AWS Config

Uploaded by mithusur
AWS Config is a service that enables you to assess, audit, and evaluate the configurations of
your AWS resources. Config continuously monitors and records your AWS resource
configurations and allows you to automate the evaluation of recorded configurations against
desired configurations. With Config, you can review changes in configurations and
relationships between AWS resources, dive into detailed resource configuration histories, and
determine your overall compliance against the configurations specified in your internal
guidelines. This enables you to simplify compliance auditing, security analysis, change
management, and operational troubleshooting.
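The "evaluate recorded configurations against desired configurations" part is easiest to see in code. The following is an added example, not part of the original notes: it models a Lambda-backed AWS Config custom rule that receives a recorded configuration item and reports COMPLIANT or NON_COMPLIANT. The configuration items, resource IDs and values are constructed for the example; the desired configurations checked (EBS volumes encrypted, no security group opening TCP/22 to the world) are assumptions chosen to illustrate the mechanism.

```python
import json

# Constructed configuration items in the shape AWS Config records them
# (resourceType, resourceId, configuration); the IDs and values are made up.
SAMPLE_ITEMS = [
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0a1b2c3d4e5f60001",
     "configurationItemStatus": "OK",
     "configurationItemCaptureTime": "2024-01-15T10:00:00.000Z",
     "configuration": {"encrypted": True, "size": 100}},
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0a1b2c3d4e5f60002",
     "configurationItemStatus": "OK",
     "configurationItemCaptureTime": "2024-01-15T10:05:00.000Z",
     "configuration": {"encrypted": False, "size": 500}},
    {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0123456789abcdef0",
     "configurationItemStatus": "OK",
     "configurationItemCaptureTime": "2024-01-15T10:10:00.000Z",
     "configuration": {"ipPermissions": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": [{"cidrIp": "0.0.0.0/0"}]}]}},
]


def evaluate_volume(cfg):
    """Desired configuration (assumed for the example): every EBS volume is encrypted."""
    return "COMPLIANT" if cfg.get("encrypted") is True else "NON_COMPLIANT"


def evaluate_security_group(cfg):
    """Desired configuration (assumed): no inbound rule exposes TCP/22 to 0.0.0.0/0."""
    for perm in cfg.get("ipPermissions", []):
        proto = perm.get("ipProtocol")
        all_traffic = proto == "-1"
        covers_ssh = proto == "tcp" and perm.get("fromPort", 0) <= 22 <= perm.get("toPort", 0)
        world_open = any(r.get("cidrIp") == "0.0.0.0/0" for r in perm.get("ipRanges", []))
        if (all_traffic or covers_ssh) and world_open:
            return "NON_COMPLIANT"
    return "COMPLIANT"


EVALUATORS = {
    "AWS::EC2::Volume": evaluate_volume,
    "AWS::EC2::SecurityGroup": evaluate_security_group,
}


def evaluate_item(item):
    """Turn one recorded configuration item into the evaluation a custom rule reports."""
    if item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        compliance = "NOT_APPLICABLE"          # nothing left to evaluate
    else:
        evaluator = EVALUATORS.get(item["resourceType"])
        compliance = (evaluator(item.get("configuration") or {})
                      if evaluator else "NOT_APPLICABLE")
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def make_event(item, result_token="constructed-token"):
    """Build the event shape Config sends to a custom rule's Lambda function:
    the changed item arrives as a JSON string under invokingEvent."""
    return {"invokingEvent": json.dumps({"configurationItem": item}),
            "resultToken": result_token}


def lambda_handler(event, context=None):
    """A deployed rule would pass the returned evaluation to the Config
    PutEvaluations API together with event["resultToken"]; this offline
    example just returns it."""
    invoking_event = json.loads(event["invokingEvent"])
    return evaluate_item(invoking_event["configurationItem"])


def evaluate_all(items=SAMPLE_ITEMS):
    return [evaluate_item(i) for i in items]


if __name__ == "__main__":
    for ev in evaluate_all():
        print(ev["ComplianceResourceId"], ev["ComplianceType"])
```

The two evaluators are the "desired configuration"; everything else is the plumbing that turns a configuration history entry into a compliance verdict that shows up in Config's compliance view and timeline.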

AWS Database Migration Service (AWS DMS) is a cloud service that makes it easy to
migrate relational databases, data warehouses, NoSQL databases, and other types of data
stores. You can use AWS DMS to migrate your data into the AWS Cloud, between on-
premises instances (through an AWS Cloud setup) or between combinations of cloud and on-
premises setups. With AWS DMS, you can perform one-time migrations, and you can
replicate ongoing changes to keep sources and targets in sync.

You can migrate data to Amazon S3 using AWS DMS from any of the supported database
sources. When using Amazon S3 as a target in an AWS DMS task, both full load and change
data capture (CDC) data is written to comma-separated value (.csv) format by default.

The comma-separated value (.csv) format is the default storage format for Amazon S3 target
objects. For more compact storage and faster queries, you can instead use Apache Parquet
(.parquet) as the storage format.

You can encrypt connections for source and target endpoints by using Secure Sockets Layer
(SSL). To do so, you can use the AWS DMS Management Console or AWS DMS API to
assign a certificate to an endpoint. You can also use the AWS DMS console to manage your
certificates.

You have three mutually exclusive options depending on how you choose to manage the
encryption keys:

1. Use Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3)
2. Use Server-Side Encryption with AWS KMS-Managed Keys (SSE-KMS)
3. Use Server-Side Encryption with Customer-Provided Keys (SSE-C)
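Choosing one of the key-management options above is only half the job; the bucket that receives the objects should refuse anything else. The following is an added example, not from the original notes: a constructed S3 bucket policy with two Deny statements, one rejecting requests that are not sent over TLS (the aws:SecureTransport key) and one rejecting PutObject calls that do not ask for SSE-KMS (the s3:x-amz-server-side-encryption key), plus a small evaluator that shows which statement catches which request. EXAMPLE-BUCKET and the request contexts are placeholders; only the condition operators the policy uses are modelled, and resource matching is left out.

```python
import fnmatch

# Constructed bucket policy; EXAMPLE-BUCKET is a placeholder name.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::EXAMPLE-BUCKET", "arn:aws:s3:::EXAMPLE-BUCKET/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Sid": "DenyUnencryptedObjectUploads", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/*",
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(operator, expected, request_ctx):
    """Evaluate one condition block against the request context keys.
    Only the operators used by the policy above are modelled."""
    for key, values in expected.items():
        allowed = [str(v) for v in _as_list(values)]
        actual = request_ctx.get(key)
        if operator == "Bool":
            ok = actual is not None and str(actual).lower() == allowed[0].lower()
        elif operator == "StringEquals":
            ok = actual in allowed
        elif operator == "StringNotEquals":
            # A key that is absent from the request makes a negated condition
            # match, which is what lets this Deny catch uploads that send no
            # encryption header at all.
            ok = actual not in allowed
        else:
            raise ValueError(f"operator {operator} not modelled")
        if not ok:
            return False
    return True


def denying_statement(action, request_ctx, policy=BUCKET_POLICY):
    """Return the Sid of the first Deny statement that applies to `action`
    under `request_ctx`, or None if no Deny matches (resource matching omitted)."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
            continue
        if all(_condition_matches(op, exp, request_ctx)
               for op, exp in stmt.get("Condition", {}).items()):
            return stmt["Sid"]
    return None


# Constructed request contexts as S3 would see them for a PutObject call.
REQUESTS = {
    "kms-over-tls": {"aws:SecureTransport": "true",
                     "s3:x-amz-server-side-encryption": "aws:kms"},
    "sse-s3-over-tls": {"aws:SecureTransport": "true",
                        "s3:x-amz-server-side-encryption": "AES256"},
    "no-header": {"aws:SecureTransport": "true"},
    "kms-plain-http": {"aws:SecureTransport": "false",
                       "s3:x-amz-server-side-encryption": "aws:kms"},
}


def check_all():
    """Map each constructed request to the Sid that denies it, or None if allowed."""
    return {name: denying_statement("s3:PutObject", ctx) for name, ctx in REQUESTS.items()}


if __name__ == "__main__":
    for name, sid in check_all().items():
        print(f"{name}: {'allowed' if sid is None else 'denied by ' + sid}")
```

The policy pins the bucket to SSE-KMS; a bucket that is meant to accept SSE-S3 instead would list "AES256" in the StringNotEquals value. The evaluator only answers "is there a matching Deny", which is the question that matters here, since an explicit Deny wins over any Allow.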

AWS DataSync makes it simple and fast to move large amounts of data online between on-
premises storage and Amazon S3, Amazon Elastic File System (Amazon EFS), or Amazon
FSx for Windows File Server. Manual tasks related to data transfers can slow down
migrations and burden IT operations. DataSync eliminates or automatically handles many of
these tasks, including scripting copy jobs, scheduling, and monitoring transfers, validating
data, and optimizing network utilization. The DataSync software agent connects to your
Network File System (NFS), Server Message Block (SMB) storage, and your self-managed
object storage, so you don’t have to modify your applications.

DataSync can transfer hundreds of terabytes and millions of files at speeds up to 10 times
faster than open-source tools, over the Internet or AWS Direct Connect links. You can use
DataSync to migrate active data sets or archives to AWS, transfer data to the cloud for timely
analysis and processing, or replicate data to AWS for business continuity. Getting started
with DataSync is easy: deploy the DataSync agent, connect it to your file system, select your
AWS storage resources, and start moving data between them. You pay only for the data you
move.

Although you can copy data from on-premises to AWS with Storage Gateway, it is not
suitable for transferring large sets of data to AWS. Storage Gateway is mainly used in
providing low-latency access to data by caching frequently accessed data on-premises while
storing archive data securely and durably in Amazon cloud storage services. Storage Gateway
optimizes data transfer to AWS by sending only changed data and compressing data.

Amazon EMR (Amazon Elastic MapReduce) is a managed cluster platform that
simplifies running big data frameworks, such as Apache Hadoop and Apache Spark, on AWS
to process and analyze vast amounts of data. By using these frameworks and related open-
source projects, such as Apache Hive and Apache Pig, you can process data for analytics
purposes and business intelligence workloads. Additionally, you can use Amazon EMR to
transform and move large amounts of data into and out of other AWS data stores and
databases.

Amazon Redshift is the most widely used cloud data warehouse. It makes it fast, simple, and
cost-effective to analyze all your data using standard SQL and your existing Business
Intelligence (BI) tools. It allows you to run complex analytic queries against terabytes to
petabytes of structured and semi-structured data, using sophisticated query optimization,
columnar storage on high-performance storage, and massively parallel query execution.

Decoupling:

Amazon Simple Queue Service (SQS) and Amazon Simple Workflow Service (SWF) are
the services that you can use for creating a decoupled architecture in AWS. Decoupled
architecture is a type of computing architecture that enables computing components or layers
to execute independently while still interfacing with each other.

Amazon SQS offers reliable, highly-scalable hosted queues for storing messages while they
travel between applications or microservices. Amazon SQS lets you move data between
distributed application components and helps you decouple these components. Amazon SWF
is a web service that makes it easy to coordinate work across distributed application
components.

AWS WAF is a web application firewall that helps protect your web applications or APIs
against common web exploits that may affect availability, compromise security, or consume
excessive resources. AWS WAF gives you control over how traffic reaches your applications
by enabling you to create security rules that block common attack patterns, such as SQL
injection or cross-site scripting, and rules that filter out specific traffic patterns you define.
You can deploy AWS WAF on Amazon CloudFront as part of your CDN solution, the
Application Load Balancer that fronts your web servers or origin servers running on EC2, or
Amazon API Gateway for your APIs.

AWS Organizations is a service that allows you to manage multiple AWS accounts easily.
With this service, you can effectively consolidate billing and manage your resources across
multiple accounts. AWS IAM Identity Center can be integrated with your corporate directory
service for centralized authentication. This means you can sign in to multiple AWS accounts
with just one set of credentials. This integration helps to streamline the authentication process
and makes it easier for companies to switch between accounts.
In addition to this, you can also configure a service control policy (SCP) to manage your
AWS accounts. SCPs help you enforce policies across your organization and control the
services and features accessible to your other accounts. This way, you can ensure that your
organization's resources are used only as intended and prevent unauthorized access. You can
provide secure and centralized management of your AWS accounts by setting up AWS
Organizations, integrating AWS IAM Identity Center with your corporate directory service,
and configuring SCPs. This simplifies your management process and helps you maintain
better control over your resources.
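How an SCP "controls the services and features accessible" to an account is worth seeing concretely. The following is an added example, not from the original notes: two constructed SCPs (a guardrail set of Denies for the organization root and an allow-list for a Sandbox OU) and a small evaluator that applies the rule SCPs actually follow: the SCPs attached at every level from the root down to the account must permit an action, an explicit Deny at any level wins, and an SCP never grants anything by itself. The policy contents, OU layout and account paths are assumptions made for the example; NotAction and condition elements are not modelled.

```python
import fnmatch

# The SCP AWS attaches by default to every root, OU and account: allow everything.
FULL_AWS_ACCESS = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Constructed guardrail SCP for the organization root: member accounts may not
# leave the organization or switch off the audit trail and configuration recorder.
ROOT_GUARDRAILS = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyLeaveOrganization", "Effect": "Deny",
     "Action": "organizations:LeaveOrganization", "Resource": "*"},
    {"Sid": "ProtectAuditServices", "Effect": "Deny",
     "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                "config:StopConfigurationRecorder", "config:DeleteConfigurationRecorder"],
     "Resource": "*"},
]}

# Constructed allow-list SCP for a Sandbox OU (FullAWSAccess detached there):
# only these services are reachable from accounts in that OU.
SANDBOX_ALLOWLIST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:*", "s3:*", "cloudwatch:*", "logs:*"],
     "Resource": "*"},
]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_covers(statement, action):
    return any(fnmatch.fnmatchcase(action, pattern)
               for pattern in _as_list(statement["Action"]))


def level_permits(attached_scps, action):
    """Combine the SCPs attached at one level (root, OU or account): a matching
    Deny in any of them wins; otherwise some statement must Allow the action."""
    allowed = False
    for scp in attached_scps:
        for stmt in scp["Statement"]:
            if not _statement_covers(stmt, action):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def scp_permits(org_path, action):
    """org_path lists, from the root down to the account, the SCPs attached at
    each level. The action is only possible for the account's principals if
    every level permits it AND an IAM policy inside the account allows it;
    SCPs restrict, they never grant."""
    return all(level_permits(level, action) for level in org_path)


# Constructed organization paths: root -> OU -> account.
SANDBOX_ACCOUNT_PATH = [[FULL_AWS_ACCESS, ROOT_GUARDRAILS], [SANDBOX_ALLOWLIST],
                        [FULL_AWS_ACCESS]]
PROD_ACCOUNT_PATH = [[FULL_AWS_ACCESS, ROOT_GUARDRAILS], [FULL_AWS_ACCESS],
                     [FULL_AWS_ACCESS]]


if __name__ == "__main__":
    for action in ("ec2:RunInstances", "iam:CreateUser", "cloudtrail:StopLogging"):
        print(f"{action:28} sandbox={scp_permits(SANDBOX_ACCOUNT_PATH, action)!s:5} "
              f"prod={scp_permits(PROD_ACCOUNT_PATH, action)}")
```

Two practical points the model makes visible: the root-level Deny on stopping CloudTrail and Config reaches every member account regardless of what their own administrators allow, and the Sandbox allow-list only works because the default FullAWSAccess SCP was detached from that OU. The organization's management account is not restricted by SCPs at all, so guardrails like these protect member accounts only.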

An Amazon EBS volume is a durable, block-level storage device that you can attach to a
single EC2 instance. You can use EBS volumes as primary storage for data that requires
frequent updates, such as the system drive for an instance or storage for a database
application. You can also use them for throughput-intensive applications that perform
continuous disk scans. EBS volumes persist independently from the running life of an EC2
instance.

Here is a list of important information about EBS Volumes:

- When you create an EBS volume in an Availability Zone, it is automatically replicated
within that zone to prevent data loss due to a failure of any single hardware component.

- An EBS volume can only be attached to one EC2 instance at a time.

- After you create a volume, you can attach it to any EC2 instance in the same Availability
Zone.

- An EBS volume is off-instance storage that can persist independently from the life
of an instance. You can specify not to terminate the EBS volume when you terminate the
EC2 instance during instance creation.

- EBS volumes support live configuration changes while in production, which means that you
can modify the volume type, volume size, and IOPS capacity without service interruptions.

- Amazon EBS encryption uses 256-bit Advanced Encryption Standard algorithms (AES-256).

- EBS Volumes offer 99.999% SLA.

For a web server in one subnet to reach a database server in another, first, the Network ACL
should be properly set to allow communication between the two subnets. The security group
should also be properly configured so that your web server can communicate with the
database server.

AWS IAM Identity Center (successor to AWS Single Sign-On) provides single sign-on
access for all of your AWS accounts and cloud applications. It connects with Microsoft
Active Directory through AWS Directory Service to allow users in that directory to sign in to
a personalized AWS access portal using their existing Active Directory user names and
passwords. From the AWS access portal, users have access to all the AWS accounts and
cloud applications that they have permission for.

Users in your self-managed directory in Active Directory (AD) can also have single sign-on
access to AWS accounts and cloud applications in the AWS access portal.

AWS Security Token Service (AWS STS) is the service that you can use to create and
provide trusted users with temporary security credentials that can control access to your AWS
resources. Temporary security credentials work almost identically to the long-term access key
credentials that your IAM users can use.

In this diagram, IAM user Alice in the Dev account (the role-assuming account) needs to
access the Prod account (the role-owning account). Here’s how it works:

1. Alice in the Dev account assumes an IAM role (WriteAccess) in the Prod account by
calling AssumeRole.
2. STS returns a set of temporary security credentials.
3. Alice uses the temporary security credentials to access services and resources in the
Prod account. Alice could, for example, make calls to Amazon S3 and Amazon EC2,
which are granted by the WriteAccess role.
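The three steps above hide the point that trips most people up in cross-account access: two policies in two accounts have to agree before STS hands out anything. The following is an added example, not from the original notes, that models the Dev/Prod scenario: the trust policy on WriteAccess in Prod names Alice, Alice's own identity policy in Dev allows sts:AssumeRole on that role, and the result is a credential set that stops working at its expiration time. The account IDs, ARNs, a second user Bob and the credential values are constructed placeholders; real temporary credentials come from the STS AssumeRole API, which this code only models.

```python
import fnmatch
from datetime import datetime, timedelta, timezone

# Constructed placeholder account IDs and ARNs for the Dev / Prod scenario.
DEV_ACCOUNT = "111111111111"
PROD_ACCOUNT = "222222222222"
ALICE_ARN = f"arn:aws:iam::{DEV_ACCOUNT}:user/Alice"
BOB_ARN = f"arn:aws:iam::{DEV_ACCOUNT}:user/Bob"
WRITE_ACCESS_ROLE_ARN = f"arn:aws:iam::{PROD_ACCOUNT}:role/WriteAccess"

# Side 1, Prod (role-owning account): the trust policy on WriteAccess says who
# may assume it. Listing a specific user rather than the whole Dev account keeps
# the decision in Prod's hands.
WRITE_ACCESS_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ALICE_ARN}, "Action": "sts:AssumeRole"}]}

# Side 2, Dev (role-assuming account): Alice's identity policy must also allow
# the AssumeRole call on that specific role ARN.
ALICE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": WRITE_ACCESS_ROLE_ARN}]}

# Bob (constructed) has no such statement and is not named in the trust policy.
BOB_POLICY = {"Version": "2012-10-17", "Statement": []}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def trust_policy_allows(trust_policy, caller_arn):
    """Does the role's trust policy list this caller as an allowed principal?"""
    for stmt in trust_policy["Statement"]:
        principals = _as_list(stmt.get("Principal", {}).get("AWS", []))
        if (stmt["Effect"] == "Allow"
                and "sts:AssumeRole" in _as_list(stmt["Action"])
                and caller_arn in principals):
            return True
    return False


def identity_policy_allows(policy, role_arn):
    """Does the caller's own policy allow sts:AssumeRole on this role ARN?"""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(fnmatch.fnmatchcase("sts:AssumeRole", a) for a in _as_list(stmt["Action"])):
            continue
        if any(fnmatch.fnmatchcase(role_arn, r) for r in _as_list(stmt["Resource"])):
            return True
    return False


def can_assume(caller_arn, caller_policy, role_arn=WRITE_ACCESS_ROLE_ARN,
               trust_policy=WRITE_ACCESS_TRUST_POLICY):
    return (identity_policy_allows(caller_policy, role_arn)
            and trust_policy_allows(trust_policy, caller_arn))


def assume_role(caller_arn, caller_policy, role_arn=WRITE_ACCESS_ROLE_ARN,
                trust_policy=WRITE_ACCESS_TRUST_POLICY, now=None, duration_seconds=3600):
    """Model of the AssumeRole check. Returns a constructed credential set with an
    Expiration; a real call returns AccessKeyId/SecretAccessKey/SessionToken from STS."""
    now = now or datetime.now(timezone.utc)
    if not identity_policy_allows(caller_policy, role_arn):
        raise PermissionError(f"{caller_arn} may not call sts:AssumeRole on {role_arn}")
    if not trust_policy_allows(trust_policy, caller_arn):
        raise PermissionError(f"trust policy of {role_arn} does not trust {caller_arn}")
    return {
        "AccessKeyId": "ASIA-CONSTRUCTED-PLACEHOLDER",
        "SecretAccessKey": "constructed-placeholder-secret",
        "SessionToken": "constructed-placeholder-session-token",
        "Expiration": now + timedelta(seconds=duration_seconds),
        "AssumedRole": role_arn,
    }


def credentials_valid(creds, at=None):
    """Temporary credentials are rejected once their Expiration has passed."""
    return (at or datetime.now(timezone.utc)) < creds["Expiration"]


def demo():
    now = datetime.now(timezone.utc)
    creds = assume_role(ALICE_ARN, ALICE_POLICY, now=now)
    return {"valid_now": credentials_valid(creds, now),
            "valid_after_2h": credentials_valid(creds, now + timedelta(hours=2))}


if __name__ == "__main__":
    print(demo())
    print("Bob can assume WriteAccess:", can_assume(BOB_ARN, BOB_POLICY))
```

Removing either statement (Alice's sts:AssumeRole permission in Dev, or her entry in the Prod trust policy) is enough to stop the flow, which is why the role-owning account keeps control even though the caller lives elsewhere. The expiration check is the other defensive property worth remembering: credentials obtained this way are useless after their lifetime, unlike long-term access keys.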

Amazon EKS provisions and scales the Kubernetes control plane, including the API servers
and backend persistence layer, across multiple AWS availability zones for high availability
and fault tolerance. Amazon EKS automatically detects and replaces unhealthy control plane
nodes and provides patching for the control plane. Amazon EKS is integrated with many
AWS services to provide scalability and security for your applications. These services include
Elastic Load Balancing for load distribution, IAM for authentication, Amazon VPC for
isolation, and AWS CloudTrail for logging.

Amazon SNS is a fully managed pub/sub messaging service. With Amazon SNS, you can
use topics to simultaneously distribute messages to multiple subscribing endpoints such as
Amazon SQS queues, AWS Lambda functions, HTTP endpoints, email addresses, and
mobile devices (SMS, Push).

Amazon SQS is a message queue service used by distributed applications to exchange
messages through a polling model. It can be used to decouple sending and receiving
components without requiring each component to be concurrently available.

A fanout scenario occurs when a message published to an SNS topic is replicated and pushed
to multiple endpoints, such as Amazon SQS queues, HTTP(S) endpoints, and Lambda
functions. This allows for parallel asynchronous processing.
For example, you can develop an application that publishes a message to an SNS topic
whenever an order is placed for a product. Then, two or more SQS queues that are subscribed
to the SNS topic receive identical notifications for the new order. An Amazon Elastic
Compute Cloud (Amazon EC2) server instance attached to one of the SQS queues can handle
the processing or fulfillment of the order. And you can attach another Amazon EC2 server
instance to a data warehouse for analysis of all orders received.

By default, an Amazon SNS topic subscriber receives every message published to the topic.
You can use Amazon SNS message filtering to assign a filter policy to the topic subscription,
and the subscriber will only receive a message that they are interested in. Using Amazon SNS
and Amazon SQS together, messages can be delivered to applications that require immediate
notification of an event. This method is known as fanout to Amazon SQS queues.
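The fanout and filter-policy behaviour described above is easy to model end to end. The following is an added example, not from the original notes: an in-memory topic with four subscribed queues, two receiving everything and two with subscription filter policies (a numeric bound on an order amount and a prefix match on a region), fed by constructed order messages. It models a subset of SNS attribute-based filter policies (exact values, prefix, anything-but, numeric ranges) over plain attribute values; real SNS attributes carry a DataType alongside the value, and the queue names, attribute names and orders are assumptions for the example.

```python
class Queue:
    """Stand-in for an SQS queue subscribed to the topic."""
    def __init__(self, name):
        self.name = name
        self.messages = []


class Topic:
    """Stand-in for an SNS topic: every publish is replicated to each
    subscription whose filter policy matches the message attributes."""
    def __init__(self, name):
        self.name = name
        self.subscriptions = []

    def subscribe(self, queue, filter_policy=None):
        self.subscriptions.append((queue, filter_policy or {}))

    def publish(self, message, attributes=None):
        attributes = attributes or {}
        delivered_to = []
        for queue, policy in self.subscriptions:
            if matches_filter_policy(policy, attributes):
                queue.messages.append({"Message": message,
                                       "MessageAttributes": dict(attributes)})
                delivered_to.append(queue.name)
        return delivered_to


_NUMERIC_OPS = {">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
                "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
                "=": lambda a, b: a == b}


def _satisfies(constraint, value):
    """One constraint from a filter policy value list against one attribute value."""
    if isinstance(constraint, dict):
        if "prefix" in constraint:
            return isinstance(value, str) and value.startswith(constraint["prefix"])
        if "anything-but" in constraint:
            return value not in constraint["anything-but"]
        if "numeric" in constraint:
            if isinstance(value, bool) or not isinstance(value, (int, float)):
                return False
            spec = constraint["numeric"]          # e.g. [">=", 500] or [">", 0, "<=", 150]
            return all(_NUMERIC_OPS[spec[i]](value, spec[i + 1])
                       for i in range(0, len(spec), 2))
        return False
    return value == constraint


def matches_filter_policy(policy, attributes):
    """Every attribute named in the policy must be present on the message and
    satisfy at least one of its listed constraints; an empty policy matches all."""
    for key, constraints in policy.items():
        if key not in attributes:
            return False
        if not any(_satisfies(c, attributes[key]) for c in constraints):
            return False
    return True


def run_fanout():
    """Publish constructed orders through the fanout and report deliveries."""
    orders = Topic("orders")
    fulfillment, analytics = Queue("fulfillment"), Queue("analytics")
    high_value, eu_tax = Queue("high-value-review"), Queue("eu-tax")
    orders.subscribe(fulfillment)                       # every order
    orders.subscribe(analytics)                         # every order
    orders.subscribe(high_value, {"amount": [{"numeric": [">=", 500]}]})
    orders.subscribe(eu_tax, {"region": [{"prefix": "eu-"}]})

    sample_orders = [                                   # constructed
        ("order-1001", {"amount": 42, "region": "us-east-1"}),
        ("order-1002", {"amount": 1250, "region": "eu-west-1"}),
        ("order-1003", {"amount": 600, "region": "ap-south-1"}),
    ]
    deliveries = {msg: orders.publish(msg, attrs) for msg, attrs in sample_orders}
    counts = {q.name: len(q.messages) for q in (fulfillment, analytics, high_value, eu_tax)}
    return deliveries, counts


if __name__ == "__main__":
    deliveries, counts = run_fanout()
    for msg, queues in deliveries.items():
        print(msg, "->", ", ".join(queues))
    print(counts)
```

The filtering happens at the subscription, so the publisher never needs to know which consumers exist; adding the eu-tax queue later changes nothing upstream. A missing attribute fails the match rather than passing it, which is the safe default when a filter is meant to gate a sensitive consumer.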

Amazon API Gateway is a fully managed service that makes it easy for developers to create,
publish, maintain, monitor, and secure APIs at any scale. With a few clicks in the AWS
Management Console, you can create an API that acts as a “front door” for applications to
access data, business logic, or functionality from your back-end services, such as workloads
running on Amazon Elastic Compute Cloud (Amazon EC2), code running on AWS Lambda,
or any web application. Since it can use AWS Lambda, you can run your APIs without
servers.

Amazon API Gateway handles all the tasks involved in accepting and processing up to
hundreds of thousands of concurrent API calls, including traffic management, authorization
and access control, monitoring, and API version management. Amazon API Gateway has no
minimum fees or startup costs. You pay only for the API calls you receive and the amount of
data transferred out.

Amazon Kinesis Video Streams makes it easy to securely stream video from connected
devices to AWS for analytics, machine learning (ML), playback, and other processing.
Kinesis Video Streams automatically provisions and elastically scales all the infrastructure
needed to ingest streaming video data from millions of devices.

Amazon Rekognition Video can detect objects, scenes, faces, celebrities, text, and
inappropriate content in videos. You can also search for faces appearing in a video using your
own repository or collection of face images.

In Auto Scaling, the following statements are correct regarding the cooldown period:

- It ensures that the Auto Scaling group does not launch or terminate additional EC2 instances
before the previous scaling activity takes effect.
- Its default value is 300 seconds.
- It is a configurable setting for your Auto Scaling group.

The following options are incorrect:

- It ensures that before the Auto Scaling group scales out, the EC2 instances have ample
time to cooldown.
- It ensures that the Auto Scaling group launches or terminates additional EC2
instances without any downtime.
- Its default value is 600 seconds.

These statements are inaccurate and don't depict what the word "cooldown" actually means
for Auto Scaling. The cooldown period is a configurable setting for your Auto Scaling group
that helps to ensure that it doesn't launch or terminate additional instances before the previous
scaling activity takes effect. After the Auto Scaling group dynamically scales using a simple
scaling policy, it waits for the cooldown period to complete before resuming scaling
activities.
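A short simulation makes the cooldown behaviour concrete. The following is an added example, not from the original notes: a toy Auto Scaling group driven by a simple scaling policy that adds one instance per alarm, with alarms arriving at constructed times around the 300-second default cooldown. Alarms that fire while a previous scaling activity is still inside the cooldown are ignored rather than queued; the group size, limits and alarm times are assumptions for the example.

```python
class AutoScalingGroup:
    """Tiny model of an Auto Scaling group under a simple scaling policy with a
    cooldown period (seconds). Times are plain integers for easy simulation."""

    def __init__(self, desired, min_size, max_size, cooldown=300):
        self.desired = desired
        self.min_size = min_size
        self.max_size = max_size
        self.cooldown = cooldown
        self.last_scaling_time = None
        self.log = []                       # (time, outcome, desired capacity)

    def in_cooldown(self, now):
        """True while the previous scaling activity has not yet had its cooldown."""
        return (self.last_scaling_time is not None
                and now - self.last_scaling_time < self.cooldown)

    def on_alarm(self, now, adjustment):
        """Simple scaling policy: change desired capacity by `adjustment`
        unless the group is still cooling down from the last activity."""
        if self.in_cooldown(now):
            self.log.append((now, "suppressed", self.desired))
            return False
        target = max(self.min_size, min(self.max_size, self.desired + adjustment))
        if target == self.desired:          # already at a limit
            self.log.append((now, "no-op", self.desired))
            return False
        self.desired = target
        self.last_scaling_time = now
        self.log.append((now, "scaled", self.desired))
        return True


def simulate(alarm_times=(0, 120, 299, 300, 400, 650), adjustment=1, cooldown=300):
    """Feed constructed alarm times to a group starting at 2 instances and
    return (per-alarm scaled?, final desired capacity, activity log)."""
    asg = AutoScalingGroup(desired=2, min_size=1, max_size=6, cooldown=cooldown)
    results = [asg.on_alarm(t, adjustment) for t in alarm_times]
    return results, asg.desired, asg.log


if __name__ == "__main__":
    results, desired, log = simulate()
    for t, outcome, cap in log:
        print(f"t={t:4}s {outcome:10} desired={cap}")
    print("final desired capacity:", desired)
```

With the 300-second default, the alarms at 120 s and 299 s are suppressed and the one at exactly 300 s is honoured; running simulate(cooldown=600) shows why the "600 seconds" option is wrong, since that setting would also suppress the 300 s and 400 s alarms and the group would end one instance smaller.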
