PP ET Flashcards
In Elastic Beanstalk, how would you change from using a micro to large instance to handle more requests?
create a NEW config file with the instance type set to large
In Elastic Beanstalk, name the 2 times you can set configuration options?
- when you create your environment
- save the configuration options in a configuration file
In Elastic Beanstalk, what happens if the same value is set in multiple locations?
The value used depends on order of precedence (highest -> lowest)
- settings specified during a create/update environment API
- settings loaded from a saved configuration.
- settings loaded from configuration files in the .ebextensions folder
- settings loaded as default value
What do we know about Elastic Beanstalk config files?
Settings aren’t applied directly to the environment and you need to deploy a new version with updated config to implement changes
What does resource: AWS::Serverless:Application in the SAM template do?
It embeds nested apps from S3 buckets in
It uses nested stacks in Cloud Formation to do this
What would you use if you want to update and persist in one transaction & roll back if update fails
Use Transact* operation in DynamoDB that lets you group multiple operations into 1 transaction that rolls back if 1 fails
Users are seeing 5XXX response error codes at irregular intervals when they are using a Java app that makes API requests directly to AWS.
How would you update the app to improve resilliancy?
Use the AWS SDK for Java to interact with AWS APIs because:
- Automatic retries (if 5XXX error)
- Exponential back off (waits between retries)
- Abstracts complexities of APIs
A company is using Cloud Front distribution to store their data in US region.
How would the company launch an app in the UK that stores data in the UK, without deploying a specific mobile client for the UK?
- Create a Lambda@Edge function
- Associate the Lambda@Edge function with origin request trigger
What is Lambda@Edge function?
Allows you to run code on Cloud Front edge locations (close to users globally) in response to Cloud Front events.
What is an origin request trigger?
An event that happens before Cloud Front sends a request to the origin
A developer is using SAM LOCAL CLI to test a Lambda function.
The app implemented by the lambda function makes several API calls using the SDK.
How would you allow the function to make API calls in a test AWS account from a developers laptop?
Add a test profile by using the aws configure command with the –profile option. Run AWS SAM by using the sam local invoke command with the –profile option.
Name 2 ways to make API requests from an EC2 instance to an S3 bucket secure?
- Create an IAM role with permissions to the S3 bucket
- Add the IAM role to the instance profile and attach the instance profile to an EC2 instance
What is an instance profile?
a container for an IAM role (can use to pass role info)
Cloud Front is being configured to encrypt data in transit.
You are running an app in the EU region.
A new ACM is created in the EU region (the same region the app is running)
But these settings are not visible to Cloud Front.
How would you make these settings visible to Cloud Front?
- ACM must be created in the SAME region as Cloud Front
- CNAME in Cloud Front must be the same as the domain name in the certificate
Users login with Facebook to your app that’s using an Application Load Balancer with Cloud Front.
How would you authenticate users?
Configure Cognito integration with the Application Load Balancer
What does a function need to do if it wants to determine whether they are running on a GPU instance?
Retrieve the instance type from the instance meta data:
curl http://169.254.169.254/latest/meta-data/instance-type
An app uses MFA and cognito user pools.
What is the most efficient way to send a login notification activity every time a user logs in?
Use a cognito post-authentication trigger that calls a Lambda function to send an email notification via SES that a user has logged in
What does SES stand for?
Simple Email Service
What is a post-authentication Lambda trigger?
Only invokes lambda after user authorised
A company has a 3 tier web app behind Cloud Front distribution
How would a developer monitor the error rates and anomalies of the Cloud Front distribution with the shortest possible interval?
- Activate real time logs (Cloud Front distribution)
- Create a stream (Kinesis Data Stream)
- Configure Kinesis Streams to deliver logs to Open Search Service (Elastic Search Service)
- Create a dashboard (OpenSearch in Kibana)
What service would you use to store SNS messages that were not able to be delivered?
SQS (dead letter queue)
An app has 1 Docker image that is built and pushed to a public Docker registry.
How would you deploy it on Elastic Beanstalk?
Create a docker-compose.yml file and use the Elastic Beanstalk CLI to deploy the app
In a three tier app, how would you decouple a RDS DB instance from the Elastic Beanstalk environment?
Create a new Elastic Beanstalk environment (that connects to the DB instance) and create a new DB instance (from a snapshot of the old DB instance)
An API Gateway endpoint exposes a Lambda function that processes and stores a clothing stores online transactions.
The number of transactions rapidly increases throughout the day and almost no transactions at night.
What is the cheapest way to increase the elasticity of the system>
Migrate from RDS to Aurora SQL and use an auto scaling policy to scale read replicas based on the number of database connections
(can have up to 15 read replicas)
What is the most secure way to configure Lambda function access to DynamoDB table?
Create an IAM policy (that allows access to the DynamoDB table (and attach this policy to the Lambda function’s IAM role)
What user authorisation and authentication would you implement for a web app hosted on an EC2 instance to ensure that their credentials are encrypted and secure in transit and at rest?
Use Amazon Cognito (to configure a user pool) and the Cognito API (to authenticate and authorise users)
What is the fastest way to create a custom IAM policy that only provides permissions to the builds and deployment in the last 3 months?
Create a new IAM policy based on the services that the build server deployed or updated in the last 3 months
What do you need to do to be able to write Cloud Formation template locally and deploy a Cloud Formation Stack to AWS?
Install AWS CLI
Configure the CLI using IAM user access key and secret key
How do you integrate API Gateway with a Lambda function?
Use Lambda Proxy Integration
What is the run order of hooking AWS Code Deploy?
Application Stop
Before Install
After Install
Application Start
Validate Service
There are many different versions of a Lambda function.
How would a developer map the Lambda function to a different S3 version each time?
Assign an alias to each version of the Lambda function and link the S3 trigger to the alias
If you want to change the version of Lambda triggered by s3, edit the alias
How would you investigate slow response times coming from API calls in API gateway in a company?
You would think cloud trail, but XRAY used to identify
Ways to reliably serve SESSION DATA reliably across requests?
ElastiCache
Sticky Sessions (route site server to particular web server)
How would you implement a caching layer in front of the database with content that is encrypted and highly available?
Elasticache for Redis in Cluster mode because it encrypts data and has multiple nodes making it highly available
How would you prepare a CloudFormation template with a Lambda function so it can be deployed using the CLI command ‘aws cloudformation deploy’?
Use a Cloud Formation package to upload the source code to an S3 bucket and produce a modified CloudFormation template
How do you update the Elastic Beanstalk Environment with developers changes?
Upload .zip file and deploy
Create a new app from the .zip and update the environment
How would you capture the client IP addresses in a log file when running an app behind an Application Load Balancer?
Add an X-Forwarded-For header to the HTTP server log configuration file because it contains the original IP address of the client who made the request
How would you push code to a serverless app and not need update the API Gateway target endpoint each time?
Create aliases and versions in Lambda
App is running on Fargate using ECS, how would you pass environment variables to the container?
In the task definition, define the environment parameter as an array of environment variables
What is the write through approach to caching
cache and db are written to / updated simultaneously so db is in sync
What is the cache-aside / lazy loading approach to caching?
cache is updated on cache misses
How would you make an on-premises stateful web app more elastic?
Store session state data in a DynamoDB table
and
Use an ELB with an auto scaling group
How would you use Cloud Watch on a legacy on-premises app?
Download the Cloud Watch agent to the on-premises server and use an IAM user with Cloud Watch credentials
How would you reduce the size of Lambda deployment packages that use a Python library?
Create a Lambda layer (which manages code and data shared across multiple lambda functions) with the Python library,
This Lambda Layer reduces duplication and makes it easy to share Lambda function across libraries
Name 3 benefits of Lambda Layers?
Reduce deployment package size, reuses code, easier to maintain
How would you allow a client app securely upload videos to an S3 bucket?
Create a new API endpoint to generate signed URLs that allow objects to be uploaded to an S3 bucket and use this API to generate a presigned URL in the client app and upload videos via the signed URL
What is the easiest way to reduce the time taken to read data from a DynamoDB database?
Use DynamoDB Accelerator (DAX) to cache the data
What is the best API for getting AGGREGATED data from DynamoDB and OpenSearch
You might think REST API on API Gateway, but that might need to make multiple requests to get AGGREGATED data
GraphQL API on AWS AppSync is a better option because it can get the AGGREGATED data in one call
How would you encrypt lambda function data before sending it downstream?
You might think to use KMS GenerateDataKey API to get an encryption key along with the encrypted copy, but here we don’t need plain text key.
So the answer would be pass the data to KMS as part of the Encrypt API for encryption because it encrypts the data only
How would you reference the value of a password stored in Secrets Manager in a Cloud Formation template?
Use the secrets manager dynamic reference by specifying the appropriate reference-key segment
What is strongly consistent read?
Most recent version guaranteed
How do you calculate the read capacity units (RCU) for a strongly consistent read?
Scenario: size 5kb, 100 items per second
RCU is 1 read per second for a size up to 4KB
Round 5kb up to the closest 4kb = 8KB so we have 2 RCUs per item
RCUS * items per second
2 * 100 = 200
Why are no logs being generated in Cloud Watch even a few minutes after a Lambda ran?
The execution role for the Lambda function is missing permissions to write log data to the CloudWatch Logs.
An IAM user has permission to write to a s3 bucket.
The bucket uses SSE-KMS encryption.
When an app uses the access key and secret key of the IAM user to call the putObject API there is an access denied error. How would you fix it?
The access denied error in this case is likely due to the IAM user lacking the necessary permissions for server-side encryption with AWS KMS (SSE-KMS). To resolve this issue, the developer should update the policy of the IAM user to allow the kms:GenerateDataKey action
What type of encryption do you use to manage keys on premsise and s3 encrypts it?
SSE-C
server side encryption customer provided keys
What is the benefit of intialising the SDK outside of the Lambda handler function?
It can be reused each time which reduces the overhead of creating a new SDK instance for each time the Lambda is invoked
How do you authenticate with AWS services from within an ECS?
Configure an IAM role to be assigned to an ECS task
How do you increase the number of messages an SQS queue can receive?
Call the ReceiveMessage API and set MaxNumberOfMessages
How would you enrich data you stream from Kinesis Data Firehose by combining it with data from DynamoDB before storing it in S3?
Use a Lambda function to transform the data from Kinesis Data Firehose before storing it in S3
Which Amazon Cognito feature will only enforce MFA when suspicious sign-in attempts are detected?
Adaptive authentication (sets rules / policies to conduct risk analysis based on user devices, locations and behaviour)
What 2 steps should you follow for an app running on an EC2 server that handles AWS activity to allow for more flexibility during peak times while still remaining cost-effective when
Implement an Amazon SQS queue to decouple the front-end and backend servers
and
Migrate the backend servers to on-premises and pull from an Amazon SNS queue.
What is a global secondary index?
An index with a primary key different to the table’s primary key
The company’s critical application on AWS, using Amazon API Gateway and AWS Lambda, faces HTTP 500 errors due to “too many connections” in the associated Amazon RDS for MySQL DB instance during unpredictable peak usage. To ensure application resilience with minimal downtime, the company must choose an appropriate solution
Use Amazon RDS Proxy to create a proxy that connects to the DB instance. Update the Lambda function to connect to the proxy. Most Voted
A company has a web application that is deployed on AWS. The application uses an Amazon API Gateway API and an AWS Lambda function as its backend.
The application recently demonstrated unexpected behavior. A developer examines the Lambda function code, finds an error, and modifies the code to resolve the problem. Before deploying the change to production, the developer needs to run tests to validate that the application operates properly.
The application has only a production environment available. The developer must create a new development environment to test the code changes. The developer must also prevent other developers from overwriting these changes during the test cycle.
Which combination of steps will meet these requirements with the LEAST development effort? (Choose two.)
change the lambda function.
update the API gateway to use the updated lambda function & deploy it into another(new) stage. so that developers can use the newly deployed API endpoin
How do you determine the region a Cloud Formation template is deployed
Use the AWS::Region pseudo parameter
