Practice Test Part IIII (#6)
What is most likely happening when you have a lambda function that is processing a stream of data from kinesis data streams, but the function is generating duplicate records from the stream? You have confirmed that the stream output without the lambda does not have duplicate records
The lambda function is not properly handling an error that is occurring and the lambda service is attempting to reprocess the data -with an event source mapping from a stream (Kinesis Data Stream), Lambda retries the entire batch of items
An application uses Amazon EC2 instances, AWS Lambda functions and an Amazon SQS queue. The Developer must ensure all communications are within an Amazon VPC using private IP addresses. How can this be achieved?
Things you need to know: - SQS = public service; so you cannot create a queue within a VPC - Can't Create a VPC endpoint for lambda but you can connect it to a VPC So... - "Add the AWS Lambda function to the VPC - Create a VPC endpoint for Amazon SQS
What are your 2 options for creating a lambda deployment package?
You can upload the package directly to Lambda, or you can use an Amazon S3 bucket, and then upload it to Lambda. If the deployment package is larger than 50 MB, you must use Amazon S3.
Which type of load balancer can perform host based routing?
ALB This means you can route traffic coming in to forum.example.com and myaccount.example.com to different target groups
What happens when a lambda function with a layer is executed?
AWS downloads any specified layers and extracts them to the /opt directory on the function execution environment. Each runtime then looks for a language-specific folder under the /opt directory.
An application that is being migrated to AWS and refactored requires a storage service. The storage service should provide a standards-based REST web service interface and store objects based on keys. Which AWS service would be MOST suitable?
Amazon S3 - standards-based REST and SOAP interfaces designed to work with any internet-development toolkit Note: DynamoDb is incorrect here because it is a key/value database service that provides tables to store your data. The cost would be higher and there are additional design considerations that you would need to make
What is AWS inspector?
automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Amazon Inspector automatically assesses applications for exposure, vulnerabilities, and deviations from best practices.
What service is the BatchWriteItems API for?
Dynamodb NOT kinesis (You wanna just use the KPL for writing things efficiently to a kinesis stream)
A company has a website that is developed in PHP and WordPress and is launched using AWS Elastic Beanstalk. There is a new version of the website that needs to be deployed in the Elastic Beanstalk environment. The company cannot tolerate having the website offline if an update fails. Deployments must have minimal impact and rollback as soon as possible. What deployment method should be used?
Immutable Note: Don't use rolling because this will reduce the capacity of the application and it is more difficult to roll back as you must redeploy the old version to the instances
A company has sensitive data that must be encrypted. The data is made up of 1 GB objects and there is a total of 150 GB of data. What is the BEST approach for a Developer to encrypt the data using AWS KMS?
Make a GenerateDataKey API call that returns a plaintext key and an encrypted copy of a data key. Use the plaintext key to encrypt the data To encrypt for large quantities of data with KMS, you must use a data encryption key rather than a CMK (CMK can only encrypt up to 4KB in a single operation)
What are some AWS Kinesis Data Firehose destinations?
S3 Redshift ElasticSearch Service Splunk
What is the only type of RDS DB that does not support cross region read replicas?
SQL Server on Amazon RDS All other types support it (MariaDB, MySQL, Oracle, PostgreSQL)
If you have a frontend that will place messages in a SQS queue for the backend to process, and each job has a 1GB file, how can you make it work?
SQS only supports messages up to 256KB in size so you have to use something like the extended client library for Java Store the large files in Amazon S3 and use the SQS Extended Client Library for Java to manage SQS messages This is especially useful for storing and consuming messages up to 2 GB in size.
What is buildspec.yml used for?
A buildspec.yaml file is used by AWS CodeBuild to run a build.
What is an appSpec.yml file used for?
AppSpec is used for CodeDeploy in order to update your instances For ECS: The AppSpec file specifies the Amazon ECS task definition used for the deployment - can be appSpec.json for ECS
What is AWS Shield used for?
It is a service that is used to protect from distributed denial of service (DDoS) attacks
What does a presigned URL allow you to do?
A presigned URL gives you access to the object identified in the URL, provided that the creator of the presigned URL has permissions to access that object.
A Developer is creating an AWS Lambda function that will process medical images. The function is dependent on several libraries that are not available in the Lambda runtime environment. How should you create the lambda package?
Create a ZIP file with the source code and all dependent libraries If your function depends on libraries not included in the Lambda runtime, you can install them to a local directory and include them in your deployment package.
A Developer created an AWS Lambda function and then attempted to add an on failure destination but received the following error: The function's execution role does not have permissions to call SendMessage on arn:aws:sqs:us-east-1:515148212435:FailureDestination How can the Developer resolve this issue MOST securely?
Create a customer managed policy with all read/write permissions to SQS and attach the policy to the function's execution role Note: The AWSLambdaSQSQueueExecutionRole AWS managed policy cannot be used as this policy does not provide the SendMessage action.
A Developer is creating multiple AWS Lambda functions that will be using an external library that is not included in the standard Lambda libraries. What is the BEST way to make these libraries available to the functions?
Create a layer in Lambda that includes the external library Since there are multiple lambda functions, you would have to include the library in every package so that would not work... Creating one layer would allow for all functions to use it You can configure your Lambda function to pull in additional code and content in the form of layers.A layer is a ZIP archive that contains libraries, a custom runtime, or other dependencies. With layers, you can use libraries in your function without needing to include them in your deployment package.
A Developer is creating an application that uses Amazon EC2 instances and must be highly available and fault tolerant. How should the Developer configure the VPC?
Create a subnet in each AZ The EC2 instances should then be distributed between these subnets
What is the correct implementation of envelope encryption?
Encrypt plaintext data with a data key and then encrypt the data key with a top-level plaintext master key
When you need to configure the port mapping b/w the host port and container port when using ECS, where are those settings configured?
In the Task Definition!
A monitoring application that keeps track of a large eCommerce website uses Amazon Kinesis for data ingestion. During periods of peak data rates, the producers are not making best use of the available shards. What step will allow the producers to better utilize the available shards and increase write throughput to the Kinesis data stream?
Install the Kinesis Producer Library (KPL) for ingesting data into the stream there are enough shards available but the producers are either not discovering them or are not writing records at sufficient speed to best utilize the shards Using the KPL allows you to achieve high write throughput to a kinesis data stream
Can you associate a signed cookie with an S3 distribution?
NO! You can associate it with a CloudFront distribution. S3 distribution sin't a thing...
What is the max number of Internet Gateways that can exist within a VPC?
Only 1
A Developer is creating a social networking app for games that uses a single Amazon DynamoDB table. All users' saved game data is stored in the single table, but users should not be able to view each other's data. How can the Developer restrict user access so they can only view their own data?
Restrict access to specific items based on certain primary key values Note: Use an identity-based policy that restricts read access to the table to specific principals would not work because this would only restrict read access to the entire table, not to specific items in the table
What is a dockerrun.aws.json file used for?
Specifically for an Elastic Beanstalk Application A Dockerrun.aws.json file describes how to deploy a remote Docker image as an Elastic Beanstalk application.
When using AWS Step functions to coordinate multiple lambda function execution, what else do you need to setup to proceed?
Step Functions is based on the concepts of tasks and state machines You need to define state machines using the JSON based Amazon States Language in order for the lambda functions to be coordinated Note: The StartExecution API action only executes a state machine. First, you need to actually set a state machine up
When using S3 and CloudFront, what are the two things that you can do in order to provide premium customers with access to updates faster in your S3 bucket?
There are two steps that are needed in order for you to restrict access to content within S3 buckets: - create CloudFront signed URLs or signed cookies to limit access to files (and give the URL to premium users) -create a special CloudFront user called an origin access identity (OAI) and associate it with your distribution. Then you configure permissions so that CloudFront can use the OAI to access and serve files to your users, but users can't use a direct URL to the S3 bucket to access a file there.
A website delivers images stored in an Amazon S3 bucket. The site uses Amazon Cognito-enabled and guest users without logins need to be able to view the images from the S3 bucket.. How can a Developer enable access for guest users to the AWS resources?
Use Cognito Identity Pools!!! (Supports both authenticated and Unauthenticated identities) Amazon Cognito identity pools provide temporary AWS credentials for users who are guests (unauthenticated) and for users who have been authenticated and received a token
What is the rule for using a GSI vs a LSI when it comes to dynamodb?
Use GSI when: BOTH the partition key and sort key must be different Use LSI when: only has a different sort key - ALSO, an LSI cannot be created after table creation
The manager of a development team is setting up a shared S3 bucket for team members. The manager would like to use a single policy to allow each user to have access to their objects in the S3 bucket. Which feature can be used to generalize the policy?
Use Policy Variables Note: Using a principle wouldn't work here because that would lock the policy to allowing a specific person(s)/account(s) to being used
How a can a Developer prevent duplicate data being stored in the data warehouse in a situation where you have a lambda function putting data in a SQS queue with ECS instances processing the data and being stored in Redshift?
Use a FIFO queue and configure the Lambda function to add a message deduplication token to the message body - Without a FIFO queue and a message deduplication ID duplicate messages will still enter the queue
What are step scaling and simple scaling policies? How are they different?
With step scaling and simple scaling, you choose scaling metrics and threshold values for the CloudWatch alarms that invoke the scaling process. You also define how your Auto Scaling group should be scaled when a threshold is in breach for a specified number of evaluation periods. The main issue with simple scaling is that after a scaling activity is started, the policy must wait for the scaling activity or health check replacement to complete and the cooldown period to end before responding to additional alarms In contrast, with step scaling the policy can continue to respond to additional alarms, even while a scaling activity or health check replacement is in progress. T
What does the --dimensions parameter do in cloudwatch? How is it different from the namespace parameter?
further clarifies what the metric is and what data it stores - 10 dimensions in one metric, and each dimension is defined by a name and value pair. a namespace is a container for CloudWatch metrics. For actual context on what a metric is, use a dimension