General Questions

What is a X forwarded for header?

• Identify the originating IP address of a client through a load balancer.
• If you need the IPV four address of your end, user, look for the X forwarded for header.

What is an OSI model

• A conceptual framework which describes the functions of a network.
• Beginning with the Application layer which directly serves the end, user, down to physical layer.
• What the end user sees HTTP, web browsers.
• Different layers of the model are as follows.
• Presentation layer
• Data is in a usable format, encryption, SSH.
• Session Layer
• Maintains connections and sessions.
• Transport layer
• Transmits data using TCP and UDP.
• Network layer
• Logically routs packets based on IP address.
• Data Link layer
• Physically transmits data based on MAC addresses.
• Physical layer
• Transmits bits and bytes over physical devices.

What is the difference between IOPS and throughput?

IOPS

• Measures the number of read and write operations per second.
• Important metrics for Quick transactions, low latency apps, transactional workloads.
• The ability to action reads and writes very quickly.
• Choose provisioned IOPS SSD(io1 or io2).

Throughput

• Measures the number of bits read or written by second(MB/s).
• Important metric for large data sets, large I/O sizes, complex queries.
• The ability to deal with large data sets.
• Choose throughput optimised HDD(st1).

Which of the following strategies does AWS use to deliver the promised levels of Dynamo DB performance?

DynamoDB makes use of parallel processing to achieve predictable performance. You visualise each partition as an independent DB server of fixed size. Each responsible for a defined block of data. In SQL terminology it is called sharding.

AWS DynamoDB delivers predictable performance brought on by the use of Solid State Drives, better known as SSDs.

How does AWS deliver high availability for DynamoDB?

Being automatically replicated across multiple AZs makes DynamoDB highly available.

What are the available AWS Support Plans?

Basic (included for all AWS customers), Developer, Business, and Enterprise are the available AWS Support Plans. Reference: Compare AWS Support Plans

What is the maximum Visibility Timeout of an SQS message in a FIFO queue?

12 hours

The visibility timeout controls how long a message is invisible in the queue while it is being worked on by a processing instance. This interval should not be confused with how long the message can remain in the queue.

Route 53, the AWS implementation of DNS, supports a number of Routing policies. Which are valid Policy types?

• Latency Routing Policy
• Failover Routing Policy
• Geoproximity Routing Policy
• Geolocation Routing Policy
• Simple Routing Policy

Route 53 provides an advanced level of service and sophistication going beyond the basic service of the normal DNS implementation.

Which database technologies are supported by RDS?

RDS supports the MariaDB, PostgreSQL, MySQL, SQLServer, Oracle, and Aurora database engines.

Which options are valid to protect your Amazon S3 data at rest using server-side encryption?

When you use Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3), each object is encrypted with a unique key. As an additional safeguard, it encrypts the key itself with a master key that it regularly rotates. Amazon S3 server-side encryption uses one of the strongest block ciphers available, 256-bit Advanced Encryption Standard (AES-256), to encrypt your data. For more information, see Protecting data using server-side encryption with Amazon S3-managed encryption keys (SSE-S3).

With Server-Side Encryption with Customer-Provided Keys (SSE-C), you manage the encryption keys and Amazon S3 manages the encryption, as it writes to disks, and decryption, when you access your objects. For more information, see Protecting data using server-side encryption with customer-provided encryption keys (SSE-C).

Server-Side Encryption with Customer Master Keys (CMKs) Stored in AWS Key Management Service (SSE-KMS) is similar to SSE-S3, but with some additional benefits and charges for using this service. There are separate permissions for the use of a CMK that provides added protection against unauthorized access of your objects in Amazon S3. SSE-KMS also provides you with an audit trail that shows when your CMK was used and by whom. Additionally, you can create and manage customer managed CMKs or use AWS managed CMKs that are unique to you, your service, and your Region. For more information, see Protecting Data Using Server-Side Encryption with CMKs Stored in AWS Key Management Service (SSE-KMS).

When editing Amazon S3 bucket permissions (policies and ACLs), to whom does the concept of the "resource owner" refer?

The "resource owner" concept comes into play especially when setting or locking down access to various objects. Reference: Amazon S3 bucket and object ownership

What is true about Amazon S3 URLs for accessing a bucket?

Path-Style URLs will be eventually deprecated. Virtual-host-style URLs are strongly recommended.
Reference: Amazon S3 Path Deprecation Plan – The Rest of the Story.

Both virtual-host-style and Path-Style URLs are supported, but path-style URLs will be eventually deprecated in favor of virtual hosted-style URLs for S3 bucket access. DNS compliant names are also recommended.
Reference: Virtual hosting of buckets.

Both Virtual-host-Style and Path-Style URLs are supported, but path-style URLs will be eventually deprecated in favor of virtual hosted-style URLs for S3 bucket access. DNS compliant names are also recommended.
Reference: Virtual hosting of buckets.

Which of the following AWS services allow native encryption of data, while at rest?

EBS, S3 and EFS all allow the user to configure encryption at rest using either the AWS Key Management Service (KMS) or, in some cases, using customer provided keys. The exception on the list is Elasticache for Memcached which does not offer a native encryption service, although Elasticache for Redis does.

When using a Dedicated Instance, which of the following tenancy attributes are you able to transition between by stopping the instance and starting it again?

Dedicated & Host

The tenancy of an instance can only be changed between variants of ‘dedicated' tenancy hosting. It cannot be changed from or to default tenancy hosting. Dedicated Instances.

Which of the following Amazon S3 Storage Classes offer 99.999999999% (11 x 9s) durability?

Currently the S3 Classes are; Standard, Standard-Infrequent Access, One Zone-Infrequent Access, Reduced Redundancy Storage and for archive, Glacier & Glacier Deep Archive. Reduced Redundancy Storage is the only S3 Class that does not offer 99.999999999% durability and therefore any of the answers that contain Reduced Redundancy Storage cannot be correct.

When it comes to Security Groups within a custom VPC, which statements are correct?

Security Groups are stateful and updates are applied immediately.

By definition, a public subnet within a VPC is one that?

Has at least one route in its routing table that uses an Internet Gateway (IGW).

Which of the Special features only relate to Spread Placement Groups?

Spread placement groups have a specific limitation that you can only have a maximum of 7 running instances per Availability Zone and therefore this is the only correct option. Deploying instances in a single Availability Zone is unique to Cluster Placement Groups only and therefore is not correct. The other two remaining options are common to all placement group types and so are not specific to Spread Placement Groups.

Which of the following are valid Route 53 routing policies?

Route 53 has the following routing policies - Simple, Weighted, Latency, Failover, Multivalue answer, Geoproximity. and Geolocation

You successfully configure VPC Peering between VPC A and VPC B. You then establish an IGW and a Direct Connect connection in VPC B. Can instances in VPC A connect to your corporate office via the Direct Connect service, and connect to the Internet via the IGW?

VPC peering only routes traffic between source and destination VPCs. VPC peering does not support edge to edge routing. Reference: Unsupported VPC peering configurations.

You have provisioned a custom VPC with a subnet that has a CIDR block of 10.0.3.0/28 address range. Inside this subnet, you have 2 web servers, 2 application servers, 2 database servers, and a NAT. You have configured an Autoscaling group on the two web servers to automatically scale when the CPU utilization goes above 90%. Several days later you notice that autoscaling is no longer deploying new instances into the subnet, despite the CPU utilization of all web servers being at 100%. Which of the following answers may offer an explanation?

A /28 subnet will only have 16 addresses available. AWS reserve both the first four and last IP addresses in each subnet’s CIDR block. It is likely that your autoscaling group has provisioned too many EC2 instances and you have run out of internal private IP addresses.

You're building out a single-region application in us-west-2. However, disaster recovery is a strong consideration, and you need to build the application so that if us-west-2 becomes unavailable, you can fail-over to us-west-1. Your application relies exclusively on pre-built AMI's, and has specific launch permissions, custom tags, and security group rules. In order to run your application leveraging those AMI's in your backup region, which process would you follow?

Copy the AMI from us-west-2 to us-west-1. After the copy operation is complete, apply launch permissions, user-defined tags, and security group configurations.

AWS does not copy launch permissions, user-defined tags, or security group rules from the source AMI to the new AMI. After the copy operation is complete, you can apply launch permissions, user-defined tags, and security group configurations to the new AMI.

What is the maximum response time for a Business Level 'production down' Support Case?

The business support plan has a maximum response time of < 1 hour for "production system down" cases.