Exam Points Flashcards

Exam prep

1
Q

How does CloudFormation promote Separation of Concerns?

A

Stacks
You can create stacks for many apps and layers,
e.g.
* VPC Stacks
* Network stacks
* App Stacks

2
Q

What is a CloudFormation Template?

A

It’s a JSON or YAML file that declares your requirements.
A template has to be uploaded to S3 and then referenced in CloudFormation.
It must be versioned and is immutable.

Metadata

A template can utilise References and Functions.

3
Q

How does CloudFormation represent the AWS Components it wants to create?

A

By using a Resource. The resource type looks like this:
AWS::aws-product-name::data-type-name

4
Q

When should you use a CloudFormation parameter?

A

If the resource config is likely to change in the future, parameterise it. That way you won’t have to re-upload a template when the content changes.

5
Q

What are valid Parameter settings (CloudFormation)?

A

Type:
- String
- Number
- CommaDelimitedList
- List<Type>
- AWS-specific parameter types
Description
Constraints
ConstraintDescription (String)
Min/MaxLength
Min/MaxValue
Default
AllowedValues (array)
AllowedPattern (regexp)
NoEcho (Boolean)

6
Q

How do you reference a CloudFormation parameter?

A

Ref
in YAML the short form is !Ref

It can reference other parameters in the template.

7
Q

What are CloudFormation pseudo parameters?

A

AWS::AccountId
AWS::NotificationARNs
AWS::NoValue
AWS::Region
AWS::StackId
AWS::StackName

8
Q

What are CloudFormation Mappings?

A

They are fixed variables within your CloudFormation template; the values are hardcoded.
e.g.
Mappings:
  RegionMap:
    us-east-1:
      "32": "ami-123"
    us-west-1:
      "32": "ami-456"

9
Q

When to use Mappings vs Parameters in CloudFormation?

A

Use mappings when you know up front all the values you will need and they can be deduced from variables such as the region.
Use parameters when the values are user-specific and may change at run time.

10
Q

How do you access Mapping values in CloudFormation?

A

Fn::FindInMap
in YAML the short form is
!FindInMap [MapName, TopLevelKey, SecondLevelKey]

11
Q

How do you do CloudFormation Outputs?

A

These are optional and are declared in the Outputs section of the YAML; an Export block makes the value available to other stacks:
Outputs:
  StackSSHSecurityGroup:
    Description: this is the description
    Value: !Ref MySecurityGroup
    Export:
      Name: SSHSecurityGroup

We then reference it from another stack using:
!ImportValue SSHSecurityGroup

For each AWS account, export names must be unique within a region.

12
Q

What are Conditions in CloudFormation?

A

Control creation of resources based on a condition.
e.g.
Conditions:
  CreateProdResources: !Equals [!Ref EnvType, prod]

And, Equals, If, Not and Or are all valid condition functions.

13
Q

What is Fn::GetAtt in CloudFormation used for?

A

It gets the attributes of resources you create, for example:
!GetAtt EC2Instance.AvailabilityZone

14
Q

How does Fn::Join work in CloudFormation?

A

It joins values with a delimiter.
e.g.
!Join [delimiter, [a, b, c]]

15
Q

What happens if CloudFormation stack creation fails?

A

Default: everything gets rolled back and you can look at the log.
There is an option to disable rollback to troubleshoot.

16
Q

What happens if a CloudFormation stack update fails?

A

The stack automatically rolls back to the last known working state; the logs can show the errors.

17
Q

Pattern for CloudFormation stack event notifications

A

Enable SNS integration on stack events. A Lambda can filter on ROLLBACK_IN_PROGRESS events and trigger another SNS notification, e.g. to send an email.

18
Q

What is a ChangeSet in CloudFormation?

A

Similar to a plan in Terraform: it shows you the diff.

19
Q

Why would you use Nested Stacks (CloudFormation)?

A

Considered best practice for configurations that are reused, e.g. a Security Group.
To update a nested stack, always update the parent (root) stack.

20
Q

Why would you use Cross Stacks (CloudFormation)?

A

When stacks have different lifecycles.
When you need to pass exported values to many stacks, e.g. a VPC ID.
Use Outputs with Export and Fn::ImportValue.

21
Q

Why would you use a StackSet (CloudFormation)?

A

To create, update or delete stacks across multiple accounts and regions.
The admin account creates stack sets.
Trusted accounts create, update, delete, etc. the stack instances.
When you update a stack set, ALL associated stack instances are updated across accounts and regions.

22
Q

How do you protect against manual config changes (CloudFormation)?

A

CloudFormation drift detection

23
Q

What is a Stack Policy (CloudFormation)?

A

It’s a JSON document that defines the update actions that are allowed on specific resources.
It protects resources from unintentional updates.
Specify an explicit Allow for the resources you want to be updatable.

24
Q

What tool automates software package deployment to AWS as part of continuous integration and delivery?

A

AWS CodeDeploy

A fully managed deployment service that automates software deployments to a variety of compute services such as Amazon EC2, AWS Fargate, AWS Lambda, and your on-premises servers.

25
Q

How does Elastic Beanstalk work? What are the steps?

A
  1. Create Application
  2. Upload Version
  3. Launch environment
  4. Manage environment
26
Q

What is an ‘immutable’ deploy in Elastic Beanstalk?

A

A new ASG is launched with the new instances.
This is the best deployment if you want full capacity of the application during the deployment and minimal impact from a failed deployment.

27
Q

If you want to deploy a container image to Lambda, what must the container image do?

A

It must implement the Lambda Runtime API.

Also, the AWS Lambda service does not support Lambda functions that use multi-architecture container images.

28
Q

Which Credentials are supported in IAM for CodeCommit?

A

Git credentials
AWS access keys
IAM username and password

SSH keys are NOT SUPPORTED

29
Q

Elastic Beanstalk: use case for deploying with the ‘Rolling with Additional Batch’ policy

A

Costs less than immutable as it uses fewer instances.
Maintains availability of the application throughout.

But:
it takes longer.

30
Q

The AWS Serverless Application Model (SAM) is an open-source framework for building serverless applications. It provides shorthand syntax to express functions, APIs, databases, and event source mappings. With just a few lines per resource, you can define the application you want and model it using YAML.

What resource types does it support?

A

AWS::Serverless::Api

AWS::Serverless::Application

AWS::Serverless::Function

AWS::Serverless::HttpApi

AWS::Serverless::LayerVersion

AWS::Serverless::SimpleTable

AWS::Serverless::StateMachine

31
Q

Elastic Beanstalk: what happens if instances fail during a deployment and are terminated?

A

Elastic Beanstalk will replace them with instances running the application version from the most recent successful deployment.

32
Q

SQS: what is the message limit in a queue?

A

Unlimited

33
Q

How do you handle manual approvals in the deployment process?

A

Create one CodePipeline for your entire flow and add a manual approval step. You can add an approval action to a stage in a CodePipeline pipeline at the point where you want the pipeline to stop so someone can manually approve or reject the action. Approval actions can’t be added to Source stages; Source stages can contain only source actions.

34
Q

SQS: what is the retention of messages?

A

Default: 4 days
Max: 14 days
Otherwise a message is persisted until the consumer deletes it.

35
Q

SQS: what is the limit on message size?

A

256 KB

36
Q

Can SQS messages be out of order?

A

Yes, standard queues give best-effort ordering.

37
Q

SQS: how many messages does a consumer receive at a time?

A

Up to 10

38
Q

How does an SQS consumer delete a message?

A

DeleteMessage API

39
Q

How would you use SQS to decouple a front-end web app from a back end that does video processing and inserts into an S3 bucket?

A

You would put an SQS queue between the front end and the back end.

40
Q

What sort of encryption is available for SQS and SNS? Name 3.

A

In flight using the HTTPS API
At rest using KMS
Client-side if required

41
Q

How do you regulate access to the SQS or SNS API?

A

IAM Policies

42
Q

What are SQS/SNS access policies?

A

Useful for cross-account access to SQS queues / SNS topics.
Useful for allowing other services to write to an SQS queue / SNS topic.

43
Q

What is the default MessageVisibilityTimeout and what is it used for?

A

30 seconds
It means that once a message is polled by a consumer, it can’t be polled by another consumer for 30 seconds.
This prevents multiple consumers from handling the same message.

If a message is not processed within the timeout it becomes visible again, so it will be processed twice.
A consumer can call the ChangeMessageVisibility API to get more time.

44
Q

What is the throughput of a FIFO queue?

A

300 msg/s without batching, 3000 msg/s with batching

Exactly-once processing, and messages are processed in order by the consumer.

45
Q

What is Redrive to Source in an SQS Dead Letter Queue?

A

The ability to replay messages after you have fixed the errors.

46
Q

What is a Delay Queue?

A

It delays a message for 0 seconds to 15 minutes so consumers don’t see it immediately.

The queue-level delay can be overridden per message using the DelaySeconds parameter.

47
Q

What is the purpose of ‘long polling’?

A

When a consumer polls, it waits for a message to arrive if there are none in the queue.
This decreases the number of API calls made to SQS, increases efficiency and decreases the latency of the app.

Wait time can be between 1 and 20 seconds.

Long polling can be enabled at the API level using ReceiveMessageWaitTimeSeconds or when creating the queue.

48
Q

SQS: what if the message you want to send exceeds the size limit of 256 KB?

A

Use the SQS Extended Client (Java library).
In this pattern the producer sends the large message to S3 and sends a small metadata message to the SQS queue.
The consumer polls the queue and uses the small metadata message to retrieve the large item from the S3 bucket.

49
Q

Important SQS APIs for the exam

A

* CreateQueue (MessageRetentionPeriod), DeleteQueue
* PurgeQueue: delete all the messages in the queue
* SendMessage (DelaySeconds), ReceiveMessage, DeleteMessage
* MaxNumberOfMessages: default 1, max 10 (for the ReceiveMessage API)
* ReceiveMessageWaitTimeSeconds: long polling
* ChangeMessageVisibility: change the message visibility timeout
* Batch APIs for SendMessage, DeleteMessage, ChangeMessageVisibility: help decrease your costs

50
Q

SNS: what is the max number of subscriptions per topic?

A

12,500,000

51
Q

SNS: what is the topic limit?

A

100,000

52
Q

What is the FAN OUT pattern?

A

A queue can only have one consumer.
A topic can have many subscribers.
Fan out: you push once to SNS,
and you have queues that subscribe to the topic.

  • SQS allows for: data persistence, delayed processing and retries of work
  • Ability to add more SQS subscribers over time
  • Make sure your SQS queue access policy allows for SNS to write
  • Cross-Region Delivery: works with SQS Queues in other regions
53
Q

An S3 object create event on /images/ can only have one S3 event rule.
How can you propagate this event to many consumers?

A

Use fan out:
use the single event to publish to an SNS topic, and have several SQS queues subscribe to the topic.

54
Q

SNS message filtering: what is it?

A

A JSON policy that filters the messages sent to each subscription; it allows subscribers to receive only what they are interested in.

55
Q

Kinesis: at a high level, what does it make easy to do?

A

Collect, process and analyse streaming data in real time.
Ingest real-time data such as app logs, metrics, website clickstreams and IoT telemetry.

56
Q

What does Kinesis Data Streams do?

A

Capture, process, and store data streams.
Kinesis Data Streams enables real-time processing of streaming big data.

57
Q

What does Kinesis Data Firehose do?

A

Load data streams into AWS data stores.

Amazon Kinesis Data Firehose is the easiest way to load streaming data into data stores and analytics tools. It can capture, transform, and load streaming data into Amazon S3, Amazon Redshift, Amazon Elasticsearch Service, and Splunk, enabling near real-time analytics with the existing business intelligence tools and dashboards you’re already using today.

58
Q

What does Kinesis Data Analytics do?

A

Analyse data streams with SQL or Apache Flink.

59
Q

What does Kinesis Video Streams do?

A

Capture, process, and store video streams.

60
Q

Key points Kinesis: retention

A

Retention between 1 day and 365 days.

61
Q

Kinesis Operation - What is ShardSplitting?

A

Used to increase stream capacity.
Used to split a ‘hot shard’.

62
Q

What is AWS Glue?

A

AWS Glue is a serverless data integration service that makes it easy to discover, prepare, and combine data for analytics, machine learning, and application development.

Glue is not best suited to handle real-time data.

63
Q

What is the total set size/number of environment variables you can create for AWS Lambda?

A

4 KB total size
No limit on the number of variables

64
Q

What are the S3 bucket naming conventions?

A
  • No uppercase, no underscores
  • 3-63 characters long
  • Not an IP address
  • Must start with a lowercase letter or number
  • Must NOT start with the prefix xn--
  • Must NOT end with the suffix -s3alias

65
Q

What is the max object size you can upload to a bucket?

A

5 TB (5000 GB)
Large objects have to be uploaded with multipart upload.

66
Q

Describe an S3 bucket policy

A

JSON-based policies
* Resources: buckets and objects
* Effect: Allow / Deny
* Actions: set of API calls to Allow or Deny
* Principal: the account or user the policy applies to

67
Q

What are the use cases for using an S3 bucket policy?

A

Grant public access to a bucket
Force encryption at upload
Cross-account access

68
Q

What does it mean if you get 403 Forbidden on a static website hosted on S3?

A

Check that the bucket policy allows public reads.

69
Q

How do you enable versioning on files stored in S3?

A

Enable it at the bucket level.

70
Q

How do you enable Same Region Replication or Cross Region Replication on a bucket?

A

You must enable versioning.
You must give S3 the proper IAM permissions.

71
Q

What are the use cases for Same Region Replication or Cross Region Replication on a bucket?

A

CRR: compliance, lower-latency access, replication across accounts, DR
SRR: log aggregation, live replication between production and test accounts

Note that S3 lifecycle actions are not replicated.

72
Q

If you enable replication in a bucket, are old objects replicated?

A

No, only new objects.

73
Q

What is the use case for S3 infrequent access?

A

Data that is less frequently accessed but needs rapid access when required.

74
Q

What is the use case for S3 Glacier Storage access?

A

Low cost for archiving/backup.
Object retrieval costs £££.

Amazon S3 Glacier Instant Retrieval
* Millisecond retrieval, great for data accessed once a quarter
* Minimum storage duration of 90 days
Amazon S3 Glacier Flexible Retrieval (formerly Amazon S3 Glacier):
* Expedited (1 to 5 minutes), Standard (3 to 5 hours), Bulk (5 to 12 hours) – free
* Minimum storage duration of 90 days
Amazon S3 Glacier Deep Archive – for long term storage:
* Standard (12 hours), Bulk (48 hours)
* Minimum storage duration of 180 days

75
Q

What is the use case for S3 general purpose access?

A

Frequently accessed data
Low latency
High throughput

76
Q

What are the costs of S3 Intelligent-Tiering?

A

The cost is for monitoring and auto-tiering, no cost for retrieval.

* Frequent Access tier (automatic): default tier
* Infrequent Access tier (automatic): objects not accessed for 30 days
* Archive Instant Access tier (automatic): objects not accessed for 90 days
* Archive Access tier (optional): configurable from 90 days to 700+ days
* Deep Archive Access tier (optional): configurable from 180 days to 700+ days

77
Q

If you enable replication on an S3 bucket what is not replicated?

A

S3 Lifecycle Actions
Object Tags
Metadata
Old objects that existed before replication

78
Q

What are the two main benefits of using ElastiCache?

A

Amazon ElastiCache can be used to significantly improve latency and throughput for many read-heavy application workloads.

79
Q

What is the simplest and least-effort way of deploying Docker containers in a serverless architecture?

A

ECS on Fargate

Amazon Elastic Container Service (Amazon ECS) is a highly scalable, fast, container management service that makes it easy to run, stop, and manage Docker containers on a cluster. You can host your cluster on a serverless infrastructure that is managed by Amazon ECS by launching your services or tasks using the Fargate launch type.

80
Q
A
81
Q

How do you scale SQS?

A

Amazon SQS is highly scalable and does not need any intervention to handle the expected high volumes.

Amazon SQS leverages the AWS cloud to dynamically scale, based on demand. SQS scales elastically with your application so you don’t have to worry about capacity planning and pre-provisioning. For most standard queues (depending on queue traffic and message backlog), there can be a maximum of approximately 120,000 inflight messages (received from a queue by a consumer, but not yet deleted from the queue).

82
Q

If you implement Amazon ElastiCache for Redis in cluster mode, what does that provide for your app?

A

Enhanced reliability and availability with little change to your existing workload.

Cluster mode comes with the primary benefit of horizontal scaling of your Redis cluster, with almost zero impact on the performance of the cluster.

83
Q

What is S3 Object Ownership

A

S3 Object Ownership is an Amazon S3 bucket setting that you can use to control ownership of new objects that are uploaded to your buckets. By default, when other AWS accounts upload objects to your bucket, the objects remain owned by the uploading account. With S3 Object Ownership, any new objects that are written by other accounts with the bucket-owner-full-control canned access control list (ACL) automatically become owned by the bucket owner, who then has full control of the objects.

S3 Object Ownership has two settings:
1. Object writer: the uploading account will own the object.
2. Bucket owner preferred: the bucket owner will own the object if the object is uploaded with the bucket-owner-full-control canned ACL. Without this setting and canned ACL, the object is uploaded and remains owned by the uploading account.

84
Q

What does the X-Forwarded-For header identify in a request?

A

The client IP

85
Q

How would you reuse the execution context to improve Lambda performance?

A

Move initialisation (SDK clients, DB connections) out of the function handler.

Explanation:
AWS best practices for Lambda suggest taking advantage of execution context reuse to improve the performance of your functions. Initialize SDK clients and database connections outside of the function handler, and cache static assets locally in the /tmp directory. Subsequent invocations processed by the same instance of your function can reuse these resources. This saves execution time and cost.

86
Q

What can you do to make an RDS architecture resilient for DR?

A

Enable automated backups in a Multi-AZ deployment (these create backups in a single region).
Use cross-region read replicas.

87
Q

What is the use case for an EB dedicated worker environment?

A

Operations or workflows that take a long time to complete.

88
Q

DynamoDB: what is the max item size?

A

400 KB

89
Q

How do you make a primary key for DynamoDB?

A

It must be as unique as possible.
It can be a combination of partition key and sort key.

90
Q

How do you calculate Write Capacity Units for DynamoDB?

A

1 WCU = 1 write per second for an item up to 1 KB in size
WCU = items per second * ceil(item size in KB / 1 KB)

* Example 1: we write 10 items per second, with item size 2 KB
  10 * (2/1) = 20 WCU
* Example 2: we write 6 items per second, with item size 4.5 KB
  4.5 KB rounds up to 5 KB
  6 * (5/1) = 30 WCU
* Example 3: we write 120 items per minute, with item size 2 KB
  120 per minute = 2 per second
  therefore 2 * (2/1) = 4 WCU

91
Q

What is the difference between a strongly consistent and an eventually consistent read?

A

Eventually consistent (default): if we read just after a write it’s possible we will get stale data.
Strongly consistent (ConsistentRead = true in API calls): we will get the latest data,
BUT it consumes twice the RCU.

92
Q

How do you calculate Read Capacity Units?

A

1 RCU = 1 strongly consistent read per second (in chunks of 4 KB)
1 RCU = 2 eventually consistent reads per second (in chunks of 4 KB)

* Example 1: 10 strongly consistent reads per second, with item size 4 KB
  10 * (4 KB / 4 KB) = 10 RCU
* Example 2: 16 eventually consistent reads per second, with item size 12 KB
  (16/2) * (12 KB / 4 KB) = 24 RCU
* Example 3: 10 strongly consistent reads per second, with item size 6 KB
  6 KB rounds up to 8 KB (two 4 KB chunks)
  10 * (8 KB / 4 KB) = 20 RCU

93
Q

What happens if we exceed the provisioned RCUs or WCUs across partitions in DynamoDB?

A

ProvisionedThroughputExceededException

94
Q

How do you calculate read/write capacity for ON DEMAND DynamoDB?

A

Not required, it’s unlimited.

95
Q

What is DynamoDB Accelerator (DAX) used for?

A

Caching to solve the hot-key problem and reduce latency
Encryption at rest
Runs as a cluster

96
Q

What are DynamoDB Streams?

A

Ordered stream of item-level modifications (create/update/delete) in a table

Use cases:
* React to changes in real time (e.g. welcome email to new users)
* Analytics
* Insert into derivative tables
* Insert into OpenSearch Service
* Implement cross-region replication

97
Q

How often can you get EC2 metrics by default?

A

Every 5 minutes
Every 1 minute with detailed monitoring

98
Q

How many detailed monitoring metrics can you get on the free tier?

A

Up to 10

99
Q

What is Custom Metric resolution?

A

It can be 1 minute (standard) or high resolution, which is more detailed but costs £££.

100
Q

How do you get EC2 logs to CloudWatch?

A

You need to run the CloudWatch agent on EC2 and
make sure your IAM permissions are correct.

101
Q

What is a CloudWatch Synthetics canary?

A

A script that monitors your APIs, URLs and websites.

102
Q

How does EventBridge trigger SNS or Lambda?

A
  1. Cron job (schedule)
  2. Event driven

103
Q

Where does X-Ray shine?

A

Tracing microservice behaviour and providing a UI.

104
Q

How do you configure ECS containers in Fargate to send log information to CloudWatch Logs?

A

Using the awslogs log driver you can configure the containers in your tasks to send log information to CloudWatch Logs. If you’re using the Fargate launch type for your tasks, you need to add the required logConfiguration parameters to your task definition to turn on the awslogs log driver.

105
Q

How do I migrate my Elastic Beanstalk environment from one AWS account to another AWS account?

A

Create a saved configuration in Team A’s account and download it to your local machine. Make the account-specific parameter changes and upload it to the S3 bucket in Team B’s account. From the Elastic Beanstalk console, create an application from ‘Saved Configurations’. You must use saved configurations to migrate an Elastic Beanstalk environment between AWS accounts. You can save your environment’s configuration as an object in Amazon Simple Storage Service (Amazon S3) that can be applied to other environments during environment creation, or applied to a running environment. Saved configurations are YAML-formatted templates that define an environment’s platform version, tier, configuration option settings, and tags.

106
Q

What does it mean if I see duplicate log entries from a Lambda in CloudWatch Logs?

A

It means the function was retried (3 tries in total).

107
Q

S3 event notifications: what is the relationship with versioning?

A
  • S3 event notifications typically deliver events in seconds but can sometimes take a minute or longer.
  • If two writes are made to a single non-versioned object at the same time, it is possible that only a single event notification will be sent.
  • If you want to ensure that an event notification is sent for every successful write, you can enable versioning on your bucket.

108
Q

What is an edge function?

A

Code that you write and attach to a CloudFront distribution to improve latency.

109
Q

Name 2 CloudFront edge functions

A

Lambda@Edge and CloudFront Functions (both serverless)

110
Q

Because Lambda is launched in an AWS owned VPC, how do you get it to speak to your own?

A

You must define the VPC ID, the subnets and the security groups.
* Lambda will create an ENI (Elastic Network Interface) in your subnets.

111
Q

How do you give your Lambda access to external libraries such as AWS X-Ray, the SDK or a DB driver?

A

You need to install the packages alongside your code and zip them together.
The zip has to be less than 50 MB, otherwise put it in S3.

112
Q

What are AWS Lambda Aliases for?

A

They point to different Lambda versions, such as
dev
test
prod
They have their own ARNs.
They enable canary deployments.

113
Q

A developer in your company has configured a build using AWS CodeBuild. The build fails and the developer needs to quickly troubleshoot the issue to see which commands or settings located in the BuildSpec file are causing an issue.

Which approach will help them accomplish this?

A

Run AWS CodeBuild locally using CodeBuild Agent

AWS CodeBuild is a fully managed build service. There are no servers to provision and scale, or software to install, configure, and operate.

With the Local Build support for AWS CodeBuild, you just specify the location of your source code, choose your build settings, and CodeBuild runs build scripts for compiling, testing, and packaging your code. You can use the AWS CodeBuild agent to test and debug builds on a local machine.

By building an application on a local machine you can:

Test the integrity and contents of a buildspec file locally.

Test and build an application locally before committing.

Identify and fix errors quickly from your local development environment.


114
Q

Your organization has developers that merge code changes regularly to an AWS CodeCommit repository. Your pipeline has AWS CodeCommit as the source and you would like to configure a rule that reacts to changes in CodeCommit.

Which of the following options do you choose for this type of integration?

A

Use CloudWatch Event Rules

Amazon CloudWatch Events is a web service that monitors your AWS resources and the applications you run on AWS. You can use Amazon CloudWatch Events to detect and react to changes in the state of a pipeline, stage, or action. Then, based on rules you create, CloudWatch Events invokes one or more target actions when a pipeline, stage, or action enters the state you specify in a rule. Examples of Amazon CloudWatch Events rules and targets:

A rule that sends a notification when the instance state changes, where an EC2 instance is the event source, and Amazon SNS is the event target.

A rule that sends a notification when the build phase changes, where a CodeBuild configuration is the event source, and Amazon SNS is the event target.

115
Q

A development team has noticed that one of the EC2 instances has been wrongly configured with the ‘DeleteOnTermination’ attribute set to True for its root EBS volume.

As a developer associate, can you suggest a way to disable this flag while the instance is still running?

A

When an instance terminates, the value of the DeleteOnTermination attribute for each attached EBS volume determines whether to preserve or delete the volume. By default, the DeleteOnTermination attribute is set to True for the root volume and is set to False for all other volume types.

Set the DeleteOnTermination attribute to False using the command line - If the instance is already running, you can set DeleteOnTermination to False using the command line.

116
Q

What are DynamoDB global tables and why would you use them?

A

Amazon DynamoDB is a key-value and document database that delivers single-digit millisecond performance at any scale. It’s a fully managed, multi-Region, multi-master, durable database with built-in security, backup, and restore and in-memory caching for internet-scale applications.

Consider using Global tables if your application is accessed by globally distributed users - If you have globally dispersed users, consider using global tables. With global tables, you can specify the AWS Regions where you want the table to be available. This can significantly reduce latency for your users. So, reducing the distance between the client and the DynamoDB endpoint is an important performance fix to be considered.

Use eventually consistent reads in place of strongly consistent reads whenever

117
Q

How would you troubleshoot load balancer errors 503?

A

HTTP 503 indicates a ‘Service unavailable’ error. In an ALB this error is an indicator that the target groups for the load balancer have no registered targets.

118
Q

How would you troubleshoot load balancer errors 500?

A

HTTP 500 indicates an ‘Internal server’ error. There are several reasons for this error: a client submitted a request without an HTTP protocol; the load balancer was unable to generate a redirect URL; there was an error executing the web ACL rules.

119
Q

How would you troubleshoot load balancer errors 504?

A

HTTP 504 is a ‘Gateway timeout’ error. There are several reasons for this error, to quote a few: the load balancer failed to establish a connection to the target before the connection timeout expired; the load balancer established a connection to the target but the target did not respond before the idle timeout period elapsed.

120
Q

How would you troubleshoot load balancer errors 403?

A

HTTP 403 - HTTP 403 is the 'Forbidden' error. It means an AWS WAF web access control list (web ACL) configured to monitor requests to your Application Load Balancer blocked the request; check the WAF logs or sampled requests to find the matching rule.

121
Q

How would you redirect using a CloudFront Function

A

With CloudFront Functions in Amazon CloudFront, you write lightweight functions in JavaScript for high-scale, latency-sensitive CDN customizations. Your functions can manipulate the requests and responses that flow through CloudFront, perform basic authentication and authorization, generate HTTP responses at the edge, and more.

When you associate a CloudFront Function with a CloudFront distribution, CloudFront intercepts requests and responses at its edge locations and passes them to your function. You can invoke CloudFront Functions on the following events:
1. Viewer request: the function executes when CloudFront receives a request from a viewer, before it checks whether the requested object is in the CloudFront cache.
2. Viewer response: the function executes before CloudFront returns the requested file to the viewer. Note that it executes regardless of whether the file was already in the CloudFront cache.

To redirect, a viewer-request function returns a response object (a 301 or 302 statusCode plus a location header) instead of returning the request, so the request never reaches the cache or the origin.

We use the value of the CloudFront-Viewer-Country header to update the S3 bucket domain name to a bucket in a Region that is closer to the viewer. This can be useful in several ways: 1. It reduces latency when the Region specified is nearer to the viewer's country. 2. It provides data sovereignty by making sure that data is served from an origin that is in the same country that the request came from.
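As an added example (not code from these flashcards), the redirect described above written as a viewer-request CloudFront Function: viewers from a known country are sent a 302 to a country-specific path, everyone else passes through. The country-to-prefix table is constructed for illustration. It assumes the distribution's cache policy or origin request policy forwards the CloudFront-Viewer-Country header; if it does not, the header is absent inside the function and the request simply passes through.

```javascript
// Added example: CloudFront Function (viewer-request event) that redirects by country.
// Constructed mapping of ISO country code -> localized path prefix (assumption).
var COUNTRY_PREFIX = { CA: '/ca', GB: '/uk', DE: '/de' };

function handler(event) {
    var request = event.request;
    var headers = request.headers;   // header names are lower-cased by CloudFront
    var uri = request.uri;

    // CloudFront-Viewer-Country is only present if the cache/origin request policy forwards it.
    var country = headers['cloudfront-viewer-country']
        ? headers['cloudfront-viewer-country'].value.toUpperCase()
        : null;
    var prefix = country && COUNTRY_PREFIX[country];

    // Unknown or missing country: return the request so CloudFront continues normally.
    if (!prefix) {
        return request;
    }
    // Already on the localized path: pass through, otherwise we would redirect forever.
    if (uri === prefix || uri.indexOf(prefix + '/') === 0) {
        return request;
    }

    // Carry the query string over so the redirect does not drop parameters.
    var qs = [];
    for (var name in request.querystring) {
        qs.push(encodeURIComponent(name) + '=' + encodeURIComponent(request.querystring[name].value));
    }
    var location = prefix + uri + (qs.length ? '?' + qs.join('&') : '');

    // Returning a response object (instead of the request) short-circuits cache and origin.
    return {
        statusCode: 302,
        statusDescription: 'Found',
        headers: {
            'location': { value: location },
            // A country-specific answer must not be reused by the browser for another network.
            'cache-control': { value: 'no-store' }
        }
    };
}
```

A 302 rather than a 301 is deliberate: browsers cache 301s, and a viewer who later connects from another country would keep being sent to the old path.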

122
Q

When would a lambda authorizer come in handy

A

A Lambda authorizer is useful if you want to implement a custom authorization scheme that uses a bearer-token authentication strategy such as OAuth or SAML, or that uses request parameters to determine the caller's identity.

When a client makes a request to one of your API's methods, API Gateway calls your Lambda authorizer, which takes the caller's identity as input and returns an IAM policy (Allow or Deny on execute-api:Invoke for the method ARN) as output. If the function throws an error with the message "Unauthorized", API Gateway returns 401; a Deny policy results in 403. API Gateway can cache the returned policy for a configurable TTL keyed on the identity source, so scope the Resource carefully when caching is on.

There are two types of Lambda authorizers:

A token-based Lambda authorizer (also called a TOKEN authorizer) receives the caller’s identity in a bearer token, such as a JSON Web Token (JWT) or an OAuth token.

A request parameter-based Lambda authorizer (also called a REQUEST authorizer) receives the caller’s identity in a combination of headers, query string parameters, state variables, and $context variables

123
Q

What is the purpose of S3 Cross Region Replication

A

S3 Cross-Region Replication asynchronously copies objects from an S3 bucket in one AWS Region to a bucket in another Region, for lower-latency access, compliance (keeping a copy in a specific Region) or disaster recovery. Versioning must be enabled on both buckets, and S3 uses an IAM role you supply to write to the destination. Only objects written after the rule is created are replicated; existing objects need S3 Batch Replication.

124
Q

How Does CloudFront Caching work?

A

By default the cache key is the hostname plus the resource portion of the URL (the path).
You can extend it using a cache policy.
You can include in the cache key (none, all, or an allow-list of):
HTTP headers
Cookies
Query strings
TTL (minimum, default, maximum) of up to 1 year.
Headers, cookies or query strings that are included in the cache key are also forwarded to the origin. Keep the key minimal: every extra value multiplies the number of cache variants and lowers the hit ratio.

125
Q

What is Cloudfront Origin Request policy

A

An origin request policy controls what CloudFront forwards to the origin beyond what is in the cache key: for example headers, cookies or query strings the origin needs but that should not create separate cache entries, and CloudFront-generated headers such as CloudFront-Viewer-Country that the viewer never sent and therefore are not in the cache key.

126
Q

What are VPC Endpoints

A

VPC endpoints let resources in your VPC reach AWS services over the AWS private network instead of the public internet, so the traffic needs no internet gateway or NAT device.

Two kinds: gateway endpoints (S3 and DynamoDB, added as a route-table entry) and interface endpoints (AWS PrivateLink, an ENI with a private IP in your subnet).

Benefits: enhanced security (no public exposure, and an endpoint policy can restrict which buckets or tables are reachable through it) and lower latency.

127
Q

What is VPC Peering and how to establish it

A

Two VPCs connected so that resources in each can talk to the other over private IPs as if they were one network (works across accounts and across Regions).

To establish it: the owner of the requester VPC creates the peering connection, the owner of the accepter VPC accepts it, then both sides add a route for the other VPC's CIDR to their route tables (pointing at the peering connection) and open security groups / NACLs as needed.

The VPCs must not have overlapping CIDR blocks.

Peering is not transitive, i.e. A peers with B and A peers with C does not mean B is peered with C; each pair needs its own peering connection.

128
Q

What is the difference between
x-amz-server-side-encryption: aws:kms
and
x-amz-server-side-encryption: AES256

A

x-amz-server-side-encryption: aws:kms requests SSE-KMS: the object is encrypted under a KMS key (the AWS managed aws/s3 key, or a customer managed key named with x-amz-server-side-encryption-aws-kms-key-id). This gives the customer control over the key, its key policy and rotation, and every use of the key is logged in CloudTrail.
x-amz-server-side-encryption: AES256 requests SSE-S3: the object is encrypted at upload with keys that S3 itself manages and rotates, with nothing to configure and no per-key audit trail. (S3 Bucket Key is a separate, SSE-KMS-only option that reduces KMS calls; it is not what AES256 means.) Since January 2023 S3 applies SSE-S3 by default to new objects that specify no encryption.
In a bucket policy the condition key s3:x-amz-server-side-encryption is matched against this header, so a Deny with StringNotEquals aws:kms rejects any upload that is not SSE-KMS, and a Deny with Null true rejects uploads that send no encryption header at all.

129
Q

Things to remember about SSE-C

A

SSE-C means the customer provides the encryption key with each request (any 256-bit AES key).
S3 uses the key to encrypt or decrypt the object and then discards it, keeping only a randomly salted HMAC of the key to validate later requests; the same key must be sent again on every GET.
If you use this mechanism you must use HTTPS, or S3 rejects the request, because the key travels in the request headers (customer-algorithm, customer-key, customer-key-MD5).
The customer must also manage key storage and rotation: rotating means re-uploading objects under the new key, and a lost key means the object cannot be recovered, since S3 cannot decrypt it.

130
Q

IAM Instance Role Facts

A

An instance profile is the container for an IAM role that is attached to an EC2 instance.
The SDK and CLI obtain temporary credentials for that role from the instance metadata service (IMDS) at 169.254.169.254 and refresh them automatically, so no long-lived access keys are stored on the instance.
This is the most secure and most common setup when deploying any kind of application on an EC2 instance. Require IMDSv2 (session token, hop limit 1 unless containers on the host need more) so that an SSRF bug in the application cannot read the credentials with a single GET.

131
Q

Which service provides this command
decode-authorization-message

A

STS: aws sts decode-authorization-message --encoded-message ... decodes the encoded authorization-failure message that some APIs (EC2, for example) return on AccessDenied into readable detail about which policy denied the action. The caller needs the sts:DecodeAuthorizationMessage permission.

132
Q

How can you ensure repos in CodeCommit are encrypted?

A

Repos in CodeCommit are automatically encrypted in transit (HTTPS or SSH) and at rest with AWS KMS; nothing needs to be enabled. By default CodeCommit uses an AWS managed key (aws/codecommit) created in the Region the first time you create a repository there, and you can optionally supply a customer managed key instead.

133
Q

How to implement a solution for storing data in S3 that needs encryption at rest AND keys must be rotated at least annually?

A

SSE-KMS with a customer managed AWS KMS key that has automatic key rotation enabled (yearly by default). Automatic rotation is only available for symmetric keys whose key material was generated in KMS; imported key material has to be rotated manually. The AWS managed aws/s3 key also rotates yearly, but you cannot control its key policy.

134
Q

What are the AWS options for encryption and what is the simplest to use.

A

3 mutually exclusive server-side options, depending on how you choose to manage the encryption keys:
Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3),

Server-Side Encryption with KMS keys (formerly called Customer Master Keys, CMKs) stored in AWS Key Management Service (SSE-KMS),

Server-Side Encryption with Customer-Provided Keys (SSE-C).

SSE-S3 is the simplest overall: it is the default for new objects and there is nothing to manage. SSE-KMS is the simplest option that still gives you control: you can have AWS KMS automatically rotate the key every year (provided the key material was generated within AWS KMS), restrict who can use the key through its key policy, and audit every use in CloudTrail.

135
Q

Gotchas

A

If a question describes a public website whose browser code calls an API or S3 bucket on another domain, the answer is not IAM (anonymous visitors have no credentials); the fix is a CORS configuration on the API or bucket.

136
Q

What are the three possible ALB target types

A

Instance, IP, Lambda
When the target type is IP, the addresses must come from the VPC's CIDR or from the private ranges (10.0.0.0/8, 100.64.0.0/10, 172.16.0.0/12, 192.168.0.0/16); publicly routable IP addresses are not allowed.

137
Q

What is the max memory available to lambda at runtime?

A

10,240 MB (10 GB). If a function uses more than its configured memory it is killed and the invocation fails; the REPORT line in the logs shows Max Memory Used at the configured limit, which is the signal to raise the setting or fix the leak.

138
Q

What is the difference between a Local Secondary Index and a Global Secondary Index (DynamoDB)

A

An LSI keeps the table's partition key and adds an alternative sort key, so you can query the same partition in a different order. It must be created with the table, shares the table's throughput and supports strongly consistent reads.
A GSI can have a different partition key (and optionally a different sort key) from the base table, so it supports a completely different access pattern. It can be created or deleted at any time, has its own provisioned throughput and only supports eventually consistent reads.
