 2. GET or LIST after a DELETE 3. GET after overwrite PUT (PUT to an existing key) 4. DELETE after GET of new object

1&3?

Which of the following statements about Amazon DynamoDB secondary indexes is true? 1. There can be many per table, and they can be created at any time. 2. There can only be one per table, and it must be created when the table is created. 3. There can be many per table, and they can be created at any time. 4. There can only be one per table, and it must be created when the table is created.

1&3?

You are creating a High-Performance Computing (HPC) cluster and need very low latency and high bandwidth between instances. What combination of the following will allow this? (Choose 3 answers) 1. Use an instance type with 10 Gbps network performance. 2. Put the instances in a placement group. 3. Use Dedicated Instances. 4. Enable enhanced networking on the instances. 5. Use Reserved Instances.

1,2,4 (A,B,D). The other answers have nothing to do with networking.

Your company wants to host its secure web application in AWS. The internal security policies consider any connections to or from the web server as insecure and require application data protection. What approaches should you use to protect data in transit for the application? (Choose 2 answers) 1. Use BitLocker to encrypt data. 2. Use HTTPS with server certificate authentication. 3. Use an AWS Identity and Access Management (IAM) role. 4. Use Secure Sockets Layer (SSL) / Transport 5. Layer Security (TLS) for database connection. 6. Use XML for data transfer from client to server.

1&5?

Which cache engines does Amazon ElastiCache support? (Choose 2 answers) 1. Memcached 2. Redis 3. Membase 4. Couchbase

1,2 (A,B). Amazon ElastiCache supports both Memcached and Redis. You can run self-managed installations of Membase and Couchbase using Amazon Elastic Compute Cloud (Amazon EC2).

You are building a large order processing system and are responsible for securing the database. Which actions will you take to protect the data? (Choose 3 answers) 1. Adjust AWS Identity and Access Management (IAM) permissions for administrators. 2. Configure security groups and network Access Control Lists (ACLs) to limit network access. 3. Configure database users, and grant permissions to database objects. 4. Install anti-virus software on the Amazon RDS DB Instance.

1,2,3 (A,B,C). Protecting your database requires a multilayered approach that secures the infrastructure, the network, and the database itself. Amazon RDS is a managed service and direct access to the OS is not available.

AWS communicates with customers regarding its security and control environment through a variety of different mechanisms. Which of the following are valid mechanisms? (Choose three) 1. Obtaining industry certifications and independent third-party attestations 2. Publishing information about security and AWS control practices via the website, whitepapers, and blogs 3. Directly providing customers with certificates, reports, and other documentation (under NDA in some cases) 4. Allowing customers' auditors direct access to AWS data centers, infrastructure, and senior staff

1,2,3 (A,B,C). Answers A through C describe valid mechanisms that AWS uses to communicate with customers regarding its security and control environment. AWS does not allow customers' auditors direct access to AWS data centers, infrastructure, or staff.

In Amazon Simple Workflow Service (Amazon SWF), which of the following are actors? (Choose 3 answers) 1. Activity workers 2. Workflow starters 3. Deciders 4. Activity tasks

1,2,3 (A,B,C). In Amazon SWF, actors can be activity workers, workflow starters, or deciders.

Which of the following objects are good candidates to store in a cache? (Choose 3 answers) 1. Session state 2. Shopping cart 3. Product catalog 4. Bank account balance

1,2,3 (A,B,C). Many types of objects are good candidates to cache because they have the potential to be accessed by numerous users repeatedly. Even the balance of a bank account could be cached for short periods of time if the back-end database query is slow to respond.

Your team manages a popular website running Amazon Relational Database Service (Amazon RDS) MySQL backend. The Marketing department has just informed you about an upcoming television commercial that will drive thousands of new visitors to the website. How can you prepare your database to handle the load? (Choose 3 answers) 1. Vertically scale the DB Instance by selecting a more powerful instance class. 2. Create read replicas to offload read requests and update your application. 3. Upgrade the storage from Magnetic volumes to General Purpose Solid State Drive (SSD) volumes. 4. Upgrade to Amazon Redshift for faster columnar storage.

1,2,3 (A,B,C). Vertically scaling up is one of the simpler options that can give you additional processing power without making any architectural changes. Read replicas require some application changes but let you scale processing power horizontally. Finally, busy databases are often I/O-bound, so upgrading storage to General Purpose (SSD) or Provisioned IOPS (SSD) can often allow for additional request processing.

Your AWS account administrator left your company today. The administrator had access to the root user and a personal IAM administrator account. With these accounts, he generated other IAM accounts and keys. Which of the following should you do today to protect your AWS infrastructure? (Choose 4 answers) 1. Change the password and add MFA to the root user. 2. Put an IP restriction on the root user. 3. Rotate keys and change passwords for IAM accounts. 4. Delete all IAM accounts. 5. Delete the administrator's personal IAM account. 6. Relaunch all Amazon EC2 instances with new roles.

1,2,3,5 (A,B,C,E). Locking down your root user and all accounts to which the administrator had access is the key here. Deleting all IAM accounts is not necessary, and it would cause great disruption to your operations. Amazon EC2 roles use temporary security tokens, so relaunching Amazon EC2 instances is not necessary.

What must be done to host a static website in an Amazon Simple Storage Service (Amazon S3) bucket? (Choose 3 answers) 1. Configure the bucket for static hosting and specify an index and error document. 2. Create a bucket with the same name as the website. 3. Enable File Transfer Protocol (FTP) on the bucket. 4. Make the objects in the bucket world-readable. 5. Enable HTTP on the bucket.

1,2,4 (A,B,D). A, B, and D are required, and normally you also set a friendly CNAME to the bucket URL. Amazon S3 does not support FTP transfers, and HTTP does not need to be enabled.

Which of the following is a valid report, certification, or third-party attestation for AWS? (Choose three) 1. SOC 1 2. PCI DSS Level 1 3. SOC 4 4. ISO 27001

1,2,4 (A,B,D). There is no such thing as a SOC 4 report, therefore answer C is incorrect.

You need to implement a service to scan Application Program Interface (API) calls and related events' history to your AWS account. This service will detect things like unused permissions, overuse of privileged accounts, and anomalous logins. Which of the following AWS Cloud services can be leveraged to implement this service? (Choose 3 answers) 1. AWS CloudTrail 2. Amazon Simple Storage Service (Amazon S3) 3. Amazon Route 53 4. Auto Scaling 5. AWS Lambda

1,2,5 (A,B,E). You can enable AWS CloudTrail in your AWS account to get logs of API calls and related events' history in your account. AWS CloudTrail records all of the API access events as objects in an Amazon S3 bucket that you specify at the time you enable AWS CloudTrail. You can take advantage of Amazon S3's bucket notification feature by directing Amazon S3 to publish object-created events to AWS Lambda. Whenever AWS CloudTrail writes logs to your Amazon S3 bucket, Amazon S3 can then invoke your AWS Lambda function by passing the Amazon S3 object-created event as a parameter. The AWS Lambda function code can read the log object and process the access records logged by AWS CloudTrail.

What properties of an Amazon VPC must be specified at the time of creation? (Choose 2 answers) 1. The CIDR block representing the IP address range 2. One or more subnets for the Amazon VPC 3. The region for the Amazon VPC 4. Amazon VPC Peering relationships

1,3 (A,C). The CIDR block is specified upon creation and cannot be changed. An Amazon VPC is associated with exactly one region, which must be specified upon creation. You can add a subnet to an Amazon VPC any time after it has been created, provided its address range falls within the Amazon VPC CIDR block and does not overlap with the address range of any existing subnet. You can set up peering relationships between Amazon VPCs after they have been created.

Which of the following are good use cases for Amazon CloudFront? (Choose 2 answers) 1. A popular software download site that supports users around the world, with dynamic content that changes rapidly 2. A corporate website that serves training videos to employees. Most employees are located in two corporate campuses in the same city. 3. A heavily used video and music streaming service that requires content to be delivered only to paid subscribers 4. A corporate HR website that supports a global workforce. Because the site contains sensitive data, all users must connect through a corporate Virtual Private Network (VPN).

1,3 (A,C). The site in A is "popular" and supports "users around the world," key indicators that CloudFront is appropriate. Similarly, the site in C is "heavily used," and requires private content, which is supported by Amazon CloudFront. Both B and D are corporate use cases where the requests come from a single geographic location or appear to come from one (because of the VPN). These use cases will generally not see benefit from Amazon CloudFront.

When building a Distributed Denial of Service (DDoS)-resilient architecture, how does Amazon Virtual Private Cloud (Amazon VPC) help minimize the attack surface area? (Choose 2 answers) 1. Reduces the number of necessary Internet entry points 2. Combines end user traffic with management traffic 3. Obfuscates necessary Internet entry points to the level that untrusted end users cannot access them 4. Adds non-critical Internet entry points to the architecture 5. Scales the network to absorb DDoS attacks

1,3 (A,C). The attack surface is composed of the different Internet entry points that allow access to your application. The strategy to minimize the attack surface area is to (a) reduce the number of necessary Internet entry points, (b) eliminate non-critical Internet entry points, (c) separate end user traffic from management traffic, (d) obfuscate necessary Internet entry points to the level that untrusted end users cannot access them, and (e) decouple Internet entry points to minimize the effects of attacks. This strategy can be accomplished with Amazon VPC.

With regard to vulnerability scans and threat assessments of the AWS platform, which of the following statements are true? (Choose two.) 1. AWS regularly performs scans of public-facing endpoint IP addresses for vulnerabilities. 2. Scans performed by AWS include customer instances. 3. AWS security notifies the appropriate parties to remediate any identified vulnerabilities. 4. Customers can perform their own scans at any time without advance notice.

1,3 (A,C). AWS regularly scans public-facing, non-customer endpoint IP addresses and notifies appropriate parties. AWS does not scan customer instances, and customers must request the ability to perform their own scans in advance, therefore answers A and C are correct.

Which of the following are IAM security features? (Choose 2 answers) 1. Password policies 2. Amazon DynamoDB global secondary indexes 3. MFA 4. Consolidated Billing

1,3 (A,C). Amazon DynamoDB global secondary indexes are a performance feature of Amazon DynamoDB; Consolidated Billing is an accounting feature allowing all bills to roll up under a single account. While both are very valuable features, neither is a security feature.

Amazon Kinesis Firehose receives stream data and stores it in __1__, __2__, __3__.

1/ Amazon S3, 2/ Amazon Redshift, or 3/ Amazon Elasticsearch

Amazon Glacier is well-suited to data that is which of the following? (Choose 2 answers) 1. Is infrequently or rarely accessed 2. Must be immediately available when needed 3. Is available after a three- to five-hour restore period 4. Is frequently erased within 30 days

1,3 (A,C). Amazon Glacier is optimized for long-term archival storage and is not suited to data that needs immediate access or short-lived data that is erased within 90 days.

An Auto Scaling group may use: (Choose 2 answers) 1. On-Demand Instances 2. Stopped instances 3. Spot Instances 4. On-premises instances 5. Already running instances if they use the same Amazon Machine Image (AMI) as the Auto Scaling group's launch configuration and are not already part of another Auto Scaling group

1,3 (A,C). An Auto Scaling group may use On-Demand and Spot Instances. An Auto Scaling group may not use already stopped instances, instances running someplace other than AWS, and already running instances not started by the Auto Scaling group itself.

You have a workload that requires 15,000 consistent IOPS for data that must be durable. What combination of the following steps do you need? (Choose 2 answers) 1. Use an Amazon Elastic Block Store (Amazon EBS)-optimized instance. 2. Use an instance store. 3. Use a Provisioned IOPS SSD volume. 4. Use a magnetic volume.

1,3 (A,C). B and D are incorrect because an instance store will not be durable and a magnetic volume offers an average of 100 IOPS. Amazon EBS-optimized instances reserve network bandwidth on the instance for IO, and Provisioned IOPS SSD volumes provide the highest consistent IOPS.

Which of the following are found in an IAM policy? (Choose 2 answers) 1. Service Name 2. Region 3. Action 4. Password

1,3 (A,C). IAM policies are independent of region, so no region is specified in the policy. IAM policies are about authorization for an already-authenticated principal, so no password is needed.

Which of the following are features of Amazon Elastic Block Store (Amazon EBS)? (Choose 2 answers) 1. Data stored on Amazon EBS is automatically replicated within an Availability Zone. 2. Amazon EBS data is automatically backed up to tape. 3. Amazon EBS volumes can be encrypted transparently to workloads on the attached instance. 4. Data on an Amazon EBS volume is lost when the attached instance is stopped.

1,3 (A,C). There are no tapes in the AWS infrastructure. Amazon EBS volumes persist when the instance is stopped. The data is automatically replicated within an availability zone. Amazon EBS volumes can be encrypted upon creation and used by an instance in the same manner as if they were not encrypted.

You have purchased an m3.xlarge Linux Reserved instance in us-east-1a. In which ways can you modify this reservation? (Choose 2 answers) 1. Change it into two m3.large instances. 2. Change it to a Windows instance. 3. Move it to us-east-1b. 4. Change it to an m4.xlarge.

1,3 (A,C). You can change the instance type only within the same instance type family, or you can change the availability zone. You cannot change the operating system nor the instance type family.

What are use cases where CloudFront would be inappropriate?

1/ All users are in one geographical location 2/ All users, even if they are geographically distributed, come through a corporate VPN

Elastic Load Balancing health checks may be: (Choose 3 answers) 1. A ping 2. A key pair verification 3. A connection attempt 4. A page request 5. An Amazon Elastic Compute Cloud (Amazon EC2) instance status check

1,3,4 (A,C,D). An Elastic Load Balancing health check may be a ping, a connection attempt, or a page that is checked.

Which of the following techniques can you use to help you meet Recovery Point Objective (RPO) and Recovery Time Objective (RTO) requirements? (Choose 3 answers) 1. DB snapshots 2. DB option groups 3. Read replica 4. Multi-AZ deployment

1,3,4 (A,C,D). DB snapshots allow you to back up and recover your data, while read replicas and a Multi-AZ deployment allow you to replicate your data and reduce the time to failover.

Your security team is very concerned about the vulnerability of the IAM administrator user accounts (the accounts used to configure all IAM features and accounts). What steps can be taken to lock down these accounts? (Choose 3 answers) 1. Add multi-factor authentication (MFA) to the accounts. 2. Limit logins to a particular U.S. state. 3. Implement a password policy on the AWS account. 4. Apply a source IP address condition to the policy that only grants permissions when the user is on the corporate network. 5. Add a CAPTCHA test to the accounts.

1,3,4 (A,C,D). Neither B nor E are features supported by IAM.

Which of the following are features of Amazon Simple Notification Service (Amazon SNS)? (Choose 3 answers) 1. Publishers 2. Readers 3. Subscribers 4. Topic

1,3,4 (A,C,D). Publishers, subscribers, and topics are the correct answers. You have subscribers to an Amazon SNS topic, not readers.

Which of the following are based on temporary security tokens? (Choose 2 answers) 1. Amazon EC2 roles 2. MFA 3. Root user 4. Federation

1,4 (A,D). Amazon EC2 roles provide a temporary token to applications running on the instance; federation maps policies to identities from other sources via temporary tokens.

Which of the following are required elements of an Auto Scaling group? (Choose 2 answers) 1. Minimum size 2. Health checks 3. Desired capacity 4. Launch configuration

1,4 (A,D). An Auto Scaling group must have a minimum size and a launch configuration defined in order to be created. Health checks and a desired capacity are optional.

Your e-commerce site was designed to be stateless and currently runs on a fleet of Amazon Elastic Compute Cloud (Amazon EC2) instances. In an effort to control cost and increase availability, you have a requirement to scale the fleet based on CPU and network utilization to match the demand curve for your site. What services do you need to meet this requirement? (Choose 2 answers) 1. Amazon CloudWatch 2. Amazon DynamoDB 3. Elastic Load Balancing 4. Auto Scaling 5. Amazon Simple Storage Service (Amazon S3)

1,4 (A,D). Auto Scaling enables you to follow the demand curve for your applications closely, reducing the need to provision Amazon EC2 capacity manually in advance. For example, you can set a condition to add new Amazon EC2 instances in increments to the Auto Scaling group when the average CPU and network utilization of your Amazon EC2 fleet monitored in Amazon CloudWatch is high; similarly, you can set a condition to remove instances in the same increments when CPU and network utilization are low.

What are the AWS Lambda Deployment Limits?

1. Lambda function deployment package size (.zip/.jar file) --> 50 MB 2. Total size of all the deployment packages that can be uploaded per region --> 75 GB 3. Size of code/dependencies that you can zip into a deployment package (uncompressed zip/jar size) --> 250 MB 4. Total size of environment variables set --> 4 KB

What are the Auto Scaling Components?

1. Launch Configuration 2. Auto Scaling group 3. Scaling Policy

To transition a file from S3 to S3-IA what is the minimum file size?

128 KB

What is needed before you can enable cross-region replication on an Amazon Simple Storage Service (Amazon S3) bucket? (Choose 2 answers) 1. Enable versioning on the bucket. 2. Enable a lifecycle rule to migrate data to the second region. 3. Enable static website hosting. 4. Create an AWS Identity and Access Management (IAM) policy to allow Amazon S3 to replicate objects on your behalf.

1,4 (A,D). You must enable versioning before you can enable cross-region replication, and Amazon S3 must have IAM permissions to perform the replication. Lifecycle rules migrate data from one storage class to another, not from one bucket to another. Static website hosting is not a prerequisite for replication.

Which of the following AWS cloud services are designed according to the Multi-AZ principle? (Choose 2 answers) 1. Amazon DynamoDB 2. Amazon ElastiCache 3. Elastic Load Balancing 4. Amazon Virtual Private Cloud (Amazon VPC) 5. Amazon Simple Storage Service (Amazon S3)

1,5 (A,E). Amazon DynamoDB runs across AWS proven, high-availability data centers. The service replicates data across three facilities in an AWS region to provide fault tolerance in the event of a server failure or Availability Zone outage. Amazon S3 provides durable infrastructure to store important data and is designed for durability of 99.999999999% of objects. Your data is redundantly stored across multiple facilities and multiple devices in each facility. While Elastic Load Balancing and Amazon ElastiCache can be deployed across multiple Availability Zones, you must explicitly take such steps when creating them.

Amazon CloudWatch supports which types of monitoring plans? (Choose 2 answers) 1. Basic monitoring, which is free 2. Basic monitoring, which has an additional cost 3. Ad hoc monitoring, which is free 4. Ad hoc monitoring, which has an additional cost 5. Detailed monitoring, which is free 6. Detailed monitoring, which has an additional cost

1,6 (A,F). Amazon CloudWatch has two plans: basic, which is free, and detailed, which has an additional cost. There is no ad hoc plan for Amazon CloudWatch.

Which of the following statements about Auto Scaling groups is inaccurate? 1. When you create an Auto Scaling group, you can optionally specify a launch configuration. 2. An Auto Scaling group maintains the desired capacity by performing periodic health checks on the instances in the group. 3. You can use scaling policies to increase or decrease the number of running EC2 instances. 4. You can manually change the size of an existing Auto Scaling group.

1.

What are the Auto Scaling plans?

1. *Maintain current instance levels*: when a bad instance is found it is killed and a new one is launched automatically. 2. *Manual Scaling*: you specify the increase or decrease of instances and Auto Scaling starts new instances or kills off instances. 3. *Scheduled Scaling*: scaling actions are performed automatically as a function of time and date. 4. *Dynamic Scaling*: lets you define parameters that control the Auto Scaling process in a scaling policy.

What kind of SWF actors are there?

1. *starters* - any application that can initiate workflow executions 2. *deciders* - the logic that coordinates the tasks in a workflow is called the decider 3. *activity worker* - a single computer process (or thread) that performs the activity tasks in your workflow

What kind of SWF tasks are there?

1. Activity Tasks 2. AWS Lambda Tasks 3. Decision Tasks

What are some notable differences between glacier and S3?

1. Amazon Glacier supports 40TB archives versus 5TB objects in Amazon S3. 2. Archives in Amazon Glacier are identified by system-generated archive IDs, while Amazon S3 lets you use "friendly" key names. 3. Amazon Glacier archives are automatically encrypted, while encryption at rest is optional in Amazon S3. However, by using Amazon Glacier as an Amazon S3 storage class together with object lifecycle policies, you can use the Amazon S3 interface to get most of the benefits of Amazon Glacier without learning a new interface.

You can use the Amazon CloudFront distribution domain name as-is, or you can create a user-friendly DNS name in your own domain by creating a __1__ record in Amazon Route 53 or another DNS service. The __1__ is automatically redirected to your Amazon CloudFront distribution domain name.

1. CNAME

SQS message lifecycle

1. Component 1 sends Message A to a queue, and the message is redundantly distributed across the Amazon SQS servers. 2. When Component 2 is ready to process a message, it retrieves messages from the queue, and Message A is returned. While Message A is being processed, it remains in the queue and is not returned to subsequent receive requests for the duration of the visibility timeout. 3. Component 2 deletes Message A from the queue to prevent the message from being received and processed again after the visibility timeout expires.

You can specify Route 53 geographic locations by __1__, __2__, __3__

1. Continent 2. Country 3. State in the United States

What are the Architecture best practices?

1. Design for failure and nothing will fail 2. Implement elasticity 3. Leverage different storage options 4. Build security in every layer 5. Think parallel 6. Loose coupling sets you free 7. Don't fear constraints

There are three configurations for AWS Storage Gateway: __1__, __2__, __3__.

1. Gateway-Cached volumes, 2. Gateway-Stored volumes, and 3. Gateway-Virtual Tape Libraries (VTL)

Explain how you can grant applications access to AWS services in a secure way. Also explain why this is a secure way.

1. How: it's best done using roles and assigning them to the EC2 instances (or Lambda function). 2. Why: because using access keys (or worse: username & password) requires you to store the key where the application (and thus others) have access to it. Furthermore, the access key is vulnerable to being intercepted while transiting between the application and the service. When the application running on the instance uses the Application Programming Interface (API) to access the Amazon S3 bucket, it assumes the role assigned to the instance and obtains a temporary token that it sends to the API. The process of obtaining the temporary

What are my options if I want to move an application which manages identities (of the users using the application)?

1. If you are migrating an existing on-premises application that already has its own user repository and authentication / authorization mechanism, then that should continue to work when you deploy on AWS and is probably the right choice. 2. If your application identities are based on Active Directory, your on-premises Active Directory can be extended into the cloud to continue to fill that need. A great solution for using Active Directory in the cloud is AWS Directory Service, which is an Active Directory-compatible directory service that can work on its own or integrate with your on-premises Active Directory. 3. If you are working with a mobile app, consider Amazon Cognito for identity management for mobile applications.

How are multiple permissions resolved in AWS IAM?

1. Initially the request is denied by default. 2. All the appropriate policies are evaluated; if there is an explicit "deny" found in any policy, the request is denied and evaluation stops. 3. If no explicit "deny" is found and an explicit "allow" is found in any policy, the request is allowed. 4. If there are no explicit "allow" or "deny" permissions found, then the default "deny" is maintained and the request is denied. The only exception to this rule is if an AssumeRole call includes a role and a policy, the policy cannot expand the privileges of the role (for example, the policy cannot override any permission that is denied by default in the role).

Architecture Best Practice: Build security in every layer

1. Inventory your data, prioritize it by value, and apply the appropriate level of encryption for the data in transit and at rest. 2. Build defense in depth: VPC, subnets, Security Groups, routing controls, WAF against SQL injection, IAM, encryption. 3. Offload security responsibility to AWS. 4. Reduce privileged access: use IAM roles; for mobile apps use Cognito; for employees use federated access to give access to resources through temporary tokens. 5. Grant the least privilege required. 6. Use CloudFormation templates to implement security controls. 7. Services like AWS Config Rules, Amazon Inspector, and AWS Trusted Advisor continually monitor for compliance or vulnerabilities, giving you a clear overview of which IT resources are or are not in compliance. 8. Implement extensive logging for your applications using CloudWatch, and for actual AWS API calls use CloudTrail.

How can instances be addressed?

1. Public DNS name. 2. Public IP 3. Elastic IP 1. *Public Domain Name System (DNS) Name*—When you launch an instance, AWS creates a DNS name that can be used to access the instance. This DNS name is generated automatically and cannot be specified by the customer. The name can be found in the Description tab of the AWS Management Console or via the Command Line Interface (CLI) or Application 2. *Public IP*—A launched instance may also have a public IP address assigned. This IP address is assigned from the addresses reserved by AWS and cannot be specified. This IP address is unique on the Internet, persists only while the instance is running, and cannot be transferred to another instance. 3. *Elastic IP*—An elastic IP address is an address unique on the Internet that you reserve independently and associate with an Amazon EC2 instance. While similar to a public IP, there are some key differences. This IP address persists until the customer releases it and is not tied to the lifetime or state of an individual instance. Because it can be transferred to a replacement instance in the event of an instance failure, it is a public address that can be shared externally without coupling clients to a particular instance.

What is the S3 data consistency model?

1. Read after Write consistency for PUTs of NEW objects 2. Eventual consistency for overwrite PUTs and DELETEs (can take some time to propagate).

What are the options to encrypt data at rest in S3?

1. SSE-S3 (AWS-Managed Keys) 2. SSE-KMS (AWS KMS Keys) 3. SSE-C (Customer-Provided Keys) 4. Client-Side Encryption

What types of AWS Import/Export are there?

1. Snowball 2. Import/Export Disk 3. Snowmobile

What are the available lifecycle actions on a running EC2 instance?

1. Stop 2. Reboot 3. Terminate. Except for "Reboot", all ephemeral data is lost after triggering the action.

What Lambda metrics are recorded by CloudWatch?

1. Total invocations, 2. Errors, 3. Duration, and 4. Throttles

There are three core concepts that you need to understand in order to start using CloudFront: __1__, __2__, __3__

1. distributions, 2. origins, and 3. cache control

DynamoDB Stream records are organized into __1__. Each shard acts as a container for multiple stream records and contains information on accessing and iterating through the records. __1__ live for a maximum of __2__ and, with fluctuating load levels, could be split one or more times before they are eventually closed.

1. groups, also referred to as shards 2. 24 hours

RDS security best practices

1. Protect access to your infrastructure resources using AWS IAM policies that limit which actions AWS administrators can perform 2. Deploy the RDS instances into PRIVATE subnets within a VPC that limits access to the DB Instance 3. Limit inbound traffic to a short list of source IP addresses 4. At DB level use engine-specific access control and user management mechanisms 5. Give DB users strong passwords 6. Use in-transit and at-rest encryption to protect the data

When a table is created, Amazon DynamoDB configures the table's partitions based on __1__. One single partition can hold about __2__ of data and supports a maximum of __3__ read capacity units or __4__ write capacity units. For partitions that are not fully using their provisioned capacity, Amazon DynamoDB provides some burst capacity to handle spikes in traffic. A portion of your unused capacity will be reserved to handle bursts for short periods.

1. the desired read and write capacity 2. 10GB 3. 3,000 4. 1,000

How can you control IAM?

1. through the AWS Admin Console 2. through the AWS CLI 3. using the AWS SDKs or APIs

Architecture Best Practice: what are the elasticity related questions I need to ask myself when designing a cloud architecture?

1. what components or layers in my application architecture can become elastic? 2. What will it take to make that component elastic? 3. what will be the impact of implementing elasticity to my overall system architecture?

When configuring a NAT Instance what are important attention points?

1. You have to disable the "source/destination" check in order for traffic to go through the instance 2. You have to allow "HTTP" & "HTTPS" in the NAT Instance's Security Group if you want instances "behind" the NAT to be able to reach the internet through those protocols 3. If you want to make the NAT Instance resilient you'll need to use Auto Scaling groups and such (this is not provided automatically)

What are the types of Directory Services offered by AWS Directory Service?

1/ *MS Active Directory*: managed Microsoft Active (Enterprise) Directory hosted on the AWS cloud. 2/ *Simple AD*: Microsoft Active Directory compatible directory from AWS Directory Service that is powered by Samba 4. 3/ *AD Connector*: a proxy service for connecting your on-premises Microsoft Active Directory to the AWS cloud without requiring complex directory synchronization or the cost and complexity of hosting a federation infrastructure.

The maximum length of an SQS message ID is __1__ characters. The maximum length of a receipt handle is __2__ characters.

1/ 100 2/ 1,024

Four AWS services that are directly related to the specific security purposes: __1__, __2__, __3__, and __4__

1/ AWS Directory Service for identity management, 2/ AWS Key Management Service (KMS), 3/ AWS CloudHSM for key management, and 4/ AWS CloudTrail for auditing.

Amazon SNS consists of two types of clients: __1__ and __2__

1/ publishers (sometimes known as producers) and 2/ subscribers (sometimes known as consumers). Publishers communicate to subscribers asynchronously by sending a message to a topic. A topic is simply a logical access point/ communication channel that contains a list of subscribers and the methods used to communicate to them. When you send a message to a topic, it is automatically forwarded to each subscriber of that topic using the communication method configured for that subscriber.

Amazon SQS uses three identifiers that you need to be familiar with: __1__, __2__, __3__

1/ queue URLs, 2/ message IDs, and 3/ receipt handles.

When you use AWS CloudFormation, you work with __1__, __2__, __3__

1/ templates: describe the resources to create 2/ stacks: the instantiation of templates 3/ parameters: the customization of templates (e.g. region, VPC id...)

What are the types of Hadoop clusters?

1/ transient: a cluster that is started when needed and stopped when done --> either HDFS or EMRFS is an option 2/ persistent: a cluster that continues to run 24x7 once it's been started. Such a cluster needs low latency and persistent storage --> HDFS + EBS or instance storage

Which types of applications can Elastic Beanstalk deploy?

1/ web server tier applications: a web application that handles HTTP(S) requests 2/ worker tier applications: runs background jobs

NAT Gateways can scale up to _________ Gbps.

10

What is the maximum number of dimensions that a user can assign to a CloudWatch metric?

10 A dimension is a key-value pair used to uniquely identify a metric. CloudWatch can aggregate the data based on the dimension. One metric can have a maximum of 10 dimensions.

What comes with FREE CloudWatch service?

10 CloudWatch metrics, 10 alarms, 1,000,000 API requests, and 1,000 Amazon SNS email notifications per customer per month for free.

Max DB size allowed for SQL Server Express edition?

10 GB

What is the maximum database size for RDS SQL Server Express

10 GB per database

Placement groups support high network bandwidth of up to ______ Gbps.

10 Gbps

As per the AWS SLA, if the volume is attached to an EBS-Optimized instance, then Provisioned IOPS volumes are designed to deliver within _____% of the provisioned IOPS performance 99.9% of the time in a given year.

10%. Thus, if the user has created a volume of 1000 IOPS, the user will get a minimum 900 IOPS 99.9% time of the year.

How many S3 buckets can I have per account by default?

100

What is the maximum number of launch configurations per region?

100

The max number of Glacier Vaults per account is _____

1000

Redshift uses ___________ block size for columnar storage.

1024 KB (1 MB)

Amazon's Redshift uses which block size for its columnar storage?

1024KB / 1MB

In RDS what is the maximum size for a Microsoft SQL Server DB with SQL Server Express edition?

10GB per Database

What is the network bandwidth between instances in a placement group within a single VPC?

10Gbps, given you choose an instance type that supports enhanced networking

Amazon SQS supports a maximum visibility timeout of _____.

12 hours

SQS visibility timeout is ________________.

12 hrs

You can have up to _____ SQS messages in flight at any given time.

120,000

You have an application that will run on an Amazon Elastic Compute Cloud (Amazon EC2) instance. The application will make requests to Amazon Simple Storage Service (Amazon S3) and Amazon DynamoDB. Using best practices, what type of AWS Identity and Access Management (IAM) identity should you create for your application to access the identified services? 1. IAM role 2. IAM user 3. IAM group 4. IAM directory

1?

How small can an S3 file be?

1B

If the result set for a DynamoDB Query or a Scan exceeds _____, you can page through the results in ______ increments.

1MB, 1MB

CloudWatch stores your metric data for _______ weeks.

2

The default maximum number of Access Keys per user is ___

2

Your company's IT management team is looking for an online tool to provide recommendations to save money, improve system availability and performance, and to help close security gaps. What can help the management team? 1. Cloud-init 2. AWS Trusted Advisor 3. AWS Config 4. Configuration Recorder

2 (B). AWS Trusted Advisor inspects your AWS environment and makes recommendations when opportunities exist to save money, improve system availability and performance, or help close security gaps. AWS Trusted Advisor draws upon best practices learned from the aggregated operational history of serving hundreds of thousands of AWS customers.

Which port number is used to serve requests by DNS? 1. 22 2. 53 3. 161 4. 389

2 (B). DNS uses port number 53 to serve requests.

Where do you register a domain name? 1. With your local government authority 2. With a domain registrar 3. With InterNIC directly 4. With the Internet Assigned Numbers Authority (IANA)

2 (B). Domain names are registered with a domain registrar, which then registers the name to InterNIC.

Your company wants to extend their existing Microsoft Active Directory capability into an Amazon Virtual Private Cloud (Amazon VPC) without establishing a trust relationship with the existing on-premises Active Directory. Which of the following is the best approach to achieve this goal? 1. Create and connect an AWS Directory Service AD Connector. 2. Create and connect an AWS Directory Service Simple AD. 3. Create and connect an AWS Directory Service for Microsoft Active Directory (Enterprise Edition). 4. None of the above.

2 (B). Simple AD is a Microsoft Active Directory-compatible directory that is powered by Samba 4. Simple AD supports commonly used Active Directory features such as user accounts, group memberships, domain-joining Amazon Elastic Compute Cloud (Amazon EC2) instances running Linux and Microsoft Windows, Kerberos-based Single Sign-On (SSO), and group policies.

In Amazon Simple Workflow Service (Amazon SWF), a decider is responsible for what? 1. Executing each step of the work 2. Defining work coordination logic by specifying work sequencing, timing, and failure conditions 3. Executing your workflow 4. Registering activities and workflow with Amazon SWF

2 (B). The decider schedules the activity tasks and provides input data to the activity workers. The decider also processes events that arrive while the workflow is in progress and closes the workflow when the objective has been completed.

Which of the following is the name of the security model employed by AWS with its customers? 1. The shared secret model 2. The shared responsibility model 3. The shared secret key model 4. The secret key responsibility model

2 (B). The shared responsibility model is the name of the model employed by AWS with its customers.

By default, each subnet allows __________ IP addresses.

251

What are the different hosted zones that can be created in Amazon Route 53? (1) Public hosted zone (2) Global hosted zone (3) Private hosted zone 1. 1 and 2 2. 1 and 3 3. 2 and 3 4. 1, 2, and 3

2 (B). Using Amazon Route 53, you can create two types of hosted zones: public hosted zones and private hosted zones.

You host a web application across multiple AWS regions in the world, and you need to configure your DNS so that your end users will get the fastest network performance possible. Which routing policy should you apply? 1. Geolocation routing 2. Latency-based routing 3. Simple routing 4. Weighted routing

2 (B). You want your users to have the fastest network access possible. To do this, you would use latency-based routing. Geolocation routing would not achieve this as well as latency-based routing, which is specifically geared toward measuring the latency and thus would direct you to the AWS region in which you would have the lowest latency.

Which of the following AWS resources would you use in order for an EC2-VPC instance to resolve DNS names outside of AWS? 1. A VPC peering connection 2. A DHCP option set 3. A routing rule 4. An IGW

2 (B). A DHCP option set allows customers to define DNS servers for DNS name resolution, establish domain names for instances within an Amazon VPC, define NTP servers, and define the NetBIOS name servers.

What is the deployment term for an environment that extends an existing on-premises infrastructure into the cloud to connect cloud resources to internal systems? 1. All-in deployment 2. Hybrid deployment 3. On-premises deployment 4. Scatter deployment

2 (B). A hybrid deployment is a way to connect infrastructure and applications between cloud-based resources and existing resources that are not located in the cloud. An all-in deployment refers to an environment that exclusively runs in the cloud. An on-premises deployment refers to an environment that runs exclusively in an organization's data center.

Which of the following Amazon Virtual Private Cloud (Amazon VPC) elements acts as a stateless firewall? 1. Security group 2. Network Access Control List (ACL) 3. Network Address Translation (NAT) instance 4. An Amazon VPC endpoint

2 (B). A network ACL is an optional layer of security for your Amazon VPC that acts as a firewall for controlling traffic in and out of one or more subnets. You might set up network ACLs with rules similar to your security groups in order to add an additional layer of security to your Amazon VPC.

Which of the following best describes the risk and compliance communication responsibilities of customers to AWS? 1. AWS and customers both communicate their security and control environment information to each other at all times. 2. AWS publishes information about the AWS security and control practices online, and directly to customers under NDA. Customers do not need to communicate their use and configurations to AWS. 3. Customers communicate their use and configurations to AWS at all times. AWS does not communicate AWS security and control practices to customers for security reasons. 4. Both customers and AWS keep their security and control practices entirely confidential and do not share them in order to ensure the greatest security for all parties.

2 (B). AWS publishes information publicly online and directly to customers under NDA, but customers are not required to share their use and configuration information with AWS, therefore answer B is correct.

How large can a SQS message be in size?

256 KB

Which is an operational process performed by AWS for data security? 1. Advanced Encryption Standard (AES)-256 encryption of data stored on any shared storage device 2. Decommissioning of storage devices using industry-standard practices 3. Background virus scans of Amazon Elastic Block Store (Amazon EBS) volumes and Amazon EBS snapshots 4. Replication of data across multiple AWS regions 5. Secure wiping of Amazon EBS data when an Amazon EBS volume is unmounted

2 (B). All decommissioned magnetic storage devices are degaussed and physically destroyed in accordance with industry-standard practices.

You are running a suite of microservices on AWS Lambda that provide the business logic and access to data stored in Amazon DynamoDB for your task management system. You need to create well-defined RESTful Application Program Interfaces (APIs) for these microservices that will scale with traffic to support a new mobile application. What AWS Cloud service can you use to create the necessary RESTful APIs? 1. Amazon Kinesis 2. Amazon API Gateway 3. Amazon Cognito 4. Amazon Elastic Compute Cloud (Amazon EC2) Container Registry

2 (B). Amazon API Gateway is a fully managed service that makes it easy for developers to publish, maintain, monitor, and secure APIs at any scale. You can create an API that acts as a "front door" for applications to access data, business logic, or functionality from your code running on AWS Lambda. Amazon API Gateway handles all of the tasks involved in accepting and processing up to hundreds of thousands of concurrent API calls, including traffic management, authorization and access control, monitoring, and API version management.

You are building a media-sharing web application that serves video files to end users on both PCs and mobile devices. The media files are stored as objects in an Amazon Simple Storage Service (Amazon S3) bucket, but are to be delivered through Amazon CloudFront. What is the simplest way to ensure that only Amazon CloudFront has access to the objects in the Amazon S3 bucket? 1. Create Signed URLs for each Amazon S3 object. 2. Use an Amazon CloudFront Origin Access Identifier (OAI). 3. Use public and private keys with signed cookies. 4. Use an AWS Identity and Access Management (IAM) bucket policy.

2 (B). Amazon CloudFront OAI is a special identity that can be used to restrict access to an Amazon S3 bucket only to an Amazon CloudFront distribution. Signed URLs, signed cookies, and IAM bucket policies can help to protect content served through Amazon CloudFront, but OAIs are the simplest way to ensure that only Amazon CloudFront has access to a bucket.

Which of the following AWS Cloud services is a fully managed NoSQL database service? 1. Amazon Simple Queue Service (Amazon SQS) 2. Amazon DynamoDB 3. Amazon ElastiCache 4. Amazon Relational Database Service (Amazon RDS)

2 (B). Amazon DynamoDB is a fully managed, fast, and flexible NoSQL database service for all applications that need consistent, single-digit millisecond latency at any scale. Amazon SQS, Amazon ElastiCache, and Amazon RDS do not provide a NoSQL database service. Amazon SQS is a managed message queuing service. Amazon ElastiCache is a service that provides in-memory cache in the cloud. Finally, Amazon RDS provides managed relational databases.

Government regulations require that your company maintain all correspondence for a period of seven years for compliance reasons. What is the best storage mechanism to keep this data secure in a cost-effective manner? 1. Amazon S3 2. Amazon Glacier 3. Amazon EBS 4. Amazon EFS

2 (B). Amazon Glacier enables businesses and organizations to retain data for months, years, or decades, easily and cost effectively. With Amazon Glacier, customers can retain more of their data for future analysis or reference, and they can focus on their business instead of operating and maintaining their storage infrastructure. Customers can also use Amazon Glacier Vault Lock to meet regulatory and compliance archiving requirements.

Your company has 50,000 weather stations around the country that send updates every 2 seconds. What service will enable you to ingest this stream of data and store it to Amazon Simple Storage Service (Amazon S3) for future processing? 1. Amazon Simple Queue Service (Amazon SQS) 2. Amazon Kinesis Firehose 3. Amazon Elastic Compute Cloud (Amazon EC2) 4. Amazon Data Pipeline

2 (B). Amazon Kinesis Firehose allows you to ingest massive streams of data and store the data on Amazon S3 (as well as Amazon Redshift and Amazon Elasticsearch).

Which AWS database service is best suited for traditional Online Transaction Processing (OLTP)? 1. Amazon Redshift 2. Amazon Relational Database Service (Amazon RDS) 3. Amazon Glacier 4. Elastic Database

2 (B). Amazon RDS is best suited for traditional OLTP transactions. Amazon Redshift, on the other hand, is designed for OLAP workloads. Amazon Glacier is designed for cold archival storage.

Your company has 100TB of financial records that need to be stored for seven years by law. Experience has shown that any record more than one-year old is unlikely to be accessed. Which of the following storage plans meets these needs in the most cost efficient manner? 1. Store the data on Amazon Elastic Block Store (Amazon EBS) volumes attached to t2.micro instances. 2. Store the data on Amazon Simple Storage Service (Amazon S3) with lifecycle policies that change the storage class to Amazon Glacier after one year and delete the object after seven years. 3. Store the data in Amazon DynamoDB and run daily script to delete data older than seven years. 4. Store the data in Amazon Elastic MapReduce (Amazon EMR).

2 (B). Amazon S3 is the most cost effective storage on AWS, and lifecycle policies are a simple and effective feature to address the business requirements.

Your company provides transcoding services for amateur producers to format their short films to a variety of video formats. Which service provides the best option for storing the videos? 1. Amazon Glacier 2. Amazon Simple Storage Service (Amazon S3) 3. Amazon Relational Database Service (Amazon RDS) 4. AWS Storage Gateway

2 (B). Amazon S3 provides highly durable and available storage for a variety of content. Amazon S3 can be used as a big data object store for all of the videos. Amazon S3's low cost combined with its design for durability of 99.999999999% and for up to 99.99% availability make it a great storage choice for transcoding services.

You have a popular web application that accesses data stored in an Amazon Simple Storage Service (Amazon S3) bucket. You expect the access to be very read-intensive, with expected request rates of up to 500 GETs per second from many clients. How can you increase the performance and scalability of Amazon S3 in this case? 1. Turn on cross-region replication to ensure that data is served from multiple locations. 2. Ensure randomness in the namespace by including a hash prefix to key names. 3. Turn on server access logging. 4. Ensure that key names are sequential to enable pre-fetch.

2 (B). Amazon S3 scales automatically, but for request rates over 100 GETs per second, it helps to make sure there is some randomness in the key space. Replication and logging will not affect performance or scalability. Using sequential key names could have a negative effect on performance or scalability.

A media sharing application is producing a very high volume of data in a very short period of time. Your back-end services are unable to manage the large volume of transactions. What option provides a way to manage the flow of transactions to your back-end services? 1. Store the inbound transactions in an Amazon Relational Database Service (Amazon RDS) instance so that your back-end services can retrieve them as time permits. 2. Use an Amazon Simple Queue Service (Amazon SQS) queue to buffer the inbound transactions. 3. Use an Amazon Simple Notification Service (Amazon SNS) topic to buffer the inbound transactions. 4. Store the inbound transactions in an Amazon Elastic MapReduce (Amazon EMR) cluster so that your back-end services can retrieve them as time permits.

2 (B). Amazon SQS is a fast, reliable, scalable, and fully managed message queuing service. Amazon SQS should be used to decouple the large volume of inbound transactions, allowing the back-end services to manage the level of throughput without losing messages.

Your company provides a mobile voting application for a popular TV show, and 5 to 25 million viewers all vote in a 15-second timespan. What mechanism can you use to decouple the voting application from your back-end services that tally the votes? 1. AWS CloudTrail 2. Amazon Simple Queue Service (Amazon SQS) 3. Amazon Redshift 4. Amazon Simple Notification Service (Amazon SNS)

2 (B). Amazon SQS is a fast, reliable, scalable, fully managed message queuing service that allows organizations to decouple the components of a cloud application. With Amazon SQS, organizations can transmit any volume of data, at any level of throughput, without losing messages or requiring other services to be always available. AWS CloudTrail records AWS API calls, and Amazon Redshift is a data warehouse, neither of which would be useful as an architecture component for decoupling components. Amazon SNS provides a messaging bus complement to Amazon SQS; however, it doesn't provide the decoupling of components necessary for this scenario.

You are designing a new application, and you need to ensure that the components of your application are not tightly coupled. You are trying to decide between the different AWS cloud services to use to achieve this goal. Your requirements are that messages between your application components may not be delivered more than once, tasks must be completed in either a synchronous or asynchronous fashion, and there must be some form of application logic that decides what to do when tasks have been completed. What application service should you use? 1. Amazon Simple Queue Service (Amazon SQS) 2. Amazon Simple Workflow Service (Amazon SWF) 3. Amazon Simple Storage Service (Amazon S3) 4. Amazon Simple Email Service (Amazon SES)

2 (B). Amazon SWF would best serve your purpose in this scenario because it helps developers build, run, and scale background jobs that have parallel or sequential steps. You can think of Amazon SWF as a fully-managed state tracker and task coordinator in the Cloud.

Which of the following statements best describes an availability zone? 1. Each availability zone consists of a single discrete data center with redundant power and networking/connectivity. 2. Each availability zone consists of multiple discrete data centers with redundant power and networking/connectivity. 3. Each availability zone consists of multiple discrete regions, each with a single data center with redundant power and networking/connectivity. 4. Each availability zone consists of multiple discrete data centers with shared power and redundant networking/connectivity.

2 (B). An availability zone consists of multiple discrete data centers, each with their own redundant power and networking/connectivity, therefore answer B is correct.

Which Amazon VPC feature allows you to create a dual-homed instance? 1. EIP address 2. ENI 3. Security groups 4. CGW

2 (B). Attaching an ENI associated with a different subnet to an instance can make the instance dual-homed.

For an application running in the ap-northeast-1 region with three Availability Zones (ap-northeast-1a, ap-northeast-1b, and ap-northeast-1c), which instance deployment provides high availability for the application that normally requires nine running Amazon Elastic Compute Cloud (Amazon EC2) instances but can run on a minimum of 65 percent capacity while Auto Scaling launches replacement instances in the remaining Availability Zones? 1. Deploy the application on four servers in ap-northeast-1a and five servers in ap-northeast-1b, and keep five stopped instances in ap-northeast-1a as reserve. 2. Deploy the application on three servers in ap-northeast-1a, three servers in ap-northeast-1b, and three servers in ap-northeast-1c. 3. Deploy the application on six servers in ap-northeast-1b and three servers in ap-northeast-1c. 4. Deploy the application on nine servers in ap-northeast-1b, and keep nine stopped instances in ap-northeast-1a as reserve.

2 (B). Auto Scaling will provide high availability across three Availability Zones with three Amazon EC2 instances in each and keep capacity above the required minimum capacity, even in the event of an entire Availability Zone becoming unavailable.

How many types of secondary indices are supported in DynamoDB

2: local and global

Every user you create in the IAM system starts with: A. full permissions B. no permissions C. partial permissions

B

Your company has 30 years of financial records that take up 15TB of on-premises storage. It is regulated that you maintain these records, but in the year you have worked for the company no one has ever requested any of this data. Given that the company data center is already filling the bandwidth of its Internet connection, what is an alternative way to store the data on the most appropriate cloud storage? 1. AWS Import/Export to Amazon Simple Storage Service (Amazon S3) 2. AWS Import/Export to Amazon Glacier 3. Amazon Kinesis 4. Amazon Elastic MapReduce (AWS EMR)

2 (B). Because the Internet connection is full, the best solution will be based on using AWS Import/Export to ship the data. The most appropriate storage location for data that must be stored, but is very rarely accessed, is Amazon Glacier.

You have been using Amazon Relational Database Service (Amazon RDS) for the last year to run an important application with automated backups enabled. One of your team members is performing routine maintenance and accidentally drops an important table, causing an outage. How can you recover the missing data while minimizing the duration of the outage? 1. Perform an undo operation and recover the table. 2. Restore the database from a recent automated DB snapshot. 3. Restore only the dropped table from the DB snapshot. 4. The data cannot be recovered.

2 (B). DB Snapshots can be used to restore a complete copy of the database at a specific point in time. Individual tables cannot be extracted from a snapshot.

How is data stored in Amazon Simple Storage Service (Amazon S3) for high durability? 1. Data is automatically replicated to other regions. 2. Data is automatically replicated within a region. 3. Data is replicated only if versioning is enabled on the bucket. 4. Data is automatically backed up on tape and restored if needed.

2 (B). Data is automatically replicated within a region. Replication to other regions and versioning are optional. Amazon S3 data is not backed up to tape.

Which of the following is the name of the feature within Amazon Virtual Private Cloud (Amazon VPC) that allows you to launch Amazon Elastic Compute Cloud (Amazon EC2) instances on hardware dedicated to a single customer? 1. Amazon VPC-based tenancy 2. Dedicated tenancy 3. Default tenancy 4. Host-based tenancy

2 (B). Dedicated instances are physically isolated at the host hardware level from your instances that aren't dedicated instances and from instances that belong to other AWS accounts.

You are building the database tier for an enterprise application that gets occasional activity throughout the day. Which storage type should you select as your default option? 1. Magnetic storage 2. General Purpose Solid State Drive (SSD) 3. Provisioned IOPS (SSD) 4. Storage Area Network (SAN)-attached

2 (B). General Purpose (SSD) volumes are generally the right choice for databases that have bursts of activity.

You have launched an Amazon Linux Elastic Compute Cloud (Amazon EC2) instance into EC2-Classic, and the instance has successfully passed the System Status Check and Instance Status Check. You attempt to securely connect to the instance via Secure Shell (SSH) and receive the response, "WARNING: UNPROTECTED PRIVATE KEY FILE," after which the login fails. Which of the following is the cause of the failed login? 1. You are using the wrong private key. 2. The permissions for the private key are too insecure for the key to be trusted. 3. A security group rule is blocking the connection. 4. A security group rule has not been associated with the private key.

2 (B). If your private key can be read or written to by anyone but you, then SSH ignores your key.

You are responsible for your company's AWS resources, and you notice a significant amount of traffic from an IP address in a foreign country in which your company does not have customers. Further investigation of the traffic indicates the source of the traffic is scanning for open ports on your EC2-VPC instances. Which one of the following resources can deny the traffic from reaching the instances? 1. Security group 2. Network ACL 3. NAT instance 4. An Amazon VPC endpoint

2 (B). Network ACL rules can deny traffic.

You are designing an e-commerce web application that will scale to potentially hundreds of thousands of concurrent users. Which database technology is best suited to hold the session state for large numbers of concurrent users? 1. Relational database using Amazon Relational Database Service (Amazon RDS) 2. NoSQL database table using Amazon DynamoDB 3. Data warehouse using Amazon Redshift 4. Amazon Simple Storage Service (Amazon S3)

2 (B). NoSQL databases like Amazon DynamoDB excel at scaling to hundreds of thousands of requests with key/value access to user profile and session data.

In RDS, changes to the backup window take effect

Immediately

You have valuable media files hosted on AWS and want them to be served only to authenticated users of your web application. You are concerned that your content could be stolen and distributed for free. How can you protect your content? 1. Use static web hosting. 2. Generate pre-signed URLs for content in the web application. 3. Use AWS Identity and Access Management (IAM) policies to restrict access. 4. Use logging to track your content.

2 (B). Pre-signed URLs allow you to grant time-limited permission to download objects from an Amazon Simple Storage Service (Amazon S3) bucket. Static web hosting generally requires world-read access to all content. AWS IAM policies do not know who the authenticated users of the web app are. Logging can help track content loss, but not prevent it.

Which Amazon Relational Database Service (Amazon RDS) database engines support read replicas? 1. Microsoft SQL Server and Oracle 2. MySQL, MariaDB, PostgreSQL, and Aurora 3. Aurora, Microsoft SQL Server, and Oracle 4. MySQL and PostgreSQL

2 (B). Read replicas are supported by MySQL, MariaDB, PostgreSQL, and Aurora.

Which DNS records are commonly used to stop email spoofing and spam? 1. MX records 2. SPF records 3. A records 4. C names

2 (B). SPF records are used to verify authorized senders of mail from your domain.

What aspect of an Amazon VPC is stateful? 1. Network ACLs 2. Security groups 3. Amazon DynamoDB 4. Amazon S3

2 (B). Security groups are stateful, whereas network ACLs are stateless.

Your order-processing application processes orders extracted from a queue with two Reserved Instances processing 10 orders/minute. If an order fails during processing, then it is returned to the queue without penalty. Due to a weekend sale, the queues have several hundred orders backed up. While the backup is not catastrophic, you would like to drain it so that customers get their confirmation emails faster. What is a cost-effective way to drain the queue for orders? 1. Create more queues. 2. Deploy additional Spot Instances to assist in processing the orders. 3. Deploy additional Reserved Instances to assist in processing the orders. 4. Deploy additional On-Demand Instances to assist in processing the orders.

2 (B). Spot Instances are a very cost-effective way to address temporary compute needs that are not urgent and are tolerant of interruption. That's exactly the workload described here. Reserved Instances are inappropriate for temporary workloads. On-Demand Instances are good for temporary workloads, but don't offer the cost savings of Spot Instances. Adding more queues is a non-responsive answer as it would not address the problem.

Which type of DNS record should you use to resolve a domain name to another domain name? 1. An A record 2. A CNAME record 3. An SPF record 4. A PTR record

2 (B). The CNAME record maps a name to another name. It should be used only when there are no other records on that name.

The AWS control environment is in place for the secure delivery of AWS Cloud service offerings. Which of the following does the collective control environment NOT explicitly include? 1. People 2. Energy 3. Technology 4. Processes

2 (B). The collective control environment includes people, processes, and technology necessary to establish and maintain an environment that supports the operating effectiveness of the AWS control framework. Energy is not a discretely identified part of the control environment, therefore B is the correct answer.

What is the default message retention period for Amazon Simple Queue Service (Amazon SQS)? 1. 30 minutes 2. 4 days 3. 30 seconds 4. 14 days

2 (B). The default message retention period that can be set in Amazon SQS is four days.

You have created an Elastic Load Balancing load balancer listening on port 80, and you registered it with a single Amazon Elastic Compute Cloud (Amazon EC2) instance also listening on port 80. A client makes a request to the load balancer with the correct protocol and port for the load balancer. In this scenario, how many connections does the balancer maintain? 1. 1 2. 2 3. 3 4. 4

2 <strong>B.</strong><br>The load balancer maintains two separate connections: one connection with the client and one connection with the Amazon EC2 instance.

What is the longest time available for an Amazon Simple Queue Service (Amazon SQS) long polling timeout? 1. 10 seconds 2. 20 seconds 3. 30 seconds 4. 1 hour

2 <strong>B.</strong><br>The maximum time for an Amazon SQS long polling timeout is 20 seconds.

Max Provisioned Storage (PIOPS) volume allowed for MySQL/Oracle instance?

6TB

You are restoring an Amazon Elastic Block Store (Amazon EBS) volume from a snapshot. How long will it be before the data is available? 1. It depends on the provisioned size of the volume. 2. The data will be available immediately. 3. It depends on the amount of data stored on the volume. 4. It depends on whether the attached instance is an Amazon EBS-optimized instance.

2 <strong>B.</strong><br>The volume is created immediately but the data is loaded lazily. This means that the volume can be accessed upon creation, and if the data being requested has not yet been restored, it will be restored upon first request.

How are you billed for elastic IP addresses? 1. Hourly when they are associated with an instance 2. Hourly when they are not associated with an instance 3. Based on the data that flows through them 4. Based on the instance type to which they are attached

2 <strong>B.</strong><br>There is a very small hourly charge for allocated elastic IP addresses that are not associated with an instance.

You need to take a snapshot of an Amazon Elastic Block Store (Amazon EBS) volume. How long will the volume be unavailable? 1. It depends on the provisioned size of the volume. 2. The volume will be available immediately. 3. It depends on the amount of data stored on the volume. 4. It depends on whether the attached instance is an Amazon EBS-optimized instance.

2 <strong>B.</strong><br>There is no delay in processing when commencing a snapshot.

You are a solutions architect who is working for a mobile application company that wants to use Amazon Simple Workflow Service (Amazon SWF) for their new takeout ordering application. They will have multiple workflows that will need to interact. What should you advise them to do in structuring the design of their Amazon SWF environment? 1. Use multiple domains, each containing a single workflow, and design the workflows to interact across the different domains. 2. Use a single domain containing multiple workflows. In this manner, the workflows will be able to interact. 3. Use a single domain with a single workflow and collapse all activities to within this single workflow. 4. Workflows cannot interact with each other; they would be better off using Amazon Simple Queue Service (Amazon SQS) and Amazon Simple Notification Service (Amazon SNS) for their application.

2 <strong>B.</strong><br>Use a single domain with multiple workflows. Workflows within separate domains cannot interact.

You are rolling out A and B test versions of a web application to see which version results in the most sales. You need 10 percent of your traffic to go to version A, 10 percent to go to version B, and the rest to go to your current production version. Which routing policy should you choose to achieve this? 1. Simple routing 2. Weighted routing 3. Geolocation routing 4. Failover routing

2 <strong>B.</strong><br>Weighted routing would best achieve this objective because it allows you to specify which percentage of traffic is directed to each endpoint.

You are responsible for the application logging solution for your company's existing applications running on multiple Amazon EC2 instances. Which of the following is the best approach for aggregating the application logs within AWS? 1. Amazon CloudWatch custom metrics 2. Amazon CloudWatch Logs Agent 3. An Elastic Load Balancing listener 4. An internal Elastic Load Balancing load balancer

2 <strong>B.</strong><br>You can use the Amazon CloudWatch Logs Agent installer on existing Amazon EC2 instances to install and configure the CloudWatch Logs Agent.

AWS Auto Scaling supports ______ metrics and ____ dimensions.

7 metrics and 1 dimension.

Under what circumstances will Amazon Elastic Compute Cloud (Amazon EC2) instance store data not be preserved? 1. The associated security groups are changed. 2. The instance is stopped or rebooted. 3. The instance is rebooted or terminated. 4. The instance is stopped or terminated. 5. None of the above

2&3&4?

An Amazon Elastic Compute Cloud (Amazon EC2) instance in an Amazon Virtual Private Cloud (Amazon VPC) subnet can send and receive traffic from the Internet when which of the following conditions are met? (Choose 3 answers) 1. Network Access Control Lists (ACLS) and security group rules disallow all traffic except relevant Internet traffic. 2. Network ACLs and security group rules allow relevant Internet traffic. 3. Attach an Internet Gateway (IGW) to the Amazon VPC and create a subnet route table to send all non-local traffic to that IGW. 4. Attach a Virtual Private Gateway (VPG) to the Amazon VPC and create subnet routes to send all non-local traffic to that VPG. 5. The Amazon EC2 instance has a public IP address or Elastic IP (EIP) address. 6. The Amazon EC2 instance does not need a public IP or Elastic IP when using Amazon VPC.

2&3&6?

If you launch five Amazon Elastic Compute Cloud (Amazon EC2) instances in an Amazon Virtual Private Cloud (Amazon VPC) without specifying a security group, the instances will be launched into a default security group that provides which of the following? (Choose 3 answers) 1. The five Amazon EC2 instances can communicate with each other. 2. The five Amazon EC2 instances cannot communicate with each other. 3. All inbound traffic will be allowed to the five Amazon EC2 instances. 4. No inbound traffic will be allowed to the five Amazon EC2 instances. 5. All outbound traffic will be allowed from the five Amazon EC2 instances. 6. No outbound traffic will be allowed from the five Amazon EC2 instances.

2&4&6?

You are trying to decrypt ciphertext with AWS KMS and the decryption operation is failing. Which of the following are possible causes? (Choose 2 answers) 1. The private key does not match the public key in the ciphertext. 2. The plaintext was encrypted along with an encryption context, and you are not providing the identical encryption context when calling the Decrypt API. 3. The ciphertext you are trying to decrypt is not valid. 4. You are not providing the correct symmetric key to the Decrypt API.

2,3 <strong>B, C.</strong><br>Encryption context is a set of key/value pairs that you can pass to AWS KMS when you call the Encrypt, Decrypt, ReEncrypt, GenerateDataKey, and GenerateDataKeyWithoutPlaintext APIs. Although the encryption context is not included in the ciphertext, it is cryptographically bound to the ciphertext during encryption and must be passed again when you call the Decrypt (or ReEncrypt) API. Invalid ciphertext for decryption is plaintext that has been encrypted in a different AWS account or ciphertext that has been altered since it was originally encrypted.

You want to grant the individuals on your network team the ability to fully manipulate Amazon EC2 instances. Which of the following accomplish this goal? (Choose 2 answers) 1. Create a new policy allowing EC2:* actions, and name the policy NetworkTeam. 2. Assign the managed policy, EC2FullAccess, to a group named NetworkTeam, and assign all the team members' IAM user accounts to that group. 3. Create a new policy that grants EC2:* actions on all resources, and assign that policy to each individual's IAM user account on the network team. 4. Create a NetworkTeam IAM group, and have each team member log in to the AWS Management Console using the user name/password for the group.

2,3 <strong>B,C.</strong><br>Access requires an appropriate policy associated with a principal. Response A is merely a policy with no principal, and response D is not a principal as IAM groups do not have user names and passwords. Response B is the best solution; response C will also work but it is much harder to manage.

Which of the following are benefits of using Amazon EC2 roles? (Choose 2 answers) 1. No policies are required. 2. Credentials do not need to be stored on the Amazon EC2 instance. 3. Key rotation is not necessary. 4. Integration with Active Directory is automatic.

2,3 <strong>B,C.</strong><br>Amazon EC2 roles must still be assigned a policy. Integration with Active Directory involves integration between Active Directory and IAM via SAML.

An application currently uses Memcached to cache frequently used database queries. Which steps are required to migrate the application to use Amazon ElastiCache with minimal changes? (Choose 2 answers) 1. Recompile the application to use the Amazon ElastiCache libraries. 2. Update the configuration file with the endpoint for the Amazon ElastiCache cluster. 3. Configure a security group to allow access from the application servers. 4. Connect to the Amazon ElastiCache nodes using Secure Shell (SSH) and install the latest version of Memcached.

2,3 <strong>B,C.</strong><br>Amazon ElastiCache is Application Programming Interface (API)-compatible with existing Memcached clients and does not require the application to be recompiled or linked against the libraries. Amazon ElastiCache manages the deployment of the Amazon ElastiCache binaries.

Which of the following cache engines are supported by Amazon ElastiCache? (Choose 2 answers) 1. MySQL 2. Memcached 3. Redis 4. Couchbase

2,3 <strong>B,C.</strong><br>Amazon ElastiCache supports Memcached and Redis cache engines. MySQL is not a cache engine, and Couchbase is not supported.

How can you back up data stored in Amazon ElastiCache running Redis? (Choose 2 answers) 1. Create an image of the Amazon Elastic Compute Cloud (Amazon EC2) instance. 2. Configure automatic snapshots to back up the cache environment every night. 3. Create a snapshot manually. 4. Redis clusters cannot be backed up.

2,3 <strong>B,C.</strong><br>Amazon ElastiCache with the Redis engine allows for both manual and automatic snapshots. Memcached does not have a backup function.

Which of the following workloads are a good fit for running on Amazon Redshift? (Choose 2 answers) 1. Transactional database supporting a busy e-commerce order processing website 2. Reporting database supporting back-office analytics 3. Data warehouse used to aggregate multiple disparate data sources 4. Manage session state and user profile data for thousands of concurrent users

2,3 <strong>B,C.</strong><br>Amazon Redshift is an Online Analytical Processing (OLAP) data warehouse designed for analytics, Extract, Transform, Load (ETL), and high-speed querying. It is not well suited for running transactional applications that require high volumes of small inserts or updates.

Amazon Simple Storage Service (Amazon S3) is an eventually consistent storage system. For what kinds of operations is it possible to get stale data as a result of eventual consistency? (Choose 2 answers) 1. GET after PUT of a new object 2. GET or LIST after a DELETE 3. GET after overwrite PUT (PUT to an existing key) 4. DELETE after PUT of new object

2,3 <strong>B,C.</strong><br>Amazon S3 provides read-after-write consistency for PUTs to new objects (new key), but eventual consistency for GETs and DELETEs of existing objects (existing key).

What are some reasons to enable cross-region replication on an Amazon Simple Storage Service (Amazon S3) bucket? (Choose 2 answers) 1. You want a backup of your data in case of accidental deletion. 2. You have a set of users or customers who can access the second bucket with lower latency. 3. For compliance reasons, you need to store data in a location at least 300 miles away from the first region. 4. Your data needs at least five nines of durability.

2,3 <strong>B,C.</strong><br>Cross-region replication can help lower latency and satisfy compliance requirements on distance. Amazon S3 is designed for eleven nines durability for objects in a single region, so a second region does not significantly increase durability. Cross-region replication does not protect against accidental deletion.

Which of the following are true of instance stores? (Choose 2 answers) 1. Automatic backups 2. Data is lost when the instance stops. 3. Very high IOPS 4. Charge is based on the total amount of storage provisioned.

2,3 <strong>B,C.</strong><br>Instance stores are low-durability, high-IOPS storage that is included for free with the hourly cost of an instance.

Which of the following options will help increase the availability of a web server farm? (Choose 2 answers) 1. Use Amazon CloudFront to deliver content to the end users with low latency and high data transfer speeds. 2. Launch the web server instances across multiple Availability Zones. 3. Leverage Auto Scaling to recover from failed instances. 4. Deploy the instances in an Amazon Virtual Private Cloud (Amazon VPC). 5. Add more CPU and RAM to each instance.

2,3 <strong>B,C.</strong><br>Launching instances across multiple Availability Zones helps ensure the application is isolated from failures in a single Availability Zone, allowing the application to achieve higher availability. Whether you are running one Amazon EC2 instance or thousands, you can use Auto Scaling to detect impaired Amazon EC2 instances and unhealthy applications and replace the instances without your intervention. This ensures that your application is getting the compute capacity that you expect, thereby maintaining your availability.

Which of the following methods will allow an application using an AWS SDK to be authenticated as a principal to access AWS Cloud services? (Choose 2 answers) 1. Create an IAM user and store the user name and password for the user in the application's configuration. 2. Create an IAM user and store both parts of the access key for the user in the application's configuration. 3. Run the application on an Amazon EC2 instance with an assigned IAM role. 4. Make all the API calls over an SSL connection.

2,3 <strong>B,C.</strong><br>Programmatic access is authenticated with an access key, not with user names/passwords. IAM roles provide a temporary security token to an application using an SDK.

VM Import/Export can import existing virtual machines as: (Choose 2 answers) 1. Amazon Elastic Block Store (Amazon EBS) volumes 2. Amazon Elastic Compute Cloud (Amazon EC2) instances 3. Amazon Machine Images (AMIs) 4. Security groups

2,3 <strong>B,C.</strong><br>These are the possible outputs of VM Import/Export.

By default, the CloudFront cache invalidates after _____

24 hours.

Amazon DynamoDB Streams makes it easy to get a list of item modifications for the last _____.

24-hour period

How can you secure an Amazon ElastiCache cluster? (Choose 3 answers) 1. Change the Memcached root password. 2. Restrict Application Programming Interface (API) actions using AWS Identity and Access Management (IAM) policies. 3. Restrict network access using security groups. 4. Restrict network access using a network Access Control List (ACL).

2,3,4 <strong>B,C,D.</strong><br>Limit access at the network level using security groups or network ACLs, and limit infrastructure changes using IAM.

What origin servers are supported by Amazon CloudFront? (Choose 3 answers) 1. An Amazon Route 53 Hosted Zone 2. An Amazon Simple Storage Service (Amazon S3) bucket 3. An HTTP server running on Amazon Elastic Compute Cloud (Amazon EC2) 4. An Amazon EC2 Auto Scaling Group 5. An HTTP server running on-premises

2,3,5 <strong>B, C, E.</strong><br>Amazon CloudFront can use an Amazon S3 bucket or any HTTP server, whether or not it is running in Amazon EC2. A Route 53 Hosted Zone is a set of DNS resource records, while an Auto Scaling Group launches or terminates Amazon EC2 instances automatically. Neither can be specified as an origin server for a distribution.

Amazon Simple Storage Service (S3) bucket policies can restrict access to an Amazon S3 bucket and objects by which of the following? (Choose 3 answers) 1. Company name 2. IP address range 3. AWS account 4. Country of origin 5. Objects with a specific prefix

2,3,5 <strong>B,C,E.</strong><br>Amazon S3 bucket policies cannot specify a company name or a country of origin, but they can specify the request IP range, the AWS account, and a prefix for the objects that can be accessed.

Which features can be used to restrict access to Amazon Simple Storage Service (Amazon S3) data? (Choose 3 answers) 1. Enable static website hosting on the bucket. 2. Create a pre-signed URL for an object. 3. Use an Amazon S3 Access Control List (ACL) on a bucket or object. 4. Use a lifecycle policy. 5. Use an Amazon S3 bucket policy.

2,3,5 <strong>B,C,E.</strong><br>Static website hosting does not restrict data access, and neither does an Amazon S3 lifecycle policy.

Which of the following are best practices for managing AWS Identity and Access Management (IAM) user access keys? (Choose 3 answers) 1. Embed access keys directly into application code. 2. Use different access keys for different applications. 3. Rotate access keys periodically. 4. Keep unused access keys for an indefinite period of time. 5. Configure Multi-Factor Authentication (MFA) for your most sensitive operations.

2,3,5 <strong>B,C,E.</strong><br>You should protect AWS user access keys like you would your credit card numbers or any other sensitive secret. Use different access keys for different applications so that you can isolate the permissions and revoke the access keys for individual applications if an access key is exposed. Remember to change access keys on a regular basis. For increased security, it is recommended to configure MFA for any sensitive operations. Remember to remove any IAM users that are no longer needed so that the user's access to your resources is removed. Always avoid having to embed access keys in an application.

(DynamoDB) Using the BatchWriteItem action, you can perform up to _____ item creates or updates with a single operation. This allows you to minimize the overhead of each individual call when processing large numbers of items.

25

When an Amazon Elastic Compute Cloud (Amazon EC2) instance registered with an Elastic Load Balancing load balancer using connection draining is deregistered or unhealthy, which of the following will happen? (Choose 2 answers) 1. Immediately close all existing connections to that instance. 2. Keep the connections open to that instance, and attempt to complete in-flight requests. 3. Redirect the requests to a user-defined error page like "Oops this is embarrassing" or "Under Construction." 4. Forcibly close all connections to that instance after a timeout period. 5. Leave the connections open as long as the load balancer is running.

2,4 <strong>B,C.</strong><br>When connection draining is enabled, the load balancer will stop sending requests to a deregistered or unhealthy instance and attempt to complete in-flight requests until a connection draining timeout period is reached, which is 300 seconds by default.

DynamoDB tables may contain sensitive data that needs to be protected. Which of the following is a way for you to protect DynamoDB table content? (Choose 2 answers) 1. DynamoDB encrypts all data server-side by default so nothing is required. 2. DynamoDB can store data encrypted with a client-side encryption library solution before storing the data in DynamoDB. 3. DynamoDB obfuscates all data stored so encryption is not required 4. DynamoDB can be used with the AWS Key Management Service to encrypt the data before storing the data in DynamoDB. 5. DynamoDB should not be used to store sensitive information requiring protection.

2,4 <strong>B,D.</strong><br>Amazon DynamoDB does not have a server-side feature to encrypt items within a table. You need to use a solution outside of DynamoDB such as a client-side library to encrypt items before storing them, or a key management service like AWS Key Management Service to manage keys that are used to encrypt items before storing them in DynamoDB.

Which of the following are not appropriate use cases for Amazon Simple Storage Service (Amazon S3)? (Choose 2 answers) 1. Storing web content 2. Storing a file system mounted to an Amazon Elastic Compute Cloud (Amazon EC2) instance 3. Storing backups for a relational database 4. Primary storage for a database 5. Storing logs for analytics

2,4 <strong>B,D.</strong><br>Amazon S3 cannot be mounted to an Amazon EC2 instance like a file system and should not serve as primary database storage.

Which of the following actions can be authorized by IAM? (Choose 2 answers) 1. Installing ASP.NET on a Windows Server 2. Launching an Amazon Linux EC2 instance 3. Querying an Oracle database 4. Adding a message to an Amazon Simple Queue Service (Amazon SQS) queue

2,4 <strong>B,D.</strong><br>IAM controls access to AWS resources only. Installing ASP.NET will require Windows operating system authorization, and querying an Oracle database will require Oracle authorization.

Which of the following can be used to address an Amazon Elastic Compute Cloud (Amazon EC2) instance over the web? (Choose 2 answers) 1. Windows machine name 2. Public DNS name 3. Amazon EC2 instance ID 4. Elastic IP address

2,4 <strong>B,D.</strong><br>Neither the Windows machine name nor the Amazon EC2 instance ID can be resolved into an IP address to access the instance.

Which of the following options are valid properties of an Amazon Simple Queue Service (Amazon SQS) message? (Choose 2 answers) 1. Destination 2. Message ID 3. Type 4. Body

2,4 <strong>B,D.</strong><br>The valid properties of an SQS message are Message ID and Body. Each message receives a system-assigned Message ID that Amazon SQS returns to you in the SendMessage response. The Message Body is composed of name/value pairs and the unstructured, uninterpreted content.

Which of the following statements about Amazon DynamoDB tables are true? (Choose 2 answers) 1. Global secondary indexes can only be created when the table is being created. 2. Local secondary indexes can only be created when the table is being created. 3. You can only have one global secondary index. 4. You can only have one local secondary index.

2,4 <strong>B,D.</strong><br>You can only have a single local secondary index, and it must be created at the same time the table is created. You can create many global secondary indexes after the table has been created.

Auto Scaling supports which of the following plans for Auto Scaling groups? (Choose 3 answers) 1. Predictive 2. Manual 3. Preemptive 4. Scheduled 5. Dynamic 6. End-user request driven

2,4,5 <strong>B,D,E.</strong><br>Auto Scaling supports maintaining the current size of an Auto Scaling group using four plans: maintain current levels, manual scaling, scheduled scaling, and dynamic scaling.

Your compliance department has mandated a new requirement that all data on Amazon Elastic Block Storage (Amazon EBS) volumes must be encrypted. Which of the following steps would you follow for your existing Amazon EBS volumes to comply with the new requirement? (Choose 3 answers) 1. Move the existing Amazon EBS volume into an Amazon Virtual Private Cloud (Amazon VPC). 2. Create a new Amazon EBS volume with encryption enabled. 3. Modify the existing Amazon EBS volume properties to enable encryption. 4. Attach an Amazon EBS volume with encryption enabled to the instance that hosts the data, then migrate the data to the encryption-enabled Amazon EBS volume. 5. Copy the data from the unencrypted Amazon EBS volume to the Amazon EBS volume with encryption enabled.

2,4,5 <strong>B,D,E.</strong><br>There is no direct way to encrypt an existing unencrypted volume. However, you can migrate data between encrypted and unencrypted volumes.

When designing a loosely coupled system, which AWS services provide an intermediate durable storage layer between components? (Choose 2 answers) 1. Amazon CloudFront 2. Amazon Kinesis 3. Amazon Route 53 4. AWS CloudFormation 5. Amazon Simple Queue Service (Amazon SQS)

2,5 <strong>B,E.</strong><br>Amazon Kinesis is a platform for streaming data on AWS, offering powerful services to make it easy to load and analyze streaming data. Amazon SQS is a fast, reliable, scalable, and fully managed message queuing service. Amazon SQS makes it simple and cost-effective to decouple the components of a cloud application.

Which of the following will occur when an Amazon Elastic Block Store (Amazon EBS)-backed Amazon EC2 instance in an Amazon VPC with an associated EIP is stopped and started? (Choose two) 1. The EIP will be dissociated from the instance. 2. All data on instance-store devices will be lost. 3. All data on Amazon EBS devices will be lost. 4. The ENI is detached. 5. The underlying host for the instance is changed.

2,5 <strong>B,E.</strong><br>In the EC2-Classic network, the EIP will be disassociated from the instance; in the EC2-VPC network, the EIP remains associated with the instance. Regardless of the underlying network, a stop/start of an Amazon EBS-backed Amazon EC2 instance always changes the host computer.

Which of the following are characteristics of the Auto Scaling service on AWS? (Choose 3 answers) 1. Sends traffic to healthy instances 2. Responds to changing conditions by adding or terminating Amazon Elastic Compute Cloud (Amazon EC2) instances 3. Collects and tracks metrics and sets alarms 4. Delivers push notifications 5. Launches instances from a specified Amazon Machine Image (AMI) 6. Enforces a minimum number of running Amazon EC2 instances

2,5,6 <strong>B,E,F.</strong><br>Auto Scaling responds to changing conditions by adding or terminating instances, launches instances from an AMI specified in the launch configuration associated with the Auto Scaling group, and enforces a minimum number of instances in the min-size parameter of the Auto Scaling group.

Elastic Load Balancing supports which of the following types of load balancers? (Choose 3 answers) 1. Cross-region 2. Internet-facing 3. Interim 4. Itinerant 5. Internal 6. Hypertext Transfer Protocol Secure (HTTPS) using Secure Sockets Layer (SSL)

2,5,6 <strong>B,E,F.</strong><br>Elastic Load Balancing supports Internet-facing, internal, and HTTPS load balancers.

Which of the following statements about Amazon S3 is inaccurate? 1. If you make any changes to a file stored in Amazon S3, the entire file must be updated. 2. Your Amazon S3 buckets are stored within VPCs. 3. Amazon S3 objects include both a file and any metadata that describes the file. 4. You do not pay transfer costs for objects uploaded to your buckets.

2.

Max # of Auto Scaling groups you can create?

20

With SQS long polling, you send a WaitTimeSeconds argument to ReceiveMessage of up to _____.

20 seconds

Max length of a CloudFront request?

20,480 bytes including headers and query string

What HTTP return code will you get if a file was successfully uploaded to S3 through the API?

200

Like many other AWS Cloud services, Amazon SQS is accessed through HTTP request-response, and a typical Amazon SQS request-response takes a bit less than _____ from Amazon Elastic Compute Cloud (Amazon EC2).

20ms. Like many other AWS Cloud services, Amazon SQS is accessed through HTTP request-response, and a typical Amazon SQS request-response takes a bit less than 20ms from Amazon Elastic Compute Cloud (Amazon EC2). This means that from a single thread, you can, on average, issue 50+ Application Programming Interface (API) requests per second (a bit fewer for batch API requests, but those do more work). The throughput scales horizontally, so the more threads and hosts you add, the higher the throughput. Using this scaling model, some AWS customers have queues that process thousands of messages every second.

A customer is using CloudHSM in GovCloud; what ports must be open?

22 for SSH or 3389 for RDP

What ports are needed for SSH, Microsoft SQL Server, and inbound RDP traffic from Microsoft Terminal Gateway?

22, 1433, 3389

Objects in CloudFront are cached for how long?

24 hours by default, but you can modify this

How is data stored in Amazon Simple Storage Service (Amazon S3) for high durability? 1. Data is automatically replicated to other regions. 2. Data is automatically replicated to different Availability Zones within a region. 3. Data is replicated only if versioning is enabled on the bucket. 4. Data is automatically backed up on tape and restored if needed.

2?

Which process in an Amazon Simple Workflow Service (Amazon SWF) workflow implements a task? 1. Decider 2. Activity worker 3. Workflow starter 4. Business rule

2?

DynamoDB data is saved to how many geo data centers?

3

Which of the following statements about Amazon Elastic Compute Cloud (EC2) is inaccurate? 1. Amazon EC2 instances are launched with Amazon Machine Images. 2. Linux, Windows batch, or PowerShell scripts can be run when an Amazon EC2 instance is launched by supplying them as user data. 3. Amazon EC2 instances can be moved between Amazon VPCs while in a running state. 4. Amazon EC2 instances must be associated with at least one security group.

3

Which of these are not a type of Amazon EBS volume? 1. Magnetic 2. General Purpose SSD 3. High Capacity SSD 4. Provisioned IOPS SSD

3

Which of the following are AWS Key Management Service (AWS KMS) keys that will never exit AWS unencrypted? 1. AWS KMS data keys 2. Envelope encryption keys 3. AWS KMS Customer Master Keys (CMKs) 4. A and C

3 <strong>C.</strong><br>AWS KMS CMKs are the fundamental resources that AWS KMS manages. CMKs can never leave AWS KMS unencrypted, but data keys can.

Your organization uses Chef heavily for its deployment automation. What AWS Cloud service provides integration with Chef recipes to start new application server instances, configure application server software, and deploy applications? 1. AWS Elastic Beanstalk 2. Amazon Kinesis 3. AWS OpsWorks 4. AWS CloudFormation

3 <strong>C.</strong><br>AWS OpsWorks uses Chef recipes to start new app server instances, configure application server software, and deploy applications. Organizations can leverage Chef recipes to automate operations like software configurations, package installations, database setups, server scaling, and code deployment.

Which type of record is commonly used to route traffic to an IPv6 address? 1. An A record 2. A CNAME 3. An AAAA record 4. An MX record

3 <strong>C.</strong><br>An AAAA record is used to route traffic to an IPv6 address, whereas an A record is used to route traffic to an IPv4 address.

Which resource record set would not be allowed for the hosted zone example.com? 1. www.example.com 2. www.aws.example.com 3. www.example.ca 4. www.beta.example.com

3 C. The resource record sets in a hosted zone must share the zone's domain name as their suffix. www.example.ca is under example.ca, not example.com, so it belongs in a different hosted zone; www.aws.example.com and www.beta.example.com are subdomains of example.com and are allowed.
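
The two Route 53 checks above (record type by address family, and record name within the hosted zone) as an added example; this is not code from the page or from AWS, and the zone name, names and addresses it uses are constructed.

```python
"""Hosted-zone record sanity checks. Added example, not from the page; the zone
name and records are constructed."""
import ipaddress

ZONE = "example.com"


def normalize(name: str) -> str:
    return name.rstrip(".").lower()


def in_zone(name: str, zone: str = ZONE) -> bool:
    """A record set belongs in a hosted zone only if its name is the zone apex or ends in '.<zone>'."""
    n, z = normalize(name), normalize(zone)
    return n == z or n.endswith("." + z)


def address_record_type(address: str) -> str:
    """A for an IPv4 target, AAAA for IPv6; ValueError if the value is not an IP literal."""
    return "AAAA" if ipaddress.ip_address(address).version == 6 else "A"


def validate_record(name: str, rtype: str, value: str, zone: str = ZONE) -> list:
    """Return the problems with a proposed record (an empty list means it is acceptable)."""
    problems = []
    if not in_zone(name, zone):
        problems.append(f"{name} is not under hosted zone {zone}")
    if rtype in ("A", "AAAA"):
        try:
            expected = address_record_type(value)
        except ValueError:
            problems.append(f"{value!r} is not an IP address")
        else:
            if expected != rtype:
                problems.append(f"{value} needs an {expected} record, not {rtype}")
    elif rtype == "CNAME" and normalize(name) == normalize(zone):
        # DNS does not allow a CNAME at the zone apex (Route 53 offers alias records for that case)
        problems.append("a CNAME is not allowed at the zone apex")
    return problems


if __name__ == "__main__":
    for rec in [("www.example.com", "A", "203.0.113.10"),
                ("www.example.com", "AAAA", "2001:db8::10"),
                ("www.example.ca", "A", "203.0.113.10"),
                ("example.com", "CNAME", "www.example.com")]:
        print(rec, validate_record(*rec) or "ok")
```

The suffix test is a string comparison on labels, so `notexample.com` is correctly rejected even though it ends in `example.com`.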

What is Availability & Durability for S3-IA object?

99.9% availability, 99.999999999% (eleven 9's) durability

A cell phone company is running dynamic-content television commercials for a contest. They want their website to handle traffic spikes that come after a commercial airs. The website is interactive, offering personalized content to each visitor based on location, purchase history, and the current commercial airing. Which architecture will configure Auto Scaling to scale out to respond to spikes of demand, while minimizing costs during quiet periods? 1. Set the minimum size of the Auto Scaling group so that it can handle high traffic volumes without needing to scale out. 2. Create an Auto Scaling group large enough to handle peak traffic loads, and then stop some instances. Configure Auto Scaling to scale out when traffic increases using the stopped instances, so new capacity will come online quickly. 3. Configure Auto Scaling to scale out as traffic increases. Configure the launch configuration to start new instances from a preconfigured Amazon Machine Image (AMI). 4. Use Amazon CloudFront and Amazon Simple Storage Service (Amazon S3) to cache changing content, with the Auto Scaling group set as the origin. Configure Auto Scaling to have sufficient instances necessary to initially populate CloudFront and Amazon ElastiCache, and then scale in after the cache is fully populated.

3 C. Auto Scaling is designed to scale out based on an event like increased traffic while being cost effective when not needed. Launching from a preconfigured AMI keeps the boot-to-ready time short, so new capacity arrives while the spike is still happening, and scaling in afterwards removes the cost.

You have a workload that requires 1 TB of durable block storage at 1,500 IOPS during normal use. Every night there is an Extract, Transform, Load (ETL) task that requires 3,000 IOPS for 15 minutes. What is the most appropriate volume type for this workload? 1. Use a Provisioned IOPS SSD volume at 3,000 IOPS. 2. Use an instance store. 3. Use a general-purpose SSD volume. 4. Use a magnetic volume.

3 C. A short period of heavy traffic is exactly the use case for the bursting nature of general-purpose SSD volumes: the rest of the day is more than enough time to build up enough IOPS credits to handle the nightly task. (In fact, at 3 IOPS per GB a 1 TB gp2 volume already has a baseline of roughly 3,000 IOPS, so the nightly job barely needs to burst at all.) Instance stores are not durable, magnetic volumes cannot provide enough IOPS, and to set up a Provisioned IOPS SSD volume to handle the peak would mean spending money for more IOPS than you need.
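
The credit arithmetic behind this answer, as an added example (not code from the page or from AWS). It assumes the standard gp2 rules: a baseline of 3 IOPS per GiB with a 100 IOPS floor, a 5.4 million I/O credit bucket that every volume starts full and that drains by (delivered minus baseline) credits per second, and a 3,000 IOPS burst ceiling. The volume sizes and workload phases are constructed.

```python
"""gp2 burst-credit model. Added example; the rule set below is the standard gp2
one and the workloads are constructed, not taken from the page."""

BUCKET_MAX = 5_400_000   # I/O credits; a new volume starts with a full bucket
BURST_IOPS = 3_000       # ceiling a small volume can burst to


def baseline_iops(size_gib: int) -> int:
    """gp2 baseline performance: 3 IOPS per GiB, never below 100 IOPS."""
    return max(100, 3 * size_gib)


def simulate(size_gib: int, phases, credits: float = BUCKET_MAX):
    """Run a workload through the credit bucket.

    phases: list of (seconds, demanded_iops).
    Returns (average IOPS actually delivered per phase, credits left at the end).
    """
    base = baseline_iops(size_gib)
    ceiling = max(base, BURST_IOPS)   # a large volume's baseline may already exceed 3,000
    delivered = []
    for seconds, demand in phases:
        want = min(demand, ceiling)
        if want <= base:
            # At or below baseline nothing is spent; unused baseline refills the bucket
            credits = min(BUCKET_MAX, credits + (base - want) * seconds)
            delivered.append(want)
            continue
        drain = want - base                  # credits burned per second while bursting
        sustain = credits / drain            # seconds the burst can last
        if sustain >= seconds:
            credits -= drain * seconds
            delivered.append(want)
        else:
            # Bucket runs dry mid-phase: full burst until then, baseline afterwards
            credits = 0
            delivered.append((want * sustain + base * (seconds - sustain)) / seconds)
    return delivered, credits


def seconds_to_refill(size_gib: int, credits: float, background_iops: int = 0) -> float:
    """Time for the bucket to refill while the volume sees background_iops of load."""
    spare = baseline_iops(size_gib) - background_iops
    return (BUCKET_MAX - credits) / spare if spare > 0 else float("inf")


def page_scenario():
    """1 TB volume, 1,500 IOPS for a working day, then 3,000 IOPS for 15 minutes (the question above)."""
    return simulate(1024, [(8 * 3600, 1500), (15 * 60, 3000)])


def small_volume_scenario():
    """Same ETL burst on a 100 GiB volume (300 IOPS baseline): here the bucket is what carries it."""
    return simulate(100, [(15 * 60, 3000)])


if __name__ == "__main__":
    print("1 TB:", page_scenario())
    delivered, left = small_volume_scenario()
    print("100 GiB:", delivered, left, "refill seconds:", seconds_to_refill(100, left))
```

`page_scenario()` never touches its credits, because a 1,024 GiB volume's 3,072 IOPS baseline already covers the job; `small_volume_scenario()` spends 2.43 million credits on the same 15 minutes and needs 8,100 idle seconds to earn them back, which is the "rest of the day" the answer relies on.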

Your company data center is completely full, but the sales group has determined a need to store 200TB of product video. The videos were created over the last several years, with the most recent being accessed by sales the most often. The data must be accessed locally, but there is no space in the data center to install local storage devices to store this data. What AWS Cloud service will meet sales' requirements? 1. AWS Storage Gateway Gateway-Stored volumes 2. Amazon Elastic Compute Cloud (Amazon EC2) instances with attached Amazon EBS Volumes 3. AWS Storage Gateway Gateway-Cached volumes 4. AWS Import/Export Disk

3 C. AWS Storage Gateway allows you to access data in Amazon S3 locally. The Gateway-Cached volume configuration keeps the full data set in Amazon S3 and only recently accessed data on a relatively small local cache, which fits a data center with no room for 200 TB of disk; Gateway-Stored volumes would need the whole data set on local storage.

When it comes to risk management, which of the following is true? 1. AWS does not develop a strategic business plan; risk management and mitigation is entirely the responsibility of the customer. 2. AWS has developed a strategic business plan to identify any risks and implemented controls to mitigate or manage those risks. Customers do not need to develop and maintain their own risk management plans. 3. AWS has developed a strategic business plan to identify any risks and has implemented controls to mitigate or manage those risks. Customers should also develop and maintain their own risk management plans to ensure they are compliant with any relevant controls and certifications. 4. Neither AWS nor the customer needs to worry about risk management, so no plan is needed from either party.

3 C. AWS has developed a strategic business plan, and customers should also develop and maintain their own risk management plans, therefore answer C is correct.

You create a new subnet and then add a route to your route table that routes traffic out from that subnet to the Internet using an IGW. What type of subnet have you created? 1. An internal subnet 2. A private subnet 3. An external subnet 4. A public subnet

4 D. By adding a route (typically 0.0.0.0/0) whose target is an Internet gateway (IGW), you have made this subnet public. Instances in it still need a public IPv4 or Elastic IP address before they can actually exchange traffic with the Internet.

Which AWS Cloud service allows organizations to gain system-wide visibility into resource utilization, application performance, and operational health? 1. AWS Identity and Access Management (IAM) 2. Amazon Simple Notification Service (Amazon SNS) 3. Amazon CloudWatch 4. AWS CloudFormation

3 C. Amazon CloudWatch is a monitoring service for AWS Cloud resources and the applications organizations run on AWS. It allows organizations to collect and track metrics, collect and monitor log files, and set alarms. AWS IAM, Amazon SNS, and AWS CloudFormation do not provide visibility into resource utilization, application performance, and the operational health of your AWS resources.

What combination of services enable you to copy daily 50TB of data to Amazon storage, process the data in Hadoop, and store the results in a large data warehouse? 1. Amazon Kinesis, Amazon Data Pipeline, Amazon Elastic MapReduce (Amazon EMR), and Amazon Elastic Compute Cloud (Amazon EC2) 2. Amazon Elastic Block Store (Amazon EBS), Amazon Data Pipeline, Amazon EMR, and Amazon Redshift 3. Amazon Simple Storage Service (Amazon S3), Amazon Data Pipeline, Amazon EMR, and Amazon Redshift 4. Amazon S3, Amazon Simple Workflow, Amazon EMR, and Amazon DynamoDB

3 C. Amazon Data Pipeline allows you to run regular Extract, Transform, Load (ETL) jobs on Amazon and on-premises data sources. The best storage for large data is Amazon S3, and Amazon Redshift is a large-scale data warehouse service.

Your WordPress website is hosted on a fleet of Amazon Elastic Compute Cloud (Amazon EC2) instances that leverage Auto Scaling to provide high availability. To ensure that the content of the WordPress site is sustained through scale up and scale down events, you need a common file system that is shared between more than one Amazon EC2 instance. Which AWS Cloud service can meet this requirement? 1. Amazon CloudFront 2. Amazon ElastiCache 3. Amazon Elastic File System (Amazon EFS) 4. Amazon Elastic Beanstalk

3 C. Amazon EFS is a file storage service for Amazon EC2 instances. Multiple Amazon EC2 instances can access an Amazon EFS file system at the same time, providing a common data source for the content of the WordPress site running on more than one instance.

Which of the following describes how Amazon Elastic MapReduce (Amazon EMR) protects access to the cluster? 1. The master node and the slave nodes are launched into an Amazon Virtual Private Cloud (Amazon VPC). 2. The master node supports a Virtual Private Network (VPN) connection from the key specified at cluster launch. 3. The master node is launched into a security group that allows Secure Shell (SSH) and service access, while the slave nodes are launched into a separate security group that only permits communication with the master node. 4. The master node and slave nodes are launched into a security group that allows SSH and service access.

3 C. Amazon EMR starts your instances in two Amazon Elastic Compute Cloud (Amazon EC2) security groups, one for the master and another for the slaves. The master security group has a port open for communication with the service. It also has the SSH port open to allow you to securely connect to the instances via SSH using the key specified at startup. The slaves start in a separate security group, which only allows interaction with the master instance. By default, both security groups are set up to prevent access from external sources, including Amazon EC2 instances belonging to other customers. Because these are security groups in your account, you can reconfigure them using the standard Amazon EC2 tools or dashboard.

You are working on a mobile gaming application and are building the leaderboard feature to track the top scores across millions of users. Which AWS services are best suited for this use case? 1. Amazon Redshift 2. Amazon ElastiCache using Memcached 3. Amazon ElastiCache using Redis 4. Amazon Simple Storage Service (S3)

3 C. Amazon ElastiCache with Redis provides native functions (sorted sets) that simplify the development of leaderboards. With Memcached, it is more difficult to sort and rank large datasets. Amazon Redshift and Amazon S3 are not designed for high volumes of small reads and writes, typical of a mobile game.

What is the availability on RRS?

99.99%

Your e-commerce application provides daily and <em>ad hoc</em> reporting to various business units on customer purchases. This is resulting in an extremely high level of read traffic to your MySQL Amazon Relational Database Service (Amazon RDS) instance. What can you do to scale up read traffic without impacting your database&rsquo;s performance? 1. Increase the allocated storage for the Amazon RDS instance. 2. Modify the Amazon RDS instance to be a Multi-AZ deployment. 3. Create a read replica for an Amazon RDS instance. 4. Change the Amazon RDS instance DB engine version.

3 C. Amazon RDS read replicas provide enhanced performance and durability for Amazon RDS instances. This replication feature makes it easy to scale out elastically beyond the capacity constraints of a single Amazon RDS instance for read-heavy database workloads. You can create one or more replicas of a given source Amazon RDS instance and serve high-volume application read traffic from multiple copies of your data, thereby increasing aggregate read throughput.

Which is a function that Amazon Route 53 does not perform? 1. Domain registration 2. DNS service 3. Load balancing 4. Health checks

3 C. Amazon Route 53 performs three main functions: domain registration, DNS service, and health checking. It does not terminate or balance connections the way Elastic Load Balancing does, although its weighted and latency-based routing policies can spread DNS answers across several endpoints.

To have a record of who accessed your Amazon Simple Storage Service (Amazon S3) data and from where, you should do what? 1. Enable versioning on the bucket. 2. Enable website hosting on the bucket. 3. Enable server access logs on the bucket. 4. Create an AWS Identity and Access Management (IAM) bucket policy. 5. Enable Amazon CloudWatch logs.

3 C. Amazon S3 server access logs store a record of each request made against the bucket: the requester (a canonical user ID or IAM identity, or "-" for anonymous requests), the requesting IP address, the time, the operation, the object key, and the HTTP status. Amazon documents these logs as best effort (delivery can lag by hours and an occasional record can be missing), so for an audit trail you can rely on, also enable AWS CloudTrail data events for the bucket.
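
What "who accessed my data and from where" looks like when you actually read the logs. This is an added example, not code from the page or from AWS: the log lines are constructed in the documented space-separated server access log layout (with "-" for an empty field), and the two detections (anonymous successful reads, and one address collecting many 403s) are ones a practitioner would bolt on first.

```python
"""Reading S3 server access logs to answer "who read what, from where". Added
example, not from the page; the log lines are constructed in the documented
space-separated format, with '-' meaning 'no value'."""
import re
from collections import Counter, defaultdict

# One regex for the first 18 documented fields; anything after the version id
# (signature version, TLS cipher, ...) is left unparsed in `rest`.
LOG_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) (?P<requester>\S+) '
    r'(?P<request_id>\S+) (?P<operation>\S+) (?P<key>\S+) "(?P<uri>[^"]*)" (?P<status>\d{3}|-) '
    r'(?P<error>\S+) (?P<bytes>\S+) (?P<size>\S+) (?P<total_ms>\S+) (?P<turnaround_ms>\S+) '
    r'"(?P<referrer>[^"]*)" "(?P<agent>[^"]*)" (?P<version>\S+)(?P<rest>.*)$'
)

# Constructed sample: one authenticated read, one anonymous read of a public object,
# and three denied probes from the same address.
SAMPLE_LOG = """\
OWNERCANONICALID acme-docs [10/Mar/2020:13:01:02 +0000] 192.0.2.10 arn:aws:iam::111122223333:user/alice REQ0001 REST.GET.OBJECT reports/q1.pdf "GET /reports/q1.pdf HTTP/1.1" 200 - 5120 5120 30 12 "-" "aws-cli/2.0.0" -
OWNERCANONICALID acme-docs [10/Mar/2020:13:02:45 +0000] 198.51.100.7 - REQ0002 REST.GET.OBJECT public/logo.png "GET /public/logo.png HTTP/1.1" 200 - 2048 2048 8 3 "https://www.example.com/" "Mozilla/5.0" -
OWNERCANONICALID acme-docs [10/Mar/2020:13:05:10 +0000] 203.0.113.5 - REQ0003 REST.GET.OBJECT reports/q1.pdf "GET /reports/q1.pdf HTTP/1.1" 403 AccessDenied 243 - 4 - "-" "curl/7.68.0" -
OWNERCANONICALID acme-docs [10/Mar/2020:13:05:11 +0000] 203.0.113.5 - REQ0004 REST.GET.OBJECT reports/q2.pdf "GET /reports/q2.pdf HTTP/1.1" 403 AccessDenied 243 - 4 - "-" "curl/7.68.0" -
OWNERCANONICALID acme-docs [10/Mar/2020:13:05:12 +0000] 203.0.113.5 - REQ0005 REST.GET.OBJECT reports/q3.pdf "GET /reports/q3.pdf HTTP/1.1" 403 AccessDenied 243 - 4 - "-" "curl/7.68.0" -
"""


def parse_line(line: str):
    """One log record as a dict, or None for a line that does not match the layout."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def parse_log(text: str) -> list:
    return [rec for rec in (parse_line(l) for l in text.splitlines()) if rec]


def who_accessed(records) -> dict:
    """object key -> list of (requester, source IP, status); requester '-' means anonymous."""
    out = defaultdict(list)
    for r in records:
        if r["operation"] == "REST.GET.OBJECT":
            out[r["key"]].append((r["requester"], r["ip"], r["status"]))
    return dict(out)


def findings(records, denied_threshold: int = 3) -> list:
    """Two first-pass detections over the parsed records."""
    out = []
    for r in records:
        if r["requester"] == "-" and r["status"] == "200" and r["operation"] == "REST.GET.OBJECT":
            out.append(f"anonymous read of {r['key']} from {r['ip']}")
    denied = Counter(r["ip"] for r in records if r["status"] == "403")
    for ip, n in denied.items():
        if n >= denied_threshold:
            out.append(f"{ip}: {n} denied requests (enumeration?)")
    return out


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for key, hits in who_accessed(recs).items():
        print(key, hits)
    print(findings(recs))
```

Keep the logs in a separate bucket from the one being logged (logging a bucket into itself loops), and treat a `"-"` requester on a 200 response as a public-read finding to triage, not necessarily a breach: static assets are often meant to be public.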

What AWS Cloud service provides a logically isolated section of the AWS Cloud where organizations can launch AWS resources in a virtual network that they define? 1. Amazon Simple Workflow Service (Amazon SWF) 2. Amazon Route 53 3. Amazon Virtual Private Cloud (Amazon VPC) 4. AWS CloudFormation

3 C. Amazon VPC lets organizations provision a logically isolated section of the AWS Cloud where they can launch AWS resources in a virtual network that they define. Amazon SWF, Amazon Route 53, and AWS CloudFormation do not provide a virtual network. Amazon SWF helps developers build, run, and scale background jobs that have parallel or sequential steps. Amazon Route 53 provides a highly available and scalable cloud Domain Name System (DNS) web service. AWS CloudFormation gives developers and systems administrators an easy way to create and manage a collection of related AWS resources.

Which technology does Amazon WorkSpaces use to provide data security? 1. Secure Sockets Layer (SSL)/Transport Layer Security (TLS) 2. Advanced Encryption Standard (AES)-256 3. PC-over-IP (PCoIP) 4. AES-128

3 C. Amazon WorkSpaces uses PCoIP, which provides an interactive video stream without transmitting the actual data to the client device.

What is the format of an IAM policy? 1. XML 2. Key/value pairs 3. JSON 4. Tab-delimited text

3 C. An IAM policy is a JSON document: a Version plus one or more Statement elements, each with an Effect, an Action (or NotAction) and a Resource, optionally narrowed by a Condition.

Your company collects information from the point of sale registers at all of its franchise locations. Each month these processes collect 200TB of information stored in Amazon Simple Storage Service (Amazon S3). Analytics jobs taking 24 hours are performed to gather knowledge from this data. Which of the following will allow you to perform these analytics in a cost-effective way? 1. Copy the data to a persistent Amazon Elastic MapReduce (Amazon EMR) cluster, and run the MapReduce jobs. 2. Create an application that reads the information of the Amazon S3 bucket and runs it through an Amazon Kinesis stream. 3. Run a transient Amazon EMR cluster, and run the MapReduce jobs against the data directly in Amazon S3. 4. Launch a d2.8xlarge (32 vCPU, 244GB RAM) Amazon Elastic Compute Cloud (Amazon EC2) instance, and run an application to read and process each object sequentially.

3 C. Because the job is run monthly, a persistent cluster will incur unnecessary compute costs during the rest of the month. Amazon Kinesis is not appropriate because the company is running analytics as a batch job and not on a stream. A single large instance does not scale out to accommodate the large compute needs.

What is the availability on S3?

99.99%

What is the durability on RRS?

99.99%

What is it called when you move data from S3 to S3-IA automatically?

Lifecycle management: an S3 lifecycle rule (policy) on the bucket that transitions objects to Standard-IA after a chosen number of days.

A Database security group controls network access to a database instance that is inside a Virtual Private Cloud (VPC) and by default allows access from? 1. Access from any IP address for the standard ports that the database uses is provided by default. 2. Access from any IP address for any port is provided by default in the DB security group. 3. No access is provided by default, and any access must be explicitly added with a rule to the DB security group. 4. Access for the database connection string is provided by default in the DB security group.

3 C. By default, network access is turned off to a DB Instance. You can specify rules in a security group that allow access from an IP address range, port, or Amazon Elastic Compute Cloud (Amazon EC2) security group.
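
The two security-group answers above (the EMR master/worker split, and a database group that allows nothing until a rule is added) rest on the same evaluation model, shown here as an added example. This is not code from the page or from AWS: the rule tuples, group ids, port numbers and addresses are constructed, and a real security group is evaluated by the VPC, not by your code.

```python
"""Security-group rule evaluation for the EMR and RDS answers above. Added example,
not from the page; the rule model, group names, ports and addresses are constructed."""
from ipaddress import ip_address, ip_network

# A rule is (protocol, from_port, to_port, source); source is a CIDR or a security
# group id.  Protocol "-1" means all traffic.  Groups are default-deny: no rule, no access.
MASTER_SG = [
    ("tcp", 22, 22, "203.0.113.0/24"),        # SSH from the admin network only
    ("tcp", 8443, 8443, "sg-emr-service"),     # service-to-master port (constructed id)
    ("-1", 0, 65535, "sg-slave"),             # anything from the worker group
]
SLAVE_SG = [
    ("-1", 0, 65535, "sg-master"),            # workers accept traffic only from the master
]
DB_SG = []                                    # a fresh DB security group: nothing allowed yet


def allows(rules, protocol, port, source_ip=None, source_sg=None) -> bool:
    """Does any rule admit this protocol/port from this source (IP literal or group id)?"""
    for proto, lo, hi, src in rules:
        if proto != "-1" and proto != protocol:
            continue
        if proto != "-1" and not lo <= port <= hi:
            continue
        if src.startswith("sg-"):
            if src == source_sg:
                return True
        elif source_ip is not None and ip_address(source_ip) in ip_network(src, strict=False):
            return True
    return False


def audit_isolation(rules, allowed_sources: set) -> list:
    """Rules on a group that admit anything other than the allowed set (for worker/DB groups)."""
    return [rule for rule in rules if rule[3] not in allowed_sources]


def audit_open_admin_ports(rules, ports=(22, 3389)) -> list:
    """Rules exposing SSH/RDP to the whole Internet."""
    bad = []
    for proto, lo, hi, src in rules:
        if src in ("0.0.0.0/0", "::/0") and any(lo <= p <= hi for p in ports):
            bad.append((proto, lo, hi, src))
    return bad


if __name__ == "__main__":
    print("admin SSH to master:", allows(MASTER_SG, "tcp", 22, source_ip="203.0.113.5"))
    print("admin SSH to worker:", allows(SLAVE_SG, "tcp", 22, source_ip="203.0.113.5"))
    print("master to worker:", allows(SLAVE_SG, "tcp", 8088, source_sg="sg-master"))
    print("anything to new DB group:", allows(DB_SG, "tcp", 3306, source_ip="10.0.0.5"))
```

Referencing a security group id as the source (rather than the master's IP) is what keeps the worker rule correct when the master is replaced; `audit_isolation(worker_rules, {"sg-master"})` is the check to run after anyone "temporarily" widens it.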

Which of the following is NOT a recommended approach for customers trying to achieve strong compliance and governance over an entire IT control environment? 1. Take a holistic approach: Review information available from AWS together with all other information, and document all compliance requirements. 2. Verify that all control objectives are met and all key controls are designed and operating effectively. 3. Implement generic control objectives that are not specifically designed to meet their organization&rsquo;s compliance requirements. 4. Identify and document controls owned by all third parties.

3 C. Customers should ensure that they implement control objectives that are designed to meet their organization's own unique compliance requirements, therefore answer C is correct.

Which Amazon Elastic Compute Cloud (Amazon EC2) feature ensures that your instances will not share a physical host with instances from any other AWS customer? 1. Amazon Virtual Private Cloud (VPC) 2. Placement groups 3. Dedicated Instances 4. Reserved Instances

3 C. Dedicated Instances will not share physical hosts with instances from other AWS accounts (they may still share a host with other instances in your own account).

As a Solutions Architect, how should you architect systems on AWS? 1. You should architect for least cost. 2. You should architect your AWS usage to take advantage of Amazon Simple Storage Service&rsquo;s (Amazon S3) durability. 3. You should architect your AWS usage to take advantage of multiple regions and Availability Zones. 4. You should architect with Amazon Elastic Compute Cloud (Amazon EC2) Auto Scaling to ensure capacity is available when needed.

3 C. Distributing applications across multiple Availability Zones provides the ability to remain resilient in the face of most failure modes, including natural disasters or system failures.

How many access keys may an AWS Identity and Access Management (IAM) user have active at one time? 1. 0 2. 1 3. 2 4. 3

3 C. IAM permits users to have no more than two active access keys at one time. The second slot exists so you can rotate keys without downtime: create the new key, switch the application over, then disable and delete the old one.

Your company requires that all data sent to external storage be encrypted before being sent. Which Amazon Simple Storage Service (Amazon S3) encryption solution will meet this requirement? 1. Server-Side Encryption (SSE) with AWS-managed keys (SSE-S3) 2. SSE with customer-provided keys (SSE-C) 3. Client-side encryption with customer-managed keys 4. Server-side encryption with AWS Key Management Service (AWS KMS) keys (SSE-KMS)

3 C. If data must be encrypted before being sent to Amazon S3, client-side encryption must be used. With SSE-S3, SSE-C and SSE-KMS the object is protected in transit by TLS but is encrypted by S3 only after it arrives, which does not satisfy a "before being sent" requirement.

Based on the following Amazon Simple Storage Service (Amazon S3) URL, which one of the following statements is correct?<br /><br />https://bucket1.abc.com.s3.amazonaws.com/folderx/myfile.doc<br> <br>(NOTE: This link is only an example URL for this question, and is not intended to be a real or live link.) 1. The object "myfile.doc" is stored in the folder "folderx" in the bucket "bucket1.abc.com." 2. The object "myfile.doc" is stored in the bucket "bucket1.abc.com." 3. The object "folderx/myfile.doc" is stored in the bucket "bucket1.abc.com." 4. The object "myfile.doc" is stored in the bucket "bucket1."

3 C. In a virtual-hosted-style URL, the bucket name is everything before "s3.amazonaws.com/" and the object key is everything after it, so the key here is "folderx/myfile.doc". There is no folder structure in Amazon S3: "folderx/" is just a prefix of the key that the console renders as a folder.
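
A parser for that rule, as an added example (not code from the page or from any AWS SDK). It handles both the virtual-hosted form used in the question and the path-style form, and it goes a step beyond the question by allowing bucket names that contain dots and regional endpoints; the URLs in the demo are constructed.

```python
"""Splitting an S3 URL into bucket and key. Added example, not from the page; the
URLs in the demo are constructed."""
from urllib.parse import urlsplit, unquote

S3_SUFFIX = ".amazonaws.com"


def parse_s3_url(url: str):
    """Return (bucket, key) for virtual-hosted-style and path-style S3 URLs.

    virtual-hosted: https://<bucket>.s3.amazonaws.com/<key>, https://<bucket>.s3.<region>.amazonaws.com/<key>
    path-style:     https://s3.amazonaws.com/<bucket>/<key>, https://s3.<region>.amazonaws.com/<bucket>/<key>
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host.endswith(S3_SUFFIX):
        raise ValueError(f"not an S3 endpoint: {host!r}")
    labels = host[: -len(S3_SUFFIX)].split(".")
    # The endpoint label is "s3" (optionally followed by a region label) or the legacy "s3-<region>".
    # Bucket names may contain dots, so take the LAST such label; everything before it is the bucket.
    marks = [i for i, lab in enumerate(labels) if lab == "s3" or lab.startswith("s3-")]
    if not marks:
        raise ValueError(f"no S3 endpoint label in host {host!r}")
    bucket = ".".join(labels[: marks[-1]])
    path = unquote(parts.path.lstrip("/"))      # percent-decode; the query string is not part of the key
    if bucket:
        return bucket, path
    bucket, _, key = path.partition("/")         # path-style: the first path segment is the bucket
    if not bucket:
        raise ValueError("path-style URL without a bucket name")
    return bucket, key


def key_prefix(key: str) -> str:
    """The 'folder' a console shows is just the key text up to its last '/'; S3 has no real folders."""
    return key.rsplit("/", 1)[0] + "/" if "/" in key else ""


if __name__ == "__main__":
    for u in ["https://bucket1.abc.com.s3.amazonaws.com/folderx/myfile.doc",
              "https://s3.amazonaws.com/bucket1.abc.com/folderx/myfile.doc",
              "https://my-bucket.s3.us-east-1.amazonaws.com/a%20b/c.txt?versionId=3"]:
        b, k = parse_s3_url(u)
        print(b, "|", k, "| prefix:", key_prefix(k) or "(none)")
```

One caveat the question's own example illustrates: a bucket name with dots (`bucket1.abc.com`) turns the virtual-hosted hostname into `bucket1.abc.com.s3.amazonaws.com`, which the `*.s3.amazonaws.com` wildcard certificate does not cover, so HTTPS clients will see a certificate mismatch unless they use path-style addressing. Avoid dots in bucket names that will be accessed over TLS.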

You are a solutions architect working for a media company that hosts its website on AWS. Currently, there is a single Amazon Elastic Compute Cloud (Amazon EC2) Instance on AWS with MySQL installed locally to that Amazon EC2 Instance. You have been asked to make the company&rsquo;s production environment more resilient and to increase performance. You suggest that the company split out the MySQL database onto an Amazon RDS Instance with Multi-AZ enabled. This addresses the company&rsquo;s increased resiliency requirements. Now you need to suggest how you can increase performance. Ninety-nine percent of the company&rsquo;s end users are magazine subscribers who will be reading additional articles on the website, so only one percent of end users will need to write data to the site. What should you suggest to increase performance? 1. Alter the connection string so that if a user is going to write data, it is written to the secondary copy of the Multi-AZ database. 2. Alter the connection string so that if a user is going to write data, it is written to the primary copy of the Multi-AZ database. 3. Recommend that the company use read replicas, and distribute the traffic across multiple read replicas. 4. Migrate the MySQL database to Amazon Redshift to take advantage of columnar storage and maximize performance.

3 C. In this scenario, the best idea is to use read replicas to scale out the database and thus maximize read performance. When using Multi-AZ, the secondary database is not accessible and all reads and writes must go to the primary or any read replicas.

Your company stores documents in Amazon Simple Storage Service (Amazon S3), but it wants to minimize cost. Most documents are used actively for only about a month, then much less frequently. However, all data needs to be available within minutes when requested. How can you meet these requirements? 1. Migrate the data to Amazon S3 Reduced Redundancy Storage (RRS) after 30 days. 2. Migrate the data to Amazon Glacier after 30 days. 3. Migrate the data to Amazon S3 Standard - Infrequent Access (IA) after 30 days. 4. Turn on versioning, then migrate the older version to Amazon Glacier.

3 C. Migrating the data to Amazon S3 Standard-IA after 30 days using a lifecycle policy is correct. Amazon S3 RRS should only be used for easily replicated data, not critical data. Migration to Amazon Glacier might minimize storage costs if retrievals are infrequent, but documents would not be available in minutes when needed.
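
What that lifecycle policy looks like, and a check that the rule is one S3 will accept. This is an added example, not code from the page or from AWS; it serves the "lifecycle management" card earlier on this page too. The rule id and prefix are constructed; the JSON shape is the one `put-bucket-lifecycle-configuration` takes, and the 30-day floor is the minimum S3 enforces before an object can move to Standard-IA.

```python
"""Building and sanity-checking an S3 lifecycle configuration. Added example, not from
the page; rule names and prefixes are constructed.  The JSON shape is the one
put-bucket-lifecycle-configuration accepts."""
import json

MIN_DAYS_BEFORE_IA = 30   # S3 rejects transitions to STANDARD_IA / ONEZONE_IA earlier than day 30


def lifecycle_rule(rule_id, prefix, ia_after=30, glacier_after=None, expire_after=None):
    """One rule: Standard -> Standard-IA -> (optionally) Glacier -> (optionally) expiry."""
    transitions = []
    if ia_after is not None:
        if ia_after < MIN_DAYS_BEFORE_IA:
            raise ValueError(f"Standard-IA transition needs >= {MIN_DAYS_BEFORE_IA} days, got {ia_after}")
        transitions.append({"Days": ia_after, "StorageClass": "STANDARD_IA"})
    if glacier_after is not None:
        if transitions and glacier_after <= transitions[-1]["Days"]:
            raise ValueError("transitions must move to colder classes on strictly later days")
        transitions.append({"Days": glacier_after, "StorageClass": "GLACIER"})
    rule = {"ID": rule_id, "Status": "Enabled", "Filter": {"Prefix": prefix}, "Transitions": transitions}
    if expire_after is not None:
        if transitions and expire_after <= transitions[-1]["Days"]:
            raise ValueError("expiration must come after the last transition")
        rule["Expiration"] = {"Days": expire_after}
    return rule


def lifecycle_configuration(*rules) -> str:
    """Serialised request body for put-bucket-lifecycle-configuration."""
    return json.dumps({"Rules": list(rules)}, indent=2)


def storage_class_at(rule, age_days):
    """Where an object of this age lives under the rule; None once it has expired."""
    expiry = rule.get("Expiration", {}).get("Days")
    if expiry is not None and age_days >= expiry:
        return None
    cls = "STANDARD"
    for t in sorted(rule["Transitions"], key=lambda t: t["Days"]):
        if age_days >= t["Days"]:
            cls = t["StorageClass"]
    return cls


# The page's scenario: active for a month, then rarely read but still needed within minutes.
DOCS_RULE = lifecycle_rule("documents-cool-down", "documents/", ia_after=30, glacier_after=365, expire_after=7 * 365)

if __name__ == "__main__":
    print(lifecycle_configuration(DOCS_RULE))
    for age in (1, 30, 400, 7 * 365):
        print(age, "days ->", storage_class_at(DOCS_RULE, age))
```

Standard-IA is billed for a minimum of 30 days per object and charges a per-GB retrieval fee, so a rule like this only saves money for data that really is read rarely; the `glacier_after` stage is optional and would break the "available within minutes" requirement for anything that reaches it.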

Can an Amazon Simple Notification Service (Amazon SNS) message be deleted after being published to a topic? 1. Only if a subscriber(s) has/have not read the message yet 2. Only if the Amazon SNS recall message parameter has been set 3. No. After a message has been successfully published to a topic, it cannot be recalled. 4. Yes. However it can be deleted only if the subscribers are Amazon SQS queues.

3 C. No. After a message has been successfully published to a topic, it cannot be recalled.

You are building a photo management application that maintains metadata on millions of images in an Amazon DynamoDB table. When a photo is retrieved, you want to display the metadata next to the image. Which Amazon DynamoDB operation will you use to retrieve the metadata attributes from the table? 1. Scan operation 2. Search operation 3. Query operation 4. Find operation

3 C. Query is the most efficient of the listed operations for finding a single item in a large table, because it uses the key rather than reading the whole table as Scan does. (Outside the quiz, GetItem is the direct call for one item by its full primary key.)

How does Amazon Simple Queue Service (Amazon SQS) deliver messages? 1. Last In, First Out (LIFO) 2. First In, First Out (FIFO) 3. Sequentially 4. Amazon SQS doesn&rsquo;t guarantee delivery of your messages in any particular order.

4 D. A standard Amazon SQS queue does not guarantee in what order your messages will be delivered (best-effort ordering, at-least-once delivery); only FIFO queues preserve order.

Your web application needs four instances to support steady traffic nearly all of the time. On the last day of each month, the traffic triples. What is a cost-effective way to handle this traffic pattern? 1. Run 12 Reserved Instances all of the time. 2. Run four On-Demand Instances constantly, then add eight more On-Demand Instances on the last day of each month. 3. Run four Reserved Instances constantly, then add eight On-Demand Instances on the last day of each month. 4. Run four On-Demand Instances constantly, then add eight Reserved Instances on the last day of each month.

3 C. Reserved Instances provide cost savings when you can commit to running instances full time, such as to handle the base traffic. On-Demand Instances provide the flexibility to handle traffic spikes, such as on the last day of the month.

You have launched a Windows Amazon Elastic Compute Cloud (Amazon EC2) instance and specified an Amazon EC2 key pair for the instance at launch. Which of the following accurately describes how to log in to the instance? 1. Use the Amazon EC2 key pair to securely connect to the instance via Secure Shell (SSH). 2. Use your AWS Identity and Access Management (IAM) user X.509 certificate to log in to the instance. 3. Use the Amazon EC2 key pair to decrypt the administrator password and then securely connect to the instance via Remote Desktop Protocol (RDP) as the administrator. 4. A key pair is not needed. Securely connect to the instance via RDP.

3 C. The administrator password is encrypted with the public key of the key pair; you retrieve the encrypted blob (the console's "Get Windows Password" or the get-password-data API) and provide the private key to decrypt it, then log in to the instance as the administrator over RDP with the decrypted password.

How many nodes can you add to an Amazon ElastiCache cluster running Memcached? 1. 1 2. 5 3. 20 4. 100

3 C. The default limit is 20 nodes per Memcached cluster; it is a soft limit that can be raised through AWS Support.

What should you do in order to grant a different AWS account permission to your Amazon Simple Queue Service (Amazon SQS) queue? 1. Share credentials to your AWS account and have the other account&rsquo;s applications use your account&rsquo;s credentials to access the Amazon SQS queue. 2. Create a user for that account in AWS Identity and Access Management (IAM) and establish an IAM policy that grants access to the queue. 3. Create an Amazon SQS policy that grants the other account access. 4. Amazon Virtual Private Cloud (Amazon VPC) peering must be used to achieve this.

3 C. An Amazon SQS policy is a resource-based policy attached to the queue; because it carries a Principal element it can grant access to a different AWS account, which an IAM identity policy in your account cannot do. (The other account still attaches its own IAM policies to the users or roles that will use the queue.)
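
The two policy shapes side by side, plus a small linter for the mistake that turns "another account" into "everyone". This is an added example covering both this answer and the earlier "IAM policies are JSON" card; it is not code from the page or from AWS, and the account ids, queue ARN and statement ids are constructed.

```python
"""IAM identity policy vs. SQS queue (resource) policy. Added example, not from the
page; the account ids, queue ARN and statement names are constructed."""
import json

QUEUE_ARN = "arn:aws:sqs:us-east-1:111122223333:orders"      # queue owner: 111122223333
OTHER_ACCOUNT = "444455556666"                              # producer account


def sqs_queue_policy(queue_arn=QUEUE_ARN, account_id=OTHER_ACCOUNT, actions=("sqs:SendMessage",)):
    """Resource-based policy set on the queue. The Principal element is what makes cross-account possible."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowProducerAccount",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},   # the whole account, delegated to its IAM admins
            "Action": list(actions),
            "Resource": queue_arn,
        }],
    }


def iam_identity_policy(queue_arn=QUEUE_ARN, actions=("sqs:SendMessage",)):
    """Identity-based policy the producer account attaches to its own role or user.  No Principal:
    the attachment decides who it applies to, and on its own it cannot open a queue in another account."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": list(actions), "Resource": queue_arn}]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def lint_resource_policy(policy) -> list:
    """Flag Allow statements open to everyone without a Condition, and wildcard actions."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        if "*" in _as_list(aws) and "Condition" not in st:
            findings.append(f"statement {i}: Principal '*' with no Condition (anonymous access)")
        if any(a == "*" or a.endswith(":*") for a in _as_list(st.get("Action", []))):
            findings.append(f"statement {i}: wildcard Action {st.get('Action')}")
    return findings


if __name__ == "__main__":
    print(json.dumps(sqs_queue_policy(), indent=2))
    print(json.dumps(iam_identity_policy(), indent=2))
    print(lint_resource_policy(sqs_queue_policy()))
```

Granting to `:root` of the other account delegates the decision to that account's administrators, who then scope it down with their own identity policies; granting to a specific role ARN in that account is tighter still. A `Principal` of `"*"` is only acceptable behind a Condition such as `aws:SourceArn`, which is the usual shape for letting an SNS topic deliver into the queue.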

What is the minimum size subnet that you can have in an Amazon VPC? 1. /24 2. /26 3. /28 4. /30

3 C. The minimum size subnet that you can have in an Amazon VPC is /28, which is 16 addresses; AWS reserves the first four and the last address of every subnet, leaving 11 usable.

How can you connect to a new Linux instance using SSH? 1. Decrypt the root password. 2. Using a certificate 3. Using the private half of the instance's key pair 4. Using Multi-Factor Authentication (MFA)

3 C. The public half of the key pair is placed in the instance's authorized_keys at first boot, and the private half is used by your SSH client to authenticate; there is no password to decrypt on Linux.

Which of the following statements is true when it comes to the AWS shared responsibility model? 1. The shared responsibility model is limited to security considerations only; it does not extend to IT controls. 2. The shared responsibility model is only applicable for customers who want to be compliant with SOC 1 Type II. 3. The shared responsibility model is not just limited to security considerations; it also extends to IT controls. 4. The shared responsibility model is only applicable for customers who want to be compliant with ISO 27001.

3 C. The shared responsibility model can include IT controls, and it is not just limited to security considerations. Therefore, answer C is correct.

Can an Amazon Simple Notification Service (Amazon SNS) topic be recreated with a previously used topic name? 1. Yes. The topic name should typically be available after 24 hours after the previous topic with the same name has been deleted. 2. Yes. The topic name should typically be available after 1-3 hours after the previous topic with the same name has been deleted. 3. Yes. The topic name should typically be available after 30-60 seconds after the previous topic with the same name has been deleted. 4. At this time, this feature is not supported.

3 C. Topic names should typically be available for reuse approximately 30-60 seconds after the previous topic with the same name has been deleted. The exact time will depend on the number of subscriptions active on the topic; topics with a few subscribers will be available instantly for reuse, while topics with larger subscriber lists may take longer.

What is Availability & Durability for S3 object?

99.99% availability, 99.999999999% (eleven 9's) durability

What is Availability & Durability for RRS object?

99.99% availability 99.99% durability

Your web application front end consists of multiple Amazon Compute Cloud (Amazon EC2) instances behind an Elastic Load Balancing load balancer. You have configured the load balancer to perform health checks on these Amazon EC2 instances. If an instance fails to pass health checks, which statement will be true? 1. The instance is replaced automatically by the load balancer. 2. The instance is terminated automatically by the load balancer. 3. The load balancer stops sending traffic to the instance that failed its health check. 4. The instance is quarantined by the load balancer for root cause analysis.

3 C. When an Amazon EC2 instance fails the configured number of consecutive health checks, the load balancer stops sending traffic to it, and it starts sending traffic again once the instance passes the healthy threshold. The load balancer never terminates or replaces instances; that is Auto Scaling's job, if the group is configured to use ELB health checks.
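
The "requisite number of consecutive health checks" rule as a state machine, as an added example (not code from the page or from AWS). Thresholds and the sequence of check results are constructed; the point it makes that the answer does not is that a target which flaps below the unhealthy threshold is never taken out of service.

```python
"""How a load balancer's consecutive-check thresholds decide whether a target receives traffic.
Added example, not from the page; thresholds and the check sequences are constructed."""


def run_health_checks(results, healthy_threshold=2, unhealthy_threshold=3):
    """results: one bool per health-check interval.  Returns the target's state after each check.

    A target starts OutOfService and must pass `healthy_threshold` checks in a row to enter service;
    once in service it leaves only after `unhealthy_threshold` consecutive failures.  Any pass resets
    the failure streak, and vice versa, so a flapping target can stay in service indefinitely."""
    state, passes, failures, history = "OutOfService", 0, 0, []
    for ok in results:
        if ok:
            passes, failures = passes + 1, 0
            if state == "OutOfService" and passes >= healthy_threshold:
                state = "InService"
        else:
            failures, passes = failures + 1, 0
            if state == "InService" and failures >= unhealthy_threshold:
                state = "OutOfService"
        history.append(state)
    return history


def routable_targets(health_by_target: dict) -> list:
    """The balancer keeps routing to every target whose latest state is InService; failed ones are
    skipped, not terminated or replaced (that is Auto Scaling's job if it uses ELB health checks)."""
    return sorted(t for t, states in health_by_target.items() if states and states[-1] == "InService")


def demo():
    checks = {
        "i-web-1": [True, True, True, True, True, True, True, True],
        "i-web-2": [True, True, False, False, True, False, False, False],   # 3 failures in a row at the end
        "i-web-3": [True, True, False, True, False, True, False, True],     # flapping, never 3 in a row
    }
    health = {t: run_health_checks(seq) for t, seq in checks.items()}
    return health, routable_targets(health)


if __name__ == "__main__":
    health, targets = demo()
    for t, h in health.items():
        print(t, h)
    print("receiving traffic:", targets)
```

Tune the interval and thresholds together: with a 30-second interval and an unhealthy threshold of 3, a dead instance keeps receiving (and failing) requests for up to 90 seconds before it is pulled, and a flapping one like `i-web-3` is only caught by looking at its error rate, not at its health state.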

You create a new VPC in US-East-1 and provision three subnets inside this Amazon VPC. Which of the following statements is true? 1. By default, these subnets will not be able to communicate with each other; you will need to create routes. 2. All subnets are public by default. 3. All subnets will be able to communicate with each other by default. 4. Each subnet will have identical CIDR blocks.

3 C. When you provision an Amazon VPC, all subnets can communicate with each other by default: every route table carries a "local" route for the VPC's CIDR block that cannot be removed, and the default security group allows traffic between members of the group. Subnets are private until a route to an Internet gateway is added, and each subnet must have its own CIDR range within the VPC block.

Your Amazon Virtual Private Cloud (Amazon VPC) includes multiple private subnets. The instances in these private subnets must access third-party payment Application Program Interfaces (APIs) over the Internet. Which option will provide highly available Internet access to the instances in the private subnets? 1. Create an AWS Storage Gateway in each Availability Zone and configure your routing to ensure that resources use the AWS Storage Gateway in the same Availability Zone. 2. Create a customer gateway in each Availability Zone and configure your routing to ensure that resources use the customer gateway in the same Availability Zone. 3. Create a Network Address Translation (NAT) gateway in each Availability Zone and configure your routing to ensure that resources use the NAT gateway in the same Availability Zone. 4. Create a NAT gateway in one Availability Zone and configure your routing to ensure that resources use that NAT gateway in all the Availability Zones.

3 C. You can use a NAT gateway to enable instances in a private subnet to connect to the Internet or other AWS services, but prevent the Internet from initiating a connection with those instances. If you have resources in multiple Availability Zones and they share one NAT gateway, resources in the other Availability Zones lose Internet access in the event that the NAT gateway's Availability Zone is down. To create an Availability Zone-independent architecture, create a NAT gateway in each Availability Zone and configure your routing to ensure that resources use the NAT gateway in the same Availability Zone.
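
The route-table reasoning shared by several of the VPC answers above (a subnet is public when its route table sends 0.0.0.0/0 to an Internet gateway; subnets reach each other through the implicit local route; a /28 leaves 11 usable addresses; a private subnet's NAT gateway belongs in the subnet's own Availability Zone), as an added example. This is not code from the page or from AWS: the VPC layout, resource ids and addresses are constructed, and `rt-private-b` is deliberately misconfigured to show what the audit catches.

```python
"""Route-table reasoning behind the VPC answers above.  Added example, not from the page;
the VPC layout, ids and addresses are constructed."""
import ipaddress

# subnet name -> (cidr, availability zone, route table)
SUBNETS = {
    "public-a":  ("10.0.0.0/24", "us-east-1a", "rt-public"),
    "public-b":  ("10.0.1.0/24", "us-east-1b", "rt-public"),
    "private-a": ("10.0.10.0/24", "us-east-1a", "rt-private-a"),
    "private-b": ("10.0.11.0/24", "us-east-1b", "rt-private-b"),
}
ROUTE_TABLES = {
    "rt-public":    [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-0123")],
    "rt-private-a": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-aaaa")],
    "rt-private-b": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-aaaa")],   # deliberately wrong AZ
}
NAT_GATEWAYS = {"nat-aaaa": "us-east-1a", "nat-bbbb": "us-east-1b"}
RESERVED_PER_SUBNET = 5   # network, VPC router, DNS, reserved for future use, broadcast


def lookup(route_table, dest_ip):
    """Longest-prefix match; returns the route target or None when nothing matches."""
    ip = ipaddress.ip_address(dest_ip)
    best = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def default_target(route_table):
    return next((t for cidr, t in route_table if cidr == "0.0.0.0/0"), None)


def is_public(route_table) -> bool:
    return (default_target(route_table) or "").startswith("igw-")


def usable_addresses(cidr) -> int:
    net = ipaddress.ip_network(cidr)
    if not 16 <= net.prefixlen <= 28:
        raise ValueError(f"VPC subnets must be between /16 and /28, got /{net.prefixlen}")
    return net.num_addresses - RESERVED_PER_SUBNET


def audit(subnets=SUBNETS, route_tables=ROUTE_TABLES, nat_gateways=NAT_GATEWAYS) -> list:
    """Findings a reviewer would raise before calling the layout highly available."""
    findings = []
    tiers = {"public": set(), "private": set()}
    for name, (cidr, az, rt_name) in subnets.items():
        rt = route_tables[rt_name]
        if is_public(rt):
            tiers["public"].add(az)
            continue
        tiers["private"].add(az)
        target = default_target(rt)
        if target is None:
            findings.append(f"{name}: no default route, no Internet egress")
        elif target.startswith("nat-") and nat_gateways.get(target) != az:
            findings.append(f"{name} ({az}) egresses via {target} in {nat_gateways.get(target)}: "
                            "an outage in that zone takes this subnet offline too")
    for tier, azs in tiers.items():
        if len(azs) < 2:
            findings.append(f"{tier} tier spans only {len(azs)} Availability Zone(s)")
    return findings


if __name__ == "__main__":
    print({n: ("public" if is_public(ROUTE_TABLES[rt]) else "private") for n, (_, _, rt) in SUBNETS.items()})
    print("10.0.1.7 from private-a ->", lookup(ROUTE_TABLES["rt-private-a"], "10.0.1.7"))
    print("/28 usable:", usable_addresses("10.0.20.0/28"))
    print(audit())
```

Pointing `rt-private-b` at `nat-bbbb` clears the finding; the two-public-plus-two-private layout with one NAT gateway per zone is exactly the four-subnet answer the travel-company question arrives at.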

Which of the following must be configured on an Elastic Load Balancing load balancer to accept incoming traffic? 1. A port 2. A network interface 3. A listener 4. An instance

3 C. You configure your load balancer to accept incoming traffic by specifying one or more listeners (a protocol and port on the load balancer, and the protocol and port used to reach the instances).

You are a solutions architect working for a large travel company that is migrating its existing server estate to AWS. You have recommended that they use a custom Amazon VPC, and they have agreed to proceed. They will need a public subnet for their web servers and a private subnet in which to place their databases. They also require that the web servers and database servers be highly available and that there be a minimum of two web servers and two database servers each. How many subnets should you have to maintain high availability? 1. 2 2. 3 3. 4 4. 1

3 C. You need two public subnets (one for each Availability Zone) and two private subnets (one for each Availability Zone). Therefore, you need four subnets.

You have created a custom Amazon VPC with both private and public subnets. You have created a NAT instance and deployed this instance to a public subnet. You have attached an EIP address and added your NAT to the route table. Unfortunately, instances in your private subnet still cannot access the Internet. What may be the cause of this? 1. Your NAT is in a public subnet, but it needs to be in a private subnet. 2. Your NAT should be behind an Elastic Load Balancer. 3. You should disable source/destination checks on the NAT. 4. Your NAT has been deployed on a Windows instance, but your other instances are Linux. You should redeploy the NAT onto a Linux instance.

3 C. You should disable source/destination checks on the NAT.

In S3 the durability of my files is

99.999999999 percent

You have an application that for legal reasons must be hosted in the United States when U.S. citizens access it. The application must be hosted in the European Union when citizens of the EU access it. For all other citizens of the world, the application must be hosted in Sydney. Which routing policy should you choose in order to achieve this? 1. Latency-based routing 2. Simple routing 3. Geolocation routing 4. Failover routing

3 C. You should route your traffic based on where your end users are located. The best routing policy to achieve this is geolocation routing.

Which DNS record should you use to configure the transmission of email to your intended mail server? 1. SPF records 2. A records 3. MX records 4. SOA record

3 C. You would use Mail eXchange (MX) records to define which inbound destination mail server should be used.

What performance does general purpose SSD storage offer in RDS?

3 IOPS per GB of storage, with the ability to burst up to 3,000 IOPS

(T/F) Instance status checks are done every 60 seconds

True

When using Amazon Relational Database Service (Amazon RDS) Multi-AZ, how can you offload read requests from the primary? (Choose 2 answers) 1. Configure the connection string of the clients to connect to the secondary node and perform reads while the primary is used for writes. 2. Amazon RDS automatically sends writes to the primary and sends reads to the secondary. 3. Add a read replica DB instance, and configure the client's application logic to use a read-replica. 4. Create a caching environment using ElastiCache to cache frequently used data. Update the application logic to read/write from the cache.

3,4 C,D. Amazon RDS allows for the creation of one or more read-replicas for many engines that can be used to handle reads. Another common pattern is to create a cache using Memcached and Amazon ElastiCache to store frequently used queries. The Multi-AZ standby DB instance is not accessible and cannot be used to offload queries.

Which of the following must be specified when launching a new Amazon Elastic Compute Cloud (Amazon EC2) Windows instance? (Choose 2 answers) 1. The Amazon EC2 instance ID 2. Password for the administrator account 3. Amazon EC2 instance type 4. Amazon Machine Image (AMI)

3,4 C,D. The Amazon EC2 instance ID will be assigned by AWS as part of the launch process. The administrator password is assigned by AWS and encrypted via the public key. The instance type defines the virtual hardware and the AMI defines the initial software state. You must specify both upon launch.

Which statements about Amazon Glacier are true? (Choose 3 answers) 1. Amazon Glacier stores data in objects that live in archives. 2. Amazon Glacier archives are identified by user-specified key names. 3. Amazon Glacier archives take three to five hours to restore. 4. Amazon Glacier vaults can be locked. 5. Amazon Glacier can be used as a standalone service and as an Amazon S3 storage class.

3,4,5 C,D,E. Amazon Glacier stores data in archives, which are contained in vaults. Archives are identified by system-created archive IDs, not key names.

You have a web application that contains both static content in an Amazon Simple Storage Service (Amazon S3) bucket, primarily images and CSS files, and also dynamic content currently served by a PHP web app running on Amazon Elastic Compute Cloud (Amazon EC2). What features of Amazon CloudFront can be used to support this application with a single Amazon CloudFront distribution? (Choose 2 answers) 1. Multiple Origin Access Identifiers 2. Multiple signed URLs 3. Multiple origins 4. Multiple edge locations 5. Multiple cache behaviors

3,5 C,E. Using multiple origins and setting multiple cache behaviors allow you to serve static and dynamic content from the same distribution. Origin Access Identifiers and signed URLs support serving private content from Amazon CloudFront, while multiple edge locations are simply how Amazon CloudFront serves any content.

Which protocol is primarily used by DNS to serve requests? 1. Transmission Control Protocol (TCP) 2. Hyper Text Transfer Protocol (HTTP) 3. File Transfer Protocol (FTP) 4. User Datagram Protocol (UDP)

4 D. DNS primarily uses UDP to serve requests.

Your application stores critical data in Amazon Simple Storage Service (Amazon S3), which must be protected against inadvertent or intentional deletion. How can this data be protected? (Choose 2 answers) 1. Use cross-region replication to copy data to another bucket automatically. 2. Set a vault lock. 3. Enable versioning on the bucket. 4. Use a lifecycle policy to migrate data to Amazon Glacier. 5. Enable MFA Delete on the bucket.

3,5 C,E. Versioning protects data against inadvertent or intentional deletion by storing all versions of the object, and MFA Delete requires a one-time code from a Multi-Factor Authentication (MFA) device to delete objects. Cross-region replication and migration to the Amazon Glacier storage class do not protect against deletion. Vault locks are a feature of Amazon Glacier, not a feature of Amazon S3.

Glacier data retrieval can take ___________ hours.

3-5 hours

What do I have to pay if I run an on-demand instance for one hour and a half? 1. 1 time the hourly rate? 2. 1.5 times the hourly rate? 3. 2 times the hourly rate?

3. 2 times the hourly rate (2 hours). Pricing is per instance-hour consumed for each instance, from the time an instance is launched until it is terminated or stopped. Each partial instance-hour consumed will be billed as a full hour.

RDS: Automated backups will occur daily during a configurable _____-minute maintenance window called the backup window.

30

How long must you wait to transition a file to S3-IA via lifecycle management?

30 days after the file's creation

How long must you wait to transition a file from S3-IA to Glacier?

30 days after the item was sent to S3-IA

Maximum provisioned IOPS allowed for an RDS MySQL/Oracle instance?

30,000

MySQL installations default to port number

3306

Microsoft Terminal Services gateway Port #

3389

In RDS, what is the maximum value I can set for my backup retention period?

35 Days

Which Amazon Elastic Compute Cloud (Amazon EC2) pricing model allows you to pay a set hourly price for compute, giving you full control over when the instance launches and terminates? 1. Spot instances 2. Reserved instance 3. On Demand instances 4. Dedicated instances

3?

Your company needs to provide streaming access to videos to authenticated users around the world. What is a good way to accomplish this? 1. Use Amazon Simple Storage Service (Amazon S3) buckets in each region with website hosting enabled. 2. Store the videos on Amazon Elastic Block Store (Amazon EBS) volumes. 3. Enable Amazon CloudFront with geolocation and signed URLs. 4. Run a fleet of Amazon Elastic Compute Cloud (Amazon EC2) instances to host the videos.

3?

1,024 KB I/O operation would count as ______ IOPS.

4

Instance Types are defined according to which dimensions?

4 1. Virtual CPUs 2. Memory 3. Storage 4. Network Performance

Which cryptographic method is used by AWS Key Management Service (AWS KMS) to encrypt data? 1. Password-based encryption 2. Asymmetric 3. Shared secret 4. Envelope encryption

4 D. AWS KMS uses envelope encryption to protect data. AWS KMS creates a data key, encrypts it under a Customer Master Key (CMK), and returns plaintext and encrypted versions of the data key to you. You use the plaintext key to encrypt data and store the encrypted key alongside the encrypted data. You can retrieve a plaintext data key only if you have the encrypted data key and you have permission to use the corresponding master key.

Which of the following is not a supported Amazon Simple Notification Service (Amazon SNS) protocol? 1. HTTPS 2. AWS Lambda 3. Email-JSON 4. Amazon DynamoDB

4 D. Amazon DynamoDB is not a supported Amazon SNS protocol.

Amazon Route 53 cannot route queries to which AWS resource? 1. Amazon CloudFront distribution 2. Elastic Load Balancing load balancer 3. Amazon EC2 4. AWS OpsWorks

4 D. Amazon Route 53 can route queries to a variety of AWS resources such as an Amazon CloudFront distribution, an Elastic Load Balancing load balancer, an Amazon EC2 instance, a website hosted in an Amazon S3 bucket, and an Amazon Relational Database (Amazon RDS).

If I want my instance to run on a single-tenant hardware, which value do I have to set the instance's tenancy attribute to? A. dedicated B. isolated C. one D. reserved

A

Your company has its primary production site in Western Europe and its DR site in the Asia Pacific. You need to configure DNS so that if your primary site becomes unavailable, you can fail DNS over to the secondary site. Which DNS routing policy would best achieve this? 1. Weighted routing 2. Geolocation routing 3. Simple routing 4. Failover routing

4 D. Failover-based routing would best achieve this objective.

What is the longest time available for an Amazon Simple Queue Service (Amazon SQS) visibility timeout? 1. 30 seconds 2. 60 seconds 3. 1 hour 4. 12 hours

4 D. The maximum time for an Amazon SQS visibility timeout is 12 hours.

When configuring Amazon Route 53 as your DNS service for an existing domain, which is the first step that needs to be performed? 1. Create hosted zones. 2. Create resource record sets. 3. Register a domain with Amazon Route 53. 4. Transfer domain registration from current registrar to Amazon Route 53.

4 D. You must first transfer the existing domain registration from another registrar to Amazon Route 53 to configure it as your DNS service.

Which of the following is the Amazon side of an Amazon VPN connection? 1. An EIP 2. A CGW 3. An IGW 4. A VPG

4 D. A CGW is the customer side of a VPN connection, and an IGW connects a network to the Internet. A VPG is the Amazon side of a VPN connection.

Which type of DNS record should you use to resolve an IP address to a domain name? 1. An A record 2. A CNAME record 3. An SPF record 4. A PTR record

4 D. A PTR record is used to resolve an IP address to a domain name, and it is commonly referred to as "reverse DNS."

Which of the following describes a physical location around the world where AWS clusters data centers? 1. Endpoint 2. Collection 3. Fleet 4. Region

4 D. A region is a named set of AWS resources in the same geographical area. A region comprises at least two availability zones. Endpoint, Collection, and Fleet do not describe a physical location around the world where AWS clusters data centers.

Why is the launch configuration referenced by the Auto Scaling group instead of being part of the Auto Scaling group? 1. It allows you to change the Amazon Elastic Compute Cloud (Amazon EC2) instance type and Amazon Machine Image (AMI) without disrupting the Auto Scaling group. 2. It facilitates rolling out a patch to an existing set of instances managed by an Auto Scaling group. 3. It allows you to change security groups associated with the instances launched without having to make changes to the Auto Scaling group. 4. All of the above 5. None of the above

4 D. A, B, and C are all true statements about launch configurations being loosely coupled and referenced by the Auto Scaling group instead of being part of the Auto Scaling group.

All of the website deployments are currently done by your company's development team. With a surge in website popularity, the company is looking for ways to be more agile with deployments. What AWS Cloud service can help the developers focus more on writing code instead of spending time managing and configuring servers, databases, load balancers, firewalls, and networks? 1. AWS Config 2. AWS Trusted Advisor 3. Amazon Kinesis 4. AWS Elastic Beanstalk

4 D. AWS Elastic Beanstalk is the fastest and simplest way to get an application up and running on AWS. Developers can simply upload their application code, and the service automatically handles all the details such as resource provisioning, load balancing, Auto Scaling, and monitoring.

Which of the following can be accomplished through bootstrapping? 1. Install the most current security updates. 2. Install the current version of the application. 3. Configure Operating System (OS) services. 4. All of the above.

4 D. Bootstrapping runs the provided script, so anything you can accomplish in a script you can accomplish during bootstrapping.

What type of AWS Elastic Beanstalk environment tier provisions resources to support a web application that handles background processing tasks? 1. Web server environment tier 2. Worker environment tier 3. Database environment tier 4. Batch environment tier

?

Your company provides an online photo sharing service. The development team is looking for ways to deliver image files with the lowest latency to end users so the website content is delivered with the best possible performance. What service can help speed up distribution of these image files to end users around the world? 1. Amazon Elastic Compute Cloud (Amazon EC2) 2. Amazon Route 53 3. AWS Storage Gateway 4. Amazon CloudFront

4 D. Amazon CloudFront is a web service that provides a CDN to speed up distribution of your static and dynamic web content, for example .html, .css, .php, image, and media files, to end users. Amazon CloudFront delivers content through a worldwide network of edge locations. Amazon EC2, Amazon Route 53, and AWS Storage Gateway do not provide CDN services that are required to meet the needs for the photo sharing service.

How long does Amazon CloudWatch keep metric data? 1. 1 day 2. 2 days 3. 1 week 4. 2 weeks

4 D. Amazon CloudWatch metric data is kept for 2 weeks.

In the basic monitoring package for Amazon Elastic Compute Cloud (Amazon EC2), what Amazon CloudWatch metrics are available? 1. Web server visible metrics such as number of failed transaction requests 2. Operating system visible metrics such as memory utilization 3. Database visible metrics such as number of connections 4. Hypervisor visible metrics such as CPU utilization

4 D. Amazon CloudWatch metrics provide hypervisor visible metrics.

Which of the following public identity providers are supported by Amazon Cognito Identity? 1. Amazon 2. Google 3. Facebook 4. All of the above

4 D. Amazon Cognito Identity supports public identity providers (Amazon, Facebook, and Google) as well as unauthenticated identities.

Which AWS database service is best suited for non-relational databases? 1. Amazon Redshift 2. Amazon Relational Database Service (Amazon RDS) 3. Amazon Glacier 4. Amazon DynamoDB

4 D. Amazon DynamoDB is best suited for non-relational databases. Amazon RDS and Amazon Redshift are both structured relational databases.

Which of the following Amazon VPC resources would you use in order for EC2-VPC instances to send traffic directly to Amazon S3? 1. Amazon S3 gateway 2. IGW 3. CGW 4. VPC endpoint

4 D. An Amazon VPC endpoint enables you to create a private connection between your Amazon VPC and another AWS service without requiring access over the Internet or through a NAT device, VPN connection, or AWS Direct Connect.

You need a secure way to distribute your AWS credentials to an application running on Amazon Elastic Compute Cloud (Amazon EC2) instances in order to access supplementary AWS Cloud services. What approach provides your application access to use short-term credentials for signing requests while protecting those credentials from other users? 1. Add your credentials to the UserData parameter of each Amazon EC2 instance. 2. Use a configuration file to store your access and secret keys on the Amazon EC2 instances. 3. Specify your access and secret keys directly in your application. 4. Provision the Amazon EC2 instances with an instance profile that has the appropriate privileges.

4 D. An instance profile is a container for an AWS Identity and Access Management (IAM) role that you can use to pass role information to an Amazon EC2 instance when the instance starts. The IAM role should have a policy attached that only allows access to the AWS Cloud services necessary to perform its function.

Which of the following statements is true when it comes to the risk and compliance advantages of the AWS environment? 1. Workloads must be moved entirely into the AWS Cloud in order to be compliant with various certifications and third-party attestations. 2. The critical components of a workload must be moved entirely into the AWS Cloud in order to be compliant with various certifications and third-party attestations, but the non-critical components do not. 3. The non-critical components of a workload must be moved entirely into the AWS Cloud in order to be compliant with various certifications and third-party attestations, but the critical components do not. 4. Few, many, or all components of a workload can be moved to the AWS Cloud, but it is the customer's responsibility to ensure that their entire workload remains compliant with various certifications and third-party attestations.

4 D. Any number of components of a workload can be moved into AWS, but it is the customer's responsibility to ensure that the entire workload remains compliant with various certifications and third-party attestations.

Who is responsible for the configuration of security groups in an AWS environment? 1. The customer and AWS are both jointly responsible for ensuring that security groups are correctly and securely configured. 2. AWS is responsible for ensuring that all security groups are correctly and securely configured. Customers do not need to worry about security group configuration. 3. Neither AWS nor the customer is responsible for the configuration of security groups; security groups are intelligently and automatically configured using traffic heuristics. 4. AWS provides the security group functionality as a service, but the customer is responsible for correctly and securely configuring their own security groups.

4 D. Customers are responsible for ensuring all of their security group configurations are appropriate for their own applications, therefore answer D is correct.

Which of the following Elastic Load Balancing options ensure that the load balancer determines which cipher is used for a Secure Sockets Layer (SSL) connection? 1. Client Server Cipher Suite 2. Server Cipher Only 3. First Server Cipher 4. Server Order Preference

4 D. Elastic Load Balancing supports the Server Order Preference option for negotiating connections between a client and a load balancer. During the SSL connection negotiation process, the client and the load balancer present a list of ciphers and protocols that they each support, in order of preference. By default, the first cipher on the client's list that matches any one of the load balancer's ciphers is selected for the SSL connection. If the load balancer is configured to support Server Order Preference, then the load balancer selects the first cipher in its list that is in the client's list of ciphers. This ensures that the load balancer determines which cipher is used for SSL connection. If you do not enable Server Order Preference, the order of ciphers presented by the client is used to negotiate connections between the client and the load balancer.

Which of the following is the security protocol supported by Amazon VPC? 1. SSH 2. Advanced Encryption Standard (AES) 3. Point-to-Point Tunneling Protocol (PPTP) 4. IPsec

4 D. IPsec is the security protocol supported by Amazon VPC.

Your application polls an Amazon Simple Queue Service (Amazon SQS) queue frequently and returns immediately, often with empty ReceiveMessageResponses. What is one thing that can be done to reduce Amazon SQS costs? 1. Pricing on Amazon SQS does not include a cost for service requests; therefore, there is no concern. 2. Increase the timeout value for short polling to wait for messages longer before returning a response. 3. Change the message visibility value to a higher number. 4. Use long polling by supplying a WaitTimeSeconds of greater than 0 seconds when calling ReceiveMessage.

4 D. Long polling allows your application to poll the queue, and, if nothing is there, Amazon Elastic Compute Cloud (Amazon EC2) waits for an amount of time you specify (between 1 and 20 seconds). If a message arrives in that time, it is delivered to your application as soon as possible. If a message does not arrive in that time, you need to execute the ReceiveMessage function again.

Which of the following describes the scheme used by an Amazon Redshift cluster leveraging AWS Key Management Service (AWS KMS) to encrypt data-at-rest? 1. Amazon Redshift uses a one-tier, key-based architecture for encryption. 2. Amazon Redshift uses a two-tier, key-based architecture for encryption. 3. Amazon Redshift uses a three-tier, key-based architecture for encryption. 4. Amazon Redshift uses a four-tier, key-based architecture for encryption.

4 D. When you choose AWS KMS for key management with Amazon Redshift, there is a four-tier hierarchy of encryption keys. These keys are the master key, a cluster key, a database key, and data encryption keys.

If I write the below command, what does it do? ec2-run ami-e3a5408a -n 20 -g appserver A: Start twenty instances as members of the appserver group.

A

(T/F) Peering can only be done between VPCs within the same region

True

You are a system administrator whose company has moved its production database to AWS. Your company monitors its estate using Amazon CloudWatch, which sends alarms using Amazon Simple Notification Service (Amazon SNS) to your mobile phone. One night, you get an alert that your primary Amazon Relational Database Service (Amazon RDS) Instance has gone down. You have Multi-AZ enabled on this instance. What should you do to ensure the failover happens quickly? 1. Update your Domain Name System (DNS) to point to the secondary instance's new IP address, forcing your application to fail over to the secondary instance. 2. Connect to your server using Secure Shell (SSH) and update your connection strings so that your application can communicate to the secondary instance instead of the failed primary instance. 3. Take a snapshot of the secondary instance and create a new instance using this snapshot, then update your connection string to point to the new instance. 4. No action is necessary. Your connection string points to the database endpoint, and AWS automatically updates this endpoint to point to your secondary instance.

4 D. Monitor the environment while Amazon RDS attempts to recover automatically. AWS will update the DB endpoint to point to the secondary instance automatically.

How many VPC Peering connections are required for four VPCs located within the same AWS region to be able to send traffic to each of the others? 1. 3 2. 4 3. 5 4. 6

4 D. Six VPC Peering connections are needed for each of the four VPCs to send traffic to the others (one connection per pair of VPCs).

Which service allows you to process nearly limitless streams of data in flight? 1. Amazon Kinesis Firehose 2. Amazon Elastic MapReduce (Amazon EMR) 3. Amazon Redshift 4. Amazon Kinesis Streams

4 D. The Amazon Kinesis services enable you to work with large data streams. Within the Amazon Kinesis family of services, Amazon Kinesis Firehose saves streams to AWS storage services, while Amazon Kinesis Streams provides the ability to process the data in the stream.

Which of the following is the most recent version of the AWS digital signature calculation process? 1. Signature Version 1 2. Signature Version 2 3. Signature Version 3 4. Signature Version 4

4 D. The Signature Version 4 signing process describes how to add authentication information to AWS requests. For security, most requests to AWS must be signed with an access key (Access Key ID [AKI] and Secret Access Key [SAK]). If you use the AWS Command Line Interface (AWS CLI) or one of the AWS Software Development Kits (SDKs), those tools automatically sign requests for you based on credentials that you specify when you configure the tools. However, if you make direct HTTP or HTTPS calls to AWS, you must sign the requests yourself.

You create an Auto Scaling group in a new region that is configured with a minimum size value of 10, a maximum size value of 100, and a desired capacity value of 50. However, you notice that 30 of the Amazon Elastic Compute Cloud (Amazon EC2) instances within the Auto Scaling group fail to launch. Which of the following is the cause of this behavior? 1. You cannot define an Auto Scaling group larger than 20. 2. The Auto Scaling group maximum value cannot be more than 20. 3. You did not attach an Elastic Load Balancing load balancer to the Auto Scaling group. 4. You have not raised your default Amazon EC2 capacity (20) for the new region.

4 D. The default Amazon EC2 instance limit for all regions is 20.

What is the longest configurable message retention period for Amazon Simple Queue Service (Amazon SQS)? 1. 30 minutes 2. 4 days 3. 30 seconds 4. 14 days

4 D. The longest configurable message retention period for Amazon SQS is 14 days.

Which DNS record must all zones have by default? 1. SPF 2. TXT 3. MX 4. SOA

4 D. The start of a zone is defined by the SOA; therefore, all zones must have an SOA record by default.

Your instance is associated with two security groups. The first allows Remote Desktop Protocol (RDP) access over port 3389 from Classless Inter-Domain Routing (CIDR) block 72.14.0.0/16. The second allows HTTP access over port 80 from CIDR block 0.0.0.0/0. What traffic can reach your instance? 1. RDP and HTTP access from CIDR block 0.0.0.0/0 2. No traffic is allowed. 3. RDP and HTTP traffic from 72.14.0.0/16 4. RDP traffic over port 3389 from 72.14.0.0/16 and HTTP traffic over port 80 from 0.0.0.0/0

4 D. When there are multiple security groups associated with an instance, all the rules are aggregated.

What AWS service allows you to create dashboards displaying performance metrics of your AWS environment?

CloudWatch

Amazon Simple Notification Service (Amazon SNS) is a push notification service that lets you send individual or multiple messages to large numbers of recipients. What types of clients are supported? 1. Java and JavaScript clients that support publisher and subscriber types 2. Producers and consumers supported by C and C++ clients 3. Mobile and AMQP support for publisher and subscriber client types 4. Publisher and subscriber client types

4 D. With Amazon SNS, you send individual or multiple messages to large numbers of recipients using publisher and subscriber client types.

In what ways does Amazon Simple Storage Service (Amazon S3) object storage differ from block and file storage? (Choose 2 answers) 1. Amazon S3 stores data in fixed size blocks. 2. Objects are identified by a numbered address. 3. Objects can be any size. 4. Objects contain both data and metadata. 5. Objects are stored in buckets.

4,5 D,E. Objects are stored in buckets, and objects contain both data and metadata.

Which of the following features are not configurable via the Amazon Virtual Private Cloud (VPC) dashboard: 1. Subnets 2. Network ACLs 3. Internet Gateways 4. Network Interfaces

4.

By default, how many RDS instances can you have?

40. Of those 40, 10 may be Oracle or SQL Server under the included-license model; all 40 can be Aurora, MySQL, MariaDB, Oracle, SQL Server, or PostgreSQL under the BYOL model. You can request more via a support ticket.

Elastic Load Balancing allows you to distribute traffic across which of the following? 1. Only within a single Availability Zone 2. Multiple Availability Zones within a region 3. Multiple Availability Zones within and between regions 4. Multiple Availability Zones within and between regions and on-premises virtualized instances running OpenStack

4?

Under a single AWS account, you have set up an Auto Scaling group with a maximum capacity of 50 Amazon Elastic Compute Cloud (Amazon EC2) instances in us-west-2. When you scale out, however, it only increases to 20 Amazon EC2 instances. What is the likely cause? 1. Auto Scaling has a hard limit of 20 Amazon EC2 instances. 2. If not specified, the Auto Scaling group maximum capacity defaults to 20 Amazon EC2 instances. 3. The Auto Scaling group desired capacity is set to 20, so Auto Scaling stopped at 20 Amazon EC2 instances. 4. You have exceeded the default Amazon EC2 instance limit of 20 per region.

4?

What Amazon Relational Database Service (Amazon RDS) feature provides the high availability for your database? 1. Regular maintenance windows 2. Security groups 3. Automated backups 4. Multi-AZ deployment

4?

Your company has 17TB of financial trading records that need to be stored for seven years by law. Experience has shown that any record more than a year old is unlikely to be accessed. Which of the following storage plans meets these needs in the most cost-efficient manner? 1. Store the data on Amazon Elastic Block Store (Amazon EBS) volume attached to t2.large instances. 2. Store the data on Amazon Simple Storage Service (Amazon S3) with lifecycle policies that change the storage class to Amazon Glacier after one year, and delete the object after seven years. 3. Store the data in Amazon DynamoDB, and delete data older than seven years. 4. Store the data in an Amazon Glacier Vault Lock.

4?

CMKs can be used inside of AWS KMS to encrypt or decrypt up to _____ of data directly.

4 KB

How many VPCs am I allowed in each AWS Region by default?

5

What is the maximum number of Read Replicas in RDS?

5

You can add up to ____ Security Groups with each network interface

5

What are the compute families?

5: 1. t2, m4 & m3: General Purpose 2. c4 & c3: Compute optimized 3. r3, r4 & x1: Memory optimized (mnemonic: memoRyX) 4. i2 & d2: Storage optimized (i2: high-I/O SSD; d2: dense HDD) 5. p2 & g2: Accelerated Computing (g = GPU-based)

An instance has enabled basic monitoring only for CloudWatch. When setting the alarm action for that instance, what should be the minimum period of the metric?

5 mins

In CloudWatch, Standard Monitoring is _______ mins and Detailed Monitoring is _______ mins.

5 mins, 1 min (basic monitoring publishes metrics at 5-minute intervals; detailed monitoring at 1-minute intervals)

What is CloudWatch's standard polling interval?

5 minutes

What is the default cool down period for an autoscaling group

5 minutes

You can add ____ inbound and ____ outbound rules to each Security Group

50, 50

What is the default number of Route53 domain names you can have?

50, but you can raise that number by contacting AWS support

You can create up to _____ security groups per VPC

500

In EC2-Classic, you can associate an instance with up to ____ security groups and add up to ____ rules to a security group.

500 100

Each snowball can contain ________ of data.

50TB

How large can an S3 file be?

5TB

S3 max file size

5TB

storage range for single RDS db instance

5 GB to 6 TB (limit at the time of the question; since raised)

An Auto Scaling group with a capacity of 5 instances receives a trigger from the Cloudwatch Alarm to increase the capacity by 1. The cool down period is 5 minutes. Cloudwatch sends another trigger after 2 minutes to decrease the capacity by 1. What will be the count of instances at the end of 4 minutes?

6

How many copies of my data does RDS - Aurora store by default?

6

You have been asked to create VPC for your company. The VPC must support both Internet-facing web applications (ie they need to be publicly accessible) and internal private applications (i.e. they are not publicly accessible and can be accessed only over VPN). The internal private applications must be inside a private subnet. Both the internet-facing and private applications must be able to leverage at least three Availability Zones for high availability. At a minimum, how many subnets must you create within your VPC to achieve this?

6

If you are using Amazon RDS Provisioned IOPS storage with MySQL and Oracle database engines what is the maximum size RDS volume you can have by default?

6TB

When a request is made to an AWS Cloud service, the request is evaluated to decide whether it should be allowed or denied. The evaluation logic follows which of the following rules? (Choose 3 answers) 1. An explicit allow overrides any denies. 2. By default, all requests are denied. 3. An explicit allow overrides the default. 4. An explicit deny overrides any allows. 5. By default, all requests are allowed.

2, 3, 4 (all requests are denied by default; an explicit allow overrides that default; an explicit deny overrides any allow)
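
The three rules above in executable form, as an added example that is not part of the quiz: a minimal policy evaluator that denies by default, lets an explicit Allow override the default, and lets an explicit Deny override any Allow. The two policy documents are constructed for illustration, and the matcher handles only Effect, Action and Resource (no Principal, Condition or NotAction).

```python
import re


def _iam_match(pattern, value, ignore_case=False):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one;
    # everything else (including ':' and '/' in ARNs) is literal.
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
                    for ch in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _statement_applies(stmt, action, resource):
    # Action names are case-insensitive in IAM; resource ARNs are matched as written.
    action_ok = any(_iam_match(p, action, ignore_case=True) for p in _as_list(stmt["Action"]))
    resource_ok = any(_iam_match(p, resource) for p in _as_list(stmt["Resource"]))
    return action_ok and resource_ok


def evaluate(policies, action, resource):
    """Return 'Allow' or 'Deny' for one request across every attached policy."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _statement_applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"          # rule 4: an explicit deny overrides any allow
            allowed = True             # rule 3: an explicit allow overrides the default
    return "Allow" if allowed else "Deny"   # rule 2: denied by default


# Constructed sample: developers may read the photos bucket except its private prefix.
DEVELOPER_POLICIES = [
    {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::photos", "arn:aws:s3:::photos/*"]},
    ]},
    {"Version": "2012-10-17", "Statement": [
        {"Effect": "Deny", "Action": "s3:*",
         "Resource": "arn:aws:s3:::photos/private/*"},
    ]},
]

if __name__ == "__main__":
    for act, res in [("s3:GetObject", "arn:aws:s3:::photos/cat.jpg"),
                     ("s3:GetObject", "arn:aws:s3:::photos/private/payroll.pdf"),
                     ("s3:PutObject", "arn:aws:s3:::photos/cat.jpg")]:
        print(f"{act} on {res}: {evaluate(DEVELOPER_POLICIES, act, res)}")
```

The order of the policies does not matter: a matching Deny short-circuits the evaluation no matter where it sits, and a request that matches no statement at all (PutObject above) falls through to the implicit deny.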

A VPC public subnet is one that: A.Has at least one route in its associated routing table that uses an Internet Gateway (IGW). B.Includes a route in its associated routing table via a Network Address Translation (NAT) instance. C.Has a Network Access Control List (NACL) permitting outbound traffic to 0.0.0.0/0. D.Has the Public Subnet option selected in its configuration.

A

A company is building a two-tier web application to serve dynamic transaction-based content. The data tier is leveraging an Online Transactional Processing (OLTP) database. What services should you leverage to enable an elastic and scalable web tier? A.Elastic Load Balancing, Amazon EC2, and Auto Scaling B. Elastic Load Balancing, Amazon RDS with Multi-AZ, and Amazon S3 C. Amazon RDS with Multi-AZ and Auto Scaling D. Amazon EC2, Amazon DynamoDB, and Amazon S3

A

A company is building software on AWS that requires access to various AWS services. Which configuration should be used to ensure mat AWS credentials (i.e., Access Key ID/Secret Access Key combination) are not compromised? A. Enable Multi-Factor Authentication for your AWS root account. B. Assign an IAM role to the Amazon EC2 instance. C. Store the AWS Access Key ID/Secret Access Key combination in software comments. D. Assign an IAM user to the Amazon EC2 Instance.

B (an IAM role on the instance supplies temporary credentials through the instance metadata service, so no long-term access key has to be stored on the host or in code)

A customer needs to capture all client connection information from their load balancer every five minutes. The company wants to use this data for analyzing traffic patterns and troubleshooting their applications. Which of the following options meets the customer requirements? A. Enable AWS CloudTrail for the load balancer. B. Enable access logs on the load balancer. C. Install the Amazon CloudWatch Logs agent on the load balancer. D. Enable Amazon CloudWatch metrics on the load balancer.

B (ELB access logs capture each client connection and are delivered to S3 at 5-minute or 60-minute intervals; CloudTrail records API calls against the load balancer, not client traffic)

A customer wants to track access to their Amazon Simple Storage Service (S3) buckets and also use this information for their internal security and access audits. Which of the following will meet the Customer requirement? A. Enable AWS CloudTrail to audit all Amazon S3 bucket access. B. Enable server access logging for all required Amazon S3 buckets. C. Enable the Requester Pays option to track access via AWS Billing D. Enable Amazon S3 event notifications for Put and Post.

B (server access logs record every object request; CloudTrail without data events records only bucket-level API calls)

A group can contain many users. Can a user belong to multiple groups? A. Yes always B. No C. Yes but only if they are using two factor authentication D. Yes but only in VPC

A

A___________is a document that provides a formal statement of one or more permissions. A. policy B. permission C. Role D. resource

A

A__________is an individual, system, or application that interacts with AWS programmatically. A. user B. AWS Account C. Group D. Role

A

After launching an instance that you intend to serve as a NAT (Network Address Translation) device in a public subnet you modify your route tables to have the NAT device be the target of internet bound traffic of your private subnet. When you try and make an outbound connection to the internet from an instance in the private subnet, you are not successful. Which of the following steps could resolve the issue? A. Disabling the Source/Destination Check attribute on the NAT instance B. Attaching an Elastic IP address to the instance in the private subnet C. Attaching asecond Elastic Network Interface (ENI) to the NAT instance, and placing it in the private subnet D. Attaching a second Elastic Network Interface (ENI) to the instance in the private subnet, and placing it in the public subnet

A

Amazon EC2 has no Amazon Resource Names (ARNs) because you can't specify a particularAmazon EC2 resource in an IAM policy. A. TRUE B. FALSE

A (true when the question was written; Amazon EC2 now supports ARNs and resource-level permissions in IAM policies)

Amazon RDS automated backups and DB Snapshots are currently supported for only the ______ storage engine A:InnoDB

A

Amazon RDS creates an SSL certificate and installs the certificate on the DB Instance when Amazon RDS provisions the instance. These certificates are signed by a certificate authority. The__________ is stored at https://rds.amazonaws.com/doc/rds-ssl-ca-cert.pem. A. private key B. foreign key C. public key D. protected key

C (the CA public certificate is published so clients can verify the server certificate; the private key never leaves the DB instance)

Because of the extensibility limitations of striped storage attached to Windows Server, Amazon RDS does not currently support increasing storage on a ______DB Instance. A. SQL Server B. MySQL C. Oracle

A

By default, EBS volumes that are created and attached to an instance at launch are deleted when that instance is terminated. You can modify this behaviour by changing the value of the flag_____ to false when you launch the instance A:DeleteOnTermination

A

Can I attach more than one policy to a particular entity? A. Yes always B. Only if within GovCloud C. No D. Only if within VPC

A

Can I initiate a "forced failover" for my Oracle Multi-AZ DB Instance deployment? A. Yes B. Only in certain regions C. Only in VPC D. No

A

Can a 'user' be associated with multiple AWS accounts? A. No B. Yes

A

Can the string value of 'Key' be prefixed with aws:? A. No B. Only for EC2 not S3 C. Yes D. Only for S3 not EC2

A

Does AWS Direct Connect allow you access to all Availabilities Zones within a Region? A. Depends on the type of connection B. No C. Yes D. Only when there's just one availability zone in a region. If there are more than one, only one availability zone can be accessed directly.

C

Does Route 53 support MX Records? A. Yes. B. It supports CNAME records, but not MX records. C. No D. Only Primary MX records. Secondary MX records are not supported.

A

HTTP Query-based requests are HTTP requests that use the HTTP verb GET or POST and a Query parameter named . A. Action B. Value C. Reset D. Retrieve

A

How many relational database engines does RDS currently support? A:Three: MySQL, Oracle and Microsoft SQL Server.

A (as the question was written; Amazon RDS has since added PostgreSQL, MariaDB and Aurora)

If I have multiple Read Replicas for my master DB Instance and I promote one of them, what happens to the rest of the Read Replicas? A. The remaining Read Replicas will still replicate from the older master DB Instance B. The remaining Read Replicas will be deleted C. The remaining Read Replicas will be combined to one read replica

A

Which route must be added to your routing table in order to allow connections to the Internet from your subnet? A.Destination: 0.0.0.0/0 --> Target: your Internet gateway B.Destination: 192.168.1.257/0 --> Target: your Internet gateway C.Destination: 0.0.0.0/33 --> Target: your virtual private gateway D.Destination: 0.0.0.0/0 --> Target: 0.0.0.0/24 E.Destination: 10.0.0.0/32 --> Target: your virtual private gateway

A

You are deploying an application to track GPS coordinates of delivery trucks in the United States. Coordinates are transmitted from each delivery truck once every three seconds. You need to design an architecture that will enable real-time processing of these coordinates from multiple consumers. Which service should you use to implement data ingestion? A. Amazon Kinesis B. AWS Data Pipeline C. Amazon AppStream D. Amazon Simple Queue Service

A

You are designing a web application that stores static assets in an Amazon Simple Storage Service (S3) bucket. You expect this bucket to immediately receive over 150 PUT requests per second. What should you do to ensure optimal performance? A. Use multi-part upload. B. Add a random prefix to the key names. C. Amazon S3 will automatically manage performance at this scale. D. Use a predictable naming scheme, such as sequential numbers or date time sequences, in the key names

B (the answer at the time of the question; since July 2018 S3 scales request rates automatically regardless of key naming, making C the current answer)

You are tasked with setting up a Linux bastion host for access to Amazon EC2 instances running in your VPC. Only clients connecting from the corporate external public IP address 72.34.51.100 should have SSH access to the host. Which option will meet the customer requirement? A. Security Group Inbound Rule: Protocol - TCP. Port Range - 22, Source 72.34.51.100/32 B. Security Group Inbound Rule: Protocol - UDP, Port Range - 22, Source 72.34.51.100/32 C. Network ACL Inbound Rule: Protocol - UDP, Port Range - 22, Source 72.34.51.100/32 D. Network ACL Inbound Rule: Protocol - TCP, Port Range-22, Source 72.34.51.100/0

A

You have a distributed application that periodically processes large volumes of data across multiple Amazon EC2 Instances. The application is designed to recover gracefully from Amazon EC2 instance failures. You are required to accomplish this task in the most cost- effective way. Which of the following will meet your requirements? A. Spot Instances B. Reserved instances C. Dedicated instances D. On-Demand instances

A

You have an EC2 Security Group with several running EC2 instances. You change the Security Group rules to allow inbound traffic on a new port and protocol, and launch several new instances in the same Security Group. The new rules apply: A. Immediately to all instances in the security group. B. Immediately to the new instances only. C.Immediately to the new instances, but old instances must be stopped and restarted before the new rules apply. D. To all instances, but it may take several minutes for old instances to see the changes.

A

What does an AWS Region consist of?

A distinct location within a geographic area designed to provide high availability to a specific geography.

What is Amazon DynamoDB?

A fully managed NoSQL database that provides single-digit millisecond latency (reads and writes typically complete in under 10 ms at any scale). https://d0.awsstatic.com/whitepapers/architecture/AWS_Well-Architected_Framework.pdf

You have launched an Amazon Elastic Compute Cloud (EC2) instance into a public subnet with a primary private IP address assigned, an internet gateway is attached to the VPC, and the public route table is configured to send all Internet-based traffic to the Internet gateway. The instance security group is set to allow all outbound traffic but cannot access the internet. Why is the Internet unreachable from this instance? A. The instance does not have a public IP address. B. The internet gateway security group must allow all outbound traffic. C. The instance security group must allow all inbound traffic. D. The instance "Source/Destination check" property must be enabled.

A

You run an ad-supported photo sharing website using S3 to serve photos to visitors of your site. At some point you find out that other sites have been linking to the photos on your site, causing loss to your business. What is an effective method to mitigate this? A. Remove public read access and use signed URLs with expiry dates. B. Use CloudFront distributions for static content. C. Block the IPs of the offending websites in Security Groups. D. Store photos on an EBS volume of the web server.

A
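
What answer A looks like in practice, as an added example that is not from the quiz: an S3 presigned GET URL built with AWS Signature Version 4 using only the standard library, plus the expiry check that S3 applies when the URL is presented. The access key, secret key, bucket and timestamp are the example values from the AWS S3 SigV4 query-parameter documentation, not real credentials; the expiry helper and its clock input are constructed here.

```python
import hashlib
import hmac
import urllib.parse
from datetime import datetime, timedelta

MAX_EXPIRES = 7 * 24 * 3600   # S3 rejects X-Amz-Expires above seven days


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    """Derive the per-day SigV4 key: secret -> date -> region -> service -> 'aws4_request'."""
    key = _hmac(("AWS4" + secret).encode(), date)
    for part in (region, service, "aws4_request"):
        key = _hmac(key, part)
    return key


def presign_s3_get(bucket, key, access_key, secret, region, amz_date, expires):
    """Return (url, signature) for a GET valid for `expires` seconds after amz_date."""
    if not 1 <= expires <= MAX_EXPIRES:
        raise ValueError("X-Amz-Expires must be between 1 second and 7 days")
    host = f"{bucket}.s3.amazonaws.com"
    date = amz_date[:8]
    scope = f"{date}/{region}/s3/aws4_request"
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    # Canonical query string: keys sorted, everything outside the unreserved set percent-encoded.
    canonical_qs = "&".join(
        f"{urllib.parse.quote(k, safe='-_.~')}={urllib.parse.quote(v, safe='-_.~')}"
        for k, v in sorted(params.items()))
    canonical_uri = urllib.parse.quote("/" + key, safe="/-_.~")
    canonical_request = "\n".join([
        "GET", canonical_uri, canonical_qs,
        f"host:{host}\n",       # canonical headers block; each header line is newline-terminated
        "host",                 # signed headers
        "UNSIGNED-PAYLOAD",     # presigned URLs never sign a body
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    signature = hmac.new(signing_key(secret, date, region, "s3"),
                         string_to_sign.encode(), hashlib.sha256).hexdigest()
    url = f"https://{host}{canonical_uri}?{canonical_qs}&X-Amz-Signature={signature}"
    return url, signature


def is_presign_expired(amz_date: str, expires: int, now_amz: str) -> bool:
    """The server-side check: the URL is dead once now > X-Amz-Date + X-Amz-Expires."""
    fmt = "%Y%m%dT%H%M%SZ"
    issued = datetime.strptime(amz_date, fmt)
    return datetime.strptime(now_amz, fmt) > issued + timedelta(seconds=expires)


if __name__ == "__main__":
    url, _ = presign_s3_get("examplebucket", "test.txt", "AKIAIOSFODNN7EXAMPLE",
                            "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
                            "us-east-1", "20130524T000000Z", 86400)
    print(url)
```

The expiry is part of the signed query string, so a hotlinking site cannot extend it without invalidating the signature; once the objects are no longer public-read, every link the site serves must be minted server-side with a short X-Amz-Expires.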

_____ embodies the "share-nothing" architecture and essentially involves breaking a large database into several smaller databases. Common ways to split a database include 1)splitting tables that are not joined in the same query onto different hosts or 2)duplicating a table across multiple hosts and then using a hashing algorithm to determine which host receives a given update. A Sharding B Failure recovery C Federation D DDL operations

A

CloudFormation fails. You use the exact same CloudFormation template in production so the failure is something to do with your new AWS account. The CloudFormation template is trying to launch 60 new EC2 instances in a single availability zone. A.For all new AWS accounts there is a soft limit of 20 EC2 instances per region. You should submit the limit increase form and retry the template after your limit has been increased. B.For all new AWS accounts there is a soft limit of 20 EC2 instances per availability zone. You should submit the limit increase form and retry the template after your limit has been increased. C.You cannot launch more than 20 instances in your default VPC, instead reconfigure the CloudFormation template to provision the instances in a custom VPC. D.You cannot launch more than 20 instances in your default VPC, instead reconfigure the CloudFormation template to provision the instances in a custom VPC.

A

There are two types of hosted zones: __1__ and __2__.

A *private hosted zone* is a container that holds information about how you want to route traffic for a domain and its subdomains within one or more Amazon Virtual Private Clouds (Amazon VPCs). A *public hosted zone* is a container that holds information about how you want to route traffic on the Internet for a domain (for example, example.com) and its subdomains (for example, apex.example.com and acme.example.com).

NAT Gateway

A NAT gateway is an Amazon managed resource that is designed to operate just like a NAT instance, but it is simpler to manage and highly available within an Availability Zone.

What is A record and AAAA record?

A Record = Address Record (IPv4 32 bit) AAAA Record = IPv6 128 bits

What is a bastion server?

A bastion host is a server whose purpose is to provide access to a private network from an external network, such as the Internet.

What does a "domain" refer to in Amazon SWF?

A collection of related workflows

What is CloudWatch dimension?

A dimension is a name/value pair that helps you to uniquely identify a metric. Every metric has specific characteristics that describe it, and you can think of dimensions as categories for those characteristics.

Bootstrapping

A great benefit of the cloud is the ability to script virtual hardware management in a manner that is not possible with on-premises hardware. In order to realize the value of this, there has to be some way to configure instances and install applications programmatically when an instance is launched. The process of providing code to be run on an instance at launch is called bootstrapping.

Simple Queue Service

A highly available, hosted message buffer that decouples the computers and devices that produce messages from those that process them. Consumers poll the queue for messages; standard queues do not guarantee ordering (FIFO queues do). The visibility timeout (30 seconds by default; 12 hours maximum) starts when a consumer receives a message and hides it from other consumers while it is processed; if the consumer does not delete the message before the timeout expires, the message becomes visible again and may be delivered a second time. Requests are billed in 64 KB chunks. A typical worker loop for an image-conversion queue: poll the queue for a message -> retrieve the named file from S3 -> process the conversion -> write the converted image back to S3 -> write a "task complete" record -> delete the original message, finishing the task -> check for more messages.

Hosted Zone

A hosted zone is a collection of resource record sets hosted by Amazon Route 53. Like a traditional DNS zone file, a hosted zone represents resource record sets that are managed together under a single domain name. Each hosted zone has its own metadata and configuration information.

Auto Scaling Components - Launch Configuration

A launch configuration is the template that Auto Scaling uses to create new instances, and it is composed of: 1. the configuration name, 2. Amazon Machine Image (AMI), 3. Amazon EC2 instance type, 4. security group, and 5. instance key pair. Each Auto Scaling group can have only one launch configuration at a time.

What is CloudWatch metric?

A metric is the fundamental concept in CloudWatch and represents a time-ordered set of data points.

Eventual Consistency

A model for database consistency in which updates propagate through the system over time rather than atomically, so a read made shortly after a write may return the older value until every copy of the data has converged.

Network Access Control List (Network ACLs)

A network access control list (ACL) is another layer of security that acts as a stateless firewall on a subnet level. A network ACL is a numbered list of rules that AWS evaluates in order, starting with the lowest numbered rule, to determine whether traffic is allowed in or out of any subnet associated with the network ACL. Amazon VPCs are created with a modifiable default network ACL associated with every subnet that allows all inbound and outbound traffic. When you create a custom network ACL, its initial configuration will deny all inbound and outbound traffic until you create rules that allow otherwise.
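
The evaluation order described above, together with the bastion-host rule from the SSH question earlier, as an added example that is not part of the quiz: rules are tried in ascending number order, the first match decides, and anything unmatched hits the implicit deny-all. Because a network ACL is stateless, the reply to an allowed inbound SSH connection still needs an outbound rule covering the client's ephemeral port, which is the mistake the "broken" outbound set below makes. The rule sets and packets are constructed; only the corporate address 72.34.51.100 comes from the quiz.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int
    protocol: str      # "tcp", "udp", "icmp" or "all"
    port_from: int
    port_to: int
    cidr: str
    action: str        # "allow" or "deny"


def _matches(rule, protocol, port, address):
    if rule.protocol not in ("all", protocol):
        return False
    if rule.protocol in ("tcp", "udp") and not rule.port_from <= port <= rule.port_to:
        return False
    return ipaddress.ip_address(address) in ipaddress.ip_network(rule.cidr)


def evaluate_acl(rules, protocol, port, address):
    """Return the action of the lowest-numbered matching rule, else 'deny' (the '*' rule)."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, protocol, port, address):
            return rule.action
    return "deny"


def bastion_ssh_session(inbound, outbound, client_ip, client_port):
    """Both halves of one SSH session: the SYN in on port 22 and the SYN-ACK back
    out to the client's ephemeral port. Each direction is evaluated independently."""
    request = evaluate_acl(inbound, "tcp", 22, client_ip)
    reply = evaluate_acl(outbound, "tcp", client_port, client_ip)
    return request, reply


# Constructed rule sets for the bastion's subnet.
INBOUND = [
    Rule(100, "tcp", 22, 22, "72.34.51.100/32", "allow"),   # corporate egress address only
    Rule(200, "tcp", 22, 22, "0.0.0.0/0", "deny"),          # explicit deny for everyone else
]
OUTBOUND_BROKEN = []   # nothing allowed out: replies fall through to the '*' deny
OUTBOUND_FIXED = [
    Rule(100, "tcp", 1024, 65535, "0.0.0.0/0", "allow"),   # ephemeral ports for return traffic
]

if __name__ == "__main__":
    print("inbound from corporate:", evaluate_acl(INBOUND, "tcp", 22, "72.34.51.100"))
    print("inbound from elsewhere:", evaluate_acl(INBOUND, "tcp", 22, "203.0.113.5"))
    print("session, broken outbound:", bastion_ssh_session(INBOUND, OUTBOUND_BROKEN, "72.34.51.100", 51515))
    print("session, fixed outbound:", bastion_ssh_session(INBOUND, OUTBOUND_FIXED, "72.34.51.100", 51515))
```

A security group would have allowed the reply automatically because it tracks connection state; with a network ACL the ephemeral-port rule is what turns a one-way "allow" into a working session, and the rule number decides conflicts, so a low-numbered deny silences any higher-numbered allow for the same traffic.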

NAT Instance

A network address translation (NAT) instance is an Amazon Linux Amazon Machine Image (AMI) that is designed to accept traffic from instances within a private subnet, translate the source IP address to the public IP address of the NAT instance, and forward the traffic to the IGW. In addition, the NAT instance maintains the state of the forwarded traffic in order to return response traffic from the Internet to the proper instance in the private subnet.

Elastic Load Balancer

A network device designed for managing the optimal distribution of workloads across multiple computing resources automatically provisioned through AWS

What is Import/Export SnowBall?

A physical device that copies your data to be sent back to AWS and imported

What is an Edge location?

A physical location where content will be cached

Placement Group

A placement group is a logical grouping of instances within a single Availability Zone. Placement groups enable applications to participate in a low-latency, 10 Gbps network. Placement groups are recommended for applications that benefit from low network latency, high network throughput, or both. Remember that this represents network connectivity between instances. To fully use this network performance for your placement group, choose an instance type that supports enhanced networking and 10 Gbps network performance.

What is an AWS region?

A region is a geographical area that consists of different availability zones. Each region consists of 2 (or more) Availability Zones.

What is a read replica?

A replicated copy of a production RDS instance

CloudFormation stack

A stack is the running instantiation of a template. When you use AWS CloudFormation, you manage related resources as a single unit called a stack. You create, update, and delete a collection of resources by creating, updating, and deleting stacks. All of the resources in a stack are defined by the stack's AWS CloudFormation template. Suppose you created a template that includes an Auto Scaling group, an Elastic Load Balancing load balancer, and an Amazon RDS database instance. To create those resources, you create a stack by submitting your template that defines those resources, and AWS CloudFormation handles all of the provisioning for you. After all of the resources have been created, AWS CloudFormation reports that your stack has been created. You can then start using the resources in your stack. If stack creation fails, AWS CloudFormation rolls back your changes by deleting the resources that it created.

What is AWS Kinesis?

A streaming data ingestion and analytics service for things like clickstreams, application logs, and social media feeds

To use the AWS VPN CloudHub, you must create:

A virtual private gateway with multiple customer gateways, each with unique Border Gateway Protocol (BGP) Autonomous System Numbers (ASNs).

*Storage Gateway*

A web service that connects an on-premises software appliance with cloud-based storage to provide seamless and secure integration between an organization's on-premises IT environment and AWS's storage infrastructure via the internet or Direct Connect.

*EC2*

A web service that provides resizable compute capacity in the cloud. It allows you to obtain and configure capacity with minimal friction and to scale capacity quickly, both up and down, as your computing requirements change.

Zone File

A zone file is a simple text file that contains the mappings between domain names and IP addresses. This is how a DNS server finally identifies which IP address should be contacted when a user requests a certain domain name. Zone files reside in name servers and generally define the resources available under a specific domain, or the place where one can go to get that information.

For which of the following use cases are Simple Workflow Service (SWF) and Amazon EC2 an appropriate solution? Choose 2 answers A. Using as an endpoint to collect thousands of data points per hour from a distributed fleet of sensors B. Managing a multi-step and multi-decision checkout process of an e-commerce website C. Orchestrating the execution of distributed and auditable business processes D. Using as an SNS (Simple Notification Service) endpoint to trigger execution of video transcoding jobs E. Using as a distributed session store for your web application

B,C (SWF coordinates multi-step, auditable workflows; it is not an ingestion endpoint, an SNS target or a session store)

Which of the following are true regarding encrypted Amazon Elastic Block Store (EBS) volumes? Choose 2 answers A. Supported on all Amazon EBS volume types B. Snapshots are automatically encrypted C. Available to all instance types D. Existing volumes can be encrypted E. shared volumes can be encrypted

A,B

You have developed a new web application in us-west-2 that requires six Amazon Elastic Compute Cloud (EC2) instances running at all times. You have three availability zones available in that region (us-west-2a, us-west-2b, and us-west-2c). You need 100 percent fault tolerance if any single Availability Zone in us-west-2 becomes unavailable. A.Us-west-2a with six EC2 instances, us-west-2b with six EC2 instances, and us-west-2c with no EC2 instances B.Us-west-2a with three EC2 instances, us-west-2b with three EC2 instances, and us-west-2c with three EC2 instances

A,B

A company is storing data on Amazon Simple Storage Service (S3). The company's security policy mandates that data is encrypted at rest. Which of the following methods can achieve this? Choose 3 answers A. Use Amazon S3 server-side encryption with AWS Key Management Service managed keys. B. Use Amazon S3 server-side encryption with customer-provided keys. C. Use Amazon S3 server-side encryption with EC2 key pair. D.Use Amazon S3 bucket policies to restrict access to the data at rest. E. Encrypt the data on the client-side before ingesting to Amazon S3 using their own master key. F. Use SSL to encrypt the data while in transit to Amazon S3.

A,B,E

You have multiple Amazon EC2 instances running in a cluster across multiple Availability Zones within the same region. What combination of the following should be used to ensure the highest network performance (packets per second), lowest latency, and lowest jitter? Choose 3 answers A. Amazon EC2 placement groups B. Enhanced networking C. Amazon PV AMI D. Amazon HVM AMI E. Amazon Linux F. Amazon VPC

A,B,D (enhanced networking requires an HVM AMI; the distribution is irrelevant)

Which of the following statements are true about Amazon Route 53 resource records? Choose 2 answers A. An Alias record can map one DNS name to another Amazon Route 53 DNS name. B. A CNAME record can be created for your zone apex. C. An Amazon Route 53 CNAME record can point to any DNS record hosted anywhere. D. TTL can be set for an Alias record in Amazon Route 53. E. An Amazon Route 53 Alias record can point to any DNS record hosted anywhere.

A,C

You have a load balancer configured for VPC, and all back-end Amazon EC2 instances are in service. However, your web browser times out when connecting to the load balancer's DNS name. Which options are probable causes of this behavior? Choose 2 answers A. The load balancer was not configured to use a public subnet with an Internet gateway configured B. The Amazon EC2 instances do not have a dynamically allocated private IP address C. The security groups or network ACLs are not property configured for web traffic. D. The load balancer is not configured in a private subnet with a NAT instance. E. The VPC does not have a VGW configured.

A,C

You need to configure an Amazon S3 bucket to serve static assets for your public-facing web application. Which methods ensure that all objects uploaded to the bucket are set to public read? Choose 2 answers A. Set permissions on the object to public read during upload. B. Configure the bucket ACL to set all objects to public read. C. Configure the bucket policy to set all objects to public read. D. Use AWS Identity and Access Management roles to set the bucket to public read. E. Amazon S3 objects default to public read, so no action is needed.

A,C

You try to connect via SSH to a newly created Amazon EC2 instance and get one of the following error messages: "Network error: Connection timed out" or "Error connecting to [instance], reason: > Connection timed out: connect," You have confirmed that the network and security group rules are configured correctly and the instance is passing status checks. What steps should you take to identify the source of the behavior? Choose 2 answers A. Verify that the private key file corresponds to the Amazon EC2 key pair assigned at launch. B. Verify that your IAM user policy has permission to launch Amazon EC2 instances. C. Verify that you are connecting with the appropriate user name for your AMI. D. Verify that the Amazon EC2 Instance was launched with the proper IAM role. E. Verify that your federation trust to AWS has been established.

A,C

In AWS, which security aspects are the customer's responsibility? Choose 4 answers A. Security Group and ACL (Access Control List) settings B. Decommissioning storage devices C. Patch management on the EC2 instance's operating system D. Life-cycle management of IAM credentials E. Controlling physical access to compute resources F. Encryption of EBS (Elastic Block Storage) volumes

A,C,D,F

A company is preparing to give AWS Management Console access to developers Company policy mandates identity federation and role-based access control. Roles are currently assigned using groups in the corporate Active Directory. What combination of the following will give developers access to the AWS console? Choose 2 answers A. AWS Directory Service AD Connector B. AWS Directory Service Simple AD C. AWS Identity and Access Management groups D. AWS identity and Access Management roles E. AWS identity and Access Management users

A,D

Which of the following notification endpoints or clients are supported by Amazon Simple Notification Service? Choose 2 answers A. Email B. CloudFront distribution C. File Transfer Protocol D. Short Message Service E. Simple Network Management Protocol

A,D

What AWS service should you use if you want alarms to trigger when a specific performance threshold is hit?

CloudWatch

Which of the following services natively encrypts data at rest within an AWS region? Choose 2 answers A. AWS Storage Gateway B. Amazon DynamoDB C. Amazon CloudFront D. Amazon Glacier E. Amazon Simple Queue Service

A,D

A customer implemented AWS Storage Gateway with a gateway-cached volume at their main office. An event takes the link between the main and branch office offline. Which methods will enable the branch office to access their data? Choose 3 answers A. Use a HTTPS GET to the Amazon S3 bucket where the files are located. B. Restore by implementing a lifecycle policy on the Amazon S3 bucket. C. Make an Amazon Glacier Restore API call to load the files into another Amazon S3 bucket within four to six hours. D. Launch a new AWS Storage Gateway instance AMI in Amazon EC2, and restore from a gateway snapshot. E. Create an Amazon EBS volume from a gateway snapshot, and mount it to an Amazon EC2 instance. F. Launch an AWS Storage Gateway virtual iSCSI device at the branch office, and restore from a gateway snapshot.

D,E,F (gateway-cached volume data in S3 is not stored as directly readable objects, so every option that works restores from a gateway snapshot)

Which of the following items are required to allow an application deployed on an EC2 instance to write data to a DynamoDB table? Assume that no security keys are allowed to be stored on the EC2 instance. Choose 2 answers A. Create an IAM Role that allows write access to the DynamoDB table. B. Add an IAM Role to a running EC2 instance. C. Create an IAM User that allows write access to the DynamoDB table. D. Add an IAM User to a running EC2 instance. E. Launch an EC2 Instance with the IAM Role included in the launch configuration.

A,E (the answer at the time of the question; since 2017 an IAM role can also be attached to a running instance, which makes B possible as well)

How many Auto Scaling groups are available by default in Auto Scaling? A. 20 B. 30 C. 55 D. 10

A. 20 http://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html

How many network interfaces are possible per region? A. 350 B. 100 C. 64 D. 32

A. 350 http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Appendix_Limits.html

How many active VPC peering connections can you have per VPC? A. 50 B. 10 C. 5 D. 3

A. 50 http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Appendix_Limits.html

How many customer gateways can you have per region? A. 50 B. 5 C. 10 D. 12

A. 50 http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Appendix_Limits.html

How many security groups can you have per VPC? (per region) A. 500 B. 50 C. 250 D. No limit

A. 500 http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Appendix_Limits.html

What is Database Migrations Service storage limit? A. 6 TB B. 5 TB C. 2TB D. 1000TB

A. 6 TB http://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html

Can you read or write to a CloudFront Edge location?

Both: you can read from and write to edge locations; writes are forwarded to the origin.

Amazon Aurora

Amazon Aurora offers enterprise-grade commercial database technology while offering the simplicity and cost effectiveness of an open source database. This is achieved by redesigning the internal components of MySQL to take a more service-oriented approach.

Which AWS compute service is specifically designed to assist you in processing large data sets?

Elastic Map Reduce

True or False. In RDS, you are responsible for maintaining OS & application security patching, antivirus, etc.

False

Can we attach an EBS volume to more than one EC2 instance at the same time? A. Yes. B. No C. Only EC2-optimized EBS volumes. D. Only in read mode

B

Amazon CloudWatch

Amazon CloudWatch is a service that *monitors* AWS Cloud resources and applications running on AWS. It *collects and tracks metrics*, *collects and monitors log files*, and *sets alarms*. Amazon CloudWatch has a basic level of monitoring for no cost and a more detailed level of monitoring for an additional cost.

(T/F) There is a one-to-one relationship between network interfaces and EIPs.

True

How granular are S3 Access Control Lists?

ACLs go down to the individual file (object) level.

You can create ___________ from a snapshot and make it private/public.

AMI

Why can't you see your AMI when you are trying to launch an instance?

AMIs are regional. You can launch an AMI only from the region in which it resides, but you can copy an AMI to another region using the console, the CLI or the AWS API.

VPC comes with Default Network ACL that ________ all Inbound and Outbound traffic.

Allows

Which is NOT a feature of IAM?

Allows you to set up biometric authentication, so that no passwords are required

AWS CloudFormation

AWS CloudFormation is a service that helps you model and set up your AWS resources so that you can spend less time managing those resources and more time focusing on your applications that run in AWS. AWS CloudFormation allows organizations to deploy, modify, and update resources in a controlled and predictable way, in effect applying version control to AWS infrastructure the same way one would do with software.

Explain CloudFormation service.

AWS CloudFormation is an application management tool which provides application modeling, deployment, configuration, management and related activities. The AWS CloudFormation stack is a collection of AWS resources which are created and managed as a single unit when AWS CloudFormation instantiates a template. If any of the services fails to launch, CloudFormation will roll back all the changes and terminate or delete all the created services.

AWS CloudHSM

AWS CloudHSM allows you to protect your encryption keys within HSMs that are designed and validated to government standards for secure key management. You can securely generate, store, and manage the cryptographic keys used for data encryption in a way that ensures that only you have access to the keys. AWS CloudHSM helps you comply with strict key management requirements within the AWS cloud without sacrificing application performance.

How does AWS CloudTrail deliver events?

AWS CloudTrail captures AWS API calls and related events made by or on behalf of an AWS account and *delivers log files to an Amazon S3 bucket that you specify*. Optionally, you can configure AWS CloudTrail to *deliver events to a log group monitored by Amazon CloudWatch Logs*. You can also choose to *receive Amazon Simple Notification Service (Amazon SNS) notifications* each time a log file is delivered to your bucket.

AWS CloudTrail

AWS CloudTrail provides visibility into user activity by recording API calls made on your account. AWS CloudTrail records important information about each API call, including the name of the API, the identity of the caller, the time of the API call, the request parameters, and the response elements returned by the AWS service. This information helps you to track changes made to your AWS resources and to troubleshoot operational issues. AWS CloudTrail makes it easier to ensure compliance with internal policies and regulatory standards.

AWS CloudWatch can be accessed from ________________

The AWS Console, the API and the CLI, and the AWS Console app for Android and iOS.

AWS Config

AWS Config is a fully managed service that provides you with an AWS resource inventory, configuration history, and configuration change notifications to enable security and governance. With AWS Config, you can discover existing and deleted AWS resources, determine your overall compliance against rules, and dive into configuration details of a resource at any point in time. These capabilities enable compliance auditing, security analysis, resource change tracking, and troubleshooting.

AWS Account Security Features

AWS Credentials: passwords, MFA, Access Keys.

Which AWS service automates the movement and transformation of data?

AWS Data Pipeline

AWS Data Pipeline

AWS Data Pipeline is a web service that helps you reliably process and move data between different AWS compute and storage services, and also on-premises data sources, at specified intervals. With AWS Data Pipeline, you can regularly access your data where it's stored, transform and process it at scale, and efficiently transfer the results to AWS services such as Amazon S3, Amazon Relational Database Service (Amazon RDS), Amazon DynamoDB, and Amazon EMR.

AWS Directory Service

AWS Directory Service is a managed service offering that provides directories that contain information about your organization, including users, groups, computers, and other resources. As a managed offering, AWS Directory Service is designed to reduce identity management tasks, thereby allowing you to focus more of your time and resources on your business. There is no need to build out your own complex, highly available directory topology because each directory is deployed across multiple Availability Zones, and monitoring automatically detects and replaces domain controllers that fail. In addition, data replication and automated daily snapshots are configured for you. There is no software to install, and AWS handles all of the patching and software updates.

Elastic Beanstalk

AWS Elastic Beanstalk is the fastest and simplest way to get an application up and running on AWS. Developers can simply upload their application code, and the service automatically handles all of the details, such as resource provisioning, load balancing, Auto Scaling, and monitoring.

Which AWS service do you use to manage SSL server certificates?

AWS Identity & Access Management (IAM)

AWS Import/Export

AWS Import/Export is a service that accelerates transferring data into and out of AWS using physical storage appliances, bypassing the Internet.

Envelope Encryption

AWS KMS uses envelope encryption to protect data. AWS KMS creates a data key, encrypts it under a CMK, and returns plaintext and encrypted versions of the data key to you. You use the plaintext key to encrypt data and store the encrypted key alongside the encrypted data. The key should be removed from memory as soon as is practical after use. You can retrieve a plaintext data key only if you have the encrypted data key and you have permission to use the corresponding master key.

AWS Key Management Service

AWS Key Management Service (AWS KMS) is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data. AWS KMS lets you create keys that can never be exported from the service and that can be used to encrypt and decrypt data based on policies you define.

Redshift Key Management

AWS Key Management or Hardware security module

AWS OpsWorks

AWS OpsWorks is a configuration management service that helps you configure and operate applications using Chef.

What is an added advantage w.r.t. monitoring when using OpsWorks?

AWS OpsWorks sends all of your resource metrics to Amazon CloudWatch, making it easy to view graphs and set alarms to help you troubleshoot and take automated action based on the state of your resources. AWS OpsWorks provides many custom metrics, such as CPU idle, memory total, average load for one minute, and more. Each instance in the stack has detailed monitoring to provide insights into your workload.

AWS Storage Gateway

AWS Storage Gateway is a service connecting an on-premises software appliance with cloud-based storage to provide seamless and secure integration between an organization's on-premises IT environment and AWS storage infrastructure. The service enables you to store data securely on the AWS cloud in a scalable and cost-effective manner. AWS Storage Gateway supports industry-standard storage protocols that work with your existing applications. It provides low-latency performance by caching frequently accessed data on-premises while encrypting and storing all of your data in Amazon S3 or Amazon Glacier.

How does AWS distribute the Storage Gateway?

AWS Storage Gateway's software appliance is available for download as a Virtual Machine (VM) image that you install on a host in your data center and then register with your AWS account through the AWS Management Console. The storage associated with the appliance is exposed as an iSCSI device that can be mounted by your on-premises applications.

How is authentication managed in AWS Storage Gateway?

AWS Storage Gateway offers CHAP (Challenge-Handshake Authentication Protocol) to prevent man-in-the-middle attacks.

How is AWS Storage Gateway set up?

AWS Storage Gateway runs as a virtual machine (VM), either on premises or in EC2 via an AMI.

AWS Trusted Advisor

AWS Trusted Advisor draws upon best practices learned from the aggregated operational history of serving over a million AWS customers. AWS Trusted Advisor inspects your AWS environment and makes recommendations when opportunities exist to save money, improve system availability and performance, or help close security gaps. You can view the overall status of your AWS resources and savings estimations on the AWS Trusted Advisor dashboard.

AWS Trusted Advisor provides best practices in _____

AWS Trusted Advisor provides best practices in four categories:
- cost optimization,
- security,
- fault tolerance,
- performance improvement.
Everyone has access to four basic checks in Security and Performance at no cost. For access to the 50+ checks in all four categories you need to upgrade.

Your manager has just given you access to multiple VPN connections that someone else has recently set up between all your company's offices. She needs you to make sure that the communication between the VPNs is secure. Which of the following services would be best for providing a low-cost hub-and-spoke model for primary or backup connectivity between these remote offices?

AWS VPN CloudHub

AWS Command Line

aws [options] <command> <subcommand> [parameters]

Web Identity Federation

AWS allows authentication with web identity providers such as Facebook, Google and Amazon to verify identity.
- An access token from the provider is used to obtain temporary security credentials.
- API: AssumeRoleWithWebIdentity

AWS Federated Security

AWS authenticates through SAML with AD first, then assigns credentials for AWS.

What happens when the instance price exceeds your spot price in EC2?

AWS automatically shuts down your instance

How is data wiped from AWS managed storage

AWS decommissions storage devices using DoD 5220.22-M or NIST 800-88 to destroy the data on those devices.

How can you get AWS to encrypt your root volume?

AWS does NOT encrypt root volumes; if you want to encrypt a root volume you'll need to use third-party tools.

Shared Security Approach

AWS manages the cloud; you get to define and control everything in it

A user is trying to launch a similar EC2 instance from an existing instance with the option "Launch More like this". The AMI of the selected instance is deleted. What will happen in this case?

AWS will throw an error saying that the AMI is deregistered or not available.

What is AWS Elasticache service?

AWS's DB caching service

What is AWS' RedShift?

AWS's data warehouse solution

What is Import/Export?

AWS's method of physically imaging your disk to
- EBS
- S3
- Glacier

What is CloudWatch?

AWS's performance monitoring system; you can also store syslog data in CloudWatch.

Do the Amazon EBS volumes persist independently from the running life of an Amazon EC2 instance? A. Only if instructed to when created B. Yes C. No

B

Power User Access allows....

Access to all AWS services except for management of groups and users within IAM.

What are the access key ID and secret access key used for?

Access to the AWS API and command line

Having set up a website to automatically be redirected to a backup website if it fails, you realize that there are different types of failovers that are possible. You need all your resources to be available the majority of the time. Using Amazon Route 53 which configuration would best suit this requirement?

Active-active failover: Use this failover configuration when you want all of your resources to be available the majority of the time. When a resource becomes unavailable, Amazon Route 53 can detect that it's unhealthy and stop including it when responding to queries.

You are hosting a MySQL database on the root volume of an EC2 instance. The database is using a large amount of IOPS and you need to increase the IOPS available to it. What should you do?

Add 4 additional EBS SSD volumes and create a RAID 10 using these volumes.

How do you add disk I/O?

Add EBS volumes and RAID across them.

A new user has started at your work and it is your job to give them administrator access to the AWS console. You have set them up with a user name, access key ID, secret access key and you have generated a password for them. They are able to log in to the AWS console, but they cannot do anything. What should you do next?

Add them to the Administrators group, where your other administrator users belong.

What level of access does the "root" account have?

Administrator Access

IAM Authorization

After IAM has authenticated a principal, it must then manage the access of that principal to protect your AWS infrastructure. The process of specifying exactly what actions a principal can and cannot perform is called authorization. *Authorization is handled in IAM by defining specific privileges in policies and associating those policies with principals*.

EC2-Classic Instances Security Groups

After you launch an instance in EC2-Classic, you can't change its security groups. However, you can add rules to or remove rules from a security group, and those changes are automatically applied to all instances that are associated with the security group.

SWF Workflow Execution Closure

After you start a workflow execution, it is open. An open workflow execution can be closed as completed, canceled, failed, or timed out. It can also be continued as a new execution, or it can be terminated. The decider, the person administering the workflow, or Amazon SWF can close a workflow execution.

_________________ statistics are available only for the instances that have enabled detailed monitoring.

Aggregate. Instances that use basic monitoring are not included in the aggregates.

A CNAME can't be used for a naked domain, but a(n) ______________ can be used.

Alias Record

S3 Pre-Signed URLs

All Amazon S3 objects by default are private, meaning that only the owner has access. However, the object owner can optionally share objects with others by creating a pre-signed URL, using their own security credentials to grant time-limited permission to download the objects. When you create a pre-signed URL for your object, you must provide your security credentials and specify a bucket name, an object key, the HTTP method (GET to download the object), and an expiration date and time. The pre-signed URLs are valid only for the specified duration. This is particularly useful to protect against "content scraping" of web content such as media files stored in Amazon S3.

What happens to instance store volumes if the underlying hypervisor fails?

All data is lost

What happens to instance store volumes when the instance is stopped?

All data is lost

How do you make a role region agnostic?

All roles are account-wide; nothing further needs to be done to make them apply across regions.

In security groups, all outbound traffic is ___________ by default.

Allowed

What is CloudWatch

Amazon CloudWatch can monitor AWS resources such as Amazon EC2 instances, Amazon DynamoDB tables, and Amazon RDS DB instances, as well as custom metrics generated by your applications and services, and any log files your applications generate. You can use Amazon CloudWatch to gain system-wide visibility into resource utilization, application performance, and operational health. You can use these insights to react and keep your application running smoothly.

DynamoDB Streams

Amazon DynamoDB Streams makes it easy to get a list of item modifications for the last 24-hour period. For example, you might need to calculate metrics on a rolling basis and update a dashboard, or maybe synchronize two tables or log activity and changes to an audit trail. With Amazon DynamoDB Streams, these types of applications become easier to build.

What are DynamoDB's search capabilities?

Amazon DynamoDB gives you *two operations, Query and Scan*, that can be used to search a table or an index. *A Query operation* is the primary search operation you can use to find items in a table or a secondary index using only primary key attribute values. Each Query requires a partition key attribute name and a distinct value to search. You can optionally provide a sort key value and use a comparison operator to refine the search results. Results are automatically sorted by the primary key and are limited to 1MB. In contrast to a Query, *a Scan operation* will read every item in a table or a secondary index. By default, a Scan operation returns all of the data attributes for every item in the table or index. Each request can return up to 1MB of data. Items can be filtered out using expressions, but this can be a resource-intensive operation. If the result set for a Query or a Scan exceeds 1MB, you can page through the results in 1MB increments.

What is DynamoDB?

Amazon DynamoDB is a fast and flexible NoSQL database service for all applications that need consistent, single-digit millisecond latency at any scale. Its flexible data model and reliable performance make it a great fit for mobile, web, gaming, ad-tech, IoT, and many other applications.

DynamoDB

Amazon DynamoDB is a fully managed NoSQL database service that provides fast and low-latency performance that scales with ease.
- Data is stored on high-performance SSD disk drives.
- Performance metrics can be monitored using Amazon CloudWatch.

How long do Spot Instances run?

Amazon EC2 instances, and the customer will only pay the Spot price for the hours that instance(s) run. The instances will run until:
- The customer terminates them.
- The Spot price goes above the customer's bid price.
- There is not enough unused capacity to meet the demand for Spot Instances.
If Amazon EC2 needs to terminate a Spot Instance, the instance will receive a termination notice providing a two-minute warning prior to Amazon EC2 terminating the instance.

Elasticache scaling

Amazon ElastiCache allows you to adjust the size of your environment to meet the needs of workloads as they evolve over time. Adding additional cache nodes allows you to easily expand horizontally and meet higher levels of read or write performance. You can also select different classes of cache nodes to scale vertically.

Elastic Map Reduce

Amazon Elastic MapReduce (Amazon EMR) provides you with a fully managed, on-demand Hadoop framework. Amazon EMR reduces the complexity and up-front costs of setting up Hadoop and, combined with the scale of AWS, gives you the ability to spin up large Hadoop clusters instantly and start processing within minutes.

_____________________ gives developers an easy, cost-effective way to convert media files to playback on various devices.

Amazon Elastic Transcoder

Amazon Elastic Transcoder

Amazon Elastic Transcoder lets you convert digital media stored in Amazon S3 into the audio and video codecs and the containers required by consumer playback devices. For example, you can convert large, high-quality digital media files into formats that users can play back on mobile devices, tablets, web browsers, and connected televisions.

Where can you create virtual tape libraries?

Amazon Glacier

Amazon Kinesis Analytics

Amazon Kinesis Analytics is the easiest way to process streaming data in real time with standard SQL without having to learn new programming languages or processing frameworks. Amazon Kinesis Analytics enables you to create and run SQL queries on streaming data so that you can gain actionable insights and respond to your business and customer needs promptly. Amazon Kinesis Analytics takes care of everything required to run your queries continuously and scales automatically to match the volume and throughput rate of your incoming data. With Amazon Kinesis Analytics, you only pay for the resources your queries consume. There is no minimum fee or setup cost.

Amazon Kinesis Streams

Amazon Kinesis Streams enable you to collect and process large streams of data records in real time. Using AWS SDKs, you can create an Amazon Kinesis Streams application that processes the data as it moves through the stream. Because response time for data intake and processing is in near real time, the processing is typically lightweight. Amazon Kinesis Streams can scale to support nearly limitless data streams by distributing incoming data across a number of shards. If any shard becomes too busy, it can be further divided into more shards to distribute the load further. The processing is then executed on consumers, which read data from the shards and run the Amazon Kinesis Streams application.

Amazon Kinesis

Amazon Kinesis is a platform for handling massive streaming data on AWS, offering powerful services to make it easy to load and analyze streaming data and also providing the ability for you to build custom streaming data applications for specialized needs.

What is Kinesis service?

Amazon Kinesis is a platform for streaming data on AWS, offering powerful services to make it easy to load and analyze streaming data, and also providing the ability for you to build custom streaming data applications for specialized needs.

What is the difference between Kinesis & SQS?

Amazon Kinesis is differentiated from Amazon's Simple Queue Service (SQS) in that Kinesis is used to enable real-time processing of streaming big data. SQS, on the other hand, is used as a message queue to store messages transmitted between distributed application components.

What does AMI stand for?

Amazon Machine Image

RDS Backup and Recovery

Amazon RDS provides a consistent operational model for backup and recovery procedures across the different database engines. Amazon RDS provides two mechanisms for backing up the database: automated backups and manual snapshots. By using a combination of both techniques, you can design a backup recovery model to protect your application data. Each organization typically will define a Recovery Point Objective (RPO) and Recovery Time Objective (RTO) for important applications based on the criticality of the application and the expectations of the users. It's common for enterprise systems to have an RPO measured in minutes and an RTO measured in hours or even days, while some critical applications may have much lower tolerances.

How does Multi-AZ RDS perform a failover?

Amazon RDS will automatically fail over to the standby instance without user intervention. The DNS name remains the same, but the Amazon RDS service changes the CNAME to point to the standby.

Redshift Details.

Amazon Redshift achieves efficient storage and optimum query performance through a combination of massively parallel processing, columnar data storage, and very efficient, targeted data compression encoding schemes. Columnar storage for database tables is an important factor in optimizing analytic query performance because it drastically reduces the overall disk I/O requirements and reduces the amount of data you need to load from disk.

ARN

Amazon Resource Name

ARN stands for

Amazon Resource Name

What are the main functions of Route 53?

Amazon Route 53 performs three main functions:
- *Domain registration*—Amazon Route 53 lets you register domain names, such as example.com.
- *DNS service*—Amazon Route 53 translates friendly domain names like www.example.com into IP addresses like 192.0.2.1. Amazon Route 53 responds to DNS queries using a global network of authoritative DNS servers, which reduces latency. To comply with DNS standards, responses sent over User Datagram Protocol (UDP) are limited to 512 bytes in size. Responses exceeding 512 bytes are truncated, and the resolver must re-issue the request over TCP.
- *Health checking*—Amazon Route 53 sends automated requests over the Internet to your application to verify that it's reachable, available, and functional.

SQS Message Attributes

Amazon SQS provides support for message attributes. Message attributes allow you to provide structured metadata items (such as timestamps, geospatial data, signatures, and identifiers) about the message. Message attributes are optional and separate from, but sent along with, the message body. The receiver of the message can use this information to help decide how to handle the message without having to process the message body first. Each message can have up to 10 attributes. To specify message attributes, you can use the AWS Management Console, AWS Software Development Kits (SDKs), or a query API.

SWF Actors

Amazon SWF consists of a number of different types of programmatic features known as actors. Actors can be workflow *starters*, *deciders*, or *activity workers*. These actors communicate with Amazon SWF through its API. You can develop actors in any programming language.

SWF Object Identifiers

Amazon SWF objects are uniquely identified by workflow type, activity type, decision and activity tasks, and workflow execution:
- *A registered workflow type* is identified by its domain, name, and version. Workflow types are specified in the call to RegisterWorkflowType.
- *A registered activity type* is identified by its domain, name, and version. Activity types are specified in the call to RegisterActivityType.
- *Each decision task and activity task* is identified by a unique task token. The task token is generated by Amazon SWF and is returned with other information about the task in the response from PollForDecisionTask or PollForActivityTask. Although the token is most commonly used by the process that received the task, that process could pass the token to another process, which could then report the completion or failure of the task.
- *A single execution of a workflow* is identified by the domain, workflow ID, and run ID. The first two are parameters that are passed to StartWorkflowExecution. The run ID is returned by StartWorkflowExecution.

What is RDS

Amazon's Relational Database service

What is Amazon Glacier?

Amazon's long-term storage and archiving service

SWF task

An *activity task* tells an activity worker to perform its function, such as to check inventory or charge a credit card. The activity task contains all the information that the activity worker needs to perform its function. An *AWS Lambda task* is similar to an activity task, but executes an AWS Lambda function instead of a traditional Amazon SWF activity. For more information about how to define an AWS Lambda task, see the AWS documentation on AWS Lambda tasks. A *decision task* tells a decider that the state of the workflow execution has changed so that the decider can determine the next activity that needs to be performed. The decision task contains the current workflow history.

What is Amazon Glacier?

An AWS service designed for long term data archival.

What happens when you create a topic on Amazon SNS?

An Amazon Resource Name is created

VPC EndPoints

An Amazon VPC endpoint enables you to create a private connection between your Amazon VPC and another AWS service without requiring access over the Internet or through a NAT instance, VPN connection, or AWS Direct Connect. You can create multiple endpoints for a single service, and you can use different route tables to enforce different access policies from different subnets to the same service. Amazon VPC endpoints currently support communication with Amazon Simple Storage Service (Amazon S3), and other services are expected to be added in the future.

VPC Peering

An Amazon VPC peering connection is a networking connection between two Amazon VPCs that enables instances in either Amazon VPC to communicate with each other as if they are within the same network. You can create an Amazon VPC peering connection between your own Amazon VPCs or with an Amazon VPC in another AWS account within a single region. A peering connection is neither a gateway nor an Amazon VPN connection and does not introduce a single point of failure for communication.

Auto Scaling Components - Auto Scaling Group

An Auto Scaling group is a collection of Amazon EC2 instances managed by the Auto Scaling service. Each Auto Scaling group contains configuration options that control when Auto Scaling should launch new instances and terminate existing instances. An Auto Scaling group must contain a name and a minimum and maximum number of instances that can be in the group. You can optionally specify desired capacity, which is the number of instances that the group must have at all times. If you don't specify a desired capacity, the default desired capacity is the minimum number of instances that you specify.

What is ENI?

An Elastic Network Interface (ENI) is a virtual network interface that you can attach to an instance in a VPC. Network interfaces are available only for instances running in a VPC. (not for EC2 classic instances)

A user has enabled instance termination protection for the spot instance. If Auto Scaling wants to terminate that instance due to a CloudWatch trigger, what will happen?

Auto Scaling will REMOVE the instance from the Auto Scaling group.

Individual instances are provisioned in

Availability Zones

Automated Backups (RDS)

An automated backup is an Amazon RDS feature that continuously tracks changes and backs up your database. Amazon RDS creates a storage volume snapshot of your DB Instance, backing up the entire DB Instance and not just individual databases. You can set the backup retention period when you create a DB Instance. One day of backups will be retained by default, but you can modify the retention period up to a maximum of 35 days. Keep in mind that when you delete a DB Instance, all automated backup snapshots are deleted and cannot be recovered. Manual snapshots, however, are not deleted. Automated backups will occur daily during a configurable 30-minute maintenance window called the backup window. Automated backups are kept for a configurable number of days, called the backup retention period. You can restore your DB Instance to any specific time during this retention period, creating a new DB Instance.

Instance Stores

An instance store (sometimes referred to as ephemeral storage) provides temporary block-level storage for your instance. This storage is located on disks that are physically attached to the host computer. An instance store is ideal for temporary storage of information that changes frequently, such as buffers, caches, scratch data, and other temporary content, or for data that is replicated across a fleet of instances, such as a load-balanced pool of web servers. The size and type of instance stores available with an Amazon EC2 instance depend on the instance type. At this writing, storage available with various instance types ranges from no instance stores up to twenty-four 2 TB instance stores. The instance type also determines the type of hardware for the instance store volumes. While some provide Hard Disk Drive (HDD) instance stores, other instance types use Solid State Drives (SSDs) to deliver very high random I/O performance.

Explain the need for Cross Account access.

An organization has multiple AWS accounts to isolate a development environment from a testing or production environment. At times the users from one account need to access resources in the other account, such as promoting an update from the development environment to the production environment. In this case the IAM role with cross account access will provide a solution. Cross account access lets one account share access to their resources with users in the other AWS accounts.

IAM Cross-Account Access

Another common use case for IAM roles is to grant access to AWS resources to IAM users in other AWS accounts. These accounts may be other AWS accounts controlled by your company or outside agents like customers or suppliers. You can set up an IAM role with the permissions you want to grant to users in the other account, then users in the other account can assume that role to access your resources. This is highly recommended as a best practice, as opposed to distributing access keys outside your organization.

You have developed a new web application in us-west-2 that requires six Amazon Elastic Compute Cloud (EC2) instances running at all times. You have three availability zones available in that region (us-west-2a, us-west-2b, and us-west-2c). You need 100 percent fault tolerance if any single Availability Zone in us-west-2 becomes unavailable. How would you do this? Each answer has 2 parts; select the answer with BOTH parts correct.

Answer 1 - us-west-2a with six EC2 instances, us-west-2b with six EC2 instances, and us-west-2c with no EC2 instances. Answer 2 - us-west-2a with three EC2 instances, us-west-2b with three EC2 instances, and us-west-2c with three EC2 instances.

If I/O latency is higher than expected on EBS volumes, what should you check?

Average Queue Length. If AQL is high, consider provisioning more IOPS.

How granular is IAM when it comes to applications?

Applications can be granted access to AWS resources whether they are running on-premises or in the cloud.

You work for a famous bakery that is deploying a hybrid cloud approach. Their legacy IBM AS400 servers will remain on-premises within their own datacenter; however, they will need to be able to communicate with the AWS environment over a site-to-site VPN connection. What do you need to do to establish the VPN connection?

Assign a public IP address to your Amazon VPC Gateway.

Why would you want to associate multiple private addresses to an ENI?

Assigning a second network interface to an instance via an ENI allows it to be dual-homed (have network presence in different subnets).

Where does "Automate responses to security events" appear?

At the security pillar https://d0.awsstatic.com/whitepapers/architecture/AWS_Well-Architected_Framework.pdf

Where does "Enable traceability" appear?

At the security pillar https://d0.awsstatic.com/whitepapers/architecture/AWS_Well-Architected_Framework.pdf

Where does "Focus on securing your system" appear?

At the security pillar https://d0.awsstatic.com/whitepapers/architecture/AWS_Well-Architected_Framework.pdf

Where does "Apply security at all layers" appear?

At the security pillar https://d0.awsstatic.com/whitepapers/architecture/AWS_Well-Architected_Framework.pdf

Which technologies does Elastic Beanstalk support?

At the time of this writing, AWS Elastic Beanstalk provides platform support for 1) programming languages: Java, Node.js, PHP, Python, Ruby, and Go; 2) web containers: Tomcat, Passenger, Puma, and Docker.

What DB engines are supported with RDS?

Aurora (MySQL compatible), MySQL, PostgreSQL, MS SQL Server, Oracle, MariaDB

In which screen does a user select the Availability Zones while configuring Auto Scaling?

Auto Scaling group

What does an Auto Scaling group contain?

An Auto Scaling group contains a collection of EC2 instances that share similar characteristics and are treated as a logical grouping for the purposes of instance scaling and management.

Auto Scaling

Auto Scaling is a service that allows you to maintain the availability of your applications by scaling Amazon EC2 capacity up or down in accordance with conditions you set.

What AWS service allows for cost-effective resource utilization?

Auto-scaling https://d0.awsstatic.com/whitepapers/architecture/AWS_Well-Architected_Framework.pdf

RDS: Automated Backups

Automated backups will occur daily during a configurable 30-minute maintenance window called the backup window. Automated backups are kept for a configurable number of days, called the backup retention period. You can restore your DB Instance to any specific time during this retention period, creating a new DB Instance.

A company is deploying a two-tier, highly available web application to AWS. Which service provides durable storage for static content while utilizing lower overall CPU resources for the web tier? A. Amazon EBS volume B. Amazon S3 C. Amazon EC2 instance store D. Amazon RDS instance

B

A company needs to deploy services to an AWS region which they have not previously used. The company currently has an AWS identity and Access Management (IAM) role for the Amazon EC2 instances, which permits the instance to have access to Amazon DynamoDB. The company wants their EC2 instances in the new region to have the same privileges. How should the company achieve this? A. Create a new IAM role and associated policies within the new region B. Assign the existing IAM role to the Amazon EC2 instances in the new region C. Copy the IAM role and associated policies to the new region and attach it to the instances D. Create an Amazon Machine Image (AMI) of the instance and copy it to the desired region using the AMI Copy feature

B

A company wants to implement their website in a virtual private cloud (VPC). The web tier will use an Auto Scaling group across multiple Availability Zones (AZs). The database will use Multi-AZ RDS MySQL and should not be publicly accessible. What is the minimum number of subnets that need to be configured in the VPC? A. 1 B. 2 C. 3 D. 4

B

A _________ is the concept of allowing (or disallowing) an entity such as a user, group, or role some type of access to one or more resources. A. user B. AWS Account C. resource D. permission

B

Amazon RDS automated backups and DB Snapshots are currently supported for only the __________ storage engine A. MyISAM B. InnoDB

B

Amazon S3 doesn't automatically give a user who creates __________ permission to perform other actions on that bucket or object. A. a file B. a bucket or object C. a bucket or file D. a object or file

B

An instance is launched into a VPC subnet with the network ACL configured to allow all inbound traffic and deny all outbound traffic. The instance's security group is configured to allow SSH from any IP address and deny all outbound traffic. What changes need to be made to allow SSH access to the instance? A. The outbound security group needs to be modified to allow outbound traffic. B. The outbound network ACL needs to be modified to allow outbound traffic. C. Nothing, it can be accessed from any IP address using SSH. D. Both the outbound security group and outbound network ACL need to be modified to allow outbound traffic

B

Before I delete an EBS volume, what can I do if I want to recreate the volume later? A. Create a copy of the EBS volume (not a snapshot) B. Store a snapshot of the volume C. Download the content to an EC2 instance D. Back up the data in to a physical disk

B

By default what are ENIs that are automatically created and attached to instances using the EC2 console set to do when the attached instance terminates? A. Remain as is B. Terminate C. Hibernate D. Pause

B

Can I detach the primary (eth0) network interface when the instance is running or stopped? A. Yes, you can. B. No, you cannot. C. Depends on the state of the interface at the time

B

Can I encrypt connections between my application and my DB Instance using SSL? A. No B. Yes C. Only in VPC D. Only in certain regions

B

Can I test my DB Instance against a new version before upgrading? A. No B. Yes C. Only in VPC

B

Please select the most correct answer regarding the persistence of the Amazon Instance Store A. The data on an instance store volume persists only during the life of the associated Amazon EC2 instance B. The data on an instance store volume is lost when the security group rule of the associated instance is changed. C. The data on an instance store volume persists even after associated Amazon EC2 instance is deleted

B

To ensure failover capabilities, consider using a ______ for incoming traffic on a network interface. A. primary public IP B. secondary private IP C. secondary public IP D. add on secondary IP

B

True or False: Common points of failures like generators and cooling equipment are shared across Availability Zones. A. TRUE B. FALSE

B

What does Amazon SES stand for? A. Simple Elastic Server B. Simple Email Service C. Software Email Solution D. Software Enabled Server

B

What happens when you create a topic on Amazon SNS? A. The topic is created, and it has the name you specified for it. B. An ARN (Amazon Resource Name) is created. C. You can create a topic on Amazon SQS, not on Amazon SNS. D. This question doesn't make sense.

B

What is a placement group? A. A collection of Auto Scaling groups in the same region B. A feature that enables EC2 instances to interact with each other via high bandwidth, low latency connections C. A collection of authorized CloudFront edge locations for a distribution D. A collection of Elastic Load Balancers in the same Region or Availability Zone

B

What is the maximum response time for a Business level Premium Support case? A. 120 seconds B. 1 hour C. 10 minutes D. 12 hours

B

Which set of Amazon S3 features helps to prevent and recover from accidental data loss? A. Object lifecycle and service access logging B. Object versioning and Multi-factor authentication C. Access controls and server-side encryption D. Website hosting and Amazon S3 policies

B

Which technique can be used to integrate AWS IAM (Identity and Access Management) with an on-premise LDAP (Lightweight Directory Access Protocol) directory service? A. Use an IAM policy that references the LDAP account identifiers and the AWS credentials. B. Use SAML (Security Assertion Markup Language) to enable single sign-on between AWS and LDAP. C. Use AWS Security Token Service from an identity broker to issue short-lived AWS credentials. D. Use IAM roles to automatically rotate the IAM credentials when LDAP credentials are updated. E. Use the LDAP credentials to restrict a group of users from launching specific EC2 instance types

B

Will I be charged if the DB instance is idle? A. No B. Yes C. Only if running in GovCloud D. Only if running in VPC

B

You are configuring your company's application to use Auto Scaling and need to move user state information. Which of the following AWS services provides a shared data store with durability and low latency? A. AWS ElastiCache Memcached B. Amazon Simple Storage Service C. Amazon EC2 instance storage D. Amazon DynamoDB

B

You can modify the backup retention period; valid values are 0 (for no backup retention) to a maximum of ________ days. A. 45 B. 35 C. 15 D. 5

B

You have a content management system running on an Amazon EC2 instance that is approaching 100% CPU utilization. Which option will reduce load on the Amazon EC2 instance? A. Create a load balancer, and register the Amazon EC2 instance with it B. Create a CloudFront distribution, and configure the Amazon EC2 instance as the origin C. Create an Auto Scaling group from the instance using the CreateAutoScalingGroup action D. Create a launch configuration from the instance using the CreateLaunchConfiguration action

B

True or False. The service to allow Big Data Processing on the AWS platform is known as AWS "Elastic Big Data".

False

You have an application running on an Amazon Elastic Compute Cloud instance that uploads 5 GB video objects to Amazon Simple Storage Service (S3). Video uploads are taking longer than expected, resulting in poor application performance. Which method will help improve performance of your application? A. Enable enhanced networking B. Use Amazon S3 multipart upload C. Leveraging Amazon CloudFront, use the HTTP POST method to reduce latency. D. Use Amazon Elastic Block Store Provisioned IOPs and use an Amazon EBS-optimized instance

B

You have an environment that consists of a public subnet using Amazon VPC and 3 instances that are running in this subnet. These three instances can successfully communicate with other hosts on the Internet. You launch a fourth instance in the same subnet, using the same AMI and security group configuration you used for the others, but find that this instance cannot be accessed from the internet. What should you do to enable Internet access? A. Deploy a NAT instance into the public subnet. B. Assign an Elastic IP address to the fourth instance. C. Configure a publicly routable IP Address in the host OS of the fourth instance. D. Modify the routing table for the public subnet.

B

You need to pass a custom script to new Amazon Linux instances created in your Auto Scaling group. Which feature allows you to accomplish this? A. User data B. EC2Config service C. IAM roles D. AWS Config

B

You work for a famous bakery that is deploying a hybrid cloud approach. Their legacy IBM AS400 servers will remain on-premises within their own datacenter; however, they will need to be able to communicate with the AWS environment over a site-to-site VPN connection. What do you need to do to establish the VPN connection? A. Connect to the environment using AWS Direct Connect. B. Assign a public IP address to your Amazon VPC Gateway. C. Create a dedicated NAT and deploy this to the public subnet. D. Update your route table to add a route for the NAT to 0.0.0.0/0

B

________ is a durable, block-level storage volume that you can attach to a single, running Amazon EC2 instance. A. Amazon S3 B. Amazon EBS C. None of these D. All of these

B

A company has configured and peered two VPCs: VPC-1 and VPC-2. VPC-1 contains only private subnets, and VPC-2 contains only public subnets. The company uses a single AWS Direct Connect connection and private virtual interface to connect their on-premises network with VPC-1. Which two methods increase the fault tolerance of the connection to VPC-1? Choose 2 answers A. Establish a hardware VPN over the internet between VPC-2 and the on-premises network. B. Establish a hardware VPN over the internet between VPC-1 and the on-premises network. C. Establish a new AWS Direct Connect connection and private virtual interface in the same region as VPC-2. D. Establish a new AWS Direct Connect connection and private virtual interface in a different AWS region than VPC-1. E. Establish a new AWS Direct Connect connection and private virtual interface in the same AWS region as VPC-1

B,C

When using the following AWS services, which should be implemented in multiple Availability Zones for high availability solutions? Choose 2 answers A. Amazon DynamoDB B. Amazon Elastic Compute Cloud (EC2) C. Amazon Elastic Load Balancing D. Amazon Simple Notification Service (SNS) E. Amazon Simple Storage Service (S3)

B,C

A company needs to monitor the read and write IOPs metrics for their AWS MySQL RDS instance and send real-time alerts to their operations team. Which AWS services can accomplish this? Choose 2 answers A. Amazon Simple Email Service B. Amazon CloudWatch C. Amazon Simple Queue Service D. Amazon Route 53 E. Amazon Simple Notification Service

B,E

Which of the following are characteristics of Amazon VPC subnets? Choose 2 A. Each subnet spans at least 2 Availability Zones to provide a high-availability environment. B. Each subnet maps to a single Availability Zone. C. CIDR block mask of /25 is the smallest range supported. D. By default, all subnets can route between each other, whether they are private or public. E. Instances in a private subnet can communicate with the Internet only if they have an Elastic IP

B,E

Which services allow the customer to retain full administrative privileges of the underlying EC2 instances? Choose 2 answers A. Amazon Relational Database Service B. Amazon Elastic Map Reduce C. Amazon ElastiCache D. Amazon DynamoDB E. AWS Elastic Beanstalk

B,E

How many VPN connections per VPC are available by default? A. 5 B. 10 C. 32 D. 64

B. 10 http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Appendix_Limits.html

How many CloudFront Origins are possible per distribution? A. No limit B. 25 C. 4 D. 1

B. 25 http://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html

What's the maximum transfer rate per CloudFront distribution? A. 1 Gbps B. 40 Gbps C. 6 Gbps D. 20 Gbps

B. 40 Gbps http://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html

How many virtual interfaces are possible per Direct Connect connection? A. 10 B. 5 C. 50 D. 15

B. 5 http://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html

How many default Elastic IPs are available per region? A. 4 B. 5 C. 3 D. 10

B. 5 http://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html

How many VPN connections per region are possible? A. 5 B. 50 C. 32 D. 64

B. 50 http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Appendix_Limits.html

How many rules per security group are possible? A. 500 (1000 in/out) B. 50 (100 in/out) C. 250 (500 in/out) D. No limit

B. 50 http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Appendix_Limits.html

True or False. When creating a new security group, all inbound traffic is allowed by default.

False

S3 versioning applies to __________.

Bucket

Can I delete a snapshot of an EBS Volume that is used as the root device of a registered AMI?

No

Give example of bucket URL.

Bucket URL: s3-[region-name].amazonaws.com/[bucket-name], e.g. https://s3-sa-east-1.amazonaws.com/nankosp/

What options should be enabled on S3 to protect data at rest?

Bucket permissions, Encrypted (client side and server side), bucket versioning, and MFA based delete

Can I move a reserved instance from one region to another?

No

Can a placement group be deployed across multiple Availability Zones?

No

Please select the Amazon EC2 resource which can be tagged. A. key pairs B. Elastic IP addresses C. placement groups D. Amazon EBS snapshots

C

Can you attach an EBS volume to more than one EC2 instance at the same time?

No

How many network interfaces are possible per EC2 instance? A. 4 B. Varies by instance type C. 2 D. 1

B. Varies by instance type http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Appendix_Limits.html

What is AWS's suggestion for backups of databases stored on EBS?

Back up to S3 via the database management system so that distributed transactions and logs are checkpointed.

What does Amazon manage with an RDS instance?

Backups, patching, and, for Multi-AZ instances, synchronization and automatic failover.

What are the four levels of AWS premium support?

Basic, Developer, Business, Enterprise

CloudFormation Change Set

Because environments are dynamic in nature, you inevitably will need to update your stack's resources from time to time. There is no need to create a new stack and delete the old one; you can simply modify the existing stack's template. To update a stack, create a change set by submitting a modified version of the original stack template, different input parameter values, or both. AWS CloudFormation compares the modified template with the original template and generates a change set. The change set lists the proposed changes. After reviewing the changes, you can execute the change set to update your stack.

What are ephemeral ports?

Best to open ports 1024-65535 in a VPC if you expect several clients over several protocols to access the VPC.

You need to block a specific IP address, how do you go about it?

Block IP addresses using network ACLs, not Security Groups. Security Groups cannot deny (only allow) network traffic; NACLs can do both.

Amazon's EBS volumes are

Block based storage

In security groups, all inbound traffic is __________ by default.

Blocked

You are a solutions architect who works with a large digital media company. The company has decided that they want to operate within the Japanese region and they need a bucket called "testbucket" set up immediately to test their web application on. You log in to the AWS console and try to create this bucket in the Japanese region however you are told that the bucket name is already taken. What should you do to resolve this?

Bucket names are global, not regional. This is a popular bucket name and is already taken. You should choose another bucket name.

Files in S3 are stored in what?

Buckets

S3 files are stored in _________

Buckets

What is the idle timeout time of the ELB? Can this be changed?

By default, Elastic Load Balancing sets the idle timeout to 60 seconds for both connections. If an HTTP request doesn't complete within the idle timeout period, the load balancer closes the connection, even if data is still being transferred. You can change the idle timeout setting for the connections to ensure that lengthy operations, such as file uploads, have time to complete.

DynamoDB's consistency model

By default, a GetItem operation performs an eventually consistent read. You can optionally request a strongly consistent read instead; this will consume additional read capacity units, but it will return the most up-to-date version of the item.

Sticky Sessions

By default, a load balancer routes each request independently to the registered instance with the smallest load. However, you can use the sticky session feature (also known as session affinity), which enables the load balancer to bind a user's session to a specific instance. This ensures that all requests from the user during the session are sent to the same instance.

A company needs to deploy virtual desktops to its customers in a virtual private cloud, leveraging existing security controls. Which set of AWS services and features will meet the company's requirements? A. Virtual Private Network connection, AWS Directory Services, and ClassicLink B. Virtual Private Network connection, AWS Directory Services, and Amazon Workspaces C. AWS Directory Service, Amazon Workspaces, and AWS Identity and Access Management D. Amazon Elastic Compute Cloud, and AWS Identity and Access Management

C

A customer is hosting their company website on a cluster of web servers that are behind a public-facing load balancer. The customer also uses Amazon Route 53 to manage their public DNS. How should the customer configure the DNS zone apex record to point to the load balancer? A. Create an A record pointing to the IP address of the load balancer B. Create a CNAME record pointing to the load balancer DNS name. C. Create a CNAME record aliased to the load balancer DNS name. D. Create an A record aliased to the load balancer DNS name

C

A customer is leveraging Amazon Simple Storage Service in eu-west-1 to store static content for a web-based property. The customer is storing objects using the Standard Storage class. Where are the customer's objects replicated? A. A single facility in eu-west-1 and a single facility in eu-central-1 B. A single facility in eu-west-1 and a single facility in us-east-1 C. Multiple facilities in eu-west-1 D. A single facility in eu-west-1

C

A t2.medium EC2 instance type must be launched with what type of Amazon Machine Image (AMI)? A. An Instance store Hardware Virtual Machine AMI B. An Instance store Paravirtual AMI C. An Amazon EBS-backed Hardware Virtual Machine AMI D. An Amazon EBS-backed Paravirtual AMI

C

After an Amazon VPC instance is launched, can I change the VPC security groups it belongs to? A. No. You cannot. B. Yes. You can. C. Only if you are the root user D. Only if the tag "VPC_Change_Group" is true

C

Are you able to integrate a multi-factor token service with the AWS Platform? A. No, you cannot integrate multi-factor token devices with the AWS platform. B. Yes, you can integrate private multi-factor token devices to authenticate users to the AWS platform. C. Yes, using the AWS multi-factor token devices to authenticate users on the AWS platform.

C

Are you able to integrate a multi-factor token service with the AWS Platform? A. Yes, you can integrate private multi-factor token devices to authenticate users to the AWS platform. B. No, you cannot integrate multi-factor token devices with the AWS platform. C. Yes, using the AWS multi-factor token devices to authenticate users on the AWS platform.

C

Can you conduct your own vulnerability scans within your own VPC without alerting AWS first?

No

Can I delete a snapshot of the root device of an EBS volume used by a registered AMI? A. Only via API B. Only via Console C. Yes D. No

C

Can I initiate a "forced failover" for my MySQL Multi-AZ DB Instance deployment? A. Only in certain regions B. Only in VPC C. Yes D. No

C

Can I test my DB Instance against a new version before upgrading? A. Only in VPC B. No C. Yes

C

Do the Amazon EBS volumes persist independently from the running life of an Amazon EC2 instance? A. No B. Only if instructed to when created C. Yes

C

Do the system resources on the Micro instance meet the recommended configuration for Oracle? A. Yes completely B. Yes but only for certain situations C. Not in any circumstance

C

Does DynamoDB support in-place atomic updates? A. It is not defined B. No C. Yes D. It does support in-place non-atomic updates

C

How can an EBS volume that is currently attached to an EC2 instance be migrated from one Availability Zone to another? A. Detach the volume and attach it to another EC2 instance in the other AZ. B. Simply create a new volume in the other AZ and specify the original volume as the source. C. Create a snapshot of the volume, and create a new volume from the snapshot in the other AZ. D. Detach the volume, then use the ec2-migrate-volume command to move it to another AZ.

C

If you want to launch Amazon Elastic Compute Cloud (EC2) instances and assign each instance a predetermined private IP address you should: A. Launch the instance from a private Amazon Machine Image (AMI). B. Assign a group of sequential Elastic IP address to the instances. C. Launch the instances in the Amazon Virtual Private Cloud (VPC). D. Launch the instances in a Placement Group. E. Use standard EC2 instances since each instance gets a private Domain Name Service (DNS) already.

C

In a management network scenario, which interface on the instance handles public-facing traffic? A. Primary network interface B. Subnet interface C. Secondary network interface

C

In the Amazon RDS Oracle DB engine, the Database Diagnostic Pack and the Database Tuning Pack are only available with _________. A. Oracle Standard Edition B. Oracle Express Edition C. Oracle Enterprise Edition D. None of these

C

In the Launch Db Instance Wizard, where can I select the backup and maintenance options? A. Under DB INSTANCE DETAILS B. Under REVIEW C. Under MANAGEMENT OPTIONS D. Under ENGINE SELECTION

C

Is decreasing the storage size of a DB Instance permitted? A. Depends on the RDBMS used B. Yes C. No

C

It is advised that you watch the Amazon CloudWatch "_______" metric (available via the AWS Management Console or Amazon CloudWatch APIs) carefully and recreate the Read Replica should it fall behind due to replication errors. A. Write Lag B. Read Replica C. Replica Lag D. Single Replica

C

Can you import/export data to EBS via Snowball?

No

The _______ service is targeted at organizations with multiple users or systems that use AWS products such as Amazon EC2, Amazon SimpleDB, and the AWS Management Console. A. Amazon RDS B. AWS Integrity Management C. AWS Identity and Access Management D. Amazon EMR

C

To help you manage your Amazon EC2 instances, images, and other Amazon EC2 resources, you can assign your own metadata to each resource in the form of ________. A. special filters B. functions C. tags D. wildcards

C

What can I access by visiting the URL: http://status.aws.amazon.com/? A. Amazon Cloud Watch B. Status of the Amazon RDS DB C. AWS Service Health Dashboard D. AWS Cloud Monitor

C

What does Amazon ElastiCache provide? A. A service by this name doesn't exist. Perhaps you mean Amazon CloudCache. B. A virtual server with a huge amount of memory. C. A managed in-memory cache service. D. An Amazon EC2 instance with the Memcached software already pre-installed.

C

What does Amazon Route53 provide? A. A global Content Delivery Network. B. None of these. C. A scalable Domain Name System. D. An SSH endpoint for Amazon EC2.

C

What is the charge for the data transfer incurred in replicating data between your primary and standby? A. Same as the standard data transfer charge B. Double the standard data transfer charge C. No charge. It is free D. Half of the standard data transfer charge

C

What is the minimum time Interval for the data that Amazon CloudWatch receives and aggregates? A. One second B. Five seconds C. One minute D. Three minutes E. Five minutes

C

When an EC2 EBS-backed (EBS root) instance is stopped, what happens to the data on any ephemeral store volumes? A. Data is automatically saved in an EBS volume. B. Data is unavailable until the instance is restarted. C. Data will be deleted and will no longer be accessible. D. Data is automatically saved as an EBS snapshot.

C

When automatic failover occurs, Amazon RDS will emit a DB Instance event to inform you that automatic failover occurred. You can use ________ to return information about events related to your DB Instance. A. FetchFailure B. DescribeFailure C. DescribeEvents D. FetchEvents

C

When you add a rule to a DB security group, you do not need to specify port number or protocol. A. Depends on the RDBMS used B. TRUE C. FALSE

C

When you use the AWS Management Console to delete an IAM user, IAM also deletes any signing certificates and any access keys belonging to the user. A. FALSE B. This is configurable C. TRUE

C

Which Amazon Elastic Compute Cloud feature can you query from within the instance to access instance properties? A. Instance user data B. Resource tags C. Instance metadata D. Amazon Machine Image

C

How many CloudFormation stacks can you have? A. 30 B. No limit C. 200 D. 10

C. 200 http://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html

Which of the following approaches provides the lowest cost for Amazon Elastic Block Store snapshots while giving you the ability to fully restore data? A. Maintain two snapshots: the original snapshot and the latest incremental snapshot. B. Maintain a volume snapshot; subsequent snapshots will overwrite one another C. Maintain a single snapshot; the latest snapshot is both incremental and complete. D. Maintain the most current snapshot, archive the original and incremental to Amazon Glacier.

C

Which of the following services do you get OS level access to? A.RDS & EC2 B.DynamoDB & RDS C.EC2 & Elastic Map Reduce (EMR) D.EC2 & RedShift

C

Will I be alerted when automatic failover occurs? A. Only if SNS configured B. No C. Yes D. Only if Cloudwatch configured

C

With which AWS orchestration service can you implement Chef recipes? A. CloudFormation B. Elastic Beanstalk C. OpsWorks D. Lambda

C

You are building a solution for a customer to extend their on-premises data center to AWS. The customer requires a 50-Mbps dedicated and private connection to their VPC. Which AWS product or feature satisfies this requirement? A. Amazon VPC peering B. Elastic IP Addresses C. AWS Direct Connect D. Amazon VPC virtual private gateway

C

You are building an automated transcription service in which Amazon EC2 worker instances process an uploaded audio file and generate a text file. You must store both of these files in the same durable storage until the text file is retrieved. You do not know what the storage capacity requirements are. Which storage option is both cost-efficient and scalable? A. Multiple Amazon EBS volume with snapshots B. A single Amazon Glacier vault C. A single Amazon S3 bucket D. Multiple instance stores

C

You are deploying an application to collect votes for a very popular television show. Millions of users will submit votes using mobile devices. The votes must be collected into a durable, scalable, and highly available data store for real-time public tabulation. Which service should you use? A. Amazon DynamoDB B. Amazon Redshift C. Amazon Kinesis D. Amazon Simple Queue Service

C

You are designing an image sharing website that will distribute images across the world. You need to maximise performance so that your end users can download frequently accessed images as fast as possible. What AWS technology should you implement? A.Glacier B.Global Load Balancing (GLB) C.CloudFront D.Autoscaling

C

You have a web application running on six Amazon EC2 instances, consuming about 45% of resources on each instance. You are using auto-scaling to make sure that six instances are running at all times. The number of requests this application processes is consistent and does not experience spikes. The application is critical to your business and you want high availability at all times. You want the load to be distributed evenly between all instances. You also want to use the same Amazon Machine Image (AMI) for all instances. Which of the following architectural choices should you make? A. Deploy 6 EC2 instances in one availability zone and use Amazon Elastic Load Balancer. B. Deploy 3 EC2 instances in one region and 3 in another region and use Amazon Elastic Load Balancer. C. Deploy 3 EC2 instances in one availability zone and 3 in another availability zone and use Amazon Elastic Load Balancer. D. Deploy 2 EC2 instances in three regions and use Amazon Elastic Load Balancer.

C

What are characteristics of Amazon S3? Choose 2 answers A. S3 allows you to store objects of virtually unlimited size. B. S3 offers Provisioned IOPS. C. S3 allows you to store unlimited amounts of data. D. S3 should be used to host a relational database. E. Objects are directly accessible via a URL

C,E

Your application provides data transformation services. Files containing data to be transformed are first uploaded to Amazon S3 and then transformed by a fleet of spot EC2 instances. Files submitted by your premium customers must be transformed with the highest priority. How should you implement such a system? A. Use a DynamoDB table with an attribute defining the priority level. Transformation instances will scan the table for tasks, sorting the results by priority level. B. Use Route 53 latency based-routing to send high priority tasks to the closest transformation instances. C. Use two SQS queues, one for high priority messages, the other for default priority. Transformation instances first poll the high priority queue; if there is no message, they poll the default priority queue. D. Use a single SQS queue. Each message contains the priority level. Transformation instances poll high-priority messages first.

C

In reviewing the Auto Scaling events for your application you notice that your application is scaling up and down multiple times in the same hour. What design choice could you make to optimize for cost while preserving elasticity? Choose 2 answers A. Modify the Auto Scaling group termination policy to terminate the oldest instance first. B. Modify the Auto Scaling policy to use scheduled scaling actions C. Modify the Amazon CloudWatch alarm period that triggers your Auto Scaling scale down policy. D. Modify the Auto Scaling group cool-down timers. E. Modify the Auto Scaling group termination policy to terminate the newest instance first.

C,D

Which of the following are characteristics of a reserved instance? Choose 3 answers A. It can be migrated across Availability Zones B. It is specific to an Amazon Machine Image (AMI) C. It can be applied to instances launched by Auto Scaling D. It is specific to an instance Type E. It can be used to lower Total Cost of Ownership (TCO) of a system

C,D,E

An Auto-Scaling group spans 3 AZs and currently has 4 running EC2 instances. When Auto Scaling needs to terminate an EC2 instance by default, AutoScaling will: Choose 2 answers A. Allow at least five minutes for Windows/Linux shutdown scripts to complete, before terminating the instance. B. Terminate the instance with the least active network connections. If multiple instances meet this criterion, one will be randomly selected. C. Send an SNS notification, if configured to do so. D. Terminate an instance in the AZ which currently has 2 running EC2 instances. E. Randomly select one of the 3 AZs, and then terminate an instance in that AZ.

C,E

Which of the following are valid statements about Amazon S3? Choose 2 answers A. S3 provides read-after-write consistency for any type of PUT or DELETE. B. Consistency is not guaranteed for any type of PUT or DELETE. C. A successful response to a PUT request only occurs when a complete object is saved. D. Partially saved objects are immediately readable with a GET after an overwrite PUT. E. S3 provides eventual consistency for overwrite PUTS and DELETES.

C,E

Which of the following are true regarding AWS CloudTrail? Choose 3 answers A. CloudTrail is enabled globally B. CloudTrail is enabled by default C. CloudTrail is enabled on a per-region basis D. CloudTrail is enabled on a per-service basis. E. Logs can be delivered to a single Amazon S3 bucket for aggregation. F. CloudTrail is enabled for all available services within a region. G. Logs can only be processed and delivered to the region in which they are generated.

C,E,F

Which of the following are use cases for Amazon DynamoDB? Choose 3 answers A. Storing BLOB data. B. Managing web sessions. C. Storing JSON documents. D. Storing metadata for Amazon S3 objects. E. Running relational joins and complex updates. F. Storing large amounts of infrequently accessed data.

C,E,F

How many Auto Scaling Launch configurations are available by default? A. 44 B. 10 C. 100 D. No limit

C. 100 http://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html

How many advertised BGP routes are possible per route table? (propagated routes) A. 1000 B. 50 C. 100 D. 20

C. 100 http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Appendix_Limits.html

How many request per second are possible per CloudFront distribution? A. 1,000,000 B. 3,000 C. 100,000 D. 10,000

C. 100,000 http://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html

What is the maximum number of security groups per network interface? A. 3 B. 1 C. 16 D. 5

C. 16 http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Appendix_Limits.html

How many rules per Network ACL are possible? A. 32 B. 33 C. 20 D. 30

C. 20 http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Appendix_Limits.html

How many Network ACL's can you have per VPC? A. 50 B. 100 C. 200 D. 1

C. 200 http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Appendix_Limits.html

Can you Import/Export data to Glacier via Snowball?

No

(T/F) Ephemeral Data is lost whether you Stop, Reboot or Terminate an EC2 instance.

False. In case of a reboot the data is preserved.

Can you move reserved instance from one region to another?

No

Can you share encrypted snapshots?

No

Does Route 53 support Domain Name System Security Extensions (DNSSEC) at this time?

No

(T/F) All logs, backups, and snapshots are encrypted for an Amazon RDS Instance

False. Only for an *encrypted* Amazon RDS Instance

What Storage Gateway is best used when you don't have a reliable internet connection?

Gateway Stored Volumes as it stores all your data locally

*S3 Transfer Acceleration*

CloudFront Edge Network to accelerate uploads to S3 - uses a distinct URL to upload directly to edge location, which then transfers to S3 using AWS backbone network.

How can you clear CloudFront cache?

CloudFront cache gets cleared when the TTL expires, but it can be manually cleared as well for a charge.

In what circumstances would I choose provisioned IOPS in RDS over standard storage?

If you use production online transaction processing

*CloudFront*

CloudFront provides a way to distribute content with low latency and high data transfer speeds, delivering content to end-users using a global network of edge locations.

Auditing user access/API calls etc across the entire AWS estate can be achieved by using:

CloudTrail

To get a history of all EC2 API calls (including VPC and EBS) made on your account, you simply turn on ___________ in the AWS Management Console.

CloudTrail

You need to supply auditors with logs as to who provisions which resources on your AWS platform. Which service would best suit this?

CloudTrail

You have created a new subdomain for your popular website and you need this subdomain to point to an Elastic Load Balancer using Route53. Which DNS record set should you create?

CNAME

What format are cloudfront-cloudwatch metrics delivered in?

CSV, headers: Version, Report, DistributionID, StartDateUTC, EndDateUTC, GeneratedTimeUTC, Granularity eg "ONE_MINUTE", Data: DistributionID, FriendlyName, TimeBucket, Requests, BytesDownloaded, BytesUploaded, TotalErrorRatePct, 4xxErrorRatePct, 5xxErrorRatePct

Explain S3's *Client-Side Encryption*

Client-side encryption refers to encrypting data on the client side of your application before sending it to Amazon S3. You have the following two options for using data encryption keys: - Use an AWS KMS-managed customer master key. - Use a client-side master key. When using client-side encryption, you retain end-to-end control of the encryption process, including management of the encryption keys.

Which AWS service is used as CDN to distribute content around the world?

CloudFront

Customer Master Keys (CMKs)

Customer Managed Keys. AWS KMS uses a type of key called a Customer Master Key (CMK) to encrypt and decrypt data. CMKs are the fundamental resources that AWS KMS manages. They can be used inside of AWS KMS to encrypt or decrypt up to 4 KB of data directly. They can also be used to encrypt generated data keys that are then used to encrypt or decrypt larger amounts of data outside of the service. CMKs can never leave AWS KMS unencrypted, but data keys can leave the service unencrypted.

Shared Responsibility Model

Customer: responsible for security "in" the cloud
AWS: responsible for security "of" the cloud

A US-based company is expanding their web presence into Europe. The company wants to extend their AWS infrastructure from Northern Virginia (us-east-1) into the Dublin (eu-west-1) region. Which of the following options would enable an equivalent experience for users on both continents? A. Use a public-facing load balancer per region to load-balance web traffic, and enable HTTP health checks. B. Use a public-facing load balancer per region to load-balance web traffic, and enable sticky sessions. C. Use Amazon Route 53, and apply a geolocation routing policy to distribute traffic across both regions. D. Use Amazon Route 53, and apply a weighted routing policy to distribute traffic across both regions.

D

A client application requires operating system privileges on a relational database server. What is an appropriate configuration for a highly available database architecture? A. A standalone Amazon EC2 instance B. Amazon RDS in a Multi-AZ configuration C. Amazon EC2 instances in a replication configuration utilizing a single Availability Zone D. Amazon EC2 instances in a replication configuration utilizing two different Availability Zones

D

A company has a workflow that sends video files from their on-premise system to AWS for transcoding. They use EC2 worker instances that pull transcoding jobs from SQS. Why is SQS an appropriate service for this scenario? A. SQS guarantees the order of the messages. B. SQS synchronously provides transcoding output. C. SQS checks the health of the worker instances. D. SQS helps to facilitate horizontal scaling of encoding tasks.

D

A company is deploying a new two-tier web application in AWS. The company has limited staff and requires high availability, and the application requires complex queries and table joins. Which configuration provides the solution for the company's requirements? A. MySQL Installed on two Amazon EC2 Instances in a single Availability Zone B. Amazon RDS for MySQL with Multi-AZ C. Amazon ElastiCache D. Amazon DynamoDB

D

A customer has a single 3-TB volume on-premises that is used to hold a large repository of images and print layout files. This repository is growing at 500 GB a year and must be presented as a single logical volume. The customer is becoming increasingly constrained with their local storage capacity and wants an off-site backup of this data, while maintaining low-latency access to their frequently accessed data. Which AWS Storage Gateway configuration meets the customer requirements? A. Gateway-Cached volumes with snapshots scheduled to Amazon S3 B. Gateway-Stored volumes with snapshots scheduled to Amazon S3 C. Gateway-Virtual Tape Library with snapshots to Amazon S3 D. Gateway-Virtual Tape Library with snapshots to Amazon Glacier

D

A customer is running a multi-tier web application farm in a virtual private cloud (VPC) that is not connected to their corporate network. They are connecting to the VPC over the Internet to manage all of their Amazon EC2 instances running in both the public and private subnets. They have only authorized the bastion-securitygroup with Microsoft Remote Desktop Protocol (RDP) access to the application instance security groups, but the company wants to further limit administrative access to all of the instances in the VPC. Which of the following Bastion deployment scenarios will meet this requirement? A. Deploy a Windows Bastion host on the corporate network that has RDP access to all instances in the VPC. B. Deploy a Windows Bastion host with an Elastic IP address in the public subnet and allow SSH access to the bastion from anywhere. C. Deploy a Windows Bastion host with an Elastic IP address in the private subnet, and restrict RDP access to the bastion from only the corporate public IP addresses. D. Deploy a Windows Bastion host with an auto-assigned Public IP address in the public subnet, and allow RDP access to the bastion from only the corporate public IP addresses.

D

If an Amazon EBS volume is the root device of an instance, can I detach it without stopping the instance?

No

A customer wants to leverage Amazon Simple Storage Service (S3) and Amazon Glacier as part of their backup and archive infrastructure. The customer plans to use third-party software to support this integration. Which approach will limit the access of the third party software to only the Amazon S3 bucket named "companybackup"? A. A custom bucket policy limited to the Amazon S3 API in the Amazon Glacier archive "company-backup" B. A custom bucket policy limited to the Amazon S3 API in "company-backup" C. A custom IAM user policy limited to the Amazon S3 API for the Amazon Glacier archive "company-backup". D. A custom IAM user policy limited to the Amazon S3 API in "company-backup".

D

A photo-sharing service stores pictures in Amazon Simple Storage Service (S3) and allows application sign-in using an OpenID Connect-compatible identity provider. Which AWS Security Token Service approach to temporary access should you use for the Amazon S3 operations? A. SAML-based Identity Federation B. Cross-Account Access C. AWS Identity and Access Management roles D. Web Identity Federation

D

A__________is a storage device that moves data in sequences of bytes or bits (blocks). Hint: These devices support random access and generally use buffered I/O. A. block map B. storage block C. mapping device D. block device

D

After creating a new IAM user which of the following must be done before they can successfully make API calls? A. Add a password to the user. B. Enable Multi-Factor Authentication for the user. C. Assign a Password Policy to the user. D. Create a set of Access Keys for the user.

D

Amazon EC2 provides a repository of public data sets that can be seamlessly integrated into AWS cloud-based applications. What is the monthly charge for using the public data sets? A. A 1 time charge of 10$ for all the datasets. B. 1$ per dataset per month C. 10$ per month for all the datasets D. There is no charge for using the public data sets

D

Amazon RDS supports SOAP only through___________ A. HTTP or HTTPS B. TCP/IP C. HTTP D. HTTPS

D

An existing application stores sensitive information on a non-boot Amazon EBS data volume attached to an Amazon Elastic Compute Cloud instance. Which of the following approaches would protect the sensitive data on an Amazon EBS volume? A. Upload your customer keys to AWS CloudHSM. Associate the Amazon EBS volume with AWS CloudHSM. Re-mount the Amazon EBS volume. B. Create and mount a new, encrypted Amazon EBS volume. Move the data to the new volume. Delete the old Amazon EBS volume. C. Unmount the EBS volume. Toggle the encryption attribute to True. Re-mount the Amazon EBS volume. D. Snapshot the current Amazon EBS volume. Restore the snapshot to a new, encrypted Amazon EBS volume. Mount the Amazon EBS volume

D

Can I use Provisioned IOPS with VPC? A. Only Oracle based RDS B. No C. Only with MSSQL based RDS D. Yes for all RDS instances

D

Can the string value of 'Key' be prefixed with "aws:"? A. Only in GovCloud B. Only for S3 not EC2 C. Yes D. No

D

Does Amazon Route 53 support NS Records? A. Yes, it supports Name Service records. B. No C. It supports only MX records. D. Yes, it supports Name Server records.

D

In order to optimize performance for a compute cluster that requires low inter-node latency, which of the following feature should you use? A. Multiple Availability Zones B. AWS Direct Connect C. EC2 Dedicated Instances D. Placement Groups E. VPC private subnets

D

In the context of MySQL, version numbers are organized as MySQL version = X.Y.Z. What does X denote here? A. release level B. minor version C. version number D. major version

D

Is creating a Read Replica of another Read Replica supported? A. Only in VPC B. Yes C. Only in certain regions D. No

D

Is there a limit to the number of groups you can have? A. Yes for all users except root . B. No C. Yes unless special permission granted D. Yes for all users

D

Is there any way to own a direct connection to Amazon Web Services? A. You can create an encrypted tunnel to VPC, but you don't own the connection. B. Yes, it's called Amazon Dedicated Connection. C. No, AWS only allows access from the public Internet. D. Yes, it's called Direct Connect

D

Per the AWS Acceptable Use Policy, penetration testing of EC2 instances: A. May be performed by AWS, and will be performed by AWS upon customer request. B. May be performed by AWS, and is periodically performed by AWS. C. Are expressly prohibited under all circumstances. D. May be performed by the customer on their own instances with prior authorization from AWS. E. May be performed by the customer on their own instances, only if performed from EC2 instances

D

What does Amazon CloudFormation provide? A. None of these. B. The ability to setup Autoscaling for Amazon EC2 instances. C. A template to map network resources for Amazon Web Services. D. A templated resource creation for Amazon Web Services.

D

What does Amazon EBS stand for? A. Elastic Block Storage B. Elastic Business Server C. Elastic Blade Server D. Elastic Block Store

D

What does Amazon ELB stand for? A. Elastic Linux Box. B. Encrypted Linux Box. C. Encrypted Load Balancing. D. Elastic Load Balancing.

D

What is a Security Group? A. None of these. B. A list of users that can access Amazon EC2 instances. C. An Access Control List (ACL) for AWS resources. D. A firewall for inbound traffic, built-in around every Amazon EC2 instance.

D

What is the maximum response time for a Business level Premium Support case? A. 30 minutes B. You always get instant responses (within a few seconds). C. 10 minutes D. 1 hour

D

What's an ECU? A. Extended Cluster User. B. None of these. C. Elastic Computer Usage. D. Elastic Compute Unit.

D

When an EC2 instance that is backed by an S3-based AMI is terminated, what happens to the data on the root volume? A. Data is automatically saved as an EBS snapshot. B. Data is automatically saved as an EBS volume. C. Data is unavailable until the instance is restarted. D. Data is automatically deleted.

D

In RDS when using multiple availability zones, can you use the secondary database as an independent read node?

No

When you resize the Amazon RDS DB instance, Amazon RDS will perform the upgrade during the next maintenance window. If you want the upgrade to be performed now, rather than waiting for the maintenance window, specify the_________ option. A. ApplyNow B. ApplySoon C. ApplyThis D. ApplyImmediately

D

Which AWS instance address has the following characteristics? :"If you stop an instance, its Elastic IP address is unmapped, and you must remap it when you restart the instance." A Both A and B B None of these C VPC Addresses D EC2 Addresses

D

Which Amazon storage do you think is the best for my database-style applications that frequently encounter many random reads and writes across the dataset? A. None of these. B. Amazon Instance Storage C. Any of these D. Amazon EBS

D

Which of the following is not a responsibility of Amazon under the shared responsibility model? A.Data centre security B.Hypervisor patching C.OS level patching for RDS D.OS level patching for EC2

D

While creating an Amazon RDS DB, your first task is to set up a DB _________ that controls what IP addresses or EC2 instances have access to your DB Instance. A. Security Pool B. Secure Zone C. Security Token Pool D.Security Group

D

Within the IAM service a GROUP is regarded as a: A. A collection of AWS accounts B. It's the group of EC2 machines that gain the permissions specified in the GROUP. C. There's no GROUP in IAM, but only USERS and RESOURCES. D. A collection of users.

D

Without_____________ , you must either create multiple AWS accounts-each with its own billing and subscriptions to AWS products-or your employees must share the security credentials of a single AWS account. A. Amazon RDS B. Amazon Glacier C. Amazon EMR D. Amazon IAM

D

You are a solutions architect who has been asked to do some consulting for a US company that produces reusable rocket parts. They have a new web application that needs to be built and this application must be stateless. Which three services could you use to achieve this? A.AWS Storage Gateway, Elasticache & ELB B.ELB, Elasticache & RDS C.Cloudwatch, RDS & DynamoDb D.RDS, DynamoDB & Elasticache

D

You are working with a customer who has 10 TB of archival data that they want to migrate to Amazon Glacier. The customer has a 1-Mbps connection to the Internet. Which service or feature provides the fastest method of getting the data into Amazon Glacier? A. Amazon Glacier multipart upload B. AWS Storage Gateway C. VM Import/Export D. AWS Import/Export

D

You are working with a customer who is using Chef configuration management in their data center. Which service is designed to let the customer leverage existing Chef recipes in AWS? A. Amazon Simple Workflow Service B. AWS Elastic Beanstalk C. AWS CloudFormation D. AWS OpsWorks

D

You can use_________and_________to help secure the instances in your VPC. A. security groups and multi-factor authentication B. security groups and 2-Factor authentication C. security groups and biometric authentication D. security groups and network ACLs

D

You have decided to change the instance type for instances running in your application tier that is using Auto Scaling. In which area below would you change the instance type definition? A. Auto Scaling policy B. Auto Scaling group C. Auto Scaling tags D. Auto Scaling launch configuration

D

You launch an Amazon EC2 instance without an assigned AWS Identity and Access Management (IAM) role. Later, you decide that the instance should be running with an IAM role. Which action must you take in order to have a running Amazon EC2 instance with an IAM role assigned to it? A. Create an image of the instance, and register the image with an IAM role assigned and an Amazon EBS volume mapping. B. Create a new IAM role with the same permissions as an existing IAM role, and assign it to the running instance. C. Create an image of the instance, add a new IAM role with the same permissions as the desired IAM role, and deregister the image with the new role assigned. D. Create an image of the instance, and use this image to launch a new instance with the desired IAM role assigned.

D

You manually launch a NAT AMI in a public subnet. The network is properly configured. Security groups and network access control lists are properly configured. Instances in a private subnet can access the NAT. The NAT can access the Internet. However, private instances cannot access the Internet. What additional step is required to allow access from the private instances? A. Enable Source/Destination Check on the private Instances. B. Enable Source/Destination Check on the NAT instance. C. Disable Source/Destination Check on the private instances. D. Disable Source/Destination Check on the NAT instance.

D

You work for a toy company that has a busy online store. As you are approaching Christmas you find that your store is getting more and more traffic. You ensure that the web tier of your store is behind an Auto Scaling group, however you notice that the web tier is frequently scaling, sometimes multiple times in an hour, only to scale back after peak usage. You need to prevent this so that Auto Scaling does not scale as rapidly, just to scale back again. What option would help you to achieve this? A.Configure Auto Scaling to terminate your oldest instances first, then adjust your CloudWatch alarm. B.Configure Auto Scaling to terminate your newest instances first, then adjust your CloudWatch alarm. C.Change your Auto Scaling so that it only scales at scheduled times. D.Modify the Auto Scaling group cool-down timers & modify the Amazon CloudWatch alarm period that triggers your Auto Scaling scale down policy.

D

Your web application front end consists of multiple EC2 instances behind an Elastic Load Balancer. You configured ELB to perform health checks on these EC2 instances. If an instance fails to pass health checks, which statement will be true? A. The instance gets terminated automatically by the ELB. B. The instance gets quarantined by the ELB for root cause analysis. C. The instance is replaced automatically by the ELB. D. The ELB stops sending traffic to the instance that failed its health check.

D

What are the AWS instance types?

D - Dense Storage I - IOPS (high speed storage) R - memoRy optimized T - Trivial general purpose M - Multi-purpose C - Compute optimized G - GPU

A customer needs corporate IT governance and cost oversight of all AWS resources consumed by its divisions. The divisions want to maintain administrative control of the discrete AWS resources they consume and keep those resources separate from the resources of other divisions. Which of the following options, when used together will support the autonomy/control of divisions while enabling corporate IT to maintain governance and cost oversight? Choose 2 answers A. Use AWS Consolidated Billing and disable AWS root account access for the child accounts. B. Enable IAM cross-account access for all corporate IT administrators in each child account. C. Create separate VPCs for each division within the corporate IT AWS account. D. Use AWS Consolidated Billing to link the divisions' accounts to a parent corporate account. E. Write all child AWS CloudTrail and Amazon CloudWatch logs to each child account's Amazon S3 'Log' bucket.

D,E

Which of the following instance types are available as Amazon EBS-backed only? Choose 2 answers A. General purpose T2 B. General purpose M3 C. Compute-optimized C4 D. Compute-optimized C3 E. Storage-optimized I2

D,E

You are using an m1.small EC2 Instance with one 300 GB EBS volume to host a relational database. You determined that write throughput to the database needs to be increased. Which of the following approaches can help achieve this? Choose 2 answers A. Use an array of EBS volumes. B. Enable Multi-AZ mode. C. Place the instance in an Auto Scaling Groups D. Add an EBS volume and place into RAID 5. E. Increase the size of the EC2 Instance. F. Put the database behind an Elastic Load Balancer.

D,E

You are developing a highly available web application using stateless web servers. Which services are suitable for storing session state data? Choose 3 answers A. AWS Storage Gateway B. Amazon CloudWatch C. Elastic Load Balancing D. Amazon ElastiCache E. Amazon Relational Database Service (RDS) F. Amazon DynamoDB

D,E,F

What is the default number of security groups you can have per network interface? A. 3 B. 1 C. 16 D. 5

D. http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Appendix_Limits.html

How long do you have to accept an unaccepted VPC peering connection? A. 3 days B. 1 hour C. 1 day D. 1 Week

D. 1 Week (168 hours) http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Appendix_Limits.html

How many routes are possible per Direct Connect BGP session? A. 25 B. 1 C. 40 D. 100

D. 100 http://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html

How many SSL certificates can you have when using dedicated IP address space in CloudFront? A. None B. No limit C. 5 D. 2

D. 2 http://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html

How many Elastic Load Balancers can you have per region (total, meaning classic + application)? A. 5 B. 10 C. 15 D. 20

D. 20 http://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html

How many route tables are possible per VPC? A. 1 B. 30 C. 150 D. 200

D. 200 http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Appendix_Limits.html

How many VPCs can you have per region? A. No Limit B. 10 C. 3 D. 5

D. 5 http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Appendix_Limits.html

What is AWS's security model?

Shared Responsibility https://d0.awsstatic.com/whitepapers/architecture/AWS_Well-Architected_Framework.pdf

(T/F) With no rules applied to it, an Amazon EC2 security group will deny all traffic by default.

True

What key phrase does AWS use to categorize organizational data on levels of sensitivity?

Data classification https://d0.awsstatic.com/whitepapers/architecture/AWS_Well-Architected_Framework.pdf

Explain DynamoDB model.

DynamoDB Data Model: (a) "Table", a collection of Items; (b) "Items", with Keys and one or more Attributes; (c) "Attribute", with Name and Value.

A _____ for a VPC is a collection of subnets (typically private) that you may want to designate for your backend RDS DB Instances.

DB Subnet Group

In terms of security groups, RDS uses?

DB security groups, EC2 security groups and VPC security groups

With connection draining, what is the DEFAULT and MAX timeout period when ELB stops sending requests to unhealthy or deregistering instances?

DEFAULT: 5 mins MAX: 60 mins

What database service would you use to migrate databases from Oracle to MySQL?

DMS

When you create an RDS instance- what type of end point do you get?

DNS end point

What is instance meta data?

Data about your instance, such as hostname and IP address, to name only two

SQS Delay Queues

Delay queues allow you to postpone the delivery of new messages in a queue for a specific number of seconds. If you create a delay queue, any message that you send to that queue will be invisible to consumers for the duration of the delay period.

What are the similarities and what's the difference between a Delay Queue and the visibility timeout?

Delay queues are similar to visibility timeouts in that both features make messages unavailable to consumers for a specific period of time. The difference is that a delay queue hides a message when it is first added to the queue, whereas a visibility timeout hides a message only after that message is retrieved from the queue.

What is CloudTrail integration with CloudWatch Logs?

Delivers API activity captured by CloudTrail to a CloudWatch Logs log stream

By default, newly created Network ACL _______ all Inbound and Outbound traffic.

Denies

What are the RDS storage options?

Depending on the database engine and workload, you can scale up to 4 to 6TB in provisioned storage and up to 30,000 IOPS. Amazon RDS supports three storage types: Magnetic, General Purpose (Solid State Drive [SSD]), and Provisioned IOPS (SSD). The table highlights the relative size, performance, and cost differences between types.

How do you avoid downtime when AWS patches your RDS instance?

Deploy an HA RDS cluster; AWS will not patch all AZs at the same time

You work for a cosmetic company which has their production website on AWS. The site itself is in a two-tier configuration with web servers in the front end and database servers at the back end. The site uses Elastic Load Balancing and Auto Scaling. The databases maintain consistency by replicating changes to each other as and when they occur. This requires the databases to have extremely low latency. Your website needs to be highly redundant and must be designed so that if one Availability Zone goes offline and Auto Scaling cannot launch new instances in the remaining Availability Zones, the site will not go offline. How can the current architecture be enhanced to ensure this?

Deploy your site in three different AZs within the same region. Configure the Auto Scaling minimum to handle 50 percent of the peak load per zone.

One of your users is trying to upload a 7.5GB file to S3, however they keep getting the following error message: "Your proposed upload exceeds the maximum allowed object size." What is a possible solution for this?

Design your application to use the multi-part upload API for all objects

You need to add a route to your routing table in order to allow connections to the internet from your subnet. What route should you add?

Destination: 0.0.0.0/0 --> Target: your Internet gateway

Opsworks

DevOps Application Management Service

You have launched a NAT instance into a public subnet and you have configured all relevant security groups, network ACLs and routing policies to allow this NAT to function. However, EC2 instances in the private subnet still cannot communicate out to the internet. What troubleshooting steps should you take to resolve this issue?

Disable the Source/Destination Check on your NAT instance.

Which statement best describes Availability Zones?

Distinct locations from within an AWS region that are engineered to be isolated from failures.

AWS Data Pipeline preconditions

Distributed data flows often have dependencies; just because an activity is scheduled to run does not mean that there is data waiting to be processed. For situations like this, AWS Data Pipeline supports preconditions, which are conditional statements that must be true before an activity can run. These include scenarios such as whether an Amazon S3 key is present, whether an Amazon DynamoDB table contains any data, and so forth.

AWS uses the techniques detailed in _____________ ("National Industrial Security Program Operating Manual ") or ______________ ("Guidelines for Media Sanitization") to destroy data as part of the decommissioning process.

DoD 5220.22-M, NIST 800-88

In Amazon EC2 Container Service, _____________ is the only container platform supported by EC2 Container Service presently.

Docker

DNS

Domain Name Service

SWF Domains

Domains provide a way of scoping Amazon SWF resources within your AWS account. You must specify a domain for all the components of a workflow, such as the workflow type and activity types. It is possible to have more than one workflow in a domain; however, workflows in different domains cannot interact with one another.

You are working in the media industry and you have created a web application where users will be able to upload photos they create to your website. This web application must be able to call the S3 API in order to function. Where should you store your API credentials whilst maintaining the maximum level of security?

Don't save your API credentials. Instead create a role in IAM and assign this role to an EC2 instance when you first create it.

Due to international monetary regulations issued by the IMF, a large multi-national banking organization requires that all data for their end customers that live within Australia must not leave the Australian jurisdiction, and also that data for customers that reside in Japan must not leave the Japanese jurisdiction without explicit permission from the IMF. While registering, a user must include their residential address as part of their user profile. What steps should be taken to enforce these regulations on a web-based application running on EC2?

Due to the strict regulations, you should use a third party data provider to verify the user's location based on their profile. It would not be appropriate to rely on latency based routing as this would not always be 100% accurate.

What AWS service is best suited for non relational databases?

DynamoDB

What service is amazon's No-SQL database service?

DynamoDB

How can you secure data at rest on an EBS volume?
A. Attach the volume to an instance using EC2's SSL interface.
B. Write the data randomly instead of sequentially.
C. Encrypt the volume using the S3 server-side encryption service.
D. Create an IAM policy that restricts read and write access to the volume.
E. Use an encrypted file system on top of the EBS volume.

E

What underlying AWS storage service supports RDS?

EBS

What would be a cost effective EC2 pricing model for 1 hour long daily batch processes on EC2 for the next year?

EBS backed instances with on-demand instance pricing. Reserved instances only make sense if the user can keep instances busy for at least 30-40% of the time

Where do EBS snapshots live?

EBS snapshots live on S3

List services that support resource-based permissions

EC2 (some), S3, SNS, SQS, Glacier, EBS

A placement group is ideal for

EC2 instances that require high network throughput and low latency across a single availability zone.

If you're using EC2-Classic, you must use security groups created specifically for the _______________.

EC2-Classic

If you wanted to mount a volume to more than one EC2 instance, what AWS service would you use?

EFS

Which AWS service is effectively a NAS in the cloud, allowing you to connect it to multiple EC2 instances at once?

EFS

What service would be best for processing large amounts of data easily, Data Pipeline or EMR?

EMR

Data Pipeline

ETL process for Cloud & on-premise resources

Transfer Acceleration uses CloudFront network to upload data to ____________ which will upload to S3.

Edge location

Using _________________, you can not only improve load and response times to user actions and queries, but also reduce the cost associated with scaling web applications.

ElastiCache

What AWS service improves certain database queries?

ElastiCache https://d0.awsstatic.com/whitepapers/architecture/AWS_Well-Architected_Framework.pdf

Which AWS service is specifically designed for developers to upload their code to and then it will automatically handle the provisioning of those resources that are required to host that code?

Elastic Beanstalk

What is the difference between Elastic Beanstalk & CloudFormation?

Elastic Beanstalk automatically handles the deployment, from capacity provisioning, load balancing and auto-scaling to application health monitoring, based on the code you upload to it, whereas CloudFormation is an automated provisioning engine designed to deploy entire cloud environments via a JSON template.

What does EBS stand for?

Elastic Block Storage

EBS

Elastic Block Store.

What does EFS stand for?

Elastic File System; this functions like a NAS

EIPs

Elastic IP Addresses. AWS maintains a pool of public IP addresses in each region and makes them available for you to associate to resources within your Amazon VPCs. An Elastic IP Address (EIP) is a static, public IP address in the pool for the region that you can allocate to your account (pull from the pool) and release (return to the pool).

What is an important limitation of ELB in VPCs (that doesn't exist for Classic)?

Elastic Load Balancing in Amazon VPC supports IPv4 addresses only. Elastic Load Balancing in EC2-Classic supports both IPv4 and IPv6 addresses.

Elastic Load Balancing

Elastic Load Balancing is a highly available service that distributes traffic across Amazon Elastic Compute Cloud (Amazon EC2) instances and includes options that provide flexibility and control of incoming requests to Amazon EC2 instances.

Health Checks

Elastic Load Balancing supports health checks to test the status of the Amazon EC2 instances behind an Elastic Load Balancing load balancer. The status of the instances that are healthy at the time of the health check is InService. The status of any instances that are unhealthy at the time of the health check is OutOfService. The load balancer performs health checks on all registered instances to determine whether the instance is in a healthy state or an unhealthy state. A health check is a ping, a connection attempt, or a page that is checked periodically.

What protocols does Elastic Load Balancing support?

Elastic Load Balancing supports the following protocols: HTTP, HTTPS, TCP and SSL.

EMR

Elastic MapReduce

What is Elastic MapReduce (EMR) service?

Elastic MapReduce (Amazon EMR) is a web service that makes it easy to process large amounts of data efficiently. Amazon EMR uses Hadoop processing combined with several AWS products to do such tasks as web indexing, data mining, log file analysis, machine learning, scientific simulation, and data warehousing.

ENI

Elastic Network Interfaces. An Elastic Network Interface (ENI) is a virtual network interface that you can attach to an instance in an Amazon VPC. ENIs are only available within an Amazon VPC, and they are associated with a subnet upon creation. They can have one public IP address and multiple private IP addresses. If there are multiple private IP addresses, one of them is primary.

You are a digital media agency and you need to convert your media files into different formats to suit different devices. Which AWS service should you consider using to meet these needs?

Elastic Transcoder

Architecture Best Practice: Implement elasticity

Elasticity is the capacity of increasing and decreasing the performance of a system in response to increasing or decreasing demand, or based on manual or time constraints.
- Vertical Scaling: better for stateful applications
- Horizontal Scaling: best with stateless applications or applications that defer their state
- Deployment Automation:
-- Take the time to automate deployments to avoid human errors; long lead times make it hard to have a scaling system.
-- Bootstrap your instances:

You are a solutions architect working for a biotech company who is pioneering research in immunotherapy. They have developed a new cancer treatment that may be able to cure up to 94% of cancers. They store their research data on S3, however recently an intern accidentally deleted some critical files. You've been asked to prevent this from happening in the future. What options below can prevent this?

Enable S3 versioning on the bucket and enable Multi-Factor Authentication (MFA) on the bucket.

You have created a new AWS account for your company and you have also configured multi-factor authentication on the root account. You are about to create your new users. What strategy should you consider in order to ensure that there is good security on this account?

Enact a strong password policy, so that your users have to change their passwords every 45 days and must use a combination of capital and lower case letters, numbers and special symbols for all passwords.

If you want your application to check whether a request generated an error then you look for an ______ node in the response from the Amazon RDS API

Error

What is Autoscaling Termination Policy?

Even though the user has configured the termination policy, before AutoScaling selects an instance to terminate, it first identifies the Availability Zone that has more instances than the other Availability Zones used by the group. Within the selected Availability Zone, it identifies the instance that matches the specified termination policy.

What are the limitations of SES?

Every Amazon SES sender has a unique set of limits

AWS Data Pipeline - pipeline

Everything in AWS Data Pipeline starts with the pipeline itself. A pipeline schedules and runs tasks according to the pipeline definition. The scheduling is flexible and can run every 15 minutes, every day, every week, and so forth. The pipeline interacts with data stored in data nodes. Data nodes are locations where the pipeline reads input data or writes output data, such as Amazon S3, a MySQL database, or an Amazon Redshift cluster. Data nodes can be on AWS or on your premises. The pipeline will execute activities that represent common scenarios, such as moving data from one location to another, running Hive queries, and so forth. Activities may require additional resources to run, such as an Amazon EMR cluster or an Amazon EC2 instance. In these situations, AWS Data Pipeline will automatically launch the required resources and tear them down when the activity is completed.

Migrating existing SQL databases into RDS

Existing databases can be migrated to Amazon RDS using native tools and techniques that vary depending on the engine. For example with MySQL, you can export a backup using mysqldump and import the file into Amazon RDS MySQL. You can also use the AWS Database Migration Service, which gives you a graphical interface that simplifies the migration of both schema and data between databases. AWS Database Migration Service also helps convert databases from one database engine to another.

Subdomain, TLD, SLD, host, FQDN, root: explain

FQDN = Fully Qualified Domain Name (and must end with '.'!); TLD = Top-Level Domain; SLD = Second-Level Domain

How long does Multi-AZ RDS failover take?

Failover between the primary and the secondary instance is fast, and the time automatic failover takes to complete is typically one to two minutes.

Amazon S3 buckets in all other regions (other than US Standard) do not provide eventual consistency for overwrite PUTS and DELETES.

False

Amazon S3 buckets in the sa-east-1 region do not provide eventual consistency

False

Amazon SWF restricts me to using specific programming languages.

False

Amazon's Glacier service is a Content Distribution Network which integrates with S3

False

As the AWS platform is PCI DSS 1.0 compliant, I can immediately deploy a website to it that can take and store credit card details. I do not need to get any kind of delta accreditation from a QSA.

False

By default, EC2 instances pull SQS messages from an SQS queue on a FIFO (First In First out) basis.

False

In RDS, you are responsible for maintaining OS and application security patching, antivirus, etc.

False

Placement Groups can be created across 2 or more Availability Zones.

False

The difference between S3 and EBS is that EBS is object based where as S3 is block based.

False

The service to allow Big Data Processing on the AWS platform is known as AWS "Elastic Big Data"

False

To save administration headaches, Amazon recommends that you leave all security groups in web facing subnets open on port 22 to the 0.0.0.0/0 CIDR, that way you can connect wherever you are in the world.

False

True or False. AWS recommends providing EC2 instances with credentials so they can access other resources (such as S3 buckets) instead of assigning roles.

False

True or False. Amazon recommends that you leave all security groups in web facing subnets open on port 22 to 0.0.0.0/0 CIDR, that way you can connect wherever you are in the world.

False

True or False. Amazon's Glacier service is a Content Distribution Network which integrates with S3.

False

True or False. As the AWS is PCI DSS 1.00 compliant, I can immediately deploy a website to it that takes credit card details. I do not need any kind of delta accreditation from a QSA.

False

(T/F) Dedicated Instances are sometimes also called Dedicated Hosts

False! *Dedicated Instances* run on hardware that's dedicated to a single customer. As a customer runs more Dedicated Instances, more underlying hardware may be dedicated to their account. Other instances in the account (those not designated as dedicated) will run on shared tenancy and will be isolated at the hardware level from the Dedicated Instances in the account. An Amazon EC2 *Dedicated Host* is a physical server with Amazon EC2 instance capacity fully dedicated to a single customer's use. Dedicated Hosts can help you address licensing requirements and reduce costs by allowing you to use your existing server-bound software licenses. The customer has complete control over which specific host runs an instance at launch. This differs from Dedicated Instances in that a Dedicated Instance can launch on any hardware that has been dedicated to the account.

(T/F) UserData is stored with the instance in an encrypted form

False! UserData is stored with the instance and is not encrypted, so it is important to not include any secrets such as passwords or keys in the UserData.

True/False, an Elastic Transcoder pipeline can only process 1 job at a time

False, a pipeline can process multiple jobs at once and jobs may complete in an order different from that in which they were submitted

True/False, VPC security groups support allow and deny rules

False, security groups are DENY by default and only support ALLOW rules

(T/F) Memcached snapshots can be used to recover a crashed Memcached cluster

False. Amazon ElastiCache clusters running Redis allow you to persist your data from in-memory to disk and create a snapshot. Each snapshot is a full clone of the data that can be used to recover to a specific point in time or to create a copy for other purposes. Snapshots cannot be created for clusters using the Memcached engine because it is a purely in-memory key/value store and always starts empty. Amazon ElastiCache uses the native backup capabilities of Redis and will generate a standard Redis database backup file that gets stored in Amazon Simple Storage Service (Amazon S3).

SQS delivers messages in FIFO fashion

False. Amazon SQS is engineered to be highly available and to deliver messages reliably and efficiently; however, the service does not guarantee First In, First Out (FIFO) delivery of messages. For many distributed applications, each message can stand on its own and, if all messages are delivered, the order is not important. If your system requires that order be preserved, you can place sequencing information in each message so that you can reorder the messages when they are retrieved from the queue.

(T/F) You can replicate EBS for improved performance.

False. Each Amazon EBS volume *is automatically replicated* within its Availability Zone to protect you from component failure, offering high availability and durability.

(T/F) you need to select specific RDS instance types in order to control the storage characteristics used.

False. Independent from the DB Instance class that you select, you can also control the size and performance characteristics of the storage used.

(T/F) You can create two geolocation resource record sets that specify the same geographic location.

False. You cannot create two geolocation resource record sets that specify the same geographic location. You also cannot create geolocation resource record sets that have the same values for "Name" and "Type" as the "Name" and "Type" of non-geolocation resource record sets.

(T/F) Elastic Transcoder can transcode video, audio and image files

False. Not image files!

(T/F) The Multi-AZ RDS improves DB performance

False. Only during backups will I/O be better than in the non-Multi-AZ case (because backups are made on the standby). It is important to remember that Multi-AZ deployments are for disaster recovery only; they are not meant to enhance database performance. The standby DB Instance is not available to offload queries from the primary master DB Instance. To improve database performance using multiple DB Instances, use read replicas or other DB caching technologies such as Amazon ElastiCache.

(T/F) You can aggregate CloudWatch Metrics across regions

False. Amazon CloudWatch does not aggregate data across regions but can aggregate across Availability Zones within a region.

(T/F) Amazon Route 53 is a recursive DNS system

False. Amazon Route 53 is an authoritative DNS system. An authoritative DNS system provides an update mechanism that developers use to manage their public DNS names. It then answers DNS queries, translating domain names into IP addresses so that computers can communicate with each other.

(T/F) Auto Scaling Group can use both On-Demand or Spot Instances

False. An Auto Scaling group can use *either* On-Demand *or* Spot Instances as the Amazon EC2 instances it manages. A launch configuration can reference On-Demand Instances or Spot Instances, but not both.

(T/F) When using Auto Scaling you can briefly go beyond certain service limits

False. Auto Scaling may cause you to reach limits of other services, such as the default number of Amazon EC2 instances you can currently launch within a region, which is 20. When building more complex architectures with AWS, it is important to keep in mind the service limits for all AWS Cloud services you are using.

(T/F) By default inbound SSH traffic is allowed in a Security Group

False. By default, no inbound traffic is allowed until you add inbound rules to the security group.

(T/F) EIPs can be transferred to a different region if not needed anymore in the region it was created in

False. EIPs are specific to a region (that is, an EIP in one region cannot be assigned to an instance within an Amazon VPC in a different region).

(T/F) EIPs remain associated with your AWS account only until they are no longer associated with an instance.

False. EIPs remain associated with your AWS account until you explicitly release them.

(T/F) IAM is an identity store/ authorization system for your infrastructure and applications.

False. IAM is not an identity store/ authorization system for your applications. The permissions that you assign are permissions to manipulate AWS infrastructure, not permissions within your application.

(T/F) Elastic Load Balancing can be done across regions

False. The Elastic Load Balancing service allows you to distribute traffic across a group of Amazon EC2 instances in one or more Availability Zones, enabling you to achieve high availability in your applications in a region.

(T/F) Placement Groups are multi-AZ but single Region

False. They are single-region, single-AZ.

(T/F) S3 bucket names can contain lower and upper case characters

False. Only lowercase letters, numbers and underscores.

(T/F) Updates made to the source database are synchronously copied to the read replicas

False. They are *a*synchronously copied to the read replicas

AWS Security Features

Firewalls; Subnets; TLS Encryption; Direct Connections; DDoS Mitigation; Deployment Management; Inventory/Config Management; Template Management; Data Encryption; Key Management; HSMs; IAM; Multi-Factor Authentication; Integrated/Federated Directories; Monitoring & Logging

What kind of files can you store in S3?

Flat files

Your company has decided to set up a new AWS account for test and dev purposes. They already use AWS for production, but would like a new account dedicated to test and dev so as to not accidentally break the production environment. You launch an exact replica of your production environment using a CloudFormation template that your company uses in production. However, CloudFormation fails. You use the exact same CloudFormation template in production, so the failure is something to do with your new AWS account. The CloudFormation template is trying to launch 60 new EC2 instances in a single Availability Zone. After some research you discover that the problem is:

For all new AWS accounts there is a soft limit of 20 EC2 instances per region. You should submit the limit increase form and retry the template after your limit has been increased.

What is CloudTrail used for?

For auditing

Which instance type do I need to take if I need improved network performance?

For workloads requiring greater network performance, many instance types support enhanced networking. Enhanced networking reduces the impact of virtualization on network performance by enabling a capability called Single Root I/O Virtualization (SR-IOV). This results in more Packets Per Second (PPS), lower latency, and less jitter. At the time of this writing, there are instance types that support enhanced networking in the C3, C4, D2, I2, M4, and R3 families (consult the AWS documentation for a current list). Enabling enhanced networking on an instance involves ensuring the correct drivers are installed and modifying an instance attribute. *Enhanced networking is available only for instances launched in an Amazon Virtual Private Cloud (Amazon VPC)*.

If your volume stays in the detaching state, you can force the detachment by clicking ________________.

Force detach

What cloud reliability design principle is handled by AWS's seemingly unlimited capacity? (part of the three reliability areas)

Foundations: AWS handles the pipes into their data centers, storage capacity, and compute service levels so you don't have to think about them! https://d0.awsstatic.com/whitepapers/architecture/AWS_Well-Architected_Framework.pdf

In Redshift console, which unit is used for the "WriteThroughput" metric?

GB/s in the Redshift console; Bytes/s in CloudWatch

Max File Size for Cloudfront objects

GET, POST, PUT = 20GB per object

What is Ganglia?

Ganglia is an EMR cluster monitoring tool.

With Storage Gateways, if your internet connection is not reliable, use _____________________________.

Gateway Stored Volumes

What are possible issues with Route 53 geographic locations?

Geolocation works by mapping IP addresses to locations. You should be cautious, however, as some IP addresses aren't mapped to geographic locations. Even if you create geolocation resource record sets that cover all seven continents, Amazon Route 53 will receive some DNS queries from locations that it can't identify. In this case, you can create a default resource record set that handles both queries from IP addresses that aren't mapped to any location and queries that come from locations for which you haven't created geolocation resource record sets. If you don't create a default resource record set, Amazon Route 53 returns a "no answer" response for queries from those locations.

Which AWS service would be the best choice for long term data archival?

Glacier

Which of the following services is not supported by Cloudformation: EC2, autoscaling, ELB, Kinesis, Glacier

Glacier

You work for a health insurance company which collects large amounts of documents regarding patients' health records. This data will usually be used only once when assessing a customer and will then need to be securely stored for a period of 7 years. In some rare cases you may need to retrieve this data within 24 hours of a claim being lodged. Which storage solution would best suit this scenario? You need to keep your costs as low as possible.

Glacier

You have uploaded a file to S3. What HTTP code would indicate that the upload was successful?

HTTP 200

What protocols does ELB support?

HTTP, HTTPS, TCP, and SSL. Allowed ports are 25, 80, 443, 465, 587, and 1024-65535

AWS Config - Config Rule

Helps pinpoint which configuration change caused a resource to drift out of compliance. An AWS Config Rule represents desired configuration settings for specific AWS resources or for an entire AWS account. While AWS Config continuously tracks your resource configuration changes, it checks whether these changes violate any of the conditions in your rules. If a resource violates a rule, AWS Config flags the resource and the rule as noncompliant and notifies you.

Amazon SQS is a distributed queuing system that is optimized for _____________________ scalability.

Horizontal

What are 3 considerations to take when it comes to Auto Scaling?

How long does it take to redeploy the code and configure an instance?
How are new launch configurations tested?
How are new launch configurations deployed while phasing out the older ones?

What happens to the I/O operations while you take a database snapshot/backup?

I/O operations to the database are suspended for the duration of the snapshot if it is a single AZ RDS instance.

I can enable multifactor authentication by using

IAM

IAM Identity Providers

IAM Identity Providers provide the ability to federate outside identities with IAM and assign privileges to those users authenticated outside of IAM.

Which statement best describes IAM?

IAM allows you to manage users, groups and roles and their corresponding level of access to the AWS Platform.

What are the types of IAM Identity Providers?

IAM can integrate with two different types of outside Identity Providers (IdP). For federating web identities such as Facebook, Google, or Login with Amazon, IAM supports integration via OpenID Connect (OIDC). This allows IAM to grant privileges to users authenticated with some of the major web-based IdPs. For federating internal identities, such as Active Directory or LDAP, IAM supports integration via Security Assertion Markup Language 2.0 (SAML). A SAML-compliant IdP such as Active Directory Federation Services (ADFS) is used to federate the internal directory to IAM. (Instructions for configuring many compatible products can be found on the AWS website.) In each case, federation works by returning a temporary token associated with a role to the IdP for the authenticated identity to use for calls to the AWS API. The actual role returned is determined via information received from the IdP, either attributes of the user in the on-premises identity store or the user name and authenticating service of the web identity store.

What mechanisms are available to secure sensitive data on S3?

IAM policies, ACLs (for specific objects), bucket policies, and query string authentication (i.e., presigned URLs)

An organization has three separate AWS accounts, one each for development, testing, and production. At times the users from one account need to access resources in another account, such as promoting an update from the development environment to the production environment. The organization wants the testing team to have access to certain AWS resources in the production account. How can the organization achieve this?

IAM role with cross account access will provide a solution

What happens to the I/O operations while you take a database snapshot?

I/O operations are suspended

Communication between the load balancer and its back-end instances uses only _______________ (which IP).

IPv4

Elastic IP: EC2-Classic vs. EC2-VPC

If your account supports EC2-Classic, there's one pool of Elastic IP addresses for use with the EC2-Classic platform and another for use with the EC2-VPC platform.

You need to create new users to access the AWS console and to set password rotation policies for these new users. Which AWS service would best fit your requirements?

Identity Access Management (IAM)

What does IAM stand for?

Identity and Access Management

What AWS service manages user and group privileges?

Identity and Access Management (IAM) https://d0.awsstatic.com/whitepapers/architecture/AWS_Well-Architected_Framework.pdf

IAM

Identity and Access Management. IAM is a powerful service that allows you to control how people and programs are allowed to manipulate your AWS infrastructure. IAM uses traditional identity concepts such as users, groups, and access control policies to control who can use your AWS account, what services and resources they can use, and how they can use them. The control provided by IAM is granular enough to limit a single user to the ability to perform a single action on a specific resource from a specific IP address during a specific time window. Applications can be granted access to AWS resources whether they are running on-premises or in the cloud.

SQS dead letter queue

If a message has been retrieved but not processed properly after a configurable number of times (between 1-1000) then AWS can automatically drive the message to a queue of your choosing (which is then considered a dead letter queue).
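The receive-count and visibility-timeout mechanics behind that answer, as an added simulation (example code written for this page, not SQS itself). The queue settings, message body and timings are constructed:

```python
from dataclasses import dataclass, field


@dataclass
class Message:
    body: str
    receive_count: int = 0        # what SQS reports as ApproximateReceiveCount
    invisible_until: float = 0.0  # visibility timeout deadline (simulated clock)


@dataclass
class Queue:
    visibility_timeout: float = 30.0
    max_receive_count: int = 5                          # redrive policy setting
    messages: list = field(default_factory=list)
    dead_letter: list = field(default_factory=list)     # the redrive target queue

    def __post_init__(self):
        if not 1 <= self.max_receive_count <= 1000:
            raise ValueError("maxReceiveCount must be between 1 and 1000")

    def send(self, body):
        self.messages.append(Message(body))

    def receive(self, now):
        """Hand out the first visible message. A message that has already been
        received max_receive_count times without being deleted is moved to the
        dead-letter queue instead of being delivered yet again."""
        for msg in list(self.messages):
            if msg.invisible_until > now:          # still inside a visibility timeout
                continue
            if msg.receive_count >= self.max_receive_count:
                self.messages.remove(msg)
                self.dead_letter.append(msg)
                continue
            msg.receive_count += 1
            msg.invisible_until = now + self.visibility_timeout
            return msg
        return None

    def delete(self, msg):
        """Consumers must delete after successful processing, or the message
        becomes visible again when its visibility timeout lapses."""
        self.messages.remove(msg)


def run_poison_message_demo():
    """Constructed scenario: one message the consumer can never process."""
    q = Queue(visibility_timeout=30, max_receive_count=3)
    q.send("order-42")
    attempts = []
    for t in (0, 10, 30, 60, 90):
        m = q.receive(now=t)
        attempts.append((t, m.receive_count if m else None))
    return attempts, [m.body for m in q.dead_letter]
```

At t=10 the message is invisible, at t=30 and t=60 it is delivered again, and on the attempt at t=90 (the fourth receive with maxReceiveCount=3) it is redriven to the dead-letter queue instead of being delivered; a message that is deleted after processing never reaches the dead-letter queue.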

Charge/Billing question If data is transferred between instances in different availability zones, _____.

If data is transferred between instances in different availability zones, each instance is charged for its data in and data out.

Compare the number maximum of IPv4 and IPv6 addresses

If each IPv4 address were one grain of sand, you would have enough addresses to fill approximately one dump truck with sand. If each IPv6 address were one grain of sand, you would have enough sand to equal the approximate size of the sun.

How does Auto Scaling pick an instance to terminate on scale-in when several instances use the oldest launch configuration?

If more than one instance uses the oldest launch configuration, it terminates the instance closest to the next billing hour; if several are equally close, it picks one of them at random. If only one instance uses the oldest launch configuration, that instance is terminated.

IAM user only having CloudWatch access has setup the alarm action which stops the EC2 instances when the CPU utilization is below the threshold limit. What will happen in this case?

If the IAM user has read/write permissions for Amazon CloudWatch but not for Amazon EC2, he can still create an alarm. However, the stop or terminate actions will not be performed on the Amazon EC2 instance.

A user has configured ELB with Auto Scaling. The user suspended the Auto Scaling terminate process only for a while. What might the Availability Zone Rebalancing process (AZRebalance) consequently cause during this period?

If the user suspends the Terminate process, the AZRebalance process can cause the Auto Scaling group to grow up to ten percent larger than the maximum size.

How does Auto Scale determine when to scale in if there are multiple instances in multiple AZs?

If the group spans multiple AZs, select the AZ with the most instances (if several AZs tie, any of them can be chosen). Within that AZ, select the instance with the oldest launch configuration.

Architecture Best Practice: Design for failure and nothing will fail

If you design architectures around the assumption that any component will eventually fail, the system keeps running when an individual component does. So use load balancers, Auto Scaling groups, Multi-AZ RDS and similar redundant, self-healing building blocks.

You are a security architect working for a large antivirus company. The production environment has recently been moved to AWS and is in a public subnet. You are able to view the production environment over HTTP however when your customers try to update their virus definition files over a custom port, that port is blocked. You log in to the console and you allow traffic in over the custom port. How long will this take to take effect?

Immediately; changes to security group rules take effect right away.

What is an additional way to secure IAM for both the root login and new users alike?

Implement multi-factor Authentication for all accounts.

How is SQS Billed?

Per request, where each 64 KB chunk of a payload counts as one request (a 256 KB message is billed as four requests).

Amazon Glacier Archive max size = ____

In Amazon Glacier, data is stored in archives. An archive can contain up to 40 TB of data, and you can have an unlimited number of archives. Each archive is assigned a unique archive ID at the time of creation (unlike an Amazon S3 object key, you cannot specify a user-friendly archive name). All archives are automatically encrypted, and archives are immutable: after an archive is created, it cannot be modified.

Select the incorrect statement:

"In Amazon VPC, an instance does NOT retain its private IP." This is the incorrect one: an instance launched in a VPC keeps its private IP address for its lifetime, including across stop/start.

In EC2-Classic - you can ____________ rules. But you cant _________ outbound rules.

In EC2-Classic you can add/remove rules, but you can't change outbound rules (EC2-Classic security groups only filter inbound traffic).

Where does AWS store RDS automated backups and snapshots?

In S3

By definition a public subnet within a VPC is one that;

Its route table has at least one route that targets an Internet Gateway (IGW).

ELB: the status of healthy instances is ______ while the status of unhealthy instances is _____

InService, OutOfService

Route53 does not support zone apex records (or naked domain names)

Incorrect. Route 53 alias records can point a zone apex (naked domain) at an ELB, a CloudFront distribution or an S3 website endpoint, which a CNAME cannot do.

If you restart Instance Store volume instance, you lose data. Correct?

Incorrect. Data on an instance store volume survives a reboot of the operating system; it is lost when the instance stops (if it can be stopped), terminates, or the underlying host fails.

A company of 100 people makes use of a single m4.medium NAT instance inside a VPC. This NAT instance then allows individual EC2 instances in private subnets to communicate out to the internet without being directly accessible via the internet. As the company size has grown over the last year they are finding the amount of traffic going through the NAT instance is overwhelming and is causing very bad performance degradation. What could you do to solve this problem?

Increase the instance size of the NAT instance from an m4.medium to an m4.xlarge; larger instance types get more network bandwidth.

EBS Snapshots are backed up to S3 in what manner?

Incrementally

You are a student currently learning about the different AWS services. Your employer asks you to tell him a bit about Amazon's glacier service. Which of the following best describes the use cases for Glacier?

Infrequently accessed data & data archives

Instance Billing Starts -> _____________ Instance Billing Ends -> _____________

Instance Billing Starts -> when boot sequence of an AMI initiates Instance Billing Ends -> when the instance shuts down

Which DNS name can only be resolved within Amazon EC2?

Internal DNS Name

VPC peering is done through _______________ IPs.

Internal IPs

When is termination protection disregarded?

It does not prevent termination triggered by 1. an OS shutdown command, 2. termination from an AutoScaling group, or 3. termination of a Spot Instance due to Spot price changes

Architecture Best Practice: Think Parallel

It is advisable not only to implement parallelization wherever possible, but also to automate it because the cloud allows you to create a repeatable process very easily.

Architecture Best Practice: Leverage different storage options

It is important from a cost, performance and functional aspect to leverage different storage options; one size does not fit all.
- Amazon S3: your web application needs large-scale storage capacity and performance, or you need cloud storage with high data durability to support backup and active archives for disaster recovery.
- Amazon Glacier: you require cloud storage for data archiving and long-term backup.
- Amazon CloudFront: you require a content delivery network to deliver entire websites, including dynamic, static, streaming, and interactive content, using a global network of edge locations.
- Amazon DynamoDB: you require a fast and flexible NoSQL database with a flexible data model and reliable performance.
- Amazon EBS: you need reliable block storage to run mission-critical applications such as Oracle, SAP, Microsoft Exchange, and Microsoft SharePoint.
- Amazon RDS: you need a highly available, scalable, and secure MySQL database without the time-consuming administrative tasks.
- Amazon Redshift: you need a fast, powerful, fully managed, petabyte-scale data warehouse to support business analytics of your e-commerce application.
- Amazon ElastiCache: you need a Redis cluster to store session information for your web application.
- Amazon EFS: you need a common file system for your application that is shared between more than one Amazon EC2 instance.

(T/F) When an IAM user is created, it has neither an access key nor a password

It is important to note that when an IAM user is created, it has neither an access key nor a password, and the IAM administrator can set up either or both. This adds an extra layer of security in that console users cannot use their credentials to run a program that accesses your AWS infrastructure.

Explain Range GETs

It is possible to download (GET) only a portion of an object in both Amazon S3 and Amazon Glacier by using something called a Range GET. Using the Range HTTP header in the GET request or equivalent parameters in one of the SDK wrapper libraries, you specify a range of bytes of the object. This can be useful in dealing with large objects when you have poor connectivity or to download only a known portion of a large Amazon Glacier backup.

A user is having data generated randomly based on a certain event. The user wants to upload that data to CloudWatch. It may happen that event may not have data generated for some period due to randomness. What is recommended for this case?

It is recommended that the user should publish zeroes for those periods.

By default, newly created users have _____ permission to do anything in AWS.

No

What is CNAME?

It stands for Canonical Name. A CNAME record maps one domain name to another name. It can't be used for a naked domain (zone apex), and CNAME queries are billed in Route 53, whereas alias record queries to AWS resources are free.

How does an Auto Scaling Group determine whether an instance is healthy or not?

It uses one or more of the following checks: 1. EC2 Instance Status Checks: Instances are considered *un*healthy when their instance status is anything other than *running* or its system status is *impaired* 2. ELB Status Checks: if you have attached a load balancer to your ASG then you can optionally have the ASG include the results of the ELB health checks when determining the health status of an instance 3. Custom Health Checks

What is AWS Storage Gateway?

It's an on-premises virtual appliance that connects local applications to AWS storage, for example by caching frequently used S3 data locally at the customer's site.

What is the root account?

It's the identity created when you first set up an AWS account. It has complete admin access, so it should be protected with MFA and not used for day-to-day work.

In what language are policy documents written in?

JSON

JSON stands for ...

JSON (JavaScript Object Notation)

What are the elements of Elastic Transcoder

Jobs, Pipelines, Presets, and Notifications. ARNs are not part of Elastic Transcoder.

What AWS service is used for collating large amounts of data streamed from multiple sources?

Kinesis

Which AWS service allows you to run code without having to worry about provisioning any underlying resources (such as virtual machines, databases etc)

Lambda

How does AWS want you to grant access to AWS resources?

Least privileged https://d0.awsstatic.com/whitepapers/architecture/AWS_Well-Architected_Framework.pdf

DynamoDB supports two types of secondary indexes:

Local secondary index — an index that has the same hash key as the table, but a different range key. A local secondary index is "local" in the sense that every partition of a local secondary index is scoped to a table partition that has the same hash key. Global secondary index — an index with a hash and range key that can be different from those on the table. A global secondary index is considered "global" because queries on the index can span all of the data in a table, across all partitions.

What service does CloudTrail provide?

Logs API calls - includes things like source IP, time, parameters, and response elements https://d0.awsstatic.com/whitepapers/architecture/AWS_Well-Architected_Framework.pdf

Bucket name is unique and it is ___________case.

Lowercase

In AWS CloudHSM, you can perform a remote backup/restore of a Luna SA partition if you have purchased a ____________________ .

Luna Backup HSM

What is the difference between an M1 & M3 instance

M3 has more swap space

What can you add to S3 to increase security when deleting an item when versioning is turned on?

MFA Delete: with versioning enabled, require an MFA code to permanently delete an object version or to change the bucket's versioning state.

What should you always have setup on your root account?

MFA
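Virtual MFA devices in AWS generate TOTP codes (RFC 6238). The following added example, not AWS code, implements both the device side and the verifier side in pure Python, using the RFC test-vector seed so the output can be checked against the published values; the base32 seed format is the one the AWS console shows at enrollment, and the clock-skew window is an assumption of this example.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation, N digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed_b32: str, at=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step). The seed is the
    base32 string a virtual MFA device is enrolled with."""
    key = base64.b32decode(seed_b32.replace(" ", ""), casefold=True)
    now = int(time.time()) if at is None else int(at)
    return hotp(key, now // step, digits)


def verify_totp(code: str, seed_b32: str, at, window: int = 1, step: int = 30) -> bool:
    """Verifier side: accept the current step and +/- `window` steps of clock skew,
    comparing in constant time so timing does not leak which digits were right."""
    ok = False
    for drift in range(-window, window + 1):
        expected = totp(seed_b32, at + drift * step, step)
        ok |= hmac.compare_digest(expected, code)    # no early exit: constant work
    return ok


def new_seed(nbytes: int = 20) -> str:
    """A fresh enrollment seed (160 bits, the RFC-recommended minimum)."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode()


# RFC 4226 / RFC 6238 reference secret ("12345678901234567890" in ASCII) so the
# output can be checked against the published test vectors.
RFC_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
```

The seed is the whole secret: whoever has the base32 string (or the QR code) can mint valid codes, which is why enrollment screenshots and backup copies of the seed need the same protection as the password itself.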

_________________volumes are ideal for workloads where data is accessed infrequently, and applications where the lowest storage cost is important.

Magnetic volumes

How does RDS expose features and common configuration settings?

Many features and common configuration settings are exposed and managed *using DB parameter groups* and *DB option groups*.
- *A DB parameter group* acts as a container for engine configuration values that can be applied to one or more DB instances. You may change the DB parameter group for an existing instance, but a reboot is required.
- *A DB option group* acts as a container for engine features, which is empty by default. In order to enable specific features of a DB engine (for example, Oracle Statspack or Microsoft SQL Server Mirroring), you create a new DB option group and configure the settings accordingly.

IAM Federation

Many organizations already have an identity repository outside of AWS and would rather leverage that repository than create a new and largely duplicate repository of IAM users. Similarly, web-based applications may want to leverage web-based identities such as Facebook, Google, or Login with Amazon. IAM Identity Providers provide the ability to federate these outside identities with IAM and assign privileges to those users authenticated outside of IAM.

You are a systems administrator and you need to monitor the health of your production environment. You decide to do this using Cloud Watch, however you notice that you cannot see the health of every important metric in the default dash board. Which of the following metrics do you need to design a custom cloud watch metric for, when monitoring the health of your EC2 instances?

Memory usage

What are RDS Automated Backups Retention periods?

Minimum retention period = 1 day; maximum = 35 days; default = 7 days.

You work for a toy company that has a busy online store. As you are approaching christmas you find that your store is getting more and more traffic. You ensure that the web tier of your store is behind an Auto Scaling group, however you notice that the web tier is frequently scaling, sometimes multiple times in an hour, only to scale back after peak usage. You need to prevent this so that Auto Scaling does not scale as rapidly, just to scale back again. What option would help you to achieve this?

Modify the Auto Scaling group cool-down timers & modify the Amazon CloudWatch alarm period that triggers your Auto Scaling scale down policy.

System Status Checks (EC2 instance status)

Monitor the AWS systems required to use your instance to ensure they are working properly. These checks detect problems with your instance that require AWS involvement to repair. When a system status check fails, you can choose to wait for AWS to fix the issue, or you can resolve it yourself (for example, by stopping and starting an instance, or by terminating and replacing an instance). The following are examples of problems that can cause system status checks to fail: - Loss of network connectivity - Loss of system power - Software issues on the physical host - Hardware issues on the physical host that impact network reachability

Instance Status Checks (EC2 Instance Status)

Monitor the software and network configuration of your individual instance. These checks detect problems that require your involvement to repair. When an instance status check fails, typically you will need to address the problem yourself (for example, by rebooting the instance or by making instance configuration changes). The following are examples of problems that can cause instance status checks to fail: - Failed system status checks - Incorrect networking or startup configuration - Exhausted memory - Corrupted file system - Incompatible kernel

With provisioned SSD (IO1) how many IOPS can you have?

More than 10,000 IOPS (up to 20,000 IOPS per volume at the time of this quiz).

Can I directly access the event logs for my Database Instance?

Yes. For Amazon RDS for MySQL or MariaDB you can use the mysqlbinlog utility to download or stream binary logs from your DB instance.

Which database engines currently support read-replicas?

MySQL, PostgreSQL, MariaDB, and Aurora

Main differences between NAT instances and NAT Gateway

NAT Gateway is: 1. simpler to manage 2. highly available within an availability zone

With CloudWatch custom metrics, what is required with the request?

Namespace

If you need to block IP addresses, a _______________ is the preferred way, compared to security groups (which only have allow rules).

Network ACL

Security groups act like a firewall at the instance level whereas ___ are an additional layer of security that act at the subnet level

Network ACLs
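Why the deny has to live in the network ACL, as an added example (not AWS code) that models the two evaluation rules: security groups are allow-only and stateful, NACLs are ordered allow/deny rules, stateless, evaluated lowest number first with an implicit deny at the end. The rule numbers, CIDRs and ports are constructed, and the addresses come from the documentation (TEST-NET) ranges.

```python
import ipaddress

# Constructed rule sets for a public web subnet.
SG_WEB = [                       # security group: (source CIDR, port from, port to), allow-only
    ("0.0.0.0/0", 80, 80),
    ("0.0.0.0/0", 443, 443),
]
NACL_WEB_INBOUND = [             # (rule number, action, source CIDR, port from, port to)
    (90,  "deny",  "203.0.113.5/32", 0, 65535),     # the address to block, numbered first
    (100, "allow", "0.0.0.0/0",      80, 80),
    (110, "allow", "0.0.0.0/0",      443, 443),
    (120, "allow", "0.0.0.0/0",      1024, 65535),  # return traffic: NACLs are stateless
]
NACL_MISORDERED = [              # same intent, but the deny is numbered after the allow
    (100, "allow", "0.0.0.0/0",      80, 80),
    (200, "deny",  "203.0.113.5/32", 0, 65535),
]


def nacl_decision(rules, src_ip, port):
    """Evaluate rules in ascending rule-number order; the first match decides,
    and the implicit '*' rule at the end denies everything else."""
    src = ipaddress.ip_address(src_ip)
    for number, action, cidr, lo, hi in sorted(rules, key=lambda r: r[0]):
        if src in ipaddress.ip_network(cidr) and lo <= port <= hi:
            return action, number
    return "deny", "*"


def sg_decision(rules, src_ip, port):
    """Security groups have only allow rules: a packet is allowed if any rule
    matches and denied otherwise, so one address inside an allowed CIDR
    cannot be singled out."""
    src = ipaddress.ip_address(src_ip)
    for cidr, lo, hi in rules:
        if src in ipaddress.ip_network(cidr) and lo <= port <= hi:
            return "allow"
    return "deny"


def reachable(sg_rules, nacl_rules, src_ip, port):
    """An inbound packet must pass the subnet's NACL and then the instance's SG."""
    return (nacl_decision(nacl_rules, src_ip, port)[0] == "allow"
            and sg_decision(sg_rules, src_ip, port) == "allow")
```

The misordered set shows the common mistake: a deny numbered above a matching allow never fires, because evaluation stops at rule 100.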

An AWS VPC is a component of which AWS service?

Networking Service

When you restore RDS backup or snapshot, it creates ________________ instance with new endpoint.

New DB

Can I change the EC2 security groups after an instance is launched in EC2-Classic?

No

When replicating data from your primary RDS instance to your secondary RDS instance, what is the charge?

No Charge, Its free

Every user you create in the IAM systems starts with _____

No Permissions

DynamoDB is what type of DB?

NoSQL

New users have access to what resources by default?

No access (no permissions in IAM)

By default when you create a new user in the IAM console, what level of access do they have?

No access to all AWS services.

What is Lambda service?

An event-driven compute service: you upload code and Lambda runs it in response to events. There are no EC2 instances to provision, patch, or scale.

Can you launch a AMI you own from a different region?

No, AMIs are region-specific. You can copy an AMI to another region and share it with other accounts, then launch from the copy.

Can you limit user access to CloudWatch data for a specific load balancer

No, IAM is not supported for granular CloudWatch data by resource since there are no specific CloudWatch Resource ARNs by which to limit.

Is adding another ENI to a dual-homed instance a valid method to increase network bandwidth?

No, additional network interfaces do not increase network bandwidth. They may be useful for poor man's HA (moving a secondary ENI, with its private IP, to a standby instance).

Is it possible to run EC2 instances in Edge locations?

No, edge locations are separate from regions and availability zones

Can you prioritize a SQS message?

No, if you need to prioritize work create additional queues

Can EFS only scale up to 1 TB in total size?

No, it can scale to multiple petabytes

Can EFS only support 100 concurrent NFS connections at any given point?

No, it can support thousands

is an elastic load balancer part of a subnet?

No. An ELB is a VPC-level resource. An EC2-Classic load balancer balances across EC2 instances directly; a VPC load balancer is attached to one or more subnets (where it places its network interfaces) and balances across instances in those subnets, but the ELB itself is not an instance that lives in a subnet.

Is termination protection turned on by default when creating a new instance?

No, it's disabled by default

Can a placement group span multiple availability zones?

No, placement groups are restricted to a single availability zone.

Is it possible to use the standby RDS instance in a multi-AZ deployment as a read replica?

No, the standby instance is not addressable

Can you have up to 3 VPC peering connections between the same 2 VPCs at once

No, you can only have 1 VPC peering connection between the same 2 VPCs at once

Can you move an existing EC2 instance into a placement group

No, you could create an AMI from your existing instance and then launch a new instance into the placement group from that AMI

If AWS automatically terminates your instance are you liable for the entire hour?

No, you get the hour they terminated the instance for free

Is VPC peering transitive? I.e. Peering between A&B and between B&C means automatic peering between A&C?

No.

Cloud Search

A managed search service that lets customers integrate search functionality into websites or applications.

can you create VPC peering connections between VPCs in different regions

Not at the time this quiz was written; see https://aws.amazon.com/about-aws/whats-new/2014/03/24/announcing-vpc-peering/

What happens if a policy passed in an AssumeRole call grants more than the role's own policy?

Nothing: a session policy passed with AssumeRole can only narrow the role's permissions, never expand them. The effective permissions are the intersection of the role's policies and the session policy.
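A toy evaluator for the cross-account role answer, the "new users start with no permissions" answers and the session-policy point above. This is an added example, not AWS's policy engine: the account IDs, ExternalId, bucket and policy documents are constructed, and it models identity-based policies plus a role trust policy only (no resource policies, permission boundaries or SCPs).

```python
from fnmatch import fnmatchcase

# Constructed account IDs; the production role a testing-account user would assume.
PROD_ACCOUNT = "111111111111"
TEST_ACCOUNT = "222222222222"
ROLE_ARN = f"arn:aws:iam::{PROD_ACCOUNT}:role/TestersReadOnly"

# Trust policy on that role: only principals from the testing account may assume
# it, and only when they present the agreed ExternalId (the usual guard against
# the confused-deputy problem in cross-account access).
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{TEST_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "qa-handoff-7731"}},
    }],
}

# Permissions policy attached to the role: least privilege (read one bucket),
# with an explicit Deny on deletes that no other Allow can override.
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::prod-logs", "arn:aws:s3:::prod-logs/*"]},
        {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match(patterns, value, fold_case=False):
    """IAM-style wildcard match ('*' and '?'); action names are case-insensitive."""
    patterns = _as_list(patterns)
    if fold_case:
        patterns, value = [p.lower() for p in patterns], value.lower()
    return any(fnmatchcase(value, p) for p in patterns)


def evaluate(policies, action, resource):
    """Decide one request from identity-based policies: an explicit Deny beats
    any Allow, and with no matching Allow the result is an implicit Deny (the
    state every newly created IAM user starts in)."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not (_match(stmt.get("Action", []), action, fold_case=True)
                    and _match(stmt.get("Resource", []), resource)):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "Deny"


def evaluate_with_session_policy(role_policies, session_policy, action, resource):
    """AssumeRole with an inline session policy: the request succeeds only if the
    role's own policies AND the session policy allow it, so a session policy can
    narrow but never expand what the role may do."""
    role_says = evaluate(role_policies, action, resource)
    session_says = evaluate([session_policy], action, resource)
    return "Allow" if (role_says, session_says) == ("Allow", "Allow") else "Deny"


def can_assume(trust_policy, caller_arn, external_id=None):
    """Check the role's trust policy for a caller ARN. Trusting an account's
    :root principal delegates to that account, whose own IAM policies must still
    grant the caller sts:AssumeRole on the role."""
    caller_account = caller_arn.split(":")[4]
    for stmt in _as_list(trust_policy["Statement"]):
        if stmt["Effect"] != "Allow" or not _match(stmt["Action"], "sts:AssumeRole", fold_case=True):
            continue
        principals = _as_list(stmt.get("Principal", {}).get("AWS", []))
        if not any(p in ("*", caller_arn, f"arn:aws:iam::{caller_account}:root") for p in principals):
            continue
        required = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if required is not None and required != external_id:
            continue
        return True
    return False
```

The tests below exercise the three rules: the explicit Deny on s3:DeleteObject survives even when an Allow-everything policy is attached alongside, an empty policy set denies everything, and a permissive session policy cannot add s3:PutObject to what the role itself allows.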

What do you have to do to get EFS to store you data across multiple AZ's?

Nothing, this is the default behavior

By default in EC2, termination protection is ________.

OFF

By default, S3 versioning is set to _________.

OFF

In order to track requests to your Amazon S3 bucket, you can enable Amazon S3 server access logs. Logging is ___ by default.

OFF. Logging is off by default, but it can easily be enabled. When you enable logging for a bucket (the source bucket), you must choose where the logs will be stored (the target bucket). You can store access logs in the same bucket or in a different bucket.

If instance is within Alarm threshold and stopped within the alarm watch period for some reason. What will be the status of the alarm then?

OK

Amazon CloudWatch Alarms have three possible states:

OK: the metric is within the defined threshold.
ALARM: the metric is outside the defined threshold.
INSUFFICIENT_DATA: the alarm has just started, the metric is not available, or not enough data is available for the metric to determine the alarm state.

What type of database is Redshift?

OLAP (Online analytics processing)

Redshift

OLAP Data-warehousing Database that is a petabyte-scale data warehouse service in the cloud; It is 10x faster than traditional data warehousing

SQL, Oracle, and Aurora are what type of RDS database?

OLTP (Online transaction processing)

Amazon's S3 is

Object Based Storage

When are using the different termination policies useful?

OldestInstance: useful when changing to a different instance type.
NewestInstance: useful when testing a new instance or launch configuration.
OldestLaunchConfiguration: useful to phase out an older launch configuration.
ClosestToNextInstanceHour: helps to reduce cost.

What are the different termination policies?

OldestInstance, NewestInstance, OldestLaunchConfiguration, ClosestToNextInstanceHour

Auto backup must be turned _______ for Read Replica.

On

An RSA 2048-bit SSH key pair is used to gain first access to Amazon EC2 instances. How is this different for Linux and Windows instances?

On a Linux instance, access is granted through showing possession of the SSH private key. On a Windows instance, access is granted by showing possession of the SSH private key in order to decrypt the administrator password. The public key is embedded in your instance, and you use the private key to sign in securely without a password.

UserData

One of the parameters when an instance is launched is a string value called UserData. This string is passed to the operating system to be executed as part of the launch process the first time the instance is booted. On Linux instances this can be a shell script, and on Windows instances this can be a batch-style script or a PowerShell script. The script can perform tasks such as:
- Applying patches and updates to the OS
- Enrolling in a directory service
- Installing application software
- Copying a longer script or program from storage to be run on the instance
- Installing Chef or Puppet and assigning the instance a role so the configuration management software can configure the instance

a table can only have _____ local secondary index(es), and it can have _____ global secondary index(es).

One, Multiple

What does it mean to say snapshots are incremental?

Only blocks that have changed are stored between snapshots of an EBS volume

CloudWatch Frequency

Provides near-real-time monitoring. Standard monitoring polls an EC2 instance every 5 minutes; detailed monitoring polls every minute.

Provisioned IOPS SSD

Provisioned IOPS SSD volumes are designed to meet the needs of I/O-intensive workloads, particularly database workloads that are sensitive to storage performance and consistency in random access I/O throughput. While they are the most expensive Amazon EBS volume type per gigabyte, they provide the highest performance of any Amazon EBS volume type in a predictable manner. A Provisioned IOPS SSD volume can range in size from 4 GB to 16 TB. When you provision a Provisioned IOPS SSD volume, you specify not just the size, but also the desired number of IOPS, up to the lower of the maximum of 30 times the number of GB of the volume, or 20,000 IOPS. You can stripe multiple volumes together in a RAID 0 configuration for larger size and greater performance. Amazon EBS delivers within 10 percent of the provisioned IOPS performance 99.9 percent of the time over a given year.

Is SQS a push or pull based service?

Pull

Is SNS a push or pull based service?

Push

In terms of increasing capacity, DynamoDB supports ________________ scaling.

Pushbutton. (quick & easy)

You need a service to aggregate your data from multiple data sources (such as S3, DynamoDB, RDS) etc and then to provide some business intelligence based on this data. What AWS service would best fit?

QuickSight

The user can join multiple provisioned IOPS volumes together in a _______ configuration to achieve better fault tolerance.

RAID 1

RAID ___ and RAID ___ are not recommended for EBS.

RAID 5 and RAID 6 are not recommended for Amazon EBS

which RAID setup is not recommended by AWS

RAID 5 and RAID 6 because the parity write operations of these modes can consume some of the IOPS available, thus reducing performance

How do you take snapshot of RAID volumes?

Pending writes may still sit in the OS cache, and the snapshots of the member volumes must be consistent with each other, so first quiesce the array by one of: 1. freezing the file system, 2. unmounting the RAID array, or 3. stopping the EC2 instance. Then take snapshots of all the volumes in the array.

What AWS DB platform is most suitable for OLTP?

RDS

When does automatic failover happen in case of Multi-AZ RDS?

RDS automatically performs failover in the event that any of the following occur: -- Loss of availability in the primary AZ -- Loss of network connectivity to the primary DB -- Compute unit failure on primary DB -- Storage failure on primary database

Storage size for RDS Automated Backups is same as ___________ size.

RDS instance

You are a solutions architect who has been asked to do some consulting for a US company that produces re-useable rocket parts. They have a new web application that needs to be built and this application must be stateless. Which three services could you use to achieve this?

RDS, DynamoDB & Elasticache.

When we need to store temporary data that can be reproduced if lost, ____________ is suggested storage option.

RRS (for example thumbnails)

Group

collection of users

If all AZs have same number of instances, how does Autoscaling terminate an instance?

Random instance from Random Availability Zone.
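The default termination policy described in these answers (most-populated AZ, then oldest launch configuration, then closest to the next instance hour, then random), as an added example that is not Auto Scaling's own code; the fleet, launch times and launch-configuration ages are constructed.

```python
import random
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Instance:
    instance_id: str
    az: str
    launch_config: str
    launched_at: datetime


def seconds_to_next_instance_hour(inst, now):
    """Time left in the current billing hour, measured from launch."""
    elapsed = (now - inst.launched_at).total_seconds()
    return 3600 - (elapsed % 3600)


def candidates_for_termination(instances, now, lc_created_at):
    """Apply the default policy's tie-breakers in order and return what is
    left; lc_created_at maps a launch configuration name to its creation time."""
    per_az = Counter(i.az for i in instances)
    busiest = max(per_az.values())
    pool = [i for i in instances if per_az[i.az] == busiest]      # 1. most-populated AZ(s)

    oldest = min(lc_created_at[i.launch_config] for i in pool)
    pool = [i for i in pool if lc_created_at[i.launch_config] == oldest]   # 2. oldest launch config

    closest = min(seconds_to_next_instance_hour(i, now) for i in pool)
    return [i for i in pool if seconds_to_next_instance_hour(i, now) == closest]  # 3. next hour


def choose_instance_to_terminate(instances, now, lc_created_at, rng=random):
    """4. random choice among whatever is still tied."""
    return rng.choice(candidates_for_termination(instances, now, lc_created_at))


# Constructed fleet: three instances in us-east-1a, two in us-east-1b.
NOW = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
LC_CREATED_AT = {"web-v1": NOW - timedelta(days=30), "web-v2": NOW - timedelta(days=2)}
FLEET = [
    Instance("i-0a1", "us-east-1a", "web-v1", NOW - timedelta(minutes=50)),
    Instance("i-0a2", "us-east-1a", "web-v2", NOW - timedelta(minutes=59)),
    Instance("i-0a3", "us-east-1a", "web-v1", NOW - timedelta(minutes=59)),
    Instance("i-0b1", "us-east-1b", "web-v1", NOW - timedelta(minutes=59)),
    Instance("i-0b2", "us-east-1b", "web-v2", NOW - timedelta(minutes=10)),
]
```

With this fleet the choice is i-0a3: us-east-1b is skipped because it has fewer instances, i-0a2 is skipped even though it is as close to its instance hour because it runs the newer launch configuration, and i-0a1 loses on the next-hour tie-breaker. Remove i-0a1 and the AZs are balanced, so the pool widens to i-0a3 and i-0b1 and the random step decides.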

Amazon's product debut conference is held in Las Vegas each year and is known as

re:Invent

S3 has what consistency model for PUTS of new objects

Read After Write Consistency

EFS data is stored across Multi-AZ and carries ___________________________________ consistency.

Read after Write

NS Records

Records that list the authoritative name servers for a domain (zone).

What does RPO stand for?

Recovery Point Objective (assesses how much data loss a system can tolerate) https://d0.awsstatic.com/whitepapers/architecture/AWS_Well-Architected_Framework.pdf

RPO

Recovery Point Objective. RPO is defined as the maximum period of data loss that is acceptable in the event of a failure or incident. For example, many systems back up transaction logs every 15 minutes to allow them to minimize data loss in the event of an accidental deletion or hardware failure.

What does RTO stand for?

Recovery Time Objective (how long till the system is serviceable) https://d0.awsstatic.com/whitepapers/architecture/AWS_Well-Architected_Framework.pdf

RTO

Recovery Time Objective. RTO is defined as the maximum amount of downtime that is permitted to recover from backup and to resume processing. For large databases in particular, it can take hours to restore from a full backup. In the event of a hardware failure, you can reduce your RTO to minutes by failing over to a secondary node. You should create a recovery plan that, at a minimum, lets you recover from a recent backup.

Amazon's Elasticache uses which two engines?

Redis & Memcached

What AWS service is best used for Business Intelligence Tools/Data Warehousing?

Redshift

What AWS service would you use primarily for data warehousing?

Redshift

What are Redshift charges?

Redshift charges for: 1. Compute node, 2. Backups and, 3. Data transfer (within VPC)

What does RRS stand for when talking about S3?

Reduced Redundancy Storage

Raid 0-6 explain

Redundant Array of Inexpensive Disks.
RAID 0: striping; data is split across two disks, so writes are about twice as fast as to one disk, with no redundancy.
RAID 1: mirroring; the same data is written to two disks.
RAID 2 and RAID 3: special types of striping, not (2) or rarely (3) used any more.
RAID 4: block-level striping with a dedicated parity disk (not widely used).
RAID 5: block-level striping with distributed parity. Unlike RAID 4, parity information is distributed among the drives, requiring all drives but one to be present to operate.
RAID 6: block-level striping with double distributed parity. Double parity provides fault tolerance up to two failed drives. This makes larger RAID groups more practical, especially for high-availability systems, as large-capacity drives take longer to restore.

Route 53 Routing logic for multi-region setup

Regarding Amazon Route 53, if your application is running on Amazon EC2 instances in two or more Amazon EC2 regions, and if you have more than one Amazon EC2 instance in one or more regions, you can use latency-based routing to route traffic to the correct region and then use weighted resource record sets to route traffic to instances within the region based on weights that you specify.

What AWS service consists of the following database services; SQL, MySQL, MariaDB, PostgreSQL, Aurora, Oracle?

Relational Database Service (RDS)

What AWS provides fully managed databases?

Relational Database Service (RDS) https://d0.awsstatic.com/whitepapers/architecture/AWS_Well-Architected_Framework.pdf

You run a popular photo sharing website that is based off S3. You generate revenue from your website via paid for adverts, however you have discovered that other websites are linking directly to the images on your site, and not to the HTML pages that serve the content. This means that people are not seeing your adverts and every time a request is made to S3 to serve an image it is costing your business money. How could you resolve this issue?

Remove public read access to the images and serve them through signed (presigned) URLs with short expiry times, generated only by your own HTML pages.
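How the signed-URL answer works end to end, as an added example (standard library only; not boto3's generate_presigned_url and not S3's verification code): the signer a web server would run, and the check S3 performs on every request. The bucket, key and timestamp are constructed and the credentials are the AWS documentation's example pair.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, quote, unquote, urlparse

ALGORITHM = "AWS4-HMAC-SHA256"
MAX_EXPIRES = 7 * 24 * 3600          # S3 rejects presigned URLs valid for more than 7 days

# The documented AWS example credentials; bucket, key and time below are constructed.
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
SIGNED_AT = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    """SigV4 key derivation: the long-term secret never signs a request directly."""
    key = _hmac(("AWS4" + secret).encode(), date)
    key = _hmac(key, region)
    key = _hmac(key, service)
    return _hmac(key, "aws4_request")


def _canonical_query(params: dict) -> str:
    return "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                    for k, v in sorted(params.items()))


def _string_to_sign(host: str, key: str, params: dict, amz_date: str, scope: str) -> str:
    canonical_request = "\n".join([
        "GET",
        "/" + quote(key, safe="/-_.~"),   # S3 encodes the key once, never twice
        _canonical_query(params),
        f"host:{host}\n",                 # canonical headers (only Host is signed)
        "host",                           # signed-headers list
        "UNSIGNED-PAYLOAD",               # no body is covered by a presigned GET
    ])
    return "\n".join([ALGORITHM, amz_date, scope,
                      hashlib.sha256(canonical_request.encode()).hexdigest()])


def presign_get(bucket, key, region, access_key, secret_key, expires_in, now):
    """Mint a time-limited GET URL for one object. Only the holder of the secret
    can produce one, and the expiry is covered by the signature."""
    host = f"{bucket}.s3.{region}.amazonaws.com"
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date = amz_date[:8]
    scope = f"{date}/{region}/s3/aws4_request"
    params = {
        "X-Amz-Algorithm": ALGORITHM,
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires_in),
        "X-Amz-SignedHeaders": "host",
    }
    signature = hmac.new(_signing_key(secret_key, date, region, "s3"),
                         _string_to_sign(host, key, params, amz_date, scope).encode(),
                         hashlib.sha256).hexdigest()
    return (f"https://{host}/{quote(key, safe='/-_.~')}?"
            f"{_canonical_query(params)}&X-Amz-Signature={signature}")


def verify_presigned(url, secrets_by_access_key, now):
    """What the service does per request: reject malformed or expired URLs, then
    recompute the signature with the real secret and compare in constant time.
    Changing the key, host, expiry or date changes the expected signature."""
    parsed = urlparse(url)
    query = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    presented = query.pop("X-Amz-Signature", "")
    try:
        issued = datetime.strptime(query["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
        expires_in = int(query["X-Amz-Expires"])
        access_key, date, region, service, _ = query["X-Amz-Credential"].split("/")
    except (KeyError, ValueError):
        return False
    if not 1 <= expires_in <= MAX_EXPIRES or now > issued + timedelta(seconds=expires_in):
        return False
    secret = secrets_by_access_key.get(access_key)
    if secret is None:
        return False
    scope = f"{date}/{region}/{service}/aws4_request"
    expected = hmac.new(_signing_key(secret, date, region, service),
                        _string_to_sign(parsed.hostname, unquote(parsed.path[1:]),
                                        query, query["X-Amz-Date"], scope).encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, presented)
```

Two consequences for the hot-linking problem: the URL is only as good as its expiry (a page that hands out long-lived URLs is still hot-linkable until they lapse), and a URL signed by an IAM user stops working when that user's key is deleted or the user loses s3:GetObject on the bucket, which is the emergency lever if a batch of URLs leaks.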

How does AWS encourage you to recover from a failure?

Replace and review- Meaning it's easier to redeploy a replacement server to fix production and review why the other server failed out of band https://d0.awsstatic.com/whitepapers/architecture/AWS_Well-Architected_Framework.pdf

Elasticache replication and Multi-AZ

Replication is a useful technique to provide rapid recovery in the event of a node failure, and also to serve up very high volumes of read queries beyond the capabilities of a single node. Amazon ElastiCache clusters running Redis support both of these design requirements. Unlike Redis, cache clusters running Memcached are standalone in-memory services without any redundant data protection services.

What are Reservation IDs?

Reservation IDs apply to all instances, and are different from Reserved Instances. Every instance launched by EC2 has a reservation ID.

What is the cheapest pricing option for EC2 instances?

Reserved

You need to create a JSON-formatted text file for AWS CloudFormation. This is your first template and the only thing you know is that the templates include several major sections but there is only one that is required for it to work. What is the only section required?

Resources

You have an EC2 instance which needs to find out both its private IP address and its public IP address. To do this you need to:

Retrieve the instance Metadata from http://169.254.169.254/latest/meta-data/

how are cloudfront requests billed

per 10k requests, pricing varies by region

_________ more secure than saving Secret credentials on EC2.

Roles (temporary credentials delivered through the instance metadata service and rotated automatically) are more secure than saving long-lived secret credentials on an EC2 instance.

Roles/Temporary Security Tokens

Roles and temporary security tokens are very important for advanced IAM usage, but many AWS users find them confusing. Roles are used to grant specific privileges to specific actors for a set duration of time. These actors can be authenticated by AWS or some trusted external system. When one of these actors assumes a role, AWS provides the actor with a temporary security token from the AWS Security Token Service (STS) that the actor can use to access AWS Cloud services. Requesting a temporary security token requires specifying how long the token will exist before it expires. The range of a temporary security token lifetime is 15 minutes to 36 hours.

What is the difference between Root users and Power users?

Root User: the account has complete admin access. Power User: access to all AWS services except for management of groups and users within IAM.

What is the default termination behavior for EBS-backed root volumes in EC2?

Root volumes are deleted when the instance is terminated

Amazon's highly scalable DNS service is known as...

Route 53

AAAA Records

Routes IPv6 addresses to a domain name

Where would be a durable place to store flat files on the AWS platform?

S3

You need to use an object-based storage solution to store your critical, non-replaceable data in a cost-effective way. This data will be frequently updated and will need some form of version control enabled on it. Which S3 storage solution should you use?

S3

What storage system in Amazon is a key value store?

S3 Key - name value - data (binary)

What service does AWS use SSE on by default?

S3 https://d0.awsstatic.com/whitepapers/architecture/AWS_Well-Architected_Framework.pdf

What S3 storage tier is best suited for frequently accessed data?

S3 (standard S3, nothing fancy)

You work for a busy digital marketing company which currently stores its data on premises. They are looking to migrate to AWS S3 and to store their data in buckets. Each bucket will be named after their individual customers, followed by a random series of letters and numbers. Once written to S3 the data is rarely changed, as it has already been sent to the end customer for them to use as they see fit. However, on some occasions customers may need certain files updated quickly, and this may be for work that was done months or even years ago. You would need to be able to access this data immediately to make changes in that case, but you must also keep your storage costs extremely low. The data is not easily reproducible if lost. Which S3 storage class should you choose to minimise costs and to maximise retrieval times?

S3 - IA

You run a meme creation website that frequently generates meme images. The original images are stored in S3 and the metadata about the memes is stored in DynamoDB. You need to store the memes themselves in a low-cost storage solution. If an object is lost, you have created a Lambda function that will automatically recreate the meme using the original file in S3 and the metadata in DynamoDB. Which storage solution should you consider for storing this non-critical, easily reproducible data in the most cost-effective way possible?

S3 - RRS

You work for a major news network in Europe. They have just released a new app which allows users to report on events as and when they happen using their mobile phone. Users are able to upload pictures from the app and then other users will be able to view these pictures. Your organisation expects this app to grow very quickly, essentially doubling its user base every month. The app uses S3 to store the media and you are expecting sudden and large increases in traffic to S3 when a major news event takes place (as people will be uploading content in huge numbers). You need to keep your storage costs to a minimum, however, and it does not matter if some objects are lost. Which storage media should you use to keep costs as low as possible?

S3 - Reduced Redundancy Storage (RRS).

What would you use to list your AWS Import/Export jobs?

S3 Rest API or Command line

What endpoints does Import/Export Snowball support?

S3 only

With Import/Export, what endpoints can you export images to?

S3 only

What S3 tier charges access fees to retrieve data?

S3-IA

What S3 storage tier is best suited for data that's infrequently accessed?

S3-IA (S3 Infrequent Access)

What S3 storage tier is best suited for data that's easily reproducible?

S3-RRS (reduced redundancy storage)

Amazon will not immediately grant unlimited Amazon SES usage to new users. New users are initially placed in the _______________________.

SES Sandbox. One of the restrictions is that you can only send a maximum of 200 messages per 24-hour period.

List SNS subscribers.

SMS, Email, SQS, Lambda

You need to enable a way for your system administrators to receive notifications for events that happen in your AWS environment (such as alarms, etc.). What service should you use?

SNS

What is the difference between SNS and SQS?

SNS is a push notification service, whereas SQS is a message queuing system that requires worker nodes to poll the queue.

Amazon RDS does not allow storage size increases for ________________ DB instances.

SQL Server

Amazon RDS does not currently support increasing storage on a ____ DB instance.

SQL Server

What application service allows you to decouple your infrastructure using message-based queues?

SQS

DynamoDB uses what type of physical storage platform?

SSD

What is an example of in-transit encryption?

SSL/TLS

What does SWF do that SQS does not?

SWF ensures a task is only completed once

Route 53

Scalable DNS and Domain Name Registration - Named after DNS Port - Globally configured - Can set up Public or Private Zones

What are the differences between ScaleIn and ScaleOut?

ScaleIn refers to Auto Scaling events that involve creating new instances. ScaleOut refers to Auto Scaling events that involve terminating instances.

What are the four pillars of a well-architected framework?

Security, Reliability, Performance Efficiency, Cost Optimization. https://d0.awsstatic.com/whitepapers/architecture/AWS_Well-Architected_Framework.pdf

SAML

Security Assertion Markup Language

VPC Components

Security Groups, subnets, control lists, IP ranges, Route Tables, Internet Gateways

What is the difference between a Security Group and a 'typical' Firewall?

Security groups are applied at the instance level, as opposed to a traditional on-premises firewall that protects at the perimeter. The effect of this is that instead of having to breach a single perimeter to access all the instances in your security group, an attacker would have to breach the security group repeatedly for each individual instance.

What is an important difference between "stateful" security groups and "stateless" Network ACLs?

Security groups are stateful. This means that responses to allowed inbound traffic are allowed to flow outbound regardless of outbound rules, and vice versa. This is an important difference between security ?? This means that if I have an inbound rule allowing SSH and no outbound rule allowing SSH, I will be able to connect from the outside using SSH (responses will be allowed), but I won't be able to initiate an SSH connection from the instance.

A user is sending a custom metric to CloudWatch. If the call to the CloudWatch APIs has different dimensions, but the same metric name, how will CloudWatch treat all the requests?

Separate metrics. If the user is making 4 calls with the same metric name but a separate dimension, it will create 4 separate metrics.

What is SSE-C?

Server-Side Encryption for S3: you create and manage the master and sub keys

What is SSE?

Server-Side Encryption https://d0.awsstatic.com/whitepapers/architecture/AWS_Well-Architected_Framework.pdf

What is SSE-S3?

Server-Side Encryption for S3: Amazon encrypts your data using AES-256 and manages the encryption keys (they even encrypt the key with a rotating set of keys)

What is SSE-KMS?

Server-Side Encryption for S3: you create CMKs (customer master keys) and AWS creates data keys from those. This is all done within AWS's Key Management Service.

You have a client who is considering moving to AWS services and does not yet have an account. What is the first thing the company should do to set up an AWS account?

Set up an account using their company email address.

What does Amazon SES stand for?

Simple Email Service

What does SNS stand for?

Simple Notification Service

SNS

Simple Notification Service (PUSH). Amazon SNS follows the publish-subscribe (pub-sub) messaging paradigm, with notifications being delivered to clients using a push mechanism that eliminates the need to check periodically (or poll) for new information and updates. For example, you can send notifications to Apple, Android, Fire OS, and Windows devices. In China, you can send messages to Android devices with Baidu Cloud Push. You can use Amazon SNS to send Short Message Service (SMS) messages to mobile device users in the United States or to email recipients worldwide.

SQS

Simple Queue Service (POLLING). Amazon SQS is a fast, reliable, scalable, and fully managed message queuing service. Amazon SQS makes it simple and cost effective to decouple the components of a cloud application. You can use Amazon SQS to transmit any volume of data, at any level of throughput, without losing messages or requiring other services to be continuously available.

What does S3 stand for?

Simple Storage Service

You have been asked to identify a service on AWS that is a durable key value store. Which of the services below meets this definition?

Simple Storage Service (S3)

*S3*

Simple Storage Service - AWS' object-based storage service offers software developers a highly-scalable, reliable, and low-latency data storage infrastructure at very low costs.

What does S3 stand for?

Simple Storage Solution

What does Amazon SWF stand for?

Simple Work Flow

SWF

Simple WorkFlow

What is SWF?

Simple Workflow Service

Which one is faster, simpler and more cost-effective: Import/Export Disk or Snowball?

Snowball

*Snowball*

Snowball is a data transport solution that accelerates moving data into and out of AWS using storage appliances designed to be secure for physical transport. It uses secure appliances and the Snowball client to accelerate *petabyte-scale data transfers* into and out of AWS. (Next version of Import/Export Gateway)

What is the best instance purchasing option for a 10-minute batch job that runs once or twice a month on 15 X-Large instances?

Spot Instances

An application that applies watermarks to images runs on a fleet of EC2 instances. Each instance polls an SQS queue to find out which image should be watermarked, and then runs a watermarking process using a unique algorithm. If this process is interrupted, the image will be watermarked by another EC2 instance based on the SQS queue. You have a large backlog of images after your site went viral on social media. These images need to be watermarked and you would like to reduce this backlog by adding more instances. You will need these instances only until the backlog is reduced. Which type of Amazon EC2 instances should you use to reduce the backlog in the most cost-efficient way?

Spot instances

Network ACLs are Stateless or Stateful?

Stateless

What should you do before taking a snapshot of a root volume?

Stop the instance

Instance Store volume instances cannot be _______________.

Stopped

What service connects an on-premises software appliance (or virtual machine) with cloud-based storage?

Storage Gateway

____________________________ is a VM/software appliance between your company data center and AWS (S3 or Glacier).

Storage Gateway

1 NACL allowed per _________.

Subnet

If you turn versioning on, you cannot turn it off. You can ____________ it.

Suspend

What term does CloudFront use to describe how long an object will cache in a distribution?

TTL; once the TTL is exceeded, CloudFront will refresh its cache from the origin

To help you manage your Amazon EC2 instances, you can assign your own metadata in the form of...

Tags

SWF Task Lists

Task lists provide a way of organizing the various tasks associated with a workflow. You could think of task lists as similar to dynamic queues. When a task is scheduled in Amazon SWF, you can specify a queue (task list) to put it in. Similarly, when you poll Amazon SWF for a task, you determine which queue (task list) to get the task from. Task lists provide a flexible mechanism to route tasks to workers as your use case necessitates. Task lists are dynamic in that you don't need to register a task list or explicitly create it through an action—simply scheduling a task creates the task list if it doesn't already exist.

Who maintains full control over uploaded data to AWS?

The AWS customer https://d0.awsstatic.com/whitepapers/architecture/AWS_Well-Architected_Framework.pdf

Amazon Machine Images (AMIs)

The Amazon Machine Image (AMI) defines the initial software that will be on an instance when it is launched. An AMI defines every aspect of the software state at instance launch, including:
- The Operating System (OS) and its configuration
- The initial state of any patches
- Application or system software
All AMIs are based on x86 OSs, either Linux or Windows.

(T/F) Elastic Load Balancing can only be done with VPC-EC2 instances, not with EC2-Classic instances

The Application Load Balancer is VPC only. The Classic Load Balancer can be used in either case (VPC or EC2-Classic).

Route53 is named so because...

DNS runs on port 53 and Route53 is a DNS service

What is ELB connection draining?

The Elastic Load Balancer connection draining feature causes the load balancer to stop sending new requests to the back-end instances when the instances are deregistering or become unhealthy, while ensuring that in-flight requests continue to be served.

Which one of the four AWS Well-Architected pillars encompasses the ability of a system to recover from failure?

The Reliability pillar https://d0.awsstatic.com/whitepapers/architecture/AWS_Well-Architected_Framework.pdf

If you have multiple VPN connections, you can provide secure communication between sites using the __________________.

The VPN CloudHub operates on a simple hub-and-spoke model that you can use with or without a VPC. This design is suitable for customers with multiple branch offices and existing Internet connections who'd like to implement a convenient, potentially low-cost hub-and-spoke model for primary or backup connectivity between these remote offices.

Gateway Virtual Tape Library

The VTL interface lets you leverage your existing tape-based backup application infrastructure to store data on virtual tape cartridges that you create on your Gateway-VTL.

What does the Cost Optimization pillar cover?

The ability to avoid or eliminate unneeded costs or sub-optimal resources https://d0.awsstatic.com/whitepapers/architecture/AWS_Well-Architected_Framework.pdf

Explain the color coding of AWS Trusted Advisor

The color coding reflects the following information:
- Red: Action recommended
- Yellow: Investigation recommended
- Green: No problem detected

How granular is IAM when it comes to users?

The control provided by IAM is granular enough to ... limit a single user to ... the ability to perform a single action ... on a specific resource ... from a specific IP address ... during a specific time window

What's the difference between a host name and a sub domain?

The difference between a host name and a subdomain is that a host defines a computer or resource, while a subdomain extends the parent domain. Subdomains are a method of subdividing the domain itself.

What are typical causes of an Instance Status Check failure?

The following are examples of problems that can cause instance status checks to fail:
- Failed system status checks
- Incorrect networking or startup configuration
- Exhausted memory
- Corrupted file system
- Incompatible kernel

An EC2 instance is connected to an ENI in a subnet. What happens when you attach another ENI from a different subnet to the same instance?

The instance follows the rules of both subnets

What is a CloudFront distribution?

The name given to the CloudFront CDN you create; it also contains a collection of edge locations

What account type does AWS specifically state should have MFA enabled?

The root account https://d0.awsstatic.com/whitepapers/architecture/AWS_Well-Architected_Framework.pdf

What is privilege management a key feature of?

The security pillar (any information security program really...) https://d0.awsstatic.com/whitepapers/architecture/AWS_Well-Architected_Framework.pdf

What is an origin?

The source of a file or website that AWS uses at its edge locations (CDN endpoints)

AWS OpsWorks - Stack

The stack is the core AWS OpsWorks component. It is basically a container for AWS resources—Amazon EC2 instances, Amazon RDS database instances, and so on—that have a common purpose and make sense to be logically managed together. The stack helps you manage these resources as a group and defines some default configuration settings, such as the Amazon EC2 instances' operating system and AWS region. If you want to isolate some stack components from direct user interaction, you can run the stack in an Amazon Virtual Private Cloud (Amazon VPC). Each stack lets you grant users permission to access the stack and specify what actions they can take.

With Amazon CloudWatch, each metric data point must be marked with a time stamp. A user is sending the data to CloudWatch using the CloudWatch API. The user is sending data 90 minutes in the future. What will CloudWatch do in this case?

CloudWatch accepts it: the time stamp sent by the user can be up to two weeks in the past and up to two hours into the future.

SWF Workflow History

The workflow history is a detailed, complete, and consistent record of every event that occurred since the workflow execution started. An event represents a discrete change in your workflow execution's state, such as scheduled and completed activities, task timeouts, and signals.

How can I obtain AMIs?

There are four sources of AMIs:
1. Published by AWS
2. The AWS Marketplace
3. Generated from Existing Instances
4. Uploaded Virtual Servers

1. *Published by AWS*—AWS publishes AMIs with versions of many different OSs, both Linux and Windows. These include multiple distributions of Linux (including Ubuntu, Red Hat, and Amazon's own distribution) and Windows 2008 and Windows 2012. Launching an instance based on one of these AMIs will result in the default OS settings, similar to installing an OS from the standard OS ISO image. As with any OS installation, you should immediately apply all appropriate patches upon launch.
2. *The AWS Marketplace*—AWS Marketplace is an online store that helps customers find, buy, and immediately start using the software and services that run on Amazon EC2. Many AWS partners have made their software available in the AWS Marketplace. This provides two benefits: the customer does not need to install the software, and the license agreement is appropriate for the cloud. Instances launched from an AWS Marketplace AMI incur the standard hourly cost of the instance type plus an additional per-hour charge for the additional software (some open-source AWS Marketplace packages have no additional software charge).
3. *Generated from Existing Instances*—An AMI can be created from an existing Amazon EC2 instance. This is a very common source of AMIs. Customers launch an instance from a published AMI, and then the instance is configured to meet all the customer's corporate standards for updates, management, security, and so on. An AMI is then generated from the configured instance and used to generate all instances of that OS. In this way, all new instances follow the corporate standard and it is more difficult for individual projects to launch non-conforming instances.
4. *Uploaded Virtual Servers*—Using the AWS VM Import/Export service, customers can create images from various virtualization formats, including raw, VHD, VMDK, and OVA. The current list of supported OSs (Linux and Windows) can be found in the AWS documentation. It is incumbent on the customers to remain compliant with the licensing terms of their OS vendor.

(T/F) You can move EIPs from one instance to another, either in the same Amazon VPC or a different Amazon VPC within the same region.

True

Dedicated Tenancy

Makes all EC2 instances deploy on dedicated hardware

What are the types of IAM principals?

There are three types of principals: root users, IAM users, and roles / temporary security tokens.

What factors influence the cost of the reservation for reserved instances?

There are two factors: 1. The duration: 1 or 3 years. 2. The payment option: All Upfront, Partial Upfront, No Upfront.

Snapshots of encrypted volumes are what automatically?

They are encrypted

Volumes restored from encrypted snapshots are what automatically?

They are encrypted

What's special about the S3 namespace?

It is universal across accounts and regions, so bucket names must therefore be unique globally

What does a decider do in SWF?

Think of a decider as an "if then else" statement

Explain S3's *SSE-S3 (AWS-Managed Keys)*

This is a fully integrated "check-box-style" encryption solution where AWS handles the key management and key protection for Amazon S3. Every object is encrypted with a unique key. The actual object key itself is then further encrypted by a separate master key. A new master key is issued at least monthly, with AWS rotating the keys. Encrypted data, encryption keys, and master keys are all stored separately on secure hosts, further enhancing protection.

Explain S3's *SSE-KMS (AWS KMS Keys)*

This is a fully integrated solution where Amazon handles your key management and protection for Amazon S3, but where you manage the keys. SSE-KMS offers several additional benefits compared to SSE-S3. Using SSE-KMS, there are separate permissions for using the master key, which provide protection against unauthorized access to your objects stored in Amazon S3 and an additional layer of control. AWS KMS also provides auditing, so you can see who used your key to access which object and when they tried to access this object. AWS KMS also allows you to view any failed attempts to access data from users who did not have permission to decrypt the data.

What does a workflow starter do in SWF?

This is an application that starts a workflow request, for example when a customer orders something from an e-commerce web site

What does an activity worker do in SWF?

This is the application, or person, that carries out a specific task

Explain S3's *SSE-C (Customer-Provided Keys)*

This is used when you want to maintain your own encryption keys but don't want to manage or implement your own client-side encryption library. With SSE-C, AWS will do the encryption/decryption of your objects while you maintain full control of the keys used to encrypt/decrypt the objects in Amazon S3.

Connection Draining for Classic Load Balancer

To ensure that a Classic Load Balancer stops sending requests to instances that are de-registering or unhealthy, while keeping the existing connections open, use connection draining. This enables the load balancer to complete in-flight requests made to instances that are de-registering or unhealthy. When you enable connection draining, you can specify a maximum time for the load balancer to keep connections alive before reporting the instance as de-registered. The maximum timeout value can be set between 1 and 3,600 seconds (the default is 300 seconds). When the maximum time limit is reached, the load balancer forcibly closes connections to the de-registering instance.

Cross-Zone Load Balancing

To ensure that request traffic is routed evenly across all back-end instances for your load balancer, regardless of the Availability Zone in which they are located, you should enable cross-zone load balancing on your load balancer. Cross-zone load balancing reduces the need to maintain equivalent numbers of back-end instances in each Availability Zone and improves your application's ability to handle the loss of one or more back-end instances. *However, it is still recommended that you maintain approximately equivalent numbers of instances in each Availability Zone for higher fault tolerance.*

VPC Flow Logs

Used to log all your VPC traffic to CloudWatch.

What should you do to enjoy maximum read/write throughput to a DynamoDB table?

To maximize Amazon DynamoDB throughput, create tables with a partition key that has a large number of distinct values and ensure that the values are requested fairly uniformly. Adding a random element that can be calculated or hashed is one common technique to improve partition distribution.

AWS sets service limits for what reason?

To prevent you from accidentally over-provisioning your account https://d0.awsstatic.com/whitepapers/architecture/AWS_Well-Architected_Framework.pdf

CloudFront Distributions

To use Amazon CloudFront, you start by creating a distribution, which is identified by a DNS domain name such as d111111abcdef8.cloudfront.net.

What are CloudTrail trails?

Trails are log files that CloudTrail delivers to a bucket. There are two types:
1. A trail that applies to all regions: it collects all the events in all regions and then places them in a log file in one bucket
2. A trail that applies to one region: it collects all the events in the one selected region and then places them in a log file in one bucket

RDS

Transactional databases (e.g. MySQL, SQL Server, Postgres, Oracle)

(T/F) Amazon EBS volumes do not lose your data when the instance they are attached to is stopped.

True

(T/F) Amazon RDS instances require security groups to be accessible, even though they are a managed service.

True

(T/F) Amazon RDS is built using Amazon Elastic Block Store (Amazon EBS)

True

(T/F) Amazon RDS provides a consistent operational model for backup and recovery procedures across the different database engines

True

(T/F) An Amazon CloudFront distribution can easily be set up to serve dynamic content.

True

(T/F) An Amazon CloudFront distribution can easily be set up to use more than one origin server.

True

(T/F) CMKs can never leave AWS KMS unencrypted, but data keys can leave the service unencrypted.

True

(T/F) CreateDBSnapshot action. Unlike automated snapshots that are deleted after the retention period, manual DB snapshots are kept until you explicitly delete them with the Amazon RDS console or the DeleteDBSnapshot action.

True

(T/F) EIPs remain associated with your AWS account until you explicitly release them.

True

(T/F) Each Auto Scaling group can have only one launch configuration at a time.

True

(T/F) For your AWS account, you can have AWS create an X.509 certificate and private key that you can download, or you can upload your own certificate by using the Security Credentials page.

True

(T/F) Security groups can be changed while an instance is running

True and False. If an instance is running in an Amazon VPC (discussed in Chapter 4), you can change which security groups are associated with the instance while it is running. For instances outside of an Amazon VPC (called EC2-Classic), the association of the security groups cannot be changed after launch.

There is a limit to the number of domain names that you can manage using Route 53.

True and False. There is a limit of 50 domain names; however, this limit can be raised by contacting AWS Support.

(T/F) One of the functions of Route 53 is health checking of your applications.

True! Amazon Route 53 sends automated requests over the Internet to your application to verify that it's reachable, available, and functional.

(T/F) IAM is not operating system identity management

True! Remember that under the shared responsibility model, you are in control of your operating system console and configuration. Whatever mechanism you currently use to control access to your server infrastructure will continue to work on Amazon Elastic Compute Cloud (Amazon EC2) instances, whether that is managing individual machine login accounts or a directory service such as Active Directory or Lightweight Directory Access Protocol (LDAP). You can run an Active Directory or LDAP server on Amazon EC2, or you can extend your on-premises system into the cloud. AWS Directory Service will also work well to provide Active Directory functionality in the cloud as a service, whether standalone or integrated with your existing Active Directory.

(T/F) Read replicas can be in a different region than the source database

True! It is even one of the big advantages of read replicas. You can create one or more replicas of a database within a single AWS Region or across multiple AWS Regions. To enhance your disaster recovery capabilities or reduce global latencies, you can use cross-region read replicas to serve read traffic from a region closest to your global users or migrate your databases across AWS Regions.

True/False: VPC NACLs support allow and deny rules

True, network access control lists act as a subnet firewall controlling both inbound and outbound traffic with allow/deny rules

(T/F) If turned on in an existing bucket, cross-region replication will only replicate new objects. Existing objects will not be replicated and must be copied to the new bucket via a separate command.

True.

(T/F) You can only attach volumes to instances if they are in the same region AND availability zone

True.

(T/F) AWS Trusted Advisor can be accessed through the console as well as through APIs

True. AWS Trusted Advisor is accessed in the AWS Management Console. Additionally, programmatic access to AWS Trusted Advisor is available with the AWS Support API.

(T/F) There are charges for EIPs allocated to your account, even when they are not associated with a resource.

True. An Elastic IP address doesn't incur charges as long as the following conditions are true:
- The Elastic IP address is associated with an Amazon EC2 instance.
- The instance associated with the Elastic IP address is running.
- The instance has only one Elastic IP address attached to it.
If you've stopped or terminated an EC2 instance with an associated Elastic IP address and you don't need that Elastic IP address any more, consider disassociating or releasing the Elastic IP address by following the instructions at Working with Elastic IP Addresses.

(T/F) Amazon CloudFront will help speed up the download of these files to end users.

True. This is a typical use case of CloudFront: distributing software or other large files

(T/F) You can change the instance class and the balance of compute and memory, and Amazon RDS will migrate your data to a larger or smaller instance class.

True. As your needs change over time, you can change the instance class and the balance of compute and memory, and Amazon RDS will migrate your data to a larger or smaller instance class.

(T/F) CloudTrail log files are encrypted using Amazon S3 SSE

True. By default, your log files are encrypted using Amazon S3 SSE. You can store your log files in your bucket for as long as you want, but you can also define Amazon S3 lifecycle rules to archive or delete log files automatically.

Backing up Multi-AZ databases is

True. For busy databases, use Multi-AZ to minimize the performance impact of a snapshot. During the backup window, storage I/O may be suspended while your data is being backed up, and you may experience elevated latency. This I/O suspension typically lasts for the duration of the snapshot. This period of I/O suspension is shorter for Multi-AZ DB deployments because the backup is taken from the standby, but latency can occur during the backup process.

(T/F) Hadoop data can be stored on EBS or Instance Storage

True. If it is stored on Instance Storage and the instance goes down, the data is lost. So, as always, if you want data to persist, use EBS.

(T/F) Changing the instance type of a running instance is not possible

True. Instances can be resized using the AWS Management Console, CLI, or API. To resize an instance, *set the state to Stopped*. Choose the "Change Instance Type" function in the tool of your choice (the instance type is listed as an Instance Setting in the console and an Instance Attribute in the CLI) and select the desired instance type. Restart the instance and the process is complete.

(T/F) An IAM Policy condition can limit the ability to access a resource to calls that come from a specific IP address.

True. The condition value optionally defines one or more additional restrictions that limit the actions allowed by the permission. For instance, the permission might contain a condition that limits the ability to access a resource to calls that come from a specific IP address range. Another condition could restrict the permission only to apply during a specific time interval. There are many types of permissions that allow a rich variety of functionality that varies between services. See the IAM documentation for lists of supported conditions for each service.

(T/F) Amazon SQS does not return success to a SendMessage API call until the message is durably stored in Amazon SQS.

True. This makes the programming model very simple with no doubt about the safety of messages, unlike the situation with an asynchronous messaging model. If you don't need a durable messaging system, however, you can build an asynchronous, client-side batching on top of Amazon SQS libraries that delays enqueue of messages to Amazon SQS and transmits a set of messages in a batch. Please be aware that with a client-side batching approach, you could potentially lose messages when your client process or client host dies for any reason.

(T/F) Distributing Instances Across Availability Zones is possible with Auto Scaling

True. You need to configure the Auto Scaling group with subnets in more than one Availability Zone; Auto Scaling then distributes instances evenly across those zones.

(T/F) Customer Master Keys are used to encrypt data up to 8KB inside AWS KMS.

False. Customer Master Keys are used to encrypt data up to *4KB* directly inside AWS KMS; anything larger is encrypted with a data key that KMS wraps under the CMK.

(T/F) When you delete a DB Instance, all automated backup snapshots are deleted and cannot be recovered.

True. When you delete a DB Instance, all automated backup snapshots are deleted and cannot be recovered. Manual snapshots, however, are not deleted.

(T/F) You can turn an existing queue into a delay queue

True. You can turn an existing queue into a delay queue by using SetQueueAttributes to set the queue's DelaySeconds attribute. The default value for DelaySeconds is 0.

(T/F) Route 53 Geolocation routing can be used to restrict distribution of content

True. You can use geolocation routing to restrict distribution of content to only the locations in which you have distribution rights.

(T/F) A recommended best practice is to scale out quickly and scale in slowly.

True. A recommended best practice is to scale out quickly and scale in slowly so you can respond to bursts or spikes but avoid inadvertently terminating Amazon EC2 instances too quickly, only having to launch more Amazon EC2 instances if the burst is sustained. Auto Scaling also supports a cooldown period, which is a configurable setting that determines when to suspend scaling activities for a short time for an Auto Scaling group.

(T/F) New Security Groups allow all outbound traffic by default

True. By default, new security groups have an outbound rule that allows all outbound traffic. You can remove the rule and add outbound rules that allow specific outbound traffic only.

(T/F) load balancer names can only contain alphanumeric characters, hyphens and not start with a hyphen

True. "Cert ELB" (contains a space) --> wrong format; "Cert-ELB" --> OK

(T/F) You can associate more than one scaling policy with an Auto Scaling group.

True. For example, you can create a policy using the trigger for CPU utilization, called CPULoad, and the CloudWatch metric CPUUtilization to specify scaling out if CPU utilization is greater than 75 percent for two minutes. You could attach another policy to the same Auto Scaling group to scale in if CPU utilization is less than 40 percent for 20 minutes.

(T/F) A database snapshot is initiated by you and can be created as frequently as you want

True. The other kind is called "Automated Backup" (and not snapshot).

(T/F) Users can connect to the AWS console using their corporate credentials

True. By setting up AD Connector! AD Connector forwards sign-in requests to your Active Directory domain controllers for authentication and provides the ability for applications to query the directory for data. *After setup, your users can use their existing corporate credentials to log on to AWS applications*, such as Amazon WorkSpaces, Amazon WorkDocs, or Amazon WorkMail. *With the proper IAM permissions, they can also access the AWS Management Console* and manage AWS resources such as Amazon EC2 instances or Amazon S3 buckets.

(T/F) Instance Stores are the same as Ephemeral Storage

True. Sometimes we refer to Instance Store as "ephemeral storage"

Snapshots can be shared on other AWS accounts or made public. Can you share encrypted or unencrypted snapshots?

Unencrypted snapshots can be shared with specific accounts or made public. Encrypted snapshots can only be shared with specific accounts (never made public), and only when they are encrypted with a customer managed KMS key rather than the AWS-managed default key; the other account must also be granted use of that key.

S3's name space is what?

Universal, meaning a bucket name such as "test-bucket" can be used only once across ALL of AWS' user base, regardless of region.

Amazon S3 provides

Unlimited Storage

Architecture Best Practice: being stateless is cool, but how?

Use a session cookie in the client and defer the state in a database, in DynamoDB, or even in ElastiCache

What does RDS snapshots provide to RDS instances?

User initiated snapshots of a known good state of a database (note, this is done by the user!)

A user wants to increase the durability and availability of the EBS volume. Which actions should he perform?

User should frequently create snapshots of the Amazon EBS volumes.

IAM Users

Users are persistent identities set up through the IAM service to represent individual people or applications. You may create separate IAM users for each member of your operations team so they can interact with the console and use the CLI. You might also create dev, test, and production users for applications that need to access AWS Cloud services (although you will see later in this chapter that IAM roles may be a better solution for that use case).

You run an automobile reselling company that has a popular online store on AWS. The application sits behind an Auto Scaling group and requires new instances of the Auto Scaling group to identify their public and private IP addresses. How can you achieve this?

Using curl or a GET request against the instance metadata service at http://169.254.169.254/latest/meta-data/ (the local-ipv4 and public-ipv4 entries).
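As an added example (not part of the quiz), the following Python function performs that metadata lookup using the IMDSv2 flow: it first requests a session token with a PUT and then presents that token on every GET, so a plain unauthenticated request (the kind an SSRF bug would issue) is refused. The transport is injectable; the FakeImds class is a constructed stand-in for the 169.254.169.254 endpoint so the flow can be exercised off-instance, and it enforces the same "no token, no metadata" rule.

```python
import urllib.error
import urllib.request

IMDS = "http://169.254.169.254"
TOKEN_TTL_SECONDS = "21600"  # maximum IMDSv2 token lifetime is 6 hours


def _urllib_fetch(method, url, headers):
    """Default transport: only reachable from inside an EC2 instance."""
    req = urllib.request.Request(url, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()


def imds_token(fetch=_urllib_fetch):
    """IMDSv2 step 1: a PUT to /latest/api/token returns a session token."""
    return fetch("PUT", f"{IMDS}/latest/api/token",
                 {"X-aws-ec2-metadata-token-ttl-seconds": TOKEN_TTL_SECONDS})


def instance_addresses(fetch=_urllib_fetch):
    """IMDSv2 step 2: read local-ipv4 and public-ipv4 with the token attached.
    An instance without a public address answers 404 for public-ipv4."""
    headers = {"X-aws-ec2-metadata-token": imds_token(fetch)}
    result = {}
    for name in ("local-ipv4", "public-ipv4"):
        try:
            result[name] = fetch("GET", f"{IMDS}/latest/meta-data/{name}", headers).strip()
        except urllib.error.HTTPError as err:
            if err.code != 404:
                raise
            result[name] = None
    return result


class FakeImds:
    """Constructed stand-in for the metadata service (not the real endpoint)."""

    def __init__(self, local_ip, public_ip=None):
        self.values = {"local-ipv4": local_ip, "public-ipv4": public_ip}
        self.tokens = set()

    def __call__(self, method, url, headers):
        path = url[len(IMDS):]
        if method == "PUT" and path == "/latest/api/token":
            token = f"tok-{len(self.tokens)}"
            self.tokens.add(token)
            return token
        # IMDSv2 behaviour: a GET without a valid session token is rejected
        if headers.get("X-aws-ec2-metadata-token") not in self.tokens:
            raise urllib.error.HTTPError(url, 401, "Unauthorized", {}, None)
        value = self.values.get(path.rsplit("/", 1)[-1])
        if value is None:
            raise urllib.error.HTTPError(url, 404, "Not Found", {}, None)
        return value


def unauthenticated_read_rejected(fetch):
    """True when a token-less GET is refused, i.e. IMDSv1-style access is off."""
    try:
        fetch("GET", f"{IMDS}/latest/meta-data/local-ipv4", {})
    except urllib.error.HTTPError as err:
        return err.code == 401
    return False
```

On a real instance, calling instance_addresses() with the default transport does the same exchange against the link-local address; enforcing IMDSv2 on the instance (HttpTokens=required) is what makes the token step mandatory rather than optional.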

What is VPC peering?

VPC peering allows you to connect one VPC with another via a direct network route using private IP addresses

Describe Gateway-Virtual Tape Library

VTL, configure each Gateway-VTL with up to 10 drives per gateway, 1 media changer, and up to 1500 virtual tape cartridges. Each virtual tape drive responds to the SCSI command set so existing on-prem solutions work without modification

AWS Managed VPN: the part at AWS' side is called _____ and the part at the customer's side is called ______.

Virtual Private Gateway (VPG), Customer Gateway

Termination Protection

When an Amazon EC2 instance is no longer needed, the state can be set to Terminated and the instance will be shut down and removed from the AWS infrastructure. In order to prevent termination via the AWS Management Console, CLI, or API, termination protection can be enabled for an instance. While enabled, calls to terminate the instance will fail until termination protection is disabled. This helps to prevent accidental termination through human error. Note that this just protects from termination calls from the AWS Management Console, CLI, or API. It does not prevent termination triggered by an OS shutdown command, termination from an Auto Scaling group (discussed in Chapter 5), or termination of a Spot Instance due to Spot price changes (discussed in the next section).

Explain the Shared Responsibility Model

While AWS manages security *of* the cloud, security *in* the cloud is the responsibility of the customer. *Customers retain control of what security they choose to implement to protect their own content, platform, applications, systems and networks*, no differently than they would for applications in an on-site datacenter.

Launching EC2 instance with availability zone. What is the right way to implement?

When launching an instance with EC2, AWS recommends not to select the availability zone (AZ). AWS specifies that the default Availability Zone should be accepted. This is because it enables AWS to select the best Availability Zone based on the system health and available capacity. If the user launches additional instances, only then an Availability Zone should be specified. This is to specify the same or different AZ from the running instances.

What is Auto scaling rebalancing?

When rebalancing, Auto Scaling launches new instances before terminating the old ones, so that rebalancing does not compromise the performance or availability of your application. Because Auto Scaling attempts to launch new instances before terminating the old ones, being at or near the specified maximum capacity could impede or completely halt rebalancing activities. To avoid this problem, the system can temporarily exceed the specified maximum capacity of a group by a 10 percent margin (or by a 1-instance margin, whichever is greater) during a rebalancing activity.

RDS: daily backups and transaction logs

When using automated backups, Amazon RDS combines the daily backups performed during your predefined maintenance window in conjunction with transaction logs to enable you to restore your DB Instance to any point during your retention period, typically up to the last five minutes.

Route 53 routing policies

When you create a resource record set, you choose a routing policy, which determines how Amazon Route 53 responds to queries. Routing policy options are simple, weighted, latency- based, failover, and geolocation. When specified, Amazon Route 53 evaluates a resource's relative weight, the client's network latency to the resource, or the client's geographical location when deciding which resource to send back in a DNS response. Routing policies can be associated with health checks, so resource health status is considered before it even becomes a candidate in a conditional decision tree. A description of possible routing policies and more on health checking is covered in this section.

Provisioned Capacity DynamoDB

When you create an Amazon DynamoDB table, you are required to provision a certain amount of read and write capacity to handle your expected workloads. Based on your configuration settings, DynamoDB will then provision the right amount of infrastructure capacity to meet your requirements with sustained, low-latency response times. Overall capacity is measured in read and write capacity units. These values can later be scaled up or down by using an UpdateTable action.

IAM Root User

When you first create an AWS account, you begin with only a single sign-in principal that has complete access to all AWS Cloud services and resources in the account. This principal is called the root user. As long as you have an open account with AWS, the root user for that relationship will persist. The root user can be used for both console and programmatic access to AWS resources.

Amazon Aurora Cluster

When you first create an Amazon Aurora instance, you create a DB cluster. A DB cluster has one or more instances and includes a cluster volume that manages the data for those instances. An Amazon Aurora cluster volume is a virtual database storage volume that spans multiple Availability Zones, with each Availability Zone having a copy of the cluster data. An Amazon Aurora DB cluster consists of two different types of instances: - *Primary Instance* - *Amazon Aurora Replica*

When do you want to use an Alias Record in route53?

When you need the zone apex (naked domain name, e.g. example.com) to point at an ELB, CloudFront distribution or S3 website endpoint. A CNAME is not allowed at the apex, and an Alias record resolves to the target's changing IP addresses without a CNAME.

Proxy Protocol

When you use TCP or SSL for both front-end and back-end connections, your load balancer forwards requests to the back-end instances without modifying the request headers. If you enable Proxy Protocol, a human-readable header is added to the request header with connection information such as the source IP address, destination IP address, and port numbers. The header is then sent to the back-end instance as part of the request.

[Storage Gateway] Virtual Tape Shelf

When your tape software ejects a tape, it is archived on a Virtual Tape Shelf (VTS) and stored in Amazon Glacier. You're allowed 1 VTS per AWS region, but multiple gateways in the same region can share a VTS.

While configuring a security group, the user needs to specify the IP address in _________ notation.

While configuring a security group, the user needs to specify the IP address in CIDR notation. The CIDR IP range 10.20.30.40/32 says it is for a single IP 10.20.30.40.

Elasticache: design for failure

While it is unlikely, you should plan for the potential failure of an individual cache node. For Memcached clusters, you can decrease the impact of the failure of a cache node by using a larger number of nodes with a smaller capacity, instead of a few large nodes.

When you create a new user, that user;

Will be able to interact with AWS using their access key ID and secret access key, using the API, CLI or AWS SDK's

Elasticache

With Amazon ElastiCache, you can choose from a Memcached or Redis protocol-compliant cache engine and quickly launch a cluster within minutes. Because Amazon ElastiCache is a managed service, you can start using the service today with very few or no modifications to your existing applications that use Memcached or Redis. Because Amazon ElastiCache is protocol-compliant with both of these engines, you only need to change the endpoint in your configuration files.

DNS Failover

With DNS Failover, Amazon Route 53 can help detect an outage of your website and redirect your end users to alternate locations where your application is operating properly. When you enable this feature, Route 53 uses health checks—regularly making Internet requests to your application's endpoints from multiple locations around the world—to determine whether each endpoint of your application is up or down. To enable DNS Failover for an ELB endpoint, create an Alias record pointing to the ELB and set the "Evaluate Target Health" parameter to true. Route 53 creates and manages the health checks for your ELB automatically. You do not need to create your own Route 53 health check of the ELB. You also do not need to associate your resource record set for the ELB with your own health check, because Route 53 automatically associates it with the health checks that Route 53 manages on your behalf. The ELB health check will also inherit the health of your backend instances behind that ELB.

Elastic IP address

With an Elastic IP address, you can mask the failure of an instance or software by rapidly remapping the address to another instance in your account.

What is a Gateway Virtual Tape Library (VTL)?

With an on-prem AWS appliance (a VM), you back up using popular backup applications such as NetBackup, Backup Exec and Veeam. This service is meant to replace physical tape libraries.

What is a Gateway Stored Volume?

With an on-prem AWS appliance (a VM), you define a volume that is kept locally in full and backed up to S3 asynchronously over the internet.

SQS Long Polling

With long polling, you send a WaitTimeSeconds argument to ReceiveMessage of up to 20 seconds. If there is no message in the queue, then the call will wait up to WaitTimeSeconds for a message to appear before returning. If a message appears before the time expires, the call will return the message right away. Long polling drastically reduces the amount of load on your client.

Does AWS S3 support auditing features?

Yes. S3 server access logging records the requests made to a bucket, and CloudTrail records the S3 API calls made against it. Reference: https://d0.awsstatic.com/whitepapers/architecture/AWS_Well-Architected_Framework.pdf

Your client has been experiencing problems with their aging in-house infrastructure and are extremely concerned about maintaining their on-line presence while still managing the cost. After extensive discussions about the impact of being off-line and the cost of DR, the board has directed you to prepare a proposal that achieves an RTO of 20 hours, an RPO or 1 hour, and keeps costs of achieving that to a minimum. They have also directed the use of AWS Storage Gateway to mitigate the risk of a expected catastrophic NAS failure. Which of the following solutions best meet the requirements

Work with the customer's engineers to identify the key servers and data. Help them to setup an AWS account with IAM users, groups, and roles. Encourage key managers and engineers to do some of the 'A Cloud Guru' courses to help them come up to speed. Build templates of the critical web/app servers and save these as AMIs. Agree the RDS specifications that would meet requirements. Set up the Storage Gateway and the Snapshot schedule to meet the RPO. Document, script or automate the steps to initiate the RDS instance, the EC2 instances, the steps to restore the latest data from the Storage Gateway snapshots into RDS, plus any DNS changes. Test the process with each of the Operations team shifts.

Your company is interested in implementing a VDI solution to replace their local desktop environment. Which AWS service should you consider?

Workspaces

X.509 certificates are used to _____

X.509 certificates are used to sign SOAP-based requests. X.509 certificates contain a public key that is associated with a private key. When you create a request, you create a digital signature with your private key and then include that signature in the request, along with your certificate. AWS verifies that you're the sender.

What is the underlying Hypervisor for EC2?

Xen

Can the names I give to S3 files be of any impact to performance?

Historically, YES. S3 used the object key to distribute objects across its infrastructure, so keys that were too similar (for example log files named by timestamp) landed in the same partition and could cause a performance bottleneck there; the advice was to randomize key prefixes. Since 2018 S3 scales request rates per prefix automatically, so randomized prefixes are no longer needed for performance.

Can I "force" a failover for any RDS instance that has Multi-AZ configured?

Yes

Can SNS trigger Lambda functions?

Yes

Can you have read replicas of read replicas?

Yes

Can you move reserved instance from one AZ to another one in same region?

Yes

Can you storage meta data on your S3 data?

Yes

Does DynamoDB support in-place atomic updates?

Yes

Does Route53 support MX Records?

Yes

Does route53 support MX records?

Yes

If you terminate a spot instance are you liable for the entire hour?

Yes

Is DomainKeys Identified Mail (DKIM) supported in AWS?

Yes

Is it possible to have AWS encrypt non-root volumes?

Yes

Is it possible to have more then one origin in a CloudFront distribution?

Yes

Is it possible to promote a read replica to its own database?

Yes

Is it possible to use security groups to control access to and from a RDS instance

Yes

Auto Scaling Components - Scaling Policy

You can associate Amazon CloudWatch alarms and scaling policies with an Auto Scaling group to adjust Auto Scaling dynamically. When a threshold is crossed, Amazon CloudWatch sends alarms to trigger changes (scaling in or out) to the number of Amazon EC2 instances currently receiving traffic behind a load balancer. After the Amazon CloudWatch alarm sends a message to the Auto Scaling group, Auto Scaling executes the associated policy to scale your group. The policy is a set of instructions that tells Auto Scaling whether to scale out, launching new Amazon EC2 instances referenced in the associated launch configuration, or to scale in and terminate instances.

Glacier Vault Lock

You can easily deploy and enforce compliance controls for individual Amazon Glacier vaults with a vault lock policy. You can specify controls such as Write Once Read Many (WORM) in a vault lock policy and lock the policy from future edits. Once locked, the policy can no longer be changed.

Which of the following statements is true of Amazon EC2 security groups?

You can freely add and remove rules from a group, but you can't change the outbound rules for EC2-Classic.

How many times can you mount the same EBS volume?

You can only attach an EBS volume to one instance at a time (the exception is Multi-Attach for io1/io2 volumes, which allows attachment to several instances in the same Availability Zone).

(T/F) You can use AWS OpsWorks or IAM to manage user permissions.

You can use AWS OpsWorks or IAM to manage user permissions. Note that the two options are not mutually exclusive; it is sometimes desirable to use both.

SQS Access Control

You can use the normal IAM stuff to grant other accounts access to your queues, but this can be difficult or not feasible. Amazon SQS Access Control allows you to assign policies to queues that grant specific interactions to other accounts without that account having to assume IAM roles from your account. These policies are written in the same JSON language as IAM. For example, the following sample policy gives the developer with AWS account number 111122223333 the SendMessage permission for the queue named 444455556666/queue1 in the US East (N. Virginia) region.
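As an added example (not part of the quiz), the Python below constructs the two policy shapes mentioned on this page and evaluates them: an identity-based policy whose aws:SourceIp condition limits access to an IP range (the IAM condition card), where 10.20.30.40/32 matches exactly one address as the security-group card notes, and a resource-based SQS queue policy that gives account 111122223333 SendMessage on queue 444455556666/queue1 in us-east-1 without any role assumption. The evaluator is a deliberately simplified model of IAM evaluation (explicit Deny wins, otherwise any matching Allow; NotAction, NotResource and other condition operators are not modelled); the bucket name and the user ARN are constructed for the example.

```python
import fnmatch
import ipaddress

# Identity-based policy: no Principal, access limited to two CIDR ranges.
IP_RESTRICTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
            "Condition": {"IpAddress": {"aws:SourceIp": ["203.0.113.0/24", "10.20.30.40/32"]}},
        }
    ],
}

# Resource-based SQS queue policy: names the other account as Principal.
QUEUE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowPartnerSendMessage",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
            "Action": "sqs:SendMessage",
            "Resource": "arn:aws:sqs:us-east-1:444455556666:queue1",
        }
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob_match(patterns, candidate):
    """IAM treats '*' in Action and Resource as a wildcard."""
    return any(fnmatch.fnmatchcase(candidate, p) for p in _as_list(patterns))


def _source_ip_ok(condition, source_ip):
    """IpAddress/aws:SourceIp is satisfied when the caller's address lies inside any
    listed CIDR. A call with no source address never satisfies it."""
    cidrs = _as_list(condition.get("IpAddress", {}).get("aws:SourceIp", []))
    if not cidrs:
        return True
    if source_ip is None:
        return False
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)


def _principal_ok(statement, principal):
    """Identity policies carry no Principal; resource policies must name the caller."""
    if "Principal" not in statement:
        return True
    spec = statement["Principal"]
    if spec == "*":
        return True
    arns = _as_list(spec.get("AWS", []))
    return "*" in arns or principal in arns


def is_allowed(policy, principal, action, resource, source_ip=None):
    """Simplified IAM evaluation: an explicit Deny wins, otherwise any matching Allow."""
    decision = False
    for stmt in policy["Statement"]:
        if not _glob_match(stmt["Action"], action):
            continue
        if not _glob_match(stmt["Resource"], resource):
            continue
        if not _principal_ok(stmt, principal):
            continue
        if not _source_ip_ok(stmt.get("Condition", {}), source_ip):
            continue
        if stmt["Effect"] == "Deny":
            return False
        decision = True
    return decision
```

Two things the evaluator makes visible: a /32 condition admits exactly one address, so 10.20.30.41 is refused even though 10.20.30.40 is allowed, and the queue policy admits only the named account and only SendMessage, so a ReceiveMessage call from the same partner is denied by default.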

How do you make workflows in different SWF Domains communicate with one another?

You can't!

You are a security administrator working for a hotel chain. You have a new member of staff who has started as a systems administrator and they will need full access to the AWS console. You have created the user account and generated the access key id and the secret access key. You have moved this user into the group where the other administrators are and you have provided the new user with their secret access key and their access key id. However when they go to log in to the AWS console, they cannot sign in. What could be the cause of this?

You cannot log in to the AWS console using the Access Key ID and Secret Access Key, instead you must generate a password for the user and supply the user with this password, as well as the unique link to sign in to the AWS console.

CloudFormation template

You create AWS CloudFormation templates to define your AWS resources and their properties. A template is a text file whose format complies with the JSON standard (YAML is also accepted). AWS CloudFormation uses these templates as blueprints for building your AWS resources.

How do you use SNS?

You create a topic and then add subscribers to a topic

AWS OpsWork - Layers

You define the elements of a stack by adding one or more layers. A layer represents a set of resources that serve a particular purpose, such as load balancing, web applications, or hosting a database server. You can customize or extend layers by modifying the default configurations or adding Chef recipes to perform tasks such as installing additional packages. Layers give you complete control over which packages are installed, how they are configured, how applications are deployed, and more.

Where can you get an ELB's public IP address?

You don't; you use its DNS name only, because the IP addresses behind it change over time.

How do you add instances of an auto scaling group to an Elastic Load Balancer?

You don't! It is done automatically; you just need to configure the load balancer in your Auto Scaling group.

How do you change an EC2 instance role after it has been provisioned?

When this quiz was written, you couldn't: EC2 roles were only assignable at launch time. Since 2017 you can attach, replace or detach the IAM role (instance profile) of a running or stopped instance via the console, CLI or API without relaunching it.

You work for a construction company that has their production environment in AWS. The production environment consists of 3 identical web servers that are launched from a standard Amazon linux AMI using Auto Scaling. The web servers are launched in to the same public subnet and belong to the same security group. They also sit behind the same ELB. You decide to do some test and dev and you launch a 4th EC2 instance in to the same subnet and same security group. Annoyingly your 4th instance does not appear to have internet connectivity. What could be the cause of this?

The 4th instance has no public IPv4 address. The Auto Scaling instances got one automatically; for the manually launched instance, auto-assign public IP was off and no Elastic IP was attached, so there is no address the Internet Gateway can route for it.

What happens if you lose your access key/id?

You have to create a new access key (and deactivate or delete the old one); the secret access key is only displayed at creation time and cannot be retrieved later.

You can seamlessly join an EC2 instance to your directory domain. What connectivity do you need to be able to connect remotely to this instance?

You must have IP connectivity to the instances from the network you are connecting from

What are you billed on for RDS instances?

You pay for what you use- but AWS's standard instance billing rates apply here: - Instance hours (multiple instances incur multiple hours) - Storage (GB's per month) - I/O a month - Provisioned IOPS a month - Backup storage - Data transfer (internet in and out)

How do you pay for EFS storage?

You pay for what you use- meaning you don't pre-provision storage

What performance does provisioned IOPS SSD storage offer in RDS?

You pick the rate

What is Origin Access Identity (OAI) in CloudFront?

You restrict access to Amazon S3 content by creating an origin access identity, which is a special CloudFront user. You change Amazon S3 permissions to give the origin access identity permission to access your objects, and to remove permissions from everyone else. When your users access your Amazon S3 objects using CloudFront URLs, the CloudFront origin access identity gets the objects on your users' behalf. If your users try to access objects using Amazon S3 URLs, they're denied access. The origin access identity has permission to access objects in your Amazon S3 bucket, but users don't.

Connection Draining

You should enable connection draining to ensure that the load balancer stops sending requests to instances that are deregistering or unhealthy, while keeping the existing connections open. This enables the load balancer to complete in-flight requests made to these instances.

You work in the genomics industry and you process large amounts of genomic data using a nightly Elastic Map Reduce (EMR) job. This job processes a single 3 Tb file which is stored on S3. The EMR job runs on 3 on-demand core nodes and four on-demand task nodes. The EMR job is now taking longer than anticipated and you have been asked to advise how to reduced the completion time?

You should reduce the input split size in the MapReduce job configuration and then adjust the number of simultaneous mapper tasks so that more tasks can be processed at once.

Architecture Best Practice: Don't fear constraints

You should understand that the cloud provides abstract resources that become powerful when you combine them with the on-demand provisioning model. You should not be afraid and constrained when using cloud resources because even if you might not get an exact replica of your on-premises hardware in the cloud environment, you have the ability to get more of those resources in the cloud to compensate.

Explain how encryption with Data Keys works

You use data keys to encrypt large data objects within your own application outside AWS KMS. When you call GenerateDataKey, AWS KMS returns a plaintext version of the key and ciphertext that contains the key encrypted under the specified CMK. AWS KMS tracks which CMK was used to encrypt the data key. You use the plaintext data key in your application to encrypt data, and you typically store the encrypted key alongside your encrypted data. Security best practices suggest that you should remove the plaintext key from memory as soon as is practical after use. To decrypt data in your application, pass the encrypted data key to the Decrypt function. AWS KMS uses the associated CMK to decrypt and retrieve your plaintext data key. Use the plaintext key to decrypt your data, and then remove the key from memory.
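The envelope flow described above, as an added example that is not part of the quiz: a constructed FakeKms class stands in for AWS KMS (CMKs never leave it, GenerateDataKey returns a plaintext key plus the same key wrapped under the CMK, and Decrypt unwraps it using the CMK id it recorded). The 4 KB limit on direct KMS encryption from the CMK card is enforced, which is exactly why bulk data goes through a data key. The seal/open_sealed pair is a toy authenticated cipher (SHA-256 keystream plus HMAC) used only so the block runs with the standard library; a real application would use AES-GCM from the AWS Encryption SDK or an equivalent library.

```python
import hashlib
import hmac
import secrets

KMS_DIRECT_LIMIT = 4096  # KMS Encrypt/Decrypt accept at most 4 KB of plaintext


def _keystream(key, nonce, length):
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(bytes(key) + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def seal(key, plaintext):
    """Toy authenticated encryption (stand-in for AES-GCM): nonce || ciphertext || tag.
    A fresh random nonce per call is what keeps the keystream from repeating."""
    enc_key = hashlib.sha256(b"enc" + bytes(key)).digest()
    mac_key = hashlib.sha256(b"mac" + bytes(key)).digest()
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key, blob):
    enc_key = hashlib.sha256(b"enc" + bytes(key)).digest()
    mac_key = hashlib.sha256(b"mac" + bytes(key)).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext or wrapped key was tampered with")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class FakeKms:
    """Constructed stand-in for AWS KMS: CMKs never leave this class, only wrapped keys do."""

    def __init__(self):
        self._cmks = {}

    def create_key(self):
        key_id = "key-" + secrets.token_hex(8)
        self._cmks[key_id] = secrets.token_bytes(32)
        return key_id

    def encrypt(self, key_id, plaintext):
        if len(plaintext) > KMS_DIRECT_LIMIT:
            raise ValueError("KMS Encrypt is limited to 4 KB; use a data key for larger objects")
        # The key id travels with the blob so Decrypt knows which CMK to use (KMS tracks this)
        return key_id.encode() + b":" + seal(self._cmks[key_id], plaintext)

    def decrypt(self, blob):
        key_id, _, sealed = blob.partition(b":")
        return bytearray(open_sealed(self._cmks[key_id.decode()], sealed))

    def generate_data_key(self, key_id):
        plaintext_key = bytearray(secrets.token_bytes(32))
        return plaintext_key, self.encrypt(key_id, plaintext_key)


def wipe(buf):
    """Overwrite a plaintext data key as soon as it is no longer needed."""
    buf[:] = b"\x00" * len(buf)


def encrypt_object(kms, key_id, data):
    """Envelope encryption: encrypt data locally with the plaintext data key,
    store only the wrapped key next to the ciphertext, then wipe the plaintext key."""
    plaintext_key, wrapped_key = kms.generate_data_key(key_id)
    try:
        ciphertext = seal(plaintext_key, data)
    finally:
        wipe(plaintext_key)
    return {"wrapped_key": wrapped_key, "ciphertext": ciphertext}


def decrypt_object(kms, envelope):
    """Hand the wrapped key to KMS Decrypt, use the returned plaintext key once, wipe it."""
    plaintext_key = kms.decrypt(envelope["wrapped_key"])
    try:
        return open_sealed(plaintext_key, envelope["ciphertext"])
    finally:
        wipe(plaintext_key)


def raises_value_error(fn, *args):
    try:
        fn(*args)
    except ValueError:
        return True
    return False
```

Note that the object data never goes to KMS at all; only the 32-byte data key does, which is why a 12 KB object can be protected by a CMK whose direct Encrypt call refuses anything over 4 KB.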

You are a solutions architect working for a large engineering company who are moving their existing legacy hardware to AWS. You have configured their first AWS account and you have set up IAM. Your company will be primarily based in Andorra, however they will have a small subsidiary operating out of South Korea and you will need an AWS environment configured there as well. Which of the following statements is true;

You will need to configure Users and Policy Documents only once, as these are applied globally.

What do you have to physically send to AWS to use AWS's import/export?

Your HDD

5. How can the domain's zone apex, for example, "myzoneapexdomain.com", be pointed towards an Elastic Load Balancer? a. By using an Amazon Route 53 Alias record b. By using an AAAA record c. By using an Amazon Route 53 CNAME record d. By using an A record

a

A _____ is a document that provides a formal statement of one or more permissions. a. Policy b. User c. Group d. Role

a

What action is required to establish an Amazon Virtual Private Cloud (VPC) VPN? a. Assign a static internet-routable IP address to an Amazon VPC customer gateway b. Use a dedicated network address translation instance in the public subnet c. Modify the main route table to allow traffic to a network address translation instance

a

A company has an AWS account that contains 3 VPCs (dev, tst, prd) in the same region. Tst is peered to both prd and dev. All VPCs have non-overlapping CIDR blocks. The company wants to push minor releases from dev to prd to speed up time to market. Which of the following options helps accomplish this? a. Create a new peering connection between prd and dev along with appropriate routes b. Create a new entry to prd in the dev route table using the peering connection as the target c. Attach a second gateway to dev. Add a new entry in the prd route table identifying the gateway as the target d. The VPCs have non-overlapping CIDR blocks in the same account. The route tables contain local routes for all VPCs

a

A customer has a single 3-TB volume on-premises that is used to hold a large repository of images and print layout files. This repository is growing at 500 GB a year and must be presented as a single logical volume. The customer is becoming increasingly constrained with their local storage capacity and wants an off-site backup of this data, while maintaining low-latency access to their frequently accessed data. Which AWS Storage Gateway configuration meets the customer requirements? a. Gateway-Cached volumes with snapshots scheduled to Amazon S3 b. Gateway-Stored volumes with snapshots scheduled to Amazon S3 c. Gateway-Virtual Tape Library with snapshots to Amazon S3 d. Gateway-Virtual Tape Library with snapshots to Amazon Glacier

a

Amazon S3 is a. Object Based Storage b. Block Based Storage c. A Data Warehouse Solution d. Suitable for data archival, not frequently used files.

a

An organization is planning to use AWS for their production roll out. The organization wants to implement automation for deployment such that it will automatically create a LAMP stack, download the latest PHP installable from S3 and setup the ELB. Which of the below mentioned AWS services meets the requirement for making an orderly deployment of the software? a. AWS Elastic Beanstalk b. AWS Cloudfront c. AWS Cloudformation d. AWS DevOps

a

Can I "force" a failover for any RDS instance that has Multi-AZ configured? a. Yes b. No c. Only for Oracle RDS instances

a

Can you access Amazon EBS Snapshots? a. Yes, through the AWS APIs/CLI & AWS Console b. No c. Depends on the region d. EBS does not have snapshot functionality

a

If an Amazon EBS volume is an additional partition (ie. not the root volume), can I detach it without stopping the instance? a. Yes, but it may take some time b. No, you still need to stop the instance

a

In RDS, what is the maximum size for a Microsoft SQL Server DB Instance with SQL server Express edition? a. 10GB/db b. 100GB/db c. 1TB/db d. 2TB/db

a

In S3 RRS, the durability of my files is a. 99.99% b. 99.99999999% c. 99% d. 100%

a

In a default VPC, all Amazon EC2 instances are assigned 2 IP addresses at launch, what are these? a. Private IP and Public IP b. Public IP and Secret IP c. Elastic IP and Public IP d. IPv6 and Elastic IP

a

In what circumstances would I choose provisioned IOPS in RDS over standard storage? a. If you use production online transaction processing b. If you have workloads that are not sensitive to latency/lag c. If your business was trying to save money d. If this was a test DB

a

Which DNS name can only be resolved within amazon EC2? a. Internal DNS Name b. External DNS Name c. Global DNS Name d. Private DNS Name

a

You are deploying an application to collect votes for a very popular television show. Millions of users will submit votes using mobile devices. The votes must be collected into a durable, scalable, and highly available data store for real-time public tabulation. Which service should you use? a. Amazon DynamoDB b. Amazon Redshift c. Amazon Kinesis d. Amazon Simple Queue Service

a

You have a VPC with 1 private subnet and 1 public subnet with a NAT server. You are creating a group of EC2 instances that configure themselves at startup via downloading a bootstrapping script from S3 that deploys an application via GIT. Which setup provides the highest level of security? a. EC2 instances in private subnet, no EIPs, route outgoing traffic via the NAT b. EC2 instances in public subnet, no EIPs, route outgoing traffic via the Internet Gateway (IGW) c. EC2 instances in private subnet, assign EIPs, route outgoing traffic via the Internet Gateway (IGW) d. EC2 instances in public subnet, assign EIPs, route outgoing traffic via the NAT

a

You have a load balancer configured for VPC, and all back-end EC2 instances are in service. Your web browser is timing out when connecting to the load balancer's DNS name. Which options are probable causes of this behavior? Choose 2 a. Load balancer was not configured to use a public subnet with an internet gateway configured b. EC2 instances do not have a dynamically allocated private IP address c. Security groups or network ACLs are not properly configured for web traffic d. Load balancer is not configured in a private subnet with a NAT instance e. VPC does not have a VGW configured

a c

Which 2 services provide Native encryption? a. Glacier b. EC2 c. IAM d. Storage Gateway

a d

Your company is getting ready to do a major public announcement of a social media site on AWS. The website is running on EC2 instances deployed across multiple Availability Zones with a Multi-AZ RDS MySQL Extra Large DB instance. The site performs a high number of small reads and writes per second and relies on an eventual consistency model. After comprehensive tests you discover that there is read contention on RDS MySQL. Which are the best approaches to meet these requirements? (Choose 2 answers) a. Deploy an ElastiCache in-memory cache running in each Availability Zone b. Implement sharding to distribute load to multiple RDS MySQL instances c. Increase the RDS MySQL instance size and implement provisioned IOPS d. Add an RDS MySQL read replica in each Availability Zone

a d

You are tasked with moving a legacy application from a virtual machine running inside your datacenter to an Amazon VPC. Unfortunately this app requires access to a number of on-premises services, and no one who configured the app still works for your company. Even worse, there is no documentation for it. What will allow the application running inside the VPC to reach back and access its internal dependencies without being reconfigured? Choose 3 answers a. An AWS Direct Connect link between the VPC and the network housing the internal services b. An Internet gateway to allow a VPN connection c. An Elastic IP address on the VPC instance d. An IP address space that does not conflict with the one on-premises e. Entries in Amazon Route 53 that allow the instance to resolve its dependencies' IP addresses f. A VM Import of the current virtual machine

a d f

Cloudfront Edge location

a CDN endpoint

Region

a Geographical location that has 2 or more availability zones

What AWS service lets you create your own private environment in the AWS cloud?

a VPC https://d0.awsstatic.com/whitepapers/architecture/AWS_Well-Architected_Framework.pdf

As an application has increased in popularity, reports of performance issues have grown. The current configuration initiates scaling actions based on Avg CPU utilization; however during reports of slowness, CloudWatch graphs have shown that Avg CPU remains steady at 40 percent. This is well below the alarm threshold of 60 percent. Your developers have discovered that, due to the unique design of the application, performance degradation occurs on an instance when it is processing more than 200 threads. What is the best way to ensure that your application scales to match demand? a. Launch two to six additional instances outside of the AutoScaling group to handle the additional load. b. Populate a custom CloudWatch metric for concurrent sessions and initiate scaling actions based on that metric instead of on CPU use. c. Empirically determine the expected CPU use for 200 concurrent sessions and adjust the CloudWatch alarm threshold to be that CPU use. d. Add a script to each instance to detect the number of concurrent sessions. If the number of sessions remains over 200 for five minutes, have the instance increase the desired capacity of the AutoScaling group by one.

b

Company "ABC" needs to deploy services to an AWS region which they have not previously used. The company currently has an AWS Identity and Access Management (IAM) role for the Amazon EC2 instances, which permits the instances to access Amazon DynamoDB. The company wants their EC2 instances in the new region to have the same privileges. How should the company achieve this? a. Create a new IAM role and associated policies within the new region b. Assign the existing IAM role to the Amazon EC2 instances in the new region c. Copy the IAM role and associated policies to the new region and attach it to the instances d. Create an Amazon Machine Image (AMI) of the instance and copy it to the desired region using the AMI Copy feature

b

How many copies of my data does RDS - Aurora store by default? a. 3 b. 6 c. 2 d. 1

b

I can enable multi-factor authentication by using a. RDS b. IAM c. DynamoDB d. Account Settings

b

If an Amazon EBS volume is the root device of an instance, can I detach it without stopping the instance? a. Yes b. No

b

If you want your application to check whether a request generated an error, then you look for an ____ node in the response from the Amazon RDS API a. Incorrect b. Error c. False d. True

b

In S3 the durability of my files is a. 99.99% b. 99.999999999% c. 99% d. 100%

b

Individual instances are provisioned in a. Regions only, you cannot choose anything below this b. Availability Zones c. Global

b

MySQL installations default to port number a. 1433 b. 3306 c. 3389 d. 80

b

Out of the striping options available for EBS volumes, which one has the following disadvantage: 'Doubles the amount of I/O required from the instance to EBS compared to RAID 0, because you're mirroring all writes to a pair of volumes, limiting how much you can stripe.'? a. RAID 0 b. RAID 1+0 (RAID 10) c. RAID 1 d. RAID 2

b

Simple Email Service

bulk and transactional email-sending service for the cloud

What is the difference between Elastic Beanstalk and CloudFormation? a. Elastic Beanstalk is a monitoring tool to view performance of your AWS resources. CloudFormation is an automated provisioning engine to deploy entire cloud environments via JSON. b. Elastic Beanstalk automatically handles the deployment, from capacity provisioning, load balancing, auto-scaling to application health monitoring based on the code you upload to it. CloudFormation is an automated provisioning engine to deploy entire cloud environments via JSON. c. There is no difference. d. Elastic Beanstalk automatically handles the deployment, from capacity provisioning, load balancing, auto-scaling to application health monitoring based on the code you upload to it. CloudFormation is a security service designed to harden your cloud against an attack, like a DDOS.

b

You have a video transcoding application running on Amazon EC2. Each instance polls a queue to find out which video should be transcoded, and then runs a transcoding process. If this process is interrupted, the video will be transcoded by another instance based on the queuing system. You have a large backlog of videos which need to be transcoded and would like to reduce this backlog by adding more instances. You will need these instances only until the backlog is reduced. Which type of Amazon EC2 instances should you use to reduce the backlog in the most cost efficient way? a. Reserved instances b. Spot instances c. Dedicated instances d. On-demand instances

b

You need to design a VPC for a web-application consisting of an ELB a fleet of web application servers, and an RDS DB. The entire infrastructure must be distributed over 2 AZ. Which VPC configuration works while assuring the DB is not available from the internet? a. One Public Subnet for ELB one Public Subnet for the web-servers, and one private subnet for the DB b. One Public Subnet for ELB two Private Subnets for the web-servers, and two private subnets for the RDS c. Two Public Subnets for ELB two private Subnet for the web-servers, and two private subnet for the RDS d. Two Public Subnets for ELB two Public Subnet for the web-servers, and two public subnets for the RDS

c (a subnet lives in a single AZ, so spreading the whole stack over 2 AZs needs two public subnets for the ELB plus two private subnets each for the web tier and for RDS; option b cannot place the ELB in both AZs, and the DB must never sit in a public subnet)

Your customer wants to consolidate their log streams (access logs, application logs, security logs, etc.) in one single system. Once consolidated, the customer wants to analyze these logs in real time based on heuristics. From time to time, the customer needs to validate heuristics, which requires going back to data samples extracted from the last 12 hours. What is the best approach to meet your customer's requirements? a. Send all the log events to Amazon SQS. Set up an Auto Scaling group of EC2 servers to consume the logs and apply the heuristics. b. Send all the log events to Amazon Kinesis and develop a client process to apply heuristics on the logs c. Configure AWS CloudTrail to receive custom logs, use EMR to apply heuristics to the logs d. Set up an Auto Scaling group of EC2 syslogd servers, store the logs on S3 and use EMR to apply heuristics on the logs

b

Instance 1 and 2 are running in two different subnets (A and B) of a VPC. Instance 1 is not able to ping instance 2. What are 2 possible reasons? a. The routing table of subnet A has no target route to subnet B b. The security group attached to instance 2 does not allow inbound ICMP traffic c. The policy linked to the IAM role on instance 1 is not configured correctly d. The NACL on subnet B doesn't allow outbound ICMP traffic

b d (network ACLs are stateless, so the echo reply leaving subnet B needs an explicit outbound allow; the VPC's local route always exists in every route table, so a cannot be the cause, and IAM roles play no part in network reachability)

elastic block storage

block-level storage for use with EC2 instances, on which you can install the file system of your choice

By default, a network ACL that you create ____________ all inbound and outbound traffic until you add rules.

blocks

Move from Magnetic to SSD

by creating a volume from a Snapshot

How do you simulate a HA RDS failover?

by rebooting the primary RDS instance with the "reboot with failover" option, which forces a failover to the Multi-AZ standby

An application requires OS privileges on a database host. Which one is best choice of High Available DB? a. Amazon EC2 instances in a replication configuration utilizing a single AZ b. A standalone Amazon EC2 instance c. Amazon EC2 instances in a replication configuration utilizing two different AZ d. Amazon RDS in a Multi-AZ configuration

c

An organization has established an Internet-based VPN connection between their on-premises data center and AWS. They are considering migrating from VPN to AWS DirectConnect. Which operational concern should drive an organization to consider switching from an Internet-based VPN connection to AWS DirectConnect? a. AWS DirectConnect provides greater redundancy than an Internet-based VPN connection. b. AWS DirectConnect provides greater resiliency than an Internet-based VPN connection. c. AWS DirectConnect provides greater bandwidth than an Internet-based VPN connection. d. AWS DirectConnect provides greater control of network provider selection than an Internet-based VPN connection.

c

Can I move a reserved instance from one region to another? a. Yes b. Only in the US c. No d. Depends on the region

c

An EC2 EBS-backed (EBS root) instance is stopped; what happens to the data on any ephemeral store volumes? a. Data is automatically saved in an EBS volume. b. Data is unavailable until the instance is restarted. c. Data will be deleted and will no longer be accessible. d. Data is automatically saved as an EBS snapshot.

c

EC2 instances are launched from Amazon Machine Images (AMI). An AMI can a. Be used to launch EC2 instances in any AWS region b. Only launch EC2 instances in the same Country as the AMI is stored c. Only launch EC2 instances in the same AWS region as the AMI is stored d. Only launch EC2 instances in the same AWS AZ as the AMI is stored

c

Every user you create in the IAM system starts with ____ a. Full permissions b. Partial permissions c. No permissions

c

In RDS, changes to the backup window take effect a. After 30 mins b. The next day c. Immediately d. you cannot back up in RDS

c

In RDS, what is the maximum value I can set for my backup retention period? a. 15 days b. 30 days c. 35 days d. 45 days

c

The AWS platform consists of how many regions currently? a. 5 b. 10 c. 11 d. 12

c

To help manage your Amazon EC2 instances, you can assign your own metadata in the form of a. Wildcards b. Certificates c. Tags d. Notes

c

What is the underlying Hypervisor for EC2? a. Hyper-V b. ESX c. Xen d. OVM

c

Which of the following approaches provides the lowest cost for Amazon Elastic Block Store snapshots while giving you the ability to fully restore data? a. Maintain two snapshots: the original snapshot and the latest incremental snapshot. b. Maintain a volume snapshot; subsequent snapshots will overwrite one another c. Maintain a single snapshot the latest snapshot is both Incremental and complete. d. Maintain the most current snapshot, archive the original and incremental to Amazon Glacier.

c

Which of the following is part of the failover process for a Multi-Availability Zone Amazon Relational Database Service (RDS) instance? a. The failed RDS DB instance reboots. b. The IP of the primary DB instance is switched to the standby DB instance. c. The DNS record for the RDS endpoint is changed from primary to standby. d. A new DB instance is created in the standby availability zone.

c

An auto-scaling group spans 3 AZs and has 4 running EC2 instances. When auto-scaling needs to terminate an instance by default, autoscaling will (select 2): a. Allow >= 5mins for Windows/Linux shutdown scripts to complete before terminating b. Terminate the instance with the least active network connections c. Send an SNS notification if configured to do so d. Terminate an instance in the AZ which currently has 2 running instances e. Randomly select one of the 3 AZs and terminate an instance

c d

To be prepared for a security assessment, an organization should implement which two configuration management practices? Choose 2 answers a. Determine whether remote administrative access is performed securely. b. Verify that all Amazon Simple Storage Service (S3) bucket policies and ACLs correctly implement your security policies. c. Determine whether unnecessary users and services have been identified on all Amazon-published AMIs. d. Verify that AWS Trusted Advisor has identified and disabled all unnecessary users and services on your Amazon Elastic Compute Cloud (EC2) instances.

a b (checking that remote administrative access is performed securely and verifying that S3 bucket policies and ACLs implement your security policy are configuration practices under your control; Amazon-published AMIs are not yours to harden, and Trusted Advisor only reports findings, it does not disable users or services)

Auto Scaling group _____________ span multiple regions.

cannot

Each Read Replica _____________ have multi-AZ.

cannot

If the elastic IP is a part of EC2 Classic it __________ be assigned to a VPC instance.

cannot

The Elastic Load Balancer _______________________ feature causes the load balancer to stop sending new requests to the back-end instances when the instances are deregistering or become unhealthy, while ensuring that in-flight requests continue to be served.

connection draining

Storage Gateway

connects on-premise storage appliance to AWS Cloud Storage

Identity Access Management

controls AWS services and resources through users, groups and roles

How is the Auto-Scaling cooldown period calculated

the cooldown period starts after an instance is launched; the group does not act on another scaling activity until the most recently launched instance has completed its cooldown period

How can an organization allow testers to access resources in another production AWS account

create IAM Roles with cross account access

When controlling access to Amazon EC2 resources, each Amazon EBS Snapshot has a ______ attribute that controls which AWS accounts can use the snapshot.

createVolumePermission

What is the command/URL to check instance meta data?

curl http://169.254.169.254/latest/meta-data/ (this is the IMDSv1 form; with IMDSv2 the client must first obtain a session token with a PUT to /latest/api/token and present it in the X-aws-ec2-metadata-token header on every request, and instances configured to require tokens reject the plain GET shown here)

A customer has a web application that uses cookie-based sessions to track logged-in users. It is deployed on AWS using Elastic Load Balancing and Auto Scaling. When load increases, Auto Scaling launches new instances, but the load on the other instances does not decrease; this causes all existing users to have a slow experience. What could be the cause of the poor user experience? a. The ELB DNS record's TTL is set too high. b. The new instances are not being added to the ELB during the Auto Scaling cooldown period. c. The website uses the dynamic content feature of Amazon CloudFront which is keeping connections alive to the ELB. d. The ELB is continuing to send requests with previously established sessions to the same backend instances rather than spreading them out to the new instances.

d

A _____ is the concept of allowing (or disallowing) an entity such as a user, group, or role some type of access to one or more resources a. user b. AWS Account c. resource d. Permission

d

Amazon RDS does not currently support increasing storage on a ___ DB instance. a. MySQL b. Aurora c. Oracle d. MSSQL

d

Auditing user access/API calls, etc., across the entire AWS estate can be achieved using a. CloudFront b. CloudWatch c. CloudFlare d. CloudTrail

d

For the EBS volumes, which has the following disadvantage : 'Doubles the amount of I/O required from the instance to EBS compared to RAID 0, because you're mirroring all writes to a pair of volumes, limiting how much you can stripe. a. Raid 0 b. Raid 1+0 [Raid 10] c. Raid 1 d. Raid 5

b (the same disadvantage quoted in the earlier RAID question: RAID 10 mirrors every write across a pair of striped volumes; RAID 5 and RAID 6 are not recommended on EBS at all, because parity writes consume IOPS)

If I want to run a database on an EC2 instance, which is the most recommended Amazon storage option? a. RDS b. S3 c. Glacier d. EBS

d

In S3 with RRS the availability is a. 99.999999999% b. 100% c. 99% d. 99.99%

d

In S3, what does RRS stand for? a. Relational Reduced Storage b. Reactive Replicating Storage c. Reduced Replication Storage d. Reduced Redundancy Storage

d

What are the 4 levels of AWS premium support? a. It's an IaaS platform, there is no support b. Free, Bronze, Silver, Gold c. Basic, Startup, Business, Enterprise d. Basic, Developer, Business, Enterprise

d

What does EBS stand for? a. Energetic Block Storage b. Elastic Based Storage c. Equal Block Storage d. Elastic Block Storage

d

What is the maximum response time for a Business Level Premium support case? a. 1 day b. 12 hrs c. 15 mins d. 1 hr

d

What types of RDS databases are currently available a. Aurora, MySQL, MSSQL, Cassandra b. PostGres, Cassandra, MongoDB, Aurora c. Oracle, MSSQL, MySQL, Cassandra d. Oracle, MSSQL, MySQL, Postgres

d

When an EC2 instance that is backed by an S3-based AMI is terminated, what happens to the data on the root volume? a. Data is automatically saved as an EBS snapshot. b. Data is automatically saved as an EBS volume. c. Data is unavailable until the instance is restarted. d. Data is automatically deleted.

d

Which feature supports optimized performance for a compute cluster that requires low inter-node latency? a. Multiple Availability Zones b. AWS Direct Connect c. EC2 Dedicated Instances d. Placement Groups e. VPC private subnets

d

Which procedure for backing up a relational database on EC2 that is using a set of RAIDed EBS volumes for storage minimizes the time during which the database cannot be written to and results in a consistent backup? a. 1. Detach EBS volumes, 2. Start EBS snapshot of volumes, 3. Re-attach EBS volumes b. 1. Stop the EC2 instance. 2. Snapshot the EBS volumes c. 1. Suspend disk I/O, 2. Create an image of the EC2 instance, 3. Resume disk I/O d. 1. Suspend disk I/O, 2. Start EBS snapshot of volumes, 3. Resume disk I/O e. 1. Suspend disk I/O, 2. Start EBS snapshot of volumes, 3. Wait for snapshots to complete, 4. Resume disk I/O

d

Which statement best describes Availability Zones a. Content distribution network which is used to distribute content to users b. A restricted area designed specifically for creating VPCs c. Two zones containing compute resources that are designed to maintain synchronized copies of data within each other d. Distinct locations from within an AWS region that are engineered to be isolated from failures

d

You are putting together a wordpress site for a local charity and you are using a combination of Route53, Elastic Load Balancers, EC2 & RDS. You launch your EC2 instance, download wordpress and setup the configuration files connection string so that it can communicate to RDS. When you browse to your URL however, nothing happens. Which of the following could NOT be the cause of this. a. You have forgotten to open port 80/443 on your security group in which the EC2 instance is placed. b. Your elastic load balancer has a health check which is checking a webpage that does not exist, therefore your EC2 instance is not in service. c. You have not configured an ALIAS for your A record to point to your elastic load balancer d. You have locked port 22 down to your specific IP address therefore users cannot access your site using HTTP/HTTPS

d

You are working with a customer who has 10 TB of archival data that they want to migrate to Glacier. The customer has a 1-Mbps connection to the internet. Which service or feature provides the fastest method of getting data into Amazon Glacier? a. Glacier multipart upload b. AWS Storage Gateway c. VM Import/Export d. AWS Import/Export

d

how is data transfer from aws origins (list) to cloudfront billed

data transfer from EC2 or S3 origins to CloudFront (so-called "origin fetches") has been free since Dec 1st, 2014

Glacier Data Archival

low-cost archival storage for infrequently accessed data; standard retrievals take 3-5 hours

Is data transfer from origin to cloudfront billed?

it depends on whether the origin is AWS-based or third party; any origin-specific costs associated with fetching data from the origin are billed separately

What does not affect cloudfront billing?

distribution type

What are the key takeaways of the IAM Credentials reported

downloaded as a CSV file, can be generated as often as once every 4 hours, and access to download the report can be granted to external auditors

Describe AWS storage gateway parameters

each gateway can have up to: 20 stored volumes, 20 cached volumes, or 1500 virtual tape cartridges

While creating the snapshots using the command line tools, which command should I be using?

ec2-create-snapshot (the legacy EC2 API tools; the equivalent in the current AWS CLI is aws ec2 create-snapshot)

How durable is S3?

eleven nines of durability https://d0.awsstatic.com/whitepapers/architecture/AWS_Well-Architected_Framework.pdf

S3 Lifecycle Management

enables you to automatically archive your objects to the Glacier Storage Class and/or remove them after a specified time period.

Workspaces

end-user computing

From which of these can I block incoming/outgoing IPs? a. Security Groups b. DNS c. ELB d. VPC subnet e. IGW f. NACL

f (security groups are allow-only, so an explicit deny of a specific address needs a network ACL rule)
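The ping question above (instance 1 cannot reach instance 2) and this NACL question both turn on the same two facts: a security group is stateful and allow-only, a network ACL is stateless with numbered allow/deny rules evaluated lowest-number-first and an implicit deny at the end. The following is an added example, not part of the quiz and not an AWS API: a small Python model of those evaluation rules, traced over an ICMP echo request and its reply. Only the destination subnet's ACL is modelled, and all addresses and rule sets are constructed for the demonstration.

```python
"""Model of security group (stateful, allow-only) vs network ACL (stateless,
ordered allow/deny) evaluation for a ping between two subnets.
Added example, not from the quiz and not an AWS API; inputs are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str           # "icmp", "tcp", "udp"
    reply: bool = False  # True for return traffic (the echo reply)


@dataclass
class NaclRule:
    number: int
    proto: str           # "all" or a protocol name
    cidr: str
    action: str          # "allow" or "deny"


class NetworkAcl:
    """Stateless: inbound and outbound are evaluated independently, lowest
    rule number first, first match wins, implicit deny ('*') if none match."""

    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    @staticmethod
    def _evaluate(rules, remote_ip, proto):
        for r in rules:
            if r.proto in ("all", proto) and ip_address(remote_ip) in ip_network(r.cidr):
                return r.action == "allow"
        return False  # the '*' rule

    def allows_inbound(self, pkt):
        return self._evaluate(self.inbound, pkt.src, pkt.proto)

    def allows_outbound(self, pkt):
        return self._evaluate(self.outbound, pkt.dst, pkt.proto)


class SecurityGroup:
    """Stateful and allow-only: the reply to permitted traffic is always let
    back through, and a deny can only be expressed by leaving a rule out."""

    def __init__(self, inbound):
        self.inbound = inbound          # list of (proto, cidr) allow rules
        self._established = set()       # flows seen leaving this instance

    def allows_inbound(self, pkt):
        if pkt.reply:                   # connection tracking: reply to our own request
            return (pkt.dst, pkt.src, pkt.proto) in self._established
        return any(proto in ("all", pkt.proto) and ip_address(pkt.src) in ip_network(cidr)
                   for proto, cidr in self.inbound)

    def allows_outbound(self, pkt):
        self._established.add((pkt.src, pkt.dst, pkt.proto))  # default egress: allow all
        return True


def ping_path(src, dst, src_sg, dst_sg, dst_nacl):
    """Trace an echo request from src (subnet A) to dst (subnet B) and the
    reply back. Returns the first hop that blocks, or 'ok'."""
    req = Packet(src, dst, "icmp")
    rep = Packet(dst, src, "icmp", reply=True)
    if not src_sg.allows_outbound(req):
        return "src-sg-outbound"
    if not dst_nacl.allows_inbound(req):
        return "dst-nacl-inbound"
    if not dst_sg.allows_inbound(req):
        return "dst-sg-inbound"
    if not dst_sg.allows_outbound(rep):
        return "dst-sg-outbound"
    if not dst_nacl.allows_outbound(rep):   # stateless: reply needs its own rule
        return "dst-nacl-outbound"
    if not src_sg.allows_inbound(rep):      # stateful: reply rides on the request
        return "src-sg-inbound"
    return "ok"


def scenarios():
    """Four constructed set-ups, one per cause a practitioner would check."""
    allow_all = [NaclRule(100, "all", "0.0.0.0/0", "allow")]
    open_acl = NetworkAcl(allow_all, allow_all)
    tcp_only_egress = NetworkAcl(allow_all, [NaclRule(100, "tcp", "0.0.0.0/0", "allow")])
    block_host = NetworkAcl([NaclRule(90, "all", "10.0.1.10/32", "deny")] + allow_all, allow_all)
    icmp_from_vpc = lambda: SecurityGroup([("icmp", "10.0.0.0/16")])
    a, b = "10.0.1.10", "10.0.2.20"
    return {
        "baseline": ping_path(a, b, SecurityGroup([]), icmp_from_vpc(), open_acl),
        "sg_no_icmp": ping_path(a, b, SecurityGroup([]), SecurityGroup([("tcp", "10.0.0.0/16")]), open_acl),
        "nacl_no_outbound_icmp": ping_path(a, b, SecurityGroup([]), icmp_from_vpc(), tcp_only_egress),
        "nacl_denies_source_ip": ping_path(a, b, SecurityGroup([]), icmp_from_vpc(), block_host),
    }
```

The last two scenarios are the ones a security group cannot express: a missing outbound ICMP rule on a stateless ACL silently drops the reply even though the request was admitted, and blocking one source address needs a deny rule numbered below the broad allow.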

(T/F) Amazon DynamoDB allows you to host MySQL, SQL Server, and Oracle databases.

false

(T/F) The Amazon Simple Storage Service (S3) data model enables you to organize data as folders in highly durable Amazon Elastic Block Store (EBS) volumes.

false

Power User Access

full access except user and group management

Simple Storage Service

fully redundant data storage for object-based storage

To retrieve instance metadata or userdata you will need to use the following IP Address:

http://169.254.169.254
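The two metadata questions above both show the classic IMDSv1 call: one GET to 169.254.169.254 with no credentials, which is exactly what an SSRF bug in a web app can be made to issue to steal the instance role's keys. IMDSv2 closes that path by requiring a session token obtained with a PUT (a verb most SSRF primitives cannot produce) and by refusing token requests that carry an X-Forwarded-For header. The following is an added example, not part of the quiz: a local HTTP server on 127.0.0.1 stands in for the real endpoint so the handshake runs offline, the metadata values are constructed, and the client code is the same sequence you would run against the real address.

```python
"""Simulated IMDS endpoint plus client showing the IMDSv2 token handshake.
Added example, not from the quiz; the real endpoint is http://169.254.169.254,
here a local server on 127.0.0.1 stands in so the code runs offline."""
import secrets
import threading
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

TOKEN_HDR = "X-aws-ec2-metadata-token"
TTL_HDR = "X-aws-ec2-metadata-token-ttl-seconds"

# Constructed sample metadata; a real instance serves many more paths.
FAKE_METADATA = {"/latest/meta-data/instance-id": "i-0123456789abcdef0"}


class FakeImds(BaseHTTPRequestHandler):
    """Behaves like an instance launched with HttpTokens=required (v2 only)."""
    tokens = {}  # token -> expiry (epoch seconds)

    def log_message(self, *args):  # keep the demo quiet
        pass

    def do_PUT(self):
        if self.path != "/latest/api/token":
            return self._reply(404, "")
        if "X-Forwarded-For" in self.headers:  # request came via a proxy
            return self._reply(403, "")
        try:
            ttl = int(self.headers[TTL_HDR])
        except (TypeError, ValueError):
            return self._reply(400, "")
        if not 1 <= ttl <= 21600:  # six hours is the maximum TTL
            return self._reply(400, "")
        token = secrets.token_urlsafe(32)
        FakeImds.tokens[token] = time.time() + ttl
        self._reply(200, token)

    def do_GET(self):
        token = self.headers.get(TOKEN_HDR)
        if not token or FakeImds.tokens.get(token, 0) < time.time():
            return self._reply(401, "")  # IMDSv1-style request: rejected
        body = FAKE_METADATA.get(self.path)
        if body is None:
            return self._reply(404, "")
        self._reply(200, body)

    def _reply(self, code, body):
        data = body.encode()
        self.send_response(code)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


def start_fake_imds():
    srv = HTTPServer(("127.0.0.1", 0), FakeImds)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_port}"


def get_imdsv2_token(base, ttl=21600, extra_headers=None):
    """Step 1 of IMDSv2: PUT /latest/api/token with the TTL header."""
    headers = {TTL_HDR: str(ttl), **(extra_headers or {})}
    req = Request(base + "/latest/api/token", method="PUT", headers=headers)
    with urlopen(req) as r:
        return r.read().decode()


def token_request_status(base, ttl=21600, extra_headers=None):
    """HTTP status of a token request (200 on success)."""
    try:
        get_imdsv2_token(base, ttl, extra_headers)
        return 200
    except HTTPError as e:
        return e.code


def fetch_metadata(base, path, token=None):
    """Step 2: GET the path; with token=None this is a plain IMDSv1 request."""
    headers = {TOKEN_HDR: token} if token else {}
    try:
        with urlopen(Request(base + path, headers=headers)) as r:
            return r.status, r.read().decode()
    except HTTPError as e:
        return e.code, ""


def demo():
    srv, base = start_fake_imds()
    try:
        v1_status, _ = fetch_metadata(base, "/latest/meta-data/instance-id")
        token = get_imdsv2_token(base)
        v2_status, instance_id = fetch_metadata(base, "/latest/meta-data/instance-id", token)
        return {
            "v1_status": v1_status,      # 401: token-less call refused
            "v2_status": v2_status,      # 200
            "instance_id": instance_id,
            "bad_ttl_status": token_request_status(base, ttl=99999),  # 400
            "proxied_status": token_request_status(
                base, extra_headers={"X-Forwarded-For": "10.0.0.5"}),  # 403
        }
    finally:
        srv.shutdown()
        srv.server_close()
```

On a real instance you enforce this behaviour by setting the instance metadata option HttpTokens to required (and keeping the hop limit at 1 unless containers on the host need the endpoint), after which the token-less curl in the answer above returns 401 exactly as the fake server does.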

What is the S3 URL format?

https://s3-[region].amazonaws.com/[bucketname], e.g. https://s3-eu-west-1.amazonaws.com/acloudguru (the path-style form)

What does the URL of a bucket called "taahr" created in Frankfurt look like?

https://s3-eu-central-1.amazonaws.com/taahr

You have been asked by your company to create an S3 bucket with the name "acloudguru1234" in the EU West region. What would be the URL for this bucket?

https://s3-eu-west-1.amazonaws.com/acloudguru1234

SOA Records

start of authority record; holds the zone's base DNS information (primary name server, responsible party, serial number and refresh/retry/expire timers)

SPF Records

identifies which mail servers are permitted to send emails on behalf of your domain

how would you implement search for S3 metadata

implement a database to store the S3 metadata and answer queries against it; S3 itself provides no query facility out of the box

Elasticache

in memory cache environments (Memcached, Redis) that helps improve performance of web apps

Instance Snapshot save _____________ blocks to S3.

incremental

*A registered activity type* is identified by _____

its domain, name, and version. Activity types are specified in the call to RegisterActivityType.

*A registered workflow type* is identified by _____

its domain, name, and version. Workflow types are specified in the call to RegisterWorkflowType.

What are the 8 Auto Scaling Processes?

launch, terminate, healthcheck, replaceunhealthy, azrebalance, alarmnotification, scheduledactions, addtoloadbalancer

what elements are available in an IAM Credentials report?

list of all users and the status of their various credentials:
- passwords
- access keys
- MFA devices
- signing certificates
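The two credential report cards (the "key takeaways" one and the list of elements here) describe what the report contains but not what you do with it. The following is an added example, not part of the quiz: a Python checker that reads a credential report in the CSV layout AWS produces and flags the findings an auditor looks for first (console passwords without MFA, active root access keys, recent root console use, access keys older than 90 days or unused for 90 days). The column names match the real report; the four rows are constructed sample data for a fictitious account, not a real download, and the 90-day thresholds are assumptions you would tune to your own policy.

```python
"""Flag risky entries in an IAM credential report CSV.
Added example, not part of the quiz. Column names follow the real report;
the rows in SAMPLE_REPORT are constructed, not from a real account."""
import csv
import io
from datetime import datetime, timedelta, timezone

SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2015-01-01T00:00:00+00:00,not_supported,2024-05-01T09:00:00+00:00,not_supported,not_supported,false,true,2015-01-01T00:00:00+00:00,2024-04-30T12:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2020-03-10T08:00:00+00:00,true,2024-05-02T10:00:00+00:00,2024-01-15T08:00:00+00:00,2024-04-14T08:00:00+00:00,true,true,2024-04-01T00:00:00+00:00,2024-05-02T11:00:00+00:00,eu-west-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2019-07-22T08:00:00+00:00,true,2024-04-28T10:00:00+00:00,2023-11-01T08:00:00+00:00,2024-01-30T08:00:00+00:00,false,true,2022-02-01T00:00:00+00:00,2023-06-01T00:00:00+00:00,us-west-2,sts,true,2023-09-01T00:00:00+00:00,N/A,N/A,N/A,false,N/A,false,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2021-09-01T08:00:00+00:00,false,no_information,N/A,N/A,false,true,2024-03-01T00:00:00+00:00,2024-05-02T12:00:00+00:00,us-east-1,ecr,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

# Assumed policy thresholds; adjust to your own standard.
MAX_KEY_AGE = timedelta(days=90)
UNUSED_AFTER = timedelta(days=90)
SAMPLE_NOW = datetime(2024, 5, 3, tzinfo=timezone.utc)  # fixed "now" for the sample


def _ts(value):
    """Parse a report timestamp; the report uses N/A, no_information and
    not_supported for fields that do not apply."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(csv_text, now):
    """Return (user, finding) pairs in report order."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["user"]
        # Root reports password_enabled as not_supported but always has one.
        has_password = row["password_enabled"] in ("true", "not_supported")
        if has_password and row["mfa_active"] != "true":
            findings.append((user, "password-no-mfa"))
        if user == "<root_account>":
            if "true" in (row["access_key_1_active"], row["access_key_2_active"]):
                findings.append((user, "root-access-key"))
            last_console = _ts(row["password_last_used"])
            if last_console and now - last_console < timedelta(days=30):
                findings.append((user, "root-recent-console-use"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = _ts(row[f"access_key_{n}_last_rotated"])
            if rotated and now - rotated > MAX_KEY_AGE:
                findings.append((user, f"key{n}-older-than-{MAX_KEY_AGE.days}d"))
            last_used = _ts(row[f"access_key_{n}_last_used_date"])
            if last_used is None or now - last_used > UNUSED_AFTER:
                findings.append((user, f"key{n}-unused-{UNUSED_AFTER.days}d"))
    return findings


def audit_sample():
    return audit_credential_report(SAMPLE_REPORT, SAMPLE_NOW)
```

Against a real account you would feed the function the CSV obtained with aws iam generate-credential-report followed by aws iam get-credential-report (the content comes back base64-encoded) and pass datetime.now(timezone.utc) as now; the 4-hour regeneration window mentioned above means a freshly created key may not appear in a report you pulled earlier the same morning.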

Cloud Trail

logging/auditing service; records API calls

RDS storage types

magnetic, General Purpose SSD, Provisioned IOPS SSD

Leader Node

(Redshift) manages client connections and receives queries, then distributes the work to the compute nodes

Cloud Formation

manages/creates templates of AWS resources

Elastic Transcoder

media transcoder

You can __________ the rules for a security group at any time.

modify

What service does CloudWatch provide?

monitors system vitals like CPU, disk and network I/O; also provides the metrics that drive Auto Scaling https://d0.awsstatic.com/whitepapers/architecture/AWS_Well-Architected_Framework.pdf

Cloud Watch

monitoring service for AWS resources and your applications

A user has configured an EC2 instance in the US-East-1a zone. The user has enabled detailed monitoring of the instance. The user is trying to get the data from CloudWatch using a CLI. What CloudWatch endpoint URL should the user use?

monitoring.us-east-1.amazonaws.com. CloudWatch resources are region-specific, so the endpoint is region-specific too; the Availability Zone (us-east-1a) does not appear in it.

list characteristics of a scalable application

more resources = more performance, handles heterogeneity, operationally efficient, resilient, more cost effective as service grows

Given a VPC with 10.201.0.0/16, subnet 10.201.31.0/24, explain why private IP 10.201.31.6 cannot be assigned

most likely this IP address is already in use by another interface in the subnet (it is not one of the addresses AWS reserves in every subnet, which are the first four, .0 through .3, for the network address, VPC router, DNS and future use, and the last, .255, for broadcast)

Give example of Static S3 website URL.

mysite.com.s3-website-us-east-1.amazonaws.com

What's the simplest way to import data to a MySQL RDS instance?

mysqldump, or mysqlimport utilities

what happens if an IAM credentials report is downloaded within the last n hours

n = 4. If a report was generated within the last 4 hours, the same cached report is returned; if it is older than 4 hours a new report is generated and then downloaded

Read-after-write consistency applies to what in S3?

new objects (PUTs of new objects), under the original S3 consistency model

can placement groups be merged

no

Does CloudSearch hook into the Google Search Engine

no, CloudSearch is a standalone managed solution to make your website/application searchable

Does Route53 support DNSSEC

historically no, this was a limitation of the Route 53 service; since December 2020 Route 53 supports DNSSEC signing for public hosted zones and DNSSEC validation in Route 53 Resolver

By default, a network ACL that you create is _______________ with a subnet.

not associated

S3 is ______ based

object

how is spot pricing calculated

on the start of every hour, you will pay this exact price for the next hour of instance use

How many databases can a single RDS instance support?

one or more

S3 has eventual consistency for which HTTP Methods?

historically, overwrite PUTs and DELETEs (only PUTs of new objects had read-after-write consistency); since December 2020 S3 provides strong read-after-write consistency for all PUT and DELETE operations

Simple Workflow Service

task coordination and state management service for cloud applications
- workflow executions can run for up to 12 months (1 year timer)
- differs from SQS in that tasks can be performed by human actors as well as by automated computer action
- can be used in warehouses and distribution systems
- ensures a task is assigned only once and never duplicated (delivered once and only once)

(t/f) S3 provides unlimited storage

the size of a single object is limited (5 TB) and the number of buckets per account is limited (100 by default, raisable on request), but the total amount of data stored is not

Auto Scaling Group - If you don't specify a desired capacity, the default desired capacity is ___ of instances that you specify.

the minimum number

Amazon DynamoDB decides which partition to store the item in based on _____

the partition key. The partition key is used to distribute the new item among all of the available partitions, and items with the same partition key will be stored on the same partition.

What are the benefits of bootstrapping your instances?

they include:
- recreate environments with minimal effort
- maintain more control over your abstract, cloud-based resources
- reduce human-induced deployment errors
- create a self-healing and self-discoverable environment that is more resilient to hardware failure

How many geographically distinct areas is DynamoDB spread across?

three Availability Zones (geographically distinct data centers) within a region

Given a Route53 latency record set from your domain to machines in Virginia and Sydney, how would a user request in the US be routed

to Virginia because latency will be lower

The common use cases for DynamoDB Fine-Grained Access Control (FGAC) are cases in which the end user wants ______.

to read or modify a table directly without a middle tier service

How many copies of your data does Aurora keep by default?

two copies within each AZ across a minimum of three AZs, so at least six copies of your data. This applies to the storage layer, not to the DB instance itself

Max Objects per cloudfront distribution

unlimited

SQS supports an ____________ number of queues and ____________ number of messages per queue for each user.

unlimited

What are SQS service limits

- unlimited queues, unlimited messages per queue
- queues are region specific
- message payload up to 256 KB of text; each 64 KB chunk is billed as 1 request
- batch size up to 10 messages; 1 batch request costs the same as a single message request
- messages retained for up to 14 days

With general purpose SSD how many IOPS can you have? (GP2)

up to 10,000 IOPS

How many Redshift compute nodes can you have

up to 128

Immediate (Strong) Consistency

every read returns the result of the most recent completed write; readers are never served stale data from a node that has not yet applied the write

Customer in Japan, website in us-west-1, where to store s3 objects?

us-west-1

Instead of invalidating CloudFront objects manually or programmatically, it is a best practice to _____

use a version identifier as part of the object (file) path name.

Administrator Access

user that has full control

How is data in AWS Storage Gateway protected

via AES-256 encryption at rest on S3, and only changed data is uploaded to S3 to minimize internet traffic

When do we say that an SQS message is in flight?

when it has been received by a consumer but not yet deleted, i.e. while its visibility timeout is running; messages still waiting in the queue (or in a delay period) are not in flight

Why might cloudwatch metrics from a Cloudfront distribution in the Asia Pacific (Sydney) region not appear in the Cloudwatch Console

while CloudFront is a global service, its metrics are only shown when you view the us-east-1 (N. Virginia) region in the CloudWatch console

*S3 Object Storage Classes*

- S3: durability = 11 x 9s / availability = 99.99%
- S3-IA: durability = 11 x 9s / availability = 99.90%
- RRS: durability = 99.99% / availability = 99.99%
- Glacier: durability = 11 x 9s / not designed for immediate access (retrievals take hours)

EC2 Tier Options

- Free Tier
- On Demand: fixed rate per hour; no long-term commitments
- Reserved: capacity reservation with a discount for 1 or 3 year terms
- Spot: for applications that use large amounts of compute, can tolerate flexible start and end times, and need low compute prices
