SAA-CO2

Question 1

AWS Organizations (units)

Answer 1

Consolidated Billing, Root -> OU (organizational unit) -> Accounts

Question 2

SAML

Answer 2

Security Assertion Markup Language

Question 3

Storage Gateway

Answer 3

Hybrid cloud storage service

Question 4

File Gateway

Answer 4

(NFS/SMB) on premise backs up to cloud, low latency access for on premises applications to in cloud data

Question 5

Tape Gateway

Answer 5

replace physical tapes with virtual tapes

Question 6

volume gateway

Answer 6

cloud backed block storage volumes

Question 7

Macie

Answer 7

machine learning & NLP to discover, classify, protect sensitive data

Question 8

NAT Gateway

Answer 8

connect to the internet from instances within a private subnet. prevents internet from initiating a connection. do not support ipv6 connections

Question 9

Max number of Internet Gateways per VPC

Answer 9

1

Question 10

Internet Gateway

Answer 10

VPC and internet connection

Question 11

egress only igw

Answer 11

like NAT gateway but for ipv6, outbound traffic only

Question 12

elastic IP address

Answer 12

static ipv4 address

Question 13

direct connect

Answer 13

direct connection to AWS using colocation

Question 14

global accelerator

Answer 14

directs customer traffic to optimal endpoints over the global network. provided two static IP addresses

Question 15

privatelink

Answer 15

private connectivity between VPCs, aws services, on prem networks

Question 16

ENI

Answer 16

elastic network interface: networking component in a VPC

Question 17

gp2

Answer 17

general purpose ssd EBS storage

Question 18

Io1

Answer 18

provisioned IOPS EBS storage (databases)

Question 19

St1

Answer 19

throughput optimized HDD (big data and Warehouses)

Question 20

Sc1

Answer 20

cold hdd (file servers)

Question 21

Standard

Answer 21

ebs magnetic (hdd for infrequent access)

Question 22

ebs backed ami

Answer 22

ebs storage backed ami, by default root volume is deleted on termination (can set to not do this)

Question 23

instance store backed ami

Answer 23

ephemeral storage, lost on stop

Question 24

ec2 hypervisors

Answer 24

zen -> nitro

Question 25

customer gateway

Answer 25

customer side vpn to allow connection to vpc

Question 26

vpc endpoints

Answer 26

allows privately connect VPC to supported services
interface endpoint: private endpoint to many services
gateway endpoints: nat gateway for s3 and dynamodb

Question 27

customer gateway

Answer 27

customer side connection to private vpc through vpn

Question 28

cluster placement group

Answer 28

place ec2 near another in a datacenter, can’t span availability zones

Question 29

partition placement group

Answer 29

place ec2 across logical partitions; maximum 7 partitions

Question 30

spread placement group

Answer 30

spread your ec2s out, max 7 per availability zone

Question 31

VPC network costs

Answer 31

free traffic in, costs across AZ, inter region costs across vpcs, always use private connection over public

Question 32

ACL

Answer 32

access control list, a firewall for a subnet. all traffic entering or exiting is checked against these rules. first rule that matches. default allowing all traffic. These are stateless. Allow and deny rules

Question 33

Route Table

Answer 33

direct traffic into or out of a subnet. routes traffic to the correct destination. traffic sent to smallest CIDR range that matches

Question 34

Security Groups

Answer 34

stateful (traffic out is allowed back in). virtual firewall for your instance. up to 5 allowed for an instance. automatically assigned default security group if not assigned. Allow rules only

Question 35

subnets

Answer 35

part of a VPC in a specific availability zone

Question 36

glacier deep archive

Answer 36

cheapest form, can be restored in 12 hours

Question 37

S3 Tiers

Answer 37

Standard (9 9’s, 99.99 availability), IA (99.9 availability), One zone IA (99.5 availability) intelligent tiering (pay per object), glacier, glacier deep archive

Question 38

S3 object lock and glacier vault lock

Answer 38

write once, read many. Governance mode: certain users can overwrite, compliance mode: no one can overwrite, legal holds: must actively delete holds

Question 39

S3 Performance

Answer 39

first byte within 100-200ms, 3500 PUT/COPY, 5500 Get/Head requests/second/prefix

Question 40

S3 multipart upload

Answer 40

recommended for 100MB, required for 5GB

Question 41

S3 Byte Range Fetches

Answer 41

parallelize downloads, pull part of an object

Question 42

S3 Transfer acceleration

Answer 42

use EDGE network to accelerate uploads

Question 43

AWS datasync

Answer 43

move large amounts of data to AWS s3, syncs on prem to AWS

Question 44

S3 cross accounts

Answer 44

create a cross account iam role

Question 45

IAM root sign in url

Answer 45

different than user sign in url

Question 46

AWS RAM

Answer 46

resource access manager, share resources across accounts

Question 47

AWS Shield

Answer 47

sits on edge, protects against DDOS attacks. Standard: included with WAF (free). Advanced: enhanced protection for ec2, cloudfront, route53, etc. 24x7 response

Question 48

Cloud HSM

Answer 48

hardware security modules. manage your own keys. Fips 140-2 level 3 service

Question 49

WAF

Answer 49

web application firewall. monitor web requests and protect against bad actors. can inspect http traffic

Question 50

KMS

Answer 50

key management service. regional. pay per api call. Fips 140-2 level 2 service. CMK=customer master key, AES-256. single tenant, multi-az cluster. must provision across az’s

Question 51

secrets manager

Answer 51

cost per secret stored, automatically rotates keys. generate random secrets. shared across accounts

Question 52

RDS Backups

Answer 52

automated backups, db snapshots (1-35 days). automated backups enabled by default. may have higher latency during backups. snapshots are retained. restored is a new RDS instance with new endpoint

Question 53

RDS Multi AZ

Answer 53

automatic failover, ip address stays the same. during maintenance it fails over. synchronous replication. data charge is free for AZ

Question 54

RDS Read Replicas

Answer 54

each read replica has its own endpoint. can promote to be their own database. asynchronous replication

Question 55

redshift

Answer 55

BI / data warehousing. OLAP (online analytics processing). only one AZ. one day retention period default backup, max 35 days

Question 56

OLTP

Answer 56

Online transaction processing

Question 57

Aurora

Answer 57

AWS’s own high end database.

• starts 10GB, scales in 10GB increments to 64TB.
• two copies of data in each AZ, min 3 (6 copies)
• self healing storage
• automated backups always enabled (snapshots no impact on performance)
• can be serverless (for unpredictable loads)

Question 58

elasticache

Answer 58

caching, memcached and redis

memcached: simple, horizontal scaled key-value store
redis: different types, multiple az, backup restore

Question 59

AWS Directory Service

Answer 59

Active Directory (Microsoft) for aws. SSO to ec2 instances
- AD trust to go on prem
AD Connector
Simple AD

Question 60

cloud directory

Answer 60

directory based store for developers

Question 61

load balancers

Answer 61

application load balancer: most features
network load balancer: high performance
classic load balancer: legacy
x-forwarded-for: users public ip address
load balancers exist in an az
listeners: check for http requests
target groups: instance targets

Question 62

sticky sessions

Answer 62

bind users session to specific instance

Question 63

cross zone load balancing

Answer 63

make sure to balance across az’s, number of instances can differ in each az

Question 64

path patterns

Answer 64

path based routing using load balancers

Question 65

auto scaling

Answer 65

auto scaling group: group of instances
configuration templates: instructions on what to launch
scaling options: how you scale your group

Question 66

auto scaling options

Answer 66

maintain current instance levels
manually
on a schedule
based on demand (reactive)
based on predictions (proactive)

Question 67

HA Architecture

Answer 67

plan for failure

Question 68

server migration service

Answer 68

can be used on premises. migrate on prem workloads to aws

Question 69

application discovery service

Answer 69

gathers information about on premises data centers

Question 70

sqs

Answer 70

maximum visibility timeout 12 hours. long polling returns a response until messages arrive in the queue