Quizlet SAAC03 Notes

This document provides an overview of various AWS concepts including EC2 instance types, accessing AWS, IAM roles, capacity reservations, API error codes, EKS and more.

AWS SAA C03

Study online at https://quizlet.com/_ddulnj

1. EC2 Instance Types
t-type + m-type for general purpose
c-type for compute optimized
r-type, x-type, + z-type for memory-optimized
d-type, h-type, + i-type for storage optimized
f-type, g-type, + p-type for accelerated computing

2. Access AWS in 3 ways
• AWS Management Console (protected by password + MFA)
• AWS Command Line Interface (CLI): protected by access keys
• AWS Software Developer Kit (SDK) - for code: protected by access keys

3. AWS Access Keys
Generated through the AWS Console
Access Key ID ~= username
Secret Access Key ~= password

4. Instance Store vs EBS
Cheap - ST1 or SC1
Throughput - streaming - ST1
Boot - Not ST1 or SC1
GP2/3 - up to 16,000 IOPS
IO1/2 - up to 64,000 IOPS (*256,000)
RAID0 + EBS - 260,000 IOPS (io1/2-BE/GP2/3)
More than 260,000 IOPS - Instance Store

5. Online transaction processing (OLTP)
Databases focus on recording Update, Insertion, and Deletion data transactions. OLTP queries are simple and short, which require less time and space to process.
A great example of an OLTP system is a bank ATM, in which you can modify your bank account using short transactions.

6. AWS Global Services
• Identity and Access Management (IAM)
• Route 53 (DNS service)
• CloudFront (Content Delivery Network)
• WAF (Web Application Firewall)

7. Region-scoped Resources
• Amazon EC2 (Infrastructure as a Service)
• Elastic Beanstalk (Platform as a Service)
• Lambda (Function as a Service)
• Rekognition (Software as a Service)

8. IAM Roles
• Some AWS services will need to perform actions on your behalf
• To do so, we assign permissions to AWS services with IAM Roles
• Common roles:
• EC2 Instance Roles
• Lambda Function Roles
• Roles for CloudFormation

9. Capacity Reservations
Reserve capacity in a specific AZ for any duration

10. IAM Security Tools
• IAM Credentials Report (account-level):
• a report that lists all your account's users and the status of their various credentials
• IAM Access Advisor (user-level):
• Access Advisor shows the service permissions granted to a user and when those services were last accessed
• You can use this information to revise your policies

11. Online analytical processing (OLAP)
Databases store historical data that has been input by OLTP
OLAP databases allow users to view different summaries of multidimensional data. Using OLAP, you can extract information from a large database and analyse it for decision-making
A good example of an OLAP system is a business intelligence tool

12. Useful ports
PostgreSQL: 5432
MySQL: 3306
Oracle: 1521
MS SQL Server: 1433
MariaDB: 3306
Aurora: 5432

13. API Error Codes
4xx - Client error
5xx - Server error (backend issue)
400 - Bad Request
403 - Access Denied
429 - API Gateway, exceeded throttling
502 - Bad Gateway Exception
503 - Service Unavailable
504 - Integration Failure/timeout (29 secs)

14. Amazon Elastic Kubernetes Service (EKS)
A managed service that allows you to run Kubernetes on AWS without installing, operating, or maintaining your own Kubernetes control plane or nodes
The API server endpoint is public to the internet by default, but you can enable private access to keep communication between nodes and the API server within the VPC
Supports two autoscaling products:
1. Cluster Autoscaler - uses AWS Auto Scaling groups
2. Karpenter - works directly with the Amazon EC2 Fleet
EKS cluster uses IAM / OIDC for authentication and Kubernetes RBAC for authorization

15. EKS Components
1. EKS control plane
Made up of nodes that run the Kubernetes software
Each cluster is single-tenant and unique, and runs on its own set of EC2 instances
Cluster control plane is provisioned across multiple AZs and fronted by an ELB Network Load Balancer
Use AWS KMS to encrypt data stored by nodes and associated EBS volumes
By default, cluster control plane logs aren't sent to CloudWatch Logs
In order to send logs for your cluster, you have to enable each log type individually

2. EKS nodes
A cluster consists of one or more EC2 nodes on which pods are scheduled
Connects to the cluster's control plane via the API server endpoint

16. HTTPS listener
• You must specify a default certificate
• You can add an optional list of certs to support multiple domains
• Clients can use SNI (Server Name Indication) to specify the hostname they reach
• Ability to specify a security policy to support older versions of SSL / TLS (legacy clients)

17. Deploy an IGW
1. Create IGW
2. Attach IGW to VPC
3. Create custom route table
4. Associate RT
5. Default Routes => IGW
6. Subnet allocate IPv4

18. EKS Nodes
Nodes represent the compute resources provisioned for your cluster
Nodes must be in the same VPC as the subnets you chose when creating a cluster
On-Demand or Spot instances
Node updates and terminations drain nodes automatically

1. Self-managed nodes
Nodes created by you and registered to the EKS cluster and managed by an ASG
You can use a prebuilt AMI - Amazon EKS Optimized AMI
Supports On-Demand or Spot Instances

2. Managed node groups
Creates and manages Nodes (EC2 instances)
Nodes are part of an ASG managed by EKS
Supports On-Demand or Spot Instances

19. cfn-init
Use to retrieve and interpret resource metadata, install packages, create files, and start services

20. cfn-signal
Use to signal with a CreationPolicy or WaitCondition, so you can synchronize other resources in the stack when the prerequisite resource or application is ready

21. cfn-get-metadata
Use to retrieve metadata for a resource or path to a specific key

22. cfn-hup
Use to check for updates to metadata and execute custom hooks when changes are detected

23. Execution roles vs. Resource policies
Execution roles are used to grant permissions to AWS services or resources when they need to perform actions on your behalf
Resource policies are used to grant permissions directly to AWS resources to control access to those resources

24. Trusted entities (assume role)
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "states.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

25. Lambda Role
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:*:*:*"
    },
    {
      "Effect": "Allow",
      "Action": [ "ec2:Start*", "ec2:Stop*" ],
      "Resource": "*"
    }
  ]
}

26. EC2 Instance Roles
IAM role -> temp credentials
Assume the role
Credentials inside metadata
IAM/Security - credentials/role-name used rather than access keys
CLI tools

27. AWS Systems Manager Patch Manager
Uses patch baselines
Centralise operational data and automate tasks
Add tags to patch baselines
`AWS-RunPatchBaseline`: target managed instances using their IP/tags
SSM agent + patch manager
`AWS-DefaultPatchBaseline`: critical updates used to approve all server OS patches

28. Systems Manager Document
Defines the actions that Systems Manager performs
JSON/YAML

29. Health Checks
Amazon EC2 Auto Scaling can determine the health status of an instance using one or more of the following:
Status checks provided by Amazon EC2 to identify hardware and software issues that may impair an instance. The default health checks for an Auto Scaling group are EC2 status checks only.
Health checks provided by Elastic Load Balancing (ELB). These health checks are disabled by default but can be enabled.
Your custom health checks.

30. lambda_instance_stop.py
import boto3
import os
import json

# Region in which the target instances live
region = 'us-east-1'
ec2 = boto3.client('ec2', region_name=region)

def lambda_handler(event, context):
    # Instance IDs are passed as a comma-separated list in the EC2_INSTANCES environment variable
    instances = os.environ['EC2_INSTANCES'].split(",")
    # Stop all listed instances in one API call (requires ec2:Stop* in the function's role)
    ec2.stop_instances(InstanceIds=instances)
    print('stopped instances: ' + str(instances))

31. AWS Fargate
A serverless compute engine for containers that works with both Amazon Elastic Container Service (ECS) and Amazon Elastic Kubernetes Service (EKS)
Launch containers without having to provision or manage EC2 instances
If you want a managed service for container cluster management

32. AWS Lambda
A serverless compute service that executes your code only when needed and scales automatically
SOC, HIPAA, PCI, ISO compliant
o AWS DynamoDB
o AWS SQS
o AWS SNS
o CloudWatch Event
o API Gateway
o AWS IoT
o Kinesis
o CloudWatch Logs

33. DNSSEC
Key-signing key
Digital signatures based on public-key cryptography
KMS Key (CMK) asymmetric

34. Lifecycle hooks
Enable you to perform custom actions by pausing instances as an Auto Scaling group launches or terminates them. When an instance is paused, it remains in a wait state either until you complete the lifecycle action using the complete-lifecycle-action command or the CompleteLifecycleAction operation, or until the timeout period ends (one hour by default)

35. Lambda Functions
Supports synchronous and asynchronous invocation

36. AWS SDK
Manage your AWS services using a programming language

37. EC2 On Demand
Pay for what you use
Has the highest cost but no upfront payment
No long-term commitment
Recommended for short-term and uninterrupted workloads

38. EC2 Reserved Instances
Up to 72% discount compared to On-demand
You reserve specific instance attributes (Instance Type, Region, Tenancy, OS)
Reservation Period - 1 year (+discount) or 3 years (+discount)
Payment Options - No Upfront, Partial Upfront, All Upfront
Reserved Instance's Scope - Regional or Zonal (reserve capacity in an AZ)
Recommended for steady-state usage applications (think database)
You can buy and sell in the Reserved Instance Marketplace
Convertible Reserved Instance
Can change the EC2 instance type, instance family, OS, scope and tenancy
Up to 66% discount

39. EC2 Spot Instances
Can get a discount of up to 90% compared to On-demand
Instances that you can "lose" at any point of time if your max price is less than the current spot price
The MOST cost-efficient instances in AWS
Useful for workloads that are resilient to failure:
Batch jobs
Data analysis
Image processing
Any distributed workloads
Workloads with a flexible start and end time
Not suitable for critical jobs or databases

40. EC2 Dedicated Hosts
A physical server with EC2 instance capacity fully dedicated to your use
Allows you to address compliance requirements and use your existing server-bound software licenses (per-socket, per-core, per-VM software licenses)
Purchasing Options:
On-demand - pay per second for active Dedicated Host
Reserved - 1 or 3 years (No Upfront, Partial Upfront, All Upfront)
The most expensive option
Useful for software that has a complicated licensing model (BYOL - Bring Your Own License)
Or for companies that have strong regulatory or compliance needs

41. appspec.yml
In the root of the app source code

42. EC2 Dedicated Instances
Instances run on hardware that's dedicated to you
May share hardware with other instances in the same account
No control over instance placement (can move hardware after Stop / Start)

43. Spot Fleets
Spot Fleets = set of Spot Instances + (optional) On-Demand Instances
The Spot Fleet will try to meet the target capacity with price constraints
Define possible launch pools: instance type (m5.large), OS, Availability Zone
Can have multiple launch pools, so that the fleet can choose
Spot Fleet stops launching instances when reaching capacity or max cost

Strategies to allocate Spot Instances:
lowestPrice: from the pool with the lowest price (cost optimization, short workload)
diversified: distributed across all pools (great for availability, long workloads)
capacityOptimized: pool with the optimal capacity for the number of instances
priceCapacityOptimized (recommended): pools with highest capacity available, then select the pool with the lowest price (best choice for most workloads)

Spot Fleets allow us to automatically request Spot Instances with the lowest price

44. EC2 Spot Instance Requests
Can get a discount of up to 90% compared to On-demand
Define max spot price and get the instance while current spot price < max
The hourly spot price varies based on offer and capacity
If the current spot price > your max price you can choose to stop or terminate your instance with a 2 minutes grace period

Other strategy: Spot Block
"block" spot instance during a specified time frame (1 to 6 hours) without interruptions
In rare situations, the instance may be reclaimed
Used for batch jobs, data analysis, or workloads that are resilient to failures
Not great for critical jobs or databases

45. Elastic IP Address
Static public IPv4 address
Helpful to mask instance failures by rapidly remapping the public IP of any instance within the VPC

46. Cluster Placement Group
Clusters instances into a low-latency group in a single Availability Zone
Typical of HPC applications
Cluster for good network performance

47. Spread Placement Group
Spreads instances across underlying hardware (max 7 instances per group per AZ)

48. Partition Placement Group
Spreads instances across many different partitions (which rely on different sets of racks) within an AZ. Scales to 100s of EC2 instances per group (Hadoop, Cassandra, Kafka)

49. Elastic Container Service (ECS)
A container management service to run, stop and manage Docker containers on a cluster
Regional service
Each EC2 Instance must run the ECS Agent to register in the ECS Cluster
Application Load Balancer supported and works for most use cases
Network Load Balancer recommended only for high throughput / high performance use cases, or to pair it with AWS PrivateLink
ECS enables you to inject sensitive data:
- AWS Secrets Manager
- AWS Systems Manager Parameter Store (SSM)

50. ECS - Fargate Mode
You do not provision the infrastructure (no EC2 instances to manage)
Create task definitions
Large workloads, overhead conscious

51. EC2 Instance Profile (IAM)
Used by the ECS agent
Makes API calls to ECS service
Sends container logs to CloudWatch Logs

52. ECS Task Role
Use different roles for the different ECS Services you run, defined in the task definition

53. Mount EFS file systems onto ECS tasks (EC2 and Fargate)
Tasks running in any AZ will share the same data in the EFS file system
Fargate + EFS = Serverless
Persistent multi-AZ shared storage for your containers

54. ECS Auto Scaling
Target Tracking - scale based on target value for a specific CloudWatch metric
Step Scaling - scale based on a specified CloudWatch Alarm
Scheduled Scaling - scale based on a specified date/time (predictable changes)
Accommodate ECS Service Scaling by adding underlying EC2 Instances

55. ECS Auto Scaling Group Scaling
Scale your ASG based on CPU Utilization
Add EC2 instances over time

56. ECS Cluster Capacity Provider
Used to automatically provision and scale the infrastructure for your ECS Tasks
Capacity Provider paired with an Auto Scaling Group
Add EC2 Instances when you're missing capacity (CPU, RAM...)

57. AWS App Runner
Fully managed service that makes it easy to deploy web applications and APIs at scale
No infrastructure experience required
Start with your source code or container image
Automatically builds and deploys the web app
Automatic scaling, highly available, load balancer, encryption
VPC access support
Connect to database, cache, and message queue services
Use cases: web apps, APIs, microservices, rapid production deployments

58. Serverless in AWS
AWS Lambda
DynamoDB
AWS Cognito
AWS API Gateway
Amazon S3
AWS SNS & SQS
AWS Kinesis Data Firehose
Aurora Serverless
Step Functions
Fargate

59. SQS - Multiple EC2 Instances Consumers
Consumers receive and process messages in parallel
At least once delivery
Best-effort message ordering
Consumers delete messages after processing them
We can scale consumers horizontally to improve throughput of processing

60. Simple Queue Service (SQS)
A fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications
Poll SQS for messages (receive up to 10 messages at a time)
Process the messages (example: insert the message into an RDS database)
Publish-Subscribe
Delete the messages using the DeleteMessage API

61. Dead-letter Queues
Dead-letter queues (DLQ) are useful for debugging your application or messaging system because they let you isolate unconsumed messages to determine why their processing didn't succeed
To ensure that your system is resilient against errors, set the maxReceiveCount high enough to allow for sufficient retries

62. SQS Access Policies
Useful for cross-account access to SQS queues
Useful for allowing other services (SNS, S3...) to write to an SQS queue

63. SQS - Long Polling
Long polling decreases the number of API calls made to SQS while increasing the efficiency and reducing the latency of your application

64. Simple Notification Service (SNS)
AWS service that allows you to automate the sending of email or text messaging notifications based on events
1. Topic Publish (using the SDK)
Create a topic
Create a subscription (or many)
Publish to the topic
2. Direct Publish (for mobile apps SDK)
Create a platform application
Create a platform endpoint
Publish to the platform endpoint

65. Amazon SNS - Security
Encryption:
In-flight encryption using HTTPS API
At-rest encryption using KMS keys
Client-side encryption if the client wants to perform encryption/decryption itself
Access Controls:
IAM policies to regulate access to the SNS API
SNS Access Policies:
Useful for cross-account access to SNS topics
Useful for allowing other services to write to an SNS topic

66. Kinesis
Makes it easy to collect, process, and analyse streaming data in real-time
Kinesis Data Streams: capture, process, and store data streams
Kinesis Data Firehose: load data streams into AWS data stores
Kinesis Data Analytics: analyse data streams with SQL or Apache Flink
Kinesis Video Streams: capture, process, and store video streams
Once data is inserted in Kinesis, it can't be deleted (immutability)
Data that shares the same partition goes to the same shard (ordering)

67. Application Load Balancer (ALB)
Enabled by default (can be disabled at the Target Group level)
No charges for inter-AZ data
Supports multiple listeners with multiple SSL certificates
Uses Server Name Indication (SNI) to make it work

68. Network Load Balancer (NLB)
Disabled by default
You pay charges for inter-AZ data if enabled
Supports multiple listeners with multiple SSL certificates
Uses Server Name Indication (SNI) to make it work

69. Sticky Sessions (Session Affinity)
Application-based Cookies
Generated by the target
Don't use AWSALB, AWSALBAPP, or AWSALBTG (reserved for use by the ELB)
Cookie name must be specified individually for each target group

70. Duration-based Cookies
Cookie generated by the load balancer
Cookie name is AWSALB for ALB, AWSELB for CLB

71. Gateway Load Balancer
Operates at Layer 3 (Network Layer) - IP Packets
Uses the GENEVE protocol on port 6081
Example: Firewalls, Intrusion Detection and Prevention Systems, Deep Packet Inspection Systems, payload manipulation

72. Health Checks
Elastic Load Balancing supports health checks to test the status of the Amazon EC2 instances behind an Elastic Load Balancing load balancer

73. Elastic Beanstalk
Elastic Beanstalk is a developer-centric view of deploying an application on AWS
We still have full control over the configuration
Components:
+ Application
+ Application Version
+ Environment

74. CORS Header
Cross-Origin Resource Sharing (CORS)
If a client makes a cross-origin request on our S3 bucket, we need to enable the correct CORS headers

75. S3 - MFA Delete
MFA (Multi-Factor Authentication) - force users to generate a code on a device
MFA is required to change the bucket versioning state

76. Amazon CloudFront
Content Delivery Network (CDN)
Improves read performance, content is cached at the edge
Globally-distributed network of proxy servers which cache content
DDoS protection (because worldwide), integration with Shield, AWS Web Application Firewall
Anycast IP
Create a CloudFront distribution with Geo-Restriction enabled to block all of the blacklisted countries from accessing the trading platform
CloudFront Origin Failover - A CloudFront origin group lets you specify one primary origin and one secondary origin. If the primary origin becomes unavailable, or returns specific HTTP response status codes that indicate a failure, CloudFront automatically switches to the secondary origin
Origin failover requires your distribution to have at least two origins

77. CloudFront signed cookies
Allow you to control who can access your content when you don't want to change your current URLs or when you want to provide access to multiple restricted files, for example, all of the files in the subscribers' area of a website

78. AWS Global Accelerator
2 x Anycast IP are created for your application
The Anycast IP sends traffic directly to Edge Locations
Works with Elastic IP, EC2 instances, ALB, NLB, public or private

79. AWS Storage Gateway
Bridge between on-premises data and cloud data
On-premises virtualization
1. S3 File Gateway:
Configured S3 buckets are accessible using the NFS and SMB protocol
2. FSx File Gateway:
Native access to Amazon FSx for Windows File Server
3. Volume Gateway:
Block storage using iSCSI protocol backed by S3
4. Tape Gateway:
Virtual Tape Library (VTL) backed by Amazon S3 and Glacier
Back up data using existing tape-based processes (and iSCSI interface)

80. AWS Transfer Family
Fully managed SFTP, FTPS, and FTP service

81. AWS DataSync
Move large amounts of data to and from on-premises / other cloud to AWS (NFS, SMB, HDFS, S3 API) - needs agent
AWS to AWS (different storage services) - no agent needed

82. AWS Lambda
Virtual functions - no servers to manage!
Limited by time - short executions
Run on-demand
Scaling is automated!
Lambda will create an ENI (Elastic Network Interface) in your subnets
You must define the VPC ID, the Subnets and the Security Groups

83. Lambda@Edge
Customize the CDN content
Lambda functions written in NodeJS or Python
Longer execution time
Viewer Request - after CloudFront receives a request from a viewer
Origin Request - before CloudFront forwards the request to the origin
Origin Response - after CloudFront receives the response from the origin
Viewer Response - before CloudFront forwards the response to the viewer
+ Website Security and Privacy
+ Dynamic Web Application at the Edge
+ Search Engine Optimization (SEO)
+ Intelligently Route Across Origins and Data Centres
+ Bot Mitigation at the Edge
+ Real-time Image Transformation
+ A/B Testing
+ User Authentication and Authorization
+ User Prioritization
+ User Tracking and Analytics

84. CloudFront Functions
Lightweight functions written in JavaScript
High-scale, latency-sensitive CDN customizations

85. Lambda with RDS Proxy
If Lambda functions directly access your database, they may open too many connections under high load
Improve scalability by pooling and sharing DB connections
Improve availability by reducing the failover time by 66% and preserving connections
Improve security by enforcing IAM authentication and storing credentials in Secrets Manager

86. DynamoDB
NoSQL database
AWS proprietary technology
Highly Available, Multi AZ by default, Reads and Writes are decoupled, transaction capability
Millions of requests per second, trillions of rows, 100s of TB of storage
Great to rapidly evolve schemas
Integrated with AWS Lambda so that you can create triggers
If you enable DynamoDB Streams on a table, you can associate the stream ARN with a Lambda function
Multiple updates can occur at the same time => conditional writes
Backups:
On-Demand
PITR -> disabled by default
Provisioned:
RCU + WCU set on a per-table basis

87. DynamoDB Accelerator (DAX)
Fully-managed, highly available, seamless in-memory cache for DynamoDB
Helps solve read congestion by caching
5 minutes TTL for cache (default)

88. DynamoDB - Time To Live (TTL)
Automatically delete items after an expiry timestamp
Use cases: reduce stored data by keeping only current items, adhere to regulatory obligations, web session handling

89. Amazon ElastiCache
Managed Redis / Memcached (similar offering as RDS, but for caches)
Support for Clustering (Redis) and Multi AZ, Read Replicas (sharding)

90. Amazon Keyspaces (for Apache Cassandra)
Open-source NoSQL distributed database

91. Amazon Timestream
Fully managed, fast, scalable, serverless time series database

92. Amazon Athena
Serverless query service to analyze data stored in Amazon S3
Uses standard SQL
Supports CSV, JSON, ORC, Avro and Parquet
Commonly used with Amazon QuickSight for reporting/databases

93. CannotPullContainerError: API error (500): Get https://111122223333.dkr.ecr.us-east-1.amazonaws.com/v2/: net/http: request cancelled while waiting for connection
AWS Fargate
For tasks in public subnets, specify ENABLED for Auto-assign public IP when launching the task
For tasks in private subnets, specify DISABLED for Auto-assign public IP when launching the task, and configure a NAT gateway in your VPC to route requests to the Internet

94. AWS Resource Access Manager (AWS RAM)
Enables you to share specified AWS resources that you own with other AWS accounts
To enable trusted access with AWS Organizations, from the AWS RAM CLI, use the "enable-sharing-with-aws-organizations" command
Name of the IAM service-linked role that can be created in accounts when trusted access is enabled: AWSResourceAccessManagerServiceRolePolicy
On AWS Resource Access Manager (RAM), set up a shared services VPC on your central account
Set up VPC peering from this VPC to each VPC on the other accounts
On Amazon Route 53, create a private hosted zone associated with the shared services VPC
Manage all domains and subdomains on this zone
Programmatically associate the VPCs from other accounts with this hosted zone

95. AWS OpsWorks Stacks
Manage applications and servers on AWS and on-premises
OpsWorks is an application management service for deploying and operating applications of all types and sizes
96. DeletionPolicy attribute
Preserve or back up a resource when its stack is deleted

97. Cache-Control max-age
Improve performance by increasing the proportion of your viewer requests that are served from CloudFront edge caches instead of going to your origin servers for content

98. Recovery Manager (RMAN)
Oracle Database client that performs backup and recovery tasks on your databases and automates the administration of your backup strategies
You can store your primary data locally, while asynchronously backing up that data to AWS

99. External ID
At times, you need to give a third party access to your AWS resources (delegate access)

100. Link aggregation groups
Aggregate multiple connections at a single AWS Direct Connect endpoint, allowing you to treat them as a single, managed connection

101. AWS Transit Gateway
Highly available and scalable service used to consolidate the AWS VPC routing configuration for a region with a hub-and-spoke architecture

102. AWS Application Discovery Service
Gather data about your on-premises data centre and perform the TCO analysis

103. Amazon CloudSearch
Managed service in the AWS Cloud that makes it simple and cost-effective to set up, manage, and scale a search solution for your website or application

104. DNS active-active failover
Allows access to your unhealthy instances to be redirected to active instances

105. DNS active-passive failover
Primary resources are available most of the time, and secondary resources are used in case the primary resources aren't available
1. For the primary resources, create an alias record pointing to the ALB with "evaluate health check" set to "yes"
2. For the secondary resources, create health checks for the web servers in the data center
3. 2x failover alias records, one for the primary and one for the secondary

106. S3 Object Lambda
Use AWS Lambda Functions to change the object before it is retrieved by the caller application

107. Simple Storage Service (S3) Use Cases
+ Backup and storage
+ Disaster Recovery
+ Archive
+ Hybrid Cloud storage
+ Application hosting
+ Media hosting
+ Data lakes & big data analytics
+ Software delivery
+ Static website
108. Simple Storage Service (S3)
+ Object files have a key, prefix and object name: s3://my-bucket/my_folder1/another_folder/my_file.txt
+ No concept of "directories"
+ Metadata
+ Tags
+ Version ID

109. S3 Bucket Policies
A form of resource policy:
+ JSON-based policies
+ Effect Allow/Deny
+ Grant public access
+ Force encryption and upload
+ Grant access to other AWS accounts
+ ALLOW or DENY anonymous principals (*)

110. Stateful Web App
Stateful applications and processes, however, are those that can be returned to again and again, like online banking or email (or retail)

111. Stateless Web App
There is no stored knowledge of or reference to past transactions
Each transaction is made as if from scratch for the first time
Stateless applications provide one service or function and use content delivery network (CDN), web, or print servers to process these short-term requests

112. Relational Database Service (RDS)
Managed DB service for databases that use SQL:
• Postgres
• MySQL
• MariaDB
• Oracle
• Microsoft SQL Server
• Aurora (AWS proprietary database)
Can't SSH into your instances!
• Enable Enhanced Monitoring in RDS
• Automated provisioning, OS patching
• Continuous backups and restore to specific timestamp (Point in Time Restore)!
• Monitoring dashboards
• Read replicas for improved read performance
• Multi AZ setup for DR (Disaster Recovery)
• Maintenance windows for upgrades
• Scaling capability (vertical and horizontal)
• Storage backed by EBS (gp2 or io1)

113. RDS Read Replicas
Read scalability
<= 15 Read Replicas
Within AZ, Cross AZ or Cross Region
ASYNC - reads are eventually consistent
Replicas can be promoted to their own DB
Applications must update the connection string to leverage read replicas
There's a network cost when data goes from one AZ to another

114. RDS Multi AZ
Disaster Recovery
SYNC replication
One DNS name - automatic app failover to standby

115. Amazon Aurora
Compatible API for PostgreSQL / MySQL, separation of storage and compute
Storage: data is stored in 6 replicas, across 3 AZ - highly available, self-healing, auto-scaling
Compute: Cluster of DB Instances across multiple AZ, auto-scaling of Read Replicas
Cluster: Custom endpoints for writer and reader DB instances
Same security / monitoring / maintenance features as RDS
Know the backup & restore options for Aurora

116. Aurora Multi-Master
In case you want continuous write availability for the writer nodes
Every node does R/W - vs promoting a Read Replica as the new master
All DB instances in a multi-master cluster must be in the same AWS Region

117. Global Aurora
Aurora Cross Region Read Replicas:
• Useful for disaster recovery
• Simple to put in place
Aurora Global Database (recommended):
• 1 Primary Region (read / write)
• Up to 5 secondary (read-only) regions, replication lag is less than 1 second
• Up to 16 Read Replicas per secondary region
• Helps for decreasing latency
• Promoting another region (for disaster recovery) has an RTO of < 1 minute

118. RDS Backups
• Automated backups:
  • Daily full backup of the database (during the backup window)
  • Transaction logs are backed-up by RDS every 5 minutes
  • => ability to restore to any point in time (from oldest backup to 5 minutes ago)
  • 1 to 35 days of retention, set 0 to disable automated backups
• Manual DB Snapshots:
  • Manually triggered by the user
  • Retention of backup for as long as you want
• Tip: in a stopped RDS database, you will still pay for storage. If you plan on stopping it for a long time, you should snapshot & restore instead

119. Aurora Backups
• Automated backups:
  • 1 to 35 days (cannot be disabled)
  • Point-in-time recovery in that timeframe
• Manual DB Snapshots:
  • Manually triggered by the user
  • Retention of backup for as long as you want

120. Aurora Database Cloning
- Create a new Aurora DB Cluster from an existing one
- Faster than snapshot and restore
- The new DB cluster uses the same cluster volume and data as the original but will change when data updates are made
- Very fast and cost-effective
- Useful to create a "staging" database from a "production" database without impacting the production database

121. Restoring MySQL RDS database from S3
• Create a backup of your on-premises database
• Store it on Amazon S3 (object storage)
• Restore the backup file onto a new RDS instance running MySQL

122. Restoring MySQL Aurora cluster from S3
• Create a backup of your on-premises database using Percona XtraBackup
• Store the backup file on Amazon S3
• Restore the backup file onto a new Aurora cluster running MySQL

123. RDS & Aurora Security
At-rest encryption:
- Database master & replicas encryption using AWS KMS - must be defined at launch time
- If the master is not encrypted, the read replicas cannot be encrypted
- To encrypt an un-encrypted database, go through a DB snapshot & restore as encrypted
In-flight encryption: TLS-ready by default, use the AWS TLS root certificates client-side.
IAM Authentication: IAM roles to connect to your database (instead of username/pw).
Security Groups: Control network access to your RDS / Aurora DB.
No SSH available except on RDS Custom.
Audit Logs can be enabled and sent to CloudWatch Logs for longer retention.

124. Amazon RDS Proxy
- Fully managed database proxy for RDS
- Allows apps to pool and share DB connections established with the database
- Improves database efficiency by reducing the stress on database resources (e.g., CPU, RAM) and minimizing open connections (and timeouts)
- Serverless, autoscaling, highly available (multi-AZ)
- Reduces RDS & Aurora failover time by up to 66%
- Supports RDS (MySQL, PostgreSQL, MariaDB) and Aurora (MySQL, PostgreSQL)
- No code changes required for most apps
- Enforce IAM Authentication for DB, and securely store credentials in AWS Secrets Manager
- RDS Proxy is never publicly accessible (must be accessed from VPC)

125. ElastiCache - Redis
• Multi AZ with Auto-Failover
• Read Replicas to scale reads and have high availability
• Data Durability using AOF persistence
• Backup and restore features

126. ElastiCache - Memcached
- Multi-node for partitioning of data (sharding)
- Non-persistent
- No backup and restore
- Multi-threaded architecture

127. ElastiCache Patterns
• Lazy Loading: all the read data is cached, data can become stale in cache
• Write Through: adds or updates data in the cache when written to a DB (no stale data)
• Session Store: store temporary session data in a cache (using TTL features)

128. S3 Intelligent Tiering
Designed to optimize costs by automatically moving data to the most cost-effective access tier, without performance impact or operational overhead
Ideal storage class for data with unknown, changing, or unpredictable access patterns, independent of object size or retention period

129. Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3)
Enabled by default
Encrypts S3 objects using keys handled, managed, and owned by AWS
Encryption at rest - Server-Side Encryption

130. Server-Side Encryption with KMS Keys stored in AWS KMS (SSE-KMS)
Leverage AWS Key Management Service (AWS KMS) to manage encryption keys

131. Server-Side Encryption with Customer-Provided Keys (SSE-C)
When you want to manage your own encryption keys

132. S3 Replication
Same-region or cross-region, must enable versioning

133. S3 and Glacier Select
Allow you to use a SQL-like statement to retrieve partial objects from S3 and Glacier

134. S3 Bucket Keys
Amazon S3 Bucket Keys reduce the cost of Amazon S3 server-side encryption using AWS Key Management Service (SSE-KMS)
Bucket-level keys for SSE can reduce AWS KMS request costs by up to 99 percent by decreasing the request traffic from Amazon S3 to AWS KMS

135. Client-Side Encryption
Encrypting data on the client side before uploading to S3

136. S3 Access Logs
Provides detailed records for the requests that are made to a bucket

137. S3 Pre-Signed URLs
Generate pre-signed URLs using the S3 Console, AWS CLI or SDK
aws s3 presign s3://mywhizbucket235/smiley_49_39.jpeg --expires-in 60

138. S3 Glacier Vault Lock
• Adopt a WORM (Write Once Read Many) model
• Create a Vault Lock Policy
• Lock the policy for future edits (can no longer be changed or deleted)
• Helpful for compliance and data retention

139. DISM /online /enable-feature /featureName:IIS-DefaultDocument /All
Enable IIS features on Windows Server

140. S3 Storage Classes
- S3 Standard
- S3 IA
- S3 One-Zone IA
- S3 Intelligent Tiering
- S3 Glacier
- S3 Glacier Deep Archive

141. S3 Transfer Acceleration
Uses the CloudFront Edge Network to accelerate uploads to S3 - uses a distinct URL to upload directly to an edge location, which then transfers to S3 over the AWS backbone network

142. S3 Replication
Same-region or cross-region, must enable versioning

143. Simple Notification Service (SNS)
SNS is a pub/sub (publish/subscribe) messaging service that allows the delivery of messages or notifications to multiple recipients or subscribers

144. S3 Bucket policy for static websites
{
  "Id": "Policy1",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": "replace-this-string-with-your-bucket-arn/*",
      "Principal": "*"
    }
  ]
}

145. S3 presign URL
The credentials used by the pre-signed URL are those of the AWS user who generated the URL
+ An Amazon S3 bucket
+ An object key (if downloading, this object will be in your Amazon S3 bucket; if uploading, this is the file name to be uploaded)
+ An HTTP method (GET for downloading objects or PUT for uploading)
+ An expiration time interval

146. User Data script - Apache server
#!/bin/bash
# Use this for your user data (script from top to bottom)
# install httpd (Linux 2 version)
yum update -y
yum install -y httpd
systemctl start httpd
systemctl enable httpd
echo "<h1>Hello World from $(hostname -f)</h1>" > /var/www/html/index.html

147. IAM Policy
JSON format
Attach an IAM policy to different entities such as an IAM group, user, or role
ALLOW or DENY access to AWS resources
+ Identity-Based-Policies
+ Resource-Based-Policies

148. IAM Role
IAM identity (that we can create in our AWS account) that has specific permissions; it can be attached to anyone who needs it

149. https://awspolicygen.s3.amazonaws.com/policygen.html
Generate your own IAM policy

150. Resource-Based-Policy
Attach to a resource such as an Amazon S3 bucket

151. CloudFront Origin Groups
Use several different kinds of origins with CloudFront. For example, you can use an Amazon S3 bucket, an Application Load Balancer, or an AWS Lambda function URL

152. Failover Cluster
A secondary server can take over the function when the primary one fails

153. Virtual Private Cloud (VPC)
A VPC is a custom-defined virtual network within the AWS Cloud
The primary components of a VPC include subnets, IP addresses, NAT devices, route tables, gateways, access control lists, security groups, and VPC endpoints
Subnets are a segment of the VPC IP address range where AWS resources can be launched, and they are classified as public and private
Public subnets hold resources that can be accessed from the Internet, and they must have an Elastic IP address, an Internet Gateway, and a route table entry with destination as an internet gateway
Private subnets hold resources that can be accessed from within the VPC network, and they use NAT devices to interact with the Internet
Route tables hold sets of rules, called routes, that are used to determine where the traffic is directed, and every subnet in a VPC is linked to a route table
Internet Gateway is a virtual router that helps a VPC connect to the Internet, and it is attached to the VPC to enable Internet access
EIP is a static IPv4 address used by AWS to manage its dynamic cloud computing services, and it can be associated with an AWS account to mask an instance failure if one occurs
NAT devices can be an instance or a gateway residing in a public subnet, and they help instances in private subnets interact with the Internet
Access Control List is an optional layer of security that acts as a firewall for controlling network traffic in and out of the subnet, and it uses rules to allow or deny network traffic based on ports or IP addresses

154. EFS - Elastic File System
• Managed NFS (network file system) that can be mounted on many EC2 instances
• EFS works with EC2 instances in multi-AZ
• Use cases: content management, web serving, data sharing, WordPress
• Uses NFSv4.1 protocol
• Uses security group to control access to EFS
• Compatible with Linux based AMI (not Windows)
• Encryption at rest using KMS
• POSIX file system (~Linux) that has a standard file API

155. EFS Performance Mode (set at EFS creation time)
• General Purpose (default) - latency-sensitive use cases (web server, CMS, etc...)
• Max I/O - higher latency, throughput, highly parallel (big data, media processing)

156. EFS Throughput Mode
• Bursting - 1 TB = 50MiB/s + burst of up to 100MiB/s
• Provisioned - set your throughput regardless of storage size, ex: 1 GiB/s for 1 TB storage
• Elastic - automatically scales throughput up or down based on your workloads
  • Up to 3GiB/s for reads and 1GiB/s for writes
  • Used for unpredictable workloads

157. EFS Storage Tiers
• Standard: for frequently accessed files
• Infrequent access (EFS-IA): cost to retrieve files, lower price to store. Enable EFS-IA with a Lifecycle Policy

158. VPC Considerations
What size should the VPC be?
Are there any networks we can't use? VPCs, Cloud, On-premises, Partners & Vendors
Try to predict the future
VPC Structure - tiers & resilient AZs

159. DNS in a VPC
enableDnsHostnames - gives instances DNS names
enableDnsSupport - enables DNS resolution in VPC

160. Redshift
Based on PostgreSQL but not used for OLTP (Online Transaction Processing)
Warehouse service in the cloud
Columnar storage of data (instead of row-based)
One Availability Zone - use backups
If we want to copy data from EMR, S3, and DynamoDB to power a custom Business Intelligence tool
Using a third-party library, we can connect and query Redshift for results

161. Redshift Spectrum
- Query data that is already in S3 without loading it
- Must have a Redshift cluster available to start the query
- The query is then submitted to thousands of Redshift Spectrum nodes

162. Elastic MapReduce (EMR)
EMR helps you process large amounts of data
Process big data
Analyze data using Hadoop
Works with big data frameworks

163. QuickSight
A Business Intelligence (BI) Service. Connect multiple data sources and quickly visualize data in the form of graphs with little to no programming knowledge

164. AWS Glue
Fully-managed serverless extract, transform, and load (ETL) service
Prepare and transform data for analytics

165. AWS Lake Formation
Centralized, curated, and secured repository that stores all your data
Fully-managed service
ML Transforms

166. AWS Kinesis Data Analytics
Transform and analyse streaming data in real time using SQL / Apache Flink
Automatic scaling
Add reference data from S3 to enrich streaming data

167. Managed Streaming for Apache Kafka (MSK)
Alternative to Amazon Kinesis
Fully managed Apache Kafka on AWS
+ Allowed to CRUD clusters

168. Big Data Ingestion Pipeline
• We want the ingestion pipeline to be fully serverless
• We want to collect data in real time
• We want to transform the data
• We want to query the transformed data using SQL
• The reports created using the queries should be in S3
• We want to load that data into a warehouse and create dashboards

169. Lambda Limits
Memory allocation (128MB - 10GB)
Max execution time: 15 mins
4KB of .env variables
Disk capacity in the function container: 512MB to 10GB
Concurrency executions: 1000
Function deployment size: 50MB
Size of uncompressed deployment: 250MB
Can use /tmp directory to load other files at start up

170. The maximum size of an item in a DynamoDB table is:
400KB

171. Cognito User Pools
User directories used to manage sign-up and sign-in functionality for mobile and web applications
User pools are for authentication

172. Cognito Identity vs. Cognito User Pools
Identity pools provide temporary AWS credentials for users who are guests (unauthenticated) and for users who have been authenticated and received a token
An identity pool lets you grant access to AWS resources (e.g. an S3 bucket) to users from all types of identity providers:
- Cognito User Pools
- developer providers
- social identity providers
Cognito User Pools:
Handles the IdP interactions for you
Provides profiles to manage users
Provides OpenID Connect and OAuth standard tokens

173. Amazon Neptune
A fast, reliable, fully-managed graph database service that makes it easy to build and run applications that work with highly connected datasets

174. Amazon Rekognition
Amazon Rekognition is a service that makes it easy to add image analysis to your applications
With Rekognition, you can detect objects, scenes, and faces in images
You can also search and compare faces

175. Amazon Transcribe
An automatic speech recognition (ASR) service that makes it easy for developers to add speech-to-text capability to their applications

176. Amazon Polly
Amazon Polly is a service that turns text into lifelike speech

177. Amazon Lex & Connect
Amazon Lex: (same technology that powers Alexa)
• Automatic Speech Recognition (ASR) to convert speech to text
• Natural Language Understanding to recognize the intent of text, callers
• Helps build chatbots, call center bots
Amazon Connect:
• Receive calls, create contact flows, cloud-based virtual contact center
• Can integrate with other CRM systems or AWS
• No upfront payments, 80% cheaper than traditional contact center solutions

178. Elastic Network Interface (ENI)
• Primary private IPv4, one or more secondary IPv4
• One Elastic IP (IPv4) per private IPv4
• One Public IPv4
• One or more security groups
• A MAC address

179. EC2 Hibernate
• The in-memory (RAM) state is preserved
• The instance boot is much faster! (the OS is not stopped / restarted)
• Under the hood: the RAM state is written to a file in the root EBS volume
• The root EBS volume must be encrypted

180. Amazon Comprehend
A natural language processing (NLP) service that uses machine learning to find insights and relationships in text. No machine learning experience required

181. Fast Snapshot Restore (FSR)
Force full initialization of snapshot to have no latency on the first use ($$$)

182. EBS Encryption
• Data at rest is encrypted inside the volume
• All the data in flight moving between the instance and the volume is encrypted
• All snapshots are encrypted
• All volumes created from the snapshot are encrypted

183. Recycle Bin for EBS Snapshots
• Setup rules to retain deleted snapshots so you can recover them after an accidental deletion
• Specify retention (from 1 day to 1 year)

184. Amazon Comprehend Medical
A HIPAA-eligible natural language processing (NLP) service that uses machine learning to extract health data from medical text

185. Amazon SageMaker
A fully-managed platform that enables developers and data scientists to quickly and easily build, train, and deploy machine learning models at any scale

186. Amazon Kendra
• Fully managed document search service powered by Machine Learning
• Extract answers from within a document (text, pdf, HTML, PowerPoint, MS Word, FAQs...)
• Natural language search capabilities
• Learn from user interactions/feedback to promote preferred results (Incremental Learning)
• Ability to manually fine-tune search results (importance of data, freshness, custom, ...)

187. Amazon Personalize
A machine learning service that makes it easy for developers to create individualized recommendations for customers using their applications

188. Amazon Textract
A machine learning service that automatically extracts text and data from scanned documents

189. Amazon Forecast
A fully managed service that uses machine learning to deliver highly accurate forecasts

190. Amazon Snowball
• Migration service
• Data transport solution to transfer large amounts of data into and out of AWS

191. Snowball Edge Storage Optimized
80 TB of HDD capacity for block volume and S3 compatible object storage

192. Snowball Edge Compute Optimised
42TB storage
52 vCPUs
208GiB memory for computing functionality
Additional 7.68 TB of SSD Storage

193. AWS Snowcone
Supports data collection and data processing using AWS compute services
It features 2 CPUs, 4 GB of memory, and 8 TB of usable storage

194. Amazon Snow Family
Evolution of AWS Import/Export family
Transfer data via UPS, DHL, FedEx, etc
Encrypted at rest

195. Amazon FSx for Lustre
A fully managed file system that is optimized for compute-intensive workloads, such as high performance computing, machine learning, and media data processing workflows

196. Amazon FSx for Windows File Server
Provides a fully managed native Microsoft Windows file system so you can easily move your Windows-based applications that require file storage to AWS

197. Amazon Trusted Advisor
Provides recommendations that help you follow AWS best practices:
1. Cost optimisation
2. Performance
3. Security
4. Fault Tolerance
5. Service Limits

198. SnapshotCopyGrant
Grants Amazon Redshift permission to encrypt copied snapshots with the specified encrypted symmetric key from AWS KMS in the destination region

199. AWS CloudTrail
Enable governance, compliance, and operational and risk auditing of your AWS account
Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail: AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs

200. Traffic Mirroring (VPC)
Amazon VPC feature that you can use to copy network traffic from an elastic network interface of Amazon EC2 instances
- Content inspection
- Threat monitoring
- Troubleshooting
Configure Traffic Mirroring on the elastic network interface of the EC2 instances
Send the mirrored traffic to a monitoring appliance for storage and inspection

201. Application Discovery Service
Use the AWS Application Discovery Service to gather data about your on-premises data centre and perform the TCO analysis

202. NAT Gateway
Instances in a private subnet can connect to services outside your VPC but external services cannot initiate a connection with those instances

203. NAT Instance
A network address translation (NAT) instance is an Amazon Linux Amazon Machine Image (AMI) that is designed to accept traffic from instances within a private subnet, translate the source IP address to the public IP address of the NAT instance, and forward the traffic to the IGW
In addition, the NAT instance maintains the state of the forwarded traffic in order to return response traffic from the Internet to the proper instance in the private subnet

204. AWS EventBridge
Create rules that self-trigger on an automated schedule in EventBridge using cron or rate expressions
With this, you can schedule running AWS SSM Automation documents to remediate the vulnerable AMIs

205. Amazon Inspector
Conduct a detailed scan for CVEs in your fleet of EC2 instances
Predefined software called an agent that you can optionally install in the operating system of the EC2 instances that you want to assess
Also has rules packages that help verify whether the EC2 instances in your assessment targets are exposed to common vulnerabilities and exposures (CVEs)

206. AWS Systems Manager Agent (SSM Agent)
Makes it possible for Systems Manager to update, manage, and configure resources

207. AWS Service Catalog
Allows organizations to create and manage catalogs of IT services that are approved for use on AWS, with corresponding unique identifiers for portfolio, product, and users

208. AWS CloudFormation
Templates are simple text files that create AWS resources in an automated and secure manner

209. AWS Config
Continually assesses, audits, and evaluates the configurations and relationships of your resources on AWS, on premises, and on other clouds

210. Service control policies (SCPs)
Control over the maximum available permissions for all accounts in your organization
SCPs help you to ensure your accounts stay within your organization's access control guidelines
Applied on Organisational Units
SCPs do not affect any service-linked role / management accounts.
Service-linked roles enable other AWS services to integrate with AWS Organizations and can't be restricted by SCPs
Affect users and roles in member accounts of AWS Organizations
- Any action that has an explicit Deny in an SCP can't be delegated to users or roles in the affected accounts. An explicit Deny statement overrides any Allow that other SCPs might grant
- Any action that has an explicit Allow in an SCP (such as the default "*" SCP or by any other SCP that calls out a specific service or action) can be delegated to users and roles in the affected accounts
- Any action that isn't explicitly allowed by an SCP is implicitly denied and can't be delegated to users or roles in the affected accounts

211. Amazon S3 Block Public Access
When Amazon S3 receives a request to access a bucket or an object, it determines whether the bucket or the bucket owner's account has a Block Public Access setting

212. Elastic Fabric Adapter (EFA)
A network interface for Amazon EC2 instances that enables customers to run applications requiring high levels of inter-node communications at scale on AWS

213. AWS ParallelCluster
· Open-source cluster management tool to deploy HPC on AWS
· Configure with text files
· Automate creation of VPC, Subnet, cluster type and instance types
· Ability to enable EFA on the cluster (improves network performance)

214. AWS Key Management Service (KMS)
Enables you to perform encryption operations through the use of cryptographic keys
Able to audit keys using CloudTrail

215. Amazon GuardDuty
A service that provides intelligent threat detection for your AWS infrastructure and resources
It identifies threats by continuously monitoring the network activity and account behaviour within your AWS environment
Good tool for protection against cryptocurrency attacks

216. AWS Schema Conversion Tool (SCT)
Convert your database's schema from one engine to another

217. Amazon Database Migration Service (DMS)
- Enables you to move data into AWS from existing databases
- Supports both one time and continual migration of data
- Supports many popular commercial and open source databases
- Only pay for compute leveraged in the migration process

218. AWS Systems Manager
Service that provides a collection of tools and insight into operational data for central management of those cloud or on-premise instances

219. AWS Network Firewall
• Protect your entire Amazon VPC
• From Layer 3 to Layer 7 protection
• Any direction, you can inspect:
  • VPC to VPC traffic
  • Outbound to internet
  • Inbound from internet
  • To / from Direct Connect & Site-to-Site VPN
• Internally, the AWS Network Firewall uses the AWS Gateway Load Balancer
• Rules can be centrally managed cross-account by AWS Firewall Manager to apply to many VPCs

220. AWS Shield
A managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS
AWS Shield provides always-on detection and automatic inline mitigations that minimize application downtime and latency, so there is no need to engage AWS Support to benefit from DDoS protection
DDoS protection on the following resources: EC2, ELB, CloudFront, Global Accelerator, Route 53

221. AWS Server Migration Service (SMS)
Agentless service for migrating thousands of on-premise workloads to AWS.
SMS allows for automation, scheduling, and tracking replications of live server volumes.

222. AWS Application Migration Service (MGN)
Allows you to quickly realize the benefits of migrating applications to the cloud without changes and with minimal downtime.

223. Systems Manager - SSM Session Manager
· Allows you to start a secure shell on your on-premises servers
· No SSH access, bastion hosts, or SSH keys needed
· No port 22 needed (better security)
· Send session log data to S3 or CloudWatch Logs

224. EC2 Enhanced Networking (SR-IOV)
· Higher bandwidth, higher PPS (packets per second), lower latency
· Option 1: Elastic Network Adapter (ENA) up to 100 Gbps
· Option 2: Intel 82599 VF up to 10 Gbps (LEGACY)

225. Snowball & Snowmobile
Move PB of data to the cloud.

226. AWS Direct Connect (DX)
Move GB/s of data to the cloud, over a private secure network.
Using the current Direct Connect connection, create a new public virtual interface (VIF) and input the network prefixes that you want to advertise. Public gateways encrypt the traffic.
Create a new site-to-site VPN connection to the VPC with the BGP protocol using the DX connection.
Configure the company network to route employee traffic to this VPN.

227. AWS DataSync
Move large amounts of data between on-premises and S3, EFS, FSx for Windows.

228. Fan Out Pattern
See diagram

229. VMware Cloud on AWS
An integrated cloud offering jointly developed by AWS and VMware delivering a highly scalable, secure and innovative service that allows organizations to seamlessly migrate and extend their on-premises VMware vSphere-based environments to the AWS Cloud running on next-generation Amazon Elastic Compute Cloud (Amazon EC2) bare metal infrastructure.

230. AWS Backup Vault Lock
Enforce a WORM (Write Once Read Many) state for all the backups that you store in your AWS Backup Vault
• Additional layer of defence to protect your backups against:
  • Inadvertent or malicious delete operations
  • Updates that shorten or alter retention periods
• Even the root user cannot delete backups when enabled

231. AWS Backup
Fully-managed service to centrally manage and automate backups across AWS services:
• Amazon EC2 / Amazon EBS
• Amazon S3
• Amazon RDS / Amazon Aurora / Amazon DynamoDB
• Amazon DocumentDB / Amazon Neptune
• Amazon EFS / Amazon FSx (Lustre & Windows File Server)
• AWS Storage Gateway (Volume Gateway)

232. Backup and Restore (High RPO)
https://docs.aws.amazon.com/whitepapers/latest/disaster-recovery-workloads-on-aws/disaster-recovery-options-in-the-cloud.html

233. Disaster Recovery - Pilot Light
• A small version of the app is always running in the cloud
• Useful for the critical core (pilot light)
• Very similar to Backup and Restore
• Faster than Backup and Restore as critical systems are already up

234. Warm Standby
- Full system is up and running, but at minimum size
- Upon disaster, we can scale to production load

235. Multi Site / Hot Site Approach
Very low RTO (minutes or seconds) - very expensive
Full production scale is running on AWS and on premise

236. Network Protection on AWS
• Network Access Control Lists (NACLs)
• Amazon VPC security groups
• AWS WAF (protect against malicious requests)
• AWS Shield & AWS Shield Advanced
• AWS Firewall Manager (to manage them across accounts)

237. VPC Peering
- Connecting one VPC to another
- Instances behave as if they were on the same private network
- You can peer VPCs with other AWS accounts as well as with other VPCs in the same account
- Peering is in a star configuration, i.e. 1 central VPC peers with 4 others

238. NACL
Stateless; subnet rules for inbound and outbound. Don't forget ephemeral ports (49152-65535).

239. VPC Flow Logs
Can be set up at the VPC / Subnet / ENI level, for ACCEPT and REJECT traffic.
Query VPC flow logs using Athena on S3 or CloudWatch Logs Insights.

240. AWS VPN CloudHub
Hub-and-spoke VPN model to connect your sites.

241. Bastion Host
Public EC2 instance to SSH into, that has SSH connectivity to EC2 instances in private subnets.

242. Private DNS + Route 53
Enable DNS Resolution + DNS hostnames (VPC).

243. Route Tables
Must be edited to add routes from subnets to the IGW, VPC Peering Connections, VPC Endpoints.

244. Egress-only Internet Gateway
- Used for IPv6 to allow outgoing _only_
- IPv6 addresses are all public IPs
- An internet gateway allows incoming and outgoing for IPv6
- Otherwise the same

245. AWS Batch
Enables developers, scientists, and engineers to easily and efficiently run hundreds of thousands of batch computing jobs on AWS, e.g. stock markets and trading, media houses and the entertainment industry.

246. Delay Queue
Turn any queue into a delay queue by configuring SetQueueAttributes to set the queue's DelaySeconds attribute.

247. Visibility Timeout
Period of time during which SQS prevents other consuming components from receiving and processing a message.

248. Host mode
The host network mode is the most basic network mode that's supported in Amazon ECS.

249. Bridge mode
The bridge network mode allows you to use a virtual network bridge to create a layer between the host and the networking of the container.

250. AWSVPC mode
With the awsvpc network mode, Amazon ECS creates and manages an Elastic Network Interface (ENI) for each task, and each task receives its own private IP address within the VPC.

251. Amazon EC2 Autoscaling
OldestLaunchTemplate
OldestLaunchConfiguration

252. Blanket rate-based rule
Prevent any single source IP address from negatively impacting the availability of a website.
For example, if the threshold for the rate-based rule is set to 2,000, the rule will block all IPs that are making more than 2,000 requests in a rolling 5-minute period.

253. URI-specific rate-based rule
A URI-specific rule can prevent a single source IP address from connecting to the login page as few as 100 times per 5-minute period, while still allowing a much higher request volume to the rest of the application.

254. IP reputation rate-based rule
Rate-based rules with low thresholds can be applied to requests coming from these suspect sources.

255. AWS Direct Connect plus VPN
Combine one or more AWS Direct Connect dedicated network connections with the Amazon VPC VPN.
This combination provides an IPsec-encrypted private connection that also reduces network costs, increases bandwidth throughput, and provides a more consistent network experience than Internet-based VPN connections.
MOST cost-effective

256. Amazon Elastic Container Service (ECS) Anywhere
Feature of Amazon ECS that lets you run and manage container workloads on your infrastructure.
Helps you meet compliance requirements and scale your business without sacrificing your on-premises investments.

257. create-vpc-association-authorization
You can use the Amazon Route 53 console to associate more VPCs with a private hosted zone if you created the hosted zone and the VPCs by using the same AWS account.
Additionally, you can associate a VPC from one account with a private hosted zone in a different account.

258. Public Virtual Interface
To connect to services such as EC2 using just Direct Connect you need to create a private virtual interface.
However, if you want to encrypt the traffic flowing through Direct Connect, you will need to use the public virtual interface of DX to create a VPN connection that will allow access to AWS services such as S3, EC2, and other services.

259. Amazon Macie
Amazon Macie is a data security service that discovers sensitive data by using machine learning and pattern matching, provides visibility into data security risks, and enables automated protection against those risks.

260. Multi-AZ Deployment
Synchronous replication - highly durable
Only the database engine on the primary instance is active
Automated backups are taken from the standby
Always spans 2 AZs within a single region
Database engine version upgrades happen on the primary
Automatic failover to standby when a problem is detected

261. Read Replicas
Asynchronous replication - highly scalable
All read replicas are accessible and can be used for read scaling
No backups configured by default
Can be within an AZ, cross-AZ or cross-region
Database engine version upgrade is independent from the source instance
Can be manually promoted to a standalone database

262. Network Access Control List (NACL)
Acts as a firewall for associated subnets
Controls both inbound and outbound traffic at the subnet level
NACLs are an additional layer of defence
Supports allow rules and deny rules
Stateless (return traffic must be explicitly allowed by rules)
Evaluates rules in number order
1 NACL per subnet
A newly created NACL denies all inbound traffic by default
Each subnet in a VPC must be associated with a NACL; if none, the default NACL is selected

263. Turning off shared reserved instances and Savings Plans discounts
Sign in to the AWS Management Console and open the AWS Billing console at https://console.aws.amazon.com/billing/
In the navigation pane, choose Billing preferences
Expand RI and Savings Plans discount sharing by selecting the arrow symbol
Under RI and Savings Plans discount sharing enabled, select the accounts that you want to disable RI discount sharing for
Choose Add to list to add the accounts to the RI and Savings Plans discount sharing disabled accounts
Choose Save preferences
In the Manage RI Discount, Savings Plans Discount and Credit

264. AWS Roles
More secure than using access key IDs and secret access keys, and easier to manage.
Roles are universal: you do not need to specify what region they are in, similar to users. You can apply roles to EC2; this takes effect immediately.

265. Amazon Pinpoint
Amazon Pinpoint makes it easy to run targeted campaigns to drive user engagement in mobile apps. Amazon Pinpoint helps you understand user behaviour, define which users to target, determine which messages to send, schedule the best time to deliver the messages, and then track the results of your campaign.

266. Amazon AppFlow
Amazon AppFlow is a fully managed integration service that enables you to securely transfer data between Software-as-a-Service (SaaS) applications like Salesforce, SAP, Zendesk, Slack, and ServiceNow, and AWS services like Amazon S3 and Amazon Redshift, in just a few clicks.
With AppFlow, you can run data flows at enterprise scale at the frequency you choose - on a schedule, in response to a business event, or on demand.
You can configure data transformation capabilities like filtering and validation to generate rich, ready-to-use data as part of the flow itself, without additional steps.
AppFlow automatically encrypts data in motion, and allows users to restrict data from flowing over the public Internet for SaaS applications that are integrated with AWS PrivateLink, reducing exposure to security threats.

267. Elastic Transcoder
Media transcoding in the cloud.
This service is designed to be highly scalable, easy to use and a cost-effective way for developers and businesses to convert media for multiple uses.

268. S3 Object Lock
- Use to store objects using a write once, read many (WORM) model
- Used to meet regulatory requirements
- Can be applied across an entire bucket or an individual object

269. Amazon Lightsail
Easiest way to launch and manage a virtual private server with AWS. Includes: virtual machine, SSD-based storage, data transfer, DNS management, and static IP address.

270. AWS Outposts
Run AWS services on-premises.

271. The 6 Rs model
Rehost, Replatform, Repurchase, Refactor, Retire and Retain

272. Virtual Interface (VIF)
How multiple VPCs can connect to a Direct Connect.

273. AWS CloudFormation StackSets
Roll out CloudFormation stacks over multiple AWS accounts and in multiple Regions.

274. AWS Directory Service
Use AWS Directory Service to integrate your AWS resources with the existing Active Directory using a trust relationship.
Enable single sign-on using Managed Microsoft AD.

275. Routing Policies
Simple routing policy - Use for a single resource that performs a given function for your domain, for example, a web server that serves content for the example.com website.
Failover routing policy - Use when you want to configure active-passive failover.
Geolocation routing policy - Use when you want to route traffic based on the location of your users.
Geoproximity routing policy - Use when you want to route traffic based on the location of your resources and, optionally, shift traffic from resources in one location to resources in another.
Latency routing policy - Use when you have resources in multiple AWS Regions and you want to route traffic to the region that provides the best latency.
Multivalue answer routing policy - Use when you want Route 53 to respond to DNS queries with up to eight healthy records selected at random.
Weighted routing policy - Use to route traffic to multiple resources in proportions that you specify.

276. AWS Service Catalog
AWS Service Catalog allows organizations to create and manage catalogs of IT services that are approved for use on AWS.

277. Concurrency
The number of requests that your function is serving at any given time:
Reserved concurrency - Reserved concurrency creates a pool of requests that can only be used by its function, and also prevents its function from using unreserved concurrency.
Provisioned concurrency - Provisioned concurrency initializes a requested number of execution environments so that they are prepared to respond to your function's invocations.

278. Global Tables
Global Tables builds upon DynamoDB's global footprint to provide you with a fully managed, multi-region, and multi-master database that provides fast, local, read and write performance for massively scaled, global applications.
Global Tables replicates your Amazon DynamoDB tables automatically across your choice of AWS regions.

279. Global Services
AWS Identity and Access Management (IAM), AWS STS, Amazon CloudFront, and Route 53 events are delivered to any trail that includes global services (IncludeGlobalServiceEvents flag).
The AWS CloudTrail service should be your top choice for the scenarios where the application is tracking the changes made by any AWS service, resource, or API.

280. S3 Access Points
Access points are named network endpoints that are attached to buckets that you can use to perform S3 object operations, such as GetObject and PutObject.
Configure an Amazon S3 Access Point for the S3 bucket to restrict data access to a particular Amazon VPC only.

281. snapshot copy grant
Set up a snapshot copy grant for a master key in the destination region and enable cross-region snapshots in your Redshift cluster to copy snapshots of the cluster to another region.

282. Amazon Data Lifecycle Manager (DLM)
For EBS Snapshots, provides a simple, automated way to back up data stored on Amazon EBS volumes.
You can define backup and retention schedules for EBS snapshots by creating lifecycle policies based on tags.
With this feature, you no longer have to rely on custom scripts to create and manage your backups.

283. AWS-UpdateLinuxAmi + AWS-UpdateWindowsAmi
SSM Automation offers one-click automation for simplifying complex tasks such as creating golden Amazon Machine Images (AMIs) and recovering unreachable EC2 instances.

284. Amazon X-Ray
A service that collects data about requests that your application serves, and provides tools that you can use to view, filter, and gain insights into that data to identify issues and opportunities for optimization.

285. AWS Cloud Development Kit (CDK)
Define your cloud infrastructure using a familiar language: TypeScript or Python code
• The code is "compiled" into a CloudFormation template (JSON/YAML)
• You can therefore deploy infrastructure and application runtime code together
• Great for Lambda functions
• Great for Docker containers in ECS / EKS

286. AWS Elemental MediaConvert
A file-based video transcoding service with broadcast-grade features. It allows you to easily create video-on-demand (VOD) content for broadcast and multi-screen delivery at scale.

287. AWS Glue crawlers
Can crawl multiple data stores in a single run.
Upon completion, the crawler creates or updates one or more tables in your Data Catalog.

288. Amazon AppStream 2.0
A fully managed application streaming service. You centrally manage your desktop applications on AppStream 2.0 and securely deliver them to any computer. You can easily scale to any number of users across the globe without acquiring, provisioning, and operating hardware or infrastructure.

289. Amazon PrivateLink
On-premises networks connected to AWS via Direct Connect links can also connect to EFS in the same or different regions.

290. Amazon Aurora Parallel Query
A feature of the Amazon Aurora database that provides faster analytical queries over your current data, without having to copy the data into a separate system.

291. RTO - Recovery Time Objective
The maximum amount of time that a process or service is allowed to be down with the consequences still considered acceptable.

292. RPO (Recovery Point Objective)
RPO is the acceptable amount of data loss, measured in time, before the disaster occurs.

293. AWS DNS validation
Certificate Request: You start by requesting an SSL/TLS certificate in AWS Certificate Manager (ACM). During the request process, you'll choose DNS validation as the method.
DNS Record Creation: ACM will provide you with a specific DNS record that you need to create as a new DNS TXT (text) record for your domain. The record contains a random value generated by ACM.
DNS Propagation: After you create the DNS TXT record, it needs to propagate through the DNS system. This process may take a few minutes or longer, depending on your DNS provider's settings and caching.
Validation: ACM will check the DNS records to ensure that the TXT record containing the correct random value exists for the domain. If the record is found, ACM validates that you have control over the domain.
Certificate Issuance: Once ACM successfully validates the DNS record, it issues the SSL/TLS certificate for the requested domain.
Certificate Management: The issued certificate can be associated with various AWS services, such as Amazon CloudFront, Elastic Load Balancing (ELB), or Amazon API Gateway, to enable secure connections.
Benefits of DNS Validation:
- No need to expose your server or application to the internet to complete validation.
- Suitable for situations where you don't have access to the server or infrastructure hosting the domain.
- Scalable and easy to use, especially if you manage multiple domains.

294. RPO: 24 hours, RTO: 48 hours
Periodic Data Backups: Take daily backups using AWS services like Amazon S3 or Amazon EBS snapshots. Restore the data and applications from the latest backup in the event of a disaster.
AWS Import/Export: In case of significant data loss, use physical data transfer services like AWS Import/Export to quickly restore large amounts of data.

295. RPO: 4 hours, RTO: 12 hours
Real-Time Replication: Use AWS Database Migration Service (DMS) or storage-level replication (e.g., AWS S3 Cross-Region Replication) to continuously replicate data to another AWS region or backup site.
Multi-AZ Deployments: Deploy critical applications in multiple Availability Zones (AZs) to achieve higher availability and fault tolerance.

296. RPO: 1 hour, RTO: 4 hours
Real-Time Data Replication: Use AWS services like AWS Database Migration Service (DMS), Amazon RDS Read Replicas, or Amazon DynamoDB Global Tables to achieve real-time data replication between primary and secondary regions or databases.
Elastic Load Balancing: Implement Elastic Load Balancers and Auto Scaling to quickly redirect traffic to healthy instances or containers in case of a failure.

297. RPO: Zero data loss, RTO: Near-instantaneous recovery
Active-Active Architecture: Deploy applications and databases in an active-active configuration across multiple AWS regions to achieve zero RPO. Any data changes in one region are instantly replicated to others.
Use Managed Services: Leverage fully managed services like AWS Aurora Multi-Master or Amazon DynamoDB Global Tables for automatic data replication and failover.

298. Direct Gateway
If you want to set up a Direct Connect to one or more VPCs in many different regions (same account), you must use a Direct Connect Gateway.

299. VPC Endpoints
Provide private access to AWS Services (S3, DynamoDB, CloudFormation, SSM) within a VPC.

300. CloudFront OAI
Amazon CloudFront OAI is a simple function of a CloudFront distribution that you can enable when you select S3 buckets as origin.
If you don't use an OAI, the S3 bucket must allow public access.

301. Route 53 CNAME
It points a hostname to any other hostname (app.mything.com -> abc.anything.com).
It works only for non-root domains (abcxyz.maindomain.com).
Route 53 charges for CNAME queries.
It points to any DNS record that is hosted anywhere.

302. Route 53 Alias
It points a hostname to an AWS Resource (app.mything.com -> abc.amazonaws.com).
It works for the root domain and non-root domains (maindomain.com).
Route 53 doesn't charge for Alias queries.
It points to an ELB, CloudFront distribution, Elastic Beanstalk environment, S3 bucket as a static website, or another record in the same hosted zone.

303. Infrequent Access Storage (EFS-IA)
For files not accessed every day. Cost-optimized (costs only $0.025/GB-month). Use EFS Lifecycle Management to move the file to EFS IA.

304. EBS (Elastic Block Store)
• Backup/Migration: To move a volume across AZs, you first need to take a snapshot
• Provisioned capacity: capacity needs to be provisioned in advance (GBs & IOPS)
• You can increase the capacity of the drive over time
• It can be detached from an EC2 instance and attached to another one quickly
• It's locked to a single Availability Zone (AZ)
• The default volume type is General Purpose SSD (gp2)
• EBS volumes can be mounted in parallel using RAID settings:
  • RAID 0 (increase performance)
  • RAID 1 (increase fault tolerance)
• It's a network drive (i.e. not a physical drive)
• An unencrypted volume can be encrypted using an encrypted snapshot
• A snapshot of an encrypted volume is encrypted by default
• When you share an encrypted snapshot, you must also share the customer-managed CMK used to encrypt the snapshot

305. AWS Organizations
• The main account is the management account - it cannot be changed
• Other accounts are member accounts that can only be part of a single organization
• AWS Organizations provides security boundaries using multiple member accounts
• It makes it easy to share critical common resources across the accounts
• It organizes accounts into organizational units (OUs), which are groups of accounts that serve specified applications
• Service Control Policies (SCPs) can be created to provide governance boundaries for the OUs. SCPs ensure that users in the accounts only perform actions that meet security requirements.

306. CloudTrail
A service that enables governance, compliance, operational auditing, and risk auditing of your AWS account.
Allows AWS customers to record API calls, sending log files to Amazon S3 buckets for storage.
You can turn on a trail across ALL regions for your AWS account.

307. Example of CloudTrail log file
{"Records": [{
  "eventVersion": "1.0",
  "userIdentity": {
    "type": "IAMUser",
    "principalId": "PR_ID",
    "arn": "arn:aws:iam::210123456789:user/Rohit",
    "accountId": "210123456789",
    "accessKeyId": "KEY_ID",
    "userName": "Rohit"
  },
  "eventTime": "2021-01-24T21:18:50Z",
  "eventSource": "iam.amazonaws.com",
  "eventName": "CreateUser",
  "awsRegion": "ap-south-2",
  "sourceIPAddress": "176.1.0.1",
  "userAgent": "aws-cli/1.3.2 Python/2.7.5 Windows/7",
  "requestParameters": {"userName": "Nayan"},
  "responseElements": {"user": {
    "createDate": "Jan 24, 2021 9:18:50 PM",
    "userName": "Nayan",
    "arn": "arn:aws:iam::128x:user/Nayan",
    "path": "/",
    "userId": "12xyz"
  }}
}]}

308. AWS Security Hub
It provides an option to aggregate, organize, and prioritize the security alerts, or findings, from multiple AWS services, such as Amazon GuardDuty, Amazon Inspector, Amazon Macie, AWS IAM Access Analyzer, AWS Firewall Manager, and also from AWS Partner solutions.
Payment Card Industry Data Security Standard (PCI DSS)

309. Amazon Elastic Transcoder
Amazon Elastic Transcoder lets you convert digital media stored in Amazon S3 into the audio and video codecs and the containers required by consumer playback devices.
For example, you can convert large, high-quality digital media files into formats that users can play back on mobile devices, tablets, web browsers, and connected televisions.

310. AWS IoT Greengrass
AWS IoT Greengrass seamlessly extends AWS to devices so they can act locally on the data they generate, while still using the cloud for management, analytics, and durable storage.

311. IAM Accounts
By default, all access to an AWS account and resources is denied except for the root user.

312. KMS (Key Management Service)
Shared, but separated
FIPS 140-2 Level 2
All operations are performed with AWS standard APIs
KMS can use CloudHSM as a custom key store

313. CloudHSM
A true "Single Tenant" Hardware Security Module
Fully managed
FIPS 140-2 Level 3
Industry standard APIs - PKCS#11, JCE, CNG libraries

314. Virtual Private Gateway
Create a VPN connection between the VPC and the internal corporate network.

315. Web Access Control Lists (WEBACL)
Allow / Block traffic
Resource type: CloudFront / Regional service

316. AppSync
GraphQL as a service on AWS.

317. WAF Rules
AWS WAF is a web application firewall that helps protect your web applications or APIs against common web exploits and bots that may affect availability, compromise security, or consume excessive resources.

318. Directory Services
The Directory service is a product which provides managed directory service instances within AWS. It functions in three modes:
1. Simple AD - An implementation of Samba 4 (compatibility with basic AD functions)
2. AWS Managed Microsoft AD - An actual Microsoft AD DS implementation
3. AD Connector - proxies requests back to an on-premises directory

319. Service-linked Role
A service-linked role is a unique type of IAM role that is linked directly to an AWS service.
Service-linked roles are predefined by the service and include all the permissions that the service requires to call other AWS services on your behalf.
The linked service also defines how you create, modify, and delete a service-linked role. A service might automatically create or delete the role.
It might allow you to create, modify, or delete the role as part of a wizard or process in the service. Or it might require that you use IAM to create or delete the role.

320. PassRole
The ability to pass a role to CloudFormation etc.

321. Amazon S3 Bucket Keys
Amazon S3 Bucket Keys reduce the cost of Amazon S3 server-side encryption using AWS Key Management Service (SSE-KMS).
Bucket-level keys for SSE can reduce AWS KMS request costs by up to 99 percent by decreasing the request traffic from Amazon S3 to AWS KMS.

322. Amazon Elastic Block Store (Amazon EBS)
Provides block-level storage volumes for use with EC2 instances.
EBS volumes behave like raw, unformatted block devices. You can mount these volumes as devices on your instances.
EBS volumes that are attached to an instance are exposed as storage volumes that persist independently from the life of the instance.
You can create a file system on top of these volumes, or use them in any way you would use a block device (such as a hard drive).

323. Instance metadata
Data about your instance that you can use to configure or manage the running instance.
Instance metadata is divided into categories, for example, host name, events, and security groups.

324. AmazonMQ
AWS implementation of Apache ActiveMQ.
It supports open standards such as JMS, AMQP, MQTT, OpenWire and STOMP.
If you need to support any of these, and use queues and topics, AmazonMQ is the tool to use.

325. AWS Control Tower
Offers a straightforward way to set up and govern an AWS multi-account environment, following prescriptive best practices.
AWS Control Tower orchestrates the capabilities of several other AWS services, including AWS Organizations, AWS Service Catalog, and AWS IAM Identity Center (successor to AWS Single Sign-On), to build a landing zone in less than an hour. Resources are set up and managed on your behalf.
AWS Control Tower orchestration extends the capabilities of AWS Organizations.
To help keep your organizations and accounts from drift, which is divergence from best practices, AWS Control Tower applies preventive and detective controls (guardrails).
For example, you can use guardrails to help ensure that security logs and necessary cross-account access permissions are created, and not altered.

326. S3 Security
S3 is private by default
1. Bucket Policies
2. ACLs on objects and bucket (legacy)
3. Block Public Access
4. Anonymous or Cross-Account

User-Based:
+ IAM Policies - which API calls should be allowed for a specific user from IAM

Resource-Based:
+ Bucket Policies - bucket wide rules from the S3 console - allows cross account
+ Object Access Control List (ACL) - finer grain (can be disabled)
+ Bucket Access Control List (ACL) - less common (can be disabled)

Evaluation: a request is allowed only if an IAM policy or a bucket policy allows it and nothing explicitly denies it; a principal from another account needs an allow on both sides (its own IAM policy and the bucket policy)
Since April 2023 new buckets are created with ACLs disabled (bucket owner enforced) and all four Block Public Access settings on, so Block Public Access is the safety net that keeps a mistaken Principal "*" in a bucket policy from taking effect

327. S3 Object Versioning
Disabled (version id = null) > Enabled > Suspended
Cannot be switched off - only suspended
Can't be switched back to Disabled!
Space is consumed by ALL retained versions, including noncurrent ones (use lifecycle rules to expire them)
Lets you store multiple versions of objects within a bucket
A simple DELETE does not remove data: it adds a delete marker as the current version, so GETs return 404 while every version is still stored
DELETE with a specific version id permanently removes that version
Undelete by deleting the delete marker (by its version id)
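The state machine and delete-marker behaviour above, as an added example that is not part of the original notes: a toy Python model of a versioned bucket (no S3 calls; the version ids it hands out are constructed stand-ins for S3's opaque ids). It shows the null version id outside the Enabled state, the delete marker a simple DELETE leaves behind, undelete by deleting the marker, and that every retained version consumes storage.

```python
import itertools

_CURRENT = object()  # sentinel: "no versionId given", distinct from the null version id (None)


class VersionedBucket:
    """Toy model of S3 versioning: the Disabled > Enabled > Suspended state machine,
    null version ids, delete markers and undelete. Constructed for illustration, not a client."""

    def __init__(self):
        self.state = "Disabled"
        self._objects = {}  # key -> list of versions, oldest first, newest (current) last
        self._ids = (f"v{n}" for n in itertools.count(1))  # stand-in for S3's opaque version ids

    def enable_versioning(self):
        self.state = "Enabled"

    def suspend_versioning(self):
        if self.state == "Disabled":
            raise ValueError("versioning was never enabled")
        self.state = "Suspended"

    def disable_versioning(self):
        raise ValueError("versioning cannot be switched back to Disabled, only Suspended")

    def _push(self, key, body, delete_marker):
        versions = self._objects.setdefault(key, [])
        if self.state == "Enabled":
            vid = next(self._ids)  # every write gets a fresh id; nothing is overwritten
        else:
            vid = None  # Disabled/Suspended: null version, replacing any existing null version
            versions[:] = [v for v in versions if v["id"] is not None]
        versions.append({"id": vid, "body": body, "delete_marker": delete_marker})
        return vid

    def put(self, key, body):
        """Write an object; returns its version id (None = null version)."""
        return self._push(key, body, delete_marker=False)

    def delete(self, key, version_id=_CURRENT):
        """Without a version id: Disabled removes the object, Enabled/Suspended insert a delete
        marker (data is kept). With a version id: that version (or marker) is removed for good."""
        versions = self._objects.get(key, [])
        if version_id is not _CURRENT:
            versions[:] = [v for v in versions if v["id"] != version_id]
            if not versions:
                self._objects.pop(key, None)
            return None
        if self.state == "Disabled":
            self._objects.pop(key, None)
            return None
        return self._push(key, None, delete_marker=True)

    def get(self, key, version_id=_CURRENT):
        """Current version (None, i.e. 404, if the current version is a delete marker) or a given version."""
        versions = self._objects.get(key, [])
        if version_id is _CURRENT:
            if not versions or versions[-1]["delete_marker"]:
                return None
            return versions[-1]["body"]
        for v in versions:
            if v["id"] == version_id and not v["delete_marker"]:
                return v["body"]
        return None

    def list_versions(self, key):
        """(version id, is_delete_marker) for every retained version, oldest first."""
        return [(v["id"], v["delete_marker"]) for v in self._objects.get(key, [])]

    def stored_bytes(self):
        """Every retained version is billed, not just the current one."""
        return sum(len(v["body"]) for vs in self._objects.values()
                   for v in vs if v["body"] is not None)
```

The trace worth running: put while Disabled, enable, put again, simple DELETE (GET now 404 but the old version is still readable by id), delete the marker to undelete, then suspend and observe that new writes get the null id while the Enabled-era version stays.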

328. S3 Performance Optimization
- Multipart Upload (parallel parts; recommended above 100 MB, required above 5 GB)
- S3 Transfer Acceleration (uploads enter the AWS network at the nearest CloudFront edge location)

329. S3 Access Points
A feature of S3 that simplifies managing data access at scale for applications using shared data sets on S3
Access points are unique hostnames that customers create to enforce distinct permissions and network controls for any request made through the access point
Each access point carries its own policy and can be restricted to a single VPC, so per-application permissions are delegated to access points instead of piling up in one bucket policy

330. Instance Store vs EBS
Persistence > EBS
Resilience > EBS
Storage isolated from instance lifecycle > EBS
Super high performance > Instance store
Cost > Instance store

331. SSM Parameter Store
A service, part of Systems Manager, which allows the storage and retrieval of parameters - String, StringList or SecureString
SecureString values are encrypted with a KMS key; the service supports versioning and is secured using IAM (with a customer managed key, a reader needs both ssm:GetParameter and kms:Decrypt)
The service integrates natively with many AWS services, and can be accessed using the CLI/APIs from anywhere with access to the AWS public space endpoints

332. ACID vs BASE
Database transaction models
CAP - Consistency, Availability, Partition tolerance (resilience) - pick two
ACID favours consistency, e.g. RDS (which limits horizontal scaling), DynamoDB Transactions
BASE favours availability, e.g. DynamoDB and NoSQL in general (eventually consistent)

333. CloudWatch
Collects and manages operational data
- Metrics
- CloudWatch Logs
- CloudWatch Events (now EventBridge)
ALARMS connected to a specific metric

334. CloudWatch Events & EventBridge
CloudWatch Events and EventBridge have visibility over events generated by supported AWS services within an account
They can monitor the default account event bus, pattern match events flowing through, and deliver these events to multiple targets
They are also the source of scheduled events which can perform certain actions at certain times of day, days of the week, or combinations of both, using cron expressions (or simpler rate expressions)
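The pattern matching above, as an added example that is not part of the original notes: a Python implementation of EventBridge's rule-pattern semantics (every key in the pattern must match, a list of values is an OR, nested objects recurse, plus the prefix, suffix, anything-but, numeric and exists matchers) run over constructed sample events shaped like CloudTrail console sign-in and EC2 state-change events on the default bus. Account ids, event ids and IP addresses are made up; the rule names are this example's own.

```python
import operator

# Constructed sample events in the shape EventBridge puts on the default bus.
SAMPLE_EVENTS = {
    "failed_login": {
        "version": "0", "id": "11111111-2222-3333-4444-555555555555",
        "detail-type": "AWS Console Sign In via CloudTrail", "source": "aws.signin",
        "account": "111122223333", "region": "us-east-1",
        "detail": {
            "eventName": "ConsoleLogin",
            "userIdentity": {"type": "IAMUser", "userName": "alice"},
            "sourceIPAddress": "203.0.113.10",
            "responseElements": {"ConsoleLogin": "Failure"},
            "additionalEventData": {"MFAUsed": "No"},
        },
    },
    "root_login": {
        "version": "0", "id": "66666666-7777-8888-9999-000000000000",
        "detail-type": "AWS Console Sign In via CloudTrail", "source": "aws.signin",
        "account": "111122223333", "region": "us-east-1",
        "detail": {
            "eventName": "ConsoleLogin",
            "userIdentity": {"type": "Root"},
            "sourceIPAddress": "198.51.100.7",
            "responseElements": {"ConsoleLogin": "Success"},
            "additionalEventData": {"MFAUsed": "Yes"},
        },
    },
    "ec2_terminated": {
        "version": "0", "id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
        "detail-type": "EC2 Instance State-change Notification", "source": "aws.ec2",
        "account": "111122223333", "region": "us-east-1",
        "detail": {"instance-id": "i-0123456789abcdef0", "state": "terminated"},
    },
}

# Event patterns exactly as you would write them in an EventBridge rule.
RULES = {
    "console-login-failure": {
        "source": ["aws.signin"],
        "detail": {"eventName": ["ConsoleLogin"], "responseElements": {"ConsoleLogin": ["Failure"]}},
    },
    "root-account-activity": {"detail": {"userIdentity": {"type": ["Root"]}}},
    "login-without-mfa-from-untrusted-range": {
        "detail": {
            "eventName": ["ConsoleLogin"],
            "additionalEventData": {"MFAUsed": ["No"]},
            "sourceIPAddress": [{"anything-but": {"prefix": "198.51.100."}}],  # 198.51.100.0/24 = office
        },
    },
    "ec2-stopped-or-terminated": {
        "source": ["aws.ec2"],
        "detail-type": ["EC2 Instance State-change Notification"],
        "detail": {"state": ["stopped", "terminated"]},
    },
}

_NUMERIC_OPS = {"<": operator.lt, "<=": operator.le, "=": operator.eq, ">=": operator.ge, ">": operator.gt}


def _listify(v):
    return v if isinstance(v, list) else [v]


def _match_one(matcher, value):
    """Match one pattern element (a literal or an {operator: argument} matcher) against one value."""
    if not isinstance(matcher, dict):
        return matcher == value  # exact, case-sensitive match
    if "prefix" in matcher:
        return isinstance(value, str) and value.startswith(matcher["prefix"])
    if "suffix" in matcher:
        return isinstance(value, str) and value.endswith(matcher["suffix"])
    if "anything-but" in matcher:
        excluded = matcher["anything-but"]
        if isinstance(excluded, dict):  # e.g. {"anything-but": {"prefix": "10."}}
            return not _match_one(excluded, value)
        return value not in _listify(excluded)
    if "numeric" in matcher:  # e.g. {"numeric": [">", 0, "<=", 5]}: alternating operator, operand
        ops = matcher["numeric"]
        return isinstance(value, (int, float)) and all(
            _NUMERIC_OPS[ops[i]](value, ops[i + 1]) for i in range(0, len(ops), 2))
    if "exists" in matcher:
        return bool(matcher["exists"])  # the key is present if we got this far
    raise ValueError(f"unsupported matcher: {matcher}")


def matches(pattern, event):
    """True if the event satisfies every key of the pattern (AND across keys, OR within a list)."""
    for key, spec in pattern.items():
        if isinstance(spec, dict):  # nested object pattern: recurse into the event's sub-object
            if not isinstance(event.get(key), dict) or not matches(spec, event[key]):
                return False
            continue
        if key not in event:
            # a missing key can only be matched by {"exists": false}
            if not any(isinstance(m, dict) and m.get("exists") is False for m in spec):
                return False
            continue
        values = event[key] if isinstance(event[key], list) else [event[key]]
        if not any(_match_one(m, v) for m in spec for v in values):
            return False
    return True


def route(rules, event):
    """Names of the rules whose pattern matches the event (each would fan out to its own targets)."""
    return sorted(name for name, pattern in rules.items() if matches(pattern, event))
```

Note that a rule pattern never matches a field it does not mention, so "root-account-activity" fires on any event that carries detail.userIdentity.type = Root regardless of source; when you only want sign-ins, add "source": ["aws.signin"] to the pattern.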

335. Cached Volumes (Volume Gateway)
You store your data in S3 and retain a copy of frequently accessed data subsets locally
Cached volumes offer substantial cost savings on primary storage and minimise the need to scale on-premises storage
You also retain low-latency access to your frequently accessed data

336. Stored Volumes (Volume Gateway)
If you need low-latency access to your entire data set, first configure your on-premises gateway to store all your data locally
Then, asynchronously back up point-in-time snapshots to S3
If you need replacement capacity for disaster recovery

337. Mapping Template (API Gateway)
Can be used to transform a request from the frontend data format to the backend data format (and the response back again); written in Velocity Template Language (VTL)

338. AWS Security Token Service (STS)
AWS STS is an AWS service that lets you request temporary security credentials for your AWS resources, for IAM-authenticated users and for users authenticated outside AWS, such as federated users via OpenID Connect or SAML 2.0

You use STS to provide trusted users with temporary access to resources via API calls, the AWS console or the AWS Command Line Interface (CLI)
The credentials (access key id, secret access key, session token) expire automatically; a role session lasts from 15 minutes up to the role's maximum session duration (at most 12 hours)

339. AWS Single Sign-On
AWS Single Sign-On (now AWS IAM Identity Center) is a cloud-based service that simplifies managing SSO access to AWS accounts and business applications
You can control SSO access and user permissions across all your AWS accounts in AWS Organizations
You can also administer access to popular business applications and custom applications that support Security Assertion Markup Language (SAML) 2.0
In addition, AWS SSO offers a user portal where your users can find all their assigned AWS accounts, business applications, and custom applications in one place

340. Role switching
Switching from your current identity to an IAM role, in the same or another account, from the console ("Switch Role") or the CLI (a profile with role_arn and source_profile)
Behind the scenes this is an sts:AssumeRole call: the role's trust policy must name your identity or account as principal, and your identity must be allowed to call sts:AssumeRole on that role; while switched you work with the role's permissions, not your own

341. Cross Account Access
Allow access to your resources from an AWS account outside your own (or outside your organization)
Create a role in the trusting account (A) with a trust policy naming the trusted account (B) as principal, and a permissions policy on the role scoping what it can do; identities in B then need permission to call sts:AssumeRole on that role
Alternatively, a resource-based policy (S3 bucket policy, KMS key policy, SQS queue policy) can grant account B directly, in which case the caller still needs a matching allow in its own identity policy
When the trusted party is a third party, require an sts:ExternalId condition in the trust policy to prevent the confused deputy problem

342. AWS Step Functions
Makes it easy to coordinate the components of distributed applications and microservices using visual workflows

Use cases: order fulfilment, data processing, web applications, any workflow

343. EC2 lifecycle instance states see diagram

344. AWS Cost and Usage Report
Is a single location for accessing comprehensive information about your AWS costs and usage

345. Aurora Serverless
- automated database instantiation and auto-scaling based on actual usage
- *good for infrequent, intermittent, or unpredictable workloads*
- no capacity planning needed
- pay per second, can be more cost-effective

346. CloudFormation Outputs
The optional Outputs section declares output values that you can import into other stacks (to create cross-stack references), return in response (to describe stack calls), or view on the AWS CloudFormation console

347. CloudFormation Mappings
The optional Mappings section matches a key to a corresponding set of named values

348. Recycle Bin
Recycle Bin is a data recovery feature that enables you to restore accidentally deleted Amazon EBS snapshots and EBS-backed AMIs
When using Recycle Bin, if your resources are deleted, they are retained in the Recycle Bin for a time period that you specify before being permanently deleted

349. AQUA (Advanced Query Accelerator)
A speed boost for your Amazon Redshift queries
AQUA pushes the computation needed to handle reduction and aggregation queries closer to the data

350. Transparent Data Encryption
RDS supports TDE with Oracle and Microsoft SQL Server
Data is automatically encrypted at rest when it is written to storage
Data is automatically decrypted when it is read from storage
Oracle TDE can be integrated with CloudHSM, which securely stores, generates and manages cryptographic keys in a single-tenant hardware security module

351. cfn-init
Reads template metadata from the AWS::CloudFormation::Init key and acts accordingly to:
- Fetch and parse metadata from AWS CloudFormation
- Install packages
- Write files to disk
- Enable/disable and start/stop services

352. AWS OpsWorks for Chef Automate
Provides a fully managed Chef Automate server and suite of automation tools that give you workflow automation for continuous deployment, automated testing for compliance and security, and a user interface that gives you visibility into your nodes and their status

353. Amazon WorkDocs
Is a fully managed, secure content creation, storage, and collaboration service
With Amazon WorkDocs, you can easily create, edit, and share content, and because it's stored centrally on AWS, access it from anywhere on any device
Amazon WorkDocs makes it easy to collaborate with others, and lets you easily share content, provide rich feedback, and collaboratively edit documents

354. EC2Rescue
Can help you diagnose and troubleshoot problems on Amazon EC2 Linux and Windows Server instances
You can run the tool manually or automatically by using Systems Manager Automation and the AWSSupport-ExecuteEC2Rescue document

The AWSSupport-ExecuteEC2Rescue document is designed to perform a combination of Systems Manager actions, AWS CloudFormation actions, and Lambda functions that automate the steps normally required to use EC2Rescue.

355. OpenSearch
Amazon OpenSearch Service is a managed service that makes it easy to deploy, operate, and scale OpenSearch clusters in the AWS Cloud. Amazon OpenSearch Service supports OpenSearch and legacy Elasticsearch OSS (up to 7.10, the final open-source version of the software)

When you create a cluster, you have the option of which search engine to use

356. Amazon Mechanical Turk (MTurk)
A crowdsourcing marketplace that makes it easier for individuals and businesses to outsource their processes and jobs to a distributed workforce who can perform these tasks virtually
This could include anything from conducting simple data validation and research to more subjective tasks like survey participation, content moderation, and more

357. Canary Deployments
In API Gateway, a canary is used to test new API deployments and/or changes to stage variables

A canary can receive a percentage of requests going to your stage

In addition, API deployments are made to the canary first, before they can be promoted to the entire stage


358. AWS Simple Workflow Service (SWF)
Code runs on EC2 (not serverless)
Older service
Use SWF when you need external signals to intervene in the process, or need a child process to pass a value to the parent process; otherwise use Step Functions for new applications

359. S3 policy that allows an OAI to read all of its objects
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity unique_identifier"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::tutorialsdojo/*"
    }
  ]
}
The grant is s3:GetObject only, so CloudFront can serve objects but cannot list or write the bucket
Origin access identities are the legacy mechanism; for new distributions use origin access control (OAC), whose bucket policy grants the service principal cloudfront.amazonaws.com with an aws:SourceArn condition naming the distribution
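The access model from card 326 (private by default, identity policies versus bucket policies, Block Public Access), the cross-account rule from card 341 (the other account's principal needs an allow on both sides) and the OAI bucket policy above, as one added example that is not part of the original notes and not the IAM evaluation engine: a simplified Python evaluator that decides Allow or Deny for a request against an identity policy and a bucket policy. It ignores Condition keys, SCPs, permission boundaries and session policies. The account ids and the OAI id are constructed placeholders; the bucket name follows the policy in card 359.

```python
import fnmatch

# Constructed example data: the account ids and the OAI id are placeholders.
OWNER_ACCOUNT = "111122223333"
PARTNER_ACCOUNT = "999988887777"
BUCKET_ARN = "arn:aws:s3:::tutorialsdojo"
OAI_ARN = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E1EXAMPLE1234"

OAI_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": OAI_ARN},
     "Action": "s3:GetObject", "Resource": BUCKET_ARN + "/*"}]}
CROSS_ACCOUNT_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{PARTNER_ACCOUNT}:root"},
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": [BUCKET_ARN, BUCKET_ARN + "/exports/*"]}]}
PUBLIC_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": BUCKET_ARN + "/*"}]}
DENY_ALL_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": BUCKET_ARN + "/*"}]}
READ_EXPORTS = {"Version": "2012-10-17", "Statement": [  # identity policy attached to a user
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": BUCKET_ARN + "/exports/*"}]}

OWNER_USER = {"arn": f"arn:aws:iam::{OWNER_ACCOUNT}:user/admin", "account": OWNER_ACCOUNT}
PARTNER_USER = {"arn": f"arn:aws:iam::{PARTNER_ACCOUNT}:user/etl", "account": PARTNER_ACCOUNT}
OAI = {"arn": OAI_ARN, "account": None}  # CloudFront-owned identity: no identity policy of ours
ANONYMOUS = None


def _listify(v):
    return v if isinstance(v, list) else [v]


def _glob_any(patterns, value):
    """IAM-style wildcard match (* and ?) of one value against one or more patterns."""
    return any(fnmatch.fnmatchcase(value, p) for p in _listify(patterns))


def _principal_matches(principal, caller):
    """Principal element: "*" (anyone) or {"AWS": arn | account-id | root-arn | [...]}."""
    if principal in ("*", {"AWS": "*"}):
        return True
    if caller is None or not isinstance(principal, dict):
        return False
    for p in _listify(principal.get("AWS", [])):
        if p == caller["arn"]:
            return True
        # An account id or account root ARN delegates to every IAM principal in that account.
        if caller["account"] and p in (caller["account"], f"arn:aws:iam::{caller['account']}:root"):
            return True
    return False


def _applies(stmt, action, resource):
    return _glob_any(stmt.get("Action", []), action) and _glob_any(stmt.get("Resource", []), resource)


def _is_public_grant(stmt):
    """An unconditional Allow to everyone: what Block Public Access is designed to neutralise."""
    return stmt["Effect"] == "Allow" and stmt.get("Principal") in ("*", {"AWS": "*"}) and "Condition" not in stmt


def evaluate_s3_access(action, resource, caller, identity_policy=None,
                       bucket_policy=None, block_public_access=True):
    """Return "Allow" or "Deny" under a simplified S3 model (no Condition keys, SCPs,
    permission boundaries or session policies). caller is None for anonymous requests,
    else {"arn": ..., "account": account-id or None}."""
    identity_allow = resource_allow = False
    for stmt in (identity_policy or {}).get("Statement", []):
        if _applies(stmt, action, resource):
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit deny anywhere ends the evaluation
            identity_allow = True
    for stmt in (bucket_policy or {}).get("Statement", []):
        if block_public_access and _is_public_grant(stmt):
            continue  # RestrictPublicBuckets: public grants in the bucket policy are ignored
        if _principal_matches(stmt.get("Principal"), caller) and _applies(stmt, action, resource):
            if stmt["Effect"] == "Deny":
                return "Deny"
            resource_allow = True
    if caller and caller["account"] == OWNER_ACCOUNT:
        return "Allow" if identity_allow or resource_allow else "Deny"  # same account: either side
    if caller and caller["account"]:
        return "Allow" if identity_allow and resource_allow else "Deny"  # cross-account: both sides
    return "Allow" if resource_allow else "Deny"  # anonymous or OAI: the bucket policy alone decides
```

The cases that matter: the OAI reads objects but cannot write them and an anonymous caller gets nothing from the OAI policy; the owner's user is denied until an IAM policy allows (private by default); the partner's user is denied with only its own IAM policy or only the bucket grant and allowed with both; a Principal "*" grant is dead while Block Public Access is on; and a Deny in the bucket policy beats an identity-policy Allow.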

