Solution Architect Associate 2021 Flashcards

(210 cards)

1
Q

What are four key services for Compute?

A

EC2
Elastic Beanstalk
Lambda
Lightsail

2
Q

What are five key services for Storage?

A
S3
EBS
EFS
FSx
Storage Gateway
3
Q

What are three key services for Databases?

A

DynamoDB
Redshift
RDS

4
Q

What are five key services for Networking?

A
API Gateway
Direct Connect
Global Accelerator
Route 53
VPCs
5
Q

What’s a Region?

A

A physical location in the world that consists of two or more Availability Zones (AZs).

6
Q

What’s an Availability Zone?

A

One or more discrete data centers housed in separate facilities

7
Q

What’s an Edge Location?

A

Endpoints for caching content, usually CloudFront CDN.

8
Q

Name the three IAM Policy Statement options

A

Effect
Action
Resource
(Resource-based policies also require a Principal; a Condition block is optional in any statement)

9
Q

How big can files in S3 be?

A

5 TB

10
Q

What does the S3 key-value pair represent?

A

Object name - object binary

11
Q

Name the six S3 storage classes

A
Standard
Standard-Infrequent Access (Standard-IA)
One Zone-IA
Glacier
Glacier Deep Archive
Intelligent-Tiering
12
Q

What is S3 Object Lock?

A

The ability to store objects with a write-once, read-many (WORM) model

13
Q

What are the two S3 Object Lock modes?

A

Governance mode: users can't overwrite/delete object versions or alter lock settings unless they hold the special permission (s3:BypassGovernanceRetention)

Compliance mode: nobody can overwrite/delete a locked object version for the duration of its retention period, including the root user of the account

14
Q

What is S3 Glacier Vault Lock?

A

A policy that locks an S3 Glacier vault’s compliance controls that can no longer be edited once set

15
Q

How many S3 object GET requests can there be per second per prefix (folder)?

A

5,500 GET/HEAD requests per second per prefix (and 3,500 PUT/COPY/POST/DELETE); there is no limit on the number of prefixes in a bucket, so spreading keys across prefixes scales read throughput

16
Q

What are the three S3 SSE-KMS requests/second limit quotas?

A

5,500
10,000
30,000
(requests per second, depending on the Region)

17
Q

What files sizes should and must use multipart uploads to S3?

A

100+ MB should use multipart upload

5+ GB must use multipart upload (a single PUT is limited to 5 GB; an object can be up to 5 TB)

18
Q

What’s S3 Replication?

A

Automatic, asynchronous copying of objects from one bucket to another, within a Region (Same-Region Replication) or across Regions (Cross-Region Replication); versioning must be enabled on both the source and destination buckets

19
Q

What are the four EC2 pricing options?

A

On-Demand
Spot
Reserved
Dedicated Hosts

20
Q

What are the three networking interface options for EC2?

A

Elastic Network Interface (ENI) for standard use

Enhanced Networking (SR-IOV) for 10-100 Gbps throughput

Elastic Fabric Adapter (EFA) for HPC/ML workloads that need low-latency, OS-bypass communication between nodes

21
Q

What are the three types of EC2 Placement Groups?

A

Cluster within an AZ for low latency, high throughput

Spread across distinct hardware for critical uptime and high availability

Partition across distinct hardware for multiple logical partitions supporting HDFS (Hadoop), HBase, or Cassandra

22
Q

Which EC2 instance type is good for addressing special software licensing requirements?

A

Dedicated Hosts (physical servers dedicated to you, which let you use existing per-socket or per-core licenses)

23
Q

What is EBS?

A

Elastic Block Store for EC2 instances

24
Q

What’s the difference between EBS and Instance Store volumes for EC2?

A

Instance store volumes are ephemeral: their data is lost when the attached EC2 instance is stopped, hibernated, or terminated (or the underlying disk fails). EBS volumes persist when the instance is stopped, and on termination they persist unless DeleteOnTermination is set, which it is by default for the root volume.

25
How long can EC2 On-Demand and Reserved instances be hibernated?
60 days
26
What is EFS?
Elastic File System: shared storage that many EC2 instances can mount at the same time using the NFSv4 protocol
27
How large can EFS scale up to?
Petabytes (it grows and shrinks automatically as files are added and removed)
28
How many concurrent connections can EFS support?
Thousands
29
Where is EFS data stored within a region?
Across multiple AZs
30
What is the data consistency pattern for EFS?
Read-after-write
31
What is FSx for Windows?
Centralized storage for Windows-based applications like SharePoint, SQL Server, etc.
32
What is FSx for Lustre?
A high-performance, high-capacity parallel file system for HPC, financial modeling, etc.; it can be linked to an S3 bucket so that the objects appear as files
33
What is AWS Backup?
For consolidating backup policies and automations across services, organizations, and accounts
34
What are the six RDS database types?
Aurora
MariaDB
MySQL
Oracle
PostgreSQL
SQL Server
35
How many database read replicas are allowed per database instance?
5 for MariaDB, MySQL, Oracle, PostgreSQL, and SQL Server (Aurora allows up to 15)
36
What's the difference between Multi-AZ and Read-Replica RDS configurations?
Multi-AZ is for disaster recovery of the primary instance while read replicas are for increased performance
37
How many copies of data does RDS Aurora store?
2 per AZ across 3 AZs for 6 copies total
38
What is the primary RDS Aurora Serverless use case?
Provides a relatively simple, cost-effective option for infrequent, intermittent, or unpredictable workloads
39
Across how many geographically distinct data centers is DynamoDB data stored?
3
40
What's the difference between DynamoDB Eventually and Strongly consistent reads?
Eventually consistent reads may return stale data, but all copies usually converge within one second and the reads cost half as much; strongly consistent reads return the result of every write that succeeded before the read
41
What are DynamoDB Transactions?
All-or-nothing database operations good for financial transactions for fulfilling orders
42
What are the three read consistency options in DynamoDB?
Eventual
Strong
Transactional
43
How may items or how much data can a DynamoDB Transaction support?
Up to 25 items or 4 MB of data
44
What does ACID stand for and to which AWS service does it apply?
Atomicity
Consistency
Isolation
Durability
It applies to DynamoDB Transactions, across one or more tables within a single AWS account and Region
45
Which NoSQL database service has On-Demand Backup and Restore?
DynamoDB
46
What is the time range for the DynamoDB Point-In-Time-Recovery (PITR) function?
Between 5 minutes and 35 days
47
What is the DynamoDB feature that can be combined with Lambda functions for stored procedure-like functionality?
DynamoDB Streams
48
For how long can DynamoDB Streams data be stored?
24 hours
49
How does DynamoDB Streams chunk its data?
With a time-ordered sequence of shards
50
What is DynamoDB Global Tables?
Managed multi-master and multi-regional data replication for globally distributed applications
51
What is DynamoDB Global Tables based on?
DynamoDB Streams
52
What is the replication latency for DynamoDB Global Tables?
Under 1 second
53
What five items do VPCs consist of?
Internet Gateways or Virtual Private Gateways
Route Tables
Network Access Control Lists (NACLs)
Subnets
Security Groups
54
In how many AZs is a subnet located?
1
55
What's the throughput range of a NAT Gateway?
5 to 45 Gbps
56
How do you make a NAT Gateway highly available across AZs?
Create a NAT Gateway in each AZ and configure routing to ensure resources use the gateway in their same AZ
57
Are security groups stateful or stateless?
Stateful
58
What networking function do you use to block IP addresses?
Network ACLs
59
What does each subnet need to be associated with?
A Network ACL
60
How are Network ACLs evaluated?
By a numbered list of rules starting with lowest number first
61
Are Network ACLs stateful or stateless?
Stateless
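The two NACL properties in cards 57-61 that bite in practice are rule ordering (first match wins, lowest number first) and statelessness (reply traffic needs its own rule). The following is an added example, not part of the flashcard set or any AWS code: a small evaluator over a constructed NACL. The rules, addresses and rule numbers are made up for illustration. It shows that a "deny this IP" rule numbered above the broad allow never fires, that moving the deny below the allow fixes it, and that an HTTPS session fails when no outbound rule covers the client's ephemeral port.

```python
import ipaddress

# Constructed Network ACL for a web subnet (example only, not from the page).
# Rules are evaluated in ascending number order, the first match wins, and the
# implicit final "*" rule denies anything nothing else matched.
INBOUND = [
    {"rule": 100, "proto": "tcp", "ports": (443, 443), "cidr": "0.0.0.0/0", "action": "allow"},
    # Meant to block one abusive client, but rule 100 has already allowed it
    {"rule": 200, "proto": "all", "ports": (0, 65535), "cidr": "198.51.100.7/32", "action": "deny"},
]
OUTBOUND = [
    # Replies to clients' ephemeral ports must be allowed explicitly: NACLs are stateless
    {"rule": 100, "proto": "tcp", "ports": (1024, 65535), "cidr": "0.0.0.0/0", "action": "allow"},
]


def evaluate(rules, proto, port, peer_ip):
    """Return (action, matching rule number) for a single packet."""
    ip = ipaddress.ip_address(peer_ip)
    for r in sorted(rules, key=lambda r: r["rule"]):
        low, high = r["ports"]
        if r["proto"] not in ("all", proto):
            continue
        if not low <= port <= high:
            continue
        if ip not in ipaddress.ip_network(r["cidr"]):
            continue
        return r["action"], r["rule"]
    return "deny", "*"


def https_session_allowed(inbound, outbound, client_ip, client_port=51515):
    """A TCP session passes a stateless ACL only if request and reply both hit an allow."""
    request, _ = evaluate(inbound, "tcp", 443, client_ip)
    reply, _ = evaluate(outbound, "tcp", client_port, client_ip)
    return request == "allow" and reply == "allow"


def block_cidr(rules, cidr):
    """Return a copy of rules with a deny for cidr numbered below every existing rule."""
    number = min(r["rule"] for r in rules) - 10
    if number < 1:
        raise ValueError("no room below the lowest rule; renumber the ACL first")
    deny = {"rule": number, "proto": "all", "ports": (0, 65535), "cidr": cidr, "action": "deny"}
    return sorted(rules + [deny], key=lambda r: r["rule"])


if __name__ == "__main__":
    # The deny at 200 is never reached, so the abusive client is still allowed
    print(evaluate(INBOUND, "tcp", 443, "198.51.100.7"))
    # Numbered below the allow, the deny now wins
    print(evaluate(block_cidr(INBOUND, "198.51.100.7/32"), "tcp", 443, "198.51.100.7"))
    # Without an outbound ephemeral-port rule the handshake reply is dropped
    print(https_session_allowed(INBOUND, [], "203.0.113.5"))
```

A security group needs none of the outbound bookkeeping because it is stateful, which is why blocking an address belongs in the NACL while allow-listing belongs in the security group.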
62
What does Direct Connect do?
Establishes a dedicated private network connection between an on-premises data center and AWS; the link is not encrypted by default, so run a VPN over it if you need encryption in transit
63
What is a VPC Endpoint?
A private connection from your VPC to a supported AWS service (or a PrivateLink service) that doesn't traverse the public Internet, so no Internet Gateway or NAT is needed
64
What are the two types of VPC Endpoints?
Interface | Gateway
65
Which two AWS services do VPC Gateway Endpoints support?
DynamoDB | S3
66
How do you connect VPCs with one another?
Via Peering that works in a star configuration (no transitive peering) and between regions
67
What service do you use to expose a service privately to tens, hundreds, or thousands of customer VPCs without peering each one?
PrivateLink
68
What two things does PrivateLink require?
A network load balancer on the service VPC and an ENI on the customer VPC
69
What is Transit Gateway?
A network transit hub that connects your VPCs and on-premises networks
70
What are the two types of network connections that Transit Gateway works with?
Direct Connect | VPN
71
What is the only networking service that supports IP multicast?
Transit Gateway
72
What is VPN CloudHub?
Connects multiple on-premises sites, each with its own Customer Gateway, through a single Virtual Private Gateway in a hub-and-spoke layout, so the sites can communicate securely with each other and with the VPC
73
In Route 53, which is preferred: Alias or CNAME?
Alias
74
What are the four common DNS record types?
A
CNAME
NS
SOA
75
What are the 7 routing policies available with Route 53?
Simple
Weighted
Latency-Based
Failover
Geolocation
Geoproximity
Multivalue Answer
76
How many days can it take for a new domain name to register?
3
77
How does Route 53 return the IP values to the user in a Simple Routing policy?
Randomly
78
How does Route 53's Weighted Routing policy direct user traffic?
By percentage amount of traffic to one IP address versus another in relation
79
How does Route 53's Latency Routing policy direct user traffic?
To the Region with the lowest latency to the user, measured in milliseconds (you create one latency record per Region)
80
How does Route 53's Failover Routing policy direct user traffic?
In active/passive mode where traffic goes to the active IP until a failure is detected which then routes traffic to the passive IP
81
How does Route 53's Geolocation Routing policy direct user traffic?
By the geographic location the DNS query originates from (continent, country, or US state), sending users to the resource you mapped to that location; add a default record for locations with no match
82
How does Route 53's Geoproximity Routing policy direct user traffic?
By the geographic location of users and of your resources (AWS Regions or latitude/longitude), with an optional Bias setting to expand or shrink the area routed to each resource; it must use Traffic Flow
83
How does Route 53's Multivalue Answer Routing policy direct user traffic?
By routing users to multiple resources that have associated health checks
84
What are the 3 different types of Elastic Load Balancers and on what network layers do they apply?
Application (Layer 7)
Network (Layer 4)
Classic (Layer 4 and 7)
85
What is the primary limitation of an Application Load Balancer?
It only supports HTTP and HTTPS
86
When would you use a Network Load Balancer over an Application Load Balancer?
When you need extreme performance at Layer 4 and other use cases where you need protocols not supported by Application Load Balancers
87
With Classic Load Balancers, what HTTP error code means the gateway has timed out?
504
88
With Classic Load Balancers, what HTTP header do you need in order to find out the IPv4 address of the end user?
X-Forwarded-For
89
What's a Sticky Session?
Where users are directed to the same resource for the duration of a session
90
What does a Deregistration Delay (aka Connection Draining) on an Elastic Load Balancer do?
Keeps existing connections to a target open for a set period after it is deregistered (e.g. scaled in) or marked unhealthy, so in-flight requests can complete; set it to 0 if you want the load balancer to close connections immediately
91
What is the main tool for anything alarm related?
CloudWatch
92
What service is best for monitoring resource configurations against standards (compliance rules)?
Config
93
What are the standard and detailed monitoring delivery intervals for CloudWatch?
Standard = 5 minutes
Detailed = 1 minute
94
What is the log monitoring tool that works for EC2, CloudTrail, and Route 53?
CloudWatch Logs
95
What monitoring service lets you run SQL-like queries over log data?
CloudWatch Logs Insights (it uses its own query language, not SQL)
96
What service is best for real-time logging?
Kinesis
97
Which service does an Auto Scaling group scale?
EC2 (Application Auto Scaling separately covers ECS services, DynamoDB tables, Aurora replicas, and others)
98
What's a better alternative to EC2 user data to help avoid long provisioning times during Auto Scaling?
Building custom AMIs
99
What can you use in EC2 to allow for a situation where the failure of a legacy codebase or resource that can't be scaled can automatically recover from failure?
A steady-state Auto Scaling group (min = max = desired = 1) that relaunches the instance if it fails
100
Which database service has the most scaling options?
RDS
101
What type of scaling is preferred for databases?
Horizontal
102
What does DynamoDB scaling come down to?
Access patterns
103
What two things should you check for when SQS is consistently showing duplicate messages?
A misconfigured (too short) visibility timeout, so the message becomes visible again before the consumer finishes
The consumer failing to delete the message (DeleteMessage with the latest receipt handle) after processing it
104
What do you need to set up for there to be bidirectional message queueing?
A second SQS queue
105
For how long can SQS messages persist?
14 days
106
What SQS setting do you need if message ordering is important?
First In First Out (FIFO)
107
What is the default Visibility Timeout in SQS?
30 seconds
108
What is the default Message Retention Period in SQS?
4 days
109
What is the default Delivery Delay in SQS?
0 seconds
110
What is the default maximum message size in SQS?
256 KB
111
What is the default Receive Message Wait Time for a standard SQS queue?
0 seconds for short polling; any non-zero value sets long polling
112
What is the default Enable Content-Based Deduplication setting for a FIFO SQS queue?
Disabled
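Cards 103, 107, and 112 describe at-least-once delivery: a receive does not remove a message, it hides it for the visibility timeout, and only a delete with the latest receipt handle removes it. The following is an added example, not part of the flashcard set and not SQS code: a toy in-memory model of those semantics plus FIFO content-based deduplication, with constructed message bodies and poll times. It reproduces both causes of duplicates from card 103 (processing that outlasts the visibility timeout, and a consumer that never deletes) and shows that a stale receipt handle does not delete anything, which is what happens in SQS when a message was redelivered in the meantime.

```python
import hashlib
import itertools


class ToyQueue:
    """In-memory model of SQS delivery semantics (constructed example, not AWS code).

    A receive never removes a message; it makes it invisible for visibility_timeout
    seconds and hands out a fresh receipt handle. Only delete() with the most recent
    handle removes the message.
    """

    DEDUP_WINDOW = 300  # FIFO deduplication interval, in seconds

    def __init__(self, visibility_timeout=30, fifo=False, content_based_dedup=False):
        self.visibility_timeout = visibility_timeout
        self.fifo = fifo
        self.content_based_dedup = content_based_dedup
        self._messages = []
        self._dedup_seen = {}
        self._ids = itertools.count(1)

    def send(self, body, now, dedup_id=None):
        """Return the message id, or None if a FIFO queue dropped it as a duplicate."""
        if self.fifo:
            if dedup_id is None and self.content_based_dedup:
                dedup_id = hashlib.sha256(body.encode()).hexdigest()
            if dedup_id is not None:
                first_seen = self._dedup_seen.get(dedup_id)
                if first_seen is not None and now - first_seen < self.DEDUP_WINDOW:
                    return None
                self._dedup_seen[dedup_id] = now
        msg = {"id": f"m{next(self._ids)}", "body": body, "invisible_until": 0, "handle": None}
        self._messages.append(msg)
        return msg["id"]

    def receive(self, now):
        """Return (id, body, receipt_handle) for the first visible message, else None."""
        for msg in self._messages:
            if msg["invisible_until"] <= now:
                msg["invisible_until"] = now + self.visibility_timeout
                msg["handle"] = f"{msg['id']}#{now}"  # a new handle on every delivery
                return msg["id"], msg["body"], msg["handle"]
        return None

    def delete(self, receipt_handle):
        """Delete only if the handle is the latest one issued; return whether anything went."""
        before = len(self._messages)
        self._messages = [m for m in self._messages if m["handle"] != receipt_handle]
        return len(self._messages) < before


def run_consumer(queue, poll_times, processing_seconds, delete_after_processing=True):
    """Poll at the given times and return the message ids delivered.

    Each delivery takes processing_seconds, after which the consumer deletes with the
    handle it received; if the message was redelivered in between, that handle is stale.
    """
    delivered, pending_deletes = [], []
    for now in poll_times:
        for done_at, handle in list(pending_deletes):
            if done_at <= now:
                queue.delete(handle)
                pending_deletes.remove((done_at, handle))
        received = queue.receive(now)
        if received is None:
            continue
        msg_id, _body, handle = received
        delivered.append(msg_id)
        if delete_after_processing:
            pending_deletes.append((now + processing_seconds, handle))
    return delivered
```

With a 30-second visibility timeout and 45 seconds of processing, `run_consumer(q, [0, 31, 60, 90], 45)` delivers `m1` twice: the second receive at t=31 invalidates the handle from t=0, so the first delete is a no-op. Raising the timeout above the processing time, or deleting promptly, yields a single delivery.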
113
What is the best service for proactive notifications like email, text, or push-based?
Simple Notification Service (SNS)
114
What service is best for getting notified of CloudWatch alarms?
Simple Notification Service (SNS)
115
What service acts as a secure front door to external communications coming into an application environment?
API Gateway
116
Is Redshift a suitable replacement for RDS in traditional applications?
No
117
What kind of AZ deployments does Redshift support?
Single; you can create multiple clusters in different AZs, but they're separate deployments and it's not highly available by default
118
What service does EMR reside on?
EC2
119
What is the only service with a real-time response?
Kinesis
120
How long can Kinesis store data when used as a queue?
Up to 1 year (the default is 24 hours; extended retention covers up to 7 days, long-term retention up to 365 days)
121
What service is good for serverless SQL or querying data that is stored in S3?
Athena
122
What is Glue?
Serverless ETL that can help create a schema for your data when paired with Athena
123
What service provides visualizing data in dashboards?
QuickSight
124
What service when combined with Logstash and Kibana creates an ELK stack that is a common way to search over server logs?
Elasticsearch
125
What's the best way to give a Lambda function credentials?
An execution role (an IAM role the function assumes), never hard-coded access keys
126
What are three common Lambda triggers?
S3
Kinesis
EventBridge (CloudWatch Events)
127
How much RAM can a Lambda function consume?
Up to 10 GB
128
For how long can a Lambda function run?
Up to 15 minutes
129
What's a better way to perform an automated action than scraping through CloudTrail logs?
EventBridge (CloudWatch Events) rules and Lambda functions
130
What open source container management service can run in AWS and on-premises?
Elastic Kubernetes Service (EKS)
131
What is Fargate?
A serverless compute engine that works with Elastic Container Service (ECS) and Elastic Kubernetes Service (EKS) that removes the need to provision and manage servers
132
Which is more favored on the exam: containers or EC2?
Containers
133
What are the four steps to implement a container?
1. Create a Dockerfile
2. Build an image
3. Upload it to a repository
4. Run it on a host
134
What are the two types of Distributed Denial of Service (DDoS) attacks?
Layer 3/4 (infrastructure) attacks such as SYN floods or NTP/UDP amplification
Layer 7 (application) attacks such as HTTP GET/POST request floods
135
What three things does logging API calls with CloudTrail allow?
After-the-fact incident investigation
Near real-time intrusion detection
Industry/regulatory compliance auditing
136
Where does CloudTrail store its logs?
S3
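Cards 129 and 135 pair CloudTrail with EventBridge rules and Lambda for near real-time detection instead of scraping the S3 log files after the fact. The following is an added example, not from the flashcard set and not AWS code: a small matcher for the exact-value subset of EventBridge event patterns, run over three constructed CloudTrail records in the shape EventBridge delivers them (only the fields the rules need are included). The two rules, a CloudTrail-tampering rule and a root console login rule, are written in the real pattern syntax; the `detail-type` strings are the ones CloudTrail events carry in EventBridge. The findings it returns are what a Lambda target would receive for remediation; the Lambda side is not shown.

```python
import json

# EventBridge-style rule patterns (constructed for this example). A pattern matches
# when every listed field is present in the event and its value is one of the
# literals given; nested objects are matched recursively.
RULES = {
    "cloudtrail-tampering": {
        "detail-type": ["AWS API Call via CloudTrail"],
        "detail": {
            "eventSource": ["cloudtrail.amazonaws.com"],
            "eventName": ["StopLogging", "DeleteTrail", "UpdateTrail"],
        },
    },
    "root-console-login": {
        "detail-type": ["AWS Console Sign In via CloudTrail"],
        "detail": {
            "eventName": ["ConsoleLogin"],
            "userIdentity": {"type": ["Root"]},
        },
    },
}

# Three constructed CloudTrail records as EventBridge would deliver them, trimmed
# to the fields the rules use (real records carry many more).
SAMPLE_EVENTS = [json.loads(line) for line in """
{"detail-type": "AWS API Call via CloudTrail", "detail": {"eventID": "e1", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "userIdentity": {"type": "IAMUser", "userName": "alice"}, "sourceIPAddress": "203.0.113.10"}}
{"detail-type": "AWS API Call via CloudTrail", "detail": {"eventID": "e2", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging", "userIdentity": {"type": "IAMUser", "userName": "alice"}, "sourceIPAddress": "203.0.113.10"}}
{"detail-type": "AWS Console Sign In via CloudTrail", "detail": {"eventID": "e3", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "userIdentity": {"type": "Root"}, "sourceIPAddress": "198.51.100.23"}}
""".strip().splitlines()]


def matches(pattern, event):
    """Subset of EventBridge pattern matching: exact-value lists and nested objects."""
    for field, expected in pattern.items():
        if field not in event:
            return False
        actual = event[field]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def detect(events, rules=RULES):
    """Return (rule name, eventID, sourceIPAddress) for every event that matches a rule."""
    findings = []
    for event in events:
        for name, pattern in rules.items():
            if matches(pattern, event):
                detail = event["detail"]
                findings.append((name, detail["eventID"], detail["sourceIPAddress"]))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The benign `DescribeInstances` call produces nothing; the `StopLogging` call and the root sign-in each produce one finding. In a real deployment the same patterns go into the EventBridge rule and the Lambda function only sees matching events, so the detection logic itself never has to read the CloudTrail S3 bucket.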
137
What is Shield?
It protects against DDoS network Layer 3 and 4 attacks
138
How much does Shield Advanced cost and what does it provide extra?
$3000 per month with a dedicated DDoS response team
139
What are the three things the Web Application Firewall (WAF) service allows you to do?
Allow all requests except the ones you specify
Block all requests except the ones you specify
Count the requests that match the properties you specify
140
What service blocks network Layer 7 DDoS attacks, SQL injections, and cross-site scripting?
Web Application Firewall (WAF)
141
What service can block access to specific countries or IP addresses?
Web Application Firewall (WAF)
142
What is GuardDuty?
Alerts you to abnormal or malicious behavior in your account, using machine learning, anomaly detection, and threat intelligence feeds to learn what normal behavior looks like
143
What does GuardDuty do with external feeds from third parties?
Updates a database of known malicious domains
144
What three things does GuardDuty monitor?
CloudTrail logs
DNS logs
VPC Flow Logs
145
How can you address threats that appear in GuardDuty?
With EventBridge (CloudWatch Events) that can trigger Lambda functions
146
What does Macie do?
Helps identify sensitive PII, PHI, and financial data residing in S3 using machine learning and pattern matching
147
How can Macie alerts be addressed?
Sent to EventBridge (CloudWatch Events) and remediate with Lambda or Step Functions
148
What does Inspector do?
Performs host and network vulnerability scans on EC2 instances and VPCs that can be run once or weekly
149
What is Key Management Service (KMS)?
Allows you to create and control the encryption keys used to encrypt your data
150
What do you need in order to start using Key Management Service (KMS)?
Create a Customer Master Key (CMK, now called a KMS key) in the Region where you will use it
151
What are the three ways to generate a Customer Master Key (CMK) for KMS?
AWS creates the CMK for you on its Hardware Security Modules (HSMs)
Have the key material generated and used in a CloudHSM cluster as part of the custom key store feature in KMS
Import your own key material from your own key management infrastructure and associate it with a CMK
152
What are three ways to control encryption key permissions?
Use the key policy
Use IAM policies in combination with the key policy
Use grants in combination with the key policy
153
What are the differences between KMS and CloudHSM?
KMS: multi-tenant (shared) FIPS 140-2 validated hardware, with automatic key generation and rotation
CloudHSM: single-tenant, dedicated FIPS 140-2 Level 3 hardware with full control of users, groups, keys, etc., but no automatic key rotation
154
What is Secrets Manager?
Allows you to securely store application secrets such as database credentials, API keys, SSH keys, passwords, etc.
155
What are the application caveats to using Secrets Manager?
Make sure every application instance reads the secret from Secrets Manager (rather than holding a cached copy) before enabling rotation: enabling rotation rotates the secret immediately and again on each schedule, and the old credential stops working
156
When should you use Parameter Store over Secrets Manager and at what threshold?
To minimize cost with up to 10,000 parameters
157
In what three scenarios should you use Secrets Manager over Parameter Store?
When you need:
More than 10,000 parameters
Key rotation
The ability to generate passwords using CloudFormation
158
What service feature allows you to share private files in your S3 buckets?
Presigned URLs
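A presigned URL is a capability token: the URL embeds the signer's access key id, an expiry, and a SigV4 signature over the method, host, key and query string, so whoever holds the URL can perform exactly that request until it expires, and nothing else. The following is an added example, not from the flashcard set and not the AWS SDK: a stdlib-only implementation of SigV4 query-string presigning for S3 and the check the service performs on receipt. The bucket, key, timestamp and credentials are constructed (the access key pair is the public example pair from the AWS documentation, not live keys); no network access is needed. The verifier shows that tampering with the key, the method, or the expiry, or presenting the URL after expiry, is rejected.

```python
import calendar
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, quote, unquote, urlsplit

# Public example credentials from the AWS documentation; they are not live keys.
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
MAX_EXPIRES = 7 * 24 * 3600  # SigV4 presigned URLs are valid for at most seven days


def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _signing_key(secret, date, region):
    """Derive the per-day, per-Region S3 signing key from the long-term secret."""
    key = _hmac(("AWS4" + secret).encode(), date)
    key = _hmac(key, region)
    key = _hmac(key, "s3")
    return _hmac(key, "aws4_request")


def _query_string(params):
    """Canonical query string: sorted, with '/' in the credential encoded as %2F."""
    return "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(params.items()))


def _signature(secret, method, host, key, params, region):
    amz_date = params["X-Amz-Date"]
    canonical_request = "\n".join([
        method,
        "/" + quote(key, safe="/-_.~"),  # S3 leaves '/' unencoded and does not double-encode
        _query_string(params),           # every parameter except X-Amz-Signature
        f"host:{host}\n",
        "host",
        "UNSIGNED-PAYLOAD",
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256",
        amz_date,
        f"{amz_date[:8]}/{region}/s3/aws4_request",
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    return hmac.new(_signing_key(secret, amz_date[:8], region), string_to_sign.encode(), hashlib.sha256).hexdigest()


def presign(bucket, key, region, expires, now, method="GET", access_key=ACCESS_KEY, secret=SECRET_KEY):
    """Build a SigV4 query-string presigned URL valid for `expires` seconds from `now` (epoch)."""
    if not 1 <= expires <= MAX_EXPIRES:
        raise ValueError("expires must be between 1 second and 7 days")
    host = f"{bucket}.s3.{region}.amazonaws.com"
    amz_date = time.strftime("%Y%m%dT%H%M%SZ", time.gmtime(now))
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{amz_date[:8]}/{region}/s3/aws4_request",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    params["X-Amz-Signature"] = _signature(secret, method, host, key, params, region)
    return f"https://{host}/{quote(key, safe='/-_.~')}?{_query_string(params)}"


def verify_presigned(url, method, now, secret=SECRET_KEY):
    """What the service does on receipt: check the window, then recompute the signature."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    presented = params.pop("X-Amz-Signature", None)
    try:
        _access_key, date, region, service, terminator = params["X-Amz-Credential"].split("/")
        expires = int(params["X-Amz-Expires"])
        issued = calendar.timegm(time.strptime(params["X-Amz-Date"], "%Y%m%dT%H%M%SZ"))
    except (KeyError, ValueError):
        return False
    if presented is None or params.get("X-Amz-Algorithm") != "AWS4-HMAC-SHA256":
        return False
    if service != "s3" or terminator != "aws4_request" or date != params["X-Amz-Date"][:8]:
        return False
    if not 1 <= expires <= MAX_EXPIRES or now < issued or now > issued + expires:
        return False
    expected = _signature(secret, method, parts.hostname, unquote(parts.path[1:]), params, region)
    return hmac.compare_digest(presented, expected)
```

Two practical consequences follow from the construction: the URL is only as good as the credentials that signed it (a presigned URL from a role's temporary credentials dies with the session, whatever `X-Amz-Expires` says), and anyone who can read the URL can replay it until expiry, so keep lifetimes short and treat the URL like the secret it stands in for.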
159
In IAM policies, not explicitly allowed means what?
Implicitly denied
160
In IAM policies, what supersedes all else?
Explicit denies
161
How are IAM policies put into effect?
By attachment
162
How are multiple IAM policies applied to an object or resource?
By joins
163
What are the two ways IAM policies can be managed?
By AWS or by customer
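Cards 8 and 159-162 give the evaluation rule for identity-based policies: any explicit Deny wins, otherwise any Allow wins, otherwise the request is implicitly denied, with all attached policies evaluated together. The following is an added example, not from the flashcard set and not IAM's own implementation: an evaluator for that rule over two constructed policies (a log-reader allow plus a guard-rail deny), using IAM's `*`/`?` wildcards, case-insensitive action matching, and `NotAction`/`NotResource`. A second function is a least-privilege lint that flags `Action: "*"` on `Resource: "*"`. Conditions, resource-based policies, permission boundaries and SCPs are outside this example.

```python
import fnmatch

# Constructed identity-based policies for a log-reader role (example only).
POLICIES = [
    {"Version": "2012-10-17", "Statement": [
        {"Sid": "ReadLogs", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::app-logs", "arn:aws:s3:::app-logs/*"]},
        {"Sid": "Inventory", "Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    ]},
    {"Version": "2012-10-17", "Statement": [
        {"Sid": "GuardRail", "Effect": "Deny", "Action": "s3:*",
         "Resource": "arn:aws:s3:::app-logs/restricted/*"},
    ]},
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_insensitive=False):
    """IAM wildcard match: '*' matches any run of characters, '?' exactly one."""
    patterns = _as_list(patterns)
    if case_insensitive:  # action names are case-insensitive; ARNs are not
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _statement_applies(statement, action, resource):
    if "Action" in statement:
        action_hit = _matches(statement["Action"], action, case_insensitive=True)
    else:
        action_hit = not _matches(statement["NotAction"], action, case_insensitive=True)
    if "Resource" in statement:
        resource_hit = _matches(statement["Resource"], resource)
    else:
        resource_hit = not _matches(statement["NotResource"], resource)
    return action_hit and resource_hit


def evaluate(policies, action, resource):
    """Decide like IAM: an explicit Deny anywhere wins, then any Allow, else implicit deny."""
    decision = "implicit_deny"
    for policy in policies:
        for statement in policy["Statement"]:
            if not _statement_applies(statement, action, resource):
                continue
            if statement["Effect"] == "Deny":
                return "explicit_deny"
            decision = "allow"
    return decision


def find_overly_broad(policies):
    """Least-privilege lint: Sids of Allow statements granting every action on every resource."""
    hits = []
    for policy in policies:
        for statement in policy["Statement"]:
            if statement["Effect"] != "Allow" or "Action" not in statement or "Resource" not in statement:
                continue
            if "*" in _as_list(statement["Action"]) and "*" in _as_list(statement["Resource"]):
                hits.append(statement.get("Sid", "<no Sid>"))
    return hits


if __name__ == "__main__":
    print(evaluate(POLICIES, "s3:GetObject", "arn:aws:s3:::app-logs/2021/app.log"))
    print(evaluate(POLICIES, "s3:GetObject", "arn:aws:s3:::app-logs/restricted/keys.txt"))
    print(evaluate(POLICIES, "s3:PutObject", "arn:aws:s3:::app-logs/2021/app.log"))
```

Attaching an administrator-style policy to the same principal does not override the `GuardRail` deny, which is why a deny statement is the right tool for a hard boundary and an allow list is the right tool for everything else.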
164
What service allows you to manage SSL certificates?
Certificate Manager
165
What services does Certificate Manager support?
API Gateway CloudFront Elastic Load Balancer
166
What are the three main sections of a CloudFormation script?
Parameters Mappings Resources
167
What is preferred: Stateless or stateful resource architecture?
Stateless
168
What service works well with a CloudFormation's Mappings section to make your templates more flexible and avoid breakage?
Parameter Store
169
What service provides a simple solution to bundle and deploy applications over CloudFormation?
Elastic Beanstalk
170
What type of object allows you to configure the internals of an EC2 instance?
Automation Documents
171
What is Systems Manager?
A centralized user interface to track and resolve operational issues across your applications and resources
172
What is the only service that can add HTTPS to a static website hosted in an S3 bucket?
CloudFront
173
Between caching and cost, which one does the exam favor more?
Caching
174
What service provides for IP caching to reduce issues with customers caching old IP addresses?
Global Accelerator
175
What are two in-memory databases, and which one is preferred?
Redis and DynamoDB, with DynamoDB being preferred (note that DynamoDB itself is a disk-backed NoSQL store, not an in-memory database; its in-memory cache is DAX, card 181)
176
What service offers in-memory data stores?
ElastiCache
177
What are the two in-memory data stores supported by ElastiCache?
Redis and Memcached
178
Which ElastiCache service offers a persistent data store?
Redis
179
What ElastiCache service supports backups?
Redis
180
What two services are NOT a source of truth for your data?
ElastiCache for Memcached and DynamoDB Accelerator (DAX)
181
What is DynamoDB Accelerator (DAX)?
An in-memory cache for DynamoDB
182
What is the only way to restrict the root user account?
Service Control Policies (SCPs) in AWS Organizations; they apply to member accounts including their root user, but not to the management account
183
Which is preferred: centralized or decentralized logs?
Centralized via CloudTrail
184
What is the preferred way to add more layers of security and controls: centralized or isolated workloads?
Isolated into separate accounts
185
What are the three benefits of using Config?
Standardization for compliance using rules Automated remediation using Automation Documents Historical changelog of the entire system architecture
186
What tools do you use to manage internal and external users?
SSO for internal and Cognito for external
187
What service supports Active Directory?
Directory Service using Managed Microsoft AD
188
What service do you use for Active Directory on-premises?
Directory Service using AD Connector
189
What is the best way to enable cross-account access?
Via roles, not unnecessary IAM credentials
190
What are the three ways to track costs?
Budgets
Cost Explorer
Tags
191
How do you be proactive with potential cost problems?
By implementing SNS alerts when costs reach a certain threshold
192
What is preferred when a cost problem is encountered: automated or manual intervention?
Automated
193
What is Trusted Advisor?
Provides recommendations that help you follow AWS best practices
194
What do you need in order to get the most useful checks from Trusted Advisor?
A Business or Enterprise support plan
195
What is Trusted Advisor's biggest limitation?
That it's strictly an auditing tool. It can't remediate issues that are found.
196
What's the best way to resolve problems found in Trusted Advisor?
By using EventBridge to kick off a Lambda function
197
How much data is Snowball good at migrating?
Terabytes
198
What's the difference between Snowcone and Snowmobile?
Snowcone is the smallest migration device
Snowmobile is a shipping container towed by a truck
199
When is it best to use Snowball for data migration?
Where you have slow or no Internet
200
What service is good at hybridizing with on-premises storage?
Storage Gateway
201
Which Storage Gateway option is good for when local network-attached storage is full?
File Gateway
202
What does Storage Gateway run on?
A local virtual machine (VM) on-premises
203
What is DataSync?
An agent-based online transfer service for moving file shares (NFS/SMB) into AWS, either as a one-time migration or on a schedule
204
What are two viable locations for DataSync to transfer data into?
EFS | FSx (S3 is also a supported destination)
205
What service allows you to use legacy file transfer protocols to give older applications the ability to read/write in S3?
Transfer Family
206
What is Migration Hub?
An organization tool that gives you a way to organize all your migration steps, but doesn't actually perform the migration
207
What is the Database Migration Service?
A tool for any sort of database migration. It works for on-premises-to-cloud or between RDS databases
208
What is the Server Migration Service?
A tool for migrating server instances out of the data center and into AWS
209
For what five database engines does RDS support read replicas?
MariaDB
MySQL
Oracle
PostgreSQL
SQL Server
210
What are the two write consistency options in DynamoDB?
Standard | Transactional