Aws Certified Solutions Architect Professional (+ Review) Flashcards
IAM: Enables AWS customers to manage users and permissions
AWS Identity and Access Management (IAM)
IAM: Gives the Admins group permission to access all account resources, except your AWS account information
Administrator Access
IAM: Every user you create in the IAM system starts with
No permissions
IAM: Groups can't
be nested at all
IAM: Is targeted at organizations with multiple users or systems that use AWS products
AWS Identity and Access Management
IAM: AutoScaling group of EC2 Instances, customers security policy requires that every outbound connection from these instances to any other service within the customers Virtual Private Cloud must be authenticated using a unique x.509 certificate that contains the specific instanceid, and x.509 certificates must be designed by the customer's Key management service in order to be trusted for authentication
Configure the Auto Scaling group to send an SNS notification of the launch of a new instance to the trusted key management service. Have the Key management service generate a signed certificate and send it directly to the newly launched instance
IAM: AWS API access credentials
Console passwords, Access keys & Signing certificates
IAM: The organization wants that each user can change their password but cannot change their access keys.
Root account owner can set the policy from the IAM console under the password policy screen
IAM: A new policy which will change the access of an IAM user
Use the IAM groups and add users as per their role to different groups and apply policy to group
IAM: Either use frequently rotated passwords or one-time access credentials in addition to username/password
Configure MFA on the root account and for privileged IAM users, Assign IAM users and groups configured with policies granting least privilege access
IAM: preparing for a security assessment of your use of AWS
Configure MFA on the root account and for privileged IAM users, Assign IAM users and groups configured with policies granting least privilege access
IAM: company wants their EC2 instances in the new region to have the same privileges
Assign the existing IAM role to the Amazon EC2 instances in the new region
!AM: creating a new IAM user which of the following must be done before they can successfully make API calls
Create a set of Access Keys for the user
IAM: limitations
100 groups per AWS account, 5000 IAM users, 250 roles
IAM: a group is
a collection of users
IAM: set up AWS access for each department
Create IAM groups based on the permission and assign IAM users to the groups
IAM: EC2 instances best practices
latest patch of OS, Disable the password-based login (use keys), revoke the access rights of the individual user when they are not required to connect to EC2.
IAM: access to various AWS services
Assign an IAM role to the Amazon EC2 instance
IAM: AWS Management Console access to developers, mandates identity federation and role-based access control, roles assigned by groups in Active Directory
AWS Directory Service AD Connector, AWS identity and Access Management roles
IAM: Admin control of resources
Enable IAM cross-account access for all corporate IT administrators in each child account, Use AWS Consolidated Billing to link the divisions' accounts to a parent corporate account
IAM: an application deployed on an EC2 instance to write data to a DynamoDB table
Create an IAM Role that allows write access to the DynamoDB table, Add an IAM Role to a running EC2 instance
IAM:
...
IAM: migrate your Development (Dev) and Test environments to AWS, separate accounts, will link each accounts bill to a Master AWS account using Consolidated Billing, administrators in the Master account to have access to stop, delete and/or terminate resources in both the Dev and Test accounts
Create IAM users in the Master account Create cross-account roles in the Dev and Test accounts that have full Admin permissions and grant the Master account access
IAM: CloudFormation to deploy a three tier web application, DynamoDB for storage, allow the application instance access to the DynamoDB tables without exposing API credentials
Create an Identity and Access Management Role that has the required permissions to read and write from the required DynamoDB table and reference the Role in the instance profile property of the application instance
IAM: Before generating the URL the application should verify the existence of the file in S3
Create an IAM role for EC2 that allows list access to objects in the S3 bucket. Launch the instance with the role, and retrieve the role's credentials from the EC2 Instance metadata
IAM: third-party SaaS application needs assess
Create an IAM role for cross-account access allows the SaaS provider's account to assume the role and assign it a policy that allows only the actions required by the SaaS application
IAM: application on EC2, makes calls to DynamoDB to fetch certain data, uses DynamoDB SDK to connect with from the EC2 instance
The user should attach an IAM role with DynamoDB access to the EC2 instance
IAM: security team would like to be able to delegate user authorization to the individual development teams but independently apply restrictions to the users permissions based on factors such as the users device and location
Add additional IAM policies to the application IAM roles that deny user privileges based on information security policy...policy with deny rules based on location, device and more restrictive wins
IAM: an Auto Scaling group whose Instances need to insert a custom metric into CloudWatch
Create an IAM role with the Put MetricData permission and modify the Auto Scaling launch configuration to launch instances in that role
IAM: each of 10 IAM users to have access to a separate DynamoDB table all in same group
Create a DynamoDB table with the same name as the IAM user name and define the policy rule which grants access based on the DynamoDB ARN using a variable
IAM: each IAM user accesses the IAM console only within the organization and not from outside
Create an IAM policy with a condition which denies access when the IP address range is not from the organization
IAM: policy evaluation logic
By default, all requests are denied, An explicit allow overrides default deny
IAM: Move FTP servers with 250 customers to AWS, to upload and download large graphic files, scalable, cost low, maintain customer privacy
Use an S3 client instead of an FTP client. Create a single S3 bucket. Create an IAM user for each customer. Put the IAM Users in a Group that has an IAM policy that permits access to subdirectories within the bucket via use of the 'username' Policy variable.
IAM: two permission types used by AWS
User-based and Resource-based
IAM: policy used for cross account access
Trust policy, Permissions Policy
VPC: VPC consisting of an Elastic Load Balancer (ELB), web servers, application servers and a database, only accept traffic from predefined customer IP addresses
Configure your web servers to filter traffic based on the ELB's "X-forwarded-for" header, ⢠Configure ELB security groups to allow traffic from your customers' IPs and implicit deny all outbound traffic (note deny all doesn't work for stateless nacl)
VPC: patch update, private subnet connect to the internet
Use NAT with an elastic IP
VPC: public and private subnets using the VPC wizard
VPC bounds the main route table with a private subnet and a custom route table with a public subnet
VPC: user change the size of the VPC
Old Answer - It is not possible to change the size of the VPC once it has been created (NOTE - You can now increase the VPC size)
VPC: user created vpc with public and private subnets, CIDR 20.0.1.0/24 and the public subnet uses CIDR 20.0.0.0/24, host a web server public subnet (port 80) and a DB server private subnet (port 3306), NAT instance, for NAT security use
For Inbound allow Source: 20.0.1.0/24 on port 80, For Outbound allow Destination: 0.0.0.0/0 on port 80, For Outbound allow Destination: 0.0.0.0/0 on port 443 (not Inbound allow Source: 20.0.0.0/24 on port 80)
VPC: public and private subnets using the VPC wizard, CIDR 20.0.0.0/16, public subnet CIDR 20.0.1.0/24, host a web server in the public subnet (port 80), a DB server in the private subnet (port 3306), security group for the public subnet (WebSecGrp) and the private subnet (DBSecGrp) - required in the web server security group (WebSecGrp)
Configure Destination as DB Security group ID (DbSecGrp) for port 3306 Outbound
VPC: VPC with CIDR 20.0.0.0/16. created one subnet with CIDR 20.0.0.0/16 by mistake, trying to create another subnet of CIDR 20.0.0.1/24
It is not possible to create a second subnet as one subnet with the same CIDR as the VPC has been created
VPC: a VPC with CIDR 20.0.0.0/16, a private subnet (20.0.1.0/24) and a public subnet (20.0.0.0/24), data centre has CIDR of 20.0.54.0/24 and 20.1.0.0/24, private subnet wants to communicate with the data centre
It will allow traffic with data centre on CIDR 20.1.0.0/24 but does not allow on 20.0.54.0/24 (CIDR block is overlapping)
VPC: a VPC with public and private subnets using the VPC wizard, CIDR 20.0.0.0/16, private subnet CIDR 20.0.0.0/24, NAT instance ID is i-a12345, entries required in the main route table attached with the private subnet to allow instances to connect with the internet
Destination: 0.0.0.0/0 and Target: i-a12345
VPC: a VPC with CIDR 20.0.0.0/16 using the wizard, a public subnet CIDR (20.0.0.0/24) and VPN only subnets CIDR (20.0.1.0/24) along with the VPN gateway (vgw-12345) to connect to the user's data centre, data centre has CIDR 172.28.0.0/12 and a NAT instance (i-123456) to allow traffic to the internet from the VPN subnet
Destination: 0.0.0.0/0 and Target: i-12345, Destination: 172.28.0.0/12 and Target: vgw-12345, ⢠Destination: 20.0.0.0/16 and Target: local (not Destination: 20.0.1.0/24 and Target: i-12345)
VPC: VPC with CIDR 20.0.0.0/16 and a public subnet uses CIDR 20.0.1.0/24, host a web server in the public subnet (port 80) and a DB server in the private subnet (port 3306), security group for the public subnet (WebSecGrp) and the private subnet (DBSecGrp).
Allow Inbound on port 3306 for Source Web Server Security Group (WebSecGrp)
VPC: A user has created a VPC with a subnet and a security group. The user has launched an instance in that subnet and attached a public IP. The user is still unable to connect to the instance. The internet gateway has also been created.
The internet gateway is not configured with the route table
VPC: A user has created a public subnet with VPC and launched an EC2 instance within it
It will not allow the user to delete the subnet until the instances are terminated
VPC: a VPC with CIDR 20.0.0.0/24. The user has created a public subnet with CIDR 20.0.0.0/25 and a private subnet with CIDR 20.0.0.128/25,
20.0.0.255 can't be assigned to an instance
VPC: a VPC with CIDR 20.0.0.0/16, ublic and VPN only subnets along with hardware VPN access to connect to the user's datacenter, make it so that all traffic coming to the public subnet follows the organization's proxy policy
Setting the route table and security group of the public subnet which receives traffic from a virtual private gateway
VPC: a VPC with CIDR 20.0.0.0/16 using the wizard, public subnet CIDR (20.0.0.0/24) and VPN only subnets CIDR (20.0.1.0/24) along with the VPN gateway (vgw-12345) to connect to the user's data centre
Destination: 0.0.0.0/0 and Target: vgw-12345 is valid for main route table
VPC: When attached to an Amazon VPC which two components provide connectivity with external networks
Virtual Private Gateway (VGW), Internet Gateway (IGW),
VPC: web tier will use an Auto Scaling group across multiple Availability Zones (AZs). The database will use Multi-AZ RDS MySQL and should not be publicly accessible.
4 subnets required (2 public subnets for web instances in multiple AZs and 2 private subnets for RDS Multi-AZ)
VPC: a VPC for a web-application consisting of an Elastic Load Balancer (ELB), a fleet of web/application servers, and an RDS database The entire Infrastructure must be distributed over 2 availability zones.
Two public subnets for ELB two private subnets for the web-servers and two private subnets for RDS
VPC: deployed a three-tier web application in a VPC with a CIDR block of 10.0.0.0/28, initially deploy two web servers, two application servers, two database servers and one NAT instance to a total of seven EC2 instances. Application and database servers are deployed across two availability zones (AZs). You also deploy an ELB in front of the two web servers, and use Route53 for DNS Web (raffle gradually increases in the first few days following the deployment, so you attempt to double the number of instances in each tier of the application to handle the new load unfortunately some of these new instances fail to launch.
The ELB has scaled-up. Adding more instances to handle the traffic reducing the number of available private IP addresses for new instance launches, AWS reserves the first four and the last IP address in each subnet's CIDR block so you do not have enough addresses left to launch all of the new EC2 instances
VPC: A user wants to access RDS from an EC2 instance using IP addresses. Both RDS and EC2 are in the same region, but different AZs.
Configure the Private IP of the Instance in RDS security group
VPC: In regards to VPC
You can associate multiple subnets with the same Route Table
VPC: design a VPC for a web-application consisting of an ELB a fleet of web application servers, and an RDS DB. The entire infrastructure must be distributed over 2 AZ
Two Public Subnets for ELB, two private Subnet for the web-servers, and two private subnet for the RDS
VPC: VPC with one private subnet and one public subnet with a Network Address Translator (NAT) server. You are creating a group of Amazon Elastic Cloud Compute (EC2) instances that configure themselves at startup via downloading a bootstrapping script from S3 that deploys an application via GIT. Which setup provides the highest level of security?
Amazon EC2 instances in private subnet, no EIPs, route outgoing traffic via the NAT
VPC: A company has an AWS account that contains three VPCs (Dev, Test, and Prod) in the same region. Test is peered to both Prod and Dev. All VPCs have non-overlapping CIDR blocks.
Create a new peering connection Between Prod and Dev along with appropriate routes
VPC: extend two existing data centers into AWS to support a highly available application that depends on existing, on-premises resources located in multiple data centers and static content from S3, presently dual-tunnel VPN connection between your CGW and VGW
Add another CGW in a different data center and create another dual-tunnel VPN connection
VPC: for business travelers who must be able to connect to it from their hotel rooms, cafes, public Wi-Fi hotspots, and elsewhere on the Internet, not application on the Internet
Configure an SSL VPN solution in a public subnet of your VPC, then install and configure SSL VPN client software on all user computers. Create a private subnet in your VPC and place your application servers in it
VPC: establishing IPSec tunnels over the internet, using VPN gateways and terminating the IPsec tunnels on AWS-supported customer gateways
Data encryption across the Internet but not end-to-end.
VPC: development environment needs a source code repository, a project management system with a MySQL database resources for performing the builds and a storage location for QA to pick up builds from, concerns are cost, security and how to integrate with existing on-premises applications such as their LDAP and email servers, which cannot move off-premises, and goal is to transition to a continuous integration model of development on AWS with multiple builds triggered within the same day
A VPC with a VPN Gateway back to their on-premises servers, Amazon EC2 for the source-code repository with attached Amazon EBS volumes, Amazon EC2 and Amazon RDS MySQL for the project management system, EIPs for the source code repository and project management system, SQS for a build queue, An Auto Scaling group of EC2 instances for performing builds and S3 for the build output (VPN gateway is required for secure connectivity. SQS for build queue and EC2 for builds)
VPC: CIDR 20.0.0.0/16 (public and private), to host a web server in the public subnet port 80 (CIDR 20.0.0.0/24) and a DB server in the private subnet port 3306 (CIDR 20.0.0.0/24) to configure a security group of the NAT instance...
For Outbound allow Destination: 0.0.0.0/0 on port 80 & 443, For Inbound allow Source: 20.0.1.0/24 on port 80 (Allow inbound HTTP traffic from servers in the private subnett)
VPC: EC2 instances are behind a public facing ELB, autoscaling, application runs 2 instances in the Auto Scaling group but at peak it can scale 3x in size, need s to communicate with the payment service over the Internet, which requires whitelisting of all public IP addresses (4 whitelisting IP addresses are allowed at a time and can be added through an API).
Route payment requests through two NAT instances setup for High Availability and whitelist the Elastic IP addresses attached to the NAT instances (NAT used not just for patching)
VPC: numerous port scans coming in from a specific IP address block
Modify the Network ACLs associated with all public subnets in the VPC to deny access from the IP address block
VPC: in vpc establish separate security zones and enforce network traffic rules across different zones to limit Instance communications...
Configure instances to use pre-set IP addresses with an IP address range every security zone. Configure NACL to explicitly allow or deny communication between the different IP address ranges, as required for interzone communication
VPC: in vpc can you configure the security groups for these instances to only allow the ICMP ping to pass from the monitoring instance to the application instance and nothing else...
Yes, The security group for the monitoring instance needs to allow outbound ICMP and the application instance's security group needs to allow Inbound ICMP (is stateful, so just allow outbound ICMP from monitoring and inbound ICMP on monitored instance)
VPC: configure instances of the same subnet communicate with each other
Configure the security group itself as the source and allow traffic on all the protocols and ports
VPC: designing a data leak prevention solution, VPC Instances to be able to access software depots and distributions on the Internet for product updates, depots and distributions are accessible via third party CDNs by their URLs and you want to explicitly deny any other outbound connections from your VPC instances to hosts on the Internet
Configure a web proxy server in your VPC and enforce URL-based rules for outbound access and remove default routes. (Security group and NACL cannot have URLs in the rules nor does the route)
VPC: running a multi-tier web application farm (VPC) not connected to their corporate network, presently connecting to the VPC over the Internet to manage all of their Amazon EC2 instances running in both the public and private subnets using bastion-security-group with Microsoft Remote Desktop Protocol (RDP), but wants to further limit administrative access to all of the instances in the VPC...
Deploy a Windows Bastion host with an auto-assigned Public IP address in the public subnet, and allow RDP access to the bastion from only the corporate public IP addresses
VPC: highly availabl bastion host ...
Configure the bastion instance in an Auto Scaling group Specify the Auto Scaling group to include multiple AZs but have a min-size of 1 and max-size of 1
VPC: migration of an ecommerce platform to 3- tier VPC - IGW ig-2d8bc445NACL acl-2080c448Subnets and Route Tables:Web server's subnet-258bc44dApplication server's subnet-248DC44cDatabase server's subnet-9189c6f9Route Tables:rtb-2i8bc449rtb-238bc44bAssociations:Subnet-258bc44d: rtb-2i8bc449Subnet-248DC44c: rtb-238bc44bSubnet-9189c6f9: rtb-238bc44bWeb servers must have direct access to the internet Application and database servers cannot have direct access to the internet, configuration to allow the ability to remotely administer your application and database servers, as well as allow these servers to retrieve updates from the Internet...
Create a Bastion and NAT instance in subnet-258bc44d and add a route from rtb-238bc44b to the NAT instance. (Bastion and NAT should be in the public subnet. As Web Server has direct access to Internet, the subnet subnet-258bc44d should be public and Route rtb-2i8bc449 pointing to IGW. Route rtb-238bc44b for private subnets should point to NAT for outgoing internet access)
VPC: a Linux bastion host for access to Amazon EC2 instances running in your VPC. Only clients connecting from the corporate external public IP address 72.34.51.100 should have SSH access to the host.
Requirements can be met by using Security Group Inbound Rule: Protocol - TCP. Port Range - 22, Source 72.34.51.100/32
EC2: A user has launched two EBS backed EC2 instances in the US-East-1a region, how to change the zone of one of the instances.
Create an AMI of the running instance and launch the instance in a separate AZ
EC2: A user has launched a large EBS backed EC2 instance in the US-East-1a region. The user wants to achieve Disaster Recovery (DR) for that instance by creating another small instance in Europe. How can the user achieve DR
Create an AMI of the instance and copy the AMI to the EU region. Then launch the instance from the EU AMI
EC2: George has shared an EC2 AMI created in the US East region from his AWS account with Stefano. George copies the same AMI to the US West region. Can Stefano access the copied AMI of George's account from the US West region
No, copy AMI does not copy the permission
EC2: instance types are available as Amazon EBS-backed
General purpose (lowest cost) T2, Compute-optimized C4
EC2: 132. A t2.medium EC2 instance type must be launched with what type (AMI)
An Amazon EBS-backed Hardware Virtual Machine AMI
EC2: network throughput bottleneck on your m1.small EC2 instance when uploading data Into Amazon S3 In the same region
larger Instance
EC2: write throughput to the database needs to be increased
Use an array of EBS volumes (Striping to increase throughput)
EC2: database requires random read IO disk performance up to a 100,000 IOPS at 4KB block side per node
High I/O Quadruple Extra Large (hi1.4xlarge) using instance storage
EC2: some machines are failing to successfully download some software updates, but not all of their updates within the maintenance window The download URLs used for these updates are correctly listed in the proxy's whitelist configuration and you are able to access them manually using a web browser on the instances
You are running the proxy on an undersized EC2 instance type so network throughput is not sufficient for all instances to download their updates in time or you are running the proxy on a affluently-sized EC2 instance in a private subnet and its network throughput is being throttled by a NAT running on an undersized EC2 instance
EC2: application requires disk performance of at least 100,000 IOPS in addition; the storage layer must be able to survive the loss of an individual disk, EC2 instance, or Availability Zone without any data loss. The volume you provide must have a capacity of at least 3TB...
Instantiate an i2.8xlarge instance in us-east-1a. Create a RAID 0 volume using the four 800GB SSD ephemeral disks provided with the Instance Configure synchronous block-level replication to an identically configured Instance in us-east-1b (ex, another AV)
EC2: web application where web servers on EC2, Auto Scaling group, monitoring over the last 6 months shows that 6 web servers are necessary to handle the minimum load. During the day up to 12 servers are needed Five to six days per year, the number of web servers required might go up to 15, optimize for cost and HA
6 Reserved instances (heavy utilization). 6 Reserved instances (medium utilization), rest covered by On-Demand instances (don't go for spot as availability not guaranteed)
EC2: user is running one instance for only 3 hours every day. The user wants to save some cost with the instance...
The user should not use RI; instead only go with the on-demand pricing (seems question before the introduction of the Scheduled Reserved instances in Jan 2016, which can be used in this case)
EC2: an internal audit and has been determined to require dedicated hardware for one instance (move this instance to single-tenant hardware)...
Stop the instance, create an AMI, launch a new instance with tenancy=dedicated, and terminate the old instance
EC2: regular analytics reports from your company's log files, log data is collected in Amazon S3 and processed by daily Amazon Elastic Map Reduce (EMR) jobs that generate daily PDF reports and aggregated tables in CSV format for an Amazon Redshift data warehouse.
Use reduced redundancy storage (RRS) for all data in S3. Use a combination of Spot instances and Reserved Instances for Amazon EMR jobs. Use Reserved instances for Amazon Redshift (Combination of the Spot and reserved with guarantee performance and help reduce cost. Also, RRS would reduce cost and guarantee data integrity, which is different from data durability, as opposed to just spot for EMR)
EC2: one-time launch of an Elastic MapReduce cluster, minimize the costs, ingest 200TB of genomics data with a total of 100 Amazon EC2 instances and run for around four hours resulting data set must be stored temporarily until archived into an Amazon RDS Oracle instance
Store ingest and output files in Amazon S3. Deploy on-demand for the master and core nodes and spot for the task nodes.
EC2: web front-end utilizes an Elastic Load Balancer and Auto scaling across 3 availability zones. During peak load web servers operate at 90% utilization and leverage a combination of heavy utilization reserved instances for steady state load and on-demand and spot instances for peak load, create a cost effective architecture to allow the application to recover quickly in the event that an availability zone is unavailable during peak load
Increase auto scaling capacity and scaling thresholds to allow the web-front to cost-effectively scale across all availability zones to lower aggregate utilization levels that will allow an availability zone to fail during peak load without affecting the applications availability. (Ideal for HA to reduce and distribute load)
EC2: software needs to be online continuously during the day every day of the week, and has a very static requirement for compute resources. You also have other, unrelated batch jobs that need to run once per day at any time of your choosing, minimize cost
Purchase a Heavy Utilization Reserved Instance to run the accounting software. Turn it off after hours. Run the batch jobs with the same instance class, so the Reserved Instance credits are also applied to the batch jobs. (Because the instance will always be online during the day, in a predictable manner, and there are sequences of batch jobs to perform at any time, we should run the batch jobs when the account software is off. We can achieve Heavy Utilization by alternating these times, so we should purchase the reservation as such, as this represents the lowest cost. There is no such thing a "Full" level utilization purchases on EC2.)
EC2: How can software determine the public and private IP addresses of the Amazon EC2 instance that it is running on?
Query the local instance metadata. The base URI for all requests for instance metadata is http://169.254.169.254/latest/
EC2: . In order to optimize performance for a compute cluster that requires low inter-node latency, which feature in the following list should you use
Placement Groups
EC2: to achieve gigabit network throughput on EC2? You already selected cluster-compute, 10GB instances with enhanced networking, and your workload is already network-bound, but you are not seeing 10 gigabit speeds.
Use a placement group for your instances so the instances are physically near each other in the same Availability Zone. (You are not guaranteed 10 gigabit performance, except within a placement group. Using placement groups enables applications to participate in a low-latency, 10 Gbps network)
...
...
EC2: You need the absolute highest possible network performance for a cluster computing application. You already selected homogeneous instance types supporting 10 gigabit enhanced networking, made sure that your workload was network bound, and put the instances in a placement group.
Use 9001 MTU instead of 1500 for Jumbo Frames, to raise packet body to packet overhead ratios. (For instances that are collocated inside a placement group, jumbo frames help to achieve the maximum network throughput possible, and they are recommended in this case)
EC2: . A user has launched an EC2 instance from an instance store backed AMI. The user has attached an additional instance store volume to the instance. The user wants to create an AMI from the running instance. Will the AMI have the additional instance store volume data?
Yes, the block device mapping will have information about the additional instance store volume
EC2: When an EC2 instance that is backed by an S3-based AMI Is terminated, what happens to the data on the root volume?
Data is automatically deleted
EC2: A user has launched an EC2 instance from an instance store backed AMI. If the user restarts the instance, what will happen to the ephemeral storage data?
The data is preserved
EC2: When an EC2 EBS-backed instance is stopped, what happens to the data on any ephemeral store volumes?
Data will be deleted and will no longer be accessible
EC2: Which of the following will occur when an EC2 instance in a VPC (Virtual Private Cloud) with an associated Elastic IP is stopped and started? EC
All data on instance-store devices will be lost, the underlying host for the instance is changed
EBS: encryption of sensitive data at rest.
Implement third party volume encryption tools, Encrypt data inside your applications before storing it on EBS, Encrypt data using native data encryption drivers at the file system level
EBS: 184. How can you secure data at rest on an EBS volume?
Use an encrypted file system on top of the EBS volume
EBS: A user has deployed an application on an EBS backed EC2 instance. For a better performance of application, it requires dedicated EC2 to EBS traffic. How can the user achieve this?
Launch the EC2 instance as EBS optimized with PIOPS EBS
EBS: running a database on an EC2 instance, with the data stored on Elastic Block Store (EBS) for persistence At times throughout the day, you are seeing large variance in the response times of the database queries Looking into the instance with the isolate command you see a lot of wait time on the disk volume that the database's data is stored on.
Move the database to an EBS-Optimized Instance, Use Provisioned IOPs EBS
EBS: Your data management software system requires mountable disks and a real filesystem, so you cannot use S3 for storage. You need persistence, so you will be using AWS EBS Volumes for your system. The system needs as low-cost storage as possible, and access is not frequent or high throughput, and is mostly sequential reads.
standard (Standard or Magnetic volumes are suited for cold workloads where data is infrequently accessed, or scenarios where the lowest storage cost is important)
EBS: 200. Which EBS volume type is best for high performance NoSQL cluster deployments
io1 (io1 volumes, or Provisioned IOPS (PIOPS) SSDs, are best for: Critical business applications that require sustained IOPS performance, or more than 10,000 IOPS or 160 MiB/s of throughput per volume, like large database workloads, such as MongoDB.)
EBS: A user is trying to create a PIOPS EBS volume with 8 GB size and 200 IOPS. Will AWS create the volume?
Yes, since the ratio between EBS and IOPS is less than 30
EBS: An existing application stores sensitive information on a non-boot Amazon EBS data volume attached to an Amazon Elastic Compute Cloud instance. Which of the following approaches would protect the sensitive data on an Amazon EBS volume?
Create and mount a new, encrypted Amazon EBS volume. Move the data to the new volume. Delete the old Amazon EBS volume.
EBS: lowest cost for Amazon Elastic Block Store snapshots while giving you the ability to fully restore data
Maintain a single snapshot the latest snapshot is both Incremental and complete
EBS: Which procedure for backing up a relational database on EC2 that is using a set of RAIDed EBS volumes for storage minimizes the time during which the database cannot be written to and results in a consistent backup?
Suspend disk I/O, 2. Start EBS snapshot of volumes, 3. Wait for snapshots to complete, 4. Resume disk I/O
EBS: How can an EBS volume that is currently attached to an EC2 instance be migrated from one Availability Zone to another?
Create a snapshot of the volume, and create a new volume from the snapshot in the other AZ
EBS: Why are more frequent snapshots of EBS Volumes faster?
The snapshots are incremental so that only the blocks on the device that have changed after your last snapshot are saved in the new snapshot.
EBS: There is a very serious outage at AWS. EC2 is not affected, but your EC2 instance deployment scripts stopped working in the region with the outage. What might be the issue?
S3 is unavailable, so you can't create EBS volumes from a snapshot you use to deploy new volumes. (EBS volume snapshots are stored in S3. If S3 is unavailable, snapshots are unavailable)
EBS: running a database on an EC2 instance, with the data stored on Elastic Block Store (EBS) for persistence At times throughout the day, you are seeing large variance in the response times of the database queries Looking into the instance with the isolate command you see a lot of wait time on the disk volume that the database's data is stored on.
Move the database to an EBS-Optimized Instance, Use Provisioned IOPs EBS
EBS: A user has deployed an application on an EBS backed EC2 instance. For a better performance of application, it requires dedicated EC2 to EBS traffic. How can the user achieve this?
Launch the EC2 instance as EBS optimized with PIOPS EBS
EBS: launched an EC2 instance with four (4) 500 GB EBS Provisioned IOPS volumes attached. The EC2 Instance is EBS-Optimized and supports 500 Mbps throughput between EC2 and EBS. The two EBS volumes are configured as a single RAID 0 device, and each Provisioned IOPS volume is provisioned with 4,000 IOPS (4000 16KB reads or writes) for a total of 16,000 random IOPS on the instance. The EC2 Instance initially delivers the expected 16,000 IOPS random read and write performance. Sometime later in order to increase the total random I/O performance of the instance, you add an additional two 500 GB EBS Provisioned IOPS volumes to the RAID. Each volume is provisioned to 4,000 IOPS like the original four for a total of 24,000 IOPS on the EC2 instance Monitoring shows that the EC2 instance CPU utilization increased from 50% to 70%, but the total random IOPS measured at the instance level does not increase at all. What is the problem and a valid solution?
EBS-Optimized throughput limits the total IOPS that can be utilized use an EBS-Optimized instance that provides larger throughput. (EC2 Instance types have limit on max throughput and would require larger instance types to provide 24000 IOPS)
EBS: Migrate legacy, The VM's single 10GB VMDK is almost full. The virtual network interface still uses the 10Mbps driver, which leaves your 100Mbps WAN connection completely underutilized. It is currently running on a highly customized Windows VM within a VMware environment: You do not have the installation media. This is a mission critical application with an RTO (Recovery Time Objective) of 8 hours. RPO (Recovery Point Objective) of 1 hour. How could you best migrate this application to AWS while meeting your business continuity requirements?
Use the EC2 VM Import Connector for vCenter to import the VM into EC2
EBS: moving a legacy application from a virtual machine running inside your datacenter to an Amazon VPC. Unfortunately this app requires access to a number of on-premises services and no one who configured the app still works for your company. Even worse there's no documentation for it. What will allow the application running inside the VPC to reach back and access its internal dependencies without being reconfigured?
An AWS Direct Connect link between the VPC and the network housing the internal services (VPN or a DX for communication), An IP address space that does not conflict with the one on-premises (IP address cannot conflict), ⢠A VM Import of the current virtual machine (VM Import to copy the VM to AWS as there is no documentation it can't be configured from scratch)
EC2: to ensure the highest network performance (packets per second), lowest latency, and lowest jitter
Enhanced networking (provides network ⢠Amazon VPC (Enhanced networking works only in VPC)
EC2: host a web server as well as an app server on a single EC2 instance, which is a part of the public subnet of a VPC, setup to have two separate public IPs and separate security groups for both the application as well as the web server
Launch a VPC instance with two network interfaces. Assign a separate security group and elastic IP to them (AWS cannot assign public IPs for instance with multiple ENIs)
EC2: organization wants to implement two separate SSLs for the separate modules although it is already using VPC
Create a VPC instance, which will have multiple network interfaces with multiple elastic IP addresses
EC2: You launch an Amazon EC2 instance without an assigned AWS identity and Access Management (IAM) role. Later, you decide that the instance should be running with an IAM role
Create a new IAM role with the same permissions as an existing IAM role, and assign it to the running instance. (As per AWS latest enhancement, this is possible now)
EC2: items are required to allow an application deployed on an EC2 instance to write data to a DynamoDB table...
Create an IAM Role that allows write access to the DynamoDB table, Add an IAM Role to a running EC2 instance. (As per AWS latest enhancement, this is possible now)
EC2: an application, which will be hosted on EC2. The application makes calls to DynamoDB to fetch certain data
The user should attach an IAM role with DynamoDB access to the EC2 instance
EC2: is leveraging IAM Roles for EC2 for accessing object stored in S3. Which two of the following IAM policies control access to you S3 objects
An IAM trust policy allows the EC2 instance to assume an EC2 instance role, An IAM access policy allows the EC2 role to access S3 objects
EC2: an application running on an EC2 Instance, which will allow users to download files from a private S3 bucket using a pre-assigned URL. Before generating the URL the application should verify the existence of the file in S3
Create an IAM role for EC2 that allows list access to objects in the S3 bucket. Launch the instance with the role, and retrieve the role's credentials from the EC2 Instance metadata
EC2: 256. What does the following command do with respect to the Amazon EC2 security groups? ec2-revoke RevokeSecurityGroupIngress
Removes one or more rules from a security group
EC2: running a batch process on EBS backed EC2 instances. The batch process starts a few instances to process Hadoop Map reduce jobs, which can run between 50 - 600 minutes or sometimes for more time. The user wants to configure that the instance gets terminated only when the process is completed. How can the user configure this with CloudWatch?
Setup the CloudWatch action to terminate the instance when the CPU utilization is less than 5%
EC2: trying to connect via SSH to a newly created Amazon EC2 instance and get one of the following error messages: "Network error: Connection timed out" or "Error connecting to instance], reason: -> Connection timed out: connect," You have confirmed that the network and security group rules are configured correctly and the instance is passing status checks
Verify that the private key file corresponds to the Amazon EC2 key pair assigned at launch, ⢠Verify that you are connecting with the appropriate user name for your AMI
S3: A user wants to upload a complete folder to AWS S3 using the S3 Management console
Use the Enable Enhanced Uploader option from the S3 console while uploading objects (NOTE - Its no longer supported by AWS)
S3: You run an ad-supported photo sharing website using S3 to serve photos to visitors of your site. At some point you find out that other sites have been linking to the photos on your site, causing loss to your business.
Remove public read access and use signed URLs with expiry dates
S3: Your customer needs to create an application to allow contractors to upload videos to Amazon Simple Storage Service (S3) so they can be transcoded into a different format. She creates AWS Identity and Access Management (IAM) users for her application developers, and in just one week, they have the application hosted on a fleet of Amazon Elastic Compute Cloud (EC2) instances. The attached IAM role is assigned to the instances. As expected, a contractor who authenticates to the application is given a pre-signed URL that points to the location for video upload. However, contractors are reporting that they cannot upload their videos{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "s3:", "Resource": "" } ] }
The application is not using valid security credentials to generate the pre-signed URL, The pre-signed URL has expired
S3: A customer wants to track access to their Amazon Simple Storage Service (S3) buckets and also use this information for their internal security and access audits
Enable server access logging for all required Amazon S3 buckets
S3: While testing the new web fonts, Company ABCD recognized the web fonts are being blocked by the browser
Configure the abcdfonts bucket to allow cross-origin requests by creating a CORS configuration
S3: Your department creates regular analytics reports from your company's log files. All log data is collected in Amazon S3 and processed by daily Amazon Elastic Map Reduce (EMR) jobs that generate daily PDF reports and aggregated tables in CSV format for an Amazon Redshift data warehouse, optimize costs...
Use reduced redundancy storage (RRS) for all data in S3. Use a combination of Spot instances and Reserved Instances for Amazon EMR jobs. Use Reserved instances for Amazon Redshift (Combination of the Spot and reserved with guarantee performance and help reduce cost. Also, RRS would reduce cost and guarantee data integrity, which is different from data durability )
S3:the one-time launch of an Elastic MapReduce cluster minimize the costs, cluster ingest 200TB of genomics data with a total of 100 Amazon EC2 instances and is expected to run for around four hours. The resulting data set must be stored temporarily until archived into an Amazon RDS Oracle instance
Store ingest and output files in Amazon S3. Deploy on-demand for the master and core nodes and spot for the task nodes.
S3: features helps to prevent and recover from accidental data loss
Enable versioning on your S3 Buckets, ⢠Configure your S3 Buckets with MFA delete
S3: user has not enabled versioning on an S3 bucket
version ID will be null
S3: object is stored in the Standard S3 storage class and you want to move it to Glacier
Create a lifecycle policy that will migrate it after a minimum of 30 days. (Any object uploaded to S3 must first be placed into either the Standard, Reduced Redundancy, or Infrequent Access storage class. Once in S3 the only way to move the object to glacier is through a lifecycle policy)
S3: a large amount of aerial image data to S3, have used a dedicated group of servers to oaten process this data and used Rabbit MQ, an open source messaging system, to get job information to the servers. Once processed the data would go to tape and be shipped offsite, minimize cost
Setup Auto-Scaled workers triggered by queue depth that use spot instances to process messages in SQS. Once data is processed, change the storage class of the S3 objects to Glacier (Glacier suitable for Tape backup)
S3: a proprietary data store on-premises that must be backed up daily by dumping the data store contents to a single compressed 50GB file and sending the file to AWS. Your SLAs state that any dump file backed up within the past 7 days can be retrieved within 2 hours, all data must be held indefinitely. The time required to restore the data store from a backup is approximately 1 hour, on-,premise network connection is capable of sustaining 1gbps to AWS, cost effective
Transfer the daily backup files to S3 and use appropriate bucket lifecycle policies to send to Glacier (Store in S3 for seven days and then archive to Glacier) Note:Storage Gateway with Gateway-Cached Volumes isn't cost effective.
S3: restrict access to data
Set an S3 ACL on the bucket or the object, Set an S3 bucket policy
S3: is a valid ID to grant permission to other AWS accounts
Canonical user ID
S3: prevent an IP address block from accessing public objects in an S3 bucket
Create a bucket policy and apply it to the bucket
S3: user wants to make the objects public
Set the AWS bucket policy which marks all objects as public
S3: serve static assets for your public-facing web application
Set permissions on the object to public read during upload, Configure the bucket policy to set all objects to public read
S3: best suitable to allow access to the log bucket
Provide ACL for the logging group
S3: A bucket owner has allowed another account's IAM users to upload or access objects in his bucket. The IAM user of Account A is trying to access an object created by the IAM user of account B
AWS S3 will verify proper rights given by the owner of Account A, the bucket owner as well as by the IAM user B to the object
S3: data is encrypted at rest
Use Amazon S3 server-side encryption with AWS Key Management Service managed keys, Encrypt the data on the client-side before ingesting to Amazon S3 using their own master key
S3: 311. You are designing a personal document-archiving solution for your global enterprise with thousands of employee. Each employee has potentially gigabytes of data to be backed up in this archiving solution. The solution will be exposed to the employees as an application, where they can just drag and drop their files to the archiving system. Employees can retrieve their archives through a web interface. The corporate network has high bandwidth AWS DirectConnect connectivity to AWS. You have regulatory requirements that all data needs to be encrypted before being uploaded to the cloud. How do you implement this in a highly available and cost efficient way
⢠Manage encryption keys in amazon Key Management Service (KMS), upload to amazon simple storage service (s3) with client-side encryption using a KMS customer master key ID and configure Amazon S3 lifecycle policies to store each object using the amazon glacier storage tier. (with CSE-KMS the encryption happens at client side before the object is upload to S3 and KMS is cost effective as well)
S3: enabled server side encryption with S3
S3 manages encryption and decryption automatically
S3: When uploading an object, what request header can be explicitly specified in a request to Amazon S3 to encrypt object data when saved on the server side
x-amz-server-side-encryption
S3: 314. A media company produces new video files on-premises every day with a total size of around 100GB after compression. All files have a size of 1-2 GB and need to be uploaded to Amazon S3 every night in a fixed time window between 3am and 5am. Current upload takes almost 3 hours, although less than half of the available bandwidth is used
Upload the files in parallel to S3 using multipart upload
S3: 150 PUT requests per second
Add a random prefix to the key names.
S3: protection against accidental loss of data stored in Amazon S3
Set bucket policies to restrict deletes, and also enable versioning
S3: an aggressive marketing plan, and expect to double their current installation base every six months. Due to the nature of their business, they are expecting sudden and large increases to traffic to and from S3
You must find out total number of requests per second at peak usage (# of customers doesn't matter, Size does not relate to the key namespace design but the count does, S3 provided unlimited storage the key namespace design would depend on the number)
S3: business model to support both free tier and premium tier users. The premium tier users will be allowed to store up to 200GB of data and free tier customers will be allowed to store only 5GB. The customer expects that billions of files will be stored. All users need to be alerted when approaching 75 percent quota utilization and again at 90 percent quota use.
Utilize the amazon simple workflow service activity worker that updates the users data counter in amazon dynamo DB. The activity worker will use simple email service to send an email if the counter increases above the appropriate thresholdsm (List operations on S3 not feasible, RDS but with so many objects )
S3: the web application allow users to upload large files while resuming and pausing the upload as needed, files are uploaded to your php front end backed by Elastic Load Balancing and an autoscaling fleet of amazon elastic compute cloud (EC2) instances that scale upon average of bytes received (NetworkIn). After a file has been uploaded. it is copied to amazon simple storage service(S3). Amazon EC2 instances use an AWS Identity and Access Management (AMI) role that allows Amazon S3 uploads, scale have increased significantly, forcing you to increase the auto scaling groups Max parameter, optimize
Re-architect your ingest pattern, have the app authenticate against your identity provider as a broker fetching temporary AWS credentials from AWS Secure token service (GetFederation Token). Securely pass the credentials and S3 endpoint/prefix to your app. Implement client-side logic that used the S3 multipart upload API to directly upload the file to Amazon S3 using the given credentials and S3 Prefix. (multipart allows one to start uploading directly to S3 before the actual size is known or complete data is downloaded)
RDS: multi-tier web application on AWS, add a reporting tier to the application, reporting tier will aggregate and publish status reports every 30 minutes from user-generated information that is being stored in your web applications database, you have Multi-AZ RDS MySQL instance for the database tierand ElastiCache as a database caching layer between the application tier and database tier.
Launch a RDS Read Replica connected to your Multi-AZ master database and generate reports by querying the Read Replica.
RDS: company has limited staff and requires high availability
Amazon RDS for MySQL with Multi-AZ
RDS:
...
RDS: a major public announcement of a social media site on AWS. The website is running on EC2 instances deployed across multiple Availability Zones with a Multi-AZ RDS MySQL Extra Large DB Instance. The site performs a high number of small reads and writes per second and relies on an eventual consistency model, read contention
Deploy ElastiCache in-memory cache running in each availability zone, Add an RDS MySQL read replica in each availability zone
RDS: a multi-regional deployment, a 3-tier architecture and currently uses MySQL 5.6 for data persistence, each region has deployed its own database, In the HQ region you run an hourly batch process reading data from every region to compute cross-regional reports that are sent by email to all offices this batch process must be completed as fast as possible to quickly optimize logistics
For each regional deployment, use RDS MySQL with a master in the region and a read replica in the HQ region
RDS: to an RDS (Relational Database Service) multi-Availability Zone deployment if the primary DB instance fails
The canonical name record (CNAME) is changed from primary to standby
RDS: Large analytics jobs on the database are likely to cause other applications to not be able to get the query results they need to, before time out. Also, as your data grows, these analytics jobs will start to take more time, increasing the negative effect on the other applications
Create RDS Read-Replicas for the analytics work
RDS: promote one of them, what happens to the rest of the Read Replicas
The remaining Read Replicas will still replicate from the older master DB Instance
RDS: operating at 10% writes and 90% reads, based on your logging
Create read replicas for RDS since the load is mostly reads
RDS: My Read Replica appears "stuck" after a Multi-AZ failover and is unable to obtain or apply updates from the source DB Instance
delete the Read Replica and create a new one to replace it
RDS: running a batch analysis every hour on their main transactional DB running on an RDS MySQL instance to populate their central Data Warehouse running on Redshift. During the execution of the batch their transactional applications are very slow. When the batch completes they need to update the top management dashboard with the new data. The dashboard is produced by another system running on-premises that is currently started when a manually-sent email notifies that an update is required
Create an RDS Read Replica for the batch analysis and SNS to notify me on-premises system to update the dashboard
RDS: When should I choose Provisioned IOPS over Standard RDS storage
If you use production online transaction processing (OLTP) workloads
RDS:
...
RDS:
...
RBS
...
RBS: Which Amazon RDS feature will allow you to reliably restore your database to within 5 minutes
RDS automated backup
RDS: user will not use the DB for the next 3 months
Create a snapshot of RDS to launch in the future and terminate the instance now
RDS: in a public subnet
Security risk...Making RDS accessible to the public internet in a public subnet poses a security risk, by making your database directly addressable and spammable. DB instances deployed within a VPC can be configured to be accessible from the Internet or from EC2 instances outside the VPC. If a VPC security group specifies a port access such as TCP port 22, you would not be able to access the DB instance because the firewall for the DB instance provides access only via the IP addresses specified by the DB security groups the instance is a member of and the port defined when the DB instance was created.
RDS: three CloudWatch RDS metrics will allow you to identify if the database is the bottleneck
The number of outstanding IOs waiting to access the disk, The amount of write latency, The amount of time a Read Replica DB Instance lags behind the source DB Instance
RDS: In the Amazon CloudWatch, which metric should I be checking to ensure that your DB Instance has enough free storage space?
FreeStorageSpace
RDS: running a database on an EC2 instance, data stored on Elastic Block Store (EBS) for persistence, large variance in the response times of the database queries, with instance isolate command you see a lot of wait time on the disk volume that the database's data is stored on
Move the database to an EBS-Optimized Instance, Use Provisioned IOPs EBS
SQS: a workflow that sends video files from their on-premise system to AWS for transcoding. They use EC2 worker instances that pull transcoding jobs from SQS
SQS helps to facilitate horizontal scaling of encoding tasks
SQS: Automate the process of sending an email notification to administrators when the CPU utilization reaches 70% on production servers (Amazon EC2 instances)
CloudWatch + SNS + SES
SQS: Coordinate work across distributed web services to process employee's expense reports
SWF - Steps in order and might need manual steps
SQS: Distribute static web content to end users with low latency across multiple countries
CloudFront + S3
SQS: Files submitted by your premium customers must be transformed with the highest priority
Use two SQS queues, one for high priority messages, and the other for default priority. Transformation instances first poll the high priority queue; if there is no message, they poll the default priority queue
SQS: consumers of queue is down for 3 days and then becomes available
Yes, since SQS by default stores message for 4 days
SQS: queue named "queue2" in US-East region with AWS SQS
http://sqs.us-east-1.amazonaws.com/123456789012/queue2
SQS: A user has created a photo editing software and hosted it on EC2. The software accepts requests from the user about the photo format and resolution and sends a message to S3 to enhance the picture accordingly.
SQS makes process scalable
SQS: a batch processing solution using Simple Queue Service (SQS) to set up a message queue between EC2 instances, which are used as batch processors. Cloud Watch monitors the number of Job requests (queued messages) and an Auto Scaling group adds or deletes batch servers automatically based on parameters set in Cloud Watch alarms.
Coordinate number of EC2 instances with number of job requests automatically thus Improving cost effectiveness
SQS: How does Amazon SQS allow multiple readers to access the same message queue without losing messages or processing them many times?
Amazon SQS queue has a configurable visibility timeout
SQS: A user has created photo editing software and hosted it on EC2. The software accepts requests from the user about the photo format and resolution and sends a message to S3 to enhance the picture accordingly.
Use SQS to make a scalable
SQS: How do you configure SQS to support longer message retention
Set the MessageRetentionPeriod attribute using the SetQueueAttributes method
SQS: How long can you keep your Amazon SQS messages in Amazon SQS queues?
From 60 secs up to 2 weeks
SQS: When a Simple Queue Service message triggers a task that takes 5 minutes to complete, which process below will result in successful processing of the message and remove it from the queue while minimizing the chances of duplicate processing?
Retrieve the message with an increased visibility timeout, process the message, delete the message from the queue
SQS: You need to process long-running jobs once and only once
Use an SQS queue and set the visibility timeout to long enough for jobs to process
SQS: an asynchronous processing application using an Auto Scaling Group and an SQS Queue. The Auto Scaling Group scales according to the depth of the job queue. The completion velocity of the jobs has gone down, the Auto Scaling Group size has maxed out, but the inbound job velocity did not increase.
Some of the new jobs coming in are malformed and unprocessable. (As other options would cause the job to stop processing completely, the only reasonable option seems that some of the recent messages must be malformed and unprocessable)
SQS: You are getting a lot of empty receive requests when using Amazon SQS. This is making a lot of unnecessary network load on your instances. What can you do to reduce this load?
Use as long of a poll as possible, instead of short polls
DX: operational concern should drive an organization to consider switching from an Internet-based VPN connection to AWS Direct Connect
Direct Connect provides greater bandwidth than an Internet-based VPN connection.
DX: A customer has established an AWS Direct Connect connection to AWS. The link is up and routes are being advertised from the customer's end, however the customer is unable to connect from EC2 instances inside its VPC to servers residing in its datacenter.
Enable route propagation to the Virtual Private Gateway (VGW), Modify the Instances VPC subnet route table by adding a route back to the customer's on-premises environment
DX: A company has configured and peered two VPCs: VPC-1 and VPC-2. VPC-1 contains only private subnets, and VPC-2 contains only public subnets. The company uses a single AWS Direct Connect connection and private virtual interface to connect their on-premises network with VPC-1. Which two methods increase the fault tolerance of the connection to VPC-1?
Establish a hardware VPN over the internet between VPC-1 and the on-premises network, ⢠Establish a new AWS Direct Connect connection and private virtual interface in the same AWS region as VPC-1
DX:
...
DX:
...
DX: from dynamically routed VPN, you provisioned a Direct Connect connection and would like to start using the new connection. After configuring Direct Connect settings in the AWS Console
Update your VPC route tables to point to the Direct Connect connection configure your Direct Connect router with the appropriate settings verify network traffic is leveraging Direct Connect and then delete the VPN connection
DX: You are designing the network infrastructure for an application server in Amazon VPC. Users will access all the application instances from the Internet as well as from an on-premises network The on-premises network is connected to your VPC over an AWS Direct Connect link. How would you design routing to meet the above requirements
Configure a single routing table with a default route via the internet gateway. Propagate specific routes for the on-premises networks via BGP on the AWS Direct Connect customer router. Associate the routing table with all VPC subnets.
DX: implementing AWS Direct Connect. You intend to use AWS public service end points such as Amazon S3, across the AWS Direct Connect link. You want other Internet traffic to use your existing link to an Internet Service Provider. What is the correct way to configure AWS Direct Connect for access to services such as Amazon S3?
Create a public interface on your AWS Direct Connect link. Redistribute BGP routes into your existing routing infrastructure advertise specific routes for your network to AWS
DX: Create a public interface on your AWS Direct Connect link. Redistribute BGP routes into your existing routing infrastructure advertise specific routes for your network to AWS
Provision a VPN connection between a VPC and existing on -premises equipment, submit a DirectConnect partner request to provision cross connects between your data center and the DirectConnect location, then cut over from the VPN connection to one or more DirectConnect connections as needed.
DX: app requires access to a number of on-premises services and no one who configured the app still works for your company. Even worse there's no documentation for it. What will allow the application running inside the VPC to reach back and access its internal dependencies without being reconfigured
An AWS Direct Connect link between the VPC and the network housing the internal services (VPN or a DX for communication), An IP address space that does not conflict with the one on-premises (IP address cannot conflict), A VM Import of the current virtual machine (VM Import to copy the VM to AWS as there is no documentation it can't be configured from scratch)
SG: Which of the following services natively encrypts data at rest within an AWS region?
AWS Storage Gateway, Amazon Glacier
SG: What does the AWS Storage Gateway provide
It allows to integrate on-premises IT environments with Cloud Storage
SG: running an application on-premises due to its dependency on non-x86 hardware and want to use AWS for data backup. Your backup application is only able to write to POSIX-compatible block-based storage. You have 140TB of data and would like to mount it as a single folder on your file server. Users must be able to access portions of this data while the backups are taking place.
Use Storage Gateway and configure it to use Gateway Stored volumes (Data is hosted on the On-premise server as well. The requirement for 140TB is for file server On-Premise more to confuse and not in AWS. Just need a backup solution hence stored instead of cached volumes)
SG: . A customer has a single 3-TB volume on-premises that is used to hold a large repository of images and print layout files. This repository is growing at 500 GB a year and must be presented as a single logical volume, constrained with their local storage capacity and wants an off-site backup of this data, while maintaining low-latency access to their frequently accessed data
Gateway-Cached volumes with snapshots scheduled to Amazon S3
SG: A customer implemented AWS Storage Gateway with a gateway-cached volume at their main office. An event takes the link between the main and branch office offline. Which methods will enable the branch office to access their data
Launch a new AWS Storage Gateway instance AMI in Amazon EC2, and restore from a gateway snapshot, Create an Amazon EBS volume from a gateway snapshot, and mount it to an Amazon EC2 instance, Launch an AWS Storage Gateway virtual iSCSI device at the branch office, and restore from a gateway snapshot
SG: You have a proprietary data store on-premises that must be backed up daily by dumping the data store contents to a single compressed 50GB file and sending the file to AWS. Your SLAs state that any dump file backed up within the past 7 days can be retrieved within 2 hours. Your compliance department has stated that all data must be held indefinitely. The time required to restore the data store from a backup is approximately 1 hour. Your on-premise network connection is capable of sustaining 1gbps to AWS. Which backup methods to AWS would be most cost-effective while still meeting all of your requirements
Transfer the daily backup files to S3 and use appropriate bucket lifecycle policies to send to Glacier (Store in S3 for seven days and then archive to Glacier)
ELB: A user has configured an HTTPS listener on an ELB. The user has not configured any security policy which can help to negotiate SSL between the client and ELB. What will ELB do in this scenario?
By default ELB will select the latest version of the policy
ELB: A user has configured ELB with a TCP listener at ELB as well as on the back-end instances. The user wants to enable a proxy protocol to capture the source and destination IP information in the header.
If the end user is requesting behind a proxy server then the user should not enable a proxy protocol on ELB (double proxy)
A user has enabled session stickiness with ELB. The user does not want ELB to manage the cookie; instead he wants the application to manage the cookie. What will happen when the server instance, which is bound to a cookie, crashes?
The session will not be sticky until a new cookie is inserted
ELB: A user has launched an ELB which has 5 instances registered with it. The user deletes the ELB by mistake. What will happen to the instances?
Instances will keep running
ELB: A customer has a web application that uses cookie based sessions to track logged in users. It is deployed on AWS using ELB and Auto Scaling. The customer observes that when load increases Auto Scaling launches new Instances but the load on the existing Instances does not decrease, causing all existing users to have a sluggish experience.
ELB's behavior when sticky sessions are enabled causes ELB to send requests in the same session to the same backend, the web application uses long polling such as comet or websockets. Thereby keeping a connection open to a web server for a long time
ELB: A customer has an online store that uses the cookie-based sessions to track logged-in customers. It is deployed on AWS using ELB and autoscaling. When the load increases, Auto scaling automatically launches new web servers, but the load on the web servers do not decrease. This causes the customers a poor experience.
ELB is configured to send requests with previously established sessions
ELB: a multi-platform web application for AWS. The application will run on EC2 instances and will be accessed from PCs, tablets and smart phones. Separate sticky session and SSL certificate setups are required for different platform types.
Assign multiple ELBs to an EC2 instance or group of EC2 instances running the common components of the web application, one ELB for each platform type. Session stickiness and SSL termination are done at the ELBs. (Session stickiness requires HTTPS listener with SSL termination on the ELB and ELB does not support multiple SSL certs so one is required for each cert)
ELB: migrating a legacy client-server application, specific DNS domain, a 2-tier architecture, multiple application servers and a database server, remote clients use TCP to connect to the application servers. The application servers need to know the IP address of the clients in order to function properly and are currently taking that information from the TCP socket. A Multi-AZ RDS MySQL instance will be used for the database.
File a change request to implement Proxy Protocol support in the application. Use an ELB with a TCP Listener and Proxy Protocol enabled to distribute load on two application servers in different AZs. (ELB with TCP listener and proxy protocol will allow IP to be passed )
ELB: web-style application with a stateless but CPU and memory-intensive web tier running on a cc2 8xlarge EC2 instance inside of a VPC. The instance when under load is having problems returning requests within the SLA as defined by your business The application maintains its state in a DynamoDB table, but the data tier is properly provisioned and responses are consistently fast
Add another cc2 8xlarge application instance, and put both behind an Elastic Load Balancer
ELB: even distribution of traffic to Amazon EC2 instances in multiple Availability Zones registered with a load balancer
cross-zone load balancing
ELB: Your application currently leverages AWS Auto Scaling to grow and shrink as load Increases/ decreases and has been performing well. Your marketing team expects a steady ramp up in traffic to follow an upcoming campaign that will result in a 20x growth in traffic over 4 weeks. Your forecast for the approximate number of Amazon EC2 instances necessary to meet the peak demand is 175. What should you do to avoid potential service disruptions during the ramp up in traffic
Check the service limits in Trusted Advisor and adjust as necessary so the forecasted count remains within limits.
ELB: a web application running on six Amazon EC2 instances, consuming about 45% of resources on each instance. You are using auto-scaling to make sure that six instances are running at all times. The number of requests this application processes is consistent and does not experience spikes. The application is critical to your business and you want high availability at all times. You want the load to be distributed evenly between all instances. You also want to use the same Amazon Machine Image (AMI) for all instances
Deploy 3 EC2 instances in one availability zone and 3 in another availability zone and use Amazon Elastic Load Balancer
ELB:You are designing an SSL/TLS solution that requires HTTPS clients to be authenticated by the Web server using client certificate authentication. The solution must be resilient. Which of the following options would you consider for configuring the web server infrastructure
Configure ELB with TCP listeners on TCP/443. And place the Web servers behind it. (terminate SSL on the instance using client-side certificate), Configure your Web servers with EIPs. Place the Web servers in a Route53 Record Set and configure health checks against all Web servers. (Remove ELB and use Web Servers directly with Route 53)
ELB: App contains protected health information, must use encryption at rest and in transit, a three-tier architecture where data flows through the load balancer and is stored on Amazon EBS volumes for processing, and the results are stored in Amazon S3 using the AWS SDK,
Use TCP load balancing on the load balancer, SSL termination on the Amazon EC2 instances, OS-level disk encryption on the Amazon EBS volumes, and Amazon S3 with server-side encryption, Use SSL termination on the load balancer, an SSL listener on the Amazon EC2 instances, Amazon EBS encryption on EBS volumes containing PHI, and Amazon S3 with server-side encryption.
ELB: ensure that load-testing HTTP requests are evenly distributed across the four web servers
Re-configure the load-testing software to re-resolve DNS for each web request, Use a third-party load-testing service which offers globally distributed test clients
ELB: the product grows even more popular and you need additional capacity As a result, your company purchases two c3.2xlarge medium utilization RIs You register the two c3.2xlarge instances with your ELB and quickly find that the ml large instances are at 100% of capacity and the c3.2xlarge instances have significant capacity that's unused
Use a separate ELB for each instance type and distribute load to ELBs with Route 53 weighted round robin
ELB: header received at the EC2 instance identifies the port used by the client while requesting ELB
X-Forwarded-Port
ELB: A user is configuring the HTTPS protocol on a front end ELB and the SSL protocol for the back-end listener in ELB
It will not allow you to create this configuration (Will give error "Load Balancer protocol is an application layer protocol, but instance protocol is not. Both the Load Balancer protocol and the instance protocol should be at the same layer. Please fix.")
ELB: A user has configured a website and launched it using the Apache web server on port 80. The user is using ELB with the EC2 instances for Load Balancing. What should the user do to ensure that the EC2 instances accept requests only from ELB
Configure the security group of EC2, which allows access to the ELB source security group
ELB: AWS Elastic Load Balancer supports SSL termination
For all regions
ELB: customer needs to capture all client connection information from their load balancer every five minutes
Enable access logs on the load balancer
53: true about Amazon Route 53 resource records
An Alias record can map one DNS name to another Amazon Route 53 DNS name, an Amazon Route 53 CNAME record can point to any DNS record hosted anywhere
53: A customer is hosting their company website on a cluster of web servers that are behind a public-facing load balancer. The customer also uses Amazon Route 53 to manage their public DNS. How should the customer configure the DNS zone apex record to point to the load balancer
Create an A record aliased to the load balancer DNS name
53: How can the domain's zone apex for example "myzoneapexdomain com" be pointed towards an Elastic Load Balancer
By using an Amazon Route 53 Alias record
Consolidated Billing: You are looking to migrate your Development (Dev) and Test environments to AWS. You have decided to use separate AWS accounts to host each environment. You plan to link each accounts bill to a Master AWS account using Consolidated Billing. To make sure you keep within budget you would like to implement a way for administrators in the Master account to have access to stop, delete and/or terminate resources in both the Dev and Test accounts. Identify which option will allow you to achieve this goal.
Create IAM users in the Master account. Create cross-account roles in the Dev and Test accounts that have full Admin permissions and grant the Master account access.
Consolidated Billing: . A customer needs corporate IT governance and cost oversight of all AWS resources consumed by its divisions. The divisions want to maintain administrative control of the discrete AWS resources they consume and keep those resources separate from the resources of other divisions.
Enable IAM cross-account access for all corporate IT administrators in each child account. (provides IT goverance), use AWS Consolidated Billing to link the divisions' accounts to a parent corporate account (will provide cost oversight)
Consolidated Billing An organization has 10 departments. The organization wants to track the AWS usage of each department. Which of the below mentioned options meets the requirement
Create separate accounts for each department, but use consolidated billing for payment and tracking
Consolidated Billing: An organization has added 3 of his AWS accounts to consolidated billing. One of the AWS accounts has purchased a Reserved Instance (RI) of a small instance size in the us-east-1a zone. All other AWS accounts are running instances of a small size in the same zone. What will happen in this case for the RI pricing
Any single instance from all the three accounts can get the benefit of AWS RI pricing if they are running in the same zone and are of the same size
53: Your API requires the ability to stay online during AWS regional failures. Your API does not store any state, it only aggregates data from other sources - you do not have a database. What is a simple but effective way to achieve this uptime goal?
Create a Route53 Latency Based Routing Record with Failover and point it to two identical deployments of your stateless API in two different regions. Make sure both regions use Auto Scaling Groups behind ELBs.
53: Your company is moving towards tracking web page users with a small tracking image loaded on each page. Currently you are serving this image out of us-east, but are starting to get concerned about the time it takes to load the image for users on the west coast. What are the two best ways to speed up serving this image?
Use Route 53's Latency Based Routing and serve the image out of us-west-2 as well as us-east-1, Serve the image out through CloudFront
CW: EC2 instances and DynamoDB tables deployed to several AWS Regions. In order to monitor the performance of the application globally, you would like to see two graphs 1) Avg CPU Utilization across all EC2 instances and 2) Number of Throttled Requests for all DynamoDB tables.
Use the CloudWatch CLI tools to pull the respective metrics from each regional endpoint. Aggregate the data offline & store it for graphing in CloudWatch
CW: A company needs to monitor the read and write IOPs metrics for their AWS MySQL RDS instance and send real-time alerts to their operations team.
Amazon CloudWatch, Amazon Simple Notification Service
CW: You have been asked to make sure your AWS Infrastructure costs do not exceed the budget set per project for each month.
Set up CloudWatch billing alerts for all AWS resources used by each account, with email notifications when it hits 50%. 80% and 90% of its budgeted monthly spend
CW:You have a high security requirement for your AWS accounts. What is the most rapid and sophisticated setup you can use to react to AWS API calls to your account
CloudWatch Events Rules, which trigger based on all AWS API calls, submitting all events to an AWS Kinesis Stream for arbitrary downstream analysis. (CloudWatch Events allow subscription to AWS API calls, and direction of these events into Kinesis Streams. This allows a unified, near real-time stream for all API calls, which can be analyzed with any tool(s))
CW: You are hired as the new head of operations for a SaaS company. Your CTO has asked you to make debugging any part of your entire operation simpler and as fast as possible. She complains that she has no idea what is going on in the complex, service-oriented architecture, because the developers just log to disk, and it's very hard to find errors in logs on so many services.
Begin using CloudWatch Logs on every service. Stream all Log Groups into an AWS Elasticsearch Service Domain running Kibana 4 and perform log analysis on a search cluster. (ELK - Elasticsearch, Kibana stack is designed specifically for real-time, ad-hoc log analysis and aggregation)
CW:you also need to watch the watcher -the monitoring instance itself - and be notified if it becomes unhealthy.
Set a CloudWatch alarm based on EC2 system and instance status checks and have the alarm notify your operations team of any detected problem with the monitoring instance.
SNS: A user wants to make so that whenever the CPU utilization of the AWS EC2 instance is above 90%, the redlight of his bedroom turns on.
AWS CloudWatch + AWS SNS
SNS: to send direct notification messages to individual devices each device registration identifier or token needs to be registered with SNS
Call the CreatePlatformEndpoint API function to register multiple device tokens.
SNS: running a batch analysis every hour on their main transactional DB running on an RDS MySQL instance to populate their central Data Warehouse running on Redshift. During the execution of the batch their transactional applications are very slow. When the batch completes they need to update the top management dashboard with the new data. The dashboard is produced by another system running on-premises that is currently started when a manually-sent email notifies that an update is required The on-premises system cannot be modified because is managed by another team.
Create an RDS Read Replica for the batch analysis and SNS to notify me on-premises system to update the dashboard
SNS: valid SNS delivery transports
HTTP, SMS
EBS vs Instance Store: provides the fastest storage medium
⢠SSD Instance (ephemeral) store (SSD Instance Storage provides 100,000 IOPS on some instance types, much faster than any network-attached storage)
IDS/IPS: implement an intrusion detection and prevention system into their deployed VPC. This platform should have the ability to scale to thousands of instances running inside of the VPC.
Configure each host with an agent that collects all network traffic and sends that traffic to the IDS/IPS platform for inspection
IDS/IPS:
Implement IDS/IPS agents on each Instance running In VPC, Implement a reverse proxy layer in front of web servers and configure IDS/IPS agents on each reverse proxy server
ELB & AS: leverage to enable an elastic and scalable web tier
Elastic Load Balancing, Amazon EC2, and Auto Scaling
ELB & AS: a lot of EC2 instances but may need to add more when the average utilization of your Amazon EC2 fleet is high and conversely remove them when CPU utilization is low
Auto Scaling, Amazon CloudWatch and Elastic Load Balancing
ELB & AS: A user has configured ELB with Auto Scaling. The user suspended the Auto Scaling AddToLoadBalancer, which adds instances to the load balancer. process for a while. What will happen to the instances launched during the suspension period
The instances will not be registered with ELB and the user has to manually register when the process is resumed
ELB & AS: You have an Auto Scaling group associated with an Elastic Load Balancer (ELB). You have noticed that instances launched via the Auto Scaling group are being marked unhealthy due to an ELB health check, but these unhealthy instances are not being terminated.
Add an Elastic Load Balancing health check to your Auto Scaling group
ELB & AS: You are responsible for a web application that consists of an Elastic Load Balancing (ELB) load balancer in front of an Auto Scaling group of Amazon Elastic Compute Cloud (EC2) instances. For a recent deployment of a new version of the application, a new Amazon Machine Image (AMI) was created, and the Auto Scaling group was updated with a new launch configuration that refers to this new AMI. During the deployment, you received complaints from users that the website was responding with errors. All instances passed the ELB health checks.
Set the Elastic Load Balancing health check configuration to target a part of the application that fully tests application health and returns an error if the tests fail, Create a new launch configuration that refers to the new AMI, and associate it with the group. Double the size of the group, wait for the new instances to become healthy, and reduce back to the original size. If new instances do not become healthy, associate the previous launch configuration.
CF: users upload two million blog entries a month. The average blog entry size is 200 KB. The access rate to blog entries drops to negligible 6 months after publication and users rarely access a blog entry 1 year after publication. Additionally, blog entries have a high update rate during the first 3 months following publication; this drops to no updates after 6 months
Create a CloudFront distribution with S3 access restricted only to the CloudFront identity and partition the blog entry's location in S3 according to the month it was uploaded to be used with CloudFront behaviors
CF: a large burst in web traffic, quickly improve your infrastructures
Offload traffic from on-premises environment Setup a CloudFront distribution and configure CloudFront to cache objects from a custom origin Choose to customize your object cache behavior, and select a TTL that objects should exist in cache.
CF: to distribute confidential training videos to employees
Create an Origin Access Identity (OAI) for CloudFront and grant access to the objects in your S3 bucket to that OAI.
CF: to deliver high-definition raw video for preproduction and dubbing to customer all around the world, and they require the ability to limit downloads per customer and video file to a configurable number
Enable URL parameter forwarding, let the authentication backend count the number of downloads per customer in RDS, and return the content S3 URL unless the download limit is reached, Configure a list of trusted signers, let the authentication backend count the number of download requests per customer in RDS, and return a dynamically signed URL unless the download limit is reached.
CF: a video on-demand streaming platform
Store the video contents to Amazon S3 as an origin server. Configure the Amazon CloudFront distribution with a download option to stream the video contents
CF: Anywhere in the world, your users can see local news on of topics they choose.
Use an Amazon Cloud Front distribution for uploading the content to a central Amazon Simple Storage Service (S3) bucket and for content delivery.
CF: To enable end-to-end HTTPS connections from the user's browser to the origin via CloudFront, which of the following options are valid
Use 3rd-party CA certificate in the origin and CloudFront default certificate in CloudFront, Use 3rd-party CA certificate in both origin and CloudFront (Origin cannot be self signed, CloudFront cert cannot be applied to origin)
CF: serving on-demand training videos to your workforce. Videos are uploaded monthly in high resolution MP4 format. Your workforce is distributed globally often on the move and using company-provided tablets that require the HTTP Live Streaming (HLS) protocol to watch a video
Elastic Transcoder to transcode original high-resolution MP4 videos to HLS. S3 to host videos with lifecycle Management to archive original flies to Glacier after a few days. CloudFront to serve HLS transcoded videos from S3
CF: You are designing a service that aggregates clickstream data in batch and delivers reports to subscribers via email only once per week. Data is extremely spikey, geographically distributed, high-scale, and unpredictable
⢠Use a CloudFront distribution with access log delivery to S3. Clicks should be recorded as query string GETs to the distribution. Reports are built and sent by periodically running EMR jobs over the access logs in S3. (CloudFront is a Gigabit-Scale HTTP(S) global request distribution service and works fine with peaks higher than 10 Gbps or 15,000 RPS. It can handle scale, geo-spread, spikes, and unpredictability. Access Logs will contain the GET data and work just fine for batch analysis and email using EMR. Other streaming options are expensive as not required as the need is to batch analyze)
CF: Your application consists of 10% writes and 90% reads. You currently service all requests through a Route53 Alias Record directed towards an AWS ELB, which sits in front of an EC2 Auto Scaling Group. Your system is getting very expensive when there are large traffic spikes during certain news events, during which many more people request to read similar data all at the same time.
Create a CloudFront Distribution and direct Route53 to the Distribution. Use the ELB as an Origin and specify Cache Behaviors to proxy cache requests, which can be served late. (CloudFront can serve request from cache and multiple cache behavior can be defined based on rules for a given URL pattern based on file extensions, file names, or any portion of a URL. Each cache behavior can include the CloudFront configuration values: origin server name, viewer connection protocol, minimum expiration period, query string parameters, cookies, and trusted signers for private content.)
EBS: QA team lead points out that you need to roll a sanitized set of production data into your environment on a nightly basis
Create your RDS instance separately and pass its DNS name to your app's DB connection string as an environment variable. Create a security group for client machines and add it as a valid source for DB traffic to the security group of the RDS instance itself. (Security group allows instances to access the RDS with new instances launched without any changes)
EBS: migration of a web application to AWS. The application consists of Linux web servers running a custom web server. You are required to save the logs generated from the application to a durable location.
Create a Dockerfile for the application. Create an AWS Elastic Beanstalk application using the Docker platform and the Dockerfile. Enable logging the Docker configuration to automatically publish the application logs. Enable log file rotation to Amazon S3. (Use Docker configuration with awslogs and EB with Docker), Use VM import/Export to import a virtual machine image of the server into AWS as an AMI. Create an Amazon Elastic Compute Cloud (EC2) instance from AMI, and install and configure the Amazon CloudWatch Logs agent. Create a new AMI from the instance. Create an AWS Elastic Beanstalk application using the AMI platform and the new AMI. (Use VM Import/Export to create AMI and CloudWatch logs agent to log)
EBS: What AWS products and features can be deployed by Elastic Beanstalk
Auto scaling groups, Elastic Load Balancers, RDS Instances
AS: a memory issue in the application which is causing CPU utilization to go above 90%. The higher CPU usage triggers an event for Auto Scaling as per the scaling policy. If the user wants to find the root cause inside the application without triggering a scaling activity, how can he achieve this
Suspend the scaling process until research is completed
AS: one web application where they have an Elastic Load Balancer in front of web instances in an Auto Scaling Group. When you check the metrics for the ELB in CloudWatch you see four healthy instances in Availability Zone (AZ) A and zero in AZ B. There are zero unhealthy instances
Make sure Auto Scaling is configured to launch in both AZs
AS: leverage Amazon VPC EC2 and SQS to implement an application that submits and receives millions of messages per second to a message queue. You want to ensure your application has sufficient bandwidth between your EC2 instances and SQS
Launch application instances in private subnets with an Auto Scaling group and Auto Scaling triggers configured to watch the SQS queue size
AS: highest on Thursday and Friday between 8 AM to 6 PM
Schedule Auto Scaling to scale up by 8 AM Thursday and scale down after 6 PM on Friday
AS: A sys admin is maintaining an application on AWS. The application is installed on EC2 and user has configured ELB and Auto Scaling. Considering future load increase, the user is planning to launch new servers proactively so that they get registered with ELB
Increase the desired capacity of the Auto Scaling group
AS: your application is scaling up and down multiple times in the same hour
Modify the Amazon CloudWatch alarm period that triggers your auto scaling scale down policy, Modify the Auto scaling group cool down timers
AS: critical two tier web app currently deployed in two availability zones in a single region, using Elastic Load Balancing and Auto Scaling, synchronous replication (very low latency connectivity) at the database layer, application needs to remain fully available even if one application Availability Zone goes off-line, and Auto scaling cannot launch new instances in the remaining Availability Zones
Deploy in three AZs, with Auto Scaling minimum set to handle 50% peak load per zone
AS: a launch configuration for Auto Scaling where CloudWatch detailed monitoring is disabled
Create a new Launch Config with detail monitoring enabled and update the Auto Scaling group
AS: an Auto Scaling group with default configurations from CLI. The user wants to setup the CloudWatch alarm on the EC2 instances, which are launched by the Auto Scaling group. The user has setup an alarm to monitor the CPU utilization every minute
It will fetch the data at every minute as detailed monitoring on EC2 will be enabled by the default launch configuration of Auto Scaling
AS: Auto Scaling with ELB on the EC2 instances. The user wants to configure that whenever the CPU utilization is below 10%, Auto Scaling should remove one instance
Configure CloudWatch to send a notification to the Auto Scaling group when the CPU Utilization is less than 10% and configure the Auto Scaling policy to remove the instance
AS: determine total number of instances in an Auto Scaling group including pending, terminating and running instances
GroupTotalInstances
AS: order fulfillment process for selling a personalized gadget that needs an average of 3-4 days to produce with some orders taking up to 6 months you expect 10 orders per day on your first day. 1000 orders per day after 6 months and 10,000 orders after 12 months, checked for consistency then dispatched to your manufacturing plant for production quality control packaging shipment and payment processing. If the product does not meet the quality standards at any stage of the process employees may force the process to repeat a step. Customers are notified via email about order status and any critical issues with their orders such as payment failure, Elastic Beanstalk for your website with an RDS MySQL
Use SWF with an Auto Scaling group of activity workers and a decider instance in another Auto Scaling group with min/max=1 use SES to send emails to customers.
SWF: use cases are Simple Workflow Service (SWF) and Amazon EC2 are appropriate solutions
Managing a multi-step and multi-decision checkout process of an e-commerce website, Orchestrating the execution of distributed and auditable business processes
SWF: . appropriate use cases for SWF with Amazon EC2
(1) Video encoding using Amazon S3 and Amazon EC2, large videos are uploaded to Amazon S3 in chunks. Application is built as a workflow where each video file is handled as one workflow execution, and (2) Processing large product catalogs using Amazon Mechanical Turk. While validating data in large catalogs, the products in the catalog are processed in batches. Different batches can be processed concurrently (orchestrating batching)
SWF: data rich and complex including assessments to ensure that the custom electronics and materials used to assemble the helmets are to the highest standards Assessments are a mixture of human and automated assessments you need to add a new set of assessment to model the failure modes of the custom electronics using GPUs with CUD across a cluster of servers with low latency networking
Use Amazon Simple Workflow (SWF) to manage assessments, movement of data & meta-data. Use an autoscaling group of G2 instances in a placement group. (Human and automated assessments with GPU and low latency networking)
Services: services allow the customer to retain full administrative privileges of the underlying EC2 instances
Amazon Elastic Map Reduce, AWS Elastic Beanstalk
Services: services provide root access
Elastic Beanstalk, EC2, Opswork
CF: You need to create a Route53 record automatically in CloudFormation when not running in production during all launches of a Template.
Use a <code>Parameter</code> for <code>environment</code>, and add a <code>Condition</code> on the Route53 <code>Resource</code> in the template to create the record only when <code>environment</code> is not <code>production</code>. (Best way to do this is with one template, and a Condition on the resource. Route53 does not allow null strings for Refer link)
CF: Intrinsic Functions
Fn::Base64, Fn::And, Fn::Equals, Fn::If, Fn::Not, Fn::Or, Fn::FindInMap, Fn::GetAtt, Fn::GetAZs, Fn::Join, Fn::Select
CF: a failure state in AWS CloudFormation
ROLLBACK_IN_PROGRESS means an UpdateStack operation failed and the stack is in the process of trying to return to the valid, pre-update state
CF: returns the URL of a load balanced web site created in CloudFormation with an AWS::ElasticLoadBalancing::LoadBalancer resource name "ElasticLoad Balancer
"Fn::Join" : ["". [ "http://", {"Fn::GetAtt" : [ "ElasticLoadBalancer","DNSName"]}]]
CF: outages that occur because of accidental inconsistencies between Staging and Production, which sometimes cause unexpected behaviors in Production even when Staging tests pass, using Docker to get high consistency between Staging and Production for the application environment on your EC2 instances, there are many service components you may use beyond EC2 virtual machines
Develop models of your entire cloud system in CloudFormation. Use this model in Staging and Production to achieve greater parity. (Only CloudFormation's JSON Templates allow declarative version control of repeatedly deployable models of entire AWS clouds),
CF: automate 3 layers of a large cloud deployment. You want to be able to track this deployment's evolution as it changes over time, and carefully control any alterations
Use CloudFormation Nested Stack Templates, with three child stacks to represent the three logical layers of your cloud. (CloudFormation allows source controlled, declarative templates as the basis for stack automation and Nested Stacks help achieve clean separation of layers while simultaneously providing a method to control all layers at once when needed)
CF: You need to run a very large batch data processing job one time per day. The source data exists entirely in S3, and the output of the processing job should also be written to S3 when finished. If you need to version control this processing job and all setup and teardown logic for the system, what approach should you use
Model an AWS EMR job in AWS CloudFormation. (EMR cluster can be modeled using CloudFormation)
CF: circular dependency in AWS CloudFormation
When Resources form a DependOn loop. (Refer link, to resolve a dependency error, add a DependsOn attribute to resources that depend on other resources in the template. Some cases for e.g. EIP and VPC with IGW where EIP depends on IGW need explicitly declaration for the resources to be created in correct order)
CF: deploy an AWS stack in a repeatable manner across multiple environments. You have selected CloudFormation as the right tool to accomplish this, but have found that there is a resource type you need to create and model, but is unsupported by CloudFormation
Create a CloudFormation Custom Resource Type by implementing create, update, and delete functionality, either by subscribing a Custom Resource Provider to an SNS topic, or by implementing the logic in AWS Lambda
CF: A test run usually takes between 15 and 30 minutes. Once the tests are done, the AWS CloudFormation stacks are torn down immediately. The test results written to the Amazon RDS database must remain accessible for visualization and analysis.
deletion policy of type Retain or Snapshot
CF: instantiate new tracking systems in any region without any manual intervention and therefore adopted AWS CloudFormation
Use the built-in function of AWS CloudFormation to set the AvailabilityZone attribute of the ELB resource, Use the built-in Mappings and FindInMap functions of AWS CloudFormation to refer to the AMI ID set in the ImageId attribute of the Auto Scaling::LaunchConfiguration resource.
CF: The user wants the stack creation of ELB and AutoScaling to wait until the EC2 instance is launched and configured properly
The user can use the WaitCondition resource to hold the creation of the other dependent resources
CF: to deploy exact copies of different versions of your infrastructure, stage changes into different environments, revert back to previous versions, and identify what versions are running at any particular time
â¢=Use AWS CloudFormation and a version control system like GIT to deploy and manage your infrastructure
CF: Both IAM groups are attached to IAM policies that grant rights to perform the necessary task of each group as well as the creation, update and deletion of CloudFormation stacks
Network stack updates will fail upon attempts to delete a subnet with EC2 instances (Subnets cannot be deleted with instances in them), Restricting the launch of EC2 instances into VPCs requires resource level permissions in the IAM policy of the application group (IAM permissions need to be given explicitly to launch instances )
Tags: An organization has launched 5 instances: 2 for production and 3 for testing. The organization wants that one particular group of IAM users should only access the test instances and not the production ones
Define the tags on the test and production servers and add a condition to the IAM policy which allows access to specific tags (possible using ResourceTag condition)
Tags: find the separate cost for the production and development instances
User should use Cost Allocation Tags and AWS billing reports
Tags: administrator mistakenly terminated several production EC2 instances
Leverage resource based tagging along with an IAM user, which can prevent specific users from terminating production EC2 resources. (Identify production resources using tags and add explicit deny)
Kinesis: votes must be collected into a durable, scalable, and highly available data store for real-time public tabulation
⢠Amazon DynamoDB
Kinesis: 30kb of biometric data In JSON format every 2 seconds to a collection platform that will process and analyze the data providing health trending information back to the pet owners and veterinarians via a web portal Management has tasked you to architect the collection platform ensuring the following requirements are met
Utilize Amazon Kinesis to collect the inbound sensor data, analyze the data with Kinesis clients and save the results to a Redshift cluster using EMR
Kinesis: consolidate their log streams (access logs, application logs, security logs etc.) in one single system. Once consolidated, the customer wants to analyze these logs in real time based on heuristics
Send all the log events to Amazon Kinesis develop a client process to apply heuristics on the logs (Can perform real time analysis and stores data for 24 hours which can be extended to 7 days)
Kinesis: You require the ability to analyze a customer's clickstream data on a website so they can do behavioral analysis. Your customer needs to know what sequence of pages and ads their customer clicked on. This data will be used in real time to modify the page layouts as customers click through the site to increase stickiness and advertising click-through
⢠Push web clicks by session to Amazon Kinesis and analyze behavior using Kinesis workers
Kinesis: Your social media monitoring application uses a Python app running on AWS Elastic Beanstalk to inject tweets, Facebook updates and RSS feeds into an Amazon Kinesis stream. A second AWS Elastic Beanstalk app generates key performance indicators into an Amazon DynamoDB table and powers a dashboard application, prevent any data
Add a third AWS Elastic Beanstalk app that uses the Amazon Kinesis S3 connector to archive data from Amazon Kinesis into Amazon S3.
Kinesis: replicate API calls across two systems in real time
AWS Kinesis (AWS Kinesis is an event stream service. Streams can act as buffers and transport across systems for in-order programmatic events, making it ideal for replicating API calls across systems)
Kinesis: perform ad-hoc business analytics queries on well-structured data. Data comes in constantly at a high velocity. Your business intelligence team can understand SQL. What AWS service(s) should you look to first
Kinesis Firehose + RedShift (Kinesis Firehose provides a managed service for aggregating streaming data and inserting it into RedShift. RedShift also supports ad-hoc queries over well-structured data using a SQL-compliant wire protocol, so the business team should be able to adopt this system easily. Refer link)
DDB: use cases for Amazon DynamoDB
Managing web sessions, Storing JSON documents, Storing metadata for Amazon S3 objects, massive amount of "hot" data and require very low latency, a rapid ingestion of clickstream in order to collect data about user behavior
DDB: Activation data is very important for your company and must be analyzed daily with a MapReduce job. The execution time of the data analysis process must be less than three hours per day. Devices are usually sold evenly during the year, but when a new device model is out, there is a predictable peak in activation's, that is, for a few days there are 10 times or even 100 times more activation's than in average day.
Amazon DynamoDB and Amazon Elastic MapReduce with Spot instances
DDB: ProvisionedThroughputExceededException
You're exceeding your capacity on a particular Hash Key (Hash key determines the partition and hence the performance)
DDB: store each user's highest score for each game, with many games, all of which have relatively similar usage levels and numbers of players. You need to be able to look up the highest score for any game.
GameID as the hash key, HighestScore as the range key. (hash (partition) key should be the GameID, and there should be a range key for ordering HighestScore. Refer link)
DDB: Item attributes consist of individual name, office identifier, and cumulative daily hours. Managers run reports for ranges of names working in their office. One query is. "Return all Items in this office for names starting with A through E".
a range index on the name attribute, and a hash index on the office identifier
DDB: You are inserting 1000 new items every second in a DynamoDB table. Once an hour these items are analyzed and then are no longer needed. You need to minimize provisioned throughput, storage, and API calls. Given these requirements, what is the most efficient way to manage these Items after the analysis
Delete the table and create a new table per hour
DDB: Which of the following is an example of a good DynamoDB hash key schema for provisioned throughput efficiency
User ID, where the application has many different users.
DDB: What is the data model of DynamoDB
"Table", a collection of Items; "Items", with Keys and one or more Attribute; and "Attribute", with Name and Value.
DDB: at least 100K sensors, which needs to be supported by the backend. You also need to store sensor data for at least two years to be able to compare year over year Improvements. To secure funding, you have to make sure that the platform meets these requirements and leaves room for further scaling
Ingest data into a DynamoDB table and move old data to a Redshift cluster (Handle 10K IOPS ingestion and store data into Redshift for analysis)
DDB: stores data coming from more than 10,000 sensors. Each sensor has a unique ID and will send a datapoint (approximately 1KB) every 10 minutes throughout the day. Each datapoint contains the information coming from the sensor as well as a timestamp. This company would like to query information coming from a particular sensor for the past week very rapidly and want to delete all the data that is older than 4 weeks. Using Amazon DynamoDB
One table for each week, with a primary key that is the sensor ID and a hash key that is the timestamp (Composite key with Sensor ID and timestamp would help for faster queries)
DDB: a file-sharing service. This service will have millions of files in it. Revenue for the service will come from fees based on how much storage a user is using. You also want to store metadata on each file, such as title, description and whether the object is public or private.
Store all files in Amazon S3. Create Amazon DynamoDB tables for the corresponding key-value pairs on the associated metadata, when objects are uploaded.
DDB: Global secondary index
An index with a hash and range key that can be different from those on the table
OpsWorks: describe how to add a backend database server to an OpsWorks stack
Add a new database layer and then add recipes to the deploy actions of the database and App Server layers, Set up the connection between the app server and the RDS layer by using a custom recipe. The recipe configures the app server as required, typically by creating a configuration file. The recipe gets the connection data such as the host and database name from a set of attributes in the stack configuration and deployment JSON that AWS OpsWorks installs on every instance, the variables that characterize the RDS database connectionâhost, user, and so onâare set using the corresponding values from the deploy JSON's [:deploy][:app_name][:database] attributes
OpsWorks: migration of a highly trafficked node.js application to AWS. In order to comply with organizational standards Chef recipes must be used to configure the application servers that host this application and to support application lifecycle events
Create a new stack within Opsworks add the appropriate layers to the stack and deploy the application
OpsWorks: with an Elastic Load Balancer, an Auto-Scaling group of Java/Tomcat application-servers, and DynamoDB as data store, a new chat feature has been implemented in node.js and waits to be integrated in the architecture
Create one AWS Ops Works stack, create two AWS Ops Works layers create one custom recipe (Single environment stack, two layers for java and node.js application using built-in recipes and custom recipe for DynamoDB connectivity only as other configuration. Refer link)
OpsWorks: You decide to write a script to be run as soon as a new Amazon Linux AMI is released.
Create a new stack and layers with identical configuration, add instances with the latest Amazon Linux AMI specified as a custom AMI to the new layer, switch DNS to the new stack, and tear down the old stack. (Blue-Green Deployment), Add new instances with the latest Amazon Linux AMI specified as a custom AMI to all AWS OpsWorks layers of your stack, and terminate the old ones.
OpsWorks: OpsWorks, which of the following is not an instance type you can allocate in a stack layer
Spot instances (Does not support spot instance directly but can be used with auto scaling)
WAF: questionable log entries and suspect someone is attempting to gain unauthorized access
Add a WAF tier by creating a new ELB and an AutoScaling group of EC2 Instances running a host-based WAF. They would redirect Route 53 to resolve to the new WAF tier ELB. The WAF tier would then pass the traffic to the current web tier. Web tier Security Groups would be updated to only allow traffic from the WAF tier Security Group
EC: suitable for storing session state data
RDS, DyanmoDB, Elasticache
EC: Which statement best describes ElastiCache
Offload the read traffic from your database in order to reduce latency caused by read-heavy workload
EC: website is running on EC2 instances deployed across multiple Availability Zones with a Multi-AZ RDS MySQL Extra Large DB Instance. The site performs a high number of small reads and writes per second and relies on an eventual consistency mode, read contention
Deploy ElastiCache in-memory cache running in each availability zone, Add an RDS MySQL read replica in each availability zone
EC: using ElastiCache Memcached to store session state and cache database queries in your infrastructure. You notice in CloudWatch that Evictions and Get Misses are both very high
Increase the number of nodes in your cluster, Increase the size of the nodes in the cluster
EC: application currently uses multicast to share session state between web servers
⢠Store session state in Amazon ElastiCache for Redis (scalable and makes the web applications stateless)
EC: to support a 24-hour flash sale, which one of the following methods best describes a strategy to lower the latency while keeping up with unusually heavy traffic
Use ElastiCache as in-memory storage on top of DynamoDB to store user sessions (scalable, faster read/writes and in memory storage)
EC:database CPU is often above 80% usage and 90% of I/O operations on the database are reads. To improve performance you recently added a single-node Memcached ElastiCache Cluster to cache frequent DB query results. In the next weeks the overall workload is expected to grow by 30%, high availability
You should deploy two Memcached ElastiCache Clusters in different AZs because the RDS Instance will not be able to handle the load if the cache node fails.
EC: read only news reporting site with a combined web and application tier and a database tier that receives large and unpredictable traffic demands must be able to respond to these traffic fluctuations automatically.
Stateless instances for the web and application tier synchronized using ElastiCache Memcached in an autoscaling group monitored with CloudWatch and RDS with read replicas.
EMR: a large amount of data, which is stored on Amazon S3 using Amazon Elastic Map Reduce. You are using the cc2.8xlarge instance type, who's CPUs are mostly idle during processing.
Use smaller instances that have higher aggregate I/O performance
EMR: A customer's nightly EMR job processes a single 2-TB data file stored on Amazon Simple Storage Service (S3). The Amazon Elastic Map Reduce (EMR) job runs on two On-Demand core nodes and three On-Demand task nodes. Which of the following may help reduce the EMR job completion time?
Change the input split size in the MapReduce job configuration, Adjust the number of simultaneous mapper tasks.
EMR: creates regular analytics reports from your company's log files. All log data is collected in Amazon S3 and processed by daily Amazon Elastic Map Reduce (EMR) jobs that generate daily PDF reports and aggregated tables in CSV format for an Amazon Redshift data warehouse. Your CFO requests that you optimize the cost structure for this system, lower cost.
Use reduced redundancy storage (RRS) for all data in S3. Use a combination of Spot instances and Reserved Instances for Amazon EMR jobs. Use Reserved instances for Amazon Redshift (Combination of the Spot and reserved with guarantee performance and help reduce cost. Also, RRS would reduce cost and guarantee data integrity, which is different from data durability)
EMR: the one-time launch of an Elastic MapReduce cluster, minimize the costs, designed to ingest 200TB of genomics data with a total of 100 Amazon EC2 instances and is expected to run for around four hours. The resulting data set must be stored temporarily until archived into an Amazon RDS Oracle instance
Store ingest and output files in Amazon S3. Deploy on-demand for the master and core nodes and spot for the task nodes.
Redshift: 787. With which AWS services CloudHSM can be used
RDS, Amazon Redshift
EMR: a pilot deployment of around 100 sensors for 3 months. Each sensor uploads 1KB of sensor data every minute to a backend hosted on AWS. During the pilot, you measured a peak of 10 IOPS on the database, and you stored an average of 3GB of sensor data per month in the database. The current deployment consists of a load-balanced auto scaled Ingestion layer using EC2 instances and a PostgreSQL RDS database with 500GB standard storage. The pilot is considered a success and your CEO has managed to get the attention or some potential investors. The business plan requires a deployment of at least 100K sensors, which needs to be supported by the backend, You also need to store sensor data for at least two years
Ingest data into a DynamoDB table and move old data to a Redshift cluster (Handle 10K IOPS ingestion and store data into Redshift for analysis)
CF: want to be able to deploy exact copies of different versions of your infrastructure, stage changes into different environments, revert back to previous versions, and identify what versions are running at any particular time
Use AWS CloudFormation and a version control system like GIT to deploy and manage your infrastructure.
DS: heavily dependent on low latency connectivity to LDAP for authentication. Your security policy requires minimal changes to the company's existing application user management processes.
Establish a VPN connection between your data center and AWS create a LDAP replica on AWS and configure your application to use the LDAP replica for authentication (RODCs low latency and minimal setup)
AD: they want to make their internal Microsoft Active Directory available to any applications running on AWS
Using VPC, they could create an extension to their data center and make use of resilient hardware IPSEC tunnels; they could then have two domain controller instances that are joined to their existing domain and reside within different subnets, in different Availability Zones (highly available with 2 AZ's, secure with VPN connection and minimal changes)
AD: needs to deploy virtual desktops to its customers in a virtual private cloud, leveraging existing security controls. Which set of AWS services and features will meet the company's requirements
Virtual Private Network connection. AWS Directory Services, and Amazon Workspaces (WorkSpaces for Virtual desktops, and AWS Directory Services to authenticate to an existing on-premises AD through VPN)
run a 2000-engineer organization. You are about to begin using AWS at a large scale for the first time. You want to integrate with your existing identity management system running on Microsoft Active Directory, because your organization is a power-user of Active Directory
Use a large AWS Directory Service AD Connector. (AD Connector can be used as power-user of Microsoft Active Directory. Simple AD only works with a subset of AD functionality)
CT: a reliable and durable logging solution to track changes made to your EC2, IAM and RDS resources. The solution must ensure the integrity and confidentiality of your log data. Which of these solutions would you recommend
Create a new CloudTrail trail with one new S3 bucket to store the logs and with the global services option selected. Use IAM roles, S3 bucket policies and Multi Factor Authentication (MFA) Delete on the S3 bucket that stores your logs. (Single New bucket with global services option for IAM and MFA delete for confidentiality)
CT: make sure that you know what all users of your AWS account are doing to change resources at all times. She wants a report of who is doing what over time, reported to her once per week, for as broad a resource type group as possible
Create a global AWS CloudTrail Trail. Configure a script to aggregate the log data delivered to S3 once per week and deliver this to the CTO.
CT: out-of-the-box user configurable automatic backup-as-a-service and backup rotation options
Amazon RDS, Redshift
CT: automate many routine systems administrator backup and recovery activities. Your current plan is to leverage AWS-managed solutions as much as possible and automate the rest with the AWS CLI and scripts
Creating daily EBS snapshots with a monthly rotation of snapshots
ET: Videos are uploaded monthly in high resolution MP4 format. Your workforce is distributed globally often on the move and using company-provided tablets that require the HTTP Live Streaming (HLS) protocol to watch a video.
Elastic Transcoder to transcode original high-resolution MP4 videos to HLS. S3 to host videos with lifecycle Management to archive original flies to Glacier after a few days. CloudFront to serve HLS transcoded videos from S3
Migration: You must architect the migration of a web application to AWS. The application consists of Linux web servers running a custom web server. You are required to save the logs generated from the application to a durable location.
Create a Dockerfile for the application. Create an AWS Elastic Beanstalk application using the Docker platform and the Dockerfile. Enable logging the Docker configuration to automatically publish the application logs. Enable log file rotation to Amazon S3. (Use Docker configuration with aws logs and EB with Docker), Use VM import/Export to import a virtual machine image of the server into AWS as an AMI. Create an Amazon Elastic Compute Cloud (EC2) instance from AMI, and install and configure the Amazon CloudWatch Logs agent. Create a new AMI from the instance. Create an AWS Elastic Beanstalk application using the AMI platform and the new AMI. (Use VM Import/Export to create AMI and CloudWatch logs agent to log)
Migration: allow the application running inside the VPC to reach back and access its internal dependencies without being reconfigured
An AWS Direct Connect link between the VPC and the network housing the internal services, An IP address space that does not conflict with the one on-premises, A VM Import of the current virtual machine
KMS: regulatory requirements that all data needs to be encrypted before being uploaded to the cloud.
c. Manage encryption keys in amazon Key Management Service (KMS), upload to amazon simple storage service (s3) with client-side encryption using a KMS customer master key ID and configure Amazon S3 lifecycle policies to store each object using the amazon glacier storage tier. (With CSE-KMS the encryption happens at client side before the object is upload to S3 and KMS is cost effective as well)
KMS: that is composed of an Auto Scaling group of EC2 Instances. The customers security policy requires that every outbound connection from these instances to any other service within the customers Virtual Private Cloud must be authenticated using a unique x 509 certificate that contains the specific instance-id. In addition an x 509 certificates must be designed by the customer's Key management service in order to be trusted for authentication
Configure the Auto Scaling group to send an SNS notification of the launch of a new instance to the trusted key management service. Have the Key management service generate a signed certificate and send it directly to the newly launched instance.
Recovery Time Objective of 2 hours and a Recovery Point Objective of 24 hours. They should synchronize their data on a regular basis and be able to provision the web application rapidly using CloudFormation. The objective is to minimize changes to the existing web application, control the throughput of DynamoDB used for the synchronization of data and synchronize only the modified elements. Which design would you choose to meet these requirements
Use AWS data Pipeline to schedule a DynamoDB cross region copy once a day. Create a 'Lastupdated' attribute in your DynamoDB table that would represent the timestamp of the last update and use it as a filter.
Glacier: Each drug trial test may generate up to several thousands of files, with compressed file sizes ranging from 1 byte to 100MB. Once archived, data rarely needs to be restored, and on the rare occasion when restoration is needed, the company has 24 hours to restore specific files that match certain metadata. Searches must be possible by numeric file ID, drug name, participant names, date ranges, and other metadata. Which is the most cost-effective architectural approach that can meet the requirements
First, compress and then concatenate all files for a completed drug trial test into a single Amazon Glacier archive. Store the associated byte ranges for the compressed files along with other search metadata in an Amazon RDS database with regular snapshotting. When restoring data, query the database for files that match the search criteria, and create restored files from the retrieved byte ranges.
Glacier:
...
ES: ad-hoc analysis on log data, including searching quickly for specific error codes and reference numbers. Which should you evaluate first
AWS Elasticsearch Service
ES: She complains that she has no idea what is going on in the complex, service-oriented architecture, because the developers just log to disk, and it's very hard to find errors in logs on so many services.
Begin using CloudWatch Logs on every service. Stream all Log Groups into an AWS Elasticsearch Service Domain running Kibana 4 and perform log analysis on a search cluster. (AWS Elasticsearch with Kibana stack is designed specifically for real-time, ad-hoc log analysis and aggregation)
SES: implement an order fulfillment process for selling a personalized gadget that needs an average of 3-4 days to produce with some orders taking up to 6 months you expect 10 orders per day on your first day. 1000 orders per day after 6 months and 10,000 orders after 12 months. Orders coming in are checked for consistency men dispatched to your manufacturing plant for production quality control packaging shipment and payment processing If the product does not meet the quality standards at any stage of the process employees may force the process to repeat a step Customers are notified via email about order status
Use SWF with an Auto Scaling group of activity workers and a decider instance in another Auto Scaling group with min/max=1 use SES to send emails to customers.
CS: 728. A newspaper organization has an on-premises application which allows the public to search its back catalogue and retrieve individual newspaper pages via a website written in Java. They have scanned the old newspapers into JPEGs (approx. 17TB) and used Optical Character Recognition (OCR) to populate a commercial search product. The hosting platform and software is now end of life and the organization wants to migrate its archive to AWS and produce a cost efficient architecture and still be designed for availability and durability.
Use S3 with standard redundancy to store and serve the scanned files, use CloudSearch for query processing, and use Elastic Beanstalk to host the website across multiple availability zones. (Cost effective S3 storage, CloudSearch for Search and Highly available and durable web application)
ECS: Your security team requires each Amazon ECS task to have an IAM policy that limits the task's privileges to only those required for its use of AWS services. How can you achieve this?
Use IAM roles for Amazon ECS tasks to associate a specific IAM role with each ECS task definition
ECS: You need a solution to distribute traffic evenly across all of the containers for a task running on Amazon ECS. Your task definitions define dynamic host port mapping for your containers. What AWS feature provides this functionally?
Application Load Balancers support dynamic host port mapping
Lambda: Your serverless architecture using AWS API Gateway, AWS Lambda, and AWS DynamoDB experienced a large increase in traffic to a sustained 400 requests per second, and dramatically increased in failure rates. Your requests, during normal operation, last 500 milliseconds on average. Your DynamoDB table did not exceed 50% of provisioned throughput, and Table primary keys are designed correctly. What is the most likely issue?
You did not request a limit increase on concurrent Lambda function executions. (AWS API Gateway by default throttles at 500 requests per second steady-state, and 1000 requests per second at spike. Lambda, by default, throttles at 100 concurrent requests for safety. At 500 milliseconds (half of a second) per request, you can expect to support 200 requests per second at 100 concurrency. This is less than the 400 requests per second your system now requires. Make a limit increase request via the AWS Support Console.)
Authentication: An AWS customer is deploying a web application that is composed of a front-end running on Amazon EC2 and of confidential data that is stored on Amazon S3. The customer security policy that all access operations to this sensitive data must be authenticated and authorized by a centralized access management system that is operated by a separate security team. In addition, the web application team that owns and administers the EC2 web front-end instances is prohibited from having any ability to access the data that circumvents this centralized access management system.
Configure the web application to authenticate end-users against the centralized access management system. Have the web application provision trusted users STS tokens entitling the download of approved data directly from Amazon S3 (Controlled access and admins cannot access the data as it needs authentication)