AWS Q&A
EC2 instances have their own hourly charges that are pro-rated to the nearest second (with a one-minute minimum). Data transfer charges depend on the destination: within the same region it is usually 1 cent per GB, to another region it is usually 2 cents per GB, and outgoing to the internet 9 cents per GB. Incoming data from the internet is free. EBS storage costs are separate and are based on the GB of storage allocated.
You have a Deny policy for all actions when access is not made
from 85.154.120.55
Amazon Route 53 does not have a default TTL for any record type
An application uses geolocation-based routing on Route 53. Route 53 receives a DNS query and is unable to detect the requester's geolocation. How will Route 53 respond in this case?
You have enabled cross-region replication for your S3 bucket. If you delete a specific object version in the source bucket, what is the behavior observed in the replicated bucket?
You need to have three separate queues, one for each priority. Application logic should process messages by priority. FIFO queues with a Group ID can be used for separating messages into different FIFO queues. However, there is no guarantee that the highest priority messages will be returned first.
An application polls an SQS Standard Queue for processing pending messages. The application polls with a batch size set to 10 and a long polling wait time set to 10 seconds. There is only one message currently available in the queue. What will happen when the application makes a long polling receive request?
Standard Queue offers best-effort ordering and, in rare cases, can send duplicate messages.
1. Message 1, Group ID 1
When launching spot instances, the max price you are willing to pay must be above the spot price, and there should be enough spot capacity available to fulfill your request. An On-Demand launch may fail if there are temporary capacity constraints. Each account comes with default limits based on instance type and region. You can request Amazon to increase the soft limit for your account. You can check your limits in the EC2 Management Console -> select Limits in the navigation pane. All these issues can prevent a successful launch of an EC2 instance.
SPOT BLOCK
For licenses that are tied to hardware sockets and cores, you can use either Dedicated Hosts or bare metal instances.
The master node controls and directs the cluster. When the master node terminates, it ends the EMR cluster. Since the data is critical, we cannot use a spot instance for the master node. Core nodes process data and store it using HDFS. When you terminate a core instance, there is a risk of data loss. We cannot use spot instances for core nodes as the question mentions that the data is critical. Task nodes process data but do not hold persistent data in HDFS. If a task node terminates, there is no risk of data loss. Adding additional spot capacity to task nodes is a great way to speed up data processing.
You have a fleet of hundreds of EC2 instances. If there are problems with AWS managed
items like Physical host, network connectivity to host, and system power, how would you be
able to track it?
A: CloudWatch Logs
An alarm is associated with one metric, so we need one alarm per metric.
This is a paid offering and gives you EC2 metrics at a 1-minute rate.
CloudTrail helps audit the API calls made within your account, so the database deletion API call will appear here (regardless of whether it was made from the console, the CLI, or an SDK).
For random I/O, you would need SSD-based storage. Depending on the IOPS required for your application, you can choose various options at different price points and durability characteristics: General Purpose, Provisioned IOPS and SSD Instance Store.
You can use either a Classic or a Network Load Balancer for load balancing your TCP application. For newer applications, AWS recommends using the Network Load Balancer. The Application Load Balancer is used only for HTTP/HTTPS-based applications.
Your application demand is stable, and you are not expecting any changes in demand soon. There are six EC2 instances currently handling all the requests. Given this scenario, would you still use auto scaling?
Auto scaling can monitor the health of your instances and replace them if they are not healthy.
You are using Kinesis Firehose for your streaming data collection
and usage. You are expecting a 10x increase in data
collection. What are your options to increase scalability and
throughput?
A building has several sensors to monitor air quality. These sensors publish data to AWS
Kinesis streams for analysis. You would like to analyze the daily air quality trend over the
past one year across all sensors. This analysis would be considered as:
An online gaming platform uses a DynamoDB table for keeping track of scores. The primary key consists of PlayerID as the hash key and GameTitle as the sort key. There are no other indexes defined for that table. To find the top 10 high-scoring players for a game: DynamoDB has to scan the entire table to find the answer. Since there is no secondary index defined for game title and top score, it has to scan the entire table. To speed up the query, you can create a secondary index based on these two attributes.
Reference:
https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/BestPractices.html
You are developing a mobile application that customizes user experience based on
logged on user. Your application needs to scale to very large number of concurrent
users with consistent millisecond latency. What backend store can you use for storing
user sessions?
Reference:
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/DownloadDistS3AndCustomOrigins.html
Now you created a new IAM user with the same name, Alice. S3 has a finance bucket that granted access to the original Alice using the ARN arn:aws:iam::123456789012:user/Alice; this permission still exists as part of the bucket-level policy. The newly joined Alice also has the same ARN; would she be able to access the S3 finance bucket?
False: When an IAM entity is deleted, the managed policy associated with it is automatically deleted.
A: 302 MB
Versioning stores the complete data for every object upload.
You can use tiered storage to keep the costs low. The Standard storage class is ideal for files that are accessed frequently. Standard-Infrequent Access is ideal for files that are accessed infrequently but need to be available immediately. Glacier is suitable for long-term archiving at very low cost. Standard One Zone-Infrequent Access is similar to Standard-Infrequent Access; however, files are replicated only inside a single availability zone and cost 20% less than Standard-IA. This is not suitable for critical data, as a single availability zone failure can cause disruption to the business.
How do you prove your identity with Amazon SES and ISPs when
you are sending emails from your application?
No
Reference:
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-findinmap.html
"ImageId" : { "Fn::FindInMap" : [ "RegionMap", { "Ref" : "AWS::Region" }, "64" ] }
How can you query the endpoint from the database resource?
You can use the GetAtt function to query the value of an attribute from a resource in the template. Reference:
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-getatt.html
Swap Environment URL option in Elastic Beanstalk is convenient
for handling blue/green deployment scenarios. It allows you to:
Change a new environment to a production environment
TRUE: Before deleting your resource in your existing stack, you can
optionally snapshot the supported resources
Send the response to the load balancer node, and the load balancer sends the response to the client.
You want to ensure only certain IP ranges are able to access your
elastic load balancer.
Your legal department has asked your team to ensure that project
documents are not deleted or tampered with. They have further
asked for a 5 year retention window. Your team is currently using
Glacier for storing the project documents. What option would you
pick to enforce this policy?
Use Vault Lock to implement write once, read many (WORM) type policies.
Your team is using Glacier for low-cost storage. You get frequent requests for retrieving a small portion of an archive (a few tens of MB). These requests need to be met in under 30 minutes. What retrieval option can you use?
So you can basically customize your alarm any time you want.
https://aws.amazon.com/premiumsupport/knowledge-center/
This is the way to save further costs as we know we will run 2 EC2
instances no matter what.
EBS volumes are created for a specific AZ and can only be attached to one EC2 instance at a time. This will not help make our application stateless.
You are looking to store shared software update data across hundreds of EC2 instances. The software updates should be dynamically loaded on the EC2 instances and shouldn't require heavy operations. What do you suggest?
A: EFS is a network file system (NFS) and allows you to mount the same file system on hundreds of EC2 instances. Publishing the software updates there allows each EC2 instance to access them.
As a solution architect managing a complex ERP software suite, you are orchestrating a migration to the AWS cloud. The software traditionally takes well over an hour to set up on a Linux machine, and you would like to make sure your application leverages the ASG feature of auto scaling based on demand. How do you recommend speeding up the installation process?
Golden AMIs are the standard way of saving the state after the installation or after pulling dependencies, so that future instances can boot up from that AMI quickly.
A: Multi-site
You have provisioned an 8TB gp2 EBS volume and you are running out of IOPS. What is
NOT a way to increase performance?
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/InstanceStorage.html#instance-store-lifetime
The data in an instance store persists only during the lifetime of its associated instance. If an instance reboots (intentionally or unintentionally), data in the instance store persists. However, data in the instance store is lost under any of the following circumstances:
• The underlying disk drive fails
• The instance stops
• The instance terminates
If you restart the instance, no data will be lost. If you stop the instance, data will be lost.
RAID 1
You would like to have the same data accessible as an NFS drive across AZs on all your EC2 instances. What do you recommend?
A: Mount EFS
And that's the default policy, you can always change that, but the default is to find the AZ that has the most instances. In our case, this is Availability Zone A, because it has four EC2 instances. So it's definitely going to be one of these four EC2 instances that's going to be terminated.
You quickly created an ELB and it turns out your users are complaining about the fact that sometimes the servers just don't work. You realise that your servers do indeed crash from time to time. How do you protect your users from seeing these crashes?
Because the ASG has been configured to leverage the ALB health checks, unhealthy instances will be terminated.
You would like to expose a fixed static IP to your end users for
compliance purposes, so they can write firewall rules that will be
stable and approved by regulators. Which Load Balancer should
you use?
The AZ-B will terminate the instance with the oldest launch
configuration
Make sure you remember the Default Termination Policy for ASG. It
tries to balance across AZ first, and then delete based on the age of
the launch configuration.
So TTL is basically a way for web browsers and clients to cache the
response of a DNS query. And the reason we do this is not to
overload the DNS.
So we have Route 53, and that's our DNS for us,
With client-side encryption you fully manage the keys and perform the encryption yourself, which is against the requirements of the question.
With client-side encryption you perform the encryption yourself and send the encrypted data to AWS directly. AWS does not know your encryption keys and cannot decrypt your data.
The bucket policy allows our users to read / write files in the
bucket, yet we were not able to perform a PutObject API call.
You have a website that loads files from another S3 bucket. When
you try the URL of the files directly in your Chrome browser it
works, but when the website you're visiting tries to load these files
it doesn't. What's the problem?
you're going to get the role name, my first EC2 role. So my first EC2 role, and what we get out of this is an access key, a secret access key and a token. And so behind the scenes, when you attach an IAM role to an EC2 instance, the way for it to perform API calls is that it queries this whole URL right here, from which it gets an access key ID, a secret access key and a token. And it turns out that these are short-lived credentials. So as you can see, there is an expiration date in here, and that's usually something like one hour. And so the idea is that your EC2 instance gets temporary credentials through the IAM role that got attached to it. So this is basically how IAM roles work.
IAM roles are the right way to provide credentials and permissions to an EC2 instance.
I should ask an administrator to attach a policy to the IAM role on my EC2 instance that authorises it to do the API call.
Even better would be to create a user specifically for that one on-premise server.
I should run `aws configure` and put my credentials there. Invalidate them when I'm done.
Server-side encryption means the server will encrypt the data for us. We don't need to encrypt it beforehand.
STS will allow us to get cross account access through the creation
of a role in our account authorized to access a role in another
account. See more here:
https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html
OS patching is Amazon's responsibility for RDS. But if we use EC2,
it is our responsibility
Under the shared responsibility model, what are you responsible for in RDS?
You have a mobile application and would like to give your users
access to their own personal space in Amazon S3. How do you
achieve that?
PostgreSQL
Which RDS database technology does NOT support IAM authentication?
Oracle
The DNS protocol does not allow you to create a CNAME record for the top node of a DNS namespace (mycoolcompany.com), also known as the zone apex.
After updating a Route 53 record to point "myapp.mydomain.com"
from an old Load Balancer to a new load balancer, it looks like the
users are still not redirected to your new load balancer. You are
wondering why...
DNS records have a TTL (Time to Live) so that clients know for how long to cache these values and not overload the DNS with requests. The TTL should be set to strike a balance between how long the value should be cached and how much pressure should go on the DNS.
You want your users to get the best possible user experience and
that means minimizing the response time from your servers to your
users. Which routing policy will help?
Latency-based routing will evaluate the latency results and help your users get a DNS response that will minimize their latency (i.e. response time).
You have purchased a domain on Godaddy and would like to use it
with Route 53. What do you need to change to make this work?
Maybe sometimes you need a more consistent network experience, because you're experiencing data drops, you're experiencing connection shutdowns, you want to have real-time data feeds on your application and they're shutting down too often. Direct Connect is a great option for this.
Or maybe you want to just have a hybrid environment (on-prem + cloud).
Security groups are stateful: if traffic can go out, then it can go back in.
CIDRs should not overlap, and the max CIDR size in AWS is /16.
Route tables must be updated in both peered VPCs for them to communicate.
Which are the only two services that have a Gateway Endpoint instead of an Interface Endpoint as a VPC endpoint? ANS: S3 and DynamoDB; all the other ones have an interface endpoint (powered by PrivateLink, meaning a private IP).
With SSE-S3 you let go of the management of the encryption keys.
Client-side encryption: here you have full control over the encryption keys, and you must do the encryption yourself.
SSE-C: here you have full control over the encryption keys, and you let AWS do the encryption.
https://atom.io/packages/language-yaml
https://atom.io/ (text editor for YAML)
NoEcho will ensure your parameter does not appear in any log, like a password!
MFA Delete forces users to use MFA tokens before deleting objects. It's an extra level of security to prevent accidental deletes.
You are preparing for the biggest sale day of the year, where your traffic will increase by 100x. You have already set up an SQS standard queue. What should you do? A: SQS scales automatically.
Delay queues let you postpone the delivery of new messages to a queue for a number of seconds. If you create a delay queue, any messages that you send to the queue remain invisible to consumers for the duration of the delay period. The default (minimum) delay for a queue is 0 seconds. The maximum is 15 minutes.
S3 Access Logs record all the requests made to buckets, and Athena can then be used to run serverless analytics on top of the log files.
• S3 CRR is used to replicate data from an S3 bucket to another one in a different
region
Pre-signed URLs are temporary and grant time-limited access to some actions in your S3 bucket.
• INSTANT (10 secs) is NOT a Glacier retrieval mode
You need to move hundreds of terabytes into the cloud in S3, and after that pre-process it using many EC2 instances in order to clean the data. You have a 1 Gbit/s broadband connection and would like to optimise the process of moving the data and pre-processing it, in order to save time. What do you recommend?
Your SQS costs are extremely high. Upon closer look, you notice that your
consumers are polling SQS too often and getting empty data as a result. What
should you do?
Long polling helps reduce the cost of using Amazon SQS by eliminating the number of empty responses (when there are no messages available for a ReceiveMessage request) and false empty responses (when messages are available but aren't included in a response).
ANS: Snowball Edge is the right answer as it comes with computing capabilities and allows us to pre-process the data while it's being moved in Snowball, so we save time on the pre-processing side as well.
CloudFront signed URLs are commonly used to distribute paid content through dynamic CloudFront signed URL generation. Q: Which feature allows us to distribute paid content from S3 securely and globally, if the S3 bucket is secured to only exchange data with CloudFront?
S3 CRR allows you to replicate the data from one bucket in a region to another
bucket in another region
• Geo Restriction allows you to specify a list of whitelisted or blacklisted countries in your CloudFront distribution. Q: How can you ensure that only users who access our website from Canada are authorized in CloudFront?
You'd like to send a message to 3 different applications all using SQS. You should
This is a common pattern as only one message is sent to SNS and then "fan out" to
multiple SQS queues
You have a Kinesis stream usually receiving 5 MB/s of data and sending out 8 MB/s of data. You have provisioned 6 shards. Some days, your traffic spikes up to 2 times and you get a throughput exception. You should add more shards.
Each shard allows for 1 MB/s incoming and 2 MB/s outgoing of data.
You are sending a clickstream for your users navigating your website all the way to Kinesis. It seems that the users' data is not ordered in Kinesis, and the data for one individual user is spread across many shards. How do you fix that problem?
By providing a partition key we ensure the data is ordered for each user.
• Kinesis Analytics is the product to use, with Kinesis Streams as the underlying source of data.
Kinesis Streams + Firehose is a perfect combination of technology for loading data near real-time into S3 and Redshift.
You want to send email notifications to your users. You should use SNS, which has that feature by default.
You'd like to have a dynamic DB_URL variable loaded in your Lambda code
Environment variables allow for your Lambda to have dynamic variables from
within
A DynamoDB table has been provisioned with 10 RCU and 10 WCU. You would
like to increase the RCU to sustain more read traffic. What is true about RCU and
WCU?
You would like to automate sending welcome emails to the users who subscribe to the Users table in DynamoDB. How can you achieve that? Enable DynamoDB Streams and have Lambda functions receive the events in real time.
Amazon Cognito Sync is an AWS service and client library that enables cross-device syncing of application-related user data.
This would work but would require a lot more manual work (a DB user table with a Lambda authorizer).
As a solutions architect, you have been tasked to implement a fully serverless REST API. Which technology choices do you recommend? API Gateway + Lambda.
Lambda does not have an out-of-the-box caching feature (it's often paired with API Gateway for that).
Which service allows you to federate mobile users and generate temporary credentials so that they can access their own S3 bucket sub-folder? Cognito in combination with STS.
You would like to distribute your static content, which currently lives in Amazon S3, to multiple regions around the world, such as the US, France and Australia. What do you recommend? CloudFront.
You have hosted a DynamoDB table in ap-northeast-1 and would like to make it
available in eu-west-1. What must be enabled first to create a DynamoDB Global
Table?
A: Streams enable DynamoDB to get a changelog and use that changelog to replicate data across regions.
You would like to create a microservice whose sole purpose is to encode video files with your specific algorithm from S3 back into S3. You would like to make that microservice reliable and retry upon failure. Processing a video may take over 25 minutes. The service is asynchronous, and it should be possible for the service to be stopped for a day and resume the next day from the videos that haven't been encoded yet. Which of the following services would you recommend to implement this service?
SQS allows you to retain messages for days and process them later, while we take down our EC2 instances.
You would like to distribute paid software installation files globally for your customers who have indeed purchased the content. The software may be purchased by different users, and you want to protect the download URL with security including IP restriction. Which solution do you recommend? A: CloudFront pre-signed URLs. These provide security including IP restriction.
You are a photo hosting service and publish every month a master pack of beautiful mountain images, over 50 GB in size, that is downloaded from all around the world. The content is currently hosted on EFS and distributed by an ELB and EC2 instances. You are experiencing high load each month and very high network costs. What can you recommend that won't force an application refactor and will reduce network costs and EC2 load dramatically?
A: CloudFront can be used in front of an ELB.
You would like to deliver big data streams in real time to multiple consuming applications, with replay features. Which technology do you recommend? Kinesis Data Streams.
https://github.com/awslabs/aws-cloudformation-templates
https://github.com/awslabs/aws-cloudformation-templates/blob/master/aws/solutions/WordPress_Single_Instance.yaml
https://github.com/cloudtools/troposphere