PP ET NEW Flashcards

1
Q

How would you securely store and retrieve different types of variables across different environments in Amazon ECS?

A

AWS Systems Manager Parameter Store (stores environment path)

AWS Secrets Manager (stores credentials)

2
Q

What is an S3 Object Lambda access point?

A

A way to use a Lambda function to modify the content of S3 objects on the fly

For example, return an object with or without the header depending on who makes the GET request

3
Q

How would you use SNS to notify a team if a metric goes above a 5% threshold?

A

Publish failure data to CloudWatch and configure an alarm that notifies the existing SNS topic when the error rate exceeds the specified rate.

4
Q

How would you avoid accidental database deletion in the future when using AWS CloudFormation?

A

Add a CloudFormation Deletion Policy attribute with the Retain value to the database resource

Update the CloudFormation stack policy to prevent updates to the database

5
Q

How would you enforce encryption in transit for requests to retrieve data from the S3 bucket?

A

Define a resource-based policy on the S3 bucket

Deny access when a request meets the condition `"aws:SecureTransport": "false"`

6
Q

What is the cheapest way to securely manage one-time fixed license keys that need to be accessed by automation scripts running in Amazon EC2 instances and an AWS CloudFormation stack?

A

AWS Systems Manager Parameter Store SecureString parameters

7
Q

How would you troubleshoot issues with API Gateway timeouts using CloudWatch?

A

IntegrationLatency (if high, the API is taking a long time to interact with Lambda)

Latency (time for the API to process the request)

8
Q

How would you store and retrieve an access token that needs to be encrypted at rest and in transit, and accessible from other AWS accounts with the least management overhead?

A

Use Secrets Manager with an AWS KMS customer managed key

Resource-based policy (allows cross-account access)

IAM role of the EC2 instances (permission to get the token from Secrets Manager)

9
Q

How would you collect all the lifecycle events of EC2 instances from multiple AWS accounts and store them in a single Amazon SQS queue in the main AWS account?

A

An EventBridge rule that sends all EC2 lifecycle events to the main event bus, with the SQS queue set as the target

10
Q

How would you increase the resiliency of the application when the batch response includes values in UnprocessedKeys?

A
  • Retry the batch operation with exponential backoff and randomized delay to stop overwhelming DynamoDB with repeated requests
  • Update the application to use an AWS SDK to make requests, because it has built-in error handling and retries
10
Q

What is Secrets Manager for?

A

Storing sensitive information

10
Q

How would you return a document from S3 with or without a header, if you only store one copy of the document?

A

Create an S3 Object Lambda access point from the S3 console.

Call a function that removes the header

Use S3 Access Points to access the object without the header

10
Q

What are you defining access to in Effect/Action/Resource permission statements?

A

Objects in buckets

10
Q

How would you extend an app to run in the destination region and make sure the AMIs are encrypted in all regions?

A
  • Create AMIs with encryption parameters
  • Copy the AMIs to the destination regions.
  • Delete the unencrypted AMIs.
10
Q

How would you configure the custom domain for an API Gateway REST API that uses CloudFront and a custom domain name with an SSL/TLS certificate from a third-party provider?

A

Import the SSL/TLS certificate into ACM (in the same Region as the API)

Create a DNS CNAME record for the custom domain (that points to the API Gateway CloudFront distribution)

11
Q

How would you avoid accidental deletion of a database when deploying an app using a CloudFormation template?

A

Add a CloudFormation DeletionPolicy attribute (Retain on the database resource) and update the CloudFormation stack policy (prevent updates to the database)

11
Q

How would you ensure an app on an EC2 instance can list objects from S3?

A

Update the IAM instance profile that is attached to the EC2 instance to include the s3:ListBucket permission for the S3 bucket

12
Q

You need to create a Lambda function that will retrieve data from an Aurora database that is in a private subnet in the company's VPC, called VPC1.

How would the Lambda function access the data securely?

A

Create the Lambda function

Configure VPC1 access for the function.

Assign a security group (SG1) to the Lambda function and assign a security group (SG2) to the database.

Add an inbound rule to SG1 to allow TCP traffic from Port 3306.

13
Q

How would you log key events with a unique identifier associated with a specific Lambda function invocation?

A

Get the AWS request ID from the context object

Configure the application to write logs to standard output.

14
Q

How would a developer reduce the time before an EC2 instance becomes available, while making sure that the most recent version of the app is deployed on the EC2 instance, all updates are installed, and the number of images created is minimised?

A
  • Use EC2 Image Builder to create an AMI.
  • Install the latest version of the app and all the patches and agents needed to manage and run the application.
  • Update the Auto Scaling group launch configuration to use the AMI.

Set up AWS CodeDeploy to deploy the most recent version of the application at runtime.

15
Q

For an API Gateway app how would you simulate different backend responses without invoking the actual backend service and with the least operational overhead?

A

Use a request mapping template to select the mock integration response.

Mock integration means you can define responses in API Gateway without calling the backend

16
Q

How would you analyse an image before pushing it to an EKS cluster?

A
  • Add a deployment action to the pipeline
  • Configure ECR image scanning on push
  • Lambda function to check the results and fail the pipeline if issues are found
17
Q

How would you add end-to-end testing to Amplify?

A

Add a test phase to the amplify.yml build settings for the app

18
Q

How would you implement a web app that receives customer requests, generates reports that can be greater than 1B within 1 hour, makes them available for 8 hours, and deletes reports older than 2 days?

A

S3 bucket (to handle messages greater than 1B)

Generate a presigned URL that contains an expiration date

Provide the URL to customers through the web application.

Add S3 Lifecycle configuration rules to the S3 bucket to delete old reports

19
Q

How would you ensure that a Lambda function can securely access the DB cluster without crossing the public internet?

A

Configure the VPC, subnets, and a security group for the Lambda functions.

  • Lambda and DB in the same VPC
  • Lambda in a private subnet in the VPC
  • Security groups: one for the Lambda function that allows outbound traffic to the DB cluster, and one for the DB cluster that allows inbound traffic from the Lambda function
20
Q

How would you dynamically pass a table name to a Lambda function?

A

Create a Lambda environment variable to store the table name. Use the standard method for the programming language to retrieve the variable.

21
Q

An app uses ECR, EKS and Code Pipeline.

How would a developer harden the container images?

A
  • Add a CodePipeline stage (after the container image is built, but before it is pushed to ECR)
  • Configure **ECR image scanning** (when the image is pushed)
  • Lambda in the pipeline to fail it if an issue is detected
22
Q

In the context of a WebSocket API, which API in your backend service sends a message to the connected client to get info or disconnect the client?

A

@Connections API

23
Q

How do you handle connect and disconnect events in WebSocket APIs?

A

$connect and $disconnect

24
Q

You need to test an app hosted on EC2 instances in an Auto Scaling group (which acts as a target for the ALB) and uses an S3 bucket to store images

How can you do this with the least effort?

A
  1. Configure a new environment (new ALB and Auto Scaling group)
  2. Configure alternate Route 53 record

Doesn't involve complex conditional routing or services like CloudFront or Lambda@Edge

25
Q

How would you troubleshoot an EC2 instance not able to access an S3 bucket?

A
  1. Check that the IAM policy attached to the EC2 instances grants access to S3
  2. Check the bucket policy to validate access permissions for the S3 bucket
26
Q

What does the AWS::Region pseudo parameter do?

A

Determines the Region in which the template is deployed

27
Q

How do you connect Lambda functions to an SQL instance?

A
  1. Create the Lambda functions in the VPC
    (attach the AWSLambdaVPCAccessExecutionRole policy to the Lambda execution role)
  2. Security group configuration
    (modify the RDS security group to allow inbound access from the Lambda security group)
28
Q

How do you encrypt S3 data in transit?

A

Add a bucket policy
(deny S3 actions if the connection is not secure: aws:SecureTransport condition equals false)

29
Q

How do you fix “too many connections” error?

A
  • Initialise the database connection outside of the handler function
  • Increase the max user connections value on the parameter group of the DB cluster
  • Restart the DB cluster
30
Q

What does Macie do?

A

Uses ML to identify security breaches

31
Q

How would an app identify users who have already created an account and keep track of the number of guests who eventually create an account?

A

Create 2 roles: one for authorised users and one for unauthorised users

Create a Cognito pool that allows unauthenticated users to use temporary credentials that let them assume a role

32
Q

How would you process an image and send email notifications?

A
  • Create an SNS topic
  • Configure S3 event notifications with a destination of the SNS topic
  • Subscribe the Lambda function to the SNS topic
  • Create an email notification subscription to the topic
33
Q

How would you store the session state of an e-commerce web app that must be fault tolerant, natively highly scalable and service interruption shouldn’t affect the user experience?

A

ElastiCache

34
Q

A company moved some of its secure files to a private Amazon S3 bucket that has no public access. The company wants to develop a serverless application that gives its employees the ability to log in and securely share the files with other users.

Which AWS feature should the company use to share and access the files securely?

A

Cognito Identity Pools (authentication)

Not S3 presigned URLs, because those are better suited to granting temporary access to individual objects

35
Q

How to gather info on memory performance issues of an Elastic Beanstalk app if it is not tracking memory?

A

Configure a CloudWatch agent to track the memory usage of the instances

36
Q

2 ways to troubleshoot a Lambda function used by API Gateway:

A

  1. Aliases (quick fix)
  2. Versioning (long term)

37
Q

What does the X-Forwarded-For header on an ALB show?

A

Client IP addresses

38
Q

What is the least operational overhead for storing reports > 1MB that need to be deleted after 2 days?

A

Generate and store the reports with S3 encryption, share them via a presigned URL with an expiration, and automate report deletion with an S3 Lifecycle rule

39
Q

How would you migrate a monolithic app to Lambda?

A

Configure the VPC, subnets and a security group for the Lambda functions

40
Q

How do you efficiently analyse container images on a CI/CD pipeline?

A

Add a post-build CodePipeline stage, enable **ECR basic image scanning** to happen on image push, and add a Lambda function to fail the pipeline if issues are found

41
Q

How to allow unauthenticated access to the login page while keeping private content secure?

A
  • Add a second cache behaviour to the distribution (with the same origin as the default cache behaviour)
  • Set the path pattern of the second cache behaviour to the login page path and make viewer access unrestricted
  • Keep the default cache behaviour unchanged
42
Q

How to manage credentials with the LEAST AMOUNT OF OVERHEAD?

A

AWS Secrets Manager to store the credentials

Use an AWS KMS key to encrypt the secret

Use the secret from Secrets Manager in the Lambda function to connect to the database

43
Q

How to test API Gateway simulating the backend service without invoking the backend service?

A

Use mock integration

44
Q

How do you create a secure Lambda function that fetches data from an Aurora DB in a private subnet (VPC1)?

A

Configure the Lambda function to run within the same VPC as the Aurora DB

Configure the security group

45
Q

How to use CloudFront and a custom domain with an SSL/TLS certificate from a third-party provider?

A

Import the SSL/TLS certificate into ACM and create a DNS CNAME record for the custom domain

46
Q

How to copy an AMI to another Region?

A

Create a new AMI, specify the encryption parameters, copy the encrypted AMIs to the destination Region, and delete the unencrypted AMIs