AWS2
1. CLOUD CONCEPTS
THE BENEFITS OF AWS - Security (Well-Architected Framework security pillar):
Includes the ability to protect information, systems, and assets while delivering business
value through risk assessments and mitigation strategies
Design Principles
* Implement a strong identity foundation - Centralize privilege management and reduce (or
even eliminate) reliance on long-term credentials - Principle of least privilege - IAM
* Enable traceability - Integrate logs and metrics with systems to automatically respond and
take action
* Apply security at all layers - Edge network, VPC, subnet, load balancer, every instance,
operating system, and application (defense in depth rather than a single perimeter)
* Automate security best practices
* Protect data in transit and at rest - Encryption, tokenization, and access control
* Keep people away from data - Reduce or eliminate the need for direct access or manual
processing of data
* Prepare for security events - Run incident response simulations and use tools with
automation to increase your speed for detection, investigation, and recovery
Related concept: Shared Responsibility Model - AWS is responsible for security OF the cloud
(facilities, hardware, network, hypervisor, managed-service software); you are responsible
for security IN the cloud (your data, IAM, guest OS patching on EC2, security group and
firewall configuration, encryption choices)
FOUNDATIONS:
AWS CLI
• A tool that enables you to interact with AWS services using commands in your command-
line shell
• Direct access to the public APIs of AWS services
• You can develop scripts to manage your resources
• It’s open-source
• Alternative to using AWS Management Console
AWS Marketplace
• Digital catalog with thousands of software listings from independent software vendors (3rd
party). Examples:
• Custom AMIs (custom OS, firewalls, technical solutions...)
• CloudFormation templates
• Software as a Service
• Containers
• If you buy through the AWS Marketplace, it goes into your AWS bill
• You can sell your own solutions on the AWS Marketplace
Service Quotas is an AWS service that helps you manage your quotas for many AWS
services, from one location. Along with looking up the quota values, you can also request a
quota increase from the Service Quotas console.
AWS Support might approve, deny, or partially approve your requests.
AWS SDK
• AWS Software Development Kit (AWS SDK)
• Language-specific APIs (set of libraries)
• Enables you to access and manage AWS services programmatically
• Embedded within your application
• Supports
• SDKs (JavaScript, Python, PHP, .NET, Ruby, Java, Go, Node.js, C++)
• Mobile SDKs (Android, iOS, ...)
• IoT Device SDKs (Embedded C, Arduino, ...)
• Example: the AWS CLI is built on the AWS SDK for Python (botocore)
AWS Shield
• AWS Shield Standard:
• Free service that is activated for every AWS customer
• Provides protection from attacks such as SYN/UDP Floods, Reflection attacks and
other layer 3/layer 4 attacks
CloudWatch
Amazon CloudWatch is a monitoring and observability service. CloudWatch provides you
with data and actionable insights to monitor your applications, respond to system-wide
performance changes, and optimize resource utilization. CloudWatch collects monitoring and
operational data in the form of logs, metrics, and events. You get a unified view of
operational health and gain complete visibility of your AWS resources, applications, and
services running on AWS and on-premises.
CloudWatch Metrics
• CloudWatch provides metrics for every service in AWS
• Metric is a variable to monitor (CPUUtilization, NetworkIn...)
• Can create CloudWatch dashboards of metrics
Amazon CloudWatch Alarms
• Alarms are used to trigger notifications for any metric
• Alarms actions...
• Auto Scaling: increase or decrease EC2 instances “desired” count
• EC2 Actions: stop, terminate, reboot or recover an EC2 instance
• SNS notifications: send a notification into an SNS topic
• Various options (sampling, %, max, min, etc...)
• Can choose the period on which to evaluate an alarm
• Example: create a billing alarm on the CloudWatch Billing metric
Amazon CloudWatch Logs
• CloudWatch Logs can collect logs from:
• Elastic Beanstalk: collection of logs from application
• ECS: collection from containers
• AWS Lambda: collection from function logs
• CloudTrail based on filter
• CloudWatch log agents: on EC2 machines or on-premises servers
• Route53: Log DNS queries
Amazon EventBridge
EventBridge is the next evolution of CloudWatch Events
Default event bus: generated by AWS services (CloudWatch Events)
Partner event bus: receive events from SaaS service or applications (Zendesk,
DataDog, Segment, Auth0...)
Custom Event buses: for your own applications
Schema Registry: model event schema
EventBridge has a different name to mark the new capabilities
The CloudWatch Events name will be replaced with EventBridge
AWS Config
• Helps with auditing and recording compliance of your AWS resources
• Helps record configurations and changes over time
• Possibility of storing the configuration data into S3 (analyzed by Athena)
• Questions that can be solved by AWS Config:
• Is there unrestricted SSH access to my security groups?
• Do my buckets have any public access?
• How has my ALB configuration changed over time?
• You can receive alerts (SNS notifications) for any changes
• AWS Config is a per-region service
• Can be aggregated across regions and accounts
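Added example (not part of the original notes): the two Config questions above, "unrestricted SSH" and "public buckets", written as plain Python checks over the JSON shapes that `aws ec2 describe-security-groups` and `aws s3api get-public-access-block` return. The security groups and bucket settings below are constructed sample data so the script runs offline; in a real account you would feed it the API output (for example via boto3). The first check is the same question the Config managed rule restricted-ssh answers.

```python
"""Added example (not from the original notes): AWS Config-style checks in plain Python.
Input is constructed sample data in the shape of the EC2 / S3 API responses."""
import json

# Constructed sample: abridged describe-security-groups output
SAMPLE_SECURITY_GROUPS = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-0aaa", "GroupName": "web",
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
     {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
  {"GroupId": "sg-0bbb", "GroupName": "bastion",
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
      "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
  {"GroupId": "sg-0ccc", "GroupName": "wide-open",
   "IpPermissions": [
     {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}
]}
""")

ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"

def rule_covers_port(perm, port):
    """True if an inbound rule covers `port`. IpProtocol -1 means all traffic
    and carries no port range, so it always matches."""
    if perm.get("IpProtocol") == "-1":
        return True
    if perm.get("IpProtocol") not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def rule_is_world_open(perm):
    """True if any source range in the rule is the whole internet (v4 or v6)."""
    v4 = any(r.get("CidrIp") == ANY_V4 for r in perm.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == ANY_V6 for r in perm.get("Ipv6Ranges", []))
    return v4 or v6

def unrestricted_ssh(sg_response, port=22):
    """Return the GroupIds that allow `port` from 0.0.0.0/0 or ::/0."""
    return [g["GroupId"] for g in sg_response["SecurityGroups"]
            if any(rule_covers_port(p, port) and rule_is_world_open(p)
                   for p in g["IpPermissions"])]

# Constructed sample: per-bucket PublicAccessBlockConfiguration (None = not set)
SAMPLE_BUCKETS = {
    "logs-bucket": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                    "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
    "legacy-site": {"BlockPublicAcls": False, "IgnorePublicAcls": True,
                    "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
    "no-config": None,
}

REQUIRED_BLOCKS = ("BlockPublicAcls", "IgnorePublicAcls",
                   "BlockPublicPolicy", "RestrictPublicBuckets")

def buckets_allowing_public_access(bucket_configs):
    """Return {bucket: [settings that are off or missing]} for buckets whose
    public access block is absent or not fully enabled."""
    findings = {}
    for name, cfg in bucket_configs.items():
        missing = [k for k in REQUIRED_BLOCKS if not (cfg or {}).get(k, False)]
        if missing:
            findings[name] = missing
    return findings

if __name__ == "__main__":
    print("SSH open to the world:", unrestricted_ssh(SAMPLE_SECURITY_GROUPS))
    print("Public access not fully blocked:",
          buckets_allowing_public_access(SAMPLE_BUCKETS))
```

Note that the all-traffic rule (IpProtocol -1) on sg-0ccc is caught even though it names no port: a check that only looks at FromPort/ToPort would miss it.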
AWS CloudTrail
• Provides governance, compliance and audit for your AWS Account
• CloudTrail is enabled by default, but only as a 90-day Event history in the console; create a
trail to retain events longer and deliver them to S3 / CloudWatch Logs
• Get a history of events / API calls made within your AWS Account by:
• Console
• SDK
• CLI
• AWS Services
• Can put logs from CloudTrail into CloudWatch Logs or S3
• A trail can be applied to All Regions (default) or a single Region.
• If a resource is deleted in AWS, investigate CloudTrail first!
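Added example (not part of the original notes): "investigate CloudTrail first", as a script. It scans CloudTrail records for root-account use, console logins without MFA, calls that tamper with the trail itself, and destructive API calls, and answers "who deleted this resource?". The records are constructed samples in the real CloudTrail record layout ({"Records": [...]}, userIdentity, eventSource, eventName, additionalEventData.MFAUsed); the two rule sets (TRAIL_TAMPERING, DESTRUCTIVE) are my choices for the example, not an AWS-published list.

```python
"""Added example (not from the original notes): a minimal detector over CloudTrail
records. SAMPLE_TRAIL is constructed; replace it with a log file from your trail's
S3 bucket or a CloudWatch Logs export."""
import json

SAMPLE_TRAIL = json.loads("""
{"Records": [
 {"eventTime": "2024-05-01T08:00:01Z", "eventSource": "signin.amazonaws.com",
  "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "IAMUser", "userName": "alice",
                   "arn": "arn:aws:iam::111122223333:user/alice"},
  "responseElements": {"ConsoleLogin": "Success"},
  "additionalEventData": {"MFAUsed": "Yes"}},
 {"eventTime": "2024-05-01T08:05:12Z", "eventSource": "signin.amazonaws.com",
  "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.9",
  "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
  "responseElements": {"ConsoleLogin": "Success"},
  "additionalEventData": {"MFAUsed": "No"}},
 {"eventTime": "2024-05-01T08:06:40Z", "eventSource": "cloudtrail.amazonaws.com",
  "eventName": "StopLogging", "sourceIPAddress": "203.0.113.9",
  "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
  "requestParameters": {"name": "org-trail"}},
 {"eventTime": "2024-05-01T09:10:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "TerminateInstances", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "IAMUser", "userName": "alice",
                   "arn": "arn:aws:iam::111122223333:user/alice"},
  "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0123456789abcdef0"}]}}}
]}
""")

# API calls that weaken or disable audit logging (defense evasion) - my selection
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
# Destructive calls worth an alert - my selection, extend for your estate
DESTRUCTIVE = {"TerminateInstances", "DeleteBucket", "DeleteDBInstance", "DeleteTrail"}

def who(rec):
    """Principal name: IAM user name, or the ARN (root has no userName)."""
    ident = rec.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn", "unknown")

def findings_for(rec):
    """Return a list of (rule, principal, eventName) tuples for one record."""
    out = []
    name = rec.get("eventName")
    if rec.get("userIdentity", {}).get("type") == "Root":
        out.append(("root-account-used", who(rec), name))
    if (name == "ConsoleLogin"
            and rec.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and rec.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
        out.append(("console-login-without-mfa", who(rec), name))
    if rec.get("eventSource") == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPERING:
        out.append(("cloudtrail-tampering", who(rec), name))
    if name in DESTRUCTIVE:
        out.append(("destructive-api-call", who(rec), name))
    return out

def scan(trail):
    """Run every record through findings_for and flatten the results."""
    return [f for rec in trail["Records"] for f in findings_for(rec)]

def who_deleted(trail, resource_id):
    """Answer 'who touched this resource?' by searching requestParameters."""
    return [(rec["eventTime"], who(rec), rec["eventName"])
            for rec in trail["Records"]
            if resource_id in json.dumps(rec.get("requestParameters", {}))]

if __name__ == "__main__":
    for finding in scan(SAMPLE_TRAIL):
        print(finding)
    print(who_deleted(SAMPLE_TRAIL, "i-0123456789abcdef0"))
```

The StopLogging record is the one to treat as highest priority: an attacker who can stop the trail blinds every later check, which is why a trail should be protected by an SCP or a deny policy and by an alarm on exactly these calls.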
Accessing AWS
• To access AWS, you have three options:
• AWS Management Console (protected by password + MFA)
• AWS Command Line Interface (CLI): protected by access keys
• AWS Software Development Kit (SDK) - for code: protected by access keys
• Access Keys are generated through the AWS Console
• Users manage their own access keys
• Access Keys are secret, just like a password. Don't share them, don't commit them to source
control, and rotate them; they are long-term credentials, so prefer IAM roles (temporary
credentials) wherever possible, as the "strong identity foundation" principle above says
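Added example (not part of the original notes): the access-key hygiene above, checked against the IAM credential report (`aws iam get-credential-report` returns this CSV, base64-encoded). The rows below are constructed in the report's real column layout; the clock is fixed (NOW) so the result is reproducible, and the 90-day rotation threshold is a common policy choice, not an AWS default.

```python
"""Added example (not from the original notes): audit the IAM credential report for
root access keys, console users without MFA, and stale access keys."""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the credential report's column layout
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,2024-04-30T07:00:00+00:00,not_supported,not_supported,false,true,2021-03-03T00:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2022-06-01T00:00:00+00:00,true,2024-04-29T09:00:00+00:00,2024-01-10T00:00:00+00:00,N/A,true,true,2024-03-01T00:00:00+00:00,2024-04-28T12:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2021-02-01T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2021-02-01T00:00:00+00:00,2024-04-30T01:00:00+00:00,eu-west-1,ecr,true,2023-12-01T00:00:00+00:00,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2023-08-01T00:00:00+00:00,true,no_information,2023-08-01T00:00:00+00:00,N/A,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

NOW = datetime(2024, 5, 1, tzinfo=timezone.utc)  # fixed clock for the sample
MAX_KEY_AGE = timedelta(days=90)                 # policy choice, not an AWS default

def parse_ts(value):
    """Report cells are ISO-8601 timestamps or markers such as N/A / no_information."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None

def audit_credential_report(report_csv, now=NOW, max_age=MAX_KEY_AGE):
    """Return a list of (user, rule) findings, in report order."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        # Root should never have access keys at all
        if is_root and "true" in (row["access_key_1_active"], row["access_key_2_active"]):
            findings.append((user, "root-has-access-key"))
        # Anyone who can sign in to the console needs MFA
        if row["mfa_active"] != "true" and (is_root or row["password_enabled"] == "true"):
            findings.append((user, "console-access-without-mfa"))
        # Active keys must have been rotated within max_age
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = parse_ts(row[f"access_key_{n}_last_rotated"])
            if rotated is None or now - rotated > max_age:
                findings.append((user, f"access-key-{n}-older-than-{max_age.days}d"))
    return findings

if __name__ == "__main__":
    for finding in audit_credential_report(SAMPLE_REPORT):
        print(finding)
```

The ci-deploy user is the typical offender: a machine identity with two never-rotated keys and no human to notice. That is the case where an IAM role assumed by the build system (temporary credentials) removes the problem instead of managing it.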
Amazon Macie
• Amazon Macie is a fully managed data security and data privacy service that uses machine
learning and pattern matching to discover and protect your sensitive data in AWS.
• Macie helps identify and alert you to sensitive data, such as personally identifiable
information (PII)
Amazon Inspector
• Automated Security Assessments
• For EC2 instances
• Leveraging the AWS Systems Manager (SSM) Agent
• Analyze against unintended network accessibility
• Analyze the running OS against known vulnerabilities
• For container images pushed to Amazon ECR
• Assessment of container images as they are pushed
• Reporting & integration with AWS Security Hub
• Send findings to Amazon EventBridge
What does Amazon Inspector evaluate?
• Remember: EC2 instances and container images in ECR (and, more recently, Lambda functions)
• Continuous scanning: rescans when an instance or image changes or a new CVE is published,
rather than on a fixed schedule
• Package vulnerabilities (EC2 & ECR)
• Network reachability (EC2)
• A risk score is associated with all vulnerabilities for prioritization
Amazon GuardDuty
• Intelligent threat detection to protect your AWS Account
• Uses Machine Learning algorithms, anomaly detection, 3rd party threat intelligence
• One click to enable (30-day trial), no software to install
• Input data includes:
• CloudTrail Event Logs – unusual API calls, unauthorized deployments
• CloudTrail Management Events – create VPC subnet, create trail, ...
• CloudTrail S3 Data Events – GetObject, ListObjects, DeleteObject, ...
• VPC Flow Logs – unusual internal traffic, unusual IP addresses
• DNS Logs – compromised EC2 instances sending encoded data within DNS
queries
• Kubernetes Audit Logs – suspicious activities and potential EKS cluster
compromises
• Can set up EventBridge (formerly CloudWatch Events) rules to be notified of findings
• EventBridge rules can target AWS Lambda or SNS
• Can detect CryptoCurrency mining (has a dedicated finding type for it); GuardDuty detects
and alerts, it does not block
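Added example (not part of the original notes): how an EventBridge rule decides which GuardDuty findings get routed to Lambda or SNS. The matcher below implements the core of EventBridge's event-pattern semantics in plain Python: a value list means "any of these exact values", nested objects match nested fields, and the prefix and numeric operators are supported. The pattern is written in EventBridge syntax; the matcher itself is mine and covers only those operators. The three finding events are constructed samples that use real GuardDuty finding type names and GuardDuty's severity scale (7.0 and above is High).

```python
"""Added example (not from the original notes): a small EventBridge-style pattern
matcher applied to constructed GuardDuty finding events."""
import operator

OPS = {"<": operator.lt, "<=": operator.le, "=": operator.eq,
       ">": operator.gt, ">=": operator.ge}

def value_matches(allowed, actual):
    """One pattern list vs. one event value. Any entry in the list may match."""
    for entry in allowed:
        if isinstance(entry, dict):
            if "prefix" in entry and isinstance(actual, str) \
                    and actual.startswith(entry["prefix"]):
                return True
            if "numeric" in entry and isinstance(actual, (int, float)):
                ops = entry["numeric"]  # e.g. [">=", 7] or [">", 0, "<=", 5]
                if all(OPS[ops[i]](actual, ops[i + 1]) for i in range(0, len(ops), 2)):
                    return True
        elif entry == actual:
            return True
    return False

def event_matches(pattern, event):
    """Every key in the pattern must be present in the event and match;
    keys the pattern does not mention are ignored, as in EventBridge."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not event_matches(expected, event[key]):
                return False
        elif not value_matches(expected, event[key]):
            return False
    return True

# Rule: high-severity GuardDuty findings whose type starts with CryptoCurrency
# or UnauthorizedAccess (EventBridge pattern syntax)
HIGH_SEVERITY_RULE = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {
        "severity": [{"numeric": [">=", 7]}],
        "type": [{"prefix": "CryptoCurrency"}, {"prefix": "UnauthorizedAccess"}],
    },
}

# Constructed sample events in the EventBridge envelope GuardDuty uses
SAMPLE_EVENTS = [
    {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
     "account": "111122223333", "region": "us-east-1",
     "detail": {"type": "CryptoCurrency:EC2/BitcoinTool.B!DNS", "severity": 8,
                "resource": {"instanceDetails": {"instanceId": "i-0123456789abcdef0"}}}},
    {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
     "account": "111122223333", "region": "us-east-1",
     "detail": {"type": "Recon:EC2/PortProbeUnprotectedPort", "severity": 2,
                "resource": {"instanceDetails": {"instanceId": "i-0fedcba9876543210"}}}},
    {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
     "account": "111122223333", "region": "us-east-1",
     "detail": {"type": "UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B", "severity": 5,
                "resource": {"accessKeyDetails": {"userName": "alice"}}}},
]

def matching_finding_types(rule, events):
    """Finding types that the rule would forward to its targets (SNS, Lambda...)."""
    return [e["detail"]["type"] for e in events if event_matches(rule, e)]

if __name__ == "__main__":
    print(matching_finding_types(HIGH_SEVERITY_RULE, SAMPLE_EVENTS))
```

Testing the pattern locally like this is cheaper than waiting for a real finding: a rule with a typo in "detail-type" silently matches nothing, and nothing ever reaches the SNS topic.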
Amazon Detective
• GuardDuty, Macie, and Security Hub are used to identify potential security issues, or
findings
• Sometimes security findings require deeper analysis to isolate the root cause and take
action – it’s a complex process
• Amazon Detective analyzes, investigates, and quickly identifies the root cause of security
issues or suspicious activities (using ML and graphs)
• Automatically collects and processes events from VPC Flow Logs, CloudTrail, GuardDuty
and creates a unified view
• Produces visualizations with details and context to get to the root cause
CloudHSM
KMS => AWS manages the software for encryption
CloudHSM => AWS provisions encryption hardware
Dedicated Hardware (HSM = Hardware Security Module)
You manage your own encryption keys entirely (not AWS)
HSM device is tamper resistant, FIPS 140-2 Level 3 compliance
3. TECHNOLOGY
Site to Site VPN & Direct Connect
• Site to Site VPN
Connect an on-premises VPN to AWS
The connection is automatically encrypted (IPsec)
Goes over the public internet
• Direct Connect (DX)
Establish a physical connection between on-premises and AWS
The connection is private and fast, but NOT encrypted by default: run a Site-to-Site VPN
over it (or use MACsec on supported ports) if the data must be encrypted in transit
Goes over a private network
Takes at least a month to establish
• On-premises: must use a Customer Gateway (CGW)
• AWS: must use a Virtual Private Gateway (VGW)
AWS CloudFront
Content Delivery Network (CDN)
Improves read performance, content is cached at the edge
Improves user experience
216 Points of Presence globally (edge locations)
DDoS protection (because worldwide), integration with Shield and AWS Web Application
Firewall (WAF)
CloudFront – Origins
• S3 bucket
• For distributing files and caching them at the edge
• Enhanced security with CloudFront Origin Access Control (OAC), which replaces the older
Origin Access Identity (OAI): the bucket stays private and only the distribution can read it
• CloudFront can be used as an ingress (to upload files to S3)
• Custom Origin (HTTP)
• Application Load Balancer
• EC2 instance
• S3 website (must first enable the bucket as a static S3 website)
• Any HTTP backend you want
EC2 Purchasing Options
• On-Demand Instances – short workload, predictable pricing, pay by second
• Reserved (1 & 3 years)
• Reserved Instances – long workloads
• Convertible Reserved Instances – long workloads with flexible instances
• Savings Plans (1 & 3 years) –commitment to an amount of usage, long workload
• Spot Instances – short workloads, cheap, can lose instances (less reliable)
• Dedicated Hosts – book an entire physical server, control instance placement
• Dedicated Instances – no other customers will share your hardware
• Capacity Reservations – reserve capacity in a specific AZ for any duration
EC2 On Demand
Pay for what you use:
• Linux or Windows - billing per second, after the first minute
• All other operating systems - billing per hour
Has the highest cost but no upfront payment
No long-term commitment
Recommended for short-term and un-interrupted workloads, where you can't predict
how the application will behave
EC2 Reserved Instances
• Up to 72% discount compared to On-demand
• You reserve specific instance attributes (Instance Type, Region, Tenancy, OS)
• Reservation Period – 1 year (+discount) or 3 years (+++discount)
• Payment Options – No Upfront (+), Partial Upfront (++), All Upfront (+++)
Load Balancing
Load balancers are servers that forward traffic to multiple servers (EC2 instances)
downstream
Why use a load balancer?
• Spread load across multiple downstream instances
• Expose a single point of access (DNS) to your application
• Seamlessly handle failures of downstream instances
• Do regular health checks to your instances
• Provide SSL termination (HTTPS) for your websites
• High availability across zones
• An ELB (Elastic Load Balancer) is a managed load balancer
• AWS guarantees that it will be working
• AWS takes care of upgrades, maintenance, high availability
• AWS provides only a few configuration knobs
• It costs less to set up your own load balancer but it will be a lot more effort on your end
(maintenance, integrations)
• 3 kinds of load balancers offered by AWS:
Application Load Balancer (HTTP / HTTPS only) – Layer 7
Network Load Balancer (TCP / UDP / TLS, very high performance) – Layer 4
Gateway Load Balancer (routes traffic through third-party virtual appliances such as
firewalls) – Layer 3
S3
• Amazon S3 is one of the main building blocks of AWS
• It’s advertised as ”infinitely scaling” storage
• Many websites use Amazon S3 as a backbone
• Many AWS services use Amazon S3 as an integration as well
• We’ll have a step-by-step approach to S3
• The CCP exam requires “deeper” knowledge about S3
S3 Use cases
• Backup and storage
• Disaster Recovery
• Archive
• Hybrid Cloud storage
• Application hosting
• Media hosting
• Data lakes & big data analytics
• Software delivery
• Static website
• Amazon S3 allows people to store objects (files) in “buckets” (directories)
• Buckets must have a globally unique name (across all regions all accounts)
• Buckets are defined at the region level
• S3 looks like a global service but buckets are created in a region
• Naming convention
No uppercase
No underscore
3-63 characters long
Not an IP
Must start with lowercase letter or number
• The key is the FULL path:
• s3://my-bucket/my_folder1/another_folder/my_file.txt has key my_folder1/another_folder/my_file.txt
• The key is composed of prefix + object name
• prefix = my_folder1/another_folder/ and object name = my_file.txt
• There's no concept of "directories" within buckets (although the UI will trick you to think
otherwise): the "/" is just another character in the key
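Added example (not part of the original notes): a parser that splits an s3:// URI into bucket, key, prefix and object name exactly as defined above, plus a validator for the bucket naming rules listed (and the remaining documented S3 rules: the name must also end with a letter or number, contain no two adjacent periods, and use only letters, numbers, periods and hyphens). Pure standard library, no AWS calls.

```python
"""Added example (not from the original notes): s3:// URI parsing and bucket-name
validation following the naming rules in the notes."""
import ipaddress
import re

def bucket_name_problems(name):
    """Return the list of naming rules the bucket name breaks ([] if valid)."""
    problems = []
    if not 3 <= len(name) <= 63:
        problems.append("length must be 3-63 characters")
    if name != name.lower():
        problems.append("no uppercase letters")
    if "_" in name:
        problems.append("no underscores")
    if not re.match(r"^[a-z0-9]", name):
        problems.append("must start with a lowercase letter or number")
    if not re.search(r"[a-z0-9]$", name):
        problems.append("must end with a lowercase letter or number")
    if ".." in name:
        problems.append("no two adjacent periods")
    # Uppercase and underscores are reported by their own rules above
    if not re.fullmatch(r"[a-zA-Z0-9._-]*", name):
        problems.append("only letters, numbers, periods and hyphens are allowed")
    try:
        ipaddress.ip_address(name)
        problems.append("must not be formatted as an IP address")
    except ValueError:
        pass
    return problems

def parse_s3_uri(uri):
    """s3://bucket/prefix/object -> dict(bucket, key, prefix, object_name).
    There are no real directories in S3: the key is the full path and the
    'prefix' is everything up to and including the last '/'."""
    if not uri.startswith("s3://"):
        raise ValueError("not an s3:// URI")
    bucket, _, key = uri[len("s3://"):].partition("/")
    if not bucket or not key:
        raise ValueError("URI needs both a bucket and a key")
    problems = bucket_name_problems(bucket)
    if problems:
        raise ValueError(f"invalid bucket name {bucket!r}: {problems}")
    slash = key.rfind("/")
    prefix, object_name = (key[:slash + 1], key[slash + 1:]) if slash >= 0 else ("", key)
    return {"bucket": bucket, "key": key, "prefix": prefix, "object_name": object_name}

if __name__ == "__main__":
    print(parse_s3_uri("s3://my-bucket/my_folder1/another_folder/my_file.txt"))
    for candidate in ("My-Bucket", "my_bucket", "192.168.0.1", "ok-bucket.logs", "a"):
        print(candidate, "->", bucket_name_problems(candidate) or "valid")
```

Bucket names are global, so a name that fails validation here would fail at CreateBucket too; checking before you deploy a template saves a failed stack.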
Glacier
• Low-cost object storage meant for archiving / backup
Snow Family
Highly-secure, portable devices to collect and process data at the edge, and migrate data
into and out of AWS
AWS Snowcone
• Small, portable computing, anywhere, rugged & secure, withstands harsh environments
• Light (4.5 pounds, 2.1 kg)
• Device used for edge computing, storage, and data transfer
• 8 TB of usable storage
• Use Snowcone where Snowball does not fit (space-constrained environment)
• Must provide your own battery / cables
• Can be sent back to AWS offline, or to internet and use AWS DataSync to send data
Snowball Edge (for data transfers)
Physical data transport solution: move TBs or PBs of data in or out of AWS
Alternative to moving data over the network (and paying network fees)
Pay per data transfer job
Provides block storage and Amazon S3-compatible object storage
• Snowball Edge Storage Optimized
• 80 TB of HDD capacity for block volumes and S3-compatible object storage
• Snowball Edge Compute Optimized
• 42 TB of HDD capacity for block volumes and S3-compatible object storage
• Use cases: large data cloud migrations, DC decommission, disaster recovery
Snowmobile - Truck
• Transfer exabytes of data (1 EB = 1,000 PB = 1,000,000 TB)
• Each Snowmobile has 100 PB of capacity (use multiple in parallel)
• High security: temperature controlled, GPS, 24/7 video surveillance
• Better than Snowball if you transfer more than 10 PB
EBS Volume
• An EBS (Elastic Block Store) Volume is a network drive you can attach to your instances
while they run
• It allows your instances to persist data, even after their termination (the root volume is
deleted on termination by default; additional volumes are kept unless you change the flag)
• They can only be mounted to one instance at a time (at the CCP level)
• They are bound to a specific availability zone
• Analogy:Think of them as a “network USB stick”
• Free tier: 30 GB of free EBS storage of type General Purpose (SSD) or Magnetic per
month
• It’s a network drive (i.e. not a physical drive)
• It uses the network to communicate with the instance, which means there might be a bit of
latency
• It can be detached from an EC2 instance and attached to another one quickly
• It’s locked to an Availability Zone (AZ)
• An EBS Volume in us-east-1a cannot be attached to us-east-1b
• To move a volume across, you first need to snapshot it
• Have a provisioned capacity (size in GBs, and IOPS)
• You get billed for all the provisioned capacity
AWS Backup
Fully-managed service to centrally manage and automate backups across AWS
services
On-demand and scheduled backups
Supports PITR (Point-in-time Recovery)
Retention Periods, Lifecycle Management, Backup Policies, ...
Cross-Region Backup
Cross-Account Backup (using AWS Organizations)
VPC
• VPC -Virtual Private Cloud: private network to deploy your
resources (regional resource)
• Subnets allow you to partition your network inside your VPC (Availability Zone resource)
• A public subnet is a subnet whose route table has a route to an Internet Gateway, so
resources in it can be reached from the internet (if they have a public IP and the security
group / network ACL allow it)
• A private subnet has no such route; outbound-only internet access, if needed, goes through
a NAT Gateway
• To define access to the internet and between subnets, we use Route Tables.
API Gateway
• Fully managed service for developers to easily create, publish, maintain, monitor, and
secure APIs
• Serverless and scalable
• Supports RESTful APIs and WebSocket APIs
• Support for security, user authentication, API throttling, API keys, monitoring...
WorkSpaces
• Managed Desktop as a Service solution to easily provision Windows or Linux desktops
• Great to eliminate management of on-premises VDI (Virtual Desktop Infrastructure)
• Fast and quickly scalable to thousands of users
• Secured data – integrates with KMS
• Pay-as-you-go service with monthly or hourly rates
Batch
• Fully managed batch processing at any scale
• Efficiently run 100,000s of computing batch jobs on AWS
• A "batch" job is a job with a start and an end (as opposed to continuous)
• Batch will dynamically launch EC2 instances or Spot Instances
• AWS Batch provisions the right amount of compute / memory
• You submit or schedule batch jobs and AWS Batch does the rest!
• Batch jobs are defined as Docker images and run on ECS
• Helpful for cost optimizations and focusing less on the infrastructure
Lambda
• Virtual functions – no servers to manage!
• Limited by time - short executions
• Run on-demand
• Scaling is automated!
Benefits
• Easy Pricing:
• Pay per request and compute time
• Free tier of 1,000,000 AWS Lambda requests and 400,000 GB-seconds of compute time per month
• Integrated with the whole AWS suite of services
• Event-Driven: functions get invoked by AWS when needed
• Integrated with many programming languages
• Easy monitoring through AWS CloudWatch
• Easy to get more resources per function (up to 10 GB of RAM!)
• Increasing RAM will also improve CPU and network!
• Language support: Node.js (JavaScript), Python, Java, C# (.NET Core), PowerShell, Go, Ruby,
Custom Runtime API (community supported, example Rust)
Batch vs Lambda
• Lambda:
• Time limit
• Limited runtimes
• Limited temporary disk space
• Serverless
• Batch:
• No time limit
• Any runtime as long as it’s packaged as a Docker image
• Rely on EBS / instance store for disk space
• Relies on EC2 (can be managed by AWS)
Amazon Lightsail
• Virtual servers, storage, databases, and networking
Elastic Beanstalk
• Elastic Beanstalk is a developer centric view of deploying an application on AWS
• It uses all the components we've seen before: EC2, ASG, ELB, RDS, etc...
• But it’s all in one view that’s easy to make sense of!
• We still have full control over the configuration
• Beanstalk = Platform as a Service (PaaS)
• Beanstalk is free but you pay for the underlying instances
• Managed service
• Instance configuration / OS is handled by Beanstalk
• Deployment strategy is configurable but performed by Elastic Beanstalk
• Capacity provisioning
• Load balancing & auto-scaling
• Application health-monitoring & responsiveness
• Just the application code is the responsibility of the developer
CloudFormation
•CloudFormation is a declarative way of outlining your AWS Infrastructure, for any resources
(most of them are supported).
• For example, within a CloudFormation template, you say:
• I want a security group
• I want two EC2 instances using this security group
• I want an S3 bucket
• I want a load balancer (ELB) in front of these machines
• Then CloudFormation creates those for you, in the right order, with the exact configuration
that you specify
Benefits of AWS CloudFormation
• Infrastructure as code
• No resources are manually created, which is excellent for control
• Changes to the infrastructure are reviewed through code
• Cost
• Each resource within the stack is tagged with an identifier so you can easily see how
much a stack costs you
• You can estimate the costs of your resources using the CloudFormation template
• Savings strategy: in Dev, you could automate deletion of stacks at 5 PM and re-creation at
8 AM, safely
• Productivity
• Ability to destroy and re-create an infrastructure on the cloud on the fly
• Automated generation of Diagram for your templates!
• Declarative programming (no need to figure out ordering and orchestration)
• Don’t re-invent the wheel
• Leverage existing templates on the web!
• Leverage the documentation
• Supports (almost) all AWS resources:
• Everything we’ll see in this course is supported
• You can use "custom resources" for resources that are not supported
Trusted Advisor
CodeBuild
• Code building service in the cloud (name is obvious)
• Compiles source code, runs tests, and produces packages that are ready to be deployed
(by CodeDeploy for example)
Benefits:
• Fully managed, serverless
• Continuously scalable & highly available
• Secure
• Pay-as-you-go pricing – only pay for the build time
CodeDeploy
• We want to deploy our application automatically
• Works with EC2 Instances
• Works with On-Premises Servers
• Hybrid service
• Servers / Instances must be provisioned and configured ahead of time with the
CodeDeploy Agent
CodePipeline
• Orchestrate the different steps to have the code automatically pushed to production
• Code => Build => Test => Provision => Deploy
• Basis for CICD (Continuous Integration & Continuous Delivery)
• Benefits:
Fully managed, compatible with CodeCommit, CodeBuild, CodeDeploy, Elastic Beanstalk,
CloudFormation, GitHub, 3rd-party services & custom plugins...
Fast delivery & rapid updates
CodeArtifact
Software packages depend on each other to be built (also called code dependencies), and new
ones are created: CodeArtifact is a managed artifact repository for storing, publishing and
sharing them
Works with common dependency management tools such as Maven, Gradle, npm,
yarn, twine, pip, and NuGet
CodeStar
• Unified UI to easily manage software development activities in one place
• “Quick way” to get started to correctly set-up CodeCommit, CodePipeline, CodeBuild,
CodeDeploy, Elastic Beanstalk, EC2, etc...
• Can edit the code ”in-the-cloud” using AWS Cloud9
Aurora DB
• Aurora is a proprietary technology from AWS (not open sourced)
• PostgreSQL and MySQL are both supported as Aurora DB
• Aurora is “AWS cloud optimized” and claims 5x performance improvement over MySQL on
RDS, over 3x the performance of Postgres on RDS
• Aurora storage automatically grows in increments of 10 GB, up to 128 TiB
• Aurora costs more than RDS (20% more) – but is more efficient
• Not in the free tier
DynamoDB
Redshift
• Redshift is based on PostgreSQL, but it’s not used for OLTP
• It’s OLAP – online analytical processing (analytics and data warehousing)
• Load data once every hour, not every second
• 10x better performance than other data warehouses, scale to PBs of data
• Columnar storage of data (instead of row based)
• Massively Parallel Query Execution (MPP), highly available
• Pay as you go based on the instances provisioned
• Has a SQL interface for performing the queries
• BI tools such as AWS Quicksight or Tableau integrate with it
ElastiCache
• The same way RDS is to get managed Relational Databases...
• ElastiCache is to get managed Redis or Memcached
• Caches are in-memory databases with high performance, low latency
• Helps reduce load off databases for read intensive workloads
• AWS takes care of OS maintenance / patching, optimizations, setup, configuration,
monitoring, failure recovery and backups
Fargate
• Launch Docker containers on AWS
• You do not provision the infrastructure (no EC2 instances to manage) – simpler!
• Serverless offering
• AWS just runs containers for you based on the CPU / RAM you need
Amazon Athena
• Serverless query service to analyze data stored in Amazon S3
• Uses standard SQL language to query the files
• Supports CSV, JSON, ORC, Avro, and Parquet (built on Presto)
• Pricing: $5.00 per TB of data scanned
• Use compressed or columnar data for cost-savings (less scan)
• Use cases: Business intelligence / analytics / reporting, analyze & query VPC Flow Logs,
ELB Logs, CloudTrail trails, etc...
• Exam Tip: analyze data in S3 using serverless SQL, use Athena
Amazon QuickSight
• Serverless machine learning-powered business intelligence service to create interactive
dashboards
• Fast, automatically scalable, embeddable, with per-session pricing
• Use cases:
• Business analytics
• Building visualizations
• Perform ad-hoc analysis
• Get business insights using data
• Integrated with RDS, Aurora, Athena, Redshift, S3...
AWS Glue
• Managed extract, transform, and load (ETL) service
• Useful to prepare and transform data for analytics
• Fully serverless service
• Glue Data Catalog: catalog of datasets: can be used by Athena, Redshift, EMR, S3
Amazon Kinesis
• For the exam: Kinesis = real-time big data streaming
• Managed service to collect, process, and analyze real-time streaming data at any scale
Cost Explorer
• Visualize, understand, and manage your AWS costs and usage over time
• Create custom reports that analyze cost and usage data.
• Analyze your data at a high level: total costs and usage across all accounts
• Or at monthly, hourly, resource-level granularity
• Choose an optimal Savings Plan (to lower prices on your bill)
• Forecast usage up to 12 months based on previous usage
AWS Budgets
• Create budgets and send alarms when costs exceed the budget
• 4 types of budgets: Usage, Cost, Reservation, Savings Plans
• For Reserved Instances (RI)
• Track utilization
• Supports EC2, ElastiCache, RDS, Redshift
• Up to 5 SNS notifications per budget
• Can filter by: Service, Linked Account,Tag, Purchase Option, Instance Type, Region,
Availability Zone, API Operation, etc...
• Same options as AWS Cost Explorer!
• 2 budgets are free, then $0.02/day/budget
1. Which of the following are the serverless computing services offered by AWS
(Select two)
Amazon Elastic Compute Cloud (EC2)
Amazon Lightsail (Incorrect)
AWS Lambda (Correct)
AWS Elastic Beanstalk (Incorrect)
AWS Fargate (Correct)
2. Which of the following AWS services can be used to forecast your AWS account
usage and costs?
AWS Cost and Usage Reports
AWS Pricing Calculator
AWS Budgets (Incorrect)
AWS Cost Explorer (Correct)
4.Which of the following AWS services are part of the AWS Foundation services for
the Reliability pillar of the Well-Architected Framework in AWS Cloud? (Select two)
Amazon CloudWatch (Incorrect)
AWS CloudFormation
AWS Service Quotas (Correct)
AWS Trusted Advisor (Correct)
AWS CloudTrail (Incorrect)
AWS Trusted Advisor is an online tool that provides you real-time guidance to help you
provision your resources following AWS best practices on cost optimization, security, fault
tolerance, service limits, and performance improvement. Whether establishing new
workflows, developing applications, or as part of ongoing improvement, recommendations
provided by Trusted Advisor regularly help keep your solutions provisioned optimally.
Service Quotas enables you to view and manage your quotas for AWS services from a
central location. Quotas, also referred to as limits in AWS, are the maximum values for the
resources, actions, and items in your AWS account. Each AWS service defines its quotas
and establishes default values for those quotas.
6. Data encryption is automatically enabled for which of the following AWS services?
(Select two)
Amazon EBS volumes
Amazon S3 Glacier (Correct)
Amazon Redshift
AWS Storage Gateway (Correct)
Amazon EFS drives (Incorrect)
7. Which AWS service can be used to subscribe to an RSS feed to be notified of the
status of all AWS service interruptions?
Amazon SNS (Incorrect)
AWS Service Health Dashboard (Correct)
AWS Lambda
AWS Personal Health Dashboard
8. An AWS user is trying to launch an EC2 instance in a given region. What is the
region-specific constraint that the Amazon Machine Image (AMI) must meet so that it
can be used for this EC2 instance?
You should use an AMI from the same region, as it improves the performance of the
EC2 instance
You must use an AMI from the same region as that of the EC2 instance. The region
of the AMI has no bearing on the performance of the EC2 instance (Correct)
You can use an AMI from a different region, but it degrades the performance of the
EC2 instance
An AMI is a global entity, so the region is not applicable
10 A financial services company wants to ensure that its AWS account activity meets
the governance, compliance and auditing norms. As a Cloud Practitioner, which AWS
service would you recommend for this use-case?
CloudWatch
CloudTrail (Correct)
Trusted Advisor (Incorrect)
Config
CloudTrail You can use CloudTrail to log, monitor and retain account activity related to
actions across your AWS infrastructure. CloudTrail provides an event history of your AWS
account activity, including actions taken through the AWS Management Console, AWS
SDKs, command-line tools, and other AWS services.
11. Which AWS service would you choose for a data processing project that needs a
schemaless database?
Amazon DynamoDB (Correct)
Amazon RedShift (Incorrect)
Amazon RDS
Amazon Aurora
13. A company wants to improve the resiliency of its flagship application so it wants to move
from its traditional database system to a managed AWS database service to support active-
active configuration in both the East and West US AWS regions. The active-active
configuration with cross-region support is the prime criteria for any database solution that the
company considers.
Which AWS database service is the right fit for this requirement?
Amazon Aurora with multi-master clusters (Incorrect)
Amazon Relational Database Service (Amazon RDS) for MySQL
Amazon DynamoDB with DynamoDB Accelerator
Amazon DynamoDB with global tables (Correct)
14. Which of the following AWS services are always free to use (Select two)?
Elastic Compute Cloud (Amazon EC2)
Identity and Access Management (IAM) (Correct)
DynamoDB
AWS Auto Scaling (Correct)
Simple Storage Service (Amazon S3)
15. Which of the following statements is the MOST accurate when describing AWS
Elastic Beanstalk?
• It is an Infrastructure as Code which allows you to model and provision resources needed
for an application
• It is a Platform as a Service (PaaS) which allows you to deploy and scale web applications
and services (Correct)
• It is a Platform as a Service (PaaS) which allows you to model and provision resources
needed for an application
• It is an Infrastructure as a Service (IaaS) which allows you to deploy and scale web
applications and services
16. A company's flagship application runs on a fleet of Amazon EC2 instances. As per the
new policies, the system administrators are looking for the best way to provide secure shell
access to AWS EC2 instances without opening new ports or using public IP addresses.
Which tool/service will help you achieve this requirement?
Amazon EC2 Instance Connect (Incorrect)
Amazon Inspector
Amazon Route 53
AWS Systems Manager Session Manager (Correct)
AWS Systems Manager Session Manager
AWS SSM Session Manager is a fully-managed service that provides you with an interactive
browser-based shell and CLI experience. It helps provide secure and auditable instance
management without the need to open inbound ports, maintain bastion hosts, and manage
SSH keys. Session Manager helps to enable compliance with corporate policies that require
controlled access to instances, increase security and auditability of access to the instances
while providing simplicity and cross-platform instance access to end-users.
17. A company uses reserved EC2 instances across multiple units with each unit
having its own AWS account. However, some of the units under-utilize their reserved
instances while other units need more reserved instances. As a Cloud Practitioner,
which of the following would you recommend as the most cost-optimal solution?
• Use AWS Trusted Advisor to manage AWS accounts of all units and then share the
reserved EC2 instances amongst all units
• Use AWS Organizations to manage AWS accounts of all units and then share the reserved
EC2 instances amongst all units (Correct)
• Use AWS Cost Explorer to manage AWS accounts of all units and then share the reserved
EC2 instances amongst all units
• Use AWS Systems Manager to manage AWS accounts of all units and then share the
reserved EC2 instances amongst all units (Incorrect)
18. An IT company has a hybrid cloud architecture and it wants to centralize the
server logs for its EC2 instances and on-premises servers. Which of the following is
the MOST effective for this use-case?
• Use CloudTrail for the EC2 instance and CloudWatch Logs for the on-premises servers
• Use CloudWatch Logs for the EC2 instance and CloudTrail for the on-premises servers
• Use AWS Lambda to send log data from EC2 instance as well as on-premises servers to
CloudWatch Logs
• Use CloudWatch Logs for both the EC2 instance and the on-premises servers (Correct)
20. Read Replicas improve database scalability. Amazon Relational Database Service
(Amazon RDS) makes it easy to set up, operate, and scale a relational database in the
cloud. Read Replicas are read-only copies kept up to date from the primary (source) database
through asynchronous replication, so they can lag slightly behind it. They are used to improve
read performance, and a replica can also be placed in a different AWS Region, closer to your
users. Read Replicas are an example of horizontal scaling (adding instances) rather than
vertical scaling (moving to a larger instance).
21. A start-up would like to quickly deploy a popular technology on AWS. As a Cloud
Practitioner, which AWS tool would you use for this task?
AWS Whitepapers
AWS Forums
AWS CodeDeploy (Incorrect)
AWS Quick Starts references (Correct)
AWS Quick Starts references Quick Starts are built by AWS solutions architects and
partners to help you deploy popular technologies on AWS, based on AWS best practices for
security and high availability. These accelerators reduce hundreds of manual procedures
into just a few steps, so you can build your production environment quickly and start using it
immediately.
23. A Cloud Practitioner would like to get operational insights of its resources to
quickly identify any issues that might impact applications using those resources.
Which AWS service can help with this task?
AWS Systems Manager (Correct)
Amazon Inspector
AWS Personal Health Dashboard
AWS Trusted Advisor (Incorrect)
AWS Systems Manager AWS Systems Manager allows you to centralize operational data
from multiple AWS services and automate tasks across your AWS resources. You can
create logical groups of resources such as applications, different layers of an application
stack, or production versus development environments.
With Systems Manager, you can select a resource group and view its recent API activity,
resource configuration changes, related notifications, operational alerts, software inventory,
and patch compliance status. You can also take action on each resource group depending
on your operational needs. Systems Manager provides a central place to view and manage
your AWS resources, so you can have complete visibility and control over your operations.
AWS Edge Locations - An AWS Edge location is a site that CloudFront uses to cache
copies of the content for faster delivery to users at any location.
26. A web application stores all of its data on Amazon S3 buckets. A client has mandated
that data be encrypted before sending it to Amazon S3.
Which of the following is the right technique for encrypting data as needed by the customer?
Enable server-side encryption with Amazon S3-Managed Keys (SSE-S3)
Enable client-side encryption using the AWS Encryption SDK (Correct)
Enable server-side encryption with KMS keys stored in AWS Key Management
Service (SSE-KMS)
Encryption is enabled by default for all the objects written to Amazon S3. Additional
configuration is not required
Only client-side encryption encrypts the data before it leaves the client; with SSE-S3 and
SSE-KMS the encryption happens inside S3 after the object has been received, so neither meets
a requirement to encrypt before sending.
27. According to the AWS Shared Responsibility Model, which of the following are
responsibilities of AWS? (Select two)
Creating IAM role for accessing Amazon EC2 instances (Incorrect)
Replacing faulty hardware of Amazon EC2 instances (Correct)
Maintaining Amazon S3 data in different availability zones to keep it durable (Correct)
Enabling Multi Factor Authentication on AWS accounts in your organization
Creating S3 bucket policies for appropriate user access
28. Which of the following AWS services support reservations to optimize costs?
(Select three)
S3
Lambda
EC2 Instances (Correct)
DocumentDB
RDS (Correct)
DynamoDB (Correct)
29. Which of the following AWS services support VPC Endpoint Gateway for a private
connection from a VPC? (Select two)
S3 (Correct)
Amazon SQS
DynamoDB (Correct)
Amazon EC2 (Incorrect)
Amazon SNS
Gateway endpoints exist only for Amazon S3 and DynamoDB and are added as targets in the
subnet route tables. SQS, SNS and the EC2 API are reached privately through interface
endpoints (AWS PrivateLink), which place an elastic network interface in your subnet.
30. A multi-national corporation wants to get expert professional advice on migrating to AWS
and managing their applications on AWS Cloud. Which of the following entities would
you recommend for this engagement?
AWS Trusted Advisor (Incorrect)
APN Consulting Partner (Correct)
Concierge Support Team
APN Technology Partner
APN Consulting Partner The AWS Partner Network (APN) is the global partner program for
technology and consulting businesses that leverage Amazon Web Services to build solutions
and services for customers.
APN Consulting Partners are professional services firms that help customers of all types and
sizes design, architect, build, migrate, and manage their workloads and applications on
AWS, accelerating their migration to AWS cloud.
31. A multi-national company has just moved its infrastructure from its on-premises
data center to AWS Cloud. As part of the shared responsibility model, AWS is
responsible for which of the following?
Physical and Environmental controls (Correct)
Service and Communications Protection or Zone Security (Incorrect)
Patching guest OS
Configuring customer applications
32. A company wants to have control over creating and using its own keys for
encryption on AWS services. Which of the following can be used for this use-case?
AWS Owned CMK
AWS Managed CMK
Customer Managed CMK (Correct)
Secrets Manager (Incorrect)
Customer Managed CMK A KMS key (formerly called a customer master key, CMK) is a logical
representation of an encryption key. It includes metadata such as the key ID, creation date,
description, and key state, and it references the key material used to encrypt and decrypt
data; that material never leaves AWS KMS unencrypted. Customer managed keys are created and
managed by the AWS customer, who controls their key policy, rotation and deletion. Access to
a key is governed by its key policy together with IAM policies (an IAM policy can only grant
what the key policy permits). AWS managed keys are created by a service on the customer's
behalf, AWS owned keys are not visible in the customer's account at all, and Secrets Manager
stores secrets rather than creating encryption keys.
33. Which of the following is CORRECT regarding removing an AWS account from
AWS Organizations?
The AWS account must be able to operate as a standalone account. Only then can it
be removed from AWS Organizations (Correct)
Raise a support ticket with AWS Support to remove the account
The AWS account must not have any Service Control Policies (SCPs) attached to it.
Only then can it be removed from AWS Organizations (Incorrect)
The AWS account can be removed from AWS Systems Manager
34. Which of the following AWS Support plans provides access to Infrastructure Event
Management for an additional fee?
Basic
Enterprise (Incorrect)
Developer
Business (Correct)
Infrastructure Event Management is included with the Enterprise plan and available to
Business plan customers for an additional fee.
35. Which of the following AWS services can be used to connect a company's on-
premises environment to a VPC without using the public internet?
AWS Direct Connect (Correct)
Site-to-Site VPN
Internet Gateway (Incorrect)
Amazon VPC Endpoint
36. Which of the following are correct statements regarding the AWS Global
Infrastructure? (Select two)
Each AWS Region consists of two or more Availability Zones (Correct)
Each AWS Region consists of two or more Edge Locations (Incorrect)
Each Availability Zone (AZ) consists of one or more discrete data centers (Correct)
Each Availability Zone (AZ) consists of two or more discrete data centers
Each AWS Region consists of one or more Availability Zones (Incorrect)
37. Which AWS services can be used to facilitate organizational change management,
part of the Reliability pillar of AWS Well-Architected Framework? (Select three)
AWS Trusted Advisor (Incorrect)
AWS CloudTrail (Correct)
Amazon GuardDuty
Amazon CloudWatch (Correct)
Amazon Inspector (Incorrect)
AWS Config (Correct)
38. Which of the following statements are CORRECT regarding the AWS VPC service?
(Select two)
A NAT Instance is managed by AWS
A Security Group can have both allow and deny rules
A NACL can have allow rules only
A Security Group can have allow rules only (Correct)
A NAT Gateway is managed by AWS (Correct)
39. Which of the following statements are CORRECT regarding the Availability Zone
(AZ) specific characteristics of EBS and EFS storage types?
EBS volume can be attached to a single instance in the same Availability Zone
whereas EFS file system can be mounted on instances across multiple Availability
Zones (Correct)
EBS volume can be attached to one or more instances in multiple Availability Zones
and EFS file system can be mounted on instances across multiple Availability Zones
EBS volume can be attached to a single instance in the same Availability Zone and
EFS file system can only be mounted on instances in the same Availability Zone (Incorrect)
EBS volume can be attached to one or more instances in multiple Availability Zones
and EFS file system can be mounted on instances in the same Availability Zone
An EBS volume lives in one Availability Zone. The one exception to single attachment, EBS
Multi-Attach, lets an io1 or io2 volume be attached to several instances, but still only
within that same Availability Zone.
40. Which AWS service will help you receive alerts when the reservation utilization falls
below the defined threshold?
AWS Trusted Advisor
AWS Pricing Calculator
AWS CloudTrail (Incorrect)
AWS Budgets (Correct)
AWS Budgets gives you the ability to set custom budgets that alert you when your costs or
usage exceed (or are forecasted to exceed) your budgeted amount.
You can also use AWS Budgets to set reservation utilization or coverage targets and receive
alerts when your utilization drops below the threshold you define. Reservation alerts are
supported for Amazon EC2, Amazon RDS, Amazon Redshift, Amazon ElastiCache, and
Amazon Elasticsearch (now Amazon OpenSearch Service) reservations.
41. The DevOps team at an IT company is moving 500 GB of data from an EC2
instance to an S3 bucket in the same region. Which of the following scenario captures
the correct charges for this data transfer?
• The company would be charged for both the outbound data transfer from EC2 instance as
well as the inbound data transfer into the S3 bucket
• The company would only be charged for the outbound data transfer from EC2 instance
• The company would only be charged for the inbound data transfer into the S3 bucket (Incorrect)
• The company would not be charged for this data transfer (Correct)
42. Which AWS Support plan provides architectural guidance contextual to your
specific use-cases?
Enterprise (Incorrect)
Developer
Basic
Business (Correct)
44. Which of the following entities applies patches to the underlying OS for AWS Aurora?
The AWS Product Team automatically (Correct)
AWS Support after receiving a request from the customer (Incorrect)
The AWS customer by SSHing into the instances
The AWS customer by using AWS Systems Manager
45. Which of the following AWS services has encryption enabled by default?
CloudTrail Logs (Correct)
Amazon S3 (Incorrect)
Amazon Elastic Block Store (EBS)
Amazon Elastic File System (EFS)
CloudTrail log files delivered to S3 are encrypted with SSE-S3 by default (SSE-KMS is optional).
Note that since January 2023 Amazon S3 also applies SSE-S3 to every new object by default, so
this question reflects the earlier behaviour. EBS encryption by default is an opt-in account
setting per Region, and EFS encryption at rest is chosen when the file system is created.
46. A startup wants to migrate its data and applications from the on-premises data
center to AWS Cloud. Which of the following options can be used by the startup to
help with this migration? (Select two)
• Leverage AWS Professional Services to accelerate the infrastructure migration (Correct)
• Consult moderators on AWS Developer Forums
• Use AWS Trusted Advisor to automate the infrastructure migration (Incorrect)
• Utilize AWS Partner Network (APN) to build a custom solution for this infrastructure
migration (Correct)
• Raise a support ticket with AWS Support for further assistance
47. A company is using a message broker service on its on-premises application and
wants to move this messaging functionality to AWS Cloud. Which of the following
AWS services is the right choice to move the existing functionality easily?
Amazon MQ (Correct)
Amazon Simple Queue Service (SQS)
Amazon Simple Notification Service (SNS)
Amazon Kinesis Data Stream
48. A customer has created a VPC and a subnet within AWS Cloud. Which of the
following statements is correct?
Both the VPC and the subnet span all of the Availability Zones in the Region
A VPC spans all of the Availability Zones in the Region whereas a subnet spans only
one Availability Zone in the Region (Correct)
Both the VPC and the subnet span only one Availability Zone in the Region
A subnet spans all of the Availability Zones in the Region whereas a VPC spans only
one Availability Zone in the Region
49. Which of the following statements are true about AWS Lambda? (Select two)
AWS Lambda provides access to the underlying operating system to control its
behavior through code
Allows you to orchestrate and manage Docker containers to facilitate complex
containerized applications on AWS
You pay for the compute time you consume (Correct)
AWS Lambda lets you run code without provisioning or managing servers (Correct)
Allows you to install databases on the underlying serverless Operating System
50. Which of the following statements is correct for a Security Group and a Network
Access Control List?
Security Group acts as a firewall at the AZ level whereas Network Access Control
List acts as a firewall at the VPC level
Security Group acts as a firewall at the VPC level whereas Network Access Control
List acts as a firewall at the AZ level
Security Group acts as a firewall at the subnet level whereas Network Access Control
List acts as a firewall at the instance level
Security Group acts as a firewall at the instance level whereas Network Access
Control List acts as a firewall at the subnet level (Correct)
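Questions 38 and 50 above turn on the same distinction: security groups are stateful allow-lists at the instance level, network ACLs are stateless, numbered allow/deny lists at the subnet level. The added example below (not from the original notes) models both evaluation orders over constructed rule sets, including the stateless-return-traffic point that catches people out with NACLs, and adds the audit check that pairs with question 16: whether any security group rule still exposes port 22 to the world. The rule sets and addresses are made up for the example.

```python
"""Evaluate traffic against security group and network ACL rules (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List


@dataclass(frozen=True)
class Packet:
    src: str            # source IP of the packet being evaluated
    dst_port: int       # destination port
    proto: str = "tcp"


@dataclass(frozen=True)
class SGRule:
    """Security group rules can only allow; there is no deny and no ordering."""
    proto: str
    from_port: int
    to_port: int
    cidr: str


@dataclass(frozen=True)
class NaclRule:
    """NACL rules are numbered, evaluated lowest number first, and can allow or deny."""
    number: int
    proto: str          # "-1" means all protocols, as in the AWS API
    from_port: int
    to_port: int
    cidr: str
    action: str         # "allow" or "deny"


def _matches(proto: str, from_port: int, to_port: int, cidr: str, pkt: Packet) -> bool:
    return (proto in ("-1", pkt.proto)
            and from_port <= pkt.dst_port <= to_port
            and ip_address(pkt.src) in ip_network(cidr))


def sg_allows(rules: List[SGRule], pkt: Packet) -> bool:
    """Instance level, stateful: any matching rule admits the packet (and its replies);
    with no match the packet is implicitly denied."""
    return any(_matches(r.proto, r.from_port, r.to_port, r.cidr, pkt) for r in rules)


def nacl_decision(rules: List[NaclRule], pkt: Packet) -> str:
    """Subnet level, stateless: the first rule (ascending number) that matches decides;
    the implicit final '*' rule denies everything else. Replies are evaluated separately."""
    for r in sorted(rules, key=lambda r: r.number):
        if _matches(r.proto, r.from_port, r.to_port, r.cidr, pkt):
            return r.action
    return "deny"


def ssh_open_to_world(rules: List[SGRule]) -> bool:
    """Audit check: does any rule expose port 22 to 0.0.0.0/0 (or ::/0)? With Session
    Manager, question 16, no such rule is needed at all."""
    return any(r.proto in ("-1", "tcp") and r.from_port <= 22 <= r.to_port
               and ip_network(r.cidr).prefixlen == 0 for r in rules)


# Constructed sample rule sets (not from any real account).
WEB_SG = [
    SGRule("tcp", 443, 443, "0.0.0.0/0"),
    SGRule("tcp", 22, 22, "10.0.0.0/8"),        # SSH only from the corporate range
]
SUBNET_NACL_IN = [
    NaclRule(90, "-1", 0, 65535, "203.0.113.0/24", "deny"),   # blocklist: lowest number, wins
    NaclRule(100, "tcp", 443, 443, "0.0.0.0/0", "allow"),
    NaclRule(110, "tcp", 22, 22, "10.0.0.0/8", "allow"),
]
SUBNET_NACL_OUT = [
    # Stateless: replies to inbound 443 go back to the client's ephemeral port, which the
    # outbound NACL must allow explicitly or the connection silently fails.
    NaclRule(100, "tcp", 1024, 65535, "0.0.0.0/0", "allow"),
]

if __name__ == "__main__":
    client = Packet("198.51.100.7", 443)
    print("SG allows HTTPS        :", sg_allows(WEB_SG, client))
    print("NACL inbound HTTPS     :", nacl_decision(SUBNET_NACL_IN, client))
    print("NACL reply to ephemeral:", nacl_decision(SUBNET_NACL_OUT, Packet("198.51.100.7", 50000)))
    print("NACL blocklisted range :", nacl_decision(SUBNET_NACL_IN, Packet("203.0.113.5", 443)))
    print("SSH exposed to world   :", ssh_open_to_world(WEB_SG))
```

Note that the blocklist rule works only because its number (90) is lower than the allow at 100; a deny numbered 120 would never be reached for HTTPS from that range.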
51. Which of the following is correct about AWS "Developer" Support plan?
Allows one contact to open unlimited cases (Correct)
Allows one contact to open a limited number of cases per month
Allows unlimited contacts to open a limited number of cases per month (Incorrect)
Allows unlimited contacts to open unlimited cases
52. Access Key ID and Secret Access Key are tied to which of the following AWS
Identity and Access Management entities?
IAM Group
AWS Policy
IAM Role
IAM User (Correct)
Long-term access keys belong to IAM users (the root user can also hold them, which is
discouraged). IAM roles are assumed through AWS STS and receive temporary credentials
consisting of an access key ID, a secret access key and a session token that expire.
53. Which AWS compute service provides the EASIEST way to access resizable
compute capacity in the cloud with support for per-second billing and access to the
underlying OS?
Amazon Lightsail (Incorrect)
AWS Lambda
Amazon Elastic Container Service (ECS)
Amazon Elastic Compute Cloud (EC2) (Correct)
Amazon Elastic Compute Cloud (EC2) is a web service that provides secure, resizable
compute capacity in the cloud with support for per-second billing. It is the easiest way to
provision servers on AWS Cloud and access the underlying OS. Amazon EC2 reduces the
time required to obtain and boot new server instances to minutes, allowing you to quickly
scale capacity, both up and down, as your computing requirements change.
57. What are the fundamental drivers of cost with AWS Cloud?
Compute, Databases and Outbound Data Transfer
Compute, Databases and Inbound Data Transfer (Incorrect)
Compute, Storage and Inbound Data Transfer
Compute, Storage and Outbound Data Transfer (Correct)
58. AWS Compute Optimizer delivers recommendations for which of the following
AWS resources? (Select two)
Amazon EC2 instances, Amazon EC2 Auto Scaling groups (Correct)
Amazon EBS volumes, AWS Lambda functions (Correct)
AWS Lambda functions, Amazon Simple Storage Service (Amazon S3)
Amazon Elastic File System (Amazon EFS), AWS Lambda functions
Amazon EC2 instances, Amazon Elastic File System (Amazon EFS)
59. Which of the following AWS services can be used to prevent Distributed Denial-of-
Service (DDoS) attack? (Select three)
Amazon CloudFront with Route 53 (Correct)
Amazon Inspector
AWS CloudHSM
AWS Trusted Advisor
AWS Shield (Correct)
AWS WAF (Correct)
60. Which of the following statements are correct about the AWS account root user
(Select two)
Root user credentials should only be shared with managers requiring administrative
responsibilities to complete their jobs
Root user access credentials are the email address and password used to create the
AWS account (Correct)
Root user account password cannot be changed once it is set
It is highly recommended to enable Multi Factor Authentication (MFA) for the root user
account (Correct)
Root account gets unrestricted permissions when the account is created, but these
can be restricted using IAM policies
61. A startup is looking for 24x7 phone-based technical support for its AWS account.
Which of the following is the MOST cost-effective AWS support plan for this use-
case?
Enterprise
Developer
Business (Correct)
Basic
62. The AWS Well-Architected Framework provides guidance on building cloud based
applications using AWS best practices. Which of the following options are the pillars
mentioned in the AWS Well-Architected Framework? (Select two)
Cost Optimization (Correct)
Scalability
Elasticity
Availability
Reliability (Correct)
63. Which AWS service can be used to provision resources to run big data workloads
on Hadoop clusters?
AWS Step Function
Amazon EC2
Amazon EMR (Correct)
AWS Batch
64. What are the different gateway types supported by AWS Storage Gateway service?
66. The engineering team at an IT company wants to monitor the CPU utilization for its
fleet of EC2 instances and send an email to the administrator if the utilization exceeds
80%. As a Cloud Practitioner, which AWS services would you recommend to build this
solution? (Select two)
Lambda
CloudTrail
SQS
CloudWatch (Correct)
SNS (Correct)
67. Which of the following AWS services are global in scope? (Select two)
AWS Identity and Access Management (IAM) (Correct)
Amazon S3
Amazon Elastic Compute Cloud (Amazon EC2)
Amazon Relational Database Service (Amazon RDS)
Amazon CloudFront (Correct)
68. Which of the following statements is correct regarding the AWS pricing policy for
data transfer charges into or out of an AWS Region?
Both inbound data transfer and outbound data transfer are charged
Only inbound data transfer is charged (Incorrect)
Only outbound data transfer is charged (Correct)
Neither inbound nor outbound data transfer are charged
69. Which of the following is the correct statement regarding the AWS Storage
services?
* S3 is object based storage, EBS is file based storage and EFS is block based storage
* S3 is file based storage, EBS is block based storage and EFS is object based storage
* S3 is object based storage, EBS is block based storage and EFS is file based storage
(Correct)
* S3 is block based storage, EBS is object based storage and EFS is file based storage
71. Which of the following AWS services is essential for implementing security of
resources in AWS Cloud?
AWS Shield
AWS Identity and Access Management (IAM) (Correct)
Amazon CloudWatch
AWS WAF (Incorrect)
AWS Identity and Access Management (IAM) enables you to manage access to AWS
services and resources securely. Using IAM, you can create and manage AWS users and
groups, and use permissions to allow and deny their access to AWS resources. IAM enables
security best practices by allowing you to grant unique security credentials to users and
groups to specify which AWS service APIs and resources they can access. These features
make IAM an important service for the overall security of AWS resources in your account.
IAM is secure by default; users have no access to AWS resources until permissions are
explicitly granted.
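Questions 52, 60 and 71 above concern the same control plane: long-term access keys belong to IAM users, the root user must have MFA, and IAM is where account security starts. The added example below (not from the original notes) audits a constructed IAM credential report, using a subset of the real columns returned by `aws iam get-credential-report`, for the findings a reviewer checks first: root MFA, root access keys, console users without MFA, and active keys that are stale or have never been used. The account number 111122223333, the user names and the timestamps are fictional.

```python
"""Audit an IAM credential report for root access keys, missing MFA and stale keys
(added example, not AWS code)."""
import csv
import io
from collections import namedtuple
from datetime import datetime, timezone

Finding = namedtuple("Finding", "user code slot detail")

# Constructed sample (fictional account 111122223333). It keeps a subset of the columns of
# `aws iam get-credential-report`, which returns this CSV base64-encoded with more columns.
CREDENTIAL_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2021-03-01T09:00:00+00:00,not_supported,2024-05-02T08:15:00+00:00,not_supported,not_supported,false,true,2021-03-01T09:05:00+00:00,2023-11-20T14:00:00+00:00,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,2022-06-10T12:00:00+00:00,true,2024-05-01T07:30:00+00:00,2024-04-15T07:30:00+00:00,2024-07-14T07:30:00+00:00,true,true,2024-03-20T10:00:00+00:00,2024-05-01T07:45:00+00:00,false,N/A,N/A
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2020-01-05T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2020-01-05T00:10:00+00:00,2024-04-30T23:59:00+00:00,true,2022-02-01T00:00:00+00:00,N/A
"""

# Fixed evaluation time so the sample is reproducible; use datetime.now(timezone.utc) in practice.
AUDIT_TIME = datetime(2024, 5, 3, tzinfo=timezone.utc)
ROOT = "<root_account>"   # the report names the root user exactly like this


def _parse_time(value):
    """Report timestamps are ISO 8601; N/A, not_supported and no_information mean 'none'."""
    if value in ("N/A", "not_supported", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def _true(value):
    return value == "true"


def analyze(report_csv, now, max_key_age_days=90):
    """Return a list of Finding tuples for the report text, judged as of `now`."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == ROOT
        # MFA: root must always have it; for IAM users it matters once a console password exists.
        if is_root and not _true(row["mfa_active"]):
            findings.append(Finding(user, "ROOT_NO_MFA", None, "root user has no MFA device"))
        elif not is_root and _true(row["password_enabled"]) and not _true(row["mfa_active"]):
            findings.append(Finding(user, "CONSOLE_NO_MFA", None, "console password without MFA"))
        # Long-term access keys exist only on IAM users and the root user; each has two slots.
        for slot in (1, 2):
            if not _true(row[f"access_key_{slot}_active"]):
                continue
            if is_root:
                findings.append(Finding(user, "ROOT_ACCESS_KEY", slot,
                                        "root user should have no access keys"))
            rotated = _parse_time(row[f"access_key_{slot}_last_rotated"])
            age = (now - rotated).days if rotated else None
            if age is None or age > max_key_age_days:
                findings.append(Finding(user, "KEY_STALE", slot,
                                        f"key age {age} days exceeds {max_key_age_days}"))
            if _parse_time(row[f"access_key_{slot}_last_used_date"]) is None:
                findings.append(Finding(user, "KEY_UNUSED", slot, "active key has never been used"))
    return findings


if __name__ == "__main__":
    for f in analyze(CREDENTIAL_REPORT, AUDIT_TIME):
        print(f"{f.user:<16} {f.code:<16} key={f.slot} {f.detail}")
```

In the sample, alice (console user, MFA on, key rotated 44 days ago) produces nothing, while the root user and the never-rotated service user account for every finding; the 90-day threshold is the common baseline and is a parameter because some programs use 180.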