
AWS Solutions Architect Professional

How to handle the peak load of an application?
- When encountering the phrase "handle peak load traffic" in a question, think of AWS Auto-Scaling.
- Use Auto-Scaling with Spot instances
- Use Auto-Scaling with On-Demand instances

What should be used for the steady-state load of an application?
- Use Reserved instances

What EC2 pricing model should be used for RDS?
- Use Reserved instances for RDS

Which Route53 record should be used for EC2?
- Use a Type A Record without an Alias for EC2 instances

Which Route53 record should be used for ELB, CloudFront, S3?
- Use a Type A Record with an Alias for ELB, CloudFront, and S3

Which Route53 record should be used for RDS?
- Use a CNAME Record with no Alias for RDS

Which service should be used to discover and protect sensitive data in AWS using machine-learning and pattern-matching?
- Using Amazon Macie

Which AWS service should be used to scan Amazon S3 buckets for data security and data privacy?
- Using Amazon Macie

Where to store encryption keys?
- In AWS KMS

What is the cheapest way to scan the CodeCommit repository?
- Writing a lambda function

Can you rotate IAM keys with Secrets Manager?
- No

What should be done when IAM credentials are found in the commits of a CodeCommit repository?
- Search for credentials in new code submissions using a custom Lambda function.
- Set the CodeCommit push event as the function trigger.
- If credentials are found, disable the IAM keys and notify of the violation.

How to store huge data and its metadata?
- Store the huge data in S3, and its metadata in DynamoDB.

Where to store user-preference data of KB size?
- In DynamoDB

An application will be used by millions of users. The user-preference data, whose size will be in KB, should be stored in AWS. The storage should be cost-effective, highly available, scalable, and secure. Social login accounts will be used for user authentication. What solution should be used?
- You can use S3, RDS, or DynamoDB. However, since the size of the data is small, DynamoDB should be used.
- DynamoDB has fine-grained access control for authentication and authorisation.
- DynamoDB is more scalable and cost-effective than RDS.

AWS Storage Gateway 'Tape Gateway' is backed by?
- Glacier

AWS Storage Gateway 'File Gateway' is backed by?
- S3

AWS Storage Gateway 'Volume Gateway' is backed by?
- EBS volumes (which are asynchronously backed up to S3, providing double off-site backups)

There is a 'Tape library' on-premises. Which 'Storage Gateway' technique should you use to move the tape library data to the AWS cloud?
- You can set up a 'Tape Gateway' appliance on-prem to archive the data in Glacier (but the data can't be retrieved quickly)
- You can set up a 'File Gateway' appliance on-prem to store the data in S3 (other AWS services can retrieve data from S3 faster)

Can you connect 'tape gateway' directly to 'Kinesis Video Streams Service'?
- No. It should be done only via Storage Gateway first.

Service used for facial recognition from images, videos, and streaming videos?
- Amazon Rekognition

Service used to track changes made to AWS resources?
- CloudTrail

Changes to regional services are logged to?
- CloudTrail of that region

Changes to global services are logged to?
- All CloudTrail trails with the 'IncludeGlobalServiceEvents' flag (global services option selected)

How to log changes made to resources in all AWS regions in CloudTrail?
- With global services option selected

CloudTrail logs are backed by?
- S3

How to maintain data integrity in S3?
- Enable MFA Delete

Which service logs AWS events in CloudTrail?
- IAM

Is S3 POSIX compliant?
- No

Is NFS POSIX compliant?
- Yes

How to increase network throughput of EC2 instances?
- By attaching multiple ENIs

Will increased throughput handle DDoS attacks on EC2 instances?
- No, the CPU will still be saturated

How to prevent overloading applications by distributing traffic?
- By using ELB

Which services can be used to ensure application availability?
- WAF
- ELB

Which services can be used to mitigate DDoS?
- WAF
- ELB

Can CloudWatch alerts trigger EC2 Auto-Scaling?
- Yes

Which metrics can CloudWatch alerts monitor and notify on?
- CPUUtilization
- NetworkIn

What's the relationship between SSO and Identity Federation?
SSO is a subset of Identity Federation

How to give access to a system to external users?
Through Identity Federation

Can you apply SCPs to only one account?
They can be applied to a single account, multiple accounts, or all accounts under an Organizational Unit (OU).

How to restrict one or a few of the accounts in an AWS organization from creating resources in a specific region?
Through AWS Organizations' Service Control Policies (SCPs)

How to restrict IAM roles in one or a few of the accounts in an AWS organization from creating EC2 instances in a specific region?
Through AWS Organizations' Service Control Policies (SCPs)

How to restrict a specific IAM role, in one or a few of the accounts in an AWS organization, from accessing Amazon S3 buckets in a certain AWS account?
Through AWS Organizations' Service Control Policies (SCPs)

How to restrict the set of EC2 instance types that can be launched in one or a few of the accounts in an AWS organization?
Through AWS Organizations' Service Control Policies (SCPs)

How to allow or deny the use of certain AWS resources in one or a few of the accounts in an AWS organization?
Through AWS Organizations' Service Control Policies (SCPs)

How to manage IAM policies for multiple AWS accounts?
If the number of accounts is 2 or fewer, use cross-account access; otherwise, use AWS Organizations with Service Control Policies (SCPs).

Difference between IAM policies and SCPs?
IAM policies can't be applied to the root identity of an account; they can only be applied to IAM roles, users, and groups.

Can you only blacklist services in SCPs?
You can also whitelist.

What if a service is not explicitly allowed in SCPs?
It's denied.

Why is a new AWS account still able to perform certain actions even after a custom SCP is applied to restrict it from performing those actions on an ECS cluster with an attached service-linked role?
Service-linked roles can't be restricted by SCPs.

What is the default AWS Organizations Service Control Policy (SCP) that is attached to every root, organizational unit (OU), and account, and what steps can be taken to restrict permissions using a custom policy?
The default SCP, named FullAWSAccess, is attached to every root, organizational unit (OU), and account, and allows all actions and services. To restrict permissions, a custom policy needs to be created; a Deny policy can be used to block access to specific services and actions.

How does a Deny policy in a custom policy interact with the Allow policy in the default SCP?
The Deny policy overrides any Allow policy in the default SCP.

Will a Service Control Policy (SCP) attached to a higher-level Organizational Unit (OU) with an Allow policy for a specific service override a Deny policy in the same service control policy attached to a lower-level OU?

No, that does not necessarily mean it will override the Deny policy. A new Deny SCP created and attached to the new account's OU will not be affected by the pre-existing Allow policy in the same OU.

Will RDS Multi-AZ protect from regional failures?

No, it protects only from AZ failures.

How many primary DB instances will RDS Multi-AZ have?

One.

What are the other instances in RDS Multi-AZ?

Standby instances.

Will the data be synchronously replicated from primary to standby instances in RDS Multi-AZ?

Yes.

What will happen when the primary instance fails in RDS Multi-AZ?

RDS automatically fails over to a standby instance without manual intervention.

There are two master RDS DBs in two regions. Each is the master DB for its own region (i.e., each accepts write operations in its own region). How to replicate data between them?

It's not possible to replicate data between two master DBs in different regions when they both accept write operations.

There are 2 servers in us-east-1 and us-west-1 regions. Users from New York should be directed to us-east-1 and users from Los Angeles to us-west-1. Which Route53 routing policy should be used?

Geo-location routing policy.

A portion of Los Angeles based users should be directed to us-east-1 even though us-west-1 is their closest region. Which Route53 routing policy should be used?

Geo-proximity routing policy.

How is the Multivalue answer routing policy different from the Failover routing policy?

In the Multivalue answer routing policy, a single domain is resolved to multiple IP addresses. The DNS resolver on the client side selects one of those IPs randomly and uses it to connect to a resource that can serve the request. Its main use is load balancing.

In the Failover routing policy, AWS (not the client) redirects the traffic to a healthy instance during a failover. Its main use is disaster recovery/high availability.

There are servers in the North Virginia, Sydney, and Frankfurt regions. Users from the USA should be directed to Sydney and users from Australia should be directed to North Virginia in case of regional failures. Should we use the Multivalue answer routing policy or the Failover routing policy?

Failover routing policy. The Multivalue routing policy should not be used, as users may be directed to Frankfurt if the servers there are healthy. But the requirement doesn't say the traffic should be redirected to Frankfurt.

There are servers in the North Virginia, Sydney, and Frankfurt regions. Users from the USA should be directed to North Virginia and users from Australia should be directed to Sydney. Which Route53 routing policy should be used?

Geo-location routing policy.

There should be a DB set-up that spans multiple regions. The in-region DB endpoint should accept both reads and writes. Data should be synced across all regions with less than a second of latency. Which DB should be used?

Create an Aurora Global Database cluster across all the regions.

There are 2 regions (Ohio and Seoul) and an Aurora Global Database spans these 2 regions. Can applications write data in their local regions?

No. An Aurora Global Database can have only one primary region and up to 5 secondary regions. Data will only be written to the primary instance and replicated to the secondary instances instantly. In this case, if Ohio is the primary region, applications from both Ohio and Seoul will write only into the primary region, i.e., Ohio. However, applications in the secondary region can read the data from the secondary region, i.e., Seoul.

In the set-up above, the Aurora Global Database instance in the Ohio region should be the primary instance during morning time in North America, and the Aurora Global Database instance in the Seoul region should be the primary instance during morning time in East Asia. How to do this?

Any secondary database instance can be promoted to the primary database instance in an Aurora Global Database, through configuration, in under a minute.

How to store the state of the EC2 application servers regularly?

By taking snapshots.

Where can we store those snapshots?

In S3.

Which open-source framework can be used to build serverless applications on AWS?

AWS Serverless Application Model (SAM)

Is AWS SAM an extension of AWS CloudFormation?

Yes. It has the deployment capabilities of AWS CloudFormation. Resources can be defined using AWS CloudFormation in AWS SAM templates, and AWS CloudFormation's suite of resources, functions, and template features is available.

Which AWS services can be used to build a deployment pipeline for serverless applications?

AWS CodeBuild, AWS CodeDeploy and AWS CodePipeline.

Which AWS service can be used to automatically configure project structure, code repository and a CI/CD pipeline?

AWS CodeStar.

Can we use a Jenkins plugin to deploy serverless applications?

Yes.

Can we build production-ready applications using Stackery.io's toolkit?

Yes.

Which service lets you use Chef and Puppet to automate how servers are configured, deployed, and managed across EC2 instances or on-premises?

AWS OpsWorks.

Which service is used to configure and manage instances with custom runbooks or pre-defined runbooks maintained by AWS?

AWS Systems Manager Automation.

What is AWS Serverless Application Repository?

It's a managed repository for serverless applications.

A fleet of EC2 instances/on-prem VMs should be patched based on their OS type (Windows, Linux), environment (dev, prod), and server function (Web, App, File, DB). Patching should be targeted, e.g., a specific patch should be applied only to Windows servers in the prod environment. Which Systems Manager service would you use?

Use Systems Manager's Patch Manager, Patch Groups, and Patch Baselines. Tag resources based on their types, e.g., dev-linux-app.

Systems Manager Run Command, Patch Compliance, Systems Manager Maintenance Windows, and AWS Config can also be used, but they take more effort.

What would you use to collect and analyze logs from a large number of mixed Windows and Linux Amazon EC2 instances for monthly performance checks? What will be the appropriate tool for log analysis?

Set up the unified CloudWatch Logs agent (better than the SSM agent in this case) on each EC2 instance. This will automatically collect and push data to CloudWatch Logs. CloudWatch Logs Insights will be the appropriate log analysis tool.

New Amazon EC2 instances are being marked as unhealthy by an ALB and get terminated before the architect can log in. AWS Systems Manager Agent and CloudWatch Logs are set up, but the logs collected in CloudWatch Logs do not show definitive errors. What is the quickest approach for a solutions architect to troubleshoot?

To prevent the Auto Scaling group from terminating EC2 instances and allow sufficient time for troubleshooting, the solutions architect should suspend the "Terminate" process for the Auto Scaling Group and use AWS Systems Manager Session Manager to log in to one of the unhealthy instances.
