Questions From Udemy I Flashcards
1
Q
In addition to regular sign-in credentials, AWS supports Multi-Factor Authentication (MFA) for accounts with privileged access.
There are 4 ways to use MFA but only one is not available for the root user
A
- Virtual MFA devices (A software app that runs on a phone)
- U2F security key (A device that you plug into a USB port on your computer)
- Hardware MFA device (A hardware device that generates a six-digit numeric code based upon a time-synchronized one-time password algorithm)
- SMS text message-based MFA (A type of MFA in which the IAM user settings include the phone number of the user’s SMS-compatible mobile device)
- You cannot use this type of MFA with the AWS account root user**
2
Q
Trust policies define which principal entities (accounts, users, roles, and federated users) can assume the role. An IAM role is both an identity and a resource that supports resource-based policies. For this reason, you must attach both a trust policy and an identity-based policy to an IAM role. The IAM service supports only one type of resource-based policy called a role trust policy, which is attached to an IAM role.
There are 6 Policy types in the answer
A
Identity-based policies – Attach managed and inline policies to IAM identities (users, groups to which users belong, or roles). Identity-based policies grant permissions to an identity.
Resource-based policies – Attach inline policies to resources. The most common examples of resource-based policies are Amazon S3 bucket policies and IAM role trust policies. Resource-based policies grant permissions to the principal that is specified in the policy. Principals can be in the same account as the resource or in other accounts. Permissions boundaries – Use a managed policy as the permissions boundary for an IAM entity (user or role). That policy defines the maximum permissions that the identity-based policies can grant to an entity, but does not grant permissions. Permissions boundaries do not define the maximum permissions that a resource-based policy can grant to an entity. Organizations SCPs – Use an AWS Organizations service control policy (SCP) to define the maximum permissions for account members of an organization or organizational unit (OU). SCPs limit permissions that identity-based policies or resource-based policies grant to entities (users or roles) within the account, but do not grant permissions. Access control lists (ACLs) – Use ACLs to control which principals in other accounts can access the resource to which the ACL is attached. ACLs are similar to resource-based policies, although they are the only policy type that does not use the JSON policy document structure. ACLs are cross-account permissions policies that grant permissions to the specified principal. ACLs cannot grant permissions to entities within the same account. Session policies – Pass advanced session policies when you use the AWS CLI or AWS API to assume a role or a federated user. Session policies limit the permissions that the role or user's identity-based policies grant to the session. Session policies limit permissions for a created session, but do not grant permissions. For more information, see Session Policies.
3
Q
A company is looking at optimizing their Amazon EC2 instance costs. Few instances are sure to run for a few years, but the instance type might change based on business requirements.
Which EC2 instance purchasing option should they opt to meet the reduced cost criteria?
Whate are some Instance purchasing options, there are 7 types
A
Anser: Convertible Reserved instances - A Convertible Reserved Instance can be exchanged during the term for another Convertible Reserved Instance with new attributes including instance family, instance type, platform, scope, or tenancy. This is the best fit for the current requirement.
https://image.slidesharecdn.com/venhtue1530win301-161226230140/95/aws-reinvent-2016-bring-microsoft-applications-to-aws-to-save-money-and-stay-license-compliant-using-powershell-windows-kms-and-dedicated-hosts-win301-15-638.jpg?cb=1482793363
Types:
On-Demand Instances – Pay, by the second, for the instances that you launch. Savings Plans – Reduce your Amazon EC2 costs by making a commitment to a consistent amount of usage, in USD per hour, for a term of 1 or 3 years. Reserved Instances – Reduce your Amazon EC2 costs by making a commitment to a consistent instance configuration, including instance type and Region, for a term of 1 or 3 years. The offering class of a Reserved Instance is either Standard or Convertible. A Standard Reserved Instance provides a more significant discount than a Convertible Reserved Instance, but you can't exchange a Standard Reserved Instance. You can exchange Convertible Reserved Instances. You can modify Standard and Convertible Reserved Instances. Spot Instances – Request unused EC2 instances, which can reduce your Amazon EC2 costs significantly. Dedicated Hosts – Pay for a physical host that is fully dedicated to running your instances, and bring your existing per-socket, per-core, or per-VM software licenses to reduce costs. Dedicated Instances – Pay, by the hour, for instances that run on single-tenant hardware. Capacity Reservations – Reserve capacity for your EC2 instances in a specific Availability Zone for any duration.
4
Q
A firm runs its technology operations on a fleet of Amazon EC2 instances. The firm needs a certain software to be available on the instances to support their daily workflows. The developer team has been told to use the user data feature of EC2 instances.
Which of the following are true about the user data EC2 configuration?
A
User Data is generally used to perform common automated configuration tasks and even run scripts after the instance starts. When you launch an instance in Amazon EC2, you can pass two types of user data - shell scripts and cloud-init directives. You can also pass this data into the launch wizard as plain text or as a file.
By default, scripts entered as user data are executed with root user privileges - Scripts entered as user data are executed as the root user, hence do not need the sudo command in the script. Any files you create will be owned by root; if you need non-root users to have file access, you should modify the permissions accordingly in the script.
By default, user data runs only during the boot cycle when you first launch an instance - By default, user data scripts and cloud-init directives run only during the boot cycle when you first launch an instance. You can update your configuration to ensure that your user data scripts and cloud-init directives run every time you restart your instance.
Incorrect options:
5
Q
The development team at an IT company would like to provision their own Docker images that can be used as input sources for CodeBuild. These images will contain cached dependencies as well as special tooling for builds that are proprietary to the company.
Which of the following services can be used to store and deploy these Docker images?
A
ECR
Amazon Elastic Container Registry (ECR) is a fully-managed Docker container registry that makes it easy for developers to store, manage, and deploy Docker container images. Amazon ECR is integrated with Amazon Elastic Container Service (ECS), simplifying your development to production workflow.
6
Q
This section contains reference information for the AWS SAM resource and property types.
What are the 7 serverless resource type
A
AWS::Serverless
::Api
Creates a collection of Amazon API Gateway resources and methods that can be invoked through HTTPS endpoints
::Application
Embeds a serverless application from the AWS Serverless Application Repository or from an Amazon S3 bucket as a nested application
::Function
Creates an AWS Lambda function, an IAM execution role, and event source mappings that trigger the function.
::HttpApi
Creates an Amazon API Gateway HTTP API, which enables you to create RESTful APIs with lower latency and lower costs than REST APIs.
::LayerVersion
Creates a Lambda LayerVersion that contains library or runtime code needed by a Lambda Function.
::SimpleTable
Creates a DynamoDB table with a single attribute primary key. It is useful when data only needs to be accessed via a primary key.
::StateMachine
Creates an AWS Step Functions state machine, which you can use to orchestrate AWS Lambda functions and other AWS resources to form complex and robust workflows.
7
Q
X has configured forecast-based AWS Budgets alerts for cost management. However, no alerts have been received even though the account and the budgets have been created almost three weeks ago.
What could be the issue with the AWS Budgets configuration?
A
AWS requires approximately 5 weeks of usage data to generate budget forecasts. If you set a budget to alert based on a forecasted amount, this budget alert isn’t triggered until you have enough historical usage information.
8
Q
This allow you to map parameters one-to-one and map a family of integration response status codes (matched by a regular expression) to a single response status code
They cannot be used with proxy integration endpoints, which lack data mappings. For more information about integration types, see Choose an API Gateway API integration type.
A
Mapping templates
9
Q
Using IAM with CodeCommit:
A
Git credentials, an IAM -generated user name and password pair you can use to communicate with CodeCommit repositories over HTTPS.
SSH keys, a locally generated public-private key pair that you can associate with your IAM user to communicate with CodeCommit repositories over SSH. AWS access keys, which you can use with the credential helper included with the AWS CLI to communicate with CodeCommit repositories over HTTPS.
10
Q
Two things about ASG
A
Auto Scaling groups can span across the availability Zones of a Region
Amazon EC2 Auto Scaling attempts to distribute instances evenly between the Availability Zones that are enabled for your Auto Scaling group
11
Q
X running on an EC2 instance takes about 20 seconds on average to process each X. The application picks the new job messages from an SQS queue. The development team needs to account for the use-case when X takes longer than usual so that the same X is not processed by multiple consumers.
A
Use ChangeMessageVisibility action to extend a message’s visibility timeout
For example, you have a message with a visibility timeout of 5 minutes. After 3 minutes, you call ChangeMessageVisibility with a timeout of 10 minutes. You can continue to call ChangeMessageVisibility to extend the visibility timeout to the maximum allowed time. If you try to extend the visibility timeout beyond the maximum, your request is rejected. So, for the given use-case, the application can set the initial visibility timeout to 1 minute and then continue to update the ChangeMessageVisibility value if required.
12
Q
Which of the following security credentials can only be created by the AWS Account root user?
A
CloudFront Key Pairs - IAM users can’t create CloudFront key pairs. You must log in using root credentials to create key pairs.
To create signed URLs or signed cookies, you need a signer. A signer is either a trusted key group that you create in CloudFront, or an AWS account that contains a CloudFront key pair. AWS recommends that you use trusted key groups with signed URLs and signed cookies instead of using CloudFront key pairs.
The rest of the credentials can be created by any user with permissions
13
Q
A developer in your company has configured a build using AWS CodeBuild. The build fails and the developer needs to quickly troubleshoot the issue to see which commands or settings located in the BuildSpec file are causing an issue.
Which approach will help them accomplish this?
A
Run AWS CodeBuild locally using CodeBuild Agent
AWS CodeBuild is a fully managed build service. There are no servers to provision and scale, or software to install, configure, and operate.
With the Local Build support for AWS CodeBuild, you just specify the location of your source code, choose your build settings, and CodeBuild runs build scripts for compiling, testing, and packaging your code. You can use the AWS CodeBuild agent to test and debug builds on a local machine.
By building an application on a local machine you can:
Test the integrity and contents of a buildspec file locally.
Test and build an application locally before committing.
Identify and fix errors quickly from your local development environment.
- Install Git on your local machine.
- Install and setup Docker on your local machine.
- To run the CodeBuild agent
14
Q
What characteristics of an Elastic Load Balancer make it a winning choice? (Select two)
A
- Separate public traffic from private traffic
- Build a highly available system
15
Q
You now want to ensure that the team has only the minimum permissions required to finish their work.
Which of the following will help her identify unused IAM roles and remove them without disrupting any service?
A
Access Advisor feature on IAM console
To help identify the unused roles, IAM reports the last-used timestamp that represents when a role was last used to make an AWS request. Your security team can use this information to identify, analyze, and then confidently remove unused roles. This helps improve the security posture of your AWS environments. Additionally, by removing unused roles, you can simplify your monitoring and auditing efforts by focusing only on roles that are in use.
16
Q
A development team lead is configuring policies for his team at an IT company.
Which of the following policy types only limit permissions but cannot grant permissions (Select two)?
- AWS Organizations Service Control Policy (SCP)
- Permissions boundary
- Access control list (ACL)
- Resource-based policy
- Identity-based policy
A
- Permissions boundary
Permissions boundary is a managed policy that is used for an IAM entity (user or role). The policy defines the maximum permissions that the identity-based policies can grant to an entity, but does not grant permissions. - AWS Organizations Service Control Policy (SCP)
SCPs limit permissions that identity-based policies or resource-based policies grant to entities (users or roles) within the account, but do not grant permissions.
17
Q
- Number of minutes you can specify in a build project for the build timeout of all related builds
- Number of minutes you can specify for the build timeout of a single build
A
5 to 480 (8 hours)
18
Q
When do you chose latency?
A
If your application is hosted in multiple AWS Regions, you can improve performance for your users by serving their requests from the AWS Region that provides the lowest latency.
19
Q
You have just configured and attached the IAM policy needed to access AWS Billing and Cost Management for all users under the Finance department. But, the users are unable to see AWS Billing and Cost Management service in the AWS console.
A
You need to activate IAM user access to the Billing and Cost Management console for all the users who need access
By default, IAM users do not have access to the AWS Billing and Cost Management console. You or your account administrator must grant users access. You can do this by activating IAM user access to the Billing and Cost Management console and attaching an IAM policy to your users. Then, you need to activate IAM user access for IAM policies to take effect. You only need to activate IAM user access once.
20
Q
To enable HTTPS connections for his web application deployed on the AWS Cloud, a developer is in the process of creating server certificate.
Which AWS entities can be used to deploy SSL/TLS server certificates? (Select two)
A
- AWS Certificate Manager
- IAM - IAM is used as a certificate manager only when you must support HTTPS connections in a Region that is not supported by ACM. IAM securely encrypts your private keys and stores the encrypted version in IAM SSL certificate storage. IAM supports deploying server certificates in all Regions, but you must obtain your certificate from an external provider for use with AWS. You cannot upload an ACM certificate to IAM. Additionally, you cannot manage your certificates from the IAM Console.
21
Q
You didn’t assig a target group to you ALB.
Which error code should he expect in his debug logs?
A
HTTP 503 - HTTP 503 indicates ‘Service unavailable’ error. This error in ALB is an indicator of the target groups for the load balancer having no registered targets.
22
Q
What are some of the 8 Pseudo parameters ?
A
AWS::AccountId
Returns the AWS account ID of the account in which the stack is being created, such as 123456789012.
AWS::NotificationARNs
Returns the list of notification Amazon Resource Names (ARNs) for the current stack.
AWS::NoValue
Removes the corresponding resource property when specified as a return value in the Fn::If intrinsic function.
For example, you can use the AWS::NoValue parameter when you want to use a snapshot for an Amazon RDS DB instance only if a snapshot ID is provided
AWS::Partition
Returns the partition that the resource is in. For standard AWS regions, the partition is aws.
AWS::Region
AWS::StackId
(arn:aws:cloudformation:us-west-2:123456789012:stack/teststack/51af3dc0-da77-11e4-872e-1234567db123)
AWS::StackName
(the aws cloudformation create-stack command, such as teststack)
AWS::URLSuffix
(The suffix is typically amazonaws.com)
23
Q
The team wants to analyze the incoming requests for latencies and the client’s IP address patterns.
Which feature of the Load Balancer will help collect the required information?
A
ALB access logs
Elastic Load Balancing provides access logs that capture detailed information about requests sent to your load balancer. Each log contains information such as the time the request was received, the client’s IP address, latencies, request paths, and server responses. You can use these access logs to analyze traffic patterns and troubleshoot issues. Access logging is an optional feature of Elastic Load Balancing that is disabled by default.
24
Q
Which section of a CloudFormation template does not allow for conditions?
A
Parameters enable you to input custom values to your CloudFormation template each time you create or update a stack.
Conditions cannot be used within the Parameters section. After you define all your conditions, you can associate them with resources and resource properties only in the Resources and Outputs sections of a template.
25
An application is hosted by a 3rd party and exposed at yourapp.3rdparty.com. You would like to have your users access your application using www.mydomain.com, which you own and manage under Route 53.
What Route 53 record should you create?
Create a CNAME record
A CNAME record maps DNS queries for the name of the current record, such as acme.example.com, to another domain (example.com or example.net) or subdomain (acme.example.com or zenith.example.org).
CNAME records can be used to map one domain name to another. Although you should keep in mind that the DNS protocol does not allow you to create a CNAME record for the top node of a DNS namespace, also known as the zone apex. For example, if you register the DNS name example.com, the zone apex is example.com. You cannot create a CNAME record for example.com, but you can create CNAME records for www.example.com, newproduct.example.com, and so on.
"Create an A record" - Is used to point a domain or subdomain to an IP address. 'A record' cannot be used to map one domain name to another.
26
A cybersecurity firm wants to run their applications on single-tenant hardware to meet security guidelines.
Which of the following is the MOST cost-effective way of isolating their Amazon EC2 instances to a single tenant?
- Dedicate Instances
- Dedicated Host
Dedicated Instances -
They are Amazon EC2 instances that run in a virtual private cloud (VPC) on hardware that's dedicated to a single customer. Dedicated Instances that belong to different AWS accounts are physically isolated at a hardware level, even if those accounts are linked to a single-payer account. However, Dedicated Instances may share hardware with other instances from the same AWS account that are not Dedicated Instances.
A Dedicated Host is also a physical server that's dedicated for your use. With a Dedicated Host, you have visibility and control over how instances are placed on the server.
Dedicated Hosts - An Amazon EC2 Dedicated Host is a physical server with EC2 instance capacity fully dedicated to your use. (Is more expensive, you can have several instances there)
27
Outputs
The optional Outputs section declares output values that you can import into other stacks (to create cross-stack references), return in response (to describe stack calls), or view on the AWS CloudFormation console. For example, you can output the S3 bucket name for a stack to make the bucket easier to find
Export
The name of the resource output to be exported for a cross-stack reference.
For each AWS account, Export names must be unique within a region.
You can't create cross-stack references across regions. You can use the intrinsic function Fn::ImportValue to import only values that have been exported within the same region.
28
EXPORT EXPORT EXPORT EXPORT
The name of the resource output to be exported for a cross-stack reference.
```
"Outputs" : {
"StackVPC" : {
"Description" : "The ID of the VPC",
"Value" : { "Ref" : "MyVPC" },
"Export" : {
"Name" : {"Fn::Sub": "${AWS::StackName}-VPCID" }
}
}
}
```
Cross-stack output
The intrinsic function Fn::Sub substitutes variables in an input string with values that you specify. In your templates, you can use this function to construct commands or outputs that include values that aren't available until you create or update a stack.
29
The development team at a company creates serverless solutions using AWS Lambda. Functions are invoked by clients via AWS API Gateway which anyone can access. The team lead would like to control access using a 3rd party authorization mechanism.
As a Developer Associate, which of the following options would you recommend for the given use-case?
Use API Gateway Lambda authorizers
A Lambda authorizer (formerly known as a custom authorizer) is an API Gateway feature that uses a Lambda function to control access to your API.
A Lambda authorizer is useful if you want to implement a custom authorization scheme that uses a bearer token authentication strategy such as OAuth or SAML, or that uses request parameters to determine the caller's identity.
When a client makes a request to one of your API's methods, API Gateway calls your Lambda authorizer, which takes the caller's identity as input and returns an IAM policy as output.
There are two types of Lambda authorizers:
A token-based Lambda authorizer (also called a TOKEN authorizer) receives the caller's identity in a bearer token, such as a JSON Web Token (JWT) or an OAuth token.
A request parameter-based Lambda authorizer (also called a REQUEST authorizer) receives the caller's identity in a combination of headers, query string parameters, stageVariables, and $context variables.
For WebSocket APIs, only request parameter-based authorizers are supported.
30
You are creating a Cloud Formation template to deploy your CMS application running on an EC2 instance within your AWS account. Since the application will be deployed across multiple regions, you need to create a map of all the possible values for the base AMI.
How will you invoke the !FindInMap function to fulfill this use case?
The intrinsic function Fn::FindInMap returns the value corresponding to keys in a two-level map that is declared in the Mappings section.
Fn::FindInMap: [ MapName, TopLevelKey, SecondLevelKey ]
31
Fn::ImportValue
The intrinsic function Fn::ImportValue returns the value of an output exported by another stack. You typically use this function to create cross-stack references. In the following example template snippets, Stack A exports VPC security group values and Stack B imports them.
EXPORT The name of the resource output to be exported for a cross-stack reference.
"Outputs" : {
"PublicSubnet" : {
"Description" : "The subnet ID to use for public web servers",
"Value" : { "Ref" : "PublicSubnet" },
"Export" : { "Name" : {"Fn::Sub": "${AWS::StackName}-SubnetID" }}
},
"WebServerSecurityGroup" : {
"Description" : "The security group ID to use for public web servers",
"Value" : { "Fn::GetAtt" : ["WebServerSecurityGroup", "GroupId"] },
"Export" : { "Name" : {"Fn::Sub": "${AWS::StackName}-SecurityGroupID" }}
}
}
```
"Resources" : {
"WebServerInstance" : {
"Type" : "AWS::EC2::Instance",
"Properties" : {
"InstanceType" : "t2.micro",
"ImageId" : "ami-a1b23456",
"NetworkInterfaces" : [{
"GroupSet" : [{"Fn::ImportValue" : {"Fn::Sub" : "${NetworkStackNameParameter}-SecurityGroupID"}}],
"AssociatePublicIpAddress" : "true",
"DeviceIndex" : "0",
"DeleteOnTermination" : "true",
"SubnetId" : {"Fn::ImportValue" : {"Fn::Sub" : "${NetworkStackNameParameter}-SubnetID"}}
}]
}
}
}
```
32
Fn::Sub
The intrinsic function Fn::Sub substitutes variables in an input string with values that you specify. In your templates, you can use this function to construct commands or outputs that include values that aren't available until you create or update a stack.
{ "Fn::Sub" : [ String, { Var1Name: Var1Value, Var2Name: Var2Value } ] }
{ "Fn::Sub" : String }
33
Fn::Transform
The intrinsic function Fn::Transform specifies a macro to perform custom processing on part of a stack template. Macros enable you to perform custom processing on templates, from simple actions like find-and-replace operations to extensive transformations of entire templates. For more information, see Using AWS CloudFormation macros to perform custom processing on templates.
```
{
"Fn::Transform": {
"Name": "macro name",
"Parameters": {
"Key": "value"
}
}
}
```
34
The development team at a retail organization wants to allow a Lambda function in its AWS Account A to access a DynamoDB table in another AWS Account B.
As a Developer Associate, which of the following solutions would you recommend for the given use-case?
Create an IAM role in account B with access to DynamoDB. Modify the trust policy of the role in Account B to allow the execution role of Lambda to assume this role. Update the Lambda function code to add the AssumeRole API call
You can give a Lambda function created in one account ("account A") permissions to assume a role from another account ("account B") to access resources such as DynamoDB or S3 bucket. You need to create an execution role in Account A that gives the Lambda function permission to do its work. Then you need to create a role in account B that the Lambda function in account A assumes to gain access to the cross-account DynamoDB table. Make sure that you modify the trust policy of the role in Account B to allow the execution role of Lambda to assume this role. Finally, update the Lambda function code to add the AssumeRole API call.
35
Managing concurrency for a Lambda function
| There are two types of concurrency available:
Provisioned concurrency – It initializes a requested number of execution environments so that they are prepared to respond to your function's invocations.
You can configure AS / on a schedule
Reserved concurrency – It creates a pool of requests that can only be used by its function, no other function can use that concurrency
36
A Developer has been entrusted with the job of securing certain S3 buckets that are shared by a large team of users. Last time, a bucket policy was changed, the bucket was erroneously available for everyone, outside the organization too.
Which feature/service will help the developer identify similar security issues with minimum effort?
IAM Access Analyzer - AWS IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity. This lets you identify unintended access to your resources and data, which is a security risk.
You can set the scope for the analyzer to an organization or an AWS account. This is your zone of trust. The analyzer scans all of the supported resources within your zone of trust. When Access Analyzer finds a policy that allows access to a resource from outside of your zone of trust, it generates an active finding.
37
IAM Access Analyzer
VS:
Use IAM access advisor
- AWS IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity. This lets you identify unintended access to your resources and data, which is a security risk. You can set the scope for the analyzer to an organization or an AWS account. This is your zone of trust. The analyzer scans all of the supported resources within your zone of trust. When Access Analyzer finds a policy that allows access to a resource from outside of your zone of trust, it generates an active finding.
- IAM access advisor helps you audit service access, remove unnecessary permissions, and set appropriate permissions providing the last timestamp when an IAM entity (e.g., user, role, or a group) accessed an AWS service.
38
The development team at an e-commerce company wants to run a serverless data store service on two docker containers using shared memory.
Which of the following ECS configurations can be used to facilitate this use-case?
Put the two containers into a single task definition using a Fargate Launch Type
Amazon Elastic Container Service (Amazon ECS) is a highly scalable, fast, container management service that makes it easy to run, stop, and manage Docker containers on a cluster. You can host your cluster on a serverless infrastructure that is managed by Amazon ECS by launching your services or tasks using the Fargate launch type. For more control over your infrastructure, you can host your tasks on a cluster of Amazon Elastic Compute Cloud (Amazon EC2) instances that you manage by using the EC2 launch type.
39
A photo-sharing application manages its EC2 server fleet running behind an Application Load Balancer and the traffic is fronted by a CloudFront distribution. The development team wants to decouple the user authentication process for the application so that the application servers can just focus on the business logic.
Use Cognito Authentication via Cognito User Pools for your Application Load Balancer
Application Load Balancer can be used to securely authenticate users for accessing your applications.
This enables you to offload the work of authenticating users to your load balancer so that your applications can focus on their business logic. You can use Cognito User Pools to authenticate users through well-known social IdPs, such as Amazon, Facebook, or Google, through the user pools supported by Amazon Cognito or through corporate identities, using SAML, LDAP, or Microsoft AD, through the user pools supported by Amazon Cognito.
You configure user authentication by creating an authenticate action for one or more listener rules. The authenticate-cognito and authenticate-oidc action types are supported only with HTTPS listeners.
40
What intrinsic function should you use to reference a parameter?
For example, an AMAZON EC2 AMI ID?
!Ref
Eg.
MyEIP:
Type: "AWS::EC2::EIP"
Properties:
InstanceId: !Ref MyEC2Instance
41
What is the limit of the maximum number of messages that can be stored in an SQS queue?
No limit
There are no message limits for storing in SQS, but 'in-flight messages' do have limits. Make sure to delete messages after you have processed them.
(120,000 inflight messages (received from a queue by a consumer)
42
CloudFormation currently supports the following parameter types:
4 types
7 with ::EC2::
- String – A literal string
- Number – An integer or float
- List – An array of integers or floats
- CommaDelimitedList – An array of literal strings that are separated by commas
- AWS::EC2::KeyPair::KeyName – An Amazon EC2 key pair name
- AWS::EC2::SecurityGroup::Id – A security group ID
- AWS::EC2::Subnet::Id – A subnet ID
- AWS::EC2::VPC::Id – A VPC ID
- List – An array of VPC IDs
- List – An array of security group IDs
- List – An array of subnet IDs
43
Database engines where you can use: IAM database authentication
- RDS MySQL
- RDS PostGreSQL
With this authentication method, you don't need to use a password when you connect to a DB instance. Instead, you use an authentication token.
44
If the deployment part to Elastic Beanstalk is taking a very long time due to resolving dependencies you can use this kind of solution:
- Bundle the dependencies in the source code during the last stage of CodeBuild
- Because most of the dependent files do not change frequently between builds, you can noticeably reduce your build time by caching dependencies.
45
Is a subnet always associated with a route table?
A subnet is implicitly associated with the main route table if it is not explicitly associated with a particular route table
46
What are some mantatory sections in a SAM?
- Transform
| - Resources
47
What other section does a SAM have?
The same as a CloudFormation Template and:
- Globals (optional)
| Properties that are common to all your serverless functions, APIs, and simple tables.
48
In the Amazon EC2 instances for Auto Scaling only the basic monitoring is active, what type of monitoring is active by default when you create the launch configuration Via:
SDK
AWS Managment Console
CLI
Detailed (1 minute)
Basic (5 minutes)
Detailed (1 minute)
You can enable detailed monitoring on an instance as you launch it or after the instance is running or stopped
aws ec2 monitor-instances --instance-ids i-1234567890abcdef0
49
What is an IOP?
input/output operations per second (IOPS).
50
What is the maximum ratio of provisioned IOPS to the requested volume size (in GiB)
50:1
50 IOPS: 1 GiB
5,000 IOPS : 100GiB Volume
200 GiB size volume with 15000 IOPS is incorrect because 15.000 / 50 = 300GB and 300 > 200
51
One of the EC2 instances has been reported as unhealthy, What does the ASG do with the unhealthy instance?
The ASG will terminate the EC2 Instance
52
You need to generate a report of code builds, success and failure, time spent, team members.
What can you use for this?
S3 and CloudWatch Logs integration
AWS CodeBuild monitors functions on your behalf and reports metrics through Amazon CloudWatch. These metrics include the number of total builds, failed builds, successful builds, and the duration of builds. You can monitor your builds at two levels: Project level, AWS account level.
53
You need to encrypted and decrypted data over 1mb at runtime.
What type of encryption do you have to do?
Use Envelope Encryption and reference the data as file within the code
While AWS KMS does support sending data up to 4 KB to be encrypted directly, envelope encryption can offer significant performance benefits. When you encrypt data directly with AWS KMS it must be transferred over the network. Envelope encryption reduces the network load since only the request and delivery of the much smaller data key go over the network. The data key is used locally in your application or encrypting AWS service, avoiding the need to send the entire block of data to AWS KMS and suffer network latency.
To encrypt 1 MB, you need to use the Encryption SDK and pack the encrypted file with the lambda function.
54
What is the maximun size of Lambda environment variables?
4Kb
55
You want to make sure that the application's serverless backend running via Lambda functions does not hit latency bottlenecks as a result of the traffic spike.
Configure Application Auto Scaling to manage Lambda provisioned concurrency on a schedule
Use scheduled scaling to increase provisioned concurrency in anticipation of peak traffic. To increase provisioned concurrency automatically as needed, use the Application Auto Scaling API to register a target and create a scaling policy.
56
How can I use a single SSH key pair for all my AWS Regions?
To use a single SSH key pair for all your AWS Regions, first generate a public SSH key from a private SSH key. Then, import the key into each of your AWS Regions.
Steps:
- Generate a public SSH key (.pub) file from the private SSH key (.pem) file.
- Set the AWS Region you wish to import to.
- Import the public SSH key into the new Region.
57
How can I back up a DynamoDB table to Amazon S3?
DynamoDB offers two built-in backup methods:
- On-demand: Create backups when you choose.
- Point-in-time recovery: Enable automatic, continuous backups.
This feature exports table data in DynamoDB JSON or Amazon Ion format only. If you want to export table data in a different format, use: Data Pipeline, Amazon EMR, AWS Glue
58
The following is an example of the event for Spot Instance interruption. The possible values for instance-action are 3:
Hibernate, Stop, and Terminate.
59
At which gp2 volume size will their test environment hit the max IOPS?
5.3 TiB
volumes offer cost-effective storage that is ideal for a broad range of workloads
16,000 IOPS (at 5,334 GiB and above)
60
Amazon Kinesis Data Firehose is a fully managed service for delivering real-time streaming data to destinations such as :
- Amazon Simple Storage Service (Amazon S3),
- Amazon Redshift,
- Amazon Elasticsearch Service (Amazon ES),
- Splunk,
- And any custom HTTP/s endpoints owned by supported third-party service providers, including Datadog, MongoDB, and New Relic
61
ECS_ENABLE_TASK_IAM_ROLE
| Where do you use that configuration?
This configuration item is used to enable IAM roles for tasks for containers with the bridge and default network modes.
62
These are examples of what?
```
ECS_CLUSTER
ECS_RESERVED_PORTS
ECS_RESERVED_PORTS_UDP
ECS_ENGINE_AUTH_TYPE
ECS_ENGINE_AUTH_DATA
AWS_DEFAULT_REGION
AWS_ACCESS_KEY_ID
AWS_SECRET_ACCESS_KEY
AWS_SESSION_TOKEN
DOCKER_HOST
ECS_LOGFILE
ECS_LOGLEVEL
ECS_LOGLEVEL_ON_INSTANCE
ECS_CHECKPOINT
ECS_DATADIR
ECS_UPDATES_ENABLED
ECS_DISABLE_METRICS
ECS_POLL_METRICS
ECS_POLLING_METRICS_WAIT_DURATION
ECS_RESERVED_MEMORY
ECS_AVAILABLE_LOGGING_DRIVERS
ECS_DISABLE_PRIVILEGED
ECS_SELINUX_CAPABLE
ECS_APPARMOR_CAPABLE
ECS_ENGINE_TASK_CLEANUP_WAIT_DURATION
ECS_CONTAINER_STOP_TIMEOUT
ECS_CONTAINER_START_TIMEOUT
HTTP_PROXY
NO_PROXY
ECS_ENABLE_TASK_IAM_ROLE
ECS_ENABLE_TASK_IAM_ROLE_NETWORK_HOST
ECS_DISABLE_IMAGE_CLEANUP
ECS_IMAGE_CLEANUP_INTERVAL
ECS_IMAGE_MINIMUM_CLEANUP_AGE
NON_ECS_IMAGE_MINIMUM_CLEANUP_AGE
ECS_NUM_IMAGES_DELETE_PER_CYCLE
ECS_IMAGE_PULL_BEHAVIOR
ECS_IMAGE_PULL_INACTIVITY_TIMEOUT
ECS_INSTANCE_ATTRIBUTES
ECS_ENABLE_TASK_ENI
ECS_CNI_PLUGINS_PATH
ECS_AWSVPC_BLOCK_IMDS
ECS_AWSVPC_ADDITIONAL_LOCAL_ROUTES
ECS_ENABLE_CONTAINER_METADATA
ECS_HOST_DATA_DIR
ECS_ENABLE_TASK_CPU_MEM_LIMIT
ECS_CGROUP_PATH
ECS_ENABLE_CPU_UNBOUNDED_WINDOWS_ xWORKAROUND
ECS_TASK_METADATA_RPS_LIMIT
ECS_SHARED_VOLUME_MATCH_FULL_CONFIG
ECS_CONTAINER_INSTANCE_PROPAGATE_TAGS _FROMECS_CONTAINER_INSTANCE_TAGS
ECS_ENABLE_UNTRACKED_IMAGE_CLEANUP
ECS_EXCLUDE_UNTRACKED_IMAGE
ECS_DISABLE_DOCKER_HEALTH_CHECK
ECS_NVIDIA_RUNTIME
ECS_ENABLE_SPOT_INSTANCE_DRAINING
ECS_LOG_ROLLOVER_TYPE
ECS_LOG_OUTPUT_FORMAT
ECS_LOG_MAX_FILE_SIZE_MB
ECS_LOG_MAX_ROLL_COUNT
ECS_ENABLE_ AWSLOGS_ EXECUTIONROLE_ OVERRIDE
ECS_PULL_DEPENDENT_CONTAINERS_UPFRONT
```
Amazon ECS Container Agent Configuration
Available Parameters
63
An Amazon EBS volume is a durable, block-level storage device that you can attach to your instances
Are EBS volumes region locked or
AZ locked?
EBS volumes are AZ locked
When you create an EBS volume, it is automatically replicated within its Availability Zone to prevent data loss due to the failure of any single hardware component. You can attach an EBS volume to an EC2 instance in the same Availability Zone.
64
What is the maximum data size supported by AWS KMS?
4Kb
You can encrypt up to 4 kilobytes (4096 bytes) of arbitrary data such as an RSA key, a database password, or other sensitive information.
65
You are purchasing a Reserved Instance
- Zonal Reserved Instances
- Regional Reserved Instances
You need capacity reservation
Zonal Reserved Instances - A zonal Reserved Instance provides a capacity reservation in the specified Availability Zone. Capacity Reservations enable you to reserve capacity for your Amazon EC2 instances in a specific Availability Zone for any duration.
When you purchase a Reserved Instance for a Region, it's referred to as a regional Reserved Instance. A regional Reserved Instance does not provide a capacity reservation
66
You'd like to test if an user can terminate instances, how can you try that?
Use the AWS CLI --dry-run option: The --dry-run option checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation, otherwise, it is UnauthorizedOperation.
67
Configure Application Auto Scaling to manage Lambda XXX concurrency on a schedule:
What types of concurrency can you use on a schedule?
Lambda provisioned concurrency
68
Controlling and managing access to a REST API in API Gateway
You can use the following 6 mechanisms for authentication and authorization:
- Resource policies
- Standard AWS IAM roles and policies
- IAM tags
- Endpoint policies for interface VPC endpoints
- Lambda authorizers
- Amazon Cognito user pools
69
When to use EB environments?
- Single-Instance Env: launches a single EC2 instance, an EIP is assigned to the EC2
- Load Balanced Envlaunch EC2s behind an ELB managed by an ASG
- Worker Environment: creates an SQS queue, install the SQS daemon on the EC2 instances, and has ASG scaling policy which will add or remove instances based on queue size.
If your AWS Elastic Beanstalk application performs operations or workflows that take a long time to complete, you can offload those tasks to a dedicated worker environment. Decoupling your web application front end from a process that performs blocking operations is a common way to ensure that your application stays responsive under load.
For a worker environment, you need a cron.yaml file to define the cron jobs and do repetitive tasks.
70
What is the total set size/number of environment variables you can create for AWS Lambda?
x
71
- Private subnet with an RDS
- Lambda function
What do you have to do to connect the Lambda function to its RDS instance?
Lambda connected to the VPC with a security group needed to access RDS
72
What happens if you terminate a container Instance in STOPPED state?
That container instance isn't automatically removed from the cluster. You will need to deregister your container instance in the STOPPED state.
If you terminate the instance in the Running state, that container instance is automatically removed, or deregistered, from the cluster
73
What do you have to do if you want to control the amount of data that you record In CloudTrail?
- Reducing costs
Enable X-Ray Sampling
By default, the X-Ray SDK records the first request each second, and five percent of any additional requests.
74
ECS
The instances created in the second run were also launched in 'PreviousCluster' even after specifying a different cluster name.
Why did that happen?
The cluster name Parameter has not been updated in the file /etc/ecs/ecs.config during bootstrap
In the ecs.config file you have to configure the parameter ECS_CLUSTER='your_cluster_name' to register the container instance with a cluster named 'your_cluster_name'.
75
Data should be secure at every stage of its lifecycle on all of the EBS
Security on EBS
- In-flight
- At Rest
Amazon EBS works with AWS KMS to encrypt and decrypt your EBS volume. You can encrypt both the boot and data volumes of an EC2 instance
EBS volumes support both in-flight encryption and encryption at rest using KMS
Types of data are encrypted
- Data at rest inside the volume
- All data moving between the volume and the instance
- All snapshots created from the volume
- All volumes created from those snapshots
76
The use cases, wherein AWS Lambda will add a message into a DLQ after being processed
- When an asynchronous invocation event exceeds the maximum age or fails all retry attempts, Lambda discards it. Or sends it to dead-letter queue if you have configured one.
- The event fails all processing attempt - A dead-letter queue acts the same as an on-failure destination in that it is used when an event fails all processing attempts or expires without being processed.
77
A company uses microservices-based infrastructure to process the API calls from clients
Users report receiving 501 error when they request API Gateway, Which service will you choose to help you troubleshoot?
Use X-Ray service "microservices architecture"
78
What can you do with CodeDeploy Agent?
The CodeDeploy agent is a software package that, when installed and configured on an instance, makes it possible for that instance to be used in CodeDeploy deployments
79
Number of variables you can create for AWS Lambda
- There is no limit defined on the number of variables that can be used.
- 4KB each variable
80
S3 data consitency Model
A process writes a new object to Amazon S3 and immediately lists keys within its bucket. The new object will appear in the list.
A process replaces an existing object and immediately tries to read it. Amazon S3 will return the new data.
A process deletes an existing object and immediately tries to read it. Amazon S3 will not return any data as the object has been deleted.
A process deletes an existing object and immediately lists keys within its bucket. The object will not appear in the listing.
81
Amazon S3 event notifications are designed to be delivered at least once.
If two writes are made to a single non-versioned object at the same time, it is possible that only a single event notification will be sent. If you want to ensure that an event notification is sent for every successful write, you can enable versioning on your bucket. With versioning, every successful write will create a new version of your object and will also send event notification.
82
ElastiCache can be used to:
Application workloads (such as social networking, gaming, media sharing, and Q&A portals)
Compute-intensive workloads (such as a recommendation engine)
83
Query your data by the primary key and an alternate key... use a GSI or LSI
Some applications only need to query data using the primary key; however, there may be situations where an alternate sort key would be helpful.
To give your application a choice of sort keys, you can create one or more local secondary indexes on a table and issue Query or Scan requests against these indexes.
Create an LSI: It has the same partition key
GSI: Partition and sort key can be different
84
- Setup ElastiCache in front of RDS
| - Setup RDS Read Replicas
Setup ElastiCache in front of RDS
- high-performance
- high request rates
- low latency requirements
- scale and speed is improved
Setup RDS Read Replicas
- add to the database costs
- It Will not help in reducing latency when compared to a caching solution
85
Which of the following services rely on CloudFormation to provision resources?
AWS Elastic Beanstalk
AWS CodeBuild
AWS Lambda
AWS Serverless Application Model (AWS SAM)
- AWS Elastic Beanstalk
Elastic Beanstalk uses AWS CloudFormation to launch the resources in your environment and propagate configuration changes
- AWS Serverless Application Model (AWS SAM
AWS SAM needs CloudFormation templates as a basis for its configuration.
86
A Classic Load Balancer with HTTP or HTTPS listeners might route more traffic to higher-capacity instance types
A traffic imbalance might also occur if you have instances of similar capacities running on different Amazon Machine Images (AMIs). In this scenario, the imbalance of the traffic in favor of higher-capacity instance types is desirable.
87
Things about EBS and security
- Encryption by default is a Region-specific setting. If you enable it for a Region, you cannot disable it for individual volumes or snapshots in that Region
- A volume restored from an encrypted snapshot, or a copy of an encrypted snapshot, is always encrypted
88
Amazon RDS as its database, a highly reliable fully-managed caching layer has to be configured in front of RDS.
Implement Amazon ElastiCache Redis in Cluster-Mode
VS
Implement Amazon ElastiCache Memcached
One can leverage ElastiCache for Redis with cluster mode enabled to enhance reliability and availability with little change to your existing workload. Cluster mode comes with the primary benefit of horizontal scaling of your Redis cluster, with almost zero impact on the performance of the cluster.
Memcached is designed for simplicity while Redis offers a rich set of features that make it effective for a wide range of use cases. Redis offers snapshots facility, replication, and supports transactions, which Memcached cannot and hence ElastiCache Redis is the right choice for our use case.
89
By default, the health check configuration of your Auto Scaling group is set as an EC2 type that performs a status check of EC2 instances. To automate the replacement of unhealthy EC2 instances, ...
You must change the health check type of your instance's Auto Scaling group from EC2 to ELB by using a configuration file.
90
You would like to track CPU utilization of the EC2 instances as frequently as every 10 seconds.
Create a high-resolution custom metric and push the data using a script triggered every 10 seconds
Using high-resolution custom metric, your applications can publish metrics to CloudWatch with 1-second resolution. You can watch the metrics scroll across your screen seconds after they are published and you can set up high-resolution CloudWatch Alarms that evaluate as frequently as every 10 seconds. You can alert with High-Resolution Alarms, as frequently as 10-second periods. High-Resolution Alarms allow you to react and take actions faster and support the same actions available today with standard 1-minute alarms.
91
Migrate an EB From an account to another One
Create a saved configuration in Team A's account and download it to your local machine. Make the account-specific parameter changes and upload to the S3 bucket in Team B's account. From Elastic Beanstalk console, create an application from 'Saved Configurations
You must use saved configurations to migrate an Elastic Beanstalk environment between AWS accounts. You can save your environment's configuration as an object in Amazon Simple Storage Service (Amazon S3) that can be applied to other environments during environment creation, or applied to a running environment. Saved configurations are YAML formatted templates that define an environment's platform version, tier, configuration option settings, and tags.
Download the saved configuration to your local machine. Change your account-specific parameters in the downloaded configuration file, and then save the changes. For example, change the key pair name, subnet ID, or application name (such as application-b-name). Upload the saved configuration from your local machine to an S3 bucket in Team B's account. From this account, create a new Beanstalk application by choosing 'Saved Configurations' from the navigation panel.
92
What are the important points to remember when configuring an organization trail?
Correct things:
By default, CloudTrail event log files are encrypted using Amazon S3 server-side encryption (SSE).
AWS offers Organization Trail for easy management and monitoring.
By default, CloudTrail tracks only bucket-level actions. To track object-level actions, you need to enable Amazon S3 data events
Member accounts will be able to see the organization trail, but cannot modify or delete it
93
You want to create monthly database backups in a period of three years, but You can enable automatic backups but as of 2020, the retention period is 0 to 35 days.
You should use...
Create a cron event in CloudWatch, which triggers an AWS Lambda function that triggers the database snapshot - There are multiple ways to run periodic jobs in AWS. CloudWatch Events with Lambda is the simplest of all solutions. To do this, create a CloudWatch Rule and select “Schedule” as the Event Source. You can either use a cron expression or provide a fixed rate (such as every 5 minutes). Next, select “Lambda Function” as the Target. Your Lambda will have the necessary code for snapshot functionality.
94
A manager has tried to find the user name that created an EBS volume by searching CloudTrail events logs but wasn't successful.
AWS CloudTrail event logs for 'CreateVolume' aren't available for EBS volumes created during an Amazon EC2 launch
AWS CloudTrail event logs for 'CreateVolume' aren't available for EBS volumes created during an Amazon Elastic Compute Cloud (Amazon EC2) launch.
95
Security measures have become stricter and require you to store data in encrypted queues
Enable SQS KMS encryption
96
Multiple consumer applications are using the incoming data streams
You have noticed a performance lag for the data delivery speed between producers and consumers of the data streams.
What feature you can use?
Use Enhanced Fanout feature of Kinesis Data Streams
(ɛnˈhænst fænaʊt)
By default, the 2MB/second/shard output is shared between all of the applications consuming data from the stream. You should use enhanced fan-out if you have multiple consumers retrieving data from a stream in parallel. With enhanced fan-out developers can register stream consumers to use enhanced fan-out and receive their own 2MB/second pipe of read throughput per shard, and this throughput automatically scales with the number of shards in a stream.
97
SSE-S3
Amazon S3 server-side encryption uses one of the strongest block ciphers available to encrypt your data, 256-bit Advanced Encryption Standard (AES-256).
98
You are configuring ProjectArtifacts in your build stage.
If you choose ProjectArtifacts and your value type is S3 then the build project stores build output in Amazon Simple Storage Service (Amazon S3).
What do you need for that?
to give AWS CodeBuild permissions to upload.
99
You have 10 shards
You are below the throughput
3mbs of 10mbs
You are getting: Provisioned Throughput Exceeded Exception
The partition key that you have selected isn't distributed enough
Using the partition key associated with each data record to determine the shard to which a given data record belongs
For the given use-case, as the partition key is not distributed enough, all the data is getting skewed at a few specific shards and not leveraging the entire cluster of shards.
100
How many messages can you receive from a SQS?
Up to 10
101
Available Headers:
SSE-S3:
'x-amz-server-side-encryption' : 'xxxxxx' ?
and SSE-KMS:
'x-amz-server-side-encryption' : 'xxxxxx' ?
SSE-S3:
'x-amz-server-side-encryption': 'AES256'
SSE-KMS:
'x-amz-server-side-encryption': 'aws:kms'
102
- A long build process
- A hundred dependencies
- You want to speed this process up
- You are using AWS CodeBuild.
Best pracrtices for cache
Downloading dependencies is a critical phase in the build process. These dependent files can range in size from a few KBs to multiple MBs. Because most of the dependent files do not change frequently between builds, you can noticeably reduce your build time by caching dependencies in S3.
103
You must ensure that all communications to Amazon S3 are encrypted.
This Encryption mechanisms will get a request rejected if the connection is not using HTTPS
SSE-C
Amazon S3 will reject any requests made over HTTP when using SSE-C. For security considerations, AWS recommends that you consider any key you send erroneously using HTTP to be compromised.
104
Data in AWS CodeCommit repositories
- Non encrypted
- encrypted
(At rest and In transit)
Data in AWS CodeCommit repositories is encrypted in transit and at rest.
When data is pushed into an AWS CodeCommit repository (for example, by calling git push), AWS CodeCommit encrypts the received data as it is stored in the repository.
105
You are publishing log data to a log group in Amazon CloudWatch Logs
You must encrypt the log data using an AWS KMS customer master key (CMK)
- Use the AWS CLI
- associate-kms-key command
- and specify the KMS key ARN
Log group data is always encrypted in CloudWatch Logs. You can optionally use AWS AWS Key Management Service for this encryption. If you do, the encryption is done using an AWS KMS (AWS KMS) customer master key (CMK). Encryption using AWS KMS is enabled at the log group level, by associating a CMK with a log group, either when you create the log group or after it exists.
106
Some logs commands
aws logs describe -log-groups (Prefix)
aws logs create-log-group (Name, KeyARN)
aws logs associate-kms-key (Name, KeyARN)
107
By default, your instance is enabled for basic monitoring and Amazon EC2 sends metric data to CloudWatch in ___ ___ periods
5 minutes
periods. You can optionally enable detailed monitoring. After you enable detailed monitoring, the Amazon EC2 console displays monitoring graphs with a 1-minute period for the instance
108
CloudFront Origin Protocol Policy
HTTPS Between clients and CloudFront as well as between CloudFront and backend
For web distributions, you can configure CloudFront to require that viewers use HTTPS to request your objects, so connections are encrypted when CloudFront communicates with viewers.
You also can configure CloudFront to use HTTPS to get objects from your origin, so connections are encrypted when CloudFront communicates with your origin.
109
Which other element MUST be included to allow the role to be assumed?
"Effect": "Allow",
"Action": "????",
"Resource": "arn:aws:iam::5123399432:role/MyCARole"
"Action": "sts:AssumeRole"
110
The Lambda function executes 20 times per second and takes 20 seconds to complete each execution.
How many concurrent executions will the Lambda function require?
To calculate the concurrency requirements for the Lambda function simply multiply the number of executions per second (20) by the time it takes to complete the execution (20).
400
111
Oon-premise application that will connect to several AWS services. What is the BEST way to provide the application server with permissions to authenticate to AWS services?
Create an IAM user and generate access keys. Create a credentials file on the application server" is the correct answer.
key pairs are used for SSH access to Amazon EC2 instances. You cannot use them in API calls to AWS services.
112
You use key pairs for?
SH access to Amazon EC2 instances.
113
X-RAY
| A developer requires more detailed timing information and data related to downstream calls to AWS services.
Subsegments
A segment can break down the data about the work done into subsegments. Subsegments provide more granular timing information and details about downstream calls that your application made to fulfill the original request.
A subsegment can contain additional details about a call to an AWS service, an external HTTP API, or an SQL database. You can even define arbitrary subsegments to instrument specific functions or lines of code in your application.
114
To reduce the cost of API actions performed on an Amazon SQS queue, a Developer has decided to implement long polling.
What is the api and the command to do that?
___ ___ 20
Set the ReceiveMessage API with a WaitTimeSeconds of 20
115
```
An Api Gateway have Resources and Methods:
/
__/pets
__GET
__POST
____/{petId}
```
Can you identify the methods and resources?
Resources are:
/
__/pets
____/{petId}
Methods are:
Get
Post
116
In ECS you have a diagram with ASG, CloudWatch
- ECS Cluster
- ECS Service
- Auto Scaling group
- Container Instance 1
__ - task
__ - task
- Container Instance 2
__ - task
__ - task
117
5 Configurations you can find in myQueue
setting the queue attribute ReceiveMessageWaitTimeSeconds to 20 will result in fewer attempts to poll the queue which is more efficient and will reduce cost.
```
Visibility timeout (0s, 12h)
Message retention period (1d, 14d)
Maximun message size (1kb, 256kb)
Delivery delay (0s, 15m)
Receive message wait time (0s, 20s)
```
118
If the Developers already have AWS CLI configured on their workstations, how can the Docker images be pulled to the workstations?
Commands
Run the output of the following: aws ecr get-login and then run: docker pull REPOSITORY URI : TAG"
- ecr get-login
- docker login
- docker pull
119
In S3 these are examples of what?
· Development/Projects.xls
· Finance/statement1.pdf
· Private/taxdocument.pdf
· s3-dg.pdf
Object Key
120
___ is a collection of AWS resources in the same AWS Region that match tag-based criteria provided in a search query.
You can define these queries in the console or using the AWS CLI. The search query includes lists of resources types and tag key/value.
A resource group
121
Use Amazon ElastiCache Redis with replicas
if you're running the Redis engine, you can group 2 to 6 nodes into a cluster with replicas where 1 to 5 read-only nodes contain replicate data of the group's single read/write primary node.
122
When do you use The message deduplication ID?
| SQS
The message deduplication ID is used with FIFO queues which also provide exactly-once processing (unlike standard queues which only provide “at least once delivery”). The producer should provide message deduplication ID values for each message.
Use a FIFO queue and configure the producer to provide a message deduplication ID
123
Name of the metric that measures the time between when API Gateway receives a request from a client and when it returns a response to the client.
The Latency
124
Caching strategy write-through
Write to the backend first and then invalidate the cache
125
What is the ports when you use...
HTTP?
HTTPS?
80
| 443
126
Serverless Application Model (AWS SAM)
Policies to give buckets read access?
Gives read-only permission to objects in an Amazon S3 bucket.
Gives create, read, update, and delete permission to objects in an Amazon S3 bucket.
S3ReadPolicy => Gives read-only permission to objects in an Amazon S3 bucket.
S3CrudPolicy => Gives create, read, update, and delete permission to objects in an Amazon S3 bucket.
127
To use the exported value in another stack, which functions must be used?
!ImportValue
The intrinsic function Fn::ImportValue returns the value of an output exported by another stack. You typically use this function to create cross-stack references.
Incorrect options:
!Ref - Returns the value of the specified parameter or resource.
!GetAtt - Returns the value of an attribute from a resource in the template.
!Sub - Substitutes variables in an input string with values that you specify.
128
!ImportValue
Vs
!GetAtt
!ImportValue - returns the value of an output exported by another stack
!GetAtt - Returns the value of an attribute from a resource in the template
129
3 different Docker Containers simultaneously.
| What EB platform shoud tou choose?
Docker multi-container platform
130
Use this:
aws ecs create-service --service-name ecs-simple-service --task-definition ecs-demo --desired-count 10
To create a new service you would use this command which creates a service in your default region called ecs-simple-service. The service uses the ecs-demo task definition and it maintains 10 instantiations of that task.
131
AWS QSQ FIFO
As a developer, which message parameter should you set the value of user_id to guarantee the ordering?
MessageGroupId
The message group ID is the tag that specifies that a message belongs to a specific message group. Messages that belong to the same message group are always processed one by one, in a strict order relative to the message group (however, messages that belong to different message groups might be processed out of order).
132
Example: Lambda inline cloudFormation:
Write the AWS Lambda code inline in CloudFormation in the AWS::Lambda::Function block as long as there are no third-party dependencies
```
Type: AWS::Lambda::Function
Properties:
Code:
Code
DeadLetterConfig:
DeadLetterConfig
Description: String
Environment:
Environment
FileSystemConfigs:
- FileSystemConfig
FunctionName: String
Handler: String
KmsKeyArn: String
Layers:
- String
MemorySize: Integer
ReservedConcurrentExecutions: Integer
Role: String
Runtime: String
Tags:
- Tag
Timeout: Integer
TracingConfig:
TracingConfig
VpcConfig:
VpcConfig
```
133
X-Ray Cross Account
Create a role in the target unified account and allow roles in each sub-account to assume the role
Configure the X-Ray daemon to use an IAM instance role
The X-Ray agent can assume a role to publish data into an account different from the one in which it is running. This enables you to publish data from various components of your application into a central account.
X-Ray can also track requests flowing through applications or services across multiple AWS Regions.
134
You would like to paginate the results of an S3 List to show 100 results per page to your users and minimize the number of API calls that you will use.
aws s3api list-objects --bucket my-bucket --max-items 100 --starting-token eyJNYXJrZXIiOiBudWxsLCAiYm90b190cnVuY2F0ZV9hbW91bnQiOiAxfQ==
--max-items
--starting-token
135
S3 Select
S3 Select enables applications to retrieve only a subset of data from an object by using simple SQL expressions. By using S3 Select to retrieve only the data needed by your application, you can achieve drastic performance increases in many cases you can get as much as a 400% improvement.
136
Canary Deployment
In a canary release deployment, total API traffic is separated at random into a production release and a canary release with a preconfigured ratio. Typically, the canary release receives a small percentage of API traffic and the production release takes up the rest. The updated API features are only visible to API traffic through the canary. You can adjust the canary traffic percentage to optimize test coverage or performance.
137
Which environment variable can be used by AWS X-Ray SDK to ensure that the daemon is correctly discovered on ECS?
AWS_XRAY_DAEMON_ADDRESS
Set the host and port of the X-Ray daemon listener. By default, the SDK uses 127.0.0.1:2000 for both trace data (UDP) and sampling (TCP). Use this variable if you have configured the daemon to listen on a different port or if it is running on a different host.
138
Services That Lambda Reads Events From
Amazon DynamoDB
Amazon Kinesis
Amazon Simple Queue Service
139
Lambda
| Concurrency is subject to a Regional limit that is shared by all functions in a Region.
The regional concurrency limit starts at 1,000. You can increase the limit by submitting a request in the Support Center console.
140
If you have cold shards (Kinesis)
the best approach to minimizing the cost of the Kinesis Data Stream is to merge the “cold” shards. This will reduce cost as you pay for each shard.
141
EC2, ALB, RDS
The security team noticed some SQL injection attacks and cross-site scripting attacks targeting the web application.
Which service can a Developer use to protect against future attacks?
AWS WAF is a web application firewall that helps protect your web applications or APIs against common web exploits that may affect availability, compromise security, or consume excessive resources.
AWS WAF gives you control over how traffic reaches your applications by enabling you to create security rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that filter out specific traffic patterns you define.
142
The Developer has set the user field on segments to a string that identifies the user who sent the request.
How can the Developer search for segments associated with specific users?
CORRECT: "By using the GetTraceSummaries API with a filter expression" is the correct answer.
A subset of segment fields are indexed by X-Ray for use with filter expressions. For example, if you set the user field on a segment to a unique identifier, you can search for segments associated with specific users in the X-Ray console or by using the GetTraceSummaries API.
143
An application is instrumented to generate traces using AWS X-Ray and generates a large amount of trace data. A Developer would like to use filter expressions to filter the results to specific key-value pairs added to custom subsegments.
How should the Developer add the key-value pairs to the custom subsegments?
CORRECT: "Add annotations to the custom subsegments" is the correct answer.
Explanation
You can record additional information about requests, the environment, or your application with annotations and metadata. You can add annotations and metadata to the segments that the X-Ray SDK creates, or to custom subsegments that you create.
144
To add a role to an Amazon EC2 instance using the AWS CLI you must first create an instance profile. Then you need to add the role to the instance profile and finally assign the instance profile to the Amazon EC2 instance.
aws iam create-instance-profile --instance-profile-name EXAMPLEPROFILENAME
aws iam add-role-to-instance-profile --instance-profile-name EXAMPLEPROFILENAME --role-name EXAMPLEROLENAME
aws ec2 associate-iam-instance-profile --iam-instance-profile Name=EXAMPLEPROFILENAME --instance-id i-012345678910abcde
