Certified Developer Associate

Question 1

What can be enabled in X-Ray to get filtered output?

Answer 1

Annotations -> key-value pairs indexed to use with filter expressions

Question 2

In CodeBuild, how can we override a build command when code is not reachable?

Answer 2

Run the start build AWS CLI command with buildspecOverride property set to the new buildspec.yml file.

Question 3

What is canary deployment type when deploying a new version of a lambda function?

Answer 3

Traffic is shifted in two increments:
- 1st: a given percentage of traffic is shifted to new version of lamnda
- 2nd: remaining traffic is shifted after a given interval
Ex: Canary10Percent30Minutes means that first 10% of traffic is shifted to new version, then remaining traffic is shifted after 30 mn.

Question 4

What is immutable deployment?

Answer 4

Immutable deployments perform an immutable update to launch a full set of new instances running the new version of the application in a separate Auto Scaling group, alongside the instances running the old version.

Question 5

What is rolling deployment?

Answer 5

Rolling deployment deploys the new version in batches of instances. Each batch is taken out of service during the deployment phase, new version is deployed on them, and then instances are reattached.

Question 6

What is rolling with additional batch deployment?

Answer 6

Using Rolling with additional batch deployment, a new batch of the Amazon EC2 instance is launched before taking a batch of instances out of service for deploying a new version. Once all Amazon EC2 instances are upgraded to a new version of the application, this additional batch of Amazon EC2 instances is terminated.

Question 7

What must be defined in CloudWatch to set an alarm?

Answer 7

• Period (in second): length of time to evaluate the metric to create each individual data point.
• Evaluation Period (in unit): number of most recent data points to evaluate when determining alarm state.
• Datapoints to Alarm (in unit): number of data points within the evaluation period that must be breached to cause the alarm to go to the ALARM state.

Question 8

How to configure server-side encryption for artifacts stored in S3 for CodePipeline

Answer 8

• CodePipeline creates an S3 artifact bucket and default AWS managed key when you create a pipeline using the Create Pipeline wizard. The AWS managed key is encrypted along with object data and managed by AWS.
• You can create and manage your own customer managed key.

Question 9

In API Gateway, how can we control the behavior of front-end interactions and back-end interactions?

Answer 9

For front-end : modify configuration of Method request & response
For back-end : modify configuration of Integration resquest & response (data mappings between a method and its corresponding integration)

Question 10

What is the encryption method of AWS Envelope Encryption?

Answer 10

First, the data is encrypted using a plaintext Data Key. The Data Key is then further encrypted using a plaintext Master Key. This plaintext Master key is securely stored in AWS KMS and known as Customer Master Keys.

Question 11

What do AWS Cognito User pools provide?

Answer 11

User pools provide:
- Sign-up and sign-in services.
- A built-in, customizable web UI to sign in users.
- Social sign-in with Facebook, Google, and log in with Amazon, as well as sign-in with SAML identity providers from your user pool.
- User directory management and user profiles.
- Security features such as multi-factor authentication (MFA), checks for compromised credentials, account takeover protection, and phone and email verification.
- Customized workflows and user migration through AWS Lambda triggers.

Question 12

How is managed encryption at rest in DynamoDB?

Answer 12

All user data stored in Amazon DynamoDB is fully encrypted at rest. This includes tables, primary key, local and global secondary indexes, streams, global tables, backups, and DynamoDB Accelerator (DAX) clusters. When creating a new table, we can choose one of the following AWS KMS keys:
- AWS owned key (owned by DynamoDB)
- AWS managed key (managed by AWS KMS)
- Customer managed key (managed by AWS KMS-CMS)

Question 13

List the deployment methods in Elastic Beanstalk

Answer 13

• All at once (fastest)
• Rolling
• Rolling with additional batch (preserve full capacity)
• Immutable
• Blue/Green

Question 14

What is the best way to pre-process streaming data?

Answer 14

Use Kinesis with AWS Lambda functions to pre-process the data. It enables to query the data in stream or build entire streaming applications using SQL. Customers use Kinesis Analytics for things like filtering, aggregation, and anomaly detection.

Question 15

How can we encrypt application data in EBS resources associated to EC2 instances?

Answer 15

Ensure that Encryption is enabled during volume creation time. Data key is generated by AWS KMS, and CMK is not required.

Question 16

What is Lamda@Edge?

Answer 16

Lambda@Edge is an extension of AWS Lambda, a compute service that lets you execute functions that customize the content that CloudFront delivers. You can author functions in one region and execute them in AWS locations globally closer to the viewer, without provisioning or managing servers.

Question 17

How to specify in AWS CodeDeploy the version of Lambda to deploy?

Answer 17

Specify the version to be deployed in the AppSpec file.

Question 18

How can we monitor calls to DynamoDB for latency detection?

Answer 18

Enable X-Ray tracing on Lambda, use the AWS SDK inside Lambda code to monitor DynamoDB API calls in X-Ray, send this information to CloudWatch, and create a metric that triggers an SNS alert if the response times get too high.

It is not possible to enable X-Ray in DynamoDB.

Question 19

What is the field in CloudFormation template which specify the method called by Lambda to execute the function?

Answer 19

Handler. This is the name of the method within a code that Lambda calls to execute the function.

Question 20

How can we monitor the incoming client connections to the Elastic Load Balancer?

Answer 20

Enable access logs on the load balancer.

Question 21

In a S3 bucket A hosting a static website, how can we allow this website to access data hosted by another bucket B?

Answer 21

Enable CORS on the bucket B.
Browsers will block javascript from allowing requests made to another bucket (or any other website), unless CORS check (or preflight check) is positive.

Question 22

In API Gateway, how can we use stage variables in URI and sub-domain?

Answer 22

http://example.com/${stageVariables.<variable_name>}/prod
http://${stageVariables.<variable_name>}.example.com/dev/operation</variable_name></variable_name>

Question 23

What is Chef and Puppet, and which AWS service integrates this platform?

Answer 23

Chef and Puppet are automation platforms that allow you to use code to automate the configurations of your servers.
OpsWorks lets you use Chef and Puppet to automate how servers are configured, deployed, and managed across your Amazon EC2 instances or on-premises compute environments.

Question 24

What must be done to ensure that a Lambda function can access resources in a VPC?

Answer 24

Ensure that
- the Subnet IDs
- the Security Group IDs
are configured in the Lambda function.

Question 25

What is Packer?

Answer 25

Packer is an open-source tool for creating machine images for many platforms, including AMIs for Amazon EC2.
It is used for creating its own Elastic Beanstalk platform.

Question 26

In DynamoDB, considering that items have a size of 15.5 KB, and that an application write 10 items every seconds, what would be the required provisioned write throughput for best performance?

Answer 26

160.
Items must be divided in blocks of 1 KB, so each item requires 16 blocks. For 10 items, we must have a write throughput of 16 x 10.

Question 27

What is the default timeout of a Lambda function?

Answer 27

3 seconds

Question 28

What is Amazon Cognito Events?

Answer 28

A service that allows dev to execute AWS Lambda function in response to important events in Amazon Cognito. Amazon Cognito raises the Sync Trigger event when a dataset is synchronized. Dev can use the Sync Trigger event to take an action when a user updates data.

Question 29

Amazon Cognito Events: what is the cause of LambdaSocketTimeoutException?

Answer 29

When Lambda function doesn’t respond within 5 seconds. Timeout value cannot be increased.

Question 30

Amazon Cognito Events: what is the cause of LambdaThrottledException?

Answer 30

When Lambda is throttled. The sync operation must be tried again to update the record.

Question 31

In CodeDeploy, what is the run order of hooks for a ECS deployment?

Answer 31

BeforeInstall > Install > AllowTestTraffic > AfterAllowTestTraffic > BeforeAllowTraffic > AllowTraffic > AfterAllowTraffic

Question 32

In CodeDeploy, what is the run order of hooks for a Lambda deployment?

Answer 32

BeforeAllowTraffic > AllowTraffic > AfterAllowTraffic

Question 33

In CodeDeploy, what is the run order of hooks for a EC2/On-Premises deployment WITHOUT Classic load balancer?

Answer 33

ApplicationStop > DownloadBundle > BeforeInstall > Install > AfterInstall > ApplicationStart > ValidateService

Question 34

In CodeDeploy, what is the run order of hooks for a EC2/On-Premises deployment WITH Classic load balancer?

Answer 34

BeforeBlockTraffic > BlockTraffic > AfterBlockTraffic > Application Stop > DownloadBundle > BeforeInstall > Install > AfterInstall > ApplicationStart > ValidateService > BeforeAllowTraffic > AllowTraffic > AfterAllowTraffic

Question 35

What are the options -r, -t, -b, -o for xray-daemon command?

Answer 35

-r : assume an IAM role while saving results in different accounts.
-t : bind a different TCP port for the X-Ray service
-b : bind a different UDP port for the X-Ray service
-o : skip checking Amazon EC2 instance metadata (to run daemon locally)

Question 36

What is Kinesis Data Streams?

Answer 36

Kinesis Data Streams allows to collect and process large streams of data records in real time. It’s used for rapid and continuous data intake and aggregation. The type of data used can include IT infrastructure log data, application logs, social media, market data feeds, and web clickstream data.

Question 37

What is Kinesis Data Firehose?

Answer 37

Amazon Kinesis Data Firehose is a fully managed service for delivering real-time streaming data to destinations such as Amazon Simple Storage Service (Amazon S3), Amazon Redshift, Amazon OpenSearch Service, Splunk, and any custom HTTP endpoint or HTTP endpoints owned by supported third-party service providers, including Datadog, Dynatrace, LogicMonitor, MongoDB, New Relic, and Sumo Logic.

Question 38

What is the configuration file used in Beanstalk to deploy multiple Docker containers in one EC2 instance running ECS?

Answer 38

Dockerrun.aws.json version 2

Question 39

In S3, which request header must be provided to request server-side encryption, when using the object creation REST APIs?

Answer 39

x-amz-server-side-encryption

Question 40

Which service is used to request temporary security credentials? Which items are included in temporary credentials?

Answer 40

AWS Security Token Service (AWS STS).
STS API operations create a new session with temporary security credentials that include an access key pair and a session token. The access key pair consists of an access key ID and a secret key.

Question 41

In X-Ray, what is the segment document? Which fields are mandatory?

Answer 41

A segment document is a JSON formatted string that contains information about the work that your application does in service of a request.
At a minimum, a segment contains :
- name
- id
- start_time
- trace_id
- end_time
- in_progress

Question 42

In Elastic Beanstalk, how to set up a traffic-splitting deployment with configuration file?

Answer 42

• Create file .ebextensions/traffic-splitting.config
• Fill it with :
  option_settings:
  aws:elasticbeanstalk:command:
  DeploymentPolicy: TrafficSplitting
  aws:elasticbeanstalk:trafficsplitting:
  NewVersionPercent: “<percent>"
  EvaluationTime: "<health>"</health></percent>

Question 43

What should be implemented in order to allow an application running on EC2 instance to access AWS resources?

Answer 43

Use IAM roles :
- Create the role
- Define which accounts or AWS services can assume the role.
- Define which API actions and resources the application can use after assuming the role.
- Specify the role when you launch your instance, or attach the role to a running or stopped instance.
- Have the application retrieve a set of temporary credentials and use them.

Question 44

How to test a resource policy with IAM Policy simulator?

Answer 44

Include the resource & copy resource policy in the IAM policy simulator.
You cannot type or copy a resource-based policy into the simulator. To use a resource-based policy in the simulator, you must include the resource in the simulation. You must also select the check box to include that resource’s policy in the simulation.

Question 45

In Lambda, how can we configure the traffic weights between two function versions?

Answer 45

Use the create-alias and update-alias AWS CLI lambda commands. When creating or updating an alias pointing to version 1, the option –routing-config gives the ability to route a part of traffic to version 2.

Question 46

What is the combination of command to use for deploying a serverless application model?

Answer 46

“sam package” which returns a SAM template,
“sam deploy” for deploying this template.