AWS Interview Questions

Prepare better with the best interview questions and answers, and walk away with top interview tips. These interview questions and answers will boost your core interview skills and help you perform better. Be smarter with every interview.



Dedicated Hosts

Explanation: With Dedicated Hosts, Amazon EC2 instances run on hardware that is dedicated to a single customer, which adheres to compliance requirements.

100 buckets. If additional buckets are required, the bucket limit can be raised by submitting a service limit increase request.

Elastic block storage provides persistent, highly available and high-performance block-level storage that could be logically attached to an EC2 instance. The storage can be formatted and mounted as a file system or the raw storage can be accessed directly.

CloudFront delivers the content directly from the origin server and stores it in the cache of the edge location.

No, it is not possible. If a subnet had multiple route tables, it would cause confusion in determining where a packet should go. Therefore, a subnet has a single route table.

While deleting a DB instance, you have the option of creating a final DB snapshot, which is recommended. RDS retains this user-created DB snapshot, along with all other manually created DB snapshots, after the instance is deleted. Automated backups are deleted; only manually created DB snapshots are retained.


Explanation: No, the standby DB instance cannot be used for read or write operations. The secondary instance is used only when the primary DB instance goes down.

Use Sticky Session and update Session Cookie value with appropriate values for how long you want the session to be persisted.

Elastic Load Balancing supports three types of load balancers: Classic, Application and Network. You can select the appropriate load balancer based on your application needs. If an application requires complex capabilities like path-based and host-based routing, the Application Load Balancer is recommended. If extreme performance and a static IP are needed for your application, we recommend the Network Load Balancer. If the application requires only basic features, the Classic Load Balancer is recommended.

Manual Scaling, Based on Demand and Based on Schedule.

Explanation: Manual Scaling is done by hand whenever the number of instances needs to be increased or decreased based on the load. Scaling can also be done automatically based on the load/demand on the EC2 instances; the maximum and minimum number of EC2 instances can be defined based on various metrics. The last option is Based on Schedule, where you define a specific duration or time during which a given minimum and maximum number of instances must be running irrespective of demand.

Connection Draining

Explanation: When ELB detects that an instance is unhealthy, it stops sending traffic to other instance and allows the in-flight requests to be completed. Connection Draining ensures that the unhealthy instance is terminated after the in-flight request and a new instance is created and traffic starts flowing into the new instance.

Enable CloudTrail to audit all activities.

Explanation: AWS CloudTrail is designed for logging all management and user activities to an S3 bucket.

Custom metrics are user-defined metrics which can be used for monitoring in CloudWatch. For example, you can create a custom metric to monitor specific application and database parameters running on an EC2

Yes, using bootstrapping scripts in CloudFormation you can install packages and services on your EC2 instances by updating the details in CloudFormation template.

Once you enable AWS Systems Manager from the AWS Systems Manager console or API, it gives an activation code and ID. Using this activation code and ID, you can run a command on your servers to register them to Systems Manager.

AWS managed policies are designed to provide permissions for many common use cases. For example, AmazonDynamoDBFullAccess and IAMFullAccess are normally assigned to system administrators and give full access to those services. AWS managed policies make it easier for you to assign appropriate permissions to users, groups, and roles than if you had to write the policies yourself.

The data keys are encrypted using a master key, which can be defined in AWS KMS. Once encrypted, a data key can only be decrypted by users with permission to use the original master key that was used to encrypt it.

SSL/TLS certificates allow web browsers to identify and establish encrypted network connections to websites using the Secure Sockets Layer/Transport Layer Security (SSL/TLS) protocol. Certificates are part of a cryptographic system known as a public key infrastructure (PKI), which provides a way for one party to establish the identity of another party using certificates if they both trust a third party, known as a certificate authority.

AWS Lambda

Explanation: AWS Lambda is a serverless service which can convert the photos to the required format by using functions. It is a compute service which makes it easy to build applications that respond quickly.

Elastic BeanStalk

Explanation: Elastic BeanStalk is a cloud deployment service that automates the process of setting up applications and handles the details of capacity provisioning, load balancing, scaling and application monitoring.

AWS Elastic Beanstalk is a PaaS, while OpsWorks is a configuration management platform. Beanstalk is an easy-to-use service for deploying and scaling web applications developed with Java, .NET, PHP, Node.js, Python, Ruby, Go and Docker. Customers upload their code and Elastic Beanstalk automatically handles the deployment. The application will be ready to use without any infrastructure or resource configuration.

On the other hand, AWS OpsWorks is an integrated configuration management platform for IT administrators or DevOps engineers who want to automate operations.


Explanation: Amazon Simple Workflow Service (Amazon SWF) makes it easy to build applications that use Amazon's cloud to coordinate work across distributed components. In Amazon SWF, a task represents a logical unit of work that is performed by a component of your workflow. Coordinating tasks in a workflow involves managing intertask dependencies, scheduling, and concurrency in accordance with the logical flow of the application.

Route 53 recordsets

Explanation: Route 53 record sets are common assets; there is no need to replicate them, since Route 53 is valid across regions.


Explanation: In Active-Active failover, all the records that have the same name, the same type (such as A or AAAA), and the same routing policy (such as weighted or latency) are active unless Route 53 considers them unhealthy.

Create separate VPCs for each environment and create VPN tunnels from the customer's office to the individual VPCs.

Explanation: This is a cheaper and secure solution, as any information passing between the customer's premises and the VPCs would be encrypted using the IPSec protocol, and each customer's environment is segregated for efficient management.

As per the Shared Responsibility Model, AWS is responsible for “Security of the Cloud” and the customer is responsible for “Security in the Cloud”.


  • Open the Amazon EC2 console, select your instance and, under the Description tab, validate the key pair name.
  • If no key pair was specified while launching the instance, terminate the instance and launch a new instance, ensuring that you specify a key pair.
  • Also, check that permissions for /home/ec2-user/.ssh/authorized_keys are limited to the owner only: chmod 400 key_filename

Assigning a fixed root password to a public AMI is a security risk and must be restricted. Password-based remote logins for the root user must be disabled. The process for disabling them is given below.

Open the /etc/ssh/sshd_config (CentOS Linux) file with a text editor and locate the following line:

#PermitRootLogin yes

Change the line to:

PermitRootLogin without-password

The location of this file varies based on the Linux distribution.
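To confirm the change actually took effect, the check below is an added example (not part of the original answer) that reads an sshd_config and reports the effective global PermitRootLogin value. The function names and the sample file are constructed for illustration. It relies on two sshd behaviours: the first uncommented occurrence of a keyword wins, and since OpenSSH 7.0 `without-password` is a deprecated alias of `prohibit-password`.

```shell
#!/bin/sh
# Added example: report the effective global PermitRootLogin in an sshd_config.
# sshd honours the first occurrence of a keyword; commented lines do not count.

effective_root_login() {
    # $1 = path to sshd_config. Prints the first uncommented global value,
    # or "unset" when the keyword is absent (sshd then uses its built-in default).
    awk '
        /^[ \t]*#/ { next }                  # skip comments such as "#PermitRootLogin yes"
        { gsub(/=/, " ") }                   # the "Keyword=value" form is also valid
        tolower($1) == "match" { exit }      # audit the global section only
        tolower($1) == "permitrootlogin" { print $2; found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

classify_root_login() {
    # Maps the effective value to a short audit verdict.
    case "$(effective_root_login "$1")" in
        no)                   echo "ok: root login disabled" ;;
        without-password|prohibit-password)
                              echo "ok: root password login disabled" ;;
        forced-commands-only) echo "ok: key-based forced commands only" ;;
        yes)                  echo "risk: root password login allowed" ;;
        unset)                echo "review: default depends on the sshd build" ;;
        *)                    echo "review: unrecognised value" ;;
    esac
}

# Constructed sample: the edit described above, followed by a stray later line
# that sshd ignores because the first occurrence wins.
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
#PermitRootLogin yes
PermitRootLogin without-password
PermitRootLogin yes
EOF
classify_root_login "$demo_cfg"
rm -f "$demo_cfg"
```

A file where the only PermitRootLogin line is still commented out reports "unset", which is the case to catch before publishing an AMI.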

Amazon S3 provides read-after-write consistency for PUTS of new objects in the S3 buckets and eventual consistency for overwrite PUTS and DELETES in all regions.

Read-After-Write Consistency:

So, if you add a new object to your bucket, you would immediately see it.

Eventual Consistency:

If you overwrite (update / delete) an existing object, it might take some time for its replicas to update, as the changes need to be propagated across AZs.

Use Amazon Data Lifecycle Manager (Amazon DLM) from the management console to automate the creation, retention, and deletion of snapshots taken to back up your Amazon EBS volumes. Also, automated backups can be deployed using AWS API or writing automation scripts in AWS CLI. The EBS snapshot should be stored on Amazon S3 and can be used for recovery of the database instance in case of any failure or downtime.

Gateway cached with snapshots saved in S3


Reference from AWS documentation:

Gateway-cached volumes let you use Amazon Simple Storage Service (Amazon S3) as your primary data storage while retaining frequently accessed data locally in your storage gateway. Gateway-cached volumes minimize the need to scale your on-premises storage infrastructure, while still providing your applications with low-latency access to their frequently accessed data. You can create storage volumes up to 32 TiB in size and attach to them as iSCSI devices from your on-premises application servers. Your gateway stores data that you write to these volumes in Amazon S3 and retains recently read data in your on-premises storage gateway’s cache and upload buffer storage

The Linux instance refers to the route table to deliver packets to the appropriate target. Details of the NAT must also be updated in the route table attached to the private subnet.


Explanation: No, since the purpose of having a standby instance is to avoid an infrastructure failure (if it happens), therefore the standby instance is stored in a different availability zone, which is a physical

VPC Endpoints must be configured to access ELB APIs from a VPC. With VPC Endpoints, the routing between the VPC and Elastic Load Balancing APIs is handled by the AWS network without the need for an internet connection.

First Method - Programmatically request temporary security credentials (GetFederationToken and AssumeRole) for federated users and include them as part of the sign-in request to the AWS Management Console. After authentication is provided using temporary security credentials, generate a sign-in token that is used by the AWS single sign-on (SSO) endpoint.

Second Method - Post a SAML assertion directly to AWS sign-in ( The user’s actions in the console are limited to the access control policy associated with the IAM role that is assumed using the SAML assertion.

Using either approach allows a federated user to access the console without having to sign in with a username and password.

Security Assertion Markup Language

Explanation: SAML identity providers are required in AWS to establish trust between a SAML-compatible IdP, such as Active Directory Federation Services, and AWS, so that users in your organization can access AWS resources. A Security Assertion Markup Language provider must be added for authentication.

