Test Review Questions Flashcards

(200 cards)

1
Q

How to deploy a lambda function with multiple stages - dev, test, prod

A

Use environment variables to configure different endpoints for each stage

2
Q

On-premises application accessing AWS services through the SDK

A

Generate access key and store in secrets manager

3
Q

Improve on storing session state in memory

A

Store in Elasticache for distributed session management

4
Q

Monitor events in cloudwatch every 10 seconds

A

High resolution cloudwatch metric - can set alarms for periods of 10 or 30 seconds

5
Q

Cloudwatch metric standard resolution granularity

A

Granularity of 1 minute, and period of at least 5 minutes

6
Q

Override the build command on a CodeBuild project to test a change

A

Run the start build command from the CLI with the ‘buildspecOverride’ property

7
Q

Migrating SQL to AWS, currently encrypting some data with Transparent Data Encryption

A

Use RDS - supports TDE

8
Q

Update Beanstalk EC2 instance type

A

Create a config file in S3 with the new instance type

9
Q

Large number of reads/writes to S3 per second

A

Use a hash prefix when writing to distribute I/O load across multiple partitions

10
Q

Preprocess data before analysis in Kinesis Analytics

A

Use Lambda to preprocess data

11
Q

Monitor incoming connections on an ELB

A

Enable access logs on the load balancer

12
Q

Reduce throttling from scans on a large DDB table

A

Reduce page size to reduce RCUs per request

13
Q

Bootstrap application script into autoscaling instances

A

Place script into Userdata for the instance

14
Q

Analyse information stored in Cognito

A

Cognito streams configures a Kinesis stream to which Cognito can push dataset changes

15
Q

How to implement a Lambda function with 300 second execution time

A

Default timeout is 3 seconds - increase this

16
Q

Where to place a healthcheck.config file for an Elastic Beanstalk application

A

In the .ebextensions folder of the application’s source code

17
Q

Allow users to test an API gateway instance.

A

Ensure that a deployment is created in API Gateway

18
Q

How to allow an application to take 60 seconds to process a message from an SQS queue

A

Increase the visibility timeout in the queue from the default of 30 seconds, then delete the message after processing

19
Q

Test out permissions assigned to a policy via CLI

A

Get the context keys, then use them with the command 'aws iam simulate-custom-policy'

20
Q

Steps to host a static website

A

Enable website hosting, configure index document, set permissions for website access

21
Q

MFA for S3 bucket

A

Add bucket policy with condition ‘aws:MultiFactorAuthPresent’:’false’ as a deny policy

22
Q

Reduce response time for reads on DDB to microseconds

A

Use DAX - DDB in-memory caching

23
Q

Preconfigure EC2 instances with NGINX web server using cfn

A

Use cfn-init helper script - allows you to describe configurations rather than scripting steps.

24
Q

Migrate from a Subversion repo to CodeCommit

A

For svn, perforce or TFS, migrate to git first, then to CodeCommit

25
Enable encryption at rest on existing DDB table
Not possible - create a new table with encryption enabled and copy data across (most likely an obsolete question - current sources show data is encrypted at rest by default)
26
Does CodeDeploy require an instance profile to be attached to both EC2 & on-premises instances.
Only for EC2 - an instance profile is automatically created when an IAM role is created for EC2
27
Generate a data key in encrypted format
Use the KMS command 'GenerateDataKeyWithoutPlaintext'
28
Query a DDB table and only retrieve certain attributes
Use a Projection Expression - a comma separated string of the attributes you want.
29
Prevent message visibility for X minutes when a message enters the SQS queue
To impact the whole queue - implement a delay queue (default - 0 seconds, max - 15 minutes). To impact individual messages - use message timers (not for FIFO).
30
Best practices for activity workers & tasks wrt. Step Functions
Specify timeout in state machine definitions (avoid getting stuck waiting for a response). To pass large payloads between states, store data in S3 and pass resource ARN to next state
31
Diagnose high number/rate of 503 errors on bucket with frequent put operations
Bucket may have versioning enabled, and with many put requests, may have millions of versions of objects. Use S3 inventory tool to generate bucket report.
32
Measure consumed capacity for DDB queries
Set 'ReturnConsumedCapacity' parameter to 'TOTAL' on request
33
Send metadata along with messages between components
Insert metadata using message attributes in SQS
34
Preserve database for analysis after Beanstalk env. is torn down
Mark database retention as 'Create Snapshot'
35
Where to upload lambda function package
Upload application files to S3
36
Blue Green deployment for new version of Beanstalk application
Create a new env. in the application with the updated application version and perform a URL swap.
37
Allow CodeBuild integration tests to access private subnet
Provide VPC specific configuration info as part of the codebuild project - e.g., VPC IDs, subnet IDs, security group IDs
38
Clients cannot connect to internet facing load balancer
LB must be attached to a public subnet. Security group/ACL for the subnet must allow traffic to/from the client.
39
Allow S3 static website access to S3 bucket
Enable CORS on the bucket
40
Maintain session states with even distribution across ELB
Use Elasticache (even distro, so can't use sticky sessions)
41
What is the EC2 instance store lifetime
Instance store data is ephemeral - will be lost if stopped/restarted. EBS persists until instance is terminated.
42
API call to describe an AMI
DescribeImages
43
Connect instances behind public & private subnets to internet
Create a NAT instance
44
Reader behaviour in SQS with long polling
Reader will listen to the queue until a message is available, or until timeout
45
Difference between LSIs and GSIs
LSIs share the same partition key as the primary key. GSIs have a different partition & sort key
46
Max item size in DDB
400 KB
47
'ProvisionedThroughputExceededException' but not exceeding table read capacity throughput
Exceeded max provisioned throughout for one or more GSIs
48
SQS max message retention period
14 days
49
DDB concurrency control
Optimistic locking - write only proceeds if version in write request matches version on item in table
50
Using SNS to message different devices & platform
Use platform specific KVPs in a single payload
51
Ensure application data on EBS is encrypted at rest
Enable encryption and launch an instance type that supports EBS encryption
52
Pass a stage variable to HTTP url
${stageVariables.}
53
What should be done when met with a LambdaThrottledException with cognito events
Perform retry on sync
54
Sequence of hooks called in CodeDeploy
ApplicationStop -> BeforeInstall -> AfterInstall -> ApplicationStart
55
How to resolve CodeDeploy error: HEALTH_CONSTRAINTS_INVALID
Reduce the number of healthy instances required during deployment
56
A developer is writing a custom script that will run in an Amazon EC2 instance. The script needs to access the local IP address from the instance to manage a connection to an application outside the AWS Cloud. The developer found out that the details about an instance can be viewed by visiting a certain Uniform Resource Identifier (URI).
http://169.254.169.254/latest/meta-data/
57
A transcoding media service is being developed in AWS. Photos uploaded to Amazon S3 will trigger Step Functions to coordinate a series of processes that will perform image analysis tasks. The final output should contain the input plus the result of the final state to conform to the application's logic flow. What should the developer do?
ResultPath field filter is the only one that can control input values and its previous results to be passed to the state output. Declare a ResultPath field filter on the Amazon States Language Specification.
58
What should be done to only allow authorized clients to invalidate an API Gateway cache entry when submitting API requests?
- Tick the 'Require Authorization' checkbox in the Cache settings of your API via the console
- The client must send a request which contains the 'Cache-Control: max-age=0' header
59
How should you fix a Lambda function configured with VPC-specific information that cannot connect to the internet via public API?
- Add a NAT gateway to your VPC
- Ensure that the associated security group of the Lambda function allows outbound connections
60
You have a Lambda function configured with VPC-specific information that cannot connect to the internet via public API. Why would setting up Elastic Network Interfaces (ENIs) not help enabling your Lambda function to connect to the internet?
The ENIs are already automatically set up by Lambda, using the VPC information provided.
61
A recruitment agency has a large collection of resumes stored in an Amazon S3 bucket. The agency wants to perform an analysis on these files, but for privacy compliance reasons, they need to ensure that certain personally identifiable information (PII) is redacted before being processed by their internal service. Why is Lambda@Edge not an appropriate solution for this scenario?
Lambda@Edge allows transformations of data for CloudFront distribution at CDN edge locations, for end users. This scenario calls for transformation of data by an internal service. Lambda@Edge is also a somewhat costly service compared to regular lambda functions.
62
Why might you get a 403 Forbidden error when using newly generated API keys for a REST API in API gateway, and how would you resolve this?
API keys do not grant access to execute an API with API Gateway without first being associated with a usage plan. This usage plan determines the stages and methods the API key can access. To fix this, associate the API keys with a usage plan using the CreateUsagePlanKey operation.
63
How should you provide access for a Node.js application run on a Linux server in an on-premises data center to various AWS services such as S3, DDB, etc.
Create an IAM user with programmatic access. In the application server, create the credentials file at ~/.aws/credentials with the access keys of the IAM user.
64
You want to release a new firmware update intended only to a specific set of customers, and unauthorized access should be denied with a user authentication process that has minimal latency. Why would the use of Signed URLs and Signed Cookies in CloudFront not be appropriate here?
This process of authentication has a significant latency, along with significant refactoring requirements, compared with using a combination of Lambda@Edge and Cognito for filtering out unauthorized requests.
65
What is the purpose of an RDS Proxy, and how does it achieve this purpose?
RDS Proxy is used to manage a large number of connections from Lambda to an RDS database. It does this by establishing a warm connection pool to the DB. Lambda interacts with the proxy, reusing existing connections instead of creating new connections for every function.
66
How would you configure an AWS Step Functions workflow to allow for a pause while a service works on a task, and only to resume after the service sends a notification to a webhook endpoint? Why is this cost effective?
Step Functions can be configured to be paused for external system processes using the 'waitForTaskToken' option. The step function generates a unique token, which can be retrieved from the context object of the state machine. The external system can then call the webhook with a 'SendTaskSuccess' or '...Failure' while referencing the token. This is cost effective since the workflow is paused, and so you are not billed for time when a workflow is paused.
67
Give an example of when a InvalidParameterValueException would be returned when creating a Lambda function.
When a parameter of the request is invalid, such as providing an IAM role in the CreateFunction API which the Lambda function is unable to assume.
68
You attempt to create a Lambda function, however the resource already exists. What error would be returned?
ResourceConflictException - 409
69
What is the difference between the 'Period' and 'Evaluation Period' in CloudWatch?
- Period is the length of time to evaluate the metric or expression and produce a data point for an alarm.
- Evaluation Period is the number of the most recent periods, or data points, to evaluate when determining alarm state.
70
How can you redirect a user to a geolocation-specific URL using CloudFront?
- Implement a CloudFront function that returns the appropriate URL based on the CloudFront-Viewer-Country header.
- Configure the distribution to trigger the function on Viewer request events.
71
Why is using Route 53 geolocation routing an unsuitable solution to redirecting a user to a geolocation-specific URL using CloudFront?
Route 53 geolocation is primarily for directing traffic to specific resources based on user location for performance or regulatory reasons - not for content personalization based on geolocation.
72
How would you set up HTTPS communication between viewers and a CloudFront distribution?
- Set the 'Viewer Protocol Policy' to 'HTTPS Only', or
- Set the 'Viewer Protocol Policy' to 'Redirect HTTP to HTTPS'
73
Why would using a self-signed SSL/TLS certificate in the ALB which is stored in a private S3 bucket not help you to set up HTTPS communication between viewers and a CloudFront distribution?
1. You can't use a self-signed certificate stored in S3. You would need a certificate from ACM or a third party.
2. This would provide you HTTPS communication between origin and CloudFront, not between viewers and CloudFront.
74
A developer is creating an analytics REST API service that is powered by API Gateway. Analysts from a separate AWS account must interact with the service through an IAM role. The IAM role already has a policy that grants permission to invoke the API. What else should the developer do to meet the requirement without too much overhead?
Set AWS_IAM as the method authorization type for the API. Attach a resource policy to the API that grants permission to the specified IAM role to invoke the 'execute-api:Invoke' action.
75
You have an application hosted on Lambda that typically takes around 5 minutes to process a request. During this time, the application is unresponsive. How can you prevent the application from becoming unresponsive?
Configure the application to asynchronously process the requests and change the invocation type of the Lambda function to Event (i.e., publish an event to the function to trigger it)
76
You have an application which uses X-Ray to generate trace data. How can you implement a filter expression that will limit the results of a search based on the custom attributes or keys specified? Why this approach?
Add custom attributes as annotations in your segment document. Annotations are simple key-value pairs that are indexed for use with filter expressions. Use annotations to record data that you want to use to group traces in the console, or when calling the GetTraceSummaries API. X-Ray indexes up to 50 annotations per trace.
77
Why can you not use metadata to implement a search on custom attribute for X-Ray?
Metadata are key-value pairs with values of any type, including objects and lists, but that are not indexed.
78
What are the predefined deployment strategies for EC2/On-premises compute platforms?
CodeDeployDefault.OneAtATime, CodeDeployDefault.HalfAtATime, CodeDeployDefault.AllAtOnce
79
Why is CodeDeployDefault.HalfAtATime not quicker than CodeDeployDefault.LambdaCanary10Percent5Minutes for deploying Lambda functions?
It is not a viable deployment strategy for Lambda - it is only for EC2/On-premises
80
How can you establish end-to-end encryption using an AWS applications fronted by a CloudFront distribution?
Configure both Origin Protocol Policy and Viewer Protocol Policy to use HTTPS
81
What is the function of Origin Access Control (OAC)?
Allows you to secure S3 origins by allowing bucket access to designated CloudFront distributions
82
What is the difference between the AWS/AWS_PROXY and HTTP/HTTP_PROXY API Gateway integration request mappings?
For the Lambda proxy integration, the value is AWS_PROXY. For the Lambda custom integration and all other AWS integrations, it is AWS. For the HTTP proxy integration and HTTP integration, the value is HTTP_PROXY and HTTP, respectively. For the mock integration, the type value is MOCK.
83
What sections are required in a CloudFormation template, both when using and not using AWS SAM?
With SAM - Resources and Transform (specifies the version of SAM to use). Without SAM - Resources.
84
What is the AWS Default Lambda concurrent executions value?
AWS Lambda limits the total concurrent executions across all functions within a given region to 1000
85
How can you configure a Kinesis Data Stream to ingest data, processing each item once, and processing the items in the same order that they are received? And why that API call?
Embed a unique ID in each item. Use the Kinesis 'PutRecord' API to write items - 'PutRecord' and not 'PutRecords', since Kinesis will attempt to process all records in a batch in the latter, and so does not guarantee the ordering of records. Assign a timestamp-based value for the 'SequenceNumberForOrdering' parameter.
86
Why is SQS FIFO not a good fit for an auction app that ingests and processes bids in real-time?
SQS FIFO is not a good fit for real-time processing (not sure why, but maybe performance and due to the max of 300 send, receive or delete operations per second).
87
What is the difference between the X-Ray headers 'X-Forwarded-For' and 'X-Forwarded-Host'?
X-Forwarded-For deals with tracking the IP addresses through which the request has passed, while X-Forwarded-Host is concerned with preserving the original host name requested by the client. X-Forwarded-For is more about the path of the request (i.e., routing information), whereas X-Forwarded-Host is about the intended destination (i.e., which host the client originally intended to reach).
88
How can you configure CloudWatch to set up graphical representations of key performance metrics for separate applications?
Create a custom CloudWatch namespace with a unique metric name for each application (metrics in different namespaces are isolated from each other - metrics from different applications are not mistakenly aggregated into the same statistics).
89
What is the sequence of event hooks that run during Lambda deployment?
Start -> BeforeAllowTraffic -> AllowTraffic -> AfterAllowTraffic -> End
90
How would you invoke a Lambda function asynchronously? Why that particular API call?
Use 'Invoke' API to call the Lambda function and set the invocation type request parameter to event. Cannot use 'InvokeAsync' as this is deprecated.
91
A developer wants to track the number of visitors on their website, which has a DynamoDB database. This is primarily used to give a rough idea on how many people visit the site whenever they launch a new advertisement, which means it can tolerate a slight overcounting or undercounting of website visitors. Why is the use of atomic counters here acceptable?
Atomic counters are not idempotent - they are incremented on every update. This means that if a request fails and is retried, the counter would be incremented twice (or more). This example has a tolerance for over/undercounting of updates.
92
What is the easiest method of deploying a Node.js 'Hello World' Lambda function using CloudFormation?
Include your function source code inline in the `ZipFile` parameter of the `AWS::Lambda::Function` resource in the cfn template.
93
What is the default retention period of data records in a Kinesis data stream, and how much can this be increased to?
24 hours, up to 365 days.
94
You have an EB application attached to an AWS RDS db. How can you decouple your db instance from the environment for blue/green deployments without incurring data loss?
Create an RDS DB snapshot of the database and enable delete protection. Create a new EB env. with the necessary information to connect to the RDS instance. Before terminating the old EB env., remove its security group which allows RDS access (if this is not done, the old EB env retains a dependency on RDS via the security group, and so cannot be terminated).
95
What is Lambda's minimum unreserved account concurrency?
100
96
Your application relies on Cognito for user authentication. How can you enforce MFA only on users only with suspicious login attempts?
Enable Adaptive Authentication for the User Pool - this can turn on/require MFA for a user when Cognito detects risk in a user's session.
97
What headers must be included to upload data to an S3 bucket with SSE-C (customer-provided encryption keys)?
- x-amz-server-side-encryption-customer-algorithm - This header specifies the encryption algorithm. The header value must be "AES256".
- x-amz-server-side-encryption-customer-key - This header provides the 256-bit, base64-encoded encryption key for Amazon S3 to use to encrypt or decrypt your data.
- x-amz-server-side-encryption-customer-key-MD5 - This header provides the base64-encoded 128-bit MD5 digest of the encryption key according to RFC 1321. Amazon S3 uses this header for a message integrity check to ensure the encryption key was transmitted without error.
98
Which appspec.yml properties are required by CodeDeploy for ECS deployments?
TaskDefinition, ContainerName and ContainerPort
99
Which are the only platforms that can use in-place deployments through CodeDeploy?
EC2 and on-premises
100
What is a good architectural pattern for managing in-place deployments?
Use a load balancer so that each instance is deregistered during deployment and then restored to service after deployment is completed.
101
On which platforms can you perform blue/green deployments using CodeDeploy
EC2, ECS and Lambda
102
Why must you use FIFO instead of standard SQS queue for preventing messages being processed multiple times?
Standard SQS queues do not support message deduplication.
103
What are the two ways you can configure FIFO queues to prevent messages being processed multiple times?
- Enable content-based deduplication. This instructs Amazon SQS to use a SHA-256 hash to generate the message deduplication ID using the body of the message - but not the attributes of the message.
- Explicitly provide the message deduplication ID (or view the sequence number) for the message.
104
What service should you use to store encryption keys within a dedicated, third-party validated hardware security module under your exclusive control?
AWS CloudHSM (hardware security module) - provides secure storage for cryptographic keys
105
Why should you not use Secrets Manager as a key-management service for storing encryption keys of on-premises servers?
You cannot store Customer Master Keys (CMKs) in AWS Secrets Manager.
106
What can you use in ECS to group container instances together by specific attributes? Give examples of these attributes.
Cluster Query Language - e.g., AZ, instance type or custom metadata
107
You have several developers, each with their own IAM user. How can you give access to CodeCommit for them to utilize code repositories on their own computers?
- Generate HTTPS Git credentials.
- Generate new SSH keys and associate the public SSH key with each of your developers' IAM users.
108
How can you detach a root EBS volume from a running EC2 instance?
Since it is the root volume, you have to stop the instance and then detach the volume.
109
How can you detach a non-root EBS volume from a running EC2 instance?
- Unmount the volume, then detach it from the instance.
- Terminate the instance, causing the volume to become detached.
110
Which languages are supported natively by Lambda?
Java, Go, PowerShell, Node.js, C#, Python, and Ruby code
111
How can you implement a Lambda function using C++? Why can you not include this in the lambda function code?
Create a new layer which contains the Custom Runtime for C++ and launch a Lambda which uses that runtime. Lambda functions have a max deployment package size of 50 MB, so you have to use a layer.
112
What is the most suitable solution for an application that is required to trace downstream requests to multiple different tracing backends without having to re-instrument the application code and why?
Install the AWS Distro for OpenTelemetry Collector and set up the distro to trace all downstream API calls. X-Ray is unsuitable here since it cannot send traces to multiple different tracing backends without having to re-instrument the application.
113
Why might you get an Access Denied error when you attempt to upload a file to S3 over 100gb in size via the CLI?
AWS S3 CLI performs a multipart upload when the file is too large - this requires you to have access to the kms:Decrypt action, as you need to decrypt the KMS key you are using to encrypt the object.
114
A software engineer is developing a serverless application which will use a DynamoDB database. One of the requirements is that each write request should return the total number of write capacity units consumed, with subtotals for the table and any secondary indexes that were affected by the operation. What should be done to accomplish this feature?
Add the 'ReturnConsumedCapacity' parameter with a value of INDEXES in every write request.
115
You have an application using CloudFront that occasionally gives 504 errors. How can you configure CloudFront to avoid this?
Set up origin failover by creating an origin group with two origins - primary and secondary. Should primary origin fail, CloudFront will automatically switch to secondary origin.
116
How can you easily manage multiple cfn templates for different environments, across multiple accounts?
AWS CloudFormation StackSets - Create multiple stacks across regions using a single CFN template.
117
You have an application that must support HTTPS connections. What do you need to do to set up HTTPS connections using a third-party certificate?
- Request an SSL/TLS certificate
- Import that certificate into AWS using either ACM or the IAM certificate store.
118
What is a good number of shards:worker instances when using Kinesis Client Library for managing streams and why?
4:2 - each worker can process multiple shards. 4 shards provide high read/write throughput, and 2 workers provide high availability.
119
How can you enable E2E testing with Cypress on a React application with code hosted in GitHub?
- Connect the GitHub repo to AWS Amplify Hosting
- Update the amplify.yml file with appropriate configuration settings for Cypress.
120
You have an S3 bucket, and you want to retrieve data from it at low latency, with low operating costs, using a structured query language (SQL) to filter the contents of S3 objects and retrieve just the subset of data that you need. What should you use, and what objects can you use this on?
S3 select - can be used on CSV, JSON or Apache Parquet format objects.
121
What are some differences between AWS Athena and S3 Select?
Athena - higher cost, executes bucket-wide statements. S3 Select - lower cost, executes a statement against a given object.
122
What is a key difference between AppSync and Cognito Sync?
AppSync allows multiple users to synchronise and collaborate in real time on shared data; Cognito Sync allows synchronisation of data across devices for a single user.
123
You want to be notified if sensitive parameters that you have stored in Parameter Store have not been rotated within 90 days. What are the requirements for this, and how would you set this up?
You have to use Advanced Tier parameters to use parameter policies (you can be notified about changes or status related to parameter policies, such as when a parameter expires, is going to expire, or hasn't changed for a specified period of time). Set a NoChangeNotification policy with a value of 90 days, and use EventBridge to send a notification via SNS.
124
What does the advanced tier on Parameter store allow?
- 100,000 params stored (as opposed to 10,000 for standard)
- 8 KB params (as opposed to 4 KB for standard)
- Parameter policies
124
You have a Lambda function that requires access to an RDS instance within a private subnet. What two things do you have to do, and why?
- Configure the Lambda function to connect to your VPC. If this is not done, the Lambda cannot access ANY AWS resources within the VPC.
- Provide IAM permissions to access RDS. IAM permissions are not enough on their own - the Lambda would have the correct permissions, but would be unable to connect to any resources within the VPC.
124
Why do DDB global tables not work with Optimistic Locking?
Global tables use 'last writer wins' reconciliation between concurrent updates.
125
What services should you use to coordinate multiple AWS services into serverless workflows?
Step Functions
126
What is TDE, and what does it do?
Transparent Data Encryption - automatically encrypts data before it is written to storage, and decrypts when data is read from storage.
126
Why can you not use RDS encryption to automatically encrypt data before it is written to storage, and decrypt it when data is read from storage?
RDS encryption encrypts your DB instances and snapshots at rest - it does not encrypt/decrypt data before it is written/read from storage.
127
When would you use X-Ray GetTraceSummaries over BatchGetTraces?
GetTraceSummaries retrieves IDs and annotations for traces within a specified time frame, with an optional filter field. BatchGetTraces returns a list of traces specified by ID, but does not support filter expressions, nor returns annotations.
128
What is a high level difference between segments and subsegments wrt. X-Ray?
The segment can be thought of as representing the overall request, with each subsegment breaking down the individual components of that request (i.e., downstream requests vs the actual request to the application).
129
Why can you not use 'aws cloudformation deploy' to deploy local code to AWS, and what should you use instead?
'aws cloudformation deploy' can deploy a stack if your code artifacts are already packaged and uploaded to S3 - it cannot package and upload code itself. 'sam deploy' zips code artifacts, uploads them to S3 and produces a packaged SAM template that is used to deploy the application.
130
What task placement should you use to allow ECS to place instances, following constraints that you have specified both implicitly or explicitly, with the least amount of configuration?
'random' task placement with custom placement constraints - this places tasks on instances at random yet still honours other constraints that you have specified. It also makes sure that instances have enough resources for an additional task.
131
What are the functions of a Lambda runtime?
- Runs the function's setup code - Reads the handler name from an environment variable - Reads invocation events from the Lambda runtime API
132
You need to configure ECS to allow two Docker containers to share log data. Why would you not need two task definitions for this?
You can define a task definition to hold one or more containers, so two definitions is unnecessary.
133
What do 'ModuleNotFoundError' and 'Module cannot be loaded' indicate for Lambda functions, and how would you fix this?
These errors normally surface due to incorrect folder structure or file permissions within the deployment package .zip file. To fix: 1. Install all dependency modules locally into the function project. 2. Build the deployment package by zipping up the project folder for deployment to Lambda. 3. Upload the deployment package.
134
'ModuleNotFoundError' and 'Module cannot be loaded' appears in a Lambda function. Why can you not just import the missing modules in the code?
You will get the same error codes since the Lambda function won't be able to recognise the modules. The module dependencies need to be downloaded and then zipped within the deployment package.
135
You have an application that is expected to consume SQS messages of a large size. What is the max SQS message size, and if a message is over the max size, how should you process it?
256 KB. If a message is over this size, use a combination of S3 and the SQS Extended Client Library for Java - this allows you to send a message that references a message object stored in S3, retrieve the message object, and then delete the message object from S3.
136
How can you validate IAM access for an API call?
- Use IAM Policy Simulator to validate the permission for the IAM role - Run the API call with --dry-run parameter (this checks whether you have the required permissions for the action without actually making the request)
137
How can you create a Stack that defines cloud resources in a desired programming language (as opposed to yaml)?
AWS CDK (Cloud Development Kit) - an open-source framework to provision cloud application resources using programming languages. Under the hood, this just 'compiles' your stack into CloudFormation templates.
138
You have a team of developers, and you need to provide permissions to launch EC2 instances with an instance role that will let them update items on a DDB table. All developers belong to the same IAM group. How can you do this?
Allow EC2 to assume a role that can access the DDB table: - Create an IAM role with permission to access the DDB table - Add EC2 as a trusted entity in the role's trust policy (this allows an EC2 instance to assume the role) - Attach a PassRole policy to the IAM group, which allows the new role with DDB access permission to be passed along
139
What is the difference between terminating a container in ECS with EC2 launch type in the RUNNING state vs STOPPED state?
If RUNNING - will automatically be removed or deregistered from the cluster. If STOPPED - not automatically removed.
140
How can you allow an ALB to obtain all values of a query parameter key that is repeated in a request, e.g., ?name=foo&name=bar, and what happens if you don't enable this?
Enable multi-value header syntax - this allows the ALB to supply these duplicate params in an event object with the format 'name': ['foo', 'bar']. If you don't enable this, the LB will just use the last value of the query parameter.
141
You have an EC2 instance, and are using CodeDeploy to deploy a new version of an application, with the code stored in S3. When might the `DownloadBundle` deployment lifecycle event throw an error?
- The EC2 instance does not have permission to access the code in S3 - An S3 internal error occurs - The instances are associated to one Region, but the S3 bucket that contains the application revision is related to another Region
142
What is the difference between 'sam local invoke' and 'sam local start-lambda'?
'sam local invoke' invokes the Lambda function once; 'sam local start-lambda' starts the Lambda locally as an endpoint (to be called by other services).
143
How can you implement access control on a table in DDB to ensure that a user only has access to their item(s)?
Use conditions - in this case, we can assume that a user has an ID, and that their ID is the partition key (this makes sense as it provides a good distribution across the partition). To do this, we use dynamodb:LeadingKeys, which targets the partition key, and specify the user ID for use.
144
What is a lambda:FunctionUrlAuthType, why might this be useful, and what is the difference between the two conditions?
Lambdas can be called via URL like a simple REST endpoint - the FunctionUrlAuthType specifies what auth to use: NONE or AWS_IAM. NONE means no authorisation required; AWS_IAM means only allow invocation if via an authorised IAM user or role.
145
How can you configure Elastic Beanstalk to allow a multi-container docker environment?
Configure the container definitions in the 'Dockerrun.aws.json' file, placed on the same level where the application file resides (i.e., not in .ebextensions)
146
What are the respective yml files for CodeBuild and CodeDeploy?
CodeBuild - buildspec.yml; CodeDeploy - appspec.yml
147
Which part of which file should you modify when configuring CodeBuild to run with a proxy server?
The proxy element of the buildspec.yml
148
What is the high level setup for running CodeBuild in a proxy server?
- All components are within a VPC - The CodeBuild service is within a private subnet - The proxy server is within a public subnet - There is an internet gateway, allowing traffic to/from the internet
149
What are the steps to allow a production account to delegate S3 access to a development account?
- On the production account, create an IAM role and specify the development account as a trusted entity. - Set the policy that will grant access to S3 for the IAM role created in the production account - Log in to the development account and create a policy that will use STS to assume the IAM role in the production account. Attach the policy to corresponding IAM users.
150
What are the two ways you can authenticate with CodeCommit (HTTPS)?
- Set up a Git credential helper using your access key credentials specified in your AWS credential profile - Generate HTTP Git credentials for AWS CodeCommit. Specify the credentials in the Git Credential Manager
151
You want to view the percentage of used memory and the number of TCP connections of instances inside an Auto Scaling Group. These metrics are to be sent to CloudWatch. What must you do and why?
Create an IAM role with cloudwatch:PutMetricData permission for the new Auto Scaling launch configuration from which you launch instances. You cannot modify existing launch configurations, so you must create a new one and apply it to the ASG.
152
What sections of a CloudFormation template can you and can't you associate with a 'Condition'?
Can: Outputs, Resources. Can't: Parameters.
153
What credentials does IAM for CodeCommit support and not support?
Supports: SSH keys, AWS access keys, Git credentials. Does not support: IAM username and password.
154
What resource types does AWS SAM support?
AWS::Serverless::Api, AWS::Serverless::Application, AWS::Serverless::Function, AWS::Serverless::HttpApi, AWS::Serverless::LayerVersion, AWS::Serverless::SimpleTable, AWS::Serverless::StateMachine
155
You have an API hosted on ECS. Variable traffic spikes on the application are causing order processing time to increase - this causes the number of orders within the SQS queue to increase. What can you do to improve performance, given that you have access to the `ApproximateNumberOfMessagesVisible` metric in CloudWatch?
Use backlog per instance metric with target tracking scaling policy - in this case, the target value being the acceptable backlog per instance to maintain (calculated by number of messages in backlog / ECS fleet running capacity).
156
What is a key difference between step scaling and target tracking?
Step scaling defines thresholds and actions to take at a given threshold (e.g., at 80% CPU utilization, add 20% more instances). Target tracking aims for a particular metric target to be met (e.g., SQS queue backlog per instance).
157
What Elastic Beanstalk deployment policies cause EC2 burst balance to be lost?
- Managed platform updates with instance replacement enabled - Immutable updates - Deployments with immutable updates or traffic splitting enabled (behind the scenes for traffic splitting - such as canary or blue/green - Beanstalk launches a full new set of instances)
158
What header would you include with an S3 PutObject operation to force encryption at rest with Amazon S3-managed keys?
x-amz-server-side-encryption: AES256 - instructs S3 to use the AES-256 encryption cipher.
159
How can you enable an IAM user to access AWS Billing and Cost Management?
- Provide the IAM policy to access Billing and Cost Management - Activate IAM user access to the Billing and Cost Management console for the user
160
What should you do to control access to an API Gateway API using a 3rd party authorisation mechanism?
Use a Lambda authorizer - allows custom authorisation schemes for API Gateway, where API Gateway calls the Lambda authorizer with the caller's identity, and the authorizer returns an IAM policy.
161
You want to set up member access to user-specific folders in an Amazon S3 bucket - bucket-a. So, user x can only access files in his folder - bucket-a/user/user-x/ and user y can only access files in her folder - bucket-a/user/user-y/ and so on. How would you achieve this?
Use IAM policy variables. E.g., Condition: { "StringLike": { "s3:prefix": [ "user/${aws:username}/" ] } }. The aws:username variable ensures that each user can only access the folder whose name matches their own username.
162
What is the order of steps to be followed for creating an app using AWS CDK?
Create the app from a template provided by AWS CDK -> Add code to the app to create resources within stacks -> Build the app (optional) -> Synthesize one or more stacks in the app -> Deploy stack(s) to your AWS account
163
What is the difference between Access advisor and IAM Access analyser?
IAM Access Analyser - Allows you to identify access to your AWS resources that is outside your defined boundary (zone of trust - this can be an organisation or an AWS account). Access advisor - identify unused IAM roles via timestamp of last request made using that role.
164
What are some differences between immutable and blue/green deployments?
Immutable - a new ASG is created alongside the old one within the same environment. As soon as the first instance is created, it begins to serve traffic. When all new instances are healthy, the old ones are switched off. Blue/Green - a new environment is created from scratch (using a new load balancer). The switch is performed at DNS level, routing traffic from the old to the new env. when the new env. is healthy.
165
What two things must you do to a Network ACL to enable a connection to a service running on an EC2 instance from the internet?
To enable the connection to a service running on an instance, the associated network ACL must allow both: 1. Inbound traffic on the port that the service is listening on. 2. Outbound traffic to ephemeral ports.
166
An Auto Scaling group has a maximum capacity of 3, a current capacity of 2, and a scaling policy that adds 3 instances. When executing this scaling policy, what is the expected outcome and why?
When a scaling policy is executed, if the capacity calculation produces a number outside of the minimum and maximum size range of the group, Amazon EC2 Auto Scaling ensures that the new capacity never goes outside of the minimum and maximum size limits. Hence, the ASG only adds one instance to the group.
167
You have created a continuous delivery service model with automated steps using AWS CodePipeline. Your pipeline uses your code, maintained in a CodeCommit repository, AWS CodeBuild, and AWS Elastic Beanstalk to automatically deploy your code every time there is a code change. However, the deployment to Elastic Beanstalk is taking a very long time due to resolving dependencies on all of your 100 target EC2 instances. Which of the following actions should you take to improve performance with limited code changes?
Bundle the dependencies in the source code during the build phase of CodeBuild
168
What are the limits on the number of stored and in-flight messages in SQS?
No limit for stored, ~120,000 for in-flight
169
What is the difference between using a signed URL and signed cookies in CloudFront?
Signed URL provides access to a single file. Signed cookies allow access to multiple files when you don't want to change the URL. (Signed URLs take precedence over signed cookies - if you provide a signed URL with signed cookies, you will only get the file corresponding to the URL).
170
How would you re-use ssh key-pairs across multiple instances and regions?
Generate a public ssh key from the private key, and then import the key into each of the desired regions
171
How does CloudFront use key pairs to create signed URLs?
The public key of the key pair is stored in CloudFront. The private key is used to sign a portion of the URL
172
How many CloudFront key pairs can the root user of an AWS account have, and how can you allow for more key pairs?
2. For more, use CloudFront key groups - allows you to associate up to 4 key groups with a distribution, and up to 5 keys per group
173
What is the difference between provisioned and reserved concurrency for Lambda?
Provisioned - the number of pre-initialised execution environments for your function (used to reduce latency). Reserved - concurrency that cannot be allocated to any other function than the one specified; it also dictates the maximum number of concurrent instances for that function.
174
How does port mapping differ between ALB and CLB?
CLB - only supports static port mapping, meaning that you cannot run multiple copies of a task on the same instance, due to a conflict of ports. ALB - allows dynamic port mapping, meaning that you are able to run multiple copies of a task on the same instance.
175
What is the maximum Lambda function container image size?
10GB
176
Above what size payload should you use envelope encryption?
4 KB
177
A diagnostic lab stores its data on DynamoDB. The lab wants to backup a particular DynamoDB table data on Amazon S3, so it can download the S3 backup locally for some operational use. Why can you not use on-demand backups in DDB to achieve this?
On-demand back up stores data in S3, but in buckets that the user is not provided access to.
178
Describe how S3 replication can be configured.
Same-Region Replication and Cross-Region Replication can be configured at bucket level, shared-prefix level or object level using S3 object tags
179
What is the difference between detailed monitoring and high-resolution?
Detailed monitoring - how often the datapoints are reported (every 1 min vs every 5). High-resolution - how granular the metrics are (a metric every 10 seconds vs 30 seconds).
180
What is the retention period for RDS automatic backups, and what is a limitation of this regarding disaster recovery?
0-35 days. Backups are limited to a single region.
181
What are two use cases for ElastiCache?
Read-heavy applications; compute-heavy applications (store objects that are often read in the cache).
182
What can be configured when publishing a custom metric?
Can define own data as a custom metric, along with the resolution of the metric - Can be defined as standard resolution or high-resolution. If high, CloudWatch stores it with a resolution of 1 second.
183
When using CloudTrail with S3, what is a requirement to receiving object-level API access logs when data is read by another AWS account?
The bucket owner also needs to be the object owner to get the object access logs, or must get permissions through the object ACL.
184
How would you encrypt log group data in CloudWatch using a KMS Customer Master Key, and why this approach?
Use the AWS CLI associate-kms-key command and specify the KMS key ARN. Log group data is always encrypted in CloudWatch Logs - you can optionally use KMS for this encryption.
185
You have uploaded a zip file to AWS Lambda that contains code files written in Node.js. When your function is executed you receive the following output, 'Error: Memory Size: 10,240 MB Max Memory Used'. Which of the following explains the problem?
Your function ran out of RAM
186
What does SSE-C mean?
Server Side Encryption with Customer-provided encryption keys
187
Why does S3 reject any requests made over HTTP using SSE-C?
HTTP is not secured. When using SSE-C, you must provide your encryption key as part of the request. AWS will treat this key as compromised when using HTTP, and reject the request.
188
What are the possible target types for an ALB?
Instance, IP and Lambda
189
How can you specify IP addresses as targets for an ALB?
Only from specific CIDR blocks - you can't specify publicly routable IP addresses
190
How can you ensure that source code is encrypted in transit and at rest when using CodeCommit?
No need, repositories automatically encrypt data in transit and at rest with CodeCommit.
191
What service could you use to serve static content from S3 and dynamic content from an ALB while keeping latency low across a global website?
CloudFront with multiple origins (one origin for S3, one for the ALB). CloudFront will use edge locations to serve content via the lowest latency route.
192
How could you collect system memory metrics, such as RAM statistics, from EC2 instances?
Use a cron job on the instances that pushes EC2 RAM stats as a Custom Metric to CloudWatch.
193
How do you set up X-Ray on Docker containers deployed to AWS Fargate?
Deploy the X-Ray daemon agent as a sidecar container, and provide the correct IAM task role to the X-Ray container.
194
How do you set up HTTPS on beanstalk?
Create a config file in the .ebextensions folder to configure the load balancer (assign a server certificate).
195
What CLI options do you use to limit the results of a S3 List call to 100 results per page?
--starting-token and --max-items
196
How can you reduce throttling when using KMS for encryption?
Use the data key caching feature of the AWS Encryption SDK.
197