2024 AWS SOLUTIONS ARCHITECT
TERMS-UDEMY TRAINING EXAM
WITH CORRECT ANSWERS
IAM Policy - CORRECT-ANSWERS Anatomy of a Policy: Explicit DENY has precedence over ALLOW
JSON doc with outline of:
- Effect
- Action
- Resource
- Conditions
- Policy Variables
VPC Basics - Security Groups - CORRECT-ANSWERS
• Security Groups
• Applied at the instance level, only support for allow rules, no deny rules
• Stateful = return traffic is automatically allowed, regardless of rules
• Can reference other security groups in the same region (peered VPC, cross-account)
VPC Basics - Flow Logs - CORRECT-ANSWERS
• VPC Flow Logs
• Log internet traffic going through your VPC
• Can be defined at the VPC level, Subnet level, or ENI level
• Helpful to capture "denied internet traffic"
• Can be sent to CloudWatch Logs and Amazon S3
VPC Basics - Bastion Hosts - CORRECT-ANSWERS
• Bastion Hosts
• SSH into private EC2 instances through a public EC2 instance (bastion host)
• You must manage these instances yourself (failover, recovery)
• SSM Session Manager is a more secure way to remote control without SSH
VPC Basics - IPv6 in short - CORRECT-ANSWERS
• IPv6 in short
• All IPv6 addresses are public, total 3.4×10^38 addresses (vs 4.3 billion IPv4)
• Example CIDR: 2600:1f18:80c:a900::/56
• Addresses are "random" and can't be scanned online (because too many)
• VPC support for IPv6
• Create an IPv6 CIDR for VPC & use an IGW (supports IPv6)
• Public subnet:
• Create an instance with IPv6 support
• Create a route table entry to ::/0 (IPv6 "all") to the IGW
• Private subnet (instances cannot be reached by IPv6 but can reach IPv6):
• Create an Egress-Only Internet Gateway in the public subnet
• Add a route table entry for the private subnet from ::/0 to the Egress-Only IGW
VPC Peering - CORRECT-ANSWERS You must update route tables in each VPC's subnets to ensure instances can communicate
• Connect two VPCs privately using AWS' network
• Make them behave as if they were in the same network
• Must not have overlapping CIDRs
• VPC Peering connection is not transitive (must be established for each pair of VPCs that need to communicate with one another)
• You can do VPC peering with another AWS account
VPC Peering - Good to know - CORRECT-ANSWERS
• VPC peering can work inter-region, cross-account
• You can reference a security group of a peered VPC (works cross-account)
VPC Endpoints Interface - CORRECT-ANSWERS
• Provision an ENI that will have a private endpoint interface hostname
• Leverage Security Groups for security
• Private DNS (setting when you create the endpoint)
• The public hostname of a service will resolve to the private Endpoint Interface hostname
• VPC Setting: "Enable DNS hostnames" and "Enable DNS Support" must be 'true'
• Interface can be accessed from Direct Connect and Site-to-Site VPN
AWS PrivateLink (VPC Endpoint Services) - CORRECT-ANSWERS
• Requires a network load balancer (Service VPC) and ENI (Customer VPC)
• If the NLB is in multiple AZs, and the ENI in multiple AZs, the solution is fault tolerant!
• Most secure & scalable way to expose a service to 1000s of VPCs (own or other accounts)
• Does not require VPC peering, internet gateway, NAT, route tables...
Site to Site VPN (AWS Managed VPN) - CORRECT-ANSWERS
• On-premises:
• Set up a software or hardware VPN appliance in your on-premises network
• The on-premises VPN should be accessible using a public IP
• AWS side:
• Set up a Virtual Private Gateway (VGW) and attach it to your VPC
• Set up a Customer Gateway to point to the on-premises VPN appliance
• Two VPN connections (tunnels) are created for redundancy, encrypted using IPSec
• Can optionally accelerate it using Global Accelerator (for worldwide networks)
Direct Connect - CORRECT-ANSWERS
• Provides a dedicated private connection from a remote network to your VPC
• Dedicated connection must be set up between your DC and AWS Direct Connect locations
• More expensive than running a VPN solution
• Private access to AWS services through VIF
• Bypass ISP, reduce network cost, increase bandwidth and stability
• Not redundant by default (must set up a failover DX or VPN)
Direct Connect - Encryption - CORRECT-ANSWERS
• Data in transit is not encrypted but is private
• Good for an extra level of security, but slightly more complex to put in place
• AWS Direct Connect + VPN provides an IPsec-encrypted private connection
• VPN over a Direct Connect connection uses a Public VIF
Direct Connect - Link Aggregation Groups (LAG) - CORRECT-ANSWERS Get increased speed and failover by summing up existing DX connections into a logical one
Direct Connect Gateway - CORRECT-ANSWERS
• If you want to set up a Direct Connect to one or more VPCs in many different regions (same/cross account), you must use a Direct Connect Gateway
Alexa for Business - CORRECT-ANSWERS
• Use Alexa to help employees be more productive in meeting rooms and at their desks
• Measure and increase the utilization of meeting rooms in their workplace
Amazon Lex (same technology that powers Alexa) - CORRECT-ANSWERS
• Automatic Speech Recognition (ASR) to convert speech to text
• Natural Language Understanding to recognize the intent of text, callers
• Helps build chatbots, call center bots
Amazon Connect - CORRECT-ANSWERS
• Receive calls, create contact flows, cloud-based virtual contact center
• Can integrate with other CRM systems or AWS
AWS Rekognition - CORRECT-ANSWERS
• Find objects, people, text, scenes in images and videos using ML
• Facial analysis and facial search to do user verification, people counting
• Create a database of "familiar faces" or compare against celebrities
• Use cases:
• Labeling
• Content Moderation
• Text Detection
• Face Detection and Analysis (gender, age range, emotions...)
• Face Search and Verification
• Celebrity Recognition
• Pathing (ex: for sports game analysis)
Kinesis Video Streams - CORRECT-ANSWERS
• Cannot output the stream data to S3 (must build custom solution)
• One video stream per streaming device (producers)
• Security cameras, body-worn cameras, smartphones
• Can use a Kinesis Video Streams Producer library
• Underlying data is stored in S3 (but we don't have access to it)
• Consumers:
• Consumed by EC2 instances for real-time analysis, or in batch
• Can leverage the Kinesis Video Stream Parser Library
• Integration with AWS Rekognition for facial detection
AWS WorkSpaces - CORRECT-ANSWERS
• Managed, Secure Cloud Desktop
• Great to eliminate management of on-premises VDI (Virtual Desktop Infrastructure)
• On Demand, pay per usage
• Secure, Encrypted, Network Isolation
• Integrated with Microsoft Active Directory
Amazon AppStream 2.0 - CORRECT-ANSWERS
• Desktop Application Streaming Service
• Deliver to any computer, without acquiring or provisioning infrastructure
• The application is delivered from within a web browser
Amazon AppStream 2.0 vs WorkSpaces - CORRECT-ANSWERS
WorkSpaces
• Fully managed VDI and desktop available
• The users connect to the VDI and open native or WAM applications
• WorkSpaces are on-demand or always on
AppStream 2.0
• Stream a desktop application to web browsers (no need to connect to a VDI)
• Works with any device (that has a web browser)
• Allows configuring an instance type per application type (CPU, RAM, GPU)
Amazon Mechanical Turk - CORRECT-ANSWERS
• Crowdsourcing marketplace to perform simple human tasks
• Integrates with SWF natively, does not integrate with Step Functions
• Distributed virtual workforce
• Example:
• You have a list of 10,000 restaurant names in your area and you want to get the telephone number, opening hours, address, etc...
• Assume the restaurant name is not perfect, therefore Google API cannot help
• You distribute the task on Mechanical Turk and humans will fill your database
• Other use cases: image classification, data collection, business processing