AWS Certified Solution Architect – Associate Exam Learning Path


AWS Solution Architect – Associate exam basically validates the following 2 abilities:

  • Identify and gather requirements in order to define a solution to be built using architecture best practices.
  • Provide guidance on architectural best practices to developers and system administrators throughout the lifecycle of the project.

Refer to the AWS Solution Architect – Associate Exam Blue Print

AWS Solution Architect - Associate Exam Break up

AWS Cloud Computing Whitepapers

AWS Solution Architect – Associate Exam Contents

NOTE: Based on recent feedback from users, the AWS SA-A exams have questions on the newer Lambda, ALB, ALB vs Classic Load Balancer, ECS and API Gateway services.

Domain 1.0: Designing highly available, cost-efficient, fault-tolerant, scalable systems

  1. Identify and recognize cloud architecture considerations, such as fundamental components and effective designs. Content may include the following:

Domain 2.0: Implementation/Deployment

  1. Identify the appropriate techniques and methods using Amazon EC2, Amazon S3, AWS Elastic Beanstalk, AWS CloudFormation, AWS OpsWorks, Amazon Virtual Private Cloud (VPC), and AWS Identity and Access Management (IAM) to code and implement a cloud solution.
    Content may include the following:

    1. Configure an Amazon Machine Image (AMI)
    2. Operate and extend service management in a hybrid IT architecture
    3. Configure services to support compliance requirements in the cloud
    4. Launch instances across the AWS global infrastructure
    5. Configure IAM policies and best practices

Domain 3.0: Data Security

  1. Recognize and implement secure practices for optimum cloud deployment and maintenance. Content may include the following:
  2. Recognize critical disaster recovery techniques and their implementation.
    Content may include the following:

Domain 4.0: Troubleshooting

  1. Content may include the following:

NOTE: I have just marked the topics inline with the AWS Exam Blue Print. So be sure to check the same, as it is updated regularly, and go through Whitepapers, FAQs and Re-Invent videos.

AWS Solution Architect – Associate Exam Resources


Udemy AWS Certified Solution Architect - Associate Practice Tests

  • Purchased the acloud guru AWS Certified Solutions Architect – Associate course from Udemy (should get it for $10-$15 on discount); it helps to get a clear picture of the format, topics and relevant sections
  • Opinion: the acloud guru course is good by itself but is not sufficient to pass the exam, though it might help to counter about 50-60% of exam questions
  • Check out the New course on Udemy AWS Certified Solutions Architect Associate Exam Mastery 2018
    • Covers the exam topics in detail, scenario based practice questions and visual aids.
    • Very good rating and user feedback (~ 4.7)

  • Signed up with AWS for the Free Tier account, which provides a lot of the services to be tried for free with certain limits, which are more than enough to get things going. Be sure to decommission anything if you are using anything beyond the free limits, preventing any surprises 🙂
  • Also, used the QwikLabs for all the introductory courses, which are free and allow you to try out the services multiple times (I think it's max 5, as I got the warnings a couple of times)
  • Update: Qwiklabs seems to have reduced the free courses quite a lot and now provides targeted labs for AWS Certification exams, which are charged
  • Read the FAQs at least for the important topics, as they cover important points and are good for quick review
  • Did not purchase the AWS Practice exams, as the questions are available all around. But if you want to check the format, it might be useful.
  • You can also check practice tests

234 thoughts on “AWS Certified Solution Architect – Associate Exam Learning Path”

  1. Associate architect is relatively simple. Read and understand all the IAM, VPC, EC2, S3 documentation, read the FAQs for the next most popular other services, read the recommended white papers, do some sample exams on Cloud Guru / Linux Academy, play with EC2/VPC a bit, you’ll likely pass. Doing a Cloud Guru or Linux Academy course will make it easier but doesn’t replace the reading.

    1. Thanks Tim, agreed A Cloud Guru and Linux Academy helps you to get started but not clear the exams for sure. Also CSAA is relatively simple once you clear it 😉

  2. Hi Jayendra,

    I appeared for architect associate and scored 90%. Lot of websites offer sample questions but they are misleading. Other than your blog and whitepapers, I didn’t refer additional resources. Thanks a lot!!

    1. That's awesome Bhuvana .. congrats and thanks .. Happy to help 🙂
      Let me know if any feedback to improve ..

      1. 🙂 It would be great if you can provide guidance for Specialty exams as well.

        Thanks in advance!

  3. Where can I find the sample questions and whitepapers in your website for AWS certified solutions architect- associate exam?

  4. Hi Jayendra
    I found your blog while I was googling for practice questions for CSA exam. Your blog is very informative & it clarified a few of my open questions.

    I am preparing for AWS-CSA (Certified Solution Architect-Associate) certification and I have gone through all the material & videos of Linux Academy. Have got good understanding of the concepts but I want to try testing myself by taking up some quiz. I am currently looking for practice questions & answers for my preparation. Can you please share them with me, if you have any?

    Thanks in advance.


  5. Hi Jayendra. I work in Amazon and I really love this blog. I am going to appear for all 3 associate exams shortly and going through your blog has given me a confidence of passing. was the only other source which I found as good as your blog. Keep it up for the good writing and sharing !!

  6. Jayendra, thanks again for these helpful resources.

    I studied for the SysOps Associate exam first and passed. I am now moving on to Solution Architect Associate. I’m comfortable / familiar with the Sys Ops topics. Which topics are specific to Solution Architect that are not on SysOps that I should focus my time on to pass Solution Architect given that I have the SysOps knowledge already?


    1. You can refer to the SA – Associate Blog Post.
      Topics like VPC, IAM, S3, EC2, EBS are mainly common.
      However, there are lot other topics that you need to cover like Auto Scaling, ELB, Storage Gateway, Route 53, RDS Multi-AZ & Read Replicas, CloudFront, Storage Options Whitepaper etc.

    1. Thanks Ankit, STS is something already covered. Have got feedback for Lambda, API Gateway, DynamoDB and ELB vs ALB as well.

  7. My experience with AWS CSA Associate exam –
    A couple lines on my background before I start.
    I have 20 years experience in software engineering. I am mostly hands on but on occasion I was into leadership.
    All my experience is on Microsoft Stack.
    I wanted to do my certification in aws because I wanted to get my feet wet with non MS eco system.

    I have gone through a cloud guru course
    I have done all practice exams on BrainCert
    I have done all practice exams on Whizlabs
    I have done all questions on cloudacademy.
    I have read sections on and practiced questions on his blog.
    (Reading is a must. It is probably beyond associate level. But if you read and try those questions, you can not go wrong. THIS GUY IS A ROCK STAR FOR AWS CERTIFICATION !!! )
    I have heard 20-30 hours of re-invent videos
    I have watched videos on SSL/TLS

    Since I have no hands on experience on aws, I used more resources than usual.
    I took the exam and passed with 85%.
    Here are my thoughts. Obviously they don’t reflect anyone else’s viewpoint but me.
    Hope you find them useful.

    A Cloud Guru can ease you into the exam preparation and helps you to scope the breadth and depth of content.
    It is nice and friendly place you like to start. But it is not sufficient to pass.
    I got some areas which are not covered in acloud guru. Lambdas, cloud front path patterns, DirectConnect and VPN fault tolerance etc.
    Also cloud guru content does not put you in that (tricky and twisty) exam groove.
    The best relevant questions are on some of the questions from you can see on
    Whizlabs questions are easy and not really up to the exam standard but still decent content if you want to cover more surface area.
    I am not too impressed at the cloud academy questions and their relevance with the exam.
    Like someone mentioned cloud academy is picking up some unexplored corners from aws documentation, rather than creating a scenario which forces to analyze (or eliminate options).

    Now coming to the actual questions. Most questions have 2 bad answers. One correct and one looks correct.
    When you have to pick more than one option, you get 1 or 2 immediately, the second or third one requires some analysis/ elimination.
    Here are the areas I can point you to based on my experience
    API Gateway Features, Lambda Basics, EFS Basics, Setting up ECS tasks with IAM permissions, cloudfront path patterns. EC2 instances showing up in ECS cluster, Direct Connect / VPN fault tolerance (read DirectConnect on,
    Kinesis Streams Vs firehose, DynamoDB VS ElastiCache, which services provide encryption at rest, which services can trigger Lambdas, EBS replication across regions, Cloudfront origins, why and when to use DynamoDB,
    reserved instance features, graceful shutdown of application and spot instances, what does STS provide, SQS and priority, auto scaling termination policy, auto scaling cool down timers, SNS supported end points.

    Overall it was not a very straightforward exam to just walk in and pass/ace. I took the full 1 hr 20 mins and reviewed quickly once before hitting submit.

    your experience may vary !! good luck

  8. Jayendra, Dude I can't thank you enough for all this effort that you have put in to setup these blogs. I have cleared my Solution Architect exam and I am so thankful to you. Most of the questions on the exam were from the questions that you have listed below in the various topics. You have also covered all the critical topics and concepts so well.

    You are doing a great service here my friend


  9. I took my AWS Solutions Architect Associate Exam today, sadly I failed. Most of the questions are API Gateway, Lambda, ECS, VPC Cross Account, Security, IAM. Hope to pass next time. 🙁

    1. You can surely clear it next time. I have added the topics to the blog as I got feedback from multiple users about these new topics.

  10. Dear Jayendra,

    It is wonderful reading your blog and also the interaction from other aspirants and exam takers. I have been trying to take up the exam for the last 2 years but have been unable to do so because of time constraints. I have now dedicated my time to pass both the associate as well as the pro exam. Any help from you in the form of study notes, sample exam questions etc. which would help me to cross the first hurdle of associate exam would be highly appreciated.

    Could you please send me the same to mail mail @

    Many thanks for your blog. Really helpful.


  11. I am very happy to write this: I took SAA exam yesterday, 7th Sept 2017. I passed with 81% 🙂

    First of all, let me say thanks to Jayendra for such excellent detailed blogs, which helped me a lot to clear my concepts and bought me confidence to go for this exam.

    How I prepared for this:

    Jayendra’s blog will lay the foundation for this exam.
    cloud guru course with hands on will help you to understand and those concepts at high level.

    Jayendra’s question sets are more than enough to prepare for this exam. I solved the Whizlabs tests to feel the exam pattern and format.

    Topics in my exam:

    1. Couple of questions on Lambda (which services invoke Lambda, how to improve performance of function)

    2. API Gateway: advantages of API Gateway.

    3. Application load balancer : dynamic port and Path base hosting. No questions on classic load balancer

    4. Cross account access: how to allow permission for the dev user in production. ( by creating cross role in production account)

    5. OpsWorks – def of OpsWorks

    6. def of Beanstalk

    7. SQS – decoupling

    8. Cloudwatch – restarting the hung instance by scanning logs

    9. Spot instance – pricing

    10. Shared responsibility of AWS

    11. Kinesis stream VS Kinesis Firehose: User wants to access stream and process streams. I selected Kinesis stream.

    12. CloudFront: origin servers can be either S3, ELB. There were different choices for RDS, DynamoDB etc

    13. DynamoDB: two questions: web session storing (one question was pretty clear and had only DynamoDB as option along with other RDS. Second question was checking on storing session in tabular structure having option of ElastiCache and DynamoDB. I selected DynamoDB. Not sure though).

    14. S3: Access . bucket Policy

    15. No questions on Direct connect,

    16. EBS: how to create encrypted EBS volume from unencrypted volume.

    17. Route 53: Select correct options for alias record. 1. Zone apex record 2. Can map against DNS entry 3. Can’t set TTL

    18. There was a question to share the data for an application to all users on a file system. The system should be scalable or shrink as per the data size. Options were S3, EFS, EBS. I selected EFS.

    19. Few questions on VPC. Server A can ping Server B but Server B can’t ping Server A. Outbound traffic is not allowed to both instances; what changes should user do to get this done.

    20. VPC flow logs for tracing logs in VPC

    21. IAM Roles are global: You can use same role created to another EC2 instance in different region

    22. auto scaling: termination policy

    23. STS: 2 questions on the temp access. (web federation)

    24. No questions ECS

    25. VPC Peering

    26. AWS Import/Export use case.

    It was very easy exam if you read all Jayendra’s blogs and get your hands dirty with VPC, EBS, EC2, S3, ELB, Auto Scaling.

    I finished the exam in 1 hour and reviewed it for next 20 mins.

    Best luck!!

    1. Do any of these questions sound familiar to you!! I bet it does……lol. Also, AWS is changing their test within 3 months from now to BETA version. So take this old test ASAP. Best of luck and Thank You “Jayendrapatil”..keep up the good work.

      SQS – Poll based decouple the components of application
      SNS – PUSH based notifications – Send messages (Email or Text messages)
      Elastic Transcoder – Convert media files from their original source format into different formats that will play on smartphones, tablets, PC’s etc…

      Inbound Traffic – Is traffic that is coming into a router interface from outside.
      Outbound Traffic – Is traffic inside the router that leaves through an interface.

      Security groups
      1. Act as a firewall for associated Amazon instances, controlling both inbound and outbound traffic at the instance level.
      2. Are stateful, when you add inbound rule it automatically adds Outbound rule.

      Alias Records are used to map resource record sets in your hosted zone to Amazon Elastic Load Balancing load balancers, Amazon CloudFront distributions, AWS Elastic Beanstalk environments, or Amazon S3 buckets that are configured as websites. Alias records work like a CNAME record in that you can map one DNS name ( to another ‘target’ DNS name (

      Business Intelligence – Think of Redshift
      Big Data consuming and bringing into the cloud – Think Kinesis
      Big Data Processing – Think Elastic Map Reduce (EMR)

      EC2 – EBS Backed
      1. Are persistent & can be detached and reattached to other EC2 instances
      2. EBS volumes can be stopped; data will persist
      3. Store Data long term

      Instance Store
      1. Are not persistent (Ephemeral) & cannot be detached and reattached to other instances.
      2. They exist only for the life of that instance.
      3. Shouldn’t be used for long-term data storage

      1. Orchestration Service that Uses Chef
      2. Chef consists of recipes to maintain a consistent state
      3. Look for the term “chef” or “recipes” or “cook books” and think of OpsWorks
      4. AWS OpsWorks provides a simple and flexible way to create and manage stacks and applications.
      5. AWS OpsWorks, you can provision AWS resources, manage their configuration, deploy applications to those resources, and monitor their health.

      Elastic Transcoder
      1. Media Transcoder in the cloud
      2. Convert media files from their original source format into different formats that play on smartphones, tablets, PC’s

      VPC Peering
      1. The connection between two VPCs that enables you to route traffic between them using private IP addresses.
      2. Instances within the same network can communicate with each other
      3. You can create a VPC peering connection between your own VPCs, and another AWS account within a single region.
      4. Does not rely on a separate piece of physical hardware
      5. No single point of failure for communication or a bandwidth bottleneck.

      Cross-Account Access
      1. Customers use separate AWS accounts for their development and production resources.
      2. Easier to work productively within a multi-account (or multi-role) AWS environment by making it easy for you to switch roles within the AWS Management Console.

      Cross account access: how to allow permission for the dev user in production. (by creating cross role in production account)

      API Gateway
      1. Fully Managed

      What are the benefits of API gateway?

      Low cost and efficient
      Scales effortlessly
      You can throttle requests to prevent attacks
      Can connect with cloud-watch to log all requests

      What does this Error mean “Origin Policy cannot be read at the remote resource”?

      Enable CORS on API Gateway

      You are developing a highly available web application using stateless web servers. Which services are suitable for storing session state data? Choose 3 answers.

      A. Elastic Load Balancing (ELB)
      B. Relational Database Service (RDS)
      C. CloudWatch
      D. ElastiCache
      E. DynamoDB
      F. AWS Storage Gateway

      What services should store session data? Two are correct

      A: DynamoDB
      B: RDS
      C: S3
      D: Elastic Cache

      Storing session in tabular structure?

      A: Elastic Cache
      D: DynamoDB

      Which services invoke lambda function to improve performance?

      A: Dynamo DB
      B: Elastic Cache

      User want to access stream and process streams.

      Kinesis stream

      Which service allows you to process nearly limitless streams of data in flight?

      A. Kinesis Firehose
      B. Elastic MapReduce (Amazon EMR)
      C. Redshift
      D. Kinesis Streams

      Your entire AWS infrastructure lives inside of one Amazon VPC. You have an Infrastructure monitoring application running on an Amazon instance in Availability Zone (AZ) A of the region, and another application instance running in AZ B. The monitoring application needs to make use of ICMP ping to confirm network reachability of the instance hosting the application.

      Can you configure the security groups for these instances to only allow the ICMP ping to pass from the monitoring instance to the application instance and nothing else? If so, how?

      A. No, two instances in two different AZ’s can’t talk directly to each other via ICMP ping as that protocol is not allowed across subnet (i.e. broadcast) boundaries
      B. Yes, both the monitoring instance and the application instance have to be a part of the same security group, and that security group needs to allow inbound ICMP
      C. Yes, the security group for the monitoring instance needs to allow outbound ICMP and the application instance’s security group needs to allow Inbound ICMP
      D. Yes, Both the monitoring instance’s security group and the application instance’s security group need to allow both inbound and outbound ICMP ping packets since ICMP is not a connection-oriented protocol

      Choose the correct AWS database service for the following requirements:

      > Large volumes of structured data to persist and query using standard SQL and existing business intelligence tools
      > High performance at scale as data and query complexity grows

      A. Amazon DynamoDB
      B. Amazon RDS
      C. Amazon ElastiCache
      D. Amazon Redshift

      Amazon Redshift is a fast-managed petabyte-scale data warehouse service that makes it simple and cost-effective to efficiently analyze all your data using your existing business intelligence tools.

      You have an existing website called that points to a specific IP address. You now want to create three subdomains that point to the same IP address. To reduce maintenance which domain record type should you choose?

      A. CNAME
      B. A
      C. MX
      D. TXT

      Amazon Elastic Block Store (Amazon EBS) volumes provide durable block-level storage for use with Amazon EC2 instances (virtual machines). Amazon EBS volumes are off-instance storage that persists independently from the running life of a single Amazon EC2 instance.

      Which type would you choose for I/O-intensive workloads, relational databases, and NoSQL databases?

      A. Amazon EBS Magnetic
      B. Amazon EBS Provisioned IOPS
      C. Amazon EBS ZX1
      D. Amazon EBS General Purpose

      Which of the following is NOT part of security group?

      A. List of usernames
      B. List of protocols
      C. IP address ranges
      D. Ports

      Which of the following is the correct statement regarding Availability Zones?

      A. A collection of regions that together make up an Availability Zone.
      B. A distinct location within a region that is insulated from failures in other Availability Zones
      C. Another name for an entire region which contains AWS instances.
      D. The timeframe a particular service is available for use by authorized users

      Which Amazon service would you use for content delivery?

      A. CloudFront
      B. ELB
      C. SES
      D. SQS

      Which service provides an automated security assessment that helps improve the security and compliance of applications deployed on AWS. The service automatically assesses applications for vulnerabilities or deviations from best practices.

      A. Amazon Redshift
      B. EC2
      C. Elastic Beanstalk
      D. Amazon Inspector

      Which product is ideal for transferring anywhere from terabytes to many petabytes of data in and out of the AWS cloud securely, especially in cases where you don’t want to make expensive upgrades to your network infrastructure, frequently experience large backlogs of data, are in a physically isolated environment, or are in an area where high-speed Internet connections are not available or cost-prohibitive. In general, if loading your data over the Internet would take a week or more, you should consider what?

      A. Amazon S3
      B. AWS Snowball
      C. Amazon EBS Magnetic
      D. Amazon CloudFront

      You have developed a new web application that offers users the chance to buy music at a discounted rate through partnerships with local recording companies. You want to host this app in AWS but you don’t want the overhead of managing the infrastructure. Which option should you choose?

      A. EC2
      B. CloudFront
      C. Amazon Redshift
      D. AWS Elastic Beanstalk

      Amazon Glacier is an extremely low-cost storage service that provides highly secure, durable, and flexible storage for data archiving and online backup.

      Which of the following will you NOT be charged for when using Glacier?

      A. Storage (per GB per month)
      B. Data transfer in (per GB per month)
      C. Requests (per thousand UPLOAD and RETRIEVAL requests per month)
      D. Data transfer out (per GB per month)

      Which service would you use to control access to content by allowing or blocking web requests based on criteria that you specify, such as header values or the IP addresses that the requests originate from. This service helps to protect against common web exploits that could affect application availability, compromise security, or consume excessive resources.

      A. EC2
      B. S3
      C. CloudFront
      D. AWS WAF (Web Application Firewall)

      Which of the below instances is used normally for massive parallel computations?

      A. Spot Instances
      B. On-Demand Instances
      C. Dedicated Instances
      D. This is not possible in AWS

      DDoS attacks at their core create an availability problem, as the goal of attackers is to render resources unusable for legitimate end users. Consequently, you can leverage failover capabilities within AWS to reduce your vulnerability to availability problems caused by DDoS attacks.

      Which of the following is a protocol exhausting attack?

      A. HTTP GET/POST flood
      B. SYN flood
      C. None of these
      D. UDP flood

      You are working with a customer who has 10 TB of archival data that they want to migrate to Amazon Glacier. The customer has a 1-Mbps connection to the Internet. Which service or feature provides the fastest method of getting the data into Amazon Glacier?

      A. Amazon Glacier multipart upload
      B. AWS Storage Gateway
      C. VM Import/Export
      D. AWS Import/Export

      An Auto-Scaling group spans 3 AZs and currently has 4 running EC2 instances. When Auto Scaling needs to terminate an EC2 instance by default, Auto Scaling will:

      Choose 2 answers

      A. Allow at least five minutes for Windows/Linux shutdown scripts to complete, before terminating the instance.
      B. Terminate the instance with the least active network connections. If multiple instances meet this criterion, one will be randomly selected.
      C. Send an SNS notification, if configured to do so.
      D. Terminate an instance in the AZ which currently has 2 running EC2 instances.
      E. Randomly select one of the 3 AZs, and then terminate an instance in that AZ.

      An instance is launched into a VPC subnet with the network ACL configured to allow all inbound traffic and deny all outbound traffic. The instance’s security group is configured to allow SSH from any IP address and deny all outbound traffic. What changes need to be made to allow SSH access to the instance?

      A. The outbound security group needs to be modified to allow outbound traffic.
      B. The outbound network ACL needs to be modified to allow outbound traffic.
      C. Nothing, it can be accessed from any IP address using SSH.
      D. Both the outbound security group and outbound network ACL need to be modified to allow outbound traffic

      A customer is leveraging Amazon Simple Storage Service in eu-west-1 to store static content for a web-based property. The customer is storing objects using the Standard Storage class. Where are the customer’s objects replicated?

      A. A single facility in eu-west-1 and a single facility in eu-central-1
      B. A single facility in eu-west-1 and a single facility in us-east-1
      C. Multiple facilities in eu-west-1
      D. A single facility in eu-west-1

      A company is building a two-tier web application to serve dynamic transaction-based content. The data tier is leveraging an Online Transactional Processing (OLTP) database. What services should you leverage to enable an elastic and scalable web tier?

      A. Elastic Load Balancing, Amazon EC2, and Auto Scaling
      B. Elastic Load Balancing, Amazon RDS with Multi-AZ, and Amazon S3
      C. Amazon RDS with Multi-AZ and Auto Scaling
      D. Amazon EC2, Amazon DynamoDB, and Amazon S3

      Which services allow the customer to retain full administrative privileges of the underlying EC2 instances? Choose 2 answers

      A. Amazon Relational Database Service
      B. Amazon Elastic Map Reduce
      C. Amazon ElastiCache
      D. Amazon DynamoDB
      E. AWS Elastic Beanstalk

      You are working with a customer who is using Chef Configuration management in their data center. Which service is designed to let the customer leverage existing Chef recipes in AWS?

      A. Amazon Simple Workflow Service
      B. AWS Elastic Beanstalk
      C. AWS CloudFormation
      D. AWS OpsWorks

      How can an EBS volume that is currently attached to an EC2 instance be migrated from one Availability Zone to another?

      A. Detach the volume and attach it to another EC2 instance in the other AZ.
      B. Simply create a new volume in the other AZ and specify the original volume as the source.
      C. Create a snapshot of the volume, and create a new volume from the snapshot in the other AZ.
      D. Detach the volume, then use the ec2-migrate-volume command to move it to another AZ.

      A client application requires operating system privileges on a relational database server. What is an appropriate configuration for a highly available database architecture?

      A. A standalone Amazon EC2 instance
      B. Amazon RDS in a Multi-AZ configuration
      C. Amazon EC2 instances in a replication configuration utilizing a single Availability Zone
      D. Amazon EC2 instances in a replication configuration utilizing two different Availability Zones

      Which of the following are characteristics of Amazon VPC subnets?

      Choose 2

      A. Each subnet spans at least 2 Availability Zones to provide a high-availability environment.
      B. Each subnet maps to a single Availability Zone.
      C. CIDR block mask of /25 is the smallest range supported.
      D. By default, all subnets can route between each other, whether they are private or public.
      E. Instances in a private subnet can communicate with the Internet only if they have an Elastic IP

      You have a web application running on six Amazon EC2 instances, consuming about 45% of resources on each instance. You are using auto-scaling to make sure that six instances are running at all times. The number of requests this application processes is consistent and does not experience spikes. The application is critical to your business and you want high availability at all times. You want the load to be distributed evenly between all instances. You also want to use the same Amazon Machine Image (AMI) for all instances. Which of the following architectural choices should you make?

      A. Deploy 6 EC2 instances in one availability zone and use Amazon Elastic Load Balancer.
      B. Deploy 3 EC2 instances in one region and 3 in another region and use Amazon Elastic Load Balancer.
      C. Deploy 3 EC2 instances in one availability zone and 3 in another availability zone and use Amazon Elastic Load Balancer.
      D. Deploy 2 EC2 instances in three regions and use Amazon Elastic Load Balancer.

      You run an ad-supported photo sharing website using S3 to serve photos to visitors of your site. At some point you find out that other sites have been linking to the photos on your site, causing loss to your business. What is an effective method to mitigate this?

      A. Remove public read access and use signed URLs with expiry dates.
      B. Use CloudFront distributions for static content.
      C. Block the IPs of the offending websites in Security Groups.
      D. Store photos on an EBS volume of the web server.

      You are tasked with setting up a Linux bastion host for access to Amazon EC2 instances running in your VPC. Only clients connecting from the corporate external public IP address should have SSH access to the host. Which option will meet the customer requirement?

      A. Security Group Inbound Rule: Protocol – TCP, Port Range – 22, Source
      B. Security Group Inbound Rule: Protocol – UDP, Port Range – 22, Source
      C. Network ACL Inbound Rule: Protocol – UDP, Port Range – 22, Source
      D. Network ACL Inbound Rule: Protocol – TCP, Port Range – 22, Source

      You have decided to change the instance type for instances running in your application tier that is using Auto Scaling. In which area below would you change the instance type definition?

      A. Auto Scaling policy
      B. Auto Scaling group
      C. Auto Scaling tags
      D. Auto Scaling launch configuration

      Which technique can be used to integrate AWS IAM (Identity and Access Management) with an on-premise LDAP (Lightweight Directory Access Protocol) directory service?

      A. Use an IAM policy that references the LDAP account identifiers and the AWS credentials.
      B. Use SAML (Security Assertion Markup Language) to enable single sign-on between AWS and LDAP.
      C. Use AWS Security Token Service from an identity broker to issue short-lived AWS credentials.
      D. Use IAM roles to automatically rotate the IAM credentials when LDAP credentials are updated.
      E. Use the LDAP credentials to restrict a group of users from launching specific EC2 instance types

      When using the following AWS services, which should be implemented in multiple Availability Zones for high availability solutions?

      Choose 2 answers

      A. Amazon DynamoDB
      B. Amazon Elastic Compute Cloud (EC2)
      C. Amazon Elastic Load Balancing (ELB)
      D. Amazon Simple Notification Service (SNS)
      E. Amazon Simple Storage Service (S3)

      You launch an Amazon EC2 instance without an assigned AWS Identity and Access Management (IAM) role. Later, you decide that the instance should be running with an IAM role. Which action must you take in order to have a running Amazon EC2 instance with an IAM role assigned to it?

      A. Create an image of the instance, and register the image with an IAM role assigned and an Amazon EBS volume mapping.
      B. Create a new IAM role with the same permissions as an existing IAM role, and assign it to the running instance.
      C. Create an image of the instance, add a new IAM role with the same permissions as the desired IAM role, and deregister the image with the new role assigned.
      D. Create an image of the instance, and use this image to launch a new instance with the desired IAM role assigned.

      In order to optimize performance for a compute cluster that requires low inter-node latency, which of the following features should you use?

      A. Multiple Availability Zones
      B. AWS Direct Connect
      C. EC2 Dedicated Instances
      D. Placement Groups
      E. VPC private subnets

      Please select the Amazon EC2 resource which can be tagged.

      A. key pairs
      B. Elastic IP addresses
      C. Placement groups
      D. Amazon EBS snapshots

      What are characteristics of Amazon S3?

      Choose 2 answers

      A. S3 allows you to store objects of virtually unlimited size.
      B. S3 offers Provisioned IOPS.
      C. S3 allows you to store virtually unlimited amounts of data.
      D. S3 should be used to host a relational database.
      E. Objects are directly accessible via a URL

      How can you secure data at rest on an EBS volume?

      A. Attach the volume to an instance using EC2’s SSL interface.
      B. Write the data randomly instead of sequentially.
      C. Encrypt the volume using the S3 server-side encryption service.
      D. Create an IAM policy that restricts read and write access to the volume.
      E. Use an encrypted file system (EFS) on top of the EBS volume.

      Which Amazon Elastic Compute Cloud feature can you query from within the instance to access instance properties?

      A. Instance user data
      B. Resource tags
      C. Instance metadata
      D. Amazon Machine Image

      After creating a new IAM user which of the following must be done before they can successfully make API calls?

      A. Add a password to the user.
      B. Enable Multi-Factor Authentication for the user.
      C. Assign a Password Policy to the user.
      D. Create a set of Access Keys for the user.

      A customer wants to leverage Amazon Simple Storage Service (S3) and Amazon Glacier as part of their backup and archive infrastructure. The customer plans to use third-party software to support this integration. Which approach will limit the access of the third-party software to only the Amazon S3 bucket named “companybackup”?

      A. A custom bucket policy limited to the Amazon S3 API in the Amazon Glacier archive “company-backup”
      B. A custom bucket policy limited to the Amazon S3 API in “company-backup”
      C. A custom IAM user policy limited to the Amazon S3 API for the Amazon Glacier archive “company-backup”.
      D. A custom IAM user policy limited to the Amazon S3 API in “company-backup”.

      A company has an AWS account that contains three VPCs (Dev, Test, and Prod) in the same region. Test is peered to both Prod and Dev. All VPCs have non-overlapping CIDR blocks. The company wants to push minor code releases from Dev to Prod to speed up time to market. Which of the following options helps the company accomplish this?

      A. Create a new peering connection between Prod and Dev along with appropriate routes.
      B. Create a new entry to Prod in the Dev route table using the peering connection as the target.
      C. Attach a second gateway to Dev. Add a new entry in the Prod route table identifying the gateway as the target.
      D. The VPCs have non-overlapping CIDR blocks in the same account. The route tables contain local routes for all VPCs.

      A company needs to monitor the read and write IOPs metrics for their AWS MySQL RDS instance and send real-time alerts to their operations team. Which AWS services can accomplish this?

      Choose 2 answers

      A. Amazon Simple Email Service
      B. Amazon CloudWatch
      C. Amazon Simple Queue Service
      D. Amazon Route 53
      E. Amazon Simple Notification Service

      A company needs to deploy services to an AWS region which they have not previously used. The company currently has an AWS Identity and Access Management (IAM) role for the Amazon EC2 instances, which permits the instance to have access to Amazon DynamoDB. The company wants their EC2 instances in the new region to have the same privileges. How should the company achieve this?

      A. Create a new IAM role and associated policies within the new region
      B. Assign the existing IAM role to the Amazon EC2 instances in the new region
      C. Copy the IAM role and associated policies to the new region and attach it to the instances
      D. Create an Amazon Machine Image (AMI) of the instance and copy it to the desired region using the AMI Copy feature

      An existing application stores sensitive information on a non-boot Amazon EBS data volume attached to an Amazon Elastic Compute Cloud instance. Which of the following approaches would protect the sensitive data on an Amazon EBS volume?

      A. Upload your customer keys to AWS CloudHSM. Associate the Amazon EBS volume with AWS CloudHSM. Re-mount the Amazon EBS volume.
      B. Create and mount a new, encrypted Amazon EBS volume. Move the data to the new volume. Delete the old Amazon EBS volume.
      C. Unmount the EBS volume. Toggle the encryption attribute to True. Re-mount the Amazon EBS volume.
      D. Snapshot the current Amazon EBS volume. Restore the snapshot to a new, encrypted Amazon EBS volume. Mount the Amazon EBS volume

      A customer has a single 3-TB volume on-premises that is used to hold a large repository of images and print layout files. This repository is growing at 500 GB a year and must be presented as a single logical volume. The customer is becoming increasingly constrained with their local storage capacity and wants an off-site backup of this data, while maintaining low-latency access to their frequently accessed data. Which AWS Storage Gateway configuration meets the customer requirements?

      A. Gateway-Cached volumes with snapshots scheduled to Amazon S3
      B. Gateway-Stored volumes with snapshots scheduled to Amazon S3
      C. Gateway-Virtual Tape Library with snapshots to Amazon S3
      D. Gateway-Virtual Tape Library with snapshots to Amazon Glacier

      You are deploying an application to track GPS coordinates of delivery trucks in the United States. Coordinates are transmitted from each delivery truck once every three seconds. You need to design an architecture that will enable real-time processing of these coordinates from multiple consumers. Which service should you use to implement data ingestion?

      A. Amazon Kinesis
      B. AWS Data Pipeline
      C. Amazon AppStream
      D. Amazon Simple Queue Service

      A photo-sharing service stores pictures in Amazon Simple Storage Service (S3) and allows application sign-in using an OpenID Connect-compatible identity provider. Which AWS Security Token Service approach to temporary access should you use for the Amazon S3 operations?

      A. SAML-based Identity Federation
      B. Cross-Account Access
      C. AWS Identity and Access Management roles
      D. Web Identity Federation

      You manually launch a NAT AMI in a public subnet. The network is properly configured. Security groups and network access control lists are properly configured. Instances in a private subnet can access the NAT. The NAT can access the Internet. However, private instances cannot access the Internet. What additional step is required to allow access from the private instances?

      A. Enable Source/Destination Check on the private Instances.
      B. Enable Source/Destination Check on the NAT instance.
      C. Disable Source/Destination Check on the private instances.
      D. Disable Source/Destination Check on the NAT instance.

      A company is deploying a two-tier, highly available web application to AWS. Which service provides durable storage for static content while utilizing lower overall CPU resources for the web tier?

      A. Amazon EBS volume
      B. Amazon S3
      C. Amazon EC2 instance store
      D. Amazon RDS instance

      You have a load balancer configured for VPC, and all back-end Amazon EC2 instances are in service. However, your web browser times out when connecting to the load balancer’s DNS name. Which options are probable causes of this behavior?
      Choose 2 answers

      A. The load balancer was not configured to use a public subnet with an Internet gateway configured
      B. The Amazon EC2 instances do not have a dynamically allocated private IP address
      C. The security groups or network ACLs are not properly configured for web traffic.
      D. The load balancer is not configured in a private subnet with a NAT instance.
      E. The VPC does not have a VGW configured.

      A company is deploying a new two-tier web application in AWS. The company has limited staff and requires high availability, and the application requires complex queries and table joins. Which configuration provides the solution for the company’s requirements?

      A. MySQL Installed on two Amazon EC2 Instances in a single Availability Zone
      B. Amazon RDS for MySQL with Multi-AZ
      C. Amazon ElastiCache
      D. Amazon DynamoDB

      You have a distributed application that periodically processes large volumes of data across multiple Amazon EC2 Instances. The application is designed to recover gracefully from Amazon EC2 instance failures. You are required to accomplish this task in the most cost-effective way.

      Which of the following will meet your requirements?

      A. Spot Instances
      B. Reserved instances
      C. Dedicated instances
      D. On-Demand instances

      A customer is running a multi-tier web application farm in a virtual private cloud (VPC) that is not connected to their corporate network. They are connecting to the VPC over the Internet to manage all of their Amazon EC2 instances running in both the public and private subnets. They have only authorized the bastion-securitygroup with Microsoft Remote Desktop Protocol (RDP) access to the application instance security groups, but the company wants to further limit administrative access to all of the instances in the VPC. Which of the following Bastion deployment scenarios will meet this requirement?

      A. Deploy a Windows Bastion host on the corporate network that has RDP access to all instances in the VPC.
      B. Deploy a Windows Bastion host with an Elastic IP address in the public subnet and allow SSH access to the bastion from anywhere.
      C. Deploy a Windows Bastion host with an Elastic IP address in the private subnet, and restrict RDP access to the bastion from only the corporate public IP addresses.
      D. Deploy a Windows Bastion host with an auto-assigned Public IP address in the public subnet, and allow RDP access to the bastion from only the corporate public IP addresses.

      Which of the following statements are true about Amazon Route 53 resource records?
      Choose 2 answers

      A. An Alias record can map one DNS name to another Amazon Route 53 DNS name.
      B. A CNAME record can be created for your zone apex.
      C. An Amazon Route 53 CNAME record can point to any DNS record hosted anywhere.
      D. TTL can be set for an Alias record in Amazon Route 53.
      E. An Amazon Route 53 Alias record can point to any DNS record hosted anywhere.

      You have a content management system running on an Amazon EC2 instance that is approaching 100% CPU utilization. Which option will reduce load on the Amazon EC2 instance?

      A. Create a load balancer, and register the Amazon EC2 instance with it
      B. Create a CloudFront distribution, and configure the Amazon EC2 instance as the origin
      C. Create an Auto Scaling group from the instance using the CreateAutoScalingGroup action
      D. Create a launch configuration from the instance using the CreateLaunchConfiguration action

      With which AWS orchestration service can you implement Chef Recipes?

      A. CloudFormation
      B. Elastic Beanstalk
      C. OpsWorks
      D. Lambda

      What events can be triggered by an AWS Lambda function?

      Object uploads to Amazon S3
      Amazon SNS notifications
      API actions

      You are designing a web application that stores static assets in an Amazon Simple Storage Service (S3) bucket. You expect this bucket to immediately receive over 150 PUT requests per second. What should you do to ensure optimal performance?

      A. Use multi-part upload.
      B. Add a random prefix to the key names.
      C. Amazon S3 will automatically manage performance at this scale.
      D. Use a predictable naming scheme, such as sequential numbers or date time sequences, in the key names

      In the shared security model, AWS is responsible for which of the following security best practices (check all that apply):

      Penetration testing
      Operating system account security management
      Threat modeling
      User group access management
      Static code analysis

      Your AWS environment contains several reserved EC2 instances dedicated to a project that has just been canceled. Your supervisor wants to stop incurring charges for these reserved instances immediately and recuperate as much of the reserved instance cost as possible.
      What can you do to avoid being charged for them?

      Choose the 2 correct answers:

      A. What are characteristics of Amazon S3
      B. Terminate the instances as soon as possible
      C. Sell the reserved instances on the AWS Reserved Instance Marketplace
      D. Stop the instances as soon as possible

      What URL might you query on an EC2 instance in order to find the public AND private IP address of an instance?


      You design an application that checks for new items in an S3 bucket once per hour. If new items exist, a message is added to an SQS queue. You have several EC2 instances which retrieve messages from the SQS queue, parse the file, and send you an email containing the relevant information from the file. You upload one test file to the bucket, wait a couple hours and find that you have hundreds of emails from the application. What is the most likely cause for this volume of email?

      A. This is expected behavior when using short polling because SQS does not guarantee that there will not be duplicate messages processed.
      B. Your application does not issue a delete command to the SQS queue after processing the message.
      C. You can only have one EC2 instance polling the SQS queue at a time.
      D. This is expected behavior when using long polling because SQS does not guarantee that there will not be duplicate messages processed.

      What is true about EBS?
      (choose 3 correct answers)

      A. You can share the snapshot with other AWS accounts
      B. The snapshots are just stored as another EBS volume
      C. Snapshots are automatically encrypted
      D. The snapshots are stored in S3
      E. Snapshots are incremental in nature and only

      You are excited to have just been employed by a large scientific institution that is at the cutting edge of high-performance computing. Your first job is to launch 10 Large EC2 instances which will all be used to crunch huge amounts of data and will also need to pass this data back and forth between each other. Which of the following would be the most efficient setup to achieve this?

      A. Use the largest EC2 instances currently available on AWS, but make sure they are all in the same Availability Zone
      B. Use Placement Groups and launch the 10 instances at the same time.
      C. Use Placement Groups. Make sure the 10 Instances are spread evenly across Availability Zones.
      D. Use the largest EC2 instances currently available on AWS, but make sure they are all in the same region.

      You’re building a mobile application game. The application needs permissions for each user to communicate and store data in DynamoDB tables. What is the best method for granting each mobile device that installs your application to access DynamoDB tables for storage when required?

      A. Create an IAM group that only gives access to your application and to the DynamoDB tables. Then, when writing to DynamoDB, simply include the unique device ID to associate the data with that specific user.
      B. Create an IAM role with the proper permission policy to communicate with the DynamoDB table. Use web identity federation, which assumes the IAM role using AssumeRoleWithWebIdentity, when the user signs in, granting temporary security credentials using STS.
      C. Create an Active Directory server and an AD user for each mobile application user. When the user signs into the AD sign-on, allow the AD server to federate using SAML 2.0 to IAM and assign a role to the AD user which is then assumed with AssumeRoleWithSAML.
      D. BCJC should create a new stack that contains the Python application code and manages separate deployments of the application via the secondary stack using the deploy lifecycle action to implement the application code.

      A user has created a VPC with public and private subnets using the VPC wizard. The user has not launched any instance manually and is trying to delete the VPC. What will happen in this scenario?

      A. It will not allow to delete the VPC since it has a running route instance
      B. It will terminate the VPC along with all the instances launched by the wizard
      C. It will not allow to delete the VPC as it has subnets with route tables
      D. It will not allow to delete the VPC since it has a running NAT instance

      A Virtual Private Cloud (VPC) is a virtual network dedicated to the user’s AWS account. A user can create a subnet within a VPC and launch instances inside that subnet. If the user has created public and private subnets, the instances in the public subnet can receive inbound traffic directly from the Internet, whereas the instances in the private subnet cannot. If these subnets are created with the wizard, AWS will create a NAT instance with an Elastic IP. If the user tries to delete the VPC, the deletion is not allowed because the NAT instance is still running.

      Which AWS services give you access to the underlying host? (Multiple choice)

      A. ElastiCache
      B. EMR
      C. EC2
      D. DynamoDB
      E. Elastic Beanstalk
      F. RDS

      What are the characteristics of Dynamo DB? (choose 3 correct answers)

      A. It is used for SQL databases like SQL Server, MySQL, Oracle
      B. Gives you a fast and predictable performance with seamless scalability
      C. When reading data from Amazon DynamoDB, users can specify whether they want the read to be eventually consistent or strongly consistent
      D. It is a managed service provided by AWS
      E. There is a limit of stored data or throughput of data

      An instance is launched in a private VPC subnet. All security group, NACL and routing definitions are configured as expected. A custom NAT instance is launched. Which of the following answers is right for configuring a custom NAT instance?

      A. NAT instance should have public IP address configured
      B. Source/Destination check should be disabled
      C. NAT instance should be launched in public subnet
      D. NAT instance should have elastic IP address configured

      You are configuring a new VPC for one of your clients for a cloud migration project. Only a public VPN will be in place. After you created your VPC, you created a new subnet and a new internet gateway, and attached your internet gateway to your VPC. When you created your first instance in your VPC, you realized that you cannot connect to the instance even though it is configured with an Elastic IP. What should be done to access the instance?

      A. A route should be created as and your internet gateway as target
      B. A NACL should be created and allow all outbound traffic
      C. A NAT instance should be created, and all traffic should be forwarded to NAT instance
      D. Attach another ENI to instance and connect via new ENI

      How can an instance be copied to another region?

      A. There is no way to copy an instance to another region
      B. First instance’s root volume is detached. Then a new instance is created in another region. Finally, detached volume can be attached to new instance as root device
      C. By stopping instance and using copy option
      D. By creating an AMI and copy it to another region

      What is the most secure option to connect to instances without Internet connectivity in private subnet VPC?

      A. Enable internet connectivity and configure NACL and security group to connect to the instances
      B. Enable internet connectivity and configure security group to connect to the instances
      C. Using a bastion host server to connect to the instances
      D. Configure IAM policy to restrict access to the instances

      Which record type queries are free when using Route 53?

      A. TXT
      B. MX
      C. Alias
      D. AAAA

      About the charge of Elastic IP Address, which of the following is true?

      A. Elastic IP addresses can always be used with no charge.
      B. You can have one Elastic IP (EIP) address associated with a running instance at no charge.
      C. You can have 5 Elastic IP addresses per region with no charge.
      D. You are charged for each Elastic IP address.

      You have assigned one Elastic IP to your EC2 instance. Now you need to restart the VM without the EIP changing. Which of the below should you not do?

      A. Reboot and stop/start both work.
      B. When the instance is in VPC public subnets, stop/start works.
      C. When the instance is in VPC private subnet, stop/start works.
      D. Reboot the instance.

      Which of the below mentioned steps will not be performed while creating the AMI of an instance store-backed instance?

      A. Define the AMI launch permissions.
      B. Register the AMI
      C. Bundle the volume
      D. Upload the bundled volume

      Which of the following are features of enhanced networking? (Choose 3 answers)

      A. More Packets Per Second (PPS)
      B. Lower latency
      C. Multiple network interfaces
      D. Border Gateway Protocol (BGP) routing
      E. Less jitter

      The user just started an instance at 3 PM. Between 3 PM to 5 PM, he stopped and started the instance twice. During the same period, he has run the Linux reboot command by SSH once and triggered reboot from AWS console once. For how many instance hours will AWS charge this user?

      A. 2
      B. 3
      C. 4
      D. 5

      How can we attach our instance store volume to another instance?

      A. We can stop the instance. Detach the volume. And attach to another instance
      B. We can use “force detach” and then attach to another instance
      C. We can use “detach volume” and then attach to another instance.
      D. We cannot detach or attach instance store volume

      You have an Amazon Elastic Compute Cloud (EC2) security group with several running EC2 instances. You change the security group rules to allow inbound traffic on a new port and protocol, and launch several new instances in the same security group. The new rules apply:

      A. To all instances, but it may take several minutes for old instances to see the changes.
      B. Immediately to the new instances only.
      C. Immediately to all instances in the security group
      D. Immediately to the new instances, but old instances must be stopped and restarted before the new rules apply.

      How can software determine the public and private IP addresses of the Amazon Elastic Compute Cloud instance that it is running on?

      A. Use an ipconfig or ifconfig command
      B. Query the local instance metadata.
      C. Query the local instance userdata.
      D. Query the appropriate Amazon CloudWatch metric.

      You receive a Spot Instance at a bid of $0.05/hr. After 30 minutes, the Spot Price increases to $0.06/hr. and your Spot Instance is terminated by AWS. What was the total EC2 compute cost of running your Spot Instance?

      A. $0.02
      B. $0.00
      C. $0.05
      D. $0.06
      E. $0.025

      (Note: if you bid on a price, and AWS restarts the instances for marketplace and price changes within the marketplace, the customer pays the CURRENT price.) Similar question, but the bid starts at $0.20/hr. and you bid $0.22/hr.; after 90 minutes, the instance is terminated by AWS and the new price is $0.22/hr. Which price would you pay? ANS: $0.25. Anytime an instance restarts, Amazon charges you per hour. So for 90 minutes, the user will be charged for 2 hrs.

      You have an Amazon Virtual Private Cloud (VPC) with a public subnet. Three Amazon Elastic Compute Cloud (EC2) instances currently running inside the subnet can successfully communicate with other hosts on the Internet. You launch a fourth instance in the same subnet, using the same Amazon Machine Image (AMI) and security group configuration you used for the others, but find that this instance cannot be accessed from the Internet. What should you do to enable Internet access?

      A. Deploy a NAT instance into the public subnet
      B. Modify the routing table for the public subnet
      C. Assign an elastic IP address to the fourth instance
      D. Configure a publicly routable IP address in the host OS of the fourth instance.

      A startup company hired you to help them build a mobile application, that will ultimately store billions of images and videos in Amazon Simple Storage Service (S3). The company is lean on funding, and wants to minimize operational costs, however, they have an aggressive marketing plan, and expect to double their current installation base every six months. Due to the nature of their business, they are expecting sudden and large increases in the traffic to and from S3, and need to ensure that it can handle the performance needs of their application. What other information must you gather from this customer in order to determine whether S3 is the right option?

      A. In order to build the key namespace correctly, you must understand the total amount of storage needs for each S3 bucket.
      B. You must find out the total number of requests per second at peak usage.
      C. You must know how many customers the company has today, because this is critical in understanding what their customer base will be in two years.
      D. You must know the size of individual objects being written to S3, in order to properly design the key namespace.

      You are deploying an application on Amazon Elastic Compute Cloud (EC2) that must call AWS APIs. What method of securely passing credentials to the application should you use?

      A. Embed the API credentials into your JAR files.
      B. Pass API credentials to the instance using instance user data.
      C. Store API credentials as an object in Amazon Simple Storage Service
      D. Use AWS Identity and Access Management roles for EC2 instances

      A VPC public subnet is one that:

      A. Includes a route in its associated routing table via a Network Address Translation (NAT) instance.
      B. Has a Network Access Control List (NACL) permitting outbound traffic to
      C. Has at least one route in its associated routing table that uses an Internet Gateway (IGW).
      D. Has the Public Subnet option selected in its configuration.

      In reviewing the Auto Scaling events for your application, you notice that your application is scaling up and down multiple times in the same hour. What design choice could you make to optimize for cost while preserving elasticity? (Choose 3 answers)

      A. Modify the Auto Scaling group termination policy to terminate the oldest instance first.
      B. Modify the Amazon CloudWatch alarm period that triggers your Auto Scaling scale down policy.
      C. Modify the Auto Scaling group termination policy to terminate the newest instance first
      D. Modify the Auto Scaling policy to use scheduled scaling actions.
      E. Modify the Auto Scaling group cool-down timers.

      What action is required to establish an Amazon Virtual Private Cloud (VPC) VPN connection between an on-premises data center and an Amazon VPC virtual private gateway?

      A. Modify the main route table to allow traffic to a network address translation instance.
      B. Assign a static Internet-routable IP address to an Amazon VPC customer gateway.
      C. Establish a dedicated networking connection using AWS Direct Connect.
      D. Use a dedicated network address translation instance in the public subnet

      Which of the following is a durable key-value store?

      A. Amazon Simple Queue Service
      B. Amazon Simple Workflow Service
      C. Amazon Simple Storage Service
      D. Amazon Simple Notification Service

      You have an application running in us-west-2 that requires six Amazon Elastic Compute Cloud (EC2) instances running at all times. With three AZs available in that region (us-west-2a, us-west-2b, and us-west-2c), which of the following deployments provides 100 percent fault tolerance if any single AZ in us-west-2 becomes unavailable? (Choose 2 answers)

      A. us-west-2a with two EC2 instances, us-west-2b with two EC2 instances, and us-west-2c with two EC2 instances
      B. us-west-2a with four EC2 instances, us-west-2b with two EC2 instances, and us-west-2c with two EC2 instances
      C. us-west-2a with three EC2 instances, us-west-2b with three EC2 instances, and us-west-2c with no EC2 instances
      D. us-west-2a with three EC2 instances, us-west-2b with three EC2 instances, and us-west-2c with three EC2 instances.
      E. us-west-2a with six EC2 instances, us-west-2b with six EC2 instances, and us-west-2c with no EC2 instances

      Which route must be added to your routing table to allow connections to the Internet from your subnet?

      A. Destination: –> Target:
      B. Destination: –> Target: your Internet gateway
      C. Destination: –> Target: your Internet gateway
      D. Destination: –> Target: your virtual private gateway
      E. Destination: –> Target: your virtual private gateway

      What are the characteristics of Subnet? (choose 2 correct answers)

      A. A subnet can be across multiple availability zones
      B. Default subnets are assigned a /16 netblocks
      C. Network traffic entering and exiting each subnet can be allowed or denied via network Access Control Lists (ACLs)
      D. A subnet can be across multiple regions
      E. Default subnets are assigned a /20 netblocks

      In which case do you have full authority of the underlying host? (choose 2 correct answers)

      A. EC2
      B. EMR (Elastic Map Reduce)
      C. Simple DB
      D. Dynamo DB
      E. RDS

      After the Government organization you work for suffers its 3rd DDOS attack of the year, you have been handed one part of a strategy to try and stop this from happening again. You have been told that your job is to minimize the attack surface area. You do have a vague idea of some of the things you need to put in place to achieve this. Which of the following is NOT one of the ways to minimize the attack surface area as a DDOS minimization strategy?

      A. Eliminate non-critical Internet entry points.
      B. Reduce the number of necessary Internet entry points.
      C. Configure services such as Elastic Load Balancing and Auto Scaling to automatically scale.
      D. Separate end user traffic from management traffic.

      What is the difference between an availability zone and an edge location?

      A. Edge locations are used as control stations for AWS resources
      B. None of the above
      C. An availability zone is an Amazon Resource within an AWS region whereas an edge location will deliver cached content to the closest location to reduce latency
      D. An availability zone is a grouping of AWS resources in a specific region; an edge location is a specific resource within the AWS region

      Which of the following AWS services allow you access to the underlying operating system?
      Choose the 2 correct answers:

      A. RDS
      B. S3
      C. EMR
      D. Elastic Beanstalk

      You are a consultant tasked with migrating an on-premise application architecture to AWS. During your design process you have to give consideration to current on-premise security and determine which security attributes you are responsible for on AWS. Which of the following does AWS provide for you as part of the shared responsibility model?
      Choose the 2 correct answers:

      A. Virtualization Infrastructure
      B. Instance Security
      C. Physical Network Infrastructure
      D. User access to the AWS environment

      Which is an operational process performed by AWS for data security?

      A. Secure wiping of EBS data when an EBS volume is unmounted
      B. Background virus scans of EBS volumes and EBS snapshots
      C. Background virus scans of EBS volumes and EBS snapshots
      D. Decommissioning of storage devices using industry-standard practices

      Company B provides an online image recognition service and utilizes SQS to decouple system components for scalability. The SQS consumer’s readers’ poll the image queue as often as possible to keep end-to-end throughput as high as possible. However, Company B is realizing that polling in tight loops is burning CPU cycles and increasing costs with empty responses. How can company B reduce the number of empty responses?

      A. Enable short polling on the SQS queue by setting the ReceiveMessageWaitTimeSeconds to a number > 0
      B. Enable short polling on the SQS message by setting the ReceiveMessageWaitTimeSeconds to a number = 0
      C. Scale the component making the request using auto scaling based off the number of messages in the queue
      D. Enable long polling by setting the ReceiveMessageWaitTimeSeconds to a number > 0

      You need to import several hundred megabytes of data from a local Oracle database to an Amazon RDS DB instance. What does AWS recommend to use to accomplish this?

      A. Oracle Data Pump
      B. Oracle Export/Import Utilities
      D. Oracle SQL Developer

      A user has created a VPC with two subnets: one public and one private. The user is planning to run the patch update for the instances in the private subnet. How can the instances in the private subnet connect to the internet?

      A. Use the internet gateway with a private IP
      B. Allow outbound traffic in the security group for port 80 to allow internet updates
      C. The private subnet can never connect to the internet
      D. Use NAT with an Elastic IP

      A user has created a VPC with public and private subnets using the VPC wizard. Which of the below mentioned statements is true in this scenario?

      A. AWS VPC will automatically create a NAT instance with the micro size
      B. VPC bounds the main route table with a public subnet and a custom route table with a private subnet
      C. VPC bounds the main route table with a private subnet and a custom route table with a public subnet
      D. User has to manually create a NAT instance

      A user has created a VPC with a subnet and a security group. The user has launched an instance in that subnet and attached a public IP. The user is still unable to connect to the instance. The internet gateway has also been created. What can be the reason for the error?

      A. The internet gateway is not configured with the route table
      B. The private IP is not present
      C. The internet gateway is not configured with the security group
      D. The outbound traffic on the security group is disabled

      You are attempting to connect to an instance in Amazon VPC without success. You have already verified that the VPC has an Internet Gateway (IGW), the instance has an associated Elastic IP (EIP), and correct security group rules are in place. Which VPC component should you evaluate next?

      A. The configuration of the Routing Table
      B. The configuration of a NAT instance
      C. The configuration of the internet Gateway (IGW)
      D. The configuration of SRC/DST checking

      After launching an instance that you intend to serve as a NAT (Network Address Translation) device in a public subnet you modify your route tables to have the NAT device be the target of internet bound traffic of your private subnet. When you try and make an outbound connection to the Internet from an instance in the private subnet, you are not successful. Which of the following steps could resolve the issue?

      A. Attaching an Elastic IP address to the instance in the private subnet
      B. Disabling the Source/Destination Check attribute on the NAT instance
      C. Attaching a second Elastic Network interface (ENI) to the NAT instance, and placing it in the private subnet
      D. Attaching a second Elastic Network Interface (ENI) to the instance in the private subnet, and placing it in the public subnet

      An instance is launched into a VPC subnet with the network ACL configured to allow all inbound traffic and deny all outbound traffic. The instance’s security group is configured to allow SSH from any IP address and deny all outbound traffic. What changes need to be made to allow SSH access to the instance?

      A. The outbound network ACL needs to be modified to allow outbound traffic.
      B. Both the outbound security group and outbound network ACL need to be modified to allow outbound traffic.
      C. The outbound security group needs to be modified to allow outbound traffic.
      D. Nothing, it can be accessed from any IP address using SSH.

      You are currently hosting multiple applications in a VPC and have logged numerous port scans coming in from a specific IP address block. Your security team has requested that all access from the offending IP address block be denied for the next 24 hours. Which of the following is the best method to quickly and temporarily deny access from the specified IP address block?

      A. Create an AD policy to modify Windows Firewall settings on all hosts in the VPC to deny access from the IP address block
      B. Modify the Network ACLs associated with all public subnets in the VPC to deny access from the IP address block
      C. Modify the Windows Firewall settings on all Amazon Machine Images (AMIs) that your organization uses in that VPC to deny access from the IP address block
      D. Add a rule to all of the VPC 5 Security Groups to deny access from the IP address block

      You have two Elastic Compute Cloud (EC2) instances inside a Virtual Private Cloud (VPC) in the same Availability Zone (AZ) but in different subnets. One instance is running a database and the other instance an application that will interface with the database. You want to confirm that they can talk to each other for your application to work properly. Which two things do we need to confirm in the VPC settings so that these EC2 instances can communicate inside the VPC? Choose 2 answers

      A. That the default route is set to a NAT instance or Internet Gateway (IGW) for them to communicate.
      B. Both instances are the same instance class and using the same Key-pair.
      C. A network ACL that allows communication between the two subnets.
      D. Security groups are set to allow the application host to talk to the database on the right port/protocol

      When you put objects in Amazon S3, what is the indication that an object was successfully stored?

      A. A success code is inserted into the S3 object metadata.
      B. Each S3 account has a special bucket named _s3_logs. Success codes are written to this bucket with a timestamp and checksum.
      C. Amazon S3 is engineered for 99.999999999% durability. Therefore, there is no need to confirm that data was inserted.
      D. A HTTP 200 result code and MD5 checksum, taken together, indicate that the operation was successful.

      A company is storing data on Amazon Simple Storage Service (S3). The company’s security policy mandates that data is encrypted at rest. Which of the following methods can achieve this?
      Choose 3 answers

      A. Use Amazon S3 server-side encryption with AWS Key Management Service managed keys
      B. Use Amazon S3 server-side encryption with customer-provided keys
      C. Use Amazon S3 bucket policies to restrict access to the data at rest.
      D. Use SSL to encrypt the data while in transit to Amazon S3
      E. Use Amazon S3 server-side encryption with EC2 key pair.
      F. Encrypt the data on the client-side before ingesting to Amazon S3 using their own master key

      When an EC2 instance that is backed by an S3-based AMI is terminated, what happens to the data on the root volume?

      A. Data is automatically deleted
      B. Data is automatically saved as an EBS snapshot.
      C. Data is automatically saved as an EBS volume.
      D. Data is unavailable until the instance is restarted

      In AWS, which security aspects are the customer’s responsibility? Choose 4 answers

      A. Life-cycle management of IAM credentials
      B. Patch management on the EC2 instances operating system
      C. Encryption of EBS (Elastic Block Storage) volumes
      D. Decommissioning storage devices (AWS responsibility)
      E. Security Group and ACL (Access Control List) settings
      F. Controlling physical access to compute resources (AWS responsibility)

      A customer is hosting their company website on a cluster of web servers that are behind a public-facing load balancer. The customer also uses Amazon Route 53 to manage their public DNS. How should the customer configure the DNS zone apex record to point to the load balancer?

      A. Create an A record aliased to the load balancer DNS name
      B. Create a CNAME record aliased to the load balancer DNS name.
      C. Create an A record pointing to the IP address of the load balancer
      D. Create a CNAME record pointing to the load balancer DNS name.

      For which of the following use cases are Simple Workflow Service (SWF) and Amazon EC2 an appropriate solution? Choose 2 answers

      A. Using as an endpoint to collect thousands of data points per hour from a distributed fleet of sensors
      B. Managing a multi-step and multi-decision checkout process of an e-commerce website
      C. Orchestrating the execution of distributed and auditable business processes
      D. Using as an SNS (Simple Notification Service) endpoint to trigger execution of video transcoding jobs
      E. Using as a distributed session store for your web application

      Which procedure for backing up a relational database on EC2 that is using a set of RAIDED EBS volumes for storage minimizes the time during which the database cannot be written to and results in a consistent backup?

      A. 1. Detach EBS volumes, 2. Start EBS snapshot of volumes, 3. Re-attach EBS volumes
      B. 1. Suspend disk I/O, 2. Start EBS snapshot of volumes, 3. Wait for snapshots to complete, 4. Resume disk I/O
      C. 1. Stop the EC2 Instance. 2. Snapshot the EBS volumes
      D. 1. Suspend disk I/O, 2. Create an image of the EC2 Instance, 3. Resume disk I/O

      A company has configured and peered two VPCs: VPC-1 and VPC-2. VPC-1 contains only private subnets, and VPC-2 contains only public subnets. The company uses a single AWS Direct Connect connection and private virtual interface to connect their on-premises network with VPC-1. Which two methods increase the fault tolerance of the connection to VPC-1? Choose 2 answers

      A. Establish a hardware VPN over the internet between VPC-2 and the on-premises network. (Peered VPC does not support Edge to Edge Routing)
      B. Establish a hardware VPN over the internet between VPC-1 and the on-premises network
      C. Establish a new AWS Direct Connect connection and private virtual interface in the same region as VPC-2 (Peered VPC does not support Edge to Edge Routing)
      D. Establish a new AWS Direct Connect connection and private virtual interface in a different AWS region than VPC-1 (need to be in the same region as VPC-1)
      E. Establish a new AWS Direct Connect connection and private virtual interface in the same AWS region as VPC-1

  12. Hi Jayendra, I have passed AWS CSA exam today. Thanks a lot for putting so much effort in keeping these blogs up to date. My exam pattern was similar to Nandkishor.

  13. Hello All,
    Just now I came to know about Jay’s blog. I feel great about Jay’s efforts in preparing this…. I am preparing for the CSA exam. I am yet to browse the blog completely. As of now I am referring to Acloudguru and Linux Academy, and will add this blog now for preparation.
    I welcome suggestions on preparation recommended for the exam.


  14. Dear Jayendra,
    I just cleared my AWS SA and I want to thank you for the awesome blog you have here, which is full of information. It helped me immensely and I am now getting ready for SysOps and hoping to repeat the same with your blog’s help!!! God bless!!

  15. Dear Jayendra,

    I cleared AWS SA. I really appreciate your help in making this real. I watched A Cloud Guru, which helped in understanding the concepts, also read your white papers and also used Braincert; many of the questions are on the question. God bless from the United States.

  16. Hello Jayendra,
    I just came across your blog. I finished my course on linuxacademy and took whizlabs but still failed my SAA. Right now I am going through your blog to get more knowledge for my next attempt. Do I have to go over each whitepaper under “AWS Whitepapers” and each section under “AWS Services” to clear my SAA exam? Or do I have to go over

    Please advise.


    1. Hi Pravenn, I would recommend going through the FAQs for the services, reading through the blog topics and trying the Braincert practice exams. Also, know the reasoning for right as well as wrong answers; that would help you eliminate options during exams.

  17. Hi Jayendra,

    Your blog is excellent; it helped me a lot to recollect all important points before going to take my exam. Yesterday I cleared my AWS – CSA Associate. Thank you so much for keeping this blog updated.


  18. Thank you so much for the blog. I completed my SA associate exam today with 85%. Your blog was most elaborate and the questions on every page help us to understand the concepts. I have purchased Braincert as well. Now my target is Solution Architect Professional. Can you please provide some inputs on that?

    1. That’s great Keerthana, congrats. For SA-Prof, I would recommend going for the Linux Academy course as it is more detailed, and Braincert practice tests for preparation. Go through the blog for important topics and whitepapers. The Prof. exam is quite exhaustive and needs good preparation.

  19. Hi Jayendra,

    I will be taking the Solutions Architect Associate exam this weekend. What would be your suggestion on what I should read at this point in time?

    I am still not confident enough to face the exam. I need your valuable suggestion.

    Thank you

    1. Go through the important topics and FAQs. If you are not confident, I would recommend you try Braincert practice tests and try to map all the concepts for the right and wrong answers.

    2. Hello,

      On 24th Oct, questions came from below topics.

      Spot instance charge
      API gateway benefits
      Quickly transfer 10 TB data to Glacier – AWS export import
      How to track access to EC2 in VPC. Option was VPC flow logs, CloudTrail etc
      Deploy LAMP stack with less human resource (option Beanstalk/CodeDeploy)
      Bastion host questions
      Study Load balancer type difference
      What service will do Dynamic port configure
      Which help in instance increase in auto scale. (option were lock down/ cool down cloud watch etc)
      Cross-Origin Resource Sharing (CORS)
      NAT instance / NAT gateway…check the difference/use
      Elastic store which will shrink and expand (EFS)
      Cross zone balancing in ELB, benefits
      Availability of S3/RRS
      Use of kinesis

  20. Hi Jayendra

    Thank you for keeping the blog updated and filled with details, please continue to do so. It is very helpful for us.
    One question – how do I know if I’m ready for the exam? Any thoughts? Actually I have planned for the exam in a week. I have gone through acloudguru and your blog notes. I have tried all the Whizlabs and TheCertSchool practice tests and some of the Braincert tests. I have got between 75% to 85% score in these practice tests.
    Is it OK for me to proceed to the exam, spending a couple of days refreshing all the above? Or is it necessary to get more than 90% in all these practice tests before sitting for the actual exam?

    Thank you.

    1. It is necessary to know the concepts well enough, even if you do not score on the tests. But if you know what’s right and what’s wrong and why, that should be enough to appear for the exam.

  21. Hi Jayendra

    The advertisement on your blog regarding the AWS exam test is not appropriate.
    It is not fully complete and only 1 exam test is available out of 6

  22. Hi Jayendra
    Thanks for this awesome information.
    I’m an analyst and have never worked on anything related to this.
    Is there any prerequisite before I take this exam?
    Can you please suggest some reading material for the basic concepts?

  23. Hello Jayendra,

    Thank you for this awesome blog. Passed the SA Associate exam. Saw this blog only 3-4 days before the exam. The dumps I referred to had wrong answers, but that was cleared up by your blog with explanations. Thanks a lot. As you said, knowing all the concepts is a must. Out of 500 questions referred, only 15 came, but you will get an idea. Practicing AWS labs also helped a lot.

  24. Currently studying for the exam and just found this site… great resource!

    One question I have, there is discussion about reading the FAQ’s along with whitepapers.

    I found a link to the FAQs ( but is there a link / location for the whitepapers?

    Or would the FAQ’s be sufficient?


  25. Hello Jayendra,

    Passed the Solution Architect Associate exam with 89% score.
    Thanks for sharing this blog. It really helped a lot.


  26. Hi Jayendra,

    Thank you very much for this great blog! Please continue to update it.

    I cleared my AWS Solution Architect Associate Exam with 95%. Looking forward to the Professional level.

    Thank you

    1. Ramya,

      Can you please update on the topics that came up in the questions? Which areas did it cover? Have any new topics been added to the questions? Please advise. That would really help the test takers.

    2. Hi Ramya,

      Congrats on the accomplishment. I plan to take the exam in a few days.
      Can you please highlight for us the topics that came in the exam and any new concepts?


  27. The questions were very similar to what has been posted above. Whizlabs and Braincert practice questions are very helpful. No other new topics other than API Gateway, Lambda, ALB.
    Good luck to you!

  28. Thank you Jayendra for the wonderful coverage of all the topics. This really helped me to PASS the exam y’day. My exam had questions from IAM, 1 ECS, VPC, S3, Lambda, Route 53, EC2, RDS, Elasticache, Autoscaling. The questions were not lengthy but answer choices were close enough. More ‘choose 2’ options questions.

  29. Thanks a lot Jayendra for the beautiful blog.

    I cleared my AWS Solution Architect Associate Exam today. The exam questions were mostly similar to what are discussed in your blog, Whizlabs and Braincert.

    Apart from the Core and major topics, I got questions from the below topics
    – Kinesis usecase ( mainly on Kinesis firehose and streams usecase)
    – NAT gateway ( A webserver hosted in a NAT setup with 7Gbps traffic)
    – Couple of ALB Q ( ECS with dynamic port mapping, path based routing)
    – Lambda ( Event source generation services S3, DynamoDB, ELB, Route53,Redshift)
    – API Gateway & CORS ( combined usecase )
    – Trusted Advisor ( under utilization of EC2 instance)
    – STS
    – DynamoDB
    – Spot Instance pricing
    – Identification of Rough EC2 instance details ( cloud trail, vpc flow)
    – Auto-scaling ( changing ec2 image, one scenario q on number of Autoscaling grp)

      1. It wasn’t hard. The questions were straightforward and English statements were simple to understand. Answer options were also not confusing. If you understand the concepts well you can answer without difficulty.


  30. Thank you Rajendra for your lightning quick response and the additional information you have provided. I am aiming to do the associate exam in the next 10 days. We are lucky that we found you. Thanks again.

  31. Hi,
    What is the future prospect after AWS Solution Architect certification? I am an experienced IT pro with a development background and 12+ yrs exp.

    Best Regards

  32. Hello Jayendra ,
    Has the blueprint changed for the AWS SAA exam? I have been preparing for a few months and have scheduled the exam on 29th JAN 2018.
    Have the number of questions and timings changed?
    AWS Solution Architect – Associate Exam Blue Print
    Thanks in advance!!!

  33. I took exam on Nov 22 and passed SAA.

    I did 2.5 months of cloudguru. In the last 10 days I found this blog.
    CloudGuru is a good intro if you have no experience with AWS. But that is NOT enough.
    You need a lot of in-depth reading on AWS whitepapers/faqs.
    Jayendra you have done an excellent job. I passed because of you.

    Areas to cover –
    S3, databases – when to use S3 and dynamoDB
    Know how to set up the route table for public, private subnets – web layer, DB layer, data center – saw questions here
    Load Balancer (saw specific question on classic ELB)
    API Gateway Features (throttling, caching),
    Edge locations, CloudFront origins, CloudFront path patterns.
    Lambda Basics,
    EFS Basics, IAM permissions,
    Ec2 instances showing up in ECS cluster,
    Direct Connect
    Kinesis Streams Vs firehose, DynamoDB VS Elastic cache,
    CloudFormation Vs ElasticBeanStalk
    Route53 (saw a question – zone apex, A record, CNAME)
    which services provide encryption at rest,
    which services can trigger Lambdas,
    EBS replication across regions,
    why and when to use DynamoDB,
    reserved instance features,
    graceful shutdown of application and spot instances,
    what does STS provide , SQS and priority,
    auto scaling termination policy,
    auto scaling cool down timers, SNS supported end points.

    Overall the exam is not straightforward. Good understanding of the whole AWS stack is required. Attempt questions on this blog.
    READ AWS whitepapers – I read last minute. Please read them as you prepare.

  34. Cleared AWS CSA on Nov 29th with 85%. Thanks Jayendra, I followed your blog and questions to get more practice.
    Basically I followed

    AWS Certified Solutions Architect Associate Exam Mastery-2018 from Udemy -Eissa Sheriff from DolfiNED. Excellent course. You will feel the confidence and scenario based explanation


  35. I passed my AWS Architect Associate exam yesterday with 89 score (still can’t believe that 😉 ).

    Exam Topics coverage for my exam-
    There were 55 Qs. The exam started with relatively tough Qs at the start and they were mostly API Gateway and DynamoDB. I almost choked on seeing so many in-depth Qs on API Gateway, and all were in the 1st 15 Qs of the exam. Then it continued with medium-tough Qs from 20 to 40, and at the end there were pretty easy Qs for the last 15. I know it might be purposefully formulated like this to make your nerves break down, but being patient and moving on is the key, as it gets relatively better as you progress in the exam. I was doubtful of the answers for around 15 Qs (so I answered with what I thought was best at 1st glance) and flagged them for review at the end. Believe me, it helps a lot instead of choking on 1 Q and missing the easier part at the end.

    Lots of Questions on Core Services –
    EC2 , EBS, DynamoDB, S3.
    EC2 – Userdata, Metadata, SSH, choosing Access keys and passwords – difference for EC2 login, and other pretty easy Qs, choosing NAT Gateway over NAT instance – know main differences
    EBS – Know IOPS limits to use for GP2 and IO1 volumes and which to use for a given scenario based on IOPS limits. Snapshots & Encryption and a few other easier Qs
    At least 7 Questions on API Gateway & 6 on DynamoDB (Please study it in depth from all available resources on Amazon related to these 2 services – it was weighted quite heavily and really tough Qs for API especially) –
    DynamoDB use cases – At least 5 Questions where I had to choose DynamoDB
    Know the difference between use cases where to use Elasticache and DynamoDB – Got 2 similar Qs with one small difference based on which you need to choose Elasticache in one and DynamoDB in the other.
    Only 2-3 Qs on VPC
    Direct connect and VPN use cases # mixing possibilities.
    Only 2 Qs on RDS – Especially Read replica and Standby RDS instance use case, MultiAZ and Standby RDS instance differences.
    Autoscaling and ELB’s – relatively medium and easy level Qs (Around 4 Qs), By-heart the Autoscaling termination policy (Quite tedious Q asked but if you know the chart by heart you can answer it correctly)
    Route 53 – only 1 Q (scenario based – make choice between ELB or Route 53)
    EFS – 1 Q (Sharing)
    IAM – 3 Questions (pretty easier Qs),
    S3 – Scenario based Qs (Around 3-4) – use case, choose appropriate S3 storage between STD, IA, RRS and Glacier in data lifecycling scenario (was quite logical)
    SQS & SWF (Around 2 Qs) – Pretty easy use case Qs, Know the differences so you can choose the correct one.
    VPC flow logs vs cloudwatch logs monitoring for network monitoring – which will you use or will you use both?
    Lambda – 2 questions
    Cloudwatch logs and cloudwatch events – difference and use cases
    Cloudtrail – API logs monitoring
    STS – which login types are covered by STS – Federated (SAML – AD connector, Amazon, FB, Google).
    Do IAM Roles or cross account access come under STS?
    Know difference between AD connector and Simple AD and its use cases.
    Cross account access – use cases
    Kinesis Streams vs Firehose VS Analytics # Know the difference which to use when?
    ECS & EMR – 1 question each – was quite medium Q for ECS and tough one for EMR.
    AWS shared responsibility model
    Other Qs – VPC peering, IAM Roles, RDS on EC2, Storage Gateway.
    No questions on Redis, Memcached, Data Pipeline, Cognito, Workspaces, WAF, Billing, AWS support, Elastic Beanstalks, Opsworks.

    Exam Tips (Based on my study) –
    1. Do the Acloudguru course from Ryan on Udemy with all its Questions and Answers (It’s the best) # make your own notes out of it.
    2. Do the Eissa course “AWS Certified Solutions Architect Associate Exam Master” on Udemy for in-depth coverage of core services – VPC, EC2, EBS, ELB & Autoscaling – really helped me gain mastery over these hard core subjects (No need to do Q&A sections in this course as such in-depth scenarios will not be asked. No need to do S3 & RDS from this as I felt doing S3 and RDS from just the Acloudguru course is good enough for the exam as Qs for these topics were less and relatively easy) – Make your notes.
    3. Practise on Free tier or buy Qwiklabs and practise the Architect Associate Quest and a few other free labs on it. Really helps to get into the depth and understand the services better.
    4. Read FAQs for VPC, S3, EC2, EBS, DynamoDB, API Gateway (Quick glance on Qs is good enough)
    5. Whitepapers – No need to read any of whitepaper (AWS cloudguru covers them all and is good enough). Security whitepaper is only important if you really want to read it (Do it if you have time else skip this whitepaper as well).
    6. Do revision for your exam with your notes from above 2 courses and jayendrapatil’s and
    chrisfwilliams blogs – really helps for quick last minute reviews in short and (
    7. Do as many practice exams as possible available on Udemy, Simplilearn (Free test), Free exam Apps available on Android, Sybex book (300 Q). No real exam Qs with any of them but pretty close at least for 7-8 Questions. But it gives a quest of how and what type of Qs can come and helps you with readiness for the exam. Don’t by-heart any Qs & Answers from here – just do them once to check your preparedness. If you have less time, just do Braincert and you can skip other Udemy and Sybex book Qs – main thing is to check explanations for each answer, which develops in-depth knowledge of theory, and they have links to AWS for proof of answers # read them as well for any tough Qs, that helps a lot). Braincert is designed close enough to actual exam based question framing and its explanations give more insight into theory.

    Final tip –
    Knowing the theory deep enough and a little bit of practical labs practice is the real thing that makes you pass with flying colours. Don’t rely on any Dumps as Qs are really new and logical answering based on your knowledge is the key to pass with flying colours. You need lots of patience for studying AWS from so many resources. I studied for almost 6 months (Average 12 hours weekly doing theory, labs, practice Qs, FAQs topic by topic and then simulating it all together in the last 3 weeks with revising all of theory).

    All the Best!!!

  36. Passed my AWS Architect Associate exam today with 81%.

    Thanks Jayendra. I followed your blogs & practice questions, Linux Academy & Cloud Guru course.

    Thanks – Vishal

  37. Passed my exam today with 97%. Thanks so much for your wonderful blogs, it was so helpful for the preparation.

    Ryan & ACG course – Provides excellent hands-on overview of all the core services and within few minutes of videos, you get that confidence that you are on safe hands. Really Hats off to Ryan and his method of teaching. Practice all the labs and VPC, VPC, VPC and VPC. Explore all the options on the console, while doing your labs. Like, what all you can do while the service is stopped, running, pending, what you can and can’t update. Pay close attention to the videos, there are few small things you can miss and that can be crucial for the preparation.

    DolfinEd Course & Linux Academy – One of the course, gives a real deep theoretical understanding on the core services – EC2, ELB(best explanation among all the videos), Autoscaling(again top notch), S3, RDS & EBS. Highly recommend.

    AWS Official book: Good additional supplementation to the videos. Not really required, but I am a book reader, so won’t complain.

    AWS User documentation: This really helped me in filling the gaps from the videos. Absolutely required, if you want to get the deep knowledge. Highly recommend for the core services.

    Jayendra patil Blogs: Again deep theoretical understanding on the major services and nice explanation of the exam blueprint. Excellent Practice questions. Check this out w/o fail.

    Practice exams: Whizlabs and Braincert(all in all around 1000 questions). I compare Braincert to the level of AWS official exam. Good thing about them is that they pick questions from FAQ’s and also provide good explanation of the right and wrong answers. I used to get average 80% on both Braincert and Whizlabs. If you are new to AWS like me, then these are absolutely needed to get real exam experience.

    FAQ’s: VPC, EC2, S3, ELB, SQS, ECS, Lambda, API Gateway, R53, DynamoDB, RDS. Read FAQ’s during your final days of preparation and this will help you to revise the topics and get additional knowledge about the services. Not sure, if I really got questions straight out of FAQ’s though.

    Whitepapers: Best Practices( to me this whitepaper is really critical to understand AWS architecture), Security(read twice), Ryan’s Well Architected Framework video.

  38. I just passed. Was tough tbh. Wouldn’t have passed if it wasn’t for your website so thanks very much. I would say only about 5% of questions were similar to yours on the site. Your questions still helped a lot to see which areas I still needed to learn for the exam.

    Thanks again.

  39. hi Jayendra,

    i bought the Udemy AWS mastery course via link posted here. I aspire to clear AWS SA-A exam. Your blog is good but i also wish more people post with new changed format that we are hearing. Also want to know if the format will keep changing or gets stable after 6 months or so?

    1. Hi Ashish, it all depends on the users to provide feedback about the exam. AWS exams don’t change completely, but they do keep on adding new topics and questions. Also, it does not keep up with the latest enhancements.

  40. Hi Jayendra,
    I am taking the AWS SA-Associate test on 2nd Jan. I have been scoring about 70% in some of the sample tests. I had gone thru the Udemy course. Could you share some tips that would be useful for increasing my confidence?


  41. Hi Jayendra

    I am planning to do Certification on AWS Associate Solution Architect. Can you please provide right path so I can clear the exam. I am very thankful if you take time to guide me. Please provide the notes as well if you can, currently I am a full stack java developer

  42. Hello Jayendra,

    I have started studying for Certification on AWS Associate Solution Architect. Your website is a tremendous help in this effort. Studied VPC, subnet and signed up AWS Free tier for hands on. But appears free tier does not allow VPC any longer. Can you please suggest alternate options? Should I transition to paying plan for one month? Hopefully, it will allow all hands on VPC. How to do hands-on for all other contents? Will free tier allow it?

    Appreciate any input you may have. Regards,


    1. I think the default VPC should still be free and you can create subnets within it. You don’t need to pay for any plan but just pay for what you use. Try qwiklabs where you can try VPC basic labs for free.

      1. Hello Jayendra,

        The AWS free tier now allowing me to go to VPC portion of AWS console and create it. QwikLabs looking credit to be purchased for all their labs. I am planning to utilize AWS free tier for all these lab. Is this the problem everybody facing and this path they are taking as lab hands on? I am planning to do Certification on AWS Associate Solution Architect. Appreciate any input from your end.

        For some strange reason, I am not able to log onto first Linux EC2 instance after its creation. Error: Network Error, Connection timed out.

        During EC2 creation, I tried both Public IP and Private IP. Created new Security Group, opened SSH port 22 for the whole world. And then used Putty from my Windows 10 machine.

        Appreciate any input. Thanks

  43. Hey Jayendrapatil,

    You are doing awesome job! I’m preparing for AWS solution architect associate certificate. Can you please forward the resources and preparation stuff to me too.


  44. Passed my AWS SA-A exam today with 97%, on Dec 30, 2017. Thanks Jayendra for the excellent blog. I followed your suggestions on this site. I did BrainCert and Whizlabs practice tests. Most questions look familiar, though they are not exact the same as in practice tests. I will continue to study sysops using this blog. Thank you very much.

  45. Hello All,

    I passed my CSA exam on 27th December.
    My preparation strategy :

    1. Linuxacademy video (Got 2 month free using Microsoft login. Google it)
    2. Cloudguru course on udemy. Though I skipped the common topics as they were covered in Linuxacademy
    3. Checked FAQs on AWS website for S3, VPC, DynamoDB, EC2, Lambda, API Gateway, EBS, Route 53, Cloud front and ELB.
    4. Went through all questions in the Sybex book – AWS Certified Solutions Architect Official Study Guide: Associate Exam
    5. Went through this blog and checked the content as well as the questions
    6. Purchased Braincert Practise exams

    Linux academy and Cloudguru course is good but not exhaustive.
    FAQs and this website fills some gap in learning.
    Last bit I covered by checking the questions.

    The exam itself was average in difficulty. Got 55 questions instead of 60 to answer.
    Also got a paper and pen in which I dumped all the by-hearted information such as numbers/seconds/min/max size before starting the exam.

    Passed with 95% marks 🙂

    1. Congratulations!

      FAQs are so long and dry, how does one stick to reading all the pages? Is there a strategy that one can employ?

  46. Hi Jayendra,
    Planning to appear for Solutions Architect Associate exam on 15th Jan’18.
    Can you pls share some helpful info,docs,questions & Tips ?


      1. I am curious what is the additional material. I will be taking my CSAA exam in next few days. Thought this blog was all it. Can you also please for the material to my email?

        1. Frankly, as I have mentioned earlier, there is nothing additional, I just mail the resource links that’s more concise than the blog as a starting point if you have gone through the blog already. If you have, the information is already there.

  47. Passed today!!

    Very hard test in my opinion. Many questions on API. This blog helped very much. I studied ACG, FAQ, Whitepapers.

    Do not underestimate, it took me the entire 80 mins

    1. Congratulations!

      Were there many scenario based questions with lot to read?

      Can you please shed some light on the complexity and time consumption?

  48. Hi Jayendra

    I have booked a slot for AWS Associate exam for 3rd April’18. Can you share any material for my preparation, please?


  49. Hi jj,

    Once you have gone through linux academy and cloud guru videos and few questions. Then skimming through FAQs won’t be hard since it will be repetitive in most parts.

    1. Took the ACG Final Practice and the Exam simulator (2 times).

      Took Whizlabs 4 tests. Will be taking couple more today/trow.

      Going through the FAQs long scrolling – feels boring, time consuming and mainly how much one can remember besides the main concepts.

      ACG covered the Whitepaper summaries.

      Any additional Services, referring to this site.

      Main concern – besides the above, is chewing through the FAQs – is the time worth it?

  50. Just passed the Associate Solution Architect exam with an 87%. This blog and all the information on it was super helpful.

    I bought the official [Sybex] AWS study guide, read it cover to cover and did all the chapter practice questions plus all the online practice exam questions.
    Watched all the ACloudGuru videos from Ryan Kroonenberg.
    Purchased the BrainCert exams and did all of them- these were awesome. (Recognized several questions on the exam from these!)
    Took the official AWS practice exam. 20 questions.
    Read the FAQ’s on the major services, EC2, S3, ELB, EBS, Rt53, IAM, APIGateway, Lambda and CloudFront.

  51. Hi Jayendra,

    Thank you so much for putting the time and effort into your blog. I passed my exam and relied heavily on your notes, so I credit a lot of my success to you. You’re doing amazing things for your “students”! Keep up the amazing work.


  52. Hey Jayendrapatil,
    Very good blog ! Thanks. I’m preparing for AWS solution architect associate certificate. Can you please forward the resources and preparation stuff to me too.

  53. Hello Jayendra,

    I wanted to thank you for the work you’ve done building and maintaining this site. It was an important tool for me and it certainly accelerated my learning process. I passed on 12/22/17 with a score of 83%. The test was pretty difficult for me because my background is networking and the test is certainly directed towards system administrators and developers. I used the following method to prepare:

    -First I did my own internet searches and basic reading.
    -Two multi-day instructor led courses. (These were no better than watching videos).
    -Used Amazon’s test description in conjunction with Google to study.


    -I reviewed all the material and questions here.
    -I used the Braincert practice tests.

    I think the practice questions here and on Braincert are very similar to the type of questions that you’ll see on the exam and the questions will help expose weaknesses that you don’t know you have. I did recognize a few questions as being identical but I did not feel like the site was just dumping actual questions which is good, that’s not what I was looking for.

  54. Hey Jayendra,

    Today! I have taken AWS Solution Architect Associate exam and successfully scored 81%. Really I would like to thank you for your suggestions and guidance for which you have done this site. Your site is really Awesome in terms of preparing the exam for AWS. As suggested in the comment, I have taken brain-cert practice tests before taking the exam. Surprised that most of the questions were same what I had practiced, which was really helpful to complete the exam quickly within 30 mins.

    I would like to share my experience here how I prepared the exam for last 6 Months. However, I have to admit myself that I have to do a lot of practice to be a master in AWS. The followings are my guidelines for becoming AWS Architect:

    1) AWS Udemy Courses.

    Linux Academy is a really good one for beginners who wants to know AWS architecture.
    AWS Certified Solutions Architect (associate)

    AWS Certified Solutions Architect – Associate 2018
    AWS Certified Solutions Architect – Professional 2018

    AWS Certified Solutions Architect – Associate – Mastery 2018

    Random Clicks:

    Some AWS whitepapers

    Hope this helps. Good Luck.!

  55. Hi Jayendra,

    I have registered my AWS SA Exam on 24-Feb-2018.

    I am referring this blog and planning scan contents multiple times along with other material as suggested. Lets see…

    If you have anything useful pls do send me..


  56. Hi Jayendra,

    I am preparing solution architect exam and came across this blog. This blog is really good for guidance moreover you always get time to respond queries.
    Can you please share some material and if any sample question which will help me to pass exam?

    Thanks in advance.

  57. HI Jayendra,

    Can you please confirm me the answer to the following question? I guess for 1 answer is c, and for 2 answer is c. Please help.

    1. An order processing website is using EC2 instances to process messages from an SQS queue. A user reported an issue that their order was processed twice and hence charged twice. What action would you recommend ensuring this does not happen again? Choose the correct option

    Your answer
    A. Insert code into the application to delete messages after processing
    B. Increase the visibility timeout for the queue
    C. Modify the order process to use SWF
    D. Use long polling rather than short polling

    2.You have EC2 instances in three availability zones, with a load balancer configured on all the three AZs. You observe that one availability zone is receiving more traffic as compared to other AZs, how can you solve this problem effectively

    Your answer
    A. Disable sticky sessions
    B. Reduce the frequency of the health checks
    C. Enable cross zone load balancer
    D. Amazon recommends to use two availability zone behind ELB

    3. A web company is looking to implement an external payment service into their highly available application deployed in a VPC. Their application EC2 instances are behind a public facing ELB. Auto scaling is used to add additional instances as traffic increases. Under normal load the application runs 2 instances in the Auto Scaling group but at peak it can scale 3x in size. The application instances need to communicate with the payment service over the Internet, which requires whitelisting of all public IP addresses used to communicate with it. A maximum of 4 whitelisting IP addresses are allowed at a time and can be added through an API. How should they architect their solution?

    Your answer
    A. Route payment requests through two NAT instances setup for High Availability and whitelist the Elastic IP addresses attached to the NAT instances
    B. Whitelist the VPC Internet Gateway Public IP and route payment requests through the Internet Gateway.
    C. Whitelist the ELB IP addresses and route payment requests from the Application servers through the ELB.
    D. Automatically assign public IP addresses to the application instances in the Auto Scaling group and run a script on boot that adds each instances public IP address to the payment validation whitelist API.

  58. Hi Jayendra,

    I am preparing for AWS Certified Solutions Architect Exam.
    Can you please share any relevant documents.

    Thank you.

  59. Hi Sir,
    I am planning to take CSA-A certification by March 2018. Have gone through udemy videos of Ryan. And few white papers as listed.

    Going through your blog currently. Is there any pattern change or new topics included?

    As the time limit is very less, kindly send any further material /recommendations which would help to clear the exam.

    Thanks in Advance!

    1. I have already updated the path for the new topics which have been added to the exams, be sure to cover all the topics marked.

    1. Would suggest to go through the blueprint and each of the sections which topics. That would cover almost all that’s needed.

  60. Hi Jayendra,

    I am preparing for AWS SAA Exam and my exam date is Feb. 17 2018. I am in my last week for preparation.

    From comments above, I saw you sharing brief summary document for the preparation. It would be great if you could share it with me as I am looking for a document which I can go through on a day before exam.


    Panth Shah

    1. It’s usually a brief summary of preparation guide, I would suggest go through questions, practice tests, cheat sheets and FAQs.

  61. Hi Jay, I’ve just started preparing CSA-A and preparing to appear exam before 12-Aug-2018. As per Amazon, we cannot take old pattern exam after 12-Aug-2018. Can you please guide me how to navigate your blog. I’m kind of lost where to start in this blog. Also, could you please share brief summary to my email. Thanks Jana.

    1. I would suggest you to start with a cloud guru course, that will give you an overview of every service with hands on experience. After that it will be very easy to go through this blog and clear the exam. It can be achieved in 2 months, though i cleared in one month preparation.

  62. Hi Jay,

    Can you please let me know important AWS FAQ’s I have to read for CSA-A Exam, thank you very much indeed for your help.


  63. Cleared solution architect associate exam!!
    Thanks so much for the awesome blog!!

    I wanted to know can i directly go for solution architect professional exam?? Or should i first go for sysops certification before professional solution architect ?

  64. Cleared my CSA certification yesterday with 83% score. Thanks a lot Jayendra for excellent blog and study material. It really helped me to clear the certification.

  65. Thanks a lot Jayendra for creating these blogs/reference material. I cleared the exam today with a score 89%. Referred your material and found it very useful. Would be great to be in touch on LinkedIn. Thanks

  66. Hi Jay,

    I have one doubt about new changes for AWS services, for example in 29 Nov 2017 AWS announced support for inter-region VPC peering. So we have to consider this change in exam question? Please let me know, I am planning to give exam next month. I want to know exam questions also reflect this changes.

    your response is much appreciated. since it happens to many services


    1. usually not, the change is too recent to be coming in the exams. 99% the latest changes won’t reflect in the exam, but read the question and answer option twice for such scenarios just to make sure.

  67. Just passed my AWS: SA Associate today – This blog was key in helping me fill the gaps ACloudGuru is missing. Thank you so much for giving me something to help focus my studies of the FAQs/Whitepapers on. I really appreciate this amazing resource, Jay.


    Ryan Barker

  68. You are doing awesome job! I’m preparing for AWS solution architect associate certificate. Can you please forward the resources and preparation stuff to me too.

  69. Hi Jay,
    Thank you for you all information about AWS. I have cleared the exam.

    I do not have any prior experience on AWS and my current company does not offer any work related to that.

    Can you please help me with what is require to switch the job?
    I am a java developer with 7 years experience. Will AWS certification be enough to switch the job. What else is required? How can I get the hands-on practice

    1. You need to gain hands on by practicing on free tier and can also use qwiklabs to try out different stuff. Check out the re-invent videos, very informative.
      Try to give interviews, to know the real world questions.

  70. Hi Jayendra, can you please answer these questions for me?

    You have been asked to design a fault-tolerant and scalable web application across three Availability Zones. The presentation logic will reside on the web servers behind an ELB Classic Load Balancer, and the application logic will reside on a set of app servers behind a second load balancer.

    How should you use Auto Scaling groups?

    A. Deploy one Auto Scaling group that includes all the web and app servers across all Availability Zones.
    B. Deploy three Auto Scaling groups: one for each Availability Zone that includes both web and app servers.
    C. Deploy two Auto Scaling groups: One for the web servers in all Availability Zones and one for the app servers in all Availability Zones.
    D. Deploy six Auto Scaling groups: a web server group in each Availability Zone and app server group in each Availability Zone.

    My choice is “C”

    Your security team requires each Amazon ECS task to have an IAM policy that limits the task’s privileges to only those required for its use of AWS services.

    How can you achieve this?

    A. Use IAM roles for Amazon ECS tasks to associate a specific IAM role with each ECS definition.
    B. Use IAM roles on the Amazon ECS container instances to associate IAM roles with each ECS task on that instance.
    C. Connect to each running Amazon ECS container instance and add discrete credentials.
    D. Root each Amazon ECS task programmatically to generate new instance metadata for each task.

    My choice is “B”

    You have been asked to design a NAT solution for your company’s VPC-based web application. Traffic from the private subnets varies throughout the day from 500 Mbps to spikes of 7 Gbps.

    What is the most cost-effective and scalable solution?

    A. Move the Internet gateway for the VPC to a public subnet; route all internet traffic through the Internet gateway.
    B. Create an Amazon EC2 NAT instance with a second elastic network interface (ENI) in a public subnet route all private subnet Internet traffic through the NAT gateway.
    C. Create a NAT gateway in a public subnet route all private subnet Internet traffic through the NAT gateway.
    D. Create an Auto group of Amazon EC2 NAT instance in a public subnet; route all Private subnet Internet traffic through the NAT gateway.

    My choice is “C”

    You bid $0.22 for an Amazon EC2 Spot instance when the market price was $0.20. For 90 minutes, the market price remained at $0.20. Then the market price changed to $0.25, and your instance was terminated by AWS.

    What was your cost of running the instance for the entire duration?

    A. $0.47
    B. $0.20
    C. $0.40
    D. $0.22

    My choice is “D”

    You are trying to use SSH to connect from your laptop to an Amazon EC2 instance over the Internet. You cannot establish a connection.

    What could be the problem?

    A. The security group deny any allow any outbound TCP traffic to your laptop IP address.
    B. May be up Security group and outbound ACL outbound with the Amazon EC2 instance
    C. The network ACL is set to deny all outbound TCP traffic to your laptop IP address.
    D. The IAM access key on your laptop does not have console access to the Amazon EC2 instance.

    My choice is “D”

  71. Hi Jay,

    I have cleared AWS SA-A today. I want to thank you for the guidance you are providing with this website.

    Most of the questions appeared in the actual exam are from the Braincerts and from the sample questions from your posts. A few are different but they could be easily answered.

    My preparation:

    1.Gone through AWS Certified Solutions Architect – Associate course from Udemy
    2.practiced AWS concepts via AWS free tier account.
    3.practiced all the tests from Braincert exams.

  72. Hi Jayendra,

    Have you gotten chance to update your blog based on the latest AWS certified architect exam – Feb 2018?

  73. Hi Jayendra,

    I have cleared the exam today with 91%, thanks to your blog and acloudguru course. I didn’t see any new topics in the exam.

    Again, thank you so much for maintaining this blog.


  74. I would like to reflect on my experience with the CSA-A exam. I sat the existing test and not the revised one (Feb 2018). I would like to thank the time and effort other students have contributed to this invaluable forum.

    I watched the videos and wrote notes on aCloudguru’s Udemy course and although think it provides a great foundation it’s not enough. I highly recommend another Udemy course (ie mastery) which I completed (not the labs) and felt it was more comprehensive.

    Then I purchased whizlab and practiced their exams twice. Whizlabs covered 5-7 questions in the actual exam but matches the exam format and type of questions. Like most people I found on occasion whizlabs questions/answer vague so I then referred to the FAQ’s to verify the answer.

    In reflection, I should have reviewed aCloudGuru’s forum and Jay’s more in-depth as I found many more questions that matched the one’s I had in the exam.

    Not covered in the exam.
    • ALB, Placement groups, Elastic Beanstalk, EMR

    Covered in the exam
    • SQS (decoupling applications with 2 queues {premium + free})
    • VPC peering
    • DynamoDB – single-digit millisecond latency
    • CloudFormation template syntax (static/*) ??
    • SWF (1 question)
    • AWS Services that use native encryption at rest
    • IAM roles (many questions about not storing access keys /secret password and providing services access to other services)
    • IAM groups (some users in a department needs access the other services used by another department)
    • ECS – task definitions
    • CloudWatch with Trusted Advisor (checking services not being serviced in another region)
    • Using Cloudwatch to filter on applications error keywords
    • Userdata – scripts
    • Enhanced networking (using 20 x EC2 instances large but need better performance)
    • Unable to ssh via the Internet to EC2 instance. Why?
    • Lambda function invocations (which AWS services are invoked by Lambda functions)
    • EBS volume encryption (unencrypt to encrypt)
    • Kinesis FH vs Kinesis streams (large ingestion of data, sent to S3)
    • Reserved instance features
    • Spot instance – total cost after 90mins + application can gracefully recover
    • API GW features – caching and CORS
    • S3 and S3-RRS (thumbnails)
    • Auto-Scaling groups (ELB for web servers and ELB for database servers; how many ASG’s launched)
    • Shared responsibility model (Customer responsibility / AWS responsibility)
    • RDS read replica’s
    • CloudFront (origins)
    • EC2 provisioned IOPS (which one to choose with 1000 IOPS average and 2000 IOPS burst)
    • SNS
    • STS (client uses on-prem AD &/or federation server, which service is used)

    Good luck fellow Engineers!!

    1. All the questions are on the blog. I do not have any other questions. You can check for practice exams, they are paid.

  75. 1. Which of the following requires a custom CloudWatch metric to monitor?
    A. Memory Utilization of an EC2 instance
    B. CPU Utilization of an EC2 instance
    C. Disk usage activity of an EC2 instance
    D. Data transfer of an EC2 instance

    Is the answer A or C kindly confirm

    2. When creation of an EBS snapshot is initiated, but not completed, the EBS volume

    A. Cannot be used until the snapshot completes

    B. Can be used in read-only mode while the snapshot is in progress

    C. Can be used while the snapshot is in progress

    D. Cannot be detached or attached to an EC2 instance until the snapshot completes

    Is the answer A or C kindly confirm

    3. Which of the following are characteristics of Amazon VPC subnets? (select 2)
    A Each subnet spans at least 2 Availability Zones to provide a high-availability environment
    B Each subnet maps to a single Availability Zone
    C A CIDR block mask of /25 is the smallest range supported
    D By default all subnets can route between each other,whether they are private or public
    E Instances in a private subnet can communicate with the Internet only if they have an Elastic IP
    Is the answer B&D or B&E kindly confirm
    4. Per the AWS Acceptable Use Policy,penetration testing of EC2 instances
    A May be performed by the customer on their own instances,only if performed from EC2 instances
    B May be performed by AWS,and is periodically performed by AWS
    C May be performed by AWS,and will be performed by AWS upon customer request
    D Are expressly prohibited under all circumstances
    E May be performed by the customer on their own instances with prior authorization from AWS

    Is the answer B or E kindly confirm

    5. You need to pass a custom script to new Amazon Linux instances created in your Auto Scaling group.Which feature allows you to accomplish this?
    A User data
    B EC2Config service
    C IAM roles
    D AWS Config

    Is the answer A or B kindly confirm

    6. An Auto-Scaling group spans 3 AZs and currently has 4 running EC2 instances.When Auto Scaling needs to terminate an EC2 instance,by default AutoScaling will: (Select 2)
    A Terminate the instance with the least active network connections.If multiple instances meet this criterion one will be randomly selected
    B Terminate an instance in the AZ which currently has 2 running EC2 instances
    C Send an SNS notification if configured to do so
    D Randomly select one of the 3 AZs,and then terminate an instance in that AZ
    E Allow at least five minutes for Windows/Linux shutdown scripts to complete before terminating the instance

    Is the answer B&C or C&D kindly confirm

    7. Which of the following notification endpoints or clients are supported by Amazon Simple Notification Service?(select two)
    A Email
    B CloudFront distribution
    C File Transfer Protocol
    D Simple Network Management Protocol
    E Short message service

    Is the answer A&D or A&E kindly confirm

    8. A company is building software on AWS that requires access to various AWS services.Which configuration should be used to ensure that AWS credentials (i.e,Access Key ID/Secret Access Key combination) are not compromised
    Enable Multi-Factor Authentication for your AWS root account XX
    Assign an IAM role to the Amazon EC2 instance
    Store the AWS Access Key ID/Secret Access Key combination in software comments XX
    Assign an IAM user to the Amazon EC2 instance XX

    Is the answer A or B kindly confirm

  76. What is a realistic time frame to prepare and study for the exam? Can it be done in 1 months time? Studying 2 hours per day? More or less on some days.

  77. Hi Jayendra sir, I am trying to schedule my AWS CSA exam, but they are showing notification: your request is failed please try again later. Please tell me process of scheduling exam. Sir please help me

  78. anyone please help me how schedule CSA it necessary to have aws account to schedule your exam..please help me anyone
