Mixed Flashcards
Iam
Identity federation PCI payment card industry Password rotation Temp access Multi factor authentication
Policies
Assigned to role, group or user
When a user is created we get
Access key id
Secret access key
Password policy
Life cycle management
Complexity
True or false: Link to log in through iam is customizable?
True
Role
Can be assigned to an Iam user in another account
An aws resource
Application running on the resources
True or false: ec2 is region based
True
5 types of ec2 pricing models
On demand, Reserved, Spot, Dedicated, Savings plan
On demand ec2 pricing model
Pay per hour or sec depending on the instance
Reserved ec2 pricing model
1 or 3 years of prepayment and commitment
Called RI
For predictable load
RI, convertible RI and scheduled
Convertible RI vs RI vs Scheduled
Convertible: you can change the power or type of ec2 as long as you are spending the same amount or higher
Scheduled: you schedule it for a certain time
Convertible up to 54% off
RI up to 72%
Spot ec2 pricing model
You bid on it and whenever it matches your bid price, it assigns you the ec2
If you stop, you have to pay for the resource; if aws stops you, you don't pay for the rest of the hour
It's for tasks where interruption doesn't matter
Can be used for calcs, parallel computing
Up to 90% discount
Dedicated ec2 pricing model
License and compliance
On demand or reserved
Reserved up to 70% off
Saving plan pricing model
Not just for ec2
Not region based
Commit for 1 to 3 years and get 72% off
You can change the type, the region,…
Ssh port
22
Http port
Port 80
True or false: When making an ec2 we can decide what happens if we shut down the instance. Shall it be terminated or stopped
True
Different types of ec2 instances
General purpose, Micro, Compute optimized, Fpga, Gpu, Machine learning, Memory optimized, Storage optimized
General Purpose instance
For general purposes, start with T1, T2
Micro instance
Instance for testing or low i/o throughput and low network performance
First 750 h is free for the first year
1 virtual cpu
Less than one gig memory
Cheapest
Starts with m
Compute optimized instance type
Starts with C
It has the highest rate of Cpu to memory
Good for apps that need analysis and high performance apps
Fpga instance
Hardware accelerated instance
Good for parallel computing and finance
Starts with F
Gpu instance
Good for graphics
Starts with G
Image rendering and media processing
Machine learning instance
Good for machine learning, language processing
Uses ASIC (application specific integrated circuit)
Custom-built cpu
Chip is called inference
Starts with Inf
Memory optimized instance type
Cheapest Ram per G
Starts with Z, X or R
For DB applications and memcache
Storage optimized instance
Start with H, I or D
Good for apps that need higher io or storage capacity
I3 is good for nosql
D3 is for warehouse
Directly attached storage blocks to ec2
True or false: ebs is region based
True
Whats Ebs
Disk on the cloud
Availability zone sensitive
Replicate themselves into other zones, to avoid single point of failure
Different types of EBS
General purpose, Provisioned iops, Provisioned iops 2, Throughput optimized HDD, Cold HDD, Magnetic storage
General purpose ebs
It’s for development or not latency sensitive
3 iops per g
Max iops 16000
Burst 3000 iops
Provisioned iops
SSD
50 iops per g
Max 64000 iops per g
Good for io intensive apps - DB or Io sensitive
Durability: 99.9%
Iops SSD 2 EBS
500 iops per G
64000 iops per G max
Higher durability 99.999%
HDD - throughput optimized ebs
Good for big data, data warehouse and log files
Cannot be a boot volume
Good for low frequency accessed data
40 mb per sec per T
Burst 250 mb per sec per T
Max 500 mb per sec per T
Cold HDD ebs
Good for archive
Can't be a boot volume
The cheapest
12 mbs per T
Burst 80 mbs per T
Max 250 mbs per T
True or false: encrypted EBS image is always encrypted
True
True or false: Changing ebs type or zone or adding a new ebs takes time to take effect
False - it’s immediate and requires no down time
Different kind of load balancer
Application load balancer
Network load balancer
Classic load balancer
Application load balancer
Layer 7
SSL / TLS level
Application aware
Routes the traffic to specific page
Network load balancer
Layer 4
Most expensive
Routes TCP traffic pretty fast
Can handle a mil per sec
Fast speed, used for extreme performance
Classic load balancer
Both layer 4 and 7 (x-forwarded-for and sticky session)
Hard to debug a 504 error: which layer is the error at?
Not as smart as other load balancer
How to find ip address when using load balancer
X-Forwarded-For header
What is 504 error
Means the gateway has timed out
Application is not responding within the timeout time
Https port
443
True or false: Load balancer target can be all Availability Zones
True
True or false: Adding roles to an instance or changing policies assigned to a role requires a reboot to take effect
No, no need to reboot. It takes effect immediately
What is Aurora?
Amazon relational DB
It doesn’t support free tier
OLAP VS OLTP
Olap is for extensive data analysis. Data warehouse.
Redshift is an olap
Oltp: for small frequent queries
Different kind of cache supported by elasticache
Memcache
Redis
Widely adopted memory object cache
Memcache
Which elasticache engine supports complicated data structures
Redis
Which elasticache engine supports multi az
Redis
Redis
Open source, in memory Key value Cache engine
It supports multi az, and data lists and other data types
Redis clusters are stateful entities
Memcache
Object caching system
Widely adopted
What elasticache engine to use if primary goal is object caching?
Memcache
What elasticache engine to use if primary goal is simplicity?
Memcache
What elasticache engine to use if primary goal is running large caching nodes and multi threaded performance?
Memcache
What elasticache engine to use if primary goal is expanding your cache horizontally?
Memcache
What elasticache engine to use if primary goal is using advanced data types?
Redis
What elasticache engine to use if primary goal is using leaderboards or sorting and ranking data sets?
Redis
What elasticache engine to use if primary goal is persistence of the key?
Redis
What elasticache engine to use if primary goal is running on multiple availability zones?
Redis
What elasticache engine to use if primary goal is having pub sub capability?
Redis
If DB is under stress and load is read only mostly what we should do to help?
Caching - elasticache
Def port for connecting to DB is
3306
To open RDS port to an ec2 what needs to be done?
Open inbound rules on the ec2 security group - port 3306
True or false: When RDS is created, you only get endpoint url not ip address
True
Rds backup types:
Automatic - by def on
Retention time is 0 to 35 days - def is 7 days
You can back up to any time of the day
When rds instance is deleted, backup is deleted
Backup is saved on S3 - free s3 with the size of the backup
Time of getting backup is changeable
Manual
Manually triggered
Doesn’t del the back up when rds instance deleted
How to restore from rds backup
Create a new instance from the backup. That gives you a new endpoint
True or false: you can encrypt an unencrypted rds instance
False - you have to get a snapshot, create a new instance and make that encrypted
How an rds instance get encrypted
At rest - using KMS
True or false: once an rds instance is encrypted, the backup (automated and manual) is encrypted too
True
Encryption at rest is supported for what RDS types
Sql, mysql, Aurora, mariadb, postgres, oracle
Read replica vs elasti cache
Elasticache: data can get old, and is only available if it's been seen before. With a replica, data gets updated on the replicas more frequently.
If you have a lot of frequently changing data, a replica is better.
Difference between multi az and read replica for rds
Multi az is for disaster recovery
Read replica is for performance
Multi az is sync
Read replica is async
Multi az for rds
It means data is being replicated in different availability zones in case one fails the other takes over
Endpoint never changes but ip changes. That’s why we deal with endpoint
It can be turned on from the beginning or when changing an rds instance
Read replica
We can have up to 5 replicas
Good for heavy read loads
Update happens async
We can have read replica of multi az
We can have multi az of read replica
Read replica can turn into a real db. If we have too many or need a copy of db
Not available for sql and oracle
Replicas can be in different regions and zones
Automatic backup must be on when using read replica
Read replica can be encrypted even if the main version of rds is not encrypted
Copies are read only
True or false: read replicas are read only
True
True or false: read replicas are only in one region and zone
False. Can be in multiple regions and zones
True or false: to have a read replica encrypted the main copy must be encrypted
False.
True or false: you must have auto backup on if you want to have a read replica
True
How many read replica can we have
5
True or false: Multi az is for performance improvement of rds
False only for disaster recovery
True or false: read replicas get updated immediately
False- it happens async
Is s3 bucket object based or block based?
Object. Ebs is block based.
True or false: s3 is only used for objects not for os or db
True
True or false: high availability and disaster recovery is built in s3 bucket
True
S3 bucket file size range? And max size it can handle in one upload
0-5 t
5 g
Size range for Multi part upload for S3
5meg to 5 t
Recommended for over 100 MB
Api response after successfully uploading a file into s3
200
True or false: s3 is not scalable and has a storage limit
False
It’s scalable and it has unlimited storage
S3 bucket, reading models
Eventually consistent- put (update) and del
Read after write consistent- put for new file
S3 availability and durability
Availability 99.9 guaranteed, built for 99.99
Durability 9.9 (11X)
Access control vs bucket policy
Access control- individual files
Bucket policy for the whole bucket
Different kinds of S3 bucket
S3 Durability 99.9 x11 Availability: 99.99
S3 IA - same durability, availability: 99.9 - paid retrieval
S3 one zone IA - Availability: 99.5 Durability the same - 20% cheaper
S3 glacier - archive - retrieval configurable mins to hours 99.99
S3 intelligent tiering - it decides based on 30 days frequency of access - same D, A: 99.9
0.0025 usd for managing 1000 files
S3 deep archive glacier - min 12 h retrieval- the cheapest - A:99.99
Outposts - on premise local access
Reduced redundancy - when data can be retrieved easily
Charges involved with s3
Access requests, Storage space, Moving files, Tagging - storage management, Transfer acceleration
True or false: S3 can have access log and versioning enabled
True- you can see who called apis
We made a file public on s3 but still not accessible what can be wrong
You need to allow public access on policy
Encryption on S3
In transit - ssl tls transport layer
At rest
Aes 256 - Sse - aws is responsible for key management and protection
Kms - kms does the key management and generation
Sse-c client key is being used for encryption
Client side client does the encryption and send the data
S3 request header for encryption
X-amz-server-side-encryption
Expect in s3 bucket request
Don't send the message if the header is rejected
What’s the s3 bucket url format
S3-region-amazonaws.com/ bucketname
What’s CORS
For cross origin resource sharing
When you want to give access of a resource in two different buckets
Under permission you need to give access to the website url - endpoint
Stops cross-site scripting attacks
S3 website url format
Bucketname-s3-website-region-amazonaws.com
Cdn vs content acceleration
Content acceleration uses cdn edges to expedite uploading files into s3 bucket
What’s cdn
Content delivery network
There are edges in different regions and zones
Edges are readable and writeable
Distribution is a group of edges
What’s distribution and how many types we have?
Group of edges
Web distribution for web content
Rtmp real time messaging protocol for streaming and adobe
True or false: we can have different resources per cdn edge
True - load balancer, ec2, s3, route 53 and your own server
True or false: after activating cdn, you should remove direct access to the resource
True
What’s ttl and is it changeable
Ttl is expiration date for cdn content
You can manually request the edges to refresh the data, but costs you money
How many edges in how many countries
More than 100 in 25 countries
What to do if we want to have restricted access
Setup cdn to Use signed url - signed cookies
Can cdn have its own domain
Yes
Waf
Web firewall application
Works like firewall- application layer layer 7. Avoids sql injection and ddos
Blocks cross-site scripting attacks
Blocking IP addresses
Cdn default and max ttl
24 h and 365 days
When to optimize performance of s3 by cdn?
If more than 5500 get or 3500 put / list /del it’s time to use cdn to optimize
What’s lambda
Serverless computing service
What languages lambda supports
C# Java Go Python Node.js
Lambda pricing model
Requests: First 1 mil requests are free
After .20 per mil
Duration of execution - per GB per second, rounded up to 100 ms
Example of serverless services
S3, lambda, dynamodb, api gateways
True or false: lambda is region-based but can work globally
True
True or false: Xray is for debugging lambda system
True
True or false: api gateway can have def url or custom
True
Does aws support ssl certificate
Yes, and it’s free
Does api gateway connect to cloudwatch
Yes, to log calls and stuff
Does api gateway have caching?
Yes and ttl.
What security mechanisms can you use for api gateway
Aws Iam
Open
Open with key
Does api have versioning?
Yes it does. Latest label is for the last one.
True or false: after creating an api we need to deploy it
True
True or false: we can’t have versioning in lambda
False
Each version of lambda function has a label and a unique Arn.
True or false: lambda functions are immutable
True. Meaning any change must happen on new version
True or false: lambda functions can be run concurrently
True
There is a limit per account per region. 1000 per reg per acc
If you go over, 429 error is returned
TooManyRequestsException
You can use reserved concurrency to make sure a function always gets its own required number. Not a good idea though, because it cannot go above that number
What’s reserved concurrency for lambda functions
It means we have a certain capacity out of 1000 assigned to a specific func to ensure it always runs. Not good because it limits the function to that number
If we want to do ab testing on lambda what’s the process
We can't use latest. We need to create two versions and then name them with aliases, then do ab testing
Lambda and vpc what do we need for setting up the connection
We need to setup eni (elastic network interface)
We need security group and private subnet ip
--vpc-config SubnetIds=xyz,SecurityGroupIds=secgro
What is step In lambda
It’s used to trigger the function, log and visualize the info and what happens and it can do sequential, branching or parallel
What’s xray
It’s added to code for logging all interactions between resources, and logs all api calls and all responses to log all the info.
What do we need to integrate with xray on our server or system
Xray sdk and daemon
Sdk for gathering info and sending them to daemon
Daemon for queuing them, batching them and sending them back to aws
X-ray is configurable with what services?
Ec2, or on premises on your own system
Elastic Beanstalk - on ec2
Container - separate container is needed for xray
Annotations on logging
Extra data we can send along with a request. They are key-value pairs, and can be used with a filter expression to find the data.
Can we import batch of Apis
Yes, apis are importable in case we are moving to aws
Can you change the max number of concurrent lambda functions?
Yes through support
How can you upload api file into aws
Swagger 2
Openapi v2 and v3
What’s the highest number of api call?
5000 concurrent
10000 per sec
If it goes over 428 error will be returned
What to do if we have old soap requests? For legacy systems
You can configure api gateway as a soap web service pass through
To create a new api what's the api call
Post - with swagger in payload - and endpoint configs
What’s the api call for updating / replacing
Put api and swagger in the payload.
Mode query param, You can decide if you want to replace or update existing api.
What’s dynamo db
Fast and flexible nosql db
Where do the dynamo db collections sit?
Ssd
How dynamo db avoids single point of failure?
The underlying hardware supporting dynamo is spread across 3 regions
What are the dynamo db consistency models?
Strongly consistent
Eventually consistent - consistency reaches within a sec - good for read performance
Different types of primary key in dynamo db
Partition key - hash func to define physical partition
Composite key - partition key and sort key
How to control access on dynamo db
Iam role
Iam condition to give partial access to the table
LeadingKeys param is used
Is partition key value in dynamo db collection changeable?
No
Different indexes on dynamo db
Local secondary index - created when table is being created - cannot change - it has the same partition key - sort key is different
Global secondary - it can be added or changed later - it has a different partition key as well as sort key
Languages supported by dynamo db document
Html, xml, and json
Query vs scan
Query returns all the results that we can filter - scan returns based on criteria - projection expression
Are Query results showing up ascending or descending?
Ascending - if we want to change the order we have to set ScanIndexForward to false
Can we change the results order on scan
No, only query result order is changeable
How to improve performance of dynamodb
Decrease the size of the results for each page
Call queries rather than scan
Use fewer large queries rather than many small ones
Api to get items - query
BatchGetItem
How can you improve scan speed on dynamo db
By making the process parallel. Parallel scanning can happen by changing the config however if another process is already doing it, you should avoid
By def scanning happens sequentially. Meaning 1 MB then another 1 MB.
Dynamo db capacity unit:
1k per sec for writing
4k for reading strongly consistent
4k * 2 for reading eventually consistent
Dynamo db pricing models
Provisioned - specific capacity unit
On demand - pay as you use. Good when using serverless, or you have unpredictable spike
What’s dax
Dynamo db specific cache
Fully managed in memory cache
Micro sec performance over 1 mil requests
10x performance
Write through cache
Eventual consistent
If we want strongly consistent it's not good
True or false: dax is good if we want strongly consistent read from caching
False - it’s eventual consistent
True or false: dax is cluster based
True
True or false: memcache is cluster based
False
Strategies for caching:
Lazy loading
When user requests, if the data doesn’t exist, it will be retrieved.
Advantage:
unnecessary, unused data won’t be saved in db
Disadvantages:
Data can get old - need ttl
Read penalty - cache miss
Write through
It writes every time we write new data or update data
Advantages:
Data is new always updated
User can tolerate wait on write rather than read
Disadvantages:
Not used data gets saved
When data is deleted, db doesn't know to replace. We must use lazy load along with it
Write penalty
True or false: memcache support multi az
False - that’s why it’s not good if we care about not losing data
What does atomic transaction mean in acid
Means either all transactions happen, or none
What the period for data to be delete from db after ttl reaches
48 hours
Ttl is good for
Log data
Session data
Temp data
What’s ttl unit
Epoch - unix posix
From jan 1 1970
What’s dynamodb stream api
It's time-based item-level modifications - del, add, update…
It’s great for serverless system and for trigger based systems
It has its own domain endpoint
By def, primary key is recorded
Logs are encrypted at rest
True or false: dynamodb stream api is good for serverless services
True. Good for triggering system
How long dynamodb stream api log is saved encrypted
24 h
What is ProvisionedThroughputExceeded
When you send too many read or write requests to dynamodb
How dynamodb sdk or our app deals with ProvisionedThroughputExceeded
Either we use the sdk, which keeps retrying and decreases the sending rate.
Or our application does exponential back off. Meaning every time it doubles the delay
If it keeps failing for 1 min, it exceeds the throughput capacity
Is exponential backoff only for dynamodb
No, any service that the app uses sdk. The sdk does that
What to do if dynamo db is stressed?
If too many writes, look at throughput capacity - you can contact support to increase
If read, use elasticache or dax
What’s CMK
Customer master key which is used for encrypting the envelope key / data key
Whats data / envelope key
It’s used for encrypting the data
True or false: Deleting a key on kms would del the key immediately?
False. It has 1 week grace time
You can schedule key deletion between how many days?
7 days to 30 days.
Key has to be disabled before
What does cmk have?
Alias, Description, State, Date, Content
True or false: cmk cannot be exported
True
True or false: if you want to export the cmk key, you need to use hsm.
True - it’s a dedicated hardware, it’s way more expensive than cmk
What’s the first service of aws
Sqs
True or false: sqs is auto scaleable
True
Is sqs pull based or push based?
Pull based
True or false: if a resource processing a message from sqs dies, msg goes back to sqs so another one takes over?
True
Max msg size for sqs
256 k - if bigger msg saves on s3
What’s sqs visibility timeout
30sec by def can be increased to 12 h
Sqs retention period (keep the msg)
1 to 14 days def 4 d.
Sqs data polling type
Long polling - no empty response - waits till msg is in
Short polling - if no msg, returns null. Def option - not good for saving money
Different type of sqs
Standard
- not guaranteed receiving order
- msg can get delivered multiple times
- no limitation on the number of msg per min
Fifo
- Good for banks
- Max 300 per sec
- Order guaranteed
- One time delivery guaranteed
What do you subscribe to when using sns
Topic
True or false: sns can fan out msgs to multiple methods.
True
Pricing for sns
.5 for 1 mil sns requests
.06 100k http notifications
2 for 100k email
.75 over 100 sms
What is sqs delay queue
For delaying messages. 0 sec to 50 min (900 sec)
Does changing delay value on sqs, affect the existing messages?
For standard no
For fifo yes
What size of the sqs msg is large that needs to be saved on s3
256 k to 2G
What do we need to handle large messages on sqs
Sqs extended lib for java
Sdk for java
S3 bucket
Ses
Simple email system - for sending emails or receiving emails
Incoming email are being delivered to S3 bucket
Can be used to activate lambda or sns
Sns vs ses
Sns is for receiving
Ses for receiving and sending
Sns for fanning out to large number of different recipient
They both can trigger lambda
Sns needs subscription to a topic
Ses only email address needed
Sns for all different services ses only email
Kinesis
It’s a streaming data service
Gathers and analyze data from different resources
Different kinds of kinesis?
Kinesis streaming
Kinesis firehose
Kinesis analytics
What’s the retention for kinesis stream?
24 hours by def. can change up to 7 days
What is shard on kinesis?
Data record holder - provides fixed unit of capacity. Can change the capacity by resharding
Kinesis stream
It’s for streaming data - we have video streaming too
It has shards which gather the data records, consumers which analyze the data, and eventually storage to save or cache the data.
Realtime analysis
What does kinesis consumer have
Kinesis client lib and data record processor
Processor processes the data
And client lib decides the number of processor needed, recognizing shards when resharding happens and keep track of them
What is the ratio of kinesis shard / data record vs record processor
They are equal. However that doesn’t mean number of consumers have to be the same.
What decides the number of kinesis record processor?
Number of shards. Number of consumers is based on the cpu power. When cpu power is high, we can have multiple record processors on each.
The important point is that, number of records has to be equal on consumers
True or false: number of shards can be less than number of consumers
False - worst case it’s equal.
True or false: number of record processor can be different on multiple kinesis consumers
False
Firehose kinesis
It’s the most automated version of kinesis
No worries about shard and consumer
Data is being analyzed semi real time and then saved to s3 or elasticsearch. From S3 it can go to redshift
Kinesis analytics
It lets you run queries on data existing on kinesis stream or firehose.
The result goes in s3, elasticsearch and redshift
Elasticsearch
It’s for storing, searching and analyzing huge volume of data
Different beanstalk deployment policies
All at once Rolling Rolling with additional batch Immutable Traffic splitting
Beanstalk roll at once deployment policy
Deploy in batches - one batch goes down for an update. Not good for mission critical
Failure, you need to roll back
Beanstalk immutable deployment policy
Meaning create a new batch in a new auto scaling group and have it updated with new revision. Then kill the old one once passed the health check
Beanstalk split traffic deployment policy
Immutable style, only the config enables canary testing / A/B testing
What scripting language beanstalk support
Json and yaml
It has to be put in a .config file under the
.ebextensions folder, under root.
What are the ways of integrating rds with elastic beanstalk
Set it up with the stack on eb. That's not good: the rds will be dependent on the beanstalk lifecycle. Once eb is removed, rds is removed
Other way would be creating externally and using security group and network info, connect to the beanstalk.
What’s file gateway?
It’s like a file system to be mounted on s3 bucket
Where do we save the params
Parameter store
Aws waf vs shield
Shield is for ddos attacks
While waf is for application firewall
Macie
It’s for data loss prevention and protecting sensitive data
It uses machine learning
What’s the max long poll timeout?
20 sec
Code integration tool
Code commit
Code deployment tool
Code pipeline
Code delivery tools
Code build and code deploy
True or false: codecommit works with https and ssh and it can work with sns for notifications
True
Code deploy methods:
In-place update:
The instance will be stopped, new version gets installed
Great for first time
Bad for capacity sensitive systems
Blue green:
A new set of instances in a new sec group will be installed.
Green color is the new set
Pay extra short term for the second set
Load balancer switches from blue to green
Deploy appspec file
It’s for codedeploy
It includes param for deploy
Yaml or json if lambda is the target
Or yaml only on ec2
Code deploy Appspec file format
Version
Os
Hook
Files - scripts
Code depoly spec file
Appspec.yml has to be placed in root
Code deploy config file hook category
Before blocking traffic
Block traffic
After blocking traffic
Application stop
Download the files
Before install
Install
After install
Application start
Health check
Before allowing traffic
Allow traffic
After allowing traffic
What accesses needed for code deploy
Create iam for ec2 accessing s3
Create a role codecommit accessing ec2
What’s ecs
Elastic container service
True or false: for code deploy we need to have the codedeploy agent on our system?
True
Ecs features
Scaleable
Maintainable
Fault tolerance
Container parts
Virtual kernel
Code
Libs
Ecr
Elastic container registry
Image registry
Ecs platforms
On ec2
Or
Fargate (serverless)
Steps to create docker on aws
Create a cluster
Create image repo to hold on images
Docker build -t, docker tag, docker push
Create task definition
Create service
Codebuild specfile
Buildspec.yml
Format: Pre-build, Build, Post-build
Has to be in root
Can you update buildspec from codebuilt through aws website?
Yes, either buildspec.yml or on the insert console
If codebuild fails what shall we check?
Console and cloud watch
Can we Deploy docker through elasticbeanstalk?
Yes either one docker or multiple through cluster
What format of file is used for cloud formation and where the file is being saved?
Json and yml; it gets saved on s3
True or false: Aws to create resources based on cloud formation template calls apis
True
True or false: the result of cloud formation is called stack
True
What in a cloud formation file is mandatory
Resources
What’s the usage of transform in cloud formation
Using external scripts or s3 files
Output in cloud formation template
It’s for spitting out output for another stack
What’s the process of deleting a stack
Del stack through console and then del the s3 template file
What’s sam
Serverless application model - cloud formation for serverless
Such as lambda, dynamo db, s3 and apis
How to build and deploy sam package?
Sam package to convert cloud formation yml file to Sam friendly format
Sam deploy
What to add to cloud formation template to define Sam
Transform: aws::serverless-…
Resources:
Type: aws::serverless::function
Handler: index.handler holds the function
Nested stacks
Created stack from another stack
It allows reuse of cloudformation stack template
How can we reuse a cloud formation
Nested stack
True or false: When we want to refer to an ec2 when creating a container, we have to use tags
True
Nested stacks template parts:
Templateurl: mandatory
Timeout: by def no timeout. But timeout is for how long the cf wait until it stops.
Notifications ARN: SNS
Parameters: what needs to be passed to CF
By def, if cloud formation stack creating fails what happens and what are the options
Def: full Roll back
Keep until it’s created.
Nested stack indicator
Type: aws::cloudformation::stack
Cloudformation template parts
Version, Description, Metadata, Parameter, Transform, Conditions, Mapping, Resources
What's the index.handler on the cloudformation template for Sam
It’s for the function for the serverless lambda functions
What is Web identity federation
Let user login with social media, then get a token and exchange the token with temp creds
What’s Cognito
Enables web identity federation for mobile app
Syncs user data between apps
Acts as an identity broker
Maps a token to an iam role
User doesn’t need to keep the user pass locally
User pool and identity pool on cognito
User pool lets users sign up or sign in using social media
Identity pool lets users exchange a token for aws creds
How does cognito keep the user data synced between different devices
By sending silent push notifications - sns
Different kinds of iam policies
Managed policies - not changeable, managed by aws, recommended policy, can be shared between users, roles and groups
Customer policies - managed by customer
Inline policies - only for a single user, group or role. Once that's deleted, the policy goes away
What is AssumeRoleWithWebIdentity
It's an api provided by STS (security token service) - it is used with web and creates temp tokens for signed in users
Api returns an ARN which can be used when referring to temp creds, also creds that include access key id, secret access key, expiration date and security token
Cross account access
When you are on one account and want to give access to another account - iam can be used
What’s the process on giving access to another user in another account
Create a policy and assign the policy to a role that can be used in another account
In other account. Create a user, assign that user to a group. Add a new policy to let the group members use the role. Policy: assumerole
Cloudwatch
To watch cpu, disk (just the throughput not consumption) network and status check for ec2 instance
What’s the standard frequency of doing cloudwatch monitoring?
5 min, paid 1 min
How long cloudwatch log is retained?
Indefinitely unless you changed
Can we pull cloudwatch logs after deleting the resource
Yes
Can we have alarms for CloudWatch?
Yes, we can use SNS to trigger Lambda or send SMS
Can CloudWatch be used on premises?
Yes it can. The SSM agent and CloudWatch agent are needed
How do you pull CloudWatch logs?
GetMetricStatistics API or other third-party APIs
Difference between CloudWatch vs CloudTrail and Config
CloudWatch is for performance
CloudTrail is for monitoring API calls - who provisioned what... and Config is for checking the history of permissions and configs such as security groups - the state of AWS
xxx is a server error; what’s the first digit if the error is a client error vs a server error?
Server error starts with 5 while client starts with 4.
What’s the max Lambda timeout?
900 sec, 15 min
What tool should you use if you want to figure out which IAM policies are granting too much access?
IAM policy simulator
What’s S3 replication?
It’s for automatically and asynchronously copying objects across S3 buckets. It can be in the same region, a different region or even a different account
You need to provide a destination bucket and an IAM role to write to the bucket
Versioning must be enabled. You can replicate within the same storage class or to a different storage class
What sits in .ebextensions?
Custom variables
How to upload and deploy Lambda code?
Zip and upload through the Lambda console
Zip and put in S3 and have Lambda download from there
Copy and paste the code in the editor
Write a CloudFormation template and deploy the environment along with your code
Lambda is not supported by Beanstalk
Lambda can be triggered async and sync. What services call it sync?
Load balancer Cognito Lex Alexa Api gateway Cloudfront Kinesis
What if Lambda code needs libs that aren’t standard and available?
Make a deployment package of code and libs, upload to an S3 bucket and then to Lambda, or directly to Lambda if less than 50 MB
What is Cloud9?
It’s a cloud-based integrated IDE that lets you write and debug code
What’s CodeStar?
For code development, build and delivery
Permissions for a Lambda function that connects to a resource in a VPC
- configure a security group allowing the Lambda to access the resource
- give the execution role permission to let Lambda create an ENI (elastic network interface)
- set up Lambda to connect to the subnet used by EC2
What’s the best option for saving session data / session state?
DynamoDB and ElastiCache - they’re flexible.
EC2 is not scalable for session data
Lambda can’t save session state.
How to calculate the number of reads/writes in bytes if I have RCU or WCU
Just multiply RCU by 4K (and 2 * 4K for reads) and WCU by 1K
What’s the formula for WCU and RCU?
WCU = number of writes * size of item / 1
RCU = number of reads / 2 (if eventual) * size of item / 4
Docker build and tag commands
docker push $repourl:latest
docker build -t $repourl:latest .
What are web containers?
Passenger, Puma and Tomcat
Elastic Beanstalk supports what languages?
Java, Node, PHP... web containers and Docker containers with multiple configs
What’s the way of rolling back an in-place code deploy?
Redeploy the previous version of the code to the nodes
What service allows you to run applications without knowing the underlying structure?
Elasticbeanstalk
What service lets you improve network availability and performance?
Global Accelerator
True or false: CloudFront lets you improve speed if you use it along with API Gateway to assist with geographically disparate calls
True
What’s the IAM policy simulator used for?
You can test and troubleshoot IAM and resource policies attached to them. You can test which actions are allowed or denied.
What’s NAT?
Network address translation
It’s for letting resources inside the VPC access the outside; at the same time it prevents the internet from accessing or connecting to instances inside
True or false:
What’s an internet gateway?
It provides direct access / connectivity to the public internet
Thus it makes the subnet public
Bastion host vs NAT
Bastion host allows inbound access to authorized IPs and users
NAT allows instances within the VPC to go out to the internet
NSG
Network security group allows or denies network traffic on port 1433
True or false: best practice is creating the RDS DB on a private subnet
True
True or false: Cognito is used for multi-device login, handling their sessions and limiting the number of devices on streaming services
True
What’s Cognito good for?
Limiting access by number of devices
Logging in and identifying the users
Tracking when users access the site and their devices
Why is it good to have SSL installed on the load balancer?
Because it removes the complexity of installing it on all instances, and it’s easier to remove or disable
Takes the load off of EC2
How to stop people uploading unencrypted files to an S3 bucket?
Add a policy to only allow PUT operations with x-amz-server-side-encryption
Tool to test if the policies work as expected
IAM simulator
What is a sticky session?
Saving sessions on the nodes locally. When the load balancer receives the request it routes it to the proper web server that already has the active session
It’s good because it sends the client back to the same web server.
It’s bad because if the node crashes, the session is gone. Also bad because if we want to expand the number of nodes, the load balancer still sends the requests to the same old web servers. That makes load balancing spread the load unequally.
What is distributed session management?
Key-value, in-memory. Redis and Memcached
Fast and scalable. The drawbacks are added network latency and cost.
What’s the API to gain access to a resource?
STS: AssumeRole returns temp creds to access it
How to decrease a website’s cost?
Moving to serverless is the most cost effective
Scale in when not needed
Adding CloudFront increases the cost
Who on Elastic Beanstalk is responsible for applying patches and updates to the platform?
AWS
In Beanstalk, application and data security responsibility is on?
Developer
On Elastic Beanstalk, responsibility for publishing platform policies and the retirement schedule is on
AWS
On Elastic Beanstalk, responsibility for any component that’s required by your app and that you downloaded is on
You
If data is constantly saved on S3 and RDS, what’s the most cost-effective EC2 pricing model?
Spot
You deployed something on Lambda, it went wrong, how would you roll back?
Remap the PROD alias to point to the previous version of your function
True or false: An EBS-backed instance can be stopped and restarted without losing data
True
True or false:
Using the SQS extended lib, you can create an S3 bucket and move messages there
False
What’s the SQS extended lib for?
For adding messages to S3, deleting, referencing, deciding if a message is 256K or not
Ways to optimize EBS
- increase throughput by joining multiple volumes together in a RAID 0
- for HDD, make sure to do it at a low-traffic time
- make sure EC2 instances are optimized for use with EBS
True or false: AMI ID is dependent on region
True
True or false: tags are a universal namespace
False
True or false: a CloudFormation stack can be used across different regions and different accounts
True
True or false: IAM roles are valid across your account
True
True or false: an image in one region is not accessible in another region. You will have to copy it. The ID will change after copying
True
Amazon Inspector
It does automatic security assessments and finds loopholes in specific resources, specific to EC2
True or false: Config keeps track of environment changes based on the rules you define
True, it’s a monitoring and governance tool
True or false: saving data in S3 as JSON is serverless but not fast
True
True or false: saving data on EC2 is not scalable
True
True or false: saving data in DynamoDB is fast, scalable and key-value
True
For greater scan and query flexibility you can create up to how many local secondary indexes?
5
True or false: Route 53 distributes traffic across regions
True
Difference between Application Load Balancer and Classic Load Balancer?
Both support sticky sessions and layer 7 (HTTP) load balancing. The classic one doesn’t work as an application-aware LB, meaning it can’t do routing
If we have microservices we need routing. Then an Application LB is better.
True or false: RDS cannot trigger Lambda directly
True. It can send a message to SNS, then SNS can trigger Lambda
True or false: S3 cannot trigger Lambda
False. It can trigger Lambda
True or false: CloudFront can trigger Lambda
True
True or false: Cognito can trigger Lambda
True
To do partitioning when saving to an S3 bucket
Use a random key before the date, or a random key prefix
True or false: X-Ray is to find bottlenecks in the app
True
To create an auto scaling group, what’s needed?
IAM permission - a role to be able to create the auto scaling group and create EC2 instances - and we need a template with the required AMI content.
How to manage access to API Gateway
1- resource policies - to allow or deny access from a VPC, user or IP address to methods
2- AWS IAM roles and policies - who can create and manage, as well as who can invoke the API or an individual method
3- create and configure a Lambda authorizer - about who can invoke methods using tokens
4- Cognito user pool - can create an authentication and authorization solution for who can invoke the methods
How can we listen to HTTP requests using Lambda?
Use API Gateway and configure it with proxy integration with the Lambda function
What does API Gateway Lambda proxy integration do?
It lets a user call a function from an API
True or false:
Subnets within a VPC can communicate with no extra routing required.
True
True or false: we don’t need a public IP for subnets to communicate
True
True or false:
Security groups block all network traffic by default
True
True or false: for MySQL, security groups, not IAM, are responsible for controlling traffic
True - port 3306
Dead letter SQS
Holds onto problematic messages for the sake of debugging
When credentials need to be encrypted and rotated frequently, the best practice is
Using IAM roles is good, and they are based on security tokens
Difference between optimistic conditional write vs pessimistic, and which one is proper for Dynamo
Pessimistic locks the row and table. Not supported by Dynamo. Optimistic doesn’t lock; it only reads to make sure it hasn’t changed. It’s good along with conditional writes. Supported by Dynamo
True or false:
An SQS queue can subscribe to an SNS topic
True
Athena
Serverless interactive query tool that makes it easy to analyze data in S3
True or false: Elastic Beanstalk is good for quickly developing environments including Docker
True
OpsWorks
Config management tool - it’s good for when you have multiple stacks and you want to use config tools
To update a build file name or location for CodeBuild, what to do?
Change buildspec.yml, update the project or start a build
Or update project would let you update the new location.
Where do the logs from Lambda go?
CloudWatch, and it’s already automated
You can see invocation errors too
Python writing into logs for Lambda
Stdout - stderr
AWS Inspector
Assesses security of applications deployed on AWS. It checks for exposure, vulnerabilities and best practices
What are API stage variables on HTTP requests?
They are for having one API with multiple stages
What’s DynamoDB Accelerator?
DAX - in-memory cache for DynamoDB only
If you want to do blue/green deployment, what service to use?
CodeDeploy and Route 53
What’s the version of a file if it’s uploaded before versioning is activated?
Null. Otherwise 1
S3 bucket permissions can be limited to a specific user from a website, how?
S3 bucket policy - GetObject permissions - Referer key
True or false: TTL on DynamoDB is not enabled by default and can be assigned to any attribute with any name
True
When to use scan vs query on DynamoDB
When you want all the rows use scan. It doesn’t matter if you want all the attributes, because ProjectionExpression does the job of filtering columns.
GetItem vs Query vs BatchGetItem
GetItem requires both partition key and sort key
Query only requires the partition key
BatchGetItem allows you to send multiple partition keys in a request
Lambda concurrency
Up to 1000 Lambda functions can run concurrently. 900 of them can be reserved to guarantee capacity, in case some actions happen at the same time
In Lambda there is AutoPublishAlias; what does that do?
It creates a new alias, creates a new version, points the alias to it and points all event sources to this alias.
Good for fast switching
DynamoDBCrudPolicy
It’s an AWS managed policy, better than full access
When to use a dead letter queue with Lambda
When Lambda is overwhelmed and missing processing of data coming from a stream
In order for a Lambda to communicate with an RDS in a VPC subnet, what do we need to have?
We need to have a role / LambdaVPCAccessExecution role