Thursday, May 20, 2021

AWS Associate Developer - Notes

1. SSL between viewer and cloud front - Viewer protocol policy

2. SSL between cloud front and origin - Origin Protocol policy

3. Lambda event source mapping supported by,

1. Kineses

2. SQS

3. Dynamodb

 Not supported by,

1. S3

2. SNS

4. aws cloudformation package -> to upload the source code to s3 and make it ready for deployment

5. 5KB each item, 100 records/sec in Dynamodb => 

For read, multiply to nearer 4KB. So here it will be 8KB

Eventually consistent read will take 1 RCU (for 8KB) => for 100 read we need 100RCU

Strongly consistent read will take 2 RCU (for 8KB) => for 100 read we need 200RCU

6. CloudWatch logs publish metric data for events after filter created

7. To make fault-tolerance we need to have multi AZ model

8. Deployment should happen only to new instances -> Immutable, Blue/Green

9. Need to save session data even EC2 is lost? -> keep session info it in Dynamodb

10. Storing log files -> S3 can be used

11. CI/CD options in AWS

Code Commit -> Like Git

Code Build -> Running test against code

Code Deploy -> Installing complied code on AWS

12. Kineses shards 

For Enable your stream to adapt to changes rate of flow

Increase shards (also cost) increase capacity

Decrease/Merge shards reduce (cost) capacity

13. connection strings can be stored in Environment Variables for Lambda to get runtime values

14. To direct small amount of traffic to new lambda code

Create alias to point both version and assign weighing to send portion to new code

15. Tool to simplified syntax to express serverless resources -> SAM

16. Auto delete records from dynamodb -> use TTL

17. Off load the read traffic in RDS -> Use read replica

18. Stop SQL injection , cross site attack -> use WAF

19. To ensure on-going connectivity configure Elastic IP as A-Record in R53

20. To pull docker image from ECR

run output of aws ecr get-login

then docker pull REPO URI: TAG

21. ETL on streaming data into S3 -> Use Kineses FireHose

22. In AWS X-Ray how to add key-value pair to custom sub segment -> Use Annotation

23. in SAM

SimpleTable -> Dynamodb

Function -> Lambda

API -> Creates APIGateway

24. How to ensure correct order of msg process in SQS -> unique MessageGroupId for each producer

25. Version control system - Code Commit

26. AWS EC2 instance profile

aws ec2 associate-instance-profile

aws iam add-role-to-instance-profile

aws iam create-instance-profile

27. Info about IP traffic from/to network interface of VPC -> Use VPC flow log and push to S3

28. Cognito UserPools -> Fully Managed user sign-in/sign-up

Cognito IdentifyPools -> If 3rd party want to access AWS resource

29. To avoid overwrite to dynamodb -> use conditional writes

30. Connecting lamba to internet -> Use NAT gateway to public subnet and specify route in private subnet

31. X-Ray segment an be 64KB max and you put the segment using PutTraceSegments and search using GetTraceSummaries

32. GSI of dynamodb throttle will throttle the table as well

33. LSI should be specified at the creation of the dynamodb

34. Elasticity -> Use Auto Scaling groups

35. Dynamodb stream calling Lambda will be synchronously 

36. Ingest tera byte of data continuous 24hrs in real time -> Use Kinesis data stream with KCL

37. Encryption keys to be rotated -> Use KMS with auto key rotation

38. Application wants to send 1 msg to multiple SQS -> publish to SNS and subscribe each SQS to this topic

39. Deployment with no reduction in application performance -> Rolling with additional batches

40. Use /tmp directory if the Lambda needs to download a large file or disk space for operations. The maximum size is 512 MB. The content is frozen within the execution context so multiple invocations can use the data.

41. For Custom authorization/authentication in API gateway -> Use Lambda authorizer

42. EC2 behind ELB wants to make SSL -> Configure ELB with SSL terminatin, Add SSL certificate to ELB

43. Authenticate API gateway with token -> Use lambda authorizer

44. Strict ordering of message in SQS -> Use FIFO queue

45. A namespace is a container for CloudWatch metrics. Metrics in different namespaces are isolated from each other

So, custom namespace with a unique metric name for each application will be showing all app in a single view through CloudWatch

46. ec2:startInstance, ec2:stopInstance are -> actions in IAM policy

47. EC2 wants to access AWS resource -> Use EC2 instance profile

48. A lambda takes 100s to complete. We need to exec 50 function / sec

Concurrency is the number of requests that your function is serving at any given time. When the function code finishes running, it can handle another request. If the function is invoked again while a request is still being processed, another instance is allocated, which increases the function's concurrency.

• 3000 – US West (Oregon), US East (N. Virginia), Europe (Ireland)

• 1000 – Asia Pacific (Tokyo), Europe (Frankfurt)

• 500 – Other Regions

for our request 50x100 = 5000 function/sec this is not in the limit so need to contact AWS to increase concurrency

49. What is section MUST be in SAM -> Transform

50. BEST way to provide multiple versions of the REST API?

Deploy the API versions as unique stages with unique endpoints and use stage variables to provide further context

51. Best way to delete all data in dynamodb -> delete table and recreate

52. Serverless docker containers -> Fragate

53. How to make sure data written in S3 are encrypted (at rest) -> Create S3 bucket policy denies  S3 Put request that not include the x-amz-server-side-encryption

54. To handle Throttle exception -> use exponential backoff

55. Simplest way to ensure S3 data is encrypted at rest -> Enable default encryption when creating the bucket

56. How to expose XML based SOAP interface to external clients with API Gateway -> in APIGW transform JSON to XML using mapping templates

57. Amazon S3 overwrite PUTS are eventually consistent, so the application may read the old object

58. Task placement strategy in ECS

binpack -> Place tasks based on the least available amount of CPU or memory. This minimizes the number of instances in use.

Random -> Place tasks randomly.

Spread -> Place tasks evenly based on the specified value. Accepted values are instanceId (or host, which has the same effect), or any platform or custom attribute that is applied to a container instance, such as attribute:ecs.availability-zone

59. Lambda needs to access username password that needs rotation -> Use System Manager parameter store & KMS

60. In S3 simple way to ensure data encrypt before sent to S3 -> Client side encryption with KMS managed CMK and SSL

61. deploy the code first in DEV, QA then prod -> use code deploy

62. need email if new obj uploaded in S3 -> monitor PUT and POST event and use SNS topic

63. Dynamodb we need to maintain a row before it modified -> use stream with old_image

64. The ReceiveMessage API call retrieves one or more messages (up to 10)

65. Update the WaitTimeSeconds > 0 is used to configure long polling.

66. In Lambda, Use environment variables to pass environment-specific settings to your code. If you can have two functions with the same code but different configuration. One function connects to a test database, and the other connects to a production database.

67. Layers are used for adding external libraries to your Lambda functions.

68. DynamoDb single row can support max 400KB

69. Call Lambda for event change in code pipeline -> CloudWatch event rule use codepipeline as event source

70. Deploy Lambda using code deploy hooks are -> BeforeAllowTraffic -> AfterAllowTraffic

71. Dynamodb how to minimize impact of scan on RCU -> Set smaller page size

72. To get started with CodeCommit -> get Git credentials generated with IAM

73. Up and running website quickly - use S3 for static site

74. multi threaded in-memory cache -> Memcached

Redis -> not multi threaded

75. EC2 in your private subnet wants to write S3 -> use VPC endpoints

76. In CloudFormation

Parameters -> Enable you to input custom values to your template each time you create or update a stack.

Resource -> AWS resources that you want to include in the stack, such as an Amazon EC2 instance or an Amazon S3 bucket.

Mapping -> If you want to set values based on a region, you can create a mapping that uses the region name as a key and contains the values you want to specify for each specific region.

You use the Fn::FindInMap intrinsic function to retrieve values in a map

77. Direct global user to website with best performance -> latency based routing in R53

78. (SSE-KMS) is similar to SSE-S3, but with some additional benefits like audit trail

79. Docker container task charged per running task -> use fragate

80. Amazon ECS with the EC2 launch type -> pay for running container (EC2)

81. Deploy ECS using code deploy "quickly" -> Inplace

82. Authorize user based on JSON web tokens -> Cognito user pools

83. SNS ave discarded events for further processing -> Use DLQ

84. Need to access to AWS resources in another account from an insecure environment for a short-term need (around 15 minutes) -> Assume role

85. 4XX -> Client side error, 5XX -> Server side error code

86. Min permission Lambda needs to put log in CloudWatch -> createLogGroup, CreateLogStream, putLogEvents

87. Logging API activity on AWS resource -> Use CloudTrail

88. ECS EC2 application wants to share data with other application -> Create one task definition. Specify both containers in the definition. Mount a shared volume between those two containers.

89. in X-Ray we need more detailed timing info and downstream data calls -> Use subsegments

Annotations -> Annotations are simple key-value pairs that are indexed for use with filter expressions. Use annotations to record data that you want to use to group traces in the console, or when calling the GetTraceSummaries API.

Metadata -> Metadata are key-value pairs with values of any type, including objects and lists, but that are not indexed. Use metadata to record data you want to store in the trace but don't need to use for searching traces

90. Avoid port conflict in ECS cluster for web app -> Specify port 80 for the container port and port 0 for the host port

91. Lambda is dependent on external lib that is not available in runtime environment -> Create zip file with source code with all dependnet

92. To assume role we need use -> action: "sts:AssumeRole"

93. Best way to analyse distributed application end to end -> use X-Ray

94. Invoke lambda on Dynamodb stream -> an event source map to be created in lambda side to associate with stream

95. Task placement strategy to minmize number of instance -> Bin Pack

96. CodeDeply should have application specific yaml file at root dir -> AppSpec.yml (not .yaml)

97. Use Parallel scan with limiting rate to optimize scan without impacting prod table

98. If CodeBuild got error says env variable length exceeds limit -> Use System Manager Parameter store to store large env variables

99. App needs to send TEXT and Email -> use SNS

100. After new deployment cloudfront still delivers old content -> invlaidate objects at edge caches

101. Header to invaidate API cache -> Cache-Control: max-age=0

102. Process ALB request by Lambda -> You can register your Lambda functions as targets and configure a listener rule to forward requests to the target group for your Lambda function. When the load balancer forwards the request to a target group with a Lambda function as a target, it invokes your Lambda function and passes the content of the request to the Lambda function, in JSON format.

103. The Kinesis Client Library (KCL) helps you consume and process data from a Kinesis data stream

104. Dynamodb ensure ACID property -> Use Transactional API

105. In AWS Kineses number of shard = number of EC2

106. EC2 User data -> Used for launch configs and initial scripts

107. What  MUST be performed to configure the S3 as static website -> Enable public access and grant everyone the s3:GetObject permissions

108. In-memory cache with high availablity -> Use Amazon ElastiCache Redis with replicas

109. A Lambda function has inadequate compute capacity -> Allocate more RAM

110. EC2 meta data can be found using -> http://169.254.169.254/latest/meta-data/

111. API GW, company wants to give existing consumer 6 months to migrate from V1 to V2 -> Deploy a new stage named v2 to the API and provide users with its URL

112. Multiple AWS account's key performace needed in single dashboard -> You can create cross-account cross-Region dashboards, which summarize your CloudWatch data from multiple AWS accounts and multiple Regions into one dashboard

113. Deployment fails then rollback should be fast -> Immutable

114. ECS scale task automatically based load and spread across containers based on incoming connections -> Create an ECS Service with Auto Scaling and attach an Elastic Load Balancer

115. Encryption keys must be rotated annually -> KMS with auto rotation

116. Configure automatic rotation with AWS Secrets Manager" is  used for rotating credentials, not encryption keys.

117. With AWS KMS you can encrypt files directly with a customer master key (CMK). A CMK can encrypt up to 4KB (4096 bytes) of data in a single encrypt, decrypt, or reencrypt operation. As CMKs cannot be exported from KMS this is a very safe way to encrypt small amounts of data.

118. SQS avoid processing message twice -> Use a FIFO queue and configure the producer to provide a message deduplication ID

119. The maximum long polling wait time is 20 seconds in SQS

120. The DeleteMessageBatch API deletes (upto 10) the specified message from the specified queue. To select the message to delete, use the ReceiptHandle of the message (not the MessageId which you receive when you send the message)

121. Create new API Key using CreateApiKey in API Gateway

122. If users gets 403 on new Api Key -> createUsagePlanKey method must be called to associate the newly created API key with the correct usage plan

123. SQS , process msg successfully and remove from queue without duplicate processing -> Retrieve the message with an increased visibility timeout, process the message, delete the message from the queue

124. The default visibility timeout for a message is 30 seconds. The minimum is 0 seconds. The maximum is 12 hours.

125. What is the BEST way to coordinate the complex invocation logic for the Lambda functions -> Step functions

126. Sticky sessions are a mechanism to route requests to the same target in a target group in ALB.

127. How to enable X-Ray in beanstalk -> Add a .ebextensions/xray-daemon.config file to the source code to enable the X-Ray daemon

128. Convert  query string param to arguments for the Lambda function -> using mapping template

129. In Dynamodb how to know how much RCU is used -> Monitor ConsumedReadCapacityUnits in metrics

130. Metrics produced by AWS services are standard resolution by default.

When you publish a custom metric, you can define it as either standard resolution or high resolution. 

When you publish a high-resolution metric, CloudWatch stores it with a resolution of 1 second, and you can read and retrieve it with a period of 1 second, 5 seconds, 10 seconds, 30 seconds, or any multiple of 60 seconds.

131. Amazon DynamoDB Accelerator (DAX) is a fully managed, highly available, in-memory cache for DynamoDB that delivers up to a 10x performance improvement – from milliseconds to microseconds – even at millions of requests per second.

132. Create a single page to view and manage all of the AWS resources -> Create a resource group

133. Deployed in the fastest possible time and application downtime is acceptable - All at once 

134. in ECS, Cluster queries are expressions that enable you to group objects. For example, you can group container instances by attributes such as Availability Zone, instance type, or custom metadata

135. control the placement of tasks onto groups of container instances organized by availability zone and instance type -> use CQL (Cluster Query Language)

136. From EC2, traces are not being sent to X-Ray -> The instance’s instance profile role does not have permission to upload trace data to X-Ray, The X-Ray daemon is not installed on the EC2 instance

137. AWS service can assist the Developers with automating the build, test, and deploy phases of the release process every time there is a code change -> Code pipeline

138. IAM user in the Development account needs to launch resources in the Production and Testing accounts -> Create a role with the required permissions in the Production and Testing accounts and have the Developer assume that role

139. We can use GenerateDataKey to obtain an encryption key from KMS that we can then use within the function code to encrypt the file.

140. Canary: Traffic is shifted in two increments. You can choose from predefined canary options.

141. Linear: Traffic is shifted in equal increments with an equal number of minutes between each increment

142. Use Amazon Cognito to associate unauthenticated users with an IAM role that has limited access to resources. If your application allows users who do not log in, you can enable access for unauthenticated identities using identity pools.

143. Lambda status code 202 -> async invokation successful

144. CLQ - Cluster Query Language enable you to group objects by AZ, Instance type or custom metric

145. Task placement constrain -> memberOf, distinctInstance

146. Task placement strategy -> binback, random, speread

147. Docker on beanstalk -> use Dockerrun.aws.json files in root of src

148. What method Developer should use to access the multi-factor authentication protected API -> GetSessionToken

149. AWSCredentialProviderChain

Env Var

Java Sys props

Default cred ~/.aws/credentials

AWS ECS Container cred

Instance profile cred

150. Async invoke lambda using CLI -> -invocation-type as event

151. Encryption at rest for data stored in Amazon Kinesis Data Streams

Enable server-side encryption on Kinesis Data Streams with an AWS KMS CMK

152. Deploy lambda using cloudformation ->

Create AWS::Lambda::Function, write code directly inside template

Zip in S3 with code, refer to it in AWS::Lambda::Function

153. Cognito developer authenticated identities, you can register and authenticate users via your own existing authentication process, while still using Amazon Cognito to synchronize user data and access AWS resources.

154. AWS Lambda (status code 429) -> The concurrency execution limit for the account has been exceeded

155. Metrics produced by AWS services are standard resolution by default

Standard have 1 min granularity

High can go upto 1 sec granularity

156. Need manual approval in code pipeline -> use approval action

157. For mobile user authentication -> Cognito user pools authorizer

158. Authenticate users by FB/Google acc to view image in S3 -> Cognito web identity federation

159. Task placement strategies and constraints are not supported for tasks using the Fargate launch type

160. forward execution result of Lambda -> use "on success" destination

161. How can the architecture be refactored to provide a single interface for the services -> API Gateway

162. The data encryption keys must be generated from a dedicated, tamper-resistant hardware device - CloudHSM

163. Connect codecommit using SSH -> Generate pub key and upload in developer's IAM account

164. AWS CloudFormation StackSets extends the functionality of stacks by enabling you to create, update, or delete stacks across multiple accounts and regions with a single operation.

165. The BatchGetItem operation returns the attributes of one or more items from one or more tables. 

You identify requested items by primary key.

A single operation can retrieve up to 16 MB of data, which can contain as many as 100 items. 

In order to minimize response latency, BatchGetItem retrieves items in parallel.

166. Lambda to write dynamodb about EC2 instance launch everytime -> Use CloudWatch even to look for pattern of EC2 state change and use lambda as target set

167. A Kinesis data stream stores records from 24 hours by default, up to 168 hours.

168. S3 gets upload across globe needs faster upload time -> S3 transfer acceleration

169. "sam init" SIMPLEST way for the Developer to get started with a Hello World Lambda function

170. To connect to AWS services from a private subnet with no internet access, use VPC endpoints

171. AppSpec Hooks

ECS

BeforeInstall, AfterInstall, AfterAllowTestTraffic,

BeforeAllowTraffic, AfterAllowTraffic

EC2

BeforeInstall, AfterInstall, AppStart, ValidateService

Lambda

BeforeAllowtraffic, AfterAllowTraffic

178. A deny list – actions are allowed by default, and you specify what services and actions are prohibited

An allow list – actions are prohibited by default, and you specify what services and actions are allowed

179. view a summary of proposed changes to an AWS CloudFormation stack without implementing the changes -> Create Change Set

180. a service that can coordinate multiple AWS services into serverless workflows -> Step Function

181. Lambda generates new file and upload in Codecommit -> Use AWS SDK in Lambda and use put_file method to add file to repo

182. ensure that all data that is sent to the S3 bucket is encrypted in transit -> Deny traffic if SecureTransport is False

183. collaborate and synchronize multiple distributed code repositories, centralized project dashboard -> Code Star

184. CMK to generate the encryption key -> kms:GenerateDataKey API

185. Lambda processing data from Kinesis stream -> Lambda will receive each record in exact order it was placed into shard. But no gurantee of order across shard

186. SQS delay queue -> Msg are hidden for the given time when it first added to the queue

187. SQS cannot be created in VPC because it is public service

188. Application contains EC2, Lambda, SQS needs to be in private VPC -> Create VPC end point for SQS and Add lambda to VPC

189. Lazy Loading cache -> Load when necessary (if cache miss)

190. Write Through cache -> update cache when write/update to db

191. Configure port mapping between the host and container -> task definition

192. serverless service for receiving streaming data and loading it directly into an Amazon Elasticsearch datastore -> Firehose

193. when using put-metric-data we need to give --dimentions param

194. SQS Extended Client Library is especially useful for storing and consuming messages up to 2 GB in size

195. SQS supports 256KB size message by default

196. A layer is a ZIP archive that contains libraries, a custom runtime, or other dependencies. 

With layers, you can use libraries in your function without needing to include them in your deployment package.

197. With an Application Load Balancer it is possible to route requests based on the domain name specified in the Host header

198. Kinesis Producer Library (KPL) simplifies producer application development, allowing developers to achieve high write throughput to a Kinesis data stream

199. FIFO (First-In-First-Out) queues are designed to enhance messaging between applications when the order of operations and events is critical, or where duplicates can't be tolerated

200. Refactor the app with high availability and fault tolerance -> Use ASG across multi AZ and ELB and use MultiAZ deployment for RDS


No comments:

Post a Comment