DevOps Flashcards

1
Q

What’s the Ref function used for with CloudFormation?

A

An intrinsic function of CloudFormation that receives a logical ID as input and returns:

  • for parameters: the value of the parameter
  • for resources: the physical ID (mostly; it can also be something different, e.g. for Elastic IPs it’s the IP address)
2
Q

What’s the GetAtt function used for with CloudFormation?

A

Returns the value of an attribute for a given resource (input is the logical ID of the resource).

3
Q

What does this CloudFormation statement do?

!Select [ 0, !GetAZs '' ]

A

Returns all AZs for the current region ('') and picks the first one in the list.

Note: it returns only Availability Zones that have a default subnet, unless none of the Availability Zones has a default subnet; in that case, all Availability Zones are returned.

4
Q

What’s the problem with this CloudFormation definition?

MyElasticIP:
  Type: AWS::EC2::EIP
  Properties:
  […]

A

It doesn’t have a DependsOn attribute. Since Elastic IPs depend on the existence of an Internet Gateway, this CloudFormation definition could lead to a failure. A better definition would look like this:

MyElasticIP:
  Type: AWS::EC2::EIP
  DependsOn: InternetGatewayAttachment
  Properties:
  [...]
5
Q

What’s the resource limit for a single CloudFormation stack?

A

500

6
Q

What’s the key difference between Nested Stacks and Cross-Stack References in CloudFormation?

A

Nested Stacks allow re-using templates, for instance to create a specific VPC structure. Cross-Stack References instead re-use the actual resources created by a stack, rather than the template.

Use Nested Stacks when all resources belong together and therefore should be spun up and torn down together. Use Cross-Stack References instead when there is an existing resource (like a VPC) that is used by the template but should not be spun up and torn down each time the template is applied.

7
Q

What are the two ways that you can apply permission for CloudFormation StackSets?

A

1: self-managed permissions (via IAM roles)
2: service-managed permissions (via AWS Organizations)

8
Q

What’s “Concurrent Accounts” in the context of CloudFormation StackSets?

A

The number of accounts in which StackSets can create stack instances in parallel.

For example, if a StackSet is to be applied to 10 accounts and “Concurrent Accounts” is set to 2, stack instances are created in only 2 accounts at the same time, so the resource creation takes longer to finish.

9
Q

What’s “Failure Tolerance” in the context of CloudFormation StackSets?

A

The number of individual deployments that can fail before the stack set itself is considered failed.

10
Q

What’s “Retain Stacks” in the context of CloudFormation StackSets?

A

When removing a stack instance from a stack set, this flag defines whether the stack instance will be deleted or not.

11
Q

What are valid actions for a CloudFormation DeletionPolicy?

A

Delete (default)
Retain
Snapshot (if supported)

12
Q

What services/resources support taking a Snapshot as part of a CloudFormation DeletionPolicy?

A

EBS Volumes, RDS, Neptune, Redshift, ElastiCache

13
Q

If an identity (user, script, etc.) wants to create resources with CloudFormation but doesn’t have the permissions for these resources, what’s the recommended way to handle this?

A

Create an IAM role that serves as “Stack Role”, which has the permissions required to create the resources. The identity can then pass that role to CloudFormation when the stack is created, so that CloudFormation can assume the role and successfully create the resources.

14
Q

What’s the buildspec.yml used for by AWS CodeBuild and where is it defined?

A

It’s a collection of build commands and related settings that CodeBuild uses to run a build. You can include a buildspec as part of the source code, or you can define a buildspec when you create a build project.

15
Q

What’s the appspec.[yml or json] used for by AWS CodeDeploy?

A

It’s used by CodeDeploy to manage a deployment. When deploying to Lambda for example, it specifies which version to deploy.

16
Q

What are valid deployment targets for AWS CodeDeploy?

A
  • EC2 / On-Premise (via an agent)
  • ECS
  • Lambda
17
Q

Where’s the buildspec.yml that is used by AWS CodeBuild located?

A

In the root of the source

18
Q

What are the four phases in a buildspec.yml used by AWS CodeBuild and what do they do?

A
  • install: install build dependencies (like test frameworks)
  • pre_build: sign-in to things, install app dependencies (like npm packages)
  • build: commands to run during the build
  • post_build: packaging, pushing images, notifications
19
Q

What are the three configuration sections in an Appspec.[yml/json] and with which deployment targets are they used?

A
  • Files (EC2/On-prem)
  • Resources (ECS/Lambda)
  • Permissions (EC2/On-prem)
20
Q

What’s the “Resources” configuration section in an Appspec.[yml/json] used for?

A

It configures ECS or Lambda properties for the deployment. For example:

Lambda: name, alias, versions, ...
ECS: task definition, container & port details, etc.

21
Q

What are the seven lifecycle event hooks in an Appspec.[yml/json] used by AWS CodeDeploy?

A
  • ApplicationStop
  • DownloadBundle
  • BeforeInstall
  • Install
  • AfterInstall
  • ApplicationStart
  • ValidateService
22
Q

What are the three different platform types that AWS Elastic Beanstalk supports?

A
  • Built-in languages (.NET, Java, Python, etc.)
  • Docker (Single + Multi)
  • Custom Platforms (requires AMI created by Packer)
23
Q

From which two types of environment tier can you choose when launching an environment in AWS Elastic Beanstalk?

A

Web and Worker tiers

24
Q

What’s important to consider regarding databases with AWS Elastic Beanstalk?

A

They can either be created as part of the environment, or outside of it/separately. The latter is strongly recommended for anything but short-lived experiments, as a database created as part of the environment is deleted along with it when the environment is removed.

25
Q

What’s the process if you want to decouple an RDS database from an existing AWS Elastic Beanstalk environment and use it with a new environment, separated from that environment (so that it’s independent)? Note: without deleting the database.

A
  • create a snapshot of the database
  • enable delete protection on the database
  • create a new environment with the same app version
  • configure the new app to connect to the database
  • swap the environments
  • terminate the old environment (which will fail)
  • go to the failed CloudFormation stack and manually delete it, opting in to retain the database that failed to delete on the first attempt
26
Q

For using Elastic Beanstalk Extensions, what do you have to do (folder, file extension, file format)?

A
  • folder: /.ebextensions
  • file extension: .config
  • file format: JSON or YAML
27
Q

Which section of an Elastic Beanstalk Extension configuration file is used to define additional resources in the form of a CloudFormation definition?

A

Resources

28
Q

Which section of an Elastic Beanstalk Extension configuration file is used to configure resources of the environment?

A

option_settings

29
Q

For enabling HTTPS on an AWS Elastic Beanstalk environment, what two things do you need to do?

A
  • Assign an SSL certificate to the Load Balancer
  • Configure the Security Group to allow HTTPS

Note: both can be done either via the console, or via .ebextensions.

30
Q

When using Docker in “Single Container” mode on AWS Elastic Beanstalk, is the container deployed to EC2 or ECS?

A

EC2

31
Q

When using Docker in “Multi Container” mode on AWS Elastic Beanstalk, are the containers deployed to EC2 or ECS?

A

Both. It creates an ECS cluster that is backed by EC2 instances to execute the containers.

32
Q

When using Docker in “Multi Container” mode on AWS Elastic Beanstalk, in which file do you have to define the containers, and where do you have to place that file?

A

/Dockerrun.aws.json

Note: must be “version 2” of the Dockerrun.aws.json file format

33
Q

When using Docker in “Multi Container” mode on AWS Elastic Beanstalk, does this support deploying more than one container to a single EC2 instance?

A

Yes, one EC2 instance may contain multiple containers, and there may be multiple EC2 instances in the ECS cluster managed by AWS Elastic Beanstalk.

34
Q

What are the three modes supported by AWS OpsWorks?

A
  • AWS OpsWorks for Puppet Enterprise (AWS Managed Puppet Master Server)
  • AWS OpsWorks for Chef Automate (AWS Managed Chef Server)
  • AWS OpsWorks Stacks (AWS Integrated Chef, NO SERVERS)
35
Q

What are the three scaling types used by instances of AWS OpsWorks Stacks?

A
  • 24/7 - start and stop manually
  • time-based: based on a specified schedule
  • load-based: based on specified load metrics
36
Q

How do you typically deploy recipes with AWS OpsWorks Stacks?

A

Using either built-in recipes or a GitHub Cookbook Repository, deploying the recipes into individual layers such as a Load Balancer Layer, App Layer and DB Layer.

37
Q

How do you typically deploy application code with AWS OpsWorks Stacks?

A

Using either HTTP(S) or an S3 bucket, deploying the app into a layer.

38
Q

What are the minimum requirements for AWS Systems Manager to work with AWS-provided EC2 instances, i.e. being able to manage the instances?

A
  • an IAM role with appropriate permissions attached to the instance as instance profile
  • either outbound HTTPS traffic allowed, or a VPC endpoint in the VPC of the EC2 instances
39
Q

What are the minimum requirements for AWS Systems Manager (SSM) to work with on-prem servers, i.e. being able to manage the servers?

A
  • an IAM service role with appropriate permissions
  • allow outbound HTTPS traffic for on-prem servers
  • install TLS certificate on the on-prem servers
  • SSM agent installed on each of the servers
  • servers registered with SSM
40
Q

When using the “Run Command” functionality of AWS Systems Manager, what are the three options you can choose from that decide on which hosts the command is executed?

A
  • Instances
  • Tags
  • Resource Groups
41
Q

What’s the “Concurrency” option of the “Run Command” functionality of AWS Systems Manager used for?

A

Defines on how many instances the command is run at the same time.

42
Q

What’s the “Error Threshold” option of the “Run Command” functionality of AWS Systems Manager used for?

A

Defines the number of errors that can happen while running the command on the individual instances before the whole command execution is deemed failed.

43
Q

When using the “Run Command” functionality of AWS Systems Manager, what’s the central element that the commands are retrieved from?

A

The Command Document

44
Q

What’s a “Patch Baseline” in AWS Systems Manager - Patch Manager?

A

Defines what should be installed

45
Q

What’s the naming pattern of the “Patch Baseline” in AWS Systems Manager - Patch Manager used for Linux distributions?

A

AWS-[distribution name]DefaultPatchBaseline

For example for Ubuntu and Amazon Linux 2:
AWS-UbuntuDefaultPatchBaseline
AWS-AmazonLinux2DefaultPatchBaseline

46
Q

What’s the “Patch Baseline” in AWS Systems Manager - Patch Manager with the name AWS-DefaultPatchBaseline or AWS-WindowsPredefinedPatchBaseline-OS used for?

A

Applies critical and security updates to Windows instances and servers.

47
Q

What’s the “Patch Baseline” in AWS Systems Manager - Patch Manager with the name AWS-WindowsPredefinedPatchBaseline-OS-Applications used for?

A

Applies critical and security updates to the OS and any Microsoft applications on Windows instances and servers.

48
Q

What’s AWS-RunPatchBaseline used for?

A

It’s a feature of AWS Systems Manager - Patch Manager that runs the actual patching as defined by the Maintenance Window.

49
Q

What are the five essential steps to perform a patch process using AWS Systems Manager - Patch Manager?

A

1: select one or more patch baselines to be applied
2: define one or more servers as patch groups
3: define the maintenance window (schedule, duration, targets, tasks)
4: execute run command (AWS-RunPatchBaseline)
5: verify if server is compliant (using Systems Manager Inventory)

50
Q

What are data sources of Amazon GuardDuty?

A
  • Route 53 DNS Logs
  • VPC Flow Logs
  • CloudTrail Event Logs
  • CloudTrail Management Events
  • CloudTrail S3 Data Events
51
Q

Can you use AWS Config to block unwanted config changes?

A

No, not directly. But it’s possible to remediate such unwanted changes by detecting them via AWS Config and then fixing them, for instance via Lambda or Systems Manager.

52
Q

What AWS service can be used when end-to-end network reachability needs to be tested for an EC2 instance?

A

AWS Inspector

53
Q

What AWS service can generate a “Common vulnerabilities and exposures (CVE)” report for EC2 instances?

A

AWS Inspector

54
Q

What AWS service can generate a “Center for Internet Security (CIS)” Benchmark?

A

AWS Inspector

55
Q

What AWS service generates findings with the following names? RecognizedPortWithListener, RecognizedPortNoListener, RecognizedPortNoAgent

A

AWS Inspector, as part of its Network Reachability checks.

56
Q

What are Blue-Green-Deployments and how are they typically executed in the context of AWS?

A

It’s a deployment strategy where you have two identical (or nearly identical) environments of the same software stack, where one environment runs the old software stack and the other one the new software stack. The actual deployment happens by swapping traffic from the old to the new stack. If anything goes wrong, you can immediately go back to the old software stack.

With AWS this is typically achieved by updating DNS entries (either in Route 53, Elastic Beanstalk or OpsWorks). This is also a key difference to the “Immutable” deployment strategy, where no DNS change is required (instead using the same environment and shifting traffic from old to new instances).

57
Q

What’s a CloudFormation Stack Policy and what is it used for?

A

It’s a JSON document that defines the update actions (Update:Modify, Update:Replace, Update:Delete) that can be performed on CloudFormation resources, for instance to explicitly block CloudFormation from deleting a certain resource. Stack policies are stack-specific and can be defined and attached to a stack when creating the stack.

Note: adding a stack policy to an existing stack is only possible via CLI. And once added, it cannot be removed.

Note 2: existing stack policies can be modified only via the CLI.

58
Q

What’s the difference between physical and logical ID in CloudFormation?

A

The logical ID is a freely chosen name used within the CloudFormation template to refer to a resource, for example “MyEC2Instance”. The physical ID is an AWS-provided identifier that uniquely identifies a resource, for example the EC2 instance ID or the S3 bucket name.

59
Q

Can you use CodeDeploy to deploy software on an Auto Scaling Group (ASG)?

A

Yes, when creating a Deployment Group, you can select an Auto Scaling Group (ASG).