SPE2 Notes
Provisioned IOPS SSD (io1) volumes allow you to specify a consistent IOPS rate when you create the volume, and Amazon EBS delivers the provisioned performance 99.9 percent of the time. An io1 volume can range in size from ___________
4 GiB to 16 TiB.
While AWS KMS does support sending data up to _______ to be encrypted directly, envelope encryption can offer significant performance benefits.
4 KB
the direct 'Encrypt' API of KMS also has an upper limit of ___________ for the data payload.
4 KB
AWS Lambda environment variables can have a maximum size of __________
4 KB.
The aggregate size of the items in the DynamoDB transaction cannot exceed ____________.
4 MB
Visibility timeout is a period during which Amazon SQS prevents other consumers from receiving and processing a given message. The default visibility timeout for a message is _______. The minimum is ___________. The maximum is ______________.
30 seconds, 0 seconds, 12 hours
In terms of Maximum IOPS vs Volume Size for General Purpose SSD (gp2) volumes, If you have a Volume size of 1024 GiB or less, whats your max Baseline performance and Burst IOPS?
3000 IOPS
A Reserved Instance billing benefit can apply to a maximum of ______________ of instance usage per clock-hour.
3600 seconds (one hour)
After API Gateway processes the request, what kind of destinations can it reach?
AWS Lambda, EC2, Kinesis, DynamoDB, public endpoints, other AWS services Private Apps to Data Centers
With DynamoDB's transaction write API, you can group multiple ___________________ actions.
Put, Update, Delete, and ConditionCheck
DynamoDB optionally supports conditional writes for write operations (____________________).
PutItem, UpdateItem, DeleteItem
You can optionally include a ________________when you make a TransactWriteItems call to ensure that the request is idempotent.
client token
At least with Amazon SES, 4xx status codes indicate that there was a problem with the __________________.
client request
CodePipeline automates the build, test, and deploy phases of your release process every time there is a ______, based on the release model you define.
code change
AWS CodeDeploy rolls back deployments by redeploying a previously deployed revision of an application as a new deployment on the __________.
failed instances
The performance of gp2 volumes is tied to ____________, which determines the baseline performance level of the volume and how quickly it accumulates I/O credits
volume size
After a code review, a developer has been asked to make his publicly accessible S3 buckets private, and enable access to objects with a time-bound constraint. Does the statement below work? Share pre-signed URLs with resources that need access
yes All objects by default are private, with the object owner having permission to access the objects. However, the object owner can optionally share objects with others by creating a pre-signed URL, using their own security credentials, to grant time-limited permission to download the objects.
Intrinsic Functions in templates are used to assign values to properties that are ____________________. They usually start with Fn:: or !. Example: !Sub or Fn::Sub.
not available until runtime
The 'Immutable' deployment policy ensures that your new application version is always deployed to new instances, instead of updating existing instances. It also has the additional advantage of a ________________ in case the deployment fails.
quick and safe rollback
A bucket policy is a ____________ IAM policy. You add a bucket policy to a bucket to grant other AWS accounts or IAM users access permissions for the bucket and the objects in it.
resource-based
You can configure Application Auto Scaling to manage provisioned concurrency on a __________ or based on ____________.
schedule, utilization
An Amazon EBS volume is a durable, block-level storage device that you can attach to your instances. After you attach a volume to an instance, you can use it as you would use a physical hard drive. EBS volumes are flexible. For current-generation volumes attached to current-generation instance types, you can dynamically increase size, modify the provisioned IOPS capacity, and change volume type on live production volumes. You can attach an EBS volume to an EC2 instance in _____________ Availability Zone.
the same
!GetAtt - This function returns the value of an attribute from a resource in the template. The YAML syntax is like so:
!GetAtt logicalNameOfResource.attributeName
In terms of AWS step functions and tasks, A Fail state ("Type": "Fail") stops the execution of the state machine and marks it as a failure unless it is caught by a Catch block. Because Fail states always exit the state machine, they have no Next field and don't require an End field. What does it look like?
"FailState": { "Type": "Fail", "Cause": "Invalid response.", "Error": "ErrorA" }
Retries are ____________. In other words, when a client retries, it spends more of the server's time to get a higher chance of success. Where failures are rare or transient, that's not a problem. This is because the overall number of retried requests is small, and the tradeoff of increasing apparent availability works well. When failures are caused by overload, retries that increase load can make matters significantly worse. They can even delay recovery by keeping the load high long after the original issue is resolved.
"selfish"
In terms of AWS step functions and tasks, A Wait state ("Type": "Wait") delays the state machine from continuing for a specified time.
"wait_until" : { "Type": "Wait", "Timestamp": "2016-03-14T01:59:00Z", "Next": "NextState" }
With SQS, if you create a delay queue, any messages that you send to the queue remain invisible to consumers for the duration of the delay period. The default (minimum) delay for a queue is ________ The maximum is ___________
0 seconds, 15 minutes
General purpose SSD (gp2) volumes minimum IOPS is ______ at _____ GiB and below
100, 33.33
You can deploy Lambda function as container image with the maximum size of _____________.
10GB
There are no message limits for storing in SQS, but 'in-flight messages' do have limits. Make sure to delete messages after you have processed them. There can be a maximum of approximately ________________ inflight messages (received from a queue by a consumer, but not yet deleted from the queue).
120,000
You can authenticate to your DB instance using AWS Identity and Access Management (IAM) database authentication. An IAM authentication token is a unique string of characters that Amazon RDS generates on request. Each token has a lifetime of __________.
15 minutes
General purpose SSD (gp2) volumes maximum IOPS is ____________ at __________ GiB and above
16,000, 5,334
In terms of Maximum IOPS vs Volume Size for General Purpose SSD (gp2) volumes, If you have a Volume size of 5120 GiB or more, whats your max Baseline performance?
16000 IOPS
With Amazon EBS General Purpose SSD, the throughput limit is between 128 MiB/s and 250 MiB/s, depending on the volume size. Volumes smaller than or equal to _____________ GiB deliver a maximum throughput of 128 MiB/s. Volumes larger than 170 GiB but smaller than ______________ GiB deliver a maximum throughput of 250 MiB/s if burst credits are available.
170, 334
MySQL recommendations for IAM database authentication We recommend the following when using the MySQL DB engine: 1. Use IAM database authentication as a mechanism for temporary, personal access to databases. 2. Use IAM database authentication only for workloads that can be easily retried. 3. Use IAM database authentication when your application requires fewer than ____________ connections per second.
200 new IAM database authentication
With io1 EBS volume types, for a 200 GiB volume size, max IOPS possible is
200*50 = 10000 IOPS
TransactWriteItems is a synchronous and idempotent write operation that groups up to _____________ in a single all-or-nothing operation.
25 write actions
General purpose SSD (gp2) volumes deliver single-digit millisecond latencies and the ability to burst to _________ IOPS for extended periods of time.
3,000
Provisioned IOPS SSD (io1) volumes , a 100 GiB volume can be provisioned with up to ________ IOPS.
5,000
In configurations for io1 EBS volume types, the maximum ratio of provisioned IOPS to requested volume size (in GiB) is __________
50:1
Regional Reserved Instances vs Zonal Reserved Instances Ability to reserve capacity for each
A regional Reserved Instance does not reserve capacity. A zonal Reserved Instance reserves capacity in the specified Availability Zone.
AWS Security Token Service (AWS STS) is a web service that enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or for users that you authenticate (federated users). However, it is not supported by ________________.
API Gateway
you are tasked with creating several API Gateway powered APIs along with your team of developers. API stages are identified by the ______________________.
API ID and stage name
CloudFormation AWS parameters are
AWS AWS::EC2::KeyPair::KeyName - An Amazon EC2 key pair name AWS::EC2::SecurityGroup::Id - A security group ID AWS::EC2::Subnet::Id - A subnet ID AWS::EC2::VPC::Id - A VPC ID
CloudFormation collection parameters are
AWS Collections List<Number> - An array of integers or floats List<AWS::EC2::VPC::Id> - An array of VPC IDs List<AWS::EC2::SecurityGroup::Id> - An array of security group IDs List<AWS::EC2::Subnet::Id> - An array of subnet IDs
A development team has configured their Amazon EC2 instances for Auto Scaling. By default, basic monitoring is enabled when you create a launch template or when you use the ____________ to create a launch configuration.
AWS Management Console
You should consider _________________ when you need to coordinate service components in the development of highly scalable and auditable applications. You should consider using ___________________ when you need a reliable, highly scalable, hosted queue for sending, storing, and receiving messages between services.
AWS Step Functions, Amazon Simple Queue Service (Amazon SQS)
When you send HTTP requests to an AWS service - When you send HTTP requests to AWS, you sign the requests so that AWS can identify who sent them. You sign requests with your ___________, which consists of an access key ID and secret access key.
AWS access key
You configure your data producers to send data to Kinesis Data Firehose, and it automatically delivers the data to the destination that you specified. Amazon Elasticsearch Service (Amazon ES) with optionally backing up data to Amazon S3
Amazon ES is a supported destination type for Kinesis Firehose. Streaming data is delivered to your Amazon ES cluster, and can optionally be backed up to your S3 bucket concurrently.
Amazon SNS can be used to develop event-driven applications, but ________________ is recommended when you want to build an application that reacts to events from SaaS applications and/or AWS services. ___________________ is the only event-based service that integrates directly with third-party SaaS partners.
Amazon EventBridge
Amazon Athena is an interactive query service that makes it easy to analyze data in ___________ using standard SQL.
Amazon S3
A "Throttling - Maximum sending rate exceeded" error is retriable. This error is different than other errors returned by _____________. A request rejected with a "Throttling" error can be retried at a later time and is likely to succeed.
Amazon SES
Signing AWS API requests helps AWS identify an authentic user from a potential threat. Is the following an use-case where you need to sign the API requests? When you send anonymous requests to Amazon Simple Storage Service (Amazon S3)
Anonymous requests made to Amazon S3 resources need not be signed. Some API operations in AWS Security Token Service (AWS STS) are exempt from signing too.
When configuring ASG's provisioned concurrency, to increase provisioned concurrency automatically as needed, use the __________________ API to register a target and create a __________.
Application Auto Scaling, scaling policy
In an Elastic Beanstalk immutable update, a second ____________ is launched in your environment and the new version serves traffic alongside the old version until the new instances pass health checks. In case of deployment failure, the new instances are terminated, so the impact is minimal.
Auto Scaling group
When an API Gateway is triggered initially, where does it pass the data to?
Before the AWS services, it passes it to a cache and Cloudwatch
In the relation database terminology, a transaction results in a _____________. Each transaction is treated in a coherent and reliable way independent of other transactions.
COMMIT or a ROLLBACK
AWS WAF is a web application firewall that lets you monitor the HTTP and HTTPS requests that are forwarded to _________________
CloudFront
When using Cloudfront Signed Urls, if a user is accessing your content in a web browser, your application returns the signed URL to the browser. The browser immediately uses the signed URL to access the file in the ________________ cache without any intervention from the user.
CloudFront edge
When you use the root user to manage CloudFront key pairs, you can only have up to two active CloudFront key pairs per AWS account. Whereas, with ______________ you can associate a higher number of public keys with your CloudFront distribution, giving you more flexibility in how you use and manage the public keys.
CloudFront key groups,
What kind of users or clients interact with API Gateway first?
Connected Users and Streaming Dashboards, Web and Mobile apps, IoT Devices, Private Apps within VPC and On-Premises
With API Gateway, you can use the following mechanisms for performing other tasks related to access control:
Cross-origin resource sharing (CORS) lets you control how your REST API responds to cross-domain resource requests. Client-side SSL certificates can be used to verify that HTTP requests to your backend system are from API Gateway. AWS WAF can be used to protect your API Gateway API from common web exploits.
With SQS, your consumer application needs additional time to process messages. What should you use to postpone the delivery of new messages to a queue for several seconds?
Delay queues
You have created a continuous delivery service model with automated steps using AWS CodePipeline. Your pipeline uses your code, maintained in a CodeCommit repository, AWS CodeBuild, and AWS Elastic Beanstalk to automatically deploy your code every time there is a code change. However, the deployment part to Elastic Beanstalk is taking a very long time due to resolving dependencies on all of your 100 target EC2 instances. Does the following action improve the performance with limited code changes? "Bundle the dependencies in the source code during the last stage of CodeBuild"
Downloading dependencies is a critical phase in the build process. These dependent files can range in size from a few KBs to multiple MBs. Because most of the dependent files do not change frequently between builds, you can noticeably reduce your build time by caching dependencies. This will allow the code bundle to be deployed to Elastic Beanstalk to have both the dependencies and the code, hence speeding up the deployment time to Elastic Beanstalk
When using the AWS CLI --dry-run option, if you have the required permissions, the error response is _____________, otherwise, it is UnauthorizedOperation.
DryRunOperation
You configure your data producers to send data to Kinesis Data Firehose, and it automatically delivers the data to the destination that you specified. Amazon Redshift with Amazon S3 works by
For Amazon Redshift destinations, streaming data is delivered to your S3 bucket first. Kinesis Data Firehose then issues an Amazon Redshift COPY command to load data from your S3 bucket to your Amazon Redshift cluster. If data transformation is enabled, you can optionally back up source data to another Amazon S3 bucket.
You configure your data producers to send data to Kinesis Data Firehose, and it automatically delivers the data to the destination that you specified. Amazon Simple Storage Service (Amazon S3) as a direct Firehose destination
For Amazon S3 destinations, streaming data is delivered to your S3 bucket. If data transformation is enabled, you can optionally back up source data to another Amazon S3 bucket.
Regional Reserved Instances vs Zonal Reserved Instances Instance size flexibility for each
For Regional, the Reserved Instance discount applies to instance usage within the instance family, regardless of size. Only supported on Amazon Linux/Unix Reserved Instances with default tenancy. For Zonal, there is no instance size flexibility—the Reserved Instance discount applies to instance usage for the specified instance type and size only.
A company runs its flagship application on a fleet of Amazon EC2 instances. After misplacing a couple of private keys from the SSH key pairs, they have decided to re-use their SSH key pairs for the different instances across AWS Regions. What's the correct way of reusing SSH keys in your AWS Regions?
Generate a public SSH key (.pub) file from the private SSH key (.pem) file. Set the AWS Region you wish to import to. Import the public SSH key into the new Region.
in terms of gp2 volumes for EC2s, larger volumes have higher baseline performance levels and accumulate_______________ faster.
I/O credits
When you use the AWS account root user to manage CloudFront key pairs, you can't restrict what the root user can do or the conditions in which it can do them. You can't apply ________________ to the root user, which is one reason why AWS best practices recommend against using the root user.
IAM permissions policies
API Gateway supports multiple mechanisms for controlling and managing access to your API. Endpoint policies for interface VPC endpoints allow you to attach ___________
IAM resource policies to interface VPC endpoints to improve the security of your private APIs.
You can use AWS ______________ to restrict the actions that transactional operations can perform in Amazon DynamoDB. Permissions for Put, Update, Delete, and Get actions are governed by the permissions used for the underlying PutItem, UpdateItem, DeleteItem, and GetItem operations.
Identity and Access Management (IAM)
An Accounting firm extensively uses Amazon EBS volumes for persistent storage of application data of Amazon EC2 instances. The volumes are encrypted to protect the critical data of the clients. As part of managing the security credentials, the project manager has come across a policy snippet that looks like the following: { "Version": "2012-10-17", "Statement": [ { "Sid": "Allow for use of this Key", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:role/UserRole" }, "Action": [ "kms:GenerateDataKeyWithoutPlaintext", "kms:Decrypt" ], "Resource": "*" }, { "Sid": "Allow for EC2 Use", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:role/UserRole" }, "Action": [ "kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant" ], "Resource": "*", "Condition": { "StringEquals": { "kms:ViaService": "ec2.us-west-2.amazonaws.com" } } ] } In this case, the condition policy explicitly ensures that only __________________ can use the grants.
In this case, the condition policy explicitly ensures that only Amazon EC2 can use the grants. Amazon EC2 will use them to re-attach an encrypted EBS volume back to an instance if the volume gets detached due to a planned or unplanned outage. These events will be recorded within AWS CloudTrail when, and if, they do occur for your auditing.
Here's an overview of how you configure CloudFront for signed URLs and how CloudFront responds when a user uses a signed URL to request a file:
In your CloudFront distribution, specify one or more trusted key groups, which contain the public keys that CloudFront can use to verify the URL signature. You use the corresponding private keys to sign the URLs. Develop your application to determine whether a user should have access to your content and to create signed URLs for the files or parts of your application that you want to restrict access to. A user requests a file for which you want to require signed URLs. Your application verifies that the user is entitled to access the file: they've signed in, they've paid for access to the content, or they've met some other requirement for access. Your application creates and returns a signed URL to the user. The signed URL allows the user to download or stream the content.
if your program must wait for a dependent process to become active or available, should you use a DLQ?
No, don't use a dead-letter queue with standard queues when you want to be able to keep retrying the transmission of a message indefinitely.
Amazon Kinesis agent is a standalone Java software application that offers an easy way to collect and send data to _____________. By default, records are parsed from each file based on the newline ('\n') character.
Kinesis Data Firehose
Enhanced fan-out is an optional feature for _______________ consumers that provides logical 2 MB/sec throughput pipes between consumers and shards. This allows customers to scale the number of consumers reading from a data stream in parallel, while maintaining high performance.
Kinesis Data Streams
When using ECR with Lambda, Lambda currently supports only ___________-based container images.
Linux
Amazon EBS General Purpose SSD use cases are
Low-latency interactive apps Development and test environments
IAM database authentication is available primarily for
MySQL and PostgreSQL
is the following an optimal solution for providing communication between EC2 instances and DynamoDB without using the public internet? Create a NAT Gateway to provide the necessary communication channel between EC2 instances and DynamoDB
NAT Gateway is not useful here since the instance and DynamoDB are present in AWS network and do not need NAT Gateway for communicating with each other.
ElastiCache is ____________ a supported destination for Amazon Kinesis Data Firehose.
NOT
Developers are working on the API in the development environment, but they find the changes made to the APIs are not reflected when the API is called. Is this statement appropriate? Use Stage Variables for development state of API
No The developmental environment would only be provided a Stage variable, but does not reflect API changes. Stage variables are not connected to the scenario described in the current use case. Stage variables are name-value pairs that you can define as configuration attributes associated with a deployment stage of a REST API. They act like environment variables and can be used in your API setup and mapping templates.
You have created a continuous delivery service model with automated steps using AWS CodePipeline. Your pipeline uses your code, maintained in a CodeCommit repository, AWS CodeBuild, and AWS Elastic Beanstalk to automatically deploy your code every time there is a code change. However, the deployment part to Elastic Beanstalk is taking a very long time due to resolving dependencies on all of your 100 target EC2 instances. Does the following action improve the performance with limited code changes? "Bundle the dependencies in the source code in CodeCommit"
No This is not the best practice and could make the CodeCommit repository huge.
You're making a system with instructions in an Edit Decision List (EDL) for a video editing suite, where changing the order of edits changes the context of subsequent edits. Should you use a DLQ?
No, don't use a dead-letter queue with a FIFO queue if you don't want to break the exact order of messages or operations.
After a code review, a developer has been asked to make his publicly accessible S3 buckets private, and enable access to objects with a time-bound constraint. Does the statement below work? Use Bucket policy to block the unintended access
No A bucket policy is a resource-based AWS Identity and Access Management (IAM) policy. You add a bucket policy to a bucket to grant other AWS accounts or IAM users access permissions for the bucket and the objects in it. Bucket policy can be used to block off unintended access, but it's not possible to provide time-based access, as is the case in the current use case.
You can run multiple instances concurrently, but can only receive the benefit of the Reserved Instance discount for a total of 3600 seconds per clock-hour; instance usage that exceeds 3600 seconds in a clock-hour is billed at the ____________ rate.
On-Demand
RDS supports the most demanding database applications. You can choose between two SSD-backed storage options: one optimized for high-performance ___________________ (OLTP) applications, and the other for cost-effective general-purpose use.
Online Transaction Processing
In terms of AWS step functions and tasks, this state "No-op": { "Type": "Task", "Result": { "x-datum": 0.381018, "y-datum": 622.2269926397355 }, "ResultPath": "$.coords", "Next": "End" } if of type
Pass
Limitations for IAM database authentication When using IAM database authentication, the following limitations apply: The maximum number of connections per second for your DB instance might be limited depending on its DB instance class and your workload. Currently, IAM database authentication doesn't support all global condition context keys. Currently, IAM database authentication isn't supported for CNAMEs. For PostgreSQL, if the IAM role (rds_iam) is added to the master user, IAM authentication takes precedence over ____________ authentication so the master user has to log in as an IAM user.
Password
CloudFormation primitive parameters are
Primitives String - A literal string Number - An integer or float CommaDelimitedList - An array of literal strings that are separated by commas
CloudFormation currently supports the following parameter types:
Primitives String - A literal string Number - An integer or float CommaDelimitedList - An array of literal strings that are separated by commas AWS AWS::EC2::KeyPair::KeyName - An Amazon EC2 key pair name AWS::EC2::SecurityGroup::Id - A security group ID AWS::EC2::Subnet::Id - A subnet ID AWS::EC2::VPC::Id - A VPC ID AWS Collections List<AWS::EC2::VPC::Id> - An array of VPC IDs List<Number> - An array of integers or floats List<AWS::EC2::SecurityGroup::Id> - An array of security group IDs List<AWS::EC2::Subnet::Id> - An array of subnet IDs
AWS CodeBuild monitors functions on your behalf and reports metrics through Amazon CloudWatch. You can monitor your builds at two levels: ___________________
Project level, AWS account level.
The SSD-backed volumes provided by Amazon EBS fall into these categories: General Purpose SSD — Provides a balance of price and performance. We recommend these volumes for most workloads. _________________ SSD — Provides high performance for mission-critical, low-latency, or high-throughput workloads.
Provisioned IOPS
You can only encrypt up to 4 kilobytes (4096 bytes) of arbitrary data such as an ____________________ or other sensitive information
RSA key, a database password,
Regional Reserved Instances vs Zonal Reserved Instances Availability Zone flexibility for each
Regional - The Reserved Instance discount applies to instance usage in any Availability Zone in the specified Region Zonal Reserved - No Availability Zone flexibility—the Reserved Instance discount applies to instance usage in the specified Availability Zone only.
API Gateway supports multiple mechanisms for controlling and managing access to your API. You can use the following mechanisms for authentication and authorization:
Resource policies let you create resource-based policies to allow or deny access to your APIs and methods from specified source IP addresses or VPC endpoints. Standard AWS IAM roles and policies offer flexible and robust access controls that can be applied to an entire API or individual methods. IAM roles and policies can be used for controlling who can create and manage your APIs, as well as who can invoke them. IAM tags can be used together with IAM policies to control access. Endpoint policies for interface VPC endpoints allow you to attach IAM resource policies to interface VPC endpoints to improve the security of your private APIs. Lambda authorizers are Lambda functions that control access to REST API methods using bearer token authentication—as well as information described by headers, paths, query strings, stage variables, or context variables request parameters. Lambda authorizers are used to control who can invoke REST API methods. Amazon Cognito user pools let you create customizable authentication and authorization solutions for your REST APIs. Amazon Cognito user pools are used to control who can invoke REST API methods.
What does this yaml sample do MyEIP: Type: "AWS::EC2::EIP" Properties: InstanceId: !Ref MyEC2Instance
Returns the instanceid value of MyEC2Instance with !Ref
To deploy a container image to Lambda, the container image must implement the Lambda ___________ API. The AWS open-source runtime interface clients implement the API. You can add a runtime interface client to your preferred base image to make it compatible with Lambda.
Runtime
When using ECR with Lambda, you can test the containers locally using the Lambda ____________________.
Runtime Interface Emulator
Steps for connecting to an EBS-backed instance with a different key pair
Step 1: Create a new key pair Step 2: Get information about the original instance and its root volume Step 3: Stop the original instance Step 4: Launch a temporary instance Step 5: Detach the root volume from the original instance and attach it to the temporary instance Step 6: Add the new public key to authorized_keys on the original volume mounted to the temporary instance Step 7: Unmount and detach the original volume from the temporary instance, and reattach it to the original instance Step 8: Connect to the original instance using the new key pair Step 9: Clean up
You can specify that Amazon EC2 should do one of the following when it interrupts a Spot Instance:
Stop the Spot Instance Hibernate the Spot Instance Terminate the Spot Instance
You should use enhanced fan-out for KDS if you have, or expect to have, multiple consumers retrieving data from a stream in parallel, or if you have at least one consumer that requires the use of the ______________ API to provide sub-200ms data delivery speeds between producers and consumers.
SubscribeToShard
In terms of AWS step functions and tasks, Resource field is a required parameter for ___________.
Task state
appspec.yml files are only used by this AWS service
The application specification file (AppSpec file) is a YAML -formatted or JSON-formatted file used by CodeDeploy to manage a deployment.
You can create a flow log for a VPC, a subnet, or a network interface. If you create a flow log for a subnet or VPC, each network interface in that subnet or VPC is monitored. Flow log data for a monitored network interface is recorded as flow log records, which are log events consisting of fields that describe the traffic flow. To create a flow log, you specify:
The resource for which to create the flow log The type of traffic to capture (accepted traffic, rejected traffic, or all traffic) The destinations to which you want to publish the flow log data
A diagnostic lab stores its data on DynamoDB. The lab wants to backup a particular DynamoDB table data on Amazon S3, so it can download the S3 backup locally for some operational use. Is this statement feasible? Use AWS Data Pipeline to export your table to an S3 bucket in the account of your choice and download locally
This is the easiest method. This method is used when you want to make a one-time backup using the lowest amount of AWS resources possible. Data Pipeline uses Amazon EMR to create the backup, and the scripting is done for you. You don't have to learn Apache Hive or Apache Spark to accomplish this task.
You have created a continuous delivery service model with automated steps using AWS CodePipeline. Your pipeline uses your code, maintained in a CodeCommit repository, AWS CodeBuild, and AWS Elastic Beanstalk to automatically deploy your code every time there is a code change. However, the deployment part to Elastic Beanstalk is taking a very long time due to resolving dependencies on all of your 100 target EC2 instances. Does the following action improve the performance with limited code changes? "Store the dependencies in S3, to be used while deploying to Beanstalk"
This option acts as a distractor. S3 can be used as a storage location for your source code, logs, and other artifacts that are created when you use Elastic Beanstalk. Dependencies are used during the process of building code, not while deploying to Beanstalk.
A diagnostic lab stores its data on DynamoDB. The lab wants to backup a particular DynamoDB table data on Amazon S3, so it can download the S3 backup locally for some operational use. Is this feasible? Use the DynamoDB on-demand backup capability to write to Amazon S3 and download locally
This option is not feasible for the given use-case. DynamoDB has two built-in backup methods (On-demand, Point-in-time recovery) that write to Amazon S3, but you will not have access to the S3 buckets that are used for these backups.
An Accounting firm extensively uses Amazon EBS volumes for persistent storage of application data of Amazon EC2 instances. The volumes are encrypted to protect the critical data of the clients. As part of managing the security credentials, the project manager has come across a policy snippet that looks like the following: { "Version": "2012-10-17", "Statement": [ { "Sid": "Allow for use of this Key", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:role/UserRole" }, "Action": [ "kms:GenerateDataKeyWithoutPlaintext", "kms:Decrypt" ], "Resource": "*" }, { "Sid": "Allow for EC2 Use", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:role/UserRole" }, "Action": [ "kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant" ], "Resource": "*", "Condition": { "StringEquals": { "kms:ViaService": "ec2.us-west-2.amazonaws.com" } } ] }
To create and use an encrypted Amazon Elastic Block Store (EBS) volume, you need permissions to use Amazon EBS. The key policy associated with the CMK would need to include these. The above policy is an example of one such policy. In this CMK policy, the first statement provides a specified IAM principal the ability to generate a data key and decrypt that data key from the CMK when necessary. The second statement in this policy provides the specified IAM principal the ability to create, list, and revoke grants for Amazon EC2. Grants are used to delegate a subset of permissions to AWS services, or other principals, so that they can use your keys on your behalf.
With the transaction write API, you can group multiple Put, Update, Delete, and ConditionCheck actions. You can then submit the actions as a single ___________________ operation that either succeeds or fails as a unit.
TransactWriteItems
With Amazon DynamoDB transactions, you can group multiple actions together and submit them as a single all-or-nothing ______________ or ____________ operation.
TransactWriteItems, TransactGetItems
Serverless Application Model (SAM) Templates include several major sections. _______________ are the only required sections.
Transform and Resources
With API Gateway, you can use the following mechanisms for tracking and limiting the access that you have granted to authorized clients:
Usage plans let you provide API keys to your customers—and then track and limit usage of your API stages and methods for each API key.
A diagnostic lab stores its data on DynamoDB. The lab wants to backup a particular DynamoDB table data on Amazon S3, so it can download the S3 backup locally for some operational use. Is this statement feasible? Use AWS Glue to copy your table to Amazon S3 and download locally
Use AWS Glue to copy your table to Amazon S3. This is the best practice to use if you want automated, continuous backups that you can also use in another service, such as Amazon Athena.
A diagnostic lab stores its data on DynamoDB. The lab wants to backup a particular DynamoDB table data on Amazon S3, so it can download the S3 backup locally for some operational use. Is this statement feasible? Use Hive with Amazon EMR to export your data to an S3 bucket and download locally
Use Hive to export data to an S3 bucket. Or, use the open-source emr-dynamodb-connector to manage your own custom backup method in Spark or Hive. These methods are the best practice to use if you're an active Amazon EMR user and are comfortable with Hive or Spark. These methods offer more control than the Data Pipeline method.
Is the following an optimal solution for providing communication between EC2 instances and DynamoDB without using the public internet? Create an Internet Gateway to provide the necessary communication channel between EC2 instances and DynamoDB
Using an Internet Gateway would imply that the EC2 instances are connecting to DynamoDB using the public internet. Therefore, this option is incorrect.
An internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between your __________ and the internet.
VPC
Signing AWS API requests helps AWS identify an authentic user from a potential threat. As a developer associate, why is the following not would you identify as the use-case where you need to sign the API requests? When you use one of the AWS SDKs to make requests to AWS resources/services
When you use the AWS Command Line Interface (AWS CLI) or one of the AWS SDKs to make requests to AWS, these tools automatically sign the requests for you with the access key that you specify when you configure the tools. When you use these tools, you don't need to learn how to sign requests yourself.
Signing AWS API requests helps AWS identify an authentic user from a potential threat. As a developer associate, why is the following not would you identify as the use-case where you need to sign the API requests? When you use the AWS Command Line Interface (AWS CLI) to run commands on an AWS resource
When you use the AWS Command Line Interface (AWS CLI) or one of the AWS SDKs to make requests to AWS, these tools automatically sign the requests for you with the access key that you specify when you configure the tools. When you use these tools, you don't need to learn how to sign requests yourself.
Amazon EBS Provisioned IOPS SSD use cases are
Workloads that require sustained IOPS performance or more than 16,000 IOPS I/O-intensive database workloads Workloads that require: Sub-millisecond latency Sustained IOPS performance More than 64,000 IOPS or 1,000 MiB/s of throughput
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "xray:GetSamplingRules", "xray:GetSamplingTargets", "xray:GetSamplingStatisticSummaries", "xray:BatchGetTraces", "xray:GetServiceGraph", "xray:GetTraceGraph", "xray:GetTraceSummaries", "xray:GetGroups", "xray:GetGroup" ], "Resource": [ "*" ] } ] } this an example of
X-Ray Read-Only permissions via an IAM policy:
Is the following an optimal solution for providing communication between EC2 instances and DynamoDB without using the public internet? The firm can use a virtual private network (VPN) to route all DynamoDB network traffic through their own corporate network infrastructure
You can address the requested security concerns by using a virtual private network (VPN) to route all DynamoDB network traffic through your own corporate network infrastructure. However, this approach can introduce bandwidth and availability challenges and hence is not an optimal solution here.
Regional Reserved Instances vs Zonal Reserved Instances Queuing a purchase for each
You can queue purchases for regional Reserved Instances. You can't queue purchases for zonal Reserved Instances.
When you purchase a Reserved Instance for a specific Availability Zone, it's referred to as a _______________ Instance. ____________ Instances provide capacity reservations as well as discounts.
Zonal Reserved
Amazon SQS doesn't automatically delete the message. Immediately after a message is received, it remains in the queue. Amazon SQS sets a visibility timeout which is a
a period of time during which Amazon SQS prevents other consumers from receiving and processing the message.
Whereas CodeDeploy is a deployment service, CodePipeline is a ___________ service.
continuous delivery
Bucket policy can be used to block off unintended access, but it's not possible to provide time-based ___________
access
Using the AWS CLI --dry-run option checks whether you have the required permissions for the ___________, without actually making the request, and provides an error response.
action
UpdateItem action of DynamoDB APIs, edits an existing item's attributes or _______________. You can put, delete, or add attribute values. You can also perform a conditional update on an existing item (insert a new attribute name-value pair if it doesn't exist, or replace an existing name-value pair if it has certain expected attribute values).
adds a new item to the table if it does not already exist
A Scan operation in Amazon DynamoDB reads every item in a table or a secondary index. By default, a Scan operation returns ______________ for every item in the table or index.
all of the data attributes
DynamoDB Transaction actions are completed atomically so that either _____________________________.
all of them succeed or none of them succeeds
You might use this DynamoDB feature to track the number of visitors to a website.
an atomic counter
With API Gateway After creating your API, you must deploy it to make it callable by your users. To deploy an API, you create an API deployment and ___________________.
associate it with a stage
You can authenticate to your DB instance using AWS Identity and Access Management (IAM) database authentication. With this authentication method, you don't need to use a password when you connect to a DB instance. Instead, you use an _____________.
authentication token
With DynamoDB, A TransactWriteItems operation differs from a BatchWriteItem operation in that all the actions it contains must __________________.
be completed successfully, or no changes are made at all
API Gateway supports multiple mechanisms for controlling and managing access to your API. Lambda authorizers are Lambda functions that control access to REST API methods using _______________—as well as information described by ____________ Lambda authorizers are used to control who can invoke REST API methods.
bearer token authentication headers, paths, query strings, stage variables, or context variables request parameters.
A zonal Reserved Instance gives you the ability to create and manage Capacity Reservations independently from the ______________
billing discounts offered by Savings Plans or regional Reserved Instances.
With Amazon EBS General Purpose SSD, volumes larger than or equal to 334 GiB deliver 250 MiB/s max throughput per volume regardless of ___________.
burst credits
AWS CodePipeline is a fully managed "continuous delivery" service that helps you automate your release pipelines for fast and reliable application and infrastructure updates. AWS CodeDeploy makes it easier for you to rapidly release new features, helps you avoid downtime during application deployment, and handles the _______________ your applications.
complexity of updating
Making your transactions idempotent helps prevent application errors if the same operation is submitted multiple times due to a ___________________________.
connection time-out or other connectivity issue
You can package your Lambda function code and dependencies as a ____________, using tools such as the Docker CLI.
container image
You must create the Lambda function from the same account as the _________________ in Amazon ECR
container registry
When you create a signer, the public key is with CloudFront and private key is used to sign a portion of URL. When someone requests a restricted file, CloudFront compares the signature in the URL or cookie with the unsigned URL or cookie, to verify that it hasn't been tampered with. CloudFront also verifies that the URL or _____________ is valid, meaning, for example, that the expiration date and time haven't passed.
cookie
in terms of CloudFront signed access, Signed URLs take precedence over signed ______________. If you use both signed URLs and signed ____________ to control access to the same files and a viewer uses a signed URL to request a file, CloudFront determines whether to return the file to the viewer based only on the signed URL
cookies
You can use DynamoDB transactions to make ______________ changes to multiple items both within and across tables.
coordinated all-or-nothing
API Gateway supports multiple mechanisms for controlling and managing access to your API. Standard AWS IAM roles and policies offer flexible and robust access controls that can be applied to an entire API or individual methods. IAM roles and policies can be used for controlling who can ________________________. ____________ can be used together with IAM policies to control access.
create and manage your APIs, as well as who can invoke them, IAM tags
At least with Amazon SES, Common client request errors include providing invalid _____________ and omitting _________________.
credentials , required parameters
API Gateway supports multiple mechanisms for controlling and managing access to your API. Amazon Cognito user pools let you create _____________ authentication and authorization solutions for your REST APIs. Amazon Cognito user pools are used to control who can invoke REST API methods.
customizable
Transactions provide atomicity, consistency, isolation, and durability (ACID) in DynamoDB, helping you to maintain _________________ in your applications.
data correctness
An Amazon EBS volume is a durable, block-level storage device that you can attach to your instances. After you attach a volume to an instance, you can use it as you would use a physical hard drive. EBS volumes are flexible. For current-generation volumes attached to current-generation instance types, you can dynamically increase size, modify the provisioned IOPS capacity, and change volume type on live production volumes. When you create an EBS volume, it is automatically replicated within its Availability Zone to prevent ___________
data loss due to the failure of any single hardware component.
A development team has configured their Amazon EC2 instances for Auto Scaling. When you create a launch configuration using the AWS CLI or an SDK, _____________ monitoring is enabled by default instead
detailed
When the browser immediately uses the Cloudfront signed URL to access the a file, If the file request meets the requirements in the policy statement, CloudFront does standard operations:
determines whether the file is already in the edge cache, forwards the request to the origin if necessary, and returns the file to the user.
The EBS volume is encrypted - This _____________ to attach an EBS volume.
doesn't affect the ability
EC2 metadata service is used to retrieve _________ information such as instance-id, local-hostname, public-hostname.
dynamic
You can use AWS Identity and Access Management (IAM) to restrict the actions that transactional operations can perform in Amazon DynamoDB. For the ConditionCheck action, you can use the ___________ permission in IAM policies.
dynamodb:ConditionCheck
To determine the root device type of your Linux instance, open the Amazon EC2 console, choose Instances, select the instance, and check the value of Root device type in the details pane. The value is either _____________
ebs or instance store.
When you create a VPC endpoint for DynamoDB, you use _____________ to control access to DynamoDB. Traffic between your VPC and the AWS service does not leave the Amazon network.
endpoint policies
DynamoDB uses ________ consistent reads unless you specify otherwise.
eventually
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "xray:PutTraceSegments", "xray:PutTelemetryRecords", "xray:GetSamplingRules", "xray:GetSamplingTargets", "xray:GetSamplingStatisticSummaries" ], "Resource": [ "*" ] } ] }
example of write permissions for using X-Ray via an IAM policy
During a CodeDeploy deployment, if a Appspec.yml script runs successfully, it returns an _________________. If the ____________ installed on the operating system doesn't match what's listed in the AppSpec file, the deployment fails.
exit code of 0 (zero), CodeDeploy agent
A CloudFront signed URL includes additional information, for example, ___________________, that gives you more control over access to your content.
expiration date and time
When you write custom code to send HTTP requests to AWS, you need to include code to sign the requests. You might do this for the following reasons: 1. You are working with a programming language _________________. 2. You want complete control over how a request ____________ AWS.
for which there is no AWS SDK, is sent to
CloudFront key groups by default can associate up to __________ key groups with a single distribution. Each key group can have ____________ public keys
four five
To ensure that a function can always reach a certain level of concurrency, you can configure the function with reserved concurrency. When a function has reserved concurrency, no other _____________ can use that concurrency.
function
Amazon SNS is recommended when you want to build an application that reacts to ______________ messages published by other applications or microservices, or for applications that need very high ___________ (thousands or millions of endpoints).
high throughput or low latency, fan-out
You should consider AWS Step Functions when you need to coordinate service components in the development of ______________. You should consider using Amazon Simple Queue Service (Amazon SQS), when you need a reliable, highly scalable, hosted queue for _______________.
highly scalable and auditable applications, sending, storing, and receiving messages between services
During deployment, the CodeDeploy agent looks up the name of the current event in the _____________ section of the AppSpec file. If the event is not found, the CodeDeploy agent moves on to the next step. If the event is found, the CodeDeploy agent retrieves the list of scripts to execute. The scripts are run _______________ in which they appear in the file. The status of each script is logged in the CodeDeploy agent log file on the instance.
hooks, sequentially, in the order
The appspec.yml file must be placed ________________ of an application's source code.
in the root of the directory structure
DynamoDB Atomic Counters is a numeric attribute that is ______________ without interfering with other write requests.
incremented, unconditionally,
In CloudFormation, parameters are all _______________ and cannot reference each other.
independent
With API Gateway, A stage is a logical reference to a ______________ of your API (for example, dev, prod, beta, v2)
lifecycle state
Amazon Cognito Sync is an AWS service and client library that enables cross-device syncing of application-related user data. You can use it to synchronize user profile data across mobile devices and the web without requiring your own backend. The client libraries cache data ________________ so your app can read and write data regardless of device connectivity status. When the device is online, you can synchronize data, and if you set up push sync, notify other devices immediately that an update is available.
locally
With Internet Gateway, a subnet is implicitly associated with the __________________ if it is not explicitly associated with a particular route table. So, a subnet is always associated with some route table.
main route table
Reserved concurrency also limits the ____________ concurrency for the function, and applies to the function as a whole, including versions and aliases.
maximum
A variety of factors can affect your send rate, e.g._________________. The advantage of the exponential backoff approach is that your application will self-tune
message size, network performance or Amazon service availability
To set delay seconds on individual messages, rather than on an entire queue, use ______________ to allow Amazon SQS to use the _________________'s DelaySeconds value instead of the delay queue's DelaySeconds value.
message timers
Do use dead-letter queues to decrease the number of messages and to reduce the possibility of exposing your system to poison-pill messages, which are
messages that can be received but can't be processed
DynamoDB supports eventually consistent and strongly consistent reads. Eventually Consistent Reads When you read data from a DynamoDB table, the response might not reflect the results of a recently completed write operation. The response might include some stale data. If you repeat your read request after a short time, the response should return the latest data. Strongly Consistent Reads When you request a strongly consistent read, DynamoDB returns a response with the ____________ data, reflecting the updates from all prior write operations that were successful.
most up-to-date
Amazon SNS provides ______________ throughput
nearly unlimited
Can AWS Trust Advisors store key pair credentials?
no
With Internet Gateway, a subnet can only be associated with _________ route table at a time.
one
TransactWriteItems write actions can target up to 25 distinct items in _______________ within the same AWS account and in the same Region.
one or more DynamoDB tables
DynamoDB Batch operations (read and write) help reduce the number of network round trips from your application to DynamoDB. In addition, DynamoDB performs the individual read or write operations in _____________. without having to manage __________________.
parallel, concurrency or threading
When configuring ASG's provisioned concurrency, using scheduled scaling will increase provisioned concurrency in anticipation of ____________.
peak traffic
Amazon Redshift is a fully-managed ____________-scale cloud-based data warehouse product designed for large scale data set storage and ____________.
petabyte, analysis
The network access control lists (ACLs) that are associated with the subnet must have rules to allow inbound and outbound traffic on _____________________ and _______________. This is a necessary condition for Internet Gateway connectivity
port 80 (for HTTP traffic), port 443 (for HTTPs traffic)
It is always ______________ that Spot Instances might be interrupted.
possible
DynamoDB performs two underlying reads or writes of every item in the transaction: one to _____________ and one to ____________. These two underlying read/write operations are visible in your Amazon CloudWatch metrics.
prepare the transaction, commit the transaction
AWS CodeBuild is a fully managed build service. There are no servers to provision and scale, or software to install, configure, and operate. A typical application build process includes phases like
preparing the environment, updating the configuration, downloading dependencies, running unit tests, and finally, packaging the built artifact.
When you create a VPC endpoint for DynamoDB, any requests to a DynamoDB endpoint within the Region (for example, dynamodb.us-west-2.amazonaws.com) are routed to a ______________ within the Amazon network.
private DynamoDB endpoint
When you connect to your Linux EC2 instance using SSH, to log in you must specify the _____________ that corresponds to the public key content.
private key
When you create a signer, the public key is with CloudFront and private key is used to sign a portion of URL. The signer uses its _____________ to sign the URL or cookies, and CloudFront uses the __________ to verify the signature.
private key, public key
You can use a network address translation (NAT) gateway to enable instances in a ____________ to connect to the internet or other AWS services, yet prevent the internet from initiating a connection with those instances.
private subnet
Kinesis Agent works with data ________________.
producers
This CMK policy snippet "Statement": [ { "Sid": "Allow for use of this Key", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:role/UserRole" }, "Action": [ "kms:GenerateDataKeyWithoutPlaintext", "kms:Decrypt" ], "Resource": "*" },
provides a specified IAM principal the ability to generate a data key and decrypt that data key from the CMK when necessary. These two APIs are necessary to encrypt the EBS volume while it's attached to an Amazon Elastic Compute Cloud (EC2) instance.
This policy snippet { "Sid": "Allow for EC2 Use", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:role/UserRole" }, "Action": [ "kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant" ], "Resource": "*", "Condition": { "StringEquals": { "kms:ViaService": "ec2.us-west-2.amazonaws.com" } }
provides the specified IAM principal the ability to create, list, and revoke grants for Amazon EC2. Grants are used to delegate a subset of permissions to AWS services, or other principals, so that they can use your keys on your behalf.
Due to a spike in traffic, when Lambda functions scale, this causes the portion of requests that are served by new instances to have higher latency than the rest. To enable your function to scale without fluctuations in latency, use _______________. By allocating _____________ before an increase in invocations, you can ensure that all requests are served by initialized instances with very low latency.
provisioned concurrency
When the browser immediately uses the Cloudfront signed URL to access the a file, CloudFront uses a _____________ to validate the signature and confirm that the URL hasn't been tampered with. If the signature is invalid, the request is rejected.
public key,
With CloudFront key groups, you can manage _______________ using the CloudFront API. You can use the API to automate key creation and key rotation.
public keys, key groups, and trusted signers
When you create a signer, the public key is with CloudFront and private key is used to sign a portion of URL. Each signer that you use to create CloudFront signed URLs or signed cookies must have a _____________.
public-private key pair
AWS WAF is a web application firewall that lets you control access to your content. Based on conditions that you specify, such as the values of _______________ that requests originate from, CloudFront responds to requests either with the requested content or with an HTTP status code _______________.
query strings or the IP addresses, 403 (Forbidden)
There is no additional cost to enable transactions for your DynamoDB tables. You pay only for the _____________ that are part of your transaction.
reads or writes
you are tasked with creating several API Gateway powered APIs along with your team of developers. Every time you update an API, you must _____________ Updating an API includes modifying routes, methods, integrations, authorizers, and anything else other than stage settings.
redeploy the API to an existing stage or to a new stage.
When you purchase a Reserved Instance, you determine the scope of the Reserved Instance. The scope is either ___________
regional or zonal.
At least with Amazon SES, When you get a 4xx error, you need to correct the problem and _______________ a properly formed client request.
resubmit
If capacity limits of an Amazon Kinesis data stream are exceeded due to a temporary rise of the data stream's input data rate you should ____________________________ which will eventually lead to the completion of the requests.
retry (with exponential backoff) by the data producer
When you use the_____________ to manage CloudFront key pairs, you can only have up to two active CloudFront key pairs per AWS account.
root user
CloudFront key pairs can only be created using the __________
root user account
An internet gateway serves two purposes: 1. to provide a target in your VPC _____________ for internet-routable traffic 2. to perform ________________ for instances that have been assigned public IPv4 addresses.
route tables, network address translation (NAT)
AWS Trusted Advisor is an application that draws upon best practices learned from AWS' aggregated operational history of serving hundreds of thousands of AWS customers. Trusted Advisor inspects your AWS environment and makes recommendations for _______________
saving money, improving system performance, or closing security gaps.
To maintain the same number of instances, Amazon EC2 Auto Scaling performs a periodic health check on running instances within an Auto Scaling group. When it finds that an instance is unhealthy, it terminates that instance and launches a new one. Amazon EC2 Auto Scaling creates a new ____________ for terminating the unhealthy instance and then terminates it. Later, another scaling activity launches a new instance to replace the terminated instance.
scaling activity,
You cannot configure Application Auto Scaling to manage Lambda reserved concurrency on a ________.
schedule
When you create a pre-signed URL for your object, you must provide your _____________, specify a ___________, an_________________, specify the HTTP method (GET to download the object), and ___________ date and time. The pre-signed URLs are valid only for the specified duration.
security credentials, bucket name, object key, expiration
Throttling is a _______________ error and not a client error
server
A data analytics company is processing real-time Internet-of-Things (IoT) data via Kinesis Producer Library (KPL) and sending the data to a Kinesis Data Streams driven application. The application has halted data processing. The capacity limits of an Amazon Kinesis data stream are defined by the number of _______ within the data stream. The limits can be exceeded by either data throughput or the number of PUT records. While the capacity limits are exceeded, the put data call will be rejected with a __________________ exception.
shards, ProvisionedThroughputExceeded
If capacity limits of an Amazon Kinesis data stream are exceeded due to a sustained rise of the data stream's input data rate you should _________________
should increase the number of shards within your data stream to provide enough capacity for the put data calls to consistently succeed.
When you create a signer, the public key is with CloudFront and private key is used to sign a portion of URL. The _____________ uses its private key to sign the URL or cookies, and ___________ uses the public key to verify the signature.
signer, CloudFront
Although AWS WAF lets you control access to your content hosted on AWS services, the firewall is optimal for broader use cases than restricted access to a ____________ file.
single
The CodeBuild AppSpec file is used to: Map the _______________ to their destinations on the instance. Specify ______________ for deployed files. Specify _______________ on each instance at various stages of the deployment process.
source files in your application revision, custom permissions , scripts to be run
API Gateway supports multiple mechanisms for controlling and managing access to your API. Resource policies let you create resource-based policies to allow or deny access to your APIs and methods from ________________.
specified source IP addresses or VPC endpoints
For a function configured with concurrency, a portion of the reserved concurrency pool is ____________ concurrency. When all provisioned concurrency is in use, the function scales on ____________ concurrency to serve any additional requests.
standard
If you lose the private key for an EBS-backed instance, you can regain access to your Linux instance. You must __________ This procedure is not supported for instances with instance-store backed root volumes.
stop the instance detach its root volume attach that root volume to another instance as a data volume modify the authorized_keys file with a new public key move the volume back to the original instance restart the instance.
DynamoDB Read operations (such as GetItem, Query, and Scan) provide a ConsistentRead parameter. If you set this parameter to true, DynamoDB uses __________ consistent reads during the operation.
strongly
With Internet Gateway, a route table contains a set of rules, called routes, that are used to determine where network traffic from your ______________ is directed.
subnet or gateway
With DynamoDB BatchWriteItem operation, it is possible that only some of the actions in the batch _______________.
succeed while the others do not
When an Amazon EC2 interrupts a Spot Instance, the default is to
terminate Spot Instances when they are interrupted
AWS CodeBuild monitors functions on your behalf and reports metrics through Amazon CloudWatch. These metrics include the number of ____________________ You can monitor your builds at two levels: Project level, AWS account level.
total builds, failed builds, successful builds, and the duration of builds.
a video game developer can ensure that players' profiles are updated correctly when they exchange items in a game or make in-game purchases is a good case for DynamoDB's _____
transactional read and write APIs
DynamoDB streams cannot be used to capture ________________ in DynamoDB
transactions
CloudFront signed cookies allow you to control who can access your content when you don't __________________ or when you want to provide access to _____________ files
want to change your current URLs, multiple restricted
Delay queues are similar to visibility timeouts because both features make messages unavailable to consumers for a specific period of time. The difference between the two is that, for delay queues, a message is hidden ___________________, whereas for visibility timeouts a message is hidden ______________.
when it is first added to queue, only after it is consumed from the queue
You can give EC2 instances in one account ("account A") permissions to assume a role from another account ("account B") to access resources such as S3 buckets. You need to create an IAM role in Account B and set Account A as a trusted entity. Then attach a JSON policy to this IAM role such that it delegates access to Amazon S3 like so:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "s3:*", "Resource": [ "arn:aws:s3:::awsexamplebucket1", "arn:aws:s3:::awsexamplebucket1/*", "arn:aws:s3:::awsexamplebucket2", "arn:aws:s3:::awsexamplebucket2/*" ] } ] }
You can give EC2 instances in one account ("account A") permissions to assume a role from another account ("account B") to access resources such as S3 buckets. You need to create an IAM role in Account B and set Account A as a trusted entity. you can create another role (instance profile) in Account A and attach it to the EC2 instances in Account A and add an inline policy to this role to assume the role from Account B like so
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::AccountB_ID:role/ROLENAME" } ] }
When you launch an Linux Amazon EC2 instance, you are prompted for a key pair. If you plan to connect to the instance using SSH, you must specify a key pair. You can choose an existing key pair or create a new one. When your instance boots for the first time, the content of the public key that you specified at launch is placed on your Linux instance in an entry within _________________.
~/.ssh/authorized_keys