AWS Certified Solutions Architect Associate — SAA (C02) — Cheatsheet
AWS Certified Solutions Architect is among the most valuable and highly sought-after cloud computing certifications in the world today. Earning AWS Certified Solutions Architect — Associate validates the ability to design and implement distributed systems on AWS.
In your pursuit to pass this prestigious associate-level AWS certificate, I have invested my time to prepare this cheat sheet to help fellow Netizens pass this certification, and level up their cloud career as I have.
The cheat sheet is broken down by domains per the official exam guide.
- Design Resilient Architectures — 30%
- Design High-Performing Architectures — 28%
- Design Secure Applications and Architectures — 24%
- Design Cost-Optimized Architectures — 18%
The exam costs 150 USD and the total length to complete the exam is 130 minutes. There will be 65 questions either multiple choice or multiple responses. The passing score is at 72% as of now.
NOTE: I strongly recommend, getting at least 1 year of hands-on practical AWS experience to get familiar with AWS products offerings.
Design Resilient Architectures (30%)
- AWS RDS Multi-AZ deployment can have one standby or two standby DB instances. MultiAZ DB instance deployment has one standby DB instance, it only provides failover support but doesn’t serve read traffic. Multi-AZ DB cluster deployment has two standby DB instances, provides failover support, and can also serve read traffic to increase application read throughput. Learn more
- AWS RDS Multi-AZ primary to standby DB instance failover times is typically 60–120 seconds or within 5 minutes in case of a large transaction or lengthy recovery process.
- AWS RDS Multi-AZ deployment automatically provisions and maintains synchronous standby replica in a different Availability Zone.
- AWS RDS Multi-AZ with read-replicas uses asynchronous replication and can use used to offload read traffic to increase application read throughput.
- AWS CloudWatch and Amazon SNS services can be used to notify by email when certain CloudWatch metrics thresholds exceed.
- In order for a public subnet in a VPC to access the Internet, ensure a
0.0.0.0/0destination route in the VPC route table has an Internet Gateway target.
- To retrieve user data from within a running EC2 instance, use the following URI:
http://169.254.169.254/latest/user-data. Learn more
- AWS EC2 user data is limited to 16KB in raw form before it is base64-encoded.
- By default, AWS EC2 user data scripts and cloud-init directives run only during the first boot cycle when an EC2 instance is launched.
- AWS Application Load Balancer (ALB) supports path-based and host-based routing, since concepts of URL, Paths, and DNS Hostnames are only defined for Layer 7 — Application of the OSI model. Learn more
- AWS Network Load Balancer (NLB) supports only port-based routing since NLB operates at Layer-4 — Transport of OSI model. Learn more
- Recovery Time Objective (RTO) is the maximum acceptable delay between the interruption of service and restoration of service.
- Recovery Point Objective (RPO) is the maximum acceptable amount of time since the last data recovery point. This determines what is considered an acceptable loss of data between the last recovery point and the interruption of service.
- AWS Load Balancer will route the incoming requests only to healthy EC2 instances. The EC2 instance may have passed the status check and be considered healthy to the ASG, but the ELB may not use it if the ELB health check has not been met. The ELB health check has a default of 30 seconds between checks, and a default of 3 checks before making a decision.
- AWS recommends using a launch template for Auto Scaling groups to access the latest features and improvements. Launch templates are immutable. To modify a launch template, you must create a new version of the launch template. Learn more
- AWS OpsWorks is a configuration management service that provides managed instances of Chef and Puppet to automate how servers are configured, deployed, and managed across your EC2 instances or on-premises compute environments. Learn more
- AWS Auto Scaling Group (ASG) can also scale instances based on Amazon SQS queue load. Learn more
- Canary-based deployment configuration allows percentage-based traffic splitting.
- AWS EC2 ENI can be attached to an instance when it’s running (hot attach), when it’s stopped (warm attach), or when the instance is being launched (cold attach).
- Read-replica failure on Multi-AZ RDS deployment, will not cause primary to standby failover to take place.
- Amazon SQS can be used to decouple the architecture and facilitates scalability, resiliency, reliability, and elasticity in the application.
- AWS CloudFormation is infrastructure as code, and the CloudFormation feature of templates allows this infrastructure as code to be version controlled. Learn more
- AWS CloudFormation Registry is a managed service that lets you register, use, and discover AWS and third-party resource types to be used with CloudFormation templates.
- AWS CloudFormation limits to 2000 stacks per account, 500 resources per template, 100 stack sets per account, 51KB of raw template size, and 1MB of S3 template size.
- To retrieve data about the instances such as instance ID, public keys, and public IP address, use
- AWS SQS message will be invisible for all the other users/instances for 30 seconds (by default) after picking up the message from the queue.
- AWS FIFO (first-in-first-out) queues preserve the exact order in which messages are sent and received.
- Amazon SNS service allows sending text messages, or SMS messages, to SMS-enabled devices. Learn more
- Amazon SNS supports HTTP, HTTPS, Email-JSON, and SQS transport protocols.
- AWS Kinesis data stream is made of shards. In case you want to increase the per shard limit, just increase the number of shards in the Kinesis data stream.
- On-prem applications using MQTT protocol can be migrated to AWS cloud using the Amazon MQ service, without requiring the rewriting of application code.
- AWS S3 offers the following storage classes: S3 Standard, S3 Standard-IA, S3 Intelligent-Tiering, S3 One Zone-IA, S3 Glacier Instant Retrieval, S3 Glacier Flexible Retrieval, S3 Glacier Deep Archive.
- All S3 storage classes have ≥ 3 AZ, only S3 One Zone IA has 1 AZ.
- S3 charges per GB retrieved retrieval charges.
- The minimum storage duration charge is 30 days for S3 Standard IA and One Zone IA, 90 days for S3 Glacier Instant Retrieval and S3 Glacier Flexible Retrieval, 180 days for S3 Glacier Deep Archive.
- The minimum capacity charge per object is 128KB for S3 Standard IA, S3 One Zone IA, S3 Glacier Instance Retrieval, 40KB for S3 Glacier Flxible Retrieval, and S3 Glacier Deep Archive.
- During the failing over in RDS Multi-AZ deployment, Amazon RDS simply flips the canonical name record (CNAME) for your DB instance to point at the standby, which is in turn promoted to become the new primary.
- Amazon Athena is an interactive query service that makes it easy to analyze data in Amazon S3 using standard SQL. Athena is serverless, so there is no infrastructure to manage, and you only pay for the queries you run.
- AWS Database Migration Service helps you migrate databases to AWS quickly and securely. AWS Database Migration Service supports homogeneous migrations such as Oracle to Oracle, as well as heterogeneous migrations between different database platforms, such as Oracle or Microsoft SQL Server to Amazon Aurora.
- Amazon CloudFront is a fast content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally with low latency, high transfer speeds, all within a developer-friendly environment.
- An Amazon EBS-backed instance can be stopped and later restarted without affecting data stored in the attached volumes. By default, the root volume for an AMI backed by Amazon EBS is deleted when the instance terminates. You can change the default behavior to ensure that the volume persists after the instance terminates. To change the default behavior, set the
DeleteOnTerminationattribute to false using a block device mapping.
- AWS IAM roles are designed so that your applications can securely make API requests from your instances, without requiring you to manage the security credentials that the applications use.
- Public IPv4 address, elastic IP address, and IPv6 address are globally unique addresses. The IPv4 addresses known for not being unique are private IPs. These are found in the following ranges: from 10.0.0.0 to 10.255.255.255, from 172.16.0.0 to 172.31.255.255, and from 192.168.0.0 to 192.168.255.255. See RFC1918.
- AWS Personal Health Dashboard provides alerts and remediation guidance when AWS is experiencing events that may impact you. While the Service Health Dashboard displays the general status of AWS services, Personal Health Dashboard gives you a personalized view of the performance and availability of the AWS services underlying your AWS resources.
- AWS EC2 EBS volume can be used normally while the snapshot is in progress. Learn more
- AWS Route53 Geolocation routing lets you choose the resources that serve your traffic based on the geographic location of your users, meaning the location that DNS queries originate from. For example, you might want all queries from Europe to be routed to an ELB in the Frankfurt region. You can also use geolocation routing to restrict the distribution of content to only the locations in which you have distribution rights. Learn more
Design High-Performing Architectures (28%)
- AWS CloudWatch metrics for EC2 instances do not provide Memory utilization metrics. CloudWatch agent must be installed separately on the EC2 instance to collect such metrics. Learn more
- Amazon Redshift is a petabyte-scale data warehouse service that uses SQL to analyze structured and semi-structured data. Redshift achieves extremely fast query execution with these performance features: Massively parallel processing (MPP), columnar data storage, query optimizer, data compression, result caching, compiled code.
- Amazon Redshift offers near real-time complex querying on massive data sets.
- AWS ElastiCache service can be used to store frequently accessed data in-memory to improve the performance of read-heavy applications.
- AWS DynamoDB Accelerator (DAX) is a highly available, in-memory cache for DynamoDB that delivers up to a 10 times performance improvement — from milliseconds (ms) to microseconds (us) — even at millions of requests per second.
- Amazon Kinesis Data Streams is a serverless streaming data service to collect and process large streams of data records in real-time. Some use cases are: Stream large log and event data, run real-time analytics using Kinesis Data Analytics, Power event-driven applications using AWS Lambda.
- AWS EC2 cluster placement group is a logical grouping of instances within a single Availability Zone. Launching EC2 instances in a cluster placement group allows for low-latency network performance, high network throughput, and tightly coupled node-to-node communication.
- The best way to upload large files (> 100MB) to the S3 bucket is using multipart upload — allows you to upload a single object as a set of parts. Learn more
- AWS Direct Connect is a cloud service solution that makes it easy to establish a dedicated network connection from your premises to AWS. Using AWS Direct Connect, you can establish private connectivity between AWS and your datacenter, office, or colocation environment, which in many cases can reduce your network costs, increase bandwidth throughput, and provide a more consistent network experience than internet-based connections.
- AWS Elastic Beanstalk service allows us to deploy and manage applications in the AWS Cloud without having to worry about the infrastructure that runs those applications. Supports languages are Go, Java, .NET, Node.js, PHP, Python, and Ruby. When deploying the application, Elastic Beanstalk builds the selected supported platform version and provisions one or more AWS resources, such as Amazon EC2 instances, to run the application.
- Amazon DynamoDB auto scaling can be used to solve the throttling issue. It uses the AWS Application Auto Scaling service to dynamically provision the read and write capacity to handle sudden traffic spikes. When workload decreases Application Auto Scaling decreases the throughput to reclaim the unused provisioned capacity.
- AWS EC2 ephemeral instance store volume is ideal for temporary storage, but data is lost in any of the following circumstances: Underlying disk drive fails, Instance stops or terminates, Instance is terminated, Hardware disk failure. Instance store volume will however persist during the instance reboot.
- Warm standby DR (Disaster Recovery) configuration maintains a scaled-down but fully functional version of the application workload always running in the DR Region. When the time comes for recovery, the system is scaled up quickly to handle the production load. Learn more
- With default termination policy in ASG, during scale-in, instance launched from the oldest launch configuration is terminated first.
- AWS ElastiCache service can improve the performance of the application by caching frequently accessed data in-memory.
- Amazon DynamoDB is a NoSQL database that supports key-value and document data models and enables developers to build modern, serverless applications that can start small and scale globally to support petabytes of data and tens of millions of read and write requests per second.
- AWS Network Load Balancer is capable of handling millions of requests per second while maintaining ultra-low latencies.
- If a subnet’s traffic is routed to an internet gateway, the subnet is known as a public subnet.
- AWS Service Quotas is an AWS service that helps you manage your quotas for over 100 AWS services from one location
- Amazon Kinesis Data Firehose is the easiest way to load streaming data into data stores and analytics tools. It can capture, transform, and load streaming data into Amazon S3, Amazon Redshift, Amazon Elasticsearch Service, and Splunk, enabling near real-time analytics with existing business intelligence tools and dashboards.
Design Secure Applications and Architectures (24%)
- By default, up to 5 security groups can be assigned to a network interface (e.g: EC2).
- AWS VPC Network ACL (NACL) rules are evaluated by rule number from lowest to highest. If a matching ALLOW/DENY rule is found, it is immediately executed.
- AWS S3 event notification supports the following destinations: SQS, SNS Lambda function.
- AWS EC2 Security groups for an instance can be changed when the instance is in the running or stopped state. Learn more
- The principle of least privilege is the best practice when giving users permissions in IAM policies.
- AWS IAM identity-based policy cannot be attached to resources. Resouce-based policy are attached to a resource. Identity-based policies are attached to an IAM user, group, or role. Learn more about identity-based policies vs resource-based policies
- To encrypt data before writing to storage in an EC2 instance, use AWS KMS API to encrypt all the data before saving it to disk.
- AWS EBS encryption can be used in EC2 instance to encrypt the data before writing to storage.
- Key concepts of subnets are: Each subnet maps to a single AZ, Every subnet created is automatically associated with the current main route table for the VPC.
- Secure Shell (SSH) uses port 22.
- By default, default VPC NACL allows all inbound and outbound IPv4 traffic and, if applicable, IPv6 traffic. You can create a custom network ACL and associate it with a subnet. By default, each custom network ACL denies all inbound and outbound traffic until you add rules.
- Each subnet in your VPC must be associated with a network ACL. If you don’t explicitly associate a subnet with a network ACL, the subnet is automatically associated with the default network ACL.
- AWS VPC Network ACLs (NACL) are stateless, and security groups are stateful. Network ACLs are stateless, which means that responses to allowed inbound traffic are subject to the rules for outbound traffic (and vice versa).
- AWS CloudTrail tracks changes to resources, logs users' activity and enables compliance.
- An AWS S3 notification can be set up to notify you when objects are restored from Glacier to S3.
- AWS Security Token Service (AWS STS) is the service that you can use to create and provide trusted users with temporary security credentials that can control access to your AWS resources. Temporary security credentials work almost identically to the long-term access key credentials that your IAM users can use.
- Amazon Macie is a fully-managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS.
Design Cost-Optimized Architectures (18%)
- AWS S3 Lifecycle helps to manage and automate the life of objects within S3. It supports two types of actions: Transition actions (objects transition to another storage class) and Expiration actions (objects are deletes on expiry).
- Reserved Instance Marketplace platform allows the sale of third-party and AWS customers’ unused Standard Reserved Instances, which vary in term lengths and pricing options. For example, you may want to sell Reserved Instances after moving instances to a new AWS Region, changing to a new instance type, ending projects before the term expiration, when your business needs change, or if you have unneeded capacity.
- For applications that have steady-state or predictable usage, Reserved Instances can provide significant savings (up to 75%) compared to using On-Demand instances. Reserved instances are recommended for customers that can commit to using EC2 over a 1 or 3 years term to reduce their total computing costs.
- AWS Snowball is a data transport solution that accelerates moving terabytes to petabytes of data into and out of AWS using storage appliances designed to be secure for physical transport.
- The AWS Snowball Edge device differs from the standard Snowball because it can bring the power of the AWS Cloud to your on-premises location with onboard storage and compute power.
- Amazon CloudWatch Alarms “Stop Actions” features allow us to stop an EC2 instance when a certain threshold is been. For example, You can create a CloudWatch alarm that is triggered when the average CPU utilization percentage has been lower than 10 percent for 4 hours and stops the instance.
- Amazon EC2 provides the following purchasing options to enable you to optimize your costs based on your needs: On-Demand Instances — Pay, by the second, for the instances that you launch. Savings Plans — Reduce your Amazon EC2 costs by making a commitment to a consistent amount of usage, in USD per hour, for a term of 1 or 3 years. Reserved Instances — Reduce your Amazon EC2 costs by making a commitment to a consistent instance configuration, including instance type and Region, for a term of 1 or 3 years. Scheduled Instances — Purchase instances that are always available on the specified recurring schedule, for a one-year term. Spot Instances — Request unused EC2 instances, which can reduce your Amazon EC2 costs significantly. Dedicated Hosts — Pay for a physical host that is fully dedicated to running your instances, and bring your existing per-socket, per-core, or per-VM software licenses to reduce costs. Dedicated Instances — Pay, by the hour, for instances that run on single-tenant hardware. Capacity Reservations — Reserve capacity for your EC2 instances in a specific Availability Zone for any duration.
- Security and compliance is a shared responsibility between AWS and the customer. This shared model can help relieve the customer’s operational burden as AWS operates, manages, and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates. The customer assumes responsibility for, and management of, the guest operating system (including updates and security patches), other associated application software, and the configuration of the AWS-provided security group firewall. The nature of this shared responsibility also provides the flexibility and customer control that permits the deployment. Learn more
- AWS EC2 EBS volume types fall into these categories: SSD (Solid-state drives) and HDD (Hard disk drive). SSD-backed volumes fall into: General Purpose SSD (balance of price and performance), Provisioned IOPS SSD (high performance for mission-critical, low-latency, and high-throughput workloads).
- You can back up the data on your Amazon EBS volumes to Amazon S3 by taking point-in-time snapshots. Snapshots are incremental backups, which means that only the blocks on the device that have changed after your most recent snapshot are saved.
- AWS Trusted Advisor is an online tool that provides you with real-time guidance to help you provision your resources following AWS best practices. Trusted Advisor checks help optimize your AWS infrastructure, increase security and performance, reduce your overall costs, and monitor service limits.
- Adding Terminate Actions to Amazon CloudWatch Alarms: You can create an alarm that terminates an EC2 instance automatically when a certain threshold has been met (as long as termination protection is not enabled for the instance).
- AWS Budgets gives you the ability to set custom budgets that alert you when your costs or usage exceed (or are forecasted to exceed) your budgeted amount.
- A Cloud Guru Practice Exam (Paid)
- AWS Certified Solutions Architect — Associate (SAA-C02) Exam Guide
- AWS Sample Questions PDF (Free)
- AWS SQS SNS Kinesis Typical Exam Questions for AWS Solutions Architect Associate (Free)