3. [VH] AWS Fundamentals

Questions and Answers

Consider an AWS environment where an organization is deploying both public and private services. Which of the following statements most accurately delineates the fundamental differentiation between these service types?

• Public services are billed at a higher rate due to their global accessibility, while private services offer cost savings through localized resource utilization.
• Public services are designed to handle larger data volumes and higher traffic loads, while private services are optimized for internal applications with lower scalability requirements.
• Public services are accessed via public endpoints and are accessible from any location with an internet connection, while private services operate within a VPC and are accessible only within that VPC or its connections. (correct)
• Public services are inherently more secure than private services due to AWS-managed security protocols, whereas private services necessitate custom security configurations.

In the context of AWS networking, which of the following statements elucidates the relationship between public AWS services, the public internet, and Virtual Private Clouds (VPCs)?

• Public AWS services act as gateways to the public internet for VPCs, routing all internet-bound traffic from VPCs through public service endpoints.
• Public AWS services and VPCs both reside on the public internet but utilize different ports for communication, necessitating specific firewall rules for inter-service communication.
• Public AWS services operate within the AWS public zone, a network connected to the public internet, and VPCs are private zones requiring configured connections for internet access. (correct)
• Public AWS services reside directly on the public internet, while VPCs are isolated and require explicit configuration for any internet access.

An organization architecting its AWS environment requires stringent control over data egress, specifically ensuring that data processed within a private EC2 instance does not traverse the public internet when accessing a public AWS service such as S3. Which configuration strategy most effectively guarantees this requirement?

• Configure a VPC endpoint for S3, ensuring all traffic between the EC2 instance and S3 remains within the AWS network, bypassing the public internet. (correct)
• Implement an AWS Web Application Firewall (WAF) rule to block all outbound traffic from the EC2 instance destined for public internet IP ranges.
• Utilize S3's bucket policies to restrict access to the EC2 instance's private IP range, thereby preventing unauthorized external access.
• Establish a dedicated VPN connection between the VPC and the S3 service, routing all traffic through an encrypted tunnel to prevent interception.

Given that AWS Regions are designed to be isolated for fault tolerance and geopolitical separation, under what intricate circumstance would an organization deliberately configure data to move between distinct AWS Regions, and what conditions would it need to explicitly satisfy?

To comply with specific regulatory requirements mandating data residency in multiple, geographically diverse Regions, necessitating explicit consent and configuration. (D)

How does AWS utilize edge locations in conjunction with regions to optimize content delivery, and how might a solutions architect strategically leverage this architecture for a media streaming company with a global user base?

Edge locations cache frequently accessed content, reducing latency for end-users, while regions serve as the authoritative source, allowing for solutions architect to reduce latency and improve user experience via strategic content placement within the edge locations. (C)

Under what circumstances would an AWS solutions architect strategically choose a 'globally resilient service' over a 'regionally resilient service', and what are the inherent trade-offs associated with this decision?

When selecting a service that requires a single point of management and data replication across multiple regions, trading off regional isolation for operational simplicity. (A)

An organization seeks to implement a multi-tier web application within AWS, requiring complete isolation between its development, staging, and production environments. Which AWS service configuration most effectively ensures this isolation at the network level?

Create separate VPCs for each environment (development, staging, production) to ensure complete network isolation. (C)

What are the implications of deleting the default Virtual Private Cloud (VPC) in an AWS region, and how does this action specifically impact services that rely on default network configurations?

Deleting the default VPC requires explicit configuration of network settings for all new AWS resources, potentially disrupting services that implicitly rely on the default VPC's pre-configured networking. (A)

Elaborate on the architectural significance of Availability Zones (AZs) within the context of Virtual Private Clouds (VPCs), and how does the strategic distribution of subnets across AZs contribute to building resilient applications?

AZs are equivalent to data centers within an AWS Region, and distributing subnets across multiple AZs protects applications from single data center failures, which ensure the applicaiton remains operational despite failures in one AZ. (B)

An organization migrating its on-premises workloads to AWS seeks to understand the inherent limitations and flexibilities associated with the default VPC's CIDR block. Which of the following statements accurately reflects these considerations?

The default VPC CIDR block is fixed at 172.31.0.0/16 and can't be changed though the default VPC is less flexible than custom VPCs. (C)

When designing an EC2 instance architecture for optimal cost control, what pivotal trade-offs must be evaluated concerning instance states, billing granularity, and long-term storage charges?

While 'stopped' instances cease CPU and memory billing, charges for EBS storage persist, necessitating instance termination for complete cost elimination. (A)

In the context of Amazon Machine Images (AMIs), what intricate factors govern an organization's ability to share an AMI with other AWS accounts, and how do these permissions interplay with data security and compliance requirements?

AMI permissions (public, explicit, owner) dictate which accounts can launch instances from the AMI, demanding meticulous management and alignment with data security policies and compliance stipulations. (B)

An organization seeks to enforce a globally consistent security posture across all AWS accounts, while allowing individual accounts flexibility within those guardrails. How do Service Control Policies (SCPs) and IAM policies interact to achieve this?

SCPs define the maximum permissions available within an AWS Organization account, while IAM policies delegate specific permissions to users and roles within those boundaries. (D)

Considering the need to connect to EC2 instances running different operating systems, how do Remote Desktop Protocol (RDP) and Secure Shell (SSH) keys and protocols function and how are they secured?

SSH employs key pairs for authentication on Linux instances, and RDP requires a private key to obtain the local administrator password on Windows instances for remote desktop access. (D)

What key attribute differentiates a bucket name in Simple Storage Service (S3) name from other AWS resource naming conventions, and what are the encompassing architectural implications for global deployments?

S3 bucket names have to be globally unique across all AWS accounts. (A)

In the context of Amazon S3, how do prefixes and object keys collectively emulate a hierarchical file system, and what are the inherent limitations of this approach?

S3 presents a flat namespace wherein object keys containing forward slashes (/) are interpreted by the console and SDKs to simulate directory hierarchies. The limitations being, is the need to manage S3 buckets for the object key and have proper planning to allow search based on each given unique key. (C)

When architecting a data lake solution on AWS S3, how should one reconcile the limitations on the amount of buckets in a AWS account when the system requires a bucket for each enterprise user?

Utilize S3 object prefixes to emulate individual buckets, enabling segregated data storage within a single bucket through a folder type architecture. (D)

In the context of AWS CloudFormation templates, elucidate the distinction between the 'Description' and 'Metadata' sections, and how do these sections interact to enhance template readability and usability?

The 'Description' section offers a free-text explanation. In contrast, the 'Metadata' section allows for structured data (such as grouping) to control the user interface (UI) in the AWS console. (D)

What critical sequencing constraint must an AWS solutions architect meticulously observe when composing CloudFormation templates containing both an "AWS Template Format Version" and a "Description?"

The "Description" block must immediately follow the "AWS Template Format Version" declaration, if both are included. (C)

How does the selective application of 'Conditions' within a CloudFormation template enable dynamic resource provisioning, and under what intricate circumstances is this capability most advantageous?

'Conditions' enable you to set a criteria that certain things need to have inside a templated to happen, meaning your template can do multiple automations. (D)

An AWS solutions architect is troubleshooting a CloudWatch alarm that sporadically transitions to an 'INSUFFICIENT_DATA' state, despite the underlying metric consistently reporting valid data points. What diagnostic steps should be initiated to resolve this issue?

Verify the IAM role associated with the CloudWatch alarm has adequate permissions to ingest and analyze the metric data source. Also, ensure the data is being delivered from the proper location. (C)

CloudWatch, by default, gathers certain metrics natively. In contrast, additional metric collection needs require the CloudWatch Agent. What considerations determine the necessity of deploying the CloudWatch Agent?

The CloudWatch Agent is essential for acquiring metrics external to AWS that are non-natively exposed, and specific product's internally that need non-natively exposed monitoring. (D)

The AWS Shared Responsibility Model dictates a division of security obligations between AWS and its customers. Which component is an AWS customer's responsibility?

Integrity and authentication (C)

Elaborate on the architectural nuances that distinguish high availability (HA) from fault tolerance (FT) in AWS environments, and what are the encompassing implications for system design? Consider not a simple web server, but a stateful API.

HA concentrates on automatic recovery from component malfunctions, necessitating sophisticated designs where systems fail through that, FT ensures continued correct operation in the presence failure. (D)

What is the key differentiator between high availability (HA), fault tolerance (FT), and disaster recovery (DR)?

HA minimizes outages, FT manages thru them and DR means you can't do either. (D)

How does Route 53 facilitate domain registration, and what critical steps ensure the domain correctly delegates its administrative responsibilities?

After registering to a domain to route 53, the NS records from the zone apex, delegate administrative responsibilities for the domain to the delegated DNS servers. (A)

In the intricate domain of DNS record management, how do 'A' and 'AAAA' records divergently resolve hostnames, and how should a solutions architect harmonize their coexistence to satisfy both IPv4 and IPv6 end-user resolutions?

Create each and resolve to either 4 or 6 depending in either IP and allow to client OS to pick proper resolver. (C)

How does the CNAME record type provide DNS shortcuts, and are their limitations?

CNAME record type creates DNS shortcuts by point A record to a specific hostname.. (A)

How do MX records facilitate mail exchange and how is value given to priority?

Provides lookup from MX, allowing for various paths given priority where lower values are actually valued higher. (A)

In the intricate domain of Domain Name System (DNS) record types, where do Time-To-Live (TTL) values operate to govern caching behaviors, and what complex equilibrium must administrators attain amid cache invalidation, authoritative server strain, and real-time update proliferation?

Implemented at each record you will set and this defines the amount of time to cahce by a resolver. Higher times improve strain, while lower increase validation. (C)

An organization is establishing an AWS environment with stringent network access controls. They require that a specific service be exclusively accessed via private endpoints, circumventing any exposure to the public internet. Which combination of controls most definitively ensures this?

Using VPC endpoints in conjunction with IAM policies that explicitly deny internet access and a bucket policy to reject requests not originating from the VPC endpoint. (B)

An enterprise has established multiple AWS accounts, each representing a critical business unit. Which approach offers the most scalable and secure method for uniformly governing network access across these diverse accounts, while preserving a degree of autonomy for individual unit operations?

Implement AWS Service Control Policies (SCPs) at the organizational level, supplemented by account-specific IAM policies and explicit VPC configurations. (B)

A financial institution processes highly sensitive transactional data within its AWS Virtual Private Cloud (VPC). To adhere to strict regulatory compliance, what is the most reliable strategy to ensure that all data exchanges with external AWS services, such as S3 or DynamoDB, remain confined to the AWS internal network, explicitly avoiding the public internet?

Employing VPC Endpoints combined with comprehensive IAM and VPC endpoint policies, strictly limiting data exfiltration to authorized services via private routes. (D)

An organization with a global presence requires a highly available and fault-tolerant DNS infrastructure. When designing a DNS solution using Route 53, what is the key implication of Route 53's global service architecture regarding regional failures and data consistency?

Route 53 automatically replicates DNS configurations across multiple regions, ensuring continued service during regional disruptions. (A)

When architecting a media streaming service that delivers content globally, how can route 53 be leveraged in conjunction with AWS edge locations to optimize performance and minimize latency for end users?

By using Route 53's geolocation routing policy to redirect users to the nearest CloudFront distribution. (C)

In a scenario where an organization is deploying a fleet of EC2 instances across multiple AWS regions, what configuration strategy should be adopted when leveraging Amazon Machine Images (AMIs) to ensure consistency and manageability while adhering to regional compliance requirements?

Employ a process where AMIs are built and maintained independently in each region, tailored to specific compliance needs, while using a centralized system to manage AMI IDs and lifecycle. (A)

An organization using AWS CloudFormation requires a mechanism to dynamically adjust resource deployments based on whether the target environment is a production or staging environment. How should they implement such dynamic provisioning?

Implementing dynamic resource provisioning using CloudFormation 'Conditions' based on environment-specific parameters, allowing for conditional resource creation. (B)

Which condition necessitates the installation and configuration of the CloudWatch Agent on an EC2 instance in order to collect metrics?

To collect custom application metrics, enhanced memory utilization metrics, or any metrics from within the guest operating system that are not exposed through the hypervisor. (B)

A security architect reviews an AWS environment and needs to identify a configuration where the customer has direct responsibility according to the AWS Shared Responsibility Model. Which of the following options falls squarely under the customer's purview?

Configuring and maintaining the guest operating system, including patching and security updates, as well as securing the applications and data stored on EC2 instances. (A)

In the context of workload migration to AWS, differentiate between High Availability (HA) and Fault Tolerance (FT).

HA aims to minimize downtime and offers automatic recovery, while FT aims to prevent downtime and provide continuous operation even with component failures. (A)

Given that DNS record management involves TTL values, what specific architectural considerations should an AWS Solutions Architect prioritize when designing a system requiring near-instantaneous DNS propagation for critical application updates?

Configuring a minimal TTL value on the affected DNS records, accepting the trade-off of increased query rates on authoritative name servers to ensure rapid propagation. (C)

What intricate trade-offs must an AWS Solutions Architect contemplate when configuring Time-To-Live (TTL) values within Route 53, especially concerning cache invalidation, authoritative server load, and the swiftness of real-time DNS modifications?

Balancing expeditious DNS transmission, authoritative server burden, alongside the potential destabilization from obsolete cache entries obliges administrators to empirically deduce precise TTL configurations predicated on application-specific performance profiles. (A)

An institution has a large number of users who require individual S3 buckets for isolated data storage. Given the limitations on the amount of S3 buckets per AWS account, what strategy should an architect employ to reconcile this limitation while adhering to security and compliance best practices?

Enforce S3 prefixes instead of individual buckets and implement fine-grained IAM policies for segregating user access (and optionally use S3 Access Points). (C)

Organization A has two VPCs in the same region that should not be able to communicate with each other unless specific configurations are made. By default, any attempt to directly peer these two VPCs together fails. Which configuration must be put into place to enable traffic to flow between resources in these formerly isolated VPCs?

Create a Transit Gateway, associate both VPCs to the Transit Gateway, and configure the Transit Gateway route table to route traffic between the VPCs' CIDR blocks. (C)

Which of the following is not only an AWS service, but used extensively to define AWS-hosted infrastructure in a reliable and repeatable declarative approach?

CloudFormation. (B)

AWS has designed the global infrastructure in a manner to improve resilience and reduce network hops to end-users. When considering the interplay between AWS Regions, Availability Zones and Edge Locations, which statement best depicts their respective purpose?

Regions provide fault isolation and governance boundaries, AZs provide fault tolerance within the region, and Edge Locations cache content for faster access. (B)

Architectural designs may require a private service such as EC2 having Internet access without being directly exposed. How can an AWS architect satisfy this requirement?

A NAT Gateway allows resources in a private subnet to access the Internet, while preventing the Internet from initiating a connection with those resources. (B)

Given AWS virtual networks are private and isolated from the public Internet by default, which approach can be taken to establish connectivity outside the VPC?

Associate an Internet Gateway (IGW) to the VPC and configure route tables to direct subnet traffic to the IGW, and allow traffic. (B)

AWS allows you to choose the region where much of your infrastructure is stored. What are some of the reasons an architect might choose one AWS Region over another? (Select all that apply.)

Ability to place compute closer to end-users. (B), To stay within certain laws and regulations. (D), To be geographically isolated from other Regions. (E), To take advantage of certain governance systems. (G)

Amazon's S3 is a popular object storage solution in AWS. Which of the following statements is correct about what can be done with an S3 Object programmatically?

Objects can be used an input or output for many other AWS services. (C)

Objects stored in S3 have certain metadata associated with them. Which statements are correct about S3 object's metadata?

Metadata is stored in-line with the Object's data and is retrieved as part of the object. (A)

Amazon S3 is a flat-file filesystem and doesn't offer hierarchical capabilities. However, the AWS console represents subdirectories and a file system-like view. How does S3 simulate directory structure of multiple S3 objects?

It takes the common portion of object keys delimited by / to infer directory structure in the UI. (A)

S3 is designed as an object storage solution to store data files of all kinds. Which of the following anti-patterns should be avoided when designing an S3 solution?

Performing frequent, byte-range in-place modifications to object contents. (C)

There are certain constructs all AWS CloudFormation templates share. Which one of the following is mandatory for all AWS CloudFormation implementations?

Resources. (D)

AWS cloud architect is tasked with dynamically provisioning resources based on environment (test, staging, prod). What part of the CloudFormation templates should they take advantage of?

Conditions. (C)

An AWS Cloudwatch Implementation can report metrics, log data, and AWS event state. Regarding metrics, what are key differentiators from just emitting log data?

Metrics data can use an Alarm state. (D)

What is the key difference between the 'Stopped' and 'Terminated' states for an EC2 instance concerning billing and data persistence?

A stopped instance retains its EBS volumes and incurs EBS storage costs, while a terminated instance releases its EBS volumes (unless configured otherwise) and incurs no further costs. (B)

An organization requires complete control over the data within an Amazon Machine Image (AMI) and wants to share the AMI with specific AWS accounts. What steps should be taken?

Create a private AMI, encrypt the AMI using a customer-managed key in KMS, and then explicitly grant permissions to the other AWS accounts using the KMS key policy and AMI permissions. (D)

An organization with multiple AWS accounts wants to enforce a globally consistent security posture across its accounts, while allowing individual accounts to have sufficient flexibility.

Use Service Control Policies (SCPs) to set high-level guardrails and IAM policies for more granular permissions, providing a layered security approach. (A)

AWS offers multiple mechanisms for connecting to EC2 instances. What is the key difference of connecting to a EC2 Windows image compared to a Linux instance?

Windows uses RDP and Linux uses SSH. A private key is mandatory for Linux, while a keypair can be utilized for Windows to retrieve the local administrator password. (D)

What is a key architectural implication of the requirement that S3 Bucket names must be universally unique across all AWS accounts?

It allows DNS to uniquely resolve all S3 buckets regardless of region. (B)

The AWS IAM system is composed of many parts, including Roles, User, Groups, Policies, etc. How should you approach defining the permissions necessary for EC2 instances running critical system services?

Create an IAM role with the required permissions and associate it with the EC2 instance. (C)

When considering the best approach for a large scale data storage distribution solution, what AWS service is best considered primarily for storage of complete media assets or large object artifacts rather than bit-accurate updates to in-place data?

Amazon S3. (C)

You are tasked to help automate and modernize the infrastructure deployment pipeline. One task is to take existing in-house scripts to handle complex aspects of a large system. Given the parameters for most AWS templates, which technique helps bring your in-house complex code into CloudFormation?

AWS Lambda-backed Custom Resources. (C)

A mission critical AWS Cloudwatch Alarm has ceased functioning and reports an 'Insufficient Data' state, even though metrics are still being collected. What are possible root-causes?

There has been a recent change of roles or permissions or a lack of data points reported to CloudWatch in the evaluation period. (A)

An AWS architect seeks to create a 'Globally Resilient' service offering to stay resilient to any type of disruption. According to the documentation, which two AWS services best fit this requirement?

IAM and Route 53. (D)

You wish to design architecture for highly available system. If a failure were to occur in just one availability zone, it will impact only 1 of 6 virtual servers. The application should not be down entirely. A key construct to design in place is:

Distribution of computer systems across Availability Zones (AZ). (B)

In a scenario where an application's performance is intermittently degraded due to network latency when accessing a public AWS service, what advanced network diagnostic measure could a solutions architect employ to discern whether the bottleneck resides within the AWS infrastructure or the transit network, assuming standard ping and traceroute utilities yield no conclusive results?

Deploy an active network monitoring solution, such as ThousandEyes, with agents strategically placed across both the VPC and the public internet, to correlate latency spikes with network path characteristics. (A)

An organization requires a comprehensive security assessment of its AWS environment, specifically focusing on identifying misconfigurations that could expose sensitive data to unauthorized access. Beyond standard AWS Trusted Advisor checks and IAM policy reviews, what advanced analytical technique could a solutions architect employ to proactively detect and remediate such vulnerabilities?

Deploy a specialized third-party Cloud Security Posture Management (CSPM) solution that leverages machine learning to identify anomalous access patterns and enforce least privilege principles. (C)

An organization is leveraging AWS Organizations with multiple accounts and desires to centralize control over network traffic inspection and filtering across all VPCs. What advanced architectural pattern could a solutions architect implement to achieve this objective while minimizing operational overhead and ensuring consistent security enforcement?

Implement AWS Firewall Manager with centrally managed AWS Network Firewalls, associating policies across all accounts within the organization. (D)

An organization seeks to optimize data retrieval performance from Amazon S3 for a globally distributed application. Given the inherent limitations of S3's eventual consistency model, what advanced global data replication and caching strategy could a solutions architect implement to minimize latency and ensure data consistency across all regions?

Implement S3 Multi-Region Access Points with a custom routing policy based on latency metrics collected by Amazon CloudWatch RUM, directing traffic to the optimal S3 replica. (D)

An organization is developing a highly stateful, globally distributed application with stringent requirements for data durability and consistency. Given the limitations of traditional relational databases in such scenarios, what advanced database architecture and AWS service could a solutions architect employ to ensure data integrity and recoverability in the event of regional failures?

Utilize Amazon DynamoDB Global Tables with multi-active replication, ensuring low-latency access to data across multiple regions and automatic conflict resolution. (D)

A financial services company must comply with stringent regulations that mandate complete isolation of its development, staging, and production environments within AWS. Which of the following approaches most effectively achieves this isolation, considering both network and IAM controls?

Use separate AWS accounts for each environment and implement AWS Organizations Service Control Policies (SCPs) to enforce baseline security controls across all accounts, in addition to IAM policies within each account. (C)

A data analytics firm processes highly sensitive customer data within its AWS environment and needs to ensure that all traffic between its VPC and S3 remains within the AWS network, avoiding the public internet. Which combination of solutions offers the most comprehensive approach to achieving this?

Configure a VPC Endpoint for S3, and apply a VPC Endpoint Policy that restricts access to only the required S3 buckets, combined with disabling the VPC's Internet Gateway. (D)

A global media company is establishing a highly available DNS infrastructure using Route 53. Considering that Route 53 is a global service, how would an architect design the DNS records to optimize performance for users in different geographical regions?

Utilize Route 53's 'latency-based' routing to direct users to the web servers with the lowest latency, as measured from their location. (A)

An organization is migrating its on-premises infrastructure to AWS and plans to use CloudFormation for infrastructure as code. How should the architect design the CloudFormation templates to dynamically provision different instance types and sizes based on the target environment (development, staging, or production)?

Use a single CloudFormation template with conditions and mappings, dynamically selecting the appropriate instance type and size based on the environment specified as a parameter. (A)

An application requires specific, granular metrics from an EC2 instance beyond what CloudWatch gathers by default, particularly metrics relating to custom application performance. Which of these approaches offers the most flexible and powerful solution for gathering these metrics?

Deploy Prometheus on the EC2 instance and use the CloudWatch Prometheus exporter to scrape metrics, pushing them to CloudWatch. (D)

An organization utilizes multiple AWS accounts and seeks to implement a baseline level of security across all accounts, restricting certain actions while still allowing individual teams some flexibility. Which AWS service or feature provides the most effective means of centrally governing permissions in this manner?

AWS Organizations Service Control Policies (SCPs). (D)

How does AWS Global Accelerator enhance the performance and resilience of applications hosted across multiple AWS Regions, especially in the face of unpredictable internet routing conditions?

By providing static IP addresses that serve as entry points to your application and intelligently routing traffic across the AWS global network to healthy endpoints in the optimal Region. (A)

Within AWS CloudFormation, what advanced template design patterns facilitate modularity, reusability, and simplified management of complex infrastructure deployments, promoting a 'separation of concerns' philosophy?

Employing nested stacks and custom resource providers to decompose complex deployments into smaller, manageable units with well-defined interfaces. (A)

With regard to EC2 billing, what are the nuanced cost implications associated with the 'Stopped' versus 'Terminated' states, especially in the context of data persistence and Elastic IP addresses?

'Stopped' instances retain charges for EBS volumes and Elastic IPs, whereas 'Terminated' instances release both, resulting in no further charges. (D)

What intricate mechanisms govern the sharing of Amazon Machine Images (AMIs) with other AWS accounts, meticulously controlling access while adhering to rigorous data security and compliance mandates?

AMI sharing involves explicitly granting permissions to specific AWS accounts or making them public, while considering encryption status, KMS key permissions, and regional availability. (B)

How can a solutions architect enforce consistent security standards across multiple AWS accounts within an organization, enabling centralized governance yet granting account-level teams reasonable flexibility?

Use AWS Organizations and Service Control Policies (SCPs) to define mandatory guardrails while allowing teams flexibility within those constraints through IAM policies. (D)

Considering the architectural implications of S3 bucket name uniqueness, what are the key consequences for organizations designing global deployments, particularly those leveraging infrastructure-as-code?

The global uniqueness constraint complicates automation and requires careful planning to prevent naming collisions, including strategies like prefixing with account-specific identifiers. (A)

When constructing a comprehensive Identity and Access Management (IAM) strategy for EC2 instances, how should permissions be defined for critical system services, ensuring least privilege while accommodating scalability and manageability concerns?

Utilize IAM instance profiles (roles), delegating permissions to the instance and leveraging specific roles based on the application to adhere to least privilege principles. (C)

What are the key architectural trade-offs to consider when selecting between Availability Zones (AZs) in a single region versus deploying across multiple AWS Regions, especially regarding latency, cost, data consistency, and operational complexity?

Multi-region deployments provide increased fault tolerance and reduced latency for global users, but introduce complexity in data consistency and management, often requiring sophisticated replication and conflict resolution strategies. (C)

When designing a system requiring near-instantaneous DNS propagation for critical application updates, what specific architectural considerations should an AWS Solutions Architect prioritize regarding Route 53's caching behavior and potential workarounds?

Implement a multi-layered caching strategy with a combination of low TTL values, proactive cache invalidation via Lambda@Edge, and DNS prefetching techniques. (B)

Flashcards

What is an AWS public service?

Accessible via public endpoints and Internet connection.

What is an AWS Private service?

Runs within a VPC, accessible only within that VPC or connected networks.

What is an AWS Region?

A full deployment of AWS infrastructure within a selected geographic area.

What are AWS Edge locations?

Smaller than regions; Primarily for content distribution.

What are availability zones (AZs)?

Isolated infrastructures inside a region that provide resilience

What does geographically isolated mean?

Means an issue in one region won't affect others.

Globally Resilient Services

Operates globally with data replicated across regions.

Region Resilient Services

Services that operate in a single AWS region.

AZ Resilient Services

AWS service runs from a single availability zone.

What are VPCs?

Virtual private clouds used to create private networks in AWS. Isolated unless configured

What is a VPC?

Is an AWS account inside a specific region.

Default VPC

A common VPC, pre-configure, with AWS handling all configuration.

How default VPCs are there?

Maximum one per region.

What is VPC CIDR?

Range of IP addresses assigned to VPC.

Inside the VPC what are subnetres?

Each subnet inside VPC, placed in one availability zone.

Subnets in default VPC

By default assigned a public IPv4 address.

What is EC2?

Provides virtual machines, with different instance sizes and capabilities.

What is EC2 service?

By default is private and requires public access to be configured.

AZ fails what happens to a EC2 instant?

It will likely fail.

When are you charged for data?

While the instance is operational.

Important states to remember?

Running, stopped and terminated

If its terminated what happens to an EC2 instance?

It's a non reversible action

What is AMI?

An image of a EC2 instance.

What is S3?

Storage platform that's global, can cope data

What happens to data?

S3 data has a primary home region.

What is a bucket identified for?

A bucket that is identified by it's name.

What is Amazon S3 bucket?

An object store that is not a file or a block and it can not be mounted.

Cloud Formation

lets you create update and delete infrastructure in AWS in a consistent and repeatable way using templates

How it is the template to create?

Can use a template to create AWS infrastructure using CloudFormation.

If have both a description

There needs to immediately follow template format version.

What does cloud watch do?

Is collect and manages operational data

What metrics are?

Data relating

AWS is?

Used for metric gathering inside AWS

What AWS responsibility?

The security OF the cloud

Way of making sure?

What elements you MANAGE and which AWS manage

What is high availability?

An agreed level of operational performance usually uptime higher period

Tolerance?

Means to operate with faults without impacting customers

Disaster recovery?

Minimize any outrages, operate with faults doesn't work

What is route 53?

AWS managed DNS product.

When domain register through:

AWS creates zone file for domain registered and allocates nam servers

Just a system of?

DNS is just A systems of delegation

What record delegate?

Records which allow delgation to occur

Next up what?

If its capable or record?

Canonical name?

Equivalent of DNS shortcuts, create equivalent of

DNS record type?

Are used connect with

DNS.com

A numerical value in seconds

Study Notes

AWS Public vs Private Services

• AWS services are divided into public and private categories
• Understanding the differences from a networking and security perspective is foundational for grasping complex AWS architectures
• AWS terminology refers to networking only and not accessibility when using the terms AWS private service and AWS public service
• Public services are accessed via public endpoints, like S3, and can be accessed from anywhere with an internet connection
• Private AWS services run within a VPC, accessible only by resources within or connected to that VPC
• Even though S3 is a public service, permissions are required to access the resource beyond the account root user
• Permissions and networking are distinct when considering service access; these notes focus on networking aspects

Public Cloud Environment Network Zones

• The Internet zone is where internet-based services like online stores and Gmail operate
• Private networks, such as a home network, only allow access to directly connected devices or those with the Wi-Fi password
• Virtual Private Clouds (VPCs) are private zones within AWS that are isolated and do not communicate with each other unless configured to do so
• Services like EC2 instances are placed in private zones and can only access the Internet, or be accessed from the Internet, if configured
• A third zone, the AWS public zone exists between the public Internet and the AWS private zone networks
• When accessing AWS public services with a public Internet connection, communication traverses the public Internet to and from the AWS public zone

Accessing AWS and Private Networks

• AWS public services from the public Internet are accessed via transit through the AWS public zone
• Virtual or physical connections can be configured between on-premises networks and AWS VPCs for private network connectivity
• Private networks can be connected together if configured
• An Internet Gateway can be attached to a VPC, allowing private zone resources to access the public Internet with a public IP address
• Data accessing public AWS services, like S3, through an Internet Gateway does not traverse the public Internet, instead it uses the AWS public zone
• Private resources, such as EC2 instances, can be given a public IP address, projecting them into the public zone
• The three network zones (public Internet, AWS public zone, and AWS private zone) are critical for advanced AWS networking

AWS Global Infrastructure

• Although AWS operates as a global cloud platfor, it consists of smaller infrastructure groupings connected by a high-speed network
• Designing systems to take advantage of this infrastructure yields solutions that are resilient to failure and highly available
• Infrastructure: AWS region, AWS edge location, and AWS availability zone.
• Services: Globally resilient service, regionally resilient service, and a zone resilient service.
• AWS have created a global infrastructure platform that is a collection of individual infrastructures located worldwide
• Deployment include AWS Regions and AWS Edge Locations
• AWS services interact within a specified region

AWS Regions

• An AWS Region is an AWS-defined area of the world containing a full deployment of AWS infrastructure
• An AWS region includes compute, storage, database, AI analytics, etc
• AWS Regions include Northern Virginia, Ohio, California, Oregon, Frankfurt, Ireland, London, Paris, Sao Paulo, etc
• Some countries have one region, other larger nations have multiple, based on customer requirements and size
• Regions are geographically separate from each other and can withstand global-level disasters
• Amazon's Elastic Compute Cloud (EC2) in Northern Virginia operates separately from Elastic Compute Cloud in Sydney

AWS Edge Locations

• AWS often cannot have a region in a city to serve its customers, so they utilize edge locations
• Edge locations are smaller, used for content distribution and edge computing, and are located in more places than regions
• Edge locations are useful for companies needing to store content (TV, movies) closer to customers for low latency and high-speed distribution
• The further data travels from the customer, the slower the transfer and the higher the latency
• Regions and edge locations are commonly used by solutions architects in the same system
• Edge locations store content closer to the customer with faster and lower latency delivery

Viewing the AWS Global Network

• The global AWS network can be visualized on the AWS website
• This map shows that there are far fewer regions than edge locations, and all regions are connected with high-speed networking links
• High speed, private AWS networking, enables efficient system deployments
• The AWS console presents regions
• For services that are not global, selecting a region from the console dropdown is required, such as EC2
• Choosing the region is not required for global services like IAM or Route 53
• Some services, though fewer, act from a global perspective

Benefits of AWS Regions

• Regions are important beyond the resiliency that they provide, and here at the main benefits.
• Regions are geographically separated, so a problem in one region will not affect other regions
• AWS provides the ability to place the infrastructure into one region and that it will not be impacted by faults in another
• Regions are 100% isolated to achieve fault tolerance
• Regions enable governance separation
• Selecting a region means that you will be affected by the laws and regulations of the region for wherever your infrastructure is stored in
• Regions allow location control
• Infrastructure can be placed as close to customers as possible and even duplicated into another region if the demand is there
• AWS commits that data in one region won't leave unless configured

AWS Availability Zones (AZs)

• Availability zones can be located within a region
• Referencing a region can involves its code and Name (ap-southeast-2 and Asia Pacific (sydney)
• Comfort required wit CLI, API, console as names depend on these interfaces
• Regions provide resilience
• The Sydney region could fail and it would not impact the North Virginia region

Components of an Availability Zone (AZ)

• AWS provides multiple availability zones inside a region
• Sydney has the availability zones ap-southeast-2a, 2b and 2c
• AZ's enable isolated infrastructure, compute, storage, networking, power and facilities
• Issues isolated to a region, such as a power outage, impact only one of the region's AZ's
• Solutions can be designed components that are distributed across multiple availability zones,
• For example a system using six virtual servers in Sydney, can be configure for two servers in each AZ.
• Failure of one AZ can leave four out of six servers operational
• An availability zone could be one data centre, but may consist of multiple data centres.
• AWS do not reveal the composition of AZ's
• AZ's are connected with high-speed redundant networking

Virtual Private Cloud (VPC)

• Services are placed across multiple availability zones to impart resilience
• An example of such service is a virtual private cloud or VPC, which provides a way to create a private network across multiple availability zones

Defining the Resilience of an AWS service

• An AWS service has it;s resilience described as high level, in one of threee ways.
  • Globally resilient services
  • Regionally resilient services
  • AZ resilient services

Globally Resilient Services

• A few are global services with a single database, with data replicated across multiple AWS regions
• Service runs, even when region fail
• There is no service region selecting
• These included IAM and Route 53
• They can tolerate the failure of multiple regions without impacting service

Region Resilient Services

• Services operate in one single region, and replicate over AZs located within this region.
• RDS is regiona, so a database created in Sydney wil;l only exist in Sydney
• Region resilient services operate as separate services in each region
• Data replicates to multiple AZs
• Service continues operating with the failure of a Zone
• Service will fail if the whole failure fails

AZ Resilient Services

• AWS services that are run from a single AZ
• Service will fail if the AZ that service was provisioned to fails
• Even will a resiliant AZ, hardware may fail
• All services are prone to failure if issues inside of the zone

EC2 Overview

• EC2 allows provisioning of virtual machines known as instances
• It is the customers responsibility to configure public access
• Customers of IaaS manage the operating system upwards on the infrastructure stack
• Resources are handled by AWS such as: virtualization, physical hardware, networking, storage and facilities

EC2 Billing

• EC2s offer on an demand billing, either by the second or by the hour depending on the launched software.
• Users are required to only pay during the consumption period when used while the instance is operational
• Instances usage can use different tpes of storage, typically local host and elastic block store EBS.

EC2 Instance attribute condition (State)

• An EC2 instance has an attribute that includes it:s condition within a state
• States that EC2 instances require an understanding are Running, Stopped and Terminated
• Additional states are either stopping, shutting down, or pending.

State transitions

Terminate state

• Instance terminates then this deletes and removes: the resource usage, CPU memory and networking.
• The user is required to pay attention and take special care for this process because it isn't reversible

Instance Composition

• At high level, components of an instance are CPU, memory, disk and networking.
  • The CPU determines how much processing is achieved.
  • The memory is a super fast area to store data that's frequently work on.
  • The disk is provided by EBS and is medium-term data for where date is usually stored.
  • The networking ensures how the instance communicates with AWS & beyond.
• Charges will continuously exist for the 4 aspects listed above
• Stopped equals no CPU and Memory are be used due to the resource.
• Network generates zero data
• Storage that is allocated to the instance for OS, Applications and EBS have storage created due to the generate charges.
• To prevent EC2 costs, truly to remove an instance via termination is to first remove the EC2 instance and when this occurs, it stops resource usage.
• The process involves deleting all disks and requiring care and attention because the action isn't reversible as the the user is required to pay special.

Amazon Machine Image AMI

• Used for creating EC2 instance and in its creation, has supply from AWS.
• Permissions: It must contain which accounts are alllowed to the AMI.
• This may be public access (all AWS and public access) or a private with your AWS
• Owner: In this scenario the user has ownership of AWS and has full contril and access -Explicit: this enables permission access to more specific AWS accounts.
• AMIs that are more private enable only the owner to create or it can be set to other AWS are allowed or publicly to all AWS
• Boot volume is set on what boots the OS with additional volumes depending on a root volume for Linux and the C for Windows volume.
• Block Device Mapping
• How is data presented to the OS when linking volumes to how they are presented to the operating system.
• In other words, AMI handles an image: OS, volumes, IDs (of the volumes)
• The next step is connecting to EC2 as instances can be connected
• Operating system types influence the ability to running in a Linux or Windows version.
  • Port 3389: Remote Protocol desktop.
  • Port 22: SecureShellProtocol. Authentication requires an key as public or private depending whether an user is creating a new image or and exisiting
• The creation and storage of the safety requires a user for secure key pair storage
• The private part requires use and the public ensures to be accessible based on the authenticator access

AWS Default Virtual Private Cloud (VPC)

• VPC - Enables private networks that private and public services can run
• Vpcs can be used to connect on premises networks
• Networking and VPC will be examined in exams
• VPCs - regional service that operates for multiple AZ
• Resilency provided
• VPC and isolated services that communicate to is are part for the public zone and internet
  • A type of available VPC will default for the one per region and its custom VPCs.

AWS VPC facts

• Region can have multiple custom VPCs and if they are setup, VPC can communicate privately
• A customized VPN is private
• By default VPCs can reach outside specific to each VPN CIDR and IPv4 addresses are assigned Subnets need to communicate the VPN CIDR Private access and Public share VPCs can have multiple CIDR's ranges

EC2

• Provides Virtual Machines Instances.
  • Its default - private use to VPD Networking,
  • AZ Resilient - Its AZ fails. Instance Failure,
  • Dimensions - Sizes and Capabilities.
  • On-Demand- Sec/Per - Local Storage Or EBS
  • IaaS to manage upwards - (OS, Apps; AWS Handles - virtualization and data
• Virtual is private for launch to VPC subnet for instances

Simple Storage Service S3

• AWS global storage platform that is accessed via internet Connection - public,
• regional/regional
• Stores economical to access to multi user, unlimited data with UI/CLI:API
  • Is a store for movies, photos and big datasetd within buvkets Bucket access requires: - root access
• value (Value): data component
• Object Key- similar to a file; identifies objects
• S3 default : no access
• Terabytes or billions for stores for web logs it scales from nothing to unlimited
• Good value but more the variety of usage with APIs
• Objects and Buckets*
• S3 is mainly Object type of storage. A file needs to be broken up to be used S3
• BUCKETS are the containers: image/song can be big depending
  • Buckets region specific
• Bucket Qualities*
• Bucket names are global: must be worldwide unique S3: storage must be across accounts 3- 63 characters (lowercases, no underscores) Starts letter/numbers Can’t be IP : no 1.1.1.1
• Unlimited Objects* Number depends storage. S3: flat can’t sub categorized

S3

• Stores file system
• Store on-the-go: expensive instances are shrunk. If blogs have a song its moved to the bucket
• To use the Default the file is to take Data use S3
• In AWS S3 is your default choice.

Cloud formation

• automates framework in AWS
• Automates updates and framework through templates
• Written -YAML
• JSON achieve same template
• resource component tell framework what it does with it. Resources update then get removed -template: main framework. Wouldnt do a thing, simple example will add resources.
• descriptions: Allows the author to describe

AWS exam will trip trick questions

Cloudformation template

• A Template is an AWS extensions with extends way on framework on time
• AWS restrictions*
• You NEED aws template and descriptions need follow direct with code.
• If description and versions, it must be direct under
• You choose the parameters of framework and what the user need know/add:
• Size, instance and number to use Parameters can have valid values and be changed.

Mappings With The AWS Framework

• Mapping: another part you can't use much and wont get into with Framework
• Create look up tables and in its form AWS regions: Instance type and AMI will do base regions to the framework This will pick from AMI and what you will. Expect experience from this for this
• CONDITIONS!* Conditions allow decision making in frameworks You can only find where the conditions meets or not with the Framework

When you complete one that's not used its no created Can't edit equal to prod and not prod that will create resources production

Resources for cloud framework

Framework can indicate where the servers go at the end point. framework on certain items! Stack is an ACTIVE display representation

• Stack and resources* Framework can start AWS. This section requires: what stack is logical because no hardware. In any account that you take, can find whats created. In this sense, you scan framework and stack to get the right hardware. In turn delete to match It will find what actions were done. It can look hardware and find to create new ones. Also updates to complete or delete this from the code base and it will.

Framework is code then quick to act.

CloudWatch Basics

• CloudWatch gathers and manage operational type of data
  • This is usually based on how data/logging/nominal system runs and works to be generated this data. These can be OS logs, Web logs, anti-virus logs all that data
• Monitor metrics with actions on Metrics The above is to allow metric, action, and monitoring. (Metrics types: application and system, and AWS product.)
• Public Services are able to manage and add* To all for data: You are able to access
• CloudWatch AGENT - Helps gathers metrics to non AWS outside of it like: (on/off premise with extra logging) With the cloudwatch data you get a - CLI/API to access data! The last third
• Cloudwatch is log*
  • To have a collection what was done on data and logging. Might range for what is exposed to the native with agent What type of event?
  • EC1 stops (or AWS) which helps event - actions
  • Schedule: actions/ generate every week Its easy to get different functionality but helps track how its provide, Cloud,Log!

Cloudwatch basics:

• Sources of data This maybe: systems AWS and with systems app
• All helps store data what does, can be use metric!
• Disk and memory are accessed and CLI what also send with all this: EC2's

CloudWatch

• This needs to know how to split

NameSpace

• Like a framework that manages data, and sections things with this and stay in name framework! Can only read what the framework that's set. Framework / AWS section is the most access.
• What framework the AWS set (or the instagram app) .Catgram is the access app example. Contains Metrics: So to how look over metrics What it can do if set: Metrics