AWS – SysOPS Administrator Questions with Answers


This article is designed for system administrators, operators, and engineers who are looking to operate and maintain applications running on the AWS platform.

While all 100+ questions are aimed at passing the AWS Certified SysOps Administrator - Associate exam, it is also worth bookmarking this article as a future reference to the common set of AWS services that a SysOps engineer works with on a daily basis.

Question 1. What is the difference between Infrastructure as a Service and Platform as a Service?

Answer – IaaS provides VM instances, disk, and networks, while PaaS provides services such as databases and queues.

Question 2. Which layers is the cloud vendor responsible for when looking at Platform as a Service?

Answer – The physical security, securing access to the hypervisor, securing and patching the operating system, securing, configuring and patching the platform.

Question 3. What are the most obvious advantages of using AWS?

Answer – Trade cap-ex for op-ex, use inexpensive compute units on demand, increase the speed of application delivery and agility, matching capacity to demand, ability to go global in minutes.

Question 4. List the five AWS Foundation service categories.

Answer – Network, compute, storage, security and identity services, and end user applications.

Question 5. Define the three ways of accessing the AWS environment.

Answer – The AWS Management Console, the CLI, and the SDK.

Question 6. Essentially, what is a cloud-native application?

Answer – An application that’s built to run on the cloud (usually on platform and serverless environments).

Question 7. What is the difference between regions and availability zones?

Answer – Regions are composed of multiple availability zones, AZs are composed of multiple data centers.

Question 8. Would running two virtual machine instances in two datacenters in one availability zone make your application highly available?

Answer – No, because a single-availability zone should be considered a fault-isolation environment.

Question 9. In what case would it be normal practice to keep using the root account for administrative tasks?

Answer – None. It isn’t recommended to keep using the root account for any other case than emergency access to the account.

Question 10. What is multi-factor authentication?

Answer – MFA is the procedure of entering multiple authentication factors when logging in – for example, a username will require the user’s password and a Time-based One-time Password (TOTP) or certificate to authenticate.

Question 11. What kinds of features does the AWS IAM password policy provide?

Answer – Set the minimum password length; require at least one uppercase or lowercase character; number or special character; allow users to change their own passwords; enable password expiration after a number of days; prevent the reuse of passwords, enable administrative reset on expired passwords.

Question 12. What are the three main identity objects within IAM?

Answer – Users, Groups, Roles, and Policies.

Question 13. Can a user have more than one active access key assigned to their account?

Answer – Yes.

Question 14. A user has lost their secret access key and is asking the administrator to retrieve the existing secret access key for them. How can this be done?

Answer – You can’t retrieve an existing secret access key. A new key needs to be created.

Question 15. You are looking to give an application running on EC2 access to S3. What is the best practice way to achieve that?

Answer – Create a role with the appropriate S3 access and assign the role to the EC2 instance.

Question 16. You are in charge of directory services in your enterprise and you have been given the task of granting everyone in your organization access to AWS. There are approximately 15000 users in your directory. What is the best way to approach authentication in AWS?

Answer – Use corporate directory federation, STS, and roles to authenticate users within your existing directory and grant them access to AWS resources.

Question 17. State true or false: Yesterday someone deleted a server that inadvertently had some important data on it. The owner of that server is requesting you identify the culprit. You explain that you did not configure CloudTrail on the account and that data is not available.

Answer – False: CloudTrail is now enabled on all accounts by default and provides seven days of data so we can identify the user that deleted the EC2 instance.

Question 18. What are the two layers of networks in the VPC?

Answer – The VPC network and the VPC subnets.

Question 19. What is a CIDR?

Answer – A way to determine the network address – in CIDR, IP addresses are described as consisting of two groups of bits in the address: the network address and the host address.

Question 20. Which CIDR sizes can be assigned to the VPC?

Answer – Between /16 and /28.

Question 21. What is the difference between a private and a public subnet?

Answer – Public subnets have a route to the IGW while private subnets don’t.

Question 22. What connectivity options does VPC provide for connecting to the internet and on-premises?

Answer – IGW for public subnets, NAT gateways for private subnets, VPN and Direct Connect for on-premises.

Question 23. VPC A is peered to VPC B. VPC B is peered to VPC C. Can instances in VPC A reach instances in VPC C?

Answer – By default, transitive traffic isn’t supported with VPC peering. To achieve this, a proxy instance could be installed in VPC B, and traffic for VPC C from VPC A would be redirected to the proxy.

Question 24. Your WEB application is running in a VPC. You have allowed inbound port 80 in the inbound policy of the network ACL and the inbound policy of the security group. Your application is still not responding. What could be the reason?

Answer – You didn’t allow the ephemeral ports on the outbound policy of the NACL. NACLs are stateless and the return traffic needs to be allowed. Determine the ephemeral ports the instance responds on and allow those in the NACL.
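The stateless evaluation described in the answer above, as an added example that is not part of the original article: a small NACL rule evaluator run against the broken rule set (inbound 80 only) and the fixed one (outbound ephemeral range added). Rule numbers, CIDRs, the client address and the 1024-65535 reply-port range are constructed for the demo.

```python
# Added example for Question 24: why a stateless NACL needs an outbound
# ephemeral-port rule. Not from the original article; rule numbers, CIDRs,
# the client address and the port range below are constructed for the demo.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

EPHEMERAL = (1024, 65535)  # assumed reply-port range; clients pick a source port here


@dataclass(frozen=True)
class Rule:
    number: int        # NACL rules are evaluated in ascending number order
    protocol: str      # "tcp", "udp" or "all"
    ports: tuple       # inclusive (low, high) destination-port range; ignored for "all"
    cidr: str          # remote address range the rule applies to
    action: str        # "allow" or "deny"


def evaluate(rules, protocol, dst_port, remote_ip):
    """Decide one packet in one direction: the lowest-numbered matching rule
    wins, and the implicit '*' rule denies anything that matched nothing."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("all", protocol):
            continue
        if rule.protocol != "all" and not (rule.ports[0] <= dst_port <= rule.ports[1]):
            continue
        if ip_address(remote_ip) not in ip_network(rule.cidr):
            continue
        return rule.action
    return "deny"


def web_request_completes(inbound, outbound, client_ip, client_port):
    """A NACL is stateless, so both halves of the TCP exchange are checked
    independently: the request arriving on port 80, and the reply leaving
    towards the client's ephemeral source port."""
    request = evaluate(inbound, "tcp", 80, client_ip)
    reply = evaluate(outbound, "tcp", client_port, client_ip)
    return request == "allow" and reply == "allow"


# The situation in the question: port 80 is open inbound, nothing is open outbound.
BROKEN_INBOUND = [Rule(100, "tcp", (80, 80), "0.0.0.0/0", "allow")]
BROKEN_OUTBOUND = []  # only the implicit deny-all

# The fix from the answer: allow the ephemeral range on the outbound side.
FIXED_INBOUND = BROKEN_INBOUND
FIXED_OUTBOUND = [Rule(100, "tcp", EPHEMERAL, "0.0.0.0/0", "allow")]

if __name__ == "__main__":
    client = ("203.0.113.7", 51234)  # constructed client address and source port
    print("before:", web_request_completes(BROKEN_INBOUND, BROKEN_OUTBOUND, *client))  # False
    print("after: ", web_request_completes(FIXED_INBOUND, FIXED_OUTBOUND, *client))    # True
```

Security groups are stateful and track the return flow themselves, which is why the question's symptom points at the NACL rather than the security group.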

Question 25. What kind of objects does EC2 allow us to create?

Answer – Virtual machine instances, Amazon Machine Images (AMIs), snapshots.

Question 26. Which layer of cloud computing does EC2 belong in?

Answer – IaaS.

Question 27. What determines the maximum number of EC2 instances that we can run in our newly created account?

Answer – Soft limits imposed by AWS depending on the instance type.

Question 28. Which block storage type would you use for volumes that require persistence?

Answer – EBS.

Question 29. There is a requirement to create a volume with 20,000 IOPS that’s a size of 30 TB – what would be the appropriate configuration for this volume?

Answer – Use 2 EBS gp2 volumes that each provide up to 10,000 IOPS and 16 TB. Put the two volumes in a software RAID 0 (striped) configuration to get up to 32 TB.

Question 30. How do we determine in which AZ the instance will run?

Answer – By setting it in a subnet within a VPC.

Question 31. An application has a license tied to a MAC address. What can be used in AWS to prevent the machine from being arbitrarily assigned with MAC addresses?

Answer – Use an ENI and use the ENI MAC address to apply the license.

Question 32. What is the scope of operation of a load balancer service?

Answer – Load balancers operate within a region across one or more availability zones.

Question 33. Which types of load balancers are supported in AWS?

Answer – Application, Network, and Classic Load Balancer.

Question 34. We have an application that requires low latencies at scales of millions of connections. Which type of load balancer would you suggest?

Answer – The Network Load Balancer.

Question 35. An application requires mobile clients to be redirected to a special cluster running the mobile web design. Which type of load balancer would you suggest?

Answer – The Application Load Balancer.

Question 36. We need to perform cross-region load balancing. Which type of load balancer would you suggest?

Answer – None. Load balancers operate within a region.

Question 37. After creating a Classic Load Balancer, what kind of group needs to be created?

Answer – Target Groups.

Question 38. Immediately after adding the instances to the load balancer, the website does not show on the browser. Why?

Answer – We need to wait for the instances to become healthy before we can browse the address of the load balancer.

Question 39. What kind of data is S3 well suited for?

Answer – Objects that need to be accessible via HTTP GET and PUT calls.

Question 40. What kind of data is Glacier designed for?

Answer – Archives.

Question 41. What is the data durability of S3, Glacier, and S3-IA?

Answer – Eleven nines – 99.999999999% within 24/7/365.

Question 42. What is the maximum expected number of GET requests from an S3 key prefix?

Answer – We should expect at least 5,500 GET requests, maximum isn’t determined.

Question 43. Are there any cheaper options aside from S3 and S3 IA?

Answer – Yes, S3 One-Zone IA and S3 RRS.

Question 44. What do we need to upload to a bucket to serve a static website?

Answer – An index file.

Question 45. When we enable versioning on an S3 bucket, how many versions will be maintained?

Answer – We can set a desired number of versions with expiration. By default, all versions are maintained.

Question 46. In which example would it be useful to temporarily use S3 for huge amounts of data?

Answer – For training data in machine learning.

Question 47. What is CloudFront?

Answer – A Content Delivery Network.

Question 48. What kind of content can be cached by CloudFront?

Answer – Static and dynamic website data, videos, images, and any cacheable application components.

Question 49. In CloudFront, what is the name given to a source server?

Answer – An origin.

Question 50. How do we enable DDoS protection on CloudFront?

Answer – There is nothing to do, as CloudFront is inherently protected from DDoS.

Question 51. What feature would you use to restrict access to S3 buckets?

Answer – An Origin Access Identity (OAI) on CloudFront.

Question 52. What are the two types of distributions supported on CloudFront?

Answer – Web and RTMP.

Question 53. What do we need to do to be able to delete a CloudFront distribution?

Answer – First, disable it, then wait for the status to change to deployed.

Question 54. What are the three types of data that can be stored in AWS?

Answer – File, Block, and Object storage.

Question 55. What kinds of protocols are supported by the EFS service?

Answer – NFS v4 and v4.1.

Question 56. What kind of SLA does the EFS service have?

Answer – EFS doesn’t have a published SLA at this point in time.

Question 57. What are the modes of operation available on the AWS Storage Gateway?

Answer – File Gateway, Volume Gateway, Tape Gateway.

Question 58. What two options for volumes does the AWS Storage Gateway support?

Answer – Cached and Stored volumes.

Question 59. What options support transferring data from on-premises directly to Glacier?

Answer – Storage Gateway through the Tape Gateway and Snowmobile.

Question 60. Which AWS feature would you use to transfer 1 PB of data if you had unlimited time?

Answer – AWS Storage Gateway – I have unlimited time, so why waste money on a Snowball.

Question 61. What is the purpose of the DNS service?

Answer – To resolve FQDNs to IPs.

Question 62. What areas of the DNS does the Route 53 service improve upon?

Answer – Automation, reliability, traffic shaping.

Question 63. Your application is synchronizing a database from the primary to secondary site and presents the content through an EC2 instance locally. What type of DNS routing policy would be appropriate for this setup?

Answer – Failover routing policy.

Question 64. You need to make sure your content adheres to the GDPR for all users from the EU. What kind of routing policy would be applicable in this case?

Answer – Geolocation routing policy.

Question 65. You are designing a health check for a custom application that sends custom traffic via SSL on port 443 to the server. What would be the appropriate health check in this case?

Answer – TCP health check on port 443.

Question 66. Your application needs to be protected from web page hijacks and you want to eliminate any hijacked servers from responding to your clients. How can Route 53 help?

Answer – HTTP or HTTPS health check looking for a particular string.

Question 67. A peer-to-peer streaming service needs to deliver a list of servers that serve the video stream to the clients. Which routing policy would deliver this kind of response?

Answer – Multi-value answer policy.

Question 68. Name the engines supported by RDS.

Answer – MySQL, MariaDB, PostgreSQL, Oracle, Microsoft SQL, and Aurora.

Question 69. How do read replicas differ from Multi-AZ deployments with the MySQL, MariaDB, and PostgreSQL engines?

Answer – Read replicas are read-only asynchronous copies, while Multi-AZ has one read/write master and a synchronous slave replica that isn’t accessible until failover.

Question 70. What are the two instance types in Amazon Aurora?

Answer – Primary instance for writes and replica instance for reads.

Question 71. How long will an Amazon Aurora cluster be unavailable during snapshots?

Answer – Snapshots don’t affect Aurora’s availability.

Question 72. What are the steps to restore a DB snapshot to an existing Aurora cluster?

Answer – Snapshots can’t be restored to an existing cluster.

Question 73. You are implementing a BI system that will issue end of day reports. You currently run a Multi-AZ cluster. What is the easiest way to support your BI requirements?

Answer – Implement a read replica and point the BI to the read replica.

Question 74. You are developing an application with a MariaDB backend. The architecture defines two public subnets, one for the EC2 instances and one for the RDS instances. The RDS security group allows traffic from the EC2 instance subnet to the RDS subnet. How can you increase the security of your RDS cluster?

Answer – Make the RDS subnet private and specify the EC2 security group as the source in the RDS security group instead of the subnet address.

Question 75. Name a few reasons for implementing caching in our applications.

Answer – Increase performance, increase scalability, decrease database or backend burden, decrease costs.

Question 76. What engines does ElastiCache support?

Answer – Memcached and Redis.

Question 77. What is the difference between the ElastiCache engines when it comes to data?

Answer – Memcached supports only simple datasets.

Question 78. An application is storing HTTP sessions in the local memory. How can we improve the availability of this application?

Answer – Implement Memcached caching and move the session state into the cache cluster.

Question 79. You need to store your data in a write-through manner to keep as much data as possible cached. One part of your application needs to perform complex transactions using the SQL query language on the cache. Which engine would you choose for this setup?

Answer – Use Memcached to store the write-through data. Point your SQL application straight to the database, as no cache engine supports SQL.

Question 80. You have a multi threaded application using Redis. An administrator recommends adding three more Redis read/write nodes to the cluster. How will this improve the performance of the application?

Answer – Increasing the number of nodes can only be done by adding read replicas, so this isn’t possible.

Question 81. During the workday, your application is using Memcached to store transaction responses using lazy loading. Every night, your BI system needs to replay a lot of these transactions for the end-of-day analysis. Your managers are complaining about getting data that is several days old whenever the BI system runs. How would you fix this problem?

Answer – Decrease the TTL for your cache accordingly, as stale data is being kept in the cache and delivered to the BI nightly report.

Question 82. True or false: DynamoDB is a fully managed highly available NoSQL service that is addressable via a standard SQL interface.

Answer – False: DynamoDB is addressable via standard HTTP.

Question 83. What is the difference between ACID and BASE data as far as consistency is concerned?

Answer – ACID is fully consistent, while BASE defines eventual consistency.

Question 84. You have an application that requires storing session data for a complex web application that performs BI on a very large backend dataset. Which database type is suitable for storing sessions for this application?

Answer – A NoSQL database would be perfect for sessions – it doesn’t matter what the application does – it can use SQL on the BI part, but NoSQL for the sessions.

Question 85. Which HTTP methods map to CRUD (create, read, update, and delete)?

Answer – C – PUT, R – GET, U – UPDATE, D – DELETE.

Question 86. Describe the relationships between tables, items, and attributes in DynamoDB.

Answer – Tables contain items and items are composed of attributes.

Question 87. What is the maximum item size in DynamoDB?

Answer – 400 KB.

Question 88. What are the two ways of determining capacity units in DynamoDB?

Answer – Provisioned throughput and on-demand.

Question 89. You have an application that collects metrics from industrial sensors at a rate of 50 MB per second. Each entry is 1.5 KB in size and the performance is consistent. You set up a DynamoDB table with on-demand provisioning in the US West (Oregon) region to ingest all the writes. You run a test and find that not all the values are being stored. You look at the sensor logs and see a lot of ProvisionedThroughputExceededException errors in the logs. What could be the problem?

Answer – By dividing 50 MB by 1.5 KB, we get approximately 34,200 items being sent every second to the table – but each item consumes 2 WCUs, meaning we’ll need to provision approximately 68,400 WCUs for the table. We’re being throttled by the soft limit of 40,000 WCUs per table in the us-west-2 region. We would need to contact AWS to raise the service limit for this table.
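The capacity arithmetic from the answer above, generalized into a small calculator that also covers read units; this is an added example, not code from the original article. Exact binary-unit math gives 34,134 items/s and 68,267 WCU rather than the rounded figures in the answer, with the same conclusion; the 40,000 WCU per-table figure is taken from the question and should be confirmed against Service Quotas for your region.

```python
# Added example for Questions 88 and 89: the capacity-unit arithmetic behind
# the ProvisionedThroughputExceededException in the sensor scenario. Not from
# the original article. The rounding rules are AWS's documented ones (1 WCU =
# one write/s of up to 1 KB; 1 RCU = one strongly consistent read/s of up to
# 4 KB, half that for eventually consistent reads, double for transactional).
# The 40,000 WCU per-table limit is the figure quoted in the question; treat
# it as an assumption to confirm against Service Quotas for your own region.
import math

KB = 1024
MB = 1024 * KB


def wcu_per_item(item_bytes, transactional=False):
    """Write capacity units one item consumes (size rounded up to whole KB)."""
    units = max(1, math.ceil(item_bytes / KB))
    return units * 2 if transactional else units


def rcu_per_item(item_bytes, strongly_consistent=True, transactional=False):
    """Read capacity units one item consumes (size rounded up to whole 4 KB)."""
    units = max(1, math.ceil(item_bytes / (4 * KB)))
    if transactional:
        return units * 2
    return units if strongly_consistent else units / 2


def write_capacity_needed(ingest_bytes_per_s, item_bytes, transactional=False):
    """Sustained WCU a table must provide for a steady stream of writes."""
    items_per_s = ingest_bytes_per_s / item_bytes
    return math.ceil(items_per_s * wcu_per_item(item_bytes, transactional))


def sensor_workload(table_wcu_limit=40_000):
    """Question 89: 50 MB/s of 1.5 KB items against the quoted per-table limit."""
    item_bytes = int(1.5 * KB)  # 1536 bytes -> rounds up to 2 WCU each
    needed = write_capacity_needed(50 * MB, item_bytes)
    return {
        "items_per_s": math.ceil(50 * MB / item_bytes),
        "wcu_per_item": wcu_per_item(item_bytes),
        "wcu_needed": needed,
        "throttled": needed > table_wcu_limit,
    }


if __name__ == "__main__":
    print(sensor_workload())
```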

Question 90. You need to gather metrics from an online test from thousands of students. The current database is MySQL and the proposal is to move to DynamoDB. How would you choose the partition and sort key according to the following requirements:

  • a) Retrieve the score per user by entering the username
  • b) Rank by the date the test was taken (a user can take the test multiple times)
  • c) Rank and sort users according to their scores

Answer – Create a table with:

  • Primary key username: To be able to list users
  • Sort key date: So that we can have multiple entries for each student to take the test multiple times
  • Score as the primary key and username for the sort key for the global secondary index: To rank users by score

Question 91. What are the two types of queues supported by SQS?

Answer – Standard and FIFO queues.

Question 92. What is the performance limitation of the FIFO queue?

Answer – 300 operations per second – up to 3,000 messages with batches of 10.

Question 93. What protocol does SQS use to deliver messages?

Answer – HTTPS.

Question 94. What is the visibility timeout?

Answer – The time the message will be hidden after it was read by a consumer and before it becomes visible in the queue again.

Question 95. When reading a message, what metadata is delivered alongside the body?

Answer – ReceiptHandle – the unique identifier for the message that was received; MD5OfBody – the MD5 sum of the body of the message, used for delivery consistency; and MessageId – the identifier of the message in the queue.

Question 96. Which piece of metadata is needed to delete the message?

Answer – ReceiptHandle.

Question 97. You have built an application that sends and processes exactly 10 messages per second. Your application has been working fine for days, but now you discover that there are over 100 messages in the queue and the number is growing. What might be the problem?

Answer – The messages are corrupt and aren’t being processed, thus not being deleted before becoming visible again.

Question 98. You have purged the queue and would like to recover the purged messages. How can you achieve this?

Answer – There’s no way to do this: once purged, messages are gone.

Question 99. Is JSON supported as an SNS transfer method?

Answer – JSON is not a transfer method.

Question 100. Name the special SNS topic property that needs to be configured when sending SMS.

Answer – Display name.

Question 101. In what way does SNS enhance SQS with fan-out?

Answer – It enhances the SQS distribution model from one-to-one to one-to-many.

Question 102. Which protocols would make sense for your Android application to use to deliver notifications to your users?

Answer – Email, SMS, mobile notifications.

Question 103. You are sending CloudWatch alarms to a global topic to alert your response team of issues. Your managers now need you to identify the number of issues in each region and bill that separately to each department that is responsible for the region. How could you easily implement this?

Answer – Create a separate notification topic in each region and subscribe each department to that topic. Separate metrics can be collected this way for each topic.

Question 104. You’ve created an email subscription, but you are not receiving emails from the topic. What would you check first?

Answer – If your subscription has been confirmed by the recipient.

Question 105. A service outside of AWS requires the ability to send a message to an SNS topic. How can we protect the topic from anyone sending to it?

Answer – Disable anonymous access and create a user with a secret key and an access key that will have the permission to only send to this topic. Provide the user to the outside service provider and direct them to use the AWS CLI with the appropriate commands to publish to the topic using the user secret and access key provided.
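The publish-only identity from the answer above, as an added example that is not part of the original article: the scoped user policy next to the over-broad shortcut, with a simplified evaluator showing what each grants. The account id, region and topic name are placeholders, and is_allowed() models only Allow/Deny statements with wildcards plus the implicit deny, not the full IAM engine.

```python
# Added example for Question 105: a publish-only identity for the external
# service, with a simplified check of what the policy does and does not grant.
# Not from the original article. The account id, region and topic name are
# placeholders; is_allowed() models only Allow/Deny statements with '*'
# wildcards and the implicit deny, not the full IAM evaluation logic.
import fnmatch
import json

TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:partner-inbound"  # placeholder

# Minimal user policy: the one action, the one topic.
PUBLISH_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "sns:Publish", "Resource": TOPIC_ARN}
    ],
}

# The tempting shortcut: every SNS action on every topic in the account.
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sns:*", "Resource": "*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Simplified IAM decision: an explicit Deny wins, a matching Allow grants,
    anything else is implicitly denied."""
    decision = False
    for stmt in policy["Statement"]:
        action_hit = any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        decision = True
    return decision


def granted_actions(policy, candidate_actions, resource):
    """Which of the candidate actions the policy lets a caller perform on resource."""
    return [a for a in candidate_actions if is_allowed(policy, a, resource)]


def policy_document(policy):
    """JSON text in the shape `aws iam put-user-policy --policy-document` expects."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    probes = ["sns:Publish", "sns:Subscribe", "sns:DeleteTopic", "sns:SetTopicAttributes"]
    print("scoped:", granted_actions(PUBLISH_ONLY_POLICY, probes, TOPIC_ARN))
    print("broad: ", granted_actions(OVERLY_BROAD_POLICY, probes, TOPIC_ARN))
    print(policy_document(PUBLISH_ONLY_POLICY))
```

The partner then needs only `aws sns publish --topic-arn <topic> --message <text>` with the keys of that user; every other SNS call fails with an access-denied error, which is the property the answer is after.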

Question 106. The SWF can be used to separate which two parts of an application?

Answer – It helps us separate the application processing from the application logic.

Question 107. Fill in the blank: Within a workflow, a ____ task is used to close the workflow execution.

Answer – Decider.

Question 108. True or false: An actor is a person that needs to perform an action.

Answer – False: an actor can be either software or person.

Question 109. True or false: A task list is populated with activities manually when creating an activity task.

Answer – False: a task list is populated with actions automatically by SWF.

Question 110. How do the workers poll the service in SWF?

Answer – Long polling, they poll for 60 seconds, after which an empty response is received.

Question 111. True or false: We can use the global endpoint for SWF or we can create regional endpoints to save on cross-region traffic.

Answer – False: SWF only has regional endpoints.

Question 112. A secret key and access key will need to be assigned to each actor within the SWF. What will be the best practice for key distribution within the SWF?

Answer – Use roles, as temporary keys will be created when workers use a role.

Question 113. Which operating system does the Lambda service use to provide the execution environment?

Answer – Amazon Linux.

Question 114. Which programming languages are supported by Lambda?

Answer – It natively supports Java, Go, PowerShell, Node.js, C#, Python, Ruby, and any other through the runtime API.

Question 115. What is a downstream resource in Lambda?

Answer – Any resource where the Lambda can record its response, such as S3 or DynamoDB.

Question 116. What does the Lambda Designer help us with?

Answer – Helps with quickly designing invocation triggers, layers, and connecting downstream resources.

Question 117. True or false: The Lambda service has a public endpoint that defaults to the North Virginia region, but other regional endpoints can be created if required.

Answer – False: Lambda doesn’t have a public endpoint.

Question 118. Your Lambda service requires read access to the S3 bucket named images and read-write access to the bucket named thumbnails; how would you configure permissions for the Lambda function?

Answer – Provide the appropriate permissions for each bucket in the execution role.

Question 119. An Amazon Kinesis Stream needs to invoke the lambda service; you are creating the invocation role for Kinesis but are unable to find where to apply this permission on the Kinesis stream. Why is this?

Answer – Kinesis can’t invoke as Lambda works in a pull manner with Kinesis – we need to add the permission to access the Kinesis stream to the Lambda execution role.

Question 120. You have a requirement to invoke the Lambda function from a public website hosted at another provider. How can you achieve this?

Answer – Implement an API gateway that will proxy the requests to the Lambda function as the Lambda service isn’t publicly accessible.

Question 121. True or false: A CloudWatch namespace must be preceded with AWS.

Answer – False: namespaces can have any format as long as they follow the namespace rules.

Question 122. True or false: Metrics come in two types: Normal and Detailed.

Answer – True.

Question 123. True or false: Metrics are aggregated to the next tier after their retention period expires.

Answer – True.

Question 124. A new compliance requirement has been introduced in your company that dictates that all EC2 system logs need to be redirected to a central data store where they can be accessed and then stored durably in an archive. How could you achieve this?

Answer – Use the CloudWatch agent to push the EC2 system logs to CloudWatch Logs. All CloudWatch logs have an indefinite retention period, but if separate archiving is required, use the AWS CLI to export older logs to S3 and then life-cycle them to Glacier.

Question 125. Your application is divided into three functional environments: Test, Staging, and Production, each composed of EC2 autoscaling clusters, RDS databases, and ElastiCache cluster. A requirement to maintain alerts of CPU usage on all instances only on the Production environment is set out by a governance policy. How can you implement your CloudWatch Alarms to achieve this in the most efficient manner?

Answer – Use tagging on the environment components, then create an alarm and filter the resources with the tag and CPU utilization. Select the EC2 and RDS systems in the results and create the alarm.

Question 126. What would a number in a CloudWatch Dashboard represent?

Answer – A current state of a certain metric (for example, the current CPU usage of an instance).

Question 127. You are asked by your developers to create an alarm when 10% of the SNS messages to a particular topic are not delivered. How could this be done?

Answer – Create a query result alarm from the number of delivered and number of failed messages in SNS to reflect the requirement.

Question 128. You are running an e-commerce application that starts performing slowly when the number of concurrent connections to your frontend is above 100,000. This kind of volume is unusual and only happens during seasonal sales (3–4 times per year). During the last sale, you analyzed the metrics and discovered that your ELB and your EC2 instances are responding correctly and the latency issue is being caused by the RDS backend being hit by a high number of requests. Due to the fact that you need to keep costs as low as possible, increasing the size of your instance permanently isn’t an option. You know the thresholds at which the application starts to perform slowly. Come up with a solution that will temporarily increase the performance of the database during these few events.

Answer – Create an alarm with a metric that represents the concurrent user number at the performance ceiling of the RDS service (where the database still responds OK). Once the ceiling is reached, an alarm should be sent to SNS where a Lambda service is subscribed. The Lambda has a role with the permission to manage the RDS service. Create a Lambda function that will increase the instance size accordingly to handle the excess traffic. Create another alarm that represents the users numbers going below the threshold, and configure the Lambda function to decrease the instance size when this second alarm is triggered.

Question 129. True or false: Elastic Beanstalk requires us to maintain and manage our code and takes care of each and every aspect of the infrastructure.

Answer – True.

Question 130. True or false: An Elastic Beanstalk environment creates a transparent environment that we can see in our EC2, ELB, RDS, and other consoles.

Answer – True: you can see all the resources that EB creates in the respective parts of the management console.

Question 131. True or false: Elastic Beanstalk environments are one-click deployments that can’t be customized.

Answer – False: we can customize every part of the deployment by using the .ebextensions file.

Question 132. What is the type and maximum size of the source bundle that can be created for use with Elastic Beanstalk?

Answer – A .zip or .war file of a maximum size of 512 MB.

Question 133. What is the maximum number of versions supported in each application?

Answer – 100 versions.

Question 134. A SLA requires you to maintain the application versions for 30 days and then discard them. What feature of Elastic Beanstalk can help you adhere to the SLA?

Answer – Implement life-cycling with the application’s age set to 30 days.

Question 135. You have deployed an Elastic Beanstalk application. Now, you need to modify the instance type of the running application. How would you go about doing this?

Answer – Change the instance type in the configuration of the application. The application will be redeployed with the new instance type.

Question 136. Your application needs to be updated as inexpensively as possible. Which update option is the best for this approach?

Answer – Use all-at-once updates. The instances are deleted and new ones are created, which means there are no additional costs incurred by the update process.

Question 137. You have been tasked with an application update. You need to make sure that the uptime of the application is maintained as close to 100% as possible, even during the update process, regardless of cost. Which update option would you choose and why?

Answer – Use the blue/green approach, as this will allow you to have two production-grade parallel deployments running during the update. If the green environment doesn’t perform well, you can instantly switch back to blue, thus maintaining uptime throughout.

Question 138. What is an environment deployed in CloudFormation called?

Answer – A stack.

Question 139. What notation formats are supported in CloudFormation templates?

Answer – JSON and YAML.

Question 140. When designing a CloudFormation, we need to restrict the users to just a few images that can be used with the template. Which section of the template can help us achieve this?

Answer – Use constraints in the Parameters section.

Question 141. We would like to see the URL of the load balancer when stack creation completes. Which section of the template can help us achieve this?

Answer – Define the LB URL as an output in the Outputs section.

Question 142. We have deployed a stack with a VPC, Security Groups, EC2 instances, and an RDS instance in a Multi-AZ configuration. The stack keeps failing after it starts. What could be the reason for this failure?

Answer – The deployment is trying to deploy the EC2 and VPC in parallel. Since no VPC exists, the instance creation fails. We can fix this with a DependsOn attribute on the EC2 and RDS instances.

Question 143. You are tasked with designing a three-tiered application where each tier is designed and managed by a separate team. A network team is responsible for providing connectivity for the application. What design approach would you use in CloudFormation to separate the duties and responsibilities between the teams and how?

Answer – Create roles for each team with the appropriate permissions for the appropriate resources and allow each team to deploy a stack with the resources that they’re responsible for.

Question 144. You have just joined a DevOps team where you are responsible for the infrastructure. You are shown some automated and manual processes that need to run to deliver the infrastructure for a new deployment. The automated processes are focused around the deployment of the application and the manual processes are AWS CLI commands that need to be run to provide the instances to install to. How could you improve this process?

Answer – Determine whether the AWS CLI commands can be written into CloudFormation templates. Store the templates with the code. Provide the location of the templates to the CI server and let the CI server push the template to CloudFormation as a preceding step to the installation of the code on the servers.

Question 145. True or false: OpsWorks is a configuration management tool that supports Chef Automate and Puppet Enterprise and allows us to control our instances running in AWS.

Answer – False: it also supports on-premise servers.

Question 146. True or false: OpsWorks supports both OpsWorks and Service layers to provide the capability to use both EC2 instances and other AWS services from the same stack.

Answer – True.

Question 147. When running OpsWorks, which component can we use to install applications to instances within a stack?

Answer – Apps.

Question 148. You have a multi-tier application. How would you separate the functional aspects of this application within OpsWorks?

Answer – Into layers.

Question 149. Your development environment is deemed a success and you wish to create four similar environments (test, QA, staging, and production) based on the settings and characteristics of the development stack. What is the easiest way to do that in OpsWorks?

Answer – Clone the stacks, and name and tag them accordingly.

Question 150. You have a requirement to maintain a configuration across time on a certain set of instances due to compliance reasons. How would you go about automating the compliance requirements with OpsWorks?

Answer – Automate and schedule the deployment of a recipe or module that returns the servers back to compliance.

Question 151. You are running an application with infrequent heavy changes being delivered to the instances that are running in AWS. You are currently using a manual process with an AWS CLI script and a JSON input file to create and deploy a new AMI and then deploy the new instances and terminate the old instances. There is a need to automate the deployment with a CI server that can generate the JSON input file automatically. What would be a good solution to implement in this scenario and why?

Answer – If the CI server supports running the already-defined AWS CLI scripts, that is the easiest way. If not, implementing the CLI commands in CloudFormation would be an option. Using OpsWorks would be the most complicated solution in this case, and infrequent large updates are not the best use case for OpsWorks.