AWS Dev Practice Flashcards
What are the Beanstalk deployment types?
All at once, Rolling, Rolling with additional batch, Immutable, Traffic splitting. Blue/green is done separately by deploying to a second environment and swapping the environment URLs (CNAME swap).
EC2 instances in an ASG have only basic monitoring enabled. Why?
The console was used to create the launch configuration
Kinesis Data Streams gives a ProvisionedThroughputExceededException error. How do we fix it?
Configure the data producer to retry with exponential backoff
Increase the number of shards
Which DB engines can use IAM database authentication?
RDS MySQL
RDS PostgreSQL
(also MariaDB and Aurora MySQL/PostgreSQL)
How do you retrieve only some attributes of DynamoDB items rather than every attribute?
Use a ProjectionExpression (it selects attributes; to limit which items come back use a KeyConditionExpression or FilterExpression)
What AWS service uses the appspec.yaml file?
Code Deploy
What does the ‘Transform’ section indicate in a CloudFormation template?
It is a SAM template
What type of RI can you use in addition to a Savings Plan?
Zonal RIs
What service can NOT be used to authenticate w/ API gateway?
AWS STS
What DynamoDB write option ensures you don’t overwrite an existing item that has the same primary key?
Conditional writes (a ConditionExpression such as attribute_not_exists(<partition key>))
What service gives temporary, limited-privilege AWS credentials to users authenticated by third-party identity providers (IdPs)?
Cognito Identity Pools
What are the Kinesis Data Firehose destinations?
S3, Redshift, Elasticsearch/OpenSearch, Splunk, custom HTTP endpoint
How do you make ‘all or nothing’ updates to DynamoDB?
Use the transactional APIs (TransactWriteItems / TransactGetItems)
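The two cards above in working code, as an added example that is not part of the flashcard deck: a conditional PutItem that refuses to overwrite an existing primary key, and a TransactWriteItems call whose conditional debit cancels the whole transaction on overdraft. The table name `Users` with partition key `user_id` is assumed, and the DynamoDB client is injected so the constructed in-memory FakeDynamoDB below can stand in for boto3 (which is not imported); with a real client you would pass `boto3.client("dynamodb")`.

```python
"""Added example, not from the flashcard deck: DynamoDB conditional and
transactional writes using the low-level client request shapes.
Assumed: a table `Users` with partition key `user_id`. The client is injected so
the constructed FakeDynamoDB below can replace boto3, which is not imported."""

TABLE = "Users"  # assumed table name


class FakeDynamoDB:
    """Constructed in-memory stand-in for boto3's DynamoDB client. It honours
    only the expressions the functions below use: attribute_not_exists(user_id)
    on PutItem, and `credits >= :amt` on a TransactWriteItems Update. Real
    DynamoDB evaluates arbitrary expressions; this exists to run offline."""

    class ConditionalCheckFailedException(Exception):
        pass

    class TransactionCanceledException(Exception):
        pass

    def __init__(self):
        self.items = {}         # user_id -> item in DynamoDB attribute-value form
        self.exceptions = self  # boto3 exposes client.exceptions.<ErrorName>

    def put_item(self, TableName, Item, ConditionExpression=None):
        key = Item["user_id"]["S"]
        if ConditionExpression == "attribute_not_exists(user_id)" and key in self.items:
            raise self.ConditionalCheckFailedException("item already exists")
        self.items[key] = dict(Item)   # unconditional PutItem replaces the whole item
        return {}

    def transact_write_items(self, TransactItems):
        staged = {k: dict(v) for k, v in self.items.items()}   # work on a copy
        for action in TransactItems:
            upd = action["Update"]
            key = upd["Key"]["user_id"]["S"]
            amt = int(upd["ExpressionAttributeValues"][":amt"]["N"])
            item = staged.setdefault(key, {"user_id": {"S": key}})
            credits = int(item.get("credits", {"N": "0"})["N"])
            if "ConditionExpression" in upd and credits < amt:
                raise self.TransactionCanceledException("ConditionalCheckFailed")
            delta = -amt if "credits - :amt" in upd["UpdateExpression"] else amt
            item["credits"] = {"N": str(credits + delta)}
        self.items = staged   # commit only when every action succeeded
        return {}


def create_user_if_absent(client, user_id, email):
    """PutItem that refuses to overwrite an existing primary key.
    Returns True if the item was created, False if one already existed."""
    try:
        client.put_item(
            TableName=TABLE,
            Item={"user_id": {"S": user_id}, "email": {"S": email}, "credits": {"N": "0"}},
            ConditionExpression="attribute_not_exists(user_id)",
        )
        return True
    except client.exceptions.ConditionalCheckFailedException:
        return False


def transfer_credits(client, from_user, to_user, amount):
    """All-or-nothing debit/credit across two items. The debit carries a
    condition, so an overdraft cancels the whole transaction and nothing is
    written to either item."""
    amt = {"N": str(amount)}
    try:
        client.transact_write_items(TransactItems=[
            {"Update": {
                "TableName": TABLE,
                "Key": {"user_id": {"S": from_user}},
                "UpdateExpression": "SET credits = credits - :amt",
                "ConditionExpression": "credits >= :amt",
                "ExpressionAttributeValues": {":amt": amt},
            }},
            {"Update": {
                "TableName": TABLE,
                "Key": {"user_id": {"S": to_user}},
                "UpdateExpression": "SET credits = if_not_exists(credits, :zero) + :amt",
                "ExpressionAttributeValues": {":amt": amt, ":zero": {"N": "0"}},
            }},
        ])
        return True
    except client.exceptions.TransactionCanceledException:
        return False


def demo():
    """Walk through the behaviours on the fake; returns the observations."""
    db = FakeDynamoDB()
    created = create_user_if_absent(db, "alice", "alice@example.com")
    duplicate = create_user_if_absent(db, "alice", "mallory@example.com")
    # An unconditional PutItem silently replaces the whole item (email is lost).
    db.put_item(TableName=TABLE, Item={"user_id": {"S": "alice"}, "credits": {"N": "50"}})
    create_user_if_absent(db, "bob", "bob@example.com")
    paid = transfer_credits(db, "alice", "bob", 30)
    overdraft = transfer_credits(db, "alice", "bob", 30)   # alice only has 20 left
    return {
        "created": created, "duplicate_rejected": not duplicate,
        "email_lost_by_unconditional_put": "email" not in db.items["alice"],
        "paid": paid, "overdraft_rejected": not overdraft,
        "alice_credits": db.items["alice"]["credits"]["N"],
        "bob_credits": db.items["bob"]["credits"]["N"],
    }
```

The second, unconditional `put_item` in `demo()` is the mistake the card warns about: it replaces the whole item, including attributes the caller never mentioned.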
Can you move an EBS volume between AZs?
No. Take a snapshot and create a new volume from the snapshot in the target AZ.
What is the limit on stored messages in SQS?
No limit; only in-flight messages are limited (120,000 for standard queues, 20,000 for FIFO)
What credential type is NOT supported by IAM for CodeCommit?
IAM username and password (use Git credentials over HTTPS, SSH keys, or the credential helper)
What are 2 services that can store and deploy SSL/TLS certificates?
IAM
AWS Certificate Manager (ACM)
What RI type allows you to change the instance family?
Convertible RI
JWT authorizers are used by what?
HTTP APIs (API Gateway)
Can ECS or Lambda use in-place deployments with CodeDeploy?
No, blue/green only
What are DynamoDB streams?
Info about changes to items in a DynamoDB table
They can be used by other services to perform actions
WebSocket APIs allow what?
Bi-directional communication
What feature helps identify unused IAM roles so they can be removed without disrupting service?
Access Advisor (service last accessed data)
What are 2 ways to authenticate with Cognito User Pools?
To the user pool directly
Federated authentication using social identities to the user pool
What is the max message size for SQS?
256KB
What is the max size of data the KMS Encrypt API will encrypt directly?
4KB (for anything larger use a data key from GenerateDataKey, i.e. envelope encryption)
What is application discovery service?
collects usage and config data about on-prem servers
What API types can use Cognito?
REST
Websocket
Reads from a DynamoDB table have high latency, how do you fix it?
Use Global Tables (replicas in Regions near the users)
Use eventually consistent reads
What API call extends the time an in-flight SQS message stays hidden while a job is still processing it?
ChangeMessageVisibility
If you have a web app on EC2 with a DynamoDB table, how can you make an API call from instances if no SDK exists?
Sign the requests with the access keys using Signature Version 4 (SigV4)
Make an HTTP POST request to the DynamoDB endpoint
Include the JSON document in the request body
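The three steps above carried out in code, as an added example that is not part of the flashcard deck: deriving the SigV4 signing key, building the canonical request and string-to-sign for a DynamoDB PutItem POST, and producing the Authorization header. Only the standard library is used. The credentials are the placeholder pair from the AWS documentation, the region (us-east-1) and timestamp are fixed so the result is reproducible, and nothing is sent over the network.

```python
"""Added example, not from the deck: sign a DynamoDB PutItem request with
Signature Version 4 using only the standard library. Assumed: placeholder
credentials (the AKIAIOSFODNN7EXAMPLE / wJalr... pair from the AWS docs),
region us-east-1 and a fixed timestamp so the output is reproducible. Nothing
is sent over the network; the function returns the headers for the HTTP POST."""

import hashlib
import hmac
import json


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret_key: str, date_stamp: str, region: str, service: str) -> bytes:
    """kSigning = HMAC(HMAC(HMAC(HMAC("AWS4"+secret, date), region), service), "aws4_request").
    The secret itself never goes on the wire; only this derived key signs."""
    k_date = _hmac(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def sign_dynamodb_request(access_key, secret_key, region, target, body, amz_date):
    """Return signed headers for `POST /` to the regional DynamoDB endpoint.
    target is the X-Amz-Target operation, e.g. DynamoDB_20120810.PutItem;
    amz_date is ISO 8601 basic format, e.g. 20150830T123600Z."""
    service = "dynamodb"
    host = f"dynamodb.{region}.amazonaws.com"
    date_stamp = amz_date[:8]
    payload_hash = _sha256_hex(body.encode("utf-8"))
    # Canonical headers: lowercase names, trimmed values, sorted by name.
    headers = {
        "content-type": "application/x-amz-json-1.0",
        "host": host,
        "x-amz-date": amz_date,
        "x-amz-target": target,
    }
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    # method, URI, query string (empty), headers, signed header list, payload hash
    canonical_request = "\n".join(
        ["POST", "/", "", canonical_headers, signed_headers, payload_hash])
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", amz_date, scope, _sha256_hex(canonical_request.encode("utf-8"))])
    signature = hmac.new(signing_key(secret_key, date_stamp, region, service),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    authorization = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                     f"SignedHeaders={signed_headers}, Signature={signature}")
    return {
        "Host": host,
        "Content-Type": headers["content-type"],
        "X-Amz-Date": amz_date,
        "X-Amz-Target": target,
        "Authorization": authorization,
    }


def put_item_body(table, item):
    """JSON document for PutItem, in DynamoDB's attribute-value form."""
    return json.dumps({"TableName": table, "Item": item}, separators=(",", ":"))


def demo():
    """Sign a PutItem for the assumed `Users` table with the placeholder keys."""
    body = put_item_body("Users", {"user_id": {"S": "alice"}, "email": {"S": "alice@example.com"}})
    return sign_dynamodb_request(
        "AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY",
        "us-east-1", "DynamoDB_20120810.PutItem", body, "20150830T123600Z")
```

Because the payload hash is part of the canonical request, changing a single byte of the body (or of any signed header) changes the signature, which is why a replayed request with an edited body is rejected.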
What is SWF?
Task-oriented APIs
Ensures a task is assigned only once
What is SQS?
Message-based APIs
Messages can be delivered more than once
EC2 auto scaling works with what kind of load balancer?
ALB
NLB
What is required for code to be executed in a Lambda function?
Lambda function handler
Your ALB is down or misconfigured, what error code do you get?
503 (Service Unavailable: no healthy registered targets)
What key pair could only be created by the root user?
CloudFront key pairs (legacy; trusted key groups managed through IAM are the current approach)
How do you limit access to an API to users in a Cognito User Pool?
Create a Cognito User Pools authorizer
Assign the authorizer to the API methods
What feature of a load balancer will let you analyze incoming requests for latency & client IP patterns?
ALB access logs
How do you reduce load on web servers with high CPU?
Put the certificate on the ALB
Put a listener on the ALB with SSL termination
What are the SAM resource types?
AWS::Serverless::Api, Application, Function, HttpApi, LayerVersion, SimpleTable, StateMachine
If multiple apps write to the same DynamoDB table and you want to send changes to an API what do you do?
Send changes to Kinesis data streams
Use Lambda to process changes and call an HTTP API
What policy types limit permissions but don’t grant them?
Permissions boundaries
AWS Organizations SCPs
What can you change with standard RI’s?
Instance size
Network types
AZ
How do you minimize the impact of a full DynamoDB table scan?
Reduce the page size with the Limit parameter (and pause between pages if needed)
Use parallel scans only when the table has spare capacity, since they consume throughput faster
What is an immutable deployment for Beanstalk?
Like blue/green: new instances are launched in a temporary ASG; once they pass health checks they are moved into the original ASG and the old instances are terminated
What 3 options allow users to have secure access to private files in S3 through CloudFront?
CloudFront signed URLs
CloudFront signed cookies
CloudFront OAI (origin access identity; Origin Access Control is the newer equivalent)
What do you do with a Lambda function that uses libraries not available in the runtime?
Zip the code together with its dependencies (or put the dependencies in a Lambda layer)
To implement Lambda with Step Functions what do you setup?
define step function tasks
state machine
How do you migrate a Beanstalk environment from one account to another?
Save the configuration
Export the configuration
Make environment updates
Upload to S3
Create a new application from the saved configuration
How do you define the OS, programming language and tools needed when using CodeBuild?
Specify a Docker image (AWS-managed or your own) in the build project’s environment settings; buildspec.yml holds the build phases and commands
What does DynamoDB rate limit do?
Limits the throughput so you don’t use it all
What is the only resource based policy that IAM supports?
trust policy
How would you design an app that uses Lambda to process HTTP requests?
create an API
Configure proxy integration with Lambda
To encrypt data at rest in S3 while managing the keys yourself, what do you do?
Supply the key in the request headers when uploading the object (SSE-C); S3 uses it and discards it, so the same key must be sent again to read the object
What are API Gateway mapping templates?
Velocity (VTL) templates that transform request and response payloads between the client format and the backend format, e.g. so multiple API versions can share one backend
What is Kinesis data streams?
data streaming service
not auto scaling
can replay data
needs to be configured
What API call is used to obtain temporary credentials when using Web Identity Federation?
AssumeRoleWithWebIdentity
PTR record vs A record
PTR: IP to domain (reverse lookup)
A: domain to IPv4 address
What is Kinesis Firehose?
Data transfer service
auto scales
cannot replay
fully managed
What is the DynamoDB Encryption Client?
A client-side encryption library: items are encrypted (and signed) before they leave the application, so they are protected in transit and at rest, and tampering is detected on read
HTTP 4XX vs 5XX errors
4XX is client side
5XX is server side
What is !FindInMap?
Think case/switch statement
What is the structure of !FindInMap?
[MapName, TopLevelKey, SecondLevelKey]
4 tasks of CloudWatch Logs?
Set log retention policy
Monitor logs from EC2
Monitor CloudTrail logged events
Query log data
EC2 auto scaling cannot…
add volumes to an EC2 instance when a volume is filling up
How do you allow a Lambda function in Account A access to DynamoDB in Account B?
Create a role in Account B whose permissions policy allows access to the table
Set the role’s trust policy so the Lambda execution role in Account A can assume it
Have the Lambda function call the STS AssumeRole API and use the returned temporary credentials
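The cross-account pattern above as an added example that is not part of the flashcard deck: the trust and permissions policies for the role in Account B, a check that the trust policy names one specific principal rather than a wildcard or a whole account, and the AssumeRole call on the Lambda side. Account IDs, role names and the table ARN are constructed placeholders; the STS client is injected so the constructed FakeSTS stands in for boto3 (not imported), and with a real client you would pass `boto3.client("sts")`.

```python
"""Added example, not from the deck: the pieces of the cross-account pattern
above. Account IDs, role names and the table ARN are constructed placeholders.
The STS client is injected so the constructed FakeSTS below stands in for
boto3 (not imported); with a real client, boto3.client("sts") is passed."""

ACCOUNT_A = "111111111111"   # assumed: where the Lambda function runs
ACCOUNT_B = "222222222222"   # assumed: where the DynamoDB table lives
LAMBDA_ROLE_A = f"arn:aws:iam::{ACCOUNT_A}:role/orders-lambda-role"
TARGET_ROLE_B = f"arn:aws:iam::{ACCOUNT_B}:role/orders-table-access"
TABLE_B = f"arn:aws:dynamodb:us-east-1:{ACCOUNT_B}:table/Orders"


def trust_policy_for_role_b():
    """Trust policy on the role in account B: only the Lambda execution role
    in account A may assume it (not the whole account A root principal)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": LAMBDA_ROLE_A},
        "Action": "sts:AssumeRole",
    }]}


def permissions_policy_for_role_b():
    """Permissions policy on the same role: least privilege on one table."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query"],
        "Resource": TABLE_B,
    }]}


def _principals(stmt):
    p = stmt.get("Principal", {})
    if p == "*":
        return ["*"]
    aws = p.get("AWS", []) if isinstance(p, dict) else []
    return [aws] if isinstance(aws, str) else list(aws)


def trust_policy_problems(policy):
    """Review check: flag Allow statements that trust more than a specific principal."""
    problems = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for principal in _principals(stmt):
            if principal == "*":
                problems.append("wildcard principal: any AWS account could assume the role")
            elif principal.endswith(":root") and "Condition" not in stmt:
                problems.append(f"{principal} trusts an entire account with no Condition")
    return problems


def assume_cross_account(sts, role_arn, session_name, duration=900):
    """Call STS AssumeRole and reshape the result into boto3 client kwargs.
    duration is the minimum (15 minutes); re-assume rather than hold
    long-lived credentials inside the function."""
    resp = sts.assume_role(RoleArn=role_arn, RoleSessionName=session_name,
                           DurationSeconds=duration)
    creds = resp["Credentials"]
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
    }


class FakeSTS:
    """Constructed stand-in: grants AssumeRole only if the caller's ARN is a
    principal in the target role's trust policy."""

    def __init__(self, trust_policy, caller_arn):
        self.allowed = {p for s in trust_policy["Statement"] for p in _principals(s)}
        self.caller_arn = caller_arn

    def assume_role(self, RoleArn, RoleSessionName, DurationSeconds=3600):
        if self.caller_arn not in self.allowed:
            raise PermissionError(f"AccessDenied: {self.caller_arn} cannot assume {RoleArn}")
        return {"Credentials": {"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "secret",
                                "SessionToken": "token", "Expiration": "2015-08-30T13:00:00Z"}}


def lambda_handler_sketch(sts):
    """What the Lambda in account A does before creating its DynamoDB client."""
    creds = assume_cross_account(sts, TARGET_ROLE_B, "orders-lambda")
    # real code: boto3.client("dynamodb", region_name="us-east-1", **creds)
    return creds
```

The Lambda execution role in Account A also needs `sts:AssumeRole` on `TARGET_ROLE_B` in its own permissions policy; the trust policy alone is not enough.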
What is SSE-C?
Server-Side Encryption with Customer-provided keys
Where can HTTPS be enforced with CloudFront?
Between the viewer and CloudFront (viewer protocol policy)
Between CloudFront and the origin (origin protocol policy)
What section of a CloudFormation template does not allow conditions?
Parameters
What access do member accounts have to Organization trails?
Read only, not modify/delete
At what level does CloudTrail track S3 by default?
Bucket-level (management) events only; object-level data events must be enabled separately
What metric is not part of target tracking scaling policy?
ApproximateNumberOfMessagesVisible
In CloudFormation how do you reference a parameter?
!Ref
What is X-Forwarded-For header used for?
to get the client IP address from HTTP requests when using an ALB
What is the max SQS long-polling wait time (WaitTimeSeconds)?
20 seconds
What are 2 reasons to use the Transform section of a CloudFormation template?
AWS::Serverless (SAM)
AWS::Include, to pull template snippets from S3
How can 2 docker containers share memory?
Be defined in the same task definition
In CloudFormation how do you use an exported value from another stack?
!ImportValue
What Load Balancer do you use to capture source IP w/o using X-Forwarded-For?
NLB
If your app uses JWT’s what service do you use?
Cognito User Pools
What will happen to ECS if you terminate an instance that is stopped?
It will still show in the cluster
What is reserved concurrency in Lambda?
A per-function concurrency limit that is also set aside for that function: it guarantees the function can reach that concurrency, and it caps the function so it cannot consume the account’s shared concurrency pool when other functions are running
When using Cognito with ALB & CloudFront where does the authentication occur?
ALB
What can cause an ALB to send traffic to one instance or AZ over another?
Unevenly split EC2 instance types between AZ’s
Sticky sessions
Dedicated Instance vs Dedicated hosts
Dedicated instances are cheaper
Dedicated hosts are good for ‘bring your own license’
How can you have an IAM policy that allows each user access only to buckets with their user name in the name?
Use policy variables (${aws:username} in the Resource ARN)
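The policy-variable card above as an added example that is not part of the flashcard deck: a per-user S3 policy written with `${aws:username}`, and a small evaluator that substitutes the variable and answers whether one (user, action, resource) request is allowed by this policy alone. The bucket naming scheme `<username>-files` is assumed; the evaluator handles Allow/Deny statements with `*` wildcards in Action and Resource, while real IAM evaluation (other policies, SCPs, conditions) is wider.

```python
"""Added example, not from the deck: a per-user S3 policy written with the
${aws:username} policy variable, and a small evaluator that substitutes the
variable and answers whether one (user, action, resource) request is allowed
by this policy alone. The bucket naming scheme `<username>-files` is assumed.
The evaluator handles Allow/Deny statements with `*` wildcards in Action and
Resource; real IAM evaluation (other policies, SCPs, conditions) is wider."""

import fnmatch

# Each user gets access only to the bucket named after them, plus its objects.
# The "-files" suffix after the variable matters: with a bare `${aws:username}*`
# a user named "al" would also match "alice-files".
PER_USER_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "OwnBucket",
            "Effect": "Allow",
            "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
            "Resource": "arn:aws:s3:::${aws:username}-files",
        },
        {
            "Sid": "OwnObjects",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
            "Resource": "arn:aws:s3:::${aws:username}-files/*",
        },
    ],
}


def substitute_variables(text, context):
    """Replace ${key} policy variables with request-context values."""
    for key, value in context.items():
        text = text.replace("${" + key + "}", value)
    return text


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _statement_matches(stmt, context, action, resource):
    actions = _as_list(stmt["Action"])
    resources = [substitute_variables(r, context) for r in _as_list(stmt["Resource"])]
    return (any(fnmatch.fnmatchcase(action, a) for a in actions)
            and any(fnmatch.fnmatchcase(resource, r) for r in resources))


def is_allowed(policy, username, action, resource):
    """IAM's basic rule: an explicit Deny wins; otherwise any Allow grants; else deny."""
    context = {"aws:username": username}
    matched = [s["Effect"] for s in policy["Statement"]
               if _statement_matches(s, context, action, resource)]
    if "Deny" in matched:
        return False
    return "Allow" in matched


def check_user(username):
    """Probe a few requests for one user; returns the decisions."""
    own = f"arn:aws:s3:::{username}-files"
    policy = PER_USER_BUCKET_POLICY
    return {
        "list_own_bucket": is_allowed(policy, username, "s3:ListBucket", own),
        "get_own_object": is_allowed(policy, username, "s3:GetObject", own + "/report.csv"),
        "get_other_object": is_allowed(policy, username, "s3:GetObject",
                                       "arn:aws:s3:::bob-files/report.csv"),
        "delete_own_bucket": is_allowed(policy, username, "s3:DeleteBucket", own),
    }
```

One policy attached to a group serves every member, because the variable is resolved per request from the caller's identity; the thing to review is the text around the variable, since a prefix match like `${aws:username}*` lets short user names claim other users' buckets.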
Which ElastiCache engine supports replication?
Redis (Memcached does not)
During rollback, which instances does CodeDeploy deploy to?
failed instances
How can Lambda connect to an RDS instance in a private subnet?
Configure the function to attach to the VPC (subnets and a security group) and allow that security group inbound on the RDS instance’s security group
What is the ratio of Kinesis shards to workers?
1:1
What service do you use to rotate secrets?
Secrets Manager
What service requires the appspec.yaml file?
CodeDeploy
What should go into a Lambda deployment package?
Compiled code and dependencies
What deployment types can Lambda & ECS use?
Blue/Green
Which ECS task placement strategy minimizes the # of instances?
binpack
How do you provide an on-prem app server with permissions to AWS?
Create user with access keys
Store access keys in a credentials file
What service coordinates multiple AWS services using workflows?
AWS Step Functions
What 2 languages can the appspec file be in?
JSON
YAML
Does AWS Shield protect against SQL injection attacks?
No (that is AWS WAF’s job; Shield covers DDoS)
Are KMS keys regional or global?
Regional
What service does X-Ray not integrate with?
S3
Do S3 buckets offer read-after-write consistency for PUTs?
Yes
What service lets you troubleshoot a performance problem in a microservices app?
X-Ray
In CloudFormation, exported output values must be unique per...
Region (within an account)
What is the maximum ratio of provisioned IOPS to requested volume size?
50:1 (io1)
At what size will gp2 volumes hit max IOPS?
5,334 GB (about 5.3TB), where gp2 reaches 16,000 IOPS
What is CodeBuild?
A fully managed build service that compiles source code, runs tests and produces deployable artifacts
What CloudTrail event isn’t available for EBS when created during EC2 launch?
CreateVolume
How do you reduce API calls and improve latency in an API?
enable API gateway caching
CLI command for setting detailed monitoring on EC2?
aws ec2 monitor-instances --instance-ids i-adf8965876
How can you have an EC2 instance access S3 files?
use an IAM role
What is the total set size/number of environment variables you can create for AWS Lambda?
Total size of all environment variables cannot exceed 4KB and there is no limit on number of variables
Max retention period for SQS?
14 days
Why would you use an Elastic Beanstalk dedicated worker environment?
If your application performs tasks that take a long time to complete.
You have a site hosted on Bucket A and JavaScript on Bucket B, how do you enable CORS?
On Bucket B to allow Bucket A origin to make requests
X-Ray costs are high, how do you reduce costs while still obtaining tracing?
use X-Ray sampling
Does Cognito User Pools allow for use of MFA?
Yes
When does Lambda add a message to a DLQ?
When the function is invoked asynchronously
and the event fails all processing attempts (retries); both conditions apply
Does S3 support object locking for concurrent updates?
No (S3 Object Lock is WORM retention, not a concurrency lock; the last write wins)
How do you increase the message size for SQS?
Use the SQS Extended Client Library, which stores the payload in S3 (up to 2GB)
Is EBS encryption region or AZ specific by default?
Region
How can you invalidate the API Gateway cache?
Send the request with a Cache-Control: max-age=0 header (the caller needs execute-api:InvalidateCache permission)
Which encryption mechanism will get rejected if the connection is not using HTTPS?
SSE-C
When using the AWS CLI to execute commands it fails with the following exception: You are not authorized to perform this operation. Encoded authorization failure message: 6h34GtpmGjJJUm946eDVBfzWQJk6z5GePbbGDs9Z2T8xZj9EZtEduSnTbmrR7pMqpJrVYJCew2m8YBZQf4HRWEtrpncANrZMsnzk
aws sts decode-authorization-message --encoded-message <message> (requires the sts:DecodeAuthorizationMessage permission)
Which header must the developers add to their request for all new objects uploaded to S3 to be encrypted using SSE-S3 at the time of upload?
x-amz-server-side-encryption: AES256
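The S3 upload-encryption headers from this card and the earlier SSE-C cards, as an added example that is not part of the flashcard deck: helpers that build the PUT headers for SSE-S3, SSE-KMS and SSE-C, plus a client-side check that an outgoing upload requests some form of server-side encryption. Key material and the KMS key ID are constructed; for SSE-C the key travels in the request, so the helper refuses to emit those headers for a non-HTTPS endpoint and adds the base64 MD5 that S3 uses to verify the key arrived intact.

```python
"""Added example, not from the deck: build the request headers for the S3
server-side encryption modes on a PUT (SSE-S3, SSE-KMS, SSE-C). Key material
and the KMS key ID are constructed placeholders."""

import base64
import hashlib


def sse_s3_headers():
    """SSE-S3: S3-managed keys; one header on the upload is all that is needed."""
    return {"x-amz-server-side-encryption": "AES256"}


def sse_kms_headers(kms_key_id):
    """SSE-KMS: encrypt under a specific KMS key (caller needs kms:GenerateDataKey)."""
    return {
        "x-amz-server-side-encryption": "aws:kms",
        "x-amz-server-side-encryption-aws-kms-key-id": kms_key_id,
    }


def sse_c_headers(key, endpoint_url):
    """SSE-C: customer-provided 256-bit key. S3 uses it and discards it; the same
    three headers must be sent again on every GET of the object."""
    if len(key) != 32:
        raise ValueError("SSE-C requires a 32-byte (AES-256) key")
    if not endpoint_url.lower().startswith("https://"):
        raise ValueError("SSE-C sends the key in headers; S3 only accepts it over HTTPS")
    key_md5 = hashlib.md5(key, usedforsecurity=False).digest()
    return {
        "x-amz-server-side-encryption-customer-algorithm": "AES256",
        "x-amz-server-side-encryption-customer-key": base64.b64encode(key).decode("ascii"),
        "x-amz-server-side-encryption-customer-key-MD5": base64.b64encode(key_md5).decode("ascii"),
    }


def upload_is_encrypted(headers):
    """Review check for an outgoing PUT: does it request any server-side encryption?
    (A bucket policy can deny puts that lack these headers; this is the client side.)"""
    h = {k.lower(): v for k, v in headers.items()}
    return (h.get("x-amz-server-side-encryption") in ("AES256", "aws:kms")
            or h.get("x-amz-server-side-encryption-customer-algorithm") == "AES256")


def demo():
    """Headers for the three modes against a constructed key and key ID."""
    key = bytes(range(32))   # constructed: never use a predictable key in practice
    return {
        "sse_s3": sse_s3_headers(),
        "sse_kms": sse_kms_headers("arn:aws:kms:us-east-1:111111111111:key/example-key-id"),
        "sse_c": sse_c_headers(key, "https://bucket.s3.us-east-1.amazonaws.com"),
    }
```

With SSE-C, losing the key means losing the object: S3 keeps only a salted HMAC of the key to validate later requests, not the key itself.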
What is the maximum number of messages that can be retrieved at one time for SQS?
10
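An SQS consumer that uses the limits from this card and the long-polling and ChangeMessageVisibility cards earlier in the deck, as an added example that is not part of the flashcard deck: it receives up to 10 messages with the 20-second maximum wait, sends a visibility heartbeat while a slow job runs, and deletes a message only after success so failures reappear for redelivery (or reach the DLQ once maxReceiveCount is hit). The queue URL and visibility timeout are assumed; the client is injected so the constructed FakeSQS can replace boto3 (not imported) and track visibility deadlines offline.

```python
"""Added example, not from the deck: an SQS worker that long-polls with the
20-second maximum, receives up to 10 messages per call, sends a
ChangeMessageVisibility heartbeat while a slow job runs, and deletes a message
only after it succeeds. Queue URL and visibility timeout are assumed."""

QUEUE_URL = "https://sqs.us-east-1.amazonaws.com/111111111111/jobs"  # assumed
VISIBILITY_TIMEOUT = 30   # assumed queue setting, seconds


def process_batch(sqs, handler):
    """Receive one batch and run handler(body, extend) on each message.
    `extend(seconds)` is the heartbeat the handler calls before the visibility
    timeout expires on long jobs. Returns which message IDs were done/failed."""
    resp = sqs.receive_message(QueueUrl=QUEUE_URL, MaxNumberOfMessages=10,
                               WaitTimeSeconds=20)
    done, failed = [], []
    for msg in resp.get("Messages", []):
        handle = msg["ReceiptHandle"]

        def extend(seconds, handle=handle):
            sqs.change_message_visibility(QueueUrl=QUEUE_URL, ReceiptHandle=handle,
                                          VisibilityTimeout=seconds)
        try:
            handler(msg["Body"], extend)
        except Exception:
            failed.append(msg["MessageId"])   # not deleted: it will reappear
            continue
        sqs.delete_message(QueueUrl=QUEUE_URL, ReceiptHandle=handle)
        done.append(msg["MessageId"])
    return {"done": done, "failed": failed}


class FakeSQS:
    """Constructed in-memory queue with a manual clock (`now`, seconds) and a
    visibility deadline per message, enforcing the API limits of 10 messages
    and 20 seconds per receive."""

    def __init__(self, bodies):
        self.now = 0.0
        self.msgs = [{"MessageId": f"m{i}", "ReceiptHandle": f"rh{i}", "Body": b,
                      "visible_at": 0.0, "receive_count": 0} for i, b in enumerate(bodies)]

    def _find(self, handle):
        return next(m for m in self.msgs if m["ReceiptHandle"] == handle)

    def receive_message(self, QueueUrl, MaxNumberOfMessages=1, WaitTimeSeconds=0):
        if not 1 <= MaxNumberOfMessages <= 10 or not 0 <= WaitTimeSeconds <= 20:
            raise ValueError("InvalidParameterValue")
        out = []
        for m in self.msgs:
            if m["visible_at"] <= self.now and len(out) < MaxNumberOfMessages:
                m["visible_at"] = self.now + VISIBILITY_TIMEOUT
                m["receive_count"] += 1
                out.append({k: m[k] for k in ("MessageId", "ReceiptHandle", "Body")})
        return {"Messages": out}

    def change_message_visibility(self, QueueUrl, ReceiptHandle, VisibilityTimeout):
        self._find(ReceiptHandle)["visible_at"] = self.now + VisibilityTimeout

    def delete_message(self, QueueUrl, ReceiptHandle):
        self.msgs = [m for m in self.msgs if m["ReceiptHandle"] != ReceiptHandle]

    def visible_ids(self):
        return [m["MessageId"] for m in self.msgs if m["visible_at"] <= self.now]


def demo():
    """A 50-second job kept invisible by one heartbeat, next to a poison message."""
    sqs = FakeSQS(["slow job", "poison pill"])

    def handler(body, extend):
        if body == "poison pill":
            raise RuntimeError("cannot parse")
        sqs.now += 25      # work is approaching the 30 s visibility timeout
        extend(60)         # heartbeat: invisible until now + 60
        sqs.now += 25      # finishes at t=50; without the heartbeat another
                           # consumer would have received it again at t=30

    result = process_batch(sqs, handler)
    return {
        "done": result["done"],
        "failed": result["failed"],
        "left_in_queue": [m["MessageId"] for m in sqs.msgs],
        "visible_again": sqs.visible_ids(),
    }
```

The poison message is deliberately left alone rather than deleted on failure: a redrive policy with maxReceiveCount moves it to the DLQ after enough redeliveries, which keeps a bad message from being silently dropped.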
How do you encrypt an existing CloudWatch Logs log group using an AWS KMS customer master key (CMK)?
aws logs associate-kms-key --log-group-name <group> --kms-key-id <key ARN>
How can you speed up a CodeBuild that has a lot of dependencies?
cache dependencies in S3
How do you increase performance of Kinesis Data Streams with multiple consumers?
Use the enhanced fan-out feature of Kinesis Data Streams
How can the organization ensure source code is encrypted in transit and at rest?
CodeCommit repositories are automatically encrypted at rest (KMS) and in transit (HTTPS or SSH)
How do you declare a Lambda function in CloudFormation?
Upload the code as a zip to S3 and reference it from the Code property (S3Bucket/S3Key)
Write the code inline (ZipFile) as long as there are no third-party dependencies
How can you remove older versions that are not used by Elastic Beanstalk so that new versions can be created for your applications?
Use an application version lifecycle policy
How do you search and filter through multiple X-Ray traces?
Use annotations (indexed key/value pairs; metadata is stored but not indexed)
Which environment variable can be used by AWS X-Ray SDK to ensure that the daemon is correctly discovered on ECS?
AWS_XRAY_DAEMON_ADDRESS
What is AWS CodeStar?
service that enables you to quickly develop, build, and deploy apps on AWS. Has one UI w/ dashboards, etc
Which SQS FIFO message parameter should you set for deduplicating messages?
MessageDeduplicationId
Which message parameter should carry the user_id to guarantee per-user ordering?
MessageGroupId
How do you ensure your build artifacts are automatically encrypted?
Specify a KMS key to use
What do you setup in X-Ray daemon when tracing across multiple accounts?
Create a role in main account and allow other accounts to assume role
Configure the X-Ray daemon to use the IAM role
When using Elastic Beanstalk, how do you perform repetitive/scheduled tasks?
Setup a worker environment and a cron.yaml file
When using a Classic Load Balancer how can you keep users from having to re-authenticate often?
Use ElastiCache
How do you allow a CodeBuild build environment to scale and run builds in parallel?
You don’t! It automatically scales
What actions do you take to have an app with sign-up/sign-in functionality make API calls to a custom solution to log the sign-in events?
Use Cognito to provide sign-up/sign-in functionality
Execute a Lambda function to make the API call, triggered by the Cognito post-authentication trigger
How do you allow only IAM users from another account access to your APIs?
Create an IAM policy and attach it to each user; the users sign requests with SigV4
Create a resource policy on the API that allows access for each IAM user