AWS Certification Exams Prep: Serverless Facts and Summaries and Question/Answers

AWS Serverless

AWS Serverless – Facts and summaries, Top 20 AWS Serverless Questions and Answers Dump

Definition 1: Serverless computing is a cloud-computing execution model in which the cloud provider runs the server, and dynamically manages the allocation of machine resources. Pricing is based on the actual amount of resources consumed by an application, rather than on pre-purchased units of capacity. It can be a form of utility computing.
Definition 2: AWS Serverless is the native architecture of the cloud that enables you to shift more of your operational responsibilities to AWS, increasing your agility and innovation. Serverless allows you to build and run applications and services without thinking about servers. It eliminates infrastructure management tasks such as server or cluster provisioning, patching, operating system maintenance, and capacity provisioning.

AWS Serverless Facts and summaries

  1. The AWS Serverless Application Model (AWS SAM) is a model to define serverless applications. AWS SAM is natively supported by AWS CloudFormation and provides a simplified way of defining the Amazon API Gateway APIs, AWS Lambda functions, and Amazon DynamoDB tables needed by your serverless application.
  2. You can use AWS CodePipeline with the AWS Serverless Application Model to automate building, testing, and deploying serverless applications. AWS CodeBuild integrates with CodePipeline to provide automated builds. You can use AWS CodeDeploy to gradually roll out and test new Lambda function versions.
  3. You can monitor and troubleshoot the performance of your serverless applications and AWS Lambda functions with AWS services and third-party tools. Amazon CloudWatch helps you see real-time reporting metrics and logs for your serverless applications. You can use AWS X-Ray to debug and trace your serverless applications and AWS Lambda.
  4. The AWS Serverless Application Repository is a managed repository for serverless applications. It enables teams, organizations, and individual developers to store and share reusable applications, and easily assemble and deploy serverless architectures in powerful new ways. Using the Serverless Application Repository, you don’t need to clone, build, package, or publish source code to AWS before deploying it. Instead, you can use pre-built applications from the Serverless Application Repository in your serverless architectures, helping you and your teams reduce duplicated work, ensure organizational best practices, and get to market faster.
  5. Anyone with an AWS account can publish a serverless application to the Serverless Application Repository. Applications can be privately shared with specific AWS accounts. Applications that are shared publicly include a link to the application’s source code so others can view what the application does and how it works.
  6. What kinds of applications are available in the AWS Serverless Application Repository? The AWS Serverless Application Repository includes applications for Alexa Skills, chatbots, data processing, IoT, real time stream processing, web and mobile back-ends, social media trend analysis, image resizing, and more from publishers on AWS.
  7. The AWS Serverless Application Repository enables developers to publish serverless applications developed in a GitHub repository. Using AWS CodePipeline to link a GitHub source with the AWS Serverless Application Repository can make the publishing process even easier, and the process can be set up in minutes.
  8. What two arguments does a Python Lambda handler function require?
    Event, Context
  9. A Lambda deployment package contains function code and libraries not included within the runtime environment.
  10. When referencing the remaining time left for a Lambda function to run within the function’s code, you would use the context object.
  11. Long-running, memory-intensive workloads are LEAST suited to AWS Lambda.
  12. The maximum execution duration of your Lambda functions is fifteen minutes.
  13. Logs for Lambda functions are stored in AWS CloudWatch.
  14. Docker container images are constructed using instructions in a file called Dockerfile.
  15. The ECS Task Agent is responsible for starting and stopping tasks. It runs inside the EC2 instance and reports on information like running tasks and resource utilization.
  16. AWS ECR stores container images.
  17. Elastic Beanstalk is used to deploy and scale web applications and services developed with a supported platform.
  18. When deploying a simple Python web application with Elastic Beanstalk which of the following AWS resources will be created and managed for you by Elastic Beanstalk?
    An Elastic Load Balancer, an S3 bucket, an EC2 instance.
  19. When using Elastic Beanstalk you can deploy your web applications by:

    • Configuring a git repository with Elastic Beanstalk so that changes will be detected and your application will be updated.
    • Uploading code files to the Elastic Beanstalk service

Reference: AWS Serverless

AWS Serverless: Top 20 Questions and Answers Dump

Q00: You have created a serverless application which converts text into speech using a combination of S3, API Gateway, Lambda, Polly, DynamoDB and SNS. Your users complain that only some text is being converted, whereas longer amounts of text do not get converted. What could be the cause of this problem?

  • A. Polly has built in censorship, so if you try and send it text that is deemed offensive, it will not generate an MP3.
  • B. You’ve placed your DynamoDB table in a single availability zone, which is currently down, causing an outage.
  • C. Your lambda function needs a longer execution time. You should check how long is needed in the fringe cases and increase the timeout inside the function to slightly longer than that.
  • D. AWS X-ray service is interfering with the application and should be disabled.

Answer: C

Reference: AWS Lambda limits


Q1: How does API Gateway deal with legacy SOAP applications?

  • A. Converts the response from the application to REST
  • B. Converts the response from the application to HTML
  • C. Provides webservice passthrough for SOAP applications
  • D. Converts the response from the application to XML

Answer: C
SOAP Applications send their responses in XML format. API Gateway supports SOAP applications, but only provides passthrough. API Gateway does not transform or convert the responses.
Reference: How to configure Amazon API Gateway as a SOAP webservice passthrough in minutes


Q3: You have launched a new web application on AWS using API Gateway, Lambda and S3. Someone posts a thread to Reddit about your application and it starts to go viral. You start receiving 100000 requests every second and you notice that most requests are similar. Your web application begins to struggle. What can you do to optimize the performance of your application?

  • A. Enable API Gateway Accelerator
  • B. Enable API Gateway caching to cache frequent requests.
  • C. Change your Route 53 alias record to point to AWS Neptune and then configure Neptune to filter your API requests to genuine requests only.
  • D. Migrate your API Gateway to a Network Load Balancer and enable session stickiness for all sessions.

Answer: B.

Reference: Amazon API Gateway FAQs


Q4: Which of the following services does X-ray integrate with? (Choose 3)

  • A. Elastic Load Balancer
  • B. Lambda
  • C. S3
  • D. API Gateway

Answer: A. B. and D.
AWS X-Ray helps developers analyze and debug production, distributed applications, such as those built using a microservices architecture. With X-Ray, you can understand how your application and its underlying services are performing to identify and troubleshoot the root cause of performance issues and errors.
You can use X-Ray with applications running on EC2, ECS, Lambda, and Elastic Beanstalk. In addition, the X-Ray SDK automatically captures metadata for API calls made to AWS services using the AWS SDK. In addition, the X-Ray SDK provides add-ons for MySQL and PostgreSQL drivers.

Reference: AWS X-Ray


Q5: You are a developer for a busy real estate company and you want to give other real estate agents the ability to show properties on your books, but skinned so that it looks like their own website. You decide the most efficient way to do this is to expose your API to the public. The project works well, however one of your competitors starts abusing this, sending your API tens of thousands of requests per second. This generates an HTTP 429 error. Each agent connects to your API using individual API Keys. What actions can you take to stop this behaviour?

  • A. Use AWS Shield Advanced API protection to block the requests.
  • B. Deploy multiple API Gateways and give the agent access to another API Gateway.
  • C. Place an AWS Web Application Firewall in front of API gateway and filter requests.
  • D. Throttle the agents API access using the individual API Keys

Answer: D.
Throttling ensures that API traffic is controlled to help your backend services maintain performance and availability.
How can I protect my backend systems and applications from traffic spikes?
Amazon API Gateway provides throttling at multiple levels including global and by service call. Throttling limits can be set for standard rates and bursts. For example, API owners can set a rate limit of 1,000 requests per second for a specific method in their REST APIs, and also configure Amazon API Gateway to handle a burst of 2,000 requests per second for a few seconds. Amazon API Gateway tracks the number of requests per second. Any requests over the limit will receive a 429 HTTP response. The client SDKs generated by Amazon API Gateway retry calls automatically when met with this response.

Reference: Amazon API Gateway FAQs


Q6: You are developing a new application using serverless infrastructure and are using services such as S3, DynamoDB, Lambda, API Gateway, CloudFront, CloudFormation and Polly.
You deploy your application to production and your end users begin complaining about receiving a HTTP 429 error. What could be the cause of the error?

  • A. You enabled API throttling for a rate limit of 1000 requests per second while in development and now that you have deployed to production your API Gateway is being throttled.
  • B. Your CloudFormation stack is not valid and is failing to deploy properly, which is causing an HTTP 429 error.
  • C. Your Lambda function does not have sufficient permissions to read from DynamoDB and this is generating an HTTP 429 error.
  • D. You have an S3 bucket policy which is preventing Lambda from being able to write to your bucket, generating an HTTP 429 error.

Answer: A.
Amazon API Gateway provides throttling at multiple levels including global and by service call. Throttling limits can be set for standard rates and bursts. For example, API owners can set a rate limit of 1,000 requests per second for a specific method in their REST APIs, and also configure Amazon API Gateway to handle a burst of 2,000 requests per second for a few seconds. Amazon API Gateway tracks the number of requests per second. Any requests over the limit will receive a 429 HTTP response. The client SDKs generated by Amazon API Gateway retry calls automatically when met with this response.

Reference: Amazon API Gateway FAQs


Q7: What is the format of structured notification messages sent by Amazon SNS?

  • A. An XML object containing MessageId, UnsubscribeURL, Subject, Message and other
  • B. A JSON object containing MessageId, DuplicateFlag, Message and other values
  • C. An XML object containing MessageId, DuplicateFlag, Message and other values
  • D. A JSON object containing MessageId, unsubscribeURL, Subject, Message and other

Answer: D.

The notification message sent by Amazon SNS for deliveries over HTTP, HTTPS, Email-JSON and SQS transport protocols will consist of a simple JSON object, which will include the following information: MessageId: A Universally Unique Identifier, unique for each notification published.

Reference: Format of structured notification messages sent by Amazon SNS


Other AWS Facts and Summaries

AWS Developer and Deployment Theory: Facts and Summaries and Questions/Answers

AWS Certification Exam Preparation

AWS Developer – Deployment Theory Facts and summaries, Top 60 AWS Developer Theory Questions and Answers Dump

Definition 1: The AWS Developer is responsible for designing, deploying, and developing cloud applications on the AWS platform.

Definition 2: The AWS Developer Tools is a set of services designed to enable developers and IT operations professionals practicing DevOps to rapidly and safely deliver software.

AWS Developer and Deployment Theory Facts and summaries

  1. Continuous Integration is about integrating or merging the code changes frequently, at least once per day. It enables multiple devs to work on the same application.
  2. Continuous delivery is all about automating the build, test, and deployment functions.
  3. Continuous Deployment fully automates the entire release process, code is deployed into Production as soon as it has successfully passed through the release pipeline.
  4. AWS CodePipeline is a continuous integration/Continuous delivery service:
    • It automates your end-to-end software release process based on a user-defined workflow
    • It can be configured to automatically trigger your pipeline as soon as a change is detected in your source code repository
    • It integrates with other services from AWS like CodeBuild and CodeDeploy, as well as third party custom plug-ins.
  5. AWS CodeBuild is a fully managed build service. It can build source code, run tests and produce software packages based on commands that you define yourself.
  6. By default, the buildspec.yml defines the build commands and settings used by CodeBuild to run your build.
  7. AWS CodeDeploy is a fully managed automated deployment service and can be used as part of a Continuous Delivery or Continuous Deployment process.
  8. There are 2 types of deployment approach:
    • In-place or Rolling update: you stop the application on each host and deploy the latest code. EC2 and on-premises systems only. To roll back, you must re-deploy the previous version of the application.
    • Blue/Green: New instances are provisioned and the new application is deployed to these new instances. Traffic is routed to the new instances according to your own schedule. Supported for EC2, on-premises systems and Lambda functions. Rollback is easy, just route the traffic back to the original instances. Blue is active deployment, green is new release.
  9. Docker allows you to package your software into Containers which you can run in Elastic Container Service (ECS)
  10. A Docker Container includes everything the software needs to run, including code, libraries, runtime and environment variables etc.
  11. A special file called Dockerfile is used to specify the instructions needed to assemble your Docker image.
  12. Once built, Docker images can be stored in Elastic Container Registry (ECR) and ECS can then use the image to launch Docker Containers.
  13. AWS CodeCommit is based on Git. It provides centralized repositories for all your code, binaries, images, and libraries.
  14. CodeCommit tracks and manages code changes. It maintains version history.
  15. CodeCommit manages updates from multiple sources and enables collaboration.
  16. To support CORS, an API resource needs to implement an OPTIONS method that can respond to the OPTIONS preflight request with the following headers:
    • Access-Control-Allow-Headers
    • Access-Control-Allow-Origin
    • Access-Control-Allow-Methods
  17. You have a legacy application that works via XML messages. You need to place the application behind the API gateway in order for customers to make API calls. Which of the following would you need to configure?
    You will need to work with the Request and Response Data mapping.
  18. Your application currently points to several Lambda functions in AWS. A change is being made to one of the Lambda functions. You need to ensure that application traffic is shifted slowly from one Lambda function to the other. Which of the following steps would you carry out?
    • Create an ALIAS with the --routing-config parameter
    • Update the ALIAS with the --routing-config parameter

    By default, an alias points to a single Lambda function version. When the alias is updated to point to a different function version, incoming request traffic in turn instantly points to the updated version. This exposes that alias to any potential instabilities introduced by the new version. To minimize this impact, you can implement the routing-config parameter of the Lambda alias that allows you to point to two different versions of the Lambda function and dictate what percentage of incoming traffic is sent to each version.

  19. AWS CodeDeploy: The AppSpec file defines all the parameters needed for the deployment e.g. location of application files and pre/post deployment validation tests to run.
  20. For EC2/On-Premises systems, the appspec.yml file must be placed in the root directory of your revision (the same folder that contains your application code). It is written in YAML.
  21. For Lambda and ECS deployments, the AppSpec file can be YAML or JSON.
  22. Visual workflows are automatically created when working with Step Functions.
  23. API Gateway stages store configuration for deployment. An API Gateway Stage refers to a snapshot of your API.
  24. AWS SWF: SWF guarantees delivery order of messages/tasks.
  25. Blue/Green Deployments with CodeDeploy on AWS Lambda can happen in multiple ways. Which of these is a potential option? Linear, All at once, Canary
  26. X-Ray Filter Expressions allow you to search through request information using characteristics like URL Paths, Trace ID, Annotations
  27. S3 has eventual consistency for overwrite PUTS and DELETES.

Reference: AWS Developer Tools

AWS Developer and Deployment Theory: Top 60 Questions and Answers Dump

Q0: Which AWS service can be used to compile source code, run tests and package code?

  • A. CodePipeline
  • B. CodeCommit
  • C. CodeBuild
  • D. CodeDeploy

Answer: C.

Reference: AWS CodeBuild


Q1: How can you prevent CloudFormation from deleting your entire stack on failure? (Choose 2)

  • A. Set the Rollback on failure radio button to No in the CloudFormation console
  • B. Set Termination Protection to Enabled in the CloudFormation console
  • C. Use the --disable-rollback flag with the AWS CLI
  • D. Use the --enable-termination-protection flag with the AWS CLI

Answer: A. and C.

Reference: Protecting a Stack From Being Deleted


Q2: Which of the following practices allows multiple developers working on the same application to merge code changes frequently, without impacting each other and enables the identification of bugs early on in the release process?

  • A. Continuous Integration
  • B. Continuous Deployment
  • C. Continuous Delivery
  • D. Continuous Development

Answer: A

Reference: What is Continuous Integration?


Q3: When deploying application code to EC2, the AppSpec file can be written in which language?

  • A. JSON
  • B. JSON or YAML
  • C. XML
  • D. YAML


Q4: Part of your CloudFormation deployment fails due to a misconfiguration. By default, what will happen?

  • A. CloudFormation will rollback only the failed components
  • B. CloudFormation will rollback the entire stack
  • C. Failed component will remain available for debugging purposes
  • D. CloudFormation will ask you if you want to continue with the deployment

Answer: B

Reference: Troubleshooting AWS CloudFormation


Q5: You want to receive an email whenever a user pushes code to CodeCommit repository, how can you configure this?

  • A. Create a new SNS topic and configure it to poll for CodeCommit events. Ask all users to subscribe to the topic to receive notifications
  • B. Configure a CloudWatch Events rule to send a message to SES which will trigger an email to be sent whenever a user pushes code to the repository.
  • C. Configure Notifications in the console, this will create a CloudWatch events rule to send a notification to a SNS topic which will trigger an email to be sent to the user.
  • D. Configure a CloudWatch Events rule to send a message to SQS which will trigger an email to be sent whenever a user pushes code to the repository.

Answer: C

Reference: Getting Started with Amazon SNS


Q6: Which AWS service can be used to centrally store and version control your application source code, binaries and libraries

  • A. CodeCommit
  • B. CodeBuild
  • C. CodePipeline
  • D. ElasticFileSystem

Answer: A

Reference: AWS CodeCommit


Q7: You are using CloudFormation to create a new S3 bucket. Which of the following sections would you use to define the properties of your bucket?

  • A. Conditions
  • B. Parameters
  • C. Outputs
  • D. Resources

Answer: D

Reference: Resources


Q8: You are deploying a number of EC2 and RDS instances using CloudFormation. Which section of the CloudFormation template would you use to define these?

  • A. Transforms
  • B. Outputs
  • C. Resources
  • D. Instances

Answer: C.
The Resources section defines the resources you are provisioning. Outputs is used to output user-defined data relating to the resources you have built and can also be used as input to another CloudFormation stack. Transforms is used to reference code located in S3.

Reference: Resources


Q9: Which AWS service can be used to fully automate your entire release process?

  • A. CodeDeploy
  • B. CodePipeline
  • C. CodeCommit
  • D. CodeBuild

Answer: B.
AWS CodePipeline is a fully managed continuous delivery service that helps you automate your release pipelines for fast and reliable application and infrastructure updates

Reference: AWS CodePipeline


Q10: You want to use the output of your CloudFormation stack as input to another CloudFormation stack. Which sections of the CloudFormation template would you use to help you configure this?

  • A. Outputs
  • B. Transforms
  • C. Resources
  • D. Exports

Answer: A.
Outputs is used to output user-defined data relating to the resources you have built and can also be used as input to another CloudFormation stack.

Reference: CloudFormation Outputs


Q11: You have some code located in an S3 bucket that you want to reference in your CloudFormation template. Which section of the template can you use to define this?

  • A. Inputs
  • B. Resources
  • C. Transforms
  • D. Files

Answer: C.
Transforms is used to reference code located in S3 and also to specify the use of the Serverless Application Model (SAM) for Lambda deployments.
Name: 'AWS::Include'
Location: 's3://MyAmazonS3BucketName/MyFileName.yaml'

Reference: Transforms


Q12: You are deploying an application to a number of EC2 instances using CodeDeploy. What is the name of the file used to specify source files and lifecycle hooks?

  • A. buildspec.yml
  • B. appspec.json
  • C. appspec.yml
  • D. buildspec.json

Answer: C.

Reference: CodeDeploy AppSpec File Reference


Q13: Which of the following approaches allows you to re-use pieces of CloudFormation code in multiple templates, for common use cases like provisioning a load balancer or web server?

  • A. Share the code using an EBS volume
  • B. Copy and paste the code into the template each time you need to use it
  • C. Use a cloudformation nested stack
  • D. Store the code you want to re-use in an AMI and reference the AMI from within your CloudFormation template.

Answer: C.

Reference: Working with Nested Stacks


Q14: In the CodeDeploy AppSpec file, what are hooks used for?

  • A. To reference AWS resources that will be used during the deployment
  • B. Hooks are reserved for future use
  • C. To specify files you want to copy during the deployment.
  • D. To specify scripts or functions that you want to run at set points in the deployment lifecycle

Answer: D.
The ‘hooks’ section for an EC2/On-Premises deployment contains mappings that link deployment lifecycle event hooks to one or more scripts.

Reference: AppSpec ‘hooks’ Section


Q15: You need to set up a RESTful API service in AWS that would be serviced via the following url. Which of the following combination of services can be used for development and hosting of the RESTful service? Choose 2 answers from the options below

  • A. AWS Lambda and AWS API gateway
  • B. AWS S3 and Cloudfront
  • C. AWS EC2 and AWS Elastic Load Balancer
  • D. AWS SQS and Cloudfront

Answer: A and C
AWS Lambda can be used to host the code and the API gateway can be used to access the APIs which point to AWS Lambda. Alternatively, you can create your own API service, host it on an EC2 Instance and then use the AWS Application Load balancer to do path based routing.
Reference: Build a Serverless Web Application with AWS Lambda, Amazon API Gateway, Amazon S3, Amazon DynamoDB, and Amazon Cognito


Q16: As a developer, you have created a Lambda function that is used to work with a bucket in Amazon S3. The Lambda function is not working as expected. You need to debug the issue and understand what’s the underlying issue. How can you accomplish this in an easily understandable way?

  • A. Use AWS Cloudwatch metrics
  • B. Put logging statements in your code
  • C. Set the Lambda function debugging level to verbose
  • D. Use AWS Cloudtrail logs

Answer: B
You can insert logging statements into your code to help you validate that your code is working as expected. Lambda automatically integrates with Amazon CloudWatch Logs and pushes all logs from your code to a CloudWatch Logs group associated with a Lambda function (/aws/lambda/).
Reference: Using Amazon CloudWatch


Q17: You have a lambda function that is processed asynchronously. You need a way to check and debug issues if the function fails? How could you accomplish this?

  • A. Use AWS Cloudwatch metrics
  • B. Assign a dead letter queue
  • C. Configure SNS notifications
  • D. Use AWS Cloudtrail logs

Answer: B
Any Lambda function invoked asynchronously is retried twice before the event is discarded. If the retries fail and you’re unsure why, use Dead Letter Queues (DLQ) to direct unprocessed events to an Amazon SQS queue or an Amazon SNS topic to analyze the failure.
Reference: AWS Lambda Function Dead Letter Queues


Q18: You are developing an application that is going to make use of Amazon Kinesis. Due to the high throughput, you decide to have multiple shards for the streams. Which of the following is TRUE when it comes to processing data across multiple shards?

  • A. You cannot guarantee the order of data across multiple shards. It’s possible only within a shard
  • B. Order of data is possible across all shards in a stream
  • C. Order of data is not possible at all in Kinesis streams
  • D. You need to use Kinesis firehose to guarantee the order of data

Answer: A
Kinesis Data Streams lets you order records and read and replay records in the same order to many Kinesis Data Streams applications. To enable write ordering, Kinesis Data Streams expects you to call the PutRecord API to write serially to a shard while using the sequenceNumberForOrdering parameter. Setting this parameter guarantees strictly increasing sequence numbers for puts from the same client and to the same partition key.
Option A is correct as it cannot guarantee the ordering of records across multiple shards.
Reference: How to perform ordered data replication between applications by using Amazon DynamoDB Streams


Q19: You’ve developed a Lambda function and are now in the process of debugging it. You add the necessary print statements in the code to assist in the debugging. You go to CloudWatch Logs, but you see no logs for the Lambda function. Which of the following could be the underlying issue for this?

  • A. You’ve not enabled versioning for the Lambda function
  • B. The IAM Role assigned to the Lambda function does not have the necessary permission to create Logs
  • C. There is not enough memory assigned to the function
  • D. There is not enough time assigned to the function

Answer: B
“If your Lambda function code is executing, but you don’t see any log data being generated after several minutes, this could mean your execution role for the Lambda function did not grant permissions to write log data to CloudWatch Logs. For information about how to make sure that you have set up the execution role correctly to grant these permissions, see Manage Permissions: Using an IAM Role (Execution Role)”.

Reference: Using Amazon CloudWatch


Q20: Your application is developed to pick up metrics from several servers and push them off to CloudWatch. At times, the application gets client 429 errors. Which of the following can be done from the programming side to resolve such errors?

  • A. Use the AWS CLI instead of the SDK to push the metrics
  • B. Ensure that all metrics have a timestamp before sending them across
  • C. Use exponential backoff in your request
  • D. Enable encryption for the requests

Answer: C.
The main reason for such errors is that throttling is occurring when many requests are sent via API calls. The best way to mitigate this is to stagger the rate at which you make the API calls.
In addition to simple retries, each AWS SDK implements exponential backoff algorithm for better flow control. The idea behind exponential backoff is to use progressively longer waits between retries for consecutive error responses. You should implement a maximum delay interval, as well as a maximum number of retries. The maximum delay interval and maximum number of retries are not necessarily fixed values and should be set based on the operation being performed, as well as other local factors, such as network latency.
Reference: Error Retries and Exponential Backoff in AWS

Q21: You have been instructed to use the CodePipeline service for the CI/CD automation in your company. Due to security reasons, the resources that would be part of the deployment are placed in another account. Which of the following steps need to be carried out to accomplish this deployment? Choose 2 answers from the options given below

  • A. Define a customer master key in KMS
  • B. Create a reference Code Pipeline instance in the other account
  • C. Add a cross account role
  • D. Embed the access keys in the codepipeline process

Answer: A. and C.
You might want to create a pipeline that uses resources created or managed by another AWS account. For example, you might want to use one account for your pipeline and another for your AWS CodeDeploy resources. To do so, you must create an AWS Key Management Service (AWS KMS) key to use, add the key to the pipeline, and set up account policies and roles to enable cross-account access.
Reference: Create a Pipeline in CodePipeline That Uses Resources from Another AWS Account


Q22: You are planning on deploying an application to the worker role in Elastic Beanstalk. Moreover, this worker application is going to run the periodic tasks. Which of the following is a must have as part of the deployment?

  • A. An appspec.yaml file
  • B. A cron.yaml file
  • C. A cron.config file
  • D. An appspec.json file

Answer: B.
Create an Application Source Bundle
When you use the AWS Elastic Beanstalk console to deploy a new application or an application version, you’ll need to upload a source bundle. Your source bundle must meet the following requirements:

  • Consist of a single ZIP file or WAR file (you can include multiple WAR files inside your ZIP file)
  • Not exceed 512 MB
  • Not include a parent folder or top-level directory (subdirectories are fine)

If you want to deploy a worker application that processes periodic background tasks, your application source bundle must also include a cron.yaml file. For more information, see Periodic Tasks.

Reference: Create an Application Source Bundle


Q23: An application needs to make use of an SQS queue for working with messages. An SQS queue has been created with the default settings. The application needs 60 seconds to process each message. Which of the following steps need to be carried out by the application?

  • A. Change the VisibilityTimeout for each message and then delete the message after processing is completed
  • B. Delete the message and change the visibility timeout.
  • C. Process the message, change the visibility timeout. Delete the message
  • D. Process the message and delete the message

Answer: A
If the SQS queue is created with the default settings, then the default visibility timeout is 30 seconds. Since the application needs more time for processing, you first need to change the timeout and then delete the message after it is processed.
Reference: Amazon SQS Visibility Timeout


Q24: An AWS CodeDeploy deployment fails to start and generates the following error code: “HEALTH_CONSTRAINTS_INVALID”. Which of the following can be used to eliminate this error?

  • A. Make sure the minimum number of healthy instances is equal to the total number of instances in the deployment group.
  • B. Increase the number of healthy instances required during deployment
  • C. Reduce number of healthy instances required during deployment
  • D. Make sure the number of healthy instances is equal to the specified minimum number of healthy instances.

Answer: C
AWS CodeDeploy generates the “HEALTH_CONSTRAINTS_INVALID” error when the minimum number of healthy instances defined in the deployment group is not available during deployment. To mitigate this error, make sure the required number of healthy instances is available during deployments.
Reference: Error Codes for AWS CodeDeploy


Q25: How are the state machines in AWS Step Functions defined?

  • A. SAML
  • B. XML
  • C. YAML
  • D. JSON

Answer: D. JSON
AWS Step Functions state machines are defined in JSON files.
Reference: What Is AWS Step Functions?


Q26: How can API Gateway methods be configured to respond to requests?

  • A. Forwarded to method handlers
  • B. AWS Lambda
  • C. Integrated with other AWS Services
  • D. Existing HTTP endpoints

Answer: B. C. D.

Reference: Set up REST API Methods in API Gateway


Q27: Which of the following could be an example of an API Gateway Resource URL for a trucks resource?

  • A.
  • B.
  • C.
  • D.

Answer: C

Reference: Amazon API Gateway Concepts


Q28: API Gateway Deployments are:

  • A. A specific snapshot of your API’s methods
  • B. A specific snapshot of all of your API’s settings, resources, and methods
  • C. A specific snapshot of your API’s resources
  • D. A specific snapshot of your API’s resources and methods

Answer: D.
AWS API Gateway Deployments are a snapshot of all the resources and methods of your API and their configuration.
Reference: Deploying a REST API in Amazon API Gateway


Q29: A SWF workflow task or task execution can live up to how long?

  • A. 1 Year
  • B. 14 days
  • C. 24 hours
  • D. 3 days

Answer: A. 1 Year
Each workflow execution can run for a maximum of 1 year. Each workflow execution history can grow up to 25,000 events. If your use case requires you to go beyond these limits, you can use features Amazon SWF provides to continue executions and structure your applications using child workflow executions.
Reference: Amazon SWF FAQs


Q30: With AWS Step Functions, all the work in your state machine is done by tasks. These tasks perform work by using what types of things? (Choose the best 3 answers)

  • A. An AWS Lambda Function Integration
  • B. Passing parameters to API actions of other services
  • C. Activities
  • D. An EC2 Integration

Answer: A. B. C.



Q31: How does SWF make decisions?

  • A. A decider program that is written in the language of the developer’s choice
  • B. A visual workflow created in the SWF visual workflow editor
  • C. A JSON-defined state machine that contains states within it to select the next step to take
  • D. SWF outsources all decisions to human deciders through the AWS Mechanical Turk service.

Answer: A.
SWF allows the developer to write their own application logic to make decisions and determine how to evaluate incoming data.
Q: What programming conveniences does Amazon SWF provide to write applications? Like other AWS services, Amazon SWF provides a core SDK for the web service APIs. Additionally, Amazon SWF offers an SDK called the AWS Flow Framework that enables you to develop Amazon SWF-based applications quickly and easily. AWS Flow Framework abstracts the details of task-level coordination with familiar programming constructs. While running your program, the framework makes calls to Amazon SWF, tracks your program’s execution state using the execution history kept by Amazon SWF, and invokes the relevant portions of your code at the right times. By offering an intuitive programming framework to access Amazon SWF, AWS Flow Framework enables developers to write entire applications as asynchronous interactions structured in a workflow. For more details, please see What is the AWS Flow Framework?


Q32: In order to effectively build and test your code, AWS CodeBuild allows you to:

  • A. Select and use some 3rd party providers to run tests against your code
  • B. Select a pre-configured environment
  • C. Provide your own custom AMI
  • D. Provide your own custom container image

Answer: A. B. and D.

Reference: AWS CodeBuild FAQs


Q33: X-Ray Filter Expressions allow you to search through request information using characteristics like:

  • A. URL Paths
  • B. Metadata
  • C. Trace ID
  • D. Annotations


Q34: CodePipeline pipelines are workflows that deal with stages, actions, transitions, and artifacts. Which of the following statements is true about these concepts?

  • A. Stages contain at least two actions
  • B. Artifacts are never modified or iterated on when used inside of CodePipeline
  • C. Stages contain at least one action
  • D. Actions will have a deployment artifact as either an input, an output, or both

Answer: B. C. D.



Q35: When deploying a simple Python web application with Elastic Beanstalk which of the following AWS resources will be created and managed for you by Elastic Beanstalk?

  • A. An Elastic Load Balancer
  • B. An S3 Bucket
  • C. A Lambda Function
  • D. An EC2 instance

Answer: A. B. and D.
AWS Elastic Beanstalk uses proven AWS features and services, such as Amazon EC2, Amazon RDS, Elastic Load Balancing, Auto Scaling, Amazon S3, and Amazon SNS, to create an environment that runs your application. The current version of AWS Elastic Beanstalk uses the Amazon Linux AMI or the Windows Server 2012 R2 AMI.
Reference: AWS Elastic Beanstalk FAQs


Q36: Elastic Beanstalk is used to:

  • A. Deploy and scale web applications and services developed with a supported platform
  • B. Deploy and scale serverless applications
  • C. Deploy and scale applications based purely on EC2 instances
  • D. Manage the deployment of all AWS infrastructure resources of your AWS applications

Answer: A.
Who should use AWS Elastic Beanstalk?
Those who want to deploy and manage their applications within minutes in the AWS Cloud. You don’t need experience with cloud computing to get started. AWS Elastic Beanstalk supports Java, .NET, PHP, Node.js, Python, Ruby, Go, and Docker web applications.


Q35: How can AWS X-Ray determine what data to collect?

  • A. X-Ray applies a sampling algorithm by default
  • B. X-Ray collects data on all requests by default
  • C. You can implement your own sampling frequencies for data collection
  • D. X-Ray collects data on all requests for services enabled with it

Answer: A. and C.

Reference: AWS X-Ray FAQs


Q37: Which API call is used to list all resources that belong to a CloudFormation Stack?

  • A. DescribeStacks
  • B. GetTemplate
  • C. DescribeStackResources
  • D. ListStackResources

Answer: D.

Reference: ListStackResources


Q38: What is the default behaviour of a CloudFormation stack if the creation of one resource fails?

  • A. Rollback
  • B. The stack continues creating and the failed resource is ignored
  • C. Delete
  • D. Undo

Answer: A. Rollback

Reference: AWS CloudFormation FAQs


Q39: Which AWS CLI command lists all current stacks in your CloudFormation service?

  • A. aws cloudformation describe-stacks
  • B. aws cloudformation list-stacks
  • C. aws cloudformation create-stack
  • D. aws cloudformation describe-stack-resources

Answer: A. and B.

Reference: list-stacks


Q40: Which API call is used to list all resources that belong to a CloudFormation Stack?

  • A. DescribeStacks
  • B. GetTemplate
  • C. ListStackResources
  • D. DescribeStackResources

Answer: C.

Reference: list-stack-resources


Q41: How does using ElastiCache help to improve database performance?

  • A. It can store petabytes of data
  • B. It provides faster internet speeds
  • C. It can store the results of frequent or highly-taxing queries
  • D. It uses read replicas

Answer: C.
With ElastiCache, customers get all of the benefits of a high-performance, in-memory cache with less of the administrative burden involved in launching and managing a distributed cache. The service makes setup, scaling, and cluster failure handling much simpler than in a self-managed cache deployment.
Reference: Amazon ElastiCache


Q42: Which of the following best describes the Lazy Loading caching strategy?

  • A. Every time the underlying database is written to or updated the cache is updated with the new information.
  • B. Every miss to the cache is counted and when a specific number is reached a full copy of the database is migrated to the cache
  • C. A specific amount of time is set before the data in the cache is marked as expired. After expiration, a request for expired data will be made through to the backing database.
  • D. Data is added to the cache when a cache miss occurs (when there is no data in the cache and the request must go to the database for that data)

Answer: D.
Amazon ElastiCache is an in-memory key/value store that sits between your application and the data store (database) that it accesses. Whenever your application requests data, it first makes the request to the ElastiCache cache. If the data exists in the cache and is current, ElastiCache returns the data to your application. If the data does not exist in the cache, or the data in the cache has expired, your application requests the data from your data store which returns the data to your application. Your application then writes the data received from the store to the cache so it can be more quickly retrieved next time it is requested.
Reference: Lazy Loading


Q43: What are two benefits of using RDS read replicas?

  • A. You can add/remove read replicas based on demand, so it creates elasticity for RDS.
  • B. Improves performance of the primary database by taking workload from it
  • C. Automatic failover in the case of Availability Zone service failures
  • D. Allows both reads and writes

Answer: A. and B.

Reference: Amazon RDS Read Replicas


Q44: What is the simplest way to enable an S3 bucket to be able to send messages to your SNS topic?

  • A. Attach an IAM role to the S3 bucket to send messages to SNS.
  • B. Activate the S3 pipeline feature to send notifications to another AWS service – in this case select SNS.
  • C. Add a resource-based access control policy on the SNS topic.
  • D. Use AWS Lambda to receive events from the S3 bucket and then use the Publish API action to send them to the SNS topic.

Answer: C.

Reference: Access Control List (ACL) Overview


Q45: You have just set up a push notification service to send a message to an app installed on a device with the Apple Push Notification Service. It seems to work fine. You now want to send a message to an app installed on devices for multiple platforms, those being the Apple Push Notification Service(APNS) and Google Cloud Messaging for Android (GCM). What do you need to do first for this to be successful?

  • A. Request Credentials from Mobile Platforms, so that each device has the correct access control policies to access the SNS publisher
  • B. Create a Platform Application Object which will connect all of the mobile devices with your app to the correct SNS topic.
  • C. Request a Token from Mobile Platforms, so that each device has the correct access control policies to access the SNS publisher.
  • D. Get a set of credentials in order to be able to connect to the push notification service you are trying to setup.

Answer: D.
To use Amazon SNS mobile push notifications, you need to establish a connection with a supported push notification service. This connection is established using a set of credentials.
Reference: Add Device Tokens or Registration IDs


Q46: SNS messages can be sent to different kinds of endpoints. Which of these is NOT currently a supported endpoint?

  • A. Slack Messages
  • B. SMS (text message)
  • D. AWS Lambda

Answer: A.
Slack messages are not directly integrated with SNS, though theoretically, you could write a service to push messages to Slack from SNS.


Q47: Company B provides an online image recognition service and utilizes SQS to decouple system components for scalability. The SQS consumers poll the imaging queue as often as possible to keep end-to-end throughput as high as possible. However, Company B is realizing that polling in tight loops is burning CPU cycles and increasing costs with empty responses. How can Company B reduce the number of empty responses?

  • A. Set the imaging queue VisibilityTimeout attribute to 20 seconds
  • B. Set the imaging queue MessageRetentionPeriod attribute to 20 seconds
  • C. Set the imaging queue ReceiveMessageWaitTimeSeconds Attribute to 20 seconds
  • D. Set the DelaySeconds parameter of a message to 20 seconds

Answer: C.
Enabling long polling reduces the amount of false and empty responses from SQS service. It also reduces the number of calls that need to be made to a queue by staying connected to the queue until all messages have been received or until timeout. In order to enable long polling the ReceiveMessageWaitTimeSeconds attribute needs to be set to a number greater than 0. If it is set to 0 then short polling is enabled.
Reference: Amazon SQS Long Polling


Q48: Which of the following statements about SQS standard queues are true?

  • A. Message order can be indeterminate – you’re not guaranteed to get messages in the same order they were sent in
  • B. Messages will be delivered exactly once and messages will be delivered in First in, First out order
  • C. Messages will be delivered exactly once and message delivery order is indeterminate
  • D. Messages can be delivered one or more times

Answer: A. and D.
A standard queue makes a best effort to preserve the order of messages, but more than one copy of a message might be delivered out of order. If your system requires that order be preserved, we recommend using a FIFO (First-In-First-Out) queue or adding sequencing information in each message so you can reorder the messages when they’re received.
Reference: Amazon SQS Standard Queues


Q49: Which of the following is true if long polling is enabled?

  • A. If long polling is enabled, then each poll only polls a subset of SQS servers; in order for all messages to be received, polling must continuously occur
  • B. The reader will listen to the queue until timeout
  • C. Increases costs because each request lasts longer
  • D. The reader will listen to the queue until a message is available or until timeout

Answer: D.

Reference: Amazon SQS Long Polling


Q50: When dealing with session state in EC2-based applications using Elastic load balancers which option is generally thought of as the best practice for managing user sessions?

  • A. Having the ELB distribute traffic to all EC2 instances and then having the instance check a caching solution like ElastiCache running Redis or Memcached for session information
  • B. Permanently assigning users to specific instances and always routing their traffic to those instances
  • C. Using Application-generated cookies to tie a user session to a particular instance for the cookie duration
  • D. Using Elastic Load Balancer generated cookies to tie a user session to a particular instance

Answer: A.

Reference: Distributed Session Management


Q51: When requested through an STS API call, credentials are returned with what three components?

  • A. Security Token, Access Key ID, Signed URL
  • B. Security Token, Access Key ID, Secret Access Key
  • C. Signed URL, Security Token, Username
  • D. Security Token, Secret Access Key, Personal Pin Code

Answer: B.
Security Token, Access Key ID, Secret Access Key


Q52: Your application must write to an SQS queue. Your corporate security policies require that AWS credentials are always encrypted and are rotated at least once a week.
How can you securely provide credentials that allow your application to write to the queue?

  • A. Have the application fetch an access key from an Amazon S3 bucket at run time.
  • B. Launch the application’s Amazon EC2 instance with an IAM role.
  • C. Encrypt an access key in the application source code.
  • D. Enroll the instance in an Active Directory domain and use AD authentication.

Answer: B.
IAM roles are based on temporary security tokens, so they are rotated automatically. Keys in the source code cannot be rotated (and are a very bad idea). It’s impossible to retrieve credentials from an S3 bucket if you don’t already have credentials for that bucket. Active Directory authorization will not grant access to AWS resources.
Reference: AWS IAM FAQs


Q53: Your web application reads an item from your DynamoDB table, changes an attribute, and then writes the item back to the table. You need to ensure that one process doesn’t overwrite a simultaneous change from another process.
How can you ensure concurrency?

  • A. Implement optimistic concurrency by using a conditional write.
  • B. Implement pessimistic concurrency by using a conditional write.
  • C. Implement optimistic concurrency by locking the item upon read.
  • D. Implement pessimistic concurrency by locking the item upon read.

Answer: A.
Optimistic concurrency depends on checking a value upon save to ensure that it has not changed. Pessimistic concurrency prevents a value from changing by locking the item or row in the database. DynamoDB does not support item locking, and conditional writes are perfect for implementing optimistic concurrency.
Reference: Optimistic Locking With Version Number


Q54: Which statements about DynamoDB are true? Choose 2 answers

  • A. DynamoDB uses optimistic concurrency control
  • B. DynamoDB restricts item access during writes
  • C. DynamoDB uses a pessimistic locking model
  • D. DynamoDB restricts item access during reads
  • E. DynamoDB uses conditional writes for consistency


Q55: Your CloudFormation template has the following Mappings section:

Which JSON snippet will result in the value “ami-6411e20d” when a stack is launched in us-east-1?

  • A. { “Fn::FindInMap” : [ “Mappings”, { “RegionMap” : [“us-east-1”, “us-west-1”] }, “32”]}
  • B. { “Fn::FindInMap” : [ “Mappings”, { “Ref” : “AWS::Region” }, “32”]}
  • C. { “Fn::FindInMap” : [ “RegionMap”, { “Ref” : “AWS::Region” }, “32”]}
  • D. { “Fn::FindInMap” : [ “RegionMap”, { “RegionMap” : “AWS::Region” }, “32”]}

Answer: C.
The intrinsic function Fn::FindInMap returns the value corresponding to keys in a two-level map that is declared in the Mappings section.
You can use the Fn::FindInMap function to return a named value based on a specified key. The following example template contains an Amazon EC2 resource whose ImageId property is assigned by the FindInMap function. The FindInMap function specifies key as the region where the stack is created (using the AWS::Region pseudo parameter) and HVM64 as the name of the value to map to.


Q56: Your application triggers events that must be delivered to all your partners. The exact partner list is constantly changing: some partners run a highly available endpoint, and other partners’ endpoints are online only a few hours each night. Your application is mission-critical, and communication with your partners must not introduce delay in its operation. A delay in delivering the event to one partner cannot delay delivery to other partners.


What is an appropriate way to code this?

  • A. Implement an Amazon SWF task to deliver the message to each partner. Initiate an Amazon SWF workflow execution.
  • B. Send the event as an Amazon SNS message. Instruct your partners to create an HTTP. Subscribe their HTTP endpoint to the Amazon SNS topic.
  • C. Create one SQS queue per partner. Iterate through the queues and write the event to each one. Partners retrieve messages from their queue.
  • D. Send the event as an Amazon SNS message. Create one SQS queue per partner that subscribes to the Amazon SNS topic. Partners retrieve messages from their queue.

Answer: D.
There are two challenges here: the command must be “fanned out” to a variable pool of partners, and your app must be decoupled from the partners because they are not highly available.
Sending the command as an SNS message achieves the fan-out via its publication/subscribe model, and using an SQS queue for each partner decouples your app from the partners. Writing the message to each queue directly would cause more latency for your app and would require your app to monitor which partners were active. It would be difficult to write an Amazon SWF workflow for a rapidly changing set of partners.

Reference: AWS SNS FAQs


Q57: You have a three-tier web application (web, app, and data) in a single Amazon VPC. The web and app tiers each span two Availability Zones, are in separate subnets, and sit behind ELB Classic Load Balancers. The data tier is a Multi-AZ Amazon RDS MySQL database instance in database subnets.
When you call the database tier from your app tier instances, you receive a timeout error. What could be causing this?

  • A. The IAM role associated with the app tier instances does not have rights to the MySQL database.
  • B. The security group for the Amazon RDS instance does not allow traffic on port 3306 from the app
  • C. The Amazon RDS database instance does not have a public IP address.
  • D. There is no route defined between the app tier and the database tier in the Amazon VPC.

Answer: B.
Security groups block all network traffic by default, so if a group is not correctly configured, it can lead to a timeout error. MySQL security, not IAM, controls MySQL security. All subnets in an Amazon VPC have routes to all other subnets. Internal traffic within an Amazon VPC does not require public IP addresses.

Reference: Security Groups for Your VPC


Q58: What type of block cipher does Amazon S3 offer for server side encryption?

  • A. RC5
  • B. Blowfish
  • C. Triple DES
  • D. Advanced Encryption Standard

Answer: D
Amazon S3 server-side encryption uses one of the strongest block ciphers available, 256-bit Advanced Encryption Standard (AES-256), to encrypt your data.

Reference: Protecting Data Using Server-Side Encryption


Q59: You have written an application that uses the Elastic Load Balancing service to spread traffic to several web servers. Your users complain that they are sometimes forced to log in again in the middle of using your application, after they have already logged in. This is not behaviour you have designed. What is a possible solution to prevent this happening?

  • A. Use instance memory to save session state.
  • B. Use instance storage to save session state.
  • C. Use EBS to save session state
  • D. Use ElastiCache to save session state.
  • E. Use Glacier to save session state.

Answer: D.
You can cache a variety of objects using the service, from the content in persistent data stores (such as Amazon RDS, DynamoDB, or self-managed databases hosted on EC2) to dynamically generated web pages (with Nginx for example), or transient session data that may not require a persistent backing store. You can also use it to implement high-frequency counters to deploy admission control in high volume web applications.

Reference: Amazon ElastiCache FAQs


Q60: You are writing to a DynamoDB table and receive the following exception: “ProvisionedThroughputExceededException”, though according to your CloudWatch metrics for the table, you are not exceeding your provisioned throughput. What could be an explanation for this?

  • A. You haven’t provisioned enough DynamoDB storage instances
  • B. You’re exceeding your capacity on a particular Range Key
  • C. You’re exceeding your capacity on a particular Hash Key
  • D. You’re exceeding your capacity on a particular Sort Key
  • E. You haven’t configured DynamoDB Auto Scaling triggers

Answer: C.
The primary key that uniquely identifies each item in a DynamoDB table can be simple (a partition key only) or composite (a partition key combined with a sort key).
Generally speaking, you should design your application for uniform activity across all logical partition keys in the Table and its secondary indexes.
You can determine the access patterns that your application requires, and estimate the total read capacity units and write capacity units that each table and secondary Index requires.

As traffic starts to flow, DynamoDB automatically supports your access patterns using the throughput you have provisioned, as long as the traffic against a given partition key does not exceed 3000 read capacity units or 1000 write capacity units.

Reference: Best Practices for Designing and Using Partition Keys Effectively


Q61: Which DynamoDB limits can be raised by contacting AWS support?

  • A. The number of hash keys per account
  • B. The maximum storage used per account
  • C. The number of tables per account
  • D. The number of local secondary indexes per account
  • E. The number of provisioned throughput units per account

Answer: C. and E.

For any AWS account, there is an initial limit of 256 tables per region.
AWS places some default limits on the throughput you can provision.
These are the limits unless you request a higher amount.
To request a service limit increase see Limits in DynamoDB


Other AWS Facts and Summaries

AWS Certification Exam Prep: S3 Facts, Summaries, Questions and Answers

AWS S3 Facts and summaries, AWS S3 Top 10 Questions and Answers Dump

Definition 1: Amazon S3 or Amazon Simple Storage Service is a “simple storage service” offered by Amazon Web Services that provides object storage through a web service interface. Amazon S3 uses the same scalable storage infrastructure that Amazon.com uses to run its global e-commerce network.

Definition 2: Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance.

AWS S3 Facts and summaries

  1. S3 is a universal namespace, meaning each S3 bucket you create must have a unique name that is not being used by anyone else in the world.
  2. S3 is object based, i.e. it allows you to upload files.
  3. Files can be from 0 Bytes to 5 TB
  4. S3 has unlimited storage.
  5. Files are stored in Buckets.
  6. Read after write consistency for PUTS of new Objects
  7. Eventual Consistency for overwrite PUTS and DELETES (can take some time to propagate)
  8. S3 Storage Classes/Tiers:
    • S3 Standard (durable, immediately available, frequently accessed)
    • Amazon S3 Intelligent-Tiering (S3 Intelligent-Tiering): It works by storing objects in two access tiers: one tier that is optimized for frequent access and another lower-cost tier that is optimized for infrequent access.
    • S3 Standard-Infrequent Access – S3 Standard-IA (durable, immediately available, infrequently accessed)
    • S3 – One Zone-Infrequent Access – S3 One Zone IA: Same as IA. However, data is stored in a single Availability Zone only
    • S3 – Reduced Redundancy Storage (data that is easily reproducible, such as thumbnails, etc.)
    • Glacier – Archived data, where you can wait 3-5 hours before accessing
  9. Core fundamentals of an S3 object
    • Key (name)
    • Value (data)
    • Version (ID)
    • Metadata
    • Sub-resources (used to manage bucket-specific configuration)
      • Bucket Policies, ACLs,
      • CORS
      • Transfer Acceleration
  10. Object-based storage only for files
  11. Not suitable to install OS on.
  12. Successful uploads will generate a HTTP 200 status code.
  13. S3 Security – Summary
    • By default, all newly created buckets are PRIVATE.
    • You can set up access control to your buckets using:
      • Bucket Policies – Applied at the bucket level
      • Access Control Lists – Applied at an object level.
    • S3 buckets can be configured to create access logs, which log all requests made to the S3 bucket. These logs can be written to another bucket.
  14. S3 Encryption
    • Encryption In-Transit (SSL/TLS)
    • Encryption At Rest:
      • Server side Encryption (SSE-S3, SSE-KMS, SSE-C)
      • Client Side Encryption
    • Remember that we can use a bucket policy to prevent unencrypted files from being uploaded by creating a policy which only allows requests that include the x-amz-server-side-encryption parameter in the request header.
  15. S3 CORS (Cross Origin Resource Sharing):
    CORS defines a way for client web applications that are loaded in one domain to interact with resources in a different domain. 

    • Used to enable cross origin access for your AWS resources, e.g. S3 hosted website accessing javascript or image files located in another bucket. By default, resources in one bucket cannot access resources located in another. To allow this we need to configure CORS on the bucket being accessed and enable access for the origin (bucket) attempting to access.
    • Always use the S3 website URL, not the regular bucket URL. E.g.:
  16. S3 CloudFront:
    • Edge locations are not just READ only – you can WRITE to them too (i.e. put an object on to them).
    • Objects are cached for the life of the TTL (Time to Live)
    • You can clear cached objects, but you will be charged. (Invalidation)
  17. S3 Performance optimization – 2 main approaches to Performance Optimization for S3:
    • GET-Intensive Workloads – Use CloudFront
    • Mixed Workload – Avoid sequential key names for your S3 objects. Instead, add a random prefix like a hex hash to the key name to prevent multiple objects from being stored on the same partition.
      • mybucket/7eh4-2019-03-04-15-00-00/cust1234234/photo1.jpg
      • mybucket/h35d-2019-03-04-15-00-00/cust1234234/photo2.jpg
      • mybucket/o3n6-2019-03-04-15-00-00/cust1234234/photo3.jpg
  18. The best way to handle large objects uploads to the S3 service is to use the Multipart upload API. The Multipart upload API enables you to upload large objects in parts.
  19. You can enable versioning on a bucket, even if that bucket already has objects in it. The already existing objects, though, will show their versions as null. All new objects will have version IDs.
  20. Bucket names cannot start with a . or – characters. S3 bucket names can contain both the . and – characters. There can only be one . or one – between labels. E.G mybucket-com are valid names but mybucket–com and are not valid bucket names.
  21. What is the maximum number of S3 buckets allowed per AWS account (by default)? 100
  22. You successfully upload an item to the us-east-1 region. You then immediately make another API call and attempt to read the object. What will happen?
    All AWS regions now have read-after-write consistency for PUT operations of new objects. Read-after-write consistency allows you to retrieve objects immediately after creation in Amazon S3. Other actions still follow the eventual consistency model (where you will sometimes get stale results if you have recently made changes)

Reference: AWS S3

AWS S3 Top 10 Questions and Answers Dump

Q0: You’ve written an application that uploads objects onto an S3 bucket. The size of the object varies between 200 – 500 MB. You’ve seen that the application sometimes takes longer than expected to upload the object. You want to improve the performance of the application. Which of the following would you consider?

  • A. Create multiple threads and upload the objects in the multiple threads
  • B. Write the items in batches for better performance
  • C. Use the Multipart upload API
  • D. Enable versioning on the Bucket

C. All other options are invalid since the best way to handle large object uploads to the S3 service is to use the Multipart upload API. The Multipart upload API enables you to upload large objects in parts. You can use this API to upload new large objects or make a copy of an existing object. Multipart uploading is a three-step process: You initiate the upload, you upload the object parts, and after you have uploaded all the parts, you complete the multipart upload. Upon receiving the complete multipart upload request, Amazon S3 constructs the object from the uploaded parts, and you can then access the object just as you would any other object in your bucket.



Q2: You are using AWS SAM templates to deploy a serverless application. Which of the following resources will embed an application from Amazon S3 buckets?

  • A. AWS::Serverless::Api
  • B. AWS::Serverless::Application
  • C. AWS::Serverless::LayerVersion
  • D. AWS::Serverless::Function

Answer – B
The AWS::Serverless::Application resource in an AWS SAM template is used to embed an application from Amazon S3 buckets.
Reference: Declaring Serverless Resources


Q3: A static web site has been hosted on a bucket and is now being accessed by users. The JavaScript section of one of the web pages has been changed to access data which is hosted in another S3 bucket. Now that same web page is no longer loading in the browser. Which of the following can help alleviate the error?

  • A. Enable versioning for the underlying S3 bucket.
  • B. Enable Replication so that the objects get replicated to the other bucket
  • C. Enable CORS for the bucket
  • D. Change the Bucket policy for the bucket to allow access from the other bucket

Answer – C

Cross-origin resource sharing (CORS) defines a way for client web applications that are loaded in one domain to interact with resources in a different domain. With CORS support, you can build rich client-side web applications with Amazon S3 and selectively allow cross-origin access to your Amazon S3 resources.

Cross-Origin Resource Sharing: Use-case Scenarios

The following are example scenarios for using CORS:

Scenario 1: Suppose that you are hosting a website in an Amazon S3 bucket named website as described in Hosting a Static Website on Amazon S3. Your users load the website endpoint Now you want to use JavaScript on the webpages that are stored in this bucket to be able to make authenticated GET and PUT requests against the same bucket by using the Amazon S3 API endpoint for the bucket, A browser would normally block JavaScript from allowing those requests, but with CORS you can configure your bucket to explicitly enable cross-origin requests from

Scenario 2: Suppose that you want to host a web font from your S3 bucket. Again, browsers require a CORS check (also called a preflight check) for loading web fonts. You would configure the bucket that is hosting the web font to allow any origin to make these requests.

Reference: Cross-Origin Resource Sharing (CORS)


Q4: Your mobile application includes a photo-sharing service that is expecting tens of thousands of users at launch. You will leverage Amazon Simple Storage Service (S3) for storage of the user images, and you must decide how to authenticate and authorize your users for access to these images. You also need to manage the storage of these images. Which two of the following approaches should you use? Choose two answers from the options below.

  • A. Create an Amazon S3 bucket per user, and use your application to generate the S3 URL for the appropriate content.
  • B. Use AWS Identity and Access Management (IAM) user accounts as your application-level user database, and offload the burden of authentication from your application code.
  • C. Authenticate your users at the application level, and use AWS Security Token Service (STS) to grant token-based authorization to S3 objects.
  • D. Authenticate your users at the application level, and send an SMS token message to the user. Create an Amazon S3 bucket with the same name as the SMS message token, and move the user’s objects to that bucket.

Answer – C
The AWS Security Token Service (STS) is a web service that enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or for users that you authenticate (federated users). The token can then be used to grant access to the objects in S3.
You can then provide access to the objects based on the key values generated via the user id.

Reference: The AWS Security Token Service (STS)


Q5: Both ACLs and Bucket Policies can be used to grant access to S3 buckets. Which of the following statements is true about ACLs and Bucket policies?

  • A. Bucket Policies are Written in JSON and ACLs are written in XML
  • B. ACLs can be attached to S3 objects or S3 Buckets
  • C. Bucket Policies and ACLs are written in JSON
  • D. Bucket policies are only attached to S3 buckets, ACLs are only attached to S3 objects

Answer: A. and B.
Only Bucket Policies are written in JSON; ACLs are written in XML.
While Bucket policies are indeed only attached to S3 buckets, ACLs can be attached to S3 Buckets OR S3 Objects.


Q6: What are good options to improve S3 performance when you have significantly high numbers of GET requests?

  • A. Introduce random prefixes to S3 objects
  • B. Introduce random suffixes to S3 objects
  • C. Setup CloudFront for S3 objects
  • D. Migrate commonly used objects to Amazon Glacier

Answer: C
CloudFront caching is an excellent way to avoid putting extra strain on the S3 service and to improve the response times of requests by caching data closer to users at CloudFront locations.
S3 Transfer Acceleration optimizes the TCP protocol and adds additional intelligence between the client and the S3 bucket, making S3 Transfer Acceleration a better choice if a higher throughput is desired. If you have objects that are smaller than 1GB or if the data set is less than 1GB in size, you should consider using Amazon CloudFront’s PUT/POST commands for optimal performance.
Reference: Amazon S3 Transfer Acceleration


Q7: If an application is storing hourly log files from thousands of instances from a high traffic web site, which naming scheme would give optimal performance on S3?

  • A. Sequential
  • B. HH-DD-MM-YYYY-log_instanceID
  • C. YYYY-MM-DD-HH-log_instanceID
  • D. instanceID_log-HH-DD-MM-YYYY
  • E. instanceID_log-YYYY-MM-DD-HH

Answer: A. B. C. D. and E.
Amazon S3 now provides increased performance to support at least 3,500 requests per second to add data and 5,500 requests per second to retrieve data, which can save significant processing time for no additional charge. Each S3 prefix can support these request rates, making it simple to increase performance significantly.
This S3 request rate performance increase removes any previous guidance to randomize object prefixes to achieve faster performance. That means you can now use logical or sequential naming patterns in S3 object naming without any performance implications.

Reference: Amazon S3 Announces Increased Request Rate Performance



Latest DevOps and SysAdmin Feed

What is DevOps in Simple English?


DevOps: In the IT world, DevOps means Development Operations. DevOps is the bridge between the developers, the servers and the infrastructure, and its main role is to automate the process of delivering code to operations.
DevOps on Wikipedia: DevOps is a software development process that emphasizes communication and collaboration between product management, software development, and operations professionals. DevOps also automates the process of software integration, testing, deployment and infrastructure changes.[1][2] It aims to establish a culture and environment where building, testing, and releasing software can happen rapidly, frequently, and more reliably.
