PE Reviews Flashcards
minimum properties required in resources for lambda
name, alias, current version, and target version
To enable SSL between the end-user and CloudFront, what policy should be configured?
Viewer Protocol Policy
To enable SSL between the origin and the distribution the Developer can configure the
Origin Protocol Policy
The _________________ policy adds an additional batch of instances, updates those instances, then moves on to the next batch.
no reduction in app performance/availability during update
Rolling with additional batch:
Like Rolling but launches new instances in a batch ensuring that there is full availability.
Application is running at capacity.
Can set the bucket size.
Application is running both versions simultaneously.
Small additional cost.
Additional batch is removed at the end of the deployment.
Longer deployment.
Good for production environments.
Only deployment policy with downtime
All-at-once
What 3 deployment types have no reduction in capacities?
Rolling w/ additional batch
Immutable
Blue/green
happen to be the 3 with the longest deployment time too
________ is a container for CloudWatch metrics. Metrics in different ________ are isolated from each other, so that metrics from different applications are not mistakenly aggregated into the same statistics.
namespace
You can configure a CloudWatch alarm that notifies based on item lifecycle events. (T/F)
False
Amazon DynamoDB is integrated with AWS Lambda so that you can create __________—pieces of code that automatically respond to events in DynamoDB Streams. With _________, you can build applications that react to data modifications in DynamoDB tables.
triggers
When you create a ___________ in Amazon Cognito and then configure a domain for it, Amazon Cognito automatically provisions a hosted web UI to let you add sign-up and sign-in pages to your app. You can add a custom logo or customize the CSS for the hosted web UI.
user pool
With _________________ mode, you specify the number of data reads and writes per second that you require for your application.
provisioned capacity
For items up to 4 KB in size, one RCU can perform
one RCU can perform two eventually consistent read requests per second.
one RCU can perform one strongly consistent read request per second.
require two RCUs to perform one read per second for items up to 4 KB.
Transactional read requests
require two WCUs to perform one write per second for items up to 1 KB.
Transactional write requests
To encrypt an object at the time of upload, you need to add a header called ________________ to the request to tell S3 to encrypt the object using SSE-C, SSE-S3, or SSE-KMS.
x-amz-server-side-encryption:
tells S3 to use S3-managed keys
AES256
tells S3 to use AWS KMS–managed key
aws:kms
conveys information about a segment to X-Ray.
can be up to 64 kB and contain a whole segment with subsegments, a fragment of a segment that indicates that a request is in progress, or a single subsegment that is sent separately.
segment document
You can send segment documents directly to X-Ray by using the
PutTraceSegments API
this API action retrieves a service graph for one or more specific trace IDs.
GetTraceGraph API
You should initialize SDK clients and database connections outside of the function handler, and cache static assets locally in the
/tmp directory.
is a custom session handler for PHP that allows developers to use Amazon DynamoDB as a session store.
The DynamoDB Session Handler
Using DynamoDB for session storage alleviates issues that occur with session handling in a distributed web application by moving sessions off of the local file system and into a shared location. DynamoDB is fast, scalable, easy to set up, and handles replication of your data automatically.
involves maintaining session state data on the EC2 instances and thus that data is lost if an instance fails.
Use sticky sessions with an Elastic Load Balancer target group
There are no limits to the number of prefixes that you can have in your bucket.
True
To avoid throttling in Amazon S3 you must ensure you do not exceed certain limits on a per-prefix basis.
T/F: You can send 5,500 PUT/COPY/POST/DELETE or 3,500 GET/HEAD requests per second per prefix in an Amazon S3 bucket.
False
You can send 3,500 PUT/COPY/POST/DELETE or 5,500 GET/HEAD requests per second per prefix in an Amazon S3 bucket
is a fully managed build service in the cloud.
It compiles your source code, runs unit tests, and produces artifacts that are ready to deploy.
It eliminates the need to provision, manage, and scale your own build servers.
It provides pre-packaged build environments for popular programming languages and build tools such as Apache Maven, Gradle, and more.
AWS CodeBuild
is a deployment service that automates application deployments to Amazon EC2 instances, on-premises instances, serverless Lambda functions, or Amazon ECS services.
CodeDeploy
Flow logs can help you with a number of tasks, such as:
- Diagnosing overly restrictive security group rules
- Monitoring the traffic that is reaching your instance
- Determining the direction of the traffic to and from the network interfaces
is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC.
VPC Flow Logs
Flow Log data can be published to:
Amazon CloudWatch Logs or Amazon S3.
Adding certificates to the EC2 instances would place a burden on the CPU when encrypting and decrypting data; this burden will impact performance.
which uses encrypted connections (also known as SSL offload). This feature enables traffic encryption between your load balancer and the clients that initiate SSL or TLS sessions.
HTTPS listener,
To use an HTTPS listener, you must deploy at least one SSL/TLS server certificate on your load balancer. The load balancer uses a server certificate to terminate the front-end connection and then decrypt requests from clients before sending them to the targets.
configuring elb w/ ssl passthrough is used to forward encrypted packets directly to EC2 instance for termination
true
is an API Gateway feature that uses a Lambda function to control access to your API.
A Lambda authorizer (formerly known as a custom authorizer)
is useful if you want to implement a custom authorization scheme that uses a bearer token authentication strategy such as OAuth or SAML, or that uses request parameters to determine the caller’s identity.
A Lambda authorizer
When a client makes a request to one of your API’s methods, API Gateway calls your Lambda authorizer, which takes the caller’s identity as input and returns an IAM policy as output.
What Lambda authorizer receives the caller’s identity in a bearer token, such as a JSON Web Token (JWT) or an OAuth token?
A token-based Lambda authorizer
type of Lambda authorizer that receives the caller’s identity in a combination of headers, query string parameters, stageVariables, and $context variables.
A request parameter-based Lambda authorizer
You can create an authorizer in API Gateway that uses Cognito identity pools, but not user pools.
False, you can create an authorizer in API Gateway that uses Cognito user pools, but not identity pools.
is a container for an IAM role that you can use to pass role information to an EC2 instance when the instance starts.
An instance profile. Using an instance profile you can attach an IAM role to an EC2 instance that the instance can then assume in order to gain access to AWS services.
is used to manage encryption keys.
AWS KMS
is used to manage encryption keys. It is similar to KMS but uses a dedicated hardware device that is not multi-tenant.
AWS CloudHSM
To include objects defined by the AWS Serverless Application Model (SAM) in an AWS CloudFormation template, in addition to Resources, what section MUST be included in the document root?
Transform
AWS SAM templates differ from CloudFormation templates in which areas:
Transform declaration, Globals section, Resources section.
The declaration Transform: AWS::Serverless-2016-10-31 is required for AWS SAM templates. This declaration identifies an AWS CloudFormation template as an AWS SAM template.
The Globals section is unique to AWS SAM. It defines properties that are common to all your serverless functions and APIs. All the AWS::Serverless::Function, AWS::Serverless::Api, and AWS::Serverless::SimpleTable resources inherit the properties that are defined in the Globals section.
In AWS SAM templates the Resources section can contain a combination of AWS CloudFormation resources and AWS SAM resources.
An application uses both Amazon EC2 instances and on-premises servers. The on-premises servers are a critical component of the application, and a developer wants to collect metrics and logs from these servers. The developer would like to use Amazon CloudWatch.
How can the developer accomplish this?
Install the CloudWatch agent on the on-premises servers and specify IAM credentials with permissions to CloudWatch
You can download the CloudWatch agent package using either Systems Manager Run Command or an Amazon S3 download link. You then install the agent and specify the IAM credentials to use. The IAM credentials are an access key and secret access key of an IAM user that has permissions to Amazon CloudWatch.
Once this has been completed the on-premises servers will automatically send metrics and log files to Amazon CloudWatch and can be centrally monitored along with AWS services.
Your Amazon ECS tasks can have an IAM role associated with them. The permissions granted in the IAM role are assumed by the containers running in the task. What explains the benefits of using IAM roles with your tasks?
Credential Isolation, Authorization, Auditability
- Credential Isolation: A container can only retrieve credentials for the IAM role that is defined in the task definition to which it belongs; a container never has access to credentials that are intended for another container that belongs to another task.
- Authorization: Unauthorized containers cannot access IAM role credentials defined for other tasks.
- Auditability: Access and event logging is available through CloudTrail to ensure retrospective auditing. Task credentials have a context of taskArn that is attached to the session, so CloudTrail logs show which task is using which role.
True/False: Access keys are not a secure way of providing authentication. It is better to use roles that obtain temporary security permissions using the AWS STS service.
True
SSM Parameter Store supports automatic key rotation.
False
Which service encrypts secrets at rest using encryption keys that you own and store in AWS Key Management Service (KMS)?
When you retrieve a secret, this service decrypts the secret and transmits it securely over TLS to your local environment.
With this service, you can rotate secrets on a schedule or on demand by using the Secrets Manager console, AWS SDK, or AWS CLI.
AWS Secrets Manager
The ________ strategy adds data or updates data in the cache whenever data is written to the database.
write-through
The advantages of write-through are as follows:
- Data in the cache is never stale. Because the data in the cache is updated every time it’s written to the database, the data in the cache is always current.
- Write penalty vs. read penalty.
Every write involves two trips:
- A write to the cache
- A write to the database
This will allow the cache to be updated when an item is next read but will not ensure the best performance for all items in the database.
Invalidate the cache for each database write
this is a caching strategy that loads data into the cache only when necessary. This will not ensure strong consistency between the database and the cache.
Lazy loading (caching)
uses permissions in the function’s execution role to read and manage items in the event source. Permissions, event structure, settings, and polling behavior vary by event source.
An event source mapping
- Launches new instances in a new ASG and deploys the version update to these instances before swapping traffic to these instances once healthy.
- Zero downtime.
Immutable
- Zero downtime and release facility.
- Create a new “stage” environment and deploy updates there.
Blue / Green deployment
Deploys the new version to all instances simultaneously.
All at once
Update a few instances at a time (bucket), and then move on to the next bucket once the first bucket is healthy (downtime for 1 bucket at a time).
Rolling
Like Rolling but launches new instances in a batch ensuring that there is full availability.
Rolling with additional batch
enable you to create unique identities for your users and federate them with identity providers. With this, you can obtain temporary, limited-privilege AWS credentials to access other AWS services.
Amazon Cognito identity pools (federated identities)
Amazon Cognito identity pools support what identity providers:
- Public providers: Login with Amazon (Identity Pools), Facebook (Identity Pools), Google (Identity Pools), Sign in with Apple (Identity Pools).
- Amazon Cognito User Pools
- Open ID Connect Providers (Identity Pools)
- SAML Identity Providers (Identity Pools)
- Developer Authenticated Identities (Identity Pools)
is an algorithm for selecting instances for task placement or tasks for termination.
can be specified when either running a task or creating a new service.
Task placement strategies
ECS supports what 3 task placement strategies
binpack, random, spread
place tasks based on the least available amount of CPU or memory. This minimizes the number of instances in use.
binpack
place tasks randomly
random
place tasks evenly based on the specified value. Accepted values are instanceId (or host, which has the same effect), or any platform or custom attribute that is applied to a container instance, such as attribute:ecs.availability-zone.
spread
Service tasks are spread based on the tasks from that service. Standalone tasks are spread based on the tasks from the same task group.
S3 and SNS invoke functions in what manner to process events?
asynchronously
To invoke a function asynchronously, set the invocation type parameter to
Event
if your access pattern exceeds 3000 RCU or 1000 WCU for a single partition key value, your requests might be throttled with a
ProvisionedThroughputExceededException error.
To avoid request throttling, design your DynamoDB table with the right partition key to meet your access requirements and provide even distribution of data. Recommendations for doing this include the following:
- Use high cardinality attributes (e.g. email_id, employee_no, customer_id etc.)
- Use composite attributes
- Cache popular items
- Add random numbers or digits from a pre-determined range for write-heavy use cases
GSI is used for querying data more efficiently, it will not solve the problem of write performance due to a
hot partition.
You can force update the cache in CloudFront (T/F)
False, there’s no way to directly update the cache.
The Developer should invalidate the relevant cache entries and then the cache will be updated the next time a request is received.
If you need to remove a file from CloudFront edge caches before it expires, you can do one of the following:
- Invalidate the file from edge caches. The next time a viewer requests the file, CloudFront returns to the origin to fetch the latest version of the file.
- Use file versioning to serve a different version of the file that has a different name. For more information, see Updating Existing Files Using Versioned File Names.
is used with the AWS KMS services and generates a unique symmetric data key.
This operation returns a plaintext copy of the data key and a copy that is encrypted under a customer master key (CMK) that you specify.
GenerateDataKey API.
You can use the plaintext key to encrypt your data outside of AWS KMS and store the encrypted data key with the encrypted data.
Name the feature:
The Lambda console lets you encrypt environment variable values client side, before sending them to Lambda.
This feature enhances security further by preventing secrets from being displayed unencrypted in the Lambda console, or in function configuration that’s returned by the Lambda API.
The console also provides sample code that you can adapt to decrypt the values in your function handler.
Encryption helpers
Name the feature:
On a per-function basis, you can configure Lambda to use an encryption key that you create and manage in AWS Key Management Service. These are referred to as customer managed customer master keys (CMKs) or customer managed keys. If you don’t configure a customer managed key, Lambda uses an AWS managed CMK named aws/lambda, which Lambda creates in your account.
Key configuration
CodeDeploy:
Traffic is shifted in two increments. You can choose from predefined ______ options. The options specify the percentage of traffic that’s shifted to your updated Lambda function version in the first increment, and the interval, in minutes, before the remaining traffic is shifted in the second increment.
Canary
CodeDeploy:
Traffic is shifted in equal increments with an equal number of minutes between each increment. You can choose from predefined _____ options that specify the percentage of traffic that’s shifted in each increment and the number of minutes between each increment.
linear
CodeDeploy:
All traffic is shifted from the original Lambda function to the updated Lambda function version at once.
All-at-once
You can use Half at a Time traffic shifting strategy with
EC2 and on-premises instances, but not Lambda
is a highly available, durable, secure, fully managed pub/sub messaging service that enables you to decouple microservices, distributed systems, and serverless applications.
Amazon Simple Notification Service (SNS)
is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications.
Amazon Simple Queue Service (SQS)
Which AWS services can be used for asynchronous message passing?
SNS and SQS
The ____________ API call returns a set of temporary credentials for an AWS account or IAM user. The credentials consist of an access key ID, a secret access key, and a security token.
GetSessionToken
Typically, you use what API call if you want to use MFA to protect programmatic calls to specific AWS API operations
GetSessionToken
a web service that enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or for users you authenticate (federated users).
AWS Security Token Service (AWS STS)
Returns a set of temporary security credentials that you can use to access AWS resources. These temporary credentials consist of an access key ID, a secret access key, and a security token. Typically, you use it within your account or for cross-account access.
AssumeRole
Returns a set of temporary security credentials for users who have been authenticated via a SAML authentication response.
This operation provides a mechanism for tying an enterprise identity store or directory to role-based AWS access without user-specific credentials or configuration.
AssumeRoleWithSAML
Returns a set of temporary security credentials for users who have been authenticated in a mobile or web application with a web identity provider.
AssumeRoleWithWebIdentity
Decodes additional information about the authorization status of a request from an encoded message returned in response to an AWS request.
DecodeAuthorizationMessage
Returns the account identifier for the specified access key ID.
GetAccessKeyInfo
Returns details about the IAM user or role whose credentials are used to call the operation.
GetCallerIdentity
Returns a set of temporary security credentials (consisting of an access key ID, a secret access key, and a security token) for a federated user. A typical use is in a proxy application that gets temporary security credentials on behalf of distributed applications inside a corporate network.
GetFederationToken
AWS Security Token Service API calls include:
AssumeRole
AssumeRoleWithSAML
AssumeRoleWithWebIdentity
DecodeAuthorizationMessage
GetAccessKeyInfo
GetCallerIdentity
GetFederationToken
GetSessionToken
represents the partition key of the dynamodb table
LeadingKeys
represents the items that can be changed in the dynamodb table
Attributes
This condition key allows users to access only the items where the partition key value matches their user ID. This ID, ${www.amazon.com:user_id}, is a substitution variable.
dynamodb:LeadingKeys
This dynamoDB condition key limits access to the specified attributes so that only the actions listed in the permissions policy can return values for these attributes.
In addition, the StringEqualsIfExists clause ensures that the app must always provide a list of specific attributes to act upon and that the app can’t request all attributes.
dynamodb:Attributes
Which action defined by Amazon DynamoDB:
Grants permission to return the attributes of one or more items from one or more tables
BatchGetItem
Which action defined by Amazon DynamoDB:
Grants permission to put or delete multiple items in one or more tables
BatchWriteItem
Which action defined by Amazon DynamoDB:
Grants permission to the ConditionCheckItem operation, which checks the existence of a set of attributes for the item with the given primary key
ConditionCheckItem
Which action defined by Amazon DynamoDB:
Grants permission to return one or more items and item attributes by accessing every item in a table or a secondary index
Scan
Which action defined by Amazon DynamoDB:
Grants permission to create a new item, or replace an old item with a new item
PutItem
With _________________, you can register and authenticate users via your own existing authentication process, while still using Amazon Cognito to synchronize user data and access AWS resources.
developer authenticated identities
Using developer authenticated identities involves interaction between the end user device, your backend for authentication, and Amazon Cognito.
Therefore, the Developer can implement developer-authenticated identities by using Amazon Cognito, and get credentials for these identities.
It is suitable to store session state in an Amazon RDS database. T/F
False, RDS is not suitable for storing session state data. DynamoDB is a better fit for this.
With the _______ integration, also known as the ________ custom integration, you must configure both the integration request and integration response. You must set up necessary data mappings from the method request to the integration request, and from the integration response to the method response.
HTTP
The ____________ integration allows a client to access the backend HTTP endpoints with a streamlined integration setup on a single API method. You do not set the integration request or the integration response. API Gateway passes the incoming request from the client to the HTTP endpoint and passes the outgoing response from the HTTP endpoint to the client.
HTTP proxy
this is a custom integration that would be used if you need to customize the data mappings.
HTTP
this type of integration lets an API expose AWS service actions.
AWS
this type of integration lets an API method be integrated with the Lambda function invocation action with a flexible, versatile, and streamlined integration setup.
AWS_PROXY
provides fully managed implementations of two popular in-memory data stores – Redis and Memcached.
ElastiCache, a web service that makes it easy to deploy and run Memcached or Redis protocol-compliant server nodes in the cloud.
this elasticache implementation does not offer read replicas or auto-failover and therefore cannot provide high availability
memcached
is a data warehouse for use in online analytics processing (OLAP) use cases. It is not suitable to be used as a caching layer.
Amazon Redshift
this ElastiCache implementation does offer read replicas and auto-failover and therefore can provide high availability
redis
Memcached ElastiCache offers data partitioning; does Redis?
Yes, but only if cluster mode is enabled
which ElastiCache engine offers simple data types with no data persistence, encryption or replication?
memcached, unique features include nodes (scale up and out) and multithreading
which ElastiCache engine offers complex data types, data persistence, encryption and replication?
redis, unique features include automatic and manual snapshots, and sharding (which allows for scaling)
As an alternative to using IAM roles and policies or Lambda authorizers (formerly known as custom authorizers), you can use an ___________ to control who can access your API in Amazon API Gateway.
Amazon Cognito user pool
To use an Amazon Cognito user pool with your API, you must first create an authorizer of the COGNITO_USER_POOLS type and then configure an API method to use that authorizer. After the API is deployed, the client must first sign the user in to the user pool, obtain an identity or access token for the user, and then call the API method with one of the tokens, which are typically set in the request’s Authorization header. The API call succeeds only if the required token is supplied and the supplied token is valid; otherwise, the client isn’t authorized to make the call because the client did not have credentials that could be authorized.
A developer is preparing the resources for creating a multicontainer Docker environment on AWS Elastic Beanstalk. How can the developer define the Docker containers?
Define the containers in the Dockerrun.aws.json file in JSON format and save at the root of the source directory.
You can launch a cluster of multicontainer instances in a single-instance or autoscaling Elastic Beanstalk environment using the Elastic Beanstalk console. The single container and multicontainer Docker platforms for Elastic Beanstalk support the use of Docker images stored in a public or private online image repository.
You specify images by name in the Dockerrun.aws.json file and save it in the root of your source directory.
is a rule that is considered during task placement. It can be specified when either running a task or creating a new service.
task placement constraint
Amazon ECS supports the following types of task placement constraints:
distinctInstance, memberOf
The memberOf task placement constraint can be specified with the following actions:
Running a task
Creating a new service
Creating a new task definition
Creating a new revision of an existing task definition
Place tasks on container instances that satisfy an expression
memberOf
Place each task on a different container instance. This task placement constraint can be specified when either running a task or creating a new service.
distinctInstance
is used to select instances for task placement using the binpack, random and spread algorithms.
task placement strategy
A developer is building a multi-tier web application that accesses an Amazon RDS MySQL database. The application must use credentials to connect and these need to be stored securely. The application will take care of secret rotation.
Which AWS service represents the LOWEST cost solution for storing credentials?
AWS IAM with the Security Token Service (STS)
AWS Systems Manager Parameter Store
AWS Secrets Manager
AWS Key Management Service (KMS)
AWS Systems Manager Parameter Store
provides secure, hierarchical storage for configuration data management and secrets management. You can store data such as passwords, database strings, and license codes as parameter values. It is highly scalable, available, and durable.
AWS Systems Manager Parameter Store
You can then reference values by using the unique name that you specified when you created the parameter.
By default, Amazon SQS uses ____ polling, querying only a subset of its servers (based on a weighted random distribution) to determine whether any messages are available for a response.
short polling
You can use long polling to reduce your costs while allowing your consumers to receive messages as soon as they arrive in the queue.
When the wait time for the ReceiveMessage API action is greater than 0, long polling is in effect. The maximum long polling wait time is
20 seconds
This attribute sets the length of time, in seconds, for which Amazon SQS retains a message.
MessageRetentionPeriod
This SQS attribute sets the length of time, in seconds, for which the delivery of all messages in the queue is delayed.
DelaySeconds
A scenario requires encryption of in-flight data which can be done by implementing HTTPS. To do this the organization must configure the
Origin Protocol Policy and the Viewer Protocol Policy on the CloudFront Distribution.
Origin Protocol Policy gives what 3 options:
HTTP only
HTTPS Only
Match Viewer
Viewer Protocol Policy gives what 3 options:
HTTP and HTTPS
Redirect HTTP to HTTPS
HTTPS Only
is used to configure whether you want CloudFront to require users to access your content using a signed URL or a signed cookie.
Enable the CloudFront option Restrict Viewer Access
is a feature in Amazon Kinesis Data Streams that automatically encrypts data before it’s at rest by using an AWS KMS customer master key (CMK) you specify.
Server-side encryption
The AWS STS __________ API decodes additional information about the authorization status of a request from an encoded message returned in response to an AWS request. The output is then decoded into a more human-readable output that can be viewed in a JSON editor.
decode-authorization-message
- Launches new instances in a new ASG and deploys the version update to these instances before swapping traffic to these instances once healthy.
- Zero downtime.
- New code is deployed to new instances using an ASG.
- High cost as double the number of instances running during updates.
- Longest deployment.
- Quick rollback in case of failures.
- Great for production environments.
Immutable
The default credential provider chain looks for credentials in what order:
- Environment variables – AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY. The AWS SDK for Java uses the EnvironmentVariableCredentialsProvider class to load these credentials.
- Java system properties – aws.accessKeyId and aws.secretKey. The AWS SDK for Java uses the SystemPropertiesCredentialsProvider to load these credentials.
- The default credential profiles file – typically located at ~/.aws/credentials (location can vary per platform) and shared by many of the AWS SDKs and by the AWS CLI. The AWS SDK for Java uses the ProfileCredentialsProvider to load these credentials.
- Amazon ECS container credentials – loaded from Amazon ECS if the environment variable AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is set. The AWS SDK for Java uses the ContainerCredentialsProvider to load these credentials. You can specify the IP address for this value.
- Instance profile credentials – used on EC2 instances and delivered through the Amazon EC2 metadata service. The AWS SDK for Java uses the InstanceProfileCredentialsProvider to load these credentials. You can specify the IP address for this value.
When you initialize a new service client without supplying any arguments, the AWS SDK for Java attempts to find AWS credentials by using the default credential provider chain implemented by the
DefaultAWSCredentialsProviderChain class
You can invoke Lambda functions directly with the
Lambda console, the Lambda API, the AWS SDK, the AWS CLI, and AWS toolkits.
You can also configure other AWS services to invoke your function, or you can configure Lambda to read from a stream or queue and invoke your function.
You wait for the function to process the event and return a response.
- To invoke a function in this manner with the AWS CLI, use the invoke command.
- The Invocation-type can be used to specify a value of “RequestResponse”. This instructs AWS to execute your Lambda function and wait for the function to complete.
Synchronous invocation
Asynchronous invocation:
- When you invoke a function asynchronously, you don’t wait for a response from the function code.
- For asynchronous invocation, Lambda handles retries and can send invocation records to a destination.
- To invoke a function asynchronously, set the invocation type parameter to Event.
The fastest way to process all the files is to use asynchronous invocation and process the files in parallel. To do this you should specify the invocation type of
Event
querying only a subset of its servers (based on a weighted random distribution) to determine whether any messages are available for a response.
short polling, Amazon SQS defaults to this
Used to reduce your costs while allowing your consumers to receive messages as soon as they arrive in the queue.
long polling
When the wait time for the ReceiveMessage API action is greater than 0, long polling is in effect. The maximum long polling wait time is 20 seconds.
helps reduce the cost of using Amazon SQS by eliminating the number of empty responses (when there are no messages available for a ReceiveMessage request) and false empty responses (when messages are available but aren’t included in a response). It also returns messages as soon as they become available.
Long polling
Service: AWSKMS; Status Code: 400, Error Code: ThrottlingException
Resolve
Perform error retries with exponential backoff in the application code
Contact AWS support to request an AWS KMS rate limit increase
A function execution result includes
version, timestamp, request context, request payload, response context, and response payload
For each execution status (i.e. Success and Failure), you can choose one destination from four options: another Lambda function and what others?
an SNS topic, an SQS standard queue, or EventBridge.
provides secure, hierarchical storage for configuration data management and secrets management. You can store data such as passwords, database strings, and license codes as parameter values.
AWS Systems Manager Parameter Store