AWS Solutions Architect Associate Flashcards - Quizlet

9/29/23, 12:33 AM AWS Solutions Architect Associate Flashcards | Quizlet
AWS Solutions Architect Associate

9 studiers in 3 days 3.4 (5 reviews)
Terms in this set (686)
Individual parts up the infrastructure have no knowledge of how the

What is loosely coupled architecture?
other parts work. Communicate through well-defined services.
At any given time, the system server does not know the status of the
What is a stateless system? clients communicating with it. Output of the system depends solely on
the inputs.
a system of hardware and software that stores user data in many

What is a Content Delivery Network
different geographical locations and makes those data available on
(CDN)?
demand
Processing method whereby each policy must be read and applied

What is synchronous processing?
completely before the next policy can be invoked.
Method of processing multiple scripts at the same time without waiting

What is asynchronous processing?
for the outcome of a previously launched script to occur.
updates will propagate through system; eventually all data copies will
What is eventual consistency?
be consistent
A special type of firewall that looks more deeply into packets that carry
What is a web application firewall (WAF)?
HTTP traffic.
Add to a class or folder
What is the OSI (Open Systems Application, Presentation, Session, Transport,

Print Network, Data Link,
Interconnect) Model? Physical
Combine
Embed
A data table stored in a router that lists the routes to particular network
What is a routing table?
destinations
Report
Enables a load balancer to lock a user down to a specific web server

What are sticky sessions?
(instance) for the session.
Dubbed the "protocol of the Internet," this path-vector routing

What is BGP (Border Gateway Protocol)? protocol is the only current EGP and is capable of considering many
factors in its routing metrics.
Image baseline with an operating system and applications along with

any custom configuration. ID is a region-based value, even for
What is an Amazon Machine Image (AMI)?
standard images; custom images must be copied to other region
before it can be used.
https://quizlet.com/471719460/aws-solutions-architect-associate-flash-cards/ 1/53
What is an EC2 instance type? Defines size of instance based on different parameters.
What are ECU's? EC2 compute units for an instance
General Purpose
Compute Optimized
What are the available EC2 Instance Type
Accelerated Computing
Families?
Memory optimized
Storage optimized
What is the general purpose EC2 instance instances with a balance of compute, memory and networking
family? resources, and can be used for a variety of diverse workloads.
What is the compute optimized EC2 instances ideal for compute bound applications that benefit from high
instance family? performance processors. batch, media transcoding, HPC
What is the memory optimized EC2 instances designed to deliver fast performance for workloads that
instance family? process large data sets in memory. Enterprise apps like SharePoint
instances that use hardware accelerators, or co-processors, to perform

What is the accelerated computing EC2
functions, such as floating point number calculations, graphics
instance family?
processing, or data pattern matching
What is the storage optimized EC2 instance instances designed for workloads that require high, sequential read
family? and write access to very large data sets on local storage
1. On-demand
2. Reserved
What are the EC2 instance purchase
3. Scheduled
options?
4. Spot
5. On-demand capacity reservations
The default EC2 instance launched anytime. Can be used as long as

What is an EC2 on-demand instance? needed. Flat rate based on instance type. Paid by second. Ideal for
short-term uses.
EC2 instance purchased for set period time (1-3 year) for discount. Paid
What is an EC2 reserved instance? all upfront (largest discount), partial upfront, no upfront. Long term
predictable workloads.
EC2 instance paid on recurring scheduled, daily, weekly, or monthly.

What is an EC2 scheduled instance?
Charged whether used or not.
EC2 instance bid for unused compute resources. Not guaranteed for
What is an EC2 spot Instance? fixed period of time. Good for batch jobs, background processing.
Instances can be terminated.
What are on-demand capacity Reserve capacity based on instance type, platform, tenancy, and AZ.
AWS Solutions Architect Associate Can be combined with reserved instance discount.
reservations?
What is EC2 shared tenancy? Where underlying host is shared by multiple customers.
When instances are hosted on hardware no other customer can

What is EC2 dedicated tenancy?
access; but may run other AWS services used by your account.
EC2 hosting model offering additional visibility and control of the

What is EC2 dedicated hosts?
physical host; allow reuse of existing licenses.
What is EC2 user data? Performs functions or runs scripts upon first boot of EC2 instance.
What are EC2 key pairs? Public and private key pair allowing connection to an EC2 instance(s)
If failed, likely underlying host issue. Loss of power, network, etc. AWS
What is the EC2 system status check? components. Stop/restart instance to go to new physical host. Do NOT
reboot.
Checks the health of the individual EC2 instance. Incorrect network

What is the EC2 instance status check?
config, incompatible kernel, etc.
a highly scalable, high performance container management service

What is the EC2 Container Service (ECS)? that supports Docker containers and allows you to easily run
applications on a managed cluster of Amazon EC2 instances
Engine used to enable ECS to run containers without having to

What is AWS Fargate?
manage instances and clusters.
Fargate Launch
What are the available ECS launch options?
EC2 Launch
ECS launch option giving control over:

* cpu and memory
What is ECS Fargate Launch?
* network and IAM policies
* packaged container
ECS launch option giving control over:

* EC2 instance type
What is ECS EC2 Launch?
* All patching and scaling of instances
* How many containers should be in a cluster
Clusters only scale in single region but multiple AZs. Clusters are
How is ECS scaled?
dynamically scalable.
What is Amazon Elastic Container Registry Provides secure location to store and deploy docker images, ties
(ECR)? closely to ECS.

Registry
Repository Policies
What are ECR components? Authorization Token
Repository
Image
What is the ECR registry? stores docker images in ECR
What are ECR repository policies? ECS resource-based policies
What are ECR authorization tokens? Translates docker AWS token into a docker login command
What are ECR repositories? store docker image objects and can have multiple per registry
What is the Elastic Container Service for Managed service for the Kubernetes control plane or management
Kubernetes (EKS)? infrastructure. Customer provisions and maintains the worker nodes
an open source system for automating deployment, scaling, and

What is Kubernetes? management of containerized applications. container-runtime
agnostic.
1. Create EKS service role (can be shared)

2. Create EKS cluster VPC (CloudFormation STack)
3. Install kubectl and AWS-IAM-Authenticator
What are the steps to deploying an EKS
4. Create EKS cluster
cluster?
5. Configure kubctl to EKS
6. Provision and configure worker nodes (CloudFormation)
7. Configure worker nodes to join EKS cluster
* Upload code with environment configurations

* auto provisions AWS resources for the web application such as
What is AWS Elastic Beanstalk? EC2,S3,Auto Scaling) to support web app.
* Some control still given to customer for resources that are deployed.
* Service is free, just charged for deployed resources.
Serverless compute service to run code without having to manage

What is AWS Lambda?
EC2 instances
- Execution duration per 100ms of use only when code is running

What are the charges for Lambda? - number of times code runs (first million free)
- MB of RAM reserved
What is AWS Batch? Manage and run batch computing in AWS.
Specialist use cases which require vast amounts of compute power

What is batch computing? across a cluster of compute resources to complete batch processing
executing a series of tasks.

Easiest way to launch and manage a virtual private server with AWS.
What is Amazon Lightsail? Include: virtual machine, SSD based storage, data transfer, DNS
management, and static IP address.
Daemon that must be running on your container instances so that they

What is the Amazon ECS container agent?
can register into an Amazon ECS cluster
Defines:
What are ECR repository policies? * User access to the ECR repository
* User actions within the ECR repository
What is the benefit to Lambda functions To rapidly launch and scale as many as needed
being stateless?
Are ECS clusters zone or region specific? Regional part of ECS
Amazon EC2 instance with a configuration that Amazon may not

What is a shared AMI? provide itself, but which another developer has created for a specific
purpose.
EC2 purchase option below allows customers to select and control a

What is a dedicated host instance? specific, physical server within an AWS data center servers solely for
their use?
What are AWS Lambda downstream AWS tools and/or entities required for a function to execute its code
resources?
You want to receive alerts when your containers, managed with

What is AWS CloudWatch? Amazon ECS, need to scale up or down. Which tool is most
appropriate for this task?
What is the relationship between ECR An ECR registry contains multiple repositories, which contain multiple
components? Docker images.
An AWS service that integrates with Lambda to send data to your

What is a Lambda function event source? function. Lambda can monitor some services while others can invoke
Lambda.
Where the following options are visible:

1. Family
What is the EC2 instance type selection 2. Instance type
screen? 3. Storage type
4. vCPUs
5. Memory
What is an EC2 instance? An EC2 virtual computing environment
* discounts for high volume service usage

What are two ways to reduce AWS pricing?
AWS Solutions Architect Associate * reserved instances
If you determine that the resources on a EBS Volume

launched Amazon EC2 instance are
insufficient to handle the workload of an
application, you can resize the instance
without performing any migration as long as
your root device is a(n) ____________.
An Amazon EC2 instance store providing temporary block-level

What is EC2 ephemeral storage?
storage for your instance ideal for non-persistent data.
What is an EC2 cluster placement group? Designed for law latency, high network throughput within single AZ.
Designed to keep MULTIPLE EC2 instance groups on separate

What is an EC2 partition placement group?
hosts/racks. Can span AZs.
Designed to keep SINGLE EC2 instances on separate hosts/racks from

What is an EC2 spread placement group?
other EC2 instance. Can span AZs.
There must be sufficient capacity to restart these, otherwise it mail fail.

Try again later.
What are some limitations to EC2 Unique names per Account

placement groups?
Instance types must be the same
No medium, nano, or micro
Allows patching, reporting, compliance of large groups of EC2

instances. Built-in scripted commands. Can also work with on-prem
What is AWS systems manager? instances.
No additional cost!
Templates are on S3. Storage is ephemeral, so data is deleted during

What are instance store-backed AMIs?
termination.
EC2 instances limited to:

What are the operations supported for
* terminate
instance store-backed EC2 instances?
* restart (preserves data)
How can an EBS volume be attached to a unmount in OS, detach, attach to new instance
different instance?
1. Dedicated instances
What are the 3 tenancy options for EC2
2. Shared tenancy
instances?
3. Dedicated hosts
What are the offering classes for reserved * Standard: Can only be modified (best savings)
instances? * Convertible: Can be exchanged for different instance
By the second (1 minute billing unit) or hourly for however long the
instance is run. price set per instance type.
How is on demand priced?

If hourly charged for full hour
Transition from stopped to started charges full hour
How do spot instances work with Create launch configuration with bid price
Autoscaling? If market price goes above bid, instances terminated
If you over-purchase reserved instances, Sell on Amazon Marketplace

how can you minimize the loss?
Are you charged for a stopped EC2 No

instance?
Manage the control and flow of inbound requests to a group of targets

What is Elastic Load Balancer (ELB)?
distributing them evenly
EC2 Instances
Containers
What are some common ELB targets?
Lambda functions
Can be across different AZs
Benefits of AWS ELB? It auto scales and is HA
Application
What are the ELB types? Network
Classic
Operates at request level

What is the Application Load Balancer
For HTTP or HTTPS
(ALB)?
Advanced routing and TLS termination
Ultra-high performance and static IP addresses for your application.

Operating at the connection level
What is the Network Load Balancer (NLB)?
Capable of handling millions of requests per second while maintaining
ultra-low latencies.
What is the Classic Load Balancer? For legacy EC2, operates at both request and connection level
Listener
Target Group
What are the ELB components?
Rules
Health Checks
- At least 1 required
What is the ELB Listener? - Listens on a port
AWS Solutions Architect Associate - Uses conditions to route traffic to resources

Resources to route traffic to and associated with listener configuration

What is the ELB Target Group?
and associated rules
Associated to listener and help define how an incoming request gets

What are ELB rules?
routed to which target group. Really just a set of conditions.
What are ELB health checks? Sets target as healthy or not based on checks.
Has both Internet IP and local IP. Uses local IP to communicate to

What is an Internet-Facing ELB?
resources.
What is an Internal ELB? ELB with local IP only
Required to define AZs that ELB will operate in and one will be placed
What are ELB nodes?
in each AZ.
Gives the ability to truly have the ELB evenly distribute requests evenly
across the targets when one AZ may have fewer resources than
What is Cross-zone load balancing?
another so that load is not disproportionate on resources in smaller
AZ.
Provision, manage, and deploy Secure

what is the AWS Certificate Manager Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use
(ACM)? with AWS services including ELB. Can upload own or use ACM to
create.
What is the OSI layer where the ALB Layer 7 (HTTP, FTP, NFS)
operates?
For purely application architectures, which Application Load Balancer

ELB should you use?
At which OSI layer does the Network Load Layer 4 (TCP/TLS/UDP)

Balancer operate?
If an application requires a static IP address The Network Load Balancer

or to preserve source IP, which ELB should
you use?
How long are TCP connections kept with Duration of the request
the NLB?
What are the protocols the classic load This load balancer supports TCP, SSL/TLS, HTTP(S)
balancer supports?
What are the use-cases for the classic load When you have instances running in the EC2-classic network
balancer?

Allows you to dynamically increase and decrease the number of EC2

What is EC2 auto scaling? instances in response to demand based on metrics (CPU, .response
times, memory usage)
This service provides the following benefits:
What are the advantages of EC2 auto

* Automation
scaling?
* Customer satisfaction (performance issues)
* Cost reduction (only pay for demand)
This service has the following components:
What are the components of auto scaling. 1. Launch Configuration or Launch Template
2. Group
3. Scaling Options
AMI
Instance type
Spot instances or not
What are the options provided by an auto
Public IPs
scaling launch template/configuration?
User Data
Storage Volume configuration
Security Groups
What is the difference between a template Templates is newer and more advanced
and a launch configuration? Config can be shared
What is the relationship between ELBs and * ASGs are associated to ELB's target group
Auto Scaling groups? * ELB detects the instances and starts to distribute traffic.
Accessible within an instance and can provide details about the

What is EC2 instance metadata?
instance from the cli.
* data stored in chunks known as blocks

What is block storage (generically)? * blocks stored in volume attached to single instance
* very low latency
* data stored as files within directories

What is file storage (generically)? * data stored in file system
* shared access for multiple users
- objects stored in flat address namespace

What is object storage (generically)? - objects referenced by unique key
- object can have associated metadata to help categorize and identify

* managed object storage

* highly available and durable
What is S3 (simple storage service)? * unlimited storage capacity
* highly scalable
* largest file size = 5 TB
Is S3 region or zone based? Region
What is durability? That the data exists and not lost though maybe not accessible
What is availability? That data or service is accessible when needed
How does S3 make data available and When adding data to S3 in a region it is replicated to multiple AZs
durable?
99.99% (standard)
What is the availability of the different S3
99.9% (stanard-IA)
tiers?
99.5% (one zone-IA)
What is the durability of all S3 tiers? 11 9s, 99.9999999%
Where objects are stored

What is an S3 bucket? Must be globally unique
Data can be uploaded into folders within
Where do S3 features operate? At the bucket level, not folder level (object storage)
* Standard
* IA (infrequent access)
* Intelligent Tiering
What are the 6 S3 storage classes/tiers?
* One Zone - IA (formerly reduced redundancy)
* Glacier
* Glacier Deep Archive (12 hr retrieval)Does sqa
What is the S3 storage class designed for S3 standard for this type of access
frequent access?
Standard-IA
Which S3 storage classes are for infrequent
One zone-IA
access?
Glacier
retrieval free (per GB)

What are the differences for S3 infrequent long lived data
access? secondary backups
One zone IA has lower availability (99.5%)

- data accessed > 30 days moved to IA tier

- good for unpredictable access patterns
How does S3 intelligent tiering work?
- no retrieval costs, but small monthly cost for monitoring and objects
> 128 KB
- control access to data in bucket

What are S3 bucket policies?
- very granular down to time for access, IPs, etc
- control access user users outside own AWS account

What are S3 Access Control Lists? - not as granular as bucket policies
- broad permissions such as `list objects`, `write objects`
- SSE-S3 (S3 managed keys)

- SSE-KMS (KMS managed keys)
What are the S3 encryption options? - SSE-C (customer managed keys)
- CSE-KMS (KMS managed client side encryption)
- CSE-C (Customer managed client side encryption)
Is S3 versioning enabled by default? No
Can S3 versioning be disabled after it is No

enabled?
Is there an added cost for versioning? Yes, charged for each version of the object
* Data backup
Common S3 use-cases * Static content and websites (via url or CloudFront)
* Large data sets (scientific, computational) b/c horizontal scaling
* Requests (per 10K)

AWS additional costs
* Data transfer (in free, out costs)
- data archive for longer-term

- dynamic and fast changing data
S3 anti-patterns
- when a file system required
- structured data with queries
- very low cost, longer term, durable storage (cold) for long term
What is Glacier? backup and archival
- does not provide instant access to data (several hours)
What is the durability of Glacier? 11 9s
What is a glacier vault? A regional container for glacier archives
* any object saved as an archive

What is a glacier archive?
* unlimited archives per vault

* dashboard only allows for creation of vaults

Glacier access / retrieval
* other access must be done via APIs or AWS SDKs
- access to subset of an archive (< 250 MB)

Glacier retrieval methods (expedited) - $0.03 per GB and $0.01 per request
- available 1-5 minutes
- retrieve any data

Glacier retrieval methods (standard) - 3-5 hour availability
- $0.01 per GB and $0.05 per 1000 requests
* used to retrieve petabytes

Glacier retrieval methods (bulk) * data within 5-12 hours
* $0.0025 per GB and $0.025 per 1000 requests
How is glacier data encrypted? AES-256 by default and controlled by AWS
* Vault access policies - resource based

* Vault lock policies
How is Glacier secured? * Vault can have only 1 access policy
* Vault lock policies cannot be changed once set, helps with
compliance
* Single cost regardless of amount

Glacier pricing * Transfer in is free
* Price varies between regions
* ephemeral storage for EC2 instances local to EC2 host

* temporary data (no critical data)
What is EC2 Instance Storage?
* stopped / terminated instances delete data
* rebooted instances maintain data
* Free
Benefits of EC2 instance storage? * Very high I/O speed
* cache or buffer
* persistent and durable block-level storage for EC2 instances

* primarily for rapidly changing data
* used to retain data including PII
* operates as separate service to EC2
What is Elastic Block Storage (EBS)?
* act as network attached storage devices
* a single volume can only be attached to a single EC2
* an EC2 can be attached to multiple volumes
* can have backup snapshots and encryption.
* Point in time copies of EBS volumes

* Can be manual or scheduled
What are EBS snapshots?
* New volumes can be created from existing snapshots
* Snapshots can be copied to other Regions
General purpose SSD (gp2) - single digit millisecond latency, burst of

3000 IOPs
What are the EBS SSD volume types and
API names? Provisioned IOPS (io1) - predicable performance for high I/O
workloads. IOPS rate specified when creating volume, 4 - 16TB in size.
20K IOPS max
Cold HDD (sc1) - Lowest cost, large workloads accessed infrequently,

high throughput capabilities, no boot volumes
What are the EBS HDD volume types and
API names?
Throughput optimized HDD (st1) - Frequently accessed data, large
datasets with high throughput (log processing), no boot volumes
- At rest and in-transit

- Managed by EBS using KMS
How is encryption done in EBS?
-AES-256
- Only available on select instance types
What EC2 instances can an EBS volume be Only those in the same AZ
attached to?
* per seconds of usage, at per GB per month rate

How are EBS volumes billed?
* charged for size of volume regardless of usage
* temporary storage
What are EBS anti-patterns? * multi-instance storage
* very high durability and availability
* file level storage

* highly available and durable
* concurrent access by 1000s of instances
What is the AWS elastic filesystem (EFS)
* ability to create shared filesystems
* highly scalable
* limitless storage
- EFS is a regional service and exists in a VPC

- mount targets are created in AZs with EC2 instances
How is EFS made available to EC2 instances
- NFS v4 and 4.1 supported (no Windows)
in multiple AZs?
- NFS client required on OS
- SGs used to control access
What performance configurations are * General purpose - lowest latency, most cases, 7000 ops per second
available for EFS? * Max I/O - concurrent access of 1000s of instances
What encryption methods are available to * Encryption at rest

EFS? * Encryption in transit over TLS
How can data from on-prem or EC2 be EFS FileSync feature using an agent
moved into EFS?
- no charges for data transfer

EFS pricing - no charges for requests
- charged for consumption per GB-months
* Data archive
What are EFS anti-patterns? * Relational databases
* Temporary storage
- Content Delivery Network (CDN)

- Distributes data requested through web sites closer to end user via
What is AWS Cloud Front?
edge locations
- Cached data, not durable
* Sites deployed in highly populated areas around globe

What are AWS Edge Locations? * Not used for infrastructure (EBS, EC2)
* Used for cached data from services like Cloud Front
* for streaming via RTMP protocol

What is a Cloud Front RTMP distribution?
* only S3 buckets as source
- specify origin location

How are Cloud Front distributions - specify specific cache behaviors
configured? - define which edge locations
- association to AWS WAF
- on-premise software appliance integrating local storage to AWS

What is the AWS storage gateway?
- file, volume (cached or stored) and tape gateway
What are the file gateway features? - flat files, stored directly in S3
- entire dataset is stored on site and is asynchronously backed up to S3

- backups are stored as EBS snapshots
What are the stored volume gateway
features
- entire dataset is stored on S3 and the most frequently accessed data

is cached on site
What are the cached volume gateway
features?
Spin up instances from AMI and create volumes from the EBS
Stored volume or cached volume use case
snapshots from on-prem
* storage gateway acting as VTL

What is a Gateway Virtual Tape Library?
AWS Solutions Architect Associate * virtual tapes backed by S3
1. Storage
Storage gateway pricing 2. Requests ($0.01 per GB written, max $125/month)
3. Data transfer
* Physical appliance sent by Amazon

* Securely transfer large amounts of data in/out of AWS.
* RJ45 and SFP interfaces
What is AWS Snowball?
* All data encrypted with KMS key
* End-to-end tracking
* HIPAA compliant
When to use snowball? When data retrieval will take more than a week or for compliance
* shipping costs
Snowball pricing
* each data transfer job
What is an inappropriate use case for critical data

Amazon EC2 instance store volumes?
What is a "Key" for an Amazon S3 object? A unique identifier for an object in a bucket
In Amazon CloudFront, when using a Sent to your origin servers running within or outside of AWS.
network of edge locations around the
world, requests for your dynamic content
are ___________.
Use _______ if low storage cost is paramount, Amazon Glacier

your data is rarely retrieved, and data
retrieval times of several hours are
acceptable.
EBS automatically encrypts volumes restored from encrypted

How is EBS encryption handled with
snapshots.
snapshots?
EBS automatically encrypts snapshots of encrypted volumes.
In AWS Storage Gateway, using a tape S3 and Glacier

gateway's virtual tape library (VTL), you can
cost-effectively and durably archive backup
data in_______________.
You have decided to use AWS Storage Stored volume gateway

Gateway, but want all data within the
gateway to be retrievable to on-premise
employees with minimal latency. Which type
of storage gateway would best suit you?
Which network connections are used by both RJ45 and SFP+ with either a fiber or copper interface
AWS Snowball to minimize data transfer
times?
A(n) ________________ is temporary disk storage Instance store volume

and is deleted when your host instance is
stopped or terminated.
A user has launched a dedicated EBS- The volume will be created in the same AZ, exists outside of the tenant
backed instance. You are curious where the hardware
EBS volume for this instance will be created.
Which statement is correct about the EBS
volume's creation?
A user has moved an object to Glacier using * The user can change the duration of the restore
the S3 object lifecycle rules. The user * You are billed for both the Glacier and S3 objects
requests to restore the archive after 6 * The restored object's storage class remain Glacier
months. When the restore request is
completed, the user accesses the restored
object. What is true about the restored
object?
What are some differences between S3 - Bucket policies can only control access to S3 buckets (objects inherit)
bucket policies and IAM policies? - Bucket policies have principal element (implicit on IAM)
What does the Server-side encryption Server-side encryption protects data at rest using Amazon S3-
provide in Amazon S3? managed encryption keys (SSE-S3).
- A mount target must be placed within a VPC to communicate with

How must an Amazon EFS mount target be EC2 instances in that VPC,
configured within your AWS infrastructure? - Recommended you create a mount target within each availability
zone (AZ) within a VPC
Which AWS service focuses on distributing Amazon cloud front

content rather than simply storing it?
In Amazon Elastic File System (EFS), which Max I/O mode

of the following performance modes is
ideal for applications where tens, hundreds,
or thousands of Elastic Compute Cloud
(EC2) instances access a file system?
By default, who owns the right to create an The bucket owner (account)
object in a bucket?
Which of the following methods is used to * S3 API

move data to and from Amazon S3 to your * CLI
instances? * PowerShell Tools

If you determine that the resources on a EBS Volume

launched Amazon EC2 instance are
insufficient to handle the workload of an
application, you can resize the instance
without performing any migration as long as
your root device is a(n) ____________.
1 Key (file name)

2 Data
What are the 5 main components of an S3
3 Metadata
object?
4 Version ID
5 Subresources (ACLs, Torrents)
What is the availability of S3 infrequent 99.9%

access?
* compliance of keeping data a specific distance from source

What are some use-cases for S3 Cross
* ensuring low latency to on-prem data centers
Replication (CRR)?
* DR protection
What is a good way to increase upload Enable multipart upload

speeds to S3?
- Object size is unknown

When should multipart upload be used? - Object size > 5GB (required, 5GB is largest put size)
- Objects > 100 MB
What are the main factors making S3 * unlimited number of files in a bucket
extremely scalable? * asynchronous replication to all AZs in a region
What features of S3 allow auditing of * S3 event notifications

bucket actions but must be specifically * S3 access logs
enabled?
- create a CMK in one account and grant other accounts user role
How can encrypted snapshots and AMIs be
- customer encryption key sallow the sharing of AMIs with encrypted
shared across AWS accounts?
volumes
If a user in Account A is trying to access AWS will check policies in Account A (parent account) ensuring the
resources in Account B, what is the first step user has permission.
in validating this is allowed?
1. Turn on log delivery by adding logging configuration (source)

What steps are required to enable access
2. Grant S3 Log Delivery group write permission on the bucket where
logging on a bucket?
logs will be saved (target)
What tool can be used to select the Storage Class Analysis Tool
appropriate S3 storage tier?

What is transfer acceleration? Uses edge locations to give closer upload location. Uses unique URL.
Allows transition of data to infrequent access storage or Glacier from

What are lifecycle rules in S3?
or expire data.. Works in conjunction with versions.
Introduce randomness in key name prefixes to distribute data across

How can mixed request types with high IO
more than one partition. E.g. a 3-4 key hexadecimal hash. E.g. 4 chars
be optimized in S3?
of MD5 hash of keyname + timestamp key name
What are advantages of S3 for a global - Scale to handle any load

website that requires scale? - Integrated with CloudFront to deliver content globally
You have a large number of objects stored CloudFront

on Amazon S3 and you noticed that the
majority of the workload consists of GET
requests.Which service is recommended by
AWS to use for performance optimization?
Which S3 and Glacier options charge per * Glacier

GB retrieval fees? * S3 standard-infrequent access
Does the cost of using a cloud database Yes

include licensing?
What are the two families of databases Relational and Non-relational

offered?
Structured data commonly supporting SQL operations.

Use a schema to define tables
What are relational databases? Maintains relationships between tables based on keys
Views and SPs abstract complex relationships
More complex and larger footprint
OLTP solution supporting
- SQL
- MySQL
- PostreSQL
What is AWS RDS?
- Oracle
- Aurora
- MariaDB
AWS is responsible for patching database and OS. It is NOT serverless.
Simple tabular structure

No schema required
What is a non-relational database? Fast and secure focus
Generally lack processing engine, so lighter in design
Scale faster
Relational uses persistent network connections

What are some differences in working with Non uses RESTful approach
a non-relational database? Non can be queried with key conditions and expression attributes
Every table must have a primary key
Which database type is good for storing Non-relational

non-structure data (e.g. images)
How are joins and relationships generally In application code

handled for non-relational datbases?
What non-relational databases are DynamoDB

provided by AWS? Amazon Elasticache
Cloud-native object and document object store

What is DynamoDB?
High volumes of records and transactions
* A cache service running either Redis or Memcache.d cache engines

What is Elasticache? * Caches read requests between user-facing app front-end and
service/application/database
What are the differences between Redis * Redis has more features (multi-AZ, backup/restore)
and memcache.d * Memcache.d is simple (large nodes, quick scaling)
* Graph database for storing relationships and querying a graph

What is Amazon Neptune? quickly.
* Knowledge graphs, network security, recommendation engines
* Scale components (memory, CPU, IOPs, etc)

* Auto-backup and patching
What are the benefits of RDS?
* High availability within a region
* Automatic failure detection and recovery
How can RDS for MySQL be customized? Via parameter groups
Can storage for MySQL be scaled in real Yes, without outage

time?
How is PIT recovery done with Microsoft Via transaction log backups
SQL
What MS SQL availability feature is not Always on

supported by RDS?
What are the licensing models for RDS for * BYO - bring your own
Oracle? * Standard Editions and Enterprise Editions
What is MariaDB? Community fork of MySQL

What is PostreSQL? * Well suited for compliance (HIPAA, PHI, FedRAMP)
Which Amazon RDS database engine offers Microsoft SQL Server

high availability with server mirroring (as
opposed to Multi-AZ)?
* Amazon fork of MySQL or PostgreSQL

What is Amazon Aurora?
* Cloud native and high performance
A cache is generally designed to reduce the workload for an application.

____________________.
Which Amazon RDS database engine offers Aurora

multi-AZ deployments by default?
Amazon RDS makes it possible to scale Your can increase or decrease specific database configurations
components of the service. What does this independently.
mean?
What AWS database service offers a non- Amazon Neptune

relational database optimized for storing
and navigating billions of relationships with
millisecond query latency?
1. synchronous replication
What are the main benefits of a multi-AZ
2.failover
RDS deployment?
3. high availability
What is the RDS performance feature? read replicas
What is the best way to ensure RDS write Select a DB instance class optimized for Provisioned IOPS
performance?
How may copies of DynamoDb data are Data is replicated between 3 AZs
kept?
strings
binary
boolean
What are the data types in DynamoDB
number
plus sets, lists, maps containing those types
What is a composite key in DynamoDb? The combination of the partition key and the sort key.
How is throughput capacity configured for Read capacity units

DynamoDb? Write capacity units

What happens if you exceed capacity units limited burst capacity and then throughput throttled
in DynamoDb?
* A query searches on a single partition key, can be limited to a range

of sort keys, and filtered on any attribute
What is a scan vs a query in DynamoDb?
* A scan searches across all partition keys, can be filtered on any
attribute (lots of read capacity units)
* Creates an index table (taking up space) with the partition key and
indexed attribute
What are secondary indexes in * Requires read and write capacity units
DynamoDB? * Additional attributes / sort keys can be specified
* Basically like creating additional tables, but AWS auto updates them
based on main table
What is the most common use-case for Read caching to increase database and web application performance
ElastiCache?
every time you create, update or delete records from the table,
What are DynamoDB streams? DynamoDB will write a new stream record containing the
corresponding record data
OLAP is abbreviation of Online Analytical Processing and is for

What is OLAP?
evaluating multidimensional data.
Which RDS offering supports data Redshift

warehousing requirements (OLAP)?
Which RDS offering does not support read SQL Server

replicas?
Serverless interactive query service using standard SQL and executes

What is Amazon Athena? queries in parallel. Can be used against S3 buckets. Queried results
can be stored in S3.
Managed service of scalable EC2 cluster to process and run big data
What is Elastic Map Reduce (EMR)?
frameworks.
* supports read replicas (15)

What makes Aurora a good optimized * fastest asynchronous replication
solution? * no data loss on failover
* automated failover
A web service that records AWS Application Program Interface (API)

What is AWS CloudTrail?
calls for your account and delivers log files to you.
1. AWS Service Health Dashboard

What are two AWS Health Dashboards
2. Personal Health Dashboard

What is the AWS Service Health Dashboard Provides a complete health check of all sercies in all regions
What is the URL for the Service Health http://status.aws.amazon.com

Dashboard?
Notifies you of any service interruptions that may affect the resources
What is the personal health dashboard?
and services that you are using within your AWS account
What is the URL of the Personal Health phd.aws.amazon.com

Dashboard?
* Capture resource changes of CI

* Resource inventory
* Store configuration history
* Snapshot of configurations
What is AWS Config?
* Notify on change
* Compliance checks
* Security analysis
* Identify reslationships
What tool would you use with AWS Config AWS CloudTrail
to tell who made a change?
What is the boundary of AWS Config? Region-specific
What are API calls captured as in Events

CloudTrail?
S3 bucket
Where are CloudTrail logs stored?
Optionally CloudWatch logs
* Security analysis (notify of threshold breaches)

What are some use-cases for CloudTrail * Root-cause analysis by identifying change made
data? * Track changes to resources
* Evidence for compliance and governance controls
Recommends improvements based on best practices across AWS

What is AWS Trusted Advisor?
account
1. Cost optimization
What categories does Trusted Advisor 2. Performance
cover? 3. Security
4. Fault Tolerance
What are the limitations of Trusted Advisor? Requires Business and Enterprise support plans for ALL checks (50+)

1 Security Groups - Specific ports

2 EBS public snapshots
What are the 6 free core checks of Trusted 3 RDS public snapshots
Advisor? 4 IAM Use
5 MFA on root account
6 Service Limits
- Free feature
What are Trusted Advisor Notifications? - Tracks resource check changes and cost savings estimates
- Can exclude some resources
* Monitor resources via a series of metrics individual to each service.

* Each service sends metrics to CloudWatch
What is AWS CloudWatch?
* Can react to events and dynamically adjust any availability or
scalability issue
Basic Monitoring (Default): Every 5 minutes

What are the two modes of CloudWatch?
Detailed Monitoring: 1 minute intervals at additional cost
What is the retention of CloudWatch? two weeks
What are CloudWatch alarms? Trigger on events within environment via notifications
OK
What are CloudWatch alarm states? Alarm
Insufficient Data
What is CloudWatch logging? Can capture all the logs across application and web servers
How often are CloudTrail logs created? Every 5 minutes
What is the boundary of CloudTrail? Global service supporting all regions
What types of security control assessments 1. External vulnerability assessment

should be done against web applications in 2. External penetration tests
EC2? 3. Internal grey/white-box review
What best describes a forecast in AWS A prediction of your AWS usage for up to the next three or twelve
billing account using Cost Explorer? months
What is the recommended way to see - cost allocation tags

detailed billing information such as to - AWS billing reports
separate specific instances?
* Isolated segment of AWS Cloud

What is a Virtual Private Cloud (VPC)? * Infrastructure deployed in a VPC (networking, DB, compute)
* 5 per region per AWS account

What information is needed to create a Name

VPC? CIDR Block Address
What are VPC Subnets? Public or private networks created out of the VPC CIDR block range
1. Internet Gateway added (IGW) to VPC

What makes a VPC Subnet public? 2. Route table on public subnet given route to IGW
* 0.0.0.0/0: igw-xxxx after local
What is the default route on all subnet route Local: allows all subnets to communicate to each other
tables?
What is the scope of a subnet? Availability Zone (Subnet)
What is the scope of a VPC? Region (VPC)
Five total, first 4 and last
x.x.x.0: Network
What are the reserved IP addresses for AWS
x.x.x.1: AWS Routing
subnets?
x.x.x.2: AWS DNS
x.x.x.3: AWS Future
x.x.x.last: Broadcast
* associated to subnets
* rule # allows ordering
What are network access control lists * inbound: protocol/port range/source/allow or deny
(NACLs)? * outbound: protocol/port range/dest/allow or deny
* default rule "*" can be deny at bottom
* stateless: need specific rules for return
* associated to instances ENI

* protocol/port range/source
What are Security Groups?
* if no rule drop by default
* stateful: don't need rule for return traffic
- NACLs hit first because associated to subnet

How do NACLs work with Security Groups?
- Security Groups hit next
* Sits in public subnet (one per)

* Assigned EIP and has route to IGW
What is a NAT Gateway?
* Private subnet route table for 0.0.0.0/0 added to NAT-GW
* No inbound traffic, so keeps ecurity of private subnets
- Allows access to EC2 instances in private subnet

What are Bastion Hosts? - Sits in public subnet - allows range of IPs
- Jump to instances on private subnet from bastion SG

Where should private keys for private EC2 On local workstation and use ssh agent forwarding
instances be stored when using bastion
hosts to access private instances?
- Customer Gateway (at data center)

- Virtual Private Gateway in VPC
What are the components of an AWS VPN?
- Tunnel is initiated from Customer Gateway
- Subnet route table with dest with dc subnet and target of vgw
What is a benefit of BGP in VPN customer Routes can be dynamically propagated

gateway?
* Connects data center directly to AWS

What is AWS Direct Connect? * Useful for high throughput workloads
* Very stable connection
- Connect one VPC to another via a direct route using private IP

addresses
What is VPC Peering? - 1 to 1 connection only, so can become unwieldy
- Must have unique subnet CIDRs
- Can be inter-region
1 VPC requester
How is a VPC peering relationship set up? 2 VPC acceptor
3 Routing tables updated with dest to pcx
- Allows one to many connections via a central hub

- Each VPC or remote location gets a single connection to Transit
What is the AWS Transit Gateway? Gateway
- All routing managed centrally in hub
- Allows for central monitoring
How do remote locations connect to Transit Either via VPN or Direct Connect
Gateways?
When specifying a CIDR block address for /28 to /16

your VPC, what is the range of netmasks
allowed?
What type of resources can AWS Direct Only resources within a VPC
Connect communicate with through a
private virtual interface?
Which is a VPN component that serves as virtual private gateway

an AWS-managed VPC endpoint within the
VPN connection?
How is a private subnet indicated? No route to an internet gateway or virtual private gateway

A route table can be assigned to ____________ multiple, one

subnet(s). A subnet can be assigned to
____________ route table(s).
To enable access to or from the Internet for ensure that your subnet's route table points to the Internet Gateway.
instances in a VPC subnet, you must:
When a VPC is created an implicit router with the main route table is
What is the implicit router? created and neither can be deleted. You can just create new route
tables and associate subnets with those instead.
Yes, once a customer route table is tested, it can be marked as the

Can a custom route table be configured as
main route table - any implicit associations will then point to the new
the main route table?
route table.
Can the local route be deleted? No
* NAT gateways are in each AZ whereas Intances use failover script

What are the benefits of a NAT Gateway (better HA)
over a NAT Instance? * NAT gateways are scalable, Instances depend on Instance type
* NAT gateways are full managed
How long it will take to recover to restore a business process to its

What is RTO (recovery time objective)?
service level (as defined by SLA).
What is (RPO) Recovery point objective? Acceptable amount of data loss as measured in time.
details how a company recovers and restores critical business

Business Continuity Planning
operations and systems after a disaster or extended disruption
1. Retention time
Backup / Restore considerations 2. Security measures
3. Test recovery
Data is mirrored and environment is scripted as template to be built out

What is the Pilot light DR strategy?
and scaled.
1. EC2 instances
2. Software packages
How is a Pilot light set up? 3. Create and maintain AMIs for key services
4. Regularly run/test/apply software updates or configs
5. Automate as much as possible
1. Backup/restore
2. Pilot light
What are the 4 AWS DR strategies?
3. Warm standby
4. Multi-site (preferred, more $$)

1. A scaled down version of fully functional environment is always

running in the cloud
What is a warm standby DR strategy? 2. Maybe a slave DB
3. System configs/patches are done in line with production
4. Scale horizontally
1. Mirror of production in AWS.

2. Uses DNS weighting to distribute to both sites
What is multi-site DR strategy?
3. Automated failover
4. DNS is updated to point all traffic in DR scenario
atomic updates to both

What is synchronous replication? RDS uses this
bandwidth and latency dependent
What is asynchronous replication? non-atomic updates to secondary as network permits
1. AWS import/export snowball for S3 / Glacier

AWS Data recovery tools
2. AWS storage gateway (cached, stored, VTL)
1. Availability Zones
What are the 4 components of the AWS 2. Regions
Global Infrastructure? 3. Edge locations
4. Regional Edge Caches
* Physical data centers of AWS

* One AZ may be multiple data centers
* AZs are linked by highly resilient low latency private connections
What is an availability zone (AZ)?
* Compute, storage, networks, and data resources provisioned in AZs
* Each AZ is separated by power, network, etc
* Best practice is to use 2 or more AZs
* Physical geographical location made up of data centers (AZs)

* Each region is independent and isolated from another
What is a region? * collection of at least two AZs
* Help maintain data compliance laws
* Not all services available in all regions
What are the paths of communication Between regions is over the public Internet
between regions, availability zones? Between AZs is on AWS backbone
What are global services? Services that are not tied to a region (e.g. IAM)
* Globally deployed in highly populated areas

* AWS resources not provisioned here
What are edge locations?
* Used to cache data and reduce latency
* Form a global content delivery network (CDN)

* sits between CloudFront origin servers and edge locations

* larger cache-width than edge locations
What are regional edge caches? * data retained longer
* edge locations can retrieve cached data from these (reduced
latency)
Allows you to connect to AWS managed services via a private network.

What is a VPC Endpoint?
Policies supported.
Can you change the subnet size of a VPC No

after creating?
* route table (default provided)

What must each subnet be associated with?
* network access control list (default provided)
How are network access control lists read? In order, lowest number to highest.
Can multiples subnets be associated with a Yes

single NACL?
Can a subnet be associated to multiple No

NACLs?
What traffic is allowed by default for a Outbound traffic

security group?
What traffic is denied by default for a Inbound traffic

security group?
What are security groups associated with? Network interfaces
What are benefits of elastic load balancer * Internal or external facing

(ELB)? * Can balance between AZs
Does ELB manage scaling? No, that is done by autoscaling
Does ELB terminate or stop instances? No, that is done by autoscaling
* spiky or unpredictable TCP traffic

What are good use cases for network load
* need static or elastic IP per AZ
balancer?
* containers
What is a good use for the application load * containers

balancer? * ssl offload
What is a good use for the classic load * flexible cipher support
balancer? * ssl offload

1. Amazon published
What are the types of Amazon Machine 2. Partner published
Images (AMIs)? 3. Community published
4. Private (from own snapshots)
What are network choices for EC2? Low, Medium, High, 10Gb, 25Gb
Where are the OS parts for an instance S3, so takes longer to boot than EBS backed
store EC2 instance stored?
What is the minimum billing unit for EC2? With per second, 1 minute is smallest unit
By default, what happens to the root device Deleted

volume for EBS backed EC2 instance when
the instance is terminated?
- Create CloudWatch alarm for StatusCheckFailed_System status

How can you recover an EC2 instance from
check
physical host failure (network, hardware,
- Set action on alarm to recover instance, it will be restarted on new
software)?
hardware
- must be shared tenancy

What are limitations of EC2 instance
- must be in VPC
recovery from system failures?
- must be using EBS
* Public IP that can be programatically mapped between instances in a

What is an elastic IP address (EIP)? region.
* Associated with AWS account
What is the maximum number of EIPs per 5

VPC per region?
Is there a charge for an EIP? Only if associated to non-running instance
- Message queue service

- Pull based (polling)
What is Amazon Simple Queue service
- Message order not guaranteed
(SQS)?
- Messages might be retrieved more than once
- Provides loose coupling
4 days
What is the default retention time of SQS?
can be 1 minute to 14 days
- Highly available DNS server

- Supports geographical routing based on user's location
What is Route53?
- Healthchecks allow for DNS failover
- Weighted routing can be used for blue/green deployments

- monitoring service to monitor AWS resources + apps

- each service sends service-specific metrics
What is Amazon CloudWatch?
- custom metrics possible
- can monitor on-prem via agent
- uses health checks to ensure at least 1 EC2 instance always running

- can launch additional EC2 instances based on demand and then
What is Amazon Auto Scaling? scale back down
- can use CloudWatch metrics
- can be based on date/time
1. Launch configuration / template

What are the components of Auto Scaling? 2. Auto Scale Group
3. Scaling Plan
a launch configuration is how you configure a single EC2 instance to

What is a launch configuration?
be replicated in the event of a autoscaling. specify AMI, user data, etc
What is an Auto Scale Group? The groups specifies the min/max numbers
What is the Scaling Plan? Sets how scale-out and scale-in should happen. By how many?
1. AZ imbalance, AZ with most instances then oldest launch config

How does Auto Scaling termination decide
2. Instance with nearest billing hour
which instance to terminate?
3. Random
1. HTML has cloudfront URLs for resources

2. DNS routes to nearest Edge
How does CloudFront work from user
3. If in edge cache returns resource
perspective?
4. If not in edge cache, edge requests from origin
5. Edge Starts streaming to use after first byte received
- outbound data transfer

How is CloudFront priced? - HTTP requests
- traffic to the origin
What are some additional CloudFront Cache invalidation requests (TTL)

charges? Custom SSL IP (for support of older non-SNI)
How can you restrict access to data in Restrict S3 bucket access when configuring CloudFront
CloudFront when using signed URLs or
signed cookies?
What is a CloudFront Web Distribution? A CloudFront instance for web sites.
What is the level of detail and availability for daily @ 60 days

CloudFront reports? hourly @ 14 days

1. Use S3, xfer from S3 to CF is free

2. Control access to content on S3
What are static asset best practices for 3. Control access to content on CloudFront (signed)
CloudFront? 4. Edge caching with high TTLs and no header/cookie forwarding by
default
5. Versioning with filenames/directories names
What are dynamic asset best practices for 1. Cache everything, use popular objects report
CloudFront? 2. Use multiple cache behaviors
What are streaming asset best practices for 1. Set right TTLs (low for manifest, high media files)
CloudFront? 2. Use HTTP streaming protocols
Use Route53 with health checks

How to ensure CloudFront origin is
Monitoring with CloudWatch
resilient?
More caching = higher availability
* Enable end-to-end HTTPS

How to ensure security with CloudWatch? * Use IAM
* Use CloudTrail
After processing a message in SQS, what Delete the SQS message

should the application do?
Does SQS guarantee a one time message No

processing?
- only objects restricted to CloudFront but that don't require a signed

In Amazon CloudFront, Public URLs allow
URL
users to access___?
- objects with no restrictions
What control mechanisms of CloudFront * geo-restriction based on ip addres

can be used to meet restricted access * signed URLs
requirements such as for premium
subscribers and specific countries?
What directives tells Amazon CloudFront to Cache-Control: max-age=3600

keep an associated object in the
CloudFront edge cache for one hour?
- Offsite backup
- No scalability constraints
What are some benefits of Cloud Storage
- No CAPEX costs
for DR/Backup?
- High durability and availability
- Enhanced security features
- Access and review AWS Compliance Reports

What is AWS Artifact? - Good for auditors to validate compliance
- Accessed via the AWS Management Console
What is ciphertext? Message in its encrypted form
An encryption method in which the same key is used to encrypt and

What is symmetric encryption?
decrypt a message
An encryption method in which two keys (one private, one public to

What is asymmetric encryption?
encrypt) are used to encrypt and decrypt a message
What is the weakness of symmetric Third party could intercept the single key giving them access to the
cryptography? data.
In asymmetric cryptography which key is Private

required to decrypt the data?
Which cryptography algorithms are fastest? Symmetric
With SSE when is an object in S3 Before written to physical disk

encrypted?
Blowfish
What are common symmetric encryption
AES
algorithms?
DES
What are common asymmetric encryption RSA

algorithms? DSA
How does S3 SSE encrypt data? Using AES-256, symmetric
How can you ensure objects are always Add policy to deny putObject when server side encryption header not
encrypted before adding to bucket? present
With S3 SSE-C where is encryption Within S3 service, customer provided keys send with data
decryption handled?
SSE-KMS
Which encryption methods does Athena
SSE-S3
support?
CSE-KMS
Use S3
Does EMR encrypt data at rest by default?
EBS encryption using customer AMI
When can RDS encryption be enabled? Only at RDS creation
What type of encryption does RDS use? AES-256
Which S3 SSE method allows customer- SSE-KMS and SSE-C

provided keys?
What does the customer master key (CMK) The data key, not the data itself
encrypt?
What are the two common permissions kms:Decrypt

need to query and encrypt data? kms:GenerateKey
How is EMR encryption shared among Via a security configuration which specifies policies and methods (at
other clusters? rest, in transit, etc)
Is KMS multi-region? No, it is region specific
1. Customer Master Keys (CMK)

2. Data Encryption Keys (DEK)
What are the 4 main components of KMS?
3. Key Policies
4. Grants
What is the primary use of a CMK? To generate, encrypt, and decrypt DEKs
- Customer managed (generated by KMS or imported)

What are the types of CMKs?
- AWS managed CMKs
What is the purpose of AWS managed - Used by other AWS services interacting with KMS
CMKs? - Created automatically when first called
What is the purpose of customer managed More flexibility and control, can be used for same purposes as AWS
CMKs? managed
When one key encrypts another key. For example.
1. Master key used to create plain DEK and encrypted version of DEK in
What is envelope encryption? memory
2. plain DEK is used to encrypt plaintext
3. Ciphertext and encrypted DEK stored on disk
4. DEK cleared from memory
- Resource-based policy applied to a CMK.

What is a KMS key policy? - Required
- Allows principals to access keys.
Resource based policy for CMK allowing delegation a subset of own

What is a KMS Grant?
access to a CMK for principals
Like other services in AWS, can KMS be No, to manage CMKs, you must use a key policy associated to your
governed only by IAM policy? CMK
1. Using key policies

What are the 3 ways of managing access to
2. Using key policies with IAM
keys?
3. Using key policies with grants
By default who is granted full access to root user of the AWS account
CMKs?
Users who can manage keys but not (by default) use them for
What are CMK key administrators?
encryption/decryption.
Those who can use the keys for encryption and delegate subset of
What are CMK users?
their own permissions to another principal, such as a service.
What is required to use key policies with root of account must have full KMS access to the CMK
IAM policies?
* arn, permissions, policies remain the same

* only backing key changed
How does automatic key rotation work?
* older backing keys retained to decrypt data encrypted prior to
rotation
What is the automatic key rotation 365 days with no other opption
timeframe?
- requires new CMK

- applications need to be updated with new CMK-ID
How does manual key rotation work?
- to simplify use Alias names and point alias to new CMK
- Keep older CMKs around for older data
What is the durability difference between KMS has higher durability, in case of region-wide failure would need to
external key material and KMS generated re-upload customer generated key material
key material?
- KMS enforces a scheduled deletion process (7-30 days)

- Put into pending deletion and not usable
What is the process for deleting a CMK? - Analyze CloudTrail logs
- Set up CloudWatch alarms to see if key in use
- If not confident, disable it
A string of characters used with an encryption algorithm to create

What is an encryption key?
ciphertext
How are CMKs created within KMS FIPS 140-2 validated cryptographic modules
protected?
Can disabled KMS CMKs be rotated? no
The backing key. Completes and implements the encryption and

What is key material?
decryption process on behalf of the CMK itself.
What is the main overall purpose of AWS Manage and control security permissions
IAM?
Entity that defines a set of permissions for making AWS service

What are IAM Roles?
requests. Other entities assume these temporarily.
What are IAM Policy Permissions? JSON policies that define what resources can/can't be accessed
Is IAM region specific? No it is global
Programatic (access key ID, secret access key)

What are access types for IAM users?
AWS Management Console (password)
- Password
- MFA
What security credentials can be associated - Signing Certificates
to an IAM user? - Access Keys
- SSH Public Keys
- HTTPS Git Credentials
What feature of an IAM user shows the Access Advisor

permissions they have and last time used?
- IAM Users
What is an IAM group comprised of?
- Customer or AWS-managed policies
What is the best practice for allowing AWS Assign a role rather than storing credentials
resources access to other AWS resources?
1. AWS Service Role (e.g. EC2, Lambda)

2. AWS Service-Linked Role (specific hard coded roles, not
changeable)
What are the 4 types of roles?
3. Cross-Account Access (owned or external owned / trusted and
trusting)
4. Identity Provider Access (web identity (OIDC), SAML SSO, SAML API)
What is the basic, required structured of an Version and at least one statement
IAM policy?
- Sid: Unique identifier

- Action: service:action
What are the possible elements within an - Effect: allow/deny
IAM policy statement. - Resource: ARN(s)
- Condition: Option element controlling when permission will be
effective (condition + key:value pair)
Inline is embedded in a specific user, group, or role and directly

What are IAM inline policies (vs managed)? attached to IAM object. Not available for reuse. Used in limited use-
cases for one-off for a particular IAM object.
By default, what IAM permissions are Deny

applied?
When will access be allowed by an IAM Only when and explicit "Allow" has been specified
policy?
If an explicit deny is set for a specific The deny

resource and an explicit allow is set for the
same resource, which takes precedence?
Access and manage AWS resources even without account in IAM.

What is Identify Federation?
SAML or OpenID Connect.
- Security Token Service

What is the STS service?
- Grants users limited and temporary access to AWS resources.
What role does the STS service play in After login to the IdP, redirected to STS to get a temporary credential
federated login? and assumed role
Encryption keys in KMS primarily used to encrypt data encryption keys

What are customer master keys (CMK)?
(DEK)
Which IAM policy type can control which Resource policy rule
Amazon S3 buckets can trigger which AWS
Lambda functions?
By default, all requests receive a ______ in Default deny

IAM except for requests that use the AWS
account's root security credentials.
A(n) _____ is a document that provides a Policy

formal statement of one or more
permissions.
Which type of IAM role is pre-defined, and AWS Service-Linked Role

can only be edited in a limited number of
cases?
What is authentication? The process of verifying the identity of a user who logs on to a system.
What is authorization? Authorization determines the privileges of authenticated clients.
The mechanism of accessing a secured resource. E.G. IAM Roles,

What is access control?
Federation, NACLs, Security Groups
1. Create new Access Key

2. Apply new Access Key to system/application
What are the 5 steps to rotate an access
3. Mark original Access Key as inactive
key?
4. Test and verify new access key is working
5. Delete old Access Key

What is a more secure and efficient Assign the instance to an IAM Role
alternative to storing access keys on EC2
instances?
Key pair auth to Linux or for decrypting administrator password for

What is instance authentication?
Windows.
What entities are IAM policies applied to? Users, Groups and Roles and can govern access to any AWS resource
1. Edit JSON manually

What are the 3 ways to create a policy? 2. Use the IAM Policy Generator
3. Copy / Edit existing policy
What additional attribute is required for an The principal attribute since these are applied to buckets and we need
S3 bucket policy? to know the principals
- Set at object level whereas Bucket polices are only at bucket level.
What are S3 Access Control Lists? - ACLs are less granular
- Different format than Bucket or IAM policies
- Least-privileged
How does AWS handle conflicting
- By default access denied
permissions between Bucket policies, IAM,
- Must be an allow within a policy
and ACLs?
- A deny will overrule any allow
- Tracking actions a user performs during a sessions while

authenticated
What is Accounting?
- Can be sued to determine costs incurred by that identity
- Used for billing / planning / resource management
Only root, but must be activated

By default who has access to billing 1. Login as root
information? 2. Select account
3. Activate it
- Helps manage cost and usage

What are budgets? - Can send alerts via SNS when thresholds are reached
- Can measure usage and alert (api calls) for security
Tags show up under Cost Allocation Tagging and can be used in

How can tags be used in billing?
billing reports
Accounts are linked specifically for billing purposes? One paying

What is Consolidated Billing?
account. Nothing else is shared between accounts.

Using CloudTrail filters to sort on :
Time Range
How can CloudTrail activity be located
Event Name
quickly?
Username
Resource name
Resource type
1. Configure an internal SAML-based IdP

What is required to set up SAML-based
2. Create SAML provider in IAM
federation?
3. Create roles that map to groups in the IdP identity store
Request all must have the AWS Access Key Id, HMAC-SHA1 signature,
and time stamps.
When accessing AWS resources using the 1. Client creates HMAC-SHA1 signature using <request contents> +
REST API, how are requests authenticated? <secret access key>
2. AWS retrieves your secret access key from access key id
2. AWS creates HMAC-SHA1 signature
3. Compares signatures
How can master account be used to control Create IAM users in master account, create cross-account roles.
resources in child accounts?
* Run on separate infrastructure instances often in customer VPC

* AWS is responsible for managing OS and platform
* Managed service provided by AWS for actual application which are
What is a container service?
seen as 'containers
* Customer has security responsibilities (network, IAM)
* RDS, EMR, Elastic Beanstalk
* Service is removed from the platform or management layer

* Accessed via endpoints using AWS APIs
What is an abstract service? * Abstracted service provide a multi-tenant platform, underlying
infrastructure is shared
* S3, DynamoDB, Glacier, SQS
1. Infrastructure Service Model

What are the three AWS shared
2. Container Service Model
responsibility models?
3. Abstract Service Model
Is EMR encrypted by default? No
What are some options for encrypting data - LUKS (linux unified key setup)
at rest for EMR when using EBS? - Open-Source HDFS encryption
- Use S3 SSE-S3/KMS and configure EMR security conf

What are some options for encrypting data
- Use S3 and CSE
at rest for EMR when not using EBS?
- Encrypt before storing in S3

- RDS level encryption leveraging KMS

What are options for encrypting data at rest
- Oracle and SQL Server TDE
for RDS?
- MySQL and Microsoft SQL specific methods
- By default both Glacier and DynamoDB encrypts data at rest using

SSE
What are options for encrypting data at rest
- Each archive in Glacier generates a new key and data is encrypted
with Glacier and DynamoDB?
using AES-256
- DynamoDB can also use KMS`
- Using TLS between the app and RDS, varies by database backend
How is data in transit protected for RDS? - Oracle also supports Native Network Encryption (NNE) exclusive of
TLS
- Open-Source HDFS
How is data in transit protected in EMR? - Hadoop encrypted shuffle using TLS
- S3 or DynamoDB are sent over TLS
How is data in transit protected in S3 or Requires HTTPS and TLS connections

DynamoDB?
What is a way to restrict network access to Apply allowed IPs in the IAM policy's conditions block.
an AWS abstract service?
What is an optional and additional security MFA delete

mechanism in S3 to protect against
deletes?
How can you add an ssh key to your ssh-add <path_to_key>

authentication agent and verify? ssh-add -L
How can you SSH into a host forwarding ssh -A user@host

your private key (for jumping)
Regions
Availability Zones
VPCs
Elastic Load Balancers
Simple queue service
What are the high availability top 10?
Elastic cloud compute
Elastic IP address
Route53
CloudWatch
Autoscaling
What components differentiate cloud from Autoscaling combined with CloudWatch alarms to trigger scale-in and
traditional data center architecture? scale-out

What tool can help with cost-optimization Simple monthly calculator

by comparing instances types and other
options?
What is the AWS auto-scaling response to Will first launch new instances in the healthy AZ before terminating
an unhealthy AZ? unhealthy instances.
1. AMI
2. Instance Type
3. Instance Details
What are the screens for launching an EC2
4. Storage
instance?
5. Tags
6. Security Group
7. Review and Launch
Required elements:
What are the required elements of an Auto Minimum Size
Scaling group? Launch Configuration
(Health checks and desired capacity optional)
Required elements:
What are the required elements of an Auto
AMI
Scaling launch configuration?
Instance Type
What is the default max number of instances 20

launched per region in an Auto Scaling
group?
What is the default max number of launch 100

configs per region?
What is the service that terminates an ELB checks health

unhealthy instance in an HA configuration? Auto Scaling group terminates
Allows a set date/time to increase the auto scale group based on

What is Auto Scaling scheduled scaling?
predictive traffic patterns
LAUNCH
TERMINATE
HEALTHCHECK
What are the auto scaling methods? REPLACEUNHEALTHY
AZREBALANCE
ALARMNOTIFICATION (from CloudWatch)
ADDTOLOADBALANCER
What can be done to auto scaling They can be suspended

methods?

What is the reason an Auto Scaling group TERMINATE has been suspended
may exceed the maximum size?
What is the location Auto Scaling will The AZ with the fewest instances
launch an instance by default?
What is the location where EBS-backed Replicated within a single AZ. 5-9's durability
volumes are stored?
Can a security group be associated to more Yes

than one ENI?
What is the level of AWS support to get a Enterprise

TAM? $15,000/month
Professional
What is the level of AWS support for
$100/month starting
production workloads?
1 hour response
What compliance framework does IAM PCI DSS

support?
1. Users
2. Groups
What are the 4 key components of IAM?
3. Roles
4. Policies
What permissions do new IAM users have? None
What is the method for creating alerts when CloudWatch > Billing > Create Alarm > SNS Topic
a bill goes over a certain amount?
What is the HTTP code for a successful 200

upload to S3?
What is the consistency model for data in * Read after write for PUTS of new objects
S3? * Eventual for overwrite PUTS and DELETES
What are two ways to secure S3 data? Bucket policies and ACLs
* Storage
* Requests
* Storage Management (tiering)
What are the various S3 charges?
* Data transfer
* Cross region replication
* Transfer acceleration
What are the valid object sizes for S3? 0 byes to 5TB
What is the S3 namespace? universal namespace
What is the default connection draining time 300 seconds

for AWS load balancers?
What are the load balancers that support ALB or NLB

containers?
What is the load balancer that supports ALB

HTTP/2 and host based routing?
What is the restriction of aggregation for Across AZs

CloudWatch alarms?
Co-ordinates tasks across distributed components and consists of

What is the simple workflow service (SWF)? workers, workflow starters, or deciders. Human interaction can be a
part.
Publisher
What are the elements of SNS? Subscriber
Topic
- HTTP(s)
- SMS
- Email ( json)
What are the SNS notifcation methods?
- SQS
- Lambda
- Mobile push
What are the security tests allowed under * Port scans not allowed
the AWS usage policy? * PEN testing allowed with permission
- Reboot: Stay the same

What are the private/public IP behaviors for
- Stop/Start: Private stays, Public changes (unless EIP)
EC2 based on action?
- Terminate: EIP disassociated
- Reboot: Remains associated

What are the EIP behaviors for EC2 based
- Stop/Start: EC2-classic disassociated, VPC remains associated
on action?
- Terminate: EIP disassociated
- Reboot: Instance billing hour doesn't change

What are the billing behaviors for EC2 - Stop/start: Stop incurring charges when state=stopped, new hour
based on actions? charge from stopped to running
- Terminate: Stop incurring when state=shutting-down
What CloudWatch metric is not collected Memory

by default and requires an agent?
AWS
What isSolutions Architect
SNS (Simple Notification Associate A push service to send time sensitive messages
Service)?
What is a limitation of S3 versioning being It cannot be disabled, only suspended

enabled?
What is a way that S3 versioning can be S3 versioning stores all versions of an object (including all writes and
used as a backup tool? deletes)
What is the result of turning on S3 cross Existing objects are not replicated, only new versions are.
region replication for a bucket with existing
objects?
What is the behavior of delete markers and Deleted objects and delete markers are not replicated
deleted objects with S3 cross region
replication?
Can be:
- S3
What is a CloudFront origin? - EC2 instance
- ELB
- Route53
What are Edge locations, read only or Can be written to (see S3 acceleration)
read/write?
Can cached objects in Edge Locations be Yes, but there is a charge to invalidate a cached object before its TTL
cleared? expires
What are the file size limitations of S3? 0 bytes to 5 TB
What are the number of buckets allowed 100

per account by default?
What is the PUTS per second limit on S3? 3500 - raised to eliminate the key hashing design
Full access to all AWS services except the management of groups and
What is the limit to the Power User role?
users in IAM.
Which login method is enabled by default neither, you have to select one or both
on a new IAM user?
What are the methods to give users access - CloudFront signed cookies
to private files in S3 when using - CloudFront signed URLs
CloudFront? - CloudFront Origin Access Identity
What is the charge of AWS terminating a You will not be charged for the partial hour unless you terminate the
spot instance? instance
Can EC2 root device volumes be Yes

encrypted?
What is the state of EC2 termination disabled

protection by default?
What is the default action for the root delete on instance termination
volume on an EBS-backed volume for
instance termination?
What is the default action for non-root EC2 preserved on instance termination
EBS volumes upon instance termination?
Can additional EBS volumes (non-root) be yes

encrypted?
What is the delay on changes to security none, happen immediately

groups?
How many security groups can an EC2 multiple

instance be associated with?
How can you add deny rules to a Security You cannot, they deny be default and only allow rules
Group?
Where do EBS snapshots live? EBS snapshots live on S3
How are AMIs created? Either from EBS volumes or snapshots
What is best practice for taking snapshots Stop the instance so that the snapshot is consistent
of EBS volumes that serve as root devices?
What are the operations permitted to EBS Resize, change storage type (tier)
volumes on the fly?
- Take a snapshot
What is the method for moving an EC2
- Create AMI from the snapshot
volume from one AZ to another?
- Use the AMI to launch the EC2 instance in new AZ
- Take a snapshot
What is the method for moving an EC2 - Create AMI from the snapshot
volume from one Region to another? - Copy the AMI to another region
- Launch EC2 instance using AMI in new region
What is the effects on an instance-store All data will be lost

backed EC2 instance if the underlying host
fails?
What is the method of encrypting Nothing, they are encrypted automatically

snapshots of an encrypted EBS volume?

What is the process for sharing encrypted Must be unencrypted

snapshots?
What is the process for encrypting a root - Make a snapshot of the root device volume
device volume that already exists - Create a copy of the Snapshot and specify encryption
unencrypted? - Create an AMI from the encrypted snapshot
What are the fundamental differences - CloudTrail is for auditing

between CloudWatch and CloudTrail? - CloudWatch is for performance
What is the reason for assigning a role to an - much more secure, no stored key
EC2 instance vs storing AWS credentials? - easier to manage
What is the address to get metadata or - curl http://169_254_169_254/latest/meta-data

userdata from within an instance? - curl http://169_254_169_254/latest/user-data
1. Clustered
What are the 3 types of EC2 placement
2. Spread
groups?
3. Partitioned
What are EBS snapshots, incremental or incremental - only the changes

full?
Connection string is a DNS record

How does RDS multi-az failover work?
AWS updates DNS record to point to new IP
- Enabled by default
What are the backup options for RDS? - Automated backup
- Database snapshots (manual)
What is a requirement before RDS read Must have backups turned on

replicas can be enabled?
What are the availability options for RDS - can be multi-az

read replicas? - can be enabled in a different region
What happens when you promote an RDS Read replica is no longer a replica but a stand alone database
read replica to master?
How can a failover of RDS multi-az be Can be forced by rebooting the RDS instance and selecting failover
done?
automated backups
What else is encrypted once encryption is
read replicas
enabled for RDS?
snapshots
What are the consistency options available - strongly consistent reads

for DynamoDB? - eventually consistent reads (default)
Only available in 1 AZ
What is the availability limit of RedShift?
Can asynchronously replicate snapshots to S3 in another region
enabled by default with 1 day retention

What are the backup options for RedShift?
up to 35 days
At least 3:
What is the number of copies of data that

- Original
RedShift keeps?
- replica on compute nodes
- S3
- Data replicated to 3 AZs minimum

What is the method Aurora uses to ensure
- 2 copies of data in each AZ
high availability?
- Total of 6 copies of data
- MySQL
What are the two types of Aurora replicas?
- Aurora (supports automated failover)
Where can Aurora snapshots be shared? With other AWS accounts
Either
What is the process for migrating from - Create an Aurora read replica from MySQL
MySQL to Aura - Promote Aurora writer
Or create snapshot and restore to Aurora
- JSON
What are the data formats supported by
- Apache Parquet
Athena?
- Apache ORC
What is the maximum sized RDS volume for 16TB

provisioned IOPS storage by default?
What the the way ELBs are resolving using ELSs do not have pre-defined IP addresses; you resolve them using a
IPs? DNS name
What is the type of DNS record you have to A (alias) record; CNAMEs do not support naked domain names
use for a naked domain (e.g.
microsoft.com)?
When given a choice, what is the type of An A record and not a CNAME
DNS record you should use?
When buying a domain name from AWS 3 days

Route 53 how long might the domain
registration take?

-Simple
-Weighted
-Latency
What are the available Route53 routing
-Failover
policies?
-Geo Location
-Geo proximity (traffic flow only)
- Multivalue answer routing
What is the Route53 Simple Routing Policy? One record with multiple IPs returned randomly
What is the Route53 weighted routing Adds up the weights of each record set and then apportions
policy?
What is the Route53 latency-based routing route traffic based on the lowest network latency for your end user
policy?
Used when you want an active/passive site with fail-over based on

What are Route53 failover routing policies?
health checks.
What are Route53 geolocation routing Choose where traffic will be sent based on the geographic location of
policies? your users.
What are Route53 multivalue answer Similar to simple routing but allows you to check the health of each
policies? resource so that only healthy are returned.
You have created a subdomain for a CNAME

website and need it to point to an ELB, what
type of record should be created?
A subnet can belong to ___ AZs and and AZ one

can have ___ subnets multiple
What type of peering may exists between non-transitive

VPCs?
- default route table

What are the only components created by
- nacl
default in a new VPC?
- default security group
What is the max number of IGWs per VPC? 1
Can security groups span VPCs? no
What additional step must be taken when Disable source/destination check

creating a NAT instance?
What is the subnet where a NAT instance or public

gateway lives?
What is a way to create HA with a NAT Use autoscaling groups, multiple subnets in different AZ and a script to
instance? automate failover
Inside the availability zone only; for full HA create additional NAT
Where are NAT gateways redundant?
gateways in each AZ and configure route tables appropriately
What type of NAT product is associated NAT instances only; NAT gateways are not associated with security
with a security group? groups
What are the rules for the default network allows all inbound and outbound traffic
ACL?
What is the state of a newly created denies all inbound and outbound traffic
network ACL?
What happens if you do not associate a it will be associated with the default NACL
subnet with a network ACL?
Which security entity can block IPs? network ACLs but not security groups
When creating a public facing ELB, what is 2

the minimum number of public subnets?
- cannot enable for peered VPCs unless they are in the same account
What are some limitations of VPC flow
- flow logs cannot be tagged
logs?
- once created, cannot be changed including IAM role
- internal AWS DNS

- Windows license activation
What traffic types are not monitored with
- metadata 169.254.169.254
VPC flow logs?
- DHCP
- traffic to reserved IPs
Can a NAT gateway be used as a bastion No

host?
Attach an ENI to an instance then you can communicate to AWS

What is a VPC interface endpoint?
services via the Amazon internal network
- VPC endpoint that does not depend on an ENI

What is a VPC gateway endpoint? - Creates a route in your route table.
- Currently works with S3 and DynamoDB
What is the error from ELB that indicates a Error 504

problem with your application?
What are the possible instance status values - InService

reported in ELB? - OutOfService
What is the difference between sticky In classic pins traffic to EC2 instance
sessions on Application Load Balancers vs In ALB pins traffic to target group
Classic Load Balancers?
Allows you to direct traffic to different EC2 instances based on the URL
What are ELB path patterns?
contained in the request
What is the header to check for client IP x-forwarded-for

when using a classic load balancer?
What is AWS quick start? Pre-defined Elastic Beanstalk configurations
What is the message size by default for 256 KB

SQS?
The amount of time a message is invisible to the queue after a reader

What is SQS VisibilityTimeout? picks it up. If processed within timeout deleted; otherwise available
again. Can result in dupes
What is the SQS visibility timeout max? 12 hours
Way to save money on requests, response not returned until a

What is SQS Long Polling?
message appears, or time out.
What is the max workflow execution of 1 year

SWF?
What is the API difference between SWF SWF is task oriented whereas SQS is message oriented
and SQS?
- Workflow starters (website or person)

What is are SWF components (actors)? - Deciders (controls flow)
- Activity workers (does work)
instant push-based delivery (no polling)

What are benefits of SNS?
simple apis
What is elastic transcoder? Converts media formats into different formats for various devices
- Front door for APIs.

What is API Gateway? - Distributes traffic to lambda, EC2 or dynamoDB.
- Exposes HTTPS endpoints to define RESTful API.
Same origin policy is a web standard that doesn't allow apps from
What is the same-origin policy? different domains to interact and exchange data. Purpose is to protect
the end user data.

Cross-origin resource sharing (CORS) is a mechanism that allows

restricted resources (e.g. fonts) on a web page to be requested from
What is CORS?
another domain outside the domain from which the resource
originated
What is the likely problem if you see the enable CORS on API Gateway
error "Origin policy cannot be read at the
remote resource"
What is a way to increase performance and Enable caching and TTL

reduce costs with API gateway?
What is Amazon kinesis? Platform for streaming data
- Kinesis streams
What are the 3 types of kinesis? - Kinesis firehose
- Kinesis analytics
- Uses shards
What is the use case for Kinesis streams? - Data has persistence (1 to 7 days)
- Custom apps
- No data persistence, must act on it as soon as it comes in such as run

lambda function
What is the use case for Kinesis firehose?
- auto scales
- simple integration with AWS resources
What is the use case for Kinesis analytics? Analize data within firehose or streams
Web identity federation service:
What is Amazon Cognito?

User auth with web id provider then gets temporary AWS cred with
IAM role
Contains user data from AWS, Facebook, Google, etc like passwords.
What are Cognito user pools?
Handle user registration.
Granting of access to an AWS resource via IAM role to give access to

What are Cognito identity pools?
resources
What is the difference between SQS FIFO maintains order and only delivers messages once
standard queue and FIFO?
Where is CORS enforced? by the client / browser
How does API gateway scale? automatically
How does lambda scale? Out (not up)

1 event = 1 function
What are the features of lambda functions? lambda functions can trigger other functions so 1 event can equal x
functions
What is AWS x-ray? Can help debug Lambda functions
API Gateway
ALB
AWS IoT
Alexa
CloudWatch Events and Logs
CodeCommit
What are the AWS lambda triggers?
Cognito
DynamoDB
Kinesis
S3
SNS
SQS
What is traditional architecture vs ELB > EC2 > RDS

serverless? API Gateway > Lambda > DynamoDB
https://myBucket.s3.amazonaws.com
What is the URL pattern of an S3 bucket in
https://s3.amazonaws.com/myBucket (old)
us west 1 name "myBucket" be?
https://s3-us-west-1.amazonaws.com/myBucket (old)
What are the underlying hypervisors for Xen

AWS? Nitro
(T/F) standard reserved instances can be False

moved between regions.
What are two ways to have tiered cloud - Use file gateway presented with NFS using S3 IA
storage presenting to on-prem Mac / Linux - Use EFS and IA
machines?
- Cold (sc1)
What are the lowest cost EBS options?
- Throughput optimized (st1)
Which AWS cli command creates a aws ec2 create-snapshot

snapshot of an EBS volume?
What is the max running instances per AZ 7

for spread placement group?
- Stripe volumes together (RAID 0)

What are ways to increase EBS
- Select EC2 instances that can be optimized for EBS
performance?
- Schedule snapshots of HDD volumes for low use periods

What is the maximum backup retention of 35 days

RDS?
What is the record type to use in Route 53 CNAME because ELB is an A record
when routing a website subdomain to
Elastic Load Balancer?
What is the default limit on domains 50 (can be raised)

managed by Route 53?
- allows IPv6 traffic out of VPC

What is an egress-only Internet Gateway?
- prevents IPv6 traffic from coming into VPC
- Subnet
What are the levels at which VPC flow logs
- Network Interface
may be created?
- VPC
What is the easiest way to assign a public IP create and EIP and assign it to the instance
to an instance in a public subnet in a
customer VPC if you forget at launch?
EC2
Which AWS compute services support
ECS
multi-threaded processing?
Lambda
What is the only S3 tier that does not offer 11 Reduced redundancy (legacy)
9s?
Where are VPC flow logs saved? CloudWatch
What is an IAM "Owner" in AWS? The identity and email address used to create the accont
What is the combined (value and name) 400 KB

limit of a DynamoDB record?
Works around eventual consistency by hiding a message from

What is the SQS DelaySeconds parameter?
consumers for a period of time.
When consumer polls a queue, allows it to wait the period of time for
What is the SQS WaitTime parameter?
one or more messages to be available.
When should RDS backups be scheduled? During daily low IOPs
What RDS techniques can be used to scale Sharding

horizontally? Read replicas
What is the usage threshold for when When it will be used 30-40% of the year
reserved instance is recommended?
How should an RDS instance with equal vertically

read/write requirements be scaled?

AWS Solutions Architect Associate Flashcards - Quizlet

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

AWS Solutions Architect Associate Flashcards - Quizlet

Uploaded by

Copyright:

Available Formats

9/29/23, 12:33 AM AWS Solutions Architect Associate Flashcards | Quizlet

AWS Solutions Architect Associate

Terms in this set (686)

Individual parts up the infrastructure have no knowledge of how the

a system of hardware and software that stores user data in many

Processing method whereby each policy must be read and applied

Method of processing multiple scripts at the same time without waiting

What is the OSI (Open Systems Application, Presentation, Session, Transport,

Enables a load balancer to lock a user down to a specific web server

Dubbed the "protocol of the Internet," this path-vector routing

Image baseline with an operating system and applications along with

What are ECU's? EC2 compute units for an instance

instances that use hardware accelerators, or co-processors, to perform

The default EC2 instance launched anytime. Can be used as long as

EC2 instance paid on recurring scheduled, daily, weekly, or monthly.

When instances are hosted on hardware no other customer can

EC2 hosting model offering additional visibility and control of the

Checks the health of the individual EC2 instance. Incorrect network

a highly scalable, high performance container management service

Engine used to enable ECS to run containers without having to

ECS launch option giving control over:

ECS launch option giving control over:

AWS Solutions Architect Associate

What is the ECR registry? stores docker images in ECR

What are ECR repository policies? ECS resource-based policies

an open source system for automating deployment, scaling, and

1. Create EKS service role (can be shared)

* Upload code with environment configurations

Serverless compute service to run code without having to manage

- Execution duration per 100ms of use only when code is running

What is AWS Batch? Manage and run batch computing in AWS.

Specialist use cases which require vast amounts of compute power

AWS Solutions Architect Associate

Daemon that must be running on your container instances so that they

Are ECS clusters zone or region specific? Regional part of ECS

Amazon EC2 instance with a configuration that Amazon may not

EC2 purchase option below allows customers to select and control a

You want to receive alerts when your containers, managed with

An AWS service that integrates with Lambda to send data to your

Where the following options are visible:

What is an EC2 instance? An EC2 virtual computing environment

* discounts for high volume service usage

If you determine that the resources on a EBS Volume

An Amazon EC2 instance store providing temporary block-level

Designed to keep MULTIPLE EC2 instance groups on separate

Designed to keep SINGLE EC2 instances on separate hosts/racks from

There must be sufficient capacity to restart these, otherwise it mail fail.

What are some limitations to EC2 Unique names per Account

No medium, nano, or micro

Allows patching, reporting, compliance of large groups of EC2

Templates are on S3. Storage is ephemeral, so data is deleted during

EC2 instances limited to:

How is on demand priced?

Transition from stopped to started charges full hour

If you over-purchase reserved instances, Sell on Amazon Marketplace

Are you charged for a stopped EC2 No

Manage the control and flow of inbound requests to a group of targets

Benefits of AWS ELB? It auto scales and is HA

Operates at request level

Ultra-high performance and static IP addresses for your application.

AWS Solutions Architect Associate - Uses conditions to route traffic to resources

Resources to route traffic to and associated with listener configuration