This blog is for training to pass the Amazon Web Services Associate exam. Here are some details about the exam.
1. The pass mark varies depending on how many people are passing, it was at 65 % however it can go up or down. I have heard anecdotely it is currently between 66 - 68% to pass.
2. It is broken down into the following areas:
1.0 Designing highly available, cost efficient, fault tolerant, scalable systems : 60%
2.0 Implementation/Deployment: 10%
3.0 Security: 20%
4.0 Troubleshooting: 10%
3. The sample questions poorly reflect the questions in the exam itself. The questions are much harder than the sample questions.
I had the following question topics in the exam:
AES 256 bit encryption. SSE that transparently handles encryption and decryption. encryption is set in header and files are encrypted with a key then that key is ecrypted with a master key when you put an item. When you get an item its automatically decrypted AWS put decrypt in he header for you automatically.
2. Route 53 - CNAME, Alias, Hosted Zones
CNAME - Used to re-direct one name to another name, cannot be on the apex.
Alias - Used to send to ELB, S3 static website. Can be used on the apex. E.g. example.com -> elb.aws.amazon.com.
Hosted Zones - Start with a Start of Authroity record which specifies wich NS, MX, CNAME, Alias, A, AAAA records are available.
3. Manage resources and allocate billing
Paying account and linked accounts, can have a total of 20 linked accounts. Paying account never has access to resources of linked accounts and cant do anything in the console. Just takes care of billing.
4. Direct Connect - How to connect multiple office branches
Direct connect provides better consistency than site to site vpn and faster network throughput. It provides a way to use AWS direct connect services without using the internet. Traffic is delivered through a private network. In some cases it can reduce costs and improve bandwith and provide a better network experience.
5. Dynamo DB - Latency, Performance, connection to EC2 (User or roles?)
Single digit millisecond latency at any scale.
Replicated across 3 AZs. Eventual consistent reads for the best read performance (usually reached within a second) or strongly consistent reads, not the same performance but more or less guarantee that everyone will always have the same copy of the data.
Write and reads can handle one write or read per second. Need to divide by 24/60/60 to get requests per seconds. E.g. 1 million would be 1000000 / 20 /60 /60 = 11.6 requests per second.
A Bastion host is an unprotected server typically in the DMZ that has a specific task in mind and disables all other tasks. It has been configured to withstand attacks. It requires you to be able to SSH or RDP into it.
8. S3 backed AMI for EC2 instances
Instance store not EBS. All parts of AMI are stored in S3, EBS boots faster as it only loads what it needs to boot, instance store takes longer to boot but it runs faster for a short period of time while EBS retrieves the rest of the AMI.
9. CloudFront template settings
Only type is required. Rest are optional.
10. Which services have data encrypted at rest
11. Choose between RDS/S3/EBS/Instance store
RDS - Long term store, make sure to disable delete root device, all other devices are saved on terminate.
Instance store - Ephemeral storage, you can reboot but you cannot stop/terminate. Everything gets deleted.
S3 - Used for static content. Puts of up to 100/second and gets of up to 300/second. Contact AWS if expecting more.
You can peer VPCs, up to 5, if you peer a and b, then b and c, a cannot access c. Must be given permission to join. Can be revoked on either side at any time. Instances behave as if they wre in a single network you can access private ips. You can only pair VPCs within a single region (Ireland) but across multi azs.
13. AD integration - Simple AD?
Two types of AD, AD Connector which connects to your On Prem Ad and Simple AD which lets you configure some options in he AWS console, this is limited compared with AD Connector.
14. Linux SSH UDP or TCP?
SSH is over TCP but you can encapsulate UDP protocols in TCP. TCP is like a telephone call (direct), UDP is like the post office (you send packets out and specify where they should go).
15. Link between S3 and EBS
Store AMI and Snapshots on on S3.
16. Take Snapshots from Ec2, what is the lifecycle? Stop instance, backup etc etc.
Stop the instance, unmount (linux), create the snapshot, restart instance.
17. What happens to EBS backed instance when it’s terminated?
IF it is the root volume and has terminate enabled then the root will be deleted but all subsequent drives will be kept. If you disable terminate then the root volume will be kept.
18. IAM user roles and policies (Whats the difference and when would you use each? Access to Dynamo DB
You create a user. Roles let you create users and assign resources, A group lets you add users under one shared permissions model.
19. Increased latency between applications, deal with Peak usage.
20. Restrict access to S3 bucket, difference between roles, policies and users
Bucket policies & Bucket access control list
21. Can you migrate EBS volume to new AZ, how and when?
Yes, EBS snapshot copy or stop instance, take snapshot and deploy to new az.
22. What happens when you take a snapshot of EBS, whats the process?
Stop instance, wait until stopped, take snapshot, wait until taken, start instance.
23. Reserved/On Demand/Instance when would you use each? There is an application that runs at night for a lot of data, whats the most cost efficient option? Autoscaling?
http://stackoverflow.com/questions/25278901/s3-hos...
https://forums.aws.amazon.com/message.jspa?message...
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide...
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide...
Study White papers and FAQ
25 You have a VPC that is built in a single region and it currently makes use of 2 availability zones. In this VPC you have deployed a very important two-tier web application.Your web application uses using Elastic Load Balancing and Auto Scaling. The application depends on synchronous replication (which requires a very low latency connectivity) to the database. The application needs to remain fully available even if one application Availability Zone goes down, and Auto Scaling cannot launch new instances in the remaining Availability Zones. How can the current architecture be enhanced to ensure this?
A. Deploy your web application into three AZ's. Set your Auto Scaling policy minimum to handle 50 percent peak load per zone.Correct. In this scenario if you lost an availability zone, you would still have 2 other Availability Zones available each that is configured to handle 50% peak load per zone. 50% + 50% = 100%.
26. You receive a Spot Instance at a bid of $0.05/hr. After 30 minutes, the Spot Price increases to $0.06/hr and your spot Instance is terminated by AWS. What was the total EC2 compute cost of running your Spot Instance?A. $0.00B. $0.02C $0.03D. $0.05E. $0.06
If AWS terminates the spot instance then they dont charge you so A is the answer.
27. In reviewing the Auto Scaling events for your application you notice that your application is scalling up and down multiple times in the same hour. What design choice could you make to optimize for cost while preserving elasticity?
A. Modify the Amazon CloudWatch alarm period that triggers your Auto Scaling scale down policy.
B. Modify the Auto Scalling group termination policy to terminate the newest instance first.
C. Modify the Auto Scalling group cool-down timers.
D. Modify the Auto Scaling policy to use scheduled scalling actions.
E. Modify the Auto Scalling group termination policy to terminate the oldest instance first.
28. You are deploying an application on Amazon Elastic Cloud Compute (EC2) that must call AWS APIs. What method of securely passing credentials to the application should you use?A. Use AWS Identity and Access Management roles for EC2 instances.B. Pass API credentials to the instance using instance userdata.C. Store API credentials as an object in Amazon Simple Storage Service.D. Embed the API credentials into your JAR files.
Answer is A, use identity and access management roles for EC2 Instances.
29. What type of advise will AWS Trusted Advisor suggest?
Should be Cost optimization, Fault Tolerant, Performance & Security.
30. API Call returns human unreadable message, what can be used to decoded the message.
32. Autoscaling (Several questions on this)
36. Multi AZ architecture
read the FAQs for VPC, Direct Connect, IAM, RDS and EC2
-Couple of questions on SWF and SNS.
-Active Directory what is needed to setup in AWS for accessing AWS resources.
- Two scenarios questions on using ALIAS in VPC
- questions on encryption, at rest, Natively
- Two questions on consolidated account and monitoring.
- High availability and Scaling scenarios.
37. An instance is launched into a VPC subnet with the network ACL configured to allow all inbound traffic and deny all outbound traffic.
The instance’s security group is configured to allow SSH from any IP address and deny all outbound traffic. What changes need to be made to allow SSH access to the instance?
The outbound security group needs to be modified to allow outbound traffic.
The outbound network ACL needs to be modified to allow outbound traffic.
Nothing, it can be accessed from any IP address using SSH.
Both the outbound security group and outbound network ACL need to be modified to allow outbound traffic.
Answer is 2, secdurity groups are stateful which means they return traffic automatically, network ACLs are stateless which means they need to explicitly allow outbound traffic.
2087
dededos
dailybridgerton
janainaart
kaledo-art
snowghoul
kianamaiart
vaporwave