Following topics are exam questions collected through Internet and should be evaluated as so. Answers are mine and have been checked with answers collected through the internet, but might still be wrong.
Scenario about Load balancing (ELB)
A startup s photo-sharing site is deployed in a VPC. An ELB distributes web traffic across two subnets. ELB session stickiness is configured to use the AWS-generated session cookie, with a session TTL of 5 minutes. The webserver Auto Scaling Group is configured as: min-size=4, max-size=4. The startups preparing for a public launch, by running load-testing software installed on a single EC2 instance running in us-west-2a. After 60 minutes of load-testing, the webserver logs show:Which recommendations can help ensure load-testing HTTP requests are evenly distributed across the four webservers? Choose 2 answers.
A. Re-configure the load-testing software to re-resolve DNS for each web request.
B. Use a 3rd-party load-testing service which offers globally-distributed test clients.
C. Configure ELB and Auto Scaling to distribute across us-west-2a and us-west-2c.
D. Configure ELB session stickiness to use the app-specific session cookie.
E. Launch and run the load-tester EC2 instance from us-east-1 instead.
Why?
https://aws.amazon.com/articles/1636185810492479
“If you do not ensure that DNS is re-resolved or use multiple test clients to simulate increased load, the test may continue to hit a single IP address when Elastic Load Balancing has actually allocated many more IP addresses. Because your end users will not all be resolving to that single IP address, your test will not be a realistic sampling of real-world behaviour.”
Load Testing with Session Affinity
If your configuration leverages session affinity, then it is important for the load generator to use multiple clients, so that Elastic Load Balancing can behave as it would in the real world. If you do not make these adjustments, then Elastic Load Balancing will always send requests to the same back-end servers, potentially overwhelming the back-end servers well before Elastic Load Balancing has to scale to meet the load. To test in this scenario, you will need to use a load testing solution that uses multiple clients to generate the load.
Securing data at rest on EBS volumes
How can you secure data at rest on an EBS volume?
A. Write the data randomly instead of sequentially.
B. Use an encrypted file system on top of the EBS volume.
C. Encrypt the volume using the S3 server-side encryption service.
D. Create an IAM policy that restricts read and write access to the volume.
E. Attach the volume to an instance using EC2’s SSL interface.
B. Use an encrypted file system on top of the EBS volume.
C. Encrypt the volume using the S3 server-side encryption service.
D. Create an IAM policy that restricts read and write access to the volume.
E. Attach the volume to an instance using EC2’s SSL interface.
Why?
"Another option would be to use file system-level encryption, which works by stacking an encrypted file system on top of an existing file system"
EBS vs Instance-store
What is one key difference between an Amazon EBS-backed and an instance-store backed instance?
A. Virtual Private Cloud requires EBS backed instances
B. Amazon EBS-backed instances can be stopped and restarted
C. Auto scaling requires using Amazon EBS-backed instances.
D. Instance-store backed instances can be stopped and restarted.
Why?
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ComponentsAMIs.html
Storage for the Root Device, Stopped state
Instance store: Cannot be in stopped state; instances are running or terminated vs
EBS-Backed: Can be placed in stopped state where instance is not running, but the root volume is persisted in Amazon EBSService identification
Which of the following services are key/value stores? Choose 3 answersA. Amazon ElastiCache
B. Simple Notification Service
C. DynamoDB
D. Simple Workflow Service
E. Simple Storage Service
Why? SNS is sending messages and SWF is meant for tasks
NAT instances
After launching an instance that you intend to serve as a NAT (Network Address Translation) device in a public subnet you modify your route tables to have the NAT device be the target of internet bound traffic of your private subnet. When you try and make an outbound connection to the Internet from an instance in the private subnet, you are not successful. Which of the following steps could resolve the issue?A.Attaching a second Elastic Network interface (ENI) to the NAT instance, and placing it in the private subnet
B. Attaching an Elastic IP address to the instance in the private subnet
C. Attaching a second Elastic Network Interface (ENI) to the instance in the private subnet, and placing it in the public subnet
D. Disabling the Source/Destination Check attribute on the NAT instance
Why?
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_NAT_Instance.html
Each EC2 instance performs source/destination checks by default. This means that the instance must be the source or destination of any traffic it sends or receives. However, a NAT instance must be able to send and receive traffic when the source or destination is not itself. Therefore, you must disable source/destination checks on the NAT instance.
AWS free tools
Which of the following services are included at no additional cost with the use of the AWS
platform? Choose 2 answers
A. CloudFormation
B. Simple Workflow Service
C. Elastic Load Balancing
D. Elastic Compute Cloud
E. Simple Storage Service
F. Auto Scaling
Why? Auto Scaling and CloudFormation are not resources. They are tools to create resources.
Instance Metadata
How can software determine the public and private IP addresses of the Amazon EC2 instance that it is running on?
A. Query the appropriate Amazon CloudWatch metric.
B. Use ipconfig or ifconfig command.
C. Query the local instance userdata.
D. Query the local instance metadata.
Why?
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html
To view all categories of instance metadata from within a running instance, use the following URL:
http://169.254.169.254/latest/meta-data/
Amazon VPC problem solving
You have an environment that consists of a public subnet using Amazon VPC and 3 instances that are running in this subnet. These three instances can successfully communicate with other hosts on the Internet. You launch a fourth instance in the same subnet, using the same AMI and security group configuration you used for the others, but find that this instance cannot be accessed from the Internet. What should you do to enable internet access?
A. Deploy a NAT instance into the public subnet.
B. Modify the routing table for the public subnet
C. Configure a publically routable IP Address In the host OS of the fourth instance.
D. Assign an Elastic IP address to the fourth instance.
Why?
Ruling out
A. NAT would not solve anything.
B. Routing already works for other instances
C. This not how you add IP address to instance
SWF
Which of the following statements about SWF are true? Choose 3 answers
A. SWF uses deciders and workers to complete tasks
B. SWF requires at least 1 EC2 instance per domain
C. SWF triggers SNS notifications on task assignment
D. SWF requires an S3 bucket for workflow storage
E. SWF tasks are assigned once and never duplicated
F. SWF workflow executions can last up to a year
Why?
A. http://docs.aws.amazon.com/amazonswf/latest/developerguide/swf-dg-intro-to-swf.html
An activity worker is a program that receives activity tasks, performs them, and provides results back.
The coordination logic in a workflow is contained in a software program called a decider. The decider schedules activity tasks, provides input data to the activity workers, processes events that arrive while the workflow is in progress, and ultimately ends (or closes) the workflow when the objective has been completed.
E. http://docs.aws.amazon.com/amazonswf/latest/developerguide/swf-dev-task-lists.html
A task is always scheduled on only one task list; tasks are not shared across lists.
F. http://docs.aws.amazon.com/amazonswf/latest/developerguide/swf-dg-limits.html
Maximum workflow execution time – 1 year
Responsibilities
In AWS, which security aspects are the customer’s responsibility? Choose 4 answers
A. Decommissioning storage devices
B. Patch management on the EC2 instance’s operating system
C. Controlling physical access to compute resources
D. Security Group and ACL (Access Control List) settings
E. Life-cycle management of IAM credentials
F. Encryption of EBS (Elastic Block Storage) volumes
Why?
Decommissioning storage devices and controlling physical access to compute resources is not customer's responsibility as those are PHYSICAL assets
A. Decommissioning storage devices
B. Patch management on the EC2 instance’s operating system
C. Controlling physical access to compute resources
D. Security Group and ACL (Access Control List) settings
E. Life-cycle management of IAM credentials
F. Encryption of EBS (Elastic Block Storage) volumes
Why?
Decommissioning storage devices and controlling physical access to compute resources is not customer's responsibility as those are PHYSICAL assets
ElasticCache as Session state store
You have written an application that uses the Elastic Load Balancing service to spread traffic to several web servers. Your users complain that they are sometimes forced to login again in the middle of using your application, after they have already togged in. This is not behavior you have designed. What is a possible solution to prevent this happening?
A. Use instance memory to save session state.
B. Use instance storage to save session state.
C. Use EBS to save session state
D. Use ElastiCache to save session state.
E. Use Glacier to save session slate.
Why?
https://blogs.aws.amazon.com/net/post/TxMREMF0459SXT/ElastiCache-as-an-ASP-NET-Session-Store
ElastiCache is a web service that makes it easy to deploy, operate, and scale an in-memory cache in the cloud. ElastiCache supports both Memcached and Redis cache clusters. While either technology can store ASP.NET session state, Microsoft offers a provider for Redis, and I will focus on Redis here.
EC2 API calls
Which EC2 API call would you use to retrieve a list of Amazon Machine Images (AMIs)?
A. DescribeInstances
B. You cannot retrieve a list of AMIs as there are over 10,000 AMIs
C. GetAMls
D. DescribeImages
E. DescribeAMls
Why?
http://docs.aws.amazon.com/cli/latest/reference/ec2/describe-images.html
Describes one or more of the images (AMIs, AKIs, and ARIs) available to you. Images available to you include public images, private images that you own, and private images owned by other AWS accounts but for which you have explicit launch permissions.
Public AMI
EC2 instances are launched from Amazon Machine images (AMIS). A given public AMI can:
A. be used to launch EC2 Instances in any AWS region.
B. only be used to launch EC2 instances in the same country as the AMI is stored.
C. only be used to launch EC2 instances in the same AWS region as the AMI is stored.
D. only be used to launch EC2 instances in the same AWS availability zone as the AMI is stored
Why?
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-intro.html
AMIs are a regional resource. Therefore, sharing an AMI makes it available in that region. To make an AMI available in a different region, copy the AMI to the region and then share it. For more inforamation, see Copying an AMI.
LDAP federation
A corporate web application is deployed within an Amazon VPC, and is connected to the corporate data center via IPSec VPN. The application must authenticate against the on-premise LDAP server. Once authenticated, logged-in users can only access an S3 keyspace specific to the user. Which two approaches can satisfy the objectives? Choose 2 answers
A. The application authenticates against LDAP, and retrieves the name of an IAM role associated with the user. The application then calls the IAM Security Token Service to assume that IAM Role. The application can use the temporary credentials to access the appropriate S3 bucket.
B. Develop an identity broker which authenticates against IAM Security Token Service to assume an IAM Role to get temporary AWS security credentials. The application calls the identity broker to get AWS temporary security credentials with access to the appropriate S3 bucket.
C. The application authenticates against IAM Security Token Service using the LDAP credentials. The application uses those temporary AWS security credentials to access the appropriate S3 bucket.
D. The application authenticates against LDAP. The application then calls the IAM Security Service to login to IAM using the LDAP credentials. The application can use the IAM temporary credentials to access the appropriate S3 bucket.
E. Develop an identity broker which authenticates against LDAP, and then calls IAM Security Token Service to get IAM federated user credentials. The application calls the identity broker to get IAM federated user credentials with access to the appropriate S3 bucket.
Why?
Because the application must authenticate against LDAP
B – there are no LDAP authentication, so this is incorrect
C – you cannot authenticate with STS directly using LDAP
D – same, it’s using LDAP credentials to logon directly, cannot be done
No comments:
Post a Comment