Documentation, FAQs Flashcards

1
Q

X-RAY

Which languages are supported for services such as EC2?

A
You can use X-Ray with applications written in
- Java
- Node.js
- .NET
- (Go, Ruby, Python)
that are deployed on these services.
2
Q

X-RAY

Which are the supported services?

A

AWS X-Ray works with

  • Amazon EC2
  • Amazon EC2 Container Service (Amazon ECS)
  • AWS Lambda
  • Amazon SQS
  • Amazon SNS
  • AWS Elastic Beanstalk
3
Q

X-Ray

Is there a region limit for the service?

A

No, with X-Ray, you can trace requests made to applications that span multiple AWS accounts, AWS Regions, and Availability Zones.

4
Q

X-Ray

What needs to be done to enable X-Ray on Elastic Beanstalk?

A

You only have to integrate the X-Ray SDK with your application since the X-Ray agent is pre-installed on Elastic Beanstalk.

5
Q

X-Ray

What is a Service map?

A

A visual representation of the data flow between the services, which gives a high-level overview but also allows you to drill down into issues.

6
Q

X-Ray

What is a Filter Expression?

A

A way to filter traces to specific use cases, for example traces that took more than 5 seconds or where a 5xx error was thrown.

7
Q

X-Ray

What is the use of the X-Ray daemon?

A

Instead of the application sending data directly to X-Ray, the daemon buffers segments in a queue and uploads them in batches.
The daemon is available for Linux, Windows, and macOS, and is included on AWS Elastic Beanstalk and AWS Lambda platforms.

8
Q

X-Ray

What is a segment?

A

An X-Ray segment encapsulates all the data points for a single component.

A segment is the result of a request; it includes:

  • The host – hostname, alias or IP address
  • The request – method, client address, path, user agent
  • The response – status, content
  • The work done – start and end times, subsegments
  • Issues that occur – errors, faults and exceptions, including automatic capture of exception stacks.

Segment documents can be up to 64 kB in size.

Segments include system-defined and user-defined data in the form of annotations and are composed of one or more sub-segments that represent remote calls made from the service.

9
Q

X-Ray

What is a subsegment?

A

Subsegments provide more granular timing information and details about downstream calls.

This lets you see all of your downstream dependencies, even if they don’t support tracing or are external.

Subsegments can contain additional details about a call to an AWS service, an external HTTP API, or an SQL database.

You can even define arbitrary subsegments to instrument specific functions or lines of code in your application.

10
Q

X-Ray

What are Traces?

A

A trace ID tracks the path of a request through your application. A trace collects all the segments generated by a single request. That request is typically an HTTP GET or POST request that travels through a load balancer, hits your application code, and generates downstream calls to other AWS services or external web APIs. The first supported service that the HTTP request interacts with adds a trace ID header to the request, and propagates it downstream to track the latency, disposition, and other request data.

11
Q

X-Ray

What is the TraceId?

A

Sent as the X-Amzn-Trace-Id header, it contains the root ID, sampling info and additionally the parent segment ID.

12
Q

X-Ray

What are annotations?

A

Annotations are simple key-value pairs that are indexed for use with filter expressions.

Use annotations to record information on segments or subsegments that you want indexed for search.

13
Q

X-Ray

What is the main difference between Annotations and Metadata?

A

Metadata is not indexed and therefore cannot be used for searching with filter expressions.

14
Q

X-Ray

How long does it take for trace data to be available in X-Ray?

A

Trace data is generally available for retrieval and filtering within 30 seconds of being received by the service.

15
Q

X-Ray

How far back can I query the trace data? How long does X-Ray store trace data for?

A

X-Ray stores trace data for the last 30 days.

This enables you to query trace data going back 30 days.

16
Q

X-Ray

Are there partial traces?

A

In some situations (connectivity issues, delay in receiving segments, and so on) it is possible that trace information provided by the X-Ray APIs will be partial. In those situations, X-Ray tags traces as incomplete or partial.

17
Q

KMS

How to encrypt/decrypt locally?

A

The AWS Encryption SDK supports AWS KMS as a root key provider for developers who need to encrypt/decrypt data locally within their applications.

18
Q

KMS

What needs to be done after a key is automatically rotated?

A

Nothing; the service automatically keeps older versions of the root key available to decrypt previously encrypted data.

19
Q

KMS

What is an Asymmetric Key?

A

For symmetric keys the same key is used for encryption and decryption; an asymmetric key consists of a public and a private key.
The public key is sent to the user, while the private key never leaves the HSM.

Asymmetric keys cannot be used with the Custom Key Store option.

20
Q

KMS

How to handle a key that could be compromised?

A

Temporarily disable the key so it cannot be used by anyone.

Re-enable the disabled key if it is cleared.

21
Q

KMS

How is envelope encryption done?

A

1) KMS creates a data key.
2) The data key is used to encrypt the data.
3) The data key is encrypted with the (plaintext) master key.
4) The encrypted data key is stored alongside the encrypted data.

22
Q

KMS

What is a customer managed KMS key?

A

A key created by you and stored in KMS; it differs from an AWS managed key, which is created by AWS and used for specific services.

23
Q

KMS

What type of keys can I import?

A

256-bit symmetric keys.

24
Q

KMS

What’s the difference between a key I import and a key I generate in AWS KMS?

A

Keys generated by AWS KMS do not have an expiration time and cannot be deleted immediately; there is a mandatory 7 to 30 day wait period. All customer managed KMS keys, irrespective of whether the key material was imported, can be manually disabled or scheduled for deletion.

25
Q

KMS

What keys can be rotated automatically?

A

KMS generated keys can be rotated once a year.

Automatic key rotation is not supported for imported keys, asymmetric keys, or keys generated in an AWS CloudHSM cluster using the AWS KMS custom key store feature.

26
Q

KMS

What is the API call to get the public key of an asymmetric key?

A

GetPublicKey

27
Q

KMS

How can data keys and data key pairs be exported out of the HSMs in plain text?

A

Symmetric data keys: the GenerateDataKey API or the GenerateDataKeyWithoutPlaintext API.

Asymmetric data key pairs: the GenerateDataKeyPair API or the GenerateDataKeyPairWithoutPlaintext API.

28
Q

Step functions

What is a state machine / state?

A

State Machine: complete workflow

State: a single step in the workflow

29
Q

Step functions

What is a Task?

A

Tasks perform work, either by coordinating another AWS service or an application that you can host basically anywhere.

30
Q

Step functions

What is a Pass state?

A

A Pass state passes its input as output to the next state.

31
Q

Step functions

What are Parallel States?

A

Begin multiple branches of execution at the same time, such as running multiple Lambda functions at once.

32
Q

Step functions

What is a Choice State?

A

Choice states add branching logic to your state machine, and make decisions based on their input.

33
Q

Step functions

What is a state transition?

A

When you execute your state machine, each move from one state to the next is called a state transition.

34
Q

Step Functions

In what language is a step function written?

A

Amazon States Language (JSON based)

35
Q

Step Functions

What are the main differences between standard & express workflows?

A

Max duration (Standard / Express): 1 year / 5 min
Execution (Standard / Express): exactly once / at least once

36
Q

Step Functions

How can the steps communicate with each other?

A

Apps can interact with and update the workflow via the Step Functions API.

37
Q

Step Functions

What are the three types of steps?

A

Sequential, branching or parallel steps.

38
Q

X-Ray

What is necessary to run X-Ray on EC2 / On-premise?

A

The Linux system must run the X-Ray daemon.

Use an IAM instance role on EC2, and other AWS credentials on an on-premises instance.

39
Q

X-Ray

What is necessary to run X-Ray on Lambda?

A

Make sure the X-Ray integration is ticked in the Lambda configuration (Lambda will run the daemon).

The IAM role used is the Lambda role.

40
Q

X-Ray

What is necessary to run X-Ray on Elastic Beanstalk?

A

Set configuration in the Elastic Beanstalk console.

Or use the Beanstalk extension (.ebextensions/xray-daemon.config)

41
Q

X-Ray

What is necessary to run X-Ray on ECS/EKS/Fargate?

A

Create a Docker image that runs the daemon or use the official X-Ray Docker image.

Ensure port mappings and network settings are correct and IAM task roles are defined.

42
Q

KMS

What are the permissions needed to use a key?

A

  • kms:Encrypt
  • kms:Decrypt
  • kms:ReEncrypt*
  • kms:GenerateDataKey*
  • kms:DescribeKey
43
Q

KMS

What does aws kms re-encrypt do?

A

It decrypts the file (in memory), re-encrypts it and saves it to a different file.

Useful when a different encryption key than before should be used.

44
Q

KMS

Can you export a CMK?

A

A CMK can never be exported from KMS (CloudHSM allows this).

45
Q

Dynamo DB

How can you change the primary key of an item?

A

A transaction will be used to delete and recreate the item with the new keys

46
Q

Dynamo DB

What is the scope of a query?

A

In a query you can only retrieve data by searching for the primary key.
Additionally, it is possible to add the sort key to further refine the result (if looking up the primary key alone produces too many results).

Results can then be narrowed further by using a filter (e.g. color = blue).

47
Q

Dynamo DB

What is the default order of a query result?

A

Ordered by the sort key in ascending order.

Can be changed by setting ScanIndexForward to false.

48
Q

DynamoDB

What is the purpose for ScanIndexForward in scan results?

A

Nothing; ScanIndexForward is only used in queries.

49
Q

Dynamo DB

What is a parallel scan?

A

A scan only gets data in 1 MB increments from one partition.
You can scan multiple partitions in parallel for a quicker result.

This should not be done if the DB is currently under load.

50
Q

Dynamo DB

If there’s always lots of traffic, but you regularly need to scan the table, what can be done?

A

Create a second table and make the writes to both of them

51
Q

Dynamo DB

What kind of caching strategy does DAX use?

A

Write-through caching.

DynamoDB writes to the cache and the (normal) table at the same time

52
Q

Dynamo DB

How is an API call with a DAX cache made?

A

The client is pointed to the cache:

a) on a cache hit, the item is returned
b) on a cache miss, DAX performs a GetItem (eventually consistent) against the table, stores the value in the cache and returns the result

53
Q

Dynamo DB

How long is a stream saved?

A

24h

54
Q

DynamoDB

Which policies does it support?

A

DynamoDB supports identity-based policies:
You can use a special IAM condition to restrict user access to only their own records.

DynamoDB doesn’t support resource-based policies.

55
Q

DynamoDB

What is the ARN Format for an index?

A

arn:aws:dynamodb:[region]:[account]:table/[tablename]/index/[indexname]

56
Q

Dynamo DB

When does DynamoDB create new partitions?

A

DynamoDB allocates additional partitions to a table in the following situations:

  • If you increase the table’s provisioned throughput settings beyond what the existing partitions can support.
  • If an existing partition fills to capacity and more storage space is required.
57
Q

DynamoDB

How is a partition key defined?

A

1) The value of the partition key is input to an internal hash function, which determines the partition (physical location) on which the data is stored.
2) If you are using the Partition key as your Primary key, then no two items can have the same partition key.

Best practices for partition keys:

  • Use high-cardinality attributes – e.g. e-mailid, employee_no, customerid, sessionid, orderid, and so on.
  • Use composite attributes – e.g. customerid+productid+countrycode as the partition key and order_date as the sort key.
  • Cache popular items – use DynamoDB accelerator (DAX) for caching reads.
  • Add random numbers or digits from a predetermined range for write-heavy use cases – e.g. add a random suffix to an invoice number such as INV00023-04593
58
Q

DynamoDB

What are the disadvantages of strongly consistent reads?

A
  • A strongly consistent read might not be available if there is a network delay or outage. In this case, DynamoDB may return a server error (HTTP 500).
  • Strongly consistent reads may have higher latency than eventually consistent reads.
  • Strongly consistent reads are not supported on global secondary indexes.
  • Strongly consistent reads use more throughput capacity than eventually consistent reads.
59
Q

DynamoDB

What are the costs of Transactions?

A

There is no additional cost to enable transactions for DynamoDB tables.

DynamoDB performs two underlying reads or writes of every item in the transaction: one to prepare the transaction and one to commit the transaction.

60
Q

DynamoDB

What can be done to optimize a scan?

A
  • use ProjectionExpression to only return needed attributes
  • use FilterExpression to filter out unwanted items (done after everything is retrieved)
  • use parallel scans to get results faster (strains RCU consumption)
  • Limit page size, if provisioned throughput is reached
  • use eventual consistent reads (if possible)
61
Q

DynamoDB

What data is affected when setting a TTL?

A

The TTL is enabled per row (you define a TTL column and add the expiry date / time there).
Deleted items are also deleted from the LSI / GSI.

62
Q

DynamoDB

Define BatchWriteItem & BatchGetItem

A

BatchWriteItem: can put or delete up to 25 items in one call (max 16 MB per call / 400 KB per item).

BatchGetItem: up to 100 items, up to 16 MB per item. Items are retrieved in parallel to minimize latency.

63
Q

DynamoDB

What is Optimistic Locking?

A

Optimistic locking is a strategy to ensure that the client-side item that you are updating (or deleting) is the same as the item in Amazon DynamoDB.

Protects database writes from being overwritten by the writes of others, and vice versa.

64
Q

Lambda

How to directly call a version / alias?

A

arn:aws:lambda:REGION:ID:function:[FUNCTIONNAME]:[VERSION]
arn:aws:lambda:REGION:ID:function:[FUNCTIONNAME]:[ALIAS]

65
Q

Lambda

What is the default Concurrent Execution limit and what happens if it is hit?

A

Default is 1000 (per Region)

Request will return 429: TooManyRequestsException

66
Q

Lambda

How to invoke Lambda asynchronously?

A

--invocation-type Event

67
Q

Lambda

What are the status codes returned by sync / async invocations?

A

Synchronous: 200, 503 etc.
Asynchronous: 202

68
Q

Lambda

What are the services that Lambda can read events from?

A

Amazon Kinesis
Amazon DynamoDB
Amazon Simple Queue Service

69
Q

Lambda

What is “Event Source Mapping”?

A

In order to react to events in a service (such as messages in an SQS queue), Lambda needs three configurations:

  • permissions
  • event structure settings
  • polling behavior
70
Q

Lambda

Which “items” are mutable / immutable?

A

$LATEST is mutable (changeable)
Versions are immutable
Aliases are mutable.

71
Q

Lambda

What are aliases?

A
  • Mutable pointers to versions of a function
  • can be used for environments etc. without callers needing to know which version they point to
  • Aliases enable blue / green deployment by assigning weights to Lambda versions (doesn’t work for $LATEST, you need to create an alias for $LATEST).
72
Q

Lambda

What is the throttling behavior for (a)sync requests?

A

Throttle behavior:

Synchronous invocations return throttle error 429.
Asynchronous invocations are retried automatically (twice), then the event goes to a Dead Letter Queue (DLQ).

73
Q

Lambda

What is reserved concurrency?

A

A guarantee of concurrent executions.
The sum of reserved concurrency cannot exceed the max. concurrency minus 100.
Can also be used as a limit, for example to ensure that the database can handle the traffic.

74
Q

Lambda

What can be done to ensure that the lambda can handle sudden traffic spikes?

A

Set Provisioned Concurrency to the amount of traffic that can be expected (additional costs apply).

75
Q

Lambda

Which role should be attached if the function will be placed in a VPC?

A

AWSLambdaVPCAccessExecutionRole

76
Q

Lambda

What needs to be done in order to enable a web socket load balancing with an ALB and Lambda?

A

WebSockets are not supported by a Load Balancer, but they are supported by API Gateway.

77
Q

Lambda

What are the limits of lambda?

A

Memory allocation 128MB – 3008MB in 64MB increments.

Maximum execution time is 15 minutes (900 seconds).

Size of environment variables maximum 4KB.

Disk capacity in the “function container” (/tmp) is 512 MB.

Invocation payload:

  • Synchronous 6 MB.
  • Asynchronous 256 KB

Lambda function deployment size is 50 MB (zipped), 250 MB unzipped.

78
Q

API Gateway

Can you create HTTP Endpoints (without encryption)?

A

All of the APIs created with Amazon API Gateway expose HTTPS endpoints only (does not support unencrypted endpoints).

79
Q

API Gateway

What are the differences between Edge-Optimized , Regional & Private Endpoints?

A

Regional Endpoint

  • for clients in the same region.

Edge-Optimized Endpoint

  • is best for geographically distributed clients. API requests are routed to the nearest CloudFront Point of Presence (POP).
  • Edge-optimized APIs capitalize the names of HTTP headers (for example, Cookie).
  • CloudFront sorts HTTP cookies in natural order by cookie name before forwarding the request to your origin.

Private Endpoint

  • A private API endpoint is an API endpoint that can only be accessed from your Amazon Virtual Private Cloud (VPC) using an interface VPC endpoint.

80
Q

API Gateway

What is the configuration chain for requests?

A

Method Request -> Integration Request -> Integration Response -> Method Response

81
Q

API Gateway

What are the use cases for stage variables?

A
  • Configure HTTP endpoints your stages talk to (dev, test, prod etc.).
  • Pass configuration parameters to AWS Lambda through mapping templates.
  • You can create a stage variable to indicate the corresponding Lambda alias.
82
Q

API Gateway

What can be done with Mapping templates?

A

Uses Velocity Template Language (VTL).
Mapping templates can be used to modify request / responses.

  • Rename parameters.
  • Modify body content.
  • Add headers.
  • Map JSON to XML for sending to backend or back to client.
  • Filter output results (remove unnecessary data).
83
Q

API Gateway

What are the throttling limits?

A

If you go over 10,000 requests per second or 5,000 concurrent requests you will receive a 429 Too Many Requests error response.

84
Q

Kinesis

What is the difference between KCL and the Kinesis Data Streams API?

A

The KCL is different from the Kinesis Data Streams API that is available in the AWS SDKs.

The Kinesis Data Streams API helps you manage many aspects of Kinesis Data Streams (including creating streams, resharding, and putting and getting records).

The KCL provides a layer of abstraction specifically for processing data in a consumer role.

85
Q

Kinesis

What should be considered for the amount of KCLs and Shards?

A

You never need multiple instances to handle the processing of one shard.
However, one worker can process multiple shards.

Example:
4 shards = max 4 KCL instances.

86
Q

Kinesis

On which platforms does the KCL run?

A

KCL can run on EC2, Elastic Beanstalk, and on-premises servers.

87
Q

Kinesis

What are the main differences between SQS and Kinesis?

A

SQS:

  • Data is deleted after being consumed.
  • No need to provision throughput.
  • No ordering guarantee (except with FIFO queues).

Kinesis:

  • Possible to replay data.
  • Ordering at the shard level.
  • Must provision throughput.