DevOps Professional Flashcards

1
Q

SQS: List of operations

A
AddPermission
ChangeMessageVisibility
ChangeMessageVisibilityBatch
CreateQueue
DeleteMessage
DeleteMessageBatch
DeleteQueue
GetQueueAttributes
GetQueueUrl
ListDeadLetterSourceQueues
ListQueues
ListQueueTags
PurgeQueue
ReceiveMessage
RemovePermission
SendMessage
SendMessageBatch
SetQueueAttributes
TagQueue
UntagQueue
2
Q

Can the CloudWatch agent monitor memory now?

A

Yes

3
Q

RDS Cross Region Replication Requirements

A

PostgreSQL 9.5.2 and above

PostgreSQL 9.4.7 and above

4
Q

ElastiCache: Memcached Cluster configurations

A

Memcached clusters contain from 1 to 20 nodes across which you horizontally partition your data.

5
Q

ElastiCache: Redis Cluster configurations

A

  • No Replication (Single Node)
  • Cluster Mode Disabled (Replicated, no Sharding/Partitioning)
  • Cluster Mode Enabled (Replicated with Sharding/Partitioning)
6
Q

RDS Single AZ IO Interruption

A

In a single-AZ RDS deployment there is an I/O interruption when creating:
* Read Replicas
* Snapshots
* Automated Backups

In a multi AZ deployment these operations are performed against the secondary instead.

7
Q

ELB: Sticky Sessions

A

Use an AWSALB Cookie.
Load Balancer Generated
Can’t be modified by applications.

Stickiness is configured at a target group level.

8
Q

EC2: Metrics that need an agent

A

Swap Space
Disk Space
Memory Used
& Others

9
Q

CloudWatch: Alarm statuses

A

OK
ALARM
INSUFFICIENT_DATA

10
Q

EC2: Status Check Types

A

System: Monitor the AWS systems on which your instance runs.

Instance: Monitor the software and network configuration of your individual instance.

11
Q

VPC: AWS IP Reservations

A

. AWS reserves the first 4 IP addresses & the last IP address.
. In a 10.0.0.0/24, the following IPs are reserved:

10.0.0.0: network address
10.0.0.1: Reserved by AWS for the AWS VPC router
10.0.0.2: Reserved by AWS. The IP address of the DNS server
is always the base of the AWS VPC network range.
However, the base of each subnet range is also reserved.

10.0.0.3: Reserved by AWS for future use
10.0.0.255: Network broadcast address.
AWS does NOT support any broadcast in an AWS VPC.
Therefore, they reserve the address.

12
Q

AWS Personal Health Dashboard

A

https://phd.aws.amazon.com

. Provides alerts & remediation guidance
when AWS is experiencing issues that
might impact customers

. Shows a personalized view of the
performance & availability of the
AWS services underlying your
provisioned AWS resources

13
Q

EC2: Initialising Volumes

A

When restoring a volume from a snapshot, maximum volume performance is not achieved until all blocks on the device have been read.

Tools for this:
lsblk
dd
fio

sudo dd if=/dev/nvme2n1 of=/dev/null bs=1M

sudo yum install -y fio
sudo fio --filename=/dev/nvme2n1 --rw=read --bs=128k --iodepth=32 --ioengine=libaio --direct=1 --name=volume-initialize

14
Q

AWS Inspector: Capabilities

A
  1. Security Best Practice
  2. Runtime behavior analysis
  3. Common vulnerability/exposure
  4. CIS Security Config Benchmark
15
Q

Direct Connect: Requirements

A

. Requires single-mode fiber
. 1 Gbps: 1000BASE-LX (1310 nm)
. 10 Gbps: 10GBASE-LR (1310 nm)

16
Q

EBS: Ensuring Durability

A

. By default, instance store & EBS ROOT volumes are not backed up
. They will not persist upon termination

. Instance store volumes cannot be stopped,
so termination is the only option
. This is why EBS volumes are recommended

. How do we save the data on a root volume?

1/ Uncheck “Delete on Termination” in the console
. Also a CLI parameter with run-instances

2/ Create a snapshot before deletion

3/ Create a separate volume & attach it to the instance
. Attached volumes persist when the instance is terminated

17
Q

EBS Metrics: Status Check

A

. Tests run every 5 minutes
. Returns: OK, warning, impaired, insufficient data
. User can change the result of the impaired response

18
Q

ELB: SSL Offloading

A

. In a highly available web application, we use
load balancers to distribute traffic.
. Can also use the load balancers’ elasticity & scalability
in the HTTPS/SSL process
. Can improve the performance of the instances/applications by
offloading the SSL process (encryption/decryption) to the load balancers

. Certificate Manager also integrates for certificate generation
& management.
. AWS will create an alias for the certificate
. Point to the target group
. Use the web security group

NOTE:

IN ROUTE 53 (after creating the certificate for SSL, etc.)

. Need to use the “naked” domain name
(NO www in front of the domain name)

. Then, point the “alias” to the load balancer

19
Q

SNS: Definition

A

Simple Notification Service

Push model (as opposed to the SQS pull model).
Create topics; messages sent to a topic are pushed out to all subscribers to that topic.
20
Q

SNS: Protocols

A
HTTP
HTTPS
Email
Email-json
Lambda
SQS
Application Platform
SMS
21
Q

Systems Manager: Description

A

AWS Systems Manager is a management service that helps you automatically collect software inventory, apply operating system patches, create system images, and configure Windows and Linux operating systems. Systems Manager can be used for EC2 instances, on-premises servers, and VMs. These capabilities help you define and track system configurations, prevent drift, and maintain software compliance of your EC2 and on-premises configurations.

22
Q

Lambda vs EC2: Use Cases

A

Use Lambda when you want to run code
in response to events, such as

1/ Changes to S3 buckets
2/ Messages in SQS queues
3/ Updates to DynamoDB tables
4/ CloudWatch Alarms
5/ Custom events generated
by your applications or devices
23
Q

Systems Manager: Patch Manager

A
. Automates the process of patching
managed instances with both
security-related & other types of updates.
You can use Patch Manager to apply
patches for both the OS & applications.
24
Q

EC2: Hardware Virtualised Machines (hvm)

A
a/ Executes the master boot record of the root storage device
b/ Virtual hardware set allows for running an OS
as if it were run on bare metal.
The OS doesn't know it's virtualized
c/ No modification needed
d/ Can use hardware extensions that
provide fast access to host hardware
(enhanced networking and CPU processing)
25
Q

EC2: ParaVirtualised Machines (pvm)

A

1/ runs a special boot loader & then loads the kernel

2/ can run on hardware that doesn’t support virtualization

3/ No hardware extension support

4/ PV historically performed faster than HVM,
but that is no longer the case

5/ PV has special drivers for networking & storage
that used less overhead than an HVM instance
trying to emulate the hardware. These drivers can
now be run on HVM instances, making the performance of
both types the same

NOTE: AWS recommends using HVM instances because the performance
is the same as PV, and enhanced networking & GPU processing
can be utilized when necessary.

26
Q

CloudWatch Logs: Components

A

1/ Log Events:
Record of activities recorded by
the monitored resource

2/ Log Stream:
Sequence of log events from the same
source/application

3/ Log Group:
A collection of log streams with the same
access control, monitoring, &
retention settings

4/ Metric Filters:
. Assigned to log groups.
. They extract data from the group's
log streams & convert that data
into a metric data point

5/ Retention settings:
Period of time logs are kept.
Assigned to log groups, but applied
to ALL streams in the group.

27
Q

VPC: Peering Limitations

A

. Can’t peer VPCs with matching or overlapping CIDR blocks
. VPC peering connections are 1:1 between VPCs
. Transitive peering is NOT supported
However, a third product (Transit Gateway) can provide this
. Only one peering connection between the same 2 VPCs
. Tags applied to the peering connection are only applied
in the account & region in which you create them.
. Security groups can’t reference peer VPC security groups
across regions
. IPv6 across regions is NOT supported
. DNS resolution for private hostnames must be enabled manually
. If in different accounts, it must be enabled in both accounts

28
Q

RDS: Multi AZ Maintenance

A

Zero Downtime

. AWS will perform the following steps:
. Perform maintenance on the standby
. Promote the standby
. Perform maintenance on the OLD primary DB,
which is the standby now.
29
Q

EC2: Elastic IPs

A

. A public IP address that can be “moved”
. Enables instances without a public IP to become accessible
from the internet

. GOOD to know:
. EIPs are region specific
. Do NOT support IPv6
. 2-step process to implement:
. Allocation & Association
. Upon association, any previous public IP is released
(DNS hostname changes as well)
. Can be disassociated & reassociated with another instance
. 2-step process to remove:
. Disassociate & release

. Customers are charged for:
. Elastic IPs not associated
. More than one Elastic IP on an instance

30
Q

CloudTrail: Description

A

CloudTrail is a service we can use to log all the API calls in our account.
API Calls include interaction from the console, AWS CLI, and SDKs.
We can also create trails that we can analyze with CloudWatch Logs or third-party tools.

31
Q

Systems Manager: Run Command

A

automate tasks across resources

e.g. software package installs

32
Q

CloudHSM: Description

A

1/ Dedicated hardware security modules under your exclusive control

2/ FIPS 140-2 Level 3 compliance

3/ Designed to integrate with VPC

4/ Integrates with PKCS#11, Java JCE

5/ Can connect to CloudHSM from your on-premises datacenter
using VPN or AWS Direct Connect

33
Q

RDS: Read Replica notes

A

. If the option for “Create Read Replica” is grayed out
(disabled), you need to go to the DB & enable backups
(default is 0 days -> aka disabled backups)

. Read Replicas can be cross-Region
. There is also an option in the config of a Read Replica to enable Multi-AZ

. Can also promote a Read Replica to standalone for disaster recovery (in case the Master becomes unavailable) -> choose “Promote” in the action menu

. Can have multiple Read Replicas to improve performance

34
Q

Redshift: Description

A

The Amazon Redshift service manages all of the work
of setting up, operating, and scaling a data warehouse.
These tasks include provisioning capacity, monitoring
and backing up the cluster, and applying patches and upgrades
to the Redshift engine.

35
Q

CloudTrail: Notes

A

1/ The last 90 days of event history
is in “View ALL events”

2/ When you create a trail in ALL regions,
it will create a trail in EACH region

3/ Always use the default to create
a trail in ALL regions so that if a
new region launches, CloudTrail will
automatically create a trail in that
new region with the same settings as
the original trail.
4/ Set "Enable log file validation"
to YES --> makes it impossible to
edit, change, modify, or delete the log
without detection
--> good for auditing/compliance
36
Q

RDS: Multi AZ Failover Process

A

The process is automated by AWS

1/ AWS detects an issue & starts the failover process

2/ DNS records are modified to point to the standby instance

3/ The application re-establishes any existing DB connections

The application requires no changes since
DNS of DB endpoint is the same

37
Q

CloudFront: Components

A

. ORIGIN:
. The original version of your content
. Can be an S3 bucket OR a web server

. DISTRIBUTION:
. Points edge locations & regional caches back to
the origin
. Configuration of logging, availability, and limitations

. EDGE LOCATIONS:
. The location of your cached objects, located all over the globe
. Current total is 169 in 30 countries
. Regional Edge Caches:
. Location of cached objects that are NOT
frequently accessed
. Current total is 11 in 30 countries

38
Q

IAM: Groups

A

Cannot be nested (group within a group).

User can be member of multiple groups

Should assign policies to groups, not individual users

39
Q

VPC: Flow Log record syntax

A
. version
. account-id
. interface-id
. srcaddr
. dstaddr
. srcport
. dstport
. protocol
. packets
. bytes
. start
. end
. action
. log-status
40
Q

Config: Capabilities

A

1/ Evaluate resource configuration
for desired settings

2/ Get a snapshot of the current configurations
associated with your account

3/ Retrieve configuration resources in your
account

4/ Retrieve past configuration

5/ Retrieve notifications for creation,
deletions, and modifications

6/ View relationships between resources
(EX: members of security groups)

41
Q

S3: Bucket Policy Elements

A

1/ Effect
Define whether to allow or deny the action

2/ Action
Actions we want to allow or deny (GET, POST,…)
An implicit DENY will overwrite an explicit ALLOW

3/ Resource
Used to identify resources (like a bucket or object) with Amazon
Resource Names (ARNs)

4/ Principal
An account or user that this policy applies to
Specific to S3 bucket policies, not user policies

5/ SID (optional)

6/ Condition (optional)
EX: a PutObject permission requiring objects to be stored using
server-side encryption

42
Q

EC2: HDD Volumes

A

. Somewhat deprecated (Previous Generation volume)
. Low cost storage or small volume sizes
. Volume Size: 1 GiB to 1 TiB
. Burst capacity to hundreds of IOPS

43
Q

ECS: Components

A

1/ Container:
. Virtualization method allowing you to run
applications in isolated processes
. Contains all the downloaded software, code,
runtime, system tools, & libraries
. Packaged as read-only templates called
Docker images

2/ Dockerfile:
. Text file that specifies all the components
needed in the container:
. The instructions for what will be placed
inside a container

3/ Container Registry:
. A repository where container/Docker images
are stored & accessed
. A container registry can be:
. AWS Elastic Container Registry (ECR)
. A third-party repository like Docker Hub
. A self-hosted registry

4/ Task Definition:
. JSON-formatted text file that contains the
“blueprint” for your application:
. Container image
. Container Registry
. Ports that should be open on the instance
. Data Volume

5/ Service:
. Defines how to run & maintain a specified number
of instances together
. Optional load balancing

6/ Cluster:
. Group of tasks or services on multiple EC2
or Fargate instances

7/ Fargate:
. A “serverless” launch type that eliminates
the need for explicit infrastructure.
Think AWS Lambda for containers.

44
Q

RDS: MultiAZ vs Read Replica

A

. Cannot assign READ to a standby Multi AZs
(only a fail over mechanism)

. However, READ REPLICA helps with performance
(off load some computing capacity from
master/primary DB to Read Replica so that
it can focus on WRITE)

. A READ REPLICA can also be used in disaster recovery
situations & migration

45
Q

EBS: Snapshots

A

. Images or backups of EBS volumes
. Stored in S3 (charges based on the volume’s total size)
. Exact copy of the original volume
If the volume is encrypted, the snapshot is also encrypted
. Incremental in nature, but the FULL volume can be restored
from any snapshot.
EX: if you have 5 snapshots & you delete the oldest one,
you can still restore the whole volume from any of
the 4 snapshots left.

46
Q

AWS Service Health Dashboard

A

https://status.aws.amazon.com/

. Provides access to the current state
and historical data about ALL AWS
services. If there is a problem
with a service, you can expand
the appropriate line in the details
section to get more information.

. You can subscribe to the RSS feed
for any service

. There is a “CONTACT-US” link
if you experience any real time
operational issue.

. “STATUS HISTORY” shows outage
issue details on a daily basis

47
Q

SQS: Queue Attributes

A

1/ Default Visibility Timeout
(30 seconds), but can be
anywhere from 0 seconds to
12 hours

2/ Message Retention Period
(default 4 days), but it can
be from 1 minute to 14 days
The amount of time the message
remains in the queue before it
is deleted.

3/ MAX message size: 255 KB

4/ Delivery delay from 0 seconds
to 15 minutes

5/ Receive message wait time
(0 to 20 seconds)
The amount of time that the application
will wait for a message before
returning an empty response
48
Q

CloudWatch: Metrics Retention Periods

A

1/ 1 minute metrics (detailed monitoring)
available for 15 days

2/ 5 minute metrics (standard)
available for 63 days

3/ 1 hour metrics
available for 455 days

49
Q

EFS: Deployment & Provisioning

A

. Highly available, scalable file system:
. span multiple AZs
. Throughput for parallel workloads:
Big Data, Analytics, Media Processing, Content Management,
Web Serving

. Shared data store that can be mounted to multiple EC2 instances
or on-premises servers:

. For on-premises servers, use AWS Direct Connect or
AWS VPN

. Linux only, Windows is NOT supported

. TWO performance modes:

1/ General Purpose (Bursting mode?)
Most file system needs

2/ MAX I/O: cases where hundreds or more instances access
the file system
. Scales throughput & IOPS (slightly higher latencies)

. Bursting:
. Burst to 100 MiB/s for any size file system
. Larger than 1TB = bursting 100 MiB/s per TB of data stored
. credit system: earns credits at 50 MB/s per TB of data stored

. Security groups should be used to control NFS traffic
. Use the EC2 security group as the source

. Supports encryption at rest & in transit

. Storage classes & lifecycle management:
. standard
. Infrequent Access (IA)
. Lifecycle management automatically moves files to IA
when not accessed for 30 days

50
Q

OpsWorks: Description

A

OpsWorks is a service that uses Chef cookbooks developed in the Ruby language.
It allows us to manage our application in layers.
We can use recipes to affect our layers at various lifecycle events in an application’s deployment.

51
Q

EC2: Reserved Instances

A

. can be an effective method of saving money
if long-term compute capacity is needed.
(12 or 36 months)

. They can also reserve us capacity in case of
an Availability Zone or region shortage
of on-demand instances

. Standard reserved instances, OR
Scheduled reserved instances for batch files:
. Offer a discount
. Reserve capacity

52
Q

EC2: HDD Volumes

A
. Not supported as a boot device
. Ideal for frequently accessed & throughput-intensive workloads
. Volume size 500 GiB to 16 TiB
. MAX throughput = 500 MB/s
. Burst bucket
. Credits gained at 40 MB/s per TiB
. Credit capacity = 1 TiB
. MAX burst = 500 MB/s (volume size 2 TiB and larger)

Cold HDD volumes (sc1)

. Not supported as a boot device

53
Q

IAM: Web Identity Federation

A

1/ Authenticate with an ID provider (FB, Google, Amazon, …)

2/ Obtain a temporary security credential (token) with that provider

3/ Call AssumeRoleWithWebIdentity (assume a role with web identity) to exchange that token

4/ Receive a temporary set of AWS credentials

54
Q

Trusted Advisor: Description

A

Trusted Advisor can help you reduce costs,
increase performance,
and improve the security of your AWS environments.

It provides real-time guidance to help you provision resources
following AWS best practices.

1/ Cost Optimization

2/ Performance

3/ Security

4/ Fault Tolerance

5/ Service limits

55
Q

AWS Config: Description

A

AWS Config is a service we can use to evaluate the configurations of our resources.
It records all the details, including relationships between resources.
This can be very helpful in troubleshooting situations.
We can also create a set of rules for evaluating our resources.
When a resource is non-compliant with our set rules, AWS Config will let us know.

56
Q

EBS: Cost Optimisation

A
  1. EBS volumes cost money
    even when not in use.
  2. Take a snapshot before
    deleting the volume if you
    want to keep the data.
    Snapshot storage is cheaper.
  3. Provisioned IOPS costs more.
    Make sure you do not provision
    more than needed.
  4. Downsize volumes that aren’t
    anywhere near full capacity.
57
Q

SQS: Dead Letter Queue

A

An SQS queue configured to receive messages
from other queues (aka “source queues”)

. The dead letter queue receives messages after
a configured number of receive attempts has been reached

. Provides the ability to isolate messages
that couldn’t be processed so that
they will not be lost

58
Q

Glacier: Terminology

A

1/ Archive:

. A durably stored block of information
. TAR & ZIP are common formats used to aggregate files
. Total volume of data & number of archives are unlimited
. Each archive can be up to 40 TB
. Largest single upload is 4 GB
(use multipart upload > 100 MB)
. Archives can be uploaded and deleted,
but not edited or overwritten

2/ Vault:

. Way to group archives together
. Control access using vault-level access policies using IAM
. SNS notifications are available for when retrieval requests
are ready for download

3/ Vault lock:

. Lockable policy to enforce compliance controls on vaults
. Vault lock policies are immutable
(once created, cannot change)

59
Q

RDS: Aurora Serverless

A

. On-demand auto scaling configuration for Aurora
. No instances to manage
. Charged on a per-second basis

60
Q

Storage Gateway: Description

A

For hybrid environments, ones that include some sort of on-premises infrastructure, AWS provides services to assist with data durability. Storage Gateway provides us a way to back up and even migrate to the cloud. It has three main types, and they all include some sort of on-premises component.

61
Q

Glacier: Vault Lock Process

A

. You have 24 hrs to validate the newly created vault policy
& complete the lock process.

. You have 24 hrs to test out the policy to make sure
everything works as expected before completing
the process, as once it’s locked, the policy cannot be changed.

. After which the lock ID will expire &
your in-progress policy will be deleted.

. Copy the lock ID to a safe place,
as you need the ID to complete the lock process

62
Q

IAM Role: Use with AWS Services

A

1/ A role must be used because a policy cannot be directly
attached to AWS services

2/ Services can have only ONE role attached at a time

3/ Should never PASS or STORE credentials on an EC2 instance;
use a ROLE instead
EX: an EC2 instance needs to read data from an S3 bucket
The instance “assumes” a role with S3 read-only access from IAM
The instance can then read objects from the bucket

63
Q

OpsWorks: Recipes

A
. Created using the Ruby language & based on
the CHEF deployment software
. Custom recipes can customize different
layers in an application
. Recipes are run at certain predefined events
within a stack
a/ SETUP: occurs on a new instance
after its first boot
b/ CONFIGURE: occurs on ALL stack
instances when they enter or leave
the online state
c/ DEPLOY: occurs when deploying an app
d/ UNDEPLOY: happens when we delete
an app from a set of application
instances
e/ SHUTDOWN: happens when we shut down
an instance (but before it's
actually stopped)
64
Q

EBS: Changing Volume Size

A

The MANUAL Method:

1/ Modify the EBS volume

2/ Extend the partition to fill available space

3/ Expand the filesystem in the resized partition

NOTE:
commands for Nitro-based instances (e.g. t3.micro)
are different than the ones for T2 instances

The AUTOMATED Method:

1/ Create a new launch configuration for the Auto Scaling group
Make sure to copy the “user data” over to the new configuration

2/ Point the group to the new launch configuration

3/ Terminate instances in the Auto Scaling group one at a time
so that the new configuration replaces each terminated
instance with a bigger EBS volume for higher IOPS

65
Q

RDS: MultiAZ Deployment

A

. Application can talk only to the RDS Master

. Synchronous replication to Multi-AZ for failover

. Helps to shorten the downtime in case the Master fails

. NOT used to improve performance (just for fault tolerance)

. Can turn on Multi-AZ through the AWS console or API

. AWS automatically handles replication

. Replication can cause higher write latency
. Using Provisioned IOPS is recommended

66
Q

EBS: Burst Buckets

A

. Allows an EBS volume to “burst” above the baseline performance
a/ Volumes earn “credits”
b/ Credits are then spent whenever the volume needs more
performance
c/ There is a MAX number of credits

. Not available for Provisioned IOPS SSD (io1)

. Reported as a “BurstBalance” metric in CloudWatch

. Join multiple gp2, io1, st1, or sc1 volumes together in a
RAID 0 configuration (stripe set) to use the available bandwidth,
improving throughput.

67
Q

S3: Storage Classes

A
1/ Standard
. Objects get replicated across at least 3 AZs
. Most expensive storage class,
. BUT no minimum object size
. and no retrieval fee

2/ Intelligent-Tiering
. Same performance characteristics as Standard
. Observes the users’ access pattern
& moves objects across the tiers

3/ Standard IA
. Infrequent access for important objects
. BUT immediate retrieval is required
. replicate across at least 3 AZs
. 30 day minimum storage charge per object
. 128KB minimum storage charge
. Object Retrieval fee

4/ One Zone-IA

. For non-critical, reproducible objects
(images for a web application, or dynamically resized images)
. 99.5% availability
. replicate within only ONE AZ
. SAME minimum charges as Standard IA

5/ Glacier:

. Long term for archival objects
. NOT for hot backup as restore can take from several
minutes or hours.
. 99.99 % availability
. replicate across > 3 AZs
. 90 days minimum charge per object
. 40 KB minimum storage charge
. object retrieval fee
68
Q

EC2: Instance status check

A

This is something that you can control

Reasons for failure:

1/ Failed system status check
2/ Incorrect networking or setup configuration
3/ Exhausted memory
4/ Corrupted file system
5/ Incompatible kernel

Solutions:

1/ Make instance configuration changes
2/ Reboot the instance

69
Q

S3: Bucket Policy gotchas

A

1/ When working at the object-level permissions (PutObject, GetObject, DeleteObject), add /* at the end of the bucket’s ARN so that the permission applies to ALL objects in the bucket

2/ Make sure to turn OFF “Block all public access” if you want to apply the policy to the bucket.

70
Q

WAF: Rule Types

A
a/ IP addresses
b/ HTTP headers
c/ HTTP body
d/ Uniform Resource Identifier (URI) strings
(query strings from URL)
e/ SQL injection
f/ Cross-site scripting (XSS)
71
Q

WAF: Service Integrations

A

a/ CloudFront
b/ API Gateway
c/ Application Load Balancer

72
Q

ELB: Application Load Balancer

A

. Works at the application layer (7)
. Content-based routing
. Path-based routing: forwards based on the URL
in the request
. /dev & /prod can route to different target groups
. Host-based routing: forwards based on the host field
of the HTTP header
. dev.mysite.com & prod.mysite.com can route to
different target groups

. Routes to IP addresses, including outside the VPC
(on-premises)
. Routes to microservices (allows dynamic port mapping)

MONITORING:

. CloudWatch metrics
. ActiveConnectionCount,
. HealthyHostCount,
. HTTP code totals,
. etc.

. Access logs: sends detailed request information to S3
. Request tracing: a header is added that includes a trace identifier
for requests
. CloudTrail Logs: records API activity

NOTE:

. Dualstack (both IPv4 & IPv6)
. Target types:
. Instance
. IP (can be on-premises IP addresses as well)
. Lambda function
. BEST PRACTICE:
use an Auto Scaling group to create instances
(create the ELB, then create the Auto Scaling group,
then associate the Auto Scaling group with the ELB)

73
Q

S3: Cross Region Replication

A

. It’s a bucket-level configuration
. Enables an automatic,
asynchronous (a small delay depending on the object’s size) copy to a bucket
in a different region
. Objects are replicated only once
(i.e. this is NOT a sync process; it’s just a copy process)

. The following are retained by default:
a/ Storage class
b/ Object names
c/ Owners
d/ Permissions
74
Q

RDS: Reserved Instances

A

. Reserved capacity is also available for AWS RDS
instances & ElastiCache nodes

. New generations of Reserved Cache Nodes only offer
Heavy Utilization nodes, while older generations offer
Heavy, Medium, and Light Utilization

75
Q

Elasticache: Reserved Instances

A

. Reserved capacity is also available for AWS RDS instances & ElastiCache nodes

. New generations of Reserved Cache Nodes only offer
Heavy Utilization nodes, while older generations offer
Heavy, Medium, and Light Utilization

76
Q

Elastic Beanstalk: Deployment Options

A
1/ ALL at Once:
Deploy the new version to all instances simultaneously. All instances in your environment are out of service for a short time while the deployment occurs.

2/ BLUE/GREEN:
Deploy the new version to a separate environment, then swap the CNAMEs of the 2 environments to redirect traffic to the new version instantly.

3/ Rolling:
Beanstalk splits the environment’s EC2 instances into batches & deploys the new version of the application to one batch at a time.

77
Q

EC2: EIP & ENI

A

. When you detach & re-attach an Elastic Network Interface from an instance,
its attributes (security groups & IP addresses) travel with the ENI
. DIFFERENCE between EIP & ENI:
. An EIP replaces only the public IP
. An ENI does the same, BUT it replaces the WHOLE network interface:
when you move an ENI around, not only does the EIP follow, but the security groups
and other attributes do as well

78
Q

VPC: Default VPC Configuration

A

. Size /16 CIDR block (172.31.0.0/16)
. Default subnet in each AZ using a /20 subnet mask
. Internet Gateway
. Main route table sending all IPv4 traffic for 0.0.0.0/0 to the internet gateway
. Default security group allowing all traffic
. Default network ACL (NACL) allowing all traffic
. Default DHCP option set

79
Q

Cloudwatch Events: Event

A
. Similar to alarms
. Instead of configuring thresholds & alarming on metrics, CloudWatch Events match event patterns & use targets to react

. Near real-time

80
Q

CloudFormation: valid values for AWS::S3::Bucket::AccessControl

A

Private, PublicRead, PublicReadWrite, AuthenticatedRead, LogDeliveryWrite, BucketOwnerRead, BucketOwnerFullControl, or AwsExecRead

81
Q

S3: Default Bucket Limits

A

100 Per Account
Can be increased by AWS Support.

The limit is not regional; S3 is a global service.

82
Q

Cloudwatch: Metrics default retention periods

A

Data points with a period of less than 60 seconds are available for 3 hours. These data points are high-resolution custom metrics.
Data points with a period of 60 seconds (1 minute) are available for 15 days.
Data points with a period of 300 seconds (5 minutes) are available for 63 days.
Data points with a period of 3600 seconds (1 hour) are available for 455 days (15 months).

83
Q

DynamoDB: Table Creation Limits

A

CANNOT create more than one table with a secondary index at a time.

84
Q

Cloudwatch Logs: Default Retention Period

A

By default, logs are kept indefinitely and never expire.

You can adjust the retention policy for each log group, keeping the indefinite retention, or choosing a retention period between 10 years and one day.

85
Q

APIGateway: Default DNS Name Format

A

https://api-id.execute-api.region.amazonaws.com/stage

86
Q

S3: Static Website Name Format

A

[Bucketname].s3-website-[region].amazonaws.com

87
Q

CodeDeploy: Lambda deployment options

A

Canary: Traffic is shifted in two increments. You can choose from predefined canary options that specify the percentage of traffic shifted to your updated Lambda function version in the first increment and the interval, in minutes, before the remaining traffic is shifted in the second increment.

Linear: Traffic is shifted in equal increments with an equal number of minutes between each increment. You can choose from predefined linear options that specify the percentage of traffic shifted in each increment and the number of minutes between each increment.

All-at-once: All traffic is shifted from the original Lambda function to the updated Lambda function version all at once.

88
Q

S3: Bucket Name Restrictions

A

Bucket names must be between 3 and 63 characters long.

Bucket names can consist only of lowercase letters, numbers, dots (.), and hyphens (-).

Bucket names must begin and end with a letter or number.

Bucket names must not be formatted as an IP address (for example, 192.168.5.4).

Bucket names can’t begin with xn-- (for buckets created after February 2020).

Bucket names must be unique within a partition. A partition is a grouping of Regions. AWS currently has three partitions: aws (Standard Regions), aws-cn (China Regions), and aws-us-gov (AWS GovCloud [US] Regions).

Buckets used with Amazon S3 Transfer Acceleration can’t have dots (.) in their names. For more information about transfer acceleration, see Amazon S3 Transfer Acceleration.

89
Q

SQS: Short Polling

A

Short Polling is when the WaitTimeSeconds is set to zero in either of these ways:

The ReceiveMessage call sets WaitTimeSeconds to 0.

The ReceiveMessage call doesn’t set WaitTimeSeconds, but the queue attribute ReceiveMessageWaitTimeSeconds is set to 0.

90
Q

SQS: Maximum Long Poll Wait Time

A

20 Seconds

91
Q

SQS: Default MessageRetentionPeriod

A

4 Days is default for all SQS Queues.

Range of values is 1 minute to 14 days.

92
Q

SQS: Default VisibilityTimeout

A

30 seconds

93
Q

DynamoDB: Table limits

A

256 DynamoDB Tables per Region

94
Q

DynamoDB: Index limits per table

A

20 Global Secondary Indexes

5 Local Secondary Indexes

95
Q

DynamoDB: 1 WCU

A

For items up to 1 KB in size, one WCU can perform one standard write request per second.

96
Q

DynamoDB: 1 RCU

A

For items up to 4 KB in size, one RCU can perform one strongly consistent read request per second.

For items up to 4 KB in size, one RCU can perform two eventually consistent read requests per second.

Transactional read requests require two RCUs to perform one read per second for items up to 4 KB.

97
Q

DynamoDB: Limits (API)

A

1) Up to 10 ReadTable, UpdateTable, and DeleteTable actions running simultaneously
2) A single BatchGetItem can get a max of 100 items (must be < 16 MB in size)
3) A single BatchWriteItem can contain up to 25 PutItem OR DeleteItem requests (16 MB)
4) Query and Scan result sets are limited to 1 MB of data per call.
* NOTE: LastEvaluatedKey in the response can be used to retrieve more data

98
Q

S3: Bucket Policies

A

1) Resource-based policy
2) Created via JSON
3) Can grant other AWS accounts or IAM users permissions for the bucket/object
4) SHOULD be used to manage cross-account permissions for all S3 permissions
5) Limited to 20 KB in size

99
Q

SQS API: “ReceiveMessageWaitTimeSeconds”

A

1) Enables long polling on a queue (changes the default)

2) Long polling is enabled if the value is > 0

100
Q

DynamoDB: Streams

A

Use to take actions on DynamoDB table changes with Lambda or other services.

101
Q

DynamoDB: Scans

A

1) Reads every item in a table and is operationally inefficient
2) Looks for all items and attributes in a table by default

102
Q

AWS Import/Export: Description

A

Mail your own devices to AWS data centers and they will upload the data for you

103
Q

Cognito: Sync

A

1) Sync data across mobile devices and the web

2) Client libraries cache data locally

104
Q

SNS: Items in message body

A

1) Message
2) MessageID
3) Signature
4) SignatureVersion
5) SigningCertURL
6) Subject
7) Timestamp
8) TopicARN
9) Type
10) UnsubscribeURL

105
Q

Step Functions: Description

A

Coordinate the components of distributed applications using visual workflows

106
Q

Step Functions: Task States

A

Task states can be:
An activity - Such as an EC2 or ECS process
A Lambda Function

107
Q

SNS: Message Data - MessageId

A

1) Universally Unique Identifiers (UUID)

2) Same ID must be used for retries

108
Q

S3: Performance Issue with sequential keys

A

ISSUE: Using sequential object names causes writes to land on the same partition (overloading its I/O). The object key is used to decide which partition the key is stored in.

SOLUTION: Introduce randomness by using a hash prefix:

  • use a hash (like MD5)
  • Pick a specific number of characters from that hash to use as the prefix or find another way to introduce random characters at the start of an object name (a reversed ID)

No longer required really. Depends on age of exam questions.

109
Q

EFS: Description

A

Elastic File System

  • Expands and contracts to meet capacity requirements
  • Can be attached to multiple EC2 instances simultaneously
  • Must be set up after an instance is launched
110
Q

S3: Error 404

A

Error 404 = Not found

1) Bucket does not exist
2) Key does not exist

111
Q

S3: Choosing a region

A

Choose a region for:

1) Optimized latency
2) Minimize cost
3) Address regulatory requirements

112
Q

DynamoDB: Read throughput with Local Secondary Index

A

1) Uses the same read/write capacity as the parent table
2) IF you read only index keys and projected attributes, then the calculation is the same as for the table (calculate using the size of the index entry)
3) IF the queried attributes are NOT projected attributes or keys, you get extra latency and read capacity cost
* NOTE: You use read capacity from the index AND for every item fetched from the table

113
Q

SNS: Access Control Policy

A

1) The AWS account owner has the only permissions by default
2) ALLOWs override default DENYs
3) Explicit DENYs override ALLOWs
4) Order of policies does NOT matter
5) Can grant access to another account via the “AddPermission” API call

114
Q

Autoscaling: Scale in default termination policy

A

Before Amazon EC2 Auto Scaling selects an instance to terminate, it first determines which Availability Zones have the most instances, and at least one instance that is not protected from scale in.

Within the selected Availability Zone, the default termination policy behavior is as follows:

  1. Allocation Strategy (Spot, On Demand etc)
  2. Oldest Launch Config
  3. Closest to next billing hour

https://docs.aws.amazon.com/autoscaling/ec2/userguide/as-instance-termination.html#default-termination-policy

115
Q

Cloudformation: cfn-init

A

The cfn-init helper script reads template metadata from the AWS::CloudFormation::Init key and acts accordingly to:

Fetch and parse metadata from AWS CloudFormation
Install packages
Write files to disk
Enable/disable and start/stop services

116
Q

CloudTrail: validate-logs

A

validates logs for a given period of time - will detect:
deletion or modification of log files
deletion or modification of digest files

https://docs.aws.amazon.com/cli/latest/reference/cloudtrail/validate-logs.html

117
Q

SMS (Server Migration Service): Supported Platforms

A

VMware vSphere
Azure VMs
Hyper-V

Not physical servers

118
Q

IAM: PassRole

A

Is used to pass roles to other services that might need them.
For example, to pass a role with permissions to manage EC2 instances to an auto scaling group (this is often created by default).

Likewise (presumably) PassRole is required for a user configuring the execution & task roles for ECS.

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html

119
Q

DynamoDB: Can you reduce the number of partitions?

A

No.
Be very careful about setting throughput too high by accident; it will create too many partitions.
Credits are split between partitions, and hot partitions create problems.

If this happens, you have to export and re-import into a new table to sort it out.

120
Q

Cloudformation: cfn-hup

A

The cfn-hup helper is a daemon that detects changes in resource metadata and runs user-specified actions when a change is detected. This allows you to make configuration updates on your running Amazon EC2 instances through the UpdateStack API action.

121
Q

ElasticBeanstalk: Dockerrun.aws.json

A

Create a Dockerrun.aws.json file to deploy a Docker image from a hosted repository to Elastic Beanstalk.

122
Q

ElasticBeanstalk: ApplicationVersion

A

Elastic Beanstalk creates an application version whenever you upload source code. This usually occurs when you create an environment or upload and deploy code using the environment management console or EB CLI. Elastic Beanstalk deletes these application versions according to the application’s lifecycle policy and when you delete the application.

123
Q

ElasticBeanstalk: Order of precedence for configuration

A

Settings applied directly to the environment
Saved Configurations
Configuration Files (.ebextensions)
Default Values

Configuration files are executed in alphabetical order. For example, .ebextensions/01run.config is executed before .ebextensions/02do.config.

124
Q

AutoScaling: complete-lifecycle-action

A

Completes the lifecycle action for the specified token or instance with the specified result

https://docs.aws.amazon.com/cli/latest/reference/autoscaling/complete-lifecycle-action.html

125
Q

CodeCommit: Prevent push to certain branches

A

https://docs.aws.amazon.com/codecommit/latest/userguide/how-to-conditional-branch.html

126
Q

ELB: SSL Certificate Limits

A

25 on an NLB

25 on an ALB

127
Q

AWS Credential Provider Chain

A

Environment Variables
Application System Properties (e.g. Java)
Web Identity Token
Default Credentials File (~/.aws/credentials)
ECS Container Credentials
EC2 Instance Profile Credentials

128
Q

EC2: Instance Profile

A

An instance profile is a container for an IAM role that you can use to pass role information to an EC2 instance when the instance starts

129
Q

OpsWorks: Deployments (& Commands?)

A

Deployments are a set of operations that you can use to manage your apps, such as deploying an app to a set of app server instances, or to run a command on some or all instances in the entire stack, such as updating packages.

130
Q

Opsworks: App

A

An app represents code stored in a repository that you want to install on application server instances.

131
Q

OpsWorks: Instances

A

An instance represents a server. It can belong to one or more layers, that define the instance’s settings, resources, installed packages, profiles and security groups. When you start the instance, OpsWorks uses the associated layer’s blueprint to create and configure a corresponding EC2 instance

132
Q

OpsWorks: Layer

A

A layer is a blueprint for a set of Amazon EC2 instances. It specifies the instance’s settings, associated resources, installed packages, profiles, and security groups. You can also add recipes to lifecycle events of your instances, for example: to set up, deploy, configure your instances, or discover your resources

133
Q

OpsWorks: Stack

A

A stack represents a collection of EC2 instances and related AWS resources that have a common purpose and that you want to manage collectively. Within a stack, you use layers to define the configuration of your instances and use apps to specify the code you want to deploy.

134
Q

OpsWorks: Components

A
Stack
Layer
Instances
App
Deployments (maybe)
135
Q

ElasticBeanstalk: Format for .ebextensions files

A

YAML or JSON

136
Q

AWS::CloudFormation::WaitCondition

A

For EC2 and auto scaling, CreationPolicy & cfn-signal are preferred instead.

Can be used to wait inside a CloudFormation script.
Up to 12 hours.
The WaitConditionHandle returns a signed URL which can be used to pass a signal to.

137
Q

EC2:CreationPolicy

A

Associate the CreationPolicy attribute with a resource to prevent its status from reaching create complete until AWS CloudFormation receives a specified number of success signals or the timeout period is exceeded. To signal a resource, you can use the cfn-signal helper script or the SignalResource API. AWS CloudFormation publishes valid signals to the stack events so that you can track the number of signals sent.

138
Q

EC2 Autoscaling Instance States lifecycle hooks

A
Pending
Pending: Wait
Pending: Proceed
In service
Terminating
Terminating: Wait
Terminating: Proceed
Terminated

https://docs.aws.amazon.com/autoscaling/ec2/userguide/lifecycle-hooks.html

139
Q

ElasticBeanstalk: 4 main components of the elastic beanstalk workflow

A

Create Application
Upload Version
Launch Environment
Manage Environment

140
Q

AutoScaling: Can a Launch Configuration be used by multiple autoscaling groups

A

Yes

141
Q

AutoScaling: When creating a group you must specify one of:

A

launch template
launch configuration
EC2 instance.

142
Q

CloudFormation: When creating EC2 and AutoScaling resources what is usually preferred to a WaitCondition

A

CreationPolicy

143
Q

CloudFormation: What happens during a WaitCondition create

A

When AWS CloudFormation creates a wait condition, it reports the wait condition’s status as CREATE_IN_PROGRESS and waits until it receives the requisite number of success signals or the wait condition’s timeout period has expired.

144
Q

CloudWatch: Container for Metrics

A

Namespace

145
Q

OpsWorks: Three types of instance type

A

Time Based
Load Based
24/7

146
Q

OpsWorks: The 5 lifecycle events

A
Setup
Configure
Deploy
Undeploy
Shutdown
147
Q

SQS: API SendMessage

A

1) Send message to a queue

2) Can be used to set the message “delay”, as well as message attributes, and the message body

148
Q

S3: Disabling Versioning

A

1) Once enabled, versioning cannot go back to an un-versioned state
2) You can “suspend” versioning
- New objects have an ID of NULL
- Already versioned objects don’t change

149
Q

HTTP 403

A

Error 403 = Forbidden (no access)

1) Access denied
2) Caused by Role, security group/ACL issue

150
Q

Identity store list (for federation)

A

1) Facebook
2) Active-directory
3) Google
4) Amazon

151
Q

S3: Bucket Permissions

A

1) Resource based policies
2) Specify who is allowed to access
3) What the user can do with those resources
4) AWS gives full permission to the owner of a resource (bucket, object)
5) Resource owners grant access to others, even cross-account
* NOTE: The bucket owner paying the bills can deny access/modify objects regardless of who owns them

152
Q

SWF (Simple Workflow): Domains

A

1) A domain is used to help determine scope of work flows
2) Multiple workflows can live in a domain
3) Workflows cannot interact with workflows in OTHER domains

153
Q

S3: AWS Limits/Restrictions

A

1) An AWS account can have up to 100 S3 buckets
2) No limit on the number of objects
3) Bucket name must:
- Be a min of 3 characters and a max of 63
- Contain only lowercase letters, numbers, periods & hyphens
- Start with a letter or number
- Not have periods & hyphens following each other
- Not be an IP address
- Comply with DNS naming rules

154
Q

SNS: Push Notification Setup Process (mobile)

A

1) Needs a device token
2) There are Device Tokens and Registration IDs, depending on the mobile platform.
3) Request credentials from the mobile platform
4) Request Token from the mobile platform
5) Create a platform application object
6) Create a platform endpoint object
7) Publish a message to the mobile endpoint

155
Q

SQS: Short Polling

A

1) Returns results immediately, even if the queue is empty

2) It only checks a subset of servers, which can cause false empty responses

156
Q

SNS: Subscribers

A

1) Subscribe to a topic to receive published messages
2) Subscribers are end-points and include:
- Mobile apps
- Web servers
- Email addresses
- Amazon SQS queue
- HTTP/HTTPS endpoints
- AWS Lambda
- SMS (text messages)

157
Q

Lambda: Execution Duration

A

- The maximum length of time the function can run
- Up to 300 seconds in 1 second increment
- Up to 900 seconds in 1 second increment (as of 2019 sometime)

158
Q

DynamoDB: Exceeding Throughput

A

1) Requests exceeding the allocated throughput may be throttled
2) With Global Secondary Indexes, all indexes must have enough write capacity OR the write might get throttled (even if the write doesn’t affect the index)
3) You can monitor throughput in the AWS Console

159
Q

S3: Error 409

A

Error 409 = Conflict

1) S3 bucket already exists
2) Bucket is not empty (when trying to delete)
3) Bucket name already taken

160
Q

DynamoDB: Granting temporary access

A

1) IAM roles
2) Web Identity federation (enterprise or web)
3) Amazon Cognito

Example: Mobile app needs to store user info

161
Q

S3: Encryption (options)

A

1) Protect data “in-transit”
- Use SSL or client side encryption

2) Protect data at rest
- Request AWS S3 to encrypt data

162
Q

AWS: Edge Locations

A

Contain no AWS services

- Used for caching static content

163
Q

DynamoDB: KEYS_ONLY

A

Projection Type

1) Only the index and primary keys are projected (smallest index, more performant)

164
Q

Fn::GetAtt

A
  • Get Attribute
  • A CloudFormation Intrinsic Function
  • Returns the value of an attribute from a resource in your CloudFormation template
  • Frequently used to get things like name or ARN
165
Q

S3: Objects Facts & Numbers

A

1) Size: 0 bytes - 5 TB
2) Objects larger than 5 GB require multi-part upload API
3) Multi-part uploading is recommended for ALL files larger than 100 MB
4) Objects can be encrypted before being saved to disk- AND decrypted when downloaded

166
Q

ElasticBeanstalk: Supported Languages & Services

A
  • Packer Builder
  • Single/Multi Container Docker
  • Preconfigured Docker
  • Go
  • Java SE
  • Java with Tomcat
  • .NET on Windows Server with IIS
  • Node.js
  • PHP
  • Python
  • Ruby
167
Q

CloudFormation: Ref

A

Ref (CloudFormation)

  • CloudFormation Intrinsic Function
  • Returns a value you can use to refer to the provided parameter or resource
168
Q

CloudWatch: Key Words / Parts

A
Events (now event bridge)
Metrics
Alarms
Logs
Rules (Event Patterns & Scheduled Events?)
169
Q

SNS: Message Data

A

1) JSON-formatted key-value pairs
2) Allows developers to grab the message data and parse it
3) POSTs to HTTP/S endpoints with specific headers
4) Allows developers to verify the authenticity of the message

170
Q

DynamoDB: Atomic Counters

A

1) Allows you to increment or decrement the value of an attribute without interfering with other write requests
2) Requests are applied in the order that they were received
3) Updates are NOT idempotent: the value is updated each time the request is called

171
Q

DynamoDB: Conditional Writes

A

1) Is Idempotent
2) Helps coordinate writes
3) Checks for condition before proceeding with operations
4) Supported for PutItem, DeleteItem, UpdateItem
5) Specify conditions in “ConditionExpression”: can contain attribute names, conditional operators, and built-in functions
6) A failed conditional write returns “ConditionalCheckFailedException”

172
Q

SWF: Workers

A
Any component that does something for a workflow (like an instance encoding a video, or a person checking inventory)
Workers can be:
- EC2 instances
- Other compute solutions
- Or real human people doing something
173
Q

SQS: Standard Queues

A
  • Offer best-effort ordering (not guaranteed first-in-first-out like FIFO queues)
  • May deliver messages more than once
174
Q

DynamoDB: Write Throughput with local secondary indexes

A

1) Adding, updating, or deleting an ITEM in a table also costs write capacity to perform the action on the local index
2) New ITEM / Update ITEM = one write operation in the index
3) If you change the value of an indexed key attribute = two writes
4) Delete = one write

175
Q

SQS: Message Retention Period

A

1) Amount of time a message will “live” in a queue if it is NOT deleted
2) 1 minute - 14 days

176
Q

DynamoDB: Limits (size)

A

1) 265 tables per region (increase on request)
2) Partition key length: 1 byte - 2048 bytes
3) Sort key length: 1 byte - 1024 bytes
4) Item size: 400 KB including attribute names & values

177
Q

S3: MultiPart upload advantages

A

1) Parts can be uploaded independently, in any order, and in parallel
2) If any part fails to upload, you can retransmit that part
3) You can pause/resume uploads
4) You can upload objects as they are being created
5) The object is reassembled after calling the “CompleteMultipartUpload” API

178
Q

SQS: Limitations

A

1) Message size: 256 KB of text (any format)

2) Up to 120,000 “in-flight” messages

179
Q

S3: GET intensive workloads

A

1) Use random object prefixes to improve partition distribution
2) Use CloudFront
- Distributes content with lower latency & higher transfer rate
- Caches objects
- Fewer direct requests to S3

180
Q

CloudFormation: Conditions

A

1) Check values before deciding what to do
2) Allows you to create different resources in the same template depending on the condition value

Example: Create different environments for production or dev

181
Q

SQS: ReceiveMessageWaitTimeSeconds

A

1) If set to > 0, long polling is enabled
2) It is the maximum amount of time a long polling call will wait for a message to become available before returning empty
3) Limits: 0-20 seconds

182
Q

SQS: Visibility Timeout

A

1) It is used to block other components from processing a message
2) You can choose what the timeout is, and you can extend it
3) Can be controlled via SQS API
4) Limits: 0-12 hours

183
Q

Lambda: Handler Format

A

file.function (the file/module name, then the function name)

Example - A function called run in the handler.py file would have a handler of: handler.run
The function has the signature (event, context), which are both maps / dictionaries.
184
Q

S3: ACLS

A

1) Used for both buckets & objects
2) Grant read/write permissions to other AWS accounts
3) You cannot grant conditional permissions
4) You cannot explicitly deny permissions
5) An object ACL is the only way to manage access to objects not owned by the bucket owner
6) Uses XML format

185
Q

SWF: Activity Task

A

1) A task assigned to a worker such as encode a video OR check inventory

186
Q

SNS: Message Data - TopicARN

A

ARN = Amazon Resource Name

1) ARN for the topic that this message was published to

187
Q

Lambda: DLQ

A

DLQ == Dead Letter Queue

Can be set up to receive information on failed Lambda function executions and the input data that caused them

1) Queues that other queues can send messages to when those messages could not be successfully processed
2) You can then analyze those messages

188
Q

S3: Events

A

S3 can be set up to send events to SNS/Lambda when things happen:

  • Object uploads
  • Lost objects (from Reduced Redundancy Storage)
189
Q

API Gateway: Methods

A
  • HTTP methods like GET, PUT, POST, DELETE
  • Also an AWS-provided catch-all ‘ANY’ method

190
Q

S3: Static Site URL format

A

1) Every static site in an S3 bucket receives its own URL:

bucket-name.s3-website.region.amazonaws.com
OR
bucket-name.s3-website-region.amazonaws.com

191
Q

Lambda: Context Object

A

Allows you to get context on the running function such as:

  • time remaining in the function execution
  • the request id of the function execution
192
Q

AWS: Template Version

A

Cloud Formation: AWSTemplateFormatVersion
Specifies the format version of the CloudFormation template you want to use. Currently, there is only one version: “2010-09-09”

193
Q

S3: Versioning

A

1) Allows multiple versions of an object
2) Protects against unintended overwrites and deletions
3) Automatically archives objects
4) Versioning is at the BUCKET LEVEL
5) Configured via console or SDK
6) “Suspended” by default

194
Q

S3: Consistent Reads

A

1) Consistent reads are never stale
2) Potential higher read latency
3) potential lower read throughput

195
Q

API Gateway: Method Configuration Options

A

e.g. how are the methods set up to respond to requests?
- AWS Lambda
- Existing HTTP endpoints
- Integrated with other AWS services

196
Q

SNS: Message Data - Signature

A

1) Base64-encoded “SHA1 with RSA” signature
- Message
- MessageID
- Subject
- Type
- Timestamp
- TopicARN values

197
Q

API Gateway: Benefits

A
  • Ability to cache API responses
  • DDoS protection via CloudFront
  • SDK generation for iOS, Android, and JavaScript
  • Supports Swagger (a very popular framework of API dev tools)
  • Request/response data transformation (e.g. JSON –> XML)
198
Q

SWF: Description

A

Simple Workflow Service

  • Create scalable distributed workflows
  • Significant customization
199
Q

SNS: Topics

A

1) Channel used to send messages and subscribe to notifications
2) Names MUST be unique
3) Names are limited to 256 characters
4) All letters, numbers, hyphens and underscores allowed in name
5) Topics and messages are stored redundantly on multiple servers and data centers

200
Q

SNS: Managing Access

A

1) Access is controlled with policies
2) In addition to IAM, SNS also has resource-based access control policies (RBAC policies)
3) RBAC policies can control:
- Who is allowed to publish a topic
- Who is allowed to subscribe to a topic
- and under what conditions

201
Q

Blue/Green deployment benefits

A
  • An application can be installed and tested and then traffic switched
  • Rolling back is easy because it can happen with traffic switching back to the older instances (if they are still around) or to an older Lambda version
  • New instances can also have up-to-date configuration and patches
  • AWS Lambda Blue/Green deployments can control traffic shifting between AWS Lambda versions
202
Q

SQS: FIFO Queue

A
  • Allow for first-in-first-out ordering in the queue
  • Guarantee only-once delivery
  • Only supports 3000 messages/second (with batching)
203
Q

S3: Encryption Protecting data in transit (KMS)

A

1) Using an AWS-KMS managed customer (master) key
- Client gets a unique key for each object
2) On Upload:
- Send request to AWS KMS for key
- AWS KMS returns an encryption key
3) On Download:
- Client downloads encrypted object with their cipher blob stored in metadata -> blob to KMS -> get plain text key -> decrypt object

204
Q

SQS: Message Lifecycle

A

1) Component “1” sends message “A” to a queue, and then the message is redundantly distributed across SQS servers
2) When component “2” is ready, it retrieves the message from SQS. While message “A” is being processed it remains in the queue, but has a “Visibility Timeout” set for it
3) Component “2” deletes the message from the queue during that “Visibility Timeout”

205
Q

CloudFormation: Template Sections

A

1) AWSTemplateFormatVersion
2) Description
3) Metadata
4) Parameters
5) Mappings
6) Conditions
7) Resources
8) Outputs

206
Q

Lambda Function: Packages

A

All the code and dependencies required for your Lambda function. Includes:

  • Lambda handler
  • Packages from providers like pip or npm if appropriate
  • Your own libraries and other files the handler relies on
207
Q

API Gateway: Deployment

A

A snapshot of the API’s resources and methods

208
Q

CloudFormation: Rollback

A

1) If a Stack fails to create a resource, by default a stack will “rollback”
2) Removal of all created resources after a failed creation, or after cancelling creation
3) Rollback CAN be disabled via API

209
Q

DynamoDB: Queries

A

1) Allows you to find items using ONLY primary key-values from a table OR secondary index
2) More efficient than Scan

210
Q

DynamoDB: Scans

A

Queries are preferred- scans are expensive

1) You can reduce the “page size” of an operation with the “limit” parameter, to limit how much data you try to retrieve at the same time
2) Avoid scan on mission critical tables
3) Program your application logic to retry any request that receives a response code saying you exceeded provisioned throughput (or increase your throughput)

211
Q

DynamoDB: Provisioned Throughput

A

1) Flexibility to change read & write capacity:
- table creation
- or at any time after without downtime/degradation
2) Automatically allocates machine resources
3) Ability to reserve capacity

212
Q

Step Functions: State Machine

A

JSON-defined series of states to execute as a workflow that can include different state types including tasks that can take certain actions and respond with data from those actions.

213
Q

CloudFormation: Metadata

A

1) JSON objects that provide details about the template
2) Actually can be provided in YAML too!
3) Just one of the areas within a CloudFormation template for the inclusion of metadata

214
Q

SNS: Message Data - Type

A

1) Type of the message
(i.e. a notification has type “Notification”)
- SubscriptionConfirmation
- Notification
- UnsubscribeConfirmation

215
Q

ElasticBeanstalk: Description

A
  • AWS Service to facilitate deploying/scaling web applications
  • Upload code and Elastic Beanstalk automates deployment/load balancing/auto-scaling/health monitoring
216
Q

SWF Workflow: Max Age

A

1 year

217
Q

S3: CORS

A

Cross Origin Resource Sharing

1) Sharing/Accessing resources stored in one bucket with another
2) MUST be enabled to share certain resources (disabled by default)

218
Q

S3: Static Web Hosting

A

1) Host static html files
2) Specify index file
3) Specify custom error file
4) Supports domains and redirects
5) Gives a default URL
6) Redirects from www.example.com to example.com
7) Route53 integration for custom domains
8) Bucket names must match domain name

219
Q

DynamoDB: Pricing

A

Core components:

1) Provisioned Throughput for reads and writes (RCU/WCUs)
2) Indexed data stored (hourly rate per GB)

Other Features:

  • Backup costs
  • DynamoDB Accelerator (DAX) costs
220
Q

SNS: Message Data - Subject

A

1) Subject Parameter

2) Optional parameter

221
Q

IAM: Identity Federation

A

Allows you to authenticate users through an intermediary like Facebook, Google, Amazon or others. Can be integrated with Amazon Cognito

222
Q

S3: Restoring Object Versions

A

1) Any earlier version can be restored by:
- Copying a previous version into the same bucket will restore it as the current version
- Permanently deleting the current version (then the previous version is the current one)
- Copying an earlier version GETs the version and PUTs it in the bucket, giving it a new ID (the new ID is used as current version)

223
Q

SWF: Description

A

Simple WorkFlow

1) Is a task coordination and state management service for cloud applications

Features:

a) Distributed
b) Highly scalable
c) Works with both on-premises and cloud applications
d) A workflow execution can last up to 1 year
e) A workflow can consist of human events
f) Guarantees order in which activities/tasks occur

224
Q

CloudFormation: Intrinsic Functions

A

1) Used to pass in values that are NOT available until runtime.

Example: “GetAtt”

225
Q

Lambda: Memory Limitations (RAM)

A
  • 128 MB minimum
  • 3008 MB Maximum
  • 64 MB increments
226
Q

Lambda: Event Source Examples

A
  • HTTP API requests (via API Gateway)
  • CloudWatch schedule events
  • S3 file uploads
  • DynamoDB Streams
  • Direct invocation via the AWS CLI or SDKs
227
Q

S3: Encryption at Rest (S3 Managed)

A

1) AWS provides server-side encryption before saving data to disk
2) Add the “x-amz-server-side-encryption” request header to your upload request
3) Uses AES-256
4) Bucket policies can require all objects use server-side encryption
5) Alternatives:
- KMS managed keys
- Customer provided keys

228
Q

XRay: Annotations & Metadata

A

Annotations - Searchable key-value pairs

Metadata - Additional non-searchable data you can view for a request

229
Q

SNS: Mobile Push Notifications

A

1) SNS provides the ability to send notifications directly to apps on mobile devices
2) Notifications sent to a mobile device can appear in the app as:
- Message alerts
- Badge updates
- Sound alerts

230
Q

EBS: Description

A

Elastic Block Store

  • An option for EC2 storage volumes
  • Frequently a default boot volume for EC2 instances
  • Can be ‘snapshot’ to take incremental backups of the state
231
Q

DynamoDB: Global Tables

A

Managed cross-region replication of DynamoDB tables

Improves performance over region-specific tables when making requests near the region

232
Q

S3: Deleting a versioned object

A

1) Must specify the Key and version ID

2) AWS will then set the next ID to the “current” version

233
Q

S3: Performance Limits

A

1) Burst (# of requests per second)
IF > 300 put/list/delete
IF > 800 get
THEN contact AWS to prepare/avoid limit issues

2) Consistent high number of requests per second
IF > 100 put/list/delete
IF > 300 get
Then follow best practice guidelines to avoid overwhelming the I/O capacity of a partition

234
Q

RDS: Supported Database Engines

A

Amazon Aurora, MySQL, MariaDB, PostgreSQL, Oracle, and Microsoft SQL Server

235
Q

Lambda: $LATEST vs numbered versions

A
$LATEST:
- A mutable (changeable) version of a Lambda function
Numbered versions:
- 1, 2, 3, etc.
- Immutable (not changeable)
236
Q

API Gateway: Resources

A
  • “Logical entities that can be accessed via resources paths”
  • The ‘thing’ you’re interacting with when you want to interact with a resource URL
237
Q

EC2: AMI API Call RegisterImage

A

1) Occurs during the FINAL process of creating an AMI

238
Q

CodeDeploy: Deployment Integrations

A

Virtually anything, including on-premises machines by way of the CodeDeploy agent.

239
Q

CodePipeline: Deployment Action Integrations

A
S3
CloudFormation
AppConfig (Systems Manager)
CodeDeploy
ECS
BeanStalk
OpsWorks
ServiceCatalog
AlexaSkills
XebiaLabs
240
Q

CodePipeline: Invoke Action Integrations

A

Lambda

Step Functions

241
Q

EC2: Basic vs Enhanced Monitoring

A

Basic: 5-minute intervals
Enhanced: 1-minute intervals