AWS Cloud Developer Associate Certification

Exam Tips

Stephen Exam-1

  1. Q-2 Which policy feature restricts a user to a directory in an S3 bucket (access to user-specific folders in an Amazon S3 bucket)?
    • IAM condition – [guessed, since it's the only one among the options that can have a decision tree] – Incorrect
      1. IAM policy principal – You can use the Principal element in a policy to specify the principal that is allowed or denied access to a resource. (In IAM, a principal is a person or application that can make a request for an action or operation on an AWS resource. The principal is authenticated as the AWS account root user or an IAM entity to make requests to AWS.) You cannot use the Principal element in an IAM identity-based policy; you can use it in the trust policies for IAM roles and in resource-based policies.
      2. IAM policy variables – Instead of creating individual policies for each user, you can use policy variables and create a single policy that applies to multiple users (a group policy). Policy variables act as placeholders. When you make a request to AWS, the placeholder is replaced by a value from the request when the policy is evaluated. (It is a placeholder in the Condition section of the policy.)
      3. IAM policy condition – The Condition element (or Condition block) lets you specify conditions for when a policy is in effect, like so: "Condition" : { "StringEquals" : { "aws:username" : "johndoe" }}. This cannot be used to address the requirements of the given use case.
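Added example (Python, not from the original notes or from AWS): a toy policy evaluator that substitutes ${aws:username} the way IAM does at evaluation time, so the policy-variable statement can be compared with the hard-coded Condition from option 3. The bucket name, user names and object keys are constructed, and only the StringEquals operator is modelled.

```python
import fnmatch
import re

# Constructed identity-based policy using a policy variable: every user is
# scoped to home/<their own username>/ without needing a per-user policy.
POLICY_WITH_VARIABLE = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-bucket/home/${aws:username}/*",
    }],
}

# The hard-coded Condition from option 3: it only ever fits one user, and that
# user is not restricted to their own folder.
POLICY_HARDCODED = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-bucket/home/*",
        "Condition": {"StringEquals": {"aws:username": "johndoe"}},
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def substitute(text, ctx):
    """Replace ${key} placeholders with request-context values, as IAM does at evaluation time."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: ctx.get(m.group(1), m.group(0)), text)


def condition_holds(condition, ctx):
    """Only the StringEquals operator is modelled; every listed key must match."""
    for key, expected in condition.get("StringEquals", {}).items():
        if ctx.get(key) not in _as_list(expected):
            return False
    return True


def evaluate(policy, action, resource, ctx):
    """Return 'Allow' or 'Deny': implicit deny unless a statement matches, explicit Deny wins."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        patterns = [substitute(r, ctx) for r in _as_list(stmt["Resource"])]
        if not any(fnmatch.fnmatchcase(resource, p) for p in patterns):
            continue
        if not condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


if __name__ == "__main__":
    own = "arn:aws:s3:::example-bucket/home/alice/report.pdf"
    other = "arn:aws:s3:::example-bucket/home/bob/report.pdf"
    alice = {"aws:username": "alice"}
    print(evaluate(POLICY_WITH_VARIABLE, "s3:GetObject", own, alice))    # Allow
    print(evaluate(POLICY_WITH_VARIABLE, "s3:GetObject", other, alice))  # Deny
    print(evaluate(POLICY_HARDCODED, "s3:GetObject", own, alice))        # Deny: not johndoe
```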
  2. Q-4 Configuration needed to deploy over a fleet of EC2 instances using blue/green deployment
    • CodeDeploy (guessed – the only one among the options that is a deployment service) – Correct
      1. The blue/green deployment type uses the blue/green deployment model controlled by CodeDeploy. This deployment type enables you to verify a new deployment of a service before sending production traffic to it.
  3. Q-8 SAM framework – which is NOT a serverless resource type?
    • AWS::serverless::Userpool [Correct]
    • AWS::serverless::function [because Lambdas are functions]
    • AWS::serverless::api [serverless because API Gateway is]
    • AWS::serverless::table [DynamoDB is serverless]
      1. SAM supports the following resource types:
        1. AWS::Serverless::Api
        2. AWS::Serverless::Application
        3. AWS::Serverless::Function
        4. AWS::Serverless::HttpApi
        5. AWS::Serverless::LayerVersion
        6. AWS::Serverless::SimpleTable
        7. AWS::Serverless::StateMachine
  4. Q-9 The team has configured inbound traffic for the relevant ports in both the Security Group of the EC2 instance and the NACL, but is still unable to access the application. Why? (Mnemonic: Security Group has an S, so stateful; NACL is stateless.)
    • Known – outbound is allowed by default
  5. Q-12 Selecting an AMI for multi-region deployment – how to invoke !FindInMap
    • Thought process – went with intermediate parameters – intuition
    • Correct answer = !FindInMap [ MapName, TopLevelKey, SecondLevelKey ]. YAML syntax for the full function name: Fn::FindInMap: [ MapName, TopLevelKey, SecondLevelKey ]
Mappings:
  RegionMap:
    us-east-1:
      HVM64: "ami-0ff8a91507f77f867"
  1. Q-13 Deployment in Elastic Beanstalk (EBT) – with RDS for storage so that it keeps its previous state, and ElastiCache for session management, which can be recreated
    • Thought process – externalise RDS so it is not dependent on the EBT environment state, and link ElastiCache to EBT (.ebextensions) – Correct
      1. ElastiCache defined in .ebextensions/ – Any resources created as part of your .ebextensions is part of your Elastic Beanstalk template and will get deleted if the environment is terminated.
  2. Q-14 Feature of API Gateway to format the API response
    • Thought process – intuition – the name "template" matches formatting – Correct
      1. Use API Gateway mapping templates – API Gateway lets you use mapping templates to map the payload from a method request to the corresponding integration request, and from an integration response to the corresponding method response.
  3. Q-16 How does KMS encryption work?
    • Thought process – the CMK should come from the client – Incorrect (it can come from the client, but it is stored in AWS KMS)
      1. KMS stores the CMK, receives data from the clients, encrypts it and sends it back.
  4. Q-20 T2.micro is free
    • Thought process – intuition / the EC2 creation process – Correct
      1. Burstable performance instances, which are T3, T3a, and T2 instances, are designed to provide a baseline level of CPU performance with the ability to burst to a higher level when required by your workload. Burstable performance instances are the only instance types that use credits for CPU usage.
  5. Q-22 What does Transform: 'AWS::Serverless-2016-10-31' in a YAML template represent?
    • Thought process – SAM, since it is not in normal CDK/CloudFormation – Correct
  6. Q-23 SQS API
    • Thought process- Facts
      1. DeleteQueue – Deletes the queue specified by the QueueUrl, regardless of the queue’s contents. When you delete a queue, any messages in the queue are no longer available.
        • When you delete a queue, the deletion process takes up to 60 seconds. Requests you send involving that queue during the 60 seconds might succeed. For example, a SendMessage request might succeed, but after 60 seconds the queue and the message you sent no longer exist.
        • When you delete a queue, you must wait at least 60 seconds before creating a queue with the same name.
  7. Q-26 Reason a budget alert was not received
    • Thought process – could not be the 5-week forecast since it works on current data; went by intuition, but the developer has enabled it (not without a reason) – Incorrect
      1. AWS requires approximately 5 weeks of usage data to generate budget forecasts – AWS Budgets lets customers set custom budgets and receive alerts if their costs or usage exceed (or are forecasted to exceed) their budgeted amount.
  8. Q-27 Who has access to the AWS Billing and Cost Management service in the AWS console?
    • Thought process – only root, since per the question there was no visibility even after granting permission – Incorrect
      1. Correct – You need to activate IAM user access to the Billing and Cost Management console for all the users who need access. By default, IAM users do not have access to the AWS Billing and Cost Management console; you or your account administrator must grant users access. You do this by activating IAM user access to the Billing and Cost Management console and attaching an IAM policy to your users. IAM user access must be activated for the IAM policies to take effect, and you only need to activate it once.
  9. Q-30 Cost-effective deployment for high traffic and availability
    • Thought process – rolling in batches – Correct
  10. Q-37 When EC2 user data runs
    • Thought process – intuition – every time it boots up, and with root privileges by default – partially correct
      1. By default, scripts entered as user data are executed with root user privileges – Scripts entered as user data are executed as the root user, so they do not need the sudo command in the script. Any files you create will be owned by root; if you need non-root users to have file access, you should modify the permissions accordingly in the script.
      2. By default, user data runs only during the boot cycle when you first launch an instance – By default, user data scripts and cloud-init directives run only during the boot cycle when you first launch an instance. You can update your configuration to ensure that your user data scripts and cloud-init directives run every time you restart your instance.
  11. Q-39 EC2 burst balances
    • Thought process – fact – with an immutable deployment the burst balance may be lost
  12. Q-40 Which AWS service does EBT rely on for provisioning?
    • Thought process – CloudFormation – Correct
  13. Q-41 Which MFA mechanism is NOT available for root user authentication?
    • Thought process – intuition – Virtual MFA – Incorrect
      1. Correct: SMS-based PIN is not available for the root user, only for IAM users.
  14. Q-47 Sections of a CloudFormation YAML template
    • Thought process – fact
      1. Resources (mandatory)
      2. Parameters
      3. Conditions
  15. Q-54 Which section of a CloudFormation template does not allow conditions?
    • Thought process- Fact
      1. Parameters
  16. Q-57 EBT deployment

Stephen Exam-2

  1. Q-1 Step Functions representation of a step
    • [Thought Process] – fact – the option that only has a pointer to the next state and the result of the current one.
      1. A Task state ("Type": "Task") represents a single unit of work performed by a state machine. Also, the Resource field is a required parameter for a Task state.
//correct
"HelloWorld": {
  "Type": "Task",
  "Resource": "arn:aws:lambda:us-east-1:123456789012:function:HelloFunction",
  "Next": "AfterHelloWorldState",
  "Comment": "Run the HelloWorld Lambda function"
}
//Other notes
A Wait state ("Type": "Wait") delays the state machine from continuing for a specified time.
//other note
"FailState": {
  "Type": "Fail",
  "Cause": "Invalid response.",
  "Error": "ErrorA"
}
This definition is not of a Task but of type Pass.
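Added example (Python, not from the original notes or from AWS): a small linter for Amazon States Language state definitions that checks the rule noted above (a Task must carry a Resource) together with the standard Next/End rules, run over the two definitions quoted above plus two constructed broken states.

```python
import json

TERMINAL_TYPES = {"Fail", "Succeed"}  # these end the execution: no Next/End allowed
# Fields a state needs beyond Type before it can run.
REQUIRED_FIELDS = {"Task": ["Resource"], "Choice": ["Choices"], "Parallel": ["Branches"]}
WAIT_FIELDS = ("Seconds", "Timestamp", "SecondsPath", "TimestampPath")


def lint_state(name, state):
    """Return a list of problems for one state definition (empty if it looks valid)."""
    problems = []
    stype = state.get("Type")
    if stype is None:
        return [f"{name}: missing Type"]
    for field in REQUIRED_FIELDS.get(stype, []):
        if field not in state:
            problems.append(f"{name}: {stype} state requires {field}")
    if stype == "Wait" and not any(k in state for k in WAIT_FIELDS):
        problems.append(f"{name}: Wait state needs one of {', '.join(WAIT_FIELDS)}")
    has_next, has_end = "Next" in state, state.get("End") is True
    if stype in TERMINAL_TYPES or stype == "Choice":
        # Terminal states end the execution; Choice transitions via Choices/Default.
        if has_next or has_end:
            problems.append(f"{name}: {stype} state must not have Next or End")
    elif has_next == has_end:
        problems.append(f"{name}: exactly one of Next or End is required")
    return problems


def lint_states(states_json):
    """Lint every state in a JSON object mapping state name -> definition."""
    states = json.loads(states_json)
    return [p for name, state in states.items() for p in lint_state(name, state)]


# Sample input: the two definitions quoted in the notes above, plus a constructed
# Task without Resource and a constructed Pass state with neither Next nor End.
SAMPLE_STATES = json.dumps({
    "HelloWorld": {
        "Type": "Task",
        "Resource": "arn:aws:lambda:us-east-1:123456789012:function:HelloFunction",
        "Next": "AfterHelloWorldState",
        "Comment": "Run the HelloWorld Lambda function",
    },
    "FailState": {"Type": "Fail", "Cause": "Invalid response.", "Error": "ErrorA"},
    "BrokenTask": {"Type": "Task", "Next": "FailState"},
    "DanglingPass": {"Type": "Pass"},
})

if __name__ == "__main__":
    for problem in lint_states(SAMPLE_STATES):
        print(problem)
```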

  1. Q-2 DynamoDB write option to prevent overwrites
    • [Thought Process] – fact – guessed atomic – incorrect
      1. Conditional writes – DynamoDB optionally supports conditional writes for write operations (PutItem, UpdateItem, DeleteItem). A conditional write succeeds only if the item attributes meet one or more expected conditions. Otherwise, it returns an error.
        • For example, you might want a PutItem operation to succeed only if there is not already an item with the same primary key. Or you could prevent an UpdateItem operation from modifying an item if one of its attributes has a certain value. Conditional writes are helpful in cases where multiple users attempt to modify the same item. This is the right choice for the current scenario.
      2. Batch writes – Batch operations (read and write) help reduce the number of network round trips from your application to DynamoDB. In addition, DynamoDB performs the individual read or write operations in parallel. Applications benefit from this parallelism without having to manage concurrency or threading. But this is of no use in the current scenario of overwritten changes.
      3. Atomic counters – An atomic counter is a numeric attribute that is incremented, unconditionally, without interfering with other write requests. You might use an atomic counter to track the number of visitors to a website. This functionality is not useful for the current scenario.
      4. Use Scan operation – A Scan operation in Amazon DynamoDB reads every item in a table or a secondary index. By default, a Scan operation returns all of the data attributes for every item in the table or index. This is given as a distractor and not related to DynamoDB item updates.
  2. Q-3 DynamoDB feature that enables updates together with consistent reads
    • [Thought Process] – fact – so chose the option "consistent read with update" – incorrect
      1. Use ConsistentRead = true while doing a GetItem operation for any item
        • DynamoDB supports eventually consistent and strongly consistent reads.
          • Strongly Consistent Reads – When you request a strongly consistent read, DynamoDB returns a response with the most up-to-date data, reflecting the updates from all prior write operations that were successful.
          • Eventually Consistent Reads – When you read data from a DynamoDB table, the response might not reflect the results of a recently completed write operation. The response might include some stale data. If you repeat your read request after a short time, the response should return the latest data.
        • DynamoDB uses eventually consistent reads by default. Read operations (such as GetItem, Query, and Scan) provide a ConsistentRead parameter. If you set this parameter to true, DynamoDB uses strongly consistent reads during the operation. As per the given use-case, to make sure that only the last updated value of any item is used in the application, you should use strongly consistent reads by setting ConsistentRead = true for GetItem operation.
  3. Q-4 Data stream throttling – ProvisionedThroughputExceeded exception
    • [Thought Process] – fact – can't use SQS for a huge chunk of data
      1. Increase shards and try exponential backoff
  4. Q-5 DynamoDB fact on permissions for DB operations – MINIMUM IAM permissions the Lambda function needs to achieve this functionality (upsert)
    • [Thought Process] – fact – to process 3 operations you need 3 permissions (incorrect)
      1. dynamodb:UpdateItem and dynamodb:GetItem permissions are sufficient for the above operation
  5. Q-7 ELB fact on what it does if an EC2 instance's health check is unhealthy, with a few parameters
    • [Thought Process] – the default is that it terminates
      1. Correct
  6. Q-9 NoSQL DB configuration for making consistent reads under specific criteria
    • [Thought Process] – fact – since 10 consistent reads are required and each has a 6 KB size, so make it 60
      1. RCU (strongly consistent) = 4 KB/sec and WCU = 1 KB/sec
  7. Q-11 Scaling policy fact
    • [Thought Process] – since the policy says to add 3 instances, 3 new instances will be added
      1. Only 1 more, to make it the max
  8. Q-12 Mandatory template section in SAM apart from Resources
    • [Thought Process] – fact – as the others are not, so Globals | Transform – never heard of Globals, so chose Transform
      1. SAM – Resources and Transform are mandatory
  9. Q-14 fact on – Target Tracking Scaling Policy
    • [Thought Process] –
    • You cannot use a target tracking scaling policy to scale out your Auto Scaling group when the specified metric is below the target value.
      1. EC2 Auto Scaling group to scale dynamically – Target Tracking Scaling Policy
        1. ASGAverageCPUUtilization
        2. ASGAverageNetworkOut 
        3. ALBRequestCountPerTarget
        4. Incorrect: ApproximateNumberOfMessagesVisible – this is a CloudWatch Amazon SQS queue metric
  10. Q- AWS-specific parameter types
    • [Thought Process] – an AWS key-value pair does not seem to be a parameter type
      1. CloudFormation currently supports the following parameter types:
        • String – A literal string
        • Number – An integer or float
        • List<Number> – An array of integers or floats
        • CommaDelimitedList – An array of literal strings that are separated by commas
        • AWS::EC2::KeyPair::KeyName – An Amazon EC2 key pair name
        • AWS::EC2::SecurityGroup::Id – A security group ID
        • AWS::EC2::Subnet::Id – A subnet ID
        • AWS::EC2::VPC::Id – A VPC ID
        • List<AWS::EC2::VPC::Id> – An array of VPC IDs
        • List<AWS::EC2::SecurityGroup::Id> – An array of security group IDs
        • List<AWS::EC2::Subnet::Id> – An array of subnet IDs
  1. Q-17 CI/CD using AWS-specific tools – where to place the code for validating the deployment
    • [Thought Process] – should be at the root since it's not the build process, but build and deploy are kind of alike, so in CodeDeploy and appspec.yml since it is more generic
      1. Define an appspec.yml file in the root directory: An AppSpec file must be a YAML-formatted file named appspec.yml and it must be placed in the root of the directory structure of an application’s source code
      2. Define a buildspec.yml file in the root directory – This is a file used by AWS CodeBuild to run a build. This is not relevant to the given use case.
  2. Q-18 CloudFront (CF) signer
    • [Thought Process] – known – CloudFront is only available to the root account
      1. Public key in the cloud and private key with us. The root account with CF has 2 key pairs, but a CF key group can have any number (by default 4).
  3. Q-23 Which sink types are supported by Kinesis Firehose?
    • [Thought Process] – fact – what is a sink, and what does it support?
      1. Kinesis Firehose supported sinks:
        1. Destinations such as Amazon Simple Storage Service (Amazon S3), Amazon Redshift, Amazon Elasticsearch Service (Amazon ES), and Splunk.
        2. ElastiCache is NOT a supported destination for Amazon Kinesis Data Firehose.
    • ECR – To deploy a container image to Lambda, the container image must implement the Lambda Runtime API
  4. Configuration for io1 EBS volume types
    1. The maximum ratio of provisioned IOPS to requested volume size (in GiB) is 50:1. So, for a 200 GiB volume, the maximum IOPS possible is 200 * 50 = up to 10,000 IOPS.
  5. Q-26 EC2 charges if at runtime extra instances are used in addition to the particular purchased type
    • [Thought Process] – go by on-demand pricing
      1. CORRECT
  6. Q-33 Intrinsic function to make a resource parameter reusable
    • [Thought Process] – since it's a resource, so Ref
      1. !Ref CORRECT
  7. EC2 configured on a General Purpose SSD (gp2) volume
    1. Larger volumes have higher baseline performance levels and accumulate I/O credits faster.
  8. Q-53 Faster deployment, changes to EBT?
    • [Thought Process] – dependencies in EBT


Quick Notes

Index

  1. EC2
    1. Instances-type and billing
  2. Lambda
    1. Versioning
  3. Scaling policy
  4. S3 Bucket
    1. Security
  5. Deployment solution
    1. immutable
    2. blue-green
    3. rolling
    4. rolling-batch
  6. IAM policies
    1. Identity Based
    2. Resource based
    3. Policy types
  7. Security
    1. Security-Group
    2. NACL
    3. Introduction, Defence order, Occurrence
  8. ALB
  9. DynamoDB
    1. Read-consistency


EC2

EC2/DynamoDB IOPS (Test2 Q-38)


Lambda


S3 Bucket security

  • IAM Access Analyzer – AWS IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity. This lets you identify unintended access to your resources and data, which is a security risk
  • Access Advisor feature on IAM console – To help identify unused roles, IAM reports the last-used timestamp that represents when a role was last used to make an AWS request. Your security team can use this information to identify, analyze, and then confidently remove unused roles. This helps improve the security posture of your AWS environments. It does not provide information about non-IAM entities such as S3. (Access Analyzer shows the resources shared externally; Access Advisor shows the last time a role was used.)

Deployment Solutions

  • EBT: a few instances fail to deploy
  • EBT deployment of a new feature of an application to EC2, where some servers run the old deployment and others the new one until the deployment is completed. Which model to use?
    1. Rolling – instance-by-instance deployment on existing instances, maintaining traffic on both old and new until deployed
    2. Immutable – The ‘Immutable’ deployment policy ensures that your new application version is always deployed to new instances, instead of updating existing instances. It also has the additional advantage of a quick and safe rollback in case the deployment fails.


IAM Policies

Broadly categorised as –

  • IAM resource based policies – applies to resources
  • IAM identity-based policies – apply to the user (credentials) or application accessing the resource (not the resource itself)

Cognito User Pool vs Cognito Identity Pool


Security

Security Group and NACL

Terms related to SG – the protocol/port permission (allow/deny) for traffic to resources (EC2) and the resource-to-SG relation (whether applied by default)

  • Security groups are stateful — if you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound security group rules. Responses to allowed inbound traffic are allowed to flow out, regardless of outbound rules.
  • By default, a security group includes an outbound rule that allows all outbound traffic. You can remove the rule and add outbound rules that allow specific outbound traffic only. If your security group has no outbound rules, no outbound traffic originating from your instance is allowed.
  • If you launch an instance using the Amazon EC2 API or a command line tool and you don’t specify a security group, the instance is automatically assigned to the default security group for the VPC. If you launch an instance using the Amazon EC2 console, you have an option to create a new security group for the instance.
  • Instances associated with a security group can’t talk to each other unless you add rules allowing the traffic (exception: the default security group has these rules by default).
  • It supports only allow rules; by default, all traffic not explicitly allowed is denied. You cannot add a deny rule for a connection.

SG – https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html

NACL

Network ACLs are stateless: a rule applied to incoming traffic is not applied to the outgoing traffic. E.g. if you allow incoming port 80, you also need to add a rule for the outgoing (response) traffic.

  • NACL supports both allow and deny rules, and by default all traffic is denied. You need to add rules that either allow or deny traffic.

Defense order

For inbound/ingress traffic, the Network ACL is the first layer of defense and the Security Group is the second layer.

For outbound/egress traffic, the Security Group is the first layer of defense and the Network ACL is the second layer.

Occurrence

A subnet can have only one NACL, whereas an instance can have multiple security groups (5, to be exact).
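Added example (Python, not from the original notes or from AWS): a small model of the Exam-1 Q-9 situation, tracing one client request and its reply through a stateful security group and a stateless network ACL. The rule sets, port numbers and the ephemeral port range assumed for replies are constructed.

```python
# Assumption: reply traffic to a client goes to a source port in this ephemeral range.
EPHEMERAL_PORTS = (1024, 65535)


def sg_allows(rules, direction, port):
    """Security group: allow-only rules; any matching rule allows, otherwise implicit deny."""
    return any(lo <= port <= hi for d, lo, hi in rules if d == direction)


def nacl_allows(rules, direction, port):
    """Network ACL: rules are evaluated in ascending rule-number order and the first
    match decides; the implicit final '*' rule denies anything not matched."""
    for _num, d, lo, hi, effect in sorted(rules):
        if d == direction and lo <= port <= hi:
            return effect == "allow"
    return False


def request_served(sg_rules, nacl_rules, service_port, client_port):
    """Trace one client request into the instance and its reply back out.
    Returns (served, reason)."""
    # Request leg: client -> instance. Both layers must allow inbound on the service port.
    if not nacl_allows(nacl_rules, "in", service_port):
        return False, "NACL blocked the inbound request"
    if not sg_allows(sg_rules, "in", service_port):
        return False, "security group blocked the inbound request"
    # Reply leg: instance -> client. The stateful security group remembers the
    # connection and lets the reply out whatever its outbound rules say, so only
    # the stateless NACL is consulted, and it needs an outbound rule of its own.
    if not nacl_allows(nacl_rules, "out", client_port):
        return False, "NACL blocked the reply: no outbound rule for the client's ephemeral port"
    return True, "request and reply both allowed"


# Constructed rule sets for the Q-9 scenario. SG rules: (direction, from_port, to_port).
# NACL rules: (rule_number, direction, from_port, to_port, effect).
SG_WEB = [("in", 80, 80)]  # no outbound rules at all; replies still leave (stateful)
NACL_INBOUND_ONLY = [(100, "in", 80, 80, "allow")]
NACL_FIXED = NACL_INBOUND_ONLY + [(100, "out", *EPHEMERAL_PORTS, "allow")]

if __name__ == "__main__":
    print(request_served(SG_WEB, NACL_INBOUND_ONLY, 80, 40000))  # reply blocked by NACL
    print(request_served(SG_WEB, NACL_FIXED, 80, 40000))         # served
```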

CLI Options


Queue / Application Integration

  1. The dead-letter queue of a FIFO queue must also be a FIFO queue. Similarly, the dead-letter queue of a standard queue must also be a standard queue.


Application Load Balancer (Application/Network/Classic)

The team wants to analyze the incoming requests for latencies and the client’s IP address patterns, which feature of ALB provides this?

ALB access logs – Elastic Load Balancing provides access logs that capture detailed information about requests sent to your load balancer. Each log contains information such as the time the request was received, the client’s IP address, latencies, request paths, and server responses. You can use these access logs to analyze traffic patterns and troubleshoot issues. Access logging is an optional feature of Elastic Load Balancing that is disabled by default.

ALB request tracing – You can use request tracing to track HTTP requests. The load balancer adds a header with a trace identifier to each request it receives. Request tracing will not help you to analyze latency specific data.


DynamoDB

Published by


sevanand yadav

Software engineer working as a web developer, specializing in Spring MVC with MySQL and Hibernate.
