262 Cards in this Set


True or False? AWS Identity and Access Management (IAM) is region specific.

Answer: FALSE

Question: How do you create a 'Root' account?

Answer: It is automatically created as the first account used to sign up for AWS.

True or False? New users are only allowed read permission to the selected region by default.

Answer: FALSE. IAM is not based on region and new users have no permissions by default. All permissions must be assigned.

Question: You created a new IAM user and gave the employee the username and password. The employee reports that she cannot call the API. Why is this?

Answer: The API requires the Access Key and Secret Key. The API cannot be called with a username and password.

Question: An employee reports they lost their Access/Secret Keys and requests that you send them to her. How do you resend the keys?

Answer: The keys cannot be regenerated. It is recommended that they be stored in a secured location.

Question: Name the 4 types of IAM resources.

Answer: Users, Roles, Groups, Policies

True or False? Power Users can administer other users.

Answer: FALSE. Power Users can do everything EXCEPT administer other users.

True or False? S3 is an Object-based storage.

Answer: TRUE. Simple Storage Service is a key-pair object based storage.

Question: What is the S3 maximum object size?

Answer: 5 TB

True or False? You can install applications and operating systems using S3 storage.

Answer: FALSE. Simple Storage Service is a key-pair object based storage that does not support the installation of applications or operating systems.

Question: What is the maximum size of an S3 bucket?

Answer: There is no maximum size.

Question: What is the AWS stated durability and availability for S3?

Answer:
Durability - 11 9's (99.999999999%)
Availability - 4 9's (99.99%)

True or False? S3 bucket names can be duplicated but only if in different regions.

Answer: FALSE. S3 bucket names must be globally unique due to a universal namespace.

Question: What is the URL format for a newly created S3 bucket?

Answer:
Path-style URL: https://S3.amazonaws.com/{BucketName}
Virtual Hosted Style URL: https://{BucketName}.s3.amazonaws.com
If not in US East then S3 must be followed by a region name.



Question: What is the return code to indicate a successful upload to S3?

Answer: HTTP 200

Question: What can you enable to increase the speed of file uploads to S3?

Answer: Multi-part upload.

Question: What is the maximum number of S3 buckets?

Answer: There is no maximum but a limit is set at 100 that can be overridden by calling AWS.

Question: What type of consistency exists for new 'put's?

Answer: Read after Write Consistency.

Question: What type of consistency exists for overwrite 'put's or deletes?

Answer: Eventual Consistency.

Question: Describe the S3 metadata.

Answer:
Key - Name
Value - Bytes of data
VersionID
Metadata - date updated, last version
Subresources - ACL, torrents

Question: What can you do to spread file storage across the S3 infrastructure?

Answer: Objects are stored hierarchically so objects with the same name are grouped together. Placing a number at the start of each file name encourages the files to be spread out.

Question: List the 4 Tiers of S3 storage.

Answer:
S3 - Can survive loss of 2 facilities.
S3 IA - Infrequent Access but needed immediately, charged for each retrieval, can survive loss of 2 facilities.
Reduced Redundancy - For use with easily reproducible data like thumbnails. Can sustain loss of 1 facility. Durability of 4 9's (99.99%)
Glacier - Archival $.01/GB, 3-5 hours to restore, must store for a minimum of 90 days.

Question: What feature allows you to create rules to move data between the S3 storage tiers?

Answer: Lifecycle Management

Question: What must be enabled to define lifecycle rules based on previous version numbers?

Answer: Bucket object versioning. Can be applied to current and previous versions.

Question: Why can't you create a lifecycle rule to move a file to S3 IA after it is 7 days old?

Answer: S3 IA (Infrequent Access) requires that the file be larger than 128 KB and older than 30 days.

Question: How long must a file be in S3 IA (Infrequent Access) before it can be moved to the Glacier tier?

Answer: 30 days

True or False? After enabling versioning you can change your mind and disable versioning.

Answer: FALSE. You can suspend versioning but you cannot disable it.

True or False? When you delete an object with prior versions all versions are deleted.

Answer: FALSE. All versions are kept even if you delete an object.

Question: What can you enable to help prevent accidental deletion of objects?

Answer: MFA - Multi Factor Authentication

Question: What happens when you delete the 'Delete' marker on a file object?

Answer: The object is restored.

Question: How is S3 encrypted in transit?

Answer: SSL/TLS

Question: What are the 3 options for server side encryption at rest?

Answer:
1. S3 Managed Keys (SSE-S3)
2. AWS Key Management Service (SSE-KMS), provides an audit trail of key usage.
3. Customer Provided Keys (SSE-C)

Question: What is the default setting for an S3 Bucket ACL?

Answer: Private

True or False? When enabling logging you can specify a different bucket than the bucket being logged.

Answer: TRUE

True or False? When you enable replication only new or modified files will be replicated. Current files will not be replicated until they are updated.

Answer: TRUE

True or False? You can set up replication to copy to multiple buckets.

Answer: FALSE

Question: What is the name for a CloudFront location?

Answer: Edge Location. They are different from Regions and Availability Zones.

Question: Name the four resource types that can be used as a CloudFront origin.

Answer: The CloudFront Origin, or original file location, can be S3, EC2 instance, ELB or Route 53.

Question: What is a CloudFront Distribution?

Answer: A CloudFront Distribution is the name of a collection of Edge Locations.

Question: Name the 2 types of CloudFront distributions.

Answer: Web (websites) and RTMP (media)

True or False? If a file is written to an Edge Location of a CloudFront distribution and it does not exist at the Origin it will be copied back to the Origin.

Answer: TRUE

Question: You realized that a file in the CloudFront distribution needs to be updated immediately. Can this be done or do you need to wait for the TTL to expire?

Answer: You can "INVALIDATE" the file immediately but you will be charged a fee if it is before the TTL expires.

Question: What are the two methods for restricting access to files in a CloudFront distribution?

Answer: Signed URLs and Cookies

True or False? CloudFront Distributions have the option of user configurable White and Blacklists.

Answer: TRUE

Question: Name the 3 types of AWS Storage Gateways.

Answer:
File Gateway - NFS
Volume Gateway - iSCSI
Tape Gateway - VTL

Question: Name the 2 types of Volume Gateways.

Answer:
Gateway Stored Volumes - Stored locally with EBS snapshots stored on AWS
Gateway Cached Volumes - Frequently used files cached locally with files stored on S3

Question: What is the name of the bulk file transfer service?

Answer: Snowball (previously Import/Export)

Question: Why use Snowball over Internet transfer?

Answer: For Petabyte scale transfers Snowball is 1/5 the cost of Internet transfer and includes Encryption and Chain of Custody.

Question: What are the 3 types of Snowball?

Answer:
Snowball - Petabyte scale file transfer
Snowball Edge - includes compute (AWS in a box)
Snowmobile - Exabyte scale in a shipping container

Question: What is the value of S3 file transfer acceleration?

Answer: It depends on the region. Use the included tester to determine value.

Question: Name the 4 purchasing types of EC2 (Elastic Cloud Compute).

Answer: On Demand, Reserved, Spot, Dedicated

Question: Government standards restrict multi tenant virtual servers. What type of EC2 instance should you purchase?

Answer: Dedicated Host - charged per hour

Question: What EC2 type should you choose when attempting to reduce costs, the workload is non-production, and it can be shut down without notice?

Answer: SPOT Instances - Charged by the hour on a bid basis. If shut down by AWS you are not charged for that hour. If shut down by you then AWS charges you for the full hour.

Question: You are expecting seasonal heavy traffic. What is the recommended EC2 type to handle the demand?

Answer: On Demand can spin up and down at any time. Pay per hour.

Question: You anticipate a specific usage percentage such as 50% or 100%. What EC2 type can reduce your costs for 1 or 3 year commitments?

Answer: Reserved Instances

Question: List the EC2 Family Instance Types.

Answer: Dr. Mc Gift Px
D - Dense Storage, R - Ram, M - Main, C - Compute, G - Graphics, I - IOPS, F - Field Programmable Gate Array, T - Affordable (T2 micro), P - media, X - Extreme memory

Question: Name the service used to sync AWS IAM with an existing on-premise Microsoft Active Directory without a federation infrastructure.

Answer: AD Connector

Question: Describe the ENI (Elastic Network Interface) behavior at shutdown.

Answer: If the ENI is created automatically via the console it is automatically terminated (deleted) at shutdown. If the ENI was manually added via the command line then it will NOT be automatically terminated.

Question: What is the name of the storage associated with EC2 instances that supports applications and operating systems?

Answer: EBS (Elastic Block Storage)

Question: Name the 5 types of EBS storage.

Answer:
GP2 - General Purpose SSD
IO1 - Provisioned IOPS SSD
ST1 - Throughput Optimized HDD
SC1 - Cold Storage HDD
Magnetic Standard HDD

Question: What EBS type is the lowest cost that is still bootable?

Answer: Magnetic Standard HDD

Question: What EBS type is the lowest overall cost, optimized for infrequent file server use, but cannot be booted?

Answer: SC1 - Cold Storage HDD

Question: What EBS type is for data warehouses, logs, and big data but cannot be booted?

Answer: ST1 - Throughput Optimized HDD

Question: What EBS type is the best balance of price and performance?

Answer: GP2 - General Purpose SSD, 3 IOPS per GB up to 10 Gbs, can burst to 3K IOPS for 1 GB

Question: What EBS type is best for databases and NoSQL?

Answer: IO1 - Provisioned IOPS SSD, select if you need more than 10K IOPS, 20K IOPS max

True or False? EBS volumes can connect to multiple EC2 instances.

Answer: FALSE

True or False? EBS volumes are configured to delete on termination by default.

Answer: TRUE

True or False? EBS root volumes from Amazon AMIs can be encrypted.

Answer: FALSE - However you can create a custom AMI from the instance or use 3rd party encryption such as BitLocker.

Question: What is the default setting for EC2 Termination Protection?

Answer: EC2 Termination Protection is off by default.

Question: Describe a snapshot.

Answer: Point in time incremental snapshot of an EBS volume stored in S3.

True or False? You can publicly share your encrypted and un-encrypted EBS volumes.

Answer: FALSE. You cannot publicly share encrypted EBS volumes.

True or False? Snapshots of encrypted volumes are automatically un-encrypted to perform the snapshot.

Answer: FALSE. The snapshot remains encrypted.

True or False? When restoring an EBS volume from an encrypted snapshot the restored volume will remain encrypted.

Answer: TRUE

Question: Name the 2 types of EC2 Status Checks.

Answer: System and Instance

Question: How does an EC2 System Status Check differ from an EC2 Instance Status Check?

Answer:
System - Power, Networking, Software system on VM Host are working correctly. If this fails restart the EC2 instance to migrate to a new host.
Instance - Checks if traffic to the instance OS is working correctly. If this fails, reboot or modify the OS.

Question: What is the difference between a Security Group and NACLs?

Answer: Security groups are like a stateful firewall for EC2. NACLs are like a stateLESS firewall for VPCs.

Question: What is the difference between a stateful and stateless firewall?

Answer:
A stateful firewall creates an INBOUND rule that implies a matching OUTBOUND rule.
A stateless firewall requires you to create both the INBOUND and OUTBOUND rules.

Question: What are the settings of the Default Security Group?

Answer: All traffic is allowed on all ports.

True or False? When creating a custom Security Group you can DENY traffic for INCOMING rules only.

Answer: FALSE. You can only specify ALLOW rules for Security Groups. The default setting is to DENY all traffic.

True or False? Changes to a Security Group to block an IP Address are applied immediately.

Answer: FALSE. While changes to security groups are applied immediately, you cannot block an IP address.

True or False? You can assign multiple Security Groups to an EC2 instance AND you can assign multiple EC2 instances to a single Security Group.

Answer: TRUE

Question: You want to block a specific IP Address. Can you do that with Security Groups, NACLs or both?

Answer: You can specify Accept and Deny rules for IP Addresses on NACLs. You cannot specify Deny rules or IP Addresses for Security Groups.

Question: What port needs to be opened for RDP?

Answer: 3389 - RDP (Remote Desktop Protocol)

Question: What port needs to be opened for MySQL or Aurora?

Answer: 3306 - MySQL and Aurora (AWS version of MySQL)

True or False? When creating an EBS volume you must specify that it is created in an Availability Zone that matches the EC2 instance you will attach.

Answer: TRUE

Question: You need more IOPS for an unsupported database. What can you do?

Answer: Create multiple EBS volumes and then use the OS features to create a RAID 0 or RAID 10 array.

Question: How do you force an application consistent snapshot?

Answer: Shut down the application and unmount the RAID array.
-OR-
Shut down the associated EC2 instance.

Question: Name and describe the 4 types of RAID arrays.

Answer:
RAID 0 - Striped, no redundancy, good performance
RAID 1 - Mirrored, redundancy but no added performance
RAID 5 - Good for reads, bad for writes, should not be used on AWS
RAID 10 - Striped and Mirrored, good redundancy and performance

Question: What is the Bash command to raise rights to Super User?

Answer: sudo su
(Super User Do Super User)

Question: What is the Bash command to automatically update the system?

Answer: yum update -y
(Launch YUM, update the repository, confirm yes)

Question: What is the Bash command to automatically check the system on startup to ensure the Apache web server service is started?

Answer: chkconfig httpd on
(Tell chkconfig to turn on httpd)

Question: What is the Bash command to control the state of HTTPD (or any service)?

Answer: service httpd start
(can use start, stop, and restart)

Question: What is the Bash command to install Apache?

Answer: yum install httpd24 -y
(Launch Yum, install latest version of Apache, confirm yes)

Question: What is the Bash command to list the connected EBS volumes?

Answer: lsblk
(ls - list, blk - block storage)

Question: What is the Bash command to connect an EC2 file system with an EBS volume device listed as /dev/xvdf?

Answer: mount -t ext4 /dev/xvdf
(mounts the device /dev/xvdf and formats it in the ext4 file format)

Question: What is the Bash command to disconnect the block device /dev/xvdf?

Answer: umount /dev/xvdf
(un-mounts /dev/xvdf)

Question: What is an AMI?

Answer: An AMI (Amazon Machine Image) is a template of an EC2 instance.

Question: Name the 3 types of resources included in an AMI.

Answer:
Root Volume (OS and applications)
Launch Permissions (which AWS accounts can use it)
Block Device Mappings (what EBS volumes to attach at launch)

True or False? An instance can only be launched in the same Region as the AMI.

Answer: TRUE. You can include the AMI in multiple regions.

Question: What are the best practices before setting an AMI for public use?

Answer:
1. Disable services that authenticate in clear text.
2. Do not start unnecessary services (only application and admin (ssh/rdp)).
3. Delete AWS credentials, 3rd party credentials, and additional certs.
4. Ensure software is not configured with default internal credentials.
5. Ensure you follow the Amazon acceptable use policy.

Question: What are the 2 categories of AMIs?

Answer:
EBS - Root device is EBS created from a snapshot, can be stopped and moved without losing data.
Instance - Root device is ephemeral, created from a template, cannot be stopped without losing data.

True or False? Rebooting an EBS AMI Instance will not lose data but rebooting an Instance AMI will lose data.

Answer: FALSE. Rebooting will NOT lose data for either AMI type but stopping an Instance AMI will lose data.

True or False? By default both an EBS and Instance AMI root volume will be deleted on termination.

Answer: TRUE. You can change the default for EBS.

Question: At what layer of the OSI stack do an Application Load Balancer and a Classic Load Balancer live?

Answer:
Application - Layer 7
Classic - Layer 4

Question: How many subnets can be used in a Classic Load Balancer?

Answer: Only 1 subnet per Availability Zone; however you must use 2 or more AZs to increase availability.

Question: Name the two possible status values of a monitored ELB.

Answer:
InService
OutofService

True or False? An ELB is assigned a DNS name and a public IP Address.

Answer: TRUE. However, the public IP address is not displayed in the console and you are discouraged from using it since the public IP address can change without notice.

Question: What is the purpose of CloudWatch?

Answer: Performance Monitoring

Question: What is the purpose of CloudTrail?

Answer: Auditing

Question: What are the 4 default EC2 CloudWatch metrics?

Answer: Disk, CPU, Network, Status
Not RAM - it is a custom metric (charged)

Question: What are the 2 types of CloudWatch monitoring and what time interval do they allow?

Answer:
Standard - 5 min intervals (free)
Detailed - 1 min intervals (charged)

Question: Describe CloudWatch alarms.

Answer: Send notifications via SNS based on thresholds.

Question: Describe CloudWatch Events.

Answer: Trigger responses based on state change.

Question: Describe CloudWatch Logs.

Answer: Aggregate, monitor and store logs.

Question: What is the AWS CLI command to set the Access Keys?

Answer: aws configure

Question: What is the AWS CLI command to list the S3 buckets?

Answer: aws s3 ls

Question: What is the AWS CLI command to list all EC2 running instances and what format is returned?

Answer: aws ec2 describe-instances
Results returned as JSON

Question: What is the AWS CLI command to shut down an Instance ID?

Answer: The Instance ID is returned from the aws ec2 describe-instances command.
aws ec2 terminate-instances --instance-ids {id}

Question: What is the Bash command to list meta-data items from within an EC2 instance?

Answer: curl http://169.254.169.254/latest/meta-data
You can specify specific meta-data by adding to the URL. For example, the public IP address:
curl http://169.254.169.254/latest/meta-data/public-ipv4

Question: When and how can you associate a role with an EC2 instance?

Answer:
Before launch - console and CLI
After launch - only CLI

Question: You set an EC2 instance to have a specific role. When you connect via CLI do you still need to run aws configure?

Answer: Yes, but only for setting the region. You do not set the access keys.

Question: What is considered safer? Access with secret keys, access with Roles or both?

Answer: Access via roles is considered to be safer than with secret keys. They are also considered to be easier to manage.

True or False? When assigning a Role you need to specify the region.

Answer: FALSE. Roles are Global.

True or False? You can add additional policies to already assigned roles.

Answer: TRUE

Question: What is the name for a logical grouping of EC2 instances in a single AZ?

Answer: Placement Group

Question: What is the purpose of creating a Placement Group?

Answer: High network performance with low latency and 10 GB network throughput.

True or False? A Placement Group name is global.

Answer: FALSE. A Placement Group name is not Global, Regional or AZ specific but it must be unique within an AWS Account.

True or False? I can't MERGE Placement Groups but I can MOVE instances into a Placement Group.

Answer: FALSE. You can neither MERGE Placement Groups nor MOVE instances into a Placement Group. One workaround is to create an AMI from an instance and then launch a new instance as part of a Placement Group.

Question: How is EFS fundamentally different from EBS for EC2 instances?

Answer: EFS volumes can grow and shrink automatically with demand and EFS can connect to multiple EC2 instances simultaneously.

Question: What is the file format, scale and connection limit for EFS?

Answer:
Format - NFS4
Scale - Petabyte
Connections - thousands of concurrent connections

Question: What instance types can be used in Placement Groups?

Answer: Types - Compute, GPU, Memory, Storage
AWS recommends homogeneous instance types.

Question: What storage type and consistency is EFS?

Answer: Block storage like EBS.
Read after Write consistency like S3.

True or False? Data is stored across multiple AZs when using EFS.

Answer: TRUE

Question: Describe Lambda.

Answer: Event driven server-less code execution.

Question: What 4 languages are supported by Lambda?

Answer: Lambda supports Node.js, C#, Java, and Python.

Question: How many addresses are supported by IPv4 and IPv6?

Answer:
IPv4 - 4 Billion
IPv6 - 340 Undecillion

Question: What are the parts of an SOA (Start of Authority)?

Answer:
Name of server for the zone
Administrator of the zone
Current Version
TTL (Time to Live)

Question: What is a Route 53 NS?

Answer: The NS (Name Server) is a record pointing to the DNS server.

Question: What is a Route 53 A record?

Answer: The A record is the address record mapping a DNS name to an IP address.

Question: What is a TTL?

Answer: TTL is the Time To Live. In Route 53 it specifies how long to cache the DNS record on the resolving server or local machine.

Question: What is a CNAME?

Answer: The Canonical Name is used to resolve one DNS name to a second domain name. It CANNOT be used for Zone Apex records, unlike ALIAS.

Question: What is an ALIAS record?

Answer: An AWS specific DNS record to map resources to ELBs, CloudFront or S3 buckets. CAN be used for Zone Apex records, unlike CNAME. You are not charged for ALIAS lookups.

Question: What record type should you select for an ELB?

Answer: Use an ALIAS record.

Question: Name the 5 types of Route 53 Routing Policies.

Answer:
Simple - default, single resource used
Weighted - Percentage based for multiple ELBs, select for A/B testing.
Latency - Lowest latency, directed to the Region with the fastest response time
Failover - Active/Passive
Geolocation - route traffic based on geolocation

Question: What is the limit for the number of domains you can manage via Route 53?

Answer: There is no technical limit; however if you wish to manage more than 50 domains you need to call AWS first.

Question: Name the 7 AWS database services.

Answer: RDS (Relational Database Service), DynamoDB (NoSQL), Elasticache (in-memory cache), RedShift (data warehousing), DMS (Database Migration Services), EMR (Elastic Map Reduce), Kinesis (Streaming Data Processing)

Question: Name the 6 types of RDS databases.

Answer: MSSQL, MySQL, Aurora, Postgres, Oracle, Maria

Question: What RDS Database supports mirroring?

Answer: MSSQL

Question: What RDS databases support multi Availability Zones?

Answer: MySQL, Oracle, PostgreSQL, Aurora, Maria

Question: What RDS databases support Read Replicas?

Answer: MySQL, PostgreSQL, Maria

Question: What database service supports both document and key/value data models?

Answer: DynamoDB

Question: Name the Elasticache service that provides an in-memory key/value store.

Answer: Redis

Question: Name the Elasticache service that provides an in-memory object caching service.

Answer: Memcache

Question: Describe the AWS Redshift service.

Answer: OLAP service for large data sets and management reports.

Question: What is the purpose of AWS DMS?

Answer: DMS (Data Migration Service) migrates to a cloud database, including a conversion schema.

Question: What AWS service runs Hadoop clustering for big-data analytics?

Answer: EMR (Elastic Map Reduce)

Question: What AWS service is designed to handle large amounts of data streaming at low cost?

Answer: Kinesis

Question: You create an RDS instance but cannot access it from your EC2 instance. What do you need to do?

Answer: Open port 3306 inbound to your security group.

Question: What are automated backups?

Answer: A full backup plus transaction logs, enabled by default, that allow you to recover your database to any point in time down to the second within a 'retention period'.

Question: What is the possible configuration for the automated backups 'retention period'?

Answer: Between 1 and 35 days.

Question: How are automated backups stored?

Answer: Stored in S3 with free storage up to the size of your DB.

Question: When do automated backups occur?

Answer: You define a window. I/O is suspended, which may cause elevated latency.

Question: What are database snapshots?

Answer: A manual DB backup that survives deletion of the RDS instance.

True or False? When you restore a DB Automated Backup or a DB Snapshot a new instance is created with a new DNS name.

Answer: TRUE

Question: What DBs support Encryption?

Answer: MySQL, Oracle, SQL Server, PostgreSQL, MariaDB

True or False? Encryption at rest is supported at instance creation and as an option to enable on existing DBs.

Answer: FALSE. You cannot enable encryption on an existing DB. You must create a new encrypted RDS instance and migrate data to it.

Question: What service is required to configure RDS encryption?

Answer: KMS - Key Management Service

True or False? Once an RDS instance is encrypted, the automated backups, snapshots, and read replicas are also automatically encrypted.

Answer: TRUE

Question: What is RDS Multi-AZ (Availability Zone)?

Answer: Creates an exact copy of the database in a different AZ. Replication is automatic. If a service interruption occurs AWS will automatically fail over to the standby server using the same connection string.

True or False? Multi-AZ RDS provides a performance improvement.

Answer: FALSE. Multi-AZ is for DR/BC only. Performance improvements come from Read Replicas.

Question: What databases support Read Replicas?

Answer: MySQL, PostgreSQL (same region only), MariaDB

Question: What is an RDS Read Replica?

Answer: A read only copy of the production database for performance reasons (scaling). Updates are asynchronous.

True or False? You must have automatic backups turned on to deploy a Read Replica.

Answer: TRUE

Question: What is the maximum number of Read Replicas?

Answer: 5. You can create a read replica of a read replica but it will create significant latency.

True or False? Read Replicas all share the same DNS end point.

Answer: FALSE. Each Read Replica has its own DNS end point.

Question: Can Read Replicas have Multi-AZ and vice versa?

Answer: No. A Read Replica cannot have Multi-AZ but a Multi-AZ can have a Read Replica.

Question: Can you write to a Read Replica?

Answer: No, but you can promote a Read Replica to its own database; this will break the replication.

Question: You want 'push button' scaling for your database without any down time. What database service supports this capability?

Answer: DynamoDB

Question: Define DynamoDB.

Answer: NoSQL DB service for applications requiring single-digit millisecond latency, fully managed.

Question: How is DynamoDB data stored?

Answer: Stored on SSD drives in 3 distinct data centers.

Question: Describe the 2 DynamoDB consistency models.

Answer:
Eventually Consistent Reads (Default) - Within 1 second, best read performance
Strongly Consistent Reads - reflects all writes prior to returning the read, which is a little slower

Question: Name the 2 types of Redshift nodes.

Answer:
Single Node (160GB)
Multi Node

Question: What is the purpose of a Redshift Leader Node?

Answer: Accept client connections and receive queries.

Question: What is the purpose of a Redshift Compute Node?

Answer: Store data and perform queries. (128 node max)

Question: Describe the Redshift OLAP data structure.

Answer: Columnar, not row based. Data is stored sequentially in columns and only data from the columns needed is pulled, resulting in less I/O required. Automatic compression and does not require indexes.

Question: Define Redshift MPP.

Answer: Massively Parallel Processing - Redshift spreads load across all nodes. Adding nodes increases performance.

Question: How is Redshift encrypted?

Answer:
SSL - In transit
AES-256 - At rest

Question: How is Key Management handled in Redshift?

Answer: Key Management is handled by Redshift by default, or create your own keys through HSM or AWS Key Management Service.

True or False? Redshift supports Multi-AZ.

Answer: FALSE. Redshift is in only 1 AZ. A snapshot can be restored to a new AZ in the event of an outage.

Question:




List the two types of Elasticache.

Answer:




Memcached - protocol compliant object cacheing




Redist - In memory key-value store. Supports Master/Slave replication and multiAZ.

Question:




What service would you select to improve performance of a ready heavy application with infrequent changes?

Answer:




Elasticache

Question:




What service would you select to improve performance of application that is suffering from repeated management OLAP queries?

Answer:




Redshift

Question:




What service would you select to improve performance of a read heavy RDS instance?

Answer:




Read Replicas

Question:




Describe Aurora.

Answer:




MySQL-compatible database with 5x the performance at 1/10th the cost of commercial databases. Combines the high-end availability of commercial databases with the cost effectiveness of open source databases.

True or False:




Aurora data is stored in 1 AZ.

Answer:




FALSE




2 copies are kept in each of 3 AZs.

Question:




What is the maximum number of replicas that can be created for Aurora?

Answer:




Aurora Replicas (15) - failover is automatic




MySQL Read Replicas (5) - failover is manual

True or False:




When adding a rule to an RDS Security Group you must specify the port number.

Answer:




FALSE

True or False?




In a Multi-AZ deployment the secondary database can be used as a read node.

Answer:




FALSE

True or False:




A subnet can span multiple AZs.

Answer:




FALSE




A VPC Subnet cannot span multiple Availability Zones, but NACLs and SGs can.

True or False?




If your connection is slow, adding an additional Internet Gateway to your VPC will increase bandwidth. It will also give you redundancy.

Answer:




FALSE




You can only have one IG per VPC.

True or False?




The default VPC is automatically created for you and all subnets are public having access to the Internet.

Answer:




TRUE

Question:




What is VPC Peering?

Answer:




Connecting multiple VPCs via private IPs so that traffic does not transit the Internet. Can connect to VPCs in other accounts.

True or False?




VPC Peering is transitive, meaning that if A is connected to B and B is connected to C then A is connected to C.

Answer:




FALSE




VPC Peering is in a star configuration.

Question:




List the 5 resources of a VPC.

Answer:




IG, Subnet, NACL, Routes, Security Group

Question:




Name the two types of firewalls and whether each is stateful.

Answer:




Security Groups - Stateful (a rule in implies the matching rule out)




Network Access Control Lists (NACL) - Stateless (Rule in does not automatically create a rule out)

Question:




What three resources are automatically created when you create a VPC?

Answer:




Route Table (Main), NACL (Default), and Security Group (Default)

Question:




How many addresses does AWS reserve by default for a subnet?

Answer:




3 (Not counting 0 & 255)


.1 - VPC Router


.2 - DNS


.3 - Future use




This leaves 251 available.

True or False?




VPC NACLs and Security Groups can cross AZs.

Answer:




TRUE




Network Access Control Lists and Security Groups can span Availability Zones; however, VPC Subnets are restricted to a single Availability Zone.

Question:




Name the 2 types of NAT.

Answer:




NAT Instance - old way, single point of failure, behind the SG in a public subnet




NAT Gateway - scales automatically, no SGs, automatically maintained, in front of the SG in a public subnet

Question:




You add a NAT Instance to your public subnet. You are prompted to enable source/destination check. Should you accept?

Answer:




No

Question:




Your NAT Instance is not able to handle the load. What do you do?

Answer:




Scale up by changing instance size or family.

Question:




How do you add redundancy to a NAT Instance?

Answer:




Create Auto Scaling groups to launch an additional instance in a different AZ, and a script to automate failover.

Question:




After adding a NAT Instance what else must you add?

Answer:




A route from the private subnet to the NAT Instance and a public IP.

Question:




At what level are SGs and NACLs created?

Answer:




SG - Instance Level, stateful, all rules processed, manually applied to an instance




NACL - Subnet, stateless, rules processed in number order, auto applied to all instances in subnet

Question:




When creating a custom NACL is traffic automatically allowed?

Answer:




Custom NACL - denied by default




Default NACL - allowed by default

Question:




Can a NACL be assigned to multiple subnets?


Can a Subnet be assigned to multiple NACLs?

Answer:




A NACL can be assigned to multiple subnets.


A Subnet cannot be assigned to multiple NACLs.




1 Subnet = 1 AZ = 1 NACL

Question:




You create a custom NACL and add inbound and outbound rules but it still will not pass traffic. What else do you need to add?

Answer:




Ephemeral Ports (1024-65535)

Question:




You want to block a specific IP address. Should you use NACL, SG, or both?

Answer:




Only NACL supports specifying a specific IP.

Question:




How do you create a high availability Bastion host?

Answer:




2+ Bastion hosts in 2+ public subnets in an Auto Scaling group with a minimum of 1, so that if one goes down Auto Scaling will deploy a second in a different public subnet.

Question:




What needs to be done to create a VPC Flow Log?

Answer:




Create a flow log from the VPC, create a Role, and select a CloudWatch log group to receive the flow log.

Question:




How do you log all traffic within a VPC?

Answer:




Enable flow logs.

True or False?




VPCs can span multiple AZs and Regions.

Answer:




FALSE. VPCs cannot span Regions.

Question:




What happens if you do not specify a NACL for a subnet?

Answer:




The subnet is automatically associated with the default NACL.

Question:




How many subnets are needed for a resilient architecture?

Answer:




2-Public, 1-Private


ELB must be pointed to the two public subnets (AZs)

Question:




How do you make Bastion hosts resilient?

Answer:




Put them behind an Auto Scaling group with a minimum of 2 and use Route 53 to fail over.

Question:




How do you make a NAT Instance resilient?

Answer:




1 NAT Instance in each public subnet, each with a public IP, and a custom script to fail over between the two.

Question:




How many VPC's are allowed in each Region?

Answer:




5

Question:




What is the maximum size and format of messages in SQS?

Answer:




SQS (Simple Queue Service) messages can contain up to 256 KB of text in any format.

Question:




Which service should you use if the producer is producing faster than the consumer or if either is only intermittently connected?

Answer:




SQS (Simple Queue Service) can be used to handle auto-scaling or failover.

True or False?




SQS ensures FIFO sequencing.

Answer:




FALSE




SQS is engineered for 'at least once' reliable delivery but does not guarantee FIFO. You must add your own sequencing if required.

Question:




Which direction does SQS operate?

Answer:




SQS is pull-based: consumers poll for messages, and SQS never pushes them.

Question:




How long is the SQS 'visibility timeout'?

Answer:




30 seconds by default and 12 hours maximum before the message becomes visible to be received again.

Question:




SQS is designed for delivery 'at least once'. What does this imply for application coding?

Answer:




You should assume you will get the message at least once but might get it multiple times. Therefore, code so that processing the same message repeatedly will not cause any errors (make processing idempotent).

Question:




What is the charge for SQS?



Answer:




First 1 million requests are free; $0.50 per 1 million requests thereafter. A request can contain 1-10 messages up to a maximum payload of 256 KB. Billed in 64 KB chunks, so a single request of 256 KB is billed as 4 requests.

Question:




What is the retention period comparing SQS to SWF?

Answer:




SQS - 14 days


SWF - 1 year

Question:




Describe the differences in orientation of the API's of SQS vs SWF.

Answer:




SQS is message based.


SWF is task based.

Question:




Describe the differences in item duplication of SQS vs SWF.

Answer:




SQS - 'at least once', may be duplicated


SWF - only once, never duplicated

Question:




Describe the differences in event tracking in SQS vs SWF.

Answer:




SQS - track your own events


SWF - tracks tasks and events for you

Question:




List the 3 Actors in SWF.

Answer:




Starters


Deciders


Workers

Question:




Describe the difference between SQS and SNS for message delivery.

Answer:




SQS - polling


SNS - push

Question:




Describe the API Gateway.

Answer:




Fully managed service to publish, maintain, monitor and secure API at any scale.

Question:




What do you do if you receive an error "Origin policy cannot be read at the remote resource"?

Answer:




Enable CORS (Cross Origin Resource Sharing) on the API Gateway.

Question:




How can you improve performance with API Gateway?

Answer:




Enable Caching.

Question:




How can you prevent misuse of your API with the API Gateway?

Answer:




Enable throttling.

Question:




How do you configure scaling for the API Gateway?

Answer:




It is automatic, no configuration needed.

Question:




How can you create prioritization with SQS?

Answer:




Set up multiple queues.

Question:




Name the types of SNS Subscribers.

Answer:


HTTP, HTTPS, Email, Email-JSON, SMS, SQS, Application, Lambda

Question:




What is a SWF domain?

Answer:




Collection of related workflows.

Question:




What is streaming data?

Answer:




Continuously generated small chunks of data sent by thousands of simultaneous sources.

Question:




Identify the 3 types of Kinesis services.

Answer:




Streams - multiple shards for capacity (data retained 1 day to 1 week)




Firehose - delivery to S3, with optional analysis




Analytics - SQL queries across Streams and Firehose

EC2

01. Compute




(elastic compute cloud) - virtual server

EC2 Container Service

01. Compute




(EC2 container service) - Docker on a cluster

Elastic Beanstalk

01. Compute




AWS for beginners. Developers upload code and AWS provisions the resources to run it. Many programming languages supported, including PHP, Python, Java, etc…

VPC

04. Networking & Content Delivery




(virtual private cloud) - think of as your virtual datacenter

Direct Connect

04. Networking & Content Delivery




connect to AWS without using the Internet, over dark fiber

Route 53

04. Networking & Content Delivery




AWS DNS

Lambda

01. Compute




revolutionary and POWERFUL. Serverless service to run code without provisioning resources. Minimizes cost.

S3

02. Storage




(simple storage service) - Object based storage for flat files. Cannot run databases or OSes on object storage.

CloudFront

04. Networking & Content Delivery




Content Delivery Network (CDN). Edge locations.

Elastic File System

02. Storage




block level NAS

Glacier

02. Storage




archive and backup; ≥ 4 hours to restore

Snowball

05. Migration




suitcase-sized device to transfer large amounts of data into/out of AWS