AWS Certified Solutions Architect Associate (SAA02) – Free Practice Tests

Explanation

By using Amazon S3 analytics storage class analysis you can analyze storage access patterns to help you decide when to transition the right data to the right storage class. This new Amazon S3 analytics feature observes data access patterns to help you determine when to transition less frequently accessed STANDARD storage to the STANDARD_IA (IA, for infrequent access) storage class.

Explanation

S3 bucket access control lists are a legacy access control mechanism, created before IAM existed. S3 bucket ACLs are best used for a limited set of use cases

Explanation

Amazon VPC provides two features that you can use to increase security for your VPC: Security groups–Act as a firewall for associated Amazon EC2 instances, controlling both inbound and outbound traffic at the instance level. Network access control lists (ACLs)–Act as a firewall for associated subnets, controlling both inbound and outbound traffic at the subnet level. Security groups are stateful: (Return traffic is automatically allowed, regardless of any rules) Network ACLs are stateless: (Return traffic must be explicitly allowed by rules)

Explanation

The conditions section of a CloudFormation template defines conditions that control whether certain resources are created or whether certain resource properties are assigned a value during stack creation or update. For example, you could conditionally create a resource that depends on whether the stack is for a production or test environment

Explanation

Security Groups are essentially stateful firewalls at the instance level. Security Groups are associated with instances at launch time, and restrict or allow traffic based on port, protocol, and source/destination.

Explanation

The data is durable because EBS snapshots are stored on the Amazon S3 standard storage class.
You cannot schedule snaphots in the AWS Console.

Explanation

Most of these choices improve the responsiveness of CloudWatch in some way, but the aspect of this question is improving the responsiveness of CloudWatch alarms you have already implemented. This means you are not interested in additional metric information outside of the custom metrics you’ve already created in CloudWatch, and any features that increase responsiveness to metrics other than what you want will not be beneficial.

So, creating CloudWatch Log metric filters for default RDS metrics will not help, even though this can provide 1-second granularity, it is unlikely the logs will indicate overall latency and throughput of reads and writes, as these performance metrics are not related to specific API calls, but rather general database performance.

Performance Insights allow you to review and analyze your RDS database performance overall, but is not ideal for identifying a performance issue in real-time.

Enabling Enhanced monitoring does provide increased insight into RDS database performance, and with the increased granularity of 5 seconds instead of 60 seconds, or potentially even 1-second granularity through CloudWatch Log Streams. However, Enhanced Monitoring provides specific operating system metrics and other performance metrics, and would not apply to the custom metric you have created using CloudWatch.

Enabling Detailed Monitoring will increase the delivery of average metrics from every 5 minutes to every minute, and this will apply to your custom metrics as well.

In addition, creating a Route 53 CloudWatch Alarm Health Check will monitor the transmission of data to CloudWatch, and can effectively alert you before the CloudWatch alarm is even triggered.

Explanation

Failing to accurately estimate your costs before migration and during the migration process is a recipe for disaster. To build a migration model for optimal efficiency, it is important to accurately understand the current costs of running on-premises applications, as well as the interim costs incurred during the transition

Explanation

Amazon Glacier and S3 Standard-IA are both designed for storing infrequently accessed data. This is why the data storage fees are roughly one-half to one-sixth the cost of Standard Storage. Retrieval fees will quickly add up if the data is retrieved too often, so planning or correctly setting your object lifecycle based on how often you or your company will need the data is important.

Explanation

By default, a target starts to receive its full share of requests as soon as it is registered with a target group and passes an initial health check. Using slow start mode gives targets time to warm up before the load balancer sends them a full share of requests.

Increasing the maximum threshold for your auto scaling group will allow you to process more requests.

Explanation

When you purchase a Reserved Instance, choose a payment option, term, and an offering class that suits your needs. Generally speaking, you can save more money choosing Reserved Instances with a higher upfront payment. There are three payment options (No Upfront, Partial Upfront, All Upfront), two-term lengths (one-year or three-years), and two offering classes (Convertible and Standard). Convertible RIs offer up to a 55% discount, while Standard offers up to a 75% discount. No Upfront and Partial Upfront Reserved Instances are billed for usage on an hourly basis, regardless of whether they are being used. All Upfront Reserved Instances have no additional hourly charges.

Explanation

You can create a VPC with an instance tenancy of dedicated to ensure that all instances launched into the VPC are dedicated instances. Alternatively, you can specify the tenancy of the instance during launch

Explanation

There are some issues that could cause EC2 instances in a VPC to be unable to reach the Internet, including the following. An Internet Gateway must be attached to the VPC for a public subnet. Ingress and egress for Security Groups and Access Control Lists must be correct. EC2 instances in a private subnet need a NAT instance or a NAT Gateway, and for a NAT instance’s source/destination checks must be turned off. EC2 instances in a public subnet must have a route to the Internet Gateway in the route table

Explanation

An archive is a durably stored block of information. You store your data in Amazon Glacier as archives. You may upload a single file as an archive, but your costs will be lower if you aggregate your data. TAR and ZIP are common formats that customers use to aggregate multiple files into a single file before uploading to Amazon Glacier. The total volume of data and number of archives you can store are unlimited. Individual Amazon Glacier archives can range in size from 1 byte to 40 terabytes. The largest archive that can be uploaded in a single upload request is 4 gigabytes. For items larger than 100 megabytes, customers should consider using the Multipart upload capability. Archives stored in Amazon Glacier are immutable, i.e. archives can be uploaded and deleted but cannot be edited or overwritten.

Explanation

Both instance status checks and health checks must be enabled before unhealthy instances will be terminated. It is critical that you test not only the saturation and breaking points but also the “normal” traffic profile you expect

Explanation

Amazon RDS Read Replicas provide enhanced performance and durability for database (DB) instances. This replication feature makes it easy to elastically scale out beyond the capacity constraints of a single DB Instance for read-heavy database workloads. You can create one or more replicas of a given source DB Instance and serve high-volume application read traffic from multiple copies of your data, thereby increasing aggregate read throughput. Read replicas can also be promoted when needed to become standalone DB instances.

Read replicas in different regions are available in Amazon RDS for MYSQL, MariaDB, PostgreSQL, Oracle, and Aurora

Explanation

If an EBS volume is attached to a running EC2 instance, the user needs to detach the volume from the original instance and then attach it to a new running instance. The user doesn’t need to stop or terminate the original instance.

Explanation

The TCO (Total Cost of Ownership) Calculator is used to calculate savings given information about the user’s current environment.

Explanation

To better control scale-out events, you can create a step scaling policy that dictates different levels of scaling based on different utilization levels of a metric you’ve selected.

Adjusting the cooldown period also minimizes the likelihood of scaling out again before the instances that were deployed in a previous scale out event have had time to warm up and handle requests to their full capability.

Explanation

When you create a default VPC, the following components are created with it:

Explanation

Amazon Relational Database Service (Amazon RDS) is a managed service that makes it easy to set up, operate, and scale a relational database in the cloud. It provides cost-efficient and resizable capacity, while managing time-consuming database administration tasks, freeing you up to focus on your applications and business. When you create or modify your DB Instance to run as a Multi-AZ deployment, Amazon RDS automatically provisions and maintains a synchronous “standby” replica in a different Availability Zone. Updates to your DB Instance are synchronously replicated across Availability Zones to the standby in order to keep both in sync and protect your latest database updates against DB Instance failure. During certain types of planned maintenance, or in the unlikely event of DB Instance failure or Availability Zone failure, Amazon RDS will automatically failover to the standby so that you can resume database writes and reads as soon as the standby is promoted. Since the name record for your DB Instance remains the same, your application can resume database operation without the need for manual administrative intervention. With Multi-AZ deployments, replication is transparent: you do not interact directly with the standby, and it cannot be used to serve read traffic. If you are using Amazon RDS for MySQL and are looking to scale read traffic beyond the capacity constraints of a single DB Instance, you can deploy one or more Read Replicas

Explanation

Auto scaling provides redundancy for a single server with the option of launching a configuration using the attributes from a running instance. When you use this option, auto scaling copies the attributes from the specified instance into a template from which you can launch one or more auto scaling groups.

Explanation

Amazon S3 stores objects according to their storage class. There are technically four major storage classes: Standard, Standard – Infrequent Access, Reduced Redundancy Storage (RRS) and Glacier.

Standard is for Amazon S3 and provides very high durability. Standard – Infrequent Access is designed for with a minimum data amount required and paid storage for at least 30 days. Glacier is for archival and the files are not available over the internet. Reduced Redundancy Storage is for less critical files.

S3 OneZone IA is a variation of Standard-IA, which offers data archival at a reduced price, but also with less durability because the data within this class is stored within a single availability zone rather than spread throughout all availability zones within the S3 buckets region, as it is with S3 Standard storage.

Explanation

Regarding Amazon Route 53, if your application is running on Amazon EC2 instances in two or more Amazon EC2 regions, and if you have more than one Amazon EC2 instance in one or more regions, you can use latency-based routing to route traffic to the correct region and then use weighted resource record sets to route traffic to instances within the region based on weights that you specify

Explanation

DynamoDB supports two types of secondary indexes: Local secondary index –an index that has the same hash key as the table, but a different range key. A local secondary index is “local” in the sense that every partition of a local secondary index is scoped to a table partition that has the same hash key. Global secondary index –an index with a hash and range key that can be different from those on the table. A global secondary index is considered “global” because queries on the index can span all of the data in a table, across all partitions

Explanation

You can reduce EC2 spend by migrating to reserved/spot instances, eliminating/shrinking unused resources, or consolidating AWS accounts (to qualify for volume discounts). The paying account’s use of consolidated billing can benefit from volume pricing discounts gained thru aggregate account usage.

Explanation

The Total Cost of Ownership (TCO) Calculator is a free service offered by AWS to allow you to compare the cost of on-premises servers and AWS cloud services. It requires users to answer a short series of questions and then provides a detailed report on the potential AWS cloud environment that would mirror their on-premise systems.

Explanation

Within Amazon EC2, when using a Linux instance, the device name /dev/sda1 is reserved for the root device.

Explanation

EC2 instance store volumes can be added as additional volumes to certain EBS-backed EC2 Instance types. Any data on the instance store volumes persists as long as the instance is running, but this data is deleted when the instance is terminated or if it fails (such as if an underlying drive has issues).

Explanation

The user cannot authorize an Amazon EC2 security group if it is in a different AWS Region than the RDS DB instance. The user can authorize an IP range or specify an Amazon EC2 security group in the same region that refers to an IP address in another region. In this case allow IP of US West inside US East’s security group and open the RDS security group for US East region.

Explanation

To enable access to or from the Internet for instances in a VPC subnet, you must do the following:

Explanation

Auto Scaling can start and stop the instance at a pre-defined time. Here, the total running time is unknown. Thus, the user has to use the CloudWatch alarm, which monitors the CPU utilization. The user can create an alarm that is triggered when the average CPU utilization percentage has been lower than 10 percent for 24 hours, signaling that it is idle and no longer in use. When the utilization is below the threshold limit, it will terminate the instance as a part of the instance action.

Explanation

DynamoDB tables are portioned based on the following: First, calculate total RCU/3000 + total WCU/1000. Then calculate the total size/10 GB. Then round up the higher of the two results.

Explanation

Amazon RDS provides high availability and failover support for DB instances using Multi-AZ deployments. Multi-AZ deployments for Oracle, PostgreSQL, MySQL, and MariaDB DB instances use Amazon technology, while SQL Server DB instances use SQL Server Mirroring.

Explanation

Resource-based permissions are permissions you attach directly to a resource. Resource-level permissions refer to the ability to specify not just what actions users can perform, but which resources they’re allowed to perform those actions on. Resource-based policies are inline only, not managed. You can specify resource-based permissions for Amazon S3 buckets, Amazon Glacier vaults, Amazon SNS topics, Amazon SQS queues, and AWS Key Management Service encryption keys.

Explanation

To prevent the public DNS address for your instance from changing and breaking your installation, you can associate an Elastic IP address (EIP) to the instance you are using. You need to allocate an Elastic IP address for that instance (the first association is free). If you own a domain name and you want to use it for your blog, you can update the DNS record for the domain name to point to your EIP address. If you don’t already have a domain name for your blog, you can register a domain name with Amazon Route 53 and associate your instance’s EIP address with your domain name.

Explanation

If a IAM user is trying to perform some action on an object belonging to another AWS user’s bucket, S3 will verify whether the owner of the IAM user has given sufficient permission to him. It also verifies the policy for the bucket as well as the policy defined by the object owner.

Explanation

You can use geo restriction, also known as geoblocking, to prevent users in specific geographic locations from accessing content that you’re distributing through a CloudFront web distribution.

To use geo restriction, you have two options:

Explanation

A Reserved Instance (RI) is an EC2 offering that provides you with a significant discount on EC2 usage when you commit to a one-year or three-year term. You can modify the Availability Zone of the RI, change the scope of the RI from Availability Zone to region (and vice-versa), change the network platform from EC2-VPC to EC2-Classic (and vice versa) or modify instance sizes within the same instance family (on the Linux/Unix platform).

Explanation

Amazon Web Services has massive hardware resources at its data centers, but they are finite. The best way for users to maximize their access to these resources is by reserving a portion of the computing capacity that they require. This can be done through reserved instances. With reserved instances, the user literally reserves the computing capacity in the Amazon Web Services cloud.

Explanation

Backup and restore, as defined in the “Using Amazon Web Services for Disaster Recovery” white paper, is most like traditional off-site backup replication. You can leverage services such as Amazon S3 or Amazon Storage Gateway to provide a backup replication target and Amazon EC2 can be used to restore access to your applications. This strategy for disaster recovery is the slowest of all AWS DR strategies.

Explanation

Security Groups are essentially stateful firewalls at the instance level. Security Groups are associated with instances at launch time, and restrict or allow traffic based on port, protocol, and source/destination.

Explanation

It is critical before making any major changes to your health checks to verify whether you can connect manually to the EC2 instances in question. Once you’ve verified you can connect to them manually, you can begin altering the health check settings.

Explanation

In AWS EC2, while configuring a security group, the user needs to specify the IP address in CIDR notation. The CIDR IP range 10.20.30.40/32 says it is for a single IP 10.20.30.40. If the user specifies the IP as 10.20.30.40 only, the security group will not accept and ask it in a CIDR format

Explanation

The user may want to stop the automated scaling processes on the Auto Scaling groups either to perform manual operations or during emergency situations. To perform this, the user can suspend one or more scaling processes at any time. Once it is completed, the user can resume all the suspended processes.

Explanation

An instance store provides temporary block-level storage for your instance. This storage is located on disks that are physically attached to the host computer. Instance store is ideal for temporary storage of information that changes frequently, such as buffers, caches, scratch data, and other temporary content, or for data that is replicated across a fleet of instances, such as a load-balanced pool of web servers.

Data in the instance store is lost under the following circumstances:

• The underlying disk drive fails
• The instance stops
• The instance terminates

If the instance reboots (either intentionally or unintentionally) the data persists.

Explanation

A prolonged grace period and a larger number of instances will solve these issues. You can use scaling policies to increase or decrease the number of running EC2 instances in your group automatically to meet changing conditions. When the scaling policy is in effect, the Auto Scaling group adjusts the desired capacity of the group and launches or terminates the instances as needed. If you manually scale or scale on a schedule, you must adjust the desired capacity of the group for the changes to take effect.

Explanation

Public and private subnets, except for the default VPC, do not automatically have Internet access enabled. To enable access to or from the Internet for instances in a VPC subnet, you must do the following:

Explanation

If you stop the instances you will not be charged and the data will still be kept. If you terminate the instances you will lose all your data. If you take a snapshot of all the instances and then terminate all the instances you will not be charged but will still have all your data in the snapshot which can be restored later.

Explanation

Implementing a Route 53 Calculated Health Check is the best solution in this case because it aggregates all of the individual health checks. Integrating QuickSight and CloudTrail will create an effective dashboard, but this is not an automated solution because someone has to continuously check the dashboard.

You can also create a CloudWatch Log log alarm, but this would be overly complex compared to the Calculated Health Checks.

For example, let’s say you have deployed 15 EC2 instances, and created 15 separate Route 53 health checks to monitor each one. While you are concerned about each instance’s performance, you essentially need 10 of the 15 instances to be healthy for your system to run properly. Rather than setting up SNS notifications for each individual health check, you can create a calculated health check that collects the results of each health check into a single count between 0-15, and compares that count to a threshold you’ve set. In this case, the threshold could be 10. Now, if 10 instances are healthy, the calculated health check comes back healthy. If less than 10 instances are healthy, the health check comes back unhealthy.For example, let’s say you have deployed 15 EC2 instances, and created 15 separate Route 53 health checks to monitor each one. While you are concerned about each instance’s performance, you essentially need 10 of the 15 instances to be healthy for your system to run properly. Rather than setting up SNS notifications for each individual health check, you can create a calculated health check that collects the results of each health check into a single count between 0-15, and compares that count to a threshold you’ve set. In this case, the threshold could be 10. Now, if 10 instances are healthy, the calculated health check comes back healthy. If less than 10 instances are healthy, the health check comes back unhealthy.

Explanation

An application load balancer configured to use the HTTPS or SSL protocol with back-end authentication enabled fails public key authentication it’s probable that the public key on the SSL certificate does not match the public key configured on the load balancer. You might need to update your SSL certificate. If your SSL certificate is current, try re-installing it on your load balancer.

Explanation

Amazon EBS provides three volume types: General Purpose SSD, Provisioned IOPS SSD, and Magnetic.

General Purpose SSD volumes are the default EBS volume type for Amazon EC2 instances.

GP2 volumes smaller than 1 TB can burst up to 3,000 IOPS. I/O is included in the price of gp2, so you pay only for each GB of storage you provision. GP2 is designed to deliver the provisioned performance 99% of the time. If you need a greater number of IOPS than gp2 can provide, or if you have a workload where low latency is critical or you need better performance consistency, we recommend that you use io1.

Explanation

AWS is responsible for the security of the cloud in general, in areas such data security and protection against IP spoofing. The customer is responsible for security in the cloud in areas such as data encryption, installing security patches on EC2 instances, and IAM best practices. It is very important to understand this concept to avoid any lapses in your security measures.

Explanation

Amazon Simple Queue Service (SQS) is a highly reliable distributed messaging system for storing messages as they travel between computers. By using Amazon SQS, developers can simply move data between distributed application components. It is used to achieve compartmentalization or loose coupling. In this case all the modules will send a message to the logger queue and the data will be processed by queue as per the resource availability.

Explanation

When you create a snapshot of a Throughput Optimized HDD (st1) or Cold HDD (sc1) volume, performance may drop as far as the volume’s baseline value while the snapshot is in progress. This behavior is specific to these volume types.

Explanation

Using IAM, you apply permissions to IAM users, groups, and roles by creating policies. You can create two types of IAM policies: Managed Policies and Inline Policies. Managed policies are standalone policies that you can attach to multiple users, groups, and roles in your AWS account. Managed policies apply only to identities (users, groups, and roles) – not resources. Inline policies are policies that you create and manage, and that are embedded directly into a single user, group, or role.

Explanation

An Elastic IP address is associated with your AWS account. With an Elastic IP address, you can mask the failure of an instance or software by rapidly remapping the address to another instance in your account. You can disassociate an Elastic IP address from a resource, and reassociate it with a different resource. A disassociated Elastic IP address remains allocated to your account until you explicitly release it. An Elastic IP address is for use in a specific region only.

Explanation

Your VPC automatically comes with a modifiable default Network ACL. By default, it allows all inbound and outbound IPv4 traffic and, if applicable, IPv6 traffic. You can create a custom Network ACL and associate it with a subnet. By default, each custom Network ACL denies all inbound and outbound traffic until you add rules. Each subnet in your VPC must be associated with a network ACL. If you don’t explicitly associate a subnet with a network ACL, the subnet is automatically associated with the default network ACL.

AWS WAF could meet the same security requirements, but would add considerably more cost to your overall budget

Explanation

In Elastic Beanstalk, you can create a load-balancing, autoscaling environment or a single-instance environment. The type of environment that you require depends on the application that you deploy. For example, you can develop and test an application in a single-instance environment to save costs and then upgrade that environment to a load-balancing, autoscaling environment when the application is ready for production.

Explanation

When you create a VPC, you must specify a range of IPv4 addresses for the VPC in the form of a Classless Inter-Domain Routing (CIDR) block; for example, 10.0.0.0/16. The first four IP addresses and the last IP address in each subnet CIDR block are not available for you to use, and cannot be assigned to an instance. AWS reserves the first four addresses and the last address in a CIDR block, so be sure to subtract five to give the number of addresses in a CIDR block available for use

Explanation

With AWS CloudTrail, you can get a history of AWS API calls for your account, including API calls made via the AWS Management Console, the AWS SDKs, the command line tools, and higher-level AWS services. You can also identify which users and accounts called AWS APIs for services that support CloudTrail, the source IP address the calls were made from, and when the calls occurred. You can identify which users and accounts called AWS for services that support CloudTrail, the source IP address the calls were made from, and when the calls occurred. You can integrate CloudTrail into applications using the API, automate trail creation for your organization, check the status of your trails, and control how administrators turn CloudTrail logging on and off.

Explanation

Your VPC automatically comes with a default security group. Each EC2 instance that you launch in your VPC is automatically associated with the default security group if you don’t specify a different security group when you launch the instance.  The default security group disallows all inbound traffic and allows all outbound traffic. However, the rules for a default security group can be changed.

Explanation

The key is that the requirement is for high availability at the web-tier. While multi-AZ deployments and cross-region replication can contribute to high availability, they are each at the storage tier. Route 53 with Health Checks and Failover, Elastic Load Balancer (with health checks and various forms of load balancing, and auto scaling groups create high availability at the web tier.

Explanation

When you purchase a Reserved Instance, choose a payment option, term, and an offering class that suits your needs. Generally speaking, you can save more money choosing Reserved Instances with a higher upfront payment. There are three payment options (No Upfront, Partial Upfront, All Upfront), two-term lengths (one-year or three-years), and two offering classes (Convertible and Standard). Convertible RIs offer up to a 55% discount, while Standard offers up to a 75% discount. No Upfront and Partial Upfront Reserved Instances are billed for usage on an hourly basis, regardless of whether they are being used. All Upfront Reserved Instances have no additional hourly charges.

Explanation

The pricing of SQS is as follows: You pay only for what you use, and there is no minimum fee. The cost of Amazon SQS is calculated per request, plus data transfer charges for data transferred out of Amazon SQS. The Amazon SQS Free Tier provides you with 1 million requests per month at no charge. Many small-scale applications are able to operate entirely within the limits of the Free Tier. However, data transfer charges might still apply.

Explanation

Your VPC has an implicit router and a main route table that you can modify. Each subnet you create must be associated with a route table. Adding an internet gateway and adding a route to that IGW facilitates traffic out to the Internet for a public subnet. NAT instance and NAT gateways are provided to allow instances in private subnets to gain internet access

Explanation

The user may want to stop the automated scaling processes on the Auto Scaling groups either to perform manual operations or during emergency situations. To perform this, the user can suspend one or more scaling processes at any time. When the process is suspended and the user changes the desired capacity, the changes will take effect, but Auto Scaling will not be executed. Thus, the scaling activity will not happen even though there is a difference between the desired capacity and the current capacity.

Explanation

Amazon RDS Read Replicas provide enhanced performance and durability for database (DB) instances. This replication feature makes it easy to elastically scale out beyond the capacity constraints of a single DB Instance for read-heavy database workloads. You can create one or more replicas of a given source DB Instance and serve high-volume application read traffic from multiple copies of your data, thereby increasing aggregate read throughput. Read replicas can also be promoted when needed to become standalone DB instances.

Read replicas in different regions are available in Amazon RDS for MYSQL, MariaDB, PostgreSQL, Oracle, and Aurora

Explanation

To host a static website, the user needs to configure an Amazon S3 bucket for website hosting and then upload the website contents to the bucket. The website is then available at the region-specific website endpoint of the bucket.

If the user has an index.html object as part of the bucket, the user can always host it without the website hosting feature. However, it will require an absolute URL of the object. In this case the user can access the whole bucket as a website and need not refer individual objects separately.

Explanation

Lazy loading keeps the cache up to date based only on requests, which avoids filling up the cache needlessly, but if data is only written to the cache when there is a cache miss, data in the cache can become stale since there are no updates to the cache when data is changed in the database. This issue is addressed by using lazy loading in conjunction with write through, which adds data or updates data in the cache whenever data is written to the database. You may also use CloudFront to optimize your caching. By default, CloudFront doesn’t consider headers when caching your objects in edge locations. If your origin returns two objects and they differ only by the values in the request headers, CloudFront caches only one version of the object

Explanation

EC2 Auto Recovery can detect any condition that will cause a system status check to fail, including hypervisor problems or loss of power/network connectivity.

Explanation

The key benefit of launch templates is their capability to support multiple instance types and purchase types within the same template.

Explanation

Explanation

Amazon S3 supports several mechanisms that give you flexibility to control who can access your data as well as how, when, and where they can access it. Amazon S3 provides four different access control mechanisms: AWS Identity and Access Management (IAM) policies, Access Control Lists (ACLs), bucket policies, and query string authentication. IAM enables organizationsto create and manage multiple users under a single AWS account. With IAM policies, you can grant IAM users fine-grained control to your Amazon S3 bucket or objects. You can use ACLs to selectively add (grant) certain permissions on individual objects. Amazon S3 bucket policies can be used to add or deny permissions across some or all of the objects within a single bucket. With Query string authentication, you have the ability to share Amazon S3 objects through URLs that are valid for a specified period of time.

Explanation

AWS Storage Gateway enables applications that are clustered using Windows Server Failover Clustering (WSFC) to use the iSCSI initiator to access a gateway’s volumes. However, connecting multiple hosts to the same iSCSI target is not supported. When using Red Hat Enterprise Linux (RHEL), you use the iscsi-initiator-utils RPM package to connect to your gateway iSCSI targets (volumes or VTL devices).

Explanation

There are some issues that could cause EC2 instances in a VPC to be unable to reach the Internet, including the following. An Internet Gateway must be attached to the VPC for a public subnet. Ingress and egress for Security Groups and Access Control Lists must be correct. EC2 instances in a private subnet need a NAT instance or a NAT Gateway, and for a NAT instance’s source/destination checks must be turned off. EC2 instances in a public subnet must have a route to the Internet Gateway in the route table

Explanation

Amazon SQS is a distributed queuing system that is optimized for horizontal scalability, not for single-threaded sending or receiving speeds. A single client can send or receive Amazon SQS messages at a rate of about 5 to 50 messages per second. Higher receive performance can be achieved by requesting multiple messages (up to 10) in a single call. It may take several seconds before a message that has been to a queue is available to be received.