Definition 1: The AWS Developer is responsible for designing, deploying, and developing cloud applications on AWS platform
Definition 2: The AWS Developer Tools is a set of services designed to enable developers and IT operations professionals practicing DevOps to rapidly and safely deliver software.
The AWS Certified Developer Associate certification is a widely recognized certification that validates a candidate’s expertise in developing and maintaining applications on the Amazon Web Services (AWS) platform.
The certification is about to undergo a major change with the introduction of the new exam version DVA-C02, replacing the current DVA-C01. In this article, we will discuss the differences between the two exams and what candidates should consider in terms of preparation for the new DVA-C02 exam.
Quick facts
What’s happening?
The DVA-C01 exam is being replaced by the DVA-C02 exam.
When is this taking place?
The last day to take the current exam is February 27th, 2023 and the first day to take the new exam is February 28th, 2023.
What’s the difference?
The new exam features some new AWS services and features.
Main differences between DVA-C01 and DVA-C02
The table below details the differences between the DVA-C01 and DVA-C02 exams domains and weightings:
In terms of the exam content weightings, the DVA-C02 exam places a greater emphasis on deployment and management, with a slightly reduced emphasis on development and refactoring. This shift reflects the increased importance of operations and management in cloud computing, as well as the need for developers to have a strong understanding of how to deploy and maintain applications on the AWS platform.
One major difference between the two exams is the focus on the latest AWS services and features. The DVA-C02 exam covers around 57 services vs only 33 services in the DVA-C01. This reflects the rapidly evolving AWS ecosystem and the need for developers to be up-to-date with the latest services and features in order to effectively build and maintain applications on the platform.
Click the image above to watch our video about the NEW AWS Developer Associate Exam DVA-C02 from our youtube channel
In terms of preparation for the DVA-C02 exam, we strongly recommend enrolling in our on-demand training courses for the AWS Developer Associate certification. It is important for candidates to familiarize themselves with the latest AWS services and features, as well as the updated exam content weightings. Practical experience working with AWS services and hands-on experimentation with new services and features will be key to success on the exam. Candidates should also focus on their understanding of security best practices, access control, and compliance, as these topics will carry a greater weight in the new exam.
Frequently asked questions – FAQs:
In conclusion, the change from the DVA-C01 to the DVA-C02 exam represents a major shift in the focus and content of the AWS Certified Developer Associate certification. Candidates preparing for the new exam should focus on familiarizing themselves with the latest AWS services and features, as well as the updated exam content weightings, and placing a strong emphasis on security, governance, and compliance.
With the right preparation and focus, candidates can successfully navigate the changes in the DVA-C02 exam and maintain their status as a certified AWS Developer Associate.
AWS Developer and Deployment Theory Facts and summaries
Continuous Integration is about integrating or merging the code changes frequently, at least once per day. It enables multiple devs to work on the same application.
Continuous delivery is all about automating the build, test, and deployment functions.
Continuous Deployment fully automates the entire release process, code is deployed into Production as soon as it has successfully passed through the release pipeline.
AWS CodePipeline is a continuous integration/Continuous delivery service:
It automates your end-to-end software release process based on user defines workflow
It can be configured to automatically trigger your pipeline as soon as a change is detected in your source code repository
It integrates with other services from AWS like CodeBuild and CodeDeploy, as well as third party custom plug-ins.
AWS CodeBuild is a fully managed build service. It can build source code, run tests and produce software packages based on commands that you define yourself.
Dy default the buildspec.yml defines the build commands and settings used by CodeBuild to run your build.
AWS CodeDeploy is a fully managed automated deployment service and can be used as part of a Continuous Delivery or Continuous Deployment process.
There are 2 types of deployment approach:
In-place or Rolling update- you stop the application on each host and deploy the latest code. EC2 and on premise systems only. To roll back, you must re-deploy the previous version of the application.
Blue/Green : New instances are provisioned and the new application is deployed to these new instances. Traffic is routed to the new instances according to your own schedule. Supported for EC2, on-premise systems and Lambda functions. Rollback is easy, just route the traffic back to the original instances. Blue is active deployment, green is new release.
Docker allows you to package your software into Containers which you can run in Elastic Container Service (ECS)
A docker Container includes everything the software needs to run including code, libraries, runtime and environment variables etc..
A special file called Dockerfile is used to specify the instructions needed to assemble your Docker image.
Once built, Docker images can be stored in Elastic Container Registry (ECR) and ECS can then use the image to launch Docker Containers.
AWS CodeCommit is based on Git. It provides centralized repositories for all your code, binaries, images, and libraries.
CodeCommit tracks and manages code changes. It maintains version history.
CodeCommit manages updates from multiple sources and enables collaboration.
To support CORS, API resource needs to implement an OPTIONS method that can respond to the OPTIONS preflight request with following headers:
Access-Control-Allow-Headers
Access-Control-Allow-Origin
Access-Control-Allow-Methods
You have a legacy application that works via XML messages. You need to place the application behind the API gateway in order for customers to make API calls. Which of the following would you need to configure? You will need to work with the Request and Response Data mapping.
Your application currently points to several Lambda functions in AWS. A change is being made to one of the Lambda functions. You need to ensure that application traffic is shifted slowly from one Lambda function to the other. Which of the following steps would you carry out?
Create an ALIAS with the –routing-config parameter
Update the ALIAS with the –routing-config parameter
By default, an alias points to a single Lambda function version. When the alias is updated to point to a different function version, incoming request traffic in turn instantly points to the updated version. This exposes that alias to any potential instabilities introduced by the new version. To minimize this impact, you can implement the routing-config parameter of the Lambda alias that allows you to point to two different versions of the Lambda function and dictate what percentage of incoming traffic is sent to each version.
AWS CodeDeploy: The AppSpec file defines all the parameters needed for the deployment e.g. location of application files and pre/post deployment validation tests to run.
For Ec2 / On Premise systems, the appspec.yml file must be placed in the root directory of your revision (the same folder that contains your application code). Written in YAML.
For Lambda and ECS deployment, the AppSpec file can be YAML or JSON
Visual workflows are automatically created when working with which Step Functions
API Gateway stages store configuration for deployment. An API Gateway Stage refers to A snapshot of your API
AWS SWF Services SWF guarantees delivery order of messages/tasks
Blue/Green Deployments with CodeDeploy on AWS Lambda can happen in multiple ways. Which of these is a potential option? Linear, All at once, Canary
X-Ray Filter Expressions allow you to search through request information using characteristics like URL Paths, Trace ID, Annotations
S3 has eventual consistency for overwrite PUTS and DELETES.
What can you do to ensure the most recent version of your Lambda functions is in CodeDeploy? Specify the version to be deployed in AppSpec file.
https://docs.aws.amazon.com/codedeploy/latest/userguide/application-specification-files.htmlAppSpec Files on an Amazon ECS Compute Platform
If your application uses the Amazon ECS compute platform, the AppSpec file can be formatted with either YAML or JSON. It can also be typed directly into an editor in the console. The AppSpec file is used to specify:
The name of the Amazon ECS service and the container name and port used to direct traffic to the new task set. The functions to be used as validation tests. You can run validation Lambda functions after deployment lifecycle events. For more information, see AppSpec ‘hooks’ Section for an Amazon ECS Deployment, AppSpec File Structure for Amazon ECS Deployments , and AppSpec File Example for an Amazon ECS Deployment .
Q2: Which of the following practices allows multiple developers working on the same application to merge code changes frequently, without impacting each other and enables the identification of bugs early on in the release process?
Q5: You want to receive an email whenever a user pushes code to CodeCommit repository, how can you configure this?
A. Create a new SNS topic and configure it to poll for CodeCommit eveents. Ask all users to subscribe to the topic to receive notifications
B. Configure a CloudWatch Events rule to send a message to SES which will trigger an email to be sent whenever a user pushes code to the repository.
C. Configure Notifications in the console, this will create a CloudWatch events rule to send a notification to a SNS topic which will trigger an email to be sent to the user.
D. Configure a CloudWatch Events rule to send a message to SQS which will trigger an email to be sent whenever a user pushes code to the repository.
Q8: You are deploying a number of EC2 and RDS instances using CloudFormation. Which section of the CloudFormation template would you use to define these?
A. Transforms
B. Outputs
C. Resources
D. Instances
Answer: C. The Resources section defines your resources you are provisioning. Outputs is used to output user defines data relating to the resources you have built and can also used as input to another CloudFormation stack. Transforms is used to reference code located in S3.
Q9: Which AWS service can be used to fully automate your entire release process?
A. CodeDeploy
B. CodePipeline
C. CodeCommit
D. CodeBuild
Answer: B. AWS CodePipeline is a fully managed continuous delivery service that helps you automate your release pipelines for fast and reliable application and infrastructure updates
Q10: You want to use the output of your CloudFormation stack as input to another CloudFormation stack. Which sections of the CloudFormation template would you use to help you configure this?
A. Outputs
B. Transforms
C. Resources
D. Exports
Answer: A. Outputs is used to output user defines data relating to the resources you have built and can also used as input to another CloudFormation stack.
Q11: You have some code located in an S3 bucket that you want to reference in your CloudFormation template. Which section of the template can you use to define this?
A. Inputs
B. Resources
C. Transforms
D. Files
Answer: C. Transforms is used to reference code located in S3 and also specifying the use of the Serverless Application Model (SAM) for Lambda deployments. Transform: Name: ‘AWS::Include’ Parameters: Location: ‘s3://MyAmazonS3BucketName/MyFileName.yaml’
Q12: You are deploying an application to a number of Ec2 instances using CodeDeploy. What is the name of the file used to specify source files and lifecycle hooks?
Q13: Which of the following approaches allows you to re-use pieces of CloudFormation code in multiple templates, for common use cases like provisioning a load balancer or web server?
A. Share the code using an EBS volume
B. Copy and paste the code into the template each time you need to use it
C. Use a cloudformation nested stack
D. Store the code you want to re-use in an AMI and reference the AMI from within your CloudFormation template.
Q15:You need to setup a RESTful API service in AWS that would be serviced via the following url https://democompany.com/customers Which of the following combination of services can be used for development and hosting of the RESTful service? Choose 2 answers from the options below
Q16: As a developer, you have created a Lambda function that is used to work with a bucket in Amazon S3. The Lambda function is not working as expected. You need to debug the issue and understand what’s the underlying issue. How can you accomplish this in an easily understandable way?
A. Use AWS Cloudwatch metrics
B. Put logging statements in your code
C. Set the Lambda function debugging level to verbose
D. Use AWS Cloudtrail logs
Answer: B You can insert logging statements into your code to help you validate that your code is working as expected. Lambda automatically integrates with Amazon CloudWatch Logs and pushes all logs from your code to a CloudWatch Logs group associated with a Lambda function (/aws/lambda/). Reference: Using Amazon CloudWatch
Q17: You have a lambda function that is processed asynchronously. You need a way to check and debug issues if the function fails? How could you accomplish this?
A. Use AWS Cloudwatch metrics
B. Assign a dead letter queue
C. Congure SNS notications
D. Use AWS Cloudtrail logs
Answer: B Any Lambda function invoked asynchronously is retried twice before the event is discarded. If the retries fail and you’re unsure why, use Dead Letter Queues (DLQ) to direct unprocessed events to an Amazon SQS queue or an Amazon SNS topic to analyze the failure. Reference: AWS Lambda Function Dead Letter Queues
Q18: You are developing an application that is going to make use of Amazon Kinesis. Due to the high throughput , you decide to have multiple shards for the streams. Which of the following is TRUE when it comes to processing data across multiple shards?
A. You cannot guarantee the order of data across multiple shards. Its possible only within a shard
B. Order of data is possible across all shards in a streams
C. Order of data is not possible at all in Kinesis streams
D. You need to use Kinesis firehose to guarantee the order of data
Answer: A Kinesis Data Streams lets you order records and read and replay records in the same order to many Kinesis Data Streams applications. To enable write ordering, Kinesis Data Streams expects you to call the PutRecord API to write serially to a shard while using the sequenceNumberForOrdering parameter. Setting this parameter guarantees strictly increasing sequence numbers for puts from the same client and to the same partition key. Option A is correct as it cannot guarantee the ordering of records across multiple shards. Reference: How to perform ordered data replication between applications by using Amazon DynamoDB Streams
Q19: You’ve developed a Lambda function and are now in the process of debugging it. You add the necessary print statements in the code to assist in the debugging. You go to Cloudwatch logs , but you see no logs for the lambda function. Which of the following could be the underlying issue for this?
A. You’ve not enabled versioning for the Lambda function
B. The IAM Role assigned to the Lambda function does not have the necessary permission to create Logs
C. There is not enough memory assigned to the function
D. There is not enough time assigned to the function
Answer: B “If your Lambda function code is executing, but you don’t see any log data being generated after several minutes, this could mean your execution role for the Lambda function did not grant permissions to write log data to CloudWatch Logs. For information about how to make sure that you have set up the execution role correctly to grant these permissions, see Manage Permissions: Using an IAM Role (Execution Role)”.
Q20: Your application is developed to pick up metrics from several servers and push them off to Cloudwatch. At times , the application gets client 429 errors. Which of the following can be done from the programming side to resolve such errors?
A. Use the AWS CLI instead of the SDK to push the metrics
B. Ensure that all metrics have a timestamp before sending them across
C. Use exponential backoff in your request
D. Enable encryption for the requests
Answer: C. The main reason for such errors is that throttling is occurring when many requests are sent via API calls. The best way to mitigate this is to stagger the rate at which you make the API calls. In addition to simple retries, each AWS SDK implements exponential backoff algorithm for better flow control. The idea behind exponential backoff is to use progressively longer waits between retries for consecutive error responses. You should implement a maximum delay interval, as well as a maximum number of retries. The maximum delay interval and maximum number of retries are not necessarily fixed values and should be set based on the operation being performed, as well as other local factors, such as network latency. Reference: Error Retries and Exponential Backoff in AWS
Q21: You have been instructed to use the CodePipeline service for the CI/CD automation in your company. Due to security reasons , the resources that would be part of the deployment are placed in another account. Which of the following steps need to be carried out to accomplish this deployment? Choose 2 answers from the options given below
A. Dene a customer master key in KMS
B. Create a reference Code Pipeline instance in the other account
C. Add a cross account role
D. Embed the access keys in the codepipeline process
Answer: A. and C. You might want to create a pipeline that uses resources created or managed by another AWS account. For example, you might want to use one account for your pipeline and another for your AWS CodeDeploy resources. To do so, you must create a AWS Key Management Service (AWS KMS) key to use, add the key to the pipeline, and set up account policies and roles to enable cross-account access. Reference: Create a Pipeline in CodePipeline That Uses Resources from Another AWS Account
Q22: You are planning on deploying an application to the worker role in Elastic Beanstalk. Moreover, this worker application is going to run the periodic tasks. Which of the following is a must have as part of the deployment?
A. An appspec.yaml file
B. A cron.yaml file
C. A cron.cong file
D. An appspec.json file
Answer: B. Create an Application Source Bundle When you use the AWS Elastic Beanstalk console to deploy a new application or an application version, you’ll need to upload a source bundle. Your source bundle must meet the following requirements: Consist of a single ZIP file or WAR file (you can include multiple WAR files inside your ZIP file) Not exceed 512 MB Not include a parent folder or top-level directory (subdirectories are fine) If you want to deploy a worker application that processes periodic background tasks, your application source bundle must also include a cron.yaml file. For more information, see Periodic Tasks.
Q23: An application needs to make use of an SQS queue for working with messages. An SQS queue has been created with the default settings. The application needs 60 seconds to process each message. Which of the following step need to be carried out by the application.
A. Change the VisibilityTimeout for each message and then delete the message after processing is completed
B. Delete the message and change the visibility timeout.
C. Process the message , change the visibility timeout. Delete the message
D. Process the message and delete the message
Answer: A If the SQS queue is created with the default settings , then the default visibility timeout is 30 seconds. And since the application needs more time for processing , you first need to change the timeout and delete the message after it is processed. Reference: Amazon SQS Visibility Timeout
Q24: AWS CodeDeploy deployment fails to start & generate following error code, ”HEALTH_CONSTRAINTS_INVALID”, Which of the following can be used to eliminate this error?
A. Make sure the minimum number of healthy instances is equal to the total number of instances in the deployment group.
B. Increase the number of healthy instances required during deployment
C. Reduce number of healthy instances required during deployment
D. Make sure the number of healthy instances is equal to the specified minimum number of healthy instances.
Answer: C AWS CodeDeploy generates ”HEALTH_CONSTRAINTS_INVALID” error, when a minimum number of healthy instances defined in deployment group are not available during deployment. To mitigate this error, make sure required number of healthy instances are available during deployments. Reference: Error Codes for AWS CodeDeploy
B. A specific snapshot of all of your API’s settings, resources, and methods
C. A specific snapshot of your API’s resources
D. A specific snapshot of your API’s resources and methods
Answer: D. AWS API Gateway Deployments are a snapshot of all the resources and methods of your API and their configuration. Reference: Deploying a REST API in Amazon API Gateway
Q29: A SWF workflow task or task execution can live up to how long?
A. 1 Year
B. 14 days
C. 24 hours
D. 3 days
Answer: A. 1 Year Each workflow execution can run for a maximum of 1 year. Each workflow execution history can grow up to 25,000 events. If your use case requires you to go beyond these limits, you can use features Amazon SWF provides to continue executions and structure your applications using child workflow executions. Reference: Amazon SWF FAQs
Q30: With AWS Step Functions, all the work in your state machine is done by tasks. These tasks performs work by using what types of things? (Choose the best 3 answers)
A. An AWS Lambda Function Integration
B. Passing parameters to API actions of other services
A. A decider program that is written in the language of the developer’s choice
B. A visual workflow created in the SWF visual workflow editor
C. A JSON-defined state machine that contains states within it to select the next step to take
D. SWF outsources all decisions to human deciders through the AWS Mechanical Turk service.
Answer: A. SWF allows the developer to write their own application logic to make decisions and determine how to evaluate incoming data. Q: What programming conveniences does Amazon SWF provide to write applications? Like other AWS services, Amazon SWF provides a core SDK for the web service APIs. Additionally, Amazon SWF offers an SDK called the AWS Flow Framework that enables you to develop Amazon SWF-based applications quickly and easily. AWS Flow Framework abstracts the details of task-level coordination with familiar programming constructs. While running your program, the framework makes calls to Amazon SWF, tracks your program’s execution state using the execution history kept by Amazon SWF, and invokes the relevant portions of your code at the right times. By offering an intuitive programming framework to access Amazon SWF, AWS Flow Framework enables developers to write entire applications as asynchronous interactions structured in a workflow. For more details, please see What is the AWS Flow Framework? Reference:
Q34: CodePipeline pipelines are workflows that deal with stages, actions, transitions, and artifacts. Which of the following statements is true about these concepts?
A. Stages contain at least two actions
B. Artifacts are never modified or iterated on when used inside of CodePipeline
C. Stages contain at least one action
D. Actions will have a deployment artifact as either an input an output or both
Q35: When deploying a simple Python web application with Elastic Beanstalk which of the following AWS resources will be created and managed for you by Elastic Beanstalk?
A. An Elastic Load Balancer
B. An S3 Bucket
C. A Lambda Function
D. An EC2 instance
Answer: A. B. and D. AWS Elastic Beanstalk uses proven AWS features and services, such as Amazon EC2, Amazon RDS, Elastic Load Balancing, Auto Scaling, Amazon S3, and Amazon SNS, to create an environment that runs your application. The current version of AWS Elastic Beanstalk uses the Amazon Linux AMI or the Windows Server 2012 R2 AMI. Reference: AWS Elastic Beanstalk FAQs
A. Deploy and scale web applications and services developed with a supported platform
B. Deploy and scale serverless applications
C. Deploy and scale applications based purely on EC2 instances
D. Manage the deployment of all AWS infrastructure resources of your AWS applications
Answer: A. Who should use AWS Elastic Beanstalk? Those who want to deploy and manage their applications within minutes in the AWS Cloud. You don’t need experience with cloud computing to get started. AWS Elastic Beanstalk supports Java, .NET, PHP, Node.js, Python, Ruby, Go, and Docker web applications. Reference:
Q41: How does using ElastiCache help to improve database performance?
A. It can store petabytes of data
B. It provides faster internet speeds
C. It can store the results of frequent or highly-taxing queries
D. It uses read replicas
Answer: C. With ElastiCache, customers get all of the benefits of a high-performance, in-memory cache with less of the administrative burden involved in launching and managing a distributed cache. The service makes setup, scaling, and cluster failure handling much simpler than in a self-managed cache deployment. Reference: Amazon ElastiCache
Q42: Which of the following best describes the Lazy Loading caching strategy?
A. Every time the underlying database is written to or updated the cache is updated with the new information.
B. Every miss to the cache is counted and when a specific number is reached a full copy of the database is migrated to the cache
C. A specific amount of time is set before the data in the cache is marked as expired. After expiration, a request for expired data will be made through to the backing database.
D. Data is added to the cache when a cache miss occurs (when there is no data in the cache and the request must go to the database for that data)
Answer: D. Amazon ElastiCache is an in-memory key/value store that sits between your application and the data store (database) that it accesses. Whenever your application requests data, it first makes the request to the ElastiCache cache. If the data exists in the cache and is current, ElastiCache returns the data to your application. If the data does not exist in the cache, or the data in the cache has expired, your application requests the data from your data store which returns the data to your application. Your application then writes the data received from the store to the cache so it can be more quickly retrieved next time it is requested. Reference: Lazy Loading
Q45: You have just set up a push notification service to send a message to an app installed on a device with the Apple Push Notification Service. It seems to work fine. You now want to send a message to an app installed on devices for multiple platforms, those being the Apple Push Notification Service(APNS) and Google Cloud Messaging for Android (GCM). What do you need to do first for this to be successful?
A. Request Credentials from Mobile Platforms, so that each device has the correct access control policies to access the SNS publisher
B. Create a Platform Application Object which will connect all of the mobile devices with your app to the correct SNS topic.
C. Request a Token from Mobile Platforms, so that each device has the correct access control policies to access the SNS publisher.
D. Get a set of credentials in order to be able to connect to the push notification service you are trying to setup.
Answer: D. To use Amazon SNS mobile push notifications, you need to establish a connection with a supported push notification service. This connection is established using a set of credentials. Reference: Add Device Tokens or Registration IDs
Q46: SNS message can be sent to different kinds of endpoints. Which of these is NOT currently a supported endpoint?
A. Slack Messages
B. SMS (text message)
C. HTTP/HTTPS
D. AWS Lambda
Answer: A. Slack messages are not directly integrated with SNS, though theoretically, you could write a service to push messages to slack from SNS. Reference:
Q47: Company B provides an online image recognition service and utilizes SQS to decouple system components for scalability. The SQS consumers poll the imaging queue as often as possible to keep end-to-end throughput as high as possible. However, Company B is realizing that polling in tight loops is burning CPU cycles and increasing costs with empty responses. How can Company B reduce the number empty responses?
A. Set the imaging queue VisibilityTimeout attribute to 20 seconds
B. Set the imaging queue MessageRetentionPeriod attribute to 20 seconds
C. Set the imaging queue ReceiveMessageWaitTimeSeconds Attribute to 20 seconds
D. Set the DelaySeconds parameter of a message to 20 seconds
Answer: C. Enabling long polling reduces the amount of false and empty responses from SQS service. It also reduces the number of calls that need to be made to a queue by staying connected to the queue until all messages have been received or until timeout. In order to enable long polling the ReceiveMessageWaitTimeSeconds attribute needs to be set to a number greater than 0. If it is set to 0 then short polling is enabled. Reference: Amazon SQS Long Polling
Q48: Which of the following statements about SQS standard queues are true?
A. Message order can be indeterminate – you’re not guaranteed to get messages in the same order they were sent in
B. Messages will be delivered exactly once and messages will be delivered in First in, First out order
C. Messages will be delivered exactly once and message delivery order is indeterminate
D. Messages can be delivered one or more times
Answer: A. and D. A standard queue makes a best effort to preserve the order of messages, but more than one copy of a message might be delivered out of order. If your system requires that order be preserved, we recommend using a FIFO (First-In-First-Out) queue or adding sequencing information in each message so you can reorder the messages when they’re received. Reference: Amazon SQS Standard Queues
Q49: Which of the following is true if long polling is enabled?
A. If long polling is enabled, then each poll only polls a subset of SQS servers; in order for all messages to be received, polling must continuously occur
B. The reader will listen to the queue until timeout
C. Increases costs because each request lasts longer
D. The reader will listen to the queue until a message is available or until timeout
Q50: When dealing with session state in EC2-based applications using Elastic load balancers which option is generally thought of as the best practice for managing user sessions?
A. Having the ELB distribute traffic to all EC2 instances and then having the instance check a caching solution like ElastiCache running Redis or Memcached for session information
B. Permanently assigning users to specific instances and always routing their traffic to those instances
C. Using Application-generated cookies to tie a user session to a particular instance for the cookie duration
D. Using Elastic Load Balancer generated cookies to tie a user session to a particular instance
Q52: Your application must write to an SQS queue. Your corporate security policies require that AWS credentials are always encrypted and are rotated at least once a week. How can you securely provide credentials that allow your application to write to the queue?
A. Have the application fetch an access key from an Amazon S3 bucket at run time.
B. Launch the application’s Amazon EC2 instance with an IAM role.
C. Encrypt an access key in the application source code.
D. Enroll the instance in an Active Directory domain and use AD authentication.
Answer: B. IAM roles are based on temporary security tokens, so they are rotated automatically. Keys in the source code cannot be rotated (and are a very bad idea). It’s impossible to retrieve credentials from an S3 bucket if you don’t already have credentials for that bucket. Active Directory authorization will not grant access to AWS resources. Reference: AWS IAM FAQs
Q53: Your web application reads an item from your DynamoDB table, changes an attribute, and then writes the item back to the table. You need to ensure that one process doesn’t overwrite a simultaneous change from another process. How can you ensure concurrency?
A. Implement optimistic concurrency by using a conditional write.
B. Implement pessimistic concurrency by using a conditional write.
C. Implement optimistic concurrency by locking the item upon read.
D. Implement pessimistic concurrency by locking the item upon read.
Answer: A. Optimistic concurrency depends on checking a value upon save to ensure that it has not changed. Pessimistic concurrency prevents a value from changing by locking the item or row in the database. DynamoDB does not support item locking, and conditional writes are perfect for implementing optimistic concurrency. Reference: Optimistic Locking With Version Number
Answer: C. The intrinsic function Fn::FindInMap returns the value corresponding to keys in a two-level map that is declared in the Mappings section. You can use the Fn::FindInMap function to return a named value based on a specified key. The following example template contains an Amazon EC2 resource whose ImageId property is assigned by the FindInMap function. The FindInMap function specifies key as the region where the stack is created (using the AWS::Region pseudo parameter) and HVM64 as the name of the value to map to. Reference:
Q56: Your application triggers events that must be delivered to all your partners. The exact partner list is constantly changing: some partners run a highly available endpoint, and other partners’ endpoints are online only a few hours each night. Your application is mission-critical, and communication with your partners must not introduce delay in its operation. A delay in delivering the event to one partner cannot delay delivery to other partners.
What is an appropriate way to code this?
A. Implement an Amazon SWF task to deliver the message to each partner. Initiate an Amazon SWF workflow execution.
B. Send the event as an Amazon SNS message. Instruct your partners to create an HTTP. Subscribe their HTTP endpoint to the Amazon SNS topic.
C. Create one SQS queue per partner. Iterate through the queues and write the event to each one. Partners retrieve messages from their queue.
D. Send the event as an Amazon SNS message. Create one SQS queue per partner that subscribes to the Amazon SNS topic. Partners retrieve messages from their queue.
Answer: D. There are two challenges here: the command must be “fanned out” to a variable pool of partners, and your app must be decoupled from the partners because they are not highly available. Sending the command as an SNS message achieves the fan-out via its publication/subscribe model, and using an SQS queue for each partner decouples your app from the partners. Writing the message to each queue directly would cause more latency for your app and would require your app to monitor which partners were active. It would be difficult to write an Amazon SWF workflow for a rapidly changing set of partners.
Q57: You have a three-tier web application (web, app, and data) in a single Amazon VPC. The web and app tiers each span two Availability Zones, are in separate subnets, and sit behind ELB Classic Load Balancers. The data tier is a Multi-AZ Amazon RDS MySQL database instance in database subnets. When you call the database tier from your app tier instances, you receive a timeout error. What could be causing this?
A. The IAM role associated with the app tier instances does not have rights to the MySQL database.
B. The security group for the Amazon RDS instance does not allow traffic on port 3306 from the app instances.
C. The Amazon RDS database instance does not have a public IP address.
D. There is no route defined between the app tier and the database tier in the Amazon VPC.
Answer: B. Security groups block all network traffic by default, so if a group is not correctly configured, it can lead to a timeout error. MySQL security, not IAM, controls MySQL security. All subnets in an Amazon VPC have routes to all other subnets. Internal traffic within an Amazon VPC does not require public IP addresses.
Q58: What type of block cipher does Amazon S3 offer for server side encryption?
A. RC5
B. Blowfish
C. Triple DES
D. Advanced Encryption Standard
Answer: D Amazon S3 server-side encryption uses one of the strongest block ciphers available, 256-bit Advanced Encryption Standard (AES-256), to encrypt your data.
Q59: You have written an application that uses the Elastic Load Balancing service to spread traffic to several web servers Your users complain that they are sometimes forced to login again in the middle of using your application, after they have already togged in. This is not behaviour you have designed. What is a possible solution to prevent this happening?
A. Use instance memory to save session state.
B. Use instance storage to save session state.
C. Use EBS to save session state
D. Use ElastiCache to save session state.
E. Use Glacier to save session slate.
Answer: D. You can cache a variety of objects using the service, from the content in persistent data stores (such as Amazon RDS, DynamoDB, or self-managed databases hosted on EC2) to dynamically generated web pages (with Nginx for example), or transient session data that may not require a persistent backing store. You can also use it to implement high-frequency counters to deploy admission control in high volume web applications.
Q60: You are writing to a DynamoDB table and receive the following exception:” ProvisionedThroughputExceededException”. though according to your Cloudwatch metrics for the table, you are not exceeding your provisioned throughput. What could be an explanation for this?
A. You haven’t provisioned enough DynamoDB storage instances
B. You’re exceeding your capacity on a particular Range Key
C. You’re exceeding your capacity on a particular Hash Key
D. You’re exceeding your capacity on a particular Sort Key
E. You haven’t configured DynamoDB Auto Scaling triggers
Answer: C. The primary key that uniquely identifies each item in a DynamoDB table can be simple (a partition key only) or composite (a partition key combined with a sort key). Generally speaking, you should design your application for uniform activity across all logical partition keys in the Table and its secondary indexes. You can determine the access patterns that your application requires, and estimate the total read capacity units and write capacity units that each table and secondary Index requires.
As traffic starts to flow, DynamoDB automatically supports your access patterns using the throughput you have provisioned, as long as the traffic against a given partition key does not exceed 3000 read capacity units or 1000 write capacity units.
Q61: Which DynamoDB limits can be raised by contacting AWS support?
A. The number of hash keys per account
B. The maximum storage used per account
C. The number of tables per account
D. The number of local secondary indexes per account
E. The number of provisioned throughput units per account
Answer: C. and E.
For any AWS account, there is an initial limit of 256 tables per region. AWS places some default limits on the throughput you can provision. These are the limits unless you request a higher amount. To request a service limit increase see https://aws.amazon.com/support.Reference: Limits in DynamoDB
Q62: AWS CodeBuild allows you to compile your source code, run unit tests, and produce deployment artifacts by:
A. Allowing you to provide an Amazon Machine Image to take these actions within
B. Allowing you to select an Amazon Machine Image and provide a User Data bootstrapping script to prepare an instance to take these actions within
C. Allowing you to provide a container image to take these actions within
D. Allowing you to select from pre-configured environments to take these actions within
Answer: C. and D. You can provide your own custom container image to build your deployment artifacts. You never actually pass a specific AMI to CodeBuild. Though you can provide a custom docker image which you could basically ‘bootstrap’ for the purposes of your build. Reference: AWS CodeBuild Faqs
Q63: Which of the following will not cause a CloudFormation stack deployment to rollback?
A. The template contains invalid JSON syntax
B. An AMI specified in the template exists in a different region than the one in which the stack is being deployed.
C. A subnet specified in the template does not exist
D. The template specifies an instance-store backed AMI and an incompatible EC2 instance type.
Answer: A. Invalid JSON syntax will cause an error message during template validation. Until the syntax is fixed, the template will not be able to deploy resources, so there will not be a need to or opportunity to rollback. Reference: AWS CloudFormatio Faqs
Q64: Your team is using CodeDeploy to deploy an application which uses secure parameters that are stored in the AWS System Mangers Parameter Store. What two options below must be completed so CodeDeploy can deploy the application?
A. Use ssm get-parameters with –with-decryption option
B. Add permissions using AWS access keys
C. Add permissions using AWS IAM role
D. Use ssm get-parameters with –with-no-decryption option
Q65: A corporate web application is deployed within an Amazon VPC, and is connected to the corporate data center via IPSec VPN. The application must authenticate against the on-premise LDAP server. Once authenticated, logged-in users can only access an S3 keyspace specific to the user. Which of the solutions below meet these requirements? Choose two answers How would you authenticate to the application given these details? (Choose 2)
A. The application authenticates against LDAP, and retrieves the name of an IAM role associated with the user. The application then calls the IAM Security Token Service to assume that IAM Role. The application can use the temporary credentials to access the S3 keyspace.
B. Develop an identity broker which authenticates against LDAP, and then calls IAM Security Token Service to get IAM federated user credentials. The application calls the identity broker to get IAM federated user credentials with access to the appropriate S3 keyspace
C. Develop an identity broker which authenticates against IAM Security Token Service to assume an IAM Role to get temporary AWS security credentials. The application calls the identity broker to get AWS temporary security credentials with access to the app
D. The application authenticates against LDAP. The application then calls the IAM Security Service to login to IAM using the LDAP credentials. The application can use the IAM temporary credentials to access the appropriate S3 bucket.
Answer: A. and B. The question clearly says “authenticate against LDAP”. Temporary credentials come from STS. Federated user credentials come from the identity broker. Reference: IAM faqs
Q66: A corporate web application is deployed within an Amazon VPC, and is connected to the corporate data center via IPSec VPN. The application must authenticate against the on-premise LDAP server. Once authenticated, logged-in users can only access an S3 keyspace specific to the user. Which of the solutions below meet these requirements? Choose two answers How would you authenticate to the application given these details? (Choose 2)
A. The application authenticates against LDAP, and retrieves the name of an IAM role associated with the user. The application then calls the IAM Security Token Service to assume that IAM Role. The application can use the temporary credentials to access the S3 keyspace.
B. Develop an identity broker which authenticates against LDAP, and then calls IAM Security Token Service to get IAM federated user credentials. The application calls the identity broker to get IAM federated user credentials with access to the appropriate S3 keyspace
C. Develop an identity broker which authenticates against IAM Security Token Service to assume an IAM Role to get temporary AWS security credentials. The application calls the identity broker to get AWS temporary security credentials with access to the app
D. The application authenticates against LDAP. The application then calls the IAM Security Service to login to IAM using the LDAP credentials. The application can use the IAM temporary credentials to access the appropriate S3 bucket.
Answer: A. and B. The question clearly says “authenticate against LDAP”. Temporary credentials come from STS. Federated user credentials come from the identity broker. Reference: AWA STS Faqs
Q67: When users are signing in to your application using Cognito, what do you need to do to make sure if the user has compromised credentials, they must enter a new password?
A. Create a user pool in Cognito
B. Block use for “Compromised credential” in the Basic security section
C. Block use for “Compromised credential” in the Advanced security section
D. Use secure remote password
Answer: A. and C. Amazon Cognito can detect if a user’s credentials (user name and password) have been compromised elsewhere. This can happen when users reuse credentials at more than one site, or when they use passwords that are easy to guess.
From the Advanced security page in the Amazon Cognito console, you can choose whether to allow, or block the user if compromised credentials are detected. Blocking requires users to choose another password. Choosing Allow publishes all attempted uses of compromised credentials to Amazon CloudWatch. For more information, see Viewing Advanced Security Metrics.
You can also choose whether Amazon Cognito checks for compromised credentials during sign-in, sign-up, and password changes.
Note Currently, Amazon Cognito doesn’t check for compromised credentials for sign-in operations with Secure Remote Password (SRP) flow, which doesn’t send the password during sign-in. Sign-ins that use the AdminInitiateAuth API with ADMIN_NO_SRP_AUTH flow and the InitiateAuth API with USER_PASSWORD_AUTH flow are checked for compromised credentials.
Q68: You work in a large enterprise that is currently evaluating options to migrate your 27 GB Subversion code base. Which of the following options is the best choice for your organization?
A. AWS CodeHost
B. AWS CodeCommit
C. AWS CodeStart
D. None of these
Answer: D. None of these. While CodeCommit is a good option for git reponsitories it is not able to host Subversion source control.
Q69: You are on a development team and you need to migrate your Spring Application over to AWS. Your team is looking to build, modify, and test new versions of the application. What AWS services could help you migrate your app?
A. Elastic Beanstalk
B. SQS
C. Ec2
D. AWS CodeDeploy
Answer: A. C. and D. Amazon EC2 can be used to deploy various applications to your AWS Infrastructure. AWS CodeDeploy is a deployment service that automates application deployments to Amazon EC2 instances, on-premises instances, or serverless Lambda functions.
Q70: You are a developer responsible for managing a high volume API running in your company’s datacenter. You have been asked to implement a similar API, but one that has potentially higher volume. And you must do it in the most cost effective way, using as few services and components as possible. The API stores and fetches data from a key value store. Which services could you utilize in AWS?
A. DynamoDB
B. Lambda
C. API Gateway
D. EC2
Answer: A. and C. NoSQL databases like DynamoDB are designed for key value usage. DynamoDB can also handle incredible volumes and is cost effective. AWS API Gateway makes it easy for developers to create, publish, maintain, monitor, and secure APIs.
Q72: AWS X-Ray was recently implemented inside of a service that you work on. Several weeks later, after a new marketing push, that service started seeing a large spike in traffic and you’ve been tasked with investigating a few issues that have started coming up but when you review the X-Ray data you can’t find enough information to draw conclusions so you decide to:
A. Start passing in the X-Amzn-Trace-Id: True HTTP header from your upstream requests
B. Refactor the service to include additional calls to the X-Ray API using an AWS SDK
C. Update the sampling algorithm to increase the sample rate and instrument X-Ray to collect more pertinent information
D. Update your application to use the custom API Gateway TRACE method to send in data
Answer: C. This is a good way to solve the problem – by customizing the sampling so that you can get more relevant information.
Q75: Which of the following is the right sequence that gets called in CodeDeploy when you use Lambda hooks in an EC2/On-Premise Deployment?
A. Before Install-AfterInstall-Validate Service-Application Start
B. Before Install-After-Install-Application Stop-Application Start
C. Before Install-Application Stop-Validate Service-Application Start
D. Application Stop-Before Install-After Install-Application Start
Answer: D. In an in-place deployment, including the rollback of an in-place deployment, event hooks are run in the following order:
Note An AWS Lambda hook is one Lambda function specified with a string on a new line after the name of the lifecycle event. Each hook is executed once per deployment. Following are descriptions of the lifecycle events where you can run a hook during an Amazon ECS deployment.
BeforeInstall – Use to run tasks before the replacement task set is created. One target group is associated with the original task set. If an optional test listener is specified, it is associated with the original task set. A rollback is not possible at this point. AfterInstall – Use to run tasks after the replacement task set is created and one of the target groups is associated with it. If an optional test listener is specified, it is associated with the original task set. The results of a hook function at this lifecycle event can trigger a rollback. AfterAllowTestTraffic – Use to run tasks after the test listener serves traffic to the replacement task set. The results of a hook function at this point can trigger a rollback. BeforeAllowTraffic – Use to run tasks after the second target group is associated with the replacement task set, but before traffic is shifted to the replacement task set. The results of a hook function at this lifecycle event can trigger a rollback. AfterAllowTraffic – Use to run tasks after the second target group serves traffic to the replacement task set. The results of a hook function at this lifecycle event can trigger a rollback. Run Order of Hooks in an Amazon ECS Deployment
In an Amazon ECS deployment, event hooks run in the following order:
For in-place deployments, the six hooks related to blocking and allowing traffic apply only if you specify a Classic Load Balancer, Application Load Balancer, or Network Load Balancer from Elastic Load Balancing in the deployment group.Note The Start, DownloadBundle, Install, and End events in the deployment cannot be scripted, which is why they appear in gray in this diagram. However, you can edit the ‘files’ section of the AppSpec file to specify what’s installed during the Install event.
Q76: Describe the process of registering a mobile device with SNS push notification service using GCM.
A. Receive Registration ID and token for each mobile device. Then, register the mobile application with Amazon SNS, and pass the GCM token credentials to Amazon SNS
B. Pass device token to SNS to create mobile subscription endpoint for each mobile device, then request the device token from each mobile device. SNS then communicates on your behalf to the GCM service
C. None of these are correct
D. Submit GCM notification credentials to Amazon SNS, then receive the Registration ID for each mobile device. After that, pass the device token to SNS, and SNS then creates a mobile subscription endpoint for each device and communicates with the GCM service on your behalf
Answer: D. When you first register an app and mobile device with a notification service, such as Apple Push Notification Service (APNS) and Google Cloud Messaging for Android (GCM), device tokens or registration IDs are returned from the notification service. When you add the device tokens or registration IDs to Amazon SNS, they are used with the PlatformApplicationArn API to create an endpoint for the app and device. When Amazon SNS creates the endpoint, an EndpointArn is returned. The EndpointArn is how Amazon SNS knows which app and mobile device to send the notification message to.
Q77: You run an ad-supported photo sharing website using S3 to serve photos to visitors of your site. At some point you find out that other sites have been linking to the photos on your site, causing loss to your business. What is an effective method to mitigate this?
A. Store photos on an EBS volume of the web server.
B. Block the IPs of the offending websites in Security Groups.
C. Remove public read access and use signed URLs with expiry dates.
D. Use CloudFront distributions for static content.
Answer: C. This solves the issue, but does require you to modify your website. Your website already uses S3, so it doesn’t require a lot of changes. See the docs for details: http://docs.aws.amazon.com/AmazonS3/latest/dev/ShareObjectPreSignedURL.html
CloudFront on its own doesn’t prevent unauthorized access and requires you to add a whole new layer to your stack (which may make sense anyway). You can serve private content, but you’d have to use signed URLs or similar mechanism. Here are the docs: http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/PrivateContent.html
Q78: How can you control access to the API Gateway in your environment?
A. Cognito User Pools
B. Lambda Authorizers
C. API Methods
D. API Stages
Answer: A. and B. Access to a REST API Using Amazon Cognito User Pools as Authorizer As an alternative to using IAM roles and policies or Lambda authorizers (formerly known as custom authorizers), you can use an Amazon Cognito user pool to control who can access your API in Amazon API Gateway.
To use an Amazon Cognito user pool with your API, you must first create an authorizer of the COGNITO_USER_POOLS type and then configure an API method to use that authorizer. After the API is deployed, the client must first sign the user in to the user pool, obtain an identity or access token for the user, and then call the API method with one of the tokens, which are typically set to the request’s Authorization header. The API call succeeds only if the required token is supplied and the supplied token is valid, otherwise, the client isn’t authorized to make the call because the client did not have credentials that could be authorized.
The identity token is used to authorize API calls based on identity claims of the signed-in user. The access token is used to authorize API calls based on the custom scopes of specified access-protected resources. For more information, see Using Tokens with User Pools and Resource Server and Custom Scopes.
Q80: Company B provides an online image recognition service and utilizes SQS to decouple system components for scalability. The SQS consumers poll the imaging queue as often as possible to keep end-to-end throughput as high as possible. However, Company B is realizing that polling in tight loops is burning CPU cycles and increasing costs with empty responses. How can Company B reduce the number of empty responses?
A. Set the imaging queue MessageRetentionPeriod attribute to 20 seconds.
B. Set the imaging queue ReceiveMessageWaitTimeSeconds attribute to 20 seconds.
C. Set the imaging queue VisibilityTimeout attribute to 20 seconds.
D. Set the DelaySeconds parameter of a message to 20 seconds.
Answer: B. ReceiveMessageWaitTimeSeconds, when set to greater than zero, enables long polling. Long polling allows the Amazon SQS service to wait until a message is available in the queue before sending a response. Short polling continuously pools a queue and can have false positives. Enabling long polling reduces the number of poll requests, false positives, and empty responses. Reference: AWS SQS Long Polling
81: You’re using CloudFormation templates to build out staging environments. What section of the CloudFormation would you edit in order to allow the user to specify the PEM key-name at start time?
A. Resources Section
B. Parameters Section
C. Mappings Section
D. Declaration Section
Answer:B.
Parameters property type in CloudFormation allows you to accept user input when starting the CloudFormation template. It allows you to reference the user input as variable throughout your CloudFormation template. Other examples might include asking the user starting the template to provide Domain admin passwords, instance size, pem key, region, and other dynamic options.
Q82: You are writing an AWS CloudFormation template and you want to assign values to properties that will not be available until runtime. You know that you can use intrinsic functions to do this but are unsure as to which part of the template they can be used in. Which of the following is correct in describing how you can currently use intrinsic functions in an AWS CloudFormation template?
A. You can use intrinsic functions in any part of a template, except AWSTemplateFormatVersion and Description
B. You can use intrinsic functions in any part of a template.
C. You can use intrinsic functions only in the resource properties part of a template.
D. You can only use intrinsic functions in specific parts of a template. You can use intrinsic functions in resource properties, metadata attributes, and update policy attributes.
Answer: D.
You can use intrinsic functions only in specific parts of a template. Currently, you can use intrinsic functions in resource properties, outputs, metadata attributes, and update policy attributes. You can also use intrinsic functions to conditionally create stack resources.
Today I Learned (TIL) You learn something new every day; what did you learn today? Submit interesting and specific facts about something that you just found out here.
Reddit Science This community is a place to share and discuss new scientific research. Read about the latest advances in astronomy, biology, medicine, physics, social science, and more. Find and submit new publications and popular science coverage of current research.