Misc

Question 1

How can you Enable the X-Ray daemon on Beanstalk?

Answer 1

Include the xray-daemon.config configuration file in the .ebextensions directory of your source code.

Question 2

In Amazon API Gateway, API keys by themselves do not grant access to execute an API. What else needs to be done to grant access? What error do they get if this is not done?

Answer 2

The API keys need to be associated with a usage plan, and that usage plan then determines which API stages and methods the API key can access. If the API key is not associated with a usage plan, it will not have permission to access any of the resources, which will result in a “403 Forbidden” error

Question 3

What API call do you use to associate API Gateway keys with a usage plan?

Answer 3

Associate the API keys for users with the intended usage plan using the CreateUsagePlanKey operation

Question 4

What should be done to only allow authorized clients to invalidate an API Gateway cache entry when submitting API requests? (TWO things)

Answer 4

1. The client must send a request which contains the Cache-Control: max-age=0 header.
2. Tick the Require Authorization checkbox in the Cache Settings of your API via the console.

Question 5

If you have applications running outside of an AWS environment that need programmatic access to AWS resources, how do you do it?

Answer 5

Go to the AWS Console and create a new IAM user with programmatic access. In the application server, create the credentials file at ~/.aws/credentials with the access keys of the IAM user.

Question 6

What Gateway response types are associated with the HTTP 504 error in API Gateway?

Answer 6

INTEGRATION_FAILURE – The gateway response for an integration failed error. If the response type is unspecified, this response defaults to the DEFAULT_5XX type.

INTEGRATION_TIMEOUT – The gateway response for an integration timed out error. If the response type is unspecified, this response defaults to the DEFAULT_5XX type.

Question 7

How can you ensure that all objects in your S3 bucket are encrypted at rest using server-side encryption with AWS KMS keys?

Answer 7

Add a bucket policy which denies any s3:PutObject action unless the request includes the x-amz-server-side-encryption-aws-kms-key-id header.

Question 8

How can you monitor the responsiveness of your API calls as well as the underlying Lambda function?

Answer 8

Using CloudWatch:

• Monitor the IntegrationLatency metrics to measure the responsiveness of the backend.

– Monitor the Latency metrics to measure the overall responsiveness of your API calls.

Question 9

If you need server-side encryption for all of the objects that are stored in a bucket, how can you do it with amazon-managed keys? Can you use customer-provided keys?

Answer 9

1. Use a bucket policy to deny permissions to upload an object unless the request includes the x-amz-server-side-encryption header to request server-side encryption.
2. Yes: if you chose to use server-side encryption with customer-provided encryption keys (SSE-C), you must provide encryption key information using the following request headers: x-amz-server-side​-encryption​-customer-algorithm, x-amz-server-side​-encryption​-customer-key,
   x-amz-server-side​-encryption​-customer-key-MD5

Question 10

What are the three settings to enable CloudWatch to evaluate when to change the alarm state?

Answer 10

– Period is the length of time to evaluate the metric or expression to create each individual data point for an alarm. It is expressed in seconds. If you choose one minute as the period, there is one datapoint every minute.

– Evaluation Period is the number of the most recent periods, or data points, to evaluate when determining alarm state.

– Datapoints to Alarm is the number of data points within the evaluation period that must be breaching to cause the alarm to go to the ALARM state. The breaching data points do not have to be consecutive, they just must all be within the last number of data points equal to Evaluation Period.

Question 11

In a system using CloudFront, how can you redirect requests , such as to display region-specific information?

Answer 11

Implement a CloudFront function that returns the appropriate URL based on the CloudFront-Viewer-Country. Configure the distribution to trigger the function on Viewer request events.

Question 12

With ECS, how can you allow containers to access ports on the host container instance to send or receive traffic using port mapping?

Answer 12

Using the task definition. Port mappings are specified as part of the container definition which can be configured in the task definition.

Question 13

What environment variables does AWS Lambda use to facilitate communication with the X-Ray daemon and configure the X-Ray SDK?

Answer 13

_X_AMZN_TRACE_ID: Contains the tracing header, which includes the sampling decision, trace ID, and parent segment ID. If Lambda receives a tracing header when your function is invoked, that header will be used to populate the _X_AMZN_TRACE_ID environment variable. If a tracing header was not received, Lambda will generate one for you.

AWS_XRAY_CONTEXT_MISSING: The X-Ray SDK uses this variable to determine its behavior in the event that your function tries to record X-Ray data, but a tracing header is not available. Lambda sets this value to LOG_ERROR by default.

AWS_XRAY_DAEMON_ADDRESS: This environment variable exposes the X-Ray daemon’s address in the following format: IP_ADDRESS:PORT. You can use the X-Ray daemon’s address to send trace data to the X-Ray daemon directly without using the X-Ray SDK.

Question 14

How can a client using API gateway fetch the latest data from your endpoints every time a request is sent and invalidate the existing cache.

Answer 14

The client must send a request that contains the Cache-Control: max-age=0 header.

Question 15

While using SAM locally, how can you provide permissions to interact with other AWS services?

Answer 15

1. Use the aws configure command with the –profile parameter to add a named profile with the sandbox AWS account’s credentials.
2. Run the function using sam local invoke with the –profile parameter.

Question 16

An application scans the entire DynamoDB table to return requested data. How can performance be improved cheaply?

Answer 16

Use Query operations instead of Scan and reduce the page size. (DAX can be more expensive)

Question 17

When should you choose Memcached over Redis ?

Answer 17

• You need the simplest model possible.

– You need to run large nodes with multiple cores or threads.

– You need the ability to scale out and in, adding and removing nodes as demand on your system increases and decreases.

– You need to cache objects, such as a database.

Question 18

How can you detect new entries in a DynamoDB table and automatically trigger a Lambda function to run?

Answer 18

Enable DynamoDB Streams to detect the new entries and automatically trigger the Lambda function.

Question 19

What format does the output need to be that is returned from a Lambda proxy integration backend with API Gateway? What happens if it is the wrong format?

Answer 19

JSON
You’d get a 502 error in the API Gateway

Question 20

What is the default for Lambda total concurrent executions across all functions within a given region? How can it be increased?

Answer 20

1000
Request AWS to increase the limit of your concurrent executions

Question 21

How can you estimate the concurrent executions used by your Lambda function and whether the limit needs to be increased?

Answer 21

concurrent executions = (invocations per second) x (average execution duration in seconds). If this is > 1000 then you need to ask AWS to increase it.

Question 22

How can you authenticate and authorize users for the premium pay-wall content on your website backed by S3?

Answer 22

Use Lambda@Edge. For example, you can trigger a Lambda function to authorize each viewer request by calling authentication and user management service such as Amazon Cognito.

Question 23

What is appspec.yml for?

Answer 23

In CodeDeploy - it defines how a deployment happens

Question 24

What things can CodeDeploy deploy to?

Answer 24

EC2 Instances
On-prem servers
Lambda Functions
ECS

Question 25

What kinds of deployments can be performed with Code Deploy for EC2/On-prem?

Answer 25

In-place
Blue-green

Question 26

For CodeDeploy on EC2 to work, what has to be running and where?

Answer 26

The CodeDeploy agent must be running on the EC2/on-prem instances

Question 27

With CodeDeploy for EC2, what does EC2 need to have sufficient access to?

Answer 27

S3, because the deployment bundles are stored there

Question 28

How does CodeDeploy work for Lambda?

Answer 28

It automates traffic shift for Lambda aliases

Question 29

How does CodeDeploy work for ECS? What type of deployments does it do?

Answer 29

Automates the deployment of a new task definition. It only does blue/green.

Question 30

What is the cron.yaml file used for?

Answer 30

For Elastic Beanstalk, you can define periodic tasks in a file named cron.yaml in your source bundle to add jobs to your worker environment’s queue automatically at a regular intervals.

Question 31

What is a good way to do GeoRestriction, for example, to comply with copyright laws?

Answer 31

CloudFront Georestriction

Question 32

How can you make CloudFront get content from different origins based on the URL path?

Answer 32

Use CloudFront Multiple Origin

Question 33

What is a CloudFront Origin Group?

Answer 33

To increase high-availability and do failover. There is a primary and a secondary origin.

Question 34

What are the API Gateway integration types?

Answer 34

MOCK - for testing
AWS = for Lambda custom integration and all other AWS integrations
AWS_PROXY = Lambda Proxy
HTTP_PROXY = HTTP proxy integration
HTTP = HTTP custom integration

Question 35

When you configure your Lambda function to access VPC resources, what happens? What can you do to fix the situation if needed?

Answer 35

It loses default internet access. If you require external internet access for your function, make sure the Lambda’s security group allows outbound connections, and that your VPC has a NAT gateway.

Question 36

Which DynamoDB secondary index CAN be created after table creation?

Answer 36

Global

Question 37

The name of the bucket used for Transfer Acceleration must be DNS-compliant and must not contain what?

Answer 37

Periods

Question 38

What are the ECS task placement strategies?

Answer 38

binpack – Place tasks based on the least available amount of CPU or memory. This minimizes the number of instances in use.

random – Place tasks randomly.

spread – Place tasks evenly based on the specified value. Accepted values are attribute key-value pairs, instanceId, or host.

Question 39

What are the steps to deploy code using CloudFormation?

Answer 39

1. Create a template to define your infrastructure resources
2. Bundle the template and your resource files into a zip file
3. Package using “aws cloudFormation Package” command
4. Deploy using “aws CloudFormation deploy” command

Question 40

What are the ports for HTTP and HTTPS?

Answer 40

HTTP = 80
HTTPS = 443

Question 41

What are the steps to set up a Lambda fn to be invoked by an ALB?

Answer 41

1. Create a Lambda fn. It should return text/html.
2. Create an ALB.
3. Create security group for ALB:
   a. inbound: allow HTTP from anywhere
   b. allow listening on port 80 for HTTP with
   default action - a target group
4. Create a Target Group with type = Lambda fn,
   and select your Lambda fn
5. Assign the Target Group to your ALB
6. A resource-based policy is created on your Lambda fn for you, to allow the ALB to invoke your Lambda fn.

Question 42

How can you expose your Lambda function to the outside world?

Answer 42

ALB
API Gateway
Lambda Function URL

Question 43

What is the best way to expose a REST API backed by a Lambda Function?

Answer 43

API Gateway + Lambda

Question 44

What can you expose through API Gateway?

Answer 44

Lambda function, HTTP endpoints, any AWS service’s API

Question 45

What are the options for API Gateway security?

Answer 45

1. User auth: IAM roles (internal users); Cognito (external users such as mobile); a custom authorizer (= a lambda fn)
2. Custom domain name HTTPS with AWS cert mgr and you would need a CNAME or A-alias rec in Route 53

Question 46

How many read replicas can you have for your RDS database? How about for Aurora in a single cluster?

Answer 46

15
15

Question 47

How can you get the EC2 instance ID when you are SSH’d into it?

Answer 47

Query the metadata at http://169.254.169.254/latest/meta-data

Question 48

How can an app on an EC2 instance in an ECS cluster access S3?

Answer 48

Create an IAM task role

Question 49

You have a classic ECS cluster that you want to enable IAM roles for your ECS tasks so they can call AWS services. What config option should you enable and where?

Answer 49

Enable ECS_ENABLE_TASK_IAM_Role in the ECS.Config file

Question 50

Can EC2 Container instances run multiple copies of the same Docker image?

Answer 50

Yes

Question 51

How can you scale SQS, for example on Black Friday?

Answer 51

It will scale automatically

Question 52

What is SQS Delay Queues?

Answer 52

A period of time during which Amazon SQS keeps new SQS messages invisible to consumers. In SQS Delay Queues, a message is hidden when it is first added to the queue. (default: 0 mins, max.: 15 mins)

Question 53

What is the SQS + SNS fan out pattern?

Answer 53

This is a common pattern where only one message is sent to the SNS topic and then “fan-out” to multiple SQS queues. This approach has the following features: it’s fully decoupled, no data loss, and you have the ability to add more SQS queues (more applications) over time.

Question 54

How would you load near real-time data into S3 and Redshift that needs to be transformed before loading?

Answer 54

Kinesis Data Streams + Kinesis Data Firehose. Kinesis Data Firehose supports custom data transformations using AWS Lambda.

Question 55

What are the default retention period, and min and max that you can set SQS message retention to?

Answer 55

Default is 4 days. You can set it from 1 minute to 14 days.

Question 56

You can configure a Kinesis Data Stream to keep records for a maximum of ……………… days.

Answer 56

365

Question 57

A CloudWatch Alarm set on a High-Resolution Custom Metric can be triggered as often as ………………….

Answer 57

10 seconds

Question 58

Which API call allows you to push custom metric data to CloudWatch?

Answer 58

PutMetricData

Question 59

By default, when do CloudWatch Logs expire?

Answer 59

Never

Question 60

What should you do to configure X-Ray Daemon to send traces from multiple AWS accounts to a central AWS account?

Answer 60

Create an IAM role in the central account, and then create IAM roles in the other accounts to assume this IAM role.

Question 61

By default, the X-Ray SDK records the first request ………………, and ……………… of any additional requests.

Answer 61

Each second, 5%

Question 62

What is the KB limit forLambda environment variables?

Answer 62

4KB

Question 63

How do you declare a Lambda function in a CloudFormation template?

Answer 63

Upload all the code as a zip file to an S3 bucket and refer to the object in AWS::Lambda::function block

Question 64

The maximum size for a Lambda function /tmp space is …………………….

Answer 64

10240 MB

Question 65

What can be the targets for an Application Load Balancer?

Answer 65

EC2 Instances
ECS tasks
Private IP
Lambda function (HTTP request is translated into a JSON event)

Question 66

What can an ALB route traffic based on?

Answer 66

URL Path
HostName
Query String, Headers

Question 67

Can IAM user groups be part of other user groups?

Answer 67

Negative

Question 68

When would you use the GetSessionToken API call?

Answer 68

if you want to use MFA to protect programmatic calls to specific AWS API operations . It returns temporary credentials: an access key ID, a secret access key, and a security token.

Question 69

What is a Lambda authorizer?

Answer 69

An API Gateway feature that uses a Lambda function to control access to your API

Question 70

What types of Lambda authorizers are there?

Answer 70

Token based and request parameter based

Question 71

In DynamoDB, what is a way to reduce storage usage and reduce the cost of storing irrelevant data without using provisioned throughput?

Answer 71

Enable TTL - perfect use case for session data

Question 72

In a Kinesis Data Stream, what API calls can you use to read records in the same order they are written to the stream?

Answer 72

PutRecord along with SequenceNumberForOrdering

Question 73

Anytime a question asks about a storage system that can be accessed from multiple points, what should you think of?

Answer 73

EFS

Question 74

How can you get messages back from the DLQ to the original Q so that they can be reprocessed?

Answer 74

If it is a FIFO Q, you could use StartMessageMoveTask API. But if they don’t say it is a FIFO, you should use SendMessageBatch API to send multiple messages to an SQS Q.

Question 75

How can you invoke a lambda function asynchronously?

Answer 75

Use the “Invoke” API to call the Lambda function and set the invocation type request parameter to Event

Question 76

How can you invoke a lambda function synchronously?

Answer 76

Use the “Invoke” API to call the Lambda function and set the invocation type request parameter to RequestResponse

Question 77

How can you validate parameter values for your Lambda function and verify that the user or role has permission to invoke the function - without running it?

Answer 77

Use the “Invoke” API to call the Lambda function and set the invocation type request parameter to DryRun

Question 78

Where would you put environment configuration stuff for Elastic Beanstalk

Answer 78

env.yaml

Question 79

What port does the AWS X-Ray daemon listen for traffic on?

Answer 79

UDP port 2000

Question 80

How would you instrument x-ray to work on an ECS cluster?

Answer 80

1. Create a Docker image that runs the X-Ray daemon
2. Upload it to a Docker image repository
3. Deploy it to your Amazon ECS cluster
4. Configure the port mappings and network mode settings in your task definition file to allow traffic on UDP port 2000.

Question 81

What consumes more RCU - strongly or eventually consistent reads?

Answer 81

strongly

Question 82

What are the hooks in a serverless Lambda function version deployment, in order?

Answer 82

BeforeAllowTraffic
AllowTraffic
AfterAllowTraffic

Question 83

Describe the process of envelope encryption

Answer 83

Encrypt plaintext data with a data key and then encrypt the data key with a top-level plaintext key. This is NOT a KMS key

Question 84

What information is included in the ECS Task Definitions?

Answer 84

Image Name
Port binding for Container and Host
Memory and CPU required
Environment variables
Networking information
IAM Role
Logging configuration (ex: CloudWatch)

Question 85

What should you check If X-Ray is not working on EC2?

Answer 85

• Ensure the EC2 IAM Role has the proper permissions
• Ensure the EC2 instance is running the X-Ray Daemon

Question 86

How would you enable x-ray on AWS Lambda?

Answer 86

• Ensure it has an IAM execution role with proper policy
  (AWSX-RayWriteOnlyAccess)
• Ensure that X-Ray is imported in the code
• Enable Lambda X-Ray Active Tracing

Question 87

How is an execution role created and then referenced, for example a Lambda execution role?

Answer 87

1.Create the role in IAM
2. Then point to the role(reference it) when setting up your Lambda function (select the previously created IAM role as the “Execution role” in the function configuration)

Question 88

What are the method authorization types for an API?

Answer 88

NONE - open access
AWS_IAM - for using IAM
CUSTOM - custom authorizer
COGNITO_USER_POOLS - Cognito

Question 89

What services can have an event source mapping for Lambda?

Answer 89

Kinesis
DynamoDB
SQS
MQ
Managed Streaming for Apache Kafka (Amazon MSK)

Question 90

What are the 2 authentication types for controlling access to a Lambda function URL?

Answer 90

AWS IAM
NONE

Question 92

Which are the possible solutions that the developer can implement in order to set up HTTPS communication between the viewers and CloudFront?

Answer 92

*Set the Viewer Protocol Policy to use Redirect HTTP to HTTPS
*Set the Viewer Protocol Policy to use HTTPS Only

Question 93

When would you use Cognito User Pools?

Answer 93

1. Design sign-up and sign-in webpages for your app.
2. Access and manage user data.
3. Track user device, location, and IP address, and adapt to
   sign-in requests of different risk levels.
4. Use a custom authentication flow for your app.

Question 94

When would you use Cognito Identity Pools?

Answer 94

1. Give your users access to AWS resources, such as an
   Amazon Simple Storage Service (Amazon S3) bucket or
   an Amazon DynamoDB table.
2. Generate temporary AWS credentials for
   unauthenticated users.

Question 95

What type of read does the DynamoDB GetItem API do by default? What can you do to change it?

Answer 95

• it provides eventually consistent by default
• to change to strongly, set the ConsistentRead parameter to true

Question 96

What problem does DynamoDB DAX solve?

Answer 96

It solves the hot-key problem
- prevents the “ProvisionedThroughputExceededException” exception.

Question 97

The maximum size of an item in a DynamoDB table is ……………….

Answer 97

400 KB

Question 98

What types of databases are supported by RDS?

Answer 98

SQLServer
DB2
Oracle
MySQL
Postgres
Maria
Aurora

Question 99

***How can you scale RDS?

Answer 99

Turn on Auto-Scaling feature

Question 100

What type of consistency are RDS read replicas?

Answer 100

Eventually (Async)

Question 101

What is a benefit of using KMS from an audit perspective?

Answer 101

Calls to access your keys in KMS are logged in CloudTrail

Question 102

Does KMS use symmetric or asymmetric keys? What does symmetric mean?

Answer 102

KMS uses symmetric keys. That means there is only one encryption key for encryption and decryption

Question 103

What are the use cases for an asymmetric key?

Answer 103

Encryption outside of AWS by users who can’t call the KMS ApI

Question 104

What kind of KMS Key policies are there, and which one is useful for cross-account access of your KMS keys?

Answer 104

There are the Default which is created for you if you don’t provide one; and a Custom one. A Custom key policy is useful for cross-account access.

Question 105

When do you need to use envelope encryption? What API do you use?

Answer 105

When you need to encrypt anything over 4KB of data. Use the GenerateDataKey API