EXAM01 Flashcards
Which of the following security credentials can only be created by the AWS Account root user?
EC2 Instance Key Pairs
CloudFront Key Pairs
IAM User Access Keys
IAM User passwords
CloudFront Key Pairs - IAM users can’t create CloudFront key pairs. You must log in using root credentials to create key pairs.
For Amazon CloudFront, you use key pairs to create signed URLs for private content, such as when you want to distribute restricted content that someone paid for.
A multi-national company has multiple business units with each unit having its own AWS account. The development team at the company would like to debug and trace data across accounts and visualize it in a centralized account.
As a Developer Associate, which of the following solutions would you suggest for the given use-case?
X-Ray
VPC Flow Logs
CloudWatch Events
CloudTrail
AWS X-Ray helps developers analyze and debug production, distributed applications, such as those built using a microservices architecture. With X-Ray, you can understand how your application and its underlying services are performing to identify and troubleshoot the root cause of performance issues and errors.
To enable HTTPS connections for his web application deployed on the AWS Cloud, a developer is in the process of creating a server certificate.
Which AWS entities can be used to deploy SSL/TLS server certificates? (Select two)
IAM
AWS Certificate Manager
AWS CloudFormation
AWS Secrets Manager
AWS Systems Manager
AWS Certificate Manager - AWS Certificate Manager (ACM) is the preferred tool to provision, manage, and deploy server certificates. With ACM you can request a certificate or deploy an existing ACM or external certificate to AWS resources. Certificates provided by ACM are free and automatically renew.
IAM - IAM is used as a certificate manager only when you must support HTTPS connections in a Region that is not supported by ACM. IAM securely encrypts your private keys and stores the encrypted version in IAM SSL certificate storage.
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-c
The manager at an IT company wants to set up member access to user-specific folders in an Amazon S3 bucket - bucket-a. So, user x can only access files in his folder - bucket-a/user/user-x/ and user y can only access files in her folder - bucket-a/user/user-y/ and so on.
As a Developer Associate, which of the following IAM constructs would you recommend so that the policy snippet can be made generic for all team members and the manager does not need to create separate IAM policy for each team member?
IAM policy resource
IAM policy variables
IAM policy principal
IAM policy condition
IAM policy condition - The Condition element (or Condition block) lets you specify conditions for when a policy is in effect, like so - "Condition" : { "StringEquals" : { "aws:username" : "johndoe" }}. This can not be used to address the requirements of the given use-case.
The development team at a company creates serverless solutions using AWS Lambda. Functions are invoked by clients via AWS API Gateway which anyone can access. The team lead would like to control access using a 3rd party authorization mechanism.
As a Developer Associate, which of the following options would you recommend for the given use-case?
- IAM permissions with sigv4
- Cognito User Pools
- Lambda Authorizer
- API Gateway User Pools
A Lambda authorizer (formerly known as a custom authorizer) is an API Gateway feature that uses a Lambda function to control access to your API.
A Lambda authorizer is useful if you want to implement a custom authorization scheme that uses a bearer token authentication strategy such as OAuth or SAML, or that uses request parameters to determine the caller’s identity.
https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-
Your global organization has an IT infrastructure that is deployed using CloudFormation on AWS Cloud. One employee, in us-east-1 Region, has created a stack ‘Application1’ and made an exported output with the name ‘ELBDNSName’. Another employee has created a stack for a different application ‘Application2’ in us-east-2 Region and also exported an output with the name ‘ELBDNSName’. The first employee wanted to deploy the CloudFormation stack ‘Application1’ in us-east-2, but it got an error. What is the cause of the error?
Output Values in CloudFormation must have unique names within a single Region
Exported Output Values in CloudFormation must have unique names within a single Region
Output Values in CloudFormation must have unique names across all Regions
Exported Output Values in CloudFormation must have unique names across all Regions
Exported Output Values in CloudFormation must have unique names within a single Region
Export (optional): The name of the resource output to be exported for a cross-stack
An organization has offices across multiple locations and the technology team has configured an Application Load Balancer across targets in multiple Availability Zones. The team wants to analyze the incoming requests for latencies and the client’s IP address patterns.
Which feature of the Load Balancer will help collect the required information?
CloudTrail logs
CloudWatch metrics
ALB access logs
ALB request tracing
Elastic Load Balancing provides access logs that capture detailed information about requests sent to your load balancer. Each log contains information such as the time the request was received, the client’s IP address, latencies, request paths, and server responses. You can use these access logs to analyze traffic patterns and troubleshoot issues.
What’s the use of ALB request tracing?
When the load balancer receives a request from a client, it adds or updates the X-Amzn-Trace-Id header before sending the request to the target. Any services or applications between the load balancer and the target can also add or update this header.
You can use request tracing to track HTTP requests from clients to targets or other services. If you enable access logs, the contents of the X-Amzn-Trace-Id header are logged. For more information, see Access logs for your Application Load Balancer.
Which of the following best describes how KMS Encryption works?
KMS receives CMK from the client at every encrypt call, and encrypts the data with that
KMS stores the CMK, and receives data from the clients, which it encrypts and sends back
KMS sends the CMK to the client, which performs the encryption and then deletes the CMK
KMS generates a new CMK for each Encrypt call and encrypts the data with it
KMS stores the CMK, and receives data from the clients, which it encrypts and sends back
Amazon Simple Queue Service (SQS) has a set of APIs for various actions supported by the service.
As a developer associate, which of the following would you identify as correct regarding the CreateQueue API? (Select two)
- The visibility timeout value for the queue is in seconds, which defaults to 30 seconds
- The dead-letter queue of a FIFO queue must also be a FIFO queue. Whereas, the dead-letter queue of a standard queue can be a standard queue or a FIFO queue
- The length of time, in seconds, for which the delivery of all messages in the queue is delayed is configured using MessageRetentionPeriod attribute
- Queue tags are case insensitive. A new tag with a key identical to that of an existing tag overwrites the existing tag
- You can’t change the queue type after you create it
You can’t change the queue type after you create it - You can’t change the queue type after you create it and you can’t convert an existing standard queue into a FIFO queue. You must either create a new FIFO queue for your application or delete your existing standard queue and recreate it as a FIFO queue.
The visibility timeout value for the queue is in seconds, which defaults to 30 seconds - The visibility timeout for the queue is in seconds. Valid values are an integer from 0 to 43,200 (12 hours); the default value is 30.
A cybersecurity firm wants to run their applications on single-tenant hardware to meet security guidelines.
Which of the following is the MOST cost-effective way of isolating their Amazon EC2 instances to a single tenant?
- Dedicated Instances
- Spot Instances
- Dedicated Hosts
- On-Demand Instances
Dedicated Instances are Amazon EC2 instances that run in a virtual private cloud (VPC) on hardware that’s dedicated to a single customer.
In the EC2 context, what is a Dedicated Host use case?
An Amazon EC2 Dedicated Host is a physical server with EC2 instance capacity fully dedicated to your use. Dedicated Hosts allow you to use your existing per-socket, per-core, or per-VM software licenses, including Windows Server, Microsoft SQL Server, SUSE, and Linux Enterprise Server.
A developer has an application that stores data in an Amazon S3 bucket. The application uses an HTTP API to store and retrieve objects. When the PutObject API operation adds objects to the S3 bucket the developer must encrypt these objects at rest by using server-side encryption with Amazon S3-managed keys (SSE-S3).
Which solution will guarantee that any upload request without the mandated encryption is not processed?
- Invoke the PutObject API operation and set the x-amz-server-side-encryption header as aws:kms. Use an S3 bucket policy to deny permission to upload an object unless the request has this header
- Invoke the PutObject API operation and set the x-amz-server-side-encryption header as AES256. Use an S3 bucket policy to deny permission to upload an object unless the request has this header
- Invoke the PutObject API operation and set the x-amz-server-side-encryption header as sse:s3. Use an S3 bucket policy to deny permission to upload an object unless the request has this header
- Set the encryption key for SSE-S3 in the HTTP header of every request. Use an S3 bucket policy to deny permission to upload an object unless the request has this header
- Invoke the PutObject API operation and set the x-amz-server-side-encryption header as AES256. Use an S3 bucket policy to deny permission to upload an object unless the request has this header
A company wants to provide beta access to some developers on its development team for a new version of the company’s Amazon API Gateway REST API, without causing any disturbance to the existing customers who are using the API via a frontend UI and Amazon Cognito authentication. The new version has new endpoints and backward-incompatible interface changes, and the company’s development team is responsible for its maintenance.
Which of the following will satisfy these requirements in the MOST operationally efficient manner?
- Create a development stage on the API Gateway API and then have the developers point the endpoints to the development stage
- Configure a canary release deployment on the API Gateway API and then have the developers point to the relevant deployment by referencing the stage variable in the endpoint
- Create new API keys on the API Gateway API and then have the developers point the endpoints by passing the new API keys
- Create a new API Gateway API that points to the new API application code and then have the developers point the endpoints to the new API
Create a development stage on the API Gateway API and then have the developers point the endpoints to the development stage
What does the CloudFormation Transform section do?
For serverless applications (also referred to as Lambda-based applications), specifies the version of the AWS Serverless Application Model (AWS SAM) to use. When you specify a transform, you can use AWS SAM syntax to declare resources in your template. The model defines the syntax that you can use and how it’s processed.
You can also use AWS::Include transforms to work with template snippets that are stored separately from the main AWS CloudFormation template. You can store your snippet files in an Amazon S3 bucket and then reuse the functions across multiple
What is a CloudFormation Intrinsic function?
Intrinsic Functions are used to assign values to properties that are not available until runtime. They usually start with Fn:: or !. Example: !Sub or Fn::Sub.