WGU D321 - AWS Developer Exam Questions and Answers (Rated A+)
Send an email after push to CodeCommit? - Answers Use Notifications, this will add CW Events rule to
send a notification to SNS which will trigger an email to be sent
What AWS service to fully automate entire process? - Answers CodePipeline
What 2 things can go in the Transforms section of CF? - Answers - Re-use Code located in S3
- Specify the use of the Serverless Application Model for Lamdba deployments.
What CF section to define proerties of a new bucket? - Answers Resources
What are hooks for in CodeDeploy AppSpec file? - Answers To specify code, scripts or functions that you
want to run at set points int he developmnet lifecycle
Name of CodeDeply file to specify source files and lifecylce hooks? - Answers appspec.yml
is appSpec file only YAML - Answers no, also json
What API call to enable user authentication via Facebook to a app in AWS? - Answers STS assume-role-
with-web-identity
when would you use an Inline Policy over Managed? - Answers To add permissions that are only ever
intended to be used for a single user in your account
What does Congnito use to manage sign-up and sign-in functionality for mobile and web applications? -
Answers User Pools
what does Cog to create unique identities for user and authenticate them with Web ID providers -
Answers Identity Pools
App behind ELB, how to get public IP addresses of the users? - Answers Update App to log the x-
forwarded-for header.
Which feature of AWS can you use to configure S3 to allow web applications being hosted in one S3
bucket to access files in another S3 bucket? - Answers CORS
How does S3 determine which partition to use to store files? - Answers The key name determines which
partition the file is stored in
You are using S3 in AP-Northeast to host a static website in a bucket called "acloudguru". What would
the new URL endpoint be? - Answers http://acloudguru.s3-website-ap-northeast-1.amazonaws.com
What is the HTTP code you would see once you successfully place a file in an S3 bucket? - Answers 200
Is a new S3 bucket public by default? - Answers No
,You work for an online gaming store which has a global worldwide leaderboard for players of the game.
You need to implement a caching system for your leaderboard that has multiple availability zones in
order to prevent an outage. Which ElastiCache solution should you use? - Answers Redis
You have a three-tier web application with a webserver tier, application tier and database tier. The
application is spread across multiple availability zones for redundancy and is in an autoscaling group
with a minimum size of 2 and a maximum size of 10. The application relies on connecting to an RDS
multi-AZ database. When new instances are launched they download a connection string file which is
saved in an encrypted S3 bucket using a bootstrap script. During a routine scaling event you notice that
your new webservers are failing their health checks and are not coming in to service. You investigate
and discover that the EC2 - S3 read only role that the webservers rely on has no policies attached to it.
What steps should you take together to remediate this problem while maintaining the principle of least
privilege? (Choose 2) - Answers Terminate the existing instances and allow new instances to come into
service.
Attach the S3 - Read-only policy to the role.
You have an EC2 instance in a single availability zone connected to an RDS instance. The EC2 instance
needs to communicate to S3 to download some important configuration files from it. You try the
command aws s3 cp s3://yourbucket /var/www/html however you receive an error message. You log in
to Identity Access Management (IAM) and discover there is no role created to allow EC2 to
communicate to S3. You create the role and attach it to the existing EC2 instance. How fast will the
changes take to propagate? - Answers Immediately
Your EC2 instance needs to access files located in an S3 bucket, what is the best way to enable access? -
Answers Create an IAM role with read access to S3 and assign the role to the EC2 instance
* Using an IAM role associated with the EC2 instance is the recommended way, storing credentials
locally is not recommended.
When using the AWS REST API to upload an object to S3, which of the following request headers will
ensure that your data must be encrypted using SSE? - Answers x-amz-server-side-encryption
You need to allow another AWS account access to resources in your AWS account, what is the
recommended mechanism to configure this? - Answers Configure cross account access by creating a role
in your account which has permission to access only the resources they need. Allow the third party
account to assume the role based on their account ID and unique external ID
, Roles are the primary way to grant cross-account access. With IAM roles, you can grant third parties
access to your AWS resources without sharing your AWS security credentials. Instead, the third party
can access your AWS resources by assuming a role that you create in your AWS account.
Which of the following activities are the responsibility of the customer?
Safe disposal of storage devices
Security Group configuration settings
Controls around who can physically access the data center
Management of user credentials
Encryption of sensitive data - Answers Security Group configuration settings
Management of user credentials
Encryption of sensitive data
Security and Compliance is a shared responsibility between AWS and the customer. The customer
assumes responsibility and management of the guest operating system (including updates and security
patches), other associated application software as well as the configuration of the AWS-provided
security group firewall. AWS is responsible for protecting the infrastructure that runs all of the services
offered in the AWS Cloud. This infrastructure is composed of the hardware, software, networking, and
facilities that run AWS Cloud services.
Your application needs to access content located in an S3 bucket which is residing in a different AWS
account, which of the following API calls should be used to gain access? - Answers The STS AssumeRole
API call returns a set of temporary security credentials which can be used to access AWS resources,
incuding those in a different account
You are working on a mobile phone app for an online retailer which stores customer data in DynamoDB.
You would like to allow new users to sign-up using their Facebook credentials. What is the
recommended approach? - Answers After the user has successfully logged in to Facebook and received
an authentication token, Cognito should be used to exchange the token for temporary access to
DynamoDB
For mobile applications, using Cognito as an ID broker is the recommended approach to enabling user
sign-up, sign-in and guest access using Web Identity Providers like Facebook.
Which of the following does Cognito use to manage sign-up and sign-in functionality for mobile and web
applications? - Answers Cognito User Pools are like a directory, allowing users sign-up and sign-in.
Send an email after push to CodeCommit? - Answers Use Notifications, this will add CW Events rule to
send a notification to SNS which will trigger an email to be sent
What AWS service to fully automate entire process? - Answers CodePipeline
What 2 things can go in the Transforms section of CF? - Answers - Re-use Code located in S3
- Specify the use of the Serverless Application Model for Lamdba deployments.
What CF section to define proerties of a new bucket? - Answers Resources
What are hooks for in CodeDeploy AppSpec file? - Answers To specify code, scripts or functions that you
want to run at set points int he developmnet lifecycle
Name of CodeDeply file to specify source files and lifecylce hooks? - Answers appspec.yml
is appSpec file only YAML - Answers no, also json
What API call to enable user authentication via Facebook to a app in AWS? - Answers STS assume-role-
with-web-identity
when would you use an Inline Policy over Managed? - Answers To add permissions that are only ever
intended to be used for a single user in your account
What does Congnito use to manage sign-up and sign-in functionality for mobile and web applications? -
Answers User Pools
what does Cog to create unique identities for user and authenticate them with Web ID providers -
Answers Identity Pools
App behind ELB, how to get public IP addresses of the users? - Answers Update App to log the x-
forwarded-for header.
Which feature of AWS can you use to configure S3 to allow web applications being hosted in one S3
bucket to access files in another S3 bucket? - Answers CORS
How does S3 determine which partition to use to store files? - Answers The key name determines which
partition the file is stored in
You are using S3 in AP-Northeast to host a static website in a bucket called "acloudguru". What would
the new URL endpoint be? - Answers http://acloudguru.s3-website-ap-northeast-1.amazonaws.com
What is the HTTP code you would see once you successfully place a file in an S3 bucket? - Answers 200
Is a new S3 bucket public by default? - Answers No
,You work for an online gaming store which has a global worldwide leaderboard for players of the game.
You need to implement a caching system for your leaderboard that has multiple availability zones in
order to prevent an outage. Which ElastiCache solution should you use? - Answers Redis
You have a three-tier web application with a webserver tier, application tier and database tier. The
application is spread across multiple availability zones for redundancy and is in an autoscaling group
with a minimum size of 2 and a maximum size of 10. The application relies on connecting to an RDS
multi-AZ database. When new instances are launched they download a connection string file which is
saved in an encrypted S3 bucket using a bootstrap script. During a routine scaling event you notice that
your new webservers are failing their health checks and are not coming in to service. You investigate
and discover that the EC2 - S3 read only role that the webservers rely on has no policies attached to it.
What steps should you take together to remediate this problem while maintaining the principle of least
privilege? (Choose 2) - Answers Terminate the existing instances and allow new instances to come into
service.
Attach the S3 - Read-only policy to the role.
You have an EC2 instance in a single availability zone connected to an RDS instance. The EC2 instance
needs to communicate to S3 to download some important configuration files from it. You try the
command aws s3 cp s3://yourbucket /var/www/html however you receive an error message. You log in
to Identity Access Management (IAM) and discover there is no role created to allow EC2 to
communicate to S3. You create the role and attach it to the existing EC2 instance. How fast will the
changes take to propagate? - Answers Immediately
Your EC2 instance needs to access files located in an S3 bucket, what is the best way to enable access? -
Answers Create an IAM role with read access to S3 and assign the role to the EC2 instance
* Using an IAM role associated with the EC2 instance is the recommended way, storing credentials
locally is not recommended.
When using the AWS REST API to upload an object to S3, which of the following request headers will
ensure that your data must be encrypted using SSE? - Answers x-amz-server-side-encryption
You need to allow another AWS account access to resources in your AWS account, what is the
recommended mechanism to configure this? - Answers Configure cross account access by creating a role
in your account which has permission to access only the resources they need. Allow the third party
account to assume the role based on their account ID and unique external ID
, Roles are the primary way to grant cross-account access. With IAM roles, you can grant third parties
access to your AWS resources without sharing your AWS security credentials. Instead, the third party
can access your AWS resources by assuming a role that you create in your AWS account.
Which of the following activities are the responsibility of the customer?
Safe disposal of storage devices
Security Group configuration settings
Controls around who can physically access the data center
Management of user credentials
Encryption of sensitive data - Answers Security Group configuration settings
Management of user credentials
Encryption of sensitive data
Security and Compliance is a shared responsibility between AWS and the customer. The customer
assumes responsibility and management of the guest operating system (including updates and security
patches), other associated application software as well as the configuration of the AWS-provided
security group firewall. AWS is responsible for protecting the infrastructure that runs all of the services
offered in the AWS Cloud. This infrastructure is composed of the hardware, software, networking, and
facilities that run AWS Cloud services.
Your application needs to access content located in an S3 bucket which is residing in a different AWS
account, which of the following API calls should be used to gain access? - Answers The STS AssumeRole
API call returns a set of temporary security credentials which can be used to access AWS resources,
incuding those in a different account
You are working on a mobile phone app for an online retailer which stores customer data in DynamoDB.
You would like to allow new users to sign-up using their Facebook credentials. What is the
recommended approach? - Answers After the user has successfully logged in to Facebook and received
an authentication token, Cognito should be used to exchange the token for temporary access to
DynamoDB
For mobile applications, using Cognito as an ID broker is the recommended approach to enabling user
sign-up, sign-in and guest access using Web Identity Providers like Facebook.
Which of the following does Cognito use to manage sign-up and sign-in functionality for mobile and web
applications? - Answers Cognito User Pools are like a directory, allowing users sign-up and sign-in.
