Documentation, FAQs

Question 1

X-RAY

Which are the languages supported for Services such as EC2?

Answer 1

You can use X-Ray with applications written in
- Java, 
- Node.js
- .NET 
- (Go, Ruby, Python)
that are deployed on these services.

Question 2

X-RAY

Which are the supported services?

Answer 2

AWS X-Ray works with

• Amazon EC2
• Amazon EC2 Container Service (Amazon ECS)
• AWS Lambda
• Amazon SQS
• Amazon SNS
• AWS Elastic Beanstalk

Question 3

X-Ray

The there a region limit for the service?

Answer 3

No, with X-Ray, you can trace requests made to applications that span multiple AWS accounts, AWS Regions, and Availability Zones.

Question 4

X-Ray

What needs to be done to enable X-Ray on Elastic Beanstalk?

Answer 4

You only have to integrate the X-Ray SDK with your application since the X-Ray agent is pre-installed on Elastic Beanstalk.

Question 5

X-Ray

What is a Service map?

Answer 5

Visual representation of the data flow in the services, which enables a high-level overview, but also allows to drill down into issues

Question 6

X-Ray

What is a Filter Expression?

Answer 6

Way to filter traces to specific use cases, for example traces that too more than 5seconds or where a 5xx error was thrown

Question 7

X-Ray

What is the use of the X-Ray daemon ?

Answer 7

Instead of sending data directly into X-Ray the daemon buffers segments in a queue and uploads them in batches.
The daemon is available for Linux, Windows, and macOS, and is included on AWS Elastic Beanstalk and AWS Lambda platforms.

Question 8

X-Ray

What is a segment?

Answer 8

An X-Ray segment encapsulates all the data points for a single component.

A Segment is the result of a Request, it includes:

• The host – hostname, alias or IP address
• The request – method, client address, path, user agent
• The response – status, content
• The work done – start and end times, subsegments
• Issues that occur – errors, faults and exceptions, including automatic capture of exception stacks.

Segment documents can be up to 64 kB in size.

Segments include system-defined and user-defined data in the form of annotations and are composed of one or more sub-segments that represent remote calls made from the service.

Question 9

X-Ray

What is a subsegment?

Answer 9

Subsegments provide more granular timing information and details about downstream calls

This lets you see all of your downstream dependencies, even if they don’t support tracing, or are external

Can contain additional details about a call to an AWS service, an external HTTP API, or an SQL database.

You can even define arbitrary subsegments to instrument specific functions or lines of code in your application.

Question 10

X-Ray

What are Traces?

Answer 10

A trace ID tracks the path of a request through your application. A trace collects all the segments generated by a single request. That request is typically an HTTP GET or POST request that travels through a load balancer, hits your application code, and generates downstream calls to other AWS services or external web APIs. The first supported service that the HTTP request interacts with adds a trace ID header to the request, and propagates it downstream to track the latency, disposition, and other request data.

Question 11

X-Ray

What is the TraceId?

Answer 11

Send as X-Amzn-Trace-Id it contains the root id, sampling info and additionally the parent segment ID

Question 12

X-Ray

What are annotations?

Answer 12

Annotations are simple key-value pairs that are indexed for use with filter expressions.

Use annotations to record information on segments or subsegments that you want indexed for search.

Question 13

X-Ray

What is the main difference between Annotations and Metadata?

Answer 13

Metadata is not indexed, therefore not used for searching with filter expressions

Question 14

X-Ray

How long does it take for trace data to be available in X-Ray?

Answer 14

Generally available for retrieval and filtering within 30 seconds of it being received by the service.

Question 15

X-Ray

How far back can I query the trace data? How long does X-Ray store trace data for?

Answer 15

X-Ray stores trace data for the last 30 days.

This enables you to query trace data going back 30 days.

Question 16

X-Ray

Are there partial traces?

Answer 16

In some situations (connectivity issues, delay in receiving segments, and so on) it is possible that trace information provided by the X-Ray APIs will be partial. In those situations, X-Ray tags traces as incomplete or partial.

Question 17

KMS

How to encrypt/decrypt locally?

Answer 17

The AWS Encryption SDK supports AWS KMS as a root key provider for developers who need to encrypt/decrypt data locally within their applications.

Question 18

KMS

What needs to be done after a key is automatically rotated?

Answer 18

Nothing, the service automatically keeps older versions of the root key available to decrypt previously encrypted data

Question 19

KMS

What is an Asymmetric Key?

Answer 19

For symmetric keys the same key is used for encryption and decryption - for asymmetric key that is a public and a private key.
The public key is send to the user, while the private key does not leave HSM.

Asymmetric keys cannot be used with the Custom Key Store option.

Question 20

KMS

How to handle a key that could be compromised?

Answer 20

Temporarily disable keys so they cannot be used by anyone

Re-enable disabled keys if cleared

Question 21

KMS

How is enveloped encryption done?

Answer 21

KMS creates a data key
data key is used to encrypt data
data key is encrypted with (plaintext) mater key
data key is stored alongside encrypted data

Question 22

KMS

What is a customer managed KMS key?

Answer 22

A key created and stored in KMS, it differs from the AWS managed key, which is created by AWS and used for specific services

Question 23

KMS

What type of keys can I import?

Answer 23

256-bit symmetric keys.

Question 24

KMS

What’s the difference between a key I import and a key I generate in AWS KMS?

Answer 24

Keys generated by AWS KMS do not have an expiration time and cannot be deleted immediately; there is a mandatory 7 to 30 day wait period. All customer managed KMS keys, irrespective of whether the key material was imported, can be manually disabled or scheduled for deletion.

Question 25

KMS

What keys can be rotated automatically?

Answer 25

KMS generated keys can be rotated once a year.

Automatic key rotation is not supported for imported keys, asymmetric keys, or keys generated in an AWS CloudHSM cluster using the AWS KMS custom key store feature.

Question 26

KMS

What is the API call to get the public key of an asymmetric key?

Answer 26

GetPublicKey

Question 27

KMS

How can data keys and data key pairs be exported out of the HSMs in plain text?

Answer 27

“GenerateDataKey” API or the “GenerateDataKeyWithoutPlaintext” API.

Asymmetric data key pairs: “GenerateDataKeyPair” API or the “GenerateDataKeypairWithoutPlaintext” API.

Question 28

Step functions

What is a state machines / state?

Answer 28

State Machine: complete workflow

State: a single step in the workflow

Question 29

Step functions

What is a Task?

Answer 29

Tasks perform work, either by coordinating another AWS service or an application that you can host basically anywhere

Question 30

Step functions

What is a Pass state?

Answer 30

Pass their input as output to the next state.

Question 31

Step functions

What are Parallel States?

Answer 31

Begin multiple branches of execution at the same time, such as running multiple Lambda functions at once.

Question 32

Step functions

What is a Choice State?

Answer 32

Choice states add branching logic to your state machine, and make decisions based on their input.

Question 33

Step functions

What is a state transition?

Answer 33

When you execute your state machine, each move from one state to the next is called a state transition.

Question 34

Step Functions

In what language is a step function written?

Answer 34

Amazon States Language (JSON based)

Question 35

Step Functions

What are the main differences between standard & express workflows?

Answer 35

Duration: 1 Year / 5min
Execution: once / at least once

Question 36

Step Functions

How can the steps communicate with each other?

Answer 36

Apps can interact and update the stream via Step Function API.

Question 37

Step Functions

What are the three types of steps?

Answer 37

sequential, branching or parallel steps.

Question 38

X-Ray

What is necessary to run X-Ray on EC2 / On-premise?

Answer 38

Linux system must run the X-Ray daemon.

IAM instance role if EC2, other AWS credentials on on-premise instance.

Question 39

X-Ray

What is necessary to run X-Ray on Lambda?

Answer 39

Make sure the X-Ray integration is ticked in the Lambda configuration (Lambda will run the daemon).

IAM role is the Lambda role.

Question 40

X-Ray

What is necessary to run X-Ray on Elastic Beanstalk?

Answer 40

Set configuration in the Elastic Beanstalk console.

Or use the Beanstalk extension (.ebextensions/xray-daemon.config)

Question 41

X-Ray

What is necessary to run X-Ray on ECS/EKS/Fargate?

Answer 41

Create a Docker image that runs the daemon or use the official X-Ray Docker image.

Ensure port mappings and network settings are correct and IAM task roles are defined.

Question 42

KMS

What are the permissions needed to use a key?

Answer 42

"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"

Question 43

KMS

What does aws re-encrypt do?

Answer 43

It decrypts the file (in memory) and decrypts and saves it in a different file.

Useful when giving a different encryption key as before

Question 44

KMS

Can you export a CMK?

Answer 44

A CMK can never be exported from KMS (CloudHSM allows this).

Question 45

Dynamo DB

How can you change the primary key of an item?

Answer 45

A transaction will be used to delete and recreate the item with the new keys

Question 46

Dynamo DB

What is the scope of a query?

Answer 46

In queries you an only retrieve data by searching for the primary key.
Additionally it is possible to add the sort key to further refine the result (if only looking for the primary key produces to many results)

Results can then be more specific by using a filter (color = blue e.g.)

Question 47

Dynamo DB

What is the default order of a query result?

Answer 47

Ordered by the sort key in ascending order.

Can be changed setting ScanIndexForward to false

Question 48

DynamoDB

What is the purpose for ScanIndexForward in scan results?

Answer 48

Nothing, ScanIndexForward is only used in queries

Question 49

Dynamo DB

What is a parallel scan?

Answer 49

A scan only gets data in 1mb increments from one partition.
You can scan multiple partitions for a quicker result.

This should not be done if the DB is currently under load.

Question 50

Dynamo DB

If there’s always lots of traffic, but you regularly need to scan the table, what can be done?

Answer 50

Create a second table and make the writes to both of them

Question 51

Dynamo DB

What kind of caching strategy does DAX use?

Answer 51

Write through caching

DynamoDB writes to the cache and the (normal) table at the same time

Question 52

Dynamo DB

How is a API Call with a DAX cache made?

Answer 52

Client is pointed to the Cache:

a) gets a Cache hit, item will be returned
b) gets a miss, DAX performs getItem (eventual consistent) against the table, stores the value in the cache and returns the result

Question 53

Dynamo DB

How long is a stream saved?

Answer 53

24h

Question 54

DynamoDB

Which policies does it support?

Answer 54

DynamoDB supports identity-based policies:
You can use a special IAM condition to restrict user access to only their own records.

DynamoDB doesn’t support resource-based policies.

Question 55

DynamoDB

What is the ARN Format for an index?

Answer 55

arn:aws:dynamodb:[region]:[account]:[tableid]/[tablename]/index/[indexname]

Question 56

Dynamo DB

When is DynamoDB creating new partitions?

Answer 56

DynamoDB allocates additional partitions to a table in the following situations:

• If you increase the table’s provisioned throughput settings beyond what the existing partitions can support.
• If an existing partition fills to capacity and more storage space is required.

Question 57

DynamoDB

How is a partition key defined?

Answer 57

1) Value of the Partition key is input to an internal hash function which determines the partition or physical location on which the data is stored.
2) If you are using the Partition key as your Primary key, then no two items can have the same partition key.

Best practices for partition keys:

• Use high-cardinality attributes – e.g. e-mailid, employee_no, customerid, sessionid, orderid, and so on.
• Use composite attributes – e.g. customerid+productid+countrycode as the partition key and order_date as the sort key.
• Cache popular items – use DynamoDB accelerator (DAX) for caching reads.
• Add random numbers or digits from a predetermined range for write-heavy use cases – e.g. add a random suffix to an invoice number such as INV00023-04593

Question 58

DynamoDB

What are the disadvantages of Strongly consistent reads

Answer 58

• A strongly consistent read might not be available if there is a network delay or outage. In this case, DynamoDB may return a server error (HTTP 500).
• Strongly consistent reads may have higher latency than eventually consistent reads.
• Strongly consistent reads are not supported on global secondary indexes.
• Strongly consistent reads use more throughput capacity than eventually consistent reads.

Question 59

DynamoDB

What are the costs of Transactions?

Answer 59

There is no additional cost to enable transactions for DynamoDB tables.

DynamoDB performs two underlying reads or writes of every item in the transaction: one to prepare the transaction and one to commit the transaction.

Question 60

DynamoDB

What can be done to optimize a scan?

Answer 60

• use ProjectionExpression to only return needed attributes
• use FilterExpression to filter out unwanted items (done after everything is retrieved)
• use parallel scans to get results faster (strains RCU consumption)
• Limit page size, if provisioned throughput is reached
• use eventual consistent reads (if possible)

Question 61

DynamoDB

What data is affected when setting a TTL?

Answer 61

he TTL is enabled per row (you define a TTL column and add the expiry date / time there).
Deleted items are also deleted from the LSI / GSI.

Question 62

DynamoDB

Define BatchWriteItem & BatchGetItem

Answer 62

Can put or delete up to 25 items in one call (max 16MB write / 400KB per item).

Up to 100 items, up to 16MB per item. Items are retrieved in parallel to minimize latency.

Question 63

DynamoDB

What is Optimistic Locking

Answer 63

Optimistic locking is a strategy to ensure that the client-side item that you are updating (or deleting) is the same as the item in Amazon DynamoDB.

Protects database writes from being overwritten by the writes of others, and vice versa.

Question 64

Lambda

How to directly call a version / alias?

Answer 64

arn: aws:lambda:REGION:ID:function:[FUNCTIONNAME]:[VERSION]
arn: aws:lambda:REGION:ID:function:[FUNCTIONNAME]:[ALIAS]

Question 65

Lambda

What is the default Concurrent Execution limit and what happens if it is hit?

Answer 65

Default is 1000 (per Region)

Request will return 429: TooManyRequestsException

Question 66

Lambda

How to invoke Lambda asynchronously?

Answer 66

–invocation-type Event

Question 67

Lambda

What are the Status Codes returned by synch. / asynch. invocations?

Answer 67

Synchronous: 200, 503 etc.
Asynchronous: 202

Question 68

Lambda

What are the services that Lambda dan read events from?

Answer 68

Amazon Kinesis
Amazon DynamoDB
Amazon Simple Queue Service

Question 69

Lambda

What is “Event Source Mapping”?

Answer 69

In order to react to events in a service (such as messages in a SQS queue) Lambda needs three configurations:

• permissions
• event structure settings
• polling behavior

Question 70

Lambda

Which “items” are mutable / immutable?

Answer 70

$LATEST is mutable (changeable)
Versions are immutable
Aliases are mutable.

Question 71

Lambda

What are aliases?

Answer 71

• Mutable versions of a function
• can be used for environments etc. w/o the knowledge which version they are assigned to
• Aliases enable blue / green deployment by assigning weights to Lambda version (doesn’t work for $LATEST, you need to create an alias for $LATEST).

Question 72

Lambda

What is the throttling behavior for (a)sync requests?

Answer 72

Throttle behavior:

For synchronous invocations returns throttle error 429.
For asynchronous invocations retries automatically (twice) then goes to a Dead Letter Queue (DLQ).

Question 73

Lambda

What is reserved concurrency?

Answer 73

Guarantee of concurrent executions.
Sum of reserved concurrency cannot exceed max. concurrency - 100
Can be used to limit - for example to ensure that the database can handle the traffic

Question 74

Lambda

What can be done to ensure that the lambda can handle sudden traffic spikes?

Answer 74

Use Provisioned Concurrency to the amount of traffic that can be expected (additional costs occur)

Question 75

Lambda

Which role should be attached if the function will be placed in a VPC?

Answer 75

AWSLambdaVPCAccessExecutionRole

Question 76

Lambda

What needs to be done in order to enable a web socket load balancing with an ALB and Lambda?

Answer 76

WebSockets are not supported from a Load Balancer, but it is supported by API Gateway

Question 77

Lambda

What are the limits of lambda?

Answer 77

Memory allocation 128MB – 3008MB in 64MB increments.

Maximum execution time is 15 minutes (900 seconds).

Size of environment variables maximum 4KB.

Disk capacity in the “function container” (/tmp) is 512 MB.

Invocation payload:

• Synchronous 6 MB.
• Asynchronous 256 KB

Lambda function deployment size is 50 MB (zipped), 250 MB unzipped.

Question 78

API Gateway

Can you create HTTP Endpoints (without encryption)?

Answer 78

All of the APIs created with Amazon API Gateway expose HTTPS endpoints only (does not support unencrypted endpoints).

Question 79

API Gateway

What are the differences between Edge-Optimized , Regional & Private Endpoints?

Answer 79

Regional Endpoint
- for clients in the same region.

Edge-Optimized Endpoint

• is best for geographically distributed clients. API requests are routed to the nearest CloudFront Point of Presence (POP).
• Edge-optimized APIs capitalize the names of HTTP headers (for example, Cookie).
• CloudFront sorts HTTP cookies in natural order by cookie name before forwarding the request to your origin

Private Endpoint
- A private API endpoint is an API endpoint that can only be accessed from your Amazon Virtual Private Cloud (VPC) using an interface VPC endpoint,

Question 80

API Gateway

What is the configuration chain for requests?

Answer 80

Method Request -> Integration Request -> Integration Response -> Method Response

Question 81

API Gateway

What are the use cases for stage variables?

Answer 81

• Configure HTTP endpoints your stages talk to (dev, test, prod etc.).
• Pass configuration parameters to AWS Lambda through mapping templates.
• You can create a stage variable to indicate the corresponding Lambda alias.

Question 82

API Gateway

What can be done with Mapping templates?

Answer 82

Uses Velocity Template Language (VTL).
Mapping templates can be used to modify request / responses.

• Rename parameters.
• Modify body content.
• Add headers.
• Map JSON to XML for sending to backend or back to client.
• Filter output results (remove unnecessary data).-

Question 83

API Gateway

What are the throttling limits?

Answer 83

If you go over 10,000 requests per second or 5,000 concurrent requests you will receive a 429 Too Many Requests error response.

Question 84

Kinesis

What is the difference between KCL and the Kinesis Data Streams API?

Answer 84

The KCL is different from the Kinesis Data Streams API that is available in the AWS SDKs.

The Kinesis Data Streams API helps you manage many aspects of Kinesis Data Streams (including creating streams, resharding, and putting and getting records).

The KCL provides a layer of abstraction specifically for processing data in a consumer role.

Question 85

Kinesis

What should be considered for the amount of KCLs and Shards?

Answer 85

You never need multiple instances to handle the processing of one shard.
However, one worker can process multiple shards.

Example:
4 shards = max 4 KCL instances.

Question 86

Kinesis

On which platforms does the KCL run?

Answer 86

KCL can run on EC2, Elastic Beanstalk, and on-premises servers.

Question 87

Kinesis

What are the main differences between SQS and Kinesis?

Answer 87

SQS:

• Data is deleted after being consumed.
• No need to provision throughput.
• No ordering guarantee (except with FIFO queues).

Kinesis:

• Possible to replay data.
• Ordering at the shard level.
• Must provision throughput.