BPE4 Notes
Amazon RDS provides metrics in real time for the operating system (OS) that your DB instance runs on. By default, Enhanced Monitoring metrics are stored in the CloudWatch Logs for ____________. To modify the amount of time the metrics are stored in the CloudWatch Logs, change the ____________
30 days retention for the RDSOSMetrics log group in the CloudWatch console.
AWS WAF is a web application firewall that lets you monitor the HTTP and HTTPS requests that are forwarded to an ______________
Amazon API Gateway API, Amazon CloudFront or an Application Load Balancer.
With RDS Enhanced Monitoring and CloudWatch, which has more detailed metrics about database processes?
RDS Enhanced Monitoring since it collects data from the agent, not the hypervisor
This API has a single parameter, TraceSegmentDocuments, which takes a list of JSON segment documents.
PutTraceSegments
Take note that you can invoke a Lambda function synchronously either by calling the Invoke operation or by using an AWS SDK in your preferred runtime. If you anticipate a long-running Lambda function, your client may time out before function execution completes. To avoid this, update the ______________
client timeout or your SDK configuration.
With the AWS CloudFormation Python helper scripts, this is only a wrapper script that retrieves either all metadata that is defined for a resource or a path to a specific key or a subtree of the resource metadata; it does not interpret the resource metadata, install packages, create files, or start services.
cfn-get-metadata
AWS CloudFormation Python helper script cfn-get-metadata:
cfn-get-metadata: Use to retrieve metadata for a resource or path to a specific key.
With the AWS CloudFormation Python helper scripts, this is a daemon that checks for updates to metadata and executes custom hooks when changes are detected.
cfn-hup
AWS CloudFormation Python helper script cfn-hup:
cfn-hup: Use to check for updates to metadata and execute custom hooks when changes are detected.
With the AWS CloudFormation Python helper scripts, this script interprets the metadata that contains the sources, packages, files, and services. You run the script on the EC2 instance when it is launched. The script is installed by default on Amazon Linux and Windows AMIs.
cfn-init
AWS CloudFormation Python helper script cfn-init:
cfn-init: Use to retrieve and interpret resource metadata, install packages, create files, and start services.
AWS CloudFormation provides the following Python helper scripts that you can use to install software and start services on an Amazon EC2 instance that you create as part of your stack:
- cfn-init: Use to retrieve and interpret resource metadata, install packages, create files, and start services.
- cfn-signal: Use to signal with a CreationPolicy or WaitCondition, so you can synchronize other resources in the stack when the prerequisite resource or application is ready.
- cfn-get-metadata: Use to retrieve metadata for a resource or path to a specific key.
- cfn-hup: Use to check for updates to metadata and execute custom hooks when changes are detected.
With the AWS CloudFormation Python helper scripts, this script is a wrapper that signals an AWS CloudFormation WaitCondition for synchronizing other resources in the stack when the application is ready.
cfn-signal
AWS CloudFormation Python helper script cfn-signal:
cfn-signal: Use to signal with a CreationPolicy or WaitCondition, so you can synchronize other resources in the stack when the prerequisite resource or application is ready.
AWS Lambda will keep the unreserved concurrency pool at a minimum of 100 concurrent executions, so that functions that _________ set can still process requests. So, in practice, if your total account limit is 1000, you are limited to allocating 900 to individual functions.
do not have specific limits
For Lambda functions, use Amazon Virtual Private Cloud (Amazon VPC) to create a private network for resources such as _______________. Connect your function to the VPC to access private resources during execution.
databases, cache instances, or internal services
With optimistic locking, each item has an attribute that acts as a version number. If this happens, you simply try again by retrieving the item and then attempting to update it.
version mismatch
With DynamoDB optimistic locking, each item has an attribute that acts as a ____________. If you retrieve an item from a table, the application records the _______________ of that item.
version number
With X-Ray, your application can record data about the work that it does itself in segments, or _______________ in subsegments.
work that uses downstream services and resources
With X-Ray, to deploy your instrumented app to AWS, create an IAM role with _______________ permissions and assign it to the resources running your application.
write
All of the APIs created with Amazon API Gateway expose HTTPS endpoints only. When configuring your APIs to run under a custom domain name, you can provide __________
your own certificate for the domain.
AWSXRayElasticBeanstalkWriteAccess is __________ a managed policy.
not
The data provided by CloudWatch is ____________ as compared with the Enhanced Monitoring feature in RDS.
not as detailed
The CPU% and MEM% metrics are ___________ in the Amazon RDS console.
not readily available
With SWF, timers enable you to ______________ when a certain amount of time has elapsed.
notify your decider
Although ECS can host Docker applications, it doesn't automatically handle all the details such as ______________, unlike Elastic Beanstalk.
resource provisioning, balancing load, auto-scaling, monitoring, and placing your containers across your cluster
A local secondary index lets you query over a ________
single partition, as specified by the partition key value in the query.
A developer is managing an application hosted in EC2, which stores data in an S3 bucket. To comply with the new security policy, the developer must ensure that the data is encrypted at rest using an encryption key that is provided and managed by the company. The change should also provide AES-256 encryption to their data. Is the following correct? Using SSL to encrypt the data while in transit to Amazon S3
The requirement is to secure only the data at rest, not data in transit. Hence, you have to use server-side encryption instead.
With X-Ray, the compute resources running your application logic send data about their work as segments. A segment provides ___________
the resource's name, details about the request, and details about the work done.
With the AWS CloudFormation Python helper scripts, by default ________. You must include calls in your template to _____________
the scripts are not executed, execute specific helper scripts.
With optimistic locking, each item has an attribute that acts as a version number. You can update the item, but only if ___________
the version number on the server side has not changed.
The metrics reported by API Gateway provide information that you can analyze in different ways. The list below shows some common uses for the metrics. These are suggestions to get you started, not a comprehensive list.
- Monitor the IntegrationLatency metrics to measure the responsiveness of the backend.
- Monitor the Latency metrics to measure the overall responsiveness of your API calls.
- Monitor the CacheHitCount and CacheMissCount metrics to optimize cache capacities to achieve a desired performance.
Amazon RDS supports TDE for the following SQL Server versions and editions:
- SQL Server 2017 Enterprise Edition
- SQL Server 2016 Enterprise Edition
- SQL Server 2014 Enterprise Edition
- SQL Server 2012 Enterprise Edition
- SQL Server 2008 R2 Enterprise Edition
Best practices in working with AWS Lambda functions:
- Separate the Lambda handler (entry point) from your core logic.
- Take advantage of Execution Context reuse to improve the performance of your function.
- Use AWS Lambda Environment Variables to pass operational parameters to your function.
- Control the dependencies in your function's deployment package.
- Minimize your deployment package size to its runtime necessities.
- Reduce the time it takes Lambda to unpack deployment packages.
- Minimize the complexity of your dependencies.
- Avoid using recursive code.
The default Lambda function timeout is ____________ and the maximum execution duration per request in AWS Lambda is 900 seconds, which is equivalent to 15 minutes.
3 seconds
With CloudWatch, the following describes basic and detailed monitoring for instances. Basic - Data is available automatically in __________ periods at no charge. Detailed - Data is available in ___________ periods for an additional cost.
5-minute, 1-minute
Take note that Lambda has a deployment package size limit of __________ for direct upload (zipped file) and 250 MB for layers (unzipped).
50 MB
For Lambda functions, each execution context provides _________ of additional disk space in the /tmp directory.
512 MB
A segment document can be up to __________ and contain a whole segment with _____________
64 kB, subsegments, a fragment of a segment that indicates that a request is in progress, or a single subsegment that is sent separately.
This is primarily used to automate the application release process of both your frontend and backend allowing you to deliver features faster, and not for synchronizing application data across devices.
AWS Amplify
This service makes it easy to create, configure, and implement scalable mobile and web apps powered by AWS.
AWS Amplify
This just simplifies your AWS WAF and AWS Shield Advanced administration and maintenance tasks across multiple accounts and resources.
AWS Firewall Manager
Amazon ECS enables you to inject sensitive data into your containers by storing your sensitive data in either _______________ and then referencing them in your container definition.
AWS Secrets Manager secrets or AWS Systems Manager Parameter Store parameters
This feature is supported by tasks using both the EC2 and Fargate launch types. Amazon ECS lets you inject sensitive data into your containers by storing your sensitive data in _____________
AWS Secrets Manager secrets or AWS Systems Manager Parameter Store parameters
When authenticating to AWS services with IAM, a custom identity broker application obtains temporary security credentials for the employees. An AssumeRole or GetFederationToken call returns temporary security credentials consisting of an __________
AWS access key ID, a secret access key, and a session token.
This simple role helps provide Lambda permissions to upload logs to CloudWatch.
AWSLambdaBasicExecutionRole
With DynamoDB Streams, you can trigger a Lambda function to perform additional work each time a DynamoDB table is updated. The ___________________ managed policy already includes the DynamoDB write permissions for Lambda.
AWSLambdaDynamoDBExecutionRole
With the X-Ray daemon, to upload data to X-Ray, the X-Ray daemon requires IAM permissions in the __________________ managed policy. These permissions are included in the Elastic Beanstalk instance profile.
AWSXRayDaemonWriteAccess
With X-Ray and an instrumented app, the read and write policies do not include permission to configure encryption key settings and sampling rules. Use ____________ to access these settings, or add configuration APIs in a custom policy. For encryption and decryption with a customer-managed key that you create, you also need ___________ to use the key.
AWSXrayFullAccess, permission
To use the X-Ray console to view service maps and segments, you only need read permissions. To enable console access, add the _________________ managed policy to your IAM user.
AWSXrayReadOnlyAccess
At the simplest level, AWS WAF lets you choose one of the following behaviors:
- Allow all requests except the ones that you specify - This is useful when you want CloudFront or an Application Load Balancer to serve content for a public website, but you also want to block requests from attackers.
- Block all requests except the ones that you specify - This is useful when you want to serve content for a restricted website whose users are readily identifiable by properties in web requests, such as the IP addresses that they use to browse to the website.
- Count the requests that match the properties that you specify - When you want to allow or block requests based on new properties in web requests, you first can configure AWS WAF to count the requests that match those properties without allowing or blocking those requests. This lets you confirm that you didn't accidentally configure AWS WAF to block all the traffic to your website. When you're confident that you specified the correct properties, you can change the behavior to allow or block requests.
If you need server-side encryption for all of the objects that are stored in a bucket, use a bucket policy. The Effect element is required and specifies whether the statement results in an allow or an explicit deny. The valid values for the Effect element are __________
Allow and Deny.
Although this service can also be used in synchronizing application data across devices, it does not allow multiple users to synchronize and collaborate in real time on shared data, unlike AWS AppSync.
Amazon Cognito Sync
This is just a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts and workloads.
Amazon GuardDuty
This service allows you to engage with your customers across multiple messaging channels.
Amazon Pinpoint
This service is primarily used to send push notifications, emails, SMS text messages, and voice messages for engaging customers across multiple messaging channels.
Amazon Pinpoint
This service is suitable for querying your Redshift clusters.
Amazon Redshift Spectrum
This service can handle far more complex ad-hoc queries on data in Amazon S3, but entails an increase in operating cost as compared to S3 Select.
Athena
With ECS, spread is typically used to achieve high availability by making sure that multiple copies of a task are scheduled across multiple instances based on attributes such as _________.
Availability Zones
With X-Ray, this API simply retrieves a list of traces specified by ID. It does not support filter expressions, nor does it return the annotations.
BatchGetTraces
This WAF feature is useful when you want to serve content for a restricted website whose users are readily identifiable by properties in web requests, such as the IP addresses that they use to browse to the website.
Block all requests except the ones that you specify
Amazon S3 Select works on objects stored in _____________. It also works with objects that are compressed with ____________, and server-side encrypted objects. You can specify the format of the results as either CSV or JSON, and you can determine how the records in the result are delimited.
CSV, JSON, or Apache Parquet format; GZIP or BZIP2 (for CSV and JSON objects only)
You can call the AWS CloudFormation Python helper scripts directly from your ________________
CloudFormation template.
This AWS::Serverless::Function parameter accepts the S3 URL of your code and not the actual code itself.
CodeUri
When you want to allow or block requests based on new properties in web requests, you first can configure AWS WAF to count the requests that match those properties without allowing or blocking those requests. This WAF feature lets you confirm that you didn't accidentally configure AWS WAF to block all the traffic to your website. When you're confident that you specified the correct properties, you can change the behavior to allow or block requests.
Count the requests that match the properties that you specify
It is possible to use an AWS Lambda function from an AWS account that is different from the one in which you created your Lambda authorizer function by using a __________
Cross-Account Lambda Authorizer.
Including the xray-daemon.config configuration file in the AMI is only applicable for
Elastic Beanstalk
With X-Ray, you can search for segments associated with specific information in the X-Ray console or by using the __________________ API.
GetTraceSummaries
Queries on this index support eventual consistency only.
Global Secondary
Queries or scans on this index consume capacity units from the index, not from the base table.
Global Secondary
Optimistic locking is a strategy to ensure that the client-side item that you are updating (or deleting) is the same as the item in DynamoDB.
- DynamoDB global tables use a "last writer wins" reconciliation between concurrent updates. If you use _____________, last writer policy wins.
- DynamoDBMapper ______________ do not support optimistic locking.
Global Tables, transactional operations
AppSync is a managed service that uses _____________ to make it easy for applications to get exactly the data they need.
GraphQL
All of the APIs created with Amazon API Gateway expose _______ endpoints only.
HTTPS
With X-Ray, running the GetTraceSummaries operation retrieves ______________ for traces available for a specified time frame using an optional filter.
IDs and annotations
There is no direct way to fetch the public and private ___________ of the EC2 instance using CloudWatch.
IP addresses
CloudTrail is primarily used to track the API activity of each AWS service. Just like CloudWatch, there is no easy way to get the associated _________ instance using CloudTrail.
IP addresses of the EC2
AWS WAF also lets you control access to your content. Based on conditions that you specify, such as the _________________, API Gateway, CloudFront, or an Application Load Balancer responds to requests either with the requested content or with an ____________
IP addresses that requests originate from or the values of query strings, HTTP 403 status code (Forbidden).
You can send trace data to X-Ray in the form of segment documents. A segment document is a _________ formatted string that contains information about the work that your application does in service of a request.
JSON
Queries or scans on this index consume read capacity units from the base table
Local Secondary
When you query this index, you can choose either eventual consistency or strong consistency.
Local Secondary
With this index, for each partition key value, the total size of all indexed items must be 10 GB or less.
Local Secondary
This option is primarily used if you want to integrate RDS with your AWS Directory Service for Microsoft Active Directory (also called AWS Managed Microsoft AD) to enable Windows Authentication to authenticate users.
Microsoft SQL Server Windows Authentication
Amazon RDS supports using Transparent Data Encryption (TDE) to encrypt stored data on your DB instances running ___________
Microsoft SQL Server.
This is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets.
Network Access Control List
A developer is using AWS X-Ray to create a visualization scheme to monitor the requests that go through their enterprise web application. There are different services that communicate with the application and all these requests should be traced in X-Ray, including all the downstream calls made by the application to AWS resources. Is this correct? Pass multiple trace segments as a parameter of PutTraceSegments API
No. Contrary to the API's name, you have to upload segment documents, not trace segments. The API has a single parameter, TraceSegmentDocuments, which takes a list of JSON segment documents.
A developer is launching a Lambda function which requires access to a MySQL RDS instance that is in a private subnet. Which of the following is the MOST secure way to achieve this? Is this statement correct? Ensuring that the Lambda function has proper IAM permission to access RDS
No. Even though you grant the necessary IAM permissions to the Lambda function to access RDS, the function would still not be able to connect to RDS, since there is no established connection between Lambda and the private subnet of your VPC.
A developer is launching a Lambda function which requires access to a MySQL RDS instance that is in a private subnet. Which of the following is the MOST secure way to achieve this? Is this statement correct? Exposing an endpoint of your RDS to the Internet using an Elastic IP
No. This is not the most secure way of granting access to your Lambda function. It will be able to connect to RDS, but so will the billions of people on the public Internet.
A developer is using AWS X-Ray to create a visualization scheme to monitor the requests that go through their enterprise web application. There are different services that communicate with the application and all these requests should be traced in X-Ray, including all the downstream calls made by the application to AWS resources. Is this correct? Use AWS X-Ray SDK to upload a trace segment by executing PutTraceSegments API
No. You cannot run a trace on the application and the services at the same time, as this will produce two different results. You simply have to send the segment documents with subsegments to get the information about downstream calls that your application makes to AWS resources.
If you use this locking strategy, then your database writes are protected from being overwritten by the writes of others — and vice-versa.
Optimistic locking
When authenticating to AWS services with IAM, if your identity store is not compatible with _________, then you can build a custom identity broker application to perform a similar function.
SAML 2.0
You can protect data in transit by using __________
SSL or by using client-side encryption.
Compared to Step Functions, this is just a fully-managed state tracker and task coordinator service. It does not provide serverless orchestration to multiple AWS resources.
SWF
This service just helps developers build, run, and scale background jobs that have parallel or sequential steps.
SWF
With SWF, this enables you to inject information into a running workflow execution.
SWF Signals
With SWF, this enables you to filter the listing of the executions when you use the visibility operation.
SWF Tags
This lets you coordinate multiple AWS services into serverless workflows so you can build and update apps quickly.
Step Functions
When authenticating to AWS services with IAM, a custom identity broker application does the following:
The broker application authenticates users, requests temporary credentials for users from AWS, and then provides them to the user to access AWS resources.
Using roles to grant permissions to applications that run on EC2 instances requires an additional step to assign an AWS role and its associated permissions to an EC2 instance and make them available to its applications.
This extra step is the creation of an instance profile that is attached to the instance. The instance profile contains the role and can provide the role's temporary credentials to an application that runs on the instance.
You have the following options for protecting data at rest in Amazon S3:
Use Server-Side Encryption - You request Amazon S3 to encrypt your object before saving it on disks in its data centers and decrypt it when you download the objects.
1. Use Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3)
2. Use Server-Side Encryption with AWS KMS-Managed Keys (SSE-KMS)
3. Use Server-Side Encryption with Customer-Provided Keys (SSE-C)
Use Client-Side Encryption - You can encrypt data client-side and upload the encrypted data to Amazon S3. In this case, you manage the encryption process, the encryption keys, and related tools.
1. Use Client-Side Encryption with AWS KMS-Managed Customer Master Key (CMK)
2. Use Client-Side Encryption Using a Client-Side Master Key
To enable your Lambda function to access resources inside your private VPC, AWS Lambda uses ________ to set up elastic network interfaces (ENIs) that enable your function to connect securely to other resources within your private VPC.
VPC subnet IDs and security group IDs
To enable your Lambda function to access resources inside your private VPC, you must provide additional ____________ configuration information that includes ______________.
VPC-specific, VPC subnet IDs and security group IDs
This WAF feature is useful when you want CloudFront or an Application Load Balancer to serve content for a public website, but you also want to block requests from attackers.
Whitelisting requests: Allow all requests except the ones that you specify
A developer is managing an application hosted in EC2, which stores data in an S3 bucket. To comply with the new security policy, the developer must ensure that the data is encrypted at rest using an encryption key that is provided and managed by the company. The change should also provide AES-256 encryption to their data. Is the following correct? Encrypt the data on the client-side before sending to Amazon S3 using their own master key.
Yes
A developer is managing an application hosted in EC2, which stores data in an S3 bucket. To comply with the new security policy, the developer must ensure that the data is encrypted at rest using an encryption key that is provided and managed by the company. The change should also provide AES-256 encryption to their data. Is the following correct? Implement Amazon S3 server-side encryption with customer-provided keys (SSE-C)
Yes
A developer is using AWS X-Ray to create a visualization scheme to monitor the requests that go through their enterprise web application. There are different services that communicate with the application and all these requests should be traced in X-Ray, including all the downstream calls made by the application to AWS resources. Is this correct? Use X-Ray SDK to generate segment documents with subsegments and sending them to the X-Ray daemon, which will buffer them and upload to the X-Ray API in batches
Yes
Your request to increase your account's concurrent execution limit to 2000 has been recently approved by AWS. There are 10 Lambda functions running in your account and you already specified a concurrency execution limit on one function at 400 and on another function at 200. Is this statement correct? The remaining 1400 concurrent executions will be shared among the other 8 functions.
Yes
Your request to increase your account's concurrent execution limit to 2000 has been recently approved by AWS. There are 10 Lambda functions running in your account and you already specified a concurrency execution limit on one function at 400 and on another function at 200. Is this statement correct? You can still set a concurrency execution limit of 1300 to a third Lambda function.
Yes
You were recently hired by a media company that is planning to build a news portal using Elastic Beanstalk and a DynamoDB database, which already contains some data. There is already an existing DynamoDB table that has an ArticleName attribute as the partition key and a Category attribute as its sort key. You are instructed to develop a feature that will query the ArticleName attribute but will use a different sort key than the existing one. The feature also requires strong read consistency to fetch the most up-to-date data. Is the following correct? Create a new DynamoDB table with a Local Secondary Index that uses the ArticleName attribute with a different sort key, then migrate the data from the existing table to the new table.
Yes. If you need the same primary key, a different sort key, and the table has already been created, you can just create a new DynamoDB table.
You currently have an IAM user for working in the development environment using shell scripts that call the AWS CLI. The EC2 instance that you are using already contains the access key credential set and an IAM role, which are used to run the CLI and access the development environment. You were given a new set of access key credentials with another IAM role that allows you to access and manage the production environment. Is the following correct? Create a new profile for the role in the AWS CLI configuration file, then append the --profile parameter, along with the new profile name, whenever you run the CLI command.
Yes. Note that when you specify that profile in an AWS CLI command, you are using the new role. In this situation, you cannot make use of your original permissions in the development account at the same time. The reason is that only one set of permissions can be in effect at a time.
Your application is hosted on an Auto Scaling group of EC2 instances with a DynamoDB database. There were a lot of data discrepancy issues where the changes made by one user were always overwritten by another user. You noticed that this usually happens whenever there are a lot of people updating the same data. Is the following correct? Implementing an optimistic locking strategy in your application source code by designating one property to store the version number in the mapping class for your table
Yes. With optimistic locking, each item has an attribute that acts as a version number.
A developer is launching a Lambda function which requires access to a MySQL RDS instance that is in a private subnet. Which of the following is the MOST secure way to achieve this? Is this statement correct? Configure the Lambda function to connect to your VPC
Yes. Services like Amazon Elasticsearch Service can be secured over IAM with access policies, so exposing the endpoint publicly is safe and wouldn't require you to run your function in the VPC to secure it.
The AWS X-Ray SDK does not send trace data directly to AWS X-Ray. To avoid calling the service every time your application serves a request, the SDK sends the trace data to ________
a daemon, which collects segments for multiple requests and uploads them in batches.
AWS AppSync simplifies application development by letting you create _____________
a flexible API to securely access, manipulate, and combine data from one or more data sources.
With RDS Transparent data encryption for SQL Server provides encryption key management by using ____________
a two-tier key architecture.
For using X-Ray with local development and testing, generate _____________ for the user and store them in the standard AWS SDK location. You can use these _____________ with the X-Ray daemon, the AWS CLI, and the AWS SDK.
access keys
Your application is hosted on an Auto Scaling group of EC2 instances with a DynamoDB database. There were a lot of data discrepancy issues where the changes made by one user were always overwritten by another user. You noticed that this usually happens whenever there are a lot of people updating the same data. Is the following correct? Using DynamoDB global tables and implementing an optimistic locking strategy
Although it is correct to use the optimistic locking strategy, the use of DynamoDB global tables is wrong. Global tables use a "last writer wins" reconciliation between concurrent updates. If you use Global Tables, the last writer policy is in effect, so in this case the locking strategy will not work as expected.
With CloudWatch, for the instances where you've enabled detailed monitoring, you can also get __________
aggregated data across groups of similar instances.
A developer is managing an application hosted in EC2, which stores data in an S3 bucket. To comply with the new security policy, the developer must ensure that the data is encrypted at rest using an encryption key that is provided and managed by the company. The change should also provide AES-256 encryption to their data. Is the following correct? Implementing Amazon S3 server-side encryption with AWS KMS-Managed Keys (SSE-KMS)
Although you can upload the company's customer master keys (CMKs), the keys will be managed by KMS and not your company. This does not comply with the security policy mandated by the company.
Instead of sending segment documents to the X-Ray API, you can send segments and subsegments to _____________
an X-Ray daemon, which will buffer them and upload to the X-Ray API in batches.
With the ECS spread strategy, tasks are placed evenly based on the specified value. Accepted values are ___________
attribute key-value pairs, instanceId, or host.
If you need server-side encryption for all of the objects that are stored in a bucket, use a __________
bucket policy.
The primary key of a local secondary index must be ___________
composite (partition key and sort key).
Amazon RDS provides metrics in real time for the operating system (OS) that your DB instance runs on. You can view the metrics for your DB instance using the ____________
console, or consume the Enhanced Monitoring JSON output from CloudWatch Logs in a monitoring system of your choice.
With TDE, Amazon RDS backs up and manages the ______________ and the __________. To comply with several security standards, Amazon RDS is working to implement automatic periodic master key rotation.
database master key, TDE certificate
With RDS TDE, a certificate, which is generated from the _____________, is used to protect the data encryption keys. The ____________ performs the actual encryption and decryption of data on the user database.
database master key, database encryption key
With SWF, markers are useful when you want to record custom information to help implement ____________. For example, you could use a marker to count the number of loops in a recursive workflow.
decider logic
Amazon RDS Encryption encrypts your Amazon RDS DB instances and snapshots at rest. It __________ encrypt data before it is written to storage, nor automatically decrypt data when _____________
doesn't automatically, it is read from storage.
With DynamoDB Streams, you can trigger a Lambda function to perform additional work each time a DynamoDB table is updated. You also need to assign the following permissions to Lambda:
dynamodb:DescribeStream, dynamodb:ListStreams, dynamodb:GetRecords, dynamodb:GetShardIterator
When authenticating to use AWS services with IAM, a custom identity broker application obtains temporary security credentials for the employees. To get them, the identity broker application calls _______________, depending on how you want to manage the policies for users and when the temporary credentials should expire.
either AssumeRole or GetFederationToken
Amazon RDS TDE automatically ________________ to storage, and automatically ____________ from storage.
encrypts data before it is written, decrypts data when the data is read
With DynamoDB Streams, you can trigger a Lambda function to perform additional work each time a DynamoDB table is updated. You need to create an _________________________ to tell Lambda to send records from your stream to a Lambda function. You can create multiple ______________ to process the same data with multiple Lambda functions, or process items from multiple streams with a single function.
event source mapping, event source mappings
With SWF, you can use markers to record __________________ for application-specific purposes.
events in the workflow execution history
With API Gateway, calling a deployed API involves submitting requests to the URL for the API Gateway component service for API execution, known as ________
execute-api
AWS AppSync is quite similar to Amazon Cognito Sync, which is also a service for synchronizing application data across devices. It enables user data like app preferences or game state to be synchronized as well. However, the key difference is that AppSync also ______________
extends these capabilities by allowing multiple users to synchronize and collaborate in real time on shared data.
For Lambda functions, the directory content remains when the execution context is frozen, providing a transient cache that can be used for multiple invocations. You can add _____________ check if the cache has the data that you stored.
extra code to
Take note as well that you do not _______________ of your RDS database instance, unlike with your EC2 instances where you can install a ________________
have direct access to the instances/servers, CloudWatch agent or a custom script to get CPU and memory utilization of your instance.
With API Gateway, the base URL for REST APIs is in the following format:
https://{restapi_id}.execute-api.{region}.amazonaws.com/{stage_name}/ where {restapi_id} is the API identifier, {region} is the region, and {stage_name} is the stage name of the API deployment.
Take note that there are certain differences between CloudWatch and Enhanced Monitoring Metrics. CloudWatch gathers metrics about CPU utilization from the _____________, and Enhanced Monitoring gathers its metrics from ___________
hypervisor for a DB instance, an agent on the instance.
Take note that CloudWatch gathers metrics about CPU utilization from the ______________ for a DB instance while RDS Enhanced Monitoring gathers its metrics from ___________
hypervisor, an agent on the instance.
You can configure an approval action to publish a message to an Amazon Simple Notification Service topic when the pipeline stops at the action. When you create a topic, it is recommended that you give it a name that will ______________, in formats such as tutorialsdojoManualApprovalPHL-us-east-2-approval.
identify its purpose
You currently have an IAM user for working in the development environment using shell scripts that call the AWS CLI. The EC2 instance that you are using already contains the access key credential set and an IAM role, which are used to run the CLI and access the development environment. You were given a new set of access key credentials with another IAM role that allows you to access and manage the production environment. Is the following correct? Creating a new instance profile in the AWS CLI configuration file then appending the --profile parameter along with the new profile name whenever you run the CLI command
incorrect because an instance profile is just a container for an IAM role that you can use to pass role information to an EC2 instance when the instance starts. This is different from an AWS CLI profile, which you can use for switching to various profiles. In addition, an instance profile is associated with the instance and not configured in the AWS CLI.
You were recently hired by a media company that is planning to build a news portal using Elastic Beanstalk and a DynamoDB database, which already contains some data. There is already an existing DynamoDB table that has an ArticleName attribute which acts as the partition key and a Category attribute as its sort key. You are instructed to develop a feature that will query the ArticleName attribute but will use a different sort key other than the existing one. The feature also requires strong read consistency to fetch the most up-to-date data. Is the following correct? Creating a Global Secondary Index that uses the ArticleName attribute and a different sort key
incorrect because it is stated in the scenario that you are still using the same partition key but with an alternate sort key, which warrants the use of a local secondary index instead of a global secondary index.
Your request to increase your account's concurrent execution limit to 2000 has been recently approved by AWS. There are 10 Lambda functions running in your account and you have already specified a concurrency execution limit on one function at 400 and on another function at 200. Is this statement correct? The combined allocated 600 concurrent executions will be shared among the 2 functions
incorrect because the execution limit is per function only and will not be shared with other functions, which also have reserved concurrent executions.
To properly instrument your application hosted in an EC2 instance, you have to install the X-Ray daemon by using a user data script. This will install and run the daemon automatically when you launch the instance. To use the daemon on Amazon EC2, create a new ______________. This will grant the daemon permission to upload trace data to X-Ray.
instance profile role or add the managed policy to an existing one.
By default, Amazon API Gateway assigns an ___________ to the API that automatically uses the ___________ certificate.
internal domain, Amazon API Gateway
For mobile and web apps, AppSync additionally provides _____________ when devices go offline, and data _____________ when they are back online.
local data access, synchronization with customizable conflict resolution
Your instance metadata is available from your running instance, which is helpful when you're writing scripts to run from your instance. For example, you can access the _____________ of your instance from instance metadata to manage a connection to an external application.
local IP address
If you need server-side encryption for all of the objects that are stored in a bucket, use a bucket policy. Take note that the Sid (statement ID) is just an ________ identifier that you provide for the policy statement.
optional
A trace segment records information about the __________________, __________________, and subsegments with information about ______________
original request; information about the work that your application does locally; downstream calls that your application makes to AWS resources, HTTP APIs, and SQL databases.
Although you can use Amazon CloudWatch to monitor the CPU utilization of your database instance, it does not provide the _____________ by each database process in your RDS instance.
percentage of the CPU bandwidth and total memory consumed
The ......169.254/latest/userdata/ endpoint is mainly used to __________
perform common automated configuration tasks and run scripts after the instance starts. You will not find the associated IP addresses of the EC2 instance from its user data. You have to use the metadata service instead.
To view the ____________________ and all other categories of instance metadata from within a running instance, use the following URL: http://169.254.169.254/latest/meta-data/.
private IPv4 address, public IPv4 address
You are configuring the task definitions of your ECS Cluster in AWS to make sure that the tasks are scheduled on instances with enough resources to run them. By default, tasks are placed _____________
randomly with RunTask or spread across Availability Zones with CreateService.
For using X-Ray with local development and testing, create an IAM user with ______________ permissions
read and write
With AppSync, you can build scalable applications, including those requiring ___________, on a range of data sources such as ______________
real-time updates; NoSQL data stores, relational databases, HTTP APIs, and your custom data sources with AWS Lambda.
With load balancers, instance health is ___________
regularly checked by the ELB.
Because your instance metadata is available from your running instance, this can be helpful when you're writing scripts to ____________.
run from your instance
You can configure an approval action to publish a message to an Amazon Simple Notification Service topic when the pipeline stops at the action. You must use a topic created in the _________________
same AWS region as the pipeline that will include the approval action.
With X-Ray, you can _________________ by using the PutTraceSegments API.
send segment documents directly to X-Ray
If you set the concurrent execution limit for a function, the value is deducted from the unreserved concurrency pool. For example, if your account's concurrent execution limit is 1000 and you have 10 functions, you can specify a limit on one function at 200 and another function at 100. The remaining 700 will be __________
shared among the other 8 functions.
X-Ray annotations are ___________
simple key-value pairs that are indexed for use with filter expressions
Take note that there are certain differences between CloudWatch and Enhanced Monitoring Metrics. As a result, you might find differences between the measurements, because the hypervisor layer performs a small amount of work. The differences can be greater if your DB instances use ____________ because then _________________
smaller instance classes, there are likely more virtual machines (VMs) that are managed by the hypervisor layer on a single physical instance.
With optimistic locking, each item has an attribute that acts as a version number. If there is a version mismatch, it means that ___________________; the update attempt fails, because you have a ____________ version of the item.
someone else has modified the item before you did, stale
With task placement, by default ECS uses _____________
spread with the ecs.availability-zone attribute to place tasks.
The AWS CloudFormation python helper scripts run on the Amazon EC2 instance during the _______________
stack creation process.
With API Gateway, sending a request with the Cache-Control: no-cache header forces the cache to ___________
submit the request to the origin server for validation before releasing a cached copy.
With Amazon S3 Select, you can use simple structured query language (SQL) statements to filter the contents of Amazon S3 objects and retrieve just the _____________
subset of data that you need.
With X-Ray, a _________________ is indexed for use with filter expressions.
subset of segment fields
A developer is managing an application hosted in EC2, which stores data in an S3 bucket. To comply with the new security policy, the developer must ensure that the data is encrypted at rest using an encryption key that is provided and managed by the company. The change should also provide AES-256 encryption to their data. Is the following correct? Implementing Amazon S3 server-side encryption with Amazon S3-Managed Encryption Keys
the Amazon S3-Managed encryption does not comply with the policy mentioned in the given scenario since the keys are managed by AWS (through Amazon S3) and not by the company. The suitable server-side encryption that you should use here is SSE-C.
On supported platforms, you can use a configuration option to run the X-Ray daemon on the instances in your environment. You can enable the daemon in _______________ or by ______________.
the Elastic Beanstalk console, using a configuration file
To enable transparent data encryption for an RDS SQL Server DB instance, specify ______________
the TDE option in an RDS option group that is associated with that DB instance.
Amazon API Gateway does not support __________ endpoints.
unencrypted (HTTP)
Although you can use Amazon CloudWatch Logs and CloudWatch dashboards to monitor the CPU utilization of the database instance, using CloudWatch alone is still not enough _________
to get the specific percentage of the CPU bandwidth and total memory consumed by each database process.
With DynamoDB Streams, you can trigger a Lambda function to perform additional work each time a DynamoDB table is updated. To configure your function ________________, create a DynamoDB trigger.
to read from DynamoDB Streams in the Lambda console
Take note that there are certain differences between CloudWatch and Enhanced Monitoring Metrics. Enhanced Monitoring metrics are useful when you want ______________
to see how different processes or threads on a DB instance use the CPU.
Instance metadata is data about your EC2 instance that you can use to configure or manage the running instance. Because your instance metadata is available from your running instance, you do not need ________________
to use the Amazon EC2 console or the AWS CLI.
With load balancers, if an instance health check fails, the ELB will not send traffic to it. But once the configured health checks are passed again, ______________
traffic will automatically flow through it again.
With ECS, secrets can be exposed to a container in the following ways: to inject sensitive data into your containers as environment variables, ________________; to reference sensitive information in the log configuration of a container, ___________________
use the secrets container definition parameter; use the secretOptions container definition parameter.
Use X-Ray annotations to record data that you want to _____________________. X-Ray indexes up to 50 annotations per trace.
use to group traces in the console, or when calling the GetTraceSummaries API
Data protection refers to protecting data while in transit (as it travels to and from Amazon S3) and at rest (_______________).
while it is stored on disks in Amazon S3 data centers