AWS Developer study

Question 1

Your application’s document NoSQL database is growing as more customers are discovering your service. You need a type of version control to manage data points as they may change to define trends in your customers’ use cases. Which AWS service will track time-based versions of your data as it goes through changes?

Answer 1

DynamoDB can provide record of data changes over time. This can be done by either time-stamp or sequential numbering.

Question 2

You are an account representative for an AWS SaaS partner organization that works with healthcare providers. You want to provide a new potential client assurance that your software meets HIPAA compliance. Which of the below statements are NOT true?

Answer 2

AWS is one of the few HIPAA cloud service providers.

Question 3

You’ve set up an AWS CodePipeline to streamline the CI/CD stages. You want to know when there is a failure in the pipeline’s state. Which of the below code samples will create a CloudWatch alarm to trigger a SNS Topic event should the state change to fail?

Answer 3

{
“source”: [
“aws.codepipeline”
],
“detail-type”: [
“CodePipeline Pipeline Execution State Change”
],
“detail”: {
“state”: [
“FAILED”
]
}
}

Question 4

In traditional on-premise data centers, best practices suggest maximizing key security by using Hardware Security Module (HSM). What are two ways that a customer can ensure proper data encryption?

Answer 4

AWS CloudHSM

Answer explanation: AWS CloudHSM gives customers the ability to manage their HSMs. Both the AWS KMS and AWS CloudHSM can protect plaintext master keys on behalf of the client. The client is still ultimately responsible for managing the access controls to determine who can cause which encryption keys to be used under which conditions.

Use AWS KMS (Key Management Service)

Answer explanation: AWS KMS is a service provided by AWS that manages a fleet of HSMs. This service can protect plaintext master keys on the customer’s behalf.

Question 5

To stay aligned with a project, your team has released a web application prior to testing being completed. You do not anticipate a high amount of traffic on the application yet and some pages will probably have no traffic until another project milestone is completed. What AWS service would you use to help preempt any UX issues with page load speeds and errors even though it is not collected activity data yet?

Answer 5

CloudWatch Synthetics

Answer explanation: CloudWatch Synthetics is a service with AWS X-Ray. It can provide insights and suggestions based on connections to endpoints even without user activity taking place yet.

Question 6

You have recently uploaded 50 new buckets into your account. These buckets contain confidential objects. You need to ensure that access is limited to select internal users and no external entities. What IAM service can help identify your account’s resources that are shared with external entities?

Answer 6

Access Analyzer

Answer explanation: Access Analyzer helps identify the resources in your account to identify unintended access to resources and data. Findings from Access Analyzer can include information about the access and external entity granted access.

Question 7

Your team is using CodeStar to build a new software project on AWS. To collect data about requests and gain some insights, your team has requested that X-Ray be installed. Which code snippet below accurately shows how to add X-Ray tracing to the resources for our EcommerceWorld application?

Answer 7

Resources:
EcommerceWorld
Type: AWS::Serverless::Function
Properties:
Handler: index.get
Runtime: nodejs4.3
Tracing: Active
Role:
Fn:: ImportValue:
!Join [’-‘, [!Ref ‘ProjectId’, !Ref ‘AWS::Region’, ‘LambdaTrustRole’]]

Question 8

Your organization is deploying a new application using the AWS Cloud Development Kit (CDK). What CLI cmd will read the file and perform its instructions?

Answer 8

cdk deploy

Answer explanation: cdk deploy will the deploy the stack of files. It will read and perform the instructions in the files.cdk deploy

Question 9

Your web application has files exceeding 10MB in size. You are using CI/CD with CodePipeline to stage changes in the application. Which of the following AWS services would be most appropriate to use?

Answer 9

S3

Answer explanation: S3 can manage files up to 5 terabytes in size, which is more than sufficient for the application files. CodePipeline works with git sources and non-git sources like S3. Enabling versioning in the S3 bucket will allow updates to the objects as needed

Question 10

While deploying a new application, the development team originally planned on hosting EC2 instances. Due to some updates in the application, you have decided to switch from EC2 to Lambda. The CloudFormation template you deployed is shown below. What steps do you need to take to change it from EC2 to Lambda?

Answer 10

{
“Type”: “AWS::CodeDeploy::Application”,
“Properties”: {
“ApplicationName” : ShoppingTodayApp,
“ComputePlatform”: “Lambda”
}
}

You cannot make changes to the computer platform properties via an update in CloudFormation. To make the change, the template would need to be replaced.

Question 11

A developer team is working on a new web application and wants to build it using AWS resources. They have decided that CloudFormation service is the best and most efficient way to begin. What is NOT a best practice when using CloudFormation?

Answer 11

Using large formation templates to create a customized infrastructure instead of microservices

Using one template to define every part of the deployment would create a large and difficult project when there comes a need to troubleshoot. One of the advantages of AWS is the modular options it provides, such as microservices. Troubleshooting and iterating are simpler when a template is used for each of the components. For example, a child template could be created for a database, the application, the web layer, and a parent template that manages the deployment of child templates in sequence.

Question 12

Your team uses CodePipeline to monitor CI/CD as updates are made on your code. Your DevOps team members want to monitor the CodePipeline events and receive notifications when an event is triggered. What are two AWS services that you can enable to achieve this? Select all that apply.

Answer 12

Enabling CloudWatch event rules

CloudWatch does provide a way to manage events in CodePipeline. EventBridge is preferred as it provides more features.

Enabling SNS topics

SNS topics can be created and have developers subscribe to receive notifications via a push notification. For example, developers can receive SMS messages on their mobile devices without polling events searching for a trigger.

Question 13

A cooking school has launched an application that can be used to connect users (potential and current clients) with opportunities to participate in cooking classes and large demonstration events. They have asked their development team to research how they can offer the functionality of daily instructional videos so that they can package this feature as an easy-to-use service that does not require travel to the cooking school or an event. Leadership at the cooking school has communicated that it is a high priority to ensure that the User Interface (UI) design of this potential video service is intuitive because they are aware of other similar services offered by competitors that have failed because users have become frustrated with the navigation required and responsiveness of the mobile application. Which Amazon service should the development team use to demonstrate to leadership that functional requirements can be met in an application?

Answer 13

AWS Amplify

AWS Amplify offers Admin UI. Admin UI provides ease of managing the Amplify framework, including UI components, libraries, and CLI toolchains.

Question 14

A development team is using Amazon CloudWatch and Amazon EventBridge to monitor failures of EC2 to launch throughout the company’s AWS Organization. The team wants to monitor this type of cross-account event to troubleshoot the cause and implement solutions if warranted. The team has decided to create an event bus in the centralized account to generate the event logs in Amazon Cloudwatch. Given this scenario, what/who should be authorized to put events into the event bus?

Answer 14

All accounts

All accounts will be authorized. The scenario takes place in an AWS Organizations account.

Question 15

Which one of the following code samples will use AWS SAM to deploy a serverless application to the cloud and will allow CloudFormation to create an IAM role?

Answer 15

sam deploy \
–template-file packaged.yaml \
–stack-name sam-app \
–capabilities CAPABILITY_IAM \
–region us-east-1

This code snippet shows the command for SAM to deploy the appropriate template-file, stack-name, capabilities, and region. This code will direct AWS CloudFormation to create the AWS resources that are defined in the template.

Question 16

What does IAM stand for and is is a global service

Answer 16

Identity Access management and yes

Question 17

What is the least privalege principle?

Answer 17

don’t give
more permissions than a user
needs

Question 18

What is a IAM role?

Answer 18

Its sets up permissions for a user or service

Question 19

What is the shared responsibility model?

Answer 19

It is the responsibility of what AWS and what you’re responsible for. You are responsible for policies, management, monitoring, rotating keys, IAM and permissions

Question 20

What are IAM Policies?

Answer 20

A set of permissions for making requests to AWs services and can be used by IAM users, groups and IAM roles

Question 21

A statement in an IAM Policy consists of?

Answer 21

Side Effect, Principal, Action, Resource, and Condition.

Question 22

What is EC2?

Answer 22

Elastic Compute Cloud: It consists of virtual machines, virtual drives, load balancers and scaling services

Question 23

What are some EC2 sizing on config options?

Answer 23

How much CPU, RAM, Storage (EBS, EFS), Network card, firewall rules and bootstap script.

Question 24

What is bootstrapping?

Answer 24

Launching commands when a machine starts

Question 25

What is bootstrapping used for?

Answer 25

Installing updates, software, downloading common files and automating tasks

Question 26

What are some EC2 instance Types

Answer 26

General Purpose Instances Compute Optimized Instances Memory-Optimized Instances Storage Optimized Instances Accelerated Computing Instances

Question 27

What EC2 type would you use for storage intensive tasks that require high read/write access?

Answer 27

Storage Optimized Instances

Question 28

What does a security group do?

Answer 28

They control how traffic is allowed in or out of EC2 instances.

Question 29

What does attributes does a security group contain?

Answer 29

Type (http), protocol (tcp), port range, source, description

Question 30

What are the security ports and their purpose?

Answer 30

22 - ssh (secure shell) 21 - FTP 22 - SFTP 80 - un-secure websites 443 - HTTPs secure websites 3389 - RDP (remote desktop protocol)

Question 31

What is a PEM file and where do you get it?

Answer 31

Its a secure key to ensure better security. After creating a ECC2 instance, you go to create key pair under network and secutiry and download the pem file. Then you login using ssh with the pem. ssh -i filename.pem username@101.1.1.1

Question 32

What is another (easiest) way to ssh into your instance?

Answer 32

Use EC2 Instance Connect

Question 33

What are some E2C purchase options?

Answer 33

On-Demand Instances – short workload, predictable pricing, pay by second * Reserved (1 & 3 years) * Reserved Instances – long workloads * Convertible Reserved Instances – long workloads with flexible instances * Savings Plans (1 & 3 years) –commitment to an amount of usage, long workload * Spot Instances – short workloads, cheap, can lose instances (less reliable) * Dedicated Hosts – book an entire physical server, control instance placement * Dedicated Instances – no other customers will share your hardware * Capacity Reservations – reserve capacity in a specific AZ for any duration

Question 34

What is EC2 on demand?

Answer 34

* Pay for what you use: * Linux or Windows - billing per second, after the first minute * All other operating systems - billing per hour * Has the highest cost but no upfront payment * No long-term commitment * Recommended for short-term and un-interrupted workloads, where you can't predict how the application will behave

Question 35

What is EC2 reserved instances?

Answer 35

Up to 72% discount compared to On-demand * You reserve a specific instance attributes (Instance Type, Region, Tenancy, OS) * Reservation Period – 1 year (+discount) or 3 years (+++discount) * Payment Options – No Upfront (+), Partial Upfront (++), All Upfront (+++) * Reserved Instance’s Scope – Regional or Zonal (reserve capacity in an AZ) * Recommended for steady-state usage applications (think database) * You can buy and sell in the Reserved Instance Marketplace

Question 36

What is EC2 Savings Plans?

Answer 36

Get a discount based on long-term usage (up to 72% - same as RIs) * Commit to a certain type of usage ($10/hour for 1 or 3 years) * Usage beyond EC2 Savings Plans is billed at the On-Demand price * Locked to a specific instance family & AWS region (e.g., M5 in us-east-1) * Flexible across: * Instance Size (e.g., m5.xlarge, m5.2xlarge) * OS (e.g., Linux, Windows) * Tenancy (Host, Dedicated, Default)

Question 37

What is EC2 Spot Instance?

Answer 37

Can get a discount of up to 90% compared to On-demand * Instances that you can “lose” at any point of time if your max price is less than the current spot price * The MOST cost-efficient instances in AWS * Useful for workloads that are resilient to failure * Batch jobs * Data analysis * Image processing * Any distributed workloads * Workloads with a flexible start and end time * Not suitable for critical jobs or databases

Question 38

What’s an EBS Volume?

Answer 38

An EBS (Elastic Block Store) Volume is a network drive you can attach to your instances while they run. (like a network usb stick)

Question 39

What does IOPS stand for?

Answer 39

Input/Output Operations per Second, and is a unit of measurement used to evaluate disk performance in AWS.

Question 40

What is vertical scalability?

Answer 40

Increasing the size or your instance. You would use it on a full DB

Question 41

What is a good case for EC2 instance store

Answer 41

Temporary cache or temp content

Question 42

What is a limitation of an EC2 instance

Answer 42

Storage. You can use an instance store to boost storage I/O and performance

Question 43

What are the EBS volume types?

Answer 43

gp2 / gp3 (SSD): General purpose SSD volume that balances price and performance for a wide variety of workloads * io1 / io2 Block Express (SSD): Highest-performance SSD volume for mission-critical low-latency or high-throughput workloads * st1 (HDD): Low cost HDD volume designed for frequently accessed, throughput- intensive workloads * sc1 (HDD): Lowest cost HDD volume designed for less frequently accessed workloads

Question 44

What is the maximum EBS Multi-Attach can you attach at once?

Answer 44

16

Question 45

What is EFS?

Answer 45

Elastic File system - Highly availible - Scaliable - only compatible with linux based OS

Question 46

What are the storage classes for EFS?

Answer 46

Storage Tiers (lifecycle management feature – move file after N days) * Standard: for frequently accessed files * Infrequent access (EFS-IA): cost to retrieve files, lower price to store. Enable EFS-IA with a Lifecycle Policy * Availability and durability * Standard: Multi-AZ, great for prod * One Zone: One AZ, great for dev, backup enabled by default, compatible with IA (EFS One Zone-IA)

Question 47

When should you use EFS?

Answer 47

When you need multiple avaiblitly zones and when It complies with the requirements

Question 49

What is horizontal scalability?

Answer 49

increasing the instances. Its having distributed systems.

Question 50

What is the goal of a high availability system?

Answer 50

To create redundancies in your system. Its just in case one instance or AZ goes down

Question 51

Why would you want to use a load balancer?

Answer 51

* Spread load across multiple downstream instances * Expose a single point of access (DNS) to your application * Seamlessly handle failures of downstream instances * Do regular health checks to your instances * Provide SSL termination (HTTPS) for your websites * Enforce stickiness with cookies * High availability across zones * Separate public traffic from private traffic

Question 52

What are the 4 kinds of managed load balancers?

Answer 52

* Classic Load Balancer (v1 - old generation) – 2009 – CLB * HTTP, HTTPS, TCP, SSL (secure TCP) * Application Load Balancer (v2 - new generation) – 2016 – ALB * HTTP, HTTPS, WebSocket * Network Load Balancer (v2 - new generation) – 2017 – NLB * TCP, TLS (secure TCP), UDP * Gateway Load Balancer – 2020 – GWLB * Operates at layer 3 (Network layer) – IP Protocol

Question 53

What is ALB is used for?

Answer 53

Application load balancer is mostly used to route to micro services

Question 54

What is a NLB used for?

Answer 54

Network load balancer is (high performance) is used to forward requests to your instances. Network load balancers (Layer 4) allow to: * Forward TCP & UDP traffic to your instances * Handle millions of request per seconds * Less latency ~100 ms (vs 400 ms for ALB) * NLB has one static IP per AZ, and supports assigning Elastic IP (helpful for whitelisting specific IP) * NLB are used for extreme performance, TCP or UDP traffic * Not included in the AWS free tier

Question 55

What are the target groups for an NLB?

Answer 55

* EC2 instances * IP Addresses – must be private IPs * Application Load Balancer * Health Checks support the TCP, HTTP and HTTPS Protocols

Question 56

What is a GLB used for?

Answer 56

A gateway load balancer is used to analyze the traffic coming into your application * Deploy, scale, and manage a fleet of 3rd party network virtual appliances in AWS * Example: Firewalls, Intrusion Detection and Prevention Systems, Deep Packet Inspection Systems, payload manipulation, … * Operates at Layer 3 (Network Layer) – IP Packets * Combines the following functions: * Transparent Network Gateway – single entry/exit for all traffic * Load Balancer – distributes traffic to your virtual appliances * Uses the GENEVE protocol on port 6081

Question 57

What are the target groups for your GLB?

Answer 57

* EC2 instances * IP Addresses – must be private IPs

Question 58

What is a sticky session?

Answer 58

* It is when the same client is always redirected to the same instance behind a load balancer

Question 59

What are the sticky session cookie names?

Answer 59

Application-based Duration based

Question 60

What is cross zone load balancing?

Answer 60

Each LB instance evenly distributes traffic across all registered Ec2 instances in all AZ

Question 61

What is an SSL cert?

Answer 61

Secure socket layer allows encrypted traffic connections between your load balancer and client. SSL refers to Secure Sockets Layer, used to encrypt connections * TLS refers to Transport Layer Security, which is a newer version * Nowadays, TLS certificates are mainly used, but people still refer as SSL * Public SSL certificates are issued by Certificate Authorities (CA) * Comodo, Symantec, GoDaddy, GlobalSign, Digicert, Letsencrypt, etc… * SSL certificates have an expiration date (you set) and must be renewed

Question 62

What is SSL SNI?

Answer 62

* SNI solves the problem of loading multiple SSL certificates onto one web server (to serve multiple websites) * It’s a “newer” protocol, and requires the client to indicate the hostname of the target server in the initial SSL handshake * The server will then find the correct certificate, or return the default one

Question 63

What is connection draining?

Answer 63

It gives time for in flight requests to complete while an EC2 instance is shutting down

Question 64

What is auto scaling?

Answer 64

ASG or auto scaling group increases or decreases to match a decreased or increased load.

Question 65

What are the auto scaling types and their definitions?

Answer 65

Dynamic Scaling * Target Tracking Scaling * Simple to set-up * Example: I want the average ASG CPU to stay at around 40% * Simple / Step Scaling * When a CloudWatch alarm is triggered (example CPU > 70%), then add 2 units * When a CloudWatch alarm is triggered (example CPU < 30%), then remove 1 Scheduled Scaling * Anticipate a scaling based on known usage patterns * Example: increase the min capacity to 10 at 5 pm on Fridays

Question 66

Why use a RDS proxy?

Answer 66

* Fully managed database proxy for RDS * Allows apps to pool and share DB connections established with the database * Improving database efficiency by reducing the stress on database resources (e.g., CPU, RAM) and minimize open connections (and timeouts) * Serverless, autoscaling, highly available (multi-AZ) * Reduced RDS & Aurora failover time by up 66% * Supports RDS (MySQL, PostgreSQL, MariaDB, MS SQL Server) and Aurora (MySQL, PostgreSQL) * No code changes required for most apps * Enforce IAM Authentication for DB, and securely store credentials in AWS Secrets Manager * RDS Proxy is never publicly accessible (must be accessed from VPC)

Question 67

What kind of DBs can you use with RDS?

Answer 67

* Postgres * MySQL * MariaDB * Oracle * Microsoft SQL Server * IBM DB2 * Aurora

Question 69

What is Elasti Cache?

Answer 69

* Caches are in-memory databases with really high performance, low latency * Helps reduce load off of databases for read intensive workloads * Helps make your application stateless * AWS takes care of OS maintenance / patching, optimizations, setup, configuration, monitoring, failure recovery and backups * Using ElastiCache involves heavy application code changes

Question 70

What is route 53?

Answer 70

Its amazon's DNS management tool

Question 71

Whats the difference between CNAME and Alias?

Answer 71

CNAME – maps a hostname to another hostname Alias (A, AAAA) maps to a IP or a hostname to an AWS Resource

Question 72

What is a VPC?

Answer 72

virtual private cloud, which is an instance of the app. (ec2 instance, server, DB)

Question 73

What is TTL?

Answer 73

Time to live: its how long you want the client to cache your DNS mapping

Question 74

What does an alias record do

Answer 74

Maps a hostname to an AWS resource * An extension to DNS functionality * Automatically recognizes changes in the resource’s IP addresses * Unlike CNAME, it can be used for the top node of a DNS namespace (Zone Apex), e.g.: example.com * Alias Record is always of type A/AAAA for AWS resources (IPv4 / IPv6) * You can’t set the TTL

Question 75

What can you not set an alias record for?

Answer 75

EC2 DNS name

Question 76

What are the types of 53 routing policies?

Answer 76

* Simple * Weighted * Failover * Latency based * Geolocation * Multi-Value Answer * Geoproximity (using Route 53 Traffic Flow feature)

Question 77

What is a route 53 health check?

Answer 77

Health checks monitor an endpoint and automate DNS failover

Question 78

How many health checks can you monitor

Answer 78

256

Question 79

What is VPC?

Answer 79

Virtual private cloud

Question 80

What is a VPC endpoint?

Answer 80

Endpoint that allows you to connect to AWS services using a private network instead of the public

Question 81

What is a VPC subnet?

Answer 81

Tied to an AZ, network partition of the VPC

Question 82

What is a Internet Gateway at the VPC level?

Answer 82

Provides Internet Access

Question 83

What is a VPC NAT Gateway

Answer 83

it give internet access to private subnets

Question 84

What is NACL?

Answer 84

Stateless, subnet rules for inbound and outbound

Question 85

What is VPC Peering

Answer 85

It connects two VPC with non overlapping IP ranges, non transitive

Question 86

What are VPC Endpoints?

Answer 86

They Provide private access to AWS Services within VPC

Question 87

What are VPC Flow Logs?

Answer 87

network traffic logs

Question 88

What is Site to Site VPN?

Answer 88

VPN over public internet between on-premises DC and AWS

Question 89

What is Direct Connect?

Answer 89

direct private connection to a AWS

Question 90

What are the ECS task placement strategies?

Answer 90

Binpack, Random, Spread & Mix

Question 91

What is the Binpack placement strategy?

Answer 91

* Tasks are placed on the least available amount of CPU and Memory * Minimizes the number of EC2 instances in use (cost savings)

Question 92

What is the random placement strategy?

Answer 92

Tasks are placed randomly

Question 93

What is the spread placement strategy?

Answer 93

* Tasks are placed evenly based on the specified value * Example: instanceId, attribute:ecs.availability-zone

Question 94

What is the mix placement strategy?

Answer 94

A mix of the binpack spread strategies

Question 95

What is Amazon ECR

Answer 95

Amazon Elastic Container Registry (Amazon ECR) is an AWS managed container image registry service

Question 96

What is cloud formation?

Answer 96

Its a tool that uses a template to create AWS resources.

Question 97

What is SQS?

Answer 97

Its the middle wear amazon uses to send event messages between services.