AWS Questions EP22

Professional Development

7 Qs

Assessment

Quiz

Science

Professional Development

Medium

Created by

vpmmff55s6 apple_user

1.

MULTIPLE CHOICE QUESTION

1 min • 5 pts

Domain: Design High-Performing Architectures

You are uploading large files, ranging from 1GB – 3GB, to an AWS S3 bucket. Your organization requires a hash checksum of each file, calculated by reading the entire file, so that users can validate the checksum to identify any potential corruption during downloads. For this, you created a Lambda function that is triggered through S3 notifications.

However, the request is getting timed out. What could be the reason?

A. Lambda function is configured with minimal memory of 128 MB.

B. Lambda function is set to run in a private VPC without NAT Gateway or VPC Endpoint.

C. You have not set up the S3 bucket name in an environment variable.

D. Lambda function is created in a different region than S3 bucket.

Answer explanation

Option A is not correct. If the function reaches the maximum configured memory, in this case 128 MB, the function gets terminated with an error message as below, not with a request timeout.

REPORT RequestId: xxxxxxxx   Duration: xxxxx ms   Billed Duration: xxxxx ms   Memory Size: 128 MB   Max Memory Used: 129 MB

RequestId: xxxxxxx Process exited before completing request

Option B is correct. AWS Lambda functions can run within a private VPC with the resources allocated inside the subnet provided during configuration.

For the Lambda function to access the S3 service endpoint from within a private VPC, there should be a NAT Gateway or S3 VPC Endpoint configured in the route table associated with the subnet which was chosen during Lambda function setup. If not, the request would time out.

Option C is not correct. The bucket need not be configured as an environment variable.

Lambda function environment variables are used to configure additional parameters that can be passed to the Lambda function.

Option D is not correct. As long as the Lambda function has internet access, it can access S3 service endpoints irrespective of the S3 bucket region.

2.

MULTIPLE SELECT QUESTION

1 min • 5 pts

Domain: Design Secure Architectures

Which of the following is the customer’s responsibility concerning the AWS Lambda service? (Select TWO)

A. Lambda function code.

B. Monitoring and logging Lambda functions.

C. Security patches.

D. Installing required libraries in underlying compute instances for Lambda execution.

E. Providing AWS Lambda with the required role and permissions to access the AWS resources.

Answer explanation

Option D is incorrect. You cannot log in to the underlying compute instances used for Lambda execution, so you cannot install any required libraries on them. However, you can package all the required dependent libraries along with your code.

Refer to the below documentation for more information on creating a deployment package for Lambda functions.

Option E is correct. AWS Lambda assumes the role assigned during setup to access any AWS resources it performs an action on. The policy on the role must grant access to any such resources for Lambda to perform operations, for example, S3 GetObject, DynamoDB GetItem, etc.

3.

MULTIPLE CHOICE QUESTION

1 min • 5 pts

Domain: Design Resilient Architectures

Company ABC has 100 REST APIs exposed to the Internet from their on-premises network. They have already integrated with AWS through Direct Connect. They have approached you asking for a cost-effective way of making these REST APIs available through AWS API Gateway because of the resiliency and cost reductions it provides. What solution would you provide?

A. API Gateway cannot integrate with on-premises backend APIs which are not over the public internet. Rebuild all the backend APIs using Lambda and integrate it with API Gateway.

B. Use VPC Private Link to integrate on-premises backend solutions through DirectConnect and private VPC.

C. Build API Gateway using the existing on-premises public facing REST APIs as HTTPS endpoints integration type.

D. Build API Gateway with integration type as AWS Service and select Direct Connect service.

Answer explanation

  • For more information on VPC Link, refer to the documentation here. 

  • Option A is INCORRECT because you can use API Gateway to integrate with on-premises backend APIs. Therefore this option is invalid.

  • Option C is INCORRECT because you can choose the integration type as "HTTPS" if your API is integrated with an existing HTTPS endpoint. Since the question does not state any integration with any HTTPS endpoint, this option is invalid.

  • Option D is INCORRECT because you can choose the integration type as "AWS Service" only if your API will be integrated with an AWS service. Since the question does not state any integration with any AWS service, this option is invalid.

 

4.

MULTIPLE CHOICE QUESTION

1 min • 5 pts

Domain: Design Resilient Architectures

In AWS API Gateway, which of the following security measures is provided by default by AWS to protect the backend systems?

A. Default Cross-Origin Resource Sharing (CORS) configuration.

B. Default Resource Policy.

C. Protection from distributed denial-of-service (DDoS) attacks.

D. Security of backend systems falls under customer responsibility. AWS provides different mechanisms to protect backend systems which are not configured by default.

Answer explanation

Media Image

Answer: C

API Gateway supports throttling settings for each method or route in your APIs. You can set a standard rate limit and a burst rate limit per second for each method in your REST APIs and each route in WebSocket APIs. Further, API Gateway automatically protects your backend systems from distributed denial-of-service (DDoS) attacks, whether attacked with counterfeit requests (Layer 7) or SYN floods (Layer 3).

Options A and B are part of the above list and do not have any default configurations. Option C is correct.

Option D's statement is incorrect as it is a distractor. The above screenshot shows AWS automatically protects from DDoS attacks.

Reference:

5.

MULTIPLE CHOICE QUESTION

1 min • 5 pts

Domain: Design High-Performing Architectures

With respect to API caching for API Gateway through the console, which of the following is not a cache setting?

A. Cache capacity

B. Encrypt cache data

C. Import cache

D. Flush entire cache

Answer explanation

Media Image

Answer: C

The following are the settings when enabling/disabling API caching for API Gateway.

  • Options A, B, D are highlighted in the above screenshots. There is no 'Import cache' on API Gateway.

Reference:

https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-caching.html

6.

MULTIPLE CHOICE QUESTION

2 mins • 10 pts

Domain: Design for New Solutions

A scientific research organization is looking for a data backup solution for their on-premises data. Their hybrid cloud storage solution should include:

  • Seamless connection between on-premises environments and AWS

  • Quick and easy to deploy

  • Moving backups to the cloud, using on-premises file shares backed by durable and cost-effective cloud storage

  • Providing low-latency access to data in AWS for on-premises applications

  • End-to-end data protection

Which of these will be a cost-conscious architecture that satisfies all of the above?

A. Establish Direct Connect connection between on-premises and AWS and achieve a dedicated line for secure and fast data transfer from on-premises to AWS. All your on-premises applications can access the data in AWS using the same Direct Connect connection.

B. Use AWS Storage Gateway to achieve hybrid cloud storage services that provide on-premises access to virtually unlimited cloud storage.

C. Use AWS DataSync to achieve online data transfer service that simplifies, automates, and accelerates data migration between storage systems and services.

D. Implement AWS Snowball in your local data center and copy all the data to it. Then have Amazon replicate the data to AWS Cloud.

Answer explanation

Media Image

Correct Answer: B

  • Option A is incorrect because Direct Connect is not fast and easy to deploy. Plus, data transfer is not encrypted, so the last condition, end-to-end data protection, is not satisfied.

  • Option B is CORRECT because AWS Storage Gateway satisfies all the above conditions. To support these use cases, the service provides four different types of gateways – Tape Gateway, Amazon S3 File Gateway, Amazon FSx File Gateway, and Volume Gateway – that seamlessly connect on-premises applications to cloud storage, caching data locally for low-latency access. AWS Storage Gateway is easy to integrate with Amazon S3 for durable and cost-effective backup storage.

  • Image source: https://aws.amazon.com/storagegateway/

  • Option C is incorrect because AWS DataSync is an online data transfer service that simplifies, automates, and accelerates the process of copying large amounts of data to and from AWS storage services over the Internet or AWS Direct Connect. It is mainly designed for migrating on-premises data from a Network Attached Storage (NAS) system or Network File System (NFS) to Amazon S3 or Amazon EFS. AWS DataSync is ideal for online data transfers.

    Hopefully, this will make it clearer from a usage point of view: you can use DataSync to migrate active data to AWS, transfer data to the cloud for analysis and processing, archive data to free up on-premises storage capacity, or replicate data to AWS for business continuity.

    AWS Storage Gateway is a hybrid cloud storage service that gives you on-premises access to virtually unlimited cloud storage.

  • Option D is incorrect because AWS Snowball is mainly used for Data Import/Export to/from AWS. This does not form hybrid cloud storage as per the above requirement.

Reference:

7.

MULTIPLE CHOICE QUESTION

2 mins • 10 pts

Domain: Design for New Solutions

A new web application is designed by a developer team using Amazon API Gateway and AWS Lambda. REST APIs will be used for this purpose, and they will synchronously invoke the AWS Lambda function. The developer team is expecting a huge response to this application and is looking for a secure solution for authenticating a large number of clients.

Which solution can be designed for this requirement in the most effective way?

A. Create a request parameter-based Lambda authorizer. Configure API Gateway to call Lambda authorizer to authenticate clients making a request using REST API.

B. Create users in Amazon Cognito user pools. Create an API Gateway authorizer with this user pool and enable the authorizer on the REST API.

C. Create resource policies matching specific users. Attach this resource policy to Amazon API Gateway which will control access to the APIs.

D. Create an IAM user policy to invoke API. Attach this policy to Amazon API Gateway which will control access to the APIs.

Answer explanation

Correct Answer: B

Amazon Cognito user pool can be used to control who can access REST APIs in the API Gateway. With this method,

  1. Clients sign up with a user pool.

  2. Once clients sign in with a user pool, they obtain an identity token.

  3. Clients pass this token to API Gateway to get access to the REST APIs created in the API Gateway.

This method is best suited when there is a need to provide access to a large number of global users.

  • Option A is incorrect as request parameter-based Lambda authorizers are supported only for WebSocket API and not REST APIs.

  • Option C is incorrect because there would be a large number of clients accessing these APIs, and using resource policies will not be an efficient way to control access.

  • Option D is incorrect as IAM-based policies are best suited for controlling access to API from within the AWS Infrastructure. These are not suited to control access for external clients.

For more information on authentication methods with API Gateway, refer to the following URL,
