AWS CLI Flashcards
how are Access and Secret access keys imported for use by the AWS CLI?
the AWS configure command is used to import these
You need to configure the AWS CLI on an eEc2 instance to be able to perform lists against a named S3 bucket. What is the most secure way to do this and why?
You should assign the EC2 instance an IAM role allowing to access the S3 resources. AWS Configure will also work on the machine but it is insecure as it stores these as clear text and anyone with access to that machine will have access to your ENTIRE aws account and can programmatically create ANYTHING.
You have tried to perform a run-instances command on an EC2 instance but receive and error message - An error occurred (UnauthorizedOperation) when calling the RunInstances operation: You are not authorized to perform this operation. Why?
The EC2 instance does not have the correct permissions set up in its IAM Role so cannot execute the run-instances command
You have tried to perform a run-instances command on an EC2 instance but receive and error message. The body of the error message contains an encoded hash of the error message - how do you convert this to clear text and if you are doing this on an EC2 instance, what else do you need to do?
You need to decode the message via the AWS CLI using: aws sts decode-authorization-message command. If you are running this via an EC2 instance, then that instance needs a role and policy assigned to it that can access the STS service.
Do instances need an IAM role assigned to curl 169.254.169.254/latest/meta-data/ ?
No, this is built in and requires no IAM role required
How would you, via a terminal session determine which IAM role an instance has been assigned?
You can use the meta-data service and curl a request to
http://169.254.169.254/latest/meta-data/iam/security-credentials.
You have set up 3 profiles in AWS to cover off three different accounts - ProfileOne, ProfileTwo, ProfileThree.
Write the command do perform an ls to S3 for the account under ProfileThree.
aws s3 ls –ProfileThree
When using the CLI, which API call allows us to use MFA?
the STS GetSessionToken service can be used to generate access key, secret key and a short lived STS token if an MFA device has been set up. The call looks like: aws sts get-session-token –serial-number arn:aws:iam::260783585248:mfa/ScottStevens –token-code 121602
If we wanted to avoid a timeout when reading a large table from dynamoDB via the CLI would you use:
–page-size
or
–max-items –starting-token ?
You would use page-size as this will still return all the items, but send the data back in chunks representing the page size.
–max-items is used for pagination, where we can page through the results based on the number of items to return and a start token.
What would you use a DynamoDB transaction for? What is required for a transaction to be deemed successful?
Transactions manage complex business workflows that require adding, updating, or deleting multiple items both within and across tables they help you to maintain data correctness in your applications. Transactions are all-or-nothing operations - so if we need to write to two tables in the transaction BOTH writes must succeed.
