AWS Solution Architect Associate Exam Guide
Domain 1: Design Secure Architecture
Task Statement 1: Design secure access to AWS resources.
Knowledge of:
• Access controls and management across multiple accounts
AWS Organizations
Consolidated billing
• AWS federated access and identity services (for example, AWS Identity and Access Management [IAM], AWS Single Sign-On [AWS SSO])
IAM
Groups
Users
roles (temporary access, nullifies all previous permissions)
AWS IAM Identity Center (SSO)
SSO
is an authentication scheme that allows access to independent software systems with only one sign-on, e.g. capgemini gitlab, capgemini vpn, capgemini myconnecthr, etc.
Workforce identities (users)
human beings who are members of your organization and are in your AWS IAM Identity Center
Application Assignments for SAML application
with app assignments you can access various apps, like Microsoft 365 or Salesforce, with single sign-on
Identity Center enabled applications
AWS apps and services
Multi-account permissions
Configure permissions for various accounts in one place
?Q? can we configure IAM for multiple accounts in AWS Organizations? Like in one place?
AWS access portal
it is a portal where
Workforce identities
can see their permissions
• AWS global infrastructure (for example, Availability Zones, AWS Regions)
regions
AZ
subnets limited to AZ
VPC limited to region
?Q? local zones
• AWS security best practices (for example, the principle of least privilege)
give only the permissions needed for the job to be done and no more.
https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/permissions-management.html
• The AWS shared responsibility model
AWS is responsible for what is
of the cloud
and customers are responsible for what is
in the cloud
Skills in:
• Applying AWS security best practices to IAM users and root users (for example, multi-factor authentication [MFA])
just look at Trusted Advisor
• Designing a flexible authorization model that includes IAM users, groups, roles, and policies
configuring IAM, already done it in my personal aws
• Designing a security strategy for multiple AWS accounts (for example, AWS Control Tower, service control policies [SCPs])
https://docs.aws.amazon.com/controltower/?id=docs_gateway
Service control policies
does not grant anything, only prohibits
works at the AWS Organizations level and needs to be enabled to work
• Determining the appropriate use of resource policies for AWS services
just thinking
• Determining when to federate a directory service with IAM roles
https://aws.amazon.com/blogs/security/aws-federated-authentication-with-active-directory-federation-services-ad-fs/
Active Directory Federation Services: Active Directory authenticates the user. The user goes to AWS and gets a token (STS) or something, and then with the token gets access to the AWS console. That's how a federated directory works.
• Designing a role-based access control strategy (for example, AWS Security Token Service [AWS STS], role switching, cross-account access)
Cross account access
https://aws.amazon.com/premiumsupport/knowledge-center/cross-account-access-iam/
https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html
AWS Security Token Service API
gives temporary, limited-privilege credentials for IAM users
role switching
switch roles
Task Statement 2: Design secure workloads and applications.
Knowledge of:
• Application configuration and credentials security
https://docs.aws.amazon.com/general/latest/gr/aws-security-credentials.html
• AWS service endpoints
https://docs.aws.amazon.com/general/latest/gr/aws-service-information.html
• Control ports, protocols, and network traffic on AWS
security groups
ec2
NACLs
subnets
?Q? • Secure application access
• Security services with appropriate use cases (for example, Amazon Cognito, Amazon GuardDuty, Amazon Macie)
Amazon Cognito
it is a service that handles authentication and sign-up, and we can add it to our application
Amazon GuardDuty
a service that monitors my AWS cloud and searches for malicious activities and unauthorized access
Amazon Macie
using machine learning, it somehow protects your sensitive data
• Threat vectors external to AWS (for example, DDoS, SQL injection)
AWS Shield Standard
https://docs.aws.amazon.com/waf/latest/developerguide/ddos-overview.html
Skills in:
• Designing VPC architectures with security components (for example, security groups, route tables, network ACLs, NAT gateways)
done in labs
• Determining network segmentation strategies (for example, using public subnets and private subnets)
boom in labs
• Integrating AWS services to secure applications (for example, AWS Shield, AWS WAF, AWS SSO, AWS Secrets Manager)
AWS Shield protects from DDoS
AWS WAF protects from bots; it is like a firewall
AWS SSO for single sign-on
AWS Secrets Manager keeps DB credentials, API keys and other sensitive data, and we can also rotate them
• Securing external network connections to and from the AWS Cloud (for example, VPN, AWS Direct Connect)
transit gateway
is kind of a router for VPC to on-prem and VPC to VPC too.
AWS Direct connect
is a connection to the AWS Cloud from on-prem
Task Statement 3: Determine appropriate data security controls.
Knowledge of:
• Data access and governance
IAM policies
S3 bucket policy
• Data recovery
• Data retention and classification
https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/data-classification.html
• Encryption and appropriate key management
AWS Key Management Service
Data encryption
https://docs.aws.amazon.com/whitepapers/latest/introduction-aws-security/data-encryption.html
Skills in:
?Q? • Aligning AWS technologies to meet compliance requirements
• Encrypting data at rest (for example, AWS Key Management Service [AWS KMS])
encrypt data at rest
means that this data is encrypted on a hard drive, unlike encryption in transit (HTTPS)
https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/protecting-data-at-rest.html
S3
SSE-S3
SSE-C (customer keys)
SSE-KMS
• Implementing data backups and replications
disaster recovery options
https://docs.aws.amazon.com/whitepapers/latest/disaster-recovery-workloads-on-aws/disaster-recovery-options-in-the-cloud.html
• Implementing policies for data access, lifecycle, and protection
S3 has lifecycle, bucket ACLs and protection things
• Rotating encryption keys and renewing certificates
key rotation
https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
Rotating SSL/TLS certificates
https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
• Encrypting data in transit (for example, AWS Certificate Manager [ACM] using TLS)
AWS Certificate Manager enforces TLS (Transport Layer Security) or HTTPS
https://docs.aws.amazon.com/whitepapers/latest/logical-separation/encrypting-data-at-rest-and--in-transit.html
Also, at the lower layers of the ISO OSI model, Amazon transparently encrypts data, except at layer 7 (the application layer)
• Implementing access policies for encryption keys
AWS KMS key policies
https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
Domain 2: Design Resilient Architectures
Task Statement 1: Design scalable and loosely coupled architectures.
Knowledge of:
• API creation and management (for example, Amazon API Gateway, REST API)
Amazon API Gateway (SERVICE)
is an easy way to create, publish and manage your APIs
REST API
WebSocket API
• Caching strategies
AWS ElastiCache
something like Redis, an in-memory DB
Caching strategies
Lazy Loading
cache hit
cache is in db. Application requests from ElastiCache
Cache miss
No cache or expired cache. App requests DB then updates cache in ElastiCache db.
Pros and cons
pros
2 more items...
cons
2 more items...
Write through
if data is added or updated in db it will be added or updated in cache (not db replica though)
pros and cons
pros
2 more items...
cons
2 more items...
TTL
expiration date of record in cache
• Design principles for microservices (for example, stateless workloads compared with stateful workloads)
loose coupling
one service does one thing
ability to scale out (stateless and stateful)
• Event-driven architectures
everything is around events and triggers
• Horizontal scaling and vertical scaling
vertical is more ec2 instances horizontal is chonkier ec2 instance
• How to appropriately use edge accelerators (for example, content delivery network [CDN])
we use cdn if we want to cache content and speed up delivery of this content to users
• Load balancing concepts (for example, Application Load Balancer)
app load balancer redirecting traffic
• Multi-tier architectures
microservice arch (web tier, backend tier, DB tier)
• Queuing and messaging concepts (for example, publish/subscribe)
SQS and SNS
• Serverless technologies and patterns (for example, AWS Fargate, AWS Lambda)
Fargate uses ECS for serverless computing
AWS Lambda is functions that run in AWS
• The orchestration of containers (for example, Amazon Elastic Container Service [Amazon ECS], Amazon Elastic Kubernetes Service [Amazon EKS])
EKS: AWS manages Kubernetes
ECS manages containers
• When to use read replicas
when we need more read capacity
• Workflow orchestration (for example, AWS Step Functions)
AWS Step Functions
serverless function orchestrator
• AWS managed services with appropriate use cases (for example, AWS Transfer Family, Amazon Simple Queue Service [Amazon SQS], Secrets Manager)
?Q?
• Storage types with associated characteristics (for example, object, file, block)
s3 object
EFS
EBS
• How to migrate applications into containers
make a dockerfile and then create image and then container from image
Skills in:
• Designing event-driven, microservice, and/or multi-tier architectures based on requirements
ok
• Determining when to use serverless technologies and patterns
ok
• Recommending appropriate compute, storage, networking, and database technologies based on requirements
it depends
• Using purpose-built AWS services for workloads
ok
• Determining scaling strategies for components used in an architecture design
auto scaling group, or AWS managed services (they usually scale out automatically)
• Determining the AWS services required to achieve loose coupling based on requirements
SQS
microarchitecture
• Determining when to use containers
when needed
Task Statement 2: Design highly available and/or fault-tolerant architectures.
Knowledge of:
• AWS global infrastructure (for example, Availability Zones, AWS Regions, Amazon Route 53)
yep
• Basic networking concepts (for example, route tables)
yep
• Disaster recovery (DR) strategies (for example, backup and restore, pilot light, warm standby, active-active failover, recovery point objective [RPO], recovery time objective [RTO])
backup and restore (cheap)
pilot light (more expensive) (active passive)
warm standby (more more expensive) (active-passive)
active-active failover (the most expensive)
2 active all works
active - primary resources, passive - secondary resources that are passive (not used) if primary works
Recovery point objective (RPO) - the amount of data that can be lost during downtime
Recovery time objective (RTO) - the maximum acceptable time for an app to be offline
• Failover strategies
active-active
active-passive
• Immutable infrastructure
• Load balancing concepts (for example, Application Load Balancer)
ok
• Proxy concepts (for example, Amazon RDS Proxy)
RDS Proxy
it is a proxy between the DB and the app
can handle a lot of connections
it is kind of load balancer for db instances
easier time to secure one proxy than db
• Service quotas and throttling (for example, how to configure the service quotas for a workload in a standby environment)
https://docs.aws.amazon.com/AmazonECS/latest/bestpracticesguide/operating-at-scale-service-quotas.html
• Storage options and characteristics (for example, durability, replication)
s3 replication and durability
EBS replication and durability
EFS
• Workload visibility (for example, AWS X-Ray)
AWS X-Ray
monitoring your apps
helps analyze and debug your apps
• AWS managed services with appropriate use cases (for example, Amazon Comprehend, Amazon Polly)
learn more about services
• Distributed design patterns
distributed system
is a system that contains multiple computing machines working on one thing
types:
offline
distributed system
render farms, big data analysis cluster
soft real-time
distributed system
needs to continually produce or update results within a generous time window. Search indexer
hard real-time
distributed system
request/reply system, when customer actively waits for reply. Frontend web server, AWS API, credit card transactions
sending a message is hard
request/reply messaging across a network requires 8 steps
each of these steps requires error handling logic
a single method can fail even if the method is bug-free
https://aws.amazon.com/builders-library/challenges-with-distributed-systems/
Skills in:
• Determining automation strategies to ensure infrastructure integrity
• Determining the AWS services required to provide a highly available and/or fault-tolerant architecture across AWS Regions or Availability Zones
• Identifying metrics based on business requirements to deliver a highly available solution
• Implementing strategies to ensure the durability and availability of data (for example, backups)
• Using AWS services that improve the reliability of legacy applications and applications not built for the cloud (for example, when application changes are not possible)
• Using purpose-built AWS services for workloads
• Implementing designs to mitigate single points of failure
• Selecting an appropriate DR strategy to meet business requirements
Domain 3: Design High-Performing Architectures
Task Statement 1: Determine high-performing and/or scalable storage solutions.
Knowledge of:
• Hybrid storage solutions to meet business requirements
• Storage services with appropriate use cases (for example, Amazon S3, Amazon Elastic File System [Amazon EFS], Amazon Elastic Block Store [Amazon EBS])
• Storage types with associated characteristics (for example, object, file, block)
Skills in:
• Determining storage services and configurations that meet performance demands
• Determining storage services that can scale to accommodate future needs
Task Statement 2: Design high-performing and elastic compute solutions.
Knowledge of:
• AWS compute services with appropriate use cases (for example, AWS Batch, Amazon EMR, Fargate)
• Distributed computing concepts supported by AWS global infrastructure and edge services
• Scalability capabilities with appropriate use cases (for example, Amazon EC2 Auto Scaling, AWS Auto Scaling)
• Serverless technologies and patterns (for example, Lambda, Fargate)
• The orchestration of containers (for example, Amazon ECS, Amazon EKS)
• Queuing and messaging concepts (for example, publish/subscribe)
Skills in:
• Decoupling workloads so that components can scale independently
• Identifying metrics and conditions to perform scaling actions
• Selecting the appropriate compute options and features (for example, EC2 instance types) to meet business requirements
• Selecting the appropriate resource type and size (for example, the amount of Lambda memory) to meet business requirements
Task Statement 3: Determine high-performing database solutions.
Knowledge of:
• AWS global infrastructure (for example, Availability Zones, AWS Regions)
• Caching strategies and services (for example, Amazon ElastiCache)
• Data access patterns (for example, read-intensive compared with write-intensive)
• Database capacity planning (for example, capacity units, instance types, Provisioned IOPS)
• Database connections and proxies
• Database engines with appropriate use cases (for example, heterogeneous migrations, homogeneous migrations)
• Database replication (for example, read replicas)
• Database types and services (for example, serverless, relational compared with non-relational, in-memory)
Skills in:
• Configuring read replicas to meet business requirements
• Designing database architectures
• Determining an appropriate database engine (for example, MySQL compared with PostgreSQL)
• Determining an appropriate database type (for example, Amazon Aurora, Amazon DynamoDB)
• Integrating caching to meet business requirements
Task Statement 4: Determine high-performing and/or scalable network architectures.
Knowledge of:
• Edge networking services with appropriate use cases (for example, Amazon CloudFront, AWS Global Accelerator)
• How to design network architecture (for example, subnet tiers, routing, IP addressing)
• Load balancing concepts (for example, Application Load Balancer)
• Network connection options (for example, AWS VPN, Direct Connect, AWS PrivateLink)
Skills in:
• Creating a network topology for various architectures (for example, global, hybrid, multi-tier)
• Determining network configurations that can scale to accommodate future needs
• Determining the appropriate placement of resources to meet business requirements
• Selecting the appropriate load balancing strategy
Task Statement 5: Determine high-performing data ingestion and transformation solutions.
Knowledge of:
• Data analytics and visualization services with appropriate use cases (for example, Amazon Athena, AWS Lake Formation, Amazon QuickSight)
• Data ingestion patterns (for example, frequency)
• Data transfer services with appropriate use cases (for example, AWS DataSync, AWS Storage Gateway)
• Data transformation services with appropriate use cases (for example, AWS Glue)
• Secure access to ingestion access points
• Sizes and speeds needed to meet business requirements
• Streaming data services with appropriate use cases (for example, Amazon Kinesis)
Skills in:
• Building and securing data lakes
• Designing data streaming architectures
• Designing data transfer solutions
• Implementing visualization strategies
• Selecting appropriate compute options for data processing (for example, Amazon EMR)
• Selecting appropriate configurations for ingestion
• Transforming data between formats (for example, .csv to .parquet)
Domain 4: Design Cost-Optimized Architectures
Task Statement 1: Design cost-optimized storage solutions.
Knowledge of:
• Access options (for example, an S3 bucket with Requester Pays object storage)
• AWS cost management service features (for example, cost allocation tags, multi-account billing)
• AWS cost management tools with appropriate use cases (for example, AWS Cost Explorer, AWS Budgets, AWS Cost and Usage Report)
• AWS storage services with appropriate use cases (for example, Amazon FSx, Amazon EFS, Amazon S3, Amazon EBS)
• Backup strategies
• Block storage options (for example, hard disk drive [HDD] volume types, solid state drive [SSD] volume types)
• Data lifecycles
• Hybrid storage options (for example, DataSync, Transfer Family, Storage Gateway)
• Storage access patterns
• Storage tiering (for example, cold tiering for object storage)
• Storage types with associated characteristics (for example, object, file, block)
Skills in:
• Designing appropriate storage strategies (for example, batch uploads to Amazon S3 compared with individual uploads)
• Determining the correct storage size for a workload
• Determining the lowest cost method of transferring data for a workload to AWS storage
• Determining when storage auto scaling is required
• Managing S3 object lifecycles
• Selecting the appropriate backup and/or archival solution
• Selecting the appropriate service for data migration to storage services
• Selecting the appropriate storage tier
• Selecting the correct data lifecycle for storage
• Selecting the most cost-effective storage service for a workload
Task Statement 2: Design cost-optimized compute solutions.
Knowledge of:
• AWS cost management service features (for example, cost allocation tags, multi-account billing)
• AWS cost management tools with appropriate use cases (for example, Cost Explorer, AWS Budgets, AWS Cost and Usage Report)
• AWS global infrastructure (for example, Availability Zones, AWS Regions)
• AWS purchasing options (for example, Spot Instances, Reserved Instances, Savings Plans)
• Distributed compute strategies (for example, edge processing)
• Hybrid compute options (for example, AWS Outposts, AWS Snowball Edge)
• Instance types, families, and sizes (for example, memory optimized, compute optimized, virtualization)
• Optimization of compute utilization (for example, containers, serverless computing, microservices)
• Scaling strategies (for example, auto scaling, hibernation)
Skills in:
• Determining an appropriate load balancing strategy (for example, Application Load Balancer [Layer 7] compared with Network Load Balancer [Layer 4] compared with Gateway Load Balancer)
• Determining appropriate scaling methods and strategies for elastic workloads (for example, horizontal compared with vertical, EC2 hibernation)
• Determining cost-effective AWS compute services with appropriate use cases (for example, Lambda, Amazon EC2, Fargate)
• Determining the required availability for different classes of workloads (for example, production workloads, non-production workloads)
• Selecting the appropriate instance family for a workload
• Selecting the appropriate instance size for a workload
Task Statement 3: Design cost-optimized database solutions.
Knowledge of:
• AWS cost management service features (for example, cost allocation tags, multi-account billing)
• AWS cost management tools with appropriate use cases (for example, Cost Explorer, AWS Budgets, AWS Cost and Usage Report)
• Caching strategies
• Data retention policies
• Database capacity planning (for example, capacity units)
• Database connections and proxies
• Database engines with appropriate use cases (for example, heterogeneous migrations, homogeneous migrations)
• Database replication (for example, read replicas)
• Database types and services (for example, relational compared with non-relational, Aurora, DynamoDB)
Skills in:
• Designing appropriate backup and retention policies (for example, snapshot frequency)
• Determining an appropriate database engine (for example, MySQL compared with PostgreSQL)
• Determining cost-effective AWS database services with appropriate use cases (for example, DynamoDB compared with Amazon RDS, serverless)
• Determining cost-effective AWS database types (for example, time series format, columnar format)
• Migrating database schemas and data to different locations and/or different database engines
Task Statement 4: Design cost-optimized network architectures.
Knowledge of:
• AWS cost management service features (for example, cost allocation tags, multi-account billing)
• AWS cost management tools with appropriate use cases (for example, Cost Explorer, AWS Budgets, AWS Cost and Usage Report)
• Load balancing concepts (for example, Application Load Balancer)
• NAT gateways (for example, NAT instance costs compared with NAT gateway costs)
• Network connectivity (for example, private lines, dedicated lines, VPNs)
• Network routing, topology, and peering (for example, AWS Transit Gateway, VPC peering)
• Network services with appropriate use cases (for example, DNS)
Skills in:
• Configuring appropriate NAT gateway types for a network (for example, a single shared NAT gateway compared with NAT gateways for each Availability Zone)
• Configuring appropriate network connections (for example, Direct Connect compared with VPN compared with internet)
• Configuring appropriate network routes to minimize network transfer costs (for example, Region to Region, Availability Zone to Availability Zone, private to public, Global Accelerator, VPC endpoints)
• Determining strategic needs for content delivery networks (CDNs) and edge caching
• Reviewing existing workloads for network optimizations
• Selecting an appropriate throttling strategy
• Selecting the appropriate bandwidth allocation for a network device (for example, a single VPN compared with multiple VPNs, Direct Connect speed)