
KPLABS Course

AWS Certified Solutions Architect - Associate

Exam Preparation Section

ISSUED BY
Zeal Vora

REPRESENTATIVE
instructors@kplabs.in
Module 1: End to End VPC Creation
Understand the exact step by step approach to create VPC based infrastructure

● Create a new VPC


● Create public and private subnets.
● Understand the purpose of the route table
● Know the difference between Internet Gateway & NAT Gateway

Be very thorough with each step and concept related to the above topics.

Module 2: NAT Gateway


NAT Gateway allows instances within your private subnet to initiate connections to the internet (for example to fetch patches) but prevents the internet from initiating any new connection towards the instances. It is stateful, so replies to connections the instances opened are still allowed in.

It is recommended to replace NAT instances with NAT Gateways: they are managed, scale automatically and need no security group or source/destination-check changes.

A NAT Gateway lives in a single Availability Zone. For high availability, create one NAT Gateway in each AZ and point each private subnet's route table at the gateway in its own AZ; otherwise one AZ failure removes outbound internet access for every subnet routed through it.
Module 3: Internet Gateway

.
Module 4: EC2 Instance Types

Module 5: VPC Peering


VPC peering is a network connection between two VPCs that enables instances in both VPCs to communicate using private IP addresses. Peering is not transitive: if A is peered with B and B with C, A cannot reach C through B.

VPC peering limit: 50 active peering connections per VPC by default, which can be raised to a maximum of 125.

Other approaches like a PrivateLink endpoint service backed by an NLB can be used if there are a lot of accounts and services that need to communicate with each other across accounts, or when CIDR ranges overlap.
Unsupported VPC Peering Configurations - 1

You cannot create a VPC peering connection between VPCs with matching or overlapping IPv4
CIDR blocks.

Module 6: VPC Endpoints


VPC Endpoints allow you to connect to AWS services like S3, DynamoDB and others privately, without the traffic passing through an Internet Gateway or NAT Gateway. Gateway endpoints (S3 and DynamoDB) are entries in a route table; interface endpoints (PrivateLink) are ENIs with private IPs in your subnets. An endpoint policy can restrict which buckets or tables are reachable through the endpoint.

Module 7: Transit Gateways
A transit gateway is a network transit hub that you can use to interconnect your virtual private
clouds (VPC) and on-premises networks.

Transit Gateway enables customers to connect thousands of VPCs

You can attach all your hybrid connectivity (VPN and Direct Connect connections) to a single
Transit Gateway— consolidating and controlling your organization's entire AWS routing
configuration in one place

Module 8: Direct Connect


AWS Direct Connect (DX) lets customers establish a dedicated private network connection between the customer's network and one of the Direct Connect locations, bypassing the public internet.

For a use-case where consistent, dedicated throughput is required, DX is the right answer.

Traffic is not encrypted by default. Where encryption is required, run a Site-to-Site VPN (IPsec) over the DX connection, or use MACsec on a dedicated connection.


Module 9: Site to Site VPN
A Site-to-Site (S2S) VPN allows two network domains to communicate securely with each other over an untrusted network like the Internet, using IPsec tunnels.

The two sites can be AWS and an on-premises data center, or even two different VPCs.

Traffic is encrypted, but throughput is lower than DX and latency varies with the public internet path.

Module 10: Hybrid Connectivity


For hybrid architectures [internal networks], two options can be used:

● AWS Direct Connect


● Virtual Private Network (VPN)

If a consistent and dedicated connection is required, AWS Direct Connect is a better option.

Module 11: Miscellaneous Pointers


i) Public IP vs EIP

● Public IP changes. It is not locked to your AWS account; an instance stop and start brings a new public IP.
● EIP is static and can be moved between instances in your account.

ii) Security Group vs NACL

● Security Group is associated at the instance (ENI) level. It is stateful and has allow rules only; return traffic is permitted automatically.
● NACL is associated at the subnet level. It is stateless, has numbered allow and deny rules evaluated in order, and needs explicit rules for return traffic (ephemeral ports).
Module 12: IAM User
IAM user is an entity that you create in AWS to represent the person or application that uses it
to interact with AWS.

By default, the IAM user does not have any permission associated with it.

Module 13: IAM Policy


An IAM Policy is a JSON document that defines permissions; it grants nothing until it is attached to an identity (user, group, role) or a resource (for example an S3 bucket policy).

AWS evaluates every policy that applies to a request and, depending on the result, the request is allowed or denied. Requests are denied by default.

Module 14: Deny in IAM Policy
An explicit Deny in any applicable policy always overrides an Allow. Evaluation order: explicit deny first, then explicit allow, otherwise implicit deny.

Module 15: IAM Groups


An IAM group is a collection of IAM users.

IAM policy attached to the group is associated with all the users that are part of the group.
Module 16: IAM Role
An IAM role is similar to an IAM user, in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. Unlike a user, a role has no long-term credentials; it is assumed by a trusted principal (a user, a service such as EC2 or Lambda, or another account) and hands out temporary credentials.

Module 17: Overview of Condition Element

The Condition element lets you specify conditions for when a policy is in effect.
Module 18: Example Use-Case - IAM
Alice has created a Lambda function that monitors CPU utilization of EC2 instances. If CPU utilization is less than 10%, the Lambda function will stop the instance.

IAM Policies attached to Alice:

● CloudWatch Full Access
● Lambda Full Access
● EC2 ReadOnly Access

Final Decision: Alice can set up the Lambda function, but it will not be able to stop the EC2 instance. The function runs under its own execution role, not under Alice's permissions, and with only these policies Alice has no way to grant that role ec2:StopInstances (EC2 ReadOnly covers Describe* calls only), so the stop call gets an implicit deny.
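The three rules from Modules 13, 14, 17 and 18 (implicit deny, explicit deny beating allow, and a Condition element gating a statement) in working code. This is an added illustration, not AWS code or part of the original notes: the evaluator is a toy that mimics the documented evaluation order, and the policies (stand-ins for Alice's three managed policies, an HTTPS-only bucket policy, and a corporate-IP restriction on 10.0.0.0/8) and request contexts are constructed for the example.

```python
"""Toy evaluator for the IAM rules in Modules 13, 14, 17 and 18.

Added illustration, not AWS code. It follows the documented evaluation
order: an explicit Deny wins, otherwise any matching Allow grants, otherwise
the request is implicitly denied. Only the Condition operators used below
are implemented. The policies and request contexts are constructed."""
import fnmatch
import ipaddress


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # Action and Resource strings may contain "*" and "?" wildcards.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, ctx):
    # Every operator/key pair must hold; a key missing from the request fails.
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                return False
            values = _as_list(expected)
            if operator == "StringEquals":
                ok = actual in values
            elif operator == "Bool":
                ok = str(actual).lower() in [str(v).lower() for v in values]
            elif operator == "IpAddress":
                ok = any(ipaddress.ip_address(actual) in ipaddress.ip_network(v)
                         for v in values)
            else:
                raise ValueError(f"operator {operator} not implemented here")
            if not ok:
                return False
    return True


def evaluate(policies, action, resource, ctx=None):
    """Return ("Allow"|"Deny", reason) for one request against all policies."""
    ctx = ctx or {}
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _matches(stmt["Action"], action):
                continue
            if not _matches(stmt.get("Resource", "*"), resource):
                continue
            if "Condition" in stmt and not _condition_holds(stmt["Condition"], ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny", "explicit deny"  # wins no matter what else allows
            allowed = True
    return ("Allow", "explicit allow") if allowed else ("Deny", "implicit deny")


# Constructed stand-ins for the three managed policies attached to Alice
ALICE = [
    {"Statement": {"Effect": "Allow", "Action": "cloudwatch:*", "Resource": "*"}},
    {"Statement": {"Effect": "Allow", "Action": "lambda:*", "Resource": "*"}},
    {"Statement": {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}},
]

# Explicit Deny with a Condition, the shape of an HTTPS-only bucket policy:
# the Allow is still there, but any call over plain HTTP is refused.
BUCKET = [{"Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Deny", "Action": "s3:*",
     "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
]}]

# Condition gating an Allow: IAM changes only from a (constructed) corporate range
CORP = [{"Statement": {"Effect": "Allow", "Action": "iam:*", "Resource": "*",
                       "Condition": {"IpAddress": {"aws:SourceIp": "10.0.0.0/8"}}}}]

OBJ = "arn:aws:s3:::example-bucket/report.csv"


def demo():
    return {
        # Alice's identity can list instances, but nothing grants ec2:StopInstances
        "alice_describe": evaluate(ALICE, "ec2:DescribeInstances", "*"),
        "alice_stop": evaluate(ALICE, "ec2:StopInstances", "*"),
        "https_get": evaluate(BUCKET, "s3:GetObject", OBJ, {"aws:SecureTransport": "true"}),
        "http_get": evaluate(BUCKET, "s3:GetObject", OBJ, {"aws:SecureTransport": "false"}),
        "iam_from_corp": evaluate(CORP, "iam:CreateUser", "*", {"aws:SourceIp": "10.20.30.40"}),
        "iam_from_home": evaluate(CORP, "iam:CreateUser", "*", {"aws:SourceIp": "203.0.113.9"}),
    }
```

The http_get case is the one to remember for Module 15 as well: the Allow statement matches, yet the Deny with aws:SecureTransport=false is returned first, which is exactly how an HTTPS-only bucket policy refuses plain HTTP clients.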

Module 10: AWS Organization


Consolidated billing can be enabled via AWS Organizations.

AWS Organizations allows us to set "Service Control Policies" (SCPs) to cap the permissions available in member accounts.

Two available feature sets: Consolidated Billing only, and All Features (SCPs + Billing).

An SCP never grants access by itself; it is a boundary. To actually allow an action, an IAM policy in the member account must allow it and no SCP may deny it. SCPs do not affect the management account.

Module 11: S3 Storage Classes


At a high level, be aware of S3 storage classes.

● Standard
● Intelligent-Tiering
● Standard-IA
● One Zone-IA
● Glacier
● Glacier Deep Archive
● Reduced Redundancy (legacy; not recommended for new data)
Module 12: S3 Pointers
S3 Versioning allows users to keep multiple variants of an object in the same S3 bucket. Can
protect against accidental deletion.

Cross-region replication allows objects to be replicated across S3 buckets in different regions. Versioning must be enabled on both the source and the destination bucket. Only objects written after replication is configured are replicated; existing objects need S3 Batch Replication.

Lifecycle policies allow you to automatically review objects within your S3 Buckets and have
them moved to different S3 storage classes or have the objects deleted from S3.

Module 13: Multi-Part Uploads


Multi-Part upload is a way to upload a single object to S3 as a set of independently uploaded parts, which can be sent in parallel and retried individually. It is recommended above 100 MB and required for objects larger than 5 GB.

While uploading data via multi-part, each part carries a part number (1 to 10,000) that fixes its position in the final object; every part except the last must be at least 5 MB. On completion, S3 reassembles the parts in part-number order.
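How the part numbers and per-part checksums fit together, as an added example that is not part of the original notes and not AWS or boto3 code: CreateMultipartUpload, UploadPart and CompleteMultipartUpload are stood in for by in-memory functions so the block runs offline, and the sample data is constructed. It also shows how the ETag of a completed multipart object is derived, which lets a client verify the transfer.

```python
"""Added example for Module 13: how a multipart upload is sliced, numbered and
reassembled, and how S3 derives the ETag of the completed object. Not AWS or
boto3 code: the three S3 API calls are stood in for by in-memory functions so
it runs offline. Sample data is constructed."""
import hashlib

PART_SIZE = 5 * 1024 * 1024  # every part except the last must be >= 5 MiB in S3
MAX_PARTS = 10_000


def split_parts(data: bytes, part_size: int = PART_SIZE):
    """Return [(part_number, chunk)]; part numbers are 1-based, as in S3."""
    if part_size < 1:
        raise ValueError("part_size must be positive")
    parts = [(i // part_size + 1, data[i:i + part_size])
             for i in range(0, len(data), part_size)]
    if len(parts) > MAX_PARTS:
        raise ValueError("S3 allows at most 10,000 parts; raise part_size")
    return parts


def upload_parts(parts):
    """Stand-in for UploadPart: S3 answers each part with its MD5 as the ETag.
    The client keeps the (PartNumber, ETag) pairs for the complete call."""
    return [(n, hashlib.md5(chunk).hexdigest()) for n, chunk in parts]


def multipart_etag(part_etags):
    """ETag S3 reports for a completed multipart object: the MD5 of the
    concatenated raw part MD5s, followed by "-<number of parts>"."""
    ordered = sorted(part_etags)
    raw = b"".join(bytes.fromhex(etag) for _, etag in ordered)
    return f"{hashlib.md5(raw).hexdigest()}-{len(ordered)}"


def complete(parts, part_etags):
    """Stand-in for CompleteMultipartUpload: parts may have finished in any
    order, so reassemble by PartNumber and refuse any part whose ETag differs."""
    by_number = {n: chunk for n, chunk in parts}
    for n, etag in part_etags:
        if hashlib.md5(by_number[n]).hexdigest() != etag:
            raise ValueError(f"part {n}: ETag mismatch, part was corrupted")
    body = b"".join(by_number[n] for n in sorted(by_number))
    return body, multipart_etag(part_etags)


def local_etag(data: bytes, part_size: int = PART_SIZE):
    """What a client can compute before uploading and compare with the ETag
    S3 returns, to detect a corrupted or incomplete transfer."""
    return multipart_etag(upload_parts(split_parts(data, part_size)))


def demo(data: bytes, part_size: int):
    parts = split_parts(data, part_size)
    etags = upload_parts(parts)
    # parallel uploads finish out of order; the part numbers fix the layout
    body, etag = complete(parts, list(reversed(etags)))
    return body == data, etag, len(parts)
```

Because the multipart ETag depends on the part size, a client can only reproduce it when it knows (or controls) the part size used for the upload; an ETag ending in "-N" is the sign that an object was uploaded in N parts.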
Module 14: S3 Transfer Acceleration
S3 Transfer Acceleration utilizes the CloudFront edge network to accelerate your uploads to S3.

Instead of uploading directly to S3, you can use a unique URL to directly upload to the edge
location which will then transfer the file to S3.

Module 15: S3 also needs Encryption


There are three server-side ways in which S3 encrypts data at rest (client-side encryption, where you encrypt before upload, is the fourth option):

i) Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3), now applied by default to new objects

ii) Server-Side Encryption with AWS KMS keys (SSE-KMS)

iii) Server-Side Encryption with Customer-Provided Keys (SSE-C)

S3 Encryption - Use-Case

For use-cases where you want the encryption keys to be highly available and also need control of keys on a per-user basis (key policies, per-key access, CloudTrail audit of every key use), the following options can be used:

SSE-KMS with an AWS managed key

SSE-KMS with a customer managed key. The key material can optionally be held in a KMS custom key store backed by CloudHSM.

For use-cases where data must be encrypted in transit (HTTPS), you can use a bucket policy that denies every request whose aws:SecureTransport condition key is false, so plain HTTP connections are refused.
Module 16: Presigned URLs
All objects in S3 are 'Private' by default.

However, the object owner can optionally share objects with others by creating a pre-signed URL that grants time-limited permission to download (or upload) the object. The URL carries the signer's permissions: anyone holding it can use it until it expires, so keep lifetimes short and never embed one in a public page.
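What a presigned URL actually contains and why it is time-limited, as an added example that is not part of the original notes and not AWS or boto3 code: it implements SigV4 query-string signing for a GET, then the service-side check that recomputes the signature and enforces the expiry. The bucket, key, region, credentials and timestamp are constructed for the example.

```python
"""Added example for Module 16: how a presigned S3 GET URL is produced with
SigV4 query-string signing and how the service side checks it. Not AWS or
boto3 code; bucket, key, region, credentials and timestamps are constructed.
The signature covers host, path, every X-Amz-* parameter and the signing
date, so the holder gets exactly that object and only until X-Amz-Expires
seconds after X-Amz-Date."""
import datetime as dt
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

MAX_EXPIRES = 7 * 24 * 3600  # S3 rejects presigned URLs valid for more than 7 days


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _signing_key(secret: str, date: str, region: str) -> bytes:
    # SigV4 key derivation: secret -> date -> region -> service -> terminator
    k = ("AWS4" + secret).encode()
    for part in (date, region, "s3", "aws4_request"):
        k = _hmac(k, part)
    return k


def _canonical_query(params):
    return "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                    for k, v in sorted(params.items()))


def _signature(host, canonical_uri, params, secret, region):
    amz_date = params["X-Amz-Date"]
    scope = f"{amz_date[:8]}/{region}/s3/aws4_request"
    canonical_request = "\n".join(["GET", canonical_uri, _canonical_query(params),
                                   f"host:{host}", "", "host", "UNSIGNED-PAYLOAD"])
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    return hmac.new(_signing_key(secret, amz_date[:8], region),
                    string_to_sign.encode(), hashlib.sha256).hexdigest()


def presign_get(bucket, key, region, access_key, secret, when, expires=3600):
    """Return a time-limited GET URL for s3://bucket/key (virtual-hosted style)."""
    if not 1 <= expires <= MAX_EXPIRES:
        raise ValueError("expires must be between 1 second and 7 days")
    host = f"{bucket}.s3.{region}.amazonaws.com"
    amz_date = when.strftime("%Y%m%dT%H%M%SZ")
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{amz_date[:8]}/{region}/s3/aws4_request",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    canonical_uri = "/" + quote(key, safe="/-_.~")  # path encoded once, "/" kept
    sig = _signature(host, canonical_uri, params, secret, region)
    return f"https://{host}{canonical_uri}?{_canonical_query(params)}&X-Amz-Signature={sig}"


def verify_presigned_get(url, secret, now):
    """Service-side check: recompute the signature from the URL's own fields,
    compare in constant time, then enforce the expiry window."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query))
    presented = params.pop("X-Amz-Signature", "")
    region = params["X-Amz-Credential"].split("/")[2]
    expected = _signature(parts.netloc, parts.path, params, secret, region)
    if not hmac.compare_digest(presented, expected):
        return False, "signature mismatch"
    issued = dt.datetime.strptime(params["X-Amz-Date"], "%Y%m%dT%H%M%SZ")
    issued = issued.replace(tzinfo=dt.timezone.utc)
    if now > issued + dt.timedelta(seconds=int(params["X-Amz-Expires"])):
        return False, "expired"
    return True, "ok"


WHEN = dt.datetime(2024, 1, 1, 12, 0, tzinfo=dt.timezone.utc)  # constructed
SECRET = "constructed-secret-for-the-example"


def demo():
    url = presign_get("example-bucket", "reports/q1 2024.csv", "us-east-1",
                      "AKIAEXAMPLE", SECRET, WHEN, 3600)
    return {
        "url": url,
        "in_window": verify_presigned_get(url, SECRET, WHEN + dt.timedelta(minutes=30)),
        "after_window": verify_presigned_get(url, SECRET, WHEN + dt.timedelta(seconds=3601)),
        # renaming the object in the URL breaks the signature: it cannot be re-pointed
        "tampered": verify_presigned_get(url.replace("q1%202024", "q2%202024"), SECRET, WHEN),
        "wrong_secret": verify_presigned_get(url, "not-the-secret", WHEN),
    }
```

Two practical consequences follow from the code: the expiry is checked against the signing time in the URL, not against when the link was shared, so a URL minted with a long X-Amz-Expires stays valid even after the creator has forgotten it; and because the signature is keyed with the signer's secret, revoking that IAM principal's credentials is the only way to cancel a URL before it expires.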

Module 17: Cross-Account Access


ORG has two AWS accounts. Account A has all the S3 buckets, Account B has all the EC2 instances.

EC2 instances need to periodically back up all their data to an S3 bucket in Account A.

How to achieve the use-case? Attach an IAM role to the EC2 instances in Account B that allows s3:PutObject on the bucket, and add a bucket policy in Account A that allows that role's ARN (the Account B principal) to put objects into the bucket. No long-term access keys need to be copied between accounts.


Module 18: Bucket Owner Full Control
By default, an S3 object is owned by the AWS account that uploaded it. This is true even when the bucket is owned by another account.

To get access to the object, the object owner must explicitly grant you (the bucket owner) access, for example by uploading with the bucket-owner-full-control canned ACL:

aws s3 cp example.jpg s3://awsexamplebucket --acl bucket-owner-full-control

A bucket policy can require this ACL on every PutObject. The newer alternative is S3 Object Ownership set to "Bucket owner enforced", which disables ACLs and makes the bucket owner own every object regardless of who uploads it.

Module 19: RTO vs RPO


Recovery Time Objective (RTO) is the maximum acceptable time it takes to recover your infrastructure and business operations after a disaster has struck.

Recovery Point Objective (RPO) is concerned with data: the maximum acceptable amount of data loss, expressed as the time between the last good copy and the disaster.
Module 20: Route53 Health Checks
Amazon Route 53 health checks monitor the health of your resources, such as web servers.

For an HTTP/HTTPS health check, the endpoint must return an HTTP 2xx or 3xx status code within the timeout.

If the health check fails, a failover routing policy can send traffic to a secondary record, for example a static website hosted in an S3 bucket.

Module 21: Route53 Routing Policies


Module 22: AMI
Amazon Machine Image (AMI) is the master image from which new EC2 instances can be
launched.

You can also copy the AMI to a different AWS Region and share it across AWS accounts.

Module 23: Load Balancing


Know the use case where each type of load balancer type can be used.
Module 24: Auto-Scaling

You should know basic auto-scaling concepts like Launch Configurations, Launch Templates and Auto-Scaling Groups.

● Launch Configuration / Launch Template: specify AMI ID, instance type, key pair, security groups, user data.
● Auto-Scaling Group: how many instances you want to run (min, max, desired) and in which subnets.

You cannot modify a launch configuration after it is created; for any update, create a new one. Launch templates are the newer, versioned replacement and are what AWS recommends for new groups.

Module 25: Scaling Types


Module 26: DynamoDB

Understand the distinction on when to use DynamoDB or when to use RDS.

● If you need a relational database with joins, complex queries and ACID transactions → Use RDS
● If you have key-value or document data with simple access patterns and need consistent single-digit-millisecond latency at any scale → Use DynamoDB

For use-cases where you expect large traffic and want to serve requests with minimal latency, you can increase the Read Capacity and Write Capacity Units of a DynamoDB table, or switch the table to on-demand capacity mode.

Module 27: RDS Read Replicas

Amazon RDS Read Replicas enable you to create one or more read-only copies of your
database instance within the same AWS Region or in a different AWS Region.

If database reads are causing high I/O and slowing down the database, you can decide to
launch multiple read replicas.
Module 28: Scalability Aspect - RDS
Multi-AZ

● Useful for High-Availability Aspect.


● Standby instance cannot be accessed.
● Automated failover taken care by AWS.
● DNS Names do not change on failover.

Read replicas:

Useful for Scalability Aspect.


Can be used for DR with Read Replica across different region.
For use-case where DB slows down while generating reports, read replica is a good option.

Module 29: Aurora Global Database

Aurora Global Database allows a single Amazon Aurora database to span multiple AWS
regions.

It replicates your data with no impact on database performance, enables fast local reads with
low latency in each region, and provides disaster recovery from region-wide outages.
Module 30: EBS and Instance Store Volumes
EBS volumes:

● Persistent storage; data survives instance stop and termination (unless delete-on-termination is set, as it is by default for root volumes).
● Size can be increased and the volume type changed while the volume is attached to a running EC2 instance.

Instance Store:

● Size cannot be increased.
● It is not portable, as it is physically attached to the host; data is lost when the instance stops, hibernates or terminates, or when the host fails.

Module 31: Amazon FSx

Amazon FSx provides highly cost-effective, fully managed, shared cloud file storage for
Windows and Linux applications.

Module 32: Elastic File System


Amazon Elastic File System (Amazon EFS) provides a simple, scalable, elastic file system for
Linux-based workloads for use with AWS Cloud services and on-premises resources.

It is built to scale on-demand to petabytes without disrupting applications, growing and shrinking
automatically as you add and remove files

It is designed to provide massively parallel shared access to thousands of Amazon EC2 instances.
Module 33: Storage Migration
Module 34: Storage Gateway
AWS Storage Gateway is a hybrid storage service that allows on-premises applications to easily use cloud storage (file, volume and tape gateways).

Module 35: Data Migration Use-Cases


Be ready with use-cases related to data migration and associated services.

Example Use-Case:

Organization has a 50 Mbps connection and there is 500 TB of data that they want to migrate to S3 in the next 2 weeks. Which services can be used?

● VPN
● S3 Transfer Acceleration
● Direct Connect
● Snowball

Reasoning: 500 TB is 4 × 10^15 bits; at 50 Mbps (5 × 10^7 bits per second) that is 8 × 10^7 seconds, roughly 925 days even with the link fully saturated, so no online option fits. Only Snowball (shipping a physical device) meets the two-week window.

Module 36: Typical Types of Data Transfer


AWS data transfer costs are the costs associated with transferring data either within AWS (between services like EC2 and S3, between AZs or between regions) or between AWS and the public internet.

i) Internet egress (most expensive)
ii) Region to Region
iii) Inter Availability Zone
iv) VPC Peering (free within an AZ, charged across AZs and regions)

To minimize data transfer costs, place the application in the same region and, where possible, the same AZ as the AWS resources it talks to, and use VPC endpoints so S3/DynamoDB traffic does not pass through a NAT Gateway or the internet.
Module 37: Data Sync
AWS DataSync makes it simple and fast to move large amounts of data online between
on-premises storage and Amazon S3, Amazon Elastic File System (Amazon EFS), or Amazon
FSx for Windows File Server.

Module 38: Simple Notification Service


SNS integrates with various AWS services; CloudWatch alarms, for example, publish to an SNS topic when they change state.

SNS itself is a push service with no polling interval. The 5-minute figure belongs to CloudWatch: EC2 basic monitoring publishes metrics every 5 minutes, and detailed monitoring must be enabled for 1-minute metrics (and therefore 1-minute alarm notifications).


Module 39: Placement Groups
Placement groups are recommended for applications that require low latency and high network throughput. Cluster groups pack instances into one AZ for the lowest latency; spread and partition groups place instances on distinct hardware to reduce correlated failures.

Module 40: CloudFront


If you have your website running in one region, however, users are spread across the world
(global users), then you can decide to make use of CloudFront to reduce the latency.

Catch-Word: Content Delivery Network

CloudFront has a feature of “Geo Restriction”. With Geo Restriction, you can choose the
countries where you want Amazon CloudFront to deliver your content.
Module 41: Lambda@Edge
Lambda@Edge is a feature of Amazon CloudFront that lets you run code closer to users of your
application, which improves performance and reduces latency.

For use-cases where you don’t want to modify application code but want to achieve certain
use-cases, Lambda@Edge can be used. For example, adding compression to reduce data
transfer costs.

Module 42: AWS WAF and AWS Shield


AWS WAF protects against Layer 7 attacks like SQL Injection and XSS, and also supports IP allow/deny lists, rate-based rules (rate limiting) and managed rule groups.

WAF can be associated with CloudFront, ALB and API Gateway.

AWS Shield Standard (automatic and free) and AWS Shield Advanced can be used for DDoS protection.

Migrating DNS to Route 53 is also a good option if DDoS is a consideration, since it is a globally distributed service with DDoS protection built in.

Module 43: Global Accelerator

AWS Global Accelerator is a service that improves the availability and performance of your
applications with local or global users.

It provides static IP addresses that act as a fixed entry point to your application endpoints in a
single or multiple AWS Region
Module 44: Simple Queue Service
AWS SQS is a fast, reliable, scalable, and fully managed message queuing service.

For use cases where the first application is faster and the second application is slower, you can decide to decouple them via an SQS queue so the producer is never blocked by the consumer.
Module 45: S3 Object Notification with SQS

You can configure S3 object notification and integrate it with multiple AWS services including
SQS, SNS.

Example Use-Case:

Publish events of the s3:ObjectCreated:* type to an Amazon SQS queue.

Publish events of the s3:ReducedRedundancyLostObject type to an Amazon SNS topic.

Module 46: Serverless


If a question has a keyword of “serverless” for its use case, make sure to select serverless
services from the solution.

● AWS Lambda, SNS, SQS, Kinesis


● Lambda@Edge, Athena, Step Function
● Fargate, S3
● DynamoDB, API Gateway
● AWS EFS

Avoid services like EC2.

Module 47: API Gateway


Amazon API Gateway is an AWS service for creating, publishing, maintaining, monitoring, and
securing APIs at any scale.

API developers can create APIs that access AWS or other web services, as well as data stored
in the AWS Cloud.

Module 48: IAM Role for ECS Tasks


With IAM roles for Amazon ECS tasks, you can specify an IAM role that can be used by the
containers in a task.

To specify IAM role for the tasks, if you use the AWS CLI or SDKs, specify your task role ARN
using the taskRoleArn parameter.
Module 49: Miscellaneous Pointers
If you are facing spam or attack by a specific set of IP addresses, you can block them at the
Network ACL level and even WAF.

For increasing security for AWS logins, you can consider using MFA + Strong Passwords.

If you are using CloudFront and want to block a specific set of IPs, you can associate WAF with
CloudFront.

For I/O performance-related use-cases, do note that it is associated at the storage level (EBS)
and not the EC2 level.

Resiliency is the ability of a server, network, storage system, or entire data center, to recover
quickly and continue operating even when there has been an equipment failure, power outage,
or other disruption.

For use-cases where there can be unpredictable growth and burst in traffic, you can prefer
serverless services like DynamoDB, Lambda, API Gateway, and others.

Static websites can be hosted in S3 instead of EC2 instances. This can save a good amount of
costs.

Best of Luck for Exams, Rockstar!

Join Our Discord Community

We invite you to join our Discord community, where you can interact with our support team for
any course-based technical queries and connect with other students who are doing the same
course.

Joining URL:

http://kplabs.in/chat
