AWS Certified Solutions Architect Study Guide
Associate (SAA-C01) Exam

Second Edition

Ben Piper
David Clinton

Wiley

Acknowledgments

We would like to thank the following people who helped us create this AWS Certified Solutions Architect Study Guide: Associate SAA-C01 Exam, Second Edition.

First, a special thanks to our friends at Wiley. Kenyon Brown, senior acquisitions editor, got the ball rolling on this project and pushed to get this book published quickly. His experience and guidance throughout the project was critical. Kathi Duggan, development editor, helped push this book forward by keeping us accountable to our deadlines. Her edits made many of the technical parts of this book more readable. Thanks also go to Katie Wisor, production manager; Christine O’Connor, production editor; Pete Gaughan, content enablement manager; and Nancy Carrasco, proofreader.

John Mueller reviewed the chapters and questions for technical accuracy. Not only did his comments and suggestions make this book more accurate, he also provided additional ideas for the chapter review questions to make them more challenging and relevant to the exam. Thanks also go to Sara Perrott and Shlomo Swidler for providing technical proofreading.

Lastly, the authors would like to thank each other!

About the Authors

David Clinton is a Linux server admin who has worked with IT infrastructure in both academic and enterprise environments. He has authored books—including Learn Amazon Web Services in a Month of Lunches (Manning Publications, 2017) and Linux in Action (Manning Publications, 2018)—and created more than 15 video courses teaching Amazon Web Services and Linux administration, server virtualization, and IT security for Pluralsight.


In a “previous life,” David spent 20 years as a high school teacher. He currently lives in Toronto, Canada, with his wife and family and can be reached through his website: https://bootstrap-it.com.

 

Ben Piper, a native of Augusta, Georgia, is an IT consultant who works with clients in the Georgia-Carolina area. He has created more than 20 training courses covering Amazon Web Services, Cisco routing and switching, Puppet configuration management, and Windows Server Administration. He’s also the author of Learn Cisco Network Administration in a Month of Lunches (Manning Publications, 2017). Over the years he has designed, implemented, and maintained a variety of technologies including VMware vSphere, Citrix XenApp, XenServer, NetScaler, and Cisco network infrastructure. You can contact Ben by visiting his website: https://benpiper.com.


Introduction

Studying for any certification always involves deciding how much of your studying should be practical hands-on experience and how much should be simply memorizing facts and figures. Between the two of us, we’ve taken more than 20 different IT certification exams, so we know how important it is to use your study time wisely. We’ve designed this book to help you discover your strengths and weaknesses on the AWS platform so that you can focus your efforts properly. Whether you’ve been working with AWS for a long time or whether you’re relatively new to it, we encourage you to carefully read this book from cover to cover.

Passing the AWS Certified Solutions Architect – Associate exam requires understanding the components and operation of the core AWS services as well as how those services interact with each other. Read through the official documentation for the various AWS services. Amazon offers HTML, PDF, and Kindle documentation for many of them. Use this book as a guide to help you identify your strengths and weaknesses so that you can focus your study efforts properly.

Hands-on experience is crucial for exam success. Each chapter in this AWS Certified Solutions Architect Study Guide: Associate SAA-C01 Exam, Second Edition contains hands-on exercises that you should strive to complete during or immediately after your reading of the chapter. It’s vital to understand that the exercises don’t cover every possible scenario for every AWS service. In fact, it’s quite the opposite. The exercises provide you with a foundation to build on. Use them as your starting point, but don’t be afraid to venture out on your own. Feel free to modify them to match the variables and scenarios you might encounter in your own organization. Keep in mind that some of the exercises and figures use the AWS web console, which is in constant flux. As such, screenshots and step-by-step details of exercises may change. Use these eventualities as excuses to dig into the AWS online documentation and browse around the web console on your own. Also remember that although you can complete many of the exercises within the bounds of the AWS Free Tier, getting enough practice to pass the exam will likely require you to spend some money. But it’s money well spent, as getting certified is an investment in your career and your future.

Each chapter contains review questions to thoroughly test your understanding of the services and concepts covered in that chapter. They also test your ability to integrate the concepts with information from preceding chapters. Although the difficulty of the questions varies, rest assured that they are not “fluff.” We’ve designed the questions to help you realistically gauge your understanding and readiness for the exam. Avoid the temptation to rush through the questions to just get to the answers. Once you complete the assessment in each chapter, referring to the answer key will give you not only the correct answers but a detailed explanation as to why they’re correct. It will also explain why the other answers are incorrect.

The book also contains a self-assessment exam with 39 questions, two practice exams with 50 questions each to help you gauge your readiness to take the exam, and flashcards to help you learn and retain key facts needed to prepare for the exam.

This AWS Certified Solutions Architect Study Guide: Associate SAA-C01 Exam, Second Edition is divided into two parts: The Core AWS Services and The Well-Architected Framework.

Part I, “The Core AWS Services”

The first part of the book dives deep into each of the core AWS services. These services include ones you probably already have at least a passing familiarity with: Elastic Compute Cloud (EC2), Virtual Private Cloud (VPC), Identity and Access Management (IAM), Route 53, and Simple Storage Service (S3), to name just a few.

Some AWS services seem to serve similar or even nearly identical purposes. You’ll learn about the subtle but important differences between seemingly similar services and, most importantly, when to use each.

Part II, “The Well-Architected Framework”

The second part of the book is a set of best practices and principles aimed at helping you design, implement, and operate systems in the cloud. Part II focuses on the following five pillars of good design:

  • Reliability
  • Performance efficiency
  • Security
  • Cost optimization
  • Operational excellence

Each chapter of Part II revisits the core AWS services in light of a different pillar. Also, because not every AWS service is large enough to warrant its own chapter, Part II simultaneously introduces other services that, although less well known, may still show up on the exam.

Achieving the right balance among these pillars is a key skill you need to develop as a solutions architect. Prior to beginning Part II, we encourage you to peruse the Well-Architected Framework white paper, which is available for download at https://d0.awsstatic.com/whitepapers/architecture/AWS_Well-Architected_Framework.pdf.

What Does This Book Cover?

This book covers topics you need to know to prepare for the Amazon Web Services (AWS) Certified Solutions Architect – Associate exam:

Chapter 1: Introduction to Cloud Computing and AWS This chapter overviews the AWS Cloud computing platform and its core services and concepts.

Chapter 2: Amazon Elastic Compute Cloud and Amazon Elastic Block Store This chapter covers EC2 instances—the virtual machines that you can use to run Linux and Windows workloads on AWS. It also covers the Elastic Block Store service that EC2 instances depend on for persistent data storage.

Chapter 3: Amazon Simple Storage Service and Amazon Glacier Storage In this chapter, you’ll learn about Simple Storage Service (S3) and Glacier, which provide unlimited data storage and retrieval for AWS services, your applications, and the Internet.

Chapter 4: Amazon Virtual Private Cloud This chapter explains Amazon Virtual Private Cloud (Amazon VPC), a virtual network that contains network resources for AWS services.

Chapter 5: Databases In this chapter, you will learn about some different managed database services offered by AWS, including Relational Database Service (RDS), DynamoDB, and Redshift.

Chapter 6: AWS Identity and Access Management This chapter covers AWS Identity and Access Management (IAM), which provides the primary means for protecting the AWS resources in your account.

Chapter 7: CloudTrail, CloudWatch, and AWS Config In this chapter, you’ll learn how to log, monitor, and audit your AWS resources.

Chapter 8: The Domain Name System and Network Routing: Amazon Route 53 and Amazon CloudFront This chapter focuses on the domain name system (DNS) and Route 53, the service that provides public and private DNS hosting for both internal AWS resources and the Internet. It also covers CloudFront, Amazon’s global content delivery network.

Chapter 9: The Reliability Pillar This chapter will show you how to architect and integrate AWS services to achieve a high level of reliability for your applications. You’ll learn how to plan around and recover from inevitable outages to keep your systems up and running.

Chapter 10: The Performance Efficiency Pillar This chapter covers how to build highly performing systems and use the AWS elastic infrastructure to rapidly scale up and out to meet peak demand.

Chapter 11: The Security Pillar In this chapter, you’ll learn how to use encryption and security controls to protect the confidentiality, integrity, and availability of your data and systems on AWS. You’ll also learn about the various security services such as GuardDuty, Inspector, Shield, and Web Application Firewall.

Chapter 12: The Cost Optimization Pillar This chapter will show you how to estimate and control your costs in the cloud.

Chapter 13: The Operational Excellence Pillar In this chapter, you’ll learn how to keep your systems running smoothly on AWS. You’ll learn how to implement a DevOps mind-set using CloudFormation, Systems Manager, and the AWS Developer Tools.

Interactive Online Learning Environment and Test Bank

The authors have worked hard to provide some really great tools to help you with your certification process. The interactive online learning environment that accompanies this AWS Certified Solutions Architect Study Guide: Associate SAA-C01 Exam, Second Edition provides a test bank with study tools to help you prepare for the certification exam—and increase your chances of passing it the first time! The test bank includes the following:

Sample Tests All the questions in this book are provided, including the assessment test at the end of this Introduction and the chapter tests that include the review questions at the end of each chapter. In addition, there are two practice exams with 50 questions each. Use these questions to test your knowledge of the study guide material. The online test bank runs on multiple devices.

Flashcards The online test bank includes 100 flashcards specifically written to hit you hard, so don’t get discouraged if you don’t ace your way through them at first. They’re there to ensure that you’re really ready for the exam. And no worries—armed with the review questions, practice exams, and flashcards, you’ll be more than prepared when exam day comes. Questions are provided in digital flashcard format (a question followed by a single correct answer). You can use the flashcards to reinforce your learning and provide last-minute test prep before the exam.

Resources You’ll find some AWS CLI and other code examples from the book for you to cut and paste for use in your own environment. A glossary of key terms from this book is also available as a fully searchable PDF.

Go to www.wiley.com/go/sybextestprep to register and gain access to this interactive online learning environment and test bank with study tools.

Exam Objectives

The AWS Certified Solutions Architect Associate exam is intended for people who have experience in designing distributed applications and systems on the AWS platform. In general, you should have the following before taking the exam:

The exam covers five different domains, with each domain broken down into objectives.

Objective Map

The following table lists each domain and its weighting in the exam, along with the chapters in the book where that domain’s objectives are covered.

Domain 1: Design Resilient Architectures (34% of exam)
  1.1 Choose reliable/resilient storage. Chapters 2, 3, 5, 9, 10
  1.2 Determine how to design decoupling mechanisms using AWS services. Chapters 5, 9, 10
  1.3 Determine how to design a multitier architecture solution. Chapters 3, 4, 5, 8, 9, 10
  1.4 Determine how to design high availability and/or fault-tolerant architectures. Chapters 2, 3, 5, 7, 8, 9, 10

Domain 2: Define Performant Architectures (24% of exam)
  2.1 Choose performant storage and databases. Chapters 2, 3, 5, 10
  2.2 Apply caching to improve performance. Chapters 8, 10
  2.3 Design solutions for elasticity and scalability. Chapters 2, 3, 5, 7, 8, 10

Domain 3: Specify Secure Applications and Architectures (26% of exam)
  3.1 Determine how to secure application tiers. Chapters 2, 3, 4, 6, 7, 11
  3.2 Determine how to secure data. Chapters 2, 3, 6, 7, 11
  3.3 Define the networking infrastructure for a single VPC application. Chapters 4, 11

Domain 4: Design Cost-Optimized Architectures (10% of exam)
  4.1 Determine how to design cost-optimized storage. Chapters 2, 3, 12
  4.2 Determine how to design cost-optimized compute. Chapters 2, 12

Domain 5: Define Operationally Excellent Architectures (6% of exam)
  5.1 Choose design features in solutions that enable operational excellence. Chapters 7, 10, 13

Assessment Test

  1. True/false: The Developer Support plan provides access to a support application programming interface (API).

    A. True
    B. False
  2. True/false: AWS is responsible for managing the network configuration of your EC2 instances.

    A. True
    B. False
  3. Which of the following services is most useful for decoupling the components of a monolithic application?

    A. SNS
    B. KMS
    C. SQS
    D. Glacier
  4. An application you want to run on EC2 requires you to license it based on the number of physical CPU sockets and cores on the hardware you plan to run the application on. Which of the following tenancy models should you specify?

    A. Dedicated host
    B. Dedicated instance
    C. Shared tenancy
    D. Bring your own license
  5. True/false: Changing the instance type of an EC2 instance will change its elastic IP address.

    A. True
    B. False
  6. True/false: You can use a Quick Start Amazon Machine Image (AMI) to create any instance type.

    A. True
    B. False
  7. Which S3 encryption option does not require AWS persistently storing the encryption keys it uses to decrypt data?

    A. Client-side encryption
    B. SSE-KMS
    C. SSE-S3
    D. SSE-C
  8. True/false: Durability measures the percentage of likelihood that a given object will not be inadvertently lost by AWS over the course of a year.

    A. True
    B. False
  9. True/false: After uploading a new object to S3, there will be a slight delay (one to two seconds) before the object is available.

    A. True
    B. False
  10. You created a Virtual Private Cloud (VPC) using the Classless Inter-Domain Routing (CIDR) block 10.0.0.0/24. You need to connect to this VPC from your internal network, but the IP addresses in use on your internal network overlap with the CIDR. Which of the following is a valid way to address this problem?

    A. Remove the CIDR and use IPv6 instead.
    B. Change the VPC’s CIDR.
    C. Create a new VPC with a different CIDR.
    D. Create a secondary CIDR for the VPC.
  11. True/false: An EC2 instance must be in a public subnet to access the Internet.

    A. True
    B. False
  12. True/false: The route table for a public subnet must have a default route pointing to an Internet gateway as a target.

    A. True
    B. False
  13. Which of the following use cases is well suited for DynamoDB?

    A. Running a MongoDB database on AWS
    B. Storing large binary files exceeding 1 GB in size
    C. Storing JSON documents that have a consistent structure
    D. Storing image assets for a website
  14. True/false: You can create a DynamoDB global secondary index for an existing table at any time.

    A. True
    B. False
  15. True/false: Enabling point-in-time RDS snapshots is sufficient to give you a recovery point objective (RPO) of less than 10 minutes.

    A. True
    B. False
  16. Which of the following steps does the most to protect your AWS account?

    A. Deleting unused Identity and Access Management (IAM) policies
    B. Revoking unnecessary access for IAM users
    C. Rotating root access keys
    D. Restricting access to S3 buckets
    E. Rotating Secure Shell (SSH) key pairs
  17. Which of the following can be used to encrypt the operating system of an EC2 instance?

    A. AWS Secrets Manager
    B. CloudHSM
    C. AWS Key Management Service (KMS)
    D. AWS Security Token Service (STS)
  18. What is a difference between a token generated by the AWS Security Token Service (STS) and an IAM access key?

    A. The token generated by STS can’t be used by an IAM principal.
    B. An IAM access key is unique.
    C. The token generated by STS can be used only once.
    D. The token generated by STS expires.
  19. True/false: EC2 sends instance memory utilization metrics to CloudWatch every five minutes.

    A. True
    B. False
  20. You configured a CloudWatch alarm to monitor CPU utilization for an EC2 instance. The alarm began in the INSUFFICIENT_DATA state and then entered the ALARM state. What can you conclude from this?

    A. The instance recently rebooted.
    B. CPU utilization is too high.
    C. The CPU utilization metric crossed the alarm threshold.
    D. The instance is stopped.
  21. Where do AWS Config and CloudTrail store their logs?

    A. S3 buckets
    B. CloudWatch Logs
    C. CloudTrail Events
    D. DynamoDB
    E. Amazon Athena
  22. True/false: An EC2 instance in a private subnet can resolve an “A” resource record for a public hosted zone hosted in Route 53.

    A. True
    B. False
  23. You want to use Route 53 to send users to the application load balancer closest to them. Which of the following routing policies lets you do this with the least effort?

    A. Latency routing
    B. Geolocation routing
    C. Geoproximity routing
    D. Edge routing
  24. True/false: You can use an existing domain name with Route 53 without switching its registration to AWS.

    A. True
    B. False
  25. You’re designing an application that takes multiple image files and combines them into a video file that users on the Internet can download. Which of the following can help you quickly implement your application in the fastest, most highly available, and most cost-effective manner?

    A. EC2 spot fleet
    B. Lambda
    C. Relational Database Service (RDS)
    D. Auto Scaling
  26. You’re using EC2 Auto Scaling and want to implement a scaling policy that adds one extra instance only when the average CPU utilization of each instance exceeds 90 percent. However, you don’t want it to add more than one instance every five minutes. Which of the following scaling policies should you use?

    A. Simple
    B. Step
    C. Target tracking
    D. PercentChangeInCapacity
  27. True/false: EC2 Auto Scaling automatically replaces group instances directly terminated by the root user.

    A. True
    B. False
  28. Which ElastiCache engine can persistently store data?

    A. MySQL
    B. Memcached
    C. MongoDB
    D. Redis
  29. Which of the following is not an AWS service?

    A. CloudFormation
    B. Puppet
    C. OpsWorks
    D. Snowball
  30. True/false: S3 cross-region replication uses transfer acceleration.

    A. True
    B. False
  31. Which of the following services can you deactivate on your account?

    A. Security Token Service (STS)
    B. CloudWatch
    C. Virtual Private Cloud (VPC)
    D. Lambda
  32. Which of the following services can alert you to malware on an EC2 instance?

    A. AWS GuardDuty
    B. AWS Inspector
    C. AWS Shield
    D. AWS Web Application Firewall
  33. True/false: If versioning is enabled on an S3 bucket, applying encryption to an unencrypted object in that bucket will create a new, encrypted version of that object.

    A. True
    B. False
  34. Which instance type will, if left running, continue to incur costs?

    A. Spot
    B. Standard reserved
    C. On-demand
    D. Convertible reserved
  35. True/false: The EBS Lifecycle Manager can take snapshots of volumes that were once attached to terminated instances.

    A. True
    B. False
  36. Which of the following lets you spin up new web servers the quickest?

    A. Lambda
    B. Auto Scaling
    C. Elastic Container Service
    D. CloudFront
  37. True/false: CloudFormation stack names are case-sensitive.

    A. True
    B. False
  38. Where might CodeDeploy look for the appspec.yml file? (Choose two.)

    A. GitHub
    B. CodeCommit
    C. S3
    D. CloudFormation
  39. True/false: You can use either CodeDeploy or an AWS Systems Manager command document to deploy a Lambda application.

    A. True
    B. False

Answers to Assessment Test

  1. B. The Business plan offers access to a support API, but the Developer plan does not. See Chapter 1 for more information.

  2. B. Customers are responsible for managing the network configuration of EC2 instances. AWS is responsible for the physical network infrastructure. See Chapter 1 for more information.

  3. C. Simple Queue Service (SQS) allows for event-driven messaging within distributed systems that can decouple while coordinating the discrete steps of a larger process. See Chapter 1 for more information.

  4. A. The dedicated host option lets you see the number of physical CPU sockets and cores on a host. See Chapter 2 for more information.

  5. B. An elastic IP address will not change. A public IP address attached to an instance will change if the instance is stopped, as would happen when changing the instance type. See Chapter 2 for more information.

  6. A. A Quick Start AMI is independent of the instance type. See Chapter 2 for more information.

  7. D. With SSE-C you provide your own keys for Amazon to use to decrypt and encrypt your data. AWS doesn’t persistently store the keys. See Chapter 3 for more information.

  8. A. Durability corresponds to an average annual expected loss of objects stored on S3, not including objects you delete. Availability measures the amount of time S3 will be available to let you retrieve those objects. See Chapter 3 for more information.

  9. B. S3 uses a read-after-write consistency model for new objects, so once you upload an object to S3, it’s immediately available. See Chapter 3 for more information.

  10. C. You can’t change the primary CIDR for a VPC, so you must create a new one to connect it to your internal network. See Chapter 4 for more information.

  11. B. An EC2 instance can access the Internet from a private subnet provided it uses a NAT gateway or NAT instance. See Chapter 4 for more information.

  12. A. The definition of a public subnet is a subnet that has a default route pointing to an Internet gateway as a target. Otherwise, it’s a private subnet. See Chapter 4 for more information.

  13. C. DynamoDB is a key-value store that can be used to store items up to 400 KB in size. See Chapter 5 for more information.

  14. A. You can create a global secondary index for an existing table at any time. You can create a local secondary index only when you create the table. See Chapter 5 for more information.

  15. A. Enabling point-in-time recovery gives you an RPO of about five minutes. The recovery time objective (RTO) depends on the amount of data to restore. See Chapter 5 for more information.

  16. B. Revoking unnecessary access for IAM users is the most effective of the listed measures for protecting your AWS account. See Chapter 6 for more information.

  17. C. KMS can be used to encrypt Elastic Block Store (EBS) volumes that store an instance’s operating system. See Chapter 6 for more information.

  18. D. STS tokens expire while IAM access keys do not. An STS token can be used more than once. IAM access keys and STS tokens are both unique. An IAM principal can use an STS token. See Chapter 6 for more information.

  19. B. EC2 doesn’t track instance memory utilization. See Chapter 7 for more information.

  20. C. The transition to the ALARM state simply implies that the metric crossed a threshold but doesn’t tell you what the threshold is. Newly created alarms start out in the INSUFFICIENT_DATA state. See Chapter 7 for more information.

  21. A. Both store their logs in S3 buckets. See Chapter 7 for more information.

  22. A. An EC2 instance in a private subnet still has access to Amazon’s private DNS servers, which can resolve records stored in public hosted zones. See Chapter 8 for more information.

  23. C. Geoproximity routing routes users to the location closest to them. Geolocation routing requires you to create records for specific locations or create a default record. See Chapter 8 for more information.

  24. A. Route 53 is a true DNS service in that it can host zones for any domain name. You can also register domain names with or transfer them to Route 53. See Chapter 8 for more information.

  25. B. Lambda is a highly available, reliable, “serverless” compute platform that runs functions as needed and scales elastically to meet demand. EC2 spot instances can be shut down on short notice. See Chapter 9 for more information.

  26. A. A simple scaling policy changes the group size and then has a cooldown period before doing so again. Step scaling policies don’t have cooldown periods. Target tracking policies attempt to keep a metric at a set value. PercentChangeInCapacity is a simple scaling adjustment type, not a scaling policy. See Chapter 9 for more information.

  27. A. Auto Scaling always attempts to maintain the minimum group size or, if set, the desired capacity. See Chapter 9 for more information.

  28. D. ElastiCache supports Memcached and Redis, but only the latter can store data persistently. See Chapter 10 for more information.

  29. B. Puppet is a configuration management platform that AWS offers via OpsWorks but is not itself an AWS service. See Chapter 10 for more information.

  30. B. S3 cross-region replication transfers objects between different buckets. Transfer acceleration uses a CloudFront edge location to speed up transfers between S3 and the Internet. See Chapter 10 for more information.

  31. A. You can deactivate STS for all regions except US East. See Chapter 11 for more information.

  32. A. GuardDuty looks for potentially malicious activity. Inspector looks for vulnerabilities that may result in compromise. Shield and Web Application Firewall protect applications from attack. See Chapter 11 for more information.

  33. A. Applying encryption to an unencrypted object will create a new, encrypted version of that object. Previous versions remain unencrypted. See Chapter 11 for more information.

  34. C. On-demand instances will continue to run and incur costs. Reserved instances cost the same whether they’re running or stopped. Spot instances will be terminated when the spot price exceeds your bid price. See Chapter 12 for more information.

  35. A. The EBS Lifecycle Manager can take scheduled snapshots of any EBS volume, regardless of attachment state. See Chapter 12 for more information.

  36. C. Elastic Container Service lets you run containers that can launch in a matter of seconds. EC2 instances take longer. Lambda is “serverless,” so you can’t use it to run a web server. CloudFront provides caching but isn’t a web server. See Chapter 12 for more information.

  37. A. Almost everything in CloudFormation is case sensitive. See Chapter 13 for more information.

  38. A, C. CodeDeploy looks for the appspec.yml file with the application files it is to deploy, which can be stored in S3 or on GitHub. See Chapter 13 for more information.

  39. B. You can use CodeDeploy to deploy an application to Lambda or EC2 instances. But an AWS Systems Manager command document works only on EC2 instances. See Chapter 13 for more information.
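The encryption options in question 7 differ in what travels in the S3 request and in who ends up holding a key. The following Python, an example added to this edition and not code from the book, builds the request headers for SSE-S3, SSE-KMS and SSE-C and classifies a request (or a logged copy of its headers) back to its mode, flagging an SSE-C request whose key and checksum disagree. The 32-byte demo key and the `alias/example` KMS key ID are constructed for illustration only.

```python
"""S3 server-side encryption modes from assessment question 7, expressed as
the request headers S3 actually looks at. Added example; not from the book."""
import base64
import hashlib

# Header names as defined for S3 PutObject/GetObject (lower-cased for lookup).
SSE_HEADER = "x-amz-server-side-encryption"
SSE_KMS_KEY_ID_HEADER = "x-amz-server-side-encryption-aws-kms-key-id"
SSE_C_ALGORITHM_HEADER = "x-amz-server-side-encryption-customer-algorithm"
SSE_C_KEY_HEADER = "x-amz-server-side-encryption-customer-key"
SSE_C_KEY_MD5_HEADER = "x-amz-server-side-encryption-customer-key-md5"


def sse_headers(mode, customer_key=None, kms_key_id=None):
    """Return the request headers for "SSE-S3", "SSE-KMS" or "SSE-C".

    For SSE-C the caller supplies the raw 256-bit AES key. S3 uses it for the
    one request and stores only a salted HMAC of it, so the same key header
    (with its MD5 checksum) must accompany every later GET, HEAD or COPY.
    """
    if mode == "SSE-S3":
        return {SSE_HEADER: "AES256"}
    if mode == "SSE-KMS":
        headers = {SSE_HEADER: "aws:kms"}
        if kms_key_id:  # omitted: the AWS managed key aws/s3 is used
            headers[SSE_KMS_KEY_ID_HEADER] = kms_key_id
        return headers
    if mode == "SSE-C":
        if not isinstance(customer_key, bytes) or len(customer_key) != 32:
            raise ValueError("SSE-C requires a 32-byte (AES-256) customer key")
        key_md5 = hashlib.md5(customer_key).digest()
        return {
            SSE_C_ALGORITHM_HEADER: "AES256",
            SSE_C_KEY_HEADER: base64.b64encode(customer_key).decode("ascii"),
            SSE_C_KEY_MD5_HEADER: base64.b64encode(key_md5).decode("ascii"),
        }
    raise ValueError(f"unknown mode {mode!r}")


def classify_sse(headers):
    """Inverse of sse_headers: which mode a request (or a logged copy of its
    headers) asks for. Returns "SSE-C", "SSE-KMS", "SSE-S3", "NONE", or
    "INVALID" when the SSE-C key and checksum disagree (S3 would reject it)."""
    h = {k.lower(): v for k, v in headers.items()}
    if h.get(SSE_C_ALGORITHM_HEADER) == "AES256":
        try:
            raw = base64.b64decode(h.get(SSE_C_KEY_HEADER, ""), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            return "INVALID"
        expected = base64.b64encode(hashlib.md5(raw).digest()).decode("ascii")
        if len(raw) == 32 and h.get(SSE_C_KEY_MD5_HEADER) == expected:
            return "SSE-C"
        return "INVALID"
    value = h.get(SSE_HEADER)
    if value == "aws:kms":
        return "SSE-KMS"
    if value == "AES256":
        return "SSE-S3"
    return "NONE"


if __name__ == "__main__":
    # Constructed demo key: never derive a real key from a predictable pattern.
    demo_key = bytes(range(32))
    for mode, kwargs in (("SSE-S3", {}),
                         ("SSE-KMS", {"kms_key_id": "alias/example"}),
                         ("SSE-C", {"customer_key": demo_key})):
        hdrs = sse_headers(mode, **kwargs)
        print(mode, "->", classify_sse(hdrs), hdrs)
```

The practical consequence for SSE-C is visible in the header set: because AWS never persists the key, a client that loses it cannot read the object back, and a bucket policy that denies uploads lacking these headers is the usual way to enforce the chosen mode.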
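Answers 11 and 12 together give the working definition of public and private subnets: the effective route table, not the subnet itself, decides. The Python below is an example added to this edition, not code from the book; it applies that definition to data in the shape of `aws ec2 describe-route-tables` output, including the case that audits most often miss (a subnet with no explicit association inherits the VPC's main route table) and blackhole routes left behind by a deleted NAT gateway. The route-table contents, subnet IDs and gateway IDs are constructed for illustration.

```python
"""Classify VPC subnets as public or private from route-table data, using
the definition in answers 11 and 12. Added example; not from the book."""

DEFAULT_ROUTE = "0.0.0.0/0"
TARGET_FIELDS = ("GatewayId", "NatGatewayId", "InstanceId",
                 "NetworkInterfaceId", "TransitGatewayId",
                 "VpcPeeringConnectionId")


def effective_route_table(subnet_id, route_tables):
    """Return the route table that governs subnet_id. A subnet with no
    explicit association uses the VPC's main route table."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def default_route_target(route_table):
    """Target of the active 0.0.0.0/0 route, or None. A blackhole route
    (e.g. its NAT gateway was deleted) forwards nothing, so it is ignored."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") != DEFAULT_ROUTE:
            continue
        if route.get("State", "active") != "active":
            continue
        for field in TARGET_FIELDS:
            if route.get(field):
                return route[field]
    return None


def classify_subnet(subnet_id, route_tables):
    rt = effective_route_table(subnet_id, route_tables)
    if rt is None:
        return "unknown (no route table found)"
    target = default_route_target(rt)
    if target is None:
        return "private (no Internet route)"
    if target.startswith("igw-"):
        return "public"
    if target.startswith("nat-"):
        return "private (egress via NAT gateway)"
    if target.startswith(("i-", "eni-")):
        return "private (egress via NAT instance)"
    return f"private (default route via {target})"


def audit(subnet_ids, route_tables):
    """Map every subnet to its classification; feed the result to a report
    or a compliance check that expects only known subnets to be public."""
    return {s: classify_subnet(s, route_tables) for s in subnet_ids}


# Constructed sample in the shape of `aws ec2 describe-route-tables` output.
SAMPLE_ROUTE_TABLES = [
    {   # main table: no explicit subnet associations, default route to an IGW
        "RouteTableId": "rtb-main",
        "Associations": [{"Main": True, "RouteTableId": "rtb-main"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0a1b2c3d", "State": "active"},
        ],
    },
    {   # application tier: egress only through a NAT gateway
        "RouteTableId": "rtb-app",
        "Associations": [{"Main": False, "RouteTableId": "rtb-app", "SubnetId": "subnet-app"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0f9e8d7c", "State": "active"},
        ],
    },
    {   # database tier: its NAT gateway was deleted, leaving a blackhole route
        "RouteTableId": "rtb-db",
        "Associations": [{"Main": False, "RouteTableId": "rtb-db", "SubnetId": "subnet-db"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-deleted", "State": "blackhole"},
        ],
    },
]

if __name__ == "__main__":
    # subnet-web has no explicit association, so it inherits rtb-main and is public.
    for subnet, verdict in audit(["subnet-web", "subnet-app", "subnet-db"], SAMPLE_ROUTE_TABLES).items():
        print(f"{subnet}: {verdict}")
```

The same logic is the starting point for a real check: pull the live route tables with the CLI or SDK, run `audit` over every subnet in the VPC, and alert on any subnet that is public but not in the list of tiers that are meant to be.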

PART I
The Core AWS Services