AWS Gen Study Flashcards
How does the credentials file play a role in the AWS CLI?
When running a CLI command that does not explicitly specify which profile to use, it will look to the credentials file;
What is the AWS CLI credentials chain?
Command line options; Environment variables; CLI Credentials file; Configuration file; Container Credentials; Instance profile credentials;
You can point an Alias to an unlimited number of function versions, true or false?
False. You can point it to two.
What is lazy loading in Amazon ElastiCache?
When data is requested, it looks in the cache to see if it exists; if it doesn’t it will grab it from the DB, and then write it to the cache
What are the disadvantages of a write-through in ElastiCache?
Missing data - when you spin up a new node, there is missing data; the data is missing until its updated or added to the DB;
Cache churn - most data will sit there and not be read (we can fix this with TTL);
What is an CodeDeploy deployment group?
It is a CodeDeploy entity for grouping EC2 instances or AWS Lambda functions in a CodeDeploy Deployment
To control access to an API in API Gateway, we can configure the security group of the API, true or false?
False. API Gateway does not use security groups but uses resource policies
Auto Scaling Group can span regions, true or false?
False. they can span AZs
Auto Scaling Groups can work with both Network and Application Load Balancers, true or false?
True
What API operation can we use to get security credentials to an existing IAM user? What parameter can we use to specify timing?
GetSessionToken and Duration Seconds
How can we request temporary security credentials?
With AWS STS
What is the AssumeRole API operation used for?
It is useful for allowing existing IAM users to access AWS resources they don’t already have access to. It can also be used cross-account
What file is used by CodeDeploy to manage the deployment?
appspec.yaml
What are the Elastic Beanstalk deployment options?
All At Once Rolling Rolling with additional batch Immutable update Traffic Splitting
What are negatives about Elastic Beanstalk Immutable update?
It is the highest cost and longest deployment but zero downtime
We need to decrypt files with KMS. How can we do this?
We take an encrypted key and pass it to the decrypt operation. We then use the plain text key to decrypt the encrypted file. Remove the plain text key from memory as soon as possible
What is the difference between a delay queue and a visibility timeout for SQS?
A delay queue is a period of time where the item added to the queue cannot be consumed once it has been added to the queue. The visibility timeout only is applicable once a message has been consumed.
To implement long polling, we hit the SetQueueAttributes with a WaitTimeSeconds parameter. True or False?
False. SetQueueAttributes can be used to set things about the Queue like DelaySeconds and VisibilityTimeout. We want the RecieveMessage API with WaitTimeSeconds.
We can however set RevieveMessageWaitTimeSeconds on the queues parameters.
How do we Recieve Messages in SQS?
We hit the RevieveMessages API and can consume one to 10 messages. If you set a value greater than zero for ReceiveMessageWaitTimeSeconds, than long polling is in effect. This will also query all servers instead of a subset of servers.
We want to notify someone when items are uploaded to an S3 bucket. What is the best way to achieve this?
Add an event on the bucket to send out a PUT or POST to SNS
We want to update our current instances with no downtime in elastic beanstalk and using the existing instances; what is a good option?
Rolling with additional batches. The new batch will receive requests while the old instances are update. Then, when all the old batches are updated, the new batch will be terminated.
In standard rolling update, instances taken out in batches cannot serve requests
When using an on-premise server, you should attatch an IAM role and use that to make API calls to AWS, true or false?
False. You cannot attatch an IAM role to an on-premise server. You should create an IAM user, generate access keys and create a credentials file on the on-premise server. If it was an EC2 server, storing an IAM role would be the preferred way.
For async lambda functions, lambda puts events in a queue. If the lambda does not have the capacity, events may be lost. How can we mitigate losing events?
Put them in a dead-letter queue
An async execution of a lambda function failed, what happens?
Lambda reruns it twice
What services does Lambda handle to send async invocations to?
SQS, SNS, Lambda and EventBridge
The Event Source Mapper invokes the lambda function asynchronously; true or false?
False. Synchronously
What happens if a function returns an error the the event source mapper when processing streams?
The entire batch is reprocessed until either the function succeeds or the items in the batch expires
To set up a DLQ with Event Source Mapping, Lambda and queues, we set up the DLQ with lambda. True or false.
False. Lambda with DLQ is only for async invocations. The ESM is synchronous.
For a lambda function to be triggered by an ALB, what must happen?
The Lambda function must be placed in a target group
A user needs to verify that the IAM policy grants permission to call sts:AssumeRole for the role that they want to assume. What must happen in the policy?
The action element of the IAM policy must allow them to “sts:AssumeRole”
What is the assume role of STS used for?
It returns a temporary set of credentials that allow the user to access AWS resources they normally wouldn’t have access to
If we needed to write temporary log files to storage on an EC2 instance, would EBS of EFS be a more suitable solution?
EBS as EFS is generally more suitable to data that needs to be used by various EC2 instances
For ECS dynamic port mappings is when you set the host port to say 80 and the container port to 0; true or false?
False. We set the host port to 0 and the container port to 80. They are specified as part of the container definition. When we set the host port to 0, ECS will automatically assign it a port.
Dynamic port mappings let us run more than one instance of a task on an instance
What is the relationship between ECS, EC2 and Clusters?
Clusters are logical groupings of EC2 instances. The instances run the ECS agent (Docker container) which registers the instance to the cluster
What do ECS task definitions do?
They tell ECS how to run a docker container
A container is having trouble pulling images from ECR or cannot talk to S3. What is a good reason this may be happening?
There is not a task role or an inappropriate task role assigned to the task.
What must the .zip file contain that is deployed to Lambda?
The zip file must contain the functions code and any dependencies needed to run the code.
If your function depends only on standard libraries or AWS SDK libraries you do not need to include the libraries in the zip file. If the zip is larger than 50 MB, we should upload it to S3.
What is the biggest difference between SSE-KMS an SSE-S3 encryption?
There is an audit trail and extra security with using SSE-KMS
What is AWS CloudTrail good for?
It is good for monitoring activity in the AWS account as it relates to actions taken in the Management Console, SDK, command line, etc. Really used for operational analysis
What is an output in a CloudFormation template? What is a parameter and what is a resource? What are mappings?
Output declares values you can import into other stacks;
Parameter is a value allowed to be inputed at creation or updating of a stack;
Resource points to another AWS resource;
Mappings are keys that map to corresponding set of named values
What is the max item size for DynamoDB?
400 KB
What are transactional writes in DynamoDB?
They are coordinated all or nothing changes in the database
What are amazon cloud watch events?
CloudWatch Events deliver a stream of real time events that describe changes in Amazon resources
We pull the docker image form ECR with the CLI command of aws ecr get-login and then run docker pull REPOSITORY URI : TAG; why wont this work?
We need to run the output of aws ecr get-login
What do we need to do to allow an EC2 instance to send data to AWS X-Ray?
We need to install the data then put the proper instance profile on the EC2 instance. The daemon will use the instance profile credentials to call out to X-Ray.
We need to control the placement of tasks onto groups of container instances organized by AZ and instance type. How can we do this?
Cluster Query Language
For general use, what is the fastest way to set up your AWS CLI configuration?
Run the aws configure command
What is chain of places the AWS CLI looks for to find credentials?
Command line options; Env variables; CLI credentials file; CLI config file; Container credentials; Instance profile credentials;
We can save IAM login credentials to use with the AWS CLI, true or false?
False as the IAM login credentials cannot be used with the AWS CLI. You need to use an access key ID and secret access key with the AWS CLI and these are configured for use by running aws configure.
We can define the Auto Scaling of tasks in the task definition, true or false?
False, we can do that in the service
What is the action element in an IAM policy?
It specifies tasks you can do with a specific service
What is a Lambda authorizer?
It is a feature you can use with API Gateway to control access to your API
SSM Managament store is a good choice when rotating keys, true or false?
False. AWS secrets manager should be used
What is AWS WAF?
A web-application firewall that helps protect web applications against common web exploits that may affect availability compromise security, or consume excessive resources.
When using CloudFormation with SAM template, what command must you run to prepare it for deployment?
aws cloudformation package
We should merge hot shards and split cold shards, true or false?
False. We merge cold shards to make better use of their unused capacity and split hot shards.
DynamoDB streams with lambda triggers is asynchronous, true or false?
False, it is synchronous
