Last Minute Flashcards

1
Q

A Developer created an AWS Lambda function and then attempted to add an on failure destination but received the following error:

The function’s execution role does not have permissions to call SendMessage on arn:aws:sqs:us-east-1:515148212435:FailureDestination

How can the Developer resolve this issue MOST securely?


Create a customer managed policy with all read/write permissions to SQS and attach the policy to the function’s execution role

Add the AWSLambdaSQSQueueExecutionRole AWS managed policy to the function’s execution role

Add the Lambda function to a group with administrative privileges

Add a permissions policy to the SQS queue allowing the SendMessage action and specify the AWS account number

A

Create a customer managed policy with all read/write permissions to SQS and attach the policy to the function’s execution role

This is the best of the four options, but "all read/write permissions to SQS" is still broader than needed: a least-privilege policy grants only sqs:SendMessage on the destination queue’s ARN (arn:aws:sqs:us-east-1:515148212435:FailureDestination). The AWSLambdaSQSQueueExecutionRole AWS managed policy cannot be used because it is written for SQS event-source mappings (ReceiveMessage, DeleteMessage, GetQueueAttributes) and does not grant the SendMessage action. Administrative privileges violate least privilege (and Lambda functions are not members of IAM groups anyway). A queue policy that names only the account number would let every principal in the account send to the queue.
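Worked example added to this deck (mine, not from the card or from AWS): it builds the least-privilege inline policy for the queue ARN in the error message and runs a minimal IAM wildcard check to show why the card’s broad policy works, why the managed policy does not, and what the scoped policy gives up. The action list attributed to AWSLambdaSQSQueueExecutionRole is my transcription of that policy and should be checked against the live policy document.

```python
"""Scope the execution role to the one action the failure destination needs.

Added example for this card, not from the flashcard source or AWS. The queue
ARN is the one in the error message; the managed-policy action list is what
the AWSLambdaSQSQueueExecutionRole policy grants and should be verified
against the live policy document before relying on it.
"""
import fnmatch
import json

QUEUE_ARN = "arn:aws:sqs:us-east-1:515148212435:FailureDestination"


def least_privilege_policy(queue_arn):
    """Inline policy for the execution role: only sqs:SendMessage, only this queue."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "SendToFailureDestination",
            "Effect": "Allow",
            "Action": "sqs:SendMessage",
            "Resource": queue_arn,
        }],
    }


# The card's chosen option: every SQS action on every queue in the account.
BROAD_SQS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sqs:*", "Resource": "*"}],
}

# Actions granted by AWSLambdaSQSQueueExecutionRole (an event-source policy for
# *reading* a queue), which is why attaching it does not fix the error.
MANAGED_SQS_EVENT_SOURCE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:GetQueueAttributes",
                   "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
        "Resource": "*",
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, fold_case):
    """IAM wildcard match: '*' is any run of characters, '?' one character."""
    if fold_case:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def policy_allows(policy, action, resource):
    """Minimal identity-policy evaluation: an explicit Deny wins, else any matching Allow."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        action_hit = any(_matches(a, action, fold_case=True)
                         for a in _as_list(stmt.get("Action", [])))
        resource_hit = any(_matches(r, resource, fold_case=False)
                           for r in _as_list(stmt.get("Resource", [])))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


if __name__ == "__main__":
    # Attach as an inline policy: aws iam put-role-policy --policy-document file://policy.json
    print(json.dumps(least_privilege_policy(QUEUE_ARN), indent=2))
    other_queue = "arn:aws:sqs:us-east-1:515148212435:SomethingElse"  # assumed second queue
    for name, policy in [("least-privilege", least_privilege_policy(QUEUE_ARN)),
                         ("broad sqs:*", BROAD_SQS_POLICY),
                         ("AWSLambdaSQSQueueExecutionRole", MANAGED_SQS_EVENT_SOURCE_POLICY)]:
        print(name, "| SendMessage to destination:", policy_allows(policy, "sqs:SendMessage", QUEUE_ARN),
              "| DeleteQueue elsewhere:", policy_allows(policy, "sqs:DeleteQueue", other_queue))
```

The scoped policy passes the one check the destination needs and fails everything else; the broad policy also lets the function delete or purge any queue in the account, which is the extra blast radius the "MOST securely" wording is asking you to notice.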

2
Q

A developer is writing a custom script that will run in an Amazon EC2 instance. The script needs to access the local IP address from the instance to manage a connection to an application outside the AWS Cloud. The developer found out that the details about an instance can be viewed by visiting a certain Uniform Resource Identifier (URI).

Which of the following is the correct URI?


http://169.254.169.254/latest/user-data/

http://169.254.169.254/latest/meta-data/

A

http://169.254.169.254/latest/meta-data/

The private IPv4 address is the local-ipv4 item under that path: http://169.254.169.254/latest/meta-data/local-ipv4. The user-data path returns the launch script, not instance attributes. In practice use IMDSv2: obtain a session token with PUT /latest/api/token (header X-aws-ec2-metadata-token-ttl-seconds) and send it as X-aws-ec2-metadata-token on the GET. Enforcing IMDSv2 on the instance blocks the token-less v1 requests that an SSRF bug in the application would otherwise be used to make against this endpoint.
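Worked example added to this deck (mine, not from the card or the AWS SDK): the IMDSv2 token exchange followed by the local-ipv4 lookup the card’s script needs. The HTTP transport is a parameter so the logic can be exercised off-instance with a stand-in; the default transport talks to 169.254.169.254 directly.

```python
"""Read the instance's private IPv4 address from IMDS using IMDSv2.

Added example for this card, not from the flashcard source or the AWS SDK.
The HTTP transport is injectable so the logic can be exercised off-instance;
on an EC2 instance the default transport talks to 169.254.169.254 directly.
"""
import urllib.error
import urllib.request

IMDS = "http://169.254.169.254"
TOKEN_TTL_SECONDS = "21600"  # 6 hours, the maximum IMDS accepts


def _urllib_transport(method, url, headers):
    """Real transport: returns (status, body) without raising on 4xx/5xx."""
    request = urllib.request.Request(url, method=method, headers=headers)
    try:
        with urllib.request.urlopen(request, timeout=2) as response:
            return response.status, response.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        return err.code, ""


def imds_get(path, transport=_urllib_transport):
    """GET /latest/meta-data/<path> with a session token (IMDSv2 only, no v1 fallback).

    Refusing the token-less fallback is deliberate: an SSRF in the application
    can usually only make a plain GET, so when the instance enforces IMDSv2
    that GET fails while this client keeps working.
    """
    status, token = transport(
        "PUT", IMDS + "/latest/api/token",
        {"X-aws-ec2-metadata-token-ttl-seconds": TOKEN_TTL_SECONDS},
    )
    if status != 200 or not token:
        raise RuntimeError("IMDSv2 token request failed (IMDS disabled, or hop limit "
                           "exceeded when calling from a container)")
    status, body = transport(
        "GET", IMDS + "/latest/meta-data/" + path,
        {"X-aws-ec2-metadata-token": token},
    )
    if status != 200:
        raise RuntimeError("metadata lookup for %s failed with HTTP %s" % (path, status))
    return body


def local_ipv4(transport=_urllib_transport):
    """The instance's primary private IPv4 address (the value the card's script needs)."""
    return imds_get("local-ipv4", transport)


if __name__ == "__main__":
    print(local_ipv4())
```

If the script runs inside a container on the instance, the default hop limit of 1 makes the PUT fail; raise HttpPutResponseHopLimit on the instance rather than falling back to v1.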

3
Q

What are the hooks for Lambda in the appspec file?

A

BeforeAllowTraffic
AfterAllowTraffic

These are the only two hooks to which you can attach a validation Lambda function. AllowTraffic is the lifecycle event between them (CodeDeploy shifts the alias traffic there) and cannot be scripted. The Lambda AppSpec otherwise contains only the version, the Resources section (function name, Alias, CurrentVersion, TargetVersion) and the Hooks section.

4
Q

An application is hosted in Elastic Beanstalk which is currently running in Java 7 runtime environment. A new version of the application is ready to be deployed and the developer was tasked to upgrade the platform to Java 8 to accommodate the changes.

Which of the following is the MOST appropriate action that the developer should do to upgrade the platform?


Update the environment’s platform version to Java 8.​
Manually upgrade the Java runtime environment of the EC2 instances in the Elastic Beanstalk environment.
Perform a Canary Deployment.
Perform a Blue/Green Deployment.

A

Perform a Blue/Green Deployment.

Updating the environment’s platform version in place is only recommended when moving to a newer version of the same platform branch, that is, without changing the runtime. Java 7 to Java 8 is a different platform branch, so the safe path is to create a new environment on the Java 8 platform, deploy and test the new version there, and swap environment URLs (CNAME swap) once it is verified. Manually upgrading Java on the instances is lost the next time Auto Scaling replaces an instance, and a canary deployment is a traffic-shifting strategy, not a platform change.

5
Q

How to use SSE-C for encrypting S3 Objects?

A

When using server-side encryption with customer-provided encryption keys (SSE-C), you must provide encryption key information using the following request headers:

x-amz-server-side-encryption-customer-algorithm - This header specifies the encryption algorithm. The header value must be “AES256”.

x-amz-server-side-encryption-customer-key - This header provides the 256-bit, base64-encoded encryption key for Amazon S3 to use to encrypt or decrypt your data.

x-amz-server-side-encryption-customer-key-MD5 - This header provides the base64-encoded 128-bit MD5 digest of the encryption key according to RFC 1321. Amazon S3 uses this header for a message integrity check to ensure the encryption key was transmitted without error.

6
Q

What does ExposeHeader in the CORS configuration do?

A

ExposeHeader identifies the response headers (for example x-amz-server-side-encryption, x-amz-request-id and x-amz-id-2) that browser code is allowed to read from a cross-origin response, for example from a JavaScript XMLHttpRequest object or a fetch Response. Without it the browser exposes only the CORS-safelisted response headers such as Content-Type, even though the request itself succeeded. S3 emits the list as the Access-Control-Expose-Headers response header.

7
Q

You are developing a new batch job for the enterprise application suite in your company, which is hosted in an Auto Scaling group of EC2 instances behind an ELB. The application is using an S3 bucket configured with Server-Side Encryption with AWS KMS-Managed Keys (SSE-KMS). The batch job must upload files to the bucket using the default AWS KMS key to protect the data at rest.

What should you do to satisfy this requirement with the LEAST amount of configuration?


Include the x-amz-server-side​-encryption​-customer-algorithm, x-amz-server-side-encryption-customer-key, and x-amz-server-side-encryption-customer-key-MD5 headers with appropriate values in the upload request.

Include the x-amz-server-side-encryption header with a value of aws:kms in your upload request.

Include the x-amz-server-side-encryption header with a value of aws:kms as well as the x-amz-server-side-encryption-aws-kms-key-id header containing the ID of the default AWS KMS key in your upload request.

A

Include the x-amz-server-side-encryption header with a value of aws:kms in your upload request.

When you upload an object you can name the KMS key with the x-amz-server-side-encryption-aws-kms-key-id header. If that header is absent, Amazon S3 uses the AWS managed key for S3 (aws/s3) in the account, so for the default key only x-amz-server-side-encryption: aws:kms is needed. If the bucket policy conditions on the key ID, the KMS key S3 ends up using must match the key ID in that policy or S3 denies the request. The customer-algorithm, customer-key and customer-key-MD5 headers belong to SSE-C, not SSE-KMS.
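Worked example added to this deck (mine, not from the cards or the AWS SDK) covering card 5 (SSE-C) and this card (SSE-KMS): it builds the exact header sets, performs the key-digest check that S3 runs on an SSE-C request, and shows that the default-key SSE-KMS upload is a single header. The demo key is generated on the fly and is an illustration only.

```python
"""Build the S3 request headers for SSE-C (card 5) and SSE-KMS (card 7).

Added example for these cards, not from the flashcard source or the AWS SDK.
The 32-byte key in __main__ is generated on the fly for illustration; a real
SSE-C key must be stored and backed up by you, because S3 keeps only a salted
HMAC of it and cannot recover the object without it.
"""
import base64
import hashlib
import os
from typing import Dict, Optional


def sse_c_headers(key: bytes) -> Dict[str, str]:
    """The three headers every SSE-C PUT and GET must carry (always over HTTPS)."""
    if len(key) != 32:
        raise ValueError("SSE-C needs a 256-bit (32-byte) AES key")
    key_b64 = base64.b64encode(key).decode("ascii")
    digest_b64 = base64.b64encode(hashlib.md5(key).digest()).decode("ascii")
    return {
        "x-amz-server-side-encryption-customer-algorithm": "AES256",
        "x-amz-server-side-encryption-customer-key": key_b64,
        "x-amz-server-side-encryption-customer-key-MD5": digest_b64,
    }


def sse_c_key_digest_matches(headers: Dict[str, str]) -> bool:
    """The integrity check S3 performs before using the key.

    MD5 here detects transmission errors (RFC 1321); it is not a security
    control, since anyone who can read the key header can also compute it.
    """
    key = base64.b64decode(headers["x-amz-server-side-encryption-customer-key"])
    expected = base64.b64encode(hashlib.md5(key).digest()).decode("ascii")
    return expected == headers["x-amz-server-side-encryption-customer-key-MD5"]


def sse_kms_headers(kms_key_id: Optional[str] = None) -> Dict[str, str]:
    """SSE-KMS: one header for the default aws/s3 key, two to pin a specific key."""
    headers = {"x-amz-server-side-encryption": "aws:kms"}
    if kms_key_id:
        headers["x-amz-server-side-encryption-aws-kms-key-id"] = kms_key_id
    return headers


if __name__ == "__main__":
    demo_key = os.urandom(32)  # constructed for the demo; never log a real key
    for name, value in sse_c_headers(demo_key).items():
        print(name + ": " + value)
    print(sse_kms_headers())  # the "least configuration" answer of card 7
    # assumed key ARN, for illustration only
    print(sse_kms_headers("arn:aws:kms:us-east-1:111122223333:key/example-key-id"))
```

With boto3 the same values go in as the SSECustomerAlgorithm / SSECustomerKey / SSECustomerKeyMD5 and ServerSideEncryption / SSEKMSKeyId parameters of put_object; the SDK base64-encodes and hashes the SSE-C key for you, which is why the header-level detail above is what you see in access logs and raw HTTP, not in application code.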

8
Q

A developer is planning to add a global secondary index in a DynamoDB table. This will allow the application to query a specific index that can span all of the data in the base table, across all partitions.

Which of the following should the developer consider when using this type of index?

Queries or scans on this index consume capacity units from the index, not from the base table.
Queries or scans on this index consume read capacity units from the base table.

A

Queries or scans on this index consume capacity units from the index, not from the base table.

9
Q

A developer wants to package the code and dependencies for the application-specific Lambda functions as container images to be hosted on Amazon Elastic Container Registry (ECR).

Which of the following options are correct for the given requirement? (Select two)


To deploy a container image to Lambda, the container image must implement the Lambda Runtime API

You can deploy Lambda function as a container image, with a maximum size of 15 GB

You can test the containers locally using the Lambda Runtime API

Lambda supports both Windows and Linux-based container images

You must create the Lambda function from the same account as the container registry in Amazon ECR

A

To deploy a container image to Lambda, the container image must implement the Lambda Runtime API

You must create the Lambda function from the same account as the container registry in Amazon ECR

The other options are wrong: the maximum container image size is 10 GB, not 15 GB; local testing is done with the Lambda Runtime Interface Emulator (RIE), which stands in for the service side of the Runtime API; and only Linux-based images are supported.

10
Q

What is error 412 (PreconditionFailedException) for Lambda?

A

The RevisionId you passed no longer matches the current one: another user or process updated or published the function (or alias) in the meantime, so Lambda rejected the write instead of overwriting their change (optimistic concurrency control).

Fetch the current RevisionId again (GetFunction or GetFunctionConfiguration for a function, GetAlias for an alias) and retry the PublishVersion / UpdateAlias call with the new value.
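Worked example added to this deck (mine, not from the card or the AWS SDK): a PublishVersion wrapper that passes RevisionId, catches the 412 and re-reads the revision before retrying. The client argument is any object shaped like a boto3 Lambda client; the function name and description are placeholders.

```python
"""Recover from Lambda's 412 PreconditionFailedException with a fresh RevisionId.

Added example for this card, not from the flashcard source. `client` is a
boto3 Lambda client (or anything exposing the same get_function /
publish_version methods and the exceptions attribute); function and
description values are placeholders.
"""


def publish_version_with_retry(client, function_name, description="", max_attempts=3):
    """Publish a version only if the function is unchanged since we last read it.

    Passing RevisionId makes PublishVersion conditional: if someone else updated
    or published the function in between, Lambda answers 412 instead of
    silently publishing on top of their change. We then re-read and retry,
    which is the right fix; dropping RevisionId would "work" but reintroduces
    the lost-update race the check exists to prevent.
    """
    precondition_failed = client.exceptions.PreconditionFailedException
    last_error = None
    for _ in range(max_attempts):
        configuration = client.get_function(FunctionName=function_name)["Configuration"]
        try:
            return client.publish_version(
                FunctionName=function_name,
                Description=description,
                RevisionId=configuration["RevisionId"],
            )
        except precondition_failed as err:
            last_error = err  # concurrent change: loop re-reads the RevisionId
    raise RuntimeError("gave up after %d attempts" % max_attempts) from last_error


if __name__ == "__main__":
    import boto3  # only needed for the live call, not for the function above
    print(publish_version_with_retry(boto3.client("lambda"), "my-function", "release 1.2.3"))
```

The same pattern applies to UpdateAlias: read the alias with GetAlias, pass its RevisionId, and retry on 412.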

11
Q

What is the Amazon S3 encryption client?

A

A client-side encryption library from AWS: objects are encrypted before they leave the application and decrypted after download, so S3 only ever stores ciphertext. The data key can be wrapped with a key you hold (symmetric or asymmetric) or with an AWS KMS key.

The Amazon S3 Encryption Client is integrated into the AWS SDKs for Java, Ruby and .NET, among others.

12
Q

How to encrypt data in RDS?

A

RDS does support encryption at rest (AES-256 via AWS KMS, chosen when the instance is created) and TLS in transit, but that protects the storage volume and backups, not the data from anyone who can query the database. Fields that must stay confidential even to database users, application bugs or a leaked dump have to be encrypted client-side in the application.
Such fields cannot be queried directly (no equality match, range or LIKE on ciphertext).
To support equality lookups on encrypted data, store next to the ciphertext a keyed-hash message
authentication code (HMAC) of the plaintext, computed with a separate key, and query on that column.
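Worked example added to this deck (mine, not from the card): the HMAC "blind index" the card describes, with a per-column index key derived separately from the encryption key, normalisation so that case and whitespace differences still match, and a lookup that returns candidate rows. Only the index side is shown; the ciphertext column would come from an AEAD library such as AES-GCM, which is not in the standard library. Keys and rows are constructed values.

```python
"""Equality-searchable encrypted column using an HMAC blind index.

Added example for this card, not from the flashcard source. Only the index
side is shown; the ciphertext column would come from an AEAD library such as
AES-GCM (not in the standard library). Keys and rows are constructed values.
"""
import hashlib
import hmac


def derive_index_key(root_key: bytes, column: str) -> bytes:
    """One index key per column, separate from the column's encryption key.

    A leaked index key then reveals only equality of values, never the
    plaintext, and a leaked data key does not let an attacker forge index
    values to probe the table for a guessed email address.
    """
    return hmac.new(root_key, b"blind-index:" + column.encode("utf-8"), hashlib.sha256).digest()


def normalize(value: str) -> str:
    """Canonicalise before hashing so 'Alice@Example.com ' and 'alice@example.com' match."""
    return value.strip().lower()


def blind_index(index_key: bytes, value: str, bits: int = 128) -> str:
    """HMAC-SHA256 of the normalised plaintext, truncated to `bits`, hex-encoded.

    Truncation adds a few false positives (the application still decrypts and
    verifies the real value) and reduces what the stored index reveals.
    """
    tag = hmac.new(index_key, normalize(value).encode("utf-8"), hashlib.sha256).digest()
    return tag[: bits // 8].hex()


def find_rows(rows, index_key: bytes, value: str):
    """Candidate rows for `value` (WHERE email_idx = :needle in SQL); verify after decrypting."""
    needle = blind_index(index_key, value)
    return [row for row in rows if hmac.compare_digest(row["email_idx"], needle)]


if __name__ == "__main__":
    root = b"\x01" * 32  # constructed root key for the demo
    key = derive_index_key(root, "users.email")
    table = [
        {"id": 1, "email_ct": "<aead ciphertext>", "email_idx": blind_index(key, "bob@example.com")},
        {"id": 2, "email_ct": "<aead ciphertext>", "email_idx": blind_index(key, "alice@example.com")},
    ]
    print([row["id"] for row in find_rows(table, key, " ALICE@example.com")])
```

The index is deterministic by design, so it leaks which rows share a value; that is the trade-off the card alludes to with "more efficient querying", and it is why the index key must never be the data key and why range or prefix queries still need a different approach.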

13
Q

What are the four ways to encrypt data in S3?

A

Client-side encryption: data is encrypted before it is sent to S3 (for example with the S3 Encryption Client), so S3 never sees the key.

Server-side encryption with Amazon S3-managed keys (SSE-S3): can be enabled from the CLI or console. Each object is encrypted with
a unique data key. As an additional safeguard, that key is encrypted with a periodically
rotated root key managed by Amazon S3. SSE-S3 uses 256-bit
Advanced Encryption Standard (AES-256) keys for both object and root keys. This feature is
offered at no additional cost beyond what you pay for using Amazon S3.

Server-side encryption with customer-provided keys (SSE-C): you send the key with each request and Amazon S3 uses it
to encrypt your data with AES-256. After the object is encrypted, the key is
deleted from the Amazon S3 system that used it; S3 keeps only a salted HMAC of the key to validate
later requests. When you retrieve the object, you must provide the same key again.

Server-side encryption with AWS KMS keys (SSE-KMS):
- S3 requests a data key from KMS, which encrypts it under the KMS key (the AWS managed aws/s3 key or a customer managed key)
- KMS returns the encrypted data key together with the plaintext data key to S3
- S3 encrypts the object with the plaintext data key, stores the encrypted object together with the encrypted data key, and deletes the plaintext
data key from memory

14
Q
Which are the components of key management infrastructure (KMI)? (Select TWO.)
A. Storage layer
B. Data layer
C. Management layer
D. Encryption layer
A

A. Storage layer

C. Management layer

15
Q

What are the two ways to enforce encryption on S3?

A

Bucket default encryption (console, CLI or API):

  • Set “Default encryption” on the bucket, choosing SSE-S3 or SSE-KMS (AWS managed or customer managed key)
  • Applies to every new object uploaded without its own encryption headers; since January 2023 S3 applies SSE-S3 to new objects in every bucket automatically, so this setting mainly matters when SSE-KMS or a specific key is required

Bucket policy:

  • A Deny statement on s3:PutObject conditioned on the s3:x-amz-server-side-encryption condition key (and s3:x-amz-server-side-encryption-aws-kms-key-id when a specific key is required) rejects uploads that omit the header or carry the wrong value, so the upload fails instead of landing unencrypted or under the wrong key
  • S3 evaluates the request header against that condition before accepting the upload, so a client cannot bypass the requirement by simply not asking for encryption
16
Q

What is a S3 Bucket Key?

A

When you configure your bucket to use an S3 Bucket Key for SSE-KMS, AWS KMS generates a bucket-level key that is used to create unique data keys for new objects that you add to the bucket. This S3 Bucket Key is used for a time-limited period within Amazon S3, reducing the need for Amazon S3 to make requests to AWS KMS to complete encryption operations.

17
Q

What are the sections of the CORS configuration?

A

AllowedHeaders (request headers the browser may send on the actual request, e.g. Authorization, x-amz-*)
AllowedMethods (GET, PUT, POST, DELETE, HEAD)
AllowedOrigins (scheme and host, e.g. https://www.example.com; a single * wildcard is permitted)
ExposeHeaders (response headers that JavaScript is allowed to read)

MaxAgeSeconds (how long the browser may cache the preflight response)
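Worked example added to this deck (mine, not from the cards or from S3) covering card 6 (ExposeHeaders) and this card: a rule matcher that takes an S3 CORS configuration plus the browser’s Origin, method and requested headers and returns the CORS response headers S3 would add, or None when no rule matches and the browser therefore blocks the response. The configuration is constructed; the origin-echo behaviour for wildcard origins is a simplification of S3’s.

```python
"""Evaluate an S3 CORS configuration the way a preflight or simple request is matched.

Added example for cards 6 and 17, not from the flashcard source or S3 itself.
CORS_CONFIG is a constructed configuration in the JSON form put-bucket-cors
accepts. Simplification: for a wildcard origin pattern S3 echoes the request
Origin (and adds Vary: Origin); only the exact "*" rule yields "*".
"""
import fnmatch

CORS_CONFIG = {
    "CORSRules": [
        {
            "AllowedOrigins": ["https://www.example.com", "https://*.example.net"],
            "AllowedMethods": ["GET", "HEAD"],
            "AllowedHeaders": ["Authorization", "x-amz-*"],
            "ExposeHeaders": ["x-amz-request-id", "x-amz-id-2", "x-amz-server-side-encryption"],
            "MaxAgeSeconds": 3000,
        }
    ]
}


def _matches(patterns, value, fold_case=False):
    """S3 CORS wildcard match ('*' is any run of characters); header names are case-insensitive."""
    candidate = value.lower() if fold_case else value
    return any(fnmatch.fnmatchcase(candidate, p.lower() if fold_case else p) for p in patterns)


def evaluate_cors(config, origin, method, request_headers=()):
    """Return the CORS response headers for the first matching rule, or None.

    A rule matches only if the Origin matches an AllowedOrigin, the method is
    listed, and every header named in Access-Control-Request-Headers matches
    an AllowedHeader. None means S3 sends no CORS headers and the browser
    blocks the response even though S3 would have served it.
    """
    for rule in config["CORSRules"]:
        if not _matches(rule["AllowedOrigins"], origin):
            continue
        if method.upper() not in rule["AllowedMethods"]:
            continue
        allowed_headers = rule.get("AllowedHeaders", [])
        if any(not _matches(allowed_headers, h, fold_case=True) for h in request_headers):
            continue
        response = {
            "Access-Control-Allow-Origin": "*" if rule["AllowedOrigins"] == ["*"] else origin,
            "Access-Control-Allow-Methods": ", ".join(rule["AllowedMethods"]),
        }
        if request_headers:
            response["Access-Control-Allow-Headers"] = ", ".join(request_headers)
        if rule.get("ExposeHeaders"):
            # Card 6: without this list, JavaScript cannot read these headers.
            response["Access-Control-Expose-Headers"] = ", ".join(rule["ExposeHeaders"])
        if "MaxAgeSeconds" in rule:
            response["Access-Control-Max-Age"] = str(rule["MaxAgeSeconds"])
        return response
    return None


if __name__ == "__main__":
    print(evaluate_cors(CORS_CONFIG, "https://www.example.com", "GET", ["x-amz-date"]))
    print(evaluate_cors(CORS_CONFIG, "https://evil.example.org", "GET"))  # None
```

The security point is in the origin list: an AllowedOrigin of * combined with a bucket that serves private data lets any site read it with the visitor’s cookies or pre-signed URLs, so list concrete origins and keep ExposeHeaders to what the front end needs.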

18
Q

Where can the templates referenced by nested stacks be located?

A

In an Amazon S3 bucket: the TemplateURL of each AWS::CloudFormation::Stack resource must be an S3 URL that the account deploying the parent (main) template is allowed to read.

19
Q

What is the use-case for nested stacks?

A

Reuse templates (for load-balancers etc.), so they do not need to be written multiple times

20
Q

What service delivers a JWT Token?

A

Amazon Cognito user pools issue JSON Web Tokens (an ID token, an access token and a refresh token) after a user signs in, whether with a user-pool password or through a federated identity provider such as Facebook, Google or a SAML/OIDC provider. Cognito identity pools, by contrast, exchange such tokens for temporary AWS credentials.

21
Q

How does push synchronization for Cognito Sync work “under the hood”?

A

It uses Amazon SNS: when a dataset changes, Cognito Sync publishes a silent push notification through SNS to the user’s other devices so that they pull the updated data.

22
Q

What are the three parts of a PutRecord call in Kinesis?

A
  • Name of the Stream
  • Partition Key
  • Data
23
Q

Kinesis

What is a partition key?

A

It determines which shard a record goes to: Kinesis hashes the partition key (MD5) to a 128-bit value and routes the record to the shard whose hash key range contains it.
Therefore there should be many more distinct partition keys than shards.

Avoid keys that concentrate traffic on one partition (a hot shard): the per-shard write limit then throttles those producers while other shards sit idle.
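Worked example added to this deck (mine, not from the cards or the Kinesis SDK) covering card 22 (the PutRecord fields) and this card: it reproduces the MD5 partition-key hashing Kinesis uses, routes records to shards by hash key range, and counts records per shard so a hot key is visible before it costs you throttling. The shard table is constructed; real ranges come from DescribeStream.

```python
"""Route Kinesis records to shards the way the service does: MD5(partition key) as a 128-bit hash key.

Added example for cards 22 and 23, not from the flashcard source or the AWS
SDK. make_shards() builds a constructed shard table; on a real stream the
HashKeyRange of each shard comes from DescribeStream.
"""
import hashlib
from collections import Counter

MAX_HASH_KEY = 2 ** 128 - 1


def explicit_hash_key(partition_key: str) -> int:
    """Kinesis MD5-hashes the UTF-8 partition key and reads the digest as a 128-bit integer."""
    return int.from_bytes(hashlib.md5(partition_key.encode("utf-8")).digest(), "big")


def make_shards(count: int):
    """Split the hash space evenly into `count` open shards: [(shard_id, start, end), ...]."""
    size = (MAX_HASH_KEY + 1) // count
    return [
        ("shardId-%012d" % i, i * size, MAX_HASH_KEY if i == count - 1 else (i + 1) * size - 1)
        for i in range(count)
    ]


def shard_for(partition_key: str, shards) -> str:
    hash_key = explicit_hash_key(partition_key)
    for shard_id, start, end in shards:
        if start <= hash_key <= end:
            return shard_id
    raise ValueError("hash key falls outside every shard range; the shard table is incomplete")


def put_record(stream_name: str, partition_key: str, data: bytes, shards) -> dict:
    """The three PutRecord fields from card 22, plus the shard the record will land on."""
    return {
        "StreamName": stream_name,
        "PartitionKey": partition_key,
        "Data": data,
        "ShardId": shard_for(partition_key, shards),
    }


def records_per_shard(partition_keys, shards) -> Counter:
    """Count records per shard: one key reused for every record produces one hot shard."""
    return Counter(shard_for(key, shards) for key in partition_keys)


if __name__ == "__main__":
    shards = make_shards(4)
    print(put_record("clickstream", "user-42", b'{"event":"login"}', shards))  # constructed record
    print("hot key:", records_per_shard(["tenant-1"] * 1000, shards))
    print("spread :", records_per_shard(["user-%d" % i for i in range(1000)], shards))
```

A high-cardinality key (user or session ID) spreads load; a low-cardinality key such as a tenant name or a fixed string sends every record to one shard and caps the whole stream at that shard’s limit.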

24
Q

Kinesis

What are the three options for Producers?

A

Kinesis Agent: stand-alone Java application that tails files on a host (log files, for example) and writes the records to a stream

Kinesis Data Streams API (PutRecord / PutRecords): put records into the stream programmatically from your own code

Kinesis Producer Library (KPL): a higher-level library on top of the API that adds retries, buffering, batching and aggregation of many records into one API call, at the cost of extra latency

25
Q

Kinesis

What are the three options for Consumers?

A

Kinesis Data Streams API (GetShardIterator / GetRecords): usually called from code on EC2; one instance can read more than one shard, but your code has to track shards and checkpoints itself.

Kinesis Client Library (KCL): coordinates the consumers and assigns shards to them (no shard ignored, and no shard processed by two consumers), using a DynamoDB table for leases and checkpoints.

AWS Lambda: the event source mapping polls each shard and invokes the function with batches in order per shard, so the function never has to handle the ProvisionedThroughputExceededException (throttling) error itself.