A Cloud Guru Test Flashcards

1
Q

How can you configure CodeBuild to notify the DevOps team of a failure in the build process?

A

Use CloudWatch Events and an SNS topic to notify subscribers of build events. CodeBuild natively supports CloudWatch Events, and SNS is a subscription based notification service that integrates with CloudWatch.

2
Q

Which service enables you to automatically build, test and release new software whenever a developer makes an update to their code?

A

CodePipeline. CodePipeline automates the build and test phases, and can also be used to deploy, every time there is a code change, based on the release model you define.

3
Q

What services are compatible with CodeDeploy managed deployments?

A

CodeDeploy supports EC2, ECS (both EC2 and Fargate), Lambda and on-premises servers.

4
Q

A developer needs to share an EBS volume with a second AWS account. What actions need to be performed to accomplish this task in the most optimal way?

A

It is not possible to directly share an EBS volume with another account. To accomplish the task, you must create a snapshot of the EBS volume and grant the second AWS account permission to use that snapshot.

5
Q

An organization has mandated that all data within its DynamoDB tables must be encrypted at rest using an AWS owned key. What must a developer do to ensure this?

A

There’s no need to do anything; all DynamoDB tables are encrypted at rest with an AWS owned key by default. Non-encrypted DynamoDB tables are no longer supported in AWS.

6
Q

What is canary deployment?

A

With canary deployment, traffic is shifted in two increments. The options specify the percentage of traffic that’s shifted to your updated Lambda function version in the first increment, and the interval, in minutes, before the remaining traffic is shifted in the second increment.

E.g.:
Canary10Percent30Minutes

7
Q

What is linear deployment?

A

Linear deployment is when traffic is shifted in equal increments with an equal number of minutes between each increment.

E.g.:
Linear10PercentEvery1Minute

8
Q

What is all at once deployment?

A

All traffic is shifted from the original Lambda function to the updated Lambda function version at once.

9
Q

How do you deploy a serverless application gradually?

A

If you use AWS SAM to create your serverless application, it comes with built-in CodeDeploy to ensure safe Lambda deployments. In the SAM template, you can specify the AutoPublishAlias and the DeploymentPreference.

AutoPublishAlias detects when new code is being deployed, and creates and publishes an updated version of that function with the latest code. It automatically creates an alias that points to the updated version of the Lambda function.

In the DeploymentPreference type, you can specify canary, linear or all at once.

10
Q

What is the Lambda IteratorAge metric?

A

For stream-based invocations, Lambda emits the IteratorAge metric. The IteratorAge metric is the time between when the last record in a batch was recorded and when Lambda reads the record. In general, iterator age increases when a function can’t keep up with processing the amount of data that is being written to the streams.

11
Q

What’s the proper way of storing a credit card number that a Lambda function needs to use?

A

You can store it as an environment variable; however, you should encrypt it before deploying, because the default encryption occurs after deployment, not during it.

12
Q

How can my AWS Lambda function customize its behavior to the device and app making the request?

A

When called through the AWS Mobile SDK, Lambda functions automatically gain insight into the device and application that made the call through the ‘context’ object.

13
Q

What happens if your Lambda code is too large?

A

It will trigger a code storage exception error.

14
Q

What is the PreconditionFailedException (HTTP status code 412) in Lambda?

A

Lambda throws a PreconditionFailedException when the RevisionId you supply does not match the latest RevisionId for the Lambda function or alias. Call the GetFunction or GetAlias API to retrieve the latest RevisionId for your resource.

This error is often used as protection against a race condition when multiple people are working on the same function.

15
Q

What happens if most or all clients of an API invalidate the cache?

A

It could significantly increase the latency of your API. You can either impose an InvalidateCache policy, or choose the Require authorization checkbox in the console.

16
Q

What is a cross-origin HTTP request?

A

A cross-origin HTTP request is one that is made to:

  • a different domain
  • a different subdomain
  • a different port
  • a different protocol

17
Q

What is a simple HTTP request?

A

An HTTP request is simple if all of the following conditions are true:

  • It is issued against an API resource that allows only GET, HEAD and POST requests.
  • If it is a POST method request, it must include an Origin header.
  • The request payload content type is text/plain, multipart/form-data, or application/x-www-form-urlencoded.
  • The request does not contain custom headers.

18
Q

What’s required for a response to a simple cross-origin POST method request?

A

For a simple cross-origin POST method request, the response from your resource needs to include the header Access-Control-Allow-Origin.

19
Q

What is a symmetric key?

A

When you create a customer master key (CMK) in KMS, by default, you get a symmetric CMK. Symmetric keys are used in symmetric encryption, where the same key is used for encryption and decryption.

AWS services that are integrated with KMS use symmetric CMKs to protect your data. These services do not support asymmetric CMKs.

20
Q

You have used a CMK to create a data key using the GenerateDataKey operation to encrypt your application’s data using envelope encryption. You have been asked to provide temporary secure access to external auditors so that they can audit the data stored. These auditors should be able to immediately gain access to your data. What is the most effective and efficient way of achieving this?

A

Create a grant for the decrypt and re-encrypt operations, and use the grant tokens returned by the CreateGrant request. Passing the grant tokens mitigates the potential delay before the grant takes effect and gives immediate access. The Decrypt operation is needed for the auditors to decrypt and re-encrypt this data.

21
Q

What is data key caching?

A

Data key caching lets you reuse the data keys that protect your data, instead of generating a new data key for each encryption operation.

Data key caching can reduce latency, improve throughput and reduce cost. In particular, caching might help if your application is hitting the KMS requests-per-second limit and raising the limit does not solve the problem.

However, these benefits come with some security tradeoffs. Encryption best practices generally discourage extensive reuse of data keys.

22
Q

What’s the LocalCryptoMaterialsCache?

A

To make data key caching easier to implement, the AWS Encryption SDK provides LocalCryptoMaterialsCache, an in-memory, least-recently-used cache with a configurable size.

23
Q

You’re the lead developer for a company that uses KMS to decrypt passwords from an RDS MySQL database using an asymmetric CMK. While decrypting the data you receive an InvalidCipherTextException error. What could have caused this error?

A

The EncryptionAlgorithm parameter is set to its default value. Asymmetric CMKs cannot use the default algorithm, because the default algorithm is used for symmetric keys only. For symmetric CMKs, the default value would work.

24
Q

How do you control the behaviors of your API's backend interactions?

A

You control the behaviors of your API's backend integrations by setting up the integration request and integration response. These involve data mappings between a method and its corresponding integration.

25
Q

What are the two ways to configure server-side encryption for S3 artifacts?

A

AWS CodePipeline creates an S3 artifact bucket and default AWS-managed SSE-KMS encryption keys when you create a pipeline using the Create Pipeline wizard. The master key is encrypted along with object data and managed by AWS.

OR

You can create and manage your own customer-managed SSE-KMS keys.

26
Q

How is data encrypted using envelope encryption?

A

First, the data is encrypted using a plaintext data key. The data key is then further encrypted using a plaintext master key.

27
Q

You have a number of Lambda functions that need to be developed using AWS CodeDeploy. The Lambda functions have gone through multiple code revisions and versioning in Lambda is being used to maintain the revisions. Which of the following must be done to ensure that the right version of the function is deployed in AWS CodeDeploy?

A. Specify the version to be deployed in the AppSpec file.
B. Specify the version to be deployed in the BuildSpec file.
C. Create a Lambda function environment called ‘VER’ and mention the version that needs to be deployed.
D. Create an ALIAS for the Lambda function. Mark this as the recent version. Use this ALIAS in CodeDeploy.

A

A. Specify the version to be deployed in the AppSpec file.

If your application uses the AWS Lambda compute platform, the AppSpec file can be formatted with either YAML or JSON. It can also be typed directly into an editor in the console. The AppSpec file is used to specify: the AWS Lambda Function version to deploy, and the functions to be used as validation tests.

28
Q

You are in charge of deploying an application that will be hosted on an EC2 instance and sit behind an Elastic Load Balancer. You have been requested to monitor the incoming API connections to the Elastic Load Balancer. Which of the below options can suffice this requirement?

A. Use AWS CloudTrail with your load balancer.
B. Enable access logs on the load balancer.
C. Use a CloudWatch Logs Agent by installing on EC2.
D. Create a custom metric CloudWatch filter on your load balancer.

A

B. Enable access logs on the load balancer.

Elastic Load Balancing provides access logs that capture detailed information about requests sent to your load balancer. Each log contains information such as the time the request was received, the client’s IP address, latencies, request paths, and server responses. You can use these access logs to analyze traffic patterns and troubleshoot issues.

29
Q

How do you resolve a LambdaThrottledException while using Cognito Events?

A

To resolve a LambdaThrottledException while using Cognito Events, you need to implement retries on sync operations when writing the Lambda function.

30
Q

What is Cognito Events?

A

Cognito Events allows you to execute an AWS Lambda function in response to important events in Amazon Cognito. Cognito raises the Sync Trigger event when a dataset is synchronized. You can use the Sync Trigger event to take an action when a user updates data. The function can evaluate and optionally manipulate the data before it is stored in the cloud and synchronized to the user’s other devices, or update other values in the dataset based on incoming data, such as issuing an award when a player reaches a new level.

31
Q

How would you go about securing a CI/CD pipeline that uses resources created or managed by another AWS account?

A

In some cases, you want to create a pipeline that uses resources that are created or managed by another AWS account. E.g., you might want to use one account for your pipeline and another for your AWS CodeDeploy resources. To do so, you must create an AWS Key Management Service (KMS) key to use, add the key to the pipeline, and set up account policies and roles to enable cross-account access.

32
Q

Can you use the customer master key to encrypt and decrypt your data?

A

No, you should never use your customer master key directly to encrypt/decrypt your data.

33
Q

How do you protect your encryption key?

A

When you encrypt your data, your data is protected, but you have to protect your encryption key. One strategy is to encrypt it. Envelope encryption is the practice of encrypting plaintext data with a data key, and then encrypting the data key under another key. You can even encrypt the data encryption key under another encryption key, and encrypt that encryption key with another encryption key. But, eventually, one key must remain in plaintext so that you can decrypt the keys and your data. This top-level plaintext key encryption key is known as the master key.

34
Q

What does AWS Key Management Service do?

A

AWS KMS helps you protect your master keys by storing and managing them securely. Master keys stored in AWS KMS, known as customer master keys (CMKs), never leave KMS unencrypted. To use an AWS KMS CMK, you must call KMS.

35
Q

What is a Lambda alias and how are they used?

A

A Lambda alias is like a pointer to a specific Lambda function version. Users can access the function version using the alias ARN. An alias can only point to a function version, not another alias. You can update an alias to point to a new version of the function.

Event sources such as S3 invoke your Lambda function. These event sources maintain a mapping that identifies the function to invoke when events occur. If you specify a Lambda function alias in the mapping configuration, you don’t need to update the mapping when the function version changes.

36
Q

What are routing configurations used for?

A

Use routing configurations on an alias to send a portion of traffic to a second version. E.g., you can reduce the risk of deploying a new version by configuring the alias to send most of the traffic to the existing version, and only a small percentage of traffic to the new version.

You can point an alias to a maximum of two Lambda function versions.

37
Q

How do you configure alias routing?

A

Use the create-alias and update-alias commands to configure the traffic weights between two function versions. When you create or update the alias, you specify the traffic weight in the routing-config parameter.

38
Q

What do you need to do while enabling CORS on resources using API Gateway for all responses apart from 200 response of the OPTIONS method?

A

While enabling CORS on resources using API Gateway, for all responses apart from the 200 response of the OPTIONS method, you need to manually configure the responses to return an Access-Control-Allow-Origin header set to ‘*’ or to specific origins, so that pre-flight handshakes succeed.

39
Q

A company is developing an application which interacts with a DynamoDB table. There is now a security mandate that all data must be encrypted at rest. How can you achieve this requirement?

A. Enable encryption using AWS owned CMK
B. Enable encryption using AWS managed CMK
C. Enable encryption using client keys
D. Enable your application to use the SDK to decrypt the data.

A

A & B. Enable encryption using AWS owned and AWS managed CMKs.

DynamoDB encryption is mandatory at the time of table creation itself and comes in two types: the default method, which uses an AWS owned CMK, and the KMS method, which uses an AWS managed key.