AWS Solutions Architect - Associate Exam


724 Terms

1

Are Network ACLs stateful or stateless?

Stateless. Responses to allowed inbound traffic are subject to rules for outbound traffic

2

Are security groups stateful or stateless?

Stateful - you only specify an inbound port, and the traffic will automatically be let back out

3

What are the 4 steps to secure an AWS Account?

Enable Multi-Factor Authentication on the root account, create IAM group for administrative activity and assign permissions to that group, create user accounts for admins, add users to the admin IAM group

4

How can you allow public access to an S3 bucket?

You have to allow public access on both the bucket and its objects

5

Can you apply Object Locks to S3 objects, buckets, or both?

Both

6

(True/False) You can attach and detach roles to running EC2 instances without having to stop or terminate them.

True

7

What is a bootstrap script?

A script that runs when the EC2 instance first runs, run by the root user

8

What are the four types of instances that can be launched in a placement group?

Compute optimized, GPU, Memory optimized, and Storage optimized

9

If you need storage suitable for big data, data warehouses, or ETL, which EBS type should you choose?

Throughput Optimized HDD - st1

10

If you need a highly scalable shared storage using NFS, what AWS service should you use?

AWS EFS

11

If you have bottlenecks in performance in your RDS, what should you consider doing?

Create a read replica

12

What database(s) is Aurora compatible with?

MySQL and PostgreSQL

13

If you need a relatively simple, cost-effective option for infrequent, intermittent or unpredictable workloads, which AWS database should you choose?

Aurora Serverless

14

Define strongly consistent reads?

Returns a result that reflects all writes that received a successful response prior to the read.

15

If you need to migrate a big data Cassandra cluster to AWS, what database should you use?

AWS Keyspaces

16

How can you enable instances in a private subnet to send outbound traffic to the internet using IPv4, while preventing the internet from establishing connections to the instances?

Use a public NAT (Network Address Translation) Gateway

17

(True/False) You can set SNS notifications to alert you about failed health checks.

True

18

(True/False) The standard metric is delivered every five minutes.

True

19

If you need a real-time logging service, what AWS service should you use?

Kinesis

20

(True/False) Auto scaling groups should be spread out over 2+ Availability Zones.

True

21

If you need a managed messaging broker service, what service should you use?

Amazon MQ

22

What 2 types of MQ engines are supported?

RabbitMQ and ActiveMQ

23

(True/False) If you see messaging protocols like JMS, AMQP 0-9-1, AMQP 1.0, MQTT, OpenWire, or STOMP, then you should look for an answer involving AWS Batch.

False, look for an answer with Amazon MQ

24

If you need a serverless ETL service, what service should you choose?

Glue

25

(True/False) Snowcones are perfect for moving many terabytes of data.

False, use Snowball

26

How can you accomplish client-side encryption for S3?

Encrypt the files yourself before you upload to S3

27

(True/False) AWS EC2 - dedicated instances and dedicated hosts are interchangeable terms meaning the same thing.

False. Dedicated instances run on dedicated hardware, but that hardware is not locked down to you, so it could switch to a different machine if you stop/start an instance. This is unlike a dedicated host where the same physical server is dedicated to you every time.

28

If you have a large deployment, which AWS Outpost service should you choose?

AWS Outposts rack

29

If you need better compliance and auditing over your backup policies, which AWS service should you choose?

AWS Backup

30

(True/False) You can't share Aurora snapshots with other AWS accounts.

False

31

If you see a scenario talking about graph databases, what AWS database should you use?

Neptune

32

(True/False) You can only use Amazon Managed Service for Prometheus for Amazon EKS clusters.

False, you can also implement this on your own self-managed cluster.

33

If you need serverless SQL commands or querying data in S3, what AWS service should you choose?

Athena

34

What is Trusted Advisor?

An online resource that inspects and provides recommendations to improve performance, security, and cost optimization

35

If you need engagement with customers, possibly using machine learning to predict engagement interactions, what service should you use?

Pinpoint

36

How are NACL rules evaluated?

By rule number lowest to highest, and immediately executed when a matching rule is found

37

What service would you use to manage dedicated hardware security module instances, for generation and storage of encryption keys?

AWS CloudHSM

38

In what EC2 states can you change security groups?

Running or Stopped

39

What AWS service should you choose for management of exchange of data between SaaS vendors and AWS services?

AWS AppFlow

40

What AWS service should you use for integrating Apache Kafka for messaging?

AWS MSK

41

If you have a requirement for auto scaling with EC2, and need to accommodate high traffic with extreme performance, what type of Load Balancer should you choose?

Network Load Balancer

42

Which of the following will preserve data on the instance store volume storage: Reboot, Stop, Terminate, Hardware Failure?

Only Reboot will preserve data

43

What is the default termination policy for Auto Scaling (which instance will be deleted)?

The instance with the oldest launch configuration will be deleted

44

How can you set up RDS for multi-region DR?

Create a cross-region read replica and promote to be standalone in the event of a failure

45

What AWS service should you use for generation of detailed reports in CSV format to S3?

AWS Cost and Usage Reports

46

Which AWS service provides a connection between an on-prem network and VPC, using secure and private connection with IPsec and TLS?

AWS VPN

47

If you need 50 TB of data transferred, with incredibly fast speeds, which AWS Snow service should you choose?

AWS Snowball Edge

48

What is a Region?

A physical location in the world that consists of two or more Availability Zones

49

What is an Availability Zone (AZ)?

One or more discrete data centers housed in separate facilities

50

What is an Edge Location?

Endpoints for AWS that are used for caching content

51

AWS Shared Responsibility Model - What is AWS Responsibility?

Management of data centers, security cameras, cabling, patching RDS OS

52

AWS Shared Responsibility Model - What is Your Responsibility?

Security groups, IAM users, patching EC2 OS, patching databases on EC2

53

In the context of the AWS Shared Responsibility Model, what is a shared responsibility between you and AWS?

Encryption

54

Is AWS IAM a universal or regional service?

Universal - regions do not apply

55

What permissions are missing from the root user on creation?

None - the root account has complete administrative access

56

What permissions does a user have on creation?

No permissions

57

What is the biggest size file you can put in S3?

5 TB

58

What is the limit on total volume of storage for S3?

Unlimited

59

Is AWS S3 a universal or regional service?

Universal - regions do not apply

60

What will a successful CLI/API upload to S3 generate?

HTTP 200 Status Code

61

Based on the S3 file mybucket.s3.us-east-1.amazonaws.com/myfile.jpg, what is the name of the bucket?

mybucket

62

Based on the S3 file mybucket.s3.us-east-1.amazonaws.com/myfile.jpg, what is the key?

myfile.jpg

63

What is an AWS S3 Key?

The object name (e.g., myfile.jpg)

64

What is an AWS S3 Value?

The data itself, which is made up of a sequence of bytes

65

What does an AWS S3 Version ID allow you to do?

Store multiple versions of the same object

66

What is AWS S3 Metadata?

Data about the data you are storing

67

Are AWS S3 buckets public or private by default?

Private

68

What is an S3 Object ACL?

S3 access control lists that manage access to buckets and objects

69

Are S3 Access Control Lists (ACLs) enabled or disabled by default?

Disabled

70

If you're more interested in "What can this user do in AWS S3", should you use IAM policies, ACLs, or S3 bucket policies?

IAM policies

71

If you're more interested in "Who can access this S3 bucket", should you use IAM policies, ACLs, or S3 bucket policies?

S3 Bucket Policies

72

What AWS service could you use to host a static website in a cost-effective way?

AWS S3

73

How can you scale AWS S3?

You don't need to, S3 automatically scales with demand

74

How do you disable versioning in AWS S3 once it's been turned on?

You can't - it can only be suspended

75

What 2 features can you use to prevent accidental deletion in AWS S3?

Use MFA and versioning

76

Which S3 storage class is least durable?

One Zone-Infrequent Access

77

Which S3 storage class is suitable for most workloads?

Standard

78

Which S3 storage class is suitable for long-term, infrequently accessed critical data?

Standard-Infrequent Access

79

Which S3 storage class is suitable for long-term, infrequently accessed, non-critical data?

One Zone-Infrequent Access

80

Which S3 storage class is suitable for long-term data archiving that occasionally needs to be accessed within a few hours or minutes?

Glacier Flexible Retrieval

81

Which S3 storage class is suitable for rarely accessed data archiving with a default retrieval time of 12 hours?

Glacier Deep Archive

82

Which S3 storage class is suitable for unknown or unpredictable access patterns?

Intelligent Tiering

83

Which S3 storage class is suitable for long-lived data that is rarely accessed and requires milliseconds retrieval?

Glacier Instant Retrieval

84

What feature can help automate moving objects between storage tiers in S3?

Lifecycle Management rules

85

What does a WORM model stand for?

Write once, read many

86

How can you accomplish a WORM model in S3?

Use an S3 Object Lock

87

What are the two modes to select from for S3 Object Locks?

Governance mode and Compliance mode

88

What is Compliance mode for S3 Object Locks?

A protected object version cannot be overwritten or deleted by any user

89

Which user(s) can overwrite a file that has an S3 Object Lock on it in Compliance mode?

No users

90

What is Governance mode for S3 Object Locks?

You need special permissions to overwrite or delete an object or alter the lock settings

91

If you need a WORM model in S3 Glacier, what feature can you use?

S3 Glacier Vault Lock

92

What is S3 Glacier Vault Lock?

It allows you to enforce compliance controls for individual Glacier vaults with a vault lock policy. Once locked, the policy can no longer be changed.

93

What are the options for encrypting S3 in transit?

SSL/TLS or HTTPS

94

What are the options for encrypting S3 at rest?

Server-side encryption (SSE) is possible using SSE-S3, SSE-KMS, SSE-C

95

How can you enforce encryption with a bucket policy?

You can deny all PUT requests that don't include the x-amz-server-side-encryption parameter in the request header

96

Based on the S3 file mybucket.s3.us-east-1.amazonaws.com/folder1/subfolder1/myfile.jpg, what is the prefix?

folder1/subfolder1

97

How many PUT/COPY/POST/DELETE requests can you get per second, per S3 prefix?

3500

98

How many GET/HEAD requests can you get per second, per S3 prefix?

5500

99

In terms of S3 performance, is it preferred to put all files in the same prefix or use many prefixes?

You get better performance by spreading your reads across different prefixes

100

(True/False) You can request a quota increase for KMS.

False