AWS Certified SysOps Administrator Notes

Monitoring for availability and performance

  1. What best describes burstable performance for t2.micro instances?
    • Burstable performance gives you a baseline and CPU credits that allow you to burst above this baseline if needed.
  2. Which of the following metrics do not get automatically reported to Amazon CloudWatch from Amazon EC2?
    • The amount of memory being used
    • The amount of swap space used
    • How much disk space is available
  3. You currently have Nginx webservers on EC2 instances which receive requests from your ELB.  Those Nginx webservers return results from your PHP application.  This application connects to an RDS database instance to read and write data.  However, a few months ago, you realize that ElastiCache with Redis caching engine could reduce the load on your RDS database by caching some of the popular data.  Fast-forward to today, and your ElastiCache Redis cluster is under a lot of load and needs to scale.  Which of these is the best way to scale your cluster?
    • If the load is read-heavy, scale by adding read replicas to your cache cluster.  If the load is write-heavy, scale vertically by increasing the node size.
  4. What are the two different kinds of status checks when it comes to Amazon EC2 instances?
    • System status check
    • Instance status check
  5. Which of these are true when it comes to the differences between EBS-backed storage and SSD-backed instance store?
    • SSD-backed instance store is usually faster because it is physically attached to the host computer, while EBS volumes transfer data over the network, which adds latency.
    • SSD-backed instance store is ephemeral, while EBS-backed storage is persistent.

Monitoring and Metrics

  1. One of your instances is not responding.  After investigation you see that the instance's system status check indicates a problem.  What would be the best method for attempting to fix a failing system status check?
    • Stop and then restart the instance so it can be launched on a new host.
  2. You’ve been tasked with optimizing costs in your company's AWS environment.  After logging in, you discover that there are 3 unused Elastic IP addresses, 6 RDS instances that have not had a DB connection for over 7 days, 5 instances that are running at an average CPU utilization of <5%, and one EC2 instance running at 80% utilization.  Your company has not purchased any reserved instances but is highly concerned over AWS costs.  As a SysOps administrator you know that you can easily help reduce costs and make the company happy again.  Select all of the statements below that you might do in order to optimize costs quickly.
    • Remove all unassigned Elastic IP addresses and create snapshots of all unused EBS volumes and terminate the volumes
    • Reduce instance size for underutilized instances or combine the instances and terminate the unused
    • Create a snapshot of RDS instances that have 0 DB connections after 7 days and terminate the RDS instances
      • Cost optimization includes the process of terminating or stopping unused resources such as idle Elastic Load Balancers that do not have any backing instances, removing unassociated Elastic IP Addresses, resizing instances, and purchasing reserved instances.  There are many more ways of optimizing costs.
  3. In order to monitor operating system-level metrics such as disk usage, swap usage, and memory usage, you must install EC2 monitoring scripts.  These scripts put custom metric data into Amazon CloudWatch.  What do you need to do in order to give the instance permissions to put those custom metrics in CloudWatch?
    • Assign a role to the EC2 instance which will be sending custom metrics to CloudWatch.
      • The question asks what is required to give the instance permission to put metric data into CloudWatch.  In order for an instance to have this permission, you would need to assign a role to the EC2 instance.  The role needs to have permissions to “put” data into Amazon CloudWatch.
  4. You’ve created a CloudWatch alarm to monitor ElastiCache evictions.  The CloudWatch alarm begins to alert you that the number of evictions has surpassed your application's requirements.  How might you go about resolving the high eviction amount issue?
    • Increase the size of the ElastiCache instance
    • Add another node to the ElastiCache cluster
      • Increased evictions generally means there is a low amount of free memory in order to cache new information.  Evictions mean that the caching engine must remove old data to make room for new data.  In order to resolve this issue you will need to increase capacity or add nodes to the caching cluster.
  5. It is TRUE that AWS allows billing metrics across all consolidated billing accounts from the payer account.

Scalability & Elasticity

  1. Your organization is running an application on EC2 instances which transfers large amounts of data to their respective EBS volumes.  You’ve noticed that the data being transferred from some instances is exceeding bandwidth capacity which is causing performance issues.  Which of these solutions would help the most?
    • Change the instance size and type.  Bandwidth capacity is dependent upon the instance size and the instance type.
    • Change to an EBS-optimized instance type and enable EBS optimization if it is not already enabled.
  2. Your current application architecture is not scalable.  You’re running one large EC2 instance for your application, webserver, and database.  Whenever that instance has an issue or receives more traffic than it can handle, your users are unable to access your e-commerce platform, which is costing thousands of dollars each time there is an outage.  So, to solve this, you break apart the database and setup Amazon RDS.  You then configure Auto Scaling for your backend instances with an Elastic Load Balancer to distribute the load, and you soon realize that users are constantly losing their sessions and shopping cart information while browsing your e-commerce website.  What is causing the issue and how can you solve the problem?
    • You realize that each time a page loads (and a request is sent), the ELB sends the request to a different backend instance, and since sessions are stored on each instance, the user gets logged out and loses their session.  You fix the issue by storing the session information in ElastiCache since this gives us a central location for the application to get and set sessions.
      • Setting this up with ElastiCache is the best option, because that way we can still spread the load evenly across backend instances without losing session data, and we also don’t put a lot more load on our RDS database.  Storing session data and retrieving it from the database is usually not recommended.  Setting up ELB stickiness would not evenly distribute the load, and so it is best to avoid it if we have other options.
  3. You just joined an established company and are in charge of finding ways to optimize costs without compromising performance or causing downtime.  You notice that the company is using Auto Scaling to keep a minimum amount of instances running at all times, while also providing the possibility to add more instances if the ELB latency metric increases over a period of 1 minute.  At that point, the Auto Scaling group will add 2 more instances in order to ensure that there are plenty of extra resources to handle more load.  This is great, but it is not optimized for cost yet.  What can you do to reduce costs without losing elasticity or causing downtime?
    • Purchase reserved instances for the minimum amount of instances and then use on-demand instances for instances launched by Auto Scaling beyond the minimum requirement.
      • This is the best option to both meet the requirements (elasticity and no downtime) and also to lower costs over time.

More Notes

  1. You have an Amazon VPC that has a private and public subnet in which you have a NAT instance server.  You have created a group of EC2 instances that configure themselves at startup by downloading a bootstrapping script from S3 that deploys an application via Git.  Which one of the following setups would give us the highest level of security?
    • EC2 instances in our private subnet
    • No EIPs
    • Route outgoing traffic via the NAT
      • EC2 instances in this example do not need to be in the public subnet, because the private subnet has access to resources in the public subnet, and therefore can access the NAT instance.  That way we can make sure those EC2 instances are hidden from public access.
  2. How might you assign permissions to an EC2 instance so that the EC2 custom CloudWatch metric scripts can send the required data to Amazon CloudWatch?
    • Assign an IAM role to the EC2 instance at creation time with permissions to write to CloudWatch
  3. In your LAMP application, you have some developers that say they would like access to your logs.  However, since you are using an AWS AutoScaling group, your instances are constantly being re-created.  What would you do to make sure that these developers can access these log files?
    • Set up a central logging server that you can use to archive your logs; archive these logs to an S3 bucket for developer access.
  4. It is TRUE that in order for reserved instances to reduce the cost of running instances, those instances must match the exact specifications of the reserved instance including: Region, Availability Zone, and instance type.
  5. You notice that several of your AWS environment’s CloudWatch metrics consistently have a value of zero.  Which of these are you most likely to be concerned about and take action?
    • RDS DatabaseConnections
      • Zero connections to a database for a long period of time may mean you are paying for a database that is not in use.  If you cannot find anyone with a legitimate use case for the database, you may want to consider taking a snapshot of it and terminating it.  Zero is an ideal value for the other metrics listed.
  6. You have enabled a CloudWatch metric on your Redis ElastiCache cluster, and your alarm is triggered due to an increased number of evictions.  How might you go about solving the increased eviction errors from the ElastiCache cluster?
    • Increase the size of your node
  7. You have created an application that utilizes AutoScaling behind an Elastic Load Balancer.  You notice that users’ sessions are not evenly distributed on the newly spun up instances.  What could be a reason that your users’ web sessions are stuck on one instance and not using others?
    • Your ELB is sending all the sessions to the old instance and not evenly sending sessions to all new instances that are spun up during AutoScaling because of sticky sessions.
      • If sticky sessions are enabled on the Elastic Load Balancer, then the load balancer will “remember” which instance a request was sent to and will continue to send that request to the same instance.
  8. Your supervisor sends you a list of several processes in your AWS environment that she would like you to automate via scripts.  Which of the following list items should you set as the highest priority?
    • Implement CloudWatch alerts for EC2 instances memory usage.
  9. It is FALSE that in a Network ACL an explicit Deny always overrides an explicit Allow.
  10. A colleague noticed that CloudWatch was reporting that there has not been any connections to one of your MySQL databases for several months.  You decide to terminate the database.  Two months after the database was terminated, you get a call from a very upset user who needs information from that database to run end-of-year reports.  What can you do?
    • If you took a manual snapshot of the database, you can restore the database from that snapshot.
      • Manual snapshots persist even after a database is terminated.  There is not an expiration period for manual snapshots.  While automated backups do have a maximum retention period of 35 days, they are deleted at the time a database is terminated.
  11. You have decided to extend your onsite data center to Amazon Web Services by creating a VPC.  You already have multiple DNS servers on premises.  You are using these DNS servers to host DNS records for your internal applications.  You have a corporate security network policy that says that a DNS name for an internal application can only be resolved internally and never publicly over the internet.  Your existing on-premises data center is already connected to your VPC using an IPSec VPN.  You are deploying new applications within AWS that need to be resolved by name.  How might you set up the scalable DNS architecture?
    • Create a DNS option set that includes both the DHCP options with domain-nameservers=AmazonProvidedDNS and your internal DNS servers.
  12. Which of the following would you be likely to schedule during a maintenance window (rather than during business hours) when working in a Multi-AZ RDS environment?
    • All of these.
      • While patches and upgrades can be performed with minimal downtime in a Multi-AZ environment, any work that requires a failover of the database or functional changes to the database or underlying OS can still impact connectivity and should be performed during a maintenance window.
  13. Your application in AWS needs to authenticate against LDAP credentials that are in your on-premises data center.  You need low latency between the AWS app authenticating and your credentials.  How can you achieve this?
    • If you don’t already have a secure tunnel, create a VPN between your on-premises data center and AWS.  You can then spin up a secondary LDAP server that replicates from the on-premises LDAP server.
  14. You manage a technology blog website on EC2 instances in an AutoScaling group behind an Elastic Load Balancer.  Traffic volume to the site is consistently low, except during several weeks of the year when major technology conferences are occurring, when traffic increases 300 percent.  What is the least advisable way to manage this environment?
    • Upgrade the reserved instances that handle the typical load for the website to larger reserved instances during technology conference weeks.
      • Upgrading the size of reserved instances means you incur a cost to reserve resources for the entire period of the reservation, which, at a minimum of one year, is much more commitment than is needed for a few week-long conferences.  It’s better to keep the reserved instances sized properly to handle the typical load and use on-demand instances to handle the spikes.
  15. Best practice is to pre-warm:
    • EBS volumes newly created from snapshots.  Pre-warm by accessing each block once.
  16. You are running an application on an EC2 instance that needs access to stored images on Amazon S3.  What would be the best practice for allowing API access from the EC2 instance to Amazon S3?
    • Launch the EC2 instances using AWS IAM roles that restrict API access for the instance.
      • When available, it is best practice to use IAM roles for communicating with the AWS API.  You should never store API credentials on an AMI.  If roles are unavailable, your next best option would be to pass the API credentials to the instance at runtime.
  17. You manage a popular blog website on EC2 instances in an AutoScaling group.  You notice that between 8:00am – 8:00pm, you see a 50% increase in traffic to your website.  In addition, there are occasional random 1 to 2 hour spikes in traffic and some users are seeing timeouts when trying to load the index page during those spikes.  What is the least cost-effective way to manage this AutoScaling group?
    • Use reserved instances for the instances needed to handle the load during traffic spikes.
      • Reserved instances become cost-effective when they are in use for greater than 30% of the time.  Using reserved instances to handle spikes in traffic would not be cost effective.
  18. What AWS services give you access to the underlying operating system?
    • EC2
    • Amazon EMR
    • Elastic Beanstalk
  19. Which of the following statements are true?
    • You can customize your AWS deployments using the Ruby programming language with OpsWorks templates.
    • You can customize your AWS deployments using JSON templates in CloudFormation.
  20. You maintain an application on AWS to provide and test platforms for your developers.  Currently, both environments consist of an m1.small EC2 instance.  Your developers notice performance degradation as they increase network load in the test environment.  How would you mitigate these performance issues in the test environments?
    • Upgrade the m1.small to a larger instance type
  21. It is FALSE that if Multi-AZ is enabled and automated backups occur on your instance, your application will experience performance issues due to the increased I/O operations caused by the automated backup.
    • Automated backups are performed on the backup instance instead of the source database instance in order to avoid this performance degradation.
  22. Your company has decided to deploy a “Pilot Light” AWS environment to keep minimal resources in AWS with the intention of rapidly expanding the environment in the event of a disaster in your on-premises datacenter.  Which of the following services will you most likely not make use of?
    • A Gateway-Cached implementation of storage gateway for storing snapshot copies of on-premises data.
      • A Gateway-Cached implementation of Storage Gateway stores all of your data in AWS and caches your frequently-accessed data on premises.  Keeping all data in AWS is not a minimal AWS implementation.  A Gateway-Stored implementation of Storage Gateway would be preferred for a “Pilot Light” AWS environment, as it would allow you to retain your data on-premises but take snapshot copies of the data to AWS, so it could be accessed in the event of an on-premises disaster.
  23. Your company is being audited by a third party auditing service; they have asked you for details about the physical network and virtualization infrastructure.  What do you tell them?
    • You go tell your AWS rep and AWS will give that information to the third party in charge of doing your audit.
  24. You manage a social media website on EC2 instances in an AutoScaling group.  You have configured your AutoScaling group to deploy one new EC2 instance when CPU utilization is greater than 90% for 3 consecutive periods of 10 minutes.  You notice that between 6pm and 10pm every night, you see a gradual increase in traffic to your website.  Although AutoScaling launches several new instances every night, some users complain they are seeing timeouts when trying to load the index page during those hours.  What is the least cost-effective way to resolve this problem?
    • Increase the minimum number of instances to the AutoScaling group.
  25. Which of the below setups would need a custom CloudWatch metric in order to be able to monitor it?
    • Disk usage percentage of an Elastic Block Store volume
  26. What is the result of the following bucket policy? {"Statement":[{"Sid":"SID1", "Effect": "Allow", "Principal": {"AWS":"*"}, "Action":"s3:*", "Resource":"arn:aws:s3:::mybucket/*", "Condition":{"IpAddress":{"aws:SourceIp":"50.97.0.0/32"}}}]}
    • It will deny all access to the S3 mybucket bucket except for requests coming from the IP 50.97.0.0
  27. What happens during a failover process in a Multi-AZ deployment with AWS RDS instance?
    • The DNS record of the DB instance changes from the primary to the standby DB instance.
      • The Multi-AZ failover process does not require any action from the SysOps admin.  The DNS on the backend of AWS will change from the primary to the secondary instance.  This occurs during time periods such as DB failures and DB updates by AWS.
  28. Your company is setting up an application that is used to share files.  Because these files are important to the sales team, the application must be highly available.  Which AWS-specific storage option would you set up for low cost, reliability, and security?
    • Use Amazon S3, which can be accessed by end-users with signed URLs.
  29. When managing our VPC in an AWS region, we want to give other teams access to create their own instances and modify the security groups inside subnets dedicated to their teams.  We have to make sure the development team can NOT do anything in their subnets that could allow their instances to impact production instances in the production subnets.  What can we do to separate out our VPC so that instances that the dev team can access can never interfere or interact with the ones within our production?
    • We can create NACLs that restrict which subnets can talk to each other
  30. What item, when attached to a subnet, will allow the internal subnet to communicate to external networks?
    • Internet Gateway (IGW)
    • Virtual Private Gateway (VPG)
  31. We are preparing for our regularly scheduled security assessment.  What two configuration management practices should our organization have implemented?
    • Determine that our remote administrative access is performed securely
    • Make sure that S3 bucket policies and ACLs correctly implement our security policies
  32. A successful systems administrator does not need to create a script for:
    • Automating backups of RDS databases
      • AWS offers automated backups of RDS, thus it is not a requirement to script the task.
  33. It is TRUE that when taking a snapshot of an EBS volume there can be a performance issue:  We might see a decrease in performance due to an increase in I/O operations.
  34. You are running an EC2 instance serving a website with an SSL certificate.  Your CPU utilization is constantly high.  How might you resolve this issue?
    • Offload the SSL cert from the EC2 instance and configure it on the Elastic Load Balancer.
  35. You configure a VPC with an Internet Gateway that has a private and public subnet, with each subnet in a different Availability Zone.  The VPC also has a dual-tunnel VPN between the Virtual Private Gateway and the router in the private data center.  You want to make sure that you do not have a potential single point of failure in this design.  What could you do to make sure you achieve this in the above environment?
    • You set up a secondary router in your private data center to establish another dual-tunnel VPN connection with your Virtual Private Gateway.
  36. You patch the operating system on an EC2 instance and issue a reboot command from inside the instance’s OS.  After disconnecting from the instance and waiting several minutes, you notice that you still cannot successfully ping the instance’s public IP address.  What is the most likely reason for this?
    • Changes made during OS patching caused a problem with the instance’s NIC driver.
  37. You want to run a web application in which application servers on EC2 instances are in an AutoScaling group spread across two Availability Zones.  After monitoring for six months, we notice that only one of our web servers is needed to handle our minimum load.  During our core utilization hours (8am-8pm M-F), five to six web servers are needed to handle the minimum load.  Four to five days a year, the number of web servers required can go up to 18 servers.  What choice would reduce our costs the most while providing the highest availability?
    • Five reserved instances (heavy utilization), the rest covered by on-demand instances.
      • Different levels of utilization for reserved instances (heavy, medium, light) have been phased out.  This might still show up on the exam, however, so it’s a good idea to be familiar with the concept.
  38. Assuming you have kept the default settings and are using the automated backup services provided by AWS, which of the following will retain automated backups?
    • None of these
      • Automated backups of RDS databases are deleted when an RDS instance is terminated.  Only manual snapshots of an RDS database remain after the RDS instance is terminated.  The same goes for EBS volumes, but on top of that, AWS does not offer an automated backup solution for volumes attached to EC2 instances.
  39. Which of the following services have automated backups?
    • RDS
    • Redshift
    • ElastiCache
  40. It is FALSE that Read Replicas can have Multi Availability Zone enabled.
  41. We have a web application that is using AutoScaling and an ELB.  We would like to monitor the application to make sure that it maintains a good quality of service for our customers, defined by the application’s page load time.  What metric within CloudWatch can we use for this?
    • The latency that is reported by the ELB
  42. Which feature can be used to restrict access to data in S3?
    • Create a CloudFront distribution for the bucket
    • Set an S3 bucket policy
    • Set an S3 ACL on the bucket or the object
  43. We have developed a mobile application that gets downloaded several hundred times a week.  What authentication method should we enable for the mobile clients to access images that are stored in an AWS S3 bucket that provides us with the highest flexibility and rotates credentials?
    • Identity Federation based on AWS STS using an AWS IAM policy for the respective S3 bucket.
  44. You see an increased load on an EC2 instance that is used as a web server.  You decide to place the server behind an Elastic Load Balancer and deploy an additional instance to help meet this increased demand.  You deploy the ELB, configure it to listen for traffic on port 80, bring up a second EC2 instance, move both instances behind the load balancer, and provide customers with the ELB’s URL – https://mywebapp-1234567890.us-west-2.elb.amazonaws.com.  You immediately begin receiving complaints that customers cannot connect to the web application via the ELB’s URL.  Why?
    • You specified https:// in the ELB’s URL but the ELB is not configured to listen on port 443
  45. In the shared responsibility model at AWS, what two options are you responsible for in the case of an audit?
    • The operating system’s administrators group
    • An application that you have running within AWS EC2
  46. You have been tasked with identifying an appropriate storage solution for a NoSQL database that requires random I/O reads of greater than 10,000 4kb IOPS.  Which EC2 option will meet this requirement?
    • EBS provisioned IOPS
    • EBS optimized instances
      • EBS volumes only allow you to provision up to 4,000kb IOPS per volume.  EBS optimized instances have greater IOPS and can go up to 16k.  Provisioned IOPS can also achieve 10,000 IOPS at 200GB.  Combining EBS optimized with PIOPS can give you reliable performance.
  47. For which of the following reasons would you not contact AWS?
    • Request consolidated billing for multiple AWS accounts owned by your company.
  48. Which of the following can be overridden at the EC2 instance level?
    • The choice to not use dedicated tenancy at the VPC level
    • An IAM policy explicitly allowing a user the right to terminate all EC2 instances.
      • The default option for a VPC is to not use dedicated tenancy, but that can be overridden at the instance level.  If the option to use dedicated tenancy is explicitly set at the VPC level, however, it cannot be overridden at the instance level.  Explicit denies in IAM policies always trump explicit allows, so a user who is allowed to terminate all EC2 instances in an account can be denied the permission to terminate a particular instance.
  49. Which of the following is a security best practice for an AWS environment?
    • Enable MFA on the root user for your AWS account
    • Use IAM users rather than the root user for administrative tasks
  50. What is the result of the following bucket policy? {"Statement":[{"Sid":"Sid2", "Action":"s3:*", "Effect": "Allow", "Resource":"arn:aws:s3:::mybucket/*", "Condition":{"s3:prefix": "finance_"}, "Principal": {"AWS":["*"]}}]}
    • It will allow all actions only against objects with the prefix finance_
  51. You manage EC2 instances in two different VPCs and you would like both VPCs to be able to easily communicate with each other.  You are considering using VPC peering.  Will this work?
    • Yes, as long as the VPCs are in the same region
    • Yes, as long as the VPCs' CIDR blocks don’t overlap
  52. You run a stateless web application with the following components: an Elastic Load Balancer, three Web/Application servers on EC2, and a MySQL RDS database with 5000 provisioned IOPS.  Average response time for users is increasing.  Looking at CloudWatch, you observe 95% CPU usage on the Web/Application servers and 20% CPU usage on the database.  The average number of database disk operations varies between 2000 and 2500.  How would you improve performance?
    • Choose a different EC2 instance type for the Web/Application servers with more appropriate CPU/Memory ratio
    • Use AutoScaling to add additional Web/Application servers based on CPU load threshold
  53. We need to run a business intelligence application against our production database.  This application requires near real time data from the database.  How might we configure our RDS setup so that our application does not increase I/O load against our production database?
    • Create a read replica from the production instance and point the application to the read replica
  54. Your RDS database is experiencing high levels of read requests during the business day and performance is slowing down.  You have already verified the source of the congestion is not from backups taking place during the business day, as automatic backups are not enabled.  Which of the following is the first step you can take toward resolving the issue?
    • Enable automated backups of the database
      • A read replica of the database cannot be created until automated backups are enabled.  Your first step should be to enable automated backups.  Once automated backups are enabled, you can proceed with creating a read replica of the database and offloading some client read requests to it.
  55. Which of the following will cause a noticeable performance impact on an RDS Multi-AZ deployment?
    • None of these
  56. Your company’s compliance department mandates that within your multi-national organization, all data for customers in the UK must never leave UK servers and networks.  Similarly, US data must never leave US servers and networks without explicit authorization first.  What do we have to do to comply with this requirement in our web based applications running on AWS in EC2?  The user has already set up a user profile that states their geographic location.
    • We can run EC2 instances in multiple regions, and leverage a data provider to determine whether a user should be redirected to the appropriate region based on that user’s profile.
  57. You have an Elastic Load Balancer with an AutoScaling group for your application.  You also have 4 running instances and you have AutoScaling enabled.  Some of those instances are running in one Availability Zone, and others are in a different Availability Zone.  Some instances within one of the zones are not available to the ELB.  What could be the cause?
    • The ELB isn’t configured for that Availability Zone.
  58. It is FALSE that AWS is solely responsible for the security on the guest operating system.
  59. Select all that apply:  Per the AWS Acceptable Use Policy, penetration testing of EC2 instances:
    • May be performed by the customer against their own instances with prior authorization from AWS
  60. What would be a reason you would upgrade to Direct Connect instead of a traditional VPN connection?
    • You gain higher bandwidth and consistent network connectivity.
  61. Your EC2 instance has a system status check error with an error message of loss of network connectivity.  What is the best way to attempt to resolve the EC2 instance status check error?
    • Attempt to change the physical host that the instance is on by stopping and starting the instance
    • Terminate the instance and build a new one
  62. Instance A and instance B are running in two different subnets, A and B, of a VPC.  Instance A is not able to ping instance B.  What are two possible reasons for this?
    • The security group attached to instance B does not allow inbound ICMP traffic
    • The NACL on subnet B does not allow outbound ICMP traffic
  63. Your company’s website is hosted on several EC2 instances behind an Elastic Load Balancer.  Every time the development team deploys a new upgrade to the web application, the support desk begins receiving calls from customers being disconnected from their sessions.  Customers’ session data is very important, as it contains their shopping cart information, and this information is lost when the customers’ sessions are disconnected.  Which of the following steps can be taken to prevent customers’ shopping cart data from being lost without affecting website availability?
    • Use ElastiCache to store session state
    • Enable connection draining and remove instances from the Elastic Load Balancer prior to upgrading the application on those instances
  64. A deny overrides an allow in which circumstances?
    • An explicit allow is set in an IAM policy governing S3 access and an explicit deny is set on an S3 bucket via an S3 bucket policy.
  65. It is FALSE that in a Network ACL an explicit Deny always overrides an explicit Allow.
  66. A colleague noticed that CloudWatch was reporting that there has not been any connections to one of your MySQL databases for several months.  You decide to terminate the database.  Two months after the database was terminated, you get a phone call from a very upset user who needs information from that database to run end-of-year reports.  You are hopeful that you can restore the database to full functionality from a snapshot, but your database administrator is not quite as confident.  Why?
    • The MySQL database was not using a transactional database engine such as InnoDB and may not restore properly.
  67. Your supervisor is concerned about losing read access to your RDS database in the unlikely event of an AWS regional failure.  You design a plan to create a read replica of the database in another region, but your supervisor sees a problem with this plan.  What problem does he see?
    • Your database is using PostgreSQL, which does not support cross-region replication.
  68. Which of the following could be a procedure for disaster recovery as it relates to RDS?
    • Create a read replica in a different region.  In the event of a failover, promote the read replica as the primary and change the DNS for your application to point to the new primary and then enable Multi-AZ.
  69. Which of the following can be overridden at the EC2 instance level?
    • The choice to not use tenancy at the VPC level
    • An IAM policy explicitly allowing a user the right to terminate all EC2 instances
  70. Your RDS instance is consistently maxed out on its resource utilization.  What are multiple ways to solve this issue?
    • Fire up an ElastiCache cluster in front of your RDS instance
    • Increase RDS instance size
    • Offload read-only activity to a read replica if the application is read-intensive.
  71. Your company is ready to start migrating its application over to the cloud, but you cannot afford any downtime.  Your manager asks you to come up with a plan of action.  She also wants a solution that offers the flexibility to test the application on AWS with only a subset of users, but with the ability to increase the number of users over time.  Which of these options are you most likely to recommend?
    • Implement a Route53 weighted routing policy that distributes the traffic between your on-premises application and the AWS application depending on weight.
      • This option works great because we can modify the weight of one record set over the other to increase or decrease the amount of traffic.  If the application on AWS is behaving properly, we can slowly increase the number of users that get routed to that application and slowly phase out the on-premises application.  Otherwise, we can revert back to the on-premises application.
  72. You have enabled a CloudWatch metric on your Redis ElastiCache cluster.  Your alarm is triggered due to an increased amount of evictions.  How might you go about solving the increased eviction errors from the ElastiCache cluster?
    • Increase the size of your node
  73. Which of the following will cause a noticeable performance impact on an RDS Multi-AZ deployment?
    • None of these
  74. Which of the below setups would need a custom CloudWatch metric in order to be able to monitor it?
    • Disk usage percentage of an Elastic Block Store volume
  75. Rule 100 in a NACL associated with subnets A and B denies traffic from 0.0.0.0/0.  Rule 105 in the same NACL allows HTTP traffic from 0.0.0.0/0.  EC2 instances in subnet A are associated with a security group that allows HTTP traffic from 192.168.0.0/24.  EC2 instances in subnet B are associated with a security group that denies HTTP traffic from 128.168.0.0/24.  Which of the following statements are true?
    • HTTP traffic from the Internet will be denied to EC2 instances in both subnets due to the NACL rules.
      • Rule 105 is the higher number rule and will not be evaluated.  NACL rules are evaluated in order from lowest to highest so HTTP traffic from the internet will be denied to instances in subnet B.
  76. What would we need to attach to a Bastion host or NAT host for high availability, in the event the primary host went down and we needed to send traffic to a secondary host?
    • Elastic IP address
      • EIPs can be detached from the primary host and attached to the secondary host
  77. Instance A and instance B are running in two different subnets, A and B, of a VPC.  Instance A is not able to ping instance B.  What are two possible reasons for this?
    • The security group attached to instance B does not allow inbound ICMP traffic
    • The NACL on subnet B does not allow outbound ICMP traffic
      • Every route table contains a local route that enables communication within a VPC.  This route cannot be modified or deleted, so that eliminates the routing issue.  “The NACL on subnet B does not allow outbound ICMP traffic” is one of the correct answers because NACL is stateless – return traffic has to be explicitly allowed by rules.  Because we are not allowing outbound ICMP traffic, the ping from instance A never gets a response.
  78. You are running a legacy application that has a hardcoded IP address in your application.  How might you apply high-availability to the instance running that application?
    • Assign an elastic IP address to the EC2 instance, have a backup instance running.  In the event of a failure, move the Elastic IP from the primary instance to the backup instance.
  79. You have enabled a CloudWatch metric on your Memcached ElastiCache cluster.  Your alarm is triggered due to an increased amount of evictions.  How might you go about solving the increased eviction errors from the ElastiCache cluster?
    • Increase the node size
    • Add a node to the cluster
  80. Which of the following CloudWatch metrics require a custom monitoring script to populate the metric?
    • Swap usage
    • Available disk space
  81. We have a two-tiered application with the following components.  We have an ELB, three web and application servers on EC2, and one MySQL RDS database.  When our load grows, the database queries take longer and slow down the overall response time for the user.  Which three options would we choose to speed up performance?
    • We can shard the database and distribute the load between shards
    • We can create an RDS read-replica and redirect half of the database read requests to it
    • We can cache our database queries with ElastiCache
  82. Your RDS instance is consistently maxed out on its resource utilization.  What are multiple ways to solve this issue?
    • Fire up an ElastiCache cluster in front of your RDS instance
    • Increase RDS instance size
    • Offload read-only activity to a read replica if the application is read-intensive
  83. You have been tasked by your manager to build a tiered storage setup for database backups and their logs.  These backups must be archived to a durable solution.  After 10 days, the backups can then be archived to a lower priced storage tier.  The data, however, must be retained for compliance policies.  Which tiered storage solution would help you save cost, and still meet this compliance policy?
    • Set up an independent EBS volume where we can store daily backups and then copy these files over to S3, where we configure a bucket that has a lifecycle policy to archive files older than 10 days to AWS Glacier.
  84. We have a customer with a web application that uses cookie-based sessions to see if users are logged in.  This uses Amazon Elastic Load Balancer and AutoScaling.  When the load on the application increases, AutoScaling launches new instances so that the load on the other instances does not increase too much.  However, all of the existing users still experience slow response time.  What could be the cause of this?
    • The ELB is continuing to send the request to the web app with the previously established connections in the same backend instances rather than spreading them to the new instances.
  85. Your company’s website is hosted on several EC2 instances behind an Elastic Load Balancer.  Every time the development team deploys a new upgrade to the web application, the support desk begins receiving calls from customers being disconnected from their sessions.  Customers’ session data is very important, as it contains their shopping cart information, and this information is lost when the customers’ sessions are disconnected.  Which of the following steps can be taken to prevent customers’ shopping cart data from being lost without affecting website availability?
    • Use ElastiCache to store sessions
    • Enable connection draining and remove instances from the Elastic Load Balancer prior to upgrading the application on those instances