Flashcards from AWS Course

Question 1

What is AWS Serverless Application Model (AWS SAM)?

Answer 1

A framework for building serverless applications in AWS.

Question 2

How do you share AWS CloudFormation templates across multiple AWS accounts?

Answer 2

Use CloudFormation StackSets.

Question 3

Where do you store files for an AWS Lambda function that needs temporary storage during execution?

Answer 3

/tmp directory.

Question 4

In Amazon Elastic Container Server (Amazon ECS), where are port mappings located and where are they configured?

Answer 4

Port mappings are part of the container definition and are configured in the task definition.

Question 5

What is the unit of scale for Lambda?

Answer 5

Concurrent executions.

Question 6

What condition keys would you use to limit the execution of a Lambda function to a particular Amazon VPC?

Answer 6

lambda:VpcIds – Allow or deny one or more VPCs.

lambda:SubnetIds – Allow or deny one or more subnets.

lambda:SecurityGroupIds – Allow or deny one or more security groups.

Question 7

Global secondary index queries support what type of consistency?

Answer 7

Eventual consistency only.

Question 8

What are best practices for partition keys in Amazon DynamoDB?

Answer 8

Use high-cardinality attributes which are attributes that have distinct values for each item.

Use composite attributes to combine more than one attribute to form a unique key.

Cache the popular items when there is a high volume of read traffic using Amazon DynamoDB Accelerator (DAX).

Add random numbers or digits from a predetermined range for write-heavy use cases.

Question 9

How do you ensure that your applications cannot retrieve a message from an Amazon Simple Queue Service (Amazon SQS) queue that is being processed or has already been processed?

Answer 9

Increase the VisibilityTimeout value from the ChangeMessageVisibility API and delete the message using the DeleteMessage API.

Question 10

What API call do you use to give the ability to the application so that it can use an IAM role?

Answer 10

AssumeRole API.

Question 11

What do you use to authenticate users for a website using identity profiles?

Answer 11

Amazon Cognito identity pools.

Question 12

What is a role-based access control (RBAC) models?

Answer 12

It is the traditional authorization model used in IAM and it defines the permissions based on a user’s job.

Question 13

What is an attribute-based access control (ABAC) model?

Answer 13

An authorization model that defines permissions based on attributes or tags.

Question 14

What are the AWS Directory Services and when are they used?

Answer 14

Simple AD is compatible with basic Active Directory functions and can handle 500 users to 5000 users. Simple AD is for simple requirements.

AWS Managed Microsoft AD is an actual Microsoft Active Directory service. You can create a trust relationship with your on premises directory.

AD Connector provides proxy requests back to an on premises directory. It is great for proxy identities to integrate with AWS services when you do not want to store any directory information in the cloud.

Question 15

What are the three types of identity federation?

Answer 15

Cross account role: When a remote account, so a remote identity provider (IdP), is allowed to assume a role and access your account resources. Look further into AssumeRole and cross-account access as well as AssumeRoleWithSAML and AssumeRoleWithWebIdentity.

SAML 2.0: A standard that is used mostly for on premises, for example, Microsoft Active Directory or others. Users can log in to AWS with their on premises credentials.

Web identity federation: When you use IdPs (for example, Amazon, Google, and Facebook) to allow users to assume roles and access your AWS resources using their IdP credentials.

Question 16

What are the differences between STS Get Tokens, GetFederationToken, and GetSessionToken and when you would use each?

Answer 16

GetFederationToken could be used in a proxy application that gets temporary security credentials for a distributed application in a corporate network.

GetSessionToken could be used if you want to use multi-factor authentication to protect programmatic calls to specific AWS API operations.

You can also use roles to delegate access to not only users and services, but also applications that do not have access to your AWS resources (for example, access to resources or services that a user does not usually have access to or to grant access for users in a different AWS account).

Question 17

What are the two types of Lambda authorizers used with Amazon API Gateway?

Answer 17

Lambda authorizer and REQUEST authorizer.

A token-based Lambda authorizer is the answer for this scenario because a TOKEN authorizer receives the caller’s identity in a bearer token, such as a JSON Web Token (JWT) or an OAuth token.

A request parameter-based Lambda authorizer, also known as REQUEST authorizer, receives the caller’s identity in a combination of headers, query string parameters, StageVariables, and $context variables.

Question 18

What are Amazon Cognito user pools and identity pools?

Answer 18

User pools are user directories that provide sign-up or sign-in for users and authenticate a user to obtain tokens related to user identity and access policies.

Identity pools help to grant temporary and limited credentials for your users to access AWS services and resources and federate them with identity providers.

Question 19

What additional protection does tokenization provide?

Answer 19

Tokenization adds additional protection for your data and can help to meet compliance requirements.

Question 20

What are the two options AWS offers to customers deploying managed X.509 certificates?

Answer 20

AWS Certificate Manager (ACM) is for enterprise customers who need a secure web presence using TLS.

AWS Private CA is for enterprise customers building a public key infrastructure (PKI) inside the AWS cloud and intended for private use within an organization.

Question 21

What are the three main categories of preventative controls?

Answer 21

IAM
Infrastructure security
Data protection (encryption and tokenization)

Question 22

What AWS services can you use for detective controls?

Answer 22

You can see detection of unauthorized traffic by continuous monitoring of VPC flow logs to identify and remediate any security anomalies along with Amazon GuardDuty to manage threat intelligence in the cloud.

And then you can consume these findings as Amazon CloudWatch events to drive automated responses. Under detective controls is also configuration drift and you can use AWS Config with Amazon DynamoDB to detect configuration drift easily at the table level and with Amazon Relational Database Service (Amazon RDS) for database instances, security groups, snapshots, subnet groups, and event subscriptions.

Question 23

What is a canary deployment?

Answer 23

Incoming traffic is shifted in two increments. 10% of the traffic must be shifted in the first increment, and then remaining 90% should be deployed after some minutes.

Question 24

What are the Lambda types of deployment packages?

Answer 24

Container images and .zip file archives.

Question 25

What is AWS AppConfig?

Answer 25

AWS AppConfig helps to create, manage, and quickly deploy application configurations. It supports controlled deployments to applications of any size and includes built-in validation checks and monitoring.

Question 26

What are the AWS CodeDeploy deployment configurations for Amazon ECS deployments?

Answer 26

CodeDeployDefault.ECSLinear10PercentEvery1Minutes
CodeDeployDefault.ECSLinear10PercentEvery3Minutes
CodeDeployDefault.ECSCanary10Percent5Minutes
CodeDeployDefault.ECSCanary10Percent15Minutes

Question 27

What are the AWS CodeDeploy deployment configurations for Amazon Elastic Compute Cloud (Amazon EC2) or on premises?

Answer 27

CodeDeployDefault.OneAtATime: Deploys the application revision to only one instance at a time

CodeDeployDefault.HalfAtATime: Deploys to up to half of the instances at a time (with fractions rounded down)

CodeDeployDefault.AllAtOnce: Attempts to deploy an application revision to as many instances as possible at once

Question 28

What are the CloudFormation set of helper scripts?

Answer 28

cfn-init, cfn-signal, cfn-get-metadata, and cfn-hup.

Question 29

When would you use cfn-init?

Answer 29

You would use cfn-init to retrieve metadata, install packages, start services, or create files.

Question 30

What is the run order of hooks in an Amazon ECS deployment for CodeDeploy?

Answer 30

Start, BeforeInstall, Install, AfterInstall, AllowTestTraffic, AfterAllowTestTraffic, BeforeAllowTraffic, AllowTraffic, AfterAllowTraffic, and end.

Question 31

What is the run order of hooks in an AWS Lambda function for CodeDeploy?

Answer 31

Start, BeforeAllowTraffic, AllowTraffic, AfterAllowTraffic, and end.

Question 32

For AWS STS API who can call AssumeRole?

Answer 32

An IAM user or IAM role with existing temporary security credentials.

Question 33

For AWS STS API who can call AssumeRoleWithSAML?

Answer 33

Any user, but the caller must pass a SAML authentication response that indicates authentication from a known identity provider.

Question 34

For AWS STS API who can call AssumeRoleWithWebIdentity?

Answer 34

Any user, but the caller must pass a web identity token that indicates authentication from a known identity provider

Question 35

For AWS STS API who can call GetFederationToken?

Answer 35

An IAM user or an AWS account root user.

Question 36

For AWS STS API who can call GetSessionToken?

Answer 36

An IAM user or an AWS account root user

Question 37

What is the run order of hooks in blue/green deployments for CodeDeploy?

Answer 37

Start, ApplicationStop, DownloadBundle, BeforeInstall, Install, AfterInstall, ApplicationStart, ValidateService, BeforeAllowTraffic, AllowTraffic, AfterAllowTraffic, BeforeBlockTraffic, BlockTraffic, AfterBlockTraffic, and end.

Question 38

How do you monitor API endpoints in Amazon API Gateway?

Answer 38

In the API Gateway dashboard.

Question 39

Which environment variables are used by Lambda to communicate with AWS X-Ray?

Answer 39

_X_AMZN_TRACE_ID

Question 40

Why would you use the aws sts decode-authorization-message command?

Answer 40

To decode an encoded authorization failure message.

Question 41

Why would you use the –dry-run parameter along with the command line interface (CLI) command?

Answer 41

To verify permission to call a CLI command without actually making a request.

Question 42

How do you monitor the end-to-end view of your application?

Answer 42

Using AWS X-Ray or Amazon CloudWatch ServiceLens.

Question 43

What is the environment variable AWS_XRAY_CONTEXT_MISSING?

Answer 43

The X-Ray SDK uses this variable to determine its behavior if your function tries to record X-Ray data, but a tracing header is not available. Lambda sets this value to LOG_ERROR by default.

Question 44

What does active tracing with X-Ray provide?

Answer 44

Active tracing with AWS X-Ray provides distributed tracing capabilities and visual service maps for faster troubleshooting while identifying degradation, anomalies, and latency.

Question 45

What AWS service helps you use subscription filter policies to optimize messaging?

Answer 45

Amazon Simple Notification Service (Amazon SNS) and Amazon EventBridge Pipes which is a new service and will not appear on the exam for a while.

Question 46

How do you choose the most efficient partition key for the DynamoDB table?

Answer 46

The partition key with the highest cardinality based on user access patterns.

Question 47

What AWS service can be used to reduce the DynamoDB response times?

Answer 47

Amazon DynamoDB Accelerator (DAX) and Amazon ElastiCache.

Question 48

How do you invalidate Amazon API Gateway cache?

Answer 48

First send a request with a Cache-Control: max-age header.
Then enable the Require Authorization option on your API cache settings.