All Domains: Missed Questions - Pracitce Test #1

What is throttling in Amazon API Gateway?

Limits the number of API requests per second to prevent overload and ensure stability

How can API Gateway caching improve performance?

By provisioning a cache per stage, it reduces traffic to the backend and speeds up responses.

What happens when API Gateway requests exceed the throttling limit?

Requests over the limit get an HTTP 429 response; client SDKs retry automatically.

What are temporary credentials in AWS?

Short-lived credentials for identity federation, delegation, and cross-account access.

What is enterprise identity federation?

Lets users sign in to AWS using their existing corporate credentials (like Active Directory) instead of creating separate AWS accounts

How does AWS STS support SAML 2.0?

It lets you leverage Microsoft AD or other SAML 2.0 identity providers for temporary access.

Why not use third-party SSO for enterprise identity federation in AWS?

AWS provides built-in tools; 3rd-party SSO is unnecessary for granting access.

What is a database schema?

A model or structure of data in a database that defines how data is organized.

Why choose NoSQL over relational databases?

Better for unstructured data, can add more servers to grow (horizontal scaling), flexible design, fast with large workloads

What is Amazon DynamoDB?

NoSQL database that stores data as key-value pairs, fast and scales automatically

Why doesn’t Amazon RDS scale as well as DynamoDB?

Relational databases normalize data, require multiple queries, expensive joins, and ACID compliance slows writes.

What is a VPC endpoint?

Allows private access to AWS services without using the public internet.

Why use VPC endpoints for S3 and DynamoDB?

Private, secure, fast access to S3 and DynamoDB without using the internet

What is Amazon EventBridge?

A serverless event bus that connects applications and AWS services for event-driven architectures.

How can EventBridge trigger ECS tasks?

By creating rules that respond to events, such as S3 object uploads, targeting ECS tasks.

What is AWS WAF (web app firewall)?

Monitors and protects HTTP(S) requests for AWS services.

What is a web ACL in AWS WAF?

A Web Access Control List defines rules to block, allow, count, or apply CAPTCHA to requests.

What is an AWS WAF rule?

A set of conditions that allows, blocks, or counts web requests to protect applications

Why use AWS Managed Rules for WAF?

Prebuilt WAF rules for common threats (SQL injection, XSS, bots, known CVEs), easier setup and management.

What is an Auto Scaling group?

A collection of EC2 instances managed together to maintain capacity and scale automatically.

What are step scaling and simple scaling policies?

Step scaling: adjusts capacity in steps based on how much a metric changes.

Simple scaling: adds or removes a fixed amount of capacity when a condition is met.

What is a target tracking scaling policy?

Adjusts group capacity automatically to maintain a specific metric target (like CPU or request count).

What is hot, warm, and cold storage?

Hot: frequently accessed; Warm: less frequent; Cold: rarely accessed and cheaper to store.

What is Amazon FSx for Lustre?

A high-performance, parallel file system for fast processing of workloads.

What is Amazon FSx for Windows File Server?

A managed Windows file system supporting SMB protocol for cloud migration.

What is Amazon S3?

Scalable object storage with different tiers for hot, warm, and cold data.

How can Lambda@Edge customize content delivery?

Run functions closer to viewers to modify requests/responses and implement origin failover.

What is the default termination policy in Auto Scaling?

shuts down oldest instances first to keep AZs balanced and use EC2 efficiently

What is Amazon API Gateway?

Service to create, deploy, and manage APIs so apps can securely talk to backend services at any scale.

What is a canary release deployment strategy?

Deploy new API versions to a subset of users, test, then gradually roll out to all.

What metrics can Amazon CloudWatch collect by default?

CPU, network, disk performance, and disk reads/writes for EC2 instances.

How to collect memory, disk, and log metrics in CloudWatch?

Install the CloudWatch agent on EC2 instances to gather custom metrics.

What is a DynamoDB stream?

real-time log of changes (inserts, updates, deletes) made to items in a DynamoDB table

What is a Multi-AZ RDS deployment?

Provides synchronous standby replica in a different Availability Zone for high availability.

What is Enhanced Monitoring in RDS?

Real-time OS metrics for managed DB (CPU, memory, disk)

What is Amazon FSx for NetApp ONTAP?

High-performance, Multi-AZ file storage supporting file and block protocols for Windows Server.

What is a file gateway in AWS Storage Gateway?

On-prem gateway, access cloud via NFS/SMB, stores files as S3 objects, supports lifecycle to Glacier

What does the Redis AUTH command do?

Requires clients to authenticate with a password before accessing the Redis database

How do you require password authentication on a Redis cluster?

Use the AUTH command to require clients to provide a password before accessing the database

How do you secure file storage with Amazon FSx for Windows File Server?

Create a file system using Amazon FSx for Windows File Server and join it to an Active Directory domain in AWS.

What are Amazon S3 access points used for?

Simplify and manage access to shared S3 buckets with unique names and policies

How can you restrict S3 bucket access to a VPC?

Configure an Amazon S3 Access Point for the S3 bucket to restrict data access to a particular VPC only.

How do you enforce WORM storage in S3?

Turn on S3 Object Lock in Compliance mode with a set time to stop any changes or deletions

What is CORS (Cross-origin resource sharing) in Amazon S3?

Lets web apps from one domain (website) access S3 resources in another domain (another website)

How do you enable cross-origin requests on an S3 bucket?

Enable Cross-origin resource sharing (CORS) configuration in the bucket.

How can AWS Lambda integrate with Aurora MySQL?

You can create a native function or stored procedure that invokes an AWS Lambda function, which can then send event notifications to an Amazon SQS queue.

Why is partition key design important in DynamoDB?

Partition keys with low cardinality can create "hot" partitions, throttling and inefficiently using provisioned I/O capacity.

How should you choose partition keys in DynamoDB?

Use attributes with lots of unique values so data spreads evenly

What is scheduled scaling in Amazon EC2 Auto Scaling?

Automatically changes capacity at specific times by setting start time and desired/min/max sizes (predictable lead changes)

How do you configure scheduled scaling?

Set start time + new min/max/desired sizes for Auto Scaling group

What is an AWS KMS custom key store?

It combines AWS CloudHSM controls with KMS integration, allowing key material to be generated and stored in your CloudHSM cluster.

Why use a custom KMS key store?

To maintain full control over encryption keys, manage key lifecycle independently, and enable independent auditing beyond AWS CloudTrail.

How should you create a KMS key for full control?

Use AWS Key Management Service to create a KMS key in a custom key store and store the non-extractable key material in AWS CloudHSM.

How does Aurora handle multiple DB instances?

Aurora uses endpoints to abstract connections, with the primary instance handling writes and replicas handling read-only queries.

What is a custom Aurora endpoint used for?

Directs traffic to specific DB instances in an Aurora cluster (e.g., only readers, certain replicas, or custom group).

How do you share AWS resources across accounts?

Use AWS Resource Access Manager (RAM) to share resources and AWS Organizations to consolidate and manage multiple accounts.

How can AWS Glue optimize data storage?

Convert CSV files to Apache Parquet format using an ETL job and store the output in S3, with S3 Event Notifications triggering the job.

How do you manage long-term storage for S3 objects?

Use S3 lifecycle policies to transition objects to S3 Glacier or S3 Standard-IA after a specified period, like 2 years.

What EC2 metrics are available in Amazon CloudWatch?

CPU, memory, disk, network, and status checks for EC2 instances

How do you monitor memory usage on an EC2 instance?

Set up a custom metric for Memory Utilization using CloudWatch Agent or CloudWatch Monitoring Scripts.

What is AWS Artifact used for?

Provides on-demand access to AWS security and compliance reports and select online agreements.

How do you give IAM users access to AWS Artifact?

Grant IAM users non-admin permissions to AWS Artifact using IAM permissions to restrict access to other AWS services.

How can you serve private content securely using CloudFront?

Use signed URLs or signed cookies so only authorized users can access the content

What is client-side encryption in S3?

Encrypting data before sending it to Amazon S3 using an AWS KMS key or a client-side master key.

How does client-side encryption with a master key work?

Client encrypts data with a data key, then encrypts the data key with the master key

How do you enable WORM protection with S3 Object Lock?

Enable S3 Object Lock on the bucket and choose compliance mode with a retention period.

What are the retention modes of S3 Object Lock?

Governance mode: protects objects from most users, can be overridden by admins.
Compliance mode: prevents all changes/deletions until retention period ends.

How is a legal hold different from a retention period?

Legal Hold: stops deletion until you remove it.
Retention period: stops changes or deletion for a set time you choose.

How can you anonymize PII in real-time data streaming?

Ingest data using Amazon Kinesis Data Streams, process with AWS Lambda to anonymize PII, then store in Amazon DynamoDB.

What is AWS Transfer for SFTP used for?

Lets you transfer files to and from S3 using the SFTP protocol

How do you combine AWS Transfer for SFTP with S3 lifecycle policies?

Create an S3 bucket with encryption, use AWS Transfer for SFTP to upload files, and configure a lifecycle rule to delete files after a set period.

How do you protect S3 objects from accidental deletion?

Enable Versioning and MFA Delete to recover or secure objects from accidental deletion or overwrite.

What does MFA Delete require?

Two forms of authentication: security credentials and the concatenation of a valid serial number, a space, and the six-digit code from an approved authentication device.

How can you use Microsoft Active Directory for API access to AWS?

Set up SAML 2.0-Based Federation using Microsoft Active Directory Federation Service (AD FS).

What is SAML 2.0-based federation used for in AWS?

It enables federated single sign-on (SSO) so users can log into AWS Management Console or call APIs without creating individual IAM users.

How do IAM policies manage access in AWS?

IAM policies define permissions for actions and are attached to users, groups, roles, or resources; permissions are evaluated when requests are made.

What are the types of IAM policies?

Identity-based (attached to users, groups, roles)

Resource-based (attached directly to resources, like S3 buckets)

What permissions does an IAM policy with s3:GetObject, s3:PutObject, and s3:ListBucket grant?

Read, write, and list access to objects in an S3 bucket.

How does Amazon RDS Multi-AZ deployment improve availability?

Creates a primary DB instance and synchronously replicates to a standby in another AZ; automatic failover ensures high availability.

How do you migrate an on-premises Oracle database to AWS with minimal downtime?

Use AWS Database Migration Service (DMS) to migrate to Amazon RDS for Oracle in a Multi-AZ deployment.

How can you deploy a .NET application to AWS?

Use Elastic Beanstalk, EC2, or container services (ECS/EKS) to run .NET apps in the cloud

How do you prevent accidental deletion in S3 buckets?

Enable S3 Versioning and Multi-Factor Authentication (MFA) Delete on the bucket.

Why is using S3 Infrequent Access storage alone not sufficient for accidental deletion prevention?

It only lowers storage cost but doesn’t protect objects from being deleted

When should you use Amazon EFS instead of EBS or S3?

When multiple EC2 instances need concurrent, shared access to file data across multiple Availability Zones.

How do Amazon RDS Multi-AZ deployments handle failover?

Automatically promotes a standby replica to primary in case of planned maintenance or unexpected failures.

How do you ensure high availability with EC2 Auto Scaling?

Create an Auto Scaling group with minimum and maximum capacities, deploy instances across multiple Availability Zones to maintain fault tolerance.

How do you choose between Amazon EBS and S3 for workloads?

Use EBS for persistent block storage (EC2), S3 for object storage and backups, and S3 Glacier for long-term archival storage.