Module Quiz
Complete this quiz after finishing all concept and practice pages. Work closed-book; then review your answers against the explanations.
Current Module Questions
Question 1: Shared Responsibility for RDS
A developer says "we use RDS, so backups and patching are handled." Which parts of that are true, which need qualification, and which are still the customer's job?
Answer: AWS handles OS patching, Postgres binary patches, hardware failure recovery, and automated backups if the feature is enabled and the retention is set. The customer must enable automated backups, set retention, configure encryption, choose the maintenance window, manage parameter groups, manage IAM access, choose Multi-AZ for HA, and design point-in-time recovery. Backups and patching are not "handled"; they are available and must be configured.
Question 2: Regions and AZs
An RDS instance is set to "Multi-AZ." Does that protect you from the loss of the us-east-1 region?
Answer: No. Multi-AZ is a synchronous standby in another AZ of the same region. For region loss you need cross-region read replicas, Aurora Global Database, or some form of cross-region DR.
Question 3: Scenario - Compute Choice
You need to transcode video clips. Each job takes 2-20 minutes and requires up to 8 GB of memory. Traffic is steady at 60 jobs/hour. Which service would you choose and why? Which would you reject and why?
Answer: Fargate (or ECS on EC2) is the best fit. The job duration can exceed Lambda's 15-minute limit; the memory requirement is within Fargate's range; the steady traffic makes managed containers' pricing competitive. Reject Lambda because of the 15-minute hard limit. Reject raw EC2 unless you need GPU or specific kernel features - you would be taking on host patching and cluster management without gaining anything at this scale.
Question 4: Subnet Classification
What single configuration decides whether a subnet is public or private?
Answer: The presence (or absence) of a route for 0.0.0.0/0 in its route table pointing at an Internet Gateway. The subnet name and tags are cosmetic.
Question 5: NAT Gateway Placement
Why is "one NAT Gateway in one AZ" an antipattern for a production VPC?
Answer: NAT Gateways are AZ-scoped. If they are all in AZ-a and that AZ fails, private subnets in AZ-b and AZ-c lose outbound internet access. The correct design is one NAT Gateway per AZ that has private subnets needing outbound traffic.
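An added example (not course material) that turns Questions 4 and 5 into an audit check: it classifies subnets purely from their route tables, ignoring names and tags, and flags private subnets whose default route uses a NAT Gateway in a different AZ. The resource IDs, AZ names and function names are constructed for the example.

```python
# Added example (not course material): classify subnets from their route tables and flag private
# subnets whose default route depends on a NAT Gateway in another AZ. The dicts are constructed to
# resemble describe-route-tables / describe-nat-gateways / describe-subnets output; IDs are placeholders.
ROUTE_TABLES = {
    "rtb-public": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"},
    ],
    "rtb-private-a": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example-a"},
    ],
    "rtb-private-b": [  # antipattern: AZ-b traffic exits through the AZ-a NAT Gateway
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example-a"},
    ],
    "rtb-no-default": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}],
}
NAT_GATEWAY_AZ = {"nat-0example-a": "us-east-1a"}  # a NAT Gateway lives in exactly one AZ
SUBNETS = [  # the first subnet's Name tag says "private", but its route table says public
    {"SubnetId": "subnet-a1", "AvailabilityZone": "us-east-1a", "RouteTableId": "rtb-public",
     "Tags": {"Name": "private-app-a"}},
    {"SubnetId": "subnet-a2", "AvailabilityZone": "us-east-1a", "RouteTableId": "rtb-private-a"},
    {"SubnetId": "subnet-b1", "AvailabilityZone": "us-east-1b", "RouteTableId": "rtb-private-b"},
    {"SubnetId": "subnet-c1", "AvailabilityZone": "us-east-1c", "RouteTableId": "rtb-no-default"},
]

def default_route(routes):
    """Return the IPv4 default route (0.0.0.0/0) if the table has one."""
    return next((r for r in routes if r.get("DestinationCidrBlock") == "0.0.0.0/0"), None)

def classify_subnet(routes):
    """'public' only when the default route targets an Internet Gateway; anything else is private."""
    r = default_route(routes)
    if r is not None and r.get("GatewayId", "").startswith("igw-"):
        return "public"
    return "private"  # NAT Gateway route, or no default route at all

def classify_all(subnets=SUBNETS, route_tables=ROUTE_TABLES):
    return {s["SubnetId"]: classify_subnet(route_tables[s["RouteTableId"]]) for s in subnets}

def nat_az_mismatches(subnets=SUBNETS, route_tables=ROUTE_TABLES, nat_az=NAT_GATEWAY_AZ):
    """Private subnets whose outbound path crosses into another AZ: (subnet, nat, nat's AZ)."""
    findings = []
    for s in subnets:
        r = default_route(route_tables[s["RouteTableId"]]) or {}
        nat = r.get("NatGatewayId")
        if nat and nat_az.get(nat) != s["AvailabilityZone"]:
            findings.append((s["SubnetId"], nat, nat_az.get(nat)))
    return findings
```

Against real accounts the same two checks run over the output of the corresponding describe calls; the only signal used is the route table, never the subnet name.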
Question 6: L4 vs L7
You need to route traffic based on URL path (/v1/* vs /v2/*) to different target groups. Can you do this with an NLB? With an ALB?
Answer: Only the ALB (L7) can make decisions based on HTTP path, host, header, or cookie. An NLB operates at L4 (TCP/UDP) and cannot see HTTP details. Use ALB for path-based routing.
Question 7: Scenario - Storage
Your application generates a 200 GB daily log file that your on-call team occasionally greps through. Which storage class in S3 makes sense, and why?
Answer: Start in S3 Standard for the first week or so (while the log is "hot"), then lifecycle to Standard-IA after 30 days (cheaper storage, small retrieval fee), then to Glacier Flexible Retrieval after 90 days if grep-access becomes rare. Keep it in a bucket with lifecycle policies and versioning off to limit cost. The key is matching storage class to access frequency, not just age.
Question 8: Cold Starts
Why does a Lambda function attached to a VPC have worse cold starts than one that is not, and what would you do about it?
Answer: VPC-attached Lambdas must attach an ENI into the VPC on cold start, adding ~500 ms-2 s historically (much less with Hyperplane-backed ENIs but still non-zero). Options: avoid VPC attachment when you do not need it; use provisioned concurrency for latency-sensitive traffic; use SnapStart (for Java) to snapshot an initialized runtime; or move to Fargate/Cloud Run where cold start economics are different.
Question 9: IAM Policy Shape
What are the five elements of an IAM statement, and which one is only present in resource-based policies and cross-account trust policies?
Answer: Effect, Action, Resource, Condition are present in both identity- and resource-based policies. Principal is present in resource-based policies (S3 bucket policy, KMS key policy) and in role trust policies; it is implicit (the attached identity) in identity-based policies.
Question 10: Roles vs Users
Why is an EC2 instance with an IAM role preferred over one with an IAM user's access keys?
Answer: A role delivers short-lived, automatically-rotated credentials via the instance metadata service. A user means long-lived static keys on disk - they can be stolen, leaked into logs or Git history, and are rarely rotated. Roles also make cross-account and workload-identity patterns possible without key distribution.
Question 11: Scenario - Data Egress
A team adds a "sync to DR region" feature that replicates 5 TB/day from us-east-1 to eu-west-1. What cost line items appear, and roughly how big are they monthly?
Answer: Three lines grow: cross-region data transfer (~$0.02/GB × 5 TB × 30 = ~$3000), duplicate storage in eu-west-1 (add one region's worth of per-GB-month charges), and potentially per-request replication fees if it is S3 replication. Order-of-magnitude: several thousand dollars per month on top of whatever the primary already costs. The team should also check whether data residency rules permit the transfer at all.
Question 12: Scenario - Landing Zone
A new team of 4 engineers joins your organization. Which accounts do they receive, and what IAM access?
Answer: At minimum: one team-<n>-dev, one team-<n>-staging, and one team-<n>-prod account, placed under the appropriate OUs (Non-prod vs Production). Humans get SSO access via Identity Center to roles scoped per account (Developer, ReadOnly, Admin). No long-lived IAM users. The prod account inherits stricter SCPs from the Production OU; dev inherits a looser set. Baseline: CloudTrail enabled, logs shipped to the Log Archive account, default tags enforced, budgets set at account level.
Question 13: SCP vs IAM
A developer asks: "If I delete all SCPs, but keep IAM policies the same, what changes?" Answer in plain language.
Answer: SCPs act as a Deny-list boundary around an account; removing them relaxes the cap. Any Action that was previously Deny-capped by an SCP (for example, iam:CreateUser, or actions in disallowed regions) becomes permitted as long as an IAM Allow exists. SCPs do not grant permissions on their own; they only block. Removing them never grants new permissions directly but removes the guardrail.
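An added example (not the course's own material) for Questions 9 and 13: a simplified policy evaluator over identity-policy and SCP statements that shows explicit Deny beating Allow, the SCP acting as a cap, and an empty SCP set relaxing the cap without granting anything. The policies, function names and condition handling are constructed and cover only StringEquals/StringNotEquals on aws:RequestedRegion; Resource matching and the Principal element are left out.

```python
from fnmatch import fnmatchcase

# Constructed policies for this added example (not from the course). Identity policies and SCPs
# carry Effect/Action/Resource/Condition; Principal (the fifth element) appears only in
# resource-based and trust policies, so it is not modelled here. Resource matching is also omitted.
IDENTITY_POLICY = [
    {"Effect": "Allow", "Action": ["iam:*", "s3:GetObject", "ec2:RunInstances"], "Resource": "*"},
]
# Effective SCP statements for the account: the default FullAWSAccess allow plus two guardrails.
SCPS = [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "iam:CreateUser", "Resource": "*"},
    {"Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["us-east-1", "eu-west-1"]}}},
]

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(stmt, action, ctx):
    """Does this statement apply to the action under the request context?"""
    if not any(fnmatchcase(action, pat) for pat in _as_list(stmt["Action"])):
        return False
    for op, keys in stmt.get("Condition", {}).items():
        for key, values in keys.items():
            present = ctx.get(key) in _as_list(values)
            if (op == "StringEquals" and not present) or (op == "StringNotEquals" and present):
                return False
    return True

def _decision(statements, action, ctx):
    """Standard evaluation order: explicit Deny wins, then any Allow, else implicit deny."""
    effects = {s["Effect"] for s in statements if _matches(s, action, ctx)}
    return "Deny" if "Deny" in effects else "Allow" if "Allow" in effects else "ImplicitDeny"

def is_allowed(action, region, identity_policy=IDENTITY_POLICY, scps=SCPS):
    """Allowed only if the SCP cap permits the action AND an identity Allow exists.
    An empty SCP set (the developer's 'delete all SCPs') imposes no cap but grants nothing."""
    ctx = {"aws:RequestedRegion": region}
    if scps and _decision(scps, action, ctx) != "Allow":
        return False
    return _decision(identity_policy, action, ctx) == "Allow"
```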
Question 14: Tagging
Why is it dangerous to leave tagging as a "best effort" practice across your accounts?
Answer: Without required tags, cost reports cannot attribute spend to teams or services. Anomalies are harder to diagnose. Automated governance (IAM boundaries keyed on PrincipalTag, ResourceTag-scoped policies, budget alerts grouped by tag) becomes unreliable. Retrofitting tags later is expensive because many resource types do not allow re-tagging after creation without rebuild.
Question 15: Scenario - "Our Bill Doubled"
Your monthly bill jumped from $6k to $12k last month. Name three places you would look first and why.
Answer: (1) The NAT Gateway line item - often a hidden cost when chatty services send traffic to the public internet or to services without VPC endpoints. (2) Data transfer out (cross-region or to the internet) - an egress spike, perhaps from a new DR replication or a log shipper. (3) Any new managed service added recently (a new RDS instance in Multi-AZ costs roughly 2x a single-AZ one; an Aurora cluster with 3 replicas runs hot). Then check cost-allocation tags to see which service or team is responsible; then check the anomaly detection dashboard.
Interleaved Review Questions
Prior Module Question 1 (from S8)
What is the difference between horizontal and vertical scaling, and which does an ASG across multiple AZs provide?
Answer: Vertical scaling increases the capacity of a single machine (bigger instance type); horizontal scaling adds more machines. An ASG spans multiple AZs and adds/removes instances horizontally; vertical scaling would require changing the launch template's instance type and replacing instances.
Prior Module Question 2 (from S6 - replication)
How does RDS Multi-AZ relate to the concept of synchronous replication you studied in S6?
Answer: Multi-AZ RDS uses synchronous replication to a standby in another AZ: writes are only acknowledged once both copies are durable. This is the same tradeoff seen in S6 - lower throughput and higher latency than async, but zero data loss on failover.
Prior Module Question 3 (from S7 - architecture)
Which architectural principle from S7 is most directly violated by a workload that uses a shared "everything" cloud account?
Answer: Separation of concerns / bounded contexts. The blast-radius boundary is missing. Changes or incidents in one workload can affect unrelated workloads, violating both the principle and typical audit requirements.
Prior Module Question 4 (from S8 - scale and reliability)
Take an S8 service-level objective of 99.9% availability. How does availability-zone design relate to meeting that SLO?
Answer: A single-AZ deployment accepts AZ-level failure as a full outage. At 99.9% (~43 minutes downtime/month), a single AZ outage can blow the budget on its own. Multi-AZ is the baseline architectural answer; the remaining budget is spent on app-level faults, deploys, and dependencies.
Prior Module Question 5 (from S7 - API design)
You are designing a new internal API between two services in different accounts. Which cloud primitives from this module support the integration, and which architectural decision from S7 determines the contract?
Answer: PrivateLink (or VPC endpoints) keeps the traffic private; cross-account IAM roles authorize the caller; Route 53 private DNS provides stable names. From S7: the API contract (request/response shape, error model, versioning strategy) is the architectural decision; the cloud primitives support the transport.
Self-Assessment and Remediation
Scoring and Advancement Criteria
Mastery Level (90-100% correct):
- Status: Ready to advance to Module 2 (Infrastructure as Code).
- Action: proceed; revisit any single missed concept.
Proficient Level (75-89% correct):
- Status: Good grasp with targeted gaps.
- Action: re-read the concept pages tied to your incorrect answers and redo the matching kata.
Developing Level (60-74% correct):
- Status: Foundation present but insufficient.
- Action: rework Practice 1 (networking) and Practice 3 (IAM); redo the katas; re-take the quiz.
Insufficient Level (<60% correct):
- Status: Do not advance.
- Action: redo the module end-to-end. Focus on Clusters 1, 3, and 5; these are prerequisites for almost everything in S9.
Remediation Resources by Score Range
75-89% range:
- Review the concept pages corresponding to your missed questions.
- Redo the matching kata once from scratch.
60-74% range:
- Rework Practice 1 and Practice 3 from memory.
- Re-read Clusters 1, 3, and 5.
- Write a one-page summary of the shared-responsibility model and the IAM policy structure.
<60% range:
- Restart the module from Cluster 1.
- Pair with the official docs linked under See also for every concept.
- Re-attempt the quiz only after completing all four katas.