Notes taken during preparation for the AWS SA Associate Certification.
Purpose
The AWS Solutions Architect Certification is intended for individuals who perform a Solutions Architect role. This exam validates an examinee’s ability to effectively demonstrate knowledge of how to architect and deploy secure and robust applications on AWS technologies.
Exam Domains
The exam is broken down into 5 domains. These domains are the 5 pillars of the AWS Well Architected Framework.
- Design Resilient Architectures (34%)
  - Choose reliable/resilient storage
  - Determine how to design decoupling mechanisms using AWS services
  - Determine how to design a multi-tier architecture solution
  - Determine how to design high availability and/or fault tolerant architectures
- Define Performant Architectures (24%)
  - Choose performant storage and databases
  - Apply caching to improve performance
  - Design solutions for elasticity and scalability
- Specify Secure Applications and Architectures (26%)
  - Determine how to secure application tiers
  - Determine how to secure data
  - Define the networking infrastructure for a single VPC application
- Design Cost-optimized Architectures (10%)
  - Determine how to design cost-optimized storage
  - Determine how to design cost-optimized compute
- Define Operationally Excellent Architectures (6%)
  - Choose design features in solutions that enable operational excellence
AWS Services List
- Edge Location – endpoints for AWS that are used for caching content, typically consisting of CloudFront. There are more edge locations than regions (205 locations as of 2020).
- Compute
  - EC2
  - EC2 Container Service (ECS)
  - Elastic Beanstalk
  - Lambda
  - Lightsail (easy server provisioning, simple EC2)
  - Batch (EC2)
- Storage
  - S3 (object based storage)
  - EFS (file store)
  - Glacier
  - Snowball (data transport hardware)
  - Storage Gateway – a VM that runs in your on-prem data center and mimics AWS storage
- Databases
  - RDS
  - DynamoDB
  - Elasticache
  - Redshift (warehouse)
- Data migration
  - AWS Migration Hub (migration service)
  - Application Discovery Service
  - Database Migration Service (DMS)
  - Server Migration Service
  - Snowball
- Networking
  - VPC
  - CloudFront (CDN)
  - Route53 (DNS)
  - API Gateway
- Developer Tools
  - Codestar
  - CodeCommit
  - CodeBuild
  - CodeDeploy (to EC2)
  - CodePipeline (CI/CD)
  - X-Ray (analyze serverless apps)
  - Cloud9 (IDE)
- Management Tools
  - CloudWatch
  - CloudFormation
  - CloudTrail
  - Config
  - OpsWorks (like ELB, uses Chef/Puppet to automate environment)
  - Service Catalog (catalog of IT services approved for use)
  - Systems Manager (manages EC2 for things like patching)
  - Trusted Advisor (analyzes your services to give advice on improvements, like security, cost)
- Managed Services
- Media Services
  - Elastic Transcoder – can process video
  - MediaConnect – a high-quality transport service for live video. Today, broadcasters and content owners rely on satellite networks or fiber connections to send their high-value content into the cloud or to transmit it to partners for distribution.
  - MediaConvert – file-based video transcoding service with broadcast-grade features. It allows you to easily create video-on-demand (VOD) content for broadcast and multiscreen delivery at scale.
  - MediaLive – broadcast-grade live video processing service. It lets you create high-quality video streams for delivery to broadcast televisions and internet-connected multiscreen devices, like connected TVs, tablets, smart phones, and set-top boxes. The service works by encoding your live video streams in real-time, taking a larger-sized live video source and compressing it into smaller versions for distribution to your viewers.
  - MediaPackage – reliably prepares and protects your video for delivery over the Internet.
  - MediaStore – AWS storage service optimized for media. It gives you the performance, consistency, and low latency required to deliver live streaming video content.
  - MediaTailor – lets video providers insert individually targeted advertising into their video streams without sacrificing broadcast-level quality-of-service. With AWS Elemental MediaTailor, viewers of your live or on-demand video each receive a stream that combines your content with ads personalized to them.
- Machine Learning
  - SageMaker – deep learning
  - Comprehend – sentiment analysis
  - DeepLens – camera
  - Lex
  - Machine Learning – unlike SageMaker, it is more basic; it analyzes the data sets given to it
  - Polly
  - Rekognition
  - Amazon Translate (voice translate)
  - Amazon Transcribe (text translate)
- Analytics
  - Athena – SQL queries against S3
  - Elastic Map Reduce (EMR) – processing large amounts of data (big data)
  - CloudSearch
  - ElasticSearch Service
  - Kinesis
  - Kinesis Video Streams
  - QuickSight
  - Data Pipeline – moving data between AWS services
  - Glue – for ETL (extract transform load)
- Security and Identity Compliance
  - IAM – Identity Access Management
  - Cognito
  - GuardDuty
  - Inspector – checks for vulnerabilities on EC2
  - Macie – scans S3 for PII (personally identifiable information)
  - Certificate Manager – SSL certs
  - CloudHSM (Hardware Security Module) – dedicated hardware that stores keys
  - Directory Service
  - WAF (Web App Firewall) – layer 7 firewall, stops XSS, SQL injection
  - Shield – 24/7 DDoS attack protection, expensive
  - Artifact – Service Organization Control (SOC) reports and other AWS compliance documentation
- Mobile Services
  - Mobile Hub
  - Pinpoint
  - AWS AppSync
  - Device Farm
  - Mobile Analytics
- AR / VR
  - Sumerian – virtual world
- Application Integration
  - Step Functions
  - SNS
  - SQS
  - SWF
  - Amazon MQ
- IoT
  - IoT Core
  - IoT Device Management
  - IoT Greengrass
- Customer Engagement
  - Connect – cloud call center
  - Simple Email Service
  - Alexa for Business
  - Chime
  - WorkDocs
  - WorkMail
  - Workspaces
  - AppStream
- Gaming
  - GameLift
Exam Tips
Kinesis vs Redshift or EMR (Elastic Map Reduce)
- Kinesis is for consuming large amounts of data, such as streaming social media, news feeds, logs, etc.
- Redshift is for Business Intelligence
- EMR is for Big Data processing
OpsWorks
- Orchestration service using Chef
- Chef consists of recipes to maintain consistent state
- Any question regarding chef or recipes or cookbooks is related to OpsWorks
Elastic Transcoder
- Media transcoder in the cloud; converts media files to different formats, such as formats suited to mobile devices.
AWS Well Architected Framework
- Security
  - Data Protection – encryption at rest and in transit; ELB, EBS, S3
  - Privilege management – managing root accounts and roles; limit automated access; key management in IAM, MFA
  - Infrastructure protection – enforce network and host level boundary protection; protect IaaS through patching and monitoring; VPC, Security Groups
  - Detective Controls – CloudTrail, AWS Config, auditing
- Reliability
  - Manage service limits, plan network topology and have an escalation path for issues
  - Change Management in place to adapt to changes and monitor them
  - Failure Management in place, such as backups and DR plans
- Performance Efficiency
  - Compute – use appropriate instance types and plan for upgrading; monitor and match demand
  - Storage – use appropriate storage; monitor and ensure storage matches the throughput required; use proper database solutions; monitor capacity and throughput
  - Space-time trade-off – use proximity and caching solutions and monitor their performance
- Cost Optimization
  - Matched supply and demand – ensure capacity matches need (neither below nor above)
  - Cost effective resources – use of RIs or managed services
  - Expenditure awareness – monitor costs, set alerts, plan for costing
  - Optimizing over time
- Operational Excellence
  - Preparation
    - AWS Config for inventory
    - AWS Service Catalog for standardized products
    - Autoscale, SQS
  - Operation
    - AWS CodeStar and other Code* services, use of SDKs
    - CloudTrail to monitor
  - Responses
    - CloudWatch, set alarms
Sample Questions
The following sample questions were gathered from a variety of study sources, mostly from the AWS training center at aws.training.
When designing a loosely coupled system, which AWS services provide an intermediate durable storage layer between components?
- CloudFront
- Kinesis
- Route 53
- CloudFormation
- SQS
Which type of DNS record should you use to resolve a domain name to another domain name?
- A record (ip address)
- CNAME record (actual name)
- D record (dne)
- PTR record (pointer record for reverse DNS lookup)
Your application polls an SQS queue frequently and returns immediately, often with empty responses. What is one thing that can be done to reduce SQS costs?
- Pricing on SQS does not include a cost for service requests; therefore, there is no concern
- Increase the timeout value for short polling to wait for messages longer before returning a response
- Change the message visibility value to a higher number
- Use long polling by supplying a value for WaitTimeSeconds
Which AWS db service is best suited for traditional Online Transaction Processing (OLTP)?
- Redshift (not OLTP)
- RDS
- ElastiCache (temporary)
- Neptune (graph db)
In the basic monitoring package for EC2, what CloudWatch metrics are available?
- Web server visible metrics such as number of failed transaction requests (CloudWatch can't see this by default)
- OS visible metrics such as memory utilization (CloudWatch can't see this by default)
- DB visible metrics such as number of connections (available in RDS but not in EC2)
- Hypervisor visible metrics such as CPU utilization (CW can see CPU)
Which of the following is the Amazon side of a VPN connection?
- Elastic IP / EIP (not really related to VPC)
- Customer Gateway CGW (this is on customer side)
- Internet Gateway IGW (it is on AWS side but not related to VPN)
- Virtual Private Gateway VPG (this is AWS’s service for setting up VPN connection)
How can you authenticate to a new Amazon Linux instance using SSH?
- Decrypt the root password (this is more for Windows)
- Provide a username and password (this is not provided by default)
- Use the private half of a key pair (the public side is stored into the EC2, the private side provided to user as .pem)
- Use MFA (not necessary)
- Provide an Access Key and Secret Key (this is IAM permissions)
What is needed to enable cross-region replication between two S3 buckets?
- Buckets must be in the same AWS account (no)
- Enable versioning on the buckets (this is required for cross-region replication)
- Enable static website hosting on the source bucket (not related to replication)
- The IAM user must have read access on the source bucket and write on the destination bucket (IAM not necessary for this)
- S3 must be attached to an Internet Gateway (not necessary)
Your company provides a mobile voting app for a popular TV show, and 5-25 million viewers all vote in a 15 second timespan. What mechanism can you use to decouple the voting app from your backend services that tally the votes?
- ElastiCache (more about performance, not decouple)
- SQS
- Redshift (BI data warehouse, not really related to this)
- Simple Notification Service SNS (may not perform for this scale)
What type of AWS Elastic Beanstalk environment tier provisions resources to support a web app that handles background processing tasks?
- Web server environment tier
- Worker environment tier (this is the backend processing)
- Database environment tier
- Batch environment tier (not really related)
Each month your company processes 200TB of data in S3, taking 24hrs to complete. Which method is most cost-effective?
- Copy the data to a persistent EMR cluster and run MapReduce jobs
- Create an app that reads the information from S3 and runs it through a Kinesis stream
- Run a transient EMR cluster and run MapReduce jobs against the data directly in S3
- Launch a d2.8xlarge EC2 instance and run an app to read and process each object sequentially
An EC2 instance is being underutilized so you decide to downsize the instance. You stop the instance and change its Instance Type. However, you are unable to start the instance again because it is now in a Terminated state. What caused the instance to Terminate?
- It was using Instance Store for the boot volume
- It was a Spot Instance (user cannot stop spot)
- The instance had been launched using Auto Scaling
- It was using a capacity reservation that is no longer available
You have an AWS Lambda function that needs access to a public API on Internet and a RDS instance in a private subnet of a VPC. How do you configure such access?
- Associate the Lambda function with a private subnet in the VPC and associate an Elastic IP address to the Elastic Network Interface (networking won't work)
- Launch a NAT Gateway in a public subnet and associate the Lambda function with a private subnet in the VPC (NAT provides the Internet access)
- Associate the Lambda function with a public subnet in the VPC and create a VPC Endpoint for Amazon RDS (it's not giving Internet access)
- It is not possible to connect a Lambda function simultaneously to a private subnet and the Internet
Hundreds of buses are sending realtime coordinates to SQS FIFO queue. The queue has thousands of messages, but after retrieving 10 messages no more messages can be retrieved. What could be the cause?
- SQS FIFO queues have a maximum of 10 in flight messages (this can be tuned)
- Each bus should use its own MessageGroupID (A way of grouping messages, which applies in this case since there are multiple buses)
- Dead Letter Queue is full
- Long Polling should be used (does not apply)
Your corporate data center was recently flooded, which caused significant outages. Your CIO mandated a move to the cloud but they are still concerned about catastrophic failures in the data center. What can you do to alleviate their concerns?
- Distribute the architecture across multiple AZs
- Use VPC with subnets
- Launch the compute in a placement group
- Purchase Reserved Instances for the processing of servers
Which feature of AWS is designed to permit calls to the platform from an EC2 instance without needing access keys placed on the instance?
- IAM instance profiles
- IAM groups (group is collection of users, not applicable)
- IAM roles (roles are not attached directly to the instance but instead to the Instance Profile of EC2)
- EC2 key pairs
Your company has 50,000 weather stations that send updates every 2 seconds. What service will enable you to ingest this stream of data and store it in S3 for future processing?
- SQS (not the most efficient or performant solution)
- Kinesis Data Firehose (made specifically for this)
- EC2 (not applicable)
- Data Pipeline (more of an ETL engine to move data)
You have an application that for legal reasons must be hosted in US when US citizens access it. The app must be hosted in the EU when citizens of the EU access it. For all other citizens of the world, the app must be hosted in Sydney. Which routing policy should you choose in order to achieve this?
- Latency-based routing
- Data Governance routing (no such thing)
- Geolocation routing
- IP lookup routing (there is no such thing)
How can you grant a different AWS account permission to send messages to your SQS queue?
- Have the other account’s app use your account’s credentials to access SQS queue
- Create an IAM user for the other account and add an IAM policy that grants access to the queue (this is only for same accounts)
- Create an SQS policy that grants the other account access
- Use VPC peering between the two accounts (SQS doesn't use VPC; VPC peering is about networking)
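To make the correct answer concrete, here is an added example (not from the original notes or any AWS library) that builds the SQS queue policy granting one other account `sqs:SendMessage`, and an audit helper that flags the common mistake of a wildcard principal, which would make the queue writable by anyone. The account IDs and queue ARN are constructed placeholders.

```python
"""Added example: build a cross-account SQS queue policy and audit a policy for
wildcard principals. Account IDs and the queue ARN are constructed placeholders."""
import json

# Constructed placeholder values; substitute real ARNs / account IDs in practice.
QUEUE_ARN = "arn:aws:sqs:us-east-1:111111111111:votes-queue"
OTHER_ACCOUNT_ID = "222222222222"


def cross_account_send_policy(queue_arn: str, sender_account_id: str) -> dict:
    """Queue (resource-based) policy allowing one other account to SendMessage.

    The Principal is the other account's root ARN, so the other account's admin
    still has to delegate sqs:SendMessage to its own users or roles via IAM.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowCrossAccountSend",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{sender_account_id}:root"},
                "Action": "sqs:SendMessage",
                "Resource": queue_arn,
            }
        ],
    }


def _principals(statement: dict) -> list:
    """Flatten the Principal element into a list of strings ("*" stays "*")."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    values = principal.get("AWS", []) if isinstance(principal, dict) else []
    return values if isinstance(values, list) else [values]


def find_public_statements(policy: dict) -> list:
    """Return the Sids of Allow statements that grant access to any AWS principal
    without a Condition block; such a statement makes the queue publicly
    accessible and is what to look for when auditing queue policies."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if "*" in _principals(stmt):
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


def policy_json(policy: dict) -> str:
    """Serialise as the JSON string the queue's Policy attribute takes."""
    return json.dumps(policy, separators=(",", ":"))


if __name__ == "__main__":
    good = cross_account_send_policy(QUEUE_ARN, OTHER_ACCOUNT_ID)
    print(policy_json(good))
    print("public statements:", find_public_statements(good))
```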
You are building a photo management app that maintains metadata on millions of images in a DynamoDB table. When a photo is retrieved, you want to display the metadata next to the image. Which DynamoDB operation will you use to retrieve the metadata attributes from the table?
- Query operation
- Scan operation (searches the entire table)
- Search operation (dne)
- Find operation (dne)
What are some reasons to enable cross region replication on an S3 bucket? (choose 2)
- You want to backup your data in case of accidental deletion (can use versioning or policies)
- You have a set of users or customers who can access the second bucket with lower latency
- For compliance reasons, you need to store the data in a location at least 300 miles away from the first region
- Your data needs at least five 9s of durability
Which EC2 feature ensures that your instances will not share a physical host with instances from any other AWS customer?
- VPC
- Cluster placement groups
- Dedicated instances
- Reserved instances
Your web app runs on multiple EC2 instances behind an application load balancer. The load balancer is configured to perform health checks on the EC2 instances. If an instance fails to pass health checks, which statement will be true?
- The instance is replaced automatically by the load balancer
- The instance is terminated automatically by the load balancer
- The load balancer stops sending traffic to the instance that failed its health check
- The instance is quarantined by the load balancer for root cause analysis
Which of the following actions can be authorized by IAM? (choose 2)
- Installing ASP.NET on a Windows Server
- Launching an Amazon Linux EC2 instance
- Querying an Oracle database
- Adding a message to an SQS queue
What aspect of an Amazon VPC is stateful?
- Network ACLs (these are just rules)
- Security Groups – virtual firewall; inbound and outbound rules are evaluated separately, but return traffic for an allowed request is permitted automatically, which is what makes them stateful
- VPC Peering (just a link, theres no state)
- VPC Subnet (these are part of VPC)
From the VPC documentation:
Security groups are stateful — if you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound security group rules. Responses to allowed inbound traffic are allowed to flow out, regardless of outbound rules.
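A small model of the distinction the quote describes, added here as an illustration (it is not from the original notes or from AWS): a security group remembers the flows it allowed and lets the reverse direction through, while a network ACL judges every packet on its own, so a reply to an outbound request needs its own inbound rule on the ephemeral port range. The addresses, ports and rules are constructed for the example.

```python
"""Added illustration (not from the original notes or AWS code): a tiny model of
why a security group is stateful while a network ACL is not. The rules,
addresses and ports below are constructed for the example."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out", relative to the instance
    src: str
    dst: str
    src_port: int
    dst_port: int

@dataclass(frozen=True)
class Rule:
    direction: str
    port_lo: int
    port_hi: int

    def matches(self, p: Packet) -> bool:  # rules key on the destination port
        return self.direction == p.direction and self.port_lo <= p.dst_port <= self.port_hi

class NetworkACL:
    """Stateless: every packet is judged on its own against the rule list."""
    def __init__(self, rules):
        self.rules = list(rules)

    def allows(self, p: Packet) -> bool:
        return any(r.matches(p) for r in self.rules)

class SecurityGroup(NetworkACL):
    """Stateful: an allowed packet records its flow; the reverse direction of a recorded flow passes regardless of rules."""
    def __init__(self, rules):
        super().__init__(rules)
        self.flows = set()

    def allows(self, p: Packet) -> bool:
        if (p.dst, p.dst_port, p.src, p.src_port) in self.flows:
            return True  # response to a tracked request
        if super().allows(p):
            self.flows.add((p.src, p.src_port, p.dst, p.dst_port))
            return True
        return False

# Constructed scenario: the instance (10.0.1.10) opens an HTTPS connection to
# 203.0.113.5 from ephemeral port 51000; the server's reply comes back inbound.
REQUEST = Packet("out", "10.0.1.10", "203.0.113.5", 51000, 443)
REPLY = Packet("in", "203.0.113.5", "10.0.1.10", 443, 51000)
OUTBOUND_HTTPS_ONLY = [Rule("out", 443, 443)]

def security_group_reply_allowed() -> bool:
    """With only an outbound rule, the security group still lets the reply in."""
    sg = SecurityGroup(OUTBOUND_HTTPS_ONLY)
    return sg.allows(REQUEST) and sg.allows(REPLY)

def nacl_reply_allowed(ephemeral_inbound_rule: bool) -> bool:
    """The NACL needs an explicit inbound rule on ephemeral ports for the reply."""
    extra = [Rule("in", 1024, 65535)] if ephemeral_inbound_rule else []
    acl = NetworkACL(OUTBOUND_HTTPS_ONLY + extra)
    return acl.allows(REQUEST) and acl.allows(REPLY)
```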
What are characteristics of EC2 Auto Scaling service? (choose 2)
- Sends traffic to healthy instances (ELB)
- Responds to changing conditions by Stopping/Starting instances (auto scaling doesn't stop/start, it creates/destroys)
- Responds to changing conditions by Terminating and Launching instances
- Enforces a minimum number of running EC2 instances
When using RDS multi-AZ how can you offload read requests from the primary? (choose 2)
- Configure the app to connect to the secondary node for reads and the primary node for writes (not possible)
- Amazon RDS automatically sends writes to the primary and sends reads to the secondary (primary always does read/write, so this not possible)
- Add a read replica DB instance and configure the client app logic to use the read replica
- Use ElastiCache to cache frequently used data. Update the app logic to read/write from the cache
Your company has its primary production site in NA and its DR site in Asia. You need to configure DNS so that if your primary site becomes unavailable, you can fail DNS over the secondary site. Which DNS routing policy would best achieve this?
- Weighted routing (multiple records with different weights, this is more for auto balancing as both records are active)
- Geolocation routing (multiple active records based on location)
- Simple routing
- Failover routing (multiple records, setup health check, only one record active at a time)
Route 53 is named after port 53, the port DNS runs on.
What two features are supported with EBS volume snapshot feature?
- EBS replication across regions
- EBS multi-zone replication
- EBS single region only
- Full snapshot data only
- Unencrypted snapshot only
What two resource tags are supported for an EC2 instance?
- VPC endpoint
- EIP
- Network Interface
- Security Group
- Flow Log
What two options are available to alert tenants when an EC2 instance is terminated?
- SNS
- CloudTrail
- Lambda
- SQS
- STS
What class of EC2 instance type is recommended for data analytics?
- Memory
- Compute
- Storage
- General
What class of EC2 instance type is recommended for database servers?
- Memory
- Compute
- Storage
- General
What two attributes distinguish each pricing model?
- Reliability
- Service
- Discount
- Performance
- Redundancy
References
AWS Certification
https://www.aws.training/Certification
AWS Training (Free available)
https://www.aws.training/Details/eLearning?id=20686
AWS Whitepapers
https://aws.amazon.com/whitepapers