Governance Flashcards

1
Q

What is AWS Organizations?

A

AWS Organizations is a free governance tool that lets you create and manage multiple AWS accounts. With it, you control all of your accounts from a single management account rather than jumping from account to account.

2
Q

What are the key features of AWS Organizations?

A
  1. Logging Accounts - best practice is a dedicated logging account; CloudTrail supports log aggregation via an organization trail that delivers every member account's events to one S3 bucket in that account
  2. Programmatic Creation - create new AWS accounts (and close them) through the API
  3. Reserved Instances - RI and Savings Plans discounts can be shared across all accounts in the organization
  4. Consolidated Billing - the management account pays the bills for every member account
  5. Service Control Policies - SCPs cap the permissions of IAM users and roles in member accounts
3
Q

What is a Service Control Policy?

A

A global policy for an organization: attached to the root, an OU or an account, it caps what any IAM user or role in those accounts can do regardless of their identity policies, and it applies even to the root user of a member account

Once attached, an SCP applies to every principal and every API call in the affected accounts. They are the ultimate way to restrict permissions. The one exception is the management account, which SCPs never restrict, so keep workloads and day-to-day users out of it

It only takes permissions away; it never grants them. A principal still needs an IAM policy that allows the action

4
Q

In a Service Control Policy, what is the purpose of an allow statement?

A

An Allow statement sets the boundary: the listed actions are the only ones principals in the affected accounts can potentially make. It doesn't grant the calls (an IAM policy still has to allow them); it narrows down every possible service to that list, and any action without an Allow in every SCP on the path from the root to the account is implicitly denied

5
Q

In a Service Control Policy, what is the purpose of a deny statement?

A

It blocks the listed API calls for every principal in the affected accounts, including the root user, and no IAM policy can override it. Typical use: deny cloudtrail:StopLogging and organizations:LeaveOrganization so a member account can't switch off logging or walk away from the guardrails

6
Q

If you are given a scenario about wanting to ensure logs are centralized where no one can edit or delete them, what service would you recommend?

A

AWS Organizations, with a dedicated logging account and a CloudTrail organization trail: the trail delivers every member account's events to an S3 bucket the logging account owns, member accounts cannot modify or delete an organization trail, and only the logging account controls access to the bucket

7
Q

What is AWS RAM?

A

AWS Resource Access Manager (RAM) is a free service that allows you to share AWS resources with other accounts and within your organization. AWS RAM allows you to easily share resources rather than having to create duplicate copies in your different accounts.

8
Q

What can be shared using AWS RAM?

A
  1. Transit gateways
  2. VPC subnets (most important)
  3. License Manager configurations
  4. Route 53 Resolver rules
  5. Dedicated hosts
  6. (many more…)
9
Q

When should you use AWS RAM vs VPC Peering?

A

Sharing resources such as subnets with accounts in the same Region? Use RAM: one VPC, shared, with no duplicate infrastructure

Connecting VPCs across Regions (or two separate VPCs in general)? Use VPC peering; RAM shares a subnet, it does not connect two VPCs

If RAM doesn't support the resource and VPC peering solves the problem, peering is still a great option

10
Q

What is the cost of AWS RAM?

A

It is free; you only pay for the resources you share

11
Q

What is cross-account role access?

A

As the number of AWS accounts you manage grows, you need cross-account access. Duplicating IAM users in every account multiplies the long-lived passwords and access keys you have to secure and rotate. Cross-account role access instead lets a principal in one account call sts:AssumeRole on a role in another and receive temporary credentials, and you control (or revoke) that access in one place, the role's trust policy.

12
Q

When given a scenario where credentials are mentioned, what should you look for?

A

Something mentioning roles: temporary credentials from STS (AssumeRole) rather than long-lived access keys

13
Q

When given a scenario that talks about multiple accounts, what is preferred over creating multiple IAM users in each account?

A

Cross-account roles

14
Q

When given a scenario where it asks what would be the proper way to give an auditor credentials?

A

Never give them permanent credentials. Always use a role they assume for temporary access, typically with an ExternalId condition in the trust policy and a read-only permissions policy such as the AWS managed SecurityAudit policy
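
The SCP rules in cards 3 to 5 and the cross-account role in cards 11 to 14 are easier to see in code. The following is an added example written for this page, not course material: a toy policy evaluator that reproduces the SCP behaviour (an SCP is a ceiling, never a grant; the root user of a member account is bound; the management account is not) and the trust-policy check an auditor's role performs. The account IDs, the ExternalId value and every policy document are constructed sample data.

```python
"""Toy evaluator for the two policy interactions on this page (added example).
SCP vs IAM: an SCP is a ceiling, not a grant. A member-account principal, root user
included, can act only if every SCP level on the path allows the action, no SCP denies
it and (for non-root users) an IAM policy allows it. The management account ignores SCPs.
Cross-account role: the role's trust policy decides who may call sts:AssumeRole; an
ExternalId plus MFA condition is the usual way to hand an auditor temporary access.
All account IDs, policy documents and the ExternalId below are constructed sample data.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM action/resource matching is case-insensitive and supports * and ? wildcards.
    return any(fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def _conditions_hold(condition, context):
    """Only the two operators the sample policies use: StringEquals and Bool."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals" and actual not in _as_list(expected):
                return False
            if operator == "Bool" and str(actual).lower() != str(expected).lower():
                return False
    return True


def decision(policy, action, resource="*", context=None):
    """Evaluate one policy document: explicit Deny beats Allow beats implicit deny."""
    result = "Implicit"
    for stmt in _as_list(policy["Statement"]):
        if not _matches(stmt.get("Action", []), action):
            continue
        if not _matches(stmt.get("Resource", "*"), resource):
            continue
        if not _conditions_hold(stmt.get("Condition", {}), context or {}):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        result = "Allow"
    return result


def _scp_level_allows(policies, action):
    """One attachment point (root, OU or account): any Allow counts, any Deny wins."""
    decisions = [decision(p, action) for p in policies]
    return "Deny" not in decisions and "Allow" in decisions


def effective(action, iam_policy, scp_levels, is_root=False, management_account=False):
    """Can this principal call `action`? scp_levels lists the SCPs attached at each level
    from the organization root down to the account; every level must allow (intersection)."""
    if not management_account and not all(_scp_level_allows(lvl, action) for lvl in scp_levels):
        return False
    if is_root:
        return True  # the root user has every IAM permission; only SCPs limit it
    return decision(iam_policy, action) == "Allow"


def can_assume(trust_policy, caller_arn, context):
    """Trust-policy half of sts:AssumeRole (the caller's own IAM policy must allow it too)."""
    for stmt in _as_list(trust_policy["Statement"]):
        principals = _as_list(stmt.get("Principal", {}).get("AWS", []))
        if caller_arn not in principals or not _matches(stmt["Action"], "sts:AssumeRole"):
            continue
        if stmt["Effect"] == "Allow" and _conditions_hold(stmt.get("Condition", {}), context):
            return True
    return False


# --- constructed sample policies ------------------------------------------------------
SCP_FULL_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
SCP_ALLOWLIST = {"Statement": [{"Effect": "Allow", "Resource": "*",
                                "Action": ["ec2:*", "s3:*", "cloudtrail:*", "iam:*", "sts:*"]}]}
SCP_PROTECT_LOGGING = {"Statement": [{"Effect": "Deny", "Resource": "*", "Action": [
    "cloudtrail:StopLogging", "cloudtrail:DeleteTrail", "organizations:LeaveOrganization"]}]}
# Root keeps the default FullAWSAccess; the workloads OU gets the allow-list plus the deny.
SCP_LEVELS = [[SCP_FULL_ACCESS], [SCP_ALLOWLIST, SCP_PROTECT_LOGGING]]

IAM_ADMIN = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
IAM_S3_READ = {"Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]}

AUDIT_ROLE_TRUST = {"Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::222222222222:root"},  # sample auditor account
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "example-audit-token"},
                  "Bool": {"aws:MultiFactorAuthPresent": "true"}},
}]}
```

Run `effective("cloudtrail:StopLogging", IAM_ADMIN, SCP_LEVELS, is_root=True)` to see the root user of a member account blocked by the deny SCP, and `effective("s3:PutObject", IAM_S3_READ, SCP_LEVELS)` to see that the SCP's `s3:*` Allow grants nothing on its own. The evaluator ignores resource-based policies, permissions boundaries and session policies, which also take part in a real IAM decision.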

15
Q

What is AWS Config?

A

Config is an inventory management and control tool. It allows you to show the history of your infrastructure along with creating rules to make sure it conforms to the best practices you’ve laid out.

16
Q

What are the three features of AWS Config?

A
  1. Query - you can easily discover what architecture you have in your account (you can query by resource type, tag and even see deleted infrastructure)
  2. Enforce - rules can be created to flag when something is going wrong (whenever a rule is violated, you can be alerted or even have it automatically fixed)
  3. Learn - what is the history of your environment? (when did something change? who made that call?)
17
Q

If you are given a scenario that lays out any type of standard that needs to be managed across accounts, what service would you recommend?

A

AWS Config

For example, you'd use Config to ensure your S3 buckets aren't publicly readable or that EC2 instances were launched from an approved AMI; the managed rules s3-bucket-public-read-prohibited and approved-amis-by-id cover exactly these, and a custom rule backed by a Lambda function handles anything the managed rules don't
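
As an added example of the S3 scenario above (not course code), here is a custom Config rule in the form of the Lambda handler Config invokes. The field names for Block Public Access (`supplementaryConfiguration.PublicAccessBlockConfiguration`) follow what Config records for `AWS::S3::Bucket`; the `grantSet`/`grantee`/`uri` layout used for the ACL and the sample configuration items are assumptions to be checked against a real item before relying on them.

```python
"""Custom AWS Config rule (Lambda handler) that flags S3 buckets readable by the public.
Added example, not course code. PublicAccessBlockConfiguration keys follow the real
configuration item; the ACL grantSet layout and the sample items are assumptions/constructed.
"""
import json

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_FLAGS = ("blockPublicAcls", "ignorePublicAcls", "blockPublicPolicy", "restrictPublicBuckets")


def public_acl_grants(access_control_list):
    """Permissions granted to the public groups in a bucket ACL (stored by Config as a
    JSON string). The grantSet/grantee/uri keys are an assumption about that layout."""
    if not access_control_list:
        return []
    acl = json.loads(access_control_list) if isinstance(access_control_list, str) else access_control_list
    return [g.get("permission") for g in acl.get("grantSet", [])
            if g.get("grantee", {}).get("uri") in PUBLIC_GROUPS]


def evaluate_bucket(item):
    """Map one configuration item to (ComplianceType, Annotation)."""
    if item.get("resourceType") != "AWS::S3::Bucket":
        return "NOT_APPLICABLE", "rule only evaluates S3 buckets"
    if item.get("configurationItemStatus") == "ResourceDeleted":
        return "NOT_APPLICABLE", "bucket deleted"  # Config also delivers deletions; don't fail them
    supp = item.get("supplementaryConfiguration", {})
    pab = supp.get("PublicAccessBlockConfiguration", {})
    if all(pab.get(flag) is True for flag in PAB_FLAGS):
        return "COMPLIANT", "Block Public Access fully enforced"
    grants = public_acl_grants(supp.get("AccessControlList"))
    if grants:
        return "NON_COMPLIANT", "public ACL grant(s): " + ", ".join(grants)
    return "COMPLIANT", "no public ACL grants, but Block Public Access is not fully enforced"


def lambda_handler(event, context=None, config_client=None):
    """Entry point Config invokes. Pass a boto3 'config' client to report the result back;
    with no client the evaluation is only returned, which is what the offline check uses."""
    invoking_event = json.loads(event["invokingEvent"])
    item = invoking_event["configurationItem"]
    compliance, note = evaluate_bucket(item)
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note[:256],  # Config caps annotations at 256 characters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    if config_client is not None:
        config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


# --- constructed sample configuration items -------------------------------------------
def bucket_item(name, pab=None, acl_grants=None, status="OK"):
    acl = {"grantSet": acl_grants or [], "owner": {"id": "example-owner-id"}}
    return {
        "resourceType": "AWS::S3::Bucket",
        "resourceId": name,
        "configurationItemStatus": status,
        "configurationItemCaptureTime": "2024-05-01T12:00:00.000Z",
        "supplementaryConfiguration": {
            "PublicAccessBlockConfiguration": pab or {},
            "AccessControlList": json.dumps(acl),
        },
    }


LOCKED_DOWN = bucket_item("logs-archive", pab={flag: True for flag in PAB_FLAGS})
WORLD_READABLE = bucket_item("marketing-assets", acl_grants=[
    {"grantee": {"type": "Group", "uri": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "permission": "Read"}])


def sample_event(item):
    """Wrap an item the way a ConfigurationItemChangeNotification event does."""
    return {"invokingEvent": json.dumps({"configurationItem": item,
                                         "messageType": "ConfigurationItemChangeNotification"}),
            "resultToken": "example-token"}
```

A bucket with no public grants but without Block Public Access is reported COMPLIANT with an annotation, so the drift is visible in the Config console without failing the rule; tighten that to NON_COMPLIANT if your standard is "Block Public Access on everywhere". Bucket policies are not inspected here; the managed rule s3-bucket-public-read-prohibited covers those.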

18
Q

What is AWS Directory Service?

A

AWS Directory Service is a fully managed offering of Microsoft Active Directory options. It lets you offload the painful parts of keeping AD online to AWS while still giving you the control and flexibility AD provides.

19
Q

Why use AWS Directory Service?

A
  1. Managed Microsoft AD - this is the entire AD suite; you can easily build out AD in AWS
  2. AD Connector - creates a tunnel between AWS and your on-premises AD
  3. Simple AD - standalone directory powered by a Linux Samba Active Directory-compatible server
20
Q

What is AWS Cost Explorer?

A

AWS Cost Explorer is an easy-to-use tool that allows you to visualize your cloud costs. You can generate reports based on a variety of factors, including resource tags.

21
Q

What are the features of AWS Cost Explorer?

A
  1. Service - easily break down costs on a service-by-service basis
  2. Time - what was your bill last month? what will it be next month?
  3. Filter - where is the spend coming from? filter on tag, categories, etc.

It is predictive as well.

22
Q

How does AWS Cost Explorer filtering by tag work?

A

You have to activate the tag as a cost allocation tag in the Billing console. From that moment on you can filter reports and spend by that tag, but it does not work retroactively, and you opt in on a per-tag basis.

23
Q

If you are given scenario that talks about budgeting or controlling spend, what service would you recommend?

A

AWS Cost Explorer for visualizing, analyzing and forecasting spend. If the scenario needs a spend limit or an alert when you approach it, the answer is AWS Budgets.

24
Q

What is AWS Budgets?

A

AWS Budgets allows organizations to easily plan and set expectations around cloud costs. You can easily track your ongoing spend and create alerts to let users know when they are close to exceeding their allotted spend.

25
Q

What are the four types of budgets that can be created within AWS Budgets?

A
  1. Cost Budget - how much are we spending?
  2. Usage Budget - how much are we using?
  3. Reservation Budget - are we being efficient with our reserved instances?
  4. Savings Plans Budget - is what we are doing covered by our Savings Plans?
26
Q

How do costs work in AWS Budgets?

A

The first two budgets are free each month; every additional budget is billed per budget per day.

27
Q

What is the service you would use to notify yourself when you are getting close to overspending on AWS costs?

A

AWS Budgets

28
Q

What service would you use to create fine-grained budgets?

A

AWS Budgets: a budget can be scoped to a service, a member account, a cost allocation tag and more, with alerts per threshold. Cost Explorer only visualizes and forecasts spend; it doesn't create budgets.

29
Q

What is the AWS Cost and Usage Reports?

A
  1. Comprehensive service that offers you a set of cost and usage data available for your AWS spending
  2. It publishes the reports to Amazon S3 for centralized collection
  3. These reports that you receive break down your costs by time span, hour, day, month, as well as by product or product resource, or by tags you define
  4. AWS updates these reports at least once a day; they are delivered as compressed CSV or Parquet files
  5. You can also choose to configure your report data for integration with other AWS services (Amazon Athena, Amazon Redshift, Amazon QuickSight)

It is commonly abbreviated as CUR

30
Q

What are the use cases for AWS CUR (AWS Cost and Usage Reports)?

A
  1. You can use within AWS Organizations for entire OU groups or individual member accounts
  2. Track savings plans utilizations, charges and current allocations
  3. Monitor on-demand capacity reservations
  4. Break down your AWS data transfer charges (external or inter-region)
  5. Dive deeper into cost allocation tag resource spending
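
The breakdowns cards 29 and 30 describe are just aggregations over the CUR columns. The following is an added example, not course material: a small parser that totals a report by service, by account and by one cost allocation tag. The column names follow the CUR schema (`lineItem/...`, `resourceTags/user:...`); the rows are constructed sample data, and the `Project` tag is a made-up tag key.

```python
"""Break a Cost and Usage Report (CUR) down by service, account and a cost allocation tag.
Added example (not course material). Column names follow the CUR schema; the rows are
constructed sample data and 'Project' is an assumed tag key.
"""
import csv
import io
from collections import defaultdict
from decimal import Decimal

SAMPLE_CUR = """\
lineItem/UsageAccountId,lineItem/ProductCode,lineItem/LineItemType,lineItem/UsageStartDate,lineItem/UnblendedCost,resourceTags/user:Project
111111111111,AmazonEC2,Usage,2024-05-01T00:00:00Z,12.50,payments
111111111111,AmazonEC2,Usage,2024-05-01T01:00:00Z,12.50,payments
222222222222,AmazonS3,Usage,2024-05-01T00:00:00Z,0.40,
222222222222,AWSLambda,Usage,2024-05-01T00:00:00Z,0.05,analytics
111111111111,AmazonEC2,Tax,2024-05-01T00:00:00Z,2.00,
"""


def summarize(cur_csv, tag_column="resourceTags/user:Project", include_tax=False):
    """Return totals keyed by service, by account and by tag value ('' becomes 'untagged').
    Decimal keeps the cents exact, which float arithmetic over thousands of rows does not."""
    by_service, by_account, by_tag = defaultdict(Decimal), defaultdict(Decimal), defaultdict(Decimal)
    for row in csv.DictReader(io.StringIO(cur_csv)):
        if row["lineItem/LineItemType"] == "Tax" and not include_tax:
            continue  # tax rows carry no resource tag and would all land in 'untagged'
        cost = Decimal(row["lineItem/UnblendedCost"])
        by_service[row["lineItem/ProductCode"]] += cost
        by_account[row["lineItem/UsageAccountId"]] += cost
        by_tag[row.get(tag_column) or "untagged"] += cost
    return {"by_service": dict(by_service), "by_account": dict(by_account), "by_tag": dict(by_tag)}


def untagged_share(summary):
    """Fraction of spend with no value for the tag. A high share usually means the tag was
    never activated as a cost allocation tag (it is not retroactive) or is not being applied."""
    total = sum(summary["by_tag"].values(), Decimal(0))
    return summary["by_tag"].get("untagged", Decimal(0)) / total if total else Decimal(0)


if __name__ == "__main__":
    summary = summarize(SAMPLE_CUR)
    for bucket, totals in summary.items():
        print(bucket, {key: str(value) for key, value in totals.items()})
    print("untagged share:", untagged_share(summary))
```

Real reports are delivered to S3 as one or more compressed files per billing period and can reach gigabytes, which is why the card recommends pointing Athena at them rather than parsing locally; the aggregation logic is the same SQL GROUP BY over the same columns.
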
31
Q

What service do you use to get the most comprehensive and detailed view of your AWS spending?

A

AWS Cost and Usage Reports (CUR)

32
Q

If you are given a scenario that mentions needing detailed cost breakdowns, delivery of daily usage reports, or tracking Savings Plan utilizations, what service would you recommend?

A

AWS Cost and Usage Reports (CUR)

33
Q

What is AWS Compute Optimizer?

A
  1. It’s a service that analyzes configuration and utilization metrics of your resources and helps you optimize them
  2. It will report on your current usage optimizations and also give you potential recommendations so that you can improve performance and possibly save money
  3. Provides graphical history data and projected utilization metrics
  4. Use graphs, metrics data, and recommendations for moving and resizing resources
34
Q

What resources does the AWS Compute Optimizer work with?

A
  1. Amazon EC2
  2. EC2 Autoscaling Groups
  3. Amazon Elastic Block Store (EBS)
  4. Lambda functions
35
Q

What are the supported account types for AWS Compute Optimzer?

A
  1. Standalone AWS account without Organizations
  2. Single member accounts within an Organization
  3. AWS Organizations management account with recommendations based on the entire organization
36
Q

Is AWS Compute Optimizer enabled by default?

A

No, you must opt-in to leverage this service

37
Q

What is recommended after enabling AWS Compute Optimzer?

A

Enabling enhanced infrastructure metrics by activating recommendation preferences in the console (a paid feature)

38
Q

What does activation of recommendation preferences in AWS Compute Optimizer provide?

A

It extends your metrics analysis and you can look back further and get a better view of your historical data and get more accurate recommendations

39
Q

What are AWS Savings Plans?

A
  1. Flexible Pricing - offer flexible pricing models for up to 72% savings on compute
  2. Lower Prices - compute savings plans provide you lower prices on EC2 instances regardless of the instance family, size, OS, tenancy or regions
  3. Variety - savings can also apply to AWS Lambda and AWS Fargate usage
  4. SageMaker - they also offer plans for lowering Amazon SageMaker instance pricing
  5. Commitments - savings are provided as a trade for long-term commitments (there are one-year and three-year plans)
  6. Pricing Plan Options - choose from All Upfront, Partial Upfront or No Upfront
40
Q

What are the three AWS Savings Plan Types?

A
  1. Compute Savings - most flexible savings plan; applies to any EC2 compute, Lambda or Fargate usage, with up to 66% savings on compute
  2. EC2 Savings - stricter savings plans; applies only to EC2 instances of a specific instance family in specific regions; up to 72% savings
  3. SageMaker Savings - apply to SageMaker instances regardless of instance family or sizing; any region and any component; up to 64% savings
41
Q

How do you use and apply AWS Savings Plans?

A
  1. View recommendations in your AWS billing console
  2. Recommendations are automatically calculated to make purchasing easier
  3. Add to cart and purchase directly within your AWS account
  4. Apply to usage rates after Reserved Instances are applied and exhausted
  5. Consolidated Billing Family - applied to account owner first and then can be spread to others if you enable sharing
42
Q

What type of accounts can take advantage of AWS Savings Plans?

A
  1. The management account of an organization
  2. Member account level
  3. Standalone account
43
Q

What are the pricing terms for AWS Savings Plans?

A

One-year and three-year agreements

All Upfront, Partial Upfront and No Upfront

44
Q

What is AWS Trusted Advisor?

A

AWS Trusted Advisor is a fully-managed best practice auditing tool. It will scan 5 different parts of your account and look for places where you can improve your adoption of the recommended best practices provided by AWS.

45
Q

What are the five questions that AWS Trusted Advisor asks?

A
  1. Cost Optimization - are you spending money on resources that aren’t needed?
  2. Performance - are your services configured properly?
  3. Security - is your AWS architecture full of vulnerabilities?
  4. Fault Tolerance - are you protected when something fails?
  5. Service Limits - do you have room to scale?
46
Q

If you can’t automate a fix for a problem within your architecture, what is the next best option?

A

To automate notification of the problem using SNS Alerts

47
Q

To get the most useful checks in AWS Trusted Advisor, what do you need enabled?

A

Business or Enterprise Support Plan

48
Q

What does Trusted Advisor do when it detects a problem?

A

Report on the problem. It will not fix it for you: to automate remediation, route the Trusted Advisor check event through EventBridge to a Lambda function

49
Q

What is AWS Control Tower?

A
  1. Governance - easy way to set up and govern an AWS multi-account environment
  2. Orchestration - automates account creation and security controls via other AWS services
  3. Extension - extends AWS Organizations to prevent governance drift and leverage different guardrails
  4. New AWS Accounts - users can provision new AWS accounts quickly, using central admin established compliance policies (using Account Factory)
  5. Simple Terms - quickest way to create and manage a secure, compliant multi-account environment based on best practices
50
Q

What are features and terms to know about AWS Control Tower?

A
  1. Landing Zone - well-architected, multi-account environment based on compliance and security best practices
  2. Guardrails - high-level rules providing continuous governance for the AWS environment
  3. Account Factory - configurable account template for standardizing pre-approved configs of new accounts
  4. Cloudformation Stackset - automated deployments of templates deploying repeated resources for governance
  5. Shared Accounts - three accounts Control Tower relies on once the Landing Zone is created: the management account plus the Log Archive account (central CloudTrail and Config logs) and the Audit account (cross-account security review and notifications)
51
Q

What are the two types of Guardrails in AWS Control Tower?

A
  1. Preventative - ensures accounts maintain governance by disallowing violating actions, leveraging service control policies in Organizations; they have statuses of being “enforced” or “not enabled” and they are supported in all regions
  2. Detective - detects and alerts on non-compliant resources within all AWS accounts; leverages AWS Config rules; they have statuses of “clear”, “in violation” and “not enabled” and they only apply to certain regions
52
Q

What is AWS License Manager?

A
  1. Licenses made easy - simplifies managing software licenses with different vendors (Microsoft, SAP, Oracle, etc)
  2. Centralized - helps centrally manage licenses across AWS accounts and on-premises environments
  3. Set Usage Limits - control and visibility into usage of licenses and enabling license usage limits
  4. Reduce Overages - reduce overages and penalties via inventory tracking and rule-based controls for consumption
  5. Versatile - supports any software based on vCPU, physical cores, sockets or number of machines

It is strictly for licenses and not for deployment of services and infrastructure

53
Q

If you are given a scenario that mentions AWS-hosted license management, hybrid environment license management or preventing license abuse, what service would you recommend?

A

AWS License Manager

54
Q

What is the AWS Personal Health Dashboard?

A
  1. AWS Health - AWS is shifting to calling the service AWS Health in the documentation
  2. Visibility - gain visibility of resource performance and availability of AWS services or accounts
  3. How it affects you - view how the health events affect you and your services, resources and accounts
  4. Timely - AWS attempts to maintain timeliness and relevant information with the events
  5. Be prepared and automate - view upcoming maintenance tasks that may affect your accounts and resources
  6. Alerts - it has near-instant delivery of notifications and alerts to speed up troubleshooting and prevention; it is recommended to automate actions based on incoming events using EventBridge
55
Q

What are AWS Health concepts you should know?

A
  1. AWS Health event - notifications sent on behalf of AWS services or AWS
  2. Account specific event - events specific to your AWS account or Organization
  3. Public event - events that are reported on services that are public, not specific to accounts
  4. AWS Health Dashboard - dashboard showing account and public events, shows service health as well
  5. Event type code - include the affected services and the specific type of event
  6. Event type category - associated category — will be attached to every event
  7. Event status - reports if the event is “open”, “closed” or “upcoming”
  8. Affected entities - which AWS resources are or may be affected by the event
56
Q

What is the AWS Service Catalog?

A
  1. Catalogs - allows organizations to create and manage catalogs of approved IT resources
  2. Multipurpose - list things like AMIs, servers, software, databases and other preconfigured components
  3. Centralized - AWS Organizations can centrally manage IT services and maintain compliance
  4. End-user friendly - end users can be allowed to easily deploy pre-approved catalog items within an organization
  5. CloudFormation - catalog templates are written and listed using CloudFormation templates
57
Q

What are the benefits of using AWS Service Catalog?

A
  1. Standardize - restrict launching products to a specific list of pre-approved solutions
  2. Self-service - end users can browse products and deploy approved services on their own
  3. Access control - add constraints and grant access to products using AWS IAM
  4. Versioning - update products to newer versions and propagate changes automatically
58
Q

What is AWS Proton?

A

AWS Proton is a managed service for platform teams: it creates and manages the infrastructure and deployment tooling for container-based and serverless applications, so developers deploy from approved templates rather than building their own stacks

59
Q

What are the features of AWS Proton?

A
  1. Automates infrastructure-as-code (IaC) provisioning and deployments
  2. Defines standardized infrastructure for your serverless and container-based apps
  3. Use templates to define and manage app stacks that contain ALL components
  4. AWS Proton automatically provisions resources, configures CI/CD and deploys the code
  5. Supports AWS CloudFormation and Terraform IaC providers
60
Q

What are the six pillars of AWS Well-Architected?

A
  1. Operational Excellence
  2. Reliability
  3. Security
  4. Performance Efficiency
  5. Cost Optimization
  6. Sustainability
61
Q

What is the AWS Well Architected Tool?

A
  1. Provides a consistent process for measuring cloud architectures
  2. Enables assistance with documenting workloads and architectures
  3. Guides for making workloads reliable, secure, efficient and cost-effective
  4. Measure workloads against years of AWS best practices
  5. Intended for specific audiences, such as technical teams, CTOs, architecture and operational teams
62
Q

True or false, AWS Config offers real-time evaluation of rule violations?

A

False. Config rules evaluate when a resource's configuration changes (change-triggered) or on a schedule (periodic, e.g. every 24 hours), so detection is near real-time at best; it is not a real-time control, which is why preventive guardrails are SCPs, not Config rules