AWS Whizlabs 4

VPC Gateway Endpoint

- What services is it used to reach?

- Does it use DNS?

- Does it use route tables?
Click the card to flip 👆
1 / 43
Terms in this set (43)
VPC Gateway Endpoint

- What services is it used to reach?

- Does it use DNS?

- Does it use route tables?
- Gateway in VPC
(can use instead of IGW or NGW)

- Used to reach public endpoints of S3 and DynamoDB

- No DNS used

- Yes. Specify a VPC gateway endpoint as a target in the RT to access services from VPC
VPC Interface Endpoint

- What services is it used to reach?

- Does it use DNS?

- Does it use route tables?
- ENI with a private IP address in VPC

- Used to patch traffic through to everything besides DynamoDB and S3

- Yes. using private IP addresses to access private services

- No.
Best way to limit developer access to PRODUCTION instances using policies?
1. Define tags on production and development servers

2. add a condition to the IAM policy allowing access to specific tags
In case of a failed lambda execution, you can forward non-processed payloads to ___ using ___.
a DLQ

AWS SQS / SNS
Lambda functions that need to access other AWS resources needs ___
IAM role with the right permissions
2 Lambda features to use to securely configure your Lambda functions without deploying any code:
1. Lambda key configuration:
lets your Lambda functions use an KMS encryption key to encrypt the env variables that you can use to change your function

2. Encryption helpers:
lets you encrypt your env variables before they are sent to Lambda, thereby making your Lambda functions more secure
Lambda Layers - What is a layer?

- Benefits of using Lambda layers?

- How does it compare to environment variables?
A layer is a ZIP archive that contains libraries, a custom runtime, or other dependencies.

Let you keep your deployment package small, which makes development easier.

Requires deploying code, not as simple as env vars

(A function can use up to 5 layers at a time; total unzipped size of function and all layers must be < 250MB)
Lambda Aliases

- Benefits of using Lambda aliases?

- How does it compare to environment variables?
- Static ARN pointer to a specific Lambda version

- You can invoke a function with the alias without having to know which version of the function is being referenced
- Can use to split traffic between Lambda versions

- Not as simple, must deploy code
___ delivers strong read-after-write consistency automatically and works great for storing objects for big data analytics
S3
2 services that when combined, can establish a high bandwidth throughput, IPSEC connection from on-premise to AWS VPCs?
1. Direct Connect
2. VPN
Which 3 options prevent accidental deletion of s3 bucket objects?1. Enable MFA Delete on the bucket 2. Enable Versioning on the bucket 3. Use IAM Roles to restrict bucket accessMonitoring, auditing, and alerting for key metrics and events are the best practices of the ___ pillarSecurityRedshift Cluster snapshotsPoint-in-time backups of a cluster2 types of Redshift Cluster snapshots?1. automated 2. manualRedshift Automated Snapshots - Retention period? - Cost?1-35 days Not charged for!Redshift Manual Snapshots - Retention period? - Cost?Indefinite (even after cluster deletion) - can specify at time of cluster creation; or edit after Charged for as backup storage (S3 rates)Best way to minimize costs incurred by a cluster?Delete manual snapshots!Integrate ___ with AWS Lambda functions , so that customers may call those Lambda functions via httpsAPI GatewayDynamoDB, RDS, Redshift - Which is serverless? - Which is not?DynamoDB RDS, RedshiftGlacier Vault LockA Glacier feature that helps you easily deploy and enforce compliance controls for individual S3 Glacier vaultsBastion hosta dedicated server for users to securely SSH INTO backend servers in a private subnetAll IPv4 addresses0.0.0.0/0ENI vs ENA vs EFAENI < ENA < EFA ENI: most basic, for creating mgmt networks (low budget) ENA: low latency, but not HPC EFA: low latency, HPC2 possible ways to ensure ASG launched EC2 instances are pre-installed with software?1. User Data: Add scripts for installation 2. Create an AMI and create a launch configurationS3 Cross-Region Replication - Is it object or bucket level? - Is it sync or async?___ is a bucket-level configuration that enables automatic, async copying of objects across buckets in different AWS regions2 types of actions that can be performed by S3 Bucket lifecycle policy rules1. Transition actions (ex. -> standard_ia) 2. Expiration actions (ex. s3 deletes expired objs for you)CloudTrail log file integrity validationTo determine whether a log file was modified, deleted, or unchanged after CloudTrail delivered it - Uses SHA-256 for hashing and digital signing; makes it impossible to modify/delete/forge CloudTrail log files without detection2 best services to monitor a Redshift cluster's performance to ensure it is as efficient as possible?1. CloudWatch 2. Trusted Advisor___ checks and analyzes your AWS environment, then recommends actions to follow best practices in: - cost optimization - performance - security - fault tolerance - service limitsAWS Trusted AdvisorCloudFront Query String Forwarding: What does it do? Query string parameters must follow which 2 rules?CloudFront caches content based on query string parameters 1. parameters are separated by & 2. parameter name and values use the same caseKinesis Data Streams: Retention period range? (What is the default retention period?)24 hours - 365 days 24 hoursSQS: What is short polling? What is long polling? - Portion of servers queried? - When will it send a response to a polling request for messages?Short polling: - only queries a subset of the SQS servers for messages - SQS sends response right away even if query found no messages Long polling: - queries all the SQS servers for messages - SQS sends response only after it collects AT LEAST ONE available messageWhat are the benefits of long polling in SQS?Long polling: 1. reduces number of empty responses (both when there are no messages AND false empty responses) 2. returns messages as soon as they're available 3. reduces SQS costSQS Visibility Timeout - Possible range? (default length?) - Benefits?Prevents other consumers from processing a message again. - messages is invisible for 0 seconds ~ 12 hours (default at 30 seconds) while in process with a consumerAWS CloudHSMa cloud-based hardware security module (HSM) that enables you to easily generate and use your own encryption keys on the AWS Cloud.___ routing policy is good for testing new versions of software (e.g. blue-green deployment)WeightedAn application that needs to put records into an ENCRYPTED Kinesis Data Stream would need ___permissions to use the KMS key Via: 1. Application IAM Role: application needs KEY USER role 2. KMS Key Policy: needs to give application permission to access key___ lets DynamoDB to automatically increase its write capacity for a temporary spike, and decrease the throughput after the spikeDynamoDB Auto Scaling___ are a great solution to categorize your AWS resources differently, such as by purpose, owner, or environment. - Consist of ___, which you defineTags a key and an optional valueWhich CloudWatch metric tells you an SQS queue length?ApproximateNumberOfMessagesVisibleHow to enforce the WORM model on your stored objects in an S3 bucket?Enable object lock when creating the S3 bucketEach object in an S3 bucket can have a different ___storage classIf you have infrequently accessed data that needs to be available within milliseconds, and keep cost low, should you choose Glacier or One Zone-IA to save cost?One Zone-IA (Glacier cannot be retrieved in milliseconds)