Misc

Question 1

How can you Enable the X-Ray daemon on Beanstalk?

Answer 1

Include the xray-daemon.config configuration file in the .ebextensions directory of your source code.

Question 2

In Amazon API Gateway, API keys by themselves do not grant access to execute an API. What else needs to be done to grant access? What error do they get if this is not done?

Answer 2

The API keys need to be associated with a usage plan, and that usage plan then determines which API stages and methods the API key can access. If the API key is not associated with a usage plan, it will not have permission to access any of the resources, which will result in a “403 Forbidden” error

Question 3

What API call do you use to associate API Gateway keys with a usage plan?

Answer 3

Associate the API keys for users with the intended usage plan using the CreateUsagePlanKey operation

Question 4

What should be done to only allow authorized clients to invalidate an API Gateway cache entry when submitting API requests? (TWO things)

Answer 4

1. The client must send a request which contains the Cache-Control: max-age=0 header.
2. Tick the Require Authorization checkbox in the Cache Settings of your API via the console.

Question 5

If you have applications running outside of an AWS environment that need programmatic access to AWS resources, how do you do it?

Answer 5

Go to the AWS Console and create a new IAM user with programmatic access. In the application server, create the credentials file at ~/.aws/credentials with the access keys of the IAM user.

Question 6

What Gateway response types are associated with the HTTP 504 error in API Gateway?

Answer 6

INTEGRATION_FAILURE – The gateway response for an integration failed error. If the response type is unspecified, this response defaults to the DEFAULT_5XX type.

INTEGRATION_TIMEOUT – The gateway response for an integration timed out error. If the response type is unspecified, this response defaults to the DEFAULT_5XX type.

Question 7

How can you ensure that all objects in your S3 bucket are encrypted at rest using server-side encryption with AWS KMS keys?

Answer 7

Add a bucket policy which denies any s3:PutObject action unless the request includes the x-amz-server-side-encryption-aws-kms-key-id header.

Question 8

How can you monitor the responsiveness of your API calls as well as the underlying Lambda function?

Answer 8

Using CloudWatch:

• Monitor the IntegrationLatency metrics to measure the responsiveness of the backend.

– Monitor the Latency metrics to measure the overall responsiveness of your API calls.

Question 9

If you need server-side encryption for all of the objects that are stored in a bucket, how can you do it with amazon-managed keys? Can you use customer-provided keys?

Answer 9

1. Use a bucket policy to deny permissions to upload an object unless the request includes the x-amz-server-side-encryption header to request server-side encryption.
2. Yes: if you chose to use server-side encryption with customer-provided encryption keys (SSE-C), you must provide encryption key information using the following request headers: x-amz-server-side​-encryption​-customer-algorithm, x-amz-server-side​-encryption​-customer-key,
   x-amz-server-side​-encryption​-customer-key-MD5

Question 10

What are the three settings to enable CloudWatch to evaluate when to change the alarm state?

Answer 10

– Period is the length of time to evaluate the metric or expression to create each individual data point for an alarm. It is expressed in seconds. If you choose one minute as the period, there is one datapoint every minute.

– Evaluation Period is the number of the most recent periods, or data points, to evaluate when determining alarm state.

– Datapoints to Alarm is the number of data points within the evaluation period that must be breaching to cause the alarm to go to the ALARM state. The breaching data points do not have to be consecutive, they just must all be within the last number of data points equal to Evaluation Period.

Question 11

In a system using CloudFront, how can you redirect requests , such as to display region-specific information?

Answer 11

Implement a CloudFront function that returns the appropriate URL based on the CloudFront-Viewer-Country. Configure the distribution to trigger the function on Viewer request events.

Question 12

With ECS, how can you allow containers to access ports on the host container instance to send or receive traffic using port mapping?

Answer 12

Using the task definition. Port mappings are specified as part of the container definition which can be configured in the task definition.

Question 13

What environment variables does AWS Lambda use to facilitate communication with the X-Ray daemon and configure the X-Ray SDK?

Answer 13

_X_AMZN_TRACE_ID: Contains the tracing header, which includes the sampling decision, trace ID, and parent segment ID. If Lambda receives a tracing header when your function is invoked, that header will be used to populate the _X_AMZN_TRACE_ID environment variable. If a tracing header was not received, Lambda will generate one for you.

AWS_XRAY_CONTEXT_MISSING: The X-Ray SDK uses this variable to determine its behavior in the event that your function tries to record X-Ray data, but a tracing header is not available. Lambda sets this value to LOG_ERROR by default.

AWS_XRAY_DAEMON_ADDRESS: This environment variable exposes the X-Ray daemon’s address in the following format: IP_ADDRESS:PORT. You can use the X-Ray daemon’s address to send trace data to the X-Ray daemon directly without using the X-Ray SDK.

Question 14

How can a client using API gateway fetch the latest data from your endpoints every time a request is sent and invalidate the existing cache.

Answer 14

The client must send a request that contains the Cache-Control: max-age=0 header.

Question 15

While using SAM locally, how can you provide permissions to interact with other AWS services?

Answer 15

1. Use the aws configure command with the –profile parameter to add a named profile with the sandbox AWS account’s credentials.
2. Run the function using sam local invoke with the –profile parameter.

Question 16

An application scans the entire DynamoDB table to return requested data. How can performance be improved cheaply?

Answer 16

Use Query operations instead of Scan and reduce the page size. (DAX can be more expensive)

Question 17

When should you choose Memcached over Redis ?

Answer 17

• You need the simplest model possible.

– You need to run large nodes with multiple cores or threads.

– You need the ability to scale out and in, adding and removing nodes as demand on your system increases and decreases.

– You need to cache objects, such as a database.

Question 18

How can you detect new entries in a DynamoDB table and automatically trigger a Lambda function to run?

Answer 18

Enable DynamoDB Streams to detect the new entries and automatically trigger the Lambda function.

Question 19

What format does the output need to be that is returned from a Lambda proxy integration backend with API Gateway? What happens if it is the wrong format?

Answer 19

JSON
You’d get a 502 error in the API Gateway

Question 20

What is the default for Lambda total concurrent executions across all functions within a given region? How can it be increased?

Answer 20

1000
Request AWS to increase the limit of your concurrent executions

Question 21

How can you estimate the concurrent executions used by your Lambda function and whether the limit needs to be increased?

Answer 21

concurrent executions = (invocations per second) x (average execution duration in seconds). If this is > 1000 then you need to ask AWS to increase it.

Question 22

How can you authenticate and authorize users for the premium pay-wall content on your website backed by S3?

Answer 22

Use Lambda@Edge. For example, you can trigger a Lambda function to authorize each viewer request by calling authentication and user management service such as Amazon Cognito.

Question 23

What is appspec.yml for?

Answer 23

In CodeDeploy - it defines how a deployment happens

Question 24

Where can CodeDeploy deploy to?

Answer 24

EC2 Instances
On-prem servers
Lambda Functions
ECS

Question 25

What kinds of deployments can be performed with Code Deploy for EC2/On-prem?

Answer 25

In-place
Blue-green

Question 26

For CodeDeploy on EC2 to work, what has to be running and where?

Answer 26

The CodeDeploy agent must be running on the EC2/on-prem instances

Question 27

With CodeDeploy for EC2, what does EC2 need to have sufficient access to?

Answer 27

S3, because the deployment bundles are stored there

Question 28

How does CodeDeploy work for Lambda?

Answer 28

It automates traffic shift for Lambda aliases

Question 29

How does CodeDeploy work for ECS?

Answer 29

Automates the deployment of a new task definition. It only does blue/green.

Question 30

What is the cron.yaml file used for?

Answer 30

For Elastic Beanstalk, you can define periodic tasks in a file named cron.yaml in your source bundle to add jobs to your worker environment’s queue automatically at a regular intervals.

Question 31

What is a good way to do GeoRestriction, for example, to comply with copyright laws?

Answer 31

CloudFront Georestriction

Question 32

How can you make CloudFront get content from different origins based on the URL path?

Answer 32

Use CloudFront Multiple Origin

Question 33

What is a CloudFront Origin Group?

Answer 33

To increase high-availability and do failover. There is a primary and a secondary origin.

Question 34

What are the API Gateway integration types?

Answer 34

MOCK - for testing
AWS = for Lambda custom integration and all other AWS integrations
AWS_PROXY = Lambda Proxy
HTTP_PROXY = HTTP proxy integration
HTTP = HTTP custom integration

Question 35

When you configure your Lambda function to access VPC resources, what happens? What can you do to fix the situation if needed?

Answer 35

It loses default internet access. If you require external internet access for your function, make sure the Lambda’s security group allows outbound connections, and that your VPC has a NAT gateway.

Question 36

Which DynamoDB secondary index CAN be created after table creation?

Answer 36

Global

Question 37

The name of the bucket used for Transfer Acceleration must be DNS-compliant and must not contain what?

Answer 37

Periods

Question 38

What are the ECS task placement strategies?

Answer 38

binpack – Place tasks based on the least available amount of CPU or memory. This minimizes the number of instances in use.

random – Place tasks randomly.

spread – Place tasks evenly based on the specified value. Accepted values are attribute key-value pairs, instanceId, or host.

Question 39

What are the steps to deploy code using CloudFormation?

Answer 39

1. Create a template to define your infrastructure resources
2. Bundle the template and your resource files into a zip file
3. Package using “aws cloudFormation Package” command
4. Deploy using “aws CloudFormation deploy” command

Question 40

What are the ports for HTTP and HTTPS?

Answer 40

HTTP = 80
HTTPS = 443

Question 41

What are the steps to set up a Lambda fn to be invoked by an ALB?

Answer 41

1. Create a Lambda fn. It should return text/html.
2. Create an ALB.
3. Create security group for ALB:
   a. inbound: allow HTTP from anywhere
   b. allow listening on port 80 for HTTP with
   default action - a target group
4. Create a Target Group with type = Lambda fn,
   and select your Lambda fn
5. Assign the Target Group to your ALB
6. A resource-based policy is created on your Lambda fn for you, to allow the ALB to invoke your Lambda fn.

Question 42

How can you expose your Lambda function to the outside world?

Answer 42

ALB
API Gateway
…more?

Question 43

What is the best way to expose a REST API backed by a Lambda Function?

Answer 43

API Gateway + Lambda

Question 44

What can you expose through API Gateway?

Answer 44

Lambda function, HTTP endpoints, any AWS service’s API

Question 45

What are the options for API Gateway security?

Answer 45

1. User auth: IAM roles (internal users); Cognito (external users such as mobile); a custom authorizer (= a lambda fn)
2. Custom domain name HTTPS with AWS cert mgr and you would need a CNAME or A-alias rec in Route 53

Question 46

How many read replicas can you have for your RDS database? How about for Aurora in a single cluster?

Answer 46

15
15

Question 47

How can you get the EC2 instance ID when you are SSH’d into it?

Answer 47

Query the metadata at http://169.254.169.254/latest/meta-data

Question 48

How can an app on an EC2 instance in an ECS cluster access S3?

Answer 48

Create an IAM task role

Question 49

You have a classic ECS cluster that you want to enable IAM roles for your ECS tasks so they can call AWS services. What config option should you enable and where?

Answer 49

Enable ECS_ENABLE_TASK_IAM_Role in the ECS.Config file

Question 50

Can EC2 Container instances run multiple copies of the same Docker image?

Answer 50

Yes

Question 51

Does SQS scale automatically, for example on Black Friday?

Answer 51

Yes

Question 52

What is SQS Delay Queues?

Answer 52

A period of time during which Amazon SQS keeps new SQS messages invisible to consumers. In SQS Delay Queues, a message is hidden when it is first added to the queue. (default: 0 mins, max.: 15 mins)

Question 53

What is the SQS + SNS fan out pattern?

Answer 53

This is a common pattern where only one message is sent to the SNS topic and then “fan-out” to multiple SQS queues. This approach has the following features: it’s fully decoupled, no data loss, and you have the ability to add more SQS queues (more applications) over time.

Question 54

How would you load near real-time data into S3 and Redshift that needs to be transformed before loading?

Answer 54

Kinesis Data Streams + Kinesis Data Firehose. Kinesis Data Firehose supports custom data transformations using AWS Lambda.

Question 55

What are the default retention period, and min and max that you can set SQS message retention to?

Answer 55

Default is 4 days. You can set it from 1 minute to 14 days.

Question 56

You can configure a Kinesis Data Stream to keep records for a maximum of ……………… days.

Answer 56

365

Question 57

A CloudWatch Alarm set on a High-Resolution Custom Metric can be triggered as often as ………………….

Answer 57

10 seconds

Question 58

Which API call allows you to push custom metric data to CloudWatch?

Answer 58

PutMetricData

Question 59

By default, when do CloudWatch Logs expire?

Answer 59

Never

Question 60

What should you do to configure X-Ray Daemon to send traces from multiple AWS accounts to a central AWS account?

Answer 60

Create an IAM role in the central account, and then create IAM roles in the other accounts to assume this IAM role.

Question 61

By default, the X-Ray SDK records the first request ………………, and ……………… of any additional requests.

Answer 61

Each second, 5%

Question 62

What is the KB limit forLambda environment variables?

Answer 62

4KB

Question 63

How do you declare a Lambda function in a CloudFormation template?

Answer 63

Upload all the code as a zip file to an S3 bucket and refer to the object in AWS::Lambda::function block

Question 64

The maximum size for a Lambda function /tmp space is …………………….

Answer 64

10240 MB

Question 65

What can be the targets for an Application Load Balancer?

Answer 65

EC2 Instances
ECS tasks
Private IP
Lambda function (HTTP request is translated into a JSON event)

Question 66

What can an ALB route traffic based on?

Answer 66

URL Path
HostName
Query String, Headers

Question 67

Can IAM user groups be part of other user groups?

Answer 67

Negative