AWS Dev Practice

Question 1

What are the beanstalk deployment types?

Answer 1

All at once
Rolling
Rolling with additional batch
immutable (blue/green)
traffic splitting

Question 2

EC2 instances in an ASG have only basic monitoring enabled. Why?

Answer 2

The console was used to create the launch configuration

Question 3

Kinesis data streams give a ‘ProvisionedThroughputException’ error. How do we fix it?

Answer 3

Configure data producer to retry w/ exponential backoff

Increase shards

Question 4

Which db engines can use IAM db authentication?

Answer 4

RDS MySQL

RDS PostGreSQL

Question 5

How do you retrieve only some DynamoDB items and not all?

Answer 5

use ProjectionExpression

Question 6

What AWS service uses the appspec.yaml file?

Answer 6

Code Deploy

Question 7

What does the ‘Transform’ section indicate in a CloudFormation template?

Answer 7

It is a SAM template

Question 8

What type of RI can you use in addition to a savings plan?

Answer 8

Zonal RI’s

Question 9

What service can NOT be used to authenticate w/ API gateway?

Answer 9

AWS STS

Question 10

What DynamoDB write option should you use to ensure you don’t overwrite primary key values?

Answer 10

Conditional writes

Question 11

What service gives temporary, limited-privilege credentials to AWS services using 3rd party idP’s?

Answer 11

Cognito Identity pools

Question 12

What are Kinesis Firehose destinations?

Answer 12

S3
Redshift
Elasticsearch
Splunk
Custom HTTP Endpoint

Question 13

How do you make ‘all or nothing’ updates to DynamoDB?

Answer 13

use transactional read/write API’s

Question 14

Can you move an EBS volume between AZ’s?

Answer 14

No

Question 15

What is the limit of stored messages in SQS?

Answer 15

no limit - only ‘in flight’ messages have a limit (120K)

Question 16

What credential type is NOT supported by IAM for CodeCommit?

Answer 16

IAM username and password

Question 17

What are 2 services that can be used to deploy SSL certs?

Answer 17

IAM

Certificate Manager

Question 18

What RI type allows you to change the instance family?

Answer 18

Convertible RI

Question 19

JWT authorizer is used by what?

Answer 19

HTTP API

Question 20

Can ECS or Lambda use in-place deployments with CodeBuild?

Answer 20

No, Blue-green only

Question 21

What are DynamoDB streams?

Answer 21

Info about changes to items in a DynamoDB table

They can be used by other services to perform actions

Question 22

Websocket API’s allow what?

Answer 22

Bi-directional communications

Question 23

What service helps identify unused IAM roles & remove them without disrupting service?

Answer 23

Access Advisor

Question 24

What are 2 ways to authenticate with Cognito User Pools?

Answer 24

To the user pool directly

Federated authentication using social identities to the user pool

Question 25

What is the max message size for SQS?

Answer 25

256KB

Question 26

What is the max data size of KMS?

Answer 26

4KB

Question 27

What is application discovery service?

Answer 27

collects usage and config data about on-prem servers

Question 28

What API types can use Cognito?

Answer 28

REST

Websocket

Question 29

DynamoDB tables have high latency, how do you fix it?

Answer 29

Use Global tables

Use eventually consistent reads

Question 30

What API call will extend the length of time an SQS job will process?

Answer 30

ChangeMessageVisibility

Question 31

If you have a web app on EC2 with a DynamoDB table, how can you make an API call from instances if no SDK exists?

Answer 31

Sign requests with access keys and Sig V4
Make HTTP POST request to DynamoDB API
Include the JSON document in the request body

Question 32

What is SWF?

Answer 32

Task oriented API’s

Ensures task assigned only once

Question 33

What is SQS?

Answer 33

Message based API’s

Messages can be delivered more than once

Question 34

EC2 auto scaling works with what kind of load balancer?

Answer 34

ALB

NLB

Question 35

What is required for code to be executed in a Lambda function?

Answer 35

Lambda function handler

Question 36

Your ALB is down or misconfigured, what error code doe you get?

Answer 36

503 error

Question 37

What key requires the root user?

Answer 37

CloudFront key pair

Question 38

How do you limit access to an API to users in a Cognito User Pool?

Answer 38

Assign an authorizer.

Assign the authorizer to the API

Question 39

What feature of a load balancer will let you analyze incoming requests for latency & client IP patterns?

Answer 39

ALB access logs

Question 40

How do you reduce load on web servers with high CPU?

Answer 40

Put the certificate on the ALB

Put a listener on the ALB with SSL termination

Question 41

What are the SAM references?

Answer 41

API
Application
Function
HTTPAPI
LayerVersion
SimpleTable
StateMachine

Question 42

If multiple apps write to the same DynamoDB table and you want to send changes to an API what do you do?

Answer 42

Send changes to Kinesis data streams

Use Lambda to process changes and call an HTTP API

Question 43

What policy types limit permissions but don’t grant them?

Answer 43

Permissions boundary

AWS Organization SCP

Question 44

What can you change with standard RI’s?

Answer 44

Instance size
Network types
AZ

Question 45

How do you minimize impact of a full DynamoDB table scan?

Answer 45

parallel scans

limit parameter

Question 46

What is an immutable deployment for Beanstalk?

Answer 46

Like blue-green. New servers spun up in a new ASG

Question 47

What are 3 options allow users to have secure access to private files in S3?

Answer 47

CloudFront signed URL’s
CloudFront Signed cookies
CloudFront OAI

Question 48

What do you do with a Lambda function who uses libraries that aren’t available at runtime?

Answer 48

zip up code and dependencies

Question 49

To implement Lambda with Step Functions what do you setup?

Answer 49

define step function tasks

state machine

Question 50

How do you migrate a Beanstalk environment from one account to another?

Answer 50

Save configuration
Export configuration
Make environment updates
Upload to S3
Create new app from saved config

Question 51

How do you define an OS, programming language and tools needed when using CodeBuild?

Answer 51

specify a docker image in the buildspec.yml file

Question 52

What does DynamoDB rate limit do?

Answer 52

Limits the throughput so you don’t use it all

Question 53

What is the only resource based policy that IAM supports?

Answer 53

trust policy

Question 54

How would you design an app that uses Lambda to process HTTP requests?

Answer 54

create an API

Configure proxy integration with Lambda

Question 55

To encrypt data at rest in S3 while managing the keys, what do you do?

Answer 55

Upload the key when uploading to the object to S3

Question 56

What are API mapping templates?

Answer 56

They map data in API’s so you can have multiple versions

Question 57

What is Kinesis data streams?

Answer 57

data streaming service
not auto scaling
can replay data
needs to be configured

Question 58

What is API call used to obtain temp credentials when using Web Identity Federation?

Answer 58

AssumeRoelWithWebIdentity

Question 59

PTR record vs A Record

Answer 59

IP to Domain

Domain to IP

Question 60

What is Kinesis Firehose?

Answer 60

Data transfer service
auto scales
cannot replay
fully managed

Question 61

What is DynamoDB encryption client?

Answer 61

client side encryption at rest & in transit

Question 62

HTTP 4XX vs 5XX errors

Answer 62

4XX is client side

5XX is server side

Question 63

What is !FindInMap?

Answer 63

Think case/switch statement

Question 64

What is the structure of !FindInMap?

Answer 64

[MapName, TopLevelKey, SecondLevelKey]

Question 65

4 tasks of CloudWatch Logs?

Answer 65

Set log retention policy
Monitor logs from EC2
Monitor CloudTrail logged events
Query log data

Question 66

EC2 auto scaling cannot…

Answer 66

add volumes to an EC2 instance when a volume is filling up

Question 67

How do you allow Lambda in Account A access to DynamoDB in account B?

Answer 67

Create role in account B with access to DynamoDB
Allow the role to be called by Lambda
Have Lambda in Account A call the role with AssumeRole API

Question 68

What is SSE-C?

Answer 68

Server Side Encryption - Customer managed keys

Question 69

Where can HTTPS be enforced with CloudFront?

Answer 69

Before CloudFront

After CloudFront

Question 70

What section of a CloudFormation template does not allow conditions?

Answer 70

Parameters

Question 71

What access do member accounts have to Organization trails?

Answer 71

Read only, not modify/delete

Question 72

At what level does CloudTrail track S3 by default?

Answer 72

Bucket level only

Question 73

What metric is not part of target tracking scaling policy?

Answer 73

ApproximateNumberOfMessagesVisible

Question 74

In CloudFormation how do you reference a parameter?

Answer 74

!Ref

Question 75

What is X-Forwarded-For header used for?

Answer 75

to get the client IP address from HTTP requests when using an ALB

Question 76

What is the max poll time out?

Answer 76

20 seconds

Question 77

What are 2 reasons to use the ‘Transforms’ section of a CloudFormation template?

Answer 77

SAM

When you want to use code from S3

Question 78

How can 2 docker containers share memory?

Answer 78

Be defined in the same task definition

Question 79

In CloudFormation how do you use an exported value from another stack?

Answer 79

!ImportValue

Question 80

What Load Balancer do you use to capture source IP w/o using X-Forwarded-For?

Answer 80

NLB

Question 81

If your app uses JWT’s what service do you use?

Answer 81

Cognito User Pools

Question 82

What will happen to ECS if you terminate an instance that is stopped?

Answer 82

It will still show in the cluster

Question 83

What is reserved concurrency in Lambda?

Answer 83

It guarantees concurrency for Lambda functions to use but it also acts as a limiter when you have multiple Lambda functions running

Question 84

When using Cognito with ALB & CloudFront where does the authentication occur?

Answer 84

ALB

Question 85

What can cause an ALB to send traffic to one instance or AZ over another?

Answer 85

Unevenly split EC2 instance types between AZ’s

Sticky sessions

Question 86

Dedicated Instance vs Dedicated hosts

Answer 86

Dedicated instances are cheaper

Dedicated hosts are good for ‘bring your own license’

Question 87

How can you have an IAM policy that allows each user access to only buckets with their user name in it?

Answer 87

Use policy variables

Question 88

Which elasticache service supports replication?

Answer 88

Redis

Question 89

During rollback, which instances does CodeDeploy deploy to?

Answer 89

failed instances

Question 90

How can Lambda connect to an RDS instance in a private subnet?

Answer 90

Connect Lambda to the VPC and then allow access with security groups

Question 91

What is the ratio of Kinesis shards to workers?

Answer 91

1:1

Question 92

What service do you use to rotate secrets?

Answer 92

Secrets Manager

Question 93

What service requires the appspec.yaml file?

Answer 93

CodeDeploy

Question 94

What should go into a Lambda deployment package?

Answer 94

Compiled code and dependencies

Question 95

What deployment types can Lambda & ECS use?

Answer 95

Blue/Green

Question 96

Which ECS task placement strategy minimizes the # of instances?

Answer 96

binpack

Question 97

How do you provide an on-prem app server with permissions to AWS?

Answer 97

Create user with access keys

Store access keys in a credentials file

Question 98

What service coordinates multiple AWS services using workflows?

Answer 98

AWS Step Functions

Question 99

What 2 languages can the appspec file be in?

Answer 99

JSON

YAML

Question 100

Does AWS Shield protect from SQL Injection attacks?

Answer 100

No

Question 101

Are KMS keys regional or global?

Answer 101

Regional

Question 102

What service does X-Ray not integrate with?

Answer 102

S3

Question 103

S3 buckets offer read after write consistency for PUTS

Answer 103

Yes

Question 104

What service let’s you troubleshoot a performance problem in a microservices app?

Answer 104

X-Ray

Question 105

In CloudFormation, exported output values are unique per…

Answer 105

Region

Question 106

What is the maximum ratio of provisioned IOPS to requested volume size?

Answer 106

50:1

Question 107

At what size will gp2 volumes hit max IOPS?

Answer 107

5.3TB

Question 108

What is CodeBuild?

Answer 108

A fully managed build service to compile, test, and document builds

Question 109

What CloudTrail event isn’t available for EBS when created during EC2 launch?

Answer 109

CreateVolume

Question 110

How do you reduce API calls and improve latency in an API?

Answer 110

enable API gateway caching

Question 111

CLI command for setting detailed monitoring on EC2?

Answer 111

aws ec2 monitor-instances –instance-ids i-adf8965876

Question 112

How can you have an EC2 instance access S3 files?

Answer 112

use an IAM role

Question 113

What is the total set size/number of environment variables you can create for AWS Lambda?

Answer 113

Total size of all environment variables cannot exceed 4KB and there is no limit on number of variables

Question 114

Max retention period for SQS?

Answer 114

14 days

Question 115

Why would you use an Elastic Beanstalk dedicated worker environment?

Answer 115

If your application performs tasks that take a long time to complete.

Question 116

You have a site hosted on Bucket A and JavaScript on Bucket B, how do you enable CORS?

Answer 116

On Bucket B to allow Bucket A origin to make requests

Question 117

X-Ray costs are high, how do you reduce costs while still obtaining tracing?

Answer 117

use X-Ray sampling

Question 118

Does Cognito User Pools allow for use of MFA?

Answer 118

Yes

Question 119

When does Lambda add a message to a DLQ?

Answer 119

When Lambda function is async

When the event fails all processing attempts

Question 120

Does S3 support object locking for concurrent udpates?

Answer 120

No

Question 121

How do you increase the message size for SQS?

Answer 121

Use the SQS Extended library (up to 2GB)

Question 122

Is EBS encryption region or AZ specific by default?

Answer 122

Region

Question 123

How can you invalidate the API cache?

Answer 123

Cache-Control: max-age=0

Question 124

Which encryption mechanism will get rejected if the connection is not using HTTPS?

Answer 124

SSE-C

Question 125

When using the AWS CLI to execute commands it fails with the following exception: You are not authorized to perform this operation. Encoded authorization failure message: 6h34GtpmGjJJUm946eDVBfzWQJk6z5GePbbGDs9Z2T8xZj9EZtEduSnTbmrR7pMqpJrVYJCew2m8YBZQf4HRWEtrpncANrZMsnzk

Answer 125

AWS STS decode-authorization-message

Question 126

Which header must the developers add to their request for all new objects uploaded to S3 to be encrypted using SSE-S3 at the time of upload?

Answer 126

‘x-amz-server-side-encryption’: ‘AES256’

Question 127

What is the maximum number of messages that can be retrieved at one time for SQS?

Answer 127

10

Question 128

How do you encrypt an existing CloudWatch Log group using an AWS KMS customer master key (CMK)?

Answer 128

Use the AWS CLI associate-kms-key command and specify the KMS key ARN

Question 129

How can you speed up a CodeBuild that has a lot of dependencies?

Answer 129

cache dependencies in S3

Question 130

How do you increase performance of Kinesis Data Streams with multiple consumers?

Answer 130

Use enhanced fanout feature of Kinesis Data Streams

Question 131

How can the organization ensure source code is encrypted in transit and at rest?

Answer 131

CodeCommit repositories are automatically encrypted at rest

Question 132

How do you declare an Lambda function in CloudFormation?

Answer 132

Upload all code as a zip to S3

Write Lambda code inline as long as there are no 3rd party dependencies

Question 133

How can you remove older versions that are not used by Elastic Beanstalk so that new versions can be created for your applications?

Answer 133

Use a lifecycle policy

Question 134

How do you search and filter through multiple X-Ray traces?

Answer 134

Use annotations

Question 135

Which environment variable can be used by AWS X-Ray SDK to ensure that the daemon is correctly discovered on ECS?

Answer 135

AWS_XRAY_DAEMON_ADDRESS

Question 136

What is AWS CodeStar?

Answer 136

service that enables you to quickly develop, build, and deploy apps on AWS. Has one UI w/ dashboards, etc

Question 137

Which message parameter should you set for deduplicating messages?

Answer 137

MessageDeduplicationId

Question 138

Which message parameter should you set the value of user_id to guarantee the ordering?

Answer 138

MessageGroupId

Question 139

How do you ensure your build artifacts are automatically encrypted?

Answer 139

Specify a KMS key to use

Question 140

What do you setup in X-Ray daemon when tracing across multiple accounts?

Answer 140

Create a role in main account and allow other accounts to assume role
Configure the X-Ray daemon to use the IAM role

Question 141

When using Elastic Beanstalk, how do you perform repetitive/scheduled tasks?

Answer 141

Setup a worker environment and a cron.yaml file

Question 142

When using a Classic Load Balancer how can you keep users from having to re-authenticate often?

Answer 142

Use ElastiCache

Question 143

How do you allow a CodeBuild build environment to scale and run builds in parallel?

Answer 143

You don’t! It automatically scales

Question 144

What actions do you take to have an app with sign-up/sign-in functionality make API calls to a custom solution to log the sign-in events?

Answer 144

Use Cognito to provide sign-up/sign-in functionality

Execute a Lambda function to make the API call triggered by the post-authentication event

Question 145

How do you allow only IAM users from another account access to your API’s?

Answer 145

Create IAM policy and attach to each user. Use Sig v4

Create a resource policy for the API’s that allow access for each IAM user