aws-exam Flashcards
A developer is building a serverless application that will send out a newsletter to customers using AWS Lambda. The Lambda function will be invoked at a 7-day interval.
Which method will provide an automated and serverless approach to trigger the function?
Configure a scheduled Amazon EventBridge (Amazon CloudWatch Events) that triggers every week to invoke the Lambda function.
A Lambda function has multiple sub-functions that are chained together to process large data synchronously. When invoked, the function tends to exceed its maximum timeout limit. This has prompted the developer to break the Lambda function into manageable coordinated states using Step Functions, enabling each sub-function to run in a separate process.
Which of the following types of states should the developer use to run processes?
Task State
Task State - Do some work in your state machine
Choice State - Make a choice between branches of execution
Fail or Succeed State - Stop execution with failure or success
Pass State - Simply pass its input to its output or inject some fixed data, without performing work.
A developer is building a ReactJS application that will be hosted on Amazon S3. Amazon Cognito handles user registration and sign-in using the AWS Software Development Kit (SDK) for JavaScript. The JSON Web Token (JWT) received upon authentication will be stored in the browser’s local storage. After signing in, the application will use the JWT with an authorizer to access an API Gateway endpoint.
What are the steps needed to implement the scenario above? (Select THREE.)
Create an Amazon Cognito User Pool.
On the API Gateway Console, create an authorizer using the Cognito User Pool ID.
Set the name of the request header that will be passed to the Cognito User Pool as the token source for authorization.
A developer needs to use IAM roles to list all EC2 instances that belong to the development environment in an AWS account.
Which methods can be used to verify that the IAM role has access to describe instances? (Select TWO.)
Run the describe-instances command with the --dry-run parameter.
Use the IAM Policy Simulator to validate the permission for the IAM role.
The --dry-run parameter checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
With the IAM policy simulator, you can test and troubleshoot identity-based policies, IAM permissions boundaries, Organizations service control policies (SCPs), and resource-based policies.
A developer needs to view the percentage of used memory and the number of TCP connections of instances inside an Auto Scaling Group. To achieve this, the developer must send the metrics to Amazon CloudWatch.
Which approach provides the MOST secure way of authenticating a CloudWatch PUT request?
Create an IAM role with cloudwatch:PutMetricData permission for the new Auto Scaling launch template from which you launch instances.
Modifying an existing launch template is not possible.
A Software Engineer is developing a Node.js application that will be deployed using Elastic Beanstalk. The application source code is currently inside a folder called MyApp. He wants to add a configuration file named tutorialsdojo.config to the application.
Where should the file be placed?
You can add AWS Elastic Beanstalk configuration files (.ebextensions) to your web application’s source code to configure your environment and customize the AWS resources that it contains. Configuration files are YAML- or JSON-formatted documents with a .config file extension that you place in a folder named .ebextensions and deploy in your application source bundle.
A developer is writing a web application that will allow users to save and retrieve images in an Amazon S3 bucket. The users are required to register and log in to access the application.
Which combination of AWS Services should the Developer utilize for implementing the user authentication module of the application?
Amazon Cognito Identity Pools and User Pools.
A user pool is a user directory in Amazon Cognito. With a user pool, your users can sign in to your web or mobile app through Amazon Cognito. Your users can also sign in through social identity providers like Google, Facebook, Amazon, or Apple, and through SAML identity providers.
Amazon Cognito identity pools (federated identities) enable you to create unique identities for your users and federate them with identity providers. With an identity pool, you can obtain temporary, limited-privilege AWS credentials to access other AWS services.
A developer is using the AWS CLI to interact with different AWS services. An UnauthorizedOperation error, as shown below, is received after running the stop-instances command:
Along with the response is an additional failure message displayed in ciphertext format.
How can the developer decode the message?
Decode the message by calling the AWS STS decode-authorization-message command.
The AWS STS DecodeAuthorizationMessage API decodes additional information about the authorization status of a request from an encoded message returned in response to an AWS request.
AWS Security Token Service (AWS STS)
A developer is debugging an issue in an AWS Lambda-based application. To save time searching through logs, the developer wants the function to return the corresponding log location of an invocation request.
Which approach should the developer take with the least amount of effort?
Extract the log stream name from the Context object of the handler function.
When Lambda runs your function, it passes a context object to the handler. This object provides methods and properties that provide information about the invocation, function, and execution environment. One of the properties that you can get from the context object is the log_stream_name which gives the log location of a function instance.
A developer plans to launch an EC2 instance, with Amazon Linux 2 as its AMI, using the AWS Console. A security group with port 80 open to public access will be associated with the instance. He wants to quickly build and test an Apache web server with an index.html page displaying a hello world message.
Which of the following should the developer do?
Configure the user data at the creation of the EC2 instance to run a script that installs and configures the Apache web server after the instance starts.
When you launch an instance in Amazon EC2, you have the option of passing user data to the instance that can be used to perform common automated configuration tasks and even run scripts after the instance starts.
A developer is hosting a static website from an S3 bucket. The website makes requests to an API Gateway endpoint integrated with a Lambda function (non-proxy). The developer noticed that the requests were failing. Upon debugging, he found the following error message: “No ‘Access-Control-Allow-Origin’ header is present on the requested resource”.
What should the developer do to resolve this issue?
In the API Gateway Console, enable cross-origin resource sharing (CORS) for the method in the specified resource.
For a Lambda custom (non-proxy) integration, HTTP custom (non-proxy) integration, or AWS service integration, you can set up the required headers by using API Gateway method response and integration response settings. When you enable CORS by using the AWS Management Console, API Gateway creates an OPTIONS method and attempts to add the Access-Control-Allow-Origin header to your existing method integration responses.
A company is running an e-commerce application on an Amazon EC2 instance. A newly hired developer has been tasked to monitor and handle the necessary updates on the EC2 instance every Saturday. The developer is working from home and needs remote access to the web server. As the system administrator, you’re looking to use the AWS STS API to give the developer temporary credentials and enforce Multi-factor Authentication (MFA) to protect specific programmatic calls against the instance that could adversely affect the server.
Which of the following STS APIs should you use?
GetSessionToken
GetSessionToken - returns a set of temporary security credentials to an existing IAM user. This is useful for providing enhanced security, such as allowing AWS requests only when MFA is enabled for the IAM user. Because the credentials are temporary, they provide enhanced security when you have an IAM user who accesses your resources through a less secure environment.
A startup plans to use Amazon Cognito User Pools to easily manage their users’ sign-up and sign-in workflows to an application. To save time from designing the User Interface (UI) for the login page, the development team has decided to use Cognito’s built-in UI. However, the product manager finds the UI bland and instructed the developer to include the product logo on the web page.
How should the developer meet the above requirements?
Upload the logo to the Amazon Cognito app settings and use that logo on the custom login page.
You can use the AWS Management Console, or the AWS CLI or API, to specify customization settings for the built-in app UI experience. You can upload a custom logo image to be displayed in the app. You can also choose many CSS customizations.
You can specify app UI customization settings for a single client (with a specific clientId) or for all clients (by setting the clientId to ALL). If you specify ALL, the default configuration will be used for every client that has no UI customization set previously. If you specify UI customization settings for a particular client, it will no longer fall back to the ALL configuration.
A developer uses Amazon ECS to orchestrate two Docker containers. He needs to configure ECS to allow the two containers to share log data.
Which configuration should the developer do?
Specify the containers in a single task definition and configure EFS as its volume type.
Amazon Elastic File System (EFS)
A developer wants to expose a legacy web service that uses an XML-based Simple Object Access Protocol (SOAP) interface through API Gateway. However, there is a compatibility issue since most modern applications communicate data in JSON format.
Which is the most cost-effective method that will overcome this issue?
Use API Gateway to create a RESTful API. Transform the incoming JSON into XML using mapping templates. Forward the request to the SOAP interface using a Lambda function, and parse the XML response into JSON before sending it back to API Gateway.
A team is collaborating on an application managed with AWS CodeCommit for source control and AWS CodePipeline for continuous integration and delivery. A developer who was working on a feature branch encounters merge conflicts during a merge attempt into the master branch. Upon investigation, one of the members forgot to pull the latest commits from the master branch.
Which action can fix the merge conflict in the LEAST amount of effort?
Run git rebase in the feature branch onto the master branch, then manually fix the conflicts.
The git rebase command can help by moving the feature branch’s changes onto the tip of the master branch, allowing you to resolve these conflicts manually.
A development team has migrated an existing Git repository to a CodeCommit repository. One of the developers was given an HTTPS clone URL of their new repository. The developer must be able to clone the repository using his access key credentials.
What must the developer do before he can proceed?
Configure the Git credential helper with the AWS credential profile.
1. Set up a Git credential helper using the access key credentials specified in your AWS credential profile.
- Generate HTTPS Git credentials for AWS CodeCommit. Specify the credentials in the Git Credential Manager.
A developer is building a serverless URL shortener using Amazon API Gateway, Amazon DynamoDB, and AWS Lambda. The application code as well as the stack that defines the cloud resources should be written in Python. The code should also be reusable in case an update must be done to the stack.
Which of the following actions must be done by the developer to meet the requirements above?
Use AWS CDK to build the stack. Then, use Python as the runtime environment in writing the application logic on Lambda.
The AWS Cloud Development Kit (AWS CDK) is an open-source software development framework to model and provision your cloud application resources using familiar programming languages. The AWS CDK has first-class support for TypeScript, JavaScript, Python, Java, and C#. The AWS CDK can also update your deployed resources after you modify your app using the appropriate CDK commands.
CloudFormation only allows JSON and YAML for defining the cloud resources in a stack, but the requirement is that everything be written in Python.
A company uses AWS CodeDeploy in their CI/CD pipeline to handle in-place deployments of their web application on EC2 instances. Recently, a new version of the application was pushed, which contained a code regression. The deployment group is configured with automatic rollback.
What happens if the deployment of the new version fails?
CodeDeploy redeploys the last known good version of an application with a new deployment ID.
A mobile game developer is using DynamoDB as a data store and a Web Identity Federation for authorization and authentication. Each item in the DynamoDB table contains the attributes for individual user’s game data such as user ID, game scores, and top score where the user ID is the partition key. The developer must control user access to specific data items based on their IDs. In doing so, users will only be able to obtain items that they own.
Which of the following solutions must be implemented by the developer?
Modify the IAM Policy associated with the Identity provider’s role by adding a dynamodb:LeadingKeys condition key.
In the given scenario, we are only required to restrict access to specific items in the table based on the user ID, which is the partition key. We can achieve this by adding a dynamodb:LeadingKeys condition key to the IAM policy associated with the identity provider’s role.
A company plans to conduct an online survey to distinguish the users who bought its product from those who didn’t. The survey will be processed by Step Functions which comprises four states that will manage the application logic and error handling of the state machine. It is required to aggregate all the data that passes through the nodes if the process fails.
What should the company do to meet the requirements?
Include a Catch field in the state machine definition to capture the errors. Then, use ResultPath to include each node’s input data with its output.
ResultPath - A path that determines what input is sent to the state specified in the Next field.
A developer is building an AWS Lambda-based Java application that optimizes pictures uploaded to an S3 bucket. Upon running several tests, the Lambda function shows a cold start of about 5 seconds.
Which of the following could the developer do to reduce the cold start time? (Select TWO.)
- Reduce the deployment package’s size by including only the needed modules from the AWS SDK for Java.
- Increase the memory allocation setting for the Lambda function.
An application uses the PutObject operation in parallel to upload hundreds of thousands of objects per second to an S3 bucket. To meet security compliance, the developer uses the server-side encryption in AWS KMS (SSE-KMS) to encrypt objects as they get stored in the S3 bucket. There is a noticeable performance degradation after making the change.
Which of the following is the most likely cause of the problem?
The API request rate has exceeded the quota for AWS KMS API operations.
AWS KMS throttles the requests if you exceed a combined total of 5,500 (or 10,000 or 30,000 depending upon your AWS Region) uploads or downloads per second of S3 objects encrypted with SSE-KMS.
A university is gradually migrating some of its physical documents to the AWS cloud. They will start by moving their alumni’s historical records to Amazon S3. The storage solution should provide secure and durable object storage at the lowest cost.
Which of the following types of S3 storage should you recommend?
Amazon S3 Glacier Deep Archive.
Amazon S3 Glacier and S3 Glacier Deep Archive are designed to be the lowest-cost Amazon S3 storage classes, allowing you to archive large amounts of data at a very low cost. This makes it feasible to retain all the data you want for use cases like data lakes, analytics, IoT, machine learning, compliance, and media asset archiving. You pay only for what you need, with no minimum commitments or up-front fees.