Misc Flashcards
How can you Enable the X-Ray daemon on Beanstalk?
Include the xray-daemon.config configuration file in the .ebextensions directory of your source code.
In Amazon API Gateway, API keys by themselves do not grant access to execute an API. What else needs to be done to grant access? What error do they get if this is not done?
The API keys need to be associated with a usage plan, and that usage plan then determines which API stages and methods the API key can access. If the API key is not associated with a usage plan, it will not have permission to access any of the resources, which will result in a “403 Forbidden” error
What API call do you use to associate API Gateway keys with a usage plan?
Associate the API keys for users with the intended usage plan using the CreateUsagePlanKey operation
What should be done to only allow authorized clients to invalidate an API Gateway cache entry when submitting API requests? (TWO things)
- The client must send a request which contains the Cache-Control: max-age=0 header.
- Tick the Require Authorization checkbox in the Cache Settings of your API via the console.
If you have applications running outside of an AWS environment that need programmatic access to AWS resources, how do you do it?
Go to the AWS Console and create a new IAM user with programmatic access. In the application server, create the credentials file at ~/.aws/credentials with the access keys of the IAM user.
What Gateway response types are associated with the HTTP 504 error in API Gateway?
INTEGRATION_FAILURE – The gateway response for an integration failed error. If the response type is unspecified, this response defaults to the DEFAULT_5XX type.
INTEGRATION_TIMEOUT – The gateway response for an integration timed out error. If the response type is unspecified, this response defaults to the DEFAULT_5XX type.
How can you ensure that all objects in your S3 bucket are encrypted at rest using server-side encryption with AWS KMS keys?
Add a bucket policy which denies any s3:PutObject action unless the request includes the x-amz-server-side-encryption-aws-kms-key-id header.
How can you monitor the responsiveness of your API calls as well as the underlying Lambda function?
Using CloudWatch:
- Monitor the IntegrationLatency metrics to measure the responsiveness of the backend.
– Monitor the Latency metrics to measure the overall responsiveness of your API calls.
If you need server-side encryption for all of the objects that are stored in a bucket, how can you do it with amazon-managed keys? Can you use customer-provided keys?
- Use a bucket policy to deny permissions to upload an object unless the request includes the x-amz-server-side-encryption header to request server-side encryption.
- Yes: if you chose to use server-side encryption with customer-provided encryption keys (SSE-C), you must provide encryption key information using the following request headers: x-amz-server-side-encryption-customer-algorithm, x-amz-server-side-encryption-customer-key,
x-amz-server-side-encryption-customer-key-MD5
What are the three settings to enable CloudWatch to evaluate when to change the alarm state?
– Period is the length of time to evaluate the metric or expression to create each individual data point for an alarm. It is expressed in seconds. If you choose one minute as the period, there is one datapoint every minute.
– Evaluation Period is the number of the most recent periods, or data points, to evaluate when determining alarm state.
– Datapoints to Alarm is the number of data points within the evaluation period that must be breaching to cause the alarm to go to the ALARM state. The breaching data points do not have to be consecutive, they just must all be within the last number of data points equal to Evaluation Period.
In a system using CloudFront, how can you redirect requests , such as to display region-specific information?
Implement a CloudFront function that returns the appropriate URL based on the CloudFront-Viewer-Country. Configure the distribution to trigger the function on Viewer request events.
With ECS, how can you allow containers to access ports on the host container instance to send or receive traffic using port mapping?
Using the task definition. Port mappings are specified as part of the container definition which can be configured in the task definition.
What environment variables does AWS Lambda use to facilitate communication with the X-Ray daemon and configure the X-Ray SDK?
_X_AMZN_TRACE_ID: Contains the tracing header, which includes the sampling decision, trace ID, and parent segment ID. If Lambda receives a tracing header when your function is invoked, that header will be used to populate the _X_AMZN_TRACE_ID environment variable. If a tracing header was not received, Lambda will generate one for you.
AWS_XRAY_CONTEXT_MISSING: The X-Ray SDK uses this variable to determine its behavior in the event that your function tries to record X-Ray data, but a tracing header is not available. Lambda sets this value to LOG_ERROR by default.
AWS_XRAY_DAEMON_ADDRESS: This environment variable exposes the X-Ray daemon’s address in the following format: IP_ADDRESS:PORT. You can use the X-Ray daemon’s address to send trace data to the X-Ray daemon directly without using the X-Ray SDK.
How can a client using API gateway fetch the latest data from your endpoints every time a request is sent and invalidate the existing cache.
The client must send a request that contains the Cache-Control: max-age=0 header.
While using SAM locally, how can you provide permissions to interact with other AWS services?
- Use the aws configure command with the –profile parameter to add a named profile with the sandbox AWS account’s credentials.
- Run the function using sam local invoke with the –profile parameter.
An application scans the entire DynamoDB table to return requested data. How can performance be improved cheaply?
Use Query operations instead of Scan and reduce the page size. (DAX can be more expensive)
When should you choose Memcached over Redis ?
- You need the simplest model possible.
– You need to run large nodes with multiple cores or threads.
– You need the ability to scale out and in, adding and removing nodes as demand on your system increases and decreases.
– You need to cache objects, such as a database.
How can you detect new entries in a DynamoDB table and automatically trigger a Lambda function to run?
Enable DynamoDB Streams to detect the new entries and automatically trigger the Lambda function.
What format does the output need to be that is returned from a Lambda proxy integration backend with API Gateway? What happens if it is the wrong format?
JSON
You’d get a 502 error in the API Gateway
What is the default for Lambda total concurrent executions across all functions within a given region? How can it be increased?
1000
Request AWS to increase the limit of your concurrent executions
How can you estimate the concurrent executions used by your Lambda function and whether the limit needs to be increased?
concurrent executions = (invocations per second) x (average execution duration in seconds). If this is > 1000 then you need to ask AWS to increase it.
How can you authenticate and authorize users for the premium pay-wall content on your website backed by S3?
Use Lambda@Edge. For example, you can trigger a Lambda function to authorize each viewer request by calling authentication and user management service such as Amazon Cognito.
What is appspec.yml for?
In CodeDeploy - it defines how a deployment happens
What things can CodeDeploy deploy to?
EC2 Instances
On-prem servers
Lambda Functions
ECS
What kinds of deployments can be performed with Code Deploy for EC2/On-prem?
In-place
Blue-green
For CodeDeploy on EC2 to work, what has to be running and where?
The CodeDeploy agent must be running on the EC2/on-prem instances
With CodeDeploy for EC2, what does EC2 need to have sufficient access to?
S3, because the deployment bundles are stored there
How does CodeDeploy work for Lambda?
It automates traffic shift for Lambda aliases
How does CodeDeploy work for ECS? What type of deployments does it do?
Automates the deployment of a new task definition. It only does blue/green.
What is the cron.yaml file used for?
For Elastic Beanstalk, you can define periodic tasks in a file named cron.yaml in your source bundle to add jobs to your worker environment’s queue automatically at a regular intervals.
What is a good way to do GeoRestriction, for example, to comply with copyright laws?
CloudFront Georestriction
How can you make CloudFront get content from different origins based on the URL path?
Use CloudFront Multiple Origin
What is a CloudFront Origin Group?
To increase high-availability and do failover. There is a primary and a secondary origin.
What are the API Gateway integration types?
MOCK - for testing
AWS = for Lambda custom integration and all other AWS integrations
AWS_PROXY = Lambda Proxy
HTTP_PROXY = HTTP proxy integration
HTTP = HTTP custom integration
When you configure your Lambda function to access VPC resources, what happens? What can you do to fix the situation if needed?
It loses default internet access. If you require external internet access for your function, make sure the Lambda’s security group allows outbound connections, and that your VPC has a NAT gateway.
Which DynamoDB secondary index CAN be created after table creation?
Global
The name of the bucket used for Transfer Acceleration must be DNS-compliant and must not contain what?
Periods
What are the ECS task placement strategies?
binpack – Place tasks based on the least available amount of CPU or memory. This minimizes the number of instances in use.
random – Place tasks randomly.
spread – Place tasks evenly based on the specified value. Accepted values are attribute key-value pairs, instanceId, or host.
What are the steps to deploy code using CloudFormation?
- Create a template to define your infrastructure resources
- Bundle the template and your resource files into a zip file
- Package using “aws cloudFormation Package” command
- Deploy using “aws CloudFormation deploy” command
What are the ports for HTTP and HTTPS?
HTTP = 80
HTTPS = 443
What are the steps to set up a Lambda fn to be invoked by an ALB?
- Create a Lambda fn. It should return text/html.
- Create an ALB.
- Create security group for ALB:
a. inbound: allow HTTP from anywhere
b. allow listening on port 80 for HTTP with
default action - a target group - Create a Target Group with type = Lambda fn,
and select your Lambda fn - Assign the Target Group to your ALB
- A resource-based policy is created on your Lambda fn for you, to allow the ALB to invoke your Lambda fn.
How can you expose your Lambda function to the outside world?
ALB
API Gateway
Lambda Function URL
What is the best way to expose a REST API backed by a Lambda Function?
API Gateway + Lambda
What can you expose through API Gateway?
Lambda function, HTTP endpoints, any AWS service’s API
What are the options for API Gateway security?
- User auth: IAM roles (internal users); Cognito (external users such as mobile); a custom authorizer (= a lambda fn)
- Custom domain name HTTPS with AWS cert mgr and you would need a CNAME or A-alias rec in Route 53
How many read replicas can you have for your RDS database? How about for Aurora in a single cluster?
15
15
How can you get the EC2 instance ID when you are SSH’d into it?
Query the metadata at http://169.254.169.254/latest/meta-data
How can an app on an EC2 instance in an ECS cluster access S3?
Create an IAM task role
You have a classic ECS cluster that you want to enable IAM roles for your ECS tasks so they can call AWS services. What config option should you enable and where?
Enable ECS_ENABLE_TASK_IAM_Role in the ECS.Config file
Can EC2 Container instances run multiple copies of the same Docker image?
Yes
How can you scale SQS, for example on Black Friday?
It will scale automatically
What is SQS Delay Queues? What is the default time period?
A period of time during which Amazon SQS keeps new SQS messages invisible to consumers. In SQS Delay Queues, a message is hidden when it is first added to the queue. (default: 0 mins, max.: 15 mins)
What is the SQS + SNS fan out pattern?
This is a common pattern where only one message is sent to the SNS topic and then “fan-out” to multiple SQS queues. This approach has the following features: it’s fully decoupled, no data loss, and you have the ability to add more SQS queues (more applications) over time.
How would you load near real-time data into S3 and Redshift that needs to be transformed before loading?
Kinesis Data Streams + Kinesis Data Firehose. Kinesis Data Firehose supports custom data transformations using AWS Lambda.
What are the default retention period, and min and max that you can set SQS message retention to?
Default is 4 days. You can set it from 1 minute to 14 days.
You can configure a Kinesis Data Stream to keep records for a maximum of ……………… days.
365
A CloudWatch Alarm set on a High-Resolution Custom Metric can be triggered as often as ………………….
10 seconds
Which API call allows you to push custom metric data to CloudWatch?
PutMetricData
By default, when do CloudWatch Logs expire?
Never
What should you do to configure X-Ray Daemon to send traces from multiple AWS accounts to a central AWS account?
Create an IAM role in the central account, and then create IAM roles in the other accounts to assume this IAM role.
By default, the X-Ray SDK records the first request ………………, and ……………… of any additional requests.
Each second, 5%
What is the KB limit forLambda environment variables?
4KB
How do you declare a Lambda function in a CloudFormation template?
Upload all the code as a zip file to an S3 bucket and refer to the object in AWS::Lambda::function block
The maximum size for a Lambda function /tmp space is …………………….
10240 MB
What can be the targets for an Application Load Balancer?
EC2 Instances
ECS tasks
Private IP
Lambda function (HTTP request is translated into a JSON event)
What can an ALB route traffic based on?
URL Path
HostName
Query String, Headers
Can IAM user groups be part of other user groups?
Negative
When would you use the GetSessionToken API call?
if you want to use MFA to protect programmatic calls to specific AWS API operations . It returns temporary credentials: an access key ID, a secret access key, and a security token.
What is a Lambda authorizer?
An API Gateway feature that uses a Lambda function to control access to your API
What types of Lambda authorizers are there?
Token based and request parameter based
In DynamoDB, what is a way to reduce storage usage and reduce the cost of storing irrelevant data without using provisioned throughput?
Enable TTL - perfect use case for session data
In a Kinesis Data Stream, what API calls can you use to read records in the same order they are written to the stream?
PutRecord along with SequenceNumberForOrdering
Anytime a question asks about a storage system that can be accessed from multiple points, what should you think of?
EFS
How can you get messages back from the DLQ to the original Q so that they can be reprocessed?
If it is a FIFO Q, you could use StartMessageMoveTask API. But if they don’t say it is a FIFO, you should use SendMessageBatch API to send multiple messages to an SQS Q.
How can you invoke a lambda function asynchronously?
Use the “Invoke” API to call the Lambda function and set the invocation type request parameter to Event
How can you invoke a lambda function synchronously?
Use the “Invoke” API to call the Lambda function and set the invocation type request parameter to RequestResponse
How can you validate parameter values for your Lambda function and verify that the user or role has permission to invoke the function - without running it?
Use the “Invoke” API to call the Lambda function and set the invocation type request parameter to DryRun
Where would you put environment configuration stuff for Elastic Beanstalk
env.yaml
What port does the AWS X-Ray daemon listen for traffic on?
UDP port 2000
How would you instrument x-ray to work on an ECS cluster?
- Create a Docker image that runs the X-Ray daemon
- Upload it to a Docker image repository
- Deploy it to your Amazon ECS cluster
- Configure the port mappings and network mode settings in your task definition file to allow traffic on UDP port 2000.
What consumes more RCU - strongly or eventually consistent reads?
strongly
What are the hooks in a serverless Lambda function version deployment, in order?
BeforeAllowTraffic
AllowTraffic
AfterAllowTraffic
Describe the process of envelope encryption
Encrypt plaintext data with a data key and then encrypt the data key with a top-level plaintext key. This is NOT a KMS key
What information is included in the ECS Task Definitions?
Image Name
Port binding for Container and Host
Memory and CPU required
Environment variables
Networking information
IAM Role
Logging configuration (ex: CloudWatch)
What should you check If X-Ray is not working on EC2?
- Ensure the EC2 IAM Role has the proper permissions
- Ensure the EC2 instance is running the X-Ray Daemon
How would you enable x-ray on AWS Lambda?
- Ensure it has an IAM execution role with proper policy
(AWSX-RayWriteOnlyAccess) - Ensure that X-Ray is imported in the code
- Enable Lambda X-Ray Active Tracing
How is an execution role created and then referenced, for example a Lambda execution role?
1.Create the role in IAM
2. Then point to the role(reference it) when setting up your Lambda function (select the previously created IAM role as the “Execution role” in the function configuration)
What are the method authorization types for an API?
NONE - open access
AWS_IAM - for using IAM
CUSTOM - custom authorizer
COGNITO_USER_POOLS - Cognito
What services can have an event source mapping for Lambda?
Kinesis
DynamoDB
SQS
MQ
Managed Streaming for Apache Kafka (Amazon MSK)
What are the 2 authentication types for controlling access to a Lambda function URL?
AWS IAM
NONE
Which are the possible solutions that the developer can implement in order to set up HTTPS communication between the viewers and CloudFront?
*Set the Viewer Protocol Policy to use Redirect HTTP to HTTPS
*Set the Viewer Protocol Policy to use HTTPS Only
When would you use Cognito User Pools?
- Design sign-up and sign-in webpages for your app.
- Access and manage user data.
- Track user device, location, and IP address, and adapt to
sign-in requests of different risk levels. - Use a custom authentication flow for your app.
When would you use Cognito Identity Pools?
- Give your users access to AWS resources, such as an
Amazon Simple Storage Service (Amazon S3) bucket or
an Amazon DynamoDB table. - Generate temporary AWS credentials for
unauthenticated users.
What type of read consistency does the DynamoDB GetItem API do by default? What can you do to change it?
- it provides eventually consistent by default
- to change to strongly, set the ConsistentRead parameter to true
What problem does DynamoDB DAX solve?
It solves the hot-key problem
- prevents the “ProvisionedThroughputExceededException” exception.
The maximum size of an item in a DynamoDB table is ……………….
400 KB
What types of databases are supported by RDS?
SQLServer
DB2
Oracle
MySQL
Postgres
Maria
Aurora
***How can you scale RDS?
Turn on Auto-Scaling feature
What type of consistency are RDS read replicas?
Eventually (Async)
What is a benefit of using KMS from an audit perspective?
Calls to access your keys in KMS are logged in CloudTrail
Does KMS use symmetric or asymmetric keys? What does symmetric mean?
KMS uses symmetric keys. That means there is only one encryption key for encryption and decryption
What are the use cases for an asymmetric key?
Encryption outside of AWS by users who can’t call the KMS ApI
What kind of KMS Key policies are there, and which one is useful for cross-account access of your KMS keys?
There are the Default which is created for you if you don’t provide one; and a Custom one. A Custom key policy is useful for cross-account access.
When do you need to use envelope encryption? What API do you use?
When you need to encrypt anything over 4KB of data. Use the GenerateDataKey API
What are the key uses for:
Cloudfront function
Lambda@edge
Lambda function url
S3 object Lambda
Cloudfront function: simple & fast
Lambda@edge: external api, complexity
Lambda function url: direct http access without extra services
S3 object Lambda for S3
Would you use Lambda @edge or CF function to retrieve credentials?
Lambda@edge, because it needs network access
A developer needs to create a serverless application that uses an event-driven architecture. How can the developer configure the application to automatically receive and process events?
Create an Amazon SNS topic and an AWS Lambda function. Subscribe the Lambda function to the SNS topic and submit events to the SNS topic
What serverless service can receive streaming data and load it directly into an Amazon Elasticsearch datastore?
Kinesis data Firehose - it can load directly. (Kinesis Data Streams cannot load directly - it requires EC2 or Lambda for processing the data from the stream.
