PE Reviews Flashcards
minimum properties required in resources for lambda
name, alias, current version, and target version
To enable SSL between the end user and CloudFront, what policy should be configured?
Viewer Protocol Policy
To enable SSL between the origin and the distribution the Developer can configure the
Origin Protocol Policy
The _________________ policy adds an additional batch of instances, updates those instances, then moves on to the next batch.
no reduction in app performance/availability during update
Rolling with additional batch:
Like Rolling but launches new instances in a batch ensuring that there is full availability.
Application is running at capacity.
Can set the bucket size.
Application is running both versions simultaneously.
Small additional cost.
Additional batch is removed at the end of the deployment.
Longer deployment.
Good for production environments.
Only deployment policy with downtime
All-at-once
What 3 deployment types have no reduction in capacities?
Rolling w/ additional batch
Immutable
Blue/green
happen to be the 3 with the longest deployment time too
________ is a container for CloudWatch metrics. Metrics in different ________ are isolated from each other, so that metrics from different applications are not mistakenly aggregated into the same statistics.
namespace
You can configure a CloudWatch alarm that notifies based on item lifecycle events. (T/F)
False
Amazon DynamoDB is integrated with AWS Lambda so that you can create __________
—pieces of code that automatically respond to events in DynamoDB Streams. With _________, you can build applications that react to data modifications in DynamoDB tables.
triggers
When you create a ___________ in Amazon Cognito and then configure a domain for it, Amazon Cognito automatically provisions a hosted web UI to let you add sign-up and sign-in pages to your app. You can add a custom logo or customize the CSS for the hosted web UI.
user pool
With _________________ mode, you specify the number of data reads and writes per second that you require for your application.
provisioned capacity
For items up to 4 KB in size, one RCU can perform
one RCU can perform two eventually consistent read requests per second.
one RCU can perform one strongly consistent read request per second.
require two RCUs to perform one read per second for items up to 4 KB.
Transactional read requests
require two WCUs to perform one write per second for items up to 1 KB.
Transactional write requests
To encrypt an object at the time of upload, you need to add a header called ________________ to the request to tell S3 to encrypt the object using SSE-C, SSE-S3, or SSE-KMS.
x-amz-server-side-encryption:
tells S3 to use S3-managed keys
AES256
tells S3 to use AWS KMS–managed key
aws:kms
conveys information about a segment to X-Ray.
can be up to 64 kB and contain a whole segment with subsegments, a fragment of a segment that indicates that a request is in progress, or a single subsegment that is sent separately.
segment document
You can send segment documents directly to X-Ray by using the
PutTraceSegments API
this API action retrieves a service graph for one or more specific trace IDs.
GetTraceGraph API
You should initialize SDK clients and database connections outside of the function handler, and cache static assets locally in the
/tmp directory.
is a custom session handler for PHP that allows developers to use Amazon DynamoDB as a session store.
The DynamoDB Session Handler
Using DynamoDB for session storage alleviates issues that occur with session handling in a distributed web application by moving sessions off of the local file system and into a shared location. DynamoDB is fast, scalable, easy to setup, and handles replication of your data automatically.
involves maintaining session state data on the EC2 instances and thus that data is lost if an instance fails.
Use sticky sessions with an Elastic Load Balancer target group
There are no limits to the number of prefixes that you can have in your bucket.
True
To avoid throttling in Amazon S3 you must ensure you do not exceed certain limits on a per-prefix basis.
T/F: You can send 5,500 PUT/COPY/POST/DELETE or 3,500 GET/HEAD requests per second per prefix in an Amazon S3 bucket.
False
You can send 3,500 PUT/COPY/POST/DELETE or 5,500 GET/HEAD requests per second per prefix in an Amazon S3 bucket
is a fully managed build service in the cloud.
It compiles your source code, runs unit tests, and produces artifacts that are ready to deploy.
It eliminates the need to provision, manage, and scale your own build servers.
It provides pre-packaged build environments for popular programming languages and build tools such as Apache Maven, Gradle, and more.
AWS CodeBuild
is a deployment service that automates application deployments to Amazon EC2 instances, on-premises instances, serverless Lambda functions, or Amazon ECS services.
CodeDeploy
Flow logs can help you with a number of tasks, such as:
- Diagnosing overly restrictive security group rules
- Monitoring the traffic that is reaching your instance
- Determining the direction of the traffic to and from the network interfaces
is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC.
VPC Flow Logs
Flow Log data can be published to:
Amazon CloudWatch Logs or Amazon S3.
Adding certificates to the EC2 instances would place a burden on the CPU when
encrypting and decrypting data, and this burden will impact performance.
which uses encrypted connections (also known as SSL offload). This feature enables traffic encryption between your load balancer and the clients that initiate SSL or TLS sessions.
HTTPS listener,
To use an HTTPS listener, you must deploy at least one SSL/TLS server certificate on your load balancer. The load balancer uses a server certificate to terminate the front-end connection and then decrypt requests from clients before sending them to the targets.
Configuring an ELB with SSL passthrough is used to forward encrypted packets directly to the EC2 instance for termination (T/F)
true
is an API Gateway feature that uses a Lambda function to control access to your API.
A Lambda authorizer (formerly known as a custom authorizer)
is useful if you want to implement a custom authorization scheme that uses a bearer token authentication strategy such as OAuth or SAML, or that uses request parameters to determine the caller’s identity.
A Lambda authorizer
When a client makes a request to one of your API’s methods, API Gateway calls your Lambda authorizer, which takes the caller’s identity as input and returns an IAM policy as output.
What Lambda authorizer receives the caller’s identity in a bearer token, such as a JSON Web Token (JWT) or an OAuth token?
A token-based Lambda authorizer
type of Lambda authorizer that receives the caller’s identity in a combination of headers, query string parameters, stageVariables, and $context variables.
A request parameter-based Lambda authorizer
You can create an authorizer in API Gateway that uses Cognito identity pools, but not user pools.
False, you can create an authorizer in API Gateway that uses Cognito user pools, but not identity pools.
is a container for an IAM role that you can use to pass role information to an EC2 instance when the instance starts.
An instance profile,
and using an instance profile you can attach an IAM Role to an EC2 instance that the instance can then assume in order to gain access to AWS services.
is used to manage encryption keys.
AWS KMS
is used to manage encryption keys. It is similar to KMS but uses a dedicated hardware device that is not multi-tenant.
AWS CloudHSM
To include objects defined by the AWS Serverless Application Model (SAM) in an AWS CloudFormation template, in addition to Resources, what section MUST be included in the document root?
Transform
AWS SAM templates differ from CloudFormation templates in which areas:
Transform declaration, Globals section, Resources section.
The declaration Transform: AWS::Serverless-2016-10-31 is required for AWS SAM templates. This declaration identifies an AWS CloudFormation template as an AWS SAM template.
The Globals section is unique to AWS SAM. It defines properties that are common to all your serverless functions and APIs. All the AWS::Serverless::Function, AWS::Serverless::Api, and AWS::Serverless::SimpleTable resources inherit the properties that are defined in the Globals section.
- In AWS SAM templates the Resources section can contain a combination of AWS CloudFormation resources and AWS SAM resources.
An application uses both Amazon EC2 instances and on-premises servers. The on-premises servers are a critical component of the application, and a developer wants to collect metrics and logs from these servers. The developer would like to use Amazon CloudWatch.
How can the developer accomplish this?
Install the CloudWatch agent on the on-premises servers and specify IAM credentials with permissions to CloudWatch
You can download the CloudWatch agent package using either Systems Manager Run Command or an Amazon S3 download link. You then install the agent and specify the IAM credentials to use. The IAM credentials are an access key and secret access key of an IAM user that has permissions to Amazon CloudWatch.
Once this has been completed the on-premises servers will automatically send metrics and log files to Amazon CloudWatch and can be centrally monitored along with AWS services.
Your Amazon ECS tasks can have an IAM role associated with them. The permissions granted in the IAM role are assumed by the containers running in the task. What are the benefits of using IAM roles with your tasks?
Credential Isolation, Authorization, Auditability
- Credential Isolation: A container can only retrieve credentials for the IAM role that is defined in the task definition to which it belongs; a container never has access to credentials that are intended for another container that belongs to another task.
- Authorization: Unauthorized containers cannot access IAM role credentials defined for other tasks.
- Auditability: Access and event logging is available through CloudTrail to ensure retrospective auditing. Task credentials have a context of taskArn that is attached to the session, so CloudTrail logs show which task is using which role.
True/False: Access keys are not a secure way of providing authentication. It is better to use roles that obtain temporary security permissions using the AWS STS service.
True
SSM Parameter Store supports automatic key rotation.
False
Which service encrypts secrets at rest using encryption keys that you own and store in AWS Key Management Service (KMS)?
When you retrieve a secret, this service decrypts the secret and transmits it securely over TLS to your local environment.
With this service, you can rotate secrets on a schedule or on demand by using the Secrets Manager console, AWS SDK, or AWS CLI.
AWS Secrets Manager
The ________ strategy adds data or updates data in the cache whenever data is written to the database.
write-through
The advantages of write-through are as follows:
- Data in the cache is never stale. Because the data in the cache is updated every time it’s written to the database, the data in the cache is always current.
- Write penalty vs. read penalty.
Every write involves two trips:
- A write to the cache
- A write to the database
This will allow the cache to be updated when an item is next read but will not ensure the best performance for all items in the database.
Invalidate the cache for each database write
this is a caching strategy that loads data into the cache only when necessary. This will not ensure strong consistency between the database and the cache.
Lazy loading (caching)
uses permissions in the function’s execution role to read and manage items in the event source. Permissions, event structure, settings, and polling behavior vary by event source.
An event source mapping
- Launches new instances in a new ASG and deploys the version update to these instances before swapping traffic to these instances once healthy.
- Zero downtime.
Immutable
- Zero downtime and release facility.
- Create a new “stage” environment and deploy updates there.
Blue / Green deployment
Deploys the new version to all instances simultaneously.
All at once
Update a few instances at a time (bucket), and then move onto the next bucket once the first bucket is healthy (downtime for 1 bucket at a time).
Rolling
Like Rolling but launches new instances in a batch ensuring that there is full availability.
Rolling with additional batch
enable you to create unique identities for your users and federate them with identity providers. With this, you can obtain temporary, limited-privilege AWS credentials to access other AWS services.
Amazon Cognito identity pools (federated identities)
Amazon Cognito identity pools support what identity providers:
- Public providers: Login with Amazon (Identity Pools), Facebook (Identity Pools), Google (Identity Pools), Sign in with Apple (Identity Pools).
- Amazon Cognito User Pools
- Open ID Connect Providers (Identity Pools)
- SAML Identity Providers (Identity Pools)
- Developer Authenticated Identities (Identity Pools)
is an algorithm for selecting instances for task placement or tasks for termination.
can be specified when either running a task or creating a new service.
Task placement strategies
ECS supports what 3 task placement strategies
binpack, random, spread
place tasks based on the least available amount of CPU or memory. This minimizes the number of instances in use.
binpack
place tasks randomly
random
place tasks evenly based on the specified value. Accepted values are instanceId (or host, which has the same effect), or any platform or custom attribute that is applied to a container instance, such as attribute:ecs.availability-zone.
spread
Service tasks are spread based on the tasks from that service. Standalone tasks are spread based on the tasks from the same task group.
S3 and SNS invoke functions in what manner to process events?
asynchronously
To invoke a function asynchronously, set the invocation type parameter to
Event
If your access pattern exceeds 3000 RCU or 1000 WCU for a single partition key value, your requests might be throttled with a
ProvisionedThroughputExceededException error.
To avoid request throttling, design your DynamoDB table with the right partition key to meet your access requirements and provide even distribution of data. Recommendations for doing this include the following:
- Use high cardinality attributes (e.g. email_id, employee_no, customer_id etc.)
- Use composite attributes
- Cache popular items
- Add random numbers or digits from a pre-determined range for write-heavy use cases
A GSI is used for querying data more efficiently; it will not solve the problem of write performance due to a
hot partition.
You can force update the cache in CloudFront (T/F)
False, there’s no way to directly update the cache.
The Developer should invalidate the relevant cache entries and then the cache will be updated the next time a request is received.
If you need to remove a file from CloudFront edge caches before it expires, you can do one of the following:
- Invalidate the file from edge caches. The next time a viewer requests the file, CloudFront returns to the origin to fetch the latest version of the file.
- Use file versioning to serve a different version of the file that has a different name. For more information, see Updating Existing Files Using Versioned File Names.
is used with the AWS KMS services and generates a unique symmetric data key.
This operation returns a plaintext copy of the data key and a copy that is encrypted under a customer master key (CMK) that you specify.
GenerateDataKey API.
You can use the plaintext key to encrypt your data outside of AWS KMS and store the encrypted data key with the encrypted data.
Name the feature:
The Lambda console lets you encrypt environment variable values client side, before sending them to Lambda.
This feature enhances security further by preventing secrets from being displayed unencrypted in the Lambda console, or in function configuration that’s returned by the Lambda API.
The console also provides sample code that you can adapt to decrypt the values in your function handler.
Encryption helpers
Name the feature:
On a per-function basis, you can configure Lambda to use an encryption key that you create and manage in AWS Key Management Service. These are referred to as customer managed customer master keys (CMKs) or customer managed keys. If you don’t configure a customer managed key, Lambda uses an AWS managed CMK named aws/lambda, which Lambda creates in your account.
Key configuration
CodeDeploy:
Traffic is shifted in two increments. You can choose from predefined ______ options. The options specify the percentage of traffic that’s shifted to your updated Lambda function version in the first increment, and the interval, in minutes, before the remaining traffic is shifted in the second increment.
Canary
CodeDeploy:
Traffic is shifted in equal increments with an equal number of minutes between each increment. You can choose from predefined _____ options that specify the percentage of traffic that’s shifted in each increment and the number of minutes between each increment.
linear
CodeDeploy:
All traffic is shifted from the original Lambda function to the updated Lambda function version at once.
All-at-once
You can use the Half at a Time traffic shifting strategy with
EC2 and on-premises instances, but not Lambda
is a highly available, durable, secure, fully managed pub/sub messaging service that enables you to decouple microservices, distributed systems, and serverless applications.
Amazon Simple Notification Service (SNS)
is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications.
Amazon Simple Queue Service (SQS)
Which AWS services can be used for asynchronous message passing?
SNS and SQS
The ____________ API call returns a set of temporary credentials for an AWS account or IAM user. The credentials consist of an access key ID, a secret access key, and a security token.
GetSessionToken
Typically, you use what API call if you want to use MFA to protect programmatic calls to specific AWS API operations?
GetSessionToken
a web service that enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or for users you authenticate (federated users).
AWS Security Token Service (AWS STS)
Returns a set of temporary security credentials that you can use to access AWS resources. These temporary credentials consist of an access key ID, a secret access key, and a security token. Typically, you use it within your account or for cross-account access.
AssumeRole
Returns a set of temporary security credentials for users who have been authenticated via a SAML authentication response.
This operation provides a mechanism for tying an enterprise identity store or directory to role-based AWS access without user-specific credentials or configuration.
AssumeRoleWithSAML
Returns a set of temporary security credentials for users who have been authenticated in a mobile or web application with a web identity provider.
AssumeRoleWithWebIdentity
Decodes additional information about the authorization status of a request from an encoded message returned in response to an AWS request.
DecodeAuthorizationMessage
Returns the account identifier for the specified access key ID.
GetAccessKeyInfo
Returns details about the IAM user or role whose credentials are used to call the operation.
GetCallerIdentity
Returns a set of temporary security credentials (consisting of an access key ID, a secret access key, and a security token) for a federated user. A typical use is in a proxy application that gets temporary security credentials on behalf of distributed applications inside a corporate network.
GetFederationToken
AWS Security Token Service API calls include:
AssumeRole
AssumeRoleWithSAML
AssumeRoleWithWebIdentity
DecodeAuthorizationMessage
GetAccessKeyInfo
GetCallerIdentity
GetFederationToken
GetSessionToken
represents the partition key of the dynamodb table
LeadingKeys
represents the items that can be changed in the dynamodb table
Attributes
This condition key allows users to access only the items where the partition key value matches their user ID. This ID, ${www.amazon.com:user_id}, is a substitution variable.
dynamodb:LeadingKeys
This dynamoDB condition key limits access to the specified attributes so that only the actions listed in the permissions policy can return values for these attributes.
In addition, the StringEqualsIfExists clause ensures that the app must always provide a list of specific attributes to act upon and that the app can’t request all attributes.
dynamodb:Attributes
Which action defined by Amazon DynamoDB:
Grants permission to return the attributes of one or more items from one or more tables
BatchGetItem
Which action defined by Amazon DynamoDB:
Grants permission to put or delete multiple items in one or more tables
BatchWriteItem
Which action defined by Amazon DynamoDB:
Grants permission to the ConditionCheckItem operation, which checks the existence of a set of attributes for the item with the given primary key
ConditionCheckItem
Which action defined by Amazon DynamoDB:
Grants permission to return one or more items and item attributes by accessing every item in a table or a secondary index
Scan
Which action defined by Amazon DynamoDB:
Grants permission to create a new item, or replace an old item with a new item
PutItem
With _________________, you can register and authenticate users via your own existing authentication process, while still using Amazon Cognito to synchronize user data and access AWS resources.
developer authenticated identities
Using developer authenticated identities involves interaction between the end user device, your backend for authentication, and Amazon Cognito.
Therefore, the Developer can implement developer-authenticated identities by using Amazon Cognito, and get credentials for these identities.
It is suitable to store session state in an Amazon RDS database. T/F
False, RDS is not suitable for storing session state data. DynamoDB is a better fit for this.
With the _______ integration, also known as the ________ custom integration, you must configure both the integration request and integration response. You must set up necessary data mappings from the method request to the integration request, and from the integration response to the method response.
HTTP
The ____________ integration allows a client to access the backend HTTP endpoints with a streamlined integration setup on single API method. You do not set the integration request or the integration response. API Gateway passes the incoming request from the client to the HTTP endpoint and passes the outgoing response from the HTTP endpoint to the client.
HTTP proxy
this is a custom integration that would be used if you need to customize the data mappings.
HTTP
this type of integration lets an API expose AWS service actions.
AWS
this type of integration lets an API method be integrated with the Lambda function invocation action with a flexible, versatile, and streamlined integration setup.
AWS_PROXY
provides fully managed implementations of two popular in-memory data stores – Redis and Memcached.
ElastiCache, a web service that makes it easy to deploy and run Memcached or Redis protocol-compliant server nodes in the cloud.
This ElastiCache implementation does not offer read replicas or auto-failover and therefore cannot provide high availability
memcached
is a data warehouse for use in online analytics processing (OLAP) use cases. It is not suitable to be used as a caching layer.
Amazon Redshift
This ElastiCache implementation does offer read replicas and auto-failover and therefore can provide high availability
redis
Memcached Elasticache offers data partitioning but does Redis?
Yes, but only if cluster mode is enabled
Which ElastiCache engine offers simple data types with no data persistence, encryption or replication?
memcached, unique features include nodes (scale up and out) and multithreading
Which ElastiCache engine offers complex data types, data persistence, encryption and replication?
redis, unique features include automatic and manual snapshots, and sharding (which allows for scaling)
As an alternative to using IAM roles and policies or Lambda authorizers (formerly known as custom authorizers), you can use an ___________ to control who can access your API in Amazon API Gateway.
Amazon Cognito user pool
To use an Amazon Cognito user pool with your API, you must first create an authorizer of the COGNITO_USER_POOLS type and then configure an API method to use that authorizer. After the API is deployed, the client must first sign the user in to the user pool, obtain an identity or access token for the user, and then call the API method with one of the tokens, which are typically set in the request’s Authorization header. The API call succeeds only if the required token is supplied and the supplied token is valid; otherwise, the client isn’t authorized to make the call because it did not present credentials that could be authorized.
A developer is preparing the resources for creating a multicontainer Docker environment on AWS Elastic Beanstalk. How can the developer define the Docker containers?
Define the containers in the Dockerrun.aws.json file in JSON format and save at the root of the source directory.
You can launch a cluster of multicontainer instances in a single-instance or autoscaling Elastic Beanstalk environment using the Elastic Beanstalk console. The single container and multicontainer Docker platforms for Elastic Beanstalk support the use of Docker images stored in a public or private online image repository.
You specify images by name in the Dockerrun.aws.json file and save it in the root of your source directory.
is a rule that is considered during task placement. can be specified when either running a task or creating a new service.
task placement constraint
Amazon ECS supports the following types of task placement constraints:
distinctInstance, memberOf
The memberOf task placement constraint can be specified with the following actions:
Running a task
Creating a new service
Creating a new task definition
Creating a new revision of an existing task definition
Place tasks on container instances that satisfy an expression
memberOf
Place each task on a different container instance. This task placement constraint can be specified when either running a task or creating a new service.
distinctInstance
is used to select instances for task placement using the binpack, random and spread algorithms.
task placement strategy
A developer is building a multi-tier web application that accesses an Amazon RDS MySQL database. The application must use credentials to connect, and these need to be stored securely. The application will take care of secret rotation.
Which AWS service represents the LOWEST cost solution for storing credentials?
AWS IAM with the Security Token Service (STS)
AWS Systems Manager Parameter Store
AWS Secrets Manager
AWS Key Management Service (KMS)
AWS Systems Manager Parameter Store
provides secure, hierarchical storage for configuration data management and secrets management. You can store data such as passwords, database strings, and license codes as parameter values. It is highly scalable, available, and durable.
AWS Systems Manager Parameter Store
You can then reference values by using the unique name that you specified when you created the parameter.
By default, Amazon SQS uses ____ polling, querying only a subset of its servers (based on a weighted random distribution) to determine whether any messages are available for a response.
short polling
You can use long polling to reduce your costs while allowing your consumers to receive messages as soon as they arrive in the queue.
When the wait time for the ReceiveMessage API action is greater than 0, long polling is in effect. The maximum long polling wait time is
20 seconds
This attribute sets the length of time, in seconds, for which Amazon SQS retains a message.
MessageRetentionPeriod
This SQS attribute sets the length of time, in seconds, for which the delivery of all messages in the queue is delayed.
DelaySeconds
A scenario requires encryption of in-flight data which can be done by implementing HTTPS. To do this the organization must configure the
Origin Protocol Policy and the Viewer Protocol Policy on the CloudFront Distribution.
Origin Protocol Policy gives what 3 options:
HTTP only
HTTPS Only
Match Viewer
Viewer Protocol Policy gives what 3 options:
HTTP and HTTPS
Redirect HTTP to HTTPS
HTTPS Only
is used to configure whether you want CloudFront to require users to access your content using a signed URL or a signed cookie.
Enable the CloudFront option Restrict Viewer Access
is a feature in Amazon Kinesis Data Streams that automatically encrypts data before it’s at rest by using an AWS KMS customer master key (CMK) you specify.
Server-side encryption
The AWS STS __________ API decodes additional information about the authorization status of a request from an encoded message returned in response to an AWS request. The output is then decoded into a more human-readable output that can be viewed in a JSON editor.
decode-authorization-message
- Launches new instances in a new ASG and deploys the version update to these instances before swapping traffic to these instances once healthy.
- Zero downtime.
- New code is deployed to new instances using an ASG.
- High cost as double the number of instances running during updates.
- Longest deployment.
- Quick rollback in case of failures.
- Great for production environments.
Immutable
The default credential provider chain looks for credentials in what order:
- Environment variables–AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY. The AWS SDK for Java uses the EnvironmentVariableCredentialsProvider class to load these credentials.
- Java system properties–aws.accessKeyId and aws.secretKey. The AWS SDK for Java uses the SystemPropertiesCredentialsProvider to load these credentials.
- The default credential profiles file– typically located at ~/.aws/credentials (location can vary per platform) and shared by many of the AWS SDKs and by the AWS CLI. The AWS SDK for Java uses the ProfileCredentialsProvider to load these credentials.
- Amazon ECS container credentials– loaded from the Amazon ECS if the environment variable AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is set. The AWS SDK for Java uses the ContainerCredentialsProvider to load these credentials. You can specify the IP address for this value.
- Instance profile credentials– used on EC2 instances and delivered through the Amazon EC2 metadata service. The AWS SDK for Java uses the InstanceProfileCredentialsProvider to load these credentials. You can specify the IP address for this value.
When you initialize a new service client without supplying any arguments, the AWS SDK for Java attempts to find AWS credentials by using the default credential provider chain implemented by the
DefaultAWSCredentialsProviderChain class
You can invoke Lambda functions directly with the
Lambda console, the Lambda API, the AWS SDK, the AWS CLI, and AWS toolkits.
You can also configure other AWS services to invoke your function, or you can configure Lambda to read from a stream or queue and invoke your function.
You wait for the function to process the event and return a response.
o To invoke a function in this manner with the AWS CLI, use the invoke command.
o The Invocation-type can be used to specify a value of “RequestResponse”. This instructs AWS to execute your Lambda function and wait for the function to complete.
Synchronous invocation
Asynchronous invocation:
o When you invoke a function asynchronously, you don’t wait for a response from the function code.
o For asynchronous invocation, Lambda handles retries and can send invocation records to a destination.
o To invoke a function asynchronously, set the invocation type parameter to Event.
The fastest way to process all the files is to use asynchronous invocation and process the files in parallel. To do this you should specify the invocation type of
Event
querying only a subset of its servers (based on a weighted random distribution) to determine whether any messages are available for a response.
short polling, Amazon SQS defaults to this
Used to reduce your costs while allowing your consumers to receive messages as soon as they arrive in the queue.
long polling
When the wait time for the ReceiveMessage API action is greater than 0, long polling is in effect. The maximum long polling wait time is 20 seconds.
helps reduce the cost of using Amazon SQS by reducing the number of empty responses (when there are no messages available for a ReceiveMessage request) and eliminating false empty responses (when messages are available but aren't included in a response). It also returns messages as soon as they become available.
Long polling
Service: AWSKMS; Status Code: 400, Error Code: ThrottlingException
How to resolve:
Perform error retries with exponential backoff (and jitter) in the application code; the AWS SDKs already retry throttling errors by default, so tune the SDK retry configuration before adding your own loop
Request an AWS KMS request-rate quota increase through Service Quotas or AWS Support
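The retry-with-backoff fix as working code. This is an added example, not AWS's or the SDK's code: FlakyKmsClient and ClientError are constructed stand-ins for boto3's KMS client and botocore's ClientError (same err.response["Error"]["Code"] shape), so only call_with_backoff is the part you would reuse against the real client. It retries only on throttling-type codes, raises non-retryable errors such as AccessDeniedException immediately, and re-raises the last throttling error once the attempt budget is spent.

```python
import random
import time

# Added example, not AWS's code. Stand-ins for the boto3 KMS client and
# botocore.exceptions.ClientError so the retry loop can run offline.

RETRYABLE_CODES = {"ThrottlingException", "KMSInternalException"}


class ClientError(Exception):
    """Minimal stand-in for botocore.exceptions.ClientError."""

    def __init__(self, code, message, operation):
        super().__init__(f"An error occurred ({code}) when calling the "
                         f"{operation} operation: {message}")
        self.response = {"Error": {"Code": code, "Message": message},
                         "ResponseMetadata": {"HTTPStatusCode": 400}}


class FlakyKmsClient:
    """Constructed stand-in: fails the first `fail_first` calls with `code`, then succeeds."""

    def __init__(self, fail_first, code="ThrottlingException"):
        self.fail_first = fail_first
        self.code = code
        self.calls = 0

    def generate_data_key(self, KeyId, KeySpec="AES_256"):
        self.calls += 1
        if self.calls <= self.fail_first:
            raise ClientError(self.code, "Rate exceeded", "GenerateDataKey")
        return {"KeyId": KeyId, "Plaintext": b"\x00" * 32, "CiphertextBlob": b"wrapped"}


def call_with_backoff(fn, *, max_attempts=6, base=0.05, cap=2.0,
                      sleep=time.sleep, rng=random.random):
    """Call fn(); retry only on retryable KMS errors.

    The wait before retry n is "full jitter": uniform(0, min(cap, base * 2**n)),
    which spreads retries from many throttled callers instead of re-synchronising
    them. Non-retryable errors are raised at once; after max_attempts the last
    throttling error propagates so the caller sees the failure, not a silent None.
    Returns (result, attempts_used).
    """
    for attempt in range(max_attempts):
        try:
            return fn(), attempt + 1
        except ClientError as err:
            code = err.response["Error"]["Code"]
            if code not in RETRYABLE_CODES or attempt == max_attempts - 1:
                raise
            sleep(rng() * min(cap, base * (2 ** attempt)))


def demo(fail_first=3, code="ThrottlingException"):
    """Run the retry loop against the stand-in, recording waits instead of sleeping."""
    client = FlakyKmsClient(fail_first, code)
    waits = []
    result, attempts = call_with_backoff(
        lambda: client.generate_data_key(KeyId="alias/app-data"),
        sleep=waits.append)
    return result, attempts, waits


if __name__ == "__main__":
    print(demo())
```

With the real client, replace FlakyKmsClient by boto3.client("kms") and catch botocore.exceptions.ClientError; the loop itself does not change. Set max_attempts from the caller's latency budget, because six attempts at the default cap can add several seconds.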
A function execution result includes
version, timestamp, request context, request payload, response context, and response payload
For each execution status (i.e. Success and Failure), you can choose one destination from four options: another Lambda function and what others?
an SNS topic, an SQS standard queue, or EventBridge.
provides secure, hierarchical storage for configuration data management and secrets management. You can store data such as passwords, database strings, and license codes as parameter values.
AWS Systems Manager Parameter Store
is any sensitive data that needs to be stored and referenced in a secure manner.
secure string parameter,
If you have data that you don’t want users to alter or reference in plaintext, such as passwords or license keys, create those parameters using the SecureString datatype.
Each shard is processed by how many KCL workers?
exactly one (each shard has exactly one record processor, though a single worker can process several shards)
The number of worker instances should not exceed the number of shards; extra instances would sit idle.
To collect logs from Amazon EC2 and on-premises instances it is necessary to install an agent. There are two options:
the unified CloudWatch Agent which collects logs and advanced metrics (such as memory usage)
the older CloudWatch Logs agent which only collects logs from Linux servers.
enables you to centralize the logs from all of your systems, applications, and AWS services that you use, in a single, highly scalable service. You can then easily view them, search them for specific error codes or patterns, filter them based on specific fields, or archive them securely for future analysis.
CloudWatch Logs
creates a unique customer managed customer master key (CMK) in your AWS account and Region.
kms:CreateKey
Which api generates a unique symmetric data key?
This operation returns a plaintext copy of the data key and a copy that is encrypted under a customer master key (CMK) that you specify. You can use the plaintext key to encrypt your data outside of AWS KMS and store the encrypted data key with the encrypted data.
kms:GenerateDataKey
this sets the key state of a customer master key (CMK) to enabled. It allows you to use the CMK for cryptographic operations
kms:EnableKey
is a fully managed service that makes it easy for developers to create, publish, maintain, monitor, and secure APIs at any scale.
Amazon API Gateway
act as the “front door” for applications to access data, business logic, or functionality from your backend services.
APIs
you can use this to create RESTful APIs and WebSocket APIs that enable real-time two-way communication applications.
it supports containerized and serverless workloads, as well as web applications.
API Gateway
is used to provide central management of multiple AWS accounts and business applications and to provide single sign-on to accounts.
AWS Single Sign-On (SSO), now called AWS IAM Identity Center
is used for adding sign-up, sign-in and access control to web and mobile apps.
Amazon Cognito
is a web service that enables you to coordinate the components of distributed applications and microservices using visual workflows. You build applications from individual components that each perform a discrete function, or task, allowing you to scale and change applications quickly.
AWS Step Functions
offers a graphical console to visualize the components of your application as a series of steps. It automatically triggers and tracks each step, and retries when there are errors, so your application executes in order and as expected, every time.
AWS Step Functions
Can be thought of as a fully-managed state tracker and task coordinator in the Cloud. It does not coordinate serverless workflows.
Amazon SWF
is used to run batch computing jobs on Amazon EC2 and is therefore not serverless.
AWS Batch
it is serverless, it does not provide a native capability to coordinate multiple AWS services.
AWS Lambda
True/False: You can access the SAR (AWS Serverless Application Repository) through the console and deploy SAM templates
True
True/False: You can access AWS SAM through the AWS Management Console
False (SAM is a CLI tool plus a template specification; there is no SAM console)
True/False: You cannot deploy SAM templates through the CloudFormation console.
True per the exam material, which expects the SAM CLI or the SAR. In practice CloudFormation will accept a packaged SAM template (function code already uploaded to S3) from its console if you acknowledge the AWS::Serverless transform with CAPABILITY_AUTO_EXPAND.
command initializes a serverless application with an AWS SAM template. The template provides a folder structure for your Lambda functions and is connected to an event source such as APIs, S3 buckets, or DynamoDB tables
sam init
Each _____ can be a thread (in programming languages that support multithreading) or an operating system process. (DynamoDB related question)
worker
The total number of segments for the parallel scan. This value must be the same as the number of workers that your application will use.
TotalSegments
T/F: Even though DynamoDB distributes a large table’s data across multiple physical partitions, a Scan operation can only read one partition at a time. For this reason, the throughput of a Scan is constrained by the maximum throughput of a single partition.
True
To address these issues, the Scan operation can logically divide a table or secondary index into multiple segments, with multiple application workers scanning the segments in parallel. Each worker can be a thread (in programming languages that support multithreading) or an operating system process. To perform a parallel scan, each worker issues its own Scan request with the following parameters:
- Segment
- TotalSegments
To control the amount of data returned per request, using this can help prevent situations where one worker consumes all of the provisioned throughput, at the expense of all other workers.
Limit parameter.
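The parallel-scan mechanics from the cards above (Segment, TotalSegments, Limit, pagination) in one runnable piece. This is an added example, not AWS's code: FakeTable is a constructed stand-in for boto3's dynamodb.scan() that assigns items to segments by a hash of the partition key so the example runs offline, and only a ProjectionExpression of the form "a, b" is modelled. Each worker owns one Segment, every request carries TotalSegments and a Limit, and the worker keeps calling until no LastEvaluatedKey comes back.

```python
import threading
import zlib

# Added example, not AWS's code. FakeTable simulates dynamodb.scan(); the
# worker and fan-out functions are what you would run against the real client.


class FakeTable:
    def __init__(self, items):
        self.items = items      # constructed rows, each with a "pk" partition key
        self.requests = 0

    def scan(self, *, Segment, TotalSegments, Limit,
             ExclusiveStartKey=None, ProjectionExpression=None):
        self.requests += 1
        if not 0 <= Segment < TotalSegments:
            raise ValueError("ValidationException: Segment must be less than TotalSegments")
        # Deterministic segment assignment (real DynamoDB splits by key range).
        mine = sorted((it for it in self.items
                       if zlib.crc32(it["pk"].encode()) % TotalSegments == Segment),
                      key=lambda it: it["pk"])
        start = 0
        if ExclusiveStartKey is not None:
            start = next(i for i, it in enumerate(mine)
                         if it["pk"] == ExclusiveStartKey["pk"]) + 1
        page = mine[start:start + Limit]           # Limit caps items per request
        if ProjectionExpression:
            wanted = [a.strip() for a in ProjectionExpression.split(",")]
            page = [{k: it[k] for k in wanted if k in it} for it in page]
        resp = {"Items": page, "Count": len(page), "ScannedCount": len(page)}
        if start + Limit < len(mine):             # more to read: hand back a cursor
            resp["LastEvaluatedKey"] = {"pk": mine[start + Limit - 1]["pk"]}
        return resp


def scan_segment(table, segment, total_segments, limit, projection=None):
    """One worker: page through its segment until LastEvaluatedKey is absent."""
    items, start_key = [], None
    while True:
        kwargs = dict(Segment=segment, TotalSegments=total_segments, Limit=limit,
                      ProjectionExpression=projection)
        if start_key:
            kwargs["ExclusiveStartKey"] = start_key
        resp = table.scan(**kwargs)
        items.extend(resp["Items"])
        start_key = resp.get("LastEvaluatedKey")
        if not start_key:
            return items


def parallel_scan(table, total_segments, limit, projection=None):
    """One thread per segment; TotalSegments must equal the number of workers."""
    results = [None] * total_segments

    def run(seg):
        results[seg] = scan_segment(table, seg, total_segments, limit, projection)

    threads = [threading.Thread(target=run, args=(s,)) for s in range(total_segments)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return [it for seg_items in results for it in seg_items]


def sample_items(n=50):
    """Constructed table contents."""
    return [{"pk": f"user#{i:03d}", "email": f"u{i}@example.com", "age": 20 + i % 40}
            for i in range(n)]


if __name__ == "__main__":
    table = FakeTable(sample_items())
    print(len(parallel_scan(table, total_segments=4, limit=7)), "items in",
          table.requests, "requests")
```

Against a real table the Limit is what keeps one fast worker from draining the provisioned read capacity that the other segments share; pick it so each worker's request rate stays under its share of the table's RCUs.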
BeforeInstall > AfterInstall > AfterAllowTestTraffic > BeforeAllowTraffic > AfterAllowTraffic
What is shown?
a valid order for the lifecycle hooks in the appspec.yml file of an Amazon ECS (blue/green) deployment; each hook names a Lambda function that CodeDeploy invokes at that point, so validation tests belong in AfterAllowTestTraffic, before production traffic is shifted.
extends the functionality of stacks by enabling you to create, update, or delete stacks across multiple accounts and regions with a single operation.
AWS CloudFormation StackSets
A team of developers need to be able to collaborate and synchronize multiple distributed code repositories and leverage a pre-configured continuous delivery toolchain for deploying their projects on AWS. The team also require a centralized project dashboard to monitor application activity.
Which AWS service should they use?
AWS CodeStar
is a fully managed source control service that hosts Git-based repositories. However, it does not offer the collaboration and project management dashboard features of CodeStar or the pre-configured continuous delivery toolchain.
CodeCommit
Steps to determine the number of RCUs needed (strongly consistent reads)
- Determine the average item size by rounding up to the next multiple of 4 KB (9 KB rounds up to 12 KB).
- Determine the RCUs per item by dividing the rounded size by 4 KB (12 KB / 4 KB = 3).
- Multiply the value from step 2 by the number of reads required per second (3 x 4 = 12).
Eventually consistent reads cost half of this (6); transactional reads cost twice as much (24).
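The three steps as a capacity calculator, an added example rather than anything from the page or from AWS. It generalises the card to eventually consistent and transactional reads and to write capacity units (1 KB per unit, doubled for transactional writes); the rounding rules are the standard DynamoDB ones.

```python
import math

# Added example, not AWS's code: DynamoDB provisioned-capacity arithmetic.

RCU_BYTES = 4 * 1024   # one RCU = one strongly consistent read of up to 4 KB per second
WCU_BYTES = 1 * 1024   # one WCU = one standard write of up to 1 KB per second

READ_FACTOR = {"strong": 1.0, "eventual": 0.5, "transactional": 2.0}


def read_capacity_units(item_size_bytes, reads_per_second, consistency="strong"):
    """Round the item up to whole 4 KB chunks, multiply by rate, apply consistency."""
    units_per_item = max(1, math.ceil(item_size_bytes / RCU_BYTES))
    return math.ceil(units_per_item * reads_per_second * READ_FACTOR[consistency])


def write_capacity_units(item_size_bytes, writes_per_second, transactional=False):
    """Writes round to whole 1 KB chunks; transactional writes cost twice as much."""
    units_per_item = max(1, math.ceil(item_size_bytes / WCU_BYTES))
    return units_per_item * writes_per_second * (2 if transactional else 1)


if __name__ == "__main__":
    # The card's worked example: 9 KB items, 4 strongly consistent reads per second.
    print(read_capacity_units(9 * 1024, 4))            # 12
    print(read_capacity_units(9 * 1024, 4, "eventual"))  # 6
```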
What does an Amazon SQS delay queue accomplish?
Messages are hidden for a configurable amount of time when they are first added to the queue
options for preventing DynamoDB throttling from occurring include:
Add exponential backoff to the application logic
Distribute read and write operations as evenly as possible across your table
Implement a caching solution
An application is running on a fleet of EC2 instances behind an Elastic Load Balancer (ELB). The EC2 instances store session data in a shared Amazon S3 bucket. Security policy mandates that data must be encrypted in transit.
How can the Developer ensure that all data that is sent to the S3 bucket is encrypted in transit?
Create an S3 bucket policy with a Deny statement conditioned on aws:SecureTransport being false, so plain-HTTP requests are rejected regardless of what the caller's identity policy allows
A Developer is creating an AWS Lambda function that generates a new file each time it runs. Each new file must be checked into an AWS CodeCommit repository hosted in the same AWS account.
How should the Developer accomplish this?
Use an AWS SDK to instantiate a CodeCommit client. Invoke the put_file method to add the file to the repository
delivers a near real-time stream of system events that describe changes in Amazon Web Services (AWS) resources. Using simple rules that you can quickly set up, you can match events and route them to one or more target functions or streams.
Amazon CloudWatch Events
You can use Amazon CloudWatch Events to invoke the Lambda function on a recurring schedule of 15 minutes. This solution is entirely automated and serverless.
actions are allowed by default, and you specify what services and actions are prohibited
SCP deny list
actions are prohibited by default, and you specify what services and actions are allowed
SCP allow list
compiles your source code, runs unit tests, and produces artifacts that are ready to deploy.
CodeBuild
is a fully managed continuous delivery service that helps you automate your release pipelines for fast and reliable application and infrastructure updates.
AWS CodePipeline
is an ordered flow of information about changes to items in a DynamoDB table. When you enable a stream on a table, DynamoDB captures information about every modification to data items in the table.
DynamoDB stream
To restrict access to content that you serve from Amazon S3 buckets, you create CloudFront signed URLs or signed cookies to limit access to files in your Amazon S3 bucket, and then you create a
special CloudFront user called an origin access identity (OAI) and associate it with your distribution.
After creating a special CloudFront user called an origin access identity (OAI) and associate it with your distribution, you then?
configure permissions so that CloudFront can use the OAI to access and serve files to your users, but users can’t use a direct URL to the S3 bucket to access a file there.
Taking these steps help you maintain secure access to the files that you serve through CloudFront.
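The bucket policy for the two cases on this page, the TLS-only Deny for the session-data bucket and the Allow for a CloudFront origin access identity, together with a small evaluator that applies it the way IAM does (an explicit Deny wins; otherwise the request needs a matching Allow). This is an added example, not AWS's code: the bucket name and OAI ID are placeholders, only the Bool condition operator and AWS principals are modelled, and only this one document is consulted (the caller's identity policy is out of scope). Note that OAI is the legacy mechanism; CloudFront now recommends origin access control (OAC), where the Allow statement names the cloudfront.amazonaws.com service principal with an AWS:SourceArn condition on the distribution, but the Deny statement is the same.

```python
import fnmatch
import json

# Added example, not AWS's code: bucket policy plus a toy evaluator for it.


def build_bucket_policy(bucket, oai_id):
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # CloudFront, acting as the OAI, may read objects ...
                "Sid": "AllowCloudFrontOAIRead",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::cloudfront:user/"
                                     f"CloudFront Origin Access Identity {oai_id}"},
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
            },
            {   # ... but nobody may touch the bucket or its objects over plain HTTP.
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
        ],
    }


def policy_json(policy):
    """The document as you would paste it into the bucket's Permissions tab."""
    return json.dumps(policy, indent=2)


def as_list(value):
    return value if isinstance(value, list) else [value]


def principal_matches(principal, caller_arn):
    return principal == "*" or caller_arn in as_list(principal.get("AWS", []))


def condition_matches(condition, context):
    # Bool: the context key must be present and equal, case-insensitively.
    # A missing key means the condition is not met (no "IfExists" semantics here).
    for key, expected in condition.get("Bool", {}).items():
        if key not in context or str(context[key]).lower() != expected.lower():
            return False
    return True


def evaluate(policy, caller_arn, action, resource, context):
    """Return "Deny", "Allow" or "ImplicitDeny" for one request against this policy."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        applies = (
            principal_matches(stmt["Principal"], caller_arn)
            and any(fnmatch.fnmatchcase(action, a) for a in as_list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(resource, r) for r in as_list(stmt["Resource"]))
            and condition_matches(stmt.get("Condition", {}), context)
        )
        if not applies:
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # an explicit Deny cannot be overridden by any Allow
        decision = "Allow"
    return decision


if __name__ == "__main__":
    print(policy_json(build_bucket_policy("media-bucket", "E2EXAMPLE")))
```

Because the Deny is unconditional on the principal, it also blocks the account's own administrators over HTTP, which is the intended effect: transport encryption is enforced at the resource, not left to each caller's permissions.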
True/False: You can restrict access to buckets by IP address when using ACL
False
Name 3 benefits of envelope encryption:
Protecting data keys
Encrypting the same data under multiple master keys
Combining the strengths of multiple algorithms
This picture depicts what?
envelope encryption
is the practice of encrypting plaintext data with a data key, and then encrypting the data key under another key.
envelope encryption
The top-level plaintext key encryption key is known as the
master key
CMK can only encrypt up to ______ in a single operation.
4 KB (4,096 bytes of plaintext per Encrypt call)
To encrypt large amounts of data via KMS, you must use a __________ instead of a CMK
data encryption key
To generate a data key, call the ____________________ operation
GenerateDataKey
With the SAM CLI you can package and deploy your source code using two simple commands:
- sam package
- sam deploy
Alternatively, you can use:
- aws cloudformation package
- aws cloudformation deploy
are designed to enhance messaging between applications when the order of operations and events is critical, or where duplicates can’t be tolerated.
FIFO (First-In-First-Out) queues
An AppSpec file can be written using
JSON or YAML
For a deployment to an Amazon ECS compute platform:
True/False: A revision is the same as an AppSpec file.
True
For a deployment to an Amazon ECS compute platform:
What specifies the Amazon ECS task definition used for the deployment, a container name and port mapping used to route traffic, and optional Lambda functions run after deployment lifecycle events.
appspec file
describes how to deploy a remote Docker image as an Elastic Beanstalk application.
Dockerrun.aws.json file
is a collection of build commands and related settings, in YAML format, that CodeBuild uses to run a build using AWS CodeBuild.
A build spec, buildspec.yaml
The _______________________ in the source code for an Elastic Beanstalk application is used for .config files that configure the environment and customize resources.
.ebextensions folder
- Writes to one or more Kinesis data streams with an automatic and configurable retry mechanism
- Collects records and uses PutRecords to write multiple records to multiple shards per request
Kinesis Producer Library (KPL)
- Aggregates user records to increase payload size and improve throughput
- Integrates seamlessly with the Kinesis Client Library (KCL) to de-aggregate batched records on the consumer
- Submits Amazon CloudWatch metrics on your behalf to provide visibility into producer performance
Kinesis Producer Library (KPL)
What object storage uses standards-based REST and SOAP interfaces designed to work with any internet-development toolkit.
Amazon S3, an object storage built to store and retrieve any amount of data from anywhere on the Internet.
Amazon S3 is a simple key-based object store. T/F
True
allow containers to access ports on the host container instance to send or receive traffic. And they are specified as part of the container definition.
port mappings
the port number on the container that is bound to the user-specified or automatically assigned host port.
containerPort
the port number on the container instance to reserve for your container.
hostPort
True/False: You can create a VPC endpoint for AWS Lambda
Older exam material says False; since late 2020 Lambda supports interface VPC endpoints (AWS PrivateLink), so functions can be managed and invoked from inside a VPC without an internet gateway or NAT.
a feature that lets you specify placeholders in a policy.
When the policy is evaluated, they are replaced with values that come from the context of the request itself.
policy variables
True/False: You can run docker login with an IAM key pair
False; for Amazon ECR you exchange IAM credentials for a short-lived token (aws ecr get-login-password) and pass that token to docker login as the password for the user AWS
Amazon Cognito ______ pools support both authenticated and unauthenticated identities.
identity
A Developer is publishing custom metrics for Amazon EC2 using the Amazon CloudWatch CLI. The Developer needs to add further context to the metrics being published by organizing them by EC2 instance and Auto Scaling Group.
What should the Developer add to the CLI command when publishing the metrics using put-metric-data
the --dimensions parameter
A dimension further clarifies
what the metric is and what data it stores. Each dimension is a name/value pair, and a metric can carry up to 30 dimensions (older material says 10). Every distinct combination of dimension values is a separate metric, so high-cardinality values such as request IDs inflate metric counts and cost.
enables fast, easy, and secure transfers of files over long distances between your client and an S3 bucket.
Amazon S3 Transfer Acceleration
What can capture, transform, and load streaming data into Amazon S3, Amazon Redshift, Amazon Elasticsearch Service, and Splunk, enabling near real-time analytics with existing business intelligence tools and dashboards you’re already using today?
Amazon Kinesis Data Firehose, the easiest way to load streaming data into data stores and analytical tools.
is a fully managed service that automatically scales to match the throughput of your data and requires no ongoing administration. It can also batch, compress, and encrypt the data before loading it, minimizing the amount of storage used at the destination and increasing security.
Firehose
What kinesis service needs consumers running on EC2 instances or AWS Lambda for processing data from stream and won’t load data directly to a datastore?
Amazon Kinesis Data Streams
displays a graphical view of your state machine’s structure. This provides a way to visually check your state machine’s logic and monitor executions.
The Step Functions console
is based on the concepts of tasks and state machines
defined using the JSON-based Amazon States Language.
AWS Step Functions
True or false: Read Replicas are used for fault tolerance
False; read replicas scale read traffic, while a Multi-AZ standby provides automatic failover. A replica can be promoted, but that is a manual disaster-recovery step.
is the only Elastic Load Balancer provided by AWS that can perform host-based routing.
The Application Load Balancer,
This means you can route traffic coming in to forum.example.com and myaccount.example.com to different target groups.
this type of ELB routes traffic based on information at the connection layer (L4).
Network Load Balancer
A Developer is creating an AWS Lambda function that will process medical images. The function is dependent on several libraries that are not available in the Lambda runtime environment. Which strategy should be used to create the Lambda deployment package?
Create a ZIP file with the source code and all dependent libraries
True/False: You cannot map an external path to a Lambda function using an environment variable.
True
a map of services used by your application with trace data. You can use the trace data to drill into specific services or issues. This data provides a view of connections between services in your application and aggregated data for each service, including average latency and failure rates.
X-ray service map
is used to record API calls for governance, compliance operation, and risk auditing purposes.
CloudTrail event history
delivers a near-real-time stream of system events that describe changes in Amazon Web Services resources.
EventBridge (CloudWatch Events)
provides real-time guidance to help provision AWS resources to follow AWS best practices. It can report overall system utilization, but it is not used for identifying application performance issues.
Trusted Advisor
(Step Functions)
The HeartbeatSeconds attribute defines the
maximum interval that the task will wait for a heartbeat signal.
If an activity worker fails to send heartbeats within this interval, the state is failed. A retry policy on the state allows another activity worker to attempt to complete the state.
(Step Functions)
The TimeoutSeconds attribute defines the
maximum task duration before the task is considered failed.
A function needs permission to call CloudWatch Logs. Update the execution role to grant the permission. You can use the managed policy of
AWSLambdaBasicExecutionRole
You use the Lambda _________ to grant Lambda permission to AWS resources. The ____________ allows other services to invoke the Lambda function.
execution role, resource-based policy
(DynamoDB Feature) provides end-to-end protection for your data in transit and at rest. You can encrypt selected items or attribute values in a table.
The DynamoDB Encryption Client
When you configure the DynamoDB Encryption Client to use AWS KMS (the Direct KMS Materials Provider), the KMS key itself never leaves AWS KMS unencrypted; the provider asks KMS for a unique encryption key and a signing key for every table item. This method of encryption uses a
symmetric KMS key.
allows for easy externalization of parameters, such as an API key. The secure string option provides for data security by keeping the value encrypted at rest.
Parameter Store
is used to manage the state of an instance itself, such as specific instance configurations or software installations.
Systems Manager State Manager
An ElastiCache cluster with a _________ strategy will allow for the read requests to be redirected to ElastiCache efficiently. The strategy will allow for the most up-to-date data to be retrieved.
write-through
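The difference behind that card, shown against in-memory stand-ins for a database and an ElastiCache node. This is an added example, not AWS's code: the clock is injectable so TTL expiry can be demonstrated without sleeping. Lazy loading (cache-aside) keeps serving a cached value after another writer has changed the database until the TTL expires; write-through updates the cache in the same operation as the database, so the next read is current.

```python
# Added example, not AWS's code: lazy loading versus write-through caching.


class Database:
    def __init__(self):
        self.rows = {}
        self.reads = 0

    def get(self, key):
        self.reads += 1
        return self.rows.get(key)

    def put(self, key, value):
        self.rows[key] = value


class Cache:
    """Minimal TTL cache, standing in for Redis/Memcached SET with an expiry."""

    def __init__(self, clock, ttl_seconds):
        self.clock, self.ttl, self.store = clock, ttl_seconds, {}

    def get(self, key):
        hit = self.store.get(key)
        if hit is None:
            return None
        value, expires_at = hit
        if self.clock() >= expires_at:
            del self.store[key]
            return None
        return value

    def set(self, key, value):
        self.store[key] = (value, self.clock() + self.ttl)


def read_lazy_loading(db, cache, key):
    """Cache-aside: serve from cache; on a miss read the database and populate."""
    value = cache.get(key)
    if value is None:
        value = db.get(key)
        if value is not None:
            cache.set(key, value)
    return value


def write_through(db, cache, key, value):
    """Write the database and the cache together, so reads never see a stale copy."""
    db.put(key, value)
    cache.set(key, value)


def write_db_only(db, key, value):
    """A writer that bypasses the cache (batch job, another service, manual fix)."""
    db.put(key, value)


def scenario():
    now = [0]
    db, cache = Database(), Cache(lambda: now[0], ttl_seconds=300)
    write_through(db, cache, "price:sku-1", 100)
    first = read_lazy_loading(db, cache, "price:sku-1")      # 100, served from cache
    write_db_only(db, "price:sku-1", 120)
    stale = read_lazy_loading(db, cache, "price:sku-1")      # still 100: cached copy is stale
    now[0] = 301
    after_ttl = read_lazy_loading(db, cache, "price:sku-1")  # 120: TTL expired, reloaded
    write_through(db, cache, "price:sku-1", 150)
    fresh = read_lazy_loading(db, cache, "price:sku-1")      # 150 immediately
    return {"first": first, "stale": stale, "after_ttl": after_ttl,
            "fresh": fresh, "db_reads": db.reads}


if __name__ == "__main__":
    print(scenario())
```

The TTL is the safety net for lazy loading, not a fix: until it expires every reader sees the stale value, which is why the card pairs "most up-to-date data" with write-through.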
can help users quickly identify services by their relative response times and can identify a poorly performing service from within a web of interacting services.
X-Ray, once identified, CloudWatch provides the context, including the logs and metrics necessary to study specific issues.
The contents of the appspec.yml file can be directly added into the CodeDeploy console only when an ___________ deployment is created.
AWS Lambda application
Set the _________ parameter to 1 to set the maximum number of items that need to be retrieved with a DynamoDB scan operation.
Limit (it caps the items evaluated per request, not the items that survive a filter expression)
AWS software development kits (SDKs) require what 2 things to make programmatic calls to AWS.
an access key ID and a secret access key (temporary credentials from STS or an assumed role add a session token; prefer those over long-lived keys)
An EC2 instance, or any AWS principal, service, or resource can assume how many roles at a time?
1
is a .zip file archive that contains libraries, a custom runtime, or other dependencies.
With them, you can use libraries in a Lambda function without needing to include the libraries in a deployment package.
can be used on multiple lambda functions
Lambda layer
is the practice of encrypting plaintext data with a data key and then encrypting the data key under another key.
Envelope Encryption
True/False: It is bad practice to store the encrypted form of the data key so that you can use the data key with the encrypted data
False, You must store the encrypted form of the data key so that you can use the data key to decrypt the encrypted data in the database.
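The envelope-encryption flow that the GenerateDataKey, 4 KB limit and stored-encrypted-key cards describe, in one runnable piece. This is an added example, not AWS's code: FakeKms is a constructed in-memory stand-in for AWS KMS whose master key never leaves it and whose Encrypt refuses more than 4,096 bytes, and it also exposes GenerateDataKeyWithoutPlaintext, which returns only the encrypted copy. Real KMS and the AWS Encryption SDK use AES-256-GCM; the Python standard library has no AES, so bulk data is sealed here with an HMAC-SHA256 counter-mode keystream plus an HMAC tag (encrypt-then-MAC). The pattern, not the primitive, is the point: one small KMS call per object, local encryption of the bulk, and only the wrapped data key stored beside the ciphertext.

```python
import hashlib
import hmac
import secrets

# Added example, not AWS's code. Stand-in cipher and stand-in KMS.

KMS_MAX_PLAINTEXT = 4096   # Encrypt/Decrypt directly under a KMS key are capped at 4 KB


def derive_subkeys(key):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def keystream(key, nonce, length):
    blocks, total, counter = [], 0, 0
    while total < length:
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        blocks.append(block)
        total += len(block)
        counter += 1
    return b"".join(blocks)[:length]


def seal(key, plaintext):
    """nonce || ciphertext || tag; a fresh nonce per call keeps the keystream unique."""
    enc_key, mac_key = derive_subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key, blob):
    enc_key, mac_key = derive_subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, keystream(enc_key, nonce, len(ct))))


class FakeKms:
    def __init__(self):
        self._keys = {}   # key id -> 32-byte master key; never handed to callers

    def create_key(self):
        key_id = "key-" + secrets.token_hex(8)
        self._keys[key_id] = secrets.token_bytes(32)
        return key_id

    def encrypt(self, key_id, plaintext):
        if len(plaintext) > KMS_MAX_PLAINTEXT:
            raise ValueError("ValidationException: plaintext exceeds 4096 bytes; use a data key")
        return key_id.encode() + b"|" + seal(self._keys[key_id], plaintext)

    def decrypt(self, ciphertext_blob):
        key_id, sealed = ciphertext_blob.split(b"|", 1)   # key id is carried in the blob
        return open_sealed(self._keys[key_id.decode()], sealed)

    def generate_data_key(self, key_id, num_bytes=32):
        """(plaintext data key, the same key encrypted under the master key)."""
        data_key = secrets.token_bytes(num_bytes)
        return data_key, self.encrypt(key_id, data_key)

    def generate_data_key_without_plaintext(self, key_id, num_bytes=32):
        return self.generate_data_key(key_id, num_bytes)[1]


def envelope_encrypt(kms, key_id, data):
    """Encrypt data of any size locally; keep only the *encrypted* data key with it."""
    data_key, encrypted_data_key = kms.generate_data_key(key_id)
    record = {"encrypted_data_key": encrypted_data_key, "ciphertext": seal(data_key, data)}
    del data_key   # the plaintext key lives only for this call (Python cannot truly zero it)
    return record


def envelope_decrypt(kms, record):
    """One small KMS Decrypt of the wrapped key, then local decryption of the bulk."""
    data_key = kms.decrypt(record["encrypted_data_key"])
    return open_sealed(data_key, record["ciphertext"])


if __name__ == "__main__":
    kms, key_id = FakeKms(), None
    key_id = kms.create_key()
    rec = envelope_encrypt(kms, key_id, b"payload " * 10_000)
    print(len(rec["ciphertext"]), envelope_decrypt(kms, rec)[:8])
```

Losing the encrypted data key makes the ciphertext unrecoverable, and so does disabling or deleting the KMS key it was wrapped under; that dependency is what makes kms:Decrypt on the key the permission that actually controls access to the stored data.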
can grant API access in one AWS account to users in a different AWS account by using Signature Version 4 (SigV4) protocols.
resource policy
simplifies application development by giving you the ability to create a flexible API to securely access, manipulate, and combine data from one or more data sources. It is a managed service that uses GraphQL to help applications get the exact data that they need.
AWS AppSync, You can use AWS AppSync to build scalable applications that require real-time updates on a range of data sources, including Amazon DynamoDB.
helps protect the credentials that are needed to access databases, applications, services, and other IT resources.
AWS Secrets Manager
With Secrets Manager, you can rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle.
Users and applications retrieve secrets by making a Secrets Manager API call, eliminating the need to hardcode sensitive information in plaintext.
Secrets Manager offers secret rotation with built-in integration for Amazon RDS, Amazon Redshift, and Amazon DocumentDB (with MongoDB compatibility).
Supports SSL endpoints using https protocol, client side, and server side encryption
S3
SSE-S3, SSE-C, SSE-KMS
Encrypts data at rest and in transit via EBS encryption that uses AWS KMS CMKs
EBS
Encrypt data at rest and in transit. Data at rest via AWS KMS, in-transit via TLS
EFS
If your AWS Elastic Beanstalk application performs operations or workflows that take a long time to complete, you can offload those tasks to a dedicated
worker environment
With _______, you can also configure the worker daemon to queue messages based on a cron schedule. Each of which can POST to a different path
periodic tasks
are primarily used in updating data and for scenarios where you want the updates to not be idempotent.
atomic counters
True/False: There is a default SSL/TLS certificate in ELBs
False
is a fully managed, highly available, in-memory cache for DynamoDB that delivers up to a 10x performance improvement – from milliseconds to microseconds – even at millions of requests per second.
Amazon DynamoDB Accelerator (DAX)
DAX does all the heavy lifting required to add in-memory acceleration to your DynamoDB tables without requiring developers to manage cache invalidation, data population, or cluster management.
the default value of the --storage-resolution parameter is
60, which stores the metric at standard one-minute resolution (1 gives high-resolution, one-second data)
provides a time-ordered sequence of item level changes in any DynamoDB table. The changes are de-duplicated and stored for 24 hours. Applications can access this log and view the data items as they appeared before and after they were modified, in near real time.
DynamoDB Streams
Amazon DynamoDB is also integrated with AWS Lambda so that you can create _____ which are pieces of code that automatically respond to events in DynamoDB Streams. With them, you can build applications that react to data modifications in DynamoDB tables.
triggers
Choose Memcached or Redis if you have the following requirements:
– You need the simplest model possible.
– You need to run large nodes with multiple cores or threads.
– You need the ability to scale out and in, adding and removing nodes as demand on your system increases and decreases.
– You need to cache objects, such as database query results.
Memcached
Choose Memcached or Redis if you have the following requirements:
-Snapshots &/or Replications
-Pub/Sub
-Advanced Data Structures
-Transactions
Redis
this service is primarily used to enable connected devices to run AWS Lambda functions, execute predictions based on machine learning models, keep device data in sync, and communicate with other devices securely even without an Internet connection
AWS IoT Greengrass
You can integrate an API method in your API Gateway with a custom HTTP endpoint of your application in two ways:
– HTTP proxy integration
– HTTP custom integration
Programmatically, you choose an integration type by setting the type property on the Integration resource. For the Lambda proxy integration, the value is
AWS_PROXY
For the Lambda custom integration and all other AWS integrations, it is AWS
allows container instances to connect to your cluster.
Container Agent
The Amazon ECS container agent is included in the Amazon ECS-optimized AMIs, but you can also install it on any Amazon EC2 instance that supports the Amazon ECS specification.
an Amazon EC2 instance that is running the Amazon ECS container agent and has been registered into a cluster.
Container instance
Amazon ECS provides a _________ for long-running tasks and applications. It also provides the ability to run tasks manually for batch jobs or single run tasks.
service scheduler
Port mappings allow containers to access ports on the host container instance to send or receive traffic. Port mappings are specified as part of the container definition which can be configured in the
task definition.
Ticking the _______ _______ checkbox ensures that not every client can invalidate the API cache. If most or all of the clients invalidate the API cache, this could significantly increase the latency of your API.
Require authorization
If the AWS Lambda service encountered an internal error, the return will be
ServiceException
GenerateDataKeyWithoutPlaintext is identical to GenerateDataKey except that it returns only the
encrypted copy of the data key.
is an AWS service that makes it easier for you to manage secrets. Secrets can be database credentials, passwords, third-party API keys, and even arbitrary text.
AWS Secrets Manager
You can store and control access to these secrets centrally by using the Secrets Manager console, the Secrets Manager command line interface (CLI), or the Secrets Manager API and SDKs.
enables you to replace hardcoded credentials in your code (including passwords), with an API call to it to retrieve the secret programmatically.
Secrets Manager
AWS resources created for a worker environment tier include
an Auto Scaling group, one or more Amazon EC2 instances, and an IAM role.
Allows you to define periodic tasks in a file named ______ in your source bundle to add jobs to your worker environment’s queue automatically at a regular intervals.
cron.yaml
file that is primarily used to configure the environment name, solution stack, and environment links to use when creating your environment in Elastic Beanstalk.
env.yaml
file used to manage each application deployment as a series of lifecycle event hooks in CodeDeploy
appspec.yml
helps you manage a large number of connections from Lambda to an RDS database by establishing a warm connection pool to the database. Your Lambda functions interact with this instead of your database instance
RDS Proxy,
It handles the connection pooling necessary for scaling many simultaneous connections created by concurrent Lambda functions. This allows your Lambda applications to reuse existing connections, rather than creating new connections for every function invocation.
increasing the maximum number of connections alone, without considering the database size, may lead to other issues, such as
slow response times, timeouts, and even crashes.
provides an end-to-end view of requests as they travel through your application, and shows a map of your application’s underlying components.
AWS X-Ray
You can use X-Ray to analyze both applications in development and in production, from simple three-tier applications to complex microservices applications consisting of thousands of services.
AWS X-Ray works with Amazon EC2, Amazon Elastic Container Service (Amazon ECS), AWS Lambda, and AWS Elastic Beanstalk. X-Ray SDKs are available for Java, Node.js, .NET, Python, Ruby and Go applications deployed on these services.
provides secure, hierarchical storage for configuration data management and secrets management. You can store data such as passwords, database strings, and license codes as parameter values. You can store values as plain text or encrypted data. You can then reference values by using the unique name that you specified when you created the parameter.
AWS Systems Manager Parameter Store
offers the following benefits and features:
– Use a secure, scalable, hosted secrets management service (No servers to manage).
– Improve your security posture by separating your data from your code.
– Store configuration data and secure strings in hierarchies and track versions.
– Control and audit access at granular levels.
– Configure change notifications and trigger automated actions.
– Tag parameters individually, and then secure access from different levels, including operational, parameter, Amazon EC2 tag, or path levels.
– Reference AWS Secrets Manager secrets by using Parameter Store parameters.
This environment variable exposes the X-Ray daemon’s address in the following format: IP_ADDRESS:PORT. You can use the X-Ray daemon’s address to send trace data to the X-Ray daemon directly without using the X-Ray SDK.
AWS_XRAY_DAEMON_ADDRESS
Contains the tracing header, which includes the sampling decision, trace ID, and parent segment ID. If Lambda receives a tracing header when your function is invoked, that header will be used to populate the ___________ environment variable. If a tracing header was not received, Lambda will generate one for you.
_X_AMZN_TRACE_ID
The X-Ray SDK uses this variable to determine its behavior in the event that your function tries to record X-Ray data, but a tracing header is not available. Lambda sets this value to LOG_ERROR by default.
AWS_XRAY_CONTEXT_MISSING
A recently deployed Lambda function has an intermittent issue in processing customer data. You enabled the active tracing option in order to detect, analyze, and optimize performance issues of your function using the X-Ray service.
Which of the following environment variables are used by AWS Lambda to facilitate communication with X-Ray? (Select TWO.)
Options:
AUTO_INSTRUMENT
AWS_XRAY_DEBUG_MODE
AWS_XRAY_TRACING_NAME
AWS_XRAY_CONTEXT_MISSING
_X_AMZN_TRACE_ID
Answer:
AWS_XRAY_CONTEXT_MISSING
_X_AMZN_TRACE_ID
When you create an alarm, you specify three settings to enable CloudWatch to evaluate when to change the alarm state:
– Period
– Evaluation Period
– Datapoints to Alarm
is the length of time to evaluate the metric or expression to create each individual data point for an alarm. It is expressed in seconds. If you choose one minute as the period, there is one datapoint every minute
Period
is the number of the most recent periods, or data points, to evaluate when determining alarm state.
Evaluation Period
is the number of data points within the evaluation period that must be breaching to cause the alarm to go to the ALARM state. The breaching data points do not have to be consecutive; they just must all be within the last number of data points equal to Evaluation Period.
Datapoints to Alarm
is a string that identifies the attributes you want. To retrieve a single attribute, specify its name. For multiple attributes, the names must be comma-separated.
A DynamoDB projection expression
determines which items (and not the attributes) within the Query results should be returned to you. All of the other results are discarded
Using filter expressions
can include one or more nested applications. You can deploy a nested application as a stand-alone artifact or as a component of a larger application.
A serverless application
By using _________ as the method authorization type, it ensures that the API can only be accessed by IAM identities such as IAM users or IAM roles.
AWS_IAM
True/False: API Keys are just a way of identifying the calling parties that you trust, but they are not intended to be used to grant permissions to an IAM role.
True
The following are the Gateway response types which are associated with the HTTP 504 error in API Gateway:
INTEGRATION_FAILURE
INTEGRATION_TIMEOUT
The gateway response for an integration timed out error. If the response type is unspecified, this response defaults to the DEFAULT_5XX type.
INTEGRATION_TIMEOUT
For the integration timeout, the range is from 50 milliseconds to 29 seconds for all integration types, including Lambda, Lambda proxy, HTTP, HTTP proxy, and AWS integrations.
The gateway response for an integration failed error. If the response type is unspecified, this response defaults to the DEFAULT_5XX type.
INTEGRATION_FAILURE
a bucket-level feature that enables faster data transfers to and from Amazon S3. Although this will improve the retrieval times of your objects, this feature will still not paginate the result, which may still cause time-out errors.
Enabling Amazon S3 Transfer Acceleration
provides you with the capability to use simple structured query language (SQL) statements to filter the contents of Amazon S3 objects and retrieve just the subset of data that you need.
Using S3 Select
What are the reserved and unreserved concurrency limits of an AWS Lambda function? (For a newly created AWS account or one without any concurrency limit increases)
By default, an AWS account’s concurrent execution limit is 1000 which will be shared by all Lambda functions.
The maximum reserved concurrency is 900, because the unreserved account concurrency can't go below 100.
Database with autoscaling capabilities: RDS or DynamoDB
DynamoDB
Beyond Auto Scaling for Amazon EC2, you can use Application Auto Scaling to automatically scale resources for other AWS services, including:
- Amazon ECS
- Amazon EC2 Spot Fleets
- Amazon EMR clusters
- Amazon AppStream 2.0 stacks and fleets
- Amazon DynamoDB
In addition, you can migrate an existing Git repository to a CodeCommit repository as well. To migrate a project hosted on another Git repository to CodeCommit, you have to follow what sequence:
- Complete the initial setup required for CodeCommit.
- Create a CodeCommit repository.
- Clone the repository and push it to CodeCommit.
- View files in the CodeCommit repository.
- Share the CodeCommit repository with your team
True or False: It’s possible to enable scheduling on the AWS Console of your Lambda function
False
evaluates the policies that you choose and determines the effective permissions for each of the actions that you specify.
IAM Policy Simulator
an automated security assessment service that helps improve the security and compliance of applications deployed on AWS.
Amazon Inspector
a service that enables you to assess, audit, and evaluate the configurations of your AWS resources.
AWS Config
T/F: the update-application command will allow you to upload packages to Elastic Beanstalk.
false
When using server-side encryption with customer-provided encryption keys (SSE-C), you must provide encryption key information using the following request headers:
x-amz-server-side-encryption-customer-algorithm
x-amz-server-side-encryption-customer-key
x-amz-server-side-encryption-customer-key-MD5
This header specifies the encryption algorithm.
x-amz-server-side-encryption-customer-algorithm
This header provides the 256-bit, base64-encoded encryption key for Amazon S3 to use to encrypt or decrypt your data.
x-amz-server-side-encryption-customer-key
This header provides the base64-encoded 128-bit MD5 digest of the encryption key according to RFC 1321. Amazon S3 uses this header for a message integrity check to ensure the encryption key was transmitted without error.
x-amz-server-side-encryption-customer-key-MD5
What API gets the list of trace IDs of an app?
GetTraceSummaries
What API gets a list of traces?
BatchGetTraces
Container Instance IAM Role only applies if you are using the ___ launch type
EC2
You attach policies to ECS tasks via a) IAM roles or b) IAM Groups?
A, IAM Roles
is a software application that listens for traffic on UDP port 2000, gathers raw segment data, and relays it to the AWS X-Ray API.
The AWS X-Ray daemon
The daemon works in conjunction with the AWS X-Ray SDKs and must be running so that data sent by the SDKs can reach the X-Ray service.
In a _______ deployment configuration, the traffic will be shifted in equal increments with an equal number of minutes between each increment
Linear
Describe the envelope encryption process.
Encrypt plaintext data with a data key and then encrypt the data key with a top level plain text master key
True/False: A subnet can be associated with multiple route tables at once.
False, a subnet can only be associated with one route table at a time.
Amazon RDS _________
provide enhanced performance and durability for the database (DB) instances. This feature makes it easy to elastically scale out beyond the capacity constraints of a single DB instance for read-heavy database workloads.
Amazon RDS Read Replicas
A developer needs to configure the environment name, solution stack, and environment links of his application environment which will be hosted in Elastic Beanstalk. Which configuration file should the developer add in the source bundle to meet the above requirement?
env.yaml
env.config
cron.yaml
Dockerrun.aws.json
env.yaml
represent your application’s view of a downstream call as a client. If the downstream service is also instrumented, the segment that it sends replaces the inferred segment generated from the upstream client’s subsegment.
Subsegments
is a strategy to ensure that the client-side item that you are updating (or deleting) is the same as the item in DynamoDB. If you use this strategy, then your database writes are protected from being overwritten by the writes of others — and vice-versa. (type of locking)
Optimistic locking
type of locking can interrupt user operations. This is an approach where an entity is locked in the database for the entire time that it is in application memory (often in the form of an object). This can prevent certain users from reading, updating, or deleting an entry depending on the lock type.
pessimistic locking with read locking
For certificates in a Region supported by AWS Certificate Manager (ACM), it is recommended that you use ACM to provision, manage, and deploy your server certificates. In unsupported Regions, you must use ___ as a certificate manager.
IAM
If you got your certificate from a third-party CA, import the certificate into _____ or upload it to the ______ certificate store
ACM, IAM
Lambda integration that requires you to specify how the incoming request data is mapped to the integration request and how the resulting integration response data is mapped to the method response.
Lambda custom integration
The __________ integration type (AWS_PROXY) lets an API method be integrated with the Lambda function invocation action with a flexible, versatile, and streamlined integration setup.
Lambda proxy
For the integration timeout, the range is from ___ milliseconds to ___ seconds for all integration types, including Lambda, Lambda proxy, HTTP, HTTP proxy, and AWS integrations.
For the integration timeout, the range is from 50 milliseconds to 29 seconds for all integration types, including Lambda, Lambda proxy, HTTP, HTTP proxy, and AWS integrations.
It is recommended that you use the following pattern to encrypt data locally in your application:
- Use the ________ operation to get a data encryption key.
- Use the plaintext data key (returned in the ________ field of the response) to encrypt data locally, then erase the plaintext data key from memory.
- Store the encrypted data key (returned in the ________ field of the response) alongside the locally encrypted data.
1) GenerateDataKey
2) Plaintext
3) CiphertextBlob
True/False: To increase or decrease the capacity of a Kinesis stream, you can upgrade the EC2 instance type.
False. This will improve the processing time of data in the stream, but to affect capacity the stream must be resharded, i.e. by splitting or merging shards.
When you upload an object, Amazon S3 uses the encryption key you provide to apply AES-256 encryption to your data and removes the encryption key from memory. It is important to note that Amazon S3 does not store the encryption key you provide. Instead, it stores a randomly salted HMAC value of the encryption key in order to validate future requests.
The salted HMAC value cannot be used to derive the value of the encryption key or to decrypt the contents of the encrypted object. That means,
if you lose the encryption key, you lose the object
The ECS feature that provides you with expressions that you can use to group container instances by a specific attribute is
Cluster Query Language
For example, you can group container instances by attributes such as Availability Zone, instance type, or custom metadata. You can add custom metadata to your container instances, known as attributes. Each attribute has a name and an optional string value. You can use the built-in attributes provided by Amazon ECS or define custom attributes.
True/False: To implement a DLQ in Lambda, you must specify the ARN of the SQS queue in the Lambda function's DeadLetterConfig parameter.
True
True/False: CloudWatch Events service has the capability to track any new inserts or updates on the DynamoDB table
False. Although Amazon CloudWatch Events delivers a near real-time stream of system events that describe changes in Amazon Web Services (AWS) resources, it cannot provide tracking of the DynamoDB table's activities.
CodeDeploy provides two deployment type options:
In-place deployment
Blue/green deployment
True/False: Blue/green deployments work with on-premises computing platforms.
False.
True/False: All AWS Lambda compute platform deployments are blue/green deployments.
True
It is also important to note that the CodeDeploy agent is required only if you deploy to an EC2/On-Premises compute platform. The agent is not required for deployments that use what 2 compute platforms?
Amazon ECS or AWS Lambda
Including the x-amz-server-side-encryption header with a value of AES256 in your upload request is only applicable for
SSE-S3 and SSE-C.
To upload an object to the S3 bucket which uses SSE-KMS, you have to send a request with an x-amz-server-side-encryption header with the value of
aws:kms
To perform a multipart upload with encryption using an AWS Key Management Service (AWS KMS) customer master key (CMK), the requester must have permission to the _______ and _______ actions on the key.
kms:Decrypt and kms:GenerateDataKey
is helpful for troubleshooting your application, but it does not have the capability to track the memory and swap usage of the instance.
AWS X-Ray daemon
S3 Glacier retrieval option that allows you to access any of your archives within several hours. Standard retrievals typically complete within 3–5 hours. This is the default option.
Standard retrievals
allow you to quickly access your data when occasional urgent requests for a subset of archives are required. Expedited retrievals are typically made available within 1–5 minutes.
Expedited retrievals
are Glacier’s lowest-cost retrieval option, which you can use to retrieve large amounts, even petabytes, of data inexpensively in a day. Bulk retrievals typically complete within 5–12 hours.
Bulk retrievals
let you postpone the delivery of new messages to a queue for a number of seconds.
Delay Queues
If you create a delay queue, any messages that you send to the queue remain invisible to consumers for the duration of the delay period. The default (minimum) delay for a queue is 0 seconds. The maximum is 15 minutes.
Delay Queues vs Visibility Timeouts
Delay queues are similar to visibility timeouts because both features make messages unavailable to consumers for a specific period of time. The difference between the two is that, for delay queues, a message is hidden when it is first added to queue, whereas for visibility timeouts a message is hidden only after it is consumed from the queue.
Monitor the CacheHitCount and CacheMissCount metrics to optimize cache capacities to achieve a desired performance.
________________ tracks the number of requests served from the backend in a given period, when API caching is enabled. On the other hand, ________________ tracks the number of requests served from the API cache in a given period.
CacheMissCount, CacheHitCount
automates the process of keeping your Amazon EC2 and hybrid infrastructure in a state that you define.
Systems Manager State Manager service
helps consume and process data from a Kinesis data stream by handling shard-to-worker relationships.
The KCL
safe threshold for a visibility timeout
max time that it takes app to process and delete a message from the queue
Symmetric or asymmetric keys: SSE-C
Symmetric
Symmetric or asymmetric keys: SSE-KMS
symmetric
Symmetric or asymmetric keys: S3 managed encryption keys
symmetric
Client-side encryption with customer-managed encryption keys allows you to select what type of keys (symmetric/asymmetric)?
both
The CodeBuild buildspec.yml file and the CodeDeploy appspec.yml file should be in the ____.
root of the source directory
What can you use to circumvent the 50 MB deployment package size limit for Lambda?
Upload the deployment package to S3 and reference it using the --code CLI parameter.
can store and distribute credentials programmatically from a central and secure datastore.
can also automatically rotate the secrets according to a specified schedule.
Secrets Manager
-provides secure, hierarchical storage for configuration data management and secrets management.
-can store data, including passwords, database strings, Amazon Machine Image (AMI) IDs, and license codes as parameter values.
-does not support automatic rotation of credentials
Parameter Store
True/False: A Lambda alias does not give you the ability to modify the function configuration. And you cannot create environment variables for the function alias.
True. An alias is a reference to a Lambda function version or a weighted route between multiple versions.
is a fully managed artifact repository service compatible with package managers. It is mainly used by companies to address security concerns by storing approved artifacts within an AWS account.
-would have a negligible effect on performance when compared to caching.
CodeArtifact
A DynamoDB table that is keyed by S3 object key, label, and user would allow you to store every unique label combination for every object for every user. The global secondary index that is keyed by user and label provides an alternate organization for fast lookup performance. The key values in a global secondary index do not need to be unique.
What API can quickly look up all items for a user, including all labels and all S3 objects for each label?
QueryItem
Access or Trust Policy related error:
AccessDenied – Not authorized to perform sts:AssumeRoleWithWebIdentity
Trust
You must use the ____ associate-kms-key or the create-log-group API call to encrypt Cloud Watch log groups.
AWS CLI (not the console)
To create a Lambda function, you first create a Lambda function deployment package. This package is a
.zip or .jar file consisting of your code and any dependencies.
True/False: VPC Flow Logs help identify the cause of latency or find performance bottlenecks.
False
X-Ray gives you the ability to trace latency issues with your API Gateway APIs. X-Ray provides an end-to-end view of requests as they travel through your application. X-Ray can be used to trace and analyze user requests. These collected traces give you the ability to evaluate the end-to-end latency and identify performance bottlenecks.
API caching in API Gateway improves performance by
reducing the number of requests that are sent to your endpoint service.