acloudguru Flashcards
1
Q
You previously used access keys to access S3 from an EC2 instance, but changed to a role.
But you still cannot connect.
What could be a reason?
A
The credentials are still stored in /.aws and need to be deleted first.
2
Q
How to encrypt a volume currently attached to an instance?
A
- Create a snapshot
- Copy the snapshot (same region) and choose “Encrypt this snapshot”
3
Q
How to create multiple AWS CLI profiles (for example with different roles)
A
aws configure –profile my_other_profile
4
Q
What ist the API call to obtain a session for MFA for CLI/SDK?
And what is returned?
A
STS GetSessionToken
aws sts-get-session-token –serial-number [your device] –token-code [current code] –duration [ttl]
SecretAccessKey
SessionToken
Expiration
AccessKeyId
5
Q
What should be done when an “intermittent error” occurs?
A
Implement Exponential Backoff, since a rate limit for API calls has been hit
6
Q
What ist “Exponential Backoff”
A
on failed API calls the wait time to the next call is increased on failure.
1s -> 2s -> 4s -> 8s
7
Q
What is the chain of priorities for CLI credentials?
A
- CLI options
- ENV variables (AWS_ACCESS_KEY_ID..)
- CLI credentials file
- CLI configuration file
- Container credentials
- Instance Profile credentials
8
Q
What are the option for SigV4 signing?
A
Using HTTP Header
Using query string options
9
Q
For which actions is MFA delete (if enabled) neccessary?
A
- Permanently delete
- suspend versioning
10
Q
S3: How are deletes on an CRR Bucket handled?
A
Per default: no replication of delete marker, but can be set.
11
Q
S3: Is it possible to chain replication across three regions?
A
No,
12
Q
Lambda: What is needed to connect Lambda to a file system?
A
A connection to a VPC
13
Q
CodeCommit: What are the three merge strategies?
A
Fast forward merge
Squash and merge
3-way merge
14
Q
CodeCommit: What are approval rules?
A
Rule that says how many developers have to vote for a pull request to be pulled.
Possible to specify who counts for the voting
Possible to specify the branches
15
Q
What is CodeArtifact?
A
Repository for storing build artifacts (like jar files)
16
Q
CodeBuild: what should be enabled to visualize the status of the build?
A
BuildBadge
17
Q
CodeBuild: What can be source provider?
A
CodeCommit
S3
GitHub
18
Q
CodeBuild: What are the two authentification methods for GitHub?
A
Personal Token
OAuth
19
Q
CodeBuild: What are the three options to reference the right code in CodeCommit?
A
Branch
Commit ID
Git Tag
20
Q
CodeBuild: What can be done to troubleshoot a running build job?
A
Use the CLI and utilize the codebuild-breakpoint command
21
Q
CodeBuild: what are the four phases in the BuildSpec?
A
install
pre_build
build
post_build
22
Q
CodeDeploy: What are the Compute platforms for an application?
A
OnPremise
EC2
Lambda
ECS
23
Q
CodeDeploy: Which are the two methods of deployment?
A
In-Place (not for lambda)
Blue/Green
24
Q
CodeDeploy: What are the four parts of the appspec file?
A
Version
Files
OS
Hooks
25
CodeDeploy: What are the 13 appspec hooks?
```
ApplicationStop
DownloadBundle
BeforeInstall
Install
AfterInstall
```
```
ApplicationStart
ValidateService
BeforeBlockTraffic
BlockTraffic
AfterBlockTraffic
BeforeAllowTraffic
AllowTraffic
AfterAllowTraffic
```
26
S3: What is needed for Static Website Hosting?
Public S3 Bucket
Bucket Policy
index.html file (does not need to be named index.html)
27
Cloudformation: What is a Stack Policy?
Defines the resources that you want to protect from unintentional updates during a stack update.
28
CloudFormation: What are the four operations of a change set?
Create
View
Execute
Delete
29
API Gateway: What is a Resource Policy?
A Resource Policy is a JSON policy document that you attach to an API to control whether a specified principal (typically an IAM user or role) can invoke the API. You can use a Resource Policy to enable users from a different AWS account to securely access your API or to allow the API to be invoked only from specified source IP address ranges or CIDR blocks. Resource Policies can be used with REST APIs in Amazon API Gateway.
30
API Gateway: What is the HTTP Code for a dropped request de to throtteling?
HTTP 429 Too Many Requests
31
API Gateway: Does Amazon API Gateway provide API result caching?
Yes,
- specifying its size in gigabytes
- TTL
- provisioned for a specific stage
32
API Gateway: Can you change a public or private API endpoint type in API Gateway?
Yes, it will take up to 60s.
The following endpoint type changes are supported:
- From edge-optimized to regional or private
- From regional to edge-optimized or private
- From private to regional
You cannot change a private API into an edge-optimized API.
33
API Gateway: What are the three types of endpoints?
Edge-optimized API endpoints
- best for geographically distributed clients.
- routed to the nearest CloudFront Point of Presence
Regional API endpoints
- clients in the same region.
Private API endpoints
- can only be accessed from your Amazon Virtual Private Cloud (VPC) using an interface VPC endpoint
34
Kinesis: What are the three factors that determine the number of shards necessary?
```
Record size (in KB)
Writes per second
```
35
Kinesis: How many shards are necessary for 300 writes/sec on 50kb size?
15
| (300*50) / 1000
36
Kinesis: What are the limits per shard?
1000kb / 1000 writes per second
37
Kinesis: What are the three types of producers?
Amazon Kinesis Agent
AWS SDK
Amazon Kinesis Producer Library (KPL)
38
IAM: Which three ways can you authenticate a MFA device?
AWS Management Console, API, CLI
39
IAM: What consistency level does IAM utilize?
IAM is eventually consistent.
40
IAM: What is a principal?
An entity that can take an action on an AWS resource.
| IAM users, roles, federated users, and applications are all AWS principals.
41
IAM: Can you specify a wildcard (*) as the principal for a role?
No, Wildcards (*) cannot be specified as a principal.
42
IAM: What is a Trust policy?
Specifies the trusted accounts that are allowed to assume the role.
43
IAM: What are the three types of policies?
Managed policies | Customer managed policies | Inline policies
Managed Policy:
- Created and administered by AWS.
- Used for common use cases based on job function
- Cannot change the permissions assigned.
Customer Managed Policy:
- Standalone policy that you create and administer in your own AWS account.
Inline Policy:
- Strict 1:1 relationship between the entity and the policy.
- When you delete the user, group or role in which the inline policy is embedded, the policy will also be deleted.
- In most cases, AWS recommends using Managed Policies instead of inline policies.
44
IAM: How to get information about an instance profile
aws iam get-instance-profile
45
CloudFront: What can be an origin?
Origins can be either
- an S3 bucket
- an EC2 instance
- an Elastic Load Balancer
- Route 53
- can also be external (non-AWS).
46
CloudFront: What is the default caching time?
Objects are cached for 24 hours by default.
47
DynamoDB: What IAM Policies are allowed?
DynamoDB supports identity-based policies:
| DynamoDB doesn’t support resource-based policies.
48
DynamoDB: What is a composite key?
Partition key + Sort key(s)
49
DynamoDB: What can negatively affect read/write capabilities?
- Uneven distribution of data due to the wrong choice of partition key.
- Frequent access of the same key in a partition (the most popular item, also known as a hot key).
- A request rate greater than the provisioned throughput.
50
DynamoDB: What are the best practices for partition keys?
- Use high-cardinality attributes – e.g. e-mailid, employee_no, customerid, sessionid, orderid, and so on.
- Use composite attributes – e.g. customerid+productid+countrycode as the partition key and order_date as the sort key.
- Cache popular items – use DynamoDB accelerator (DAX) for caching reads.
- Add random numbers or digits from a predetermined range for write-heavy use cases – e.g. add a random suffix to an invoice number such as INV00023-04593
51
DynamoDB: What are the disadvantages of Strongly consistent reads?
- A strongly consistent read might not be available if there is a network delay or outage. In this case, DynamoDB may return a server error (HTTP 500).
- Strongly consistent reads may have higher latency than eventually consistent reads.
- Strongly consistent reads are not supported on global secondary indexes.
- Strongly consistent reads use more throughput capacity than eventually consistent reads.
52
DynamoDB: How to enable Strongly Consistent Reads?
You can configure strongly consistent reads with the GetItem, Query and Scan APIs by setting the –consistent-read (or ConsistentRead) parameter to “true”.
53
DynamoDB: What is the call methods for Transactions?
TransactWriteItems / TransactGetItems
54
DynamoDB: Why are transactions more costly?
DynamoDB performs two underlying reads or writes of every item in the transaction: one to prepare the transaction and one to commit the transaction.
55
DynamoDB: How is a Scan operation limited?
A single Scan operation reads up to the maximum number of items set (if using the Limit parameter) or a maximum of 1 MB.
56
DynamoDB: How can you limit the the returned attributes on a scan operation?
You can use the ProjectionExpression parameter
57
DynamoDB: What is a filter expression?
Used in scans to filter out unwanted items
| NOTE: done after the scan and before the values are returned.
58
DynamoDB: A Scan is slow, how to speed it up?
For faster performance on a large table or secondary index, applications can request a parallel Scan operation by providing the Segment and TotalSegments parameters.
59
DynamoDB: Is it possbile to use Strongly Consisten reads on a scan operation?
yes, but not per default.
If you need a consistent copy of the data, as of the time that the Scan begins, you can set the ConsistentRead parameter to true.
60
DynamoDB: What is a query operation?
A query operation finds items in your table based on the primary key attribute and a distinct value to search for.
61
DynamoDB: How are query operation results sorted? And how to reverse the order?
Results are always sorted by the sort key.
| You can reverse the order by setting the ScanIndexForward parameter to false.
62
DynamoDB: How to reduce the impact of a scan/query operation?
Setting a smaller page size which uses fewer read operations. A larger number of smaller operations will allow other requests to succeed without throttling.
63
DynamoDB: What are the key facts for Local Secondary Indices?
- uses the same Partition Key, but a different Sort Key
- up to five LSIs per table
- must be created at table creation time
- has the same partition key as the original table
64
DynamoDB: What are the key facts for Global Secondary Indices?
- basically a completly new table, but with the same data
- can be created at any time
- has different partition - and sort key
- RCU / WCU must be defined (can be changed)
- If writes are throttled on the GSI, the main table will be throttled
65
DynamoDB: What should be considered when choosing RCU/WCU for a GSI?
You typically need to ensure that you have at least the same, or more, RCU/WCU specified in your GSI as in your main table to avoid throttling on your main table.
66
DynamoDB: How are RCUs used?
- Used in 4KB increments
- One strongly consistent read per increment
- Two eventual consistent reads per increment
- Twice the RCUs for transactional operations
Example: a strongly consistent read of an 8 KB item would require two RCUs, an eventually consistent read of an 8 KB item would require one RCU, and a transactional read of an 8 KB item would require four RCUs.
67
DynamoDB: How are WCU used?
- Used in 1KB increments
- Transactional will double the needs
For example, a standard write request of a 1 KB item would require one WCU, a standard write request of a 3 KB item would require three WCUs, and a transactional write request of a 3 KB item would require six WCUs.
68
DynamoDB: What are Replicated write capacity unit (rWCU)?
- When using DynamoDB global tables, your data is written automatically to multiple AWS Regions of your choice.
- Each write occurs in the local Region as well as the replicated Regions.
69
DynamoDB: What is write-through caching- and who uses it?
DAX is a write-through caching service – this means the data is written to the cache as well as the back end store at the same time.
70
DynamoDB: What are the key facts for DynamoDB Streams?
- stores this information in a log for up to 24 hours
- stream can be an event source for Lambda
- enabled with StreamEnabled = true
- StreamViewType handles which data is written to the stream (KEYS_ONLY, NEW_IMAGE, OLD_IMAGE, NEW_AND_OLD_IMAGES)
71
DynamoDB: What are the (six) API calls for writing data?
- PutItem – create data or full replacement (consumes WCU).
- UpdateItem – update data, partial update of attributes (can use atomic counters).
- Conditional writes – accept a write / update only if conditions are met.
- DeleteItem – delete an individual row (can perform conditional delete).
- DeleteTable – delete a whole table (quicker than using DeleteItem on all items).
- BatchWriteItem – can put or delete up to 25 items in one call (max 16MB write / 400KB per item).
72
DynamoDB: What are the (six) API calls for reading data?
- GetItem – read based on primary key (eventually consistent by default, can request strongly consistent read). Projection expression can be specified to include only certain attributes.
- BatchGetItem – up to 100 items, up to 16MB per item. Items are retrieved in parallel to minimize latency.
- Query – return items based on PartitionKey value and optionally a sort key. FilterExpression can be used for filtering. Returns up to 1MB of data or number of items specified in Limit. Can do pagination on results. Can query table, local secondary index, or a global secondary index.
- Scan – scans the entire table (inefficient). Returns up to 1MB of data – use pagination to view more results. Consumes a lot of RCU. Can use a ProjectionExpression + FilterExpression.
73
DynamoDB: What is Optimistic Locking?
Optimistic locking is a strategy to ensure that the client-side item that you are updating (or deleting) is the same as the item in Amazon DynamoDB.
74
DynamoDB: What are Conditional Updates?
You can optionally specify a condition expression to determine which items should be modified.
If the condition expression evaluates to true, the operation succeeds; otherwise, the operation fails.
75
CloudWatch: How to delete a metric?
Metrics cannot be deleted but automatically expire after 15 months.
76
CloudWatch: Which attributes describe a metric?
Metrics are uniquely defined by a name, a namespace, and zero or more dimensions.
77
CloudWatch: How long does CW store metrics when pushed every minute?
15 days
78
CloudWatch: What is a statistic set?
An aggregated set of data points
79
CloudWatch: For which times can you set an alarm for a high-resolution metric?
If you set an alarm on a high-resolution metric, you can specify a high-resolution alarm with a period of 10 seconds or 30 seconds, or you can set a regular alarm with a period of any multiple of 60 seconds.
80
CloudWatch: What is a namespace?
Metrics in different namespaces are isolated from each other, so that metrics from different applications are not mistakenly aggregated into the same statistics.
81
CloudWatch: What is a dimension?
An Attribute that further describes the environment, such as instance ID, or instance type
82
CloudFormation: What is the use of Fn::ImportValue
Returns the value of an output exported by another stack.
83
CodeBuild: How can you define environment variables?
- directly in plain text
| - using the SSM Parameter store
84
CodeBuild: What are the four phases?
Install: install dependencies you may need for the build.
Pre-build: final commands to execute before build.
Build: actual build commands.
Post build: finishing touches (e.g. zip file output).
85
CodeDeploy: Which are the two types of deployment?
```
In Place (only EC2)
Blue/Green
```
86
X-Ray: What is a segment?
Set of data points, for example a HTTP Request, which contains information about the host, the request, the response and errors
87
Security - S3:
How to make sure that SSL is used in transport?
Use a deny with a condition for "aws:SecureTransport"
88
Security - S3:
What is not replicated in "Cross Region Replication"?
- Anything before the option is turned on
- Objects encrypted with SSE-C
- Objects encrypted with SSE-KMS - if not specifically enabled
- If bucket owner differs from source to destination
- If a particular version is deleted
89
Security - S3:
How to force the use of CloudFront (instead of S3) before/after creating a CloudFront distribution?
Before: Enable "Restrict Bucket Access"
After: DIstribution -> Origins -> "Restrict Bucket Access" + select Origin Access Identity (A special CF user) + Update Read Permissions on Bucket
90
Which of the following two policies work in combination to define who or what can access an S3 bucket?
S3 Access Control Policies
IAM Policy
S3 Object Policy
S3 Bucket Policy
S3 Bucket Policy
IAM Policy
An IAM Policy is an entity that, when attached to an identity or resource, defines their permissions. A Bucket Policy is a resource-based AWS Identity and Access Management (IAM) policy. You add a bucket policy to a bucket to grant other AWS accounts or IAM users access permissions for the bucket and the objects in it. IAM Policies and Bucket Policies work together in combination to determine who or what can access an S3 bucket and what actions they are allowed to take.
91
Which elements are returned by the GetFederationToken service?
User name, temporary password, SAML token
A presigned url, secret access key, session token
Access key, secret access key, presigned url
Access key ID, secret access key, security token
Access key ID, secret access key, security token
GetFederationToken returns a set of temporary security credentials (consisting of an access key ID, a secret access key, and a security token) for a federated user.
Reference: https://docs.aws.amazon.com/STS/latest/APIReference/API_GetFederationToken.html
92
Which of the following can you achieve using Amazon Cognito?
Anonymous guest access to your web application
Federated access to your web application for Facebook users
Federated access to your web application for Active Directory using SAML
Self-service password resets for Facebook users
Anonymous guest access to your web application
Federated access to your web application for Facebook users
Federated access to your web application for Active Directory using SAML
Identity pools support anonymous guest users, as well as federation through third-party IdPs. You can leverage Amazon Cognito identity pools to handle unauthenticated users (users who do not authenticate with any identity provider), but instead access your app as a guest. For example, you can define a separate IAM role for these users to provide limited permissions to access your back-end resources.
Amazon Cognito provides authentication, authorization, and user management for your web and mobile apps. Your users can sign in directly with a user name and password, or through a third party such as Facebook, Amazon, or Google.
With Amazon Cognito, your users can sign-in through social identity providers such as Google, Facebook, and Amazon, and through enterprise identity providers such as Microsoft Active Directory using SAML.
93
Which of the following steps would you need to complete in order to configure Cross Region Replication where source and destination buckets are owned by different accounts?
The owner of the source bucket must grant the owner of the destination bucket permissions to replicate objects with a bucket policy AND the owner of the destination bucket must grant the owner of the source bucket permissions to replicate objects with a bucket policy.
The source and destination bucket must be owned by the same account otherwise Cross Region Replication will not work
The owner of the source bucket must grant the owner of the destination bucket permissions to replicate objects with a bucket policy.
The owner of the destination bucket must grant the owner of the source bucket permissions to replicate objects with a bucket policy.
The owner of the destination bucket must grant the owner of the source bucket permissions to replicate objects with a bucket policy.
94
To which of the following entities can you attach an IAM Policy?
S3 Buckets
IAM Groups
EC2 Instances
IAM Roles
IAM Groups
IAM Roles
You manage access in AWS by creating policies and attaching them to IAM identities (users, groups of users, or roles). A policy is an object in AWS that, when associated with an identity, defines their permissions. You can attach an IAM Policy to a user, group, or role. You can associate a role with an EC2 instance but you cannot attach an IAM Policy directly to the EC2 instance. You cannot attach policies to S3 buckets.
95
The AWS STS API supports which of the following methods of access?
```
Web Identity Federation
Cross Account Access
Azure AD Federation
Kubernetes Federation
Active Directory Federation
```
The AWS STS API AssumeRoleWithWebIdentity supports Web ID Federation.
The AWS STS API AssumeRole supports Cross Account Access.
The AWS STS API AssumeRoleWithSAML supports Azure AD Federation.
The AWS STS API AssumeRoleWithSAML supports Active Directory Federation. operations
