Dev with AWS Flashcards
What is a Gateway Load Balancer
A Gateway Load Balancer helps you to deploy, scale, and manage your third-party appliances, such as firewalls, intrusion detection and prevention systems, and deep packet inspection systems. It provides a gateway for distributing traffic across multiple virtual appliances while scaling them up and down based on demand.
What are the three components of Amazon EC2 Auto Scaling?
One component is a launch template or a launch configuration you can use as a configuration template for the EC2 instances. Another component is an Amazon EC2 Auto Scaling group you can use to specify your minimum, maximum, and desired capacity of your instances. The third component refers to scaling policies you can use to configure a group to scale based on the occurrence of specified conditions or on a schedule.
Users in a company are authenticated in the corporate network, and they want to use AWS services without signing in again. Which AWS authentication option should the company use?
Instead of creating an IAM user for each employee that needs access to an AWS account, you should use IAM roles to federate users.
What are the main components that make up Elastic Load Balancing (ELB)?
The ELB service is made up of these main components: rules, listeners, and target groups. Listeners will contain rules, which are used by the listeners to route requests to the target groups.
What is Transfer Acceleration?
Transfer Acceleration significantly reduces the upload time to S3. Take note that the name of the bucket used for Transfer Acceleration must be DNS-compliant and must not contain periods (“.”).
When to use IAM Policy for S3?
You need to control access to AWS services other than S3. IAM policies will be easier to manage since you can centrally manage all of your permissions in IAM, instead of spreading them between IAM and S3.
You have numerous S3 buckets each with different permissions requirements. IAM policies will be easier to manage since you don’t have to define a large number of S3 bucket policies and can instead rely on fewer, more detailed IAM policies.
You prefer to keep access control policies in the IAM environment.
When to use a S3 Bucket Policy?
You want a simple way to grant cross-account access to your S3 environment, without using IAM roles.
Your IAM policies bump up against the size limit (up to 2 KB for users, 5 KB for groups, and 10 KB for roles). S3 supports bucket policies of up to 20 KB.
You prefer to keep access control policies in the S3 environment.
You want to apply common security controls to all principals who interact with S3 buckets, such as restricting the IP addresses or VPC a bucket can be accessed from.
Is the “Principal” needed in an IAM Policy for S3?
No. The S3 bucket policy includes a “Principal” element, which lists the principals that bucket policy controls access for. The “Principal” element is unnecessary in an IAM policy, because the principal is by default the entity that the IAM policy is attached to.
What are the 3 types of server side encryption (SSE) that S3 allows?
SSE-S3 - S3 Managed Keys, SSE-KMS - AWS KMS, and SSE-C - customer provided keys.
DAX vs. ElastiCache?
DAX is for DynamoDB only. Simple to implement. ElastiCache can be used for DynamoDB or Relational DBs. You have to reconfigure the app to use it.
What are the 3 request headers for SSE-C?
x-amz-server-side-encryption-customer-algorithm - This header specifies the encryption algorithm. The header value must be “AES256”.
x-amz-server-side-encryption-customer-key - This header provides the 256-bit, base64-encoded encryption key for Amazon S3 to use to encrypt or decrypt your data.
x-amz-server-side-encryption-customer-key-MD5 - This header provides the base64-encoded 128-bit MD5 digest of the encryption key according to RFC 1321. Amazon S3 uses this header for a message integrity check to ensure the encryption key was transmitted without error.
What is AssumeRoleWithWebIdentity?
The AssumeRoleWithWebIdentity API operation returns a set of temporary security credentials for federated users who are authenticated through a public identity provider. Examples of public identity providers include Login with Amazon, Facebook, Google, or any OpenID Connect (OIDC)-compatible identity provider. This operation is useful for creating mobile applications or client-based web applications that require access to AWS. Using this operation means that your users do not need their own AWS or IAM identities.
What is Athena?
interactive query service to analyze and query data located in S3 using SQL.
serverless - pay per query / TB scanned
ETL processes not needed
commonly used to query log data in S3
What is Macie?
security service which uses ML and NLP to discover, classify and protect sensitive data stored in S3.
uses AI to identify PII and flag suspicious API activity, which helps prevent identity theft (relevant to PCI-DSS)
What AWS Service is ideal for data lakes?
S3
Why would you get inconsistent results from a deleted object in S3?
because S3 has eventual consistency for overwrite PUTS and DELETES
What is S3 Object Lambda?
allows you to add your own code to S3 GET requests to modify and process data as it’s being returned to an application. This feature is designed for use cases where data needs to be transformed on-the-fly without the need to store a transformed copy of the data. It’s useful in scenarios like filtering rows, redacting confidential data, dynamically resizing images and other similar situations where data transformation or processing is required during data retrieval.
Which storage has lower latency, block or object?
Block because you only have to update part of the storage while object storage you would have to replace the whole object.
What is EFS?
Elastic File System - is a set-and-forget file system that automatically grows and shrinks as you add and remove files. There is no need for provisioning or managing storage capacity and performance. Amazon EFS can be used with AWS compute services and on-premises resources. You can connect tens, hundreds, and even thousands of compute instances to an Amazon EFS file system at the same time, and Amazon EFS can provide consistent performance to each compute instance. EFS offers four storage classes, where you pay for only the storage you use based on the storage class.
What is Amazon FSx?
Amazon FSx is a fully managed service that offers reliability, security, scalability, and a broad set of capabilities that make it convenient and cost effective to launch, run, and scale high-performance file systems in the cloud. With Amazon FSx, you can choose between four widely used file systems: Lustre, NetApp ONTAP, OpenZFS, and Windows File Server. You can choose based on your familiarity with a file system or based on your workload requirements for feature sets, performance profiles, and data management capabilities.
SNS vs. EventBridge?
Use SNS when:
Supports a handful of different targets, including SQS and Lambda.
You can’t filter messages by their content. You can only filter by message attributes and are limited to just 10 attributes per message.
You want to publish messages to MANY different subscribers with a single action
Require high throughput and reliability for publishing and delivery to consumers
Have many subscribers
Use Eventbridge when:
Supports a total of 20 target types at the time of writing! The list includes the likes of SNS, SQS, Kinesis, ECS, Lambda as well as EventBridge on another AWS account.
Gives you a way to pattern match against the event content.
Can discover and keep a schema registry. Can transform the event before passing it on.
You want to publish messages to many subscribers, and use the event data itself to match targets interested in certain patterns.
Want integration with other SaaS providers such as Shopify, Datadog, Pagerduty, or others
Want to easily discover schemas that other teams produce and incorporate them into your application.
You want to use regularly scheduled events using a cron-like expression to periodically send messages to your event bus.
You want to create one-time events that fire at a specific time.
What is CodeArtifact?
AWS CodeArtifact is a secure, highly scalable, managed artifact repository service that helps organizations to store and share software packages for application development. You can use CodeArtifact with popular build tools and package managers such as the NuGet CLI, Maven, Gradle, npm, yarn, pip, and twine.
What is Inspector?
an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. It doesn’t have the ability to capture IP traffic of your VPC.
What is Trusted Advisor?
provides recommendations that help you follow AWS best practices. Trusted Advisor evaluates your account by using checks. These checks identify ways to optimize your AWS infrastructure, improve security and performance, reduce costs, and monitor service quotas.
MemoryDB for Redis vs. ElastiCache for Redis?
Amazon ElastiCache for Redis is a fully managed in-memory caching service, typically used as a low-latency cache in front of a durable database service such as Amazon Aurora or Amazon DynamoDB to minimize data loss. However, this setup requires you to introduce custom code in your applications to keep the cache in sync with the database. You’ll also incur costs for running both a cache and a database.
Amazon MemoryDB for Redis is a new Redis-compatible, durable, in-memory database. MemoryDB makes it easy and cost-effective to build applications that require microsecond read and single-digit millisecond write performance with data durability and high availability.
Instead of using a low-latency cache in front of a durable database, you can now simplify your architecture and use MemoryDB as a single, primary database. With MemoryDB, all your data is stored in memory, enabling low latency and high throughput data access.
What is Elastic Beanstalk worker environment?
Elastic Beanstalk manages the Amazon SQS queue and runs a daemon process on each instance that reads from the queue for you. When the daemon pulls an item from the queue, it sends an HTTP POST request locally to http://localhost/ on port 80 with the contents of the queue message in the body. All that your application needs to do is perform the long-running task in response to the POST. You can configure the daemon to post to a different path, use a MIME type other than application/JSON, connect to an existing queue, or customize connections (maximum concurrent requests), timeouts, and retries.
Also can define periodic tasks that add jobs to your worker env’s queue automatically at a regular interval.
What are the two tiers in Elastic Beanstalk?
Web Server Environment and Worker Environment.
What is an elastic network interface?
a logical networking component in a VPC that represents a virtual network card (includes IP addresses and security groups). A single EC2 instance can now be attached to two ENIs, each one on a distinct subnet. The ENI (not the instance) is now associated with a subnet.
What is Envelope Encryption?
encrypt plaintext data with a data key and then encrypt the data key with a top-level plaintext master key. Because the master key is stored in KMS, it’s safe and can be used in many envelope encrypted sets of data.
What is GenerateDataKeyWithoutPlaintext?
it’s identical to the GenerateDataKey operation except that it does not return a plaintext copy of the data key.
What is GenerateDataKey?
Returns a unique symmetric data key for use outside of KMS. This operation returns a plaintext copy of the data key and a copy that is encrypted under a symmetric encryption KMS key that you specify.
What are the Lambda invocation types? Which is default?
By default, Lambda invokes your function synchronously (i.e. the InvocationType is RequestResponse). To invoke a function asynchronously, set InvocationType to Event.
What is Lambda Traffic shifting?
create different versions of your function and then shift traffic between two versions based on weights (%) that you assign. Creating an alias gives you the option to do this.
What is Step Functions?
a fully managed service that you can use to coordinate the components of distributed applications and microservices using VISUAL WORKFLOWS. You build small applications that each perform a discrete function (or step) in your workflow, which means that you can scale and change your applications quickly. Think of it as: first this function runs, which invokes another function, which invokes two more functions to complete a series of steps in your workflow.
Step Functions is based on state machines and tasks. A state machine is a workflow. A task is a state in a workflow that represents a single unit of work performed by another AWS service. Each step in a workflow is a state.
What are the two types of State Machine Workflows?
When you create a state machine, you can select either a Standard (default) or Express Workflow. In both cases, you define your state machine using the Amazon States Language (JSON based). Your state machine workflow runs will behave differently depending on which option you select. You cannot change the workflow type after you have created your state machine.
Standard Workflows are ideal for long-running, durable, and auditable workflows.
Express Workflows are ideal for high-volume, event-processing workloads such as IoT data ingestion, streaming data processing and transformation, and mobile application backends. There are two types of Express Workflows, asynchronous and synchronous.
What is Simple Workflow (SWF)?
A web service that makes it easy to coordinate work across distributed application components.
In Amazon SWF, tasks represent invocations of logical steps in applications. Tasks are processed by workers which are programs that interact with Amazon SWF to get tasks, process them, and return their results.
The coordination of tasks involves managing execution dependencies, scheduling, and concurrency in accordance with the logical flow of the application.
Why use Web Identity Federation?
build your app so that it requests temporary AWS security credentials dynamically when needed using web identity federation. The supplied temporary credentials map to an AWS role that has only the permissions needed to perform the tasks required by the mobile app.
you don’t need to create custom sign-in code or manage your own user identities. Instead, users of your app can sign in using a well-known external identity provider (IdP), such as Login with Amazon, Facebook, Google, or any other OpenID Connect (OIDC)-compatible IdP.
How would you use Web Identity Federation without Cognito?
Without Cognito, you must write code that interacts with a web IdP, such as Facebook, and then calls the AssumeRoleWithWebIdentity API to trade the authentication token you get from those IdPs for AWS temporary security credentials.