General Flashcards

Question

What is an Interface VPC Endpoint?

Answer 1

An Interface VPC Endpoint is an elastic network interface (ENI) in your VPC that privately connects you to AWS services or powered-by-PrivateLink services without using the internet. Each endpoint is powered by AWS PrivateLink. Traffic stays within the AWS network (no public IPs). Use case: Access S3, DynamoDB, or Secrets Manager privately from a Lambda function inside a VPC, without needing a NAT gateway.

Answer 2

An Elastic Network Interface (ENI) is a virtual network card in AWS attached to an EC2 instance. - Has its own private IP, MAC address, security groups, etc. - Can be attached/detached from EC2 instances. Use case: Use a secondary ENI to move a static IP between EC2 instances for high availability or failover.

Answer 3

A MAC address (Media Access Control address) is a unique hardware identifier for a network interface. - Assigned at the data link layer (Layer 2). - Format: 00:1A:2B:3C:4D:5E - Used for local network communication (e.g. within a VPC or LAN). Use case: Devices use MAC addresses to identify each other on the same subnet before assigning IP addresses.

Answer 4

Static IP: A fixed IP address that doesn’t change. General concept used across networks. Elastic IP (EIP): AWS-specific static IPv4 address you can: - Allocate to your account - Remap between EC2 instances - Retain even if an instance stops/starts Key difference: An Elastic IP is a static IP with AWS-specific control, designed for cloud flexibility (e.g. failover, reassignment).

Answer 5

Summary: - IPv4 is legacy, limited, and uses NAT. - IPv6 is modern, abundant, and designed for future scalability. IPv4: - Address size: 32-bit (e.g. 192.0.2.1) - Total addresses: ~4.3 billion - Format: Decimal, dotted notation - NAT needed: Yes (due to shortage) - Adoption: Widely used IPv6: - 128-bit (e.g. 2001:0db8::1) - Total addresses: ~340 undecillion - Format: Hexadecimal, colon-separated - NAT needed: No (more addresses) - Adoption: Growing adoption

Answer 6

SQL Injection: Use AWS WAF for basic protection, and secure your app logic for full coverage. - Use WAF (Web Application Firewall) with managed rules for SQLi protection. - Use Amazon RDS or Aurora with prepared statements (via your app code). XXS: - Use AWS WAF with XSS managed rules. - Ensure app code properly sanitizes/escapes output (AWS WAF can't sanitize responses). - Set CSP headers via CloudFront or API Gateway for frontend protection. (CSP (Content Security Policy) headers are HTTP headers that control which content (scripts, styles, etc.) the browser is allowed to load.)

Answer 7

The canonical name record (CNAME) is switched from the primary to standby instance. In Amazon RDS, the CNAME is the endpoint DNS name that always points to the current primary instance. Use case: Your app connects using the RDS CNAME so it doesn’t need changes if AWS promotes a standby during Multi-AZ failover. i.e. If your RDS instance fails, AWS promotes a standby. The CNAME stays the same, so your app keeps working without changing the connection string.

Answer 8

No, since IP addresses are per subnet, and subnets cannot span multiple AZs. RDS IP addresses can change during failover. Instead, AWS updates the RDS endpoint (CNAME) to point to the new primary. Your app should always connect using the RDS endpoint, not the IP address.

Answer 9

IPv4 Use Case: Most current networks (home, business, cloud) still use IPv4 due to compatibility. Example: A company sets up a website using an IPv4 address like 192.168.1.1, accessible to most users worldwide. IPv6 Use Case: Needed for large-scale IoT or future-proof networking. Example: A smart city deploys millions of IoT sensors (streetlights, cameras) using IPv6, ensuring each device gets a unique address without NAT.

Answer 10

RDS Proxy & Lambda – Improves DB efficiency for Lambda. Example: Lambda functions connect to RDS via RDS Proxy to manage connections efficiently. RDS Proxy is a managed database connection pooler for RDS and Aurora. In the context of AWS Lambda: - Lambdas scale quickly, causing too many DB connections. - RDS Proxy manages and reuses connections efficiently. - Prevents database overload and improves failover handling. Use case: A high-traffic Lambda function queries RDS without exhausting DB connections by routing through RDS Proxy.

Answer 11

No, RDS Proxy is not used with DynamoDB. - RDS Proxy is for relational databases (RDS, Aurora). - DynamoDB is a NoSQL service that doesn't use persistent connections, so it doesn't need a proxy. For DynamoDB, use SDK calls directly with built-in connection management and retry logic.

Answer 12

Direct Connect: - For fast, dedicated on-premises to AWS connectivity. - Example: A bank uses Direct Connect for a high-speed, low-latency link between its data center and AWS for secure transactions. NAT Gateway: - Let private subnets reach the internet. For secure outbound internet access from a private subnet. - Example: A private EC2 instance uses a NAT Gateway to download OS updates from the internet without exposing itself. VPC Endpoint: - Let VPCs privately access AWS services. For private access to AWS services without using the internet. More cost effective than a NAT gateway - Example: A Lambda function in a private subnet accesses an S3 bucket via a VPC Endpoint without internet exposure.

Answer 13

AWS Shield & WAF can stop DDoS attacks Example: - Use Shield Advanced for DDoS mitigation on CloudFront distributions. Shield protects against large-scale DDoS attacks automatically, - WAF lets you define rules to block specific web threats like SQL injection and XSS. WAF also allows you to rate limits at the application layer (7) to limit ddos. However for large scale network/transport layer ddos attacks (layer 3 / 4) use Shield. Shield Advanced also provides attack analytics and response support, which WAF lacks.

Answer 14

- Parameter Store stores config or secrets, optionally encrypted. - Secrets Manager stores sensitive secrets with rotation. Example: - Parameter Store stores config or secrets, optionally encrypted. - Store API keys in Secrets Manager - Encrypt with KMS. SSM Parameter Store: - Stores values?: Yes (plain or encrypted) - secrets/API keys without rotation - Encryption: Optional. Use SecureString with KMS for encrypted values. - Auto rotation: No - Best for: Configs, app settings , used with Lambda - Cost: Free (standard), paid tier Secrets Manager: - Stores values?: Yes (encrypted secrets) - Encryption: Always (uses KMS) - Auto rotation: Yes - Best for: Passwords, tokens, API keys - Cost: Paid (per secret + API calls) KMS: - Stores values?: No – stores keys, not values - Encryption: Manages encryption keys - Auto rotation: No (rotation for keys only) - Best for: Encrypting data (e.g. in S3, RDS) - Cost: Paid per key usage

Answer 15

In RDS failover: - Primary and standby have different IPs, each tied to a different Availability Zone subnet. - During failover, DNS (CNAME) is updated to point to the new primary’s IP. - The IPs themselves don’t move; they're fixed to the subnet of each DB instance. Summary: Failover = CNAME shifts, IPs are subnet-bound and do not transfer between DBs.

Answer 16

NACLs: - Level: Subnet-level - Stateful: ❌ No – rules must allow both directions - Rules apply to: Allow + deny rules. Default allows all inbound and outbound traffic, with an implicit deny for unmatched traffic (custom NACL have no rules, - all traffic is denied by default). - Default behaviour: Allow all unless denied (default NACL) - Rule evaluation: Rules evaluated in number order - Use case: Broad subnet-level filtering (e.g. deny IPs) Security Groups: - Level: Instance-level - Stateful: ✅ Yes – return traffic is auto-allowed - Rules apply to: Only allowed traffic. Default allows all outbound traffic, blocks all inbound traffic unless explicitly allowed. - Default behaviour: Deny all unless allowed - Rule evaluation: All rules are evaluated - Use case: Control access to EC2 Example: NACL allows/block rules at the subnet level, Security Group controls instance access.

Answer 17

NLBs preserve the source IP, allowing trusted IP filtering in downstream security groups or app logic. Elastic IPs can be assigned to NLBs, making it easy for clients to whitelist known IPs (e.g. for secure payment API access). In contrast, ALBs use NAT and do not preserve the client IP at the network layer, so trusted IP filtering must be done using AWS WAF or application-level checks via the X-Forwarded-For header.

Answer 18

AWS DMS uses Change Data Capture (CDC) to replicate ongoing changes from the source to the target database in real time. Enables minimal downtime by keeping the target in sync during migration CDC captures inserts, updates, and deletes, ensuring a smooth cutover with up-to-date data. Example: Continuously replicate changes during a live database migration.

Answer 19

AWS Global Accelerator is a networking service that improves performance and availability for global users by routing traffic over the AWS global network instead of the public internet. Key features: - Provides static IP addresses for your application. - Automatically routes traffic to the nearest healthy AWS endpoint (e.g. ALB, NLB, EC2, or IP). - Reduces latency and jitter by using the AWS backbone. - Supports health checks and automatic failover between regions. Use case example: Speed up global access to a multi-region application by routing users through the closest AWS edge location (or the closest healthy region).

Answer 20

Static Anycast IPs are fixed IP addresses that are advertised from multiple locations (edge or regional), allowing users to reach the nearest endpoint via the same IP. In AWS (e.g. with Global Accelerator): - You get two static Anycast IPs. - These IPs don’t change and are routed globally. - Traffic is automatically directed to the closest healthy AWS region or endpoint, improving performance and availability. Benefit: You can provide a single, stable IP to clients worldwide while leveraging AWS’s global infrastructure for fast, resilient routing. Use case example: You run a multi-region web app serving users in the US, Europe, and Asia. By placing your app behind AWS Global Accelerator with static Anycast IPs, users are automatically routed to the nearest healthy region, reducing latency and ensuring high availability—all through a single, fixed IP.

Answer 21

A VPC Interface Endpoint is an ENI (Elastic Network Interface) in your VPC that privately connects to AWS services or powered-by-PrivateLink services without using the public internet. - Uses an ENI with a private IP. - Enables secure, private access to AWS services (e.g. API Gateway, CloudWatch). - Needed for services requiring complex networking, beyond what gateway endpoints support. Use case: Access API Gateway privately from EC2 instances in a VPC without sending traffic over the internet, using a VPC Interface Endpoint.

Answer 22

A Gateway Endpoint allows private access to S3 or DynamoDB from your VPC without using the internet or a NAT gateway. A route to AWS services (e.g., S3, DynamoDB) using a gateway; no ENI, works by updating the route table. Use case: An app in a private subnet uploads files to S3 using a Gateway Endpoint, avoiding NAT gateway costs and keeping traffic within AWS.

Answer 23

**VPC Interface Endpoint** Type: ENI (Elastic Network Interface) Services Supported: Many (e.g. API Gateway, CloudWatch) Connectivity: Private IP via ENI Cost: Charged per hour + data Use Cases: Complex services needing ENIs **Gateway Endpoint** Type: Route table entry Services Supported: Only S3 and DynamoDB Connectivity: Route traffic via VPC route table Cost: Free Use Cases: High-throughput access to S3/DynamoDB Practical Use Cases: Interface Endpoint: Access API Gateway from private EC2 instances without internet/NAT, e.g. securely calling internal APIs via PrivateLink. Gateway Endpoint: Upload logs from private EC2 instances to S3 using private routing, avoiding NAT gateway and internet exposure.

Answer 24

Use ENI when: - You need private access to services (e.g. via Interface Endpoints). - You require multiple IPs, MACs, or security groups on one instance. - You’re building network appliances (firewalls, proxies). - You want failover or move networking between EC2s. Don't use ENI when: - A single IP and basic networking is enough. - You're accessing S3/DynamoDB — use a Gateway Endpoint instead. - You don’t need custom networking, the default ENI is sufficient.

Answer 25

Amazon FSx for Lustre is a fully managed high-performance file system optimized for fast processing of large data sets, such as machine learning, HPC, and big data workloads. Key points: - Integrates with Amazon S3 (can link files directly). - Delivers sub-millisecond latency and hundreds of GB/s throughput. - Supports POSIX-compliant file access. Use case: Train ML models on EC2 using training data stored in S3, with FSx for Lustre providing fast, temporary local access.

Answer 26

**AWS Regional Services (resources exist in a specific region):** - EC2 - S3 - RDS - Lambda - VPC - DynamoDB - EKS / ECS - CloudWatch - SQS / SNS - API Gateway - ELB (ALB/NLB) Route Tables, Security Groups ***AWS Global Services (not tied to a specific region):** - IAM - Route 53 - CloudFront - AWS WAF (global when used with CloudFront) - AWS Global Accelerator - AWS Organizations - AWS Control Tower - AWS Artifact - AWS Shield (Standard & Advanced)

Answer 27

Amazon EventBridge is a serverless event bus that lets you connect application components using events. It routes events from AWS services, custom applications, or SaaS platforms to targets like Lambda, Step Functions, SNS, etc. Amazon EventBridge Practical Example (with Macie): Use Amazon Macie to detect sensitive data (like PII) in S3. When Macie finds such data, it emits a SensitiveData event to Amazon EventBridge. You configure a rule to match this event type and forward it to an Amazon SNS topic, which sends an alert (e.g., email) to your security team. This automates detection and alerting for sensitive data exposure.

Answer 28

ApproximateAgeOfOldestMessage is an Amazon SQS metric that shows how long the oldest unprocessed message has been in the queue. Practical Example: If your backend EC2 app processes time-sensitive SQS messages, and the ApproximateAgeOfOldestMessage grows too high, it means processing is delayed. To fix this, create an AMI of your EC2 instance, launch an Auto Scaling Group, and use a target tracking policy based on this metric. This scales out EC2 instances automatically to keep message age low and ensure timely processing.

Answer 29

A Site-to-Site VPN connects two networks (e.g., on-premises and AWS VPC) over the public internet using an IPsec VPN tunnel, allowing secure communication between them. Practical Example: A company with an on-premises data center sets up a Site-to-Site VPN to its AWS VPC so internal applications hosted in AWS can access on-prem databases securely, as if they were on the same network.

Answer 30

A Transit VPC (self-managed - not by AWS) is a hub-and-spoke network architecture in AWS where a central VPC (the hub) connects multiple other VPCs (spokes) and remote networks using VPNs or AWS Direct Connect. Practical Example: An enterprise with multiple VPCs across regions and on-prem data centers uses a Transit VPC to simplify routing and centralize network management. All VPCs connect to the Transit VPC, which acts as the routing hub, reducing the need for complex peering between every VPC.

Answer 31

Transit Gateway (fully managed by AWS) with Equal-Cost Multipath (ECMP) routing enables traffic distribution across multiple VPN or Direct Connect links that have the same destination and cost. Practical Example: You connect your on-premises network to AWS using multiple VPN tunnels for redundancy and higher throughput. Transit Gateway with ECMP spreads traffic evenly across these tunnels, improving performance and fault tolerance.

Answer 32

- Scheduled Scaling – Scale at set times (e.g., add instances at 8 AM weekdays). - Simple Scaling – Add/remove instances based on a single threshold (e.g., CPU > 70%). - Step Scaling – Vary scaling based on how much a metric exceeds a threshold. - Target Tracking – Auto-adjust to keep a metric at a target (e.g., keep CPU at 50%).

Answer 33

AWS Batch is a fully managed service that runs batch computing jobs at any scale using EC2 or Fargate. Practical Example: Process thousands of video files overnight by submitting jobs to AWS Batch, which automatically provisions compute and scales based on job demand.

Answer 34

Fargate has limited processing power and lacks built-in task management and scheduling, requiring external systems and adding complexity. A better solution is to use AWS Batch. AWS Batch handles job scheduling, scales compute for complex workloads, and supports high-performance EC2 instance - ideal for large or timed simulations.

Answer 35

Use a Transit Gateway with ECMP and attach multiple VPN tunnels. This allows throughput to scale beyond the 1.25 Gbps per tunnel limit. Transit Gateway with ECMP (Equal-Cost Multipath) allows traffic to be split across multiple VPN or Direct Connect tunnels that have equal routing cost. Use Case: To increase VPN throughput, create multiple VPN tunnels to a Transit Gateway with ECMP, enabling bandwidth scaling beyond the 1.25 Gbps per tunnel limit.

Answer 36

In AWS WAF, create a web ACL rule that allows approved IP addresses using an IP Set. Add another WAF rule with a geo match condition to block requests from the specific country. Note: Do not use CloudFront geo restriction, as it blocks requests before WAF can evaluate them.

Answer 37

No, NAT Gateways are fully managed resources. You cannot access nor modify the underlying instance that hosts it.

Answer 38

A burstable instance type in AWS (e.g., T4g, T3, T3a) is a cost-effective EC2 instance that provides baseline CPU performance with the ability to burst to higher performance for short periods using CPU credits. Ideal for workloads with occasional spikes (e.g. dev/test, small web servers).

Answer 39

Gateway VPC Endpoint: Use to let private subnets access S3/DynamoDB without NAT or internet; cheap and scalable for data-heavy access. Free. Interface VPC Endpoint: Use to access most AWS services privately (e.g., Secrets Manager, SSM); needed when no gateway option exists. Costs money, billed for hourly usage and data processing. VPC Endpoint Service: Use to expose your own service privately to other VPCs/accounts via PrivateLink; ideal for SaaS or internal APIs. *** More Details ***: 1. Gateway VPC Endpoint What: Route-based access to AWS services via the VPC route table. Services supported: Only S3 and DynamoDB Why use: - Cheapest (no data processing fees) - Scales automatically - Lets private subnets access S3/DynamoDB without NAT Gateway ✅ Use when: You need scalable, cheap access to S3/DynamoDB from private subnets. 🧠 Example: An app in a private subnet uploads files to S3 with no internet access. 2. Interface VPC Endpoint (powered by PrivateLink) What: An ENI (elastic network interface) in your VPC with a private IP that connects to AWS services. Services supported: Most AWS services (SSM, CloudWatch, Secrets Manager, etc.) Why use: - Secure, private connectivity to services over the AWS network - Works for services not supported by Gateway endpoints - Allows fine-grained security via Security Groups ✅ Use when: You need private access to non-S3/DynamoDB AWS services 🧠 Example: EC2 in private subnet talks to Secrets Manager over an interface endpoint. 3. VPC Endpoint Service (PrivateLink – Provider side) What: Lets you expose your own service (hosted in a VPC) to other VPCs/accounts via PrivateLink. Why use: - You control access to your service - Consumers connect via Interface VPC endpoints (no public IPs) ✅ Use when: You're a SaaS provider or internal platform team exposing services privately. 🧠 Example: Your org runs a shared internal API behind a load balancer, and dev teams in other VPCs access it privately.

Answer 40

AWS EMR (Elastic MapReduce) is a managed service for running big data frameworks like Spark and Hadoop. Use case: Use EMR to run Spark jobs that process TBs of clickstream data and store output in S3.

Answer 41

- HTTP and HTTPs health checks: Application Load Balancer - TCP health checks: Network Load Balancer and Classic Load Balancers - FTP health checks: Not supported - ICMP health checks: Not supported

Answer 42

Consumers of Kinesis Data Streams include: - AWS Lambda – for real-time processing (e.g. filtering, transformation) - Kinesis Data Firehose – for delivering data to S3, Redshift, or Elasticsearch - Kinesis Data Analytics – for running SQL queries on streaming data - EC2 or ECS apps – custom consumers using the Kinesis SDK - Amazon MSK / Kafka apps – via Kinesis-Kafka connectors (if integrated) You can store Kinesis Data Streams results in: - Amazon S3 – for durable, scalable storage - Amazon Redshift – for analytics and BI - Amazon OpenSearch Service – for search and visualization - Amazon DynamoDB – for fast lookups - Custom databases or systems – via Lambda or EC2 apps (e.g., PostgreSQL, MongoDB)

Answer 43

A NAT Gateway is set up in a public subnet. It allows private subnet instances to access the internet via a route pointing to it, while still blocking inbound traffic. A NAT Instance must also be placed in a public subnet, with a public IP and a route to the internet gateway. It serves the same purpose but requires manual management. More detail: **Nat Gateway**: - A NAT Gateway is a managed AWS service that allows instances in private subnets to access the internet (for software updates, API calls, etc.) without exposing them to inbound traffic. - It's scalable, fault-tolerant, and used in production environments where reliability and minimal maintenance are needed. **NAT Instance**: - A NAT Instance is a self-managed EC2 instance configured to do the same — enable outbound internet access for private subnets — but you must handle its setup, scaling, patching, and availability yourself. - It's used when you need custom routing, monitoring, or lower costs at the expense of more operational effort.

Answer 44

- Maintains application availability by automatically adding/removing EC2 instances. - Fleet management: Ensures health and availability of EC2 fleet. - Dynamic scaling: Reacts to real-time demand changes. - Predictive scaling: Anticipates demand and pre-scales accordingly. - Dynamic + Predictive scaling: Can be used together for faster scaling.

Answer 45

- Uses step adjustments: Multiple scaling actions based on alarm breach size (specifically step scaling policies in CloudWatch alarms that trigger Auto Scaling actions) - Can define warm-up time: Time for a new instance to become effective (in seconds).

Answer 46

- Aggregate data from multiple data sources in a single API call. - Improve performance and user experience by avoiding multiple API requests. - Use Pipeline functions to streamline data retrieval and transformation. - Ideal for joining data from multiple database tables.

Answer 47

- Managed service for building scalable GraphQL APIs. -Supports integration with DynamoDB, Lambda, and HTTP APIs. -Developers can write resolvers in JavaScript using the APPSYNC_JS runtime.

Answer 48

- Edge-optimized API Gateway + Lambda ❌ Improves connection time via CloudFront for geographically distributed users, 🚫 Doesn't solve data access/multiplexing across multiple DynamoDB tables. - DynamoDB connector for Athena Federated Query ❌ Read-only access – supports querying but 🚫 No write capability, violating the requirement to write data. - CloudFront Functions ❌ Designed for lightweight edge logic (e.g., URL rewrites, headers). 🚫 Cannot access or aggregate data from DynamoDB.

Answer 49

The diagram shows a practical example of an AWS AppSync pipeline resolver being used to fetch data from multiple DynamoDB tables in a single GraphQL query — specifically to get a user's friends and then get each friend’s posts. What’s Happening (Step-by-Step): Client sends a query to AppSync (e.g., getFriendsPosts(userId: "123")). AppSync Pipeline Resolver starts: A "Before Mapping Template" runs some initial logic using VTL (Velocity Template Language). Think of this as pre-processing before calling any data sources. Function 1: Get List of Friends A request mapping template queries the Users table to get the list of the user’s friends. The response template formats the result — a list of friend IDs. Function 2: Get Friends' Posts The request resolver iterates over the list of friend IDs, builds a filter expression, and performs a scan on the Posts table to get all posts made by those friends. A response mapping template formats this result too. "After Mapping Template" runs any final transformation on the full data (e.g., sorting, renaming fields) before sending it back to the client. Client gets the response — likely a structured JSON with all the posts made by the user's friends. ✅ Why This is Useful No need for multiple API calls from the frontend — it's all handled server-side. Efficient: AppSync handles the orchestration. Clean: Each function in the pipeline has a clear, modular responsibility. Secure and scalable: Only authorized queries are processed, and it can handle large volumes. Let me know if you want a flashcard version of this too.

Answer 50

❌ Not due to AMI, instance type, or subnet ✅ Likely due to incorrect health check configuration in the Target Group Health checks must match a running path/endpoint on the instance (e.g., /health returning 200)

Answer 51

- ALB nodes periodically send health check requests to targets - Checks use the path/port defined in the Target Group - Instance must return healthy response (e.g., 200) to be considered "InService" - ALB only routes traffic to healthy targets in enabled AZs - Health check connection is closed after each check

Answer 52

❌ Wrong AMI ❌ Incorrect instance type ❌ Wrong subnet ✅ These don’t directly affect health check results if the app is up and responding correctly

Answer 53

ReceiveMessageWaitTimeSeconds. If set to greater than 0, long polling is enabled. - Default is 0, which means short polling is used.

Answer 54

It can return empty responses more often, leading to wasted CPU cycles and increased costs. - Long polling reduces empty responses by waiting until a message is available before returning a response. - Long polling eliminates false empty responses by querying all servers instead of a subset. - Use long polling reducing costs and avoiding - unnecessary polling during low traffic periods is a priority.

Answer 55

Use AWS AppSync to develop the GraphQL API and configure a custom domain using AppSync’s built-in feature. - AppSync is a serverless GraphQL and Pub/Sub API service. - Supports integration with DynamoDB, Lambda, and HTTP APIs. - You can assign a custom domain and SSL certificate (via ACM) for HTTPS access. - Automatically provisions two endpoints: one for GraphQL (https://.../graphql) and one for real-time updates (wss://.../graphql). - Alternatives like Elastic Beanstalk, VMware Cloud on AWS, and EKS on Fargate/Outposts are not suitable because they are not fully serverless or do not support GraphQL use cases directly (note that Fargate is serverless but Outposts is not)

Answer 56

-Capture events using Amazon EventBridge and set an Amazon SNS topic as the target for notifications. -Create an AWS Lambda function that refreshes AWS Trusted Advisor Service Limits checks and runs every 24 hours. -The Lambda function retrieves up-to-date quota usage via Trusted Advisor APIs. -Trusted Advisor Service Limits checks can publish metrics to CloudWatch, enabling alerts via SNS. -This solution can be deployed via AWS’s Quota Monitor CloudFormation template.

Answer 57

-Creating an SNS topic alone is incomplete without a source like EventBridge or Lambda to trigger notifications. -Calling DescribeTrustedAdvisorChecks only lists available checks, not specific service limit data. -Trusted Advisor APIs require Business or Enterprise Support plans — Developer plan is insufficient. -AWS Config managed rules are for compliance, not real-time quota monitoring, and add cost/complexity.

Answer 58

Add a lifecycle hook to the Auto Scaling group for the Terminating state to move instances to Terminating:Wait. Use a CloudWatch Events rule (now called EventBridge) for the EC2 Instance-terminate Lifecycle Action event. Trigger a Lambda function that uses the CloudWatch agent to push logs to CloudWatch Logs. After logs are uploaded, resume instance termination.

Answer 59

Pending:Wait is used during scale-out (launch) events, not for terminating instances. You must use Terminating:Wait for scale-in log collection before instance termination.

Answer 60

The Pending:Wait state is used during instance launch (scale-out), not during termination (scale-in). For delaying termination to collect logs, use the Terminating:Wait state instead. Using Pending:Wait would result in no delay during termination and lost logs.

Answer 61

AWS Step Functions is not designed to collect or forward logs from EC2 instances. The preferred and simpler method is using the CloudWatch agent, which natively pushes logs to CloudWatch Logs. Step Functions would add unnecessary complexity without providing log collection capabilities.

Answer 62

This method requires writing and managing a custom script, increasing setup complexity. The scenario calls for the easiest solution, which is better handled with CloudWatch agent. Also, using the EC2 Instance Terminate Successful event is less appropriate than using the EC2 Instance-terminate Lifecycle Action event for timely log collection.

Answer 63

Use Amazon ECS as the container management service. Use Reserved EC2 Instances for mission-critical batch jobs to ensure reliability. Use Spot EC2 Instances for non-essential batch jobs to save costs. This hybrid approach ensures both cost-efficiency and availability for different workload priorities. Scheduled Reserved Instances can be used for predictable, recurring mission-critical workloads.

Answer 64

On-Demand Instances cost more than Reserved or Spot Instances. It’s more cost-effective to use Reserved for mission-critical and Spot for non-essential jobs.

Answer 65

A: The visibility timeout is a period during which Amazon SQS prevents other consumers from receiving and processing a message that has already been retrieved by one consumer. Prevents duplicate processing by other consumers. The message remains in the queue but is hidden from other consumers. Default visibility timeout is 30 seconds. Maximum visibility timeout is 12 hours. The consumer must explicitly delete the message after processing to remove it from the queue.

Answer 66

A: Because SQS is a distributed system and there’s no guarantee the consumer has successfully received or processed the message. Connectivity issues or application errors can prevent successful processing. Ensures reliability by requiring the consumer to explicitly delete the message after processing.

Answer 67

A: SQS automatically deletes messages that remain in the queue for longer than the retention period (default: 4 days, max: 14 days). If a message is received by a consumer, it is not automatically deleted — the consumer must explicitly delete it after processing. SQS uses a visibility timeout (default: 30 seconds) to hide received messages temporarily from other consumers. If the consumer fails to delete the message before visibility timeout expires, the message becomes visible again.

Answer 68

A: Create an A record (Alias) pointing to the DNS name of the load balancer. Use an alias record because ALB IP addresses can change due to scaling or updates. Alias records in Route 53 allow pointing directly to AWS resources, such as ELB DNS names. Zone apex refers to the root domain (e.g., example.com), not a subdomain like www.example.com.

Answer 69

A record to an IP address is incorrect because ALB IPs are not static. CNAME records are not allowed at the zone apex (e.g., example.com). Alias records are the correct way to route traffic from a zone apex to an ALB DNS name.

Answer 70

Think of your domain like a house address: The zone apex is the main address: example.com Subdomains are like rooms in the house: www.example.com, shop.example.com You can't put a CNAME (nickname) on the main house — only on the rooms. But with Route 53, you can use an Alias as a special kind of nickname that works at the main address. The zone apex is the root or top node of a DNS zone — typically the domain name without any subdomain. Example: For the domain example.com, the zone apex is example.com (not www.example.com or api.example.com). DNS restrictions prohibit using CNAME records at the zone apex. Route 53 Alias records allow routing from the zone apex to AWS resources (like ALBs), bypassing the CNAME restriction.

Answer 71

It’s like giving directions to a friend using a landmark (DNS name) instead of a fixed address (IP), because the address might change. An A record alias points your domain (like example.com) to the DNS name of the load balancer (like my-alb-123456.elb.amazonaws.com). Unlike regular A records, it doesn’t use a fixed IP (since ALB IPs change). Route 53 Alias records handle this automatically and are allowed at the zone apex. *** Analogy** Imagine your website is like a storefront. You want people to find your main entrance (tutorialsdojo.com). Behind the scenes, your web servers sit behind a reception desk (the Load Balancer). The receptionist (ALB) has a name (DNS name), but their desk location (IP) changes often. Here’s the problem: You can’t put a CNAME (nickname) on your front sign (tutorialsdojo.com) — DNS rules don’t allow it. You also can’t write the receptionist’s IP directly, because it moves. The solution: Route 53 gives you an Alias A record — like a smart sign that always points to the receptionist by name, and automatically tracks their location. Summary: Use an Alias A record at your zone apex (tutorialsdojo.com) to point to the Load Balancer’s DNS name, because: IPs change, CNAMEs aren't allowed at the root, and Alias records handle all that for you.

Answer 72

A: Weighted routing policy Lets you assign weights to each record to control traffic distribution (e.g., 1 and 255 = 1/256 vs. 255/256). Useful for load balancing or gradual rollout of changes (e.g., blue/green deployments). Setting a weight to 0 means no traffic is sent to that resource. You can adjust traffic over time by changing the weights.

Answer 73

Latency: Routes based on lowest network latency to the user, not on traffic percentages. Failover: Used for active-passive setups, not for splitting traffic. Geolocation: Routes traffic based on user location, not for controlling traffic share between resources.

Answer 74

A: Enable Enhanced Networking with Elastic Network Adapter (ENA) Provides higher bandwidth, higher PPS, and lower inter-instance latency. Uses SR-IOV for efficient virtualization and reduced CPU overhead. Supported on t3a.medium and Windows. No additional cost to enable.

Answer 75

A. Elastic Fabric Adapter's (EFA) OS-bypass capabilities are not supported on Windows. On Windows, EFA behaves like a regular ENA — no added performance. t3a.medium instances are not supported with EFA. A. Virtual Function VF interface is not supported on t3a.medium instances. It does not provide full ENA-level enhanced networking for these instances. A: AWS ParallelCluster is a cluster management tool, not a networking enhancement. It simplifies deployment but does not improve performance like ENA or EFA.

Answer 76

**Elastic Network Adapter (ENA): High-performance network interface supporting enhanced networking (up to 100 Gbps). Use case: Ideal for general-purpose and HPC workloads on supported EC2 instances needing high bandwidth and low latency (e.g. windows machines etc). ** Elastic Fabric Adapter (EFA) Advanced network interface with OS-bypass for ultra-low latency and high throughput. Use case: Best for Linux-based HPC or ML apps requiring tightly-coupled, low-latency communication (e.g., CFD, MPI apps). ** Intel 82599 Virtual Function (VF) Interface: Legacy enhanced networking option using SR-IOV, supports select instance types. Use case: Used with older instances for better network performance when ENA isn’t supported. ***AWS ParallelCluster: Open-source tool to easily deploy and manage HPC clusters on AWS. Use case: Automates setup of compute, storage, and job schedulers for research and simulation workloads (e.g., genomics, FEA).

Answer 77

Data at rest inside the volume. Data in transit between the volume and the EC2 instance. All snapshots created from the volume. All volumes created from those snapshots. Encryption occurs on the EC2 host for security at rest and in transit.

Answer 78

Encrypting an EBS volume protects both data at rest and in transit. Snapshots and volumes created from encrypted volumes are also encrypted automatically.

Answer 79

A: AWS CloudTrail Records API calls and actions made via the AWS SDK, CLI, or Management Console. Logs include user/account info, source IP, and timestamp of calls. Ensures auditability and supports compliance requirements. Stores logs durably in Amazon S3. **Not suitable** Amazon CloudWatch: Used for monitoring metrics, not tracking API activity. AWS X-Ray: Designed for tracing requests in microservices, not logging AWS API calls. Amazon API Gateway: Manages custom APIs, not internal AWS service calls from the SDK.

Answer 80

Amazon Aurora is fully managed and compatible with MySQL and PostgreSQL. It supports ACID-compliant transactions and complex queries. It offers high throughput: up to 5x faster than MySQL and 3x faster than PostgreSQL. Aurora's distributed storage scales automatically up to 64 TiB. Aurora automates clustering and replication, reducing admin complexity.

Answer 81

Redshift: Amazon Redshift is optimized for OLAP workloads, not OLTP. It does not support complex, high-frequency transactional processing. It does not scale automatically to support exponential database growth. DynamoDB: DynamoDB is ACID-compliant but not ideal for complex queries. It is better suited for simple key-value or document-based access patterns. It is not optimized for relational OLTP workloads. Amazon RDS: While RDS supports ACID-compliant relational databases, it lacks Aurora’s auto-scaling storage. Aurora's distributed and high-performance storage engine makes it better suited for large, growing databases. Aurora provides higher throughput and automates clustering and replication more efficiently than RDS.

Answer 82

Use AWS Schema Conversion Tool (SCT) to convert the source schema and application code to match the target PostgreSQL database. Then use AWS Database Migration Service (DMS) to migrate data from the on-premises Oracle database to the PostgreSQL database in AWS. DMS handles data migration securely with minimal downtime and supports both homogeneous and heterogeneous migrations. Heterogeneous migrations require a two-step process: schema/code transformation (SCT) followed by data migration (DMS).

Answer 83

(1) Launch Template + DMS: Launch Templates are for EC2 instance configuration, not database schema conversion. They cannot be used to transform schemas for heterogeneous database migrations. (2) Amazon Neptune + AWS Batch: Amazon Neptune is a graph database, not designed for relational schema conversion. AWS Batch is not a migration tool; it’s used for running batch computing jobs. (3) Manual transformation + RDS migration: AWS does support heterogeneous migrations using the AWS Schema Conversion Tool (SCT) and AWS Database Migration Service (DMS). Manual transformation is unnecessary when using these purpose-built services.

Answer 84

Adjust the cooldown period of the Auto Scaling group to prevent rapid scaling actions. Set the CloudWatch alarm threshold higher to reduce sensitivity to minor metric fluctuations. This approach helps smooth out scaling behavior and reduces unnecessary instance launches and terminations. Preserves elasticity by allowing scaling, but in a more controlled and cost-effective way.

Answer 85

(1) Upgrading the instance type: Increases per-instance cost, contradicting the goal of cost optimization. Does not address rapid scaling behavior. (2) Increasing the base number of instances: Keeps more instances running at all times, raising costs during low demand. Reduces elasticity instead of preserving it. (3) Adding provisioned IOPS: Targets storage performance, not scaling behavior. Adds additional cost and does not solve rapid scaling issues.

Answer 86

Q: What is the most cost-effective solution for processing 1 MB of daily health data from a wearable device using 512 MB of memory within 10 seconds? A: Use AWS Lambda with a Python library for processing. Lambda charges based on the number of requests and compute time (GB-seconds). Suitable for lightweight, fast-running tasks like summarizing 1 MB of data. Lambda integrates seamlessly with S3 where the data is stored. Serverless model ensures automatic scaling and no infrastructure management.

Answer 87

(1) AWS Glue PySpark job: Overkill for small-scale processing. Minimum billing duration of 1 minute makes it inefficient for <10 second jobs. (2) Amazon Data Firehose + EC2: Firehose is built for continuous data streaming, not suitable for 1 MB/day. EC2 requires instance management and incurs ongoing costs. (3) Amazon Redshift + Lambda: Redshift is a powerful data warehouse, but unnecessary and costly for such small data volumes. Storing 1 MB/day in Redshift adds expense without performance benefit over S3 + Lambda.

Answer 88

Amazon FSx for Windows File Server is the correct choice. Provides fully managed Windows file servers with native support for SMB protocol, NTFS, Active Directory, and DFS. Ideal for "lift-and-shift" of business-critical Windows workloads. Optimized for Windows-based applications needing scalable and high-performance storage.

Answer 89

(1) Amazon S3 Glacier Deep Archive: Designed for long-term archival, not active file system access. No support for SMB, NTFS, or Windows-specific features. (2) AWS DataSync: Used for data transfer, not persistent storage. Does not offer SMB or NTFS file system compatibility. (3) Amazon FSx for Lustre: Designed for Linux-based HPC workloads, not Windows applications. Lacks support for Windows-specific features like NTFS and Active Directory.

Answer 90

Use tags on EC2 instances to label them as "UAT" or "Production." Create IAM policies with conditions based on resource tags to allow or deny access. This ensures fine-grained control over which users can interact with specific resources. IAM policies must explicitly grant permissions based on the aws:ResourceTag condition key.

Answer 91

(1) Separate VPCs with VPC peering: VPC peering is a network-level configuration, not an access control mechanism. Does not restrict IAM user access to EC2 instances. (2) AWS Resource Access Manager (RAM): RAM is used for sharing resources across AWS accounts or organizations. It does not manage user permissions within a single account. Still requires custom IAM policies to restrict access. (3) Separate Availability Zones with MFA: Availability Zones improve fault tolerance, not access restrictions. MFA enhances login security but doesn’t restrict resource-level access. IAM policies with tag conditions are still needed for access control.

Answer 92

Install the Kubernetes Metrics Server and activate Horizontal Pod Autoscaling to scale pods based on CPU utilization. Use Karpenter to dynamically provision and scale Amazon EC2 nodes to match workload demands. These tools together allow automated horizontal scaling of both the pods and underlying infrastructure. Karpenter integrates natively with AWS and is more responsive and easier to manage than older tools like Cluster Autoscaler.

Answer 93

(1) Vertical Pod Autoscaler: Supports vertical scaling (changing CPU/memory), not horizontal scaling (adding/removing pods). The scenario requires scaling in and out, which is handled by horizontal solutions. (2) CloudWatch Alarms: Can trigger scaling actions but lacks the dynamic responsiveness of native Kubernetes autoscaling. May result in delayed scaling and poor performance during sudden traffic spikes. (3) Cluster Autoscaler: Manages EKS node scaling but is generally slower to react and requires more manual tuning. Karpenter offers more automated, flexible, and efficient scaling with lower operational overhead.

Answer 94

Use AWS DataSync to move existing health records from on-premises storage to AWS quickly and efficiently. Store the records in a new Amazon S3 bucket designed to scale with growing data volumes. Enable Amazon S3 Object Lock to enforce WORM (Write Once Read Many) protection, ensuring records cannot be modified or deleted. Enable AWS CloudTrail with Data Events to capture all object-level access and operations for full auditing and compliance.

Answer 95

(1) AWS Storage Gateway + CloudTrail Management Events: Storage Gateway is for integration or replication, not for immediate bulk data migration. Management Events only log control-plane actions, not object-level access in S3. (2) Storage Gateway + EC2/EBS + S3 Server Access Logging: Storing sensitive records in EC2/EBS lacks the scalability and compliance features of S3. Server Access Logging provides limited auditing; CloudTrail offers more granular control. Again, Storage Gateway is inappropriate for migrating large, obsolete datasets. (3) DataSync + CloudTrail Management Events: While DataSync is the correct tool for migration, Management Events won’t log access to individual S3 objects. Management Events only log control-plane actions, not object-level access in S3. To meet auditing requirements, you must enable CloudTrail Data Events for detailed tracking.

Answer 96

Block the identified IP addresses using a Network Access Control List (ACL). NACLs act as stateless firewalls at the subnet level and evaluate rules in order. You can quickly deny inbound traffic from specific IPs without reconfiguring the instances. This provides an immediate and temporary mitigation while longer-term solutions (WAF, GuardDuty, Shield Advanced) are implemented.

Answer 97

(1) Placing instances in private subnets: Disconnects EC2 instances from the Internet, making them inaccessible even to admins. Requires subnet and route table changes, which is not quick. (2) Removing the Internet Gateway: Immediately blocks all Internet access, including legitimate administrative access. Not a selective or temporary solution. (3) Assigning static Anycast IPs: Anycast IPs are used with AWS Global Accelerator, not for securing EC2 SSH access. Does not prevent brute force attacks or control IP-level access.

Answer 98

Use Amazon EKS to deploy the Kubernetes-based application. Create node groups in AWS Wavelength Zones to run workloads at the 5G network edge, minimizing latency. Use the aws-auth ConfigMap to enable RBAC access to IAM users and roles. AWS Wavelength embeds AWS infrastructure inside telecom providers’ data centers to avoid internet hops and deliver ultralow latency. Amazon EKS uses IAM for authentication and Kubernetes RBAC for authorization via the AWS IAM Authenticator.

Answer 99

AmazonEKSConnectorAgentRole is only for connecting external clusters and does not manage IAM or RBAC. AWS Control Tower is used for multi-account setup and does not provide RBAC access to EKS. VPC endpoints are not supported in AWS Wavelength Zones. You should use the aws-auth ConfigMap, not install aws-iam-authenticator manually, for enabling RBAC in EKS. Fargate profiles must use a different IAM role than EC2 node groups to follow proper EKS security configuration.

Answer 100

Add an outbound rule to the Network ACL to allow SSH (TCP port 22) since NACLs are stateless and require both inbound and outbound rules. Inbound SSH is already allowed by the NACL and Security Group, so no change needed there. Security Groups are stateful, so no outbound rule is required in the SG for the response traffic. Without the outbound NACL rule, SSH response traffic is blocked, preventing connection. Both inbound and outbound rules are required in NACLs for bidirectional traffic like SSH.

Answer 101

Amazon DynamoDB is the ideal choice. It is fully managed, meaning AWS handles all infrastructure management. Supports both document and key-value store models. Delivers single-digit millisecond latency at any scale. Ideal for startups with limited operational resources.

Answer 102

Amazon Neptune is a graph database, not suited for general-purpose NoSQL needs. Amazon Aurora is a relational database, not NoSQL. Amazon SimpleDB is NoSQL but has limits on storage and request capacity per table. Only DynamoDB offers unlimited table storage with full AWS-managed infrastructure.

Answer 103

Create an S3 Gateway VPC Endpoint and remove the NAT instance. Gateway endpoints support S3 and DynamoDB, and incur no hourly or data processing charges. Allows private access to S3 without using public IPs, NAT gateways, or NAT instances. Keeps traffic within the AWS network, improving security and reducing cost. Ideal for workloads needing scalable, low-cost, high-throughput access to S3.

Answer 104

NAT Gateway still incurs hourly and data processing charges, making it more costly than a Gateway endpoint. Using a smaller NAT instance may reduce cost slightly, but it’s still not as cost-effective as using a Gateway endpoint. S3 Interface Endpoint incurs charges per hour and per GB processed, while S3 Gateway Endpoints are free to use. Gateway endpoints are optimized for S3/DynamoDB, whereas interface endpoints are used for most other AWS services.

Answer 105

No action is needed; Amazon S3 now automatically supports high request rates. Each S3 prefix supports at least 3,500 PUT and 5,500 GET requests per second. Performance scales per prefix, and there's no limit to the number of prefixes. No need to randomize object key prefixes for performance reasons. This improvement applies automatically in all AWS Regions. N.B.The prefix could be images/2025/july/ The object key is the full string images/2025/july/photo.jpg

Answer 106

Random prefixes are no longer needed—S3 now automatically supports high request rates. Predictable/sequential prefixes can lead to partition hotspots and degrade performance. Byte-range fetches allow partial object downloads but cannot retrieve multiple ranges in one request. S3 now handles performance scaling without requiring manual key design or optimization. These methods are outdated or misapplied in the context of modern S3 performance architecture. N.B. The prefix could be images/2025/july/ The object key is the full string images/2025/july/photo.jpg

Answer 107

Improve efficiency when you only need part of a large file. Enable parallel downloads by fetching different byte ranges concurrently. Speed up retries by re-downloading only the failed part of the object.

Answer 108

Zeroization occurs after more than two failed admin login attempts, wiping all keys and data. Amazon cannot recover your keys—they do not have access to your HSM or credentials. All keys, certificates, and data on the HSM are permanently lost. No recovery is possible without a prior backup or second HSM with replicated keys. Always store backups and use multiple HSMs in separate AZs in production clusters.

Answer 109

Use at least two HSMs in separate Availability Zones to prevent single-point failure. Avoid repeated failed admin logins—more than 2 failures will zeroize the HSM. Secure your admin credentials and limit access using security group rules. Amazon does not manage or store your keys, so all key management is your responsibility. Daily backups are critical to prevent key loss in case of HSM failure.

Answer 110

Use an AWS Storage Gateway hardware appliance for the on-premises physical server. Configure it as a File Gateway to support NFS and SMB protocols. Store application data in the File Gateway, which stores backups in Amazon S3. The hardware appliance comes preloaded with Storage Gateway software. Enables durable, cloud-backed storage for non-virtualized physical environments.

Answer 111

A VM-based gateway does not meet the requirement for a dedicated physical appliance. Volume Gateway uses iSCSI, not NFS, so it doesn't satisfy the file system protocol requirement. Only File Gateway supports NFS/SMB protocols for storing/retrieving objects in S3. Volume Gateway is better suited for block storage, not for file-based access needed in this scenario. The hardware appliance is the only option that supports physical deployments with File Gateway.

Answer 112

Use an Application Load Balancer (ALB) with Weighted Target Groups to distribute traffic between on-prem and AWS targets. ALB supports IP-based target groups, so you can include on-premises IPs via Direct Connect. Use Amazon Route 53 with a Weighted Routing Policy to split DNS traffic between AWS and on-prem endpoints. You can adjust traffic weights gradually and shift all traffic to AWS post-migration. Both methods support zero-downtime migrations and progressive traffic shifting.

Answer 113

Network Load Balancer (NLB) does not support Weighted Target Groups, so it cannot balance traffic by percentage. Route 53 Failover Routing Policy is for active-passive failover, not proportional traffic distribution. AWS Global Accelerator supports traffic weights but does not support on-prem endpoints or Direct Connect Gateway as valid targets. Direct Connect Gateway is only for routing to multiple VPCs, not for directly connecting on-premises workloads via Global Accelerator. AnyCast IPs cannot be assigned to on-prem resources—only AWS-provided static IPs are valid for Global Accelerator.

Answer 114

Use Amazon Kinesis for real-time collection, processing, and analysis of streaming data. Supports log stream consolidation from multiple sources (e.g., access, app, security logs). Enables real-time analytics using heuristics as data arrives. Allows retrieval of data from the last 12–24 hours, ideal for validation and backtracking. Suited for workloads involving log monitoring, ML, IoT, clickstream analysis, and more.

Answer 115

Services like Amazon S3, CloudWatch Logs, or Athena are good for batch processing or querying, not real-time streaming. They do not support instant processing or reacting to data as it arrives. Kinesis is purpose-built for real-time data ingestion and stream processing, making it the best fit for this use case. Only Kinesis provides the latency, scale, and retrieval window (up to 24 hours) required for the scenario.

Answer 116

Use AWS CloudTrail to log API activity across AWS services. Configure CloudTrail to use AWS KMS encryption for log files stored in S3. KMS provides enhanced security and access control beyond default S3 encryption. Logs include details about creation, modification, and deletion of resources. CloudTrail logs can be stored indefinitely, with optional lifecycle rules for archiving or deletion.

Answer 117

CloudTrail stores logs in S3, not directly in Glacier, so encrypting Glacier is irrelevant. SSE-S3 encryption is enabled by default, so manually enabling it provides no additional benefit. SSE-S3 uses AES-256, not AES-128—specifying AES-128 is invalid for S3 server-side encryption. Only AWS KMS integration adds additional key management capabilities and fine-grained access controls.

General Flashcards

(142 cards)