AWS Certified Developer Associate Flashcards

Question

Elastic Beanstalk: what are the different environments?

Answer 1

*environments (dedicated worker instance, load-balanced, autoscaled, etc.) web server environment: load-balanced, scalable: A load-balanced and scalable environment uses the Elastic Load Balancing and Amazon EC2 Auto Scaling services to provision the Amazon EC2 instances that are required for your deployed application single instance: contains one Amazon EC2 instance with an Elastic IP address. use a single-instance environment if you expect your production application to have low traffic or if you are doing remote development worker environment: run long-running tasks that a web back-end would be expected to run

Answer 2

HTTPS in Elastic Beanstalk you can use https in your elastic beanstalk environment by assigning a server certificate to your environments load balancer you can configure a proxy server behind your load balancer that runs on your instances to terminate https if you need https all the way up to your EC2 instances or are running a single instance environment you can also combine https terminated at the load balancer and https terminated at the instances for https end to end in a load balanced environment forcing https in a load balanced environment: open ports 443 and 80 on the load balancer, at the ssl cert to the load balancer, have the load balancer forward http and https traffic, have the instances redirect http traffic to https

Answer 3

cron.yaml: a file that can be defined in an EB worker environment to perform a set of repetitive tasks scheduled asynchronously env.yaml: environment manifest to configure the environment name, solution stack and environment links to use when creating your environment

Answer 4

Lifecycle Policies: Each time you upload a new version of your application with the Elastic Beanstalk console or the EB CLI, Elastic Beanstalk creates an application version. If you don't delete versions that you no longer use, you will eventually reach the application version limit and be unable to create new versions of that application You can avoid hitting the limit by applying an application version lifecycle policy to your applications. A lifecycle policy tells Elastic Beanstalk to delete old application versions or to delete application versions when the total number of versions for an application exceeds a specified number.

Answer 5

platforms Elastic Beanstalk provides managed platforms that support running web applications developed for specific programming languages, frameworks, and web containers. This includes platforms for running applications written in specific languages like Java, Go, or Python, or applications using certain technologies like Docker or Tomcat

Answer 6

cloud function invokation service

Answer 7

lambda layers zip file containing supplimentary code and data (custom runtime, library funtions, etc.) can only be used with functions deployed as zip archives changes pushed to layers create a new version of the layer. each new version is considered a new entity with a unique ARN zip file archive that contains supplementary code or data. Layers usually contain library dependencies, a custom runtime, or configuration files can have up to 5 layers each layer can be up to 250MB can be common to, shared by, and pushed to many different functions

Answer 8

function memory allocation: know that cpu power is allocated proportionally to memory allocation, know that increasing memory allocation can decrease runtime for workloads with significant CPU utilization

Answer 9

reserved concurrency: upper limit to the amount of instances of a function that can be running at a given time. free of charge provisioned concurrency: certain amount of pre-warmed, provisioned instances of the function that exists and are always ready to respond to invokations. incur additional cost concurrency scaling rate: Your concurrency scaling rate is 1,000 execution environment instances every 10 seconds per function Every 10 seconds, Lambda can allocate at most 1,000 additional execution environment instances to each of your functions. requests that outpace your concurrency return a 429 error using unreserved concurrency: You can reserve up to the Unreserved account concurrency value minus 100. The remaining 100 units of concurrency are for functions that aren't using reserved concurrency (functions that are using unreserved account concurrency). For example, if your account has a concurrency limit of 1,000, you cannot reserve all 1,000 units of concurrency to a single function. https://docs.aws.amazon.com/lambda/latest/dg/configuration-concurrency.html

Answer 10

logging events and getting access to them via cloudwatch logs Lambda automatically integrates with CloudWatch Logs and pushes all logs from your code to a CloudWatch Logs group associated with a Lambda function

Answer 11

environmental variables: You can use environment variables to adjust your function's behavior without updating code. An environment variable is a pair of strings that is stored in a function's version-specific configuration. The Lambda runtime makes environment variables available to your code and sets additional environment variables that contain information about the function and invocation request. predefined environmental variables are in ALL_CAPS_UNDERSCORE_NOTATION environmental variables are encrypted by default via AWS KMS keys (AWS managed KMS keys, by default) total size/amount of environmental variables in AWS Lambda (total size can't exceed 8KB, no limit to amount of variables)

Answer 12

/tmp directory: This is 512MB of temporary space you can use for your Lambda functions. configurable from 512MB and 10,240MB, 1MB resolution

Answer 13

event source mapping: An event source mapping is a Lambda resource that reads from an event source and invokes a Lambda function. You can use event source mappings to process items from a stream or queue in services that don't invoke Lambda functions directly. This page describes the services that Lambda provides event source mappings and how-to fine tune batching behavior. available for DynamoDB, Kinesis, MQ, apache Kafka, SQS, documentDB

Answer 14

timeout: max time the lambda function will run default 3 seconds ranges from 3 seconds to 15 minutes (1 second resolution)

Answer 15

running a lambda function in a VPC by default, lambda functions are not connected to VPCs. if you connect them to VPCs, the function cannot access the internet by default. Lambda offers hyperplane ENIs, which are managed resources that provide connectivity to the internet to lambdas in VPCs. configuring lambda to access private resources in a VPC: Lambda will set up one hyperplane ENI per resource you are accessing in the VPC. if a function needs the internet, you have to set up an internet gateway for traffic to get from the VPC out to the internet, because configuring an ENI for a lambda function prevents it from having access to the public internet (REGION lambda ---(--VPC--(--AZ--(--PRIVATE SUBNET--> ENI--> instance--)--(--PUBLIC SUBNET--> NAT GATEWAY--)--)--)--> INTERNET-GATEWAY ) The lambda must connect to an ENI in a private subnet, because you cannot get a public IP for the function to connect to you must get out of the VPC via a nat gateway that connnects to an internet getway. You must do this if you want internet connection you need the ec2:CreateNetworkInterface, ec2:DescribeNetworkInterface, ec2:DeleteNetworkInterface permissions, all included in the AWSLambdaVPCAccessExecutionRole managed policy

Answer 16

RDS proxy: You can connect a Lambda function to an Amazon Relational Database Service (Amazon RDS) database directly and through an Amazon RDS Proxy. Direct connections are useful in simple scenarios, and proxies are recommended for production.

Answer 17

EFS For Lambda: create a mount target for EFS in every AZ that your lambda function connects to ensure port 2049 is open on the security groups used by the function and mount targets an access point connects each instance of the function to the right mount target for the AZ it connects to for best performance, create an access point with a nonroot path and limit the amount of files you create in each directory

Answer 18

aliases an alias is a pointer to a function with a unique ARN aliases can only point to functions, not other aliases you can update an alias to point to a new version of a function you can use aliases in the mappings from events to functions that event sources like S3 maintain. when the function version changes, the mapping doesn't have to be updated you can configure aliases to send a certain degree of invokations it gets issued to one function it points to and the rest of the invokations it gets issued to a secondary function both functions must be published, the alias cannot point to $LATEST, and must have the same execution role (and deadletter queue configuration, if present)

Answer 19

versions: every time you publish changes to a lambda function, a new version is created. the latest version is unpublished, and referred to by the name $LATEST. function versions are immutable: you cannot change them once published a function version is composed of: the function code, dependencies, runtime identifier, runtime version, function settings, environmental variables, and a unique ARN the version of a function can optionally be placed after the ARN of the function (this is referred to as a qualified ARN): ARN of version 42 of the helloworld function: arn:aws:lambda:aws-region:acct-id:function:helloworld:42 the unqualified ARN implicitely points to the $LATEST version you cannot create an alias with this version supports blue/green and rolling deployments

Answer 20

permissions you can grant permissions to a function with resource based and identity based policies the scope of the permission depends on if you grand permissions to a function, alias, or version of the function

Answer 21

deploying code to lambda you upload code to lambda in a deployment package, of either a zip archive or container image type code must be packaged into a deployment package whether it is uploaded via the lambda console or a toolkit, Lambda API, command line tools, or the AWS SDKs you cannot change the deployment package type of a function

Answer 22

zip archives Lambda functions with function code written in a scripting language, the deployment package must be less than 3MB in size, and has no library dependencies can be edited in the embedded code editor other code must be uploaded in a zip archive. if the zip archive is less than 50MB in size, it can be uploaded from your local machine, else, it has to be uploaded via an S3 bucket unzipped size cannot exceed 250MB, including layers and extensions

Answer 23

container images max uncompressed size: 10GB you can invoke functions in container images during the pending state, however, other function operations may fail during pending, the function is optimized. if the function isn't invoked for multiple weeks, the functoin state moves to inactive, and the optimized version is reclaimed does not support layers creating a function from a container image build the image locally upload to ECR specify the repository URL when you create the function (you can create a function using an image from a different account as long as it is in the same region as the function) base image types: AWS base image: a runtime runtime interface client (to manage interaction between lambda and your function code) and a runtime interface emulator (for local testing) AWS OS-only base image: Amazon Linux disto and a runtime interface emulator (for local testing) commonly used to create images for compiled language (Go, Rust, etc.), or for a language that Lambda doesn't provide a runtime for. not pre-loaded with a runtime interface client (hence the name) you must include a runtime interface client non-AWS base image: base image made from another container registry (alpine linux, debian, etc.) lambda container images: Lambda does not support functions that use multi-architecture container images the container must implement the Lambda runtime api supports only linux-based container images

Answer 24

runtimes how lambda supports multiple languages each language has its own runtime and unique runtime identifier for container images, you choose the runtime when you create the image for zip archives you choose the archive when you make the function

Answer 25

test events a test event is a json input to your function private: Private test events are available only to the event creator, and they require no additional permissions to use. You can create and save up to 10 private test events per function. sharable: Shareable test events are test events that you can share with other users in the same AWS account.

Answer 26

sychronous invokation when you invoke a lambda function synchronously, lambda starts the function and then waits for the result, blocking as it waits asyncronous invokation (X-Amz-Invocation-Type: Event) many services invoke lambda functions asynchronously. in this case, lambda queues the invokation request(s) before sending them to the function Lambda retries function errors twice. If the function doesn't have enough capacity to handle all incoming requests, events might wait in the queue for hours or days to be sent to the function. You can configure a dead-letter queue on the function to capture events that weren't successfully processed. Async invokations support failed requests being sent to a dead-letter queue (SNS topic or SQS queue) that receives events for troubleshooting or reprocessing

Answer 27

event filtering You can use event filtering to control which records from a stream or queue Lambda sends to your function available for available for DynamoDB, Kinesis, MQ, apache Kafka, SQS, documentDB can have up to 5 filters on a single event source mapping. multiple filters are local ORed together by default

Answer 28

function states pending: function state after function is created creates resources for the function like VPC resources or EFS resources any invokatoins during this state will fail active: function state after function is created successfully functions can only be successfully invoked in this state failed: resource configuration or provisioning encountered an error inactive: the function has been idle long enough for lambda to reclaim the the external resources that were configured for it on invokation, functions in this state are set to the pending state. If resources are failed to be created after being in this state, the state is set to inactive again (states of the "LastStatusUpdate" attribute) InProgress: An update is happening on an existing function. While a function update is in progress, invocations go to the function’s previous code and configuration. Successful: The update has completed. Once Lambda finishes the update, this stays set until a further update. Failed: The function update has failed. Lambda aborts the update and the function’s previous code and configuration remain available.

Answer 29

errors invokation error: error occures before function receives invokation request function error: error occures in the function code or runtime returns an error when manually invoking a function, Lambda does not automatically retry these types of errors on your behalf. To retry, you can manually re-invoke your function, send the failed event to a queue for debugging, or ignore the error.

Answer 30

recursive loop detection allows lambda to detect certain types of recursive loops that invoke your functions in your serverless architecture can stop the function and notify you

Answer 31

lambda function URL dedicated HTTP(S) endpoint for your Lambda function. automatically created for you when you create your function https://.lambda-url..on.aws can be used to invoke your function use resource-based policies for security send a get request to the function to invoke it can monitor url actions with cloudwatch logs

Answer 32

code signing checks each deployment of code to your lambda function and verifies that it comes from a trusted source not supported for container images

Answer 33

tags free-form key-value pairs useful for implementing ABAC. applied at the function level, not the alias or version requires the Lambda:ListTags and Lambda:TagResource permissions

Answer 34

access permissions execution role: defines the permissions that your function needs to access other AWS services and resources. At a minimum, your function needs access to Amazon CloudWatch Logs for log streaming. If your function calls other service APIs with the AWS SDK, you must include the necessary permissions in the execution role's policy. Lambda also uses the execution role to get permission to read from event sources when you use an event source mapping to invoke your function. resource based policies are used to determine who can access Lambda resources (functions, layers, aliases, and versions) if a user tries to access a lambda resource, Lambda considers both the user's identity-based policies and the resource's resource-based policy. When an AWS service calls your Lambda function, Lambda considers only the resource-based policy.

Answer 35

Lambda ARN format Function – arn:aws:lambda:us-west-2:123456789012:function:my-function Function version – arn:aws:lambda:us-west-2:123456789012:function:my-function:1 Function alias – arn:aws:lambda:us-west-2:123456789012:function:my-function:TEST Event source mapping – arn:aws:lambda:us-west-2:123456789012:event-source-mapping:fa123456-14a1-4fd2-9fec-83de64ad683de6d47 Layer – arn:aws:lambda:us-west-2:123456789012:layer:my-layer Layer version – arn:aws:lambda:us-west-2:123456789012:layer:my-layer:1

Answer 36

Data protection do not put sensative information onto a tag or free-form text field like a name field if you provide a url to an external server, do not include credencials information in the url to validate your request to that server lambda only supports secure connections over https governance can be acheived using AWS CloudFormation Gaurd and AWS Config code signing can be configured with AWS Signer

Answer 37

function monitoring lambda is automatically integrated with cloudwatch (as long as the functions execution role has the necessary permissions). It automatically reports metrics in 1 minute intervals cloudwatch, and shows metrics on the monitoring console this integration is free, but you can implement custom high-resolution metrics, to which charges apply error, performance, and concurrency, and asyncronous invokation metrics are all available

Answer 38

Lambda Insights tool to help analyze and identify problems in your lambda microservice architecture lambda insights uses the cloudwatch lambda insights extension, implemented as a lambda layer. you are charged for the metrics is collects and sends to cloudwatch layer content is extracted to the /opt directory of the function

Answer 39

extensions you are charged for execution of an extension in 1ms increments internal extensions: run as part of the runtime process, accessed via wrapper functions or in-process mechanisms external extensions: run as a separate process from the execution environment an continuous to run even after the function invokation fully processes can be written in a language that differs from the runtime, becuase it runs separately from the runtime

Answer 40

execution environment: the environment in which the lambda function executes. execution can be sped up by moving any work done out of the function code and into the execution context. the execution context is re-used between executions extensions contribute to package size limit extensions must complete initialization before the function can execute, thereby contibuting to startup time, and they also can impact performance because they share CPU, memory, and storage resources with the function permissions are also shared between the function and extension secure and isolated runtime environment that manages function resources and provides lifecycle support lifecycle phases: Init: unfreezes or creates the execution environment, downloads the function code and all layers, initializes extensions, initializes runtime, and runs the functions initialization code (the code outside the main handler) occures during the first invokation (or in advanced if provisioned concurrency is enabled) 3 sub-phases: extension init, runtime init, and function init Restore (SnapStart only): lambda resumes new execution environment from the persisted snapshot instead of initializing a new environment from scratch Invoke: lambda invokes the function handler shutdown: lambda triggers a shutdown if functions haven't been invoked for a long time the runtime is shut down and the environment is removed

Answer 41

troubleshooting general: permission is denied / cannot load such file: chmod 755 [filepath] on the code RequestEntityTooLargeException when calling updateFunction: zip file size is limited to 50MB when uploading directly to lambda (use S3 bucket to get around this) PermanentRedirect. S3 Error Message: The bucket is in this region...: must upload from the same region the function is in

Answer 42

rolling deployment Use rolling deployments to control the risks associated with introducing new versions of your Lambda function. In a rolling deployment, the system automatically deploys the new version of the function and gradually sends an increasing amount of traffic to the new version.

Answer 43

SnapStart Lambda initializes your function when you publish a function version, then it takes a snapshot of the memory and disk state of the initialized execution environment, encrypts the snapshot, and caches it for low-latency access must be a java runtime, and the function must be published

Answer 44

initialization outside of handler function: initialize the sdk or other reusable assets outside of the handler function. subsequint invokations can reuse this initialization if it is outside the handler function

Answer 45

Serverless Application Model (SAM) features templates, an extension of cloudformation, for defining serverless applications Also use the AWS SAM CLI *meaning of "Transform: 'AWS::Serverless-2016-10-31'": know that this means the cloudformation template is a SAM template *serverless resources types in 'Resources' tag: (AWS::Serverless::Api, AWS::Serverless::Application, AWS::Serverless::Function, AWS::Serverless::HttpApi, AWS::Serverless::LayerVersion, AWS::Serverless::SimpleTable, AWS::Serverless::StateMachine) 'sam deploy' zips the underlying cloudformation template and uploads it to S3, and deploys your application to the AWS cloud sam build builds the application to be ready to deploy with sam deploy

Answer 46

ECR fully-managed cloud docker image repo deploy, store, and manage docker images

Answer 47

Copilot command line tool for deploying, releasing, and operating containerized applications

Answer 48

EKS fully-managed kubernetes containerized application orchestration cloud service

Answer 49

ECS fully-managed containerized application orchestration cloud service *what happens to a container instance when it is terminated in a [insert state here] state? a container that is terminated in a stopped state isn't automatically removed from the cluster, you must deregister the cluster using the console or CLI if it is to no longer appear as a resource */etc/ecs/ecs.config where ECS configuration variables are stored on Linux variants of the Amazon ECS-optimized AMI

Answer 50

Aurora MySQL and PostgreSQL cloud database service, fully managed and serverless via RDS features automatic scaling and replications, up to 15 low-latency read replicas, point-in-time recovery, continuous backup to Amazon S3, etc

Answer 51

DynamoDB cloud key/value document database

Answer 52

partitioning keys, LSIs, and GSIs partitioning key: primary key: the piece of data that gets sent through a hashing algorithm that determines the partition a piece of data should exist on when being added to the table sort key: an optional secondary key used to sort the items in their partition global secondary index (GSIs): both the partition key and sort key can be different than on the base table no size limitations can include data from anywhere in the base table has its own provisioned throughput settings local secondary indices (LSIs): same partition key as base table, different sort key total size of indexed items for any one partition key value can't exceed 10 GB scoped to a base table partition that has the same partition key value shares provisioned throughput settings for read and write activity with the table it is indexing cannot have RCUs or WCUs allocated to it directly

Answer 53

DynamoDB table TTL cost-effective method for deleting items that are no longer relevant define a per-item expiration timestamp that deletes the item when it expires

Answer 54

on-demand/point in time backup methods, and do you have access to the backups that result? point in time recovery (PITR): dynamoDB automatically backs up table data backups retained for a fixed 35 day period on-demand backups: retained forever, even after the table is deleted

Answer 55

*transactions dynamoDB transactions allow you to carry out all-or-nothing database operations that can roll back if they fail

Answer 56

conditional writes: DynamoDB optionally supports conditional writes for write operations (PutItem, UpdateItem, DeleteItem). A conditional write succeeds only if the item attributes meet one or more expected conditions. Otherwise, it returns an error

Answer 57

calculating WCUs, strongly consistent RCUs, eventually consistent RCUs Strong RCUs = (s / 4)*n, where s = size of data, rounded up to nearest 4. n = number of reads. Eventual RCUs = round((s / 4)*n/2), where s = size of data, rounded up to nearest 4. n = number of reads. round(f) rounds f to the nearest whole WCU = s*n

Answer 58

*ConsistentRead=[true, false] option sets dynamodb to use strongly consistent reads

Answer 59

DynamoDB Streams: captures a time-ordered sequence of item-level modifications in any DynamoDB table and stores this information in a log for up to 24 hours Applications can access this log and view the data items as they appeared before and after they were modified, in near-real time

Answer 60

Query vs scan Query: Can only be used if you can create indices find items in a table based on primary keys. allows you to query a table filter expression: determines which items within the Query results should be returned to you. applied after Query finishes, but before the results are returned. Scan: scan through all items and return one or more via filters parallel scan: scans that run in parallel in independent worker threads, each on their own partition of the table to be avoided when possible, due to inefficiencies (much less efficient than queries. a large table can use up all your provisioned throughput in a single scan)

Answer 61

encryption: by default, all data in dynamodb is encrypted at rest using KMS When creating a new table, you can choose one of the following AWS KMS key types to encrypt your table. You can switch between these key types at any time. AWS owned key – Default encryption type. The key is owned by DynamoDB (no additional charge). AWS managed key – The key is stored in your account and is managed by AWS KMS (AWS KMS charges apply). Customer managed key – The key is stored in your account and is created, owned, and managed by you. You have full control over the KMS key (AWS KMS charges apply).

Answer 62

Locking Optimistic Locking: no lock is aquired before an entity is accessed. after a modification is made, a check is run to see if the entity has been modified by someone else. if not, the write is completed. else, the modification is abandoned and restarted Pessimistic Locking: a lock is aquirred to write a resource Overly Optimistic Locking: it is assumed that no read/write collision will occure, so no effort is made to detect or prevent it

Answer 63

atomic counters You can use the UpdateItem operation to implement an atomic counter—a numeric attribute that is incremented, unconditionally, without interfering with other write requests. can be used to approximate the number of visitors on a website, for example can be subject to overcounting or undercounting

Answer 64

ElastiCache web application cache service supports redis or memcached in-memory caching engines choosing redis vs memcached for caching

Answer 65

memcached: Is object caching your primary goal, for example to offload your database? If so, use Memcached. Are you interested in as simple a caching model as possible? If so, use Memcached. Are you planning on running large cache nodes, and require multithreaded performance with utilization of multiple cores? If so, use Memcached. Do you want the ability to scale your cache horizontally as you grow? If so, use Memcached. redis: Are you looking for more advanced data types, such as lists, hashes, bit arrays, HyperLogLogs, and sets? If so, use Redis. Does sorting and ranking datasets in memory help you, such as with leaderboards? If so, use Redis. Are publish and subscribe (pub/sub) capabilities of use to your application? If so, use Redis. Is persistence of your key store important? If so, use Redis. Do you want to run in multiple AWS Availability Zones (Multi-AZ) with failover? If so, use Redis. Is geospatial support important to your applications? If so, use Redis. Is encryption and compliance to standards, such as PCI DSS, HIPAA, and FedRAMP, required for your business? If so, use Redis.

Answer 66

ElastiCache use cases Your data is slow or expensive to get when compared to cache retrieval. Users access your data often. Your data stays relatively the same, or if it changes quickly staleness is not a large issue.

Answer 67

redis replication: used for read-intensive workloads cluster mode: enabled: data partitioned across up to 500 shards cluster can contain up to 500 shards all nodes must reside in the same region you cannot manually promote any nodes to primary disabled: cluster contains only a single shard this shard has one primary read/write node and 0-5 replica nodes all nodes reside in the same region

Answer 68

caching strategies: lazy loading: your application always requests data from the cache and only loads it into cache from the data store when the data is expired or not present this avoids filling the cache with data that is never requested when a cache node fails and is replaced by a new node the application continues to function, it will just have increased latency until it builds back the cache a cache miss results in 3 trips: original request from the cache, subsiquent request to the data store, and final write to the cache data is only updated on a cache miss and therefor it can become stale write-through: data is added/updated in the cache whenever is is written in the database cache data is never stale every write does involve 2 trips (a write to the cache and database) however, users are more likely to tolerate writes taking longer missing data: new cache nodes have missing data, which continues to be missing uptil its added or updated on the database cache churn: most data is never read, so writing it to the cache wastes resources

Answer 69

TTL: time to live: set data to expire after a set time to limit data staleness

Answer 70

MemoryDB for Redis caching layer for a redis database

Answer 71

RDS Relational database service in the cloud supports Amazon Aurora, PostgreSQL, MySQL, MariaDB, Oracle Database, and SQL Server engines

Answer 72

*read replicas on RDS A read replica is a read-only copy of a DB instance. You can reduce the load on your primary DB instance by routing queries from your applications to the read replica. In this way, you can elastically scale out beyond the capacity constraints of a single DB instance for read-heavy database workloads. read-only copy of a DB instance allows you to run multiple read-only copies of your database intended to improve performance of your primary (read/write) database must have auto backups enabled up to 5 replicas of a database possible, each with their own DNS endpoint can be multi-AZ or multi-region can have replicas of replicas replicas can be promoted to a master databases (which, necessarily, breaks replication) read replicas do not feature auto failover, a url being used to reference a master must be changed manually to point at a read replica if the master fails make it easy to take advantage of supported engines' built-in replication functionality to elastically scale out beyond the capacity constraints of a single DB instance for read-heavy database workloads. *cross-region read replicas Improve your disaster recovery capabilities. Scale read operations into an AWS Region closer to your users. Make it easier to migrate from a data center in one AWS Region to a data center in another AWS Region.

Answer 73

*automatic back up feature RDS has an automated backups feature, enabled by setting the backup retention period setting to a nonzero positive value your instance is taken offline to conduct a backup

Answer 74

Storage Autoscaling when Amazon RDS detects that you are running out of free database space it automatically scales up your storage activates when the following factors apply: Free available space is less than 10 percent of the allocated storage. The low-storage condition lasts at least five minutes. At least six hours have passed since the last storage modification.

Answer 75

Amplify manages/provisions mobile app backend provides a mobile application framework to easily integrate application with IOS, Android, React Native, Web, etc. automates application release for frontend and backend

Answer 76

Cloud9 web-based cloud IDE with terminal, debugger, and editor

Answer 77

CloudShell web-based cloud shell

Answer 78

CodeArtifact cloud software package store can automatically get latest versions of packages works with commonly used package managers and build tools like Maven, Gradle, npm, yarn, twine, pip, and NuGet

Answer 79

CodeBuild fully managed service that builds code and runs tests no need to provision a build or test suite can use default build environments or create your own *codeBuilt timeouts if a build is waiting in the queue and doesn't get picked by by codebuild for a specific timeout value, it is removed from the queue *bundling things in the source code during the build stage if deployment is taking a long time due to resolving dependencies, bundle them with the source code during the build stage if the build stage is taking a long time, cache the dependencies with S3 *Cloudwatch logs/save to S3 integration you enabled s3 and cloudwatch logs integration to get build logs from codebuild to s3 *know that codebuild scales automatically and that nothing has to be done for scaling or parallel builds output is usually to S3 rolls back deployments by deploying the latest previous working version of the application encrypting outputs: CodeBuild can be pointed to an AWS KMS customer master key to encrypt output CODEBUILD_KMS_KEY_ID: The identifier of the AWS KMS key that CodeBuild is using to encrypt the build output artifact

Answer 80

CodeCommit cloud git repo hosting closely integrated with aws cloud suite, compliant with standards like HIPAA, and features fully-managed infrastructure *supported IAM credencial types git credentials, SSH keys, and AWS access keys can all be used as valid IAM credential types *know that IAM access key and IAM user passwords do not need to be created by a root user *what happens when both an explicit deny and explicit allow rule are set any explicit deny takes president over an explicit allow the simplest way to connect to codeCommit, and the one aws recommends, is to connect with git credencials generated by the IAM console for an HTTPS connection automatically encrypted at rest and in transit

Answer 81

CodeDeploy automates code deployments to EC2 instances (if codedeploy agent is installed there), Lambda (cannot do in-place deployment), ECS, and on-prem instances communicates over https on port 443 BeforeInstall – Use to run tasks before the replacement task set is created. One target group is associated with the original task set. If an optional test listener is specified, it is associated with the original task set. A rollback is not possible at this point. AfterInstall – Use to run tasks after the replacement task set is created and one of the target groups is associated with it. If an optional test listener is specified, it is associated with the original task set. The results of a hook function at this lifecycle event can trigger a rollback. AfterAllowTestTraffic – Use to run tasks after the test listener serves traffic to the replacement task set. The results of a hook function at this point can trigger a rollback. BeforeAllowTraffic – Use to run tasks after the second target group is associated with the replacement task set, but before traffic is shifted to the replacement task set. The results of a hook function at this lifecycle event can trigger a rollback. AfterAllowTraffic – Use to run tasks after the second target group serves traffic to the replacement task set. The results of a hook function at this lifecycle event can trigger a rollback. *appspec.yml application steps: Application Stop -> Before Install -> Application Start -> ValidateService ***events in stars cannot be scripted*** without classic load balancer: start -> applicationStop -> *DownloadBundle* -> beforeInstall -> *install* -> afterInstall -> applicationStart -> validateService -> *end* with classic load balancer: start -> beforeBlockTraffic -> *BlockTraffic* -> afterBlockTraffic -> applicationStop -> *DownloadBundle* -> beforeInstall -> *install* -> afterInstall -> applicationStart -> validateService -> beforeAllowTraffic -> *allowTraffic* -> afterAllowTraffic -> *end*

Answer 82

fully managed message queueing service

Answer 83

message retention period: from 60 seconds to 14 days (default 4 days)

Answer 84

DeleteQueue, RemoveQueue, RemovePermission, PurgeQueue api calls: DeleteQueue: Deletes the queue specified by the QueueUrl, regardless of the queue's contents RemovePermission: Revokes any permissions in the queue policy that matches the specified Label parameter PurgeQueue: Deletes available messages in a queue (including in-flight messages) specified by the QueueURL parameter CreateQueue: creates a new standard or FIFO queue (defaults to standard). can't change the queue type after creating it. visibility timeout default is 30 seconds

Answer 85

backlog per instance variables backlog per instance: used instead of ApproximateNumberOfMessagesVisible as a metric for an EC2 AG autoscaling metric

Answer 86

limit to the amount of messages in an SQS queue: the message capacity in an sqs queue is unlimited

Answer 87

Delay queues: let you postpone the delivery of new messages to consumers for a number of seconds. can delay from 0-15 minutes (DelaySeconds parameter). useful when a consumer needs additional time to process messages defaults to 0 seconds delay, can be set up to 15 seconds messages are hidden when they are first added to the queue for standard queues, changing the delay timeout is not retroactive on the delay of previously added messages for FIFO queues, changing the delay timeout is retroactive on the delay of previously added messages message timers can be used to set the delay on individual messages independently of the rest of the queue can be 0 (default)-15 minutes The default (minimum) delay for a queue is 0 seconds. The maximum is 15 minutes.

Answer 88

Dead-Letter Queues: where other queues can send their messages after messages are processed unsuccessfully. useful for debugging messages sent here by a source queue once the application is debugged, you can move the messages back to the source queue with the redrive capability the MaxReceiveCount variable specifies the amount of times a consumer tries to receive a message before it is moved to the dead letter queue standard queues process a message until either it is processed successfully or a retention timeout expires. it would be better to move failing messages to a DLQ FIFO queues provide exactly-once processing by consuming messages in sequence from a message group. if a message fails, the entire message group is unavailable until the message processes successfully or is moved to a DLQ DLQs decrease the posibility of poison pill messages. use them in standard queues, unless you want to be able to retransmit a message indefinitely Don't use a DLQ with a FIFO queue if you cant want to break the exact ordering of messages redrive using redrive with a DLQ does bill the aws account that the SendMessageBatch, ReceiveMessage, and DeleteMessageBatch are made on behalf of, but reduces spend by batching messages. The source queue need not be the queue the messages are redriven to. the messages can be redriven to any queue whose type is that same as the source queue.

Answer 89

FIFO Queues: high (but limited) throughput, messages sent exactly once, and ordering is exact (single-lane highway) max 20,000 in flight messages

Answer 90

Standard Queues: unlimited throughput, messages sent are delivered at least once, and ordering is best-effort (many-lane highway) max 120,000 in flight messages

Answer 91

*long polling vs short polling long polling: SQS returns the messages queried, or waits until messages appear in the queue if no messages are present (this is almost always preferable as is reduces calls to query the queue) max wait time 20 seconds short polling: SQS returns the messages queries, or return automatically if no messages are present (this can easily exceed throughput) Long polling wait time: The maximum long polling wait time is 20 seconds.

Answer 92

sqs message size limit: 256kb *sending a message larger than 256kb must use the sqs extended client for java

Answer 93

SQS KMS: allows messages sent to SQS to be encrypted, with a key managed by AWS KMS EventBridge integrates with SQS queues encryption (SSE enabled by default): SSE-SQS: free AES-256 encryption using sqs managed keys SSE-KMS: encryption using KMS keys

Answer 94

messages can be sent to a queue, and after that, can be either deleted or received. You can't say which message you want to receive, but you can say how many at a time, up to 10. You must receive a message before deleting it after you receive a message, you get a unique receive handle, which you use when you delete the message (max length 1024 characters) after a message is sent, you cannot recall it message deduplication ID: if a message with deduplication id x is send successfully, not other messages with deduplication id x are send within the 5 minute deduplication window

Answer 95

behind the scenes, sqs stores queue data in partitions, replicated across availability zones a hash function is used to determine what partition the message is stored on each partition support 3000 messages/second with batching (300 messages/second for send/receive/delete in supported regions)

Answer 96

message states 1. sent to a queue 2. received from a queue 3. deleted from a queue a messages is considered stored when it is in between statest 1 and 2 (no quota for this) a message is considered in-flight between stages 2 and 3 (max 120,000 for standard queues, 20,000 for FIFO queues)

Answer 97

visibility timeout 0-12 hours (default 30 seconds) period of time after a messages is received, during which, other consumers cannot receive it begins when a message is returned a special visibility timeout for the returned message can also be set without changing the entire queues timeout ChangeMessageVisibility changes the timeout of the message that has been received from the default timeout to a specific paramater passed as argument

Answer 98

message attributes up to 10 optional pieces of structured metadata you can add to messages for use by services like X-Ray. name up to 256 characters, [a-zA-Z0-9-_.], case sensative cannot start or end with a '.', contain two or more '.' in sequence, or start with 'AWS.' or 'Amazon.' type can be: 'String' (value of attribute can be any unicode text) 'Number'(value of attribute can be up to 38 digits of precision between 10^-128 and 10^+126) 'Binary' (value of attribute can be any binary data), and you can add custom information: 256 case-sensative characters (value of attribute could be Number[.custom value]. ex: Number.byte, Number.short, and Number.float or Binary.gif, Binary.png) value for string type, the restrictions on the attribute are the same as on the message body

Answer 99

save time and development cost when using common messaging constructs like request/response Temporary queue client creates temporary queues called virtual queues can be created or deleted with no additional cost, and are API-compatible with normal SQS queues created on top of a normal "host" SQS queue (https://sqs.us-east-2.amazonaws.com/123456789012/MyQueue#MyVirtualQueueName) make sure you clean up after the temporary queue client so that SQS can reclaim any resources used by virtual queues by calling the shutdown() method

Answer 100

SQS ABAC ABAC for Amazon SQS requires fewer permissions policies. You don't have to create different policies for different job functions. You can use resource and request tags that apply to more than one queue, which reduces operational overhead. Use ABAC to scale teams quickly. Permissions for new resources are automatically granted based on tags when resources are appropriately tagged during their creation. Use permissions on the IAM principal to restrict resource access. You can create tags for the IAM principal and use them to restrict access to specific actions that match the tags on the IAM principal. This helps you to automate the process of granting request permissions. Track who's accessing your resources. You can determine the identity of a session by looking at user attributes in AWS CloudTrail.

Answer 101

figures to memorize message retention period: 60 seconds-14 days (default 4 days) in flight messages for FIFO and standard queues: 20,000 (FIFO) 120,000 (standard) visibility timeout: 0-12 hours (default 30 seconds) max message size: 256KB (up to 2GB with java SQS extended library client) max long polling wait: 20 seconds delay queue timeouts: 0 (default)-15 minutes max amount of messages receivable from a queue at once: 10 messages default tag per second per account: 30TPS

Answer 102

access management: there is only one resource in sqs: the queue the aws account that the queue exists in owns the queue, regardless of who creates the queue. access management can be acheived with either IAM or SQS policies

Answer 103

Logging/monitoring cloudtrail is integrated with sqs and enabled by default. By default it logs management event API actions in sqs data events are not logged by default. Data events provide information about the resource operations performed on or in a resource, such as sending or receiving an Amazon SQS message to and from an Amazon SQS queue. cloudwatch metrics are integrated and enabled by default in sqs. Metrics are pushed to cloudwatch in 1 minute intervals for active queues (any queue that contains messages or has had any action performed on it in the last 6 hours). use get-metric-statistics to access the logs in the API/CLI

Answer 104

resilience messages are automatically replicated across distributed sqs servers to provide resiliency

Answer 105

security best practices PUBLIC: make sure queues aren't publically accessible IAM ROLES implement least priviledge access, use IAM roles for access ENCRYPTION: implement server side encryption and enforce encryption of data in transit VPC: consider using VPC endpoints to access sqs if queues needn't be exposed to the internet

Answer 106

sqs endpoints to work with sqs queues, requests have to be made to sqs endpoints

Answer 107

subscribing to SNS topic: you can subscribe one or more sqs queues to an sns topic. the notifications are delivered to the queue using https

Answer 108

triggering lambda function: you can configure a lambda function to process a received message from a queue synchronously. set the visibility timeout of the message to be at least 6x the timeout that you configure on your function. messages unprocessed by the function can go to a dead-letter queue lambda functions may need to be given decrypt permissions to process messages on encrypted queues the queue and function must be in the same region

Answer 109

serverless aws service for creating and managing http based and websocket based web apis

Answer 110

api gateway is integrated with: CloudTrail: logging and monitoring usage/api changes CloudWatch: access/execution logging CloudFormation: templated api deployment AWS X-Ray: understanding/triaging performance latencies AWS WAF: protection from common web exploits

Answer 111

choosing between http and rest apis: TLDR: http apis are cheaper with less features, rest apis are more expensive with more features Choose REST APIs if you need features such as API keys, per-client throttling, request validation, AWS WAF integration, or private API endpoints. http and rest apis both feature regional endpoints, but in rest apis they are also edge-optimized and private http and rest apis both have mutual TLS authentication, but rest apis also support WAF and certificates for backend authentication http apis support authentication via IAM, JWT, lambda authorizer, and cognito (via JWT authorizer) rest apis support authenticatoin through IAM, resource policies, cognito, and lambda authorization http apis and rest apis both support custom domains, but rest apis also support API keys, per-client rate limiting, and per-client usage throttling REST API FEATURES: CORS configuration, Test invocations, Caching, User-controlled deployments, Custom gateway responses, Canary release deployments, Request validation, Request parameter transformation, and Request body transformation HTTP API FEATURES: CORS configuration, User-controlled deployments, Automatic deployments, Request parameter transformation

Answer 112

stage: a named reference to a deployment stage variables: name-value pairs associated with a stage not intended for sensative data example: example.com api stage variable: backend_url, db_table prod api stage backend_url = https://prod.example.com db_table = dynamodb_main_table_prod beta api stage backend_url = https://beta.example.com db_table = dynamodb_main_table_beta stage variables can also be passed in mapping templates to lambda functions, where they can point the function to different resources depending on the stage of the api

Answer 113

endpoint types: edge-optimized (default): typically routes requests to the nearest CloudFront Point of Presence (POP), which could help in cases where your clients are geographically distributed. regional: intended for clients in the same region. reduces connection overhead when an EC2 instance in the same region as the endpoint calls the api or when serving a small number of clients with high demands regional apis can support the same custom domain name in different regions private: an endpoint that can only be accessed in a VPC via an ENI called an interface VPC endpoint changing endpoint type: any endpoint type can be changed to any other endpoint type, with the exception that you cannot change from a private to an edge-optimized endpoint type some changes may involve changes in the behavior of the api (an edge-optimized API removes the Content-MD5 header).

Answer 114

mapping template: template written in VTL that is written to transform the payload from the method request to a format that the backend can understand when it is sent in the integration request it also can transform the payload send in the integration response to a format that the client can understand when it is sent back in the method response client ----(method request)----> API GATEWAY (mapping template transforms payload) ----(integration request)----> backend client <----(method response)---- API GATEWAY (mapping template transforms payload) <----(integration response)---- backend

Answer 115

api gateway authentication resource policies: policies you attach to an api to control whether specific users, IP address ranges, or VPCs/VPC endpoints can invoke the API IAM: policies that give users, groups, or roles permission to manage or invoke the API VPC endpoint policies: an IAM resource policy that you can attach to an interface VPC endpoint to control access to the endpoint. tags lambda authorizer: lambda function that takes in the identity of the caller as argument and returns the IAM policy as output amazon cognito user pool

Answer 116

when integrating a lambda function into api gateway, you must choose a timeout value between 50-29000 milliseconds

Answer 117

integration types integration types change based on the type of data coming from the backend of the API AWS: lets the api expose aws service actions AWS_PROXY: lets the API method be integrated with the lambda function invokation method HTTP: lets you expose http endpoints as a backend HTTP_PROXY: allows a client to access the backend HTTP endpoints with a streamlined integration setup on single API method. You do not set the integration request or the integration response. MOCK: allows api gateway to return a response without sending an integration request to a backend

Answer 118

configuring a usage plan: Create one or more APIs, configure the methods to require an API key, and deploy the APIs to stages. Generate or import API keys for users of the API. Create the usage plan with the desired throttle and quota limits. Associate API stages and API keys with the usage plan. Callers of the API must supply an assigned API key in the x-api-key header in requests to the API.

Answer 119

when allowing only authorized users to access the cache, you must check the "Require Authorization" checkbox

Answer 120

Errors and their meanings ACCESS DENIED 403: auth failure API_CONFIGURATION_ERROR 500: config error (invalid endpoint address, base64 decode failure, template mapping failure) AUTHORIZER_CONFIGURATION_ERROR 500: failed to connection to cognito/custom authorizer AUTHORIZER_FAILURE 500: cognito/custom authorizer failed to authenticate BAD_REQUEST_PARAMETERS 400: the request parameter cannot be validated BAD_REQUEST_BODY 400: request body cannot be validated DEFAULT_4XX Null and DEFAULT_5XX Null are reserved for unspecified errors EXPIRED_TOKEN 403: AWS authentication token expired error INTEGRATION_FAILURE 504: integration failed error INTEGRATION_TIMEOUT 504: an integration timed out error INVALID_API_KEY 403: invalid API key submitted for a method requiring an API key INVALID_SIGNATURE 403: The gateway response for an invalid AWS signature error. MISSING_AUTHENTICATION_TOKEN 403: The gateway response for a missing authentication token error QUOTA_EXCEEDED 429: usage plan quota exceeded error. REQUEST_TOO_LARGE 413: The gateway response for the request too large error. RESOURCE_NOT_FOUND 404: The gateway response when API Gateway cannot find the specified resource THROTTLED 429: The gateway response when usage plan-, method-, stage-, or account-level throttling limits exceeded. UNAUTHORIZED 401: The gateway response when the custom or Amazon Cognito authorizer failed to authenticate the caller. UNSUPPORTED_MEDIA_TYPE 415: The gateway response when a payload is of an unsupported media type, if strict passthrough behavior is enabled. WAF_FILTERED 403: The gateway response when a request is blocked by AWS WAF. Lambda proxy integration: 502 Bad Gateway error cause: the response from the backend is not json (need a mapping template)

Answer 121

environmental variables used to facilitate xray tracing in lambda: AWS_XRAY_CONTEXT_MISSING and _X_AMZN_TRACE_ID

Answer 122

key pairs: used for secure login to in EC2 instance. AWS stores the public key, you store the private key

Answer 123

instance store volumes: temporary storage volumes. deleted when you stop, hybernate, or terminate your instance

Answer 124

free tier: available within 12 months of creating the aws account, as long as free tier benefits haven't already been exceeded

Answer 125

launch permissions: says who can launch an instance from an AMI: public: anyone can launch an instance explicit: the owner of the AMI grants specific aws account permissions to launch the AMI implicit: only the owner can launch from the AMI

Answer 126

EBS vs instance store backed storage EBS: boot time: <1 minute size limit of root device: 64TiB persistance: data on root volume terminates but persists on other volumes modifications: instance type, kernal, RAM disk, user data changable when instance is stopped charges: charged for instance usage, EBS storage, and AMI image storage in S3 AMI creation/bundling: uses a single command/call stopped state: can be in stopped state. root volume is persisted in EBS while instance is stopped instance store: boot time: <5 minutes size limit of root device: 10GiB persistance: Data persists only during the lifetime of the instance on all volumes modifications: instance type, kernal, RAM disk, user data fixed for life of instance charges: charged for instance usage and AMI image storage in S3 AMI creation/bundling: requires installation/use of AMI tools stopped state: cannot be in stopped state. can be in either running or terminated state

Answer 127

what can you do with an AMI? modify: You can modify content of an AMI like the description and sharing properties, but you cannot modify the actual binary volume data of the AMI. For that, you have to create a new AMI copy: you can copy both types of AMIs, within or across regions. you can copy encrypted snapshots or change the encryption status in the process. copying makes a distinct AMI with seperate AMI ID. copying EBS-backed AMIs the EBS backed snapshot is copied to a distinct target snapshot. copies of EBSs across regions are complete copies. Encrypted copies of unencrypted snapshots and encrypted copies of encrypted snapshots encrypted using a new KMS key are complete copies. new permissions like launch permissions need to be applied for copies of AMIs Store/Restore: you can store and restort AMIs from S3 buckets. You can move AMIs between different partitions in AWS (commercial partition to gov cloud, for example) becuase copy cant move AMIs across partitions depricate: if an AMI goes out of date, you can mark that it should no longer be used by depricating it depricated AMIs do not appear in AMI listings, or DescribeApi calls, unless its AMI ID is passed depricated AMIs can still be launched if you know the AMI ID AMIs can be set to depricate on a specific date/time disable: disabled AMIs cannot be used to launch new instances disabling an AMI removes all its launch permissions disabled AMIs can be re-enabled to launch instances again archive: you can archive visabled EBS-backed AMIs. you can do this to reduce storage costs associated with rarely used AMIs that have to be stored for long periods deregister: deregistered AMIs can't have new instances created from them restore: you can restore deleted AMIs from the recycle bin a certain period after deleting them Amazon Data Lifecycle Manager can automate the movement of EBS-backed AMIs through the AMI lifecycle events can be monitored using EventBridge

Answer 128

EBS-backed AMI encryption supported in all regions where KMS is available EBS-backed AMIs launched from unencrypted snapshots can be encrypted during launch encryption is supported either by a KMS key or customer managed key encryption launch senarios: if 'KmsKeyId' param set: snapshot launched as encrypted volume (using KMS key specified in parameter) else if 'Encrypted' param set: if snapshot encrypted && owned by you: snapshot launched as encrypted volume (using the same KMS key) else: snapshot launched as encrypted volume (using your accounts default KMS key) else if no params set: if snapshot is unencrypted: if encryption by default enabled: snapshot launched as encrypted volume else: snapshot launched as unencrypted volume if snapshot is encrypted: if snapshot owned by you: snapshot launched as encrypted volume (using the same KMS key) else: snapshot launched as encrypted volume (using your accounts default KMS key)

Answer 129

instances of different types can be launched from one AMI. the type determines the hardware the instance runs on Instance Types General purpose Compute optimized Memory optimized Storage optimized Accelerated computing High-performance computing Previous generation instance types On-Demand Instances – Pay, by the second, for the instances that you launch. changing instance type EBS-backed: use the console to stop the instance and then execute a 'change instance type' action. If the desired instance is not compatible with the current one or you are upgrading an instance-store backed instance, you will have to start a new instance back up current instance, launch new instance with previous configuration, attach EBS volumes, install required software for instance and workload, restore data in new instance instances can be stopped, hibernated, or terminated when an instance is terminated, the normal shutdown process is executed, then the root device is deleted, and any attached EBS volumes are preserved by default (determined by the deleteOnTermination setting for each volume) instance termination can be disabled

Answer 130

purchasing options Savings Plans – Reduce your Amazon EC2 costs by making a commitment to a consistent amount of usage, in USD per hour, for a term of 1 or 3 years. Reserved Instances – Reduce your Amazon EC2 costs by making a commitment to a consistent instance configuration, including instance type and Region, for a term of 1 or 3 years. Spot Instances – Request unused EC2 instances, which can reduce your Amazon EC2 costs significantly. Dedicated Hosts – Pay for a physical host that is fully dedicated to running your instances, and bring your existing per-socket, per-core, or per-VM software licenses to reduce costs. Dedicated Instances – Pay, by the hour, for instances that run on single-tenant hardware. Capacity Reservations – Reserve capacity for your EC2 instances in a specific Availability Zone.

Answer 131

instance state instance store backed instances are either running or terminated EBS volumes enter a pending state and then a running state after launch. If they are stopped in either pending or running, they go from a stopping to a stopped state. from this point, they can either be started again, and go from pending to running again, or can be shutdown, where they will enter a shut-down and then a terminated state you are only billed for use of the instance when it is in the running state you can automatically start/stop instances using the aws instance scheduler, Lambda and an EventBridge rule, or EC2 autoscaling stop protection can be enabled to protect an instance from being accidentally stopped (does not protect from stopping due to an OS command such as shutdown or poweroff, and only works on EBS backed instances. doesn't work on spot instances

Answer 132

fleet types instant: a one time synchronous request is placed for your desired capacity. the desired capacity is returned request: EC2 issues an async 1 time request for your capacity. If capacity is diminished due to spot interruptions, EC2 does not attempt to replenish spot capacity maintain (default): EC2 issues an async request, and automatically maintains the capacity by replenishing instances

Answer 133

Connecting to an instance you can use ssh, EC2 Instance Connect (which manages ssh connection to instances so you don't have to manage ssh keys), or Session Manager (fully managed AWS Systems Manager capability that lets you manage your Amazon EC2 instances through an interactive one-click browser-based shell or through the AWS CLI).

Answer 134

Fleets you can launch EC2 instances in a fleet, launching many at once with one API call the fleet can span AZs, purchasing options, and instance types you can set a spend limit, and EC2 will launch instances in your fleet until it meets you desired capacity, unless it meets your spend limit, in which case, it will not launch more instances cannot span regions or different subnets in the same AZ

Answer 135

spot instance allocation strategies: price-capacity-optimized (recommended, best for most workloads): EC2 identifies the pools with the highest capacity available for the number of instances you are launching, and then it from these pools, the lowest priced sport instances are selected capacity-optimized: EC2 Fleet identifies the pools with the highest capacity availability for the number of instances that are launching. This means that we will request Spot Instances from the pools that we believe have the lowest chance of interruption in the near term. capacity-optimized-prioritized: same as capacity-optimized, but you can optionally set a priority for each instance type in your fleet using capacity-optimized-prioritized. diversified: The Spot Instances are distributed across all Spot capacity pools. lowest-price: The Spot Instances come from the lowest priced pool that has available capacity

Answer 136

attribute based instance type fleet selection instead of selecting instances based on capacity, price, etc., you can defined attributes such as minimum and maximum vCPU count, and EC2 will launch any available instance type that meets those requirements No need to find exactly what instance type you need or to specify a template override for each instance type. your fleet can automatically start to use newer generation instances as they are released, instead of having to update the template to new the new instances EC2 can select from a wide range of spot instance types, contributing to the best practice of high spot flexibility attributes can include min/max vCPU count, min/max GiBs of Memory, Local Storage (EBs or instance store backed)

Answer 137

price protection Price protection is a feature that prevents your EC2 Fleet from using instance types that you would consider too expensive even if they happen to fit the attributes that you specified. To use price protection, you set a price threshold. Then, when Amazon EC2 selects instance types with your attributes, it excludes instance types priced above your threshold.

Answer 138

on-demand backups lets you choose a backup instance type for a fleet of on-demand EC2 instances, so that if the fleet needs to scale significantly and runs out of a certain instance, it can start using another instance type to scale the fleet

Answer 139

capacity rebalancing lets you replace spot instances when EC2 issues a rebalance request, even if the spot instance hasn't been interrupted. This proactively augments your fleet of spot instances only available for fleets of type 'maintain' and you can only modify he rebalancing setting when the fleet isn't running

Answer 140

instance weighting When you create an EC2 Fleet, you can define the capacity units that each instance type would contribute to your application's performance. You can then adjust your maximum price for each launch specification by using instance weighting.

Answer 141

CodeGuru ML-based security vulnerability detector

Answer 142

CodePipeline automates your build, test, and deploy stages every time there is a code change *manual approvals for each step: manual approvals can be configured for each step of your codepipeline workflow can only have Github, ECR, S3, BitBucket, or CodeCommit as sources to codePipeline

Answer 143

CodeStar unified user interface to develop, build, and maintain

Answer 144

CodeWhisperer generates code snippets for users from comment suggestions

Answer 145

X-Ray provides a visual representation of requests as they propigate through your application useful for understanding the movement of data through a microservice application for debugging

Answer 146

*configuring permissions to enable data collection in xray if xray is not able to get compute data from resources from a service, it probably needs permission to access the resources *enabling xray tracing on on-prem servers install and run the xray daemon on the on-prem servers and relay the data to the xray service unified account to view traces across all resources/accounts: the xray daemon can publish data to an account that is different from the one in which it is running.

Answer 147

environment variables: AWS_XRAY_CONTEXT_MISSING=[RUNTIME_ERROR, LOG_ERROR, IGNORE_ERROR]: what to do when content is missing. either throw a runtime error, log the error and continue, or ignore the error and continue AWS_XRAY_DAEMON_ADDRESS: host and port of the X-Ray daemon listener (default 127.0.0.1:2000) AWS_XRAY_DEBUG_MODE=TRUE: to configure the SDK to output logs to the console, at debug level AWS_XRAY_LOG_LEVEL=[debug, info, warn, error, silent]: log level for the default logger AWS_XRAY_TRACING_NAME: service name that the sdk uses for segments

Answer 148

Metadata - Metadata are key-value pairs with values of any type, including objects and lists, but that is not indexed. Use metadata to record data you want to store in the trace but don't need to use for searching traces. Segments - The computing resources running your application logic send data about their work as segments. A segment provides the resource's name, details about the request, and details about the work done. inferred segments: represent downstream services and resources in the trace map Sampling - To ensure efficient tracing and provide a representative sample of the requests that your application serves, the X-Ray SDK applies a sampling algorithm to determine which requests get traced. By default, the X-Ray SDK records the first request each second, and five percent of any additional requests. namespace – 'aws' for AWS SDK calls; 'remote' for other downstream calls.

Answer 149

AWS CLI command-line tool to interface with aws services * --region parameter * --dry-run parameter *command to enable detailed monitoring on an EC2 instance? configuring pagination: pass the --page-size and --max-items parameters

Answer 150

CDK allows you to define aws infrastructure using common programming languages

Answer 151

CloudFormation allows you to deploy aws infrastructure from json or yaml templates allows you to monitor and rollback deployments or changes to stacks * what section of the template cannot be associated with 'Condition'? parameters * what are pseudoparameters? pseudoparameters are parameters predefined by cloudformation * FindInMap intrinsic function returns the a specific value based on a search term in a mapping declared in the mappings section of the template *Transform: 'AWS::Serverless-2016-10-31': this indicates that this template is a SAM template

Answer 152

*YAML/JSON cloudformation template sections meaning (dependencies, conditions, output, resources, parameters, etc.) MetaData: add additional information to the template description: describes what you want the template to do parameters: defines what values are allowed to pass into the parameter at runtime mappings: lookup table, maps keys to values so you can change your values to other values conditions: can involve if/else or other conditional statements transform: applies macros to the text of the tamplate *resources: defines a resource you want to create (IAM role, EC2 instance, ...) outputs: the value returned from the execution of the file. information can also be passed to other templates *at least one resource required in the template *exported output names must be unique within a single region

Answer 153

*valid parameter types string, number, number list, or comma delimited list of strings

Answer 154

*drift detection indicates when the resources in a stack have deviated in their configuration from what was originally generated from cloudformation

Answer 155

*configuring parameters with 'AllowedValues' list the possible values that a certain parameter is allowed to take

Answer 156

*which services rely on cloudformation SAM, CDK

Answer 157

deploying lambda function in CloudFormation: for container images, point AWS::Lambda::Function to the container image in ECR for zip files, point AWS::Lambda::Function to the zip file in S3 for interpretted languages like python or Node.JS, simply include the source code of the function in the CloudFormation file inline

Answer 158

CloudTrail logs and presents to you the who, when, where, what of api calls for your account.

Answer 159

CloudFormation: CloudWatch monitors, presents, and reacts to operational metrics in your infrastrucure. set high resolution alarms, visualize logs and metrics side by side, take automated actions, troubleshoot issues, and discover insights to optimize your applications, and ensure they are running smoothly.

Answer 160

*high-resolution custom metrics cloudwatch metrics are either standard resolution (one-minute granularity) and high resolution (one-second granularity).

Answer 161

*cron events cloudwatch allows you to run lambda functions at specific intervals, defined in cron(Minutes Hours Day-of-month Month Day-of-week Year) format

Answer 162

Events event: indicates a change in your aws environment. resources can generate events on state changes rule: matches incoming events and routes them to targets for processing targets: processes events You can schedule events to occur on a periodic basis

Answer 163

CloudWatch Agent: collect metrics and logs from EC2 instances and on-prem servers

Answer 164

CloudWatch Logs You can use Amazon CloudWatch Logs to monitor, store, and access your log files from Amazon Elastic Compute Cloud (Amazon EC2) instances, AWS CloudTrail, Route 53, and other sources.

Answer 165

collecting logs on EC2 instances: example: response time: 1. configure the application running on the EC2 instances to write the response time to a log file 2. install the cloudwatch agent on the instance to stream the application logs to CloudWatch logs 3. create a metric filter for the response time from the log file 4. create a cloudwatch alarm to send an SNS notification when the average of the response time metric exceeds a certain threshold

Answer 166

Systems Manager Systems Manager AppConfig deploys configurations from a central location supports deployment of configuration to applications and validation of code and monitoring Feature flags and toggles – Safely release new capabilities to your customers in a controlled environment. Instantly roll back changes if you experience a problem. Application tuning – Carefully introduce application changes while testing the impact of those changes with users in production environments. Allow list or block list – Control access to premium features or instantly block specific users without deploying new code. Centralized configuration storage – Keep your configuration data organized and consistent across all of your workloads. You can use AWS AppConfig to deploy configuration data stored in the AWS AppConfig hosted configuration store, AWS Secrets Manager, Systems Manager Parameter Store, or Amazon S3.

Answer 167

Systems Manager Parameter Store Provides an encrypted location to store important administrative information such as passwords and database strings. Integrates with AWS KMS to make it easy to encrypt the information you keep in the Parameter Store. can be used to store passwords, but not to authenticate to aws, because you need to be authenicated to aws to access ssm remotely

Answer 168

CloudFront aws's cloud CDN *know that cloudfront key pairs can only be created by a root user

Answer 169

origin groups: allow you to group multiple origins and select one as primary, which will failover to the secondary for high-availability in cloudfront

Answer 170

controlling access signed urls: urls used to provide access to files in cloudfront to authorized people signed cookies: allows you to provide access to multiple files in cloudfront each signer has a private key pair. cloudfront uses a public keypair to verify access you can have as many as 2 keypairs per account when you use the root user to manage signers

Answer 171

Lambda Edge: deploy lambda functions to the cloud to reduce latency

Answer 172

you can configure cloudfront to force uses to use https when connecting to cloudfront you can ALSO force it to use https when fetching objects from your resources

Answer 173

Caching Behaviors must have as many caching behaviors as origins. if you have 2 origins and only 1 caching behavior, only one origin will be used, the other will never be used behavior pattern the pattern of a behavior matches the request from the viewer the default behavior is *, which cannot be changed, and matches everything. behaviors are evaluated against requests in the order in which the rules are listed, with the default behavior being evaluated if no other rules match the request or no other rules are listed. for example: images/*.jpg would match requests for files in the JPEG format under the images/ file

Answer 174

Elastic Load Balancing (ELB) distributes incoming network traffic across multiple target instances

Answer 175

*cross-zone load balancing enabled vs disabled effect on traffic percentages enabled: each node receives equal amounts of traffic, regardless of how they are distributes across AZs disabled: traffic is divided evenly across AZs, then evenly across nodes in the AZs. traffic received by nodes CAN differ depending on how they are distributed across AZs

Answer 176

* configuring health checks (specifically, configuring permissions on instances, etc., for the health check so that is doesn't erroneously report an unhealthy status) You must ensure that your load balancer can communicate with registered targets on both the listener port and the health check port. Whenever you add a listener to your load balancer or update the health check port for a target group used by the load balancer to route requests, you must verify that the security groups associated with the load balancer allow traffic on the new port in both directions

Answer 177

*ALB vs NLB vs CLB Classic Load Balancer CLB (legacy, depricated): original load balancer. can balance both TCP/UDP or HTTP(S) traffic Application Load Balancer ALB: meant for http traffic has listeners, rules, and target groups can have instances, IP addresses (not publically routable ones), or Lambdas as targets Network Load Balancer NLB: meant for TCP/UDP traffic has listeners and target groups can support millions of requests per second doesn't support x-forwarded-for

Answer 178

*enabling stickiness bind a user's session to a specific EC2 instance, which ensures all requests from that session are sent to the same instance typically utilized with Classic Load Balancer, although it can be enabled for ALB (although only set on a target group not individual EC2 instances) cookies are used to remember user's session state useful when a specific piece of information is only stored locally on a single instance, and so you need to send a specific user to that instance and no other instances

Answer 179

session storage with ElastiCache: ALB session storage can be implemented with ElastiCache, if you are using blue/green deployment and your cookies would be erased if using sticky sessions when the ALB itself is wiped out

Answer 180

*x-forwarded-for HTTP Header request header that contains the ip address of the machine that send the request to the load balancer to be forwarded to the instance used to get the original ip address of the request, because after going through the load balancer, the request will be shown to originate from the load balancer's ip address, not the original clients IP address

Answer 181

500 errors: 500: error executing web ACL rules, the load balancer cannot communicate with the idP token endpoint/user, or the claim from the idP endpoint is larger than 11KB 501: load balancer received a Transfer-Encoding header with an unsupported value 502 (bad gateway): many reasons 503: the targets are not registered with target groups 504 (gateway timeout): generally, any timeout problem 505 (version not supported): load balancer established an HTTP/1 connection but received an HTTP/2 request. 507 (insufficient storage): The redirect URL is too long. 561 (Unauthorized): You configured a listener rule to authenticate users, but the IdP returned an error code when authenticating the user. a timeout will usually be caused by improperly configured security groups

Answer 182

Route53 AWS's cloud DNS service

Answer 183

simple routing default 1 record and multiple ip addresses with multiple ip addresses, a random adress is returned weighted routing sends a defined amount of traffic to one server over another could be stable/experimental setup latency based routing traffic directed to the lowest network latency for the end user based on region requires a latency resource record to be set for the EC2 or ELB resource that hosts your application in each region failover routing policies allows you to define a primary and secondary site, and route53 can monitor health of primary and automatically direct traffic to the secondary application if the primary is unhealthy geolocation routing policy direct traffic based on geographical location of where the requests are originating from geoproximity routing policies direct traffic based on geographic location of users, and your AWS resources pass in coordinates, and weight the size of the region represented by the coordinates by a percentage. can use predefined coordinate set of the AWS regions or can be custom coordinates regions change size with percentage weighting multi-value ansewr routing policy just like simple routing, but checks the random address that is selected against a health check, and only forwards traffic there if it is healthy, else, it picks a different random address and repeats the process

Answer 184

*CNAME, ALIAS, PTR, A, AAAA records, etc. A record: routes traffic to a target in IPV4 format (web server, etc.) AAAA record: routes traffic to a target in IPV6 format (web server, etc.) CA record: lets you specify what certificate authorities can issue certificates from your domains PTR record: maps an IP address to a domain name ALIAS record: maps a domain to an aws service ex: example.com -> S3 Bucket CNAME record: allows you to map DNS queries for the current record to another domain ex: example.com -> www.example.com or example.com -> newproduct.example.com

Answer 185

VPC Organize rocket services as if they existed in a virtual private network

Answer 186

*NACL: allows/denies specific inbound/outbound traffic at the subnet level

Answer 187

*VPC flow log enables you to capture information about the IP traffic going to and from network interfaces in your VPC can be published to Amazon CloudWatch Logs, Amazon S3, or Amazon Kinesis Data Firehose

Answer 188

*configuring services (EC2 instance and dynamoDB, for example) to communicate in the VPC without sending communication over the public internet configure vpc endpoints to send data through instead of going through the public internet

Answer 189

connect AWS VPCs together so that they can communicate with each other as if they were one VPC a service provider vpc and service consumer vpc can communicate via PrivateLink. A service provider vpc must allow the service consumer vpc to connect via a load balancer to the service provider vpc service a service consumer vpc must connect to the service provider vpc service through the load balancer via a vpc endpoint service consumer vpc service -> vpc endpoint -> load balancer -> service provider vpc service (endpoint service)

Answer 190

a vpc endpoint can be either a interface endpoint or gatewayLoadBalancer gatewayLoadBalancer: send traffic to a fleet of virtual appliances using private IP addresses. route traffic from your VPC to the Gateway Load Balancer endpoint using route tables. The Gateway Load Balancer distributes traffic to the virtual appliances and can scale with demand. ***sends traffic to DynamoDB or S3*** interface endpoint: send TCP traffic to an endpoint service. Traffic destined for the endpoint service is resolved using DNS.

Answer 191

Amazon Certificate Manager (ACM) provision, manage, and deploy TLS/SSL certificates

Answer 192

Amazon Certificate Manager (ACM) Private Certificate Authority pay monthly for the operation of the private CA and for the private certificates you issue

Answer 193

Cognito add user sign-up, sign-in, and access control to your web and mobile apps authenticate users through social identity providers such as Facebook, Twitter, or Amazon using SAML

Answer 194

* cognito sync vs cognito user pools vs cognito identity pools cognito sync: lets you sync user data and preferences across devices with one line of code. uses push synchronization to push updates and synchronize data. uses SNS under the hood to send notifications to all user devices when data in the cloud changes. cognito user pools: a directory of the application's users. handles sign up, sign in, accound recovery, and account confirmation. successful user authentication generates a JWT (JSON Web Token). provide sign-in/sign-on functionality to web and mobile applications Adaptive Authentication: configure your user pool to block suspicious sign-ins or add second factor authentication in response to an increased risk level. cognito identity pools: provide temporary AWS credentials for users who are guests (unauthenticated) and for users who have been authenticated and received a token. An identity pool is a store of user identity data specific to your account. uses Federated identity for authenticating users allows users to sign in with google, amazon, facebook, or other identity providers provide authentication functionality to AWS resources

Answer 195

lambda triggers: event triggers that let you fire off lambda functions in responses to occurances like pre-sign up, post-confirmation, pre-authentication, post-authentication, etc.

Answer 196

manage the permissions and access of users and groups to resources in the cloud *know that this is what manages SSL certs if ACM is not available in the region

Answer 197

*know how to allow a user access to the Billing and Cost Management Dashboard configure and attach IAM policy to billing and cost management dashboard activate IAM user access to billing and cost management dashboard for all those who need it

Answer 198

*resource-based policies vs identity-based policies resource-based policies: are attached to a resource. For example, you can attach resource-based policies to Amazon S3 buckets, Amazon SQS queues, or VPC endpoints trust policies: specific type of resource-based policy. defines which principals can assume the role, and under which conditions. identity-based policies: attached to an IAM user, group, or role. Let you specify what that identity can do.

Answer 199

*IAM permission boundary sets the maximum permissions that an identity-based policy can grant to an IAM entity. An entity's permissions boundary allows it to perform only the actions that are allowed by both its identity-based policies and its permissions boundaries

Answer 200

*IAM policy variables Instead of creating individual policies for each user, you can use policy variables and create a single policy that applies to multiple users (a group policy). Policy variables act as placeholders. When you make a request to AWS, the placeholder is replaced by a value from the request when the policy is evaluated. "${aws:username}" User x can only access files in his folder - bucket-a/user/user-x/ and user y can only access files in her folder - bucket-a/user/user-y/ and so on.

Answer 201

*Access Advisor feature To help identify the unused roles, IAM reports the last-used timestamp that represents when a role was last used to make an AWS request. Your security team can use this information to identify, analyze, and then confidently remove unused roles. This helps improve the security posture of your AWS environments *Access Analyser

Answer 202

*Access Analyser AWS IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity. This lets you identify unintended access to your resources and data, which is a security risk.

Answer 203

*trusted advisor online tool that provides you real-time guidance to help you provision your resources following AWS best practices on cost optimization, security, fault tolerance, service limits, and performance improvement.

Answer 204

*getting access to data in aws resources across accounts by configuring a trusted entity You can give EC2 instances in one account ("account A") permissions to assume a role from another account ("account B") to access resources such as S3 buckets. You need to create an IAM role in Account B and set Account A as a trusted entity. Then attach a policy to this IAM role such that it delegates access to Amazon S3 Then you can create another role (instance profile) in Account A and attach it to the EC2 instances in Account A and add an inline policy to this role to assume the role from Account B

Answer 205

*which database engines can be configured with IAM database authentication? (MySQL and PostgreSQL)

Answer 206

cross account IAM access: allowing account B to access resources in account A 1. account A creates an IAM role 2. account A attaches a permission policy to that role 3. account A attaches a trust policy to the role, identifying account B as someone who can assume the IAM role 4. account B delegates permission to assume the IAM role to any users in account B

Answer 207

service role: an IAM role that an aws service takes on to perform an action on your behalf

Answer 208

IAM Security Token Service create and provide trusted users with temporary security credentials that can control access to your AWS resources work identically to long-term access key credentials, accept they are temporary (last for anywhere from a few minutes to several hours) and they are not stored with the user but are generated dynamically and provided to the user when requested. decode-authoriztion-message: decode additional information about the authorization status of a request from an encoded message returned in response to an AWS request token lifespan ranges from 15 to 60 minutes (with 1 second resolution)

Answer 209

actions AssumeRole: Returns a set of temporary security credentials that you can use to access AWS resources AssumeRoleWithSAML: Returns a set of temporary security credentials for users who have been authenticated via a SAML authentication response AssumeRoleWithWebIdentity: Returns a set of temporary security credentials for users who have been authenticated in a mobile or web application with a web identity provider DecodeAuthorizationMessage: Decodes additional information about the authorization status of a request from an encoded message returned in response to an AWS request. GetAccessKeyInfo: Returns the account identifier for the specified access key ID. GetCallerIdentity: Returns details about the IAM user or role whose credentials are used to call the operation. GetFederationToken: Returns a set of temporary security credentials (consisting of an access key ID, a secret access key, and a security token) for a user GetSessionToken: Returns a set of temporary credentials for an AWS account or IAM user.

Answer 210

Key Management Service (KMS) create and manage encryption keys and control the use of encryption across a wide range of AWS services and in your applications uses FIPS 140-2 validated hardware security modules integrated with AWS CloudTrail to provide you with logs of all key usage for regulatory and compliance needs * where are keys stored? are they sent/received from/to a user/KMS? does KMS generate keys? keys are stored in memory in a CloudHSM security module you can generate CMKs in KMS *GenerateDataKey vs GenerateDataKeyWithoutPlainText *do more research on KMS in general

Answer 211

AWS Encryption SDK: stores data keys and related cryptographic material in a cache. When you encrypt or decrypt data, the AWS Encryption SDK looks for a matching data key in the cache. If it finds a match, it uses the cached data key rather than generating a new one. Your application can benefit from data key caching if: It can reuse data keys. It generates numerous data keys. Your cryptographic operations are unacceptably slow, expensive, limited, or resource-intensive. should be used cautiously, because excessive reuse of cryptographic keys defies cryptography best practices The AWS Encryption SDK is a client-side encryption library designed to make it easy for everyone to encrypt and decrypt data using industry standards and best practices. It enables you to focus on the core functionality of your application, rather than on how to best encrypt and decrypt your data. an sdk the encrypts data data key - key used to encrypt data wrapping key - key used to encrypt data key symmetric encryption: uses the same key to encrypt and decrypt asymmetric encryption: uses a mathmatically related pair of keys. One decrypts and one encrypts.

Answer 212

SecretsManager enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle retrieve secrets with a call to Secrets Manager APIs, eliminating the need to hardcode sensitive information

Answer 213

Elastic Block Store (EBS) fully-managed block-storage service designed for Amazon Elastic Compute Cloud raw block-level storage, attached to EC2 instances and accessed by RDS *region locking EBS volumes EBS volumes are restricted to their AZ, and so cannot be accessed by resources in different AZs, even within the same region *encryption in flight and at rest using KMS EBS volumes support encryption both in-flight and at rest using KMS can only be attached to one EC2 instance

Answer 214

WAF web application firewall that helps protect your web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources gives you control over which traffic to allow or block to your web application by defining customizable web security rules

Answer 215

Elastic File Store (EFS) cloud storage service designed to provide scalable, elastic, concurrent and encrypted file storage for use with both AWS cloud services and on-premises resources has multiple storage tiers and throughput tiers

Answer 216

AWS Budgets *how many months worth of data is required for forcast-based AWS Budgets alerts for cost management

Answer 217

S3 aws fully managed object storage

Answer 218

*putobject api: x-amz-server-side-encryption header you can make a bucket policy to deny an upload operation unless the header has the 'x-amz-server-side-encryption' option with a specific value ("AES256", "aws:kms", sse:s3", etc.)

Answer 219

*pre-signed urls share objects with others by creating a pre-signed URL, using their own security credentials, to grant time-limited permission to download the objects must provide your security credentials, bucket name, object key, HTTP method (GET to download the object), and expiration date/time *s3 keys unique identification string for an object in s3 when versioning is enabled, uploading an object with the same S3 key as one that already exists will update the existing object, treating the newly uploaded object as a new version of the existing obj

Answer 220

*access control on s3 means of access control for your account: resource-based policies: Access policies that you attach to your resources (buckets and objects) user policies: access policies that you attach to users in your account means of access control for other accounts: access control lists (ACLs): grant basic read and write permissions to other AWS accounts can be disabled, in which case, access control is enforced only by access policies. this is recommended nowadays

Answer 221

*configuring s3 data at rest with SSE-KMS, SSE-S3, SSE-C, etc. by default, uploads to S3 are encrypted in SSL/TLS encryption in transit for encryption at rest, S3 objects can be encrypted server-side with Server Side Encryption (SSE)... SSE-AES: S3 handles the encryption key and uses AES-256 algorithm ('x-amz-server-side-encryption': 'AES256') SSE-KMS: encryption keys are managed by AWS Key Management System (KMS) and managed by you ('x-amz-server-side-encryption': 'aws:kms') SSE-C: encryption is perfromed using encryption keys that are provided by the customer (you). you must use https encryption keys can be managed by you, S3, or KMS Client-Side Encryption: customer (you) encrypt the files locally and then upload them to S3

Answer 222

*configuring an S3 bucket for replication Amazon S3 Replication (CRR and SRR) is configured at the S3 bucket level, a shared prefix level, or an object level using S3 object You add a replication configuration on your source bucket by specifying a destination bucket in the same or different AWS region for replication With S3 Replication (CRR and SRR), you can establish replication rules to make copies of your objects into another storage class, in the same or a different region. Lifecycle actions are not replicated, and if you want the same lifecycle configuration applied to both source and destination buckets, enable the same lifecycle configuration on both.

Answer 223

*configuring cors on buckets to make web content on those buckets available to websites hosted on other buckets To configure your bucket to allow cross-origin requests, you create a CORS configuration, which is an XML document with rules that identify the origins that you will allow to access your bucket, the operations (HTTP methods) that will support for each origin, and other operation-specific information. to allow CORS access to a bucket B from bucket A, configure CORS with a CORS configuration XML file on bucket B to allow access from bucket A

Answer 224

*S3 Object Ownership S3 objects are owned by the aws account that created it by default

Answer 225

S3 event notifications: set and react to certain events in S3 like object modification with actions

Answer 226

S3: cloudtrail integration: even if an account owns an S3 bucket, it still must be the owner of any object in that bucket if the account user is to receive CloudTrail object access logs for objects in that bucket

Answer 227

S3 Select: enables applications to retrieve only a subset of data from an object by using simple SQL expressions retrieve only the data needed by your application: drastic performance increases (as much as a 400% improvement, up to 80% cheaper)

Answer 228

S3 Inventory: tool to help manage your storage audit and report on the replication and encryption status of your objects for business, compliance, and regulatory needs

Answer 229

S3 Analytics: analyze storage access patterns to help you decide when to transition the right data to the right storage class. observes data access patterns to help you determine when to transition less frequently accessed STANDARD storage to the STANDARD_IA (IA, for infrequent access) storage class.

Answer 230

S3 access logs: provides detailed records for the requests that are made to a bucket. can be useful in security and access audits. can also help you learn about your customer base and understand your Amazon S3 bill.

Answer 231

Versioning: means of keeping multiple variables of the same object in one bucket always applies to the entire bucket, or not at all allows recoverability from failures or unintended user actions overwriting a file results in a new version, and deleting an object simply inserts a delete marker, however, the previous versions remain and can be restored existing objects in the bucket added before versioning was enabled have a version of 'NULL' after versioning is enabled

Answer 232

Caching on S3: can use cloudfront to serve static S3 content, cannot use ElastiCache on S3

Answer 233

s3 transfer acceleration: Amazon S3 Transfer Acceleration enables fast, easy, and secure transfers of files over long distances between your client and an S3 bucket. Transfer Acceleration takes advantage of Amazon CloudFront’s globally distributed edge locations. As the data arrives at an edge location, data is routed to Amazon S3 over an optimized network path. can speed up transfer to and from S3 grounds for use: Your customers upload to a centralized bucket from all over the world. You transfer gigabytes to terabytes of data on a regular basis across continents. You can't use all of your available bandwidth over the internet when uploading to Amazon S3.

Answer 234

Multipart Upload: Multipart upload allows you to upload a single object as a set of parts. Each part is a contiguous portion of the object's data. You can upload these object parts independently and in any order. If transmission of any part fails, you can retransmit that part without affecting other parts. increases performance on a stable network and resiliency on a spotty network. In general, when your object size reaches 100 MB, you should consider using multipart uploads instead of uploading the object in a single operation.

AWS Certified Developer Associate Flashcards

(258 cards)