AWS Certified Solutions Architect Associate

Table of content

1. Table of content
2. About the exam
3. Learning resources
4. Active learning
5. Fundamentals
   • Cloud Environment
   • AWS Fundamentals
6. Identity & Governance
   • Accounts
   • IAM
   • Cognito
7. ACM (AWS Certificate Manager)
   • Policies
8. Networking
   • Networking Fundamentals
   • VPC
     • VPC Peering
   • Route 53
     • Public Hosted Zones
     • Private Hosted Zones
     • Routing Types
     • Registering a domain
   • Load Balancers
     • Application Load Balancer (ALB)
     • Network Load Balancer (NLB)
     • Gateway Load Balancer
   • Cloud Front
   • Global Accelerator
9. Compute
   • RDS
     • RDS Backup & Restore
     • Data Security
   • EC2
     • Auto Scaling Groups
10. ECS
    • Lambda
11. Storage
    • S3
    • EFS
    • Aurora
      • Database Migration Service
12. Integration
    • API Gateway
    • SNS
    • SQS
    • Kinesis
13. KMS (Key Management Service)
14. Cloud Formation
15. CloudWatch & Observability
16. Tips
    • Tip #1
    • Tip #2
    • Tip #3

About the exam

https://aws.amazon.com/certification/certified-solutions-architect-associate/

Learning resources

Main resource: https://learn.cantrill.io/p/aws-certified-solutions-architect-associate-saa-c02

Practice exams (dojo): https://portal.tutorialsdojo.com/product/aws-certified-solutions-architect-associate-practice-exams/

Active learning

Basic questions for active learning. Start the session by answering all the questions and mark the answers with emojis depending on the result (see the table below).

Bolded items are either important to understand or there is high likelihood that they will appear on the exam.

Answer Status	Description
👍	You've answered correctly first time, skip repetition for the next session
✋	You've answered the question only partially right, include the question in the next session
👎	You've answered the question wrong and had to lookup the answer. Start from those questions in the next session

You can easily add emojis to markdown by typing :emojiname:

• thumbs up: :+1:
• thumbs down: :-1:
• hand: :hand:

Easiest way to to learn yourself is to:

• clone this repository
• make a copy of this file
• use this regex expression to select and remove (replace with empty) all the <details> tags (they contain the answers to the questions) <(details)>(.|\n)*?</details>, remember to toggle "use regular expressions" in the search box if you are using VS Code. If you are using vim/nvim use this command instead :g/<details>/,/<\/details>/d _
• save the file as a learning session, grade yourself for answers
• IMPORTANT: lookup in the original file if you don't know the answer at all
• leave the files with dates of each learning session and start next session from the ones you didn't know the answers for

Fundamentals

Cloud Environment

1. On-Demand Self Service
2. Broad Network Access
3. Resource Pooling (multi-tenancy)
4. Rapid elasticity
5. Measured Service (pay as you go)

AWS Fundamentals

• What is the difference between public and private services?
• Describe different types of high availability (regional, zonal, etc)

Identity & Governance

Accounts

• An account is a container, what it can contain?
  click to see the answer

  • identities (users)
  • resources
• What is required to create AWS account?
  click to see the answer

  • email
  • payment method
• How are resources grouped?
  Details

  click to see the answer

  Into accounts

• Can the same email address be used with multiple accounts?
  Details

  click to see the answer

  No

• Can account root user login into multiple accounts?
  Details

  click to see the answer

  No

• What are called the things that you can create inside of the account?
  click to see the answer

  • Users
  • Groups
  • Roles
• What is the default access mode for an account for external actors?
  Details

  click to see the answer

  Only identies created inside an account can be granted access to the resources in this account. Cross-permissions are possible with IAM roles

• What set of permissons does new IAM Identity starts with?
  Details

  click to see the answer

  None, every new identity starts with zero permissions until granted.

• What are the 3 alarm states?
  click to see the answer

  • OK
  • ALARM
  • INSUFFICIENT DATA

IAM

• How/where to allow IAM user access to billing information?

• How is IAM resilient?

• What identity objects IAM let us create?

  click to see the answer

  • user
  • group
  • role

• Does users type represents only human users?

• What is the necessary condition for a policy to have an effect?

• Is IAM authentication service as well as identity management and authorization?

• How much does IAM cost?

• Why IAM account aliases must be globally uniq?

• How many access keys can IAM user have?

• What variable to setup for the aws cli to designate a default profile?

  click to see the answer

  export AWS_DEFAULT_PROFILE=

• Can external identiy be used to access AWS resources?

• When to use IAM Role?

• When does principal became authenticated identity?

• How can you login into an IAM group?

  click to see the answer

  No, IAM groups are for helping with organizing IAM user access to AWS resources.

• Can IAM groups be nested?

• Can IAM user be a member of more than one group?

• Can you reference an IAM Group from a resource policy?

• What are the two types of authentication for IAM?

  click to see the answer

  Username/password or Access Keys

• What does ARN stand for?

• What is the ARN structure?

  click to see the answer

  arn:partition:service:region:account-id:resource-type:resource-id

• How many IAM users can be created in an account?

  click to see the answer

  5000

• How many IAM groups can a user be a member of?

  click to see the answer

  10

• What does SCP stand for

  click to see the answer

  Service Control Policies

• How do you call a nested grouping within an organization?

  click to see the answer

  Organization Units

• Is the root "management" account of an organization affected by SCP?

  click to see the answer

  No

• What is the main role of an SCP?

  click to see the answer

  To limit what an account can do. Only Deny.

• Can you attach an identity policy to someone's else account?

  click to see the answer

  No

• What is more preferable, Roles or IAM User?

  click to see the answer

  Always prefer IAM roles if possible.

Cognito

• What functionality does cognito provide?

  click to see the answer

  For web applications. This looks a bit like Okta/Auth0

  • Authentication
  • Authorization
  • User management

• What are identity pools?

• Can the JWT tokens be used to access AWS resources?

  click to see the answer

  No

ACM (AWS Certificate Manager)

• What is origin access identit?
• Can/Should you reuse one OAI?

TODO: pick up here

Policies

• What are 2 main types of policies?

  click to see the answer

  Inline, Managed

• When to use inline policy?

  click to see the answer

  For exceptions to the managed policy.

Networking

Networking Fundamentals

• How many layers are there in OSI model? 👍

• What groups are OSI layers divided into? 👍

• Does the device on a higher layer include the capabilities of the devices in layers below it? Why? 👍

• If a network consists of 5 participants and a HUB, when participant 1 broadcasts a signal, how many participants will receive it? 👍

• In a network with a HUB, what happens when participants transmit a broadcast at once? 👍

• Describe on a high level frame components 👍

• What is a backoff period? 👎

• What does MAC stands for? :hand:

• What layer switch belongs to?

• What layer does router belong to?

• What are the two components of an IP address?

• How does subnet mask and its prefix indicate which octets describe network?

• What does ARP stand for?

• What is the high level structure of a TCP packet?

• How does TCP ensures packets delivery reliability?

• What does NAT do?

• What is static NAT?

• What is dynamic NAT?

• What does PAT stand for?

• The larger the CIDR value the .... the network.

• Explain briefly what are network classes

  click to see the answer

  Class A through E, A is the biggest, D, E are reserved. Important note: network classes are replaced by CIDR

  • Class A: 10.0.0.0 - 10.255.255.255 - single network
  • Class B: 172.16.0.0. - 172.19.255.255 - 16 networks
  This is also the default VPC range.
  • Class C: 192.168.0.0 - 192.168.255.0 - 256 networks

• Explain what are CIDR networks and how to calculate CIDR

  click to see the answer

  • /16 networks have fixed value in first and second octet
  • To create two networks from 10.0.0.0/16 use 2x 10.0.0.0/17 by halving the third and fourth octets.

• What CIDR represents all IP addresses

  click to see the answer

  0.0.0.0/0

• What CIDR represents 1 IP address

  click to see the answer

  1.2.3.4/32

VPC

• How many default VPCs per region/per account are there?

  click to see the answer

  1

• What are the CIDR limits for AWS VPC

  click to see the answer

  • minimum /28
  • maximum /16

• Can you launch an AWS service directly into a VPC?

  click to see the answer

  No, services use subnets to be launched from

• What is a good default number or VPCs subnets and why?

  click to see the answer

  • 4 is a good number because it will cover most of the AZs.
  • /16 network subdivided into 16 subnets gives 16 subnets of CIDR size /20 - 4091 IPs per subnet

• What is the level of isolation & resiliency for a VPC?

  click to see the answer

  Regional

• What is the default setting for the in and outgoing traffic in a VPC?

  click to see the answer

  IN and OUT traffic is blocked by default

• What are the VPC's tenancy models?

  click to see the answer

  • Default - shared hardware
  • Dedicated tenancy - dedicated hardware
  Comes with a cost premium and all resources also must be on the dedicated hardware

• What settings to use to enable DNS hostnames for entities with public IP addresses in a VPC and switch on DNS support?

  click to see the answer

  • enableDnsHostnames
  • enableDnsSupport

• What is the subnet resiliency level?

  click to see the answer

  AZ resilient

• Can a subnet be in multiple AZs?

  click to see the answer

  No

• Can the subnet be moved into another AZ?

  click to see the answer

  No

• Can a subnet overlap with other subnets?

  click to see the answer

  No

• Can you use all the available IP addresses in a subnet?

  click to see the answer

  No, there are 5 that are reserved.

  • first address cannot be used
  • second address cannot be used (used by VPC router)
  • third address cannot be used (used for DNS)
  • fourth address cannot be used (reserved)
  • last IP address cannot b used (broadcast address)

• Are there any charges for creating VPCs and Subnets?

  click to see the answer

  No

• How to get VPC router into your VPC?

  click to see the answer

  VPC router is a global service available by default in every VPC, so no need to configure anything.

• What is the role of VCP Router

  click to see the answer

  It routes traffic between subnets of a VPC

• How many route tables can a subnet have associated with it?

  click to see the answer

  1

• What does the route table control?

  click to see the answer

  Route table controls the destination of the data leaving the subnet. In can be within a subnet or a gateway address.

• What is the resiliency mode of an internet gateway?

  click to see the answer

  Regionally resilient

• How many IGW can a VPC have?

  click to see the answer

  0 or 1

• What happens is a VPC has an IGW?

  click to see the answer

  This VPC is publicly available.

• List actions required to make a subnet public

  click to see the answer

  1. Create IGW
  2. Attach IGW to the VPC
  3. Create a custom route table
  4. Associate the route table with the VPC
  5. Configure default routes in the route table to point to IGW
  6. Configure VPC to auto-allocate IPv4 and optionally IPv6 addresses withing the subnet

• Where is the public IP of a service (for example EC2) running in a VPC maintained?

  click to see the answer

  In the IGW, NOT in the VPC where the service is located

• What does NACL stand for?

  click to see the answer

  Network Access Control List. Works similar as Azure security group. Once it matches it stops.

• Is Security Group stateless or stateful?

  click to see the answer

  Stateful. Security group is more like Azure private endpoint.

• What is the implicit setting for a security group?

  click to see the answer

  Implicit deny - everything is denied by default and only things you allow are allowed.

• In a security group is traffic and response separate?

  click to see the answer

  No, a security group is stateful, so traffic and response to it is covered by the same rule.

• Why would you use NACL in combination with an SG?

  click to see the answer

  NACL allows for adding an explicit DENY rule

• If the traffic is not crossing the boundary of a subnet, would you use NACL or SG?

  click to see the answer

  Use SG, NACL has no effect within subnet

• What does IP masquerading do?

  click to see the answer

  Hides whole private CIDR IP block behind a single public IP

• What is the resiliency level of a NAT Gateway?

  click to see the answer

  AZ

• Does a NAT Gateway work with IPv6?

  click to see the answer

  No

• What SSH option is used to connect secrely to a Bastion server?

  click to see the answer

  SSH Agent Forwarding

  ssh -A

• What are points of failure for VPN site-to-site connection?

  click to see the answer

  @startuml
  box "AWS VPC"
  "router" -> "AWS Public zone"
  end box
  box "AWS Public Zone"
  participant "Virtual Gateway" as vgw
  participant "VPN" as vpn
  vgw <-> vpn
  
  vpn -> "Endpoint1"
  vpn -> "Endpoint2"
  end box
  box "Public Internet"
  participant "Customer Gateway" as cgw
  cgw ->
  end box
  "AWS Public zone" -> "Public internet"
  
  "Public internet" -> "On prem router"
  @enduml

• What are VPC flow logs?

• Do VPC flow logs capture metadata or contents of a request?

  click to see the answer

  Only metadata

VPC Peering

• Can you peer more than one VPC together?
  Details

  click to see the answer

  No

Route 53

• What is the difference between a hosted zone and a hosted zone group?
• Which DNS record points to IPv6 address?
• What is the difference between a CNAME and an ALIAS?
  click to see the answer

  • CNAME maps a name to another name in the same domain (naked domain)
  • ALIAS maps a name to AWS resource - default for the exam. AWS specific implementation
• What does CNAME stand for?
• Can CNAMEs point to an IP address?
• How many DNS root servers exist?
  Details

  click to see the answer

  13

Public Hosted Zones

• What are R53 public hosted zones?
• How many name servers does R53 alocate?
• What records to use to point at the hosted name servers?
• What is the DNS resolver in a VPC instance?
  Details

  click to see the answer

  VPC+2 IP

Private Hosted Zones

• Can you access the zone in the VPC?
• How to run intranet and public facing web page on the same DNS?
  Details

  click to see the answer

  Split-View

Routing Types

• What is simple routing?

• What are health checkers?

• Can health checks be performed on targets outside of AWS resources?

• What protocols are supported by health checkers?

• What checks are supported?

  Details

  click to see the answer

  Endpoint, CloudWatch Alarm, Checks of Checks

• What is failover routing?

  Details

  click to see the answer

  Endpoint, CloudWatch Alarm, Checks of Checks

  -What is failover routing?

• What is a multivalue routing

  Details

  click to see the answer

  Can create many records with the same name Up to 8 healthy records are returned to the client Improves availability

• What is a weighted routing

• What is the weight formula

  Details

  click to see the answer

  Record weight vs total weight, each of the 3 records. Use when u want to control the distribution of the DNS queries

• When to use latency based routing

• When to use geo-location based routing

  Details

  click to see the answer

  It returns relevant locations only, NOT based on goe-proximity

• When to use geo-proximity routing?

• What is a geo-proximity bias?

  Details

  click to see the answer

  Expands or shrinks the location of the routing zone

• What is the difference between Route 53 routing policies and load balancing?

  Details

  click to see the answer

  Load balancer is actually routing traffic to the backend services whereas DNS routing returns a DNS resolver server location.

Registering a domain

• What are different scenarios for registering a domain

  click to see the answer

  • Registrar and Public DNS Hosting role

  @startuml domain-registration-traditional
  !theme materia-outline
  actor Developer as user
  participant "Route53\nRegistrar Role" as r53_registrar
  participant "Route53\nDNS Hosting Role" as r53_dns_hosting
  participant "TLD Server for *.domain" as tld_server
  user -> r53_registrar: Requests domain registration\nand pays 1 time fee
  r53_registrar -> r53_dns_hosting : Requests cretion of public hosted zone
  return 4x Name Servers
  
  r53_registrar -> tld_server : Passes the Name Servers to
  
  tld_server -> tld_server : Creates entries\nfor the Name Servers
  
  tld_server -> r53_dns_hosting : Points to 4 NS Servers in Public Hosted Zone
  
  @enduml
  • Hosting only role

  @startuml domain-registration-traditional
  !theme materia-outline
  actor Developer as user
  participant "Route53\nRegistrar Role" as r53_registrar
  participant "3rd Party Domain Hosting" as r53_dns_hosting
  participant "TLD Server for *.domain" as tld_server
  user -> r53_registrar: Requests domain registration\nand pays 1 time fee
  r53_registrar -> r53_dns_hosting : Requests cretion of public hosted zone
  return 4x Name Servers
  
  r53_registrar -> tld_server : Passes the Name Servers to
  
  tld_server -> tld_server : Creates entries\nfor the Name Servers
  
  tld_server -> r53_dns_hosting : Points to 4 NS Servers in Public Hosted Zone
  
  @enduml

Load Balancers

• What is LCU?

• How load balancer is priced?

• Describe briefly ALB architecture

• How many load balancing nodes does ALB have as a minimum?

• What is the default distribution algorithm?

• What is cross zone load balancing?

• What is a listener configuration?

• What types of load balancers are there?

  click to see the answer

  • A(pplication)LB
  • N(etwork)LB
  • C(lassic)LB

• How can load balancer handle SSL offloading?

  click to see the answer

  • Bridging - connection terminated on the ELB. Second connection is created to target services (http). EC2 instances also need copy of the same certificate
  • Pass-through - connection encryption is maintained by the client. Listener is configured for TCP.
  • Offload - backend connections use http

• What is session stickiness?

• How does a load balancer enable session stickiness?

  click to see the answer

  Cookie 1s to 7 days. It is generally better to use stateless servers and host the state somewhere else, either in a database of on the client side in the case of SPA.

Application Load Balancer (ALB)

• What layer is ALB on?
  Details

  click to see the answer

  7

• What makes ALB internet facing?
  Details

  click to see the answer

  Presence of public IP

Network Load Balancer (NLB)

• What layer is NLB on?
• Is NLB a performance-oriented load balancer?

Gateway Load Balancer

• What is the usecase for a gateway load balancer?

  click to see the answer

  Load balances between multiple security appliances

• What are 2 components of a GWLB?

  click to see the answer

  GWLB endpoints GWLB instances

• What protocol is used by GWLB?

  click to see the answer

  GENEVE

• How does GWLB endpoint integrates with the existing VPC traffic?

  click to see the answer

  It is added to a route table as a nex hop in the traffic

Cloud Front

• What does CDN stand for?

Global Accelerator

• What are anycast IP addresses?

Compute

RDS

• What are some of the downsides of putting a database on EC2 instnace?

• What is an RDS Instance?

• Can you connect to RDS instance using IP?

  Details

  click to see the answer

  No, you have to use CNAME DNS record

• What is the resiliency level of an RDS instance?

  Details

  click to see the answer

  AZ, also storage (EBS)

• Explain pricing model of RDS

  Details

  click to see the answer

  ALlocated GM/month Additional storage charges if applicable

• Can you reuse an security group with RDS?

  Details

  click to see the answer

  Yes

• Why do we need to configure subnet groups when provisioning an RDS database instance?

• Is the multi AZ feature available in the free tier?

  Details

  click to see the answer

  No

• Can the standby replica be accessed directly?

  Details

  click to see the answer

  No, it's just an availability improvement.

• What is synchronous Replication

  Details

  click to see the answer

  Multi AZ, same AWS region

RDS Backup & Restore

• What are RTO and RPO? RP(oint)O - time between last working backup and data loss event RT(ime)O - time between data loss event and full recovery

• Do manual snapshots expire?

  Details

  click to see the answer

  No

• What are transaction logs? Stored every 5 minitest (lowers RPO)

• Do automated backups expire?

  Details

  click to see the answer

  Yes, you can set up to 35 days.

• How does the restore process work?

  Details

  click to see the answer

  Backups are restored from the closest snapshot (from S3) and than transaction logs are replayed on top of the backup. Restoring snapshots can be a long time.

• Can read replicas be created in a different regions?

  Details

  click to see the answer

  Yes

• How many read replicas can you have per RDS DB Instance?

  Details

  click to see the answer

  5

• Why do read replicas matter?

  click to see the answer

  • Improved performance
  • Makes CQRS pattern possible
  • Use read only data in different regions to improve access performance
  • In case of a failure, read replica can be promoted to read-write database. This is only useful for database failures, not data corruption

Data Security

• How is encryption at rest supported?
  Details

  click to see the answer

  Handled by host

  • EBS Volume Encryption
  • KMS
  • TDE: Only MS SQL and Oracle

EC2

• 👍 What does EC2 stand for?

  click to see the answer

  Elastic Compute 2

• Is EC2 going to fail when az (zone) fails?

• 👍 Are you still getting charged when EC2 instance is stopped? If yes for what component?

  click to see the answer

  Yes, for storage

• 👍 Is deleting an EC2 instance a reversible operation?

  click to see the answer

  No

• What does AMI stand for?

• What kinds of permissions are on the AMI?

• What port number RDP service runs on?

  click to see the answer

  3389

• How many times can you download private key for linux EC2 instance?

• Can a single security group apply to multiple EC2 instances?

• What is the resiliency model of EC2

  click to see the answer

  AZ, all things connected to EC2, like networking or storage run in the same AZ.

• After restarting EC2 instance, will it move to another random host?

  click to see the answer

  No, after restarting the EC2 instance boots up on the same host.

• What are the two conditions under which the instance can be relocated to another EC2 host?

  click to see the answer

  Host taken down for maintenance by AWE, EC2 instance stopped and started (not jus restarted)

• What are the 5 EC2 instance types

  click to see the answer

  1. General Purpose
  2. Compute optimized - ML, Games, HPC
  3. Memory optimized - some databases
  4. Accelerated computing - custom programmable hardware
  5. Storage optimized - transactional databases, data warehouses, data analytics

  https://aws.amazon.com/ec2/instance-types/https://instances.vantage.sh/

• Explain storage types that can be attached to EC2

  click to see the answer

  Directly attached (hadrware) Network attached

• Explain key differences between Block, Volume and Object Storage

• Can you attach EBS storage between availability zones?

  click to see the answer

  No

• What mechanism can be used to create snapshots of EBS volumes between AZs?

  click to see the answer

  S3 replication

• What are 2 volume types available?

  click to see the answer

  • GP2
  • GP3

• What is an IO Credit and how big is it?

  click to see the answer

  IO Credit is a single chunk of data and is 16kb in size

• What is an IOPS?

  click to see the answer

  1 IOPS is 1 IO Credit in 1 second

• What EBS drives are designed for max performance?

• What are 2 types of HDD drives?

  click to see the answer

  • ST1 - throughput optimized
  • SC1 - cold

• What are Instances Store Volumes?

  click to see the answer

  • Block Storage Devices
  • Physically connected to one EC2 Host
  • Highest storage performance
  • Included in the instance price
  • Need to be attached at launch time

• When to choose EBS vs Instance Store Volumes

• How does incremental copy work in S3 snapshots

  click to see the answer

  1. Full data is copied
  2. Following snapshots are incremental

• What happens when incremental snapshot is deleted

  click to see the answer

  All prior snapshots are still kept safely

• Explain what it means that the EBS snapshot volume restores lazily

  click to see the answer

  Data is fetched gradually.

  To remedy it, use FSR (Fast Snapshot Restore). You can also force this manually using dd for example

• How many FRS you can have per region?

  click to see the answer

  50

• How does snapshot pricing work?

  click to see the answer

  Gigabyte-month, paid only for used data

• Can EC2 network interfaces be in different AZs?

  click to see the answer

  No

• What does AMI stand for?

  click to see the answer

  Amazon Machine Image

• Are AMIs global?

  click to see the answer

  No, each region will have their own AMI for a given image. AMI in a given region will work only in this region.

• Explain briefly lifecycle of AMI

  click to see the answer

  1. Launch
  2. Configure - this also includes volumes
  3. Create Image
  4. Launch

• What is "AMI baking"?

  click to see the answer

  It is a process of creating an AMI from an EC2 instance with all the dependencies and applications pre-installed.

• Can AMI be edited/updated?

  click to see the answer

  No

• What are you paying for when using AMI

  click to see the answer

  You are billed for using EBS snapshots. Remember, snapshots are charged by space actually used by data not allocated.

• What is EC2 Instance Metadata This is data about runtime environment of the instance

• What IP do you need to access to see the Instance Metadata information?

  click to see the answer

  (http) 169.254.169.254 /latest/metadata

• Is the metadata service encrypted?

  click to see the answer

  No

• Does the metadata service require authentication?

  click to see the answer

  No

• How to access user data for EC2 build automation?

  click to see the answer

  • http://169.254.169.254/latest/user-data
  • Executes only once at the initial launch time
  • runs as a root user

• What metric measures how much time does it take to get a service in a ready state?

  click to see the answer

  Boot-Time-To-Service-Time

• What is an instance profile?

  click to see the answer

  It is a wrapper around an IAM role and is attached to an EC2 instance. Credentials are automatically renewed.

• Can you use parameter store to store secrets?

  click to see the answer

  Yes, is also supports versioning. Any changes to parameters can trigger events.

  You can also establish hierarchy by adding / in the name.

• What types of parameters can be stored in PS?

  click to see the answer

  • Strings
  • StringLists
  • SecureStrings

• How to capture logs inside of an EC2 instance?

  click to see the answer

  Install CloudWatch agent

• What technology is used in enhanced networking?

  click to see the answer

  SR-IVO - logical cards, higher PPS, better bandwidth. Most EC2 instance types have this available by default.

• What is launch configuration and launch template?

• Are launch configurations editable?

  click to see the answer

  No

Auto Scaling Groups

• Where are auto scaling groups defined?

• What are the 3 characteristics of an auto scaling group?

  click to see the answer

  • Minimum
  • Desired - lways will be set
  • Maximum

• Are auto scaling groups regional?

  click to see the answer

  Auto scaling group will try to provision an EC2 instance in a different AZ.

• What are scaling policies?

• What are sub types of dynamic scaling?

  click to see the answer

  • Simple
  • Stepped - almost always preferred
  • Target tracking

ECS

• What modes does ECS run in

  click to see the answer

  • Fargate:
  • Infra is abstracted away
  • Hosted on shared platform
  • Each task and service is injected into your VPC
  • Only pay for use as containers run
  • Use for small or burst style workloads, batch, periodic
  • EC2
  • Created inside a VPC
  • Uses ASG for EC2 instances scaling
  • You manage the instances
  • Good if you want to manage infra

• What is task?

  click to see the answer

  Container for containers (same as ACI group) - self contained app

• What is task role?

  click to see the answer

  It is an IAM role that the task can assume to gain the credentials to interact with AWS resources

• What is service definition?

  click to see the answer

  Defines task scalability and HA options.

• What are the main ECS concepts

  click to see the answer

  

Lambda

• What resource can you allocate to lambda? 👍

  click to see the answer

  Memory

• What is the execution time limit on a lambda function? 👍

  click to see the answer

  15 min

• What are cloud watch events and EventBdirge?

• What is Lambda edge?

• What languages do lambda edge support?

  click to see the answer

  • Ptyhon
  • Node.js

Storage

S3

• What are the 2 constituent parts of S3 object?

• What is the size limit of a single object?

• Are buckets regional?

• Does a bucket name have to be globally uniq?

• How many objects can be stored in 1 bucket?

• Can objects be nested in the bucket?

• How can you simulate a folder name in a bucket?

• What is another name that folders are refereed as?

• What are the naming rules for a bucket?

  click to see the answer

• How many buckets can you have in an account?

  click to see the answer

  100 soft limit, 1000 hard limit

• Can you mount an S3 bucket like a block storage?

• Are S3s public by default?

  click to see the answer

  No

• What is the difference between S3 resource policy and identity policy?

• What is an anonymous principal?

  click to see the answer

  An principal that is not authenticated against AWS

• How many policies can there be assigned to an S3 bucket?

  click to see the answer

  1

• What name requirement is there in an S3 bucket when you want to use it as static page hosting with a custom domain?

• What field is used to identify a version of an object?

  click to see the answer

  Id

• How to fully delete a versioned object?

  click to see the answer

  By specifying its version in the delete command

• What is MFA delete

• What does SSE-C stand for?

  click to see the answer

  Server-Side Encryption with Customer-Provided Keys. S3 encrypts data with keys provided by the customer. Key is discarded after encryption, only key hash is stored.

• What are the benefits of SSE-C model?

  click to see the answer

  Save on CPU, more control over the encryption process (you hold the keys).

• What does SSE-S3 stand for?

  click to see the answer

  Server-Side Encryption with AWS S2-Managed Keys. S3 creates a master key and a key for each object. Master key is encrypted with object key and master key is discarded. We have encrypted object, encrypted master key and public key used to encrypt the object.

• What are the benefits of SSE-S3 model?

  click to see the answer

  Key are managed by AWS, very low admin overhead.

• What algorithm does SSE-S3 uses by default?

  click to see the answer

  AES256

• What does SSE-KMS stand for?

  click to see the answer

  Server-Side Encryption with Customer-Managed Keys stored in AWS Key Management Service (KMS).

• What are the benefits of SSE-KMS model?

  click to see the answer

  Someone else can manage the KMS, role separation. Key rotation control.