AWS SAA Flashcards
AWS Organizations
The main account is the management account; all other accounts are members of the organization.
OUs for departments, IE- Finance, Devs, etc.
SCP (Security Control Policies)
Security policies that restrict what services accounts can access.
Amazon Cognito
Gives users an identity to interact with a web or mobile app hosted on AWS. A database of users for your web app.
AWS IAM Identity Center
SSO for your AWS users in IAM. Can connect to a 3rd party IdP.
AWS Control Tower
Easily set up a secure and compliant multi-account environment in AWS based on best practices. IE- Kinda like AWS Config but for IAM.
EC2 User Data
You can input a bash script when launching the instance. Upon launch, the bash script is run as root on the new instance.
EC2 Security Groups
Security groups control your inbound and outbound traffic to the instance.
EC2 Instance (On-Demand)
Short workloads, pay by second.
EC2 Instance (Reserved (1&3 Years))
Long workloads, you can rent for 1-3 years.
EC2 Instance (Savings Plans (1&3 Years))
Commitment to an amount of usage, like reserved but committed.
EC2 Instance (Spot Instances)
Short workloads, auction house instances, can lose at any time if the price rises.
EC2 Instance (Dedicated Hosts)
Book an entire physical server and get control over instance placement. Allows you to use existing software licenses.
EC2 Instance (Dedicated Instances)
No other customer will share your hardware; book an entire instance in the data center.
EC2 Instance (Spot Fleet)
Have continuously running spot instances based on predefined configuration templates. If one of the instances gets deleted due to cost, another one will attempt to spin up if pricing works out. Set and forget type of configuration.
EC2 Networking (Private IP)
IP address in the data center’s network.
EC2 Networking (Public IP)
IP address facing the internet.
EC2 Networking (Elastic IP)
IP you can assign to an instance to have the same public IP even if the instance is stopped and started again. Think of this like a DHCP lease but for AWS.
EC2 Cluster Placement Group
Single AZ, all on the same rack in close proximity.
EC2 Spread Placement Group
Spreads instances across the same set of underlying hardware. Different AZs but all running the same application. Reliability is good because if one rack goes down, we can switch to the other racks in the other AZs. Limited to 7 instances per AZ.
EC2 Partition Placement Group
Each partition is a different rack, many instances on one partition. Reliability is good because they are all on different racks/partitions. This is the best for large scale (100s of instances). These instances do not share hardware. Each partition is isolated from failure from the others.
ENI (Elastic Network Interface)
Virtual network cards that are “attached to instances”. Used to assign elastic IPs to the instance it is attached to.
EBS (Elastic Block Store)
A virtual drive that you can attach to one instance. It is locked to one AZ. Think of as “network USB sticks”. You must define the capacity size of this type of storage and you pay for the whole thing.
EFS (Elastic File System)
Managed network file system that can be mounted to many instances at the same time. Can be used in any AZ, on any instance. Pay-as-you-go model.
Horizontal Scaling
Spinning up more instances to handle traffic load.
Vertical Scaling
Upgrading hardware capabilities of existing instances to handle traffic load.
Application Load Balancer (ALB)
For accessing an application running on multiple instances.
Sticky Sessions
Can be enabled to lock a user to the instance they first accessed. For example, User1 gets Instance5 when they first access the application. From then on, whenever they access it, they will get Instance5.
Cross-Zone Load Balancing
Makes sure load is distributed across multiple AZs.
Network Load Balancer (NLB)
Handles TCP/UDP traffic, one IP per AZ.
Gateway Load Balancer (GWLB)
Used for routing all traffic through something before hitting a 3rd party virtual security application like a firewall application hosted in AWS.
Deregistration Delay
When an EC2 instance is shutting down/becoming unhealthy, the load balancer will automatically start sending traffic to other EC2 instances.
Auto Scaling Group (ASG)
Automatically spin up/spin down number of instances to handle load of traffic.
Server Name Indication (SNI)
Hosts multiple certificates for multiple domains that are handed out by the load balancer when traffic is received. IE- User1 contacts the load balancer asking to go to www.google.com. The load balancer gets the cert for that domain and hands it to the user in the SSL handshake.
RDS (Relational Database Service)
Managed database service that uses SQL as a query language.
Amazon Aurora
Amazon’s native built-in DB, optimized for the cloud. It is multi-regional.
RDS Read Replicas
Like “imagining” a copy database so you can have more read power to your application from the database. IE - Two read replicas alongside the main database.
RDS Proxy
Across multiple AZs, instances connect to the proxy, which serves as a single point of connection to the actual DB. This is useful during times of high traffic to the database.
Amazon ElastiCache
Cache memory for DBs. Stores common queries or user session data in the cache so that the DB doesn’t need to be queried each time and the user doesn’t lose data. Requires it to be built into the code of the app to work.
Redis
Multi-AZs, read replicas for ElastiCache.
Route 53 (DNS)
Route 53 is Amazon’s “NS1”, built-in DNS service.
Public Hosted Zone
Able to be accessed by anyone, like buying a domain name online.
Private Hosted Zone
Your own, internal DNS server for you and your company only.
TTL (Time to Live)
How long clients querying your DNS server will keep the query results.
True or False: A CNAME DNS record can point to the root server.
False. IE- Can’t point to www.google.com but can point to www.app.google.com.
True or False: An “Alias” DNS record can point to the root server.
True.
Simple DNS Routing Policy
Routes to a single resource. Query can return multiple IPs. No health checks.
Weighted DNS Routing Policy
Controls the % of requests that go to each resource. IE - 70% of queries go to Instance2. Health checks enabled here.
Latency DNS Routing Policy
Routes to resource with the lowest latency. Geolocation of the user comes into play here.
Failover DNS Routing Policy
If a health check fails, the DNS server will start routing queries to another instance that is healthy.
Geolocation DNS Routing Policy
If a user comes from a specific geolocation, route them to a specific resource. IE- People in China get routed to instance 3.
Multi-Value Answer DNS Routing Policy
Returns multiple values for one query. If you define 3 values with health checks at each, can return the other values that are healthy if one fails.
Geoproximity DNS Routing Policy
For zones inside a specific country. Biases come into play here on where to route users. IE- USEAST and USWEST. 4 people evenly distributed horizontally across the US. USEAST has a bias of 50 and USWEST has a bias of 0. Even though USEAST is not closest to one of the users, they will get routed there due to the bias.
True or False: You can host your DNS domain that you bought on a third party website on AWS Route 53.
True.
AWS Elastic Beanstalk
Takes the entire configuration and allows it to be easily managed by AWS. This is meant for developers who just want to make an app, upload it, and not worry about the backend configuration.
Golden AMI
AMIs with dependencies and configurations pre-installed in them so you can quickly and easily spin up more instances to scale without having to manually configure everything yourself.
S3 Buckets
Defined at the region level, must have a globally unique name in all of the world.
S3 Objects
Have a ‘key’ which is the full file path. Max size is 5TB. Can be public or private. Private is default; public gives a URL that can be accessed from the internet.
True or False: You cannot make “Folders” within buckets.
False, you can make folders within buckets.
Multi-Part Upload
Grabbing a file larger than 5GB, splitting it into sections and uploading all sections in parallel.
Transfer Acceleration
Uploading to a nearby edge location for faster uploading. IE- A file in the US is being uploaded into a bucket in Australia. The file is uploaded to an AWS edge location and then forwarded to the S3 bucket with faster speeds and lower latency.
Byte-Ranges
For downloading files from S3. Splits large files up into sections. You download all sections in parallel faster and then you get the whole file at the end.
S3 Security: User-Based
Specific users are allowed to access this bucket.
S3 Security: Resource-Based
Bucket policies are bucket-wide rules in the form of a JSON document.
S3 Security: Encryption
You can also encrypt the objects in buckets using encryption keys.
True/False: S3 Buckets are made available to the public by default.
False, all S3 buckets are private by default.
True/False: You can host static websites on AWS S3.
True, as long as the content never changes.
At what level is S3 Versioning enabled?
Per S3 bucket.
What is S3 Versioning?
Once a file with the same name is uploaded, it gets saved as “Version 2” and the original is not overwritten. So on and so forth. Each version has a unique version ID.
S3 Replication: CRR (Cross-Region Replication)
For lower latency. When you are replicating to a bucket in a different region.
S3 Replication: SRR (Same-Region Replication)
Log aggregation between buckets, or live replication between buckets.
What is a requirement before SRR can be done?
Versioning must be enabled in both the source and destination buckets.
Name all S3 Storage Classes
Standard, Standard IA, One-Zone IA, Glacier Instant Retrieval, Glacier Flexible Retrieval, Glacier Deep Archive, Intelligent Tiering
S3 Standard Storage Class
Frequently accessed data, low latency, standard one.
S3 Standard IA Storage Class
Less frequently accessed, requires rapid access when needed. Disaster recoveries, backups.
S3 One-Zone IA Storage Class
In a single AZ for backups, disaster recoveries. Data can be destroyed if something happens to the AZ.
S3 Glacier Instant Retrieval Storage Class
Fastest retrieval option from Glacier.
What is Glacier meant for?
Cold data, infrequently used data.
S3 Glacier Flexible Retrieval Storage Class
3 Tiers for retrieval speeds.
Expedited: 1-5 minutes
Standard: 3-5 hours
Bulk: 5-12 hours (free tier)
S3 Glacier Deep Archive Storage Class
2 Tiers for retrieval speeds.
Standard: 12 hours
Bulk: 48 hours
S3 Intelligent Tiering Storage Class
AWS will automatically move files around storage classes for you based on how frequently they are accessed.
Amazon SDK
Amazon Software Development Kit
What tool would you give to a developer to make API calls from within an application without using the AWS CLI?
An Amazon SDK.
S3 Lifecycle Rules
Define the conditions that need to be met before moving an object.
S3 Transition Actions
Move xyz to Glacier storage after 30 days from creation.
S3 Expiration Actions
Delete xyz from Glacier if not used in 6 months.
True/False: S3 Lifecycle Rules can only be applied to the entire bucket.
False, they can be applied to a whole bucket or specific folders in buckets.
S3 Requester Pays
Requester pays for the access to the bucket’s data, not the bucket owner.
What other AWS service does S3 Event Notifications send events into?
AWS EventBridge
What tools would you use to select specific S3 data?
S3 Select or Glacier Select
S3 Batch Operations
Perform actions on multiple S3 buckets or objects at one time.
How many different S3 Encryption Types are there?
3
S3 Encryption: SSE-S3
Encryption handled by AWS. Server-side.
S3 Encryption: SSE-KMS
You have control over the encryption keys and audit logs for when keys get used.
S3 Encryption: SSE-C
Encryption key provided outside of AWS. AWS does not store the encryption key you provide.
Client-Side Encryption
Customer manages encryption keys and encryption cycle.
Encryption in Transit (SSL/TLS)
S3 Endpoint uses HTTPS for encrypted network traffic in flight. IE- What most websites are using anyways nowadays.
S3 CORS (Cross-Origin Resource Sharing)
Allows restricted resources like fonts to be requested from a domain other than the one the original resource was served from.
IE - You go to www.api.google.com and computer automatically asks the CORS web server for xyz of www.api2.google.com on behalf of www.api.google.com. Since CORS is enabled, it sees “where you are coming from” and gives you xyz.
S3 MFA Delete
Force MFA any time a user does an important operation on S3.
S3 Access Logs
For audit purposes, logging each time someone accesses a bucket. Can keep logs in a new S3 bucket.
S3 Pre-Signed URLs
Generate a URL that has the same user permissions as the user who generated the URL. For short-term access.
S3 Glacier Lock
Create a bucket and then Glacier Lock it so it can no longer be changed or deleted. Think of it as a sealed vault. Once you’re in, there is no getting out.
What does WORM stand for?
Write Once Read Many
S3 Object Lock
Lock on a single object within a bucket.
S3 Security - Compliance Mode
No changes or deletions can be made.
S3 Security - Governance Mode
Only root users or admin users in IAM can change or delete objects under this mode.
S3 Security - Legal Hold
Place lock on an object indefinitely, no retention period required.
What is the only S3 object/bucket mode that does not require a retention period?
Legal Hold
S3 Access Points
Access points for buckets. Think of these just like wireless AP. Connecting to the AP to connect to the bucket. Easier to manage user permissions since you can apply them to an AP and not individual users.
S3 + Lambda Use Case
Changes content of the object just before it is received. Useful for redacting sensitive data from the bucket before it reaches the endpoint or adding content before it is received.
AWS CloudFront
Content Delivery Network (CDN)
Improves read performance by utilizing edge zones around the world.
What does CloudFront do on edge locations to improve performance from S3 Buckets?
Caches the content of the bucket at the nearest edge zone for fastest performance.
Cloudfront: OAC (Origin Access Control)
Making sure the origin is the actual S3 bucket for security purposes.
How do Cache Invalidations help keep the cache that CloudFront holds current?
Cache Invalidations basically tell CloudFront that the files it has in the cache are not genuine and “forces” a sync with the bucket.
AWS Global Accelerator
Uses an anycast IP system, assigning multiple IP addresses for your server. Once a user tries to access your application from the edge, they are automatically redirected to the nearest server to them to reduce latency. This happens through edge locations so internet traffic can go through the ultra-fast AWS network.
AWS Snow Family
Portable devices that handle data offline.
AWS Snowcone
Very portable and durable, small storage capacity, has a network port to sync to AWS
AWS Snowball Edge
For large storage capacity, less durable. Can come in storage or computing power optimized.
AWS Snowmobile
A literal semi-truck, largest storage capacity.
What is Edge Computing?
Computing power on the go using the snow family of devices.
What tool do you need to utilize to connect to AWS Snow devices?
AWS OpsHub
Amazon FSx
Allows you to launch 3rd party file systems on AWS
What is a Scratch File System used for?
Temporary storage, data is not replicated or backed up.
What is a Persistent File System used for?
Long-term storage with data replication within the same AZ.
True/False: Storage Gateways are used for fully cloud environments.
False, Storage Gateways bridge on-prem storage with cloud storage in hybrid cloud environments.
AWS Transfer Family
Uses FTP to transfer files into and out of S3 or EFS
DataSync
An agent that runs on on-prem systems to automatically sync data to the cloud.
What is Decoupling Applications?
A way to set up a streamlined workflow between servers/applications.
What are the two parts of an SQS Queue?
Producer and consumer
What does a producer do in an SQS Queue?
Putting stuff into the queue.
What does a consumer do in an SQS Queue?
Pulling stuff out of the queue.
What is the Message Visibility Timeout in an SQS Queue?
30 seconds. Once a message has been received by a consumer, it is hidden from other consumers for 30 seconds because it was already received once. After 30 seconds, if it was not deleted, the message becomes visible and is “received” again.
Long Polling
When a consumer picks up a message and waits for more that are coming in before taking them all.
SQS FIFO Queue (First In, First Out)
Queue with limited throughput with message order preserved.
SNS (Simple Notification Service)
One producer sending a message to multiple consumers (also known as subscribers).
Amazon Kinesis
Makes it easy to connect, process, and analyze streaming data in real time.
Kinesis Data Streams
Capture, process, and store data streams using multiple shards.
Each piece of data in a Kinesis Data Stream has what?
A partition key
True/False: You have the ability to “replay” data in a Kinesis Data Stream
True
True/False: You can’t scale number of shards automatically in a Kinesis Data Stream.
False, you can use on-demand mode to automatically adjust the number of shards needed.
Kinesis Data Firehose
The easiest way to load streaming data into data stores and analytics tools.
Kinesis Data Analytics
Analyze data streams with SQL or Apache Flink
Kinesis Video Streams
Capture, process, and store video streams
Amazon MQ
Managed message broker service for RabbitMQ and ActiveMQ
Docker in AWS
Software development platform to deploy apps.
Amazon Elastic Container Service (ECS)
Amazon’s own container service.
Amazon Elastic Kubernetes Service (EKS)
Amazon’s managed Kubernetes.
What is Kubernetes?
An open-source system for automated deployment, scaling, and management of containerized applications.
AWS Fargate
Amazon’s own serverless container platform.
What AWS service can you use to go in conjunction with Fargate to be entirely serverless?
Fargate + EFS
Amazon ECR
Store container images on AWS
AWS App Runner
AWS Fully managed service that allows you to deploy web applications at scale
AWS Lambda
A compute service where you upload your code as a function and AWS provisions the necessary details underneath the function so that the function executes successfully.
Lambda@Edge
Running Lambda on an edge zone for lower latency
AWS DynamoDB
Fully managed DB, highly available across multiple AZs
What are the types of modes for DynamoDB?
Provisioned Mode and On-Demand Mode
DynamoDB Accelerator (DAX)
Highly available, seamless in-memory cache for DynamoDB.
DynamoDB Stream
An ordered flow of information about changes to items in an Amazon DynamoDB table.
DynamoDB Global Tables
A multi-region, multi-master replication solution for fast local performance of globally distributed apps.
AWS API Gateway
Integrates with AWS Lambda for a fully serverless experience, no infrastructure.
How many types of API Gateways are there?
3
What are the three types of API Gateways and describe them.
Edge-Optimized: Edge locations, lower latency.
Regional: Don’t use edge locations, when you expect all users to come from one region.
Private: Only accessed from within your VPC.
AWS Step Functions
Build visual workflows to orchestrate your Lambda functions.
Databases: DocumentDB
AWS’s implementation of MongoDB.
Databases: Neptune
Fully managed graph database
Databases: Keyspaces
Fully managed Apache-Cassandra compatible database service
Databases: QLDB
Ledger of financial transactions. No entry can be removed or modified.
Databases: TimeStream
Timeseries database
AWS Athena
Serverless query service to analyze S3. Uses SQL
AWS Redshift
Based on PostgreSQL and used for data warehousing, has indexes.
AWS OpenSearch
Can search across all of the database for values, even partial matches.
AWS EMR
Helps create Hadoop clusters for analysis of big data.
AWS QuickSight
Serverless machine learning service to create interactive dashboards.
AWS Glue
ETL (extract, transform, load) service used to prepare and transform data for analytics.
AWS Lake Formation
Fully managed service that sets up data lakes in days.
AWS DataLake
Central place to have all your data for analytics purposes. Stored in Amazon S3.
Access Control Column-Level Security
Can lock down access to specific data
IE- User connecting to Lake Formation can only see the data they are wanting to see.
MSK (Managed Streaming for Kafka)
Alternative to AWS Kinesis. Serverless. Fully managed Apache Kafka on AWS.
AWS ML: Amazon Lex + Connect
Lex builds chatbots, Connect is like a virtual call center.
AWS ML: Amazon Comprehend
Natural Language Processing (NLP), “feelings” of customer.
AWS ML: Amazon Comprehend Medical
Will take unstructured healthcare notes and structure them.
AWS ML: Amazon SageMaker
Fully managed service for developers to build their own ML models.
AWS ML: Amazon Kendra
Document search service that extracts answers from within document files. (PDFs, etc.)
AWS ML: Amazon Textract
Extracts text from any scanned document. Can detect handwriting, text, etc.
AWS CloudWatch Metrics
provides metrics for every service in AWS, can be presented in the form of a dashboard.
AWS CloudWatch Logs
provides logs for services in AWS. Services send logs here automatically.
AWS CloudWatch Alarms
A single alarm can be set to trigger on any metric, IE- CPU usage over 70%.
Composite Alarms
Triggering on multiple alarms. IE - If conditions meet all 3 metrics, trigger the alarm.
AWS CloudWatch Container Insights
Collect, aggregate, and summarize metrics and logs from containers.
AWS CloudWatch Lambda Insights
Collect, aggregate, and summarize metrics and logs from AWS Lambda.
AWS CloudWatch Contributor Insights
Find “Top-N” contributors from logs. (IE- EC2 with the top network usage)
AWS CloudWatch Application Insights
Automatic dashboard to troubleshoot your application and related AWS services.
AWS EventBridge
Receives events from AWS services to turn into actionable items. IE- The root user signs in, so through SNS it sends an email to you.
AWS CloudTrail
Records all API calls made within your AWS account. You can store these logs in an S3 bucket.
AWS CloudTrail Insights
Detects unusual activity in your AWS account.
AWS CloudTrail Events Retention
Events are stored for 90 days by default; to keep them longer, log them to S3 and use Athena.
AWS Config
Create rules or use AWS built-in rules to check your instance for compliance. Can pair with auto-remediation actions to re-ensure compliance
AWS KMS (Key Management Service)
Manages encryption keys.
KMS Symmetric Key Types
Single encryption key that is used to encrypt and decrypt.
KMS Asymmetric Key Types
Two keys, one public to encrypt data and one private to decrypt data.
CMK
Customer Managed Key
Multi-Region Keys
Same key replicated to multiple AWS regions. Regions will get a replica of the original, and not the actual original.
SSM Parameter Store
Secure storage for configuration and secrets. Serverless and scalable. Meant to store things used in scripts/configuration. Encrypted by default.
Think of this as a HashiCorp Vault! It stores variables/parameters that are used in scripts so they are not stored in plain text!
AWS Secrets Manager
Meant to store secrets, can rotate secrets every x days, integrated with many AWS services.
Multi-Region Secrets
Same secret replicated to multiple AWS regions. Regions get replica, not the original secret.
AWS Certificates Manager (ACM)
Manage and deploy TLS certificates
Web Application Firewall (WAF)
Protects your web application from web exploits (Layer 7). Only works with the Application Load Balancer (ALB).
AWS Shield
Protects against DDoS attacks
What service should you purchase if you need advanced DDoS protection?
AWS Shield Advanced
AWS Firewall Manager
Manage firewall rules in all accounts of an AWS organization. Set rules and automate protection of new AWS resources
AWS GuardDuty
Intelligent threat discovery to protect your AWS account. Looks at logs from different AWS services to identify suspicious behaviors.
AWS Inspector
Automated security assessments on EC2 instances, container images, and Lambda functions. Reports findings to AWS Security Hub and EventBridge.
AWS Macie
Fully managed data security and data privacy service that uses ML and pattern matching to protect your PII data in AWS
What is a VPC?
Virtual Private Cloud
CIDR
Method for allocating IP addresses within a VPC.
Internet Gateway
A horizontally scaled, redundant, and highly available VPC component that allows communication between your VPC and the internet.
Bastion Hosts
A way to SSH into our private EC2 instances. Bastion hosts are in the public subnet.
NAT (Network Address Translation) Instances
Allows EC2 instances in private subnets to connect to the internet. Outdated, deprecated.
NAT Gateway
AWS managed NAT instances, high availability since it is in one AZ.
NACL
Operates at the subnet level. Stateless, inbound and outbound rules for network traffic.
Ephemeral Ports
Connection using ports on two endpoints. The port is only opened for as long as the connection is held.
Security Group
Operates at the instance level. Inbound and outbound rules for network traffic.
What is the main difference between Security Groups and a NACL?
Security groups operate at the instance level while NACLs operate at the subnet level.
VPC Peering
Privately connect two VPCs using AWS network
VPC Endpoints
Ensure that you can connect your VPC to supported AWS services without requiring an internet gateway.
VPC Flow Logs
Capture information about IP traffic going in and out of your VPC.
VPG (Virtual Private Gateway)
The VPN endpoint on the Amazon side of your Site-to-Site VPN connection.
Customer Gateway
The customer endpoint of your Site-to-Site VPN connection.
Direct Connect (DX)
Provides a dedicated private connection from a remote network to your VPC.
Direct Connect Gateway
Set up Direct Connect to multiple VPCs.
Transit Gateway
A service that enables customers to connect their Amazon Virtual Private Clouds (VPCs) and their on-premises networks to a single gateway.
VPC Traffic Mirroring
Mirrors network traffic from an EC2 instance to a network load balancer, which distributes it to other EC2 instances running security software for analysis.
Egress Only Internet Gateway
NAT gateways for IPv6.
AWS Local Zones
Low-latency to users. Think VIDEO GAME SERVERS.
AWS CloudHSM
A cloud-based Hardware Security Module (HSM) that enables you to easily generate and use your encryption keys on the AWS Cloud.
What should you think of when you see “message broker”?
AmazonMQ
Which support plan provides 7 core checks?
Developer and basic.
What support plan provides 24x7 support?
Business and Enterprise.
Which support plan requires only one primary contact?
Developer
AWS Data Migration Service
To migrate data from on-prem to cloud.
EC2 Instance Store
High performance block storage that is attached physically to the EC2 instance.
Framework: Operational Excellence
Able to run good services within the cloud.
Framework: Cost Optimization
Able to cut costs when needed and spend the least amount of money.
Framework: Performance Efficiency
Selecting right resource types based on workload requirements
AWS CodeDeploy
A service that automates code deployments to any instance.
Cost Allocation Tag
A label that you or AWS assigns to an AWS resource. Each tag consists of a key and a value. For each resource, each tag key must be unique, and each tag key can have only one value.
True/False: AWS can generate cost allocation tags for you if you enable the feature.
True
True/False: You must activate both AWS generated tags and user-defined tags separately before they can appear in Cost Explorer or on a cost allocation report
True
What are the 5 things AWS Trusted Advisor advises you on?
Cost Optimization, Performance, Security, Fault Tolerance, Service Limits.
What 3 budget types can be created using AWS budgets?
Cost, Usage, Reservation
Databases: Which AWS service can be used for online analytical processing?
Amazon Redshift
Compared to the On-demand prices, what is the highest possible discount offered for reserved instances?
72%
AWS Cost Explorer
An easy-to-use interface that lets you visualize, understand, and manage your AWS costs and usage over time.
AWS Cost and Usage Reports
Contains the most comprehensive set of cost and usage data available.
What is the primary benefit of read replicas?
Improves database scalability
True/False: CloudWatch billing is stored in whatever region the resource is made in.
False. CloudWatch billing is consolidated to the us-east-1 region and includes all global resources.
True/False: EFS are able to be used by EC2 instances regardless of AZ, VPC, or region.
True
AWS VPN
Establish secure connections between on-premises networks, remote offices, client devices, and the AWS global network.
What AWS service can be used for message brokering?
AmazonMQ
AWS Service Quotas
Enables you to view and manage your quotas for AWS services from a central location.
Which AWS support plan provides access to a designated Technical Account Manager (TAM)?
Enterprise
What service would you use to set up consolidated billing?
AWS Organizations
What are the 6 Pillars of the AWS Well-Architected Framework?
operational excellence, security, reliability, performance efficiency, cost optimization and sustainability
What support class features a 1 hour response time?
Enterprise.
AWS Compute Optimizer gives advice on what 3 AWS services?
EC2, EBS volumes, and Lambda functions.
Pay by _____ for EC2 On-Demand instances.
Pay by second
What is an example of a PaaS (Platform as a service)?
Elastic Beanstalk
AWS Personal Health Dashboard
Shows how AWS service outages are affecting your specific services.
AWS Systems Manager
Allows you to centralize operational data from multiple AWS services and automate tasks across your AWS resources.
True/False: Route53 can do health checks.
True
Where does a VPC span?
Across all AZs within ONE region.
IAM Access Advisor
Access advisor shows the service permissions granted to a user and when those services were last accessed.
AWS Quick Starts
Quick Starts are built by AWS solutions architects and partners to help you deploy popular technologies on AWS
Amazon CodeGuru
A developer tool that provides intelligent recommendations to improve code quality and identify an application’s most expensive lines of code.
AWS X-Ray
Helps developers analyze and debug production code.
AWS Cloud Development Kit (CDK)
AWS Cloud Development Kit (AWS CDK) is an open-source software development framework to define your cloud application resources using familiar programming languages. Infrastructure as code.
When integrating identity management with a service like AD, what do you need to configure on the backend of AWS for it to work with your users?
IAM Roles and IAM Policies. You do NOT need to create a user base if you are using a 3rd party identity provider.
True/False: To increase database performance, you should use partition keys with low cardinality, which have few distinct values for each item.
False: You should be using partition keys with high cardinality, which have a large number of distinct values for each item.
What metric is not built into CloudWatch?
Memory utilization
True/False: You can create custom metrics on CloudWatch.
True!
True/False: CloudWatch is enabled by default and free of charge.
False, you need to enable this paid service.
What tool can you enable to make Redis more secure? This would require users to enter a password before they are granted permission to execute Redis commands.
Redis AUTH.
What tool would you use to manage database credentials and access from IAM?
IAM DB Authentication
When restricting traffic to a single IP address, what should the CIDR end with?
/32
What service allows you to share resources between multiple AWS accounts?
AWS Resource Access Manager (RAM)
If an ASG is scaling in, which EC2 instance gets terminated first?
With the default termination policy: first the AZ with the most instances is chosen, then within it the instance using the oldest launch template or launch configuration, then the instance closest to the next billing hour, then one at random.
What service automates snapshots of EBS on a regular basis?
Amazon Data Lifecycle Manager
What service would you use to implement a 90-day backup retention policy for AWS Aurora?
AWS Backup
AWS Security Token Service (STS)
Provides temporary security credentials (access key ID, secret access key and session token) that expire after a set time. Used when assuming an IAM role or federating outside users into AWS.
What database option has a flexible schema?
DynamoDB
Which relational database option can be made globally available across regions?
Amazon Aurora (Aurora Global Database). It replicates to secondary regions with typically under 1 second of lag, for fast cross-region disaster recovery.
True/False: ElastiCache requires the code of the application to change.
True. The application must be written to read from and write to the cache; ElastiCache is not transparent to existing code.
IAM Role
Acts as a “proxy” for permissions.
IE - A role says you can access an S3 bucket. A user or service that assumes the role temporarily gets all the permissions attached to that role.
True/False: To trigger automation rules with EventBridge, you need a policy that lets EventBridge act on the target resource.
True. The target needs a resource-based policy that allows EventBridge to invoke it (e.g. Lambda, SNS, SQS), or EventBridge uses an IAM role to act on targets that don't support resource-based policies.
Amazon Pinpoint
Scalable inbound/outbound marketing communications service
SSM Session Manager
The SSM agent runs on EC2 or on-prem instances (Linux, macOS and Windows). Gives shell access through the console or CLI with no inbound ports (no port 22), no bastion host and no SSH keys to manage; access is controlled with IAM and sessions can be logged to CloudWatch Logs or S3.
AWS AppFlow
Fully managed integration service that transfers data from third party apps into AWS.
IE- Transfer data from Slack to an S3 bucket.
What service would you use to enable patching automation across multiple resources to ensure compliance?
AWS Systems Manager
What is Parameter Store?
Part of AWS Systems Manager. A hierarchical store for configuration data and secrets (DB strings, license keys, passwords) that applications fetch at runtime instead of hardcoding them in scripts; SecureString parameters are encrypted with KMS.
If you are trying to separate costs across departments or accounts, what should you utilize to help you do it?
Cost allocation tags (e.g. a department tag on each resource), which Cost Explorer and the cost and usage reports can group by.
Which decoupling service sends and receives messages?
SQS. Producers send messages to the queue and consumers poll and receive them, so the two sides never talk to each other directly.
What tool would you utilize to see a “Cost Savings Plan” in AWS?
AWS Cost Explorer
What is the difference between AWS Pricing Calculator and AWS Cost Explorer?
AWS Pricing Calculator gives prospective users a ballpark estimate of what a planned workload will cost before they commit to AWS. AWS Cost Explorer analyzes the actual spend of an account that is ALREADY using AWS services, with filtering, grouping and forecasts.
What AWS Service lets you connect IoT devices to the AWS cloud without the need to provision or manage servers?
AWS IoT Core
What AWS Service can make desktop applications available in browsers for users?
Amazon AppStream 2.0
AWS Outposts
a fully managed service that offers the same AWS infrastructure, AWS services, APIs, and tools to virtually any data center, co-location space, or on-premises facility for a truly consistent hybrid experience
Amazon WorkSpaces
a fully managed Desktop-as-a-Service (DaaS): virtual Windows or Linux desktops in AWS that users access from any supported device, so no desktop hardware has to be bought or patched on-prem.
CloudEndure Disaster Recovery
available from the AWS Marketplace, continuously replicates server-hosted applications and databases from any source into AWS by replicating the underlying server. Works with physical, virtual or cloud source servers.
Route Table
contains a set of rules, called routes, that are used to determine where network traffic from your VPC is directed
As part of a flexible pricing model, AWS offers two types of Savings Plans. What are the Savings Plans from AWS?
Compute Savings Plans, EC2 Instance Savings Plans
True/False: You can assign elastic IPs to ALBs.
False. You can only assign elastic IPs to NLBs. (Network Load Balancer).
Gateway Endpoint
a type of VPC endpoint that provides reliable connectivity to Amazon S3 and DynamoDB without requiring an internet gateway or a NAT device for your VPC.
Endpoint Policy
When you create a Gateway endpoint, you can attach an endpoint policy that controls access to the service to which you are connecting
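As an added example (not AWS code and not from the original flashcards), here is a constructed gateway endpoint policy for S3 together with a simplified evaluator that applies the IAM rules: an explicit Deny always wins, an Allow is needed for anything else, and no match is an implicit deny. The bucket name `example-app-bucket` is a placeholder. The endpoint policy never grants more than the caller's own identity policy allows; it only narrows what can transit the endpoint.

```python
"""Added example (not AWS code): a simplified evaluator for a gateway endpoint
policy, showing how the policy narrows what traffic through the endpoint may do."""
import fnmatch

# Constructed endpoint policy: only object reads and writes to one placeholder
# bucket may transit the endpoint, and nothing may overwrite its config/ prefix.
ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-app-bucket/*",
        },
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::example-app-bucket/config/*",
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches_action(patterns, action):
    # IAM action names are case-insensitive and support '*' and '?' wildcards.
    # fnmatch also accepts [..] classes, which IAM does not: a simplification here.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _matches_resource(patterns, resource):
    # Resource ARNs are case-sensitive.
    return any(fnmatch.fnmatchcase(resource, p) for p in _as_list(patterns))


def endpoint_allows(policy, action, resource):
    """Explicit Deny beats Allow; no matching statement is an implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if _matches_action(stmt["Action"], action) and _matches_resource(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


if __name__ == "__main__":
    bucket = "arn:aws:s3:::example-app-bucket"
    for action, key in [("s3:GetObject", "data/file.txt"),
                        ("s3:PutObject", "config/app.yaml"),
                        ("s3:DeleteObject", "data/file.txt")]:
        print(action, key, "->", endpoint_allows(ENDPOINT_POLICY, action, f"{bucket}/{key}"))
```

Note that `s3:DeleteObject` is refused without any Deny statement: it simply never matches an Allow, which is the implicit deny that makes an endpoint policy a useful exfiltration control (a compromised instance in the private subnet cannot reach other buckets through this endpoint).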
How would you load balance gRPC (Remote Procedure Call) traffic?
Create an Application Load Balancer and select gRPC as the protocol version
To host a static website in Amazon S3, what do you need configured on the S3 bucket end and in Route 53?
The bucket name must match the domain name (the bucket for example.com is named example.com), static website hosting must be enabled on the bucket, and Route 53 needs an alias record pointing the domain at the S3 website endpoint.
True/False: Once you configure an EBS storage volume, you cannot change the hardware configuration.
False. EBS volumes support live configuration changes while in production which means that you can modify the volume type, volume size, and IOPS capacity without service interruptions.
Which record types would you use to point a domain at the DNS name of an Application Load Balancer?
Alias "A" records (IPv4) and alias "AAAA" records (IPv6), since the ALB has a DNS name rather than a fixed IP.
AWS Proton
allows you to deploy any serverless or container-based application with increased efficiency, consistency, and control.
Is Kubernetes open-source?
Yes
True/False: You can set a priority to individual items in the SQS queue.
False, you cannot set a priority to individual items in an SQS queue. If you need to set a priority to a certain type of request, you need to create multiple SQS queues.
AWS Data Pipeline
a web service that helps you reliably process and move data between different AWS compute and storage services, as well as on-premises data sources, at specified intervals
AWS AppSync
creates serverless GraphQL and Pub/Sub APIs that simplify application development through a single endpoint
AWS Wavelength
embeds AWS compute and storage services within 5G networks
AWS Device Farm
an application testing service that lets you improve the quality of your web and mobile apps by testing them across an extensive range of desktop browsers and real mobile devices
AWS Amplify
a complete solution that lets frontend web and mobile developers easily build, ship, and host full-stack applications on AWS. KEYWORD: Full-stack apps
Can CloudFront be used as a tool to mitigate DDoS attacks?
Yes. It serves static and dynamic content from edge locations, absorbing and spreading request load so that far less of it reaches the origin, and it integrates with AWS Shield and AWS WAF.
In CloudFormation, what policy would you put in place that would “wait” until one service is configured before moving to the next?
CreationPolicy
Within NACLs, when using ordered rules, when does the rule testing stop?
Once a match is found. If a match is found on Rule #2, any rules after that do not go through the matching process.
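As an added example (not from the original flashcards), the first-match evaluation described above, written out in Python against a constructed inbound NACL. It also covers the earlier /32 card: the `is_single_host` check confirms that a /32 (or IPv6 /128) covers exactly one address. The rule numbers, CIDRs and ports are invented for the example; the point it demonstrates is that a deny placed after a broader allow is never reached.

```python
"""Added example (not from the original flashcards): first-match evaluation of
ordered network ACL rules, plus the single-host CIDR check."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NaclRule:
    number: int      # rule number; lower numbers are evaluated first
    protocol: str    # "tcp", "udp" or "all"
    port_from: int   # inclusive port range (ignored when protocol is "all")
    port_to: int
    cidr: str        # source CIDR for an inbound rule
    action: str      # "allow" or "deny"


# Constructed inbound NACL: rule 100 denies one host BEFORE rule 200 allows its /24.
INBOUND_RULES = [
    NaclRule(100, "tcp", 22, 22, "203.0.113.7/32", "deny"),
    NaclRule(200, "tcp", 22, 22, "203.0.113.0/24", "allow"),
    NaclRule(300, "tcp", 443, 443, "0.0.0.0/0", "allow"),
]

# Same rules with the numbers swapped: the broad allow now matches first, so the
# host-specific deny is shadowed and never evaluated.
SHADOWED_RULES = [
    NaclRule(100, "tcp", 22, 22, "203.0.113.0/24", "allow"),
    NaclRule(200, "tcp", 22, 22, "203.0.113.7/32", "deny"),
    NaclRule(300, "tcp", 443, 443, "0.0.0.0/0", "allow"),
]


def rule_matches(rule, protocol, port, src_ip):
    """True when the packet's protocol, port and source address all fit the rule."""
    if rule.protocol != "all" and rule.protocol != protocol:
        return False
    if rule.protocol != "all" and not (rule.port_from <= port <= rule.port_to):
        return False
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.cidr, strict=False)


def evaluate_nacl(rules, protocol, port, src_ip):
    """Return 'allow' or 'deny'. Rules are walked in ascending number order and
    evaluation stops at the first match; the implicit '*' rule denies the rest."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_matches(rule, protocol, port, src_ip):
            return rule.action
    return "deny"


def is_single_host(cidr):
    """A /32 (IPv4) or /128 (IPv6) CIDR covers exactly one address."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses == 1


if __name__ == "__main__":
    print("ordered:  ", evaluate_nacl(INBOUND_RULES, "tcp", 22, "203.0.113.7"))
    print("shadowed: ", evaluate_nacl(SHADOWED_RULES, "tcp", 22, "203.0.113.7"))
    print("/32 single host:", is_single_host("203.0.113.7/32"))
```

Because NACLs are stateless and first-match, the order of rule numbers is part of the security policy: a review that only checks which rules exist, without checking their numbers, can miss a deny that is unreachable.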
Origin Shield in CloudFront is primarily used for what?
Reducing load on your origin. It adds a centralized caching layer between the edge caches and the origin, so more requests are served from cache (higher cache hit ratio, fewer origin fetches, and duplicate requests for the same object are collapsed).
What is provisioned capacity for expedited retrievals?
Guarantees that expedited retrieval throughput is available when you need it. Each unit of provisioned capacity provides at least three expedited retrievals every five minutes and up to 150 MB/s of retrieval throughput.
What are expedited retrievals for S3 Glacier?
allow you to quickly access your data when occasional urgent requests for a subset of archives are required
True/False: You can enable the hibernation option on an EC2 instance after it has been launched.
False, you must do it when you first create the EC2 instance.
Elastic Fabric Adapter
a network device that you can attach to your Amazon EC2 instance to accelerate High Performance Computing (HPC) and machine learning applications.
Each subnet maps to what?
One availability zone.
Amazon S3 server access logs
provide detailed records for the requests that are made to an S3 bucket.
NAT Gateways belong in public or private subnets?
Public subnets, as they allow instances in the private subnets to connect out without exposing them to the internet.
What are the enhanced monitoring metrics that Amazon CloudWatch gathers from Amazon RDS DB instances?
OS-level metrics from an agent on the DB host: CPU, memory, file system and disk I/O, plus the process list (RDS processes, RDS child processes, and OS processes).
What kind of queue does not allow for duplicates messages?
FIFO Queue
What volume type is the cheapest for EBS storage volumes?
Cold HDD (sc1) has the lowest price per GB of the current-generation types (for infrequently accessed, throughput-oriented data); the previous-generation Magnetic (standard) type costs more per GB than sc1.
What part of a Direct Connect connection is on the on-prem side?
The customer (or partner) router at the Direct Connect location, cross-connected to the AWS Direct Connect endpoint on the AWS side; from that router a private circuit runs to your on-prem network.
Standby Replica
A standby replica is a replica of the primary database that can AUTOMATICALLY become the primary one if the main one goes down.
RAID1 is for what?
Data mirroring
What prevents a Lambda function from getting "stuck"?
The maximum execution time (timeout), a limit on how long a single invocation may run (up to 15 minutes).
When it is reached the invocation is terminated, so a hung function cannot run forever.
Which database option handles highly transactional workloads (OLTP)?
Amazon Aurora
What kind of health checks can each load balancer perform?
ALB: HTTP and HTTPS health checks (Layer 7)
NLB: TCP, HTTP and HTTPS health checks (Layer 4 load balancer; UDP listeners are still health-checked over TCP, HTTP or HTTPS)
What are the target types for Application Load Balancers?
Instance, IP, Lambda (ECS tasks register as instance or IP targets)
What are the target types for Network Load Balancers?
Instance, IP, Application Load Balancer