AWS Certified Solutions Architect Associate

Table of content

  1. Table of content
  2. About the exam
  3. Learning resources
  4. Active learning
  5. Fundamentals
  6. Identity & Governance
  7. ACM (AWS Certificate Manager)
  8. Networking
  9. Compute
  10. ECS
  11. Storage
  12. Integration
  13. KMS (Key Management Service)
  14. Cloud Formation
  15. CloudWatch & Observability
  16. Tips

About the exam

https://aws.amazon.com/certification/certified-solutions-architect-associate/

Learning resources

Main resource: https://learn.cantrill.io/p/aws-certified-solutions-architect-associate-saa-c02

Practice exams (dojo): https://portal.tutorialsdojo.com/product/aws-certified-solutions-architect-associate-practice-exams/

Active learning

Basic questions for active learning. Start the session by answering all the questions and mark the answers with emojis depending on the result (see the table below).

Bolded items are either important to understand or there is high likelihood that they will appear on the exam.

Answer Status   Description
👍              You've answered correctly the first time; skip repetition for the next session
✋              You've answered the question only partially right; include the question in the next session
👎              You've answered the question wrong and had to look up the answer. Start from those questions in the next session

You can easily add emojis to markdown by typing :emojiname:

  • thumbs up: :+1:
  • thumbs down: :-1:
  • hand: :hand:

The easiest way to learn on your own is to:

  • clone this repository
  • make a copy of this file
  • use this regular expression to select and remove (replace with an empty string) all the <details> tags (they contain the answers to the questions): <(details)>(.|\n)*?</details>. Remember to toggle "use regular expressions" in the search box if you are using VS Code. If you are using vim/nvim, use this command instead: :g/<details>/,/<\/details>/d _
  • save the file as a learning session, grade yourself for answers
  • IMPORTANT: lookup in the original file if you don't know the answer at all
  • leave the files with dates of each learning session and start next session from the ones you didn't know the answers for

Fundamentals

Cloud Environment

  1. On-Demand Self Service
  2. Broad Network Access
  3. Resource Pooling (multi-tenancy)
  4. Rapid elasticity
  5. Measured Service (pay as you go)

AWS Fundamentals

  • What is the difference between public and private services?
  • Describe different types of high availability (regional, zonal, etc)

Identity & Governance

Accounts

  • An account is a container; what can it contain?
    click to see the answer
    • identities (users)
    • resources
  • What is required to create an AWS account?
    click to see the answer
    • email
    • payment method
  • How are resources grouped?
    click to see the answer

    Into accounts

  • Can the same email address be used with multiple accounts?
    click to see the answer

    No

  • Can an account root user log in to multiple accounts?

    click to see the answer

    No

  • What are the things you can create inside an account called?
    click to see the answer
    • Users
    • Groups
    • Roles
  • What is the default access mode for an account for external actors?
    click to see the answer

    Only identities created inside an account can be granted access to the resources in this account. Cross-account access is possible with IAM roles.

  • What set of permissions does a new IAM identity start with?
    Details

    click to see the answer None, every new identity starts with zero permissions until granted.

  • What are the 3 alarm states?
    click to see the answer
    • OK
    • ALARM
    • INSUFFICIENT DATA

IAM

  • How/where to allow IAM user access to billing information?

  • How is IAM resilient?

  • What identity objects does IAM let us create?

    click to see the answer
    • user
    • group
    • role
  • Does the user type represent only human users?

  • What is the necessary condition for a policy to have an effect?

  • Is IAM an authentication service as well as an identity management and authorization service?

  • How much does IAM cost?

  • Why must IAM account aliases be globally unique?

  • How many access keys can an IAM user have?

  • What variable do you set for the aws cli to designate a default profile?

    click to see the answer
    export AWS_DEFAULT_PROFILE=
  • Can an external identity be used to access AWS resources?

  • When to use an IAM role?

  • When does a principal become an authenticated identity?

  • Can you log in to an IAM group?

    click to see the answer

    No, IAM groups are for helping with organizing IAM user access to AWS resources.

  • Can IAM groups be nested?

  • Can an IAM user be a member of more than one group?

  • Can you reference an IAM Group from a resource policy?

  • What are the two types of authentication for IAM?

    click to see the answer

    Username/password or Access Keys

  • What does ARN stand for?

  • What is the ARN structure?

    click to see the answer

    arn:partition:service:region:account-id:resource-type:resource-id

  • How many IAM users can be created in an account?

    click to see the answer

    5000

  • How many IAM groups can a user be a member of?

    click to see the answer

    10

  • What does SCP stand for?

    click to see the answer

    Service Control Policies

  • How do you call a nested grouping within an organization?

    click to see the answer

    Organization Units

  • Is the root "management" account of an organization affected by SCP?

    click to see the answer

    No

  • What is the main role of an SCP?

    click to see the answer

    To limit what an account can do. Only Deny.

  • Can you attach an identity policy to someone else's account?

    click to see the answer

    No

  • What is preferable, IAM roles or IAM users?

    click to see the answer

    Always prefer IAM roles if possible.

Cognito

  • What functionality does Cognito provide?

    click to see the answer

    For web applications. This looks a bit like Okta/Auth0

    • Authentication
    • Authorization
    • User management
  • What are identity pools?

  • Can the JWT tokens be used to access AWS resources?

    click to see the answer

    No

ACM (AWS Certificate Manager)

  • What is an origin access identity (OAI)?
  • Can/Should you reuse one OAI?

TODO: pick up here

Policies

  • What are the 2 main types of policies?

    click to see the answer

    Inline, Managed

  • When to use inline policy?

    click to see the answer

    For exceptions to the managed policy.

Networking

Networking Fundamentals

  • How many layers are there in OSI model? 👍

  • What groups are OSI layers divided into? 👍

  • Does the device on a higher layer include the capabilities of the devices in layers below it? Why? 👍

  • If a network consists of 5 participants and a HUB, when participant 1 broadcasts a signal, how many participants will receive it? 👍

  • In a network with a HUB, what happens when participants transmit a broadcast at once? 👍

  • Describe on a high level frame components 👍

  • What is a backoff period? 👎

  • What does MAC stand for? :hand:

  • What layer does a switch belong to?

  • What layer does a router belong to?

  • What are the two components of an IP address?

  • How do a subnet mask and its prefix indicate which octets describe the network?

  • What does ARP stand for?

  • What is the high level structure of a TCP packet?

  • How does TCP ensure reliable packet delivery?

  • What does NAT do?

  • What is static NAT?

  • What is dynamic NAT?

  • What does PAT stand for?

  • The larger the CIDR value the .... the network.

  • Explain briefly what are network classes

    click to see the answer

    Class A through E; A is the biggest, D and E are reserved. Important note: network classes have been replaced by CIDR.

    • Class A: 10.0.0.0 - 10.255.255.255 - single network
    • Class B: 172.16.0.0 - 172.19.255.255 - 16 networks (this is also the default VPC range)
    • Class C: 192.168.0.0 - 192.168.255.0 - 256 networks

  • Explain what are CIDR networks and how to calculate CIDR

    click to see the answer

    • /16 networks have a fixed value in the first and second octet
    • To create two networks from 10.0.0.0/16, split it into two /17 networks (10.0.0.0/17 and 10.0.128.0/17) by halving the range of the third and fourth octets.

  • What CIDR represents all IP addresses

    click to see the answer

    0.0.0.0/0

  • What CIDR represents 1 IP address

    click to see the answer

    1.2.3.4/32

VPC

  • How many default VPCs per region/per account are there?

    click to see the answer

    1

  • What are the CIDR limits for AWS VPC

    click to see the answer

    • minimum /28
    • maximum /16

  • Can you launch an AWS service directly into a VPC?

    click to see the answer

    No, services use subnets to be launched from

  • What is a good default number of VPC subnets and why?

    click to see the answer
    • 4 is a good number because it will cover most of the AZs.
    • A /16 network subdivided into 16 subnets gives 16 subnets of CIDR size /20 - 4091 usable IPs per subnet (4096 addresses minus the 5 reserved)
  • What is the level of isolation & resiliency for a VPC?

    click to see the answer

    Regional

  • What is the default setting for incoming and outgoing traffic in a VPC?

    click to see the answer

    IN and OUT traffic is blocked by default

  • What are the VPC's tenancy models?

    click to see the answer
    • Default - shared hardware
    • Dedicated tenancy - dedicated hardware
      • Comes with a cost premium and all resources also must be on the dedicated hardware
  • What settings to use to enable DNS hostnames for entities with public IP addresses in a VPC and switch on DNS support?

    click to see the answer
    • enableDnsHostnames
    • enableDnsSupport
  • What is the subnet resiliency level?

    click to see the answer

    AZ resilient

  • Can a subnet be in multiple AZs?

    click to see the answer

    No

  • Can the subnet be moved into another AZ?

    click to see the answer

    No

  • Can a subnet overlap with other subnets?

    click to see the answer

    No

  • Can you use all the available IP addresses in a subnet?

    click to see the answer

    No, there are 5 that are reserved.

    • first address cannot be used (network address)
    • second address cannot be used (used by the VPC router)
    • third address cannot be used (used for DNS)
    • fourth address cannot be used (reserved for future use)
    • last IP address cannot be used (broadcast address)
  • Are there any charges for creating VPCs and Subnets?

    click to see the answer

    No

  • How do you get a VPC router into your VPC?

    click to see the answer

    VPC router is a global service available by default in every VPC, so no need to configure anything.

  • What is the role of the VPC router?

    click to see the answer

    It routes traffic between subnets of a VPC

  • How many route tables can a subnet have associated with it?

    click to see the answer

    1

  • What does the route table control?

    click to see the answer

    The route table controls the destination of the data leaving the subnet. It can be within a subnet or a gateway address.

  • What is the resiliency mode of an internet gateway?

    click to see the answer

    Regionally resilient

  • How many IGW can a VPC have?

    click to see the answer

    0 or 1

  • What happens if a VPC has an IGW?

    click to see the answer

    This VPC is publicly available.

  • List actions required to make a subnet public

    click to see the answer
    1. Create IGW
    2. Attach IGW to the VPC
    3. Create a custom route table
    4. Associate the route table with the VPC
    5. Configure default routes in the route table to point to IGW
    6. Configure VPC to auto-allocate IPv4 and optionally IPv6 addresses within the subnet
  • Where is the public IP of a service (for example EC2) running in a VPC maintained?

    click to see the answer

    In the IGW, NOT in the VPC where the service is located

  • What does NACL stand for?

    click to see the answer

    Network Access Control List. Works similarly to an Azure security group. Rules are evaluated in order; once a rule matches, evaluation stops.

  • Is Security Group stateless or stateful?

    click to see the answer

    Stateful. Security group is more like Azure private endpoint.

  • What is the implicit setting for a security group?

    click to see the answer

    Implicit deny - everything is denied by default and only things you allow are allowed.

  • In a security group is traffic and response separate?

    click to see the answer

    No, a security group is stateful, so traffic and response to it is covered by the same rule.

  • Why would you use NACL in combination with an SG?

    click to see the answer

    NACL allows for adding an explicit DENY rule

  • If the traffic is not crossing the boundary of a subnet, would you use NACL or SG?

    click to see the answer

    Use SG, NACL has no effect within subnet

  • What does IP masquerading do?

    click to see the answer

    Hides whole private CIDR IP block behind a single public IP

  • What is the resiliency level of a NAT Gateway?

    click to see the answer

    AZ

  • Does a NAT Gateway work with IPv6?

    click to see the answer

    No

  • What SSH option is used to connect securely to a Bastion server?

    click to see the answer

    SSH Agent Forwarding

    ssh -A

  • What are points of failure for VPN site-to-site connection?

    click to see the answer
    @startuml vpn-site-to-site
    box "AWS VPC"
    participant "VPC router" as router
    end box
    box "AWS Public Zone"
    participant "Virtual Private Gateway" as vgw
    participant "VPN endpoint 1" as ep1
    participant "VPN endpoint 2" as ep2
    end box
    box "Public Internet / On prem"
    participant "Customer Gateway" as cgw
    participant "On prem router" as onprem
    end box
    router -> vgw : traffic for the on-prem CIDR
    vgw -> ep1 : tunnel 1
    vgw -> ep2 : tunnel 2
    ep1 -> cgw : over the public internet
    ep2 -> cgw : over the public internet
    cgw -> onprem
    note over cgw : a single customer gateway is the point of failure on the customer side
    @enduml
  • What are VPC flow logs?

  • Do VPC flow logs capture metadata or contents of a request?

    click to see the answer

    Only metadata

VPC Peering

  • Can you peer more than one VPC together?
    click to see the answer

    No

Route 53

  • What is the difference between a hosted zone and a hosted zone group?
  • Which DNS record points to IPv6 address?
  • What is the difference between a CNAME and an ALIAS?
    click to see the answer
    • CNAME maps a name to another name in the same domain (naked domain)
    • ALIAS maps a name to AWS resource - default for the exam. AWS specific implementation
  • What does CNAME stand for?
  • Can CNAMEs point to an IP address?
  • How many DNS root servers exist?
    click to see the answer

    13

Public Hosted Zones

  • What are R53 public hosted zones?
  • How many name servers does R53 allocate?
  • What records to use to point at the hosted name servers?
  • What is the DNS resolver address for an instance in a VPC?

    click to see the answer

    The VPC+2 IP (the base address of the VPC CIDR plus 2)

Private Hosted Zones

  • Can you access the zone in the VPC?
  • How to run an intranet and a public facing web page on the same DNS name?

    click to see the answer

    Split-View

Routing Types

  • What is simple routing?

  • What are health checkers?

  • Can health checks be performed on targets outside of AWS resources?

  • What protocols are supported by health checkers?

  • What checks are supported?

    click to see the answer

    Endpoint, CloudWatch Alarm, Checks of Checks

  • What is failover routing?

  • What is a multivalue routing

    click to see the answer

    • Can create many records with the same name
    • Up to 8 healthy records are returned to the client
    • Improves availability

  • What is a weighted routing

  • What is the weight formula

    click to see the answer

    Record weight divided by the total weight of all records with that name (e.g. each of 3 records). Use when you want to control the distribution of DNS queries.

  • When to use latency based routing

  • When to use geo-location based routing

    click to see the answer

    It returns relevant locations only, NOT based on geo-proximity

  • When to use geo-proximity routing?

  • What is a geo-proximity bias?

    click to see the answer

    Expands or shrinks the location of the routing zone

  • What is the difference between Route 53 routing policies and load balancing?

    click to see the answer

    A load balancer actually routes traffic to the backend services, whereas DNS routing only returns a DNS answer telling the client where to connect.

Registering a domain

  • What are different scenarios for registering a domain

    click to see the answer
    • Registrar and Public DNS Hosting role
      @startuml domain-registration-registrar-and-hosting
      !theme materia-outline
      actor Developer as user
      participant "Route53\nRegistrar Role" as r53_registrar
      participant "Route53\nDNS Hosting Role" as r53_dns_hosting
      participant "TLD Server for *.domain" as tld_server
      user -> r53_registrar : Requests domain registration\nand pays 1 time fee
      r53_registrar -> r53_dns_hosting : Requests creation of public hosted zone
      r53_dns_hosting --> r53_registrar : 4x Name Servers
      r53_registrar -> tld_server : Passes the Name Servers
      tld_server -> tld_server : Creates entries\nfor the Name Servers
      tld_server -> r53_dns_hosting : Points to 4 NS Servers in Public Hosted Zone
      @enduml
    • Hosting only role
      @startuml domain-registration-third-party-hosting
      !theme materia-outline
      actor Developer as user
      participant "Route53\nRegistrar Role" as r53_registrar
      participant "3rd Party Domain Hosting" as third_party_hosting
      participant "TLD Server for *.domain" as tld_server
      user -> r53_registrar : Requests domain registration\nand pays 1 time fee
      r53_registrar -> third_party_hosting : Requests creation of public hosted zone
      third_party_hosting --> r53_registrar : 4x Name Servers
      r53_registrar -> tld_server : Passes the Name Servers
      tld_server -> tld_server : Creates entries\nfor the Name Servers
      tld_server -> third_party_hosting : Points to 4 NS Servers in Public Hosted Zone
      @enduml

Load Balancers

  • What is LCU?

  • How is a load balancer priced?

  • Describe briefly ALB architecture

  • How many load balancing nodes does ALB have as a minimum?

  • What is the default distribution algorithm?

  • What is cross zone load balancing?

  • What is a listener configuration?

  • What types of load balancers are there?

    click to see the answer
    • A(pplication)LB
    • N(etwork)LB
    • C(lassic)LB
  • How can load balancer handle SSL offloading?

    click to see the answer
    • Bridging - the client connection is terminated on the ELB. A second HTTPS connection is created to the target instances, so the EC2 instances also need a copy of the same certificate
    • Pass-through - encryption is maintained end to end between the client and the instance. Listener is configured for TCP.
    • Offload - the connection is terminated on the ELB and backend connections use plain HTTP
  • What is session stickiness?

  • How does a load balancer enable session stickiness?

    click to see the answer

    Cookie, 1 s to 7 days. It is generally better to use stateless servers and host the state somewhere else, either in a database or on the client side in the case of a SPA.

Application Load Balancer (ALB)

  • What layer is ALB on?
    click to see the answer

    7

  • What makes ALB internet facing?
    click to see the answer

    Presence of a public IP

Network Load Balancer (NLB)

  • What layer is NLB on?
  • Is NLB a performance-oriented load balancer?

Gateway Load Balancer

  • What is the use case for a gateway load balancer?

    click to see the answer

    Load balances between multiple security appliances

  • What are 2 components of a GWLB?

    click to see the answer

    • GWLB endpoints
    • GWLB instances

  • What protocol is used by GWLB?

    click to see the answer

    GENEVE

  • How does a GWLB endpoint integrate with the existing VPC traffic?

    click to see the answer

    It is added to a route table as the next hop for the traffic

Cloud Front

  • What does CDN stand for?

Global Accelerator

  • What are anycast IP addresses?

Compute

RDS

  • What are some of the downsides of putting a database on an EC2 instance?

  • What is an RDS Instance?

  • Can you connect to RDS instance using IP?

    click to see the answer

    No, you have to use the CNAME DNS record

  • What is the resiliency level of an RDS instance?

    click to see the answer

    AZ, also storage (EBS)

  • Explain pricing model of RDS

    click to see the answer

    Allocated GB/month; additional storage charges if applicable

  • Can you reuse a security group with RDS?

    click to see the answer

    Yes

  • Why do we need to configure subnet groups when provisioning an RDS database instance?

  • Is the multi AZ feature available in the free tier?

    click to see the answer

    No

  • Can the standby replica be accessed directly?

    click to see the answer

    No, it's just an availability improvement.

  • What is synchronous Replication

    click to see the answer

    Multi AZ, same AWS region

RDS Backup & Restore

  • What are RTO and RPO?

    click to see the answer

    • RP(oint)O - time between the last working backup and the data loss event
    • RT(ime)O - time between the data loss event and full recovery

  • Do manual snapshots expire?

    click to see the answer

    No

  • What are transaction logs?

    click to see the answer

    Stored every 5 minutes (lowers RPO)

  • Do automated backups expire?

    click to see the answer

    Yes, you can set up to 35 days.

  • How does the restore process work?

    click to see the answer

    Backups are restored from the closest snapshot (from S3) and then the transaction logs are replayed on top of the backup. Restoring snapshots can take a long time.

  • Can read replicas be created in different regions?

    click to see the answer

    Yes

  • How many read replicas can you have per RDS DB Instance?

    click to see the answer

    5

  • Why do read replicas matter?

    click to see the answer
    • Improved performance
    • Makes CQRS pattern possible
    • Use read only data in different regions to improve access performance
    • In case of a failure, read replica can be promoted to read-write database. This is only useful for database failures, not data corruption

Data Security

  • How is encryption at rest supported?
    click to see the answer

    Handled by the host

    • EBS Volume Encryption
    • KMS
    • TDE: Only MS SQL and Oracle

EC2

  • 👍 What does EC2 stand for?

    click to see the answer

    Elastic Compute 2

  • Is EC2 going to fail when an AZ (zone) fails?

  • 👍 Are you still getting charged when EC2 instance is stopped? If yes for what component?

    click to see the answer

    Yes, for storage

  • 👍 Is deleting an EC2 instance a reversible operation?

    click to see the answer

    No

  • What does AMI stand for?

  • What kinds of permissions are on the AMI?

  • What port number does the RDP service run on?

    click to see the answer

    3389

  • How many times can you download the private key for a Linux EC2 instance?

  • Can a single security group apply to multiple EC2 instances?

  • What is the resiliency model of EC2

    click to see the answer

    AZ, all things connected to EC2, like networking or storage run in the same AZ.

  • After restarting EC2 instance, will it move to another random host?

    click to see the answer

    No, after restarting the EC2 instance boots up on the same host.

  • What are the two conditions under which the instance can be relocated to another EC2 host?

    click to see the answer

    Host taken down for maintenance by AWS; EC2 instance stopped and started (not just restarted)

  • What are the 5 EC2 instance types

    click to see the answer
    1. General Purpose
    2. Compute optimized - ML, Games, HPC
    3. Memory optimized - some databases
    4. Accelerated computing - custom programmable hardware
    5. Storage optimized - transactional databases, data warehouses, data analytics
    EC2 Instance Types:
    https://aws.amazon.com/ec2/instance-types/
    https://instances.vantage.sh/
  • Explain storage types that can be attached to EC2

    click to see the answer

    • Directly attached (hardware)
    • Network attached

  • Explain key differences between Block, Volume and Object Storage

  • Can you attach EBS storage between availability zones?

    click to see the answer
    No
  • What mechanism can be used to create snapshots of EBS volumes between AZs?

    click to see the answer

    S3 replication

  • What are 2 volume types available?

    click to see the answer
    • GP2
    • GP3
  • What is an IO Credit and how big is it?

    click to see the answer

    An IO Credit is a single chunk of data and is 16 KB in size

  • What is an IOPS?

    click to see the answer

    1 IOPS is 1 IO Credit in 1 second

  • What EBS drives are designed for max performance?

  • What are 2 types of HDD drives?

    click to see the answer
    • ST1 - throughput optimized
    • SC1 - cold
  • What are Instances Store Volumes?

    click to see the answer
    • Block Storage Devices
    • Physically connected to one EC2 Host
    • Highest storage performance
    • Included in the instance price
    • Need to be attached at launch time
  • When to choose EBS vs Instance Store Volumes

  • How does incremental copy work in EBS snapshots (stored in S3)?

    click to see the answer
    1. Full data is copied
    2. Following snapshots are incremental
  • What happens when an incremental snapshot is deleted?

    click to see the answer

    All prior snapshots are still kept safely

  • Explain what it means that a volume restored from an EBS snapshot restores lazily

    click to see the answer

    Data is fetched gradually.

    To remedy it, use FSR (Fast Snapshot Restore). You can also force this manually using dd for example

  • How many FSRs can you have per region?

    click to see the answer

    50

  • How does snapshot pricing work?

    click to see the answer

    Gigabyte-month, paid only for used data

  • Can EC2 network interfaces be in different AZs?

    click to see the answer

    No

  • What does AMI stand for?

    click to see the answer

    Amazon Machine Image

  • Are AMIs global?

    click to see the answer

    No, each region will have their own AMI for a given image. AMI in a given region will work only in this region.

  • Explain briefly lifecycle of AMI

    click to see the answer
    1. Launch
    2. Configure - this also includes volumes
    3. Create Image
    4. Launch
  • What is "AMI baking"?

    click to see the answer

    It is a process of creating an AMI from an EC2 instance with all the dependencies and applications pre-installed.

  • Can AMI be edited/updated?

    click to see the answer

    No

  • What are you paying for when using an AMI?

    click to see the answer

    You are billed for using EBS snapshots. Remember, snapshots are charged by space actually used by data not allocated.

  • What is EC2 Instance Metadata?

    click to see the answer

    Data about the runtime environment of the instance

  • What IP do you need to access to see the Instance Metadata information?

    click to see the answer

    http://169.254.169.254/latest/meta-data/

  • Is the metadata service encrypted?

    click to see the answer

    No

  • Does the metadata service require authentication?

    click to see the answer

    No (IMDSv1). IMDSv2 requires a session token obtained with a PUT request before metadata can be read.

  • How to access user data for EC2 build automation?

    click to see the answer
  • What metric measures how much time does it take to get a service in a ready state?

    click to see the answer

    Boot-Time-To-Service-Time

  • What is an instance profile?

    click to see the answer

    It is a wrapper around an IAM role and is attached to an EC2 instance. Credentials are automatically renewed.

  • Can you use parameter store to store secrets?

    click to see the answer

    Yes, it also supports versioning. Any changes to parameters can trigger events.

    You can also establish hierarchy by adding / in the name.

  • What types of parameters can be stored in PS?

    click to see the answer
    • Strings
    • StringLists
    • SecureStrings
  • How to capture logs inside of an EC2 instance?

    click to see the answer

    Install CloudWatch agent

  • What technology is used in enhanced networking?

    click to see the answer

    SR-IOV - logical cards, higher PPS, better bandwidth. Most EC2 instance types have this available by default.

  • What is launch configuration and launch template?

  • Are launch configurations editable?

    click to see the answer

    No

Auto Scaling Groups

  • Where are auto scaling groups defined?

  • What are the 3 characteristics of an auto scaling group?

    click to see the answer
    • Minimum
    • Desired - will always be set
    • Maximum
  • Are auto scaling groups regional?

    click to see the answer

    Auto scaling group will try to provision an EC2 instance in a different AZ.

  • What are scaling policies?

  • What are sub types of dynamic scaling?

    click to see the answer
    • Simple
    • Stepped - almost always preferred
    • Target tracking

ECS

  • What modes does ECS run in?

    click to see the answer
    • Fargate:
      • Infra is abstracted away
      • Hosted on shared platform
      • Each task and service is injected into your VPC
      • Only pay for use as containers run
      • Use for small or burst style workloads, batch, periodic
    • EC2
      • Created inside a VPC
      • Uses ASG for EC2 instances scaling
      • You manage the instances
      • Good if you want to manage infra
  • What is task?

    click to see the answer

    Container for containers (same as ACI group) - self contained app

  • What is task role?

    click to see the answer

    It is an IAM role that the task can assume to gain the credentials to interact with AWS resources

  • What is service definition?

    click to see the answer

    Defines task scalability and HA options.

  • What are the main ECS concepts

    click to see the answer
    (diagram: ECS concepts)

Lambda

  • What resource can you allocate to lambda? 👍

    click to see the answer

    Memory

  • What is the execution time limit on a lambda function? 👍

    click to see the answer

    15 min

  • What are CloudWatch Events and EventBridge?

  • What is Lambda edge?

  • What languages does Lambda@Edge support?

    click to see the answer
    • Python
    • Node.js

Storage

S3

  • What are the 2 constituent parts of S3 object?

  • What is the size limit of a single object?

  • Are buckets regional?

  • Does a bucket name have to be globally unique?

  • How many objects can be stored in 1 bucket?

  • Can objects be nested in the bucket?

  • How can you simulate a folder name in a bucket?

  • What is another name that folders are referred to as?

  • What are the naming rules for a bucket?

    click to see the answer
  • How many buckets can you have in an account?

    click to see the answer

    100 soft limit, 1000 hard limit

  • Can you mount an S3 bucket like block storage?

  • Are S3 buckets public by default?

    click to see the answer

    No

  • What is the difference between S3 resource policy and identity policy?

  • What is an anonymous principal?

    click to see the answer

    A principal that is not authenticated against AWS

  • How many policies can there be assigned to an S3 bucket?

    click to see the answer

    1

  • What name requirement is there in an S3 bucket when you want to use it as static page hosting with a custom domain?

  • What field is used to identify a version of an object?

    click to see the answer

    Id

  • How to fully delete a versioned object?

    click to see the answer

    By specifying its version in the delete command

  • What is MFA delete

  • What does SSE-C stand for?

    click to see the answer

    Server-Side Encryption with Customer-Provided Keys. S3 encrypts data with keys provided by the customer. The key is discarded after encryption; only a hash of the key is stored.

  • What are the benefits of SSE-C model?

    click to see the answer

    Save on CPU, more control over the encryption process (you hold the keys).

  • What does SSE-S3 stand for?

    click to see the answer

    Server-Side Encryption with Amazon S3-Managed Keys. S3 creates a master key and a separate key for each object. The object is encrypted with the object key, the object key is encrypted with the master key, and the plaintext object key is discarded. What is stored is the encrypted object and the encrypted object key; the master key stays with S3.

  • What are the benefits of SSE-S3 model?

    click to see the answer

    Key are managed by AWS, very low admin overhead.

  • What algorithm does SSE-S3 use by default?

    click to see the answer

    AES256

  • What does SSE-KMS stand for?

    click to see the answer

    Server-Side Encryption with Customer-Managed Keys stored in AWS Key Management Service (KMS).

  • What are the benefits of SSE-KMS model?

    click to see the answer

    Someone else can manage the KMS, role separation. Key rotation control.