Dev with AWS Flashcards

Question

MemoryDB for Redis vs. ElastiCache for Redis?

Answer 1

Amazon ElastiCache for Redis, a fully managed in-memory caching service, as a low latency cache in front of a durable database service such as Amazon Aurora or Amazon DynamoDB to minimize data loss. However, this setup requires you to introduce custom code in your applications to keep the cache in sync with the database. You’ll also incur costs for running both a cache and a database. Amazon MemoryDB for Redis, a new Redis-compatible, durable, in-memory database. MemoryDB makes it easy and cost-effective to build applications that require microsecond read and single-digit millisecond write performance with data durability and high availability. Instead of using a low-latency cache in front of a durable database, you can now simplify your architecture and use MemoryDB as a single, primary database. With MemoryDB, all your data is stored in memory, enabling low latency and high throughput data access.

Answer 2

managing the Amazon SQS queue and running a daemon process on each instance that reads from the queue for you. When the daemon pulls an item from the queue, it sends an HTTP POST request locally to http://localhost/ on port 80 with the contents of the queue message in the body. All that your application needs to do is perform the long-running task in response to the POST. You can configure the daemon to post to a different path, use a MIME type other than application/JSON, connect to an existing queue, or customize connections (maximum concurrent requests), timeouts, and retries. Also can define periodic tasks that add jobs to your worker env's queue automatically at a regular interval.

Answer 3

Web Server Environment and Worker Environment.

Answer 4

a logical networking component in a VPC that represents a virtual network card. (Includes ip addresses and security groups) A single EC2 instance can now be attached to two ENIs, each one on a distinct subnet. The ENI (not the instance) is now associated with a subnet.

Answer 5

encrypt plaintext data with a data key and then encrypt the data key with a top-level plaintext master key. Because the master key is stored in KMS, it’s safe and can be used in many envelope encrypted sets of data.

Answer 6

it's identical to the GenerateDataKey operation except that it does not return a plaintext copy of the data key.

Answer 7

Returns a unique symmetric data key for use outside of KMS. This operation returns a plaintext copy of the data key and a copy that is encrypted under a symmetric encryption KMS key that you specify.

Answer 8

By default, Lambda invokes your function synchronously (i.e. theInvocationType is RequestResponse). To invoke a function asynchronously, set InvocationType to Event.

Answer 9

create different versions of your function and then allow it to shift traffic between two versions, based on weights (%) that you assign to it. Create an alias and it gives options to do this.

Answer 10

a fully managed service that you can use to coordinate the components of distributed applications and microservices using VISUAL WORKFLOWS. You build small applications that each perform a discrete function (or step) in your workflow, which means that you can scale and change your applications quickly. Think of it as first this function runs, which invokes another function, which invokes two more functions to complete a series of steps in your workflow. Step Functions is based on state machines and tasks. A state machine is a workflow. A task is a state in a workflow that represents a single unit of work performed by another AWS service. Each step in a workflow is a state.

Answer 11

When you create a state machine, you can select either a Standard (default) or Express Workflow. In both cases, you define your state machine using the Amazon States Language (JSON based). Your state machine workflow runs will behave differently depending on which option you select. You cannot change the workflow type after you have created your state machine. Standard Workflows are ideal for long-running, durable, and auditable workflows. Express Workflows are ideal for high-volume, event-processing workloads such as IoT data ingestion, streaming data processing and transformation, and mobile application backends. There are two types of Express Workflows, asynchronous and synchronous.

Answer 12

A web service that makes it easy to coordinate work across distributed application components. In Amazon SWF, tasks represent invocations of logical steps in applications. Tasks are processed by workers which are programs that interact with Amazon SWF to get tasks, process them, and return their results. The coordination of tasks involves managing execution dependencies, scheduling, and concurrency in accordance with the logical flow of the application.

Answer 13

build your app so that it requests temporary AWS security credentials dynamically when needed using web identity federation. The supplied temporary credentials map to an AWS role that has only the permissions needed to perform the tasks required by the mobile app. you don't need to create custom sign-in code or manage your own user identities. Instead, users of your app can sign in using a well-known external identity provider (IdP), such as Login with Amazon, Facebook, Google, or any other OpenID Connect (OIDC)-compatible IdP.

Answer 14

then you must write code that interacts with a web IdP, such as Facebook, and then calls the AssumeRoleWithWebIdentity API to trade the authentication token you get from those IdPs for AWS temporary security credentials.

Answer 15

You can configure functions to mount a file system during initialization with the NFS protocol over the local network within a VPC. Lambda manages the connection and encrypts all traffic to and from the file system. The file system and the Lambda function must be in the same region. A Lambda function in one account can mount a file system in a different account. For this scenario, you configure VPC peering between the function VPC and the file system VPC.

Answer 16

x-amz-server-side-encryption

Answer 17

x-amz-server-side-encryption-aws-kms-key-id header which specifies the id of the KMS master encryption key. If the header is not present in the request, Amazon S3 assumes the default KMS key. Regardless, the KMS key ID that Amazon S3 uses for object encryption must match the KMS key ID in the policy, otherwise Amazon S3 denies the request. To upload an object to the S3 bucket, which uses SSE-KMS, you have to send a request with an x-amz-server-side-encryption header with the value of aws:kms

Answer 18

SSE-S3 is an encryption key that S3 creates, manages and uses for the customer. SSE-KMS is an encryption key that AWS protects for the customer.

Answer 19

an Identity Broker which handles interaction between your applications and the Web ID provider (you don’t need to write your own code to do this) Amazon Cognito is a service that helps you manage identities for your CUSTOMER facing applications; it is not a supported identity source in IAM Identity Center. Amazon Cognito is our identity management solution for developers building B2C or B2B apps for their customers, which makes it a customer-targeted IAM and user directory solution. Identity Center (SSO) is focused on SSO for employees accessing AWS and BUSINESS apps, initially with Microsoft Active Directory as the underlying employee directory. You can create and manage your workforce identities in IAM Identity Center or in your external identity source including Microsoft Active Directory, Okta Universal Directory, Azure Active Directory (Azure AD), or another supported IdP. USES SAML

Answer 20

Optimistic locking depends on checking a value upon save to ensure that it has not changed. Pessimistic locking prevents a value from changing by locking the item or row in the database. DynamoDB does not support item locking, and conditional writes are perfect for implementing optimistic concurrency.

Answer 21

A token-based Lambda authorizer (also called a TOKEN authorizer) receives the caller's identity in a bearer token, such as a JSON Web Token (JWT) or an OAuth token. A request parameter-based Lambda authorizer (also called a REQUEST authorizer) receives the caller's identity in a combination of headers, query string parameters, stageVariables, and $context variables. For WebSocket APIs, only request parameter-based authorizers are supported.

Answer 22

When you use an IAM identity provider, you don't have to create custom sign-in code or manage your own user identities. The IdP provides that for you. Your external users sign in through a well-known IdP, such as Login with Amazon, Facebook, or Google. You can give those external identities permissions to use AWS resources in your account. IAM identity providers help keep your AWS account secure because you don't have to distribute or embed long-term security credentials, such as access keys, in your application. To use an IdP, you create an IAM identity provider entity to establish a trust relationship between your AWS account and the IdP. IAM supports IdPs that are compatible with OpenID Connect (OIDC) OR SAML 2.0 (Security Assertion Markup Language 2.0).

Answer 23

are a type of organization policy that you can use to manage permissions in your organization. SCPs offer central control over the maximum available permissions for all accounts in your organization. SCPs help you to ensure your accounts stay within your organization’s access control guidelines. SCPs are available only in an organization that has all features enabled. SCPs aren't available if your organization has enabled only the consolidated billing features.

Answer 24

AWS CloudFormation StackSets extends the capability of stacks by enabling you to create, update, or delete stacks across multiple accounts and AWS Regions with a single operation. Using an administrator account, you define and manage an AWS CloudFormation template, and use the template as the basis for provisioning stacks into selected target accounts across specified AWS Regions.

Answer 25

Customer provided encryption keys.

Answer 26

x-amz-server-side-encryption-customer-algorithm - This header specifies the encryption algorithm. The header value must be "AES256". x-amz-server-side-encryption-customer-key - This header provides the 256-bit, base64-encoded encryption key for Amazon S3 to use to encrypt or decrypt your data. x-amz-server-side-encryption-customer-key-MD5 - This header provides the base64-encoded 128-bit MD5 digest of the encryption key according to RFC 1321. Amazon S3 uses this header for a message integrity check to ensure the encryption key was transmitted without error.

Answer 27

A route table contains a set of rules, called routes, that are used to determine where network traffic is directed. Each subnet in your VPC must be associated with a route table; the table controls the routing for the subnet. A subnet can only be associated with one route table at a time, but you can associate multiple subnets with the same route table.

Answer 28

This option doesn't provide a secure way of allowing the application that is hosted in EC2 to upload data to an S3 bucket. You should use an IAM Role instead.

Answer 29

The Kinesis Adapter is the recommended way to consume streams from DynamoDB for real-time processing. The DynamoDB Streams API is intentionally similar to that of Kinesis Streams, a service for real-time processing of streaming data at a massive scale. You can write applications for Kinesis Streams using the Kinesis Client Library (KCL). The KCL simplifies coding by providing useful abstractions above the low-level Kinesis Streams API. As a DynamoDB Streams user, you can leverage the design patterns found within the KCL to process DynamoDB Streams shards and stream records. To do this, you use the DynamoDB Streams Kinesis Adapter. The Kinesis Adapter implements the Kinesis Streams interface, so that the KCL can be used for consuming and processing records from DynamoDB Streams.

Answer 30

Set the limit parameter to 1 to set the maximum number of items that need to be retrieved with a DynamoDB scan operation.

Answer 31

Create an API Gateway API and configure the routes to use Lambda proxy integration. Target the corresponding Lambda function Amazon Resource Name (ARN) that is concatenated with the expression ${stageVariables.LambdaAlias}. Modify the Lambda resource-based policy by adding the permission lambda:InvokeFunction. Create production, testing, and development stages. Add the LambdaAlias stage variable to the corresponding stage. To add "stageVariable" to the Lambda ARN, you should use the following format: ${stageVariable.stageVariableName}.

Answer 32

The Lambda environment can reuse the same database connection for subsequent invocations when defining the database connection details in the code but outside the handler method.

Answer 33

Elaticache. DAX is only for DynamoDB. dummy.

Answer 34

provide VPC config info to the function (private subnet ID, and security group ID)

Answer 35

API Gateway, ELB, S3, Lambda, EB, SNS, and SQS.

Answer 36

GET, HEAD: You can use CloudFront only to get objects from your origin or to get object headers. GET, HEAD, OPTIONS: You can use CloudFront only to get objects from your origin, get object headers, or retrieve a list of the options that your origin server supports. GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE: You can use CloudFront to get, add, update, and delete objects, and to get object headers. In addition, you can perform other POST operations such as submitting data from a web form.

Answer 37

Requiring HTTPS for communication between CloudFront and your custom origin HTTPS Only – CloudFront uses only HTTPS to communicate with your custom origin. Match Viewer – CloudFront communicates with your custom origin using HTTP or HTTPS, depending on the protocol of the viewer request. For example, if you choose Match Viewer for Origin Protocol Policy and the viewer uses HTTPS to request an object from CloudFront, CloudFront also uses HTTPS to forward the request to your origin. Choose Match Viewer only if you specify Redirect HTTP to HTTPS or HTTPS Only for Viewer Protocol Policy. CloudFront caches the object only once even if viewers make requests using both HTTP and HTTPS protocols.

Answer 38

Choose the protocol policy that you want viewers to use to access your content in CloudFront edge locations: HTTP and HTTPS: Viewers can use both protocols. Redirect HTTP to HTTPS: Viewers can use both protocols, but HTTP requests are automatically redirected to HTTPS requests. HTTPS Only: Viewers can only access your content if they're using HTTPS.

Answer 39

must be created in us-east-1

Answer 40

Lambda@EdgeLambda, a compute service that lets you execute functions that customize the content that CloudFront delivers. You can author Node.js or Python functions in one Region, US East (N. Virginia), and then execute them in AWS locations globally that are closer to the viewer, without provisioning or managing servers.

Answer 41

Using roles to grant permissions to applications that run on EC2 instances requires a bit of extra configuration. An application running on an EC2 instance is abstracted from AWS by the virtualized operating system. Because of this extra separation, an additional step is needed to assign an AWS role and its associated permissions to an EC2 instance and make them available to its applications. This extra step is the creation of an instance profile that is attached to the instance. The instance profile contains the role and can provide the role's temporary credentials to an application that runs on the instance. Those temporary credentials can then be used in the application's API calls to access resources and to limit access to only those resources that the role specifies. Note that only one role can be assigned to an EC2 instance at a time, and all applications on the instance share the same role and permissions.

Answer 42

The AssumeRoleWithSAML API operation returns a set of temporary security credentials for federated users who are authenticated by your organization's existing identity system. The users must also use SAML 2.0 (Security Assertion Markup Language) to pass authentication and authorization information to AWS. This API operation is useful in organizations that have integrated their identity systems (such as Windows Active Directory or OpenLDAP) with software that can produce SAML assertions. Such an integration provides information about user identity and permissions (such as Active Directory Federation Services or Shibboleth).

Answer 43

Shared (default) – Multiple AWS accounts can share the same physical hardware. Dedicated Instance (dedicated) – Your instance runs on single-tenant hardware. Dedicated Instances might share hardware with other instances from the same AWS account that are not Dedicated Instances. You have no visibility into the underlying hardware nor control of instance placement. Dedicated Host (host) – Your instance runs on a physical server with EC2 instance capacity fully dedicated to your use. This is an isolated physical server with configurations that you can control a Dedicated Host gives you additional visibility and control over how instances are placed on a physical server. And you have greater visibility into the hardware that the instance is running on.

Answer 44

A token-based Lambda authorizer (also called a TOKEN authorizer) receives the caller's identity in a bearer token, such as a JSON Web Token (JWT) or an OAuth token. A request parameter-based Lambda authorizer (also called a REQUEST authorizer) receives the caller's identity in a combination of headers, query string parameters, stageVariables, and $context variables.

Answer 45

Add the ARN of the SQS or SNS in the Lambda function's DeadLetterConfig parameter.

Answer 46

Kinesis Data Stream - which ingests and stores data streams for processing.

Answer 47

CloudFront Functions allows you to write lightweight functions in JavaScript for high-scale, latency-sensitive CDN customizations. This feature is designed for operations that can be processed with low latency at the edge locations of AWS, such as: Cache key normalization, Header manipulation, Status code modification and body generation, URL redirects or rewrites, and Request authorization. When you associate a CloudFront function with a CloudFront distribution, it allows CloudFront to intercept requests and responses at CloudFront edge locations. CloudFront functions can only be invoked during two specific events: when CloudFront receives a request from a viewer (viewer request) and before CloudFront returns the response to the viewer (viewer response).

Answer 48

https://Your_AWS_Account_ID.signin.aws.amazon.com/console/

Answer 49

https://Your_Alias.signin.aws.amazon.com/console/

Answer 50

100 (not 500) the number of concurrent executions for poll-based event sources is different from push-based event sources. This number of concurrent executions would have been correct if the Lambda function is integrated with a push-based even source such as API Gateway or Amazon S3 Events. Remember that the Kinesis and Lambda integration is using a poll-based event source, which means that the number of shards is the unit of concurrency for the function.

Answer 51

To return the number of write capacity units consumed by any of these operations, set the ReturnConsumedCapacity parameter to one of the following: TOTAL — returns the total number of write capacity units consumed. INDEXES — returns the total number of write capacity units consumed, with subtotals for the table and any secondary indexes that were affected by the operation. NONE — no write capacity details are returned. (This is the default.)

Answer 52

In-place deployments to on-premises servers. B/G deployments to ECS. B/G deployments to Lambda.

Answer 53

an index with a partition key and a sort key that can be different from those on the base table. A global secondary index is considered "global" because queries on the index can span all of the data in the base table, across all partitions. You can add up to 20 global secondary indexes per table. A global secondary index (GSI) is primarily used if you want to query over the entire table, across all partitions. GSI only supports eventual consistency and not strong consistency. You have to use a local secondary index instead.

Answer 54

an index that has the same partition key as the base table, but a different sort key. A local secondary index is "local" in the sense that every partition of a local secondary index is scoped to a base table partition that has the same partition key value. For greater query or scan flexibility, you can create up to five local secondary indexes per table.

Answer 55

ECS feature which provides you with expressions that you can use to group container instances by a specific attribute

Answer 56

AWS Lambda natively supports Java, Go, PowerShell, Node.js, C#, Python, and Ruby code, and provides a Runtime API which allows you to use any additional programming languages to author your functions.

Answer 57

AWS_PROXY: This type of integration lets an API method be integrated with the Lambda function invocation action with a flexible, versatile, and streamlined integration setup. This integration relies on direct interactions between the client and the integrated Lambda function. With this type of integration, AKA LAMBDA PROXY INTEGRATION, you do not set the integration request or the integration response. API Gateway passes the incoming request from the client as the input to the backend Lambda function. The integrated Lambda function takes the input of this format and parses the input from all available sources, including request headers, URL path variables, query string parameters, and applicable body. The function returns the result following this output format. This is the PREFFERED integration type to call a Lambda function through API Gateway and is not applicable to any other AWS service actions, including Lambda actions other than the function-invoking action. HTTP: This type of integration lets an API expose HTTP endpoints in the backend. With the HTTP integration, also known as the HTTP custom integration, you must configure both the integration request and integration response. You must set up necessary data mappings from the method request to the integration request, and from the integration response to the method response. HTTP_PROXY: The HTTP proxy integration allows a client to access the backend HTTP endpoints with a streamlined integration setup on single API method. You do not set the integration request or the integration response. API Gateway passes the incoming request from the client to the HTTP endpoint and passes the outgoing response from the HTTP endpoint to the client. MOCK: This type of integration lets API Gateway return a response without sending the request further to the backend.

Answer 58

TheupdateItem function is used to update an existing item's attributes. Overall, developers can add, edit, or delete attributes from an existing item using the updateItem function. The putItem function creates an entirely new item or replaces an existing item from a DynamoDB table. So, unlike the updateItem function, you can not use the putItem function to update existing items. The behavior of the putItem function is determined by the primary key you provide. For example, if you provide an existing primary key, it will completely replace the old item.

Answer 59

GraphQL is a query and manipulation language for APIs. (used by AppSync) GraphQL provides a flexible and intuitive syntax to describe data requirements and interactions. It enables developers to ask for exactly what is needed and get back predictable results. It also makes it possible to access many sources in a single request, reducing the number of network calls and bandwidth requirements, therefore saving battery life and CPU cycles consumed by applications. It's meant to improve drawbacks of a REST API. Single endpoints: GraphQL uses a single endpoint to query data. There's no need to build multiple APIs to fit the shape of the data. This results in fewer requests going over the network. Fetching: GraphQL solves the perennial issues of over- and under-fetching by simply defining the data you need. GraphQL lets you shape the data to fit your needs so you only receive what you asked for. Abstraction: GraphQL APIs contain a few components and systems that describe the data using a language-agnostic standard. In other words, the shape and structure of the data are standardized so both the front- and backends know how it will be sent over the network. This allows developers on both ends to work with GraphQL's systems and not around them. Rapid iterations: Because of the standardization of data, changes on one end of development may not be required on the other. For example, frontend presentation changes may not result in extensive backend changes because GraphQL allows the data specification to be modified readily. You can simply define or modify the shape of the data to fit the needs of the application as it grows. This results in less potential development work.

Answer 60

250 MB unzipped. and container, 10 GB.

Answer 61

Function memory allocation 128 MB to 10,240 MB, in 1-MB increments. Note: Lambda allocates CPU power in proportion to the amount of memory configured. You can increase or decrease the memory and CPU power allocated to your function using the Memory (MB) setting. At 1,769 MB, a function has the equivalent of one vCPU. Deployment package (.zip file archive) size 50 MB (zipped, for direct upload) 250 MB (unzipped) Container image code package size 10 GB (maximum uncompressed image size, including all layers) /tmp directory storage Between 512 MB and 10,240 MB, in 1-MB increments

Answer 62

1. In Account B, create an IAM role with a trust policy for the Developers in Account A. 2. Update the IAM role’s permission to access the resources in Account B 3. In Account A, update the permission of the IAM users to assume the IAM role in Account B

Answer 63

Use the --dry-run parameter along with the CLI command.

Answer 64

Use the aws cloudformation package and aws cloudformation deploy command

Answer 65

Use the AssumeRole API

Answer 66

Create a CloudFront URL that redirects requests based on the CloudFront-Viewer-Country header’s value. Associate the CloudFront URL with the distribution’s Viewer Request event.

Answer 67

The write capacity of the GSI is less than the base table.

Answer 68

The API requests are reaching the maximum integration timeout for API Gateway (29 seconds)

Answer 69

Lambda allocates CPU power in proportion to the amount of memory configured. By increasing the function memory, you will increase the CPU allocation.

Dev with AWS Flashcards

(95 cards)