Your development team has created a gaming application that uses DynamoDB to store user statistics and provide fast game updates back to users. The team has begun testing the application but needs a consistent data set to perform tests with. The testing process alters the dataset, so the baseline data needs to be retrieved upon each new test. Which AWS service can meet this need by exporting data from DynamoDB and importing data into DynamoDB?
Elastic Map Reduce
- You can use Amazon EMR with a customized version of Hive that includes connectivity to DynamoDB to perform operations on data stored in DynamoDB:
- Loading DynamoDB data into the Hadoop Distributed File System (HDFS) and using it as input into an Amazon EMR cluster
- Querying live DynamoDB data using SQL-like statements (HiveQL)
- Joining data stored in DynamoDB and exporting it or querying against the joined data
- Exporting data stored in DynamoDB to Amazon S3
- Importing data stored in Amazon S3 to DynamoDB
You have configured an Auto Scaling Group of EC2 instances fronted by an Application Load Balancer and backed by an RDS database. You want to begin monitoring the EC2 instances using CloudWatch metrics. Which metric is not readily available out of the box?
Memory utilization
Memory utilization is not available as an out of the box metric in CloudWatch.
You can, however, collect memory metrics when you configure a custom metric for CloudWatch.
Types of custom metrics that you can set up include:
- Memory utilization
- Disk swap utilization
- Disk space utilization
- Page file utilization
- Log collection
You are working as a Solutions Architect in a large healthcare organization. You have many Auto Scaling Groups that utilize launch configurations. Many of these launch configurations are similar yet have subtle differences. You’d like to use multiple versions of these launch configurations. An ideal approach would be to have a default launch configuration and then have additional versions that add additional features. Which option best meets these requirements?
Use launch templates instead
- A launch template is similar to a launch configuration, in that it specifies instance configuration information.
- Included are the ID of the Amazon Machine Image (AMI), the instance type, a key pair, security groups, and the other parameters that you use to launch EC2 instances.
- However, defining a launch template instead of a launch configuration allows you to have multiple versions of a template.
- With versioning, you can create a subset of the full set of parameters and then reuse it to create other templates or template versions.
- For example, you can create a default template that defines common configuration parameters and allow the other parameters to be specified as part of another version of the same template.
Your company is currently building out a second AWS region. Following best practices, they’ve been using CloudFormation to make the migration easier. They’ve run into a problem with the template though. Whenever the template is created in the new region, it’s still referencing the AMI in the old region. What steps can you take to automatically select the correct AMI when the template is deployed?
Create a mapping in the template. Define the unique AMI value per region.
- This is exactly what mappings are built for.
- By using mappings, you easily automate this issue away.
- Make sure to copy your AMI to the region before you try and run the template, though, as AMIs are region specific.
Your company is using a hybrid configuration because there are some legacy applications which are not easily converted and migrated to AWS. And with this configuration comes a typical scenario where the legacy apps must maintain the same private ip address and MAC address. You are attempting to convert the application to the Cloud and have configured an EC2 instance to house the application. What you are currently testing is removing the ENI from the legacy instance and attaching it to the EC2 instance. You want to attempt a warm attach. What does this mean?
Attach the ENI to an instance when it is stopped.
Some best practices for configuring network interfaces:
- attach a network interface to an instance when it’s running (hot attach),
- when it’s stopped (warm attach),
- when the instance is being launched (cold attach).
- You can detach secondary network interfaces when the instance is running or stopped.
- However, you can’t detach the primary network interface.
- You can move a network interface from one instance to another, if the instances are in the same Availability Zone and VPC but in different subnets.
- When launching an instance using the CLI, API, or an SDK, you can specify the primary network interface and additional network interfaces.
- Launching an Amazon Linux or Windows Server instance with multiple network interfaces automatically configures interfaces, private IPv4 addresses, and route tables on the operating system of the instance.
- A warm or hot attach of an additional network interface may require you to manually bring up the second interface, configure the private IPv4 address, and modify the route table accordingly.
- Instances running Amazon Linux or Windows Server automatically recognize the warm or hot attach and configure themselves.
- Attaching another network interface to an instance (for example, a NIC teaming configuration) cannot be used as a method to increase or double the network bandwidth to or from the dual-homed instance.
- If you attach two or more network interfaces from the same subnet to an instance, you may encounter networking issues such as asymmetric routing.
- If possible, use a secondary private IPv4 address on the primary network interface instead.
A company has an Auto Scaling Group of EC2 instances hosting their retail sales application. Any significant downtime for this application can result in large losses of profit. Therefore the architecture also includes an Application Load Balancer and an RDS database in a Multi-AZ deployment. What will happen to preserve high availability if the primary database fails?
The CNAME is switched from the primary db instance to the secondary.
- Amazon RDS Multi-AZ deployments provide enhanced availability and durability for RDS database (DB) instances, making them a natural fit for production database workloads.
- When you provision a Multi-AZ DB Instance, Amazon RDS automatically creates a primary DB Instance and synchronously replicates the data to a standby instance in a different Availability Zone (AZ).
- Each AZ runs on its own physically distinct, independent infrastructure, and is engineered to be highly reliable.
- In case of an infrastructure failure, Amazon RDS performs an automatic failover to the standby (or to a read replica in the case of Amazon Aurora), so that you can resume database operations as soon as the failover is complete.
- Since the endpoint for your DB Instance remains the same after a failover, your application can resume database operation without the need for manual administrative intervention.
- Failover is automatically handled by Amazon RDS so that you can resume database operations as quickly as possible without administrative intervention.
- When failing over, Amazon RDS simply flips the canonical name record (CNAME) for your DB instance to point at the standby, which is in turn promoted to become the new primary.
You work for an online retailer where any downtime at all can cause a significant loss of revenue. You have architected your application to be deployed on an Auto Scaling Group of EC2 instances behind a load balancer. You have configured and deployed these resources using a CloudFormation template. The Auto Scaling Group is configured with default settings, and a simple CPU utilization scaling policy. You have also set up multiple Availability Zones for high availability. The Load Balancer does health checks against an html file generated by script. When you begin performing load testing on your application and notice in CloudWatch that the load balancer is not sending traffic to one of your EC2 instances. What could be the problem?
The EC2 instance has failed the load balancer health check.
- The load balancer will route the incoming requests only to the healthy instances.
- The EC2 instance may have passed status check and be considered health to the Auto Scaling Group, but the ELB may not use it if the ELB health check has not been met.
- The ELB health check has a default of 30 seconds between checks, and a default of 3 checks before making a decision.
- Therefore the instance could be visually available but unused for at least 90 seconds before the GUI would show it as failed.
- In CloudWatch where the issue was noticed it would appear to be a healthy EC2 instance but with no traffic. Which is what was observed.
Your boss has tasked you with decoupling your existing web frontend from the backend. Both applications run on EC2 instances. After you investigate the existing architecture, you find that (on average) the backend resources are processing about 5,000 requests per second and will need something that supports their extreme level of message processing. It’s also important that each request is processed only 1 time. What can you do to decouple these resources?
Use SQS Standard. Include a unique ordering ID in each message, and have the backend application use this to deduplicate messages.
- This would be a great choice, as SQS Standard can handle this level of extreme performance.
- If the application didn’t require this level of performance, then SQS FIFO would be the better and easier choice.
You have just started work at a small startup in the Seattle area. Your first job is to help containerize your company’s microservices and move them to AWS. The team has selected ECS as their orchestration service of choice. You’ve discovered the code currently uses access keys and secret access keys in order to communicate with S3. How can you best handle this authentication for the newly containerized application?
Attach a role with the appropriate permissions to the task definition in ECS.
- It’s always a good idea to use roles over hard-coded credentials.
- One of the best parts of using ECS is the ease of attaching roles to your containers.
- This allows the container to have an individual role even if it’s running with other containers on the same EC2 instance.
A team of architects is designing a new AWS environment for a company which wants to migrate to the Cloud. The architects are considering the use of EC2 instances with instance store volumes. The architects realize that the data on the instance store volumes are ephemeral. Which action will not cause the data to be deleted on an instance store volume?
Reboot
- Some Amazon Elastic Compute Cloud (Amazon EC2) instance types come with a form of directly attached, block-device storage known as the instance store.
- The instance store is ideal for temporary storage, because the data stored in instance store volumes is not persistent through instance stops, terminations, or hardware failures.
A software gaming company has produced an online racing game that uses CloudFront for fast delivery to worldwide users. The game also uses DynamoDB for storing in-game and historical user data. The DynamoDB table has a preconfigured read and write capacity. Users have been reporting slowdown issues, and an analysis has revealed the DynamoDB table has begun throttling during peak traffic times. What step can you take to improve game performance?
Adjust your auto scaling thresholds to scale more aggressively.
- Amazon DynamoDB auto scaling uses the AWS Application Auto Scaling service to dynamically adjust provisioned throughput capacity on your behalf in response to actual traffic patterns.
- This enables a table or a global secondary index to increase its provisioned read and write capacity to handle sudden increases in traffic without throttling.
- When the workload decreases, Application Auto Scaling decreases the throughput so you don’t pay for unused provisioned capacity.
- Note that if you use the AWS Management Console to create a table or a global secondary index, DynamoDB auto scaling is enabled by default.
- You can modify your auto scaling settings at any time.
A professional baseball league has chosen to use a key-value and document database for storage, processing, and data delivery. Many of the data requirements involve high-speed processing of data such as a Doppler radar system which samples the position of the baseball 2000 times per second. Which AWS data storage can meet these requirements?
DynamoDB
- Amazon DynamoDB is a NoSQL database that supports key-value and document data models
- enables developers to build modern, serverless applications that can start small and scale globally to support petabytes of data and tens of millions of read and write requests per second.
- DynamoDB is designed to run high-performance, internet-scale applications that would overburden traditional relational databases.
Your team has provisioned an Auto Scaling Groups in a single Region. The Auto Scaling Group at max capacity would total 40 EC2 instances between them. However, you notice that the Auto Scaling Groups will only scale out to a portion of that number of instances at any one time. What could be the problem?
There is a vCPU-based on-demand instance limit per region
- Your AWS account has default quotas, formerly referred to as limits, for each AWS service.
- Unless otherwise noted, each quota is Region-specific.
- You can request increases for some quotas, and other quotas cannot be increased.
- Remember that each EC2 instance can have a variance of the number of vCPUs, depending on its type and your configuration, so it’s always wise to calculate your vCPU needs to make sure you are not going to hit quotas easily.
- Service Quotas is an AWS service that helps you manage your quotas for over 100 AWS services from one location.
- Along with looking up the quota values, you can also request a quota increase from the Service Quotas console.
You work for an advertising company that has a real-time bidding application. You are also using CloudFront on the front end to accommodate a worldwide user base. Your users begin complaining about response times and pauses in real-time bidding. What is the best service that can be used to reduce DynamoDB response times by an order of magnitude (milliseconds to microseconds)?
DAX
- Amazon DynamoDB Accelerator (DAX) is a fully managed, highly available, in-memory cache that can reduce Amazon DynamoDB response times from milliseconds to microseconds, even at millions of requests per second.
- While DynamoDB offers consistent single-digit millisecond latency, DynamoDB with DAX takes performance to the next level with response times in microseconds for millions of requests per second for read-heavy workloads.
- With DAX, your applications remain fast and responsive, even when a popular event or news story drives unprecedented request volumes your way.
- No tuning required.
Your company uses IoT devices installed in businesses to provide those business real-time data for analysis. You have decided to use AWS Kinesis Data Firehose to stream the data to multiple backend storing services for analytics. Which service listed is not a viable solution to stream the real time data to?
Athena
- Amazon Athena is correct because Amazon Kinesis Data Firehose cannot load streaming data to Athena.
- Amazon Kinesis Data Firehose is the easiest way to load streaming data into data stores and analytics tools.
- It can capture, transform, and load streaming data into Amazon S3, Amazon Redshift, Amazon Elasticsearch Service, and Splunk, enabling near real-time analytics with existing business intelligence tools and dashboards you’re already using today.
- It is a fully managed service that automatically scales to match the throughput of your data and requires no ongoing administration.
- It can also batch, compress, and encrypt the data before loading it, minimizing the amount of storage used at the destination and increasing security.
You work for an oil and gas company as a lead in data analytics. The company is using IoT devices to better understand their assets in the field (for example, pumps, generators, valve assemblies, and so on). Your task is to monitor the IoT devices in real-time to provide valuable insight that can help you maintain the reliability, availability, and performance of your IoT devices. What tool can you use to process streaming data in real time with standard SQL without having to learn new programming languages or processing frameworks?
Kinesis Data Analytics
- Monitoring IoT devices in real-time can provide valuable insight that can help you maintain the reliability, availability, and performance of your IoT devices.
- You can track time series data on device connectivity and activity.
- This insight can help you react quickly to changing conditions and emerging situations.
- Amazon Web Services (AWS) offers a comprehensive set of powerful, flexible, and simple-to-use services that enable you to extract insights and actionable information in real time.
- Amazon Kinesis is a platform for streaming data on AWS, offering key capabilities to cost-effectively process streaming data at any scale.
- Kinesis capabilities include Amazon Kinesis Data Analytics, the easiest way to process streaming data in real time with standard SQL without having to learn new programming languages or processing frameworks.
An Application Load Balancer is fronting an Auto Scaling Group of EC2 instances, and the instances are backed by an RDS database. The Auto Scaling Group has been configured to use the Default Termination Policy. You are testing the Auto Scaling Group and have triggered a scale-in. Which instance will be terminated first?
The instance launched from the oldest launch configuration
What do we know?
- The ASG is using the Default Termination Policy.
- The default termination policy is designed to help ensure that your instances span Availability Zones evenly for high availability.
- The default policy is kept generic and flexible to cover a range of scenarios.
- The default termination policy behavior is as follows:
- Determine which Availability Zones have the most instances, and at least one instance that is not protected from scale in.
- Determine which instances to terminate so as to align the remaining instances to the allocation strategy for the on-demand or spot instance that is terminating.
- This only applies to an Auto Scaling Group that specifies allocation strategies.
- For example, after your instances launch, you change the priority order of your preferred instance types. When a scale-in event occurs, Amazon EC2 Auto Scaling tries to gradually shift the on-demand instances away from instance types that are lower priority. Determine whether any of the instances use the oldest launch template or configuration: [For Auto Scaling Groups that use a launch template] Determine whether any of the instances use the oldest launch template unless there are instances that use a launch configuration. Amazon EC2 Auto Scaling terminates instances that use a launch configuration before instances that use a launch template. [For Auto Scaling Groups that use a launch configuration] Determine whether any of the instances use the oldest launch configuration. After applying all of the above criteria, if there are multiple unprotected instances to terminate, determine which instances are closest to the next billing hour. If there are multiple unprotected instances closest to the next billing hour, terminate one of these instances at random.
You have configured an Auto Scaling Group of EC2 instances. You have begun testing the scaling of the Auto Scaling Group using a stress tool to force the CPU utilization metric being used to force scale out actions. The stress tool is also being manipulated by removing stress to force a scale in. But you notice that these actions are only taking place in five-minute intervals. What is happening?
The Auto Scaling Group is following the default cooldown procedure.
- The cooldown period helps you prevent your Auto Scaling group from launching or terminating additional instances before the effects of previous activities are visible.
- You can configure the length of time based on your instance startup time or other application needs.
- When you use simple scaling, after the Auto Scaling group scales using a simple scaling policy, it waits for a cooldown period to complete before any further scaling activities due to simple scaling policies can start.
- An adequate cooldown period helps to prevent the initiation of an additional scaling activity based on stale metrics.
- By default, all simple scaling policies use the default cooldown period associated with your Auto Scaling Group, but you can configure a different cooldown period for certain policies, as described in the following sections.
- Note that Amazon EC2 Auto Scaling honors cooldown periods when using simple scaling policies, but not when using other scaling policies or scheduled scaling.
- A default cooldown period automatically applies to any scaling activities for simple scaling policies, and you can optionally request to have it apply to your manual scaling activities.
- When you use the AWS Management Console to update an Auto Scaling Group, or when you use the AWS CLI or an AWS SDK to create or update an Auto Scaling Group, you can set the optional default cooldown parameter.
- If a value for the default cooldown period is not provided, its default value is 300 seconds.
You have been given an assignment to configure Network ACLs in your VPC. Before configuring the NACLs, you need to understand how the NACLs are evaluated. How are NACL rules evaluated?
NACL rules are evaluated by rule number from lowest to highest and executed immediately when a matching rule is found.
- You can add or remove rules from the default network ACL, or create additional network ACLs for your VPC.
- When you add or remove rules from a network ACL, the changes are automatically applied to the subnets that it’s associated with.
- A network access control list (ACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets.
- You might set up network ACLs with rules similar to your security groups in order to add an additional layer of security to your VPC.
The following are the parts of a network ACL rule:
- Rules are evaluated starting with the lowest-numbered rule.
- As soon as a rule matches traffic, it’s applied regardless of any higher-numbered rule that might contradict it.
- The type of traffic, for example, SSH. You can also specify all traffic or a custom range.
- You can specify any protocol that has a standard protocol number.
- Port range. The listening port or port range for the traffic.
- Source. [Inbound rules only] The source of the traffic (CIDR range).
- Destination. [Outbound rules only] The destination for the traffic (CIDR range).
- Allow/Deny. Whether to allow or deny the specified traffic.
You have been evaluating the NACLs in your company. Currently, you are looking at the default network ACL. Which statement is true about NACLs?
The default configuration of the default NACL is Allow, and the default configuration of a custom NACL is Deny.
- Your VPC automatically comes with a modifiable default network ACL.
- By default, it allows all inbound and outbound IPv4 traffic and, if applicable, IPv6 traffic.
- You can create a custom network ACL and associate it with a subnet.
- By default, each custom network ACL denies all inbound and outbound traffic until you add rules.
A consultant hired by a small company to configure an AWS environment. The consultant begins working with the VPC and launching EC2 instances within the VPC. The initial instances will be placed in a public subnet. The consultant begins to create security groups. What is true of security groups?
You can specify allow rules but not deny rules
The following are the basic characteristics of security groups for your VPC:
- There are quotas on the number of security groups that you can create per VPC
- the number of rules that you can add to each security group,
- the number of security groups that you can associate with a network interface.
- You can specify allow rules, but not deny rules.
- You can specify separate rules for inbound and outbound traffic.
- When you create a security group, it has no inbound rules.
- Therefore, no inbound traffic originating from another host to your instance is allowed until you add inbound rules to the security group.
- By default, a security group includes an outbound rule that allows all outbound traffic.
- You can remove the rule and add outbound rules that allow specific outbound traffic only.
- If your security group has no outbound rules, no outbound traffic originating from your instance is allowed.
- Security groups are stateful.
- If you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound security group rules.
- Responses to allowed inbound traffic are allowed to flow out, regardless of outbound rules.
An international company has many clients around the world. These clients need to transfer gigabytes to terabytes of data quickly and on a regular basis to an S3 bucket. Which S3 feature will enable these long distance data transfers in a secure and fast manner?
Transfer Acceleration
You might want to use Transfer Acceleration on a bucket for various reasons, including the following:
- You have customers that upload to a centralized bucket from all over the world.
- You transfer gigabytes to terabytes of data on a regular basis across continents.
- You are unable to utilize all of your available bandwidth over the Internet when uploading to Amazon S3
An organization of about 100 employees has performed the initial setup of users in IAM. All users except administrators have the same basic privileges. But now it has been determined that 50 employees will have extra restrictions on EC2. They will be unable to launch new instances or alter the state of existing instances. What will be the quickest way to implement these restrictions?
Create the appropriate policy. Create a new group for the restricted users. Place the restricted users in the new group and attach the policy to the group.
- You manage access in AWS by creating policies and attaching them to IAM identities (users, groups of users, or roles) or AWS resources.
- A policy is an object in AWS that, when associated with an identity or resource, defines their permissions.
- AWS evaluates these policies when an IAM principal (user or role) makes a request.
- Permissions in the policies determine whether the request is allowed or denied.
- Most policies are stored in AWS as JSON documents.
AWS supports six types of policies:
- identity-based policies,
- resource-based policies,
- permissions boundaries,
- Organizations
- SCPs
- ACLs
- session policies.
- IAM policies define permissions for an action regardless of the method that you use to perform the operation.
- For example, if a policy allows the GetUser action, then a user with that policy can get user information from the AWS Management Console, the AWS CLI, or the AWS API.
- When you create an IAM user, you can choose to allow console or programmatic access.
- If console access is allowed, the IAM user can sign in to the console using a user name and password.
- Or if programmatic access is allowed, the user can use access keys to work with the CLI or API.
A small company has nearly 200 users who already have AWS accounts in the company AWS environment. A new S3 bucket has been created which will allow roughly a third of all users access to sensitive information in the bucket. What is the most time efficient way to get these users access to the bucket?
Create a new policy which will grant permissions to the bucket. Create a group and attach the policy to that group. Add the users to this group.
An IAM group is a collection of IAM users.
Groups let you specify permissions for multiple users, which can make it easier to manage the permissions for those users.
Note that a group is not truly an “identity” in IAM because it cannot be identified as a Principal in a permission policy.
It is simply a way to attach policies to multiple users at one time.
Following are some important characteristics of groups:
- A group can contain many users, and a user can belong to multiple groups.
- Groups can’t be nested; they can contain only users, not other groups.
- There’s no default group that automatically includes all users in the AWS account. If you want to have a group like that, you need to create it and assign each new user to it.
- There’s a limit to the number of groups you can have, and a limit to how many groups a user can be in.
-
Chapter 3 - AWS Fundamentals6
-
Quiz - Chapter 3 - AWS Fundamental Building Blocks5
-
Chapter 4 - Identity and Access Management (IAM)2
-
Quiz Chapter 4 - Identity and Access Management5
-
Chapter 5 - S3 Overview15
-
Quiz - Chapter 5 - S3 Overview7
-
Chapter 6 - Elastic Compute Cloud (EC2)4
-
Quiz - Chapter 6 - Elastic Compute Cloud (EC2)7
-
Chapter 7 - Elastic Block Storage and Elastic File System4
-
Quiz - Chapter 7 - EBS and EFS8
-
Chapter 8 - Databases10
-
Quiz - Chapter 8 - Databases8
-
Chapter 9 - VPC overview5
-
Quiz - Chapter 9 - VPC Overview10
-
Chapter 10 - Route 5313
-
Quiz - Chapter 10 - Route 539
-
Chapter 11 - Elastic Load Balancing10
-
Quiz - Chapter 11 - Elastic Load Balancers7
-
Chapter 12 - Monitoring2
-
Quiz - Chapter 12 - Monitoring4
-
Chapter 13 - High Availability and Scaling5
-
Quiz - Chapter 13 - HA and Scaling8
-
Chapter 14 - Decoupling Workflows overview8
-
Quiz - Chapter 14 - Decoupling Workflows9
-
Chapter 15 - Big Data7
-
Quiz - Chapter 15 - Big Data8
-
Chapter 16 - Serverless Overview5
-
Quiz - Chapter 16 - Serverless Overview8
-
Chapter 17 - Security13
-
Quiz - Chapter 17 - Security10
-
Chapter 18 - Why Do We Automate4
-
Quiz - Chapter 18 - Why Do We Automate7
-
Chapter 19 - Caching Overview3
-
Quiz - Chapter 19 - Caching Overview6
-
Chapter 20 - Governance8
-
Quiz - Chapter 20 - Governance8
-
Chapter 21 - Migration7
-
Quiz - Chapter 21 - Migration5
-
Practice Exam 131
-
Practice Exam 229
-
Practice Exam 316
-
Practice Exam 444
-
Quiz Challenge 143
-
Quiz Challenge 243
-
Quiz Challenge 36
-
Key Terms0
-
Udemy Exam 138
-
Udemy Exam 234
-
Udemy Exam 336
-
Udemy Exam 434
-
Udemy Exam 537
