Questions from Exam Pro & Topics Flashcards
How to Prevent Uploads of Unencrypted Objects to Amazon S3
A bucket policy that denies s3:PutObject unless the request carries the x-amz-server-side-encryption header with the value AES256 (server-side encryption with S3-managed keys, SSE-S3) or aws:kms (server-side encryption with AWS KMS keys, SSE-KMS). The documented policy has two Deny statements: a StringNotEquals condition on s3:x-amz-server-side-encryption for requests that send some other value, and a Null condition for requests that omit the header altogether.
Condition key: s3:x-amz-server-side-encryption (populated from the x-amz-server-side-encryption request header)
Caveat: since January 2023 S3 applies SSE-S3 to every new object by default, so a request without the header no longer stores plaintext. The policy is still useful to force SSE-KMS (allow only aws:kms) or to reject clients that would otherwise rely on the default.
The release process workflow of an application requires a manual approval before the code is deployed. What can you set up?
A manual approval action in a stage of the AWS CodePipeline pipeline. The pipeline pauses at that action until an authorized user approves or rejects it (an SNS topic can notify the approvers).
Amazon API Gateway now supports importing ___ ___ ___. This allows you to easily create and deploy new APIs as well as update existing APIs in Amazon API Gateway.
Swagger (OpenAPI 2.0) and OpenAPI 3.0 API definitions. AWS-specific settings that a plain OpenAPI document cannot express, such as the backend integration of each operation, are added through x-amazon-apigateway-* extensions.
Example OpenAPI 3.0 definition (reconstructed from the garbled snippet; the placeholder descriptions are kept as they were):
openapi: 3.0.0
info:
  title: Sample API
  description: x
  version: 0.1.9
servers:
  - url: http://api.example.com/v1
    description: x
  - url: http://staging-api.example.com
    description: x
paths:
  /users:
    get:
      summary: x
      description: y
      responses:
        '200':    # status code
          description: x
          content:
            application/json:
              schema: {}    # the source snippet ends here
AWS Serverless Application Model (AWS SAM) Supports Inline ___
- Swagger: the API definition can be written inline in the template (DefinitionBody of AWS::Serverless::Api) instead of being referenced with DefinitionUri.
- Use intrinsic functions to specify URIs: CodeUri and DefinitionUri accept Amazon S3 objects with a Bucket, Key and Version, so you can use intrinsic functions to dynamically specify the location of your code or Swagger file.
What does the client have to do to invalidate the cache in API Gateway?
The client must send the request with a Cache-Control: max-age=0 header.
API Gateway honours the header only if the caller is authorized to invalidate the cache (an IAM policy granting execute-api:InvalidateCache on the resource). What happens to unauthorized callers is controlled by the stage's "Handle unauthorized requests for cache invalidation" setting: fail the request with 403, ignore the header and add a warning header, or ignore the header silently. When the header is honoured, the client receives the response directly from the integration endpoint instead of the cache, and that fresh response replaces the existing cache entry.
What S3 bucket policy should I use to comply with the AWS Config rule s3-bucket-ssl-requests-only?
By default, Amazon S3 allows both HTTP and HTTPS requests. To comply with the s3-bucket-ssl-requests-only rule, confirm that your bucket policy explicitly denies HTTP requests. A bucket policy that only allows HTTPS requests, without explicitly denying HTTP requests, might not comply with the rule.
To tell HTTP from HTTPS requests in a bucket policy, use a condition on the key aws:SecureTransport. When this key is true, the request was sent over HTTPS. To comply with the s3-bucket-ssl-requests-only rule, create a Deny statement with the condition "Bool": {"aws:SecureTransport": "false"} for all s3:* actions, with both the bucket ARN and the bucket/* object ARN as resources. This policy explicitly denies every request sent over plain HTTP.
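The two policies above (require server-side encryption on PutObject; require TLS on every request) share the same evaluation mechanics, so here is one added example that is not part of the flashcards: the two policy documents as Python dicts, plus a deliberately small evaluator that checks which Deny statement, if any, catches a given request. The bucket name, object key and request contexts are constructed; the evaluator only implements the condition operators these policies use and is not a substitute for the IAM policy simulator.

```python
"""Toy evaluator for the two S3 bucket-policy patterns above: require server-side
encryption on PutObject, and require TLS (aws:SecureTransport) on every request.

Added example. The two policies mirror the AWS-documented ones; the evaluator is a
deliberate simplification of IAM logic (an explicit Deny wins, everything else is
treated as allowed) and only implements the condition operators these policies use.
"""
from fnmatch import fnmatchcase

BUCKET_ARN = "arn:aws:s3:::example-bucket"          # constructed bucket name
OBJECT_ARN = BUCKET_ARN + "/reports/2024.csv"        # constructed object key

REQUIRE_SSE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # header present but with a value other than SSE-S3 / SSE-KMS
            "Sid": "DenyIncorrectEncryptionHeader",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": BUCKET_ARN + "/*",
            "Condition": {"StringNotEquals": {
                "s3:x-amz-server-side-encryption": ["AES256", "aws:kms"]}},
        },
        {   # header missing entirely: Null=true matches when the key is absent
            "Sid": "DenyUnEncryptedObjectUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": BUCKET_ARN + "/*",
            "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
        },
    ],
}

SSL_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # covers both bucket-level (ListBucket) and object-level actions
            "Sid": "AllowSSLRequestsOnly",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        }
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, ctx):
    """ctx maps condition keys (e.g. 'aws:SecureTransport') to their request values."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            wanted = [str(v) for v in _as_list(expected)]
            present = key in ctx
            if operator == "Null":
                # "true" => match only when the key is absent; "false" => only when present
                if present == (wanted[0].lower() == "true"):
                    return False
            elif operator == "StringEquals":
                if not present or ctx[key] not in wanted:
                    return False
            elif operator == "StringNotEquals":
                # this toy treats an absent key as "no match", which is exactly why
                # the published policy carries the separate Null statement
                if not present or ctx[key] in wanted:
                    return False
            elif operator == "Bool":
                if not present or str(ctx[key]).lower() != wanted[0].lower():
                    return False
            else:
                raise ValueError(f"operator not supported by this toy evaluator: {operator}")
    return True


def denying_statement(policy, action, resource, ctx):
    """Return the Sid of the first explicit Deny that applies, or None if the request passes."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(fnmatchcase(action, pat) for pat in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, pat) for pat in _as_list(stmt["Resource"])):
            continue
        if _condition_matches(stmt.get("Condition", {}), ctx):
            return stmt["Sid"]
    return None


def put_object_context(sse_header=None, https=True):
    """Build the request context S3 would evaluate for a PutObject call."""
    ctx = {"aws:SecureTransport": "true" if https else "false"}
    if sse_header is not None:
        ctx["s3:x-amz-server-side-encryption"] = sse_header
    return ctx
```

Before relying on a real policy, run the same cases through the IAM policy simulator: an unencrypted PUT, a PUT with each accepted header value, a PUT with a wrong value, and a ListBucket over plain HTTP.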
If you have 4 ECS services and each one needs specific permissions, what do you have to do?
Create four distinct IAM roles, each with only the permissions its service needs, and reference each one as the task role (taskRoleArn) in the corresponding ECS task definition. The task role is what the containers' code assumes; it is separate from the task execution role (used by ECS itself to pull images and write logs) and from the container instance role, so none of the four services can reach the others' permissions.
What code changes do I need to make to my application to use X-Ray?
For AWS Lambda, none beyond enabling active tracing on the function. For applications running on other AWS services, such as EC2 or ECS, run the X-Ray daemon alongside the application and instrument the code with the X-Ray SDK (record incoming requests as segments, and patch the AWS SDK and HTTP clients so downstream calls become subsegments).
A Developer must minimize the time between a message's arrival in the queue and the dashboard update.
OK: Retrieve the messages from the queue using long polling (ReceiveMessage with WaitTimeSeconds=20). The call returns as soon as a message arrives, and only waits the full 20 seconds when the queue is empty.
NOK: Retrieve the messages using short polling every 10 seconds. Short polling returns immediately and samples only a subset of the queue's servers (so it may return empty even when messages exist); sleeping 10 seconds between calls only adds latency.
The maximum long polling wait time is 20 seconds.
A social media company is using Amazon Cognito to synchronize profiles across different mobile devices, so that end users have a seamless experience.
Which of the following configurations can be used to silently notify users whenever an update is available on all other devices?
Push sync. Amazon Cognito Sync is an AWS service and client library that enables cross-device syncing of application-related user data. You can use it to synchronize user profile data across mobile devices and the web without requiring your own backend. The client libraries cache data locally so your app can read and write data regardless of device connectivity status. When the device is online, you can synchronize data, and if you set up push sync (Cognito Sync publishing through an Amazon SNS platform application), the other devices are notified immediately that an update is available. Note that AWS now recommends AWS AppSync for new applications that need this kind of synchronization.
What are the top caching strategies?
Cache-aside (lazy loading): the application checks the cache first; on a miss it reads from the database and then writes the value into the cache itself. The database never talks to the cache.
Read-through: the application only ever reads from the cache; on a miss the cache itself loads the value from the database, stores it and returns it. In both strategies writes must invalidate or refresh the cached entry, or readers keep seeing stale data.
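Added example (not part of the flashcards) showing the two strategies side by side on a counting fake database, so it is visible who fills the cache on a miss. The tenant-scoped cache key is an assumption added to make a security point: a cache keyed by a user-supplied identifier alone lets one tenant read another tenant's cached rows.

```python
"""Cache-aside versus read-through on the same backing store.

Added example (not from the page). FakeDb counts reads so the difference in *who*
populates the cache is visible; tenant-scoped keys are an assumption used here to
show why cache keys must never be built from user input alone.
"""


class FakeDb:
    """Stand-in database: rows keyed by (tenant, key), with a read counter."""

    def __init__(self, rows):
        self.rows = dict(rows)
        self.reads = 0

    def get(self, tenant, key):
        self.reads += 1
        return self.rows.get((tenant, key))


def cache_key(tenant, key):
    """Scope every entry to its tenant so tenant A can never read tenant B's cached row."""
    return f"{tenant}:{key}"


class CacheAside:
    """The application talks to both tiers: read cache, on a miss read the DB and
    write the result into the cache itself. Writes go to the DB and invalidate."""

    def __init__(self, db, cache=None):
        self.db = db
        self.cache = {} if cache is None else cache

    def get(self, tenant, key):
        ck = cache_key(tenant, key)
        if ck in self.cache:
            return self.cache[ck]
        value = self.db.get(tenant, key)
        if value is not None:          # don't cache misses unless negative caching is intended
            self.cache[ck] = value
        return value

    def update(self, tenant, key, value):
        self.db.rows[(tenant, key)] = value
        self.cache.pop(cache_key(tenant, key), None)   # next read repopulates from the DB


class ReadThroughCache:
    """The cache owns the loader; the application only ever calls get() on the cache
    and never touches the DB for reads."""

    def __init__(self, loader):
        self.loader = loader
        self.store = {}
        self.misses = 0

    def get(self, tenant, key):
        ck = cache_key(tenant, key)
        if ck not in self.store:
            self.misses += 1
            self.store[ck] = self.loader(tenant, key)   # the cache, not the app, fills itself
        return self.store[ck]

    def invalidate(self, tenant, key):
        self.store.pop(cache_key(tenant, key), None)
```

With ElastiCache the cache-aside variant is what most application code does (GET, on miss SELECT then SET with a TTL); read-through is what you get from a caching layer that sits in front of the database, such as DAX for DynamoDB.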
An application runs on multiple EC2 instances behind an ELB.
Where is the session data best written so that it can be served reliably across multiple requests?
Write data to Amazon ElastiCache
A Developer has developed a web application and wants to deploy it quickly on a Tomcat server on AWS. The Developer wants to avoid having to manage the underlying infrastructure.
What is the easiest way to deploy the application, based on these requirements?
AWS Elastic Beanstalk
To log in to an Amazon ECR registry
aws ecr get-login (AWS CLI v1 only; the command was removed in AWS CLI v2)
This command retrieves an authentication token using the GetAuthorizationToken API, and then prints a docker login command with the authorization token and, if you specified a registry ID, the URI for an Amazon ECR registry. You can execute the printed command to authenticate to the registry with Docker. After you have authenticated to an Amazon ECR registry with this command, you can use the Docker CLI to push and pull images to and from that registry as long as your IAM principal has access to do so, until the token expires. The authorization token is valid for 12 hours.
With AWS CLI v2 the equivalent is: aws ecr get-login-password --region <region> | docker login --username AWS --password-stdin <account-id>.dkr.ecr.<region>.amazonaws.com (the token goes through stdin, so it does not land in the shell history or the process list).
The upload of a 15 GB object to Amazon S3 fails. The error message reads: "Your proposed upload exceeds the maximum allowed object size." (a single PutObject is limited to 5 GB)
What technique will allow the Developer to upload this object?
The multipart upload API is designed to improve the upload experience for larger objects. You can upload an object in parts. These object parts can be uploaded independently, in any order, and in parallel. You can use a multipart upload for objects from 5 MB to 5 TB in size (AWS recommends it above 100 MB); every part except the last must be at least 5 MB, and an upload can have at most 10,000 parts. For more information, see Uploading and copying objects using multipart upload.
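Added example (not from the flashcards) that plans the parts for an object of a given size within the limits above and drives the create/upload/complete sequence, aborting on failure so no billable orphan parts are left behind. The client method names and parameters are boto3's; FakeS3 is a constructed stand-in so the block runs offline, and slicing an in-memory buffer stands in for seeking through a file.

```python
"""Plan and drive an S3 multipart upload for an object larger than the 5 GB single-PUT limit.

Added example. The S3 client method names and parameters are boto3's; FakeS3 is a
constructed stand-in so the block runs offline, and the in-memory `data` bytes are a
simplification (real code seeks through a file instead of slicing a buffer).
"""
import math

MIB = 1024 * 1024
SINGLE_PUT_LIMIT = 5 * 1024 * MIB   # above this a single PutObject fails
MIN_PART = 5 * MIB                  # every part except the last must be >= 5 MiB
MAX_PART = 5 * 1024 * MIB           # 5 GiB
MAX_PARTS = 10_000


def plan_parts(size, part_size=None):
    """Return [(part_number, offset, length)] covering `size` bytes within S3's limits."""
    if part_size is None:
        # smallest whole-MiB part size that keeps the part count <= 10,000
        part_size = max(MIN_PART, math.ceil(size / MAX_PARTS / MIB) * MIB)
    if not MIN_PART <= part_size <= MAX_PART:
        raise ValueError("part size must be between 5 MiB and 5 GiB")
    parts = [(n, off, min(part_size, size - off))
             for n, off in enumerate(range(0, size, part_size), start=1)]
    if len(parts) > MAX_PARTS:
        raise ValueError("too many parts; increase part size")
    return parts


def upload_multipart(client, bucket, key, data, part_size=None, kms_key_id=None):
    """Create -> upload parts (any order, in parallel if you like) -> complete.
    Aborts on failure so no billable orphan parts are left behind."""
    extra = {"ServerSideEncryption": "aws:kms", "SSEKMSKeyId": kms_key_id} if kms_key_id else {}
    upload_id = client.create_multipart_upload(Bucket=bucket, Key=key, **extra)["UploadId"]
    try:
        etags = []
        for number, offset, length in plan_parts(len(data), part_size):
            resp = client.upload_part(Bucket=bucket, Key=key, UploadId=upload_id,
                                      PartNumber=number, Body=data[offset:offset + length])
            etags.append({"PartNumber": number, "ETag": resp["ETag"]})
        return client.complete_multipart_upload(
            Bucket=bucket, Key=key, UploadId=upload_id, MultipartUpload={"Parts": etags})
    except Exception:
        client.abort_multipart_upload(Bucket=bucket, Key=key, UploadId=upload_id)
        raise


class FakeS3:
    """Just enough of the S3 multipart API to exercise upload_multipart offline."""

    def __init__(self):
        self.uploads, self.objects = {}, {}

    def create_multipart_upload(self, Bucket, Key, **kwargs):
        upload_id = f"upload-{len(self.uploads) + 1}"
        self.uploads[upload_id] = {}
        return {"UploadId": upload_id}

    def upload_part(self, Bucket, Key, UploadId, PartNumber, Body):
        self.uploads[UploadId][PartNumber] = bytes(Body)
        return {"ETag": f'"etag-{PartNumber}"'}

    def complete_multipart_upload(self, Bucket, Key, UploadId, MultipartUpload):
        parts = self.uploads.pop(UploadId)
        ordered = sorted(MultipartUpload["Parts"], key=lambda p: p["PartNumber"])
        self.objects[(Bucket, Key)] = b"".join(parts[p["PartNumber"]] for p in ordered)
        return {"Bucket": Bucket, "Key": Key}

    def abort_multipart_upload(self, Bucket, Key, UploadId):
        self.uploads.pop(UploadId, None)
```

For the 15 GB case the planner picks 5 MiB parts (the minimum) and 3072 parts. A bucket lifecycle rule with AbortIncompleteMultipartUpload is the backstop for uploads that die without reaching the abort call.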
Where can PortMapping be defined when launching containers in Amazon ECS?
Task definition
Typically, when you use the KCL, you should ensure that…
the number of instances does not exceed the number of shards (except for failure standby purposes). Each shard is processed by exactly one KCL worker and has exactly one corresponding record processor, so you never need multiple instances to process one shard. However, one worker can process any number of shards, so it’s fine if the number of shards exceeds the number of instances.
KCL, Kinesis, consumers
To scale up processing in your application, you should test a combination of these approaches:
- Increasing the instance size (because all record processors run in parallel within a process)
- Increasing the number of instances up to the maximum number of open shards (because shards can be processed independently)
- Increasing the number of shards (which increases the level of parallelism)
What does an Amazon SQS delay queue accomplish?
Delay queues let you postpone the delivery of new messages to a queue for a number of seconds, for example when your consumer application needs additional time to process messages. If you create a delay queue, any messages that you send to the queue remain invisible to consumers for the duration of the delay period. The default (minimum) delay for a queue is 0 seconds; the maximum is 15 minutes. On standard queues a per-message DelaySeconds overrides the queue setting; FIFO queues only support the queue-level delay. For information about configuring delay queues using the console, see Configuring queue parameters (console).
A Developer is writing a serverless application that requires that an AWS Lambda function be invoked every 10 minutes.
What is an automated and serverless way to trigger the function?
Create an Amazon EventBridge (formerly CloudWatch Events) scheduled rule, for example rate(10 minutes), with the Lambda function as its target. EventBridge Scheduler is the newer alternative for the same job.
What is a deployment package?
Your AWS Lambda function's code consists of scripts or compiled programs and their dependencies. You use a deployment package to deploy your function code to Lambda. Lambda supports two types of deployment packages:
- container images (stored in Amazon ECR)
- .zip file archives (uploaded directly or from Amazon S3)
In CloudFormation you can create Lambda functions and set the code in three ways (the Code property of AWS::Lambda::Function):
- inline with ZipFile (Node.js and Python only; the source is limited to 4096 characters and cannot bundle dependencies)
- a .zip archive in S3 (S3Bucket, S3Key and optionally S3ObjectVersion)
- a container image in ECR (ImageUri, with PackageType set to Image)
What can you do if you want to run the X-Ray daemon on Amazon ECS?
Run the daemon as a sidecar container in the task: use the official amazon/aws-xray-daemon image (or build your own and push it to a Docker image repository), add it to the task definition next to the application container, map UDP port 2000, point the application's X-Ray SDK at it with the AWS_XRAY_DAEMON_ADDRESS environment variable, and give the task role permission to upload traces (the AWSXRayDaemonWriteAccess managed policy).
Extra: with the EC2 launch type you could also install the daemon on the container instances themselves, but on Fargate you have no access to the host, so the sidecar container is the only option.
In CloudFormation if you want to set values based on a region, you can use the key… Mappings (read back with Fn::FindInMap)
The optional Mappings section matches a key to a corresponding set of named values. For example, if you want to set values based on a region, you can create a mapping that uses the region name as a key and contains the values you want to specify for each specific region. You use the Fn::FindInMap intrinsic function to retrieve values in a map.
The following example shows a Mappings section with a map RegionMap, which contains three keys that map to name-value pairs containing single string values. The keys are region names. Each name-value pair is the AMI ID for the HVM64 AMI in the region represented by the key (placeholder IDs):
"Mappings" : {
  "RegionMap" : {
    "us-east-1" : { "HVM64" : "ami-aaa" },
    "us-west-1" : { "HVM64" : "ami-bbb" },
    "eu-west-1" : { "HVM64" : "ami-ccc" }
  }
}
To manage large Amazon Simple Queue Service (Amazon SQS) messages, you must use two services:
Amazon Simple Storage Service (Amazon S3) and the Amazon SQS Extended Client Library for Java. The library stores payloads that exceed the SQS message size limit (up to 2 GB) in S3 and sends only a reference through the queue. Unless your application requires repeatedly creating queues and leaving them inactive, or storing large amounts of data in your queues, consider using Amazon S3 for storing your data.
The Developer makes changes to the code and uploads a new .zip file to Amazon S3. However, Lambda executes the earlier code.
Uploading to S3 does not update the function: Lambda copied the package at the time of the last deployment. This is not about versions (the new upload was never deployed); push the new package with the CLI:
aws lambda update-function-code --function-name my-function --zip-file fileb://my-function.zip
(for a package that stays in S3, point update-function-code at it with --s3-bucket and --s3-key instead of --zip-file)
How do I give internet access to a Lambda function that's connected to an Amazon VPC?
A VPC-connected function has no internet access by default. Put the function in private subnets whose route table sends 0.0.0.0/0 to a NAT gateway in a public subnet; do not place the function in the public subnet itself, because Lambda's network interfaces never get a public IP. If you are using an existing Amazon VPC, start from Create your VPC components to create a public subnet with a NAT gateway and one or more private subnets. If your existing VPC already has a public subnet with a NAT gateway and one or more private subnets, skip ahead to Create a Lambda execution role for your VPC.
A Developer is creating an AWS Lambda function to process a stream of data from an Amazon Kinesis Data Stream. When the Lambda function parses the data and encounters a missing field, it exits the function with an error. The function is generating duplicate records from the Kinesis stream. When the Developer looks at the stream output without the Lambda function, there are no duplicate records.
What is the reason for the duplicates?
The Lambda function did not handle the error, so the Lambda service retried the entire batch (by default until it succeeds or the records expire), reprocessing the records that had already been handled. Handle the malformed record in code, and tune the event source mapping with BisectBatchOnFunctionError, MaximumRetryAttempts, MaximumRecordAgeInSeconds, an on-failure destination and ReportBatchItemFailures so one bad record cannot block or replay the rest of the batch.
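Added example (not from the flashcards) of a handler written the way the answer above recommends: a record that will never parse is sent to your own dead-letter store instead of crashing the invocation, while a transient downstream failure is reported through the partial-batch response so Lambda retries only from that record. It assumes the event source mapping has FunctionResponseTypes set to ReportBatchItemFailures; the required field names, the sink and the constructed records are illustrative.

```python
"""Kinesis-triggered Lambda that tolerates a malformed record without poisoning the batch.

Added example (not from the page). Assumes the event source mapping is configured with
FunctionResponseTypes=["ReportBatchItemFailures"]; the required field names, the sink and
the constructed records are illustrative.
"""
import base64
import json

REQUIRED_FIELDS = ("user_id", "action")


class TransientError(Exception):
    """Downstream hiccup (throttling, timeout): worth retrying."""


def parse_record(record):
    """Decode one Kinesis record; raise ValueError for data that will never parse."""
    try:
        payload = json.loads(base64.b64decode(record["kinesis"]["data"]))
    except (ValueError, KeyError) as exc:           # json.JSONDecodeError is a ValueError
        raise ValueError(f"undecodable record: {exc}") from exc
    missing = [f for f in REQUIRED_FIELDS if f not in payload]
    if missing:
        raise ValueError(f"missing fields: {missing}")
    return payload


def process_batch(records, sink, dead_letter):
    """Return the batchItemFailures list Lambda expects.

    Malformed records are permanent failures: retrying them can never succeed, so they
    go to dead_letter (your own DLQ / on-failure destination) and are NOT reported.
    A transient downstream error is reported via the record's sequence number and
    processing stops there: Lambda retries from the lowest reported sequence number,
    so everything after it would be redelivered anyway and ordering is preserved.
    """
    for record in records:
        seq = record["kinesis"]["sequenceNumber"]
        try:
            payload = parse_record(record)
        except ValueError as exc:
            dead_letter.append({"sequenceNumber": seq, "reason": str(exc)})
            continue
        try:
            sink(payload)
        except TransientError:
            return [{"itemIdentifier": seq}]
    return []


DEAD_LETTERS = []          # stand-in for an SQS DLQ / on-failure destination


def default_sink(payload):
    """Stand-in for the real downstream write; must be idempotent since retries redeliver."""
    return payload


def handler(event, context=None):
    return {"batchItemFailures": process_batch(event["Records"], default_sink, DEAD_LETTERS)}


def make_record(sequence_number, payload):
    """Constructed Kinesis record in the shape Lambda delivers (only the fields used here)."""
    data = payload if isinstance(payload, bytes) else json.dumps(payload).encode()
    return {"kinesis": {"sequenceNumber": sequence_number,
                        "partitionKey": "pk",
                        "data": base64.b64encode(data).decode()}}


def sink_that_throttles_on(user_id):
    """Constructed downstream that fails transiently for one user, to exercise the retry path."""
    def sink(payload):
        if payload["user_id"] == user_id:
            raise TransientError("downstream throttled")
    return sink
```

Because a reported failure makes Lambda redeliver that record and everything after it, the downstream write must be idempotent (keyed on the record, not on an auto-generated id) or the duplicates from the question simply move one layer down.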
Read or write operations on my Amazon DynamoDB table are being throttled. Why is this happening, and how can I fix it?
Throttling usually means traffic is concentrated on a few partition keys (a hot partition) rather than the table's total capacity being exhausted. Remedies:
- Distribute read and write operations as evenly as possible across the partition key space.
- Expand the partition key space with write sharding: random suffixes (append a random number to the partition key value, which spreads writes but forces every read to fan out over all suffixes) or calculated suffixes (derive the suffix from an attribute you also know at read time, so a point read still hits one partition).
- Implement a caching solution (DAX or ElastiCache) in front of read-heavy keys.
- Implement error retries with exponential backoff (the AWS SDKs do this by default) so bursts smooth out instead of piling up.
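Added example (not from the flashcards) of sharding with a calculated suffix, including the two read paths it implies: a point read that goes to exactly one shard, and a listing that fans out over every shard. The key layout customer#<id>#<n>, the shard count and the in-memory FakeTable (a dict emulating Query by partition key) are assumptions.

```python
"""Write sharding for a hot DynamoDB partition key: calculated suffix plus the fan-out read.

Added example (not from the page). The key layout 'customer#<id>#<n>', the shard count
and the in-memory FakeTable (a dict emulating Query by partition key) are assumptions.
"""
import hashlib

SHARD_COUNT = 10


def shard_suffix(value, shard_count=SHARD_COUNT):
    """Deterministic suffix from an attribute you also know at read time (the order id).
    Uses SHA-256, not Python's hash(), which is salted per process and would scatter reads."""
    digest = hashlib.sha256(value.encode()).digest()
    return int.from_bytes(digest[:4], "big") % shard_count


def partition_key(customer_id, order_id):
    return f"customer#{customer_id}#{shard_suffix(order_id)}"


class FakeTable:
    """pk -> {sk -> item}; query() mimics Query(KeyConditionExpression='pk = :pk')."""

    def __init__(self):
        self.partitions = {}

    def put(self, pk, sk, item):
        self.partitions.setdefault(pk, {})[sk] = item

    def query(self, pk):
        return list(self.partitions.get(pk, {}).values())


def put_order(table, customer_id, order_id, item):
    table.put(partition_key(customer_id, order_id), order_id, {**item, "order_id": order_id})


def get_order(table, customer_id, order_id):
    """Point read: the calculated suffix tells us which single shard to hit."""
    for item in table.query(partition_key(customer_id, order_id)):
        if item["order_id"] == order_id:
            return item
    return None


def list_orders(table, customer_id):
    """Listing needs one Query per shard (fan-out); with random suffixes point reads need this too."""
    items = []
    for n in range(SHARD_COUNT):
        items.extend(table.query(f"customer#{customer_id}#{n}"))
    return items


def shard_histogram(table, customer_id):
    """How evenly the writes landed; a skewed histogram means the suffix input is itself hot."""
    return {n: len(table.query(f"customer#{customer_id}#{n}")) for n in range(SHARD_COUNT)}
```

Pick SHARD_COUNT once and treat it as part of the schema: changing it later changes every calculated key, so existing items become unreachable until they are rewritten.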
How can you call a "container for CloudWatch metrics"?
A namespace
In Amazon CloudWatch you have some concepts:
- Namespaces: containers that isolate metrics from one another (AWS services publish under AWS/<service>; custom metrics need their own)
- Metrics: a time-ordered set of data points published to CloudWatch
- Dimensions: a name/value pair that is part of the identity of a metric. You can assign up to 30 dimensions to a metric.
- Statistics: metric data aggregations over specified periods of time
- Percentiles: the relative standing of a value in a dataset
- Alarms: automatically initiate actions on your behalf (an alarm watches a single metric, or a metric math expression, over a specified time period)
A Developer wants to make the log data of an application running on an EC2 instance available to systems administrators.
Which of the following enables monitoring of this data in Amazon CloudWatch?
Install the CloudWatch agent on the EC2 instance the application runs on and configure it to ship the application's log files to CloudWatch Logs (the instance profile needs logs:CreateLogGroup, logs:CreateLogStream and logs:PutLogEvents).
The unified CloudWatch agent replaces the older CloudWatch Logs agent and also collects internal system-level metrics from Amazon EC2 instances across operating systems, including in-guest metrics such as memory and disk usage that the EC2 service cannot see from outside, in addition to the standard EC2 instance metrics.
You can configure API Gateway to perform basic validation of an API request before proceeding with the integration request.
When the validation fails, API Gateway immediately fails the request, returns a 400 error response to the caller, and publishes the validation results in CloudWatch Logs. This reduces unnecessary calls to the backend. More importantly, it lets you focus on the validation efforts specific to your application.
Where should the company move session data to MOST effectively reduce downtime and make users’ session data more fault tolerant?
An Amazon ElastiCache for Redis cluster
What is the file format that you have to set in your configuration files in .ebextensions?
.config (YAML or JSON files with the .config extension, placed in the .ebextensions directory at the root of the source bundle)
A Developer wants to debug an application by searching and filtering log data.
The Developer creates a new metric filter to count exceptions in the application logs. However, no results are returned from the logs.
What is the reason that no filtered results are being returned?
Filters do not retroactively filter data. Filters only publish the metric data points for events that happen after the filter was created. Filtered results return the first 50 lines, which will not be displayed if the timestamp on the filtered results is earlier than the metric creation time.
Publishing Custom Metrics
You can publish your own metrics to CloudWatch using the AWS CLI (put-metric-data) or the PutMetricData API. You can view statistical graphs of your published metrics in the AWS Management Console.
High-Resolution Metrics
- Standard resolution, with data having a one-minute granularity (the default)
- High resolution, with data at a granularity of one second (set StorageResolution to 1 when publishing; high-resolution alarms can then evaluate every 10 or 30 seconds)
Which option would enable DynamoDB table updates to trigger the Lambda function?
Enable a DynamoDB stream on the table and create an event source mapping from the stream to the function. An event source mapping is an AWS Lambda resource that reads from an event source and invokes a Lambda function. You can use event source mappings to process items from a stream or queue in services that don't invoke Lambda functions directly, such as DynamoDB Streams, Kinesis and SQS.
By default, the DynamoDB write operations (PutItem, UpdateItem, DeleteItem) are unconditional: each operation overwrites an existing item that has the specified primary key.
Which DynamoDB write option should be selected to prevent this overwriting when two people write data to the same item?
Conditional writes. DynamoDB optionally supports conditional writes for these operations. A conditional write succeeds only if the item attributes meet one or more expected conditions; otherwise it returns an error (ConditionalCheckFailedException). Conditional writes are helpful in many situations. For example, you might want a PutItem operation to succeed only if there is not already an item with the same primary key. Or you could prevent an UpdateItem operation from modifying an item if one of its attributes has a certain value.
Pattern: read the item (value is 10), then update with a ConditionExpression requiring the value still to be 10; if someone else changed it in between, the write is rejected and the application re-reads and retries.
Can you change the ELB in a EB when it is already created?
No, you Can’t
By default, Elastic Beanstalk creates an Application Load Balancer for your environment when you enable load balancing with the Elastic Beanstalk console or the EB CLI. It configures the load balancer to listen for HTTP traffic on port 80 and forward this traffic to instances on the same port. You can choose the type of load balancer that your environment uses only during environment creation. Later, you can change settings to manage the behavior of your running environment’s load balancer, but you can’t change its type.
A Developer must encrypt a 100-GB object using AWS KMS.
What is the BEST approach?
Envelope encryption: call GenerateDataKey, which returns a plaintext data key and an encrypted copy of it. Encrypt the object locally with the plaintext key, store the encrypted data key alongside the ciphertext, then discard the plaintext key; to read the object, call KMS Decrypt on the encrypted data key only. The KMS Encrypt API accepts at most 4 KB, so it can never encrypt the object directly.
Alternative: upload with aws s3 cp --sse aws:kms --sse-kms-key-id <key-id> and let S3 do the envelope encryption server-side; the caller then needs kms:GenerateDataKey (and kms:Decrypt for multipart uploads) on that key in addition to s3:PutObject.
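Added example (not from the flashcards) of the envelope pattern from the answer above: one GenerateDataKey call per object, the bulk data encrypted locally, only the wrapped key stored next to the ciphertext, and a Decrypt call on the wrapped key alone when reading. FakeKms stands in for boto3's KMS client (generate_data_key and decrypt are the real call names and parameters); the HMAC-SHA256 counter-mode keystream with encrypt-then-MAC is a standard-library stand-in for AES-GCM so the block runs offline, and the key alias and payload are constructed.

```python
"""Envelope encryption for a large object with a KMS data key.

Added example (not from the page). FakeKms stands in for boto3's KMS client (the real
calls are generate_data_key and decrypt with the same parameter names); the HMAC-SHA256
counter-mode keystream with encrypt-then-MAC is a standard-library stand-in for AES-GCM
so the block runs offline and is NOT what you ship. Key alias and payload are constructed.
"""
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _subkeys(key):
    """Separate encryption and MAC keys derived from one 256-bit key."""
    return (hashlib.sha256(key + b"enc").digest(), hashlib.sha256(key + b"mac").digest())


def _keystream_xor(enc_key, nonce, data):
    """PRF counter mode: keystream block i = HMAC(enc_key, nonce || i)."""
    out = bytearray()
    for block in range(len(data) // 32 + 1):
        out += hmac.new(enc_key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, out))


def seal(key, plaintext):
    """nonce || ciphertext || tag. Fresh nonce per call; the tag covers nonce and ciphertext."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = _keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(key, blob):
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):      # verify before decrypting, constant time
        raise ValueError("authentication failed: ciphertext or wrapped key was tampered with")
    return _keystream_xor(enc_key, nonce, ciphertext)


class FakeKms:
    """The master key never leaves this object, just as a KMS key never leaves KMS."""

    def __init__(self):
        self._master = {"alias/app-data-key": secrets.token_bytes(32)}
        self.calls = []

    def generate_data_key(self, KeyId, KeySpec="AES_256"):
        self.calls.append("GenerateDataKey")
        plaintext = secrets.token_bytes(32)
        return {"KeyId": KeyId, "Plaintext": plaintext,
                "CiphertextBlob": KeyId.encode() + b"\0" + seal(self._master[KeyId], plaintext)}

    def decrypt(self, CiphertextBlob):
        self.calls.append("Decrypt")
        key_id, wrapped = CiphertextBlob.split(b"\0", 1)
        name = key_id.decode()
        return {"KeyId": name, "Plaintext": open_sealed(self._master[name], wrapped)}


def encrypt_object(kms, key_id, data):
    """One GenerateDataKey call per object; only the *wrapped* key is stored with the ciphertext."""
    dk = kms.generate_data_key(KeyId=key_id, KeySpec="AES_256")
    envelope = {"wrapped_key": dk["CiphertextBlob"], "ciphertext": seal(dk["Plaintext"], data)}
    del dk      # drop the plaintext key as soon as the data is encrypted
    return envelope


def decrypt_object(kms, envelope):
    """Decrypt calls KMS for the 32-byte wrapped key, never for the (possibly 100 GB) payload."""
    data_key = kms.decrypt(CiphertextBlob=envelope["wrapped_key"])["Plaintext"]
    return open_sealed(data_key, envelope["ciphertext"])
```

In production replace seal/open_sealed with AES-GCM (for example the cryptography package or the AWS Encryption SDK, which implements exactly this envelope format with KMS-backed keys) and stream the 100 GB object through the cipher instead of holding it in memory.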
How can you migrate a Git repository to AWS CodeCommit?
Create HTTPS Git credentials for an IAM user (or use SSH keys, or git-remote-codecommit with an IAM role), create the CodeCommit repository, then mirror the existing repository into it with git clone --mirror followed by git push --mirror to the CodeCommit URL. Note that since July 2024 CodeCommit is no longer available to new AWS customers.
A Developer is writing a REST service that will add items to a shopping list. The service is built on Amazon API Gateway with AWS Lambda integrations. The shopping list items are sent as query string parameters in the method request.
How should the Developer convert the query string parameters to arguments for the Lambda function?
Change the integration type to a Lambda proxy integration (AWS_PROXY): API Gateway then passes the whole request to the function as the event, with the query string already parsed into queryStringParameters. With a non-proxy (custom) integration you would instead have to write a mapping template that copies each parameter, e.g. with $input.params('name'), into the integration request body.
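Added example (not from the flashcards) of the shopping-list handler behind a Lambda proxy integration: the query string arrives in the event, is validated before it is trusted, and the response uses the exact shape API Gateway requires from a proxy integration. The item parameter name, the validation rules and the constructed events are assumptions.

```python
"""Shopping-list handler behind an API Gateway Lambda *proxy* integration.

Added example (not from the page). With a proxy integration API Gateway hands the whole
request to the function as the event, so the query string needs no mapping template;
the 'item' parameter name, the validation rules and the constructed events are assumptions.
"""
import json
import re

ITEM_RE = re.compile(r"^[A-Za-z0-9 .,'-]{1,64}$")   # reject control chars / markup before storing
MAX_ITEMS = 20


def parse_items(event):
    """Query string values arrive pre-parsed; the multi-value form handles ?item=a&item=b."""
    params = event.get("multiValueQueryStringParameters") or {}
    items = params.get("item")
    if not items:   # both maps are None when the request had no query string at all
        single = (event.get("queryStringParameters") or {}).get("item")
        items = [single] if single else []
    if not items:
        raise ValueError("at least one 'item' query parameter is required")
    if len(items) > MAX_ITEMS:
        raise ValueError(f"at most {MAX_ITEMS} items per request")
    bad = [i for i in items if not ITEM_RE.match(i)]
    if bad:
        raise ValueError(f"invalid item value(s): {bad}")
    return items


def response(status, body):
    """Proxy integrations must return this exact shape, or API Gateway answers 502."""
    return {"statusCode": status,
            "headers": {"Content-Type": "application/json"},
            "body": json.dumps(body)}


def body(resp):
    """Decode the JSON body of a proxy response (handy for tests and callers)."""
    return json.loads(resp["body"])


def handler(event, context=None):
    if event.get("httpMethod", "POST") != "POST":
        return response(405, {"error": "use POST"})
    try:
        items = parse_items(event)
    except ValueError as exc:
        return response(400, {"error": str(exc)})
    # persistence (e.g. a DynamoDB PutItem per item) would go here
    return response(200, {"added": items})
```

Pair this with API Gateway request validation (required query parameters) so obviously malformed calls never reach the function, but keep the in-code validation too: the validator checks presence, not content.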
ReceiveMessageWaitTimeSeconds
The length of time, in seconds, for which a ReceiveMessage action waits for a message to arrive. Valid values: an integer from 0 to 20 (seconds). Default: 0 (short polling).
How can Company B reduce the number of empty responses?
Enable long polling: set ReceiveMessageWaitTimeSeconds on the queue (or WaitTimeSeconds on each ReceiveMessage call) to a value above 0, ideally 20. Short polling queries only a subset of the queue's servers and returns immediately, so it often returns nothing even when messages exist; long polling queries all the servers and returns as soon as a message is available, which also cuts the cost of empty receives.
DynamoDB does not use a pessimistic locking model (no locks are held on an item while a client works on it).
DynamoDB uses optimistic concurrency control.
Optimistic locking is a strategy to ensure that the client-side item that you are updating (or deleting) is the same as the item in Amazon DynamoDB. If you use this strategy, your database writes are protected from being overwritten by the writes of others, and vice versa. In practice: keep a version number attribute on the item, include a condition on it in every update or delete, and bump it on every write.
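Added example (not from the flashcards) that carries the "read value 10, update only if still 10" pattern above through with a version attribute: two clients read the same item, the first write wins, the second is rejected, and a retry loop re-reads instead of overwriting. ConditionExpression and ExpressionAttributeValues are the real boto3 parameter names; FakeTable implements only the two expressions used here so the lost-update scenario runs offline, and the item shape (pk, version, balance) is assumed.

```python
"""Optimistic locking with a version attribute on top of a DynamoDB conditional write.

Added example (not from the page). ConditionExpression / ExpressionAttributeValues are the
real boto3 parameters; FakeTable implements only the two expressions used here so the
lost-update scenario runs offline, and the item shape (pk, version, balance) is assumed.
"""


class ConditionalCheckFailedException(Exception):
    """Same name DynamoDB raises (via botocore) when a ConditionExpression is false."""


class FakeTable:
    def __init__(self):
        self.items = {}

    def get_item(self, Key):
        item = self.items.get(Key["pk"])
        return {"Item": dict(item)} if item else {}

    def put_item(self, Item, ConditionExpression=None, ExpressionAttributeValues=None):
        current = self.items.get(Item["pk"])
        if ConditionExpression == "attribute_not_exists(pk)":
            if current is not None:
                raise ConditionalCheckFailedException("item already exists")
        elif ConditionExpression == "version = :expected":
            if current is None or current["version"] != ExpressionAttributeValues[":expected"]:
                raise ConditionalCheckFailedException("stale version")
        elif ConditionExpression is not None:
            raise ValueError("expression not supported by this fake")
        self.items[Item["pk"]] = dict(Item)     # an unconditional put overwrites silently


def create_account(table, pk, balance):
    """Fails instead of clobbering an existing item with the same key."""
    table.put_item(Item={"pk": pk, "version": 1, "balance": balance},
                   ConditionExpression="attribute_not_exists(pk)")


def read_account(table, pk):
    return table.get_item(Key={"pk": pk})["Item"]


def save_account(table, item):
    """Write back against exactly the version we read; fails if anyone bumped it meanwhile."""
    new_item = {**item, "version": item["version"] + 1}
    table.put_item(Item=new_item,
                   ConditionExpression="version = :expected",
                   ExpressionAttributeValues={":expected": item["version"]})
    return new_item


def withdraw(table, pk, amount, attempts=3):
    """Read-modify-write loop: on a conflict re-read and retry instead of overwriting."""
    for _ in range(attempts):
        item = read_account(table, pk)
        if item["balance"] < amount:
            raise ValueError("insufficient funds")
        try:
            return save_account(table, {**item, "balance": item["balance"] - amount})
        except ConditionalCheckFailedException:
            continue
    raise RuntimeError("gave up after repeated write conflicts")
```

The business check (enough balance) sits inside the loop on purpose: it is evaluated against the freshly read item each time, so a concurrent withdrawal cannot slip a balance below zero.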
CreatePlatformEndpoint
Creates an endpoint for a device and mobile app on one of the supported push notification services, such as GCM (Firebase Cloud Messaging) and APNS. CreatePlatformEndpoint requires the PlatformApplicationArn that is returned from CreatePlatformApplication. You can use the returned EndpointArn to send a message to a mobile app or by the Subscribe action for subscription to a topic. The CreatePlatformEndpoint action is idempotent, so if the requester already owns an endpoint with the same device token and attributes, that endpoint’s ARN is returned without creating a new endpoint. For more information, see Using Amazon SNS Mobile Push Notifications.