Scenarios and Important Concepts

Question 1

You configured an HTTPS subscription for an SNS topic, but for some reason your HTTPS endpoint is not receiving any messages. How can you troubleshoot the problem?

Answer 1

Configure delivery status logging and analyze delivery failures in CloudWatch Logs.

Question 2

You are publishing messages to an SNS topic and are expecting to have subscribers using different delivery protocols. How can you make sure that your messages will be readable by each platform?

Answer 2

Write your messages in a JSON format. You will then need to add a specific version of the message only for the platforms that differ from the default.

Question 3

You are working on a new project involving the creation of Lambda functions for a Serverless Web Application. A large team of developers will work on this project performing multiple changes to the Lambda function code. As the best practice, you have been asked to publish a version while creating a Lambda function or updating a function code. Which of the following is
TRUE with regards to the published version of a Lambda Function?

1. A published version is a snapshot of function code and has the same version number when a previous version is deleted & recreated.
2. A published version is a snapshot of function code and has a unique Amazon Resource Name that can be updated using “UpdateFunctionCode.”
3. A published version is a snapshot of function code and configuration that can be updated using the “Publish” parameter.
4. A published version is a snapshot of function code and configuration thatcan’t be changed.

Answer 3

4. A published version is a snapshot of function code and configuration thatcan’t be changed.

A Publish version is a snapshot copy of a Lambda Function code & configuration in $LATEST version. No configuration changes can be done to a published version & it has a unique ARN
which can’t be modified.

Question 4

An organization is using AWS Elastic Beanstalk for a web application. The Developer needs to configure the Elastic Beanstalk environment with deployment methods to create new instances and deploy code to those instances.
What are the 2 deployment methods that will deploy code ONLY to new instances?

Answer 4

• Immutable deployments
• Blue/Green deployment

Both allow you to have seperate deployments.

All at Once is not an option in the scenario because then your enironment is completely out of service.

Question 5

You are using AWS SAM templates to deploy a serverless application. Which resource will embed nested applications from Amazon S3 buckets?

Answer 5

AWS : : Serverless : : Application

This is the template used to embed applications from S3 buckets/

Seperate templates exist for Lambda Layered functions and for creating lambda functions.

Question 6

For SAM application, what does the AWS::Serverless::LayerFunction resource type create?

Answer 6

Lambda layered functions

Question 7

For SAM application, what does the AWS::Serverless::Function resource describe?

Answer 7

describes the configuration for creating a Lambda function

Question 8

You have created 3-stages in your codePipline:

Source -> Build -> Staging

Your build failes during hte ‘Build’ phase. What happens?

Answer 8

The entire process will halt

Question 9

Your team has completed development of an application. Now, this needs to be deployed to an application on an EC2 Instance. The Application data will be stored on a separate volume which
needs to be encrypted at rest. How can you ensure this requirement is met?

Answer 9

Make sure that the EBS volume is encrypted at its creation time.

Question 10

In API Gateway, how can you pass a stage variable to an HTTP URL? (There are 2)

Answer 10

1. http://example.com/${stageVariables.variable}/prod
2. http://${stageVariables.variable}.example.com/dev/operation

Question 11

When can a stage variable be used as part of the HTTP integration URL?

Answer 11

1. A full URI without protocol
2. A full domain
3. A subdomain
4. A path
5. A query string

Question 12

A developer is building an application that needs access to an S3 bucket. An IAM role is created with the requireed permissions to access the S3 bucket. Which API call should hte developer use in the application so that the code can access the S3 Bucket?

Answer 12

STS:AssumeRole

Question 13

A developer has recently deployed as AWS lambda function that computes a Fibonacci sequence using recursive Lambda invocations. A pre-defined AWS IAM policy is being used for this function, and only the requried dependencies are packaged. A few days after deployment, the Lambda function is being throttled. What should the Developer have done to prevent this, accoring to best practice?

Answer 13

Avoid the use of recursive code.

Using recursive code in a lambda function can lead to unintended volume of function invocations and escalated costs.

Question 14

If you accidentally build a Lambda code that contains a recursive fuction, what action(s) should you take immediately while you update the code?

Answer 14

Set the function concurrent execution limit to ‘0’ (zero) immediately to throttle all invocations of the functions while you update the code.

Question 15

A company is writing a Lambda function that will run in multiple stages (dev, test, prod). The function is dependent on several external services, and it must call different endpoints for these services based on the functions deployment stage. What lambda feature will enable the developer to ensure that the code references the correct endpoints when running in each stage?

Answer 15

Environment Variables

You can create different environment variables in the Lambda’s function that can be used to point to the different services.

Question 16

An application is publishig a custom CloudWatch metric any time an HTTP 504 error appears in the application logs. There errors are being recieved intermittenly. There is a CloudWatch alarm for this metric and the developer would like the alarm to trigger ONLY if it breaches two evaluation periods or more. What should be done to meet this requirement?

Answer 16

The evaluation period and Data Points to Alarm should be set to 2 when creating this alarm.

When you create an alarm, you specify 3 settings to enable CloudWatch to evaluate when to change the alarm state:

Period, Evaluation Period, and Datapoints to Alarm

Question 17

A company is currently using API Gateway services for development. You need to control the behavior of an API’s front-end interactions. What are the 2 main things you can do to acheive this?

Answer 17

As a developer you control the behaviors fo your API’s frontend interactions by configuring the method request and response.

Question 18

A company is currently using API Gateway services for development. You need to control the behavior of an API’s back-end interactions. What are the 2 main things you can do to acheive this?

Answer 18

As a developer, you can control the behaviors of you API’s backend interactions by setting up the integration reponse and integration request.

Question 19

You are using AWS Envelope Encryption to encrypt all of your sensitive data. How is unencrypted data encrypted using this service?

Answer 19

Data is encrypted using a plaintext Data key. This Data key is further encrypted using a plaintext Master Key.

This plaintext Master Key is securely stored in AWS KMS and is refered to a Customer Master Key.

Question 20

You’ve been given a requirement to customize the content which is distributed to users via CloudFront Distribution. The content origin is an S3 bucket. How could you achieve this?

Answer 20

Consider using Lambda@Edge - this lets you execute functions that customize the content that cloudFront delievers.

NOTE: You could add an event to the S3 bucket and make that event invoke a Lambda function that would customize content, but this would not be the simpliest solution.

Question 21

You are developing an appliction that has a key requirement from an architecture point of view to decouple the entire system to ensure less dependency. What is the most suitabe service to help achieve this?

Answer 21

AWS Simple Queue Service

Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications.

Question 22

What is AWS Opswork?

Answer 22

A configuration management service that provides managed instances of Chef and Puppet. Chef and Puppet are automation platforms that allow you to use code to automate the configurations of your servers. OpsWorks lets you use Chef and Puppet to automate how servers are configured, deployed, and managed across your Amazon EC2 instances or on-premises compute environments.

Question 23

An application has been making use of DynamoDB for its backend datastore. The size of the tables has grown to 20GB, and the scans on the table are causing throttling errors. What can you implement to avoid these errors?

Answer 23

Reduce the page size

The scan operation provides a limit paramter that you can use to set the page size for your request. Each query or scan request with a smaller page size uses fewer RCUs and creates a ‘pause’ between each request.

Question 24

Your company has developed a web application and is hosting it in an Amazon S3 bucket configured for statis web hosting. The users can log in to this app using their Google / Facebook login accounts. The application uses the AWS SDK for JavaScript in the browser to access data stored in a Amazon DynamoDB table. How can you ensure that API keys for access to your data in DynamoDB are kept secure?

Answer 24

Configure a web identity federation role within IAM to enable access to the correct DynamoDB resources and retrieve temporary credentials.

Question 25

What is web identity federation?

Answer 25

Using a well known identity provider (IdP) to recieve an authentication token, and then exchange that token for temporary security credential in AWS that map to an IAM role with permissions to use the resources in your AWS account.

Question 26

Why does using a Well-Known Idenity Provider help keep your account secure?

Answer 26

Because you do not have to embed and distribute long-term security credentials within your application.

Question 27

You are planning to deploy a built application onto an EC2 Instance. There will be several tests conducted on this instance. You want to have the ability to capture the logs from the web server to help diagnose any issues if they occur. How can you achieve this?

Answer 27

Install CloudWatch agent on the Instance and configure it to send the webs server logs to a central location in cloudWatch.

Question 28

You’ve developed a set of scripts using AWS lambda. These scripts need to access EC2 Instances in a VPC.What needs to be done to ensure that the AWS lambda function can access the resources in the VPC?

Answer 28

AWS lambda runs your functions code securely within a VPC by default. However, to enable your Lambda function to access resources inside your private VPC, you must provide additional VPC-specific cofiguration information that includes VPC subnet ID’s and Security Group ID’s.

Question 29

You’ve currently been tasked to migrate an existing on-premises environment to Elastic Beanstalk. The application does not make use of Docker containers. You also can not see any relevant environments in the beanstalk service that woud be suitable to host your application. What should you consider doing in this case?

Answer 29

Consider using Packer to create a custom platform.

Question 30

You are using AWS SAM to define a Lambda function and configure CodeDeploy to manage deployment patterns. You would like to gradually shift customers over to the newly deployed version. What are the three deployment preference types that could be used to achieve this?

Answer 30

1. Canary - Traffic is shifted in 2 increments.
2. Linear - Traffic is shifted in equal increments with an equal number of minuted between each increment.
3. All-at-Once - All traffic is shifted from the original lambda function to the updated Lambda function version at once.

Question 31

What is the formula to calculate DynamoDB RCU’s for eventually consistent reads?

Answer 31

(# of items/second * # of actions needed) / 2

Where # of actions needed is based on 4Kb of data for each read.

Question 32

What is the formula to calculate # of WCU’s for DynamoDB

Answer 32

(# of items/second * # of actions needed)

Wherer # of actions needed is based on 1Kb of data for each write.

Question 33

What is the formula to calculate DynamoDB RCU’s for strongly consistent reads?

Answer 33

(# of items/second * # of actions needed) / 1

Where # of actions needed is based on 4Kb of data for each read.

Question 34

When should you choose to use AWS Opsworks over CloudFormation?

Answer 34

You should use OpsWorks in place of CloudFormation if you need to deploy an application that requires updates to its EC2 instances. If your application uses a lot of AWS resources and services, including EC2, use a combination of CloudFormation and OpsWorks.

Question 35

When should you choose ElasticBean stalk over CloudFormation?

Answer 35

Elastic Beanstalk deploys the required web servers and configures auto-scaling, monitoring, logging and alerting for you. If your application fits entirely inside Elastic Beanstalk, then you may not need additional tools.

Most likely, however, your application will need other AWS resources, such as database or storage service. In this scenario, use CloudFormation to deploy Elastic Beanstalk along with the other resources.

Question 36

My deployments on Elastic Beanstalk have been painfully slow, and after looking at the logs, I realize this is due to the fact that my dependencies are resolved on each EC2 machine at deployment time. How can I speed up my deployment with the minimal impact?

Answer 36

Resolve dependencies beforehand, package them in a zipfile, and upload them to ElasticBeanstalk.

Question 37

What service does Elastic Beanstalk use under the hood?

Answer 37

CloudFormation

Question 38

You would like your Elastic Beanstalk environment to expose an HTTPS endpoint instead of an HTTP endpoint in order to get in-flight encryption between your clients and your web servers. What must be done to setup HTTPS on Beanstalk?

Answer 38

create a .ebextensions/elb.config file to configure the Load Balancer

Question 39

You are looking to perform a set of repetitive and scheduled tasks asynchronously. Which Elastic Beanstalk environment should you setup?

Answer 39

Setup a worker environment and a cron.yaml file

Question 40

How do you give cross account access to your Code Commit repository?

Answer 40

Use an IAM Role in your AWS account and use AWS STS with the AssumeRole API

Question 41

Describe CodeCommit/GIT Authentication

Answer 41

• SSH Keys - can be configured in a users IAM Console
• HTTPS - done throught CLI Authtentication helper
• MFA - can be enabled for extra security

Question 42

Describe CodeCommit/Git Authorization

Answer 42

IAM policies manage user / roles rights to repos

Question 43

How is code commit encrypted?

Answer 43

At reset using AWS KMS

In transist with SSH or HTTPS

Question 44

If you want to recieve notification from CodeCommit about changes related to the code, what AWS services can you use to trigger notifications?

Answer 44

AWS Lambda or AWS SNS

Examples:

• Deletion of branches (someone deleted code)
• pushes that happens in the master branch (someone added to the code)
• Notify external build system
• perform codebase analysis (check to make sure cred aren’t in code)

Question 45

If you want to recieve notification from CodeCommit about pull requests, what AWS services can you use to trigger notifications?

Answer 45

CloudWatch Event Rules

Examples

• pull request updates
• commit comments (not the commit itself, just the comments on the commit)
• cloudwatch event rules can go into an SNS topic

Question 46

In CodePipeline, can action groups have multiple stages or can stages have multiple actions groups?

Answer 46

stages can have multiple actions groups

action groups can be sequential or parallel

Question 47

What must be runing on EACH EC2 machine (or on remise machine) for Code Deploy to work?

Answer 47

CodeDeploy Agent

It continuously polls AWS CodeDeploy for work to do

Question 48

What is a CodeDeploy target?

Answer 48

EC2 instance with tags or an ASG

Question 49

Your CodePipeline hasn’t deployed code to Elastic Beanstalk even though you’ve pushed code to your CodeCommit repository. It used to work 10 minutes ago. What reason is the most likely to explain that situation?

a. The IAM permissions are wrog
b. CodePipeline is waiting for manual approval
c. Your CodeBuild stage probably failed some tests
d. Someone has deleted the Elastic Beanstalk environment

Answer 49

c. Your CodeBuild stage probably failed some tests

Question 50

You would like to improve the performance of your CodeBuild build. You realize that 15 minutes at each build is spent on pulling dependencies from remote repositories and that takes a while. What should you do to drastically speed up the build time?

Answer 50

Change buildspec/yml to enable dependency caching in Amazon S3

Question 51

You would like to deploy static web files to Amazon S3 automatically, after generating the static websites from markdown files. Which services should you use for this?

Answer 51

CodePipeline and CodeBuild

CodeBuild can run any commands, so you can use it to run commands incuding generating a static website and copy your static webfiles to Amazon S3.

Question 52

Which hook step should be used in appspec.yml file to ensure the application is properly running after being deployed?

Answer 52

ValidateService

Question 53

You would like to have a one-stop dashboard for all the CICD needs of one of your projects. You don’t need heavy control of the individual configuration of each components in your CICD, but need to be able to get a holistic view of your projects. Which service do you recommend?

Answer 53

CodeStar

Question 54

when and why would you use AWS CloudFormation within AWS CodePipeline?

Answer 54

You can select/use CloudFOrmation as a deployment action in any stage of the CodePipeline. AWS recommends using AWS CloudFormation in an AWS CodePipeline project to track infrastructure changes and tests.

Question 55

What are two deployment methods supported by AWS CI/CD process?

Answer 55

AWS CodeDeploy

AWS Elastic Beanstalk

Question 56

Which is the only resource-based policy that the IAM service supports?

Answer 56

Trust Policy

Question 57

In addition to regular sign-in credentials, AWS supports Multi-Factor Authentication (MFA) for accounts with privileged access.

Which of the following MFA mechanisms is NOT for root user authentication?

1. Hardware MF device
2. U2F security key
3. Virtual MFA device
4. SMS text-message based MFA

Answer 57

SMS text message based device

Question 58

In SQS can you change the queue type once a queue has been created.

Answer 58

No.

You can’t change the queue type after you create it and you can’t convert an existing standard queue into a FIFO queue. You must either create a new FIFO queue for your application or delete your existing standard queue and recreate it as a FIFO queue.

Question 59

The development team at a company creates serverless solutions using AWS Lambda. Functions are invoked by clients via AWS API Gateway which anyone can access. The team lead would like to control access using a 3rd party authorization mechanism.

As a Developer Associate, what would you recommend for the given use-case?

Answer 59

“Lambda Authorizer”

An Amazon API Gateway Lambda authorizer (formerly known as a custom authorizer) is a Lambda function that you provide to control access to your API. A Lambda authorizer uses bearer token authentication strategies, such as OAuth or SAML. Before creating an API Gateway Lambda authorizer, you must first create the AWS Lambda function that implements the logic to authorize and, if necessary, to authenticate the caller.

Question 60

How does KMS encryption work?

Answer 60

KMS stores the CMK, and receives data from the clients, which it encrypts and sends back

Question 61

Can exported output values from CloudFormation be duplicated within a single region?

Answer 61

No.

Exported Output Values in CloudFormation must have unique names within a single Region.

Question 62

In CloudFormation, can you create cross-stack references across regions?

Answer 62

No.

You can use the intrinsic finction Fn::ImportValue to import only values that have been exported within the same region.

Question 63

A cybersecurity firm wants to run their applications on single-tenant hardware to meet security guidelines.

Which instance type is the MOST cost-effective way of isolating their Amazon EC2 instances to a single tenant?

Answer 63

Dedicated Instance

Dedicated Instances are Amazon EC2 instances that run in a virtual private cloud (VPC) on hardware that’s dedicated to a single customer. Dedicated Instances that belong to different AWS accounts are physically isolated at a hardware level, even if those accounts are linked to a single-payer account.

A dedicated Host would also work to seperate but is more expensive then a dedicated instance.

Question 64

Which of the following security credentials can only be created by the AWS Account root user?

1. IAM User Access Keys
2. EC2 Instance Key Pairs
3. IAM User Passwords
4. CloudFront Key Pairs

Answer 64

CloudFront Key Pairs

For Amazon CloudFront, you use key pairs to create signed URLs for private content, such as when you want to distribute restricted content that someone paid for.

IAM users can’t create CloudFront key pairs. You must log in using root credentials to create key pairs.

Question 65

What is the simpliest way to configure multi-region access using AWS CLI?

Answer 65

Use the –region parameter

Question 66

An application is hosted by a 3rd party and exposed at yourapp.3rdparty.com. You would like to have your users access your application using www.mydomain.com, which you own and manage under Route 53.

What Route 53 record should you create?

Answer 66

Create a CNAME record

A CNAME record maps DNS queries for the name of the current record, such as acme.example.com, to another domain (example.com or example.net) or subdomain (acme.example.com or zenith.example.org).

Question 67

What credentail types can be used to access AWS CodeCommit?

Answer 67

Git Credentials

AWS Access Keys

SSH keys

Question 68

Can IAM username and password be used to access AWS CodeCommit?

Answer 68

No.

Only AWS Access Keys, SSH, or Git cerdentials

Question 69

An e-commerce company has developed an API that is hosted on Amazon ECS. Variable traffic spikes on the application are causing order processing to take too long. The application processes orders using Amazon SQS queues. The ApproximateNumberOfMessagesVisible metric spikes at very high values throughout the day which triggers the CloudWatch alarm. Other ECS metrics for the API containers are well within limits.

As a Developer Associate, what will you recommend for improving performance while keeping costs low?

Answer 69

Use backlog per instance metric with target tracking scaling policy

If you use a target tracking scaling policy based on a custom Amazon SQS queue metric, dynamic scaling can adjust to the demand curve of your application more effectively.

Question 70

When setting up an EC2 instance, User Data is generally used to perform common automated configuration tasks and even run scripts after the instance starts.

What are 5 defaults you as a developer should be aware of when using User Data?

Answer 70

1. By default, scripts entered as user data do not have root user privileges for executing
2. When an instance is running, you can update user data by using root user credentials.
3. By default, user data is executed every time an EC2 instance is re-started.
4. By default, user data runs only during the boot cycle when you first launch an instance.
5. By default, scripts entered as user data are executed with root user privileges.

Question 71

After a test deployment in ElasticBeanstalk environment, a developer noticed that all accumulated Amazon EC2 burst balances were lost.

What can lead to this behavior?

Answer 71

Some policies replace all instances during the deployment or update. This causes all accumulated Amazon EC2 burst balances to be lost. It happens in the following cases:

1. Managed platform updates with instance replacement enabled
2. Immutable updates
3. Deployments with immutable updates or traffic splitting enabled

Question 72

A startup with newly created AWS account is testing different EC2 instances. They have used Burstable performance instance - T2.micro - for 35 seconds and stopped the instance.

At the end of the month, what is the instance usage duration that the company is charged for?

Answer 72

0 seconds

AWS states that, if your AWS account is less than 12 months old, you can use a t2.micro instance for free within certain usage limits.

Question 73

A multi-national company has just moved to AWS Cloud and it has configured forecast-based AWS Budgets alerts for cost management. However, no alerts have been received even though the account and the budgets have been created almost three weeks ago.

What could be the issue with the AWS Budgets configuration?

Answer 73

AWS requires approximately 5 weeks of usage data to generate budget forecasts. If you set a budget to alert based on a forecasted amount, this budget alert isn’t triggered until you have enough historical usage information.

Question 74

When running a Rolling deployment in Elastic Beanstalk environment, only two batches completed the deployment successfully, while rest of the batches failed to deploy the updated version. Following this, the development team terminated the instances from the failed deployment.

What will be the status of these failed instances post termination?

Answer 74

Elastic Beanstalk will replace them with instances running the application version from the most recent successful deployment

Question 75

A development team wants to build an application using serverless architecture. The team plans to use AWS Lambda functions extensively to achieve this goal. The developers of the team work on different programming languages like Python, .NET and Javascript. The team wants to model the cloud infrastructure using any of these programming languages.

Which AWS service/tool should the team use for the given use-case?

Answer 75

The AWS Cloud Development Kit (AWS CDK) is an open-source software development framework to define your cloud application resources using familiar programming languages.

NOTE - The key here is that they want to use a programming language. Therefore the CDK is the best option.

If the team prefered defining the serverless infrastructure in concise declarative templates, SAM is the better fit.

Question 76

As a developer, you are working on creating an application using AWS Cloud Development Kit (CDK).

What is the correct order of steps to be followed for creating an app using AWS CDK?

Answer 76

1. Create the app from a template provided by AWS CDK ->
2. Add code to the app to create resources within stacks ->
3. Build the app (optional) ->
4. Synthesize one or more stacks in the app ->
5. Deploy stack(s) to your AWS account

Question 77

A development team has configured inbound traffic for the relevant ports in both the Security Group of the EC2 instance as well as the Network Access Control List (NACL) of the subnet for the EC2 instance. The team is, however, unable to connect to the service running on the Amazon EC2 instance.

As a developer associate, which of the following will you recommend to fix this issue?

Answer 77

Security Groups are stateful, so allowing inbound traffic to the necessary ports enables the connection.

Network ACLs are stateless, so you must allow both inbound and outbound traffic.

Question 78

A company has hired you as an AWS Certified Developer Associate to help with redesigning a real-time data processor. The company wants to build custom applications that process and analyze the streaming data for its specialized needs.

Which solution will you recommend to address this use-case?

Answer 78

Use Kinesis Data Streams to process the data streams as well as decouple the producers and consumers for the real-time data processor.

NOTE - Kinesis Firehose s the easiest way to load streaming data into data stores and analytics tools. Kinesis Firehose cannot be used to process and analyze the streaming data in custom applications.

Question 79

An organization has hosted its EC2 instances in two AZs.

AZ1 has two instances and AZ2 has 8 instances.

The Elastic Load Balancer managing the instances in the two AZs has cross-zone load balancing enabled in its configuration.

What percentage traffic will each of the instances in AZ1 receive?

Answer 79

10

When cross-zone load balancing is enabled, each of the 10 targets receives 10% of the traffic. This is because each load balancer node can route its 50% of the client traffic to all 10 targets (present in both AZs).

Question 80

To enable HTTPS connections for his web application deployed on the AWS Cloud, a developer is in the process of creating server certificate.

Which AWS entities can be used to deploy SSL/TLS server certificates?

Answer 80

IAM

AWS Certificate Manager

Question 81

A development team wants to deploy an AWS Lambda function that requires significant CPU utilization.

As a Developer Associate, which of the following would you suggest for reducing the average runtime of the function?

Answer 81

Deploy the function with its memory allocation set to the maximum amount

Question 82

A developer has been asked to create an application that can be deployed across a fleet of EC2 instances. The configuration must allow for full control over the deployment steps using the blue-green deployment.

Which service will help you achieve that?

Answer 82

CodeDeploy

The blue/green deployment type uses the blue/green deployment model controlled by CodeDeploy. This deployment type enables you to verify a new deployment of service before sending production traffic to it.

With CodeDeploy, you can choose the specific settings for your blue/green deployments. For example, you can choose to manually provision the new instances or let CodeDeploy provision them for you by copying an existing Auto Scaling group. You can also choose when to reroute traffic to the new instances, the rate at which traffic is routed to them, and whether to terminate your old instances upon completion.

Question 83

The development team has just configured and attached the IAM policy needed to access AWS Billing and Cost Management for all users under the Finance department. But, the users are unable to see AWS Billing and Cost Management service in the AWS console.

What could be the reason for this issue?

Answer 83

You need to activate IAM user access to the Billing and Cost Management console for all the users who need access.

By default, IAM users do not have access to the AWS Billing and Cost Management console. You or your account administrator must grant users access. You can do this by activating IAM user access to the Billing and Cost Management console and attaching an IAM policy to your users. Then, you need to activate IAM user access for IAM policies to take effect. You only need to activate IAM user access once.

Question 84

A developer is testing Amazon Simple Queue Service (SQS) queues in a development environment. The queue along with all its contents has to be deleted after testing.

Which SQS API should be used for this requirement?

Answer 84

DeleteQueue

Question 85

A developer at a company is trying to create a digital signature for SSH’ing into the Amazon EC2 instances.

What entity can be used to facilitate this use-case?

Answer 85

key pairs

Key pairs consist of a public key and a private key. You use the private key to create a digital signature, and then AWS uses the corresponding public key to validate the signature. Key pairs are used only for Amazon EC2 and Amazon CloudFront.

Question 86

Which section of a CloudFormation template does not allow for conditions?

Answer 86

Parameters

Question 87

A development team lead is configuring policies for his team at an IT company.

Which policy types only limit permissions but cannot grant permissions?

Answer 87

AWS Organizations Service Control Policy (SCP) - SCPs limit permissions that identity-based policies or resource-based policies grant to entities (users or roles) within the account, but do not grant permissions.

Permissions boundary -The policy defines the maximum permissions that the identity-based policies can grant to an entity, but does not grant permissions.

Question 88

Stateful vs Stateless

Answer 88

Security groups are stateful: This means any changes applied to an incoming rule will be automatically applied to the outgoing rule .

Network ACLs are stateless: This means any changes applied to an incoming rule will not be applied to the outgoing rule.

Question 89

A Lambda function with proper IAM roles has been developed with the default settings and uses Node.js. The function makes calls to a DynamoDB table. It is estimated that the Lambda function would run for 5 minutes. When the lambda function is executed, it does not add the required rows to the DynamoDB table and the function execution timeouts. What needs to be changed to ensure that the Lambda function works as desired?

Answer 89

Enlarge the timeout for the function.

If the lambda function was created with the default settings, it would have the default timeout of 30 seconds. Since the function executes in a timespan of 300 seconds, this value needs to be changed.

Question 90

What is the order of hooks in the appspec.yml file?

Answer 90

1. ApplicationStop
2. DownloadBundle
3. BeforeInstall
4. AfterInstall
5. ApplicationStart
6. ValidateService
7. BeforeAllowTraffic
8. AllowTraffic
9. AfterAllowTraffic

Question 91

You are developing a function that will be hosted in AWS Lambda. The function will be developed in .Net. Several external libraries are needed for the code to run. What is the best practice when it comes to working with external dependencies for AWS Lambda?

Answer 91

Selectively only include the libraries that are required.

Minimize your deployment package size to its runtime necessities. This will reduce the amount of time it takes for your deployment package to be downloaded and unpacked ahead of invocation. For functions authored in Java or .NET Core, avoid uploading the entire AWS SDK library as part of your deployment package. Instead, selectively depend on the modules which pick up components of the SDK you need.

Question 92

Your team has a Code Commit repository in your account. You need to give developers in another account access to your Code Commit repository. Which of the following is the most effective way to grant access?

Answer 92

Create a cross account role , give the role the privileges. Provide the role ARN to the developers.

Question 93

What are Amzon Cognito Streams?

Answer 93

Amazon Cognito Streams gives developers control and insight into their data stored in Amazon Cognito.

you need to select the Kinesis stream to publish to (or create a new steram) and an IAM role that grants Amazon Cognito permission to put events in the selected stream.

Question 94

Your team is developing a solution that will make use of DynamoDB tables. Currently, the application is designed to perform scans on the entire table. What can be done to re-design and improve the application’s performance when it interacts with the DynamoDB table?

Answer 94

• Consider using parallel scans
• Consider using queries

Question 95

You are using Amazon Cognito identity pools to assign authenticated SAML users temporary access for downloading data from Amazon S3 buckets. For this, you have created multiple rules for each role that gets assigned to users. What criteria is matched for evaluating these rules?

Answer 95

Rules are evaluated in sequential order & IAM role for first matching rule is used ,unless a ‘CustomRoleArn” is specified to override the order.

Question 96

You are developing a common lambda function that will be used across several developmentenvironments such as dev, qa, staging, etc. The lambda function needs to interact with each of
these development environments. What is the best way to develop the Lambda function?

Answer 96

Create one Lambda function and use environment variables for each environment to interact.

Question 97

You have defined some custom policies in AWS. You need to test out the permissions assigned to those policies. Which of the following can be used for this purpose via the CLI? Choose 2 answers from the options given below.

1. Get the context keys first.
2. Use the aws iam simulate-custom-policy command.
3. Get the AWS IAM Access keys first.
4. Use the aws iam get-custom-policy command.

Answer 97

• Get the context keys first.
• Use the aws iam simulate-custom-policy command.

Policy simulator commands typically require calling API operations to do two things.

1. Evaluate the policies and return the list of context keys that they reference. You need to know what context keys are referenced so that you can supply values for them in the next step.
2. Simulate the policies, providing a list of actions, resources, and context keys that are used during the simulation.

Question 98

You are developing a Java-based application that needs to make use of the AWS KMS service for encryption. What must be done for the encryption and decryption process?

Answer 98

• Use the Customer master key to generate a data key for the encryption process.
• Use the generated data key to decrypt the data.

Question 99

You have developed a Web-based application that makes calls to backend API. What headers are required by Web browsers to be set up in each API method which has CORS enabled?

Answer 99

To support CORS, API resource needs to implement an OPTIONS method to respond to the OPTIONS preflight request with the following headers.

• Access-Control-Allow-Headers
• Access-Control-Allow-Origin
• Access-Control-Allow-Methods

Question 100

Whae would CodeDeploy generate a error message of ”HEALTH_CONSTRAINTS_INVALID” ?

Answer 100

When a minimum number of healthy instances defined in the deployment group are not available during deployment. To
mitigate this error, reduce number of “healthy instances required” to less than the total number of instances.

Question 101

A company is storing sensitive data in their S3 bucket. The company policy states that all objects in the S3 bucket need to be encrypted at rest. What should the header include to help make sure this policy is met?

Answer 101

Deny permission to upload an object if the header does not include

x-amz-server-side-encryption

Question 102

What is a client 429 error and what can you do to help resolve it?

Answer 102

To many requests error (throttling)

Use exponential backoff in your requests

Question 103

In lambda, how can you adjust functions behavior without updating the code?

Answer 103

Use Environment Variables

Question 104

In order to run a worker role that is going to run periodic tasks in Elastic beanstalk, what file must be part of the deployment?

Answer 104

cron.yaml

Question 105

What is the default monitoring (basic or detailed) if an Auto Scaling group is created from the AWS console or launch configuration?

Answer 105

basic

Question 106

What is the default monitoring (basic or detailed) of an Auto Scaling group if its created from the AWS CLI or SDK?

Answer 106

detailed

Question 107

Which AWs RDS database engines can be configured with IAM Database Authentication?

Answer 107

RDS MySQL

RDS PostGreSQL

Question 108

What is the max size for environment variables?

Answer 108

4kb

Question 109

As a Team Lead, you are expected to generate a report of the code builds for every week to report internally and to the client. This report consists of the number of code builds performed for a week, the percentage success and failure, and overall time spent on these builds by the team members. You also need to retrieve the CodeBuild logs for failed builds and analyze them in Athena.

What AWS services can help you achieve this?

Answer 109

Enable S3 and CloudWatch Logs integration -

AWS CodeBuild monitors functions on your behalf and reports metrics through Amazon CloudWatch. These metrics include the number of total builds, failed builds, successful builds, and the duration of builds. You can monitor your builds at two levels: Project level, AWS account level. You can export log data from your log groups to an Amazon S3 bucket and use this data in custom processing and analysis, or to load onto other systems.

Question 110

How can a DynamoDB table be backed up to Amazon S3 and made accessible to you for further analysis?

Answer 110

Both On-Demand and Point-in time recovery crate backups in S3, BUT, you do not have access to these buckets.

To create backups that you can download locally you can:

• Use a Data Pipeline
• Use Hive with Amazon EMR
• Use Amazon Glue

Question 111

What mechanisms exist to control access and management to a REST API in API Gateway?

Answer 111

• Resource policies
• Standard IAM roles and ploicies
• IAM tags
• Endpoint policies for interface VPC endpoints
• Lambda Authorizers
• Amazon Cognito uer pools

Question 112

What is the maximum number of messages taht can be stored in an SQS Queue?

Answer 112

There is no limit for storing SQS.

There are in-flight message limits of (120,000)

Question 113

How do you re-use SSH keys accross AWS regions?

Answer 113

1. Generate a public SSH key (.pub) file from the private SSH key (.pem) file.
2. Set the AWS Region you wish to import to.
3. Import the public SSH key into the new Region.

Question 114

A developer is defining the signers that can create signed URLs for their Amazon CloudFront distributions.What should the deveoper consider while defining the signers?

Answer 114

• When you create a signer, the public key is with CloudFront and private key is used to sign a portion of URL
• When you use the root user to manage CloudFront key pairs, you can only have up to two active CloudFront key pairs per AWS account

Question 115

What is the difference between Lambda provisioned concurrency & Lambda reserved concurrency?

Answer 115

Reserved concurrency

Reserved concurrency guarantees the maximum number of concurrent instances for the function. These still have cold starts = latency. When a function has reserved concurrency, no other function can use that concurrency. There is no charge for configuring reserved concurrency for a function.

Provisioned concurrency

Provisioned concurrency initializes a requested number of execution environments so that they are prepared to respond immediately to your function’s invocations. This helps deal with the issue of cold starts - functions start faster. Note that configuring provisioned concurrency incurs charges to your AWS account.

Question 116

What is idempotency?

Answer 116

Refers to the capacity of an application or component to identify repeated events and prevent duplicated, inconsistent, or lost data.

Lambda functions should be idempotent - should treat duplicated events correctly.

Question 117

How do you make sure you can use Xray with your lambda function?

Answer 117

Make sure the LAMBDA execution roles has the right permissions to access Xray services.

Question 118

What is the reccommened pattern to encrypt data locally within your application (aka - outside of KMS)?

Answer 118

1. Use the GenerateDataKey operation to get a data key.
2. Use the plaintext data key (in the Plaintext field of the response) to encrypt your data outside of AWS KMS. Then erase the plaintext data key from memory.
3. Store the encrypted data key (in the CiphertextBlob field of the response) with the encrypted data.

Question 119

How does AWS reccomend to decrypt data outside of AWS KMS?

Answer 119

1. Use the Decrypt operation to decrypt the encrypted data key. The operation returns a plaintext copy of the data key.
2. Use the plaintext data key to decrypt data outside of AWS KMS, then erase the plaintext data key from memory.

Question 120

In order to enable CORs on a resource uisng API Gateway for a GET method, what actions needs to be performed for all types of responses except 200 response in case of Lambda integration?

Answer 120

Manually configure to return Access-Control-Allow-Origin header with (*) or specific origins to fulfil pref-flight handshakes.

Question 121

When creating a new DynamoDB table, what are the 3 possible customer master keys (CMK) you can choose to encrypt your table:

Answer 121

AWS owned CMK – Default encryption type. The key is owned by DynamoDB (no additional charge).

AWS managed CMK – The key is stored in your account and is managed by AWS KMS (AWS KMS charges apply).

Customer managed CMK – The key is stored in your account and is created, owned, and managed by you. You have full control over the CMK (AWS KMS charges apply).

Question 122

Should DAX custers be relied on for strongly consistent reads?

Answer 122

No. DAX passes strongly consistent read requests directly to DynamoDB. When it receives a response from DynamoDB, DAX returns the results to the client, but it does not cache the results. DAX ca NOT serve strongly consistent reads by itself because it’s not tightly coupled to DynamoDB.

Question 123

What does the Query operation in Amazon DynamoDB finds items based on?

Answer 123

You must provide the name of the partition key attribute and a single value for that attribute. Query returns all items with that partition key value. Optionally, you can provide a sort key attribute and use a comparison operator to refine the search results.

Question 124

You are working on creating CloudFormation templates for different environments. You want to be able to base the the create of environments on values passed at runtime to the template. How can you acheive this?

Answer 124

Specify a parameters section

Values to pass to your template at runtime (when you create or update a stack). You can refer to parameters from the Resources and Outputs sections of the template.

Question 125

You’ve started building an application on your on-prem network. You’re app needs to interact with Amazon S3 and DynamoDB tables. as the deveoepr, how do you ensure that your SDK can interact with these AWS resources?

Answer 125

Create an IAM user, generate access keys, and use those access keys in your application.

Think about how S3 is being used in my own apps.

Question 126

During an AWS CodeDeploy rollback, files required for deployment to an earlier version cannot be retrieved by AWS CodeDeploy.What steps need to be taken for a successful rollback?

Answer 126

Manually add the required files to Instance.

Create a new application revision.

Question 127

You have a set of developes that need to work with applications hosted on the Elastic Beanstalk environment. You need to ensure they can work with the beanstalk environments but not give them access to the AWS colsole. How can you achieve this in the BEST way possible?

Answer 127

As them to manage environments using the EB CLI.

The EB CLI is a command line interface for AWS Elastic Beanstalk that provides interactive commands that simplify creating, updating and monitoring environments from a local repository. Use the EB CLI as part of your everyday development and testing cycle as an alternative to the Elastic Beanstalk console.

Question 128

Your team lead has finished creating a build project in the console. You have access to run the build but not to access the project. You want to specify a different source location fo the build. How can you achieve this?

Answer 128

Specify the new location of the build in a new buildspec.yml file and use the start-build command

Question 129

How do you override the defaut build spec file name, location or both?

Answer 129

Run the AWS CLI create-project or update-project command, setting the buildspec value to the path to the alternate buildspec file relative to the value of the built-in environment variable CODEBUILD_SRC_DIR. You can also do the equivalent with the create project operation in the AWS SDKs.

Run the AWS CLI start-build command, setting the buildspecOverride value to the path to the alternate buildspec file relative to the value of the built-in environment variable CODEBUILD_SRC_DIR. You can also do the equivalent with the start build operation in the AWS SDKs.

Question 130

T/F

EBS volumes support both in-flight encrytion and encrption at rest using KMS

Answer 130

True

Question 131

What are some possible reasons that an ELB would route more traffic to one instance or AZ than then to other instances behind the same ELB?

Answer 131

Sticky sessions could be enabled on the load balancer

Instances of a specific capacity type aren’t equally distributed across AZs

Instances of similar capacities running on different Amazon Machine Images (AMIs)

Question 132

A company needs a solution for ingesting and analyzing multiple terabytes of real-time data its network generates daily in the form of flow logs. Which technology/service should the company use to ingest this data economically and has the flexibility to direct this data to other downstream systems?

Answer 132

Amazon Kinesis Data Streams

Question 133

You have been asked by your Team Lead to enable detailed monitoring of the Amazon EC2 instances your team uses. As a Developer working on AWS CLI, what command will you run?

Answer 133

aws ec2 monitor-instances –instance-ids i-1234567890abcdef0

Question 134

An IT company has migrated to a serverless application stack on the AWS Cloud with the compute layer being implemented via Lambda functions. The engineering managers would like to actively troubleshoot any failures in the Lambda functions.

As a Developer Associate, what is a possible solution to suggest for this use-case?

Answer 134

The developers should insert logging statements in the Lambda function code which are then available via CloudWatch logs

NOTE: Be careful not be be tricked by answer that refer to CloudWatch Events

Question 135

Your application is deployed automatically using AWS Elastic Beanstalk. Your YAML configuration files are stored in the folder .ebextensions and new files are added or updated often. The DevOps team does not want to re-deploy the application every time there are configuration changes, instead, they would rather manage configuration externally, securely, and have it load dynamically into the application at runtime.

What option allows you to do this?

Answer 135

Use SSM Parameter Store

AWS Systems Manager Parameter Store provides secure, hierarchical storage for configuration data management and secrets management. You can store data such as passwords, database strings, and license codes as parameter values. For the given use-case, as the DevOps team does not want to re-deploy the application every time there are configuration changes, so they can use the SSM Parameter Store to store the configuration externally.

Question 136

What are the four mechanisms available for controlling access to Amazon S3 resources?

Answer 136

1. Identity and Access Management (IAM) policies,
2. Bucket policies,
3. Access Control Lists (ACLs),
4. Query String Authentication.

Question 137

How do you capture a cliets IP address

Answer 137

Use the header X-Forwarded-For

Question 138

How are single-region CloudTrail trails created?

Answer 138

The can only be created using the AWS CLI

You must specifiy the S3 Bucket the logs are stored in

Question 139

What is an Organization Trail?

Answer 139

If you have created an organization in AWS Organizations, you can also create a cloud trail that will log all events for all AWS accounts in that organization. This is referred to as an organization trail.

By default, member accounts will not have access to the log files for the organization trail in the Amazon S3 bucket.

Question 141

What is GenerateDataKeyWithoutPlaintext and when would you use it?

Answer 141

GenerateDataKeyWithoutPlaintext is identical to the GenerateDataKey operation except that returns only the encrypted copy of the data key.

This operation is useful for systems that need to encrypt data at some point, but not immediately. When you need to encrypt the data, you call the Decrypt operation on the encrypted copy of the key.

Question 142

What data types are supported while defining parameters in a CloudFormation template?

Answer 142

• String
• Number
• List
• CommaDelimitedList
• AWS-Specific Parameter Types
• SSM Parameter Types

Question 143

You have created multiple S3 buckets using CloudFormation Templates. You have added a DeletionPolicy for each template to clean up all S3 buckets created during stack creation and deletion. Upon some research, you find that nor all buckets are getting deleted? What is a possible reason for this?

Answer 143

Make sure all objects in the S3 bucket have been deleted before deleting the bucket itself.

Question 144

Your development team is planning to deploy an application using the Elastic Beanstalk service. As part of the deployment, you need to ensure that a high-end instance type is used to deploy the underlying instances. How could you achieve this?

Answer 144

1. You can modify the launch configuration file to change the instance type, key pair, EBS stoarge, etc.
2. You can include a YAML formatted environment manifest in the root of your application source bundle to cofigure the environment name, solution state and environment links to use when creating your environment.

Question 145

You are developing an application that is working with a DynamoDB table. During the development phase, you want to know how much Consumed capacity is being used for the queries being fired. How can this be achieved?

Answer 145

Set the ReturnedConsumedCapacity in the query request to TOTAL.

Question 146

You are developing an application that is working with a DynamoDB table. During the development phase, you want to know how much read capacity units are being consumed as well as the capactiy for each table and index that was accessed. How can this be achieved?

Answer 146

Set the ReturnConsumedCapactiy in the query request to INDEXES

Question 147

Your company has a bucket that has versioing and Encrytpion enabled. The bucket recieves thousands of PUT operations per day. After 6 months, there are a significant number of HTTP 503 error codes that are being recieved. What can be used to diagnose the error?

Answer 147

Use the AWS S3 Inventory

If you notice a significant increase in the number of HTTP 503-slow down responses received for Amazon S3 PUT or DELETE object requests to a bucket that has versioning enabled, you might have one or more objects in the bucket for which there are millions of versions. When you have objects with millions of versions, Amazon S3 automatically throttles requests to the bucket to protect the customer from an excessive amount of request traffic, which could potentially impede other requests made to the same bucket.

To determine which S3 objects have millions of versions, use the Amazon S3 inventory tool. The inventory tool generates a report that provides a flat file list of the objects in a bucket.

Question 148

What is the most likely reason to see a significant increase in the number of HTTP 503-slow down responses for S3 PUT or DELETE options to a bucket that has versioning enabled?

Answer 148

you might have one or more objects in the bucket for which there are millions of versions. When you have objects with millions of versions, Amazon S3 automatically throttles requests to the bucket to protect the customer from an excessive amount of request traffic, which could potentially impede other requests made to the same bucket.

Question 149

Your team is looking towards deploying an application into Elastic Beanstalk. They want to deploy different versions of the app onto the environment. How can they achieve this in the easiest possible way?

Answer 149

Upload the app versions to the environment

Elastic Beanstalk creates an application version whenever you upload source code. This usually occurs when you create an environment or upload and deploy code using the environment management console or EB CLI.

Question 150

Your team is developing a mobile-based application. The users who are going to use this application will first be authenticated using an external provider such as Facebook. The application would then need to get temporary access credentials to work with AWS resources. What API action would you ideally used for this purpose?

Answer 150

AssumeRoleWithWebIdentity

Returns a set of temporary security credentials for users who have been authenticated in a mobile or web application with a web identity provider. Example providers include Amazon Cognito, Login with Amazon, Facebook, Google, or any OpenID Connect-compatible identity provider.

Question 151

A third-party company has been hired to help monitor your AWS account adn help optimize costs. In order to track your daily spending the third-party entity needs access to your AWS resources. How do you achieve this?

Answer 151

1. Create an IAM role in order to establish a trusted relationship between your AWS account and the 3rd party.
2. Once the role is created,The 3rd party can then use the STS: AssumeRole API to create temporay credentails to access certain resources. The STS:AssumeRole call with include the ARN of the role adn the ExternalId parameter that corresponds to their customerID.

Question 152

You would like to develop an application that would transfer logs from several EC2 Instances into an S3 bucket. What AWS service would you most likely use for this purpose?

Answer 152

AWS Data Pipeline

AWS Data Pipeline is a web service that you can use to automate the movement and transformation of data. With AWS Data Pipeline, you can define data-driven workflows, so that tasks can be dependent on the successful completion of previous tasks. You define the parameters of your data transformations and AWS Data Pipeline enforces the logic that you’ve set up.

Question 153

How do you calculate the number of requestes that would be smpled per second for a given Sampling Rule in Xray?

Answer 153

Reservoir Rate + Fixed Rate% * (Total Requests - Reservoir Rate)