AWS Solutions Architect Associate Flashcards
25 comprehensive flashcards covering all SAA-C03 exam domains
What is a VPC (Virtual Private Cloud)?
A logically isolated virtual network within AWS where you can launch AWS resources. It provides complete control over your networking environment including IP address ranges, subnets, route tables, and network gateways.
What is the difference between a Security Group and a Network ACL?
Security Groups are stateful firewalls that operate at the instance level with allow rules only. Network ACLs are stateless firewalls that operate at the subnet level with both allow and deny rules. Security Groups evaluate all rules before allowing traffic, while NACLs process rules in order.
What is AWS KMS and when should you use it?
AWS Key Management Service (KMS) is a managed service for creating and controlling encryption keys. Use it for encrypting data at rest and in transit, managing key rotation, and maintaining compliance requirements. It integrates with most AWS services.
What is the principle of least privilege in AWS IAM?
Grant only the minimum permissions necessary for users or services to perform their required tasks. Start with no permissions and add only what is needed; regularly review and remove unnecessary permissions.
How do you design a secure multi-tier architecture in AWS?
Use separate subnets for each tier (web, application, database). Place the web tier in public subnets behind an ALB, the app tier in private subnets with auto scaling, and the database tier in private subnets with Multi-AZ RDS. Use security groups to control traffic flow between tiers.
What is the difference between Multi-AZ and Read Replicas in RDS?
Multi-AZ provides high availability with synchronous replication to a standby instance in another AZ for automatic failover. Read Replicas provide read scaling with asynchronous replication, can be in different regions, and are used for read-heavy workloads.
When should you use Application Load Balancer vs Network Load Balancer?
Use ALB for HTTP/HTTPS traffic, advanced routing based on content, microservices, and containerized applications. Use NLB for TCP/UDP traffic, ultra-high performance, static IP addresses, and when you need to preserve source IP.
What are the different Auto Scaling policies available?
Target Tracking (maintain specific metric), Step Scaling (scale based on metric thresholds), Simple Scaling (single adjustment), Scheduled Scaling (time-based), and Predictive Scaling (ML-based forecasting).
What are the four disaster recovery strategies in AWS?
1. Backup and Restore (lowest cost, highest RTO), 2. Pilot Light (minimal running resources), 3. Warm Standby (scaled-down replica), 4. Multi-Site Active/Active (highest cost, lowest RTO).
What is the difference between EBS gp3 and io2 volumes?
gp3 provides baseline performance with the ability to provision IOPS and throughput independently, and is suitable for most workloads. io2 provides consistent high IOPS performance and 99.999% durability, and is designed for I/O-intensive applications like databases.
When should you use EC2 Spot Instances?
Use Spot Instances for fault-tolerant, flexible workloads that can handle interruptions, such as batch processing, data analysis, background processing, and testing environments. They offer up to 90% cost savings but can be terminated with a 2-minute notice.
What is the difference between CloudFront and ElastiCache?
CloudFront is a CDN that caches content at edge locations globally for low latency content delivery. ElastiCache is an in-memory caching service (Redis/Memcached) that improves application performance by caching frequently accessed data.
When should you use DynamoDB vs RDS?
Use DynamoDB for applications requiring single-digit millisecond latency, massive scale, flexible schema, and serverless architecture. Use RDS for ACID transactions, complex queries, existing SQL applications, and when you need relational database features.
What are the different S3 storage classes and their use cases?
Standard (frequently accessed), Standard-IA (infrequent access), One Zone-IA (non-critical infrequent), Glacier Instant Retrieval (archive with instant access), Glacier Flexible Retrieval (archive 1-12 hours), Glacier Deep Archive (long-term archive 12+ hours), Intelligent Tiering (automatic optimization).
What are the benefits and limitations of AWS Lambda?
Benefits: No server management, automatic scaling, pay-per-execution, event-driven. Limitations: 15-minute execution limit, cold starts, limited runtime environments, temporary disk space (512MB-10GB), memory limit (128MB-10GB).
What are the different EC2 pricing models?
On-Demand (pay per use), Reserved Instances (1-3 year commitment), Spot Instances (up to 90% discount, can be interrupted), Savings Plans (flexible commitment), and Dedicated Hosts (physical server dedication).
How can you optimize S3 costs?
Use appropriate storage classes, implement lifecycle policies, enable intelligent tiering, delete incomplete multipart uploads, use S3 Transfer Acceleration sparingly, and regularly review access patterns with S3 Storage Lens.
What is right-sizing in AWS and how do you implement it?
Right-sizing is selecting the most cost-effective instance types and sizes for your workload. Implement using AWS Compute Optimizer, CloudWatch metrics, AWS Cost Explorer, and regularly review utilization to downsize over-provisioned resources.
What is the difference between Standard and Convertible Reserved Instances?
Standard RIs offer higher discounts but cannot be modified once purchased. Convertible RIs offer slightly lower discounts but allow you to exchange for different instance families, sizes, or regions during the term.
What tools help with AWS cost optimization?
AWS Cost Explorer (cost analysis), AWS Budgets (cost alerts), AWS Trusted Advisor (recommendations), AWS Compute Optimizer (right-sizing), AWS Cost and Usage Reports (detailed billing), and Cost Anomaly Detection (unusual spend patterns).
How do you design a microservices architecture on AWS?
Use containers (ECS/EKS) or serverless (Lambda), API Gateway for service communication, separate databases per service, implement circuit breakers, use service discovery, implement distributed tracing with X-Ray, and use SQS/SNS for async communication.
How do you design for compliance requirements (SOC, PCI DSS, HIPAA)?
Use AWS services that are compliant, implement encryption at rest and in transit, enable logging and monitoring, implement proper access controls, perform regular security assessments, apply data residency controls, and maintain audit trails.
How do you design a global multi-region architecture?
Use multiple AWS regions, implement cross-region replication, use Route 53 for DNS failover, CloudFront for global content delivery, consider data sovereignty, implement disaster recovery across regions, and use AWS Global Accelerator for performance.
What are the components of an event-driven architecture on AWS?
Event sources (S3, DynamoDB, etc.), event routing (EventBridge), message queues (SQS), pub/sub messaging (SNS), stream processing (Kinesis), serverless compute (Lambda), and dead letter queues for error handling.
How can automation help with cost optimization?
Implement auto scaling to match demand, use scheduled actions to stop/start non-production resources, automate lifecycle policies, use Infrastructure as Code for consistent deployments, implement cost allocation tags, and automate right-sizing recommendations.