Developing (CLI & SDK)

Question 1

How can you develop and perform AWS tasks against AWS?

Answer 1

• Using the AWS CLI on our local computer
• Using the AWS CLI on our EC2 machines
• Using the AWS SDK on our local computer
• Using the AWS SDK on our EC2 machines
• Using the AWS Instance Metadata Service for EC2

Question 2

What is CLI?

Answer 2

The AWS Command Line Interface (CLI) is a unified tool to manage your AWS services. With just one tool to download and configure, you can control multiple AWS services from the command line and automate them through scripts

Question 3

What is your first step to use the CLI on your computer?

Answer 3

Download and install it. Run aws –version to see if it was installed successfully

Question 4

What you need to do if you want to upgrade your CLI on your computer?

Answer 4

Download it and install it once again

Question 5

What is your next step after you install CLI on your computer?

Answer 5

Download an access key from your IAM user

Question 6

What is your next step on CLI after you installed and downloaded your access key on your computer?

Answer 6

1- You need to run “aws configure” in your pc console.
2- type your access key (id and secret) downloaded
3- type the default region
4- type the default format or leave empty

Question 7

How can you use CLI on your EC2 instances (the bad way)?

Answer 7

you could run “aws configure” just like you do on your personal computer

Question 8

How can you use CLI on your EC2 instances (the right way)?

Answer 8

you can attach an IAM Role to your EC2 instances. IAM Rol can come with a policy authorizing exactly what the EC2 instance should be able to do

Question 9

In general terms what you need to do if you want your EC2 instance to perform something?

Answer 9

Use IAM Roles!! Never put your credentials there!

Question 10

How can you test your IAM policies?

Answer 10

Using AWS Policy Simulator

Question 11

What is EC2 Instance Metadata?

Answer 11

Instance metadata is data about your instance that you can use to configure or manage the running instance

Question 12

How can you retrieve your Instance metadata?

Answer 12

You must run from your terminal curl http://169.254.169.254/latest/meta-data/
Ending in / is a folder, otherwise a file

Question 13

What can you not retrieve from the Instance metadata?

Answer 13

The IAM policies

Question 14

Do you need an IAM role to access your instance metadata?

Answer 14

No needed

Question 15

What is AWS SDK?

Answer 15

The software development kit (SDK) helps make AWS applications and services available to your applications across many devices and operating systems without using the CLI

Question 16

How many SDKs are?

Answer 16

A lot, because there are un-official SDKs as well

Question 17

What region is used by default by SDK?

Answer 17

us-east-1

Question 18

What happens behind scenes when you configure the CLI in your computer?

Answer 18

A directory is created at ~/.aws/credentials where all the information is stored

Question 19

What you should do for intermittent errors received from API Rate Limits?

Answer 19

Exponential Backoff

Question 20

How works retry mechanism in Exponential Backoff?

Answer 20

You set a constant and use exponential values i.e.

• for 2: 1, 2, 4, 8, 16, 32…
• for 3: 1, 3, 9, 27, 81, 243…

Question 21

What are the 2 types of AWS Limits (Quotas)?

Answer 21

• API Rate Limits

- Service Quota Limits

Question 22

Explain technology stack for CICD on AWS

Answer 22

use CodePipeline to orchestrate = CodeCommit + CodeBuild + CodeDeploy

Question 23

If after installing the AWS CLI, regardless the OS you are using, you use it and you get the error “aws: command not found”, what does that mean?

Answer 23

Means the aws executable is not in the PATH environment variable

Question 24

What you get if you type aws configure again in your terminal?

Answer 24

You get the current configuration:
1- access key id
2- secret access key
3- default region
4- default format

Question 25

What is created behind scenes when you run aws configure on your terminal?

Answer 25

a new directory is created in ~/.aws with two files:

• config: region
• credentials: access keys

Question 26

What is the cardinality between IAM Roles and EC2 instances?

Answer 26

1 IAM Role can be used by many instances but an instance can only have 1 IAM Role

Question 27

What is –dry-run?

Answer 27

It is an option to make sure we have the permissions… but not actually run the commands!
Some AWS CLI commands (such as EC2) can become expensive if they succeed, say if we wanted to try to create an EC2 Instance.

Question 28

Can you use –dry-run on any CLI API call?

Answer 28

not all commands support it

Question 29

What message do you get when you use –dry-run option in your command?

Answer 29

An error occurred (DryRunOperation) when calling the COMMAND operation: Request would have succeeded, but DryRun flag is set.

Question 30

What can you use to decode a long error message from executing an API call?

Answer 30

The STS command line “sts decode-authorization-message –encoded-message MESSAGE_TOKEN”

Question 31

What you must do on your EC2 instance to execute “sts decode-authorization-message –encoded-message MESSAGE_TOKEN” command from the instance CLI?

Answer 31

You need first to update the role policy to grant permission to execute sts:DecodeAuthorizationMessage

Question 32

What if you want to use more than one account from your terminal CLI?

Answer 32

You can use profiles

Question 33

How can I use a different account from my terminal CLI?

Answer 33

By running aws configure –profile MY_OTHER_ACCOUNT.
This will allow you to configure a new bracket in your ~/.aws directory, something like:
[default]
aws_access_key_id = dk43jkkj43j4334k
aws_secret_access_key = dasdfew32332fek43jkkj43j43ASA34kdsrere
[MY_OTHER_ACCOUNT]
aws_access_key_id = dk43jkkj43j4334k
aws_secret_access_key = dasdfew32332fek43jkkj43j43ASA34kdsrere

Question 34

What happens if I execute a command from my terminal CLI and I have more than one profile set?

Answer 34

the default profile is use. If you want to use another profile you must specify –profile MY_OTHER_ACCOUNT at the end of the command

Question 35

What is the command to create MFA temporary session from CLI?

Answer 35

You must run STS GetSessionToken API call using the command:
aws sts get-session-token –serial-number ARN_OF_THE_MFA_DEVICE –token-code MFA_CODE –duration-seconds #MS

Question 36

What you must do to use temporary credentials returned by GetSessionToken CLI’s API call?

Answer 36

You need to use it with profiles using aws configure –profile mfa and specifying the access key id and the secret access key returned.

Question 37

Once you have created a MFA profile in your CLI what is your last step to make it work?

Answer 37

You need to modify the file ~/.aws/credentials and add the session token to the file

Question 38

What is API Rate Limit for DescribeInstances API call on EC2?

Answer 38

100 calls per second

Question 39

What is API Rate Limit for GetObject API call on S3?

Answer 39

5500 GET per second per prefix

Question 40

What you should do for consistent errors received from API Rate Limits?

Answer 40

request an API throttling limit increase

Question 41

What is the Service Limit for running on-demand instances?

Answer 41

1152 vCPU

Question 42

What can you do if you need a service limit increase?

Answer 42

open a ticket

Question 43

What can you do if you need a service quota increase?

Answer 43

you can use the Service Quotas API

Question 44

What can you do if you get ThrottlingExceptions?

Answer 44

Exponential Backoff

Question 45

What has the highest priority in terms of Credentails Providers when using CLI?

Answer 45

the command line options:

• -region
• -output
• -profile

Question 46

What has the highest priority in terms of Credentails Providers when using SDK or CLI without command line options?

Answer 46

Environment variables:
CLI:
a. AWS_ACCESS_KEY_ID
b. AWS_SECRET_ACCESS_KEY
c. AWS_SESSION_TOKEN
SDK:
a. AWS_ACCESS_KEY_ID
b. AWS_SECRET_ACCESS_KEY

Question 47

What has the second highest priority in terms of Credentails Providers when using SDK or CLI without command line options?

Answer 47

~/.aws/credentials file and ~/.aws/config file (just CLI)

Question 48

What has the lower priority in terms of Credentails Providers when using SDK or CLI without command line options?

Answer 48

Container credentials (ECS) and last Instance Profile Credentials (EC2 Instances Profiles)

Question 49

What is best practice for Credentials when working within AWS?

Answer 49

IAM Roles:
=> EC2 Instances Roles for EC2 Instances
=> ECS Roles for ECS tasks
=> Lambda Roles for Lambda functions

Question 50

What is best practice for Credentials when working outside AWS?

Answer 50

• Environment variables

- Named profiles

Question 51

What is used for SigV4?

Answer 51

to add authentication information to AWS requests sent by HTTP

Question 52

What options can you use when using SigV4?

Answer 52

• HTTP Header

- Query String (S3 pre-signed URLs)

Question 53

How do you sign the HTTP requests when using the CLI or SDK?

Answer 53

requests are signed for you in this case, otherwise you must use SigV4