AWS Gen Study

Question 1

How does the credentials file play a role in the AWS CLI?

Answer 1

When running a CLI command that does not explicitly specify which profile to use, it will look to the credentials file;

Question 2

What is the AWS CLI credentials chain?

Answer 2

Command line options;
Environment variables;
CLI Credentials file;
Configuration file;
Container Credentials;
Instance profile credentials;

Question 3

You can point an Alias to an unlimited number of function versions, true or false?

Answer 3

False. You can point it to two.

Question 4

What is lazy loading in Amazon ElastiCache?

Answer 4

When data is requested, it looks in the cache to see if it exists; if it doesn’t it will grab it from the DB, and then write it to the cache

Question 5

What are the disadvantages of a write-through in ElastiCache?

Answer 5

Missing data - when you spin up a new node, there is missing data; the data is missing until its updated or added to the DB;
Cache churn - most data will sit there and not be read (we can fix this with TTL);

Question 6

What is an CodeDeploy deployment group?

Answer 6

It is a CodeDeploy entity for grouping EC2 instances or AWS Lambda functions in a CodeDeploy Deployment

Question 7

To control access to an API in API Gateway, we can configure the security group of the API, true or false?

Answer 7

False. API Gateway does not use security groups but uses resource policies

Question 8

Auto Scaling Group can span regions, true or false?

Answer 8

False. they can span AZs

Question 9

Auto Scaling Groups can work with both Network and Application Load Balancers, true or false?

Answer 9

True

Question 10

What API operation can we use to get security credentials to an existing IAM user? What parameter can we use to specify timing?

Answer 10

GetSessionToken and Duration Seconds

Question 11

How can we request temporary security credentials?

Answer 11

With AWS STS

Question 12

What is the AssumeRole API operation used for?

Answer 12

It is useful for allowing existing IAM users to access AWS resources they don’t already have access to. It can also be used cross-account

Question 13

What file is used by CodeDeploy to manage the deployment?

Answer 13

appspec.yaml

Question 14

What are the Elastic Beanstalk deployment options?

Answer 14

All At Once
Rolling
Rolling with additional batch
Immutable update
Traffic Splitting

Question 15

What are negatives about Elastic Beanstalk Immutable update?

Answer 15

It is the highest cost and longest deployment but zero downtime

Question 16

We need to decrypt files with KMS. How can we do this?

Answer 16

We take an encrypted key and pass it to the decrypt operation. We then use the plain text key to decrypt the encrypted file. Remove the plain text key from memory as soon as possible

Question 17

What is the difference between a delay queue and a visibility timeout for SQS?

Answer 17

A delay queue is a period of time where the item added to the queue cannot be consumed once it has been added to the queue. The visibility timeout only is applicable once a message has been consumed.

Question 18

To implement long polling, we hit the SetQueueAttributes with a WaitTimeSeconds parameter. True or False?

Answer 18

False. SetQueueAttributes can be used to set things about the Queue like DelaySeconds and VisibilityTimeout. We want the RecieveMessage API with WaitTimeSeconds.
We can however set RevieveMessageWaitTimeSeconds on the queues parameters.

Question 19

How do we Recieve Messages in SQS?

Answer 19

We hit the RevieveMessages API and can consume one to 10 messages. If you set a value greater than zero for ReceiveMessageWaitTimeSeconds, than long polling is in effect. This will also query all servers instead of a subset of servers.

Question 20

We want to notify someone when items are uploaded to an S3 bucket. What is the best way to achieve this?

Answer 20

Add an event on the bucket to send out a PUT or POST to SNS

Question 21

We want to update our current instances with no downtime in elastic beanstalk and using the existing instances; what is a good option?

Answer 21

Rolling with additional batches. The new batch will receive requests while the old instances are update. Then, when all the old batches are updated, the new batch will be terminated.
In standard rolling update, instances taken out in batches cannot serve requests

Question 22

When using an on-premise server, you should attatch an IAM role and use that to make API calls to AWS, true or false?

Answer 22

False. You cannot attatch an IAM role to an on-premise server. You should create an IAM user, generate access keys and create a credentials file on the on-premise server. If it was an EC2 server, storing an IAM role would be the preferred way.

Question 23

For async lambda functions, lambda puts events in a queue. If the lambda does not have the capacity, events may be lost. How can we mitigate losing events?

Answer 23

Put them in a dead-letter queue

Question 24

An async execution of a lambda function failed, what happens?

Answer 24

Lambda reruns it twice

Question 25

What services does Lambda handle to send async invocations to?

Answer 25

SQS, SNS, Lambda and EventBridge

Question 26

The Event Source Mapper invokes the lambda function asynchronously; true or false?

Answer 26

False. Synchronously

Question 27

What happens if a function returns an error the the event source mapper when processing streams?

Answer 27

The entire batch is reprocessed until either the function succeeds or the items in the batch expires

Question 28

To set up a DLQ with Event Source Mapping, Lambda and queues, we set up the DLQ with lambda. True or false.

Answer 28

False. Lambda with DLQ is only for async invocations. The ESM is synchronous.

Question 29

For a lambda function to be triggered by an ALB, what must happen?

Answer 29

The Lambda function must be placed in a target group

Question 30

A user needs to verify that the IAM policy grants permission to call sts:AssumeRole for the role that they want to assume. What must happen in the policy?

Answer 30

The action element of the IAM policy must allow them to “sts:AssumeRole”

Question 31

What is the assume role of STS used for?

Answer 31

It returns a temporary set of credentials that allow the user to access AWS resources they normally wouldn’t have access to

Question 32

If we needed to write temporary log files to storage on an EC2 instance, would EBS of EFS be a more suitable solution?

Answer 32

EBS as EFS is generally more suitable to data that needs to be used by various EC2 instances

Question 33

For ECS dynamic port mappings is when you set the host port to say 80 and the container port to 0; true or false?

Answer 33

False. We set the host port to 0 and the container port to 80. They are specified as part of the container definition. When we set the host port to 0, ECS will automatically assign it a port.
Dynamic port mappings let us run more than one instance of a task on an instance

Question 34

What is the relationship between ECS, EC2 and Clusters?

Answer 34

Clusters are logical groupings of EC2 instances. The instances run the ECS agent (Docker container) which registers the instance to the cluster

Question 35

What do ECS task definitions do?

Answer 35

They tell ECS how to run a docker container

Question 36

A container is having trouble pulling images from ECR or cannot talk to S3. What is a good reason this may be happening?

Answer 36

There is not a task role or an inappropriate task role assigned to the task.

Question 37

What must the .zip file contain that is deployed to Lambda?

Answer 37

The zip file must contain the functions code and any dependencies needed to run the code.
If your function depends only on standard libraries or AWS SDK libraries you do not need to include the libraries in the zip file. If the zip is larger than 50 MB, we should upload it to S3.

Question 38

What is the biggest difference between SSE-KMS an SSE-S3 encryption?

Answer 38

There is an audit trail and extra security with using SSE-KMS

Question 39

What is AWS CloudTrail good for?

Answer 39

It is good for monitoring activity in the AWS account as it relates to actions taken in the Management Console, SDK, command line, etc. Really used for operational analysis

Question 40

What is an output in a CloudFormation template? What is a parameter and what is a resource? What are mappings?

Answer 40

Output declares values you can import into other stacks;
Parameter is a value allowed to be inputed at creation or updating of a stack;
Resource points to another AWS resource;
Mappings are keys that map to corresponding set of named values

Question 41

What is the max item size for DynamoDB?

Answer 41

400 KB

Question 42

What are transactional writes in DynamoDB?

Answer 42

They are coordinated all or nothing changes in the database

Question 43

What are amazon cloud watch events?

Answer 43

CloudWatch Events deliver a stream of real time events that describe changes in Amazon resources

Question 44

We pull the docker image form ECR with the CLI command of aws ecr get-login and then run docker pull REPOSITORY URI : TAG; why wont this work?

Answer 44

We need to run the output of aws ecr get-login

Question 45

What do we need to do to allow an EC2 instance to send data to AWS X-Ray?

Answer 45

We need to install the data then put the proper instance profile on the EC2 instance. The daemon will use the instance profile credentials to call out to X-Ray.

Question 46

We need to control the placement of tasks onto groups of container instances organized by AZ and instance type. How can we do this?

Answer 46

Cluster Query Language

Question 47

For general use, what is the fastest way to set up your AWS CLI configuration?

Answer 47

Run the aws configure command

Question 48

What is chain of places the AWS CLI looks for to find credentials?

Answer 48

Command line options;
Env variables;
CLI credentials file;
CLI config file;
Container credentials;
Instance profile credentials;

Question 49

We can save IAM login credentials to use with the AWS CLI, true or false?

Answer 49

False as the IAM login credentials cannot be used with the AWS CLI. You need to use an access key ID and secret access key with the AWS CLI and these are configured for use by running aws configure.

Question 50

We can define the Auto Scaling of tasks in the task definition, true or false?

Answer 50

False, we can do that in the service

Question 51

What is the action element in an IAM policy?

Answer 51

It specifies tasks you can do with a specific service

Question 52

What is a Lambda authorizer?

Answer 52

It is a feature you can use with API Gateway to control access to your API

Question 53

SSM Managament store is a good choice when rotating keys, true or false?

Answer 53

False. AWS secrets manager should be used

Question 54

What is AWS WAF?

Answer 54

A web-application firewall that helps protect web applications against common web exploits that may affect availability compromise security, or consume excessive resources.

Question 55

When using CloudFormation with SAM template, what command must you run to prepare it for deployment?

Answer 55

aws cloudformation package

Question 56

We should merge hot shards and split cold shards, true or false?

Answer 56

False. We merge cold shards to make better use of their unused capacity and split hot shards.

Question 57

DynamoDB streams with lambda triggers is asynchronous, true or false?

Answer 57

False, it is synchronous