Questions From Udemy I Flashcards
In addition to regular sign-in credentials, AWS supports Multi-Factor Authentication (MFA) for accounts with privileged access.
There are 4 ways to use MFA, but one of them is not available for the root user:
- Virtual MFA devices (A software app that runs on a phone)
- U2F security key (A device that you plug into a USB port on your computer)
- Hardware MFA device (A hardware device that generates a six-digit numeric code based upon a time-synchronized one-time password algorithm)
- SMS text message-based MFA (A type of MFA in which the IAM user settings include the phone number of the user’s SMS-compatible mobile device)
- You cannot use this type of MFA with the AWS account root user
Trust policies define which principal entities (accounts, users, roles, and federated users) can assume the role. An IAM role is both an identity and a resource that supports resource-based policies. For this reason, you must attach both a trust policy and an identity-based policy to an IAM role. The IAM service supports only one type of resource-based policy called a role trust policy, which is attached to an IAM role.
There are 6 policy types:
- Identity-based policies – Attach managed and inline policies to IAM identities (users, groups to which users belong, or roles). Identity-based policies grant permissions to an identity.
- Resource-based policies – Attach inline policies to resources. The most common examples of resource-based policies are Amazon S3 bucket policies and IAM role trust policies. Resource-based policies grant permissions to the principal that is specified in the policy. Principals can be in the same account as the resource or in other accounts.
- Permissions boundaries – Use a managed policy as the permissions boundary for an IAM entity (user or role). That policy defines the maximum permissions that the identity-based policies can grant to an entity, but does not grant permissions. Permissions boundaries do not define the maximum permissions that a resource-based policy can grant to an entity.
- Organizations SCPs – Use an AWS Organizations service control policy (SCP) to define the maximum permissions for account members of an organization or organizational unit (OU). SCPs limit permissions that identity-based policies or resource-based policies grant to entities (users or roles) within the account, but do not grant permissions.
- Access control lists (ACLs) – Use ACLs to control which principals in other accounts can access the resource to which the ACL is attached. ACLs are similar to resource-based policies, although they are the only policy type that does not use the JSON policy document structure. ACLs are cross-account permissions policies that grant permissions to the specified principal. ACLs cannot grant permissions to entities within the same account.
- Session policies – Pass advanced session policies when you use the AWS CLI or AWS API to assume a role or a federated user. Session policies limit the permissions that the role or user's identity-based policies grant to the session. Session policies limit permissions for a created session, but do not grant permissions. For more information, see Session Policies.
A company is looking at optimizing their Amazon EC2 instance costs. A few instances are sure to run for a few years, but the instance type might change based on business requirements.
Which EC2 instance purchasing option should they opt for to meet the reduced cost criteria?
What are the instance purchasing options? There are 7 types.
Answer: Convertible Reserved Instances - A Convertible Reserved Instance can be exchanged during the term for another Convertible Reserved Instance with new attributes including instance family, instance type, platform, scope, or tenancy. This is the best fit for the current requirement.
https://image.slidesharecdn.com/venhtue1530win301-161226230140/95/aws-reinvent-2016-bring-microsoft-applications-to-aws-to-save-money-and-stay-license-compliant-using-powershell-windows-kms-and-dedicated-hosts-win301-15-638.jpg?cb=1482793363
Types:
- On-Demand Instances – Pay, by the second, for the instances that you launch.
- Savings Plans – Reduce your Amazon EC2 costs by making a commitment to a consistent amount of usage, in USD per hour, for a term of 1 or 3 years.
- Reserved Instances – Reduce your Amazon EC2 costs by making a commitment to a consistent instance configuration, including instance type and Region, for a term of 1 or 3 years. The offering class of a Reserved Instance is either Standard or Convertible. A Standard Reserved Instance provides a more significant discount than a Convertible Reserved Instance, but you can't exchange a Standard Reserved Instance. You can exchange Convertible Reserved Instances. You can modify Standard and Convertible Reserved Instances.
- Spot Instances – Request unused EC2 instances, which can reduce your Amazon EC2 costs significantly.
- Dedicated Hosts – Pay for a physical host that is fully dedicated to running your instances, and bring your existing per-socket, per-core, or per-VM software licenses to reduce costs.
- Dedicated Instances – Pay, by the hour, for instances that run on single-tenant hardware.
- Capacity Reservations – Reserve capacity for your EC2 instances in a specific Availability Zone for any duration.
A firm runs its technology operations on a fleet of Amazon EC2 instances. The firm needs a certain software to be available on the instances to support their daily workflows. The developer team has been told to use the user data feature of EC2 instances.
Which of the following are true about the user data EC2 configuration?
User Data is generally used to perform common automated configuration tasks and even run scripts after the instance starts. When you launch an instance in Amazon EC2, you can pass two types of user data - shell scripts and cloud-init directives. You can also pass this data into the launch wizard as plain text or as a file.
By default, scripts entered as user data are executed with root user privileges - Scripts entered as user data are executed as the root user, hence do not need the sudo command in the script. Any files you create will be owned by root; if you need non-root users to have file access, you should modify the permissions accordingly in the script.
By default, user data runs only during the boot cycle when you first launch an instance - By default, user data scripts and cloud-init directives run only during the boot cycle when you first launch an instance. You can update your configuration to ensure that your user data scripts and cloud-init directives run every time you restart your instance.
The development team at an IT company would like to provision their own Docker images that can be used as input sources for CodeBuild. These images will contain cached dependencies as well as special tooling for builds that are proprietary to the company.
Which of the following services can be used to store and deploy these Docker images?
ECR
Amazon Elastic Container Registry (ECR) is a fully-managed Docker container registry that makes it easy for developers to store, manage, and deploy Docker container images. Amazon ECR is integrated with Amazon Elastic Container Service (ECS), simplifying your development to production workflow.
This section contains reference information for the AWS SAM resource and property types.
What are the 7 serverless resource types?
- AWS::Serverless::Api – Creates a collection of Amazon API Gateway resources and methods that can be invoked through HTTPS endpoints.
- AWS::Serverless::Application – Embeds a serverless application from the AWS Serverless Application Repository or from an Amazon S3 bucket as a nested application.
- AWS::Serverless::Function – Creates an AWS Lambda function, an IAM execution role, and event source mappings that trigger the function.
- AWS::Serverless::HttpApi – Creates an Amazon API Gateway HTTP API, which enables you to create RESTful APIs with lower latency and lower costs than REST APIs.
- AWS::Serverless::LayerVersion – Creates a Lambda LayerVersion that contains library or runtime code needed by a Lambda Function.
- AWS::Serverless::SimpleTable – Creates a DynamoDB table with a single attribute primary key. It is useful when data only needs to be accessed via a primary key.
- AWS::Serverless::StateMachine – Creates an AWS Step Functions state machine, which you can use to orchestrate AWS Lambda functions and other AWS resources to form complex and robust workflows.
X has configured forecast-based AWS Budgets alerts for cost management. However, no alerts have been received even though the account and the budgets were created almost three weeks ago.
What could be the issue with the AWS Budgets configuration?
AWS requires approximately 5 weeks of usage data to generate budget forecasts. If you set a budget to alert based on a forecasted amount, this budget alert isn’t triggered until you have enough historical usage information.
These allow you to map parameters one-to-one and map a family of integration response status codes (matched by a regular expression) to a single response status code.
They cannot be used with proxy integration endpoints, which lack data mappings. For more information about integration types, see Choose an API Gateway API integration type.
Mapping templates
Using IAM with CodeCommit:
- Git credentials, an IAM-generated user name and password pair you can use to communicate with CodeCommit repositories over HTTPS.
- SSH keys, a locally generated public-private key pair that you can associate with your IAM user to communicate with CodeCommit repositories over SSH.
- AWS access keys, which you can use with the credential helper included with the AWS CLI to communicate with CodeCommit repositories over HTTPS.
Two things about ASG
Auto Scaling groups can span across the Availability Zones of a Region
Amazon EC2 Auto Scaling attempts to distribute instances evenly between the Availability Zones that are enabled for your Auto Scaling group
X running on an EC2 instance takes about 20 seconds on average to process each X. The application picks the new job messages from an SQS queue. The development team needs to account for the use-case when X takes longer than usual so that the same X is not processed by multiple consumers.
Use ChangeMessageVisibility action to extend a message’s visibility timeout
For example, you have a message with a visibility timeout of 5 minutes. After 3 minutes, you call ChangeMessageVisibility with a timeout of 10 minutes. You can continue to call ChangeMessageVisibility to extend the visibility timeout to the maximum allowed time. If you try to extend the visibility timeout beyond the maximum, your request is rejected. So, for the given use-case, the application can set the initial visibility timeout to 1 minute and then continue to update the ChangeMessageVisibility value if required.
Which of the following security credentials can only be created by the AWS Account root user?
CloudFront Key Pairs - IAM users can’t create CloudFront key pairs. You must log in using root credentials to create key pairs.
To create signed URLs or signed cookies, you need a signer. A signer is either a trusted key group that you create in CloudFront, or an AWS account that contains a CloudFront key pair. AWS recommends that you use trusted key groups with signed URLs and signed cookies instead of using CloudFront key pairs.
The rest of the credentials can be created by any user with permissions
A developer in your company has configured a build using AWS CodeBuild. The build fails and the developer needs to quickly troubleshoot the issue to see which commands or settings located in the BuildSpec file are causing an issue.
Which approach will help them accomplish this?
Run AWS CodeBuild locally using CodeBuild Agent
AWS CodeBuild is a fully managed build service. There are no servers to provision and scale, or software to install, configure, and operate.
With the Local Build support for AWS CodeBuild, you just specify the location of your source code, choose your build settings, and CodeBuild runs build scripts for compiling, testing, and packaging your code. You can use the AWS CodeBuild agent to test and debug builds on a local machine.
By building an application on a local machine you can:
Test the integrity and contents of a buildspec file locally.
Test and build an application locally before committing.
Identify and fix errors quickly from your local development environment.
- Install Git on your local machine.
- Install and set up Docker on your local machine.
- To run the CodeBuild agent
What characteristics of an Elastic Load Balancer make it a winning choice? (Select two)
- Separate public traffic from private traffic
- Build a highly available system
You now want to ensure that the team has only the minimum permissions required to finish their work.
Which of the following will help her identify unused IAM roles and remove them without disrupting any service?
Access Advisor feature on IAM console
To help identify the unused roles, IAM reports the last-used timestamp that represents when a role was last used to make an AWS request. Your security team can use this information to identify, analyze, and then confidently remove unused roles. This helps improve the security posture of your AWS environments. Additionally, by removing unused roles, you can simplify your monitoring and auditing efforts by focusing only on roles that are in use.
A development team lead is configuring policies for his team at an IT company.
Which of the following policy types only limit permissions but cannot grant permissions? (Select two)
- AWS Organizations Service Control Policy (SCP)
- Permissions boundary
- Access control list (ACL)
- Resource-based policy
- Identity-based policy
- Permissions boundary – A permissions boundary is a managed policy that is used for an IAM entity (user or role). The policy defines the maximum permissions that the identity-based policies can grant to an entity, but does not grant permissions.
- AWS Organizations Service Control Policy (SCP) – SCPs limit permissions that identity-based policies or resource-based policies grant to entities (users or roles) within the account, but do not grant permissions.
- Number of minutes you can specify in a build project for the build timeout of all related builds
- Number of minutes you can specify for the build timeout of a single build
5 to 480 minutes (8 hours)
When do you choose latency-based routing?
If your application is hosted in multiple AWS Regions, you can improve performance for your users by serving their requests from the AWS Region that provides the lowest latency.
You have just configured and attached the IAM policy needed to access AWS Billing and Cost Management for all users under the Finance department. But, the users are unable to see AWS Billing and Cost Management service in the AWS console.
You need to activate IAM user access to the Billing and Cost Management console for all the users who need access
By default, IAM users do not have access to the AWS Billing and Cost Management console. You or your account administrator must grant users access. You can do this by activating IAM user access to the Billing and Cost Management console and attaching an IAM policy to your users. Then, you need to activate IAM user access for IAM policies to take effect. You only need to activate IAM user access once.
To enable HTTPS connections for his web application deployed on the AWS Cloud, a developer is in the process of creating a server certificate.
Which AWS entities can be used to deploy SSL/TLS server certificates? (Select two)
- AWS Certificate Manager
- IAM - IAM is used as a certificate manager only when you must support HTTPS connections in a Region that is not supported by ACM. IAM securely encrypts your private keys and stores the encrypted version in IAM SSL certificate storage. IAM supports deploying server certificates in all Regions, but you must obtain your certificate from an external provider for use with AWS. You cannot upload an ACM certificate to IAM. Additionally, you cannot manage your certificates from the IAM Console.
You didn't assign a target group to your ALB.
Which error code should he expect in his debug logs?
HTTP 503 - HTTP 503 indicates ‘Service unavailable’ error. This error in ALB is an indicator of the target groups for the load balancer having no registered targets.
What are the 8 pseudo parameters?
AWS::AccountId
Returns the AWS account ID of the account in which the stack is being created, such as 123456789012.
AWS::NotificationARNs
Returns the list of notification Amazon Resource Names (ARNs) for the current stack.
AWS::NoValue
Removes the corresponding resource property when specified as a return value in the Fn::If intrinsic function.
For example, you can use the AWS::NoValue parameter when you want to use a snapshot for an Amazon RDS DB instance only if a snapshot ID is provided.
AWS::Partition
Returns the partition that the resource is in. For standard AWS regions, the partition is aws.
AWS::Region
AWS::StackId
Returns the ID of the stack, such as arn:aws:cloudformation:us-west-2:123456789012:stack/teststack/51af3dc0-da77-11e4-872e-1234567db123.
AWS::StackName
Returns the name of the stack as specified with the aws cloudformation create-stack command, such as teststack.
AWS::URLSuffix
Returns the suffix for a domain. The suffix is typically amazonaws.com.
The team wants to analyze the incoming requests for latencies and the client’s IP address patterns.
Which feature of the Load Balancer will help collect the required information?
ALB access logs
Elastic Load Balancing provides access logs that capture detailed information about requests sent to your load balancer. Each log contains information such as the time the request was received, the client’s IP address, latencies, request paths, and server responses. You can use these access logs to analyze traffic patterns and troubleshoot issues. Access logging is an optional feature of Elastic Load Balancing that is disabled by default.
Which section of a CloudFormation template does not allow for conditions?
Parameters enable you to input custom values to your CloudFormation template each time you create or update a stack.
Conditions cannot be used within the Parameters section. After you define all your conditions, you can associate them with resources and resource properties only in the Resources and Outputs sections of a template.
An application is hosted by a 3rd party and exposed at yourapp.3rdparty.com. You would like to have your users access your application using www.mydomain.com, which you own and manage under Route 53.
What Route 53 record should you create?
Create a CNAME record
A CNAME record maps DNS queries for the name of the current record, such as acme.example.com, to another domain (example.com or example.net) or subdomain (acme.example.com or zenith.example.org).
CNAME records can be used to map one domain name to another. Although you should keep in mind that the DNS protocol does not allow you to create a CNAME record for the top node of a DNS namespace, also known as the zone apex. For example, if you register the DNS name example.com, the zone apex is example.com. You cannot create a CNAME record for example.com, but you can create CNAME records for www.example.com, newproduct.example.com, and so on.
“Create an A record” - Is used to point a domain or subdomain to an IP address. ‘A record’ cannot be used to map one domain name to another.
A cybersecurity firm wants to run their applications on single-tenant hardware to meet security guidelines.
Which of the following is the MOST cost-effective way of isolating their Amazon EC2 instances to a single tenant?
- Dedicated Instances
- Dedicated Host
Dedicated Instances -
They are Amazon EC2 instances that run in a virtual private cloud (VPC) on hardware that’s dedicated to a single customer. Dedicated Instances that belong to different AWS accounts are physically isolated at a hardware level, even if those accounts are linked to a single-payer account. However, Dedicated Instances may share hardware with other instances from the same AWS account that are not Dedicated Instances.
A Dedicated Host is also a physical server that’s dedicated for your use. With a Dedicated Host, you have visibility and control over how instances are placed on the server.
Dedicated Hosts - An Amazon EC2 Dedicated Host is a physical server with EC2 instance capacity fully dedicated to your use. (More expensive; you can run several instances on it.)
Outputs
The optional Outputs section declares output values that you can import into other stacks (to create cross-stack references), return in response (to describe stack calls), or view on the AWS CloudFormation console. For example, you can output the S3 bucket name for a stack to make the bucket easier to find
Export
The name of the resource output to be exported for a cross-stack reference.
For each AWS account, Export names must be unique within a region.
You can't create cross-stack references across regions. You can use the intrinsic function Fn::ImportValue to import only values that have been exported within the same region.
Export
"Outputs" : {
  "StackVPC" : {
    "Description" : "The ID of the VPC",
    "Value" : { "Ref" : "MyVPC" },
    "Export" : { "Name" : { "Fn::Sub" : "${AWS::StackName}-VPCID" } }
  }
}
Cross-stack output
The intrinsic function Fn::Sub substitutes variables in an input string with values that you specify. In your templates, you can use this function to construct commands or outputs that include values that aren’t available until you create or update a stack.
The development team at a company creates serverless solutions using AWS Lambda. Functions are invoked by clients via AWS API Gateway which anyone can access. The team lead would like to control access using a 3rd party authorization mechanism.
As a Developer Associate, which of the following options would you recommend for the given use-case?
Use API Gateway Lambda authorizers
A Lambda authorizer (formerly known as a custom authorizer) is an API Gateway feature that uses a Lambda function to control access to your API.
A Lambda authorizer is useful if you want to implement a custom authorization scheme that uses a bearer token authentication strategy such as OAuth or SAML, or that uses request parameters to determine the caller’s identity.
When a client makes a request to one of your API’s methods, API Gateway calls your Lambda authorizer, which takes the caller’s identity as input and returns an IAM policy as output.
There are two types of Lambda authorizers:
- A token-based Lambda authorizer (also called a TOKEN authorizer) receives the caller's identity in a bearer token, such as a JSON Web Token (JWT) or an OAuth token.
- A request parameter-based Lambda authorizer (also called a REQUEST authorizer) receives the caller's identity in a combination of headers, query string parameters, stageVariables, and $context variables. For WebSocket APIs, only request parameter-based authorizers are supported.
You are creating a CloudFormation template to deploy your CMS application running on an EC2 instance within your AWS account. Since the application will be deployed across multiple regions, you need to create a map of all the possible values for the base AMI.
How will you invoke the !FindInMap function to fulfill this use case?
The intrinsic function Fn::FindInMap returns the value corresponding to keys in a two-level map that is declared in the Mappings section.
Fn::FindInMap: [ MapName, TopLevelKey, SecondLevelKey ]
Fn::ImportValue
The intrinsic function Fn::ImportValue returns the value of an output exported by another stack. You typically use this function to create cross-stack references. In the following example template snippets, Stack A exports VPC security group values and Stack B imports them.
Export – The name of the resource output to be exported for a cross-stack reference.
Stack A (exports the values):
"Outputs" : {
  "PublicSubnet" : {
    "Description" : "The subnet ID to use for public web servers",
    "Value" : { "Ref" : "PublicSubnet" },
    "Export" : { "Name" : { "Fn::Sub" : "${AWS::StackName}-SubnetID" } }
  },
  "WebServerSecurityGroup" : {
    "Description" : "The security group ID to use for public web servers",
    "Value" : { "Fn::GetAtt" : [ "WebServerSecurityGroup", "GroupId" ] },
    "Export" : { "Name" : { "Fn::Sub" : "${AWS::StackName}-SecurityGroupID" } }
  }
}
Stack B (imports them):
"Resources" : {
  "WebServerInstance" : {
    "Type" : "AWS::EC2::Instance",
    "Properties" : {
      "InstanceType" : "t2.micro",
      "ImageId" : "ami-a1b23456",
      "NetworkInterfaces" : [{
        "GroupSet" : [ { "Fn::ImportValue" : { "Fn::Sub" : "${NetworkStackNameParameter}-SecurityGroupID" } } ],
        "AssociatePublicIpAddress" : "true",
        "DeviceIndex" : "0",
        "DeleteOnTermination" : "true",
        "SubnetId" : { "Fn::ImportValue" : { "Fn::Sub" : "${NetworkStackNameParameter}-SubnetID" } }
      }]
    }
  }
}
Fn::Sub
The intrinsic function Fn::Sub substitutes variables in an input string with values that you specify. In your templates, you can use this function to construct commands or outputs that include values that aren’t available until you create or update a stack.
{ "Fn::Sub" : [ String, { Var1Name: Var1Value, Var2Name: Var2Value } ] }
{ "Fn::Sub" : String }
Fn::Transform
The intrinsic function Fn::Transform specifies a macro to perform custom processing on part of a stack template. Macros enable you to perform custom processing on templates, from simple actions like find-and-replace operations to extensive transformations of entire templates. For more information, see Using AWS CloudFormation macros to perform custom processing on templates.
{ "Fn::Transform": { "Name": "macro name", "Parameters": { "Key": "value" } } }
The development team at a retail organization wants to allow a Lambda function in its AWS Account A to access a DynamoDB table in another AWS Account B.
As a Developer Associate, which of the following solutions would you recommend for the given use-case?
Create an IAM role in account B with access to DynamoDB. Modify the trust policy of the role in Account B to allow the execution role of Lambda to assume this role. Update the Lambda function code to add the AssumeRole API call
You can give a Lambda function created in one account (“account A”) permissions to assume a role from another account (“account B”) to access resources such as DynamoDB or S3 bucket. You need to create an execution role in Account A that gives the Lambda function permission to do its work. Then you need to create a role in account B that the Lambda function in account A assumes to gain access to the cross-account DynamoDB table. Make sure that you modify the trust policy of the role in Account B to allow the execution role of Lambda to assume this role. Finally, update the Lambda function code to add the AssumeRole API call.
Managing concurrency for a Lambda function
There are two types of concurrency available:
Provisioned concurrency – It initializes a requested number of execution environments so that they are prepared to respond to your function’s invocations.
You can configure it with Auto Scaling or on a schedule.
Reserved concurrency – It creates a pool of concurrency that can only be used by its function; no other function can use that concurrency.
A Developer has been entrusted with the job of securing certain S3 buckets that are shared by a large team of users. The last time a bucket policy was changed, the bucket was erroneously made available to everyone, including users outside the organization.
Which feature/service will help the developer identify similar security issues with minimum effort?
IAM Access Analyzer - AWS IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity. This lets you identify unintended access to your resources and data, which is a security risk.
You can set the scope for the analyzer to an organization or an AWS account. This is your zone of trust. The analyzer scans all of the supported resources within your zone of trust. When Access Analyzer finds a policy that allows access to a resource from outside of your zone of trust, it generates an active finding.
IAM Access Analyzer vs. IAM access advisor:
- AWS IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity. This lets you identify unintended access to your resources and data, which is a security risk. You can set the scope for the analyzer to an organization or an AWS account. This is your zone of trust. The analyzer scans all of the supported resources within your zone of trust. When Access Analyzer finds a policy that allows access to a resource from outside of your zone of trust, it generates an active finding.
- IAM access advisor helps you audit service access, remove unnecessary permissions, and set appropriate permissions providing the last timestamp when an IAM entity (e.g., user, role, or a group) accessed an AWS service.
The development team at an e-commerce company wants to run a serverless data store service on two Docker containers using shared memory.
Which of the following ECS configurations can be used to facilitate this use-case?
Put the two containers into a single task definition using a Fargate Launch Type
Amazon Elastic Container Service (Amazon ECS) is a highly scalable, fast, container management service that makes it easy to run, stop, and manage Docker containers on a cluster. You can host your cluster on a serverless infrastructure that is managed by Amazon ECS by launching your services or tasks using the Fargate launch type. For more control over your infrastructure, you can host your tasks on a cluster of Amazon Elastic Compute Cloud (Amazon EC2) instances that you manage by using the EC2 launch type.
A photo-sharing application manages its EC2 server fleet running behind an Application Load Balancer and the traffic is fronted by a CloudFront distribution. The development team wants to decouple the user authentication process for the application so that the application servers can just focus on the business logic.
Use Cognito Authentication via Cognito User Pools for your Application Load Balancer
Application Load Balancer can be used to securely authenticate users for accessing your applications.
This enables you to offload the work of authenticating users to your load balancer so that your applications can focus on their business logic. You can use Cognito User Pools to authenticate users through well-known social IdPs, such as Amazon, Facebook, or Google, through the user pools supported by Amazon Cognito or through corporate identities, using SAML, LDAP, or Microsoft AD, through the user pools supported by Amazon Cognito.
You configure user authentication by creating an authenticate action for one or more listener rules. The authenticate-cognito and authenticate-oidc action types are supported only with HTTPS listeners.
What intrinsic function should you use to reference a parameter?
For example, an Amazon EC2 AMI ID?
!Ref
Eg.
MyEIP:
  Type: "AWS::EC2::EIP"
  Properties:
    InstanceId: !Ref MyEC2Instance
What is the limit of the maximum number of messages that can be stored in an SQS queue?
No limit
There are no message limits for storing in SQS, but ‘in-flight messages’ do have limits. Make sure to delete messages after you have processed them.
(Limit: 120,000 in-flight messages, i.e., messages received from a queue by a consumer but not yet deleted.)
CloudFormation currently supports the following parameter types:
4 basic types, plus 7 AWS-specific (::EC2::) types:
- String – A literal string
- Number – An integer or float
- List<Number> – An array of integers or floats
- CommaDelimitedList – An array of literal strings that are separated by commas
- AWS::EC2::KeyPair::KeyName – An Amazon EC2 key pair name
- AWS::EC2::SecurityGroup::Id – A security group ID
- AWS::EC2::Subnet::Id – A subnet ID
- AWS::EC2::VPC::Id – A VPC ID
- List<AWS::EC2::VPC::Id> – An array of VPC IDs
- List<AWS::EC2::SecurityGroup::Id> – An array of security group IDs
- List<AWS::EC2::Subnet::Id> – An array of subnet IDs
Database engines where you can use: IAM database authentication
- RDS MySQL
- RDS PostgreSQL
With this authentication method, you don’t need to use a password when you connect to a DB instance. Instead, you use an authentication token.
If the deployment to Elastic Beanstalk is taking a very long time because dependencies are being resolved, you can use this kind of solution:
- Bundle the dependencies into the source code during the last stage of CodeBuild
- Because most dependent files do not change frequently between builds, you can noticeably reduce your build time by caching dependencies.
Is a subnet always associated with a route table?
A subnet is implicitly associated with the main route table if it is not explicitly associated with a particular route table
What are the mandatory sections in a SAM template?
- Transform
- Resources
What other sections does a SAM template have?
The same as a CloudFormation template, plus:
- Globals (optional)
Properties that are common to all your serverless functions, APIs, and simple tables.
Scenario: on the Amazon EC2 instances for Auto Scaling, only basic monitoring is active. What type of monitoring is active by default when you create the launch configuration via:
- SDK: Detailed (1 minute)
- AWS Management Console: Basic (5 minutes)
- CLI: Detailed (1 minute)
You can enable detailed monitoring on an instance as you launch it, or after the instance is running or stopped:
aws ec2 monitor-instances --instance-ids i-1234567890abcdef0
What is an IOP?
Input/output operations per second (IOPS).
What is the maximum ratio of provisioned IOPS to the requested volume size (in GiB)?
50:1
50 IOPS : 1 GiB
5,000 IOPS : 100 GiB volume
A 200 GiB volume with 15,000 IOPS is incorrect because 15,000 / 50 = 300 GiB and 300 > 200
One of the EC2 instances has been reported as unhealthy. What does the ASG do with the unhealthy instance?
The ASG will terminate the EC2 Instance
You need to generate a report of code builds, success and failure, time spent, team members.
What can you use for this?
S3 and CloudWatch Logs integration
AWS CodeBuild monitors functions on your behalf and reports metrics through Amazon CloudWatch. These metrics include the number of total builds, failed builds, successful builds, and the duration of builds. You can monitor your builds at two levels: Project level, AWS account level.
You need to encrypt and decrypt data over 1 MB at runtime.
What type of encryption do you have to use?
Use envelope encryption and reference the data as a file within the code
While AWS KMS does support sending data up to 4 KB to be encrypted directly, envelope encryption can offer significant performance benefits. When you encrypt data directly with AWS KMS it must be transferred over the network. Envelope encryption reduces the network load since only the request and delivery of the much smaller data key go over the network. The data key is used locally in your application or encrypting AWS service, avoiding the need to send the entire block of data to AWS KMS and suffer network latency.
To encrypt 1 MB, you need to use the AWS Encryption SDK and package the encrypted file with the Lambda function.
What is the maximum total size of Lambda environment variables?
4 KB
You want to make sure that the application’s serverless backend running via Lambda functions does not hit latency bottlenecks as a result of the traffic spike.
Configure Application Auto Scaling to manage Lambda provisioned concurrency on a schedule
Use scheduled scaling to increase provisioned concurrency in anticipation of peak traffic. To increase provisioned concurrency automatically as needed, use the Application Auto Scaling API to register a target and create a scaling policy.
How can I use a single SSH key pair for all my AWS Regions?
To use a single SSH key pair for all your AWS Regions, first generate a public SSH key from the private SSH key. Then import the public key into each of your AWS Regions.
Steps:
- Generate a public SSH key (.pub) file from the private SSH key (.pem) file.
- Set the AWS Region you wish to import to.
- Import the public SSH key into the new Region.
How can I back up a DynamoDB table to Amazon S3?
DynamoDB offers two built-in backup methods:
- On-demand: Create backups when you choose.
- Point-in-time recovery: Enable automatic, continuous backups.
DynamoDB's export-to-S3 feature exports table data in DynamoDB JSON or Amazon Ion format only. If you want to export table data in a different format, use Data Pipeline, Amazon EMR, or AWS Glue.