aws developer

What is the maximum size of an S3 object?

5 TB The minimum size of an object is 0 bytes (empty or 'touched' files are permitted) and the maximum size of an object is 5TB.

What is the maximum execution duration for a Lambda request?

As of Oct 2018 the maximum execution duration has been increased from 300 seconds to 900 seconds (15 minutes)

When using the AWS REST API to upload an object to S3, which of the following request headers will ensure that your data must be encrypted using SSE?

x-amz-server-side-encryption

is appSpec file only YAML

no, also json

What 2 things can go in the Transforms section of CF?

- Re-use Code located in S3 - Specify the use of the Serverless Application Model for Lamdba deployments.

What is the HTTP code you would see once you successfully place a file in an S3 bucket?

200

You are trying to diagnose a performance problem with your serverless application, which uses Lambda, API Gateway, S3 and DynamoDB. Your DynamoDB table is performing well and you suspect that your Lambda function is taking too long to execute. Which of the following could you use to investigate the source of the issue?

AWS X-Ray API Gateway Integration Latency metric in CloudWatch EXPLANATION:AWS X-Ray can be used to display a histogram showing the latency of your Lambda function. Latency is the amount of time between when a request starts and when it completes. API Gateway Integration Latency in the time between when API Gateway relays a request to the backend and when it receives a response from the backend. API Gateway Latency is the time between when API Gateway receives a request from a client and when it returns a response to the client. The latency includes the integration latency and other API Gateway overhead. Lambda Invocations Sum measures the number of times a function is invoked in response to an event or invocation API call.

An organization has adopted a new policy that all services should be built using AWS Serverless technology. Which of the following AWS services could the organization use under this new policy?

AWS consider S3, DynamoDB, and Fargate to be serverless services.

An organization is hosting their static website on S3, using a custom domain name. Users have started reporting that their web browsers' are alerting them to the fact that the organization's website is "Not Secure" because it is not served via a secure HTTPS connection. What is the easiest way to start serving the website via HTTPS?

Add a CloudFront distribution in front of the S3 static website, which supports HTTPS with a custom domain name. EXPLANATION:S3 buckets do not directly support HTTPS with a custom domain name. The simplest solution is to create a CloudFront distribution and set its origin to the S3 bucket. CloudFront allows you to specify a custom domain name, and supports managed certificates via Amazon Certificate Manager. Enabling AES-256 Default Encryption on the S3 bucket only affects the object at rest. Application Load Balancers do support SSL termination but do not support S3 as a target. AWS Shield relates to Distributed Denial of Service protection, not encryption over the wire.

Your application uses the STS API call AssumeRoleWithWebIdentity to enable access for users who have authenticated using a Web ID provider. Which of the following best describe what is returned by a successful call to AssumeRoleWithWebIdentity?

AssumeRoleWithWebIdentity returns a set of temporary credentials (access key ID, secret access key and security token) which give temporary access to AWS services AssumeRoleWithWebIdentity returns a set of temporary credentials, giving the user temporary access to AWS. It also returns an Amazon Resource Name (ARN) and the assumed role ID, which are identifiers that you can use to refer to the temporary security credentials.

Your application on EC2 must write to an Aurora cluster to store user and purchasing data. Your CISO implements a new company-wide policy that requires all AWS credentials are encrypted and rotated monthly. How would you fulfill the new security policy with minimum administrative burden?

Attach an IAM role to the instance with proper credentials. EXPLANATION:AWS designed IAM roles so that your applications can securely make API requests from your instances, without requiring you to manage the security credentials that the applications use. IAM roles are based on temporary security tokens, so they are rotated automatically. Credentials embedded in source code cannot be rotated without it being an administrative burden, and is a bad practice. It's impossible to retrieve credentials from an S3 bucket if you don't already have credentials for that bucket. IAM users cannot be associated with resources, and Active Directory authorization will not grant access to AWS resources.

Which feature of AWS can you use to configure S3 to allow web applications being hosted in one S3 bucket to access files in another S3 bucket?

CORS

You are developing a healthy-eating application which tracks nutrition and water intake on a daily basis. Your users mainly access the application using a mobile device like a cell phone or tablet. You are planning to run a promotion to attract new users by providing a free trial period and you would like to make it easy for guest users to trial your application. Which of the following can you use to configure access for guest users?

Cognito Identity Pools EXPLANATION:With a Cognito identity pool, your users can obtain temporary AWS credentials to access AWS services, such as Amazon S3 and DynamoDB. Identity pools support anonymous guest users, as well as federation through third-party IdPs.

You are developing an online gaming application which needs to synchronize user profile data, preferences and game state across multiple mobile devices. Which of the following Cognito features enables you to do this?

Cognito Sync Cognito Events EXPLANATION:Amazon Cognito Sync is an AWS service and client library that enable cross-device syncing of application-related user data. You can use it to synchronize user profile data across mobile devices and web applications. The client libraries cache data locally so your app can read and write data regardless of device connectivity status. When the device is online, you can synchronize data, and if you set up push sync, notify other devices immediately that an update is available.

You want to recieve an email whenever a user pushes code to your CodeCommit repository, how can you configure this?

Configure Notifications in the console, this will create a CloudWatch Events rule to send a notification to an SNS topic which will trigger an email to be sent to the user EXPLANATION:You can configure the SNS notifications in the CodeCommit console

You work for a large I.T. recruitment company that are launching a mobile application which will allow job seekers to apply for jobs online and attach their résumé to their application. Users will be able to log in to their account using Facebook and the application stores their contact and profile details in a DynamoDB table. Which of the following approaches would you recommend for enabling the users to gain access to view and update their data?

Configure Web Identity Federation with Cognito EXPLANATION:With Web Identity Federation, you don't need to create custom sign-in code or manage your own user identities. Instead, users of your app can sign in using a well-known external identity provider (IdP), such as Login with Amazon, Facebook, Google. For most Web Identity Federation scenarios, we recommend that you use Amazon Cognito because it acts as an identity broker and does much of the federation work for you.

A company is developing its first lambda function. The function needs access to their existing EC2 instances, which are all hosted in private subnets within their VPC. What must the company do to ensure their lambda can access the EC2 instances?

Configure lambda's security group, so it has access to the EC2 instances. Configure the lambda function to connect the private subnets used by the EC2 instances. Configure lambda's execution role to have permissions for managing an ENI within the VPC. EXPLANATION:To configure a lambda to connect to a VPC, one or more subnets into which it can connect must be defined. The lambda function creates an Elastic Network Interface in one of the given subnets. It, therefore, needs an execution policy that allows it permissions to do so. The specific permissions required are in the attached AWS documentation link. The Elastic Network Interface through which the lambda connects should then be associated with one or more security groups that allow network communication to the desired destinations, over the desired ports.

One of your junior developers has never had AWS Access before and needs access to an Elastic Load Balancer in your custom VPC. This is the first and only time she will need access. Which of the following choices is the most secure way to grant this access?

Create a new IAM user with *only* the required credentials and delete that IAM user after the developer has finished her work. EXPLANATION:It's always best practice to grant users access via IAM roles and groups. In this case, we would *not* assign the junior Dev to an existing group, as most Dev groups will have *more* access than is required for this Dev to perform the single task she has been asked to accomplish. Remember - always grant the *fewest* privileges possible.

A developer needs to share an EBS volume with a second AWS account. What actions need to be performed to accomplish this task in the most optimal way?

Create an EBS volume snapshot. Modify EBS snapshot permissions and add the second AWS account ID to share the snapshot. In the second AWS account, create an EBS volume from the snapshot. EXPLANATION:It is not possible to directly share an EBS volume with another account. In order to accomplish the required task, it is required to create an EBS volume snapshot and grant permissions to that snapshot to the second AWS account. Although EBS volume snapshots are stored in S3, they are not in a user-visible bucket. Sharing a private AMI with a second account does not meet the specific requirement as defined in the question.

A developer is configuring CodeDeploy to deploy an application to an EC2 instance. The application's source code is stored within AWS CodeCommit. What permissions need to be configured to allow CodeDeploy to perform the deployment to EC2?

Create an IAM policy with an acton to allow `codecommit:GitPull` on the required repository. Attach the policy to the EC2 instance profile role. EXPLANATION:CodeDeploy interacts with EC2 via the CodeDeploy Agent, which must be installed and running on the EC2 instance. During a deployment the CodeDeploy Agent running on EC2 pulls the source code from CodeCommit. The EC2 instance accesses CodeCommit using the permissions defined in its instance profile role; therefore, it is the EC2 instance itself that needs CodeCommit access. The specific CodeCommit permission needed to pull code is `codecommit:GitPull`.

You are building an S3 hosted website and your website is accessing javascript and image files located in another S3 bucket. How can you enable this?

Cross-origin resource sharing (CORS) defines a way for client web applications that are loaded in one domain to interact with resources in a different domain.

You are working for a small but busy veterinary surgery and you need to design a new DynamoDB table to store information relating to customers, their pets, and any medications that are currently being prescribed. Which of the following attributes would be a good choice for a partition key, in order to achieve maximum provisioned throughput efficiency?

Customer ID When selecting a partition key, you want to distribute the workload evenly across as many partitions as you can, to maximize provisioned throughput of your DynamoDB table. The partition key determines which partition the record will be stored on. To achieve maximum provisioned throughput, choose a partition key with a unique attribute like Customer ID, Product ID, email address, phone number etc. A partition key design that does not distribute I/O requests evenly can create hot partitions which result in throttling and uses your provisioned I/O capacity inefficiently. Values such as Medication, Species and Registration date, are not unique and in some cases may have only a few possible values which could result in hot partitions and inefficient use of provisioned throughput.

You are developing a scalable application which will run in Docker on ECS. You would like to be able to run multiple tasks on the same ECS service. How should you approach this?

Dynamic Port Mapping Port mappings allow containers to access ports on the host container instance to send or receive traffic. Port mappings are specified as part of the container definition. Dynamic port mapping with an Application Load Balancer makes it easier to run multiple tasks on the same Amazon ECS service on an Amazon ECS cluster.

You are working on a flight booking application which runs on a number of EC2 instances. Recently one of your servers crashed which meant all of your users lost their sessions and had to log in again. Many of your customers have complained that they had to start their session again from the beginning because your application does not store session state anywhere. Which of the following could you use to persist session state and stop this from happening?

DynamoDB EXPLANATION:Many applications store session state data in memory. However, this approach doesn't scale well. After the application grows beyond a single web server, the session state must be shared between servers. DynamoDB provides an effective and scalable solution for sharing session state across web servers.

Which of the following AWS services enables you to capture a time-ordered sequence of any modifications which happened to the items in your DynamoDB table over the past 24 hours?

DynamoDB Streams EXPLANATION:DynamoDB Streams captures a time-ordered sequence of item-level modifications in a DynamoDB table and durably stores the information for up to 24 hours.

You can use X-Ray with applications running on which platforms?

EC2 Lambda Elastic Beanstalk ECS

You are developing a batch process job on Amazon EMR. The EMR instances need to access data stored in Amazon RDS in order to initialize the batch processing. The application code ran properly during testing but is not able to properly retrieve data from the RDS instance as there appears to be no connectivity. How would you remedy this situation in the most effective manner?

Edit the security group rules associated with the RDS and EMR instances to allow inbound/outbound access. EXPLANATION:For AWS Container services, customers are responsible for the data and for firewall rules for access to the container service. For example, Amazon RDS provides RDS security groups, and Amazon EMR allows customers to manage firewall rules through Amazon EC2 security groups for Amazon EMR instances. Editing the security group rules will solve the issue. Although AWS does manage the underlying RDS and EMR infrastructure, customers are responsible for the data and firewall rules for access to container services. Key pairs related to infrastructure services such as EC2 and is not relevant in this case. Migrating to EC2 would work but is unnecessary, more costly and require additional administrative overhead.

what does Cog to create unique identities for user and authenticate them with Web ID providers

Identity Pools

ABC corp runs a web application that uses API Gateway to provide their developer customers with access to data. To reduce load on their upstream systems, the ABC corp have enabled API Gateway caching. A small number of developer customers still need access to results directly from the integration endpoint. To prevent all developer customers from bypassing the cache, ABC corp has also enabled the requirement for cache invalidation to require authorization. What must a developer customer do to return a result that is not cached from the API Gateway?

Include a Cache-Control: max-age=0 HTTP header in their request. Sign their request with a user or role that has the required execute-api:InvalidateCache permissions to invalidate the cache. EXPLANATION:Setting a Cache-Control: max-age=0 HTTP header as part of the request tells API Gateway that you want a response directly from the integration endpoint, rather than a cached response. This header can be interpreted as the client stating the maximum age a cached result can be is 0 seconds - equivalent to saying it cannot be cached at all. As the cache is configured to require authorization to be invalidated, the request must be signed with a user or role that allows the execute-api:InvalidateCache action to be performed on the API Gateway resource. An example of this policy is found in the documentation for API Gateway Caching. We have also included a link to how to sign a request using AWS Signature Version 4. It is recommended that you require authorization to invalidate a cached response; otherwise, if a significant number of requests perform an invalidation, the cache is no longer helping reduce load on upstream systems. Calling flush-stage-cache is incorrect because this would delete all data in the entire API cache, rather than just for the response the client has requested. Called often, this will likely result in the cache not having sufficient data to be effective.

A content publishing organization runs its own platform, which uses DynamoDB as its data store. A bug report has come in from the content team. They say that when two editors are working on the same content they frequently overwrite each other's changes. What DynamoDB feature would prevent the most number of overwrite bug reports?

Include a condition-expression in the UpdateItem command. EXPLANATION:Using a condition-expression we can perform a conditional update to an item. The condition must evaluate to true; otherwise, the update operation fails. We can use this feature to make sure the content of an article has not changed since it was last read, before we update it. acid-expression is incorrect because there is no such expression. DynamoDB TTL is incorrect because it is for deleting items from DynamoDB after a given duration, not creating a lock. Calling GetItem immediately before calling UpdateItem would help mitigate the issue, but still leaves a small race condition where condition-expression does not. It is, therefore, not the best solution.

You are building a serverless web application which will serve both static and dynamic content. Which of the following services would you use to create your application?

Lambda API Gateway S3 EXPLANATION:Lambda lets you run code without provisioning servers, API Gateway is a managed service which makes APIs available to your user base in a secure way, S3 can be used to serve static web content. EC2 and RDS are not serverless. Elasticache is not required for this solution.

An organization wishes to use CodeDeploy to automate its application deployments. The organization has asked a developer to advise on which of their services can integrate with CodeDeploy. Which of the following services can the developer advise are compatible with CodeDeploy managed deployments?

On-premises servers EC2 Lambda Fargate CodeDeploy supports EC2, ECS (both EC2 and Fargate), Lambda, and on-premise servers.

You want to add a cross-origin resource sharing (CORS) configuration to one of your S3 buckets. Which of the following tabs should you choose to do so?

Permissions EXPLANATION:To add a CORS configuration to your S3 bucket, you have to click the 'Permissions' tab and choose 'CORS configuration'. The 'Properties' tab is for configuring object settings such as versioning, transfer acceleration, and logging. The 'Management' tab is for managing object replication, analytics, and storage lifecycle. If you want to simplify bucket access by creating endpoints, you choose 'Access points'.

Using the AWS console, you are trying to Scale DynamoDB past its preconfigured maximums. Which service can you increase by raising a ticket to AWS support?

Provisioned throughput limits

You need to retrieve some data from your DynamoDB table, which of the following methods would consume the least provisioned Capacity Units?

Query with eventual consistency EXPLANATION:A Query is generally more efficient than a Scan operation. Eventual consistency reads use up fewer Read Capacity Units than strongly consistent reads

You work for an online gaming store which has a global worldwide leaderboard for players of the game. You need to implement a caching system for your leaderboard that has multiple availability zones in order to prevent an outage. Which ElastiCache solution should you use?

Redis

What CF section to define proerties of a new bucket?

Resources

A developer has been tasked with enabling Access Logs on the Application Load Balancer that sits in-front of their web services. As part of this task, they must configure a location to which the logs are delivered. To what AWS service can Access Logs from an Application Load Balancer be delivered?

S3 is the only service supported by AWS for receiving ALB access logs.

Which of the following protocols are used to set up secure connections to AWS CodeCommit repositories?

SSH HTTPS EXPLANATION:AWS allows you to use either the HTTPS or the SSH protocol to connect to CodeCommit repositories. There's no option to select HTTP or RDP connections.

What API call to enable user authentication via Facebook to a app in AWS?

STS assume-role-with-web-identity

You need to retrieve some data from your DynamoDB table, which of the following methods would consume the greatest number of provisioned Capacity Units?

Scan with strong consistency

Which of the following activities are the responsibility of the customer? Safe disposal of storage devices Security Group configuration settings Controls around who can physically access the data center Management of user credentials Encryption of sensitive data

Security Group configuration settings Management of user credentials Encryption of sensitive data Security and Compliance is a shared responsibility between AWS and the customer. The customer assumes responsibility and management of the guest operating system (including updates and security patches), other associated application software as well as the configuration of the AWS-provided security group firewall. AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services.

An organization receives documents from its users, which must be put into a SQS queue, ready for processing. The documents range in size from 3 MB to 20 MB, and must always be encrypted at rest. What is the best was to queue these documents?

Store the document in S3. Include a reference to the object in a SQS message. EXPLANATION:SQS has a maximum message size of 256 KB, and DynamoDB has a maximum Item size of 400 KB; therefore, neither of these would be suitable for storing such large documents. Glacier would not be suitable as its use-case is for long term document archiving, not short term document processing. All options listed provide encryption at rest.

A recent increase in the amount of users of an application hosted on an EC2 instance that you manage has caused the instances OS to run out of CPU resources and crash. The crash caused several users' unsaved data to be lost and your supervisor wants to know how this problem can be avoided in the future. Which of the following would you NOT recommend?

Take frequent snapshots of the EBS volume during business hours to ensure users' data is backed up. EXPLANATION:Frequent snapshots are not recommended, as they can result in performance degradation. Additionally, these snapshots will not capture users' unsaved data that lives in the instance's memory.

Your EC2 instance needs to access a number of files which have been encrypted using KMS. Which of the following must be configured in order for the EC2 instance to successfully read the files?

The Key Policy must allow the instance role to use the CMK The EC2 instance must have an instance role which has permission run the decrypt operation EXPLANATION:Manage access to KMS keys using a key policy. In the key policy, you must specify the principal (the identity) that the permissions apply to. You can specify AWS accounts (root), IAM users, IAM roles, and some AWS services as principals in a key policy. You can use IAM policies in combination with key policies to control access to your customer master keys (CMKs) in AWS KMS.

Your company has a corporate identity store used to authenticate its users. Your company also has resources running on AWS. Your admin has created IAM roles and an identity broker that sits between your corporate users and your AWS resources to manage the authentication and authorization process without needing to re-create all your users as IAM users in AWS. Your CISO asked you to summarize the AWS identity federation process to ensure compliance with your applications' security. Which of the following statements correctly describes the authentication process?

The enterprise user accesses the identity broker application. The identity broker application authenticates the users against the corporate identity store. The identity broker application has permissions to access the AWS Security Token Service (STS) to request temporary security credentials. Enterprise users can get a temporary URL that gives them access to the AWS APIs or the Management Console. EXPLANATION:Users might already have identities outside of AWS, such as in your corporate directory. However, those users might need to work with AWS resources (or work with applications that access those resources). If so, these users also need AWS security credentials in order to make requests to AWS. The process can be summarized as follows: 1. The enterprise user accesses the identity broker application. 2. The identity broker application authenticates the users against the corporate identity store. 3. The identity broker application has permissions to access the AWS Security Token Service (STS) to request temporary security credentials. 4. Enterprise users can get a temporary URL that gives them access to the AWS APIs or the Management Console. A sample identity broker application for use with Microsoft Active Directory is provided by AWS. Details on page 22 of the URL link.

You deployed a new Lambda function a few days ago and your code seems to be executing successfully, however when you check CloudWatch there isn't any log data for your function. What could be the reason for this?

The execution role for the Lambda function did not grant permissions to write log data to CloudWatch Logs EXPLANATION:A service needs to have permissions to write log data to CloudWatch logs, Lambda is associated with an execution role which needs to grant the relevant IAM permissions

How does S3 determine which partition to use to store files?

The key name determines which partition the file is stored in

You are working on an application which shares video content to subscribed users. This morning you have received a number of complaints that users are unable to access your content and they are seeing an HTTP 504 Status Code. Which of the following could be a possible explanation?

There is a server side error within your AWS infrastructure An HTTP 504 status code is a Gateway Timeout which indicates that when CloudFront forwarded a request to the origin, because the requested object was not in the edge cache, one of the following happened: The origin returned an HTTP 504 status code to CloudFront; or, the origin didn't respond before the request expired. This is a server side issue, i.e. a problem or misconfiguration in your AWS infrastructure. Remember that any 5XX error indicates a server-side error, and a 4XX error indicates a client-side error.

An organization has mandated that all data within its DynamoDB tables must be encrypted at rest using an AWS owned key. What must a developer do to ensure this?

There's no need to do anything; all DynamoDB tables are encrypted at rest with an AWS owned key by default. EXPLANATION:All DynamoDB tables are encrypted at rest using an AWS owned CMK by default. Non-encrypted DynamoDB tables are no longer supported in AWS. You have the option to pick an alternative AWS or Customer Managed KMS key if required.

You are attempting to upload a number of objects to S3, however you keep seeing the following error message: "AmazonS3Exception: Internal Error; Service: Amazon S3;" Which of the following is the best explanation for this kind of error?

This is a 500 type error, which is a server-side error This is an Internal Error which indicates that Amazon S3 is unable to handle the request at that time. Internal errors or server-side errors have a 5xx status code, whereas client-side errors have a 4xx status code.

when would you use an Inline Policy over Managed?

To add permissions that are only ever intended to be used for a single user in your account

Under what circumstances would you use an SQS Delay Queue?

To postpone the delivery of new messages to a queue for a number of seconds EXPLANATION:Delay queues let you postpone the delivery of new messages to a queue for a number of seconds. If you create a delay queue, any messages that you send to the queue remain invisible to consumers for the duration of the delay period.

In the CodeDeploy AppSpec file, what are hooks used for?

To specify code, scripts or functions that you want to run at set points in the deployment lifecycle The hooks section for an EC2/On-Premises deployment contains mappings that link deployment lifecycle event hooks to one or more scripts. The hooks section for a Lambda deployment specifies Lambda validation functions to run during a deployment lifecycle event.

What are hooks for in CodeDeploy AppSpec file?

To specify code, scripts or functions that you want to run at set points int he developmnet lifecycle

Which section of the AWS Serverless Application Model template would you use to describe the configuration of a Lambda function and an API Gateway endpoint, if you were deploying your application using AWS SAM?

Transform EXPLANATION:Use the Transform section to describe your Serverless functions when using the serverless application model. Under the Transform section, you define the resources you want to deploy.

App behind ELB, how to get public IP addresses of the users?

Update App to log the x-forwarded-for header.

You are the development lead on a large project to launch a new e-commerce website specialising in fishing supplies. Your developers are located in India, USA and the Middle East. You need to find a source code repository that everyone can use, and that will allow developers to continue to work on their code even when they are not connected to the internet. Which of the following would you suggest to the team?

Use CodeCommit to manage your source code EXPLANATION:CodeCommit is based on Git, which is a distributed version control system, meaning there is no single, central place where everything is stored. In a distributed system, there are multiple backups in the event that you need one. This approach also means that you can work offline and commit your changes when you are ready.

You are running an application on an EC2 instance. The application needs to be able to access an S3 bucket to read and write data. Which of the following is the best approach to enabling the EC2 instance to access your bucket?

Use an IAM role with permissions to read and write to the bucket EXPLANATION:Storing credentials in EC2, in the code or in databases is not recommended. Using an IAM role with the requisite permissions and associating that with your EC2 instance is the recommended approach.

What does Congnito use to manage sign-up and sign-in functionality for mobile and web applications?

User Pools

Which service can you use to analyze and debug distributed applications, identify issues and locate performance bottlenecks?

X-Ray EXPLANATION:X-Ray allows you to debug distributed, Serverless and microservices based applications. CloudTrail is used for auditing activity in your AWS account, CloudWatch and Systems Manager do not give an end-to-end view of your application.

Name of CodeDeply file to specify source files and lifecylce hooks?

appspec.yml

You are using S3 in AP-Northeast to host a static website in a bucket called "acloudguru". What would the new URL endpoint be?

http://acloudguru.s3-website-ap-northeast-1.amazonaws.com

A transport company uses a mobile GPS application to track the location of each of their 60 vehicles. The application records each vehicle's location to a DynamoDB table every 6 seconds. Each transmission is just under 1KB and throughput is spread evenly within that minute. How many units of write capacity should you specify for this table?

10 Writing to the database every six seconds, there are 10 writes/minute/vehicle. There are sixty vehicles in the fleet, so there are 600 writes/minute overall. 600/60 seconds = 10 writes/second.

How long can a message be retained in an SQS Queue?

14 days

Which HTTP response code indicates that an API call was successful?

200

If your table item's size is 3KB and you want to have 90 eventually consistent reads per second, how many read capacity units will you need to provision on the table?

3 rounds up to 4. 4/4=1. 90*1/2=45

What is the largest size file you can transfer to S3 using a PUT operation?

5GB EXPLANATION:The largest file you can transfer to S3 using a PUT operation is 5GB.

You are working on a mobile phone app for an online retailer which stores customer data in DynamoDB. You would like to allow new users to sign-up using their Facebook credentials. What is the recommended approach?

After the user has successfully logged in to Facebook and received an authentication token, Cognito should be used to exchange the token for temporary access to DynamoDB For mobile applications, using Cognito as an ID broker is the recommended approach to enabling user sign-up, sign-in and guest access using Web Identity Providers like Facebook.

A clothing company needs to build a REST service to allow salespeople quick access to stock levels. The service must be accessible from an HTTP request. Which of the following solutions addresses the company's requirements?

Amazon API Gateway and AWS Lambda EXPLANATION:In an AWS Lambda integration in Amazon API Gateway, the HTTP method request from the client is mapped to a backend Lambda function invocation. Depending on your use case, you may choose to use Lambda proxy integration, Lambda non-proxy integration, or both in your API Gateway API. In a Lambda proxy integration, the entire client request is sent to the backend Lambda function as is, except that the order of the request parameters isn't preserved. In a Lambda non-proxy integration (also called a custom integration), you configure the way the parameters, headers, and body of the client's request are translated into the format that your backend Lambda function requires.

Which of the following specifies the correct run order for lifecycle hooks for an In-Place deployment using CodeDeploy?

ApplicationStop, BeforeInstall, AfterInstall, ApplicationStart EXPLANATION:The logical sequence is: ApplicationStop, BeforeInstall, AfterInstall, ApplicationStart

You are working on an application which is made up of a number of Lambda functions as well as API Gateway endpoints. Which of the following technologies would you use to build and deploy this application in AWS? 2 things

CloudFormation AWS Serverless Application Model CLI CloudFormation and the AWS SAM CLI can be used to deploy serverless applications. Use the Transform section of the CloudFormation template to specify the serverless resources you would like to deploy. The other technologies cannot be used to deploy serverless applications. OpsWorks provides configuration management using managed instances of Puppet or Chef. Elastic Beanstalk is for deploying and scaling web applications on familiar servers such as Apache, Nginx, Passenger, and IIS. CodeBuild is an automated build system, and CodeDeploy deploys your built code to either EC2 or an on-premises server.

A developer needs to compile Java code to produce a deployment artifact. Which Amazon service can the developer use for this task?

CodeBuild EXPLANATION:Amazon CodeBuild is a service that compiles source code, runs tests, and produces software packages that are ready to deploy. Amazon CodeCommit is a source control service that hosts Git-based repositories. Amazon CodeDeploy is a deployment service that automates software deployments. Amazon CodePipeline is a continuous delivery service that helps you automate your release pipelines.

What AWS service to fully automate entire process?

CodePipeline

Which of the following does Cognito use to manage sign-up and sign-in functionality for mobile and web applications?

Cognito User Pools are like a directory, allowing users sign-up and sign-in. Identity pools are used to grant temporary access to unauthenticated guests. IAM users are user account entities which allow you to interact with AWS resources. IAM groups are collections of IAM users and are used to specify permissions for multiple users.

You are developing a new application which allows users to search for parking spots in their local area. Your application is based on Lambda and uses API Gateway to connect to third party parking lot companies to access information about parking tariffs and availability. Your application stores session data in a DynamoDB table, however you want to keep costs to a minimum and would like to automatically delete the session data from the table once the user session has expired and the data is no longer relevant. How can you most easily achieve this?

Configure a TTL based on the session expiry time Time To Live (TTL) for DynamoDB allows you to define when items in a table expire so that they can be automatically deleted from the database. TTL is provided at no extra cost as a way to reduce storage usage and reduce the cost of storing irrelevant data without using provisioned throughput. With TTL enabled on a table, you can set a timestamp for deletion on a per-item basis, allowing you to limit storage usage to only those records that are relevant.

ou have provisioned an RDS database and then deployed your application servers using Elastic Beanstalk. You now need to connect your application servers to the database. What should you do? 2 things

Configure a security group allowing access to the database and add it to your environments auto-scaling group Provide the database connection information to your application *As you are connecting to a database that was not created within your Elastic Beanstalk environment, you will need to create the Security Group yourself and also provide connection string and credentials to allow your application servers to connect to the database

You are using X-Ray to monitor your application for performance and troubleshooting purposes. You would like to be able to index and filter the traces based on values specific to your project. How can you do this?

Configure annotations in your traces so that they can be indexed and filtered in the X-Ray console, based on the annotations. When you instrument your application, the X-Ray SDK records information about incoming and outgoing requests, the AWS resources used, and the application itself. You can add other information to the segment document as annotations and metadata. Annotations are simple key-value pairs that are indexed for use with filter expressions. Use annotations to record data that you want to use to group traces in the console.

You need to allow another AWS account access to resources in your AWS account, what is the recommended mechanism to configure this?

Configure cross account access by creating a role in your account which has permission to access only the resources they need. Allow the third party account to assume the role based on their account ID and unique external ID Roles are the primary way to grant cross-account access. With IAM roles, you can grant third parties access to your AWS resources without sharing your AWS security credentials. Instead, the third party can access your AWS resources by assuming a role that you create in your AWS account.

You are developing a Serverless application written in Node.js, which will run on Lambda. During performance testing, you notice that the application is not running as quickly as you would like and you suspect that your Lambda function does not have enough CPU capacity. Which of the following options will improve the overall performance of your function?

Configure more memory for your function *In the AWS Lambda resource model, you choose the amount of memory you want for your function, and are allocated proportional CPU power and other resources. For example, choosing 256MB of memory allocates approximately twice as much CPU power to your Lambda function as requesting 128MB of memory and half as much CPU power as choosing 512MB of memory. Lambda allocates CPU power linearly in proportion to the amount of memory configured.

You have a legacy application located in your production data centre, which frequently accesses files stored in S3. Due to a significant increase in workload, your application servers are now generating a huge number of requests to your S3 bucket, with many requests now failing. What can you do to improve the situation?

Configure your application to use Exponential Backoff Numerous components on a network, such as DNS servers, switches, load balancers, and others can generate errors anywhere in the life of a given request. The usual technique for dealing with these error responses in a networked environment is to implement retries in the client application. Retrying the request with Exponential Backoff technique increases the reliability of the application and reduces operational costs for the developer.

You are about to work on a brand-new feature that you wish to propose for the upcoming second release of a job search engine application. However, you do not want to use the production-ready code. How will you keep your work separate from it?

Create a branch off of the default branch in AWS CodeCommit. EXPLANATION:AWS CodeCommit is what you need for creating the code repository necessary for developing the application. To work on the app's new feature while keeping it separate from production-ready code, you must create a branch off of the default branch, which is the repo's base branch. You create a pull request if you want to review, comment on, and merge code changes from one branch to another. AWS CodeStar is for developing, building, and deploying applications so is not a suitable response. Creating a 'delineator' is not a valid answer; you can't create a delineator in the repo.

You are building a distributed application, which is made up of a number of Docker instances running on an ECS cluster. You would like to configure your application to send data to X-Ray. Where should you install the X-Ray daemon?

Create a separate Docker image to run the X-Ray daemon. In Amazon ECS, create a Docker image that runs the X-Ray daemon, upload it to a Docker image repository, and then deploy it to your Amazon ECS cluster. X-Ray provides an official Docker container image that you can deploy alongside your application.

You are responsible for a number of different applications which are hosted across multiple regions. You would like to use CloudWatch to view all system metrics data in one place. Which of the following approaches should you choose?

Create a single dashboard to cover all the regions and include metrics for each application CloudWatch dashboards are customizable home pages in the CloudWatch console that you can use to monitor your resources in a single view, even those resources that are spread across different Regions.

Your EC2 instance needs to access files located in an S3 bucket, what is the best way to enable access?

Create an IAM role with read access to S3 and assign the role to the EC2 instance * Using an IAM role associated with the EC2 instance is the recommended way, storing credentials locally is not recommended.

You have an application running on a number of Docker containers running on AWS Elastic Container Service. You have noticed significant performance degradation after you made a number of changes to the application and would like to troubleshoot the application end-to-end to find out where the problem lies. What should you do?

Deploy the AWS X-Ray daemon as a new container alongside your application EXPLANATION:Within a microservices architecture, each application component runs as its own service. Microservices are built around business capabilities, and each service performs a single function. So if you want to add X-Ray to a Dockerized application, it makes the most sense to run the X-Ray daemon in a new Docker container and have it run alongside the other microservices which make up your application.

An organization is considering making use of AWS Fargate in their next project. Which of the following statements best describes AWS Fargate?

Deploys Docker containers within AWS, without having to manage underlying EC2 instances. EXPLANATION:AWS Fargate is a compute engine for Amazon ECS that allows you to run containers without having to manage servers or clusters.

You are troubleshooting a major incident which has resulted in data loss in your application. Your manager asks if you can provide a time-ordered sequence of any modifications which happened to the items in your DynamoDB table over the past 24 hours so that you can work out what happened. Which service could you use to most effectively provide this?

DynamoDB Streams captures a time-ordered sequence of item-level modifications in a DynamoDB table and durably stores the information for up to 24 hours.

Which of the following DynamoDB features allows Items to be automatically deleted at a given date and time?

DynamoDB TTL EXPLANATION:DynamoDB TTL allows each Item to include a date and time at which DynamoDB will automatically delete the Item.

You have been asked to use Elastic Beanstalk to build a number of web servers to use in your development environment, which of the following services can you use? 4 things

EC2 Elastic Load Balancer Auto Scaling Group S3 Except for Lambda, all of the services listed can be used to create a web server farm. AWS Lambda automatically runs your code without requiring you to provision or manage servers. Lambda is generally used for stateless, short-running tasks and is not suitable for long-running tasks like running a web server.

Which of the following AWS services would you recommend using to store session state data for a scalable web application?

ElastiCache EXPLANATION:Storing session state locally is not a good idea for a scalable application, so it doesn't make sense to store the session state on the EC2 instance. Lambda is generally for short-lived functions which do not persist, so is not suitable for managing session state. Glacier is designed for archiving infrequently used data so is not suitable for session data which could be frequently used for the lifetime of the session and then no longer required. In order to address scalability and to provide a shared data storage for sessions that can be accessed from any individual web server, you can abstract the HTTP sessions from the web servers themselves. A common solution to for this is to leverage an In-Memory Key/Value store such as Redis and Memcached, and in AWS the service to use is ElastiCache.

You work in the security industry for a large consultancy. One of your customers uses Lambda extensively in their production environment and they require a log of all API calls made to and from their Lambda functions. How can you achieve this?

Enable CloudTrail for Lambda

You are running an online fitness tracker application on a number of EC2 instances behind an Elastic Load Balancer. You have noticed some anomalies with the way the application is performing lately and would like to collect the application logs from all of your application servers into one central location. Which of the following will you need to do for each instance?

Ensure the CloudWatch agent is installed and running on your EC2 instance Ensure the instance role associated with your EC2 instance has permission to write logs to CloudWatch EXPLANATION:You will need the agent installed and running as well as configuring permission for the EC2 instance role to send logs to CloudWatch - i.e. permission to CreateLogGroup, CreateLogStream, PutLogEvents and DescribeLogStreams

You are in a development team working on a popular serverless web application which allows users to book late availability flights and hotels at a significant discount. You occasionally receive complaints that the website is running slowly. After some investigation, you notice that at the time of the complaints, DynamoDB reported a ProvisionedThrougputExceeded error. Which of the following approaches is a recommended way to handle this error?

Ensure your application is using Exponential Backoff Increasing Lambda capacity will not fix the issue because the problem is with DynamoDB. As the error only appears occasionally, the first thing to do is to ensure that the application is using Exponential Backoff to improve flow control. Increasing the capacity on the DynamoDB table could be considered but only if the problem persists.

Which of the following approaches can improve the performance of your Lambda function? 2 things

Establish your database connections from within the Lambda execution environment to enable connection reuse Only include the libraries you need to minimize the size of your deployment package Establishing connections within the execution environment allows them to be reused next time the function is invoked which saves time. Only including the libraries you need will minimise the time taken for Lambda to unpack the deployment package.

You have an EC2 instance in a single availability zone connected to an RDS instance. The EC2 instance needs to communicate to S3 to download some important configuration files from it. You try the command aws s3 cp s3://yourbucket /var/www/html however you receive an error message. You log in to Identity Access Management (IAM) and discover there is no role created to allow EC2 to communicate to S3. You create the role and attach it to the existing EC2 instance. How fast will the changes take to propagate?

Immediately

Which of the following Elastic Beanstalk deployment approaches allow you to maintain full capacity while performing an update?

Immutable Rolling With Additional Batch Rolling with Additional Batch and Immutable both involve provisioning new servers to ensure capacity is not reduced. All At Once means the application will be offline for the duration of the update. Performing a Rolling Update without an additional batch of servers means a reduction in capacity.

Your application is using SQS to send and receive messages. On average, it takes your application between 20 and 40 seconds to process a message and you have noticed that quite frequently, multiple application servers are attempting to process the same message which is causing issues within the application. What can you do to help prevent this from happening?

Increase the message visibility timeout EXPLANATION:Default message visibility timeout is 30 seconds. Your application is not always able to process a message within that time which means that after 30 seconds, the message is becomes visible on the queue again and is available for other consumers. Increasing the Visibility Timeout will give your application servers more time to processing and delete the message from the queue.

You are using CloudFront to serve static website content to users based in multiple locations across the USA, Africa, India and the Middle East. You recently made some significant updates to the website, but users are complaining that they can only see the original content. What can you do you make sure the latest version of the website is being served by CloudFront?

Invalidate the file from the CloudFront edge cache EXPLANATION:If you need to remove a file from CloudFront edge caches before it expires, you can do one of the following: Invalidate the file from edge caches. The next time a viewer requests the file, CloudFront returns to the origin to fetch the latest version of the file. Use file versioning to serve a different version of the file that has a different name.

You have a simple, stateless Python application which processes the contents of an S3 bucket once an hour and takes about 6 minutes to complete once started. Which AWS service should you run this application on in order to provide the most reliable and cost effective solution?

Make the application a Lambda function and create a Scheduled Event Trigger set to 1 hour EXPLANATION:The question states that the application is to run once every hour, which immediately means we should be looking for an option which only utilises resources when needed. Lambda is the only option in the above list which bills you only when an application is running. The EC2 and ECS options will bill for all resources, regardless of whether the application is running or not. S3 should be discounted because although you can host static Websites, you cannot run Python applications from it.

Which of the following statements about a standard SQS queue is true?

Messages will be delivered one or more times and message delivery order is indeterminate. EXPLANATION:With standard queues, SQS will deliver each message at least once, but cannot guarantee the delivery order. Because each message may be delivered more than once, your application should be idempotent by design.

Is a new S3 bucket public by default?

No

You are working on a mobile phone app for an online retailer which stores its customer data in DynamoDB. You would like to enable new users to sign-up using Facebook or Google credentials. What is the recommended approach?

Once the user has logged in to the Web Identity Provider, use Cognito to exchange the authentication tokens for temporary access to DynamoDB

You are creating a DynamoDB table to manage your customer orders, which of the following attributes would make a good Sort Key?

OrderDate EXPLANATION:A well designed Sort key allows you to retrieve groups of related items and query based on a range of values, e.g. a range of dates. In this case, Order Date is the best choice as it will allow users to search based on a range of dates

You are working on a Serverless application written in Python and running in Lambda. You have uploaded multiple versions of your code to Lambda, but would like to make sure your test environment always utilizes the latest version. How can you configure this?

Reference the function using an unqualified ARN Reference the function using a qualified ARN and the $LATEST suffix When you create a Lambda function, there is only one version: $LATEST. You can refer to the function using its Amazon Resource Name (ARN). There are two ARNs associated with this initial version, the qualified ARN which is the function ARN plus a version suffix e.g. $LATEST. Or the unqualified ARN which is the function ARN without the version suffix. The function version for an unqualified function always maps to $LATEST, so you can access the latest version using either the qualified ARN with $LATEST, or the unqualified function ARN. Lambda also supports creating aliases for each of your Lambda function versions. An alias is a pointer to a specific Lambda function version, aliases will not be updated automatically when a new version of the function becomes available.

You have deployed a new version of your Lambda function, however during testing, you notice that your application is not behaving as expected. How can you roll back to the previous version of your code?

Remap the PROD alias to point to the previous version of your function EXPLANATION:Remapping the PROD alias to the previous version will allow you to quickly roll back

You work for a company which facilitates and organizes technical conferences. You ran a large number of events this year with many high profile speakers and would like to enable your customers to access videos of the most popular presentations. You have stored all your content in S3, but you would like to restrict access so that people can only access the videos after logging into your website. How should you configure this? 2 things

Remove public read access from the S3 bucket where the videos are stored Share the videos by creating a pre-signed URL *All objects by default are private. Only the object owner has permission to access these objects. However, the object owner can optionally share objects with others by creating a pre-signed URL, using their own security credentials, to grant time-limited permission to download the objects. Anyone who receives the pre-signed URL can then access the object. For example, if you have a video in your bucket and both the bucket and the object are private, you can share the video with others by generating a pre-signed URL.

You are working on an application which handles online credit card applications. It consists of a number of web and application servers running on EC2, customer reference data stored in S3 and transactional data stored in RDS. The security team have noticed that you have a lot of sensitive customer information stored in S3 and you have been asked to configure encryption at rest to protect the data. How can you do this?

Select default encryption on your S3 bucket

You are working for an investment bank and have been asked to help the application support team with their annual Disaster Recovery testing. The main production PostgreSQL database is hosted in RDS Multi-AZ deployment, with multiple applications running on a combination of EC2 and Lambda. You have been asked to help the team to demonstrate the impact that a failed Availability Zone will have on the database. Which of the following do you suggest?

Simulate an AZ failure by performing a reboot with forced failover on the RDS instance If the Amazon RDS instance is configured for Multi-AZ, you can perform the reboot with a failover. An Amazon RDS event is created when the reboot is completed. If your DB instance is a Multi-AZ deployment, you can force a failover from one Availability Zone (AZ) to another when you reboot. When you force a failover of your DB instance, Amazon RDS automatically switches to a standby replica in another Availability Zone, and updates the DNS record for the DB instance to point to the standby DB instance. As a result, you need to clean up and re-establish any existing connections to your DB instance. Rebooting with failover is beneficial when you want to simulate a failure of a DB instance for testing, or restore operations to the original AZ after a failover occurs.

You have an application running on multiple EC2 instances, however every time an instance fails, your users complain that they lose their session. What can you do to prevent this from happening?

Store session state in ElastiCache There are various ways to manage user sessions including storing those sessions locally to the node responding to the HTTP request or designating a layer in your architecture which can store those sessions in a scalable and robust manner. Common approaches used include utilizing Sticky sessions or using a Distributed Cache for your session management. In order to address scalability and to provide a shared data storage for sessions that can be accessed from any individual web server, you can abstract the HTTP sessions from the web servers themselves. A common solution for this is to leverage an In-Memory Key/Value store such as ElastiCache.

Establishing connections within the execution environment allows them to be reused next time the function is invoked which saves time. Only including the libraries you need will minimise the time taken for Lambda to unpack the deployment package. 3 things

Store the deployment package in an S3 bucket and then upload it to Lambda Upload the deployment package to Lambda Create a deployment package containing your function code and libraries

You are migrating a restaurant booking application from your own data center to AWS. The application currently runs on a number of virtual machines running web and application servers as well as a shared database server. The applications need to access a large number of shared images and documents containing drinks and food menus. Which of the following could you use as a shared storage solution for this application so that the application servers can still access the shared files?

Store the files in S3 Use an IAM instance role to grant access ElastiCache is a temporary in memory data store, and is not for persisting shared files. DynamoDB is a noSQL database and not a suitable place to store images and text documents. SQS is a messaging system and not a data store. S3 is a storage solution suitable for images, documents and other files or objects which can be accessed by multiple users and services. The recommended way to enable EC2 instances to access S3 is by using an Instance Role.

Your distributed application sends and receives a number of large SQS messages, each of which can be up to 2GB in size. You are finding that the messages in one particular queue are getting processed a few seconds faster than expected which is causing problems in your application. The application architect has asked you to introduce a sleep period of 5 seconds which should apply to all the messages in the queue and you have also been asked to avoid storing large amounts of data in SQS. Which of the following changes do you recommend? 2 things

Store the large messages on S3 Use an SQS delay queue to let you postpone the delivery of SQS messages by 5 seconds Delay queues let you postpone the delivery of new messages to a queue for a number of seconds. If you create a delay queue, any messages that you send to the queue remain invisible to consumers for the duration of the delay period. You can use Amazon S3 and the Amazon SQS Extended Client Library for Java to manage Amazon SQS messages. This is especially useful for storing and consuming messages up to 2 GB in size. Unless your application requires repeatedly creating queues and leaving them inactive or storing large amounts of data in your queue, consider using Amazon S3 for storing your data.

You are developing a website that allows fee-paying users to access video rentals on demand and for a limited time. How would you design this application?

Store the videos in S3 Enable users to access the content using CloudFront with signed URLs *Using CloudFront, you can distribute private content using a signed URL that is valid for a limited time. Signed URLs that are valid for such a short period are good for distributing content on-the-fly to a user for a limited purpose, such as distributing movie rentals or music downloads to customers on demand. If your signed URLs will be valid for just a short period, you will probably want to generate them automatically using an application that you develop. When the user starts to download a file or starts to play a media file, CloudFront compares the expiration time in the URL with the current time to determine whether the URL is still valid.

You have a three-tier web application with a webserver tier, application tier and database tier. The application is spread across multiple availability zones for redundancy and is in an autoscaling group with a minimum size of 2 and a maximum size of 10. The application relies on connecting to an RDS multi-AZ database. When new instances are launched they download a connection string file which is saved in an encrypted S3 bucket using a bootstrap script. During a routine scaling event you notice that your new webservers are failing their health checks and are not coming in to service. You investigate and discover that the EC2 - S3 read only role that the webservers rely on has no policies attached to it. What steps should you take together to remediate this problem while maintaining the principle of least privilege? (Choose 2)

Terminate the existing instances and allow new instances to come into service. Attach the S3 - Read-only policy to the role.

Which of the following best describes Amazon ECS?

The Elastic Container Service is a service that manages running Docker containers on a group of your EC2 instances. EXPLANATION:ECS stands for Elastic Container Service: It manages running containers on your EC2 instances. It does not act as a scheduler and it is neither serverless nor software that you manage.

Your application needs to access content located in an S3 bucket which is residing in a different AWS account, which of the following API calls should be used to gain access?

The STS AssumeRole API call returns a set of temporary security credentials which can be used to access AWS resources, incuding those in a different account

Send an email after push to CodeCommit?

Use Notifications, this will add CW Events rule to send a notification to SNS which will trigger an email to be sent

You are using CloudFormation to build a number of different application environments to host development, test, UAT, pre-production and production stacks. Your application is comprised of a web servers, load balancers, application servers and databases each web server, load balancer and database needs to be configured identically across all environments. How can you achieve this with CloudFormation?

Use a CloudFormation Nested Stack EXPLANATION:Nested stacks provide the ability to configure multiple elements within your environment while reducing duplication of code. As your infrastructure grows, common patterns can emerge in which you declare the same components in multiple templates. You can separate out these common components and create dedicated templates for them. Then use the resource in your template to reference other templates, creating nested stacks.

You are using CloudFormation to build a number of different application environments to host development, test, UAT, pre-production and production stacks. Your application is comprised of web servers, load balancers, application servers and databases each web server, load balancer and database needs to be configured identically across all environments. How can you achieve this with CloudFormation?

Use a CloudFormation Nested Stack EXPLANATION:Nested stacks provide the ability to configure multiple elements within your environment while reducing duplication of code. As your infrastructure grows, common patterns can emerge in which you declare the same components in multiple templates. You can separate out these common components and create dedicated templates for them. Then use the resource in your template to reference other templates, creating nested stacks.

You are developing a website which allows customers to purchase tickets to popular sporting events. Your application uses S3 for static web hosting, Lambda for business logic, stores transaction data in RDS and uses DynamoDB for product and stock information. After the customer has paid for their purchase, a message is sent to an SQS queue to trigger a confirmation email to be sent out to the customer including an e-ticket for their chosen event. You want to send out the email as soon as the payment has been processed, however during testing you discover that the confirmation emails are being processed a few seconds before the stock control database has finished updating. This sometimes results in selling the same ticket twice. How can you quickly fix this without re-engineering the application?

Use an SQS delay queue to let you postpone the delivery of SQS messages by a few seconds Delay queues let you postpone the delivery of new messages to a queue for a number of seconds. If you create a delay queue, any messages that you send to the queue remain invisible to consumers for the duration of the delay period. The default (minimum) delay for a queue is 0 seconds. The maximum is 15 minutes.

You have some sensitive data that you would like to encrypt. You want to be sure that once the data is encrypted, nobody but you will be able to use the encryption key to decrypt your files. Your head of security has asked you to make sure that the key used to encrypt your files is itself encrypted under another key. Which AWS technology enables this?

Use envelope encryption to encrypt the data key with another key When you encrypt your data, your data is protected, but you have to protect your encryption key. One strategy is to encrypt it. Envelope encryption is the practice of encrypting plaintext data with a data key, and then encrypting the data key under another key.

You have configured your CI/CD process using CodePipeline, however you want to introduce a manual sign-off and approval process which needs to be completed before a new version of your application is deployed to Production. How can you achieve this?

Use the CodePipeline Manual Approvals feature EXPLANATION:With CodePipeline, you can add an approval action to a stage in a pipeline at the point where you want the pipeline execution to stop so that someone with the required AWS Identity and Access Management permissions can approve or reject the action.

Your e-commerce application needs to use database connection strings to access a database containing product and customer data. Which of the following is a secure and scalable way to manage this?

Using secure string parameters in Parameter Store is an appropriate way to avoid hard coding a password in your template code. This ensures that sensitive runtime parameters are kept as secure as you keep other secrets, while also keeping them separate from your deployment code.

Your application stores files in an S3 bucket located in us-east-1, however many of your users are located in ap-south-1. The files are less than 50MB in size, however users are frequently experiencing delays when attempting to upload files. Which of the following options will maximize the upload speed?

Utilize S3 Transfer Acceleration. EXPLANATION:S3 Transfer Acceleration is recommended to increase upload speeds and especially useful in cases where your bucket resides in a Region other than the one in which the file transfer was originated. Multipart upload is a good option for large files, e.g. >100MB in size.

You are performing an audit of your IAM policies. Which of the following tools will enable you to identify which specific statement in a policy results in allowing or denying access to a particular resource or action?

With the IAM policy simulator, you can test and troubleshoot IAM and resource-based policies attached to IAM users, groups, or roles in your AWS account. You can test which actions are allowed or denied by the selected policies for specific resources.

You are using CodeBuild to create a Docker image and add the image to your Elastic Container Registry. Which of the following commands should you include in the buildspec.yml?

docker build -t $REPOSITORY_URI:latest . docker push $REPOSITORY_URI:latest EXPLANATION:Use the docker push command to add your image to your Elastic Container Registry

You are working on an application which runs inside a Docker container. All your images are stored in a repository named mydockerrepo AWS ECR. Which of the following commands could you use to pull the Docker image to your local workstation?

docker pull aws_account_id.dkr.ecr.us-west-2.amazonaws.com/mydockerrepo:latest If you would like to run a Docker image that is available in Amazon ECR, you can pull it to your local environment with the docker pull command.

You have software on an EC2 instance that needs to access both the private and public IP address of that instance. What's the best way for the software to get that information?

have the software use cURL or GET to access the instance metadata. To view all categories of instance metadata from within a running instance, use the following URI: http://169.254.169.254/latest/meta-data/

Where should the appspec.yml be stored?

in the root of your application source directory EXPLANATION:The AppSpec file (appspec.yml) must always be in the root or your application source directory otherwise the deployment will not work. The .ebextensions folder is used to set custom environment variables in Elastic Beanstalk, not CodeDeploy.

You are testing a new Serverless application which uses Lambda, S3, DynamoDB and API Gateway. You are suddenly seeing a large number of 4XX HTTP response codes coming from API Gateway. What could be the problem and what should you do about this?

this is a client error, you should fix the issue in your application and retry the request EXPLANATION:Client errors: Client errors are indicated by a 4xx HTTP response code. Client errors indicate that Amazon API Gateway found a problem with the client request, such as an authentication failure or missing required parameters. Fix the issue in the client application before submitting the request again. Server errors: Server errors are indicated by a 5xx HTTP response code, and need to be resolved by Amazon. You can resubmit/retry the request until it succeeds.