AWS Certified Solution Architect – Associate Exam Learning Path



The AWS Solution Architect – Associate exam validates the following two abilities:

  • Identify and gather requirements in order to define a solution to be built using architecture best practices.
  • Provide guidance on architectural best practices to developers and system administrators throughout the lifecycle of the project.

Refer to the AWS Solution Architect – Associate Exam Blue Print

AWS Solution Architect - Associate Exam Break up

AWS Cloud Computing Whitepapers

AWS Solution Architect – Associate Exam Contents

NOTE: Based on recent feedback from users, the AWS SA-A exam includes questions on the newer services: Lambda, ALB, ALB vs Classic Load Balancer, ECS and API Gateway.

Domain 1.0: Designing highly available, cost-efficient, fault-tolerant, scalable systems

  1. Identify and recognize cloud architecture considerations, such as fundamental components and effective designs. Content may include the following:

Domain 2.0: Implementation/Deployment

  1. Identify the appropriate techniques and methods using Amazon EC2, Amazon S3, AWS Elastic Beanstalk, AWS CloudFormation, AWS OpsWorks, Amazon Virtual Private Cloud (VPC), and AWS Identity and Access Management (IAM) to code and implement a cloud solution.
    Content may include the following:

    1. Configure an Amazon Machine Image (AMI)
    2. Operate and extend service management in a hybrid IT architecture
    3. Configure services to support compliance requirements in the cloud
    4. Launch instances across the AWS global infrastructure
    5. Configure IAM policies and best practices

Domain 3.0: Data Security

  1. Recognize and implement secure practices for optimum cloud deployment and maintenance. Content may include the following:
  2. Recognize critical disaster recovery techniques and their implementation.
    Content may include the following:

Domain 4.0: Troubleshooting

  1. Content may include the following:

NOTE: I have marked the topics in line with the AWS Exam Blueprint. Be sure to check it, as it is updated regularly, and go through the whitepapers, FAQs and re:Invent videos.

AWS Solution Architect – Associate Exam Resources

Braincert-AWS-Certified-SA-Associate-Practice-Exam

Udemy AWS Certified Solution Architect - Associate Practice Tests

  • Purchased the acloud guru AWS Certified Solutions Architect – Associate course from Udemy (you should get it for $10-$15 on discount); it helps to get a clear picture of the format, topics and relevant sections
  • Opinion: the acloud guru course is good by itself but is not sufficient to pass the exam; it might help to cover about 50-60% of exam questions
  • Check out the New course on Udemy AWS Certified Solutions Architect Associate Exam Mastery 2018
    • Covers the exam topics in detail, scenario based practice questions and visual aids.
    • Very good rating and user feedback (~ 4.7)
  • Signed up for the AWS Free Tier account, which provides a lot of the services to be tried for free within certain limits that are more than enough to get things going. Be sure to decommission anything you use beyond the free limits, to prevent any surprises 🙂
  • Also used QwikLabs for all the introductory courses, which are free and allow you to try out the services multiple times (I think the max is 5, as I got warnings a couple of times)
  • Update: Qwiklabs seems to have reduced the free courses quite a lot and now provides targeted labs for AWS certification exams, which are charged
  • Read the FAQs at least for the important topics, as they cover important points and are good for quick review
  • Did not purchase the AWS practice exams, as the questions are available all around. But if you want to check the format, they might be useful.
  • You can also check practice tests

86 thoughts on “AWS Certified Solution Architect – Associate Exam Learning Path”

  1. Associate architect is relatively simple. Read and understand all the IAM, VPC, EC2, S3 documentation, read the FAQs for the next most popular other services, read the recommended white papers, do some sample exams on Cloud Guru / Linux Academy, play with EC2/VPC a bit, you’ll likely pass. Doing a Cloud Guru or Linux Academy course will make it easier but doesn’t replace the reading.

    1. Thanks Tim, agreed, A Cloud Guru and Linux Academy help you to get started but don't clear the exams for sure. Also CSAA is relatively simple once you clear it 😉

  2. Hi Jayendra,

    I appeared for architect associate and scored 90%. Lots of websites offer sample questions but they are misleading. Other than your blog and whitepapers, I didn't refer to additional resources. Thanks a lot!!

    1. That's awesome Bhuvana.. congrats and thanks.. Happy to help 🙂
      Let me know if you have any feedback to improve..

      1. 🙂 It would be great if you can provide guidance for Specialty exams as well.

        Thanks in advance!

  3. Where can I find the sample questions and whitepapers on your website for the AWS Certified Solutions Architect – Associate exam?

  4. Hi Jayendra
    I found your blog while I was googling for practice questions for the CSA exam. Your blog is very informative & it clarified a few of my open questions.

    I am preparing for the AWS-CSA (Certified Solution Architect – Associate) certification and I have gone through all the material & videos of Linux Academy. I have got a good understanding of the concepts but I want to test myself by taking some quizzes. I am currently looking for practice questions & answers for my preparation. Can you please share them with me, if you have any?

    Thanks in advance.

    Thanks,
    Ravi

  5. Hi Jayendra. I work in Amazon and I really love this blog. I am going to appear for all 3 associate exams shortly and going through your blog has given me the confidence of passing. Acloud.guru was the only other source which I found as good as your blog. Keep it up for the good writing and sharing!!

  6. Jayendra, thanks again for these helpful resources.

    I studied for the SysOps Associate exam first and passed. I am now moving on to Solution Architect Associate. I'm comfortable / familiar with the SysOps topics. Which topics are specific to Solution Architect that are not on SysOps that I should focus my time on to pass Solution Architect, given that I have the SysOps knowledge already?

    Thanks

    1. You can refer to the SA – Associate Blog Post.
      Topics like VPC, IAM, S3, EC2, EBS are mainly common.
      However, there are a lot of other topics that you need to cover like Auto Scaling, ELB, Storage Gateway, Route 53, RDS Multi-AZ & Read Replicas, CloudFront, the Storage Options whitepaper etc.

    1. Thanks Ankit, STS is something already covered. Have got feedback for Lambda, API Gateway, DynamoDB and ELB vs ALB as well.

  7. My experience with the AWS CSA Associate exam –
    A couple of lines on my background before I start.
    I have 20 years' experience in software engineering. I am mostly hands on but on occasion I was into leadership.
    All my experience is on the Microsoft stack.
    I wanted to do my certification in AWS because I wanted to get my feet wet with a non-MS ecosystem.

    I have gone through the A Cloud Guru course
    I have done all practice exams on BrainCert
    I have done all practice exams on Whizlabs
    I have done all questions on Cloud Academy.
    I have read sections on Jayendrapatil.com and practiced questions on his blog.
    (Reading jayendrapatil.com is a must. It is probably beyond associate level. But if you read and try those questions, you cannot go wrong. THIS GUY IS A ROCK STAR FOR AWS CERTIFICATION !!! )
    I have heard 20-30 hours of re:Invent videos
    I have watched videos on SSL/TLS

    Since I have no hands-on experience on AWS, I used more resources than usual.
    I took the exam and passed with 85%.
    Here are my thoughts. Obviously they don't reflect anyone else's viewpoint but mine.
    Hope you find them useful.

    A Cloud Guru can ease you into the exam preparation and helps you to scope the breadth and depth of content.
    It is a nice and friendly place to start. But it is not sufficient to pass.
    I got some areas which are not covered in A Cloud Guru: Lambdas, CloudFront path patterns, Direct Connect and VPN fault tolerance etc.
    Also the Cloud Guru content does not put you in that (tricky and twisty) exam groove.
    The most relevant questions are on BrainCert.com. Some of the questions from braincert.com you can see on jayendrapatil.com.
    Whizlabs questions are easy and not really up to the exam standard but still decent content if you want to cover more surface area.
    I am not too impressed with the Cloud Academy questions and their relevance to the exam.
    Like someone mentioned, Cloud Academy is picking up some unexplored corners from AWS documentation, rather than creating a scenario which forces you to analyze (or eliminate options).

    Now coming to the actual questions. Most questions have 2 bad answers, one correct and one that looks correct.
    When you have to pick more than one option, you get 1 or 2 immediately; the second or third one requires some analysis/elimination.
    Here are the areas I can point you to based on my experience:
    API Gateway features, Lambda basics, EFS basics, setting up ECS tasks with IAM permissions, CloudFront path patterns, EC2 instances showing up in an ECS cluster, Direct Connect / VPN fault tolerance (read Direct Connect on jayendrapatil.com),
    Kinesis Streams vs Firehose, DynamoDB vs ElastiCache, which services provide encryption at rest, which services can trigger Lambdas, EBS replication across regions, CloudFront origins, why and when to use DynamoDB,
    reserved instance features, graceful shutdown of application and spot instances, what STS provides, SQS and priority, auto scaling termination policy, auto scaling cooldown timers, SNS supported endpoints.

    Overall it was not a very straightforward exam to just walk in and pass/ace. I took the full 1 hr 20 mins and reviewed quickly once before hitting submit.

    Your experience may vary!! Good luck

  8. Jayendra, dude, I can't thank you enough for all this effort that you have put in to set up these blogs. I have cleared my Solution Architect exam and I am so thankful to you. Most of the questions on the exam were from the questions that you have listed below in the various topics. You have also covered all the critical topics and concepts so well.

    You are doing a great service here my friend

    THANKS AGAIN, GOD BLESS YOU

  9. I took my AWS Solutions Architect Associate Exam today, sadly I failed. Most of the questions are API Gateway, Lambda, ECS, VPC Cross Account, Security, IAM. Hope to pass next time. 🙁

    1. You can surely clear it next time. I have added the topics to the blog as I got feedback from multiple users about these new topics.

  10. Dear Jayendra,

    It is wonderful reading your blog and also the interaction from other aspirants and exam takers. I have been trying to take up the exam for the last 2 years but have been unable to do so because of time constraints. I have now dedicated my time to pass both the associate as well as the pro exam. Any help from you in the form of study notes, sample exam questions etc. which would help me to cross the first hurdle of the associate exam would be highly appreciated.

    Could you please send me the same to my mail prash.rao@outlook.com.

    Many thanks for your blog. Really helpful.

    Prashanth

  11. I am very happy to write this: I took the SAA exam yesterday, 7th Sept 2017, and passed with 81% 🙂

    First of all let me say thanks to Jayendra for such excellent, detailed blogs, which helped me a lot to clear my concepts and gave me the confidence to go for this exam.

    How I prepared for this:

    Jayendra's blog will lay the foundation for this exam.
    The Cloud Guru course with hands-on will help you to understand those concepts at a high level.

    Jayendra's question sets are more than enough to prepare for this exam. I solved the Whizlabs tests to get a feel for the exam pattern and format.

    Topics in my exam:

    1. Couple of questions on Lambda (which services invoke Lambda, how to improve performance of a function)

    2. API Gateway: advantages of API Gateway.

    3. Application Load Balancer: dynamic port and path-based hosting. No questions on Classic Load Balancer

    4. Cross account access: how to allow permission for the dev user in production. (by creating a cross-account role in the production account)

    5. OpsWorks – definition of OpsWorks

    6. Definition of Beanstalk

    7. SQS – decoupling

    8. Cloudwatch – restarting the hung instance by scanning logs

    9. Spot instance – pricing

    10. Shared responsibility of AWS

    11. Kinesis stream VS Kinesis fire hose: User want to access stream and process streams. I selected Kinesis stream.

    12. CloudFront: origin servers can be either S3 or ELB. There were different choices for RDS, DynamoDB etc.

    13. DynamoDB: two questions: web session storing (one question was pretty clear and had only DynamoDB as an option along with other RDS; the second question was checking on storing sessions in a tabular structure, having the options of ElastiCache and DynamoDB. I selected DynamoDB. Not sure though).

    14. S3: Access . bucket Policy

    15. No questions on Direct connect,

    16. EBS: how to create encrypted EBS volume from unencrypted volume.

    17. Route 53: Select correct options for alias record. 1. Zone apex record 2. Can map against DNS entry 3. Can’t set TTL

    18. There was a question on sharing the data for an application to all users on a file system. The system should scale or shrink as per the data size. Options were S3, EFS, EBS. I selected EFS.

    19. Few questions on VPC. Server A can ping Server B but Server B can't ping Server A. Outbound traffic is not allowed on both instances; what changes should the user make to get this done?

    20. VPC flow logs for tracing logs in VPC

    21. IAM roles are global: you can use the same role created for another EC2 instance in a different region

    22. auto scaling: termination policy

    23. STS: 2 questions on temp access (web federation)

    24. No questions ECS

    25. VPC Peering

    26. AWS Import/Export use case.

    It was a very easy exam if you read all Jayendra's blogs and get your hands dirty with VPC, EBS, EC2, S3, ELB, Auto Scaling.

    I finished the exam in 1 hour and reviewed it for next 20 mins.

    Best luck!!

    1. Do any of these questions sound familiar to you!! I bet they do……lol. Also, AWS is changing their test within 3 months from now to a BETA version. So take this old test ASAP. Best of luck and thank you “Jayendrapatil”.. keep up the good work.

      SQS – Poll based decouple the components of application
      SNS – PUSH based notifications – Send messages (Email or Text messages)
      Elastic Transcoder – Convert media files from their original source format into different formats that will play on smartphones, tablets, PCs etc…

      Inbound Traffic – Is traffic that is coming into a router interface from outside.
      Outbound Traffic – Is traffic inside the router that leaves through an interface.

      Security groups
      1. Act as a firewall for associated Amazon instances, controlling both inbound and outbound traffic at the instance level.
      2. Are stateful, when you add inbound rule it automatically adds Outbound rule.

      Alias Records are used to map resource record sets in your hosted zone to Amazon Elastic Load Balancing load balancers, Amazon CloudFront distributions, AWS Elastic Beanstalk environments, or Amazon S3 buckets that are configured as websites. Alias records work like a CNAME record in that you can map one DNS name (example.com) to another ‘target’ DNS name (elb1234.elb.amazonaws.com).

      Business Intelligence – Think of Redshift
      Big Data consuming and bringing into the cloud – Think Kinesis
      Big Data Processing – Think Elastic Map Reduce (EMR)

      EC2 – EBS Backed
      1. Are persistent & can be detached and reattached to other EC2 instances
      2. EBS volumes can be stopped; data will persist
      3. Store Data long term

      Instance Store
      1. Are not persistent (Ephemeral) & cannot be detached and reattached to other instances.
      2. They exist only for the life of that instance.
      3. Shouldn’t be used for long-term data storage

      OpsWorks
      1. Orchestration Service that Uses Chef
      2. Chef consists of recipes to maintain a consistent state
      3. Look for the term “chef” or “recipes” or “cook books” and think of OpsWorks
      4. AWS OpsWorks provides a simple and flexible way to create and manage stacks and applications.
      5. With AWS OpsWorks, you can provision AWS resources, manage their configuration, deploy applications to those resources, and monitor their health.

      Elastic Transcoder
      1. Media Transcoder in the cloud
      2. Convert media files from their original source format into different formats that play on smartphones, tablets, PCs

      VPC Peering
      1. The connection between two VPCs that enables you to route traffic between them using private IP addresses.
      2. Instances within the same network can communicate with each other
      3. You can create a VPC peering connection between your own VPCs, and another AWS account within a single region.
      4. Does not rely on a separate piece of physical hardware
      5. No single point of failure for communication or a bandwidth bottleneck.

      Cross-Account Access
      1. Customers use separate AWS accounts for their development and production resources.
      2. Easier to work productively within a multi-account (or multi-role) AWS environment by making it easy for you to switch roles within the AWS Management Console.

      Cross account access: how to allow permission for the dev user in production. (by creating a cross-account role in the production account)

      API Gateway
      1. Fully Managed

      What are the benefits of API gateway?

      Low cost and efficient
      Scales effortlessly
      You can throttle requests to prevent attacks
      Can connect with cloud-watch to log all requests

      What does this error mean: “Origin Policy cannot be read at the remote resource”?

      Enable CORS on API Gateway

      You are developing a highly available web application using stateless web servers. Which services are suitable for storing session state data? Choose 3 answers.

      A. Elastic Load Balancing (ELB)
      B. Relational Database Service (RDS)
      C. CloudWatch
      D. ElastiCache
      E. DynamoDB
      F. AWS Storage Gateway

      What services should store session data? Two are correct

      A: DynamoDB
      B: RDS
      C: S3
      D: Elastic Cache

      Storing session in tabular structure?

      A: Elastic Cache
      D: DynamoDB

      Which services invoke lambda function to improve performance?

      A: Dynamo DB
      B: Elastic Cache

      User want to access stream and process streams.

      Kinesis stream

      Which service allows you to process nearly limitless streams of data in flight?

      A. Kinesis Firehose
      B. Elastic MapReduce (Amazon EMR)
      C. Redshift
      D. Kinesis Streams

      Your entire AWS infrastructure lives inside of one Amazon VPC. You have an infrastructure monitoring application running on an Amazon instance in Availability Zone (AZ) A of the region, and another application instance running in AZ B. The monitoring application needs to make use of ICMP ping to confirm network reachability of the instance hosting the application.

      Can you configure the security groups for these instances to only allow the ICMP ping to pass from the monitoring instance to the application instance and nothing else? If so, how?

      A. No. Two instances in two different AZs can't talk directly to each other via ICMP ping as that protocol is not allowed across subnet (i.e. broadcast) boundaries
      B. Yes Both the monitoring instance and the application instance have to be a part of the same security group, and that security group needs to allow inbound ICMP
      C. Yes, the security group for the monitoring instance needs to allow outbound ICMP and the application instance’s security group needs to allow Inbound ICMP
      D. Yes, Both the monitoring instance’s security group and the application instance’s security group need to allow both inbound and outbound ICMP ping packets since ICMP is not a connection-oriented protocol

      Choose the correct AWS database service for the following requirements:

      > Large volumes of structured data to persist and query using standard SQL and existing business intelligence tools
      > High performance at scale as data and query complexity grows

      A. Amazon DynamoDB
      B. Amazon RDS
      C. Amazon ElastiCache
      D. Amazon Redshift

      Comments:
      Amazon Redshift is a fast-managed petabyte-scale data warehouse service that makes it simple and cost-effective to efficiently analyze all your data using your existing business intelligence tools.

      You have an existing website called example.com that points to a specific IP address. You now want to create three subdomains that point to the same IP address. To reduce maintenance which domain record type should you choose?

      A. CNAME
      B. A
      C. MX
      D. TXT

      Amazon Elastic Block Store (Amazon EBS) volumes provide durable block-level storage for use with Amazon EC2 instances (virtual machines). Amazon EBS volumes are off-instance storage that persists independently from the running life of a single Amazon EC2 instance.

      Which type would you choose for I/O-intensive workloads, relational databases, and NoSQL databases?

      A. Amazon EBS Magnetic
      B. Amazon EBS Provisioned IOPS
      C. Amazon EBS ZX1
      D. Amazon EBS General Purpose

      Which of the following is NOT part of a security group?

      A. List of usernames
      B. List of protocols
      C. IP address ranges
      D. Ports

      Which of the following is the correct statement regarding Availability Zones?

      A. A collection of regions that together make up an Availability Zone.
      B. A distinct location within a region that is insulated from failures in other Availability Zones
      C. Another name for an entire region which contains AWS instances.
      D. The timeframe a particular service is available for use by authorized users

      Which Amazon service would you use for content delivery?

      A. CloudFront
      B. ELB
      C. SES
      D. SQS

      Which service provides an automated security assessment that helps improve the security and compliance of applications deployed on AWS. The service automatically assesses applications for vulnerabilities or deviations from best practices.

      A. Amazon Redshift
      B. EC2
      C. Elastic Beanstalk
      D. Amazon Inspector

      Which product is ideal for transferring anywhere from terabytes to many petabytes of data in and out of the AWS cloud securely, especially in cases where you don’t want to make expensive upgrades to your network infrastructure, frequently experience large backlogs of data, are in a physically isolated environment, or are in an area where high-speed Internet connections are not available or cost-prohibitive. In general, if loading your data over the Internet would take a week or more, you should consider what?

      A. Amazon S3
      B. AWS Snowball
      C. Amazon EBS Magnetic
      D. Amazon CloudFront

      You have developed a new web application that offers users the chance to buy music at a discounted rate through partnerships with local recording companies. You want to host this app in AWS but you don’t want the overhead of managing the infrastructure. Which option should you choose?

      A. EC2
      B. CloudFront
      C. Amazon Redshift
      D. AWS Elastic Beanstalk

      Amazon Glacier is an extremely low-cost storage service that provides highly secure, durable, and flexible storage for data archiving and online backup.

      Which of the following will you NOT be charged for when using Glacier?

      A. Storage (per GB per month)
      B. Data transfer in (per GB per month)
      C. Requests (per thousand UPLOAD and RETRIEVAL requests per month)
      D. Data transfer out (per GB per month)

      Which service would you use to control access to content by allowing or blocking web requests based on criteria that you specify, such as header values or the IP addresses that the requests originate from. This service helps to protect against common web exploits that could affect application availability, compromise security, or consume excessive resources.

      A. EC2
      B. S3
      C. CloudFront
      D. AWS WAF (Web Application Firewall)

      Which of the below instances is used normally for massive parallel computations?

      A. Spot Instances
      B. On-Demand Instances
      C. Dedicated Instances
      D. This is not possible in AWS

      DDoS attacks at their core create an availability problem, as the goal of attackers is to render resources unusable for legitimate end users. Consequently, you can leverage failover capabilities within AWS to reduce your vulnerability to availability problems caused by DDoS attacks.

      Which of the following is a protocol exhausting attack?

      A. HTTP GET/POST flood
      B. SYN flood
      C. None of these
      D. UDP flood

      You are working with a customer who has 10 TB of archival data that they want to migrate to Amazon Glacier. The customer has a 1-Mbps connection to the Internet. Which service or feature provides the fastest method of getting the data into Amazon Glacier?

      A. Amazon Glacier multipart upload
      B. AWS Storage Gateway
      C. VM Import/Export
      D. AWS Import/Export

      An Auto-Scaling group spans 3 AZs and currently has 4 running EC2 instances. When Auto Scaling needs to terminate an EC2 instance by default, Auto Scaling will:

      Choose 2 answers

      A. Allow at least five minutes for Windows/Linux shutdown scripts to complete, before terminating the instance.
      B. Terminate the instance with the least active network connections. If multiple instances meet this criterion, one will be randomly selected.
      C. Send an SNS notification, if configured to do so.
      D. Terminate an instance in the AZ which currently has 2 running EC2 instances.
      E. Randomly select one of the 3 AZs, and then terminate an instance in that AZ.

      An instance is launched into a VPC subnet with the network ACL configured to allow all inbound traffic and deny all outbound traffic. The instance’s security group is configured to allow SSH from any IP address and deny all outbound traffic. What changes need to be made to allow SSH access to the instance?

      A. The outbound security group needs to be modified to allow outbound traffic.
      B. The outbound network ACL needs to be modified to allow outbound traffic.
      C. Nothing, it can be accessed from any IP address using SSH.
      D. Both the outbound security group and outbound network ACL need to be modified to allow outbound traffic

      A customer is leveraging Amazon Simple Storage Service in eu-west-1 to store static content for a web-based property. The customer is storing objects using the Standard Storage class. Where are the customer's objects replicated?

      A. A single facility in eu-west-1 and a single facility in eu-central-1
      B. A single facility in eu-west-1 and a single facility in us-east-1
      C. Multiple facilities in eu-west-1
      D. A single facility in eu-west-1

      A company is building a two-tier web application to serve dynamic transaction-based content. The data tier is leveraging an Online Transactional Processing (OLTP) database. What services should you leverage to enable an elastic and scalable web tier?

      A. Elastic Load Balancing, Amazon EC2, and Auto Scaling
      B. Elastic Load Balancing, Amazon RDS with Multi-AZ, and Amazon S3
      C. Amazon RDS with Multi-AZ and Auto Scaling
      D. Amazon EC2, Amazon DynamoDB, and Amazon S3

      Which services allow the customer to retain full administrative privileges of the underlying EC2 instances? Choose 2 answers

      A. Amazon Relational Database Service
      B. Amazon Elastic Map Reduce
      C. Amazon ElastiCache
      D. Amazon DynamoDB
      E. AWS Elastic Beanstalk

      You are working with a customer who is using Chef Configuration management in their data center. Which service is designed to let the customer leverage existing Chef recipes in AWS?

      A. Amazon Simple Workflow Service
      B. AWS Elastic Beanstalk
      C. AWS CloudFormation
      D. AWS OpsWorks

      How can an EBS volume that is currently attached to an EC2 instance be migrated from one Availability Zone to another?

      A. Detach the volume and attach it to another EC2 instance in the other AZ.
      B. Simply create a new volume in the other AZ and specify the original volume as the source.
      C. Create a snapshot of the volume, and create a new volume from the snapshot in the other AZ.
      D. Detach the volume, then use the ec2-migrate-volume command to move it to another AZ.

      A client application requires operating system privileges on a relational database server. What is an appropriate configuration for a highly available database architecture?

      A. A standalone Amazon EC2 instance
      B. Amazon RDS in a Multi-AZ configuration
      C. Amazon EC2 instances in a replication configuration utilizing a single Availability Zone
      D. Amazon EC2 instances in a replication configuration utilizing two different Availability Zones

      Which of the following are characteristics of Amazon VPC subnets?

      Choose 2

      A. Each subnet spans at least 2 Availability Zones to provide a high-availability environment.
      B. Each subnet maps to a single Availability Zone.
      C. CIDR block mask of /25 is the smallest range supported.
      D. By default, all subnets can route between each other, whether they are private or public.
      E. Instances in a private subnet can communicate with the Internet only if they have an Elastic IP

      You have a web application running on six Amazon EC2 instances, consuming about 45% of resources on each instance. You are using auto-scaling to make sure that six instances are running at all times. The number of requests this application processes is consistent and does not experience spikes. The application is critical to your business and you want high availability at all times. You want the load to be distributed evenly between all instances. You also want to use the same Amazon Machine Image (AMI) for all instances. Which of the following architectural choices should you make?

      A. Deploy 6 EC2 instances in one availability zone and use Amazon Elastic Load Balancer.
      B. Deploy 3 EC2 instances in one region and 3 in another region and use Amazon Elastic Load Balancer.
      C. Deploy 3 EC2 instances in one availability zone and 3 in another availability zone and use Amazon Elastic Load Balancer.
      D. Deploy 2 EC2 instances in three regions and use Amazon Elastic Load Balancer.

      You run an ad-supported photo sharing website using S3 to serve photos to visitors of your site. At some point you find out that other sites have been linking to the photos on your site, causing loss to your business. What is an effective method to mitigate this?

      A. Remove public read access and use signed URLs with expiry dates.
      B. Use CloudFront distributions for static content.
      C. Block the IPs of the offending websites in Security Groups.
      D. Store photos on an EBS volume of the web server.

      You are tasked with setting up a Linux bastion host for access to Amazon EC2 instances running in your VPC. Only clients connecting from the corporate external public IP address 72.34.51.100 should have SSH access to the host. Which option will meet the customer requirement?

      A. Security Group Inbound Rule: Protocol – TCP. Port Range – 22, Source 72.34.51.100/32
      B. Security Group Inbound Rule: Protocol – UDP, Port Range – 22, Source 72.34.51.100/32
      C. Network ACL Inbound Rule: Protocol – UDP, Port Range – 22, Source 72.34.51.100/32
      D. Network ACL Inbound Rule: Protocol – TCP, Port Range – 22, Source 72.34.51.100/0

      You have decided to change the instance type for instances running in your application tier that is using Auto Scaling. In which area below would you change the instance type definition?

      A. Auto Scaling policy
      B. Auto Scaling group
      C. Auto Scaling tags
      D. Auto Scaling launch configuration

      Which technique can be used to integrate AWS IAM (Identity and Access Management) with an on-premise LDAP (Lightweight Directory Access Protocol) directory service?

      A. Use an IAM policy that references the LDAP account identifiers and the AWS credentials.
      B. Use SAML (Security Assertion Markup Language) to enable single sign-on between AWS and LDAP.
      C. Use AWS Security Token Service from an identity broker to issue short-lived AWS credentials.
      D. Use IAM roles to automatically rotate the IAM credentials when LDAP credentials are updated.
      E. Use the LDAP credentials to restrict a group of users from launching specific EC2 instance types.

      When using the following AWS services, which should be implemented in multiple Availability Zones for high availability solutions?

      Choose 2 answers

      A. Amazon DynamoDB
      B. Amazon Elastic Compute Cloud (EC2)
      C. Amazon Elastic Load Balancing (ELB)
      D. Amazon Simple Notification Service (SNS)
      E. Amazon Simple Storage Service (S3)

      You launch an Amazon EC2 instance without an assigned AWS Identity and Access Management (IAM) role. Later, you decide that the instance should be running with an IAM role. Which action must you take in order to have a running Amazon EC2 instance with an IAM role assigned to it?

      A. Create an image of the instance, and register the image with an IAM role assigned and an Amazon EBS volume mapping.
      B. Create a new IAM role with the same permissions as an existing IAM role, and assign it to the running instance.
      C. Create an image of the instance, add a new IAM role with the same permissions as the desired IAM role, and deregister the image with the new role assigned.
      D. Create an image of the instance, and use this image to launch a new instance with the desired IAM role assigned.

      In order to optimize performance for a compute cluster that requires low inter-node latency, which of the following features should you use?

      A. Multiple Availability Zones
      B. AWS Direct Connect
      C. EC2 Dedicated Instances
      D. Placement Groups
      E. VPC private subnets

      Please select the Amazon EC2 resource which can be tagged.

      A. key pairs
      B. Elastic IP addresses
      C. Placement groups
      D. Amazon EBS snapshots

      What are characteristics of Amazon S3?

      Choose 2 answers

      A. S3 allows you to store objects of virtually unlimited size.
      B. S3 offers Provisioned IOPS.
      C. S3 allows you to store virtually unlimited amounts of data.
      D. S3 should be used to host a relational database.
      E. Objects are directly accessible via a URL

      How can you secure data at rest on an EBS volume?

      A. Attach the volume to an instance using EC2’s SSL interface.
      B. Write the data randomly instead of sequentially.
      C. Encrypt the volume using the S3 server-side encryption service.
      D. Create an IAM policy that restricts read and write access to the volume.
      E. Use an encrypted file system (EFS) on top of the EBS volume.

      Which Amazon Elastic Compute Cloud feature can you query from within the instance to access instance properties?

      A. Instance user data
      B. Resource tags
      C. Instance metadata
      D. Amazon Machine Image

      After creating a new IAM user, which of the following must be done before they can successfully make API calls?

      A. Add a password to the user.
      B. Enable Multi-Factor Authentication for the user.
      C. Assign a Password Policy to the user.
      D. Create a set of Access Keys for the user.

      A customer wants to leverage Amazon Simple Storage Service (S3) and Amazon Glacier as part of their backup and archive infrastructure. The customer plans to use third-party software to support this integration. Which approach will limit the access of the third-party software to only the Amazon S3 bucket named “company-backup”?

      A. A custom bucket policy limited to the Amazon S3 API in the Amazon Glacier archive “company-backup”
      B. A custom bucket policy limited to the Amazon S3 API in “company-backup”
      C. A custom IAM user policy limited to the Amazon S3 API for the Amazon Glacier archive “company-backup”.
      D. A custom IAM user policy limited to the Amazon S3 API in “company-backup”.

      A company has an AWS account that contains three VPCs (Dev, Test, and Prod) in the same region. Test is peered to both Prod and Dev. All VPCs have non-overlapping CIDR blocks. The company wants to push minor code releases from Dev to Prod to speed up time to market. Which of the following options helps the company accomplish this?

      A. Create a new peering connection between Prod and Dev along with appropriate routes.
      B. Create a new entry to Prod in the Dev route table using the peering connection as the target.
      C. Attach a second gateway to Dev. Add a new entry in the Prod route table identifying the gateway as the target.
      D. The VPCs have non-overlapping CIDR blocks in the same account. The route tables contain local routes for all VPCs.

      A company needs to monitor the read and write IOPS metrics for their AWS MySQL RDS instance and send real-time alerts to their operations team. Which AWS services can accomplish this?

      Choose 2 answers

      A. Amazon Simple Email Service
      B. Amazon CloudWatch
      C. Amazon Simple Queue Service
      D. Amazon Route 53
      E. Amazon Simple Notification Service

      A company needs to deploy services to an AWS region which they have not previously used. The company currently has an AWS Identity and Access Management (IAM) role for the Amazon EC2 instances, which permits the instances to have access to Amazon DynamoDB. The company wants their EC2 instances in the new region to have the same privileges. How should the company achieve this?

      A. Create a new IAM role and associated policies within the new region
      B. Assign the existing IAM role to the Amazon EC2 instances in the new region
      C. Copy the IAM role and associated policies to the new region and attach it to the instances
      D. Create an Amazon Machine Image (AMI) of the instance and copy it to the desired region using the AMI Copy feature

      An existing application stores sensitive information on a non-boot Amazon EBS data volume attached to an Amazon Elastic Compute Cloud instance. Which of the following approaches would protect the sensitive data on an Amazon EBS volume?

      A. Upload your customer keys to AWS CloudHSM. Associate the Amazon EBS volume with AWS CloudHSM. Re-mount the Amazon EBS volume.
      B. Create and mount a new, encrypted Amazon EBS volume. Move the data to the new volume. Delete the old Amazon EBS volume.
      C. Unmount the EBS volume. Toggle the encryption attribute to True. Re-mount the Amazon EBS volume.
      D. Snapshot the current Amazon EBS volume. Restore the snapshot to a new, encrypted Amazon EBS volume. Mount the Amazon EBS volume.

      A customer has a single 3-TB volume on-premises that is used to hold a large repository of images and print layout files. This repository is growing at 500 GB a year and must be presented as a single logical volume. The customer is becoming increasingly constrained with their local storage capacity and wants an off-site backup of this data, while maintaining low-latency access to their frequently accessed data. Which AWS Storage Gateway configuration meets the customer requirements?

      A. Gateway-Cached volumes with snapshots scheduled to Amazon S3
      B. Gateway-Stored volumes with snapshots scheduled to Amazon S3
      C. Gateway-Virtual Tape Library with snapshots to Amazon S3
      D. Gateway-Virtual Tape Library with snapshots to Amazon Glacier

      You are deploying an application to track GPS coordinates of delivery trucks in the United States. Coordinates are transmitted from each delivery truck once every three seconds. You need to design an architecture that will enable real-time processing of these coordinates from multiple consumers. Which service should you use to implement data ingestion?

      A. Amazon Kinesis
      B. AWS Data Pipeline
      C. Amazon AppStream
      D. Amazon Simple Queue Service

      A photo-sharing service stores pictures in Amazon Simple Storage Service (S3) and allows application sign-in using an OpenID Connect-compatible identity provider. Which AWS Security Token Service approach to temporary access should you use for the Amazon S3 operations?

      A. SAML-based Identity Federation
      B. Cross-Account Access
      C. AWS Identity and Access Management roles
      D. Web Identity Federation

      You manually launch a NAT AMI in a public subnet. The network is properly configured. Security groups and network access control lists are properly configured. Instances in a private subnet can access the NAT. The NAT can access the Internet. However, private instances cannot access the Internet. What additional step is required to allow access from the private instances?

      A. Enable Source/Destination Check on the private instances.
      B. Enable Source/Destination Check on the NAT instance.
      C. Disable Source/Destination Check on the private instances.
      D. Disable Source/Destination Check on the NAT instance.

      A company is deploying a two-tier, highly available web application to AWS. Which service provides durable storage for static content while utilizing lower overall CPU resources for the web tier?

      A. Amazon EBS volume
      B. Amazon S3
      C. Amazon EC2 instance store
      D. Amazon RDS instance

      You have a load balancer configured for VPC, and all back-end Amazon EC2 instances are in service. However, your web browser times out when connecting to the load balancer’s DNS name. Which options are probable causes of this behavior?

      Choose 2 answers

      A. The load balancer was not configured to use a public subnet with an Internet gateway configured
      B. The Amazon EC2 instances do not have a dynamically allocated private IP address
      C. The security groups or network ACLs are not properly configured for web traffic.
      D. The load balancer is not configured in a private subnet with a NAT instance.
      E. The VPC does not have a VGW configured.

      A company is deploying a new two-tier web application in AWS. The company has limited staff and requires high availability, and the application requires complex queries and table joins. Which configuration provides the solution for the company’s requirements?

      A. MySQL installed on two Amazon EC2 instances in a single Availability Zone
      B. Amazon RDS for MySQL with Multi-AZ
      C. Amazon ElastiCache
      D. Amazon DynamoDB

      You have a distributed application that periodically processes large volumes of data across multiple Amazon EC2 instances. The application is designed to recover gracefully from Amazon EC2 instance failures. You are required to accomplish this task in the most cost-effective way.

      Which of the following will meet your requirements?

      A. Spot Instances
      B. Reserved instances
      C. Dedicated instances
      D. On-Demand instances

      A customer is running a multi-tier web application farm in a virtual private cloud (VPC) that is not connected to their corporate network. They are connecting to the VPC over the Internet to manage all of their Amazon EC2 instances running in both the public and private subnets. They have only authorized the bastion-securitygroup with Microsoft Remote Desktop Protocol (RDP) access to the application instance security groups, but the company wants to further limit administrative access to all of the instances in the VPC. Which of the following Bastion deployment scenarios will meet this requirement?

      A. Deploy a Windows Bastion host on the corporate network that has RDP access to all instances in the VPC.
      B. Deploy a Windows Bastion host with an Elastic IP address in the public subnet and allow SSH access to the bastion from anywhere.
      C. Deploy a Windows Bastion host with an Elastic IP address in the private subnet, and restrict RDP access to the bastion from only the corporate public IP addresses.
      D. Deploy a Windows Bastion host with an auto-assigned Public IP address in the public subnet, and allow RDP access to the bastion from only the corporate public IP addresses.

      Which of the following statements are true about Amazon Route 53 resource records?

      Choose 2 answers

      A. An Alias record can map one DNS name to another Amazon Route 53 DNS name.
      B. A CNAME record can be created for your zone apex.
      C. An Amazon Route 53 CNAME record can point to any DNS record hosted anywhere.
      D. TTL can be set for an Alias record in Amazon Route 53.
      E. An Amazon Route 53 Alias record can point to any DNS record hosted anywhere.

      You have a content management system running on an Amazon EC2 instance that is approaching 100% CPU utilization. Which option will reduce load on the Amazon EC2 instance?

      A. Create a load balancer, and register the Amazon EC2 instance with it
      B. Create a CloudFront distribution, and configure the Amazon EC2 instance as the origin
      C. Create an Auto Scaling group from the instance using the CreateAutoScalingGroup action
      D. Create a launch configuration from the instance using the CreateLaunchConfiguration action

      With which AWS orchestration service can you implement Chef Recipes?

      A. CloudFormation
      B. Elastic Beanstalk
      C. OpsWorks
      D. Lambda

      Which events can trigger an AWS Lambda function?

      A. Object uploads to Amazon S3
      B. Amazon SNS notifications
      C. API actions

      You are designing a web application that stores static assets in an Amazon Simple Storage Service (S3) bucket. You expect this bucket to immediately receive over 150 PUT requests per second. What should you do to ensure optimal performance?

      A. Use multi-part upload.
      B. Add a random prefix to the key names.
      C. Amazon S3 will automatically manage performance at this scale.
      D. Use a predictable naming scheme, such as sequential numbers or date time sequences, in the key names

      In the shared security model, AWS is responsible for which of the following security best practices (check all that apply):

      A. Penetration testing
      B. Operating system account security management
      C. Threat modeling
      D. User group access management
      E. Static code analysis

      Your AWS environment contains several reserved EC2 instances dedicated to a project that has just been canceled. Your supervisor wants to stop incurring charges for these reserved instances immediately and recover as much of the reserved instance cost as possible. What can you do to avoid being charged for them?

      Choose the 2 correct answers:

      A. What are characteristics of Amazon S3
      B. Terminate the instances as soon as possible
      C. Sell the reserved instances on the AWS Reserved Instance Marketplace
      D. Stop the instances as soon as possible

      What URL might you query on an EC2 instance in order to find the public AND private IP address of an instance?

      A. http://169.254.169.254/latest/meta-data/
      B. http://169.254.169.254/latest/user-data/
      C. http://169.254.169.169/latest/meta-data/
      D. http://169.254.169.169/latest/meta-data/

      You design an application that checks for new items in an S3 bucket once per hour. If new items exist, a message is added to an SQS queue. You have several EC2 instances which retrieve messages from the SQS queue, parse the file, and send you an email containing the relevant information from the file. You upload one test file to the bucket, wait a couple hours and find that you have hundreds of emails from the application. What is the most likely cause for this volume of email?

      A. This is expected behavior when using short polling because SQS does not guarantee that there will not be duplicate messages processed.
      B. Your application does not issue a delete command to the SQS queue after processing the message.
      C. You can only have one EC2 instance polling the SQS queue at a time.
      D. This is expected behavior when using long polling because SQS does not guarantee that there will not be duplicate messages processed.

      What is true about EBS? (choose 3 correct answers)

      A. You can share the snapshot with other AWS accounts
      B. The snapshots are just stored as another EBS volume
      C. Snapshots are automatically encrypted
      D. The snapshots are stored in S3
      E. Snapshots are incremental in nature and only

      You are excited to have just been employed by a large scientific institution that is at the cutting edge of high-performance computing. Your first job is to launch 10 Large EC2 instances which will all be used to crunch huge amounts of data and will also need to pass this data back and forth between each other. Which of the following would be the most efficient setup to achieve this?

      A. Use the largest EC2 instances currently available on AWS, but make sure they are all in the same Availability Zone
      B. Use Placement Groups and launch the 10 instances at the same time.
      C. Use Placement Groups. Make sure the 10 Instances are spread evenly across Availability Zones.
      D. Use the largest EC2 instances currently available on AWS, but make sure they are all in the same region.

      You’re building a mobile application game. The application needs permissions for each user to communicate and store data in DynamoDB tables. What is the best method for granting each mobile device that installs your application to access DynamoDB tables for storage when required?

      A. Create an IAM group that only gives access to your application and to the DynamoDB tables. Then, when writing to DynamoDB, simply include the unique device ID to associate the data with that specific user.
      B. Create an IAM role with the proper permission policy to communicate with the DynamoDB table. Use web identity federation, which assumes the IAM role using AssumeRoleWithWebIdentity, when the user signs in, granting temporary security credentials using STS.
      C. Create an Active Directory server and an AD user for each mobile application user. When the user signs in to AD, allow the AD server to federate using SAML 2.0 to IAM and assign a role to the AD user, which is then assumed with AssumeRoleWithSAML.
      D. BCJC should create a new stack that contains the Python application code and manages separate deployments of the application via the secondary stack using the deploy lifecycle action to implement the application code.

      A user has created a VPC with public and private subnets using the VPC wizard. The user has not launched any instance manually and is trying to delete the VPC. What will happen in this scenario?

      A. It will not allow the VPC to be deleted since it has a running route instance
      B. It will terminate the VPC along with all the instances launched by the wizard
      C. It will not allow the VPC to be deleted as it has subnets with route tables
      D. It will not allow the VPC to be deleted since it has a running NAT instance

      A Virtual Private Cloud (VPC) is a virtual network dedicated to the user’s AWS account. A user can create a subnet within a VPC and launch instances inside that subnet. If the user has created a public and a private subnet, the instances in the public subnet can receive inbound traffic directly from the Internet, whereas the instances in the private subnet cannot. If these subnets are created with the wizard, AWS will create a NAT instance with an Elastic IP. If the user then tries to delete the VPC, the deletion is not allowed because the NAT instance is still running.

      For which AWS services can you access the underlying host? (Multiple choice)

      A. ElastiCache
      B. EMR
      C. EC2
      D. DynamoDB
      E. Elastic Beanstalk
      F. RDS

      What are the characteristics of DynamoDB? (choose 3 correct answers)

      A. It is used for SQL databases like SQL Server, MySQL, Oracle
      B. Gives you fast and predictable performance with seamless scalability
      C. When reading data from Amazon DynamoDB, users can specify whether they want the read to be eventually consistent or strongly consistent
      D. It is a managed service provided by AWS
      E. There is a limit on stored data or throughput of data

      An instance is launched in a private VPC subnet. All security group, NACL and routing definitions are configured as expected. A custom NAT instance is launched. Which of the following is correct for configuring the custom NAT instance?

      A. The NAT instance should have a public IP address configured
      B. Source/Destination check should be disabled
      C. The NAT instance should be launched in a public subnet
      D. The NAT instance should have an Elastic IP address configured

      You are configuring a new VPC for one of your clients for a cloud migration project. Only a public VPN will be in place. After you created your VPC, you created a new subnet and a new Internet gateway and attached the Internet gateway to your VPC. When you created your first instance in the VPC, you realized that you cannot connect to the instance even though it is configured with an Elastic IP. What should be done to access the instance?

      A. A route should be created as 0.0.0.0/0 and your internet gateway as target
      B. A NACL should be created and allow all outbound traffic
      C. A NAT instance should be created, and all traffic should be forwarded to NAT instance
      D. Attach another ENI to instance and connect via new ENI

      How can an instance be copied to another region?

      A. There is no way to copy an instance to another region
      B. First, the instance’s root volume is detached. Then a new instance is created in another region. Finally, the detached volume is attached to the new instance as the root device
      C. By stopping the instance and using the copy option
      D. By creating an AMI and copying it to another region

      What is the most secure option to connect to instances without Internet connectivity in a private VPC subnet?

      A. Enable Internet connectivity and configure NACLs and security groups to connect to the instances
      B. Enable Internet connectivity and configure security groups to connect to the instances
      C. Use a bastion host to connect to the instances
      D. Configure IAM policy to restrict access to the instances

      Which record type queries are free when using Route 53?

      A. TXT
      B. MX
      C. Alias
      D. AAAA

      Regarding charges for Elastic IP addresses, which of the following is true?

      A. Elastic IP addresses can always be used with no charge.
      B. You can have one Elastic IP (EIP) address associated with a running instance at no charge.
      C. You can have 5 Elastic IP addresses per region with no charge.
      D. You are charged for each Elastic IP address.

      You have assigned one Elastic IP to your EC2 instance. Now you need to restart the instance without the EIP changing. Which of the below should you not do?

      A. Reboot and stop/start both works.
      B. When the instance is in VPC public subnets, stop/start works.
      C. When the instance is in VPC private subnet, stop/start works.
      D. Reboot the instance.

      Which of the below mentioned steps will not be performed while creating the AMI of an instance store-backed instance?

      A. Define the AMI launch permissions.
      B. Register the AMI
      C. Bundle the volume
      D. Upload the bundled volume

      Which of the following are features of enhanced networking? (Choose 3 answers)

      A. More Packets Per Second (PPS)
      B. Lower latency
      C. Multiple network interfaces
      D. Border Gateway Protocol (BGP) routing
      E. Less jitter

      The user just started an instance at 3 PM. Between 3 PM and 5 PM, he stopped and started the instance twice. During the same period, he ran the Linux reboot command over SSH once and triggered a reboot from the AWS console once. For how many instance hours will AWS charge this user?

      A. 2
      B. 3
      C. 4
      D. 5

      How can we attach our instance store volume to another instance?

      A. We can stop the instance, detach the volume, and attach it to another instance
      B. We can use “force detach” and then attach to another instance
      C. We can use “detach volume” and then attach to another instance.
      D. We cannot detach or attach instance store volume

      You have an Amazon Elastic Compute Cloud (EC2) security group with several running EC2 instances. You change the security group rules to allow inbound traffic on a new port and protocol, and launch several new instances in the same security group. The new rules apply:

      A. To all instances, but it may take several minutes for old instances to see the changes.
      B. Immediately to the new instances only.
      C. Immediately to all instances in the security group
      D. Immediately to the new instances, but old instances must be stopped and restarted before the new rules apply.

      How can software determine the public and private IP addresses of the Amazon Elastic Compute Cloud instance that it is running on?

      A. Use an ipconfig or ifconfig command
      B. Query the local instance metadata.
      C. Query the local instance userdata.
      D. Query the appropriate Amazon CloudWatch metric.

      You receive a Spot Instance at a bid of $0.05/hr. After 30 minutes, the Spot Price increases to $0.06/hr. and your Spot Instance is terminated by AWS. What was the total EC2 compute cost of running your Spot Instance?

      A. $0.02
      B. $0.00
      C. $0.05
      D. $0.06
      E. $0.025

      (Note: if you bid on a price, and AWS restarts the instances for marketplace and price changes within the marketplace, the customer pays the CURRENT price). Similar question, but the Spot Price starts at $0.20/hr. and you bid $0.22/hr.; after 90 minutes the instance is terminated by AWS and the new price is $0.22/hr. Which price would you pay? ANS: $0.25. Any time the instance restarts, Amazon charges you per hour, so for 90 minutes the user will be charged for 2 hrs.

      You have an Amazon Virtual Private Cloud (VPC) with a public subnet. Three Amazon Elastic Compute Cloud (EC2) instances currently running inside the subnet can successfully communicate with other hosts on the Internet. You launch a fourth instance in the same subnet, using the same Amazon Machine Image (AMI) and security group configuration you used for the others, but find that this instance cannot be accessed from the Internet. What should you do to enable Internet access?

      A. Deploy a NAT instance into the public subnet
      B. Modify the routing table for the public subnet
      C. Assign an elastic IP address to the fourth instance
      D. Configure a publicly routable IP address in the host OS of the fourth instance.

      A startup company hired you to help them build a mobile application that will ultimately store billions of images and videos in Amazon Simple Storage Service (S3). The company is lean on funding and wants to minimize operational costs; however, they have an aggressive marketing plan and expect to double their current installation base every six months. Due to the nature of their business, they are expecting sudden and large increases in the traffic to and from S3, and need to ensure that it can handle the performance needs of their application. What other information must you gather from this customer in order to determine whether S3 is the right option?

      A. In order to build the key namespace correctly, you must understand the total amount of storage needs for each S3 bucket.
      B. You must find out the total number of requests per second at peak usage.
      C. You must know how many customers the company has today, because this is critical in understanding what their customer base will be in two years.
      D. You must know the size of individual objects being written to S3, in order to properly design the key namespace.

      You are deploying an application on Amazon Elastic Compute Cloud (EC2) that must call AWS APIs. What method of securely passing credentials to the application should you use?

      A. Embed the API credentials into your JAR files.
      B. Pass API credentials to the instance using instance user data.
      C. Store API credentials as an object in Amazon Simple Storage Service
      D. Use AWS Identity and Access Management roles for EC2 instances

      A VPC public subnet is one that:

      A. Includes a route in its associated routing table via a Network Address Translation (NAT) instance.
      B. Has a Network Access Control List (NACL) permitting outbound traffic to 0.0.0.0/0
      C. Has at least one route in its associated routing table that uses an Internet Gateway (IGW).
      D. Has the Public Subnet option selected in its configuration.

      In reviewing the Auto Scaling events for your application, you notice that your application is scaling up and down multiple times in the same hour. What design choice could you make to optimize for cost while preserving elasticity? (Choose 3 answers)

      A. Modify the Auto Scaling group termination policy to terminate the oldest instance first.
      B. Modify the Amazon CloudWatch alarm period that triggers your Auto Scaling scale down policy.
      C. Modify the Auto Scaling group termination policy to terminate the newest instance first
      D. Modify the Auto Scaling policy to use scheduled scaling actions.
      E. Modify the Auto Scaling group cool-down timers.

      What action is required to establish an Amazon Virtual Private Cloud (VPC) VPN connection between an on-premises data center and an Amazon VPC virtual private gateway?

      A. Modify the main route table to allow traffic to a network address translation instance.
      B. Assign a static Internet-routable IP address to an Amazon VPC customer gateway.
      C. Establish a dedicated networking connection using AWS Direct Connect.
      D. Use a dedicated network address translation instance in the public subnet

      Which of the following is a durable key-value store?

      A. Amazon Simple Queue Service
      B. Amazon Simple Workflow Service
      C. Amazon Simple Storage Service
      D. Amazon Simple Notification Service

      You have an application running in us-west-2 that requires six Amazon Elastic Compute Cloud (EC2) instances running at all times. With three AZs available in that region (us-west-2a, us-west-2b, and us-west-2c), which of the following deployments provides 100 percent fault tolerance if any single AZ in us-west-2 becomes unavailable? (Choose 2 answers)

      A. us-west-2a with two EC2 instances, us-west-2b with two EC2 instances, and us-west-2c with two EC2 instances
      B. us-west-2a with four EC2 instances, us-west-2b with two EC2 instances, and us-west-2c with two EC2 instances
      C. us-west-2a with three EC2 instances, us-west-2b with three EC2 instances, and us-west-2c with no EC2 instances
      D. us-west-2a with three EC2 instances, us-west-2b with three EC2 instances, and us-west-2c with three EC2 instances.
      E. us-west-2a with six EC2 instances, us-west-2b with six EC2 instances, and us-west-2c with no EC2 instances

      Which route must be added to your routing table to allow connections to the Internet from your subnet?

      A. Destination: 0.0.0.0/0 -> Target: 0.0.0.0/32
      B. Destination: 192.168.1.257/0 -> Target: your Internet gateway
      C. Destination: 0.0.0.0/0 -> Target: your Internet gateway
      D. Destination: 10.0.0.0/32 -> Target: your virtual private gateway
      E. Destination: 0.0.0.0/32 -> Target: your virtual private gateway

      What are the characteristics of a subnet? (choose 2 correct answers)

      A. A subnet can span multiple availability zones
      B. Default subnets are assigned a /16 netblock
      C. Network traffic entering and exiting each subnet can be allowed or denied via network Access Control Lists (ACLs)
      D. A subnet can span multiple regions
      E. Default subnets are assigned a /20 netblock

      In which case do you have full authority over the underlying host? (choose 2 correct answers)

      A. EC2
      B. EMR (Elastic MapReduce)
      C. SimpleDB
      D. DynamoDB
      E. RDS

      After the government organization you work for suffers its 3rd DDoS attack of the year, you have been handed one part of a strategy to try to stop this from happening again. You have been told that your job is to minimize the attack surface area. You have a vague idea of some of the things you need to put in place to achieve this. Which of the following is NOT one of the ways to minimize the attack surface area as a DDoS minimization strategy?

      A. Eliminate non-critical Internet entry points.
      B. Reduce the number of necessary Internet entry points.
      C. Configure services such as Elastic Load Balancing and Auto Scaling to automatically scale.
      D. Separate end user traffic from management traffic.

      What is the difference between an availability zone and an edge location?

      A. Edge locations are used as control stations for AWS resources
      B. None of the above
      C. An availability zone is an Amazon Resource within an AWS region whereas an edge location will deliver cached content to the closest location to reduce latency
      D. An availability zone is a grouping of AWS resources in a specific region; an edge location is a specific resource within the AWS region

      Which of the following AWS services allow you access to the underlying operating system?
      Choose the 2 correct answers:

      A. RDS
      B. S3
      C. EMR
      D. Elastic Beanstalk

      You are a consultant tasked with migrating an on-premises application architecture to AWS. During your design process you have to give consideration to current on-premises security and determine which security attributes you are responsible for on AWS. Which of the following does AWS provide for you as part of the shared responsibility model?
      Choose the 2 correct answers:

      A. Virtualization Infrastructure
      B. Instance Security
      C. Physical Network Infrastructure
      D. User access to the AWS environment

      Which is an operational process performed by AWS for data security?

      A. Secure wiping of EBS data when an EBS volume is unmounted
      B. Background virus scans of EBS volumes and EBS snapshots
      C. Background virus scans of EBS volumes and EBS snapshots
      D. Decommissioning of storage devices using industry-standard practices

      Company B provides an online image recognition service and utilizes SQS to decouple system components for scalability. The SQS consumers' readers poll the image queue as often as possible to keep end-to-end throughput as high as possible. However, Company B is realizing that polling in tight loops is burning CPU cycles and increasing costs with empty responses. How can Company B reduce the number of empty responses?

      A. Enable short polling on the SQS queue by setting the ReceiveMessageWaitTimeSeconds to a number > 0
      B. Enable short polling on the SQS message by setting the ReceiveMessageWaitTimeSeconds to a number = 0
      C. Scale the component making the request using auto scaling based off the number of messages in the queue
      D. Enable long polling by setting the ReceiveMessageWaitTimeSeconds to a number > 0

      You need to import several hundred megabytes of data from a local Oracle database to an Amazon RDS DB instance. What does AWS recommend to use to accomplish this?

      A. Oracle Data Pump
      B. Oracle Export/Import Utilities
      C. DBMS_FILE_TRANSFER
      D. Oracle SQL Developer

      A user has created a VPC with two subnets: one public and one private. The user is planning to run the patch update for the instances in the private subnet. How can the instances in the private subnet connect to the internet?

      A. Use the internet gateway with a private IP
      B. Allow outbound traffic in the security group for port 80 to allow internet updates
      C. The private subnet can never connect to the internet
      D. Use NAT with an Elastic IP

      A user has created a VPC with public and private subnets using the VPC wizard. Which of the statements below is true in this scenario?

      A. AWS VPC will automatically create a NAT instance with the micro size
      B. VPC binds the main route table to the public subnet and a custom route table to the private subnet
      C. VPC binds the main route table to the private subnet and a custom route table to the public subnet
      D. The user has to manually create a NAT instance

      A user has created a VPC with a subnet and a security group. The user has launched an instance in that subnet and attached a public IP. The user is still unable to connect to the instance. The internet gateway has also been created. What can be the reason for the error?

      A. The internet gateway is not configured with the route table
      B. The private IP is not present
      C. The internet gateway is not configured with the security group
      D. The outbound traffic on the security group is disabled

      You are attempting to connect to an instance in Amazon VPC without success. You have already verified that the VPC has an Internet Gateway (IGW), the instance has an associated Elastic IP (EIP), and correct security group rules are in place. Which VPC component should you evaluate next?

      A. The configuration of the Routing Table
      B. The configuration of a NAT instance
      C. The configuration of the internet Gateway (IGW)
      D. The configuration of SRC/DST checking

      After launching an instance that you intend to serve as a NAT (Network Address Translation) device in a public subnet, you modify your route tables to have the NAT device be the target of Internet-bound traffic from your private subnet. When you try to make an outbound connection to the Internet from an instance in the private subnet, you are not successful. Which of the following steps could resolve the issue?

      A. Attaching an Elastic IP address to the instance in the private subnet
      B. Disabling the Source/Destination Check attribute on the NAT instance
      C. Attaching a second Elastic Network interface (ENI) to the NAT instance, and placing it in the private subnet
      D. Attaching a second Elastic Network Interface (ENI) to the instance in the private subnet, and placing it in the public subnet

      An instance is launched into a VPC subnet with the network ACL configured to allow all inbound traffic and deny all outbound traffic. The instance’s security group is configured to allow SSH from any IP address and deny all outbound traffic. What changes need to be made to allow SSH access to the instance?

      A. The outbound network ACL needs to be modified to allow outbound traffic.
      B. Both the outbound security group and outbound network ACL need to be modified to allow outbound traffic.
      C. The outbound security group needs to be modified to allow outbound traffic.
      D. Nothing, it can be accessed from any IP address using SSH.

      You are currently hosting multiple applications in a VPC and have logged numerous port scans coming in from a specific IP address block. Your security team has requested that all access from the offending IP address block be denied for the next 24 hours. Which of the following is the best method to quickly and temporarily deny access from the specified IP address block?

      A. Create an AD policy to modify Windows Firewall settings on all hosts in the VPC to deny access from the IP address block
      B. Modify the Network ACLs associated with all public subnets in the VPC to deny access from the IP address block
      C. Modify the Windows Firewall settings on all Amazon Machine Images (AMIs) that your organization uses in that VPC to deny access from the IP address block
      D. Add a rule to all of the VPC's Security Groups to deny access from the IP address block

      You have two Elastic Compute Cloud (EC2) instances inside a Virtual Private Cloud (VPC) in the same Availability Zone (AZ) but in different subnets. One instance is running a database and the other instance an application that will interface with the database. You want to confirm that they can talk to each other for your application to work properly. Which two things do we need to confirm in the VPC settings so that these EC2 instances can communicate inside the VPC? Choose 2 answers

      A. That the default route is set to a NAT instance or Internet Gateway (IGW) for them to communicate.
      B. Both instances are the same instance class and using the same Key-pair.
      C. A network ACL that allows communication between the two subnets.
      D. Security groups are set to allow the application host to talk to the database on the right port/protocol

      When you put objects in Amazon S3, what is the indication that an object was successfully stored?

      A. A success code is inserted into the S3 object metadata.
      B. Each S3 account has a special bucket named _s3_logs. Success codes are written to this bucket with a timestamp and checksum.
      C. Amazon S3 is engineered for 99.999999999% durability. Therefore, there is no need to confirm that data was inserted.
      D. An HTTP 200 result code and MD5 checksum, taken together, indicate that the operation was successful.

      A company is storing data on Amazon Simple Storage Service (S3). The company’s security policy mandates that data is encrypted at rest. Which of the following methods can achieve this?
      Choose 3 answers

      A. Use Amazon S3 server-side encryption with AWS Key Management Service managed keys
      B. Use Amazon S3 server-side encryption with customer-provided keys
      C. Use Amazon S3 bucket policies to restrict access to the data at rest.
      D. Use SSL to encrypt the data while in transit to Amazon S3
      E. Use Amazon S3 server-side encryption with EC2 key pair.
      F. Encrypt the data on the client-side before ingesting to Amazon S3 using their own master key

      When an EC2 instance that is backed by an S3-based AMI is terminated, what happens to the data on the root volume?

      A. Data is automatically deleted
      B. Data is automatically saved as an EBS snapshot.
      C. Data is automatically saved as an EBS volume.
      D. Data is unavailable until the instance is restarted

      In AWS, which security aspects are the customer’s responsibility? Choose 4 answers

      A. Life-cycle management of IAM credentials
      B. Patch management on the EC2 instances operating system
      C. Encryption of EBS (Elastic Block Storage) volumes
      D. Decommissioning storage devices (AWS responsibility)
      E. Security Group and ACL (Access Control List) settings
      F. Controlling physical access to compute resources (AWS responsibility)

      A customer is hosting their company website on a cluster of web servers that are behind a public-facing load balancer. The customer also uses Amazon Route 53 to manage their public DNS. How should the customer configure the DNS zone apex record to point to the load balancer?

      A. Create an A record aliased to the load balancer DNS name
      B. Create a CNAME record aliased to the load balancer DNS name.
      C. Create an A record pointing to the IP address of the load balancer
      D. Create a CNAME record pointing to the load balancer DNS name.

      For which of the following use cases are Simple Workflow Service (SWF) and Amazon EC2 an appropriate solution? Choose 2 answers

      A. Using as an endpoint to collect thousands of data points per hour from a distributed fleet of sensors
      B. Managing a multi-step and multi-decision checkout process of an e-commerce website
      C. Orchestrating the execution of distributed and auditable business processes
      D. Using as an SNS (Simple Notification Service) endpoint to trigger execution of video transcoding jobs
      E. Using as a distributed session store for your web application

      Which procedure for backing up a relational database on EC2 that is using a set of RAIDed EBS volumes for storage minimizes the time during which the database cannot be written to and results in a consistent backup?

      A. 1. Detach EBS volumes, 2. Start EBS snapshot of volumes, 3. Re-attach EBS volumes
      B. 1. Suspend disk I/O, 2. Start EBS snapshot of volumes, 3. Wait for snapshots to complete, 4. Resume disk I/O
      C. 1. Stop the EC2 Instance, 2. Snapshot the EBS volumes
      D. 1. Suspend disk I/O, 2. Create an image of the EC2 Instance, 3. Resume disk I/O

      A company has configured and peered two VPCs: VPC-1 and VPC-2. VPC-1 contains only private subnets, and VPC-2 contains only public subnets. The company uses a single AWS Direct Connect connection and private virtual interface to connect their on-premises network with VPC-1. Which two methods increase the fault tolerance of the connection to VPC-1? Choose 2 answers

      A. Establish a hardware VPN over the internet between VPC-2 and the on-premises network. (Peered VPC does not support Edge to Edge Routing)
      B. Establish a hardware VPN over the internet between VPC-1 and the on-premises network
      C. Establish a new AWS Direct Connect connection and private virtual interface in the same region as VPC-2 (Peered VPC does not support Edge to Edge Routing)
      D. Establish a new AWS Direct Connect connection and private virtual interface in a different AWS region than VPC-1 (need to be in the same region as VPC-1)
      E. Establish a new AWS Direct Connect connection and private virtual interface in the same AWS region as VPC-1

  12. Hi Jayendra, I have passed AWS CSA exam today. Thanks a lot for putting so much effort in keeping these blogs up to date. My exam pattern was similar to Nandkishor.

  13. Hello All,
    Just now I came to know about Jay's blog. Feel great on Jay's efforts in preparing this.... I am preparing for the CSA exam. I am yet to browse the blog completely. As of now I am referring to Acloudguru and Linux Academy and will add this blog now for preparation.
    I welcome suggestions on the preparation recommended for the exam.

    Regards,
    csvenkat.

  14. Dear Jayendra,
    I just cleared my AWS SA and I want to thank you for an awesome blog you have here which is full of information. It helped me immensely and I am now getting ready for Sys OPs and hoping to repeat the same with your blog’s help !!! God Bless !!

  15. Dear Jayendra,

    I cleared AWS SA. I really appreciate your help in making this real. I watched acloud guru, which helped in understanding the concepts, also read your white papers and also used Brain cert; many of the questions are on the question. God bless from United States

  16. Hello Jayendra,
    I just came across your blog. I finished my course on linuxacademy and took whizlabs but still failed my SAA. Right now I am going through your blog to get more knowledge for my next attempt. Do I have to go over each whitepaper under "AWS Whitepapers" and each section under "AWS Services" to clear my SAA exam? Or do I have to go over http://jayendrapatil.com/aws-solution-architect-associate-exam-learning-path/

    Please advise.

    Thanks
    -Praveen.

    1. Hi Praveen, I would recommend going through the FAQs for the services, reading through the blog topics and trying the Braincert practice exams. Also, know the reasoning for the right as well as the wrong answers; that would help you eliminate options during the exam.

  17. Hi Jayendra,

    Your blog is excellent; it helped me a lot to recollect all the important points before going to take my exam. Yesterday I cleared my AWS – CSA Associate. Thank you so much for keeping this blog updated.

    -Srinu

  18. Thank you so much for the blog. I completed my SA associate exam today with 85%. Your blog was the most elaborate and the questions on every page help us to understand the concepts. I have purchased braincert as well. Now my target is solution architect professional. Can you please provide some inputs on that?

    1. That's great Keerthana, congrats. For SA-Prof, I would recommend going for the Linux Academy course as it is more detailed and Braincert practice tests for preparation. Go through the blog for important topics and whitepapers. The Prof. exam is quite exhaustive and needs good preparation.

  19. Hi Jayendra,

    I will be taking the Solutions Architect Associate exam this weekend. What would be your suggestion on what I should read at this point in time?

    I am still not confident enough to face the exam. I need your valuable suggestion.

    Thank you

    1. Go through the important topics and FAQs. If you are not confident, would recommend you try Braincert practice tests and try to map all the concepts for the right and wrong answers.

    2. Hello,

      On 24th Oct, questions came from below topics.

      Spot instance charge
      API gateway benefits
      Quickly transfer 10tb data to glacier – aws export import
      How to track access to ec2 in vpc. Option was vpc flow logs, cloud trail etc
      Deploy lamp stack with less human resource(option beanstalk/code deploy)
      Bastion host questions
      Study Load balancer type difference
      What service will do Dynamic port configure
      Which help in instance increase in auto scale. (option were lock down/ cool down cloud watch etc)
      Cross-Origin Resource Sharing (CORS)
      NAT instance / NAT gateway…check the difference/use
      Elastic store which will shrink and expand (EFS)
      Cross zone balancing in ELB, benefits
      Availability of S3/RRS
      Use of kinesis

  20. Hi Jayendra

    Thank you for keeping the blog updated and filled with details, please continue to do so. It is very helpful for us.
    One question – how to know if I'm ready for the exam? Any thoughts? Actually
    I have planned for the exam in a week. I have gone through acloudguru and your blog notes. I have tried all the Whizlabs and TheCertSchool practice tests and some of the braincert tests. I have got between 75% and 85% score in these practice tests.
    Is it ok for me to proceed to the exam spending a couple of days refreshing all the above? Or is it necessary to get more than 90% in all these practice tests before sitting for the actual exam?

    Thank you.

    1. It is necessary to know the concepts well enough, even if you do not score on the tests. But if you know what's right and what's wrong and why, that should be enough to appear for the exam.

  21. Hi Jayendra

    The advertisement on your blog regarding the AWS exam test is not appropriate.
    It is not fully complete and only 1 exam test is available out of 6

  22. Hi Jayendra
    Thanks for this awesome information.
    I’m an analyst and have never worked on anything related to this.
    Is there any prerequisite before I take this exam?
    Can you please suggest some reading material for the basic concepts?

  23. Hello Jayendra,

    Thank you for this awesome blog. Passed the SA Associate exam. Saw this blog only 3-4 days before the exam. The dumps I referred to had wrong answers, but this was cleared up by your blog with explanations. Thanks a lot. As you said, knowing all the concepts is a must. Out of the 500 questions referred to only 15 came, but you will get an idea. Practicing AWS labs also helped a lot.

  24. Currently studying for the exam and just found this site… great resource!

    One question I have, there is discussion about reading the FAQ’s along with whitepapers.

    I found a link to the FAQs (https://aws.amazon.com/faqs/) but is there a link / location for the whitepapers?

    Or would the FAQ’s be sufficient?

    Thanks!

  25. Hello Jayendra,

    Passed the Solution Architect Associate exam with 89% score.
    Thanks for sharing this blog. It really helped a lot.

    Thanks,
    Kishnaz

  26. Hi Jayendra,

    Thank you very much for this great blog! Please continue to update it.

    I cleared my AWS Solution Architect Associate Exam 95%. Looking forward to the Professional level.

    Thank you

    1. Ramya,

      Please can you update on the topics that came up in the questions? which areas did it cover? any new topics have been added to the questions. Please advise. that would really help the test takers.

    2. Hi Ramya,

      Congrats for the accomplishment. I plan to take the exam in few days.
      Can you please highlight us on the topic came for exam and any new concept .

      Regards
      Sriram

  27. The questions were very similar to what has been posted above. Whizlabs and brain cert practice questions are very helpful. No other new topics other than API Gateway, Lambda, ALB.
    Good luck to you!

  28. Thank you Jayendra for the wonderful coverage of all the topics. This really helped me to PASS the exam yesterday. My exam had questions from IAM, 1 ECS, VPC, S3, Lambda, Route 53, EC2, RDS, Elasticache, Autoscaling. The questions were not lengthy but the answer choices were close enough. More 'choose 2' options questions.

  29. Thanks a lot Jayendra for the beautiful blog.

    I cleared my AWS Solution Architect Associate Exam today. The exam questions were mostly similar to what is discussed in your blog, Whizlabs and Braincert.

    Apart from the Core and major topics, I got questions from the below topics
    – Kinesis usecase ( mainly on Kinesis firehose and streams usecase)
    – NAT gateway ( A webserver hosted in a NAT setup with 7Gbps traffic)
    – Couple of ALB Q ( ECS with dynamic port mapping, path based routing)
    – Lambda ( Event source generation services S3, DynamoDB, ELB, Route53,Redshift)
    – API gateway & cors ( combined usecase )
    – Trusted Advisor ( under utilization of EC2 instance)
    – STS
    – DynamoDB
    – Spot Instance pricing
    – Identification of rogue EC2 instance details ( cloud trail, vpc flow)
    – Auto-scaling ( changing ec2 image, one scenario q on number of Autoscaling grp)

      1. It wasn’t hard. The questions were straightforward and English statements were simple to understand. Answer options were also not confusing. If you understand the concepts well you can answer without difficulty.

        Regards
        Sriram

  30. Thank you Rajendra for your lightning quick response and the additional information you have provided. I am aiming to do the associate exam in the next 10 days. We are lucky that we found you. Thanks again.
    BR
    Shiva

  31. Hi,
    What are the future prospects after the AWS Solution Architect certification? I am an experienced IT pro with a development background with 12+ yrs exp.

    Best Regards
    AB
