Names (API, CLI, etc.)

Question 1

When requesting SSE-S3 encryption for objects sent so S3, what key-value pair must be present in the header?

Answer 1

“x-amz-server-side-encryption”: “AES256”

Question 2

When requesting SSE-KMS encryption for objects sent to S3, what key-value pair must be present in the header?

Answer 2

“x-amz-server-side-encryption”: ”aws:kms”

Question 3

What CLI option/flag should be used to simulate an AWS API call without using resources?

(Note: this option is not available on all API calls)

Answer 3

–dry-run

Question 4

You may get long error messages from failed AWS API calls. Which command is used to decode these error messages?

Answer 4

sts decode-authorization-message

Question 5

If you want detailed information on an EC2 instance, which URL should you query from that instance?

Answer 5

http://169.254.169.254/latest/meta-data

Question 6

If you want detailed information on the launch script of an EC2 instance, which URL should you query from that instance?

Answer 6

http://169.254.169.254/latest/user-data

Question 7

To use MFA with the CLI, which API call is used?

Answer 7

STS GetSessionToken

Question 8

To use MFA with the CLI, what CLI command is used?

Answer 8

aws sts get-session-token –serial-number arn-of-the-mfa-device –tokencode code-from-token –duration-seconds 3600

Question 9

When you upload objects to an S3 bucket encrypted with SSE-KMS, which KMS API call is used?

Answer 9

GenerateDataKey

Question 10

When you download objects from an S3 bucket encrypted with SSE-KMS, which KMS API call is used?

Answer 10

Decrypt

Question 11

If you want to invalidate part of your CloudFront cache, which API call can you use?

Answer 11

CreateInvalidation

Question 12

If you want to place ECS tasks on EC2 machines with the least available amount of memory (to minimize # of EC2 instances and save costs), fill in the Xs.

“placementStrategy”: [

{

“type”: X1,

“field”: X2

}

]

Answer 12

X1 = “binpack”

X2 = “memory”

Question 13

If you want to place ECS tasks on EC2 machines randomly, fill in the X.

“placementStrategy”: [

{

“type”: X

}

]

Answer 13

X = “random”

Question 14

If you want to place ECS tasks on EC2 machines distributed evenly across the ECS availability zone, fill in the X.

“placementStrategy”: [

{

“type”: X,

“field”: “attribute:ecs.availability-zone”

}

]

Answer 14

X = “spread”

Question 15

If you want to place ECS tasks on their own EC2 instances, fill in the X.

“placementStrategy”: [

{

“type”: X

}

]

Answer 15

X = “distinctInstance”

Question 16

If you want to place ECS tasks on EC2 only in us-east-1a and us-west-2b, fill in the X.

“placementStrategy”: [

{

“type”: X,

“expression”: “attribute:ecs.availability-zone in [us-east-1a, us-east-2b]”

}

]

Answer 16

X = “memberOf”

Question 17

To login to ECR using AWS CLI v2, what CLI command is used?

Answer 17

aws ecr get-login-password –region region | docker login –username AWS –password-stdin aws_account_id.dkr.ecr.region.amazonaws.com

Question 18

To push to Amazon ECR, what CLI command is used?

Answer 18

docker push aws_account_id.dkr.ecr.region.amazonaws.com/demo:latest

Question 19

To pull from Amazon ECR using the CLI, what CLI command is used?

Answer 19

docker pull aws_account_id.dkr.ecr.region.amazonaws.com/demo:latest

Question 20

The directory at the root of your EB project that contains all your .config files has what directory name?

Answer 20

.ebextensions/

Question 21

EB Single Docker requires one of two files in order to get the container up and running. What are the names of those two files?

(Bonus points, what’s the difference between the two?)

Answer 21

Dockerfile : (EB will build and run the container)

Dockerrun.aws.json (v1) : (Describe where an already built container is)

Question 22

An EB Multi Docker Container app requires a file with what filename to generate the ECS task definition?

(Bonus points: where should the file be located?)

Answer 22

Dockerrun.aws.json (v2)

(at the root of the source code)

Question 23

You want to create an EB custom platform. The filename of the AMI must be what?

Answer 23

Platform.yaml

Question 24

AWS CodeBuild reads build instructions from a file with what name?

Answer 24

buildspec.yml

Question 25

The CodeDeploy Agent runs deployment instructions based on a file with what name?

Answer 25

appspec.yml

Question 26

In CloudFormation templates, functions in are prefixed with Fn::

What is the .yml shorthand for function prefixes that’s used in place of Fn:: ?

Answer 26

!

Question 27

In CloudFormation templates, what is the .yml function for referencing parameters and resources?

(Bonus points: What do Parameters and Resources return?)

Answer 27

!REF

Parameters returns the value of the parameter. Resources returns the physical ID of the underlying resource.

Question 28

In CloudFormation templates, what is the .yml function for referencing the attributes of the resources you create? (ex: the AZ of an EC2 machine)

Answer 28

!GetAtt

Question 29

In CloudFormation templates, what is the .yml function for accessing values from key-value pairs listed in the Mappings section of your template?

Answer 29

!FindInMap

Question 30

In CloudFormation templates, what is the .yml function for importing values that are exported from your other CloudFormation templates?

Answer 30

!ImportValue

Question 31

In CloudFormation templates, what .yml function should you use if you want to generate the following output based on the given input?

Input: “ :: ”, [“Hello”, “World”, “!”]

Output: “Hello :: World :: !”

Answer 31

!Join

Question 32

In CloudFormation templates, what is the .yml function equivalent to the str.replace() method?

What is the syntax?

Answer 32

!Sub

!Sub

• String
• { Var1Name: Var1Value, Var2Name: Var2Value }

Question 33

In CloudFormation templates, what are the 5 .yml condition functions?

Answer 33

!IF

!AND

!OR

!NOT

!EQUALS

Question 34

To send custom metrics to CloudWatch, which API call is used?

Answer 34

PutMetricData

Question 35

To modify metric resolution in CloudWatch, which API call is used?

(Bonus points: what are the logging frequencies for Standard and High Resolution?)

Answer 35

StorageResolution

( Standard: 60 sec

High Resolution: 1/5/10/30 sec )

Question 36

To move log data from CloudWatch to S3, which API call is used?

(Bonus points: how long does the transfer take?)

Answer 36

CreateExportTask

(up to 12 hours)

Question 37

To test CloudWatch alarms and notifications, what CLI command is used?

Answer 37

aws cloudwatch set-alarm-state –alarm-name “myalarm” –state-value ALARM –state-reason “testing purposes”

Question 38

To upload segment documents to AWS X-Ray, which API call is used?

Answer 38

PutTraceSegments

Question 39

The AWS X-Ray daemon uploads telemetry with which API call?

Answer 39

PutTelemetryRecords

Question 40

To retrieve all sampling rules for X-Ray, which API call is used?

Answer 40

GetSamplingRules

Question 41

Which 3 AWS X-Ray API calls are considered Write APIs?

Answer 41

PutTraceSegments

PutTelemetryRecords

GetSamplingRules

Question 42

To get the main X-Ray service graph, which API call is used?

Answer 42

GetServiceGraph

Question 43

To retrieve a list of traces specified by ID in X-Ray, which API call is used?

(Note: each trace is a collection of segment documents that originates from a single request)

Answer 43

BatchGetTraces

Question 44

To retrieve IDs and annotations for X-Ray traces available for a specified time frame (using an optional filter), which API call is used?

(Note: to get the full traces, pass the trace IDs to BatchGetTraces)

Answer 44

GetTraceSummaries

Question 45

To retrieve a service graph for one or more specific trace IDs, which API call should be used?

Answer 45

GetTraceGraph

Question 46

Which 4 AWS X-Ray API calls are considered Read APIs?

Answer 46

GetServiceGraph

BatchGetTraces

GetTraceSummaries

GetTraceGraph

Question 47

To run X-Ray with EB, you can either set the option in the console or with a configuration file in DIRECTORY/FILENAME

What are the missing strings?

Answer 47

DIRECTORY = .ebextensions/

FILENAME = xray-daemon.config

Question 48

To allow cross account access to SQS queues for an AWS account with a principal of 111122223333, what key-value pair should be present in the IAM policy statement?

Answer 48

“Princical”: { “AWS”: [111122223333] }

Question 49

What does this IAM policy enable?

Answer 49

This policy enables an S3 bucket with a specific source account to write to this SQS queue.

Question 50

To change the message visibility timeout in SQS queues, which API call is used?

Answer 50

ChangeMessageVisibility

Question 51

Which SQS parameter determines the number of retries before a message is sent to the queue’s DLQ (if configured)?

Answer 51

MaximumReceives

Question 52

Which SQS parameter determines the number of seconds a message must stay in queue before it becomes visible to consumers?

Answer 52

DelaySeconds

Question 53

SQS Long Polling can be enabled at the queue level or at the API level using which SQS parameter?

Answer 53

WaitTimeSeconds

Question 54

List the 9 essential SQS API calls:

(Bonus points: which 3 have Batch APIs?)

Answer 54

CreateQueue, DeleteQueue

PurgeQueue,

SendMessage, ReceiveMessage, DeleteMessage

MaxNumberOfMessages

ReceiveMessageWaitTimeSeconds

ChangeMessageVisbility

Question 55

To create an SQS queue, which API call is used?

(Bonus points: which argument can be used to set how long a message should be kept in queue before being discarded)

Answer 55

CreateQueue

(MessageRetentionPeriod)

Question 56

To delete an SQS queue (and all messages inside), which API call is used?

Answer 56

DeleteQueue

Question 57

To delete all the messages in an SQS queue but not the queue itself, which API call is used?

Answer 57

PurgeQueue

Question 58

To send a message to an SQS queue, which API call is used?

(Bonus points: which argument is used to set the number of seconds of delay)

Answer 58

SendMessage

(DelaySeconds)

Question 59

To poll an SQS queue for messages, which API call is used?

Answer 59

ReceiveMessage

Question 60

To delete an SQS message after it has been processed by a consumer, which API call is used?

Answer 60

DeleteMessage

Question 61

To change the number of SQS messages received in a ReceiveMessage API call, which [API call / SQS parameter] is used?

(Bonus points: what is the default number, min number, and max number)

Answer 61

MaxNumberOfMessages

(1, 1, 10)

Question 62

To enable long polling of an SQS queue, which [API call / SQS parameter] is used?

Answer 62

ReceiveMessageWaitTimeSeconds

Question 63

To change the message timeout for an SQS queue, which [API call / SQS parameter] is used?

Answer 63

ChangeMessageVisbility

Question 64

Which 3 SQS API calls have batch APIs available?

Answer 64

SendMessage

DeleteMessage

ChangeMessageVisibility

Question 65

Which parameter is used to order subsets of an SQS FIFO queue?

Answer 65

MessageGroupID

Question 66

Which 3 Lambda environment variables are communicated with X-Ray?

Answer 66

_X_AMZN_TRACE_ID

AWS_XRAY_CONTEXT_MISSING

AWS_XRAY_DAEMON_ADDRESS

Question 67

Which Lambda environment variable contains the tracing heading for X-Ray?

Answer 67

_X_AMZN_TRACE_ID

Question 68

To configure Lambda with VPC Lambda will create an ENI, but it first needs which AWS managed IAM role?

Answer 68

AWSLambdaVPCAccessExecutionRole

Question 69

Which 3 DynamoDB API calls are considered Write APIs?

Answer 69

PutItem

UpdateItem

Conditional Writes

Question 70

To create or replace items in a DynamoDB table, which API call is used?

Answer 70

PutItem

Question 71

To update an existing item in DynamoDB or create a new one if it doesn’t exist, which API call is used?

Answer 71

UpdateItem

Question 72

To accept a write/update/delete in DynoamoDB only if certain conditions are met, which parameter/category is used?

Answer 72

Conditional Writes

Question 73

Which 3 DynamoDB API calls are considered Read API calls?

Answer 73

GetItem

Query

Scan

Question 74

To retrieve a specific item from DynamoDB based on its primary key, which API call is used?

(Bonus points: what parameter is used to retrieve only specified attributes of the item?)

Answer 74

GetItem

(ProjectionExpression)

Question 75

To retrieve a list of items from a DynamoDB table based on conditions, which API call is used?

Which parameter uses comparison operators on the partition and sort keys?

Which parameter allows additional filtering on non-key attributes after retrieval but before delivery?

Answer 75

Query

(KeyConditionExpression)

(FilterExpression)

Question 76

When querying a DynamoDB table…

Which expression uses comparison operators on the partition and sort keys?

Which expression allows additional filtering on non-key attributes after retrieval but before delivery?

Answer 76

KeyConditionExpression

FilterExpression

Question 77

To retrieve all items from a DynamoDB table, which API call is used?

Answer 77

Scan

Question 78

To delete an item in a DynamoDB table, which API call is used?

Answer 78

DeleteItem

Question 79

To delete an entire DynamoDB table, which API call is used?

Answer 79

DeleteTable

Question 80

Which 2 DynamoDB API calls are used for batch operations?

(Bonus points: which two standard DynamoDB API calls does BatchWriteItem use?)

Answer 80

BatchWriteItem

BatchGetItem

(PutItem and DeleteItem)

Question 81

In DynamoDB streams you can choose the scope of information that will be written to the stream by using one of 4 options. List the 4 options.

Answer 81

KEYS_ONLY

NEW_IMAGE

OLD_IMAGE

NEW_AND_OLD_IMAGES

Question 82

Which 2 DynamoDB CLI options/flags are good to know for the exam?

(Bonus points: what 3 general AWS CLI pagination options/flags are good to know for the exam?)

Answer 82

–filter-expression

–projection-expression

( –page-size

–max-items

–starting-token )

Question 83

To filter DynamoDB items before they are returned to you, which AWS CLI option/flag is used?

Answer 83

–filter-expression

Question 84

To only return specified attributes of an item from a DynamoDB table, which AWS CLI option/flag is used?

Answer 84

–projection-expression

Question 85

List 3 AWS CLI pagination options/flags and their effect

Answer 85

–page-size retrieve items in more API calls

–max-items set the max number of items to show in the CLI (returns NextToken)

–starting-token specify the last NextToken to retrieve the next set of items

Question 86

To specify that the AWS CLI retrieves the full list of items (from DynamoDB, S3, etc.), but with a larger number of API calls, which CLI option/flag is used?

Answer 86

–page-size

Question 87

To specify the max number of items to show in the CLI, what CLI option/flag is used?

(Bonus points: what’s the name of the variable returned, used to retrieve the next page of items?)

Answer 87

–max-items

( NextToken )

Question 88

To specify the previous NextToken (generated from a CLI command with the –max-items option/flag) to retrieve the next set of items, which CLI option/flag is used?

Answer 88

–starting-token

Question 89

Which 2 DynamoDB API calls are part of DynamoDB Transactions?

(Bonus points: what API calls fall under their umbrella?)

Answer 89

TransactGetItems

TransactWriteItems

( 1+ GetItem operations

1+ PutItem, UpdateItem, DeleteItem operations )

Question 90

TransactGetItems performs which standard DynamoDB API call?

Answer 90

GetItem

Question 91

TransactWriteItems performs which 3 standard DynamoDB API calls?

Answer 91

PutItem, UpdateItem, DeleteItem

Question 92

To limit DynamoDB access for users to row-level access based on the primary key, which IAM policy key is used?

(Bonus points: what is the syntax?

“Condition”: {

KEY1: {

KEY2: [STRING]

}

)

Answer 92

LeadingKeys

( “Condition”: {

“ForAllValues:StringEquals”: {

“dynamodb:LeadingKeys”: [”${cognito-identity.amazonaws.com::sub}”]

}

)

Question 93

For a client to invalidate an API gateway cache, what should be included in the header?

Answer 93

Cache-Control: max-age=0

Question 94

List 7 API GateWay CloudWatch Metrics:

Answer 94

CacheHitCount, CacheMissCount

Count

IntegrationLatency

Latency

4XX error, 5xx error

Question 95

To observe the efficiency of your API gateway cache, which 2 CloudWatch metrics are used?

Answer 95

CacheHitCount, CacheMissCount

Question 96

To measure the total number of API requests to your API Gateway in a given period, which CloudWatch metric is used?

Answer 96

Count

Question 97

To measure the time between when API Gateway relays a request to the backend and when it received a response from the backend, which CloudWatch metric is used?

Answer 97

IntegrationLatency

Question 98

To measure the total time from when API Gateway receives a request and when it returns a response, which CloudWatch metric is used?

Answer 98

Latency

Question 99

An API Gateway returning 4XX (400) and 5XX (500) http response status codes indicates what?

Answer 99

4XX: client-side error

5XX: server-side error

Question 100

Which 4XX http response status code indicates throttling?

(Bonus points: how should this error be handled by the client?)

Answer 100

429 Too Many Requests

(Retry with exponential backoff)

Question 101

Http response status codes 400, 403, and 429 indicate what?

Answer 101

400: bad request
403: unauthorized
429: throttling

Question 102

Http status response codes 502, 503, and 504 indicate what?

Answer 102

502: Bad Gateway Exception (bad response or heavy loads)
503: Service Unavailable Exception
504: Integration Failure (Ex: Lambda timeout after 29 seconds)

Question 103

The OPTIONS pre-flight request for CORS must contain which 3 headers?

Answer 103

Access-Control-Allow-Methods

Access-Control-Allow-Headers

Access-Control-Allow-Origin

Question 104

To package a SAM template, which 2 interchangeable CLI commands are used?

Answer 104

aws cloudformation package

sam package

Question 105

To deploy a SAM template, which 2 interchangeable CLI commands are used?

Answer 105

aws cloudformation deploy

sam deploy

Question 106

To indicate a YAML template is a SAM template, what header should be included?

Answer 106

Transform : ‘AWS::Serverless-2016-10-31’

(mnemonic: Uncle SAM → Trump Elected in 2016 → Scary like Halloween

Trump Halloween)

Question 107

List the 3 SAM resource types as written in the YAML template:

Answer 107

AWS::Serverless::Function

AWS::Serverless::Api

AWS::Serverless::SimpleTable

Question 108

To give read only permissions to objects in S3, which SAM policy template is used?

Answer 108

S3ReadPolicy

Question 109

To allow polling of an SQS queue, which SAM resource policy is used?

Answer 109

SQSPollerPolicy

Question 110

To allow CRUD operations in DynamoDB, which SAM policy template is used?

Answer 110

DynamoDBCrudPolicy

Question 111

List the 6 AWS Step Functions states:

Answer 111

Choice State

Fail or Succeed State

Pass State

Wait State

Map State

Parallel State

Question 112

Step Functions error handling uses which 2 logic phrases?

Answer 112

Retry and Catch

Question 113

List the 4 step functions SLS (State Language Spec) Retry keys:

“Retry”: [{key1:val, key2:val, etc}]

Answer 113

ErrorEquals

IntervalSeconds

BackoffRate

MaxAttempts

Question 114

To match a specific kind of Step Function error, which SLS (State Language Spec) key is used?

Answer 114

ErrorEquals

Question 115

To specify a Step Function initial delay before retrying an error, which SLS (State Language Spec) Retry key is used?

Answer 115

IntervalSeconds

Question 116

To multiply Step Functions delays after each error retry, which SLS (State Language Spec) Retry key is used?

Answer 116

BackoffRate

Question 117

To specify the maximum number of attempts for Step Functions error retries, which SLS (State Language Spec) Retry key is used?

(Bonus points: what is the default value?)

Answer 117

MaxAttempts

(default 3 max attempts)

Question 118

List the 3 Step Functions SLS (State Language Spec) Catch keys:

Answer 118

ErrorEquals

Next

ResultPath

Question 119

To match a specific kind of Step Function error, which SLS (State Language Spec) Catch Key is used?

Answer 119

ErrorEquals

Question 120

To send a Step Function to another state after an error is caught, which SLS (State Language Spec) Catch Key is used?

Answer 120

Next

Question 121

To determine what input is sent to the state specified in the Next field of a Step Function after an error is caught, which SLS (State Language Spec) Catch Key is used?

Answer 121

ResultPath

Question 122

List the 4 ways you can authorize applications to interact with your AWS AppSync GraphQL API:

Answer 122

API_KEY

AWS_IAM

OPENID_CONNECT

AMAZON_COGNITO_USER_POOLS

Question 123

List the 7 AWS STS API Calls needed for the exam:

(3/3/1)

Answer 123

AssumeRole

AssumeRoleWithSAML

AssumeRoleWithWebIdentity

GetSessionToken

GetFederationToken

GetCallerIdentity

DecodeAuthorizationMessage

Question 124

To assume roles within your account or cross account, which STS API call is used?

Answer 124

AssumeRole

Question 125

To return credentials for users logged in with SAML, which STS API call is used?

Answer 125

AssumeRoleWithSAML

Question 126

To return credentials for a user logged in with an IdP, which STS API call is used?

(Note: AWS recommends AWS Identity Pools instead)

Answer 126

AssumeRoleWithWebIdentity

Question 127

Which STS API call is used for MFA login from a user or AWS account root user?

Answer 127

GetSessionToken

Question 128

To obtain temporary credentials for a federated user, which STS API call is used?

Answer 128

GetFederationToken

Question 129

To return details about the IAM user or role used in the API call, which STS API call is used?

Answer 129

GetCallerIdentity

Question 130

To decode an error message when an AWS API call is denied, which STS API call is used?

Answer 130

DecodeAuthorizationMessage

Question 131

To enforce MFA, which “Condition”: { “Bool”: { key:val } } key-value pair should be present in the IAM policy?

Answer 131

“aws:MultiFactorAuthPresent”: “true”

Question 132

To grant a user permission to pass a role to an AWS service, which IAM permission do you need?

Answer 132

iam:PassRole

(i.e. “Action”: “iam:PassRole”)

Question 133

Which hashing algorithm is used for symmetric encryption in KMS?

Answer 133

AES-256

Question 134

Which hashing algorithms are used for asymmetric encryption in KMS?

Answer 134

RSA & ECC key pairs

Question 135

To encrypt anything over 4KB, which KMS API call is used?

Answer 135

GenerateDataKey

Question 136

List 5 KMS Symmetric APIs:

Answer 136

Encrypt

GenerateDataKey

GenerateDataKeyWithoutPlaintext

Decrypt

GenerateRandom

Question 137

To encrypt up to 4KB of data, which KMS API call is used?

Answer 137

Encrypt

Question 138

To generate a unique symmetric data key (DEK) and return both a plaintext copy and encrypted copy of the key, which KMS API call is used?

Answer 138

GenerateDataKey

Question 139

To generate a unique symmetric data key (DEK) and return only an encrypted copy of the key, which KMS API call is used?

(Note: this is generally only for later use)

Answer 139

GenerateDataKeyWithoutPlaintext

Question 140

To decrypt up to 4KB of data (including data encryption keys, or DEK), which KMS API call is used?

Answer 140

Decrypt

Question 141

To return a random byte string, which KMS API call is used?

Answer 141

GenerateRandom

Question 142

When you exceed a KMS request quota, which exception is thrown?

(Bonus points: how should you address and resolve this exception?)

Answer 142

ThrottlingException

(exponential backoff)

Question 143

SSE-KMS uses which 2 KMS API calls?

Answer 143

GenerateDataKey and Decrypt

Question 144

To force SSL in an S3 bucket policy, which effect and key-value pair should be present in the bucket policy?

i.e. “Effect“: EFFECT, Condition”: { “Bool”: { KEY:VAL} }

Answer 144

“Effect”: “Deny”

“Bool”: { “aws:SecureTransport”: “false” }

Question 145

When using CloudWatch logs API via CLI, one of two flags regarding log groups must be present in the call. List those two flags:

(Bonus points: when would you use one vs the other?)

Answer 145

associate-kms-key (if the log group already exists)

create-log-group (if the log group doesn’t exist yet)