WGU D341 AWS
AWS WAF
The AWS Web Application Firewall (WAF) is a managed firewall service allowing you to configure rules that allow, block, or monitor (count) web requests based on conditions that you define.
AWS Systems Manager
The AWS Systems Manager provides a single pane of glass that allows for full visibility of the resources within an organization's infrastructure.
74.76.58.81 10.1.101.112 54036 22 What are the source and destination ports and IPs?
source IP 74.76.58.81, source port 54036; destination IP 10.1.101.112, destination port 22. A flow log record lists srcaddr, dstaddr, srcport, dstport in that order, so this is an inbound SSH connection arriving from an ephemeral client port.
What two services protect against DDoS attacks?
AWS WAF and AWS Shield
What is the default network interface called?
eth0
Simple Routing
Simple routing: Provides one response for each DNS request.
S3 Cross-Region Replication
you can also replicate any data in S3 to another bucket in another S3 region easily by enabling cross-region replication.
Name the types of metrics that can be collected by CloudWatch.
Answer: CloudWatch can collect standard, detailed, and custom metrics.
The VPC and subnet ranges are restricted to sizes between /xx and /xx
/16 and /28
Amazon CloudTrail:
Amazon CloudTrail: The API call logging service. Every call in the AWS environment is an API call; thus, CloudTrail enables you to maintain a complete record of actions against your AWS infrastructure.
Are ACM certificates globally accepted?
No. ACM certificates are regional resources and must be requested or imported in each region in which they are used (a certificate for a CloudFront distribution must be in us-east-1).
What AWS Service allows you to create a snapshot of your environment so you can easily assess, audit, and evaluate the state of all the AWS resources within your account or organization?
AWS Config, you can create a configuration snapshot of your environment so you can easily assess, audit, and evaluate the state of all the AWS resources within your account or organization. Over time, configuration snapshots can be compared against a desired state, thus allowing you to maintain an auditable record of compliance for your application infrastructure in AWS.
AWS Config:
AWS Config: A configuration state recording service that can detect state changes, perform alerting based on rules, and provide resource inventory and relationship mapping.
Amazon API Gateway
Amazon API Gateway: A fully managed API management and deployment service.
Amazon Athena:
Amazon Athena: A serverless interactive query service that gives you the ability to query static data on S3 via SQL.
Amazon ElastiCache:
Amazon ElastiCache: A fully managed instance-based caching service for deployment of Redis or Memcached in-memory data stores in AWS.
Amazon Elastic Block Storage (EBS):
Amazon Elastic Block Storage (EBS): This solution provides block-accessible, network-attached, persistent storage for volumes that you can connect to EC2 instances and ECS containers.
Amazon Elastic Compute Cloud (EC2)
Amazon Elastic Compute Cloud (EC2): Provides the ability to deploy and operate virtual machines running Linux and Windows in the AWS cloud.
Amazon Elastic Container Service (ECS):
Amazon Elastic Container Service (ECS): Provides the ability to deploy, orchestrate, and operate containers in the AWS cloud.
Amazon Elastic File System (EFS):
Amazon Elastic File System (EFS): This solution provides a network-attached file system that supports the NFS protocol and allows you to share files among EC2 instances, ECS containers, and other services.
Amazon Elastic Kubernetes Service (EKS):
Amazon Elastic Kubernetes Service (EKS): Provides the ability to deploy, orchestrate, and operate Kubernetes clusters in the AWS cloud.
Amazon Elastic MapReduce (EMR):
Amazon Elastic MapReduce (EMR): A service that provides the ability to run open-source big data workloads in the AWS cloud.
There are four general ways to set up the backup of your environment that will also support full disaster recovery:
Backup and restore, pilot light, warm standby, multisite active-active
CloudWatch:
CloudWatch: This metrics and log collection service can monitor, analyze, and alert.
How much data can you store in DynamoDB? How many AZs is DynamoDB replicated across in a region??
DynamoDB supports storing any amount of data and is distributed and replicated across three or more availability zones in the region
Analytics phase
During the Analytics phase, you should develop procedures on how the data will be analyzed
Failover routing
Failover routing: Provides responses based on the health of two or more DNS targets.
What file formats can CloudFormation use to provision resources?
JSON or YAML
Multisite Active-Active
Last but not least is the multisite active-active approach. In this scenario, there is more than one production site in more than one region. All of the production sites are able to receive traffic and respond to requests at any time and can be balanced to ensure that the application never experiences any downtime.
Which services can log the HTTP status code of the server's response?
Much like ALB access logs and CloudWatch, the CloudFront logs also include the HTTP status code of the server's response. This is a critical tool for analyzing the success of requests.
Aurora natively supports which two databases?
MySQL and PostgreSQL
What are the 6 metric CloudFront publishes?
Requests, Bytes Downloaded, Bytes Uploaded, Total Error Rate, 4xx Error Rate, 5xx Error Rate
What must the customer ensure if a snapshot of an EBS attached volume is taken while it is attached to an EC2 instance?
The customer is in full control of the instance and must ensure that if a snapshot is taken of the EBS volume, writes to the selected EBS volume must be momentarily paused, and all data in memory is committed to disk before the snapshot is started.
What is the only AWS service that has a 100 percent SLA defined? What service can make an application available across multiple regions?
To make an application available across regions, you can utilize the Route 53 DNS service. The Route 53 service is a next-generation managed DNS cloud solution that enables you to manage DNS through the AWS API. Route 53 is the only AWS service that has a 100 percent SLA defined.
What are the two ways that data in a CloudFront Edge are removed?
Waiting for the TTL is one way to expire undesired content from the cache at the edge locations, but you can speed up this process by using an invalidation. Invalidations can be expensive and are resource intensive.
Weighted routing
Weighted routing: Provides responses based on the weight of the values for each record. This policy is useful for DR, testing, and deployment.
Can an S3 origin be the receiver of CloudFront logs?
You should not choose a bucket that is an S3 origin to contain these logs
VPC flow logs
can be used to monitor the network traffic in your Amazon VPC
Real-Time Processing and Alarming
The monitoring tools provided by AWS allow you to process events in real time and generate alarms. It is during this phase that you determine which events to process and which alarms to produce.
All data in CloudWatch is recorded with a specific __________ format.
namespace
1. What speeds are available with a dedicated Direct Connect circuit? 2. What are the key differences between a dedicated versus hosted Direct Connect circuit?
1. Answer: 1 Gbps, 10 Gbps, 100 Gbps 2. Answer: A dedicated connection is a 1, 10, or 100 Gbps connection dedicated to a single customer. Hosted connections are sourced from an AWS Direct Connect Partner and can support lower bandwidth options for cost savings.
1. What type of Route 53 record can be used to send requests to a CloudFront distribution? 2. What is the purpose of a Route 53 private hosted zone?
1. Answer: A Route 53 A record with an alias target can be used to send traffic to other AWS services like CloudFront. 2. Answer: A private hosted zone defines how Route 53 should respond to DNS queries for a domain and its subdomains within a VPC.
1. How is traffic directed to the CloudFront Edge locations? 2. What are some options to remove outdated data from the CloudFront cache more quickly?
1. Answer: A Route 53 DNS record is used to redirect website traffic to a CloudFront distribution. 2. Answer: You can create an invalidation to remove objects from the cache. You can also create a new version of an object with a new name and update your website to reflect the new object.
1. You have deployed an Auto Scaling Group (ASG) of EC2 instances behind an Application Load Balancer (ALB). Instances are distributed across three AZs. A Route 53 alias record is used for DNS and points to the load balancer. You must now gradually migrate this traffic to a new ALB and ASG. If an AZ fails, traffic must continue to flow to the surviving instances. What is the ideal way to accomplish this migration? (Choose two.) A. Use a weighted routing policy to send a portion of traffic to the new ALB. B. Use the ALB to detect and recover from an AZ failure. C. Use Route 53 failover routing to detect and recover from an AZ failure. D. Use a latency-based routing policy to send a portion of traffic to the new ALB.
1. Answer: A and B are correct. Weighted routing allows you to begin this transition with a smaller percentage of traffic and gradually move all traffic to the new ALB. The ALB handles availability within a region. Route 53 handles availability across regions.
1. You are using VPC flow logs to confirm the correct operation of a security group. You are unable to locate the correct log group in CloudWatch. What are potential causes for this issue? (Choose two.) A. You need to wait longer for the logs to show up. B. The CloudFront log group has been configured without the correct permissions. C. The flow log has not captured any traffic. D. The flow log is not configured with an S3 bucket.
1. Answer: A and C are correct. Flow logs are aggregated every 10 minutes by default. You may need to wait longer to see the traffic reflected in the flow logs. If there has not been any relevant traffic, there will not be flow log entries.
1. Physical connectivity for a Direct Connect circuit has been successfully established, but the VIF does not come up. What are some possible causes? (Choose two.) A. 802.1Q misconfiguration B. Improper cross-connect C. VLAN misconfiguration D. Improper routing configuration
1. Answer: A and C are correct. Layer 2 issues are typically due to some sort of Layer 2 misconfiguration involving VLANs, 802.1Q trunks, or ARP.
1. You have been asked to configure the AWS CLI to be used for a new IAM account. Which of the following account parameters need to be generated to correctly configure the AWS CLI? (Choose two.) A. Access key ID B. Authorization ID key C. Secret access key D. User control key
1. Answer: A and C are correct. The AWS CLI configuration requires information about a user account, including the account access key ID and secret access key, which is generated when creating the user account.
1. You have been instructed to eliminate any inefficiencies in the following deployment: Web tier: EC2 autoscaling group scaling on CPU usage, 30% floor, 70% ceiling, minimum 1, maximum 10. App tier: EC2 autoscaling group scaling on CPU usage, 20% floor, 80% ceiling, minimum 1, maximum 6. Cache tier: 1 ElastiCache Memcached cluster with 2 partitions Database tier: Multi-AZ MySQL RDS with 3 read replicas Which of the following would allow you to cost optimize the cluster? (Choose all that apply.) A. Evaluate whether all RDS read replicas are required. B. Evaluate the maximum on the App and Web EC2 autoscaling groups. C. Evaluate the partition configuration of the ElastiCache cluster. D. Evaluate the network performance if the app tier matches the network performance of the database tier.
1. Answer: A and C are correct. You should always evaluate whether the read replicas and caching clusters you deployed are required and properly scaled.
1. You have an S3 bucket that is the origin for a CloudFront distribution. Which actions must you take to ensure that users access objects in the bucket by using only CloudFront URLs? (Choose two). A. Create an OAI that is associated with the CloudFront distribution. B. Configure an IAM policy that identifies the OAI as a resource. C. Create an OAI that is associated with the bucket. D. Configure a bucket policy that identifies the OAI as a resource. E. Configure a bucket policy that identifies the OAI as the principal and the bucket as the resource.
1. Answer: A and E are correct. The OAI is a user that is associated with a CloudFront distribution. The bucket policy identifies this user as the principal and grants it access to a resource (the S3 bucket).
1. What task must be completed by the colocation provider for Direct Connect physical connectivity to be established? 2. A VPN connection establishment is failing during phase 1. What are some possible causes of this issue?
1. Answer: A cross-connect must be made between your device and the Direct Connect hardware. 2. Answer: IKE negotiation may fail due to a physical customer gateway that does not meet the AWS VPN requirements. Also a misconfigured preshared key prevents phase 1 from completing.
1. You need to be able to detect a change in the number of EC2 instances running in your application and send the information about the change to your Zendesk ticketing platform. Which service would allow you to achieve this functionality? (Choose all that apply.) A. EventBridge B. CloudWatch Events C. EC2 AutoScaling D. Systems Manager Automation
1. Answer: A is correct. A third-party SaaS provider like Zendesk provides the ability to integrate AWS events with their applications through EventBridge.
1. Your company was recently a target of a malicious actor due to a misconfiguration of an S3 bucket ACL, making it publicly accessible. The CISO has instructed you that all S3 buckets need to be private. How would you discover public S3 buckets in your account and automatically remediate this issue? A. Use AWS Config with the built-in s3-bucket-public-read-prohibited rule and enable automatic remediation. B. Use AWS Config with the built-in s3-bucket-public-read-prohibited rule and use an AWS Lambda for remediation. C. Use AWS Config with the built-in s3-bucket-public-read-prohibited rule and use an AWS Systems Manager for remediation. D. Use AWS Config with the built-in s3-bucket-public-read-prohibited rule and remediate the buckets manually.
1. Answer: A is correct. AWS Config with the built-in s3-bucket-public-read-prohibited rule allows for automatic remediation of S3 buckets that have a publicly accessible ACL or policy attached.
1. You need to provide permissions to a user account. According to AWS, which type of policy would be considered the best to use? A. AWS-managed policies B. Customer-managed policies C. Inline policies D. Scoped policies
1. Answer: A is correct. AWS-managed policies have been vetted and reviewed by multiple individuals. Customer-managed policies are created by you and are more likely to contain errors or allow for unauthorized access. Inline policies are embedded in a single user, group, or role and are difficult to see and manage. There is no such thing as scoped policies.
1. Which AWS service enables you to easily deploy a horizontally scalable in-memory caching cluster? A. ElastiCache Memcached B. ElastiCache Redis, Cluster mode enabled C. ElastiCache Redis, Cluster mode disabled D. CloudFront
1. Answer: A is correct. ElastiCache Memcached is a high-performance, distributed, in-memory key-value store that can scale horizontally.
1. Which of the following Route 53 routing approaches could you use to send customers from a country to a region within that country? A. Geolocation B. Geoproximity C. Weighted routing D. Static routing
1. Answer: A is correct. Geolocation can determine the country where the request originated and respond with the endpoint address that resides in the appropriate region within that country.
1. What is a key difference between AWS Shield and the AWS WAF? A. AWS Shield is included at no additional cost; the AWS WAF charges for each web ACL. B. The AWS WAF cannot be configured on CloudFront. C. The AWS WAF cannot be configured on a load balancer. D. The AWS WAF does not offer managed rules.
1. Answer: A is correct. The AWS WAF can be configured on CloudFront and on the Application Load Balancer. You are charged for each web ACL configured on AWS WAF.
1. You need to determine how much a department is spending on EC2 instances each month. Which tool will help you solve this problem? A. Cost allocation tags B. Trusted Advisor C. AWS Compute Optimizer D. AWS Budgets 2. Which of the following is not considered an advantage of managed services? A. Scalability B. Minimized downtime C. Greater control over resources D. Lower costs
1. Answer: A is correct. With cost allocation tags, you can associate a tag for the department on all of its EC2 instances and then enable cost allocation reports to see the resulting costs each month. 2. Answer: C is correct. Because AWS manages parts of the resource, you don't gain greater control over the resource but rather have less control. The other answers are all advantages of managed services.
1. You have an application hosted on an EC2 instance that needs access to other resources in your AWS account. What IAM feature can you use to provide this access? 2. What is the default password length for AWS accounts?
1. Answer: A role. 2. Answer: Eight characters.
1. A _____ is a collection of hot fixes.
1. Answer: A rollup is a collection of hot fixes. In some cases, the rollup might contain more than just security updates, but the main focus is to address a collection of security or critical issues with a single update.
1. You have a group of EC2 instances in a private subnet. You must configure a NAT gateway to allow these instances to have Internet access. Does the route table of the private subnet need to be modified for this configuration to work? 2. A new subnet has been created within a VPC. The administrator has not assigned a route table to the new subnet. What is the result of this configuration?
1. Answer: A route entry must be added to the route table associated with the private subnet. You should create a default route that points to the NAT gateway. The NAT gateway must be placed in a public subnet. 2. Answer: The main route table is assigned to this subnet. Every VPC has a main route table that you can modify. The main route table is used by default for all subnets. However, this may create security concerns, especially if the main route table has a route to the Internet gateway.
1. How many components does a cost allocation tag have? 2. What is an example of one of the EC2 checks that Trusted Advisor performs for cost optimization?
1. Answer: A tag has two components: a key and a value. 2. Answer: Low Utilization of Amazon EC2 Instances, Amazon EC2 Reserved Instance Lease Expiration, or Amazon EC2 Reserved Instance Optimization.
1. Which types of connections are supported by a transit gateway? (Choose three.) A. VPN to a physical datacenter B. Direct Connect gateway C. Internet gateway D. Transitive connections between multiple VPCs E. NAT gateway 2. You must create a VPC peering connection between your VPC and a customer's VPC. Your VPC has a CIDR range of 10.1.0.0/16. The customer VPC has a CIDR range of 10.2.0.0/16. What must be configured to allow EC2 instances in these VPCs to communicate? (Choose three.) A. Configure a route in each VPC pointing to the CIDR range of the other VPC. B. Configure a NAT gateway to present a public IP address for the instances that must communicate. C. Configure an Internet gateway on each of the VPCs. D. Configure the appropriate entries in NACLs and security groups. E. A VPC peering connection request must be sent to the customer, and the customer AWS account must accept the request.
1. Answer: A, B, and D are correct. A transit gateway allows the connected VPCs to communicate and allows attachments to an on-premises datacenter through either a VPN or Direct Connect. 2. Answer: A, D, and E are correct. A VPC peering connection must be established by sending a request to the customer account. After that request has been accepted, configure the necessary routes to send traffic over the VPC peering connection. Finally, open the necessary holes in the firewall to allow the desired traffic through.
1. Which configurations must be completed to allow S3 static website hosting? (Choose three.) A. Enable static website hosting on the bucket. B. Manually create a bucket website endpoint. C. Configure the bucket policy to allow public read access. D. Configure the IAM policy to allow public read access. E. Configure the bucket permissions to allow public access.
1. Answer: A, C, and E are correct. To enable website hosting on S3, you must configure the bucket permissions to allow public access, enable static website hosting on the bucket, and configure the bucket policy to allow public read access.
1. What are the three primary methods to interact with AWS resources and services? 2. Which IaC AWS tool can you use to configure an EC2 instance using a YAML-formatted configuration file?
1. Answer: AWS CLI, the Management Console, and SDK 2. Answer: AWS CloudFormation
1. What is the difference between AWS Shield Standard and AWS Shield Advanced? 2. What types of attacks does AWS Shield Standard protect against?
1. Answer: AWS Shield Standard is automatically enabled free of charge. AWS Shield Advanced is optional and provides additional protections against more sophisticated and larger attacks. 2. Answer: AWS Shield Standard protects against common infrastructure layer attacks like UDP floods and state exhaustion attacks like TCP SYN floods.
1. Which security solution can apply rate-based rules to stop DDoS or bruteforce attacks? 2. On which services can the AWS WAF be deployed?
1. Answer: AWS WAF 2. Answer: CloudFront, Application Load Balancer, AppSync, and Amazon API Gateway
1. Which traffic is allowed by a new security group by default? 2. Is a network access control list stateless or stateful?
1. Answer: All outbound traffic is allowed, and all inbound traffic is blocked. 2. Answer: An NACL is stateless, which means it does not dynamically allow return traffic for existing connections.
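Added example for this study set (not part of the original cards): a small simulation of network ACL evaluation that shows what "stateless" costs you in practice. Rules are checked in rule-number order, the first match wins, and the implicit final rule denies everything, so a web subnet whose outbound NACL only allows port 443 will drop the server's replies to clients' ephemeral ports. The rule numbers and CIDRs are made up for the illustration.

```python
"""Simulate network ACL rule evaluation to show why a stateless NACL needs an
explicit outbound rule for return traffic.  Added example for this study set;
the rule numbers and CIDRs are made up."""
from ipaddress import ip_address, ip_network


def nacl_verdict(rules, proto, port, addr):
    """NACL semantics: rules are checked in ascending rule-number order and the
    first match wins; the implicit final rule (*) denies anything unmatched.
    'addr' is the remote address: the source for inbound rules, the
    destination for outbound rules."""
    for rule in sorted(rules, key=lambda r: r["rule"]):
        lo, hi = rule["ports"]
        if (rule["proto"] in ("all", proto) and lo <= port <= hi
                and ip_address(addr) in ip_network(rule["cidr"])):
            return rule["action"]
    return "deny"


def https_session(inbound_nacl, outbound_nacl, client_ip, client_port):
    """A client at client_ip connects to a web server on 443 from an ephemeral
    port.  Returns (request verdict, reply verdict): the request is inbound to
    port 443, the reply is outbound to the client's ephemeral port.  A stateful
    security group would allow the reply automatically; a NACL will not."""
    request = nacl_verdict(inbound_nacl, "tcp", 443, client_ip)
    reply = nacl_verdict(outbound_nacl, "tcp", client_port, client_ip)
    return request, reply


INBOUND_NACL = [
    # Rule 90 is evaluated before 100, so this CIDR is blocked even though 100 allows all.
    {"rule": 90, "proto": "tcp", "ports": (443, 443), "cidr": "203.0.113.0/24", "action": "deny"},
    {"rule": 100, "proto": "tcp", "ports": (443, 443), "cidr": "0.0.0.0/0", "action": "allow"},
]
# Weak: only outbound 443 is allowed, so replies to clients' ephemeral ports hit the implicit deny.
OUTBOUND_NACL_WEAK = [
    {"rule": 100, "proto": "tcp", "ports": (443, 443), "cidr": "0.0.0.0/0", "action": "allow"},
]
# Corrected: also allow the ephemeral port range so server replies can leave the subnet.
OUTBOUND_NACL_FIXED = OUTBOUND_NACL_WEAK + [
    {"rule": 110, "proto": "tcp", "ports": (1024, 65535), "cidr": "0.0.0.0/0", "action": "allow"},
]

if __name__ == "__main__":
    print("weak NACL :", https_session(INBOUND_NACL, OUTBOUND_NACL_WEAK, "198.51.100.7", 51515))
    print("fixed NACL:", https_session(INBOUND_NACL, OUTBOUND_NACL_FIXED, "198.51.100.7", 51515))
    print("blocked   :", https_session(INBOUND_NACL, OUTBOUND_NACL_FIXED, "203.0.113.9", 40000))
```

With the weak outbound table the request is allowed but the reply is denied, which is the classic "security group looks right but nothing connects" symptom when a NACL is in the path.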
1. What is the primary purpose of a CloudFront Origin Access Identity? 2. What security configuration must be performed on the S3 bucket to make the OAI effective?
1. Answer: An Origin Access Identity (OAI) is used to restrict access to an S3 bucket to a CloudFront distribution and to block direct access to the bucket domain name. 2. Answer: A bucket policy must be configured that limits access to the objects to the OAI user.
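Added example for this study set (not part of the original cards), covering both the OAI bucket-policy card above and the earlier AWS Config s3-bucket-public-read-prohibited card: a simplified bucket-policy check that flags Allow statements granting read access to everyone, and verifies that a policy grants access only to a CloudFront OAI. This is an approximation written for the example, not the logic of the Config rule itself. The bucket name and OAI ID are made up.

```python
"""Inspect an S3 bucket policy for public read grants and for the CloudFront
OAI pattern.  Added example for this study set: a simplified check, not the
logic of the AWS Config s3-bucket-public-read-prohibited rule.  The bucket
name and OAI ID below are made up."""
import json

READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:get*", "s3:*", "*"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    """Normalise the Principal element to a list of principal strings;
    'Principal': '*' and {'AWS': '*'} both mean anyone."""
    principal = stmt.get("Principal", {})
    if not isinstance(principal, dict):
        return [principal]
    out = []
    for key in ("AWS", "CanonicalUser", "Service", "Federated"):
        out.extend(_as_list(principal.get(key, [])))
    return out


def public_read_statements(policy):
    """Sids of Allow statements that grant a read action to everyone with no
    Condition narrowing who may use them: the shape of a public-read finding."""
    findings = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if "*" in _principals(stmt) and actions & READ_ACTIONS:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


def restricted_to_oai(policy, oai_id):
    """True when every Allow statement names only the OAI as principal, so
    objects are reachable through the CloudFront distribution and not via the
    bucket's own domain name."""
    oai_arn = ("arn:aws:iam::cloudfront:user/"
               f"CloudFront Origin Access Identity {oai_id}")
    allows = [s for s in _as_list(policy["Statement"]) if s.get("Effect") == "Allow"]
    return bool(allows) and all(_principals(s) == [oai_arn] for s in allows)


# Weak: the misconfiguration the Config rule is meant to catch.
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicRead",
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-origin-bucket/*"
  }]
}""")

# Hardened: only the distribution's OAI may read objects (made-up OAI ID).
OAI_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AllowCloudFrontOAI",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E1ABCDEFGHIJKL"},
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-origin-bucket/*"
  }]
}""")

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("oai", OAI_POLICY)):
        print(name, "public read:", public_read_statements(policy),
              "oai-only:", restricted_to_oai(policy, "E1ABCDEFGHIJKL"))
```

The check deliberately ignores statements that carry a Condition; a real evaluation would have to reason about which conditions (such as aws:SourceVpce or aws:SourceArn) actually narrow the audience, which is why the managed Config rule, not a script like this, should be the control of record.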
1. Which options can be used to monitor logs from the AWS Network Firewall? (Choose two.) A. Logs can be stored in a DynamoDB table and queried. B. Logs can be stored in an S3 bucket. C. Kinesis Firehose can be used to port logs to a third-party provider. D. Redshift can be used to port logs to a third-party provider.
1. Answer: B and C are correct. AWS Network Firewall activity can be logged to an Amazon S3 bucket or to Amazon Kinesis Firehose.
1. What are the minimum requirements for an S3 bucket that will be used to store ELB access logs? (Choose two.) A. It must be in the same AZ as the ELB. B. It must be in the same region as the ELB. C. The bucket policy must be configured to grant write permissions to ELB logs. D. Encryption must be manually enabled on the bucket. 2. Which information can be found in ELB access logs? (Choose three.) A. The client's IP address B. Latency C. The ELB IP address D. Server responses
1. Answer: B and C are correct. The S3 bucket must be in the same region as the ELB. The bucket policy must be configured to allow ELB access logs to write to the bucket. 2. Answer: A, B, and D are correct. ELB access logs capture details of requests sent to your load balancer such as the time of the request, the client IP, latency, and server responses.
1. 2 123456789010 eni-1234a5aa123456789 17.14.10.2 172.16.10.12 49754 3389 6 20 4249 1418123456 1418123456 REJECT OK Which statements regarding this flow log are correct? A. The traffic is being blocked by the AWS WAF at CloudFront. B. The destination port is 3389, and 17.14.10.2 is the source IP address. C. The source port is 3389, and 17.14.10.2 is the source IP address. D. The traffic is being rejected by either a security group or a network ACL.
1. Answer: B and D are correct. The default flow log format lists srcaddr, dstaddr, srcport, dstport, so the source is 17.14.10.2:49754 and the destination is 172.16.10.12:3389 (RDP). Flow logs record traffic that is accepted or rejected by security groups and network ACLs; AWS WAF decisions never appear in flow logs. You can configure the AWS WAF to deliver its own logs separately, for example through Kinesis Data Firehose.
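Added example for this study set (not part of the original cards), covering this flow-log card and the earlier "what are the source and destination ports and IPs" card: a parser for default-format (version 2) VPC flow log records plus a detection that counts REJECTed flows aimed at SSH and RDP by source address. The field order is the documented default; the log lines are constructed for the example (the first two reuse the addresses and ports from the cards).

```python
"""Parse VPC Flow Log (version 2, default format) records and count rejected
SSH/RDP attempts per source address.  Added example for this study set; the
record layout is the documented default, the log lines are constructed."""
from collections import Counter

# Default (version 2) field order, as documented by AWS.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")

ADMIN_PORTS = {22: "ssh", 3389: "rdp"}


def parse_flow_log(line):
    """Split one default-format record into a dict.  Ports, protocol and
    counters become ints; NODATA/SKIPDATA records carry '-' placeholders,
    which are mapped to None."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[key] = None if rec[key] == "-" else int(rec[key])
    return rec


def rejected_admin_attempts(lines):
    """Count REJECTed flows whose destination port is SSH or RDP, keyed by
    (source IP, service).  The source port is the client's ephemeral port and
    is ignored; the destination port identifies the service being probed."""
    hits = Counter()
    for line in lines:
        rec = parse_flow_log(line)
        if rec["log_status"] != "OK":
            continue  # NODATA / SKIPDATA records describe no flow
        if rec["action"] == "REJECT" and rec["dstport"] in ADMIN_PORTS:
            hits[(rec["srcaddr"], ADMIN_PORTS[rec["dstport"]])] += 1
    return hits


# Constructed sample records (not real traffic).  The first is the RDP record
# from the card above; the next two reuse the SSH card's addresses and ports.
SAMPLE_LINES = [
    "2 123456789010 eni-1234a5aa123456789 17.14.10.2 172.16.10.12 49754 3389 6 20 4249 1418123456 1418123456 REJECT OK",
    "2 123456789010 eni-1234a5aa123456789 74.76.58.81 10.1.101.112 54036 22 6 3 180 1418123456 1418123460 REJECT OK",
    "2 123456789010 eni-1234a5aa123456789 74.76.58.81 10.1.101.112 54037 22 6 3 180 1418123461 1418123465 REJECT OK",
    # An accepted flow in the opposite direction: srcport 22 here means the instance is the server replying.
    "2 123456789010 eni-1234a5aa123456789 10.1.101.112 74.76.58.81 22 54038 6 12 2048 1418123470 1418123480 ACCEPT OK",
    # No traffic captured in this window: placeholders only.
    "2 123456789010 eni-1234a5aa123456789 - - - - - - - 1418123480 1418123490 - NODATA",
]

if __name__ == "__main__":
    for (src, service), count in rejected_admin_attempts(SAMPLE_LINES).items():
        print(f"{src} -> {service}: {count} rejected flow(s)")
```

Because flow logs are aggregated over a capture window (10 minutes by default, 1 minute optionally), a single record can summarise many packets, so the counts are per flow record rather than per connection attempt.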
1. A company currently accesses sensitive data in an S3 bucket over the Internet. Which option would allow you to access this data over Direct Connect instead? A. Configure an AWS private VIF and allow routes to AWS public resources to be learned via BGP. B. Configure an AWS public VIF and allow routes to AWS public resources to be learned via BGP. C. Configure an AWS private VIF and configure static summary routes to AWS public resources. D. Configure an AWS public VIF and configure static summary routes to AWS public resources. 2. What is the primary benefit of Direct Connect versus a managed site-to-site VPN? A. Increased redundancy and resiliency B. Support of the BGP routing protocol C. Additional support for DNS option sets D. Higher bandwidth and more predictable throughput
1. Answer: B is correct. A public virtual interface can access all AWS public services over Direct Connect. Routes to public prefixes are learned via BGP route advertisements. 2. Answer: D is correct. The maximum bandwidth of a VPN is 1.25 Gbps, and performance over the Internet is unpredictable. Direct Connect supports speeds up to 100 Gbps and traffic flows over the AWS backbone network.
1. You are an employee of an insurance company. You have been tasked with selecting a storage solution for scans of legal documents like contracts, terms and conditions, and signature pages that are a required part of any insurance agreement. The documents must be stored with the highest possible durability and must be retained for 10 years. The documents need to be made available within 72 hours for a yearly compliance evaluation and in case of legal proceedings requiring these documents. Which datastore would you choose? A. S3 Infrequent Access B. Glacier C. Glacier Deep Archive D. S3 Infrequent Access—One Zone
1. Answer: C is correct. Because these documents will only be recovered very rarely and a 72-hour retrieval window is acceptable, Glacier Deep Archive is the most cost-effective solution for documents that can tolerate a restore time of 12 hours or more.
1. You are examining a route table in your VPC and find the following route entry: "Destination : 10.0.0.0/24 and Target : Local". What type of route is this? A. An automatically created route entry for traffic within the AZ B. An automatically created route entry for traffic within the VPC C. A default route for traffic destined for the Internet D. A user-defined route for traffic between subnets within a VPC
1. Answer: B is correct. Every route table within a VPC is automatically populated with a local route. This route is used for communication within the VPC.
1. You have been asked to make an application highly available across us-east-1 and us-west-2 AWS regions. The application currently uses a MySQL RDS Multi-AZ back end. What would be the most cost-effective solution to support the application requirements? A. Set the Multi-AZ primary replica to us-east-1a AZ and the secondary replica to us-west-2a AZ. B. Create a read replica of the primary in the other region. C. Convert the database to Aurora multiregional deployment. Deploy the primary instance in us-east-1a AZ and a secondary instance in us-west-2a AZ. D. Convert the database to DynamoDB global tables.
1. Answer: B is correct. The application can easily be made highly available by creating a read replica in the other region. If the primary region fails, the read replica can be promoted to primary and the application requests redirected to the other region.
1. You have been asked to operate an existing application with a pilot light backup/DR strategy. Production is in us-west-2, and the pilot light is deployed in eu-west-1. Your complete customer base resides in the continental US. The application has an RPO of 90 minutes and RTO of 1 hour. The budget for the application regularly breaches 90 percent of allocated cost before the end of month. You do not know much else about the application. Based on the information provided, which of the following changes should be implemented in your opinion? A. The RPO can be improved by using warm standby. B. The backup/DR region should be changed. C. The cost can be improved by moving to backup/restore. D. Leave the application as is.
1. Answer: B is correct. The region should be changed to a US region. Because all the clients reside in the continental US, replicating to an EU region might breach possible data residency laws and make the application less functional in the case of a disaster, due to the network distance and increased latency from the US to EU.
1. You want to identify and count requests that are hitting a web application from varying on-premises datacenters. All datacenters are in the same country but have different IP address ranges. There is no identifying information in the header to indicate which datacenter is the origin. What condition of the web ACL could be used to determine this? A. Destination IP match B. Source IP match C. Geo match D. String match 2. You need visibility into traffic that is reaching a set of EC2 web servers and must block SQL injection attacks before they can reach the instances. Where can you configure the AWS WAF with a SQL injection rule to accomplish this? (Choose all that apply.) A. CloudFront B. Classic Load Balancer C. Application Load Balancer D. Auto Scaling Group
1. Answer: B is correct. The source IP address could be used to determine how many requests are coming from each datacenter. 2. Answer: A and C are correct. The AWS WAF can be configured on a CloudFront distribution, an Amazon API Gateway REST API, and an Application Load Balancer. It cannot be configured on a Classic Load Balancer.
1. An organization has configured a VPC with an Internet gateway and redundant private and public subnets in different AZs. A virtual private gateway has been deployed in the VPC, and a dual-tunnel VPN connection has been established to a router in the datacenter. NAT gateways have been created in both AZs. Identify each single point of failure in this design. (Choose all that apply.) A. Virtual private gateway B. Physical router C. IGW D. NAT gateway
1. Answer: B is correct. The virtual private gateway and IGW are automatically redundant across AZs. NAT gateways are redundant within an AZ and have been created in both AZs. The only single point of failure is the router in the datacenter.
1. An S3 bucket contains sensitive data. You must restrict access to this bucket to a set of EC2 instances in a private subnet. What actions should you take to meet these requirements? (Choose three.) A. Create an interface endpoint and a NAT gateway to connect to the bucket from the VPC. B. Update the route table to point S3 traffic to a gateway VPC endpoint. C. Configure a transit gateway to allow the VPC endpoint to communicate with S3. D. Configure the bucket policy to allow access only to the VPC endpoint. E. Create a gateway endpoint to connect to the bucket from the VPC.
1. Answer: B, D, and E are correct. A gateway endpoint connects to DynamoDB or S3. NAT gateways or Internet gateways are not required. You can also configure the S3 bucket policy to limit access to only the traffic coming through the VPC endpoint.
1. Which data fields can be viewed in both CloudWatch and Application Load Balancer logs? (Choose three.) A. The destination target group B. IP and port of the requesting client C. The distribution associated with the request D. The HTTP response code E. The date and time of the request
1. Answer: B, D, and E are correct. CloudWatch logs do not display the target group of the ALB. ALB logs do not display the CloudFront distribution.
1. Which pillar of the AWS Well-Architected Framework has the design principle of "Experiment more often"? A. Reliability B. Operational Excellence C. Performance Efficiency D. Cost Optimization 2. Which of the following is not considered an advantage of enhanced networking? A. Larger packet sizes B. Higher bandwidth C. Higher PPS D. Consistently lower inter-instance latencies
1. Answer: C is correct. "Experiment more often" is one of the five design principles of the Performance Efficiency pillar. Other design principles for Performance Efficiency include democratize advanced technologies, go global in minutes, use serverless architectures, and consider mechanical sympathy. 2. Answer: A is correct. Enhanced networking does not allow for larger packet sizes, but the rest of the answers are advantages of enhanced networking.
1. You have been asked to deploy some new features in a build for beta testers to review. Which of the following would be the best build environment to utilize for this scenario? A. Stable. B. LTS. C. Canary. D. Blue/green. E. None of these answers are correct.
1. Answer: C is correct. In a canary release, new features are released to a specific set of beta testers to determine whether the new features have any negative impact on the software.
1. Which of the following S3 tiers is most appropriate for archives that need to be restored in less than seven hours? A. S3 Infrequent Access B. S3 Infrequent Access-One Zone C. Glacier D. Glacier Deep Archive
1. Answer: C is correct. The Glacier service can restore any number of archives in less than seven hours.
1. Which of the following are not characteristics of a scalable/elastic application? A. Synchronous request handling in the compute layer B. Session persistence in an external database C. Session persistence in the compute layer D. Asynchronous request offloading to a message queue
1. Answer: C is correct. The compute layer should be made stateless. Any persistence in the compute layer hinders scalability and elasticity and potentially causes disruption in the application operation. If an instance in a cluster is lost, all the sessions on the instances are lost with it, meaning all the users connected to that particular instance have to log in and start working with the application from scratch.
1. You are the administrator of a hybrid-cloud application that uses S3 as the central store for all the data being shared across the platforms. The Internet users are always directed to the AWS portion of the application, whereas the on-premises users are always directed to the local application running on the on-premises servers. Recently, the security team has pointed out that user credentials are hard-coded in the application, and an update was made to the application to use roles instead of the user access key and secret key coded into the application. Your team has already updated and tested the role that will be used within your application and found no issues. The last step is to update the S3 bucket policy to reflect the change. After you update the bucket policy, the on-premises users report receiving a 403 response when trying to retrieve documents from within the application. Interestingly, the Internet users don't seem to have any issues accessing those same documents. What would be the most likely cause for this issue based on the problem description? A. The S3 bucket policy is incorrectly written. B. The application on the on-premises servers needs to be updated. C. The role needs to be assumed on the on-premises servers. D. The role is not attached to the EC2 instances.
1. Answer: C is correct. The issue is a 403 - permission denied. Because the web users are able to access the document and the issue is isolated to the on-premises servers, the on-premises servers are not correctly authenticated. The policy now allows the role to access the bucket instead of the user and is correctly configured. The role must have been attached to the EC2 instances because they allow web users to access the document. The most likely issue is that the role has not been assumed on the on-premises servers.
1. You need to monitor the total HTTP response codes from the origin that result in a 4xx or 5xx error. Which metric should you use? A. Cache hit rate B. Healthy host count C. Total error rate D. HTTP error rate
1. Answer: C is correct. The percentage of requests to the origin that result in a 4xx or 5xx error is shown in the total error rate.
1. You have configured a network access control list to permit inbound traffic to an EC2 web server from a set of customer IP addresses. The NACL is configured to block all outbound traffic. What is the result of this configuration? A. Users from the permitted IP addresses can access the web server. The web server can also initiate a connection to the customer IP addresses. B. Users from the permitted IP addresses can access the web server without issues, but the web server cannot initiate a connection to the customer IP addresses. C. Users from the permitted IP addresses cannot access the web server. D. Users from the permitted IP address range can access the web server only if a security group rule is created to allow it.
1. Answer: C is correct. Users from the permitted IP addresses cannot establish connectivity with the web server. The NACL is not stateful, and therefore, return traffic from the web server instance can never reach the customer IP addresses because all outbound (return) traffic is blocked.
1. What information is captured in a CloudTrail log? 2. What is the default retention of the default CloudTrail trail?
1. Answer: CloudTrail logs record information about who requested the action, where the request originated from, when it was requested, what was requested, and the full response. 2. Answer: The default CloudTrail trail tracks events for the past 90 days.
1. What configuration tasks must be completed to enable flow logs on a VPC and view them in CloudWatch logs? 2. How frequently are flow logs aggregated by default?
1. Answer: Create an IAM policy and role, a CloudWatch log group, and a VPC flow log. 2. Answer: Flow logs are aggregated once per 10 minutes by default.
1. Your organization has multiple AWS accounts for different purposes. You use a dedicated account to manage all Route 53 configurations including domains and public hosted zones. There is also a different AWS account in which an auto scaling group of web servers runs behind an Internet-facing ELB. How can you configure Route 53 to send all traffic for example.com to the web servers? A. This configuration is possible only if you configure Route 53 and the ELB in the same AWS account. B. Configure an A record in Route 53 pointed to the IP address of the ELB in the other AWS account. C. Configure a CNAME record in Route 53 pointed to the ELB in the other AWS account. D. Configure an alias record in Route 53 pointed to the ELB in the other AWS account.
1. Answer: D is correct. A CNAME record cannot be used for the zone apex (example.com). The IP address of the ELB may change, so you should point to the DNS name of the ELB.
1. Which of the following AWS services does not make use of ACM certificates? A. Elastic Load Balancing B. Amazon API Gateway C. AWS CloudFormation D. AWS CodeCommit
1. Answer: D is correct. ACM certificates are used by the following services: Elastic Load Balancing, Amazon CloudFront, Amazon API Gateway, AWS Elastic Beanstalk, AWS CloudFormation, AWS App Runner, and AWS Nitro Enclaves.
1. You have been put in charge of designing a monitoring platform for an application for a large enterprise. The monitoring system needs to be highly available and should allow for collecting metrics from your custom application running on EC2 with an interval of one second. Which of the following solutions would be the easiest to implement the required monitoring environment? A. Unfortunately, this is not possible in AWS due to the high availability and metric collection frequency. B. Use a custom monitoring solution on two or more EC2 instances in two availability zones to make the monitoring system highly available. Configure the custom agent to send the specific application metrics with a one-second interval. C. Use CloudWatch. Install CloudWatch agents on the EC2 instance that hosts the application. Configure the agents to send the specific application metrics with the default interval. D. Use CloudWatch. Install CloudWatch agents on the EC2 instance that hosts the application. Configure the agents to send the specific application metrics with a one-second interval.
1. Answer: D is correct. CloudWatch is inherently highly available due to its regional scope. The CloudWatch agent needs to be configured to send custom metrics in a one-second interval to comply with the application requirements.
1. Your website has a mix of static and dynamic content. A CloudFront distribution is being used to speed up the delivery of static assets such as images and videos. All static content is reachable through a subdomain called static.sample.com. Which Route 53 option should be used to configure this? A. Create a CNAME record for sample.com that points to an alias record for the CloudFront distribution domain name. B. Create a CNAME record for static.sample.com that points to an alias record for the CloudFront distribution domain name. C. Create an A record for sample.com that points to an alias record for the CloudFront distribution domain name. D. Create an A record for static.sample.com that points to an alias record for the CloudFront distribution domain name.
1. Answer: D is correct. Use Route 53 to create an alias record that points to the domain name of the CloudFront distribution. An alias record is similar to a CNAME record but can be created for subdomains or the zone apex. Route 53 responds to matching DNS queries with the domain name that is associated with your distribution.
1. You have created a VPC with a CIDR range that does not provide enough addresses. Which method should be used to resolve this issue? A. Modify the existing CIDR range using the AWS CLI. B. Place the VPC in maintenance mode and perform a batch re-addressing using CloudFormation. C. Create a new VPC and perform a live migration to relocate EC2 instances to it. D. Associate a secondary IPv4 CIDR block with your VPC.
1. Answer: D is correct. You cannot resize a CIDR block after it has been created. You can add a secondary CIDR block to an existing VPC. Local routes for the secondary CIDR block are automatically generated.
1. You have deployed a set of 10 EC2 instances with the intention to make your application highly available. Your instances have been evenly deployed into us-west-2a. You would like to use the Network Load Balancer to make the application highly available. What would be the result of this configuration? 2. You have been asked to ensure your application is able to withstand a regional outage. Which service can be used in AWS to load-balance traffic between two regions in a 50-50 percent fashion?
1. Answer: Deploying the instances in only one availability zone (us-west-2a) is not optimal because it would make the application highly available but not resilient to an availability zone outage. Deploy the instances into two availability zones in us-west-2. 2. Answer: Route 53 with weighted routing would be the correct solution to allow for sending traffic to both regions. Because 50-50 is required, both region endpoints need to be added to the weighted record with equal weights.
1. Your organization requires you to capture a comprehensive auditable log of the state of your AWS account over time. What would be the simplest way to capture the state for auditing purposes? 2. What would be the easiest way to perform remediation of an issue found in AWS Config?
1. Answer: Enable AWS Config Configuration Recorder to start collecting configuration snapshots on your account. AWS Config snapshots allow you to maintain an auditable record of the state of your infrastructure in AWS. 2. Answer: You can enable automatic remediation directly in AWS Config if the remediation is supported as an action for the config rule. In case there is no remediation supported, you can create a notification to another service that will perform remediation or notify an administrator for human intervention.
1. You operate a 99.9 percent HA application in an AWS region. You have received an SLA update for your application that has raised the three nine requirements to a four nine requirement. What would be the correct course of action in this scenario? 2. When is an application considered to be both highly available and resilient?
1. Answer: Establish another full replica of the application to increase the availability to four nines. 2. Answer: The application requires at least two complete replicas to be deployed. Each replica must be able to handle the failure of the other replica and accept 100 percent of the network traffic at all times.
1. In what way do CloudWatch Events and EventBridge differ from each other? 2. True or false: In AWS you can build both serverless and traditional, instance-based applications that can respond to infrastructure, application, and third-party events.
1. Answer: EventBridge offers integration of AWS events as well as any application and third-party provider events on the event bus. CloudWatch Alarms only supports AWS events by default; however, custom event patterns can be established. 2. Answer: True. With EventBridge and Systems Manager Automation, you can build traditional, instance-based applications and create automation scenarios that are able to respond to real-time events from the EventBridge.
1. True or False: To make an S3 bucket on a standard tier highly available, you must ensure it is replicated across at least one more availability zone. 2. True or False: Moving an object from S3 Standard to S3 Infrequent Access requires you to download and delete the object from S3 Standard and upload it to S3 Infrequent Access.
1. Answer: False. The S3 Standard tier is automatically replicated across at least three availability zones. 2. Answer: False. The object can be life-cycled based on time, or intelligent tiering can be used to move the object automatically.
1. True or False: The only way to synchronize files to S3 is to maintain a list of changed files and then issue an S3 copy operation of the changed files to backup changes to S3. 2. Which service offers the cheapest option for data storage in AWS?
1. Answer: False. You can use S3 sync or AWS DataSync to synchronize files in a local directory with S3 or vice versa. 2. Answer: Glacier Deep Archive offers the lowest-cost storage at less than $1 per terabyte per month. However, the retrieval times of Deep Archive are longer, so it might not be a viable solution for backups with short RTOs.
1. You have implemented autoscaling on both the web and app tier of your three-tier application, but in times of high read requests, the application seems to be performing slowly or even times out. What could you do to make the application more responsive? 2. You have been tasked with deploying a reliable caching solution that can handle multiple different data types and deliver microsecond to millisecond response performance. Which AWS service would you recommend? 3. True or False: To deliver static content to the user in the fastest possible manner, use a web server with lots of memory and utilize server-side caching.
1. Answer: Implement the read cache to offload the database that seems to be bottlenecking the read requests. 2. Answer: ElastiCache Redis would support all the required features. 3. Answer: False. Static content should be delivered via a content delivery network (CDN). In AWS, you can use CloudFront to deliver static content through more than 200 geographically distributed locations across the globe.
1. Name one benefit and one drawback of increasing the TTL on objects in a CloudFront distribution. 2. What does the total error rate metric for a CloudFront distribution indicate?
1. Answer: Increasing the TTL means CloudFront will reach out to the origin for updated content less often, resulting in fewer cache misses. The drawback is that your users are more likely to get stale data from the cache. 2. Answer: The total error rate metric indicates the percentage of requests to the origin that result in a 400-type or 500-type response.
1. What is the difference between a gateway endpoint and an interface endpoint? 2. Is an Internet gateway required when using a VPC endpoint?
1. Answer: Interface endpoints connect to a vast array of AWS services powered by PrivateLink. Gateway endpoints connect to S3 or DynamoDB. 2. Answer: No, the private Amazon backbone network is used.
1. Does geolocation-based routing consider latency as a factor for routing decisions? 2. Can failover routing be combined with other routing policies?
1. Answer: No. Geolocation routing is based only on the physical location of the DNS request. 2. Answer: Yes. Failover routing can be configured in a simple active/standby configuration, but it can also be used with other routing policies like weighted or geolocation routing.
1. What is the maximum number of primary nodes supported in a Multi-AZ RDS MySQL cluster? 2. How many read replicas are supported on DynamoDB global tables?
1. Answer: One. A Multi-AZ deployment has the primary replica for SQL reads and writes in one AZ and a secondary inaccessible synchronous replica in another AZ. 2. Answer: None. DynamoDB global tables are designed with replica tables, which are all primary. Any writes to any of the regions are replicated to all other regions across the globe within one second.
1. You are using the AWS Network Firewall with the AWS Firewall Manager. What is the scope of the policies that you create? 2. Does the AWS Network Firewall protect from DDoS attacks?
1. Answer: Policies can be applied across multiple VPCs and AWS accounts. 2. Answer: No, the AWS Network Firewall does not mitigate volumetric attacks that generate massive amounts of traffic or requests. The AWS WAF and AWS Shield can be used to mitigate those types of attacks.
1. Which deployment should contain the live solution that your organization uses? 2. What is an LTS build?
1. Answer: Production. 2. Answer: An LTS build is a stable build that should be supported for a longer than average period of time.
1. Should you use Route 53 when configuring a static website in S3? 2. Which security configurations must be made prior to using S3 to host a static website?
1. Answer: Route 53 can be used if you wish to use DNS to direct requests for your website to an S3 bucket endpoint. 2. Answer: You must configure the bucket permissions to allow public access and the bucket policy to allow public read access.
1. What three services must be configured to be able to perform comprehensive AWS WAF ACL logging? 2. What is the purpose of the Kinesis Data Firehose when configuring AWS WAF ACL logging?
1. Answer: The AWS WAF web ACL, Kinesis Data Firehose, and S3. 2. Answer: The logs are received by Kinesis Data Firehose, which can trim the logs and reduce the amount of data that gets stored in S3.
1. Your three-tier application has been connected to a business intelligence (BI) forecasting platform. While the forecasts are improving business practices, the users of your application are reporting the performance has decreased. The web and app tier are scaling appropriately, and the caching cluster is at about 40 percent capacity. What could be the cause of the slowdown seen by the users, and how could you resolve it? 2. True or False: Aurora natively supports both MySQL and PostgreSQL.
1. Answer: The BI platform has introduced additional load on the database. Because the BI forecasting requires access to most or all of the dataset, the cache cannot be used to offload the required reads. To mitigate, implement a database read replica. 2. Answer: True. The two engines are fully supported at the time of writing. Other database engines might be supported in the future.
1. What security configuration task must be completed for ELB access logs to function? 2. Are ELB access logs useful for troubleshooting issues such as spikes in request counts and Layer 7 access codes?
1. Answer: The logs are sent to an S3 bucket. The S3 bucket policy must be configured to grant ELB access logs write permissions. 2. Answer: Yes, ELB access logs capture request details and server responses.
1. Which components need to be considered as dynamically changing over time when backing up your application? 2. How often must a backup be taken, and how quickly must the application be recovered if it has a recovery-point objective (RPO) of 30 minutes and a recovery-time objective (RTO) of 1 hour? 3. Is it possible to retain a backup of an RDS database for an indefinite amount of time?
1. Answer: The state of the application and the data. All stateful services should be backed up regularly. If a service is stateless, no backup is required because the objects in that service can be re-created with either an original image or an orchestration template. 2. Answer: The application needs to be backed up at least once every 30 minutes (more is recommended if financially viable) to meet the RPO. The application needs to be recovered and operational within 1 hour to meet the RTO. 3. Answer: Manual RDS snapshots can be taken of the RDS database and retained indefinitely.
1. You have issued a request to download an object on an S3 bucket. Your request receives a 403 HTTP response. What could be the cause of the bad response? 2. True or False: You need to enable the EC2 instance health monitoring first before you can create a CloudWatch Alarm based on the state of the instance check.
1. Answer: There is an issue in the user, group, role, or bucket policy. All policies in AWS combine with equal weight, and a denial to a resource in one policy has a global effect on the request. 2. Answer: False. EC2 instances have the automatic health check configured; health monitoring can be used directly in CloudWatch Alarms to trigger an alert based on the health check.
1. Can a VPC peering connection span multiple AWS regions and accounts? 2. An organization is connecting many VPCs using VPC peering connections. This solution has become overly complex and must be simplified. Which AWS networking product provides a solution to this issue?
1. Answer: Yes, VPC peering connections can be created with VPCs in different regions. A VPC peering connection can be established with a VPC in a different account, but the owner of the other account must accept your peering connection request. 2. Answer: The AWS Transit Gateway provides a highly available and scalable service that can be used to connect many VPCs. This eliminates the need for a complex full-mesh network of VPC peering connections and instead creates a simple hub-and-spoke topology.
1. You are required to deploy an application with a highly available persistent datastore. In how many availability zones must you deploy your application storage system to achieve this at a minimum?
1. Answer: You can use the EBS service to create a highly available persistent volume.
1. You need to troubleshoot the success of connections using HTTP response codes. Which logs should you review? 2. When you enable logging on a CloudFront distribution, what configuration changes are required on the destination S3 bucket?
1. Answer: You should review the CloudFront and Application Load Balancer logs. 2. Answer: The destination bucket ACL is automatically updated to allow log delivery.
2. You are creating a security group that allows monitoring software to communicate with EC2 instances using ICMP. The monitoring software will initiate communication to the EC2 instances. Which statements regarding this configuration are correct? (Choose two.) A. You need to configure the security group to allow the necessary incoming traffic. B. ICMP cannot be tracked by a security group because it is a connectionless protocol. C. You need to allow outbound ICMP on the security group. D. You do not need to allow outbound ICMP on the security group.
2. Answer: A and D are correct. ICMP traffic can be tracked by a security group. A security group is stateful and dynamically allows return traffic. Therefore, you do not need to allow outbound ICMP on the security group.
2. What types of traffic can be inspected by the AWS Network Firewall? (Choose two.) A. HTTPS (SNI)/HTTP protocol URL filtering B. Deep packet inspection for encrypted traffic C. DDoS mitigation D. Domain, port, protocol, IP addresses, and pattern matching
2. Answer: A and D are correct. The AWS Network Firewall supports outbound traffic control using HTTPS (SNI)/HTTP protocol URL filtering, access control lists (ACLs), DNS queries, and protocol detection. AWS Network Firewall rules can be based on domain, port, protocol, IP addresses, and pattern matching.
2. Which of the following services would you recommend to use for security incident alerting? A. Store the logs to CloudWatch Logs. Use an alert pattern in CloudWatch Alarms and send the alerts via SNS. B. Store the logs to CloudWatch Logs. Use an alert pattern in CloudWatch Logs Insights to trigger security incident alerts. C. Store the logs to CloudWatch Logs Insights. Use an alert pattern in CloudWatch Logs Insights to trigger security incident alerts. D. Store the logs to CloudWatch Logs Insights. Use an alert pattern in CloudWatch Alarms and send the alerts via SNS.
2. Answer: A is correct. CloudWatch Logs stores logs. CloudWatch Alarms can be configured to trigger on a pattern-matching condition (for example, a certain number of failed login attempts in a certain amount of time). CloudWatch Logs Insights can be used later to determine the cause of the issue; however, it cannot be used in the real-time alerting chain.
2. A DDoS attack from many different source IP addresses is reaching web servers running on EC2. You cannot create firewall rules for every source IP address because there are too many to manually track. How can you mitigate this attack? A. Use a rate limit rule on the AWS WAF. B. Use a dynamic rule in a security group that matches the attack pattern. C. Create a dynamic NACL list based on the contents of VPC flow logs. D. Block entire malicious subnets in the necessary security groups.
2. Answer: A is correct. Rate-based rules track the number of requests from incoming IP addresses. When the configured limit is exceeded, the rule action is enforced on the offending IP addresses.
2. Which of the following credentials cannot be stored in the AWS Secrets Manager? A. IAM passwords B. AWS RDS databases C. OAuth tokens D. Secure Shell (SSH) keys
2. Answer: A is correct. The AWS Secrets Manager can store credentials for the following: AWS RDS databases, AWS DocumentDB database, AWS Redshift clusters, Non-AWS databases, application programming interface (API) keys, OAuth tokens, and Secure Shell (SSH) keys.
2. You have deployed an Aurora database primary instance in availability zone us-east-1a. What steps need to be taken to make the data in the Aurora database highly available? A. None. B. Deploy a read replica to us-east-1b. C. Turn on Multi-AZ. D. Create a snapshot of the database volume.
2. Answer: A is correct. The Aurora database has a cluster volume that is replicated six times across three availability zones. After a database is created, the volume itself is automatically made highly available. If the single instance fails or the availability zone where the single instance resides is unavailable, a new instance creation is attempted by the Aurora service. However, there is no guarantee that the launch will succeed; this is why in production it is recommended to keep an Aurora read replica instance in another AZ so that it can be quickly promoted to primary in case of failure.
2. The TTL has expired on an object that is cached by a CloudFront distribution. However, the cached file still matches the most current version in the origin. How will CloudFront handle the next request for this file? A. CloudFront forwards the request to the origin server, which returns the status code 304 Not Modified. B. CloudFront forwards the request to the origin server, which returns the status code 200 OK. C. CloudFront forwards the request to the origin server, which returns the status code 304 Not Modified and sends the latest version of the file to the CloudFront distribution. D. CloudFront forwards the request to the origin server, which returns the status code 200 OK and sends the latest version of the file to the CloudFront distribution.
2. Answer: A is correct. When the TTL on a file expires, CloudFront forwards the next incoming request to the origin server. If CloudFront has the latest version, the origin returns the status code 304 Not Modified.
2. Which of the following are required to enable the application to scale automatically with AWS AutoScaling? (Choose three.) A. EC2 Launch Configuration B. Scaling Policy C. EC2 User Data D. DynamoDB E. CloudWatch Alarm F. AutoScaling Group
2. Answer: A, B, and F are correct. To create an autoscaling configuration on EC2, you need an EC2 Launch Configuration that defines how to configure the EC2 instances that are launched; a scaling policy that determines the scaling thresholds; and an autoscaling group that determines the minimum, maximum, and desired numbers of instances.
2. Which of the following services can you use to make your application highly available within a region? (Choose all that apply.) A. ELB Classic B. NLB C. ALB D. Route 53
2. Answer: A, C, and D are correct. The NLB can balance traffic within only one availability zone. ALB and ELB Classic can both send traffic to multiple AZs. Route 53 can be used to balance traffic across two endpoints in two availability zones with weighted routing as well.
2. You have an RDS instance running in AWS account #1. A new application is being deployed in a new VPC within AWS account #2. A Route 53 private hosted zone exists in AWS account #1. What must be done to allow the VPC in AWS account #2 to be associated with the private hosted zone? (Choose two.) A. Create a VPC peering connection. B. Authorize the association between the private hosted zone in account #1 and the VPC in account #2. C. Run a command to create the association between the private hosted zone in account #1 and the VPC in account #2. D. Configure a public hosted zone that will be available to both VPCs.
2. Answer: B and C are correct. You must first authorize the association of the VPC and the hosted zone. You do this with the aws route53 create-vpc-association-authorization command. Next, you establish the association with the aws route53 associate-vpc-with-hosted-zone command.
2. You have just decreased the TTL on a CloudFront distribution. Which of the following results may occur? (Choose two.) A. Outdated content may persist for longer. B. The cache hit ratio of the CloudFront distribution may drop. C. CloudFront needs to retrieve less content from the origin. D. Outdated content is purged from the cache more quickly.
2. Answer: B and D are correct. Because the TTL is lower, the CloudFront distribution checks for outdated content more frequently. This results in more cache misses but also purges outdated content from the cache more quickly.
2. You must configure a Route 53 domain name (example.com) to route traffic to a static website hosted on EC2. If the EC2 instance is down, Route 53 should redirect requests to a static website in Amazon S3. Which configurations are required? (Choose two.) A. Configure weighted routing in Route 53 with a health check being performed against the EC2 IP address and the S3 bucket. B. Create an alias record for the S3 bucket as the secondary. C. Create a CNAME record for the S3 bucket as the secondary. D. Configure failover routing in Route 53 with a health check being performed against the EC2 IP address.
2. Answer: B and D are correct. When a Route 53 health check against the EC2 instance returns unhealthy, the static website in S3 is what users see. When your health check returns healthy again, traffic is automatically routed back to the EC2 instance. There is no need for a health check on the S3 static website. An alias record must be used for the zone apex.
2. You have been asked to perform an inventory of EC2 instances in your AWS account. What would be the simplest way to determine the number and types of instances and which Amazon Machine Image (AMI) is being used across all regions? A. Use AWS Systems Manager Automation to create a snapshot of the environment. B. Use AWS Config to create a snapshot of the environment. C. Use the AWS CLI and issue a list-instances command. Repeat for all regions. D. Use the AWS SDK to write code to perform the list-instances API call. Create a Lambda function and invoke it. Repeat for all regions.
2. Answer: B is correct. An AWS Config snapshot is the simplest way to capture the number, type, and AMI being used by your EC2 instances across all regions.
2. Which service would you use to notify a security response team of a critical CloudTrail event? A. CloudWatch Logs Insights B. CloudWatch Alarms C. CloudTrail Notifications D. CloudTrail Alarms
2. Answer: B is correct. CloudTrail can be integrated with CloudWatch Alarms that can be triggered when an event or a specific pattern of events is captured by CloudTrail.
2. A restaurant hosts a website in the us-west-1 region that highlights locations on the West Coast. Visitors from California should be directed to this website. They are preparing to open a new set of locations on the East Coast and want to host a different version of the website in us-east-1. All visitors from Florida should be directed to the website in us-east-1. Visitors from all other states should get the website that is hosted in us-west-1. Which routing policy should be used? A. Geoproximity routing B. Geolocation routing C. Latency-based routing D. Weighted routing
2. Answer: B is correct. Geolocation routing lets you choose the resource record that will be returned based on the geographic location (state, nation, or continent) where DNS queries originate from.
2. You have configured a CloudFront distribution to cache static content from an Apache2 web server. The content on the web server is refreshed every 15 minutes when the application is updated. However, the users are complaining that they seem to see updates only every 2 hours or so. What is most likely the problem, and how would you resolve this issue? A. CloudFront TTL is too long. Set the Min TTL to 15 minutes. This will ensure the content is refreshed every 15 minutes. B. Origin TTL is too long. Set the Max TTL to 15 minutes. This will ensure the content is refreshed every 15 minutes. C. Origin TTL does not exist. Set the Default TTL to 15 minutes. This will ensure the content is refreshed every 15 minutes. D. CloudFront TTL does not exist. Set the TTL to enabled and Default TTL to 15 minutes. This will ensure the content is refreshed every 15 minutes.
2. Answer: B is correct. Max TTL defines the longest possible cache TTL and is used to override any cache-control headers defined at the origin server that are likely to be misconfigured.
2. Based on the figure shown, what is the most likely cause of the failed connection? 74.76.58.81 10.1.101.112 56071 22 x x xxx xxxxxxxxx xxxx REJECT OK A. A security group is blocking incoming traffic from source IP 10.1.101.112. B. A security group is blocking incoming traffic on port 22. C. A security group is blocking outgoing traffic on port 22. D. A security group is blocking outgoing traffic on port 6.
2. Answer: B is correct. Traffic is incoming from public IP 74.76.58.81, 10.1.101.112 is the destination IP, and port 22 is the source port.
2. You have been asked to propose a solution to scale the read portion of an application database back end in the most cost-effective manner possible. Your application runs Linux LAMP stack with a 30 GB MySQL RDS Multi-AZ back end. The read-heavy operations are very predictable and occur during a particularly heavy four-hour operation each week and require the whole dataset. Which option would you recommend? A. Replace the RDS MySQL with Aurora MySQL and let Aurora add read replicas automatically as needed. B. Point the read-heavy operation at the RDS Multi-AZ replica in the other availability zone. C. Deploy a read replica in RDS. Point the application at the RDS read replica. Terminate the read replica after the read-heavy operation is complete. Repeat the process with a script next week. D. Deploy a read replica in RDS. Point the application at the RDS read replica. Create a script that powers off the read replica after the read-heavy operation is complete and powers it on before the next operation with enough time to synchronize the changes.
2. Answer: C is correct. Although A and D are possible solutions, deploying a read replica on a weekly basis would be the most cost-effective way to achieve this goal because the operation is sparse in nature and lasts for only four hours. Deploying a read replica is performed from a snapshot and can be just as fast or even faster than replicating a week's worth of data to the powered-off replica. Although the charges of powered-off instances are reduced, they are not zero. Remember also that you can stop a DB instance for up to seven days. If you don't manually start your DB instance after seven days, your DB instance is automatically started so that it doesn't fall behind any required maintenance updates. B is impossible because a Multi-AZ replica is not accessible for any SQL operations.
2. You manage an application that creates an output file every second with UNIX date stamp as its name. You have been asked to write a script that will ensure these files are sent to S3 in the order that they were created within 5 seconds of their creation. You have decided to try S3 sync, but it seems S3 sync is not suitable for this task. What is the reason? A. S3 sync takes longer than 5 seconds to synchronize the files to S3. B. S3 sync is not suitable for large numbers of unique files. C. S3 sync uploads files in a random manner. D. S3 sync changes the filename of the uploaded files.
2. Answer: C is correct. S3 sync uploads files in a random manner. Because the order of upload must be preserved, you must create a custom script that uploads the files in order.
2. Which of the following is not an MFA category? A. Something that the user has B. Something that the user knows C. Something that the user does D. Something that the user is
2. Answer: C is correct. Something that the user does is not an MFA category. The rest of the answers are valid categories.
2. You have an EIP associated with a secondary ENI on an EC2 instance. What happens to the EIP if you terminate the instance? A. The EIP is released. B. The EIP remains associated with the terminated instance. C. The EIP is still allocated to your AWS account, and you are still billed for it. D. The EIP is still allocated to your AWS account, but you are billed for it only if it is associated with a running instance.
2. Answer: C is correct. The EIP remains associated with your AWS account, and you are billed for it. You must release the EIP to stop incurring charges.
2. You have been asked to select a backup/DR strategy for a mission-critical application. The RPO for the application is defined as 5 minutes, and the RTO is defined as 10 minutes. You have already set up an RDS read replica that shows a lag of less than 45 seconds in a secondary region. The design must meet the requirements and be cost-effective. What approach would you use to deploy the application components? A. Deploy a multisite active-active design to minimize the disruption of the mission-critical application. B. Deploy a warm standby to fail over the mission-critical application in case of a disaster. C. Deploy a pilot light scenario with powered-off copies of the production EC2 instances. Powering them on always meets or exceeds the RTO of the mission-critical application. D. Deploy a pilot light scenario with the same AMIs being used by the production EC2 instances. Deploying the AMIs into EC2 always meets or exceeds the RTO of the mission-critical application.
2. Answer: C is correct. The RPO is ensured with the RDS read replica. The most cost-effective solution to meet the RTO is to use a pilot light with powered-off instances. They boot up within minutes and ensure the application can be recovered and online within the RTO. Powered-off instances can also be started and updated during regular update periods, ensuring that they are up to date in case of a disaster. Deploying from an AMI might take longer than 10 minutes during recovery, because the AMI might be out of date. Because the RTO is 10 minutes, A and B are not cost-effective.
2. Which of the following are valid AWS CLI commands? A. aws ec2 --instance-ids i-1234567890abcdef0 terminate-instances B. aws terminate-instances ec2 --instance-ids i-1234567890abcdef0 C. aws ec2 terminate-instances --instance-ids i-1234567890abcdef0 D. aws --instance-ids i-1234567890abcdef0 terminate-instances ec2
2. Answer: C is correct. The top-level command (ec2) comes directly after aws. The secondary command (terminate-instances) follows the top-level command. The option/argument pair (--instance-ids i-1234567890abcdef0) follows the secondary command.
2. You have created a private subnet in a VPC. Application servers in the private subnet require Internet access for updates. Which statement regarding this configuration is correct? A. A NAT gateway is automatically created for each private subnet. B. A NAT instance is automatically created and runs on EC2. C. To allow Internet access, you should create a NAT gateway within a public subnet and update the route table used by the private subnet. D. To allow Internet access, you should enable NAT on the Internet gateway and update the route table used by the private subnet.
2. Answer: C is correct. To allow Internet access, you should create a NAT gateway. You should modify the route table associated with the private subnet and create a default route that forwards traffic to the NAT gateway.
Which service would you use to analyze the cause of an issue that occurred within your application yesterday?
2. Answer: CloudWatch Logs Insights enables you to discover causes for past issues.
2. You have been asked to select a security approach for an S3 bucket. The bucket has two types of users: an owner with unlimited security and writers who deposit work results with a unique filename based on the node name and time. Writers are not allowed to ever read any of the files on S3, even the ones they created. A. This is not possible on S3 because all writers would need read/write permissions. B. Create an S3 bucket ACL for the writers with write-only permissions. C. Create S3 object ACLs for each possible object with write-only permissions. D. Create an S3 bucket policy for the writers with write-only permissions.
2. Answer: D is correct. A bucket policy allows you to create a write-only (PutObject API) rule that allows the writers to only create new files.
2. You have been asked to deploy an application into production. The production requirement is that four nodes must always be available in the VPC. Which of the following deployments would ensure you meet the requirements? A. Deploy four instances into two VPC subnets and span them across two availability zones. B. Deploy four instances into three VPC subnets. Ensure subnets are created in two availability zones. C. Deploy six instances into four VPC subnets in one availability zone. D. Deploy six instances into three VPC subnets. Ensure the subnets are created in three availability zones.
2. Answer: D is correct. Having six instances across three availability zones ensures you always have four instances available, even if a complete availability zone is lost.
2. You have been asked to collect the 400-type and 500-type errors from a third-party application running on your Linux on-premises servers. Your company would like you to deliver the errors to AWS and tie them into a CloudWatch Alarm. What would be the simplest way to achieve this? A. Install the AWS CLI and copy the logs to an S3 bucket with the aws s3 cp command. Create an S3 trigger to a Lambda function that forwards the logs to CloudWatch for analysis and configure a CloudWatch Alarm to trigger on the specific log pattern. B. Install the S3 CLI and copy the logs to an S3 bucket with the s3 cp command. Create an S3 trigger to a Lambda function that forwards the logs to CloudWatch for analysis and configure a CloudWatch Alarm to trigger on the specific log pattern. C. Install the CloudWatch agent and point the logs to an S3 bucket. Create an S3 trigger to a Lambda function that forwards the logs to CloudWatch for analysis and create a CloudWatch Alarm to trigger on the specific log pattern. D. Install the CloudWatch agent and point it to the application logs. Create a CloudWatch Alarm to trigger on the specific log pattern.
2. Answer: D is correct. Installing the CloudWatch agent is the simplest way to deliver the logs to CloudWatch. The metrics or logs collected can then be used directly on CloudWatch Alarms. It would also be possible to create the solution as described in A, but that approach is unnecessarily complicated.
3. You have public and private subnets in a VPC. In the public subnet, you have a bastion host that is accessible over port 3389. The network for the public subnet is 192.168.10.0/24. In the private network, you have an application server that must be accessible from the bastion host on port 80. The private subnet is network 192.168.20.0/24. A NAT gateway is used to provide Internet access to the private subnet. You are creating a security group for the application servers. Which statements must be manually configured for the security group? (Choose all that apply.) A. Allow port 80 inbound from the bastion host. B. Allow ports 80 and 3389 inbound from the bastion host. C. Allow outbound traffic to the Internet from the application server via the NAT gateway. D. Allow ports 80 and 3389 outbound to the bastion host.
3. Answer: A is correct. Traffic from the bastion host to the application server is on port 80. You do not need to manually allow any outbound traffic because a security group allows all outbound traffic by default.
3. Which of the following is not an EBS metric? A. Read bandwidth B. Read throughput C. Average queue length D. Average transport time
3. Answer: D is correct. Average transport time is not an EBS metric. The rest of the answers are all valid EBS metrics.
3. True or False: After you assess that your application is fully scalable and elastic, you only need to maintain the application as is in the cloud.
3. Answer: False. The application should periodically be reassessed for scalability and elasticity because both the application requirements and the SLA might have changed.
4. True or False: AutoScaling supports only dynamic, scheduled, and predictive scaling.
4. Answer: False. Autoscaling also supports manual scaling by setting the desired number of instances in the autoscaling group.
400 error code
400 - bad request: Any 400 error includes a message like InvalidAction, MessageRejected, or RequestExpired. Specific responses by some services also indicate throttling. In case of throttling, you should retry the requests with exponential back-off.
403
403 - access denied: All IAM policies apply with equal weight, and a deny in one policy denies an action across all policies. Check all the policies attached to the user, group, or role. Check any inline policies and resource policies attached to buckets, queues, and so on.
404
404 - page not found: This error indicates the object, instance, or resource specified in the query does not exist.
500
500 - internal failure: This error indicates an internal error on an operational service on the AWS side. You can immediately retry the request and will probably succeed on the second try. If not, retry with exponential back-off.
503
503 - service unavailable: These errors are rare because they indicate a major failure in an AWS service. You can retry your request using exponential back-off. This way you ensure the request will succeed at some point after the issue is resolved.
SAML
SAML stands for Security Assertion Markup Language. Identity providers (IdPs) that use SAML include Active Directory and Okta.
DynamoDB Global Tables
A DynamoDB global table is a collection of DynamoDB regional tables (called replica tables) that are replicated multidirectionally. To create a global table, you need to first create replica tables in each of the regions where you want to run your application. The replica tables are connected to the global table, and each replica is now subscribed to all other replicas' changes. All changes are replicated across the globe with a consistency window of one second. A write to one of the tables is replicated across all other regions within one second.
A VPC endpoint
A VPC endpoint is a virtual interface that allows resources inside a VPC to communicate with other AWS resources outside the VPC without traversing the Internet. For example, you can connect to an S3 bucket over the AWS private backbone using a VPC endpoint.
What is a VPC peering connection used for? What is transitive peering? Is it supported in VPC peering?
A VPC peering connection is used to establish a connection between two VPCs over the global AWS backbone network without the requirement for a VPN.
Can a VPC span multiple Availability Zones? Can a subnet span multiple availability zones?
A VPC spans all of the availability zones (AZs) in the region but cannot span multiple regions. Each subnet is local to an AZ.
What type of document is a bucket policy written in?
A bucket policy is a JSON-formatted document with the same structure as inline IAM policies. It allows you to granularly control each API action against the bucket or object.
A default _______ is automatically created in every AWS region for your AWS account
A default VPC is automatically created in every AWS region for your AWS account
A gateway endpoint
A gateway endpoint connects to DynamoDB or S3.
Software Site-to-Site VPN
A software VPN appliance (such as OpenVPN) runs on an EC2 instance in the AWS VPC.
What is a stack?
A stack is a group or collection of AWS resources that you want to manage as a single unit.
Warm Standby
A warm standby elaborates on the pilot light strategy by having a small subset of AWS services operational at all times. This is particularly important when the RPO and RTO are very low and the whole application needs to be up and running within a few minutes at worst. In case of a disaster, the warm standby can be made primary and scaled out to support production traffic. This solution is costlier because it requires you to have an active, lower-capacity site always up and running.
AWS CloudFormation
AWS CloudFormation, an Infrastructure as Code (IaC) solution, is designed to make the managing of AWS Resources less time consuming.
AWS CloudFormation:
AWS CloudFormation: The standard way to interact with the AWS services through a specification document. CloudFormation provides the ability to implement an Infrastructure as Code (IaC) approach when deploying your applications.
AWS Cognito:
AWS Cognito: A centralized authentication service for mobile and web users that can easily be federated with external directories through OpenID Connect, OAuth 2.0, and SAML 2.0.
AWS Cost Explorer
AWS Cost Explorer is a tool that allows you to view your AWS costs by service in an easy-to-read graph.
AWS Device Farm:
AWS Device Farm: A tool for testing an application on mobile devices in the Amazon cloud at scale before deploying them to production.
AWS Fargate
AWS Fargate: AWS Fargate is a serverless compute resource that utilizes containers. It is considered a managed service because Amazon takes care of the management of software patching, securing the container, and scaling.
AWS Glue:
AWS Glue: A serverless ETL and catalog service that provides the ability to manage data at scale and execute data transformation at a very low cost.
AWS Internet of Things (IoT) Services
AWS Internet of Things (IoT) Services: A set of services designed to provide everything required to run IoT, including the FreeRTOS operating system and components that help manage and work with IoT devices at any scale.
AWS OpsWorks
AWS OpsWorks: A managed service for running Chef- and Puppet-compatible configuration management services in the AWS cloud.
AWS Pinpoint:
AWS Pinpoint: A service that allows developers to easily engage users on their devices with targeted, segmented (ML) marketing using email, SMS, and mobile push.
AWS SageMaker:
AWS SageMaker: Powerful tools that allow developers to design, build, and train machine learning models quickly.
AWS Shield Advanced
AWS Shield Advanced is a paid service. It provides mitigations against large and sophisticated DDoS attacks. AWS Shield Advanced includes 24/7 access to the AWS DDoS Response Team (DRT), which provides live support from a team of AWS DDoS experts. Most attacks (99 percent) on CloudFront or Route 53 are mitigated within 1 second.
AWS Shield
AWS Shield is a managed DDoS protection service. It is available in two different offerings: Standard and Advanced.
AWS Snow Family
AWS Snow Family: These data transfer devices allow for physically moving data from on-premises to the cloud at any scale.
AWS Storage Gateway
AWS Storage Gateway: This hybrid storage solution exposes AWS as storage services to on-premises servers.
AWS Systems Manager
AWS Systems Manager: A managed service for deployment, maintenance, and management of fleets of Linux and Windows servers in the AWS cloud as well as on-premises.
How does AWS WAF support against DDoS attack?
AWS WAF also supports rate-based rules that can help protect against DDoS and brute-force attacks. A rate-based rule is triggered when the number of requests from an IP address exceeds a defined threshold.
What is the automated method for rotating keys called?
AWS doesn't provide an automated method of rotating keys, so you need to manually deactivate older keys and create new keys using the Security Credentials tab for each user.
IAM Roles
AWS services sometimes need to access AWS resources, much like a user. But you can't assign user account credentials to an AWS service. Instead, you use a role, which provides temporary permissions to an entity when the entity assumes the role.
What are the equivalent of username and password for AWS?
Access keys: As previously mentioned, when you create a user account, you have the option to create a key pair for authentication. One key is called the access key ID, and the other is called the secret access key. This is similar to a username and password in the sense that both keys are used to authenticate a user when the user needs programmatic access to their AWS account.
Amazon Aurora
Amazon Aurora is the next-generation open-source engine with native support for both MySQL and PostgreSQL engines.
Amazon Cloud Hardware Security Module (CloudHSM):
Amazon Cloud Hardware Security Module (CloudHSM): This is a cloud-enabled hardware security device.
Amazon CloudWatch:
Amazon CloudWatch: The AWS cloud monitoring service, which allows for storing metrics and logs from any device running on AWS or on-premises.
Amazon DocumentDB:
Amazon DocumentDB: A fully managed instance-based nonrelational document database service in AWS.
Amazon DynamoDB:
Amazon DynamoDB: A fully managed cloud native, serverless nonrelational key-value and document database service in AWS.
Amazon Elastic Load Balancing (ELB):
Amazon Elastic Load Balancing (ELB): This service allows load balancing of traffic across multiple EC2 instances, ECS containers, or other IP addressable targets.
Amazon Elastic Transcoder:
Amazon Elastic Transcoder: A cost-effective and scalable fully managed media transcoding service.
Amazon Glacier
Amazon Glacier: This archive storage solution can be automatically integrated with S3.
Amazon GuardDuty
Amazon GuardDuty is a tool that performs threat detection functions in your AWS infrastructure.
Amazon Identity and Access Management (IAM)
Amazon Identity and Access Management (IAM): This service allows for control of access to AWS as well as access to an application in one place.
Amazon Inspector
Amazon Inspector is a tool that helps you determine security vulnerabilities in applications that you deploy on an EC2 instance within AWS. To use Amazon Inspector, you first install an agent on the EC2 instance.
Amazon Inspector:
Amazon Inspector: This tool provides an assessment of services running in AWS with a prioritized, actionable list for remediation.
Amazon Key Management Service (KMS):
Amazon Key Management Service (KMS): This service enables you to define a unified way to manage encryption keys for AWS services and applications.
Amazon Keyspaces:
Amazon Keyspaces: A fully managed serverless Cassandra nonrelational database service in AWS.
Amazon Kinesis:
Amazon Kinesis: A fully managed set of services that offer the ability to capture, process, and store streaming data at any scale.
Amazon Lambda:
Amazon Lambda: Provides the ability to process simple functions in the AWS cloud.
Amazon Neptune:
Amazon Neptune: A fully managed instance-based graph database service in AWS.
Amazon QLDB:
Amazon QLDB: A fully managed serverless ledger database service in AWS.
Amazon RDS
Amazon RDS: This service is considered a managed service because Amazon sets up the database that you choose (Aurora, MySQL, MariaDB, Oracle, SQL Server, or PostgreSQL) and provides a way to automate management tasks, like performing backups of your database, patching the database software, and providing data replication.
Amazon RedShift:
Amazon RedShift: A fully managed instance-based data warehousing service for deployment of petabyte-scale data clusters at very low cost.
Amazon Relational Database Service (RDS):
Amazon Relational Database Service (RDS): A fully managed instance-based relational database service for deployment and managing of Amazon Aurora, PostgreSQL, MySQL, MariaDB, Oracle, and Microsoft SQL Server databases in AWS.
Amazon S3
Amazon S3 is a fully managed, serverless object storage service accessible via HTTP and HTTPS.
Amazon Simple Storage Service (S3):
Amazon Simple Storage Service (S3): This solution is designed to store unlimited amounts of data; S3 is the ultimate object storage system. All objects in S3 are accessible via standard HTTP requests.
Amazon Web Application Firewall (WAF):
Amazon Web Application Firewall (WAF): This service protects web applications from attacks using exploits and security vulnerabilities.
AWS-Managed VPN
An AWS-managed VPN is an IPsec VPN connection between your datacenter and an AWS VPC. The VPN terminates on a virtual private gateway in the AWS VPC.
What is an elastic IP address? What happens to an elastic IP when the instance is terminated or stopped?
An Elastic IP (EIP) address is a public IP address that can be associated with an ENI. This dedicated IP address is not released, even if the associated instance is stopped or terminated, as long as the ENI remains.
Elastic Network Interfaces
An Elastic Network Interface (ENI) is a virtual network interface in a VPC.
Long-Term Support (LTS)
An LTS build is a stable build that should be supported for a longer than average period of time.
What is an OAI? What does it do? How do you make it work?
An Origin Access Identity (OAI) is used to restrict access to an S3 bucket. If a bucket is serving as the origin for a CloudFront distribution, there may be no legitimate reason to access the contents of the bucket directly using the S3 bucket domain. The result of this configuration is a special user (the OAI) that is created for CloudFront. You must then configure the S3 bucket permissions so that only the OAI can access the restricted content. This is done by configuring an S3 bucket policy and identifying the OAI as a principal.
What does an RTO of 1 hour mean?
An RTO of one hour means that you need to bring the application back to the state before the event within at most one hour.
What can be used as a low-cost static backup for a primary website in the event of an outage by configuring failover routing in Route 53?
An S3 static website does not require any servers and is a managed service. It can be used as a low-cost static backup for a primary website in the event of an outage by configuring failover routing in Route 53.
Active-Passive
An active-passive upgrade is similar to using a blue/green deployment. With an active-passive upgrade, the upgrade is deployed to the active environment and the passive environment is not changed.
What is an additional benefit of caching with Elasticache?
An additional benefit of caching with ElastiCache is that the two engines used, Memcached and Redis, are both in-memory datastores. In comparison with databases where response latencies are measured in milliseconds to seconds, the response times from in-memory databases are measured in microseconds to milliseconds.
What is an Alias record? Can you create a CNAME record for the Zone Apex?
An alias record is a DNS record type that is unique to Route 53. An alias record is used to forward traffic to an AWS service, such as a CloudFront distribution, an Elastic Load Balancer, or an S3 bucket. You can create an alias record at the zone apex. For example, if you register the domain rickcrisci.link, the zone apex is rickcrisci.link. You cannot create a CNAME record for the zone apex.
What is an example of sideloaded caching? What does it do?
An example of a sideloaded caching solution is ElastiCache. First, you set up the caching cluster with ElastiCache and a database. The database can be DynamoDB, RDS, or any other database because ElastiCache is not a purpose-built solution like DAX. Second, you have to configure the application to look for any content in the cache first. If the cache contains the content, you get a cache hit, and the content is returned to the application with very low latency.
What is an example of in-line caching? What does it do?
An example of an in-line caching solution is the DynamoDB Accelerator (DAX) service. With DAX, you can simply address all reads and writes to the DAX cluster, which is connected to the DynamoDB table in the back end. DAX automatically forwards any writes to DynamoDB, and all reads deliver the data straight from the cache in case of a cache hit or forward the read request to the DynamoDB back end transparently. Any responses and items received from DynamoDB are thus cached in the response or item cache.
What is predictive scaling?
Another AutoScaling feature is predictive scaling, which uses machine learning to learn the scaling pattern of your application based on the minimum amount of historical data. The machine learning component then predicts the scaling after reviewing CW data from the previous 14 days to account for daily and weekly spikes as it learns the patterns on a longer time scale.
Transit Gateway
As you add more VPC peerings, this architecture can become very complex. The transit gateway can resolve this issue by allowing many VPCs to connect to it in a hub-and-spoke topology.
If you would like to assign a static public IP to an instance and have the public IP assigned to the instance or application persistently through reboots, what must you do?
Assign and attach an Elastic IP address to an instance. Elastic IPs are persistent regardless of the state of the instance, and they can also be detached and reattached to any instance in your VPC.
How many replicas can Aurora have in a region?
Aurora supports up to 15 read replicas per region.
Systems Manager Automation does what 4 things?
Automating provisioning and configuration of instances; Enhancing the security of your environment by implementing automated responses to security-related events; Reacting to changes in your environment through integration with Amazon EventBridge support
Are Secrets a global resource?
By default, secrets are region-based resources. AWS provides a feature called multi-region secrets to allow you to replicate secrets across multiple regions.
Due to a recent security incident where several EC2 instances were terminated by a rogue employee, your CISO has tasked you with ensuring all destructive requests against the EC2 service are logged and maintained for a long period of time. You also need to ensure the logs are stored securely in a centralized S3 bucket. Your CISO is also worried about tampering with the logs and would like to prevent that. You have chosen to use CloudTrail as the service to provide this feature. How would you configure CloudTrail to comply with the requirements? A. Configure a new CloudTrail trail. Select EC2 as the service and WRITE as API for the activity. Point the trail to the default S3 location. CloudTrail ensures all EC2 actions use integrity validation on the default S3 bucket. B. Configure a new CloudTrail trail. Select EC2 as the service and WRITE as API for the activity. Point the trail to the default S3 location. Enable integrity validation on the trail. C. Configure a new CloudTrail trail. Select EC2 as the service and WRITE as API for the activity. Point the trail to the designated central S3 location. Enable integrity validation on the trail. D. Set the default CloudTrail. CloudTrail ensures all default actions use integrity validation by default.
C. Configure a new CloudTrail trail. Select EC2 as the service and WRITE as API for the activity. Point the trail to the designated central S3 location. Enable integrity validation on the trail.
What are the four types of Load Balancers in AWS?
Classic Load Balancer; Application Load Balancer (ALB); Network Load Balancer (NLB); Gateway Load Balancer (GLB)
What are the 4 different types of caching?
Client-side caching; Server-side caching; Edge caching; Database caching
What two services does AWS provide that enable you to capture metrics and logs to perform monitoring and alerting?
CloudWatch and CloudTrail
You can use a ______________template to deploy all network components. If a failure or human error occurs during an update, you can simply roll back any changes or even redeploy the entire environment through the original ______________ template to recover the objects.
CloudFormation
What is CloudFront? What does CloudFront always begin with?
CloudFront is a content delivery network service that speeds up delivery of your static and dynamic web content. CloudFront always begins with an origin. In this case, assume the origin is content in an S3 bucket.
Amazon CloudFront
CloudFront is a global content delivery network that can offload static content from the data origin and deliver any cached content from a location that is geographically much closer to the user.
CloudFront Security
CloudFront is also inherently secure against distributed denial-of-service (DDoS) attacks because the content is distributed to more than 200 locations around the globe. An attacker would need to have a massive, globally distributed botnet to be able to attack your application.
How do http status codes work with CloudFront logs? What code do you get if the content is the same? What code do you get if the content is different?
CloudFront serves the cached version of a file from an edge location until the file expires. After a file expires, CloudFront forwards the request to the origin server. When a cache miss occurs, the content must be retrieved from the origin. To the origin, this appears as a web request. The origin may return an HTTP error code (4xx or 5xx status codes). CloudFront may still have the latest version, in which case the origin returns the status code 304 Not Modified. If a newer version exists in the origin, the origin returns the status code 200 OK and the latest version of the file.
How does CloudTrail enforce security?
CloudTrail also enforces automatic encryption at rest and in transit by default and is configurable with a custom KMS key for even more control over key management.
CloudTrail:
CloudTrail: This service tracks all requests to the AWS APIs, giving you a complete audit trail of all actions to AWS accounts.
CloudWatch Logs Insights
CloudWatch Logs Insights provides a simple-to-use interface where you can run SQL-like queries to search and filter through the log content, run simple transformations, and visualize the data.
Name one service that allows you to trigger alerts when a certain condition is present?
The CloudWatch service enables you to trigger alerts when a certain condition is present for a certain number of CloudWatch checks.
The three primary placement strategies that you can use when defining a placement group are: What do they entail?
Cluster: You use this method when you want your EC2 instances to be physically close to each other within an availability zone (AZ). This reduces latency issues when communicating between the instances via the network. Partition: This strategy creates logical partitions so a group of instances within one partition does not share hardware with a group of instances in another partition. Spread: This strategy ensures that a small group of instances is spread across different hardware. It is similar to the default behavior of how AWS places EC2 instances, but when you have a lot of EC2 instances, the default behavior can result in some instances sharing underlying hardware; this method is designed to make sure that the group of instances does not share hardware.
What does Compute Optimizer use to analyze logs?
Compute Optimizer requires Amazon CloudWatch monitoring.
What are the 5 categories for Trusted Advisor?
Cost optimization; Performance; Security; Fault tolerance; Service limits
What do you do after associating the EC2 role with the IAM policy when configuring VPC flow logs?
Create the CloudWatch log group.
What allows a service to survive a regional outage and can be used to mitigate any disaster situation?
Cross-Region Replication
CloudWatch operates at what level? A. Global B. Regional C. AZ D. Subnet
Data in CloudWatch is stored to a regional repository, meaning all monitoring for a region is completely isolated from any other regions and inherently highly available.
What happens to data in the Cloudfront if the data in the origin is changed before the TTL expires?
Data that is stored in the CloudFront Edge locations is considered current for a specific amount of time, as defined by the TTL. If data changes in the origin (for example, a video file is replaced in an S3 bucket), those changes are not visible to the end user until the TTL expires, and the cached version of the object is replaced.
AWS Compute Optimizer
Determining whether a compute resource is cost-effective can be difficult without metrics. The AWS Compute Optimizer performs metric checks on AWS compute resources and generates recommendations that are designed to help you reduce your AWS costs
What are dimensions? How many dimensions does cloudwatch allow you to create? Do built-in dimensions count toward this maximum?
Dimensions are key:value pairs assigned to metrics to allow for a more granular analysis of those metrics within a specific namespace. CloudWatch allows you to create 10 dimensions for each metric. However, some services have built-in dimensions, and they also count against the limit of 10.
Storage phase
During the Storage phase, you should also consider where the data will be stored and who should have access to the data.
Amazon DynamoDB
DynamoDB is a serverless NoSQL solution that uses a standard HTTPS access model to access table data. A table in DynamoDB is a collection of items that is regionally bound.
What is DynamoDB's built-in solution for backups?
For DynamoDB, the built-in solution is table backups. A table backup is a point-in-time copy of the DynamoDB table that can be used to restore both the complete table and specific items.
EC2 AMI
EC2 AMI, or Amazon Machine Image, is used to launch an EC2 instance.
What AWS service can be used to monitor EC2 instance health checks?
EC2 instance health check failure: All instances have an automatic health check configured. This can be monitored with CloudWatch, and you can create an alarm that informs you of any issues of this type.
Amazon Elastic File System (EFS)
EFS: The Amazon Elastic File System is a storage location where you can place files. It is considered a managed service because it grows automatically in size as needed and you don't need to manage provisioning, patching, or maintaining EFS.
ELB Classic
ELB Classic is the previous-generation load-balancing service that still provides a robust and simple-to-use load balancer to forward traffic to one or more availability zones within a region. ELB Classic is also supported on the EC2 Classic network. Neither one of these services is intended for use with modern, highly available, resilient architectures, and they are provided at this point merely for backward compatibility.
Each subnet is mapped to an __. A VPC exists inside a single AWS _____ and cannot span multiple ________. Instances can be spread across multiple ___ within a ______ by placing the VMs on different _______.
Each subnet is mapped to an AZ. A VPC exists inside a single AWS region and cannot span multiple regions. Instances can be spread across multiple AZs within a region by placing the VMs on different subnets.
ElastiCache
ElastiCache is a managed service that can deploy clusters of in-memory data stores. They can be used to perform server-side and database caching.
Several AWS services can make use of ACM certificates, including the following:
Elastic Load Balancing; Amazon CloudFront; Amazon API Gateway; AWS Elastic Beanstalk; AWS CloudFormation; AWS App Runner; AWS Nitro Enclaves
What integrates with EC2, ECS, EKS, and other AWS services and enables you to distribute traffic across multiple instances of your application for high availability?
Elastic Load Balancing (ELB)
What is the difference between EventBridge and CloudWatch Event?
EventBridge is the successor of CloudWatch Events. It can integrate with more than just AWS services and applications, extending event recognition to third-party SaaS applications and service providers.
What are the 3 retrieval categories for Glacier?
Expedited retrieval: Retrieval of archives up to 250 MB takes 1-5 minutes. Standard retrieval: Retrieval of archives takes 3-5 hours. Bulk retrieval: Retrieval of large numbers of archives takes 5-12 hours.
Can users reset their own IAM passwords?
For the exam, recall that the ability for users to reset their own IAM passwords is not enabled by default.
What are the different volume types for EBS performance optimization?
General-Purpose SSD: Cost-effective storage devices that provide decent speed. These are also often referred to as gp2 and gp3; the main difference is that gp3 has a better maximum throughput per volume. Provisioned IOPS SSD: Higher cost but faster storage devices. These are also often referred to as io1 and io2; the main difference is that io2 has slightly better durability. Magnetic: The slowest volume types, which should be used only when data is not accessed frequently.
Geolocation
Geolocation: Can force users from certain regions or countries into specific AWS regions. This policy is great for compliance and custom regional traffic shaping.
Geoproximity
Geoproximity: Can route users from nearby locations to the closest region. This policy is independent of the country or region and merely depends on the distance to the region.
What is the archiving tier of S3 in AWS?
Glacier
What happens if the primary RDS database fails?
If the primary fails, the service detects the failure and promotes the secondary into the primary role. A new secondary is deployed in another AZ from the most recent snapshot and synchronized with the new primary.
How can you remove a file from CloudFront Edge caches before it expires?
If you need to remove a file from CloudFront edge caches before it expires, you can perform an invalidation.
Amazon RDS
In AWS the Amazon Relational Database Service (RDS) allows you to deploy, manage, and operate traditional relational databases with managed options for elasticity, scalability, as well as high availability and resilience.
AWS Elastic Beanstalk
In other words, the goal of CloudFormation is to make it easy to manage the infrastructure resources (EC2 instances, database resources, and so on). With Elastic Beanstalk, the focus is on the application, and the infrastructure is automatically provisioned as needed by Elastic Beanstalk. If you are asked an exam question that is related to provisioning infrastructure components, think AWS CloudFormation. If the question is related to deploying applications, think AWS Elastic Beanstalk.
Aggregation phase
In the Aggregation phase, you determine which sources of monitoring data provide you with a more complete view of your AWS environment. For example, an EC2 instance that is used to run a web server uses data that is stored on an EBS volume. As a result, monitoring the EC2 instance performance and the performance of the EBS volume can provide the best overall view of the solution's performance efficiency.
What are the two types of Database Caching:
In-line caching: This approach utilizes a service that manages the reads and writes to and from the database. Side-loaded caching: This approach is performed by an application that is aware of the cache and database as two distinct entities. All reads and writes to and from the cache and the database are managed within the application because both the cache and database are two distinct entities.
What is Systems Manager Incident Manager?
Incident Manager: This tool allows you to see incidents related to the availability and performance of applications. The tool also allows you to configure automatic responses to incidents.
How do you improve a hit ratio?
Increasing the TTL is one way to improve this ratio because CloudFront will reach out to the origin for updated content less often. Of course, this means that your users are more likely to get stale data from the cache.
Interface endpoints
Interface endpoints connect to services powered by PrivateLink.
Route 53
It allows users to register domain names, apply routing policies, and perform infrastructure health checks on their web services.
Latency-based routing
Latency-based routing: Measures the latency from the client to the DNS target and delivers the response with the lowest latency target.
What is Amazon EFS/FSx's built-in solution for backups?
Like with S3, this means that you are required to select and maintain a backup scenario for EFS/FSx. You can use the AWS DataSync service because it can incrementally copy any changes to S3.
Difference between a managed vpn and a software site-to-site vpn
Managed VPN: An IPsec VPN connection between a CGW in a physical datacenter and an AWS-managed virtual private gateway. Software site-to-site VPN: An IPsec VPN connection between a CGW in a physical datacenter and a customer-managed EC2 instance.
What are the 6 databases supported by RDS?
MySQL; SQL Server; Oracle; MariaDB; PostgreSQL; forgot the last one...
Canary
New features are released to a specific set of beta testers to determine if the new features have any negative impact on the software. The features are provided in the new beta builds in a very specific manner and typically spread out over several beta releases. This allows the developers some insight as to which new features may have caused an issue and allows the developers the time to fix the issues before releasing the software in a stable build.
What do you do after configuring an IAM policy for VPC flow logs?
Next you create an EC2 Role that uses the IAM policy.
Enhanced Networking
On some EC2 instance types, you can enable a feature called enhanced networking at no cost if the operating system that is running on the EC2 instance is Linux or Windows. This feature results in higher performance by making use of a technology called SR-IOV (Single Root I/O Virtualization): higher bandwidth; higher packets per second (PPS); consistently lower inter-instance latencies.
What is one big benefit of read replicas over caching?
One big benefit of read replicas is that the whole database is replicated to the read replica, not just frequently read items. This means that read replicas can be used where the reads are frequently distributed across the majority of the data in the database.
What mitigates the concern that individuals or groups in your organization will use too many resources, resulting in a higher bill?
One of the concerns your organization may have is that an individual or group may use too many resources, resulting in a high bill. You can use AWS Budgets to prevent this from happening.
What's one reason you might not see any cost allocation tags? Where are they stored?
One reason you might not see any cost allocation tags is that Cost Explorer hasn't been enabled. The cost allocation report is stored in a CSV-formatted file in the S3 bucket that you specify. The report denotes the costs associated with each cost allocation tag.
OpenID Connect
OpenID Connect: This is another standard that is popular with Google and Salesforce.
Operational Excellence pillar
Operational Excellence pillar: "The operational excellence pillar focuses on running and monitoring systems, and continually improving processes and procedures. Key topics include automating changes, responding to events, and defining standards to manage daily operations."
What are the values ComputeOptimizer returns?
Over-provisioned; Under-provisioned; Optimized
Performance Efficiency pillar
Performance Efficiency pillar: "The performance efficiency pillar focuses on structured and streamlined allocation of IT and computing resources. Key topics include selecting resource types and sizes optimized for workload requirements, monitoring performance, and maintaining efficiency as business needs evolve."
What are phase 1 and 2 of establishing an IPSEC VPN connection?
Phase 1 of VPN establishment is IKE and relies on supported hardware and a correct preshared key. Phase 2 of VPN establishment is the IPsec tunnel and relies on the correct hashing and encryption algorithms.
Pilot Light
Pilot light builds on the backup and restore approach, by providing some services that can be easily and quickly started in case of a disaster. The RPO can be lowered from hours to minutes by ensuring you replicate data more often or even by replicating a database to a cross-region read replica. This approach ensures that the loss of data is minimal and could be as low as a few minutes or even seconds, but the RPO/RTO goal of a pilot light should always be set to the "worst-case scenario" of perhaps tens of minutes. The cost of the pilot light strategy can be very low
What is the difference between a public hosted zone and a private hosted zone?
Public hosted zones are used to connect the public IP address of an EC2 instance to the Internet. Private hosted zones are used to connect the private IP to the rest of the resources within the cloud. Both are done with Route 53.
What are the RDS features that can be used to optimize the performance of any of the databases managed by RDS?
RDS Performance Insights: This optional feature enables you to identify where bottlenecks are impacting database performance. RDS Proxy: This service makes use of a collection of connections to the database that are maintained to provide multiple paths to communicate to the RDS database instance. This improves application performance by reducing the increase in CPU and memory utilization when new connections to a database instance are created.
What is a tag? After applying a tag to a resource what can you generate in relation to budget? What does a ____ ______ ____ start as? How do you save the ____ _____ reports?
Recall that a tag is metadata that can be used to group resources for a variety of different functions, including automation tasks, and to group resources by business unit. A cost allocation tag starts as a regular resource tag. Typically, these tags can be assigned when creating a resource or after the resource has already been created. Note that this feature requires an S3 bucket to save the cost allocation reports.
Rolling Upgrades
Rolling upgrades (also called continuous delivery) is the process of frequently providing updates to software. With this upgrade method, there are not specific release points (although it is common for rolling upgrades to happen nightly), but rather when the developer is ready, a new upgrade is released. One advantage of a rolling upgrade is that new features are more rapidly released to customers. However, rolling upgrades may be more susceptible to bugs.
What is Amazon S3's built-in solution for backups?
S3 does not have a backup solution; instead, you can version objects; this means that when an object is re-uploaded and has changed, a complete copy of that object is created in S3 with an incremented version identifier. S3 is also highly durable and is able to life-cycle data to Glacier. This means that S3 itself can also be used as a backup solution.
S3 Sync
S3 sync is an AWS CLI feature that can be a great option when you simply want to copy a large number of files from your production server to AWS. S3 sync creates a synchronization list of files on the local directory with an S3 bucket. The synchronization can also be done in both directions. All you need is a single AWS CLI command, and the data can easily be synchronized.
What are the performance optimization options for buckets?
S3 transfer acceleration: Uses Amazon CloudFront to enable access to bucket contents from edge locations in different geographic locations in the world. S3 multipart uploads: Allows for larger objects to be uploaded in separate parts, which improves performance as the parts are uploaded in parallel.
What is a SDK?
SDK: A software developer kit provides software developers with the tools needed to communicate with AWS. SDKs are written for specific languages, and at the time of writing this book, the following languages have an AWS SDK: JavaScript, Python, PHP, .NET, Ruby, Java, Go, Node.js, and C++.
What's the difference between Parameter Store and Secrets Manager?
Secrets Manager is designed specifically for confidential information, such as database credentials, API keys, or passwords. Parameter Store is designed for a wider range of configuration data, not just secrets.
What are the 7 Route 53 Routing Policies?
Simple Routing; Weighted Routing; Failover Routing; Latency-based Routing; Geolocation Routing; Geoproximity Routing; Multivalue Answer Routing
Staging
Some organizations utilize a staging environment to replicate the production environment.
What interval are standard metrics usually collected at? What interval are detailed metrics usually collected at?
Standard metrics are usually collected with an interval of five minutes, whereas the services that support detailed metrics enable you to collect the data in one-minute intervals.
What are the two retrieval options for Glacier Deep?
Standard retrieval: Default option for retrieval of archives takes 12 hours. Bulk retrieval: Retrieval of large amounts of archives occurs within 48 hours.
How many addresses are reserved by AWS? What are they?
Subnet; Broadcasts; Router; IPAM (DHCP/DNS); Reserved Address
Systems Manager
Systems Manager is a set of AWS tools that offers comprehensive configuration management of fleets of servers.
The accounts where stacks are created by the StackSet are called ______ accounts.
Target
ALB (Application Load Balancer)
The ALB is the next-generation layer 7 load-balancing solution from AWS that can handle HTTP and HTTPS traffic. The service can understand the application request and, based on the pattern of the request, can route the request to multiple back ends.
AWS Certificate Manager
The AWS Certificate Manager (ACM) allows you to manage certificates. This service provided by AWS allows you to perform the following primary tasks: Request a certificate; Import a certificate; Create a private certificate.
AWS Resource Access Manager
The AWS Resource Access Manager (RAM) allows you to share resources across multiple AWS accounts.
AWS Secrets Manager. What are a few services with interoperability with Secrets Manager?
The AWS Secrets Manager is designed to store and manage credential data. Services with interoperability: AWS RDS databases; AWS DocumentDB databases; AWS Redshift clusters.
AWS Security Hub
The AWS Security Hub allows you to execute security checks across your AWS environment automatically. It also allows you to gather alerts from the following security services into a central view: Amazon GuardDuty; Amazon Inspector; IAM Access Analyzer; Amazon Macie; IAM Firewall Manager; Amazon System Manager.
AWS WAF
The AWS Web Application Firewall (WAF) protects your resources and stops malicious traffic. Rules can be created based on conditions like HTTP headers, HTTP body, URI strings, SQL injection, and cross-site scripting.
What are the 5 services that AutoScaling can scale?
The AutoScaling service can scale the following AWS services: EC2: Add or remove instances from an EC2 AutoScaling group. EC2 Spot Fleets: Add or remove instances from a Spot Fleet request. ECS: Increase or decrease the number of containers in an ECS service. DynamoDB: Increase or decrease the provisioned read and write capacity. RDS Aurora: Add or remove Aurora read replicas from an Aurora DB cluster.
Are Elastic Load Balancers (ELB, GLB, NLB) restricted to a region?
The ELB service can deliver both single zone and multizone application high availability, but the load balancer service cannot be deployed across regions.
Gateway Load Balancer (GLB)
The GLB is designed to distribute traffic across third-party virtual appliances. The GLB can be used to seamlessly scale third-party virtual appliances and make third-party applications much more elastic.
AWS Key Management Service (KMS)
The Key Management Service (KMS) allows you to create encryption keys and control their access.
NLB (Network Load Balancer)
The NLB is the next-generation layer 4 load-balancing solution from AWS that can handle TCP, UDP, and SSL/TLS traffic. The NLB is designed to deliver very high network throughput and very low latencies with the capability to serve tens of millions of responses per second.
An OAI restricts access to the Origin to only what? Users can only access objects restricted by an OAI from where?
The OAI restricts bucket access so that only the CloudFront distribution has direct access to objects. Users can access these objects only through a web resource that is part of a CloudFront distribution.
What is required for ELB to use S3 buckets for logging?
The S3 bucket that is used for ELB access logs must be in the same region as the load balancer and must have a bucket policy that allows write permissions for the ELB access logs.
AWS DataSync
The S3 sync approach requires you to do a bit of scripting, and this can be difficult to manage at scale. To avoid having to create your own scripting, you can use the AWS DataSync service. DataSync can synchronize file systems in the production location with other file systems in the backup location or with S3. The DataSync service requires you to use a DataSync agent that has access to the source file system. The DataSync agent uses a secure connection to the DataSync service and employs traffic optimization when transferring data. DataSync can be up to 10 times faster than other solutions for transferring data, making it a great solution to choose when syncing data from on-premises file systems to AWS.
What are the steps in creating an AWS Budget?
The first step of this tool is to create a budget type (Cost Budget is the most commonly used type). The next step is to set up your budget. In the third step, you can set up alerts. These alerts can be used to notify you if you are getting close to your budget maximum. Alerts can be either mailed to individuals or sent via Amazon SNS. A fourth, optional step is to attach an action to an alert. For example, you could create an action that would automatically stop a specific EC2 instance.
What is the first step in configuring VPC flow logs?
The first step required in configuring VPC flow logs is to create the appropriate IAM role. This role must have the permissions to publish VPC flow logs to CloudWatch Logs.
Generation Phase
The focus of the Generation phase is to determine the scope of what you will monitor.
What receives logs from AWS WAF and what does it do with them?
The logs are received by Kinesis Data Firehose, which can be used to trim the logs and reduce the amount of data that gets stored. The logs are commonly stored in S3 after being processed by Kinesis.
What is a hit ratio?
The percentage of requests that are served by CloudFront (without pulling content from the origin) is called the cache hit ratio.
Backup and Restore
The simplest option is backup and restore. All stateful AWS services support some sort of backup. Backup and restore can be a great strategy when the RPO and RTO are long (typically hours) because the approach is very low cost and also very easy to implement.
What is the simplest practice for metric and log collection when running your application on EC2 instances or on-premise servers?
The simplest practice for metric and log collection when running your application on EC2 instances or on-premise servers would be using the CloudWatch agent. The agent can collect data from any source within the operating system and forward that data to CloudWatch as metric or log data. An even better approach is coding API calls to the CloudWatch API within the application code so that the application is able to self-report metrics regardless of the environment where it runs.
What are the 5 general approaches to scaling database performance?
There are five general approaches to scaling database performance: Vertical scaling: You can add more CPU and RAM to the primary instance. Horizontal scaling: You can add more instances to a database cluster to increase the available CPU and RAM, but this approach is not always supported. Sharding: When horizontal scaling is not supported, you can distribute the dataset across multiple primary database engines, thus achieving higher write performance. Caching: You can add a caching cluster to offload reads, which can be expensive. Read replicas: You can add read replicas to offload read traffic, possibly asynchronous.
What are the five key features of Amazon GuardDuty?
There are several key features for Amazon GuardDuty, including the following: Account-level threat detection to determine whether AWS accounts may have been compromised; The ability to create automated threat response actions; Monitoring of potential reconnaissance attempts; Monitoring of possible EC2 instance compromises; Monitoring of possible S3 bucket compromises.
AWS Shield Standard
This basic protection level defends against frequently occurring network and transport layer DDoS attacks.
Amazon CloudFront:
This caching and CDN service is available in the AWS cloud.
AWS Site-to-Site VPN
This component of the VPC provides the capability for establishing VPN connections with on-premises sites.
Amazon Route 53:
This is the next-generation, API-addressable DNS service from AWS.
AWS Direct Connect:
This private optical fiber connection service connects on-premise sites with AWS.
Amazon Virtual Private Cloud (VPC)
This service allows you to connect applications with private network ranges, connect those private ranges with the Internet, and assign public IP addresses.
Trusted Advisor
This tool performs checks on your AWS account across five categories. One of those categories is cost optimization.
What are the 3 things you need to create an AutoScaling configuration on EC2?
To create an autoscaling configuration on EC2, you need the following:
EC2 Launch template: Specifies the instance type, AMI, key pair, block device mapping, and other features the instance should be created with.
Scaling policy: Defines a trigger that specifies a metric ceiling (for scaling out) and floor (for scaling in). Any breach of the floor or ceiling for a certain period of time triggers autoscaling.
EC2 AutoScaling group: Defines scaling limits and the minimum, maximum, and desired numbers of instances. You need to provide a launch configuration and a scaling policy to apply during a scaling event.
What are the two types of URL that can be used to access an S3 bucket?
Two types of URLs can be used to access an S3 bucket:
Virtual-hosted-style URLs (current)
Path-style URLs (currently expecting deprecation)
What are flow logs? Do they provide real-time streaming?
VPC flow logs are used to capture information about the IP traffic flowing in or out of network interfaces in a VPC. Flow logs can be created for an entire VPC, a subnet, or an individual interface. Flow logs do not provide the ability to view a real-time stream of traffic.
What type of deployment is weighted routing best for?
Weighted routing is ideal for a blue/green deployment. The blue environment represents the established, reliable configuration. DNS can be used to switch traffic from the blue environment to the green or to roll back to the blue if necessary. Weighted routing allows you to begin this transition with a smaller percentage of traffic.
When RAM is used without AWS Organizations, resources can be ______ _______ with other ___ ________.
When RAM is used without AWS Organizations, resources can be directly shared with other AWS accounts.
Client-Side Caching
When a client requests the contents of the application from a server, you should ensure that components that are static or change infrequently are reused with client-side caching. Modern browsers have this capability built in, and you can use it by specifying cache control headers within your web server or the service that delivers the content, such as S3.
Server-Side Caching
When a feature, a module, or certain content stored within the web service is requested frequently, you typically use server-side caching to reduce the need for the server to look for the feature on disk. The first time the feature is requested and the response assembled, the server caches the response in memory so it can be delivered with much lower latency than if it were read from disk and reassembled each time. There is a limitation to the amount of memory the server has, and of course, server-side caching is traditionally limited to each instance. However, in AWS, you can use the ElastiCache service to provide a shared, network-attached, in-memory datastore that can fulfill the needs of caching any kind of content you would usually cache in memory.
Edge Caching
When content is delivered frequently to multiple users, you can employ edge caching or what is more commonly referred to as a content delivery network. In AWS, you can use the Amazon CloudFront service to deliver frequently used content in a highly efficient manner to millions of users around the globe while at the same time offloading multiple same requests off the application or back end.
When RAM is used with AWS Organizations, resources can be shared with an ____________ ____, __________ ___ _____, or individual ___ _____.
When it is used with AWS Organizations, resources can be shared with an organizational unit (OU), individual IAM roles, or individual IAM users.
Blue/Green
When using a blue/green deployment, you have two identical environments: production and staging. The production environment is live and used actively within your organization. The staging area is used in the final phase of deploying a new version of the solution. This means that changes made within your QA environment are applied to the staging environment, and some final tests are performed.
What is the default retention period for CloudWatch metrics? What is the retention period for CloudWatch Logs?
While the default metrics retention period is 15 months, the retention of logs in CloudWatch is indefinite.
What service interoperates with CloudTrail to trigger alarms for events?
You can also configure CloudWatch Alarms for CloudTrail events and thus forward information on any critical CloudWatch events to a notification email, text message, or another service that will perform remediation.
What can you create and attach to an EC2 instance to place it in a different subnet than the default interface?
You can create an ENI and attach it to an EC2 instance as a secondary interface. The ENI can be placed in a different subnet than eth0, giving the instance access to multiple subnets, such as management and traffic subnets.
You can enable standard logs on a __________ distribution and deliver them to an __ ______. Real-time logs are also possible and enable you to view request information within _______ of the requests occurring.
You can enable standard logs on a CloudFront distribution and deliver them to an S3 bucket. Real-time logs are also possible and enable you to view request information within seconds of the requests occurring.
CloudFormation StackSets
A tool that allows you to manage stacks that manage resources across multiple accounts and AWS regions.
What does an RPO of 1 hour mean?
An RPO of one hour means that you can lose no more than one hour's worth of data. You should thus select a backup procedure that captures data at least every hour.
What happens if you add more files to the directory or change the content of those files and then rerun the s3 sync command?
Only the files that have changed are copied over.
What are the steps to configure AWS WAF ACL comprehensive logging?
The first step is to create the S3 bucket that the data will be stored in. You must configure an access policy to allow Kinesis Data Firehose to write to the S3 bucket.
The next step is to create a Kinesis Data Firehose and give it the necessary IAM role to write to the S3 bucket.
Finally, you must associate the AWS WAF with the Kinesis Data Firehose and enable logging.