acloudguru Flashcards

Question 1

Q

You previously used access keys to access S3 from an EC2 instance, but changed to a role.

But you still cannot connect.

What could be a reason?

Answer

A

The credentials are still stored in /.aws and need to be deleted first.

Question 2

Q

How to encrypt a volume currently attached to an instance?

Answer

A

Create a snapshot

- Copy the snapshot (same region) and choose “Encrypt this snapshot”

Question 3

Q

How to create multiple AWS CLI profiles (for example with different roles)

Answer

A

aws configure –profile my_other_profile

Question 4

Q

What ist the API call to obtain a session for MFA for CLI/SDK?
And what is returned?

Answer

A

STS GetSessionToken
aws sts-get-session-token –serial-number [your device] –token-code [current code] –duration [ttl]

SecretAccessKey
SessionToken
Expiration
AccessKeyId

Question 5

Q

What should be done when an “intermittent error” occurs?

Answer

A

Implement Exponential Backoff, since a rate limit for API calls has been hit

Question 6

Q

What ist “Exponential Backoff”

Answer

A

on failed API calls the wait time to the next call is increased on failure.
1s -> 2s -> 4s -> 8s

Question 7

Q

What is the chain of priorities for CLI credentials?

Answer

A

CLI options
ENV variables (AWS_ACCESS_KEY_ID..)
CLI credentials file
CLI configuration file
Container credentials
Instance Profile credentials

Question 8

Q

What are the option for SigV4 signing?

Answer

A

Using HTTP Header

Using query string options

Question 9

Q

For which actions is MFA delete (if enabled) neccessary?

Answer

A

Permanently delete

- suspend versioning

Question 10

Q

S3: How are deletes on an CRR Bucket handled?

Answer

A

Per default: no replication of delete marker, but can be set.

Question 11

Q

S3: Is it possible to chain replication across three regions?

Question 12

Q

Lambda: What is needed to connect Lambda to a file system?

Answer

A

A connection to a VPC

Question 13

Q

CodeCommit: What are the three merge strategies?

Answer

A

Fast forward merge

Squash and merge

3-way merge

Question 14

Q

CodeCommit: What are approval rules?

Answer

A

Rule that says how many developers have to vote for a pull request to be pulled.

Possible to specify who counts for the voting

Possible to specify the branches

Question 15

Q

What is CodeArtifact?

Answer

A

Repository for storing build artifacts (like jar files)

Question 16

Q

CodeBuild: what should be enabled to visualize the status of the build?

Answer

A

BuildBadge

Question 17

Q

CodeBuild: What can be source provider?

Answer

A

CodeCommit
S3
GitHub

Question 18

Q

CodeBuild: What are the two authentification methods for GitHub?

Answer

A

Personal Token

OAuth

Question 19

Q

CodeBuild: What are the three options to reference the right code in CodeCommit?

Answer

A

Branch
Commit ID
Git Tag

Question 20

Q

CodeBuild: What can be done to troubleshoot a running build job?

Answer

A

Use the CLI and utilize the codebuild-breakpoint command

Question 21

Q

CodeBuild: what are the four phases in the BuildSpec?

Answer

A

install
pre_build
build
post_build

Question 22

Q

CodeDeploy: What are the Compute platforms for an application?

Answer

A

OnPremise
EC2
Lambda
ECS

Question 23

Q

CodeDeploy: Which are the two methods of deployment?

Answer

A

In-Place (not for lambda)

Blue/Green

Question 24

Q

CodeDeploy: What are the four parts of the appspec file?

Answer

A

Version
Files
OS
Hooks

Question 25

Q

CodeDeploy: What are the 13 appspec hooks?

Answer

A

ApplicationStop
DownloadBundle
BeforeInstall
Install
AfterInstall

ApplicationStart
ValidateService
BeforeBlockTraffic
BlockTraffic
AfterBlockTraffic
BeforeAllowTraffic
AllowTraffic
AfterAllowTraffic

Question 26

Q

S3: What is needed for Static Website Hosting?

Answer

A

Public S3 Bucket
Bucket Policy
index.html file (does not need to be named index.html)

Question 27

Q

Cloudformation: What is a Stack Policy?

Answer

A

Defines the resources that you want to protect from unintentional updates during a stack update.

Question 28

Q

CloudFormation: What are the four operations of a change set?

Answer

A

Create
View
Execute
Delete

Question 29

Q

API Gateway: What is a Resource Policy?

Answer

A

A Resource Policy is a JSON policy document that you attach to an API to control whether a specified principal (typically an IAM user or role) can invoke the API. You can use a Resource Policy to enable users from a different AWS account to securely access your API or to allow the API to be invoked only from specified source IP address ranges or CIDR blocks. Resource Policies can be used with REST APIs in Amazon API Gateway.

Question 30

Q

API Gateway: What is the HTTP Code for a dropped request de to throtteling?

Answer

A

HTTP 429 Too Many Requests

Question 31

Q

API Gateway: Does Amazon API Gateway provide API result caching?

Answer

A

Yes,

specifying its size in gigabytes
TTL
provisioned for a specific stage

Question 32

Q

API Gateway: Can you change a public or private API endpoint type in API Gateway?

Answer

A

Yes, it will take up to 60s.

The following endpoint type changes are supported:

From edge-optimized to regional or private
From regional to edge-optimized or private
From private to regional

You cannot change a private API into an edge-optimized API.

Question 33

Q

API Gateway: What are the three types of endpoints?

Answer

A

Edge-optimized API endpoints

best for geographically distributed clients.
routed to the nearest CloudFront Point of Presence

Regional API endpoints
- clients in the same region.

Private API endpoints
- can only be accessed from your Amazon Virtual Private Cloud (VPC) using an interface VPC endpoint

Question 34

Q

Kinesis: What are the three factors that determine the number of shards necessary?

Answer

A

Record size (in KB)
Writes per second

Question 35

Q

Kinesis: How many shards are necessary for 300 writes/sec on 50kb size?

Answer

A

15

(300*50) / 1000

Question 36

Q

Kinesis: What are the limits per shard?

Answer

A

1000kb / 1000 writes per second

Question 37

Q

Kinesis: What are the three types of producers?

Answer

A

Amazon Kinesis Agent
AWS SDK
Amazon Kinesis Producer Library (KPL)

Question 38

Q

IAM: Which three ways can you authenticate a MFA device?

Answer

A

AWS Management Console, API, CLI

Question 39

Q

IAM: What consistency level does IAM utilize?

Answer

A

IAM is eventually consistent.

Question 40

Q

IAM: What is a principal?

Answer

A

An entity that can take an action on an AWS resource.

IAM users, roles, federated users, and applications are all AWS principals.

Question 41

Q

IAM: Can you specify a wildcard (*) as the principal for a role?

Answer

A

No, Wildcards (*) cannot be specified as a principal.

Question 42

Q

IAM: What is a Trust policy?

Answer

A

Specifies the trusted accounts that are allowed to assume the role.

Question 43

Q

IAM: What are the three types of policies?

Answer

A

Managed policies | Customer managed policies | Inline policies

Managed Policy:

Created and administered by AWS.
Used for common use cases based on job function
Cannot change the permissions assigned.

Customer Managed Policy:
- Standalone policy that you create and administer in your own AWS account.

Inline Policy:

Strict 1:1 relationship between the entity and the policy.
When you delete the user, group or role in which the inline policy is embedded, the policy will also be deleted.
In most cases, AWS recommends using Managed Policies instead of inline policies.

Question 44

Q

IAM: How to get information about an instance profile

Answer

A

aws iam get-instance-profile

Question 45

Q

CloudFront: What can be an origin?

Answer

A

Origins can be either

an S3 bucket
an EC2 instance
an Elastic Load Balancer
Route 53
can also be external (non-AWS).

Question 46

Q

CloudFront: What is the default caching time?

Answer

A

Objects are cached for 24 hours by default.

Question 47

Q

DynamoDB: What IAM Policies are allowed?

Answer

A

DynamoDB supports identity-based policies:

DynamoDB doesn’t support resource-based policies.

Question 48

Q

DynamoDB: What is a composite key?

Answer

A

Partition key + Sort key(s)

Question 49

Q

DynamoDB: What can negatively affect read/write capabilities?

Answer

A

Uneven distribution of data due to the wrong choice of partition key.
Frequent access of the same key in a partition (the most popular item, also known as a hot key).
A request rate greater than the provisioned throughput.

Question 50

Q

DynamoDB: What are the best practices for partition keys?

Answer

A

Use high-cardinality attributes – e.g. e-mailid, employee_no, customerid, sessionid, orderid, and so on.
Use composite attributes – e.g. customerid+productid+countrycode as the partition key and order_date as the sort key.
Cache popular items – use DynamoDB accelerator (DAX) for caching reads.
Add random numbers or digits from a predetermined range for write-heavy use cases – e.g. add a random suffix to an invoice number such as INV00023-04593

Question 51

Q

DynamoDB: What are the disadvantages of Strongly consistent reads?

Answer

A

A strongly consistent read might not be available if there is a network delay or outage. In this case, DynamoDB may return a server error (HTTP 500).
Strongly consistent reads may have higher latency than eventually consistent reads.
Strongly consistent reads are not supported on global secondary indexes.
Strongly consistent reads use more throughput capacity than eventually consistent reads.

Question 52

Q

DynamoDB: How to enable Strongly Consistent Reads?

Answer

A

You can configure strongly consistent reads with the GetItem, Query and Scan APIs by setting the –consistent-read (or ConsistentRead) parameter to “true”.

Question 53

Q

DynamoDB: What is the call methods for Transactions?

Answer

A

TransactWriteItems / TransactGetItems

Question 54

Q

DynamoDB: Why are transactions more costly?

Answer

A

DynamoDB performs two underlying reads or writes of every item in the transaction: one to prepare the transaction and one to commit the transaction.

Question 55

Q

DynamoDB: How is a Scan operation limited?

Answer

A

A single Scan operation reads up to the maximum number of items set (if using the Limit parameter) or a maximum of 1 MB.

Question 56

Q

DynamoDB: How can you limit the the returned attributes on a scan operation?

Answer

A

You can use the ProjectionExpression parameter

Question 57

Q

DynamoDB: What is a filter expression?

Answer

A

Used in scans to filter out unwanted items

NOTE: done after the scan and before the values are returned.

Question 58

Q

DynamoDB: A Scan is slow, how to speed it up?

Answer

A

For faster performance on a large table or secondary index, applications can request a parallel Scan operation by providing the Segment and TotalSegments parameters.

Question 59

Q

DynamoDB: Is it possbile to use Strongly Consisten reads on a scan operation?

Answer

A

yes, but not per default.
If you need a consistent copy of the data, as of the time that the Scan begins, you can set the ConsistentRead parameter to true.

Question 60

Q

DynamoDB: What is a query operation?

Answer

A

A query operation finds items in your table based on the primary key attribute and a distinct value to search for.

Question 61

Q

DynamoDB: How are query operation results sorted? And how to reverse the order?

Answer

A

Results are always sorted by the sort key.

You can reverse the order by setting the ScanIndexForward parameter to false.

Question 62

Q

DynamoDB: How to reduce the impact of a scan/query operation?

Answer

A

Setting a smaller page size which uses fewer read operations. A larger number of smaller operations will allow other requests to succeed without throttling.

Question 63

Q

DynamoDB: What are the key facts for Local Secondary Indices?

Answer

A

uses the same Partition Key, but a different Sort Key
up to five LSIs per table
must be created at table creation time
has the same partition key as the original table

Question 64

Q

DynamoDB: What are the key facts for Global Secondary Indices?

Answer

A

basically a completly new table, but with the same data
can be created at any time
has different partition - and sort key
RCU / WCU must be defined (can be changed)
If writes are throttled on the GSI, the main table will be throttled

Answer 64

A

You typically need to ensure that you have at least the same, or more, RCU/WCU specified in your GSI as in your main table to avoid throttling on your main table.

Answer 65

A

Used in 4KB increments
One strongly consistent read per increment
Two eventual consistent reads per increment
Twice the RCUs for transactional operations

Example: a strongly consistent read of an 8 KB item would require two RCUs, an eventually consistent read of an 8 KB item would require one RCU, and a transactional read of an 8 KB item would require four RCUs.

Answer 66

A

Used in 1KB increments
Transactional will double the needs

For example, a standard write request of a 1 KB item would require one WCU, a standard write request of a 3 KB item would require three WCUs, and a transactional write request of a 3 KB item would require six WCUs.

Answer 67

A

When using DynamoDB global tables, your data is written automatically to multiple AWS Regions of your choice.
Each write occurs in the local Region as well as the replicated Regions.

Answer 68

A

DAX is a write-through caching service – this means the data is written to the cache as well as the back end store at the same time.

Answer 69

A

stores this information in a log for up to 24 hours
stream can be an event source for Lambda
enabled with StreamEnabled = true
StreamViewType handles which data is written to the stream (KEYS_ONLY, NEW_IMAGE, OLD_IMAGE, NEW_AND_OLD_IMAGES)

Answer 70

A

PutItem – create data or full replacement (consumes WCU).
UpdateItem – update data, partial update of attributes (can use atomic counters).
Conditional writes – accept a write / update only if conditions are met.
DeleteItem – delete an individual row (can perform conditional delete).
DeleteTable – delete a whole table (quicker than using DeleteItem on all items).
BatchWriteItem – can put or delete up to 25 items in one call (max 16MB write / 400KB per item).

Answer 71

A

GetItem – read based on primary key (eventually consistent by default, can request strongly consistent read). Projection expression can be specified to include only certain attributes.
BatchGetItem – up to 100 items, up to 16MB per item. Items are retrieved in parallel to minimize latency.
Query – return items based on PartitionKey value and optionally a sort key. FilterExpression can be used for filtering. Returns up to 1MB of data or number of items specified in Limit. Can do pagination on results. Can query table, local secondary index, or a global secondary index.
Scan – scans the entire table (inefficient). Returns up to 1MB of data – use pagination to view more results. Consumes a lot of RCU. Can use a ProjectionExpression + FilterExpression.

Answer 72

A

Optimistic locking is a strategy to ensure that the client-side item that you are updating (or deleting) is the same as the item in Amazon DynamoDB.

Answer 73

A

You can optionally specify a condition expression to determine which items should be modified.

If the condition expression evaluates to true, the operation succeeds; otherwise, the operation fails.

Answer 74

A

Metrics cannot be deleted but automatically expire after 15 months.

Answer 75

A

Metrics are uniquely defined by a name, a namespace, and zero or more dimensions.

Answer 76

A

An aggregated set of data points

Answer 77

A

If you set an alarm on a high-resolution metric, you can specify a high-resolution alarm with a period of 10 seconds or 30 seconds, or you can set a regular alarm with a period of any multiple of 60 seconds.

Answer 78

A

Metrics in different namespaces are isolated from each other, so that metrics from different applications are not mistakenly aggregated into the same statistics.

Answer 79

A

An Attribute that further describes the environment, such as instance ID, or instance type

Answer 80

A

Returns the value of an output exported by another stack.

Answer 81

A

directly in plain text

- using the SSM Parameter store

Answer 82

A

Install: install dependencies you may need for the build.
Pre-build: final commands to execute before build.
Build: actual build commands.
Post build: finishing touches (e.g. zip file output).

Answer 83

A

In Place (only EC2)
Blue/Green

Answer 84

A

Set of data points, for example a HTTP Request, which contains information about the host, the request, the response and errors

Answer 85

A

Use a deny with a condition for “aws:SecureTransport”

Answer 86

A

Anything before the option is turned on
Objects encrypted with SSE-C
Objects encrypted with SSE-KMS - if not specifically enabled
If bucket owner differs from source to destination
If a particular version is deleted

Answer 87

A

Before: Enable “Restrict Bucket Access”

After: DIstribution -> Origins -> “Restrict Bucket Access” + select Origin Access Identity (A special CF user) + Update Read Permissions on Bucket

Answer 88

A

S3 Bucket Policy
IAM Policy

An IAM Policy is an entity that, when attached to an identity or resource, defines their permissions. A Bucket Policy is a resource-based AWS Identity and Access Management (IAM) policy. You add a bucket policy to a bucket to grant other AWS accounts or IAM users access permissions for the bucket and the objects in it. IAM Policies and Bucket Policies work together in combination to determine who or what can access an S3 bucket and what actions they are allowed to take.

Answer 89

A

Access key ID, secret access key, security token
GetFederationToken returns a set of temporary security credentials (consisting of an access key ID, a secret access key, and a security token) for a federated user.

Reference: https://docs.aws.amazon.com/STS/latest/APIReference/API_GetFederationToken.html

Answer 90

A

Anonymous guest access to your web application
Federated access to your web application for Facebook users
Federated access to your web application for Active Directory using SAML

Identity pools support anonymous guest users, as well as federation through third-party IdPs. You can leverage Amazon Cognito identity pools to handle unauthenticated users (users who do not authenticate with any identity provider), but instead access your app as a guest. For example, you can define a separate IAM role for these users to provide limited permissions to access your back-end resources.

Amazon Cognito provides authentication, authorization, and user management for your web and mobile apps. Your users can sign in directly with a user name and password, or through a third party such as Facebook, Amazon, or Google.

With Amazon Cognito, your users can sign-in through social identity providers such as Google, Facebook, and Amazon, and through enterprise identity providers such as Microsoft Active Directory using SAML.

Answer 91

A

The owner of the destination bucket must grant the owner of the source bucket permissions to replicate objects with a bucket policy.

Answer 92

A

IAM Groups
IAM Roles

You manage access in AWS by creating policies and attaching them to IAM identities (users, groups of users, or roles). A policy is an object in AWS that, when associated with an identity, defines their permissions. You can attach an IAM Policy to a user, group, or role. You can associate a role with an EC2 instance but you cannot attach an IAM Policy directly to the EC2 instance. You cannot attach policies to S3 buckets.

Answer 93

A

The AWS STS API AssumeRoleWithWebIdentity supports Web ID Federation.
The AWS STS API AssumeRole supports Cross Account Access.
The AWS STS API AssumeRoleWithSAML supports Azure AD Federation.
The AWS STS API AssumeRoleWithSAML supports Active Directory Federation. operations

Brainscape's Knowledge GenomeTM

acloudguru Flashcards

Brainscape's Knowledge Genome^TM