Exam Points Flashcards
Exam prep
How does CloudFormation promote Separation of Concern
Stacks
You can create stacks for many apps and layers,
e.g.
* VPC Stacks
* Network stacks
* App Stacks
What is a CloudFormation Template
It’s a JSON or YAML file that declares your requirement
A template has to be uploaded in S3 then referenced in CloudFormation
It must be versioned. Immutable.
Metadata
A template can utilise References and Functions
How does CloudFormation represent the AWS Components it wants to create?
By using a Resource
looks like this AWS::aws-product-name::data-type-name
When should you use a CloudFormation parameter
If the resource config is likely to change in the future then paramaterise it. That way you won’t have to re-upload a template if content changes.
What are Valid Parameter Settings (CloudFormation)
Type:
- String
- Number
- CommaDelimitedList
- List <Type>
- AWS Parameter
Description
Constraints
ConstraintDescription (String)
Min/MaxLength
Min/MaxValue
Default
AllowedValues (array)
AllowedPattern (regexp)
NoEcho (Boolean)</Type>
How to reference a CloudFormation parameter
Fn:: Ref
in YAML it is !Ref
can reference other params in the template
What are CloudFormation PseudoParameters
AWS::AccountId
AWS::NotifiationARNs
AWS::NoValue
AWS::Region
AWS::StackId
AWS:StackName
What are CloudFormation Mappings?
They are fixed variables within your CloudFormaton Template, values are hardcoded
eg
RegionMap:
us-east-1:
“32”: “ami-123”
us-west-1:
“32”: “ami-456”
When to use Mappings V Parameters in CloudFormation
When you know upfront all the values that you will need and they can be deduced from variables like ‘region’.
Use parameters when the values are user-specific and may change at run time.
How do you access Mapping Values in CloudFormaton?
Fn::FindInMap
in YAML
!FindInMap [MapName, TopLevelKey, SecondLevelKey]
How do you do CloudFormation Outputs?
These are optional and are declared in a YAML using Export:
Outputs:
StackSSHSecurityGroup:
Description: this is the description
Value: !Ref MySecurityGroup
Export:
Name: SSHSecurityGroup
We then reference it using:
!ImportValue SSHSecurityGroup
For each AWS account, export names must be unique within a region
What are conditions in CloudFormation
Control creation of resources based on a condition.
eg
Conditions:
CreateProdResources: !Equals [!Ref EnvType, prod]
And, Equals, If, Not, Or are all valid functions
What is Fn:: GetAtt in cloudformation used for?
It gets the attributes of resources you create.
So for example
!GetAtt EC2Instance.AvailabilityZone
How does Fn::Join work in CloudFormation
It joins values with a delimiter
e.g.
!Join [delimiter, [a, b, c]]
What happens if CloudFormation Stack Creation fails
Default: everything gets rolled back and you can look at the log
Option to disable rollback to troubleshoot
What happens if CloudFormation Stack update fails
The stack automatically rolls back to last known working state, logs can show errors
Pattern for CF Stackevent notifications
Enable SNS integration on Stack Events, you can have a Lambda filtering on ROLLBACK IN PROGRESS events, that trigger another SNS notification to say send an email.
What is a ChangeSet in CloudFormation
Similar to a plan in terraform, it will show you the diff
Why would you use Nested Stacks (CloudFormation)
Considered best practice for configurations that are reused e.g a Security Group
To update a nested Stack, always update the parent (root stack)
Why would you use Cross Stacks (CloudFormation)
When stacks have different lifecycles
When you need to pass export values to many stacks e.g. VPC id
use outputs export and Fn::ImportValue
Why would you use a StackSet (CloudFormation)
To create update or delete stacks across multiple accounts and regions
Admin account creates stack sets
Trusted Accounts to create, update, delete, etc stack instances
When you update a stack set, ALL associated stack instances are updated across accounts and regions
How to protect against manual config changes (CloudFormation)
CloudFormation Drift
What is a Stack Policy (CloudFormation)
It’s a Json document that defines the update actions that are allowed on specific resources
it protects resources from unintentional updates
Specify an explicit ALLOW for the resources you want to be updated.
What tool automates Software package deployment to AWS as part of continuous integration and delivery
AWS Code Deploy
fully managed “deployment” service that automates software deployments to a variety of compute services such as Amazon EC2, AWS Fargate, AWS Lambda, and your on-premises servers.
How does Elastic Beanstalk work? What are the steps?
- Create Application
- Upload Version
- Launch environment
- Manage environment
What is an ‘immutable’ deploy in Elastic Beanstalk
A new ASG is launched pointing to the new instances
This is the best deployment if you want full capacity of the application and minimal impact of failed deployment
If you want to deploy a container image to Lambda, what must the container image do?
It must implement the Lambda Runtime API
also AWS Lambda service does not support Lambda functions that use multi-architecture container image
Which Credentials are supported in IAM for CodeCommit?
Git
AWS Access Keys
IAM Username and Password
SSH Keys are NOT SUPPORTED
Elastic Beanstack Use case for deploy using Rolling with Additional Batch’policy
costs less than immutable as it has less instances
maintains availablity of application throughout
but
takes longer
The AWS Serverless Application Model (SAM) is an open-source framework for building serverless applications. It provides shorthand syntax to express functions, APIs, databases, and event source mappings. With just a few lines per resource, you can define the application you want and model it using YAML.
What resource types does it support?
AWS::Serverless::Api
AWS::Serverless::Application
AWS::Serverless::Function
AWS::Serverless::HttpApi
AWS::Serverless::LayerVersion
AWS::Serverless::SimpleTable
AWS::Serverless::StateMachine
Elastic Beanstalk - what happens if instances fail during a deployment and are terminated
Elastic Beanstalk will replace them with instances running the application version from the most recent successful deployment
SQS what is the message limit in a queue
unlimited
How do you handle manual approvals in the deployment process
Create one CodePipeline for your entire flow and add a manual approval step - You can add an approval action to a stage in a CodePipeline pipeline at the point where you want the pipeline to stop so someone can manually approve or reject the action. Approval actions can’t be added to Source stages. Source stages can contain only source actions.
SQS what is the retention of messages?
Default: 4 days
Max: 14
message otherwise persisted until consumer deletes it
SQS what is the limit on message size
256KB
Can SQS messages be out of order?
Yes, best effort ordering
SQS consumer receives how many messages at a time?
up to 10
How does an SQS consumer delete the message
DeleteMessageApi
How would you use SQS to decouple a front end web app that has a back end that does video processing and inserts into an S3 bucket
You would put an SQS queue between front end and back end
What sort of encryption is available for SQS and SNS? name 3
Inflight using HTTPS API
At rest using KMS
Client side if required
How do you regulate access to the SQS or SNS API
IAM Policies
What are SQS/SNS AccessPolicies?
Useful for cross account access to SQS queues /SNS topics
Useful for allowing other services to write to an SQS queue/SNS topic
What is the default MessageVisibilityTimeout and what is it used for
30 seconds
It means that once a message is polled by a consumer, it can’t be polled by another for 30 seconds.
This prevents multiple consumers from handling the same message.
If a message is not processed in time, it will be processed twice.
A consumer could call ChangeMessageVisibility API to get more time
What is the throughput of FIFO Queue
300 msg/s without batching, 3000 msg/s with
Exactly once capability and messages are processed in order by the consumer
What is Redrive to Source in a SQS Dead Letter Queue
Ability to replay messages after you have fixed any errors
What is a Delay Queue
It delays a message from 0 secs - 15 mins so consumers don’t see it immediately
This can be overridden using DelaySeconds parameter
What is the purpose of ‘long polling’?
When a consumer polls and waits for a message to arrive if there are none in the queue.
This decreases the number of API calls made to SQS and it increases efficency as well as decreasing latency of the app
Wait time can be between 1 - 20 sec
LongPolling can be enabled at API using ReceiveMessageWaitTimeSeconds or when creating the queue.
SQS What if the message you want to send exceeds the size limit of 256KB?
Use SQS Extended Client (java library)
In this pattern the producer sends the large message to S3 and sends a small metadata message to SQS Queue
The consumer polls the Queue and uses the small metadata message to retrieve the large item from the S3 bucket.
Important SQS Apis for exam
CreateQueue (MessageRetentionPeriod), DeleteQueue
* PurgeQueue: delete all the messages in queue
* SendMessage (DelaySeconds), ReceiveMessage, DeleteMessage
* MaxNumberOfMessages: default 1, max 10 (for ReceiveMessage API)
* ReceiveMessageWaitTimeSeconds: Long Polling
* ChangeMessageVisibility: change the message timeout
* Batch APIs for SendMessage, DeleteMessage, ChangeMessageVisibility
helps decrease your costs
SNS what is the max subscriptions per topic
12500000
SNS Topic Limit?
100000
What is the FAN OUT pattern?
A queue can only have one consumer
A topic can have many subscribers
Fan out - you push once in SNS
You have queues that subscribe to the topic
- SQS allows for: data persistence, delayed processing and retries of work
- Ability to add more SQS subscribers over time
- Make sure your SQS queue access policy allows for SNS to write
- Cross-Region Delivery: works with SQS Queues in other regions
AN S£ object create event to /images/ can only have one S3 event rule.
How can you propagate this across many consumers?
Use FAN out
use the single event to publish to an SNS topic, have some SQS queues subscribe to the topic
SNS Message filtering - what is it
a Json policy to filter messages send to the subscriptions allows subscribers to filter what they are interested in.
Kinesis High level what does it make it easy to do?
Collect, process and analyze streaming data in real time
Ingest real time data such as app logs, metrics, website clickstreams, IOT telemetry
What does Kinesis Data Streams do
capture, process, and store data streams
Kinesis Data Streams enables real-time processing of streaming big data.
What does Kinesis Data Firehose do
load data streams into AWS data stores
Amazon Kinesis Data Firehose is the easiest way to load streaming data into data stores and analytics tools. It can capture, transform, and load streaming data into Amazon S3, Amazon Redshift, Amazon Elasticsearch Service, and Splunk, enabling near real-time analytics with existing business intelligence tools and dashboards you’re already using today
What does Kinesis Data Analytics do
analyze data streams with SQL or Apache Flink
What does Kinesis Video Streams do
capture, process, and store video streams
Key points Kinesis - retention
Retention between 1 day to 365 days
Kinesis Operation - What is ShardSplitting?
Used to increase stream capacity
Used to split a ‘hot shard’
What is AWS Glue
AWS Glue is a serverless data integration service that makes it easy to discover, prepare, and combine data for analytics, machine learning, and application development.
Glue is not best suited to handle real-time data.
What is the total set size/number of environment variables you can create for AWS Lambda?
4KB total size
no limit on number
What is S3 bucket naming conventions
- No uppercase, No underscore
- 3-63 characters long
- Not an IP
- Must start with lowercase letter or number
- Must NOT start with the prefix xn–
- Must NOT end with the suffix -s3alias
What is the max object size you can upload to a bucket?
5TB/5000GB
Otherwise you have to use multipart upload
Describe an S3 bucket policy
JSON based policies
* Resources: buckets and objects
* Effect: Allow / Deny
* Actions: Set of API to Allow or Deny
* Principal: The account or user to apply the policy to
What are the use cases for using an S3 bucket policy?
Grant public access to bucket
Force encryption at upload
Cross Account access
What does it mean if you get 403 forbidden on a static website hosted on S3
Check that bucket policy allows public reads
How do you enable versioning on files stored in S3
Enable at bucket level
How do you enable Same Region Replication or Cross Region Replication on a bucket?
Must enable versioning
Must give proper IAM permissions to S3
What are the use cases for Same Region Replication or Cross Region Replication on a bucket?
CRR – compliance, lower latency access, replication across accounts, DR
SRR – log aggregation, live replication between production and test accounts
Note that S3 lifecycle actions are not replicated
If you enable replication in a bucket, are old objects replicated?
No, only new objects
What is the use case for S3 infrequent access?
Data less frequently accessed but rapid access needed
What is the use case for S3 Glacier Storage access?
Low cost for archiving/backup
object retrieval costs £££
Amazon S3 Glacier Instant Retrieval
* Millisecond retrieval, great for data accessed once a quarter
* Minimum storage duration of 90 days
Amazon S3 Glacier Flexible Retrieval (formerly Amazon S3 Glacier):
* Expedited (1 to 5 minutes), Standard (3 to 5 hours), Bulk (5 to 12 hours) – free
* Minimum storage duration of 90 days
Amazon S3 Glacier Deep Archive – for long term storage:
* Standard (12 hours), Bulk (48 hours)
* Minimum storage duration of 180 days
What is the use case for S3 general purpose access?
Frequently accessed
low latency
high throughput
What are the costs of S3 intelligent tiering
The cost is for monitoring and auto-tiering, no cost for retrieval.
Frequent Access tier (automatic): default tier
* Infrequent Access tier (automatic): objects not accessed for 30 days
* Archive Instant Access tier (automatic): objects not accessed for 90 days
* Archive Access tier (optional): configurable from 90 days to 700+ days
* Deep Archive Access tier (optional): config. from 180 days to 700+ days
If you enable replication on an S3 bucket what is not replicated?
S3 Lifecycle Actions
Object Tags
Metadata
Old objects that existed before replication
What are two main benefits of using elasticache?
Amazon ElastiCache can be used to significantly improve latency and throughput for many read-heavy application workload
What is the simplest and least effort way of deploying Docker Containers in a serverless Architecture
ECS on Fargate
Amazon Elastic Container Service (Amazon ECS) is a highly scalable, fast, container management service that makes it easy to run, stop, and manage Docker containers on a cluster. You can host your cluster on a serverless infrastructure that is managed by Amazon ECS by launching your services or tasks using the Fargate launch type.
How do you scale SQS?
Amazon SQS is highly scalable and does not need any intervention to handle the expected high volumes
Amazon SQS leverages the AWS cloud to dynamically scale, based on demand. SQS scales elastically with your application so you don’t have to worry about capacity planning and pre-provisioning. For most standard queues (depending on queue traffic and message backlog), there can be a maximum of approximately 120,000 inflight messages (received from a queue by a consumer, but not yet deleted from the queue).
If you implement Amazon Elasticache Redis in cluster mode, what does that provide for your app
Enhanced reliability and availability with little change to your existing workload.
Cluster mode comes with the primary benefit of horizontal scaling of your Redis cluster, with almost zero impact on the performance of the cluster.
What is S3 Object Ownership
S3 Object Ownership is an Amazon S3 bucket setting that you can use to control ownership of new objects that are uploaded to your buckets. By default, when other AWS accounts upload objects to your bucket, the objects remain owned by the uploading account. With S3 Object Ownership, any new objects that are written by other accounts with the bucket-owner-full-control canned access control list (ACL) automatically become owned by the bucket owner, who then has full control of the objects.
S3 Object Ownership has two settings: 1. Object writer – The uploading account will own the object. 2. Bucket owner preferred – The bucket owner will own the object if the object is uploaded with the bucket-owner-full-control canned ACL. Without this setting and canned ACL, the object is uploaded and remains owned by the uploading account.
What does this header identify in a request - X-Forwarded-For
The Client IP
How would you reuse execution context to improve a Lambda performance
move it out of the function handler
explanation:
AWS best practices for Lambda suggest taking advantage of execution context reuse to improve the performance of your functions. Initialize SDK clients and database connections outside of the function handler, and cache static assets locally in the /tmp directory. Subsequent invocations processed by the same instance of your function can reuse these resources. This saves execution time and cost.
What ca a n you take to make RDS architecture resilient for DR
Enable automated backups in a MultiAZ deployment that creates backups in a single region.
Use Cross Region read replicas
What is the use case for EB Dedicated Worker environment
operations or workflows that take a long time to complete,
DynamoDB what is the max item size
400KB
How do you make a primary key for Dynamo DB
It must be as unique as possible
Can be a combination of partition key and sort key
How to calculate Write Capacity Unit for Dynamo DB
1 write per second for an item up to 1KB in size
items * nKB (rounded up to nearest int)/1
Example 1: we write 10 items per second, with item size 2 KB
10 * (2/1) = 20
* Example 2: we write 6 items per second, with item size 4.5 KB
got to round 4.5 to 5
6 * 5/1 = 30
* Example 3: we write 120 items per minute, with item size 2 KB
120 per min = 2 per sec
therefore
2 * 2/1 = 4
What is the difference between Strongly Consistent and eventually consistent read
Eventually (default) - if we read just after a write it’s possible we will get stale data
Strongly (ConsistentRead = true in api calls)
we will get data
BUT consumes twice the RCU
How to calculate Read Capacity Units
1 RCU = 1 Strongly Consistent Read per second (in chunks of 4KB)
1 RCU = 2 Eventually Consistent Reads per second (in chunks of 4KB
Example 1: 10 Strongly Consistent Reads per second, with item size 4 KB
10 * 4KB/4KB = 10 RCU
* Example 2: 16 Eventually Consistent Reads per second, with item size 12 KB
16/2 * 12KB/4kB = 24 RCU
* Example 3: 10 Strongly Consistent Reads per second, with item size 6 KB
10 * 8/4KB = 20
What happens if we exceed provisioned RCUS or WCUS across partitions in Dynamo DB?
Provisioned ThroughputExceededException
How do you calculate Read Write Capacity for ON DEMAND Dynamo DB
not required, it’s unlimited
What is DynamoDBAccelerator (DAX) used for?
Caching to solve Hot key problem , increase latency
encryption at rest
cluster
What are DynamoDBStreams?
Ordered stream of item-level modifications (create/update/delete) in a table
Use cases:
* react to changes in real-time (welcome email to users)
* Analytics
* Insert into derivative tables
* Insert into OpenSearch Service
* Implement cross-region replication
How often can you get EC2 metrics by default
5 mins
1 min if detailed monitoring
HOw many detailed monitoring metrics can you get on free tier
up to 10
What is Custom Metric resolution?
can be 1 min (standard) or high resolution is more detailed £££
How to get EC2 logs to Cloudwatch?
You need to run a Cloudwatch agent on EC2 and
make sure your IAM permissions are correct
What is CloudWatch Synthetics canary
a script that monitors your APIs URLs an websites
How does eventbridge trigger sNS or lambda?
- cronjob
- event driven
Where does XRay shine
tracing microservice behaviour and providing a ui
How do you configure ECS containers in Fargate to send log information to Cloudwatch logs
Using the awslogs log driver you can configure the containers in your tasks to send log information to CloudWatch Logs. If you’re using the Fargate launch type for your tasks, you need to add the required logConfiguration parameters to your task definition to turn on the awslogs log driver.
How do I migrate my Elastic Beanstalk environment from one AWS account to another AWS account?
Create a saved configuration in Team A’s account and download it to your local machine. Make the account-specific parameter changes and upload to the S3 bucket in Team B’s account. From Elastic Beanstalk console, create an application from ‘Saved Configurations - You must use saved configurations to migrate an Elastic Beanstalk environment between AWS accounts. You can save your environment’s configuration as an object in Amazon Simple Storage Service (Amazon S3) that can be applied to other environments during environment creation, or applied to a running environment. Saved configurations are YAML formatted templates that define an environment’s platform version, tier, configuration option settings, and tags.
What does it mean if I see duplicate log entries from a lambda in Cloudwatch logs
It means the function was retried (total retry 3)
S3 events information regarding versioning.
- S3 event notifications typically deliver events
in seconds but can sometimes take a minute
or longer - If two writes are made to a single non- versioned object at the same time, it is
possible that only a single event notification
will be sent - If you want to ensure that an event
notification is sent for every successful write,
you can enable versioning on your bucket.
What is an edge function?
Code that you write and attach to a cloudfront distribution to improve latency
Name 2 CloudFront edge functions
Lambda@Edge and CloudFrontFunctions (both serverless)
Because Lambda is launched in an AWS owned VPC, how do you get it to speak to your own?
You must define the VPC ID, the
Subnets and the Security Groups
* Lambda will create an ENI (Elastic
Network Interface) in your subnets
How do you get your lambda access to external libraries such as AWSXRay or SDK or DB?
You need to install the packages alongside your code and zip it together.
Zip has to be less than 50MB, else put it in S3
What are AWS Lambda Aliases for?
They point to different Lambda versions such as
dev
test
prod
They have their own ARNS
they enable Canary deployment
A developer in your company has configured a build using AWS CodeBuild. The build fails and the developer needs to quickly troubleshoot the issue to see which commands or settings located in the BuildSpec file are causing an issue.
Which approach will help them accomplish this?
Run AWS CodeBuild locally using CodeBuild Agent
AWS CodeBuild is a fully managed build service. There are no servers to provision and scale, or software to install, configure, and operate.
With the Local Build support for AWS CodeBuild, you just specify the location of your source code, choose your build settings, and CodeBuild runs build scripts for compiling, testing, and packaging your code. You can use the AWS CodeBuild agent to test and debug builds on a local machine.
By building an application on a local machine you can:
Test the integrity and contents of a buildspec file locally.
Test and build an application locally before committing.
Identify and fix errors quickly from your local development environment.
Incorrect options:
Your organization has developers that merge code changes regularly to an AWS CodeCommit repository. Your pipeline has AWS CodeCommit as the source and you would like to configure a rule that reacts to changes in CodeCommit.
Which of the following options do you choose for this type of integration?
Use CloudWatch Event Rules
Amazon CloudWatch Events is a web service that monitors your AWS resources and the applications you run on AWS. You can use Amazon CloudWatch Events to detect and react to changes in the state of a pipeline, stage, or action. Then, based on rules you create, CloudWatch Events invokes one or more target actions when a pipeline, stage, or action enters the state you specify in a rule. Examples of Amazon CloudWatch Events rules and targets:
A rule that sends a notification when the instance state changes, where an EC2 instance is the event source, and Amazon SNS is the event target.
A rule that sends a notification when the build phase changes, where a CodeBuild configuration is the event source, and Amazon SNS is the event target.
A development team has noticed that one of the EC2 instances has been wrongly configured with the ‘DeleteOnTermination’ attribute set to True for its root EBS volume.
As a developer associate, can you suggest a way to disable this flag while the instance is still running?
When an instance terminates, the value of the DeleteOnTermination attribute for each attached EBS volume determines whether to preserve or delete the volume. By default, the DeleteOnTermination attribute is set to True for the root volume and is set to False for all other volume types.
Set the DeleteOnTermination attribute to False using the command line - If the instance is already running, you can set DeleteOnTermination to False using the command line.
What are dynamo DB global tables and why would you use them?
Amazon DynamoDB is a key-value and document database that delivers single-digit millisecond performance at any scale. It’s a fully managed, multi-Region, multi-master, durable database with built-in security, backup, and restore and in-memory caching for internet-scale applications.
Consider using Global tables if your application is accessed by globally distributed users - If you have globally dispersed users, consider using global tables. With global tables, you can specify the AWS Regions where you want the table to be available. This can significantly reduce latency for your users. So, reducing the distance between the client and the DynamoDB endpoint is an important performance fix to be considered.
Use eventually consistent reads in place of strongly consistent reads whenever
How would you troubleshoot load balancer errors 503?
HTTP 503 - HTTP 503 indicates ‘Service unavailable’ error. This error in ALB is an indicator of the target groups for the load balancer having no registered targets.
How would you troubleshoot load balancer errors 500?
HTTP 500 - HTTP 500 indicates ‘Internal server’ error. There are several reasons for their error: A client submitted a request without an HTTP protocol, and the load balancer was unable to generate a redirect URL, there was an error executing the web ACL rules.
How would you troubleshoot load balancer errors 504?
HTTP 504 - HTTP 504 is ‘Gateway timeout’ error. Several reasons for this error, to quote a few: The load balancer failed to establish a connection to the target before the connection timeout expired, The load balancer established a connection to the target but the target did not respond before the idle timeout period elapsed.
How would you troubleshoot load balancer errors 403?
HTTP 403 - HTTP 403 is ‘Forbidden’ error. You configured an AWS WAF web access control list (web ACL) to monitor requests to your Application Load Balancer and it blocked a request.
How would you redirect using a CloudFront Function
With CloudFront Functions in Amazon CloudFront, you can write lightweight functions in JavaScript for high-scale, latency-sensitive CDN customizations. Your functions can manipulate the requests and responses that flow through CloudFront, perform basic authentication and authorization, generate HTTP responses at the edge, and more.
When you associate a CloudFront function with a CloudFront distribution, CloudFront intercepts requests and responses at CloudFront edge locations and passes them to your function. You can invoke CloudFront functions when the following events occur: 1. When CloudFront receives a request from a viewer (viewer request): The function executes when CloudFront receives a request from a viewer before it checks to see whether the requested object is in the CloudFront cache.
Before CloudFront returns the response to the viewer (viewer response): The function executes before returning the requested file to the viewer. Note that the function executes regardless of whether the file is already in the CloudFront cache.
We use the value of the CloudFront-Viewer-Country header to update the S3 bucket domain name to a bucket in a Region that is closer to the viewer. This can be useful in several ways: 1. It reduces latencies when the Region specified is nearer to the viewer’s country. 2. It provides data sovereignty by making sure that data is served from an origin that’s in the same country that the request came from.
When would a lambda authorizer come in handy
A Lambda authorizer is useful if you want to implement a custom authorization scheme that uses a bearer token authentication strategy such as OAuth or SAML, or that uses request parameters to determine the caller’s identity.
When a client makes a request to one of your API’s methods, API Gateway calls your Lambda authorizer, which takes the caller’s identity as input and returns an IAM policy as output.
There are two types of Lambda authorizers:
A token-based Lambda authorizer (also called a TOKEN authorizer) receives the caller’s identity in a bearer token, such as a JSON Web Token (JWT) or an OAuth token.
A request parameter-based Lambda authorizer (also called a REQUEST authorizer) receives the caller’s identity in a combination of headers, query string parameters, state variables, and $context variables
What is the purpose of S3 Cross Region Replication
S3 Cross-Region Replication allows you to replicate the data from one S3 bucket in an AWS region to another S3 bucket in another AWS region.
How Does CloudFront Caching work?
By default the cache has hostname+ resource portion of the URL
You can enhance it using Cache Policy
Can cache on: (none, all, whitelist etc)
HTTP Headers
Cookies
Query Strings
ttl up to 1 year
headers or cookies or query strings that are included are forwarded in cache key to the origin
What is Cloudfront Origin Request policy
sending e.g headers that were not sent by the user so are not in the cache key.
What are VPC Endpoints
Allow you to connect services using a private network instead of public www network.
Enhanced security and lower latency
What is VPC Peering and how to establish it
2 or more VPC connected together as one
must not have overlapping CIDR
is not transitive ie a peers with b and a peers with c doesn’t mean b is peered with c
What is the difference between
x-amz-server-side-encryption’: ‘aws:kms’
and
x-amz-server-side-encryption’: ‘AES-256’
x-amz-server-side-encryption’: ‘aws:kms’ is essentially saying use kms to encrypt, this will give the client some more control ofver keys
“s3:x-amz-server-side-encryption”: “AES256” ensures that all objects uploaded to S3 will be encrypted at time of upload . This will use SSE:s3 which is the bucket key and will be managed/rotated by the bucket.
Things to remember about SSE-C
This is a customer provided encryption key
any key
If you are using this encryption mechanism you must use https or else it will be rejected.
Also the customer must manage key rotations etc
IAM Instance Role Facts
it’s a container for an IAM role
The SDK will use EC2 metadta s service to obtain temp credentials
This is the most secure and common set up when deploying any kind of applicaiton on an EC2 instance!
Which service uses this command
decode-authorization-message
sts
How can you ensure repos in Code Commit are enrypted?
Repos in Code Commit are automatically encrypted in transit and at rest
How to implement a solution for storing data in S3 that needs encryption at rest AND keys must be rotated at least annually?
AWS KMS with automatic key rotation
What are the AWS options for encryption and what is the simplest to use.
3 mutually exclusive options, depending on how you choose to manage the encryption keys:
Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3),
Server-Side Encryption with Customer Master Keys (CMKs) Stored in AWS Key Management Service (SSE-KMS),
Server-Side Encryption with Customer-Provided Keys (SSE-C).
You can choose to have AWS KMS automatically rotate CMKs every year, provided that those keys were generated within AWS KMS
so KMS is simplest
Gotchas
question about a public website, not using IAM that’s for sure, use cors
What are the three possible ALB target types
Instance, IP, Lambda
When the target is IP you can only specify specific CIDR blocks, not publicly routable IP addresses
What is the max memory available to lambda at runtime?
10240MB , if that is exceeded you will get Max Memory Used exception
What is the difference between a Local Secondary Index and a Global Secondary Index (DynamoDB)
LSI allows you to create a query using the primary key and an alternative key
GSI is using the partition key and a different sort key than the one on the base table
