sveska

AWS CDA Practice Test 6

Deployment

  • Your client wants to deploy a service on EC2 instances, and as EC2 instances are added into an ASG, each EC2 instance should be running 3 different Docker containers simultaneously. What Elastic Beanstalk platform should they choose? Answer: the Docker multi-container platform. Docker is a container platform that allows you to define your software stack and store it in an image that can be downloaded from a remote repository. Use the Multicontainer Docker platform if you need to run multiple containers on each instance. The Multicontainer Docker platform does not include a proxy server. Elastic Beanstalk uses Amazon Elastic Container Service (Amazon ECS) to coordinate container deployments to multi-container Docker environments.
  • You have created a test environment in Elastic Beanstalk and, as part of that environment, you have created an RDS database. How can you make sure the database can still be explored after the environment is destroyed? Answer: make a snapshot of the database before it gets deleted. You can also use an Elastic Beanstalk blue (environment A)/green (environment B) deployment to decouple the RDS DB instance from the environment.

Refactoring

  • You are running a public DNS service on an EC2 instance where the DNS name is pointing to the IP address of the instance. You wish to upgrade your DNS service but would like to do it without any downtime. Which of the following options will help you accomplish this? Answer: Elastic IP. Route 53 is a DNS managed by AWS, but nothing prevents you from running your own DNS (it is just software) on an EC2 instance. The trick of this question is that it is about EC2 running some software that needs a fixed IP, and not about Route 53 at all. DNS services are identified by a public IP, so you need to use an Elastic IP.
  • You would like to paginate the results of an S3 List to show 100 results per page to your users and minimize the number of API calls that you will use. Which CLI options should you use? (Select two) Answer: --max-items and --starting-token. For commands that can return a large list of items, the AWS Command Line Interface (AWS CLI) has three options to control the number of items included in the output when the AWS CLI calls a service's API to populate the list: --page-size, --max-items, and --starting-token. By default, the AWS CLI uses a page size of 1000 and retrieves all available items.
  • You are running a web application where users can author blogs and share them with their followers. Most of the workflow is read based, but when a blog is updated, you would like to ensure that the latest data is served to the users (no stale data). The Developer has already suggested using ElastiCache to cope with the read load but has asked you to implement a caching strategy that complies with the requirements of the site. Which strategy would you recommend? Answer: use a Write Through strategy. The write-through strategy adds data or updates data in the cache whenever data is written to the database. In a Write Through strategy, any new blog or update to the blog will be written to both the database layer and the caching layer, thus ensuring that the latest data is always served from the cache.
  • You are creating a web application in which users can follow each other. Some users will be more popular than others and thus their data will be requested very often. Currently, the user data sits in RDS and it has been recommended by your Developer to use ElastiCache as a caching layer to improve the read performance. The whole dataset of users cannot sit in ElastiCache without incurring tremendous costs and therefore you would like to cache only the most often requested user profiles there. As your website is high traffic, it is acceptable to have stale data for users for a while, as long as the stale data is less than a minute old. What caching strategy do you recommend implementing? Answer: use a Lazy Loading strategy with TTL. Lazy loading is a caching strategy that loads data into the cache only when necessary. Whenever your application requests data, it first requests the ElastiCache cache. If the data exists in the cache and is current, ElastiCache returns the data to your application. If the data does not exist in the cache or has expired, your application requests the data from your data store. Your data store then returns the data to your application. In this case, data that is actively requested by users will be cached in ElastiCache, and thanks to the TTL, we can expire that data after a minute to limit the data staleness.

Monitoring

  • Your client has tasked you with finding a service that would enable you to get cross-account tracing and visualization. Which service do you recommend? Answer: AWS X-Ray. AWS X-Ray is a service that collects data about requests that your application serves and provides tools you can use to view, filter, and gain insights into that data to identify issues and opportunities for optimization. For any traced request to your application, you can see detailed information not only about the request and response but also about calls that your application makes to downstream AWS resources, microservices, databases and HTTP web APIs.
  • You have been collecting AWS X-Ray traces across multiple applications and you would now like to index your X-Ray traces to search and filter through them efficiently. What should you use in your instrumentation? Answer: annotations. AWS X-Ray helps developers analyze and debug production, distributed applications, such as those built using a microservices architecture. With X-Ray, you can understand how your application and its underlying services are performing to identify and troubleshoot the root cause of performance issues and errors. X-Ray provides an end-to-end view of requests as they travel through your application, and shows a map of your application's underlying components.
  • You would like to run the X-Ray daemon for your Docker containers deployed using AWS Fargate. What do you need to do to ensure the setup will work? (Select two) Answer: deploy the X-Ray daemon agent as a sidecar container, and provide the correct IAM task role to the X-Ray container.

Security

  • You would like your Elastic Beanstalk environment to expose an HTTPS endpoint and an HTTP endpoint. The HTTPS endpoint should be used to get in-flight encryption between your clients and your web servers, while the HTTP endpoint should only be used to redirect traffic to HTTPS and support URLs starting with http://. What must be done to configure this setup? (Select three) Answer: (1) Assign an SSL certificate to the Load Balancer; this ensures that the Load Balancer can expose an HTTPS endpoint. (2) Open up port 80 and port 443; this ensures that the Load Balancer will allow both the HTTP (80) and HTTPS (443) protocols for incoming connections. (3) Configure your EC2 instances to redirect HTTP traffic to HTTPS; this ensures that traffic arriving over HTTP at the Load Balancer is redirected to HTTPS by the EC2 instances before being served, so the traffic served is fully encrypted.
  • A security company is requiring all developers to perform server-side encryption with customer-provided encryption keys when performing operations in AWS S3. Developers should write software in C# using the AWS SDK and implement the requirement in the PUT, GET, HEAD, and COPY operations. Which of the following encryption methods meets this requirement? Answer: SSE-C. With SSE-C the customer supplies the key as part of each request and S3 does not store it, which is why the same key must be provided on GET, HEAD and COPY as well as on PUT. You have the following options for protecting data at rest in Amazon S3: Server-Side Encryption, where you request Amazon S3 to encrypt your object before saving it on disks in its data centers and then decrypt it when you download the objects; and Client-Side Encryption, where you encrypt data client-side and upload the encrypted data to Amazon S3. In that case, you manage the encryption process, the encryption keys, and related tools.
  • Your company likes to operate multiple AWS accounts so that teams have their own environments. Services deployed across these accounts interact with one another, and now there is a requirement to implement X-Ray traces across all your applications deployed on EC2 instances and AWS accounts. As such, you would like to have a unified account to view all the traces. What should you do in your X-Ray daemon setup to make this work? (Select two) Answer: create a role in the target unified account and allow roles in each sub-account to assume the role, and configure the X-Ray daemon to use an IAM instance role. The X-Ray agent can assume a role to publish data into an account different from the one in which it is running. This enables you to publish data from various components of your application into a central account. X-Ray can also track requests flowing through applications or services across multiple AWS Regions.
  • You were assigned to a project that requires the use of the AWS CLI to build a project with AWS CodeBuild. Your project's root directory includes the buildspec.yml file to run build commands, and you would like your build artifacts to be automatically encrypted at the end. How should you configure CodeBuild to accomplish this? Answer: specify a KMS key to use. AWS Key Management Service (KMS) makes it easy for you to create and manage cryptographic keys and control their use across a wide range of AWS services and in your applications. For AWS CodeBuild to encrypt its build output artifacts, it needs access to an AWS KMS customer master key (CMK). By default, AWS CodeBuild uses the AWS-managed CMK for Amazon S3 in your AWS account.
  • Your company is new to cloud computing and would like to host a static HTML5 website on the cloud and be able to access it via the domain www.mycompany.com. You have created a bucket in Amazon Simple Storage Service (S3), enabled website hosting, and set index.html as the default page. Finally, you create an Alias record in Amazon Route 53 that points to the S3 website endpoint of your S3 bucket. When you test the domain www.mycompany.com you get the following error: 'HTTP response code 403 (Access Denied)'. What can you do to resolve this error? Answer: create a bucket policy. A bucket policy is an access policy option available for you to grant permission to your Amazon S3 resources. It uses a JSON-based access policy language. If you want to configure an existing bucket as a static website that has public access, you must edit the block public access settings for that bucket. You may also have to edit your account-level block public access settings.
  • Your company has developers worldwide with access to the company's Amazon Simple Storage Service (S3) buckets. The objects in the buckets are encrypted at the server side, but you need more flexibility with access control, auditing, rotation, and deletion of keys. You would also like to limit who can use the key. Which encryption mechanism best fits your needs? Answer: SSE-KMS. Server-Side Encryption with Customer Master Keys (CMKs) stored in AWS Key Management Service (SSE-KMS) is similar to SSE-S3. SSE-KMS provides you with an audit trail that shows when your CMK was used and by whom. Additionally, you can create and manage customer-managed CMKs or use AWS managed CMKs that are unique to you, your service, and your Region.
  • A media company wants to migrate a video editing service to Amazon EC2 while following security best practices. The videos are sourced and read from a non-public S3 bucket. As a Developer Associate, which of the following solutions would you recommend for the given use-case? Answer: set up an EC2 service role with read-only permissions for the S3 bucket and attach the role to the EC2 instance profile. As an AWS security best practice, you should not create an IAM user and pass the user's credentials to the application or embed the credentials in the application. Instead, create an IAM role that you attach to the EC2 instance to give temporary security credentials to applications running on the instance. When an application uses these credentials in AWS, it can perform all of the operations that are allowed by the policies attached to the role. So for the given use-case, you should create an IAM role with read-only permissions for the S3 bucket and apply it to the EC2 instance profile.
  • You have just deployed an AWS Lambda function. The Lambda function will be invoked via API Gateway, and API Gateway will need to control access to it. Which of the following mechanisms is not supported for API Gateway? Answer: STS. The AWS Security Token Service (STS) is a web service that enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or for users that you authenticate (federated users). However, it is not supported with API Gateway at this time.

Development with AWS

  • You are looking to invoke an AWS Lambda function every hour (similar to a cron job) in a serverless way. Which event source should you use for your AWS Lambda function? Answer: CloudWatch Events. You can create a Lambda function and direct CloudWatch Events to execute it on a regular schedule. You can specify a fixed rate (for example, execute a Lambda function every hour or every 15 minutes), or you can specify a cron expression.
  • The development team at an e-commerce company is preparing for the upcoming Thanksgiving sale. The product manager wants the development team to implement an appropriate caching strategy on Amazon ElastiCache to withstand traffic spikes on the website during the sale. A key requirement is to facilitate consistent updates to the product prices and product descriptions, so that the cache never goes out of sync with the backend. As a Developer Associate, which of the following solutions would you recommend for the given use-case? Answer: use a caching strategy that writes to the backend first and then invalidates the cache. This option is similar to the write-through strategy, wherein the application writes to the backend first and then invalidates the cache. As the cache gets invalidated, the caching engine then fetches the latest value from the backend, thereby making sure that the product prices and product descriptions stay consistent with the backend.
  • Your company wants to move away from manually managing Lambda functions in the AWS console and wants to upload and update them using AWS CloudFormation. How do you declare an AWS Lambda function in CloudFormation? (Select two) Answer: (1) write the AWS Lambda code inline in CloudFormation in the AWS::Lambda::Function block, as long as there are no dependencies; (2) upload all the code as a zip to S3 and reference the object in the AWS::Lambda::Function block.
  • As part of your video processing application, you are looking to perform a set of repetitive and scheduled tasks asynchronously. Your application is deployed on Elastic Beanstalk. Which Elastic Beanstalk environment should you set up for performing the repetitive tasks? Answer: a worker environment. For a worker environment, you need a cron.yaml file to define the cron jobs that perform the repetitive tasks.
  • You are storing bids information on your betting application and you would like to automatically expire DynamoDB table data after one week. What should you use? Answer: use TTL. Time To Live (TTL) for DynamoDB allows you to define when items in a table expire so that they can be automatically deleted from the database. TTL is provided at no extra cost as a way to reduce storage usage and reduce the cost of storing irrelevant data without using provisioned throughput. With TTL enabled on a table, you can set a timestamp for deletion on a per-item basis, allowing you to limit storage usage to only those records that are relevant.
  • You would like your Elastic Beanstalk environment to expose an HTTPS endpoint instead of an HTTP endpoint to get in-flight encryption between your clients and your web servers. What must be done to set up HTTPS on Beanstalk? Answer: create a .ebextensions configuration file to configure the Load Balancer.
  • You are using AWS SQS FIFO queues to get the ordering of messages on a per-user_id basis. As a developer, which message parameter should you set to the value of user_id to guarantee the ordering? Answer: MessageGroupId. AWS FIFO queues are designed to enhance messaging between applications when the order of operations and events has to be enforced. The message group ID is the tag that specifies that a message belongs to a specific message group. Messages that belong to the same message group are always processed one by one, in a strict order relative to the message group (however, messages that belong to different message groups might be processed out of order).
  • Related parameter, MessageDeduplicationId: the message deduplication ID is the token used for the deduplication of sent messages. If a message with a particular message deduplication ID is sent successfully, any messages sent with the same message deduplication ID are accepted successfully but are not delivered during the 5-minute deduplication interval.
  • A media analytics company has built a streaming application on Lambda using the Serverless Application Model (SAM). As a Developer Associate, which of the following would you identify as the correct order of execution to successfully deploy the application? Answer: develop the SAM template locally => upload the template to S3 => deploy your application to the cloud.
  • A client has hired you as an AWS Certified Developer Associate for a consulting project. The client wants to weigh their options of choosing between an Amazon SQS standard queue and Amazon Simple Workflow Service (SWF). Which of the following statements are correct regarding the two services? (Select two) Answer: (1) SWF has task-oriented APIs and SQS has message-oriented APIs; (2) SWF ensures the task is assigned only once, while SQS may deliver the message multiple times.