AWS SAA Flashcards
AWS Organizations
Main account is the management account, all other accounts are members of the organization.
OUs for departments IE- Finance, Devs, etc.
SCP (Security Control Policies)
Security policies that restrict what services accounts can access.
Amazon Cognito
Gives users an identity to interact with a web or mobile app hosted on AWS. Database of users for your web app.
AWS IAM Identity Center
SSO for your AWS users in IAM. Can connect to a 3rd party IdP.
AWS Control Tower
Easily set up a secure and compliant multi-account environment in AWS based on best practices. IE- Kinda like AWS Config but for IAM.
EC2 User Data
You can input a bash script when launching the instance. Upon launching of the instance, the bash script will be run as root on the new instance.
EC2 Security Groups
Security groups control your inbound and outbound traffic to the instance.
EC2 Instance (On-Demand)
Short workloads, pay by second.
EC2 Instance (Reserved (1&3 Years))
Long workloads, you can rent for 1-3 years.
EC2 Instance (Savings Plans (1&3 Years))
Commitment to an amount of usage, like reserved but committed.
EC2 Instance (Spot Instances)
Short workloads, auction house instances, can lose at any time if the price rises.
EC2 Instance (Dedicated Hosts)
Book an entire physical server, get control over instance placement. Allows you to use existing software licenses.
EC2 Instance (Dedicated Instances)
No other customer will share your hardware, book an entire instance in the data center.
EC2 Instance (Spot Fleet)
Have continuously running spot instances based on predefined configuration templates. If one of the instances gets deleted due to cost, another one will attempt to spin up if pricing works out. Set and forget type of configuration.
EC2 Networking (Private IP)
IP address in the data center’s network.
EC2 Networking (Public IP)
IP address facing the internet.
EC2 Networking (Elastic IP)
IP you can assign to an instance to have the same public IP even if the instance is stopped and started again. Think of this like a DHCP lease but for AWS.
EC2 Cluster Placement Group
Single AZ, all on the same rack in close proximity.
EC2 Spread Placement Group
Spreads instances across the same set of underlying hardware. Different AZs but all running the same application. Reliability is good because if one rack goes down, we can switch to the other racks in the other AZs. Limited to 7 instances per AZ.
EC2 Partition Placement Group
Each partition is a different rack, many instances on one partition. Reliability is good because they are all on different racks/partitions. This is the best for large scale (100s of instances). These instances do not share hardware. Each partition is isolated from failure from the others.
ENI (Elastic Network Interface)
Virtual network cards that are “attached to instances”. Used to assign elastic IPs to the instance it is attached to.
EBS (Elastic Block Store)
A virtual drive that you can attach to one instance. It is locked to one AZ. Think of as “network USB sticks”. You must define the capacity size of this type of storage and you pay for the whole thing.
EFS (Elastic File System)
Managed network file system that can be mounted to many instances at the same time. Can be used in any AZ, on any instance. Pay-as-you-go model.
Horizontal Scaling
Spinning up more instances to handle traffic load.
Vertical Scaling
Upgrading hardware capabilities of existing instances to handle traffic load.
Application Load Balancer (ALB)
For accessing an application running on multiple instances.
Sticky Sessions
Can be enabled to lock an instance to a user trying to access. For example, User1 gets Instance5 when they first access the application. From now on, whenever they access, they will get Instance5.
Cross-Zone Load Balancing
Makes sure performance is distributed across multiple AZs.
Network Load Balancer (NLB)
Handles TCP/UDP traffic, one IP per AZ.
Gateway Load Balancer (GWLB)
Used for routing all traffic through something before hitting a 3rd party virtual security application like a firewall application hosted in AWS.
Deregistration Delay
When an EC2 instance is shutting down/becoming unhealthy, the load balancer will automatically start sending traffic to other EC2 instances.
Auto Scaling Group (ASG)
Automatically spin up/spin down number of instances to handle load of traffic.
Server Name Indication (SNI)
Hosts multiple certificates for multiple domains that are handed out by the load balancer when traffic is received. IE- User1 contacts the load balancer asking to go to www.google.com. The load balancer gets the cert for that domain and hands it to the user in the SSL handshake.
RDS (Relational Database Service)
Managed database service that uses SQL as a query language.
Amazon Aurora
Amazon’s native built-in DB, optimized for the cloud. It is multi-regional.
RDS Read Replicas
Like “imaging” a copy of the database so you can have more read power to your application from the database. IE - Two read replicas alongside the main database.
RDS Proxy
Across multiple AZs, instances will connect to the proxy, which serves as a single point of connection to the actual DB. This is useful during times of high traffic requests to the database.
Amazon ElastiCache
Cache memory for DBs. Stores common queries or user session caches on the cache so that the DB doesn’t need to be queried each time / the user doesn’t lose data. Requires it to be built into the code of the app to work.
Redis
Multi-AZs, read replicas for ElastiCache.
Route 53 (DNS)
Route 53 is Amazon’s “NS1”, built-in DNS service.
Public Hosted Zone
Able to be accessed by anyone, like buying a domain name online.
Private Hosted Zone
Your own, internal DNS server for you and your company only.
TTL (Time to Live)
How long clients querying your DNS server will keep the query results.
True or False: A CNAME DNS record can point to the root server.
False. IE- Can’t point to www.google.com but can point to www.app.google.com.
True or False: An “Alias” DNS record can point to the root server.
True.
Simple DNS Routing Policy
Routes to a single resource. Query can return multiple IPs. No health checks.
Weighted DNS Routing Policy
Controls the % of requests that go to each resource. IE - 70% of queries go to Instance2. Health checks enabled here.
Latency DNS Routing Policy
Routes to resource with the lowest latency. Geolocation of the user comes into play here.
Failover DNS Routing Policy
If a health check fails, the DNS server will start routing queries to another instance that is healthy.
Geolocation DNS Routing Policy
If a user comes from a specific geolocation, route them to a specific resource. IE- People in China get routed to instance 3.
Multi-Value Answer DNS Routing Policy
Returns multiple values for one query. If you define 3 values with health checks at each, can return the other values that are healthy if one fails.
Geoproximity DNS Routing Policy
For zones inside a specific country. Biases come into play here on where to route users. IE- USEAST and USWEST. 4 people evenly distributed horizontally across the US. USEAST has a bias of 50 and USWEST has a bias of 0. Even though USEAST is not closest to one of the users, they will get routed there due to the bias.
True or False: You can host your DNS domain that you bought on a third party website on AWS Route 53.
True.
AWS Elastic Beanstalk
Takes the entire configuration and allows it to be easily managed by AWS. This is meant for developers who just want to make an app, upload it, and not worry about the backend configuration.
Golden AMI
AMIs with dependencies and configurations pre-installed in them so you can quickly and easily spin up more instances to scale without having to manually configure everything yourself.
S3 Buckets
Defined at the region level, must have a globally unique name in all of the world.
S3 Objects
Have a ‘key’ which is the full file path. Max size is 5TB. Can be public or private. Private is default, public gives a URL that can be accessed from the internet.
True or False: You cannot make “Folders” within buckets.
False, you can make folders within buckets.
Multi-Part Upload
Grabbing a file larger than 5GB, splitting it into sections and uploading all sections in parallel.
Transfer Acceleration
Uploading to a nearby edge location for faster uploading. IE- File in US trying to upload it into a bucket in Australia. The file will be uploaded to an AWS edge location and then uploaded to the S3 bucket with faster speeds and lower latency.
Byte-Ranges
For downloading files from S3. Splits large files up into sections. You download all sections in parallel, which is faster, and then you get the whole file at the end.
S3 Security: User-Based
Specific users are allowed to access this bucket.
S3 Security: Resource-Based
Bucket policies are bucket-wide rules in the form of a JSON document.
S3 Security: Encryption
You can also encrypt the objects in buckets using encryption keys.
True/False: S3 Buckets are made available to the public by default.
False, all S3 buckets are private by default.
True/False: You can host static websites on AWS S3.
True, as long as the content never changes.
At what level is S3 Versioning enabled?
Per S3 bucket.
What is S3 Versioning?
Once a file with the same name is uploaded, it gets saved as “Version 2” and the original is not overwritten. So on and so forth. Each version has a unique version ID.
S3 Replication: CRR (Cross-Region Replication)
For lower latency. When you are replicating to a bucket in a different region.
S3 Replication: SRR (Same-Region Replication)
Log aggregation between buckets, or live replication between buckets.
What is a requirement before SRR can be done?
Versioning must be enabled in both the source and destination buckets.
Name all S3 Storage Classes
Standard, Standard IA, One-Zone IA, Glacier Instant Retrieval, Glacier Flexible Retrieval, Glacier Deep Archive, Intelligent Tiering
S3 Standard Storage Class
Frequently accessed data, low latency, standard one.
S3 Standard IA Storage Class
Less frequently accessed, requires rapid access when needed. Disaster recoveries, backups.
S3 One-Zone IA Storage Class
In a single AZ for backups, disaster recoveries. Data can be destroyed if something happens to the AZ.
S3 Glacier Instant Retrieval Storage Class
Fastest retrieval option from Glacier.
What is Glacier meant for?
Cold data, infrequently used data.
S3 Glacier Flexible Retrieval Storage Class
3 Tiers for retrieval speeds.
Expedited: 1-5 minutes
Standard: 3-5 hours
Bulk: 5-12 hours (free tier)
S3 Glacier Deep Archive Storage Class
2 Tiers for retrieval speeds.
Standard: 12 hours
Bulk: 48 hours
S3 Intelligent Tiering Storage Class
AWS will automatically move files around storage classes for you based on how frequently they are accessed.
Amazon SDK
Amazon Software Development Kit
What tool would you give to a developer to make API calls from within an application without using the AWS CLI?
An Amazon SDK.
S3 Lifecycle Rules
Define the conditions that need to be met before moving an object.
S3 Transition Actions
Move xyz to Glacier storage after 30 days from creation.
S3 Expiration Actions
Delete xyz from Glacier if not used in 6 months.
True/False: S3 Lifecycle Rules can only be applied to the entire bucket.
False, they can be applied to a whole bucket or specific folders in buckets.
S3 Requester Pays
Requester pays for the access to the bucket’s data, not the bucket owner.
What other AWS service does S3 Event Notifications send events into?
AWS EventBridge
What tools would you use to select specific S3 data?
S3 Select or Glacier Select
S3 Batch Operations
Perform actions on multiple S3 buckets or objects at one time.
How many different S3 Encryption Types are there?
3
S3 Encryption: SSE-S3
Encryption handled by AWS. Server-side.
S3 Encryption: SSE-KMS
You have control over the encryption keys and audit logs for when keys get used.
S3 Encryption: SSE-C
Encryption key provided outside of AWS. AWS does not store the encryption key you provide.
Client-Side Encryption
Customer manages encryption keys and encryption cycle.
Encryption in Transit (SSL/TLS)
S3 Endpoint uses HTTPS for encrypted network traffic in flight. IE- What most websites are using anyways nowadays.
S3 CORS (Cross-Origin Resource Sharing)
Allows sharing of restricted resources like fonts to be requested from another domain outside the original domain of where the first resource was shared from.
IE - You go to www.api.google.com and computer automatically asks the CORS web server for xyz of www.api2.google.com on behalf of www.api.google.com. Since CORS is enabled, it sees “where you are coming from” and gives you xyz.
S3 MFA Delete
Force MFA any time a user does an important operation on S3.
S3 Access Logs
For audit purposes, logging each time someone accesses a bucket. Can keep logs in a new S3 bucket.
S3 Pre-Signed URLs
Generate a URL that has the same user permissions as the user who generated the URL. For short-term access.
S3 Glacier Lock
Create a bucket and then Glacier Lock it so it can no longer be changed or deleted. Think of it as a sealed vault. Once you’re in, there is no getting out.
What does WORM stand for?
Write Once Read Many
S3 Object Lock
Lock on a single object within a bucket.
S3 Security - Compliance Mode
No changes or deletions can be made.
S3 Security - Governance Mode
Only root users or admin users in IAM can change or delete objects under this mode; everyone else cannot.
S3 Security - Legal Hold
Place lock on an object indefinitely, no retention period required.
What is the only S3 object/bucket mode that does not require a retention period?
Legal Hold
S3 Access Points
Access points for buckets. Think of these just like a wireless AP. Connecting to the AP to connect to the bucket. Easier to manage user permissions since you can apply them to an AP and not individual users.
S3 + Lambda Use Case
Changes content of the object just before it is received. Useful for redacting sensitive data from the bucket before it reaches the endpoint or adding content before it is received.
AWS CloudFront
Content Delivery Network (CDN)
Improves read performance by utilizing edge zones around the world.
What does CloudFront do on edge locations to improve performance from S3 Buckets?
Caches the content of the bucket at the nearest edge zone for fastest performance.
Cloudfront: OAC (Origin Access Control)
Making sure the origin is the actual S3 bucket for security purposes.
How does Cache Invalidations help keep the cache that CloudFront holds current?
Cache Invalidations basically tell CloudFront that the files it has in the cache are not genuine and “forces” a sync with the bucket.
AWS Global Accelerator
Uses an anycast IP System, assign multiple IP Addresses for your server. Once a user tries to access your application from the edge, they are automatically redirected to the nearest server to them to reduce latency. This happens through edge locations so internet traffic can go through the ultra-fast AWS network.
AWS Snow Family
Portable devices that handle data offline.
AWS Snowcone
Very portable and durable, small storage capacity, has a network port to sync to AWS.
AWS Snowball Edge
For large storage capacity, less durable. Can come in storage or computing power optimized.
AWS Snowmobile
A literal semi-truck, largest storage capacity.
What is Edge Computing?
Computing power on the go using the snow family of devices.
What tool do you need to utilize to connect to AWS Snow devices?
AWS OpsHub
Amazon FSx
Allows you to launch 3rd party file systems on AWS.
What is a Scratch File System used for?
Temporary storage, data is not replicated or backed up.
What is a Persistent File System used for?
Long-term storage with data replication within the same AZ.
True/False: Storage Gateways are used for fully cloud environments.
False, Storage Gateways bridge on-prem storage with cloud storage in hybrid cloud environments.
AWS Transfer Family
Uses FTP to transfer files into and out of S3 or EFS.
DataSync
An agent that runs on on-prem systems to automatically sync data to the cloud.
What is Decoupling Applications?
A way to set up a streamlined workflow between servers/applications.
What are the two parts of an SQS Queue?
Producer and consumer
What does a producer do in an SQS Queue?
Putting stuff into the queue.
What does a consumer do in an SQS Queue?
Pulling stuff out of the queue.
What is the Message Visibility Timeout in an SQS Queue?
30 seconds. Once a message has been received by a consumer, it cannot be seen by other consumers for 30 seconds, since it was already received once. After 30 seconds, the message is “received” again if it was not deleted.
Long Polling
When a consumer picks up a message and waits for more that are coming in before taking them all.
SQS FIFO Queue (First In, First Out)
Queue with limited throughput with message order preserved.
SNS (Simple Notification Service)
One producer sending a message to multiple consumers (also known as subscribers).
Amazon Kinesis
Makes it easy to connect, process, and analyze streaming data in real time.
Kinesis Data Streams
Capture, process, and store data streams using multiple shards.
Each piece of data in a Kinesis Data Stream has what?
A partition key
True/False: You have the ability to “replay” data in a Kinesis Data Stream.
True.