Test Review Questions Flashcards

1
Q

How to deploy a lambda function with multiple stages - dev, test, prod

A

Use environment variables to configure different endpoints for each stage

2
Q

On premises application accessing AWS services through SDK

A

Generate access key and store in secrets manager

3
Q

Improve on storing session state in memory

A

Store in Elasticache for distributed session management

4
Q

Monitor events in cloudwatch every 10 seconds

A

High resolution cloudwatch metric - can set alarms for periods of 10 or 30 seconds

5
Q

Cloudwatch metric standard resolution granularity

A

Granularity of 1 minute, and period of at least 5 minutes

6
Q

Override the build command on a CodeBuild project to test a change

A

Run the start build command from the CLI with the ‘buildspecOverride’ property

7
Q

Migrating SQL to AWS, currently encrypting some data with Transparent Data Encryption

A

Use RDS - supports TDE

8
Q

Update Beanstalk EC2 instance type

A

Create a config file in S3 with the new instance type

9
Q

Large number of reads/writes to S3 per second

A

Use a hash prefix when writing to distribute I/O load across multiple partitions

10
Q

Preprocess data before analysis in Kinesis Analytics

A

Use Lambda to preprocess data

11
Q

Monitor incoming connections on an ELB

A

Enable access logs on the load balancer

12
Q

Reduce throttling from scans on a large DDB table

A

Reduce page size to reduce RCUs per request

13
Q

Bootstrap application script into autoscaling instances

A

Place script into Userdata for the instance

14
Q

Analyse information stored in Cognito

A

Cognito streams configures a Kinesis stream to which Cognito can push dataset changes

15
Q

How to implement a Lambda function with 300 second execution time

A

Default timeout is 3 seconds - increase this

16
Q

Where to place a healthcheck.config file for an Elastic Beanstalk application

A

In the .ebextensions folder of the application’s source code

17
Q

Allow users to test an API gateway instance.

A

Ensure that a deployment is created in API Gateway

18
Q

How to allow an application to take 60 seconds to process a message from an SQS queue

A

Increase the visibility timeout in the queue from the default of 30 seconds, then delete the message after processing

19
Q

Test out permissions assigned to a policy via CLI

A

Get the context keys, then use them with the command ‘aws iam simulate-custom-policy’

20
Q

Steps to host a static website

A

Enable website hosting, configure index document, set permissions for website access

21
Q

MFA for S3 bucket

A

Add bucket policy with condition ‘aws:MultiFactorAuthPresent’:’false’ as a deny policy

22
Q

Reduce response time for reads on DDB to microseconds

A

Use DAX - DDB in-memory caching

23
Q

Preconfigure EC2 instances with NGINX web server using cfn

A

Use cfn-init helper script - allows you to describe configurations rather than scripting steps.

24
Q

Migrate from a Subversion repo to CodeCommit

A

For svn, perforce or TFS, migrate to git first, then to CodeCommit

25
Q

Enable encryption at rest on existing DDB table

A

Not possible - create a new table with encryption enabled and copy data across (most likely an obsolete question - current sources show data is encrypted at rest by default)

26
Q

Does CodeDeploy require an instance profile to be attached to both EC2 & on-premises instances.

A

Only for EC2 - an instance profile is automatically created when an IAM role is created for EC2

27
Q

Generate a data key in encrypted format

A

Use the KMS command ‘GenerateDataKeyWithoutPlaintext’

28
Q

Query a DDB table and only retrieve certain attributes

A

Use a Projection Expression - a comma separated string of the attributes you want.

29
Q

Prevent message visibility for X minutes when a message enters the SQS queue

A

To impact whole queue - Implement a delay queue (default - 0 seconds, max - 15 minutes)

To impact individual messages use message timers (not for FIFO)

30
Q

Best practices for activity workers & tasks with respect to Step Functions

A

Specify timeout in state machine definitions (avoid getting stuck waiting for a response).

To pass large payloads between states, store data in S3 and pass resource ARN to next state

31
Q

Diagnose high number/rate of 503 errors on bucket with frequent put operations

A

Bucket may have versioning enabled, and with many put requests, may have millions of versions of objects. Use S3 inventory tool to generate bucket report.

32
Q

Measure consumed capacity for DDB queries

A

Set ‘ReturnConsumedCapacity’ parameter to ‘TOTAL’ on request

33
Q

Send metadata along with messages between components

A

Insert metadata using message attributes in SQS

34
Q

Preserve database for analysis after Beanstalk env. is torn down

A

Mark database retention as ‘Create Snapshot’

35
Q

Where to upload lambda function package

A

Upload application files to S3

36
Q

Blue Green deployment for new version of Beanstalk application

A

Create a new env. in the application with the updated application version and perform a URL swap.

37
Q

Allow CodeBuild integration tests to access private subnet

A

Provide VPC specific configuration info as part of the codebuild project - e.g., VPC IDs, subnet IDs, security group IDs

38
Q

Clients cannot connect to internet facing load balancer

A

LB must be attached to a public subnet

Security group/ACL for subnet must allow traffic to/from client

39
Q

Allow S3 static website access to S3 bucket

A

Enable CORS on the bucket

40
Q

Maintain session states with even distribution across ELB

A

Use Elasticache (even distribution is required, so sticky sessions can’t be used)

41
Q

What is the EC2 instance store lifetime

A

Instance store data is ephemeral - will be lost if stopped/restarted.

EBS persists until instance is terminated.

42
Q

API call to describe an AMI

A

DescribeImages

43
Q

Connect instances behind public & private subnets to internet

A

Create a NAT instance

44
Q

Reader behaviour in SQS with long polling

A

Reader will listen to the queue until a message is available, or until timeout

45
Q

Difference between LSIs and GSIs

A

LSIs share the same partition key as the primary key. GSIs have a different partition & sort key

46
Q

Max item size in DDB

A

400kb

47
Q

‘ProvisionedThroughputExceededException’ but not exceeding table read capacity throughput

A

Exceeded max provisioned throughput for one or more GSIs

48
Q

SQS max message retention period

A

14 days

49
Q

DDB concurrency control

A

Optimistic locking - write only proceeds if version in write request matches version on item in table

50
Q

Using SNS to message different devices & platform

A

Use platform specific KVPs in a single payload

51
Q

Ensure application data on EBS is encrypted at rest

A

Enable encryption and launch an instance type that supports EBS encryption

52
Q

Pass a stage variable to HTTP url

A

${stageVariables.<var_name>}

53
Q

What should be done when met with a LambdaThrottledException with Cognito events?

A

Perform retry on sync

54
Q

Sequence of hooks called in CodeDeploy

A

ApplicationStop -> BeforeInstall -> AfterInstall -> ApplicationStart

55
Q

How to resolve CodeDeploy error: HEALTH_CONSTRAINTS_INVALID

A

Reduce the number of healthy instances required during deployment

56
Q

A developer is writing a custom script that will run in an Amazon EC2 instance. The script needs to access the local IP address from the instance to manage a connection to an application outside the AWS Cloud. The developer found out that the details about an instance can be viewed by visiting a certain Uniform Resource Identifier (URI).

A

http://169.254.169.254/latest/meta-data/

57
Q

A transcoding media service is being developed in AWS. Photos uploaded to Amazon S3 will trigger Step Functions to coordinate a series of processes that will perform image analysis tasks. The final output should contain the input plus the result of the final state to conform to the application’s logic flow.
What should the developer do?

A

ResultPath field filter is the only one that can control input values and its previous results to be passed to the state output.

Declare a ResultPath field filter on the Amazon States Language Specification.

58
Q

What should be done to only allow authorized clients to invalidate an API Gateway cache entry when submitting API requests?

A
  • Tick the ‘Require Authorization’ checkbox in the Cache settings of your API via the console
  • The client must send a request which contains the ‘Cache-Control: max-age=0’
59
Q

How should you fix a Lambda function configured with VPC-specific information that cannot connect to the internet via public API?

A
  • Add a NAT gateway to your VPC
  • Ensure that the associated security group of the Lambda function allows outbound connections
60
Q

You have a Lambda function configured with VPC-specific information that cannot connect to the internet via public API. Why would setting up Elastic Network Interfaces (ENIs) not help enable your Lambda function to connect to the internet?

A

The ENIs are already automatically set up by Lambda, using the VPC information provided.

61
Q

A recruitment agency has a large collection of resumes stored in an Amazon S3 bucket. The agency wants to perform an analysis on these files, but for privacy compliance reasons, they need to ensure that certain personally identifiable information (PII) is redacted before being processed by their internal service.

Why is Lambda@Edge not an appropriate solution for this scenario?

A

Lambda@Edge allows transformations of data for CloudFront distribution at CDN edge locations, for end users. This scenario calls for transformation of data by an internal service.

Lambda@Edge is also a somewhat costly service compared to regular lambda functions.

62
Q

Why might you get a 403 Forbidden error when using newly generated API keys for a REST API in API gateway, and how would you resolve this?

A

API keys do not grant access to execute an API with API Gateway without first being associated with a usage plan. This usage plan determines the stages and methods the API key can access.

To fix this, associate the API keys with a usage plan using the CreateUsagePlanKey operation.

63
Q

How should you provide access for a Node.js application run on a Linux server in an on-premises data center to various AWS services such as S3, DDB, etc.?

A

Create an IAM user with programmatic access. In the application server, create the credentials file at ~/.aws/credentials with the access keys of the IAM user.

64
Q

You want to release a new firmware update intended only to a specific set of customers, and unauthorized access should be denied with a user authentication process that has minimal latency.

Why would the use of Signed URLs and Signed Cookies in CloudFront not be appropriate here?

A

This process of authentication has a significant latency, along with significant refactoring requirements, compared with using a combination of Lambda@Edge and Cognito for filtering out unauthorized requests.

65
Q

What is the purpose of an RDS Proxy, and how does it achieve this purpose?

A

RDS Proxy is used to manage a large number of connections from Lambda to an RDS database. It does this by establishing a warm connection pool to the DB. Lambda interacts with the proxy, reusing existing connections instead of creating new connections for every function.

66
Q

How would you configure an AWS Step Functions workflow to allow for a pause while a service works on a task, and only to resume after the service sends a notification to a webhook endpoint?

Why is this cost effective?

A

Step Functions can be configured to pause for external system processes using the ‘waitForTaskToken’ option. The step function generates a unique token, which can be retrieved from the context object of the state machine.

The external system can then call the webhook with a ‘SendTaskSuccess’ or ‘…Failure’ while referencing the token.

This is cost effective since the workflow is paused, and you are not billed for time while a workflow is paused.

67
Q

Give an example of when an InvalidParameterValueException would be returned when creating a Lambda function.

A

When a parameter of the request is invalid, such as providing an IAM role in the CreateFunction API which the Lambda function is unable to assume.

68
Q

You attempt to create a Lambda function, however the resource already exists. What error would be returned?

A

ResourceConflictException - 409

69
Q

What is the difference between the ‘Period’ and ‘Evaluation Period’ in CloudWatch?

A
  • Period is the length of time to evaluate the metric or expression and produce a data point for an alarm.
  • Evaluation Period is the number of the most recent periods, or data points, to evaluate when determining alarm state.
70
Q

How can you redirect a user to a geolocation-specific URL using CloudFront?

A
  • Implement a CloudFront function that returns the appropriate URL based on the CloudFront-Viewer-Country.
  • Configure the distribution to trigger the function on Viewer request events.
71
Q

Why is using Route 53 geolocation routing an unsuitable solution to redirecting a user to a geolocation-specific URL using CloudFront?

A

Route 53 geolocation is primarily for directing traffic to specific resources based on user location for performance or regulatory reasons - not for content personalization based on geolocation.

72
Q

How would you set up HTTPS communication between viewers and a CloudFront distribution?

A
  • Set the ‘Viewer Protocol Policy’ to ‘HTTPS Only’
    or
  • Set the ‘Viewer Protocol Policy’ to use ‘Redirect HTTP to HTTPS’
73
Q

Why would using a self-signed SSL/TLS certificate in the ALB which is stored in a private S3 bucket not help you to set up HTTPS communication between viewers and a CloudFront distribution?

A
  1. You can’t use a self-signed certificate stored in S3. You would need a certificate from ACM or a third-party.
  2. This would provide you HTTPS communication between origin and CloudFront, not between viewers and CloudFront
74
Q

A developer is creating an analytics REST API service that is powered by API Gateway. Analysts from a separate AWS account must interact with the service through an IAM role. The IAM role already has a policy that grants permission to invoke the API.

What else should the developer do to meet the requirement without too much overhead?

A

Set AWS_IAM as the method authorization type for the API.

Attach a resource policy to the API that grants permission to the specified IAM role to invoke the ‘execute-api:Invoke’ action.

75
Q

You have an application hosted on Lambda that typically takes around 5 minutes to process a request. During this time, the application is unresponsive. How can you prevent the application from becoming unresponsive?

A

Configure the application to asynchronously process the requests and change the invocation type of the Lambda function to Event (i.e., publish an event to the function to trigger it)

76
Q

You have an application which uses X-Ray to generate trace data. How can you implement a filter expression that will limit the results of a search based on the custom attributes or keys specified? Why this approach?

A

Add custom attributes as annotations in your segment document.

Annotations are simple key-value pairs that are indexed for use with filter expressions. Use annotations to record data that you want to use to group traces in the console, or when calling the GetTraceSummaries API. X-Ray indexes up to 50 annotations per trace.

77
Q

Why can you not use metadata to implement a search on custom attribute for X-Ray?

A

Metadata are key-value pairs with values of any type, including objects and lists, but that are not indexed.

78
Q

What are the predefined deployment strategies for EC2/On-premises compute platforms?

A

CodeDeployDefault.OneAtATime, CodeDeployDefault.HalfAtATime, CodeDeployDefault.AllAtOnce

79
Q

Why is CodeDeployDefault.HalfAtATime not quicker than CodeDeployDefault.LambdaCanary10Percent5Minutes for deploying Lambda functions?

A

It is not a viable deployment strategy for Lambda - it is only for EC2/On-premises

80
Q

How can you establish end-to-end encryption for an AWS application fronted by a CloudFront distribution?

A

Configure both Origin Protocol Policy and Viewer Protocol Policy to use HTTPS

81
Q

What is the function of Origin Access Control (OAC)?

A

Allows you to secure S3 origins by allowing bucket access to designated CloudFront distributions

82
Q

What is the difference between the AWS/AWS_PROXY and HTTP/HTTP_PROXY API Gateway integration request mappings?

A

For the Lambda proxy integration, the value is AWS_PROXY. For the Lambda custom integration and all other AWS integrations, it is AWS.
For the HTTP proxy integration and HTTP integration, the value is HTTP_PROXY and HTTP, respectively. For the mock integration, the type value is MOCK.

83
Q

What sections are required in a CloudFormation template, both when using and not using AWS SAM?

A

With SAM - Resources and Transform (specifies the version of SAM to use)

Without SAM - Resources

84
Q

What is the AWS Default Lambda concurrent executions value?

A

AWS Lambda limits the total concurrent executions across all functions within a given region to 1000

85
Q

How can you configure a Kinesis Data Stream to ingest data, processing each item once, and processing the items in the same order that they are received?

And why that API call?

A

Embed a unique ID in each item. Use the Kinesis ‘PutRecord’ API to write items - ‘PutRecord’ and not ‘PutRecords’, since Kinesis will attempt to process all records in a batch in the latter, and so does not guarantee the ordering of records.

Assign a timestamp-based value for the ‘SequenceNumberForOrdering’ parameter.

86
Q

Why is SQS FIFO not a good fit for an auction app that ingests and processes bids in real-time?

A

SQS FIFO is not a good fit for real-time processing (not sure why, but maybe performance and due to the max of 300 send, receive or delete operations per second).

87
Q

What is the difference between the X-Ray headers ‘X-Forwarded-For’ and ‘X-Forwarded-Host’?

A

X-Forwarded-For deals with tracking the IP addresses through which the request has passed, while X-Forwarded-Host is concerned with preserving the original host name requested by the client.

X-Forwarded-For is more about the path of the request (i.e., routing information), whereas X-Forwarded-Host is about the intended destination (i.e., which host the client originally intended to reach).

88
Q

How can you configure CloudWatch to set up graphical representations of key performance metrics for separate applications?

A

Create a custom CloudWatch namespace with a unique metric name for each application (metrics in different namespaces are isolated from each other - metrics from different applications are not mistakenly aggregated into the same statistics).

89
Q

What is the sequence of event hooks that run during Lambda deployment?

A

Start -> BeforeAllowTraffic -> AllowTraffic -> AfterAllowTraffic -> End

90
Q

How would you invoke a Lambda function asynchronously? Why that particular API call?

A

Use ‘Invoke’ API to call the Lambda function and set the invocation type request parameter to event.

Cannot use ‘InvokeAsync’ as this is deprecated.

91
Q

A developer wants to track the number of visitors on their website, which has a DynamoDB database. This is primarily used to give a rough idea on how many people visit the site whenever they launch a new advertisement, which means it can tolerate a slight overcounting or undercounting of website visitors.

Why is the use of atomic counters here acceptable?

A

Atomic counters are not idempotent - they are incremented on every update. This means that if a request fails and is retried, the counter would be incremented twice (or more). This example has a tolerance for over/undercounting of updates.

92
Q

What is the easiest method of deploying a Node.js ‘Hello World’ Lambda function using CloudFormation?

A

Include your function source code inline in the ZipFile parameter of the AWS::Lambda::Function resource in the cfn template.

93
Q

What is the default retention period of data records in a Kinesis data stream, and how much can this be increased to?

A

24 hours, up to 365 days.

94
Q

You have an EB application attached to an AWS RDS db. How can you decouple your db instance from the environment for blue/green deployments without incurring data loss?

A

Create an RDS DB snapshot of the database and enable delete protection.

Create a new EB env. with the necessary information to connect to the RDS instance.

Before terminating the old EB env., remove its security group which allows RDS access (if this is not done, the old EB env retains a dependency on RDS via the security group, and so cannot be terminated).

95
Q

What is Lambda’s minimum unreserved account concurrency?

A

100

96
Q

Your application relies on Cognito for user authentication. How can you enforce MFA only on users with suspicious login attempts?

A

Enable Adaptive Authentication for the User Pool - this can turn on/require MFA for a user when Cognito detects risk in a user’s session.

97
Q

What headers must be included to upload data to an S3 bucket with SSE-C (customer-provided encryption keys)?

A

x-amz-server-side-encryption-customer-algorithm - This header specifies the encryption algorithm. The header value must be “AES256”.

x-amz-server-side-encryption-customer-key - This header provides the 256-bit, base64-encoded encryption key for Amazon S3 to use to encrypt or decrypt your data.

x-amz-server-side-encryption-customer-key-MD5 - This header provides the base64-encoded 128-bit MD5 digest of the encryption key according to RFC 1321. Amazon S3 uses this header for a message integrity check to ensure the encryption key was transmitted without error.

98
Q

Which appspec.yml properties are required by CodeDeploy for ECS deployments?

A

TaskDefinition, ContainerName and ContainerPort

99
Q

Which are the only platforms that can use in-place deployments through CodeDeploy?

A

EC2 and on-premises

100
Q

What is a good architectural pattern for managing in-place deployments?

A

Use a load balancer so that each instance is deregistered during deployment and then restored to service after deployment is completed.

101
Q

On which platforms can you perform blue/green deployments using CodeDeploy

A

EC2, ECS and Lambda

102
Q

Why must you use FIFO instead of standard SQS queue for preventing messages being processed multiple times?

A

Standard SQS queues do not support message deduplication.

103
Q

What are the two ways you can configure FIFO queues to prevent messages being processed multiple times?

A
  • Enable content-based deduplication. This instructs Amazon SQS to use a SHA-256 hash to generate the message deduplication ID using the body of the message - but not the attributes of the message.
  • Explicitly provide the message deduplication ID (or view the sequence number) for the message.
104
Q

What service should you use to store encryption keys within a dedicated, third-party validated hardware security module under your exclusive control?

A

AWS CloudHSM (hardware security module) - provides secure storage for cryptographic keys

105
Q

Why should you not use Secrets Manager as a key-management service for storing encryption keys of on-premises servers?

A

You cannot store Customer Master Keys (CMKs) in AWS Secrets Manager.

106
Q

What can you use in ECS to group container instances together by specific attributes? Give examples of these attributes.

A

Cluster Query Language.

  • AZ, instance type or custom metadata
107
Q

You have several developers, each with their own IAM user. How can you give access to CodeCommit for them to utilize code repositories on their own computers?

A
  • Generate HTTPS Git credentials.
  • Generate new SSH keys and associate the public SSH key with each of your developers’ IAM users.
108
Q

How can you detach a root EBS volume from a running EC2 instance?

A

Since it is the root volume, you have to stop the instance and then detach the volume.

109
Q

How can you detach a non-root EBS volume from a running EC2 instance?

A
  • Unmount the volume, then detach from the instance.
  • Terminate the instance, causing the volume to become detached.
110
Q

Which languages are supported natively by Lambda?

A

Java, Go, PowerShell, Node.js, C#, Python, and Ruby

111
Q

How can you implement a Lambda function using C++? Why can you not include this in the lambda function code?

A

Create a new layer which contains the Custom Runtime for C++ and launch a Lambda function which uses that runtime.

Lambda functions have a max deployment package size of 50 MB, so you have to use a layer.

112
Q

What is the most suitable solution for an application that is required to trace downstream requests to multiple different tracing backends without having to re-instrument the application code and why?

A

Install the AWS Distro for OpenTelemetry Collector and set up the distro to trace all downstream API calls.
X-Ray is unsuitable here since it cannot send traces to multiple different tracing backends without having to re-instrument the application.

113
Q

Why might you get an Access Denied error when you attempt to upload a file to S3 over 100 GB in size via the CLI?

A

AWS S3 CLI performs a multipart upload when the file is too large - this requires you to have access to the kms:Decrypt action, as you need to decrypt the KMS key you are using to encrypt the object.

114
Q

A software engineer is developing a serverless application which will use a DynamoDB database. One of the requirements is that each write request should return the total number of write capacity units consumed, with subtotals for the table and any secondary indexes that were affected by the operation.

What should be done to accomplish this feature?

A

Add the ‘ReturnConsumedCapacity’ parameter with a value of INDEXES in every write request.

115
Q

You have an application using CloudFront that occasionally gives 504 errors. How can you configure CloudFront to avoid this?

A

Set up origin failover by creating an origin group with two origins - primary and secondary.

Should primary origin fail, CloudFront will automatically switch to secondary origin.

116
Q

How can you easily manage multiple cfn templates for different environments, across multiple accounts?

A

AWS CloudFormation StackSets - Create multiple stacks across regions using a single CFN template.

117
Q

You have an application that must support HTTPS connections. What do you need to do to set up HTTPS connections using a third-party certificate?

A
  • Request an SSL/TLS certificate
  • Import that certificate into AWS using either ACM or IAM certificate store.
118
Q

What is a good number of shards:worker instances when using Kinesis Client Library for managing streams and why?

A

4:2 - each worker can process multiple shards. 4 shards provide high read/write throughput, and 2 workers provide high availability.

119
Q

How can you enable E2E testing with Cypress on a React application with code hosted in GitHub?

A
  • Connect the GitHub repo to AWS Amplify Hosting
  • Update the amplify.yml file with appropriate configuration settings for Cypress.
120
Q

You have an S3 bucket, and you want to retrieve data from it at low latency, with low operating costs, using a structured query language (SQL) to filter the contents of S3 objects and retrieve just the subset of data that you need. What should you use, and what objects can you use this on?

A

S3 Select - can be used on CSV, JSON or Apache Parquet format objects.

121
Q

What are some differences between AWS Athena and S3 Select?

A

Athena - higher cost, executes bucket-wide statements

S3 Select - lower cost, executes statement against a given object

122
Q

What is a key difference between AppSync and Cognito Sync?

A

AppSync allows multiple users to synchronise and collaborate in real time on shared data; Cognito Sync allows synchronisation of data across devices for a single user.

123
Q

You want to be notified if sensitive parameters that you have stored in Parameter Store have not been rotated within 90 days. What are the requirements for this, and how would you set this up?

A

You have to use Advanced Tier parameters to use parameter policies (You can be notified about changes or status related to parameter policies, such as when a parameter expires, is going to expire, or hasn’t changed for a specified period of time).

Set a NoChangeNotification policy with a value of 90 days, and use EventBridge to send a notification via SNS

124
Q

What does the advanced tier on Parameter store allow?

A

100,000 params stored (as opposed to 10,000 for standard)
8 KB parameter size (as opposed to 4 KB for standard)
Parameter policies

124
Q

You have a Lambda function that requires access to an RDS instance within a private subnet. What two things do you have to do, and why?

A
  • Configure the Lambda function to connect to your VPC. If this is not done, the Lambda cannot access ANY aws resources within the VPC.
  • Provide IAM permissions to access RDS.

IAM permissions is not enough on its own - the Lambda would have the correct permissions, but would be unable to connect to any resources within the VPC.

124
Q

Why do DDB global tables not work with Optimistic Locking?

A

Global tables use ‘last writer wins’ reconciliation between concurrent updates.

125
Q

What services should you use to coordinate multiple AWS services into serverless workflows?

A

Step Functions

126
Q

What is TDE, and what does it do?

A

Transparent Data Encryption - automatically encrypts data before it is written to storage, and decrypts when data is read from storage.

126
Q

Why can you not use RDS encryption to automatically encrypt data before it is written to storage, and decrypt it when data is read from storage?

A

RDS encryption encrypts your DB instances and snapshots at rest - it does not encrypt/decrypt data before it is written/read from storage.

127
Q

When would you use X-Ray GetTraceSummaries over BatchGetTraces?

A

GetTraceSummaries retrieves IDs and annotations for traces within a specified time frame, with an optional filter field.

BatchGetTraces returns a list of traces specified by ID, but does not support filter expressions, nor returns annotations.

128
Q

What is a high level difference between segments and subsegments wrt. X-Ray?

A

The segment can be thought of as representing the overall request, with each subsegment breaking down the individual components of that request (i.e., downstream requests vs the actual request to the application).

129
Q

Why can you not use ‘aws cloudformation deploy’ to deploy local code to AWS, and what should you use instead?

A

‘aws cloudformation deploy’ can deploy a stack if your code artifacts are already packaged and uploaded to S3 - it cannot package and upload code itself.

‘sam deploy’ zips code artifacts, uploads them to S3 and produces a packaged SAM template that is used to deploy the application.

130
Q

What task placement should you use to allow ECS to place tasks on instances, following constraints that you have specified either implicitly or explicitly, with the least amount of configuration?

A

‘random’ task placement with custom placement constraints - this places tasks on instances at random yet still honours other constraints that you have specified. It also makes sure that instances have enough resources for an additional task.

131
Q

What are the functions of a Lambda runtime?

A
  • Runs the function’s setup code
  • Reads the handler name from an environment variable
  • Reads invocation events from the Lambda runtime API
132
Q

You need to configure ECS to allow two Docker containers to share log data. Why would you not need two task definitions for this?

A

You can define a task definition to hold one or more containers, so two definitions are unnecessary.

133
Q

What do ‘ModuleNotFoundError’ and ‘Module cannot be loaded’ indicate for Lambda functions, and how would you fix this?

A

These errors normally surface due to incorrect folder structure or file permissions with the deployment package .zip file

To fix:

  1. Install all dependency modules locally to the function project
  2. Build the deployment package by zipping up the project folder for deployment to Lambda
  3. Upload the deployment package
134
Q

‘ModuleNotFoundError’ and ‘Module cannot be loaded’ appear in a Lambda function. Why can you not just import the missing modules in the code?

A

You will get the same error codes since the Lambda function won’t be able to recognise the modules. The module dependencies need to be downloaded and then zipped within the deployment package.

135
Q

You have an application that is expected to consume SQS messages of a large size. What is the max SQS message size, and if a message is over the max item size, how should you process it?

A

256 KB
If a message is over this size, use a combination of S3 and SQS Extended Client Library for Java - this will allow you to send a message that references a message object stored in S3, retrieve the message object, and then delete the message object from S3.

136
Q

How can you validate IAM access for an API call?

A
  • Use IAM Policy Simulator to validate the permission for the IAM role
  • Run the API call with the --dry-run parameter (this checks whether you have the required permissions for the action without actually making the request)
137
Q

How can you create a Stack that defines cloud resources in a desired programming language (as opposed to yaml)?

A

AWS CDK - Cloud Development Kit
Open-source framework to provision cloud application resources using programming languages. Under the hood, this just ‘compiles’ your stack into CloudFormation templates.

138
Q

You have a team of developers, and you need to provide permissions to launch EC2 instances with an instance role that will let them update items on a DDB table. All developers belong to the same IAM group. How can you do this?

A

Allow EC2 to assume a role that can access the DDB table:

  • Create an IAM role with permission to access the DDB table
  • Add EC2 as a trusted entity in the role’s trust policy (this allows an EC2 instance to assume the role)
  • Attach a PassRole policy to the IAM group, which allows the new role with DDB access permission to be passed along
139
Q

What is the difference between terminating a container in ECS with EC2 launch type in the RUNNING state vs STOPPED state?

A

If RUNNING - will automatically be removed or deregistered from the cluster

If STOPPED - not automatically removed

140
Q

How can you allow an ALB to obtain all values of an identical query parameter key that is supplied in a request, e.g., ?name=foo&name=bar, and what happens if you don’t enable this?

A

Enable multi-value header syntax - this will allow the ALB to supply these duplicate params in an event object with the format ‘name’: [‘foo’, ‘bar’]

If you don’t enable this, the LB will just use the last value of the query parameter.

141
Q

You have an EC2 instance, and are using CodeDeploy to deploy a new version of an application, with the code stored in S3. When might the DownloadBundle deployment lifecycle event throw an error?

A
  • The EC2 instance does not have permission to access the code in S3
  • An S3 internal error occurs
  • The instances are associated to one Region, but the S3 bucket that contains the application revision is related to another Region
142
Q

What is the difference between ‘sam local invoke’ and ‘sam local start-lambda’?

A

‘sam local invoke’ performs a single invocation of the Lambda function; ‘sam local start-lambda’ starts the Lambda locally as an endpoint (to be called by other services)

143
Q

How can you implement access control on a table in DDB to ensure that a user only has access to their item(s)?

A

Use conditions - in this case, we can assume that a user has an ID, and that their ID is the partition key (this makes sense as it provides a good distribution across the partition).

To do this, we use dynamodb:LeadingKeys, which targets the partition key, and specify the user ID for use.

144
Q

What is a lambda:FunctionUrlAuthType, why might this be useful, and what is the difference between the two conditions?

A

Lambdas can be called via URL like a simple REST endpoint - the FunctionUrlAuthType specifies what auth to use: NONE or AWS_IAM

NONE means no authorisation required; AWS_IAM means only allow invocation if via an authorised IAM user or role.

145
Q

How can you configure Elastic Beanstalk to allow a multi-container docker environment?

A

Configure the container definitions in the ‘Dockerrun.aws.json’ file, placed on the same level where the application file resides (i.e., not in .ebextensions)

146
Q

What are the respective yml files for CodeBuild and CodeDeploy?

A

CodeBuild - buildspec.yml
CodeDeploy - appspec.yml

147
Q

Which part of which file should you modify when configuring CodeBuild to run with a proxy server?

A

The proxy element of the buildspec.yml

148
Q

What is the high level setup for running CodeBuild in a proxy server?

A
  • All components are within a VPC
  • The CodeBuild service is within a private subnet
  • The proxy server is within a public subnet
  • There is an internet gateway, allowing traffic to/from the internet
149
Q

What are the steps to allow a production account to delegate S3 access to a development account?

A
  • On the production account, create an IAM role and specify the development account as a trusted entity.
  • Set the policy that will grant access to S3 for the IAM role created in the production account
  • Log in to the development account and create a policy that will use STS to assume the IAM role in the production account. Attach the policy to corresponding IAM users.
150
Q

What are the two ways you can authenticate with CodeCommit (HTTPS)?

A
  • Set up a Git credential helper using your access key credentials specified in your AWS credential profile
  • Generate HTTP Git credentials for AWS CodeCommit. Specify the credentials in the Git Credential Manager
151
Q

You want to view the percentage of used memory and number of TCP connections of instances inside an Auto Scaling Group. These metrics are to be sent to CloudWatch. What must you do and why?

A

Create an IAM role with cloudwatch:PutMetricData permission for the new Auto Scaling launch configuration from which you launch instances.

You cannot modify existing launch configurations, so you must create a new one and apply it to the ASG.

152
Q

What sections of a CloudFormation template can you and can’t you associate with a ‘Condition’?

A

Can: Outputs, Resources
Can’t: Parameters

153
Q

What credentials does IAM for CodeCommit support and not support?

A

Supports: SSH Keys, AWS Access Keys, Git credentials
Does not support: IAM username and password

154
Q

What resource types does AWS SAM support?

A

AWS::Serverless::Api

AWS::Serverless::Application

AWS::Serverless::Function

AWS::Serverless::HttpApi

AWS::Serverless::LayerVersion

AWS::Serverless::SimpleTable

AWS::Serverless::StateMachine

155
Q

You have an API hosted on ECS. Variable traffic spikes on the application are causing order processing time to increase - this causes the number of orders within the SQS queue to increase. What can you do to improve performance, given that you have access to the ApproximateNumberOfMessagesVisible metric in CloudWatch?

A

Use backlog per instance metric with target tracking scaling policy - in this case, the target value being the acceptable backlog per instance to maintain (calculated by number of messages in backlog / ECS fleet running capacity).

156
Q

What is a key difference between step scaling and target tracking?

A

Step scaling defines thresholds and actions to take at a given threshold (e.g., at 80% CPU utilization, add 20% more instances)

Target tracking aims for a particular metric target to be met (e.g., SQS queue backlog per instance)

157
Q

What Elastic Beanstalk deployment policies cause EC2 burst balance to be lost?

A
  • Managed platform updates with instance replacement enabled
  • Immutable updates
  • Deployments with immutable updates or traffic splitting enabled

(behind the scenes for traffic splitting - such as canary or blue/green - Beanstalk launches a full new set of instances)

158
Q

What header would you include with an S3 PutObject operation to force encryption at rest with Amazon S3-managed keys?

A

x-amz-server-side-encryption: AES256

Instructs S3 to use AES-256 encryption cipher

159
Q

How can you enable an IAM user to access AWS Billing and Cost Management?

A
  • Provide the IAM policy to access Billing and Cost Management
  • Activate IAM user access to the Billing and Cost Management console for the user
160
Q

What should you do to control access to an API Gateway API using a 3rd party authorisation mechanism?

A

Use Lambda Authorizer - allows custom authorisation schemes for API Gateway, where gateway calls the Lambda authoriser using the caller’s identity, and returns an IAM policy.

161
Q

You want to set up member access to user-specific folders in an Amazon S3 bucket - bucket-a. So, user x can only access files in his folder - bucket-a/user/user-x/ and user y can only access files in her folder - bucket-a/user/user-y/ and so on.

How would you achieve this?

A

Use IAM policy variables. E.g.,

Condition: { StringLike: { s3:prefix: [ ${aws:username}/ ] } }

The aws:username variable ensures that each user can only access the folder (prefix) named after their own username.

162
Q

What is the order of steps to be followed for creating an app using AWS CDK?

A

Create the app from a template provided by AWS CDK -> Add code to the app to create resources within stacks -> Build the app (optional) -> Synthesize one or more stacks in the app -> Deploy stack(s) to your AWS account

163
Q

What is the difference between Access advisor and IAM Access analyser?

A

IAM Access Analyser - Allows you to identify access to your AWS resources that is outside your defined boundary (zone of trust - this can be an organisation or an AWS account).

Access advisor - identify unused IAM roles via timestamp of last request made using that role.

164
Q

What are some differences between immutable and blue/green deployments?

A

Immutable - new ASG created alongside the old one within the same environment. As soon as the first instance is created, it begins to serve traffic. When all new instances are healthy, old ones are switched off

Blue/Green - new environment is created from scratch (using a new load balancer). The switch is performed at DNS level, routing traffic from the old to the new env. when new env. is healthy.

165
Q

What two things must you do to a Network ACL to enable a connection to a service running on an EC2 instance from the internet?

A

To enable the connection to a service running on an instance, the associated network ACL must allow both:
1. Inbound traffic on the port that the service is listening on
2. Outbound traffic to ephemeral ports

166
Q

An Auto Scaling group has a maximum capacity of 3, a current capacity of 2, and a scaling policy that adds 3 instances.

When executing this scaling policy, what is the expected outcome and why?

A

When a scaling policy is executed, if the capacity calculation produces a number outside of the minimum and maximum size range of the group, Amazon EC2 Auto Scaling ensures that the new capacity never goes outside of the minimum and maximum size limits.

Hence, the ASG only adds one instance to the group.

167
Q

You have created a continuous delivery service model with automated steps using AWS CodePipeline. Your pipeline uses your code, maintained in a CodeCommit repository, AWS CodeBuild, and AWS Elastic Beanstalk to automatically deploy your code every time there is a code change. However, the deployment to Elastic Beanstalk is taking a very long time due to resolving dependencies on all of your 100 target EC2 instances.

Which of the following actions should you take to improve performance with limited code changes?

A

Bundle the dependencies in the source code during the build phase of CodeBuild

168
Q

What are the limits on the number of stored and in-flight messages in SQS?

A

No limit for stored, ~120,000 for in-flight

169
Q

What is the difference between using a signed URL and signed cookies in CloudFront?

A

Signed URL provides access to a single file.

Signed cookies allow access to multiple files when you don’t want to change the URL.

(Signed URLs take precedence over signed cookies - if you provide a signed URL with signed cookies, you will only get the file corresponding to the URL).

170
Q

How would you re-use ssh key-pairs across multiple instances and regions?

A

Generate a public ssh key from the private key, and then import the key into each of the desired regions

171
Q

How does CloudFront use key pairs to create signed URLs?

A

The public key of the key pair is stored in CloudFront. The private key is used to sign a portion of the URL

172
Q

How many CloudFront key pairs can the root user of an AWS account have, and how can you allow for more key pairs?

A
  1. For more, use CloudFront key groups - allows you to associate up to 4 key groups with a distribution, and up to 5 keys per group
173
Q

What is the difference between provisioned and reserved concurrency for Lambda?

A

Provisioned - The number of pre-initialised execution environments for your function (used to reduce latency)

Reserved - Concurrency that cannot be allocated to any other function than the one specified; it also dictates the maximum number of concurrent instances for that function

174
Q

How does port mapping differ between ALB and CLB?

A

CLB - only supports static port mapping, meaning that you cannot run multiple copies of a task on the same instance, due to a conflict of ports.

ALB - allows dynamic port mapping, meaning that you are able to run multiple copies of a task on the same instance.

175
Q

What is the maximum Lambda function container image size?

A

10GB

176
Q

Above what size payload should you use envelope encryption?

A

4 KB

177
Q

A diagnostic lab stores its data on DynamoDB. The lab wants to backup a particular DynamoDB table data on Amazon S3, so it can download the S3 backup locally for some operational use.

Why can you not use on-demand backups in DDB to achieve this?

A

On-demand backup stores data in S3, but in buckets that the user is not provided access to.

178
Q

Describe how S3 replication can be configured.

A

Same-Region Replication and Cross-Region Replication can be configured at bucket level, shared-prefix level or object level using S3 object tags

179
Q

What is the difference between detailed monitoring and high-resolution?

A

Detailed monitoring - how often the datapoints are reported (every 1 min vs every 5)

High-resolution - how granular the metrics are (a metric every 10 seconds vs 30 seconds)

180
Q

What is the retention period for RDS automatic backups, and what is a limitation of this regarding disaster recovery?

A

0-35 days

Backups are limited to a single region.

181
Q

What are two use cases for ElastiCache?

A

Read heavy applications

Compute heavy applications (store objects that are often read in the cache)

182
Q

What can be configured when publishing a custom metric?

A

Can define own data as a custom metric, along with the resolution of the metric

  • Can be defined as standard resolution or high-resolution. If high, CloudWatch stores it with a resolution of 1 second.
183
Q

When using CloudTrail with S3, what is a requirement to receiving object-level API access logs when data is read by another AWS account?

A

The bucket owner also needs to be the object owner to get the object access logs, or must get permissions through the object ACL.

184
Q

How would you encrypt log group data in CloudWatch using a KMS Customer Master Key, and why this approach?

A

Use the AWS CLI associate-kms-key command and specify the KMS key ARN

Log group data is always encrypted in CloudWatch logs - you can optionally use KMS for this encryption.

185
Q

You have uploaded a zip file to AWS Lambda that contains code files written in Node.js. When your function is executed you receive the following output, ‘Error: Memory Size: 10,240 MB Max Memory Used’.

Which of the following explains the problem?

A

Your function ran out of RAM

186
Q

What does SSE-C mean?

A

Server Side Encryption with Customer-provided encryption keys

187
Q

Why does S3 reject any requests made over HTTP using SSE-C?

A

HTTP is not secured. When using SSE-C, you must provide your encryption key as part of the request. AWS will treat this key as compromised when using HTTP, and reject the request.

188
Q

What are the possible target types for an ALB?

A

Instance, IP and Lambda

189
Q

How can you specify IP addresses from an ALB?

A

Only from specific CIDR blocks - you can’t specify publicly routable IP addresses

190
Q

How can you ensure that source code is encrypted in transit and at rest when using CodeCommit?

A

No need, repositories automatically encrypt data in transit and at rest with CodeCommit.

191
Q

What service could you use to serve static content from S3 and dynamic content from an ALB while keeping latency low across a global website?

A

CloudFront with multiple origins (one origin for S3, one for the ALB). CloudFront will use edge locations to serve content via the lowest latency route.

192
Q

How could you collect system memory metrics, such as RAM statistics, from EC2 instances?

A

Use a cron job on the instances that pushes EC2 RAM stats as a Custom Metric to CloudWatch.

193
Q

How do you set up X-Ray on Docker containers deployed to AWS Fargate?

A

Deploy the X-Ray daemon agent as a sidecar container, and provide the correct IAM task role to the X-Ray container

194
Q

How do you set up HTTPS on Beanstalk?

A

Create a config file in the .ebextensions folder to configure the load balancer (assign a server certificate)

195
Q

What CLI options do you use to limit the results of a S3 List call to 100 results per page?

A

--starting-token and --max-items

196
Q

How can you reduce throttling when using KMS for encryption?

A

Use the data key caching feature with the AWS Encryption SDK.

197
Q
A