Misc Flashcards
What are the lifecycle event hooks for CodeDeploy?
- Start (Cannot be scripted)
- BeforeInstall (EC2 only)
- Install (Cannot be scripted)
- AfterInstall (EC2 only)
- AllowTestTraffic (Cannot be scripted)
- AfterAllowTestTraffic (EC2 only)
- BeforeAllowTraffic (Lambda / EC2)
- AllowTraffic (Cannot be scripted)
- AfterAllowTraffic (Lambda / EC2)
- End (Cannot be scripted)
Where are CodeDeploy deploy instructions written? (in what file?)
Appspec.yml
What can you deploy to with CodeDeploy?
EC2, On Premise, Lambda and ECS
What type of deployments can you do with CodeDeploy?
In-Place or Blue/Green
What are the Elastic Beanstalk deployment options?
All at once Rolling Rolling with additional batch Immutable Blue/Green (Traffic Splitting Deployment Policy)
Which Elastic Beanstalk deployments deploy to new instances?
Rolling with additional batch
Immutable
What are the components of ECS?
- Cluster: Multiple EC2 instances which will house the docker containers
- Task Definition: A JSON file that defines the configuration of (up to 10) containers you want to run
- Task: Launches containers defined in Task Definition. Tasks do not remain running once the workload is complete
- Service: Ensures tasks remaining running eg. web app.
- Container Agent: Binary on each EC2 instance which monitors, starts, and stops tasks
What is the X-Ray header called which identifies a trace that passed along to downstream services
The Tracing Header is named X-Amzn-Trace-Id
What X-Ray component provides the resource’s name, details about the request, and details about the work done?
Segments
What X-Ray component provides more granular timing information and details about downstream calls that your app made to fulfill the original request?
Subsegments
What X-Ray component collects all segments generated by a single request so you can track the path of requests through multiple services?
Traces
What X-Ray component provides a flow chart visualization of average response for micro-services and to visually pinpoint the failure?
Service Graph
X-Ray supports which languages?
Go, NodeJS, Ruby, Java, Python, ASP.NET, PHP
X-Ray integrates with which AWS Services?
Lambda, API Gateway, App Mesh, CloudTrail, CloudWatch, AWS Config, EB, ELB, SNS, SQS, EC2, ECS, Fargate
In X-Ray, what allows you to capture additional information in key-value pairs?
Annotations and Metadata.
- Annotations are indexed for use with filter expressions with a limit of 50
- Metadata are not indexed. Use Metadata to record data you want to store in the trace but don’t need to use for searching traces
How does the X-Ray Daemon work?
X-Ray Daemon is a software application that listens for traffic on UDP port 2000, gathers raw segment data, and relays it to the AWS X-Ray API. Data is generally not sent directly to the X-Ray API and passes through the X-Ray Daemon which uploads in bulk
Which AWS service would allow the developer to fully test and debug any resource based policies before deploying the changes?
AWS Trusted Advisor is an online tool that provides you real time guidance to help you provision your resources following AWS best practices.
What ElastiCache feature is used to manage runtime settings?
Parameter groups.
Parameter groups are an easy way to manage runtime settings for supported engine software. Parameters are used to control memory usage, eviction policies, item sizes, and more. An ElastiCache parameter group is a named collection of engine-specific parameters that you can apply to a cluster. By doing this, you make sure that all of the nodes in that cluster are configured in exactly the same way.
What does a VPC flow log do?
capture all incoming and outgoing IP traffic within your VPC.
How to enable CloudWatch alarms triggered on a 10 second interval basis?
High Resolution Metrics can be as low as 10 seconds.
What RDS feature allows to see how different processes or threads on a DB instance use the CPU?
Enhanced Monitoring
How would you troubleshoot an EC2 application’s memory usage in CloudWatch?
Install CloudWatch Agent
Can you create access keys for an IAM role?
No, you cannot. Only for IAM users.
Using API Gateway with HTTP proxy for backend endpoints, how would you direct traffic to different endpoints for different stages e.g. dev, QA, prod?
Use stage variables in the HTTP integration request of the API.
With deployment stages in API Gateway, you can manage multiple release stages for each API, such as dev, QA and production. Using stage variables, you can configure an API deployment stage to interact with different backend endpoints.
A company currently uses API Gateway as part of their production environment. There is a requirement for a specific stage in the gateway to be able to interact directly with a DynamoDB table.
Which API Gateway component would they have to configure in order to achieve this functionality?
An Integration request.
With DynamoDB as the backend, the API developer sets up the integration request to forward the incoming method request to the chosen backend. The setup includes specifications of an appropriate DynamoDB action, required IAM role and policies, and required input data transformation. The backend returns the result to API Gateway as an integration response.
To route the integration response to an appropriate method response (of a given HTTP status code) to the client, you can configure the integration response to map required response parameters from integration to method. You then translate the output data format of the backend to that of the frontend, if necessary. API Gateway enables you to define a schema or model for the payload
Elastic Beanstalk two environment types?
Web Environment or a Worker Environment
Elastic Beanstalk web environment two types are?
Single-Instance or Load Balanced
What is the Fargate memory limit?
30 GB
Which service compiles your source code, runs unit tests, and produces artifacts that are ready to deploy?
CodeBuild
What file includes CodeBuild configuration?
buildspec.yml
Which service allows you to provision, manage, and deploy public and private SSL/TLS certificates for use with AWS services?
Amazon Certificate Manager (ACM)
Using ACM, how can SSL be terminated?
- Terminating SSL at the Load Balancer
- Terminating SSL End-to-End
Which services can AWS Certificate Manager (ACM) be attached to?
CloudFront
API Gateway
Elastic Beanstalk (through ELB)
What is Route53?
Route53 is a DNS provider, register and manage domains, create record sets.
What are the 7 routing options using Route53?
Simple Routing - Default routing policy, multiple addresses result in a random endpoint selection
Weighted Routing - Split up traffic based on different ‘weights’ assigned (percentages)
Latency-Based Routing - Directs traffic based on region, for lowest possible latency for users.
Failover Routing - Primary site in one location, secondary data recovery site in another. (change on health check)
Geolocation Routing - Route traffic based on the geographic location of a requests origin.
Geo-proximity Routing - Route traffic based on geographic location using ‘Bias’ values (needs Route53 Traffic Flow)
Multi-value Answer Routing - Return multiple values in response to DNS queries. (using health checks. The difference between this and Simple Routing is the health checks.)
What is Route53 Traffic Flow?
Traffic Flow - visual editor, for chaining routing policies, can version policy records for easy rollback
What is AWS Alias Record?
AWS’ smart DNS record, detects changed IPs for AWS resources and adjusts automatically.
What is Route53 Resolver?
Lets you regionally route DNS queries between your VPCs and your network Hybrid Environments
What are the 3 components of Cognito?
User Pools user directory, allows users to authenticate using OAuth to IpD such as Facebook, Google, Amazon to connect to web-applications. Cognito User Pool is in itself a IpD. User Pools use JWTs for to persist authentication
Identity Pools provide temporary AWS credentials to access services eg. S3, DynamoDB. You can control access to your backend AWS resources and APIs through Amazon Cognito so users of your app get only the appropriate access. You can map users to different roles and permissions and get temporary AWS credentials for accessing AWS services such as Amazon S3, Amazon DynamoDB, Amazon API Gateway, and AWS Lambda.
Cognito Sync can sync user data and preferences across devices with one line of code (powered by SNS)
What type of queues does SQS have?
Standard Queues allow you a nearly-unlimited number of transactions per second. Guarantees that a message will be delivered AT LEAST once. More than one copy of a message could be potentially delivered out of order. Provides best-effort ordering that helps ensure a message is generally delivered in the same order that it was sent.
AWS SQS First-In-First-Out queues support multiple ordered message groups within a single queue. Limited to 300 transactions per second. SWS FIFO queues have all the same capabilities of a Standard Queue
Is SQS pull or push?
pull
What types of polling does SQS have?
There are two kinds of polling Short (Default) and Long Polling:
- Short polling returns messages immediately, even if the message queue being polled is empty.
- Long polling waits until message arrives in the queue, or the long poll timeout expires.
In majority of cases Long polling is preferred over short polling.
What is the SQS message size?
Message size between 1 byte to 256 kb
What is the SQS message retention period?
SQS can retain messages from 60 seconds to 14 days and by default is 4 days
In KMS, what is Envelope Encryption?
Master Keys are used to encrypt data keys
What are the 5 EC2 instance types?
General Purpose: balance of compute, memory and networking resources
Compute Optimised: ideal for compute bound applications that benefit from high performance processors
Memory Optimised: fast performance for workloads that process large data sets in memory
Accelerated Optimised: hardware accelerators, or co-processors
Storage Optimised: high, sequential read and write access to very large data sets on local storage
What are EC2 Placement Groups?
Placement groups let you choose the logical placement of your instances to optimise for communication, performance or durability. Placement groups are free
How many VPCs can you have in a region?
5 VPCs per region
How does scaling occur in ASG?
- Capacity Settings
- Health Check Replacements
- Scaling Policies
What are the ASG capacity settings?
Min, Max and Desired Capacity.
ASG will always launch instances to meet minimum capacity.
What are ASG health check types?
- EC2 Health Check Type
- ELB Health Check Type
ASG: what does scaling out mean?
Adding More Instances (Scaling Out).
Scaling In means removing instances.
What are the 3 ASG scaling policies?
1) Target Tracking Scaling Policy
Maintains a specific metric at a target value. eg. If Average CPU Utilization exceeds 75% then add another server.
2) Simple Scaling Policy (legacy, do not use)
Scales when an alarm is breached.
Not recommended, legacy scaling policy. Use scaling policies with steps now.
3) Scaling policies with steps
Scales when an alarm is breached, can escalate based on alarm value changing.
What do VPC Endpoints do?
VPC Endpoints help keep traffic between AWS services within the AWS Network
What are the two types of VPC Endpoints?
There are two kinds of VPC Endpoints. Interface Endpoints and Gateway Endpoints
Interface Endpoints support many AWS services. Interface Endpoints uses an Elastic Network Interface (ENI) with Private IP. This is all powered by AWS PrivateLink. Interface Endpoints cost money.
Gateway Endpoints is a target for a specific route in your route table. They only support DynamoDB and S3. Gateway Endpoints are free.
What are the 3 types of ELB?
Network, Application and Classic Load Balancer
Application Load Balancer is for HTTP(S) traffic and the name implies it good for Web Applications
Network Load Balancer is for TCP/UDP is good for high network throughput eg. Video Games
Classic Load Balancer is legacy and its recommended to use ALB or NLB
What restrictions/setup requirements do ELB have?
A Elastic Load Balancer must have at least two Availability Zones.
Elastic Load Balancers cannot go cross-region. You must create one per region.
Using ELB, how can user sessions be remembered?
Sticky Sessions. Can be enabled for CLB or ALB and sessions are remembered via Cookie.
What components do ELB application and network load balancers have to route traffic?
ALB has Listeners, Rules and Target Groups to route traffic
NLB use Listeners and Target Groups to route traffic
What is a security group?
a firewall at the instance level
Security Groups, true or false: Unless allowed specifically, all inbound traffic is blocked by default.
True
Security Groups, true or false: All Outbound traffic from the instance is allowed by default.
True
Security Groups are STATEFUL (if traffic is allowed inbound it is also allowed outbound). True or false?
True
How do you block a specific IP address using a security group?
You cannot block specific IP addresses with Security Groups, for this you would need a Network Access Control List (NACL)
What is a NACL?
Network Access Control List is commonly known as NACL
VPCs are automatically given a default NACL which allows all outbound and inbound traffic.
Each subnet within a VPC must be associated with a NACL
Are NACLs stateful or stateless?
NACLs are STATELESS (incoming rule will not be applied to the outgoing)
When you create a NACL is traffic allowed or denied by default?
When you create a NACLs it will deny all traffic by default
What are the 3 components of IAM?
IAM Identities as Users, Groups, and Roles -** IAM Users** End users who log into the console or interact with AWS resources programmatically
IAM Groups: Group up your Users so they all share permission levels of the group eg. Administrators, Developers, Auditors -** IAM Roles** Associate permissions to a Role and then assign this to an Users or Groups
IAM Policies JSON documents which grant permissions for a specific user, group, or role to access services. Policies are attached to to IAM Identities
The 3 types of IAM policies?
Managed Policies are policies provided by AWS and cannot be edited
Customer Managed Policies are policies created by use the customer, which you can edit
Inline Policies are policies which are directly attached to a user
The components of CloudFront?
Origin: The location where all of original files are located. For example an S3 Bucket, EC2 Instance, ELB, or Route53
Edge Location: The location where web content will be cached. This is different than an AWS Region or AZ
Distribution: A collection of Edge locations which defines how cached content should behave
The 2 types of CloudFront Distributions?
Web (for websites)
RTMP (for streaming media)
The 4 Available Lambda@Edge Functions?
Viewer request When CloudFront receives a request from a viewer
Origin request Before CloudFront forwards a request to the origin
Origin response When CloudFront receives a response from the origin
Viewer response Before CloudFront returns the response to the viewer
How does CloudFront access private S3 buckets?
Origin Access Identity (OAI) is used access private S3 buckets
How do you protect CloudFront access to cached content?
Access to cached content can be protected via Signed Urls or Signed Cookies
What is the default logging period for CloudTrail?
CloudTrail by default logs event data for the past 90s days via Event History.
How do you track beyond the default time period in CloudTrail?
To track beyond 90 days you need to create a Trail.
how do you see if logs have been tampered with in CloudTrail?
To ensure logs have not been tampered with you need to turn on Log File Validation option
What are the two kinds of CloudTrail events?
Management Events and Data Events
Management events log management operations eg. AttachRolePolicy
Data Events log data operations for resources (S3, Lambda) eg. GetObject, DeleteObject, and PutObject. Data Events are disabled by default when creating a Trail.
CloudFormation error message is like?
ROLLBACK_IN_PROGRESS
What are smaller reusable templates called in CloudFormation?
NestedStacks
What are the 8 CloudFormation template sections?
Metadata Description Parameters Transforms Outputs Mappings Resources Conditions
What are the different stack updates?
Update with no interruption
Updates with some interruptions
Replacement
Which services can CodeDeploy deploy to?
EC2, On Premise, Lambda or Fargate
The two requirements to deploy to EC2 with CodeDeploy?
Install the CodeDeployAgent on the EC2 instance
IAM role (CodeDeployServiceRole)
What is CodePipeline?
A fully managed CI/CD pipeline to setup automatic deployments
What are the 6 relational database options in RDS?
Amazon Aurora MySQL MariaDB PostgreSQL Oracle Microsoft SQL Server
What is RDS Multi-AZ?
Multi-AZ is an option you can turn on which makes an exact copy of your database in another AZ that is only standby
For Multi-AZ AWS automatically synchronizes changes in the database over to the standby copy
Multi-AZ has Automatic Failover protection if one AZ goes down failover will occur and the standby slave will be promoted to master
How would you improve performance of your RDS if you were getting lots of reads?
Use Read-Replicas. They allow you to run multiples copies of your database, these copies only allows reads (no writes) and is intended to alleviate the workload of your primary database to improve performance
What are the 2 RDS backup solutions?
Automated Backups and Manual Snapshots
The 6 S3 storage classes?
Standard Intelligent Tiering Standard Infrequently Accessed (IA) One Zone IA Glacier Glacier Deep Archive
How can you automate moving objects between storage classes?
S3 Lifecycle Management policies
How can you protect against deleting objects in S3?
MFA delete. Must have versioning switched on.
What is the storage size range for S3?
0 Bytes up to 5 Terabytes
S3 bucket names must be unique, true or false?
true
How do you configure S3 access control?
Bucket Policies
Access Control Lists (legacy although not deprecated)
How do you enable fast and secure uploads to S3?
Transfer Acceleration which uses distinct urls to an Edge location. Data is transported to your S3 bucket via the AWS backbone network
How do you pay for Lambda serverless?
Per invocation, rounded to the nearest 100 ms and based on amount of requests.
What is the function memory allocation limit for Lambda?
10,240 MB
Do Lambda run in a VPC by default?
No. To interact with some services you need to have your Lambda in the same VPC eg. RDS
To how many concurrent functions can Lambda scale to?
1000 is the default. Can be increased via a service limit increase request.
What is API Gateway?
API Gateway is a solution for creating secure APIs in your cloud environment at any scale.
Create APIs that act as a front door for applications to access data, business logic, or functionality from back-end services.
The 2 types of Step Function state machines?
Standard - general purpose, for long workloads
Express - streaming data, short workloads
The types of Step Function States?
Pass state Task state Choices state Wait state Succeed state Fail state Parallel state Map state