Udemy Course Flashcards

Question 1

Q

What is the Recycle Bin?

Answer

A

A recycle bin for EBS Snapshots and AMIs

Question 2

Q

ALBs can route traffic to different Target Groups based on which 4 things?

Answer

A

URL Path
Hostname
HTTP Headers
Query Strings

Question 3

Q

True or False; You can attach an Elastic IP address to Application Load Balancers?

Question 4

Q

What cookie names are reserved by the ELB (3)?

Answer

A

AWSALB
AWSALBAPP
AWSALBTG

Question 5

Q

What is Server Name Indication (SNI)?

Answer

A

Server Name Indication (SNI) allows you to expose multiple HTTPS applications each with its own SSL certificate on the same listener.

Question 6

Q

What is the maximum number of Read Replicas you can add in an ElastiCache Redis Cluster with Cluster-Mode Disabled?

Question 7

Q

EBS Volumes are network drives or physical drives?

Answer

A

Network drives

Question 8

Q

True or False; EBS volumes are locked to an Availability Zone?

Question 9

Q

True or False; EBS volumes have a provisioned capactiy?

Question 10

Q

True or False; you can attach multiple EBS volumes to an EC2 instance?

Question 11

Q

What happens by default to EBS volumes attached to an EC2 instance, when the EC2 instance is terminated?

Answer

A

By default:
- the root EBS volume is deleted
- any other attached EBS volume is not deleted

Question 12

Q

True or False; EBS snapshots can be copied across AZs and Regions?

Question 13

Q

How much cheaper are EBS snapshots stored in the ‘archive tier’?

Question 14

Q

How long do EBS snapshots in the archive tier take to be restored?

Answer

A

24 - 72 hours

Question 15

Q

Is it possible to retain deleted EBS snapshots?

Answer

A

Yes, in the recycle bin

Question 16

Q

How do you quickly restore an EBS snapshot?

Answer

A

Use Fast Snapshot Restore (FSR)

Question 17

Q

True or False; AMI can be used in any region?

Answer

A

False; they are region specific, but can be copied across regions

Question 18

Q

What type of disk to use with an EC2 instance if you require high-performance?

Answer

A

EC2 Instance Store

Question 19

Q

What are io1 / io2 (Provisioned IOPS) EBS Volumes best used for?

Answer

A

Highest performance SSD volume for mission-critical low-latency or high-throughput workloads

Question 20

Q

What is st1 (Throughput optimised) EBS Volumes used for?

Answer

A

Low cost HDD volume designed for frequently accessed, throughput-intensive workload

Question 21

Q

What is sc1 (Cold HDD) EBS Volumes used for?

Answer

A

Lowest cost HDD volume designed for less frequently accessed workloads

Question 22

Q

What EBS volumes can be used as boot volumes?

Answer

A

gp2/gp3 and io1/io2 only

Question 23

Q

Volume size of EBS volume gp2/gp3?

Answer

A

1GB - 16TB

Question 24

Q

gp3 baseline IOPS and throughput?

Answer

A

3000 IOPS and 125MB throughput

Question 25

Q

gp3 max IOPS and throughput?

Answer

A

16,000 IOPS and 1,000 MB throughput

Question 26

Q

True or False; gp3 IOPS and throughput can be scaled independently?

Question 27

Q

gp2 max IOPS?

Question 28

Q

True or False; gp2 size of volume and IOPS are linked?

Question 29

Q

gp2 how many IOPS do you get per GB of volume?

Question 30

Q

io1/io2 volume size?

Answer

A

4GB - 16TB

Question 31

Q

io1/io2 max PIOPS?

Answer

A

64,000 for Nitro EC2 instances and 32,000 for other

Question 32

Q

True or False; io1/io2 PIOPS and storage size are linked?

Question 33

Q

io2 Block Express (EBS volume) volume size?

Answer

A

4GB - 64TB

Question 34

Q

Which EBS volume types support Multi-Attach?

Answer

A

io1/io2 family

Question 35

Q

io2 Block Express (EBS volume) latency?

Answer

A

sub-millisecond latency

Question 36

Q

io2 Block Express (EBS volume) max PIOPS and IOPS ratio?

Answer

A

Max PIOPS = 256,000 with an IOPS:GB ratio of 1,000:1

Question 37

Q

st1 use cases?

Answer

A

Big data warehouses
Log processing

Question 38

Q

st1 volume size

Answer

A

500GB - 15TB

Question 39

Q

sc1 volume size?

Answer

A

500GB - 15TB

Question 40

Q

sc1 use cases?

Answer

A

Data that is infrequently accessed
scenarios where lowest cost is important

Question 41

Q

st1 max IOPS and throughput?

Answer

A

500 IOPS and 500 MB throughput

Question 42

Q

sc1 max IOPS and throughput?

Answer

A

250 IOPS and 250 MB throughput

Question 43

Q

What is EBS multi-attach?

Answer

A

Attach the same EBS volume to multiple EC2 instances in the same AZ
Each instance has full read & write permissions to the high-performance volume

Question 44

Q

How many EC2 instances can you attach to an EBS multi-attach volume at a time?

Answer

A

Up to 16 instances

Question 45

Q

What file system must you use for EBS multi-attach?

Answer

A

A file system that’s cluster-aware (not XFS, EX4, etc)

Question 46

Q

What is EFS (Elastic File System)?

Answer

A

A managed NFS (network file system) that can be mounted on many EC2 instances

Question 47

Q

4 EFS use cases?

Answer

A

content management
web serving
data sharing
wordpress

Question 48

Q

What protocol does EFS use?

Question 49

Q

How is EFS access controlled?

Answer

A

Through security groups

Question 50

Q

What AMIs is EFS compatible with?

Answer

A

Linux based AMIs, not windows based AMIs

Question 51

Q

True or False; EFS requires capacity planning?

Answer

A

False; it scales automatically and is pay-per-use

Question 52

Q

What can EFS scale to?

Answer

A

1,000s of concurrent NFS clients with 10 GB / s throughput
Petabytes-scale

Question 53

Q

What 2 modes does EFS have?

Answer

A

Performance mode (set at EFS creation time)
Throughput mode

Question 54

Q

What are the two EFS performance modes?

Answer

A

General purpose (default): latency-sensitive use cases
Max I/O: higher latency, throughput, highly parallel

Question 55

Q

What are the two EFS throughput modes?

Answer

A

Bursting (1TB = 50MB + burst of up to 100 MBs)
Provisioned: set your throughput regardless of storage size

Question 56

Q

What are the two EFS storage tiers?

Answer

A

Standard: for frequently accessed files
Infrequent Access: cost to retrieve files, lower price to storage

Question 57

Q

What are the 2 availability options for EFS?

Answer

A

Standard: which is Multi-AZ
One Zone: Single AZ

Question 58

Q

What are load balancers?

Answer

A

Load Balancers are servers that forward traffic to multiple servers (e.g., EC2 instances) downstream

Question 59

Q

What are Elastic Load Balancer health checks run against?

Answer

A

On a port and a route

Question 60

Q

What is an unhealthy response to an Elastic Load Balancers health check?

Answer

A

Any response that is not 200 (OK)

Question 61

Q

What are the 4 kinds of AWS managed Load Balancers?

Answer

A

Classic Load Balancer (depreciated) (CLB)
Application Load Balancer (ALB)
Network Load Balancer (NLB)
Gateway Load Balancer (GWLB)

Question 62

Q

3 protocols used by ALB?

Answer

A

HTTP
HTTPs
Websockets

Question 63

Q

3 protocols used by NLB?

Answer

A

TCP
TLS
UDP

Question 64

Q

What layer does the GWLB operate at?

Answer

A

Layer 3 (Network Layer)

Answer 52

A

Routing based on path in URL (example.com/users & example.com/posts)
Routing based on hostname in URL (one.example.com & other.example.com)
Routing based on Query String, Headers (example.com/users?id=123&order=false)

Answer 53

A

EC2 instances
ECS tasks
Lambda functions
IP addresses (must be private IP addresses)

Answer 54

A

At the target group level

Answer 55

A

Yes, 1 per AZ

Answer 56

A

EC2 instances
IP addresses (must be private IP addresses)
Application Load Balancer

Answer 57

A

Analyse network traffic. It allows you to deploy, scale and manage a fleet of 3rd party network virtual appliances in AWS

Answer 58

A

Layer 3 - Network Layer (IP Packets)

Answer 59

A

Transparent Network Gateway (single entry/exit for all traffic)
Load Balancer (distributes traffic to your virtual appliances)

Answer 60

A

GENEVE protocol on port 6081

Answer 61

A

EC2 instances
IP addresses (must be private IPs)

Answer 62

A

By using cookies, which have an expiration date you control

Answer 63

A

Making sure that the user doesn’t lose his session data

Answer 64

A

It may bring imbalance to the load over the backend EC2 instances

Answer 65

A

AWSALB
AWSALBAPP
AWSALBTG
AWSELB

Answer 66

A

It distributes the balance evenly across all registered instances in all AZs

Answer 67

A

ALB:
- Enabled by default
- No charges for inter AZ data

NLB & GWLB:
- Disabled by default
- Charges for inter AZ data if enabled

Answer 68

A

It allows traffic between your client and your load balancer to be encrypted in transit (in-flight encryption)

Answer 69

A

Secure Sockets Layer and Transport Layer Security

Answer 70

A

Certificate Authorities (CA)

Answer 71

A

X.509 certificate

Answer 72

A

It solves the problem of loading multiple SSL certificates onto one web server (to serve multiple websites)

Answer 73

A

It requires the client to indicate the hostname of the target server in the initial SSL handshake.
The server will then find the correct certificate, or return the default one

Answer 74

A

The time to complete “in-flight requests” while the instance is de-registering or unhealthy

Answer 75

A

Launch Template
Min Size / Max Size / Initial Capacity
Scaling Policies

Answer 76

A

AMI + Instance Type
EC2 User Data
EBS Volumes
Security Groups
SSH Key Pair
IAM Roles for your EC2 Instances
Network + Subnets Information
Load Balancer Information

Answer 77

A

True, an alarm monitors a metric (such as Average CPU, or a custom metric)

Answer 78

A

CPUUtilisation - Average CPU utilisation across your instances
RequestCountPerTarget - to make sure the number of requests per EC2 instance is stable
Average Network In / Out - if your application is network bound)
Any custom metric - that you push using CloudWatch

Answer 79

A

False, it is a managed service

Answer 80

A

Help you instance storage on your RDS DB instance dynamically
When RDS detects you are running out of free storage, it scales automatically
Avoids manually scaling your database storage
You have to set the Maximum Storage Threshold (max limit for DB storage)

Answer 81

A

Read Scalability

Answer 82

A

False; can be within the same AZ, Cross AZ or Cross Region

Answer 83

A

False, they use Asynchronous replication, so reads are eventually consistent

Answer 84

A

Same region replication is free
Cross region replication is NOT free

Answer 85

A

Disaster Recovery

Answer 86

A

Synchronous replication

Answer 87

A

False; it uses one DNS name, with automatic app failover to standby

Answer 88

A

True; it does this through via taking a snapshot and synchronisation

Answer 89

A

Automatically, in increments of 10GB

Answer 90

A

Instantaneous

Answer 91

A

6 copies of your data across 3 AZs
– 4 copies out of 6 needed for writes
– 3 copies out of 6 needed for reads
– Self healing with peer-to-peer replication

Answer 92

A

Restores data at any point of time without using backups

Answer 93

A

Database master & replicas encryption using AWS KMS - must be defined at launch time
If the master is not encrypted, the read replicas cannot be encrypted
To encrypt an un-encrypted database, go through a DB snapshot and restore as encrypted

Answer 94

A

RDS DBs are TLS-ready by default, use the AWS TLS root certificates client-side

Answer 95

A

Caches are in-memory databases with really high performance, low latency
Helps reduce the load of database for read intensive workloads
Help make your application stateless

Answer 96

A

False; ElastiCache involves heavy application code changes

Answer 97

A

Memecached

Answer 98

A

Memcached

Answer 99

A

Memcached

Answer 100

A

Memcached

Answer 101

A

Memcached

Answer 102

A

Cache is checked first, if cache hit, data is returned. If cache miss, data is read from the database and written to cache

Answer 103

A

Pros:
- Only requested data is cached (the cache isn’t filled up with unused data)
- Node failures are not fatal (just increased latency to warm the cache)

Cons:
- Cache miss penalty that results in 3 round trips, noticeable delay for that request
- Stale data: data can be updated in the database and outdated in the cache

Answer 104

A

Add or Update the cache whenever the database is updated

Answer 105

A

Pros:
- Data in cache is never stale
- Reads are quick
- Write penalty vs read penalty (each write requires 2 calls)

Cons:
- Missing Data until it is added / updated in the DB. Mitigation is to implement Lazy Loading strategy as well
- Cache churn - a lot of the data will never be read

Answer 106

A

You delete the item explicitly in the cache
Item is evicted because the memory is full and it’s not recently used (LRU)
You set an item time-to-live (TTL)

Answer 107

A

One shard, all nodes have all the data
One primary node, up to 5 replicas
Asynchronous replication
Primary node is used for read/write
Other nodes are read-only
Multi-AZ enabled by default for failover
Helpful to scale read performance

Answer 108

A

Data is partitioned across shards
Each shard has a primary and up to 5 replica nodes
Multi-AZ capability
Up to 500 nodes per cluster
Helpful to scale writes

Answer 109

A

Domain Name System, it translates the human friendly hostnames into the machine IP addresses

Answer 110

A

Contains DNS records

Answer 111

A

Resolves DNS queries

Answer 112

A

A highly available, scalable, fully managed and Authoritative DNS
Also a Domain Registrar
Has the ability to check the health of your resources

Answer 113

A

Maps a hostname to IPv4

Answer 114

A

Maps a hostname to IPv6

Answer 115

A

It maps a hostname to another hostname

Answer 116

A

The target is a domain which must have an A or AAAA record
Can’t create a CNAME record for the top node of a DNS namespace (Zone Apex), eg, example.com

Answer 117

A

Name Servers for the Hosted Zone - control how traffic is routed for a domain

Answer 118

A

A container for records that define how to route traffic to a domain and its subdomains

Answer 119

A

True, except for Alias records

Answer 120

A

CNAME:
- Point a hostname to any other hostname (app.mydomain.com => blabla.anything.com)
- ONLY FOR NON ROOT DOMAIN (aka. something.mydomain.com)

Alias:
- Points a hostname to an AWS Resource (app.mydomain.com => blabla.amazonaws.com)
- WORKS for ROOT DOMAIN and NON ROOT DOMAIN (aka mydomain.com)
- Free of charge
- Native health check

Answer 121

A

Maps a hostname to an AWS resource
Always of type A/AAAA for AWS resource

Answer 122

A

Alias records have no TTL

Answer 123

A

ELBs
CloudFront Distributions
API Gateway
Elastic Beanstalk environments
S3 Websites
VPC Interface Endpoints
Global Accelerator
Route 53 record in the same hosted zone

Answer 124

A

Define how Route 53 responds to DNS queries
DNS does not route traffic, it only responds to the DNS queries

Answer 125

A

Simple
Weighted
Failover
Latency based
Geolocation
Geoproximity
Multi-Value answer

Answer 126

A

Typically routes traffic to a single resource
Can specify multiple values in the same record, in which case a random one is chosen by the client

Answer 127

A

True, has a failover capability

Answer 128

A

False; for public resources only

Answer 129

A

Health checks that monitor an endpoint
Health checks that monitor other health checks
Health checks that monitor CloudWatch Alarms

Answer 130

A

About 15 global health checkers will checker the endpoint health
Healthy / unhealthy threshold is 3 (default)
If > 18% of health checkers report the endpoint is healthy, Route 53 considers it Healthy, otherwise, it’s unhealthy

Answer 131

A

Only when the endpoint responds with the 2xx and 3xx status codes
Health Checks can be setup to pass / fail based on the text in the first 5,120 bytes of the response

Answer 132

A

Combine the results of multiple health checks (children) into a single Health Check (parent)
You can use OR, AND, or NOT
Can monitor up to 256 Child Health Checks
Specify how many of the child health checks needed to pass to make the parent pass

Answer 133

A

True, Route 53 health checkers are outside the VPC.

You can create a CloudWatchMetric and associate a CloudWatch Alarm, then create a Health Check that checks the alarm itself

Answer 134

A

Routing based on user location
Specify location by continent, country or by US state
Should create a “Default” record in case of no match

Answer 135

A

Route traffic to your resources based on the geographic location of users resources
You have the ability to shift more traffic to resource based on the defined bias

Answer 136

A

Route 53 Traffic Flow

Answer 137

A

It simplifies the process of creating and maintaining records in large and complex configurations
Configurations can be saved as Traffic Flow Policy

Answer 138

A

Use when routing traffic to multiple resources
Route 53 returns multiple values/resources
Can be associated with Health Checks

Answer 139

A

1, Create a Hosted Zone in Route 53
2, Update NS Records on 3rd party website to use Route 53 Name Servers

Answer 140

A

a private network to deploy your resources (regional resource)

Answer 141

A

Allow you to partition your network inside your VPC (availability zone resource)

Answer 142

A

a subnet that is accessible from the internet

Answer 143

A

a subnet that is not accessible from the internet

Answer 144

A

Use route tables

Answer 145

A

Allow your instances in your Private Subnets to access the internet while remaining private

Answer 146

A

A firewall which controls traffic from and to subnets
Can have ALLOW and DENY rules
Are attached at subnet level
Rule only include IP addresses

Answer 147

A

A firewall that controls traffic to and from an ENI / an EC2 Instance
Can have only ONLY rules
Rules include IP addresses and other security groups

Answer 148

A

Stateless

Answer 149

A

All rules are evaluated before deciding whether to allow traffic

Answer 150

A

Rules are processed in number order when deciding whether to allow traffic

Answer 151

A

Capture information about IP traffic going into your interfaces (VPC Flow Logs, Subnet Flow Logs and ENI Flow Logs)
Helps to monitor & troubleshoot connectivity issues

Answer 152

A

S3 and CloudWatch Logs

Answer 153

A

Connects two VPCs, privately using AWS’ network
Makes them behave as if they were in the same network

Answer 154

A

Peered VPCs must not have overlapping CIDR (IP address range)

Answer 155

A

VPC Endpoints allow you to connect to AWS Services using a private network instead of the public www network
This gives you enhanced security and lower latency to access AWS services

Answer 156

A

S3 & DynamoDB

Answer 157

A

Others services (S3 and DynamoDB are used with VPC Endpoint Gateway)

Answer 158

A

Connect an on-premises VPN to AWS
Connection is automatically encrypted
Goes over the public internet

Answer 159

A

Establishes a physical connection between on-premises and AWS
The connection is private, secure and fast
Goes over a private network
Take at least a month to establish

Answer 160

A

Region level

Answer 161

A

Globally unique
No uppercase, no underscore
3-63 characters long
not an IP
Must start with lowercase letter or number
Must NOT start with the prefix xn–
Must NOT end with the suffix -s3alias

Answer 162

A

If uploading more than 5GB

Answer 163

A

Buckets and objects

Answer 164

A

Allow / Deny

Answer 165

A

Set of API to Allow or Deny

Answer 166

A

The account or use to apply the policy to

Answer 167

A

Bucket level

Answer 168

A

Versioning must be enabled in source and destination buckets

Answer 169

A

asynchronous

Answer 170

A

S3 Batch Replication

Answer 171

A

Yes (optional setting)

Answer 172

A

False (to avoid malicious deletes)

Answer 173

A

S3 Standard
S3 Standard Infrequent Access (IA)
S3 One zone Infrequent Access
S3 Glacier Instant Retrieval
S3 Glacier Flexible Retrieval
S3 Glacier Deep Archive
S3 Intelligent Tiering

Answer 174

A

Millisecond retrieval, great for data accessed once a quarter
Minimum storage duration of 90 days

Answer 175

A

Has different retrieval options
Expedited (1 to 5 minutes)
Standard (3 - 5 hours)
Bulk (5 - 12 hours)
Minimum storage duration 90 days

Answer 176

A

For term storage
Standard retrieval (12 hours)
Bulk retrieval (48 hours)
Minimum storage duration of 180 days

Answer 177

A

Move objects automatically between Access Tiers based on usage
Small monthly monitoring and auto-tiering fee
There are no retrieval charges

Answer 178

A

sts decode-authorization-message

Answer 179

A

169.254.169.254/latest/meta-data

Answer 180

A

False;
- IAM Role name: YES
- IAM Policy: NO

Answer 181

A

You must create a temporary session by running the STS GetSessionToken API call:
aws sts get-session-token –serial-number arn-of-the-mfa-device –token-code code-from-token –duration-seconds 3600

Answer 182

A

Java
.NET
Node.js
PHP
Python
Go
Ruby
C++

Answer 183

A

100 calls per second

Answer 184

A

5500 GET per second per prefix

Answer 185

A

Implement Exponential Backoff

Answer 186

A

Request an API throttling limit increase

Answer 187

A

1152 vCPU

Answer 188

A

Server errors

Answer 189

A

client errors

Answer 190

A

1, Command Line options: –region, –output, and –profile
2, Environment Variables - AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN
3, CLI credentials file - aws configure
4, CLI configuration file - aws configure
5, Container credentials - for ECS tak
sks
6, Instance profile credentials - for EC2 Instance Profiles

Answer 191

A

1, Java system properties - aws.accessKeyId and aws.secretKey
2, Environment variables - AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
3, The default credentials profile file - ex at: ~/.aws/credentials, shared by many SDKs
4, Amazon ECS container credentials - for ECS containers
5, Instance profile credentials - used on EC2 instances

Answer 192

A

Signature v4 (SigV4). If you use the SDK or CLI, the HTTP requests are signed for you

Answer 193

A

Transition Actions (configure objects to transition to another storage class)
Expiration Actions (configure objects to expire (delete) after some time

Answer 194

A

True (*.jpg)

Answer 195

A

Typically in seconds, but can sometimes take a minute or longer

Answer 196

A

SQS
SNS
Lambda
EventBridge

Answer 197

A

Advanced Filtering options with JSON rules (metadata, object size, name)
Multiple Destinations (Step Functions, Kinesis Streams / Firehose)
EventBridge Capabilities (Archive, Replay Events, Reliable delivery)

Answer 198

A

Requests per second per prefix:
- 3,500 PUT/COPY/POST/DELETE
- 5,000 GET/HEAD

Answer 199

A

Spread requests across multiple prefixes

Answer 200

A

Increase object upload speed by transferring file to an AWS edge location which will forward the data to the S3 bucket in the target region

Answer 201

A

Parallelise GETs by requesting specific byte ranges

Answer 202

A

Better resilience in case of failures
Can be used to speed up downloads
Can be used to retrieve only partial data (eg, the head of a file)

Answer 203

A

Retrieve less data using SQL by performing server-side filtering
Can filter by row & columns (simple SQL statements)
Less network transfer, less CPU cost client side)

Answer 204

A

Server-Side encryption with Amazon S3-Managed Keys (SSE-S3)
Server-Side encryption with KMS Keys stored in AWS KMS (SSE-KMS)
Server-Side encryption with Customer-Provided Keys (SSE-C)
Client-Side Encryption

Answer 205

A

“x-amz-server-side-encryption”:”AES256”

Answer 206

A

User control
Audit key usage using CloudTrail

Answer 207

A

“x-amz-server-side-encryption”:”aws:kms”

Answer 208

A

False; you might be

Answer 209

A

Use a bucket policy and refuse any API call to PUT an S3 object without encryption headers
Use the “default encryption” option in S3

Answer 210

A

Cross-Origin Resource Sharing
Same origin: http://example.com/app1 & http://example.com/app2
Different origins: http://www.example.com & http://other.example.com
The request won’t be fulfilled unless the other origin allows for the requests, using CORS Headers

Answer 211

A

Versioning must be enabled on the bucket

Answer 212

A

Only the bucket owner (root account)

Answer 213

A

For audit purposes, you may want to log all access to S3 buckets
Any request made to S3, from any account, authorised or denied, will be logged into another S3 bucket

Answer 214

A

S3 console
AWS CLI
AWS SDK

Answer 215

A

They inherit the permissions of the user that generated the URL

Answer 216

A

1 min - 12 hours

Answer 217

A

Max 168 hours
Default 1 hour

Answer 218

A

Access Points can used used access S3 buckets.
They can be granted read and / or write access to different buckets
Making it easier to manage than complex buckete policies

Answer 219

A

Use AWS Lambda Functions to change the object before it is retrieved by the caller application
Only one S3 bucket is needed on top of which we create an S3 Access Point and S3 Object Lambda Access Points

Answer 220

A

S3 Bucket

Custom Origin (HTTP):
- Application Load Balancer
- EC2 Instance
- S3 Website
- Any HTTP backend you want

Answer 221

A

Headers
Session Cookies
Query String Parameters

Answer 222

A

By using the CreateInvalidation API

Answer 223

A

By using an Allowlist or Blocklist

Answer 224

A

CloudFront Signed URL / Signed Cookies

Answer 225

A

False; it varies per location

Answer 226

A

1, Price Class All: all regions - best performance
2, Price Class 200: most regions, but excludes the most expensive regions
3, Price Class 100: only the least expensive regions

Answer 227

A

Used to route to different kinds of origins based on the content type, using path patterns

Answer 228

A

Has one primary and one secondary origin, if the primary origin fails, the second one is used

Answer 229

A

Sensitive information is encrypted at the edge, close to the user
Protects user sensitive information through application stack
Adds an additional layer of security along with HTTPS

Answer 230

A

Create Dockerfile
Use Dockerfile to build Docker image
Use Docker image to run docker container

Answer 231

A

The ECS Agent

Answer 232

A

False, you just create task definitions

Answer 233

A

It is serverless
You just create task definitions
AWS just runs ECS Tasks for you based on the CPU / RAM you need
To scale, just increase the number of tasks.

Answer 234

A

Allows each task to have a specific role
Use different roles for the different ECS services you run
Task Role is defined in the task definition

Answer 235

A

Yes, ALB and NLB

Answer 236

A

False; S3 cannot be used as a file system

Answer 237

A

Automatically increase / decrease the desired number of ECS tasks

Answer 238

A

Target Tracking (scale based on target value for a specific CloudWatch metric)
Step Scaling (scale based on a specific CloudWatch Alarm
Scheduled Scaling (scale based on a specified date/time (predictable changes))

Answer 239

A

When updating from v1 to v2, we can control how many tasks can be started and stopped, and in which order

Answer 240

A

Task definitions are metadata in JSON form to tell ECS how to run a Docker container

Answer 241

A

Image Name
Port Binding for Container and Host
Memory and CPU required
Environmental variables
Networking information
IAM Role
Logging configuration (eg CloudWatch)

Answer 242

A

We get a Dynamic Host Port Mapping if you define only the container port in the task definition
The ALB finds the right port on your EC2 instances
You must allow on the EC2 instance’s Security Group any port from the ALB’s Security Group

Answer 243

A

Each task has a unique private IP
Only define the container port (host port is not applicable)

Answer 244

A

Aloow you to share data between multiple containers in the same Task Definition
Works for both EC2 and Fargate Tasks

Answer 245

A

1, Identify the instances that satisfy the CPU, memory, and port requirements in the task definition
2, Identify the instances that satisfy the task placement constraints
3, Identify the instances that satisfy the task placement strategies
4, Select the instances for task placement

Answer 246

A

1, Binpack:
- Place tasks based on the least available amount of CPU or memory
- this minimises the number of instances in use (cost saving)

2, Random:
- Place the task randomly

3, Spread:
- Place the task evenly based on the specified value

Answer 247

A

distinctInstance (place each task on a different container instance)
memberOf (places task on instances that satisfy an expression, eg, type t2.*. Usese the Cluster Query Language)

Answer 248

A

Elastic Container Registry
Store and mange Docker images on AWS
Private and public repository
Fully integrated with ECS, backed by S3
Access controlled through IAM
Supports image vulnerability scanning, versioning, image tags, image lifecycle, …

Answer 249

A

Kubernetes is an open-source system for automatic deployment, scaling and management of containerised (usually Docker) application

Kubernetes is cloud-agnostic (can be used in any cloud)

Answer 250

A

Elastic Kubernetes Service
It is a way to launch managed Kubernetes clusters on AWS
It’s an alternative to ECS, similar goal but different API
EKS supports EC2 if you want to deploy worker nodes or Fargate to deploy serverless containers

Answer 251

A

1, Managed Node Groups:
- Creates and manages Nodes (EC2 instances) for you
- Nodes are part of an ASG managed by EKS
- Supports On-Demand or Spot Instances

2, Self-Managed Nodes:
- Nodes created by you and registered to the EKS cluster and managed by an ASG
- You can use prebuilt AMI - Amazon EKS Optimised AMI
- Supports On-Demand or Spot Instances

3, AWS Fargate:
- No maintenance required; no nodes managed

Answer 252

A

a Container Storage Interface (CSI) compliant driver

Answer 253

A

EBS
EFS (works with Fargate)
FSx for Lustre
FSx for NetApp ONTAP

Answer 254

A

A managed service for deploying an application on AWS
Automatically handles capacity provisioning, load balancing, scaling, application health monitoring, instance configuration…
Just the application code is the responsibility of the developer
We still have full control over the configuration

Answer 255

A

Application: collection of Elastic Beanstalk component (environments, versions, configurations, …)
Application Version: an iteration of your application code
Environment:
– Collection of AWS resources running an pplication version (only one application version at a time)
– Tiers: web server environment tier & worker environment tier
– You can create multiple enviornments (dev, test, prod, …)

Answer 256

A

Go
Java
.NET
Node.js
PHP
Python
Ruby
Packer Builder
Docker (single container | Multi-container | Preconfigured)

If not supported, you can write your custom platform (advanced)

Answer 257

A

All at once (deploy all in one go)
Rolling
Rolling with additional batches
-Immutable
Blue / Green
Traffic Splitting

Answer 258

A

Turn off old, turn on new
Fastest deployment
Application has downtime
Great for quick iteration in development environment

Answer 259

A

Turn off a few old, replace with new
Application is running below capacity
Can set the bucket size
Application is running both version of the app simultaneously
No additional cost
Long deployment

Answer 260

A

Rolling, but new versions are added, before old are removed
Application is running at capacity
Can set the bucket size
Application is running both versions simultaneously
Small additional cost
Additional batch is removed at the end of the deployment
Longer deployment
Good for production environment

Answer 261

A

New app versions are deployed to new instances in a temporary ASG
If ok, they are merged with the current (original) ASG
Then the original instances are terminated
Zero downtime
High cost, double capacity
Longest deployment
Quick rollback in case of failures (just terminate new ASG)
Great for production

Answer 262

A

Not a ‘direct feature’ of Elastic Beanstalk
Create a new “stage” environment and deploy v2 there
Use Route 53 to setup weighted policies to redirect a little bit of traffic to the stage environment
The new environment can be validated independently and roll back if issues
Zero downtime and release facility
Use Beanstalk, “swap URLs” when done with the environment test

Answer 263

A

True: EB CLI

Answer 264

A

Describe dependencies (requirements.txt for python)
Package code
Console: upload zip file (create new app version), and the deploy
CLI: create new app version using CLI (uploads zip), and then deploy
Elastic Beanstalk will deploy the zip on each EC2 instance, resolve dependencies and start the application

Answer 265

A

Elastic Beanstalk can store at most 1,000 application versions
If you don’t remove old versions, you won’t be able to deploy any more
To phase out old application versions, use a lifecycle policy (based on time or space)
Versions that are currently used won’t be deleted
Option not to delete the source bundle in S3 to prevent data loss

Answer 266

A

All the parameters set in the UI can be configured with code using files

Requirements:
- must be in the .ebextensions/ directory in the root of source code
- YAML / JSON format
- .config extensions (eg, logging.config)
- Able to modify some default settings using: option_settings
- Ability to add resources such as RDS, ElastiCache, DynamoDB, etc…

Resources managed by .ebextensions get deleted if the environment goes away

Answer 267

A

Elastic Beanstalk relies on CloudFromation

You can define CloudFormation resources in your .ebextensions to provision ElastiCache, an S3 Bcuket, anything you want!

Answer 268

A

True.

You can clone an environment with the exact same configuration
Useful for deploying a “test” version of your app
All resources and configuration are preserved

Answer 269

A

False; you have to migrate it

Answer 270

A

1, Create a new environment with the same configuration except LB
2, deploy your application into the new environment
3, perform a CNAME swap or Route53 update

Answer 271

A

RDS can be provisioned with Beanstalk, which is great for dev / test
This is not great for prod as the database lifecycle is tied to the Beanstalk environment lifecycle
The best for prod is to separately create an RDS database and provide our EB app with the connection string

Answer 272

A

Either provide:

Dockerfile: Beanstalk will build and run the Docker container
Dockerrun.aws.json(v1): describe where already built Docker image is (Image, Ports, Volumes, Logging etc)

Answer 273

A

Multi Docker container helps run multiple containers per EC2 instance in Elastic Beanstalk

Answer 274

A

ECS cluster
EC2 instances, configured to use the ECS Cluster
Load Balancer (in high availability mode)
Task definitions and execution

Answer 275

A

Requires a config Dockerrun.aws.json (v2) file at the root of source code
Dockerrun.aws.json is used to generate the ECS task definition
Your Docker images must be pre-built and stored in ECR for example

Answer 276

A

Define an AMI using Platform.yaml file
Build that platform using the Packer software (open source tool to create AMIs)

Answer 277

A

Custom Image is to tweak an existing Beanstalk Platform
Custom Platform is to create an entirely new Beanstalk Platform

Answer 278

A

Used for stoing our code

Answer 279

A

Used for automating our pipeline from code to Elastic Beanstalk

Answer 280

A

Used for building and testing our code

Answer 281

A

Used for deploying the code to EC2 instances (not Elastic Beanstalk)

Answer 282

A

Used to manage software development activities in one place

Answer 283

A

Used to store, publish, and share software packages

Answer 284

A

Used to automate code reviews using Machine Learning

Answer 285

A

Devlopers push the code to a code repo often (Github, CodeCommit)
A testing / build server checks the code as soon as it’s pushed (CodeBuild, Jenkins CI)
The developer gets feedback about the tests and checks that have passed / failed
_ Find bugs early, then fix bugs
Deliver faster as the code is tested
Deploy often

Answer 286

A

Ensures that the software can be released reliably whenever needed
Ensure deployments happen often and are quick
Shift way from “one release every 3 months” to “5 releases a day”
that usually means automated deployment (eg, CodeDeploy, Jenkins CD)

Answer 287

A

Private git repositories
No size limit on repositories
Fully managed, highly available
Code only in AWS Cloud account => increased security and compliance
Security (encrypted, access control)
Integrated with Jenkins, AWS CodeBuild, and other CI tools

Answer 288

A

It uses IAM policies to manage users / roles permissions to repositories

Answer 289

A

Visual Workflow to orchestrate your CICD
Source - CodeCommit, ECR, S3, Bitbucket, Github
Build - CodeBuild, Jenkins
Test: CodeBuild, 3rd party tools
Deploy - CodeDeploy, Elastic Beanstalk, CloudFormation, ECS
Consists of stages
– Each stage can have sequential actions and / or parallel actions, eg, build -> Test -> Deploy -> Load Testing -> …
– Manual approval can be defined at any stage

Answer 290

A

In S3 buckets

Answer 291

A

Code file buildspec.yml or insert manually in Console

Answer 292

A

S3 or CloudWatchLogs

Answer 293

A

CloudWatch metrics

Answer 294

A

Use CloudWatch Events

Answer 295

A

CloudWatch Alarms

Answer 296

A

Java
Ruby
Python
Go
Node.js
Android
.NET Core
PHP
Docker (extend any environment you like)

Answer 297

A

At the root of your code

Answer 298

A

True ( after installing Docker)

Useful for deep troubleshooting
Leverage the CodeBuild Agent

Answer 299

A

OUtside - it cannot access resources in a VPC

Answer 300

A

Yes, you can specify:
- VPC ID
- Subnet IDs
- Security Group IDs

Then your build can access resources in your VPC

Answer 301

A

CodeDeploy

Answer 302

A

Each EC2 Instance / on-premises server must be running the CodeDeploy agent
The agent is continuously polling AWS CodeDeploy for work to do
Application + appspec.yml is pulled from Github or S3
EC2 instance will run the deployment instructions in appspec.yml
CodeDeploy Agent will report of success/failure of the deployment

Answer 303

A

How to source and copy from S3 / Github to filesystem
- source
- destination

Answer 304

A

Hooks are a set of instructions to deploy the new version (hooks can have timeouts)

Answer 305

A

ApplicationStop
DownloadBundle
BeforeInstall
Install
AfterInstall
ApplicationStart
ValidateService (important)

Answer 306

A

One At A Time
Half At A Time
All At Once
Custom

Answer 307

A

EC2 Instances stay in “Failed” state
New deployments will first be deployed to failed instances

Answer 308

A

To rollback, redeploy old deployment or enable automated rollback for failures

Answer 309

A

A new Auto-Scaling Group is created (settings are copied)
Choose how long to keep the old EC2 instances (old ASG)
Must be using an ELB

Answer 310

A

CodeDeploy redeploys the last known good revision as a new deployment (not a restored version)

Answer 311

A

-Quickly create “CICD-ready” projects for EC2, LAmbda, Elastic Beanstalk
-An integrated solution that groups: Github, CodeCommit, CodeBuild, CodeDeploy, CloudFormation, CodePipeline, CloudWatch…

Answer 312

A

Software packages depend on each other to be built (also called code dependencies), and new ones are created
Storing and retrieving these dependencies is called artifact management
CodeArtifact is a secure, scalable, and cost-effective artifact management for software development

Answer 313

A

An ML-powered service for automated code reviews and application performance recommendations

Answer 314

A

CodeGuru reviewer: automated code reviews for static code analysis (development)
CodeGuru Profiler: visibility/recommendations about application performance during runtime (production)

Answer 315

A

What programming languages does CodeGuru reviewer support?
- Java
- Python

Answer 316

A

CloudFormation is a declarative way of outlines your AWS Infrastructure, for any resources (most of them are supported)
Within a CloudFormation template you define what resources you want
Then CloudFormation creates those for you, in the right order, with the exact configuration that you specify

Answer 317

A

Infrastructure as code:
- No resources are manually created, which is excellent for control
- The code can be version controlled
- Changes to the infrastructure are reviewed through code

Cost:
- Each resource with the stack is tagged with an identifier so you can easily see how much as stack costs you
- You can estimate the costs of your resources using CloudFormation template
-Savings strategy: In Dev, you could automate deletion of templates at 5PM and recreate at 8AM, safely

Productivity:
-Ability to destroy and re-create an infrastructure in the cloud on the fly
- Automated generation of Diagram for your templates
Declarative programming (no need to figure out ordering and orchestration)

Separation of concern: create many stacks for many apps, and many layers, eg:
- VPC stacks
- Network stacks
- App stacks

Don’ re-invent the wheel:
- Leverage existing templates on the web
- Leverage the documentation

Answer 318

A

Templates have to be uploaded in S3 and then referenced in CloudFormation
To update a template, we can’t edit previous ones. We have to re-upload a new version of the template to AWS
Stacks are identified by a name
Deleting a stack deletes every single artifact that was created by CloudFormation

Answer 319

A

Manually:
- Editing templates in the CloudFormation Designer
- Using the console to input parameters etc

Automated:
- Editing templates in a YAML file
- Using the AWS CLI to deploy the templates
- Recommended way when you fully want to automate your flow

Answer 320

A

1, Resources: your AWS resources declared in the templated (MANDATORY)
2, Parameters: the dytnamic inputs for your template
3, Mappings: the static variables for your template
4, Outputs: References to what has been created
5, Conditionals: List of conditions to performa resource creation
6 Metadata

Answer 321

A

Resources are the core of your CloudFormation Template (MANDATORY)
They represent the different AWS Components that will be created and configured
Resources are declared and can reference each other
AWS figures out create, updates and deletes of resource for us

Answer 322

A

AWS::aws-product-name::data-type-name

Answer 323

A

Parameters are a way to provide inputs to your AWS CloudFormation template
They important if you want to reuse your templates across the company or some inputs can’t be determined ahead of time

Answer 324

A

Parameters can be used anywhere in a template
The shorthand for this in YAML is !Ref
The function can also reference other elements within the template

Answer 325

A

AWS offers us pseudo parameters in any CloudFormation template
These can be used at any time and are enabled by default

Egs:
- AWS::AccountId
- AWS::NotificationARNs
- AWS::NoValue
- AWS::Region
- AWS::StackId
- AWS::StackName

Answer 326

A

Mappings are fixed variables within your CloudFormation template
They’re handy to differentiate between different environments (dev vs prod), regions, AMI types etc

Answer 327

A

Mappings are fixed variables within your CloudFormation template
They’re handy to differentiate between different environments (dev vs prod), regions, AMI types etc
All the values are hardcoded within the template

Answer 328

A

Mappings are great when you know in advance all the values that can be taken and that they can be deducted from variables such as:
- Region
- Availability Zone
- AWS Account
- Environment
- Etc

Answer 329

A

We use Fn::FindInMap to return a named value from a specific key
!FindInMap [ MapName, TopLevelKey, SecondLevelKey ]

Answer 330

A

The outputs sections declares optional output values that we can import into other stacks
You can also view the outputs in the AWS Console or using the AWS CLI
It’s the best way to perform some collaboration cross stack, as you let experts handle their own part of the stack
You can’t delete a CloudFormation Stack if its outputs are being referenced by another CloudFormation stack

Answer 331

A

Conditions are used to control the creation of resources or outputs based on a condition

Answer 332

A

Ref
Fn::GetAtt
Fn::FindInMap
Fn::ImportValue
Fn::Join
Fn::Sub
Condition Functions (Fn::If, Fn::Not, Fn::Equals, etc)

Answer 333

A

Stack Creation Fails:
- Default: everything rolls back (gets deleted). We can look at the log
- Option to disable rollback and troubleshoot what happened

Stack update fails:
- The stack automatically rolls back to the previous known working state
- Ability to see in the log what happened and error messages

Answer 334

A

When you update a stack, you need to know what changes before it happens for greater confidence
ChangeSets won’t say if the update will be successful

Answer 335

A

Nested stacks are stacks as part of other stacks
They allow you to isolate repeated patterns / common components in separate stacks and call them from other stacks
Examples: load balancer configuration that is re-used or security group that is re-used
Nested stacks are considered best practice
To update a nested stack, always update the parent (root stack)

Answer 336

A

Cross stacks:
- Helpful when stacks have different lifecycles
-Use Output Export and Fn::ImportValue
- When you need to pass export values to many stacks (VPC Id, etc…)

Nested Stacks:
- Helpful when components must be re-used
- Eg: how to properly configure an ALB
- The nested stack only is important to the higher level stack (it’s not shared)

Answer 337

A

Create, update, or delete stacks across multiple accounts and regions with a single operation
Administrator account to create StackSets
Trusted accounts to create, update, delete stack instances from StackSets
When you update a stack seyt, all associated stack instances are updated throughout all accounts and regions

Answer 338

A

Helps protect you against manual configuration changes
It allows you to see if your resources have changed since they where created

Answer 339

A

AWS CloudWatch:
- Metrics: Collect and track key metrics
- Logs: Collect, monitor , analyse and store log files
- Events: send notifications when certain events happen in yout AWS
- Alarms: React in real-time to metrics /events

AWS X-Ray:
- Troubleshoot application performance and errors
- Distributed tracing of microservices

AWS CloudTrail:
- Internal monitoring of API calls being made
- Audit changes to AWS REsources by your users

Answer 340

A

CloudWatch provides metrics for every service in AWS
Metric is a variable t monitor
Metrics belong to namespaces
Dimension is an attribute of a metric

Answer 341

A

Possibility to define and send your own custom metrics to CloudWatch

Answer 342

A

PutMetricData

Answer 343

A

S3
Kinesis Data Streams
Kinesis Data Firehose
AWS LAmbda
ElasticSearch

Answer 344

A

CloudWatch Logs can use filter expressions
They can be used to trigger CloudWatch alarms
CloudWatch Logs Insights can be used to query logs and add queries to CloudWatch DashBoards

Answer 345

A

Up to 12 hours
Not near real time or real- time … use Log Subscriptions instead

Answer 346

A

By default, no logs from your EC2 machine will go to CloudWatch
You need to run a CloudWatch agent on EC2 to push the log files you want
Make sure IAM permissions are correct

Answer 347

A

For virtual servers (EC2, on-premises servers…)

CloudWatch Logs Agent:
- Old version of the agent
- Can only send to CloudWatch Logs

CloudWatch Unified Agent:
- Collect additional system-level metrics such as RAM, processes, etc
- Collect logs to send to CloudWatch Logs
- Centralised configuration using SSM Parameter Store

Answer 348

A

CPU (active, guest, idle, system, user, steal)
Disk metrics (free, used, total), Disk IO (writes, reads, byres, IOPS)
RAM (free, inactive, used, total, cached)
Netstat (number of TCP and UDP connections, net packets, bytes)
Processes (Total, dead, blocked, idle, running, sleep)
Swap Space (free, used, used %)

Answer 349

A

CloudWatch Logs Metric Filter do not retroactively filter data, Filters only publish the metric data points for event that happen after the filter was created

Answer 350

A

OK
INSUFFICIENT_DATA
ALARM

Answer 351

A

The length of time in seconds to evaluate the metric

Answer 352

A

Stop, Terminate, Reboot or Recover an EC2 instance
Trigger Auto Scaling Action
Send notification to SNS (from which you can do pretty much anything)

Answer 353

A

CloudWatch Alarms are on a single meteric
Composite Alarms are monitoring the states of multiple other alarms
AND and OR conditions
Helpful to reduce “alarm noise” by creating complex composite alarms

Answer 354

A

CloudWatch Alarms are on a single meteric
Composite Alarms are monitoring the states of multiple other alarms
AND and OR conditions
Helpful to reduce “alarm noise” by creating complex composite alarms

Answer 355

A

Default Event Us: generated by AWS services (CloudWAtch EVents)
Partner Event Bus: received events from Saas service or applications
Custom Event Bus - for your own applications

Answer 356

A

EventBridge can analyse the events in your bus and infer the schema
The Schema Registry allows you to generate code for your application, that will know in advance how data is structured in the event bus
Schema can be versioned

Answer 357

A

Amazon EventBridge builds upon and extends CloudWAtch Events
It uses the same service API and endpoint, and the same underlying service infrastructure
EVentBridge allows extension to add event buseses for your custom applications and your third party SaaS apps
EventBridge has the Schema Registry capability
EventBridge has a different - Over time, the CloudWAtch Events name will be replaced with EventBridge

Answer 358

A

LAmbda
Elastic Beanstalk
ECS
ELB
API Gateway
EC2 instances or any application server (even on-premies)

Answer 359

A

Tracing is an end to end way to follow a “request”
Each component dealing with the request adds its own “trace”
Tracing is made of segments (+ sub segments)
Annotations can be added to traces to provide extra-information

Answer 360

A

2 ways:

1, Your code must import the AWS X-Ray SDK:
- Very little code required

2, Install the X-Ray daemon or enable X-Ray AWS Integration

Answer 361

A

Ensure the EC2 IAM Role has the proper permissions
Ensure the EC2 instance is running the X-Ray Daemon

Answer 362

A

Ensure it has an IAM execution role with proper policy (AWSX-RayWriteOnlyAccess)
Ensure that X-Ray is imported in the code

Answer 363

A

Instrumentation means the measure of product’s performance, diagnose errors, and to write trace information

Answer 364

A

Segments: each application / service will send them
Subsegments: if need more details in your segments

Answer 365

A

A trace are segments collected together to form an end-to-end trace

Answer 366

A

Annotation are key value pairs used to index traces and use with filters

Answer 367

A

By default the X-Ray SDK records the first request each second, and five percent of any additional requests

Answer 368

A

You can run the daemon by setting an option in the Elastic Beanstalk console or with a configuration file (in ebextensions/xray-daemon.config)

Answer 369

A

Provides governance, compliance and audit for your AWS Account
Get a history of events / API calls made within your AWS Account by: Console / SDK / CLI / AWS Services

Answer 370

A

CloudWatch Logs or S3

Answer 371

A

Both; all regions is default

Answer 372

A

CloudTrail

Answer 373

A

Management events
Data events

Answer 374

A

Operations that are performed on resources in your AWS account
By default trails are configured to log management events
Can separate Read events from write events

Answer 375

A

CloudTrail Insights analyses normal management events to create a baseline, and then continuously analyses write events to detect unusual patterns or activity in your account:
- inaccurate resource provisioning
- hitting service limits
- Bursts of AWS IAM actions
Gaps in periodic maintenance activity

Answer 376

A

EVents are stored for 90 days in CloudTrail
To keep events beyond this period, log them to S3 and use Athena

Answer 377

A

CloudTrail:
- Audit API calls made by users / services / AWS Console
- Useful to detect unauthorised calls or root causes of changes

CloudWatch:
- CloudWatch Metrics over time for monitoring
- CloudWatch Logs for storing application logs
- CloudWatch Alarms to send notifications in case of unexpected metrics

X-Ray:
- Automated Trace Analysis & Central Service Map Visualisation
- Latency, Errors and Fault analysis
- Request tracking across distributed systems

Answer 378

A

Synchronous communication is direct: application to application
Asynchronous is not direct: app to queue to app

Answer 379

A

SQS: queue model
SNS: pub/sub model
Kinesis: real-time streaming model

Answer 380

A

-Producers send messages to the SQWS queue
- Consumers poll for messages in the queue

Answer 381

A

Unlimited throughput, unlimited number of messages in queue
Default retention of messages: 4 days, maximum 14 days
Low latency (10 ms on publish and receive)
Limitation of 256KB per message sent

Answer 382

A

Yes, you can have duplicate messages (at least once delivery, occasionally)

Answer 383

A

Can have out of order messages (best effort ordering)

Answer 384

A

Consumers:
- Poll SQS for messages (receive up to 10 messages at a time)
- Process the messages
- Delete the messages using the DeleteMessage API

Answer 385

A

ApproximateNumberOfMessages

Answer 386

A

Encryption:
- Insliflight encryption using HTTPS API
- At-rest encryption using KMS keys
- Client-side encryption if the client wants to perfrom encryption/decryption themselves

Access Controls:
- IAM policies to regulate access to the SQS API

SQS Access Policies (similiar to S3 bucket policies):
- Useful for cross-account access to SQS queues
- Useful for allowing other services to write to an SQS queue

Answer 387

A

30 seconds

Answer 388

A

Call the ChangeMessageVisibility API to get more time (increase Visibility timeout)

Answer 389

A

If a consumer fails to process a message within the Visibility Timeout - the message goes back to the queue
We can set a threshold of how many times a message can go back to the queue
After the MaximumReceives threshold is exceeded, the message goes into a dead letter queue
Dead Letter Queues are a type of SQS queue
A deadletter Queue of a FIFO queue must also be a FIFO queue
A Dead Letter Queue of a standard queue must also be a Standard Queue

Answer 390

A

Redrive to source

Answer 391

A

Delay a message (consumers don’t see it immediately) up to 15 minutes
Default is 0 seconds

Answer 392

A

Yes, using the DelaySeconds parameter

Answer 393

A

By using the SQS Extended Client (Java Library)

Answer 394

A

300 msg/s with batching, 3000 msg/s with batching

Answer 395

A

Exactly-once (no duplicates)

Answer 396

A

5 minutes

Answer 397

A

Content-based deduplication: will do a SHA-256 hash of the message body
Explicitly providing a Message Duplication ID

Answer 398

A

If you specify the same value of MessageGroupID in an SQS FIFO queue, you can only have one consumer, all the messages are in order
To get ordering at the level of a subset of messages, specify different values of MessageGroupID
Messages that share a common Message Group ID will be in order within a group
Each Group ID can have a different consumer (parallel processing)
Ordering across groups is not guaranteed

Answer 399

A

The “event producer” only sends message to one SNS topic
As many “event receivers” (subscriptions) as we want to listen to the SNS topic notifications
Each subscriber to the topic will get all the messages

Answer 400

A

Topic Publish:
- Create a topic
- Create a subscription (or many)
- Publish to the topic

Direct Publish (for mobile app SDK):
- Create a platform application
- Create a platform endpoint
- Publish to the platform endpoint
- Work with Google GCM, Apple APNS, Amaazon ADM…

Answer 401

A

Push once in SNS, receive in all SQS queues that are subscribers
Fully decoupled, no data loss
Cross-REgion Delivery, works with SQS queues in other regions

Answer 402

A

First-in-First-out (ordering of messages in the topic)
Similar features as SQS FIFI (ordering by MEssage Group ID and Deduplication)
CAn only have SQS FIFO queues as subscribers
Limited throughput (same throughput as SQS FIFO)

Answer 403

A

Makes it easy to collect, process and analyse streaming data in real-time
Ingest real-time data such as: Application logs, metrics, Website clickstreams, IoT telemtry data

Answer 404

A

capture, process and store data streams

ability to reprocess (replay) data
Once data is inserted in Kinesis, it can’t be deleted (immutability)
Data that shares the same partition goes to the same shard (ordering)

Answer 405

A

load data streams into AWS data stores

Answer 406

A

analyse data streams with SQL or Apache Flink

Answer 407

A

capture, process and store video streams

Answer 408

A

Provisioned mode
On-demand mode

Answer 409

A

You choose the number of shared provisioned, scale manually or using API
Each shard get 1MB/s in (or 1000 records per second)
Each shared get 2MB/s out (classic or enhanced fan-out consumer)
You pay per shard provisioned per hour

Answer 410

A

No need to provision or manage the capacity
Default capacity provisioned (4 MB/s in or 4000 records)
Scales automatically based on observed throughput peak during the last 30 days
Pay per stream per hour & data in/out per GB

Answer 411

A

Sequence number (unique per partition-key within shard)
Partition key (must specify while put records into stream
Data blob (up to 1mb)

Answer 412

A

1 MB/sec or 10,000 records/sec per shard

Answer 413

A

Use batching with PutRecords API

Answer 414

A

Use highly distributed partition key

Answer 415

A

Use highly distributed partition key
Retries with exponential backoff
Increase shards (scaling)

Answer 416

A

Shared (Classic) Fan-out Consumer - pull
Enhanced Fan-out consumer - push

Answer 417

A

Low number

Answer 418

A

2 MB/sec per shared across all consumer

Answer 419

A

Using the GetRecords API call

Answer 420

A

Returns up to 10 MB (then throttle for 5 seconds) or up to 10,000 records

Answer 421

A

Multiple applications for the same stream

Answer 422

A

2 MB/sec per consumer per shard

Answer 423

A

over HTTP/2 (SubscribeToShard API)

Answer 424

A

soft limit of 5

Answer 425

A

Can process up to 10 batches per shard simultaneously

Answer 426

A

A Java library that helps read record from a Kinesis Data Stream with distributed aplications sharing the read workload
Each is to be read by only one KCL instance
Progress is checkpointed into DynamoDB
Track other workers and share the work amongst shards using DynamoDB
KCL can run on EC2, Elastic Beanstalk and on-premises
Records are read in order at the shard level

Answer 427

A

Used to increase the Stream capacity
Use to divide a “hot shard”
The old shard is closed and will be deleted once the data is expired
Can’t split into more than two shards in a single operation

Answer 428

A

Cecrease the Steam capacity asnd save costs
Can be used to group two shards with low traffic (cold shards)
Old shards are closed and will be deleted once the data is expired
Can’t merge more than two shards in a single operation

Answer 429

A

loads data streams into AWS data stores
Fully managed service
Pay for data going through Firehose
Near Real Time
Supports many data formats, conversions, transformations, compression
Supports custom data transformations using AWS Lambda

Answer 430

A

No, it is NEAR real-time

Answer 431

A

AWS:
- Redshift
- S3
- ElasticSearch

3rd PArty partner:
- Splunk
- MongoDB
- DataDog

Cusom:
- To any HTTP endpoint

Answer 432

A

Real-time analytics on Kinesis Data Streams & Firehose using SQL
Add reference data from S3 to enrich streaming data
Fully managed
Automatic scaling
Pay for actual consumption rate

Answer 433

A

Kinesis Data Streams and Kinesis Fire Hose for both Sources and Destinations

Answer 434

A

Pay per request and compute time
Free tier of 1,000,000 Lambda requests and 400,000 GBs of computer time

Answer 435

A

You can use the Application Load Balancer or an API Gateway
The Lambda function must be registered in a target group

Answer 436

A

HTTP headers and query string parameters that are sent with multiple values are shown as arrays

Answer 437

A

Lambda reads events from an Event queue
Lambda attempts to retry on errors, using exponential backoff

Answer 438

A

S3
SNS
CloudWatch Events / EventBridge

Answer 439

A

Kinesis Data Streams, SQS queues and DynamoDB Streams need to be polled
The results of the polling go into the event source mapping, which is a queue
When there are items in the event source mapping queue, your lambda function is invoked synchronously with the event batch

Answer 440

A

By default, if your function returns an error, the entire batch is reprocessed until the function succeeds, or the items in the batch expire
To ensure in-order processing, processing for the affected shard is paused until the error is resolved
You can configure the event source mapping to discard old events, restrict the number of retries and split the batch on error

Answer 441

A

6x the timeout of your lambda function

Answer 442

A

Kinesis Data Streams & DynamoDB Streams:
- One lambda inovation per stream shard
- If you use parallelization, to to 10 batches processed per shard simultaneously

SQS Standard:
- Lambda adds 60 more instances per minute to scale up
- Up to 1000 batches of messages processed simultaneously

SQS FIFO:
- Messages with the same GroupID will be processed in order
- The Lambda function scales to the number of active message groups

Answer 443

A

An IAM Role that grants the lambda function permissions to AWS services / resources

When you use an event source mapping to invoke your function, Lambda uses the execution role to read event data

Best practice is to create one Lambda Execution Role per function

Answer 444

A

Use resource-based policies to give other accounts and AWS services permissions to use your Lambda resources
Similar to S3 bucket policies for S3 buckets

Answer 445

A

Environment variables are key / value pairs in “String” form
Environment variables are available to your code
-Helpful to store secrets (encrypted by KMS)
Secrets can be encrypted by trhe Lambda service key, or your own CMK

Answer 446

A

CloudWatch logs.

Make sure your AWS Lambda function has an execution role with an IAM policy that authorises writes to CloudWatch Logs

Answer 447

A

Enable in Lambda configuration (Active Tracing)
Runs the X-Ray daemon for you
use AWS X-Ray SDK in code
Ensure Lambda function has a correct IAM execution role - the managed policy is called AWSXRayDaemonWriteAccess

Answer 448

A

Outside
Therefore it cannot access resources in your VPC

Answer 449

A

You must define the VPC ID, the Subnets and the Security Groups
Lambda will create an ENI (Elastic Network Interface) in your subnets
AWSLambdaVPCAccessExecutionRole

Answer 450

A

A LAmbda function in your VPC does not have internet access
Deploying a Lambda function in a public subnet does not give it internet access or a public IP
Deploying a Lambda function in a private subnet gives it internet access if you have a NAT Gateway / Instance
You can use VPC endpoints to privately access AWS services without a NAT

Answer 451

A

Increase RAM

Answer 452

A

Yes

From 128MB to 10GB in 1MB increments
The more RAM you add, the more vCPU credits you get
At 1,792 MB, a function has the equivalent of one full vCPU
After 1,792 MB, you get more than one CPU, and need to use multi-threading in your code to benefit from it

Answer 453

A

Default = 3 seconds
Max. is 900 seconds (15 mins)

Answer 454

A

Basically it is the code outside the handler
It is a temporary runtime environment that initialses asny exteneral dependencies of your lambda code
Great for database connections, HTTP clients, SDK clients…
The execution context is maintained for some time in anticipation of another LAmbda function invocation
The next functioninvocation can “re-use” the context to execution time and save time in initialising connection objects
The execution context includes the /tmp directory

Answer 455

A

Basically it is the code outside the handler
It is a temporary runtime environment that initialses asny exteneral dependencies of your lambda code
Great for database connections, HTTP clients, SDK clients…
The execution context is maintained for some time in anticipation of another LAmbda function invocation
The next functioninvocation can “re-use” the context to execution time and save time in initialising connection objects
The execution context includes the /tmp directory

Answer 456

A

-You can use the /tmp directory
- MAx size is 10GB
- The directory content remains when the execution context is frozen, providing transient cache that can be used for multiple invocations
- For permanent persistence of object , use S3

Answer 457

A

-Up to 1000
- You can set a “reserved concurrency” limit for each lambda function
- Each invocation over the concurrency limit will trigger a “throttle”

Answer 458

A

If the function doesn’t have enough concurrency available to process all event, additional requests are throttled
For throttling errors (429) and system errors (5xx), Lambda returns the event to the queue and attempts to run the function again for up to 6 hours
The retry interval increases exponentially from 1 second up to a max. of 5 mins

Answer 459

A

You need to install the packages alongside your code and zip it together
Upload the zip straight to lambda if less than 50MB, else to S3
AWS SDK comes by default with every lambda function

Answer 460

A

Inline:
- inline functions ar every simple
- Use the Code.ZipFile property
- You cannot include function dependencies withi inline functions

Through S3:
- You must store the Lambda zip in S3
- You must refer the S3 zip location in the CloudFormation template

Answer 461

A

Creating custom runtimes, eg, c++ or Rust
Externalizing dependencies to re-use them

Answer 462

A

Deploy Lambda functions as container images of up to 10GB from ECR
Pack complex dependencies, large dependencies in a container
Can create your own image as long as it implement the Lambda Runtime API

Answer 463

A

When you work on a Lambda function, we work on $LATEST
When we’re ready to publish a Lambda function, we create a version
Versions are immutable
Versions have increasing version numbers
Versions get their own ARN
Version = code + configuration
Each version of the lambda function can be accessed

Answer 464

A

Aliases are “pointers” to Lambda function versions
We can define a “dev”, “test”, “prod” aliases and have them point at different lambda versions
Aliases are mutable
Aliases enable blue / green deployments
Aliases have their own ARNs
Aliases cannot reference aliases

Answer 465

A

Use CodeDeploy
Feature is integrated within the SAM framework
Can create Pre & Post Traffic hooks to check the health of the Lambda function

Answer 466

A

128 - 10GB (1MB increments)

Answer 467

A

900 seconds (15 mins)

Answer 468

A

512MB to 10GB

Answer 469

A

1000 (can be increased)

Answer 470

A

horizontally

Answer 471

A

Millions of requests per second
Trillions of rows
100s of TB of storage

Answer 472

A

Standard
Infrequent Access (IA)

Answer 473

A

Yes, must be decided at creation time

Answer 474

A

Scalar tpyes: string, number, binary, boolean, null
Document types: list, map
Set types: string set, number set, binary set

Answer 475

A

Option 1: Partition Key (HASH):
- Partition key must be unique for each item
- Partition key must be “diverse” so that the data is distributed
- Eg, “User_ID” for a users table

Option 2: Partition Key + Sort Key (HASH + RANGE):
- The combination must be unique for each item
- Data is grouped by partition key
- Eg: users-games table, “User_ID” for PArtition Key and “Game_ID” for sort key

Answer 476

A

Provisioned Mode (Default)
On-demand mode

You can switch between different modes once every 24 hours

Answer 477

A

You specify the number of reads/write per second
You need to plan capacity beforehand
Pay for provisioned read & write capacity units
Option to setup auto-scaling of throughput to meet demand
throughput can be exceeded temporarily using “Burst capcity”
If burst capcity has been consumed, you’ll get a “ProvisionedThroughputExceededException”
Then its advised to do an exponential backoff

Answer 478

A

Read/writes automatically scale up/down with your workloads
No capacity planning needed
Pay for what you use, more expensive

Answer 479

A

1 WCU represents 1 write per second for an item up to 1KB in size
If the items are larger than 1KB, more WCUs are consumed

Answer 480

A

10 x (2KB / 1KB) = 20WCUs

Answer 481

A

6 x (5kb / 1KB) = 30 WCUs

Answer 482

A

(120 / 60) * (2KB / 1KB) = 4 WCUs

Answer 483

A

Eventually Consistent Reads (default):
- If we read just after a write, it’s possible we’ll get some stale data because of replication

Strongly Consistent Read:
- If we read just after a write, we will get the correct data
- Set “ConsistentRead” parameter to True, in API calls (GetITem, BatchGetITem, Query, Scan)
- Consumes twice the RCU

Answer 484

A

One RCU represents one Strongly Consistent Read per second, or two Eventually Consistent Reads per second, for an item up to 4KB in size
If the items are larger than 4KB, more RCU is are consumed

Answer 485

A

10 x (4KB / $KB) = 10 RCUs

Answer 486

A

(16 / 2) x (12KB / 4KB) = 24 RUCs

Answer 487

A

10 x (8KB / 4 KB) = 20 RCUs - we must round up from 6KB to 8KB)

Answer 488

A

If we exceed provisioned RCUs or WCUs, we get “ProvisionedThroughputExceededException”

Reasons:
- Hot keys: one partition key is being read too many times (eg popular item)
- Hot partitions
- Very large item,: remember RCU and WCU depends on the size of items

Solutions:
- Exponential back-off
- Distributed partition keys as much as possible
- If RCU issue, we can use DynamoDB Accelerator (DAX)

Answer 489

A

PutITem
- Create a new item or fully replaces an old item (same primary key)
- Consumes WCUs

UpdateItem
- Edits an existing item’s attributes or adds a new item if it doesn’t exist
- CAn be used to implement Atomic Counters- a numberic attribute that’s unconditionally incremented

ConditionalWrites:
- Accept a write/update/delete only if conditions are met, otherwise returns an error
- Helps with concurrent access to items

Answer 490

A

GetITem:
- Read based on Primary Key
- Eventually Consistent Read ((default)
- ProjectionExpression can be specified to retrieve only certain attributes

Answer 491

A

Query reyruns items based on:

KeyConditionExpression:
- Partition key value (must be - operator) - required
- Sort key value (=,<,<=<>,>=,Between,Begins with) - optional

FilterExpression:
- Additional filtering after the query operation (before data is returned to you)
- Use only with non-key attributes (does not allow HASH or RANGE attributes)

Return the number of items specified in Limit, or up to 1MB of data

Can query table, a Local Secondary Index, or a Global Secondary Index

Answer 492

A

Scan the entire table and then filter out data (inefficient)
Returns up to 1MB of data - use pagination to keep on reading
Consumes a lot of RCU
Limit impact using Limit or reduce the size of the result and pause
For faster performance, use Parallel Scan

Answer 493

A

DeleteItem:
- Delete an individual item
- Ability to perform a conditional delete

DeleteTable:
- Delete a whole table and its items
- Much quicker deletion than calling DeleteItem on all items

Answer 494

A

Allows you to save in latency by reducing the number of API calls
-Operations are done in parallel for better efficiency
Part of a batch can fail; in which case we need to try again for the failed items

Answer 495

A

BatchWriteItem:
- Up to 25 PutItem and/or DeleteITem in one call
- Up to 16MB of data written, up to 400KB of data per item
- CAn’t update items (use UpdateITem)

BatchGetItem:
- Return items from one or more tables
- Up to 100 items, up to 16MB of data
- Items are retrieved in parallel to minimise latency

Answer 496

A

Alternative Sort Key for your table (same partition key as that of the base table)
The Sort key consists of one scalar attribute (string, number, or binary)
Up to 5 local Secondary Indexes per table
Must be defined at table creation time
Attribute Projections - can contain some or all the attributes of the base table (KEYS_ONLY, INCLUDE, ALL)

Answer 497

A

Alternative Primary Key from the base table
Speed up queries on non-key attributes
The index key consists of scalar attributes (string, number or binary)
Attribute projections - some or all the attributes of the base table (KEYS_ONLY, INCLUDE, ALL)
Must provision RCUs and WCUs for the index
Can be added/modified after table creation

Answer 498

A

Global Secondary Index:
- If the writes are throttled on the GSI, then the main table will be throttled
- Even if the WCU on the main tables are fine
- Choose your GSI partition key carefully
- Assign your WCU capacity carefully!

Local Secondary Index:
- Uses the WCUs anr eRCUs of the main table
- No special throttling considerations

Answer 499

A

Use a SQL-like syntax to manipulate DynamoDB tables
Support some (but not all) statements (INSERT, UPDATE, SELECT, DELETE)
SUpports Batch operations

Answer 500

A

DynamoDB has a feature called “Conditional Writes”
Astrategy to ensure an item hasn’t changed before you update/delete it
Each item has an attribute that acts as a version nuimmber

Answer 501

A

Fully-managed, highly available, seamless in-memory cache for DynamoDB
Microseconds latency for cached reads and queries
Doesn’t require application logic modification (compatible with existing DynamoDB APIs)
Solves the “Hot Key” problem (too many reads)
5 minutes TTL for cache (default)
Up to 10 nodes in the cluster
Multi-AZ (3 nodes minimum recommended for production)
Secure (Encryption at rest with KMS, VPC, IAM, CloudTrail, …)

Answer 502

A

Ordered stream of item-level modifications (create/update/delete) in a table
Stream records can be (sent to Kinesis Data Streams | Read by Lambda | Read by Kinesis Client Library applications)
Data retention for up to 24 hours

Answer 503

A

KEYS_ONLY: only the key attributes of the modified item
NEW_IMAGE: the entire item, as it appears after it was modified
OLD_IMAGE: the entire item, as it appears before it was modified
NEW_AND_OLD_IMAGES: both the new and the old images of the item

Answer 504

A

Shards, just like Kinesis Data Streams

You don’t provision shards though, it is automated by AWS

Answer 505

A

You need to define an Event Source Mapping to read from a DynamoDB stream
You need to ensure the Lambda function has the appropriate permissions
Your Lambda function is invoked synchronously

Answer 506

A

Automatically delete items after an expiry timestamp
Doesn’t consume any WCUs (ie, no extra cost)
The TTL attribute must be a n”Number” data type with “Unix Epoch timestamp” value
Expired items deleted within 48 hours of expiration
Expired items are deleted from both LSIs and GSIs

Answer 507

A

one or more attributes to retrieve

Answer 508

A

filter items before returned to you

Answer 509

A

Coordinated, all-or-nothing operations (add/update/delete) to multiple items across one or more tables
Provides Atomicity, Consistency, Isolation and Durability (ACID)
Consumes 2x WCUs and RCUs - DynamoDB performs 2 operations for every item (prepare & commit)

Answer 510

A

3 x (5KB / 1KB) x 2 (transactional costs) = 30 WCUs

Answer 511

A

5 x (8KB / 4KB) x 2 (transactional cost) = 20 RCUs

%KB gets rounded to the upper 4KB = 8KB

Answer 512

A

Imagine we have a voting application with 2 candidates. If partition key is “Candidate_ID”, this results into two partitions, which will generate issues (eg, Hot Partition)
A strategy that allows better distribution of items evenly across partitions
Add a suffix to Partition Key value
Two methods - sharding using random suffix, sharding using calculated suffix

Answer 513

A

Option 1 - Scan + DeleteItem:
- Very slow, consumes RCU and WCU, expensive

Option 2 - Drop Table + Recreate Table:
- Fast efficient, cheap

Answer 514

A

Option1 - Using AWS Data Pipeline:

Option 2: Backup and restore into a new table:
- Takes some time

Option 3:- scan + PutItem or BatchWriteItem:
- Write your own code

Answer 515

A

Point-in-time Recovery (PITR) like RDS
- No performance impact

Answer 516

A

Multi-region, multi-active, fully replicated, high performance

Answer 517

A

Develop and test apps locally without accessing the DynamoDB web service (without Internet)

Answer 518

A

Swagger / Open API

Answer 519

A

Lambda Function
- Invoke lambda as a function
- Easy way to expose REST API backend by LAmbda

HTTP:
- Expose HTTP endpoints in the backend
– Why? Add rate limiting, caching, user authentications, API keys, etc…

AWS Service:
- Expose any AWS API through the API Gateway
- Why? Add authentication, deploy publicly, rate control…

Answer 520

A

Edge-Optimised (default):
- For global clients
- Requests are routed through the CloudFront Edge locations (improves latency)
- The API Gateway still lives in only one region

Regional:
- For clients within the same region
- Could manually combine with CloudFront (more control over the caching strategies and the distribution)

Private:
- Can only be accessed from your VPC using an interface VPC endpoint (ENI)
- Use a resource policy to define access

Answer 521

A

IAM Roles (useful for internal applications)
Cognito (Identity for external users - example mobile users)
Custom Authoriser (your own logic)

Answer 522

A

Through integration with AWS Certificate Manager (ACM):
- If using Edge-Optimised endpoint, then the certificate must be in us-east-1
- If using Regional endpoint, the certificate must be in the API Gateway region
- Must setup CNAME or A-alias record in Route 53

Answer 523

A

Making changes in the API Gateway does not mean they’re effective
You need to make a “deployment” for them to be in effect
Changes are deployed to “stages” (as many as you want)
Use the naming you like for stages (dev,text,prod)
Each stage has its own configuration parameters
Stages can be rolled back as a history of deployments is kept

Answer 524

A

Stage variables are like environment variables for API Gateway
Use them to change often changing configuration values
They can be used in Lambda function ARN, HTTP endpoint, parameter mapping templates
Stage variables are passed to the “context” object in AWS Lambda

Answer 525

A

Choose the % of traffic the canary channel receives
Metrics & Logs are separate (for better monitoring)
Possibility to override stage variables for canary

Answer 526

A

-MOCK
- HTTP / AWS (Lambda & AWS Services)
- AWS_PROXY (Lambda Proxy)
- HTTP_PROXY

Answer 527

A

API Gateway returns a response without sending the request to the backend

Answer 528

A

you must configure both the integration request and integration response
Setup data mapping using mapping templates for the request & response

Answer 529

A

incoming request from the client is the input to Lambda
The function is responsible for the logic of request / response
No mapping template, headers, query string parameters… are passed as arguments

Answer 530

A

No mapping template
The HTTP request is passed to the backend
The HTTP response from the backend is forwarded by API Gateway

Answer 531

A

Used for LAmbda and HTTP integration
Mapping templates can be used to modify request / responses
Rename / modify query string parameters
Modify body content
Add headers
Uses Velocity Template Language (VTL): for loop, if etc…
Filter output results (remove unnecessary data)

Answer 532

A

Common ways of defining REST APIs, using API definition as code

Answer 533

A

YAML or JSON

Answer 534

A

Default 300 seconds
Min: 0 s
Max. 3600 s

Answer 535

A

Caches are defined per stage

Answer 536

A

0.5GB to 237GB

Answer 537

A

Clients can invalidate the cache with header: Cache-Control: max-age=0

Answer 538

A

If you don’t impose an InvalidateCache policy (or choose the Require authorisation check box in the console), any client can invalidate the API Cache

Answer 539

A

1, Create one or more APIs, configure the methods to require an API key, and deploy the API to stages

2, Generate or import API keys to distribute to application developers (your customers) who will be using your API

3, Create the usage plan with the desired throttle and quota limits

4, Associate API stages and API keys with the usage plan

Callers of the API must supply an assigned API key in the x-api-key header in requests to the API

Answer 540

A

10,000 requests per second across all APIs

Soft limit can be increased upon request

Answer 541

A

429 - too many requests

Answer 542

A

429 - Quota exceeded, Throttle

Answer 543

A

Bad Request

Answer 544

A

Access Denied, WAF filtered

Answer 545

A

Bad Gateway Exception: usually for an incomptible output returned from a Lambda proxy integration backend and occasionally for out-of-order invocations due to heavy workloads

Answer 546

A

Service unable exception

Answer 547

A

Integration FAilure - eg, Endpoint REquest Tomed-Out Exception (API Gateway requests time out after 29 seconds max.)

Answer 548

A

-Access-Control-Allow-Methods
-Access-Control-Allow-Headers
-Access-Control-Allow-Origin

Answer 549

A

IAM
Customer Authorisaer
Cognito User pools

Answer 550

A

Two-way interactive communication between a user’s browser and a server
Server can push information to the client
This enables stateful application use cases
Often used in real-time applications

Answer 551

A

ConnectID

Answer 552

A

Using a Route Key Table

Answer 553

A

SAM = Serverless Application Model
Framework for developing and deploying serverless applications
All the configuration is YAML code
Generate complex CloudFormation from simple SAM YAML file
Supports anything from CloudFormation (Outputs, Mappings, Parameters, Resources)
SAM can use CodeDeploy to deploy Lambda functions
SAM can help you to run Lambda, API Gateway, DynamoDB locally

Answer 554

A

Transform: ‘AWS::Serverless-2016-10-31

Answer 555

A

aws cloudfromation packages / sam package
aws cloudfromation deploy / sam deploy

Answer 556

A

List of templates to apply permissions to your Lambda functions

Answer 557

A

SAM framework natively uses CodeDeploy to update Lambda functions

Answer 558

A

CloudFormation

Answer 559

A

Transform and Resources

Answer 560

A

sam build: fetch dependencies and create local deployment artifacts
sam package: package and upload to S3, generate CF template
sam deploy: deploy to CloudFormation

Answer 561

A

Managed repository for serverless applications
The applications are packaged using SAM
Build and publish applications that cabe re-used by organisation
Application settings and behaviour can be customised using Environment variable

Answer 562

A

Define your cloud infrastructure using a familiar language (Javascript, python, java, .net)
Leverages CloudFormation

Answer 563

A

Contains high level compnents called constructs
The code is “compiled” into a CloudFromation template
You can therefore deploy infrastructure and application runtime code together (Grreat for Lambda functions and Docker containers)

Answer 564

A

We want to give our users an identity so that they can interact with our application

Answer 565

A

Cognito user pools
Cognito Identity Pools (Federated Identity)
Cognito Sync

Answer 566

A

Sign in functionality for app users
Integrate with API Gateway & Application Load Balancer
Database of users for your web and mobile application

Answer 567

A

Provide temporary AWS credentials to users so they can access AWS resources directly
Integrate with Cognito User Pools as an identity provider
Users are mapped to IAM roles & policies,, can leverage policy variables

Answer 568

A

Synchronise data from device to Cognito
Is depreciated and replaced by AppSync
Store preferences, configuration ,state of app
ross device synchronisation
Offline capability

Answer 569

A

Authentication events:
- Pre authentication Lambda trigger
- Post authentication lambda trigger
- Pre token Generation Lambda trigger

Sign-up:
- Pre sign-up Lambda trigger
- Post confirmation Lambda trigger
- Migrate User lambda trigger

Messages:
- Custom message Lambda trigger

Token Creation:
- Pre token generation Lambda trigger

Answer 570

A

Public providers (Loginwith Amazon, Facebook, Google, Apple)
Users in an Amazon Cognito user pool
-OpenID Connect Providers & SAML Identity Providers
Developer Authenticated Identities (custom login erver)
Cognito Identity pools allow for unauthenticated (guest) access

Answer 571

A

Through STS

Answer 572

A

Default IAM roles for authenticated and guest users
Define rules to choose the role for each user based on the user’s ID

Answer 573

A

Steam data from Cognito into Kinesis

Answer 574

A

Execute lambda functions in response to events

Answer 575

A

Model your workflow as state machines (one per workflow)
Written in JSON
Visualsisation of the workflow and the execution of the workflow, as well as the history
Start workflow with SDK call, API Gateway, Event Bridge

Answer 576

A

Choice state: test for a condition to send to a branch (or default branch)
Fail or succeed state - stop execution with failure or success
Pass state - simply pass ints input to its output or inject some fixed data, without performaing work
Wait state: provide a delay for a certain amount of time or until a specified time/date
Map state : dynamically iterate steps
Parallel state: begin parallel branches of execution

Answer 577

A

Use RETRY (to retry failed state) and CATCH (transition to failure path) in the state machine to handle the error instead of inside the application code

Evaluated from top to bottom

Answer 578

A

Standard and Express

Answer 579

A

Over 2,000 per second

Answer 580

A

Over 4,000 per second per account

Answer 581

A

Priced per state transition. A state transition is counted each time a step in your execution is completed

Answer 582

A

Priced per state transition. A state transition is counted each time a step in your execution is completed

Answer 583

A

Executions can be listed and descried with Step Functions APIs, and visually debugged through the console. They can also be insepected in CloudWatch Logs by enabling logging on your state machine

Answer 584

A

exactly-once workflow execution

Answer 585

A

over 100,000 per second

Answer 586

A

Nearly unlimited

Answer 587

A

Priced by the number of executions your run, their duration, and memory consumption

Answer 588

A

Executions can be inspected in CloudWatch Logs by enabling logging on your state machine

Answer 589

A

At least once workflow execution

Answer 590

A

AppSync is a manged service that uses GraphQL
GraphQL makes it easy for applications to get exactly the data they need
This includes combining data from one or more sources
Retrieve data in real-time with WebSocket or MQTT on WebSocket
-For mobile apps: local data access & data synchronisation
It all starts with uploading one GraphQL schema

Answer 591

A

API_KEY
AWS_IAM: IAM users / roles / cross-account access
OPENID_CONNECT: OpenID Connect provider / JSON Web Token
AMZON_COGNITO_USER_POOLS

Answer 592

A

Visually build a full-stak app, both front-end UI and a back-end

Answer 593

A

Connect your app to existing AWS Services (Cognito, S3 and more)

Answer 594

A

Configure an Amplify backend. With a guided CLI workflow

Answer 595

A

Set of tools to get started with creating mobile and web applications
“Elastic Beanstalk for mobile and web applications”
Must-have features such as data storage, authentication, storage and machine-learning, all powered by AWS services

Answer 596

A

Leverages Amazon Cognito
User registration, authentication, account recovery & other operations
Supports MFA, Social Sign-in, etc
Pre-built UI components
Fine-grained authorisation

Answer 597

A

Leverages AppSync and DynamDB
Work with local data and have automatic synchronisation to the cloud without complex code
Powered by graphQL
Offline and real-time capabilities

Answer 598

A

Secure Token Service (STS)
Allows to grant limited and temporary access to AWS resources

Answer 599

A

up to 1 hour

Answer 600

A

AssumeRole: Assume roles within your account or cross account
AssumeRoleWithSAML: reteurn credentials for users logged with SAML
AssumeRoleWithWebIdentity: return creds for user logged with an IdP. AWS recommends against using this, and using Cognito Identity Pools instead
GetSessionToken: for MFA, from a user or AWS account root user
GetFederationToken: obtain temporary creds for a federated user
GetCAllerIdentity: return details about the IAM user or role used in the API call
DecodeAuthorisationMessage: decode error message when an AWS API is denied

Answer 601

A

Define an IAM Role within your account or corss-account
Define which principals can access this IAM Role
Use AWS STS to retrieve credentials and impersonate the IAM Role you have have access to (AssumeRoleAPI)
Temporary credentials can be valid between 15 minutes to 1 hour

Answer 602

A

Define an IAM Role within your account or cross-account
Define which principals can access this IAM Role
Use AWS STS to retrieve credentials and impersonate the IAM Role you have access to (AssumeRoleAPI)
Temporary credentials can be valid between 15 minutes to 1 hour

Answer 603

A

1, If there’s an explicit DENY, end decision with DENY
2, If there’s an ALOLOW, end decision with ALLOW
3, Else DENY

Answer 604

A

Users
Roles
Groups

Answer 605

A

${aws:username}

Answer 606

A

To configure many AWS services, you must pass an IAM role to the service (this happens only once during setup)
The service will later assume the role and perform actions
For this, you need to IAM permission iam:PAssRole
It often comes with iam:GetRole to view the role being passed

Answer 607

A

Found on any Windows Server with AD Domain Services
Database of objects: User Accounts, Computers, Printers, File Shares, Security Groups
Centralised security management, create account, assign permissions
Objects are organised in trees
A group of trees is a forest

Answer 608

A

AWS Managed Microsft AD
AD Connector
Simple AD

Answer 609

A

Create your own AD in AWS, manage users locally, supports MFA
Establish “trust” connections with your on-premises AD

Answer 610

A

Directory Gateway (proxy) to redirect to on-premises AD, supports MFA
Users are managed on the on-premises AD

Answer 611

A

AD-compatible managed directory on AWS
CAnnot be joined with on-premises AD

Answer 612

A

AWS manages encryption keys fo rus
Fully integrated with IAM for authorisation
Easy way to control access to your data
Able to audit KMS key usage using CloudTrail
Seamlessly integrated into most AWS

Answer 613

A

Symmetric (AES-256 keys)
Asymmetric (RSA & ECC key pairs)

Answer 614

A

Single encryption key that is used to encrypt and decrypt
AWS services that are integrated with KMS use Symmetric CMKs
You never get access to the KMS Key unencrypted (must call KMS API to use)

Answer 615

A

Public (encrypt) and private key (Decrypt) pair
Used for encrypt / decrypt, or sign/verify operations
The public key is downloadable, but you can’t access the Private Key unencrypted

Answer 616

A

AWS Managed key: free
Customer Managed Keys (CMK): created in KMS $1 / month
Customer Managed Keys: imported $1 / month

Answer 617

A

False; $0.03 / 10,000 cals

Answer 618

A

AWS managed KMS keys: automatic every 1 year
Customer-managed KMS keys: (must be enabled) automatic every 1 year
Imported KMS key: only manual rotation possible using alias

Answer 619

A

Control access to KMS keys, “similar” to S3 bucket policies
Difference: you cannot control access without them

Answer 620

A

Created if you don’t provide a specific KMS Key Policy
Complete access to the key to the root user = entire AWS account

Answer 621

A

Define users, roles that can access the KMS key
Define who can administer the key
Useful for cross-account access of your KMS keys

Answer 622

A

4 KB, if you want to encrypt >4KB, we need to use eenvelope encryption

Answer 623

A

GenerateDataKey API

Answer 624

A

The AWS Encryption SDK impemented Envelop Encryption for us
The Encryption SDK also exists as a CLI tool we can install

Answer 625

A

Data Key Caching:
- re-use keys instead of creating new ones for each encryption
- Helps with reducing the number of calls to KMS with a security trade-off
- Use LocalCryptoMaterialsCache

Answer 626

A

Encrypt: encrypt up to 4KB of data through KMS

GenerateDataKey: generates a unique symmetric data key (DEK)

GerateDataKeyWithoutPlaintext: Generate a DEK to use at some point

Decrypt: decrypt up to 4KB of data (including Data Encryption Keys)

GenerateRandom: returns a random byte string

Answer 627

A

You get a ThrottlingException.

To respond, use exponential backoff

Answer 628

A

New setting to decrease number of API calls made to KMS from S£ by 99%
This leverages data keys. A S3 bucket key is generated and that key is used to encrypt KMS objects with new data keys
You will see less KMS CloudTail events in CloudTail

Answer 629

A

Secure storage for configuration and secrets
Optional seamless encryption using KMS
Version tracking of configuration / secrets
Hierarchical storage
Simple API
No secret rotation
Optional KMS encryption

Answer 630

A

Allow to assign a TTL to a parameter (expiration date) to force updating or deleting sensitive data such as passwords

Answer 631

A

Newer service, meant for storing secrets
Mostly meant for RDS integration
Capability to force rotation of secrets every X days
Automate generation of secrets on rotation
Integration with RDS
Secrets are encrypted using KMS (madatory)

Answer 632

A

You can encrypt CloudWatch logs with KMS keys
Encryption is enabled at the log group level, by associating a CMK with a log group, either when you create the log group or after it exists
You must use the CloudWatch Logs API - associate-kms-key & create-log-group

Answer 633

A

OLAP - analytic processing
Datawarehousing / Data Lakes
Analytics queries

Answer 634

A

Graph Database

Answer 635

A

Managed MongoDB for AWS

Answer 636

A

Lets you easily provision, manage and deploy SSL/TLS certificates
USed to provide in-flight encryption for wwebsites (HTTPS)
Supports both public and private TLS certificates
Automatic TLS certificate renewal
Integrates with ELBs, CloudFront Distributions, APIs on API Gateway

Answer 637

A

A fully managed resource discovery service
Creates a map of the backend services / resources that your applications depend on
You register your application components, their location, attributes, and health status with the AWS Cloud Map
Integrated health checking

Answer 638

A

A fully managed service for runing fault injection experiements on AWS workloads
Based on chaos engineering - stressing an application by creating disruptive events, observing how the system responds and implementing improvement
Helps you uncover hidden bugs and performance bottlenecks
Use pre-built templates that generate the desired disruptions

Answer 639

A

Move large amounts of data to and from:
- On-premises / other cloud to AWS - needs agent
- AWS to AWS - no agent needed

Replication tasks can be scheduled hourly, daily, weekly
File permissions and metadata are preserved
One agent task can use 10 Gbps, can setup a bandwidth limit

Answer 640

A

Parameters

Answer 641

A

True,you can use dynamic port maping to support multiple tasks from a single service on the same container instance

Answer 642

A

Reserved concurrency

Answer 643

A

To ensure that a function can always reach a certain level of concurrency, you can configure the function with reserved concurrency.
When a function has reserved concurrency, no other function can use that concurrency.
More importantly, reserved concurrency also limits the maximum concurrency for the function, and applies to the function as a whole, including versions and aliases.

Answer 644

A

You should use provisioned concurrency to enable your function to scale without fluctuations in latency.

Answer 645

A

Single task definition

Answer 646

A

True; You will need to deregister your container instance in the STOPPED state by using the Amazon ECS console or AWS Command Line Interface. Once deregistered, the container instance will no longer appear as a resource in your Amazon ECS cluster.

Answer 647

A

False; if you terminate a container instance in the RUNNING state, that container instance is automatically removed, or deregistered, from the cluster.

Answer 648

A

False; they span across availability zones, but not regions

Answer 649

A

A projection expression is a string that identifies the attributes you want.

To retrieve a single attribute, specify it’s name. For multiple attribute, the names must be comma-separated

Answer 650

A

If you need to further refine the Query results, you can optionally provide a filter expression

Answer 651

A

–query finds items based on primary key values

Answer 652

A

Reads every item in a table or a secondary index

Answer 653

A

EC2 typew. To automate te replacement of unhealthy EC2 instances, you must change the health check type of your instane’s auto scaling group from EC2 to ELB by using a configuration file

Answer 654

A

In AWS Organisations you can create a trail that will log all events for all AWS accounts in that organsation

Answer 655

A

False; IAM roles and resource-based policies delegate access across accounts only within a single partition

Answer 656

A

Update the cluster name parameter in the /etc/ecs/ecs.config file

Answer 657

A

!ImportValue

Answer 658

A

Returns the value of the specified parameter or resource

Answer 659

A

Returns the value of an attribute from a resource in the template.

Answer 660

A

False; EBS volumes support both in-flight encryption and encryption at rest using KMS

Answer 661

A

Use the Export output field to flag the value of a resource output for export. Then, use the Fn::ImportValue instrinsic function to import the value

Answer 662

A

Asynchronous

Answer 663

A

The failed instances

Answer 664

A

False; The cache and the backend cannot be updated at the same time via a single atomic operation as these are two separate systems.

Answer 665

A

False; lambda aliases can only point to a lambda function version

Answer 666

A

False; they do have root user privileges

Answer 667

A

Annotations are simple key-value pairs that are indexed for use with filter expressions. Use annotations to record data that you want to use to group traces in the console, or when calling the GetTraceSummaries API. X-Ray indexes up to 50 annotations per trace.

Answer 668

A

It helps process task asynchronously by managing the SQS queue and worker instances by running a daoemon process

Answer 669

A

Ticking the Require authorization checkbox ensures that not every client can invalidate the API cache

Answer 670

A

RequestResponse (default) – Invoke the function synchronously. Keep the connection open until the function returns a response or times out. The API response includes the function response and additional data.

Event – Invoke the function asynchronously. Send events that fail multiple times to the function’s dead-letter queue (if it’s configured). The API response only includes a status code.

DryRun – Validate parameter values and verify that the user or role has permission to invoke the function.

Answer 671

A

Traffic is shifted in two increments.
You can choose from predefined canary options. The options specify:
1, the percentage of traffic that’s shifted to your updated Lambda function version in the first increment
2, the interval, in minutes, before the remaining traffic is shifted in the second increment.

Answer 672

A

It’s a CodeDeploy lambda canary deployment where:
- 10 percent of your customer traffic is immediately shifted to your new version.
- After 5 minutes, all traffic is shifted to the new version.

This means that the entire deployment time will only take 5 minutes

Answer 673

A

A secondary index is a data structure that contains a subset of attributes from a table, along with an alternate key to support Query operations.

Answer 674

A

Global secondary index — an index with a partition key and a sort key that can be different from those on the base table.

Local secondary index — an index that has the same partition key as the base table, but a different sort key. Local secondary indexes are created when the main table is created

Answer 675

A

Audit
Error
General
Slow query

Answer 676

A

– Standard resolution, with data having a one-minute granularity
– High resolution, with data at a granularity of one second

Answer 677

A

False; it can’t rotate credentials

Answer 678

A

If you don’t what to retrieve all attributes from a query, use a projection expression to specify the attributes you want

Answer 679

A

Have the client send a request with the Cache-Control: max-age=0 header.

Answer 680

A

You can choose Memcached over Redis if you have the following requirements:

– You need the simplest model possible.

– You need to run large nodes with multiple cores or threads.

– You need the ability to scale out and in, adding and removing nodes as demand on your system increases and decreases.

– You need to cache objects, such as a database.

Answer 681

A

only used for Lambda custom integration

Answer 682

A

AWS::Serverless::Application

Answer 683

A

Kinesis Adapter

Answer 684

A

The application on each instance in the deployment group is stopped, the latest application revision is installed, and the new version of the application is started and validated

Answer 685

A

EC2 instances
On-premises instances
Lambda
ECS services

Answer 686

A

HTTPS on port 443

Answer 687

A

UDP on port 2000

Answer 688

A

Optimistic locking is a strategy to ensure that the client-side item that you are updating (or deleting) is the same as the item in DynamoDB. If you use this strategy, then your database writes are protected from being overwritten by the writes of others — and vice-versa.

Answer 689

A

A namespace is a container for CloudWatch metrics. Metrics in different namespaces are isolated from each other

Answer 690

A

Envelope encryption is the practice of encrypting plaintext data with a data key and then encrypting the data key under another key.

Answer 691

A

The envelope encryption master key that is plaintext (unencrypted)

Answer 692

A

x-amz-server-side-encryption-customer-algorithm
x-amz-server-side-encryption-customer-key
x-amz-server-side-encryption-customer-key-MD5

Answer 693

A

Gets a list of trace IDs of the application

Answer 694

A

Returns the the traces for all the trace IDs specified in the call

Answer 695

A

eb deploy

Answer 696

A

A Spot Fleet is a set of Spot Instances and optionally On-Demand Instances that is launched based on criteria that you specify

Answer 697

A

Create a file system on the volume

Answer 698

A

AWS Lambda will keep the unreserved concurrency pool at a minimum of 100 concurrent executions, so that functions that do not have specific limits set can still process requests. So, in practice, if your total account limit is 1000, you are limited to allocating 900 to individual functions.

Answer 699

A

An atomic counter would not be appropriate where overcounting or undercounting cannot be tolerated (For example, in a banking application). In this case, it is safer to use a conditional update instead of an atomic counter.

Answer 700

A

The IAM policy simulator evaluates the policies that you choose and determines the effective permissions for each of the actions that you specify.

Answer 701

A

annotations object with key-value pairs that you want X-Ray to index for search.

Answer 702

A

metadata object with any additional data that you want to store in the segment.

Answer 703

A

Yes, but through a custom runtime

Answer 704

A

Specifies the amount of time in seconds that the browser caches an Amazon S3 response to a preflight OPTIONS request for the specified resource.

Answer 705

A

Cluster queries are expressions that enable you to group objects.

Answer 706

A

For Lambda functions that process Kinesis or DynamoDB streams, the number of shards is the unit of concurrency. If your stream has 100 active shards, there will be at most 100 Lambda function invocations running concurrently. This is because these streams are pull based, not push based, such as API Gateway for example

Answer 707

A

For Lambda functions that process Kinesis or DynamoDB streams, the number of shards is the unit of concurrency. If your stream has 100 active shards, there will be at most 100 Lambda function invocations running concurrently. This is because these streams are pull based, not push based, such as API Gateway for example

Answer 708

A

Sending EC2 instance data every 1-minute

Answer 709

A

The application on each instance in the deployment group is stopped, the latest application revision is installed, and the new version of the application is started and validated.

Answer 710

A

In-Place:
- EC2/On-Premises

Blue/Green
- EC2
- Lambda
- ECS

Answer 711

A

False; they must be set-up when the table is created

Answer 712

A

You cannot manually configure the CPU settings of your function. You have to increase the memory configuration of your function instead.

Answer 713

A

DynamoDB Transactions feature simply provides developers atomicity, consistency, isolation, and durability (ACID)

Answer 714

A

Automates the process of keeping your EC2 and hybrid infrastructure in a state that you define

Answer 715

A

AWS CloudFormation StackSets extends the functionality of stacks by enabling you to create, update, or delete stacks across multiple accounts and regions with a single operation.

Answer 716

A

global secondary index (GSI) is primarily used if you want to query over the entire table, across all partitions.

Answer 717

A

Local secondary index support both, global secondary indexes only support eventual

Answer 718

A

Use to automatically encrypt data before it is written to storage, and automatically decrypts data when is read from storage

Answer 719

A

AWS Step Functions

Answer 720

A

False; only HTTPS

Answer 721

A

Use a user data script to install the X-Ray daemon.

Answer 722

A

You can use markers to record events in the workflow execution history for application specific purposes. Markers are useful when you want to record custom information

Answer 723

A

False, use Cognito user pool instead

Answer 724

A

Trust policies define which principal entities (accounts, users, roles, and federated users) can assume the role.

Answer 725

A

python
Go
Ruby
C#
-Powerscript
Node.js
Java

Answer 726

A

Cognito ID