Study only the topics below. They cover almost everything needed to answer the quiz correctly. fileciteturn0file0
An IAM Role attached to an EC2 instance so applications can securely access AWS services.
✅ EC2 → IAM Role → Temporary Credentials
❌ Hardcoded Access Keys
Application in Account A accessing resources in Account B:
STS AssumeRoleNever share IAM users or root credentials.
Bucket Policy can force HTTPS.
Use
aws:SecureTransport = falseinside a Deny statement.
This blocks HTTP access.
Bucket Policy
↓
Deny if SecureTransport = false
↓
HTTPS only
Prevents two EC2 instances from overwriting each other's updates.
Uses
If version changed
↓
Write fails
↓
Retry
Never store:
inside
Store in
AWS Secrets Manager
Benefits
Important Exam Trick
If CLI uses
aws configurethen it uses the IAM user's credentials.
The EC2 Role is ignored.
Example
Role:
Deny S3User:
Allow S3CLI configured with user keys
→ User permissions apply.
Before deployment test permissions using
simulate-principal-policyNo real API call is made.
EC2 application metrics like
are NOT collected automatically.
Publish using
PutMetricDataThen
EC2 Role must allow
cloudwatch:PutMetricDataWithout it
Metric never appears.
Typical architecture
EC2 Metric
↓
CloudWatch Alarm
↓
SNS
↓
Lambda
↓
Slack / Teams / EmailVery common exam question.
Need TWO things
inside application
running on EC2
The SDK sends traces to
UDP Port 2000Daemon forwards them to X-Ray.
Also IAM Role needs
xray:PutTraceSegments
xray:PutTelemetryRecordsSecurity Groups are
Everything else is denied.
Example
Allow
Everything else
↓
Automatically blocked
Need CloudFormation to wait until bootstrapping finishes.
Use
WaitCondition
+
WaitConditionHandle
+
cfn-signalCloudFormation waits.
Without signal
↓
Stack rollback.
Correct order
ApplicationStop
↓
DownloadBundle
↓
BeforeInstall
↓
Install
↓
AfterInstall
↓
ApplicationStart
↓
ValidateServiceMemorize exactly.
Must be at
Root of ZIP/TAR bundleNot inside folders.
Can set
using
permissions:inside
appspec.ymlNo shell script required.
Auto Scaling Group (ASG)
Automatically
Main settings
Want only 25% updated at once.
Use
MinimumHealthyHosts = 75%Meaning
75% stay healthy
↓
25% updated
↓
Safer deployment
You manage
Good for predictable workloads.
AWS manages everything.
No EC2.
Serverless containers.
Perfect for
Without
WaitTimeSecondsReceiveMessage immediately returns.
Many empty polls.
Higher cost.
Enable
WaitTimeSeconds
1–20 secondsFewer API calls.
Lower cost.
Sensitive values
Never
Use
SSM Parameter Store
SecureString
+
ssm-secure dynamic referenceCloudFormation retrieves securely.
SDK and CLI obtain temporary credentials from
Instance Metadata ServiceNo access keys required.
Remember
EC2
↓
IAM Role
↓
IMDS
↓
Temporary Credentials
↓
AWS SDKAlways
✅ IAM Roles
✅ Secrets Manager
✅ HTTPS
✅ Temporary Credentials
✅ KMS Encryption
Never
❌ Hardcoded Passwords
❌ Access Keys
❌ Root Credentials
❌ Plaintext Secrets
| If you see... | Answer |
|---|---|
| EC2 credentials | IAM Role (Instance Profile) |
| Cross-account | AssumeRole |
| DB password | Secrets Manager |
| Force HTTPS to S3 | Bucket Policy + aws:SecureTransport |
| Prevent DynamoDB overwrite | Optimistic Locking |
| Custom Metric | PutMetricData |
| Metric missing | cloudwatch:PutMetricData permission |
| X-Ray EC2 | SDK + Daemon + IAM permission |
| Secure EC2 firewall | Security Group |
| CloudFormation wait | WaitCondition + cfn-signal |
| CodeDeploy order | ApplicationStop → Install → ValidateService |
| appspec.yml | Root of bundle |
| appspec permissions | permissions section |
| 25% deployment | MinimumHealthyHosts = 75% |
| Bursty containers | ECS Fargate |
| Long polling | WaitTimeSeconds |
| Secure CloudFormation secret | SSM SecureString |
| Auto credentials | IMDS |