Names (API, CLI, etc.) Flashcards
When requesting SSE-S3 encryption for objects sent to S3, what key-value pair must be present in the header?
“x-amz-server-side-encryption”: “AES256”
When requesting SSE-KMS encryption for objects sent to S3, what key-value pair must be present in the header?
“x-amz-server-side-encryption”: “aws:kms”
What CLI option/flag should be used to simulate an AWS API call without using resources?
(Note: this option is not available on all API calls)
--dry-run
You may get long error messages from failed AWS API calls. Which command is used to decode these error messages?
sts decode-authorization-message
If you want detailed information on an EC2 instance, which URL should you query from that instance?
http://169.254.169.254/latest/meta-data
If you want detailed information on the launch script of an EC2 instance, which URL should you query from that instance?
http://169.254.169.254/latest/user-data
To use MFA with the CLI, which API call is used?
STS GetSessionToken
To use MFA with the CLI, what CLI command is used?
aws sts get-session-token --serial-number arn-of-the-mfa-device --token-code code-from-token --duration-seconds 3600
When you upload objects to an S3 bucket encrypted with SSE-KMS, which KMS API call is used?
GenerateDataKey
When you download objects from an S3 bucket encrypted with SSE-KMS, which KMS API call is used?
Decrypt
If you want to invalidate part of your CloudFront cache, which API call can you use?
CreateInvalidation
If you want to place ECS tasks on EC2 machines with the least available amount of memory (to minimize # of EC2 instances and save costs), fill in the Xs.
“placementStrategy”: [
{
“type”: X1,
“field”: X2
}
]
X1 = “binpack”
X2 = “memory”
If you want to place ECS tasks on EC2 machines randomly, fill in the X.
“placementStrategy”: [
{
“type”: X
}
]
X = “random”
If you want to place ECS tasks on EC2 machines distributed evenly across the ECS availability zone, fill in the X.
“placementStrategy”: [
{
“type”: X,
“field”: “attribute:ecs.availability-zone”
}
]
X = “spread”
If you want to place ECS tasks on their own EC2 instances, fill in the X.
“placementStrategy”: [
{
“type”: X
}
]
X = “distinctInstance”
If you want to place ECS tasks on EC2 only in us-east-1a and us-west-2b, fill in the X.
“placementStrategy”: [
{
“type”: X,
“expression”: “attribute:ecs.availability-zone in [us-east-1a, us-east-2b]”
}
]
X = “memberOf”
To login to ECR using AWS CLI v2, what CLI command is used?
aws ecr get-login-password --region region | docker login --username AWS --password-stdin aws_account_id.dkr.ecr.region.amazonaws.com
To push to Amazon ECR, what CLI command is used?
docker push aws_account_id.dkr.ecr.region.amazonaws.com/demo:latest
To pull from Amazon ECR using the CLI, what CLI command is used?
docker pull aws_account_id.dkr.ecr.region.amazonaws.com/demo:latest
The directory at the root of your EB project that contains all your .config files has what directory name?
.ebextensions/
EB Single Docker requires one of two files in order to get the container up and running. What are the names of those two files?
(Bonus points, what’s the difference between the two?)
Dockerfile : (EB will build and run the container)
Dockerrun.aws.json (v1) : (Describe where an already built container is)
An EB Multi Docker Container app requires a file with what filename to generate the ECS task definition?
(Bonus points: where should the file be located?)
Dockerrun.aws.json (v2)
(at the root of the source code)
You want to create an EB custom platform. The filename of the AMI must be what?
Platform.yaml
AWS CodeBuild reads build instructions from a file with what name?
buildspec.yml
The CodeDeploy Agent runs deployment instructions based on a file with what name?
appspec.yml
In CloudFormation templates, functions are prefixed with Fn::
What is the .yml shorthand for function prefixes that’s used in place of Fn:: ?
!
In CloudFormation templates, what is the .yml function for referencing parameters and resources?
(Bonus points: What do Parameters and Resources return?)
!Ref
Parameters returns the value of the parameter. Resources returns the physical ID of the underlying resource.
In CloudFormation templates, what is the .yml function for referencing the attributes of the resources you create? (ex: the AZ of an EC2 machine)
!GetAtt
In CloudFormation templates, what is the .yml function for accessing values from key-value pairs listed in the Mappings section of your template?
!FindInMap
In CloudFormation templates, what is the .yml function for importing values that are exported from your other CloudFormation templates?
!ImportValue
In CloudFormation templates, what .yml function should you use if you want to generate the following output based on the given input?
Input: “ :: ”, [“Hello”, “World”, “!”]
Output: “Hello :: World :: !”
!Join
In CloudFormation templates, what is the .yml function equivalent to the str.replace() method?
What is the syntax?
!Sub
!Sub
- String
- { Var1Name: Var1Value, Var2Name: Var2Value }
In CloudFormation templates, what are the 5 .yml condition functions?
!If
!And
!Or
!Not
!Equals
To send custom metrics to CloudWatch, which API call is used?
PutMetricData
To modify metric resolution in CloudWatch, which API call is used?
(Bonus points: what are the logging frequencies for Standard and High Resolution?)
StorageResolution
( Standard: 60 sec
High Resolution: 1/5/10/30 sec )
To move log data from CloudWatch to S3, which API call is used?
(Bonus points: how long does the transfer take?)
CreateExportTask
(up to 12 hours)
To test CloudWatch alarms and notifications, what CLI command is used?
aws cloudwatch set-alarm-state --alarm-name "myalarm" --state-value ALARM --state-reason "testing purposes"
To upload segment documents to AWS X-Ray, which API call is used?
PutTraceSegments
The AWS X-Ray daemon uploads telemetry with which API call?
PutTelemetryRecords
To retrieve all sampling rules for X-Ray, which API call is used?
GetSamplingRules
Which 3 AWS X-Ray API calls are considered Write APIs?
PutTraceSegments
PutTelemetryRecords
GetSamplingRules
To get the main X-Ray service graph, which API call is used?
GetServiceGraph
To retrieve a list of traces specified by ID in X-Ray, which API call is used?
(Note: each trace is a collection of segment documents that originates from a single request)
BatchGetTraces
To retrieve IDs and annotations for X-Ray traces available for a specified time frame (using an optional filter), which API call is used?
(Note: to get the full traces, pass the trace IDs to BatchGetTraces)
GetTraceSummaries
To retrieve a service graph for one or more specific trace IDs, which API call should be used?
GetTraceGraph
Which 4 AWS X-Ray API calls are considered Read APIs?
GetServiceGraph
BatchGetTraces
GetTraceSummaries
GetTraceGraph
To run X-Ray with EB, you can either set the option in the console or with a configuration file in DIRECTORY/FILENAME
What are the missing strings?
DIRECTORY = .ebextensions/
FILENAME = xray-daemon.config
To allow cross account access to SQS queues for an AWS account with a principal of 111122223333, what key-value pair should be present in the IAM policy statement?
“Principal”: { “AWS”: [111122223333] }
What does this IAM policy enable?
This policy enables an S3 bucket with a specific source account to write to this SQS queue.
To change the message visibility timeout in SQS queues, which API call is used?
ChangeMessageVisibility
Which SQS parameter determines the number of retries before a message is sent to the queue’s DLQ (if configured)?
MaximumReceives
Which SQS parameter determines the number of seconds a message must stay in queue before it becomes visible to consumers?
DelaySeconds
SQS Long Polling can be enabled at the queue level or at the API level using which SQS parameter?
WaitTimeSeconds
List the 9 essential SQS API calls:
(Bonus points: which 3 have Batch APIs?)
CreateQueue, DeleteQueue
PurgeQueue,
SendMessage, ReceiveMessage, DeleteMessage
MaxNumberOfMessages
ReceiveMessageWaitTimeSeconds
ChangeMessageVisibility
To create an SQS queue, which API call is used?
(Bonus points: which argument can be used to set how long a message should be kept in queue before being discarded)
CreateQueue
(MessageRetentionPeriod)
To delete an SQS queue (and all messages inside), which API call is used?
DeleteQueue
To delete all the messages in an SQS queue but not the queue itself, which API call is used?
PurgeQueue
To send a message to an SQS queue, which API call is used?
(Bonus points: which argument is used to set the number of seconds of delay)
SendMessage
(DelaySeconds)
To poll an SQS queue for messages, which API call is used?
ReceiveMessage
To delete an SQS message after it has been processed by a consumer, which API call is used?
DeleteMessage
To change the number of SQS messages received in a ReceiveMessage API call, which [API call / SQS parameter] is used?
(Bonus points: what is the default number, min number, and max number)
MaxNumberOfMessages
(1, 1, 10)
To enable long polling of an SQS queue, which [API call / SQS parameter] is used?
ReceiveMessageWaitTimeSeconds
To change the message timeout for an SQS queue, which [API call / SQS parameter] is used?
ChangeMessageVisibility
Which 3 SQS API calls have batch APIs available?
SendMessage
DeleteMessage
ChangeMessageVisibility
Which parameter is used to order subsets of an SQS FIFO queue?
MessageGroupID
Which 3 Lambda environment variables are communicated with X-Ray?
_X_AMZN_TRACE_ID
AWS_XRAY_CONTEXT_MISSING
AWS_XRAY_DAEMON_ADDRESS
Which Lambda environment variable contains the tracing header for X-Ray?
_X_AMZN_TRACE_ID
To configure Lambda with a VPC, Lambda will create an ENI, but it first needs which AWS managed IAM role?
AWSLambdaVPCAccessExecutionRole
Which 3 DynamoDB API calls are considered Write APIs?
PutItem
UpdateItem
Conditional Writes
To create or replace items in a DynamoDB table, which API call is used?
PutItem
To update an existing item in DynamoDB or create a new one if it doesn’t exist, which API call is used?
UpdateItem
To accept a write/update/delete in DynamoDB only if certain conditions are met, which parameter/category is used?
Conditional Writes
Which 3 DynamoDB API calls are considered Read API calls?
GetItem
Query
Scan
To retrieve a specific item from DynamoDB based on its primary key, which API call is used?
(Bonus points: what parameter is used to retrieve only specified attributes of the item?)
GetItem
(ProjectionExpression)
To retrieve a list of items from a DynamoDB table based on conditions, which API call is used?
Which parameter uses comparison operators on the partition and sort keys?
Which parameter allows additional filtering on non-key attributes after retrieval but before delivery?
Query
(KeyConditionExpression)
(FilterExpression)
When querying a DynamoDB table…
Which expression uses comparison operators on the partition and sort keys?
Which expression allows additional filtering on non-key attributes after retrieval but before delivery?
KeyConditionExpression
FilterExpression
To retrieve all items from a DynamoDB table, which API call is used?
Scan
To delete an item in a DynamoDB table, which API call is used?
DeleteItem
To delete an entire DynamoDB table, which API call is used?
DeleteTable
Which 2 DynamoDB API calls are used for batch operations?
(Bonus points: which two standard DynamoDB API calls does BatchWriteItem use?)
BatchWriteItem
BatchGetItem
(PutItem and DeleteItem)
In DynamoDB streams you can choose the scope of information that will be written to the stream by using one of 4 options. List the 4 options.
KEYS_ONLY
NEW_IMAGE
OLD_IMAGE
NEW_AND_OLD_IMAGES
Which 2 DynamoDB CLI options/flags are good to know for the exam?
(Bonus points: what 3 general AWS CLI pagination options/flags are good to know for the exam?)
--filter-expression
--projection-expression
( --page-size
--max-items
--starting-token )
To filter DynamoDB items before they are returned to you, which AWS CLI option/flag is used?
--filter-expression
To only return specified attributes of an item from a DynamoDB table, which AWS CLI option/flag is used?
--projection-expression
List 3 AWS CLI pagination options/flags and their effect
--page-size retrieve items in more API calls
--max-items set the max number of items to show in the CLI (returns NextToken)
--starting-token specify the last NextToken to retrieve the next set of items
To specify that the AWS CLI retrieves the full list of items (from DynamoDB, S3, etc.), but with a larger number of API calls, which CLI option/flag is used?
--page-size
To specify the max number of items to show in the CLI, what CLI option/flag is used?
(Bonus points: what’s the name of the variable returned, used to retrieve the next page of items?)
--max-items
( NextToken )
To specify the previous NextToken (generated from a CLI command with the --max-items option/flag) to retrieve the next set of items, which CLI option/flag is used?
--starting-token
Which 2 DynamoDB API calls are part of DynamoDB Transactions?
(Bonus points: what API calls fall under their umbrella?)
TransactGetItems
TransactWriteItems
( 1+ GetItem operations
1+ PutItem, UpdateItem, DeleteItem operations )
TransactGetItems performs which standard DynamoDB API call?
GetItem
TransactWriteItems performs which 3 standard DynamoDB API calls?
PutItem, UpdateItem, DeleteItem
To limit DynamoDB access for users to row-level access based on the primary key, which IAM policy key is used?
(Bonus points: what is the syntax?
“Condition”: {
KEY1: {
KEY2: [STRING]
}
}
)
LeadingKeys
( “Condition”: {
“ForAllValues:StringEquals”: {
“dynamodb:LeadingKeys”: [“${cognito-identity.amazonaws.com:sub}”]
}
}
)
For a client to invalidate an API gateway cache, what should be included in the header?
Cache-Control: max-age=0
List 7 API Gateway CloudWatch Metrics:
CacheHitCount, CacheMissCount
Count
IntegrationLatency
Latency
4XX error, 5xx error
To observe the efficiency of your API gateway cache, which 2 CloudWatch metrics are used?
CacheHitCount, CacheMissCount
To measure the total number of API requests to your API Gateway in a given period, which CloudWatch metric is used?
Count
To measure the time between when API Gateway relays a request to the backend and when it received a response from the backend, which CloudWatch metric is used?
IntegrationLatency
To measure the total time from when API Gateway receives a request and when it returns a response, which CloudWatch metric is used?
Latency
An API Gateway returning 4XX (400) and 5XX (500) http response status codes indicates what?
4XX: client-side error
5XX: server-side error
Which 4XX http response status code indicates throttling?
(Bonus points: how should this error be handled by the client?)
429 Too Many Requests
(Retry with exponential backoff)
Http response status codes 400, 403, and 429 indicate what?
400: bad request
403: unauthorized
429: throttling
Http status response codes 502, 503, and 504 indicate what?
502: Bad Gateway Exception (bad response or heavy loads)
503: Service Unavailable Exception
504: Integration Failure (Ex: Lambda timeout after 29 seconds)
The OPTIONS pre-flight request for CORS must contain which 3 headers?
Access-Control-Allow-Methods
Access-Control-Allow-Headers
Access-Control-Allow-Origin
To package a SAM template, which 2 interchangeable CLI commands are used?
aws cloudformation package
sam package
To deploy a SAM template, which 2 interchangeable CLI commands are used?
aws cloudformation deploy
sam deploy
To indicate a YAML template is a SAM template, what header should be included?
Transform : ‘AWS::Serverless-2016-10-31’
(mnemonic: Uncle SAM → Trump Elected in 2016 → Scary like Halloween
Trump Halloween)
List the 3 SAM resource types as written in the YAML template:
AWS::Serverless::Function
AWS::Serverless::Api
AWS::Serverless::SimpleTable
To give read only permissions to objects in S3, which SAM policy template is used?
S3ReadPolicy
To allow polling of an SQS queue, which SAM resource policy is used?
SQSPollerPolicy
To allow CRUD operations in DynamoDB, which SAM policy template is used?
DynamoDBCrudPolicy
List the 6 AWS Step Functions states:
Choice State
Fail or Succeed State
Pass State
Wait State
Map State
Parallel State
Step Functions error handling uses which 2 logic phrases?
Retry and Catch
List the 4 step functions SLS (State Language Spec) Retry keys:
“Retry”: [{key1:val, key2:val, etc}]
ErrorEquals
IntervalSeconds
BackoffRate
MaxAttempts
To match a specific kind of Step Function error, which SLS (State Language Spec) key is used?
ErrorEquals
To specify a Step Function initial delay before retrying an error, which SLS (State Language Spec) Retry key is used?
IntervalSeconds
To multiply Step Functions delays after each error retry, which SLS (State Language Spec) Retry key is used?
BackoffRate
To specify the maximum number of attempts for Step Functions error retries, which SLS (State Language Spec) Retry key is used?
(Bonus points: what is the default value?)
MaxAttempts
(default 3 max attempts)
List the 3 Step Functions SLS (State Language Spec) Catch keys:
ErrorEquals
Next
ResultPath
To match a specific kind of Step Function error, which SLS (State Language Spec) Catch Key is used?
ErrorEquals
To send a Step Function to another state after an error is caught, which SLS (State Language Spec) Catch Key is used?
Next
To determine what input is sent to the state specified in the Next field of a Step Function after an error is caught, which SLS (State Language Spec) Catch Key is used?
ResultPath
List the 4 ways you can authorize applications to interact with your AWS AppSync GraphQL API:
API_KEY
AWS_IAM
OPENID_CONNECT
AMAZON_COGNITO_USER_POOLS
List the 7 AWS STS API Calls needed for the exam:
(3/3/1)
AssumeRole
AssumeRoleWithSAML
AssumeRoleWithWebIdentity
GetSessionToken
GetFederationToken
GetCallerIdentity
DecodeAuthorizationMessage
To assume roles within your account or cross account, which STS API call is used?
AssumeRole
To return credentials for users logged in with SAML, which STS API call is used?
AssumeRoleWithSAML
To return credentials for a user logged in with an IdP, which STS API call is used?
(Note: AWS recommends AWS Identity Pools instead)
AssumeRoleWithWebIdentity
Which STS API call is used for MFA login from a user or AWS account root user?
GetSessionToken
To obtain temporary credentials for a federated user, which STS API call is used?
GetFederationToken
To return details about the IAM user or role used in the API call, which STS API call is used?
GetCallerIdentity
To decode an error message when an AWS API call is denied, which STS API call is used?
DecodeAuthorizationMessage
To enforce MFA, which “Condition”: { “Bool”: { key:val } } key-value pair should be present in the IAM policy?
“aws:MultiFactorAuthPresent”: “true”
To grant a user permission to pass a role to an AWS service, which IAM permission do you need?
iam:PassRole
(i.e. “Action”: “iam:PassRole”)
Which hashing algorithm is used for symmetric encryption in KMS?
AES-256
Which hashing algorithms are used for asymmetric encryption in KMS?
RSA & ECC key pairs
To encrypt anything over 4KB, which KMS API call is used?
GenerateDataKey
List 5 KMS Symmetric APIs:
Encrypt
GenerateDataKey
GenerateDataKeyWithoutPlaintext
Decrypt
GenerateRandom
To encrypt up to 4KB of data, which KMS API call is used?
Encrypt
To generate a unique symmetric data key (DEK) and return both a plaintext copy and encrypted copy of the key, which KMS API call is used?
GenerateDataKey
To generate a unique symmetric data key (DEK) and return only an encrypted copy of the key, which KMS API call is used?
(Note: this is generally only for later use)
GenerateDataKeyWithoutPlaintext
To decrypt up to 4KB of data (including data encryption keys, or DEK), which KMS API call is used?
Decrypt
To return a random byte string, which KMS API call is used?
GenerateRandom
When you exceed a KMS request quota, which exception is thrown?
(Bonus points: how should you address and resolve this exception?)
ThrottlingException
(exponential backoff)
SSE-KMS uses which 2 KMS API calls?
GenerateDataKey and Decrypt
To force SSL in an S3 bucket policy, which effect and key-value pair should be present in the bucket policy?
i.e. “Effect”: EFFECT, “Condition”: { “Bool”: { KEY:VAL } }
“Effect”: “Deny”
“Bool”: { “aws:SecureTransport”: “false” }
When using CloudWatch logs API via CLI, one of two flags regarding log groups must be present in the call. List those two flags:
(Bonus points: when would you use one vs the other?)
associate-kms-key (if the log group already exists)
create-log-group (if the log group doesn’t exist yet)