acloudguru Flashcards

1
Q

You previously used access keys to access S3 from an EC2 instance, but changed to a role.

But you still cannot connect.

What could be a reason?

A

The credentials are still stored in /.aws and need to be deleted first.

2
Q

How to encrypt a volume currently attached to an instance?

A
  • Create a snapshot
  • Copy the snapshot (same region) and choose “Encrypt this snapshot”

3
Q

How to create multiple AWS CLI profiles (for example with different roles)

A

aws configure --profile my_other_profile

4
Q

What is the API call to obtain a session for MFA for CLI/SDK?
And what is returned?

A

STS GetSessionToken
aws sts get-session-token --serial-number [your device] --token-code [current code] --duration-seconds [ttl]

SecretAccessKey
SessionToken
Expiration
AccessKeyId

5
Q

What should be done when an “intermittent error” occurs?

A

Implement Exponential Backoff, since a rate limit for API calls has been hit

6
Q

What is “Exponential Backoff”?

A

On failed API calls, the wait time before the next call is increased after each failure.
1s -> 2s -> 4s -> 8s

7
Q

What is the chain of priorities for CLI credentials?

A
  1. CLI options
  2. ENV variables (AWS_ACCESS_KEY_ID, ...)
  3. CLI credentials file
  4. CLI configuration file
  5. Container credentials
  6. Instance Profile credentials
8
Q

What are the options for SigV4 signing?

A

Using HTTP Header

Using query string options

9
Q

For which actions is MFA delete (if enabled) necessary?

A
  • Permanently delete a version
  • Suspend versioning

10
Q

S3: How are deletes on a CRR bucket handled?

A

By default, delete markers are not replicated, but this can be enabled.

11
Q

S3: Is it possible to chain replication across three regions?

A

No.

12
Q

Lambda: What is needed to connect Lambda to a file system?

A

A connection to a VPC

13
Q

CodeCommit: What are the three merge strategies?

A

Fast forward merge

Squash and merge

3-way merge

14
Q

CodeCommit: What are approval rules?

A

A rule that specifies how many developers must approve a pull request before it can be merged.

Possible to specify who counts for the voting

Possible to specify the branches

15
Q

What is CodeArtifact?

A

Repository for storing build artifacts (like jar files)

16
Q

CodeBuild: what should be enabled to visualize the status of the build?

A

BuildBadge

17
Q

CodeBuild: What can be a source provider?

A

CodeCommit
S3
GitHub

18
Q

CodeBuild: What are the two authentication methods for GitHub?

A

Personal Token

OAuth

19
Q

CodeBuild: What are the three options to reference the right code in CodeCommit?

A

Branch
Commit ID
Git Tag

20
Q

CodeBuild: What can be done to troubleshoot a running build job?

A

Use the CLI and utilize the codebuild-breakpoint command

21
Q

CodeBuild: what are the four phases in the BuildSpec?

A

install
pre_build
build
post_build

22
Q

CodeDeploy: What are the Compute platforms for an application?

A

OnPremise
EC2
Lambda
ECS

23
Q

CodeDeploy: Which are the two methods of deployment?

A

In-Place (not for lambda)

Blue/Green

24
Q

CodeDeploy: What are the four parts of the appspec file?

A

Version
Files
OS
Hooks

25
Q

CodeDeploy: What are the 13 appspec hooks?

A
ApplicationStop
DownloadBundle
BeforeInstall
Install
AfterInstall
ApplicationStart
ValidateService
BeforeBlockTraffic
BlockTraffic
AfterBlockTraffic
BeforeAllowTraffic
AllowTraffic
AfterAllowTraffic
26
Q

S3: What is needed for Static Website Hosting?

A

Public S3 Bucket
Bucket Policy
index.html file (does not need to be named index.html)

27
Q

Cloudformation: What is a Stack Policy?

A

Defines the resources that you want to protect from unintentional updates during a stack update.

28
Q

CloudFormation: What are the four operations of a change set?

A

Create
View
Execute
Delete

29
Q

API Gateway: What is a Resource Policy?

A

A Resource Policy is a JSON policy document that you attach to an API to control whether a specified principal (typically an IAM user or role) can invoke the API. You can use a Resource Policy to enable users from a different AWS account to securely access your API or to allow the API to be invoked only from specified source IP address ranges or CIDR blocks. Resource Policies can be used with REST APIs in Amazon API Gateway.

30
Q

API Gateway: What is the HTTP code for a request dropped due to throttling?

A

HTTP 429 Too Many Requests

31
Q

API Gateway: Does Amazon API Gateway provide API result caching?

A

Yes:

  • specify its size in gigabytes
  • TTL
  • provisioned for a specific stage
32
Q

API Gateway: Can you change a public or private API endpoint type in API Gateway?

A

Yes, it will take up to 60s.

The following endpoint type changes are supported:

  • From edge-optimized to regional or private
  • From regional to edge-optimized or private
  • From private to regional

You cannot change a private API into an edge-optimized API.

33
Q

API Gateway: What are the three types of endpoints?

A

Edge-optimized API endpoints

  • best for geographically distributed clients
  • routed to the nearest CloudFront Point of Presence

Regional API endpoints

  • clients in the same region

Private API endpoints

  • can only be accessed from your Amazon Virtual Private Cloud (VPC) using an interface VPC endpoint

34
Q

Kinesis: What are the three factors that determine the number of shards necessary?

A
Record size (in KB)
Writes per second
35
Q

Kinesis: How many shards are necessary for 300 writes/sec on 50kb size?

A

15

(300*50) / 1000

36
Q

Kinesis: What are the limits per shard?

A

1000kb / 1000 writes per second

37
Q

Kinesis: What are the three types of producers?

A

Amazon Kinesis Agent
AWS SDK
Amazon Kinesis Producer Library (KPL)

38
Q

IAM: Which three ways can you authenticate a MFA device?

A

AWS Management Console, API, CLI

39
Q

IAM: What consistency level does IAM utilize?

A

IAM is eventually consistent.

40
Q

IAM: What is a principal?

A

An entity that can take an action on an AWS resource.

IAM users, roles, federated users, and applications are all AWS principals.

41
Q

IAM: Can you specify a wildcard (*) as the principal for a role?

A

No, Wildcards (*) cannot be specified as a principal.

42
Q

IAM: What is a Trust policy?

A

Specifies the trusted accounts that are allowed to assume the role.

43
Q

IAM: What are the three types of policies?

A

Managed policies | Customer managed policies | Inline policies

Managed Policy:

  • Created and administered by AWS.
  • Used for common use cases based on job function
  • Cannot change the permissions assigned.

Customer Managed Policy:

  • Standalone policy that you create and administer in your own AWS account.

Inline Policy:

  • Strict 1:1 relationship between the entity and the policy.
  • When you delete the user, group or role in which the inline policy is embedded, the policy will also be deleted.
  • In most cases, AWS recommends using Managed Policies instead of inline policies.
44
Q

IAM: How to get information about an instance profile

A

aws iam get-instance-profile

45
Q

CloudFront: What can be an origin?

A

Origins can be either

  • an S3 bucket
  • an EC2 instance
  • an Elastic Load Balancer
  • Route 53
  • can also be external (non-AWS).
46
Q

CloudFront: What is the default caching time?

A

Objects are cached for 24 hours by default.

47
Q

DynamoDB: What IAM Policies are allowed?

A

DynamoDB supports identity-based policies.

DynamoDB doesn’t support resource-based policies.

48
Q

DynamoDB: What is a composite key?

A

Partition key + Sort key(s)

49
Q

DynamoDB: What can negatively affect read/write capabilities?

A
  • Uneven distribution of data due to the wrong choice of partition key.
  • Frequent access of the same key in a partition (the most popular item, also known as a hot key).
  • A request rate greater than the provisioned throughput.
50
Q

DynamoDB: What are the best practices for partition keys?

A
  • Use high-cardinality attributes – e.g. e-mailid, employee_no, customerid, sessionid, orderid, and so on.
  • Use composite attributes – e.g. customerid+productid+countrycode as the partition key and order_date as the sort key.
  • Cache popular items – use DynamoDB accelerator (DAX) for caching reads.
  • Add random numbers or digits from a predetermined range for write-heavy use cases – e.g. add a random suffix to an invoice number such as INV00023-04593
51
Q

DynamoDB: What are the disadvantages of Strongly consistent reads?

A
  • A strongly consistent read might not be available if there is a network delay or outage. In this case, DynamoDB may return a server error (HTTP 500).
  • Strongly consistent reads may have higher latency than eventually consistent reads.
  • Strongly consistent reads are not supported on global secondary indexes.
  • Strongly consistent reads use more throughput capacity than eventually consistent reads.
52
Q

DynamoDB: How to enable Strongly Consistent Reads?

A

You can configure strongly consistent reads with the GetItem, Query and Scan APIs by setting the --consistent-read (or ConsistentRead) parameter to “true”.

53
Q

DynamoDB: What are the API calls for transactions?

A

TransactWriteItems / TransactGetItems

54
Q

DynamoDB: Why are transactions more costly?

A

DynamoDB performs two underlying reads or writes of every item in the transaction: one to prepare the transaction and one to commit the transaction.

55
Q

DynamoDB: How is a Scan operation limited?

A

A single Scan operation reads up to the maximum number of items set (if using the Limit parameter) or a maximum of 1 MB.

56
Q

DynamoDB: How can you limit the returned attributes on a scan operation?

A

You can use the ProjectionExpression parameter

57
Q

DynamoDB: What is a filter expression?

A

Used in scans to filter out unwanted items

NOTE: done after the scan and before the values are returned.

58
Q

DynamoDB: A Scan is slow, how to speed it up?

A

For faster performance on a large table or secondary index, applications can request a parallel Scan operation by providing the Segment and TotalSegments parameters.

59
Q

DynamoDB: Is it possible to use strongly consistent reads on a scan operation?

A

Yes, but not by default.
If you need a consistent copy of the data as of the time the Scan begins, you can set the ConsistentRead parameter to true.

60
Q

DynamoDB: What is a query operation?

A

A query operation finds items in your table based on the primary key attribute and a distinct value to search for.

61
Q

DynamoDB: How are query operation results sorted? And how to reverse the order?

A

Results are always sorted by the sort key.

You can reverse the order by setting the ScanIndexForward parameter to false.

62
Q

DynamoDB: How to reduce the impact of a scan/query operation?

A

Setting a smaller page size which uses fewer read operations. A larger number of smaller operations will allow other requests to succeed without throttling.

63
Q

DynamoDB: What are the key facts for Local Secondary Indices?

A
  • uses the same Partition Key, but a different Sort Key
  • up to five LSIs per table
  • must be created at table creation time
  • has the same partition key as the original table
64
Q

DynamoDB: What are the key facts for Global Secondary Indices?

A
  • basically a completely new table, but with the same data
  • can be created at any time
  • has a different partition key and sort key
  • RCU / WCU must be defined (can be changed)
  • If writes are throttled on the GSI, the main table will be throttled
65
Q

DynamoDB: What should be considered when choosing RCU/WCU for a GSI?

A

You typically need to ensure that you have at least the same, or more, RCU/WCU specified in your GSI as in your main table to avoid throttling on your main table.

66
Q

DynamoDB: How are RCUs used?

A
  • Used in 4KB increments
  • One strongly consistent read per increment
  • Two eventual consistent reads per increment
  • Twice the RCUs for transactional operations

Example: a strongly consistent read of an 8 KB item would require two RCUs, an eventually consistent read of an 8 KB item would require one RCU, and a transactional read of an 8 KB item would require four RCUs.

67
Q

DynamoDB: How are WCU used?

A
  • Used in 1KB increments
  • Transactional will double the needs

For example, a standard write request of a 1 KB item would require one WCU, a standard write request of a 3 KB item would require three WCUs, and a transactional write request of a 3 KB item would require six WCUs.

68
Q

DynamoDB: What are Replicated write capacity unit (rWCU)?

A
  • When using DynamoDB global tables, your data is written automatically to multiple AWS Regions of your choice.
  • Each write occurs in the local Region as well as the replicated Regions.
69
Q

DynamoDB: What is write-through caching, and who uses it?

A

DAX is a write-through caching service – this means the data is written to the cache as well as the back end store at the same time.

70
Q

DynamoDB: What are the key facts for DynamoDB Streams?

A
  • stores change records in a log for up to 24 hours
  • stream can be an event source for Lambda
  • enabled with StreamEnabled = true
  • StreamViewType handles which data is written to the stream (KEYS_ONLY, NEW_IMAGE, OLD_IMAGE, NEW_AND_OLD_IMAGES)
71
Q

DynamoDB: What are the (six) API calls for writing data?

A
  • PutItem – create data or full replacement (consumes WCU).
  • UpdateItem – update data, partial update of attributes (can use atomic counters).
  • Conditional writes – accept a write / update only if conditions are met.
  • DeleteItem – delete an individual row (can perform conditional delete).
  • DeleteTable – delete a whole table (quicker than using DeleteItem on all items).
  • BatchWriteItem – can put or delete up to 25 items in one call (max 16MB write / 400KB per item).
72
Q

DynamoDB: What are the (six) API calls for reading data?

A
  • GetItem – read based on primary key (eventually consistent by default, can request strongly consistent read). Projection expression can be specified to include only certain attributes.
  • BatchGetItem – up to 100 items, up to 16MB per item. Items are retrieved in parallel to minimize latency.
  • Query – return items based on PartitionKey value and optionally a sort key. FilterExpression can be used for filtering. Returns up to 1MB of data or number of items specified in Limit. Can do pagination on results. Can query table, local secondary index, or a global secondary index.
  • Scan – scans the entire table (inefficient). Returns up to 1MB of data – use pagination to view more results. Consumes a lot of RCU. Can use a ProjectionExpression + FilterExpression.
73
Q

DynamoDB: What is Optimistic Locking?

A

Optimistic locking is a strategy to ensure that the client-side item that you are updating (or deleting) is the same as the item in Amazon DynamoDB.

74
Q

DynamoDB: What are Conditional Updates?

A

You can optionally specify a condition expression to determine which items should be modified.

If the condition expression evaluates to true, the operation succeeds; otherwise, the operation fails.

75
Q

CloudWatch: How to delete a metric?

A

Metrics cannot be deleted but automatically expire after 15 months.

76
Q

CloudWatch: Which attributes describe a metric?

A

Metrics are uniquely defined by a name, a namespace, and zero or more dimensions.

77
Q

CloudWatch: How long does CW store metrics when pushed every minute?

A

15 days

78
Q

CloudWatch: What is a statistic set?

A

An aggregated set of data points

79
Q

CloudWatch: For which times can you set an alarm for a high-resolution metric?

A

If you set an alarm on a high-resolution metric, you can specify a high-resolution alarm with a period of 10 seconds or 30 seconds, or you can set a regular alarm with a period of any multiple of 60 seconds.

80
Q

CloudWatch: What is a namespace?

A

Metrics in different namespaces are isolated from each other, so that metrics from different applications are not mistakenly aggregated into the same statistics.

81
Q

CloudWatch: What is a dimension?

A

An Attribute that further describes the environment, such as instance ID, or instance type

82
Q

CloudFormation: What is the use of Fn::ImportValue

A

Returns the value of an output exported by another stack.

83
Q

CodeBuild: How can you define environment variables?

A
  • directly in plain text
  • using the SSM Parameter Store

84
Q

CodeBuild: What are the four phases?

A

Install: install dependencies you may need for the build.
Pre-build: final commands to execute before build.
Build: actual build commands.
Post build: finishing touches (e.g. zip file output).

85
Q

CodeDeploy: Which are the two types of deployment?

A
In Place (only EC2)
Blue/Green
86
Q

X-Ray: What is a segment?

A

Set of data points, for example a HTTP Request, which contains information about the host, the request, the response and errors

87
Q

Security - S3:

How to make sure that SSL is used in transport?

A

Use a deny with a condition for “aws:SecureTransport”

88
Q

Security - S3:

What is not replicated in “Cross Region Replication”?

A
  • Anything before the option is turned on
  • Objects encrypted with SSE-C
  • Objects encrypted with SSE-KMS - if not specifically enabled
  • If bucket owner differs from source to destination
  • If a particular version is deleted
89
Q

Security - S3:

How to force the use of CloudFront (instead of S3) before/after creating a CloudFront distribution?

A

Before: Enable “Restrict Bucket Access”

After: Distribution -> Origins -> “Restrict Bucket Access” + select Origin Access Identity (a special CF user) + Update Read Permissions on Bucket

90
Q

Which of the following two policies work in combination to define who or what can access an S3 bucket?

S3 Access Control Policies
IAM Policy
S3 Object Policy
S3 Bucket Policy

A

S3 Bucket Policy
IAM Policy

An IAM Policy is an entity that, when attached to an identity or resource, defines their permissions. A Bucket Policy is a resource-based AWS Identity and Access Management (IAM) policy. You add a bucket policy to a bucket to grant other AWS accounts or IAM users access permissions for the bucket and the objects in it. IAM Policies and Bucket Policies work together in combination to determine who or what can access an S3 bucket and what actions they are allowed to take.

91
Q

Which elements are returned by the GetFederationToken service?

User name, temporary password, SAML token
A presigned url, secret access key, session token
Access key, secret access key, presigned url
Access key ID, secret access key, security token

A

Access key ID, secret access key, security token
GetFederationToken returns a set of temporary security credentials (consisting of an access key ID, a secret access key, and a security token) for a federated user.

Reference: https://docs.aws.amazon.com/STS/latest/APIReference/API_GetFederationToken.html

92
Q

Which of the following can you achieve using Amazon Cognito?

Anonymous guest access to your web application
Federated access to your web application for Facebook users
Federated access to your web application for Active Directory using SAML
Self-service password resets for Facebook users

A

Anonymous guest access to your web application
Federated access to your web application for Facebook users
Federated access to your web application for Active Directory using SAML

Identity pools support anonymous guest users, as well as federation through third-party IdPs. You can leverage Amazon Cognito identity pools to handle unauthenticated users (users who do not authenticate with any identity provider), but instead access your app as a guest. For example, you can define a separate IAM role for these users to provide limited permissions to access your back-end resources.

Amazon Cognito provides authentication, authorization, and user management for your web and mobile apps. Your users can sign in directly with a user name and password, or through a third party such as Facebook, Amazon, or Google.

With Amazon Cognito, your users can sign-in through social identity providers such as Google, Facebook, and Amazon, and through enterprise identity providers such as Microsoft Active Directory using SAML.

93
Q

Which of the following steps would you need to complete in order to configure Cross Region Replication where source and destination buckets are owned by different accounts?

The owner of the source bucket must grant the owner of the destination bucket permissions to replicate objects with a bucket policy AND the owner of the destination bucket must grant the owner of the source bucket permissions to replicate objects with a bucket policy.

The source and destination bucket must be owned by the same account otherwise Cross Region Replication will not work

The owner of the source bucket must grant the owner of the destination bucket permissions to replicate objects with a bucket policy.

The owner of the destination bucket must grant the owner of the source bucket permissions to replicate objects with a bucket policy.

A

The owner of the destination bucket must grant the owner of the source bucket permissions to replicate objects with a bucket policy.

94
Q

To which of the following entities can you attach an IAM Policy?

S3 Buckets
IAM Groups
EC2 Instances
IAM Roles

A

IAM Groups
IAM Roles

You manage access in AWS by creating policies and attaching them to IAM identities (users, groups of users, or roles). A policy is an object in AWS that, when associated with an identity, defines their permissions. You can attach an IAM Policy to a user, group, or role. You can associate a role with an EC2 instance but you cannot attach an IAM Policy directly to the EC2 instance. You cannot attach policies to S3 buckets.

95
Q

The AWS STS API supports which of the following methods of access?

Web Identity Federation
Cross Account Access
Azure AD Federation
Kubernetes Federation
Active Directory Federation

A

The AWS STS API AssumeRoleWithWebIdentity supports Web ID Federation.
The AWS STS API AssumeRole supports Cross Account Access.
The AWS STS API AssumeRoleWithSAML supports Azure AD Federation.
The AWS STS API AssumeRoleWithSAML supports Active Directory Federation.