1. SSL between viewer and cloud front - Viewer protocol policy
2. SSL between cloud front and origin - Origin Protocol policy
3. Lambda event source mapping supported by,
1. Kineses
2. SQS
3. Dynamodb
Not supported by,
1. S3
2. SNS
4. aws cloudformation package -> to upload the source code to s3 and make it ready for deployment
5. 5KB each item, 100 records/sec in Dynamodb =>
For read, multiply to nearer 4KB. So here it will be 8KB
Eventually consistent read will take 1 RCU (for 8KB) => for 100 read we need 100RCU
Strongly consistent read will take 2 RCU (for 8KB) => for 100 read we need 200RCU
6. CloudWatch logs publish metric data for events after filter created
7. To make fault-tolerance we need to have multi AZ model
8. Deployment should happen only to new instances -> Immutable, Blue/Green
9. Need to save session data even EC2 is lost? -> keep session info it in Dynamodb
10. Storing log files -> S3 can be used
11. CI/CD options in AWS
Code Commit -> Like Git
Code Build -> Running test against code
Code Deploy -> Installing complied code on AWS
12. Kineses shards
For Enable your stream to adapt to changes rate of flow
Increase shards (also cost) increase capacity
Decrease/Merge shards reduce (cost) capacity
13. connection strings can be stored in Environment Variables for Lambda to get runtime values
14. To direct small amount of traffic to new lambda code
Create alias to point both version and assign weighing to send portion to new code
15. Tool to simplified syntax to express serverless resources -> SAM
16. Auto delete records from dynamodb -> use TTL
17. Off load the read traffic in RDS -> Use read replica
18. Stop SQL injection , cross site attack -> use WAF
19. To ensure on-going connectivity configure Elastic IP as A-Record in R53
20. To pull docker image from ECR
run output of aws ecr get-login
then docker pull REPO URI: TAG
21. ETL on streaming data into S3 -> Use Kineses FireHose
22. In AWS X-Ray how to add key-value pair to custom sub segment -> Use Annotation
23. in SAM
SimpleTable -> Dynamodb
Function -> Lambda
API -> Creates APIGateway
24. How to ensure correct order of msg process in SQS -> unique MessageGroupId for each producer
25. Version control system - Code Commit
26. AWS EC2 instance profile
aws ec2 associate-instance-profile
aws iam add-role-to-instance-profile
aws iam create-instance-profile
27. Info about IP traffic from/to network interface of VPC -> Use VPC flow log and push to S3
28. Cognito UserPools -> Fully Managed user sign-in/sign-up
Cognito IdentifyPools -> If 3rd party want to access AWS resource
29. To avoid overwrite to dynamodb -> use conditional writes
30. Connecting lamba to internet -> Use NAT gateway to public subnet and specify route in private subnet
31. X-Ray segment an be 64KB max and you put the segment using PutTraceSegments and search using GetTraceSummaries
32. GSI of dynamodb throttle will throttle the table as well
33. LSI should be specified at the creation of the dynamodb
34. Elasticity -> Use Auto Scaling groups
35. Dynamodb stream calling Lambda will be synchronously
36. Ingest tera byte of data continuous 24hrs in real time -> Use Kinesis data stream with KCL
37. Encryption keys to be rotated -> Use KMS with auto key rotation
38. Application wants to send 1 msg to multiple SQS -> publish to SNS and subscribe each SQS to this topic
39. Deployment with no reduction in application performance -> Rolling with additional batches
40. Use /tmp directory if the Lambda needs to download a large file or disk space for operations. The maximum size is 512 MB. The content is frozen within the execution context so multiple invocations can use the data.
41. For Custom authorization/authentication in API gateway -> Use Lambda authorizer
42. EC2 behind ELB wants to make SSL -> Configure ELB with SSL terminatin, Add SSL certificate to ELB
43. Authenticate API gateway with token -> Use lambda authorizer
44. Strict ordering of message in SQS -> Use FIFO queue
45. A namespace is a container for CloudWatch metrics. Metrics in different namespaces are isolated from each other
So, custom namespace with a unique metric name for each application will be showing all app in a single view through CloudWatch
46. ec2:startInstance, ec2:stopInstance are -> actions in IAM policy
47. EC2 wants to access AWS resource -> Use EC2 instance profile
48. A lambda takes 100s to complete. We need to exec 50 function / sec
Concurrency is the number of requests that your function is serving at any given time. When the function code finishes running, it can handle another request. If the function is invoked again while a request is still being processed, another instance is allocated, which increases the function's concurrency.
• 3000 – US West (Oregon), US East (N. Virginia), Europe (Ireland)
• 1000 – Asia Pacific (Tokyo), Europe (Frankfurt)
• 500 – Other Regions
for our request 50x100 = 5000 function/sec this is not in the limit so need to contact AWS to increase concurrency
49. What is section MUST be in SAM -> Transform
50. BEST way to provide multiple versions of the REST API?
Deploy the API versions as unique stages with unique endpoints and use stage variables to provide further context
51. Best way to delete all data in dynamodb -> delete table and recreate
52. Serverless docker containers -> Fragate
53. How to make sure data written in S3 are encrypted (at rest) -> Create S3 bucket policy denies S3 Put request that not include the x-amz-server-side-encryption
54. To handle Throttle exception -> use exponential backoff
55. Simplest way to ensure S3 data is encrypted at rest -> Enable default encryption when creating the bucket
56. How to expose XML based SOAP interface to external clients with API Gateway -> in APIGW transform JSON to XML using mapping templates
57. Amazon S3 overwrite PUTS are eventually consistent, so the application may read the old object
58. Task placement strategy in ECS
binpack -> Place tasks based on the least available amount of CPU or memory. This minimizes the number of instances in use.
Random -> Place tasks randomly.
Spread -> Place tasks evenly based on the specified value. Accepted values are instanceId (or host, which has the same effect), or any platform or custom attribute that is applied to a container instance, such as attribute:ecs.availability-zone
59. Lambda needs to access username password that needs rotation -> Use System Manager parameter store & KMS
60. In S3 simple way to ensure data encrypt before sent to S3 -> Client side encryption with KMS managed CMK and SSL
61. deploy the code first in DEV, QA then prod -> use code deploy
62. need email if new obj uploaded in S3 -> monitor PUT and POST event and use SNS topic
63. Dynamodb we need to maintain a row before it modified -> use stream with old_image
64. The ReceiveMessage API call retrieves one or more messages (up to 10)
65. Update the WaitTimeSeconds > 0 is used to configure long polling.
66. In Lambda, Use environment variables to pass environment-specific settings to your code. If you can have two functions with the same code but different configuration. One function connects to a test database, and the other connects to a production database.
67. Layers are used for adding external libraries to your Lambda functions.
68. DynamoDb single row can support max 400KB
69. Call Lambda for event change in code pipeline -> CloudWatch event rule use codepipeline as event source
70. Deploy Lambda using code deploy hooks are -> BeforeAllowTraffic -> AfterAllowTraffic
71. Dynamodb how to minimize impact of scan on RCU -> Set smaller page size
72. To get started with CodeCommit -> get Git credentials generated with IAM
73. Up and running website quickly - use S3 for static site
74. multi threaded in-memory cache -> Memcached
Redis -> not multi threaded
75. EC2 in your private subnet wants to write S3 -> use VPC endpoints
76. In CloudFormation
Parameters -> Enable you to input custom values to your template each time you create or update a stack.
Resource -> AWS resources that you want to include in the stack, such as an Amazon EC2 instance or an Amazon S3 bucket.
Mapping -> If you want to set values based on a region, you can create a mapping that uses the region name as a key and contains the values you want to specify for each specific region.
You use the Fn::FindInMap intrinsic function to retrieve values in a map
77. Direct global user to website with best performance -> latency based routing in R53
78. (SSE-KMS) is similar to SSE-S3, but with some additional benefits like audit trail
79. Docker container task charged per running task -> use fragate
80. Amazon ECS with the EC2 launch type -> pay for running container (EC2)
81. Deploy ECS using code deploy "quickly" -> Inplace
82. Authorize user based on JSON web tokens -> Cognito user pools
83. SNS ave discarded events for further processing -> Use DLQ
84. Need to access to AWS resources in another account from an insecure environment for a short-term need (around 15 minutes) -> Assume role
85. 4XX -> Client side error, 5XX -> Server side error code
86. Min permission Lambda needs to put log in CloudWatch -> createLogGroup, CreateLogStream, putLogEvents
87. Logging API activity on AWS resource -> Use CloudTrail
88. ECS EC2 application wants to share data with other application -> Create one task definition. Specify both containers in the definition. Mount a shared volume between those two containers.
89. in X-Ray we need more detailed timing info and downstream data calls -> Use subsegments
Annotations -> Annotations are simple key-value pairs that are indexed for use with filter expressions. Use annotations to record data that you want to use to group traces in the console, or when calling the GetTraceSummaries API.
Metadata -> Metadata are key-value pairs with values of any type, including objects and lists, but that are not indexed. Use metadata to record data you want to store in the trace but don't need to use for searching traces
90. Avoid port conflict in ECS cluster for web app -> Specify port 80 for the container port and port 0 for the host port
91. Lambda is dependent on external lib that is not available in runtime environment -> Create zip file with source code with all dependnet
92. To assume role we need use -> action: "sts:AssumeRole"
93. Best way to analyse distributed application end to end -> use X-Ray
94. Invoke lambda on Dynamodb stream -> an event source map to be created in lambda side to associate with stream
95. Task placement strategy to minmize number of instance -> Bin Pack
96. CodeDeply should have application specific yaml file at root dir -> AppSpec.yml (not .yaml)
97. Use Parallel scan with limiting rate to optimize scan without impacting prod table
98. If CodeBuild got error says env variable length exceeds limit -> Use System Manager Parameter store to store large env variables
99. App needs to send TEXT and Email -> use SNS
100. After new deployment cloudfront still delivers old content -> invlaidate objects at edge caches
101. Header to invaidate API cache -> Cache-Control: max-age=0
102. Process ALB request by Lambda -> You can register your Lambda functions as targets and configure a listener rule to forward requests to the target group for your Lambda function. When the load balancer forwards the request to a target group with a Lambda function as a target, it invokes your Lambda function and passes the content of the request to the Lambda function, in JSON format.
103. The Kinesis Client Library (KCL) helps you consume and process data from a Kinesis data stream
104. Dynamodb ensure ACID property -> Use Transactional API
105. In AWS Kineses number of shard = number of EC2
106. EC2 User data -> Used for launch configs and initial scripts
107. What MUST be performed to configure the S3 as static website -> Enable public access and grant everyone the s3:GetObject permissions
108. In-memory cache with high availablity -> Use Amazon ElastiCache Redis with replicas
109. A Lambda function has inadequate compute capacity -> Allocate more RAM
110. EC2 meta data can be found using -> http://169.254.169.254/latest/meta-data/
111. API GW, company wants to give existing consumer 6 months to migrate from V1 to V2 -> Deploy a new stage named v2 to the API and provide users with its URL
112. Multiple AWS account's key performace needed in single dashboard -> You can create cross-account cross-Region dashboards, which summarize your CloudWatch data from multiple AWS accounts and multiple Regions into one dashboard
113. Deployment fails then rollback should be fast -> Immutable
114. ECS scale task automatically based load and spread across containers based on incoming connections -> Create an ECS Service with Auto Scaling and attach an Elastic Load Balancer
115. Encryption keys must be rotated annually -> KMS with auto rotation
116. Configure automatic rotation with AWS Secrets Manager" is used for rotating credentials, not encryption keys.
117. With AWS KMS you can encrypt files directly with a customer master key (CMK). A CMK can encrypt up to 4KB (4096 bytes) of data in a single encrypt, decrypt, or reencrypt operation. As CMKs cannot be exported from KMS this is a very safe way to encrypt small amounts of data.
118. SQS avoid processing message twice -> Use a FIFO queue and configure the producer to provide a message deduplication ID
119. The maximum long polling wait time is 20 seconds in SQS
120. The DeleteMessageBatch API deletes (upto 10) the specified message from the specified queue. To select the message to delete, use the ReceiptHandle of the message (not the MessageId which you receive when you send the message)
121. Create new API Key using CreateApiKey in API Gateway
122. If users gets 403 on new Api Key -> createUsagePlanKey method must be called to associate the newly created API key with the correct usage plan
123. SQS , process msg successfully and remove from queue without duplicate processing -> Retrieve the message with an increased visibility timeout, process the message, delete the message from the queue
124. The default visibility timeout for a message is 30 seconds. The minimum is 0 seconds. The maximum is 12 hours.
125. What is the BEST way to coordinate the complex invocation logic for the Lambda functions -> Step functions
126. Sticky sessions are a mechanism to route requests to the same target in a target group in ALB.
127. How to enable X-Ray in beanstalk -> Add a .ebextensions/xray-daemon.config file to the source code to enable the X-Ray daemon
128. Convert query string param to arguments for the Lambda function -> using mapping template
129. In Dynamodb how to know how much RCU is used -> Monitor ConsumedReadCapacityUnits in metrics
130. Metrics produced by AWS services are standard resolution by default.
When you publish a custom metric, you can define it as either standard resolution or high resolution.
When you publish a high-resolution metric, CloudWatch stores it with a resolution of 1 second, and you can read and retrieve it with a period of 1 second, 5 seconds, 10 seconds, 30 seconds, or any multiple of 60 seconds.
131. Amazon DynamoDB Accelerator (DAX) is a fully managed, highly available, in-memory cache for DynamoDB that delivers up to a 10x performance improvement – from milliseconds to microseconds – even at millions of requests per second.
132. Create a single page to view and manage all of the AWS resources -> Create a resource group
133. Deployed in the fastest possible time and application downtime is acceptable - All at once
134. in ECS, Cluster queries are expressions that enable you to group objects. For example, you can group container instances by attributes such as Availability Zone, instance type, or custom metadata
135. control the placement of tasks onto groups of container instances organized by availability zone and instance type -> use CQL (Cluster Query Language)
136. From EC2, traces are not being sent to X-Ray -> The instance’s instance profile role does not have permission to upload trace data to X-Ray, The X-Ray daemon is not installed on the EC2 instance
137. AWS service can assist the Developers with automating the build, test, and deploy phases of the release process every time there is a code change -> Code pipeline
138. IAM user in the Development account needs to launch resources in the Production and Testing accounts -> Create a role with the required permissions in the Production and Testing accounts and have the Developer assume that role
139. We can use GenerateDataKey to obtain an encryption key from KMS that we can then use within the function code to encrypt the file.
140. Canary: Traffic is shifted in two increments. You can choose from predefined canary options.
141. Linear: Traffic is shifted in equal increments with an equal number of minutes between each increment
142. Use Amazon Cognito to associate unauthenticated users with an IAM role that has limited access to resources. If your application allows users who do not log in, you can enable access for unauthenticated identities using identity pools.
143. Lambda status code 202 -> async invokation successful
144. CLQ - Cluster Query Language enable you to group objects by AZ, Instance type or custom metric
145. Task placement constrain -> memberOf, distinctInstance
146. Task placement strategy -> binback, random, speread
147. Docker on beanstalk -> use Dockerrun.aws.json files in root of src
148. What method Developer should use to access the multi-factor authentication protected API -> GetSessionToken
149. AWSCredentialProviderChain
Env Var
Java Sys props
Default cred ~/.aws/credentials
AWS ECS Container cred
Instance profile cred
150. Async invoke lambda using CLI -> -invocation-type as event
151. Encryption at rest for data stored in Amazon Kinesis Data Streams
Enable server-side encryption on Kinesis Data Streams with an AWS KMS CMK
152. Deploy lambda using cloudformation ->
Create AWS::Lambda::Function, write code directly inside template
Zip in S3 with code, refer to it in AWS::Lambda::Function
153. Cognito developer authenticated identities, you can register and authenticate users via your own existing authentication process, while still using Amazon Cognito to synchronize user data and access AWS resources.
154. AWS Lambda (status code 429) -> The concurrency execution limit for the account has been exceeded
155. Metrics produced by AWS services are standard resolution by default
Standard have 1 min granularity
High can go upto 1 sec granularity
156. Need manual approval in code pipeline -> use approval action
157. For mobile user authentication -> Cognito user pools authorizer
158. Authenticate users by FB/Google acc to view image in S3 -> Cognito web identity federation
159. Task placement strategies and constraints are not supported for tasks using the Fargate launch type
160. forward execution result of Lambda -> use "on success" destination
161. How can the architecture be refactored to provide a single interface for the services -> API Gateway
162. The data encryption keys must be generated from a dedicated, tamper-resistant hardware device - CloudHSM
163. Connect codecommit using SSH -> Generate pub key and upload in developer's IAM account
164. AWS CloudFormation StackSets extends the functionality of stacks by enabling you to create, update, or delete stacks across multiple accounts and regions with a single operation.
165. The BatchGetItem operation returns the attributes of one or more items from one or more tables.
You identify requested items by primary key.
A single operation can retrieve up to 16 MB of data, which can contain as many as 100 items.
In order to minimize response latency, BatchGetItem retrieves items in parallel.
166. Lambda to write dynamodb about EC2 instance launch everytime -> Use CloudWatch even to look for pattern of EC2 state change and use lambda as target set
167. A Kinesis data stream stores records from 24 hours by default, up to 168 hours.
168. S3 gets upload across globe needs faster upload time -> S3 transfer acceleration
169. "sam init" SIMPLEST way for the Developer to get started with a Hello World Lambda function
170. To connect to AWS services from a private subnet with no internet access, use VPC endpoints
171. AppSpec Hooks
ECS
BeforeInstall, AfterInstall, AfterAllowTestTraffic,
BeforeAllowTraffic, AfterAllowTraffic
EC2
BeforeInstall, AfterInstall, AppStart, ValidateService
Lambda
BeforeAllowtraffic, AfterAllowTraffic
178. A deny list – actions are allowed by default, and you specify what services and actions are prohibited
An allow list – actions are prohibited by default, and you specify what services and actions are allowed
179. view a summary of proposed changes to an AWS CloudFormation stack without implementing the changes -> Create Change Set
180. a service that can coordinate multiple AWS services into serverless workflows -> Step Function
181. Lambda generates new file and upload in Codecommit -> Use AWS SDK in Lambda and use put_file method to add file to repo
182. ensure that all data that is sent to the S3 bucket is encrypted in transit -> Deny traffic if SecureTransport is False
183. collaborate and synchronize multiple distributed code repositories, centralized project dashboard -> Code Star
184. CMK to generate the encryption key -> kms:GenerateDataKey API
185. Lambda processing data from Kinesis stream -> Lambda will receive each record in exact order it was placed into shard. But no gurantee of order across shard
186. SQS delay queue -> Msg are hidden for the given time when it first added to the queue
187. SQS cannot be created in VPC because it is public service
188. Application contains EC2, Lambda, SQS needs to be in private VPC -> Create VPC end point for SQS and Add lambda to VPC
189. Lazy Loading cache -> Load when necessary (if cache miss)
190. Write Through cache -> update cache when write/update to db
191. Configure port mapping between the host and container -> task definition
192. serverless service for receiving streaming data and loading it directly into an Amazon Elasticsearch datastore -> Firehose
193. when using put-metric-data we need to give --dimentions param
194. SQS Extended Client Library is especially useful for storing and consuming messages up to 2 GB in size
195. SQS supports 256KB size message by default
196. A layer is a ZIP archive that contains libraries, a custom runtime, or other dependencies.
With layers, you can use libraries in your function without needing to include them in your deployment package.
197. With an Application Load Balancer it is possible to route requests based on the domain name specified in the Host header
198. Kinesis Producer Library (KPL) simplifies producer application development, allowing developers to achieve high write throughput to a Kinesis data stream
199. FIFO (First-In-First-Out) queues are designed to enhance messaging between applications when the order of operations and events is critical, or where duplicates can't be tolerated
200. Refactor the app with high availability and fault tolerance -> Use ASG across multi AZ and ELB and use MultiAZ deployment for RDS
