AWS Solution Architect Interview Question-2

In your project, the security team requires each Amazon ECS task to have an IAM policy that limits the task's privileges. How can you achieve this?

  • We can use IAM roles for Amazon ECS tasks to associate a specific IAM role with each ECS task definition.
  • With IAM roles for Amazon ECS tasks, you can specify an IAM role that can be used by the containers in a task.
  • Users must sign their AWS API requests with AWS credentials, and this feature provides a strategy for managing credentials for your applications to use, similar to the way that Amazon EC2 instance profiles provide credentials to EC2 instances.
  • The applications in the task’s containers can then use the AWS SDK or CLI to make API requests to authorized AWS services.
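As an added illustration of the task-role answer above (this code is not part of the original post), the pieces a least-privilege ECS task role consists of: a trust policy that only the ECS tasks service in your account can assume, a permissions policy scoped to the calls the container actually makes, a task definition that points at that role through `taskRoleArn` (distinct from `executionRoleArn`, which the ECS agent uses), and a small check that flags wildcard grants before the policy is deployed. Account ID, region, table name and role names are constructed placeholders.

```python
# Constructed placeholder identifiers; replace them when adapting this.
ACCOUNT_ID = "123456789012"
REGION = "us-east-1"
TABLE_ARN = f"arn:aws:dynamodb:{REGION}:{ACCOUNT_ID}:table/orders"
TASK_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/orders-task-role"
EXEC_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/ecsTaskExecutionRole"

# Trust policy: only the ECS tasks service, acting for this account, may assume the role.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ecs-tasks.amazonaws.com"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"aws:SourceAccount": ACCOUNT_ID}},
    }],
}

# Permissions policy: only the API calls the container makes, on one table.
PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query"],
        "Resource": TABLE_ARN,
    }],
}

# Task definition: taskRoleArn is what application code gets via the SDK/CLI;
# executionRoleArn is used by the ECS agent itself (image pull, log delivery).
TASK_DEFINITION = {
    "family": "orders-api",
    "taskRoleArn": TASK_ROLE_ARN,
    "executionRoleArn": EXEC_ROLE_ARN,
    "containerDefinitions": [{"name": "api", "image": "orders-api:1.0", "essential": True}],
}

def _as_list(value):
    # IAM allows a single string where a list of strings is expected.
    return [value] if isinstance(value, str) else value

def broad_statements(policy):
    # Return the Allow statements that grant wildcard actions or resources.
    stmts = policy["Statement"]
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    found = []
    for stmt in stmts:
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any(a == "*" or a.endswith(":*") for a in actions) or "*" in resources:
            found.append(stmt)
    return found
```

Running `broad_statements(PERMISSIONS_POLICY)` returns an empty list for the scoped policy above, while a policy granting `dynamodb:*` on `*` would be reported.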

In your project, the application requires a persistent key-value store database that must serve 150,000 reads/second. Your company expects 20% growth in traffic and data volume month over month for the next several years. Which service will you use here?

  • DynamoDB is a fully managed NoSQL database that supports both key-value and document data structures.
  • DynamoDB Auto Scaling is a fully managed feature that automatically scales the provisioned read and write capacity of a DynamoDB table or a global secondary index up or down as application requests increase or decrease.

How will you design a storage solution in AWS when your input videos are required for a day, after which they should be archived? If required, the videos can be requested with advance notice and are expected to be available within 5 hours. However, in case of breaking news the videos need to be made available within minutes.

  • Glacier provides the most cost-effective archival solution.
  • Normal requests default to Standard retrieval, with which the videos can be retrieved within 3-5 hours.
  • For urgent requests, an Expedited retrieval request can be made, at additional charge, for the video to be available in 1-5 minutes.

Your project wants to use a Redshift cluster for petabyte-scale data warehousing. The data for processing is stored on Amazon S3. For security purposes, the manager wants the data to be encrypted at rest. How will you implement this solution?

  • Store the data in S3 with server-side encryption. Launch an encrypted Redshift cluster and copy the data to the cluster.
  • In Amazon Redshift, we can enable database encryption for clusters to protect data at rest.
  • When we enable encryption for a cluster, the data blocks and system metadata are encrypted for the cluster and its snapshots.
  • If you want encryption, you can enable it during the cluster launch process.
  • To go from an unencrypted cluster to an encrypted cluster or the other way around, unload your data from the existing cluster and reload it in a new cluster with the chosen encryption setting.

Your project's database stores data coming from more than 20,000 sensors. Sometimes your manager wants to query the information coming from a particular sensor for the past week very rapidly; after that, the data is infrequently accessed for another week, and then it needs to be archived. How will you do this?

Since the data fetch pattern is different for each week, it would be better to define different DynamoDB tables for each week with the current week having a higher provisioned throughput configured. The data can then be moved to Glacier and the old DynamoDB table can be dropped.

Your project has an application running on an Amazon EC2 instance in a VPC that needs to access external third-party services. A client running in another VPC in the same region must be able to communicate with this application. Security policies require that this application should not be accessible from the internet.

  • We can configure a VPC peering connection between the application VPC and the client VPC, and configure a NAT gateway in the application VPC.
  • The VPC peering connection allows the client running in the other VPC to access the application.
  • A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IPv4 addresses or IPv6 addresses. Instances in either VPC can communicate with each other as if they are within the same network. You can create a VPC peering connection between your own VPCs, or with a VPC in another AWS account.
  • A NAT gateway lets the application be hosted in private subnets while still being able to reach the external third-party services.
  • You can use a network address translation (NAT) gateway to enable instances in a private subnet to connect to the internet or other AWS services, but prevent the internet from initiating a connection with those instances.