Notes 5 Flashcards
DynamoDB restrict access to certain data in a table
In DynamoDB, you can control access to individual data items and attributes in a table. For example, you can do the following:
– Grant permissions on a table, but restrict access to specific items in that table based on certain primary key values. An example might be a social networking app for games, where all users’ saved game data is stored in a single table, but no users can access data items that they do not own, as shown in the following illustration:
To implement this kind of fine-grained access control, you write an IAM permissions policy that specifies conditions for accessing security credentials and the associated permissions. You then apply the policy to IAM users, groups, or roles that you create using the IAM console. Your IAM policy can restrict access to individual items in a table, access to the attributes in those items, or both at the same time.
You can optionally use web identity federation to control access by users who are authenticated by Login with Amazon, Facebook, or Google.
You use the IAM Condition element to implement a fine-grained access control policy. By adding a Condition element to a permissions policy, you can allow or deny access to items and attributes in DynamoDB tables and indexes, based upon your particular business requirements.
In the given scenario, we are only required to restrict access to specific items in the table based on User Id which is the partition key. We can achieve this by inserting a “dynamodb:LeadingKeys” condition key to the IAM policy associated with the Identity provider’s role.
How can you reduce cold starts in Lambda function?
Increase the memory allocation setting for the Lambda function.
A developer is writing a web application that will allow users to save and retrieve images in an Amazon S3 bucket. The users are required to register and log in to access the application.
Which combination of AWS Services should the Developer utilize for implementing the user authentication module of the application?
Amazon Cognito Identity Pools and User Pools.
A user pool is a user directory in Amazon Cognito. With a user pool, your users can sign in to your web or mobile app through Amazon Cognito. Your users can also sign in through social identity providers like Google, Facebook, Amazon, or Apple, and through SAML identity providers.
Amazon Cognito identity pools (federated identities) enable you to create unique identities for your users and federate them with identity providers. With an identity pool, you can obtain temporary, limited-privilege AWS credentials to access other AWS services.
A developer plans to use AWS Elastic Beanstalk to deploy a microservice application. The application will be implemented in a multi-container Docker environment.
How should the developer configure the container definitions in the environment?
Configure the container definitions in the “Dockerrun.aws.json” file
A developer is building a ReactJS application that will be hosted on Amazon S3. Amazon Cognito handles the registration and sign-in of users using the AWS Software Development Kit (SDK) for JavaScript. The JSON Web Token (JWT) received upon authentication will be stored in the browser’s local storage. After signing in, the application will use the JWT as an authorizer to access an API Gateway endpoint.
What are the steps needed to implement the scenario above? (Select THREE.)
– Create an Amazon Cognito User Pool.
– On the API Gateway Console, create an authorizer using the Cognito User Pool ID.
– Set the name of the header that will be used from the request to the Cognito User Pool as a token source for authorization.
As an alternative to using IAM roles and policies or Lambda Authorizers (formerly known as custom authorizers), you can use an Amazon Cognito User Pool to control who can access your API in Amazon API Gateway.
To use an Amazon Cognito user pool with your API, you must first create an authorizer of the COGNITO_USER_POOLS type and then configure an API method to use that authorizer. After the API is deployed, the client must first sign the user into the user pool, obtain an identity or access token for the user, and then call the API method with one of the tokens, which are typically set to the request’s Authorization header. The API call succeeds only if the required token is supplied and the supplied token is valid, otherwise, the client isn’t authorized to make the call because the client did not have credentials that could be authorized.
Both the read and write operations to your DynamoDB table are throttled, which is causing errors in your application. You checked the CloudWatch metrics, but they indicate that the consumed capacity units haven’t exceeded the provisioned capacity units. Upon further investigation, you found that the issue is caused by a “hot partition” in your table, in which a certain partition is accessed by your downstream applications much more frequently than other partitions.
What should you do to resolve this issue in your application with MINIMAL cost?
– Implement error retries and exponential backoff.
– Refactor your application to distribute your read and write operations as evenly as possible across your table.
To solve this issue, consider one or more of the following solutions:
– Increase the amount of read or write capacity for your table to anticipate short-term spikes or bursts in read or write operations. If you decide later that you don’t need the additional capacity, decrease it. Take note that before deciding on how much to increase read or write capacity, you should consider the best practices in designing your partition keys.
– Implement error retries and exponential backoff. This technique uses progressively longer waits between retries for consecutive error responses to help improve an application’s reliability. If you’re using an AWS SDK, this logic is built‑in. If you’re using another SDK, consider implementing it manually.
– Distribute your read operations and write operations as evenly as possible across your table. A “hot” partition can degrade the overall performance of your table.
– Implement a caching solution, such as DynamoDB Accelerator (DAX) or Amazon ElastiCache. DAX is a DynamoDB-compatible caching service that offers fast in‑memory performance for your application. If your workload is mostly read access to static data, query results can often be served more quickly from a well‑designed cache than from a database.
As mentioned above, the following are the solutions that you can implement to rectify the problem with minimal cost:
– Implement error retries and exponential backoff.
– Refactor your application to distribute your read and write operations as evenly as possible across your table.
What is the AWS sign in URL?
https://Your_Account_ID.signin.aws.amazon.com/console/
There is a requirement to postpone the delivery of new messages to an SQS queue for a number of seconds. You must configure the queue to ensure that any messages that you send remain invisible to consumers for a duration of time specified.
Which of the following SQS features should you use to meet this requirement?
Delay Queue.
Delay queues let you postpone the delivery of new messages to a queue for a number of seconds. If you create a delay queue, any messages that you send to the queue remain invisible to consumers for the duration of the delay period. The default (minimum) delay for a queue is 0 seconds. The maximum is 15 minutes.
Delay queues are similar to visibility timeouts because both features make messages unavailable to consumers for a specific period of time. The difference between the two is that, for delay queues, a message is hidden when it is first added to the queue, whereas for visibility timeouts a message is hidden only after it is consumed from the queue.
A software engineer is developing a serverless application which will use a DynamoDB database. One of the requirements is that each write request should return the total number of write capacity units consumed, with subtotals for the table and any secondary indexes that were affected by the operation.
What should be done to accomplish this feature?
To create, update, or delete an item in a DynamoDB table, use one of the following operations:
- PutItem
- UpdateItem
- DeleteItem
For each of these operations, you need to specify the entire primary key, not just part of it. For example, if a table has a composite primary key (partition key and sort key), you must supply a value for the partition key and a value for the sort key.
To return the number of write capacity units consumed by any of these operations, set the ReturnConsumedCapacity parameter to one of the following:
TOTAL — returns the total number of write capacity units consumed.
INDEXES — returns the total number of write capacity units consumed, with subtotals for the table and any secondary indexes that were affected by the operation.
NONE — no write capacity details are returned. (This is the default.)
Hence, the correct answer is to add the ReturnConsumedCapacity parameter with a value of INDEXES in every write request.
A cryptocurrency exchange portal has a key management service hosted in their on-premises data center, which stores encryption keys and uses an RSA asymmetric encryption algorithm. The company has recently implemented a hybrid cloud architecture in AWS and you were assigned to migrate the exchange portal to their cloud infrastructure. For security compliance, the keys should be stored in dedicated, third-party validated hardware security modules under your exclusive control.
Which of the following is the BEST solution that you should implement to meet the above requirement?
import the encryption keys from your on-premises key management service to AWS CloudHSM
When you use an HSM from AWS CloudHSM, you can perform a variety of cryptographic tasks:
– Generate, store, import, export, and manage cryptographic keys, including symmetric keys and asymmetric key pairs.
– Use symmetric and asymmetric algorithms to encrypt and decrypt data.
– Use cryptographic hash functions to compute message digests and hash-based message authentication codes (HMACs).
– Cryptographically sign data (including code signing) and verify signatures.
– Generate cryptographically secure random data.
You should consider using AWS CloudHSM instead of AWS KMS if you require:
– Keys stored in dedicated, third-party validated hardware security modules under your exclusive control.
– FIPS 140-2 compliance.
– Integration with applications using PKCS#11, Java JCE, or Microsoft CNG interfaces.
– High-performance in-VPC cryptographic acceleration (bulk crypto).
Hence, the correct answer is to import the encryption keys from your on-premises key management service to AWS CloudHSM.
Using AWS KMS to store and manage the encryption keys is incorrect because although AWS KMS supports asymmetric encryption, it doesn’t provide dedicated, third-party validated hardware security modules which are under your exclusive control. You have to use CloudHSM instead.
Importing the encryption keys from your on-premises key management service to AWS Secrets Manager as Customer Master Keys (CMKs) is incorrect because you can’t store CMKs to AWS Secrets Manager.
Developing a custom key management service using the AWS Encryption SDK is incorrect because this entails a lot of effort to implement. Moreover, the AWS Encryption SDK only encrypts your data using a symmetric key algorithm which doesn’t comply with the requirements provided in the scenario.
AWS SWF (Simple Workflow Service)
Simple Workflow Service
Signals - enable you to inject information into a running workflow execution
Markers - record events in the workflow execution history for application specific purposes.
Timers - enables you to notify your decider when a certain amount of time has elapsed
Tags - enables you to filter the listing of the executions when you use the visibility operations
What are things that the developer should consider when using a global secondary index in DynamoDB?
Global secondary index in DynamoDB
– Queries or scans on this index consume capacity units from the index, not from the base table.
– Queries on this index support eventual consistency only.