AWS Solution Architect Associate Exam Notes
For more information on AWS, visit aws.amazon.com
Developer Tools:
AWS CodeCommit is a fully-managed source control service that makes it easy for companies to host secure and highly scalable private Git repositories.
- AWS implementation of GIT
- Not covered as exam topic currently
| Resource or Operation | Default Limit |
|---|---|
| Number of repositories per account: | 1000 |
For additional information about Code Commit Service Limits, see Limits in Amazon CodeCommit
AWS CodeDeploy is a service that automates code deployments to any instance, including Amazon EC2 instances and instances running on-premises.
- Automate code deployments, AWS CI/CD service
- Not covered as exam topic currently
| Resource or Operation | Default Limit |
|---|---|
| Number of applications under an account in a single region: | 40 |
| Number of concurrent deployments under an account: | 10 |
| Number of deployment groups associated with a single application: | 50 |
| Number of instances in a single deployment: | 50 |
For additional information about Code Deploy Service Limits, see Limits in Amazon CodeDeploy
AWS CodePipeline is a continuous delivery service for fast and reliable application updates. CodePipeline builds, tests, and deploys your code every time there is a code change, based on the release process models you define.
- Build, test, and deploy code based on commits
- Not covered as exam topic currently
| Resource or Operation | Default Limit |
|---|---|
| Number of pipelines per AWS account: | 20 |
| Number of stages in a pipeline: | Minimum of 2, maximum of 10 |
| Number of actions in a stage: | Minimum of 1, maximum of 20 |
| Number of parallel actions in a stage: | 5 |
| Number of sequential actions in a stage: | 5 |
| Number of custom actions per AWS account: | 20 |
| Maximum number of revisions running across all pipelines: | 20 |
| Maximum size of source artifacts: | 500 megabytes (MB) |
| Maximum number of times an action can be run per month: | 1,000 per calendar month |
For additional information about Code Pipelines Service Limits, see Limits in Amazon CodePipelines
Service Limit Changes:
It may take up to two weeks to process requests for a limit increase.
It may take up to two weeks to process requests for a limit increase.
Mobile Services:
AWS Mobile Hub lets you easily add and configure features for your mobile apps, including user authentication, data storage, backend logic, push notifications, content delivery, and analytics. After you build your app, AWS Mobile Hub gives you easy access to testing on real devices, as well as analytics dashboards to track usage of your app – all from a single, integrated console.
- Build, run, and test usage of your mobile applications
- Not covered as exam topic currently
Amazon Cognito lets you easily add user sign-up and sign-in to your mobile and web apps. With Amazon Cognito, you also have the options to authenticate users through social identity providers such as Facebook, Twitter, or Amazon, with SAML identity solutions, or by using your own identity system. In addition, Amazon Cognito enables you to save data locally on users devices, allowing your applications to work even when the devices are offline. You can then synchronize data across users devices so that their app experience remains consistent regardless of the device they use.
- Save mobile data like game states or preferences
- Not covered as exam topic currently
AWS Device Farm is an app testing service that lets you test and interact with your Android, iOS, and web apps on many devices at once, or reproduce issues on a device in real time. View video, screenshots, logs, and performance data to pinpoint and fix issues before shipping your app.
- Enables customers to test their mobile applications against real smart phones in the cloud
- Not covered as exam topic currently
| Resource or Operation | Default Limit |
|---|---|
| App file size you can upload: | 4 GB |
| Number of devices AWS Device Farm can test during a run: | 5 which can be increased to 1K upon request |
| Number of devices you can include in a test run: | None |
| Number of runs you can schedule: | None |
| Duration of a remote access session: | 60 Minutes |
With Amazon Mobile Analytics, you can measure app usage and app revenue. By tracking key trends such as new vs. returning users, app revenue, user retention, and custom in-app behavior events, you can make data-driven decisions to increase engagement and monetization for your app.
- Measure mobile application usage, revenue and track new/returning users, etc..
- Not covered as exam topic currently
Simple Notification Service is a web service that makes it easy to set up, operate, and send notifications from the cloud. It provides developers with a highly scalable, flexible, and cost-effective capability to publish messages from an application and immediately deliver them to subscribers or other applications.
- Web service that allows customers to setup, operate, and send notifications from the cloud
- Can push to Apple, Google, FireOS, and Windows devices, as well as Android devices in China with Baidu cloud push
- Follows the publish-subscribe (pub-sub) messaging paradigm, with notifications being delivered to clients using a push mechanism that eliminates the need to poll for updates
- Can deliver notifications by SMS, email, SQS queues, or any HTTP endpoint
- SNS notifications can be used to trigger lambda functions
- When a message is published to an SNS topic that has a lambda function subscribed to it, the function is invoked with the payload of the published message. The lambda function would receive the message payload as an input parameter, and can manipulate the info in the message, publish the message to other SNS topics or send the message to other AWS services
- Allows you to group multiple recipients using topics
- Topics are access points for allowing recipients to dynamically subscribe for copies of the notification
- One topic can support deliveries to multiple endpoint types, for example, IOS, Android, and SMS recipients can be grouped together
- When message is published, SNS delivers appropriately formatted copies of your message to each subscriber
- Email notifications will be JSON formated not XML
- Subscriptions have to be confirmed
- Subscription expire after 3 days if they are not confirmed
- TTL is the number of seconds since the message was published
- If the message is not delivered within the TTL time, then the message will expire
- To prevent messages from being lost, all messages published to SNS are stored redundantly across multiple AZ's
- Instantaneous, PUSH based delivery (No Polling) --> SQS requires polling
- Simple API and easy integration with applications
- Flexible message deliver over multiple transport protocols
- Inexpensive, pay as you go model
- Web based AWS management console offers simplicity of point and click interface
- $.50 per million SNS requests
- $.06 per 100,000 notification deliveries over HTTP
- $0.75 per 100 notifications over SMS
- $2.00 per 100,000 notification deliveries over email
- Can be used in conjunction with SQS to fan a single message out to multiple SQS queues
- Remember:
- SNS - PUSH
- SQS - PULL (poll)
- Subscribers:
- HTTP
- HTTPS
- Email-JSON
- SQS
- Application
- Lambda
- Messages can be customized for each of the available protocols
| Resource or Operation | Default Limit |
|---|---|
| Topics : | 100,000 |
| Account spend threshold for SMS: | 50 USD |
| Delivery rate for promotional SMS messages: | 20 Messages per second |
| Delivery rate for transactional SMS messages: | 20 Messages per second |
Enterprise Applications:
Amazon WorkSpaces is a fully managed, secure desktop computing service which runs on the AWS cloud. Amazon WorkSpaces allows you to easily provision cloud-based virtual desktops and provide your users access to the documents, applications, and resources they need from any supported device, including Windows and Mac computers, Chromebooks, iPads, Fire tablets, and Android tablets.
- Virtual Desktop Infrastructure (VDI) that provides a bundle of compute resources, storage space, and software application access that allow a user to interact with just as a traditional desktop
- Users can connect to a WorkSpace from any supported device (PC, Mac, Chrome-book, iPad, Kindle Fire, or Android) using a free Workspace Client application
- Can be integrated into Active Directory using federated services
- Runs Windows 7 provided by Windows Server 2008 R2
- Users can personalize their workspace with their favorite settings for items such as wallpaper, icons, shortcuts, etc. This can be locked down by an administrator
- By default you will be given local admin access so you can install your own applications
- Workspaces are persistent
- All data on the D:\ is backed up every 12 hours
| Resource or Operation | Default Limit | Comments |
|---|---|---|
| WorkSpaces: | 5 | To prevent denial of service attacks, accounts new to the Amazon WorkSpaces service are limited to five WorkSpaces. |
For additional information about Workspaces Limits, see Limits in Amazon WorkSpaces
Amazon WorkDocs is a fully managed, secure enterprise storage and sharing service with strong administrative controls and feedback capabilities that improve user productivity.
- AWS version of Dropbox for the enterprise
- Not covered as exam topic currently
Amazon WorkMail is a secure, managed business email and calendar service with support for existing desktop and mobile email clients.
- AWS version of Exchange Server for E-mail Services
- Not covered as exam topic currently
Internet of Things:
AWS IoT is a managed cloud platform that lets connected devices easily and securely interact with cloud applications and other devices. AWS IoT can support billions of devices and trillions of messages, and can process and route those messages to AWS endpoints and to other devices reliably and securely.
- Not covered as exam topic currently
| Resource or Operation | Default Limit |
|---|---|
| Topic length limit: | The topic passed to the message broker when publishing a message cannot exceed 256 bytes encoded in UTF-8. |
| Restricted topic prefix: | Topics beginning with '$' are considered reserved and are not supported for publishing and subscribing except when working with the Thing Shadows service. |
| Maximum number of slashes in topic and topic filter: | A topic provided while publishing a message or a topic filter provided while subscribing can have no more than eight forward slashes (/). |
| Client ID size limit: | 128 bytes encoded in UTF-8. |
| Restricted client ID prefix: | '$' is reserved for internally generated client IDs. |
| Message size limit: | The payload for every publish message is limited to 128 KB. The AWS IoT service will reject messages larger than this size. |
| Throughput per connection: | AWS IoT limits the ingress and egress rate on each client connection to 512 KB/s. Data sent or received at a higher rate will be throttled to this throughput. |
| Maximum subscriptions per subscribe call: | A single subscribe call is limited to request a maximum of eight subscriptions. |
| Subscriptions per session: | The message broker limits each client session to subscribe to up to 50 subscriptions. A subscribe request that pushes the total number of subscriptions past 50 will result in the connection being disconnected. |
| Connection inactivity (keep-alive) limits: | By default, an MQTT client connection is disconnected after 30 minutes of inactivity. When the client sends a PUBLISH, SUBSCRIBE, PING, or PUBACK message, the inactivity timer is reset. A client can request a shorter keep-alive interval by specifying a keep-alive value between 5-1,200 seconds in the MQTT CONNECT message sent to the server. If a keep-alive value is specified, the server will disconnect the client if it does not receive a PUBLISH, SUBSCRIBE, PINGREQ, or PUBACK message within a period 1.5 times the requested interval. The keep-alive timer starts after the sender sends a CONNACK. If a client sends a keep-alive value of zero, the default keep-alive behavior will remain in place. If a client request a keep-alive shorter than 5 seconds, the server will treat the client as though it requested a keep-alive interval of 5 seconds. The keep-alive timer begins immediately after the server returns a CONNACK to the client. There may be a brief delay between the client's sending of a CONNECT message and the start of keep-alive behavior. |
| Maximum inbound unacknowledged messages: | The message broker allows 100 in-flight unacknowledged messages (limit is across all messages requiring ACK). When this limit is reached, no new messages will be accepted until an ACK is returned by the server. |
| Maximum outbound unacknowledged messages: | The message broker only allows 100 in-flight unacknowledged messages (limit is across all messages requiring ACK). When this limit is reached, no new messages will be sent to the client until the client acknowledges the in-flight messages. |
| Maximum retry interval for delivering QoS 1 messages: | If a connected client is unable to receive an ACK on a QoS 1 message for one hour, the message broker will drop the message. The client may be unable to receive the message if it has 100 in-flight messages, it is being throttled due to large payloads, or other errors. |
| WebSocket connection duration: | WebSocket connections are limited to 24 hours. If the limit is exceeded, the WebSocket connection will automatically be closed when an attempt is made to send a message by the client or server. If you need to maintain an active WebSocket connection for longer than 5 minutes, simply close and re-open the WebSocket connection from the client side before the 5 minutes elapses. |
| IoT rules per AWS account | 1000 |
The following limits apply to thing shadows:
| Resource or Operation | Default Limit |
|---|---|
| Maximum size of a JSON state document: | The maximum size of a JSON state document is 8 KB. |
| Maximum number of JSON objects per AWS account: | There is no limit on the number of JSON objects per AWS account. |
| Shadow lifetime: | A thing shadow is deleted by AWS IoT if it has not been updated or retrieved in more than 1 year. |
| Maximum number of in-flight, unacknowledged messages: | The Thing Shadows service supports up to 10 in-flight unacknowledged messages. When this limit is reached, all new shadow requests will be rejected with a 429 error code. |
| Maximum depth of JSON device state documents: | The maximum number of levels in the "desired" or "reported" section of the JSON device state document is 5. |
The following limits apply to security:
| Resource or Operation | Default Limit |
|---|---|
| Policies that can be applied to an AWS IoT certificate: | 10 |
| Number of versions of a named policy: | 5 |
| Policy document size limit: | 2048 characters |
Throttling Limits:
| Resource or Operation | Default Limit |
|---|---|
| AcceptCertificateTransfer: | 10 |
| AttachThingPrincipal: | 15 |
| CancelCertificateTransfer: | 10 |
| CreateCertificateFromCsr: | 15 |
| CreatePolicy: | 10 |
| CreatePolicyVersion: | 10 |
| CreateThing: | 15 |
| DeleteCertificate: | 10 |
| DeleteCACertificate: | 10 |
| DeletePolicy: | 10 |
| DeletePolicyVersion: | 10 |
| DeleteThing: | 10 |
| DescribeCertificate: | 10 |
| DescribeCACertificate: | 10 |
| DescribeThing: | 10 |
| DetachThingPrincipal: | 10 |
| DetachPrincipalPolicy: | 15 |
| DeleteRegistrationCode: | 10 |
| GetPolicy: | 10 |
| GetPolicyVersion: | 15 |
| GetRegistrationCode: | 10 |
| ListCertificates: | 10 |
| ListCertificatesByCA: | 10 |
| ListPolicies: | 10 |
| ListPolicyVersions: | 10 |
| ListPrincipalPolicies: | 15 |
| ListPrincipalThings: | 10 |
| ListThings: | 10 |
| ListThingPrincipals: | 10 |
| RegisterCertificate: | 10 |
| RegisterCACertificate: | 10 |
| RejectCertificateTransfer: | 10 |
| SetDefaultPolicyVersion: | 10 |
| TransferCertificate: | 10 |
| UpdateCertificate: | 10 |
| UpdateCACertificate: | 10 |
| UpdateThing: | 10 |
Well Architected Framework:
- Consists of 4 pillars:
- Security
- Apply security at all layers
- Enable Traceability
- Automate response to security events
- Focus on securing your system
- Automate security best practices
- Encrypt your data both in transit and at rest using ELB, EBS, S3 and RDS
- Use IAM and MFA for privilege management
- Security in the cloud has 4 areas:
- Data Protection
- Organize and classify your data into segments such as public, available only to org/dept/user
- Implement a least privilege access system so people can only access what they need
- Encrypt everything where possible, whether it be at rest or in transit
- Customers maintain full control of your data
- AWS makes it easy to manage keys using KMS or KMS-C
- Detailed logging is available that contains important content such as file access and changes
- Designed storage systems for exceptional resiliency.
- S3 is designed for 11 nines durability. If you store 10K objects on S3, you can on average expect to incur a loss of a single object once every 10,000,000 years.
- Versioning which can protect against accidental overwrites, deletes, and similar harm
- AWS never initiates the movement of data between regions. Content placed in a region will remain in that region, unless manually moved.
- Privilege Management
- Ensures that only authorized and authenticated users are able to access your resources
- Mechanisms in place such as ACLs, Role based access controls, Password management such as password rotation policies
- Infrastructure Protection
- How do you protect your data center
- RFID controls
- Security
- Lockable cabinets
- CCTV
- Amazon handles all of the physical, really customer is responsible for VPC protection.
- Enforce network and host level boundary protection
- Enforce the integrity of the OS, updates, patches, and anti-virus
- Detective Controls
- Detect or identify a security breach, tools available to help with this are:
- CloudTrail
- CloudWatch
- AWS Config
- S3
- Glacier
- Detect or identify a security breach, tools available to help with this are:
- Data Protection
- Reliability
- Ability of a system to recover from a service or infrastructure outage/disruptions
- Ability to dynamically acquire computing resources to meet demand
- Test recovery procedures
- Automatically recover from failure
- Scale horizontally to increase aggregate system availability
- Stop guessing capacity
- Consists of 3 areas:
- Foundations:
- Make sure you have the prerequisite foundations in place
- Consider the size of communication links between HQ and data centers
- Mis-provisioning connections could result in 3-6 upgrade time-frames
- AWS handles most of the foundations for you. The cloud is designed to be essentially limitless meaning that AWs handles the networking, and compute requirements themselves. They set service limits to limit accidental spin up of too many resources.
- Change Management:
- Be aware of how change affects a system so you can plan pro-actively around it.
- Monitoring allows you to detect any changes to your environment and react.
- Traditionally change control is done manually and carefully co-ordinated with auditing
- CloudWatch can be configured to monitor your environment and services such as auto-scaling, to automate change in response to changes in your prod environment.
- Failure Management:
- Always architect your system with the assumption that failure will occur
- Become aware of these failures, how they occurred, how to respond to them and then plan on how to prevent them in the future.
- Foundations:
- Performance Efficiency:
- Focuses on how to use computing resources efficiently to meet requirements
- How to maintain that efficiency as demand changes and technology evolves
- Democratize advanced technologies (Consume as service vs setup and maintain)
- Go Global in minutes
- Use server-less architectures
- Experiment more often
- Consists of 4 areas:
- Compute:
- Choose the right kind of server
- AWS servers are virtualized and at the click of a button you can change server types
- You can even switch to running with no servers, and use Lambda
- Storage:
- Optimal storage solutions for your environment depend on access methods (block, file or object), patterns of access, throughput, frequency of access, frequency of update, availabilty constraints, and durability constraints.
- S3 has 11x9's durability and cross region replication
- EBS has different mediums such as magnetic, SSD, or provisioned IOPS SSD
- Can easily switch between different mediums
- Databases:
- Optimal database solution depends on number of factors, do you need database consistency, high availability, No-SQL, DR, Relational tables?
- Lots of options, RDS, DynamoDB, Redshift, etc..
- Space Time Trade off:
- Using services such as RDS to add read replicas reduces the load of your database and creates multiple copies of the data to help lower latency
- Can use Direct Connect to provide predictable latency between HQ and AWS
- Use the global infrastructure to have copies of environment in regions closest to where your customer base is located.
- Caching services such as Elasticache or CloudFront to reduce latency
- Compute:
- Cost Optimization
- Reduce cost to minimum and use those saving for other parts of your business
- Allows you pay the lowest price possible while still achieving your business objectives
- Transparently attribute expenditure
- Use managed services to reduce the cost of ownership
- Trade capital expense for operating expense
- Benefit from economies of scale (AWS buys servers by the thousands)
- Stop spending money on data center operations
- Design Principles:
- Stop guessing your capacity needs
- Test systems at production scale
- Lower the risk of architecture change
- Automate to make architectural experimentation easier
- Allow for evolutionary architectures
- Comprised of 4 different areas:
- Matched Supply and demand
- Align supply with demand
- Don't over or under provision, instead expand as demand grows
- Auto-scaling or lambda execute or respond when a request comes in
- Services such as CloudWatch can help you keep track as to what your demand is.
- Cost-Effective resources
- Use correct instance type
- Well architected system will use the most cost efficient resources to reach the end business goal
- Expenditure awareness
- No longer need to get quotes for physical servers, choosing a supplier, have resources delivered, installed, manufactured, etc..
- Can provision things within seconds
- Be aware of what each team is spending and where is crucial to any well architected system
- Use cost allocation tags to track this, billing alerts as well as consolidated billing.
- Optimizing over time
- A service that you chose yesterday man not be the best service to be using today
- Constantly re-evaluate your existing architecture
- Subscribe to the AWS blog
- Use Trusted Advisor
- Matched Supply and demand
- Security
White Paper Review:
- 6 Advantages of Cloud
- Trade capital expense for variable expense
- Benefit from massive economies of scale
- Stop guessing about capacity
- Increase speed and agility
- Stop spending money running and maintaining data centers
- Go Global in minutes
- 14 Regions, each with different number of AZ's
- Storage devices uses DoD 5220.22-M or NIST 800-88 to destroy data when a device has reached the end of its useful life. All decommissioned magnetic storage devices are degaussed and physically destroyed in accordance with industry standard practices
- VPC provides a private subnet within the cloud and the ability to use an IPsec VPN to provide an encrypted tunnel between the VPC and your data center
- AWS prod is segregated from the AWS Corporate network by means of a complex set of network security / segregation devices
- Provides protection against DDoS, Man in the middle attacks, IP spoofing, Port Scanning, and Packet Sniffing by other tenants
- AWS has a host based firewall infrastructure that will not permit an instance to send traffic with a source IP or MAC address other than its own, which prevents IP Spoofing
- Unauthorized port scans by EC2 customers are a violation of the Acceptable use policy
- You may request permission to conduct vulnerability scans as required to meet your specific compliance requirements
- Any pre-approved vulnerability scans must be limited to your own instances and must not violate the Acceptable use policy; You MUST request a vulnerability scan in advance
- Password for root or IAM user accounts into the console should be protected by MFA
- Use access keys to access AWS APIs (using AWS SDK, CLI, REST/Query APIs)
- Use SSH Key Paris to login to EC2 instances, or CloudFront signed URLS
- Use x.509 Certs to tighten security of your applications/cloudfront via HTTPS
- Trusted Advisor inspects your environment and makes recommendations when opportunities exist to save money, improve system performance, or close security gaps
- Different instances running on the same physical machine are isolated from each other via the Xen hypervisor
- AWS firewall resides within the hypervisor layer, between the physical network and the the instances virtual interface.
- ALL packets must pass through this layer. Any instance's neighbors have no more access to the instance than any other host on the Internet and can be treated as if they are separate hosts
- Physical RAM is separated using similar mechanisms
- Customer instances have no access to raw disk devices, but instead are presented with virtualized disks
- AWS proprietary disk virtualization layer automatically resets every block of storage used by the customer, so that one customers data is never unintentionally exposed to another
- Memory allocated to guests is scrubbed (set to 0) by the hypervisor when it is unallocated to a guest
- Memory is not returned to the pool of free memory available for new allocations until th memory scrub process has completed
- Virtual instances are completely controlled by you, the customer. You have full root access or administrative control over accounts, services, and applications. AWS does not have any access rights to any instance or guest OS
- EC2 provides a complete firewall solution. The inbound firewall is configured in a default deny any any mode and EC2 customers must explicitly open the ports needed to allow inbound traffic
- Encryption of sensitive data is generally a good practice and AWS provides the ability to encrypt EBS volumes and their snapshots with AES-256. The encryption occurs on the servers that host the EC2 instances and EBS storage
- EBS encryption feature is only available on EC2's more powerful instance types (M3, C3, R3, G2)
- SSL termination on ELB is supported and recommended
- X- forwarded for headers enabled, passes real IP from LB's to web servers
- You can procure rack space within the facility housing the AWS direct connect location and deploy your equipment nearby. Once deployed, you can connect to this equipment to AWS direct connect using cross-connect
- Using 802.1q VLANs dedicated connections can be partitioned into multiple virtual interfaces. This allows you to use the connection to access public resources such as objects stored in S3 using public IP address space and private resources such as EC2 instances running within the VPC private IP space, while maintaining network separation between public and private environments
- AWS management re-evaluates the strategic business plan at least bi-annually
- AWS security regularly scans all Internet facing service endpoint IP addresses for vulnerabilities. These do NOT include customer instances
- External vulnerability threat assessments are performed regularly by independent security firms, and their findings are passed to management
- Data Center Security:
- State of the art electronic surveillance and MF access control
- Staffed 24x7 by security guards
- Access is authorized on a least privilege basis
- Compliance:
- SOC 1/SSAE 16/ISAE 3402 (formally SAS 70 Type II)
- SOC2
- SOC3
- FISMA, DIACAP, and FedRAMP
- PCI DSS Level 1
- ISO 27001
- ISO 9001
- HIPAA
- Cloud Security Alliance (CSA)
- Motion Picture Association of America (MPAA)
- ITAR
- FIPS 140-2
- DSS 1.0
- Data Security:
- Shared security model
- AWS:
- Responsible for securing the underlying infrastructure
- Responsible for protecting the global infrastructure that runs all of the services offered on the AWS cloud.
- Infrastructure comprised of hardware, software, networking, and facilities that run AWS services
- Responsible for the security configuration of its products that are considered managed services, such as DynamoDB, RDS, Redshift, Elastic MapReduce, lambda, and Workspaces.
- User:
- Responsible for anything put on the cloud
- EC2, VPC, S3 security configuration and management tasks
- Account Management (MFA, SSL, TLS, CloudTrail API/User activity logging)
- AWS:
- Shared security model