1) Select all deployment methods that never require a DNS change:
“All at Once”, Rolling, Immutable environments
Explanation
All the above do not require a DNS change except for Blue/Green. The key word is never. In Blue/Green we need to change DNS settings to point to the new environment, especially if you are using Elastic Beanstalk which currently uses DNS changes. But this is not necessary all the time. If we’re not using Elastic Beanstalk, we can reuse the ELB and only switch over the load balancer to your new auto scaling deployment once it is tested. The reason we usually want to avoid DNS changes is because they can be messy. There are multiple levels of DNS clients, and they don’t always obey time to live rules, which can cause weird issues and send users to the wrong application.
2) True or False: In-place deployment method is used for configuration management such as Chef, Puppet, Salt, or Ansible.
Explanation
In-place involves performing application updates on an instance, while disposable involves rolling out new instances and terminating older ones. For example, when thinking about in-place deployments, think about configuration management such as Chef, Puppet, Salt, or Ansible. Now, in an in-place upgrade environment where we want to maintain configuration over the lifetime of the instance, we might use something like OpsWorks. Instead, disposable upgrades involve rolling out new instances and terminating the old ones. Making changes and creating a new AMI from those changes to deploy new instances, for example. Essentially rolling out those changes using an immutable or blue/green deployment, and then destroying the old deployments.
3) ___ is an alternative to a rolling deployment and it ensure that changes which require replacing instances are applied correctly and efficiently.
Immutable environments
Explanation
Immutable is an alternative to a rolling deployment and it ensures that changes which require replacing instances are applied correctly and efficiently. For example, you create a separate environment when using an immutable deployment which adds instances to a different auto-scaling group behind the same load balancer. The new instances and the old instances will serve traffic alongside each other. Once we figure out that the new instances are healthy, then the original auto-scaling group can be terminated or shut down. So, with this, you are using two auto-scaling groups but the same load balancer.
4) Which method would you use when making changes and creating a new AMI from those changes to deploy new instances. In other words, essentially rolling out those changes using an immutable or blue/green deployment and then destroying the old deployments.
Disposable
Explanation
Disposable upgrades involve rolling out new instances and terminating the old ones.
5) Which of the following is the main problem with “All at Once” deployment?
If deployment fails, you will have downtime
Explanation
One main problem with this approach is that if the deployment fails, the application will be unavailable and you will have downtime. For you to roll back, you must revert and re-deploy to all of the instances.
6) What are examples of requirements to consider when selecting a deployment method?
Downtime, Cost , Re-usability
Explanation
Deployments are not just about deploying application and code, it’s also deploying changes to the architecture that you are using. You need to think about requirements: Can there be downtime if there is a failed deployment? Is it alright if our deployments take longer and require more resources which means they cost more, but maybe they reduce the chances of having downtime? Can we re-use instances or do we want to destroy those and start with brand new ones?
7) Which deployment method rolls out changes to a specific number or percentage of instances at a time?
Rolling
Explanation
Rolling deployment rolls out changes to a specific number or percentage of instances at a time. For example, 20% of instances will get the new code while 80% will still run the previous application version. This approach does require a little bit more time to deploy changes, since we are not doing it all at the same time. However, this can provide zero downtime because if we notice an issue with the newly deployed code, we still have functioning instances with functioning code and we can simply roll back the 20% of instances affected by the changes. We can have the load balancer stop serving traffic to those instances as well so that no one gets sent to them and gets affected by downtime.
8) True or False: DevOps is a process or methodology around deploying and managing environments.
True
Explanation
DevOps isn’t a piece of software. Instead, it’s a process and a combination of concepts around that process. That combination increases our ability to deliver applications or services faster than before.
9) How many questions are on the AWS DevOps Exam?
80
Explanation
The DevOps Engineer exam is three hours long with 80 scenario-based questions which are much more advanced than the associate-level exams.
10) With this deployment method, we create two identical stacks of the application, running in separate environments.
Blue/Green
Explanation
In Blue/Green deployment, you might have two elastic load balancers, two auto-scaling groups, and each of those would run the independent instances that have separate versions of our application. Other than that, they are identical. We do this to test the application in the same environment but isolated from production, until we have thoroughly checked the new application version and we are ready to switch over to production.
##############
1) You can modify a launch configuration after it has been created.
Correct answer
False
Explanation
You can’t modify a launch configuration after creating it, so if we want to update the launch configuration, you must create a launch configuration and then update the Auto Scaling group with that new launch configuration. After we change it out, new instances are launched with the new configuration options, but the existing instances don’t get affected. This is why we can use the OldestLaunchConfiguration to phase those out from rotation.
Further Reading
http://docs.aws.amazon.com/autoscaling/latest/userguide/LaunchConfiguration.html
2) In a recent deployment of your application you created a new AMI. Your application has an Auto Scaling group of four EC2 instances behind an Elastic Load Balancer. Your Auto Scaling group was updated with a new launch configuration that refers to the updated AMI. During the deployment, customers complained that they were receiving several errors even though all instances passed the ELB health checks. How can you prevent this from happening again?
Correct answer
Create a new launch configuration with the updated AMI and associate itwith the Auto Scaling group. Increase the size of the group to eight and when instances become healthy revert to four. If the new instances are not healthy, rollback to the previous launch configuration.
Explanation
A launch configuration is a template that an Auto Scaling group uses to launch EC2 instances. When you create a launch configuration, you specify information for the instances such as the ID of the Amazon Machine Image (AMI), the instance type, a key pair, one or more security groups, and a block device mapping. If you’ve launched an EC2 instance before, you specified the same information to launch the instance.
Further Reading
http://docs.aws.amazon.com/autoscaling/latest/userguide/LaunchConfiguration.html
3) You have an application containing health information from patients. This health information is protected under security and compliance requirements, and is required to be encrypted at rest and in transit. Your application has data that flows through a load balancer to Amazon EC2 instances with EBS volumes. Eventually, the data ends up in Amazon S3 for longer term storage. Which of the following option satisfies the security and privacy requirements?
Correct answer
Use SSL load balancing on the client side, an SSL listener on EC2 instances, EBS encryption on volumes that contain the private information, and Amazon S3 server-side encryption.
Explanation
Because we need information encrypted in transit and at rest, we need a solution that encrypts information from the client, all the way to (and including) Amazon S3. This solution is the only one that satisfies the requirement.
Further Reading
https://linuxacademy.com/cp/courses/lesson/course/298/lesson/9/module/35
4) We are currently running a two-tier architecture with a PHP application tier that contains multiple app instances under an Auto Scaling group. This group is configured using a simple scaling policy. We also have a tier with a MySQL RDS instance. The Auto Scaling group has a desired capacity of 4 instances, a minimum of 3 instances, and a maximum of 8 instances. Recently, you’ve noticed that your Auto Scaling group is not as efficient as it used to be. Instances are not being added proportionately to demand – instead, you see that more instances are being launched than are actually needed during scale out events. After further investigation, you come to the conclusion that this inefficiency started happening after someone on the Ops team modified bootstrapping actions that are executed at instance launch. What is causing this inefficiency, and how can you solve it?
Correct answer
The change made in the bootstrapping actions added additional configuration time to the instance. Because of this, Auto Scaling thinks that it needs to add more instances to react to CloudWatch alarms. In order to fix the issue, we can modify the CoolDown period to account for that increase in configuration time and prevent Auto SCaling from launching instances during the CoolDown period.
Explanation
Cooldown periods are used to ensure that Auto Scaling doesn’t launch (or terminate) more instances before the previous scaling event had time to take effect. This fits the best with our scenario, and can be more efficiently implemented than any other potential answer. Timeout periods are used with Update Policies which are covered in the CloudFormation section of this course. Also, we don’t have enough information to know whether pre-baking the AMI with all bootstrapping actions is possible – and whether it will reduce time enough to solve the problem.
5) What interval can you set Elastic Load Balancing to publish a log file for each load balancer node. Choose all that apply.
Correct answer
5 minutes, 60 minutes
Explanation
Elastic Load Balancing publishes a log file for each load balancer node at the interval you specify. You can specify a publishing interval of either 5 minutes or 60 minutes when you enable the access log for your load balancer. By default, Elastic Load Balancing publishes logs at a 60-minute interval. If the interval is set for 5 minutes, the logs are published at 1:05, 1:10, 1:15, and so on. The start of log delivery is delayed up to 5 minutes if the interval is set to 5 minutes, and up to 15 minutes if the interval is set to 60 minutes. You can modify the publishing interval at any time.
Further Reading
http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/access-log-collection.html
6) Where are Elastic Load Balancing logs stored?
Correct answer
S3
Explanation
By default, these logs are actually turned off. But once we turn them on, they are automatically gathered and stored in Amazon S3, in a bucket that you specify. When you set up the logs or any time after that, you can change the interval at which the logs are taken to 5 minutes or 60 minutes..
Further Reading
http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-access-logs.html
7) You have configured ELB with Auto Scaling. You decide to suspend Auto Scaling AddToLoadBalancer for a period of time. What will happen to the instances launched while you had this process suspended?
Correct answer
The instances will not be automatically added to ELB and you will have to manually register when the process is resumed.
Explanation
AddToLoadBalancer process adds instances to the load balancer or a target group when they are launched, but by suspending this process, we can stop instances from being added to the load balancer while not stopping Auto Scaling from launching more instances. This can be useful to test a configuration or something else on an instance without serving traffic from the load balancer to it. However, if we resume this process, instances that were launched while the process was suspended will not be added to the load balancer unless we manually add them.
Further Reading
http://docs.aws.amazon.com/autoscaling/latest/userguide/as-suspend-resume-processes.html
8) With both HTTP/HTTPS and TCP/SSL sticky sessions can be enabled.
Correct answer
False
Explanation
Sticky sessions can only be enable with HTTP/HTTPS.
Further Reading
http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-sticky-sessions.html
9) Which of these fields are reported with Elastic Load Balancer (Classic Load Balancer) access logs?
Correct answer
timestamp, backend:port, backend_processing_time, request_processing_time, received_bytes
Further Reading
http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/access-log-collection.html
10) You have an application running 24/7 that has important data stored on EBS volumes which are attached to EC2 instances. This data needs to be backed up on a daily basis to make sure that a data loss would have minimal impact. You don’t need this data to be stored for longer than 15 days. You’ve been tasked with creating a backup script that runs on a daily basis thanks to a scheduling daemon. How can you implement this backup strategy?
Correct answer
Write a script that takes a snapshot of all running EBS volumes with the ec2-create-snapshot call, tagging the snapshots with a date-time group. Use the ec2-describe-snapshots call in order to list these snapshots and to look for any that are older than 15 days old by checking the date-time group. Call the ec2-delete-snapshot call to prune those older snapshots.
11) How long is the default lifecycle wait state?
Correct answer
60 minutes
Explanation
By default, the instance stays in a wait state for an hour, but if we finish sooner we can complete the lifecycle action to continue the next steps, or if we need more time to complete the action, we can send a “heartbeat” to restart the timeout period.
Further Reading
http://docs.aws.amazon.com/autoscaling/latest/userguide/lifecycle-hooks.html
12) When we create an Auto Scaling group, we must specify a launch configuration, and we can only specify one for an auto scaling group at a time.
Correct answer
True
Explanation
When you create an Auto Scaling group, you must specify a launch configuration. You can specify your launch configuration with multiple Auto Scaling groups. However, you can only specify one launch configuration for an Auto Scaling group at a time, and you can’t modify a launch configuration after you’ve created it. Therefore, if you want to change the launch configuration for your Auto Scaling group, you must create a launch configuration and then update your Auto Scaling group with the new launch configuration. When you change the launch configuration for your Auto Scaling group, any new instances are launched using the new configuration parameters, but existing instances are not affected.
Further Reading
http://docs.aws.amazon.com/autoscaling/latest/userguide/LaunchConfiguration.html
13) Once we apply a hook, no matter what the option that we choose is, the instance goes in what state depending on which hook we applied and what the instance is doing? Select two.
Correct answer
pending:wait, terminating:wait
Explanation
Once we apply a hook, no matter what the option that we choose is, the instance goes in a pending:wait or terminating:wait state depending on which hook we applied and what the instance is doing. Once the action is complete or the default wait state timeout runs out, the state changes to pending:proceed or terminating:proceed.
Further Reading
http://docs.aws.amazon.com/autoscaling/latest/userguide/AutoScalingGroupLifecycle.html
14) Our organization is currently running a set of instances in an Auto Scaling group. These instances rarely need to scale up or down because traffic is stable and predictable. For this reason, the operations team lead has asked you to implement an Amazon SNS notification that sends out each time an instance is launched or terminated automatically by Auto Scaling. The notification should contain information about the instance, such as: * The instance ID * The time the event took place * What kind of event took place (scale out or scale in) This notification should be sent to the team lead. Which of these options would satisfy all of these requirements in the most efficient way possible?
Correct answer
Use Amazon SNS with a Lifecycle Hook to automatically send a notification to the team lead email address. This can be done by creating a lifecycle hook with the put-lifecycle-hook command for both scale out and scale in events, and specifying a notification target ARN., Create a CloudWatch Events notification that watches for a scaling event (scale in or scale out). Create a target using the put-targets call that sends an Amazon SNS notification when the lifecycle action occurs, by specifying the notification target ARN in that call. The instance ID, time, and event that took place, are all sent automatically since they are recorded in the CloudWatch event.
Explanation
The DevOps Pro exam likes to throw in questions with multiple answers, and oftentimes you will see one really good answer followed by less-than-ideal answers. In that case, you need to pick the best answers for the question.
Further Reading
http://docs.aws.amazon.com/autoscaling/latest/userguide/lifecycle-hooks.html#sns-notifications
15) You are the Senior DevOps engineer for a large company and have been tasked with deploying AWS infrastructure. You will have several EC2 instances and must scale accordingly based on CPU utilization. You have decided to use Auto Scaling, CloudWatch, and Elastic Load Balancing. After a month, your supervisor has requested the ELB access logs to troubleshoot an issue, but there are none to be found. What is a possible explanation?
Correct answer
Access logging is an optional feature of Elastic Load Balancing that is disabled by default.
Explanation
Access logging is an optional feature of Elastic Load Balancing that is disabled by default. After you enable access logging for your load balancer, Elastic Load Balancing captures the logs and stores them in the Amazon S3 bucket that you specify. When you set up the logs at any time after that, you can change the interval at which the logs are taken from 5 minutes to 60 minutes.
Further Reading
http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/access-log-collection.html
16) Protecting instances from scale in prevents them from being terminated, unless: Choose two.
Correct answer
We manually terminate the instance , The instance is marked as unhealthy and removed from the group
Explanation
Instance protection does not protect Auto Scaling instances from manual termination through the Amazon EC2 console, the terminate-instances command, or the TerminateInstances operation. Instance protection does not protect an Auto Scaling instance from termination if it fails health checks and must be replaced. Also, instance protection does not protect Spot instances in an Auto Scaling group from interruption.
Further Reading
http://docs.aws.amazon.com/autoscaling/latest/userguide/healthcheck.html#as-configure-healthcheck
17) Your instance has completed the action in your lifecycle hook in your Auto Scaling group, but is not moving on to the next state. Why could this be?
Correct answer
You need to complete the lifecycle action to continue the next steps
Explanation
By default, the instance stays in a wait state for an hour, but if we finish sooner we can complete the lifecycle action to continue the next steps, or if we need more time to complete the action, we can send a “heartbeat” to restart the timeout period. To complete the action, we can use an API call from the CLI or from an SDK; for example, like the complete-lifecycle-action call which requires us to pass in a lifecycle action result of either continue or abandon. This is an important call to make if the action finishes because otherwise, the instance will wait the default of 60 minutes before completing the call and moving on to the next state.
Further Reading
http://docs.aws.amazon.com/AutoScaling/latest/APIReference/API_CompleteLifecycleAction.html
18) You have decided to switch to a new instance type, which termination policy should you use in your Auto Scaling Group?
Correct answer
OldestInstance
Explanation
OldestInstance: This option is useful when upgrading to a different instance type so that we can gradually replace the old instance type with the new. NewestInstances: This is useful if we are testing something new on an instance that we want to keep temporarily. This can also be used to temporarily test a new launch configuration.OldestLaunchConfiguration: This option is useful to phase out an older launch configuration. ClosestToNextInstanceHour: This option is best to reduce costs.
Further Reading
http://docs.aws.amazon.com/autoscaling/latest/userguide/as-instance-termination.html
##########
1) CloudWatch Alarms can only be used to invoke actions for state changes that are sustained over a specific number of periods. They can not invoke actions only because they are in a particular state.
Correct answer
True
Further Reading
http://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/cloudwatch_concepts.html#CloudWatchAlarms
2) This is the agent that we can install on EC2 instances to automatically publish log events to CloudWatch.
Correct answer
Logs Agent
Further Reading
http://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/QuickStartEC2Instance.html
3) Which of these statistics does CloudWatch provide?
Correct answer
Minimum, Maximum, Sum, Average, SampleCount
Further Reading
http://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/cloudwatch_concepts.html#Statistic
4) You have configured the following AWS services: Auto Scaling group, Elastic Load Balancer, and EC2 instances. Your supervisor has requested that you terminate an instance when CPU utilization is less than 40%. How can you do this?
Correct answer
Create a CloudWatch alarm to send a notification to the Auto Scaling group when the aggregated CPU utilization is less than 40% and configure the Auto Scaling policy to remove one instance.
Explanation
You can create a scaling policy that uses CloudWatch alarms to determine when your Auto Scaling group should scale out or scale in. Each CloudWatch alarm watches a single metric and sends messages to Auto Scaling when the metric breaches a threshold that you specify in your policy. You can use alarms to monitor any of the metrics that the services in AWS that you’re using send to CloudWatch, or you can create and monitor your own custom metrics.
Further Reading
http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-cloudwatch-metrics.html
5) You run a multi-tier architecture on AWS with webserver instances running Nginx as a reverse proxy. You’d like to implement logging for these webserver instances so that you can collect log data from the Nginx service and kernel logs. You’ve just received an alert that users are running into 5XX errors, and you want to filter through your logs to find these errors. How can you implement this quickly and cost-effectively?
Correct answer
Install the CloudWatch Logs agent and send Nginx access log data to CloudWatch. Then, filter the log streams for 5xx errors.
Explanation
There is no need to overcomplicate logging in this case. The CloudWatch Logs agent will handle this task well, and without introducing more complexity or costs than are needed.
Further Reading
http://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/SearchDataFilterPattern.html
6) Namespaces are name/value pairs that help identify a metric.
Correct answer
False
Further Reading
http://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/cloudwatch_concepts.html#Namespace
7) CloudWatch integrates with CloudFormation. This means we can create and configure alarms, set up log groups and metrics, and configure instances to have the CloudWatch Logs agent installed and configured all through CloudFormation templates.
Correct answer
True
Explanation
Amazon CloudWatch Logs can monitor your system, application, and custom log files from Amazon EC2 instances or other sources. You can use AWS CloudFormation to provision and manage log groups and metric filters.
Further Reading
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-cloudwatchlogs.html
8) Collecting and sending logs from instances to CloudWatch can be done using: Select all that apply.
Correct answer
API and SDK calls , AWS Console , The CloudWatch Logs agent
Explanation
AWS LogWatch does not exist.
Further Reading
http://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/WhatIsCloudWatch.html
9) Your finance manager has set a budget for AWS services for your project of $2500. What is a simple way to know you hit this threshold?
Correct answer
Utilize CloudWatch combined with a Billing Alarm
Explanation
You can monitor your AWS costs by using CloudWatch. With CloudWatch, you can create billing alerts that notify you when your usage of your services exceeds thresholds that you define. You specify these threshold amounts when you create the billing alerts. When your usage exceeds these amounts, AWS sends you an email notification. You can also sign up to receive notifications when AWS prices change.
Further Reading
http://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/monitor-charges.html
10) Once we have our logs in CloudWatch, we can do a number of things such as: Choose 3.
Correct answer
Stream the log data into Amazon Elasticsearch in near real-time with CloudWatch Logs subscriptions., Stream the log data to Amazon Kinesis , Send the log data to AWS Lambda for custom processing or to load into other systems
Explanation
Once we have our logs in CloudWatch, we can do a number of things, like: retrieve statistics, stream the log data into Amazon Elasticsearch in near real-time with CloudWatch Logs subscriptions, stream the log data to Amazon Kinesis, send the log data to AWS Lambda for custom processing or to load into other systems, and analyze and process the data through custom solutions. AWS CloudTrail is a service that records API calls for your AWS account and delivers log files containing API calls to your Amazon S3 bucket or a CloudWatch Logs log group. With AWS CloudTrail, you can look up API activity history related to creation, deletion and modification of AWS resources and troubleshoot operational or security issues.
Further Reading
https://aws.amazon.com/cloudwatch/faqs/
11) Dimensions are name/value pairs that help uniquely identify a metric.
Correct answer
True
Further Reading
http://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/cloudwatch_concepts.html#Dimension
12) We can have multiple different metrics for the same services
Correct answer
True
Explanation
Our load balancer might have a metric for latency and a metric for the number of requests. We could also have metrics for things outside of the AWS environment, like the temperature of a fridge or the cycles that a machine in a factory has completed. But inside each of those metrics, we have data points that are organized by time – like every minute, or every 5 minutes, for example.
Further Reading
http://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/cloudwatch_concepts.html
13) CloudWatch metrics can be aggregated across multiple regions.
Correct answer
False
Explanation
Amazon CloudWatch does not aggregate data across regions. Metrics are completely separate between regions.
Further Reading
http://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/cloudwatch_concepts.html#CloudWatchRegions
14) What are examples of namespaces?
Correct answer
AWS/ELB, AWS/EBS
Further Reading
http://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/cloudwatch_concepts.html#Namespace
15) If there are requests flowing through the load balancer, Elastic Load Balancing measures and sends its metrics in how many second intervals?
Correct answer
60
Explanation
Elastic Load Balancing reports metrics to CloudWatch only when requests are flowing through the load balancer. If there are requests flowing through the load balancer, Elastic Load Balancing measures and sends its metrics in 60-second intervals. If there are no requests flowing through the load balancer or no data for a metric, the metric is not reported.
Further Reading
http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-cloudwatch-metrics.html
##################
1) You need to change the alarm threshold on a CloudWatch alarm. How can you accomplish this via CloudFormation?
Correct answer
First update the template, next update the stack with that new template file. Only the resources that need to be updated will change, and everything else will remain the same. Once the update goes through, our stack will change to the UPDATE_COMPLETE state.
Explanation
If we need to make changes to running resources in a stack, we can update the stack itself. For example, if we need to change a resource property like an alarm threshold on a CloudWatch alarm, or if we need to update the AMI running on EC2 instances, we can perform those changes through CloudFormation. Not all resources or properties can be updated, but AWS is continually adding support for more. To perform an update, we first need to update the template, and update the stack with that new template file. Only the resources that need to be updated will change, and everything else will remain the same. Once the update goes through, our stack will change to the UPDATE_COMPLETE state.
Further Reading
http://docs.aws.amazon.com/cli/latest/reference/cloudformation/wait/stack-update-complete.html, http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-direct.html
2) Which of the following best describes the key differences between deployments using Elastic Beanstalk vs OpsWorks?
Correct answer
Elastic Beanstalk doesn’t allow as much flexibility for some configurations and deployments and is more suitable for shorter application lifecycles where an environment can be thrown away with each deploy.
Explanation
.
3) You deployed an application and its infrastructure via CloudFormation by creating a stack that provisions and configures instances and the application on those instances. You’re also using the cfn-hup helper script to perform updates on the instances whenever CloudFormation Init Metadata for the instances is changed. To test this environment, you update a file declared in the Metadata, update the stack with this changed template, and see that the update was successfully applied by CloudFormation. However, when you check the file on the instance, you notice that it hasn’t changed. What went wrong?
Correct answer
Nothing went wrong. The hup daemon checks for changes in intervals, and it can take up to the interval period before the change is reflected. Check back in a few minutes.
Further Reading
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-hup.html#cfn-hup-config-file
4) Bootstrapping actions can take a long time to complete, increasing deployment times. How can we speed up the process?
Correct answer
Prebaking AMIs
Explanation
Pre-baked AMIs can have a significant portion of the application already installed in the base image. This means we have fewer actions to perform, reducing the time it takes to prepare an instance. We can deploy these AMIs with Auto Scaling.
Further Reading
Click to access overview-of-deployment-options-on-aws.pdf
5) Which best describes stack policies?
Correct answer
JSON documents that define which update actions can be performed on which resources and applied to all users who have access to the stack
Further Reading
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/protect-stack-resources.html
6) What happens when we delete a stack or have failures in creating or updating resources? Choose two.
Correct answer
This causes the template to rollback and undo what it has done up to this point, These entries from our events show that a WaitCondition failed to receive a count signal before the time out expired
Explanation
When we try to create resources, there are several reasons that the creation would fail. One reason could be a configuration issue, such as forgetting to set a required parameter or not properly configuring a parameter. WaitConditions can be used to coordinate stack resource creation when configuring or performing actions on external resources. They can also be used to track the progress of a configuration process, like if we configure something on a resource, and we need to wait for that to finish before moving on to creating another resource that depends on it. Since we need to receive a signal acknowledging that the process succeeded, if we don’t receive that signal before the timeout expires, then CloudFormation assumes that it failed and rolls the stack back
Further Reading
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/troubleshooting.html
7) Which of these best describe what stack policies do?
Correct answer
Stack policies can protect specific resources from specific update actions, You can only have one stack policy per stack
Further Reading
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/protect-stack-resources.html
8) Which of the following best describe what cfn-init can do? cfn-init can:
Correct answer
Get and parse metadata from CloudFormation, Enable and start services, as well as pass in configuration files for those services, Declare the owning user of a file
Explanation
Detecting changes and acting on those changes is done with the cfn-hup helper script daemon. http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-init.html http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-init.html
9) Which of the following is possible when updating a CloudFormation stack? Select all that apply.
Correct answer
Changing the AMI of our EC2 instances , Updating a CloudWatch alarm , Downloading the new version of an application or packages
Explanation
If we need to make changes to running resources in a stack, we can update the stack itself. For example, if we need to change a resource property like an alarm threshold on a CloudWatch alarm, or if we need to update the AMI running on EC2 instances, we can perform those changes throughCloudFormation. Not all resources or properties can be updated, but AWS is continually adding support for more.
Further Reading
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks.html & http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-policy.html
10) The cfn-signal helper script signals whether an EC2 instance has been successfully created or updated. This script is used with a CreationPolicy or an Auto Scaling group with a WaitOnResourceSignals update policy. When CloudFormation creates or updates resources with those policies, the rest of the stack pauses until the resource receives the required number of success signals, or until the timeout period is reached. The cfn-signal helper is what sends those signals back – successful or not.
Correct answer
True
Further Reading
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-signal.html
11) If a delete fails, we can use which parameter to delete stacks that are stuck in DELETE_FAILED? The stack will not attempt to delete resources specified in that parameter.
Correct answer
RetainResources
Explanation
For stacks in the DELETE_FAILED state, a list of resource logical IDs that are associated with the resources you want to retain. During deletion, AWS CloudFormation deletes the stack but does not delete the retained resources. Retaining resources is useful when you cannot delete a resource, such as a non-empty S3 bucket, but you want to delete the stack.
Further Reading
http://docs.aws.amazon.com/cli/latest/reference/cloudformation/delete-stack.html
12) Which of the following are considered immutable updates with CloudFormation:
Correct answer
Updating the AMI on an EC2 instance, Updating the instance type from t2.micro to m1.large
Explanation
Instance type updates are not immutable changes with CloudFormation if they use the same architecture (ie: PV64 vs HVM64). If they are different architectures, the instance must be created with a different AMI. Updating AMIs is an immutable change which will. In this case, t2.micro is HVM64 while m1.large is PV64, which will cause an update in the AMI and will cause the instance to be replaced. However, going from t2.micro to m3.medium will only cause a reboot, which will keep the same instance (and instance ID), but will cause a change in the public IP and public DNS.
Further Reading
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/updating.stacks.walkthrough.html#update.walkthrough.changing.resource.properties
13) Your developers need a way to provision a predictable environment for testing code updates. Which of the following scenarios will CloudFormation benefit the most?
Correct answer
Use CloudFormation to provision dependencies like a VPC and its subnets, as well as an RDS database, and then kick off the application deployment with Elastic Beanstalk, Use separate CloudFormation templates to model OpsWorks components and other dependencies like the RDS database and VPC. Then, use OpsWorks to create a development stack that mimics production but with fewer and cheaper resources
14) You’re in charge of changing the instance type of the EC2 instances in your Auto Scaling group. While you’re at it, you can also update the base AMI of those instances which contain a new application version. How can you deploy these changes without causing downtime?
Correct answer
Use a rolling update. This will update the instances in batches while ensuring that we have a minimum number of instances serving traffic.
Explanation
AutoScalingRollingUpdate policy gives us control over how many instances in our Auto Scaling group get updated at the same time (in batches). We can also control how many instances (at minimum) should be running during an update and how long to wait between batch updates to receive success signals. If we run into an issue with the update, there is an automatic rollback to the previous version.
Further Reading
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-updatepolicy.html
##############################
1) You cannot call AssumeRole by using AWS root account credentials; access is denied. You must use credentials for an IAM user or an IAM role to call AssumeRole.
Correct answer
True
Further Reading
http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html
2) How can we reduce the odds of an attacker getting access to valid credentials?
Correct answer
Rotating credentials
Explanation
As a security best practice, AWS recommends that you, an administrator, regularly rotate (change) the access keys for IAM users in your account. If your users have the necessary permissions, they can rotate their own access keys.
Further Reading
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html
3) Which call returns a set of temporary security credentials (consisting of an access key ID, a secret access key, and a security token) that you can use to access AWS resources that you might not normally have access to.
Correct answer
AssumeRole
Explanation
The AssumeRole call can be used to retrieve the access key ID, secret access key, and a security token. The AssumeRole call is typically used for SWFHTML access or federation. Typically, you use AssumeRole for cross-account access or federation
Further Reading
http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html
4) How do you rotate IAM role credentials on your EC2 instances?
Correct answer
Do nothing. IAM dynamically provides temporary credentials to the EC2instance, and these credentials are automatically rotated for you.
Explanation
Applications that run on an Amazon EC2 instance need credentials toaccess other AWS services. To provide credentials to the application in a secure way, use IAM roles. A role is an entity that has its own set of permissions but isn’t a user or group. Roles also don’t have their own permanent set of credentials the way IAM users do. In the case of Amazon EC2, IAM dynamically provides temporary credentials to the EC2 instance, and these credentials are automatically rotated for you.
Further Reading
http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
5) You have created a role named instanceRole and assigned that role to a policy, but you are unable to use that role with an instance. Why?
Correct answer
You won’t be able to use that role with an instance unless you also create an instance profile and associate it with that specific role.
Explanation
When creating IAM roles for instances, those instances also require instance profiles. These instance profiles are containers for IAM roles that we select when we apply a role to an instance.
Further Reading
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html
##########################
1) Elastic Beanstalk supports the following programming languages. Select all that apply.
Correct answer
Java , Go, .NET
Explanation
With Elastic Beanstalk, we have access to quite a few different languages: Java, .NET, PHP, Node.js, Python, Ruby, and Go.
Further Reading
https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/Welcome.html
2) Your team is tasked with migrating an existing application running on a custom application server to AWS. The application also has custom dependencies, so we’re afraid it won’t work properly. What is the best way to go about this?
Correct answer
Package the application and dependencies with Docker, and deploy the Docker container with Elastic Beanstalk.
Explanation
Overall, Docker can be used with Elastic Beanstalk to maintain consistency across multiple uses, and to abstract the application from the underlying virtualized hardware.
Further Reading
http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/create_deploy_docker.html
3) Which deployment method is the fastest with Elastic Beanstalk?
Correct answer
All at Once
Further Reading
http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/using-features.deploy-existing-version.html
4) The only way to modify or delete configuration file settings is by updating them in our config files and deploying a new application version.
Correct answer
True
Explanation
The only way to modify or delete configuration file settings is by updating them in our config files and deploying a new application version. We cannot remove them with the AWS CLI or EB CLI – we can only override them. This happens because the settings are not applied directly to the environment’s configuration. Settings applied via a saved configuration or by applying them directly to the environment (with the CLIs, SDKs, or console) can be modified and deleted via those methods, but they can’t be modified by configuration files.
Further Reading
http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/environment-configuration-methods-after.html
5) Which deployment method replaces all resources including: the load balancer, Auto Scaling group, and instances.
Correct answer
Blue/Green
Explanation
With Blue/Green deployment and Elastic Beanstalk all resources get replaced. For example, if you use Elastic Beanstalk to provision an RDS database, and you perform a Blue/Green deployment, data will be lost if you terminate the original environment. Even if you don’t, you’ve got to find a way to transfer data over. One approach to solving this issue is to not provision the database with elastic beanstalk. Instead, provision it outside of the EB environment, and link your application to it.
Further Reading
http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/using-features.CNAMESwap.html
6) True or False: Elastic Beanstalk uses CloudFormation under the hood to create environments.
Correct answer
True
Explanation
AWS CloudFormation supports Elastic Beanstalk application environments as one of the AWS resource types. This allows you, for example, to create and manage an AWS Elastic Beanstalk-hosted application along with an RDS database to store the application data. In addition to RDS instances, any other supported AWS resource can be added to the group as well.
Further Reading
https://aws.amazon.com/cloudformation/faqs/
############################
1) Your application requires long-term storage for backups and other data that you need to keep readily available but with lower cost. Which S3 storage option should you use?
Correct answer
Amazon S3 Standard – Infrequent Access
Explanation
Amazon S3 Standard – Infrequent Access, also known as Standard IA, is a storage class for less frequently accessed data, that still requires fast access when it’s needed. It offers a low per GB storage price. This class is a great option for longer term storage like backups and other data that we need to keep readily available but with lower cost. This also makes it a great solution for disaster recovery.
Further Reading
https://aws.amazon.com/s3/storage-classes/
2) Amazon S3 provides a set of API operations that you use to manage lifecycle configuration on a bucket. Amazon S3 stores the configuration as a lifecycle sub-resource that is attached to your bucket. Which API operations does it support?
Correct answer
GET Bucket Lifecycle, DELETE Bucket Lifecycle , PUT Bucket Lifecycle
Explanation
Once we create this configuration, S3 stores it as a lifecycle sub-resource attached to the bucket. Then, S3 applies the rules we specified to all objects or specific objects we identified in the rules. And using the Amazon S3 API, we can PUT, GET, or DELETE the lifecycle configuration. We can also do this from the Console or through an SDK and the CLI.
Further Reading
http://docs.aws.amazon.com/AmazonS3/latest/dev/object-lifecycle-mgmt.html
3) You work for an accounting firm and need to store important financial data for clients. During tax season, you will need to access data frequently, but after tax season the data only needs to be archived in case of an audit. What is the most cost-effective way to do this?
Explanation
We can manage an object’s lifecycle by using lifecycle configuration, which tells Amazon S3 how to manage objects during their lifetime. For example, we can automatically move an object from standard storage to Standard IA, RRS, or Glacier after it reaches a certain number of days old. Say, after 30 days, move the object to Standard IA. After 90 days, move that same object to Amazon Glacier. We can also delete the object if we want to. So instead of sending it to Glacier, if we know we will never need that object again, we can delete it entirely.
Further Reading
http://docs.aws.amazon.com/AmazonS3/latest/dev/object-lifecycle-mgmt.html
4) True or False: You can transition from Glacier to any other storage class.
Correct answer
False
Explanation
The transition of objects to the GLACIER storage class is one-way.
Further Reading
http://docs.aws.amazon.com/AmazonS3/latest/dev/lifecycle-transition-general-considerations.html
5) Which S3 storage class is the default option that we get out of the box when we create a new bucket?
Correct answer
S3 Standard
Explanation
S3 Standard is the default option that we get out of the box when we create a new bucket. This is the option that gives us high durability with 11 9’s, 99.99% of availability over a given year, and high performance with low latency and high throughput. However, this option is not the cheapest. If we are storing a large number of objects, or if we are performing a lot of requests like GET, PUT, POST, LIST, and other requests, then costs can really start to add up.
Further Reading
https://aws.amazon.com/s3/storage-classes/
######################
