Amazon Web Services (AWS) & Microsoft Azure & Google Cloud Platform (GCP)


  • 'docker ps -a' to show containers status
    • Up = Running
  • To kill the container use 'docker kill [NAMES]'


  • Task roles is the best practice way of providing permissions to running containers on ECS.

  • ECS Fargate mode should be used if want as little admin overhead as possible.

  • ECS Service is used to configure scaling and HA for containers.

  • 3 cluster modes are available within ECS:
    • Network Only (Fargate)
    • EC2 Linux + Networking
    • EC2 Windows + Networking
  • Docker is the only container platform supported by Amazon ECS at this time.

  • Container images store in a container registry.

  • The advantages/benefits of container are Fast to startup, Portable, and Lightweight.
Bootstrapping Wordpress Installation:

  • A Dev has been asked to build a real-time dashboard web application to visualize the key prefixes and storage size of objects in Amazon S3 buckets. Amazon DynamoDB will be used to store the Amazon S3 metadata. The optimal and MOST cost-effective design to ensure that the real-time dashboard is kept up to date with the state of the objects in the Amazon S3 buckets is Use an Amazon CloudWatch event backed by an AWS Lambda function. Issue an Amazon S3 API call to get a list of all Amazon S3 objects and persist the metadata within DynamoDB. Have the web application poll the DynamoDB table to reflect this change.

  • An on-premises application is implemented using a Linux, Apache, Mysql, and Php (LAMP) stack. The Dev wants to run this application in AWS. Amazon EC2 and Aurora can be used to run this stack.

  • A dev is building a backend system for the long-term storage of information from an inventory management system. The information needs to be stored so that other teams can build tools to report and analyze the data. To achieve the FASTEST running time the dev should Create an AWS Lambda function that writes to Amazon S3 synchronously. Set the inventory system to retry failed requests.

  • A Dev is working on an application that handles 10MB documents that contain highly-sensitive data. The application will use AWS KMS to perform client-side encryption. Should Invoke the GenerateDataKey API to retrieve the plaintext version of the data encryption key to encrypt the data.
    GenerateDataKey API: Generates a unique data key. This operation returns a plaintext copy of the data key and a copy that is encrypted under a Customer Master Key (CMK) that specify. Can use the plaintext key to encrypt data outside of KMS and store the encrypted data key with the encrypted data.

  • A dev is using AWS CodeDeploy to deploy an application running on Amazon EC2. The dev wants to change the file permissions for a specific deployment file. To meet this requirement a dev should use AfterInstall lifecycle event.

  • An application ingests a large number of small messages and stores them in a database. The application uses AWS Lambda. A dev team is making changes to the application's processing logic. In testing, it is taking more than 15 mins to process each message. The team is concerned the current backend may time out. To ensure each message is processed in the MOST scalable way to the backend system should Add the messages to an Amazon SQS queue. Set up an Amazon EC2 instance to poll the queue and process messages as they arrive.

  • A dev has discovered that an application responsible for processing messages in an Amazon SQS queue is routinely falling behind. The application is capable of processing multiple messages in one execution, but is only receiving one message at a time. To increase the number of messages the application receives the dev should Call the ChangeMessageVisibility API for the queue and set MaxNumberOfMessages to a value greater than the default of 1.

  • A dev is writing an AWS Lambda function. The dev wants to log key events that occur during the Lambda function and include a unique identifier to associate the events with a specific function invocation. To help the dev accomplish this objective should Obtain the request identifier from the Lambda context object. Architect the application to write logs to the console.

  • A dev is trying to monitor an application's status by running a cron job that returns 1 if the service is up and 0 if the service is down. The dev created code that uses an AWS CLI put-metric-alarm command to publish the custom metrics to Amazon CloudWatch and create an alarm. However the dev is unable to create an alarm as the custom metrics do not appear in the CloudWatch console. This issue cause from The dev needs to use the put-metric-data command.

  • A company runs an e-commerce website that uses Amazon DynamoDB where pricing for items is dynamically updated in real time. At any given time, multiple updates may occur simultaneously for pricing information on a particular product. This is causing the original editor's changes to be overwritten without a proper review process. To prevent this overwriting should use DynamoDB Conditional writes option.

  • Company C provides an online image recognition service and utilizes SQS to decouple system components for scalability. The SQS consumers poll the imaging queue as often as possible to keep end-to-end throughput as high as possible. However, Company C is realizing that polling in tight loops is burning CPU cycles and increasing costs with empty responses. Company C can reduce the number of empty responses by Set the Imaging queue ReceiveMessageWaitTimeSeconds attribute to 20 sec.

  • A dev has created a REST API using Amazon API Gateway. The dev wants to log who and how each caller accesses the API. The dev also wants to control how long the logs are kept. To meet these requirements the dev should Enable API Gateway execution logging. Delete old logs using API Gateway retention settings.

  • Company D is currently hosting their corporate site in an Amazon S3 bucket with Static Website Hosting enabled. Currently, when visitors go to the index.html page is returned. Company D now would like a new page welcome.html to be returned when a visitor enters in the browser. The steps will allow Company D to meet this requirement are:
    • Upload an html page named welcome.html to their S3 bucket
    • Set the Index Document property to welcome.html.
  • A company is launching an ecommerce website and will host the static data in Amazon S3. The company expects approximately 1,000 Transactions Per Second (TPS) for GET and PUT requests in total. Logging must be enabled to track all requests and must be retained for auditing purposes. The MOST cost-effective solution is Enable AWS CloudTrail logging for the S3 bucket-level action and create a lifecycle policy to expire the data in 90 days.
Last edited:







  • An application takes 40 sec to process instructions received in an Amazon SQS message. Assuming the SQS queue is configured with the default VisibilityTimeout value, upon receiving a message, to ensure that no other instances can retrieve a message that has already been processed or is currently being processed, the BEST way is Use the ChangeMessageVisibility API to increase the VisibilityTimeout, then use the DeleteMessage API to delete the message.

  • A Dev needs to deploy an application running on AWS Fargate using Amazon ECS. The application has environment variables that must be passed to a container for the application to initialize. The environment variables should be passed to the container by Define an array that includes the environment variables under the environment parameter within the task definition.

  • A company is developing a web application that allows its employees to upload a profile picture to a private Amazon S3 bucket. There is no size limit for the profile pictures, which should be displayed every time an employee log in. For security reasons, the pictures cannot be publicly accessible. A viable long-term solution for this scenario is Save the picture's S3 key in an Amazon DynamoDB table. Create an Amazon S3 VPC endpoint to allow the employees to download pictures once they log in.

  • A dev creates an Amazon S3 bucket to store project status files that are uploaded hourly. The dev also crates an AWS Lambda function that will be used to process the project status files. To invoke the function with the LEAST amount of AWS infrastructure the dev should Create an S3 event notification to invoke the function when a new object is created in the S3 bucket.

  • A dev from AnyCompany's AWS account needs access to the Example Corp. AWS account AnyCompany uses an identity provider that is compatible with OpenID Connect. The MOST secure way for Example Corp to allow dev access is Create a user in the Example Corp account and provide the access keys.

  • A dev is designing a distributed application built using a microservices architect spanning multiple AWS accounts. The company's operations team wants to analyze and debug application issues from a centralized account. The dev can meet these requirements by Use an Amazon X-Ray agent with role assumption on to publish data into the centralized account.

  • The Dev for a retail company must integrate a fraud detection solution into the order processing solution. The fraud detection solution takes between ten and thirty mins to verify an order. At peak, the web site can receive one hundred orders per min. The most scalable method to add the fraud detection solution to the order processing pipeline is Add all new orders to an SQS queue. Configure an Auto Scaling group that uses the queue depth metric as its unit of scale to launch a dynamically-sized fleet of EC2 instances spanning multiple AZs with the fraud detection solution installed on them to pull orders from this queue. Update the order with a pass or fails status.

  • An on-premises application makes repeated calls to store files to Amazon S3. As usage of the application has increased, "LimitExceeded" errors are being logged. To fix this error should be Implement exponential backoffs in the application.

  • A dev is working on an AWS Lambda function that accesses Amazon DynamoDB. The Lambda function must retrieve an item and update some of its attributes or create the item if it does not exist. The Lambda function has access to the primary key. To achieve this functionality the dev should request:
    dynamodb: PutItem

  • A company wants to make sure that only one user from its Admin group has the permanent right to delete an Amazon EC2 resource. There should be no changes in the existing policy under the Admin group. To meet these requirements a dev should use Inline policy.

  • A Dev wants to debug an application by searching and filtering log data. The application logs are stored in Amazon CloudWatch Logs. The Dev creates a new metric filter to count exceptions in the application logs. However, no result are returned from the logs. The reason that no filtered results are being returned is CloudWatch Logs only publishes metric data for events that happen after the filter is created.

  • A supplier is writing a new RESTful API for customers to query the status of orders. The customers requested the API endpoint. The application designs meet the requirements are Amazon API Gateway; AWS Lambda and Amazon S3; Amazon CloudFront.

  • An application on AWS is using third-party APIs. The Dev needs to monitor API errors in the code, and wants to receive notifications if failures go above a set threshold value. The Dev can achieve these requirements by Publish a custom metric on Amazon CloudWatch and use Amazon SNS for notification.

  • Company B has an S3 bucket containing premier content that they intend to make available to only paid subscribers of their website. The S3 bucket currently has default permissions of all objects being private to prevent inadvertent exposure of the premier content to non-paying website visitors. Company B can provide only paid subscribers the ability to download a premier content file in the S3 bucket by Generate a pre-signed object URL for the premier content file when a paid subscriber requests a download.

  • The format of structured notification messages sent by Amazon SNS is An JSON object containing MessageId, unsubscribeURL, Subject, Message and other values.

  • A dev has built an application using Amazon Cognito for authentication and authorization. After a user is successfully logged in to the application, the application creates a user record in an Amazon DynamoDB table. The correct flow to authenticate the user and create a record in the DynamoDB table is Authenticate and get a token from an Amazon Cognito identity pool. Use the token to access DynamoDB.

  • A dev is building an application. The application's front end is developed in JavaScript, and the data is stored in an Amazon DynamoDB table. During testing, the application returns an HTTP 5xx error from the strongly consistent reads to the DynamoDB table; "Internal server error (Service: AmazonDynamoDBv2. Status Code: 500; Error Code; InternalServerError)." Actions the developer should take to mitigate this error are Avoid strongly consistent reads and Retry the failed read requests with exponential backoff.

  • A dev is building a serverless application using AWS Lambda and must create a REST API using an HTTP GET method. To be defined to meet this requirement needs An Amazon API Gateway with a Lambda function and An exposed GET method in Amazon Route 53.

  • An application runs on multiple EC2 instances behind an ELB. The session data best written so that it can be served reliably across multiple requests is Write data to Amazon EC2 Instance Store.
Last edited:


  • Enhanced Networking Provide Higher Packets Per Second (PPS), Consistent Low Latency, and High Throughput benefits.

  • Cluster placement group:
    • should be used when need the best performance within EC2
    • Only one AZ can be used
  • Spread placement group
    • is ideal when need the best levels of resilience
    • 7 instances Per AZ can be
  • If run a large application which uses 100's of EC2 instances and it needs exposure to physical location for performance and availability reasons. Should use Partition placement group.

  • Can permissions be provided to an application running in EC2 using best practices by Instance Profile & IAM Role.

  • There is no charge for EC2 instances running on a dedicated host and the host is dedicated to you.

  • EC2 user-data feature allows to provide commands that the instance will run at startup.

  • Commands specified in user-data get executed Once when the instance is provisioned.


  • nonportable.yaml:
        Type: 'AWS::S3::Bucket'
          BucketName: 'dogpics1337'
        Type: 'AWS::EC2::Instance'
          KeyName: 'A4L'
          InstanceType: 't2.micro'
          ImageId: 'ami-0c802847a7dd848c0' > for Singapore Region









  • A Dev is going to deploy an AWS Lambda function that requires significant CPU utilization. Approach will MINIMIZE the average runtime of the function is Deploy the function with its memory allocation set to the maximum amount.

  • A Dev is trying to make API calls using SDK. The IAM user credentials used by the application require multi-factor authentication for all API calls. Method the Dev use to access the multi-factor authentication protected API is GetCallerIdentity.

  • A Dev has created a software package to be deployed on multiple EC2 instances using IAM roles. Actions could be performed to verify IAM access to get records from Amazon Kenesis Streams are Use the AWS CLI to retrieve the IAM group and Validate the IAM role policy with the IAM policy simulator.

  • A Dev needs temporary access to resources in a second account. The MOST secure way to achieve this is Create a cross-account access role, and use sts:AssumeRole API to get short-lived credentials.

  • An application stores images in an S3 bucket. Amazon S3 event notifications are used to trigger a Lambda function that resizes the images. Processing each image takes less than a second. AWS Lambda will handle the additional traffic by scale out to execute the requests concurrently.

  • An application reads data from an Amazon DynamoDB table. Several times a day, for a period of 15 sec, the application receives multiple ProvisionedThroughputEceeded errors. This exception should be handled by Retry the failed read requests with exponential backoff.

  • An application uploads photos to an Amazon S3 bucket. Each photo that is uploaded to the S3 bucket must be resized to a thumbnail image by the application. Each thumbnail image is uploaded with a new name in the same S3 bucket. Service can a dev configure to directly process each single S3 event for each S3 object upload is AWS Lambda.

  • When a Dev tries to run an AWS CodeBuild project, it raises an error because the length of all environment variables exceeds the limit for the combined maximum of characters. The recommended solution is Use AWS Systems Manager Parameter Store to store large numbers of environment variables.

  • A dev is working on a web application that runs on Amazon Elastic Container Service (Amazon ECS) and uses an Amazon DynamoDB table to store data. The application performs a large number of read requests against a small set of the table data. The dev can improve the performance of these requests by:
    • Create an Amazon ElastiCache cluster. Configure the application to cache data in the cluster.
    • Increase the read capacity of the DynamoDB table.
  • A company has a three-tier application that is deployed in Amazon ECS. The application is using an Amazon RDS for MySQL DB instance. The application performs more database reads than writes. During times of peak usage, the application's performance degrades. When this performance degradation occurs, the DB instance's ReadLatency metric in Amazon CloudWatch increases suddenly. A dev should modify the application to improve performance by Use Amazon ElastiCache to cache query results.

  • A Dev team currently supports an application that uses an in-memory store to save accumulated game results. Individual results are stored in a database. As part of migrating to AWS, the team needs to use automatic scaling. The team knows this will yield inconsistent results. The team should store these accumulated game results to BEST allow for consistent results without impacting performance in Amazon ElastiCache.

  • A dev registered an AWS Lambda function as a target for an Application Load Balancer (ALB) using a CLI command. However, the Lambda function is not being invoked when the client sends requests through the ALB. The Lambda function is not being invoked because The permissions to invoke the Lambda function are missing.

  • DynamoDB uses optimistic concurrency control and conditional writes for consistency.

  • A company is developing an application that will be accessed through the Amazon API Gateway REST API. Registered users should be the only ones who can access certain resources of this API. The token being used should expire automatically and needs to be refreshed periodically. A dev can meet these requirements by Create an Amazon Cognito user pool, configure the Cognito Authorizer in API Gateway, and use the identity or access token.

  • A dev is building an application that reads 90 Items of data each second from an Amazon DynamoDB table. Each item is 3 KB in size. The table is configured to use eventually consistent reads. Read capacity units should the dev provision for the table is (Size of each item at 4KB increments) x 90 Items / 8 = 45 RCUs.
Last edited:


  • nonportable.json
  • portable-stage1.json
  • portable-stage2.json
  • portable-stage3.json












  • 1_userdata.yaml
  • 2_userdata with signal.yaml
  • 3_cfninit with signal.yaml
  • 4_cfninit with signal and cfnhup.yaml

  • When a Simple Queue Service (SQS) message triggers a task that takes 5 mins to complete, process will result in successful processing of the message and remove it from the queue while minimizing the chances of duplicate processing is Retrieve the message with an increased visibility timeout, process the message, delete the message from the queue.

  • A Dev is asked to implement a caching layer in front of Amazon RDS. Cached content is expensive to regenerate in case of service failure. Implementation would work while maintaining maximum uptime is Implement Amazon ElastiCache Redis in Cluster Mode.

  • A company is developing a serverless ecommerce web application. The application needs to make coordinated, all-or-nothing changes to multiple items in the company's inventory table in Amazon DynamoDB. Solution will meet these requirements is Use the TransactWriteitem operation to group the changes. Update the items in the table.

  • A company has a web application in an Amazon Elastic Container Service (Amazon ECS) cluster running hundreds of secure services in AWS Fargate containers. The services are in target groups routed by an Application Load Balancer (ALB). Application users log in to the website anonymously, but they must be authenticated using any OpenID Connect protocol-compatible identity provider (IdP) to access the secure services. Authentication approach would meet these requirements with the LEAST amount of effort by Configure the services to use Amazon Cognito.

  • The programming languages have an officially supported AWS SDK are PHP and Java.

  • A team of Dev must migrate an application running inside an AWS Elastic Beanstalk environment from a Classic Load Balancer to an Application Load Balancer. Steps should be taken to accomplish the task using the AWS Management Console are:
    1. Create a new environment with the same configurations except for the load balancer type.
    2. Deploy the same application version as used in the original environment.
    3. Run the swap-environment-cnames action.
By default, Elastic Beanstalk creates an Application Load Balancer for environment when enable load balancing with the Elastic Beanstalk console or the EB CLI. It configures the load balancer to listen for HTTP traffic on port 80 and forward this traffic to instances on the same port. Can choose the type of load balancer that environment uses only during environment creation. Later, can change settings to manage the behavior of running environment's load balancer, but can't change its type.​
  • Application is trying to upload a 6 GB file to Simple Storage Service and receive a 'Proposed upload exceeds the maximum allowed object size.' error message. A possible solution for this is Use the multi-part upload API for this object.

  • A Dev is writing an imaging micro service on AWS Lambda. The service is dependent on several libraries that are not available in the Lambda runtime environment. Strategy should the Dev follow to create the Lambda deployment package is Create a ZIP file with the source code and a script that installs the dependent libraries at runtime.

  • A company is running an application on AWS Elastic Beanstalk in a single-instance environment. The company's deployments must avoid any downtime. Deployment option will meet these requirements is Immutable.

  • A dev is building a static, client-side rendered website that is powered by ReactJS. The code has no server-side generated components and does not need to run any programming languages on the server. However, the code serves static HTML, CSS, and JavaScript to the client on each request. The dev's solution to host the website must maximize performance and cost-effectiveness. Combination of AWS services or resources should the dev use to meet these requirements are Amazon CloudFront and Amazon S3.

  • A dev team decides to adopt a Continuous Integration/Continuous Delivery (CI/CD) process using AWS CodePipeline and AWS CodeCommit for a new application. However, management wants a person to review and approve the code before it is deployed to production. The dev team can add a manual approver to the CI/CD pipeline by Add an approval action to the pipeline. Configure the approval action to publish to an Amazon SNS topic when approval is required. The pipeline execution will stop and wait for an approval.

  • While developing an application that runs on Amazon EC2 in an Amazon VPC, a Dev identifies the need for centralized storage of application-level logs. AWS service can be used to securely store these logs is Amazon CloudWatch Logs.

  • Custom libraries should be utilized in AWS Lambda by Modify the function runtime to include the necessary library.

  • Given the following AWS CloudFormation template:
    Description: Creates a new Amazon S3 bucket for shared content. Uses a random bucket name to avoid conflicts.
        Type: AWS::S3::Bucket
          Value: !Ref ContentBucket
    The MOST efficient way to reference the new Amazon S3 bucket from another AWS CloudFormation template is Add an Export declaration to the outputs section of the original template and use ImportValue in other templates.
Last edited:


  • template1.yaml
  • template2.yaml

  • basicS3bucket.yaml
  • customresource.yaml

  • CloudFormation Custom Resources use to extend its funtionality or integrate it with other system.

  • Designing a system using CloudFormation which has two distinct parts. Infrastructure (which includes a VPC, subnets, gateways and configuration) and multiple application instances. Should design this using Stack Exports/Imports (cross stack references).

  • CloudFormation Stack Roles allows identities to deploy infrastructure in a controlled way, beyond their usual permissions.

  • CloudFormation Intrinsic Functions Is often used to improve portability and make a template able to adjust itself based on where it's applied.

  • CloudFormation CFN-HUP allows EC2 instances to update their configuration if a STACK changes.

  • CloudFormation CFN-SIGNAL allows an instance to tell CloudFormation when it's finished bootstrapping and configuration.

  • CloudFormation Change Sets allows it to be integrated into a Organisations Change management processes.

  • If have two stacks which are always applied together (e.g. VPC stack and App Stack) should use Nested Stacks.

  • If need to deploy Infrastructure to multiple regions and accounts should use CloudFormation Stack Sets.

  • CloudFormation DependsOn allows to influence the order of resources created by CFN.







  • A dev is writing an application to analyze the traffic to a fleet of Amazon EC2 instances. The EC2 instances run behind a public Application Load Balancer (ALB). An HTTP server runs on each of the EC2 instances, logging all requests to a log file.
    The dev wants to capture the client public IP addresses. The dev analyzes the log files and notices only the IP address of the ALB. The dev must Install the AWS X-Ray daemon on each EC2 instance. Configure the daemon to write to the log file to capture the client public IP addresses in the log file.

  • A dev is creating AWS CloudFormation templates to manage an application's deployment in Amazon Elastic Container Service (Amazon ECS) through AWS CodeDeploy. The dev wants to automatically deploy new versions of the application to a percentage of users before the new version becomes available for all users. The dev should manage the deployment of the new version by Deploy the new version in a new CloudFormation stack. After testing is complete, update the application's DNS records for the new stack.

  • A dev is preparing a deployment package using AWS Cloud Formation. The package consists of two separate templates: one for the infrastructure and one for the application. The application has to be inside the VPC that is crated from the infrastructure template. The application stack can refer to the VPC created from the infrastructure template by Use the Ref function to import the VPC into the application stack from the infrastructure template.

  • A dev must allow guest users without logins to access an Amazon Cognito-enabled site to view files stored within an Amazon S3 bucket. The dev should meet these requirements by Create a new user pool, enable access to unauthenticated identities, and grant access to AWS resources.

  • In a multi-container Docker environment in AWS Elastic Beanstalk, to configure container instances in the environment is required An Amazon ECS task definition.

  • A front-end web application is using Amazon Cognito user pools to handle the user authentication flow. A dev is integrating Amazon DynamoDB into the application using the AWS SDK for JavaScript. The dev would securely call the API without exposing the access or secret keys by Hardcode the credentials use Amazon S3 to host the web application, and enable server-side encryption.

  • An organization is using Amazon CloudFront to ensure that its users experience low-latency access to its web application. The organization has identified a need to encrypt all traffic between users and CloudFront, and all traffic between CloudFront and the web application. These requirements can be met by Use AWS KMS to encrypt traffic between CloudFront and the web application and Set the Origin Protocol Policy to "HTTPS Only".

  • A company wants to implement authentication for its new REST service using Amazon API Gateway. To authenticate the calls, each request must include HTTP headers with a client ID and user ID. These credentials must be compared to authentication data in an Amazon DynamoDB table. The company MUST do to implement this authentication in API Gateway is Implement an AWS Lambda authorizer that references the DynamoDB authentication table.

  • A comapny has an AWS Lambda function that runs hourly, reads log files that are stored in Amazon S3, and forwards alerts to Amazon Simpile Notification Service (Amazon SNS) topics based on content. A dev wants to add a custom metric to the Lambda function to track the number of alerts of each type for each run. The dev needs to log this information in Amazon CloudWatch in a metric that is named Lambda/AlertCounts. The dev should modify the Lambda function to meet this requirement with the LEAST operational overhead by Add a call to the PutMetricAlarm API operation. Pass an array of alerts in the metrics member with the namespace of "Lambda/AlertCounts".

  • A company uses a third-party tool to build, bundle, and package rts applications on-premises and store them locally. The company uses Amazon EC2 instances to run its front-end applications. An application can be deployed from the source control system onto the EC2 instances by Upload the bundle to an Amazon S3 bucket and specify the S3 location when doing a deployment using AWS CodeDeploy.

  • A company needs to ingest terabytes of data each hour from thousands of sources that are delivered almost continually throughout the day. The volume of messages generated varies over the course of the day.
    Messages must be delivered in real time for fraud detection and live operational dashboards. Approach will meet these requirements is Use Amazon Kinesis Data Streams with Kinesis Client Library to ingest and deliver messages.

  • An application is running on a cluster of Amazon EC2 instance. While trying to read objects stored within a single Amazon S3 bucket that are encrypted with server-side encryption with AWS KMS managed keys (SSE-KMS), the application receives the following error:
    Service : AWSKMS: Status Code: 400: Code : ThrottlingException
    Combination of steps should be taken to prevent this failure are:
    • Contact AWS Support to request an AWS KMS rate limit increase.
    • Import a Customer Master Key (CMK) with a larger key size.
Last edited:













  • A meteorological system monitors 600 temperature gauges, obtaining temperature samples every minute and saving each sample to a DynamoDB table. Each sample involves writing 1K of data and the writes are evenly distributed over time.
    600 / 60 secs = 10/sec. All writes are 1K (only unit of read provisioned throughput are rounded up to increment of 4K).
    10 x 1 = 10 write capacity units.

  • A dev has written an application that runs on Amazon EC2 instances and generates a value every minute. The Dev wants to monitor and graph the values generated over time without logging in to the instance each time. Approach should the Dev use to achieve this goal is Publish each generated value as a custom metric to Amazon CloudWatch using available AWS SDKs.

  • A three-tier application hosted on AWS uses Amazon RDS for MySQL as its database. A dev must ensure the database credentials are stored and accessed securely. The MOST secure way for the dev to achieve this is Store the credentials in a configuration file and commit it to the GIT repository.

  • A company experienced partial downtime during the last deployment of a new application AWS Elastic Beanstalk split the environment's Amazon EC2 instances into batches and deployed a new version one batch at a time after taking them out of service. Therefore, full capacity was not maintained during deployment. The dev plans to release a new version of the application, and is looking for a policy that will maintain full capacity and minimize the impact of the failed deployment. Dev policy should the dev use is Rolling with an Additional Batch.

  • A dev is testing a Docker-based application that uses the AWS SDK to interact with Amazon DynamoDB in the local development environment, the application has used IAM access keys. The application is now ready for deployment onto an ECS cluster. The application should authenticate with AWS services in production by Configure an ECS task IAM role for the application to use.

  • A company process incoming documents from an Amazon S3 bucket. Users upload documents to an S3 bucket using web user interface. Upon receiving files in S3, and AWS Lambda function is invoked to process the files, but the Lambda function times out intermittently. If the Lambda function is configured with the default settings, when there is a timeout exception The S3 event is discarded after the event is retried twice.

  • A dev wants to insert a record into an Amazon DynamoDB table as soon as a new file is added to an Amazon S3 bucket. Necessary steps to achieve this is Configure an S3 event to invoke a Lambda function that inserts records into DynamoDB.

  • A dev is building an application on Amazon EC2. The dev encountered an "Access Denied" error on some of the API calls to AWS services while testing. The dev needs to modify permissions that have been already given to the instance. These requirements can be met with minimal changes and minimum downtime by Update the attached IAM role adding the needed permissions.

  • A dev receives the following error message when trying to launch or terminate an Amazon EC2 instance using a boto4 script.
    boto.exception.BotoServerError: BotoServerError: 503 Service Unavailable
    <?xml version="1.0" encoding="UTF-8"?>
    <Message>Request limit exceeded.</Message></Error></Errors><RequestID>c0eefd95-64c4-5812-c839-edff0c7a7dfe</RequestID>
    To correct this error message the dev should Upgrade to the latest AWS CLI version so that boto4 can handle higher request rates.

  • A company hosts a monolithic application on Amazon EC2 instances. The company starts converting some features of the application to a serverless architecture by using Amazon API Gateway and AWS Lambda. After the migration, some users report problems with payment processing. Upon inspection, a dev discovers that the Lambda function that calls the external payment API is taking longer than expected. Therefore, the API Gateway requests are timing out. To resolve this issue in the serverless architecture the dev should Use Amazon Simple Queue Service (Amazon SQS) with API Gateway and the Lambda function to asynchronously call the payment API.

  • A Dev has an application that can upload tens of thousands of objects per second to Amazon S3 in parallel within a single AWS account. As part of new requirements, data stored in S3 must use Server Side Encryption with AWS KMS (SSE-KMS). After creating this change, performance of the application is slower. The MOST likely the cause of the application latency is The AWS KMS API calls limit is less than needed to achieve the desired performance.

  • An application that runs on an Amazon EC2 instance needs to access and make API calls to multiple AWS services. The MOST secure way to provide access to the AWS services with MINIMAL management overhead is Use EC2 instance profiles.

  • A Dev wants access to make the log data of an application running on an EC2 instance available to systems administrators. To enables monitoring of this metric in Amazon CloudWatch is Install the Amazon CloudWatch Logs agent on the EC2 instance that the application is running on.

  • A dev has written an Amazon Kinesis Data Streams application. As usage grows and traffic increases over time, the application is regularly receiving ProvisionedThroughputExceededException error message. To resolve the error the dev should Increase the:
    • delay between the GetRecords call and the PutRecords call.
    • number of shards in the data stream.
  • A dev is building a WebSocket API using Amazon API Gateway. The payload sent to this API is JSON that includes an action key. This key can have three different values, create, update, and remove. The dev must integrate with different routes based on the value of the action key of the incoming JSON payload. The dev can accomplish this task with the LEAST amount of configuration by Set the value of the route selection expression to $request.body action.
Last edited:



  • A company is using AWS CodePipeline to deliver one of its applications. The delivery pipeline is triggered by changes to the master branch of an AWS CodeCommit repository and uses AWS CodeBuild to implement the test and build stages of the process and AWS CodeDeploy to deploy the application. The pipeline has been operating successfully for several months and there have been no modifications. Following a recent change to the application's source code, AWS CodeDeploy has not deployed the updates application as expected. The possible causes are:
    • The change was not made in the master branch of the AWS CodeCommit repository.
    • One of the earlier stages in the pipeline failed and the pipeline has terminated.
  • The default chosen region when making an API call with an AWS SDK is us-east-1.
    This section applies only when using a client builder to access AWS services. AWS clients created by using the client constructor will not automatically determine region from the environment and will, instead, use the default SDK region (us-east-1).

  • An Amazon DynamoDB table uses a Global Secondary Index (GSI) to support read queries. The primary table is write-heavy, whereas the GSI is used for read operations. Looking at Amazon CloudWatch metrics, the Dev notices that write operations to the primary table are throttled frequently under heavy write activity. However, write capacity units to the primary table are available and not fully consumed. The table being throttled because The GSI write capacity units are underprovisioned.

  • An ecommerce application is using Amazon Simple Notification Service (Amazon SNS) with an AWS Lambda subscription to save all new orders into an Amazon DynamoDB table. The company wants to record all the orders that are more than a certain amount of money in a separate table. The company wants to avoid changes to the processes that post orders to Amazon SNS or the current Lambda function that saves the orders to the DynamoDB table. A dev can implement this feature with the LEAST change to the existing application by Modify the Lambda code to filter the orders and save the appropriate orders to a separate table.

  • An application is running on an EC2 instance. The Dev wants to store an application metric in Amazon CloudWatch. The best practice for implementing this requirement is Use the CloudWatch PutMetricData API call to submit a custom metric to CloudWatch. Launch the EC2 instance with the required IAM role to enable the API call.

  • After launching an instance that intend to serve as a Network Address Translation (NAT) device in a public subnet, modify route tables to have the NAT device be the target of internet bound traffic of private subnet. When try and make an outbound connection to the Internet from an instance in the private subnet, are not successful. Could resolve the issue by Disabling the Source/Destination. Then check attribute on the NAT instance.

  • A dev wants to use React to build a web and mobile application. The application will be hosted on AWS. The application must authenticate users and then allow users to store and retrieve files that they own. The dev wants to use Facebook for authentication. MOST accelerate the development and deployment of this application on AWS is AWS Amplify CLI.

  • Attempt to store an object in the US-STANDARD region in Amazon S3, and receive a confirmation that it has been successfully stored. Then immediately make another API call and attempt to read this object. S3 tells that the object does not exist. Because US-STANDARD uses eventual consistency and it can take time for an object to be readable in a bucket.

  • A dev is refactoring a monolithic application. The application takes a POST request and performs several operations. Some of the operations are in parallel while others run sequentially. These operations have been refactored into individual AWS Lambda functions. The POST request will be processed by Amazon API Gateway. The dev should invoke the Lambda functions in the same sequence using API Gateway by Use Amazon SQS to invoke the Lambda functions.

  • No additional services cost with the use of the AWS platform are Auto Scaling and CloudFormation.

  • An application under development is required to store hundreds of video files. The data must be encrypted within the application prior to storage, with a unique key for each video file. The Dev should code the application by Use the KMS GenerateDataKey API to get a data key. Encrypt the data with the data key. Store the encrypted data key and data.

  • A company has an application that logs all information to Amazon S3. Whenever there is a new log file, an AWS Lambda function is invoked to process the log files. The code works, gathering all of the necessary information. However, when checking the Lambda function logs, duplicate entries with the same request ID are found. Causing the duplicate entries is The Lambda function failed, and the Lambda service retired the invocation with a delay.

  • A company is building a compute-intensive application that will run on a fleet of Amazon EC2 instances. The application uses attached Amazon EBS disks for storing data. The application will process sensitive information and all the data must be encrypted. To ensure the data is encrypted on disk without impacting performance a dev should Configure the Amazon EC2 instance fleet to use encrypted EBS volumes for storing data.

  • A dev team wants to immediately build and deploy an application whenever there is a change to the source code. Approaches could be used to trigger the deployment are Store the source code in an:
    • encrypted Amazon EBS volume. Configure AWS CodePipeline to start whenever a file in the volume changes
    • AWS CodeCommit repository. Configure AWS CodePipeline to start whenever a change is committed to the repository
  • Providing AWS consulting services for a company developing a new mobile application that will be leveraging Amazon SNS Mobile Push for push notifications. In order to send direct notification messages to individual devices each device registration identifier or token needs to be registered with SNS; however the dev are not sure of the best way to do this. Should Call the CreatePlatformEndPoint API function to register multiple device tokens.

  • A dev at a company writes an AWS CloudFormation template. The template refers to subnets that were created by a separate AWS CloudFormation template that the company's network team wrote. When the dev attempts to launch the stack for the first time, the launch fails. Template coding mistakes could have caused this failure are The dev's template does not use the ImportValue intrinsic function to refer to the subnets and The network team's template does not export the subnets in the Outputs section.

  • A company wants to migrate an existing web application to AWS. The application consists of two web servers and a MySQL database. The company wants the application to automatically scale in response to demand. The company also wants to reduce its operational overhead for database backups and maintenance. The company needs the ability to deploy multiple versions of the application concurrently. The MOST operationally efficient solution that meets these requirements is Deploy the application to AWS Elastic Beanstalk. Migrate the database to an Amazon RDS Multi-AZ DB instance.

  • A dev must modify an Alexa skill backed by an AWS Lambda function to access an Amazon DynamoDB table in a second account. A role in the second account has been created with permissions to access the table. The table should be accessed by Modify the Lambda function execution role's permissions to include the new role.
Last edited:










  • routing policy can be used to
    • Weighted - distribute load over recordsets in a controlled way
    • Failover - implement simple high-availability
  • A + Alias type of recordset is generally used to point at AWS resources

  • Private Hosted Zones is available only within 1 or more VPCs

  • Route53 HealthChecks feature can help improve the availability of service to customers

  • CloudFront is A Global CDN capable of caching static & dynamic content

  • Origin Access Identity (OAI) and Bucket Policies are used together to ensure S3 buckets can only be accessed via CloudFront

  • Certificates must be created when using AWS Certificate Manager (ACM) in the region the service which uses them is in

  • To use an ACM cert with CloudFront us-east-1 region must it be created in

  • ACM FULLY supports CloudFront and API Gateway services

  • A TCP based application which is used globally want to improve the network performance for global users. Service might support this requirement is Global Accelerator.

  • A Dev is using AWS CLI, but when running list commands on a large number of resources, it is timing out. To avoid this time-out can be Use pagination.

  • A company wants to implement a Continuous Integration (CI) for its workloads on AWS. The company wants to trigger unit test in its pipeline for commits-on its code repository, and wants to be notified of failure events in the pipeline. These requirements be met by Store the source code in AWS CodeCommit. Create a CodePipeline to automate unit testing. Use Amazon CloudWatch to trigger notification of failure events.

  • A dev has built a market application that stores pricing data in Amazon DynamoDB with Amazon ElastiCache in front. The prices of items in the market change frequently. Sellers have begun complaining that, after they update the price of an item, the price does not actually change in the product listing. This issue could be causing by The cache is not being invalidated when the price of the item is changed.

  • A company is developing a new online game that will run on top of Amazon ECS. Four distinct Amazon ECS services will be part of the architecture, each requiring specific permissions to various AWS services. The company wants to optimize the use of the underlying Amazon EC2 instances by bin packing the containers based on memory reservation. Configuration would allow the Dev team to meet these requirements MOST securely is Create four distinct IAM roles, each containing the required permissions for the associated ECS service, then configure each ECS task definition to reference the associated IAM role.

  • An application is designed to use Amazon SQS to manage messages from many independent senders. Each sender's messages must be processed in the order they are received. SQS feature should be implemented by the Dev is Configure each sender with a unique MessageGroupId.

  • Amazon ElastiCache, DynamoDB, and Simple Storage Service (S3) are key/value stores.

  • A dev is trying to get data from an Amazon DynamoDB table called demoman-table. The dev configured the AWS CLI to use a specific IAM user's credentials and executed the following command:
    aws dynamodb get-item table-name demoman-table --key '("id"; <"N"; "1993"}}' The command returned errors and no rows were returned. The MOST likely cause of these issues is The IAM user needs an associated policy with read access to demoman-table.

  • An application stores payroll information nightly in DynamoDB for a large number of employees across hundreds of offices. Item attributes consist of individual name, office identifier, and cumulative daily hours. Managers run reports for ranges of names working in their office. One query is "Return all Items in this office for names starting with A through E". Table configuration will result in the lowest impact on provisioned throughput for this query is Configure the table to have a range index on the name attribute, and a hash index on the office identifier.
    Partition key and sort key - Referred to as a composite primary key, this type of key is composed of two attributes. The first attribute is the partition key, and the second attribute is the sort key. DynamoDB uses the partition key value as input to an internal hash function. The output from the hash function determines the partition (physical storage internal to DynamoDB) in which the item will be stored. All items with the same partition key value are stored together, in sorted order by sort key value.

  • If a message is retrieved from a queue in Amazon SQS, the message inaccessible to other users by default is 30 seconds.
    Visibility timeout: minimum 0 second, maximum 12 hours.

  • An application is expected to process many files. Each file takes four minutes to process each AWS Lambda invocation. The Lambda function does not return any important data. The fastest way to process all the files is Make asynchronous Event Lambda invocations and process the files in parallel.

  • A dev must extend an existing application that is based on the AWS Service Application Model (AWS SAM). The dev has used the AWS SAM CLI to create the project. The project contains different AWS Lambda functions. Commands must the dev use to redeploy the AWS SAM application are Sam init & deploy.

  • A Dev is writing transactions into a DynamoDB table called "SystemUpdates" that has 5 write capacity units. The highest read throughput is Strongly consistent reads of 5 read capacity units reading items that are 4 KB in size.

  • A company recently migrated its web, application and NoSQL database tiers to AWS. The company is using Auto Scaling to scale the web and application tiers. More than 95% of the Amazon DynamoDB requests are repeated read-requests. The DynamoDB NoSQL tier can be scaled up to cache these repeated requests by Amazon DynamoDB Accelerator.

  • An application is using a custom library to make HTTP calls directly to AWS service endpoints. The application is experiencing transient errors that are causing processes to stop when each error is first encountered. A request has been made to make the application more resilient by adding error retries and exponential backoff. A developer should implement the changes with MINIMAL custom code by Use an AWS SDK and set retry-specific configurations.

  • Amazon EBS-backed instances can be stopped and restarted.

  • Company needs a fully-managed source control service that will work in AWS. The service must ensure that revision control synchronizes multiple distributed repositories by exchanging sets of changes peer-to-peer. All users need to work productively even when not connected to a network. Should be used AWS CodeCommit source control service.
Last edited:


  • A Dev team would like to migrate their existing application code from a GitHub repository to AWS CodeCommit. Before can migrate a cloned repository to CodeCommit over HTTPS needs to be crated A set of Git credentials generated from IAM.

  • A dev is creating an AWS lambda function that generates a new file each time it runs. Each new file must be checked into an AWS CodeCommit repository hosted in the same AWS account. The dev should accomplish this by Upload the new file to an Amazon S3 bucket. Create an AWS step Function to accept S3 events. In the step Function, add the new file to the repository.

  • A Dev accesses AWS CodeCommit over SSH. The SSH keys configured to access AWS CodeCommit are tied to a user with the following permissions:
    "Version": "2013-11-28",
    "Statement": [
        "Effect": "Allow",
        "Action": [
         "Resource": "*"
    The Dev needs to create/delete branches. Based on the principle of least privilege, the specific IAM permissions need to be added are
    "codecommit: DeleteBranch",

  • A company has implemented AWS CodePipeline to automate its release pipelines. The dev team is writing an AWS Lambda function that will send notifications for state changes of each of the actions in the stages. Step must be taken to associate the Lambda function with the event source is Create an event trigger and specify the Lambda function from the CodePipeline console.

  • A dev team is creating a new application designed to run on AWS. While the test and production environments will run on Amazon EC2 instances, dev will each run their own environment on their laptops. The simplest and MOST secure way to access AWS services from the local development machines is Use an IAM role to assume a role and execute API calls using the role.

  • A dev is working on a serverless application. The application uses Amazon API Gateway. AWS Lambda functions that are written in Python, and Amazon DynamoDB. Combination of steps should the dev take so that the Lambda functions can be debugger in the event of application failures are Ensure that the execution role for the Lambda function has access to write to Amazon CloudWatch Logs and Use the Amazon CloudWatch metric for Lambda errors to create a CloudWatch alarm.

  • An application is real-time processing millions of events that are received through an API. Service could be used to allow multiple consumers to process the data concurrently and MOST cost-effectively is Amazon Kinesis Streams.

  • An organization is storing large files in Amazon S3, and is writing a web application to display meta-data about the files to end-users. Based on the metadata a user select an object to download. The organization needs a mechanism to index the files and provide single-digit millisecond latency retrieval for the metadata. AWS service should be used to accomplish this is Amazon DynamoDB.
    Amazon DynamoDB is a fast and flexible NoSQL database service for all applications that need consistent, single-digit millisecond latency at any scale. It is a fully managed database and supports both document and key-value data models. Its flexible data model and reliable performance make it a great fit for mobile, web, gaming, ad-tech, Internet of Things (IoT), and many other applications.

  • A Dev wants to enable AWS X-Ray for a secure application that runs in an Amazon ECS environment. Steps will enable X-Ray are:
    • Create a Docker image that runs the X-Ray daemon.
    • Add instrumentation to the application code for X-Ray.
    • Configure and use an IAM role for tasks.
  • A company is adding items to an Amazon DynamoDB table from an AWS Lambda function that is written in Python. A dev needs to implement a solution that inserts records in the DynamoDB table and performs automatic retry when the insert fails. Solution meets these requirements with MINIMUM code changes is Use the AWS Software Development Kit (SDK) for Python (boto3) to call the PutItem operation.

Application Modernization with AWS:

Enterprise Investment Trend on IT Infrastructure:


ทำไมลูกค้าย้ายไป AWS:
  • เปลี่ยนจากเงินก้อน (CapEx) เป็นเงินผ่อนหรือรายเดือน (OpEx)
  • จ่ายตามการใช้งานจริงเป็นรายชั่วโมง (Pay as you grow) / ง่ายในการ Scale
  • เพิ่มความเร็วและความคล่องตัว มี Service ให้พร้อมใช้งานแค่ 5 นาที
  • ขยายไปได้ทั่วโลก (Scale Globally)
  • ลดการทำงานของแผนก IT
  • เป็นมิตรกับสิ่งแวดล้อม
AWS customers in Thailand:
  • SCB abacus, SanSiRi, ANanDa, CPF, KBTG, PrukSa
  • ไทยวิวัฒน์, SCG, AIS, SET, King PoWer, CAT, TisCo, dtac, CounTer SerVice
  • BBTV, trueMart, CenTral Group, Jamsai
  • SingHa ESTate, MaJor, TV Direct, ascend
  • meb, true money, Eventpass, Snocko, 2C2P
  • WiseSight, KMITL, bitkub, QueQ, acommerce
  • wongnai, omise, AMPOS,, Sellsuki
  • eko, FlowAcCount, eatigo, OpenDurian, sunday, Pomelo
Broad and Deep Functionality - Periodic Table of Amazon Web Services:

Application migration strategies:

รู้จัก Application ของคุณและทำความเข้าใจตัวเลือกของคุณ:
  • ลดขนาด Resource ของคุณ: Retire, SaaS
  • ย้ายไป AWS: Lift and shift (Re-host) - ใช้ AWS Services แต่ยังไม่อยากแก้ไข Code
  • ปรับปรุงให้ทันสมัยบน AWS: Re-factor (Re-architect), Re-platform
ทำไมต้อง Re-host?:
  • Team งานค่อยๆ เรียนรู้วิธีการทำงานบน Cloud
  • เร่งเส้นทางสู่ Cloud
  • นำเสนอโอกาสในการใช้ขนาดที่เหมาะสม
    • ประหยัดค่าใช้จ่าย
  • อุปสรรคน้อย และใช้ความรู้อีกนิดหน่อย
  • ให้เวลาในการสร้างสถาปัตยกรรมใหม่
ประโยชน์และข้อจำกัดของ Re-host:
  • ร่นระยะเวลาส่งมอบบริการ (Time to value)
  • มีความยืดหยุ่นในการทำงาน สามารถทำ Redundancy ได้ แต่ยังต้องทำเอง
  • ประหยัดค่าใช้จ่าย แต่ประหยัดได้น้อยกว่าการใช้ Serverless และมี Limit ในการ Horizontal Scale
  • เพิ่ม Productivity ด้วยการจัดสรรทรัพยากร IT ที่ง่ายขึ้น
  • หลีกเลี่ยงค่าใช้จ่ายของการต้องซื้อ Hardware ทุกๆ 5 ปี
  • ความคล่องตัวทางธุรกิจ
ประโยชน์และข้อจำกัดของ Re-architecture:
  • ค่าใช้จ่ายในการทำงาน: ลดงาน Operation ด้วย Managed Services
  • เพิ่ม Productivity ขึ้น 30-50% เพื่อ Focus ไปที่ผลลัพธ์ทางธุรกิจ
  • ประหยัดค่าใช้จ่าย: ไม่ต้องซื้อ Hardware ทุกๆ 5 ปี ไม่มีค่าบำรุงรักษา หรือค่าบริหารจัดการ, Scale อัตโนมัติ ใช้เท่าไหร่จ่ายเท่านั้น
  • มีความยืดหยุ่นในการทำงานด้วย AWS Managed Services มี Redundancy ให้พร้อม (Highly Available: HA)
  • รวดเร็วขึ้นเพราะการ Release ได้บ่อยขึ้น และสามารถคาดเดาได้
  • ตอนแรกจะแพงจากค่า Migrate ไปเป็น Microservices และใช้เวลานาน แต่คุ้มค่าในระยะยาว

หมัดต่อหมัด Microservices vs. Monolithic / Monolith บริษัทเราเหมาะกับอะไรมากกว่า?:
  • APIs คือประตูด่านหน้าของ Microservices เพราะฉะนั้น Dev แต่ละ Teams ต้องคุยกันให้ดีๆ ก่อน โดย AWS จะใช้ CloudTrail ในการเก็บ Log
Serverless เป็นรูปแบบการทำงานที่ครอบคลุมบริการประเภทต่างๆ มากมาย:
  • Compute: AWS Lambda, AWS Fargate
  • Data stores: Amazon S3, Amazon Aurora Serverless, Amazon DynamoDB
  • Integration: Amazon API Gateway, Amazon SQS, Amazon SNS, AWS Step Functions, AWS AppSync

Cr: SiS :cool:
Last edited:


  • A Dev team wants to instrument their code to provide more detailed information to AWS X-Ray than simple outgoing and incoming requests. This will generate large amounts of data, so the Dev team wants to implement indexing so they can filter the data. To achieve this the Dev team should Add annotations to the segment document and the code.

  • An application writes items to an Amazon DynamoDB table. As the application scales to thousands of instances, calls to the DynamoDB API generate occasional ThrottlingException errors. The application is coded in a language incompatible with the AWS SDK. The error should be handled by Add exponential backoff to the application logic.
    SDKs automatically add exponential backoff. If not using the AWS SDKs, add own backoff logic to the application code.

  • An application needs to encrypt data that is written to Amazon S3 where the keys are managed in an on-premises data center and the encryption is handled by S3. Type of encryption should be used is Use server-side encryption with Amazon S3-managed keys.

  • A Lambda function processes data before sending it to a downstream service. Each piece of data is approximately 1 MB in size. After a security audit, the function this now required to encrypt the data before sending it downstream. API call is required to perform the encryption is Pass the data to KMS as part of the Encrypt API for encryption.

  • Run an ad-supported photo sharing website using S3 to serve photos to visitors of site. At some point find out that other sites have been linking to the photos on site, causing loss to business. An effective method to mitigate this is Remove public read access and use signed URLs with expiry dates.

  • A gaming application stores scores for players in an Amazon DynamoDB table that has four attributes user_id, user_name, user_score, and user_rank. The users are allowed to update their names only. A user is authenticated by web identity federation. Set of conditions should be added in the policy attached to the role for the DynamoDB PutItem API call is:
    "Condition": {
      "ForAllValues:StringEquals": {
        "dynamodb:LeadingKeys": [
        "dynamodb:Attributes": [

  • An application uses Amazon Kinesis Data Streams to ingest and process large streams of data records in real time. Amazon EC2 instances consume and process the data from the shards of the Kinesis data stream by using Amazon Kinesis Client Library (KCL). The application handles the failure scenarios and does not require standby workers. The application reports that a specific shard is receiving more data than expected. To adapt to the changes in the rate of data flow, the 'hot' shard is resharded. Assuming that the initial number of shards in the Kinesis data stream is 4, and after resharding the number of shards increased to 6, the maximum number of EC2 instances that can be deployed to process data from all the shards is 6.
    Typically, when use the KCL, should ensure that the number of instances does not exceed the number of shards (except for failure standby purposes). Each shard is processed by exactly one KCL worker and has exactly one corresponding record processor, so never need multiple instances to process one shard. However, one worker can process any number of shards, so it's fine if the number of shards exceeds the number of instances.

  • Features can be used to restrict access to data in S3 are Set an S3 Bucket policy and/or ACL on the bucket or the object.

  • A Dev has implemented a Lambda function that needs to add new customers to an RDS database that is expected to run hundreds of times per hour. The Lambda function is configured to use 512MB of RAM and is based on the following pseudo code:
    def lambda_handler(event, context):
    db = database.connect()
    db.statement('INSERT INTO Customers (CustomerName) VALUES (')
    After testing the Lambda function, the Dev notices that the Lambda execution time is much longer than expected. To improve performance the Dev should Move the database connection and close statement out of the handler. Place the connection in the global space.
    Lambda Best Practices - Take advantage of Execution Context reuse to improve the performance of function. Make sure any externalized configuration or dependencies that code retrieves are stored and referenced locally after initial execution. Limit the re-initialization of variables/objects on every invocation. Instead use static initialization/constructor, global/static variables and singletons. Keep alive and reuse connections (HTTP, database, etc.) that were established during a previous invocation.

Observability หรือการ Monitor ก็สำคัญ:
  • Logs: Amazon CloudWatch Logs
  • Metrics: Amazon CloudWatch metrics
  • Traces: AWS X-Ray (Application Performance Monitoring: APM)
ประสิทธิภาพของการเอา CloudWatch & X-Ray มาใช้ร่วมกัน:
  • เริ่มต้นจากการเก็บ Log ก่อน, Status, Metric ต่างๆ ที่เกิดขึ้น
  • สามารถ Monitor ค่าต่างๆ พวกนี้ได้จาก Dashboard จะทำเป็นอัตโนมัติ หรือ Custom ก็ได้ เพื่อให้รู้ว่า Action ต้องทำอะไรต่อ
  • แล้วก็นำไปวิเคราะห์ นำไป Plan ติดตั้ง Workload หรือการทำ Auto Scaling โดยใช้ตัว Metric ไป Trig ได้
  • Analyze: Application Insights, X-Ray Analytics, Container Insights, Logs Insights, Application Insights for .NET & SQL
AWS X-Ray tracing:

Monolith vs Microservice development lifecycle:


DevOps Tool ของ AWS มาช่วยอะไรบ้าง:
  • ช่วยทำให้เป็น Microservices, Team Pizza 2 ถาด คือ การแบ่งเป็น Team เล็กๆ ซึ่ง Team นึงกิน Pizza ได้ 2 ถาดพอดี หรือประมาณ 10 คน ไม่ควรเกินนี้ ยิ่งมากคนก็มากความ
  • ลดความผิดพลาด ลด Manual Process ด้วยการทำให้เป็นอัตโนมัติในทุกอย่าง
  • ด้วยเครื่องมือที่ได้มาตรฐาน ทำให้สามารถ Integrate เชื่อมต่อกันได้โดยไม่มีปัญหา
  • การทำ Template หรือการทำ Governance Policy ต่างๆ
  • Infrastructure as Code (IaC)
AWS Developer Tools for CI/CD:


AWS Cloud9 สำหรับ Development บน Cloud: Cloud IDE สำหรับเขียน, Run, และ Debug Code:
  • Code ด้วย Browser
  • เริ่มโครงการใหม่ได้อย่างรวดเร็ว
  • Code ด้วยกันแบบ Real Time
  • สร้าง Application แบบ Serverless ได้อย่างง่ายดาย
  • Access Terminal ได้โดยตรง
AWS CodeCommit:
  • บริการ Source Control ที่มีการจัดการที่ปลอดภัย ปรับขนาดได้มาก เป็น Private Git
  • ทำงานร่วมกับ Git Tool ที่มีอยู่แล้วได้
  • Integrate เข้ากับ AWS Services เช่น IAM, Cloudwatch Events, AWS KMS, Amazon SNS ได้
  • ไม่มี Hardware
  • มีความพร้อมใช้งานสูง (HA) (ด้วย S3)
AWS CodeBuild:
  • Fully Managed Build Service ที่ Comply Source Code, ทดสอบ Run, และสร้าง Software Package
  • ปรับขนาดได้อย่างต่อเนื่องและประมวลผลหลาย Build ได้พร้อมกัน
  • ไม่ต้องจัดการ Server
  • จ่ายเป็นนาทีสำหรับ Compute Resource ที่ใช้เท่านั้น
  • Monitor Build ด้วย Cloudwatch Events
AWS CodeDeploy:
  • Deploy Code โดยอัตโนมัติไปยัง Instance อะไรก็ได้ และ Lambda
  • จัดการกับความซับซ้อนของการ Update Application
  • หลีกเลี่ยง Downtime ระหว่างการ Deploy Application
  • Roll Back โดยอัตโนมัติหากตรวจเจอความผิดพลาด
  • Deploy ไปยัง Amazon EC2, Amazon ECS, AWS Lambda หรือ On-premises Server ได้
Cr: SiS :cool:
Last edited:



  • A dev wants to build an application that will allow new users to register and create new user accounts. The application must also allow users with social media accounts to log in using their social media credentials. To meet these requirements can be used Amazon Cognito user pools.

  • A Dev must trigger an AWS Lambda function based on the item lifecycle activity in an Amazon DynamoDB table. The Dev can create the solution by Enable a DynamoDB stream, and trigger the Lambda function synchronously from the stream.

  • EC2 instances are launched from Amazon Machine Images (AMIs). A given public AMI can only be used to launch EC2 instances in the same AWS region as the AMI is stored.
AWS Certified SysOps Administrator - Associate:
  • A user has created a VPC with public and private subnets using the VPC wizard. VPC bounds the main route table with a private subnet and a custom route table with a public subnet.
    A Virtual Private Cloud (VPC) is a virtual network dedicated to the user's AWS account. A user can create a subnet with VPC and launch instances inside that subnet. If the user has created a public private subnet, the instances in the public subnet can receive inbound traffic directly from the internet, whereas the instances in the private subnet cannot. If these subnets are created with Wizard, AWS will create a NAT instance of a smaller or higher size, respectively. The VPC has an implied router and the VPC wizard updates the main route table used with the private subnet, crates a custom route table and associates it with the public subnet.

  • The Accounting department would like to receive billing updates more than once a month. They would like the updates to be in a format that can easily be viewed with a spreadsheet application. This request can be fulfilled by Set AWS Cost and Usage Reports to publish bills daily to an Amazon S3 bucket in CSV format.

  • A company in a highly regulated industry has just migrated an Amazon EC2 based application to AWS. For compliance reasons, all network traffic data between the servers must be captured and retained. Solution will accomplish this with the LEAST amount of effort is Set up flow logs at the VPC level. Configure Amazon S3 as the destination.

  • Run a database on an EC2 instance, with the data stored on Elastic Block Store (EBS) for persistence. At times throughout the day, see large variance in the response times of the database queries. Looking into the instance with the isolate command see a lot of wait time on the disk volume that the database's data is stored on. While maintaining the current persistence of the data can improve the performance of the database's storage by Move the database to an EBS-Optimized Instance and Use Provisioned IOPs EBS.

  • A company issued SSL certificates to its users, and needs to ensure the private keys that are used to sign the certificates are encrypted. The company needs to be able to store the private keys and perform cryptographic signing operations in a secure environment. Service should be used to meet these requirements is AWS CloudHSM.
    Import and Existing Private Key might already have a private key and a corresponding SSL/TLS certificate that use for HTTPS on web server. If so, can import that key into an HSM by doing the following:
    To import an existing private key into an HSM:
    1. Connect to Amazon EC2 client instance. If necessary, copy existing private key and certificate to the instance.
    2. Run the command to start the AWS CloudHSM client.
  • Pricing is per instance-second or per instance-hour consumed for EC2 instances.
    In AWS, pay only for what use. EC2 pricing is depending on the instance type and operating system for the AMI. For example, spot, reserved, and on-demand instances are billed per-second, while Dedicated instances are billed per hour. Linux instances can be billed per second, but Microsoft Windows instances are billed per hour.

  • In Amazon CloudFront, if have chosen On for Logging, the access logs are stored in Amazon S3 bucket that want CloudFront to store access logs in. For example:
    If enable logging, CloudFront records information about each end-user request for an object and stores the files in the specified Amazon S3 bucket.
Last edited: