CSA Flashcards

1
Q

Lambda-support languages (5)

A
python
Go
C# (.NET core)
node.js (javascript)
Java
2
Q

Lambda triggers (9 most used)

A
  • API Gateway
  • Alexa Skills Kit
  • CloudFront
  • CloudWatch Events
  • CloudWatch Logs
  • DynamoDB
  • Kinesis
  • S3
  • SNS
others:
  • SQS
  • AWS IoT
  • Alexa Smart Home
  • CodeCommit
  • Cognito Sync Trigger
3
Q

Route53 DNS Routing Options (6)

A
Simple
weighted
Latency-based
Failover
Geolocation
Multivalue Answer
4
Q

What 10 AWS services are serverless?

A
  • Compute: Lambda (+ Lambda@edge for Cloudfront)
  • Storage: S3
  • DB: DynamoDB
  • API Gateway
  • AWS AppSync
  • Orchestration: AWS step functions
  • Message queuing: SQS
  • Notification: SNS
  • Analytics: Kinesis
  • Interactive query: Athena
5
Q

What are the key differences between Multi-AZ DB’s and Read Replicas?

A

Multi-AZ is for DR/maintenance (active-passive), Read-replicas are for improved performance and resiliency

M-AZ is synchronous, Read-replicas are asynch.

M-AZ has one defined endpoint, RR has endpoint for each replica

6
Q

List the 6 key AWS databases and their uses

A
  • RDS – OLTP (RDBMS)
  • DynamoDB – noSQL
  • Redshift – OLAP
  • Elasticache – in-mem caching
  • Aurora - Customer, high-perf RDBMS
  • Neptune - Graph database
7
Q

What are the 6 DB’s available within RDS?

A
Oracle
Aurora
PostgreSQL
MySQL
MariaDB
MS SQL Server
8
Q

What are the 5 key basic components of a VPC?

A
IGW (Internet gateway/VPG)
Route tables
Subnets
Security Groups
NACL's
9
Q

List the (8) steps to creating a custom VPC

A

1) Create VPC (creates default security group, NACL & route
2) Create subnets
3) Create iNet Gateway
4) Create route table
5) link public subnet to Inet gateway
6) Setup auto-assign of public IP’s if desired
7) Create instances in each subnet
8) Create security groups as needed (HTTP, etc) to allow access between subnets

10
Q

At what three levels can VPC flowlogs be created?

A

o VPC – all VPC traffic
o Subnet – all subnet traffic
o Network interface – per instance

11
Q

What are the two types of VPC endpoints?

A

o Interface endpoint – elastic network interface (ENI) – entry point for traffic destined to the service
o Gateway endpoint – serves as a target for a route in your route table for traffic destined for the service. Similar to NAT gateway, is more resilient than interface.

12
Q

What are the two types of SQS queues and key differences?

A

1) Standard (default) - volume/speed, but risk of 2x delivery and mis-ordering
2) FIFO - 300/sec but guaranteed 1x and ordering (use case: banking)

13
Q

What are the 3 actors of SWF (Simple Workflow Service)

A

1) Activity Workers = programs that interact with SWF to get tasks, process them and return result
2) Deciders = controls the coordination of tasks – ordering, concurrency, scheduling
3) Workflow Starters - initiates workflow (i.e. a web site sending transaction)

14
Q

What are 4 differences between SWF and SQS?

A

o SWF only assigns ONCE, whereas SQS can assign 2x (due to timeout)
o SWF is task-orientated, SQS is message-orientated
o SWF keeps track of all app tasks. With SQS, you need to implement your own app-level tracking
o SWF retention max = 1 year. SQS = 14 days

• Exam: scenarios usually around when to use SWF vs SQS
o Any human interaction should be SWF
o Delivery timeframe – longer than 12 hours, then SWF

15
Q

What are the 3 core services of Kinesis?

A

1) Streams - shards, hold data 12h - 7d. Manual scaling
2) Firehose - automated, no shards, no retention. Batching, encrypting, compressing
3) Analytics - Analysis of data in Streams or Firehose

16
Q

What are the 8 types of subscribers (protocols) to SNS

A
HTTP
HTTPS
Email
Email-JSON
Lambda
Application
SQS
SMS
17
Q

What is the IP to get user and meta data from an instance?

A

169.254.169.254
/latest (or date)/meta-data
/latest (or date)/user-data
/latest (or date)/dynamic

18
Q

What are 4 key capabilities of AWS Organizations

A

1) Consolidate billing
2) Centrally manage policies across accounts
3) Control access to services/actions (SCP - Service Control Policies)
4) Automate AWS account create/delete

19
Q

What are the steps to enable cross-account access?

A

(need to know account #’s)

1) In dev: Create user + group
2) In prod:
a) Create read-write-app-bucket policy
b) Create UpdateApp cross account role
c) Apply policy to the role
3) in Dev: Create new in-line policy & apply to the group created earlier

4) Use “Switch Role” from Account drop-down

20
Q

What are the 2 types of resource groups?

A

1) Classic - global or regional, view-only

2) AWS Systems Manager - regional only, automation, insights, health checks, etc

21
Q

What are the 9 steps of a typical STS authentication process?

A

o Step 1 – user enters their ID & password
o Step 2 – App passes ID/pw to broker
o Step 3 - Broker verifies via LDAP/AD that ID/pw are correct
o Step 4+5: On EXAM: STS returns to broker:
   • Access key
   • Secret access key
   • Token (demonstrates that user is authenticated)
   • Duration (can last between 1 – 36 hours)
o Step 6: Broker sends STS info to app
o Step 7: App connects to S3 with token
o Step 8/9: S3 verifies user has permissions for that resource

22
Q

What are the 7 key components of docker?

A

1) Docker image
2) Docker container
3) Layers / Union File System
4) DockerFile
5) Docker Daemon / Engine (runtime)
6) Docker client – interface between user and daemon
7) Docker registries – i.e. Dockerhub, ECH, etc

23
Q

List the 2 types of ECS schedulers

A

o Service Scheduler
   • Container re-launch on failure
   • Can ensure tasks are registered against ELB
o Custom Scheduler
   • Build your own schedulers
   • Leverage third-party schedulers, like Blox

24
Q

What are the 4 default metrics provided by Cloudwatch?

A

o CPU
o Storage
o Network
o Status

25
Q

What are the 4 IAM policy types?

A

1) Identity-based (Managed & inline)
2) Resource-based
3) Organizations SCP
4) ACL’s

26
Q

What 5 operating systems are included free with EC2?

A
  • Redhat Enterprise Linux
  • SUSE enterprise Linux
  • Windows Server
  • Oracle Enterprise Server
  • MS SQL Server
27
Q

What are the 5 pillars of a well-architected framework?

A

1) Operational Excellence
2) Security
3) Reliability
4) Performance Efficiency
5) Cost Optimization

28
Q

What are the 4 AWS Support plans?

A

1) Basic
2) Developer
3) Business
4) Enterprise

29
Q

What five categories does Trusted Advisor cover?

A
  • Cost optimization
  • Performance
  • Security
  • Fault tolerance
  • Service limits
30
Q

What are the 4 valid origins for CloudFront?

A

1) S3 bucket
2) S3 bucket set up as a Mediastore container
3) MediaPackage Channel
4) Custom - EC2 instance, http server, etc

(note: Lambda is not a valid origin)

31
Q

What are the 13 key design principles?

A

1) Scalability
2) Disposable Resources, not fixed servers
3) Automation
4) Loose Coupling
5) Services, no Servers
6) Databases
7) Data Warehouse
8) Search
9) Removing Single Points of Failure
10) Optimize for Cost
11) Caching
12) Security
13) Real-time monitoring

32
Q

What 5 AWS Resources are “reservable”

A
EC2
Redshift
RDS
DynamoDB
Cloudfront
33
Q

List common AWS support tools and their scope

A
  • AWS Config – track and maintain configurations
  • Amazon Inspector – automated security & compliance assessment (Includes pre-configured checks for common best practices)
  • AWS Trusted Advisor – optimization of cost & performance, basic security checks, fault tolerance & service limits
  • Access Advisor – visibility into policies/access that is not used, so you can remove
  • Consolidated billing

TCO calculator, Cost estimator, AWS budgets, etc

34
Q

What are the three key points of S3’s data consistency model?

A

o PUTS of new objects – read-after write consistency (with caveat)
o Overwrite PUTS and DELETES – eventual consistency
o Object-locking not supported

35
Q

What are the 4 options for encrypting S3 data?

A

1) Client side encryption
2) Server-side encryption with S3 managed keys (SSE-S3)
3) Server side encryption with KMS (SSE-KMS)
4) Server-side encryption with Customer keys (SSE-C)

36
Q

What are the four things you can do with CloudWatch?

A

1) Create dashboard
2) Monitor/react to events
3) Monitor logs
4) set alarms based on thresholds

37
Q

What are the two types of EC2 Placement groups

A

1) Clustered (default). Single AZ, low-latency,

2) Spread. New in 2017, can span AZ, set on specific hardware to ensure decoupling

38
Q

What are the 3 AWS Storage Gateway options?

A

1) Tape Gateway
2) Volume Gateway (cached & stored)
3) File Gateway (S3 via local VM/app & NFS)

39
Q

What services are included in free tier and which stay free (within limits)?

A
o Expire after 12 months:
   • EC2
   • S3
   • RDS
   • Cloudfront
o Always free (each have limits):
   • DynamoDB
   • Glacier
   • Lambda