Edge Device Alert Ingestion and Storage Solution

Questions and Answers

What AWS solution meets the requirements of implementing a shared storage solution for a media application hosted in the AWS Cloud, with the ability to use SMB clients to access data and must be fully managed?

Create an Amazon EC2 Windows instance. Install and configure a Windows file share role on the instance. Connect the application server to the file share.

Create an Amazon FSx for Windows File Server file system. Attach the file system to the application server. Connect the application server to the file system. (correct)

Create an AWS Storage Gateway tape gateway. Configure tapes to use Amazon S3. Connect the application server to the tape gateway.

Create an AWS Storage Gateway volume gateway. Create a file share that uses the required client protocol. Connect the application server to the file share.

What does Amazon FSx provide native support for, allowing access to file storage over a network?

FTP protocol

SFTP protocol

Server Message Block (SMB) protocol (correct)

NFS protocol

How can a company limit access to an Amazon S3 bucket to only users of accounts within the organization in AWS Organizations?

Use AWS IAM policies to allow access only to users from accounts within the organization.

Implement AWS Key Management Service (KMS) encryption with organization-specific keys for the S3 bucket.

Enable S3 bucket policies to restrict access based on organization account IDs. (correct)

Utilize AWS Resource Access Manager to share the S3 bucket with organization accounts only.

What service can a company use to manage multiple AWS accounts for different departments?

AWS Organizations

What does Amazon S3 File Gateway enable on-premises applications to use?

Amazon S3 cloud storage

Which service is suitable for online data movement and discovery service for data migration?

AWS DataSync

What can Application Load Balancer (ALB) handle separately?

HTTP and HTTPS traffic

What principle can be applied to configure permissions for an AWS Lambda function?

Least privilege principle

What can AWS Secrets Manager be used to store and rotate credentials for?

Amazon RDS for MySQL databases across multiple AWS Regions

Which AWS service can be used to achieve lowest latency routing and failover, supporting HTTP/HTTPS with ALB, and TCP and UDP with NLB?

Amazon Global Accelerator

Which AWS service can be utilized to detect and protect against large-scale DDoS attacks?

Amazon GuardDuty

What AWS service can be used as the communication layer between application services to improve performance and modernize a multi-tiered application?

Amazon Simple Queue Service (Amazon SQS)

Which AWS service can be employed to monitor the application performance history and server peak utilization?

Amazon CloudWatch

What AWS service can copy data older than 7 days from an SMB file server to AWS?

Amazon DataSync

What AWS service can be used to extend the company's storage space?

Amazon FSx for Windows File Server

In the architecture of a public-facing web application in the AWS Cloud, what is used for the DNS?

Third-party service

What AWS service can be enabled and assigned to an Elastic Load Balancer (ELB) to detect and protect against large-scale DDoS attacks in a web application architecture?

Amazon Shield Advanced

What AWS service can be used to resolve issues of dropped transactions when one tier becomes overloaded in a multi-tiered application?

Amazon Simple Queue Service (Amazon SQS)

What is the most operationally efficient solution for ingesting and storing the alerts for future analysis?

Create an Amazon Kinesis Data Firehose delivery stream to ingest the alerts, configure it to deliver the alerts to an Amazon S3 bucket, and set up an S3 Lifecycle configuration to transition data to Amazon S3 Glacier after 14 days

What can speed up content transfers to and from Amazon S3 by as much as 50-500% for long-distance transfer of larger objects?

Amazon S3 Transfer Acceleration

How can improved throughput be achieved when uploading site data to the destination bucket?

By using multipart uploads

To improve application performance with the least operational overhead, what is the recommended solution for sending output data from multiple SaaS sources to an S3 bucket?

Create an Amazon EventBridge (Amazon CloudWatch Events) rule for each SaaS source to send output data, configure the S3 bucket as the rule's target, and create a second EventBridge (CloudWatch Events) rule to send events when the upload to the S3 bucket is complete, with an Amazon Simple Notification Service (Amazon SNS) topic as the second rule's target

What is suggested as a solution to improve performance with minimal operational overhead in place of using an EC2 instance?

Docker container usage and hosting the containerized application on Amazon Elastic Container Service (Amazon ECS)

What solution aims at addressing specific requirements of companies' operations and data management needs efficiently within the AWS environment?

Create an Amazon Kinesis Data Firehose delivery stream to ingest the alerts, configure it to deliver the alerts to an Amazon S3 bucket, and set up an S3 Lifecycle configuration to transition data to Amazon S3 Glacier after 14 days

What can be added to an S3 bucket policy to allow access to members of a specific organization?

aws:PrincipalOrgID global condition key

Which service can be used to monitor specific events related to AWS Organization?

AWS CloudTrail

How can access control for an S3 bucket be enhanced for each user that needs access?

Tagging each user and adding the aws:PrincipalTag global condition key to the S3 bucket policy

What is recommended to ensure that Amazon S3 buckets do not have unauthorized configuration changes?

Turning on AWS Config with appropriate rules

What does AWS Config provide for resource configurations?

A detailed view and allows identification and remediation of unauthorized changes

What is recommended to provide secure access to an Amazon S3 bucket from an application tier running on Amazon EC2 instances in a VPC?

Configuring a VPC gateway endpoint for Amazon S3 within the VPC and creating a bucket policy that limits access to only the application tier running in the VPC

How can sharing an Amazon CloudWatch dashboard with a product manager while following the principle of least privilege be achieved?

Creating an IAM user specifically for the product manager and attaching the CloudWatch Read Only Access managed policy to the user

What does the CloudWatch Read Only Access managed policy allow?

Viewing the dashboard without ability to make changes

How can Amazon EC2 capacity in specific Availability Zones for a specific AWS Region be guaranteed for an upcoming event?

Creating an On-Demand Capacity Reservation specifying the Region and three Availability Zones

What AWS solution meets the requirements of implementing a shared storage solution for a media application hosted in the AWS Cloud, with the ability to use SMB clients to access data and must be fully managed?

Create an Amazon FSx for Windows File Server file system. Attach the file system to the origin server. Connect the application server to the file system.

How can a company limit access to an Amazon S3 bucket to only users of accounts within the organization in AWS Organizations?

Use AWS Organizations SCPs (Service Control Policies) to restrict access to the S3 bucket based on organizational accounts.

What does Amazon FSx provide native support for, allowing access to file storage over a network?

$CIFS (Common Internet File System) protocol

What can be used as a communication layer between application services to improve performance and modernize a multi-tiered application?

$Amazon SQS (Simple Queue Service)

What can be added to an S3 bucket policy to allow access to members of a specific organization?

aws:PrincipalOrgID global condition key

What is recommended to ensure that Amazon S3 buckets do not have unauthorized configuration changes?

Turning on AWS Config with appropriate rules

How can sharing an Amazon CloudWatch dashboard with a product manager while following the principle of least privilege be achieved?

Creating an IAM user specifically for the product manager and attaching the CloudWatch Read Only Access managed policy to the user

What is recommended to provide secure access to an Amazon S3 bucket from an application tier running on Amazon EC2 instances in a VPC?

Configuring a VPC gateway endpoint for Amazon S3 within the VPC and creating a bucket policy that limits access to only the application tier running in the VPC

What does the CloudWatch Read Only Access managed policy allow?

Viewing CloudWatch dashboards without the ability to make changes

What principle can be applied to configure permissions for an AWS Lambda function?

Using IAM roles with least privilege access

What is the correct method to enable on-premises applications to use Amazon S3 cloud storage?

Utilize Amazon S3 File Gateway

What can be configured to redirect HTTP traffic to HTTPS?

Application Load Balancer (ALB)

How can data transition be automated from S3 Standard to S3 Glacier Deep Archive?

By using S3 Lifecycle policy

What is the purpose of AWS DataSync?

To provide an online data movement and discovery service for data migration

How can permissions for an AWS Lambda function be configured?

By applying the least privilege principle

What can be used to store and rotate credentials for Amazon RDS for MySQL databases across multiple AWS Regions?

AWS Secrets Manager

Which service enables on-premises applications to use Amazon S3 cloud storage and supports SMB and NFS protocols?

Amazon S3 File Gateway

What is required to be installed in the on-premises data center for utilizing AWS DataSync?

AWS DataSync agent

Which AWS service is suitable for creating a suitable location configuration for the on-premises SFTP server?

AWS DataSync

What can be used as an online data movement and discovery service for data migration?

AWS DataSync

Which AWS service can be used to achieve lowest latency routing and failover, supporting HTTP/HTTPS with ALB, and TCP and UDP with NLB?

AWS Global Accelerator

What AWS service can be used as the communication layer between application services to improve performance and modernize a multi-tiered application?

Amazon Simple Queue Service (Amazon SQS)

What AWS service provides native support for file storage over a network, allowing access to file storage over a network?

Amazon FSx for Windows File Server

Which AWS service can be employed to detect and protect against large-scale DDoS attacks?

AWS Shield Advanced

What AWS service can be used to copy data older than 7 days from an SMB file server to AWS?

Amazon DataSync

In the architecture of a public-facing web application in the AWS Cloud, what is used for the DNS?

Amazon Route 53

What does Amazon AppFlow facilitate?

Secure data transfer between SaaS applications and AWS services like Amazon S3 and Amazon Redshift.

What is recommended to ensure automated failover between Regions for VoIP service via UDP connections on Amazon EC2 instances in Auto Scaling groups across multiple AWS Regions?

AWS Global Accelerator

What can be used to handle messaging between application servers running on Amazon EC2 in an Auto Scaling group, with Amazon CloudWatch monitoring the queue length and scaling up when communication failures are detected?

Amazon Simple Queue Service (Amazon SQS)

How can improved throughput be achieved when uploading site data to the destination bucket?

By using Amazon DataSync.

What does Amazon CloudWatch monitor in the mentioned web application architecture?

The application performance history and server peak utilization.

What is the most operationally efficient solution for ingesting and storing the alerts for future analysis?

Creating an Amazon Kinesis Data Firehose delivery stream to ingest the alerts, configuring it to deliver the alerts to an Amazon S3 bucket, and setting up an S3 Lifecycle configuration to transition data to Amazon S3 Glacier after 14 days.

How can improved throughput be achieved when uploading site data to the destination bucket?

Enabling Amazon S3 Transfer Acceleration on the destination bucket.

To improve application performance with minimal operational overhead, what is the recommended solution for sending output data from multiple SaaS sources to an S3 bucket?

Creating an Amazon EventBridge (Amazon CloudWatch Events) rule for each SaaS source to send output data, configuring the S3 bucket as the rule's target, and creating a second EventBridge (CloudWatch Events) rule to send events when the upload to the S3 bucket is complete, with an Amazon Simple Notification Service (Amazon SNS) topic as the second rule's target.

What is suggested as a solution to improve performance with minimal operational overhead in place of using an EC2 instance?

Docker container usage instead of an EC2 instance and hosting the containerized application on Amazon Elastic Container Service (Amazon ECS).

What can speed up content transfers to and from Amazon S3 by as much as 50-500% for long-distance transfer of larger objects?

Amazon S3 Transfer Acceleration

What does native support does Amazon FSx provide, allowing access to file storage over a network?

SMB and NFS protocols

What can be used as an online data movement and discovery service for data migration?

AWS DataSync

Study Notes

AWS Security and Access Management Best Practices

• The use of AWS Organization IDs and paths can streamline the management of S3 bucket policies and access control.
• The aws:PrincipalOrgID global condition key can be added to an S3 bucket policy to allow access to members of a specific organization.
• AWS CloudTrail can be used to monitor specific events related to AWS Organization, and S3 bucket policies can be updated accordingly based on the events.
• Tagging each user that needs access to an S3 bucket and adding the aws:PrincipalTag global condition key to the S3 bucket policy can enhance access control.
• To ensure that Amazon S3 buckets do not have unauthorized configuration changes, turning on AWS Config with appropriate rules is recommended.
• AWS Config provides a detailed view of resource configurations and allows for the identification and remediation of unauthorized changes to S3 buckets.
• To provide secure access to an Amazon S3 bucket from an application tier running on Amazon EC2 instances in a VPC, configuring a VPC gateway endpoint for Amazon S3 within the VPC and creating a bucket policy that limits access to only the application tier running in the VPC are recommended steps.
• Sharing an Amazon CloudWatch dashboard with a product manager while following the principle of least privilege involves creating an IAM user specifically for the product manager and attaching the CloudWatch Read Only Access managed policy to the user.
• The CloudWatch Read Only Access managed policy allows the user to view the dashboard without the ability to make changes.
• To guarantee Amazon EC2 capacity in specific Availability Zones for a specific AWS Region for an upcoming event, creating an On-Demand Capacity Reservation that specifies the Region and three Availability Zones is the recommended approach.
• This approach ensures the availability of the required capacity for the specified duration and locations without the need for upfront payments or long-term commitments.
• The use of AWS best practices in security and access management, such as leveraging organization IDs, CloudTrail monitoring, and IAM policies, can enhance the security and efficiency of AWS deployments.

AWS Solutions Architect Scenarios

• Amazon S3 File Gateway enables on-premises applications to use Amazon S3 cloud storage
• Supports SMB and NFS protocols and S3 Lifecycle policies for data transition
• S3 Lifecycle policy can automatically transition data from S3 Standard to S3 Glacier Deep Archive
• AWS DataSync is an online data movement and discovery service for data migration
• AWS DataSync agent needs to be installed in the on-premises data center
• Suitable location configuration for the on-premises SFTP server needs to be created using AWS DataSync
• Application Load Balancer (ALB) can be configured to redirect HTTP traffic to HTTPS
• ALB can handle HTTP and HTTPS traffic separately
• ALB listener rule can be created to redirect HTTP traffic to HTTPS
• Least privilege principle can be applied to configure permissions for an AWS Lambda function
• AWS Lambda function can be invoked by an Amazon EventBridge (Amazon CloudWatch Events) rule
• AWS Secrets Manager can be used to store and rotate credentials for Amazon RDS for MySQL databases across multiple AWS Regions

AWS Operational Efficiency Solutions

• A company with thousands of edge devices generating 1 TB of status alerts daily needs a cost-effective and highly available solution for ingesting and storing the alerts for future analysis.
• The company requires a solution that minimizes costs and does not require additional infrastructure management, while keeping 14 days of data available for immediate analysis and archiving any data older than 14 days.
• The most operationally efficient solution is to create an Amazon Kinesis Data Firehose delivery stream to ingest the alerts, configure it to deliver the alerts to an Amazon S3 bucket, and set up an S3 Lifecycle configuration to transition data to Amazon S3 Glacier after 14 days.
• A company collects temperature, humidity, and atmospheric pressure data in cities across multiple continents, with an average volume of 500 GB per site daily and high-speed internet connections.
• To aggregate data from all global sites, the fastest way is to enable Amazon S3 Transfer Acceleration on the destination bucket.
• Amazon S3 Transfer Acceleration can speed up content transfers to and from Amazon S3 by as much as 50-500% for long-distance transfer of larger objects, particularly useful for customers with widespread users or applications hosted far away from their S3 bucket.
• Improved throughput can be achieved by using multipart uploads to directly upload site data to the destination bucket.
• A company's application integrates with multiple SaaS sources for data collection, and the EC2 instance that receives and uploads the data also sends a notification to the user when an upload is complete.
• To improve application performance with the least operational overhead, the recommended solution is to create an Amazon EventBridge (Amazon CloudWatch Events) rule for each SaaS source to send output data, configure the S3 bucket as the rule's target, and create a second EventBridge (CloudWatch Events) rule to send events when the upload to the S3 bucket is complete, with an Amazon Simple Notification Service (Amazon SNS) topic as the second rule's target.
• Another solution is to create an Auto Scaling group so that EC2 instances can scale out and configure an S3 event notification to send events to an Amazon Simple Notification Service (Amazon SNS) topic when the upload to the S3 bucket is complete.
• Docker container usage instead of an EC2 instance and hosting the containerized application on Amazon Elastic Container Service (Amazon ECS) is also suggested as a solution to improve performance with minimal operational overhead.
• The solutions provided are aimed at addressing the specific requirements of the companies' operations and data management needs efficiently within the AWS environment.

Description

This quiz discusses the implementation of a highly available solution to ingest and store a high volume of status alerts generated by thousands of edge devices. The goal is to minimize costs and avoid managing additional infrastructure while ensuring efficient storage and future analysis.