My Preparation for AWS Certified Solutions Architect — Associate

CHOO Jek Bao
57 min read · Mar 29, 2021


Jek Bao Choo — AWS Certified Solutions Architect — Associate Validation Number PQXVSCJD11FEQPCH https://aws.amazon.com/verification/ expires on 03 April 2024 https://www.credly.com/badges/be9b79eb-b80b-4701-8569-d75cf03cfe3f/public_url

I used PluralSight for my AWS SAA revision, but I felt it was rudimentary. On top of PluralSight, I did the practice exam questions offered by Jon Bonso. I was lucky to have read what others recommended for preparation at https://www.reddit.com/r/AWSCertifications before taking my exam.

To take the AWS SA Associate again or the AWS SA Professional in the future, here is what I will do.

Step 1: Read https://www.reddit.com/r/AWSCertifications to know what others recommended for video learning and practice questions.

Step 2a: Watch the videos. If there are 50 hours' worth of video, estimate that I'll need double that (100 hours) to include lab time and note-taking. It's important to take notes because I learn best by writing.

Step 2b: Take notes using AWS services as headers (e.g. Lambda, ELB, EC2).

Step 2c: Also take notes on the principles for each exam learning outcome (e.g. Design Resilient Architectures 30% — the fundamental principle is to have redundancy for high availability).

Step 3a: Do practice questions. For 360 practice questions, I’ll need 18 hours (allocate 3 minutes per practice question).

Step 3b: Do practice questions segmented by AWS services (e.g. Lambda, ELB, EC2) if available.

Step 3c: Do practice questions segmented by AWS exam learning outcome (e.g. Design Resilient Architectures).

So based on the above estimates, I'll need a total of 118 hours. If I can only spare 2 hours a day for preparation, I will need 59 days, which is roughly two months.

Most importantly, schedule my exam based on the above estimates before starting my revision. Always book the exam first because I can always reschedule if needed. Having an exam date is a commitment to getting started and finishing as scheduled.

The notes below are no longer useful for my next revision, whether I am doing SA Associate or SA Professional, because the information will be outdated or the exam structure might have changed. So ignore the notes below.

Design Resilient Architectures (30%)

Video: Architecting for Availability

  • Reliability (or resiliency) is the ability of an application to avoid and recover from failure.
  • Availability is the percentage of time that an application is performing as expected.
  • Suppose the availability of a single EC2 instance is 90%. 4 EC2 instances increase availability to 99.99%. Why? Because 90% availability is a 10% failure rate (100% − 90% = 10%). The chance of all 4 EC2 instances failing at once is 10% * 10% * 10% * 10% = 0.01%. Hence, the availability of 4 EC2 instances is 100% − 0.01% = 99.99%.
  • Availability of ELB is 99.99%. So a setup with an ELB and 4 EC2 instances has an availability of 99.99% * 99.99% = 99.98%.
  • Availability improvement can be achieved with redundancy (e.g. using multiple Availability Zones or Regions).
  • Availability calculation of redundant components: multiply the failure rates of the components and subtract that number from 100%.
  • Availability calculation of hard dependencies: multiply the availabilities of the components (see the Python sketch after this list).
  • Uptime isn’t the same as availability
  • EFS provides a Network File System (NFS) volume. It's like providing a hard disk — traditional file storage.
  • S3 is object storage. It’s useful for hosted content.
  • EFS or S3? This depends on the architecture design.
  • RDS offers managed database engines and manages database infrastructure and backups.
  • Loose coupling is separating each component so an information flow does not depend on a specific component. This is to prevent a single point of failure. The key is having redundancy.
  • Tight coupling is not separating each component, so an information flow depends on a specific component. If that specific component fails, the information flow fails. The missing key is NOT having redundancy.
  • Redundancy enables → loose coupling enables → availability
  • Monolithic architecture is having both web service and video processing service in 1 EC2 instance.
  • Microservice architecture is having web service in 1 EC2 instance while video processing service in another EC2 instance.
  • ECS (Elastic Container Service) can store containers in an Elastic Container Registry (ECR). ECS is using Docker containers. Can improve availability by running multiple containers on a single EC2 instance.
  • Cloud Native Applications deploy on a cloud service that can’t be deployed on-premises e.g. S3, SQS, DynamoDB
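
To make the redundancy vs. hard-dependency arithmetic above concrete, here is a small Python sketch. The 90% and 99.99% figures are just the example numbers from these notes, not real SLAs.

```python
def redundant(*availabilities):
    """Availability of redundant components: 1 minus the product of failure rates."""
    failure = 1.0
    for a in availabilities:
        failure *= (1.0 - a)
    return 1.0 - failure

def hard_dependency(*availabilities):
    """Availability of chained (hard) dependencies: product of availabilities."""
    total = 1.0
    for a in availabilities:
        total *= a
    return total

# Four EC2 instances at 90% each, behind an ELB at 99.99%.
fleet = redundant(0.90, 0.90, 0.90, 0.90)   # 0.9999  -> 99.99%
stack = hard_dependency(0.9999, fleet)      # ~0.9998 -> 99.98%
print(f"fleet: {fleet:.4%}, ELB + fleet: {stack:.4%}")
```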

Video: Setting up Your AWS Environment

  • IAM is used to create groups and users. Each group can have a set of policies attached to the group. Each group can have one or many users.
  • CloudTrail shows event history such as the group and user created using IAM.
  • CloudTrail stores 90 days of history
  • AWS CLI has several commands e.g. “aws configure” and “aws iam get-user”
  • AWS Route 53 is DNS e.g. register a domain name
  • AWS Route 53 can be used to create a TLS (Transport Layer Security) certificate from ACM (AWS Certificate Manager)
  • AWS Budgets alerts you when you exceed a certain amount, but it is not going to prevent you from exceeding the budget.
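
As a quick illustration of the CLI commands mentioned above, here is a hedged boto3 equivalent. It assumes credentials have already been set up with "aws configure".

```python
import boto3

# Equivalent of "aws iam get-user": returns details of the IAM user
# whose credentials are configured (errors for role credentials, which
# have no underlying IAM user).
iam = boto3.client("iam")
print(iam.get_user()["User"]["Arn"])

# "aws sts get-caller-identity" also works for roles and the root user.
sts = boto3.client("sts")
print(sts.get_caller_identity()["Account"])
```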

Video: Building Virtual Private Cloud (VPC) Networks

  • VPC contains one or more subnets.
  • A subnet is a logical division of IP networks
  • 192.168.0.0/24 means that the first 24 bits are reserved as the network address, so the remaining 8 bits are intended for host addresses. 2⁸ = 256 host addresses are available, so the range is 192.168.0.0 to 192.168.0.255 (see the sketch at the end of this section).
  • 192.168.0.0/23 means that the first 23 bits are reserved as the network address, so the remaining 9 bits are intended for host addresses. 2⁹ = 512 host addresses are available.
  • The practice of dividing a network into two or more networks is subnetting.
  • A subnet exists in an availability zone.
  • An Availability Zone corresponds to a data center (or a group of data centers).
  • An instance exists in a subnet.
  • Redundancy is achieved by having instances in multiple subnets in different zones.
  • Elastic IP Address (EIP) — if an instance has a public IP address, assigning an EIP will replace the public IP address
  • By using an Elastic IP address, you can mask the failure of an instance or software by rapidly remapping the address to another instance in your account.
  • Types of EIP: (a) Amazon-owned, which is tied to an AWS Region and you cannot pick the address; (b) Bring Your Own IP (BYOIP), where you can pick your address.
  • Allocating EIP with AWS CLI “aws ec2 allocate-address”.
  • Anycast, also known as IP anycast, is a networking technique that allows for multiple machines to share the same IP address.
  • AWS Global Accelerator decouples IP addresses so that connections to a Global Accelerator address can be forwarded to resources in any AWS region
  • Public subnet vs. private subnet: a public subnet can be reached from the internet and can reach the internet; a private subnet is isolated from the internet, so pair it with a NAT Gateway to provide outbound-only internet access.
  • Creating a private subnet is the same as creating a public subnet, except that its route table points to the NAT gateway, while the public subnet's route table points to the internet gateway.
  • To be a public subnet, it must contain Internet Gateway, Route Table entry to the internet gateway and a public IP address or elastic IP address.
  • A private subnet needs access to a NAT gateway or a NAT instance to reach the internet. Even though resources in a private subnet can reach out to the internet, they are not accessible from outside the private subnet.
  • Virtual Private Gateway provides connection to VPN
  • AWS Shield Standard is a free service that guards against DDoS attacks.
  • Bandwidth is a measure of how much data over time a communication link can handle, its capacity. This is typically measured as kbps (kilobits — thousands of bits per second), Mbps (megabits — millions of bits per second) or Gbps (gigabits — billions of bits per second). Think of lanes on a road. A mile of eight-lane freeway has more capacity for cars than a mile of two-lane road.
  • Latency is the time it takes for a packet to get across the network, from source to destination. It is measured in units of time — ms (millisecond, or 1/1,000 of a second). Following the road analogy, it’s how long it takes you to get to work. Longer is not better (assuming you like where you work).
  • Throughput is the actual amount of data that is successfully sent/received over the communication link. Throughput is presented as kbps, Mbps or Gbps, and can differ from bandwidth due to a range of technical issues, including latency, packet loss, jitter and more. Rush hour traffic, speed limits, potholes and stalled vehicles prevent you and your fellow travelers from zipping along.
  • Bandwidth, latency and throughput describe characteristics of telecommunication and data communication links. When comparing offerings from telecom companies and Internet service providers vying for your business, it’s important to understand the relationship between these characteristics, so you get the right solutions for your business’ needs. ISPs and carriers advertise bandwidth because that value is known, and it represents the best-case scenario. But their hype about “game-changing gig speeds blazing into town” may be misleading. A high-bandwidth service that suffers from high latency may not be the best solution for certain business applications, like Voice over Internet Protocol (VoIP), video conferencing and Virtual Desktop Infrastructure (VDI).
  • Low latency is good because of low response time.
  • High bandwidth is good because more packets can use the communication link at a time.
  • AWS Direct Connect is low latency connection to AWS region
  • AWS Direct Connect bypasses the internet.
  • AWS Direct Connect has Dedicated and Hosted options.
  • AWS Direct Connect Dedicated connects directly to AWS data centers (1 Gbps or 10 Gbps)
  • AWS Direct Connect is private dedicated connection to AWS.
  • AWS Direct Connect Hosted is through a partner
  • An AWS VPN Connection is an encrypted IPsec connection over the internet, which comes with unpredictable (i.e. potentially high) latency — not ideal.

  • AWS VPN Connection can be implemented in 2 ways: (a) Virtual Private Gateway or (b) Transit Gateway.
  • AWS VPN Connection via Virtual Private Gateway is the original method provided by AWS. The con is one VPN connection per VPC, so it doesn't scale well.
  • AWS VPN Connection via Transit Gateway is like a router that enables connection to multiple VPCs and supports AWS Direct Connect too. This scales well.
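
To double-check the /24 and /23 arithmetic from the subnetting bullets above, Python's standard ipaddress module can enumerate the ranges (a plain illustration, not an AWS API call):

```python
import ipaddress

for cidr in ("192.168.0.0/24", "192.168.0.0/23"):
    net = ipaddress.ip_network(cidr)
    print(cidr, "->", net.num_addresses, "addresses,", net[0], "to", net[-1])
# 192.168.0.0/24 -> 256 addresses, 192.168.0.0 to 192.168.0.255
# 192.168.0.0/23 -> 512 addresses, 192.168.0.0 to 192.168.1.255
```

Note that AWS reserves five addresses in every VPC subnet, so the usable host count is slightly lower than the raw CIDR count.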

Video: Automated Deployments with CloudFormation

  • AWS Application Load Balancer has two options (a) Internet Facing and (b) Internal
  • HTTPS is using TCP port 443
  • HTTP is using TCP port 80
  • SSH is using TCP port 22
  • AWS CloudFormation is the same as Google Cloud Deployment Manager. It is used for deployment of resources such as EC2, Load Balancer.
  • TCP port 8080 is an alternative HTTP port. But the difference is that port 8080 comes from the Tomcat server history while TCP port 80 is a reserved port.
  • Bash is a Unix shell and command language
  • Auto scaling group depends on AWS Elastic Load Balancer health checks so they work hand in hand

Video: Multi-region Applications with Route 53

  • AWS Route 53 can do weighted routing to several web app tier load balancers. We can verify this using dnschecker.org.
  • Active-active (weighted records): web users access both regions (e.g. Europe and America) almost equally.
  • Active-passive (failover records): web users access mainly one region (e.g. Europe), with failover to another region (e.g. America) if the primary is down.
  • Pilot Light architecture keeps a minimal replica that is brought up when needed. It does need to wait for auto scaling to kick in on failover.
  • Warm Standby architecture keeps a near replica always running. It doesn't need to wait for auto scaling to kick in on failover.
  • AWS Route 53 + AWS Elastic Load Balancer failover is powerful. But if we don't need auto-scaling, we can simply use an AWS Route 53 health check for failover. Put another way, we can use DNS failover + ELB failover, or only DNS failover if we don't need auto-scaling.
  • AWS Route 53 requires the user to set up a Health Check, attach the Health Check to a DNS record, and indicate that if the health check fails, traffic should fail over to another record (see the sketch below).
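
For the failover-record idea above, a minimal boto3 sketch might look like this. The hosted zone ID, domain, health check ID, and load balancer DNS name are all placeholders.

```python
import boto3

route53 = boto3.client("route53")

# Primary failover record: used while its health check passes.
route53.change_resource_record_sets(
    HostedZoneId="Z_EXAMPLE",                  # placeholder hosted zone
    ChangeBatch={"Changes": [{
        "Action": "UPSERT",
        "ResourceRecordSet": {
            "Name": "app.example.com",
            "Type": "CNAME",
            "SetIdentifier": "primary-eu",
            "Failover": "PRIMARY",
            "TTL": 60,
            "HealthCheckId": "hc-primary-id",  # placeholder health check
            "ResourceRecords": [{"Value": "eu-elb.example.amazonaws.com"}],
        },
    }]},
)
# A second UPSERT with Failover="SECONDARY" points at the other region's load balancer.
```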

Lab: Create and Manage Users with AWS IAM

  • Create an IAM group. Add an IAM user to a group.
  • Create an IAM policy. Create an IAM role. Attach a policy to a role.
  • Attach an IAM role to an EC2 instance.

Lab: Configure MFA in AWS IAM

  • SKIPPED

Lab: Launch an EC2 Instance into a Specific Availability Zone of a Region on AWS

  • Create EC2 instance and select Availability Zone e.g. US-West-2a and select an existing VPC and Subnet.
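
A hedged boto3 version of this lab step is sketched below. The AMI ID, subnet ID, and key pair name are placeholders; choosing a subnet that lives in us-west-2a is what pins the Availability Zone.

```python
import boto3

ec2 = boto3.client("ec2", region_name="us-west-2")

# Launch one t3.micro into a specific subnet; the subnet determines
# the Availability Zone of the instance.
resp = ec2.run_instances(
    ImageId="ami-xxxxxxxx",       # placeholder AMI
    InstanceType="t3.micro",
    MinCount=1,
    MaxCount=1,
    KeyName="my-key",             # placeholder key pair
    SubnetId="subnet-xxxxxxxx",   # placeholder subnet in us-west-2a
)
print(resp["Instances"][0]["Placement"]["AvailabilityZone"])
```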

Lab: Create a VPC on AWS with the Wizard

  • Create an elastic IP address.
  • Create a VPC with a public subnet and a private subnet. The Elastic IP address is used by the NAT gateway that the wizard creates.
  • Check that the VPC has created a route table with internet gateway igw-*** connected to the VPC’s public subnet.
  • Check that the VPC has created a route table with NAT gateway nat-*** but NOT connected to the VPC’s public or private subnet.
  • Following security best practices, you must configure the MySQL server by using a bastion host on a public subnet. A bastion host allows secure configuration and administration of non-Internet exposed servers from an Internet-accessible server.
  • Create two Security Groups in the VPC: (1) allow SSH port 22 traffic from anywhere to the public subnet EC2 instance, i.e. the bastion host; (2) allow SSH port 22 traffic from the bastion host to the EC2 instance in the private subnet.

Lab: Create a VPC Manually on AWS

  • SKIPPED

Lab: Create a Security Group within a Multi-tier AWS Application Using the CLI

  • Access the jumpserver
  • Log in with the "aws configure" command
  • SSH into web server A, install httpd, and serve a simple webpage.
  • The idea is to create a few security groups using AWS CLI and attach the security groups to the right EC2 instance.
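
A minimal boto3 sketch of that idea follows; the VPC ID, group name, and CIDR are placeholders. The same can be done with the "aws ec2 create-security-group" and "aws ec2 authorize-security-group-ingress" CLI commands.

```python
import boto3

ec2 = boto3.client("ec2")

# Create a web-tier security group in the lab VPC (placeholder VPC ID).
sg = ec2.create_security_group(
    GroupName="web-tier-sg",
    Description="Allow HTTP from anywhere",
    VpcId="vpc-xxxxxxxx",
)

# Allow inbound HTTP (TCP 80) from anywhere; the group is then attached
# to the right EC2 instance (e.g. via modify_instance_attribute).
ec2.authorize_security_group_ingress(
    GroupId=sg["GroupId"],
    IpPermissions=[{
        "IpProtocol": "tcp",
        "FromPort": 80,
        "ToPort": 80,
        "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
    }],
)
```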

Design High-Performing Architectures (28%)

Video: Understanding the Design Principles

  • Deploy close to users’ region
  • Comply with local laws and regulations
  • Cost vs. Security vs. Performance

Video: Considering Compute Performance Options

  • AWS EC2 has the instance options: (a) General Purpose (b) Compute optimised (c) Memory optimised (d) Accelerated computing (e) Storage optimised (f) Bare metal.
  • AWS EC2 has three auto scaling options: (a) metrics based (b) schedule (day, time) based (c) health based
  • Containers e.g. Docker containers are good for migrating apps to the cloud — just move the containers.
  • AWS Fargate is serverless containers (i.e. Containers without infrastructure), the equivalent of GCP Cloud Run
  • AWS ECS is CaaS, the equivalent of GCP Kubernetes Engine
  • AWS Lambda is FaaS, the equivalent of GCP Cloud Function.

Video: Reviewing Storage Performance Options

  • Considerations for storage are: (a) sharing (b) latency (c) throughput (d) persistence (e) file size
  • S3 cost optimisation options are (a) Standard — designed for frequently accessed data. (b) Standard-IA — designed for long-lived, infrequently accessed data. (c) One Zone-IA — designed for long-lived, infrequently accessed, non-critical data. (d) Glacier — designed for long-lived, infrequently accessed, archived critical data. (e) Intelligent-Tiering — designed for long-lived data with changing or unknown access patterns.
  • S3 has a new feature called “Query in place” which allows SQL query in S3
  • Related to S3 Glacier is AWS Snowball, which ships a physical device to users so they can load data onto it and ship it back to AWS.
  • S3 Glacier has an option for connecting via AWS Direct Connect for better latency and bandwidth when moving data to S3 Glacier.
  • AWS EBS (Elastic Block Store) must be attached to an EC2 instance.
  • The AWS EBS multi-attach feature allows one EBS volume to be attached to up to 16 EC2 instances.
  • AWS EBS has a choice of (a) SSD (b) HDD
  • AWS EFS (Elastic File System) is a file storage service that is the equivalent of Google Filestore

Video: Examining Database Performance Options

  • Install own database on EC2 instances — this is a self-managed option.
  • RDS (Relational Database Service) — this is a managed option.
  • DynamoDB supports transactions, encryption, and integrates well with Lambda — this is a managed option.
  • DynamoDB supports partition key. It is the same idea as primary key.
  • Redshift scales to petabytes of data, supports encryption, and can query S3 directly (saving the time and money of ETL into Redshift).

Video: Evaluating Network Performance Options

  • Consider (a) latency, i.e. response time, (b) throughput, i.e. size of the pipe, and (c) cost, because different regions have different costs
  • Network options are (a) Regions (b) Availability Zones (c) CloudFront (d) Route 53
  • CloudFront, i.e. a CDN, moves content to edge locations closer to the user. It covers (a) static content (b) dynamic content and (c) programmable behaviour.
  • Route 53 is DNS. It routes users to the best deployment to support user experience. DNS traffic flow features direct users to the right region. The options are (a) latency routing (b) geographic routing (c) health-based routing (d) round robin routing
  • A VPC endpoint for S3 lets machines inside the VPC reach the S3 bucket without traversing the public internet. This reduces the cost and time of setting up a gateway or NAT server to get to S3.

Video: Preparing to Improve Your Architecture

  • Infrastructure as Code can be achieved using tools like terraform, similar to AWS CloudFormation and Google Cloud Deployment Manager. The advantage of using terraform is that it’s a common language when managing hybrid clouds of AWS and GCP.
  • If we unwrap IaaS > CaaS > PaaS > SaaS / FaaS / DBaaS, we see that INFRASTRUCTURE management, deployment, and scaling is done through code template tools such as Terraform, AWS CloudFormation, and Google Cloud Deployment Manager. The outcome is EC2 instances and App Engine instances, together with load balancers, being created. An EC2 instance hosts CONTAINERS; one EC2 instance or App Engine instance can run multiple containers inside it. So we use container management and deployment tools like Google Kubernetes Engine and AWS Elastic Container Service. A container contains a PLATFORM such as a Node.js installation. A platform holds SOFTWARE / DATABASES / FUNCTIONS (the newer term).
  • CloudFormation has 5 common sections: Format Version, Description, Parameters, Resources, Outputs.
  • CloudFormation's Parameters section is optional. It provides values at runtime.
  • CloudFormation's Resources section is required because it generates the resources in the infrastructure. This is the section where we refer to the Parameters section.
  • CloudFormation's Outputs section is optional. It provides values after resource creation.
  • The CloudFormation idea is to turn commonly used resources into code that can be repeated and tested (see the sketch below).
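
To tie those sections together, here is a hedged sketch of a tiny JSON template submitted with boto3. The AMI ID and stack name are placeholders.

```python
import json
import boto3

# Minimal template showing the common sections: Parameters, Resources, Outputs.
template = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "Single EC2 instance demo",
    "Parameters": {
        "InstanceType": {"Type": "String", "Default": "t3.micro"},
    },
    "Resources": {
        "WebServer": {
            "Type": "AWS::EC2::Instance",
            "Properties": {
                "ImageId": "ami-xxxxxxxx",                # placeholder AMI
                "InstanceType": {"Ref": "InstanceType"},  # refers to the Parameter
            },
        },
    },
    "Outputs": {
        "InstanceId": {"Value": {"Ref": "WebServer"}},
    },
}

cfn = boto3.client("cloudformation")
cfn.create_stack(StackName="demo-stack", TemplateBody=json.dumps(template))
```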

Video: Monitoring Your Architecture

  • Monitor: (a) Resources (b) Application (c) Operations
  • Respond: (a) Ignore (b) Manual Fix (c) Automate Fix (d) Modify architecture and applications
  • CloudWatch to monitor. Then combine it with Lambda to trigger logging e.g. S3 bucket file deleted, then write to log file.

Video: Understanding the Trade-offs

  • Architecture trade-offs: Time, Cost, Complexity, Memory, and Efficiency
  • Queuing Data (it takes time to go through queue but it is durable so it is time vs durability),
  • Partitioning Data (e.g. NoSQL is usually partitioned vs SQL),
  • Caching Data (e.g. cache vs. replica vs. CDN hence the tradeoff here is time vs. consistency),
  • Compressing Data (it takes time to compress but it saves memory so it is time vs memory)

Lab: Optimize Amazon S3 Performance

  • Create an S3 bucket. Enable Transfer Acceleration — using edge locations to speed up the upload process.
  • Test the performance difference between S3 Direct Upload and S3 Transfer Acceleration.
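
A hedged boto3 sketch of this lab step (bucket and file names are placeholders):

```python
import boto3
from botocore.config import Config

s3 = boto3.client("s3")

# Turn on Transfer Acceleration for the bucket (placeholder name).
s3.put_bucket_accelerate_configuration(
    Bucket="my-accel-demo-bucket",
    AccelerateConfiguration={"Status": "Enabled"},
)

# Upload through the accelerate endpoint so the transfer enters AWS
# at the nearest edge location instead of going straight to the region.
s3_accel = boto3.client("s3", config=Config(s3={"use_accelerate_endpoint": True}))
s3_accel.upload_file("large-file.bin", "my-accel-demo-bucket", "large-file.bin")
```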

Lab: Monitor Resources and Deployed Configurations Using AWS CloudWatch

  • Try CloudWatch
  • Create custom dashboard in CloudWatch
  • Add metrics to custom dashboard
  • Create Alarm in CloudWatch
  • Monitor Alarm
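
For the alarm step in this lab, a hedged boto3 sketch; the instance ID and SNS topic ARN are placeholders.

```python
import boto3

cloudwatch = boto3.client("cloudwatch")

# Alarm when average CPU of one instance stays above 80% for two 5-minute periods.
cloudwatch.put_metric_alarm(
    AlarmName="high-cpu-demo",
    Namespace="AWS/EC2",
    MetricName="CPUUtilization",
    Dimensions=[{"Name": "InstanceId", "Value": "i-xxxxxxxx"}],   # placeholder instance
    Statistic="Average",
    Period=300,
    EvaluationPeriods=2,
    Threshold=80.0,
    ComparisonOperator="GreaterThanThreshold",
    AlarmActions=["arn:aws:sns:us-east-1:111122223333:alerts"],   # placeholder topic
)
```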

Design Secure Applications and Architectures (24%)

Video: Protecting AWS Credentials

  • Root User vs. IAM (non-root user) principal
  • Root User has full access to all resources and only one root user per account
  • IAM (non-root user) principal has permission based on IAM policies
  • Security = CIA = Confidentiality, Integrity, and Availability
  • Confidentiality = only authorised parties can access the data => encryption and access control lists (ACLs) are techniques to ensure confidentiality
  • Integrity = data has not been modified improperly
  • Availability = Authorised parties have access when they need it
  • Defense in Depth = Protecting CIA of data by securing everything that touches the data
  • Confidentiality through encryption and permission control
  • Integrity through logging and encryption
  • Availability through backups, replication, and recovery
  • AWS IAM has a root access key option where the root user can programmatically manage their AWS account through code. This root access key has all the access to the account.
  • IAM Principal is an entity that can take an action on an AWS resource.
  • IAM Principal synonym is Identity.
  • IAM principals include users and roles. Combined with policies, this gives a fine-grained access control list for each IAM principal.
  • An IAM policy permission statement has (a) Effect (e.g. Allow or Deny) (b) Service (e.g. EC2) (c) Action/Operation (e.g. RunInstances) (d) Resource (depends on the service, e.g. image/ami-e5d94) (e) Request Condition (MFA, IP range, time, e.g. 192.168.0.1). See the example policy after this list.
  • IAM policies have an Effect of Allow or Deny. This is good for whitelists and blacklists. The control can be as fine as denying users the ability to terminate EC2 instances by Region, account, or instance ID.
  • IAM has a policy simulator that shows which actions a user is allowed or denied, so we can see for ourselves what he/she can do.
  • There is a difference between Inline Policies and Managed Policies.
  • AWS managed policies are designed to provide permissions for many common use cases.
  • Inline policy is a policy that’s embedded in an IAM identity (a user, group, or role). That is, the policy is an inherent part of the identity. You can create a policy and embed it in an identity, either when you create the identity or later. Inline policies are useful if you want to maintain a strict one-to-one relationship between a policy and the identity that it’s applied to.
  • AWS architects use IAM to secure accounts. So begin by implementing MFA for the root user.
  • Use an administrative user instead of the root user for day-to-day computing needs.
  • AWS Managed Policies are updated as new services and actions are added.
  • Customer Managed Policies work like AWS Managed Policies but are created by Customer.
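
As an illustration of the permission statement fields above, here is a hedged sketch of a customer managed policy created with boto3. The policy name, CIDR range, and account details are placeholders.

```python
import json
import boto3

# Deny terminating EC2 instances unless the request comes from the office IP range.
policy_document = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",                       # Effect
        "Action": "ec2:TerminateInstances",     # Service + Action
        "Resource": "*",                        # Resource
        "Condition": {                          # Request condition
            "NotIpAddress": {"aws:SourceIp": "192.168.0.0/24"}
        },
    }],
}

iam = boto3.client("iam")
iam.create_policy(
    PolicyName="deny-terminate-outside-office",   # placeholder name
    PolicyDocument=json.dumps(policy_document),
)
```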

Video: Capturing and Analyzing Logs

  • AWS CloudTrail for capturing events. Two types of events (a) Management event e.g. changing config (b) Data event e.g. CRUD
  • AWS CloudWatch Logs for viewing logs. Logs are stored in S3.
  • CloudTrail vs CloudWatch Logs
  • CloudTrail logs AWS actions and then stores them in S3.
  • CloudWatch Logs aggregates logs from CloudTrail and non-AWS sources (e.g. Apache, NGINX). The main goal of CloudWatch Logs is to provide a GUI to view and search logs.
  • CloudTrail captures events and delivers the logs to CloudWatch Logs for a powerful GUI view and search.
  • Amazon CloudWatch = GCP Cloud Monitoring: Infrastructure and application monitoring
  • Amazon CloudWatch Logs = GCP Cloud Logging: Centralized logging
  • AWS CloudTrail = GCP Cloud Audit Logs: audit trails
  • AWS Athena = GCP BigQuery: Query service
  • AWS Config = GCP Cloud Asset Inventory: Resource monitoring
  • AWS Config is like a time machine in which we can take a look at the config of a specific time in the past. For example, we know an Alarm was created a month ago and the Alarm is deleted today. But if we want to know if the Alarm existed two weeks ago, we need to do correlation. So AWS Config is here to solve the problem of allowing us to look at 2 weeks ago if Alarm existed. AWS Config is easier than sorting through CloudTrail logs in CloudWatch Log. You can use AWS Config (Configuration Items) to answer “What did my AWS resource look like?” at a point in time. You can use AWS CloudTrail to answer “Who made an API call to modify this resource?”
  • AWS CloudWatch Alarms for creating alerts
  • AWS Athena for searching logs.
  • AWS Config for tracking changes.

Video: Protecting Network and Host-level Boundaries

  • Create a VPC without using VPC Wizard.
  • Create a VPC. Create a Subnet. Create an Internet Gateway. Create a Route Table that allows all IP addresses 0.0.0.0/0 from the Internet Gateway. Create a Security Group (e.g. allowing traffic of HTTP port number 80 / SSH port number 22 TCP from my IP address only).
  • The above architecture is weak because it allows web1 to traverse the whole internet through the internet gateway. So if web1 is compromised it becomes a source of threat.
  • Create a VPC endpoint for traffic to DynamoDB. This creates a prefix list of DynamoDB IP addresses, so whenever an EC2 instance (web1) sends traffic to an address in the prefix list, it goes through the VPC endpoint instead of web-igw (the internet gateway). See the sketch after this list.
  • We can further tighten the security group's inbound and outbound rules: allow inbound HTTP only from our IP address and outbound only to the prefix list of IP addresses.
  • NACL (Network Access Control List). NACL sits at the border of the subnet. While Route Table and VPC Endpoint or Internet Gateway sit at VPC level.
  • This layered setup is a defense-in-depth strategy because we have many layers of security.
  • Why do we still need NACL if we have a Security Group? Because to achieve Defense in-depth!
  • Security Group vs. NACL.
  • Security Group: (a) instance-level security, e.g. at the EC2 instance level (b) stateful (c) unnumbered, i.e. rules are not evaluated in order
  • NACL: (a) subnet-level security, e.g. Public Subnet A (b) stateless (c) numbered, i.e. rules are evaluated in order
  • Stateless vs. stateful. A NACL is stateless, so if we allow inbound traffic but deny outbound, an SSH connection to the subnet will fail because no SSH handshake can be established. A Security Group is stateful, so if we allow inbound traffic it will be allowed out too (Disclaimer: I have not tested the latter. It is in theory).
  • Stateful is that traffic that is allowed in, will also be allowed out.
  • Stateless is where the traffic must be explicitly allowed in and allowed out of the network i.e. ingress and egress.
  • Only NACLs have explicit deny rules. Security Groups do not have deny rules.
  • Security Groups are applied at the ENI (Elastic Network Interface) level.
  • An ENI is like a virtual network card in a virtual machine, e.g. an EC2 instance.

  • NACLs are applied at the subnet level.
  • Use an IAM instance profile to grant an instance access to an AWS service e.g. EC2 instance connecting to DynamoDB.
  • VPC Endpoint vs. Internet Gateway: a VPC Endpoint uses an AWS-internal path to connect to an AWS service, e.g. DynamoDB, without traversing the public internet.
  • Security Group and Network Access Control List (NACL) act as Firewall but in different ways.
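
A hedged boto3 sketch of creating that gateway endpoint; the VPC and route table IDs, and the region in the service name, are placeholders.

```python
import boto3

ec2 = boto3.client("ec2", region_name="us-east-1")

# Gateway endpoint: adds the DynamoDB prefix list to the chosen route tables,
# so traffic to DynamoDB stays inside AWS instead of using the internet gateway.
ec2.create_vpc_endpoint(
    VpcEndpointType="Gateway",
    VpcId="vpc-xxxxxxxx",                           # placeholder VPC
    ServiceName="com.amazonaws.us-east-1.dynamodb",
    RouteTableIds=["rtb-xxxxxxxx"],                 # placeholder route table
)
```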

Video: Protecting Data at Rest

  • Learning how to use Access Control is complicated.
  • 2 ways to protect data at rest: (a) access permissions, e.g. S3 bucket policies and access control lists; (b) encryption, which requires access to a key to encrypt or decrypt data.
  • There are 2 options for generating a KMS key: (a) KMS auto-generated (b) external. With a KMS auto-generated key we can't see the key, so if I'm concerned about its randomness I could use an external key.
  • We can use KMS to encrypt EBS. First, clone an EBS. Second, encrypt the cloned EBS. Third, create an AMI image from the encrypted-cloned EBS. Fourth, launch the encrypted-cloned EBS image with EC2. Outcome, the EC2 instance is using an encrypted-cloned EBS image.
  • When generating S3 bucket policy, the “Principal” field is the User ARN of the person.
  • Granting access to S3 has three options: (a) user policies (b) Access Control List (c) Bucket Policy. A bucket policy can be more restrictive than the others.
  • S3 Bucket Policy can grant access to just one object instead of the entire bucket.

  • If an S3 bucket uses a Customer Managed Key (CMK) from AWS KMS and Ben uploads a file, the file is only readable by Ben even if Phil has access to the entire bucket. Phil can't read the file uploaded by Ben because Phil doesn't have access to Ben's CMK. For Phil to use Ben's CMK, Phil needs permission under the key policy. (See the sketch after this list.)
  • If we set a Customer Managed Key on an S3 bucket, only newly uploaded objects are encrypted using the CMK; existing objects are not. To encrypt an existing object, go to the properties of each object and enable it.
  • To delete a Customer Managed Key, we have to make sure to permanently decrypt all of the objects first.
  • AWS doesn't encourage users to use ACLs to control access to S3. Instead, use bucket policies or user policies.

Video: Protecting Data in Transit

  • Protecting data in transit means encryption using TLS (Transport Layer Security). SSL is old and deprecated, but people sometimes still use the name; the correct term is TLS.
  • HTTPS uses TLS.
  • Two ways to use TLS: (a) configure the application to use TLS — this is independent of AWS; (b) configure the AWS Application Load Balancer to use TLS.
  • Application Load Balancer requires at least 2 availability zones.

Video: Configuring Data Backup, Replication, and Recovery

  • For protecting data, S3 offers more security and recovery options than EBS.
  • S3 provides versioning of all objects. Versioning is enabled at the bucket level (see the sketch after this list).
  • S3 provides lifecycle management.
  • S3 enables cross-region replication.
  • Using S3 versioning, we delete a file from S3, it will add a delete marker. To restore the deleted file, we can delete the delete marker. This will restore the file from delete. So underneath, the delete marker hides the object from view, but the object is still available.

  • S3 lifecycle rules will not transition any objects smaller than 128 KB.
  • S3 lifecycle rules allow transitioning object versions to S3 Glacier or One Zone-IA (infrequent access).
  • In an S3 lifecycle rule, the number of days before permanently deleting previous versions must be greater than the transition days, so that an object can first be transitioned to Glacier before it is permanently deleted.

  • S3 replication works on new objects. Doesn’t work on existing objects.
  • Security is about the CIA triad. Confidentiality, Integrity, and Availability.
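
A hedged boto3 sketch of enabling versioning and a lifecycle rule on a bucket; the bucket name and day counts are placeholders.

```python
import boto3

s3 = boto3.client("s3")
bucket = "my-backup-bucket"   # placeholder bucket

# Versioning is set at the bucket level; deletes then only add delete markers.
s3.put_bucket_versioning(
    Bucket=bucket,
    VersioningConfiguration={"Status": "Enabled"},
)

# Move current versions to Glacier after 90 days, expire old versions after 365.
s3.put_bucket_lifecycle_configuration(
    Bucket=bucket,
    LifecycleConfiguration={"Rules": [{
        "ID": "archive-then-expire",
        "Status": "Enabled",
        "Filter": {"Prefix": ""},   # whole bucket
        "Transitions": [{"Days": 90, "StorageClass": "GLACIER"}],
        "NoncurrentVersionExpiration": {"NoncurrentDays": 365},
    }]},
)
```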

Lab: Deny Specific Access with Policies for Users and Groups on AWS

  1. Use IAM to create a policy to limit S3 Permission Management
  2. Use IAM to create a policy to limit S3 All Permission But Read
  3. Use IAM to attach existing policy to user
  4. Use IAM to attach existing policy to group

Lab: Configure CloudTrail and Monitoring with CloudWatch on AWS

  • Create CloudTrail (i.e. audit log)
  • View trail in CloudWatch Log
  • View log stream in CloudWatch Log
  • Create metric with filter pattern in CloudWatch Log
  • Create alarm after creating metric in CloudWatch Log

Lab: Secure an EC2 Application Connection to DynamoDB on AWS

  • Use VPC to enable HTTP port 80 traffic under Security Group to reach the VPC subnet.
  • Use Cloud9 to load a web app to EC2 instance
  • Use IAM to create a read and write policy of DynamoDB.
  • Use IAM to create a role for EC2 and attach the above policy to the role
  • Use EC2 to attach the role to an EC2 instance.
  • Use Cloud9 cmd to create a DynamoDB table and load data in.
  • Use the browser to open the web app to see the data from DynamoDB. This proves that the web app is communicating with DynamoDB via internet gateway. This also proves that internet users can access the web app EC2 instance via internet HTTP (not HTTPS).
  • Use VPC to create Endpoints. Create an Endpoint to DynamoDB.
  • Use VPC to remove the outbound rule via the Security Group. Add an outbound rule to the created Endpoint.
  • Use Cloud9 cmd to test that ping 8.8.8.8 doesn’t work.
  • Use the browser to open the web app to see that data from DynamoDB still works.

Lab: Create and Utilize a Customer Managed Key in AWS KMS

  • Use KMS to create CMK
  • Use S3 to upload an object with CMK encryption
  • Use S3 to open the object, it should work
  • Use S3 with another account to open the object, it should not work.
  • Use KMS to disable the CMK.
  • Use S3 to open the object, it should show error.

Lab: Encrypt EBS Volumes on Existing EC2 Instances on AWS

  • SKIPPED

Lab: Configure a CloudFront Distribution for an Amazon S3 Bucket

  • Use CloudFront distribution to enable use of HTTPS, which S3 hosting doesn’t support.
  • Use S3 to disable the existing HTTP static website hosting
  • Use S3 to restrict public access on the existing bucket
  • Use CloudFront to create a CDN of S3 static website and redirect HTTP to HTTPS.

Lab: Configure Access and Encryption on Amazon S3 Buckets

  • SKIPPED

Lab: Create a Snapshot for an EBS Volume

  • Use EC2 to create an instance and attach an EBS volume
  • Use EC2 to create single-volume and multi-volume snapshots for disaster recovery.

Design Cost-Optimized Architectures (18%)

Video: Understanding Cost Effective Storage in AWS

  • S3 has 5 storage classes (a) Standard (b) Standard-IA (c) Intelligent-Tiering — transitions between classes (d) One Zone-IA (e) S3 Glacier
  • S3 Lifecycle rules can help to transition objects, delete objects after N days, or both to save cost. So transition object from Standard → Standard-IA → Glacier → Delete
  • Caching can help to reduce cost too.
  • S3 Glacier retrieval time is between 1 min to 12 hours.
  • S3 Glacier Deep retrieval time is between 12 hours to 48 hours.
  • S3 Glacier Deep charges for at least 180 days minimum storage duration.
  • S3 Glacier charges for at least 90 days minimum storage duration.
  • Both S3 Glacier and S3 Glacier Deep charges retrieval by per GB.
  • 4 types of EBS storage: (a) Cold HDD, (b) Throughput optimised HDD, (c) General purpose SSD, (d) Provisioned IOPS SSD

Video: Understanding Cost Effective Compute in AWS

  • Using EC2, we are always charged for (a) instance running time (b) EBS storage (c) data transfer out
  • Using EC2, we have 4 purchase options: (a) On-Demand (b) Reserved Instances (c) Spot Instances (d) Scheduled Reserved Instances
  • On-demand: Billed when instances are running. This option is great for uninterrupted compute power.
  • Reserved instances: Make 1 year or 3 years commitment. There are options to pay all, partial, or no upfront. The more we pay, the more discount we get.
  • Spot Instance: Bidding on unused capacity in an AZ. There are also options of Spot, Spot Fleets, and Spot Blocks. AWS can give 2 minutes notice to take the spot instance back.
  • Scheduled Reserved Instances: Book for a specific period and pay upfront then run it when it is your date and time. It’s like booking a badminton court. This is good for batch job processing.
  • Using EC2, there is a mix of instance families and instance sizes. For example, Family: M5 (general purpose family). Size: m5.large to m5.24xlarge
  • Using EC2, there are (a) burstable performance and (b) fixed performance instances.
  • Use tools such as AWS CloudWatch, AWS Cost Explorer, and AWS Trusted Advisor to monitor usage and apply best practices to understand cost.

  • Using EC2, avoid converting to older generations of EC2 families because they are more expensive. Also, changing the size of an EC2 instance requires shutting down the instance before resizing it.

Video: Understanding Database Pricing and Cost-optimization

  • Using RDS you have to choose instance type and size.
  • Using RDS one is charged for data storage, data transfer out of AZ, and backup storage.
  • Using RDS, there are (a) general purpose instance types, (b) memory optimised, and (c) burstable.
  • Using RDS storage, there are (a) general purpose SSD, (b) Provisioned IOPS SSD, and (c) magnetic storage — this is the cheapest but not recommended
  • Using RDS, there are (a) on-demand payment (b) reserved instance payment
  • Using Aurora, it auto-scales.
  • Using Aurora, it offers Aurora Serverless features. Aurora is cheaper than RDS.
  • Using DynamoDB the pricing is (a) On-demand (b) Provisioned Capacity — this is purchasing capacity units.
  • Using DynamoDB, the measurements are: 1 Write Capacity Unit (WCU) = one write per second for an item up to 1 KB; 1 Read Capacity Unit (RCU) = one strongly consistent read per second (or two eventually consistent reads per second) for an item up to 4 KB. See the sketch after this list.
  • Using DynamoDB, global secondary indexes are chargeable.
  • Using DynamoDB, global tables will need additional capacity which is chargeable.
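
To make the capacity-unit arithmetic concrete, a small Python sketch using the definitions above; the workload numbers are made up for illustration.

```python
import math

def write_capacity_units(item_kb: float, writes_per_sec: float) -> float:
    """1 WCU = one write per second of an item up to 1 KB."""
    return math.ceil(item_kb / 1) * writes_per_sec

def read_capacity_units(item_kb: float, reads_per_sec: float,
                        strongly_consistent: bool = True) -> float:
    """1 RCU = one strongly consistent 4 KB read per second,
    or two eventually consistent reads per second."""
    units = math.ceil(item_kb / 4) * reads_per_sec
    return units if strongly_consistent else units / 2

# Example: 2 KB items, 100 writes/s and 200 eventually consistent reads/s.
print(write_capacity_units(2, 100))                             # 200 WCU
print(read_capacity_units(2, 200, strongly_consistent=False))   # 100 RCU
```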

Video: Understanding Cost-optimized Network Architectures

  • Site-to-site VPN is cheaper but slower than Direct Connect.
  • Using CloudFront in front of a web app is cheaper than serving directly from S3 because of caching, cheaper CloudFront data transfer rates, and no charge for retrieving data from S3 to CloudFront within AWS.

Video: Making Cost-optimized Decisions

  • Use SCPs (Service Control Policies) to restrict available features, for example so that teams do not spin up unnecessary services in AWS.

  • Use AWS CloudWatch to create a billing alarm.
  • Use AWS Trusted Advisor to run cost optimization recommendations.

Lab: Create Spot and On-Demand EC2 Instances on AWS

  • Using EC2, launch instance and “Request for Spot Instance”.

Lab: Implement a Classic Load Balancer for HTTP Traffic on AWS

  • Using EC2, the web app load balancer sits behind VPC NACL. But the LB is in front of the Security Group firewall. So the VPC NACL needs to add an inbound rule to allow HTTP traffic port 80 in. This will allow HTTP traffic to the load balancer. The VPC Security Group needs to limit accepting HTTP traffic from the LB only.
  • Important to note: even though Security Groups are configured within a VPC, they act at the instance level, not the subnet level.

Video: Achieving AWS Mastery

  • The exam score allocation (4 domains) is indicated in the section headers above with percentages.

Video: Crushing the Exam

  • Always design an architecture that does not result in Single Point of Failure. This is achieved through loose coupling. So avoid tight coupling.
  • Decouple for health reasons using Queue i.e. Simple Queue Service
  • Decouple for scalability using Queue
  • We can use SQS + CloudWatch to monitor the queue and make auto-scale based on queue size.
  • Decouple for Scalability using Elastic Load Balancer.
  • EC2 Instance Store is ephemeral with fixed capacity and limited storage
  • Hadoop Stores on Amazon EMR is the industry-leading cloud big data platform for processing vast amounts of data using open source tools such as Apache Spark, Apache Hive, Apache HBase, Apache Flink, Apache Hudi, and Presto.
  • 130 minutes, 65 questions. So at most 2 minutes per question.

  • Review the characteristics of the different EBS storage types — st1 and sc1 cannot be boot volumes for any instances.
  • Know the EBS IOPS ranges for General Purpose SSD, Provisioned IOPS SSD, Cold HDD and Throughput Optimised HDD, and which of them support boot volumes.
  • Provisioned IOPS SSD io2 Block Express supports between 64,000 and 256,000 IOPS.
  • Provisioned IOPS SSD io1 and io2 support between 16,000 and 64,000 IOPS. Only Provisioned IOPS SSD supports EBS multi-attach. Boot volume supported.
  • General Purpose SSD gp3 and gp2 max out at 16,000 IOPS (16 KiB I/O).
  • Throughput Optimised HDD st1 maxes out at 500 IOPS. This is suitable for big data, data warehouses, and log processing.
  • Cold HDD sc1 maxes out at 250 IOPS. Useful for throughput-oriented storage for data that is infrequently accessed, and scenarios where the lowest storage cost is important.
  • Previous generation magnetic volumes max out between 40 and 200 IOPS. Boot volume supported.

  • SSD is good for random reads. If sequential reads, a traditional HDD has much better performance. Exam questions will confuse us on which storage type to use. So make sure we know the differences. Gp2 vs io1 vs st1 vs sc1.
  • S3 storage classes are billed per gigabyte per month. S3 storage classes support SSL for data in transit and encryption of data at rest.
  • S3 Intelligent-Tiering stores objects in four access tiers, optimized for frequent, infrequent, archive, and deep archive access. The Archive Access and Deep Archive Access tiers have the same performance as Glacier and Glacier Deep Archive, but you pay a small monthly monitoring and auto-tiering fee.
  • Starting from S3 Standard-IA, retrieval is charged by per GB retrieved.
  • Amazon S3 on Outposts delivers object storage to your on-premises AWS Outposts environment.
  • S3 charges for data transfer out of the region. We also pay for PUT, COPY, POST, LIST, GET, SELECT, Lifecycle Transition, and Data Retrievals. But DELETE and CANCEL requests are free.
  • S3 PUT, COPY, POST, LIST requests are more expensive than GET, SELECT, and all other requests.
  • RDS is transactional DB
  • DynamoDB — 1 RCU = 1 strongly consistent read per second or 2 eventually consistent reads per second (items up to 4 KB); 1 WCU = 1 write per second (items up to 1 KB). Need to understand this clearly.
  • Redshift is for analytic queries — cheaper than products such as Oracle.
  • Amazon RDS has MariaDB, MySQL, MS SQL, Oracle, PostgreSQL and Aurora.
  • With RDS for MySQL, MariaDB, PostgreSQL, and Oracle, you can also set the read replica as Multi-AZ, allowing you to use the read replica as a DR target. When you promote the read replica to be a standalone database, it will already be Multi-AZ enabled.
  • Know how multi AZ functions within RDS. Understand how master to standby instances are done synchronously.
  • CloudFront serves static and dynamic content. Protect private content (with SSL and OAI).
  • An Origin Access Identity (OAI) is used for sharing “private” content via CloudFront. The OAI is a virtual user identity that will be used to give your CF distribution permission to fetch a private object from your origin server (e.g. S3 bucket).
  • AWS WAF and Shield. WAF is Web Application Firewall.
  • AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards web applications running on AWS. Whereas AWS WAF is a web application firewall that helps protect your web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources.
  • AWS WAF gives you control over which traffic to allow or block to your Amazon Web Services. You can use AWS WAF to create custom rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that are designed for your specific application. On the other hand, AWS Shield provides always-on detection and automatic inline mitigations that minimize application downtime and latency.
  • ElastiCache Memcached is best for horizontal scaling, low maintenance, and storing session state. Suited to serving content from relational databases.
  • ElastiCache Redis is better when dealing with NoSQL databases, e.g. DynamoDB. Redis is better for vertical scaling, atomic counters, read replicas, and leaderboards/counters. Modern online games use Redis for leaderboards.
  • Vertical scaling can hit hardware limits e.g. CPU and RAM.
  • Horizontal scaling is limited by capacity of my AWS account. Horizontal scaling takes advantage of auto-scaling and takes advantage of Elastic Load Balancer to evenly distribute traffic.
  • CloudTrail is used to monitor API activities.
  • EFS supports the Network File System NFS 4.0 and NFS 4.1 protocols and can be shared across instances. For Windows deployments you can use Amazon FSx.
  • Glacier is not designed as a backup solution but as an archival solution.
  • For unstructured data S3 is a good storage solution. Always look for caching options to improve performance. Also need to know how to select the best instance size for a given workload.

  • In the exam, any answer that uses only a single AZ will never be correct.
  • Serverless and managed services are always preferred in the exam.
  • In the exam, an answer that involves writing a custom script is usually incorrect.

  • Always remember: in the exam, the answer should be an architecture design that is resilient, with no single point of failure.
  • Know the principle of least privilege — never grant an account more access than it requires.
  • Fault tolerance vs. high availability. While high-availability systems and fault-tolerant systems are designed to accomplish basically the same objective, there are a number of important distinctions between the two approaches. One key difference is that high-availability systems are designed to both limit downtime and keep the performance of the system from being negatively affected. A fault-tolerant system is designed to minimise downtime, but maintaining performance isn't as much of a priority.
  • Familiar with DocumentDB — Amazon DocumentDB is a fully managed proprietary NoSQL database service that supports document data structures and has limited support for MongoDB workloads up to MongoDB version 3.6 and version 4.0. As a document database, Amazon DocumentDB makes it easy to store, query, and index JSON data.
  • DocumentDB vs DynamoDB. DynamoDB is a fully managed, scalable service where you set the upper limit of its capacity. DocumentDB is a bit more hands-on: you have to select the number of instances for the cluster and the instance sizes. This means you need to keep an eye on their usage/performance, but not to the extent of self-managed MongoDB.
  • When we create a new resource or IAM identity, there is no permission by default. An implicit deny can be overridden by an explicit allow, but an explicit deny will always override an explicit allow. In other words, everything is blacklisted by default; an explicit whitelist (allow) overrides the implicit blacklist, but an explicit blacklist always overrides any explicit allow.
  • SAML federation as well as web identity federation are supported by Cognito, so be familiar with Cognito services and the role they play in authenticating users. Security Assertion Markup Language 2.0 (SAML) is an open federation standard that allows an identity provider (IdP) to authenticate users and pass identity and security information about them to a service provider (SP), typically an application or service.

  • In the exam, always choose a role instead of a user account with access keys, because roles are more secure while access keys could be exposed. In exam questions, look for the option that uses a role.

  • To allow traffic into a VPC we use Security Groups and NACLs. To direct traffic out, we can use an Internet Gateway, a Virtual Private Gateway (when dealing with VPN), or a NAT Gateway.
  • We must know the difference between private subnet and public subnet and when to use each of them in the architecture.
  • The instances in the public subnet can send outbound traffic directly to the Internet, whereas the instances in the private subnet can’t. Instead, the instances in the private subnet can access the Internet by using a network address translation (NAT) gateway that resides in the public subnet. The database servers can connect to the Internet for software updates using the NAT gateway, but the Internet cannot establish connections to the database servers.
  • Virtual private gateway provides connection to VPN.

  • To protect data in transit, we use SSL or IPSec VPN. We can also use IPSec with Direct Connect because Direct Connect does NOT encrypt traffic by default.

  • To protect data at rest, we can use (a) SSE-S3 — Amazon S3 managed keys, which use AES-256 (b) SSE-KMS — keys managed in AWS Key Management Service (c) SSE-C — customer-provided keys (d) client-side encryption before uploading to AWS
  • AWS KMS holds the master key for us. We’ll never see the key.
  • AWS KMS supports FIPS 140-2 Level 2 compliance (Federal Information Processing Standard). KMS supports up to Level 2 because it is a multi-tenant solution.
  • For the exam, study the list of services that work with AWS KMS because the list changes frequently. AWS KMS seems to integrate with most services.
  • If we have a workload that requires FIPS level 3, then we can use a hardware appliance that is AWS CloudHSM. AWS CloudHSM is a cloud-based hardware security module (HSM) that enables you to easily generate and use your own encryption keys on the AWS Cloud. With CloudHSM, you can manage your own encryption keys using FIPS 140–2 Level 3 validated HSMs. CloudHSM offers you the flexibility to integrate with your applications using industry-standard APIs, such as PKCS#11, Java Cryptography Extensions (JCE), and Microsoft CryptoNG (CNG) libraries.
  • AWS CloudHSM is a hardware device (so definitely not an EC2 instance). It runs on a linux platform so we can do configuration and management of the hardware device. We do this through SSH into the hardware device. It is a physical hardware device that is dedicated to you. However, CloudHSM resides in AWS. Because of this Amazon will take care of the backups and replications between nodes if we have clusters. Because this could be a single point of failure. If we lose these keys we will lose access to it. For exam, we don’t have to remember the workings of CloudHSM, all that we need to remember is that it’s the only FIPS 140–2 Level 3 compliance that is available in AWS.
  • In the exam, always focus on locking down the AWS root account.
  • In the exam, use a role over access keys always.
  • In the exam, the pricing mindset is always: (a) pay as you go, (b) pay less when we reserve resources, (c) pay even less when we use more resources.
  • When dealing with S3, always pay close attention to GET requests, because GET can be a very expensive operation in S3. E.g. in S3 Infrequent Access, retrieval is charged per GB even for small objects.
  • Exam area of focus for cost optimisation is (a) optimising S3 costs (b) Optimising EBS volume cost.
  • Optimising S3 costs: use DynamoDB to hold metadata of the objects in S3; this way we don't have to pay for expensive requests against S3. So in optimising S3, we need to know the storage class, storage consumption pattern, requests, and data transfer.
  • Optimising EBS cost: Focus on volume type, IOPS, snapshots and data transfer.
  • Always prefer serverless to save cost. In the exam, serverless options include AWS Lambda, S3 (which is also considered serverless), API Gateway, NAT Gateway, and AWS Fargate (the serverless way to run Elastic Container Service workloads).
  • For the exam, focus on hours of server running, instance configuration e.g. T3 instances are going to be cheaper than C5. Instance Purchase Type e.g. reserved instance is cheaper than on-demand. A rule of thumb is that if we are going to use the instance 50% of the time, it is good to purchase the reserved instance.
  • Auto-scaling can be used to save cost.
  • A shared tenancy system is going to be cheaper than a dedicated tenancy system. Workloads that require HIPAA or PCI compliance may not allow shared tenancy systems. Instead will require a dedicated tenancy system.
  • Database will need an SSD because it will have random reads.
  • OS and software choices can also save cost. Whenever licensed software or a licensed OS is involved, it is going to cost more than open-source products. E.g. SQL Server or Oracle is going to cost more than MySQL and PostgreSQL.
  • Need to know which EC2 families are the cheapest to the most expensive. General purpose is the cheapest.
  • CloudFormation is Infrastructure as Code. It has the concept of templates and stacks. When you use CloudFormation, you manage related resources as a single unit called a stack. You create, update, and delete a collection of resources by creating, updating, and deleting stacks. All the resources in a stack are defined by the stack's CloudFormation template. Suppose you created a template that includes an Auto Scaling group, an Elastic Load Balancing load balancer, and an Amazon Relational Database Service (Amazon RDS) database instance. To create those resources, you create a stack by submitting the template that you created, and CloudFormation provisions all those resources for you.
  • Auto-scaling. There are 3 components of auto-scaling. Launch Template, Auto Scaling Group, and Auto Scaling Policy.
  • A launch template is similar to a launch configuration, in that it specifies instance configuration information. Included are the ID of the Amazon Machine Image (AMI), the instance type, a key pair, security groups, and the other parameters that you use to launch EC2 instances. However, defining a launch template instead of a launch configuration allows you to have multiple versions of a template. With versioning, you can create a subset of the full set of parameters and then reuse it to create other templates or template versions. For example, you can create a default template that defines common configuration parameters and allow the other parameters to be specified as part of another version of the same template. A launch configuration specifies the instance size and the AMI; launch configurations can only be copied and replaced — we cannot modify a launch configuration. If an exam answer option involves modifying a launch configuration, we know that is not possible, so the answer can't be launch configuration.
  • Auto scaling group. They will reference the Launch Template. This is specific to the min, the max, and the desired size of the auto-scaling group. With the ELB, we can also reference from the auto-scaling group. And health checks can be set up for the group. An Auto Scaling group contains a collection of Amazon EC2 instances that are treated as a logical grouping for the purposes of automatic scaling and management. An Auto Scaling group also enables you to use Amazon EC2 Auto Scaling features such as health check replacements and scaling policies. Both maintaining the number of instances in an Auto Scaling group and automatic scaling are the core functionality of the Amazon EC2 Auto Scaling service. The size of an Auto Scaling group depends on the number of instances that you set as the desired capacity. You can adjust its size to meet demand, either manually or by using automatic scaling.
  • Auto Scaling Policy — this specifies how much we should scale in and out. Multiple policies can be attached to an auto scaling group. Step scaling policies and simple scaling policies are two of the dynamic scaling options available for you to use. Both require you to create CloudWatch alarms for the scaling policies. Both require you to specify the high and low thresholds for the alarms. Both require you to define whether to add or remove instances, and how many, or set the group to an exact size. The main difference between the policy types is the step adjustments that you get with step scaling policies. When step adjustments are applied, and they increase or decrease the current capacity of your Auto Scaling group, the adjustments vary based on the size of the alarm breach. In most cases, step scaling policies are a better choice than simple scaling policies, even if you have only a single scaling adjustment.
  • Exam -> CloudWatch Metrics. Make sure I know which metrics can be monitored at the hypervisor level, like CPU utilisation and network bandwidth. Beyond the hypervisor level, instance-level metrics such as disk space utilisation require the CloudWatch Agent. Also remember that default monitoring is at a 5-minute interval; detailed monitoring is at a 1-minute interval. Make sure I know how to read CloudWatch Logs and the metrics involved in them. Understand how we can use a CloudWatch Alarm to monitor metrics like CPU utilisation for scaling.

Practice: Kaplan Practice Exams

  • Amazon Kinesis Data Analytics is to get actionable insights from streaming data with serverless Apache Flink
  • Amazon Kinesis Data Stream is to collect streaming data for real-time analytics.
  • Amazon Kinesis Data Firehose is to prepare and load real-time data streams into data stores and analytics services.
  • Amazon Kinesis Video Streams is to capture, process, and store media streams for playback, analytics, and machine learning.
  • Amazon ElastiCache for Redis is an in-memory data store built for the cloud.
  • Amazon ElastiCache for Memcached is a managed, Memcached-compatible, in-memory store.
  • Amazon Redshift limits you to adding a maximum of 100 partitions per ALTER TABLE statement.
  • AWS IoT Greengrass brings local compute, messaging, data management, sync, and ML inference capabilities to edge devices
  • The Amazon SQS default visibility timeout is 30 seconds.
  • Amazon S3 key features: the same low latency and high throughput performance as S3 Standard; designed for 99.999999999% durability of objects across multiple Availability Zones; resilient against events that impact an entire Availability Zone, so data survives the destruction of one Availability Zone.
  • The Amazon S3-based data lake solution uses Amazon S3 as its primary storage platform. Amazon S3 provides an optimal foundation for a data lake because of its virtually unlimited scalability. You can seamlessly and non-disruptively increase storage from gigabytes to petabytes of content, paying only for what you use. Amazon S3 is designed to provide 99.999999999% durability. It has scalable performance, ease-of-use features, and native encryption and access control capabilities. Amazon S3 integrates with a broad portfolio of AWS and third-party ISV data processing tools.

The 5 Pillars of the AWS Well-Architected Framework are (a) Operational Excellence (b) Security (c) Reliability (d) Performance Efficiency (e) Cost Optimisation.

Operational Excellence: The ability to support development and run workloads effectively, gain insight into their operations, and to continuously improve supporting processes and procedures to deliver business value.

Security: The ability to protect data, systems, and assets to take advantage of cloud technologies to improve your security.

Reliability: The ability of a workload to perform its intended function correctly and consistently when it’s expected to. The ability to operate and test the workload through its total lifecycle.

Performance Efficiency: The ability to use computing resources efficiently to meet system requirements, and to maintain that efficiency as demand changes and technologies evolve.

Cost Optimization: The ability to run systems to deliver business value at the lowest price point.

  • A component is the code, configuration, and AWS Resources that together deliver against a requirement.
  • A workload is used to identify a set of components that together deliver business value.
  • Architecture is how components work together in a workload.
  • Milestones mark key changes in your architecture as it evolves throughout the product life cycle (design, implementation, testing, go live, and in production).
  • Technology Portfolio is the collection of workloads that are required for the business to operate.
  • Reliability and cost are often traded off against each other, e.g. development environments reduce cost at the expense of reliability. However, security and operational excellence are generally not traded off against the other pillars.
  • Scheduled scaling is for predictable workload
  • Dynamic scaling is for unpredictable workload
  • Manual scaling is not desirable.
  • TrueCrypt software works with AWS EBS and AWS Import/Export features.

AWS Athena allows using SQL to query data within S3 infrastructure.

AWS Athena is serverless.

A listener checks for connection requests and manages incoming traffic into the load balancer, which then distributes that traffic evenly across its targets.

  • AWS Glacier — Expedited retrievals allow you to quickly access your data when occasional urgent requests for a subset of archives are required. For all but the largest archives (250 MB+), data accessed using Expedited retrievals are typically made available within 1–5 minutes.
  • Standard — Standard retrievals allow you to access any of your archives within several hours. Standard retrievals typically complete within 3–5 hours. This is the default option for retrieval requests that do not specify the retrieval option.
  • Bulk — Bulk retrievals are S3 Glacier’s lowest-cost retrieval option, which you can use to retrieve large amounts, even petabytes, of data inexpensively in a day. Bulk retrievals typically complete within 5–12 hours.
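
As a rough illustration of choosing a retrieval tier, here is a minimal boto3 sketch that restores an archived object using the Expedited tier; the bucket name, object key, and restore window are hypothetical.

```python
import boto3

s3 = boto3.client("s3")

# Restore a Glacier-archived object. Tier is 'Expedited' (typically 1-5 minutes for archives
# under ~250 MB), 'Standard' (3-5 hours, the default), or 'Bulk' (5-12 hours, cheapest).
s3.restore_object(
    Bucket="my-archive-bucket",      # hypothetical bucket
    Key="reports/2020-q4.csv",       # hypothetical key
    RestoreRequest={
        "Days": 2,                   # how long the temporary restored copy stays available
        "GlacierJobParameters": {"Tier": "Expedited"},
    },
)
```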

VPC flow logs will track IP addresses that are accessing your private subnet.

  • AWS cost allocation tags give the option to control governance and cost allocation through a tagging strategy.
  • To reduce cost, we can stop RDS and pause Redshift instances when not in use.
  • CloudFront uses an Edge server to cache and deliver content faster.
  • AWS App Mesh provides application-level networking for all your services, giving a consistent view of, and control over, all network traffic.
  • AWS OpsWorks is to Automate Operations with Chef and Puppet.
  • AWS VPC allows up to 200 subnets per VPC.
  • VPC allows up to 500 security groups per VPC per region.
  • AWS allows up to 5 VPC per region
  • An SPF record is a TXT record that is part of a domain’s DNS (Domain Name Service). An SPF record lists all authorized hostnames / IP addresses that are permitted to send email on behalf of your domain.
  • A mail exchanger record (MX record) specifies the mail server responsible for accepting email messages on behalf of a domain name. It is a resource record in the Domain Name System (DNS). It includes domain name and priority.
  • Using EC2, when logging in, key pairs are used to encrypt and decrypt login information.
  • To route traffic to an IPv6 address we use an AAAA record, i.e. quad-A (see the Route 53 sketch after this list).
  • VPC’s NACL is stateless while Security Group is stateful.
  • Database Migration Service is used to Migrate databases to RDS from on-premises and other clouds.
  • AWS Simple Workflow Service (SWF) has workers and a decider. It is useful for MapReduce pipelines, business process workflows, video editing, etc.
  • Decider’s job is to schedule activity tasks and provide inputs to the workers.
  • An Amazon Machine Image (AMI) is the template used to launch an EC2 instance. It holds a pointer to the root volume, launch permissions that control which AWS accounts can use it, and a block device mapping for the volumes attached when the instance is launched.
  • An Amazon EC2 Dedicated Host is a physical server fully dedicated to your use.
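
To tie the SPF (TXT), MX, and AAAA record notes together, here is a minimal Route 53 sketch using boto3; the hosted zone ID, domain names, mail server, SPF value, and IPv6 address are all hypothetical.

```python
import boto3

route53 = boto3.client("route53")

route53.change_resource_record_sets(
    HostedZoneId="Z0123456789EXAMPLE",   # hypothetical hosted zone
    ChangeBatch={"Changes": [
        # MX record: priority and mail server responsible for the domain's email.
        {"Action": "UPSERT", "ResourceRecordSet": {
            "Name": "example.com.", "Type": "MX", "TTL": 300,
            "ResourceRecords": [{"Value": "10 mail.example.com."}]}},
        # SPF policy published as a TXT record listing permitted senders.
        {"Action": "UPSERT", "ResourceRecordSet": {
            "Name": "example.com.", "Type": "TXT", "TTL": 300,
            "ResourceRecords": [{"Value": "\"v=spf1 include:amazonses.com -all\""}]}},
        # AAAA record routing traffic to an IPv6 address.
        {"Action": "UPSERT", "ResourceRecordSet": {
            "Name": "www.example.com.", "Type": "AAAA", "TTL": 300,
            "ResourceRecords": [{"Value": "2001:db8::1"}]}},
    ]},
)
```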

AWS Compute Optimizer recommends optimal AWS resources to reduce costs and improve performance for your workloads

  • AWS Compute Optimizer is a service specifically designed to analyze your instance usage and make recommendations that help you optimize your cloud environment. In the past, AWS Trusted Advisor and AWS Cost Explorer provided this service. AWS Compute Optimizer offers a more in-depth analysis than its predecessors, including details that were previously unavailable. AWS Compute Optimizer uses machine learning to identify various workload types, then it automatically chooses a workload-specific recommendation methodology for them.
  • AWS CodeDeploy is a fully managed deployment service that automates software deployments to a variety of compute services such as Amazon EC2, AWS Fargate, AWS Lambda, and your on-premises servers. AWS CodeDeploy makes it easier for you to rapidly release new features, helps you avoid downtime during application deployment, and handles the complexity of updating your applications. You can use AWS CodeDeploy to automate software deployments, eliminating the need for error-prone manual operations.
  • AWS CloudFormation speeds up cloud provisioning with infrastructure as code.
  • AWS Storage Gateway is a hybrid cloud storage service that gives on-premises applications access to virtually unlimited cloud storage.

Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS

  • The wmic (Windows Management Instrumentation Command-line) command is used to get the total physical memory allocation of an AWS EC2 Windows instance.
  • When DNS accepts a request, the protocol is typically UDP (not TCP!)
  • AWS Managed Services (AMS) helps you operate your AWS infrastructure more efficiently and securely. Leveraging AWS services and a growing library of automations, configurations, and run books, AMS can augment and optimize your operational capabilities in both new and existing AWS environments
  • 5 VPCs maximum per region
  • Amazon VPC endpoints have two types (a) Interface type endpoint (b) Gateway type endpoint
  • An interface endpoint is an elastic network interface with a private IP address in your subnets that serves as an entry point for traffic to a supported AWS or PrivateLink service; it covers far more services than just S3 and DynamoDB, and can also be reached from on-premises networks connected via Direct Connect or VPN.
  • A gateway endpoint is a route table target used primarily for reaching S3 and DynamoDB without going through an internet gateway.
  • AWS VPN CloudHub is a way of connecting office branches together in a hub-and-spoke network configuration. The limitation is the network upload and download speed.
  • AWS Direct Connect establishes a private, dedicated connection from on-premises to a VPC. This type of connection is fast, much faster than a VPN.
  • AWS DynamoDB Accelerator (DAX) delivers up to a 10x read performance improvement, from milliseconds to microseconds.
  • In cryptography, X.509 is a standard defining the format of public key certificates. X.509 certificates are used in many Internet protocols, including TLS/SSL, which is the basis for HTTPS, the secure protocol for browsing the web. They are also used in offline applications, like electronic signatures.
  • AMI bootstrapping: bootstrapping is setting up a repeatable, self-sustaining start-up process from which additional AWS resources can be created; in the context of AWS it typically means the process needed to get an application up and running on an EC2 instance, for example via user data scripts.
  • Classic Load Balancer works at both layer 4 (TCP) and 7 (HTTP). This load balancer is usually abbreviated ELB for Elastic Load Balancer
  • An Application Load Balancer (ALB) only works at layer 7 (HTTP).
  • A Network Load Balancer (NLB) works at layer 4 only and can handle both TCP and UDP, as well as TCP connections encrypted with TLS. Its main feature is that it has a very high performance. Also, it uses static IP addresses and can be assigned Elastic IPs — not possible with ALB and ELB.
  • Using RDS, Multi-AZ deployments are supported for MariaDB, Oracle, MySQL, and PostgreSQL via Amazon's failover technology; SQL Server uses its native Database Mirroring instead. RDS does not support the IBM DB2 engine.
  • AWS Cost allocation tagging — After you activate cost allocation tags, AWS uses the cost allocation tags to organize your resource costs on your cost allocation report, to make it easier for you to categorize and track your AWS costs. AWS provides two types of cost allocation tags, an AWS generated tag and user-defined tags.
  • Placement groups influence the placement of a group of interdependent instances to meet the needs of your workload. Depending on the type of workload, you can create a placement group using one of the following placement strategies:
  • Placement group Cluster — packs instances close together inside an Availability Zone. This strategy enables workloads to achieve the low-latency network performance necessary for tightly-coupled node-to-node communication that is typical of HPC applications.
  • Placement group Partition — spreads your instances across logical partitions such that groups of instances in one partition do not share the underlying hardware with groups of instances in different partitions. This strategy is typically used by large distributed and replicated workloads, such as Hadoop, Cassandra, and Kafka.
  • Placement group Spread — strictly places a small group of instances across distinct underlying hardware to reduce correlated failures.
  • There is no charge for creating a placement group.
  • Target groups for your Application Load Balancers. Each target group is used to route requests to one or more registered targets. When you create each listener rule, you specify a target group and conditions. When a rule condition is met, traffic is forwarded to the corresponding target group. You can create different target groups for different types of requests. For example, create one target group for general requests and other target groups for requests to the microservices for your application.

EC2 families are (a) General Purpose (b) Compute Optimized (c) Memory Optimized (d) Accelerated Computing (e) Storage Optimized

(a) General Purpose instances are T series, M series, A series => General Tomato Matches Apple

(b) Compute Optimized instances are C series

(c) Memory Optimized instances are R series, X series, and Z series => Memory X-men Reads Zebra

(d) Accelerated Computing instances are P series, G series, F series => Accelerated Papa Greets Friends

(e) Storage Optimized instances are I series, D series, and H series => Storage Iceman Delegates Homework

Long polling reduces the number of empty responses by allowing Amazon SQS to wait until a message is available before sending a response to a ReceiveMessage request.
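
A minimal boto3 sketch of long polling, assuming a hypothetical queue URL; WaitTimeSeconds=20 makes ReceiveMessage wait for a message instead of returning an empty response immediately.

```python
import boto3

sqs = boto3.client("sqs")
queue_url = "https://sqs.us-east-1.amazonaws.com/123456789012/my-queue"  # hypothetical queue

# Long polling: wait up to 20 seconds for a message rather than returning empty right away.
response = sqs.receive_message(
    QueueUrl=queue_url,
    MaxNumberOfMessages=10,
    WaitTimeSeconds=20,        # 0 means short polling; up to 20 seconds for long polling
    VisibilityTimeout=30,      # the default visibility timeout is 30 seconds
)

for message in response.get("Messages", []):
    print(message["Body"])
    # Delete after successful processing so the message is not redelivered.
    sqs.delete_message(QueueUrl=queue_url, ReceiptHandle=message["ReceiptHandle"])
```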

VPC

  • There are two types of VPC endpoints: interface endpoints and gateway endpoints. You should create the type of VPC endpoint required by the supported service. As a rule of thumb, most AWS services use a VPC interface endpoint, except for S3 and DynamoDB, which use a VPC gateway endpoint (see the sketch after this list).
  • VPC automatically comes with a modifiable default network ACL. By default, it allows all inbound and outbound IPv4 traffic and, if applicable, IPv6 traffic. Hence, you actually don’t need to explicitly add inbound rules to your Network ACL to allow inbound traffic, if your VPC has a default setting.
  • When you create a VPC endpoint, you can attach an endpoint policy that controls access to the service to which you are connecting. You can modify the endpoint policy attached to your endpoint and add or remove the route tables used by the endpoint. An endpoint policy does not override or replace IAM user policies or service-specific policies (such as S3 bucket policies). It is a separate policy for controlling access from the endpoint to the specified service.
  • When you launch an EC2 instance into a default VPC, AWS provides it with public and private DNS hostnames that correspond to the public IPv4 and private IPv4 addresses for the instance.
  • However, when you launch an instance into a non-default VPC, AWS provides the instance with a private DNS hostname only. A new instance gets a public DNS hostname only if the DNS resolution and DNS hostnames attributes are enabled for your VPC and the instance has a public IPv4 address.
  • So, for example, a new EC2 instance does not automatically get a public DNS hostname when the DNS resolution and DNS hostnames attributes are disabled in a newly created VPC.
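
A minimal sketch of creating a gateway endpoint for S3, assuming hypothetical VPC and route table IDs; an interface endpoint uses the same API call with VpcEndpointType="Interface" and subnet/security group parameters instead of route tables.

```python
import boto3

ec2 = boto3.client("ec2")

# Gateway endpoint: adds a route table entry so the VPC reaches S3 privately,
# without traversing an internet gateway or NAT device.
ec2.create_vpc_endpoint(
    VpcEndpointType="Gateway",
    VpcId="vpc-0123456789abcdef0",             # hypothetical VPC
    ServiceName="com.amazonaws.us-east-1.s3",
    RouteTableIds=["rtb-0123456789abcdef0"],   # hypothetical route table
)
```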

SQS

  • Amazon SQS automatically deletes messages that have been in a queue for more than the maximum message retention period. The default message retention period is 4 days. You can increase the message retention period to a maximum of 14 days using the SetQueueAttributes action.

S3

  • Server-side encryption is about data encryption at rest — that is, Amazon S3 encrypts your data at the object level as it writes it to disks in its data centers and decrypts it for you when you access it.
  • Snowball up to 100TB. Snowmobile up to 100PB.
  • AWS DataSync is primarily used to migrate existing data to Amazon S3. On the other hand, AWS Storage Gateway is more suitable if you still want to retain access to the migrated data and for ongoing updates from your on-premises file-based applications. So use AWS DataSync if the scenario requires that all of the existing records must be migrated to AWS. The future records will also be stored in AWS and not in the on-premises network. This means that setting up a hybrid cloud storage is not necessary since the on-premises storage will no longer be used.
  • Amazon FSx for Lustre integrates with S3, while Amazon FSx for Windows File Server is fully managed file storage built on Windows Server and does not offer that S3 integration.
  • Amazon FSx For Windows File Server does not have a parallel file system, unlike Lustre.
  • Amazon FSx For Lustre is a high-performance file system for fast processing of workloads. Lustre is a popular open-source parallel file system which stores data across multiple network file servers to maximize performance and reduce bottlenecks.
  • An S3 lifecycle transition from the S3 Standard storage class to STANDARD_IA or ONEZONE_IA requires objects to be at least 30 days old; transitions earlier than 30 days are not allowed. Objects can, however, transition directly from Standard to Glacier without that wait (a lifecycle configuration sketch follows this list).
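
A minimal sketch of that 30-day rule expressed as a lifecycle configuration, assuming a hypothetical bucket and a "logs/" prefix:

```python
import boto3

s3 = boto3.client("s3")

s3.put_bucket_lifecycle_configuration(
    Bucket="my-log-bucket",                               # hypothetical bucket
    LifecycleConfiguration={"Rules": [{
        "ID": "tier-down-logs",
        "Status": "Enabled",
        "Filter": {"Prefix": "logs/"},
        "Transitions": [
            {"Days": 30, "StorageClass": "STANDARD_IA"},  # earliest allowed Standard -> IA transition
            {"Days": 365, "StorageClass": "GLACIER"},     # archive after a year
        ],
    }]},
)
```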

RDS

  • A Multi-AZ Amazon RDS database runs within a single region; even with cross-region read replicas added, it is not a true multi-region setup. This database setup is not capable of providing an RPO of 1 second and an RTO of less than 1 minute, because cross-region RDS read replica replication is slower than Amazon Aurora Global Database replication.
  • When failing over, Amazon RDS simply flips the canonical name record (CNAME) for your DB instance to point at the standby, which is in turn promoted to become the new primary.
  • Multi-AZ deployments for Oracle, PostgreSQL, MySQL, and MariaDB DB instances use Amazon’s failover technology. SQL Server DB instances use SQL Server Database Mirroring (DBM).
  • Read Replica provides an asynchronous replication instead of synchronous.
  • Multi-AZ deployment, Amazon RDS automatically provisions and maintains a synchronous standby replica in a different Availability Zone.
  • MySQL and PostgreSQL both support IAM database authentication. An authentication token is a unique string of characters that Amazon RDS generates on request. Authentication tokens are generated using AWS Signature Version 4. Each token has a lifetime of 15 minutes. You don’t need to store user credentials in the database, because authentication is managed externally using IAM. So for applications running on Amazon EC2, you can use profile credentials specific to your EC2 instance to access your database instead of a password, for greater security
  • IAM database authentication is only supported in MySQL and PostgreSQL database engines. With IAM database authentication, you don’t need to use a password when you connect to a DB instance but instead, you use an authentication token.
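
A minimal sketch of IAM database authentication: generate a short-lived token and use it in place of a password. The endpoint, port, username, and region are hypothetical, and the real connection must also use SSL.

```python
import boto3

rds = boto3.client("rds", region_name="us-east-1")

# Generate a 15-minute authentication token; it is passed as the database password
# when connecting over SSL, so no password needs to be stored in the database.
token = rds.generate_db_auth_token(
    DBHostname="mydb.abcdefghijkl.us-east-1.rds.amazonaws.com",  # hypothetical endpoint
    Port=3306,
    DBUsername="app_user",                                       # user created with IAM auth enabled
)
print(token)
```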

IAM

  • Adding a new IAM policy to a new user does not grant the access keys needed to make API calls to AWS resources; access keys must be generated separately for the user.
  • Cross-account access is a feature in IAM.

ELB

  • Cross-zone load balancing is a feature of Elastic Load Balancing: it distributes traffic evenly across registered targets in all enabled Availability Zones rather than only within each zone.
  • Application Load Balancers support path-based routing, host-based routing, and support for containerized applications
  • Elastic Load Balancing provides access logs that capture detailed information about requests sent to your load balancer. Each log contains information such as the time the request was received, the client’s IP address, latencies, request paths, and server responses. You can use these access logs to analyze traffic patterns and troubleshoot issues. Access logging is an optional feature of Elastic Load Balancing that is disabled by default. After you enable access logging for your load balancer, Elastic Load Balancing captures the logs and stores them in the Amazon S3 bucket that you specify as compressed files. You can disable access logging at any time.
  • Perfect Forward Secrecy is a feature that provides additional safeguards against the eavesdropping of encrypted data, through the use of a unique random session key. This prevents the decoding of captured data, even if the secret long-term key is compromised. CloudFront and Elastic Load Balancing are the two AWS services that support Perfect Forward Secrecy.
  • You can use path conditions to define rules that forward requests to different target groups based on the URL in the request (also known as path-based routing). This is the most appropriate option when different URL paths must be served by different target groups (see the create_rule sketch after this list).
  • ELB is designed to only run in one region and not across multiple regions.
  • Load balancers distribute traffic only within their respective regions and not to other AWS regions by default.
  • ELB must be created in the corresponding subnets in the same Availability Zones as the application tier subnet.
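
A minimal sketch of path-based routing on an ALB listener, assuming hypothetical listener and target group ARNs:

```python
import boto3

elbv2 = boto3.client("elbv2")

# Forward any request whose path starts with /api/ to the API target group.
elbv2.create_rule(
    ListenerArn="arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/my-alb/abc/def",
    Priority=10,
    Conditions=[{"Field": "path-pattern", "Values": ["/api/*"]}],
    Actions=[{
        "Type": "forward",
        "TargetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/api-tg/123",
    }],
)
```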

EFS

  • EFS provides the same level of high availability and high scalability as S3; however, EFS is more suitable when a POSIX-compatible file system is required or when storing rapidly changing data.
  • The maximum age for an EFS lifecycle policy transition is 90 days since last access (it can be set anywhere up to 90 days), whereas the S3 Standard to Standard-IA transition only happens after at least 30 days (an EFS lifecycle sketch follows this list).
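
A minimal sketch of an EFS lifecycle policy that moves files not accessed for 90 days (the maximum option) into EFS Infrequent Access, assuming a hypothetical file system ID:

```python
import boto3

efs = boto3.client("efs")

efs.put_lifecycle_configuration(
    FileSystemId="fs-0123456789abcdef0",                      # hypothetical file system
    LifecyclePolicies=[{"TransitionToIA": "AFTER_90_DAYS"}],  # 90 days is the longest option
)
```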

EC2

  • When you launch a new EC2 instance, the EC2 service attempts to place the instance in such a way that all of your instances are spread out across underlying hardware to minimize correlated failures. You can use placement groups to influence the placement of a group of interdependent instances to meet the needs of your workload. Depending on the type of workload, you can create a placement group using one of the following placement strategies:
  • Cluster — packs instances close together inside an Availability Zone. This strategy enables workloads to achieve the low-latency network performance necessary for tightly-coupled node-to-node communication that is typical of HPC applications.
  • Partition — spreads your instances across logical partitions such that groups of instances in one partition do not share the underlying hardware with groups of instances in different partitions. This strategy is typically used by large distributed and replicated workloads, such as Hadoop, Cassandra, and Kafka.
  • Spread — strictly places a small group of instances across distinct underlying hardware to reduce correlated failures.
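
A minimal sketch of creating a cluster placement group and launching instances into it; the group name, AMI, and instance type are hypothetical.

```python
import boto3

ec2 = boto3.client("ec2")

# The cluster strategy packs instances close together in one AZ for low-latency HPC traffic;
# 'partition' and 'spread' are the other valid strategies.
ec2.create_placement_group(GroupName="hpc-cluster", Strategy="cluster")

ec2.run_instances(
    ImageId="ami-0123456789abcdef0",      # hypothetical AMI
    InstanceType="c5n.18xlarge",
    MinCount=2,
    MaxCount=2,
    Placement={"GroupName": "hpc-cluster"},
)
```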

EBS

  • Use Amazon Data Lifecycle Manager (Amazon DLM) to automate the creation, retention, and deletion of snapshots taken to back up your Amazon EBS volumes.
  • Snapshots of encrypted volumes are automatically encrypted.
  • All data moving between an encrypted volume and the instance is encrypted.
  • When you create an encrypted EBS volume and attach it to a supported instance type, the following types of data are encrypted: — Data at rest inside the volume — All data moving between the volume and the instance — All snapshots created from the volume — All volumes created from those snapshots
  • Snapshots occur asynchronously; the point-in-time snapshot is created immediately, but the status of the snapshot is pending until the snapshot is complete (when all of the modified blocks have been transferred to Amazon S3), which can take several hours for large initial snapshots or subsequent snapshots where many blocks have changed.

DynamoDB

  • The partition key portion of a table’s primary key determines the logical partitions in which a table’s data is stored. This in turn affects the underlying physical partitions. Provisioned I/O capacity for the table is divided evenly among these physical partitions. Therefore a partition key design that doesn’t distribute I/O requests evenly can create “hot” partitions that result in throttling and use your provisioned I/O capacity inefficiently. The optimal usage of a table’s provisioned throughput depends not only on the workload patterns of individual items, but also on the partition-key design. This doesn’t mean that you must access all partition key values to achieve an efficient throughput level, or even that the percentage of accessed partition key values must be high. It does mean that the more distinct partition key values that your workload accesses, the more those requests will be spread across the partitioned space. In general, you will use your provisioned throughput more efficiently as the ratio of partition key values accessed to the total number of partition key values increases.
  • You cannot put CloudFront in front of a DynamoDB table; the two are not integrated. To speed up reads, use DynamoDB Accelerator (DAX) instead.
  • Auto scaling is not enabled by default on a DynamoDB table created using the AWS CLI.
  • The term “fully managed” means that Amazon will manage the underlying infrastructure of the service. DynamoDB is an example.
  • DynamoDB auto scaling uses the AWS Application Auto Scaling service to dynamically adjust provisioned throughput capacity on your behalf, in response to actual traffic patterns. This enables a table or a global secondary index to increase its provisioned read and write capacity to handle sudden increases in traffic, without throttling. When the workload decreases, Application Auto Scaling decreases the throughput so that you don’t pay for unused provisioned capacity.
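
A minimal sketch of DynamoDB auto scaling via Application Auto Scaling, registering the read capacity of a hypothetical table and tracking 70% utilisation:

```python
import boto3

aas = boto3.client("application-autoscaling")

# Register the table's read capacity as a scalable target...
aas.register_scalable_target(
    ServiceNamespace="dynamodb",
    ResourceId="table/Orders",                              # hypothetical table
    ScalableDimension="dynamodb:table:ReadCapacityUnits",
    MinCapacity=5,
    MaxCapacity=500,
)

# ...then attach a target tracking policy aiming at 70% consumed read capacity.
aas.put_scaling_policy(
    PolicyName="orders-read-target-tracking",
    ServiceNamespace="dynamodb",
    ResourceId="table/Orders",
    ScalableDimension="dynamodb:table:ReadCapacityUnits",
    PolicyType="TargetTrackingScaling",
    TargetTrackingScalingPolicyConfiguration={
        "TargetValue": 70.0,
        "PredefinedMetricSpecification": {"PredefinedMetricType": "DynamoDBReadCapacityUtilization"},
    },
)
```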

CloudFront

  • CloudFront signed URLs and signed cookies provide the same basic functionality: they allow you to control who can access your content. If you want to serve private content through CloudFront and you’re trying to decide whether to use signed URLs or signed cookies, consider the following:
  • Use signed URLs for the following cases: You want to use an RTMP distribution. Signed cookies aren’t supported for RTMP distributions (Real-Time Messaging Protocol is for real-time streaming of video, audio, and data). You want to restrict access to individual files, for example, an installation download for your application. Your users are using a client (for example, a custom HTTP client) that doesn’t support cookies. (See the signed URL sketch after this list.)
  • Use signed cookies for the following cases: You want to provide access to multiple restricted files, for example, all of the files for a video in HLS format or all of the files in the subscribers’ area of a website. You don’t want to change your current URLs.
  • You can control how long your objects stay in a CloudFront cache before CloudFront forwards another request to your origin. Reducing the duration allows you to serve dynamic content. Increasing the duration means your users get better performance because your objects are more likely to be served directly from the edge cache. A longer duration also reduces the load on your origin.
  • Server Name Indication — SNI Custom SSL relies on the SNI extension of the Transport Layer Security protocol, which allows multiple domains to serve SSL traffic over the same IP address by including the hostname which the viewers are trying to connect to.
  • AWS Global Accelerator and Amazon CloudFront are separate services that use the AWS global network and its edge locations around the world. CloudFront improves performance for both cacheable content (such as images and videos) and dynamic content (such as API acceleration and dynamic site delivery). Global Accelerator improves performance for a wide range of applications over TCP or UDP by proxying packets at the edge to applications running in one or more AWS Regions. Global Accelerator is a good fit for non-HTTP use cases, such as gaming (UDP), IoT (MQTT), or Voice over IP, as well as for HTTP use cases that specifically require static IP addresses or deterministic, fast regional failover. Both services integrate with AWS Shield for DDoS protection.
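
A minimal signed URL sketch using botocore's CloudFrontSigner together with the rsa package; the key pair ID, private key file, distribution domain, and object path are hypothetical, and the corresponding public key must already be associated with the distribution as a trusted signer.

```python
from datetime import datetime, timedelta

import rsa
from botocore.signers import CloudFrontSigner


def rsa_signer(message):
    # Sign the CloudFront policy with the private key that matches the public key
    # registered with the distribution.
    with open("cloudfront_private_key.pem", "rb") as f:        # hypothetical key file
        private_key = rsa.PrivateKey.load_pkcs1(f.read())
    return rsa.sign(message, private_key, "SHA-1")


signer = CloudFrontSigner("K2JCJMDEHXQW5F", rsa_signer)        # hypothetical key pair ID

# The URL is valid for one hour; after that CloudFront rejects the request.
url = signer.generate_presigned_url(
    "https://d111111abcdef8.cloudfront.net/private/video.mp4",  # hypothetical distribution/object
    date_less_than=datetime.utcnow() + timedelta(hours=1),
)
print(url)
```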

Auto-scaling

  • Target tracking scaling — Increase or decrease the current capacity of the group based on a target value for a specific metric. This is similar to the way that your thermostat maintains the temperature of your home — you select a temperature and the thermostat does the rest.
  • Step scaling — Increase or decrease the current capacity of the group based on a set of scaling adjustments, known as step adjustments, that vary based on the size of the alarm breach.
  • Simple scaling — Increase or decrease the current capacity of the group based on a single scaling adjustment.
  • You can only specify one launch configuration for an Auto Scaling group at a time, and you can’t modify a launch configuration after you’ve created it. Therefore, if you want to change the launch configuration for an Auto Scaling group, you must create a launch configuration and then update your Auto Scaling group with the new launch configuration.

Kinesis

  • You can use Amazon Kinesis Data Firehose in conjunction with Amazon Kinesis Data Streams if you need to implement real-time processing of streaming big data. Kinesis Data Streams provides an ordering of records, as well as the ability to read and/or replay records in the same order to multiple Amazon Kinesis Applications. The Amazon Kinesis Client Library (KCL) delivers all records for a given partition key to the same record processor, making it easier to build multiple applications reading from the same Amazon Kinesis data stream (for example, to perform counting, aggregation, and filtering).
  • Amazon Kinesis is specifically for processing streaming data; it is not applicable to scenarios that do not involve streaming data (a put_record sketch follows this list).
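
A minimal sketch of writing to a Kinesis data stream; records sharing a partition key land on the same shard, which preserves ordering for that key. The stream name and payload are hypothetical.

```python
import json

import boto3

kinesis = boto3.client("kinesis")

# Records with the same partition key go to the same shard, preserving order within that key.
kinesis.put_record(
    StreamName="clickstream",                                              # hypothetical stream
    Data=json.dumps({"user": "u-123", "event": "page_view"}).encode("utf-8"),
    PartitionKey="u-123",
)
```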

Misc

  • Cross-origin resource sharing (CORS) defines a way for client web applications that are loaded in one domain to interact with resources in a different domain.
  • By default, CloudWatch doesn’t monitor memory usage but only the CPU utilization, Network utilization, Disk performance, and Disk Reads/Writes.
  • CloudWatch agent custom metrics that you can set up:
  • – Memory utilization
  • – Disk swap utilization
  • – Disk space utilization
  • – Page file utilization
  • – Log collection
  • Amazon EMR is a managed cluster platform that simplifies running big data frameworks, such as Apache Hadoop and Apache Spark, on AWS to process and analyze vast amounts of data. By using these frameworks and related open-source projects, such as Apache Hive and Apache Pig, you can process data for analytics purposes and business intelligence workloads. Additionally, you can use Amazon EMR to transform and move large amounts of data into and out of other AWS data stores and databases.
  • You can set up cross-account access for each department, but this entails a lot of configuration compared with using AWS Organizations and Service Control Policies (SCPs). Cross-account access is a more suitable choice if you only have two accounts to manage, not many accounts.
  • With Organizations, you can create groups of accounts, automate account creation, apply and manage policies for those groups. Organizations enables you to centrally manage policies across multiple accounts, without requiring custom scripts and manual processes. It allows you to create Service Control Policies (SCPs) that centrally control AWS service use across multiple AWS accounts.
  • CloudWatch Logs agent provides an automated way to send log data to CloudWatch Logs from Amazon EC2 instances
  • The CloudWatch Logs agent is comprised of the following components:
  • – A plug-in to the AWS CLI that pushes log data to CloudWatch Logs.
  • – A script (daemon) that initiates the process to push data to CloudWatch Logs.
  • – A cron job that ensures that the daemon is always running.
  • In heterogeneous database migrations the source and target databases engines are different, like in the case of Oracle to Amazon Aurora, Oracle to PostgreSQL, or Microsoft SQL Server to MySQL migrations. In this case, the schema structure, data types, and database code of source and target databases can be quite different, requiring a schema and code transformation before the data migration starts. That makes heterogeneous migrations a two step process. First use the AWS Schema Conversion Tool to convert the source schema and code to match that of the target database, and then use the AWS Database Migration Service to migrate data from the source database to the target database. All the required data type conversions will automatically be done by the AWS Database Migration Service during the migration.
  • There is no additional charge for using enhanced networking. Amazon EC2 provides enhanced networking capabilities through the Elastic Network Adapter (ENA). It supports network speeds of up to 100 Gbps for supported instance types. Elastic Network Adapters (ENAs) provide traditional IP networking features that are required to support VPC networking.
  • An Elastic Fabric Adapter (EFA) is simply an Elastic Network Adapter (ENA) with added capabilities. It provides all of the functionality of an ENA, with additional OS-bypass functionality. OS-bypass is an access model that allows HPC and machine learning applications to communicate directly with the network interface hardware to provide low-latency, reliable transport functionality. The OS-bypass capabilities of EFAs are not supported on Windows instances. If you attach an EFA to a Windows instance, the instance functions as an Elastic Network Adapter, without the added EFA capabilities.
  • AWS Systems Manager Run Command lets you remotely and securely manage the configuration of your managed instances.
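
A minimal Run Command sketch that executes a shell command on a managed instance; the instance ID and commands are hypothetical, and the instance must be running the SSM agent with an appropriate instance profile.

```python
import boto3

ssm = boto3.client("ssm")

# Run shell commands remotely without SSH, using the AWS-RunShellScript document.
response = ssm.send_command(
    InstanceIds=["i-0123456789abcdef0"],          # hypothetical managed instance
    DocumentName="AWS-RunShellScript",
    Parameters={"commands": ["uptime", "df -h"]},
)
print(response["Command"]["CommandId"])
```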

Additional Preparation
