SAA-C03 exam preparation notes
SAA-C03 = AWS Certified Solutions Architect Associate
EC2, ASG and ELB
- The spread EC2 instance group can have 7 instances at max in one AZ. Each instance will be on a single hardware with separate power and network
- Dedicated EC2 host is the physical server dedicated to you. It’s useful for software licensing bound (like Windows Server). Dedicated EC2 instances are different from Dedicated host. Dedicated instances are isolated from instances of other accounts, but they can still share the same physical server with other instances of the same account. Dedicated instances cannot be used for server-bound software licenses compliance.
- By default, user data script runs as root
- SSD-backed volumes are better in IOPS, while HDD-backed volumes are better in throughput. Only instance store and SSD-backed volumes can be used as boot volume
- It’s possible to set a time for spot instance not to be interrupted (1, 2, 3, 4, 5, 6 hours). This is called spot block. This does not guarantee the instance will definitely not be interrupted. In rare cases due to AWS capacity, spot instance can be interrupted regardless of the spot block
- ASG has three types of health check: EC2 based, ELB based and custom types. EC2 based status check reports if the instance is running and if there is any underlying hardware of software issues which impair the instance. ELB based health check follows the report of ELB to determine if an instance is unhealthy. Custom health check is defined by users.
- By default, cross-zone load balancing is enabled for ALB and disabled for NLB
- Only CLI can be used to change the
DeleteOnTerminationflag of EBS attached to running instance. The web console cannot change it
Data storage
- EFS can be multi-regional thanks to the inter-region VPC peering
- When FSx Lustre links to S3, it processes “hot data” in a distributed fashion and deal with “cold data” on S3 easily
- AWS Redshift Spectrum can query data from S3 without loading data into AWS Redshift tables
- Social media DB: Amazon Neptune (Graph DB)
- Kinesis Data Stream: per shard: ingress: 1 MB/s or 1000 messages/second; egress 2 MB/s. Can be leveraged by enhanced fan-out capability
- S3 lifecycle transition constraint: objects to be moved must be stored 30 days as standard before it can be moved to the IA class.
- ElastiCache Redis is technically possible to be used on DynamoDB, though not preferred
- Although S3 can use S3 event notification to send an event to SNS, S3 cannot directly write to SNS
- S3 Versioning cannot be disabled once enabled. It can only be suspended
- Transferring objects into S3 from the internet is free; objects that are accelerated by S3TA (S3 Transfer Acceleration) does not incur S3TA fees either. That says, if some objects are uploaded with S3TA enabled, however those objects not really accelerated, the user does not pay any fee for the object upload
- Snowball Edge Storage Optimized device: 80TB HDD, 1TB SSD; Snowmobile: 10PB
- Enabling encryption on RDS is only supported at the creation time. If this setting needs to be changed later, a snapshot and its encryption method must be created and altered there, and restored to a new database
- All RDS transactions are ACID (Atomic, Consistent, Isolated, Durable) compliant, meaning the immediate read after write is always new
- RDS read replica should be provisioned and scaled in the same size as the primary instance to make sure replication works effectively
- Upon RDS database engine upgrade, Multi-AZ deployment can’t help reduce the downtime because the primary and standby instances are upgrade at the same time. However, upon RDS instance OS upgrade, Multi-AZ deployment can help reduce the downtime by upgrading the standby instance first and promote standby as the new primary, and then upgrade the new standby (used to be primary)
- By default, S3 objects are owned by the account who uploads them, not by the bucket owner (if they are not same)
- Aurora Multi-master cluster has no downtime in writing in case of fail-over because all instances are with writing capability so another instance will immediately take over the write work if necessary
RDS/Aurora Multi-AZ Multi-Region and Read Replica
| Multi-AZ | Multi-Region | Read Replica | |
|---|---|---|---|
| Main purpose | High availability | Disaster recovery | Scalability |
| Replication | RDS: Synchronous Aurora: Asynchronous |
Asynchronous | Asynchronous |
Kinesis data streaming
Others
- API Gateway uses token bucket algorithm to throttle requests (each request counts for a token)
- SQS FIFO throughput: 300 messages/second. This can be increased by batch operations up to 10 messages/operation, which gives up to 3000 messages/second throughput
- SNS cannot send messages directly to Kinesis Data Stream
- Kinesis Data Firehose supports multiple data sources, but when KDF is configured to use Kinesis Data Stream as data source, it only takes input from KDS
- AWS Global Accelerator can be used for blue-green deployment (on a global scale)
- Cognito Identity Pool is for Cognito users to access AWS resources
- A Lambda function can use up to 5 layers at a time
- Lambda can be package and deploy as a container image
- The default concurrency limit of Lambda is 1000/s. It can be increased by contacting AWS Support
- Amazon GuardDuty uses (1) CloudTrail management logs, (2) CloudTrail S3 data logs, (3) VPC flow logs, (4) DNS logs
- KMS has a default deletion waiting period of 30 days. The configurable period is 7 - 30 days
- AMI relies on its underlying snapshots. When AMI is copied cross-region, its corresponding snapshots are also copied
- To remove existing findings on GuardDuty, simply disable the service in the general setting. It can also be stopped in the general setting, which will only suspend further analysing but keep the existing data
- AWS Direct Connect is not encrypted in transit by default
- Athena supports reading and writing data in some common compression formats (e.g. gzip)
- IAM permission boundary can only be applied to users, not groups
- Service Control Policies (SCP) is an AWS Organization policy type to manage the access of its users and roles. If an action is either not allowed or denied in SCP, the user or role cannot perform it. It applies to the root user too, but it does not apply to service-linked roles.
- Although S3 event notification supports SQS as the destination, it does not support SQS FIFO as the destination