AWS Certified Developer - Associate DVA-C02

What is CORS?

Cross-Origin Resource Sharing (CORS):

an HTTP-header based mechanism that

allows a server to indicate any origins (domain, scheme, or port) other than its own

from which a browser should permit loading resources.

CORS also relies on a mechanism by which
browsers make a “preflight” request to the server hosting the cross-origin resource,
in order to check that the server will permit the actual request.
Access-Control-Request-Method: POST
Access-Control-Request-Headers: X-PINGOTHER, Content-Type
the server response
Access-Control-Allow-Origin: https://foo.example
Access-Control-Allow-Methods: POST, GET, OPTIONS
Access-Control-Allow-Headers: X-PINGOTHER, Content-Type
Access-Control-Max-Age: 86400

Alt text CORS Configuration on the Cross-Origin

Alt text CORS: Simple Request & Preflight Request

[ASSOCIATE] S3 Events (4:32)

[ASSOCIATE] S3 Access Logs (3:05)

S3 Requester Pays (4:36)

Alt text S3 Requester Pays: Requester pays for the requests and data transfer out from the bucket

[ASSOCIATE] S3 Object Lock (9:52)

Section Quiz - S3

Security

Policy Interpretation Deep Dive - Example 1 (10:23)

Policy Interpretation Deep Dive - Example 2 (9:11)

Policy Interpretation Deep Dive - Example 3 (10:59)

AWS Permissions Evaluation (10:25)

Alt text Policy Evaluation Logic - Same Account

Alt text Policy Evaluation Logic - Different Accounts

CloudHSM (14:36)

VIRTUAL PRIVATE CLOUD (VPC) BASICS

[ASSOCIATE] VPC Sizing and Structure - PART1 (11:48)

[ASSOCIATE] VPC Sizing and Structure - PART2 (11:16)

[ALL] Custom VPCs - PART1 - THEORY (10:10)

[ALL] [DEMO] Custom VPCs - PART2 - DEMO (5:40)

[ASSOCIATE] VPC Subnets (10:42)

[ALL] [DEMO] Implement multi-tier VPC subnets (15:24)

[ASSOCIATE] VPC Routing, Internet Gateway & Bastion Hosts (17:35)

[ASSOCIATE] [DEMO] Configuring A4l public subnets and Jump-box - PART1 (13:45)

[ASSOCIATE] [DEMO] Configuring A4l public subnets and Jump-box - PART2 (11:45)

[ASSOCIATE] Stateful vs Stateless Firewalls (14:04)

[ASSOCIATE] Network Access Control Lists (NACLs) (12:38)

[ASSOCIATE] Security Groups (SG) (11:48)

[ASSOCIATE] Network Address Translation (NAT) & NAT Gateway - PART1 (13:43)

[ASSOCIATE] Network Address Translation (NAT) & NAT Gateway - PART2 (11:08)

[ASSOCIATE] [DEMO] Implementing private internet access using NAT Gateways (19:25)

ELASTIC COMPUTE CLOUD (EC2) BASICS

[ASSOCIATE] Virtualization 101 (12:27)

[ASSOCIATE] EC2 Architecture and Resilience (12:36)

[ASSOCIATE] EC2 Instance Types - PART1 (11:52)

[ASSOCIATE] EC2 Instance Types - PART2 (8:13)

[ASSOCIATE] [DEMO] EC2 SSH vs EC2 Instance Connect (17:06)

[ASSOCIATE] Storage Refresher (14:16)

[DVA-C02] [ASSOCIATE] Elastic Block Store (EBS) Service Architecture (8:43)

[DVA-C02] [ASSOCIATE] EBS Volume Types - General Purpose (9:23)

[DVA-C02] [ASSOCIATE] EBS Volume Types - Provisioned IOPS (6:15)

[DVA-C02] [ASSOCIATE] EBS Volume Types - HDD-Based (4:32)

[ASSOCIATE] Instance Store Volumes - Architecture (9:00)

[ASSOCIATE] Choosing Between the EC2 Instance Store and EBS (8:49)

[ASSOCIATE] Snapshots, Restore & Fast Snapshot Restore (FSR) (10:55)

[ASSOCIATE] [DEMO] EBS Volumes - PART1 (15:16)

[ASSOCIATE] [DEMO] EBS Volumes - PART2 (14:13)

[ASSOCIATE] [DEMO] EBS Volumes - PART3 (14:27)

[ASSOCIATE] EBS Encryption (8:22)

[ASSOCIATE] Network Interfaces, Instance IPs and DNS (15:58)

[ASSOCIATE] [DEMO] Manual Install of Wordpress on EC2 - PART1 (12:27)

[ASSOCIATE] [DEMO] Manual Install of Wordpress on EC2 - PART2 (12:36)

[ASSOCIATE] Amazon Machine Images (AMI) (13:58)

[ASSOCIATE] [DEMO] Creating an Animals4life AMI - PART1 (9:38)

[ASSOCIATE] [DEMO] Creating an Animals4life AMI - PART2 (10:57)

EC2 Purchase Options - PART1 (9:22)

EC2 Purchase Options - PART2 (11:56)

Reserved Instances - the rest (11:58)

[ASSOCIATE] Instance Status Checks & Auto Recovery (7:42)

[ASSOCIATE] [DEMO] Shutdown, Terminate & Termination Protection (5:40)

[ASSOCIATE] Horizontal & Vertical Scaling (11:23)

[ASSOCIATE] Instance Metadata [THEORY & DEMO] (15:46)

Section Quiz - EC2 Basics

Monitoring and Logging

CloudWatch Architecture - PART1 (9:44)

Alt text CloudWatch: Concepts

Alt text CloudWatch: Architecture

Alt text CloudWatch: Namespace, Data-point, Metric, Dimension

CloudWatch Architecture - PART2 (9:19)

Alt text CloudWatch: Resolution, Retention, Statistic, Percentile

Alt text CloudWatch: Alarms

Alt text CloudWatch: Data Architecture

CloudWatch Logs Architecture (13:44)

Alt text CloudWatch Logs - Ingestion

Alt text CloudWatch Logs - Log Group/Stream/Event

Alt text CloudWatch Logs - Subscriptions

Alt text CloudWatch Logs - Aggregation

Alt text CloudWatch Logs - Overview

AWS X-Ray (6:20)

Alt text AWS X-Ray: Concepts

Alt text AWS X-Ray: Service Map

Alt text AWS X-Ray: How to use?

[DEMO] Lambda & AWS X-ray (16:28)

[ASSOCIATE] VPC Flow logs (9:56)

Alt text VPC FLow Logs - Capture traffic metadata, NOT capture contents, NOT realtime

Alt text VPC FLow Logs - Architecture

Alt text VPC FLow Logs - Flow Log Records

CONTAINERS, ECS & ECR

[ASSOCIATE] Introduction to Containers (17:13)

[ALL] [DEMO] Creating ‘container of cats’ Docker Image (18:15)

[ASSOCIATE] ECS - Concepts (10:25)

[ASSOCIATE] ECS - Cluster Mode (13:09)

[ALL] [DEMO] - Deploying ‘container of cats’ using Fargate [UI UPDATES IN PROGRESS] (13:13)

[DVA-C02] Elastic Container Registry (ECR) (4:14)

[ALL] Kubernetes 101 (11:27)

[ALL] Elastic Kubernetes Service (EKS) 101 (6:14)

Advanced EC2

[ASSOCIATE] Bootstrapping EC2 using User Data (10:25)

[ASSOCIATE] [DEMO] Bootstrapping Wordpress Installation - PART1 (15:00)

[ASSOCIATE] [DEMO] Bootstrapping Wordpress Installation - PART2 (6:45)

[ASSOCIATE] EC2 Instance Roles & Profile (4:18)

[ASSOCIATE] [DEMO] Using EC2 Instance Roles (13:31)

[ASSOCIATE] SSM Parameter Store (6:16)

[ASSOCIATE] [DEMO] Parameter Store (16:11)

[ASSOCIATE] System and Application Logging on EC2 (6:15)

[ASSOCIATE] [DEMO] Logging and Metrics with CloudWatch Agent-PART1 (11:51)

[ASSOCIATE] [DEMO] Logging and Metrics with CloudWatch Agent-PART2 (8:08)

[ASSOCIATE] EC2 Placement Groups (14:29)

[ASSOCIATE] Enhanced Networking & EBS Optimized (6:57)

Infrastructure as Code (CloudFormation)

CloudFormation Physical & Logical Resources (7:30)

[DEMO] Simple Non Portable Template - PART1 (10:28)

[DEMO] Simple Non Portable Template - PART2 (11:28)

CloudFormation Template and Pseudo Parameters (6:53)

CloudFormation Intrinsic Functions (14:28)

CloudFormation Mappings (4:30)

CloudFormation Outputs (3:37)

[DEMO] Template v2 - Portable (13:34)

CloudFormation Conditions (7:24)

CloudFormation DependsOn (7:14)

CloudFormation Wait Conditions & cfn-signal (11:52)

CloudFormation Nested Stacks (13:55)

CloudFormation Cross-Stack References (10:05)

CloudFormation Stack Sets (9:12)

CloudFormation Deletion Policy (5:24)

CloudFormation Stack Roles (6:47)

CloudFormation Init (CFN-INIT) (8:48)

CloudFormation cfn-hup (4:13)

[DEMO] wait conditions, cfn-signal, cfn-init and cfn-hup - PART1 (12:51)

[DEMO] wait conditions, cfn-signal, cfn-init and cfn-hup - PART2 (14:42)

CloudFormation ChangeSets (11:03)

CloudFormation Custom Resources (11:03)

[DEMO] CloudFormation Custom Resources-PART1 (9:12)

[DEMO] CloudFormation Custom Resources-PART2 (13:27)

Global Service Discovery and Content Delivery (R53 and CloudFront)

[ASSOCIATE] R53 Public Hosted Zones (6:28)

[ASSOCIATE] R53 Private Hosted Zones (5:10)

[ASSOCIATE] CNAME vs R53 Alias (5:19)

[ASSOCIATE] Simple Routing (2:17)

[ASSOCIATE] R53 Health Checks (12:41)

[ASSOCIATE] Failover Routing (1:53)

[ALL] [DEMO] Using R53 and Failover Routing-PART1 (16:41)

[ALL] [DEMO] Using R53 and Failover Routing-PART2 (6:28)

[ASSOCIATE] Multi Value Routing (2:32)

[ASSOCIATE] Weighted Routing (3:24)

[ASSOCIATE] Latency Routing (2:44)

[ASSOCIATE] Geo-location Routing (5:02)

[ASSOCIATE] Geo-proximity Routing (4:50)

[ASSOCIATE] R53 Interoperability (11:50)

[ALL] CloudFront - Architecture (14:56)

[ALL] CloudFront (CF) - Behaviors (9:21)

[ALL] CloudFront - TTL and Invalidations (13:48)

[ALL] CloudFront - SSL/TLS (14:59)

[ALL] CloudFront (CF) - Origin Types & Origin Architecture (10:20)

AWS Certificate Manager (ACM) (11:21)

[ALL] [DEMO] CloudFront (CF) - Adding a CDN to a static Website-PART1 (16:23)

[ALL] [DEMO] CloudFront (CF) - Adding a CDN to a static Website-PART2 (12:24)

[ALL] [DEMO] CloudFront (CF) - Adding an Alternate CNAME and SSL (11:12)

[ALL] CloudFront - Security - OAI & Custom Origins (8:50)

[ALL] [DEMO] CloudFront (CF) - Using Origin Access Control (OAC) (new version of OAI) (11:21)

[ALL] CloudFront - Security - Private Distributions (7:49)

[ALL] CloudFront - Geo-Restriction (9:40)

[ALL] CloudFront - Field Level Encryption (9:00)

[ALL] CloudFront - lambda@edge (8:03)

Section Quiz - R53 and CDN

DATABASES (SQL)

[ASSOCIATE] Database Refresher & MODELS - PART1 (8:51)

[ASSOCIATE] Database Refresher & MODELS - PART2 (14:45)

[ASSOCIATE] Databases on EC2 (13:08)

[ASSOCIATE] [DEMO] Splitting Wordpress Monolith => APP & DB (18:01)

[ASSOCIATE] Relational Database Service (RDS) Architecture (11:39)

[ASSOCIATE] [DEMO] Migrating EC2 DB into RDS - PART1 (18:20)

[ASSOCIATE] [DEMO] Migrating EC2 DB into RDS - PART2 (12:58)

[ASSOCIATE] Relational Database Service (RDS) MultiAZ - Instance and Cluster (11:54)

[ASSOCIATE] RDS Automatic Backup, RDS Snapshots and Restore (8:52)

[ASSOCIATE] RDS Read-Replicas (6:36)

[ASSOCIATE] [DEMO] MultiAZ & Snapshot Restore with RDS - PART1 (14:05)

[ASSOCIATE] [DEMO] MultiAZ & Snapshot Restore with RDS - PART2 (12:07)

[ASSOCIATE] RDS Data Security (7:03)

[DVA-C02] [ASSOCIATE] Aurora Architecture (13:44)

[ASSOCIATE] Aurora Serverless (9:52)

[DEMO] Migrating to Aurora Serverless [DON’T DO THIS DEMO, IT WON’T WORK, UPDATING to SERVERLESSv2] (14:47)

[ASSOCIATE] Secrets Manager (7:44)

Section Quiz - RDS

Advanced Storage

[DVA-C02] [ASSOCIATE] EFS Architecture (9:05)

[ASSOCIATE] [DEMO] Implementing EFS - PART1 (8:51)

[ASSOCIATE] [DEMO] Implementing EFS - PART2 (11:32)

[ASSOCIATE] [ DEMO] Using EFS with Wordpress (16:00)

FSx for Windows File Server (11:32)

FSx for Lustre (13:57)

AWS Storage Services

Storage Type	What is it?	What is it Optimized for?	Storage Services or Tools
Block	Block storage is direct-attached to a compute instance with low-latency access.	Low-latency, high-performance durable storage for single EC2 instances or containers, e.g., databases and local instance storage	Amazon EBS, Amazon EC2 instance store
File System	File-based storage is natively mountable from virtually any operating system, and can be shared across multiple compute instances.	Shared read and write access across multiple EC2 instances/containers or from multiple on-prem servers, e.g., team file shares, enterprise applications, analytics workloads, and ML training	Amazon EFS Amazon FSx, Amazon FSx for Lustre, Amazon FSx for NetApp ONTAP, Amazon FSx for OpenZFS, Amazon FSx for Windows File Server AWS Storage Gateway
Object	Object storage provides easy access to data through an API)over the internet and is well-suited to read-heavy workloads	Read-heavy workloads, global data storage, access, and distribution over the internet, e.g., content distribution, web hosting, big data analytics, and ML workflows	Amazon S3
Cache		Managed, scalable, high-speed cache on AWS for processing file data stored in disparate locations, including on-premises NFS file systems, and/or in cloud file systems (Amazon FSx for OpenZFS, Amazon FSx for NetApp ONTAP), and Amazon S3	Amazon File Cache, AWS Storage Gateway

Scaling, Load Balancing & High-Availability

[ASSOCIATE] Regional and Global AWS Architecture (10:42)

[ASSOCIATE] Evolution of the Elastic Load Balancer (4:10)

[ALL] Elastic Load Balancer Architecture - PART1 (10:18)

[ASSOCIATE] Elastic Load Balancer Architecture - PART2 (12:49)

[ALL] Application Load balancing (ALB) vs Network Load Balancing (NLB) (16:20)

[ASSOCIATE] Launch Configuration and Templates (4:00)

[ASSOCIATE] Auto-Scaling Groups (16:01)

[ASSOCIATE] ASG Lifecycle Hooks (4:41)

[ASSOCIATE] ASG HealthCheck Comparison - EC2 vs ELB (3:38)

[ADVANCED_DEMO] Architecture Evolution - STAGE1 - PART1 (14:24)

[ADVANCED_DEMO] Architecture Evolution - STAGE1 - PART2 (10:43)

[ADVANCED_DEMO] Architecture Evolution - STAGE2 (12:58)

[ADVANCED_DEMO] Architecture Evolution - STAGE3 (19:30)

[ADVANCED_DEMO] Architecture Evolution - STAGE4 (18:04)

[ADVANCED_DEMO] Architecture Evolution - STAGE 5 - PART1 (11:31)

[ADVANCED_DEMO] Architecture Evolution - STAGE 5 - PART2 (14:56)

[ADVANCED_DEMO] Architecture Evolution - STAGE6 (5:48)

AWS CLI, DEVELOPER TOOLS & CI/CD (CODE)

CI/CD using AWS Code (14:54)

Alt text Version Control System: Git

Alt text VCS & CI/CD

Alt text CI/CD with AWS

Alt text CD/CD Pileline

Alt text Code Deploy output

AWS CodeCommit (11:35)

AWS CodePipeline for Developers (4:08)

Alt text AWS CodePineline: The orchestator for CI/CD

Alt text AWS CodePineline: Concepts

Alt text AWS CodePineline: Architecture

AWS CodeBuild for Developers (6:23)

Alt text CodeBuild: Build & test code as-a-service (alternative to part of Jenkins)

Alt text CodeBuild: Architecture

Alt text CodeBuild: buildpsec.yml

AWS CodeDeploy for Developers (10:21)

Alt text CodeDeploy: Deploy code as-a-service (alternative to Jenkins, Ansible, Chef, Puppet, Cfn)

Alt text CodeDeploy: appspec.yml

Alt text

Elastic Container Registry (ECR) - Architecture (4:14)

[DVA-C02] [ADVANCED_DEMO] - CatPipeline - STAGE0 - INTRO (2:23)

[DVA-C02] [ADVANCED_DEMO] - CatPipeline - STAGE1 - CodeCommit (12:31)

[DVA-C02] [ADVANCED_DEMO] - CatPipeline - STAGE2 - Build a Docker Image w/ CodeBuild - PART1 (13:40)

[DVA-C02] [ADVANCED_DEMO] - CatPipeline - STAGE2 - Build a Docker Image w/ CodeBuild - PART2 (15:02)

[DVA-C02] [ADVANCED_DEMO] - CatPipeline - STAGE3 - Joining the dots - pipeline (15:31)

[DVA-C02] [ADVANCED_DEMO] - CatPipeline - STAGE4 - Deploy our Container w/ CodeDeploy - PART1 (11:29)

[DVA-C02] [ADVANCED_DEMO] - CatPipeline - STAGE4 - Deploy our Container w/ CodeDeploy - PART2 (7:42)

[DVA-C02] [ADVANCED_DEMO] - CatPipeline - STAGE5 - CLEANUP (4:07)

Application Services, Event-Driven & Serverless

[ASSOCIATE] Architecture Deep Dive - PART1 (8:52)

[ASSOCIATE] Architecture Deep Dive - PART2 (13:09)

[ALL] AWS Lambda - PART1 (11:25)

[ALL] AWS Lambda - PART2 (13:59)

[ALL] AWS Lambda - PART3 (17:03)

[ASSOCIATE] EventBridge (6:54)

[ASSOCIATE] [DEMO] Automated EC2 Control using Lambda and Events - PART1 (13:44)

[ASSOCIATE] [DEMO] Automated EC2 Control using Lambda and Events - PART2 (18:49)

[ASSOCIATE] Simple Notification Service (7:49)

[ASSOCIATE] Simple Queue Service (15:30)

SQS Standard vs FIFO Queues (3:29)

SQS Extended Client Library (2:52)

SQS Delay Queues (4:38)

SQS Dead-Letter Queues (4:17)

[ASSOCIATE] Step Functions (16:09)

[ALL] API Gateway 101 (16:27)

[MINI_PROJECT] Build A Serverless App - Pet-Cuddle-o-Tron - PART1 [UI UPDATES IN PROGRESS] (5:01)

[MINI_PROJECT] Build A Serverless App - Pet-Cuddle-o-Tron - PART2 [UI UPDATES IN PROGRESS] (8:24)

[MINI_PROJECT] Build A Serverless App - Pet-Cuddle-o-Tron - PART3 [UI UPDATES IN PROGRESS] (12:31)

[MINI_PROJECT] Build A Serverless App - Pet-Cuddle-o-Tron - PART4 [UI UPDATES IN PROGRESS] (13:31)

[MINI_PROJECT] Build A Serverless App - Pet-Cuddle-o-Tron - PART5 [UI UPDATES IN PROGRESS] (12:55)

[MINI_PROJECT] Build A Serverless App - Pet-Cuddle-o-Tron - PART6 [UI UPDATES IN PROGRESS] (2:39)

[ASSOCIATE] Kinesis Data Streams (7:52)

[ASSOCIATE] Kinesis Data Firehose (9:11)

[ASSOCIATE] Kinesis Data Analytics (8:51)

[ASSOCIATE] Amazon Cognito - User and Identity Pools (14:44)

[MINI_PROJECT] Implementing Web Identity Federation (WEB-IDF) - PART1 (7:28)

[MINI_PROJECT] Implementing Web Identity Federation (WEB-IDF) - PART2 (7:16)

[MINI_PROJECT] Implementing Web Identity Federation (WEB-IDF) - PART3 (8:16)

[MINI_PROJECT] Implementing Web Identity Federation (WEB-IDF) - PART4 (12:10)

[MINI_PROJECT] Implementing Web Identity Federation (WEB-IDF) - PART5 (2:31)

AWS Lambda In-Depth

Lambda Handler Architecture & Overview - PART1 - Theory (7:52)

Alt text Lambda Function Execution Environment

Alt text Lambda Function Handler

Lambda Handler Architecture & Overview - PART2 - Walkthrough (10:07)

Lambda Versions (4:58)

Alt text Lambda Versions: Unqualified ARN ($LATEST) & Qualified ARN (1, 2, 3…)

Alt text Lambda Versions: Example

Lambda Aliases (4:11)

Alt text Lambda Alias: ~ Git Tag

Alt text Lambda Alias: Example

[DEMO] Lambda - Aliases and Versions (13:10)

Lambda Environment Variables (7:20)

Alt text

Monitoring & Logging & Tracing Lambda Based Applications (13:24)

Alt text Lambda Monitoring

Alt text Lambda Logging

Alt text Lambda Tracing

[DEMO] Accessing Private VPC Resources using Lambda w/ TheCatAPI!!!! - PART1 (7:53)

Alt text

[DEMO] Accessing Private VPC Resources using Lambda w/ TheCatAPI!!!! - PART2 (16:19)

Lambda Layers (8:29)

Alt text

Lambda Container Images (4:14)

Alt text

Lambda & ALB Integration (5:21)

Alt text

Lambda Resource Policy (9:52)

Alt text

Section Quiz - Lambda

APIs & API Gateway In-Depth

API Gateway - Methods and Resources (4:28)

Alt text

API Gateway - [DEMO] Methods and Resources (17:04)

API Gateway - Integrations (14:02)

Alt text

API Gateway Stages and Deployments (6:25)

Alt text

Open API & Swagger (7:56)

Alt text

[DVA-C02] [DVA_DEMO] API Gateway Integrations - Mock, Lambda, AWS Service (23:55)

Section Quiz - API Gateway

NoSQL Databases & DynamoDB

DynamoDB Architecture Basics (10:49)

DynamoDB Operations, Consistency and Performance - PART1 (13:06)

DynamoDB Operations, Consistency and Performance - PART2 (11:24)

DynamoDB Indexes (LSI and GSI) (12:35)

DynamoDB Streams and Triggers (9:10)

[DVA-C02] [DEMO] DynamoDB Triggers using Lambda (16:54)

DynamoDB Accelerator (DAX) (10:58)

DynamoDB Global Tables (5:09)

DynamoDB Time-To-Live (TTL) (4:49)

ElastiCache Theory & Architecture (12:51)

[DVA-C02] Athena 101 (8:19)

[DVA-C02] [DEMO] Athena and large Datasets - PART1 (13:31)

[DVA-C02] [DEMO] Athena and large Datasets - PART2 (11:37)

Section Quiz - NoSQL

Elastic Beanstalk In-Depth

Elastic Beanstalk (EB) - Architecture (18:12)

Alt text Elastic Beanstalk (EB): Overview

what is elastic beanstalk (el)?

Elastic Beanstalk is a Platform as a service (PaaS)

Developers provides code
EB handles the deployment
- capacity provisioning
- load balancing
- automatic scaling to web application health monitoring,
- with ongoing fully managed patch and security updates
- and many other things
  - networking (VPC, subnets)
  - EC2 instance: EBS, CloudWatch, Security Group
  - database
  - deployment strategy…

Alt text Elastic Beanstalk (EB): Platforms

note

EB provides:

Managed Platform for many languages:
- Go, Java,
- .NET, .NET Code,
- Node, PHP, Python, Ruby
Custom Platform via Docker

Alt text Elastic Beanstalk (EB): Architecture

how to use eb?

When working with EB, you:

Create an EB application
Bundle a deployable code (aka source bundle) as an application version that will be automatically deployed either as One of two type of Environment tier:
- Web Server environment
- a Worker environment, that can be deployed with a message queue (SQS)
Manage the environments
Update new application version, and EB will deploy new versions of environments

Alt text Elastic Beanstalk (EB): Blue-Green Deployment

Alt text Elastic Beanstalk (EB): Summary

[DEMO] Elastic Beanstalk (EB) - Application & Environment - PART1 (11:50)

[DEMO] Elastic Beanstalk (EB) - Add additional environment and config options - PART2 (10:53)

Elastic Beanstalk (EB) - Deployment Policies (11:40)

Alt text EB - Deployment Policies

Alt text EB - Deployment Policies: All at once

Alt text EB - Deployment Policies: Rolling

Alt text EB - Deployment Policies: Rolling with additional batch

Alt text EB - Deployment Policies: Immutable

Alt text EB - Deployment Policies: Traffic Splitting

Alt text EB & Blue-Green Deployment

[DEMO] Elastic Beanstalk (EB) - Deployment (8:30)

Elastic Beanstalk (EB) - Environments and RDS (4:34)

Alt text

Elastic Beanstalk (EB) - Advanced Customization via .ebextensions (4:52)

Alt text

elastic beanstalk is based on cloudformation>

Use can provide additional Cfn configuration via the .config files inside .ebextensions folder in the source bundle.

These config can:

modify the EB application environment
modify the EC2 instances
deploy custom Cfn resources, make advance modification to Cfn resources
…

See GitHub - awsdocs/elastic-beanstalk-samples

Elastic Beanstalk (EB) - HTTPS (1:51)

Alt text

Elastic Beanstalk (EB) - Cloning (4:44)

Alt text

Elastic Beanstalk (EB) - Docker (9:11)

Alt text

[DEMO] Elastic Beanstalk (EB) - Section Cleanup (1:40)

Section Quiz - Elastic Beanstalk

Exams

AWS DVA-C02 - EXAM TRACKING

No	Exam	Score	Score Percent	Final	Exam Time	Test Date
1	Cantrill - Practical Quiz 1	40/64	62%	❌	1h	Dec 4, 2023 (15:00 - 16:00)
2	Tutorials Dojo - Time Mode Set 1 2	45/65	69%	❌	1h10m	Dec 5, 2023 (10:45 - 11:55)
3	Tutorials Dojo - Time Mode Set 2	50/65	76.9%	Passed	45m	Dec 6, 2023 (9:45 - 10:30)
4	Tutorials Dojo - Time Mode Set 3	56/65	86.2%	Passed	40m	Dec 7, 2023 (18:10 - 18:50)
5	Tutorials Dojo - Time Mode Set 4	60/65	92.3%	Passed	50m	Dec 8, 2023 (10:00 - 10:50)
6	Tutorials Dojo - Time Mode Set 5	47/65	72%	Passed	1h	Dec 9, 2023 (14:30 - 15h30)
2	Tutorials Dojo - Time Mode Set 1 - 2nd attempt	63/65	96.92%	Passed	1h	Dec 10, 2023 (16:20 - 17:20)
7	Tutorials Dojo - Final Test	63/65	96.92%	Passed	35m	Dec 10, 2023 (19:30 - 20:05)
8	REAL AWS EXAM	59/65 (Maybe)	911/100	Passed	2h	Dec 13, 2023 (9:00 - 11:00)

Cantrill - Practical Quiz

No	Q	A	Ref

1	ELB - User login randomly	ELB Sticky Session + Store session in DynamoDB
2	Config SQS Short/Long Polling	Queue’s `ReceiveMessageWaitTimeSeconds` attribute `ReceiveMessage` call’s `WaitTimeSeconds` param
3	DynamoDB TTL	1 process using TTL attribute and mark expired another process delete these expired items
	DynamoDB Streams	DynamoDB Stream is a 24h flow of item changes
4	Lambda function reuse execution environment between invocations	Cache static assets locally in the `/tmp` directory	Lambda Best Practice
		Initialize SDK clients and database connections outside of the function handler
5	Best practice to apply permissions to an EC2 instance	EC2 Instance Profile
6	Serve private content with CloudFront & S3	- Require users access private content by using CloudFront signed URL, signed cookies:	Serve Private Content
		👈️ This is implicit enabled after a signer is added
		- Require users access your content by using CloudFront URLs, not directly from origin:
		👈️ This is done with OAC (for S3 origin), or custom header (for custom origin)
7	Protect API Gateway & Lambda	Both run outside VPC, needs to use WAF
8	S3 - Encryption in transit	It’s default
9	Process orders in 48 hours (in the origin order) & Cost effective	48 hours -> Not Lambda -> Step Function + Lambda
		In order -> SQS FIFO
10	Using CWAgent to write logs to CloudWatch Logs from an EC2 instance in private subnet	- CloudWatch Logs is an public service, which can be access other AWS services, or on-premise servers.
		- To send logs to CloudWatch Logs without sending them through the internet,
		1. A private connection needs to be established between your VPC and CloudWatch Logs	Using CloudWatch Logs with interface VPC endpoints
		2. The EC2 instance have enough permissions to send logs to CW Logs
		2a. EC2 instance profile (role) have permissions	Grant permissions that the CloudWatch agent needs to write metrics to CloudWatch
		2b. Endpoint allows access (by default, endpoint policy allow all access to it)	Default endpoint policy
11	API - Gateway - Use the same function for multiple stages?	Use stage variable to change the endpoint for each stage	API Gateway - Stage variable
12	How to give custom permissions to millions of users?	Use Cognito Federated Users + IAM policy variable	IAM Policy for federated users
13	RDS Replica endpoints	Each RDS Replica has its own endpoint. Except Aurora, RDS doesn’t provide a reader endpoint with load balancing
14	Add sign up, sign in features	Cognito User Pool
15	DynamoDB RCU/WRU calculation	1 RCU = 4KB/s, 1 WRU = 1KB/s
16	Where to store CW Agent config?	SSM Parameter Store
17	Elastic Beanstalk deploy to brand new infrastructure	- EB immutable deployment	Elastic Beanstalk & Blue-Green deployment
		- Manually deploy to a new environment, EB supports swap DNS to the new environment
18	API Gateway - Legacy APIs required transformation	Use integration HTTP
19	Delete all items in a DynamoDB table everyday?	??? Use DynamoDB TTL
20	Route traffic from ELB to Lambda functions	You can register your Lambda functions as targets of ELB listener
21	SQS message size limit	256KB. To work with larger files, offload it to S3
22	CloudFormation: Share stack vs share template	Share stacks with Stack Reference; Share template with Nested Stack
23	Where is CORS applied?	CORS is applied to the origin being accessed, not the origin accessing.
24	Which services use CloudFormation under the hood?	SAM, Elastic Beanstalk
25	What is the size limit for data sent to AWS KMS?	4KB. To encrypt larger file, use DEK and envelope encryption
26	S3 encryption by S3 server, manage key by application	SSE-C
27	???
28	Tracing between many AWS services	X-ray




29	Host website on S3	- Turn on Static Website Hosting
		- Allow public access with bucket policy
30	Decouple apps & Serverless scaling	Use SQS + Lambda (config function concurrency)
31	Give access to CodeCommit repo	CodeCommit control access via IAM users: Create HTTPs credential in IAM; or create SSH key & associate to IAM user
32	Whenever a new comment added, send an email?	DynamoDB Stream + Lambda trigger + SNS
33	SQS: Messages process twice?	VisibilityTimeout not long enough
34	Import APIs to API Gateway	Import OpenAPI definitions
35	Upload file to S3 - Improve performance?	Transfer Acceleration
36	Kinesis: Improve performance?	Increase number of shards (shard splitting)
37	Lambda: Share library	Lambda Layer
38	Collect real time data	Kinesis Data Streams
39	Reuse Lambda function for multi stages	Use stage variable
40	Embed Lambda function in CloudFormation template	Code’s ZipFile
41	Host static website	S3 + CloudFront
42	Config/Update EC2 instance with CloudFormation	cfn-init + cfn-signal & cfn-hup
43	Query only a part of data on S3	S3 Select
44	Attach an EBS volume to EC2 instance	Create file system; Mount it
45	DynamoDB: Primary key	Student ID
46	APIs to request temporary credentials with IAM	AssumeRole, AssumeRoleWithSAML, AssumeRoleWithWebIdentity
47	API Gateway: Ensure searchString parameter is in the request	Method Request
48	Increase CPU allocation of a Lambda function	Increase memory allocation
49	CloudWatch namespace & metrics
50	Run AWS CLI in EC2, what will happened?	It won’t run. AWS CLI use other credential first ???
51	DynamoDB WCU	Write operation is not strongly/eventually consistent. Only read has consistent problem.
52	Send a message to user	SNS
53	S3 ListAPI	max-items, page-size
54	DynamoDB: Improve read performance	DAX
55	Migrate microservice to AWS, low operation overhead	ECS Fargate
56	DynamoDB eventually read	Use less RCU than strong consistent read, may receive outdated data
57	Which S3 encryption option can be used with CloudHSM?	CSE
58	CloudFront stale object	Invalidate
59	Failover to an maintenance page on S3	Route 53 + Health-check
60	S3: Block all access except from CloudFront	OAC, OAI (legacy)
61	Improve performance of app (using DynamoDB) without modify code	Increase RCU
62	Application workflow take up to 45 min + Cost effective	Step Function + Lambda
63	ASG: Instances started & terminated rapidly	Increase cooldown time
64	SQS + 5 EC2 instances	Increase polling time; Use ASG for scaling based on queue length
65	Check if a Spot instance is terminated	Use instance metadata service

Tutorial Dojo - DVA-C02 - Timed Mode Set 1 - 2nd attempt

Test time: xx

Score: 63/65 (96.92%):

CDA – Development with AWS Services 100% (27/27)
CDA – Security 88.89% (8/9)
CDA – Deployment 100% (7/7)
CDA – Troubleshooting and Optimization 95.45% (21/22s)

Domain 1: Development with AWS Services

No		Q	A	Ref

1	✅
2	✅
3	✅
4	✅
5	✅
6	✅
7	✅
8	✅
9	✅
10	✅
11	✅
12	✅
13	✅
14	✅
15	✅
16	✅
17	✅
18	✅
19	✅
20	✅
21	✅
22	✅
23	✅
24	✅
25	✅
26	✅
27	✅

Domain 2: Security

No		Q	A

1	✅
2	✅
3	✅
4	✅
5	✅
6	✅
7	✅
8	❌	S3. SSE-KMS. Which header?	`x-amz-server-side-encryption`. If the header were not present, S3 use the default KMS key
9	✅

Domain 3: Deployment

No		Q	A	Ref

1	✅
2	✅
3	✅
4	✅
5	✅
6	✅
7	✅

Domain 4: Troubleshooting and Optimization

No		Q	A

1	✅
2	✅
3	✅
4	✅
5	✅
6	✅
7	✅
8	✅
9	✅
10	✅
11	✅
12	✅
13	✅
14	❌	DynamoDB: Scan. Improve performance, cost-effective	Use `Query`, or still use `Scan` but with smaller `page-size`
15	✅
16	✅
17	✅
18	✅
19	✅
20	✅
21	✅
22	✅

Tutorial Dojo - DVA-C02 - Timed Mode Set 1

Domain 1: Development with AWS Services

No		Q	A	Ref
1	✅	Improve performance of S3 upload	Multipart upload
2	✅	Caching: Lazy-load & Write-through
3	✅	Lambda: Different parameter depends on environment	Environment variable (# Stage variable)
4	❌	AWS SAM: shift traffic to new version	SAM Deployment strategy	SAM - Deploying gradually
			- `AllAtOnce` (1 deploy)
			- `Canary` 10% 5, 10, 15, 30 min (2 deploys)
			- `Linear` 10% Every 1, 2, 3, 10 min

5	✅	API Gateway: same API Gateway for multiple environments	Stage variable
6	✅	CloudWatch Alarm: When to alarm?	`Period` / `Evaluation Periods` / `Data points to Alarm`
7	✅	SAM: Nested application	`AWS::Serverless::Application`
8	✅	Lambda deploy: Graduate increase traffic to new version	Lambda supports traffic shifting for aliases (by setting `traffic weight`). (That’s why SAM have `canary`, `linear` deployment strategy )
9	✅	API Gateway: Map data for microservice (in container)	Use `HTTP` integration (Not `AWS` or `_PROXY`)
10	✅	Database scale globally, handle frequent schema changes	DynamoDB (not Aurora)
11	✅	API Gateway - TTL 300s. How client can invalidate cache?	Send request with `Cache-Control: max-age=0` header
12	❌	Lambda: Response to user after 5 min	Lambda `Invoke` API `InvocationType`	Invoke - InvocationType
			- `RequestResponse`: Synchronous invocation
			- `Event`: Asynchronous invocation
			- `DryRun`: Validate params/role
13	✅	Session data store on DynamoDB. Delete session of logged out users?	Use DynamoDB TTL (when will an item is eligible for expiration - in epoch time)
14	❌	S3: Remove PII before return to application	Use S3 Object Lambda to process object before return to application	S3 Object Lambda S3 Object Lambda Use with CloudFront
15	✅	Serve content based on location	- CloudFront can add header about viewer location’s location (based on the viewer’s IP address).
			- Use a CloudFront function to return the URL base on these headers (e.g. `CloudFront-Viewer-Country`)
16	✅	What to do after update Cfn template of a Lambda function?	1. `aws cloudformation package`: Uploads local artifacts to S3, update Cfn template to reference these artifacts
			2. `aws cloudformation deploy`: Update (deploy) the Cfn stack
17	✅	Multi-thread key-value cache store	Elasticache for Memcached
18	❌	Only allow authorized clients to invalidate an API Gateway cache	- API Gateway Additional settings / Per-key cache invalidation / Require authorization	Invalidate an API Gateway cache entry
			- Client send request with `Cache-Control: max-age=0` header.
19	✅	Process long-running tasks	Elastic Beanstalk worker environment (an HTTP request handler that EB invokes with an SQS queue)
20	✅	ECS: Where to config port for container?	Task definition
21	❌	Lambda: 50 requests/s; 100 s/request 👉️ 5.000 concurrency execution	Default quota of Lambda concurrency execution: 1.000 (can be increased to 10.000)
22	✅	Can Lambda handle 10 requests/s (each request take 50s)	500 concurrent execution (Lambda can handles without doing anything. The default limit is 1.000)
23	✅	DynamoDB table attributes: UserID (PK) - GameTitle (SK) - TopScore. Get max TopScore of each game?	Create a Global Secondary Index: GameTitle (PK) - TopScore (SK). Query 1 item for each game in descending order.
24	✅	Kinesis Data Streams: How many worker is optimal to process a number of shards?	1:1 ratio
25	✅	AWS CLI timeout when list bucket with 10.000 objects	Add pagination parameter when use AWS CLI
26	✅	Permission to Create/Delete GitCommit repos	`codecommit:CreateRepository` & `codecommit:DeleteRepository`
27	✅	DynamoDB Streams: Send a copy of old item to S3	`StreamViewType`: `OLD_IMAGE`

Domain 2: Security

No		Q	A	Ref
1	❌	Give a program to AWS services	- Best practice: EC2 instance profile (IAM Role)
			- On premise: Long-term credential
2	✅	Share DB endpoint	Use System Manager Parameter Store secure string
3	❌	Database credential - How to encrypt & auto rotate?	- AWS Secret Manager + Enable auto rotate
			- IAM DB Authentication: Authenticate connection with IAM
4	✅	API Gateway: Allow another account invoke via IAM Role	1. From the other account, grant permission to interact with this API Gateway	Managing access to API Gateway
			2. From this account, attach a resource-policy to API Gateway that grant the IAM role from other account permission to invoke	Allow roles in another AWS account to use an API
5	✅	Grant permission to access only some path of a S3 bucket	Use S3 bucket policy, with the policy statement `Resource` including the path
6	✅	Login with social site: Facebook…, then access to AWS service	Cognito Identity Pool (Federated Identity)
7	✅	S3 - Encrypt AE256	`x-amz-server-side-encryption: AE256`
8	❌	S3 - Ensure all objects are encryption at rest with SSE-KMS	Add a bucket policy which denies any s3:PutObject action unless the request includes the `x-amz-server-side-encryption` header.
9	✅	KMS - Generate data key but not use immediately	`GenerateDataKeyWithoutPlaintext`

Domain 3: Deployment

No		Q	A	Ref
1	❌	Implement subscription with API Gateway	Use usage plan to distribute APIs & throttle usages based on defined limit/quota	API Gateway - Usage plan
2	❌	Lambda, pause task & wait for external process	Step Function - Callback pattern (SQS + SNS + Lambda)	Step Function - Callback Pattern
			- waitForTaskToken
			- SendTaskSuccess (with the task token)
3	✅	Deploy Lambda with CodeDeploy	CodeDeploy deploy configuration:
			- EC2, on-premise: AllAtOnce, HalfAtATime, OneAtATime (Can be Blue/Green or in-place)
			- Lambda, ECS: AllAtOnce, Canary, Linear
4	✅	Build, test, deploy serverless app	Serverless Application Model (SAM)
5	❌	SAM template requires sections	Transform & Resources
6	❌	Create Lambda function with CLI error InvalidParameterValueException	Invalid parameter: maybe a role can’t be assumed
7	❌	ECS schedule task based on CPU/memory	ECS - Task placement strategy: binpack, spread, random

Domain 4: Troubleshooting and Optimization

No		Q	A	Ref
1	✅	Move session data to AWS, 100% CPU, HA	ElastiCache for Redis
2	✅	sam local - Access denied	1. `aws configure --profile`; 2. `sam local invoke --profile`
3	✅	Cost effective when using SQS	Long polling (config `ReceiveMessage` `WaitTime`)
4	✅	Record all changes to a DynamoDB table to another one	DynamoDB Streams + Lambda (write to another DynamoDB table)
5	✅	DynamoDB - Reduce queries	DAX
6	❌	Serve private content from CloudFront	1. Use signed-URL, sign-cookies
			2. Use Lambda@Edge + Cognito 👉️ Authentication@Edge
7	❌	X-ray: How to debug?	`_X_AMZN_TRACE_ID` + `AWS_XRAY_CONTEXT_MISSING`
8	✅	ECS store data in DynamoDB, how to verify each new items?	DynamoDB Streams + Lambda
9	✅	API Gateway - 504	504 Gateway timeout -> Integration timeout after 30s
10	✅	RDS - Too many connections	RDS Proxy
11	✅	API Gateway timeout - Which CW metrics to watch?	`Latency`, `IntegrationLatency`
12	❌	CloudFront HTTPS	Viewer Protocol Policy: `Only HTTPS` or `Redirect HTTP to HTTPS`
13	✅	CloudFront - end-to-end SSL	Viewer Protocol Policy, Origin Protocol Policy: HTTPS
14	❌	DynamoDB Scan improve performance	- Default page size: 1MB (Max) -> Reduce page size
			- Use `Query` instead of `Scan`
15	✅	Capture IP in/out of an VPC	VPC Flow Log
16	✅	Elastic Beanstalk config for cron-job	`cron.yaml`
17	✅	DynamoDB - Fetch only some attributes	Use projection attributes
18	✅	Lambda function download same big file	Use `/tmp`
19	❌	Use Lambda function inside a VPC	- By default, Lambda is public (has internet access)
			- After enable VPC for a Lambda function, it lose internet access,
			- If you require internet access for Lambda function:
			1. Add a NATGW to VPC
			2. Allow outbound traffic with security group
20	❌	X-Ray filter trace	1. Add `annotation` to record data used to group traces (indexed to used with `filter expression`)
			(`metadata` is extra data about data that isn’t indexed )
			2. Use `filter expression` to group traces in the console
21	✅	App deploy with Elastic Beanstalk - Config X-Ray	`.ebextensions/xray-daemon.config`
22	❌	API Gateway: Lambda Proxy - 502 Bad Gateway	In Lambda proxy integration, the backend Lambda function must return output according a JSON format	Output format of a Lambda function for proxy integration

Tutorial Dojo - DVA-C02 - Timed Mode Set 2

Test time: 9h45 - 10h28 (00:47:24)

Score: 50/65 (76.92%):

CDA – Development with AWS Services 79.49%
CDA – Security 77.78%
CDA – Deployment 87.5%
CDA – Troubleshooting and Optimization 55.56%

Domain 1: Development with AWS Services

No		Q	A	Ref
1	✅	RDS + Lambda + Translate text with Amazone Translate. Improve performance, reduce load to RDS?	Use Lambda execution environemnt `/tmp` as cache store
2	✅	DynamoDB: Employee info. Which attribute use as primary key?	employee_id
3	✅	Run a Lambda function every 30min?	Use EventBridge `Schedule` Rule to create scheduled events -> target the Lambda function
4	✅	ECS intergate with API Gateway. Which integration make no intervention?	HTTP_PROXY


5	✅	Which API to call to get permission (from a IAM Role) to interact with S3 API	AWS STS `AssumeRole` API (or `AssumeRoleWithWebIdentity`, `AssumeRoleWithSAML`) (optionally pass an `SessionPolicy`)
6	✅	Asynchronous invoke Lambda function with `Invoke` API	Pass parameter `InvocationType` - `Event`
7	❌	Tracking number of visitors on website (use DynamoDB)	1. (May over/under count) “Atomic counter” - just increase the counter without checking current value
			2. Use `condition write` to only update the counter item if (…) - too complicated to know	Conditional Writes - DynamoDB Conditional Updates - DynamoDB
8	❌	Kinesis Data Streams: Duplicate Records	- Two primary reasons: 1. Producer retries; 2. Consumer retries.	Handling Duplicate Records - Kinesis
			- Manually assign sequence number to record with `Kinesis` `PutRecord` `SequenceNumberForOrdering`.	Adding a Single Record - Kinesis
			(Same idea as assign an ID to message `SQS` `SendMessage` `MessageDeduplicationId` )
9	❌	X-Ray: Include info about calls to AWS services	Include `sub-segment` in the `segment document`
10	❌	DynamoDB: Forum (PK) - Subject (SK) - LastPostUpdateTime. Finds on posts of a forum in last 3 months	Add LSI: Forum (PK) - LastPostUpdatTime (SK). Use `Query` opeartion.
11	✅	DynamoDB: Write heavy - `ProvisionedThroughputExceededException`. Why?	RCU/WCU of GSI is seperate from base table
			- A `Query` on a GSI consume RCU from the GSI, not the base table.	Data synchronization between tables & GSIs
			- When you Put/Update/Delete items in a DynamoDB table, any GSIs on that table are also updated asynchronously (and consume RCU/WCU from the GSI).	Provisioned throughput considerations for GSIs
12	✅	CodeCommit: Permission to `fetch`, `clone`, `push`	`codecommit:GitPull`, `codecommit:GitPush`
13	✅	Elastic Beanstalk: Deploy new version with CLI	Package app as `zip`/`war` file. Deploy with `eb deploy` (EB CLI is a different package. It’s not packaged with AWS CLI, not `aws eb`)
14	✅	Internal app: elastic, cost-effective	DynamoDB, EC2 Spot Fleet
15	✅	Build an CI/CD to deploy to both EC2 & on-premise. Which service?	CodeDeploy
16	✅	DynamoDB: 10 RCU, each item 4KB. How much read request/s the table can hanlde?	10 RCU: 10 Strong Consistency Read - 20 Eventually Consistency Read
17	✅	Prototype microservices on ECS. Which task placement minimize cost?	Binpack, ~~random~~, ~~spread~~
18	✅	Temporary AWS credential for both authenticated/unauthenticated. Which service?	Cognito Identity Pool (Federated Identity)
19	❌	Elastic Beanstalk: Deploy infrastructure has an RDS instance coupling with EB. How to migrate RDS?	1. Create RDS snapshot; enable RDS deletion protection
			2. Remove SG attached to RDS (before delete EB app’s environment)
			3. Terminate the EB app’s environment
20	✅	SQS: Duplicated messages. How to fix?	For SQS, when call `SendMessage` API, add `MessageDeduplicationId` param
			(For Kinesis, when call `PutRecord` API, add SegmentID to `SequenceNumberForOrdering` param)
21	✅	DynamoDB: Protect from overwritten?	Implement `optimistic locking` with version number (ensure update the right version item)	Optimistic locking with version number - DynamoDB
22	✅	Lambda: Asynchronous invoke, exponential back-off, then send un-processed messages to another service.	Lambda supports Dead Letter Queue (just as SQS DLQ)
23	✅	Collect visistor click to ads. Which service?	DynamoDB: Use `UpdateItem` to implement `atomic counter` (Approximately ~ Add 1 to previous value)
24	✅	DynamoDB: Read 100 items. Which API?	`BatchGetItem` (instead of `GetItem`) then `BatchWriteItem`
25	✅	DynamoDB: Store recent updated item automatically	1. DynamoDB Streams + Lambda (not recommnend)
			2. DynamoDB Streams + DynamoDB Streams Kinesis Adapter (recommend)
26	✅	DynamoDB: Session data. Reduce storage without using provision throughput	Use DynamoDB TTL
27	✅	Kinesis Data Streams: How to handle data flow (Scaling)?	1. Split shards to increase stream capacity; 2. Merge shards to decrease stream capacity.
28	✅	Kinesis Data Streams: Consumer process every other day & store to S3. S3 only has half of the data?	Kinesis Data Streams default `retention period` is `24h` (up to 365 days)
29	✅	An AWS account has 2 Lambda function. 1 works optimal, 1 is throttled. Why?	The `reserve` `concurrency execution` of function 1 is higher
30	✅	Lambda: Process events from S3 Events. 10 events/s, each event takes 3s. How much concurrency?	Concurrency: number of in-flight request AWS Lambda function is handling at the same time.
			Concurrency = (Number of request/s) x (Time to process a request)
31	❌	Lambda: Concurrency quotas	- Account-level: 1.000 unit of concurrency	Lambda Concurrency Quotas
			- Function-level: Up-to 900 unit of concurrency. AWS reservers 100 for functions without reserved concurrency
32	✅	Protect AWS APIs call with MFA	MFA-enabled IAM users must call GetSessionToken and submit an MFA code that is associated with their MFA device.
33	❌	Elastic Beanstalk: Environment manifest (environment name, solution stack…)	- Environment manifest: `/env.yaml`	Environment manifest (env.yaml) - Elastic Beanstalk
			- Advance config: `/.ebextensions/***.config` (YAML or JSON)	Advanced environment customization with configuration files (.ebextensions)
34	✅	Website hosted on S3 `bucket_A`, make GET request to S3 `bucket_B`. API calls are blocked by browers?	Enable CORS on `bucket_B`
35	✅	Migrate repos from Github to CodeCommit	1. Create repos on CodeCommit; 2. Clone repos from Github; 3. Push to CodeCommit repos
36	✅	Lambda: Increase CPU?	By increase memory
37	✅	ECS: Integrate with X-Ray. How to provide more granular timing information?	Use sub-segment
38	✅	Version control system. Which service?	CodeCommit
39	✅	API Gateway: Non-proxy integration with Lambda. How to ensure consumer include a query tring?	Use method request

Domain 2: Security

No		Q	A	Ref

1	✅	Cognito - Enforce MFA for suspicious login attempt	User Pool / Adaptive Authentication / Automatic risk response	Adaptive Authentication - User Pool
2	✅	EC2 instance - Upload images to S3. How to give EC2 instance permission?	IAM Role (Instance Profile)
3	✅	Dev needs to access Test/Prod accounts. How to give permission?	Grant cross-account access:
			- In Test/Prod accounts, create IAM Role (with permissons)
			- In Dev account, grant access to assume that IAM Role
4	✅	API Gateway - Lambda Authorizer: Implement one that same as OAuth, SAML	API Gateway - Lambda Authorizer (Custom Authorizer) has 2 types:
			- Token-based Lambda Authorizer <= Bearer token: OAuth token, JWT
			- Request parameter-based Lambda Authorizer <= aka REQUEST authorizer (supports a lot of data: headers, query string, `stageVariales`, `$context`…)
5	✅	EC2 instance has both `credentials` & `Instance Profile`	AWS CLI credentials precedence: CLI options > ENVVAR > Assumed Role > IAM Idendity (~~/.aws/config) > Credential file (~~/.aws/credentials) > EC2 instance profile > Container credental	AWS CLI Credentials Precedence
6	❌	Provide application in ECS access to the required AWS resources	Fargate: IAM Role -> attach to task
			EC2: Container Instance Role
7	❌	KMS: Envelope Encryption	1. encrypt plaintext data with a data key
			2. encrypt the data key with a top-level plaintext master key
8	✅	S3 - Encryption using KMS-C. How to upload object?	Include the headers: `x-amz-server-side-encryption-customer-` + `algorithm`/`key`/`key-MD5`
9	✅	IAM, SCP - How to test IAM policy?	IAM Policy Simulator

Domain 3: Deployment

No		Q	A	Ref
1	✅	SAM: workflow redeploy	1. `sam build`; 2. `sam deploy`
2	✅	Elastic Beanstalk: Dev/Test - Reploy ASAP	EB deployment strategy: `AllAtOnce`
3	✅	SAM: deploy 10% every 10min	SAM `Linear` `10min`
4	✅	Lambda: `package deployment` take too much time to deploy? How increase deploy speed?	Lambda package deployment quota (for a function) is 50 MB (zipped; includes runtimes, layer…)
			- Extract shared dependencies to `layer`.
			- (Or upload to S3)
5	❌	CodeDeploy AppSpec - Run a task before traffic is shifted to a Lambda function	AppSpec hook
			- Lambda: (Before) - AllowTraffic - (After)
6	✅	CloudFormation: Easiest way to deploy a `hello_world` lambda function	Incline the function in `AWS::Lambda::Function` `Properties / Code / Zipfile`
7	✅	Elastic Beanstalk: Upgrade from Java 7 to 8. Shift all traffic to the new one, revert if something’s wrong	Blue/Green Deployment: EB AllAtOnce + EB swap environent URLs (EB will use Route 53 to swap CNAMEs)	Blue/Green deployments with Elastic Beanstalk
8	✅	CodeDeploy: Deploy to where? How?	CodeDeploy deploy configuration:
			- EC2, on-premise: AllAtOnce, HalfAtATime, OneAtATime (Can be Blue/Green or in-place)
			- Lambda, ECS: AllAtOnce, Canary, Linear

Domain 4: Troubleshooting and Optimization

No		Q	A	Ref

1	✅	DynamoDB: ProvisionedThroughputExceeded	Optimize DynamoDB:
			1. Use `Query` instead of `Scan`
			2. Use `Eventually Consistent Read` instead of `Strongly Consistent Read`
			3. Use DAX
2	✅	X-Ray: View full trace without using console	Use `GetTraceSummaries`, `BatchGetTraces`
3	✅	ECS + Docker app: How to setup tracing with X-Ray?	- Run `xray-daemon` inside docker image	AWS X-Ray daemon
			- Config port mapping (UDP:2000) in ECS task definition
4	✅	AWS CLI - Timeout	Use pagination: `--page-size` (request less items) `--max-items` (show less items)	AWS CLI pagination options
5	❌	Kinesis Data Streams: Not enough shards & Instances CPU 100%	1. Increase number of shards (shard splitting). 2. Increase instance size
6	❌	RDS can’t handle read	1. Use RDS Multi-AZ Cluster (not Multi-AZ Instance)
			2. Create Read Replica, then update app to read from replica
7	❌	X-Ray - namespace, metadata	X-Ray namespace: distinguish `AWS`/`remote`
8	❌	CloudWatch - namespace	CloudWatch namespace: container for metrics, e.g. `aws/lambda`
9	✅	X-Ray: From where, IP address is fetch?	`X-Forwarded-For` header

Tutorial Dojo - DVA-C02 - Timed Mode Set 3

Test time: Dec 7 2023, 9h45 - 10h28 (00:47:24)

Score: 56/65 (86.15%)

CDA – Development with AWS Services: 85.71%
CDA – Security: 100%
CDA – Deployment: 81.08%
CDA – Troubleshooting and Optimization: 91.67%

Domain 1: Development with AWS Services

No		Q	A

1	✅	Replace spreadsheet-based tracking system. DynamoDB.	EDA: DynamoDB Streams + Lambda + SNS
2	✅	Collect real-time user data	Kinesis Data Streams
3	❌	API Gateway: Lambda Proxy integration	Recommend: Simple setup
4	✅	CodeCommit, CodeBuild, CodeDeploy, CodePipeline. A central dashboard?	CodeStar
5	✅	Cfn: Reuse value from a stack?	Outputs/Export & Fn::ImportValue
6	✅	Hundreds of thousands of reads/writes per second. Which database?	DynamoDB
7	✅	DynamoDB: Bidding system.	DynamoDB Streams + Lambda + Conditional Write
8	✅	DynamoDB: Query a single table	LSI (when create the table)
9	✅	DynamoDB: Throttled. Hot partition. Fix minimal effort?	Refactor to evenly distribute between partitions; Retries with exponential backoff
10	✅	CodeCommit: Setup?	1. Git credential - HTTPS (username/password); 2. SSH connection (SSH key-pair)
11	✅	DynamoDB: 1.5KB. Write 100 items/s. WCU 100 but throttled. Fix?	Increase WCU to 200.
12	❌	Deploy serverless app: Run C++	Lambda doesn’t support C++ -> Create custom runtime
13	✅	SQS: Duplicate message	SQS FIFO + SendMessage with DeduplicationID
14	❌	SQS: postpone delivery messages to queue	`Delay queue` (not using `visibility timeout`)
15	✅	ECS: Place task between AZs?	Spread
16	❌	ECS: EC2. Task placement?	1. Cluster constraint; 2. Task placement constraint; 3. Task placement strategy
17	✅	Sync user data without your backend.	Cognito Sync (delegated use AppSync)
18	❌	Kinesis Data Streams: Resharding, Scaling, and Parallel Processing	1. One worker can process many shards. 2. Optimal ratio is `1 worker : 1 shard`
			Enhanced Fan-out: stream consumers receive their own 2MB/second pipe of read throughput per shard
19	❌	DynamoDB: Concurrency write	Optimistic Locking + Conditional Writes
20	❌	DynamoDB: For each request, return WCU consumed (base table & GSI)	`ReturnConsumedCapacity`: ~~NONE~~ (default), ~~TOTAL~~, INDEXES
21	✅	SQS: Config Dead Letter Queue	Just provide ARN of the queue to `DeadLetterConfig`
22	✅	Elastic Beanstalk: Web app process large number of items from DynamoDB. Overload. Easiest fix?	Use `Batch` operations for `Get`, `Put`, `Delete`
23	✅	DynamoDB: Send welcome mail for new user. How?	DynamoDB Streams + Lambda + SNS
24	✅	DynamoDB: Table - FighterID (PK) - FilterTitle (SK). Query by other attributes?	Create a GSI
25	✅	DynamoDB: + Elasticache. Write data if cache miss. Improve?	Add write-through + TTL
26	✅	Kinesis Data Streams: 100 shards, Lambda (10 seconds/request, 50 items/seconds)	Maximum of 100 Lambda concurrency = number of shards
27	✅	Cfn: How to automate the process of getting latest AMI?	Use System Managers Parameter Store
28	✅	SQS: Process tool long & messages appear twice	Increase visibility timeout
29	✅	CloudFront: Slow to login & 504	Authentication@Edge + Origin fail over
30	✅	Lambda: Increase CPU?	By increasing memory
31	✅	API Gateway: Implement APIs form current Swagger spec.	Just import the OpenAPI/Swagger file.
32	✅	Microservice using Docker + Fine-grain control	ECS
33	✅	Quickly deploy Node app (provisioning, load balancing, ASG…)	Elastic Beanstalk
34	✅	Amplify: config?	amplify.yaml
35	✅	S3: Cross-Region Replication. Fail. Why?	Maybe Object Versioning is not enable
36	✅	S3: Upload Terabytes of data from over the worlds. Slow. Improve speed?	S3 Transfer Acceleration
37	✅	API Gateway: Reuse same function for different stage (different DynamoDB table)	Stage variable

1.3 API Gateway API integration type

Choose an API Gateway API integration type

API Gateway - API integration types:

AWS
- Lambda non-proxy integration (Lambda custom integration): Need to specify how to map between method & integration
AWS Proxy
- Lambda proxy integration (Recommend): Simple setup
  - API Gateway maps the entire client request to the input event parameter of the backend Lambda function
HTTP
HTTP Proxy
Mock

1.16 ECS task placement

Alt text

Alt text ECS Task Placement

Task placement: Which container instances to place task?
- “Cluster constraint”: Which one satisfy CPU, memory, port (in task definition)?
- A task placement constraint is a rule that’s considered during task placement.
  - Constraint type
    - distinctInstance
    - memberOf
  - Expression: defined in cluster query language (subject operator [argument])
    - Attribute:
      - Build-in attribute: e.g. ecs.availability-zone, ecs.instance-type
      - Optional attribute:
      - Custom attribute: stack
    e.g. attribute:ecs.availability-zone == us-east-1a
- A task placement strategy is an algorithm for selecting container instances for task placement or tasks for termination: ECS supports 3 type of task placement strategy:
  - binpack: min unused CPU, memory
  - random
  - spread: evenly based on
    - : instanceId/host, attribute:ecs.availability-zone, …

Ref:

1.18 Kinesis Data Streams

https://aws.amazon.com/blogs/aws/kds-enhanced-fanout/

1.19 DynamoDB: Concurrency write

Atomic Counter: 🛣️ Any one can writes (The database use the previous value)
Optimistic locking & Conditional write: ⚠️ Many writes at a time (based on some condition)
Pessimistic locking: 🛑 1 write at a time. Wait for your turn

Domain 2: Security

No		Q hash-based message authentication code (HMAC) value of the encryption key in order to validate future requests.	A

1	✅	API Gateway: Lambda authorizer - accepts header, query strings	Request parameter-based authorizer (REQUEST authorizer)
2	✅	On-premise KMS, migrate to AWS. Key is store in dedicated hardware	CloudHSM
3	✅	S3: Upload small file + Use KMS key: OK. Upload big file (100GB): not OK	AWS CLI use multipart upload for big files. It’s required the `kms:Decrypt` permission
4	✅	S3: SSE with KMS (using default KMS key). Which header?	- `x-amz-server-side-encryption: aws:kms`
			- Omit `x-amz-server-side-encryption`-`aws-kms-key-id` to use default KMS key for S3
5	✅	S3: SSE-C. How does it work?	1. You manage key & give AWS the key each time you upload a file
			1.1 `x-amz-SSE`-`customer`-`algorithm`/`key`/`key-MD5`
			1.2 If you lose the key, you lose the object
			2. AWS handle encryption:
			2.1 AWS store a hash-based message authentication code (HMAC) value of the encryption key in order to validate future requests.
			2.2 When you need the object, you request the object (& provide the encryption key)
			2.3 AWS decrypt & give you back the decrypted object
6	✅	KMS: A file encrypted with data encryption key (DEK). How to decrypt the files locally?	1. Use KMS’s `Decrypt` to decrypt the DEK
			2. Use the plaintext DEK to decrypt the file (immediately erase the plaintext from memory after used)
7	✅	CodeDeploy: Platform: ECS - `appspec.yaml`	`appspec.yaml` for ECS needs: `TaskDefinition`, `ContainerImage`, `ContainerPort`
8	✅	Share DB connection endpoint	Systems Manager Parameter Store secure string
9	✅	SSL certificate from 3rd party. Which service can store?	AWS Certificate Manager (for unsupported regions, use IAM certificate store)

Domain 3: Deployment

No		Q	A	Ref

1	✅	EC2: EBS-backed root volume. How to detach the root-volume?	Stop the EC2 instance, then detach the root volume
2	✅	Elastic Beanstalk: Maintain compute resource while deploying. No downtime.	Rolling with additional batch, Immutable	3.2.1 3.2.2 3.2.3
3	✅	DynamoDB: 3.5KB. 150 eventually consistent reads/second. How many RCU?	1 strongly read -> 1 RCU
			1 eventually read -> 0.5RCU => 150 -> 75
			File 3.5KB -> 1:1 => 75 RCU
4	✅	Lambda: Deployment package 80MB. What to do now?	Split the dependencies to a layer
5	✅	SAM: How to use Cfn & include SAM?	Use Cfn `Transform` & `AWS:Serverless` macro to process SAM template to Cfn template
6	❌	CodeDeploy deployment type (How the latest revision is deployed to instance?)	1. In-place (EC2/On-Premises); 2. Blue/green	3.5
7	✅	Cfn: Different accounts. How to manage update across all accounts?	Use `StackSets`

3.2 Elastic Beanstalk Deployment policies

Deployment policies (aka deployment methods/strategies):
- AllAtOnce (Default)
- Rolling
- Rolling with additional batch
- Immutable
- Traffic splitting (aka Canary)
- Blue-green (with Swap environment URLs)

3.6 CodeDeploy deployment type

Overview of CodeDeploy deployment types CodeDeploy concepts

CodeDeploy can deploy application to 3 platform (called deployment platform):

EC2/On-Premises <= Needs CodeDeploy agent
ECS
Lambda

CodeDeploy make the latest application revision available on instance in a deployment group (a group of instances)

In-place deployment: only support EC2/On-Premise
Blue/green deployment

CodeDeploy supports 3 ways of routing traffic (via deployment configuration)

All-at-once: 100%
Canary: 2 increments: 10% + 90%
Linear: n% x m times

3.7 `StackSets` vs `nested stack` vs `cross-stack reference`

StackSets: create stacks in AWS accounts across regions by using a single CloudFormation template
Nested stack: reuse a template in multiple Cfn template
cross-stack reference: export values from one stack and use them in another (Output/Export & Fn::ImportValue)

Ref:

Domain 4: Troubleshooting and Optimization

No		Q	A	Ref

1	❌	Collect trace from multiple backends, AWS SDK, SQL queries…	AWS Distro for OpenTelemetry (supports collect from X-Ray)
2	✅	X-Ray: Insufficient permissions to use X-ray console to view service map, segments. Which manged policy?	- AWSXrayReadOnlyAccess
				- AWSXRay~~DaemonWriteAccess~~
				- AWSXray~~FullAccess~~
3	✅	API Gateway: Fetch latest data without caching (using `Cache-Control: max-age=0` header). Which permission?	Resource-based policy for `execute-api:InvalidateCache` action
4	✅	DynamoDB: Streams, EventBridge + Lambda every 36 hours. Missing data?	DynamoDB Streams `retention period` is 24 hour. Only last 24 hours data is available
5	✅	Kinesis Data Streams: Increasing data flow. Scale up?	Split-shard + (increase numbers of worker)
6	✅	S3: CORS config: `<AllowOrigin>`, `<AllowedMethod>`, `<AllowedHeader>`, `<MaxAgeSeconds>3600</MaxAgeSeconds>`	`MaxAgeSeconds`: time in seconds that your browser can cache the response for a preflight request	4.6
7	✅	API Gateway: Lambda. 504. No errors in CW. Why?	Lambda function takes more than 30s (API Gateway timeout)
8	✅	RDS: Slow response (in peak time). Already optimize queries. Resolve?	- Add Read Replica
			- Add caching with Elasticache
9	✅	Latency-sensitive service. AWS Fargate, CloudFront, ALB. Too much unauthenticated users, increase CPU of Fargate. Fix?	Use CloudFront Function (attach to Viewer Request) to authenticate users
10	✅	EC2: Monitor memory, swap. How?	Install CW Agent
11	✅	Elastic Beanstalk: EC2. CW doesn’t show memory. Why?	By default, CW doesn’t track EC2 instance memory
12	✅	Kinesis Data Steams: Producers restart -> Duplicate record. Fix?	Call `PutRecord` with `SequenceNumberForOrdering` param.

Tutorial Dojo - DVA-C02 - Timed Mode Set 4

Test time: Dec 8 2023, 10h00 - 10h50 (00:50:00)

Score: 60/65 (92.3%):

CDA – Development with AWS Services 91.67% (33/36)
CDA – Security 90.91% (10/11)
CDA – Deployment 80% (4/5)
CDA – Troubleshooting and Optimization 100% (13/13)

Domain 1: Development with AWS Services

No		Q	A	Ref

1	✅	Automatically watermark images uploaded to S3	Use S3 Event Notification `s3:ObjectCreate:Put`. Send the event to Lambda function (destination)
2	✅	Lambda function: access RDS in private subnet	Connect to the VPC
3	✅	API Gateway + Lambda: Map incoming request to integration request & vice versa	AWS custom (Lambda custom)
4	✅	Which cache strategy ensured cached data is always up-to-date & stale data are automatically deleted?	Write-through + With TTL	1.4
5	✅	DynamoDD: How to prevent data overwritten?	Optimistic locking + Conditional writes (check version number)
6	✅	Database credential: How to encrypted & auto-rotate?	Use Secrets Manager + Enable Automatic Rotation
7	✅	S3: Use SQL to filter & retrieve only a subset data of an object?	S3 Select (supports CSV, JSON, Apache Parquet & compressed CSV, JSON)	1.7
8	❌	DynamoDB - GSI: Consumed throughput; Consistency?	GSI has its own consumed throughput. GSI only supports eventually consistent read
9	✅	DynamoDB - GSI: How much throughput to provision?	GSI WCU >= Base table WCU
10	✅	DynamoDB: 2KB items - 10 writes/s - 20 eventually consistent reads/s. How much RCU/WCU?	2KB ➡️ 1 strongly consistent read = 1 RCU ➡️ 1 eventually = 0.5 RCU ➡️ 20 eventually = 10 RCU
			2KB ➡️ 1 write = 2 WCU ➡️ 10 writes = 20 WCU
11	✅	1 item = 17KB. 320 strongly consistent read/s. How much RCU?	17KB/item ➡️ 5RCU/strongly consistent read ➡️ 320 strongly read = 320 x 5 = 1600 RCU
12	✅	HTML, JS, image, video. How to server with lowest latency around the world?	S3 + CloudFront
13	✅	AI-based app built with Lambda. How to modify the way invocation event are read form Lambda runtime API?	Use Lambda custom runtime
14	✅	Migrate monolith on-premise app to Lambda. Best practice?	1. Take advantage of `execution runtime`; 2. Use environment variable…	1.14 Lambda Best Practice
15	❌	ECS: Tasks are scheduled on instances with enough resources. Which task placement strategy?	Random
16	✅	Online game - Sync app pref + state of player + Allow multiple player to share state	App Sync (Cognito Sync not support shared data)
17	✅	AWS CLI in EC2 instance. How to easily switch role?	1. Create a new CLI profile with credential; 2. Run `aws` CLI with `--profile`
18	✅	DynamoDB: Ensure item is updated only some attribute meets some condition	Conditional writes
19	✅	DynamoDB: Debug throughput of both base table & GSI when update item?	Call `UpdateItem` with `ReturnConsumedCapacity` set to ~~`None`~~ / ~~`Total`~~ / `Indexes`	1.19 PutItem - ReturnConsumedCapacity
20	✅	DynamoDB Streams: How to integrate with Lambda?	1. Create an `EventSourceMapping` to poll the DynamoDB stream, read & process records
			2. Give Lambda function enough permission to interact with DynamoDB via `ExecutionRole` (`AWSLambdaDynamoDBExecutionRole` managed policy)
21	✅	Serverless app: Which service can manage configuration & deploy the whole stack + simple?	AWS SAM (Serverless Application Model)
22	✅	DynamoDB: Table: ArticleName (PK) - Category (SK). Query ArticleName using another Sort Key + Strongly consistent read	Create a new table with Local Secondary Index (LSI). Migrate the existing data to new table (LSI cannot be created after the DynamoTB is created)
23	✅	S3: Ensure all objects are encrypted with AE256	Use bucket policy to deny any Create request doesn’t have `x-amz-server-side-encryption: AE256` header
24	✅	EC2: Shell script to get instance public/private IP	Use Instance Metadata Service endpoint 169.254.169.254/latest/meta-data
25	✅	Lambda: Account concurrency limit 2000; 10 functions: 1 function 400, 1 function 200. The rest, the third?	The rest: 1400; the third: 1300.
26	✅	Coordinate multiple services into serverless workflow. Which service?	AWS Step Functions
27	✅	API Gateway: Enable caching. How to invalidate 1 key?	Send the request with `Cache-Control: max-age=0`
28	✅	Lambda: Connection refused. Why?	Maybe the invoke URL is wrong (`http` without `s`)
29	✅	Lambda: Improve performance?	Increase memory will increase CPU too.
30	✅	Lambda: A function initialize DB connection every time it executes. How to optimize?	Move the DB connection to shared `execution context` (outside handler)
31	✅	Lambda: Can the function built with Rust?	Yes. Use custom runtime
32	✅	Lambda: A function fetch 20MB static data every time it executes. How to optimize?	Place the initialize outside Lambda handler; saved external file to `/tmp`
33	❌	Deploy containerized apps? ECS, EKS or Elastic Beanstalk?	Under the hood, Elastic Beanstalk uses ECS (& ELB, ASG)
34	✅	Online game. How to add feature to cross-sync profile data between device?	Use Cognito Sync (or App Sync)
35	✅	DynamoDB: Which attribute to use as partition key?	The partition should uniquely identify each item
36	✅	CodePipeline: Push build details into a DynamoDB?	Use EventBridge & Lambda

1.4 Caching Strategies

	What is it?	Pros	Cons

Lazy-loading	Loads data into the cache only when necessary (catches cache misses on reads)	Only requested data is cached	Cache miss read penalty (3 trips)
			Stale data
Write-through	Loads data into the cache whenever data is written to the database (populates data on writes)	No stale data	Missing data (empty nodes)
		No read penalty	Cache churn (not re-used cache)
Lazy-loading (with TTL)	An expired key is treated as not found
Write-through (with TTL)

Domain 2: Security

No		Q	A	Ref

1	❌	1 bucket - many users. How to redact PII & manage access permission?	Use S3 Object Lambda (+) Access Point
2	✅	SSM Parameter Store: Notify if param haven’t been rotated for 90 days	1. Use Advanced tier / Parameter polices / Notification policies
			- `NoChangeNotification` After `xxx`
			- ~~`ExpirationNotification`~~ Before `xxx`
			- ~~`Expiration`~~
			2. Use EventBridge rule to filter & send `NoChangeNotification` event to a SNS topic (target)
3	✅	S3: Ensure data is encrypted at rest using the company key	1. Client-Side Encryption (CSE) - Encrypt the data before send to S3
			2. Server-Side Encryption (SSE) - Send the data with the encryption key
			2.1 For CLI, Use the request headers: `x-amz-server-side-encryption-customer` + `algorithm`/`key`/`key-MD5`
			2.2 Or use the SDK
4	✅	KMS: Locally encrypt data (Envelope encryption)	1. Use the `GenerateDataKey` API to get a `data key`.
			2. Use the plaintext `data key` (`GenerateDataKey` response `Plaintext`) to encrypt data locally, then erase the plaintext `data key` from memory.
			3. Store the encrypted `data key` (`GenerateDataKey` response `CiphertextBlob`) alongside the locally encrypted data.

5	✅	API Gateway: Custom authorizer using bearer token (same as SAML, OAuth). How?	Use API Gateway Lambda authorizer (aka custom authorizer)	2.5
			- Token-based Lambda authorizer (aka TOKEN authorizer) 👈 THIS ONE
			- Request parameter-based Lambda authorizer (aka REQUEST authorizer)
6	✅	Database credential + Rotate	Secrets Manager + Auto Rotation (How? Secrets Manager run a Lambda function )	2.6
7	✅	CloudFormation: Retrieve license key + cost-effective	Systems Manager Parameter Store + Secure String
8	✅	Migrate on-premise to AWS. Integrate LDAP directory service (not compatible with SAML)	Implement a custom identity broker, which use `STS` to issue short-live AWS credentials	2.8
9	✅	Cognito: Additional authentication method	Integrate Multi-Factor Authentication (MFA) to Cognito User Pool
10	✅	SQL Server. Migrate to RDS. Encrypt data before write to disk & vice versa.	Enable SQL Server Transparent Data Encryption
11	✅	S3. Someone use your image without permission.	(Block public access) Use pre-signed URL / pre-signed cookies

Domain 3: Deployment

No		Q	A	Ref

1	❌	SAM deploy process (From local machine)	1. Build (local); ~~2. Package (“Publish” to S3)~~; 3. Deploy (Use artifact on S3)
2	✅	Elastic Beanstalk: HA, revert quickly?	1. Use any EB deployment strategy, e.g. All-at-once (fastest)
			2. Blue-Green deployment (EB calls it swap environment URLs)	3.2
3	✅	CloudFormation: Inline code in template	`AWS::Lambda::Function` / `Code` / `ZipFile`
4	✅	Serverless app: Zip code, upload to S3, produce package deployment-ready template & deploy	`sam deploy` (which includes `sam package`)
5	✅	CloudFormation: Install packages, start services on EC2 after provisioned	`cfn-init`

3.1 SAM deploy process

	npm	sam
	npm init	sam init
	npm install

	npm build	sam build
	npm publish	~~sam package~~ (deprecated, use sam deploy)
	npm start	sam deploy
		- sam list endpoints
	- curl http//:localhost:3000	- curl https//<>.execute-api.<>.amazonaws.com

	nodemon index.js	sam sync –watch

sam deploy now implicitly performs the functionality of sam package

Ref:

https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-deploying.html

Domain 4: Troubleshooting and Optimization

No		Q	A

1	✅	Send traces to X-ray?	Use X-Ray daemon (CloudWatch Agent can do this on EC2/On-Premise)
2	✅	SQS: Duplicate message. Fix?	Use FIFO queue + provide deduplicationID
3	✅	X-Ray: Filter trace?	1. Use web console; 2. Use `GetTraceSummaries` (support search)
4	✅	X-Ray: Send trace to X-Ray?	- 1. Use X-Ray SDK (through X-Ray daemon); 2. Use X-Ray/CLI (directly)
			- `PutTraceSegments` API accepts a single segment document with many segments
5	✅	Kinesis: Over-provision. Scale in?	Merge cold shards
6	✅	API Gateway: Terminated Lambda. Why?	- Lambda timeout: max `15min` ➡️ `terminated`
			- API Gateway timeout: `30s` for an integration ➡️ `504 Timeout`
7	✅	API Gateway: No metrics for CacheHitCount/CacheMissCount	API Gateway caching is not enabled
8	✅	SQS injections, XSS attack. How to deal?	Use Web Application Firewall (WAF). It works with: CloudFront, ALB, API Gateway (REST API)
9	✅	Kinesis: 10 shards - 10 EC2 instance. Increase to 20 shards, how many instances?	20 instances, the number of instances match the number of shards by `1:1` ratio
10	✅	RDS: Monitor memory, CPU usages of processes?	Use RDS enhanced monitoring
11	✅	CodePipeline: Code review in each stage before move to next stage	Use a “manually approval” action, and send the approval request to a SNS topic
12	✅	X-Ray: Record call to DB, other services, SQL queries & filter	Add annotations in the subsegment section of the segment document.
13	✅	X-Ray: Permission to send trace to X-Ray?	`AWSXRayDaemonWriteAccess`

4.1 How to send traces to X-ray?

X-Ray daemon

The AWS X-Ray daemon is a software application that listens for traffic on UDP port 2000, gathers raw segment data, and relays it to the AWS X-Ray API.

The daemon works in conjunction with the AWS X-Ray SDKs and must be running so that data sent by the SDKs can reach the X-Ray service.
AWS Distro for OpenTelemetry (ADOT) Collector
(For EC2, On-premises) CloudWatch Agent can do this from 1.300025.0

4.1 Setup X-Ray daemon

Lambda: the deamon run automatically
EC2:
- Elastic Beanstalk: Enable with XRayEnabled configuration option
- EC2: Install/Run manually (May use user data)
- ECS:
  - Use official Docker image
  - Build custom Docker image
On-premise: Install/Run manually

4.2 SQS: Duplicate messages

https://aws.amazon.com/about-aws/whats-new/2016/11/amazon-sqs-introduces-fifo-queues-with-exactly-once-processing-and-lower-prices-for-standard-queues/ https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_SendMessage.html#SQS-SendMessage-request-MessageDeduplicationId

4.8 AWS WAF, AWS Firewall Manager, and AWS Shield Advanced

https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html

4.9 Scale Kinesis Data Streams

To scale up processing in your application, you should test a combination of these approaches:

Increasing the instance size (because all record processors run in parallel within a process)
Increasing the number of instances up to the maximum number of open shards (because shards can be processed independently)
Increasing the number of shards (which increases the level of parallelism)

https://docs.aws.amazon.com/streams/latest/dev/kinesis-record-processor-scaling.html

4.10 Monitor RDS

CloudWatch (default): RDS automatically sends metrics to CloudWatch every minute (from hypervisor for the DB instance - “outside”)
RDS Enhanced Monitoring:
- Gather metrics about the OS: processes, memory… (from an agent on the DB instance - “inside”)
- Logs are sent to CloudWatch Logs

Differences between CloudWatch and Enhanced Monitoring metrics

4.11 Manage approval actions in CodePipeline

https://docs.aws.amazon.com/codepipeline/latest/userguide/approvals.html

Tutorial Dojo - DVA-C02 - Timed Mode Set 5

Test time: Dec 9, 2023 (14:30)

Score: 47/65 (72%):

CDA – Development with AWS Services 76.92% (20/26)
CDA – Security 61.54% (8/13)
CDA – Deployment 66.67% (6/9)
CDA – Troubleshooting and Optimization 76.47% (13/17)

Domain 1: Development with AWS Services

No		Q	A	Ref

1	❌	Lambda: Debug - Return log stream for the function instance	Use `context.logStreamName`
2	✅	API Gateway & Lambda: New version. Smooth migration	Update Lambda function -> Deploy new version. Specify new ARN in API Gateway integration. Redeploy to new stage.
3	✅	Elastic Beanstalk: Path of config file	/.ebextensions/xxx.config
4	✅	Lambda: Ephemeral storage	`/tmp`
5	✅	Lambda: How to use Ruby?	Ruby’s natively support
6	✅	CloudFront: Update image immediately	Use file name versioning
7	✅	Cognito: Authentication with JWT	1. Create User Pools
			2. Create an authorizer with Cognito User Pool ID
			3. Set token source for authorization (to the name of header store JWT)
8	❌	X-Ray: Group the trace	`Subsegment`: breakdown segment & provide granular timing detail about downstream calls (to AWS services, HTTP APIs, SQL queries)
			`Annotations`: key-pair values, indexed to used with `filter expression` 👉 group traces (with console) or call `GetTraceSummaries` API
			`Metadata`: key-pair values (not-indexed)
9	✅	S3: Lowest cost	Glacier Deep Archive
10	✅	EC2: Run Apache web server	Use user-data to install and start Apache web server
11	✅	App host in 1 region. Re-create on other regions using AMI & CloudFormation. How?	Use Cfn Mapping & FindInMap
12	✅	Serverless app. Application code & infrastructure code in Python. How?	Use CDK and Python
13	✅	Step Functions: Handle error? Aggregate data in different states?	Use Catch & ResultPath
14	❌	Step Functions: Break a task into multiple tasks (process synchronously)	Step Functions state types:	1.14
			- Do some work: Task State & Parallel State
			- Not do some work: Wait State, Pass State, Choice State, Map State, Success/Fail State.
15	✅	DynamoDB: Control access to individual items & attributes?	Fine-grain access control with	1.15
			1. IAM policy
			2. Condition keys,
			2.1 `dynamodb:LeadingKeys`
			2.2 `dynamodb:Attributes`
			3. IAM substitution variable e.g. `${www.amazon.com:user_id}`, `${graph.facebook.com:id}`, and `${accounts.google.com:sub}`
16	✅	Cognito: UI for login page missing brand logo	Cognito allows customization for: logo, CSS.
17	✅	SQS queue: messages larger than 256KB.	Use Amazon S3, (for Java) Extended Client Library
18	❌	Lambda: Provide a public HTTPS endpoint & ensure it executes only if the request’s from valid user	1. Use Lambda function URL	1.18
			2. Auth type:
			- ~~`AWS_IAM`~~
			- `NONE`: The URL endpoint will be public
			3. Implement your own authenticator logic in your function.
19	❌	In-house authentication system, support sync user data between devices/platforms	Cognito Identity Pools - Developer-authenticated identities:
			- Use your own authenticated process
			- Use Cognito to sync user data between devices/platforms

20	✅	API Gateway: Integrate a XML-based SOAP API. How?	Use HTTP Integration:
			- Integration Request: Map incoming request from JSON to XML (with `mapping template`)
			- Integration Response: Map API response from XML back to JSON (with `mapping template`)
21	✅	Serverless: Send newsletter at 7-day interval. How?	Use `EventBridge` Schedule Rule to create events at 7-day interval, sends the events to `Lambda function` target
22	❌	DynamoDB: Python call `BatchGetItem` return partial data. Why? Fix?	- `BatchGetItem` use more than the provisioned throughput limit
			- To fix this:
			1. Increase provisioned throughput
			2. Wait for the load to DynamoDB reduces & try again:
			- Implement your own retries with exponential backoff algorithm
			- Use AWS SDK to call `BatchGetItem` (comes with retries & exponential backoff)
23	✅	DynamoDB: Group multiple actions to multiple items to a one-or-nothing operation?	Use `TransactionWriteItems`
24	✅	DynamoDB: When an item added to `Customer` table, dynamically update `Payment` table. How do it in real time?	Enable DynamoDB Streams for `Customer` table, trigger a Lambda function to update `Payment` table
25	✅	ALB: Obtain all value of identical query parameter key.	Enable `multi-value headers`
26	✅	ECS: 2 containers share logs. How?	Define these 2 containers in 1 task definition, use EFS as a volume

Domain 2: Security

No		Q	A	Ref

1	❌	S3: Encryption each files with different keys. Cost-effective, low overhead	- SSE-S3: use the same key for all files.
			- SSE-C & use KMS to create CMK for each files (`CreateKey`): not cost-effective (1CMK: 1$/month)
			- SSE-KMS & Use KMS to generate DEK for each files (`GenerateDataKey`): 👈 THIS
2	✅	S3 bucket in production account. How to allow a user on dev account access?	1. In `prod` acc, create an IAM role	2.2
			1.1 Give it just enough permission for its task)
			2.2 Specify the `dev` account as a `trusted entity`
			2. In `dev` acc, allow it to assume role of `prod` acc (created in step 1)
			3. In `dev` acc, switch role to `prod` acc
3	✅	S3. Which service to allow user register/sign-in & upload/access images on S3.	Cognito User Pools & Identity Pools
4	✅	Allow temporary access to EC2 & but still enforce MFA? Which STS API?	STS `GetSessionToken`
5	❌	KMS features
6	✅	API Gateway: Regulate access to API & charge based on usage	Usage Plan
7	✅	Best practice to manage access key	Remote all access key of root account, use IAM role for applications
8	✅	Most secure way to send CW logs in EC2 instance of ASG launch configuration	- Create a new IAM role for the new Launch Configuration
			- Launch Configuration (deprecated), use Launch Template.
9	❌	AWS CLI: `UnauthorizedOperation` error with encoded authorization message. What to do?	Decode the message with `STS` `decode-authorization-message`	2.9
10	✅	S3: Hundreds of thousands of objects. Turn on SSE-KMS. Performance degradation. Why?	Requests to KMS are exceeded quota
11	✅	How to check permission of an IAM role?	1. Use IAM Policy Simulator
			2. Run AWS CLI with `--dry-run`
12	❌	Serverless app defined with Cloud Development Kit (CDK). How to test local?	1. (From CDK template) “Synthesize” & output Cfn template with `cdk synth`	2.12 What is CDK? 2.12 CDK toolkit commands
			2. Invoke the Lambda function locally with `sam invoke local` (by emulating the Lambda execution environment.)	2.12 `sam local invoke`
13	❌	Cognito Identity Pools: What does Cognito returns to authenticated/unauthenticated user?	- For authenticated users: Cognito returns the `token`
			- For unauthenticated users: Cognito returns a `Cognito ID`

2.4 Requesting temporary security credentials with Security Token Service (STS)

STS Token	What it does?	Notes
AssumeRole	cross-account delegation and federation through a custom identity broker	Cross-account, MFA
AssumeRoleWithWebIdentity	federation through a web-based identity provider	SSO
AssumeRoleWithSAML	federation through an enterprise Identity Provider compatible with SAML 2.0
GetFederationToken	federation through a custom identity broker	Proxy app
GetSessionToken	temporary credentials for users in untrusted environments	MFA

Ref:

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html

2.5 KMS features

KMS features:

Create symmetric/asymmetric keys
Import symmetric keys
Rotate symmetric keys
Disable/Enable keys

Not a KMS features:

Import asymmetric keys
Rotate key in custom stores

Domain 3: Deployment

No		Q	A	Ref

1	✅	CodeDeploy: S3 source. Deploy to EC2 fail during `DownloadBundle`	The EC2 instance profile don’t have permission to access S3 bucket
2	❌	CodeDeploy: Rollback	CodeDeploy rolls back deployments by redeploying a previously deployed revision of an application as a new deployment (with new deployment ID)	3.2
3	✅	Deploy to 3 environments: `test`, `staging`, `production`. How?	Use 3 `deployment group`s, each for 1 environment.
4	✅	Elastic Beanstalk: Multi-container Docker. Which file to configure container definitions?	`Dockerrun.aws.json`
5	✅	Elastic Beanstalk: Multi developers deploy without upload the whole project?	Use `eb deploy` to deploy from local `CodeCommit` repo
6	✅	Serverless app defined with CDK. Deploy to new account. `NoSuchBucket` error. Fix?	Run `cdk bootstrap` to provision resources for CDK deployment, e.g. IAM role, S3 bucket.
7	❌	CodeCommit: How to setup for a new user?	Use AWS credential (with `credential-helper`)	3.7
8	✅	CodeCommit: Forgot to pull master. Fix conflict?	`git rebase` `feature` branch on `master` branch. Then manually fix conflict.
9	❌	SAM: How to deploy (& test)?	1. (Once time) `sam init`
			2. `sam deploy`

3.7 CodeCommit: Setup for new user

HTTPs Git credential (use username & password)
SSH connections (use public-private key pair)
- Create public & private key pair on your local machine
- Associate the public key with IAM user
Use AWS credential (profile)
1. Use git-remote-commit (recommended)
2. Use aws codecommit credential-helper

Domain 4: Troubleshooting and Optimization

No		Q	A	Ref

1	❌	Lambda: Function created with Cfn doesn’t send logs to CW?	Modify `ExecutionRole` & add `AWSLambdaBasicExecutionRole` managed policy
			- (Attach to Lambda’s resourced-based policy won’t works)
			- When created with Web Console, the console automatically add these policy to execution role for us
			- With Cfn, we need to do it ourself.
2	❌	ECS: EC2 launch type. Terminate an instance (after it’s stopped), but the container instance still appear in ECS cluster	Terminate an instance:
			- In `running` state, it will be automatically deregistered with ECS cluster
			= In `stopped` state, it won’t be


3	✅	CodeBuild: Run on a proxy server. `RequestError` when CodeBuild is accessed. Fix?
4	❌	API Gateway: Enable API caching. How to test the function without caching?	0. Create a resource-based policy to allows the API Gateway execution service to invalidate the cache for requests on the specified resource	4.4
			1. Make a request with `Cache-Control: max-age=0` header
5	✅	S3 - Event Notifications: Compress the images, but it takes too much time. Improve?	Increase memory ➡️ increase CPU
6	✅	Debug latency of your app (with recently added function)? How to do with X-Ray?	Define sug-segments inside the function to “instrument” (measure) it
7	✅	AWS CLI: Create snapshot of EC2 instance. `InvalidInstanceID.NotFound`. Why?	Maybe the AWS CLI is using a profile for a different region
8	✅	Build a CI pipeline. Which AWS services?	CodeCommit, Lambda, CodeBuild
9	✅	Step Functions: Handle & recover from State’s exception.	Use `Catch` & `Retry` fields in state machine definition
10	✅	Lambda - Cold start: Optimize?	1. Reduce pre-handler code
			2. Increase CPU (by increasing memory)
11	✅	LAMP stack. Migrate to AWS?	EC2 + Aurora/RDS
12	✅	Lambda: process file (5min). So slow?	Change `InvokeType` to `Event` (asynchronous invocation)
13	❌	DynamoDB: Optimize `Scan` in low-demand time?	Parallel scan: distribute workload across the partitions of the table (by passing `Segment` and `TotalSegments` parameters into the `Scan` operation)	4.13
14	✅	Website (hosted on S3) call API Gateway. `No "Access-Control-Allow-Origin"` error. Fix?	Config CORS for API Gateway to allow the website (S3)
15	✅	API Gateway + Lambda: Publish a new version of `AccService:Prod` with the alias `AccService:Beta`. How to test before promote?	Create a `BETA` stage. Use stage variable to reference the `beta` function alias
16	✅	Lambda: `Unable to import module`. Fix?	1. Install the missing module locally.
			2. Package it with the handler or in a layer
			3. Re-upload to Lambda
17	✅	Elastic Beanstalk: Keep the old code in S3 bucket. How?	Change `Retention` to `Retain source bundle in S3`

Tutorial Dojo - DVA-C02 - Timed Mode Set xx

Test time: xx

Score: xx/65 (xx%):

CDA – Development with AWS Services xx%
CDA – Security xx%
CDA – Deployment xx%
CDA – Troubleshooting and Optimization xx%

Domain 1: Development with AWS Services

No		Q	A	Ref

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40

Domain 2: Security

No		Q	A	Ref

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40

Domain 3: Deployment

No		Q	A	Ref

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40

Domain 4: Troubleshooting and Optimization

No		Q	A	Ref

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40

Tutorial Dojo - DVA-C02 - Final Test

Test time: Dec 10, 2023 (19:30 - 20:05)

Score: 63/65 (96.92%):

CDA – Development with AWS Services 96.97% (32/33)
CDA – Security 90.91% (10/11)
CDA – Deployment 100% (5/5)
CDA – Troubleshooting and Optimization 100% (16/16)

Domain 1: Development with AWS Services

No		Q	A	Ref

1	✅
2	✅
3	✅
4	✅
5	✅
6	✅
7	✅
8	✅
9	✅
10	✅
11	✅
12	✅
13	✅
14	✅
15	✅
16	✅
17	❌	Lambda: Use C++	Build a custom runtime for C++	1.17
18	✅
19	✅
20	✅
21	✅
22	✅
23	✅
24	✅
25	✅
26	✅
27	✅
28	✅
29	✅
30	✅
31	✅
32	✅
33	✅

1.17 Lambda Custom Runtime

Lambda support 6 languages (through runtimes): Node, Python, Ruby, Java, .NET, Go.

You can use runtimes that Lambda provides, or build your own.

Domain 2: Security

No		Q	A

1	✅
2	✅
3	✅
4	✅
5	✅
6	✅
7	✅
8	❌	System Managers Parameter Store: Notify if a parameter hasn’t been rotated in 90 days.	1. Use Advanced tier / Parameter polices / Notification policies
			- `NoChangeNotification` After `xxx`
			- ~~`ExpirationNotification`~~ Before `xxx`
			- ~~`Expiration`~~
9	✅
10	✅
11	✅

Domain 3: Deployment

No		Q	A	Ref

1	✅
2	✅
3	✅
4	✅
5	✅

Domain 4: Troubleshooting and Optimization

No		Q	A	Ref

1	✅
2	✅
3	✅
4	✅
5	✅
6	✅
7	✅
8	✅
9	✅
10	✅
11	✅
12	✅
13	✅
14	✅
15	✅
16	✅

Tutorial Dojo - DVA-C02 - Summary

Domain 1: Development with AWS Services

No		Q	A	Ref

I.4	❌	AWS SAM: shift traffic to new version	SAM Deployment strategy	[SAM - Deploying gradually]
I.12	❌	Lambda: Response to user after 5 min	Lambda `Invoke` API `InvocationType`	[Invoke - InvocationType]
I.14	❌	S3: Remove PII before return to application	Use S3 Object Lambda to process object before return to application	[S3 Object Lambda] [S3 Object Lambda Use with CloudFront]
I.18	❌	Only allow authorized clients to invalidate an API Gateway cache	- API Gateway Additional settings / Per-key cache invalidation / Require authorization	[Invalidate an API Gateway cache entry]
I.21	❌	Lambda: 50 requests/s; 100 s/request 👉️ 5.000 concurrency execution	Default quota of Lambda concurrency execution: 1.000 (can be increased to 10.000)
II.7	❌	Tracking number of visitors on website (use DynamoDB)	1. (May over/under count) “Atomic counter” - just increase the counter without checking current value
II.8	❌	Kinesis Data Streams: Duplicate Records	- Two primary reasons: 1. Producer retries; 2. Consumer retries.	[Handling Duplicate Records - Kinesis]
II.9	❌	X-Ray: Include info about calls to AWS services	Include `sub-segment` in the `segment document`
II.10	❌	DynamoDB: Forum (PK) - Subject (SK) - LastPostUpdateTime. Finds on posts of a forum in last 3 months	Add LSI: Forum (PK) - LastPostUpdateTime (SK). Use `Query` operation.
II.19	❌	Elastic Beanstalk: Deploy infrastructure has an RDS instance coupling with EB. How to migrate RDS?	1. Create RDS snapshot; enable RDS deletion protection
II.31	❌	Lambda: Concurrency quotas	- Account-level: 1.000 unit of concurrency	[Lambda Concurrency Quotas]
II.33	❌	Elastic Beanstalk: Environment manifest (environment name, solution stack…)	- Environment manifest: `/env.yaml`	[Environment manifest (env.yaml) - Elastic Beanstalk]
III.3	❌	API Gateway: Lambda Proxy integration	Recommend: Simple setup
III.12	❌	Deploy serverless app: Run C++	Lambda doesn’t support C++ -> Create custom runtime
III.14	❌	SQS: postpone delivery messages to queue	`Delay queue` (not using `visibility timeout`)
III.16	❌	ECS: EC2. Task placement?	1. Cluster constraint; 2. Task placement constraint; 3. Task placement strategy
III.18	❌	Kinesis Data Streams: Re-sharding, Scaling, and Parallel Processing	1. One worker can process many shards. 2. Optimal ratio is `1 worker : 1 shard`
III.19	❌	DynamoDB: Concurrency write	Optimistic Locking + Conditional Writes
III.20	❌	DynamoDB: For each request, return WCU consumed (base table & GSI)	`ReturnConsumedCapacity`: ~~NONE~~ (default), ~~TOTAL~~, INDEXES
IV.8	❌	DynamoDB - GSI: Consumed throughput; Consistency?	GSI has its own consumed throughput. GSI only supports eventually consistent read
IV.15	❌	ECS: Tasks are scheduled on instances with enough resources. Which task placement strategy?	Random
IV.33	❌	Deploy containerized apps? ECS, EKS or Elastic Beanstalk?	Under the hood, Elastic Beanstalk uses ECS (& ELB, ASG)
V.1	❌	Lambda: Debug - Return log stream for the function instance	Use `context.logStreamName`
V.8	❌	X-Ray: Group the trace	`Subsegment`: breakdown segment & provide granular timing detail about downstream calls (to AWS services, HTTP APIs, SQL queries)
V.14	❌	Step Functions: Break a task into multiple tasks (process synchronously)	Step Functions state types:	[1.14]
V.18	❌	Lambda: Provide a public HTTPS endpoint & ensure it executes only if the request’s from valid user	1. Use Lambda function URL	[1.18]
V.19	❌	In-house authentication system, support sync user data between devices/platforms	Cognito Identity Pools - Developer-authenticated identities:
V.22	❌	DynamoDB: Python call `BatchGetItem` return partial data. Why? Fix?	- `BatchGetItem` use more than the provisioned throughput limit
VI.17	❌	Lambda: Use C++	Build a custom runtime for C++	[1.17]

Domain 2: Security

No		Q	A	Ref

I.1	❌	Give a program to AWS services	- Best practice: EC2 instance profile (IAM Role)
I.3	❌	Database credential - How to encrypt & auto rotate?	- AWS Secret Manager + Enable auto rotate
I.8	❌	S3 - Ensure all objects are encryption at rest with SSE-KMS	Add a bucket policy which denies any s3:PutObject action unless the request includes the `x-amz-server-side-encryption` header.
II.6	❌	Provide application in ECS access to the required AWS resources	Fargate: IAM Role -> attach to task
II.7	❌	KMS: Envelope Encryption	1. encrypt plaintext data with a data key
IV.1	❌	1 bucket - many users. How to redact PII & manage access permission?	Use S3 Object Lambda (+) Access Point
V.1	❌	S3: Encryption each files with different keys. Cost-effective, low overhead	- SSE-S3: use the same key for all files.
V.5	❌	KMS features
V.9	❌	AWS CLI: `UnauthorizedOperation` error with encoded authorization message. What to do?	Decode the message with `STS` `decode-authorization-message`	[2.9]
V.12	❌	Serverless app defined with Cloud Development Kit (CDK). How to test local?	1. (From CDK template) “Synthesize” & output Cfn template with `cdk synth`	[2.12 What is CDK?] [2.12 CDK toolkit commands]
V.13	❌	Cognito Identity Pools: What does Cognito returns to authenticated/unauthenticated user?	- For authenticated users: Cognito returns the `token`
VI.8	❌	System Managers Parameter Store: Notify if a parameter hasn’t been rotated in 90 days.	1. Use Advanced tier / Parameter polices / Notification policies

Domain 3: Deployment

No		Q	A	Ref

I.1	❌	Implement subscription with API Gateway	Use usage plan to distribute APIs & throttle usages based on defined limit/quota	[API Gateway - Usage plan]
I.2	❌	Lambda, pause task & wait for external process	Step Function - Callback pattern (SQS + SNS + Lambda)	[Step Function - Callback Pattern]
I.5	❌	SAM template requires sections	Transform & Resources
I.6	❌	Create Lambda function with CLI error InvalidParameterValueException	Invalid parameter: maybe a role can’t be assumed
I.7	❌	ECS schedule task based on CPU/memory	ECS - Task placement strategy: binpack, spread, random
II.5	❌	CodeDeploy AppSpec - Run a task before traffic is shifted to a Lambda function	AppSpec hook
III.6	❌	CodeDeploy deployment type (How the latest revision is deployed to instance?)	1. In-place (EC2/On-Premises); 2. Blue/green
IV.1	❌	SAM deploy process (From local machine)	1. Build (local); ~~2. Package (“Publish” to S3)~~; 3. Deploy (Use artifact on S3)
V.2	❌	CodeDeploy: Rollback	CodeDeploy rolls back deployments by redeploying a previously deployed revision of an application as a new deployment (with new deployment ID)	[3.2]
V.7	❌	CodeCommit: How to setup for a new user?	Use AWS credential (with `credential-helper`)	[3.7]
V.9	❌	SAM: How to deploy (& test)?	1. (Once time) `sam init`

Domain 4: Troubleshooting and Optimization

No		Q	A	Ref

I.6	❌	Serve private content from CloudFront	1. Use signed-URL, sign-cookies
I.7	❌	X-ray: How to debug?	`_X_AMZN_TRACE_ID` + `AWS_XRAY_CONTEXT_MISSING`
I.12	❌	CloudFront HTTPS	Viewer Protocol Policy: `Only HTTPS` or `Redirect HTTP to HTTPS`
I.14	❌	DynamoDB Scan improve performance	- Default page size: 1MB (Max) -> Reduce page size
I.19	❌	Use Lambda function inside a VPC	- By default, Lambda is public (has internet access)
I.20	❌	X-Ray filter trace	1. Add `annotation` to record data used to group traces (indexed to used with `filter expression`)
I.22	❌	API Gateway: Lambda Proxy - 502 Bad Gateway	In Lambda proxy integration, the backend Lambda function must return output according a JSON format	[Output format of a Lambda function for proxy integration]
II.5	❌	Kinesis Data Streams: Not enough shards & Instances CPU 100%	1. Increase number of shards (shard splitting). 2. Increase instance size
II.6	❌	RDS can’t handle read	1. Use RDS Multi-AZ Cluster (not Multi-AZ Instance)
II.7	❌	X-Ray - namespace, metadata	X-Ray namespace: distinguish `AWS`/`remote`
II.8	❌	CloudWatch - namespace	CloudWatch namespace: container for metrics, e.g. `aws/lambda`
III.1	❌	Collect trace from multiple backends, AWS SDK, SQL queries…	AWS Distro for OpenTelemetry (supports collect from X-Ray)
V.1	❌	Lambda: Function created with Cfn doesn’t send logs to CW?	Modify `ExecutionRole` & add `AWSLambdaBasicExecutionRole` managed policy
V.2	❌	ECS: EC2 launch type. Terminate an instance (after it’s stopped), but the container instance still appear in ECS cluster	Terminate an instance:
V.4	❌	API Gateway: Enable API caching. How to test the function without caching?	0. Create a resource-based policy to allows the API Gateway execution service to invalidate the cache for requests on the specified resource	[4.4]
V.13	❌	DynamoDB: Optimize `Scan` in low-demand time?	Parallel scan: distribute workload across the partitions of the table (by passing `Segment` and `TotalSegments` parameters into the `Scan` operation)	[4.13]

Tutorial Dojo - DVA-C02 - Summary

Domain 1: Development with AWS Services

No		Q	A

I.1	✅	Improve performance of S3 upload	Multipart upload. How about Transfer Acceleration?
I.2	✅	Caching: Lazy-load & Write-through
I.3	✅	Lambda: Different parameter depends on environment	Environment variable (# Stage variable)
I.5	✅	API Gateway: same API Gateway for multiple environments	Stage variable
I.6	✅	CloudWatch Alarm: When to alarm?	`Period` / `Evaluation Periods` / `Data points to Alarm`
I.7	✅	SAM: Nested application	`AWS::Serverless::Application`
I.8	✅	Lambda deploy: Graduate increase traffic to new version	Lambda supports traffic shifting for aliases (by setting `traffic weight`). (That’s why SAM have `canary`, `linear` deployment strategy )
I.9	✅	API Gateway: Map data for microservice (in container)	Use `HTTP` integration (Not `AWS` or `_PROXY`)
I.10	✅	Database scale globally, handle frequent schema changes	DynamoDB (not Aurora)
I.11	✅	API Gateway - TTL 300s. How client can invalidate cache?	Send request with `Cache-Control: max-age=0` header
I.13	✅	Session data store on DynamoDB. Delete session of logged out users?	Use DynamoDB TTL (when will an item is eligible for expiration - in epoch time)
I.15	✅	Serve content based on location	- CloudFront can add header about viewer location’s location (based on the viewer’s IP address).
I.16	✅	What to do after update Cfn template of a Lambda function?	1. `aws cloudformation package`: Uploads local artifacts to S3, update Cfn template to reference these artifacts
I.17	✅	Multi-thread key-value cache store	Elasticache for Memcached
I.19	✅	Process long-running tasks	Elastic Beanstalk worker environment (an HTTP request handler that EB invokes with an SQS queue)
I.20	✅	ECS: Where to config port for container?	Task definition
I.22	✅	Can Lambda handle 10 requests/s (each request take 50s)	500 concurrent execution (Lambda can handles without doing anything. The default limit is 1.000)
I.23	✅	DynamoDB table attributes: UserID (PK) - GameTitle (SK) - TopScore. Get max TopScore of each game?	Create a Global Secondary Index: GameTitle (PK) - TopScore (SK). Query 1 item for each game in descending order.
I.24	✅	Kinesis Data Streams: How many worker is optimal to process a number of shards?	1:1 ratio
I.25	✅	AWS CLI timeout when list bucket with 10.000 objects	Add pagination parameter when use AWS CLI
I.26	✅	Permission to Create/Delete GitCommit repos	`codecommit:CreateRepository` & `codecommit:DeleteRepository`
I.27	✅	DynamoDB Streams: Send a copy of old item to S3	`StreamViewType`: `OLD_IMAGE`
II.1	✅	RDS + Lambda + Translate text with Amazon Translate. Improve performance, reduce load to RDS?	Use Lambda execution environment `/tmp` as cache store
II.2	✅	DynamoDB: Employee info. Which attribute use as primary key?	employee_id
II.3	✅	Run a Lambda function every 30min?	Use EventBridge `Schedule` Rule to create scheduled events -> target the Lambda function
II.4	✅	ECS integrate with API Gateway. Which integration make no intervention?	HTTP_PROXY
II.5	✅	Which API to call to get permission (from a IAM Role) to interact with S3 API	AWS STS `AssumeRole` API (or `AssumeRoleWithWebIdentity`, `AssumeRoleWithSAML`) (optionally pass an `SessionPolicy`)
II.6	✅	Asynchronous invoke Lambda function with `Invoke` API	Pass parameter `InvocationType` - `Event`
II.11	✅	DynamoDB: Write heavy - `ProvisionedThroughputExceededException`. Why?	RCU/WCU of GSI is separate from base table
II.12	✅	CodeCommit: Permission to `fetch`, `clone`, `push`	`codecommit:GitPull`, `codecommit:GitPush`
II.13	✅	Elastic Beanstalk: Deploy new version with CLI	Package app as `zip`/`war` file. Deploy with `eb deploy` (EB CLI is a different package. It’s not packaged with AWS CLI, not `aws eb`)
II.14	✅	Internal app: elastic, cost-effective	DynamoDB, EC2 Spot Fleet
II.15	✅	Build an CI/CD to deploy to both EC2 & on-premise. Which service?	CodeDeploy
II.16	✅	DynamoDB: 10 RCU, each item 4KB. How much read request/s the table can handle?	10 RCU: 10 Strong Consistency Read - 20 Eventually Consistency Read
II.17	✅	Prototype microservices on ECS. Which task placement minimize cost?	Binpack, ~~random~~, ~~spread~~
II.18	✅	Temporary AWS credential for both authenticated/unauthenticated. Which service?	Cognito Identity Pool (Federated Identity)
II.20	✅	SQS: Duplicated messages. How to fix?	For SQS, when call `SendMessage` API, add `MessageDeduplicationId` param
II.21	✅	DynamoDB: Protect from overwritten?	Implement `optimistic locking` with version number (ensure update the right version item)
II.22	✅	Lambda: Asynchronous invoke, exponential back-off, then send un-processed messages to another service.	Lambda supports Dead Letter Queue (just as SQS DLQ)
II.23	✅	Collect visitor click to ads. Which service?	DynamoDB: Use `UpdateItem` to implement `atomic counter` (Approximately ~ Add 1 to previous value)
II.24	✅	DynamoDB: Read 100 items. Which API?	`BatchGetItem` (instead of `GetItem`) then `BatchWriteItem`
II.25	✅	DynamoDB: Store recent updated item automatically	1. DynamoDB Streams + Lambda (not recommend)
II.26	✅	DynamoDB: Session data. Reduce storage without using provision throughput	Use DynamoDB TTL
II.27	✅	Kinesis Data Streams: How to handle data flow (Scaling)?	1. Split shards to increase stream capacity; 2. Merge shards to decrease stream capacity.
II.28	✅	Kinesis Data Streams: Consumer process every other day & store to S3. S3 only has half of the data?	Kinesis Data Streams default `retention period` is `24h` (up to 365 days)
II.29	✅	An AWS account has 2 Lambda function. 1 works optimal, 1 is throttled. Why?	The `reserve` `concurrency execution` of function 1 is higher
II.30	✅	Lambda: Process events from S3 Events. 10 events/s, each event takes 3s. How much concurrency?	Concurrency: number of in-flight request AWS Lambda function is handling at the same time.
II.32	✅	Protect AWS APIs call with MFA	MFA-enabled IAM users must call GetSessionToken and submit an MFA code that is associated with their MFA device.
II.34	✅	Website hosted on S3 `bucket_A`, make GET request to S3 `bucket_B`. API calls are blocked by browsers?	Enable CORS on `bucket_B`
II.35	✅	Migrate repos from Github to CodeCommit	1. Create repos on CodeCommit; 2. Clone repos from Github; 3. Push to CodeCommit repos
II.36	✅	Lambda: Increase CPU?	By increase memory
II.37	✅	ECS: Integrate with X-Ray. How to provide more granular timing information?	Use sub-segment
II.38	✅	Version control system. Which service?	CodeCommit
II.39	✅	API Gateway: Non-proxy integration with Lambda. How to ensure consumer include a query string?	Use method request
III.1	✅	Replace spreadsheet-based tracking system. DynamoDB.	EDA: DynamoDB Streams + Lambda + SNS
III.2	✅	Collect real-time user data	Kinesis Data Streams
III.4	✅	CodeCommit, CodeBuild, CodeDeploy, CodePipeline. A central dashboard?	CodeStar
III.5	✅	Cfn: Reuse value from a stack?	Outputs/Export & Fn::ImportValue
III.6	✅	Hundreds of thousands of reads/writes per second. Which database?	DynamoDB
III.7	✅	DynamoDB: Bidding system.	DynamoDB Streams + Lambda + Conditional Write
III.8	✅	DynamoDB: Query a single table	LSI (when create the table)
III.9	✅	DynamoDB: Throttled. Hot partition. Fix minimal effort?	Refactor to evenly distribute between partitions; Retries with exponential backoff
III.10	✅	CodeCommit: Setup?	1. Git credential - HTTPS (username/password); 2. SSH connection (SSH key-pair)
III.11	✅	DynamoDB: 1.5KB. Write 100 items/s. WCU 100 but throttled. Fix?	Increase WCU to 200.
III.13	✅	SQS: Duplicate message	SQS FIFO + SendMessage with DeduplicationID
III.15	✅	ECS: Place task between AZs?	Spread
III.17	✅	Sync user data without your backend.	Cognito Sync (delegated use AppSync)
III.21	✅	SQS: Config Dead Letter Queue	Just provide ARN of the queue to `DeadLetterConfig`
III.22	✅	Elastic Beanstalk: Web app process large number of items from DynamoDB. Overload. Easiest fix?	Use `Batch` operations for `Get`, `Put`, `Delete`
III.23	✅	DynamoDB: Send welcome mail for new user. How?	DynamoDB Streams + Lambda + SNS
III.24	✅	DynamoDB: Table - FighterID (PK) - FilterTitle (SK). Query by other attributes?	Create a GSI
III.25	✅	DynamoDB: + Elasticache. Write data if cache miss. Improve?	Add write-through + TTL
III.26	✅	Kinesis Data Streams: 100 shards, Lambda (10 seconds/request, 50 items/seconds)	Maximum of 100 Lambda concurrency = number of shards
III.27	✅	Cfn: How to automate the process of getting latest AMI?	Use System Managers Parameter Store
III.28	✅	SQS: Process tool long & messages appear twice	Increase visibility timeout
III.29	✅	CloudFront: Slow to login & 504	Authentication@Edge + Origin fail over
III.30	✅	Lambda: Increase CPU?	By increasing memory
III.31	✅	API Gateway: Implement APIs form current Swagger spec.	Just import the OpenAPI/Swagger file.
III.32	✅	Microservice using Docker + Fine-grain control	ECS
III.33	✅	Quickly deploy Node app (provisioning, load balancing, ASG…)	Elastic Beanstalk
III.34	✅	Amplify: config?	amplify.yaml
III.35	✅	S3: Cross-Region Replication. Fail. Why?	Maybe Object Versioning is not enable
III.36	✅	S3: Upload Terabytes of data from over the worlds. Slow. Improve speed?	S3 Transfer Acceleration
III.37	✅	API Gateway: Reuse same function for different stage (different DynamoDB table)	Stage variable + mapping template
IV.1	✅	Automatically watermark images uploaded to S3	Use S3 Event Notification `s3:ObjectCreate:Put`. Send the event to Lambda function (destination) (# S3 Object Lambda)
IV.2	✅	Lambda function: access RDS in private subnet	Connect to the VPC
IV.3	✅	API Gateway + Lambda: Map incoming request to integration request & vice versa	AWS custom (Lambda custom)
IV.4	✅	Which cache strategy ensured cached data is always up-to-date & stale data are automatically deleted?	Write-through + With TTL
IV.5	✅	DynamoDD: How to prevent data overwritten?	Optimistic locking + Conditional writes (check version number)
IV.6	✅	Database credential: How to encrypted & auto-rotate?	Use Secrets Manager + Enable Automatic Rotation
IV.7	✅	S3: Use SQL to filter & retrieve only a subset data of an object?	S3 Select (supports CSV, JSON, Apache Parquet & compressed CSV, JSON)
IV.9	✅	DynamoDB - GSI: How much throughput to provision?	GSI WCU >= Base table WCU
IV.10	✅	DynamoDB: 2KB items - 10 writes/s - 20 eventually consistent reads/s. How much RCU/WCU?	2KB ➡️ 1 strongly consistent read = 1 RCU ➡️ 1 eventually = 0.5 RCU ➡️ 20 eventually = 10 RCU
IV.11	✅	1 item = 17KB. 320 strongly consistent read/s. How much RCU?	17KB/item ➡️ 5RCU/strongly consistent read ➡️ 320 strongly read = 320 x 5 = 1600 RCU
IV.12	✅	HTML, JS, image, video. How to server with lowest latency around the world?	S3 + CloudFront
IV.13	✅	AI-based app built with Lambda. How to modify the way invocation event are read form Lambda runtime API?	Use Lambda custom runtime
IV.14	✅	Migrate monolith on-premise app to Lambda. Best practice?	1. Take advantage of `execution runtime`; 2. Use environment variable…
IV.16	✅	Online game - Sync app pref + state of player + Allow multiple player to share state	App Sync (Cognito Sync not support shared data)
IV.17	✅	AWS CLI in EC2 instance. How to easily switch role?	1. Create a new CLI profile with credential; 2. Run `aws` CLI with `--profile`
IV.18	✅	DynamoDB: Ensure item is updated only some attribute meets some condition	Conditional writes
IV.19	✅	DynamoDB: Debug throughput of both base table & GSI when update item?	Call `UpdateItem` with `ReturnConsumedCapacity` set to ~~`None`~~ / ~~`Total`~~ / `Indexes`
IV.20	✅	DynamoDB Streams: How to integrate with Lambda?	1. Create an `EventSourceMapping` to poll the DynamoDB stream, read & process records
IV.21	✅	Serverless app: Which service can manage configuration & deploy the whole stack + simple?	AWS SAM (Serverless Application Model)
IV.22	✅	DynamoDB: Table: ArticleName (PK) - Category (SK). Query ArticleName using another Sort Key + Strongly consistent read	Create a new table with Local Secondary Index (LSI). Migrate the existing data to new table (LSI cannot be created after the DynamoTB is created)
IV.23	✅	S3: Ensure all objects are encrypted with AE256	Use bucket policy to deny any Create request doesn’t have `x-amz-server-side-encryption: AE256` header
IV.24	✅	EC2: Shell script to get instance public/private IP	Use Instance Metadata Service endpoint 169.254.169.254/latest/meta-data
IV.25	✅	Lambda: Account concurrency limit 2000; 10 functions: 1 function 400, 1 function 200. The rest, the third?	The rest: 1400; the third: 1300.
IV.26	✅	Coordinate multiple services into serverless workflow. Which service?	AWS Step Functions
IV.27	✅	API Gateway: Enable caching. How to invalidate 1 key?	Send the request with `Cache-Control: max-age=0`
IV.28	✅	Lambda: Connection refused. Why?	Maybe the invoke URL is wrong (`http` without `s`)
IV.29	✅	Lambda: Improve performance?	Increase memory will increase CPU too.
IV.30	✅	Lambda: A function initialize DB connection every time it executes. How to optimize?	Move the DB connection to shared `execution context` (outside handler)
IV.31	✅	Lambda: Can the function built with Rust?	Yes. Use custom runtime
IV.32	✅	Lambda: A function fetch 20MB static data every time it executes. How to optimize?	Place the initialize outside Lambda handler; saved external file to `/tmp`
IV.34	✅	Online game. How to add feature to cross-sync profile data between device?	Use Cognito Sync (or App Sync)
IV.35	✅	DynamoDB: Which attribute to use as partition key?	The partition should uniquely identify each item
IV.36	✅	CodePipeline: Push build details into a DynamoDB?	Use EventBridge & Lambda
V.2	✅	API Gateway & Lambda: New version. Smooth migration	Update Lambda function -> Deploy new version. Specify new ARN in API Gateway integration. Redeploy to new stage.
V.3	✅	Elastic Beanstalk: Path of config file	/.ebextensions/xxx.config
V.4	✅	Lambda: Ephemeral storage	`/tmp`
V.5	✅	Lambda: How to use Ruby?	Ruby’s natively support
V.6	✅	CloudFront: Update image immediately	Use file name versioning
V.7	✅	Cognito: Authentication with JWT	1. Create User Pools
V.9	✅	S3: Lowest cost	Glacier Deep Archive
V.10	✅	EC2: Run Apache web server	Use user-data to install and start Apache web server
V.11	✅	App host in 1 region. Re-create on other regions using AMI & CloudFormation. How?	Use Cfn Mapping & FindInMap
V.12	✅	Serverless app. Application code & infrastructure code in Python. How?	Use CDK and Python
V.13	✅	Step Functions: Handle error? Aggregate data in different states?	Use Catch & ResultPath
V.15	✅	DynamoDB: Control access to individual items & attributes?	Fine-grain access control with
V.16	✅	Cognito: UI for login page missing brand logo	Cognito allows customization for: logo, CSS.
V.17	✅	SQS queue: messages larger than 256KB.	Use Amazon S3, (for Java) Extended Client Library
V.20	✅	API Gateway: Integrate a XML-based SOAP API. How?	Use HTTP Integration:
V.21	✅	Serverless: Send newsletter at 7-day interval. How?	Use `EventBridge` Schedule Rule to create events at 7-day interval, sends the events to `Lambda function` target
V.23	✅	DynamoDB: Group multiple actions to multiple items to a one-or-nothing operation?	Use `TransactionWriteItems`
V.24	✅	DynamoDB: When an item added to `Customer` table, dynamically update `Payment` table. How do it in real time?	Enable DynamoDB Streams for `Customer` table, trigger a Lambda function to update `Payment` table
V.25	✅	ALB: Obtain all value of identical query parameter key.	Enable `multi-value headers`
V.26	✅	ECS: 2 containers share logs. How?	Define these 2 containers in 1 task definition, use EFS as a volume

Domain 2: Security

No		Q	A

I.2	✅	Share DB endpoint	Use System Manager Parameter Store secure string
I.4	✅	API Gateway: Allow another account invoke via IAM Role	1. From the other account, grant permission to interact with this API Gateway
I.5	✅	Grant permission to access only some path of a S3 bucket	Use S3 bucket policy, with the policy statement `Resource` including the path
I.6	✅	Login with social site: Facebook…, then access to AWS service	Cognito Identity Pool (Federated Identity)
I.7	✅	S3 - Encrypt AE256	`x-amz-server-side-encryption: AE256`
I.9	✅	KMS - Generate data key but not use immediately	`GenerateDataKeyWithoutPlaintext`
II.1	✅	Cognito - Enforce MFA for suspicious login attempt	User Pool / Adaptive Authentication / Automatic risk response
II.2	✅	EC2 instance - Upload images to S3. How to give EC2 instance permission?	IAM Role (Instance Profile)
II.3	✅	Dev needs to access Test/Prod accounts. How to give permission?	Grant cross-account access:
II.4	✅	API Gateway - Lambda Authorizer: Implement one that same as OAuth, SAML	API Gateway - Lambda Authorizer (Custom Authorizer) has 2 types:
II.5	✅	EC2 instance has both `credentials` & `Instance Profile`	AWS CLI credentials precedence: CLI options > ENVVAR > Assumed Role > IAM Identity (~~/.aws/config) > Credential file (~~/.aws/credentials) > EC2 instance profile > Container credential
II.8	✅	S3 - Encryption using KMS-C. How to upload object?	Include the headers: `x-amz-server-side-encryption-customer-` + `algorithm`/`key`/`key-MD5`
II.9	✅	IAM, SCP - How to test IAM policy?	IAM Policy Simulator
III.1	✅	API Gateway: Lambda authorizer - accepts header, query strings	Request parameter-based authorizer (REQUEST authorizer)
III.2	✅	On-premise KMS, migrate to AWS. Key is store in dedicated hardware	CloudHSM
III.3	✅	S3: Upload small file + Use KMS key: OK. Upload big file (100GB): not OK	AWS CLI use multipart upload for big files. It’s required the `kms:Decrypt` permission
III.4	✅	S3: SSE with KMS (using default KMS key). Which header?	- `x-amz-server-side-encryption: aws:kms`
III.5	✅	S3: SSE-C. How does it work?	1. You manage key & give AWS the key each time you upload a file
III.6	✅	KMS: A file encrypted with data encryption key (DEK). How to decrypt the files locally?	1. Use KMS’s `Decrypt` to decrypt the DEK
III.7	✅	CodeDeploy: Platform: ECS - `appspec.yaml`	`appspec.yaml` for ECS needs: `TaskDefinition`, `ContainerImage`, `ContainerPort`
III.8	✅	Share DB connection endpoint	Systems Manager Parameter Store secure string
III.9	✅	SSL certificate from 3rd party. Which service can store?	AWS Certificate Manager (for unsupported regions, use IAM certificate store)
IV.2	✅	SSM Parameter Store: Notify if param haven’t been rotated for 90 days	1. Use Advanced tier / Parameter polices / Notification policies
IV.3	✅	S3: Ensure data is encrypted at rest using the company key	1. Client-Side Encryption (CSE) - Encrypt the data before send to S3
IV.4	✅	KMS: Locally encrypt data (Envelope encryption)	1. Use the `GenerateDataKey` API to get a `data key`.
IV.5	✅	API Gateway: Custom authorizer using bearer token (same as SAML, OAuth). How?	Use API Gateway Lambda authorizer (aka custom authorizer)
IV.6	✅	Database credential + Rotate	Secrets Manager + Auto Rotation (How? Secrets Manager run a Lambda function )
IV.7	✅	CloudFormation: Retrieve license key + cost-effective	Systems Manager Parameter Store + Secure String
IV.8	✅	Migrate on-premise to AWS. Integrate LDAP directory service (not compatible with SAML)	Implement a custom identity broker, which use `STS` to issue short-live AWS credentials
IV.9	✅	Cognito: Additional authentication method	Integrate Multi-Factor Authentication (MFA) to Cognito User Pool
IV.10	✅	SQL Server. Migrate to RDS. Encrypt data before write to disk & vice versa.	Enable SQL Server Transparent Data Encryption
IV.11	✅	S3. Someone use your image without permission.	(Block public access) Use pre-signed URL / pre-signed cookies
V.2	✅	S3 bucket in production account. How to allow a user on dev account access?	1. In `prod` acc, create an IAM role
V.3	✅	S3. Which service to allow user register/sign-in & upload/access images on S3.	Cognito User Pools & Identity Pools
V.4	✅	Allow temporary access to EC2 & but still enforce MFA? Which STS API?	STS `GetSessionToken`
V.6	✅	API Gateway: Regulate access to API & charge based on usage	Usage Plan
V.7	✅	Best practice to manage access key	Remote all access key of root account, use IAM role for applications
V.8	✅	Most secure way to send CW logs in EC2 instance of ASG launch configuration	- Create a new IAM role for the new Launch Configuration
V.10	✅	S3: Hundreds of thousands of objects. Turn on SSE-KMS. Performance degradation. Why?	Requests to KMS are exceeded quota
V.11	✅	How to check permission of an IAM role?	1. Use IAM Policy Simulator

Domain 3: Deployment

No		Q	A

I.3	✅	Deploy Lambda with CodeDeploy	CodeDeploy deploy configuration:
I.4	✅	Build, test, deploy serverless app	Serverless Application Model (SAM)
II.1	✅	SAM: workflow redeploy	1. `sam build`; 2. `sam deploy`
II.2	✅	Elastic Beanstalk: Dev/Test - Deploy ASAP	EB deployment strategy: `AllAtOnce`
II.3	✅	SAM: deploy 10% every 10min	SAM `Linear` `10min`
II.4	✅	Lambda: `package deployment` take too much time to deploy? How increase deploy speed?	Lambda package deployment quota (for a function) is 50 MB (zipped; includes runtimes, layer…)
II.6	✅	CloudFormation: Easiest way to deploy a `hello_world` lambda function	Incline the function in `AWS::Lambda::Function` `Properties / Code / Zipfile`
II.7	✅	Elastic Beanstalk: Upgrade from Java 7 to 8. Shift all traffic to the new one, revert if something’s wrong	Blue/Green Deployment: EB AllAtOnce + EB swap environment URLs (EB will use Route 53 to swap CNAMEs)
II.8	✅	CodeDeploy: Deploy to where? How?	CodeDeploy deploy configuration:
III.1	✅	EC2: EBS-backed root volume. How to detach the root-volume?	Stop the EC2 instance, then detach the root volume
III.2	✅	Elastic Beanstalk: Maintain compute resource while deploying. No downtime.	Rolling with additional batch, Immutable
III.3	✅	DynamoDB: 3.5KB. 150 eventually consistent reads/second. How many RCU?	1 strongly read -> 1 RCU
III.4	✅	Lambda: Deployment package 80MB. What to do now?	Split the dependencies to a layer
III.5	✅	SAM: How to use Cfn & include SAM?	Use Cfn `Transform` & `AWS:Serverless` macro to process SAM template to Cfn template
III.7	✅	Cfn: Different accounts. How to manage update across all accounts?	Use `StackSets`
IV.2	✅	Elastic Beanstalk: HA, revert quickly?	1. Use any EB deployment strategy, e.g. All-at-once (fastest)
IV.3	✅	CloudFormation: Inline code in template	`AWS::Lambda::Function` / `Code` / `ZipFile`
IV.4	✅	Serverless app: Zip code, upload to S3, produce package deployment-ready template & deploy	`sam deploy` (which includes `sam package`)
IV.5	✅	CloudFormation: Install packages, start services on EC2 after provisioned	`cfn-init`
V.1	✅	CodeDeploy: S3 source. Deploy to EC2 fail during `DownloadBundle`	The EC2 instance profile don’t have permission to access S3 bucket
V.3	✅	Deploy to 3 environments: `test`, `staging`, `production`. How?	Use 3 `deployment group`s, each for 1 environment.
V.4	✅	Elastic Beanstalk: Multi-container Docker. Which file to configure container definitions?	`Dockerrun.aws.json`
V.5	✅	Elastic Beanstalk: Multi developers deploy without upload the whole project?	Use `eb deploy` to deploy from local `CodeCommit` repo
V.6	✅	Serverless app defined with CDK. Deploy to new account. `NoSuchBucket` error. Fix?	Run `cdk bootstrap` to provision resources for CDK deployment, e.g. IAM role, S3 bucket.
V.8	✅	CodeCommit: Forgot to pull master. Fix conflict?	`git rebase` `feature` branch on `master` branch. Then manually fix conflict.

Domain 4: Troubleshooting and Optimization

No		Q	A

I.1	✅	Move session data to AWS, 100% CPU, HA	ElastiCache for Redis
I.2	✅	sam local - Access denied	1. `aws configure --profile`; 2. `sam local invoke --profile`
I.3	✅	Cost effective when using SQS	Long polling (config `ReceiveMessage` `WaitTime`)
I.4	✅	Record all changes to a DynamoDB table to another one	DynamoDB Streams + Lambda (write to another DynamoDB table)
I.5	✅	DynamoDB - Reduce queries	DAX
I.8	✅	ECS store data in DynamoDB, how to verify each new items?	DynamoDB Streams + Lambda
I.9	✅	API Gateway - 504	504 Gateway timeout -> Integration timeout after 30s
I.10	✅	RDS - Too many connections	RDS Proxy
I.11	✅	API Gateway timeout - Which CW metrics to watch?	`Latency`, `IntegrationLatency`
I.13	✅	CloudFront - end-to-end SSL	Viewer Protocol Policy, Origin Protocol Policy: HTTPS
I.15	✅	Capture IP in/out of an VPC	VPC Flow Log
I.16	✅	Elastic Beanstalk config for cron-job	`cron.yaml`
I.17	✅	DynamoDB - Fetch only some attributes	Use projection attributes
I.18	✅	Lambda function download same big file	Use `/tmp`
I.21	✅	App deploy with Elastic Beanstalk - Config X-Ray	`.ebextensions/xray-daemon.config`
II.1	✅	DynamoDB: ProvisionedThroughputExceeded	Optimize DynamoDB:
II.2	✅	X-Ray: View full trace without using console	Use `GetTraceSummaries`, `BatchGetTraces`
II.3	✅	ECS + Docker app: How to setup tracing with X-Ray?	- Run `xray-daemon` inside docker image
II.4	✅	AWS CLI - Timeout	Use pagination: `--page-size` (request less items) `--max-items` (show less items)
II.9	✅	X-Ray: From where, IP address is fetch?	`X-Forwarded-For` header
III.2	✅	X-Ray: Insufficient permissions to use X-ray console to view service map, segments. Which manged policy?	- AWSXrayReadOnlyAccess
III.3	✅	API Gateway: Fetch latest data without caching (using `Cache-Control: max-age=0` header). Which permission?	Resource-based policy for `execute-api:InvalidateCache` action
III.4	✅	DynamoDB: Streams, EventBridge + Lambda every 36 hours. Missing data?	DynamoDB Streams `retention period` is 24 hour. Only last 24 hours data is available
III.5	✅	Kinesis Data Streams: Increasing data flow. Scale up?	Split-shard + (increase numbers of worker)
III.6	✅	S3: CORS config: `<AllowOrigin>`, `<AllowedMethod>`, `<AllowedHeader>`, `<MaxAgeSeconds>3600</MaxAgeSeconds>`	`MaxAgeSeconds`: time in seconds that your browser can cache the response for a preflight request
III.7	✅	API Gateway: Lambda. 504. No errors in CW. Why?	Lambda function takes more than 30s (API Gateway timeout)
III.8	✅	RDS: Slow response (in peak time). Already optimize queries. Resolve?	- Add Read Replica
III.9	✅	Latency-sensitive service. AWS Fargate, CloudFront, ALB. Too much unauthenticated users, increase CPU of Fargate. Fix?	Use CloudFront Function (attach to Viewer Request) to authenticate users
III.10	✅	EC2: Monitor memory, swap. How?	Install CW Agent
III.11	✅	Elastic Beanstalk: EC2. CW doesn’t show memory. Why?	By default, CW doesn’t track EC2 instance memory
III.12	✅	Kinesis Data Steams: Producers restart -> Duplicate record. Fix?	Call `PutRecord` with `SequenceNumberForOrdering` param.
IV.1	✅	Send traces to X-ray?	Use X-Ray daemon (CloudWatch Agent can do this on EC2/On-Premise)
IV.2	✅	SQS: Duplicate message. Fix?	Use FIFO queue + provide deduplicationID
IV.3	✅	X-Ray: Filter trace?	1. Use web console; 2. Use `GetTraceSummaries` (support search)
IV.4	✅	X-Ray: Send trace to X-Ray?	- 1. Use X-Ray SDK (through X-Ray daemon); 2. Use X-Ray/CLI (directly)
IV.5	✅	Kinesis: Over-provision. Scale in?	Merge cold shards
IV.6	✅	API Gateway: Terminated Lambda. Why?	- Lambda timeout: max `15min` ➡️ `terminated`
IV.7	✅	API Gateway: No metrics for CacheHitCount/CacheMissCount	API Gateway caching is not enabled
IV.8	✅	SQS injections, XSS attack. How to deal?	Use Web Application Firewall (WAF). It works with: CloudFront, ALB, API Gateway (REST API)
IV.9	✅	Kinesis: 10 shards - 10 EC2 instance. Increase to 20 shards, how many instances?	20 instances, the number of instances match the number of shards by `1:1` ratio
IV.10	✅	RDS: Monitor memory, CPU usages of processes?	Use RDS enhanced monitoring
IV.11	✅	CodePipeline: Code review in each stage before move to next stage	Use a “manually approval” action, and send the approval request to a SNS topic
IV.12	✅	X-Ray: Record call to DB, other services, SQL queries & filter	Add annotations in the subsegment section of the segment document.
IV.13	✅	X-Ray: Permission to send trace to X-Ray?	`AWSXRayDaemonWriteAccess`
V.3	✅	CodeBuild: Run on a proxy server. `RequestError` when CodeBuild is accessed. Fix?
V.5	✅	S3 - Event Notifications: Compress the images, but it takes too much time. Improve?	Increase memory ➡️ increase CPU
V.6	✅	Debug latency of your app (with recently added function)? How to do with X-Ray?	Define sug-segments inside the function to “instrument” (measure) it
V.7	✅	AWS CLI: Create snapshot of EC2 instance. `InvalidInstanceID.NotFound`. Why?	Maybe the AWS CLI is using a profile for a different region
V.8	✅	Build a CI pipeline. Which AWS services?	CodeCommit, Lambda, CodeBuild
V.9	✅	Step Functions: Handle & recover from State’s exception.	Use `Catch` & `Retry` fields in state machine definition
V.10	✅	Lambda - Cold start: Optimize?	1. Reduce pre-handler code
V.11	✅	LAMP stack. Migrate to AWS?	EC2 + Aurora/RDS
V.12	✅	Lambda: process file (5min). So slow?	Change `InvokeType` to `Event` (asynchronous invocation)
V.14	✅	Website (hosted on S3) call API Gateway. `No "Access-Control-Allow-Origin"` error. Fix?	Config CORS for API Gateway to allow the website (S3)
V.15	✅	API Gateway + Lambda: Publish a new version of `AccService:Prod` with the alias `AccService:Beta`. How to test before promote?	Create a `BETA` stage. Use stage variable to reference the `beta` function alias
V.16	✅	Lambda: `Unable to import module`. Fix?	1. Install the missing module locally.
V.17	✅	Elastic Beanstalk: Keep the old code in S3 bucket. How?	Change `Retention` to `Retain source bundle in S3`

Exam note AWS DVA-C03

Queue/stream retention time

Queue	Min	Retention time (Default)	Max	Note
SQS queue	60s	4 days	14 days	No addition charging
Kinesis Data Streams stream	24h	24h (One-day retention)	365 days	Extended data retention: up to 7 days 💸
				Long-term data retention: up to 365 days 💸💸
DB Streams queue	-	24h	-	Can’t be changed

Deployment strategy

3.2 Elastic Beanstalk Deployment policies

Deployment policies (aka deployment methods/strategies):
- AllAtOnce (Default)
- Rolling
- Rolling with additional batch
- Immutable
- Traffic splitting (aka Canary)
- Blue-green (with Swap environment URLs)

3.6 CodeDeploy deployment type

Overview of CodeDeploy deployment types CodeDeploy concepts

CodeDeploy can deploy application to 3 platform (called deployment platform):

EC2/On-Premises <= Needs CodeDeploy agent
ECS
Lambda

CodeDeploy make the latest application revision available on instance in a deployment group (a group of instances)

In-place deployment: only support EC2/On-Premise
Blue/green deployment

CodeDeploy supports 3 ways of routing traffic (via deployment configuration)

All-at-once: 100%
Canary: 2 increments: 10% + 90%
Linear: n% x m times

Notes for AWS Developer Associate (Cantrill course)