Solution Architect Associate 2021 Flashcards
What are four key services for Compute?
EC2
Elastic Beanstalk
Lambda
Lightsail
What are five key services for Storage?
S3 EBS EFS FSx Storage Gateway
What are three key services for Databases?
DynamoDB
Redshift
RDS
What are five key services for Networking?
API Gateway Direct Connect Global Accelerator Route 53 VPCs
What’s a Region?
A physical location in the world that consists of two or more Availability Zones (AZs).
What’s an Availability Zone?
One or more discrete data centers housed in separate facilities
What’s an Edge Location?
Endpoints for caching content, usually CloudFront CDN.
Name the three IAM Policy Statement options
Effect
Action
Resource
How big can files in S3 be?
5 TB
What does the S3 key-value pair represent?
Object name - object binary
Name the six S3 storage classes
Standard Standard Infrequently Accessed (IA) One-Zone IA Glacier Glacier Deep Archive Intelligent Tiering
What is S3 Object Lock?
The ability to store objects with a write-once, read-many (WORM) model
What are the two S3 Object Lock modes?
Governance mode where users can’t overwrite/delete object versions or alter lock settings without special permissions
Compliance mode where nobody can overwrite/delete objects, including the root user
What is S3 Glacier Vault Lock?
A policy that locks an S3 Glacier vault’s compliance controls that can no longer be edited once set
How many S3 object GET requests can there be per second per prefix (folder)?
5500
What are the three S3 SSE-KMS requests/second limit quotas?
5500
10k
30k
What files sizes should and must use multipart uploads to S3?
100+ MB
5+ GB
What’s S3 Replication?
Automatic copying of objects from one bucket to another
What are the four EC2 pricing options?
On-Demand
Spot
Reserved
Dedicated
What are the three networking interface options for EC2?
Elastic Network Interface (ENI) for standard use
Enhanced for 10-100 Gbps throughput
Elastic Fiber Adapter (EFA) for HPC/ML
What are the three types of EC2 Placement Groups?
Cluster within an AZ for low latency, high throughput
Spread across distinct hardware for critical uptime and high availability
Partition across distinct hardware for multiple logical partitions supporting HDFS (Hadoop), HBase, or Cassandra
Which EC2 instance type is good for addressing special software licensing requirements?
Dedicated
What is EBS?
Elastic Block Store for EC2 instances
What’s the difference between EBS and Instance Store volumes for EC2?
Instance store volumes are ephemeral and data will be lost if the attached EC2 instance is stopped or terminated, while EBS volumes can persist if the attached EC2 instance is stopped or terminated.
How long can EC2 On-Demand and Reserved instances be hibernated?
60 days
What is EFS?
Elastic File System for shared storage across EC2 instances using the Network File System v4 (NFS) protocol
How large can EFS scale up to?
Terabytes
How many concurrent connections can EFS support?
Thousands
Where is EFS data stored within a region?
Across multiple AZs
What is the data consistency pattern for EFS?
Read-after-write
What is FSx for Windows?
Centralized storage for Windows-based applications like SharePoint, SQL Server, etc.
What is FSx for Lustre?
High-speed, high-capacity distributed storage for HPC, financial modeling, etc. and is stored on S3
What is AWS Backup?
For consolidating backup policies and automations across services, organizations, and accounts
What are the six RDS database types?
Aurora MariaDB MySQL Oracle PostgreSQL SQL Server
How many database read replicas are allowed per database instance?
5
What’s the difference between Multi-AZ and Read-Replica RDS configurations?
Multi-AZ is for disaster recovery of the primary instance while read replicas are for increased performance
How many copies of data does RDS Aurora store?
2 per AZ across 3 AZs for 6 copies total
What is the primary RDS Aurora Serverless use case?
Provides a relatively simple, cost-effective option for infrequent, intermittent, or unpredictable workloads
Across how many geographically distinct data centers is DynamoDB data stored?
3
What’s the difference between DynamoDB Eventually and Strongly consistent reads?
Eventually consistent reads can be reached within one second for better performance, while Strongly consistent reads occur when all writes have been completed
What are DynamoDB Transactions?
All-or-nothing database operations good for financial transactions for fulfilling orders
What are the three read consistency options in DynamoDB?
Eventual
Strong
Transactional
How may items or how much data can a DynamoDB Transaction support?
Up to 25 items or 4 MB of data
What does ACID stand for and to which AWS service does it apply?
Atomicity
Consistency
Isolation
Durability
Applies across one or more tables within a single DynamoDB account or region
Which RDS service has On-Demand Backup and Restore?
DynamoDB
What is the time range for the DynamoDB Point-In-Time-Recovery (PITR) function?
Between 5 minutes and 35 days
What is the DynamoDB feature that can be combined with Lambda functions for stored procedure-like functionality?
DynamoDB Streams
For how long can DynamoDB Streams data be stored?
24 hours
How does DynamoDB Streams chunk its data?
With a time-ordered sequence of shards
What is DynamoDB Global Tables?
Managed multi-master and multi-regional data replication for globally distributed applications
What is DynamoDB Global Tables based on?
DynamoDB Streams
What is the replication latency for DynamoDB Global Tables?
Under 1 second
What five items do VPCs consist of?
Internet or Virtual Private Gateways Route Tables Access Control Lists (ACLs) Subnets Security Groups
In how many AZs is a subnet located?
1
What’s the throughput range of a NAT Gateway?
5 to 45 Gbps
How do you make a NAT Gateway highly available across AZs?
Create a NAT Gateway in each AZ and configure routing to ensure resources use the gateway in their same AZ
Are security groups stateful or stateless?
Stateful
What networking function do you use to block IP addresses?
Network ACLs
What does each subnet need to be associated with?
A Network ACL
How are Network ACLs evaluated?
By a numbered list of rules starting with lowest number first
Are Network ACLs stateful or stateless?
Stateless
What does Direct Connect do?
Establishes a dedicated network connection between on-premise data center and AWS
What is a VPC Endpoint?
When you want to connect AWS services without leaving the AWS internal network
What are the two types of VPC Endpoints?
Interface
Gateway
Which two AWS services do VPC Gateway Endpoints support?
DynamoDB
S3
How do you connect VPCs with one another?
Via Peering that works in a star configuration (no transitive peering) and between regions
What service do you use to peer VPCs among tens, hundreds, or thousands of customer VPCs?
PrivateLink
What two things does PrivateLink require?
A network load balancer on the service VPC and an ENI on the customer VPC
What is Transit Gateway?
A network transit hub that connects your VPCs and on-premises networks
What are the two types of network connections that Transit Gateway works with?
Direct Connect
VPN
What is the only networking service that supports IP multicast?
Transit Gateway
What is VPN CloudHub?
Allows you to securely communicate from one physical site to another via Virtual Private Gateways and Customer Gateways
In Route 53, which is preferred: Alias or CNAME?
Alias
What are the four common DNS record types?
A
CNAME
NS
SOA
What are the 7 routing policies available with Route 53?
Simple Weighted Latency-Based Failover Geolocation Geoproximity Multivalue Answer
How many days can it take for a new domain name to register?
3
How does Route 53 return the IP values to the user in a Simple Routing policy?
Randomly
How does Route 53’s Weighted Routing policy direct user traffic?
By percentage amount of traffic to one IP address versus another in relation
How does Route 53’s Latency Routing policy direct user traffic?
To the IP with the lowest latency with the user, usually in miliseconds
How does Route 53’s Failover Routing policy direct user traffic?
In active/passive mode where traffic goes to the active IP until a failure is detected which then routes traffic to the passive IP
How does Route 53’s Geolocation Routing policy direct user traffic?
By sending users to the AWS region physically closest to them
How does Route 53’s Geoproximity Routing policy direct user traffic?
Similar to Geolocation Routing with users sent to the AWS region physically closest to them, but with an optional Bias setting to expand/shrink the size of a geographic region; and it must use Traffic Flow
How does Route 53’s Multivalue Answer Routing policy direct user traffic?
By routing users to multiple resources that have associated health checks
What are the 3 different types of Elastic Load Balancers and on what network layers do they apply?
Application (Layer 7)
Network (Layer 4)
Classic (Layer 4 and 7)
What is the primary limitation of an Application Load Balancer?
It only supports HTTP and HTTPS
When would you use a Network Load Balancer over an Application Load Balancer?
When you need extreme performance at Layer 4 and other use cases where you need protocols not supported by Application Load Balancers
With Classic Load Balancers, what HTTP error code means the gateway has timed out?
504
With Classic Load Balancers, what HTTP header do you need in order to find out the IPv4 address of the end user?
X-Forwarded-For
What’s a Sticky Session?
Where users are directed to the same resource for the duration of a session
What does a Deregistration Delay (aka Connection Draining) on an Elastic Load Balancer do?
Keeps existing connections open to an EC2 instance for a set period of time after it becomes unhealthy; disable if you want the load balancer to close connections immediately
What is the main tool for anything alarm related?
CloudWatch
What service is best to monitor AWS standards?
Config
What are the standard and detailed monitoring delivery intervals for CloudWatch?
Standard = 5 minutes Detailed = 1 minute
What is the log monitoring tool that works for EC2, CloudTrail, and Route 53?
CloudWatch Logs
What monitoring service allows for SQL queries?
CloudWatch Logs Insights
What service is best for real-time logging?
Kinesis
What’s the only service that can make use of Auto Scaling?
EC2
What’s a better alternative to EC2 user data to help avoid long provisioning times during Auto Scaling?
Building custom AMIs
What can you use in EC2 to allow for a situation where the failure of a legacy codebase or resource that can’t be scaled can automatically recover from failure?
Steady state groups
Which database service has the most scaling options?
RDS
What type of scaling is preferred for databases?
Horizontal
What does DynamoDB scaling come down to?
Access patterns
What two things should you check for when SQS is consistently showing duplicate messages?
A misconfigured visibility timeout
The developer is failing to delete the message via API call
What do you need to set up for there to be bidirectional message queueing?
A second SQS queue
For how long can SQS messages persist?
14 days
What SQS setting do you need if message ordering is important?
First In First Out (FIFO)
What is the default Visibility Timeout in SQS?
30 seconds
What is the default Message Retention Period in SQS?
4 days
What is the default Delivery Delay in SQS?
0 seconds
What is the default maximum message size in SQS?
256 KB
What is the default Receive Message Wait Time for a standard SQS queue?
0 seconds for short polling; any non-zero value sets long polling
What is the default Enable Content-Based Deduplication setting for a FIFO SQS queue?
Disabled
What is the best service for proactive notifications like email, text, or push-based?
Simple Notification Service (SNS)
What service is best for getting notified of CloudWatch alarms?
Simple Notification Service (SNS)
What service acts as a secure front door to external communications coming into an application environment?
API Gateway
Is Redshift a suitable replacement for RDS in traditional applications?
No
What kind of AZ deployments does Redshift support?
Single; you can create multiple clusters in different AZs, but they’re separate deployments and it’s not highly available by default
What service does EMR reside on?
EC2
What is the only service with a real-time response?
Kinesis
How long can Kinesis store data when used as a queue?
Up to 1 year
What service is good for serverless SQL or querying data that is stored in S3?
Athena
What is Glue?
Serverless ETL that can help create a schema for your data when paired with Athena
What service provides visualizing data in dashboards?
QuickSight
What service when combined with Logstash and Kibana creates an ELK stack that is a common way to search over server logs?
Elasticsearch
What’s the best way to enable credentials with Lamba functions?
Roles
What are three common Lambda triggers?
S3
Kinesis
EventBridge (CloudWatch Events)
How much RAM can a Lambda function consume?
Up to 10 GB
For how long can a Lambda function run?
Up to 15 minutes
What’s a better way to perform an automated action than scraping through CloudTrail logs?
EventBridge (CloudWatch Events) rules and Lambda functions
What open source container management service can run in AWS and on-premises?
Elastic Kubernetes Service (EKS)
What is Fargate?
A serverless compute engine that works with Elastic Container Service (ECS) and Elastic Kubernetes Service (EKS) that removes the need to provision and manage servers
Which is more favored on the exam: containers or EC2?
Containers
What are the four steps to implement a container?
- Create a Dockerfile
- Build an image
- Upload to a repository
- Run it on a host
What are the two types of Distributed Denial of Service (DDoS) attacks?
Layer 4 such as SYN floods or NTP amplification
Layer 7 such as GET/POST request floods
What three things does logging API calls with CloudTrail allow?
After-the-fact incident investigation
Near real-time intrusion detection
Industry/regulatory compliance auditing
Where does CloudTrail store its logs?
S3
What is Shield?
It protects against DDoS network Layer 3 and 4 attacks
How much does Shield Advanced cost and what does it provide extra?
$3000 per month with a dedicated DDoS response team
What are the three things the Web Application Firewall (WAF) service allows you to do?
Allow all requests except the ones you specify
Block all requests except the ones you specify
Count the requests that match the properties you specify
What service blocks network Layer 7 DDoS attacks, SQL injections, and cross-site scripting?
Web Application Firewall (WAF)
What service can block access to specific countries or IP addresses?
Web Application Firewall (WAF)
What is GuardDuty?
Alerts you of any abnormal or malicious behavior in your account using AI to learn what normal behavior looks like
What does GuardDuty do with external feeds from third parties?
Updates a database of known malicious domains
What three things does GuardDuty monitor?
CloudTrail logs
DNS logs
VPC Flow Logs
How can you address threats that appear in GuardDuty?
With EventBridge (CloudWatch Events) that can trigger Lambda functions
What does Macie do?
Helps identify sensitive PII, PHI, and financial data residing in S3 using AI
How can Macie alerts be addressed?
Sent to EventBridge (CloudWatch Events) and remediate with Lambda or Step Functions
What does Inspector do?
Performs host and network vulnerability scans on EC2 instances and VPCs that can be run once or weekly
What is Key Management Service (KMS)?
Allows you to create and control the encryption keys used to encrypt your data
What do you need in order to start using Key Management Service (KMS)?
By requesting the creation of a Customer Master Key (CMK)
What are the three ways to generate a Customer Master Key (CMK) for KMS?
AWS creates the CMK for you on their Hardware Security Modules (HSM)
Have the key material generated and used in a CloudHSM cluster as part of the custom key store feature in KMS
Import your own key material from your own key management infrastructure and associate it with a CMK
What are three ways to control encryption key permissions?
Use the key policy
Use IAM policies in combination with the key policy
Use grants in combination with the key policy
What are the differences between KMS and CloudHSM?
KMS is on shared hardware with automatic key generation and rotation
CloudHSM is on dedicated hardware with full control of users, groups, keys, etc. but with no automatic key rotation
What is Secrets Manager?
Allows you to securely store application secrets such as database credentials, API keys, SSH keys, passwords, etc.
What are the application caveats to using Secrets Manager?
Make sure application instances are configured to use Secrets Manager before enabling credential rotation as they rotate easily but immediately
When should you use Parameter Store over Secrets Manager and at what threshold?
To minimize cost with up to 10,000 parameters
In what three scenarios should you use Secrets Manager over Parameter Store?
When you need:
More than 10,000 parameters
Key rotation
The ability to generate passwords using CloudFormation
What service feature allows you to share private files in your S3 buckets?
Presigned URLs
In IAM policies, not explicitly allowed means what?
Implicitly denied
In IAM policies, what supersedes all else?
Explicit denies
How are IAM policies put into effect?
By attachment
How are multiple IAM policies applied to an object or resource?
By joins
What are the two ways IAM policies can be managed?
By AWS or by customer
What service allows you to manage SSL certificates?
Certificate Manager
What services does Certificate Manager support?
API Gateway
CloudFront
Elastic Load Balancer
What are the three main sections of a CloudFormation script?
Parameters
Mappings
Resources
What is preferred: Stateless or stateful resource architecture?
Stateless
What service works well with a CloudFormation’s Mappings section to make your templates more flexible and avoid breakage?
Parameter Store
What service provides a simple solution to bundle and deploy applications over CloudFormation?
Elastic Beanstalk
What type of object allows you to configure the internals of an EC2 instance?
Automation Documents
What is Systems Manager?
A centralized user interface to track and resolve operational issues across your applications and resources
What is the only service that can add HTTPS to a static website hosted in an S3 bucket?
CloudFront
Between caching and cost, which one does the exam favor more?
Caching
What service provides for IP caching to reduce issues with customers caching old IP addresses?
Global Accelerator
What are two in-memory databases, and which one is preferred?
Redis and DynamoDB, with DynamoDB being preferred
What service offers in-memory data stores?
ElastiCache
What are the two in-memory data stores supported by ElastiCache?
Redis and Memcached
Which ElastiCache service offers a persistent data store?
Redis
What ElastiCache service supports backups?
Redis
What two services are NOT a source of truth for your data?
ElastiCache for Memcached and DynamoDB Accelerator (DAX)
What is DynamoDB Accelerator (DAX)?
An in-memory cache for DynamoDB
What is the only way to restrict the root user account?
Service Control Policies (SCPs)
Which is preferred: centralized or decentralized logs?
Centralized via CloudTrail
What is the preferred way to add more layers of security and controls: centralized or isolated workloads?
Isolated into separate accounts
What are the three benefits of using Config?
Standardization for compliance using rules
Automated remediation using Automation Documents
Historical changelog of the entire system architecture
What tools do you use to manage internal and external users?
SSO for internal and Cognito for external
What service supports Active Directory?
Directory Service using Managed Microsoft AD
What service do you use for Active Directory on-premise?
Directory Service using AD Connector
What is the best way to enable cross-account access?
Via roles, not unnecessary IAM credentials
What are the three ways to track costs?
Budgets
Cost Explorer
Tags
How do you be proactive with potential cost problems?
By implementing SNS alerts when costs reach a certain threshold
What is preferred when a cost problem is encountered: automated or manual intervention?
Automated
What is Trusted Advisor?
Provides recommendations that help you follow AWS best practices
What do you need in order to get the most useful checks from Trusted Advisor?
A Business or Enterprise support plan
What is Trusted Advisor’s biggest limitation?
That it’s strictly an auditing tool. It can’t remediate issues that are found.
What’s the best way to resolve problems found in Trusted Advisor?
By using EventBridge to kick off a Lambda function
How much data is Snowball good at migrating?
Terabytes
What’s the difference between Snowcone and Snowmobile?
Snowcone is the smallest migration device
Snowmobile is a shipping container towed by a truck
When is it best to use Snowball for data migration?
Where you have slow or no Internet
What service is good at hybridizing with on-premise storage?
Storage Gateway
Which Storage Gateway option is good for when local network-attached storage is full?
File Gateway
What does Storage Gateway run on?
A local virtual machine (VM) on-premise
What is DataSync?
An agent-based solution that is good for one-time migration of file shares into AWS
What are two viable locations for DataSync to transfer data into?
EFS
FSx
What service allows you to use legacy file transfer protocols to give older applications the ability to read/write in S3?
Transfer Family
What is Migration Hub?
An organization tool that gives you a way to organize all your migration steps, but doesn’t actually perform the migration
What is the Database Migration Service?
A tool for any sort of database migration. It works for on-premise-to-cloud or between internal RDS databases
What is the Server Migration Service?
A tool for migrating server instances out of the data center and into AWS
For what five database engines does RDS support read replicas?
MariaDB MySQL Oracle PostgreSQL SQL Server
What are the two write consistency options in DynamoDB?
Standard
Transactional
