Misc

Question 1

What are the lifecycle event hooks for CodeDeploy?

Answer 1

• Start (Cannot be scripted)
• BeforeInstall (EC2 only)
• Install (Cannot be scripted)
• AfterInstall (EC2 only)
• AllowTestTraffic (Cannot be scripted)
• AfterAllowTestTraffic (EC2 only)
• BeforeAllowTraffic (Lambda / EC2)
• AllowTraffic (Cannot be scripted)
• AfterAllowTraffic (Lambda / EC2)
• End (Cannot be scripted)

Question 2

Where are CodeDeploy deploy instructions written? (in what file?)

Answer 2

Appspec.yml

Question 3

What can you deploy to with CodeDeploy?

Answer 3

EC2, On Premise, Lambda and ECS

Question 4

What type of deployments can you do with CodeDeploy?

Answer 4

In-Place or Blue/Green

Question 5

What are the Elastic Beanstalk deployment options?

Answer 5

All at once
Rolling
Rolling with additional batch
Immutable
Blue/Green (Traffic Splitting Deployment Policy)

Question 6

Which Elastic Beanstalk deployments deploy to new instances?

Answer 6

Rolling with additional batch

Immutable

Question 7

What are the components of ECS?

Answer 7

• Cluster: Multiple EC2 instances which will house the docker containers
• Task Definition: A JSON file that defines the configuration of (up to 10) containers you want to run
• Task: Launches containers defined in Task Definition. Tasks do not remain running once the workload is complete
• Service: Ensures tasks remaining running eg. web app.
• Container Agent: Binary on each EC2 instance which monitors, starts, and stops tasks

Question 8

What is the X-Ray header called which identifies a trace that passed along to downstream services

Answer 8

The Tracing Header is named X-Amzn-Trace-Id

Question 9

What X-Ray component provides the resource’s name, details about the request, and details about the work done?

Answer 9

Segments

Question 10

What X-Ray component provides more granular timing information and details about downstream calls that your app made to fulfill the original request?

Answer 10

Subsegments

Question 11

What X-Ray component collects all segments generated by a single request so you can track the path of requests through multiple services?

Answer 11

Traces

Question 12

What X-Ray component provides a flow chart visualization of average response for micro-services and to visually pinpoint the failure?

Answer 12

Service Graph

Question 13

X-Ray supports which languages?

Answer 13

Go, NodeJS, Ruby, Java, Python, ASP.NET, PHP

Question 14

X-Ray integrates with which AWS Services?

Answer 14

Lambda, API Gateway, App Mesh, CloudTrail, CloudWatch, AWS Config, EB, ELB, SNS, SQS, EC2, ECS, Fargate

Question 15

In X-Ray, what allows you to capture additional information in key-value pairs?

Answer 15

Annotations and Metadata.

• Annotations are indexed for use with filter expressions with a limit of 50
• Metadata are not indexed. Use Metadata to record data you want to store in the trace but don’t need to use for searching traces

Question 16

How does the X-Ray Daemon work?

Answer 16

X-Ray Daemon is a software application that listens for traffic on UDP port 2000, gathers raw segment data, and relays it to the AWS X-Ray API. Data is generally not sent directly to the X-Ray API and passes through the X-Ray Daemon which uploads in bulk

Question 17

Which AWS service would allow the developer to fully test and debug any resource based policies before deploying the changes?

Answer 17

AWS Trusted Advisor is an online tool that provides you real time guidance to help you provision your resources following AWS best practices.

Question 18

What ElastiCache feature is used to manage runtime settings?

Answer 18

Parameter groups.

Parameter groups are an easy way to manage runtime settings for supported engine software. Parameters are used to control memory usage, eviction policies, item sizes, and more. An ElastiCache parameter group is a named collection of engine-specific parameters that you can apply to a cluster. By doing this, you make sure that all of the nodes in that cluster are configured in exactly the same way.

Question 19

What does a VPC flow log do?

Answer 19

capture all incoming and outgoing IP traffic within your VPC.

Question 20

How to enable CloudWatch alarms triggered on a 10 second interval basis?

Answer 20

High Resolution Metrics can be as low as 10 seconds.

Question 21

What RDS feature allows to see how different processes or threads on a DB instance use the CPU?

Answer 21

Enhanced Monitoring

Question 22

How would you troubleshoot an EC2 application’s memory usage in CloudWatch?

Answer 22

Install CloudWatch Agent

Question 23

Can you create access keys for an IAM role?

Answer 23

No, you cannot. Only for IAM users.

Question 24

Using API Gateway with HTTP proxy for backend endpoints, how would you direct traffic to different endpoints for different stages e.g. dev, QA, prod?

Answer 24

Use stage variables in the HTTP integration request of the API.

With deployment stages in API Gateway, you can manage multiple release stages for each API, such as dev, QA and production. Using stage variables, you can configure an API deployment stage to interact with different backend endpoints.

Question 25

A company currently uses API Gateway as part of their production environment. There is a requirement for a specific stage in the gateway to be able to interact directly with a DynamoDB table.

Which API Gateway component would they have to configure in order to achieve this functionality?

Answer 25

An Integration request.

With DynamoDB as the backend, the API developer sets up the integration request to forward the incoming method request to the chosen backend. The setup includes specifications of an appropriate DynamoDB action, required IAM role and policies, and required input data transformation. The backend returns the result to API Gateway as an integration response.

To route the integration response to an appropriate method response (of a given HTTP status code) to the client, you can configure the integration response to map required response parameters from integration to method. You then translate the output data format of the backend to that of the frontend, if necessary. API Gateway enables you to define a schema or model for the payload

Question 26

Elastic Beanstalk two environment types?

Answer 26

Web Environment or a Worker Environment

Question 27

Elastic Beanstalk web environment two types are?

Answer 27

Single-Instance or Load Balanced

Question 28

What is the Fargate memory limit?

Answer 28

30 GB

Question 29

Which service compiles your source code, runs unit tests, and produces artifacts that are ready to deploy?

Answer 29

CodeBuild

Question 30

What file includes CodeBuild configuration?

Answer 30

buildspec.yml

Question 31

Which service allows you to provision, manage, and deploy public and private SSL/TLS certificates for use with AWS services?

Answer 31

Amazon Certificate Manager (ACM)

Question 32

Using ACM, how can SSL be terminated?

Answer 32

• Terminating SSL at the Load Balancer

- Terminating SSL End-to-End

Question 33

Which services can AWS Certificate Manager (ACM) be attached to?

Answer 33

CloudFront
API Gateway
Elastic Beanstalk (through ELB)

Question 34

What is Route53?

Answer 34

Route53 is a DNS provider, register and manage domains, create record sets.

Question 35

What are the 7 routing options using Route53?

Answer 35

Simple Routing - Default routing policy, multiple addresses result in a random endpoint selection

Weighted Routing - Split up traffic based on different ‘weights’ assigned (percentages)

Latency-Based Routing - Directs traffic based on region, for lowest possible latency for users.

Failover Routing - Primary site in one location, secondary data recovery site in another. (change on health check)

Geolocation Routing - Route traffic based on the geographic location of a requests origin.

Geo-proximity Routing - Route traffic based on geographic location using ‘Bias’ values (needs Route53 Traffic Flow)

Multi-value Answer Routing - Return multiple values in response to DNS queries. (using health checks. The difference between this and Simple Routing is the health checks.)

Question 36

What is Route53 Traffic Flow?

Answer 36

Traffic Flow - visual editor, for chaining routing policies, can version policy records for easy rollback

Question 37

What is AWS Alias Record?

Answer 37

AWS’ smart DNS record, detects changed IPs for AWS resources and adjusts automatically.

Question 38

What is Route53 Resolver?

Answer 38

Lets you regionally route DNS queries between your VPCs and your network Hybrid Environments

Question 39

What are the 3 components of Cognito?

Answer 39

User Pools user directory, allows users to authenticate using OAuth to IpD such as Facebook, Google, Amazon to connect to web-applications. Cognito User Pool is in itself a IpD. User Pools use JWTs for to persist authentication

Identity Pools provide temporary AWS credentials to access services eg. S3, DynamoDB. You can control access to your backend AWS resources and APIs through Amazon Cognito so users of your app get only the appropriate access. You can map users to different roles and permissions and get temporary AWS credentials for accessing AWS services such as Amazon S3, Amazon DynamoDB, Amazon API Gateway, and AWS Lambda.

Cognito Sync can sync user data and preferences across devices with one line of code (powered by SNS)

Question 40

What type of queues does SQS have?

Answer 40

Standard Queues allow you a nearly-unlimited number of transactions per second. Guarantees that a message will be delivered AT LEAST once. More than one copy of a message could be potentially delivered out of order. Provides best-effort ordering that helps ensure a message is generally delivered in the same order that it was sent.

AWS SQS First-In-First-Out queues support multiple ordered message groups within a single queue. Limited to 300 transactions per second. SWS FIFO queues have all the same capabilities of a Standard Queue

Question 41

Is SQS pull or push?

Answer 41

pull

Question 42

What types of polling does SQS have?

Answer 42

There are two kinds of polling Short (Default) and Long Polling:

• Short polling returns messages immediately, even if the message queue being polled is empty.
• Long polling waits until message arrives in the queue, or the long poll timeout expires.

In majority of cases Long polling is preferred over short polling.

Question 43

What is the SQS message size?

Answer 43

Message size between 1 byte to 256 kb

Question 44

What is the SQS message retention period?

Answer 44

SQS can retain messages from 60 seconds to 14 days and by default is 4 days

Question 45

In KMS, what is Envelope Encryption?

Answer 45

Master Keys are used to encrypt data keys

Question 46

What are the 5 EC2 instance types?

Answer 46

General Purpose: balance of compute, memory and networking resources

Compute Optimised: ideal for compute bound applications that benefit from high performance processors

Memory Optimised: fast performance for workloads that process large data sets in memory

Accelerated Optimised: hardware accelerators, or co-processors

Storage Optimised: high, sequential read and write access to very large data sets on local storage

Question 47

What are EC2 Placement Groups?

Answer 47

Placement groups let you choose the logical placement of your instances to optimise for communication, performance or durability. Placement groups are free

Question 48

How many VPCs can you have in a region?

Answer 48

5 VPCs per region

Question 49

How does scaling occur in ASG?

Answer 49

• Capacity Settings
• Health Check Replacements
• Scaling Policies

Question 50

What are the ASG capacity settings?

Answer 50

Min, Max and Desired Capacity.

ASG will always launch instances to meet minimum capacity.

Question 51

What are ASG health check types?

Answer 51

• EC2 Health Check Type

- ELB Health Check Type

Question 52

ASG: what does scaling out mean?

Answer 52

Adding More Instances (Scaling Out).

Scaling In means removing instances.

Question 53

What are the 3 ASG scaling policies?

Answer 53

1) Target Tracking Scaling Policy
Maintains a specific metric at a target value. eg. If Average CPU Utilization exceeds 75% then add another server.

2) Simple Scaling Policy (legacy, do not use)
Scales when an alarm is breached.
Not recommended, legacy scaling policy. Use scaling policies with steps now.

3) Scaling policies with steps
Scales when an alarm is breached, can escalate based on alarm value changing.

Question 54

What do VPC Endpoints do?

Answer 54

VPC Endpoints help keep traffic between AWS services within the AWS Network

Question 55

What are the two types of VPC Endpoints?

Answer 55

There are two kinds of VPC Endpoints. Interface Endpoints and Gateway Endpoints

Interface Endpoints support many AWS services. Interface Endpoints uses an Elastic Network Interface (ENI) with Private IP. This is all powered by AWS PrivateLink. Interface Endpoints cost money.

Gateway Endpoints is a target for a specific route in your route table. They only support DynamoDB and S3. Gateway Endpoints are free.

Question 56

What are the 3 types of ELB?

Answer 56

Network, Application and Classic Load Balancer

Application Load Balancer is for HTTP(S) traffic and the name implies it good for Web Applications

Network Load Balancer is for TCP/UDP is good for high network throughput eg. Video Games

Classic Load Balancer is legacy and its recommended to use ALB or NLB

Question 57

What restrictions/setup requirements do ELB have?

Answer 57

A Elastic Load Balancer must have at least two Availability Zones.

Elastic Load Balancers cannot go cross-region. You must create one per region.

Question 58

Using ELB, how can user sessions be remembered?

Answer 58

Sticky Sessions. Can be enabled for CLB or ALB and sessions are remembered via Cookie.

Question 59

What components do ELB application and network load balancers have to route traffic?

Answer 59

ALB has Listeners, Rules and Target Groups to route traffic

NLB use Listeners and Target Groups to route traffic

Question 60

What is a security group?

Answer 60

a firewall at the instance level

Question 61

Security Groups, true or false: Unless allowed specifically, all inbound traffic is blocked by default.

Answer 61

True

Question 62

Security Groups, true or false: All Outbound traffic from the instance is allowed by default.

Answer 62

True

Question 63

Security Groups are STATEFUL (if traffic is allowed inbound it is also allowed outbound). True or false?

Answer 63

True

Question 64

How do you block a specific IP address using a security group?

Answer 64

You cannot block specific IP addresses with Security Groups, for this you would need a Network Access Control List (NACL)

Question 65

What is a NACL?

Answer 65

Network Access Control List is commonly known as NACL

VPCs are automatically given a default NACL which allows all outbound and inbound traffic.

Each subnet within a VPC must be associated with a NACL

Question 66

Are NACLs stateful or stateless?

Answer 66

NACLs are STATELESS (incoming rule will not be applied to the outgoing)

Question 67

When you create a NACL is traffic allowed or denied by default?

Answer 67

When you create a NACLs it will deny all traffic by default

Question 68

What are the 3 components of IAM?

Answer 68

IAM Identities as Users, Groups, and Roles -** IAM Users** End users who log into the console or interact with AWS resources programmatically

IAM Groups: Group up your Users so they all share permission levels of the group eg. Administrators, Developers, Auditors -** IAM Roles** Associate permissions to a Role and then assign this to an Users or Groups

IAM Policies JSON documents which grant permissions for a specific user, group, or role to access services. Policies are attached to to IAM Identities

Question 69

The 3 types of IAM policies?

Answer 69

Managed Policies are policies provided by AWS and cannot be edited
Customer Managed Policies are policies created by use the customer, which you can edit
Inline Policies are policies which are directly attached to a user

Question 70

The components of CloudFront?

Answer 70

Origin: The location where all of original files are located. For example an S3 Bucket, EC2 Instance, ELB, or Route53

Edge Location: The location where web content will be cached. This is different than an AWS Region or AZ

Distribution: A collection of Edge locations which defines how cached content should behave

Question 71

The 2 types of CloudFront Distributions?

Answer 71

Web (for websites)

RTMP (for streaming media)

Question 72

The 4 Available Lambda@Edge Functions?

Answer 72

Viewer request When CloudFront receives a request from a viewer 


Origin request Before CloudFront forwards a request to the origin 


Origin response When CloudFront receives a response from the origin


Viewer response Before CloudFront returns the response to the viewer

Question 73

How does CloudFront access private S3 buckets?

Answer 73

Origin Access Identity (OAI) is used access private S3 buckets

Question 74

How do you protect CloudFront access to cached content?

Answer 74

Access to cached content can be protected via Signed Urls or Signed Cookies

Question 75

What is the default logging period for CloudTrail?

Answer 75

CloudTrail by default logs event data for the past 90s days via Event History.

Question 76

How do you track beyond the default time period in CloudTrail?

Answer 76

To track beyond 90 days you need to create a Trail.

Question 77

how do you see if logs have been tampered with in CloudTrail?

Answer 77

To ensure logs have not been tampered with you need to turn on Log File Validation option

Question 78

What are the two kinds of CloudTrail events?

Answer 78

Management Events and Data Events

Management events log management operations eg. AttachRolePolicy

Data Events log data operations for resources (S3, Lambda) eg. GetObject, DeleteObject, and PutObject. Data Events are disabled by default when creating a Trail.

Question 79

CloudFormation error message is like?

Answer 79

ROLLBACK_IN_PROGRESS

Question 80

What are smaller reusable templates called in CloudFormation?

Answer 80

NestedStacks

Question 81

What are the 8 CloudFormation template sections?

Answer 81

Metadata
Description
Parameters
Transforms
Outputs
Mappings
Resources
Conditions

Question 82

What are the different stack updates?

Answer 82

Update with no interruption

Updates with some interruptions

Replacement

Question 83

Which services can CodeDeploy deploy to?

Answer 83

EC2, On Premise, Lambda or Fargate

Question 84

The two requirements to deploy to EC2 with CodeDeploy?

Answer 84

Install the CodeDeployAgent on the EC2 instance

IAM role (CodeDeployServiceRole)

Question 85

What is CodePipeline?

Answer 85

A fully managed CI/CD pipeline to setup automatic deployments

Question 86

What are the 6 relational database options in RDS?

Answer 86

Amazon Aurora
MySQL
MariaDB
PostgreSQL
Oracle
Microsoft SQL Server

Question 87

What is RDS Multi-AZ?

Answer 87

Multi-AZ is an option you can turn on which makes an exact copy of your database in another AZ that is only standby
For Multi-AZ AWS automatically synchronizes changes in the database over to the standby copy
Multi-AZ has Automatic Failover protection if one AZ goes down failover will occur and the standby slave will be promoted to master

Question 88

How would you improve performance of your RDS if you were getting lots of reads?

Answer 88

Use Read-Replicas. They allow you to run multiples copies of your database, these copies only allows reads (no writes) and is intended to alleviate the workload of your primary database to improve performance

Question 89

What are the 2 RDS backup solutions?

Answer 89

Automated Backups and Manual Snapshots

Question 90

The 6 S3 storage classes?

Answer 90

Standard
Intelligent Tiering
Standard Infrequently Accessed (IA)
One Zone IA
Glacier
Glacier Deep Archive

Question 91

How can you automate moving objects between storage classes?

Answer 91

S3 Lifecycle Management policies

Question 92

How can you protect against deleting objects in S3?

Answer 92

MFA delete. Must have versioning switched on.

Question 93

What is the storage size range for S3?

Answer 93

0 Bytes up to 5 Terabytes

Question 94

S3 bucket names must be unique, true or false?

Answer 94

true

Question 95

How do you configure S3 access control?

Answer 95

Bucket Policies

Access Control Lists (legacy although not deprecated)

Question 96

How do you enable fast and secure uploads to S3?

Answer 96

Transfer Acceleration which uses distinct urls to an Edge location. Data is transported to your S3 bucket via the AWS backbone network

Question 97

How do you pay for Lambda serverless?

Answer 97

Per invocation, rounded to the nearest 100 ms and based on amount of requests.

Question 98

What is the function memory allocation limit for Lambda?

Answer 98

10,240 MB

Question 99

Do Lambda run in a VPC by default?

Answer 99

No. To interact with some services you need to have your Lambda in the same VPC eg. RDS

Question 100

To how many concurrent functions can Lambda scale to?

Answer 100

1000 is the default. Can be increased via a service limit increase request.

Question 101

What is API Gateway?

Answer 101

API Gateway is a solution for creating secure APIs in your cloud environment at any scale.
Create APIs that act as a front door for applications to access data, business logic, or functionality from back-end services.

Question 102

The 2 types of Step Function state machines?

Answer 102

Standard - general purpose, for long workloads

Express - streaming data, short workloads

Question 103

The types of Step Function States?

Answer 103

Pass state
Task state
Choices state
Wait state
Succeed state
Fail state
Parallel state
Map state