Reading...
Play button
Play button
Use LEFT and RIGHT arrow keys to navigate between flashcards;
Use UP and DOWN arrow keys to flip the card;
H to show hint;
A reads text to speech;
466 Cards in this Set
- Front
- Back
- 3rd side (hint)
|
What are the characteristics of scalable applications?
|
– Scaling resources equals an increase in performance
– A scalable service handled homogeneity – A scalable service is efficient – A scalable service is resilient – It should be cheaper as it grows |
|
|
|
What is the difference in Scale–Up vs Scale–Out?
|
Scale up (vertical scaling) – bigger and bigger hardware
Scale out – the solution scales horizontally. Distributed application |
|
|
|
How do you Design for failure?
(5 Ideas) |
– BROSQ
– Have a coherent automated backup and restore strategy – Build process threads that resume on reboot – Allow system state to re–synch by reloading messages firm queues – Keep pre–configured and pre–optimized virtual instances to support 2 & 3 on launch or boot – Avoid in memory sessions or stateful user context, use data stores. |
|
|
|
What are AWS Best Practices?
|
– Failover gracefully using ElasticIPs
– Use Multiple AZs – Maintan an AMI for restoring or cloning across AZs – Maintain multiple Database slaves across AZs and setup hot replication – Use CloudWatch and setup Auto–scaling group. – Use EBS and setup cron jobs to create incremental snapshots in S3 (persisted independently of the instances) – Use RDS and set the retention time for backups for automated backups – Decouple your components – Keep dynamic data close to compute and static data close to end–users |
|
|
|
How are Message Queues used?
|
– To isolate components
– To buffer between components |
|
|
|
What are the 3 ways to Scale?
|
– Proactive cyclic scaling : Periodic scaling at fixed intervals (daily, weekly, monthly, quarterly)
– Proactive event–based scaling : Scaling when you expect a big surge of traffic, e.g. marketing campaigns – Auto–scaling based on demand – By monitoring your service you send triggers to scale up or down |
|
|
|
How do you Automate Infrastructure?
|
– Create a library of "recipes"
– Manage the configuration and deployment process using agents bundled inside an AMI – Bootstrap your instances |
|
|
|
How to Bootstrap your instances?
|
– Instances should ask "who am I and what is my role" at boot.
– Every instance should have a role. – The role could be passed in as a launch parameter. – On boot instances should grab resource (code, scripts, configuration) based on role and "attach" itself to a cluster. |
|
|
|
What are the Benefits of Boostrapping?
|
– Recreate Dev, Stage, Prod env with minimal effort
– More control over abstract resources – Reduce human deployment errors – Create self–healing and self–discoverable environment |
|
|
|
AWS Taticts to automate infrastructure
|
– Define auto–scaling groups for different clusters.
– Monitor system metrics and take appropriate actions (scale or send notifications) – Store and retrieve machine configuration dynamically (SimpleDB). – Simple DB can be used to store IP address, machine name and role – Design a build process that dumps the latest builds to an S3 bucket – Invest in resource management tools – Chef, Puppet, etc – Bundle "Just Enough Operating System" in an AMI – Reduce bundling and boot times by booting from EBS and attaching multiple EBS volumes to the instance – App components should not assume the health or location of any hardware. |
|
|
|
How do you leverage Parallelism?
|
– Multi–thread S3 requests
– Multi–thread SimpleDB and BATCHPUT requests – Create JobFlow using MapReduce – Use ELB to spread load across multiple app servers |
|
|
|
What does AMI stand for?
|
Amazon Machine Image
|
|
|
|
What is an AMI?
|
– A bundle of operating system and applications and associated configuration settings
– There is a community AMI for NAT |
|
|
|
What is an ACL?
|
Access Control List
|
|
|
|
ACLs are _______
|
– Stateless traffic filters and works on the Subnet level
– Allow all traffic in and out by default – Explicit rules are numbered – The lowest explicit rule executes first – DENY always overrides an ALLOW |
|
|
|
What is AppStream?
|
Amazon AppStream enables you to stream your existing Windows applications from the cloud, reaching more users on more devices, without code modifications. With Amazon AppStream, your application will be deployed and rendered on AWS infrastructure and the output is streamed to mass–market devices, such as personal computers, tablets, and mobile phones.
|
|
|
|
AppStream is good for ______
|
– Stream resource intensive apps or games from the cloud
– AppStream deploys apps into an GPU accelerated EC2 instance – AppStream uses CloudFormation – Supports the STX protocol |
|
|
|
What is Autoscaling?
|
Auto Scaling helps you maintain application availability and allows you to scale your Amazon EC2 capacity up or down automatically according to conditions you define
|
|
|
|
What are 6 Autoscaling features?
|
– Using Cloudwatch metrics automatically expand application capacity by starting new instances – enabled by CloudWatch and carries no additional fees.
– Can be used without ELBs – AWS will make temporary credentials available to instances that have Roles assigned to them – Temporary credentials are rotated several times a day – Access to the AutoScaling API is granted via IAM. – You can create users and give them specific access to the AutoScaling APIs – Sits on top of the Launch Configuration |
|
|
|
What is Aurora?
|
Amazon Aurora is a MySQL–compatible relational database management system (RDBMS) that combines the speed and availability of high–end commercial databases with the simplicity and cost–effectiveness of open source databases. Amazon Aurora provides up to five times better performance than MySQL at a price point one tenth that of a commercial RDBMS while delivering similar performance and availability.
|
|
|
|
Aurora is ______
|
– Compatible with MySQL
– 4 times faster – Starts at 10GB up to 64GB in 10GB increments – 2 copies of the data is stored in each AZ across a minimum of 3 AZs – You can lose 2 copies without affecting write availability – You can lose 3 copies without affecting read availability |
|
|
|
What is an Availability Zone?
|
An Availability Zone is engineered to be isolated from failures in other Availability Zones, and to provide inexpensive, low–latency network connectivity to other zones in the same region
|
//fce-study.netdna-ssl.com/2/images/upload-flashcards/88/37/80/10883780_m.png
|
|
|
What is CloudWatch?
|
CloudWatch is a monitoring service
CloudWatch collects and tracks metrics, collect and monitor log files, and set alarms. |
|
|
|
What are 4 features of CloudWatch?
|
– A monitoring service for AWS services.
– Allows alarms to be set. – Accessed from AWS Console, API, SDK or CLI – Can monitor your guest OS, application, and custom log files for the software installed on your EC2 instances |
|
|
|
What is CloudFormation?
|
AWS CloudFormation gives developers and systems administrators an easy way to create and manage a collection of related AWS resources, provisioning and updating them in an orderly and predictable fashion.You can use AWS CloudFormation’s sample templates or create your own templates to describe the AWS resources, and any associated dependencies or runtime parameters, required to run your application.
|
|
|
|
What are 7 CloudFormation features?
|
– Provision, Update, Deploy a template and it's related resources (stack)
– Accessed via Management Console, CLI or API – Sort of like Infrastructure version control – Stack names must not contain spaces – The "Ref" function sets the resource property to the value of another resource – A stack creation that depends on a dependent resource that does not exist will cause stack creation to fail – KeyPairs must be created in the same region where you're creating the stack |
|
|
|
CloudFormation template is composed of ___
|
– AWSTemplateFormatVersion
– Description – Parameters : Used to pass sensitive parameters to the CF script like usernames and passwords – Mappings : Like a switch statement for selecting the correct AMI for the Region – Conditions : Conditional statements that create resources based on a condition – Resources : Only required section of the CF template – Resource declarations beings with a string that specifies the logical Name for the resource – Outputs : Returns these values using cfn–describe–stacks to the AWS console outputs tab |
|
|
|
What is CloudFront?
|
– A content distribution network with 14 edge locations around the world.
– CloudFront can deliver content from your own domain name with a Server Name Identification (SNI) Custom SSL option, otherwise CloudFront delivers content from dxxxx.cloudfront.net/ – No guarantee of durability of content held at CloudFront locations – There is a private cloud front feature which must be enabled. If this feature is not enabled in CF access is public – Access via HTTP and/or HTTPS (configurable) – Require HTTPS is also configurable – HTTP and HTTPS access can be configured on a per object basis – CloudFront origins can be configured to retrieve objects using the same (HTTP,HTTPS) protocol as used by the requestor – TTL as low as 0 seconds – no–cache – CouldFront can serve content from non–AWS servers – CF can set different cache behaviours based on URL |
|
|
|
Two types of CloudFront distributions?
|
– Web
– RTMP (Flash) |
|
|
|
CloudFront supports _____ content
|
– Dynamic
– Static – Streaming |
|
|
|
CloudFront is used with ______ services.
|
– S3
– EC2 – ELB –Route 53 |
|
|
|
What are 4 CloudFront pragmas?
|
– no–cache
– no–store – If–Modified–Since – If–Non–Match |
|
|
|
How does CloudFront handle stale content?
|
CloudFront will serve stale content if the source is not available
|
|
|
|
Where are CloudFront custom Error Pages stored?
|
Hosted on S3
|
|
|
|
Where are CloudFront Logs stored?
|
CloudFront logs can be stored in S3 if configured
|
|
|
|
What is CloudFront 'Origin Access Identities'?
|
CloudFront can create 'Origin Access Identities' associated with a distribution. When an Origin Access Identity is associated with an Amazon CloudFront distribution, the distribution will use that identity to retrieve objects from Amazon S3. You can then use Amazon S3’s ACL feature, which limits access to that Origin Access Identity so the original copy of the object is not publicly readable
|
|
|
|
What is CloudHSM?
|
A Hardware Security Module in the cloud
|
|
|
|
What is the CloudHSM Hardware?
|
Uses Luna SA HSM from SafeNet
|
|
|
|
What is CloudHSM used for
|
– Used for storing encryption keys
– DRM – PKI : authentication, authorization, document signing |
|
|
|
Are CloudHSM Multi–Tennant
|
CouldHSM devices are single tennant
|
|
|
|
Who admins CloudHSM?
|
– Amazon maintains the cryptographic domain
– Amazon maintains the HSM but can't access they keys |
|
|
|
CloudHSM Features
|
– Replicated in multiple AZs
– Generate, Store and Manage keys on the HSM – CloudHSM service is designed to be used with Amazon EC2 and VPC, providing the appliance with its own private IP within a private subnet |
|
|
|
What are the steps to Terminate CloudHSM?
|
When your CloudHSM subscription ends and you have confirmed that the contents of the HSM are no longer needed, you must delete each partition and its contents as well as any logs. As part of the decommissioning process, AWS zeroizes the appliance, permanently erasing all key material.
|
|
|
|
What is CloudSearch?
|
Custom search service for a website or application
|
|
|
|
What are some CloudSearch Features?
|
– Data that needs to be indexed must be uploaded to CloudSearch
– Scales as the amount of data changes – Scales as the query rate changes – Access to search domain endpoints are restricted by IP address. Only authorized hosts can submit documents and send search requests. – CloudSearch configuration service endpoint : cloudsearch.us–east–1.amazonaws.com – The CloudSearch document service endpoint is accessed through a domain specific endpoint – The CloudSearch search service endpoint is accessed through a domain specific endpoint |
|
|
|
What is CloudTrail?
|
CloudTrail is Logging.
CloudTrail is a service that logs AWS API Calls from all sources calls and delivers log files to you |
|
|
|
What does CloudTrail Log?
|
– Identity of caller
– Time of call – Source IP – Request params – Response elements – Used for Auditing, compliance and security tracking – Logs to S3 every 5 minutes to the bucket of your choice – Logs for multiple regions can be combined in a single bucket – Log files are stored indefinitely – Logs are encrypted using S3's Server Side Encryption |
|
|
|
What is Cognito?
|
Amazon Cognito is a service that makes it easy to save mobile user data, such as app preferences or game state, in the AWS Cloud without writing any backend code or managing any infrastructure. Cognito offers mobile identity management and data synchronization across devices. You can save data locally on users’ devices allowing your applications to work even when the devices are offline.
|
|
|
|
What are some Cognito Features?
|
– Identity to Facebook, Google, Amazon
– To begin using Amazon Cognito, you create an identity pool through the Amazon Cognito console – Temporary security credentials expire after 12 hours – Cognito stores data locally as well as in the service, your end users can continue to interact with their data even when they are offline – Cognito's sync facility compares the local version of the data to the cloud version, and pushes up or pulls down deltas as needed – Amazon Cognito does not receive or store user credentials—only the OAuth or OpenID Connect token received from the identity provider – Once Cognito receives the token, it returns a new Cognito ID for the user and a set of temporary, limited–privilege AWS credentials – Each Cognito identity has access only to its own data in the sync store, and this data is encrypted when stored |
|
|
|
What is DirectConnect?
|
A dedicated network connection to AWS
– Uses 802.1q VLANs – This dedicated connection can be partitioned into multiple virtual interfaces |
|
|
|
What is DataPipeline?
|
AWS Data Pipeline is a web service that helps you reliably process and move data between different AWS compute and storage services, as well as on–premise data sources, at specified intervals
|
|
|
|
What are some DataPipeline features?
|
– Allows you to move data between different Compute and Storage services and on–premise data at specified intervals
– One IAM Role governs the Pipeline while another governs the pipelines resources. |
|
|
|
What is DevPay?
|
Amazon DevPay is a simple–to–use online billing and account management service that makes it easy for businesses to sell applications that are built in, or run on top of, Amazon Web Services.
|
|
|
|
What is DynamoDB?
|
Managed NoSQL
|
|
|
|
What are some Features of DynamoDB?
|
– Low latency
– Store unlimited amounts of data – Eventual consistency (default) with strongly–consistent reads (optional) |
|
|
|
What transactions are atomic for DynamoDB?
|
Atomic transactions for
– Put – Update – Delete – Increment – Decrement – Conditional operations |
|
|
|
What are the DynamoDb Data Types?
|
– Number
– String – Binary |
|
|
|
What are some DynamoDB Features?
|
– Primary key : single attribute hash key or composite hash–range key
– Scale capacity of a table up or down with no downtime – Data stored on SSD storage – Accessible from internet and inside EC2 – Does not store nested data objects |
|
|
|
What access controls does DynamoDB support?
|
DynamoDB has fine grained access controls
Access can be restricted to Items (rows) or it's Attributes (columns) or to both Items and Attributes |
//fce-study.netdna-ssl.com/2/images/upload-flashcards/88/53/01/10885301_m.png
|
|
|
Does DynamoDB support federated identities?
|
Yes. – DynamoDB can use web federated identities from Amazon, Facebook or Google
– Users can sign in to and Identity Provider and then obtain temporary credentials to access the specific DyDB table |
|
|
|
What sort of signature is required with DynamoDB?
|
– A valid HMAC–SHA256 signature is required on each request as part of the header if manual HTTP POST request are made.
– Temporary credentials as required for manual requests |
|
|
|
How are DynamoDB backups configured?
|
Automatic backups are configured with a special AWS Data Pipeline
|
|
|
|
What kind of Backups does DynamoDB support?
|
– Full
– Incremental – Same or different region – Used for DR – Federated across multiple regions for multi–region application support |
|
|
|
What is ElastiCache?
|
ElastiCache is a web service that makes it easy to deploy, operate, and scale an in–memory cache in the cloud. The service improves the performance of web applications by allowing you to retrieve information from fast, managed, in–memory caches, instead of relying entirely on slower disk–based databases
|
|
|
|
What caching engines are supported in ElastiCache?
|
– Redis
– Memcached |
|
|
|
What are some ElastiCache features?
|
– A Cache Cluster is comprised of several Cache Nodes
|
|
|
|
What is an ElastiCache Node?
|
– A Cache Node is a fixed–size of secure, network attached RAM.
– Each node has it's own DNS name and Port – Multiple types of cache nodes are supported with varying amounts of memory |
|
|
|
How is access to ElastiCache managed?
|
– Access to Cache Clusters is handled using Cache Security Groups.
– By default network access is turned off to your Cache Clusters. – Access must be specifically granted hosts in specific EC2 Security GroupsTo allow network access to your Cache Cluster |
|
|
|
How do you create a ElastiCache Security Group?
|
– Create a Cache Security Group and use the Authorize Cache Security Group Ingress API or CLI command to authorize the desired EC2 security group
|
|
|
|
What is the Backup policy for ElastiCache?
|
– Elasticache for Redis provides backup (snapshots) and restore to S3
– Automatic snapshots are bound by the retention period you specify – Mnaual snapshots are stored until you delete them |
|
|
|
What is Elastic Beanstalk?
|
– A manged service for deploying and scaling applications.
– Beanstalk manages the resources required for app deployment – The ElasticBeanstalk service is free |
|
|
|
What are some Elastic Beanstalk features?
|
– Manages capacity provisioning
– Load balancing – Auto–scaling – Health monitoring – All provisioned services are accessible |
|
|
|
Is it possible to override Elastic Beanstalk configurations?
|
Yes. The Elastic Beanstalk console allows you to manually override the default settings for AWS resources.
|
|
|
|
How are Access Keys handled with Elastic Beanstalk?
|
You can pass AWS access key and secret key to your application using Elastic Beanstalk environment variables
|
|
|
|
What are the access levels for Elastic Beanstalk?
|
Elastic Beanstalk has a read only template and a full access template
|
|
|
|
What can a Elastic Beanstalk template configure?
|
– HTTPS on load balancer
– Emails through SNS via HTTPS – Adjusting app server settings – Passing environment variables including Secret Access Key – Log rotation hourly to S3 – Access monitoring |
CPU Load
|
|
|
What is Elastic Block Store?
|
Volumes of of network–attached persistent storage attached to EC2 instances
|
|
|
|
What are the types of Elastic Block Stores?
|
– Standard : I/O performance not critical (100 IOPS avg to 100's in burst)
– Provisioned IOPS : SSD – low–latency 30 IOPS/Gb |
|
|
|
What is an IOPS?
|
– IOPS are I/O Operations
– IOPS are measured in 16KB increments – 1000 IOPS @ 16KB/s == 500 IOPS @ 32KB/s |
|
|
|
What is the size range for Elastic Block Stores?
|
1GB to 1TB
|
|
|
|
What is the backup policy for Elastic Block Store?
|
EBS is not automatically backed up
|
|
|
|
How can you backup Elastic Block Store?
|
Elastic Block Store can be snapshoted to S3
|
|
|
|
Can the same Elastic Block Store volume be mounted to multiple EC2 instances?
|
No
|
|
|
|
Can multiple Elastic Block Store volumes be mounted to a single EC2 instances?
|
Yes
|
|
|
|
What is the Elastic Block Store replication policy?
|
Elastic Block Store volumes are automatically replicated within the same AZ
|
|
|
|
Are Elastic Block Store volumes replicated across regions?
|
No. EBS snapshots are stored in only 1 region
|
|
|
|
How are EBS volumes on EC2 instances backed up?
|
AWS does not backup data on EBS volumes attached to EC2 instances.
|
|
|
|
What encryption standard is used for Elastic Block Store?
|
AES–256
– Only available on larger,powerful instance types (m3,c3,r3,g2) |
|
|
|
What is an Elastic Compute Instance?
|
A web service that provides re–sizable computer capacity in the cloud
|
|
|
|
What are the types of EC2 Instances?
|
– On–demand : instances paid for by hour with no long term commitments (variable cost)
– Reserved Instances : Make a 'low' one time payment for each instance with a discounted hourly charge (50–70% lower than on–demand). Used for steady state workloads – Spot instances : Bid on un–used capacity, spot price set by EC2 and fluctuates based on supply and demand – Dedicated : Dedicated hardware run within your VPC |
|
|
|
What are some EC2 Features?
|
– Local storage will persist only as long as the instance is alive
– Customers are responsible for patching the os – Instances can't send spoofed traffic – Port scanning is a violation of the TOS – Roles can only be assigned to EC2 instances at creation time (Non–VPC). You can not add or change existing roles, but you can change the permissions of an already assigned role. – Network interfaces can be put into promiscious mode but the Hypervisor will not deliver any traffic not intended for the interface. Even two interfaces on the same host can't listen in on each other. |
|
|
|
Where are EC2 keys stored?
|
– Linux : New instances created with cloud–init
– Linux EC2 key pair located |
– in ~/.ssh/authorized_keys
Windows |
|
|
What is the EC2 lifecycle?
|
//fce-study.netdna-ssl.com/2/images/upload-flashcards/88/60/99/10886099_m.png
|
|
|
|
What is an Elastic IP?
|
– An Elastic IP address (EIP) is a static IP address designed for dynamic cloud computing
– An EIP is associated with your AWS account |
|
|
|
What is an Elastic Load Balancer ?
|
Elastic Load Balancing automatically distributes incoming application traffic across multiple Amazon EC2 instances in the cloud. It enables you to achieve greater levels of fault tolerance in your applications, seamlessly providing the required amount of load balancing capacity needed to distribute application traffic.
|
|
|
|
What are the features of an Elastic Load Balancer?
|
– High Availability
– Health Checks – Security Features – SSL Offloading – Sticky Sessions – IPv4 & IPv6 – Layer 4 or 7 load balancing – Operational Monitoring – Logging |
|
|
|
What are the security features of an Elastic Load Balancer?
|
– ELB can allow for specific protocols / ciphers in it's configuration
– When the ELB Server Order Preference is set the ELB will select the cipher based on the ELBs prioritization rather than the clients' – Can use Perfect Forward Secrecy – user session keys are not stored anywhere (empheral). This prevents decrypting of captured data. – If you use an EC2 instance then your EC2 instances do not need an ElasticIP – Allows EC2 instances to see the IP address of the connecting client with either HTTPS or TCP load balancing. Normally the IP address of the load balancer is seen by the client. – ELB can balance the following ports – 25, 80, 443, and 1024–65535 – Connection Draining allows existing requests to complete before the load balancer shifts traffic away from a deregistered or unhealthy back–end instance. |
|
|
|
What is Connection Draining?
|
Connection Draining allows existing requests to complete before the load balancer shifts traffic away from a deregistered or unhealthy back–end instance.
|
|
|
|
What is Elastic MapReduce?
|
Amazon Elastic MapReduce (Amazon EMR) is a web service that makes it easy to quickly and cost–effectively process vast amounts of data
|
|
|
|
What does loosely coupled mean in AWS?
|
– Design each component such that it exposes a service interface that is responsible for it's scalability in all appropriate dimensions and interacts asynchronously
– Bundle the logical construct of a component in an AMI so it can be deployed easily – Make applications stateless as possible store session state outside of the component (in Amazon Simple DB, if appropriate) |
|
|
|
What AWS components make up Elastic Map Reduce?
|
A Hadoop framework running on the EC2 and S3 infrastructure
|
|
|
|
Where is Elastic Map Reduce data stored?
|
S3
|
|
|
|
How many Security Groups does EMR created?
|
EMR creates 2 security groups one for the master and one for the slaves
|
|
|
|
What is a JobFlow?
|
JobFlow is a sequence of MapReduce steps
|
|
|
|
What is Elastic Transcode?
|
Amazon Elastic Transcoder is media transcoding in the cloud. It is designed to be a highly scalable, easy to use and a cost effective way for developers and businesses to convert (or “transcode”) media files from their source format into versions that will playback on devices like smartphones, tablets and PCs.
|
|
|
|
What are the features of Elastic Transcode?
|
– Reads input from an S3 bucket
– Writes output to the same or another S3 bucket – Only uses SSL endpoints – Buckets can be in any region – You can pause and resume pipelines if needed |
|
|
|
How does Elastic Transcoder send notifications?
|
– Transcoder uses SNS to notify job start, end and warning conditions
|
|
|
|
What other frameworks can Elastic Map Reduce use?
|
– HBase
– Impala – Spark – Presto |
|
|
|
What is Glacier?
|
Amazon Glacier is a secure, durable, and extremely low–cost storage service for data archiving and online backup
|
|
|
|
What are Glacier files called?
|
Archives, which are stored in Vaults
|
|
|
|
How many items can a Glacier Archive store?
|
Archives can store one or several files
|
|
|
|
What is the max size of a Glacier Archive?
|
Each archive can be up to 40TB
|
|
|
|
What is the maximum Vault size in Glacier?
|
Max of 1000 vaults per region
|
|
|
|
What is the Glacier durability?
|
11 9's
|
|
|
|
What is the Glacier Encryption level?
|
AES–256
|
|
|
|
What is the Glacier recovery time and recovery window?
|
Recovery time about 3–5 hours and is available for 24 hours
|
|
|
|
How are files accessed from Glacier?
|
Recovery is via an HTTP GET method
|
|
|
|
How are large uploads verified in Glacier?
|
– Data uploaded to Glacier is verified with a Tree hash
– The hash consists of every 1MB arranged in a tree |
|
|
|
What is the size of the largest single upload in Glacier?
|
The largest archive that can be uploaded in a single Upload request is 4 gigabytes
|
|
|
|
How are large archives handled in Glacier?
|
Multipart upload for any archive > 100Mb to 40,000 GB
|
|
|
|
Is there a limit to the number of Archives in a Vault?
|
You can store an unlimited number of archives in a single vault
|
|
|
|
Does Glacier have data validation?
|
Glacier performs regular, systematic data integrity checks and is built to be automatically self–healing
|
|
|
|
How is access to Glacier controlled?
|
To control access to your data in Amazon Glacier, you can use AWS IAM to specify which users within your account have rights to operations on a given vault.
|
|
|
|
What is GovCloud?
|
GovCloud is an isolated AZ, it allows US government agencies and contractors to comply with International Traffic in Arms (ITAR) and Federal Risk and Authorization Management Program (FedRamp)
|
|
|
|
What is AWS Identity and Access Management (IAM)?
|
You can use IAM to securely control individual and group access to your AWS resources. You can create and manage user identities ("IAM users") and grant permissions for those IAM users to access your resources. You can also grant permissions for users outside of AWS ("federated users").
|
|
|
|
What is an IAM Group?
|
A group is a collection of IAM users. Group membership is managed as a simple list
– Users can be added to or removed from a group – A user can belong to multiple groups – Groups cannot belong to other groups – Groups can be granted permissions using access control policies. This makes it easier to manage permissions for a collection of users, rather than having to manage permissions for each individual user – Groups do not have security credentials, and cannot access web services directly; they exist solely to make it easier to manage user permissions |
|
|
|
IAM – Can a collection of users be structured in a hierarchical way, such as in LDAP
|
Yes. Users and groups can be organized under paths, similar to object paths in Amazon S3—for example /mycompany/division/project/joe.
|
|
|
|
Can IAM users be defined regionally?
|
Not initially. Users are global entities, like an AWS account is today. No region is required to be specified when defining user permissions. Users are able to use AWS services in any geographic region.
|
|
|
|
Can IAM users have individual EC2 SSH keys?
|
Not in the initial release. IAM does not affect EC2 SSH keys or Windows RDP certificates. This means that although each user has separate credentials for accessing web service APIs, they must share SSH keys that are common across the AWS account under which the user has been defined.
|
|
|
|
Do IAM user names have to be email addresses?
|
No, but they can be. User names are just ASCII strings that are unique within a given AWS account. The AWS account holder can assign names using any naming convention they choose, including email addresses.
|
|
|
|
What character sets can I use for IAM user names?
|
IAM entities support only ASCII characters.
|
|
|
|
How are user passwords set?
|
An initial password can be set for an IAM user via the IAM console, AWS CLI, or IAM APIs. User passwords never appear in clear text after the initial provisioning, and are never displayed or returned via an API call. IAM users can manage their passwords via the My Password page in the IAM console. Users access this page by selecting the Security Credentials option in the AWS Management Console dropdown list in the upper right–hand corner.
|
|
|
|
Can I define a password policy for my user’s passwords?
|
Yes, you can enforce strong passwords, like requiring minimum length or at least one number. You can also enforce automatic password expiration, prevent re–use of old passwords, and require a password reset upon next AWS sign in. For details, see Setting an Account Policy Password for IAM Users.
|
|
|
|
Can I set usage quotas on IAM users?
|
No. All limits are on the AWS account as a whole. For example, if your AWS Account has a limit of 20 Amazon EC2 instances, IAM users with EC2 permissions can start instances up to the limit. You cannot limit what an individual user can do.
|
|
|
|
What is an IAM role?
|
A role is an AWS Identity and Access Management (IAM) entity that defines a set of permissions for making AWS service requests. IAM roles are not associated with a specific user or group. Instead, roles are assumed by trusted entities, such as IAM users, applications or AWS services like EC2.
|
|
|
|
What problems do IAM roles solve?
|
IAM roles allow you to delegate access with defined permissions to trusted entities without having to share long–term access keys. You can use IAM roles to delegate access to IAM users managed within your account, to IAM users under a different AWS account, or to an AWS service like EC2.
|
|
|
|
How do I get started with IAM roles?
|
You create a role in a way similar to how you create a user—name the role and attach a policy to it. For details, see Creating IAM Roles.
|
|
|
|
How do I assume an IAM role?
|
You assume an IAM role by calling the AWS Security Token Service (STS) AssumeRole APIs (in other words, AssumeRole, AssumeRoleWithWebIdentity, and AssumeRoleWithSAML). These APIs return a set of temporary security credentials that applications can then use to sign requests to AWS service APIs.
|
|
|
|
How many IAM roles can I assume?
|
There is no limit to the number of IAM roles you can assume, but you can only act as one IAM role when making requests to AWS services.
|
|
|
|
How much do IAM roles cost?
|
IAM roles are free of charge. You will continue to pay for any resources a role in your AWS account consumes.
|
|
|
|
How are IAM roles managed?
|
You can create and manage IAM roles via the IAM APIs, AWS CLI, or IAM console, which gives you a point–and–click, web–based interface.
|
|
|
|
What is the difference between an IAM role and an IAM user?
|
An IAM user has permanent long–term credentials and is used to directly interact with AWS services. An IAM role does not have any credentials and cannot make direct requests to AWS services. IAM roles are meant to be assumed by authorized entities, such as IAM users, applications, or an AWS service like EC2.
|
|
|
|
What is the difference between an IAM role and an IAM group?
|
An IAM group is a collection of IAM users that share the same permissions. An IAM group is primarily a management convenience to manage the same set of permissions for a set of IAM users. An IAM role is an IAM entity with permissions to make AWS service requests. IAM roles cannot make direct requests to AWS services; they are meant to be assumed by authorized entities, such as IAM users, applications, or AWS services like EC2.
|
|
|
|
When should I use an IAM user, IAM group or IAM role?
|
An IAM user has permanent long–term credentials and is used to directly interact with AWS services. An IAM group is primarily a management convenience to manage the same set of permissions for a set of IAM users. An IAM role is an AWS Identity and Access Management (IAM) entity with permissions to make AWS service requests. IAM roles cannot make direct requests to AWS services, they are meant to be “assumed” by authorized entities, such as IAM users, applications or AWS services like EC2. IAM roles are used to delegate access within or between AWS accounts.
|
|
|
|
Can an IAM role be added to an IAM group?
|
Not at this time.
|
|
|
|
How many policies can be attached to an IAM role?
|
You can add as many policies as needed to an IAM role, as long as the total size of all the policies doesn't exceed 10 KB.
|
|
|
|
How many IAM roles can I create?
|
You are limited to 250 IAM roles under your AWS account. If you need more roles, submit the IAM limit increase request form with your use case and your IAM role increase will be considered.
|
|
|
|
What is IAM roles for EC2 instances?
|
IAM roles for EC2 instances enables your applications running on EC2 to make requests to AWS services such as Amazon S3, Amazon SQS, and Amazon SNS without you having to copy AWS access keys to every instance. For details, see Using IAM Roles to Delegate Permissions to Applications that Run on Amazon EC2.
|
|
|
|
What are the features of IAM roles for EC2 instances?
|
IAM roles for EC2 instances provides the following features:
– AWS temporary security credentials to use when making requests from running EC2 instances to AWS services. – Automatic rotation of the AWS temporary security credentials. – Granular AWS service permissions for applications running on EC2 instances. |
|
|
|
What problem does IAM roles for EC2 instances solve?
|
IAM roles for EC2 instances simplifies management and deployment of AWS access keys to EC2 instances. Using this feature, you associate an IAM role with an instance. Then your EC2 instance will provide the temporary security credentials to applications running on the instance, and the applications can use these credentials to securely make requests to the AWS service resources defined in the role.
|
|
|
|
Can I use the same IAM role on multiple EC2 instances?
|
Yes
|
|
|
|
Can I change the IAM role on a running EC2 instance?
|
No, at this time you cannot change the IAM role on a running EC2 instance. You can change the permissions on the IAM role associated with a running instance, and the updated permissions will take effect almost immediately.
|
|
|
|
Can I associate an IAM role with an already running EC2 instance?
|
No. You can associate only one IAM role with an EC2 instance.
|
|
|
|
Can I use an IAM role with other services that launch EC2 instances?
|
Yes. Auto Scaling and AWS CloudFormation also support IAM roles. Other services will add support over time.
|
|
|
|
Can I associate an IAM role with an Auto Scaling group?
|
Yes. You can add an IAM role as an additional parameter in an Auto Scaling launch configuration and create an Auto Scaling group with that launch configuration. All EC2 instances launched in an Auto Scaling group that is associated with an IAM role will be launched with the role as an input parameter.
|
|
|
|
Can I associate more than one IAM role with an EC2 instance?
|
No. You can only associate one IAM role with an EC2 instance at this time.
|
|
|
|
What happens if I delete an IAM role that is associated with a running EC2 instance?
|
Any application running on that instance that's using the role will be denied access immediately.
|
|
|
|
Can I control which IAM roles an IAM user can associate with an EC2 instance?
|
Yes. For details, see Using IAM Roles to Delegate Permissions to Applications that Run on Amazon EC2.
|
|
|
|
Which permissions are required to launch EC2 instances with an IAM role?
|
An IAM user must be granted two distinct permissions to successfully launch EC2 instances with roles:
– Permission to launch EC2 instances. – Permission to associate an IAM role with EC2 instances. |
|
|
|
Who can access the IAM access keys on the EC2 instance?
|
Any local user on the instance can access the access keys associated with the IAM role.
|
|
|
|
How do I use the IAM role with my application on the EC2 instance?
|
If you develop your application with the AWS SDK, the AWS SDK will automatically use the AWS access keys that have been made available on the EC2 instance. If you are not using the AWS SDK, you can retrieve the access keys from the EC2 Instance Metadata Service.
|
|
|
|
When are IAM temporary security credentials made available on EC2 instances?
|
New temporary security credentials are made available no later than five minutes before the existing temporary security credentials expire.
|
|
|
|
What are temporary security credentials?
|
Temporary security credentials consist of the AWS acccess key ID, secret access key, and security token. Temporary security credentials are valid for a specified duration and for a specific set of permissions. Temporary security credentials are sometimes simply referred to as tokens. Tokens can be requested for IAM users or for federated users you manage in your own corporate directory.
|
|
|
|
What are the benefits of temporary security credentials?
|
– Extend your internal user directories to enable federation to AWS, enabling your employees and applications to securely access AWS service APIs without needing to create an AWS identity for them.
– Request temporary security credentials for an unlimited number of federated users. – Configure the time period after which temporary security credentials expire, offering improved security when accessing AWS service APIs through mobile devices where there is a risk of losing the device. |
|
|
|
How can I request temporary security credentials for federated users?
|
You can call the GetFederationToken or an AssumeRole STS APIs.
|
|
|
|
How can IAM users request temporary security credentials for their own use?
|
IAM users can request temporary security credentials for their own use by calling the AWS STS GetSessionToken API.
– The default expiration for these temporary credentials is 12 hours – The minimum is 1 hour – The maximum is 36 hours. |
|
|
|
How can temporary security credentials be used to call AWS service APIs?
|
– Use the AccessKeyID and SecretAccessKey to sign AWS service API requests as before.
– Pass the token as an additional parameter for every request made to AWS service APIs. – For Amazon S3: via the "x–amz– security–token" HTTP header. – For other AWS services: via the SecurityToken parameter. |
|
|
|
What is the maximum size of the access policy that can be specified when requesting temporary security credentials (either GetFederationToken or AssumeRole)?
|
450 bytes compressed.
|
|
|
|
Can a temporary security credential be revoked prior to its expiration?
|
No. When requesting temporary credentials we recommend the following:
– When creating temporary security credentials, set the expiration to a value that is appropriate for your application. – Because root account permissions cannot be restricted, use an IAM user and not the root account for creating temporary security credentials. You can revoke permissions of the IAM user that issued the original call to request it. This action will almost immediately revoke privileges for all temporary security credentials issued by that IAM user |
|
|
|
Can temporary security credentials be reactivated or have their expiration extended?
|
No. It is a good practice to actively check the expiration and request a new temporary security credential before the old one expires. This rotation process is automatically managed for you when temporary security credentials are used in roles for EC2 instances.
|
|
|
|
Are temporary security credentials supported in all regions?
|
Customers can request tokens from AWS STS endpoints in all regions, including AWS GovCloud (US) and China (Beijing) regions. Temporary credentials from AWS GovCloud (US) and China (Beijing) can be used only in the region from which they originated. Temporary credentials requested from any other region such as US East or EU (Ireland) can be used in all regions except AWS GovCloud (US) and China (Beijing).
|
|
|
|
Can I restrict the use of temporary security credentials to a region or a subset of regions?
|
No. You cannot restrict the temporary security credentials to a particular region or subset of regions, except the temporary security credentials from AWS GovCloud (US) and China (Beijing), which can be used only in the respective regions from which they originated.
|
|
|
|
What is AWS STS?
|
he AWS Security Token Service (STS) is a web service that enables you to request temporary, limited–privilege credentials for AWS Identity and Access Management (IAM) users or for users that you authenticate (federated users)
|
|
|
|
What do I need to do before I can start using an AWS STS endpoint?
|
AWS STS endpoints in US East, AWS GovCloud (US), and China (Beijing) regions are always active and you can start using them without any further actions.
|
|
|
|
What is identity federation?
|
Web identity federation allows you to create AWS–powered mobile apps that use public identity providers (such as Amazon Cognito,Login with Amazon, Facebook, Google or any OpenID Connect compatible provider) for authentication. With web identity federation, you have an easy way to integrate sign–in from public identity providers into your apps without having to write any server–side code and without distributing long–term AWS security credentials with the app.
|
|
|
|
Does AWS support SAML?
|
Yes, AWS supports the Security Assertion Markup Language (SAML) 2.0.
|
|
|
|
What SAML profiles does AWS support?
|
The AWS single sign–on (SSO) endpoint supports the identity provider initiated HTTP–POST binding WebSSO SAML Profile. This enables a federated user to log into to the AWS Management Console using a SAML assertion. A SAML assertion can also be used to request temporary security credentials using the AssumeRoleWithSAML API.
|
|
|
|
Can federated users access AWS APIs?
|
Yes. You can programmatically request temporary security credentials for your federated users to provide them secure and direct access to AWS APIs
|
|
|
|
How do I control what a federated user is allowed to do when signed into the console?
|
When you request temporary security credentials for your federated user using an AssumeRole API, you can optionally include an access policy with the request. The federated user’s privileges will be the intersection of permissions granted by the access policy passed with the request and the access policy attached to the IAM role that was assumed.
|
|
|
|
Which identity providers does web identity federation support?
|
Web identity federation supports Amazon Cognito, Login with Amazon, Facebook, Google, and any OpenID Connect compatible provider.
|
|
|
|
How do permissions work?
|
Use policies to assign permissions to IAM users, groups, and roles. By default, IAM users, groups, and roles have no permissions; the account owner or an IAM user with sufficient permissions must use a policy to grant permissions to an IAM user, group, or role.
|
|
|
|
How do I assign permissions using a policy?
|
You can assign permissions using the AWS Management Console, the IAM API, or the AWS CLI. The account owner and IAM users who have been granted the necessary permissions can create policies and assign them to IAM users, groups, and roles. There are two types of policies in IAM: inline policies and managed policies.
|
|
|
|
What are inline policies?
|
Inline policies are policies that you create along with an IAM user, group, or role. To edit an inline policy, you must edit all of the IAM users, groups, and roles in which it is embedded.
|
|
|
|
What are managed policies?
|
Managed policies are standalone policies that you can create, edit, and manage separately from the IAM users, groups, and roles to which they are attached. After you attach a managed policy to multiple IAM users, groups, or roles, you can update that policy in one place and the permissions apply to all attached entities
|
|
|
|
What is the difference between assigning permissions using IAM groups and assigning permissions using managed policies?
|
You can use IAM groups to collect IAM users and define common permissions for those users. You can use managed policies to share permissions across IAM users, groups, and roles.
|
|
|
|
What are the IAM Access levels
|
– Admin : full access
– Power User : Full access except management of user and groups – Read only – Granular |
|
|
|
Does IAM cover the marketplace?
|
IAM is integrated in the Marketplace so you can control who can buy and run software, running on EC2 instances, from the marketplace
|
|
|
|
Can IAM Cross Accounts?
|
Yes. For organizations who use multiple AWS Accounts to manage their resources, you can set up roles to provide users who have permissions in one account to access resources under another account
|
|
|
|
What make up a temporary credential?
|
The temporary credentials include a security token, an Access Key ID, and a Secret Access Key.
When the user makes calls to your resources, the user passes in the token and Access Key ID, and signs the request with the Secret Access Key. |
|
|
|
What do IAM Roles enable?
|
Roles allow resources (EC2) to access other resources (S3) without requiring user credentials to be stored in EC2
|
|
|
|
How does an Internet Gateway work?
|
Each instance that needs access must have an Elastic IP or route through a NAT instance (which has an EIP)
|
|
|
|
What is an Internet Gateway?
|
An internet gateway allows for internet access, it may be attached to a VPC to enable direct connectivity to S3 other AWS services and the Internet
|
|
|
|
What is Kenesis?
|
Real–time processing of streaming data at massive scale
|
|
|
|
How is data stored in Kenesis ?
|
– Data is replicated across 3 facilities in a region
– Kinesis data is only stored for 24 hours before being deleted – A Kinesis application can pass along a record to another Kinesis stream, write to a S3 bucket, Redshift or DynamoDB |
|
|
|
What does Kinesis use for a unique identifier?
|
Kinesis data records contain a sequence number, a partition key, and a data blob, which is an un–interpreted, immutable sequence of bytes
|
|
|
|
Can Kinesis do data transoformation?
|
No. Kinesis service does not inspect, interpret, or change the data in the blob
|
|
|
|
How can app read from a Kinesis stream?
|
A Kinesis application uses the Amazon Kinesis Client Library to read from the Amazon Kinesis stream
|
|
|
|
What does the Kinesis Client libaray provide?
|
The Kinesis Client Library takes care of a variety of details for you including failover, recovery, and load balancing, allowing your application to focus on processing the data as it becomes available
|
|
|
|
What is Lambda?
|
AWS Lambda is a compute service that runs your code in response to events and automatically manages the compute resources for you
|
|
|
|
What events can trigger an AWS Lambda function?
|
You can use AWS Lambda to respond to:– Table updates in Amazon DynamoDB
– S3 buckets item modification – SNS notifications – Messages arriving in a Kinesis stream – AWS API call logs created by AWS CloudTrail – Client data synchronization events in Cognito, – Custom Events from mobile applications, web applications, or other web services. |
|
|
|
Can I access the infrastructure that AWS Lambda runs on?
|
No. AWS Lambda operates the compute infrastructure on your behalf, allowing it to perform health checks, apply security patches, and do other routine maintenance
|
|
|
|
How does Lambda isolate my code?
|
Each AWS Lambda function runs in its own isolated environment, with its own resources and file system view. AWS Lambda uses the same techniques as Amazon EC2 to provide security and separation at the infrastructure and execution levels.
|
|
|
|
Will AWS Lambda reuse function instances?
|
To improve performance, AWS Lambda may choose to retain an instance of your function and reuse it to serve a subsequent request, rather than creating a new copy. Your code should not assume that this will always happen.
|
|
|
|
What if I need scratch space on disk for my AWS Lambda function?
|
Each Lambda function receives 500MB of non–persistent disk space in its own /tmp directory.
|
|
|
|
What is a Network Access Control List?
|
NACL is an optional layer of security that acts as a firewall for controlling traffic in and out of a subnet. You might set up network ACLs with rules similar to your security groups in order to add an additional layer of security to your VPC
|
//fce-study.netdna-ssl.com/2/images/upload-flashcards/90/89/95/10908995_m.png
|
|
|
What is OpsWorks?
|
AWS OpsWorks is an application management service that makes it easy to deploy and operate applications of all shapes and sizes. You can define the application’s architecture and the specification of each component including package installation, software configuration and resources such as storage
|
|
|
|
What is used for OpsWorks orchestration?
|
OpsWorks uses Chef in the background on the instances
|
|
|
|
Is OpsWorks restricted to the AWS environment?
|
OpsWorks can manage boxes outside of the AWS environment (multi–cloud)
|
|
|
|
How does OpsWorks retrieve source from Git?
|
AWS OpsWorks allows you to require the use of a deploy key to retrieve apps from a Github repository. A deploy key is an SSH key with no password that allows AWS OpsWorks to asynchronously deploy apps or cookbooks from a private Github repository without requiring any further input from you.
|
|
|
|
Does OpsWorks access give you access to the underlying EC2 instances?
|
No. You even have the flexibility to give users access to AWS OpsWorks but deny them direct access to dependent services such as Amazon EC2
|
|
|
|
What is RedShift?
|
Amazon Redshift is a fast, fully managed, petabyte–scale data warehouse solution that makes it simple and cost–effective to efficiently analyze all your data using your existing business intelligence tools.
|
|
|
|
What are the two types of Nodes in RedShift?
|
– Leader nodes
– Compute nodes |
|
|
|
What are the differences in billing for RedShift Node types?
|
You are only charged for compute nodes, leader nodes (1 node) is not billed
|
|
|
|
What does a RedShift Leader Node do?
|
– Manages connections
– Parses queries – Builds execution plans – Manages query execution in compute nodes |
|
|
|
How can you access a RedShift Leader Node?
|
The leader node of each cluster is accessible through ODBC and JDBC endpoints, using standard PostgreSQL drivers
|
|
|
|
How can you access RedShift Compute nodes?
|
The compute nodes run on a separate, isolated network and are never accessed directly
|
|
|
|
What does a RedShift Compute Node do?
|
The compute nodes store data, perform computations, and run queries as directed by the leader node
|
|
|
|
How does RedShift improve performance?
|
To reduce IO & increase performanceRedshift uses :
– Columnar storage – Data compression – Zone maps |
|
|
|
Are RedShift clusters visible by everyone?
|
No. By default, clusters that you create are closed to everyone
|
|
|
|
Can RedShift run in a VPC?
|
Yes. You can run Redshift inside an Amazon VPC to isolate your data warehouse cluster in your own virtual network and connect it to your existing IT infrastructure using industry–standard encrypted IPsec VPN
|
|
|
|
How granular is RedShift's permissions?
|
In Redshift, you grant database user permissions on a per–cluster basis instead of on a per–table basis. However, a user can see data only in the table rows that were generated by his own activities; rows generated by other users are not visible to him.
|
|
|
|
Who can grant rights in RedShift?
|
Only a superuser or the owner of an object can query, modify, or grant permissions on the object
|
|
|
|
How is data distributed in RedShift?
|
Amazon Redshift distributes your data across all compute nodes in a cluster. When you run a cluster with at least two compute nodes, data on each node will always be mirrored on disks on another node
|
|
|
|
Is RedShift data backed up?
|
Yes. All data written to a node in your cluster is continuously backed up to Amazon S3 using snapshots which last 1 to 35 days
|
|
|
|
What is the difference between User generated Snapshots and AWS generated Snapshots?
|
User Generated Snapshots are stored until you remove them.
AWS generated Snapshots are stored for the retention period. Normally 1–35 days. |
|
|
|
Is RedShift data encrypted?
|
Redshift can encrypt data at rest with AES–256 block encryption keys
|
|
|
|
What is the Encryption Key levels in RedShift?
|
– Data key encryption : keys encrypt each data block with a randomly–generated AES– 256 key.
– Database key encryption: Encrypts the Data keys in the cluster. Randomly–generated AES– 256 key. Stored on a separate network, on disk, from the Redshift cluster and encrypted by a master key. – Cluster key encryption : The cluster key encrypts the database key for the Amazon Redshift cluster. – Master key encryption : The master key encrypts the cluster key if it is stored in the HSM |
|
|
|
What is an AWS Region?
|
– A region is a separate geographic area
– Each region has multiple, isolated locations known as Availability Zones – Resources aren't replicated across regions unless you do so specifically. |
|
|
|
What is the Relational Database Service?
|
Amazon RDS gives you online access to the capabilities of a MySQL, Oracle, Microsoft SQL Server, PostgreSQL, or Amazon Aurorarelational database management system
|
|
|
|
What is an RDS Master Account?
|
The master user account is used only within RDS to control access to your DB Instance(s). This is separate from
|
|
|
|
Is there a charge for CloudWatch metrics for RDS?
|
No. CloudWatch metrics available at no extra charge
|
|
|
|
What is a Read–Replica?
|
In RDS a Read–Replica is a standby copy of a database that is used for servicing read requests.
|
|
|
|
What are the network requirements for a MultiAZ RDS deployment?
|
– Each DB Subnet Group should have at least one subnet for every availability zone in a given region
|
|
|
|
What is a DB Subnet Group?
|
A DB Subnet Group is a specialized Security Group.
It holds a collections of subnets that you may want to designate for your RDS DB Instances in a VPC |
|
|
|
Which RDS databases support Bring–your–own–license?
|
– Oracle
– MS SQL |
|
|
|
What is the Maximum RDS retention?
|
35 days
|
|
|
|
Can MS SQL RDS Storage be resized?
|
No. The only way to increase is export and re–import.
|
|
|
|
Can MySQL RDS Storage be resized?
|
Yes.
|
|
|
|
Can a single–AZ RDS instance be made multi–AZ
|
Yes. A single–AZ deployment can be promoted to mulit–AZ
|
|
|
|
What is the Max database size with Oracle and MS SQL?
|
3 TB
|
|
|
|
What happens to I/O operations during an RDS snapshot?
|
I/O operations are suspended for the duration of the snapshot. I/O suspension is avoided in multi–AZ deployments since the backup is taken from the standby
|
|
|
|
What is the deafult access for an RDS Security Group?
|
Deny All.
Access can be granted via – IP – Security Groups |
|
|
|
Does RDS support Transparent Data Encryption?
|
Yes.
– MS SQL Enterprise – Oracle Advanced Security version |
|
|
|
Does MySQL support Transparent Data Encryption?
|
MySQL has no 'at–rest' encryption.
|
|
|
|
What are the 2 RDS backup options?
|
– Automated backups (35 days)
– DB snapshots (indefinitely) |
|
|
|
What is the restore granularity of an RDS backup?
|
Snapshot restores can be for any second up to the last 5 minutes of the retention period
|
|
|
|
What AWS Service does RDS use for Notification events?
|
SNS via email or text
|
|
|
|
How are Reserved Instances purchased
|
From the :
– Management Console – EC2 API |
|
|
|
What are the 5 restrictions of a Reserved Instance.
|
– 20 RIs per month
– A RI is for a specific instance family – A RI is for a specific region – A RI can not be cancelled – The RI payment is non refundable |
|
|
|
What is Route 53?
|
Amazon Route 53 is a highly available and scalable cloud Domain Name System (DNS) web service.
|
|
|
|
What are the Routing Types associated with Route 53?
|
– Latency
– Geolocation – Weighted Round Robin |
|
|
|
Is Route 53 restricted to AWS?
|
No. Route 53 can manage domains outside of AWS
|
|
|
|
What is the limit of Route 53?
|
– 500 hosted zones
– 100 Resource records per Resource record set – 10,000 resource record sets per hosted zone – 100 Weighted resource record sets – 50 active Health checks |
|
|
|
Does Route 53 allow private domain registrations?
|
Yes
|
|
|
|
What support does Route 53 have with other AWS services?
|
– ELB integraion
– S3 Zone Apex support – CloudFront Zone Apex support – Health checks for websites over http and https |
|
|
|
What is the minimum TTL for Route 53?
|
There is no default TTL in Route 53.
Can be low as 0 but that can cause issues. |
|
|
|
What is 'Reduced Redundancy' in S3?
|
A lower reliability and lower availability for S3.
–99.99% availability – 99.99% durability |
|
|
|
What is S3's SLA?
|
– 99.999999999% durability
– 99.99% availability |
|
|
|
What is S3?
|
A highly durable and distributed data store. Can be accessed via simple Web Services interface (HTTP verbs)
|
|
|
|
Can files in S3 be modified?
|
No
|
|
|
|
What is Lifecycle Management?
|
Rules that define how data moves from S3 to Glacier
|
|
|
|
How is encryption handled in S3?
|
– Files are encrypted with AES–256
– Metadata is not encrypted – Bucket policies can enforce that only encrypted content can be uploaded to a bucket |
|
|
|
How can data in S3 be further protected?
|
Data can be
– Versioned – Delete Protection with MFA |
|
|
|
What is the default access for S3 buckets? Public or Private?
|
Private by default
|
|
|
|
How do you remove S3 versioning?
|
S3 versioning can only be disabled never removed.
|
|
|
|
What is an S3 Bucket Policy?
|
Bucket Policies can be used to add or deny permissions across some or all of the objects within a single bucket.
|
|
|
|
What AWS resources do Bucket Policies apply?
|
– Users
– Groups – Buckets |
|
|
|
How can public S3 buckets be further restricted?
|
– Request time – Date Condition
– SSL enabled – Boolean Condition – Requester's IP – IP Address Condition – Requester's client application – String Conditions – Query string authentication allows access through URLs that are valid for a predefined period of time |
|
|
|
Does S3 allow for resumable uploads?
|
Yes.
|
|
|
|
How does S3 handle large file uploads?
|
S3 allows multi–part uploads
– Suggested for file > 100M – Required for file > 5G |
|
|
|
How is encryption handled in S3?
|
– Client side : S3 Encryption Client uses a unique key for every object
– Server side : request encryption when writing the object. Decryption is automatic on retrieval. |
|
|
|
Is S3 PUT & COPY asynchronous?
|
No. PUT and COPY synchronously store copies in multiple facilities before returning a SUCCESS
|
|
|
|
Does S3 verify data?
|
S3 regularly verifies integrity of data stored using checksums
|
|
|
|
How does S3 prevent transmission errors?
|
S3 calculates checksums on all network traffic to when storing and retrieving S3 assets
|
|
|
|
What are the logging options for S3?
|
S3 logging can be enabled on bucket and the logs are delivered to a specified S3 bucket
|
|
|
|
Can S3 support cross region replication?
|
Yes as of 3/25/15
|
|
|
|
What configuration is needed if serving content from S3 to a website domain?
|
To use content stored in S3 in websites the Cross–Origin Resource Sharing (CORS) needs to be enabled
|
|
|
|
What is a Security Group?
|
A Security Group act as a firewall for associated Amazon EC2 instances, controlling both inbound and outbound traffic at the instance level
|
//fce-study.netdna-ssl.com/2/images/upload-flashcards/90/89/74/10908974_m.png
|
|
|
What are 5 Security Group features?
|
– Operates at the instance level (first layer of defense)
– Supports ALLOW rules only – Is stateful: Return traffic is automatically allowed, regardless of any rules – No shortcut : Evaluate all rules before deciding whether to allow traffic – Applies to an instance only |
|
|
|
What are 5 Network ACL features?
|
– Operates at the subnet level (second layer of defense)
– Supports allow rules and deny rules – Is stateless: Return traffic must be explicitly allowed by rules –We process rules in number order when deciding whether to allow traffic – Automatically applies to all instances in the subnets it's associated with |
|
|
|
What is Amazon Simple Email Service?
|
Amazon Simple Email Service (Amazon SES) is a cost–effective outbound–only email–sending service built on the reliable and scalable infrastructure
|
|
|
|
What are the 4 security features of SES?
|
– Content–filtering technologies to prevent viruses or malware from being sent
– Feedback loops from ISPs – Checks the quality of emails being sent – Supports Sender Policy Framework (SPF) and Domain Keys Identified Mail (DKIM) |
|
|
|
What is SimpleDB?
|
Amazon SimpleDB is a highly available and flexible non–relational data store.
– No–sql (key, value) database |
|
|
|
What is Simple Notification Service?
|
Amazon Simple Notification Service (Amazon SNS) is a fast, flexible, fully managed push notification service that lets you send individual messages or to fan–out messages to large numbers of recipients.
|
|
|
|
What platforms does SNS support?
|
– iOS
– Android – Fire – Windows – China Android (Baidu Cloud Push) |
|
|
|
What is Simple Queue Service?
|
Amazon Simple Queue Service (SQS) is a fast, reliable, scalable, fully managed message queuing service
|
|
|
|
What are the primary features of SQS?
|
– Provides 'at least once' delivery
– Messages can contain up to 256 KB of text –A single request can have 1–10 messages – SQS can trigger AutoScaling in EC2 |
|
|
|
How do services read from SQS?
|
Services pull (poll) SQS
|
|
|
|
What is the 'Visability Timout' for SQL
|
That is the time that a mesage is invisible for after being pulled by a client. If not deleted during the Timeout it becomes visible again.
– 32 seconds default – 12 hour max |
|
|
|
Is SQS data encrypted?
|
No. You have to encrypt it before placing it on the Queue.
|
|
|
|
How long are messages stored in SQS?
|
Message retention :
– 4 days default – 60 seconds minimum – 14 days maximum Set with SetQueueAttributes |
|
|
|
What is Simple Workflow Service?
|
Amazon SWF helps developers build, run, and scale background jobs that have parallel or sequential steps. You can think of Amazon SWF as a fully–managed state tracker and task coordinator in the Cloud
|
|
|
|
What are the Simple Workflow Service features?
|
– SWF manages coordination of tasks
– Task coordination and state management service for cloud applications – Can include tasks performed by human actions – SWF ensures a task is assigned only once (never duplicated) |
|
|
|
What is the maximum length of a SWF task?
|
– Tasks can run as long as 12 months
|
|
|
|
Can you change the restore type of an EBS snaptshot?
|
Yes. A magnetic snapshot can be restored to SSD and vice versa.
|
|
|
|
What is a 'Spot Instance'
|
Bid on excess EC2 capacity. When your bit exceeds the spot price your instances can run.
|
|
|
|
How many spot instances can you request?
|
– 5 per region
– This is a soft limit |
|
|
|
Will the price I’m charged for a running Spot Instance change during its instance–hour as the Spot Price changes?
|
No. The price per instance–hour for a Spot Instance is set at the beginning of each instance–hour for the entire hour. Any changes to the Spot Price will not be reflected until the next instance–hour begins.
|
|
|
|
Will I be charged if my Spot Instance is terminated by Amazon EC2 before the hour is up?
|
No. If the Spot Instance is terminated by Amazon EC2, you will not be charged for a partial hour of usage. However, if you terminate the instance yourself, you will be charged for any hour in which the instance ran.
|
|
|
|
What is a Spot fleet?
|
A Spot fleet is a collection of Spot Instances working as part of the same distributed application, like a batch processing job, a Hadoop workflow, or an HPC grid computing job. A Spot fleet can consist of Spot Instances of different instance types, configurations, and AMIs.
|
|
|
|
What is a Storage Gateway?
|
The AWS Storage Gateway is a service connecting an on–premises software appliance with cloud–based storage to provide seamless and secure integration between the IT environment and AWS’s storage infrastructure
|
|
|
|
What are the 3 configurations for the Storage Gateway
|
– Gateway–Stored volumes : cloud is the backup, data is stored locally and then pushed to S3 and made available in an EBS format
– Gateway–Cached volumes : cloud is the primary, stored in S3 and available via iSCSI. Working data is cached locally – Gateway–Virtual–Tape library – existing on–premise backup |
|
|
|
What are the features of the Storage Gateway Virtual Tape Library
|
– 10 Virtual Tape drives / gateway which responds to iSCSI commands
– 1 media changer – 1500 virtual tape cartridges (150 TB) |
|
|
|
How do you connect a Storage Gateway appliance to AWS?
|
The Storage Gateway must be activated, this associates the SGW with your AWS account
|
|
|
|
How are Storage Gateway snapshots stored?
|
Point–in–time snapshots of on prem data – encrypted automatically, stored as EBS snapshots
|
|
|
|
What is the security around iSCSI
|
CHAP. Prevents replay.
|
|
|
|
What is a Virtual Private Cloud?
|
Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the Amazon Web Services (AWS) Cloud where you can launch AWS resources in a virtual network that you define
|
|
|
|
What are the 4 settings for a Default VPC
|
– All subnets have an internet gateway attached
– Each EC2 instance is multi–homed (public and private IP address) – If deleted the only way to restore the default VPC is to call Amazon – The IP address range for each VPC is set at creation time |
|
|
|
How many IP addresses are available in a subnet?
|
– 251
AWS reserves in a CIDR subnet : – The first 3 IPs – The last IP address |
|
|
|
How many route tables can a subnet be associated with?
|
1
|
|
|
|
How many Elastic IPs are allowed per VPC
|
– 5
|
|
|
|
How many VPCs are allowed per region?
|
– 5
– Soft Limit – The Internet Gateway is tied to this |
|
|
|
How many Internet Gateways are allowed per region?
|
– 5– Tied to the VPC limit
|
|
|
|
How many subnets are allowed per VPC?
|
– 200
– Soft limit |
|
|
|
How many Virtual Private Gateways are allowed per region?
|
– 5
– Soft limit – Only one Gateway can be attached to a VPC at a time. |
|
|
|
How many Virtual Private Gateways can be attached to the same VPC?
|
– 1
|
|
|
|
How many Customer Gateways are avaialble per region?
|
– 500
|
|
|
|
How many VPN connections are allowed per region?
|
– 50
– Soft limit |
|
|
|
How many VPN connections are allowed per VPC?
|
– 10
– Soft limit |
|
|
|
How many Routes tables are allowed per VPC?
|
– 200
– Including the main route table |
|
|
|
Can you associate more than one route table to a subnet in a VPC?
|
Yes
|
|
|
|
How many Entries are allowed per Route Table?
|
– 50
– Soft limit – There is a performance impact |
|
|
|
How many Security Groups are allowed per VPC?
|
– 100
– Soft Limit |
|
|
|
What is the difference between EC2–Classic and VPC Elastic IPs
|
They are separate pools of IP addressesq
|
|
|
|
How is the Public and Private addresses on the EC2 instanced mapped?
|
It's mapped via NAT
|
|
|
|
How many Rules are allowed per Security Group?
|
– 50
– Soft limit – Total can not exceed 250 |
|
|
|
How many Security Groups are allowed per network interface
|
– 5
– Max of 16 |
|
|
|
What is the limit for VPC peering connections per VPC?
|
– 50
– Soft limit – Max 125 |
|
|
|
Can VPCs be peered via private addresses?
|
Yes
|
|
|
|
Can you VPC Peer with other AWS accounts?
|
Yes
|
|
|
|
How can you link EC2–Classic with VPCs
|
Use ClassicLink
|
|
|
|
What are the 4 vpc Templates in the AWS console?
|
– Single Public subnet
– Public and Private subnets – Public and Private subnetwith VPN – Private subnet with hardware VPN |
|
|
|
How are VPC Security Groups different to EC2 Security Groups?
|
VPC security groups have additional capabilities that Amazon EC2 security groups do not have, such as being able to change the security group after the instance is launched and being able to specify any protocol with a standard protocol number (as opposed to just TCP, UDP, or ICMP)
|
|
|
|
What are the 5 things that Amazon does fo you when creating a Default VPC?
|
Create :
– A default subnet in each Availability Zone – An Internet gateway connected to the default VPC – Create a Main route table that sends all traffic destined for the Internet to the Internet gateway – A default security group and associate it with your default VPC – A default network access control list (ACL) and associate it with your default VPC |
|
|
|
What is a Virtual Private Gateway?
|
A VPN Endpoint at AWS
|
//fce-study.netdna-ssl.com/2/images/upload-flashcards/91/18/12/10911812_m.png
|
|
|
Is Virtual Private Gateway traffic segregated?
|
–Network traffic within each virtual private gateway is isolated from network traffic within all other virtual private gateways
|
|
|
|
What is Zocalo?
|
– Now calledWorkDocs
– A fully managed, secure enterprise storage and sharing service with strong administrative controls and feedback capabilities that improve user productivity. |
|
|
|
What is AWS Import / Export
|
AWS Import/Export accelerates moving large amounts of data into and out of the AWS cloud using portable storage devices for transport
|
|
|
|
What is Amazon Workspaces?
|
Amazon WorkSpaces is a managed desktop computing service in the cloud
|
|
|
|
What are 5 WorkDocs features?
|
–Users can comment on files
– Versioning – Cross platform support including tablets – Directory Integration – Control the location where data is shared |
|
|
|
How long can AWS passwords be?
|
128 chars
|
|
|
|
If you enable MFA authentication does it automatically protect the APIs?
|
No. You must enable a MFA–Authentication requirement to an IAM access policy
|
|
|
|
What is TOTP?
|
Time–Based One Time Password
|
|
|
|
What is the shared responsibility model?
|
AWS responsible for the Physical and Services layer
Customer responsible for the OS (EC2), Platform and Data |
|
|
|
How is hardware decomissioned?
|
All decommissioned devices are degaussed and physically destroyed
|
|
|
|
Does AWS test your code?
|
Deployed code undergoes penetration testing.
|
|
|
|
How to protect Data at Rest
|
– Encrypt– Backup
– Repilcate |
|
|
|
What are the 2 types of DR configurations?
|
– Piliot Light
– Warm Standby |
|
|
|
What is 'Warm Standby' DR?
|
– Duplicate critical systems in AWS
– Not scaled to full prod load – Used for non–prod work such as QA, testing, etc – Scaled up quickly – Add instances behind a ELB – Resize small instances to larger instances |
|
|
|
What is ' Piliot Light' DR?
|
– Critical core elements of your system are already configured and running in AWS
– Rapidly provision a full scale prod environment around the critical core |
|
|
|
What is Bootstraping?
|
Configuring raw EC2 instances with additional software, service packs and patches
|
|
|
|
What is the EC2 Metadata Service?
|
Instance metadata is data about your instance that you can use to configure or manage the running instance. Instance metadata is divided into categories
|
|
|
|
What subnet is the EC2 Metadata service located on?
|
169.254.169.254/latest/meta–data/
|
|
|
|
Can users add to the EC2 Metadata?
|
– Yes– 16K limit on data
– Base64 encoded before submitting via API – Data is decoded before presenting to the Instance – Only happens at Launch |
|
|
|
What is the difference between CloudTrail and CloudWatch
|
CloudTrail show user activity calls from API, Console
CloudWatch show EC2 instance logs |
|
|
|
What's the difference between CloudFormation and OpsWorks
|
CloudFormation is for infrastructure
OpsWorks is for Applications |
|
|
|
What is IAM?
|
IAM is the management console for managing access to AWS resources in an organization.
|
|
|
|
What 3 things does IAM consist of?
|
– Users
– Groups – Roles |
|
|
|
What is an IAM user?
|
An individual
|
|
|
|
What is an IAM group?
|
Collections of users with one set of permissions.
|
|
|
|
What is a unique feature of an IAM Role?
|
A Role allows addition both Users and AWS resources
|
|
|
|
How long does it take to restore data from Glacier?
|
3–5 Hours
|
|
|
|
How do I delete a vault?
|
You may delete any Glacier vault that does not contain any archives using the AWS Management Console, the Amazon Glacier APIs or the SDKs. Once a vault has been deleted, you can then re–create a vault with the same name. If your vault contains archives, you must delete all the archives before deleting the vault.
|
|
|
|
What size is the largest archive that can be uploaded in a single request?
|
4 GB
|
|
|
|
Is there a minimum time that a Glacier archive needs to exist before deletion to prevent charges?
|
Yes. Archives that are deleted within 3 months of being uploaded will be charged a deletion fee
|
|
|
|
Can I retrieve part of an archive?
|
Yes. Range retrievals enable you to retrieve a specific range of an archive. You provide a byte range that can start at zero (which would be the beginning of your archive), or at any 1MB interval
|
|
|
|
How long is a Glacier Retrieval good for?
|
24 Hours
|
|
|
|
How does Glacier send notification?
|
SNS
|
|
|
|
What AWS services serve as CloudFront origins?
|
– S3
– EC2 – EBS – HTTP/S URL |
|
|
|
How many S3 buckets can an Account have by default?
|
100
|
|
|
|
What is a Placement Group?
|
A placement group is a logical grouping of instances within a single Availability Zone. Using placement groups enables applications to participate in a low–latency, 10 Gbps network
|
|
|
|
eAre DynamoDB tables stored in a single or multiple AZs
|
DynamoDB Tables are stored across multiple AZs automatically.
|
|
|
|
What is the maximum RDS volume size?
|
2TB
|
|
|
|
In a VPC can subnets map to multiple AZs
|
No. Subnets exist in a single AZ
|
|
|
|
In a VPC can subnets span multiple AZs
|
No. Subnets exist in a single AZ
|
|
|
|
Are newly created Internet Gateways attached to the Default VPC?
|
No. Newly created Internet Gateways are in a 'Detached' state
|
|
|
|
How many Internet Gateways can be attached to one VPC?
|
1
|
|
|
|
How many VPCs do you get per region?
|
5
Soft limit |
|
|
|
How many Subnets do you get per VPC?
|
200
|
|
|
|
How many Internet Gateways do you get per Region?
|
5
|
|
|
|
How many Virtual Private Gateways do you get per Region?
|
5
|
|
|
|
How many Customer Gateways do you get per Region?
|
50
|
|
|
|
How many VPN connections do you get per region?
|
50
|
|
|
|
How many VPN connections do you get per VPC (per Virtual Private Gateway)?
|
10
|
|
|
|
How many Route tables do you get per VPC?
|
200
Including the main roue table |
|
|
|
How many entries do you get per Route Table?
|
50
|
|
|
|
How many Elastic IPs do you get per Region per Account?
|
5
|
|
|
|
How many Security Groups are there per VPC?
|
100
|
|
|
|
How many Rules do you get per Security Group?
|
50
|
|
|
|
How many Security Groups do you get per Interface?
|
5
Max 16 Soft Limit |
|
|
|
How many network interfaces can you get per VPC?
|
100
|
|
|
|
How many Network ACLS do you get per VPC?
|
200
|
|
|
|
How many Rules do you get per Network ACL?
|
20
|
|
|
|
How many BGP Routes do you get per VPN connection?
|
100
|
|
|
|
How many Active VPC peering connections do you get per VPC?
|
50
|
|
|
|
How many outstanding VPC Peering requests are allowed?
|
25
|
|
|
|
How long before a VPC peering connection request expires?
|
1 Week
|
|
|
|
How many VPC endpoints do you get per region?
|
20
|
|
|
|
Does a Route table automatically get created when you create a new VPC?
|
Yes.
|
|
|
|
When creating a NAT Instance there is one additional Action that needs to be performed. What is that Action?
|
Disable the Source/Destination Check
|
|
|
|
If a NAT instance has poor performance what should you do?
|
Use a larger instance. Larger instances have higher network throughput.
|
|
|
|
What is the default inbound and outbound rule for a new NACL?
|
Deny inbound and Deny outbound
|
|
|
|
Can multiple Network Access Control Lists be associated with one subnet?
|
No. NACLs are like firewalls you can have only 1 per subnet.
|
|
|
|
Can a NACL be associated with multiple subnets?
|
Yes
|
|
|
|
Does SQS guarantee First In First Out
|
No. SQS does not guarantee FIFO.
|
|
|
|
What is the delivery difference between SQS and SWS
|
SQS delivers 'At least once'
SWS delivers 'Only once' |
|
|
|
Is SNS Push or Pull
|
Push
|
|
|
|
Is SQS Push or Pull
|
Pull
|
|
|
|
What data consistency model does Amazon S3 employ?
|
Amazon S3 buckets in the US Standard region provide eventual consistency. Amazon S3 buckets in all other regions provide read–after–write consistency for PUTS of new objects and eventual consistency for overwrite PUTS and DELETES
|
|
|
|
Which CloudWatch metric requires a custom monitor?
|
Memory Usage
|
|
|
|
The Amazon AppStream web service is a resource–based API that uses ……… Language.
|
The Amazon AppStream web service is a resource–based API that uses Hypertext Application Language (HAL). HAL provides a standard way for expressing the resources and relationships of an API as hyperlinks. Using HAL, you use HTTP methods (GET, PUT, POST, DELETE) to submit requests and receive information about the API in the response. Applications can use the information returned to explore the functionality of the API.
|
|
|
|
The ______ element of an IAM policy is required and specifies whether you want the statement to result in an allow or an explicit deny.
|
The Effect element included within the statements of an IAM policy is always required, and specifies whether the current statement is to result in an allow or an explicit deny
http://docs.aws.amazon.com/IAM/latest/UserGuide/AccessPolicyLanguage_ElementDescriptions.html |
|
|
|
What does ENI stand for?
|
Elastic Network Interface (ENI)
|
|
|
|
Each host in Amazon AppStream runs on a very large instance type called ………, which provides large amount of parallel processing power.
|
Graphics Processing Unit (GPU)
|
|
|
|
What is the maximum amount of vaults that a user can create in Glacier?
|
1000
|
|
|
|
Amazon CloudFront gets your web content from ______ and serves it to viewers via a world–wide network.
|
CloudFront gets your web content from your origins (S3 or HTTP endpoint)
|
|
|
|
……… is a client application that you can install in a WorkSpace that you launch, which continuously, automatically, and securely backs up documents from a WorkSpace to Amazon Simple Storage Service (S3).
|
WorkSpaces Sync is a client application that you can install in a WorkSpace that you launch, which continuously, automatically, and securely backs up documents from a WorkSpace to Amazon Simple Storage Service (S3). You can also install WorkSpaces Sync on a Mac or PC to sync documents to or from a WorkSpace so that users can always have access to their data regardless of the desktop computer you are using.
|
|
|
|
An organization has three separate AWS accounts, one each for development, testing and production. The organization wants the testing team to have access to certain AWS resources of the production account. How can the organization achieve this?
|
IAM role with cross account access will provide a solution
|
|
|
|
Does the special AWS Region, called GovCloud, support SQL Server DB engine?
|
GovCloud supports the SQL Server DB engine.
|
|
|
|
When using Amazon SimpleDB , can you change your data model on the fly?
|
The flexibility of Amazon SimpleDB allows you to change your data model on the fly, adding or removing attributes without breaking a rigid schema.
|
|
|
|
Every time you create a user, group, or server certificate through the IAM API or CLI a/ an ______ is returned to you so you can reference the newly created entity in future operations.
|
Every time you create: a user, a group, a role, or in general any entity using the CLI or the IAM API a unique id, among other data, is returned to you so you can uniquely reference the entity later and prevent possible naming conflicts.
|
|
|
|
What dictates optimal performance for Amazon WorkSpaces?
|
For optimal performance, the round trip time (RTT) from the client's network to the region that your WorkSpaces are in should be less than 100ms.
|
|
|
|
n Amazon CloudFront, when you want to analyze Access Logs of a single stream more quickly and accurately for a given period, it is recommended to
|
In Amazon CloudFront, because logs for a single stream can get recorded in multiple files, Amazon recommends that you combine all the log files you receive for a given period into one file. You can then analyze the data for that period more quickly and accurately.
|
|
|
|
What file format is used to deploy Lambda code
|
To create a deployment package, you write code and create libraries in a directory. You install the libraries by running the npm install in the directory. You then bundle the directory content into a .zip file
|
|
|
|
To create a deployment package, you write code and create libraries in a directory. You install the libraries by running the npm install in the directory. You then bundle the directory content into a .zip file
|
One of the Amazon AppStream component is Amazon AppStream Host which hosts your application on EC2 instances. Each host runs on a very large instance type called a GPU instance. Each GPU instance provide large amounts of parallel processing power.
|
|
|
|
In Amazon CloudFront what is the maximum length of a path pattern in characters
|
In Amazon CloudFront, the maximum length of a path pattern is 255 characters.
A–Z, a–z, (case sensitive) 0–9_ – . * $ / ~ " ' @ : + &, passed and returned as & |
|
|
|
What are Amazon WorkSpaces restrictions?
|
– User Access Control is not supported on your WorkSpaces. If you or your users change the UAC settings on a WorkSpace, you may not be able to connect to the WorkSpace
– Firewalls: You should not install any type of security or firewall software. – Network Interfaces: Do not modify or delete any of the network interfaces attached to a WorkSpace. Doing so may cause the WorkSpace to become unreachable. |
|
|
|
True or False: Amazon DevPay and Amazon FPS both leverage the Amazon Payments infrastructure to process payments from your customers and provide you with an easy way to charge Amazon’s tens of millions of customers.
|
True. Amazon DevPay and Amazon FPS both leverage the Amazon Payments infrastructure to process payments
|
|
|
|
Which AWS service metrics support aggregation of statistics?
|
Aggregate statistics help a user generate aggregation of data for statistics, such as average, samplecount, min and max. The aggregation of statistics is available for the Auto Scaling group as well as for the EC2 instances.
|
|
|
|
What is FPS?
|
Flexible Payments Service
|
|
|
|
How is Flexible Payment Service used?
|
With Amazon FPS, developers can accept payments on their website for selling goods or services, raise donations, execute recurring payments, and send payments.
|
|
|
|
AWS Lambda allows you to add custom logic to AWS resources such as Amazon S3 buckets and Amazon ____________ tables,
|
AWS Lambda allows you to add custom logic to AWS resources such as Amazon S3 buckets and Amazon DynamoDB tables,
|
|
|
|
When changing content served by CloudFront how long might old content be served?
|
By default, Amazon CloudFront caches objects in edge locations for 24 hours
|
|
|
|
Queries to Alias records are free for which services?
|
Queries to Alias records that are mapped to Elastic Load Balancers, Amazon CloudFront distributions and Amazon S3 website buckets are free.
|
|
|
|
With regard to RDS, will I be alerted when automatic failover occurs?
|
Yes. With regard to RDS, you will be alerted when an automatic failover occurs.
|
|
|
|
How is the Management Network Interface for WorkSpaces used?
|
The management network interface is used for interactive streaming of the WorkSpace desktop with the Amazon WorkSpaces client application
|
|
|
|
What is the maximum number of EC2 units with AutoScaling?
|
100
|
|
|
|
SimpleDB exposes logic for consistency characteristics for what kind of request?
|
Read
|
|
|
|
Can you update an AutoScaling Launch Config?
|
No. The Launch config is immutable.
|
|
|
|
What is Lambda's availability?
|
99.99%
|
|
|
|
What is the maximum size for Instance Store–backed storage?
|
10GB
|
|
|
|
How can you test SimpleDB without any coding?
|
Use Amazon SimpleDB scratchpad
|
|
|
|
Is "Number” is not an allowed unit for CloudWatch Metrics?
|
No.
|
|
|
|
What kind of Route 53 record allows you to set multiple answers to a single DNS name?
|
Weighted resource record sets
|
|
|
|
What is the maximum size of a TXT Route 53 Record?
|
255 chars
|
|
|
|
Do you receive CloudFront logs if no users access your content during a given hour?
|
No.
|
|
|
|
Regarding AWS Elastic Beanstalk CLI, which one of the following statements is correct?
|
In AWS Elastic Beanstalk CLI, a single–instance environment contains one Amazon EC2 instance with an Elastic IP address. A single–instance environment doesn't have a load balancer
|
|
|
|
What does a Route 53 SOA record identify?
|
In Amazon Route 53, the SOA record identifies the base DNS information about the domain, for example:ns–2048.awsdns–64.net. hostmaster.example.com. 1 7200 900 1209600 86400
|
|
|
|
Can I use the AWS IAM system to Allow or Deny access to a specific DB Instance (not through API)?
|
Yes. You can use the AWS IAM system to allow or deny access to a specific DB Instance.
|
|
|
|
Which is the correct sequence of events when Auto Scaling discovers that an instance is unhealthy?
1. Launch a new instance 2. Terminate the old instance |
1 then 2
|
|
|
|
What is the format of a Route 53 'A' Record?
|
It's an IP address
192.0.2.1 |
|
|
|
What are the valid characters for a CloudWatch Metric?
|
"0–9A–Za–z" plus "."(period), "–" (hyphen), "_" (underscore), "/" (slash), "#" (hash), and ":" (colon)
|
|
|
|
How many read consistency options does Amazon SimpleDB support?
|
2
– Eventually Consistently Read – Consistent Read http://docs.aws.amazon.com/AmazonSimpleDB/latest/DeveloperGuide/ConsistencySummary.html |
|
|
|
What is a CloudWatch Metric?
|
A metric is a data point at a particular moment.
|
|
|
|
Does AppStream use the open–source Opus audio codec?
|
Yes
|
|
|
|
Might you have to obtain a license for MPEG–LA for apps in AppStream?
|
Yes
|
|
|
|
Does AppStream use client binaries, open source packages provided in the SDK?
|
Yes
|
|
|
|
Do you need to obtain licenses for the OS that you use to run your app in AppStream?
|
No
|
|
|
|
Are Instance Profiles managed for you when using the CLI or API?
|
No. You have to manually create the Instance Profiles for each role.
|
|
|
|
For S3 static hosting is the Bucket Name part of the parameter list? What is?
|
No.
– Index document – Error document – Redirection Rules |
|
|
|
What is an AutoScaling administrative suspension?
|
When AutoScaling continuously fails to launch an instance.
|
|
|
|
Is an EIP available in EC2 Classic?
|
No.
|
|
|
|
What is a NS Record in Route 53?
|
A Name Server record
|
|
|
|
What services are supported by CloudWatch
|
– EC2
– EMR – AutoScaling – DynamoDB – RDS – RedShift – OpsWorks |
|
|
|
Does AutoScaling allow for Manual Scaling?
|
Yes
|
|
|
|
Dynamo DB max item size, irrespective of the number of items
|
400 kb
|
|
