AWS Certified Solutions Architect Study Guide - Ben Piper - E-Book


Ben Piper

Description

Master the intricacies of Amazon Web Services and efficiently prepare for the SAA-C02 Exam with this comprehensive study guide AWS Certified Solutions Study Guide: Associate (SAA-C02) Exam, Third Edition comprehensively and efficiently prepares you for the SAA-C02 Exam. The study guide contains robust and effective study tools that will help you succeed on the exam. The guide grants you access to the regularly updated Sybex online learning environment and test bank, which contains hundreds of test questions, bonus practice exams, electronic flashcards, and a glossary of key terms. In this study guide, accomplished and experienced authors Ben Piper and David Clinton show you how to: * Design resilient architectures * Create high-performing architectures * Craft secure applications and architectures * Design cost-optimized architectures Perfect for anyone who hopes to begin a new career as an Amazon Web Services cloud professional, the study guide also belongs on the bookshelf of any existing AWS professional who wants to brush up on the fundamentals of their profession.


Page count: 735

Year of publication: 2020




Table of Contents

Cover

Title Page

Copyright

Acknowledgments

About the Authors

Table of Exercises

Introduction

What Does This Book Cover?

Interactive Online Learning Environment and Test Bank

Exam Objectives

Objective Map

Assessment Test

Answers to Assessment Test

PART I: The Core AWS Services

Chapter 1: Introduction to Cloud Computing and AWS

Cloud Computing and Virtualization

The AWS Cloud

AWS Platform Architecture

AWS Reliability and Compliance

Working with AWS

Summary

Exam Essentials

Review Questions

Chapter 2: Amazon Elastic Compute Cloud and Amazon Elastic Block Store

Introduction

EC2 Instances

EC2 Storage Volumes

Accessing Your EC2 Instance

Securing Your EC2 Instance

EC2 Auto Scaling

AWS Systems Manager

AWS CLI Example

Summary

Exam Essentials

Review Questions

Chapter 3: AWS Storage

Introduction

S3 Service Architecture

S3 Durability and Availability

S3 Object Lifecycle

Accessing S3 Objects

Amazon S3 Glacier

Other Storage‐Related Services

AWS CLI Example

Summary

Exam Essentials

Review Questions

Chapter 4: Amazon Virtual Private Cloud

Introduction

VPC CIDR Blocks

Subnets

Elastic Network Interfaces

Internet Gateways

Route Tables

Security Groups

Network Access Control Lists

Public IP Addresses

Elastic IP Addresses

AWS Global Accelerator

Network Address Translation

Network Address Translation Devices

VPC Peering

Hybrid Cloud Networking

High‐Performance Computing

Summary

Exam Essentials

Review Questions

Chapter 5: Database Services

Introduction

Relational Databases

Amazon Relational Database Service

Amazon Redshift

Nonrelational (NoSQL) Databases

DynamoDB

Summary

Exam Essentials

Review Questions

Chapter 6: Authentication and Authorization—AWS Identity and Access Management

Introduction

IAM Identities

Authentication Tools

AWS CLI Example

Summary

Exam Essentials

Review Questions

Chapter 7: CloudTrail, CloudWatch, and AWS Config

Introduction

CloudTrail

CloudWatch

AWS Config

Summary

Exam Essentials

Review Questions

Chapter 8: The Domain Name System and Network Routing: Amazon Route 53 and Amazon CloudFront

Introduction

The Domain Name System

Amazon Route 53

Amazon CloudFront

AWS CLI Example

Summary

Exam Essentials

Review Questions

Chapter 9: Simple Queue Service and Kinesis

Introduction

Simple Queue Service

Kinesis

Summary

Exam Essentials

Review Questions

PART II: The Well‐Architected Framework

Chapter 10: The Reliability Pillar

Introduction

Calculating Availability

EC2 Auto Scaling

Data Backup and Recovery

Creating a Resilient Network

Designing for Availability

Summary

Exam Essentials

Review Questions

Chapter 11: The Performance Efficiency Pillar

Introduction

Optimizing Performance for the Core AWS Services

Infrastructure Automation

Reviewing and Optimizing Infrastructure Configurations

Optimizing Data Operations

Summary

Exam Essentials

Review Questions

Chapter 12: The Security Pillar

Introduction

Identity and Access Management

Detective Controls

Protecting Network Boundaries

Data Encryption

Summary

Exam Essentials

Review Questions

Chapter 13: The Cost Optimization Pillar

Introduction

Planning, Tracking, and Controlling Costs

Cost‐Optimizing Compute

Summary

Exam Essentials

Review Questions

Chapter 14: The Operational Excellence Pillar

Introduction

CloudFormation

CodeCommit

CodeDeploy

CodePipeline

AWS Systems Manager

AWS Landing Zone

Summary

Exam Essentials

Review Questions

Appendix: Answers to Review Questions

Chapter 1: Introduction to Cloud Computing and AWS

Chapter 2: Amazon Elastic Compute Cloud and Amazon Elastic Block Store

Chapter 3: AWS Storage

Chapter 4: Amazon Virtual Private Cloud

Chapter 5: Database Services

Chapter 6: Authentication and Authorization—AWS Identity and Access Management

Chapter 7: CloudTrail, CloudWatch, and AWS Config

Chapter 8: The Domain Name System and Network Routing: Amazon Route 53 and Amazon CloudFront

Chapter 9: Simple Queue Service and Kinesis

Chapter 10: The Reliability Pillar

Chapter 11: The Performance Efficiency Pillar

Chapter 12: The Security Pillar

Chapter 13: The Cost Optimization Pillar

Chapter 14: The Operational Excellence Pillar

Index

Online Test Bank

Register and Access the Online Test Bank

End User License Agreement

List of Tables

Chapter 1

TABLE 1.1 AWS service categories

TABLE 1.2 Core AWS services (by category)

TABLE 1.3 A list of publicly accessible AWS regions

Chapter 2

TABLE 2.1 EC2 instance type family and their top‐level designations

TABLE 2.2 Pricing estimates comparing on‐demand with reserve costs

TABLE 2.3 A sample key/value tagging convention

TABLE 2.4 Sample costs for each of the four EBS storage volume types

TABLE 2.5 The three IP address ranges used by private networks

Chapter 3

TABLE 3.1 Guaranteed availability standards for S3 storage

TABLE 3.2 Sample retrieval costs for Glacier data in the US East region

TABLE 3.3 Sample storage costs for data in the US East region

Chapter 4

TABLE 4.1 Subnets in different availability zones

TABLE 4.2 The local route

TABLE 4.3 Route table with default route

TABLE 4.4 Inbound rules allowing SSH and HTTPS access from any IP address

TABLE 4.5 Outbound rule allowing Internet access

TABLE 4.6 Default NACL inbound rules

TABLE 4.7 Blocking rule

TABLE 4.8 Default NACL outbound rules

TABLE 4.9 IP address configuration when using a NAT device

TABLE 4.10 Default routes for the Private and Public subnets

TABLE 4.11 Routes for VPC peering

TABLE 4.12 Route table entries for using a transit gateway

Chapter 5

TABLE 5.1 The Employees table

TABLE 5.2 The Departments table

TABLE 5.3 The Employees table

TABLE 5.4 Item in an unstructured database

TABLE 5.5 Composite primary keys

Chapter 8

TABLE 8.1 The data categories contained in a resource record from a zone file

TABLE 8.2 Some common DNS record types

TABLE 8.3 Permitted CloudFront origins

Chapter 9

TABLE 9.1 Comparison of SQS and Kinesis services

Chapter 10

TABLE 10.1 The relationship between annual availability percentage and time u...

Chapter 11

TABLE 11.1 Instance type parameter descriptions

TABLE 11.2 Common use cases for compute categories

TABLE 11.3 Third‐party data warehousing and management tools

List of Illustrations

Chapter 1

FIGURE 1.1 A virtual machine host

FIGURE 1.2 Copies of a machine image are added to new VMs as they're launche...

FIGURE 1.3 The AWS Shared Responsibility Model

Chapter 2

FIGURE 2.1 A multi‐VPC infrastructure for a development environment

FIGURE 2.2 A NAT gateway providing network access to resources in private su...

FIGURE 2.3 Scheduled action setting the desired capacity to 2 every Saturday...

FIGURE 2.4 Scheduled action setting the desired capacity to 4 every Friday

Chapter 4

FIGURE 4.1 VPC with subnets and instances

FIGURE 4.2 Network address translation using a NAT device

Chapter 6

FIGURE 6.1 The Security Status checklist from the IAM page of an AWS account...

FIGURE 6.2 The six action items displayed on the Your Security Credentials p...

Chapter 7

FIGURE 7.1 CPU utilization

FIGURE 7.2 The sum of network bytes sent out over a one‐hour period

FIGURE 7.3 Combining metric math functions

Chapter 8

FIGURE 8.1 A simple DNS domain broken down to its parts

FIGURE 8.2 A sample Traffic Flow policy

Chapter 9

FIGURE 9.1 SQS workflow

Chapter 10

FIGURE 10.1 Scheduled action setting the desired capacity to 2 every Saturda...

FIGURE 10.2 Scheduled action setting the desired capacity to 4 every Friday...

Chapter 11

FIGURE 11.1 The data flow of a typical load balancing operation

FIGURE 11.2 A typical ElastiCache configuration with an ElastiCache cluster ...

Chapter 12

FIGURE 12.1 CloudWatch Logs showing AttachVolume, DetachVolume, and DeleteVo...

FIGURE 12.2 Athena query results

FIGURE 12.3 AWS Config showing an EBS volume as noncompliant

FIGURE 12.4 Configuration timeline for an EBS volume

FIGURE 12.5 EBS volume configuration and relationship changes

FIGURE 12.6 GuardDuty finding showing a possible malware infection

FIGURE 12.7 Inspector finding showing that root users can log in via SSH



AWS Certified Solutions Architect Study Guide

Associate (SAA-C02) Exam

Third Edition

Ben Piper

David Clinton

 

Copyright © 2021 by John Wiley & Sons, Inc., Indianapolis, Indiana

Published simultaneously in Canada

ISBN: 978‐1‐119‐71308‐1

ISBN: 978‐1‐119‐71309‐8 (ebk.)

ISBN: 978‐1‐119‐71310‐4 (ebk.)

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per‐copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750‐8400, fax (978) 646‐8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748‐6011, fax (201) 748‐6008, or online at www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Web site may provide or recommendations it may make. Further, readers should be aware that Internet Web sites listed in this work may have changed or disappeared between when this work was written and when it is read.

For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at (877) 762‐2974, outside the U.S. at (317) 572‐3993 or fax (317) 572‐4002.

Wiley publishes in a variety of print and electronic formats and by print‐on‐demand. Some material included with standard print versions of this book may not be included in e‐books or in print‐on‐demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

Library of Congress Control Number: 2020947039

TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. AWS is a registered trademark of Amazon Technologies, Inc. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

Acknowledgments

We would like to thank the following people who helped us create AWS Certified Solutions Architect Study Guide: Associate SAA‐C02 Exam, Third Edition.

First, a special thanks to our friends at Wiley. Kenyon Brown, senior acquisitions editor, got the ball rolling on this project and pushed to get this book published quickly. His experience and guidance throughout the project was critical. Stephanie Barton, project editor, helped push this book forward by keeping us accountable to our deadlines. Her edits made many of the technical parts of this book more readable.

Todd Montgomery reviewed the chapters and questions for technical accuracy. Not only did his comments and suggestions make this book more accurate, he also provided additional ideas for the chapter review questions to make them more challenging and relevant to the exam.

Lastly, the authors would like to thank each other!

About the Authors

Ben Piper is a networking and cloud consultant who has authored multiple books, including the AWS Certified Cloud Practitioner Study Guide: Foundational CLF‐C01 Exam (Sybex, 2019) and Learn Cisco Network Administration in a Month of Lunches (Manning, 2017). You can contact Ben by visiting his website: benpiper.com.

David Clinton is a Linux server admin and AWS solutions architect who has worked with IT infrastructure in both academic and enterprise environments. He has authored books—including (with Ben Piper) the AWS Certified Cloud Practitioner Study Guide: Foundational CLF‐C01 Exam (Sybex, 2019) and Linux in Action (Manning Publications, 2018)—and created more than two dozen video courses teaching Amazon Web Services and Linux administration, server virtualization, and IT security for Pluralsight.

In a “previous life,” David spent 20 years as a high school teacher. He currently lives in Toronto, Canada, with his wife and family and can be reached through his website: bootstrap-it.com.

Table of Exercises

EXERCISE 1.1  Use the AWS CLI

EXERCISE 2.1  Launch an EC2 Linux Instance and Log in Using SSH

EXERCISE 2.2  Assess the Free Capacity of a Running Instance and Change Its Instance Type

EXERCISE 2.3  Assess Which Pricing Model Will Best Meet the Needs of a Deployment

EXERCISE 2.4  Create and Launch an AMI Based on an Existing Instance Storage Volume

EXERCISE 2.5  Create a Launch Template

EXERCISE 2.6  Install the AWS CLI and Use It to Launch an EC2 Instance

EXERCISE 2.7  Clean Up Unused EC2 Resources

EXERCISE 3.1  Create a New S3 Bucket and Upload a File

EXERCISE 3.2  Enable Versioning and Lifecycle Management for an S3 Bucket

EXERCISE 3.3  Generate and Use a Presigned URL

EXERCISE 3.4  Enable Static Website Hosting for an S3 Bucket

EXERCISE 3.5  Calculate the Total Lifecycle Costs for Your Data

EXERCISE 4.1  Create a New VPC

EXERCISE 4.2  Create a New Subnet

EXERCISE 4.3  Create and Attach a Primary ENI

EXERCISE 4.4  Create an Internet Gateway and Default Route

EXERCISE 4.5  Create a Custom Security Group

EXERCISE 4.6  Create an Inbound Rule to Allow Remote Access from Any IP Address

EXERCISE 4.7  Allocate and Use an Elastic IP Address

EXERCISE 4.8  Create a Transit Gateway

EXERCISE 4.9  Create a Blackhole Route

EXERCISE 5.1  Create an RDS Database Instance

EXERCISE 5.2  Create a Read Replica

EXERCISE 5.3  Promote the Read Replica to a Master

EXERCISE 5.4  Create a Table in DynamoDB Using Provisioned Mode

EXERCISE 6.1  Lock Down the Root User

EXERCISE 6.2  Assign and Implement an IAM Policy

EXERCISE 6.3  Create, Use, and Delete an AWS Access Key

EXERCISE 6.4  Create and Configure an IAM Group

EXERCISE 7.1  Create a Trail

EXERCISE 7.2  Create a Graph Using Metric Math

EXERCISE 7.3  Deliver CloudTrail Logs to CloudWatch Logs

EXERCISE 8.1  Create a Hosted Zone on Route 53 for an EC2 Web Server

EXERCISE 8.2  Set Up a Health Check

EXERCISE 8.3  Configure a Route 53 Routing Policy

EXERCISE 8.4  Create a CloudFront Distribution for Your S3‐Based Static Website

EXERCISE 10.1  Create a Launch Template

EXERCISE 11.1  Configure and Launch an Application Using Auto Scaling

EXERCISE 11.2  Sync Two S3 Buckets as Cross‐Region Replicas

EXERCISE 11.3  Upload to an S3 Bucket Using Transfer Acceleration

EXERCISE 11.4  Create and Deploy an EC2 Load Balancer

EXERCISE 11.5  Launch a Simple CloudFormation Template

EXERCISE 11.6  Create a CloudWatch Dashboard

EXERCISE 12.1  Create a Limited Administrative User

EXERCISE 12.2  Create and Assume a Role as an IAM User

EXERCISE 12.3  Configure VPC Flow Logging

EXERCISE 12.4  Encrypt an EBS Volume

EXERCISE 13.1  Create an AWS Budget to Send an Alert

EXERCISE 13.2  Build Your Own Stack in Simple Monthly Calculator

EXERCISE 13.3  Request a Spot Fleet Using the AWS CLI

EXERCISE 14.1  Create a Nested Stack

EXERCISE 14.2  Create and Interact with a CodeCommit Repository

Introduction

Studying for any certification always involves deciding how much of your studying should be practical hands‐on experience and how much should be simply memorizing facts and figures. Between the two of us, we've taken dozens of IT certification exams, so we know how important it is to use your study time wisely. We've designed this book to help you discover your strengths and weaknesses on the AWS platform so that you can focus your efforts properly. Whether you've been working with AWS for a long time or whether you're relatively new to it, we encourage you to carefully read this book from cover to cover.

Passing the AWS Certified Solutions Architect – Associate exam requires understanding the components and operation of the core AWS services as well as how those services interact with each other. Read through the official documentation for the various AWS services. Amazon offers HTML, PDF, and Kindle documentation for many of them. Use this book as a guide to help you identify your strengths and weaknesses so that you can focus your study efforts properly.

You should have at least six months of hands‐on experience with AWS before taking the AWS Certified Solutions Architect – Associate exam. If you're relatively new to AWS, we strongly recommend our own AWS Certified Cloud Practitioner Study Guide: CLF‐C01 Exam (Sybex, 2019) as a primer.

Even though this book is designed specifically for the AWS Certified Solutions Architect – Associate exam, some of your fellow readers have found it useful for preparing for the SysOps Administrator and DevOps Engineer exams.

Hands‐on experience is crucial for exam success. Each chapter in this AWS Certified Solutions Architect Study Guide: Associate SAA‐C02 Exam, Third Edition contains hands‐on exercises that you should strive to complete during or immediately after you read the chapter. It's vital to understand that the exercises don't cover every possible scenario for every AWS service. In fact, it's quite the opposite. The exercises provide you with a foundation to build on. Use them as your starting point, but don't be afraid to venture out on your own. Feel free to modify them to match the variables and scenarios you might encounter in your own organization. Keep in mind that some of the exercises and figures use the AWS web console, which is in constant flux. As such, screenshots and step‐by‐step details of exercises may change. Use these eventualities as excuses to dig into the AWS online documentation and browse around the web console on your own. Also remember that although you can complete many of the exercises within the bounds of the AWS Free Tier, getting enough practice to pass the exam will likely require you to spend some money. But it's money well spent, as getting certified is an investment in your career and your future.

Each chapter contains review questions to thoroughly test your understanding of the services and concepts covered in that chapter. They also test your ability to integrate the concepts with information from preceding chapters. Although the difficulty of the questions varies, rest assured that they are not “fluff.” We've designed the questions to help you realistically gauge your understanding and readiness for the exam. Avoid the temptation to rush through the questions to just get to the answers. Once you complete the assessment in each chapter, referring to the answer key will give you not only the correct answers but a detailed explanation as to why they're correct. It will also explain why the other answers are incorrect.

The book also contains a self‐assessment exam with 39 questions, two practice exams with 50 questions each to help you gauge your readiness to take the exam, and flashcards to help you learn and retain key facts needed to prepare for the exam.

This AWS Certified Solutions Architect Study Guide: Associate SAA‐C02 Exam, Third Edition is divided into two parts: “The Core AWS Services” and “The Well‐Architected Framework.”

Part I, “The Core AWS Services”

The first part of the book dives deep into each of the core AWS services. These services include ones you probably already have at least a passing familiarity with: Elastic Compute Cloud (EC2), Virtual Private Cloud (VPC), Identity and Access Management (IAM), Route 53, and Simple Storage Service (S3), to name just a few.

Some AWS services seem to serve similar or even nearly identical purposes. You'll learn about the subtle but important differences between seemingly similar services and, most importantly, when to use each.

Part II, “The Well‐Architected Framework”

The second part of the book is a set of best practices and principles aimed at helping you design, implement, and operate systems in the cloud. Part II focuses on the following five pillars of good design:

Reliability

Performance efficiency

Security

Cost optimization

Operational excellence

Each chapter of Part II revisits the core AWS services in light of a different pillar. Also, because not every AWS service is large enough to warrant its own chapter, Part II simultaneously introduces other services that, although less well known, may still show up on the exam.

Achieving the right balance among these pillars is a key skill you need to develop as a solutions architect. Prior to beginning Part II, we encourage you to peruse the Well‐Architected Framework white paper, which is available for download at d0.awsstatic.com/whitepapers/architecture/AWS_Well-Architected_Framework.pdf.

What Does This Book Cover?

This book covers topics you need to know to prepare for the Amazon Web Services (AWS) Certified Solutions Architect – Associate exam:

Chapter 1: Introduction to Cloud Computing and AWS

  This chapter provides an overview of the AWS Cloud computing platform and its core services and concepts.

Chapter 2: Amazon Elastic Compute Cloud and Amazon Elastic Block Store

  This chapter covers EC2 instances—the virtual machines that you can use to run Linux and Windows workloads on AWS. It also covers the Elastic Block Store service that EC2 instances depend on for persistent data storage.

Chapter 3: AWS Storage

  In this chapter, you'll learn about Simple Storage Service (S3) and Glacier, which provide unlimited data storage and retrieval for AWS services, your applications, and the Internet.

Chapter 4: Amazon Virtual Private Cloud

  This chapter explains Amazon Virtual Private Cloud (Amazon VPC), a virtual network that contains network resources for AWS services.

Chapter 5: Database Services

  In this chapter, you will learn about some different managed database services offered by AWS, including Relational Database Service (RDS), DynamoDB, and Redshift.

Chapter 6: Authentication and Authorization—AWS Identity and Access Management

  This chapter covers AWS Identity and Access Management (IAM), which provides the primary means for protecting the AWS resources in your account.

Chapter 7: CloudTrail, CloudWatch, and AWS Config

  In this chapter, you'll learn how to log, monitor, and audit your AWS resources.

Chapter 8: The Domain Name System and Network Routing: Amazon Route 53 and Amazon CloudFront

  This chapter focuses on the Domain Name System (DNS) and Route 53, the service that provides public and private DNS hosting for both internal AWS resources and the Internet. It also covers CloudFront, Amazon's global content delivery network.

Chapter 9: Simple Queue Service and Kinesis

  This chapter explains how to use the principle of loose coupling to create scalable and highly available applications. You'll learn how Simple Queue Service (SQS) and Kinesis fit into the picture.

Chapter 10: The Reliability Pillar

  This chapter will show you how to architect and integrate AWS services to achieve a high level of reliability for your applications. You'll learn how to plan around and recover from inevitable outages to keep your systems up and running.

Chapter 11: The Performance Efficiency Pillar

  This chapter covers how to build highly performing systems and use the AWS elastic infrastructure to rapidly scale up and out to meet peak demand.

Chapter 12: The Security Pillar

  In this chapter, you'll learn how to use encryption and security controls to protect the confidentiality, integrity, and availability of your data and systems on AWS. You'll also learn about the various security services such as GuardDuty, Inspector, Shield, and Web Application Firewall.

Chapter 13: The Cost Optimization Pillar

  This chapter will show you how to estimate and control your costs in the cloud.

Chapter 14: The Operational Excellence Pillar

  In this chapter, you'll learn how to keep your systems running smoothly on AWS. You'll learn how to implement a DevOps mind‐set using CloudFormation, Systems Manager, and the AWS Developer Tools.

Interactive Online Learning Environment and Test Bank

The authors have worked hard to provide some really great tools to help you with your certification process. The interactive online learning environment that accompanies the AWS Certified Solutions Architect Study Guide: Associate SAA‐C02 Exam, Third Edition provides a test bank with study tools to help you prepare for the certification exam—and increase your chances of passing it the first time! The test bank includes the following:

Sample Tests

  All the questions in this book are provided, including the assessment test at the end of this Introduction and the chapter tests that include the review questions at the end of each chapter. In addition, there are two practice exams with 50 questions each. Use these questions to test your knowledge of the study guide material. The online test bank runs on multiple devices.

Flashcards

  The online test bank includes 100 flashcards specifically written to hit you hard, so don't get discouraged if you don't ace your way through them at first. They're there to ensure that you're really ready for the exam. And no worries—armed with the review questions, practice exams, and flashcards, you'll be more than prepared when exam day comes. Questions are provided in digital flashcard format (a question followed by a single correct answer). You can use the flashcards to reinforce your learning and provide last‐minute test prep before the exam.

Resources

  You'll find some AWS CLI and other code examples from the book for you to cut and paste for use in your own environment. A glossary of key terms from this book is also available as a fully searchable PDF.

Go to wiley.com/go/sybextestprep to register and gain access to this interactive online learning environment and test bank with study tools.

Exam Objectives

The AWS Certified Solutions Architect – Associate exam is intended for people who have experience in designing distributed applications and systems on the AWS platform. In general, you should have the following before taking the exam:

A minimum of one year of hands‐on experience designing systems on AWS

Hands‐on experience using the AWS services that provide compute, networking, storage, and databases

Ability to define a solution using architectural design principles based on customer requirements

Ability to provide implementation guidance

Ability to identify which AWS services meet a given technical requirement

An understanding of the five pillars of the Well‐Architected Framework

An understanding of the AWS global infrastructure, including the network technologies used to connect its components

An understanding of AWS security services and how they integrate with traditional on‐premises security infrastructure

The exam covers five different domains, with each domain broken down into objectives.

Objective Map

The following table lists each domain and its weighting in the exam, along with the chapters in the book where that domain's objectives are covered.

Domain 1: Design Resilient Architectures (30% of exam)
  1.1 Design a multi‐tier architecture solution: Chapters 2, 3, 5, 8, 9, 10, 11
  1.2 Design highly available and/or fault‐tolerant architectures: Chapters 2, 3, 5, 7, 8, 9, 10, 11, 14
  1.3 Design decoupling mechanisms using AWS services: Chapters 4, 5, 9, 10, 11, 14
  1.4 Choose appropriate resilient storage: Chapters 2, 3, 5, 9, 10, 11

Domain 2: Design High‐Performing Architectures (28% of exam)
  2.1 Identify elastic and scalable compute solutions for a workload: Chapters 2, 3, 5, 7, 8, 9, 11
  2.2 Select high‐performing and scalable storage solutions for a workload: Chapters 2, 3, 9, 11
  2.3 Select high‐performing networking solutions for a workload: Chapters 5, 8, 9, 11
  2.4 Choose high‐performing database solutions for a workload: Chapters 5, 11

Domain 3: Design Secure Applications and Architectures (24% of exam)
  3.1 Design secure access to AWS resources: Chapters 2, 3, 4, 6, 7, 12
  3.2 Design secure application tiers: Chapters 3, 6, 12
  3.3 Select appropriate data security options: Chapters 3, 4, 6, 7, 12

Domain 4: Design Cost‐Optimized Architectures (18% of exam)
  4.1 Identify cost‐effective storage solutions: Chapters 2, 3, 13
  4.2 Identify cost‐effective compute and database services: Chapters 2, 13
  4.3 Design cost‐optimized network architectures: Chapters 8, 13

Assessment Test

1. True/false: The Developer Support plan provides access to a support application programming interface (API).
  A. True
  B. False

2. True/false: AWS is responsible for managing the network configuration of your EC2 instances.
  A. True
  B. False

3. Which of the following services is most useful for decoupling the components of a monolithic application?
  A. SNS
  B. KMS
  C. SQS
  D. Glacier

4. An application you want to run on EC2 requires you to license it based on the number of physical CPU sockets and cores on the hardware you plan to run the application on. Which of the following tenancy models should you specify?
  A. Dedicated host
  B. Dedicated instance
  C. Shared tenancy
  D. Bring your own license

5. True/false: Changing the instance type of an EC2 instance will change its elastic IP address.
  A. True
  B. False

6. True/false: You can use a Quick Start Amazon Machine Image (AMI) to create any instance type.
  A. True
  B. False

7. Which S3 encryption option does not require AWS persistently storing the encryption keys it uses to decrypt data?
  A. Client‐side encryption
  B. SSE‐KMS
  C. SSE‐S3
  D. SSE‐C

8. True/false: Durability measures the percentage of likelihood that a given object will not be inadvertently lost by AWS over the course of a year.
  A. True
  B. False

9. True/false: After uploading a new object to S3, there will be a slight delay (one to two seconds) before the object is available.
  A. True
  B. False

10. You created a Virtual Private Cloud (VPC) using the Classless Inter‐Domain Routing (CIDR) block 10.0.0.0/24. You need to connect to this VPC from your internal network, but the IP addresses in use on your internal network overlap with the CIDR. Which of the following is a valid way to address this problem?
  A. Remove the CIDR and use IPv6 instead.
  B. Change the VPC's CIDR.
  C. Create a new VPC with a different CIDR.
  D. Create a secondary CIDR for the VPC.

11. True/false: An EC2 instance must be in a public subnet to access the Internet.
  A. True
  B. False

12. True/false: The route table for a public subnet must have a default route pointing to an Internet gateway as a target.
  A. True
  B. False

13. Which of the following use cases is well suited for DynamoDB?
  A. Running a MongoDB database on AWS
  B. Storing large binary files exceeding 1 GB in size
  C. Storing JSON documents that have a consistent structure
  D. Storing image assets for a website

14. True/false: You can create a DynamoDB global secondary index for an existing table at any time.
  A. True
  B. False

15. True/false: Enabling point‐in‐time RDS snapshots is sufficient to give you a recovery point objective (RPO) of less than 10 minutes.
  A. True
  B. False

16. Which of the following steps does the most to protect your AWS account?
  A. Deleting unused Identity and Access Management (IAM) policies
  B. Revoking unnecessary access for IAM users
  C. Rotating root access keys
  D. Restricting access to S3 buckets
  E. Rotating Secure Shell (SSH) key pairs

17. Which of the following can be used to encrypt the operating system of an EC2 instance?
  A. AWS Secrets Manager
  B. CloudHSM
  C. AWS Key Management Service (KMS)
  D. AWS Security Token Service (STS)

18. What is a difference between a token generated by the AWS Security Token Service (STS) and an IAM access key?
  A. The token generated by STS can't be used by an IAM principal.
  B. An IAM access key is unique.
  C. The token generated by STS can be used only once.
  D. The token generated by STS expires.

19. True/false: EC2 sends instance memory utilization metrics to CloudWatch every five minutes.
  A. True
  B. False

20. You configured a CloudWatch alarm to monitor CPU utilization for an EC2 instance. The alarm began in the INSUFFICIENT_DATA state and then entered the ALARM state. What can you conclude from this?
  A. The instance recently rebooted.
  B. CPU utilization is too high.
  C. The CPU utilization metric crossed the alarm threshold.
  D. The instance is stopped.

21. Where do AWS Config and CloudTrail store their logs?
  A. S3 buckets
  B. CloudWatch Logs
  C. CloudTrail Events
  D. DynamoDB
  E. Amazon Athena

22. True/false: An EC2 instance in a private subnet can resolve an “A” resource record for a public hosted zone hosted in Route 53.
  A. True
  B. False

23. You want to use Route 53 to send users to the application load balancer closest to them. Which of the following routing policies lets you do this with the least effort?
  A. Latency routing
  B. Geolocation routing
  C. Geoproximity routing
  D. Edge routing

24. True/false: You can use an existing domain name with Route 53 without switching its registration to AWS.
  A. True
  B. False

25. You're designing an application that takes multiple image files and combines them into a video file that users on the Internet can download. Which of the following can help you quickly implement your application in the fastest, most highly available, and most cost‐effective manner?
  A. EC2 spot fleet
  B. Lambda
  C. Relational Database Service (RDS)
  D. Auto Scaling

26. You're using EC2 Auto Scaling and want to implement a scaling policy that adds one extra instance only when the average CPU utilization of each instance exceeds 90 percent. However, you don't want it to add more than one instance every five minutes. Which of the following scaling policies should you use?
  A. Simple
  B. Step
  C. Target tracking
  D. PercentChangeInCapacity

27. True/false: EC2 Auto Scaling automatically replaces group instances directly terminated by the root user.
  A. True
  B. False

28. Which ElastiCache engine can persistently store data?
  A. MySQL
  B. Memcached
  C. MongoDB
  D. Redis

29. Which of the following is not an AWS service?
  A. CloudFormation
  B. Puppet
  C. OpsWorks
  D. Snowball

30. True/false: S3 cross‐region replication uses transfer acceleration.
  A. True
  B. False

31. Which of the following services can you deactivate on your account?
  A. Security Token Service (STS)
  B. CloudWatch
  C. Virtual Private Cloud (VPC)
  D. Lambda

32. Which of the following services can alert you to malware on an EC2 instance?
  A. AWS GuardDuty
  B. AWS Inspector
  C. AWS Shield
  D. AWS Web Application Firewall

33. True/false: If versioning is enabled on an S3 bucket, applying encryption to an unencrypted object in that bucket will create a new, encrypted version of that object.
  A. True
  B. False

34. Which instance type will, if left running, continue to incur costs?
  A. Spot
  B. Standard reserved
  C. On‐demand
  D. Convertible reserved

35. True/false: The EBS Lifecycle Manager can take snapshots of volumes that were once attached to terminated instances.
  A. True
  B. False

36. Which of the following lets you spin up new web servers the quickest?
  A. Lambda
  B. Auto Scaling
  C. Elastic Container Service
  D. CloudFront

37. True/false: CloudFormation stack names are case‐sensitive.
  A. True
  B. False

38. Where might CodeDeploy look for the appspec.yml file? (Choose two.)
  A. GitHub
  B. CodeCommit
  C. S3
  D. CloudFormation

39. True/false: You can use either CodeDeploy or an AWS Systems Manager command document to deploy a Lambda application.
  A. True
  B. False

Answers to Assessment Test

1. B. The Business plan offers access to a support API, but the Developer plan does not. See Chapter 1 for more information.

2. B. Customers are responsible for managing the network configuration of EC2 instances. AWS is responsible for the physical network infrastructure. See Chapter 1 for more information.

3. C. Simple Queue Service (SQS) allows for event‐driven messaging within distributed systems that can decouple while coordinating the discrete steps of a larger process. See Chapter 1 for more information.

4. A. The dedicated host option lets you see the number of physical CPU sockets and cores on a host. See Chapter 2 for more information.

5. B. An elastic IP address will not change. A public IP address attached to an instance will change if the instance is stopped, as would happen when changing the instance type. See Chapter 2 for more information.

6. A. A Quick Start AMI is independent of the instance type. See Chapter 2 for more information.

7. D. With SSE‐C you provide your own keys for Amazon to use to decrypt and encrypt your data. AWS doesn't persistently store the keys. See Chapter 3 for more information.

8. A. Durability corresponds to an average annual expected loss of objects stored on S3, not including objects you delete. Availability measures the amount of time S3 will be available to let you retrieve those objects. See Chapter 3 for more information.

9. B. S3 uses a read‐after‐write consistency model for new objects, so once you upload an object to S3, it's immediately available. See Chapter 3 for more information.

10. C. You can't change the primary CIDR for a VPC, so you must create a new one to connect it to your internal network. See Chapter 4 for more information.

11. B. An EC2 instance can access the Internet from a private subnet provided it uses a NAT gateway or NAT instance. See Chapter 4 for more information.

12. A. The definition of a public subnet is a subnet that has a default route pointing to an Internet gateway as a target. Otherwise, it's a private subnet. See Chapter 4 for more information.

13. C. DynamoDB is a key‐value store that can be used to store items up to 400 KB in size. See Chapter 5 for more information.

14. A. You can create a global secondary index for an existing table at any time. You can create a local secondary index only when you create the table. See Chapter 5 for more information.

15. A. Enabling point‐in‐time recovery gives you an RPO of about five minutes. The recovery time objective (RTO) depends on the amount of data to restore. See Chapter 5 for more information.

16. B. Revoking unnecessary access for IAM users is the most effective of the listed measures for protecting your AWS account. See Chapter 6 for more information.

17. C. KMS can be used to encrypt Elastic Block Store (EBS) volumes that store an instance's operating system. See Chapter 6 for more information.

18. D. STS tokens expire and IAM access keys do not. An STS token can be used more than once. IAM access keys and STS tokens are both unique. An IAM principal can use an STS token. See Chapter 6 for more information.

19. B. EC2 doesn't track instance memory utilization. See Chapter 7 for more information.

20. C. The transition to the ALARM state simply implies that the metric crossed a threshold but doesn't tell you what the threshold is. Newly created alarms start out in the INSUFFICIENT_DATA state. See Chapter 7 for more information.

21. A. Both store their logs in S3 buckets. See Chapter 7 for more information.

22. A. An EC2 instance in a private subnet still has access to Amazon's private DNS servers, which can resolve records stored in public hosted zones. See Chapter 8 for more information.

23. C. Geoproximity routing routes users to the location closest to them. Geolocation routing requires you to create records for specific locations or create a default record. See Chapter 8 for more information.

24. A. Route 53 is a true DNS service in that it can host zones for any domain name. You can also register domain names with or transfer them to Route 53. See Chapter 8 for more information.

25. B. Lambda is a highly available, reliable, “serverless” compute platform that runs functions as needed and scales elastically to meet demand. EC2 spot instances can be shut down on short notice. See Chapter 10 for more information.

26. A. A simple scaling policy changes the group size and then has a cooldown period before doing so again. Step scaling policies don't have cooldown periods. Target tracking policies attempt to keep a metric at a set value. PercentChangeInCapacity is a simple scaling adjustment type, not a scaling policy. See Chapter 10 for more information.

27. A. Auto Scaling always attempts to maintain the minimum group size or, if set, the desired capacity. See Chapter 10 for more information.

28. D. ElastiCache supports Memcached and Redis, but only the latter can store data persistently. See Chapter 11 for more information.

29. B. Puppet is a configuration management platform that AWS offers via OpsWorks but is not itself an AWS service. See Chapter 11 for more information.

30. B. S3 cross‐region replication transfers objects between different buckets. Transfer acceleration uses a CloudFront edge location to speed up transfers between S3 and the Internet. See Chapter 11 for more information.

31. A. You can deactivate STS for all regions except US East. See Chapter 12 for more information.

32. A. GuardDuty looks for potentially malicious activity. Inspector looks for vulnerabilities that may result in compromise. Shield and Web Application Firewall protect applications from attack. See Chapter 12 for more information.

33. A. Applying encryption to an unencrypted object will create a new, encrypted version of that object. Previous versions remain unencrypted. See Chapter 12 for more information.

34. C. On‐demand instances will continue to run and incur costs. Reserved instances cost the same whether they're running or stopped. Spot instances will be terminated when the spot price exceeds your bid price. See Chapter 13 for more information.

35. A. The EBS Lifecycle Manager can take scheduled snapshots of any EBS volume, regardless of attachment state. See Chapter 13 for more information.

36. C. Elastic Container Service lets you run containers that can launch in a matter of seconds. EC2 instances take longer. Lambda is “serverless,” so you can't use it to run a web server. CloudFront provides caching but isn't a web server. See Chapter 13 for more information.

37. A. Almost everything in CloudFormation is case sensitive. See Chapter 14 for more information.

38. A, C. CodeDeploy looks for the appspec.yml file with the application files it is to deploy, which can be stored in S3 or on GitHub. See Chapter 14 for more information.

39. B. You can use CodeDeploy to deploy an application to Lambda or EC2 instances. But an AWS Systems Manager command document works only on EC2 instances. See Chapter 14 for more information.

PART I: The Core AWS Services

Chapter 1: Introduction to Cloud Computing and AWS

The cloud is where much of the serious technology innovation and growth happens these days, and Amazon Web Services (AWS), more than any other, is the platform of choice for business and institutional workloads. If you want to be successful as an AWS solutions architect, you'll first need to understand what the cloud really is and how Amazon's end of it works.

TO MAKE SURE YOU'VE GOT THE BIG PICTURE, THIS CHAPTER WILL EXPLORE THE BASICS:

What makes cloud computing different from other applications and client‐server models

How the AWS platform provides secure and flexible virtual networked environments for your resources

How AWS provides such a high level of service reliability

How to access and manage your AWS‐based resources

Where you can go for documentation and help with your AWS deployments

Cloud Computing and Virtualization

The technology that lies at the core of all cloud operations is virtualization. As illustrated in Figure 1.1, virtualization lets you divide the hardware resources of a single physical server into smaller units. That physical server could therefore host multiple virtual machines (VMs) running their own complete operating systems, each with its own memory, storage, and network access.

FIGURE 1.1 A virtual machine host

Virtualization's flexibility makes it possible to provision a virtual server in a matter of seconds, run it for exactly the time your project requires, and then shut it down. The resources released will become instantly available to other workloads. The usage density you can achieve lets you squeeze the greatest value from your hardware and makes it easy to generate experimental and sandboxed environments.

Cloud Computing Architecture

Major cloud providers like AWS have enormous server farms where hundreds of thousands of servers and disk drives are maintained along with the network cabling necessary to connect them. A well‐built virtualized environment could provide a virtual server using storage, memory, compute cycles, and network bandwidth collected from the most efficient mix of available sources it can find.

A cloud computing platform offers on‐demand, self‐service access to pooled compute resources where your usage is metered and billed according to the volume you consume. Cloud computing systems allow for precise billing models, sometimes involving fractions of a penny for an hour of consumption.

Cloud Computing Optimization

The cloud is a great choice for so many serious workloads because it's scalable, elastic, and, often, a lot cheaper than traditional alternatives. Effective deployment provisioning will require some insight into those three features.

Scalability

A scalable infrastructure can efficiently meet unexpected increases in demand for your application by automatically adding resources. As Figure 1.2 shows, this most often means dynamically increasing the number of virtual machines (or instances as AWS calls them) you've got running.

FIGURE 1.2 Copies of a machine image are added to new VMs as they're launched.

AWS offers its autoscaling service through which you define a machine image that can be instantly and automatically replicated and launched into multiple instances to meet demand.

Elasticity

The principle of elasticity covers some of the same ground as scalability—both address how the system manages changing demand. However, though the images used in a scalable environment let you ramp up capacity to meet rising demand, an elastic infrastructure will automatically reduce capacity when demand drops. This makes it possible to control costs, since you'll run resources only when they're needed.

Cost Management

Besides the ability to control expenses by closely managing the resources you use, cloud computing transitions your IT spending from a capital expenditure (capex) framework into something closer to operational expenditure (opex).

In practical terms, this means you no longer have to spend $10,000 up front for every new server you deploy—along with associated electricity, cooling, security, and rack space costs. Instead, you're billed much smaller incremental amounts for as long as your application runs.

That doesn't necessarily mean your long‐term cloud‐based opex costs will always be less than you'd pay over the lifetime of a comparable data center deployment. But it does mean you won't have to expose yourself to risky speculation about your long‐term needs. If, sometime in the future, changing demand calls for new hardware, AWS will be able to deliver it within a minute or two.

To help you understand the full implications of cloud compute spending, AWS provides a free Total Cost of Ownership (TCO) Calculator at aws.amazon.com/tco-calculator. This calculator helps you perform proper “apples‐to‐apples” comparisons between your current data center costs and what an identical operation would cost you on AWS.

The AWS Cloud

Keeping up with the steady stream of new services showing up on the AWS Console can be frustrating. But as a solutions architect, your main focus should be on the core service categories. This section briefly summarizes each of the core categories (as shown in Table 1.1) and then does the same for key individual services. You'll learn much more about all of these (and more) services through the rest of the book, but it's worth focusing on these short definitions, because they lie at the foundation of everything else you're going to learn.

TABLE 1.1 AWS service categories

Compute: Services replicating the traditional role of local physical servers for the cloud, offering advanced configurations including autoscaling, load balancing, and even serverless architectures (a method for delivering server functionality with a very small footprint)

Networking: Application connectivity, access control, and enhanced remote connections

Storage: Various kinds of storage platforms designed to fit a range of both immediate accessibility and long‐term backup needs

Database: Managed data solutions for use cases requiring multiple data formats: relational, NoSQL, or caching

Application management: Monitoring, auditing, and configuring AWS account services and running resources

Security and identity: Services for managing authentication and authorization, data and connection encryption, and integration with third‐party authentication management systems

Table 1.2 describes the functions of some core AWS services, organized by category.

TABLE 1.2 Core AWS services (by category)

Compute

  Elastic Compute Cloud (EC2): EC2 server instances provide virtual versions of the servers you would run in your local data center. EC2 instances can be provisioned with the CPU, memory, storage, and network interface profile to meet any application need, from a simple web server to one part of a cluster of instances providing an integrated multi‐tiered fleet architecture. Since EC2 instances are virtual, they're resource‐efficient and deploy nearly instantly.

  Lambda: Serverless application architectures like the one provided by Amazon's Lambda service allow you to provide responsive public‐facing services without the need for a server that's actually running 24/7. Instead, network events (like consumer requests) can trigger the execution of a predefined code‐based operation. When the operation (which can currently run for as long as 15 minutes) is complete, the Lambda event ends, and all resources automatically shut down.

  Auto Scaling: Copies of running EC2 instances can be defined as image templates and automatically launched (or scaled up) when client demand can't be met by existing instances. As demand drops, unused instances can be terminated (or scaled down).

  Elastic Load Balancing: Incoming network traffic can be directed between multiple web servers to ensure that a single web server isn't overwhelmed while other servers are underused or that traffic isn't directed to failed servers.

  Elastic Beanstalk: Beanstalk is a managed service that abstracts the provisioning of AWS compute and networking infrastructure. You are required to do nothing more than push your application code, and Beanstalk automatically launches and manages all the necessary services in the background.

Networking

  Virtual Private Cloud (VPC): VPCs are highly configurable networking environments designed to host your EC2 (and RDS) instances. You use VPC‐based tools to secure and, if desired, isolate your instances by closely controlling inbound and outbound network access.

  Direct Connect: By purchasing fast and secure network connections to AWS through a third‐party provider, you can use Direct Connect to establish an enhanced direct tunnel between your local data center or office and your AWS‐based VPCs.

  Route 53: Route 53 is the AWS DNS service that lets you manage domain registration, record administration, routing protocols, and health checks, which are all fully integrated with the rest of your AWS resources.

  CloudFront: CloudFront is Amazon's distributed global content delivery network (CDN). When properly configured, a CloudFront distribution can store cached versions of your site's content at edge locations around the world so that they can be delivered to customers on request with the greatest efficiency and lowest latency.

Storage

  Simple Storage Service (S3): S3 offers highly versatile, reliable, and inexpensive object storage that's great for data storage and backups. It's also commonly used as part of larger AWS production processes, including through the storage of script, template, and log files.

  S3 Glacier: A good choice for when you need large data archives stored cheaply over the long term and can live with retrieval delays measuring in the hours. Glacier's lifecycle management is closely integrated with S3.

  Elastic Block Store (EBS): EBS provides the persistent virtual storage drives that host the operating systems and working data of an EC2 instance. They're meant to mimic the function of the storage drives and partitions attached to physical servers.

  Storage Gateway: Storage Gateway is a hybrid storage system that exposes AWS cloud storage as a local, on‐premises appliance. Storage Gateway can be a great tool for migration and data backup and as part of disaster recovery operations.

Database

  Relational Database Service (RDS): RDS is a managed service that builds you a stable, secure, and reliable database instance. You can run a variety of SQL database engines on RDS, including MySQL, Microsoft SQL Server, Oracle, and Amazon's own Aurora.

  DynamoDB: DynamoDB can be used for fast, flexible, highly scalable, and managed nonrelational (NoSQL) database workloads.

Application management

  CloudWatch: CloudWatch can be set to monitor process performance and resource utilization and, when preset thresholds are met, either send you a message or trigger an automated response.

  CloudFormation: This service enables you to use template files to define full and complex AWS deployments. The ability to script your use of any AWS resources makes it easier to automate, standardizing and speeding up the application launch process.

  CloudTrail: CloudTrail collects records of all your account's API events. This history is useful for account auditing and troubleshooting purposes.

  Config: The Config service is designed to help you with change management and compliance for your AWS account. You first define a desired configuration state, and Config evaluates any future states against that ideal. When a configuration change pushes too far from the ideal baseline, you'll be notified.

Security and identity

  Identity and Access Management (IAM): You use IAM to administrate user and programmatic access and authentication to your AWS account. Through the use of users, groups, roles, and policies, you can control exactly who and what can access and/or work with any of your AWS resources.

  Key Management Service (KMS): KMS is a managed service that allows you to administrate the creation and use of encryption keys to secure data used by and for any of your AWS resources.

  Directory Service: For AWS environments that need to manage identities and relationships, Directory Service can integrate AWS resources with identity providers like Amazon Cognito and Microsoft AD domains.

Application integration

  Simple Notification Service (SNS)