AWS2
The document provides an overview of key cloud computing concepts on AWS including: 1. Security design principles like implementing strong identity foundations and applying security at all layers. 2. Reliability design principles like automatically recovering from failures and managing change through automation. 3. Types of cloud computing services like Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). 4. Tools for managing AWS resources like the AWS CLI, AWS Marketplace, AWS Personal Health Dashboard, and AWS Support plans.

1. CLOUD CONCEPTS
THE BENEFITS OF THE AWS - Security:
Includes the ability to protect information, systems, and assets while delivering business
value through risk assessments and mitigation strategies
Design Principles
* Implement a strong identity foundation - Centralize privilege management and reduce (or
even eliminate) reliance on long-term credentials - Principle of least privilege - IAM
* Enable traceability - Integrate logs and metrics with systems to automatically respond and
take action
* Apply security at all layers - Like edge network, VPC, subnet, load balancer, every instance,
operating system, and application
* Automate security best practices
* Protect data in transit and at rest - Encryption, tokenization, and access control
* Keep people away from data - Reduce or eliminate the need for direct access or manual
processing of data
* Prepare for security events - Run incident response simulations and use tools with
automation to increase your speed for detection, investigation, and recovery
* Shared Responsibility Model

THE BENEFITS OF THE AWS - Reliability:


Ability of a system to recover from infrastructure or service disruptions, dynamically acquire
computing resources to meet demand, and mitigate disruptions such as misconfigurations or
transient network issues
Design Principles:
* Test recovery procedures - Use automation to simulate different failures or to recreate
scenarios that led to failures before
* Automatically recover from failure - Anticipate and remediate failures before they occur
* Scale horizontally to increase aggregate system availability - Distribute requests across
multiple, smaller resources to ensure that they don't share a common point of failure
* Stop guessing capacity - Maintain the optimal level to satisfy demand without over or under
provisioning - Use Auto Scaling
* Manage change in automation - Use automation to make changes to infrastructure

THE BENEFITS OF THE AWS - High Availability:


* High Availability usually goes hand in hand with horizontal scaling
* High availability means running your application / system in at least 2 Availability Zones
* The goal of high availability is to survive a data center loss (disaster)

THE BENEFITS OF THE AWS – Elasticity:


Ability to scale out and scale in when needed. Once a system is scalable, elasticity means
that there will be some “auto-scaling” so that the system can scale based on the load. This is
“cloud-friendly”: pay-per-use, match demand, optimize costs.

THE BENEFITS OF THE AWS – Agility:


Rapidly develop, test and launch software applications (not related to scalability - distractor).
New IT resources are only a click away, which means that you reduce the time to make
those resources available to your developers from weeks to just minutes.

THE BENEFITS OF THE AWS – Scaling:


 Scalability means that an application / system can handle greater loads by adapting.
 There are two kinds of scalability:
• Vertical Scalability
• Horizontal Scalability (= elasticity)
 Scalability is linked but different to High Availability
Global AWS Infrastructure
Regions: For deploying applications and infrastructure
Availability Zones: Made of multiple data centers
Edge Locations (Points of Presence): for content delivery as close as possible to users

Six Advantages of Cloud Computing


• Trade capital expense (CAPEX) for operational expense (OPEX)
• Pay On-Demand: don’t own hardware
• Reduced Total Cost of Ownership (TCO) & Operational Expense (OPEX)
• Benefit from massive economies of scale
• Prices are reduced as AWS is more efficient due to large scale
• Stop guessing capacity
• Scale based on actual measured usage
• Increase speed and agility
• Stop spending money running and maintaining data centers

AWS CLI
• A tool that enables you to interact with AWS services using commands in your command-
line shell
• Direct access to the public APIs of AWS services
• You can develop scripts to manage your resources
• It’s open-source
• Alternative to using AWS Management Console

Types of Cloud Computing


Infrastructure as a Service (IaaS)
• Provide building blocks for cloud IT
• Provides networking, computers, data storage space
• Highest level of flexibility
• Easy parallel with traditional on-premises IT
Platform as a Service (PaaS)
• Removes the need for your organization to manage the underlying infrastructure
• Focus on the deployment and management of your applications
Software as a Service (SaaS)
• Completed product that is run and managed by the service provider

Example of Cloud Computing Types


Infrastructure as a Service:
• Amazon EC2 (on AWS)
• GCP, Azure, Rackspace, Digital Ocean, Linode
Platform as a Service:
• Elastic Beanstalk (on AWS)
• Heroku, Google App Engine (GCP), Windows Azure (Microsoft)
Software as a Service:
• Many AWS services (ex: Rekognition for Machine Learning)
• Google Apps (Gmail), Dropbox, Zoom

AWS Marketplace
• Digital catalog with thousands of software listings from independent software vendors (3rd
party). Examples:
• Custom AMI (custom OS, firewalls, technical solutions...)
• CloudFormation templates
• Software as a Service
• Containers
• If you buy through the AWS Marketplace, it goes into your AWS bill
• You can sell your own solutions on the AWS Marketplace

AWS Status - Service Health Dashboard


• Shows all regions, all services health
• Shows historical information for each day
• Has an RSS feed you can subscribe to

AWS Personal Health Dashboard


• AWS Personal Health Dashboard provides alerts and remediation guidance when AWS is
experiencing events that may impact you.
• While the Service Health Dashboard displays the general status of AWS services, Personal
Health Dashboard gives you a personalized view into the performance and availability of the
AWS services underlying your AWS resources.
• The dashboard displays relevant and timely information to help you manage events in
progress and provides proactive notification to help you plan for scheduled activities.
• Global service: https://phd.aws.amazon.com/
• Shows how AWS outages directly impact you & your AWS resources
• Alert, remediation, proactive, scheduled activities

AWS Service Quotas


Your AWS account has default quotas, formerly referred to as limits, for each AWS service.
Unless otherwise noted, each quota is Region-specific. You can request increases for some
quotas, and other quotas cannot be increased.

Service Quotas is an AWS service that helps you manage your quotas for many AWS
services, from one location. Along with looking up the quota values, you can also request a
quota increase from the Service Quotas console.
AWS Support might approve, deny, or partially approve your requests.

AWS SDK
• AWS Software Development Kit (AWS SDK)
• Language-specific APIs (set of libraries)
• Enables you to access and manage AWS services programmatically
• Embedded within your application
• Supports
• SDKs (JavaScript, Python, PHP, .NET, Ruby, Java, Go, Node.js, C++)
• Mobile SDKs (Android, iOS, ...)
• IoT Device SDKs (Embedded C, Arduino, ...)
• Example: AWS CLI is built on AWS SDK for Python

AWS Support plans


AWS Support offers five support plans:
• Basic
• Developer
• Business
• Enterprise On-Ramp
• Enterprise
Basic Support offers support for account and billing questions and service quota increases.
The other plans offer a number of technical support cases with pay-by-the-month pricing and
no long-term contracts.
All AWS customers automatically have 24/7 access to these features of Basic Support:
• One-on-one responses to account and billing questions
• Support forums
• Service health checks
• Documentation, technical papers, and best practice guides
Customers with a Developer Support plan have access to these additional features:
• Best practice guidance
• Client-side diagnostic tools
• Building-block architecture support: guidance on how to use AWS products, features, and
services together
• Supports an unlimited number of support cases that can be opened by one primary
contact, which is the AWS account root user.
In addition, customers with a Business, Enterprise On-Ramp, or Enterprise Support plan
have access to these features:
• Use-case guidance – What AWS products, features, and services to use to best support
your specific needs.
• AWS Trusted Advisor – A feature of AWS Support, which inspects customer environments
and identifies opportunities to save money, close security gaps, and improve system
reliability and performance. You can access all Trusted Advisor checks.
• The AWS Support API to interact with Support Center and Trusted Advisor. You can use
the AWS Support API to automate support case management and Trusted Advisor
operations.
• Third-party software support – Help with Amazon Elastic Compute Cloud (Amazon EC2)
instance operating systems and configuration. Also, help with the performance of the most
popular third-party software components on AWS. Third-party software support isn't
available for customers on Basic or Developer Support plans.
• Supports an unlimited number of AWS Identity and Access Management (IAM) users who
can open technical support cases.
In addition, customers with an Enterprise On-Ramp or Enterprise Support plan have
access to these features:
• Application architecture guidance – Consultative guidance on how services fit together to
meet your specific use case, workload, or application.
• Infrastructure event management – Short-term engagement with AWS Support to get a
deep understanding of your use case. After analysis, provide architectural and scaling
guidance for an event.
• Technical account manager – Work with a technical account manager (TAM) for your
specific use cases and applications.
• White-glove case routing.
• Management business reviews.

AWS Compute Optimizer
AWS Compute Optimizer helps you identify the optimal AWS resource configurations, such as
Amazon EC2 instance types, Amazon EBS volume configurations, and AWS Lambda function
memory sizes, using machine learning to analyze historical utilization metrics. AWS Compute
Optimizer delivers recommendations for selected types of EC2 instances, EC2 Auto Scaling
groups, EBS volumes, and Lambda functions.
Compute Optimizer calculates an individual performance risk score for each resource
dimension of the recommended instance, including CPU, memory, EBS throughput, EBS
IOPS, disk throughput, network throughput, and network packets per second (PPS).
AWS Compute Optimizer provides EC2 instance type and size recommendations for EC2
Auto Scaling groups with a fixed group size, meaning desired, minimum, and maximum are
all set to the same value and have no scaling policy attached.
AWS Compute Optimizer supports IOPS and throughput recommendations for General
Purpose (SSD) (gp3) volumes and IOPS recommendations for Provisioned IOPS (io1 and
io2) volumes.
Compute Optimizer helps you optimize two categories of Lambda functions. The first
category includes Lambda functions that may be over-provisioned in memory sizes. The
second category includes compute-intensive Lambda functions that may benefit from
additional CPU power.

2. SECURITY AND COMPLIANCE


Shared Responsibility
CUSTOMER = RESPONSIBILITY FOR THE SECURITY IN THE CLOUD
AWS = RESPONSIBILITY FOR THE SECURITY OF THE CLOUD
Shared Responsibility Model for IAM
AWS
• Infrastructure (global network security)
• Configuration and vulnerability analysis
• Compliance validation
YOU
• Users, Groups, Roles, Policies management and monitoring
• Enable MFA on all accounts
• Rotate all your keys often
• Use IAM tools to apply appropriate permissions
• Analyze access patterns & review permissions
Shared Responsibility Model for EC2
AWS
• Infrastructure (global network security)
• Isolation on physical hosts
• Replacing faulty hardware
• Compliance validation
YOU
• Security Groups rules
• Operating-system patches and updates
• Software and utilities installed on the EC2 instance
• IAM Roles assigned to EC2 & IAM user access management
• Data security on your instance
Shared Responsibility Model for EC2 Storage
AWS
• Infrastructure
• Replication for data for EBS volumes & EFS drives
• Replacing faulty hardware
• Ensuring their employees cannot access your data
YOU
• Setting up backup / snapshot procedures
• Setting up data encryption
• Responsibility of any data on the drives
• Understanding the risk of using EC2 Instance Store

Shared Responsibility Model for S3


AWS
• Infrastructure (global security, durability, availability, sustain concurrent loss of data in two
facilities)
• Configuration and vulnerability analysis
• Compliance validation
YOU
• S3 Versioning
• S3 Bucket Policies
• S3 Replication Setup
• Logging and Monitoring
• S3 Storage Classes
• Data encryption at rest and in transit

AWS Shield
• AWS Shield Standard:
• Free service that is activated for every AWS customer
• Provides protection from attacks such as SYN/UDP Floods, Reflection attacks and
other layer 3/layer 4 attacks
• AWS Shield Advanced:
 Optional DDoS mitigation service ($3,000 per month per organization)
 Protect against more sophisticated attacks on Amazon EC2, Elastic Load Balancing
(ELB), Amazon CloudFront, AWS Global Accelerator, and Route 53
 24/7 access to the AWS DDoS Response Team (DRT)
 Protect against higher fees during usage spikes due to DDoS

AWS WAF – Web Application Firewall


• Protects your web applications from common web exploits (Layer 7)
• Layer 7 is HTTP (vs Layer 4 is TCP)
• Deploy on Application Load Balancer, API Gateway, CloudFront
• Define Web ACL (Web Access Control List):
• Rules can include IP addresses, HTTP headers, HTTP body, or URI strings
• Protects from common attacks - SQL injection and Cross-Site Scripting (XSS)
• Size constraints, geo-match (block countries)
• Rate-based rules (to count occurrences of events) – for DDoS protection

Penetration Testing on AWS Cloud


AWS customers are welcome to carry out security assessments or penetration tests against
their AWS infrastructure without prior approval for 8 services:
• Prohibited Activities
 DNS zone walking via Amazon Route 53 Hosted Zones
 Denial of Service (DoS), Distributed Denial of Service (DDoS), Simulated DoS,
Simulated DDoS
 Port flooding
 Protocol flooding
 Request flooding (login request flooding, API request flooding)

CloudWatch
Amazon CloudWatch is a monitoring and observability service. CloudWatch provides you
with data and actionable insights to monitor your applications, respond to system-wide
performance changes, and optimize resource utilization. CloudWatch collects monitoring and
operational data in the form of logs, metrics, and events. You get a unified view of
operational health and gain complete visibility of your AWS resources, applications, and
services running on AWS and on-premises.
CloudWatch Metrics
• CloudWatch provides metrics for every service in AWS
• Metric is a variable to monitor (CPUUtilization, NetworkIn...)
• Can create CloudWatch dashboards of metrics
Amazon CloudWatch Alarms
• Alarms are used to trigger notifications for any metric
• Alarms actions...
• Auto Scaling: increase or decrease EC2 instances “desired” count
• EC2 Actions: stop, terminate, reboot or recover an EC2 instance
• SNS notifications: send a notification into an SNS topic
• Various options (sampling, %, max, min, etc...)
• Can choose the period on which to evaluate an alarm
• Example: create a billing alarm on the CloudWatch Billing metric
Amazon CloudWatch Logs
• CloudWatch Logs can collect logs from:
• Elastic Beanstalk: collection of logs from application
• ECS: collection from containers
• AWS Lambda: collection from function logs
• CloudTrail based on filter
• CloudWatch log agents: on EC2 machines or on-premises servers
• Route53: Log DNS queries
• Enables real-time monitoring of logs
• Adjustable CloudWatch Logs retention
 By default, no logs from your EC2 instance will go to CloudWatch
 You need to run a CloudWatch agent on EC2 to push the log files you want
 Make sure IAM permissions are correct
 The CloudWatch log agent can be setup on-premises too

Amazon EventBridge
 EventBridge is the next evolution of CloudWatch Events
 Default event bus: generated by AWS services (CloudWatch Events)
 Partner event bus: receive events from SaaS service or applications (Zendesk,
DataDog, Segment, Auth0...)
 Custom Event buses: for your own applications
 Schema Registry: model event schema
 EventBridge has a different name to mark the new capabilities
 The CloudWatch Events name will be replaced with EventBridge

AWS Config
• Helps with auditing and recording compliance of your AWS resources
• Helps record configurations and changes over time
• Possibility of storing the configuration data into S3 (analyzed by Athena)
• Questions that can be solved by AWS Config:
• Is there unrestricted SSH access to my security groups?
• Do my buckets have any public access?
• How has my ALB configuration changed over time?
• You can receive alerts (SNS notifications) for any changes
• AWS Config is a per-region service
• Can be aggregated across regions and accounts
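The first AWS Config question above, “Is there unrestricted SSH access to my security groups?”, as a check you can run offline. This is an added example, not from the notes; `find_unrestricted_ssh`, its helpers and the sample groups are constructed here, with the input shaped like `aws ec2 describe-security-groups` output.

```python
"""Flag security groups whose inbound rules expose SSH (TCP/22) to the whole
internet. Added example; the group data below is constructed, not real."""

from ipaddress import ip_network

ANY_V4 = ip_network("0.0.0.0/0")
ANY_V6 = ip_network("::/0")


def rule_covers_port(perm, port):
    """True if an IpPermissions entry applies to TCP `port` (or to all traffic)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                      # "-1" means every protocol and port
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def rule_is_world_open(perm):
    """True if any CIDR in the entry is the entire IPv4 or IPv6 address space."""
    for r in perm.get("IpRanges", []):
        if ip_network(r["CidrIp"], strict=False) == ANY_V4:
            return True
    for r in perm.get("Ipv6Ranges", []):
        if ip_network(r["CidrIpv6"], strict=False) == ANY_V6:
            return True
    return False


def find_unrestricted_ssh(groups, port=22):
    """Return the GroupIds whose inbound rules expose `port` to the internet."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            if rule_covers_port(perm, port) and rule_is_world_open(perm):
                findings.append(sg["GroupId"])
                break                      # one hit per group is enough
    return findings


# Constructed sample (GroupIds are placeholders): one group open to the world
# on 22, one limited to a documentation range, one "-1" rule open over IPv6,
# which exposes 22 as well even though no port is named.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0ccc", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]

if __name__ == "__main__":
    print("Unrestricted SSH:", find_unrestricted_ssh(SAMPLE_GROUPS))
```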

AWS CloudTrail
• Provides governance, compliance and audit for your AWS Account
• CloudTrail is enabled by default!
• Get a history of events / API calls made within your AWS Account by:
• Console
• SDK
• CLI
• AWS Services
• Can put logs from CloudTrail into CloudWatch Logs or S3
• A trail can be applied to All Regions (default) or a single Region.
• If a resource is deleted in AWS, investigate CloudTrail first!
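The advice above to investigate CloudTrail first, as an added example that is not from the notes: scan a CloudTrail log file for destructive API calls and report who made them, from where, and whether through the console or an API client. `destructive_events`, `actor_of` and the three sample records are constructed here; the records follow the CloudTrail record layout (eventName, userIdentity, sourceIPAddress, ...) but are not real events, and the account id is a placeholder.

```python
"""Answer "who deleted this resource?" from CloudTrail records.
Added example; the log below is constructed sample data."""

import json

DESTRUCTIVE_PREFIXES = ("Delete", "Terminate", "Remove", "Disable", "Stop")


def is_destructive(event_name):
    return event_name.startswith(DESTRUCTIVE_PREFIXES)


def actor_of(record):
    """Readable principal: IAM user name, assumed-role session ARN, or root."""
    ident = record.get("userIdentity", {})
    kind = ident.get("type")
    if kind == "Root":
        return "root"
    if kind == "IAMUser":
        return ident.get("userName", ident.get("arn", "?"))
    return ident.get("arn", kind or "?")


def destructive_events(trail_json, resource=None):
    """Return sorted (time, eventName, actor, sourceIP, via) tuples for
    destructive API calls; with `resource`, only calls whose request
    parameters mention that id or name."""
    out = []
    for rec in json.loads(trail_json)["Records"]:
        if not is_destructive(rec["eventName"]):
            continue
        params = json.dumps(rec.get("requestParameters") or {})
        if resource and resource not in params:
            continue
        via = "console" if "console" in rec.get("userAgent", "").lower() else "api/cli/sdk"
        out.append((rec["eventTime"], rec["eventName"], actor_of(rec),
                    rec.get("sourceIPAddress", "?"), via))
    return sorted(out)


# Constructed sample log: a harmless launch, a console termination made
# through an assumed role, and a bucket deletion by the root user.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:00:00Z", "eventName": "RunInstances",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "198.51.100.7", "userAgent": "aws-cli/2.15.0",
     "requestParameters": {"instanceType": "t3.micro"}},
    {"eventTime": "2024-05-01T11:30:00Z", "eventName": "TerminateInstances",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/Admin/bob"},
     "sourceIPAddress": "203.0.113.9", "userAgent": "console.amazonaws.com",
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0abc123"}]}}},
    {"eventTime": "2024-05-01T11:45:00Z", "eventName": "DeleteBucket",
     "userIdentity": {"type": "Root"},
     "sourceIPAddress": "203.0.113.9", "userAgent": "aws-cli/2.15.0",
     "requestParameters": {"bucketName": "my-bucket"}},
]})

if __name__ == "__main__":
    for ev in destructive_events(SAMPLE_TRAIL):
        print(*ev)
```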

Access AWS
• To access AWS, you have three options:
• AWS Management Console (protected by password + MFA)
• AWS Command Line Interface (CLI): protected by access keys
• AWS Software Development Kit (SDK) - for code: protected by access keys
• Access Keys are generated through the AWS Console
• Users manage their own access keys
• Access Keys are secret, just like a password. Don’t share them
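The “rotate all your keys often” and “access keys are secret” points above, as an added key-hygiene audit that is not part of the notes. `audit_access_keys`, the 90-day window and the sample key list are assumptions constructed here; the list mirrors the AccessKeyMetadata shape returned by `aws iam list-access-keys`, and the key ids are placeholders.

```python
"""Flag IAM access keys that are overdue for rotation, left Inactive instead
of deleted, or doubled up on one user. Added example; sample data constructed."""

from collections import Counter
from datetime import datetime, timezone

MAX_AGE_DAYS = 90   # assumed rotation window; the notes only say "rotate often"


def key_age_days(key, now):
    """Age of a key in whole days; CreateDate is ISO 8601 with a trailing Z."""
    created = datetime.fromisoformat(key["CreateDate"].replace("Z", "+00:00"))
    return (now - created).days


def audit_access_keys(keys, now, max_age_days=MAX_AGE_DAYS):
    """Return (AccessKeyId, UserName, reason) findings for keys needing attention."""
    findings = []
    active_per_user = Counter(k["UserName"] for k in keys if k["Status"] == "Active")
    for k in keys:
        key_id, user = k["AccessKeyId"], k["UserName"]
        if k["Status"] != "Active":
            # An inactive key can be re-enabled; delete it once rotation is done.
            findings.append((key_id, user, "inactive key should be deleted, not kept"))
            continue
        age = key_age_days(k, now)
        if age > max_age_days:
            findings.append((key_id, user, f"active key is {age} days old (> {max_age_days})"))
        if active_per_user[user] > 1:
            # Two active keys is normal mid-rotation, but not as a steady state.
            findings.append((key_id, user, "user has more than one active key"))
    return findings


# Fixed "now" so the ages below are deterministic.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed sample in the AccessKeyMetadata shape; key ids are placeholders.
SAMPLE_KEYS = [
    {"UserName": "alice", "AccessKeyId": "AKIA0000000000000001", "Status": "Active",
     "CreateDate": "2024-05-15T08:00:00Z"},
    {"UserName": "bob", "AccessKeyId": "AKIA0000000000000002", "Status": "Active",
     "CreateDate": "2024-01-01T08:00:00Z"},
    {"UserName": "bob", "AccessKeyId": "AKIA0000000000000003", "Status": "Active",
     "CreateDate": "2024-05-28T08:00:00Z"},
    {"UserName": "carol", "AccessKeyId": "AKIA0000000000000004", "Status": "Inactive",
     "CreateDate": "2024-05-20T08:00:00Z"},
]

if __name__ == "__main__":
    for finding in audit_access_keys(SAMPLE_KEYS, NOW):
        print(*finding)
```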

Multi Factor Authentication - MFA


• Users have access to your account and can possibly change configurations or delete
resources in your AWS account
• You want to protect your Root Accounts and IAM users
• MFA = password you know + security device you own

IAM Identity and Access Management
• IAM = Identity and Access Management, Global service
• Root account created by default, shouldn’t be used or shared
• Users are people within your organization, and can be grouped
• Groups only contain users, not other groups
• Users don’t have to belong to a group, and user can belong to multiple groups

Amazon Macie
• Amazon Macie is a fully managed data security and data privacy service that uses machine
learning and pattern matching to discover and protect your sensitive data in AWS.
• Macie helps identify and alert you to sensitive data, such as personally identifiable
information (PII)

AWS License Manager


AWS License Manager makes it easier to manage your software licenses from vendors such
as Microsoft, SAP, Oracle, and IBM across AWS and on-premises environments. AWS
License Manager lets administrators create customized licensing rules that mirror the terms
of their licensing agreements. Administrators can use these rules to help prevent licensing
violations, such as using more licenses than an agreement stipulates

Amazon Inspector
• Automated Security Assessments
• For EC2 instances
• Leveraging the AWS Systems Manager (SSM) agent
• Analyze against unintended network accessibility
• Analyze the running OS against known vulnerabilities
• For containers pushed to Amazon ECR
• Assessment of containers as they are pushed
• Reporting & integration with AWS Security Hub
• Send findings to Amazon EventBridge
What does AWS Inspector evaluate?
• Remember: only for EC2 instances and container infrastructure
• Continuous scanning of the infrastructure, only when needed
• Package vulnerabilities (EC2 & ECR)
• Network reachability (EC2)
• A risk score is associated with all vulnerabilities for prioritization

Amazon GuardDuty
• Intelligent threat discovery to protect your AWS account
• Uses Machine Learning algorithms, anomaly detection, 3rd party data
• One click to enable (30 days trial), no need to install software
• Input data includes:
• CloudTrail Events Logs – unusual API calls, unauthorized deployments
• CloudTrail Management Events – create VPC subnet, create trail, ...
• CloudTrail S3 Data Events – get object, list objects, delete object, ...
• VPC Flow Logs – unusual internal traffic, unusual IP address
• DNS Logs – compromised EC2 instances sending encoded data within DNS
queries
• Kubernetes Audit Logs – suspicious activities and potential EKS cluster
compromises
• Can setup CloudWatch Event rules to be notified in case of findings
• CloudWatch Events rules can target AWS Lambda or SNS
• Can protect against cryptocurrency mining attacks (has a dedicated “finding” for it)

AWS Artifact - COMPLIANCE


• Portal that provides customers with on-demand access to AWS compliance
documentation and AWS agreements
• Artifact Reports - Allows you to download AWS security and compliance documents from
third-party auditors, like AWS ISO certifications, Payment Card Industry (PCI), and System
and Organization Control (SOC) reports
• Artifact Agreements - Allows you to review, accept, and track the status of AWS
agreements such as the Business Associate Addendum (BAA) or the Health Insurance
Portability and Accountability Act (HIPAA) for an individual account or in your organization
• Can be used to support internal audit or compliance

Amazon Detective
• GuardDuty, Macie, and Security Hub are used to identify potential security issues, or
findings
• Sometimes security findings require deeper analysis to isolate the root cause and take
action – it’s a complex process
• Amazon Detective analyzes, investigates, and quickly identifies the root cause of security
issues or suspicious activities (using ML and graphs)
• Automatically collects and processes events from VPC Flow Logs, CloudTrail, GuardDuty
and creates a unified view
• Produces visualizations with details and context to get to the root cause

Amazon Cognito (simplified)


• Identity for your Web and Mobile applications users (potentially millions)
• Instead of creating them an IAM user, you create a user in Cognito

CloudHSM
 KMS => AWS manages the software for encryption
 CloudHSM => AWS provisions encryption hardware
 Dedicated Hardware (HSM = Hardware Security Module)
 You manage your own encryption keys entirely (not AWS)
 HSM device is tamper resistant, FIPS 140-2 Level 3 compliance

AWS Certificate Manager (ACM)


• Lets you easily provision, manage, and deploy SSL/TLS certificates
• Used to provide in-flight encryption for websites (HTTPS)
• Supports both public and private TLS certificates
• Free of charge for public TLS certificates
• Automatic TLS certificate renewal
• Integrations with (load TLS certificates on):
• Elastic Load Balancers
• CloudFront Distribution
• APIs on API Gateway

AWS Secrets Manager


• Newer service, meant for storing secrets
• Capability to force rotation of secrets every X days
• Automate generation of secrets on rotation (uses Lambda)
• Integration with Amazon RDS (MySQL, PostgreSQL, Aurora)
• Secrets are encrypted using KMS
• Mostly meant for RDS integration

3. TECHNOLOGY
Site to Site VPN & Direct Connect
• Site to Site VPN
 Connect an on-premises VPN to AWS
 The connection is automatically encrypted
 Goes over the public internet
• Direct Connect (DX)
 Establish a physical connection between on-premises and AWS
 The connection is private, secure and fast
 Goes over a private network
 Takes at least a month to establish
• On-premises: must use a Customer Gateway (CGW)
• AWS: must use a Virtual Private Gateway (VGW)

AWS CloudFront
 Content Delivery Network (CDN)
 Improves read performance, content is cached at the edge
 Improves users experience
 216 Points of Presence globally (edge locations)
 DDoS protection (because worldwide), integration with Shield, AWS Web Application
Firewall
CloudFront – Origins
• S3 bucket
• For distributing files and caching them at the edge
• Enhanced security with CloudFront Origin Access Identity (OAI)
• CloudFront can be used as an ingress (to upload files to S3)
• Custom Origin (HTTP)
• Application Load Balancer
• EC2 instance
• S3 website (must first enable the bucket as a static S3 website)
• Any HTTP backend you want

EC2 Types
• On-Demand Instances – short workload, predictable pricing, pay by second
• Reserved (1 & 3 years)
• Reserved Instances – long workloads
• Convertible Reserved Instances – long workloads with flexible instances
• Savings Plans (1 & 3 years) –commitment to an amount of usage, long workload
• Spot Instances – short workloads, cheap, can lose instances (less reliable)
• Dedicated Hosts – book an entire physical server, control instance placement
• Dedicated Instances – no other customers will share your hardware
• Capacity Reservations – reserve capacity in a specific AZ for any duration
EC2 On Demand
 Pay for what you use:
• Linux or Windows - billing per second, after the first minute
• All other operating systems - billing per hour
 Has the highest cost but no upfront payment
 No long-term commitment
 Recommended for short-term and un-interrupted workloads, where you can't predict
how the application will behave
EC2 Reserved Instances
• Up to 72% discount compared to On-demand
• You reserve specific instance attributes (Instance Type, Region, Tenancy, OS)
• Reservation Period – 1 year (+discount) or 3 years (+++discount)
• Payment Options – No Upfront (+), Partial Upfront (++), All Upfront (+++)
• Reserved Instance’s Scope – Regional or Zonal (reserve capacity in an AZ)
• Recommended for steady-state usage applications (think database)
• You can buy and sell in the Reserved Instance Marketplace
• Convertible Reserved Instance
• Can change the EC2 instance type, instance family, OS, scope and tenancy
• Up to 66% discount
EC2 Savings Plans
• Get a discount based on long-term usage (up to 72% - same as RIs)
• Commit to a certain type of usage ($10/hour for 1 or 3 years)
• Usage beyond EC2 Savings Plans is billed at the On-Demand price
• Locked to a specific instance family & AWS region (e.g., M5 in us-east-1)
• Flexible across:
• Instance Size (e.g., m5.xlarge, m5.2xlarge)
• OS (e.g., Linux, Windows)
• Tenancy (Host, Dedicated, Default)
EC2 Spot Instances
• Can get a discount of up to 90% compared to On-demand
• Instances that you can “lose” at any point of time if your max price is less than the current
spot price
• The MOST cost-efficient instances in AWS
• Useful for workloads that are resilient to failure
• Batch jobs
• Data analysis
• Image processing
• Any distributed workloads
• Workloads with a flexible start and end time
• Not suitable for critical jobs or databases
EC2 Dedicated Hosts
• A physical server with EC2 instance capacity fully dedicated to your use
• Allows you to address compliance requirements and use your existing server-bound software
licenses (per-socket, per-core, per-VM software licenses)
• Purchasing Options:
• On-demand – pay per second for active Dedicated Host
• Reserved - 1 or 3 years (No Upfront, Partial Upfront, All Upfront)
• The most expensive option
• Useful for software with a complicated licensing model (BYOL - Bring Your Own License)
• Or for companies that have strong regulatory or compliance needs
• Instances run on hardware that’s dedicated to you

Load Balancers
Load balancers are servers that forward internet traffic to multiple servers (EC2 Instances)
downstream
Why use a load balancer?
• Spread load across multiple downstream instances
• Expose a single point of access (DNS) to your application
• Seamlessly handle failures of downstream instances
• Do regular health checks to your instances
• Provide SSL termination (HTTPS) for your websites
• High availability across zones
• An ELB (Elastic Load Balancer) is a managed load balancer
• AWS guarantees that it will be working
• AWS takes care of upgrades, maintenance, high availability
• AWS provides only a few configuration knobs
• It costs less to setup your own load balancer but it will be a lot more effort on your end
(maintenance, integrations)
• 3 kinds of load balancers offered by AWS:
 Application Load Balancer (HTTP / HTTPS only) – Layer 7
 Network Load Balancer (ultra-high performance, allows for TCP) – Layer 4
 Classic Load Balancer (slowly retiring) – Layer 4 & 7
Auto Scaling Group
• In real-life, the load on your websites and application can change
• In the cloud, you can create and get rid of servers very quickly
• The goal of an Auto Scaling Group (ASG) is to:
• Scale out (add EC2 instances) to match an increased load
• Scale in (remove EC2 instances) to match a decreased load
• Ensure we have a minimum and a maximum number of machines running
• Automatically register new instances to a load balancer
• Replace unhealthy instances
• Cost Savings: only run at an optimal capacity (principle of the cloud)

S3
• Amazon S3 is one of the main building blocks of AWS
• It’s advertised as ”infinitely scaling” storage
• Many websites use Amazon S3 as a backbone
• Many AWS services use Amazon S3 as an integration as well
• We’ll have a step-by-step approach to S3
• The CCP exam requires “deeper” knowledge about S3
S3 Use cases
• Backup and storage
• Disaster Recovery
• Archive
• Hybrid Cloud storage
• Application hosting
• Media hosting
• Data lakes & big data analytics
• Software delivery
• Static website
• Amazon S3 allows people to store objects (files) in “buckets” (directories)
• Buckets must have a globally unique name (across all regions all accounts)
• Buckets are defined at the region level
• S3 looks like a global service but buckets are created in a region
• Naming convention
 No uppercase
 No underscore
 3-63 characters long
 Not an IP
 Must start with lowercase letter or number
• The key is the FULL path:
• s3://my-bucket/my_folder1/another_folder/my_file.txt
• The key is composed of prefix + object name
• In the example above the prefix is my_folder1/another_folder/ and the object name is my_file.txt
• There’s no concept of “directories” within buckets (although the UI will trick you to think
otherwise)
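The bucket naming rules and the prefix + object name decomposition above, as an added example that is not from the notes: `bucket_name_problems` applies exactly the five rules listed and nothing more, and `parse_s3_uri` splits an s3:// URI into bucket, prefix and object name. Both function names are constructed here.

```python
"""Validate S3 bucket names against the five rules in the notes and split an
s3:// URI into bucket, prefix and object name. Added example."""

import string
from ipaddress import ip_address

BUCKET_START_CHARS = string.ascii_lowercase + string.digits


def bucket_name_problems(name):
    """Return a list of violated rules (empty list means the name is acceptable)."""
    problems = []
    if not 3 <= len(name) <= 63:
        problems.append("must be 3-63 characters long")
    if any(c.isupper() for c in name):
        problems.append("no uppercase letters")
    if "_" in name:
        problems.append("no underscores")
    if not name or name[0] not in BUCKET_START_CHARS:
        problems.append("must start with a lowercase letter or number")
    try:
        ip_address(name)          # succeeds only if the whole name is an IP
        problems.append("must not be formatted as an IP address")
    except ValueError:
        pass
    return problems


def parse_s3_uri(uri):
    """s3://bucket/prefix/object -> (bucket, prefix, object_name).
    prefix + object_name is the full key; prefix is '' for top-level objects."""
    if not uri.startswith("s3://"):
        raise ValueError("not an s3:// URI")
    bucket, _, key = uri[5:].partition("/")
    prefix, _, obj = key.rpartition("/")
    if prefix:
        prefix += "/"                # keep the trailing slash so prefix + obj == key
    return bucket, prefix, obj


if __name__ == "__main__":
    # Constructed inputs: the notes' own example URI plus a few bad names.
    print(parse_s3_uri("s3://my-bucket/my_folder1/another_folder/my_file.txt"))
    for n in ("my-bucket", "My_Bucket", "192.168.1.1", "ab"):
        print(n, "->", bucket_name_problems(n) or "ok")
```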

Glacier
• Low-cost object storage meant for archiving / backup
• Pricing: price for storage + object retrieval cost
• Amazon S3 Glacier Instant Retrieval
• Millisecond retrieval, great for data accessed once a quarter
• Minimum storage duration of 90 days
• Amazon S3 Glacier Flexible Retrieval (formerly Amazon S3 Glacier):
• Expedited (1 to 5 minutes), Standard (3 to 5 hours), Bulk (5 to 12 hours) – free
• Minimum storage duration of 90 days
• Amazon S3 Glacier Deep Archive – for long term storage:
• Standard (12 hours), Bulk (48 hours)
• Minimum storage duration of 180 days

Snow Family
Highly secure, portable devices to collect and process data at the edge, and migrate data
into and out of AWS
AWS Snowcone
• Small, portable computing, anywhere, rugged & secure, withstands harsh environments
• Light (4.5 pounds, 2.1 kg)
• Device used for edge computing, storage, and data transfer
• 8 TB of usable storage
• Use Snowcone where Snowball does not fit (space-constrained environment)
• Must provide your own battery / cables
• Can be sent back to AWS offline, or connected to the internet to send data using AWS DataSync
Snowball Edge (for data transfers)
• Physical data transport solution: move TBs or PBs of data in or out of AWS
• Alternative to moving data over the network (and paying network fees)
• Pay per data transfer job
• Provides block storage and Amazon S3-compatible object storage
• Snowball Edge Storage Optimized
  • 80 TB of HDD capacity for block volumes and S3-compatible object storage
• Snowball Edge Compute Optimized
  • 42 TB of HDD capacity for block volumes and S3-compatible object storage
• Use cases: large data cloud migrations, DC decommission, disaster recovery
Snowmobile - Truck
• Transfer exabytes of data (1 EB = 1,000 PB = 1,000,000 TB)
• Each Snowmobile has 100 PB of capacity (use multiple in parallel)
• High security: temperature controlled, GPS, 24/7 video surveillance
• Better than Snowball if you transfer more than 10 PB

EBS Volume
• An EBS (Elastic Block Store) Volume is a network drive you can attach to your instances
while they run
• It allows your instances to persist data, even after their termination
• They can only be mounted to one instance at a time (at the CCP level)
• They are bound to a specific Availability Zone
• Analogy: think of them as a “network USB stick”
• Free tier: 30 GB of free EBS storage of type General Purpose (SSD) or Magnetic per
month
• It’s a network drive (i.e. not a physical drive)
• It uses the network to communicate with the instance, which means there might be a bit of
latency
• It can be detached from an EC2 instance and attached to another one quickly
• It’s locked to an Availability Zone (AZ)
  • An EBS Volume in us-east-1a cannot be attached to an instance in us-east-1b
  • To move a volume across AZs, you first need to snapshot it
• Volumes have a provisioned capacity (size in GB, and IOPS)
  • You get billed for all the provisioned capacity
  • You can increase the capacity of the drive over time

EFS – Elastic File System
• Managed NFS (network file system) that can be mounted on hundreds of EC2 instances
• EFS works with Linux EC2 instances in multi-AZ
• Highly available, scalable, expensive (3x gp2), pay per use, no capacity planning
EFS Infrequent Access (EFS-IA)
• Storage class that is cost-optimized for files not accessed every day
• Up to 92% lower cost compared to EFS Standard
• EFS will automatically move your files to EFS-IA based on the last time they were accessed
• Enable EFS-IA with a Lifecycle Policy
• Example: move files that have not been accessed for 60 days to EFS-IA
• Transparent to the applications accessing EFS

AWS Storage Gateway
• Bridge between on-premises data and cloud data in S3
• Hybrid storage service that allows on-premises environments to seamlessly use the AWS Cloud
• Use cases: disaster recovery, backup & restore, tiered storage

AWS Backup
• Fully managed service to centrally manage and automate backups across AWS
services
• On-demand and scheduled backups
• Supports PITR (Point-in-time Recovery)
• Retention periods, lifecycle management, backup policies, ...
• Cross-Region backup
• Cross-Account backup (using AWS Organizations)

VPC
• VPC - Virtual Private Cloud: private network to deploy your resources (regional resource)
• Subnets allow you to partition your network inside your VPC (Availability Zone resource)
• A public subnet is a subnet that is accessible from the internet
• A private subnet is a subnet that is not accessible from the internet
• To define access to the internet and between subnets, we use Route Tables.

Network ACL & Security Groups
• NACL (Network ACL)
  • A firewall which controls traffic from and to a subnet
  • Can have ALLOW and DENY rules
  • Attached at the subnet level
  • Rules only include IP addresses
• Security Groups
  • A firewall that controls traffic to and from an ENI / an EC2 instance
  • Can have only ALLOW rules
  • Rules include IP addresses and other security groups
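An added example, not from the notes, modelling the difference just described: a NACL evaluated as numbered rules with first match wins and an implicit deny (AWS behaviour), beside a security group that can only allow and may reference another group. Single ports and the omission of NACL statelessness are simplifications; all addresses and group ids are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Added example, not from the notes: a toy evaluator for the two rule types above.
# Rule numbers, "first match wins" and the implicit deny are AWS NACL behaviour;
# single ports instead of port ranges and ignoring that NACLs are stateless are
# simplifications. All IPs and group ids are constructed placeholders.


@dataclass
class NaclRule:
    number: int      # NACL rules are evaluated in ascending number order
    cidr: str        # NACL rules can only match on IP addresses
    port: int
    action: str      # "allow" or "deny": NACLs can express both


@dataclass
class Nacl:
    rules: list[NaclRule] = field(default_factory=list)

    def allows(self, src_ip: str, port: int) -> bool:
        """First matching rule decides; no match falls through to the implicit deny."""
        for rule in sorted(self.rules, key=lambda r: r.number):
            if rule.port == port and ip_address(src_ip) in ip_network(rule.cidr):
                return rule.action == "allow"
        return False


@dataclass
class SgRule:
    port: int
    source: str      # a CIDR, or the id of another security group ("sg-...")


@dataclass
class SecurityGroup:
    sg_id: str
    rules: list[SgRule] = field(default_factory=list)   # ALLOW rules only

    def allows(self, src_ip: str, port: int, src_sg: Optional[str] = None) -> bool:
        """Any matching allow rule permits the traffic; there is no way to write a deny."""
        for rule in self.rules:
            if rule.port != port:
                continue
            if rule.source.startswith("sg-"):
                if src_sg == rule.source:
                    return True
            elif ip_address(src_ip) in ip_network(rule.source):
                return True
        return False


def is_reachable(nacl: Nacl, sg: SecurityGroup, src_ip: str, port: int,
                 src_sg: Optional[str] = None) -> bool:
    """Traffic must pass the subnet's NACL and then the instance's security group."""
    return nacl.allows(src_ip, port) and sg.allows(src_ip, port, src_sg)


# Constructed setup: the web tier SG admits HTTPS from anywhere and SSH only from
# members of an admin SG. The subnet NACL blocks one abusive address explicitly,
# something the security group alone cannot express.
WEB_SG = SecurityGroup("sg-web", [SgRule(443, "0.0.0.0/0"), SgRule(22, "sg-admin")])
SUBNET_NACL = Nacl([
    NaclRule(100, "203.0.113.7/32", 443, "deny"),   # explicit block, evaluated first
    NaclRule(200, "0.0.0.0/0", 443, "allow"),
    NaclRule(210, "0.0.0.0/0", 22, "allow"),
])

if __name__ == "__main__":
    print(is_reachable(SUBNET_NACL, WEB_SG, "198.51.100.10", 443))               # True
    print(is_reachable(SUBNET_NACL, WEB_SG, "203.0.113.7", 443))                 # False: NACL deny
    print(is_reachable(SUBNET_NACL, WEB_SG, "198.51.100.10", 22))                # False: no SG IP rule for 22
    print(is_reachable(SUBNET_NACL, WEB_SG, "10.0.1.5", 22, src_sg="sg-admin"))  # True: SG reference matches
```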

API Gateway
• Fully managed service for developers to easily create, publish, maintain, monitor, and
secure APIs
• Serverless and scalable
• Supports RESTful APIs and WebSocket APIs
• Support for security, user authentication, API throttling, API keys, monitoring...

WorkSpaces
• Managed Desktop as a Service solution to easily provision Windows or Linux desktops
• Great to eliminate management of on-premises VDI (Virtual Desktop Infrastructure)
• Fast and quickly scalable to thousands of users
• Secured data – integrates with KMS
• Pay-as-you-go service with monthly or hourly rates

Batch
• Fully managed batch processing at any scale
• Efficiently run 100,000s of computing batch jobs on AWS
• A “batch” job is a job with a start and an end (as opposed to continuous)
• Batch will dynamically launch EC2 instances or Spot Instances
• AWS Batch provisions the right amount of compute / memory
• You submit or schedule batch jobs and AWS Batch does the rest!
• Batch jobs are defined as Docker images and run on ECS
• Helpful for cost optimizations and focusing less on the infrastructure

Lambda
• Virtual functions – no servers to manage!
• Limited by time - short executions
• Run on-demand
• Scaling is automated!
Benefits
• Easy pricing:
  • Pay per request and compute time
  • Free tier of 1,000,000 AWS Lambda requests and 400,000 GB-seconds of compute time
• Integrated with the whole AWS suite of services
• Event-driven: functions get invoked by AWS when needed
• Integrated with many programming languages
• Easy monitoring through AWS CloudWatch
• Easy to get more resources per function (up to 10 GB of RAM!)
• Increasing RAM will also improve CPU and network!
• Language support: Node.js (JavaScript), Python, Java (Java 8 compatible), C# (.NET Core),
Golang, C# / PowerShell, Ruby, Custom Runtime API (community supported, example Rust)

Batch vs Lambda
• Lambda:
  • Time limit
  • Limited runtimes
  • Limited temporary disk space
  • Serverless
• Batch:
  • No time limit
  • Any runtime as long as it’s packaged as a Docker image
  • Relies on EBS / instance store for disk space
  • Relies on EC2 (can be managed by AWS)

Amazon Lightsail
• Virtual servers, storage, databases, and networking
• Low & predictable pricing
• Simpler alternative to using EC2, RDS, ELB, EBS, Route 53...
• Great for people with little cloud experience!
• Can set up notifications and monitoring of your Lightsail resources
• Use cases:
  • Simple web applications (has templates for LAMP, Nginx, MEAN, Node.js...)
  • Websites (templates for WordPress, Magento, Plesk, Joomla)
  • Dev / Test environments
• Has high availability but no auto-scaling, limited AWS integrations

Elastic Beanstalk
• Elastic Beanstalk is a developer-centric view of deploying an application on AWS
• It uses all the components we’ve seen before: EC2, ASG, ELB, RDS, etc...
• But it’s all in one view that’s easy to make sense of!
• We still have full control over the configuration
• Beanstalk = Platform as a Service (PaaS)
• Beanstalk is free but you pay for the underlying instances
• Managed service
  • Instance configuration / OS is handled by Beanstalk
  • Deployment strategy is configurable but performed by Elastic Beanstalk
  • Capacity provisioning
  • Load balancing & auto-scaling
  • Application health monitoring & responsiveness
• Just the application code is the responsibility of the developer

CloudFormation
• CloudFormation is a declarative way of outlining your AWS infrastructure, for any resources
(most of them are supported).
• For example, within a CloudFormation template, you say:
  • I want a security group
  • I want two EC2 instances using this security group
  • I want an S3 bucket
  • I want a load balancer (ELB) in front of these machines
• Then CloudFormation creates those for you, in the right order, with the exact configuration
that you specify
Benefits of AWS CloudFormation
• Infrastructure as code
  • No resources are manually created, which is excellent for control
  • Changes to the infrastructure are reviewed through code
• Cost
  • Each resource within the stack is tagged with an identifier so you can easily see how
much a stack costs you
  • You can estimate the costs of your resources using the CloudFormation template
  • Savings strategy: in Dev, you could automate deletion of stacks at 5 PM and
re-creation at 8 AM, safely
• Productivity
  • Ability to destroy and re-create an infrastructure on the cloud on the fly
  • Automated generation of diagrams for your templates!
  • Declarative programming (no need to figure out ordering and orchestration)
• Don’t re-invent the wheel
  • Leverage existing templates on the web!
  • Leverage the documentation
• Supports (almost) all AWS resources:
  • Everything we’ll see in this course is supported
  • You can use “custom resources” for resources that are not supported
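An added example (not the notes' own, and not an AWS tool): the template described by the bullets above written as a Python dictionary, together with the Ref/GetAtt dependency analysis that determines the creation order CloudFormation works out for you. AMI, VPC, subnet and bucket names are placeholders.

```python
from graphlib import TopologicalSorter

# Added example, not from the notes or AWS: a constructed template for the bullet
# list above (a security group, two EC2 instances using it, an S3 bucket and a load
# balancer in front of the instances), plus the dependency analysis CloudFormation
# performs to create resources in the right order. AMI, VPC, subnet and bucket
# names are placeholders, not real identifiers.

TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "WebSecurityGroup": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "HTTPS from anywhere, nothing else",
                "VpcId": "vpc-PLACEHOLDER",
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"}
                ],
            },
        },
        "WebInstance1": {
            "Type": "AWS::EC2::Instance",
            "Properties": {
                "ImageId": "ami-PLACEHOLDER",
                "InstanceType": "t3.micro",
                "SubnetId": "subnet-PLACEHOLDER",
                "SecurityGroupIds": [{"Ref": "WebSecurityGroup"}],  # implicit dependency
            },
        },
        "WebInstance2": {
            "Type": "AWS::EC2::Instance",
            "Properties": {
                "ImageId": "ami-PLACEHOLDER",
                "InstanceType": "t3.micro",
                "SubnetId": "subnet-PLACEHOLDER",
                "SecurityGroupIds": [{"Ref": "WebSecurityGroup"}],
            },
        },
        "AssetsBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {"BucketName": "assets-bucket-placeholder"},
        },
        "WebLoadBalancer": {
            "Type": "AWS::ElasticLoadBalancing::LoadBalancer",
            "Properties": {
                "Subnets": ["subnet-PLACEHOLDER"],
                "SecurityGroups": [{"Fn::GetAtt": ["WebSecurityGroup", "GroupId"]}],
                "Instances": [{"Ref": "WebInstance1"}, {"Ref": "WebInstance2"}],
                "Listeners": [{"LoadBalancerPort": "443", "InstancePort": "443", "Protocol": "TCP"}],
            },
        },
    },
}


def references(node, resource_names: set) -> set:
    """Collect logical IDs that `node` points at through Ref or Fn::GetAtt, recursively.

    Refs to parameters or pseudo parameters (e.g. AWS::Region) are not resources and are skipped.
    """
    found = set()
    if isinstance(node, dict):
        target = node.get("Ref")
        if target in resource_names:
            found.add(target)
        getatt = node.get("Fn::GetAtt")
        if getatt is not None:
            name = getatt[0] if isinstance(getatt, list) else getatt.split(".")[0]
            if name in resource_names:
                found.add(name)
        for value in node.values():
            found |= references(value, resource_names)
    elif isinstance(node, list):
        for item in node:
            found |= references(item, resource_names)
    return found


def dependency_graph(template: dict) -> dict:
    """Map each resource to the resources it depends on (implicit Ref/GetAtt plus DependsOn)."""
    resources = template["Resources"]
    names = set(resources)
    graph = {}
    for name, body in resources.items():
        depends_on = body.get("DependsOn", [])
        explicit = {depends_on} if isinstance(depends_on, str) else set(depends_on)
        graph[name] = references(body.get("Properties", {}), names) | explicit
    return graph


def creation_order(template: dict) -> list:
    """Order resources so every dependency is created first (graphlib raises CycleError on a circular reference)."""
    return list(TopologicalSorter(dependency_graph(template)).static_order())


if __name__ == "__main__":
    print(creation_order(TEMPLATE))
```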

Trusted Advisor
• No need to install anything – high-level AWS account assessment
• Analyzes your AWS accounts and provides recommendations in 5 categories:
  • Cost optimization
  • Performance
  • Security
  • Fault tolerance
  • Service limits

CodeBuild
• Code building service in the cloud (name is obvious)
• Compiles source code, runs tests, and produces packages that are ready to be deployed
(by CodeDeploy for example)
Benefits:
• Fully managed, serverless
• Continuously scalable & highly available
• Secure
• Pay-as-you-go pricing – only pay for the build time
CodeDeploy
• We want to deploy our application automatically
• Works with EC2 Instances
• Works with On-Premises Servers
• Hybrid service
• Servers / Instances must be provisioned and configured ahead of time with the
CodeDeploy Agent

CodePipeline
• Orchestrate the different steps to have the code automatically pushed to production
• Code => Build => Test => Provision => Deploy
• Basis for CI/CD (Continuous Integration & Continuous Delivery)
• Benefits:
  • Fully managed, compatible with CodeCommit, CodeBuild, CodeDeploy, Elastic Beanstalk,
CloudFormation, GitHub, 3rd-party services (GitHub...) & custom plugins...
  • Fast delivery & rapid updates

CodeArtifact
• Software packages depend on each other to be built (also called code
dependencies), and new ones are created all the time
• Works with common dependency management tools such as Maven, Gradle, npm,
yarn, twine, pip, and NuGet

CodeStar
• Unified UI to easily manage software development activities in one place
• “Quick way” to get started to correctly set up CodeCommit, CodePipeline, CodeBuild,
CodeDeploy, Elastic Beanstalk, EC2, etc...
• Can edit the code “in the cloud” using AWS Cloud9

Aurora DB
• Aurora is a proprietary technology from AWS (not open sourced)
• PostgreSQL and MySQL are both supported as Aurora DB
• Aurora is “AWS cloud optimized” and claims a 5x performance improvement over MySQL on
RDS, and over 3x the performance of Postgres on RDS
• Aurora storage automatically grows in increments of 10 GB, up to 64 TB.
• Aurora costs more than RDS (20% more) – but is more efficient
• Not in the free tier

DynamoDB
• Fully managed, highly available with replication across 3 AZs
• NoSQL database - not a relational database
• Scales to massive workloads, distributed “serverless” database
• Millions of requests per second, trillions of rows, 100s of TB of storage
• Fast and consistent in performance
• Single-digit millisecond latency – low latency retrieval
• Integrated with IAM for security, authorization and administration
• Low cost and auto scaling capabilities
• Standard & Infrequent Access (IA) Table Class
• DynamoDB is a key/value database
DynamoDB – Global Tables
• Make a DynamoDB table accessible with low latency in multiple regions
• Active-Active replication (read/write to any AWS Region)

Redshift
• Redshift is based on PostgreSQL, but it’s not used for OLTP
• It’s OLAP – online analytical processing (analytics and data warehousing)
• Load data once every hour, not every second
• 10x better performance than other data warehouses, scale to PBs of data
• Columnar storage of data (instead of row based)
• Massively Parallel Query Execution (MPP), highly available
• Pay as you go based on the instances provisioned
• Has a SQL interface for performing the queries
• BI tools such as AWS Quicksight or Tableau integrate with it

ElastiCache
• In the same way that RDS is how you get managed relational databases...
• ElastiCache is how you get managed Redis or Memcached
• Caches are in-memory databases with high performance, low latency
• Helps reduce load off databases for read-intensive workloads
• AWS takes care of OS maintenance / patching, optimizations, setup, configuration,
monitoring, failure recovery and backups

Amazon SQS – Simple Queue Service
• Oldest AWS offering (over 10 years old)
• Fully managed service (~serverless), used to decouple applications
• Scales from 1 message per second to 10,000s per second
• Default retention of messages: 4 days, maximum of 14 days
• No limit to how many messages can be in the queue
• Messages are deleted after they’re read by consumers
• Low latency (<10 ms on publish and receive)
• Consumers share the work to read messages & scale horizontally

SNS – Simple Notification Service
• The “event publisher” only sends messages to one SNS topic
• As many “event subscribers” as we want can listen to the SNS topic notifications
• Each subscriber to the topic will get all the messages
• Up to 12,500,000 subscriptions per topic, 100,000 topics limit

ECS (Elastic Container Service)
• Launch Docker containers on AWS
• You must provision & maintain the infrastructure (the EC2 instances)
• AWS takes care of starting / stopping containers
• Has integrations with the Application Load Balancer

Fargate
• Launch Docker containers on AWS
• You do not provision the infrastructure (no EC2 instances to manage) – simpler!
• Serverless offering
• AWS just runs containers for you based on the CPU / RAM you need

Amazon Athena
• Serverless query service to analyze data stored in Amazon S3
• Uses standard SQL language to query the files
• Supports CSV, JSON, ORC, Avro, and Parquet (built on Presto)
• Pricing: $5.00 per TB of data scanned
• Use compressed or columnar data for cost savings (less data scanned)
• Use cases: Business intelligence / analytics / reporting, analyze & query VPC Flow Logs,
ELB Logs, CloudTrail trails, etc...
• Exam tip: to analyze data in S3 using serverless SQL, use Athena

Amazon QuickSight
• Serverless machine learning-powered business intelligence service to create interactive
dashboards
• Fast, automatically scalable, embeddable, with per-session pricing
• Use cases:
• Business analytics
• Building visualizations
• Perform ad-hoc analysis
• Get business insights using data
• Integrated with RDS, Aurora, Athena, Redshift, S3...
Neptune: graph database

AWS Glue
• Managed extract, transform, and load (ETL) service
• Useful to prepare and transform data for analytics
• Fully serverless service
• Glue Data Catalog: catalog of datasets that can be used by Athena, Redshift, EMR, S3

Rekognition: objects, people, text, scenes in images and videos
Transcribe: convert speech to text
Polly: applications that talk
SageMaker: fully managed service for developers / data scientists to build ML models
Kendra: fully managed document search service powered by Machine Learning. Extracts
answers from within a document (text, pdf, HTML, PowerPoint, MS Word, FAQs...)
Personalize: build apps with real-time personalized recommendations

Amazon Kinesis
• For the exam: Kinesis = real-time big data streaming
• Managed service to collect, process, and analyze real-time streaming data at any scale

4. BILLING AND PRICING

AWS Organizations
• Global service
• Allows you to manage multiple AWS accounts
• The main account is the master account (now called the management account)
• Cost benefits:
  • Consolidated Billing across all accounts - single payment method
  • Pricing benefits from aggregated usage (volume discount for EC2, S3...)
  • Pooling of Reserved EC2 instances for optimal savings
• API is available to automate AWS account creation
• Restrict account privileges using Service Control Policies (SCP)
Multi Account Strategies
• Create accounts per department, per cost center, per dev / test / prod, based on regulatory
restrictions (using SCP), for better resource isolation (ex: VPC), to have separate per-
account service limits, isolated account for logging
• Multi Account vs One Account Multi VPC
• Use tagging standards for billing purposes
• Enable CloudTrail on all accounts, send logs to a central S3 account
• Send CloudWatch Logs to a central logging account
AWS Organizations – Consolidated Billing
• When enabled, provides you with:
  • Combined Usage – combine the usage across all AWS accounts in the AWS
Organization to share the volume pricing, Reserved Instances and Savings Plans discounts
  • One Bill – get one bill for all AWS Accounts in the AWS Organization
• The management account can turn off Reserved Instances discount sharing for any
account in the AWS Organization, including itself

AWS Control Tower
• Easy way to set up and govern a secure and compliant multi-account
AWS environment based on best practices
• Benefits:
  • Automate the set up of your environment in a few clicks
  • Automate ongoing policy management using guardrails
  • Detect policy violations and remediate them
  • Monitor compliance through an interactive dashboard
• AWS Control Tower runs on top of AWS Organizations:
  • It automatically sets up AWS Organizations to organize accounts and implement
SCPs (Service Control Policies)

Pricing Models in AWS
AWS has 4 pricing models:
• Pay as you go: pay for what you use, remain agile, responsive, meet scale demands
• Save when you reserve: minimize risks, predictably manage budgets, comply with long-
term requirements
  • Reservations are available for EC2 Reserved Instances, DynamoDB Reserved
Capacity, ElastiCache Reserved Nodes, RDS Reserved Instances, Redshift Reserved Nodes
• Pay less by using more: volume-based discounts
• Pay less as AWS grows

Billing and Costing Tools
• Estimating costs in the cloud:
  • Pricing Calculator
• Tracking costs in the cloud:
  • Billing Dashboard
  • Cost Allocation Tags
  • Cost and Usage Reports
  • Cost Explorer
• Monitoring against cost plans:
  • Billing Alarms
  • Budgets

Cost and Usage Reports
• Dive deeper into your AWS costs and usage
• The AWS Cost & Usage Report contains the most comprehensive set of AWS cost and
usage data available, including additional metadata about AWS services, pricing, and
reservations (e.g., Amazon EC2 Reserved Instances (RIs)).
• The AWS Cost & Usage Report lists AWS usage for each service category used by an
account and its IAM users in hourly or daily line items, as well as any tags that you have
activated for cost allocation purposes.
• Can be integrated with Athena, Redshift or QuickSight

Cost Explorer
• Visualize, understand, and manage your AWS costs and usage over time
• Create custom reports that analyze cost and usage data.
• Analyze your data at a high level: total costs and usage across all accounts
• Or at monthly, hourly, resource-level granularity
• Choose an optimal Savings Plan (to lower prices on your bill)
• Forecast usage up to 12 months based on previous usage

AWS Budgets
• Create budgets and send alarms when costs exceed the budget
• 3 types of budgets: Usage, Cost, Reservation
• For Reserved Instances (RI):
  • Track utilization
  • Supports EC2, ElastiCache, RDS, Redshift
• Up to 5 SNS notifications per budget
• Can filter by: Service, Linked Account, Tag, Purchase Option, Instance Type, Region,
Availability Zone, API Operation, etc...
• Same options as AWS Cost Explorer!
• 2 budgets are free, then $0.02/day/budget

Cost Allocation Tags
• Use cost allocation tags to track your AWS costs at a detailed level
• AWS-generated tags
  • Automatically applied to the resources you create
  • Start with the prefix aws: (e.g. aws:createdBy)
• User-defined tags
  • Defined by the user
  • Start with the prefix user:
Tagging and Resource Groups
• Tags are used for organizing resources:
  • EC2: instances, images, load balancers, security groups...
  • RDS, VPC resources, Route 53, IAM users, etc...
  • Resources created by CloudFormation are all tagged the same way
• Free naming, common tags are: Name, Environment, Team ...
• Tags can be used to create Resource Groups
  • Create, maintain, and view a collection of resources that share common tags
• Manage these tags using the Tag Editor

1. Which of the following are the serverless computing services offered by AWS?
(Select two)
• Amazon Elastic Compute Cloud (EC2)
• Amazon Lightsail (Incorrect)
• AWS Lambda (Correct)
• AWS Elastic Beanstalk (Incorrect)
• AWS Fargate (Correct)

2. Which of the following AWS services can be used to forecast your AWS account
usage and costs?
• AWS Cost and Usage Reports
• AWS Pricing Calculator
• AWS Budgets (Incorrect)
• AWS Cost Explorer (Correct)

3. AWS Organizations provides which of the following benefits? (Select two)
• Provision EC2 Spot instances across the member AWS accounts
• Share the reserved EC2 instances amongst the member AWS accounts (Correct)
• Check vulnerabilities on EC2 instances across the member AWS accounts
• Deploy patches on EC2 instances across the member AWS accounts (Incorrect)
• Volume discounts for Amazon EC2 and Amazon S3 aggregated across the member AWS
accounts (Correct)

4. Which of the following AWS services are part of the AWS Foundation services for
the Reliability pillar of the Well-Architected Framework in AWS Cloud? (Select two)
• Amazon CloudWatch (Incorrect)
• AWS CloudFormation
• AWS Service Quotas (Correct)
• AWS Trusted Advisor (Correct)
• AWS CloudTrail (Incorrect)

AWS Trusted Advisor is an online tool that provides you with real-time guidance to help you
provision your resources following AWS best practices on cost optimization, security, fault
tolerance, service limits, and performance improvement. Whether establishing new
workflows, developing applications, or as part of ongoing improvement, recommendations
provided by Trusted Advisor regularly help keep your solutions provisioned optimally.
Service Quotas enables you to view and manage your quotas for AWS services from a
central location. Quotas, also referred to as limits in AWS, are the maximum values for the
resources, actions, and items in your AWS account. Each AWS service defines its quotas
and establishes default values for those quotas.

5. A startup runs its proprietary application on Docker containers. As a Cloud
Practitioner, which AWS service would you recommend so that the startup can run
containers and still have access to the underlying servers?
• Amazon Elastic Container Registry (ECR) (Incorrect)
• Amazon Elastic Container Service (Amazon ECS) (Correct)
• AWS Fargate
• AWS Lambda
Amazon Elastic Container Service (Amazon ECS) is a highly scalable, fast container
management service that makes it easy to run, stop, and manage Docker containers on a
cluster. This is not a fully managed service and you can manage the underlying servers yourself.
Amazon Elastic Container Registry (ECR) can be used to store, manage, and deploy Docker
container images. Amazon ECR eliminates the need to operate your container repositories.
ECR does not support running container applications.

6. Data encryption is automatically enabled for which of the following AWS services?
(Select two)
• Amazon EBS volumes
• Amazon S3 Glacier (Correct)
• Amazon Redshift
• AWS Storage Gateway (Correct)
• Amazon EFS drives (Incorrect)

7. Which AWS service can be used to subscribe to an RSS feed to be notified of the
status of all AWS service interruptions?
• Amazon SNS (Incorrect)
• AWS Service Health Dashboard (Correct)
• AWS Lambda
• AWS Personal Health Dashboard

8. An AWS user is trying to launch an EC2 instance in a given region. What is the
region-specific constraint that the Amazon Machine Image (AMI) must meet so that it
can be used for this EC2 instance?
• You should use an AMI from the same region, as it improves the performance of the
EC2 instance
• You must use an AMI from the same region as that of the EC2 instance. The region
of the AMI has no bearing on the performance of the EC2 instance (Correct)
• You can use an AMI from a different region, but it degrades the performance of the
EC2 instance
• An AMI is a global entity, so the region is not applicable

9. The DevOps team at an e-commerce company is trying to debug performance
issues for its serverless application built using a microservices architecture. As a
Cloud Practitioner, which AWS service would you recommend to address this use
case?
• AWS Trusted Advisor
• Amazon Pinpoint
• AWS CloudFormation
• AWS X-Ray (Correct)
AWS X-Ray - You can use AWS X-Ray to analyze and debug serverless and distributed
applications such as those built using a microservices architecture. With X-Ray, you can
understand how your application and its underlying services are performing to identify and
troubleshoot the root cause of performance issues and errors.

10. A financial services company wants to ensure that its AWS account activity meets
the governance, compliance and auditing norms. As a Cloud Practitioner, which AWS
service would you recommend for this use case?
• CloudWatch
• CloudTrail (Correct)
• Trusted Advisor (Incorrect)
• Config
CloudTrail - You can use CloudTrail to log, monitor and retain account activity related to
actions across your AWS infrastructure. CloudTrail provides an event history of your AWS
account activity, including actions taken through the AWS Management Console, AWS
SDKs, command-line tools, and other AWS services.

11. Which AWS service would you choose for a data processing project that needs a
schemaless database?
• Amazon DynamoDB (Correct)
• Amazon Redshift (Incorrect)
• Amazon RDS
• Amazon Aurora

12. A developer would like to automate operations on his on-premises environment
using Chef and Puppet. Which AWS service can help with this task?
• AWS CloudFormation
• AWS CodeDeploy
• AWS OpsWorks (Correct)
• AWS Batch

13. A company wants to improve the resiliency of its flagship application, so it wants to move
from its traditional database system to a managed AWS database service to support an active-
active configuration in both the East and West US AWS regions. The active-active
configuration with cross-region support is the prime criterion for any database solution that the
company considers.
Which AWS database service is the right fit for this requirement?
• Amazon Aurora with multi-master clusters (Incorrect)
• Amazon Relational Database Service (Amazon RDS) for MySQL
• Amazon DynamoDB with DynamoDB Accelerator
• Amazon DynamoDB with global tables (Correct)

14. Which of the following AWS services are always free to use? (Select two)
• Elastic Compute Cloud (Amazon EC2)
• Identity and Access Management (IAM) (Correct)
• DynamoDB
• AWS Auto Scaling (Correct)
• Simple Storage Service (Amazon S3)

15. Which of the following statements is the MOST accurate when describing AWS
Elastic Beanstalk?
• It is an Infrastructure as Code service which allows you to model and provision resources needed
for an application
• It is a Platform as a Service (PaaS) which allows you to deploy and scale web applications
and services (Correct)
• It is a Platform as a Service (PaaS) which allows you to model and provision resources
needed for an application
• It is an Infrastructure as a Service (IaaS) which allows you to deploy and scale web
applications and services

16. A company's flagship application runs on a fleet of Amazon EC2 instances. As per the
new policies, the system administrators are looking for the best way to provide secure shell
access to AWS EC2 instances without opening new ports or using public IP addresses.
Which tool/service will help you achieve this requirement?
• Amazon EC2 Instance Connect (Incorrect)
• Amazon Inspector
• Amazon Route 53
• AWS Systems Manager Session Manager (Correct)
AWS Systems Manager Session Manager
AWS SSM Session Manager is a fully managed service that provides you with an interactive
browser-based shell and CLI experience. It helps provide secure and auditable instance
management without the need to open inbound ports, maintain bastion hosts, or manage
SSH keys. Session Manager helps to enable compliance with corporate policies that require
controlled access to instances, increases the security and auditability of access to the instances,
and provides simplicity and cross-platform instance access to end users.

17. A company uses reserved EC2 instances across multiple units, with each unit
having its own AWS account. However, some of the units under-utilize their reserved
instances while other units need more reserved instances. As a Cloud Practitioner,
which of the following would you recommend as the most cost-optimal solution?
• Use AWS Trusted Advisor to manage AWS accounts of all units and then share the
reserved EC2 instances amongst all units
• Use AWS Organizations to manage AWS accounts of all units and then share the reserved
EC2 instances amongst all units (Correct)
• Use AWS Cost Explorer to manage AWS accounts of all units and then share the reserved
EC2 instances amongst all units
• Use AWS Systems Manager to manage AWS accounts of all units and then share the
reserved EC2 instances amongst all units (Incorrect)

18. An IT company has a hybrid cloud architecture and it wants to centralize the
server logs for its EC2 instances and on-premises servers. Which of the following is
the MOST effective for this use case?
• Use CloudTrail for the EC2 instances and CloudWatch Logs for the on-premises servers
• Use CloudWatch Logs for the EC2 instances and CloudTrail for the on-premises servers
• Use AWS Lambda to send log data from EC2 instances as well as on-premises servers to
CloudWatch Logs
• Use CloudWatch Logs for both the EC2 instances and the on-premises servers (Correct)

19. Which of the following AWS authentication mechanisms supports a Multi-Factor
Authentication (MFA) device that you can plug into a USB port on your computer?
• Virtual MFA device
• SMS text message-based MFA
• U2F security key (Correct)
• Hardware MFA device (Incorrect)

20. Read Replicas improve database scalability: Amazon Relational Database Service
(Amazon RDS) makes it easy to set up, operate, and scale a relational database in the
cloud. Read Replicas allow you to create read-only copies that are synchronized with your
master database. Read Replicas are used for improved read performance. You can also
place your read replica in a different AWS Region closer to your users for better
performance. Read Replicas are an example of horizontal scaling of resources.

21. A start-up would like to quickly deploy a popular technology on AWS. As a Cloud
Practitioner, which AWS tool would you use for this task?
• AWS Whitepapers
• AWS Forums
• AWS CodeDeploy (Incorrect)
• AWS Quick Starts references (Correct)
AWS Quick Starts references - Quick Starts are built by AWS solutions architects and
partners to help you deploy popular technologies on AWS, based on AWS best practices for
security and high availability. These accelerators reduce hundreds of manual procedures
into just a few steps, so you can build your production environment quickly and start using it
immediately.

22. Which of the following options is NOT a feature of Amazon Inspector?
• Track configuration changes (Correct)
• Analyze against unintended network accessibility
• Automate security assessments (Incorrect)
• Inspect running operating systems (OS) against known vulnerabilities

23. A Cloud Practitioner would like to get operational insights into its resources to
quickly identify any issues that might impact applications using those resources.
Which AWS service can help with this task?
• AWS Systems Manager (Correct)
• Amazon Inspector
• AWS Personal Health Dashboard
• AWS Trusted Advisor (Incorrect)
AWS Systems Manager: AWS Systems Manager allows you to centralize operational data
from multiple AWS services and automate tasks across your AWS resources. You can
create logical groups of resources such as applications, different layers of an application
stack, or production versus development environments.
With Systems Manager, you can select a resource group and view its recent API activity,
resource configuration changes, related notifications, operational alerts, software inventory,
and patch compliance status. You can also take action on each resource group depending
on your operational needs. Systems Manager provides a central place to view and manage
your AWS resources, so you can have complete visibility and control over your operations.

24. Which pillar of the AWS Well-Architected Framework recommends maintaining
infrastructure as code?
• Operational Excellence (Correct)
• Cost Optimization
• Security
• Performance Efficiency

25. A gaming company is looking at a technology/service that can deliver consistent
low-latency gameplay to ensure a great user experience for end-users in various
locations.
Which AWS technology/service will provide the necessary low-latency access to the
end-users?
• AWS Edge Locations (Incorrect)
• AWS Direct Connect
• AWS Wavelength
• AWS Local Zones (Correct)
AWS Local Zones allow you to use select AWS services, like compute and storage
services, closer to more end-users, providing them very low latency access to the
applications running locally. AWS Local Zones are also connected to the parent region via
Amazon's redundant and very high bandwidth private network, giving applications running in
AWS Local Zones fast, secure, and seamless access to the rest of AWS services.
You should use AWS Local Zones to deploy workloads closer to your end-users for low-
latency requirements. AWS Local Zones have their own connection to the internet and support
AWS Direct Connect, so resources created in the Local Zone can serve local end-users with
very low-latency communications.
Various AWS services such as Amazon Elastic Compute Cloud (EC2), Amazon Virtual
Private Cloud (VPC), Amazon Elastic Block Store (EBS), Amazon FSx, Amazon Elastic Load
Balancing, Amazon EMR, Amazon ElastiCache, and Amazon Relational Database Service
(RDS) are available locally in the AWS Local Zones. You can also use services that
orchestrate or work with local services such as Amazon EC2 Auto Scaling, Amazon EKS
clusters, Amazon ECS clusters, Amazon EC2 Systems Manager, Amazon CloudWatch,
AWS CloudTrail, and AWS CloudFormation. AWS Local Zones also provide a high-
bandwidth, secure connection to the AWS Region, allowing you to seamlessly connect to the
full range of services in the AWS Region through the same APIs and toolsets.
Incorrect options:
AWS Edge Locations - An AWS Edge location is a site that CloudFront uses to cache
copies of the content for faster delivery to users at any location.

26. A web application stores all of its data in Amazon S3 buckets. A client has mandated
that data be encrypted before sending it to Amazon S3.
Which of the following is the right technique for encrypting data as needed by the customer?
• Enable server-side encryption with Amazon S3-Managed Keys (SSE-S3)
• Enable client-side encryption using the AWS Encryption SDK (Correct)
• Enable server-side encryption with KMS keys stored in AWS Key Management
Service (SSE-KMS)
• Encryption is enabled by default for all the objects written to Amazon S3. Additional
configuration is not required

27. According to the AWS Shared Responsibility Model, which of the following are
responsibilities of AWS? (Select two)
• Creating an IAM role for accessing Amazon EC2 instances (Incorrect)
• Replacing faulty hardware of Amazon EC2 instances (Correct)
• Maintaining Amazon S3 data in different Availability Zones to keep it durable (Correct)
• Enabling Multi-Factor Authentication on AWS accounts in your organization
• Creating S3 bucket policies for appropriate user access

28. Which of the following AWS services support reservations to optimize costs?
(Select three)
• S3
• Lambda
• EC2 Instances (Correct)
• DocumentDB
• RDS (Correct)
• DynamoDB (Correct)

29. Which of the following AWS services support a VPC Endpoint Gateway for a private
connection from a VPC? (Select two)
• S3 (Correct)
• Amazon SQS
• DynamoDB (Correct)
• Amazon EC2 (Incorrect)
• Amazon SNS

30. A multi-national corporation wants to get expert professional advice on migrating to AWS
and managing their applications on AWS Cloud. Which of the following entities would
you recommend for this engagement?
• AWS Trusted Advisor (Incorrect)
• APN Consulting Partner (Correct)
• Concierge Support Team
• APN Technology Partner
APN Consulting Partner: The AWS Partner Network (APN) is the global partner program for
technology and consulting businesses that leverage Amazon Web Services to build solutions
and services for customers.
APN Consulting Partners are professional services firms that help customers of all types and
sizes design, architect, build, migrate, and manage their workloads and applications on
AWS, accelerating their migration to AWS cloud.

31. A multi-national company has just moved its infrastructure from its on-premises
data center to AWS Cloud. As part of the shared responsibility model, AWS is
responsible for which of the following?
• Physical and Environmental controls (Correct)
• Service and Communications Protection or Zone Security (Incorrect)
• Patching guest OS
• Configuring customer applications

32. A company wants to have control over creating and using its own keys for
encryption on AWS services. Which of the following can be used for this use-case?
• AWS Owned CMK
• AWS Managed CMK
• Customer Managed CMK (Correct)
• Secrets Manager (Incorrect)
Customer Managed CMK: A customer master key (CMK) is a logical representation of a
master key. The CMK includes metadata, such as the key ID, creation date, description, and
key state. The CMK also contains the key material used to encrypt and decrypt data. These
are created and managed by the AWS customer. Access to these can be controlled using
the AWS IAM service.

33. Which of the following is CORRECT regarding removing an AWS account from
AWS Organizations?
• The AWS account must be able to operate as a standalone account. Only then can it
be removed from AWS Organizations (Correct)
• Raise a support ticket with AWS Support to remove the account
• The AWS account must not have any Service Control Policies (SCPs) attached to it.
Only then can it be removed from AWS Organizations (Incorrect)
• The AWS account can be removed from AWS Systems Manager

34. Which of the following AWS Support plans provides access to Infrastructure Event
Management for an additional fee?
• Basic
• Enterprise (Incorrect)
• Developer
• Business (Correct)

35. Which of the following AWS services can be used to connect a company's on-
premises environment to a VPC without using the public internet?
• AWS Direct Connect (Correct)
• Site-to-Site VPN
• Internet Gateway (Incorrect)
• Amazon VPC Endpoint

36. Which of the following are correct statements regarding the AWS Global
Infrastructure? (Select two)
• Each AWS Region consists of two or more Availability Zones (Correct)
• Each AWS Region consists of two or more Edge Locations (Incorrect)
• Each Availability Zone (AZ) consists of one or more discrete data centers (Correct)
• Each Availability Zone (AZ) consists of two or more discrete data centers
• Each AWS Region consists of one or more Availability Zones (Incorrect)

37. Which AWS services can be used to facilitate organizational change management,
part of the Reliability pillar of the AWS Well-Architected Framework? (Select three)
• AWS Trusted Advisor (Incorrect)
• AWS CloudTrail (Correct)
• Amazon GuardDuty
• Amazon CloudWatch (Correct)
• Amazon Inspector (Incorrect)
• AWS Config (Correct)

38. Which of the following statements are CORRECT regarding the AWS VPC service?
(Select two)
• A NAT Instance is managed by AWS
• A Security Group can have both allow and deny rules
• A NACL can have allow rules only
• A Security Group can have allow rules only (Correct)
• A NAT Gateway is managed by AWS (Correct)

39. Which of the following statements are CORRECT regarding the Availability Zone
(AZ) specific characteristics of EBS and EFS storage types?
• An EBS volume can be attached to a single instance in the same Availability Zone
whereas an EFS file system can be mounted on instances across multiple Availability
Zones (Correct)
• An EBS volume can be attached to one or more instances in multiple Availability Zones
and an EFS file system can be mounted on instances across multiple Availability Zones
• An EBS volume can be attached to a single instance in the same Availability Zone and
an EFS file system can only be mounted on instances in the same Availability Zone (X)
• An EBS volume can be attached to one or more instances in multiple Availability Zones
and an EFS file system can be mounted on instances in the same Availability Zone

40. Which AWS service will help you receive alerts when the reservation utilization falls
below the defined threshold?
• AWS Trusted Advisor
• AWS Pricing Calculator
• AWS CloudTrail (Incorrect)
• AWS Budgets (Correct)
AWS Budgets gives you the ability to set custom budgets that alert you when your costs or
usage exceed (or are forecasted to exceed) your budgeted amount.
You can also use AWS Budgets to set reservation utilization or coverage targets and receive
alerts when your utilization drops below the threshold you define. Reservation alerts are
supported for Amazon EC2, Amazon RDS, Amazon Redshift, Amazon ElastiCache, and
Amazon Elasticsearch reservations.

41. The DevOps team at an IT company is moving 500 GB of data from an EC2
instance to an S3 bucket in the same region. Which of the following scenarios captures
the correct charges for this data transfer?
• The company would be charged for both the outbound data transfer from the EC2 instance as
well as the inbound data transfer into the S3 bucket
• The company would only be charged for the outbound data transfer from the EC2 instance
• The company would only be charged for the inbound data transfer into the S3 bucket (Incorrect)
• The company would not be charged for this data transfer (Correct)

42. Which AWS Support plan provides architectural guidance contextual to your
specific use-cases?
• Enterprise (Incorrect)
• Developer
• Basic
• Business (Correct)

43. Which of the following is a recommended way to provide programmatic access to
AWS resources?
• Use IAM groups to access AWS resources programmatically (Incorrect)
• Use an Access Key ID and Secret Access Key to access AWS resources
programmatically (Correct)
• Create a new IAM user and share the username and password
• Use Multi-Factor Authentication to access AWS resources programmatically

44. Which of the following entities applies patches to the underlying OS for AWS Aurora?
• The AWS Product Team automatically (Correct)
• AWS Support after receiving a request from the customer (Incorrect)
• The AWS customer by SSHing into the instances
• The AWS customer by using AWS Systems Manager

45. Which of the following AWS services has encryption enabled by default?
• CloudTrail Logs (Correct)
• Amazon S3 (Incorrect)
• Elastic Block Store (EBS)
• Elastic File System (EFS)

46. A startup wants to migrate its data and applications from its on-premises data
center to AWS Cloud. Which of the following options can be used by the startup to
help with this migration? (Select two)
• Leverage AWS Professional Services to accelerate the infrastructure migration (Correct)
• Consult moderators on AWS Developer Forums
• Use AWS Trusted Advisor to automate the infrastructure migration (Incorrect)
• Utilize the AWS Partner Network (APN) to build a custom solution for this infrastructure
migration (Correct)
• Raise a support ticket with AWS Support for further assistance

47. A company is using a message broker service in its on-premises application and
wants to move this messaging functionality to AWS Cloud. Which of the following
AWS services is the right choice to move the existing functionality easily?
• Amazon MQ (Correct)
• Amazon Simple Queue Service (SQS)
• Amazon Simple Notification Service (SNS)
• Amazon Kinesis Data Streams

48. A customer has created a VPC and a subnet within AWS Cloud. Which of the
following statements is correct?
• Both the VPC and the subnet span all of the Availability Zones in the Region
• A VPC spans all of the Availability Zones in the Region whereas a subnet spans only
one Availability Zone in the Region (Correct)
• Both the VPC and the subnet span only one Availability Zone in the Region
• A subnet spans all of the Availability Zones in the Region whereas a VPC spans only
one Availability Zone in the Region

49. Which of the following statements are true about AWS Lambda? (Select two)
• AWS Lambda provides access to the underlying operating system to control its
behavior through code
• Allows you to orchestrate and manage Docker containers to facilitate complex
containerized applications on AWS
• You pay for the compute time you consume (Correct)
• AWS Lambda lets you run code without provisioning or managing servers (Correct)
• Allows you to install databases on the underlying serverless Operating System

50. Which of the following statements is correct for a Security Group and a Network
Access Control List?
• A Security Group acts as a firewall at the AZ level whereas a Network Access Control
List acts as a firewall at the VPC level
• A Security Group acts as a firewall at the VPC level whereas a Network Access Control
List acts as a firewall at the AZ level
• A Security Group acts as a firewall at the subnet level whereas a Network Access Control
List acts as a firewall at the instance level
• A Security Group acts as a firewall at the instance level whereas a Network Access
Control List acts as a firewall at the subnet level (Correct)

51. Which of the following is correct about the AWS "Developer" Support plan?
• Allows one contact to open unlimited cases (Correct)
• Allows one contact to open a limited number of cases per month
• Allows unlimited contacts to open a limited number of cases per month (Incorrect)
• Allows unlimited contacts to open unlimited cases

52. An Access Key ID and Secret Access Key are tied to which of the following AWS
Identity and Access Management entities?
• IAM Group
• AWS Policy
• IAM Role
• IAM User (Correct)

53. Which AWS compute service provides the EASIEST way to access resizable
compute capacity in the cloud with support for per-second billing and access to the
underlying OS?
• Amazon Lightsail (Incorrect)
• AWS Lambda
• Amazon Elastic Container Service (ECS)
• Amazon Elastic Compute Cloud (EC2) (Correct)
Amazon Elastic Compute Cloud (EC2) is a web service that provides secure, resizable
compute capacity in the cloud with support for per-second billing. It is the easiest way to
provision servers on AWS Cloud and access the underlying OS. Amazon EC2 reduces the
time required to obtain and boot new server instances to minutes, allowing you to quickly
scale capacity, both up and down, as your computing requirements change.

54. A photo sharing web application wants to store thumbnails of user-uploaded
images on Amazon S3. The thumbnails are rarely used but need to be immediately
accessible from the web application. The thumbnails can be regenerated easily if they
are lost. Which is the most cost-effective way to store these thumbnails on S3?
• Use S3 Glacier to store the thumbnails
• Use S3 Standard-Infrequent Access (Standard-IA) to store the thumbnails (Incorrect)
• Use S3 Standard to store the thumbnails
• Use S3 One Zone-Infrequent Access (One Zone-IA) to store the thumbnails (Correct)

55. An online gaming company wants to block users from certain geographies from
accessing its content. Which AWS services can be used to accomplish this task? (Select
two)
• AWS Shield
• Route 53 (Correct)
• CloudWatch
• AWS WAF (Correct)
• AWS Protect

56. Which AWS service helps with global application availability and performance
using the AWS global network?
• Global Accelerator (Correct)
• Amazon Route 53
• Elastic Load Balancer
• Amazon CloudFront (Incorrect)
AWS Global Accelerator is a service that improves the availability and performance of your
applications with local or global users. It provides static IP addresses that act as a fixed entry
point to your application endpoints in a single or multiple AWS Regions, such as your
Application Load Balancers, Network Load Balancers, or Amazon EC2 instances. AWS
Global Accelerator uses the AWS global network to optimize the path from your users to
your applications, improving the performance of your traffic by as much as 60%.
Global Accelerator improves performance for a wide range of applications over TCP or UDP
by proxying packets at the edge to applications running in one or more AWS Regions.
Global Accelerator is a good fit for non-HTTP use cases, such as gaming (UDP), IoT
(MQTT), or Voice over IP, as well as for HTTP use cases that specifically require static IP
addresses or deterministic, fast regional failover.

57. What are the fundamental drivers of cost with AWS Cloud?
• Compute, Databases and Outbound Data Transfer
• Compute, Databases and Inbound Data Transfer (Incorrect)
• Compute, Storage and Inbound Data Transfer
• Compute, Storage and Outbound Data Transfer (Correct)

58. AWS Compute Optimizer delivers recommendations for which of the following
AWS resources? (Select two)
• Amazon EC2 instances, Amazon EC2 Auto Scaling groups (Correct)
• Amazon EBS volumes, AWS Lambda functions (Correct)
• AWS Lambda functions, Amazon Simple Storage Service (Amazon S3)
• Amazon Elastic File System (Amazon EFS), AWS Lambda functions
• Amazon EC2 instances, Amazon Elastic File System (Amazon EFS)

59. Which of the following AWS services can be used to prevent a Distributed Denial-of-
Service (DDoS) attack? (Select three)
• Amazon CloudFront with Route 53 (Correct)
• Amazon Inspector
• AWS CloudHSM
• AWS Trusted Advisor
• AWS Shield (Correct)
• AWS WAF (Correct)

60. Which of the following statements are correct about the AWS account root user?
(Select two)
• Root user credentials should only be shared with managers requiring administrative
responsibilities to complete their jobs
• Root user access credentials are the email address and password used to create the
AWS account (Correct)
• The root user account password cannot be changed once it is set
• It is highly recommended to enable Multi-Factor Authentication (MFA) for the root user
account (Correct)
• The root account gets unrestricted permissions when the account is created, but these
can be restricted using IAM policies

61. A startup is looking for 24x7 phone-based technical support for its AWS account.
Which of the following is the MOST cost-effective AWS Support plan for this use-
case?
• Enterprise
• Developer
• Business (Correct)
• Basic

62. The AWS Well-Architected Framework provides guidance on building cloud-based
applications using AWS best practices. Which of the following options are the pillars
mentioned in the AWS Well-Architected Framework? (Select two)
• Cost Optimization (Correct)
• Scalability
• Elasticity
• Availability
• Reliability (Correct)

63. Which AWS service can be used to provision resources to run big data workloads
on Hadoop clusters?
• AWS Step Functions
• Amazon EC2
• Amazon EMR (Correct)
• AWS Batch

64. What are the different gateway types supported by the AWS Storage Gateway service?
• Object Gateway, File Gateway and Block Gateway
• Tape Gateway, File Gateway and Volume Gateway (Correct)
• Tape Gateway, Object Gateway and Volume Gateway
• Tape Gateway, File Gateway and Block Gateway

65. Which AWS EC2 pricing model is the most cost-effective and flexible with no
requirement for a long-term resource commitment or upfront payment but still
guarantees that the instance will not be interrupted?
• Dedicated Hosts
• On-Demand Instances (Correct)
• Spot Instances
• Reserved Instances

66. The engineering team at an IT company wants to monitor the CPU utilization for its
fleet of EC2 instances and send an email to the administrator if the utilization exceeds
80%. As a Cloud Practitioner, which AWS services would you recommend to build this
solution? (Select two)
• Lambda
• CloudTrail
• SQS
• CloudWatch (Correct)
• SNS (Correct)

67. Which of the following AWS services are global in scope? (Select two)
• AWS Identity and Access Management (IAM) (Correct)
• Amazon S3
• Amazon Elastic Compute Cloud (Amazon EC2)
• Amazon Relational Database Service (Amazon RDS)
• Amazon CloudFront (Correct)

68. Which of the following statements is correct regarding the AWS pricing policy for
data transfer charges into or out of an AWS Region?
• Both inbound data transfer and outbound data transfer are charged
• Only inbound data transfer is charged (Incorrect)
• Only outbound data transfer is charged (Correct)
• Neither inbound nor outbound data transfer is charged

69. Which of the following is the correct statement regarding the AWS Storage
services?
• S3 is object-based storage, EBS is file-based storage and EFS is block-based storage
• S3 is file-based storage, EBS is block-based storage and EFS is object-based storage
• S3 is object-based storage, EBS is block-based storage and EFS is file-based storage
(Correct)
• S3 is block-based storage, EBS is object-based storage and EFS is file-based storage

70. An organization has a complex IT architecture involving a lot of system
dependencies and it wants to track the history of changes to each resource. Which
AWS service will help the organization track the history of configuration changes for
all the resources?
• AWS Config (Correct)
• AWS Service Catalog
• AWS CloudFormation
• AWS CloudTrail (Incorrect)

71. Which of the following AWS services is essential for implementing security of
resources in AWS Cloud?
• AWS Shield
• AWS Identity and Access Management (IAM) (Correct)
• Amazon CloudWatch
• AWS WAF (Incorrect)
AWS Identity and Access Management (IAM) enables you to manage access to AWS
services and resources securely. Using IAM, you can create and manage AWS users and
groups, and use permissions to allow and deny their access to AWS resources. IAM enables
security best practices by allowing you to grant unique security credentials to users and
groups to specify which AWS service APIs and resources they can access. These features
make IAM an important service for the overall security of AWS resources in your account.
IAM is secure by default; users have no access to AWS resources until permissions are
explicitly granted.
