AWS Flashcards

(391 cards)

1
Q

At which OSI layer does an Application Load Balancer (ALB) operate?

A

Layer 7 – the application layer.

2
Q

What types of targets can an ALB route traffic to?

A

EC2 instances, ECS tasks, Lambda functions, and private IP addresses.

3
Q

Where are health checks configured for an ALB?

A

At the Target Group level, using HTTP or HTTPS.

4
Q

Is cross-zone load balancing enabled or disabled by default on an ALB?

A

Enabled by default.

5
Q

Can you attach an Elastic IP address directly to an ALB?

A

No, Elastic IPs cannot be attached to ALBs.

6
Q

In which type of subnet must an ALB be placed to be Internet-facing?

A

A public subnet.

7
Q

Which extra protocol does ALB support that is useful for microservices?

A

gRPC.

8
Q

Can ALBs do weighted routing across target groups?

A

Yes, ALBs support Weighted Target Group routing.

9
Q

At which OSI layer does a Network Load Balancer (NLB) operate?

A

Layer 4 – the transport layer.

10
Q

Which protocols does an NLB support?

A

TCP and UDP.

11
Q

What is special about the IP addressing of an NLB?

A

It exposes one static IP per Availability Zone, which can also be an Elastic IP.

12
Q

What kinds of targets can an NLB have?

A

EC2 instances, private IP addresses, and ALBs.

13
Q

Which health check protocols does NLB support?

A

TCP, HTTP, and HTTPS.

14
Q

Is cross-zone load balancing enabled or disabled by default on an NLB?

A

Disabled by default.

15
Q

At which OSI layer does a Gateway Load Balancer (GWLB) operate?

A

Layer 3 – the network layer.

16
Q

What is the main use case for a GWLB?

A

Routing traffic through 3rd-party virtual appliances such as security appliances for inspection before reaching servers.

17
Q

Which encapsulation protocol and port does GWLB use?

A

GENEVE protocol on port 6081.

18
Q

What target types does GWLB support?

A

EC2 instances and private IP addresses.

19
Q

Is cross-zone load balancing enabled or disabled by default on GWLB?

A

Disabled by default.

20
Q

Are ELBs region-scoped or global?

A

They are region-scoped; ELBs are region bound.

21
Q

Do ELBs have security groups?

A

Yes, ALBs and Classic Load Balancers use security groups.

22
Q

What is cross-zone load balancing?

A

Even distribution of traffic across all targets in all enabled Availability Zones for the load balancer.

23
Q

What are sticky sessions and why are they used?

A

Sticky sessions (session affinity) ensure a client is consistently routed to the same backend instance, often for session persistence.

24
Q

Which load balancer types support sticky sessions?

A

Classic Load Balancer, ALB, and NLB.

25
How does an ALB implement stickiness?
Using cookies that can have a configurable expiration time.
26
What are the two broad categories of cookies used by ALB for stickiness?
Application-based cookies and load balancer–generated (duration-based) cookies.
27
What naming constraints apply to ALB custom cookies?
Custom cookies cannot be named AWSALB, AWSALBAPP, or AWSALBTG.
28
What is the name of the ALB-generated application cookie?
AWSALBAPP.
29
What is the name of the ALB-generated duration-based cookie?
AWSALB.
30
What is Server Name Indication (SNI) used for with SSL/TLS?
Allowing multiple TLS certificates (for different domain names) on a single server endpoint/IP.
31
What is connection draining / deregistration delay in ELB?
A grace period allowing in-flight requests to complete on a target before it is deregistered.
32
What is the default and allowed range for connection draining time?
Default is 300 seconds; configurable from 0 to 3600 seconds (0 disables it).
33
What does an Auto Scaling Group (ASG) use to define EC2 configuration?
Launch templates (preferred) or launch configurations (legacy).
34
How does an ASG know when to scale?
Using Auto Scaling policies, often driven by CloudWatch alarms.
35
What ASG instance state temporarily removes an instance from load balancing and scaling?
The Standby state.
36
What are the three main categories of ASG scaling policies?
Dynamic scaling, scheduled scaling, and predictive scaling.
37
What are the two main types of dynamic scaling policies?
Target tracking scaling and simple/step scaling.
38
Why are launch templates preferred over launch configurations for ASG?
They support multiple instance types, On-Demand + Spot capacity, and more advanced features.
39
List the key termination policy order considerations in ASG.
Instance allocation strategy, then oldest launch configuration, then oldest launch template, then next billing hour.
40
List the standard ASG instance lifecycle states (high level).
Pending, InService, Terminating, Terminated, and Standby.
41
What are the two lifecycle hook types for ASG?
autoscaling:EC2_INSTANCE_LAUNCHING and autoscaling:EC2_INSTANCE_TERMINATING.
42
What happens to an instance when a launch lifecycle hook is configured?
It transitions Pending → Pending:Wait → (lifecycle action complete) → Pending:Proceed → InService.
43
What happens to an instance when a terminate lifecycle hook is configured?
It transitions Terminating → Terminating:Wait → (lifecycle action complete) → Terminating:Proceed → Terminated.
44
What is the purpose of the ASG cooldown period?
To prevent additional scaling actions until the effects of previous scaling activities are realized.
45
What is the default ASG cooldown time?
300 seconds (5 minutes).
46
What type of database is DynamoDB?
A fully managed, serverless, highly available NoSQL key-value and document database.
47
How does DynamoDB achieve high availability?
By replicating data across multiple Availability Zones within a region.
48
What are DynamoDB’s scalar data types?
String, Number, Binary, Boolean, and Null.
49
What are DynamoDB’s document data types?
List and Map.
50
What are DynamoDB’s set data types?
String Set, Number Set, and Binary Set.
51
What are the two capacity modes for DynamoDB?
Provisioned mode and On-demand mode.
52
When would you prefer provisioned mode?
When workloads are predictable and you can pre-define RCU/WCU (optionally with autoscaling).
53
When would you prefer on-demand mode?
When workloads are unpredictable or have spiky traffic; capacity scales automatically.
54
What is DynamoDB Accelerator (DAX) used for?
It is a fully managed, in-memory cache for DynamoDB that reduces read latency to microseconds.
55
What is the default TTL for DAX cached items?
5 minutes by default.
56
What do DynamoDB Streams capture?
A time-ordered sequence of item-level changes: inserts, updates, and deletes.
57
What is the main use case of DynamoDB Global Tables?
Multi-region, active-active replication to provide low-latency access in multiple regions.
58
What must be enabled before using Global Tables?
DynamoDB Streams on the table.
59
What does DynamoDB TTL do?
Automatically deletes items after a specified expiry timestamp.
60
What backup options exist for DynamoDB?
Point-in-time recovery (PITR) and on-demand backups.
61
How does DynamoDB integrate with S3?
You can import/export tables to/from Amazon S3 (PITR must be enabled).
62
Why are high-cardinality partition keys recommended in DynamoDB?
They produce many distinct hash values and spread data evenly across partitions to avoid hot partitions.
63
What is a low-cardinality attribute and why is it bad as a partition key?
An attribute with few unique values (e.g., status); it can concentrate traffic on a small number of partitions and create hot spots.
64
How does RDS storage autoscaling behave?
It automatically increases storage up to a configured maximum when free storage is <10% for at least 5 minutes and 6 hours have passed since the last modification.
65
How many read replicas can an RDS instance have?
Up to 15 read replicas.
66
What replication modes and scopes do RDS read replicas support?
Asynchronous replication within an AZ, across AZs, or across regions.
67
Can RDS read replicas be promoted to standalone DBs?
Yes, any read replica can be promoted to its own standalone database.
68
Do RDS read replicas share the same endpoint as the primary?
No, each read replica has its own endpoint and the application must handle routing reads.
69
Are there data transfer charges for RDS read replicas within the same region?
No, there are no data transfer charges within the same region.
70
What is the purpose of RDS Multi-AZ?
Providing high availability and automatic failover, not read scaling.
71
How is replication done in Multi-AZ RDS?
Synchronously to a standby instance in another Availability Zone.
72
Can Multi-AZ RDS standbys be used for read scaling?
No, Multi-AZ standbys are for high availability only.
73
What makes RDS Custom different from standard RDS?
It provides OS-level and database-level access (e.g., for Oracle/SQL Server) while AWS still manages the underlying infrastructure.
74
Can you SSH into RDS Custom?
Yes, you can SSH into the underlying EC2 instance, which is not possible with standard RDS.
75
What are the two RDS backup types?
Automated backups and manual snapshots.
76
How often are RDS automated backups taken?
Daily full backups with transaction logs captured every 5 minutes.
77
What is the maximum retention period for RDS automated backups?
Up to 35 days (1–35 days; 0 disables backups).
78
How long are manual RDS snapshots kept?
As long as you keep them; retention is user-managed.
79
Are backups available for Multi-AZ deployments?
Yes, backups and snapshots can be created in Multi-AZ configurations.
80
Do stopped RDS instances still incur storage costs?
Yes, you still pay for storage when an RDS instance is stopped.
81
How do you encrypt an existing unencrypted RDS database?
Take a snapshot → copy the snapshot as encrypted → restore a new DB from the encrypted snapshot → delete the old unencrypted DB.
82
What does RDS Enhanced Monitoring provide beyond CloudWatch?
Real-time OS-level metrics including per-process and per-thread CPU usage.
83
Which engines support IAM DB Authentication?
MySQL and PostgreSQL (including compatible Aurora engines).
84
How long is an IAM DB auth token valid?
15 minutes.
85
What are two ways to use SSL encryption with RDS?
Force SSL via the rds.force_ssl parameter or configure SSL from individual clients using certificates.
86
What must you do after changing rds.force_ssl?
Reboot the DB instance because it is a static parameter.
87
What is RDS Proxy?
A managed, highly available, serverless connection pooler/proxy for RDS and Aurora databases.
88
Is RDS Proxy publicly accessible?
No, it is accessed from within your VPC only.
89
How does Aurora store data?
In a shared storage volume with up to six copies of your data across three Availability Zones, auto-growing in 10 GB increments up to 128 TB.
90
How many replicas can Aurora have?
Up to 15 read replicas with sub-10 ms replication lag.
91
How does Aurora pricing compare to standard RDS?
Aurora is roughly 20% more expensive than standard RDS.
92
How many endpoints does a typical Aurora cluster expose?
One writer endpoint (for read/write) and one reader endpoint (load balanced across read replicas).
93
Does Aurora support cross-region replication and auto scaling of replicas?
Yes, it supports cross-region replication and reader auto scaling.
94
What is an Aurora custom endpoint used for?
To create an endpoint from a subset of replicas, e.g. dedicated for analytics or dev/test workloads.
95
What is Aurora Serverless used for?
A pay-per-second, auto-scaling Aurora configuration that adjusts capacity based on usage.
96
Can you convert an existing provisioned Aurora cluster directly to Aurora Serverless?
No, you cannot change an existing provisioned cluster to serverless in place.
97
In Global Aurora, how many primary and secondary regions are allowed?
One primary read-write region and up to five secondary read-only regions.
98
How many read replicas per secondary region does Global Aurora support?
Up to 16 read replicas per secondary region.
99
What is the typical RTO for promoting a Global Aurora secondary region?
Less than one minute.
100
How does Aurora DB cloning work?
The clone initially shares storage with the source; new or changed data is written to new storage, making cloning fast and space-efficient.
101
What is the backup retention configuration for Aurora automated backups?
Between 1 and 35 days; automated backups cannot be disabled.
102
How is failover priority determined among Aurora read replicas?
By failover tier (lower number is higher priority), then by instance size (larger is higher priority).
103
What can Aurora MySQL native functions do with AWS Lambda?
Invoke a Lambda function whenever a row is modified in a table, acting like a trigger.
104
What happens in Aurora Single-Instance failure?
Aurora tries to create a new instance in the same AZ on a best-effort basis.
105
What happens when an Aurora primary with a read replica fails?
Aurora flips the cluster CNAME to a healthy replica which is promoted to primary, typically within about 30 seconds.
106
What happens when Aurora Serverless fails?
Aurora automatically recreates the DB instance in another Availability Zone.
107
Which engines support Aurora IAM DB Authentication?
Aurora MySQL and Aurora PostgreSQL.
108
How long is the IAM DB auth token valid for Aurora?
15 minutes.
109
Which engines does ElastiCache support?
Redis and Memcached.
110
Give common ElastiCache Redis use cases.
Gaming leaderboards, application cache, and geospatial data.
111
Give common ElastiCache Memcached use cases.
Simple distributed cache, user sessions, and database caching.
112
Which Redis data structure is commonly used for leaderboards?
Sorted sets.
113
Does ElastiCache support Multi-AZ and read replicas?
Yes; Redis supports Multi-AZ with up to 5 read replicas.
114
What type of database is Amazon Neptune?
A managed graph database service.
115
What is Amazon DocumentDB designed to be compatible with?
It is designed to be compatible with MongoDB.
116
What is Amazon Keyspaces?
A managed, serverless, Apache Cassandra–compatible database service.
117
What kind of service is Route 53?
A highly available, scalable, fully managed authoritative DNS service.
118
What is special about Route 53’s SLA?
It is the only AWS service that offers a 100% availability SLA.
119
What does an A record map?
A hostname to an IPv4 address.
120
What does an AAAA record map?
A hostname to an IPv6 address.
121
What does a CNAME record map and can it be used at the zone apex?
It maps a hostname to another hostname and cannot be used at the zone apex.
122
What is an Alias record in Route 53 used for?
To map a DNS name to AWS resources (e.g., ALB, CloudFront) and it can be used at the zone apex.
123
What is an NS record used for in Route 53?
It lists the name servers for the hosted zone.
124
What are the two kinds of Route 53 hosted zones?
Public hosted zones and private hosted zones (within a VPC).
125
Roughly how much does a hosted zone cost per month?
About $0.50 per hosted zone per month.
126
Name at least three Route 53 routing policies.
Simple, Weighted, Latency-based, Failover, Geolocation, Geoproximity, IP-based, and Multi-value.
127
What is the difference between active-active and active-passive failover?
Active-active: both endpoints serve traffic. Active-passive: primary serves traffic and secondary is used only during failover.
128
What name must an S3 bucket have to be used for static website hosting with Route 53?
The bucket name must exactly match the domain name.
129
What are the two ECS launch types?
EC2 launch type and Fargate launch type.
130
Who manages the infrastructure in ECS EC2 launch type?
You do; you provision and manage the EC2 instances that run the ECS agent.
131
Who manages the infrastructure in ECS Fargate launch type?
AWS; you only define and run tasks without managing servers.
132
What are the two key IAM roles in ECS?
The EC2 Instance Profile (for the host) and the ECS Task Role (for containers).
133
What storage options can ECS tasks use?
EBS volumes on EC2 instances or EFS, including Fargate + EFS (serverless).
134
What is AWS Application Auto Scaling for ECS?
It scales the desired number of ECS tasks based on scaling policies.
135
What is Cluster Capacity Provider in ECS used for?
To automatically provision and scale the EC2 infrastructure (via an Auto Scaling Group) for ECS tasks.
136
What is Amazon ECR?
Elastic Container Registry, a managed Docker image registry backed by S3.
137
What compute options can EKS use for worker nodes?
EC2 instances or AWS Fargate for serverless pods.
138
Name the three main EKS node types.
Managed node groups, self-managed nodes, and Fargate nodes.
139
What storage types can EKS workloads use?
EBS, EFS, FSx for Lustre, and FSx for NetApp ONTAP.
140
What is Karpenter in EKS?
A cluster autoscaler that automatically adjusts the number and type of nodes based on pod demands.
141
What does Horizontal Pod Autoscaler (HPA) do?
It automatically scales the number of pods in a workload based on metrics such as CPU utilization (requires Metrics Server).
142
What is ECS Anywhere / EKS Anywhere?
Extensions that let you run ECS/EKS on your own infrastructure (on-premises, edge, or other clouds).
143
What is AWS App Runner?
A fully managed service to build, deploy, and auto-scale web applications and APIs from source code or container images with minimal configuration.
144
What is AWS Elastic Beanstalk?
A PaaS that deploys, manages, and scales applications while managing underlying infrastructure but still allowing customization.
145
How is Lambda priced at a high level?
You pay per request and per compute duration (GB-seconds).
146
What is the free tier for Lambda requests?
1,000,000 requests per month.
147
What is the free compute quota for Lambda?
400,000 GB-seconds of compute time per month.
148
Where do Lambda functions run by default regarding VPC?
Outside of your VPC by default.
149
What happens when you put a Lambda function in a VPC?
Lambda creates ENIs in your subnets to allow network access, which can increase cold-start latency.
150
What is the maximum Lambda execution timeout?
900 seconds (15 minutes).
151
What is the range of memory allocation for Lambda?
128 MB to 10 GB, in 1 MB increments.
152
What is the size limit for a zipped Lambda deployment package?
50 MB (compressed).
153
What is the limit for uncompressed Lambda code and dependencies?
250 MB uncompressed.
154
What is the size range for /tmp storage in a Lambda function?
Between 512 MB and 10 GB.
155
What is the default concurrency limit per region for Lambda?
1,000 concurrent executions (can be increased).
156
What is Lambda SnapStart and for which runtime is it designed?
A feature for Java that pre-initializes the function at publish time, snapshots its state, and uses that snapshot for faster cold starts.
157
What is required when running Lambda from a container image?
The container image must be built from an AWS-provided base image tailored for Lambda.
158
What are the three API Gateway endpoint types?
Edge-optimized, Regional, and Private.
159
When should you use Edge-optimized endpoints?
For globally distributed clients; requests are routed through CloudFront edge locations.
160
When should you use Regional endpoints?
For clients in the same region or when you want to manage your own CloudFront distribution.
161
What is a Private API Gateway endpoint?
An endpoint accessible only from your VPC via an interface VPC endpoint and resource policies.
162
What are the three main API Gateway auth methods?
IAM roles, Cognito authorizers, and custom authorizers.
163
What additional features does API Gateway support to protect APIs?
API caching and request throttling.
164
What does AWS Step Functions do?
Orchestrates serverless workflows using visual state machines, often chaining Lambda functions and other services.
165
What is Cognito User Pools used for?
Managing user sign-up/sign-in and profiles for web and mobile applications.
166
What is Cognito Identity Pools used for?
Providing temporary AWS credentials to users so they can access AWS resources directly.
167
How can Cognito integrate with other AWS services for auth?
By integrating with API Gateway and Application Load Balancer as an identity provider.
168
What is Amazon Athena?
A serverless, interactive query service to analyze data in Amazon S3 using SQL.
169
Which data formats does Athena support?
CSV, JSON, ORC, Avro, Parquet, and others.
170
How is Athena priced?
Approximately $5 per terabyte of data scanned.
171
Name three ways to reduce Athena costs and improve performance.
Use columnar formats (Parquet/ORC), compress data, partition datasets, and use larger files (over ~128 MB).
172
What is Athena federated query?
Running SQL queries across multiple data sources (relational, NoSQL, object, on-prem) via Lambda data source connectors.
173
What kind of workload is Redshift optimized for?
OLAP/data warehousing and analytics at petabyte scale using columnar storage.
174
Name the two Redshift modes.
Provisioned clusters and Serverless.
175
What are Redshift’s two main node roles?
Leader nodes (query planning and results aggregation) and compute nodes (execute queries).
176
How often are Redshift automated snapshots typically taken?
Automatically every 8 hours or every 5 GB of data, with a retention window of 1–35 days.
177
How can you load data into Redshift?
Using the COPY command from S3 (with or without enhanced VPC routing), via Kinesis Data Firehose, or JDBC from EC2.
178
What is Redshift Spectrum?
A feature that lets you query data directly in S3 without loading it into Redshift tables.
179
What is Amazon OpenSearch commonly used for?
Full-text search, log analytics, and as a search engine complementing other databases.
180
What ingestion sources does OpenSearch commonly support?
Kinesis Data Firehose, AWS IoT, and CloudWatch Logs.
181
What is Amazon EMR used for?
A managed big data platform for frameworks such as Spark, Hadoop, HBase, Presto, and Flink on EC2.
182
Name the three EMR node types.
Master node, Core node, and Task node.
183
Which EMR node types are typically long-running?
Master and Core nodes; Task nodes are usually Spot and transient.
184
What are the main EMR cluster modes?
Long-running clusters and transient clusters.
185
What is Amazon QuickSight?
A serverless BI service for dashboards and reporting using the SPICE in-memory engine.
186
What is AWS Glue?
A managed, serverless ETL service for discovering, transforming, and loading data.
187
What do Glue Job Bookmarks do?
They track which data has already been processed, preventing re-processing of old files.
188
What are Glue Elastic Views?
Serverless materialized views that combine and replicate data across multiple data stores using SQL.
189
What is Glue DataBrew?
A visual data preparation tool with pre-built transformations.
190
What is Glue Studio?
A GUI for visually authoring, running, and monitoring AWS Glue ETL jobs.
191
What is Glue Streaming ETL built on?
Apache Spark Structured Streaming; it works with Kinesis, Kafka, and MSK.
192
What is AWS Lake Formation built on top of and what is it used for?
It is built on AWS Glue and is used to build secure data lakes in S3 with centralized access control and governance.
193
What is Amazon MSK?
A managed service for Apache Kafka, an alternative to Amazon Kinesis for streaming workloads.
194
What is MSK Serverless?
A mode where MSK automatically provisions and scales compute and storage without capacity management.
195
What is AWS Data Exchange used for?
Finding, subscribing to, and using third-party datasets in AWS.
196
What is AWS Data Pipeline used for?
Orchestrating complex, scheduled data movement and transformation workflows across AWS and on-premises.
197
What does a CloudWatch metric namespace represent?
It is a container for metrics for a specific service or application.
198
What is a metric dimension in CloudWatch?
An attribute used to categorize a metric, such as instance ID or environment.
199
How many dimensions can a CloudWatch metric have?
Up to 30 dimensions.
200
What are CloudWatch Metric Streams?
Real-time streaming of CloudWatch metrics to destinations such as Kinesis Data Firehose or third-party tools.
201
How are CloudWatch Logs organized?
Into log groups and log streams.
202
Can CloudWatch Logs be encrypted?
Yes, they are encrypted by default and can be configured to use KMS CMKs.
203
Name some destinations you can send CloudWatch Logs to.
S3 (export), Kinesis Data Streams, Kinesis Data Firehose, Lambda, and OpenSearch.
204
Name three common CloudWatch log sources.
EC2 instances (via agents), Lambda functions, VPC Flow Logs, Elastic Beanstalk, ECS, API Gateway, Route 53, and CloudTrail.
205
What is CloudWatch Logs Insights?
A query language and console for searching and analyzing log data.
206
How long can it take for log data to be available for S3 export from CloudWatch Logs?
Up to 12 hours.
207
What is the CloudWatch Logs API for export tasks?
CreateExportTask.
208
What are CloudWatch Logs Subscriptions used for?
Streaming log events in near real-time to Kinesis Streams, Kinesis Firehose, or Lambda with optional filtering and cross-account support.
209
What’s the difference between the older CloudWatch Logs agent and the Unified agent?
The Logs agent only collects logs; the Unified agent collects both logs and system metrics such as CPU, RAM, and disk.
210
What are the three CloudWatch alarm states?
OK, INSUFFICIENT_DATA, and ALARM.
211
What actions can CloudWatch alarms trigger?
EC2 actions (stop, terminate, reboot, recover), Auto Scaling policies, and SNS notifications.
212
What is a Composite Alarm?
An alarm that combines multiple alarms using AND/OR conditions.
213
What is EC2 Recovery via CloudWatch?
Automatic recovery of an impaired instance to healthy hardware, preserving instance ID, private IPs, and EBS volumes.
214
Name four CloudWatch 'Insights' features.
Container Insights, Lambda Insights, Contributor Insights, and Application Insights.
215
What does AWS CloudTrail provide?
Governance, compliance, and audit logging of API calls and account activity.
216
What are the three CloudTrail event types?
Management events, Data events, and Insights events.
217
How long are CloudTrail events stored by default?
90 days (you must deliver logs to S3 to keep them longer).
218
What is AWS Config used for?
Recording configuration changes and evaluating the compliance of AWS resources over time.
219
What are AWS Config Rules?
Managed or custom rules that evaluate resource configurations for compliance.
220
How is AWS Config priced at a high level?
Per configuration item recorded and per rule evaluation; there is no free tier.
221
What are common Config remediation options?
SSM Automation documents for auto-remediation triggered by Config, and EventBridge notifications.
222
What is AWS Trusted Advisor?
A recommendation tool for cost optimization, performance, security, and resilience; it can also check service quotas.
223
What is AWS X-Ray used for?
Distributed tracing to analyze requests, latency, and errors across components, producing a service map.
224
What is Recovery Point Objective (RPO)?
The maximum acceptable time between the last backup and a disaster (i.e., how much data you can afford to lose).
225
What is Recovery Time Objective (RTO)?
The maximum acceptable time to restore service after a disaster.
226
List the four AWS DR strategies from cheapest to most expensive.
Backup & Restore, Pilot Light, Warm Standby, and Hot/Multi-Site.
227
What is Backup & Restore’s RPO/RTO profile?
It has the highest RPO and RTO (slowest recovery), but is the cheapest approach.
228
What is a Pilot Light strategy?
A minimal core of the application is always running in the cloud, and other components are started during a disaster.
229
What is Warm Standby?
A scaled-down but fully functional copy of the production environment is always running.
230
What is Hot/Multi-Site?
Full-scale production is running in multiple locations (e.g., on-premises and AWS) simultaneously.
231
What does AWS Database Migration Service (DMS) do?
Migrates databases between different engines (homogeneous or heterogeneous) using replication tasks.
232
What is AWS Schema Conversion Tool (SCT) used for?
Converting database schemas between different engines (e.g., Oracle to PostgreSQL).
233
How is DMS deployed?
You run a replication instance (EC2) that performs full-load and change data capture (CDC).
234
Does DMS support Multi-AZ?
Yes, for high availability of the replication instance.
235
What non-database sources/targets can DMS use?
Amazon S3 and Amazon Kinesis can be used as source or target.
236
Name two options to migrate MySQL RDS to Aurora.
Restore an RDS snapshot as an Aurora cluster or create an Aurora read replica from RDS MySQL and promote it when lag is 0.
237
Name two options to migrate external MySQL into Aurora.
Back up to S3 and import, or use mysqldump directly into Aurora (or use DMS).
238
How can you migrate PostgreSQL into Aurora PostgreSQL?
Restore an RDS PostgreSQL snapshot as Aurora, or back up to S3 and import via the aws_s3 extension (or use DMS).
239
What is AWS Backup used for?
Centralized, policy-based backup orchestration across many AWS services.
240
Name three AWS services supported by AWS Backup.
EC2/EBS, S3, RDS/Aurora/DynamoDB, EFS, FSx, DocumentDB, Neptune, and Storage Gateway (any three).
241
What is a Backup Plan in AWS Backup?
A set of rules defining backup frequency, backup window, lifecycle transitions, and retention period.
242
What is Backup Vault Lock?
A WORM feature on a backup vault; even the root user cannot delete backups once the vault is locked.
243
What does Application Discovery Service (ADS) do?
Discovers on-premises inventory, usage, and dependency data for migration planning.
244
What’s the difference between agentless and agent-based discovery in ADS?
Agentless uses a connector (e.g., VMware) for inventory and performance; agent-based collects detailed OS, process, and network data.
245
What is AWS Application Migration Service (MGN)?
A lift-and-shift migration service that replicates physical, virtual, or cloud servers to run natively on AWS, replacing SMS/CloudEndure.
246
Name three main EC2 storage options.
EBS, EFS, and Instance Store.
247
Are EBS volumes AZ-bound or region-wide?
They are bound to a single Availability Zone.
248
What happens to an EC2 root EBS volume by default on instance termination?
By default it is deleted unless the DeleteOnTermination flag is disabled.
249
Which EBS volume types can be used as root volumes?
gp2, gp3, io1, and io2.
250
Can you modify EBS volume size, type, or IOPS while in use?
Yes, EBS supports live modification of these attributes.
251
What are the main EBS SSD types and their high-level differences?
gp2 (IOPS scales with size), gp3 (baseline 3,000 IOPS and configurable IOPS/throughput), and io1/io2 (provisioned IOPS).
252
What is the IOPS limit for gp2?
3 IOPS per GiB (minimum 100 IOPS), bursting to 3,000 IOPS for volumes under 1 TiB, up to a maximum of 16,000 IOPS, which is reached at 5,334 GiB.
253
What is gp3’s baseline and max IOPS?
Baseline 3,000 IOPS and configurable up to 16,000 IOPS, with up to 1,000 MiB/s throughput.
254
What are io2 Block Express characteristics?
4 GiB to 64 TiB, sub-millisecond latency, up to 256,000 IOPS and 1000:1 IOPS:GiB ratio.
255
Can EBS volumes be used while a snapshot is in progress?
Yes, the volume remains usable during snapshot creation.
256
What is Fast Snapshot Restore (FSR)?
A feature that pre-initializes snapshots so restored volumes have no first-use latency.
257
What is EBS Multi-Attach and which types support it?
Attaching a single volume to multiple instances (up to 16) in the same AZ; supported only by io1 and io2.
258
What are the main characteristics of EFS?
Network file system (NFS), multi-AZ, mountable by multiple EC2 instances, Linux-only, and pay-per-use with security groups controlling access.
259
What are the EFS performance modes?
General Purpose and Max I/O.
260
What are the EFS throughput modes?
Bursting, Provisioned, and Elastic.
261
Name the three EFS storage tiers.
Standard, Infrequent Access (IA), and Archive.
262
What is EFS One Zone IA?
A cheaper, single-AZ IA storage tier for less critical data.
263
What happens to Instance Store data when an instance is stopped?
Data is lost on stop, hibernate, or terminate (it survives a reboot); Instance Store is ephemeral storage physically attached to the host.
264
What is RAID 0 used for in EBS/Instance Store?
Striping data across volumes for higher throughput (no redundancy).
265
What is RAID 1 used for?
Mirroring data across volumes for redundancy (no throughput gain).
266
List the main EC2 instance families and their primary focus.
M/T (general purpose), C (compute-optimized), R (memory-optimized), G/P (GPU/accelerated computing), I (storage-optimized).
267
What tenancy options exist for EC2?
Default (shared), Dedicated Instances, and Dedicated Hosts.
268
What is special about Dedicated Hosts vs Dedicated Instances?
Dedicated Hosts give physical host visibility and placement control for licensing; Dedicated Instances only ensure hardware isolation.
269
What do Security Groups control and at which level?
They control inbound and outbound traffic at the instance/ENI level; they are stateful and allow-only.
270
Name the main EC2 purchasing options.
On-Demand, Reserved Instances, Savings Plans, Spot Instances, Dedicated Hosts, Dedicated Instances, and Capacity Reservations.
271
What are Spot Fleet allocation strategies?
lowestPrice, diversified, capacityOptimized, and priceCapacityOptimized.
272
What is a key warning with cancelling Spot requests?
Cancelling the request does not terminate running Spot instances. Cancel the request first, then terminate the instances: if you terminate first while a persistent request is still active, the request simply relaunches them.
273
What is a Capacity Reservation?
A reservation of EC2 capacity in a specific AZ, either open-ended or with an end date; you pay the On-Demand rate for the reserved capacity whether or not matching instances are running.
274
What are the three EC2 placement group strategies?
Cluster, Spread, and Partition.
275
What is the main use case for a Cluster placement group?
Low-latency, high-throughput HPC workloads within a single Availability Zone using similar instance types.
276
How many instances per AZ are allowed in a Spread placement group?
Up to seven instances per AZ.
277
What is a Partition placement group used for?
Large distributed and replicated workloads, where partitions map to different racks and spread failure domains.
278
What is an ENI and its key properties?
An Elastic Network Interface; a virtual NIC bound to one AZ that can have multiple private IPs, security groups, and one Elastic IP per private IP.
279
What happens on EC2 Stop vs Terminate vs Hibernate?
Stop: EBS persists, instance store lost, host may change. Terminate: instance and associated volumes are deleted (if configured). Hibernate: RAM state is saved to encrypted EBS and restored on start.
280
What are some constraints for EC2 Hibernate?
RAM must be under 150 GB, the root volume must be an encrypted EBS volume large enough to hold the RAM contents, hibernation must be enabled at launch, and an instance cannot stay hibernated for more than 60 days.
281
What does an AMI contain?
The OS, configuration, and one or more snapshots for root and additional volumes.
282
Can you copy an AMI backed by an encrypted snapshot to become unencrypted?
No, copying an encrypted AMI cannot produce an unencrypted snapshot.
283
What is ENA vs EFA?
ENA provides up to 100 Gbps enhanced networking (including Windows); EFA is optimized for HPC and only works on Linux.
284
What is AWS Batch used for?
A managed service for running batch processing jobs at scale, handling job queues and compute provisioning.
285
What is AWS ParallelCluster used for?
An open-source toolkit for deploying and managing HPC clusters on AWS.
286
In which EC2 states are you billed?
Running, and Stopping only when the instance is preparing to hibernate (a normal stop is not billed for compute, though attached EBS storage still is). Reserved Instances are billed for their whole term whether or not a matching instance is running.
287
What is AWS Outposts?
AWS-managed hardware that extends AWS infrastructure and services to your on-premises environment.
288
What is AWS Wavelength?
AWS infrastructure embedded in 5G provider networks for ultra-low-latency applications.
289
What can IAM groups contain?
Only IAM users; groups cannot contain other groups.
290
How is permission applied in IAM?
Through policies attached to users, groups, or roles; AWS follows the principle of least privilege.
291
What is the default IAM evaluation logic?
Deny by default; explicit Allow grants access unless an explicit Deny is present.
292
Name two MFA options for IAM.
Virtual MFA authenticator apps (TOTP), FIDO security keys (formerly called U2F), and hardware TOTP tokens (key fobs).
293
What is the IAM credentials report?
An account-level report of all IAM users and their credential status.
294
What is IAM Access Advisor?
A tool that shows which services a user or role has used and when, to help trim permissions.
295
What does AWS Organizations manage?
Multiple AWS accounts under one management account, organized into Organizational Units (OUs) with central governance.
296
Do Service Control Policies (SCPs) apply to the management account?
No, SCPs do not restrict the management account.
297
Do SCPs affect service-linked roles?
No, service-linked roles are not affected by SCPs.
298
Name some services that support resource-based policies.
Amazon S3, SNS, SQS, Lambda, API Gateway, and KMS.
299
What are IAM Permission Boundaries used for?
To define the maximum permissions an IAM user or role can have, even if additional policies are attached.
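The evaluation order from cards 291 and 299 is easy to state and easy to get wrong in practice, so here is a small evaluator, added here as an illustration and not AWS code: it models only Effect, Action and Resource (no Principal, Condition, SCP or resource-policy logic), treats `*` and `?` as the only wildcards, and uses constructed sample policies with the documentation account ID 111122223333. It shows implicit deny, explicit deny beating a broader allow, and a permissions boundary that blocks an action the identity policy would otherwise grant.

```python
"""Simplified IAM evaluation: implicit deny, explicit allow, explicit deny wins, and a
permissions boundary that caps what identity policies can grant.

Added illustration, not AWS code. Only Effect/Action/Resource are modelled; the
policies and ARNs below are constructed examples."""
from fnmatch import fnmatchcase


def _as_list(value):
    """IAM accepts a string or a list for Action and Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """Case-sensitive glob match: IAM actions and ARNs use '*' and '?' wildcards."""
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def statement_effect(policies, action, resource):
    """Return 'Deny', 'Allow' or None (implicit deny) over all statements in all
    policies. An explicit Deny anywhere wins over any number of Allows."""
    effect = None
    for policy in policies:
        for stmt in policy.get("Statement", []):
            if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                effect = "Allow"
    return effect


def is_allowed(identity_policies, action, resource, boundary=None):
    """Decide a request. With a permissions boundary the action must be allowed by
    BOTH the identity policies and the boundary; a Deny in either blocks it."""
    if statement_effect(identity_policies, action, resource) != "Allow":
        return False  # implicit or explicit deny in the identity policies
    if boundary is not None and statement_effect([boundary], action, resource) != "Allow":
        return False  # the boundary caps the effective permissions
    return True


# Constructed sample policies (hypothetical bucket and account ID).
DEVELOPER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::app-bucket/*"},
        {"Effect": "Allow", "Action": ["iam:CreateUser", "iam:AttachUserPolicy"], "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::app-bucket/prod/*"},
    ],
}

# Boundary: developers may use S3 and CloudWatch Logs, but never IAM, however
# generous the policies attached to them become.
DEVELOPER_BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:*", "logs:*"], "Resource": "*"}],
}


def demo():
    """Decisions a practitioner should expect from the evaluation order."""
    p = [DEVELOPER_POLICY]
    user_arn = "arn:aws:iam::111122223333:user/new-user"
    return {
        "get_dev_object": is_allowed(p, "s3:GetObject", "arn:aws:s3:::app-bucket/dev/a.txt", DEVELOPER_BOUNDARY),
        "delete_prod_object": is_allowed(p, "s3:DeleteObject", "arn:aws:s3:::app-bucket/prod/a.txt", DEVELOPER_BOUNDARY),
        "create_user_no_boundary": is_allowed(p, "iam:CreateUser", user_arn),
        "create_user_with_boundary": is_allowed(p, "iam:CreateUser", user_arn, DEVELOPER_BOUNDARY),
        "ec2_implicit_deny": is_allowed(p, "ec2:RunInstances", "*", DEVELOPER_BOUNDARY),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {'ALLOW' if decision else 'DENY'}")
```

The `delete_prod_object` case is the one to remember: a broad `s3:*` allow does not help once any statement explicitly denies the action on that resource, and the boundary removes `iam:CreateUser` even though the identity policy grants it.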
300
What is IAM Identity Center (AWS SSO)?
A central service for single sign-on to AWS accounts and business applications, integrating with external IdPs.
301
What does AWS Control Tower do?
Sets up and governs a secure, multi-account AWS environment based on best practices using AWS Organizations.
302
What is a Preventive Guardrail in Control Tower?
A guardrail implemented via SCPs that prevents non-compliant actions, such as restricting regions.
303
What is a Detective Guardrail?
A guardrail implemented using AWS Config to detect and report non-compliant resources.
304
What is AWS Resource Access Manager (RAM) used for?
Sharing AWS resources such as subnets, transit gateways, and Route 53 Resolver rules across accounts.
305
Name three AWS Directory options.
AWS Managed Microsoft AD, AD Connector, and Simple AD.
306
What is federation in AWS?
Granting access to AWS resources using external identity providers without creating IAM users.
307
Name three federation options.
Federation with IAM Identity Center, federation with IAM roles (SAML/OIDC), and federation via Cognito identity pools.
308
What is Amazon CloudFront?
AWS’s content delivery network (CDN) that caches content at edge locations.
309
Name four possible CloudFront origins.
S3, EC2, Application Load Balancer, and any HTTP endpoint.
310
When is CloudFront recommended in front of S3 for large files?
Typically when files are under about 1 GB, though it can be used with larger files with optimizations.
311
How can CloudFront handle sensitive data in payloads?
By using field-level encryption for specific content fields.
312
What are the three CloudFront price classes?
All edge locations, Price Class 200 (excluding most expensive regions), and Price Class 100 (cheapest regions only).
313
What is a CloudFront cache invalidation?
An operation that removes or refreshes objects in cache so updated content is served from the origin.
314
What are CloudFront Functions used for?
Lightweight JavaScript functions to modify viewer requests and responses at the edge with sub-millisecond startup.
315
What is Lambda@Edge used for?
More powerful request and response manipulation at CloudFront edge locations for both viewer and origin events.
316
What is Origin Access Identity (OAI)?
A special principal used by a CloudFront distribution to securely access S3 buckets that block public access.
317
What is Origin Access Control (OAC)?
The newer, preferred mechanism to restrict an S3 origin to specific CloudFront distributions; CloudFront signs origin requests with SigV4, and unlike OAI it supports SSE-KMS-encrypted buckets and all AWS Regions.
318
What AWS services can mitigate DDoS at the edge?
CloudFront, Global Accelerator, and Route 53 (often with AWS Shield).
319
What is AWS Global Accelerator?
A networking service that provides two anycast static IPs and routes traffic over the AWS global network to your application endpoints.
320
How does Global Accelerator differ from CloudFront?
Global Accelerator optimizes TCP/UDP network paths and doesn’t cache; CloudFront is a caching CDN.
321
What is the maximum size of a single S3 object?
5 TB.
322
When must you use multipart upload in S3?
For objects larger than 5 GB (recommended for large objects generally).
323
What does S3 Block Public Access do?
Provides a central control to block public access to buckets and objects at the account and bucket level.
324
What does S3 Versioning do when you overwrite an object?
It preserves the previous version and makes the new version the current one.
325
When you delete an object in a versioned bucket, what actually happens?
A delete marker is added; previous versions remain retrievable.
326
Can S3 versioning be fully disabled after it is enabled?
No; it can only be suspended, not disabled.
327
What is a fundamental requirement for S3 replication?
Bucket versioning must be enabled on both the source and destination buckets.
328
Are existing objects automatically replicated when enabling S3 replication?
No, only new objects are replicated; use S3 Batch Replication for existing objects.
329
What is Glacier Instant Retrieval good for?
Archive data that needs millisecond retrieval and is accessed roughly once per quarter, with a 90-day minimum storage duration.
330
What retrieval modes exist for Glacier Flexible Retrieval?
Expedited (1–5 minutes), Standard (3–5 hours), and Bulk (5–12 hours); all have a 90-day minimum storage duration.
331
What is Glacier Deep Archive’s minimum storage duration?
180 days, with Standard retrieval around 12 hours and Bulk up to 48 hours.
332
What are the Intelligent-Tiering storage tiers?
Frequent Access, Infrequent Access (after 30 consecutive days without access), Archive Instant Access (after 90 days), and two optional opt-in tiers: Archive Access (configurable from 90 to 730 days) and Deep Archive Access (configurable from 180 to 730 days).
333
What is Provisioned Capacity for Glacier Flexible Expedited retrievals?
A capacity reservation that guarantees at least three expedited retrievals every five minutes with up to 150 MB/s throughput.
334
What are the two types of S3 lifecycle rules?
Transition rules (moving objects between storage classes) and Expiration rules (deleting objects).
335
What does Requester Pays do in S3?
Shifts request and data-transfer costs to the requester while the bucket owner still pays for storage; requesters must be authenticated (anonymous access is rejected) and must include the x-amz-request-payer header (or equivalent query parameter) to confirm they accept the charges.
336
Which services can receive S3 event notifications?
Amazon SNS, Amazon SQS (standard queues only, not FIFO), AWS Lambda, and Amazon EventBridge, which can fan events out to many more targets with filtering.
337
What are the S3 per-prefix performance limits?
Approximately 3,500 PUT/COPY/POST/DELETE and 5,500 GET/HEAD requests per second per prefix.
338
Name three techniques to improve S3 performance.
Use multipart upload, S3 Transfer Acceleration, S3 byte-range fetches, and distribute objects across multiple prefixes.
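Cards 321 to 323 and 338 to 339 give the limits and the performance advice; the planning logic that follows from them is shown below as an added example (not AWS or boto3 code, and it makes no network calls). It splits an object into multipart ranges that respect the 5 GiB single-PUT limit, the 5 MiB minimum part size, the 10,000-part maximum and the 5 TiB object maximum, and reuses the same splitter to build Range headers for parallel byte-range GETs.

```python
"""Plan S3 multipart uploads and byte-range downloads against the service limits.
Added illustration; not AWS code. Limits used: single PUT up to 5 GiB, objects up to
5 TiB, 5 MiB minimum part size (except the last part), at most 10,000 parts."""
MiB, GiB, TiB = 1 << 20, 1 << 30, 1 << 40
MAX_OBJECT = 5 * TiB
MAX_SINGLE_PUT = 5 * GiB
MIN_PART = 5 * MiB
MAX_PARTS = 10_000


def split_ranges(size, chunk):
    """Inclusive (start, end) byte ranges covering [0, size) in pieces of `chunk`."""
    return [(start, min(start + chunk, size) - 1) for start in range(0, size, chunk)]


def needs_multipart(size):
    """Multipart is mandatory above a single PUT; AWS recommends it from about 100 MiB."""
    return size > MAX_SINGLE_PUT


def plan_parts(size, preferred_part=100 * MiB):
    """Return (part_number, start, end) tuples for a multipart upload.

    The preferred part size is raised to the 5 MiB minimum, and raised again only when
    it would otherwise need more than 10,000 parts (ceil(size / MAX_PARTS))."""
    if size <= 0 or size > MAX_OBJECT:
        raise ValueError(f"object size {size} bytes is outside 1..{MAX_OBJECT}")
    part = max(preferred_part, MIN_PART, -(-size // MAX_PARTS))
    return [(number, start, end)
            for number, (start, end) in enumerate(split_ranges(size, part), start=1)]


def range_headers(size, chunk=8 * MiB):
    """HTTP Range header values for fetching one object with parallel byte-range GETs
    (downloads have no minimum chunk, so no 5 MiB floor is applied)."""
    return [f"bytes={start}-{end}" for start, end in split_ranges(size, chunk)]


if __name__ == "__main__":
    for size in (50 * MiB, 250 * MiB, 6 * GiB, MAX_OBJECT):
        parts = plan_parts(size)
        print(f"{size / GiB:9.3f} GiB -> multipart required: {needs_multipart(size)!s:5} "
              f"parts: {len(parts):5} part size: {(parts[0][2] + 1) / MiB:.1f} MiB")
    print(range_headers(20 * MiB))
```

For a 5 TiB object the planner ends up with parts of roughly 524 MiB, because that is the smallest size that still fits within 10,000 parts; at the other end, a 50 MiB object gets a single 50 MiB part, which is still valid because only the last part may be smaller than 5 MiB.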
339
What are the three main S3 server-side encryption options?
SSE-S3, SSE-KMS, and SSE-C.
340
What is MFA Delete in S3?
An extra protection requiring MFA for permanent deletion of versions or changing versioning state; only the root user can enable/disable it.
341
What are S3 Access Logs used for?
Capturing detailed records of requests to a bucket for audit and analytics.
342
What are S3 pre-signed URLs?
Time-limited URLs granting temporary access to specific objects.
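What makes a pre-signed URL time-limited is that the expiry and the issue time are part of the signed string, and the signing key is derived from the secret key, date, Region and service. The block below is an added illustration, not AWS or boto3 code: it builds a SigV4 query-string-signed GET URL with only the standard library and then plays the server's role, verifying the window and recomputing the signature, so you can see that extending `X-Amz-Expires` in the URL invalidates it. It uses the example credentials from the AWS documentation and a constructed bucket and key, signs only the `host` header, and omits session tokens, version IDs and non-virtual-hosted addressing.

```python
"""SigV4 pre-signed GET URL for S3, generated and verified with the standard library.
Added illustration, not AWS or boto3 code. Credentials are the AWS documentation
examples; bucket and key are constructed."""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, quote, unquote, urlparse

ALGORITHM = "AWS4-HMAC-SHA256"


def _hmac(key, msg):
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _enc(value):
    """SigV4 URI encoding: everything except unreserved characters is percent-encoded."""
    return quote(value, safe="-_.~")


def signing_key(secret_key, date_stamp, region, service="s3"):
    """Derived daily key: HMAC chain over date, region, service and 'aws4_request'."""
    k_date = _hmac(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    return _hmac(_hmac(_hmac(k_date, region), service), "aws4_request")


def _signature(host, key, params, secret_key):
    """Canonical request -> string to sign -> hex signature (GET, host header only,
    unsigned payload, as S3 pre-signed URLs do). Returns (signature, uri, query)."""
    region = params["X-Amz-Credential"].split("/")[2]
    date_stamp = params["X-Amz-Date"][:8]
    canonical_query = "&".join(f"{_enc(k)}={_enc(v)}" for k, v in sorted(params.items()))
    canonical_uri = quote("/" + key, safe="/-_.~")
    canonical_request = "\n".join([
        "GET", canonical_uri, canonical_query,
        f"host:{host}\n",       # canonical headers, each line newline-terminated
        "host",                 # signed headers
        "UNSIGNED-PAYLOAD",     # the body is not part of a pre-signed GET
    ])
    string_to_sign = "\n".join([
        ALGORITHM, params["X-Amz-Date"], f"{date_stamp}/{region}/s3/aws4_request",
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    sig = hmac.new(signing_key(secret_key, date_stamp, region),
                   string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return sig, canonical_uri, canonical_query


def presign_get(bucket, key, access_key, secret_key, region, expires_in, now):
    """Client side: URL for GET s3://bucket/key valid for expires_in seconds from now."""
    host = f"{bucket}.s3.{region}.amazonaws.com"
    date_stamp = now.strftime("%Y%m%d")
    params = {
        "X-Amz-Algorithm": ALGORITHM,
        "X-Amz-Credential": f"{access_key}/{date_stamp}/{region}/s3/aws4_request",
        "X-Amz-Date": now.strftime("%Y%m%dT%H%M%SZ"),
        "X-Amz-Expires": str(expires_in),
        "X-Amz-SignedHeaders": "host",
    }
    sig, uri, query = _signature(host, key, params, secret_key)
    return f"https://{host}{uri}?{query}&X-Amz-Signature={sig}"


def verify_presigned(url, secret_key, at):
    """Server side: reject outside the [X-Amz-Date, X-Amz-Date + X-Amz-Expires) window,
    then recompute the signature over the presented parameters and compare."""
    parsed = urlparse(url)
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    presented = params.pop("X-Amz-Signature", "")
    issued = datetime.strptime(params["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    if not issued <= at < issued + timedelta(seconds=int(params["X-Amz-Expires"])):
        return False
    expected, _, _ = _signature(parsed.netloc, unquote(parsed.path)[1:], params, secret_key)
    return hmac.compare_digest(expected, presented)


def demo():
    """Issue a one-hour URL and check it as the service would at several moments."""
    access, secret = "AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
    now = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
    url = presign_get("example-bucket", "reports/q1 2024.pdf", access, secret, "us-east-1", 3600, now)
    tampered = url.replace("X-Amz-Expires=3600", "X-Amz-Expires=86400")
    return {
        "url": url,
        "valid_after_30_min": verify_presigned(url, secret, now + timedelta(minutes=30)),
        "expired_after_2_h": verify_presigned(url, secret, now + timedelta(hours=2)),
        "tampered_expiry": verify_presigned(tampered, secret, now + timedelta(minutes=30)),
        "wrong_secret": verify_presigned(url, "not-the-secret", now + timedelta(minutes=30)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two practical consequences follow from the construction: a URL is only as long-lived as the credentials that signed it (one signed with temporary role credentials dies when they expire, whatever `X-Amz-Expires` says), and because the signature covers the canonical URI, a URL for one object key cannot be reused for another.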
343
What is S3 Glacier Vault Lock?
A WORM policy for Glacier vaults; once locked, the policy cannot be changed and objects cannot be deleted before retention.
344
What is S3 Object Lock?
Per-object-version WORM protection on a versioned bucket that prevents deletion for a retention period.
345
What are the two S3 Object Lock modes?
Compliance mode (no one, including the root user, can overwrite or delete a protected object version or shorten its retention until it expires) and Governance mode (principals with the s3:BypassGovernanceRetention permission can override it).
346
What is a Legal Hold in S3 Object Lock?
An indefinite protection that prevents deletion of an object version until it is explicitly removed, independent of any retention period; setting or removing it requires the s3:PutObjectLegalHold permission.
347
What do S3 Access Points do?
Provide per-application endpoints with their own policies and DNS names for shared buckets, simplifying bucket policies.
348
What are S3 Object Lambda Access Points?
Access points that invoke a Lambda function to transform data before returning the object to the caller.
349
What are Snowcone and Snowball Edge used for?
Offline data migration and edge computing; Snowcone handles up to ~14 TB, Snowball Edge up to ~80–210 TB and supports clustering.
350
What is Snowmobile used for?
Moving petabytes to exabytes of data using truck-mounted storage containers.
351
Can Snowball Edge load directly to Glacier?
No, data lands in S3 first; you can transition to Glacier via lifecycle rules.
352
What is Amazon FSx generally?
A family of fully managed, high-performance file systems (Lustre, Windows File Server, NetApp ONTAP, and OpenZFS).
353
What is AWS Storage Gateway?
A hybrid storage service bridging on-premises data with AWS using file, volume, and tape gateways.
354
What is the difference between Cached and Stored Volume Gateway?
Cached mode keeps only hot data on-prem and stores full data in S3; Stored mode keeps the full dataset on-prem with async backup to AWS.
355
What is AWS Transfer Family?
A managed service for transferring files into and out of S3 or EFS over SFTP, FTPS, FTP, and AS2, with authentication via a service-managed store, AWS Directory Service, or a custom identity provider.
356
What is AWS DataSync used for?
Scheduled, incremental, high-speed transfer between on-premises storage (NFS, SMB, HDFS, object stores) and AWS, or between AWS storage services; it can write directly into any S3 storage class, including the Glacier classes, without a lifecycle transition.
357
How many VPCs per region can you create by default?
Five VPCs per region (soft limit).
358
What is the largest and smallest VPC CIDR allowed?
/16 (65,536 IPs) and /28 (16 IPs).
359
Name the three RFC1918 private IP ranges.
10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16.
360
How many IPs does AWS reserve in each subnet and which ones?
Five addresses: the network address (.0), the VPC router (.1), the Amazon-provided DNS resolver (.2), one reserved for future use (.3), and the broadcast address (the last address of the subnet, .255 in a /24). A /28 subnet therefore has only 11 usable addresses.
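Cards 358 to 360 are the inputs to every subnet plan, so here is the arithmetic as an added example, not AWS code, using only the standard library: it validates a proposed VPC CIDR against the /16 to /28 bounds and RFC1918, lists the five reserved addresses of a subnet by role, computes usable host counts, and carves a VPC into equal subnets. Address ranges in the demo are constructed.

```python
"""VPC CIDR checks, AWS-reserved subnet addresses and subnet carving.
Added illustration, not AWS code; uses only the standard library."""
import ipaddress

RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MIN_PREFIX, MAX_PREFIX = 16, 28   # a VPC CIDR must be between /16 and /28 inclusive
RESERVED_PER_SUBNET = 5


def check_vpc_cidr(cidr):
    """Return a list of problems with a proposed VPC CIDR; an empty list means OK.
    Non-RFC1918 space is allowed by AWS but flagged because it complicates peering
    and VPN routing later."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)   # strict: host bits must be zero
    except ValueError as exc:
        return [f"{cidr}: {exc}"]
    problems = []
    if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
        problems.append(f"{cidr}: prefix must be between /{MIN_PREFIX} and /{MAX_PREFIX}")
    if net.version == 4 and not any(net.subnet_of(r) for r in RFC1918):
        problems.append(f"{cidr}: not RFC1918 private space")
    return problems


def reserved_addresses(subnet_cidr):
    """The five addresses AWS reserves in every subnet, keyed by role."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    base = int(net.network_address)
    return {
        "network": str(net.network_address),
        "vpc_router": str(ipaddress.ip_address(base + 1)),
        "dns": str(ipaddress.ip_address(base + 2)),
        "future_use": str(ipaddress.ip_address(base + 3)),
        "broadcast": str(net.broadcast_address),   # last address, not always .255
    }


def usable_hosts(subnet_cidr):
    """Addresses you can actually assign to ENIs in the subnet."""
    return ipaddress.ip_network(subnet_cidr, strict=True).num_addresses - RESERVED_PER_SUBNET


def carve_subnets(vpc_cidr, new_prefix, count):
    """First `count` subnets of size /new_prefix inside the VPC, with usable host counts."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    if new_prefix > MAX_PREFIX or new_prefix < vpc.prefixlen:
        raise ValueError(f"subnet prefix /{new_prefix} not valid inside {vpc_cidr}")
    subnets = list(vpc.subnets(new_prefix=new_prefix))
    if count > len(subnets):
        raise ValueError(f"{vpc_cidr} holds only {len(subnets)} /{new_prefix} subnets")
    return [(str(s), usable_hosts(str(s))) for s in subnets[:count]]


if __name__ == "__main__":
    for cidr in ("10.0.0.0/16", "10.0.0.0/8", "10.0.0.0/29", "100.64.0.0/16", "10.0.0.1/16"):
        print(cidr, check_vpc_cidr(cidr) or "ok")
    print(reserved_addresses("10.0.1.16/28"), usable_hosts("10.0.1.16/28"))
    print(carve_subnets("10.0.0.0/16", 24, 3))
```

The `/28` case is the one that bites in practice: 16 addresses minus the 5 reserved leaves 11, so a small subnet intended for a pair of NAT Gateways or an interface endpoint per AZ fills up faster than the CIDR suggests.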
361
Can a subnet span multiple Availability Zones?
No, each subnet resides entirely in a single Availability Zone.
362
What is a key feature of the default VPC?
It has an Internet Gateway attached and subnets with auto-assigned public IPs.
363
What is an Internet Gateway?
A VPC resource that enables communication between instances in the VPC and the Internet.
364
When does a subnet become public?
When its route table has a route to an Internet Gateway.
365
What is a Bastion Host used for?
An SSH or RDP jump host in a public subnet used to reach instances in private subnets. Its security group should allow port 22 or 3389 only from trusted source IP ranges, and the private instances' security groups should allow that port only from the bastion's security group.
366
What is a NAT Instance vs a NAT Gateway?
A NAT Instance is a manually managed EC2-based NAT; NAT Gateway is a managed, scalable, highly available NAT service per AZ.
367
Why must Source/Destination Check be disabled on a NAT Instance?
So it can forward traffic that is not destined for itself.
368
What are NAT Gateway throughput characteristics?
Starts at 5 Gbps and automatically scales up to 100 Gbps.
369
Can instances in the same subnet as a NAT Gateway use that NAT?
No. A NAT Gateway lives in a public subnet and serves private subnets whose route tables send 0.0.0.0/0 to it; instances in the public subnet itself reach the Internet through the Internet Gateway.
370
Compare Security Groups vs NACLs.
Security Groups are instance-level, stateful, and allow-only; NACLs are subnet-level, stateless, and support both allow and deny rules.
371
What is the default behavior of the default NACL vs a newly created NACL?
The default NACL allows all traffic; a new NACL denies all traffic until rules are added.
372
Why must ephemeral ports be allowed in NACLs?
Because NACLs are stateless and must allow both inbound and outbound ephemeral port ranges for return traffic.
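Cards 370 to 372 describe the difference in words; the simulation below, an added example and not AWS code, shows it on a concrete HTTPS exchange with constructed addresses. The NACL evaluates each packet independently against numbered rules (lowest number that matches wins, implicit deny at the end), so the server's reply to the client's ephemeral port is dropped unless an outbound rule opens 1024-65535; the security group tracks the connection and lets the reply through with no outbound rule at all.

```python
"""Stateless NACL versus stateful Security Group, on a single TCP/443 exchange.
Added illustration, not AWS code. Packets are reduced to protocol, addresses and ports."""
import ipaddress
from dataclasses import dataclass

EPHEMERAL = (1024, 65535)   # range AWS recommends opening on NACLs for return traffic


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    number: int     # NACL rules are evaluated in ascending number order
    proto: str      # 'tcp', 'udp' or 'all'
    cidr: str       # remote CIDR: source for inbound rules, destination for outbound
    ports: tuple    # (low, high) inclusive; ignored when proto is 'all'
    action: str     # 'allow' or 'deny'


def _rule_matches(rule, proto, remote_ip, port):
    if rule.proto not in ("all", proto):
        return False
    if ipaddress.ip_address(remote_ip) not in ipaddress.ip_network(rule.cidr):
        return False
    return rule.proto == "all" or rule.ports[0] <= port <= rule.ports[1]


def nacl_decides(rules, proto, remote_ip, port):
    """First matching rule by number wins; the implicit '*' rule at the end denies."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _rule_matches(rule, proto, remote_ip, port):
            return rule.action == "allow"
    return False


def nacl_allows_exchange(inbound, outbound, request, response):
    """Stateless: the request is judged by the inbound rules and the response,
    separately, by the outbound rules (remote = response destination and port)."""
    return (nacl_decides(inbound, request.proto, request.src, request.dport)
            and nacl_decides(outbound, response.proto, response.dst, response.dport))


class SecurityGroup:
    """Stateful and allow-only: once an inbound request is allowed, the mirrored
    response is allowed because the connection is tracked."""

    def __init__(self, inbound_rules):
        self.inbound_rules = inbound_rules   # list of (proto, cidr, (low, high))
        self._tracked = set()

    def allows_inbound(self, pkt):
        for proto, cidr, ports in self.inbound_rules:
            if (proto == pkt.proto and ports[0] <= pkt.dport <= ports[1]
                    and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(cidr)):
                self._tracked.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return True
        return False

    def allows_outbound_response(self, pkt):
        """A response is the mirror image of a tracked request; no outbound rule needed."""
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self._tracked


def demo():
    client, server = "203.0.113.10", "10.0.1.20"   # constructed (TEST-NET-3 and private)
    request = Packet("tcp", client, 50000, server, 443)
    response = Packet("tcp", server, 443, client, 50000)

    inbound = [Rule(100, "tcp", "0.0.0.0/0", (443, 443), "allow")]
    outbound_no_ephemeral = [Rule(100, "tcp", "0.0.0.0/0", (443, 443), "allow")]
    outbound_with_ephemeral = outbound_no_ephemeral + [Rule(110, "tcp", "0.0.0.0/0", EPHEMERAL, "allow")]

    sg = SecurityGroup([("tcp", "0.0.0.0/0", (443, 443))])
    sg_request = sg.allows_inbound(request)
    sg_response = sg.allows_outbound_response(response)
    return {
        "nacl_without_ephemeral": nacl_allows_exchange(inbound, outbound_no_ephemeral, request, response),
        "nacl_with_ephemeral": nacl_allows_exchange(inbound, outbound_with_ephemeral, request, response),
        "sg_request": sg_request,
        "sg_response": sg_response,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'pass' if ok else 'dropped'}")
```

Rule numbering matters as much as statefulness: a deny rule numbered 90 for a CIDR is honoured before an allow numbered 100 for 0.0.0.0/0, which is how NACLs are used to blacklist a specific source while security groups cannot express a deny at all.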
373
What are the requirements for VPC peering?
Non-overlapping CIDRs, the connection is not transitive, and route tables on both sides must be updated.
374
What is a VPC Endpoint?
A private connection from your VPC to supported AWS services without using public IPs, the Internet, or NAT.
375
What is the difference between Interface and Gateway endpoints?
Interface endpoints create ENIs with private IPs, use security groups, and support most services via PrivateLink; Gateway endpoints are free, route-table targets that support S3 and DynamoDB in the same region.
376
What is a VPC Flow Log?
A log of IP traffic to and from ENIs, subnets, or VPCs, delivered to S3, CloudWatch Logs, or Kinesis Data Firehose.
377
What is required to create a Site-to-Site VPN?
A Virtual Private Gateway (VGW) on the AWS side and a Customer Gateway (CGW) on the customer side.
378
What is VPN CloudHub used for?
Connecting multiple sites to a single VGW in a hub-and-spoke topology.
379
What is AWS Direct Connect?
A dedicated private network link between the customer data center and an AWS Direct Connect location.
380
What is a Direct Connect Gateway used for?
Connecting a single DX connection to multiple VPCs across regions.
381
Does Direct Connect encrypt traffic by default?
No, DX traffic is private but not encrypted; you add a VPN over DX for encryption.
382
What does a Transit Gateway provide?
Hub-and-spoke transitive routing between VPCs, Site-to-Site VPNs, and Direct Connect; it is a regional resource that can be shared across accounts with AWS RAM and peered with Transit Gateways in other Regions.
383
What is VPC Traffic Mirroring used for?
Copying traffic from ENIs to monitoring or security appliances for deep inspection.
384
What is an Egress-Only Internet Gateway used for?
Allowing outbound-only IPv6 Internet access while blocking inbound IPv6 connections from the Internet.
385
What does AWS Network Firewall protect?
Entire VPC traffic at layers 3–7 with centrally managed rules, integrating with AWS Firewall Manager.
386
What is AWS Cost Explorer used for?
Visualizing and analyzing AWS cost and usage over time with hourly and resource-level granularity.
387
How far ahead can Cost Explorer forecast usage?
Up to 12 months based on historical usage.
388
Does Cost Explorer have an API?
Yes, it provides an API with pagination support.
389
What does AWS Cost Anomaly Detection do?
Monitors spending using machine learning to detect abnormal costs and send alerts with root-cause analysis.
390
What entities can Cost Anomaly Detection monitor?
AWS services, member accounts, cost allocation tags, and cost categories.
391
How can you receive Cost Anomaly Detection alerts?
Through Amazon SNS, either as individual alerts or daily/weekly summaries.