Practice Exam 4 Flashcards

Question

An Electronic Design Automation (EDA) application produces massive volumes of data that can be divided into two categories. The 'hot data' needs to be both processed and stored quickly in a parallel and distributed fashion. The 'cold data' needs to be kept for reference with quick access for reads and updates at a low cost. Which of the following AWS services is BEST suited to accelerate the aforementioned chip design process?

Answer 1

Amazon FSx for Lustre Amazon FSx for Lustre * Makes it easy and cost-effective to launch and run the world’s most popular high-performance file system. * It is used for workloads such as machine learning, high-performance computing (HPC), video processing, and financial modeling. * The open-source Lustre file system is designed for applications that require fast storage – where you want your storage to keep up with your compute. * FSx for Lustre integrates with Amazon S3, making it easy to process data sets with the Lustre file system. * When linked to an S3 bucket, an FSx for Lustre file system transparently presents S3 objects as files and allows you to write changed data back to S3. * FSx for Lustre provides the ability to both process the 'hot data' in a parallel and distributed fashion as well as easily store the 'cold data' on Amazon S3. ***Therefore this option is the BEST fit for the given problem statement.***

Answer 2

Amazon Neptune * Amazon Neptune is a fast, reliable, fully managed graph database service that makes it easy to build and run applications that work with highly connected datasets. * The core of Amazon Neptune is a purpose-built, high-performance graph database engine optimized for storing billions of relationships and querying the graph with milliseconds latency. * Neptune powers graph use cases such as recommendation engines, fraud detection, knowledge graphs, drug discovery, and network security. * Amazon Neptune is highly available, with read replicas, point-in-time recovery, continuous backup to Amazon S3, and replication across Availability Zones. * Neptune is secure with support for HTTPS encrypted client connections and encryption at rest. * Neptune is fully managed, so you no longer need to worry about database management tasks such as hardware provisioning, software patching, setup, configuration, or backups. * Amazon Neptune can quickly and easily process large sets of user-profiles and interactions to build social networking applications. * Neptune enables highly interactive graph queries with high throughput to bring social features into your applications. ***For example, if you are building a social feed into your application, you can use Neptune to provide results that prioritize showing your users the latest updates from their family, from friends whose updates they ‘Like,’ and from friends who live close to them.***

Answer 3

Leverage AWS Database Migration Service (AWS DMS) as a bridge between Amazon S3 and Amazon Kinesis Data Streams * You can achieve this by using AWS Database Migration Service (AWS DMS). * AWS DMS enables you to seamlessly migrate data from supported sources to relational databases, data warehouses, streaming platforms, and other data stores in AWS cloud. * The given requirement needs the functionality to be implemented in the least possible time. * You can use AWS DMS for such data-processing requirements. * AWS DMS lets you expand the existing application to stream data from Amazon S3 into Amazon Kinesis Data Streams for real-time analytics without writing and maintaining new code. * AWS DMS supports specifying Amazon S3 as the source and streaming services like Kinesis and Amazon Managed Streaming of Kafka (Amazon MSK) as the target. * AWS DMS allows migration of full and change data capture (CDC) files to these services. * AWS DMS performs this task out of box without any complex configuration or code development. * You can also configure an AWS DMS replication instance to scale up or down depending on the workload. * AWS DMS supports Amazon S3 as the source and Kinesis as the target, so data stored in an S3 bucket is streamed to Kinesis. * Several consumers, such as AWS Lambda, Amazon Kinesis Data Firehose, Amazon Kinesis Data Analytics, and the Kinesis Consumer Library (KCL), can consume the data concurrently to perform real-time analytics on the dataset. ***Each AWS service in this architecture can scale independently as needed.***

Answer 4

1. Chef 2. Puppet * AWS OpsWorks is a configuration management service that provides managed instances of Chef and Puppet. * Chef and Puppet are automation platforms that allow you to use code to automate the configurations of your servers. * OpsWorks lets you use Chef and Puppet to automate how servers are configured, deployed and managed across your Amazon EC2 instances or on-premises compute environments.

Answer 5

Consolidated billing has not been enabled. * All the AWS accounts should fall under a single consolidated billing for the monthly fee to be charged only once * If your organization has multiple AWS accounts, then you can subscribe multiple AWS Accounts to AWS Shield Advanced by individually enabling it on each account using the AWS Management Console or API. * You will pay the monthly fee once as long as the AWS accounts are all under a single consolidated billing, and you own all the AWS accounts and resources in those accounts.

Answer 6

ElastiCache for Redis **Amazon ElastiCache for Redis** * Is a blazing fast in-memory data store that provides sub-millisecond latency to power internet-scale real-time applications. * Amazon ElastiCache for Redis is a great choice for real-time transactional and analytical processing use cases such as caching, chat/messaging, gaming leaderboards, geospatial, machine learning, media streaming, queues, real-time analytics, and session store. * ElastiCache for Redis supports replication, high availability, and cluster sharding right out of the box. * Amazon ElastiCache for Redis is also HIPAA Eligible Service.

Answer 7

Set up a read replica and modify the application to use the appropriate endpoint * An Amazon Aurora DB cluster consists of one or more DB instances and a cluster volume that manages the data for those DB instances. * An Aurora cluster volume is a virtual database storage volume that spans multiple Availability Zones, with each Availability Zone having a copy of the DB cluster data. **Two types of DB instances make up an Aurora DB cluster:** **Primary DB instance** * Supports read and write operations, and performs all of the data modifications to the cluster volume. * Each Aurora DB cluster has one primary DB instance. **Aurora Replica** * Connects to the same storage volume as the primary DB instance and supports only read operations. * Each Aurora DB cluster can have up to 15 Aurora Replicas in addition to the primary DB instance. * Aurora automatically fails over to an Aurora Replica in case the primary DB instance becomes unavailable. * You can specify the failover priority for Aurora Replicas. * Aurora Replicas can also offload read workloads from the primary DB instance. Aurora Replicas have two main purposes. * You can issue queries to them to scale the read operations for your application. * You typically do so by connecting to the reader endpoint of the cluster. * That way, Aurora can spread the load for read-only connections across as many Aurora Replicas as you have in the cluster. * Aurora Replicas also help to increase availability. * If the writer instance in a cluster becomes unavailable, Aurora automatically promotes one of the reader instances to take its place as the new writer. * While setting up a Multi-AZ deployment for Aurora, you create an Aurora replica or reader node in a different AZ. ***You use the reader endpoint for read-only connections for your Aurora cluster.*** * This endpoint uses a load-balancing mechanism to help your cluster handle a query-intensive workload. * The reader endpoint is the endpoint that you supply to applications that do reporting or other read-only operations on the cluster. * The reader endpoint load-balances connections to available Aurora Replicas in an Aurora DB cluster.

Answer 8

Use EC2 dedicated hosts * You can use Dedicated Hosts to launch Amazon EC2 instances on physical servers that are dedicated for your use. * Dedicated Hosts give you additional visibility and control over how instances are placed on a physical server, and you can reliably use the same physical server over time. As a result, ***Dedicated Hosts enable you to use your existing server-bound software licenses like Windows Server and address corporate compliance and regulatory requirements.***

Answer 9

1. Delete the existing standard queue and recreate it as a FIFO queue 2. Make sure that the name of the FIFO queue ends with the .fifo suffix 3. Make sure that the throughput for the target FIFO queue does not exceed 3,000 messages per second **Amazon Simple Queue Service (SQS)** * Is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications. * SQS eliminates the complexity and overhead associated with managing and operating message oriented middleware, and empowers developers to focus on differentiating work. * Using SQS, you can send, store, and receive messages between software components at any volume, without losing messages or requiring other services to be available. **SQS offers two types of message queues.** **Standard queues** * Offer maximum throughput, best-effort ordering, and at-least-once delivery. **SQS FIFO queues** * Are designed to guarantee that messages are processed exactly once, in the exact order that they are sent. * By default, FIFO queues support up to 3,000 messages per second with batching, or up to 300 messages per second (300 send, receive, or delete operations per second) without batching. * Therefore, using batching you can meet a throughput requirement of upto 3,000 messages per second. * The name of a FIFO queue must end with the .fifo suffix. * The suffix counts towards the 80-character queue name limit. * To determine whether a queue is FIFO, you can check whether the queue name ends with the suffix. * If you have an existing application that uses standard queues and you want to take advantage of the ordering or exactly-once processing features of FIFO queues, you need to configure the queue and your application correctly. * You can't convert an existing standard queue into a FIFO queue. * To make the move, you must either create a new FIFO queue for your application or delete your existing standard queue and recreate it as a FIFO queue.

Answer 10

By default, Lambda functions always operate from an AWS-owned VPC and hence have access to any public internet address or public AWS APIs. * Once a Lambda function is VPC-enabled, it will need a route through a NAT gateway in a public subnet to access public resources * Lambda functions always operate from an AWS-owned VPC. * By default, your function has the full ability to make network requests to any public internet address — this includes access to any of the public AWS APIs. ***For example, your function can interact with AWS DynamoDB APIs to PutItem or Query for records.*** * You should only enable your functions for VPC access when you need to interact with a private resource located in a private subnet. * An RDS instance is a good example. * Once your function is VPC-enabled, all network traffic from your function is subject to the routing rules of your VPC/Subnet. * If your function needs to interact with a public resource, you will need a route through a NAT gateway in a public subnet. * Since Lambda functions can scale extremely quickly, its a good idea to deploy a CloudWatch Alarm that notifies your team when function metrics such as ConcurrentExecutions or Invocations exceeds the expected threshold * Since Lambda functions can scale extremely quickly, this means you should have controls in place to notify you when you have a spike in concurrency. * A good idea is to deploy a CloudWatch Alarm that notifies your team when function metrics such as ConcurrentExecutions or Invocations exceeds your threshold. * You should create an AWS Budget so you can monitor costs on a daily basis. * If you intend to reuse code in more than one Lambda function, you should consider creating a Lambda Layer for the reusable code * You can configure your Lambda function to pull in additional code and content in the form of layers. * A layer is a ZIP archive that contains libraries, a custom runtime, or other dependencies. * With layers, you can use libraries in your function without needing to include them in your deployment package. * Layers let you keep your deployment package small, which makes development easier. * A function can use up to 5 layers at a time. * You can create layers, or use layers published by AWS and other AWS customers. * Layers support resource-based policies for granting layer usage permissions to specific AWS accounts, AWS Organizations, or all accounts. * The total unzipped size of the function and all layers can't exceed the unzipped deployment package size limit of 250 MB.

Answer 11

1. NAT instance can be used as a bastion server 2. Security Groups can be associated with a NAT instance 3. NAT instance supports port forwarding A NAT instance or a NAT Gateway can be used in a public subnet in your VPC to enable instances in the private subnet to initiate outbound IPv4 traffic to the Internet.

Answer 12

Use Amazon GuardDuty to monitor any malicious activity on data stored in S3. Use Amazon Macie to identify any sensitive data stored on S3 **Amazon GuardDuty** * Offers threat detection that enables you to continuously monitor and protect your AWS accounts, workloads, and data stored in Amazon S3. * GuardDuty analyzes continuous streams of meta-data generated from your account and network activity found in AWS CloudTrail Events, Amazon VPC Flow Logs, and DNS Logs. * It also uses integrated threat intelligence such as known malicious IP addresses, anomaly detection, and machine learning to identify threats more accurately. **Amazon Macie** * Is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data on Amazon S3. * Macie automatically detects a large and growing list of sensitive data types, including personally identifiable information (PII) such as names, addresses, and credit card numbers. * It also gives you constant visibility of the data security and data privacy of your data stored in Amazon S3.

Answer 13

Use VPC endpoint to access Amazon SQS AWS customers can access Amazon Simple Queue Service (Amazon SQS) from their Amazon Virtual Private Cloud (Amazon VPC) using VPC endpoints, without using public IPs, and without needing to traverse the public internet. **VPC endpoints for Amazon SQS** * Are powered by AWS PrivateLink, a highly available, scalable technology that enables you to privately connect your VPC to supported AWS services. * Amazon VPC endpoints are easy to configure. * They also provide reliable connectivity to Amazon SQS without requiring an internet gateway, Network Address Translation (NAT) instance, VPN connection, or AWS Direct Connect connection. * With VPC endpoints, the data between your Amazon VPC and Amazon SQS queue is transferred within the Amazon network, helping protect your instances from internet traffic. **AWS PrivateLink** * Simplifies the security of data shared with cloud-based applications by eliminating the exposure of data to the public Internet. * AWS PrivateLink provides private connectivity between VPCs, AWS services, and on-premises applications, securely on the Amazon network. * AWS PrivateLink makes it easy to connect services across different accounts and VPCs to significantly simplify the network architecture.

Answer 14

Use the Auto Scaling group lifecycle hook to put the instance in a wait state and launch a custom script that installs the proprietary forensic tools and performs a pre-activation status check **An Auto Scaling group** * Contains a collection of Amazon EC2 instances that are treated as a logical grouping for automatic scaling and management. **Auto Scaling group lifecycle hooks** * Enable you to perform custom actions as the Auto Scaling group launches or terminates instances. * Lifecycle hooks enable you to perform custom actions by pausing instances as an Auto Scaling group launches or terminates them. * When an instance is paused, it remains in a wait state either until you complete the lifecycle action using the complete-lifecycle-action command or the CompleteLifecycleAction operation, or until the timeout period ends (one hour by default). ***For example, you could install or configure software on newly launched instances, or download log files from an instance before it terminates.***

Answer 15

Traffic is routed to instances using the primary private IP address specified in the primary network interface for the instance **A Network Load Balancer** * Functions at the fourth layer of the Open Systems Interconnection (OSI) model. * It can handle millions of requests per second. * After the load balancer receives a connection request, it selects a target from the target group for the default rule. * It attempts to open a TCP connection to the selected target on the port specified in the listener configuration. **Request Routing and IP Addresses** * If you specify targets using an instance ID, traffic is routed to instances using the primary private IP address specified in the primary network interface for the instance. * The load balancer rewrites the destination IP address from the data packet before forwarding it to the target instance. * If you specify targets using IP addresses, you can route traffic to an instance using any private IP address from one or more network interfaces. * This enables multiple applications on an instance to use the same port. * Note that each network interface can have its security group. * The load balancer rewrites the destination IP address before forwarding it to the target.

Answer 16

Blue/green deployment is a technique for releasing applications by shifting traffic between two identical environments running different versions of the application: * "Blue" is the currently running version * "Green" the new version. * This type of deployment allows you to test features in the green environment without impacting the currently running version of your application. * When you’re satisfied that the green version is working properly, you can gradually reroute the traffic from the old blue environment to the new green environment. ***Blue/green deployments can mitigate common risks associated with deploying software, such as downtime and rollback capability.*** * Use AWS Global Accelerator to distribute a portion of traffic to a particular deployment * AWS Global Accelerator is a network layer service that directs traffic to optimal endpoints over the AWS global network, this improves the availability and performance of your internet applications. * It provides two static anycast IP addresses that act as a fixed entry point to your application endpoints in a single or multiple AWS Regions, such as your Application Load Balancers, Network Load Balancers, Elastic IP addresses or Amazon EC2 instances, in a single or in multiple AWS regions. * AWS Global Accelerator uses endpoint weights to determine the proportion of traffic that is directed to endpoints in an endpoint group, and traffic dials to control the percentage of traffic that is directed to an endpoint group (an AWS region where your application is deployed). * While relying on the DNS service is a great option for blue/green deployments, it may not fit use-cases that require a fast and controlled transition of the traffic. * Some client devices and internet resolvers cache DNS answers for long periods; this DNS feature improves the efficiency of the DNS service as it reduces the DNS traffic across the Internet, and serves as a resiliency technique by preventing authoritative name-server overloads. * The downside of this in blue/green deployments is that you don’t know how long it will take before all of your users receive updated IP addresses when you update a record, change your routing preference or when there is an application failure. **With AWS Global Accelerator** * You can shift traffic gradually or all at once between the blue and the green environment and vice-versa without being subject to DNS caching on client devices and internet resolvers, traffic dials and endpoint weights changes are effective within seconds.

Answer 17

A process replaces an existing object and immediately tries to read it. Amazon S3 always returns the latest version of the object * Amazon S3 delivers strong read-after-write consistency automatically, without changes to performance or availability, without sacrificing regional isolation for applications, and at no additional cost. * After a successful write of a new object or an overwrite of an existing object, any subsequent read request immediately receives the latest version of the object. * S3 also provides strong consistency for list operations, so after a write, you can immediately perform a listing of the objects in a bucket with any changes reflected. * Strong read-after-write consistency helps when you need to immediately read an object after a write. * For example, strong read-after-write consistency when you often read and list immediately after writing objects. ***To summarize, all S3 GET, PUT, and LIST operations, as well as operations that change object tags, ACLs, or metadata, are strongly consistent. What you write is what you will read, and the results of a LIST will be an accurate reflection of what’s in the bucket.***

Answer 18

1. Create a new launch configuration to use the correct instance type. 2. Modify the Auto Scaling group to use this new launch configuration. 3. Delete the old launch configuration as it is no longer needed * A launch configuration is an instance configuration template that an Auto Scaling group uses to launch EC2 instances. * When you create a launch configuration, you specify information for the instances. * Include the ID of the Amazon Machine Image (AMI), the instance type, a key pair, one or more security groups, and a block device mapping. **It is not possible to modify a launch configuration once it is created**. * The correct option is to create a new launch configuration to use the correct instance type. * Then modify the Auto Scaling group to use this new launch configuration. * Lastly to clean-up, just delete the old launch configuration as it is no longer needed.

Answer 19

X-Ray AWS X-Ray * Helps developers analyze and debug production, distributed applications, such as those built using a microservices architecture. * With X-Ray, you can understand how your application and its underlying services are performing to identify and troubleshoot the root cause of performance issues and errors. * X-Ray provides an end-to-end view of requests as they travel through your application, and shows a map of your application’s underlying components. * You can use X-Ray to collect data across AWS Accounts. * The X-Ray agent can assume a role to publish data into an account different from the one in which it is running. * This enables you to publish data from various components of your application into a central account.

Answer 20

Use AWS Cost Explorer Resource Optimization to get a report of EC2 instances that are either idle or have low utilization and use AWS Compute Optimizer to look at instance type recommendations **AWS Cost Explorer** * Helps you identify under-utilized EC2 instances that may be downsized on an instance by instance basis within the same instance family, * Also understand the potential impact on your AWS bill by taking into account your Reserved Instances and Savings Plans. **AWS Compute Optimizer** * Recommends optimal AWS Compute resources for your workloads to reduce costs and improve performance by using machine learning to analyze historical utilization metrics. * Compute Optimizer helps you choose the optimal Amazon EC2 instance types, including those that are part of an Amazon EC2 Auto Scaling group, based on your utilization data.

Practice Exam 4 Flashcards

(44 cards)