Services - Management and Governance Flashcards

(30 cards)

1
Q

Auto Scaling - Characteristics

A
  • Monitors applications and automatically adjusts capacity to maintain steady, predictable performance at the lowest possible cost
  • There’s no charge for using this service
  • From a single UI you can configure automatic scaling policies for multiple resources, such as:
    • EC2 instances and Spot Fleets
    • ECS tasks
    • DynamoDB tables and global secondary indexes
    • Aurora Replicas
  • You can also choose to auto-scale an application defined in a CloudFormation stack or in Elastic Beanstalk
2
Q

Auto Scaling - Steps for CloudFormation application

A
  1. Select the CloudFormation stack used for your application
  2. Auto Scaling identifies the supported resource types that can be scaled
  3. Create and review a scaling plan, which is a unit that consists of several resource items
  4. Select a scaling strategy: scale for availability, for cost savings, or for a balance of both
  5. Based on the scaling strategy, Auto Scaling creates the target tracking scaling policies for each resource
3
Q

Auto Scaling - Scaling recommendations

A
  • Based on the most popular scaling metrics and thresholds used for auto scaling
  • It also calculates the minimum and maximum limits between which your resources will scale. At any time you can quickly gauge the minimum / maximum performance and cost of your environment
4
Q

Auto Scaling - Scaling strategies

A
  • Availability strategy: a low resource utilization target is used to ensure there is capacity to absorb spikes in demand
  • Balance strategy: a moderate resource utilization target is used to provide high availability and reduce costs
  • Cost strategy: a high resource utilization target is used to optimize usage and reduce costs
  • Custom strategy: can set your own target resource utilization with your own values
5
Q

Auto Scaling - Target tracking scaling policies

A
  • Lets you select a metric and set a target value. It then creates and manages the CloudWatch alarms that trigger the scaling policy and calculates the scaling adjustment based on the metric and the target value
  • Adds / removes capacity as required to keep the metric at or close to the specified target value
  • It also self-optimizes to adjust to changes in the metric caused by a changing load pattern, which reduces fluctuations in the capacity of that target
6
Q

Auto Scaling - EC2 scaling options

A
  • Maintain current instance levels at all times: a periodic health check is performed on running instances. When there’s an unhealthy instance, it’s terminated and a new one is created
  • Scale manually: when you specify only the minimum, maximum, or desired capacity of your Auto Scaling group
  • Scale based on a schedule: scaling actions are performed automatically as a function of time and date. Useful when you know when to increase or decrease the number of instances
  • Scale based on demand: dynamic scaling lets you define a scaling policy that dynamically resizes your Auto Scaling group to meet changes in demand
  • Predictive scaling: when you want to increase instances in advance of daily and weekly patterns in traffic flows
7
Q

Auto Scaling - EC2 auto scaling group characteristics

A
  • Can schedule scaling to increase / decrease capacity at preset times
  • Cooldown period, measured in seconds, is a setting that ensures that the Auto Scaling group doesn’t launch or terminate additional instances before the previous scaling activity takes effect
  • Lifecycle hooks allow you to put instances that are about to be terminated into a wait state, during which you can perform custom activities. The default wait period is 1 hour
  • Termination policy allows you to specify which instances to terminate first during scale-in
8
Q

Backup - Characteristics 1

A
  • It’s a managed service that centralizes and automates data protection across AWS services, in the cloud, and on-premises
  • Supports automatic backups, centralized backup monitoring, and backup retention for as long as backups are needed
  • Supports cross-region backups, cross-account management and cross-account backups
  • Pay only for the amount of backup storage used and the amount of backup restored per month
9
Q

Backup - Characteristics 2

A
  • Integrates with CloudTrail to record activity logs, and with SNS for notification delivery
  • Uses backup vaults, which offer encryption and resource-based access policies to define who has access to them
  • Supports encryption of backup data, in addition to the encryption of the resources being backed up
  • Some AWS resources support incremental backups. A full backup is performed only the first time
10
Q

Backup - Policy-based backups

A
  • Can create backup policies, known as backup plans, to define backup requirements
  • Can create separate backup plans to meet business and regulatory compliance requirements
11
Q

Backup - Supported resources

A
  • FSx
  • EFS, EBS
  • RDS databases, Aurora clusters, DynamoDB tables
  • EC2 instances
  • Storage Gateway volumes
12
Q

Config - Characteristics

A
  • It’s a managed service that enables you to assess, audit, and evaluate the configurations of your AWS resources
  • Continuously monitors and records your resource configuration
  • Payment is based on the number of configuration items recorded, number of active AWS Config rule evaluations, and number of conformance pack evaluations in your account
  • Can also be used to discover existing resources
  • Can help to troubleshoot operational issues by identifying recent configuration changes
13
Q

Config - How it works

A
  1. A configuration change occurs in any AWS resource
  2. Config records and normalizes changes in a consistent format
  3. Change history and snapshot files are delivered to an S3 bucket and can be accessed through the Config API; alerts are optionally generated using SNS or EventBridge
  4. (Optional) Config automatically evaluates recorded configurations against desired configurations
  5. (Optional) Evaluations are displayed on a dashboard, accessed through Config API, and optionally sent via SNS
14
Q

Config - Rules

A
  • Allow you to check whether a change to a resource configuration meets a desired configuration
  • Rule types:
    • AWS-managed config rules: defined by AWS
    • Customer-managed config rules: authored by a customer or an AWS Partner using Lambda. Examples: INSTANCES_IN_VPC (Do all EC2 instances belong to a VPC?), ENCRYPTED_VOLUMES (Are all attached EBS volumes encrypted?)
15
Q

EventBridge - Characteristics 1

A
  • A serverless event bus service that can connect your applications with data from a variety of sources. Formerly known as CloudWatch Events
  • Delivers a stream of real-time data from applications, SaaS applications, and AWS services to targets such as Lambda, API destinations, or event buses in other AWS accounts
  • Pay for events published on the event bus, events ingested for Schema Discovery, and for Event Replay
16
Q

EventBridge - Characteristics 2

A
  • API destinations are HTTP endpoints that can be set as the target of a rule, in the same way that event data can be set to an AWS service or resource
  • Events can be archived and then replayed from the archive at a later time
17
Q

EventBridge - How it works

A
  • An event bus, event patterns, and rules must be defined first. An event bus is a pipeline that receives events. When an event arrives, the bus applies a rule to route it to a specific target
  • Event patterns have the same structure as the events they match
  • Rules use event patterns or a schedule to select events and send them to targets
  • All events are associated with an event bus. Rules are tied to a single event bus
18
Q

EventBridge - Schema

A
  • Defines the structure of events that are sent to EventBridge
  • EventBridge provides schemas for all events that are generated by AWS services
  • Schemas can also be created, uploaded, or inferred directly from events
  • Schema registries collect and organize schemas
19
Q

Organizations - Characteristics

A
  • It’s an account management service that enables you to consolidate multiple AWS accounts into an organization that you create and centrally manage
  • Includes consolidated billing capabilities to better meet your budgetary, security, and compliance needs
  • It’s offered at no additional charge
20
Q

Organizations - Terminology

A
  • Root: parent container of all accounts
  • Organizational Unit (OU): a container for accounts within a root. Can contain other OUs
  • Account: a standard AWS account. It’s not the same as a “user account”; it typically contains many users and roles
  • Invitation: the process of asking an account to join the organization
  • Policies: allow you to apply additional types of management to the AWS accounts in your organization
21
Q

Organizations - Account types

A
  • Management account:
    • The account that creates the organization. Can’t be changed
    • Manages invitations. Invites or removes accounts. It’s the payer account
    • Applies policies to entities (roots, OUs, and accounts)
  • Member account:
    • The rest of the accounts
    • Can be a member of only one organization at a time
22
Q

Organizations - Policy types

A
  • Authorization policies, or Service Control Policies (SCPs): help to centrally manage the security of AWS accounts
    • An SCP is also needed, in conjunction with an IAM policy, to grant / deny permission to a resource
    • Any account has only those permissions allowed / denied by every parent above it, even if SCPs / IAM policies in the upper parents allow / deny those permissions
  • Management policies: help to centrally configure and manage AWS services and their features. There are three subtypes:
    • AI service opt-out policies: control data collection for AWS AI services
    • Backup policies: centrally manage and apply backup plans to AWS resources
    • Tag policies: standardize the tags attached to AWS resources
23
Q

Resource Access Manager - Characteristics

A
  • It helps you securely share AWS resources across AWS accounts
  • Can share within your organization or OUs
  • There’s no additional pricing for this service
  • Can also share with IAM roles and IAM users, but only for specific resource types
  • Eliminates the need to provision duplicate resources in every account
24
Q

Resource Access Manager - Shareable resources

A
  • Aurora clusters
  • EC2 capacity reservations and dedicated hosts
  • S3 on Outposts
  • Resource groups
  • Route 53 rules
  • Prefix lists, subnets, transit gateways
  • License Manager license configurations
25
Q

Systems Manager - Characteristics 1

A
  • It allows you to view operational data from multiple AWS services and automate operational tasks across AWS resources (your infrastructure)
  • Formerly Amazon Simple Systems Manager (SSM) and Amazon EC2 Systems Manager (SSM)
  • Some capabilities charge fees based on the functionality they offer, such as OpsCenter, AppConfig, Incident Manager, and others
  • Systems Manager Parameter Store provides secure, hierarchical storage for configuration data management and secrets management. Can store passwords, database strings, AMI IDs, and license codes as parameter values
26
Q

Systems Manager - Characteristics 2

A
  • A managed instance is a machine configured for use with Systems Manager
  • Helps you maintain security and compliance by scanning managed instances and reporting on (or taking corrective action on) any policy violations it detects
  • Can associate AWS resources by applying the same identifying resource tag, and can view operational data of these resources as a resource group
27
Q

Systems Manager - Supported machine types for managed instances

A
  • EC2 instances
  • On-premises servers
  • VMs
28
Q

Systems Manager - Capabilities 1

A
  • Quick setup: to configure frequently used AWS services and features with recommended best practices
  • Operations management: to manage AWS resources. Includes Incident Manager, Explorer, OpsCenter, and CloudWatch Dashboards capabilities
  • Application management: to manage applications running in AWS. Includes Application Manager, Resource Groups, and AppConfig capabilities
29
Q

Systems Manager - Capabilities 2

A
  • Change management: to manage taking action on, or changing, your AWS resources. Includes Change Manager, Automation, and Change Calendar
  • Node management: to help when managing EC2 instances, on-premises servers, VMs, and other types of AWS resources (nodes)
  • Shared resources: includes the Documents capability, which defines the actions that Systems Manager performs
30
Q

Systems Manager - SSM Agent

A
  • It’s Amazon software that must be installed on each instance to be managed by Systems Manager
  • Allows Systems Manager to update, manage, and configure resources
  • Processes requests from Systems Manager in the AWS cloud, then sends status and execution information back to Systems Manager