MyIndexCards Flashcards
Cognito Process
User authenticates with WebID Provider
Receives token
Token received for temp aws creds
Assume IAM Role
Cognito Process
Route 53
Lookup domain for host
DNS Domain
Route 53
Translates host name into an IP address
DNS Host
Local Secondary Index
Same partition key as
Base Index
Cognito
User directory for applications
Cognito User Pool
Cognito
With a federated identity you obtain temporary, limited-privilege AWS credentials for accessing AWS services
Cognito Federated
Cognito
Maps a user from identity provider to an IAM role
Identity Pool
SQS
Order is not guaranteed, and messages can be delivered more than once
Standard
SQS
Order is strictly maintained and messages may be delivered more than once.
FIFO
Cognito
Identity broker that handles the interaction between apps and the web identity provider
Cognito
Simple Notification Service (SNS)
Instant push of data that is flexible and inexpensive
SNS
S3 Security
Server-side encryption with customer-provided keys.
SSE-C
You give Amazon your own keys, which you manage.
S3 Security
AWS Key Management Service: You and Amazon manage keys together
SSE-KMS
S3 Security
S3 managed keys: Amazon manages keys for you
SSE-S3
S3
Eventual consistency for overwrite PUTs and DELETEs (changes can take some time to propagate)
You might see the older object, or a deleted file, until S3 catches up
S3
Read-after-write consistency for PUTs of new objects
As soon as you create an object it is immediately available to read
S3
Name of the object
Key
S3
The data itself, a sequence of bytes
Value
S3
This is important for versioning
Version ID
S3
Data about data
Metadata
S3
Capability that can be used to provide an additional layer of security.
MFA Delete
S3
Integrates with lifecycle rules
Versioning control
S3
Versioning is a great backup tool
Once it is enabled it cannot be disabled, only suspended
S3
Stores all versions of an object (including every write, and even when you delete an object)
Version Control
Authentication
Helps to protect the credentials needed to access databases, applications, services and IT resources. It enables users to easily rotate, manage and retrieve database credentials, API keys and other secrets throughout their lifecycle.
Secrets Manager
Sample Question
A developer is designing a web app that allows users to post comments and receive near real-time feedback.
What architecture meets this requirement?
AppSync: Create flexible APIs to securely access, manipulate and combine data from one or more sources. Users get the extracted data with real-time updates
–AND–
A DynamoDB table as the data store
Sample Question
What combination of actions would allow a developer to add sign-up and sign-in to an app?
*The app is required to make a call to a custom analytics solution to log user events.
AWS Cognito: adds user sign-up and user sign-in
–AND–
Execute a Lambda function to make an API call triggered by a post-authentication event.
Sample Question
What combination of services would allow users from ANOTHER AWS account to access REST APIs in an account?
Create a resource policy that allows access to the APIs from users in the other account, with requests signed using
Signature Version 4 (SigV4)
Sample Question
A developer builds an app that transforms text files to .pdf files. The text files are written to a source S3 bucket by a separate app. The dev wants to read the files from S3 as they arrive and convert them to .pdf using Lambda. The dev wrote a policy that allows access to S3 and CloudWatch Logs.
- What needs to be done so that the Lambda function has correct permissions?
Create a Lambda execution role with IAM and attach an IAM policy to the role. Then assign the Lambda execution role to the Lambda function.
Sample Question
A company has AWS workloads in multiple regions. A dev created an Aurora DB in us-west-1. The database is encrypted using customer-managed keys. Now the dev wants to duplicate the DB in us-east-1.
- How can this be accomplished?
Create a snapshot of the DB in us-west-1
Copy the snapshot to us-east-1 and specify the KMS key to encrypt the copy
Restore the database from the copied snapshot
Sample Question
Delays loading a record until it is needed. It first checks the cache and if the record is not present, the record is retrieved from the database and stored in the cache.
- What does this describe?
Lazy Loading
Sample Question
A developer is adding ElastiCache for Memcached to a company’s existing record storage app to reduce the load on the db and to increase performance. The developer has decided to use lazy loading based on analysis of common record handling patterns.
- What pseudocode implements lazy loading?
record_value = cache.get(record_key)
if record_value is None:
    # Cache miss: fetch the record from the database with a parameterized query
    record_value = db.query("SELECT Detail FROM Records WHERE ID = ?", (record_key,))
    # Populate the cache so the next read for this key is served from memory
    cache.set(record_key, record_value)
Sample Question
A developer wants to track the performance of an app that runs on a fleet of EC2 instances. The developer wants to view and track stats across the fleet such as average and maximum request latency. The dev wants immediate notification if the average response time exceeds a threshold.
- How can the developer accomplish this?
Configure the app to write response times to a log file.
Install and configure the CloudWatch agent on the instances to stream the app logs to CloudWatch.
Create a metric filter that extracts response times from the log.
View graphs in the CloudWatch console.
Create an alarm that sends an SNS notification when the average of the response time metric exceeds the threshold.
Sample Question
A developer is testing an app locally and has deployed it to Lambda. To remain under the package size limit, the dependencies were NOT included in the deployment package. When testing the app remotely, the function does not execute because of the missing dependencies.
- What would resolve this?
Attach a layer to the Lambda function that contains the missing dependencies.
Sample Question
A dev is building a web app that uses API Gateway and wants to maintain separate environments for dev and prod workloads. The API is backed by a Lambda function with two aliases: one for dev and one for prod.
- How can this be achieved with the LEAST amount of configuration?
Create one REST API and integrate it with Lambda using STAGE VARIABLES in place of a hard-coded alias.
Then deploy the API to two different stages: dev and prod.
Create a stage variable in each stage with the corresponding alias as its value.
Access the API using the different stage URLs.
Assessment
You have an app running on EC2 that needs read-only access to several AWS services. What is the best way to grant that app permission to only a specific set of resources in your account?
Launch the EC2 instances with an IAM role that has custom IAM policies granting those permissions.
Assessment
You have deployed a new app in the us-west (Oregon) Region. However, you accidentally deployed an Amazon Polly lexicon needed by your app to EU (London). How can you use your lexicon to synthesize speech while minimizing the changes to your app code and reducing cost?
Upload a copy of the lexicon to us-west (Oregon)
Assessment
When you're placing subnets in a specific VPC, you can place subnets
In any AZ within the region for the VPC.