AWS 22, 23, 24

Question 1

What indicates that a YAML file is a SAM template?

Answer 1

There needs to be a Transform Header

Question 2

What is a Cognito User Pool?

Answer 2

Create a serverless database of users for your web & mobile apps

Question 3

Cognito User Pools integrates with what two services natively?

Answer 3

API Gateway and Application Load Balancer

Question 4

What is Cognito Identity Pools?

Answer 4

Allows us to grant temporary access to AWS resources to users that we do not want to give IAM access to. Either because of size or security concerns

Question 5

Cognito Identity Pools allow for unauthenticated guest access, true or false?

Answer 5

True

Question 6

How does Cognito Identity Pools work with Cognito User Pools?

Answer 6

Users will reach out to Cognito User Pools which will either reach out to an Internal DB of users or Federated login options;
CUP will return a token;
Users will send token to CIP;
CIP will validate with CUP and get temp creds with STS and return the credentials;

Question 7

What is the difference between standard vs express step functions?

Answer 7

Standard workflow has a maximum duration of 1 year and express step functions have and express workflow of 5 minutes;
Express is cheaper;

Question 8

What is AWS STS?

Answer 8

Allows you to grant and temporarily access AWS resources (up to 1 hour)

Question 9

If you don’t know what user or role you are using, what call can you make with STS?

Answer 9

GetCallerIdentity

Question 10

How do we define in IAM roles who can assume the role?

Answer 10

The Principal element in the role’s trust policy

Question 11

What temporary security credentials are returned when you use STS AssumeRole?

Answer 11

Access key ID, secret access key, and a security token

Question 12

What call do we make to STS to get credentials once logged in with MFA?

Answer 12

GetSessionToken

Question 13

What happens when an IAM principal makes an API request to S3 with a bucket policy?

Answer 13

The union of the IAM Policy and the S3 Bucket Policy is examined; an explicit deny on the S3 Bucket Policy overrules everything.

Question 14

An EC2 instance does not have an allowance to access an S3 bucket but the S3 bucket does allow the EC2 instance contact on the bucket policy. What is the outcome?

Answer 14

The EC2 instance will be able to access the S3 bucket.

Question 15

How can we make sure that a user can give an AWS service a role?

Answer 15

We use IAM PassRole and define what we can pass to a service; however, we must have a trust policy on that role which allows it to be given to be used by the service

Question 16

What is the use of Asymmetric keys in KMS?

Answer 16

Used for encryption outside of AWS by users who can’t call KMS API

Question 17

Up to what sizse limit for data can KMS encrypt per call?

Answer 17

4KB;

If data is greater than 4 KB, we use envelope encryption

Question 18

Which API allows us to use the envelope encryption technique?

Answer 18

GenerateDataKey API

Question 19

We have reached our KMS request quota. What should we do?

Answer 19

If it is a temporary or only happens a few times, implement an exponential backoff strategy. If it happens a lot, we can reach out to the API or support and increase the request quota

Question 20

How do we force SSL for S3 bucket?

Answer 20

Create an S3 bucket policy that has a DENY when condition aws:SecureTransport = false

Question 21

Why would you choose Secrets Manager over SSM Parameter Store?

Answer 21

Secrets manager is usually used for RDS and can rotate secrets;
Secrets manager costs more money;
In Secrets Manager KMS encryption is mandatory;

Question 22

We would like to audit the values of an encryption value over time. What should we use?

Answer 22

Parameter store

Question 23

How to encrypt existing CloudWatch logs?

Answer 23

Encrypt them with the associate-kms-key API call

Question 24

AWS Certificate Manager loads SSL certificates on what integrations?

Answer 24

Load Balancers (including EB)
CloudFront distributions
APIs on API Gateways