Mastering AWS Best Practices
56 Questions

Questions and Answers

Which AWS service is best for decoupling the components of a monolithic application?

  • S3
  • EC2
  • VPC
  • SQS (correct)

What is the correct tenancy model for an application requiring licensing based on the number of physical CPU sockets and cores?

  • Host tenancy
  • Shared tenancy
  • Dedicated host (correct)
  • Dedicated instance

If a VPC's CIDR block overlaps with an internal network's IP range, what is the most valid solution?

  • Change the internal network's IP range
  • Create a new VPC with a different CIDR block (correct)
  • Ignore the overlap and proceed with the setup
  • Use a VPN to connect the VPC and internal network

How can an EC2 instance access the internet in a private subnet?

  • By using a NAT gateway

What is the most appropriate way to manage sensitive information in AWS?

  • Use AWS Secrets Manager

What happens when a global secondary index is created in DynamoDB?

  • It consumes write capacity

What is the difference between STS tokens and IAM access keys?

  • STS tokens are designed for temporary access, while IAM access keys are designed for ongoing access

What is the purpose of AWS KMS?

  • To manage encryption keys for data

Does changing the instance type of an EC2 instance change its Elastic IP address?

  • No

Which AWS service offers read-after-write consistency automatically for all objects, including overwrite PUTs and DELETEs?

  • S3

What is the purpose of AWS STS?

  • To request temporary, limited-privilege credentials for IAM users or federated users

Which AWS service is well-suited for storing JSON documents that have a consistent structure and supports the creation of global secondary indexes for existing tables at any time?

  • DynamoDB

AWS's Developer Support plan includes access to a support API.

  • False

The user is responsible for the specific configuration of EC2 instances.

  • True

SQS is the best AWS service for storing and managing sensitive information.

  • False

A Dedicated Host is the correct tenancy model for an application requiring licensing based on the number of physical CPU sockets and cores.

  • True

Changing the instance type of an EC2 instance changes its Elastic IP address.

  • False

Quick Start AMIs can only be used to create instances of the same type as the original instance.

  • False

Durability, in the context of Amazon S3, measures the percentage likelihood that a given object will not be lost by AWS over the course of a year.

  • True

A public subnet's route table must have a default route pointing to an Internet Gateway as a target.

  • True

Which service can be used to detect and alert you to malware on an EC2 instance?

  • AWS GuardDuty

When an EC2 instance in a private subnet has necessary network access to the internet, can it resolve an "A" resource record for a public hosted zone in Route 53?

  • Yes

Which ElastiCache engine can persistently store data?

  • Redis

Which routing policy in Route 53 is best for sending users to the closest application load balancer?

  • Geoproximity routing

Which of the following is NOT an AWS service, but rather an open-source configuration management tool?

  • Puppet

Which two AWS services primarily store their logs in S3 buckets?

  • AWS CloudTrail and AWS Config

Which feature of S3 automatically creates a new, encrypted version of an object when encryption is applied to an existing, unencrypted object?

  • None of the above

Which AWS service allows running Docker containers on a cluster of EC2 instances?

  • Elastic Container Service (ECS)

Which AWS service allows running code without provisioning or managing servers?

  • Lambda

EC2 instances automatically send memory utilization metrics to CloudWatch.

  • False

An EC2 instance in a private subnet can resolve an 'A' resource record for a public hosted zone in Route 53.

  • True

Geoproximity routing is the best routing policy in Route 53 to send users to the closest application load balancer.

  • True

Route 53 cannot be used as the DNS service for existing domain names without switching their registration to AWS.

  • False

Redis is the ElastiCache engine that can persistently store data.

  • True

Puppet is an AWS service for configuration management.

  • False

S3 cross-region replication and transfer acceleration are separate features with distinct functionalities and are inherently coupled or dependent on each other.

  • False

AWS GuardDuty is the AWS service specifically designed to detect and alert you to malware on an EC2 instance.

  • True

Enabling versioning on an S3 bucket automatically creates a new, encrypted version of an object when encryption is applied to an existing, unencrypted object.

  • False

Which of the following is required to enable EC2 instances to send memory utilization metrics to CloudWatch?

  • Installing the CloudWatch agent on instances

Under what condition can an EC2 instance in a private subnet resolve an 'A' resource record for a public hosted zone in Route 53?

  • If it has necessary network access to the internet

Which routing policy in Route 53 is best to send users to the closest application load balancer?

  • Geoproximity routing

Can Route 53 be used as the DNS service for existing domain names without switching their registration to AWS?

  • Yes

Which ElastiCache engine can persistently store data?

  • Redis

Is Puppet an AWS service?

  • No

Are S3 cross-region replication and transfer acceleration inherently coupled or dependent on each other?

  • No

Which AWS service is specifically designed to detect and alert you to malware on an EC2 instance?

  • AWS GuardDuty

Does enabling versioning on an S3 bucket automatically create a new, encrypted version of an object when encryption is applied to an existing, unencrypted object?

  • No

Which of the following statements about EC2 instances sending memory utilization metrics to CloudWatch is true?

  • It can be enabled by installing the CloudWatch agent on instances

Under what conditions can an EC2 instance in a private subnet resolve an 'A' resource record for a public hosted zone in Route 53?

  • It can resolve the record if it has necessary network access to the internet

Which routing policy in Route 53 is best suited to send users to the closest application load balancer?

  • Latency-based routing

Can Route 53 be used as the DNS service for existing domain names without switching their registration to AWS?

  • Yes

Which ElastiCache engine can persistently store data?

  • Redis

Is Puppet an AWS service?

  • No

Are S3 cross-region replication and transfer acceleration separate features?

  • Yes, they are separate features with distinct functionalities

Which AWS service is specifically designed to detect and alert you to malware on an EC2 instance?

  • AWS GuardDuty

Does enabling versioning on an S3 bucket automatically create a new, encrypted version of an object when encryption is applied to an existing, unencrypted object?

  • No

Study Notes

AWS Best Practices: EC2, VPC, S3, DynamoDB, and More

  • AWS's Developer Support plan does not include access to a support API, but AWS offers APIs for many of its services.
  • AWS provides the underlying network infrastructure and services for EC2, but the specific configuration of instances is up to the user.
  • SQS is the most useful AWS service for decoupling the components of a monolithic application.
  • A Dedicated Host is the correct tenancy model for an application requiring licensing based on the number of physical CPU sockets and cores.
  • Changing the instance type of an EC2 instance does not change its Elastic IP address.
  • Quick Start AMIs can be used to create any instance type as long as they are compatible with the hardware.
  • Durability, in the context of Amazon S3, measures the percentage likelihood that a given object will not be lost by AWS over the course of a year.
  • Amazon S3 offers read-after-write consistency automatically for all objects, including overwrite PUTs and DELETEs.
  • If a VPC's CIDR block overlaps with an internal network's IP range, the most valid solution is to create a new VPC with a different CIDR block.
  • An EC2 instance in a private subnet can access the internet via a NAT gateway or a NAT instance.
  • A public subnet's route table must have a default route pointing to an Internet Gateway as a target.
  • DynamoDB is well-suited for storing JSON documents that have a consistent structure and supports the creation of global secondary indexes for existing tables at any time.

AWS Services and Security: Global Secondary Index, Encrypting EC2 Instances, and STS Tokens vs IAM Access Keys

  • Creating a global secondary index in DynamoDB can consume significant write capacity, and it's best to define them during the design phase.
  • AWS KMS can be used to encrypt the operating system of an EC2 instance by encrypting the EBS volume containing the OS.
  • AWS KMS is a managed service that allows users to create and control encryption keys for data.
  • AWS Secrets Manager is a service for securely storing and managing sensitive information, not for encrypting operating systems.
  • CloudHSM is a cloud-based hardware security module that can be used with KMS for key management, but not for encrypting operating systems.
  • AWS STS is a web service that enables users to request temporary, limited-privilege credentials for IAM users or federated users.
  • STS tokens consist of an access key ID, a secret access key, and a security token, and expire after a set period of time.
  • IAM access keys consist of an access key ID and a secret access key, and do not expire unless manually deleted or rotated.
  • STS tokens are designed for temporary access, while IAM access keys are designed for ongoing access.
  • STS tokens should be used for short-term access to resources and services, while IAM access keys should be managed with care and regularly rotated.
  • AWS KMS can be used to encrypt EBS volumes containing data other than the operating system, such as databases.
  • AWS provides multiple options for encryption and security, and users should choose the appropriate service based on their specific needs.

AWS Services and Features: Key Facts and Functions

  • EC2 instances do not automatically send memory utilization metrics to CloudWatch, but this can be enabled by installing the CloudWatch agent on instances.
  • An EC2 instance in a private subnet can resolve an "A" resource record for a public hosted zone in Route 53 if it has necessary network access to the internet.
  • Geoproximity routing is the best routing policy in Route 53 to send users to the closest application load balancer.
  • Route 53 can be used as the DNS service for existing domain names without switching their registration to AWS.
  • Redis is the ElastiCache engine that can persistently store data.
  • Puppet is not an AWS service; it is an open-source configuration management tool.
  • S3 cross-region replication and transfer acceleration are separate features with distinct functionalities and are not inherently coupled or dependent on each other.
  • AWS GuardDuty is the AWS service specifically designed to detect and alert you to malware on an EC2 instance.
  • Enabling versioning on an S3 bucket does not automatically create a new, encrypted version of an object when encryption is applied to an existing, unencrypted object.
  • On-demand instances will continue to incur costs as long as they are running, regardless of their utilization, while other instance types may have different cost structures.
  • AWS Config and AWS CloudTrail primarily store their logs in S3 buckets.
  • If a CloudWatch alarm for CPU utilization on an EC2 instance transitions from INSUFFICIENT_DATA to ALARM state, it means that CPU utilization of the EC2 instance crossed the threshold set in the alarm.

Comparison of AWS services for spinning up web servers

  • Different AWS services have different cost implications based on pricing models and termination conditions.
  • Lambda is a serverless compute service that allows running code without provisioning or managing servers.
  • Lambda automatically scales to handle incoming requests and executes code in response to events.
  • Lambda functions are triggered by events such as API Gateway or other event sources to handle small, focused tasks or functions.
  • Lambda functions have extremely fast startup times and can quickly respond to requests.
  • When an event is triggered, Lambda provisions the necessary compute resources in milliseconds and executes the function code.
  • Lambda is an excellent choice for quickly spinning up new web servers or handling short-lived, bursty workloads without manual provisioning or management.
  • Auto Scaling is a service that automatically scales EC2 instances to meet demand, based on defined policies.
  • Elastic Container Service (ECS) is a fully managed container orchestration service that allows running Docker containers on a cluster of EC2 instances.
  • CloudFront is a content delivery network (CDN) that caches content at edge locations to reduce latency and improve content delivery.
  • While Auto Scaling, ECS, and CloudFront provide scalability and performance benefits, Lambda stands out in terms of speed and simplicity for quickly spinning up new web servers.
  • Choosing the right AWS service depends on specific use cases, workload requirements, and cost considerations.

Description

Test your knowledge of Amazon Web Services (AWS) best practices with these two quizzes. The first quiz covers EC2, VPC, S3, DynamoDB, and more. Learn about the underlying network infrastructure, the most useful AWS services, and the correct tenancy model for your application. In the second quiz, dive into global secondary indexes, encrypting EC2 instances, and STS tokens vs IAM access keys. Brush up on how to create and control encryption keys for data, request temporary
