Question: Which of the following are characteristics of Amazon VPC subnets? (Choose 2 answers)
A. Each subnet maps to a single Availability Zone
B. A CIDR block mask of /25 is the smallest range supported
C. Instances in a private subnet can communicate with the internet only if they have an Elastic IP
D. By default, all subnets can route between each other, whether they are private or public
E. Each subnet spans at least 2 Availability Zones to provide a high-availability environment

Explanation:
- B is wrong: /28 is the smallest
- C is wrong: a private subnet should reach the internet via a NAT (an EIP only works in a public subnet)
- E is wrong: a subnet can only map to ONE AZ (it cannot span multiple)
Q. Within which Amazon EC2 region(s) is Amazon VPC available? Amazon VPC is currently available in multiple Availability Zones in all Amazon EC2 regions.
Q. Can a VPC span multiple Availability Zones? Yes.
Q. Can a subnet span Availability Zones? No. A subnet must reside within a single Availability Zone.

Currently, Amazon VPC supports VPCs between /28 (in CIDR notation) and /16 in size. The IP address range of your VPC should not overlap with the IP address ranges of your existing network.

Q. Is there a limit on how large or small a subnet can be? The minimum size of a subnet is a /28 (or 14 IP addresses). Subnets cannot be larger than the VPC in which they are created.

With a default VPC, Amazon DHCP gives the instances a private IP, which cannot be routed out from the AWS internet gateway (this device looks like IGW-xxxxxxx in the console). So unless the AWS instances route to the internet through the IPsec tunnel gateway (which looks like VGW-xxxxxx), there are two ways to allow connectivity out to the internet:
1) Give VPC instances public Elastic IPs, ensure a default route to the Amazon internet gateway, then add a route for your private LAN to the IPsec termination gateway.
2) Set up a second instance with iptables masquerading, and then have the default route point to that device, while keeping the private LAN route to the IPsec termination point (back to your office).
With #1, if instances have a public EIP, then they may be connected to from the internet if you are not careful with security groups. With #2, all traffic is limited by the masquerading instance, which is then a point of failure (by using Amazon's internet gateway, I'm sure they use VRRP/HSRP/CARP/etc., so it's HA). Also, although it has not happened to me personally, the private IP of the masquerading box could change, and so you would need to update the DHCP lease info, and then force/wait to renew instance leases.
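The VPC and subnet limits quoted from the FAQ above (VPC between /16 and /28, subnet no smaller than /28 and contained in its VPC, no overlap with the existing network) as a pre-flight check. This is an added example, not part of the original page; the CIDRs used are constructed samples.

```python
import ipaddress

# Limits quoted from the FAQ above: VPC prefixes between /16 and /28,
# a subnet no smaller than /28 and no larger than its VPC (so it cannot
# leave its Availability Zone), and no overlap with the existing network.
MIN_PREFIX = 16
MAX_PREFIX = 28


def check_vpc_cidr(vpc_cidr, existing_networks=()):
    """Return a list of problems with a proposed VPC CIDR (empty means OK)."""
    problems = []
    vpc = ipaddress.ip_network(vpc_cidr)  # strict: host bits must be zero
    if not MIN_PREFIX <= vpc.prefixlen <= MAX_PREFIX:
        problems.append(f"{vpc}: prefix /{vpc.prefixlen} is outside /16../28")
    for net in existing_networks:
        if vpc.overlaps(ipaddress.ip_network(net)):
            problems.append(f"{vpc}: overlaps existing network {net}")
    return problems


def check_subnet_cidr(vpc_cidr, subnet_cidr, other_subnets=()):
    """Return a list of problems with a subnet proposed for the given VPC."""
    problems = []
    vpc = ipaddress.ip_network(vpc_cidr)
    subnet = ipaddress.ip_network(subnet_cidr)
    if subnet.prefixlen > MAX_PREFIX:
        problems.append(f"{subnet}: smaller than the /28 minimum")
    if not subnet.subnet_of(vpc):
        problems.append(f"{subnet}: not contained in VPC {vpc}")
    for other in other_subnets:
        if subnet.overlaps(ipaddress.ip_network(other)):
            problems.append(f"{subnet}: overlaps existing subnet {other}")
    return problems


if __name__ == "__main__":
    # Constructed sample: a /16 VPC beside a 192.168.0.0/16 office LAN.
    print(check_vpc_cidr("10.0.0.0/16", ["192.168.0.0/16"]))   # []
    print(check_vpc_cidr("10.0.0.0/8", ["10.10.0.0/16"]))      # two problems
    print(check_subnet_cidr("10.0.0.0/16", "10.0.1.0/24"))     # []
    print(check_subnet_cidr("10.0.0.0/16", "10.0.1.0/29"))     # too small
    print(check_subnet_cidr("10.0.0.0/16", "10.0.1.128/25", ["10.0.1.0/24"]))
```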
Question: When an EC2 instance that is backed by an S3-based AMI is terminated, what happens to the data on the root volume?
1. Data is automatically saved as an EBS volume.
2. Data is automatically saved as an EBS snapshot.
3. (option text not present on the page)
4. Data is unavailable until the instance is restarted.
Explanation: Instances that use instance stores for the root device automatically have instance store volumes available, with one serving as the root device volume. When an instance is launched, the image that is used to boot the instance is copied to the root volume (typically sda1). Any data on the instance store volumes persists as long as the instance is running, but this data is deleted when the instance is terminated (instance store-backed instances do not support the Stop action) or if it fails (such as if an underlying drive has issues). After an instance store-backed instance fails or terminates, it cannot be restored. If you plan to use Amazon EC2 instance store-backed instances, we highly recommend that you distribute the data on your instance stores across multiple Availability Zones. You should also back up the data on your instance store volumes to persistent storage on a regular basis.
We recommend that you use AMIs backed by Amazon EBS, because they launch faster and use persistent storage.
Question: You are creating an Auto Scaling group whose instances need to insert a custom metric into CloudWatch. Which method would be the best way to authenticate your CloudWatch PUT request?
1. Create an IAM role with the PutMetricData permission and modify the Auto Scaling launch configuration to launch instances in that role
2. Create an IAM user with the PutMetricData permission and modify the Auto Scaling launch configuration to inject the user's credentials into the instance User Data
3. (option text not present on the page)
4. Create an IAM user with the PutMetricData permission, put the credentials in a private repository, and have applications on the server pull the credentials as needed
Explanation: Amazon CloudWatch integrates with AWS Identity and Access Management (IAM) so that you can specify which CloudWatch actions a user in your AWS Account can perform. For example, you could create an IAM policy that gives only certain users in your organization permission to use GetMetricStatistics. They could then use the action to retrieve data about your cloud resources. You can't use IAM to control access to CloudWatch data for specific resources. For example, you can't give a user access to CloudWatch data for only a specific set of instances or a specific LoadBalancer. Permissions granted using IAM cover all the cloud resources you use with CloudWatch. In addition, you can't use IAM roles with the Amazon CloudWatch command line tools.
Although you can only access instance metadata and user data from within the instance itself, the data is not protected by cryptographic methods. Anyone who can access the instance can view its metadata. Therefore, you should take suitable precautions to protect sensitive data (such as long-lived encryption keys). You should not store sensitive data, such as passwords, as user data.
An IAM role is the right answer, as that is the secure way to give an EC2 instance the permissions it needs to call AWS services without placing credentials on the instance.
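The role-based answer above, as an added example that is not part of the original question set: the two policy documents the instance role needs (trust policy for EC2, permission policy narrowed to PutMetricData in one custom namespace), plus a small check that flags static access keys embedded in launch user data, the anti-pattern in option 2 that the explanation warns against. The namespace "MyApp" and both user-data samples are constructed assumptions; the keys in them are not real.

```python
import re

# Trust policy for the instance role (option 1): only the EC2 service can
# assume it, via the instance profile attached by the launch configuration.
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

def put_metric_policy(namespace):
    """Permission policy scoped to PutMetricData in one custom namespace."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "cloudwatch:PutMetricData",
            "Resource": "*",  # PutMetricData has no resource-level ARN; narrow by namespace
            "Condition": {"StringEquals": {"cloudwatch:namespace": namespace}},
        }],
    }

# Static-credential patterns: access key ids (AKIA = long-lived, ASIA = temporary)
# and a 40-character secret assigned to an AWS_SECRET_ACCESS_KEY-style variable.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
SECRET_KEY_RE = re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?[A-Za-z0-9/+]{40}")

def user_data_findings(user_data):
    """Describe any static AWS credentials embedded in launch user data."""
    findings = []
    for m in ACCESS_KEY_RE.finditer(user_data):
        findings.append(f"access key id {m.group(0)[:4]}... at offset {m.start()}")
    for m in SECRET_KEY_RE.finditer(user_data):
        findings.append(f"secret access key at offset {m.start()}")
    return findings

# Constructed samples (the keys are not real): option 2 versus option 1.
BAD_USER_DATA = """#!/bin/bash
export AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE01
export AWS_SECRET_ACCESS_KEY=abcdefghijklmnopqrstuvwxyz0123456789ABCD
aws cloudwatch put-metric-data --namespace MyApp --metric-name Queue --value 3
"""
GOOD_USER_DATA = """#!/bin/bash
# No keys here: the CLI/SDK fetches role credentials from instance metadata.
aws cloudwatch put-metric-data --namespace MyApp --metric-name Queue --value 3
"""
```

Running `user_data_findings(BAD_USER_DATA)` reports both the access key id and the secret, while the role-based user data yields no findings.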
1. Define the group policy and add a condition which allows the access based on the IAM name
2. Create a DynamoDB table with the same name as the IAM user name and define the policy rule which grants access based on the DynamoDB ARN using a variable
3. (option text not present on the page)
4. It is not possible to have a group level policy which allows different IAM users to different DynamoDB Tables

1. By default ELB will select the first version of the security policy
2. By default ELB will select the latest version of the policy
3. (option text not present on the page)
4. It is not required to have a security policy since SSL is already installed

1. One account by default is limited to 100 templates
2. The user can use 60 parameters and 60 outputs in a single template
3. (option text not present on the page)
4. One account by default is limited to 20 stacks

1. AWS SQS sends notification after 15 days for inactivity on queue
2. AWS SQS can delete queue after 30 days without notification
3. (option text not present on the page)
4. AWS SQS notifies the user after 2 weeks and deletes the queue after 3 weeks.