AWS Solutions Architect Associate(SAA-C02)- Quiz 6

Q1.
You are developing an application that uses Lambda functions. You need to store some sensitive data that includes credentials for accessing the database tier. You are planning to store this data as environment variables within Lambda. How can you ensure this sensitive information is properly secured?

This cannot be done, only the environment variables that relate to the Lambda function itself can be encrypted

Store the environment variables in an encrypted DynamoDB table and configure Lambda to retrieve them as required.

Use encryption helpers that leverage AWS Key Management Service to store the sensitive information as Ciphertext

There is no need to make any changes as all environment variables are encrypted by default with AWS Lambda

WHY A IS False?	CONCEPT: Securing sensitive information in Lambda functions	There is a solution to this requirement of securing sensitive information in Lambda functions. Environment variables for Lambda functions enable you to dynamically pass settings to your function code and libraries, without making changes to your code. Read More about them at https://kaustubhsharma.com/blog/Lambda-functions
WHY B IS False?	CONCEPT: Storing variables in encrypted DynamoDB table	Storing the variables in an encrypted DynamoDB table is not necessary when you can use encryption helpers. It's become a more complicated process.
WHY C IS True?	CONCEPT: ENCRYPTION OF ENVIRONMENT VARIABLES IN LAMBDA	ENCRYPTION AT TRANSIT: When you use environment variables, you can enable console encryption helpers to use client-side encryption to protect the environment variables in transit. ENCRYPTION AT REST : You can use environment variables to store secrets securely for use with Lambda functions. Lambda always encrypts environment variables at rest. By default, Lambda uses an AWS KMS key that Lambda creates in your account to encrypt your environment variables. This AWS managed key is named `aws/lambda`. However, you can Customer managed Keys if required. Read more about it at https://kaustubhsharma.com/blog/Lambda-functions CIPHERTEXT: It is encrypted text transformed from plaintext using an encryption algorithm. It can't be read until it has been converted into plaintext (decrypted) with a key.
WHY D IS False?	CONCEPT: ENCRYPTION OF ENVIRONMENT VARIABLES IN LAMBDA	When you deploy your Lambda function, all the environment variables you’ve specified are encrypted by default after, but not during, the deployment process. They are then decrypted automatically by AWS Lambda when the function is invoked. If you need to store sensitive information in an environment variable, you should encrypt that information before deploying your Lambda function. The Lambda console makes that easier for you by providing encryption helpers that leverage AWS Key Management Service to store that sensitive information as Ciphertext.
Short Trick	1." sensitive information is properly secured" - This sensitive information is stored as environment variables within Lambda so we need encryption of environment variables. So, environment variables are encrypted at transit by enabling console encryption helpers to use client-side encryption. To encrypt environment variables at rest, Lambda uses an AWS KMS key by default that Lambda creates in your account to encrypt your environment variables. This AWS managed key is named `aws/lambda`.
References:	REFERNCED DOCS

Q2.
Health-related data in Amazon S3 needs to be frequently accessed for up to 90 days. After that time the data must be retained for compliance reasons for seven years and is rarely accessed.

Which storage classes should be used?

Store data in STANDARD for 90 days then expire the data

Store data in STANDARD for 90 days then transition to REDUCED_REDUNDANCY

Store data in STANDARD for 90 days then transition the data to DEEP_ARCHIVE

Store data in INTELLIGENT_TIERING for 90 days then transition to STANDARD_IA

WHY A IS False?	CONCEPT: S3 Standard	S3 Standard for general-purpose storage of frequently accessed data. However, after 90 days, we don't want to expire data as it must be retained for compliance.
WHY B IS False?	CONCEPT: Reduced Redundancy Storage (RRS)	Reduced Redundancy Storage (RRS) is an Amazon S3 storage option that enables customers to store non-critical, reproducible data at lower levels of redundancy than Amazon S3’s standard storage. But the issue with RRS is that you cannot transition from any storage class to REDUCED_REDUNDANCY. Read all other unsupported S3 lifecycles transitions:https://kaustubhsharma.com/blog/s3-lifecycle-transitions
WHY C IS True?	CONCEPT: DEEP_ARCHIVE	S3 Glacier Deep Archive is Amazon S3’s lowest-cost storage class and supports long-term retention and digital preservation for data that may be accessed once or twice a year.
WHY D IS False?	CONCEPT: STANDARD_IA	S3 Standard-IA is for data that is accessed less frequently but requires rapid access when needed.
Short Trick	1."rarely accessed" clearly indicates two options DEEP ARCHIVE & REDUCED REDUNDANCY. But Reduced redundancy doesn't support lifecycle transition. So, the correct answer is DEEP ARCHIVE .
References:	REFERNCED DOCS

Q3.
A web app allows users to upload images for viewing online. The compute layer that processes the images is behind an Auto Scaling group. The processing layer should be decoupled from the front end and the ASG needs to dynamically adjust based on the number of images being uploaded. How can this be achieved?

Create an Amazon SQS queue and custom CloudWatch metric to measure the number of messages in the queue. Configure the ASG to scale based on the number of messages in the queue

Create an Amazon SNS Topic to generate a notification each time a message is uploaded. Have the ASG scale based on the number of SNS messages

Create a target tracking policy that keeps the ASG at 70% CPU utilization

Create a scheduled policy that scales the ASG at times of expected peak load

WHY A IS True?	CONCEPT: SQS	The best solution is to use Amazon SQS to decouple the front end from the processing compute layer. To do this you can create a custom CloudWatch metric that measures the number of messages in the queue and then configure the ASG to scale using a target tracking policy that tracks a certain value.
WHY B IS False?	CONCEPT: Amazon Simple Notification Service (SNS)	The Amazon Simple Notification Service (SNS) is used for sending notifications using topics. Amazon SQS is a better solution for this scenario as it provides a decoupling mechanism where the actual images can be stored for processing. SNS does not provide somewhere for the images to be stored.
WHY C IS False?	CONCEPT: Target tracking policy	Using a target tracking policy with the ASG that tracks CPU utilization does not allow scaling based on the number of images being uploaded.
WHY D IS False?	CONCEPT: Scheduled policy	Using a scheduled policy is less dynamic as though you may be able to predict usage patterns, it would be better to adjust dynamically based on actual usage.
Short Trick	1. "processing layer should be decoupled from the front end" - SQS has a better decoupling mechanism where the actual images can be stored for processing, whereas SNS doesn't.
References:	REFERNCED DOCS

Q2.Health-related data in Amazon S3 needs to be frequently accessed for up to 90 days. After that time the data must be retained for compliance reasons for seven years and is rarely accessed. Which storage classes should be used?

Q2.
Health-related data in Amazon S3 needs to be frequently accessed for up to 90 days. After that time the data must be retained for compliance reasons for seven years and is rarely accessed.

Which storage classes should be used?