AWS solutions architect flash cards

1
Q

CORS (Cross Origin Resource Sharing)

A

Way to integrate applications. Provides a way for a client web app loaded in one domain to interact with resources in another. For example, your app uses a public front-end library. CORS lets the client browser check with the third-party server whether the request is legitimate before data is transferred.

2
Q

Server Errors (e.g. 404)

A

4xx - Client
5xx - Server

400 - Bad Request (Generic)
403 - Access Denied
429 - Throttling
502 - Bad Gateway
503 - Unavailable Service
504 - Timeout

B.A.T B.U.T

3
Q

Kinesis Data Streams

A

Kinesis - Scalable streaming

Data Streams:
Basic entity of Kinesis, 24 hour moving window of data. Multiple producers, multiple consumers, has shards (1mb ingestion, 2mb consumption).

4
Q

Kinesis Firehose

A

ALLOWS PERSISTENCE - you write to S3 or another store (Redshift, OpenSearch, third-party destinations such as Splunk).

Service to load data for data lakes, data stores, and analytics.

Transformation with lambda.

Reads from Data Streams, or has data passed to it directly.

5
Q

Kinesis Data Analytics

A

Takes input from Firehose or Data Streams; destinations are the same as Firehose. SQL processing, good for real-time dashboards and metrics.

6
Q

Kinesis video streams

A

Ingests live video feeds.

7
Q

Cognito

A

User pool:
Authentication. Users sign in through the user pool or federate through an identity provider (IdP).

Identity Pool:

Authorization. Lets you grant access via temporary credentials; Cognito assumes an IAM role defined in the identity pool.

Cognito - near unlimited scale, good with web apps.

8
Q

Glue

A

Serverless Extract-Transform-Load (ETL) service. Moves and transforms data between source and destination.

Crawls data and builds a regional data catalogue (RDS, DynamoDB, S3).

9
Q

MQ

A

Merge of SNS and SQS, but using industry standards. Provides queues and topics.

NOT PUBLIC.

10
Q

Appflow

A

Exchange data between apps (connectors) using flows. Look for the SaaS keyword.

11
Q

Macie

A

Amazon Macie is a security service that uses machine learning to automatically discover, classify and protect sensitive data.

12
Q

Lambda SnapStart

A

Use Lambda SnapStart for Java to reduce cold start time without provisioning additional resources or implementing complex performance optimizations.

13
Q

Lambda concurrency.

A

Concurrency is the number of in-flight requests that your function is currently handling. There are two kinds: reserved and provisioned concurrency. Provisioned concurrency is useful for reducing cold start latencies for functions. Reserved concurrency is useful for ensuring that your most critical functions always have enough concurrency to work.

14
Q

Aurora Capacity Units

A

ACU - About 2 gibibytes (GiB) of memory, corresponding CPU, and networking. With Aurora Serverless v2, your starting capacity can be as small as 0.5 ACU, and the maximum capacity supported is 128 ACU.

15
Q

Cloudfront Distribution, Edge Location, and Regional Edge Cache

A

Distribution: unit of configuration.
Edge Location: local cache of data.
Regional Edge Cache: larger version of an edge location; provides another caching layer.

16
Q

Process on a cache miss?

A

Edge Cache -> Regional Cache -> Origin fetch.

17
Q

ACM

A

AWS Certificate Manager, integrates with CloudFront. It allows deployment of certificates onto supported AWS services such as CloudFront and ALB, NOT EC2.

ALB - THE CERT MUST BE IN THE SAME REGION

CLOUDFRONT - CERT IN US-EAST-1

18
Q

Does CloudFront do write caching?

A

No

19
Q

When to USE NLB over ALB?

A

When to use NLB:

Static IP for whitelisting
Fastest performance
Unbroken encryption
Private link
Non-HTTP or non-HTTPS

20
Q

CloudFront Behaviours

A

A lot of important configuration for distributions. Origins are linked to behaviours, which are in turn linked to the distribution.

Every distribution has a default behaviour.

Custom behaviours can be added; they are configured using a path pattern.

21
Q

What do behaviours control?

A

Caching controls and restricting viewer access.

22
Q

CloudFront TTL and invalidations

A

Default TTL - 24 hr (defined in behaviours).
Min and max TTL can also be set.

23
Q

TTL headers

A

Cache-Control max-age (seconds)
Cache-Control s-maxage (seconds)

The two above are the same thing.

Expires (Date and Time)

Custom Origin or S3 (via object metadata)

24
Q

Cache Invalidation

A

Performed on the distribution, to all edge locations; takes time.

25
Q

Viewer and Origin protocols

A

The SSL connections between the viewer and the CloudFront distribution, and between the CloudFront distribution and the origin, respectively. Both need PUBLIC certs; self-signed certs won't work.

26
Q

EMR

A

Amazon EMR is a managed cluster platform that simplifies running big data frameworks such as Apache Hadoop and Spark.

Overhead: complex; requires additional configuration, maintenance, monitoring, etc.

27
Q

API GW

A
  • You pay only for the API calls you receive and the amount of data transferred out.
  • Enables you to build RESTful APIs and WebSocket APIs that are optimized for serverless workloads.
28
Q

SNS or SES for monitoring emails?

A

SNS

29
Q

Which services can backup directly to Glacier deep archive?

A

DataSync, Storage Gateway (at least)

30
Q

Routing types

A

Simple routing:
One record per name, e.g. a WWW record which is an A record (but each record can have multiple values). THE ONLY ONE WITH NO HEALTH CHECKS.

Latency Routing:
Lowest Latency

Weighted Routing:
Choose how much traffic is routed to a resource if you have multiple resources associated with a domain name

Geoproximity Routing:
Bias (+ or - ), distance based.

Geolocation Routing:
Tagged with country, continent, or default; doesn't return the closest record, only relevant ones. Good for content restriction.

31
Q

Prerequisites for routing traffic to a website that is hosted in an Amazon S3 Bucket

A

Domain name and S3 bucket name are the same.

The domain name is a registered domain name.

32
Q

SWF

A

Simple Workflow Service - used for decoupling.

33
Q

Inspector vs GuardDuty

A

Shield is DDoS protection and also located “at the edge”.

GuardDuty is intelligent threat detection. That means, without much configuration, it reads your CloudTrail, Config and VPC Flow Logs and notifies you if something unexpected happened. That is usually for infrastructure.

Amazon Inspector is more for applications. It’s an automated security assessment service that helps improve the security and compliance of applications.

34
Q

Gateway endpoint vs interface endpoint

A

Both:
- to privately connect AWS services, not over the public internet

Gateway endpoint:

Used for connecting to public services such as S3 and DynamoDB.
Inside the VPC, but not in a subnet.
Associated with a route table.

Interface Endpoint:

Uses PrivateLink.
An ENI with a private IP address.
Inside a subnet.
Associated with an SG.

35
Q

EC2 placement strategies

A

Cluster – Packs instances close together inside an Availability Zone. This strategy enables workloads to achieve the low-latency network performance necessary for tightly-coupled node-to-node communication that is typical of high-performance computing (HPC) applications.

Partition – Spreads your instances across logical partitions such that groups of instances in one partition do not share the underlying hardware with groups of instances in different partitions. This strategy is typically used by large distributed and replicated workloads, such as Hadoop, Cassandra, and Kafka.

Spread – Strictly places a small group of instances across distinct underlying hardware to reduce correlated failures.

36
Q

Aurora endpoints

A

Cluster endpoint:

The only one that can do writes. One cluster endpoint and one primary DB instance.

Reader endpoint:

One reader endpoint; LOAD BALANCING for read-only connections.

Custom endpoint:

A set of DB instances you choose; you define which instances this endpoint uses and what purpose the endpoint serves.

Instance endpoint:

A specific DB instance within an Aurora cluster. Mainly used to diagnose performance issues of one specific instance.

37
Q

DNS TTL

A

How long records can be cached for. We can store the record at a DNS resolver to avoid walking the tree again.

Authoritative - getting the record from the source that is trusted by DNS. Get an authoritative answer by talking to a name server that is authoritative for that particular domain.

TTL - Low values mean more queries against the name server, since we cache at the DNS resolver for less time; a longer TTL means more chance of the cached results being out of date.

38
Q

R53 Health Checks and Failover

A

HTTP/HTTPS and TCP

Monitor:

  • CloudWatch alarm status
  • Health of other health checks
  • Specific resource health checks

Based on:
- Response time
- Number of failed health checks.

Failovers

  • Active-Active:

All records have the same name, type, routing policy. When you want all resources available majority of time.

  • Active-Passive:

Primary resource group available the majority of the time, secondary on standby.

Can have a single resource for primary + secondary, or multiple resources for primary + secondary.

39
Q

Aurora HA and FT

A
  • When Aurora Replicas are spread across AZs, the primary DB is synchronously replicated across AZs to the Aurora replicas to provide redundancy.
  • Failover - promotes a replica to primary, or creates a new primary.
  • Self-healing data blocks and disks.
  • Auto-backup - 1 to 35 day retention
40
Q

Monitoring RDS

A

Subscribe to Amazon RDS events to be notified when changes occur with a DB instance, DB cluster, DB cluster snapshot, DB parameter group, or DB security group.
Database log files

RDS Enhanced Monitoring — Look at metrics in real time for the operating system.

RDS Performance Insights monitors your Amazon RDS DB instance load so that you can analyze and troubleshoot your database performance.

Use CloudWatch Metrics, Alarms and Logs

41
Q

gp2

Volume size
Max. Throughput/Volume (MiB/s)
Max IOPS/Volume (IOPS)
Performance attribute

A

Volume size:
1gb - 16tb

Max Throughput/Volume:
250 MiB/s

Max IOPS/Volume:
16000

Performance attribute:
IOPS

42
Q

st1

Volume size
Max. Throughput/Volume (MiB/s)
Max IOPS/Volume (IOPS)
Performance attribute

A

Volume size:
500gb - 16tb

Max Throughput/Volume:
500 MiB/s

Max IOPS/Volume:
500

Performance attribute:
MiB/s

43
Q

io1

volume size
Max. Throughput/Volume (MiB/s)
Max IOPS/Volume (IOPS)
Performance attribute

A

Volume size:
4gb - 16tb

Max Throughput/Volume:
1000 MiB/s

Max IOPS/Volume:
64000

Performance attribute:
IOPS

44
Q

sc1

volume size
Max. Throughput/Volume (MiB/s)
Max IOPS/Volume (IOPS)
Performance attribute

A

Volume size:
500gb - 16tb

Max Throughput/Volume:
250 MiB/s

Max IOPS/Volume:
500

Performance attribute:
MiB/s

45
Q

Data Lifecycle Manager

A

A service that automates the creation of Amazon EBS snapshots on a regular basis.

46
Q

CloudWatch agent

A

An agent/program that monitors the available swap space of your Amazon EC2 instances.

47
Q

Endpoint policy

A

A type of policy that controls which AWS principals (AWS accounts, IAM users, and IAM roles) can use the VPC endpoint to access the endpoint service.

48
Q

AWS DataSync

A

A service that improves the speed at which users transfer data from an on-premises data centre to AWS in a cost-effective manner.

49
Q

OpenSearch Service

A

OpenSearch is an open source and Apache

Analytics suite with many use cases: real-time application monitoring, log analytics, and website search.

50
Q

Can you enable hibernation mode after you’ve created an EC2 instance?

A

NO

51
Q

Which SSE method provides an audit trail?

A

SSE-KMS