# AWS SAA Mock Exam

###### tags: `AWS`

1. You are a consultant planning to deploy DynamoDB across three AZs. Your lead DBA is concerned about data consistency. Which of the following do you advise the lead DBA to do?
   :::spoiler Answer
   To ask the development team to code for strongly consistent reads. As the consultant, you will advise the CTO that it may have higher latency than eventually consistent reads.

   When you request a strongly consistent read, DynamoDB returns a response with the most up-to-date data, reflecting the updates from all prior write operations that were successful. However, this consistency comes with some disadvantages: a read might not be available if there is a network delay or outage, it has higher latency than eventually consistent reads, global secondary indexes are not supported, and it uses more throughput capacity than eventually consistent reads.
   :::

2. By definition, a public subnet within a VPC is one that:
   :::spoiler Answer
   Has at least one route in its routing table that uses an Internet Gateway (IGW).
   :::

3. You are a solutions architect working for a large anti-virus company and your job is to secure your company's production AWS environment. A new policy dictates that a particular public-facing subnet needs to allow RDP on port 3389 at the custom network ACL layer. You create an inbound rule allowing traffic to port 3389 at the ACL level. However, users complain that they still cannot connect. Which of the following answers may represent the root cause of the connectivity issues?
   :::spoiler Answer
   Network Access Control Lists are stateless, so rules must be created for both inbound and outbound traffic.
   :::

4. When using a Dedicated Instance, which of the following tenancy attributes are you able to transition between by stopping the instance and starting it again?
   :::spoiler Answer
   The tenancy of an instance can only be changed between variants of "dedicated" tenancy hosting. It cannot be changed from or to default tenancy hosting.
   :::

5. When it comes to Security Groups within a custom VPC, which of the following statements are correct?
   :::spoiler Answer
   Security Groups are stateful and updates are applied immediately.
   :::

6. How does AWS deliver high availability for DynamoDB?
   :::spoiler Answer
   Being automatically replicated across multiple AZs makes DynamoDB highly available.
   :::

7. You work for a genomics company that is developing a cure for motor neuron disease by using advanced gene therapies. As a part of their research, they take extremely large data sets (usually in the terabytes) and analyze these data sets using Elastic Map Reduce. In order to keep costs low, they run the analysis for only a few hours in the early hours of the morning, using spot instances for the task nodes. The core nodes are on-demand instances. Lately, however, the EMR jobs have been failing. This is due to spot instances being unexpectedly terminated. Which of the following is recommended to have the best experience in terms of availability using the Spot service?
   :::spoiler Answer
   1. Capacity Rebalancing helps you maintain workload availability by proactively augmenting your fleet with a new Spot Instance before a running Spot Instance receives the two-minute Spot Instance interruption notice. When Capacity Rebalancing is enabled, Auto Scaling or Spot Fleet attempts to proactively replace Spot Instances that have received a rebalance recommendation, providing the opportunity to rebalance your workload to new Spot Instances that are not at elevated risk of interruption. Capacity Rebalancing complements the capacity optimized allocation strategy (which is designed to help find the most optimal spare capacity) and the mixed instances policy (which is designed to enhance availability by deploying instances across multiple instance types running in multiple Availability Zones).
   2. Allocation strategies in Auto Scaling groups help you to provision your target capacity without the need to manually look for the Spot Instance pools with spare capacity. AWS recommends using the capacity optimized strategy because this strategy automatically provisions instances from the most-available Spot Instance pools. You can also take advantage of the capacity optimized allocation strategy in Spot Fleet. Because your Spot Instance capacity is sourced from pools with optimal capacity, this decreases the possibility that your Spot Instances are reclaimed.
   :::

8. Which of the following features only relate to Spread Placement Groups?
   :::spoiler Answer
   A spread placement group supports a maximum of seven running instances per Availability Zone.

   Spread placement groups have a specific limitation that you can only have a maximum of 7 running instances per Availability Zone, and therefore this is the only correct option. Deploying instances in a single Availability Zone is unique to Cluster Placement Groups only and therefore is not correct. The other two remaining options are common to all placement group types and so are not specific to Spread Placement Groups.
   :::

9. Your company provides an online image recognition service and uses SQS to decouple system components. Your EC2 instances poll the image queue as often as possible to keep end-to-end throughput as high as possible, but you realize that all this polling is resulting in both a large number of CPU cycles and skyrocketing costs. How can you reduce cost without compromising service?
   :::spoiler Answer
   Enable long polling by setting `ReceiveMessageWaitTimeSeconds` to a number > 0.

   SQS long polling doesn't return a response until a message arrives in the queue (or the wait time expires), reducing your overall cost over time. Short polling WILL return empty responses.
   :::

10. A user of your web-site makes an HTTP request to access a static resource on your server. The request is automatically redirected to the nearest CloudFront server. For some reason, the requested resource does not exist on the CloudFront server. Which of the following is true?
    :::spoiler Answer
    CloudFront will query the origin server and then cache the resource on the edge location.

    CloudFront checks its cache for the requested files. If the files are in the cache, CloudFront returns them to the user. If the files are not in the cache, it does the following:
    a) CloudFront compares the request with the specifications in your distribution and forwards the request for the files to your origin server for the corresponding file type, for example to your Amazon S3 bucket for image files and to your HTTP server for HTML files.
    b) The origin servers send the files back to the edge location.
    c) As soon as the first byte arrives from the origin, CloudFront begins to forward the files to the user. CloudFront also adds the files to the cache in the edge location for the next time someone requests those files.
    :::

11. You have been asked by your employer to create an identical copy of your production environment in another Region for disaster recovery purposes. In the list below, which AWS resources would you NOT need to recreate, because they are available universally across the console?
    :::spoiler Answer
    Route 53 configurations are available universally across the AWS management console and do not need to be recreated in a different region. Identity Access Management Roles are available universally across the AWS management console and do not need to be recreated in a different region. Security Groups are region-specific, so you need to recreate those types of resources if you want to replicate your environment configurations to a different region.
    :::

12. You're building out a single-region application in us-west-2. However, disaster recovery is a strong consideration, and you need to build the application so that if us-west-2 becomes unavailable, you can fail over to us-west-1. Your application relies exclusively on pre-built AMIs, and has specific launch permissions, custom tags, and security group rules. In order to run your application leveraging those AMIs in your backup region, which process would you follow?
    :::spoiler Answer
    Copy the AMI from us-west-2 to us-west-1. After the copy operation is complete, apply launch permissions, user-defined tags, and security group configurations.

    AWS does not copy launch permissions, user-defined tags, or security group rules from the source AMI to the new AMI. After the copy operation is complete, you can apply launch permissions, user-defined tags, and security group configurations to the new AMI.
    :::

13. DynamoDB has many use cases. Which of the following are legitimate use cases for DynamoDB?
    :::spoiler Answer
    Use cases include storing JSON data, BLOB data and web session data. You cannot run relational joins on DynamoDB, and storing archived data would be better placed on Glacier.
    :::

14. You are reviewing Change Control requests, and you note that there is a change designed to reduce costs by updating the Amazon SQS "WaitTimeSeconds" attribute. What does this mean?
    :::spoiler Answer
    When the consumer instance polls for new work, the SQS service will allow it to wait a certain time for one or more messages to be available before closing the connection.

    Poor timing of SQS processes can significantly impact the cost effectiveness of the solution. Long polling helps reduce the cost of using Amazon SQS by eliminating the number of empty responses (when there are no messages available for a ReceiveMessage request) and false empty responses (when messages are available but aren't included in a response).
    :::

15. You manage a Ruby on Rails messaging application that lives on a cluster of EC2 instances. Your website occasionally experiences brief, strong, and entirely unpredictable spikes in traffic that overwhelm your EC2 instances' resources and freeze the application. As a result, you're losing recently submitted messages from end-users. You use Auto Scaling to deploy additional resources to handle the load during spikes, but the new instances don't spin up fast enough to prevent the existing application servers from freezing. Which of the following will provide the most cost-effective solution in preventing the loss of recently submitted messages?
    :::spoiler Answer
    Use Amazon SQS to decouple the application components and keep the messages in the queue until the extra Auto Scaling instances are available.
    :::

16. Following advice from your consultant, you have configured your VPC to use dedicated hosting tenancy. Your VPC has an Amazon EC2 Auto Scaling group designed to launch or terminate Amazon EC2 instances on a regular basis, in order to meet workload demands. A subsequent change to your application has rendered the performance gains from dedicated tenancy superfluous, and you would now like to recoup some of these greater costs. How do you revert the instance tenancy attribute of a VPC to default for newly launched EC2 instances?
    :::spoiler Answer
    Modify the instance tenancy attribute of your VPC from dedicated to default using the AWS CLI, an AWS SDK, or the Amazon EC2 API.

    You can change the instance tenancy attribute of a VPC from dedicated to default. Modifying the instance tenancy of the VPC does not affect the tenancy of any existing instances in the VPC. The next time you launch an instance in the VPC, it has a tenancy of default, unless you specify otherwise during launch. You can modify the instance tenancy attribute of a VPC using the AWS CLI, an AWS SDK, or the Amazon EC2 API only.
    :::

17. Which of the following services should you provision in multiple availability zones in order to achieve high availability?
    :::spoiler Answer
    EC2 and RDS.

    S3, SQS and DynamoDB are already built in a fault tolerant fashion; you do not need to provision these services across multiple availability zones. Therefore the correct answers are RDS and EC2.
    :::

18. You are reviewing Change Control requests and you note that there is a proposed change designed to reduce errors due to SQS Eventual Consistency by updating the "DelaySeconds" attribute. What does this mean?
    :::spoiler Answer
    When a new message is added to the SQS queue, it will be hidden from consumer instances for a fixed period.

    Delay queues let you postpone the delivery of new messages to a queue for a number of seconds, for example when your consumer application needs additional time to process messages. If you create a delay queue, any messages that you send to the queue remain invisible to consumers for the duration of the delay period. The default (minimum) delay for a queue is 0 seconds. The maximum is 15 minutes. To set delay seconds on individual messages, rather than on an entire queue, use message timers to allow Amazon SQS to use the message timer's DelaySeconds value instead of the delay queue's DelaySeconds value.
    :::

19. With EBS, I can ____.
    :::spoiler Answer
    Create an encrypted snapshot from an unencrypted snapshot by creating an encrypted copy of the unencrypted snapshot. Create an encrypted volume from a snapshot of another encrypted volume.

    Although there is no direct way to encrypt an existing unencrypted volume or snapshot, you can encrypt them by creating either a volume or a snapshot.
    :::

20. How many internet gateways can I attach to my custom VPC?
    :::spoiler Answer
    1
    :::

21. You have been engaged by a company to design and lead the migration to an AWS environment. An argument has broken out about how to meet future Backup & Archive requirements and how to transition. The Security Manager and CTO are concerned about backup continuity and the ability to continue to access old tape archives. The Senior engineer is adamant that there is no way to retain the old backup solution in the AWS environment, and that they will lose access to all the current archives. What information can you share that will satisfy both parties in a cost-effective manner?
    :::spoiler Answer
    1. Suggest that during transition, a second AWS Tape Gateway (VTL) solution could be commissioned in the customer's new VPC and integrated with the existing VTS. At the same time, the existing Enterprise Backup Solution could be used to perform tape-to-tape copies to migrate the archives from tape to VTL/VTS virtual tape.
    2. Meet with both parties and brief them on the AWS Tape Gateway (VTL) solution. Explain that it can initially be installed in the on-premises environment utilizing the existing enterprise backup product to start the transition without losing access to the existing backups and archives. Over the duration of the migration, most (if not all) of the backup cycles will be replaced by the new VTL & VTS tapes.

    Any migration project needs to consider how to manage legacy data and data formats. This includes backups and archives. A 3rd party archive service is viable, but would be an ongoing expense. Storage Gateway can be used to efficiently move data into AWS. Old tapes could either be restored to the Storage Gateway volume, or migrated to virtual tapes inside AWS using Tape Gateway.
    :::

22. You are reviewing Change Control requests, and you note that there is a change designed to reduce costs by updating the Amazon SQS "WaitTimeSeconds" attribute. What does this mean?
    :::spoiler Answer
    When the consumer instance polls for new work, the SQS service will allow it to wait a certain time for one or more messages to be available before closing the connection.

    Poor timing of SQS processes can significantly impact the cost effectiveness of the solution. When the wait time for the ReceiveMessage API action is greater than 0, long polling is in effect. The maximum long polling wait time is 20 seconds. Long polling helps reduce the cost of using Amazon SQS by eliminating the number of empty responses (when there are no messages available for a ReceiveMessage request) and false empty responses (when messages are available but aren't included in a response).
    :::

23. You have created a VPC that contains two EC2 instances in different availability zones. Both are running web servers, hosting the same content. These web servers will be accessible via the internet. Which of the following DNS configurations could you consider?
    :::spoiler Answer
    1. Set up an Application Load Balancer and place your instances behind this ELB. Configure a Route 53 Alias record to point to the resource of the Application Load Balancer.
    2. Assign each EC2 instance an Elastic IP Address. Configure a Route 53 "A" multi-value record with both EIPs and health checks.

    A NAT instance will prevent the EC2 instances from receiving inbound traffic initiated from the internet. Application Load Balancers require an Alias to the ALB and a record type "A – IPv4 address". A CNAME record maps a name to another name; it can't be used with the public IP address of the ALB. However, a CNAME can be used to route traffic to your ALB DNS name (A record). Using an ALB will provide a very fault tolerant setup. When creating a record in Route 53 to other AWS resources, including ALBs, you should use Alias records where available. The alternate option of attaching Elastic IPs directly to the instances with an "A" record accomplishes similar results, but doesn't incur the cost of an ALB.
    :::

24. Which native AWS service will act as a file system mounted on an S3 bucket?
    :::spoiler Answer
    - File Gateway (O)
    - Amazon Elastic File System (EFS) (X): EFS is a mountable file storage service for EC2, but has no connection to S3, which is an object storage service.

    A file gateway supports a file interface into Amazon Simple Storage Service (Amazon S3) and combines a service and a virtual software appliance. By using this combination, you can store and retrieve objects in Amazon S3 using industry-standard file protocols such as Network File System (NFS) and Server Message Block (SMB). The software appliance, or gateway, is deployed into your on-premises environment as a virtual machine (VM) running on VMware ESXi, Microsoft Hyper-V, or Linux Kernel-based Virtual Machine (KVM) hypervisor. The gateway provides access to objects in S3 as files or file share mount points. You can manage your S3 data using lifecycle policies, cross-region replication, and versioning. You can think of a file gateway as a file system mount on S3.
    :::

25. What are two key concepts regarding subnets?
    :::spoiler Answer
    1. Every subnet you create is associated with the main route table for the VPC. Each subnet must be associated with a route table, which specifies the allowed routes for outbound traffic leaving the subnet. Every subnet that you create is automatically associated with the main route table for the VPC. You can change the association, and you can change the contents of the main route table.
    2. Each subnet maps to a single Availability Zone. When you create a subnet, you specify the CIDR block for the subnet, which is a subset of the VPC CIDR block. Each subnet must reside entirely within one Availability Zone and ==cannot span zones==.
    :::

26. Which option does AWS handle under the shared responsibility model?
    :::spoiler Answer
    Physical Hardware Infrastructure.

    AWS is responsible for "security of the cloud itself"; the customer is responsible for "security inside the cloud".

    Security and compliance is a shared responsibility between AWS and the customer. This shared model can help relieve the customer's operational burden as AWS operates, manages, and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates. The customer assumes responsibility for, and management of, the guest operating system (including updates and security patches), other associated application software, and the configuration of the AWS provided security group firewall. Customers should carefully consider the services they choose, as their responsibilities vary depending on the services used, the integration of those services into their IT environment, and applicable laws and regulations. The nature of this shared responsibility also provides the flexibility and customer control that permits the deployment. This differentiation of responsibility is commonly referred to as Security "of" the Cloud versus Security "in" the Cloud.

    AWS responsibility, "Security of the Cloud": AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services.
    :::

27. As a DevOps engineer you are told to prepare a complete solution to run a piece of code that requires multi-threaded processing. The code has been running on an old custom server using a 4 core Intel Xeon processor. Which of these options best describes the AWS compute services that could be used for multi-threaded processing?
    :::spoiler Answer
    EC2, ECS, & Lambda.

    The exact ratio of cores to memory has varied over time for Lambda instances; however, Lambda, like EC2 and ECS, supports hyper-threading on one or more virtual CPUs (if your code supports hyper-threading).
    :::

28. What AWS service can help you to understand how your Lambda functions are performing?
    :::spoiler Answer
    AWS X-Ray helps developers analyze and debug production, distributed applications, such as those built using microservices and serverless architectures. With X-Ray, you can understand how your application and its underlying services are performing to identify and troubleshoot the root cause of performance issues and errors.
    :::

29. Which of the following services can invoke a Lambda function synchronously (with functionality built in to the invoking service)?
    :::spoiler Answer
    ALB, Cognito (simple, secure user sign-up, sign-in and access control), Lex (conversational AI for chatbots), Alexa, API Gateway, CloudFront, and Kinesis Data Firehose are all valid direct (synchronous) triggers for Lambda functions. S3 is one of the valid asynchronous triggers. EC2 is one of the valid asynchronous triggers.
    :::

30. What is true of security groups?
    :::spoiler Answer
    Security groups act at the instance level, not the subnet level.

    The following are the basic characteristics of security groups for your VPC:
    - There are quotas on the number of security groups that you can create per VPC, the number of rules that you can add to each security group, and the number of security groups that you can associate with a network interface.
    - You can specify allow rules, but not deny rules.
    - You can specify separate rules for inbound and outbound traffic.
    - When you create a security group, it has no inbound rules. Therefore, no inbound traffic originating from another host to your instance is allowed until you add inbound rules to the security group.
    - By default, a security group includes an outbound rule that allows all outbound traffic. You can remove the rule and add outbound rules that allow specific outbound traffic only. If your security group has no outbound rules, no outbound traffic originating from your instance is allowed.
    - Security groups are stateful. If you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound security group rules. Responses to allowed inbound traffic are allowed to flow out, regardless of outbound rules.
    :::
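Questions 3, 5 and 30 all turn on the same distinction: network ACLs are stateless and ordered, security groups are stateful and allow-only. The following is an added example, not part of the exam or of any AWS tooling; it is a small Python model of both filter types (the `Rule`, `Packet`, `NetworkAcl` and `SecurityGroup` names and the client address 203.0.113.10 are constructed for the illustration) that replays the RDP scenario from question 3 and shows why an inbound-only ACL rule on port 3389 admits the client's request but drops the server's reply, while a security group with the same single inbound rule admits both.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    number: int      # NACL rule number (lowest is evaluated first); unused by security groups
    proto: str       # "tcp", "udp" or "all"
    port_from: int   # destination-port range the rule covers
    port_to: int
    cidr: str        # remote address range
    action: str      # "allow" or "deny" (security groups only ever use "allow")


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = toward the instance, "out" = leaving it
    proto: str
    remote_ip: str   # the peer's address
    remote_port: int # the peer's port
    local_port: int  # the port on the instance


def rule_matches(rule: Rule, packet: Packet) -> bool:
    """Rules are written in terms of the packet's destination port: for an inbound
    packet that is the instance port, for an outbound packet it is the peer's port."""
    if rule.proto not in ("all", packet.proto):
        return False
    dst_port = packet.local_port if packet.direction == "in" else packet.remote_port
    if not rule.port_from <= dst_port <= rule.port_to:
        return False
    return ip_address(packet.remote_ip) in ip_network(rule.cidr)


class NetworkAcl:
    """Stateless filter: every packet is judged only by the rules for its own
    direction, in ascending rule-number order, with an implicit deny at the end."""

    def __init__(self, inbound, outbound):
        self.rules = {"in": sorted(inbound, key=lambda r: r.number),
                      "out": sorted(outbound, key=lambda r: r.number)}

    def evaluate(self, packet: Packet) -> bool:
        for rule in self.rules[packet.direction]:
            if rule_matches(rule, packet):
                return rule.action == "allow"   # first match wins
        return False                            # the trailing '*' deny rule


class SecurityGroup:
    """Stateful filter: allow rules only; a flow admitted in one direction has its
    return traffic admitted automatically, whatever the rules for that direction say."""

    def __init__(self, inbound, outbound):
        self.rules = {"in": inbound, "out": outbound}
        self.tracked = set()   # connection table keyed by the 4-tuple of an allowed flow

    def evaluate(self, packet: Packet) -> bool:
        flow = (packet.proto, packet.remote_ip, packet.remote_port, packet.local_port)
        if flow in self.tracked:
            return True
        if any(rule_matches(r, packet) for r in self.rules[packet.direction]):
            self.tracked.add(flow)
            return True
        return False


def rdp_session_outcome(filt) -> tuple:
    """Replay a constructed RDP connection from client 203.0.113.10, source port 50000.
    Returns (client request admitted?, server reply admitted?)."""
    request = Packet("in", "tcp", "203.0.113.10", 50000, 3389)
    reply = Packet("out", "tcp", "203.0.113.10", 50000, 3389)
    return filt.evaluate(request), filt.evaluate(reply)


# The NACL from question 3: inbound 3389 opened, nothing added outbound.
NACL_INBOUND_ONLY = NetworkAcl(
    inbound=[Rule(100, "tcp", 3389, 3389, ANY, "allow")], outbound=[])

# The fix: also allow the reply toward the client's ephemeral port range.
NACL_WITH_RETURN_RULE = NetworkAcl(
    inbound=[Rule(100, "tcp", 3389, 3389, ANY, "allow")],
    outbound=[Rule(100, "tcp", 1024, 65535, ANY, "allow")])

# Ordered evaluation: a lower-numbered deny beats the later allow for that /24.
NACL_BLOCKING_ONE_NETWORK = NetworkAcl(
    inbound=[Rule(100, "tcp", 3389, 3389, ANY, "allow"),
             Rule(90, "tcp", 3389, 3389, "203.0.113.0/24", "deny")],
    outbound=[Rule(100, "tcp", 1024, 65535, ANY, "allow")])

# A security group with the same single inbound rule and, to make the point,
# no outbound rule at all (a real new group starts with an allow-all outbound rule).
SECURITY_GROUP = SecurityGroup(
    inbound=[Rule(0, "tcp", 3389, 3389, ANY, "allow")], outbound=[])

if __name__ == "__main__":
    for name, filt in [("NACL, inbound rule only", NACL_INBOUND_ONLY),
                       ("NACL, inbound + outbound ephemeral rule", NACL_WITH_RETURN_RULE),
                       ("NACL, deny for 203.0.113.0/24 evaluated first", NACL_BLOCKING_ONE_NETWORK),
                       ("security group, inbound rule only", SECURITY_GROUP)]:
        print(f"{name}: request/reply admitted = {rdp_session_outcome(filt)}")
```

The third NACL also shows the stateless property from the other side: the deny rule stops the client's request, yet the outbound rule would still pass a reply packet on its own, because nothing in a NACL remembers that the request was never admitted. The outbound range 1024-65535 is used here as a constructed example of an ephemeral-port rule; the exact client port range depends on the client operating system.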
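Questions 9, 14 and 22 explain long polling as a cost control: with `WaitTimeSeconds` above 0, a `ReceiveMessage` call is held open (at most 20 seconds) until a message arrives, instead of returning an empty response at once. The simulation below is an added example, not part of the exam and not an SQS client; `simulate_polling` and the message arrival times are constructed for the illustration. It replays a consumer loop against a queue that receives four messages in a minute and counts how many `ReceiveMessage` calls, and how many empty responses, each wait setting produces.

```python
def simulate_polling(arrivals, wait_time_seconds, horizon=60, retry_gap=1):
    """Replay a consumer loop against a queue whose messages arrive at the given
    (constructed) second offsets.  Returns (requests, empty_responses, delivered).

    wait_time_seconds == 0 models short polling: an empty response comes back at
    once and the consumer retries after retry_gap seconds.  A value above 0 models
    long polling: the call blocks until a message arrives or the wait expires, and
    the consumer re-polls immediately afterwards."""
    if not 0 <= wait_time_seconds <= 20:        # 20 s is the SQS long-polling maximum
        raise ValueError("WaitTimeSeconds must be between 0 and 20")
    if retry_gap <= 0:
        raise ValueError("retry_gap must be positive")
    pending = sorted(arrivals)
    now = 0
    requests = empty = delivered = 0
    while now < horizon:
        requests += 1                           # one ReceiveMessage API call
        if pending and pending[0] <= now:
            pending.pop(0)                      # a message is already waiting
            delivered += 1
            continue
        deadline = now + wait_time_seconds
        if pending and pending[0] <= deadline:
            now = pending.pop(0)                # long poll returns as soon as it arrives
            delivered += 1
            continue
        empty += 1                              # nothing arrived within the wait window
        now = deadline + (retry_gap if wait_time_seconds == 0 else 0)
    return requests, empty, delivered


# Constructed arrival pattern: a few messages in a sixty-second window.
ARRIVALS = [5, 12, 13, 40]


def compare_polling(arrivals=ARRIVALS):
    """Same traffic, three wait settings; the message count delivered is identical,
    only the number of API calls (the billed unit) changes."""
    return {wait: simulate_polling(arrivals, wait) for wait in (0, 5, 20)}


if __name__ == "__main__":
    for wait, (requests, empty, delivered) in compare_polling().items():
        print(f"WaitTimeSeconds={wait:>2}: {requests:>3} requests, "
              f"{empty:>3} empty responses, {delivered} messages delivered")
```

In a real queue the setting is `ReceiveMessageWaitTimeSeconds` on the queue (applies to every consumer) or `WaitTimeSeconds` on an individual `ReceiveMessage` call, as the answers above describe; the simulation only models the timing those values control.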