Developer Associate Flashcards

1
Q

What additional logging can be enabled in S3?

A

Object-level logging to CloudTrail

Server access logging - log files delivered to another bucket

Storage, request and data-transfer metrics in CloudWatch. Storage metrics are free.

2
Q

What is an ACL in S3?

A

Access Control List.

Is set per object.

Can grant access to the object, including public and cross-account access

Putting an object’s ACL requires a different permission - you can’t do it with s3:PutObject alone

3
Q

What happens if you attempt to put a public object in an S3 bucket where public access settings do not allow public objects?

A

Forbidden error

4
Q

When are headers required when uploading an object that requires encrypting to S3?

Describe the headers used when uploading an object to S3 that is to be encrypted

A

Use the headers if you’re not using default encryption - if you are, you don’t need the headers.

You can enforce encryption without using default encryption by using a bucket policy that rejects requests that don’t have the headers. The headers look like this:

x-amz-server-side-encryption: AES256
x-amz-server-side-encryption: aws:kms

5
Q

What CORS configurations are available for S3?

A

AllowedOrigin

AllowedMethod (e.g. GET)

MaxAgeSeconds (how long browser should cache preflight request)

AllowedHeader (e.g. x-amz-*)

6
Q

How can you optimise GETTING objects from S3 when you have a lot of requests?

A

Use CloudFront

7
Q

How can you optimise PUTTING objects into S3 when you have a lot of requests?

A

Random prefixes to distribute across partitions

but this is not really necessary now that there are higher limits

8
Q

What are the S3 limits for GET and PUT?

A

GET - 5,500 requests per second

PUT - 3,500 requests per second

9
Q

What are the two types of ARN for lambda functions?

A

Unqualified - without version

Fully qualified - with version, e.g. 1 or $LATEST

10
Q

Are lambda functions immutable?

A

Yes - once published they cannot be changed. Publishing a new version results in a new version number

11
Q

How can lambda traffic be split using aliases?

A

Using a percentage between a maximum of 2 aliases.

$LATEST cannot be used, it must be a specific version

12
Q

Do step functions support branching and parallel steps?

A

Yes. Can also define retry behaviour

13
Q

How is a state machine described in step functions?

A

Amazon States Language (JSON)

14
Q

What are the components of X-Ray?

A

X-Ray API - hosted by Amazon

X-Ray daemon - can run on a server, sends data to the API

X-Ray SDK and CLI - send data to the daemon and/or API (other AWS tools might do this too)

15
Q

What tools does the X-Ray SDK provide?

A

SDK provides ways to hook in X-ray:

Interceptors to trace incoming HTTP requests

Client handlers to track calls via AWS SDK

HTTP client

16
Q

Which services are automatically integrated with X-ray?

A

Lambda

API Gateway

EC2

ELB

Elastic Beanstalk

17
Q

Describe the default throttling limits for API Gateway

A

10,000 requests per second across all APIs in account

5,000 concurrent requests at once across all APIs in account

Exceeding these will result in “429 too many requests” responses

E.g. 10,000 requests in one millisecond - only 5,000 served. 10,000 spread evenly over 1 second - all served.

5,000 in 1 millisecond and 5,000 spread over the other 999 milliseconds - all requests served

Limits can be adjusted for a cost

18
Q

What support does API Gateway offer for SOAP?

A

SOAP web service passthrough can be used with API Gateway for legacy services

19
Q

What does SOAP stand for?

A

Simple Object Access Protocol

20
Q

What is a KMS CMK?

A

Customer Master Key

Used for encrypting data up to 4KB

Typically used to encrypt data keys that are managed outside of KMS

21
Q

Describe how key material can be created for KMS CMKs

A

KMS can generate it for you

Import your own: download the wrapping public key from KMS, encrypt your key material with it, then upload the encrypted material

22
Q

Can you export KMS keys?

A

No - you would need to use CloudHSM to do this

23
Q

What do KMS key policies do?

A

Allow you to set permissions for who can use and edit the key. It’s possible to completely lock yourself out - would need to contact AWS Support to get back in

24
Q

Are KMS keys regional?

A

Yes

25
Q

Can you delete KMS keys?

A

Deletion can be scheduled, but you have to wait a minimum period of 7 days

26
Q

Describe some common CLI calls for KMS

A

aws kms encrypt

aws kms decrypt

aws kms re-encrypt (decrypts existing ciphertext and re-encrypts it under a new target key - this all happens server-side, so no plaintext is exposed - the value passed in must come from a previous Encrypt or GenerateDataKey call)

aws kms enable-key-rotation (results in new backing key material each year)

27
Q

What is Web Identity Federation?

A

Allows access to AWS resources after authenticating with a web-based identity provider (e.g. Facebook or Google)

User authenticates with the provider and receives an authentication code, which is then traded for short-term AWS credentials

This can be handled through Amazon Cognito (an identity broker) - e.g. a mobile app needs to access S3: the app signs the user in via Facebook and Cognito, gets AWS creds, and then accesses S3 directly.

No need to embed credentials

28
Q

Describe Cognito identity and user pools

A

User pools - provides JWTs on successful authentication. Can use with web-based identity providers

Identity pools - provide short-lived AWS credentials to identities. They integrate with an identity provider, which can be a Cognito user pool

29
Q

Describe Cognito push synchronisation

A

Push synchronisation - uses SNS to send a silent push notification to sync user data across all devices they are associated with

30
Q

What is STS assume-role-with-web-identity?

A

Provides temporary credentials for a user authenticated with a web identity provider (e.g. Facebook or Cognito user pools)

Cognito identity pools use this under the covers

The response from this call gives you an ARN and ID for the “role” - but this isn’t an IAM role, just a way to programmatically refer to this temporary set of credentials

Response also contains actual credentials (key and secret) to use

The provider would have to be configured in IAM first to get credentials!

31
Q

What does each Kinesis shard provide in terms of capacity?

A

READ: 5 transactions per second, up to 2 MB per second

WRITE: 1,000 transactions per second, up to 1 MB per second (including partition key)

32
Q

How does Kinesis decide which partition data goes in?

A

Kinesis uses partition key to decide which shard data should go in. Apps must define a partition key when putting data into a stream

33
Q

How does lambda/kinesis integration work?

A

In terms of Lambda integration, Lambda polls Kinesis and processes per shard (so blocking is per shard if there’s an error). This is configured with an event source mapping, as it is for SQS and DynamoDB. Lambda is invoked synchronously in these cases

34
Q

What does the elastic beanstalk managed platform updates feature do?

A

Apply OS patches and runtime environment patches (e.g. Java)

35
Q

Can a single elastic beanstalk app have multiple environments?

A

Yes

36
Q

What are the 4 deployment policies available in elastic beanstalk?

A

All at once - new version deployed to all instances at same time - instances out of service while this is happening - rollback involves deploying previous code

Rolling - deploy to batch of instances at a time

Rolling with additional batch - an extra batch is launched to compensate for the out-of-service batch that is being updated

Immutable - new instances started in a new ASG, and once health checks have passed the instances are moved to the initial ASG

37
Q

How can an elastic beanstalk environment be configured in source code?

A

An Elastic Beanstalk environment can be customized with YAML files, named whatever you like but with a .config extension, saved in a folder called .ebextensions in the top-level directory of the app source code. They can do things like create Linux users/groups, run shell scripts, and configure the load balancer (e.g. configure the health check).

38
Q

How can RDS be used with elastic beanstalk?

A

Coupled deployment: RDS can be deployed from Elastic Beanstalk, but this is not always a good idea as the lifecycle of the DB is then tied to the app (i.e. if the app is deleted, the RDS DB will be too)

Decoupled deployment: spin the database up in RDS separately. You will need to open security group rules and provide the connection string to Elastic Beanstalk

39
Q

What is the maximum message size in SQS?

A

256KB

40
Q

What is the maximum long poll timeout in SQS?

A

20 seconds

41
Q

Which API call is used to change message visibility in SQS?

A

ChangeMessageVisibility API call is used to change the message visibility

42
Q

What are the 2 consistency models for dynamoDB?

A

Eventually consistent reads (the closest replica’s data is returned first) - best read performance

Strongly consistent reads (all replicas evaluated and the newest data returned) - reflects all writes that received a successful response

43
Q

What is the structure of data in dynamoDB?

A

Table
Item
Attribute (key/value pairs)

44
Q

What are the two types of primary key in DynamoDB?

A

Partition key (unique attribute, e.g. user id) - put into internal hash function to determine partition where data will be physically stored. If using this as primary key, no two items can have same partition key

Composite key - partition + sort keys. Must be unique overall, so can use same partition key for multiple items but must have different sort keys

45
Q

Where are partition and sort keys stored for DynamoDB items?

A

The partition and sort keys are just attributes on items

46
Q

Should you have many or few partition keys in DynamoDB?

A

It’s good practice to use high-cardinality attributes for partition keys (e.g. OrderID)

47
Q

How can IAM be used for item-level security in dynamoDB?

A

IAM conditions can be used to lock down access to specific records

Condition would be ForAllValues and look at dynamodb:LeadingKeys - which is the partition key

Can also use dynamodb:Attributes to lock down access to specific attributes

48
Q

What are the supported document formats of DynamoDB?

A

JSON, HTML and XML

49
Q

What are the two types of index in DynamoDB?

A

Local secondary index:

Maintains an additional sort key for a given partition key

(If querying using the partition key, the main table can be used, as the partition key determines the physical storage location)

If querying using the sort key, a local secondary index can be used to speed things up

Each local secondary index must specify a partition key - it can only work on one partition. You can create multiple indexes, though

This index must be created when the table is created - it can’t be created, removed or altered afterwards

Global secondary index:

Uses any specified partition and sort key (as in - the index has its own partition/sort keys that can be defined from any property)

Sort key is optional

Can be added/removed/altered any time

50
Q

What is an attribute projection in DynamoDB indexes?

A

Where attributes from items are copied into the index. Can have anywhere between 0 and all attributes copied over.

51
Q

How is throughput specified for DynamoDB indexes?

A

Local secondary index - shares throughput with table

Global secondary index - has its own

52
Q

How does having a local secondary index affect write performance?

A

There are two writes for every write operation - one for the table, one for the index

53
Q

Which consistency models does each type of index support in DynamoDB?

A

Local - both

Global - eventual only

54
Q

How are global secondary indexes kept in sync with the table in DynamoDB?

A

Asynchronously

55
Q

What is the maximum total size of items in a single partition that a local secondary index can support?

A

10GB

56
Q

Describe the properties of a Query in DynamoDB

A

Query - uses a primary key and a list of attributes you wish to read (specified with the ProjectionExpression parameter)

Can use an optional sort key name and value to refine the results

Results always ordered by sort key (numbers ascending, strings by ASCII character code values)

Can reverse the order by setting the ScanIndexForward parameter to false

Eventually consistent by default - need to explicitly set query to be strongly consistent

Can use global secondary indexes - name of index must be specified in Query call

Can also Query local secondary indexes - again have to specify name of index in call

57
Q

Describe the properties of a Scan in DynamoDB

A

Scan - examines every item in the table. Can define a list of attributes you wish to read (specified with the ProjectionExpression parameter)

Careful - a single scan could use up all provisioned capacity for a table, causing other requests to be throttled

By default, returns 1MB of data at a time

Can only scan one partition at a time

Scans can use local secondary indexes and global secondary indexes - need to specify index name in Scan call

58
Q

What are the preferred alternatives to Scan in DynamoDB?

A

GetItem - gets an item based on a given primary key

BatchGetItem - gets items from one or more tables based on primary keys

Query - queries based on partition key rather than full primary key, so it can return multiple items from a single table

59
Q

How can you optimize reads in DynamoDB?

A

Can use a smaller page size (resulting in fewer read operations per request) - will allow other requests to succeed without throttling

Avoid scans if possible - use Query, GetItem or BatchGetItem APIs

Use parallel scans - divides table or index into logical segments and scans them in parallel (you provide Segment and TotalSegments parameters to Scan call - Segment is a number starting at 0 - dynamoDB will figure out the splitting of segments, but you are responsible for running the scans in parallel)

60
Q

Describe DynamoDB capacity units

A

1x write capacity unit is 1 write of up to 1 KB per second

1x read capacity unit is 1 strongly consistent read of up to 4 KB per second, or 2 eventually consistent reads of up to 4 KB per second

When calculating capacity units, round up, as you’re billed to the nearest KB used

61
Q

What is the “on-demand” pricing model for DynamoDB?

A

In addition to provisioned capacity, you can also select on-demand, where DynamoDB automatically scales up and down depending on activity. Great for unpredictable or spiky workloads

62
Q

How many times can you switch between provisioned capacity and on-demand pricing models per day in DynamoDB?

A

Once per day

63
Q

Is pricing model per table in DynamoDB?

A

LOOK THIS UP

64
Q

What is DAX for DynamoDB?

A

Write-through caching service (data written to cache at same time as store)

Your app will send DynamoDB API calls to DAX cluster instead of DynamoDB

Might result in being able to reduce provisioned read capacity

65
Q

What consistency model does DAX support?

A

Only supports eventually consistent reads (NOT strongly consistent)

66
Q

What sort of data and calls will DAX cache?

A

DAX will cache negative (null) results

It will cache Query, Scan, GetItem and BatchGetItem results

67
Q

What is ACID?

A

ACID - Atomic, Consistent, Isolated, Durable

68
Q

Are DynamoDB transactions supported across multiple tables?

A

Yes

69
Q

How might you use a DynamoDB transaction?

A

Can use it to check for a prerequisite before writing (e.g. check a bank account has sufficient funds before moving money)

70
Q

What is DynamoDB global tables?

A

Allows for multi-region, multi-master database

71
Q

How do you create a global table in DynamoDB?

A

Create tables in each region and then use global tables to replicate data between them

72
Q

How do global tables keep data in sync?

A

Keeps track of state by creating attributes on each item:

aws:rep:deleting
aws:rep:updatetime
aws:rep:updateregion

73
Q

What’s the consistency model for global tables?

A

Last writer wins

74
Q

What write consistency models do global tables support in DynamoDB?

A

Doesn’t support strong consistency - if an app requires this it must do all reads/writes from a table in a single region

75
Q

How does DAX interact with global tables?

A

Any DAX clusters in a region won’t be aware of global replication

76
Q

How do transactions interact with global tables?

A

Transactions are supported but disabled by default - must contact AWS Support to enable them

77
Q

What are the default provisioned capacity values of global secondary indexes in DynamoDB?

A

Global secondary indexes inherit the base table’s provisioned capacity units by default

78
Q

Describe TTL in DynamoDB

A

Can set TTL for an item. Item will be deleted when TTL expires

TTL is expressed in epoch time format

You must define the item attribute that contains the TTL

If streams are enabled, you effectively have a 24h backup for TTL-deleted items

79
Q

What is DynamoDB streams?

A

Time-ordered sequence of item-level modifications

Encrypted and stored for 24h

Accessed using a dedicated endpoint

By default the primary key is recorded

Before and after images can be captured

Can be used to trigger lambda functions (lambda polls this - event sourcing)

80
Q

Are DynamoDB streams encrypted?

A

Yes

81
Q

What does a ProvisionedThroughputExceededException mean?

A

Occurs when the request rate is too high for the provisioned read/write capacity

The SDK automatically retries requests until successful, and also supports exponential back-off

If not using the SDK, you can reduce the request frequency

Remember - the size of a request could also exceed provisioned throughput

82
Q

What are the max capacity limits for DynamoDB?

A

Both on-demand and provisioned have default limits of 40,000 read and 40,000 write capacity units per table

80,000 read and 80,000 write units per account

83
Q

What is the max item size in DynamoDB?

A

Max item size: 400 KB (this includes all attributes and local secondary index data if applicable)

No limit on number of attributes - but they must fit within maximum item size

84
Q

What is the maximum nested attribute depth in DynamoDB?

A

Max nested attribute depth: 32

85
Q

Describe Memcached in ElastiCache

A

Object caching

Multi-threaded

Not multi-AZ

86
Q

Describe Redis in ElastiCache

A

Key-value store

Supports complex structures: sorted sets and lists

Multi-AZ (master/slave)

87
Q

What is the lazy loading pattern of accessing a cache?

A

App will request from cache first, and if null is returned it will go to DB, get the result, and then save to cache

Advantage: only requested data is cached

Disadvantage: cache miss penalty

88
Q

What is the write-through pattern of accessing a cache?

A

App will save to cache on every write

Advantage: reduced cache misses

Disadvantage: write penalty, and wasted resources if some data in cache is never requested

89
Q

Can the lazy loading and write-through patterns for caching be used together?

A

Could use both in conjunction with each other (e.g. if node fails and is re-created, you’ll need lazy loading to repopulate cache)

90
Q

Is data encrypted at rest in CodeCommit?

A

Yes

91
Q

What protocols can be used to access CodeCommit?

A

HTTPS

SSH

92
Q

What deployment targets does CodeDeploy support?

A

EC2
On-premises
ECS
Lambda