Core Exam

Question 1

A published lambda version is a snapshot copy of the lambda function code and configuration in the $LATEST version. This means ….

Answer 1

A published version is inmutable. Code and configuration cannot be changed.

Question 2

Many instances can pull a single queue, but to keep multiple instances from processing the same SQS message…

Answer 2

your application must delete the SQS message after processing. Being processed many times is probably an indication that the message is not being deleted following processing.

Question 3

Benefits in costs of SQS long polling over short polling

Answer 3

Long polling doesn’t return a response until a message arrives to the queue. That is why you also reduce the cost because you reduce the number of empty receives.

Question 4

An application requires maximum throughput and minimum latency. High availability is not a requirement. Which ec2 solution is best?

Answer 4

Cluster placement groups. These are logical grouping of instances in the same Availability Zone. Performance benefits by using private ip addresses. Also P2 instances are preferred (over T2) because they have enhanced Networking and compute.

Question 5

Which method use CodePipeline to trigger automatically ?

Answer 5

CodePipeline use CloudWatch events to detect changes in the configured CodeCommit or Amazon S3 source. So then this starts the pipeline. This is default configuration.

Question 6

If you want to route traffic by subdomain names which EC2 solution is best?

Answer 6

An Application Load Balancer with host-based routing rules. With path-based rules you can route based on the uris (.com/lalala/lelele)

Question 7

For stream-based event sources (ex polling a dynamoDB) a lambda function is invoked. What happens if it is throttled?

Answer 7

Lambda attempts to process the throttled batch of records until the data expires.

Question 8

If data requires to be encrypted in transit and at Rest, what could not be allowed?

Answer 8

ELB configured with SSL termination.

Question 9

What is the best option to share an encrypted EBS volume between different accounts?

Answer 9

It is not possible to share access in the default process with a AWS managed CMK. To do so, you need a custom CMK. So copy the data to an unencrypted volume, create an snapshot and share it.

Question 10

A person with only list object permissions on a bucket can generate pre-signed urls?

Answer 10

No. Only the owner can share the objects using pre-signed urls with his own credentials to grant time-limited permission to download objects.

Question 11

If you have a deployment group with 10 instances and a minimum of 8 healthy instances, what would do CodeDeploy?

Answer 11

Will deploy in two instances at a time. If it fails, fails the overall deployment.

Question 12

What are the benefits of using CORS on S3?

Answer 12

Allows Javascript trying to access web pages on the bucket and allows to host a web font.

Question 13

How to ensure that data is encrypted in-flight both into and out S3?

Answer 13

Use the TLS endpoint and you can encrypt the data yourself on the client side before upload.

Question 14

The integration between AWS Api Gateway and a backend running other AWS service is called..

Answer 14

AWS Service Proxy

Question 15

What do you require to integrate Jenkins running on a instance with CodePipeline

Answer 15

Provide the IAM user credentials to integrate CodePipeline and fill out the required fields for your proxy host.

Question 16

What would be valid reasons to run most of the code on Lambda?

Answer 16

Scalability is a main reason and updates on the logic of the app occurs very frequently.

Question 17

If you use the AWS config managed rule IAM_PASSWORD_POLICY to check that password are changed after a period of time, which type of rule use?

Answer 17

Only a periodic trigger.

Question 18

If the execution code of a lambda is taking too longer, which CloudWatch Metrics you should check?

Answer 18

The function’s latency CloudWatch metric to see if the latency is increasing or you can see an increase in the CloudWatch errors metric, which might be due to timeout errors

Question 19

You have two instances in separated subnets, how you failover to the other?

Answer 19

You can add a second private ip to the primary instance’s ENI that can be moved to the secondary instance. Then use load balancing to redirect traffic to the secondary instance.

Question 20

The frontend connection to an ELB has timeout. The health checks are not reaching the EC2 instances. What are the recommendation to troubleshoot?

Answer 20

First of all check a direct connection to the instances. After that verify different configuration for the health checks settings.

Question 21

After a code update your app is down. What troubleshot steps could you take?

Answer 21

. Verify the SSL certificate is not expired.
. Validate the health check is working as expected after the software update. Instances are not in service until it succeeds
. The instances do not have the correct port open. Validate connection between the load balancer and the instances.

Question 22

If a system status check for an instances has failed you can try..

Answer 22

. Stop and restart the instance
. Create an instance recovery alarm. Retrieve the system log and look for errors
. Post your issue to the Amazon EC2 forum

Question 23

What is not a feature of KMS?

Answer 23

You cannot synchronize or move/copy keys across regions. You can only define rules to allow access across regions.

Question 24

Which is a best practice to test a correct RDS implementation?

Answer 24

Test the failover for your DB instance to see how long it takes and ensure that your programmatic connection to the new database is working as expected.

Question 25

In the context of Authentication Flow for Cognito you must pass also one valid token. And also all tokens must pass the validation during the GetOpenIdToken if not the connection fails. Why?

Answer 25

Because the Identity ID you pass may not be the one that is returned.

Question 26

What is recommended to prevent users to deleting CodeCommit repositories accidentally ?

Answer 26

AWS recommends using IAM policies along with MFA-protection.

Question 27

Which feature enables API developers to generate API responses from API Gateway directly without the integration with a backend?

Answer 27

Mock Integration

Question 28

If a S3 upload of large amount of data is taking too long which feature you can use to reduce the times?

Answer 28

• Multipart upload

- Use direct connect between the on-premises and AWS VPC

Question 29

If you need to increase a value on a DynamoDb table which commands would work?

Answer 29

• ADD
• SET + :p
• SET - :p

Question 30

On a S3 versioned bucket what is true regarding encryption keys if encryption at rest server-side is enabled and the user provides also his own keys?

Answer 30

Both keys can coexist on different versions of the object but the user is responsible to track which key was used for each version.

Question 31

If you have an app growing and you need elasticity and high availability with increased compute needs how can the environment be optimized?

Answer 31

• Launch larger instances and compute optimized

Question 32

If you want to use CodeDeploy in different regions what is required?

Answer 32

• Define your app in your target regions
• copy the application bundle to a S3 bucket on each region
• deploy using either serial o parallel rollout across the regions

Question 33

What do you need to perform a blue/green deployment with elastic Beanstalk?

Answer 33

You can clone your current environment or launch a new one with the desired configuration, test the new version and then use the Swap Environment URLs to switch to the new one.

Question 34

A Stateless lambda function does not have affinity with the underlying compute resources. What happens if you want to store the state of the function?

Answer 34

The state can be stored in S3, DynamoDB or any other cloud storage

Question 35

What’d be the cause GetRecords returns empty from a Kinesis Stream even there is data?

Answer 35

There is no more data currently in the shard

Question 36

How the integration between AWS Lambda and Kinesis works?

Answer 36

AWS Lambda invokes a Lambda function using the RequestResponse invocation type (synchronous) by polling the Kinesis Stream.

Question 37

Which features provides API Gateway invoking Lambda function over HTTP?

Answer 37

• Ability to throttle individual users or request.
• Protect against DDOs attacks
• Provide a caching layer to cache response from your lambda function.

Question 38

How do CloudFormation and Elastic Beanstalk differs?

Answer 38

Cloudformation is a provisioning mechanism that supports Elastic Beanstalk, and this is for deployments only.

Question 39

How do you manage the permissions for a Lambda app to trigger a Lambda function when an image is uploaded to an S3 bucket?

Answer 39

Grant the Amazon S3 permissions (event source) to invoke the lambda function.

Question 40

If you want to use a custom domain name for your API endpoints, in addition to register it what else you must provide?

Answer 40

an SSL certificate

Question 41

Which protocols are available with IPSec to provide confidentiality?

Answer 41

DES, 3DES, AES

Question 42

What do you need to do if you receive the error Code Storage limit exceeded during the lambda execution?

Answer 42

Reduce the size of your code storage

Question 43

You want to copy an EBS-backed AMI (an snapshot) between regions, but the launched new AMI doesn’t contain the EBS snapshot, what most likely happened?

Answer 43

The EBS snapshot was encrypted and your user account doesn’t have the permissions to use the encryption key.

Question 44

Which API Gateway feature you can enable to reduce the calls made to your endpoint and improve the latency of the requests to your API?

Answer 44

API caching

Question 45

If you want to store in DynamoDB an ordered collection of values which type you must use?

Answer 45

Document

Question 46

On which cases SSL/TSL protect your data and which ones don’t ?

Answer 46

is great for encrypting server traffic , but cannot handle DDOS attacks and SQL injection.

Question 47

How you can immediately publish a lambda function version each time you create or update it?

Answer 47

Add the publish parameter in the CreateFunction or UpdateFunction requests

Question 48

If you want to start an app mobile, requiring that user have individual accounts but would only storing simple text data. Budget is a concern What solution would you use?

Answer 48

You need a backend database, DynamoDB and the ability for users to sing-in with Cognito

Question 49

A EC2 instance created from a instance store-backed AMI failed a status check. What steps would you follow?

Answer 49

• Retrieve the system log and look for errors
• Terminate the instance and launch a replacement
• Wait for Amazon EC2 to resolve the issue

Question 50

How can you encrypt data at Rest in S3?

Answer 50

• Set the server-side encryption option on upload

- Encrypt it on the client-side before uploading

Question 51

Which tasks placement supports Amazon ECS?

Answer 51

• binpack: place task based on the least available amount of CPU or memory. This minimizes the number of instances in use.
• random: place task randomly.
• spread: place tasks evenly based on the specified attribute

Question 52

What are the best approaches to migate DDoS attacks?

Answer 52

• Use security groups, acls, and host-based firewalls
• Use AWS Shield
• Use host-based or inline IDS/IPS systems

SSL/TLS (encryption) doesn’t help against these attacks

Question 53

If you want to use server-side encryption with S3 but with your own keys, what you must do?

Answer 53

Need to send the key and the algorithm of encryption with each api call

Question 54

You are experimenting spikes on traffic and the deployment of new instances is not fast enough. What is a way of not loosing submitted request due an application freeze?

Answer 54

Use Amazon SQS to delete acknowledged messages and redeliver the failed.

Question 55

What protocol is supported by AWS Lambda for authenticating in inbound API requests?

Answer 55

Signature version 4

Question 56

what provides aws cloudformation list-stacks?

Answer 56

A list of any of the stacks you have created or have been deleted up to 90 days ago.

Question 57

How you optimize performance and cost for uploading large amount of data to a principal S3 bucket from other locations on the world?

Answer 57

Utilize Cloudfront to allow customers yo upload to their closest location.
Also you can use S3 transfer accelerator on the primary bucket in the primary region.

Question 58

If you use a DynamoDB multi-region, and after a downtime users in different regions see different data. What happened?

Answer 58

The system did not include repair logic and request replay buffering logic for post-failure to re-synchronize data to the Region that was unavailable for a number of hours

Question 59

When would be useful CreateEventSourceMapping function when using Lambda or DynamoDB?

Answer 59

CreateEventSourceMapping identifies a stream as an event source for a lambda function. It can be either a Kinesis or DynamoDB stream. Lambda invokes the specified functions when records are posted to the stream.

Question 60

Which policies do you need for internal communication between an application running on a EC2 instance?

Answer 60

• An IAM trust policy that allows the EC2 instance to assume a role
• An IAM policy or S3 bucket policy that allows the role to get/put objects to the specific bucket.

Question 61

On Elastic BeanStalks workers tiers pulls job from..

Answer 61

SQS

Question 62

If you want to encrypt your data prior uploading without storing the key off premises, you have to use ..

Answer 62

CSE-C (client side encryption - customer key)

Question 63

Kinesis Firehose enables you to capture and transform data streamed from a client producer, to which data services?

Answer 63

• Kinesis Analytics
• S3
• Elastic Search
• Redshift

Question 64

What are the options to create a lambda function to be invoked through an Api Gateway?

Answer 64

You must create a deployment package, after which you have the option of uploading either locally or a S3 bucket to the API Gateway. Either from the CLI or the Lambda Console

Question 65

If you need to replicate API calls across two systems in real time, what you should use as a buffer and a transport mechanism for API call events

Answer 65

Kinesis is an event stream service. Streams can act as buffers and transport across systems for in-order programmatic events, making it ideal for replicating API calls across systems.

Question 66

Which variants of RTMP protocol does support Cloudfront?

Answer 66

RTMP
RTMPE (encrypted)
RTMPT (tunneled)
RTMPTE (tunneled encrypted)

Question 67

If you would like to sing-on AWS using third parties identity providers such as Google, Facebook etc you must use ..

Answer 67

Web Identity Federation

Question 68

On which Cloudformation section you define serverless application such as Lambda?

Answer 68

on Transform

Question 69

What will happen if you delete a unused custom deployment configuration in CodeDeploy?

Answer 69

You will no longer be able to associate the deleted deployment configuration with new deployments and new deployment groups.

Question 70

What do you need to do if CloudFormation doesn’t recognize a template change as an update?

Answer 70

You can add or modify the metadata attribute for any of your resources.

Question 71

How you can reestablish a failed connection to a new server after a period of time?

Answer 71

• Use the AWS SDK to change the default client configuration

- Use the ClientConfiguration.setConnectionTTL method

Question 72

Which service helps to achieve compartmentalization or decoupling at sending messages between different application components?

Answer 72

SQS queue

Question 73

What is recommended when you enable encryption for your RDS?

Answer 73

Determine your encryption key requirements before you create your instance.
Enable backups for your encrypted DB instances.

Question 74

What does the push sync feature in Amazon Cognito ensure?

Answer 74

It ensures that every instance of a given identity is notified when identity data changes.

Question 75

Why is not recommended that ElasticCache can be accessed from outside AWS?

Answer 75

The problem is the NAT instances:

• They are a single point of failure
• They act as proxy between clients and multiple clusters affecting cache cluster performance
• The traffic between the clients and the NAT is unencrypted.
• overhead of maintaining.

Question 76

What is a characteristic of CMKs and data keys in relation to KMS?

Answer 76

KMS uses CMK to encrypt and decrypt data. They can never leave KMS unencrypted but data keys can.

Question 77

Kinesis Streams supports resharding , which adjust the number of shards in your stream to adapt to changes in the rate of data flow. What other elements are true?

Answer 77

• The shards over the operation acts are the parents
• The resulting are the child shards
• After the resharding is called you have to wait for the stream to become active again.

Question 78

Which KMS component you can create from the IAM console?

Answer 78

KMS Customer Master Key

Question 79

How are repositories in CodeCommit encrypted?

Answer 79

They are automatically encrypted at Rest