Section 21: AWS Serverless: Lambda: Part 2 Flashcards

1
Q

What does the lambda execution role do, and what are some (the answer list is just a sample) managed policies for lambda? (also, yes, many of these managed policies have names ending in *Role)

A
  1. it grants the lambda function permissions to aws services/resources
    * AWSLambdaBasicExecutionRole (upload logs to cloudwatch)
    * AWSLambdaKinesisExecutionRole (read from kinesis)
    * AWSLambdaDynamoDBExecutionRole (read from dynamoDB streams)
    * AWSLambdaSQSQueueExecutionRole (read from sqs)
    * AWSLambdaVPCAccessExecutionRole (deploy lambda function in vpc)
    * AWSXRayDaemonWriteAccess (upload trace data to xray)

note that when you use an event source mapping to invoke your function, lambda uses the execution role to read event data. that’s why some of the names above say ‘Execution’ when the descriptions say ‘read’

2
Q

What does amazon say is best practice for ratio of lambda execution roles to functions?

A

one Lambda Execution Role to one function. Also, note that the managed policy AWSLambdaVPCAccessExecutionRole is actually a policy, i’m not sure it’s a role. maybe look into what’s going on there later. i don’t think roles and policies are the same thing, i think roles contain policies. So i’m betting that either this suggestion means that you use their managed policy in a role you make for a specific function.

3
Q

Should you use resource based policies to give other accounts and aws services permission to use your lambda resource?

A

Yes. that policy appears to be created in the lambda function area (if you’re using the console). I think they’re saying the whole thing works similarly to the way it works for S3 bucket policies for S3 bucket.

4
Q

an iam principal can access lambda if blank 1 or if blank 2

A
  1. the iam policy attached to the principal authorizes it (ex: user access)
  2. the resource-based policy authorizes (ex: service access)
5
Q

When an aws service like s3 calls your lambda function, who gives it (s3, i presume) access?

A

the resource based policy (that, again, i believe is from the lambda side of things)

6
Q
  1. Can you create lambda environment variables?
  2. does lambda service add its own system env vars as well?
  3. The slides say that env vars can be helpful for storing secrets (or that’s what it seems like they’re saying), but what does aws say?
  4. are all env vars (values) considered literal strings?
A
  1. yes
  2. yes
  3. aws says you prob want to use AWS Secrets Manager instead
  4. yes
7
Q

Lambda and CloudWatch

Are lambda execution logs stored in aws CloudWatch logs?

A

yes

8
Q

If for some reason lambda execution logs aren’t being stored in CloudWatch Logs, what might be going on? (honestly maybe you’d get an error saying exactly what’s happening, idk)

A

You need to make sure your aws lambda function has an execution role with an IAM policy that authorizes writes to CloudWatch Logs.

9
Q

Are lambda metrics automatically sent to CloudWatch Metrics, free of charge?

A

yep. in one minute intervals. if you want them sent faster, build a custom metric (that will start incurring cost, though)

10
Q

Where are AWS Lambda metrics displayed, and what are some of the lambda metrics that get displayed there?

A
  • invocations
  • durations
  • concurrent executions
  • error count
  • success rates
  • throttles
  • async delivery failures
  • iterator age (kinesis and dynamoDB streams)

Lambda Monitoring and CloudWatch

11
Q

lambda tracing with xray

Where are Lambda execution logs stored?

A

lambda execution logs are stored in aws CloudWatch Logs.

12
Q

How do you get lambda tracing to work with xray in the console and in the code?

A
  1. in the console: enable Active Tracing in Lambda. This runs the X-Ray daemon for you.
  2. in code: use aws xray sdk in code
  3. ensure lambda function has a correct iam execution role
13
Q

What’s the name of the managed policy you can use to get lambda tracing with xray?

A

AWSXRayDaemonWriteAccess

14
Q

What are the environment variables needed for lambda (it seems like any service really) to chat with xray?

A
  • _X_AMZN_TRACE_ID
  • AWS_XRAY_CONTEXT_MISSING (by default, LOG_ERROR)
  • AWS_XRAY_DAEMON_ADDRESS (the x-ray daemon IP_ADDRESS:PORT )
15
Q
  1. So an edge function is code that you write and attach to CloudFront distributions. It runs close to your users why?
  2. CloudFront provides two types of edge functions. What and what?
A
  1. To minimize latency.
  2. CloudFront Functions & Lambda@Edge
16
Q

When using CloudFront Functions and/or Lambda@Edge:
1. are they serverless?
2. are they deployed globally?
3. What do you pay for?

A
  1. Yes. They’re serverless (you don’t have to manage any servers.)
  2. Yes, deployed globally.
  3. only for what you use.
17
Q

What’s a common use case for using CloudFront Functions and/or Lambda@Edge?

A
  • Customizing CDN content
  • web security and privacy
  • dynamic web app at the edge
  • search engine optimization
  • intelligently route across origins and data centers
  • bot mitigation at the edge
  • real time image transformation
  • a/b testing
  • user authentication and authorization
  • user prioritization
  • user tracking and analytics

What is a CDN? A content delivery network (CDN) is a network of interconnected servers that speeds up webpage loading for data-heavy applications. CDN can stand for content delivery network or content distribution network. (quote from aws, but I also wrote somewhere that plenty of this is quoted from their docs)

18
Q

What’s a CDN?

A

What is a CDN? A content delivery network (CDN) is a network of interconnected servers that speeds up webpage loading for data-heavy applications. CDN can stand for content delivery network or content distribution network.

19
Q

aws authentication and authorization - just a couple words so you can see about maybe avoiding learning and forgetting that a million times

A
  • authenticated (signed in to AWS)
  • You must also be authorized (allowed) to complete your request.
20
Q
  1. What are CloudFront functions?
  2. Are they appropriate for high-scale, latency-sensitive CDN (content delivery network) customizations?
A
  1. They’re lightweight functions written in JavaScript.
  2. Yes
21
Q

Yes/No:

  1. Do CloudFront functions have sub-ms startup times, and can they handle millions of requests per second?
  2. Are CloudFront Functions used to change Viewer requests and responses?
  3. What’s a Viewer Request?
  4. What’s a Viewer Response?
A
  1. Yes
  2. Yes
  3. slides say “after CloudFront receives a request from a viewer”. I think based on some aws stuff, it’s actually an event. Specifically, it happens when CloudFront receives a request from a viewer, but before it checks to see whether the requested object is in the CloudFront cache. This event can trigger the running of a CloudFront function or a Lambda@Edge function.
  4. slides say “before cloudFront forwards the response to the viewer”. aws says “this function executes before returning the requested file to the viewer. Note that the function executes regardless of whether the file is already in the CloudFront cache”. There are some situations in which it doesn’t execute, but that kind of detail isn’t in the slides.
22
Q

Are CloudFront functions a native feature of CloudFront (can you manage code entirely within CloudFront)

A

Yes

23
Q

Regarding Lambda@Edge: what languages can lambda functions be written in?

A

NodeJS or Python

24
Q

yes/no:

If you author your Lambda@Edge lambda functions in one aws region (ex: us-east-1) then CloudFront will replicate that function to its other locations

A

Yes.

25
Q

T/F:

Lambda at edge scales to 1000s of requests per second

A

True

26
Q

Lambda@Edge lambda functions are used to change CloudFront requests and responses. What are the four requests, and when do they occur?

A
  • Viewer request - after cloudfront receives a request from a viewer
  • origin request - before cloudfront forwards the request to the origin
  • origin response - after cloudfront receives the response from the origin
  • viewer response - before cloudfront forwards the response to the viewer
27
Q

Do both CloudFront functions and Lambda@Edge functions trigger CloudFront as a result of events Viewer Request, Origin Request, Origin Response, and Viewer Response?

A

No. Just CloudFront functions trigger CloudFront as a result of all those four events. Lambda@Edge only triggers CloudFront for Viewer Request and Viewer Response events.

28
Q

What’s the max execution time allowed for a:
1. CloudFront function
2. Lambda@Edge Lambda function?

A
  1. < 1ms
  2. 5-10 seconds
29
Q

What are the following values for CloudFront functions and Lambda@Edge lambda functions:
1. max execution time
2. max memory
3. total package size

A
  1. cloudfront functions: < 1ms. lambda@Edge: 5-10 secs
  2. CloudFront funcs: 2MB. lambda@Edge: 128MB to 10 GB (10GB is about first 4 hp audiobooks)
  3. CF funcs: 10 KB. Lambda@Edge: 1MB-50MB
30
Q

What are the following values for CloudFront functions and Lambda@Edge lambda functions:
1. Network access, file system access (do they have access)
2. access to body request?
3. pricing

A
  1. CF funcs: No. L@e: yes
  2. cf funcs: No. L@E: yes
  3. free tier eligible, 1/6 price of edge
  4. no free tier, charged per request and duration
31
Q

CloudFront functions vs lambda@edge, which is better if you:
1. want to pay the least, no other considerations
2. want to be able to handle millions of requests per second
3. have small things that need to be done super frequently and you don’t need any special accesses
4. don’t mind paying, have bigger things and you don’t mind waiting a moment for the execution to finish

A
  1. cloudfront functions
  2. cloudfront functions
  3. cloudfront functions
  4. lambda@edge
32
Q

CloudFront functions vs lambda@edge, which is better if you:
1. need file system access or access to the body of an HTTP request
2. you want to do cache key normalization, which involves transforming request attributes (headers, cookies, query strings, url) to create an optimal cache key.
3. need network access to use external services for processing
4. you’re going to request authentication and authorization (create and validate user-generated tokens (ex JWT) to allow/deny requests)

A
  1. L@E
  2. CF functions
  3. L@E
  4. CF functions
33
Q

CloudFront functions vs lambda@edge, which is better if you:
5. your code depends on 3rd party libraries (ex: access to aws sdk to access other aws services)
6. you need to manipulate headers (insert, modify, delete http headers in the request or response)
7. you need adjustable cpu or memory
8. you want to do url rewrites or redirects

A
  1. L@E
  2. CF functions
  3. L@E
  4. CF functions
34
Q

yes/no: your lambda function is launched outside your own VPC, in an aws-owned vpc. This means it can’t (without special configuration) access resources in your vpc (rds, elasticache, internal elb…)

A

yes.

35
Q

To get lambda to access resources in your own VPC you must define what , what and what? Then lambda will create an eni (elastic network interface) in your subnets.

A
  1. VPC ID, subnets and security groups
36
Q
A