Knowt
Note
Studied by 45 peopleNoteStudied by 14 peopleNoteStudied by 2 peopleNoteStudied by 10 peopleNoteStudied by 2 peopleNoteStudied by 8 people
SAA-C03 Anki Flashcards
Which AWS service can you use to setup your password rotation policy?
IAM
What are the caching engines supported by ElastiCache?
ElastiCache supports two open-source in-memory caching engines. Memcache and redis
Does Route53 support MX records?
Yes.
Why is ElastiCache useful?
ElastiCache improves application performance by allowing you to retrieve information from fast, managed, in-memory caches instead of relying on slower disk-based databases.
What is DMS used for?
Database Migration Service (DMS) allows you to migrate your production database to AWS. The migration complexities are managed by AWS while ensuring that changes to the source database are automatically replicated to the target.
What are the two different types of backups for AWS?
Automated Backups and Database Snapshots
What is the retention period for 'Automated Backups'?
Retention period for Automated RDS backups can be between 1 and 35 days
Does 'Automated Backups' take a daily or hourly snapshot?
Automated Backups will take a full daily snapshot and will also store transaction logs throughout the day. This allows you to do a point-in-time recovery down to a second, within the retention period.
Where are the 'Automated Backups' of RDS stored?
It is stored in S3 and you get free storage space equal to the size of your database.
How do 'automated backups' and 'DB snapshots' differ in terms of start times?
'Automated backups' are enabled by default. 'DB snapshots' are done manually when user initiates them.
How should you determine your RDS backup window?
You should set it for when the db will not be used much (like 3am). During the backup window, storage I/O might be suspended and users will experience elevated latency. So you shouldn't backup during peak times.
Automated backups are deleted after RDS instance is deleted. True or False.
True. On the contrary, DB snapshots are stored even after you delete the original RDS instance.
Can you encrypt an existing RDS instance using AWS KMS?
No. Existing instances cannot be encrypted. Create new db instance with encryption enabled and migrate data into it.
How is RDS encryption performed?
Encryption at rest is done using AWS Key Management Service (KMS)
What databases are supported for RDS encryption?
Encryption at rest is supported for MOMPS - MySQL, Oracle, MariaDB, PostGreSQL and SQL server (except aurora)
What does 'migrate snapshot' do?
You can migrate data to a different provider. For eg., from MySql to Aurora.
What does 'copy snapshot' do?
Copies your db data to another region
How do you 'scale up' ie upgrade hardware for your RDS instance?
Create a snapshot. In the 'restore snapshot' screen, you can specify a different machine type to restore into.
What is the advantage of multi-AZ deployment?
If instance in US-EAST-1 fails, dns automatically points to copy of instance in US-EAST-2. No need to update any connection strings.
When will AWS failover to the standby RDS instance?
When there is planned DB maintenance, DB instance failure or AZ failure, RDS will automatically failover to the standby so that db operations aren't affected.
Multi-AZ RDS helps in performance improvement. True or False.
False. Multi-AZ RDS is only for disaster recovery. Read Replicas are used for performance improvement.
Read Replicas are used for disaster recovery. True or False.
False. Read Replicas are only used for performance improvement. Multi-AZ RDS is used for disaster recovery.
Aurora supports multi-AZ by default. True or False.
True. By default, six copies of your data are maintained.
How many read replicas can you have of your main database?
Upto five
Can you have read replicas of read replicas?
Yes. You can scale out your system by making read replicas of read replicas.
How does read replica give performance improvement?
Read replicas of the main db can handle 'read-only' queries. So you can lighten the load on the main db. You just need to change the connection string.
Can you configure the secondary instance in a multi-AZ deployment to serve as the read replica?
No. Secondary instance can be accessed only during failover. It can't be used as read replica to improve performance.
What kind of applications make sense to have read replicas?
When there is read-heavy database workloads. I.e minimal writes and lots of reads.
Is generation of read replicas from main db - synchronous or asynchronous?
Asynchronous. In multi-AZ, the data is migrated immediately?
What is the disadvantage of having read replicas of read replicas?
Latency might increase
Automatic backups must be turned on in order to deploy read replica. True or False.
True
Can you have Read Replicas with multi-AZ deployment?
No. You can create read replicas of the multi-AZ main database.
Why would you want to promote a read replica?
If you want to start writing to a read replica, you can promote it to be a new database. This will break the replication.
Read replicas have their own dns endpoint. True or False.
True.
Which DBs support read replicas in a second region?
MySQL and MariaDB
Which DBs support read replica in another AZ?
Oracle doesn't support read replicas. Only cross-region deployment is limited to MySql and MariaDB.
What does 'push button' scaling mean? Does RDS support it?
DynamoDB offers 'push button' scaling, ie you can scale your db on the fly without any downtime. RDS doesn't support it. You have to shutdown instance and use bigger instance size or add a read replica.
What is the latency supported by dynamoDB?
DynamoDB supports single-digit millisecond latency
Is DynamoDB considered document store or key-value database?
DynamoDB supports both document and key-value data models
What media is DynamoDB stored on?
SSD storage
How many areas is a DynamoDB instance spread across?
Three geographically distinct data centres
What are the two consistency models available for DynamoDB?
Eventual Consistent Read and Strongly Consistent Read
What does 'eventual consistent read' mean?
Consistency across all copies of the data is usually reached within a second. Repeating a read after a short time will return the updated data.
What does 'strongly consistent read' mean?
Strongly consistent read returns a result that reflects all writes that received a successful response prior to the read.
Which consistency model provides 'best read performance'?
Eventual Consistent Reads gives best read performance as application doesn't have to wait for writes to complete before reading.
What is the dynamoDB pricing model?
Storage costs - 0.25 per GB per month. Provisioned Throughput Capacity - write throughput ($0.0065 per hour for every 10 units) - read throughput ($0.0065 per hour for every 50 units)
How many writes can one Write Capacity Unit handle?
One Write Capacity Unit can handle One Write per second
How many reads can one Read Capacity Unit handle?
One Read Capacity Unit can handle One read per second.
What scale of data does RedShift handle?
Petabyte-scale data
What does the 'single node' configuration support?
In RedShift, if you start with 'single node' you get 160GB
What are the components of Multi-Node?
In RedShift, multi-node consists of 'Leader Node' and 'Compute Node'
What does the 'Leader Node' do?
In RedShift multi-node, the Leader node manages client connections and receives queries
What does the 'Compute Node' do?
In RedShift multi-node, each 'Compute Node' stores data and performs queries and computations. You can have up to 128 Compute Nodes.
What is Columnar Data storage?
Instead of storing data as a series of rows like RDS, RedShift organizes the data by column.
Columnar data storage is ideal for transaction processing. True or False.
False. Row-based storage is ideal for transaction processing. Columnar storage is better for data warehousing and analytics.
Why does columnar data storage provide better performance for analytics?
Analytic queries involve aggregates performed over large data sets. As columnar data is stored sequentially on media, columnar systems require far fewer I/Os and thus provide better performance.
Row-based data can be compressed more than columnar data. True or False?
False. Columnar data can be compressed much more as similar data is stored sequentially on disk.
What is MPP?
RedShift uses MPP (massively parallel processing) to automatically distribute data and query load across all nodes. As your dw grows, you can add nodes as needed to maintain your query performance.
You are charged only for compute node hours. True or False.
True. You will not be charged for leader node hours.
How is RedShift cost charged?
Based on 'Compute Node Hours' (total number of hours you run across all compute nodes for the billing period).
Are you charged for 'data transfer' in RedShift?
Yes. But only for the data within the VPC.
Does RedShift allow multi-AZ deployment?
No. It is confined to one AZ. You can restore snapshots to new AZs in event of an outage.
What are some types of applications that can take advantage of ElastiCache?
Read-heavy applications like social networking, gaming, media sharing and Q&A portals
What types of data should be stored in elasticache?
- results of I/O intensive operations like database queries - results of computationally-intensive calculations (like recommendation engine)
What is initial size and increments available for aurora?
Starts with 10Gb, scales in 10Gb increments to 64Tb (storage autoscaling)
What is the maximum size allowed for aurora instance?
64Tb
What is the minimum number of AZs used for aurora instance?
Minimum of 3 AZs with 2 copies of data each. On minimum, you have six copies of your data.
What does self-healing mean with respect to aurora?
Data blocks and disks are continuously scanned for errors and repaired automatically
What are the two types of aurora replicas?
- aurora replicas (currently 15) - mysql read replicas (currently 5)
What is the default internal IP used for your vpc?
10.0.0.0/16 ==> 10.0.0.0 to 10.0.255.255
One subnet can exist in two availability zones. True or False.
False. One subnet equals one availability zone.
One network ACL can span across multiple AZs. True or False.
True. One Network ACL or Security Group can span across multiple AZs.
How many public and private subnets are provided in default VPC?
Default VPC has only one public subnet (which has a route out to the internet)
In a VPC, an EC2 instance has either public or private IP address. True or False.
Each EC2 instance has both a public and private IP address
What is VPC peering?
Allows you to connect one VPC with another via a direct network route using private IP addresses. You can peer VPCs with other AWS Accounts as well as with other VPCs in the same account.
Is transitive peering allowed for VPCs?
No. Peering is in a star configuration (1 central VPC with 4 others)
One public subnet is created by default when you create a VPC. True or False.
True. Default Network ACL, route table and security group are created. But no subnets or internet gateways are created when you create a vpc.
Can one Availability Zone span multiple subnets?
Yes. You can create one or more subnets within a AZ.
Can you boost internet bandwidth by attaching multiple Internet Gateways to VPC?
No. Only one IGW can be attached for given VPC.
Why do you need to create second route table before creating subnet?
Subnet needs route table to be attached to IGW in order to access internet. If main route table is attached to IGW, all subnets will be internet-accessible by default. To avoid such exposure, we need to create second route table and attach it to IGW.
Are tasks duplicated in SWF?
Never. SWF ensures that a task is assigned only once and is never duplicated.
What is the 'Auto-assign public IP' setting for subnets used for?
Enables EC2 instances launched in that subnet to automatically get a public IP
Why do we need NAT instance or NAT gateway while using a private subnet?
Instances in private subnet might need to get something from internet (eg. mysql installation file). But we need to prevent internet users from directly connecting to instances within the private subnet.
What are the advantages of NAT gateways?
- scale automatically - no need to put behind security groups - patches and updates are handled automatically for you
What is a NAT instance?
A NAT instance is a EC2 instance that will act as a gateway to the internet (for other instances within a private subnet)
What is the source/destination check?
Any instance needs to be the source or destination of internet traffic. A NAT instance (basically a EC2 instance) needs to pass traffic along. So while configuring a NAT instance, source/destination check must be disabled.
What settings do you need in security group for NAT gateway?
NAT gateways are not setup behind security groups. Only NAT instances are done so.
What settings do you need in security group for NAT instance?
You need to allow SSH(22), HTTP(80) and HTTPS(443) traffic
How do you connect private subnet with NAT instance?
NAT instance is in public subnet. In default route table, for destination '0.0.0.0/0' (all outgoing traffic), the target will be the NAT instance. This will provide a route to internet for instances in private subnet.
What is the main disadvantage of NAT instance?
If NAT instance goes down, all instances in private subnet lose internet connectivity. A NAT instance is a single-point of failure.
What area of the VPC is a NAT gateway placed in?
public subnet
How do you resolve bottlenecking with a NAT instance?
You have to increase the instance size
What are the first and second layers of defense for your EC2 instance?
First layer - security group. Second layer - network ACL.
Do 'security groups' support 'deny' rules?
No they support only 'allow' rules. Network ACLs have allow and deny rules.
When you create a custom NACL, is outbound traffic allowed automatically?
No. A custom NACL will block all inbound and outbound traffic. You have to setup the rules. Default NACL allows all traffic automatically.
In the default Network ACL, all traffic is allowed automatically. True or False.
True. Default NACL allows all traffic automatically. A custom NACL will block all inbound and outbound traffic.
Can one subnet be associated to multiple Network ACLs?
No. One subnet can talk to only one NACL. One NACL can span multiple subnets.
Can Security Groups and NACLs span across subnets or AZs?
Security Groups and NACLs can span across subnets and AZs. But one subnet can talk to only one security group or NACL.
What are the types of Actors in SWF?
workflow starters; deciders; activity workers
What are ephemeral ports?
You need to setup custom tcp rule in NACL to allow TCP traffic from the port range (1024-65535)
Lower-numbered rules take preference for NACL. True or False.
True. If rule 99 blocks traffic for one IP and rule 100 allows traffic for all IPs, end result will be that the traffic will be blocked for that one IP.
What happens if you don't explicitly associate a subnet with a NACL?
The subnet is automatically associated with the default network ACL.
How do you block traffic from a set of IP addresses to your instance?
Use Network ACL deny rules. You can't use security groups as they have only 'allow' rules.
What is the main difference between NAT instance and Bastion?
EC2 instances in private subnet use NAT instance to connect to internet. Internet user can connect to bastion in public subnet to connect to instances in private subnet (mostly for administration tasks to harden them)
What is the toughest part of maintaining a highly-available set of NAT instances?
Toughest part is to write a script to manage failover to other instances. You can put one NAT instance in each subnet or AZ to have minimum availability.
What are VPC flow logs?
Flow logs enable you to capture IP traffic flow information for the network interfaces in your resources.
What is the size of the message that you can put in SQS?
256KB of text in any format
What formats are supported for SQS messages?
SQS messages can contain upto 256KB of text in any format
Why doesn't SQS guarantee FIFO order for messages?
SQS is engineered to be always available and deliver messages. A resulting trade-off is that SQS does not guarantee FIFO delivery of messages.
How can you order the messages received from SQS?
You can place sequencing information in each message, so that you can reorder the messages when the queue returns them.
In SQS, when does the 'visibility timeout clock' start?
SQS 'visibility timeout clock' for a message starts as soon as a component retrieves that message from the queue.
What happens if 'visibility timeout period' in SQS has expired?
If 'visibility timeout period' has expired, it means that the previous component that read the message has encountered an exception and was not able to gracefully delete the message. So another component can now retrieve the message and retry the processing.
In SQS, what is the default visibility time out for messages?
12 hours
How many messages can a single request to SQS have?
A single request can have from 1 to 10 messages, up to a maximum total payload of 256KB. Each '64KB' chunk of payload is billed as one request.
What are tasks in SWF?
Tasks represent invocations of various processing steps in an application, which can be performed by executable code, web service calls, human actions, and scripts.
What is retention period for SQS?
14 days
What is the retention period for SWF?
Up to one year for workflow executions in SWF. A task can remain in 'pending' state for 1 year.
Can one topic support deliveries to multiple endpoints?
Yes. SNS topic can group together different endpoints like iOS, Android and SMS
What is amazon API gateway?
Fully managed service for developers to publish, maintain, monitor and secure APIs at any scale
Why is API caching needed?
If API caching is enabled in API gateway, you can reduce the number of calls made to the endpoint and improve latency.
What is the security risk in API gateway?
Since API gateway scales easily, it might be subject to attacks. You can throttle requests as part of API gateway to prevent attacks.
What is the same origin policy?
Browser permits scripts contained in webpage1 to access data in webpage2, only if both web pages have the same origin
How can you legitimately work around the same-origin policy?
CORS (cross-origin resource sharing) allows restricted resources on a webpage to be requested from outside domain.
What is CORS?
CORS (cross-origin resource sharing) allows restricted resources on a webpage to be requested from outside domain. It is a legitimate way to get around the same-origin security restriction.
What are the features of Streaming Data?
Data generated continuously by thousands of data sources, which typically send in the data simultaneously, and in small sizes (KBs)
What is the basic function of Kinesis?
Kinesis makes it easy to load and analyze streaming data.
What are the three core Kinesis services?
Kinesis Streams; Kinesis Firehose; Kinesis Analytics
How is the data capacity of the stream calculated?
The total capacity of the stream is sum of the capacities of its shards.
What is the advantage of Kinesis Firehose over Streams?
You don't have to do sharding in Firehose. It is managed for you.
How does Firehose retention compare to Kinesis Streams retention?
In Streams, retention can be increased from 3 to 7 days. Firehose doesn't have retention.
What are the pillars of well-architected framework?
security, reliability, performance efficiency, cost optimization, operational excellence
SQS message is billed once for every 256KB of text. True or False.
False. Even though there is one message of 256KB, it is basically 4 requests for billing. 64KB is the billing unit.
In SQS, what is the maximum long polling timeout?
20 seconds
What is the billing rate for SQS?
First million requests are free, then $0.50 per every million requests
In SNS, different recipients are charged different rates. True or False.
True. $0.06 per 100k notifications for HTTP. $2 per 100k notifications for Email.
Compare maximum processing time limits for SWF and SQS
Maximum workflow processing for SWF can be 1 year. For SQS, max is 12 hours.
IAM provides temporary access for users/devices and services where necessary. True or False.
True.
What is the default error handling behavior for CloudFormation?
By default, all allocated resources are rolled-back on error.
CloudFront is free, but BeanStalk is not. True or False.
False. Use of CloudFront, BeanStalk and AutoScaling is free. But you pay for the AWS resources that these services create.
Which is more efficient - query or scan?
Query. Query finds items using only primary key attribute values. Scan operation examines every item.
How many PUTS are needed for creating a 5TB file in S3?
Largest object in single PUT is 5GB. So you need to use multi-part upload to upload 1000 such objects to create 5TB file.
How can you enable httpS url for static website hosting in s3?
Using cloudFront
What SSE provides audit trail of keys?
SSE - KMS (AWS key management services)
What are the reserved IPs in a CIDR block?
(.0, .1, .2, .3 and .255). So for CIDR block /24: (2^8 - 5) = (256 - 5) = 251 available IP address space
What is default behavior for security group?
By default, all inbound deny; all outbound allow
What is default behavior for ACL?
For default ACL, all inbound and outbound rules are allowed by default (associated with all subnets in VPC by default). For custom ACL, all inbound and outbound traffic is denied by default (not associated with any subnet).
How is pricing calculated for elastic transcoder?
Minutes needed for transcoding and resolution at which transcoding takes place
Which service needs 'recipes' and 'cookbooks'?
Opsworks - orchestration service that uses Chef recipes
What are the types of SWF actors?
Workflow Starters, Deciders and Activity Workers
What is AWS Organizations?
Relatively new - account mgmt svc that helps consolidate multiple AWS accounts into an organization that you create and centrally manage
What different types of AutoScaling plans?
Main Current Instance Levels, Manual Scaling, Scheduled Scaling, and Dynamic Scaling
Can I peer my VPC with a VPC belonging to another AWS account?
Yes. But other owner has to accept your peering request.
Peered VPCs can have overlapping IP ranges. True or False.
False
What are AS lifecycle hooks used for?
Auto Scaling lifecycle hooks enable you to perform custom actions as Auto Scaling launches or terminates instances. For example, you could install or configure software on newly launched instances, or download log files from an instance before it terminates.
What should you do if you need to launch from different AMI in your AS?
Remember if you want AS to launch different AMI’s than the one set up please remember you can’t modify Launch Configuration, which is the template for AS you must create new LC and then assign it to your AS, all the new instances will be launched with new AMI and all the previous one will still be running.
What can we use other than NAT instance and NAT gateway to give secure outbound internet connect to our private subnet?
Bastion host (aka jump server)
Can VPC span multiple availability zones?
Yes. But a subnet cannot span multiple AZs.
Will you be charged for network bandwidth between instances in different subnets?
Yes, if the instances reside in subnets in different AZs
Subnet ID is not listed for an EC2 instance. What does it indicate?
Instance is not within a VPC. It's a EC2-Classic instance.
Can I boot EC2 instance from EBS volume within a VPC?
Yes. But instance launched in VPC maintains same IP address when stopped and restarted, unlike those launched outside VPC. IP addresses of stopped instances in a subnet are considered unavailable.
How many default VPCs can you have?
You can have one default VPC in each AWS region
Can I have more than two network interfaces attached to my EC2 instance?
The total number of network interfaces that can be attached to an EC2 instance depends on the instance type.
Can I attach a network interface in one AZ to an instance in another AZ?
Network interfaces can only be attached to instances residing in the same AZ.
Can I attach a network interface in one VPC to an instance in another VPC?
Network interfaces can only be attached to instances in same VPC as the interface
Can I use ENI as a way to host multiple websites requiring separate IP addresses on a single instance?
Yes, but not suited for multiple interfaces. Instead assign additional private IP addresses to the instance and then associate EIPs to the private IPs as needed.
Will I get charged for EIP that is associated to a network interface (but NI isn't attached to a running instance) ?
Yes. Amazon wants to conserve the number of EIPs due to IPv4 shortage.
Can I detach the interface (eth0) on my EC2 instance?
No. You can attach/detach secondary interfaces (eth1-ethn), but not the primary eth0 interface
Can I create peering connection to a VPC in a different region?
No. Peering connections are only available between VPCs in the same region.
Is VPC peering traffic within the region encrypted?
No. It is private and isolated similar to how traffic between two instances in same VPC is private and isolated.
How can I test out a new DB version?
Create a DB snapshot of your existing DB instance; restore from snapshot to create new instance; initiate a version upgrade for the new DB instance; if everything looks ok, you can upgrade original instance
Why does I/O requests increase when you shift DB instance to multi-AZ deployment?
Write I/O usage associated with DB updates will double as RDS synchronously replicates your data to the standby DB instance. Read I/O usage will remain the same.
How do you choose among the different RDS storage types?
- Provisioned IOPS SSD storage is suited for high-performance OLTP workloads - General Purpose SSD storage is suited for DB workloads with moderate I/O requirements - Magnetic storage is for small DB workloads where data is accessed less frequently
How much free backup storage is provided in RDS?
Free backup storage is limited to the size of the provisioned DB storage over the month
What happens to the existing DB instance when you perform a restore operation from its snapshot ?
When you 'restore', a new DB instance is created with a new endpoint. The old DB instance can be deleted. This helps you created multiple DB instances from a specific DB snapshot or point-in-time copy.
Why/how should DB subnet group set up?
Each DB subnet group should have at least one subnet for every AZ in a region. When creating DB instance in VPC, you will need to select a DB subnet group. RDS then uses that and your preferred AZ to select a subnet and IP address within that subnet.
Why is it recommended to use DNS name to connect to your DB instance?
Because the underlying IP address can change (eg during failover)
How can you access an object in S3 without using any EC2 instance?
Each S3 object has its own unique HTTP url. So it can be delivered directly to any client.
How does multipart upload help?
Using S3 multipart upload you can get improved throughput and quick recovery from network issues. Multiple parts of single object can be uploaded in parallel. Failed uploads of smaller parts can be restarted instead of re-uploading of entire object.
What are the pricing components of S3?
storage (per GB per month); data transfer in or out (per GB per month) and requests (per thousand requests per month)
What are 'Burst Credits' used for?
EFS can drive throughput continuously at its baseline rate. It collects burst credits when it's inactive or throughput is below its baseline rate. The collected burst credits allow EFS to drive throughput above its baseline rate to handle spiky nature of file-based workloads.
What are resource groups used for?
Resource groups make it easy to group your resources using the tags that are assigned to them. You can group resources that share one or more tags.
What is the advantage of VPC peering?
Instances in either VPC can communicate with each other as if they are within the same network
What hardware is used for VPC peering?
There is no hardware. There is no single point of connection (that can fail) between peered VPCs.
What is the AWS equivalent of a traditional data center?
AZ (availability zone)
How is Direct Connect different from VPN connection?
VPN Connections can be configured quickly and is routed through the internet. Direct Connection doesn't involve the Internet; instead it needs dedicated, private network connections between intranet and amazon VPC.
What does STS do?
Security Token Service (STS) grants users limited and temporary access to AWS resources.
What is federation?
combining of joining a list of users in one domain (such as IAM) with list of users in another domain (such as Active Directory, Facebook etc)
What is Identity Broker?
service that allows you to take an identity from point A and join it (federate it) to point B
What is the order in which Identity Broker authenticates?
Identity Broker always authenticates with LDAP first, then with STS. The user credentials are checked against company LDAP and corresponding IAM credentials are passed to STS.
What API is used behind the scenes by SAML to request temporary credentials from AWS?
The 'AssumeRoleWithSAML' API is used to request temporary security credentials and then construct a sign-in URL for the AWS management console
What is a workspace?
cloud-based replacement for a traditional (mac/win) desktop
What are the two purposes of internet gateway?
provide target in VPC route tables for internet-routable traffic and to perform NAT for instances that have been assigned public IP addresses
What is secondary index?
In DynamoDB, secondary index is a data structure that contains a subset of attributes from a table, along with an alternate key to support query operations. You can query using the alt key defined by the secondary index
Why is it called 'global' secondary index?
A Global Secondary Index is an index with a hash and range key that can be different from those in the table. It is considered "global" because queries on the index can span all of the data in a table, across all partitions. Remember that indexes must be created at the same time you create a table. You cannot add, edit or delete any secondary index to an existing table.
Why are Global Indexes considered additional DynamoDB tables?
All Global Indexes are additional DynamoDB tables that are automatically syncronized when you add new items to the main table.
How does SQS long polling work?
Regular short polling returns immediately. Long polling doesn't return a response until a message arrives in the message queue, or the long poll times out.
How long can messages live in SQS queue?
Min - 1minute. Max - 14 days.
What is multivalue answer routing policy?
Use when you want Amazon Route 53 to respond to DNS queries with up to eight healthy records selected at random.
What is max ratio of IOPS to volume size?
1:50. For 8 GiB, max IOPs will be 400.
What needs to be done if launched instance is not getting a DNS name?
The VPC configuration needs to be changed. The DNS hostnames option of the VPC should be set to 'Yes'.
In a CIDR block of 10.0.1.0/28, how many IPs are available for allocation to instances?
16 - 5 = 11. Five instances are reserved for AWS.
Can EFS be shared across VPCs?
No. Only across availability zones in a single VPC.
Why is resharding needed for kinesis streams?
To adapt to changes in rate of data flow. Split shards to increase capacity of stream. Merge shards to reduce capacity.
What does a resource record set consist of?
Each resource record set includes the name of a domain or a subdomain, a record type (for example, a resource record set with a type of MX routes email), and other information applicable to the record type (for MX records, the host name of one or more mail servers and a priority for each server).
How many AZ in each region?
each region has two or more AZ (availability zones)
There are more Regions than Edge Locations. True or False.
False. There are many more Edge Locations than Regions. (currently ~50)
In AWS, what are Edge Locations?
Edge Locations are CDN endpoints for CloudFront
What is Direct Connect?
Means to create direct connection between corporate data center and AWS without using public internet. Data is transferred on private connection.
What is Route53?
Amazon DNS service. Port 53 is the port at which DNS service is available.
What does ECS stand for?
EC2 Container Service
What is EC2 Container Service used for?
Highly-scalable container management service that helps manage docker containers on cluster of EC2 instances
What is the AWS service that can be used for 'serverless' computing?
AWS Lambda
What does S3 stand for?
Simple Storage Service
S3 storage can be bought in increments of 1GB or 10GB?
In S3, you pay only for storage that you use.
What does RDS stand for?
Relational Database Service
Which service is used for reducing load on RDS instances?
ElastiCache. Results of queries run on RDS can be cached.
What is Amazon's data warehousing service?
RedShift
Which AWS service is used for handling streaming data?
Kinesis
What is AWS Inspector?
Agent that you install on your VM and generates security reports about the VM
What is Certificate Manager?
gives SSL certificates for your domain names
What is AWS Directory Service?
way to use Microsoft ActiveDirectory with AWS
What is WAF used for?
Web application Firewall (WAF) is used to provide application-level security to your website.
What is the difference between firewalls and WAF?
Traditional firewall provides network-level protection. WAF provides application-level protection.
What is the Artifacts service?
In AWS Console, when you go to 'compliance & reports', you can get artifacts like ISO9001 certification, PCI DSS Attestation etc.
Does IAM give centralized control or shared access of your AWS Account?
Both centralized control and shared access.
What does it mean that IAM supports Identity Federation?
Ability to plugin aws into existing security setups like ActiveDirectory, Facebook, LinkedIn etc to provide a seamless experience
Which of the following can be set up in IAM? Users, Teams, Customers, Roles, Groups
Users, Roles, Groups
In IAM, what is a policy?
Policy is a document that defines one or more permissions. It can be attached to User/Group/Role.
What are some steps that you need to take to improve security of root account? (5 possible steps)
- activate MFA on root account - create individual IAM users - delete root access keys - use groups to assign permissions - apply IAM password policy
Why is AccessKey created when you create IAM user?
AccessKeyID and SecretAccessKey can be used by IAM user to access AWS resources. IAM username and password will be used to log onto AWS console.
What are Access Keys used for ?
Use access keys to make secure REST or HTTP Query protocol requests to AWS service APIs. Access Keys should not be shared. And they should be frequently rotated for additional security.
What permissions does a newly created IAM user have? read; read/write; access; none
No permissions. All new users need to have permissions granted.
What format is IAM policy document written in?
JSON
How do you attach policy to a user?
In policies page, select policy and click on 'Attach Policy'. Then you can select user/group/role. Best practice is to attach policy to group instead of user.
What are the different types of IAM Roles?
AWS Service Roles; Role for Cross-Account Access; Role for Identity Provider Access
How is the IAM permission to allow all access on all resources defined?
{"Effect":"Allow", "Action":"*", "Resource":"*"}
Which unit does IAM apply to? Region / Availability Zone / Subnet?
IAM in universal. It does not apply to regions at this time.
Which is the AWS user that has complete admin access?
The 'root account' - the account created when you first setup your AWS account.
You can use the secret access key when you login to the AWS console for the first time. True or False?
False. You can use accessKeys only to access AWS via the APIs and CLI.
What is the difference between 'IAM account sign-in URL' and 'Root account sign-in URL'?
After root account is created, you can customize 'IAM account sign-in URL' and send it to individual users.
What does 'power user' access allow?
Access to all AWS services except for management of groups and users within IAM
Is S3 object-based or block-based storage?
S3 is object-based storage.
Can you install databases or OS on S3? Only OS; Both OS and DB; None
None. S3 only allows to upload files. S3 is object-based storage.
What are the min and max file sizes allowed to be uploaded to S3?
S3 files can be from 1byte to 5TB.
How much storage space does S3 give you? 100TB; 1 petabyte; 10 petabytes
S3 provides unlimited storage.
What does it mean that S3 is a universal namespace?
S3 bucket names must be unique globally (not just within regions)
In S3, for PUTS of new Objects do we get 'read after write' or 'eventual' consistency?
In S3, we get 'read after write' consistency for PUTS of new Objects. Objects are available to be read immediately after write completes.
In S3, when do we get eventual consistency?
We get eventual consistency for overwrite PUTS and DELETES. It can take some time to propagate, unlike PUTS of new objects.
What is key and value of a S3 object?
Key - name of the object. Value - the actual data (sequence of bytes).
In addition to key and value, what are other attributes a S3 object has?
Version ID (important for versioning); Metadata (data about stored data)
In S3, what is the guaranteed availability and durability?
S3 availability - 99.99%, durability - 99.999-999-999% (eleven nines)
What does lifecycle management involve in S3?
Using lifecycle management, you can create rules to move your S3 objects between the different storage tiers
How can you protect the objects that you store in S3?
Encryption; you can version the objects; control access using Bucket Policies and ACLs
Does S3 support encrypted objects to be stored? Yes; No; Only in special buckets
yes
How resilient is S3 storage?
S3 stores data across multiple devices in multiple facilities. It is designed to sustain the loss of TWO facilities concurrently.
What is S3 - IA storage tier used for ?
S3 - IA (infrequently accessed) tier is used for data that is accessed less frequently (~once a month or year) but requires rapid access when needed.
What are the cost differences between S3 and S3-IA?
S3-IA is lower fees than S3, but you are charged a retrieval fee.
How long does it take to retrieve objects from S3-IA tier? 10min; 1hour; 6hours
Immediate access similar to regular S3 tier.
How long does it take to retrieve objects from Glacier tier? 10min; 1hour; 3hours
3 - 5 hours
Which is the cheapest S3 tier?
Glacier. Suitable for archival only. Takes 3-5 hours to restore from Glacier.
What is the difference between S3-IA and RRS?
Reduced Redundancy Storage has only 4nines durability. Suitable for storing objects (like thumbnails) that can be regenerated if lost. S3-IA has 11nines durability.
What is the difference between S3-IA and Glacier?
S3-IA supports immediate access. Glacier takes 3-5 hours to let you access. Glacier is cheaper than S3-IA.
What is the availability and durability of S3-RRS?
RRS is designed to provide 99.99% availability and 99.99% durability.
What is the difference in 'concurrent facility fault tolerance' for S3-IA and RRS?
S3 - standard and IA can handle loss of TWO concurrent facilities. RRS can handle only loss of ONE facility.
What is the availability and durability for S3-IA?
S3-IA : Durability - 99.999-999-999 (elevenNines) Availability - 99.9%
What is the cost for Glacier service?
$0.01 per GB per month
What contributes to charges under S3?
amount of storage; number of requests; data transfer pricing
Which service should you use for storing easily reproducible data?
S3-RRS should be used for storing easily reproducible data like thumbnails. It's not as durable as S3 or S3-IA.
Is Snapweed45671 a valid bucket name?
No. Bucket name can only have lowercase letters.
Can you run a website out of a S3 bucket?
Yes. But it can only be a static website. You cannot run server-side scripts.
What can S3 event notifications be used for?
Event notifications let you send alerts or trigger workflows. Notifications can be sent via SNS, SQS or lambda functions.
For S3 bucket, why can't you allow anonymous access if 'Requester Pays' is setup?
In 'Requester Pays' setup, the access cost is borne by the user. So when an S3 object is accessed, aws needs to know who requested access in order to bill them.
In S3 bucket, what is 'cross-region replication'?
If 'cross-region replication' is setup, changes to S3 bucket in one region will be propagated to a bucket in another region. Versioning needs to be setup for this to happen.
How long should you wait before trying to access a file that was uploaded to a S3 bucket?
Object will be available immediately if permissions have been updated to make it public. New objects are private by default.
How do you change the storage tier of a bucket?
A bucket can contain objects in different tiers (S3,RRS,S3-IA). Select object in bucket in left pane and change tier in 'Details' section in right pane.
What is the difference between disabling and suspending Bucket Versioning?
Once versioning is enabled for a bucket; it cannot be disabled, only suspended.
Why is Versioning used for S3 buckets?
Versioning allows you to preserve, retrieve and restore every version of every object stored in the bucket. This helps to recover objects lost due to accidental overwrites or expirations.
Why is Versioning used for S3 files?
Versioning is set only for buckets, not individual files.
What is shown in versioning history of a file if you delete it from a bucket?
Versioning history will show details of original upload and the 'delete marker'. If you delete the 'delete marker', the file will be restored.
What happens when you delete the 'Delete Marker' in the version history of a file in a S3 bucket?
If you delete the 'delete marker', the file will be restored.
Why do you need to access IAM when you are setting up Cross Region Replication in your S3 bucket?
S3 needs replication access to resources in your account in order to replicate objects in the destination bucket.
Can you take snapshot of running root EBS volume?
No. Instance has to be stopped before taking the snapshot.
How long does cross-region replication take to replicate your bucket once you enable it?
Existing objects will not be replicated. CRR replicates every future upload of every object to another bucket.
How can you hinder a rogue user who wants to delete a file in a S3 bucket?
Use Versioning's MFA delete capability to provide an additional layer of security.
Why is Versioning not a good idea for large files like videos?
Versioning creates multiple copies of the file with slight changes. So you will pay for all the copies of the same file. For large files, these costs can add up.
What are valid values for 'Source' field in Cross-Region Replication and Lifecycle?
You can use the whole bucket. Or all files starting with the given prefix.
What are 'Lifecycle Rules' used for in S3 buckets?
Lifecycle rules will help you manage your storage costs by controlling the lifecycle of your objects. Rules can automatically transition objects to cheaper tiers or even delete them after a specified time period.
Why can't a user create a lifecycle rule to move an object to S3-IA 30 days after creation and to glacier 40 days after creation.
S3-IA has a 30-day minimum retention period and 128KB minimum object size. So object can be moved to glacier only 60 days after creation.
What does setting 'Expire' do when you enable Versioning and Lifecycle Rules?
You can create a rule to expire current version, which will add a delete marker to the version history. If you need to permanently delete the file, you can add a rule on previous versions to be deleted after 'n' days.
What are the three main criteria used by CDN to deliver web content?
location of user; origin of webpage; content delivery server
What is an edge location in CDN?
A edge location is a location where content will be cached. It's different from Region or AZ.
What are four possible origins of content in AWS CloudFront?
S3 bucket; EC2 instance; ELB; Route 53
What is a distribution in CDN?
A collection of edge locations served by the CDN.
Why doesn't CDN speed up file access for first user?
When first user requests file from edge location, it is transferred from origin server similar to non-CDN access. But when second user queries edge location, they see the speed-up.
What types of webcontent can CloudFront deliver? Static; Dynamic; Both
CloudFront can deliver entire websites including dynamic, static, streaming and interactive content using a global network of edge locations.
CloudFront can work with any non-AWS origin server. True or False?
True.
What is RTMP?
RTMP is used in CloudFront for media streaming
What are the two types of distributions used in CDN?
web distribution and RTMP
Edge locations support only READ access. True or False.
False. In addition to get, user can also put. End user can put an object on edge location, which will then be propagated to the origin server.
How long are objects cached in edge location?
Objects are cached for the specified TTL (Time to Live)
What is difference between origin domain and origin path in CDN?
Origin domain is a S3 bucket or other source. Origin path is the subset of the files in the origin server (specified by prefix) that will be distributed by the CDN.
What is the default TTL in CDN?
one day. 86400 seconds.
What is the min, max and default TTL in CDN?
0, 365 days and 1 day
How is access restricted to viewers in CDN?
You can restrict viewer access using 'signed URL' or 'signed cookies'.
Why are CNAMEs used in CDN?
CNAMEs are 'Alternate Domain Names'. Gives a user-friendly name to your CloudFront distribution.
How can you block CDN from serving content to a particular country?
Using 'Geo-Restriction' settings, you can blacklist a country.
By default, all newly created S3 buckets are : open/public/private?
PRIVATE
What are two ways to set up access control to your S3 buckets?
Bucket Policies and Access Control Lists
How do you configure bucket-wide access control?
Use bucket policies
How do you configure access control policy for individual files in bucket?
Access Control Lists
Where are S3 access logs are stored?
S3 buckets can log all incoming requests to another S3 bucket
What are two types of S3 encryption?
In-transit and data at rest
How is in-transit encryption handled in S3?
Using SSL ie https connections
What are the types of at-rest encryption used in S3?
client-side encryption; server-side encryption (SSE-S3, SSE-KMS, SSE-C)
What are the types of server-side at-rest encryption used in S3?
SSE-S3 (s3 managed keys); SSE-KMS (AWS key management service); SSE-C (encryption with customer provided keys)
What is AWS Storage Gateway?
AWS Storage Gateway is a service that connects an on-premises software appliance with cloud-based storage to integrate corporate IT environment with AWS storage.
What software does AWS Storage Gateway need in the corporate datacenter?
AWS SG needs to be installed in a host that is controlled by the hypervisor to start the data storage. SG supports either VMware ESXi or Microsoft Hyper-V.
What are the types of Storage Gateways?
Gateway Stored Volumes; Gateway Cached Volumes; Virtual Tape Library (VTL)
How does Gateway Stored Volumes work?
Entire data is kept onsite. SG then backs it up asynchronously to S3. GSV provides durable and inexpensive off-site backups that you can recover locally or into EC2.
Where is the entire corporate dataset stored in Gateway Storage Volumes?
On-premise. Storage gateway makes off-site backups to AWS.
Where is the entire corporate dataset stored in Gateway Cached Volumes?
In AWS S3. Only most frequently accessed data is stored locally.
What is the disadvantage of using Gateway Cached Volumes?
If internet connectivity is lost, you might not be able to access your data.
If you don't want to buy additional SAN arrays, which Storage Gateway should you choose?
Gateway Cached volumes
Where is the entire corporate data stored in Gateway Storage and Gateway Cached volumes?
On-premise and AWS-S3 respectively
Where are the tapes stored in Storage Gateway Virtual Tape Library (VTL)?
Either in VTLibrary backed by S3 or VTShelf backed by Glacier.
How can you access the data in Virtual Tape Library?
VTL exposes industry-standard iSCSI interface that can be invoked through backup applications like NetBackup, Backup Exec, Veam etc.
What is the iSCSI interface in VTL used for ?
You can access data stored in VTL using backup applications like NetBackup, Veam
What NetBackup, BAckup Exec and Veam used for?
They are backup applications that can read the data stored in Storage Gateway Virtual Tape Libraries (VTL) using the exposed iSCSI interface.
What are the two types of Import/Export ?
Import/Export Disk and Import/Export Snowball
How does Import/Export disk work?
Import/Export disk involves using portable storage devices for transport. Data is directly transferred from device into AWS using amazon's network instead of using the internet.
When do you need to think of using Amazon Snowball?
When you need to transfer petabytes of data to AWS, you can use Amazon Snowball.
What security measures are used with Amazon Snowball?
- tamper-resistant enclosures; 256-bit encryption - full chain-of-custody of your data using industry-standard Trusted Platform Module (TPM) - software erasure of appliance after transfer is completed.
What service is TPM used with?
Amazon Snowball uses TPM (Trusted Platform Module) to ensure security and full chain-of-custody of your data when it is transferred to AWS.
How much data can one Snowball machine handle?
50TB per snowball.
What is advantage of Snowball over Import/Export Disks?
No need to purchase hardware or write new code to transfer data. Multiple snowball appliances can be used in parallel for larger workloads.
Which one should you prefer - Import/Export disk or Snowball?
Snowball
What is advantage of Import/Export Disk over Snowball?
In I/E, you can import to EBS, S3 or Glacier. In snowball, you can import and export only to S3. Snowball is available only in US for now.
Which storage can you export to Import/Export Disk?
Only data from S3 can exported to Import/Export Disk. Data can be imported into EBS, S3 and Glacier.
What is Transfer Acceleration used for?
S3 Transfer Acceleration uses the CloudFront Edge Network to accelerate uploads to S3. Instead of direct upload to S3, you can upload to edge location which then transfers it to S3.
How do you setup Transfer Acceleration?
When you select a S3 bucket, 'Transfer Acceleration' is a setting in the right pane. You get a URL for the endpoint that can be used to upload files to edge location.
What might be the reason if you see similar speed results with or without Transfer Acceleration?
Your local upload bandwidth or some system constraint might be limiting your speed of S3 transfers.
How many S3 buckets can I have per account by default? 10/20/50/100
100
What is EC2?
Amazon Elastic Compute Cloud (EC2) is a web service that provides resizable compute capacity in the cloud
Why is EC2 useful?
EC2 reduces time needed to obtain and boot new server instances to minutes, allowing you to scale up and down, as computing requirements change
How does EC2 change the economics of servers?
You pay only for the capacity that you use. You don't have spend upfront to get hardware and set them up.
What are the EC2 pricing options?
- On-demand (fixed rate by the hour with no commitment) - Reserved (discount for capacity reservation for 1 or 3 years) - Spot (you can bid what you want for capacity if your application have flexible start and end times. AWS will inform you an hour before termination if price rises)
When will you prefer on-demand over spot pricing?
When your application cannot be interrupted or if they have unpredictable workloads
When you will prefer reserved pricing over on-demand pricing?
When you have steady-state, stable, predictable usage for the next 1 or 3 years.
When will you prefer spot pricing over on-demand pricing?
When you have applications that can be interrupted and can have flexible start and end times. When you want to ensure the lowest unit price to keep overall costs down for applications like genomics.
When will you not be charged for Spot usage of EC2?
If spot instance is terminated by EC2, you will not be charged for partial hour of usage. But if you terminate the instance yourself, you will be charged for any hour in which the instance ran.
What is the lowest-cost general purpose EC2 instance?
T2 (usually used for web servers or small DBs)
What are the EC2 instances optimized for memory, graphics and compute?
M3,M4 ; G2; R3
Describe the EC2 instances using the DIRTMCG acronym
D - density(for hadoop); I - IOPS; R - RAM; T - (dirT cheap general purpose); M - Main choice for general purpose; C - Compute; G - Graphics
What is EBS used for?
EBS allows you to create storage volumes, attach them to EC2 instances and run a db or other software like a general purpose block device.
How are EBS instances made resilient?
EBS volumes are placed in a specific AZ, where they are automatically replicated to protect you from the failure of a single component.
An EC2 instance can have multiple EBS attached to it. True or False.
True.
What are the different types of EBS volumes?
General Purpose SSD (GP2), Magnetic (Standard), Provisioned IOPS SSD (I01)
When will you choose Magnetic EBS volume?
Magnetic EBS volumes are used when you want to have the lowest storage costs and for workloads where data is accessed infrequently.
Can you keep root volume even after EC2 instance is deleted? A) No. Can't keep it after termination b) Yes. But only if it's a SSD
Uncheck 'Delete on Termination' when specifying storage volume type while configuring your EC2 instance.
Can you encrypt EC2 root volume?
No. By default, it is un-encrypted. You have to use third-party tools like bitlocket to encrypt it.
Can I attach security group after EC2 instance is created?
No. Must be specified during creation process.
What are the port numbers to be specified in security group for SSH,HTTP and RDP?
22, 80 and 3389
Is there any way to encrypt the EC2 root volume?
AWS doesn't allow it. You might be able to do it using third-party tools like Microsoft BitLocker.
Why is key pair created when you create a EC2 instance?
AWS stores the public key. You can store the private key in the machine from which you will connect to the EC2 instance. It lets you to SSH into that instance.
When user tries to terminate EC2 instance, she is not able to. What might be the reason?
EC2 instance might have 'termination protection' turned on. She has to go into settings, disable termination protection and try the termination again.
When EBS-backed instance is terminated, what happens to root volume on instance termination?
Default action is for root EBS volume to be deleted when instance is terminated.
When you make a change to a security group, how long is the delay before it becomes effective? - 1 minute - 5 minutes
No delay. Effective immediately.
How can you deny HTTP connections to your EC2 security group?
Inbound rules in security group can only allow connections. You cannot deny any connections. So you shouldn't have any rules (or just SSH rules) in order to deny http connection.
In EC2 security group, if I have inbound rule for HTTP connections, but no outbound rules, what will happen?
If inbound rule is setup in security group for any type of connection, corresponding outbound rule is allowed. This is the 'stateful' nature of security groups.
What is the default behavior when security group is setup?
All inbound traffic is blocked. All outbound traffic is allowed.
Why are 'Security Groups' called stateful?
If you create an inbound rule allowing traffic in, that traffic is automatically allowed back out.
What types of rules do 'Security Groups' support? 1) allow 2) deny 3) both
Security Groups support 'Allow' rules
What is the difference between EC2 volumes and snapshots?
Volumes exist on EBS. Snapshots (backups of volumes) exist on S3.
Snapshots are incremental. Explain.
Only the blocks that have changed since your last snapshot are moved to S3.
How can you convert EBS volume from magnetic to SSD?
Take snapshot of magnetic volume. When you click 'Create Volume' to create a volume from the snapshot, specify 'SSD' as the type of the new volume.
Can snapshots be shared?
Yes, but only if they are unencrypted. They can be shared with other AWS accounts or made public.
How can you convert an encrypted volume to unencrypted?
Volumes restored from encrypted snapshots are encrypted automatically. So you can't convert encrypted volume to unencrypted.
What does RAID stand for?
Redundant Array of Independent Disks
What are two common ways of using RAID?
RAID 0 and RAID 1
When is RAID0 better than RAID1?
RAID0 stripes together multiple disks to act as one logical disk. This provides better performance than RAID1.
When is RAID1 better than RAID0?
RAID0 stripes together multiple disks to act as one logical disk. So it isn't as resilient as RAID1 (which has two disks as mirrors of each other to improve redundancy)
When do you need to create RAID in AWS?
When the disk I/O of the EBS volume is not sufficient for your application needs, you need to create an array of disks in RAID.
What is RAID10?
Combination of RAID0 and RAID1. It is striped and mirrored. It provides good redundancy and performance.
Why do we need to stop RAID before taking snapshot?
The raw disks might have caches and other interdependencies. To take an application consistent snapshot, easiest way is to shutdown associated EC2 instance.
What is the easiest way to take an application consistent snapshot of EBS volumes?
Shutdown associated EC2 instance and then take the snapshot
You can launch only instances from the same AMI in your account? True or False.
False. You can launch instances from as many different AMIs as you need.
What are the three components of an AMI?
- template for root volume (OS, AppServer and applications) - launch permissions that control which AWS accounts can use the AMI to launch instances - Block device mapping that specifies the volumes to attach to the instance when it's launched
How do you create AMI from EBS?
Take snapshot of EBS volume. Then from that snapshot, select 'Create Image from EBS snapshot'
How wide can AMIs be used to launch instances? - Availability Zone - Region - Global
You can only launch an AMI from the region in which it is stored.
How can you share an AMI with an user in another region?
You can copy AMIs to other regions using the console, command-line or Amazon EC2 API
What are the root device types available for AMIs?
EBS and Instance Store
Can you attach instance store volumes after EC2 instance is launched?
No. You can only attach additional EBS volumes after launching an instance.
Can you attach EBS volumes after EC2 instance is launched?
yes
Can you stop an EC2 instance with instance-store root volume?
No. You can only reboot or terminate.
What happens if the hypervisor controlling your instance-store EC2 instance is degraded?
You cannot stop the instance and take snapshots. So basically it's lost.
How can you detach root volume in an instance-store EC2 instance?
You cannot. Only EBS volumes can be detached.
Where is the EBS volume for an instance launched from an AMI created from?
It's created from an Amazon EBS snapshot
Where is the instance-store volume for an instance launched from an AMI created from?
The instance-store volume is created from a template stored in Amazon S3.
If you need very fast provisioning, which AMI root device type should you use?
EBS snapshots can be used to quickly create EBS volumes during provisioning. So you should use EBS root device type.
Will you lose the data in ephemeral storage on an EC2 if you reboot?
No. You cannot stop/start the ephemeral storage instance-store. But you can reboot it without losing the data.
What is the difference between 'load balancer protocol' and 'instance protocol'?
In ELB settings you can set up a mapping between the protocol the ELB receives (load balancer protocol) to the protocol invoked on the instance (instance protocol).
Why do you need to setup healthChecks when configuring ELB?
ELB automatically performs health checks on your instances and automatically removes the ones which fail the health check.
What is the relation between 'Healthy Check Interval' and 'Healthy Threshold'?
ELB checks health of instance for every 'health check interval'. If the check is successful 'healthy threshold' number of times, instance is transitioned from being unhealthy to healthy.
What is the difference between 'unhealthy' and 'healthy' thresholds?
If health check fails 'unhealthy' number of times, instance is moved out of ELB. If health check succeeds 'healthy' number of times, instance is moved back into ELB.
Do ELB's have private or public IPs assigned to them?
ELB's don't have public IP assigned to them. They only have DNS names (A-Records) assigned to them. EC2 instances behind ELB can have public IPs.
How do you setup detailed CloudWatch monitoring for your EC2 instance?
During instance creation, you can select checkbox "Enable CloudWatch detailed monitoring"
What is the difference between basic and detailed CloudWatch monitoring?
Instance data is aggregated every 5 minutes for Basic and 1 minute for Detailed. There is no cost for basic monitoring.
Which metric is not available in cloudwatch monitoring?
Memory usage metrics is not available. CPUUtilization, DiskRead, DiskWrite, Network metrics are available.
What are CloudWatch Events used for?
CloudWatch Events help you to respond to state changes in your AWS resources. Change in resources create events that can trigger other actions. Eg. periodically invoke a built-in target to create an EBS snapshot.
What is CloudWatch logs used for?
Useful for application-level monitoring by storing and aggregating logs. E.g., you can monitor HTTP response codes in Apache logs.
What are CloudWatch alarms used for?
If metric exceeds threshold, cloudwatch can send an alarm to your email or a SNS topic.
You can assign IAM role to an EC2 instance after it's created. True or False.
False
What is 'aws configure' used for?
Configure credentials in terminal window used to connect to EC2 instance
Which password do you need to provide when running aws configure?
The accessId and secret access key that were given the user was created
What does the command 'aws s3 ls' do?
Lists all available S3 buckets
How is my EC2 instance able to run 'aws s3 ls' even though I haven't run 'aws configure'?
When EC2 instance was created with IAM role that allows access to s3
Which is universal in scope? - Users - Roles
Both. You can use a role like 's3-admin-access' in any region.
What is the url for getting instance metadata?
After you login to EC2 instance using Terminal, type curl http://169.254.169.254/latest/meta-data/
What is the way to get the public-IP using instance metadata?
curl http:/169.254.169.254/latest/meta-data/public-ipv4
Is url right? http://169.254.169.254/latest/user-data
No. It should be http://169.254.169.254/latest/meta-data
What is the health check grace period?
Length of time that AutoScaling waits before checking an instance's health status. Grace period begins when instance comes into service. Default is 300 seconds.
What is autoScaling policy?
A set of instructions on handling cloudWatch alarms to increase or decrease the number of instances in the autoScaling group.
What type of applications are 'placement groups' recommended for?
Applications that benefit from low network latency, high network throughput or both
What type of network does a placement group provide for applications?
Using placement groups enables applications to participate in a low-latency, 10 Gbps network.
What are some sample applications that can be run on placement groups?
cassandra; hadoop; grid computing
What is the typical network throughput of a placement group?
10Gbps network
Why can't placement groups span multiple availability zones?
Since we are trying to reduce network latency, placement group needs to be within a single availability zone.
What is a possible reason for not being able to add a T2 micro to a placement group?
Only certain types of instances can be launched in a placement group - C, G, memory-optimized, storage-optimized
How much storage does EFS scale up to?
EFS can scale up to petabytes
What is the initial size of EFS? 8 GB 16 GB 64 GB 1 TB
None. You don't have to do any pre-provisioning. You can just start putting in data.
What are the programming languages supported by Lambda?
javascript
What is the availability guarantee for Lambda?
Lambda is designed to provide 99.99% availability for both the service itself and the function that it operates
What are some common examples of top-level domain names?
.com, .edu, .gov
What does NS stand for?
NS stands for Name Server records and are used by Top-Level Domain servers to direct traffic to the Content DNS server which contains the authoritative DNS records.
What does CName stand for?
CName - Canonical Name
What is a key difference between CNAME and Alias Records?
A CNAME can't be used for naked domain names (zone apex). You can't have a CNAME for http://acloud.guru, it must be either an A record or an Alias.
Why are Alias records useful?
Alias record can point to a resource set like ELB. Whenever the resource set changes, Route53 automatically recognizes the changes that the A-record points to.
Which is the better choice - Alias Record or CNAME?
Alias record. You won't be charged for it.
When you create a 'Hosted Zone' how many records are created?
Two records are created - NS and SOA
Why do you need to create 'A' record for your hosted zone?
To direct the dns name to the resource set (usually the ELB)
What are the different routing policies?
- Simple - Weighted - Latency - Failover - Geolocation
What is the 'simple' routing policy?
used when you have a single resource that performs a given function for your domain, for e.g one web server that serves content for a website
What is the default routing policy?
Simple routing policy.
When is I01 appropriate?
EBS Provisioned IOPS SSD (I01) is used when you need more than 10,000 IOPS. It's designed for I/O intensive applications like relational or NoSQL databases
What are the IOPS values available for GP2 volumes?
3 IOPS per GB upto 10,000 IOPS and the ability to burst upto 3000 IOPS for short periods for volumes under 1Gib.
Which volume type has the lowest cost per GB?
Magnetic (Standard) volume type
What is 'User Data' section in EC2 instance creation used for?
for running any custom scripts when EC2 instance starts up
Termination protection is turned off by default. True or False.
True
What is 'weighted' routing policy?
Lets you split traffic based on different weights assigned. 10% of traffic to US-EAST-1 and 90% to EU-WEST-1.
What is latency-based routing?
Allows you to route traffic based on lowest network latency for the end-user (ie which region will give them the fastest response time)
What is 'Failover' routing policy?
used when you want to create an active/passive setup. Primary site is US-West-1. Secondary DR site is US-East-1.
What is Geolocation routing?
Route53 routing policy where traffic is routed based on the geographic location of your users.
Which is more costly A-Records or CNAME?
Every time a CNAME request comes to Amazon DNS, there is a charge. But Alias record requests are free.
What are some resource record sets that you might add for a hosted zone?
Route internet traffic for example.com to the IP address of a host in your data center. Route email for that domain (ichiro@example.com) to a mail server (mail.example.com).
What is AWS service for content delivery?
CloudFront is the CDN service in AWS
What is the availability of GP2?
EBS general purpose SSD (GP2) has 99.999% availability
Which EBS volume type is suitable for handling a file server?
Magnetic (Standard) is appropriate for handling a file server where data is accessed infrequently
Which one should I choose if I need to share it between multiple EC2 instances? EBS or EFS?
EFS
What is the charge if AWS terminates your spot instance?
you get the hour it was terminated in for free
What the factors involved in Lambda pricing?
Number of requests and time taken for request execution
What are 'Dedicated Hosts'?
Type of EC2 instance
What is 'Dedicated Hosts' needed for?
Due to regulatory concerns, you might not be able to place your EC2 instances in a multi-tenancy environment. So AWS can provide dedicated hosts for your use.
How many connections can EFS support?
EFS can support thousands of concurrent NFS connections
What is CName used for?
A CName can be used to resolve one domain name to another.
What are Alias records?
Alias (A) records are used to map resource record sets in your hosted zone to ELBs, CloudFront distributions or S3 buckets that are configured as websites. Like CNAME records, you can use Alias records to map one DNS name (exam.com) to another 'target' DNS name (elb1234.elb.amazonaws.com)
Can EBS instances be shared by different EC2 instances?
No. EBS acts like a virtual disk that can be connected to only one computer at a time.
NoteStudied by 45 peopleNoteStudied by 14 peopleNoteStudied by 2 peopleNoteStudied by 10 peopleNoteStudied by 2 peopleNoteStudied by 8 people