AWS Certified Solutions Architect Associate

Table of content

Table of content
About the exam
Learning resources
Active learning
Fundamentals
- Cloud Environment
- AWS Fundamentals
Identity & Governance
- Accounts
- IAM
- Cognito
ACM (AWS Certificate Manager)
- Policies
Networking
Compute
- RDS
  - RDS Backup & Restore
  - Data Security
- EC2
  - Auto Scaling Groups
ECS
- Lambda
Storage
Integration
- API Gateway
- SNS
- SQS
- Kinesis
KMS (Key Management Service)
Cloud Formation
CloudWatch & Observability
Tips
- Tip #1
- Tip #2
- Tip #3

About the exam

https://aws.amazon.com/certification/certified-solutions-architect-associate/

Learning resources

Main resource: https://learn.cantrill.io/p/aws-certified-solutions-architect-associate-saa-c02

Practice exams (dojo): https://portal.tutorialsdojo.com/product/aws-certified-solutions-architect-associate-practice-exams/

Active learning

Basic questions for active learning. Start the session by answering all the questions and mark the answers with emojis depending on the result (see the table below).

Bolded items are either important to understand or there is high likelihood that they will appear on the exam.

Answer Status	Description
👍	You've answered correctly first time, skip repetition for the next session
✋	You've answered the question only partially right, include the question in the next session
👎	You've answered the question wrong and had to lookup the answer. Start from those questions in the next session

You can easily add emojis to markdown by typing :emojiname:

thumbs up: :+1:
thumbs down: :-1:
hand: :hand:

Easiest way to to learn yourself is to:

clone this repository
make a copy of this file
use this regex expression to select and remove (replace with empty) all the <details> tags (they contain the answers to the questions) <(details)>(.|\n)*?</details>, remember to toggle "use regular expressions" in the search box if you are using VS Code. If you are using vim/nvim use this command instead :g/<details>/,/<\/details>/d _
save the file as a learning session, grade yourself for answers
IMPORTANT: lookup in the original file if you don't know the answer at all
leave the files with dates of each learning session and start next session from the ones you didn't know the answers for

Fundamentals

Cloud Environment

On-Demand Self Service
Broad Network Access
Resource Pooling (multi-tenancy)
Rapid elasticity
Measured Service (pay as you go)

AWS Fundamentals

What is the difference between public and private services?
Describe different types of high availability (regional, zonal, etc)

Identity & Governance

Accounts

An account is a container, what it can contain?
click to see the answer
- identities (users)
- resources
What is required to create AWS account?
click to see the answer
- email
- payment method
How are resources grouped?
Details
click to see the answer
Into accounts
Can the same email address be used with multiple accounts?
Details
click to see the answer
No
Can account root user login into multiple accounts?
Details
click to see the answer
No
What are called the things that you can create inside of the account?
click to see the answer
- Users
- Groups
- Roles
What is the default access mode for an account for external actors?
Details
click to see the answer
Only identies created inside an account can be granted access to the resources in this account. Cross-permissions are possible with IAM roles
What set of permissons does new IAM Identity starts with?
Details
click to see the answer
None, every new identity starts with zero permissions until granted.
What are the 3 alarm states?
click to see the answer
- OK
- ALARM
- INSUFFICIENT DATA

IAM

How/where to allow IAM user access to billing information?
How is IAM resilient?
What identity objects IAM let us create?
click to see the answer
- user
- group
- role
Does users type represents only human users?
What is the necessary condition for a policy to have an effect?
Is IAM authentication service as well as identity management and authorization?
How much does IAM cost?
Why IAM account aliases must be globally uniq?
How many access keys can IAM user have?
What variable to setup for the aws cli to designate a default profile?
click to see the answer
export AWS_DEFAULT_PROFILE=
Can external identiy be used to access AWS resources?
When to use IAM Role?
When does principal became authenticated identity?
How can you login into an IAM group?

click to see the answer
No, IAM groups are for helping with organizing IAM user access to AWS resources.
Can IAM groups be nested?
Can IAM user be a member of more than one group?
Can you reference an IAM Group from a resource policy?
What are the two types of authentication for IAM?

click to see the answer
Username/password or Access Keys
What does ARN stand for?
What is the ARN structure?

click to see the answer
arn:partition:service:region:account-id:resource-type:resource-id
How many IAM users can be created in an account?

click to see the answer
5000
How many IAM groups can a user be a member of?

click to see the answer
10
What does SCP stand for

click to see the answer
Service Control Policies
How do you call a nested grouping within an organization?

click to see the answer
Organization Units
Is the root "management" account of an organization affected by SCP?

click to see the answer
No
What is the main role of an SCP?

click to see the answer
To limit what an account can do. Only Deny.
Can you attach an identity policy to someone's else account?

click to see the answer
No
What is more preferable, Roles or IAM User?

click to see the answer
Always prefer IAM roles if possible.

Cognito

What functionality does cognito provide?
click to see the answer
For web applications. This looks a bit like Okta/Auth0
- Authentication
- Authorization
- User management
What are identity pools?
Can the JWT tokens be used to access AWS resources?

click to see the answer
No

ACM (AWS Certificate Manager)

What is origin access identit?
Can/Should you reuse one OAI?

TODO: pick up here

Policies

What are 2 main types of policies?

click to see the answer
Inline, Managed
When to use inline policy?

click to see the answer
For exceptions to the managed policy.

Networking

Networking Fundamentals

How many layers are there in OSI model? 👍
What groups are OSI layers divided into? 👍
Does the device on a higher layer include the capabilities of the devices in layers below it? Why? 👍
If a network consists of 5 participants and a HUB, when participant 1 broadcasts a signal, how many participants will receive it? 👍
In a network with a HUB, what happens when participants transmit a broadcast at once? 👍
Describe on a high level frame components 👍
What is a backoff period? 👎
What does MAC stands for? :hand:
What layer switch belongs to?
What layer does router belong to?
What are the two components of an IP address?
How does subnet mask and its prefix indicate which octets describe network?
What does ARP stand for?
What is the high level structure of a TCP packet?
How does TCP ensures packets delivery reliability?
What does NAT do?
What is static NAT?
What is dynamic NAT?
What does PAT stand for?
The larger the CIDR value the .... the network.
Explain briefly what are network classes
click to see the answer
Class A through E, A is the biggest, D, E are reserved. Important note: network classes are replaced by CIDR
- Class A: 10.0.0.0 - 10.255.255.255 - single network
- Class B: 172.16.0.0. - 172.19.255.255 - 16 networks
- Class C: 192.168.0.0 - 192.168.255.0 - 256 networks
Explain what are CIDR networks and how to calculate CIDR
click to see the answer
- /16 networks have fixed value in first and second octet
- To create two networks from 10.0.0.0/16 use 2x 10.0.0.0/17 by halving the third and fourth octets.
What CIDR represents all IP addresses

click to see the answer
0.0.0.0/0
What CIDR represents 1 IP address

click to see the answer
1.2.3.4/32

VPC

How many default VPCs per region/per account are there?

click to see the answer
1
What are the CIDR limits for AWS VPC
click to see the answer
- minimum /28
- maximum /16
Can you launch an AWS service directly into a VPC?

click to see the answer
No, services use subnets to be launched from
What is a good default number or VPCs subnets and why?
click to see the answer
- 4 is a good number because it will cover most of the AZs.
- /16 network subdivided into 16 subnets gives 16 subnets of CIDR size /20 - 4091 IPs per subnet
What is the level of isolation & resiliency for a VPC?

click to see the answer
Regional
What is the default setting for the in and outgoing traffic in a VPC?

click to see the answer
IN and OUT traffic is blocked by default
What are the VPC's tenancy models?
click to see the answer
- Default - shared hardware
- Dedicated tenancy - dedicated hardware
What settings to use to enable DNS hostnames for entities with public IP addresses in a VPC and switch on DNS support?
click to see the answer
- enableDnsHostnames
- enableDnsSupport
What is the subnet resiliency level?

click to see the answer
AZ resilient
Can a subnet be in multiple AZs?

click to see the answer
No
Can the subnet be moved into another AZ?

click to see the answer
No
Can a subnet overlap with other subnets?

click to see the answer
No
Can you use all the available IP addresses in a subnet?
click to see the answer
No, there are 5 that are reserved.
- first address cannot be used
- second address cannot be used (used by VPC router)
- third address cannot be used (used for DNS)
- fourth address cannot be used (reserved)
- last IP address cannot b used (broadcast address)
Are there any charges for creating VPCs and Subnets?

click to see the answer
No
How to get VPC router into your VPC?

click to see the answer
VPC router is a global service available by default in every VPC, so no need to configure anything.
What is the role of VCP Router

click to see the answer
It routes traffic between subnets of a VPC
How many route tables can a subnet have associated with it?

click to see the answer
1
What does the route table control?

click to see the answer
Route table controls the destination of the data leaving the subnet. In can be within a subnet or a gateway address.
What is the resiliency mode of an internet gateway?

click to see the answer
Regionally resilient
How many IGW can a VPC have?

click to see the answer
0 or 1
What happens is a VPC has an IGW?

click to see the answer
This VPC is publicly available.
List actions required to make a subnet public
click to see the answer
1. Create IGW
2. Attach IGW to the VPC
3. Create a custom route table
4. Associate the route table with the VPC
5. Configure default routes in the route table to point to IGW
6. Configure VPC to auto-allocate IPv4 and optionally IPv6 addresses withing the subnet
Where is the public IP of a service (for example EC2) running in a VPC maintained?

click to see the answer
In the IGW, NOT in the VPC where the service is located
What does NACL stand for?

click to see the answer
Network Access Control List. Works similar as Azure security group. Once it matches it stops.
Is Security Group stateless or stateful?

click to see the answer
Stateful. Security group is more like Azure private endpoint.
What is the implicit setting for a security group?

click to see the answer
Implicit deny - everything is denied by default and only things you allow are allowed.
In a security group is traffic and response separate?

click to see the answer
No, a security group is stateful, so traffic and response to it is covered by the same rule.
Why would you use NACL in combination with an SG?

click to see the answer
NACL allows for adding an explicit DENY rule
If the traffic is not crossing the boundary of a subnet, would you use NACL or SG?

click to see the answer
Use SG, NACL has no effect within subnet
What does IP masquerading do?

click to see the answer
Hides whole private CIDR IP block behind a single public IP
What is the resiliency level of a NAT Gateway?

click to see the answer
AZ
Does a NAT Gateway work with IPv6?

click to see the answer
No
What SSH option is used to connect secrely to a Bastion server?

click to see the answer
SSH Agent Forwarding
ssh -A

What are points of failure for VPN site-to-site connection?

click to see the answer

@startuml
box "AWS VPC"
"router" -> "AWS Public zone"
end box
box "AWS Public Zone"
participant "Virtual Gateway" as vgw
participant "VPN" as vpn
vgw <-> vpn

vpn -> "Endpoint1"
vpn -> "Endpoint2"
end box
box "Public Internet"
participant "Customer Gateway" as cgw
cgw ->
end box
"AWS Public zone" -> "Public internet"

"Public internet" -> "On prem router"
@enduml

What are VPC flow logs?
Do VPC flow logs capture metadata or contents of a request?

click to see the answer
Only metadata

VPC Peering

Can you peer more than one VPC together?
Details
click to see the answer
No

Route 53

What is the difference between a hosted zone and a hosted zone group?
Which DNS record points to IPv6 address?
What is the difference between a CNAME and an ALIAS?
click to see the answer
- CNAME maps a name to another name in the same domain (naked domain)
- ALIAS maps a name to AWS resource - default for the exam. AWS specific implementation
What does CNAME stand for?
Can CNAMEs point to an IP address?
How many DNS root servers exist?
Details
click to see the answer
13

Public Hosted Zones

What are R53 public hosted zones?
How many name servers does R53 alocate?
What records to use to point at the hosted name servers?
What is the DNS resolver in a VPC instance?
Details
click to see the answer
VPC+2 IP

Private Hosted Zones

Can you access the zone in the VPC?
How to run intranet and public facing web page on the same DNS?
Details
click to see the answer
Split-View

Routing Types

What is simple routing?
What are health checkers?
Can health checks be performed on targets outside of AWS resources?
What protocols are supported by health checkers?
What checks are supported?

Details
click to see the answer
Endpoint, CloudWatch Alarm, Checks of Checks
What is failover routing?

Details
click to see the answer
Endpoint, CloudWatch Alarm, Checks of Checks

-What is failover routing?
What is a multivalue routing

Details
click to see the answer
Can create many records with the same name Up to 8 healthy records are returned to the client Improves availability
What is a weighted routing
What is the weight formula

Details
click to see the answer
Record weight vs total weight, each of the 3 records. Use when u want to control the distribution of the DNS queries
When to use latency based routing
When to use geo-location based routing

Details
click to see the answer
It returns relevant locations only, NOT based on goe-proximity
When to use geo-proximity routing?
What is a geo-proximity bias?

Details
click to see the answer
Expands or shrinks the location of the routing zone
What is the difference between Route 53 routing policies and load balancing?

Details
click to see the answer
Load balancer is actually routing traffic to the backend services whereas DNS routing returns a DNS resolver server location.

Registering a domain

What are different scenarios for registering a domain

click to see the answer

Registrar and Public DNS Hosting role

@startuml domain-registration-traditional
!theme materia-outline
actor Developer as user
participant "Route53\nRegistrar Role" as r53_registrar
participant "Route53\nDNS Hosting Role" as r53_dns_hosting
participant "TLD Server for *.domain" as tld_server
user -> r53_registrar: Requests domain registration\nand pays 1 time fee
r53_registrar -> r53_dns_hosting : Requests cretion of public hosted zone
return 4x Name Servers

r53_registrar -> tld_server : Passes the Name Servers to

tld_server -> tld_server : Creates entries\nfor the Name Servers

tld_server -> r53_dns_hosting : Points to 4 NS Servers in Public Hosted Zone

@enduml

Hosting only role

@startuml domain-registration-traditional
!theme materia-outline
actor Developer as user
participant "Route53\nRegistrar Role" as r53_registrar
participant "3rd Party Domain Hosting" as r53_dns_hosting
participant "TLD Server for *.domain" as tld_server
user -> r53_registrar: Requests domain registration\nand pays 1 time fee
r53_registrar -> r53_dns_hosting : Requests cretion of public hosted zone
return 4x Name Servers

r53_registrar -> tld_server : Passes the Name Servers to

tld_server -> tld_server : Creates entries\nfor the Name Servers

tld_server -> r53_dns_hosting : Points to 4 NS Servers in Public Hosted Zone

@enduml

Load Balancers

What is LCU?
How load balancer is priced?
Describe briefly ALB architecture
How many load balancing nodes does ALB have as a minimum?
What is the default distribution algorithm?
What is cross zone load balancing?
What is a listener configuration?
What types of load balancers are there?
click to see the answer
- A(pplication)LB
- N(etwork)LB
- C(lassic)LB
How can load balancer handle SSL offloading?
click to see the answer
- Bridging - connection terminated on the ELB. Second connection is created to target services (http). EC2 instances also need copy of the same certificate
- Pass-through - connection encryption is maintained by the client. Listener is configured for TCP.
- Offload - backend connections use http
What is session stickiness?
How does a load balancer enable session stickiness?

click to see the answer
Cookie 1s to 7 days. It is generally better to use stateless servers and host the state somewhere else, either in a database of on the client side in the case of SPA.

Application Load Balancer (ALB)

What layer is ALB on?
Details
click to see the answer
7
What makes ALB internet facing?
Details
click to see the answer
Presence of public IP

Network Load Balancer (NLB)

What layer is NLB on?
Is NLB a performance-oriented load balancer?

Gateway Load Balancer

What is the usecase for a gateway load balancer?

click to see the answer
Load balances between multiple security appliances
What are 2 components of a GWLB?

click to see the answer
GWLB endpoints GWLB instances
What protocol is used by GWLB?

click to see the answer
GENEVE
How does GWLB endpoint integrates with the existing VPC traffic?

click to see the answer
It is added to a route table as a nex hop in the traffic

Cloud Front

What does CDN stand for?

Global Accelerator

What are anycast IP addresses?

Compute

RDS

What are some of the downsides of putting a database on EC2 instnace?
What is an RDS Instance?
Can you connect to RDS instance using IP?

Details
click to see the answer
No, you have to use CNAME DNS record
What is the resiliency level of an RDS instance?

Details
click to see the answer
AZ, also storage (EBS)
Explain pricing model of RDS

Details
click to see the answer
ALlocated GM/month Additional storage charges if applicable
Can you reuse an security group with RDS?

Details
click to see the answer
Yes
Why do we need to configure subnet groups when provisioning an RDS database instance?
Is the multi AZ feature available in the free tier?

Details
click to see the answer
No
Can the standby replica be accessed directly?

Details
click to see the answer
No, it's just an availability improvement.
What is synchronous Replication

Details
click to see the answer
Multi AZ, same AWS region

RDS Backup & Restore

What are RTO and RPO? RP(oint)O - time between last working backup and data loss event RT(ime)O - time between data loss event and full recovery
Do manual snapshots expire?

Details
click to see the answer
No
What are transaction logs? Stored every 5 minitest (lowers RPO)
Do automated backups expire?

Details
click to see the answer
Yes, you can set up to 35 days.
How does the restore process work?

Details
click to see the answer
Backups are restored from the closest snapshot (from S3) and than transaction logs are replayed on top of the backup. Restoring snapshots can be a long time.
Can read replicas be created in a different regions?

Details
click to see the answer
Yes
How many read replicas can you have per RDS DB Instance?

Details
click to see the answer
5
Why do read replicas matter?
click to see the answer
- Improved performance
- Makes CQRS pattern possible
- Use read only data in different regions to improve access performance
- In case of a failure, read replica can be promoted to read-write database. This is only useful for database failures, not data corruption

Data Security

How is encryption at rest supported?
Details
click to see the answer
Handled by host
- EBS Volume Encryption
- KMS
- TDE: Only MS SQL and Oracle

EC2

👍 What does EC2 stand for?

click to see the answer
Elastic Compute 2
Is EC2 going to fail when az (zone) fails?
👍 Are you still getting charged when EC2 instance is stopped? If yes for what component?

click to see the answer
Yes, for storage
👍 Is deleting an EC2 instance a reversible operation?

click to see the answer
No
What does AMI stand for?
What kinds of permissions are on the AMI?
What port number RDP service runs on?

click to see the answer
3389
How many times can you download private key for linux EC2 instance?
Can a single security group apply to multiple EC2 instances?
What is the resiliency model of EC2

click to see the answer
AZ, all things connected to EC2, like networking or storage run in the same AZ.
After restarting EC2 instance, will it move to another random host?

click to see the answer
No, after restarting the EC2 instance boots up on the same host.
What are the two conditions under which the instance can be relocated to another EC2 host?

click to see the answer
Host taken down for maintenance by AWE, EC2 instance stopped and started (not jus restarted)
What are the 5 EC2 instance types
click to see the answer
1. General Purpose
2. Compute optimized - ML, Games, HPC
3. Memory optimized - some databases
4. Accelerated computing - custom programmable hardware
5. Storage optimized - transactional databases, data warehouses, data analytics
https://aws.amazon.com/ec2/instance-types/https://instances.vantage.sh/
Explain storage types that can be attached to EC2

click to see the answer
Directly attached (hadrware) Network attached
Explain key differences between Block, Volume and Object Storage
Can you attach EBS storage between availability zones?

click to see the answer
No
What mechanism can be used to create snapshots of EBS volumes between AZs?

click to see the answer
S3 replication
What are 2 volume types available?
click to see the answer
- GP2
- GP3
What is an IO Credit and how big is it?

click to see the answer
IO Credit is a single chunk of data and is 16kb in size
What is an IOPS?

click to see the answer
1 IOPS is 1 IO Credit in 1 second
What EBS drives are designed for max performance?
What are 2 types of HDD drives?
click to see the answer
- ST1 - throughput optimized
- SC1 - cold
What are Instances Store Volumes?
click to see the answer
- Block Storage Devices
- Physically connected to one EC2 Host
- Highest storage performance
- Included in the instance price
- Need to be attached at launch time
When to choose EBS vs Instance Store Volumes
How does incremental copy work in S3 snapshots
click to see the answer
1. Full data is copied
2. Following snapshots are incremental
What happens when incremental snapshot is deleted

click to see the answer
All prior snapshots are still kept safely
Explain what it means that the EBS snapshot volume restores lazily

click to see the answer
Data is fetched gradually.
To remedy it, use FSR (Fast Snapshot Restore). You can also force this manually using dd for example
How many FRS you can have per region?

click to see the answer
50
How does snapshot pricing work?

click to see the answer
Gigabyte-month, paid only for used data
Can EC2 network interfaces be in different AZs?

click to see the answer
No
What does AMI stand for?

click to see the answer
Amazon Machine Image
Are AMIs global?

click to see the answer
No, each region will have their own AMI for a given image. AMI in a given region will work only in this region.
Explain briefly lifecycle of AMI
click to see the answer
1. Launch
2. Configure - this also includes volumes
3. Create Image
4. Launch
What is "AMI baking"?

click to see the answer
It is a process of creating an AMI from an EC2 instance with all the dependencies and applications pre-installed.
Can AMI be edited/updated?

click to see the answer
No
What are you paying for when using AMI

click to see the answer
You are billed for using EBS snapshots. Remember, snapshots are charged by space actually used by data not allocated.
What is EC2 Instance Metadata This is data about runtime environment of the instance
What IP do you need to access to see the Instance Metadata information?

click to see the answer
(http) 169.254.169.254 /latest/metadata
Is the metadata service encrypted?

click to see the answer
No
Does the metadata service require authentication?

click to see the answer
No
How to access user data for EC2 build automation?
click to see the answer
- http://169.254.169.254/latest/user-data
- Executes only once at the initial launch time
- runs as a root user
What metric measures how much time does it take to get a service in a ready state?

click to see the answer
Boot-Time-To-Service-Time
What is an instance profile?

click to see the answer
It is a wrapper around an IAM role and is attached to an EC2 instance. Credentials are automatically renewed.
Can you use parameter store to store secrets?

click to see the answer
Yes, is also supports versioning. Any changes to parameters can trigger events.
You can also establish hierarchy by adding / in the name.
What types of parameters can be stored in PS?
click to see the answer
- Strings
- StringLists
- SecureStrings
How to capture logs inside of an EC2 instance?

click to see the answer
Install CloudWatch agent
What technology is used in enhanced networking?

click to see the answer
SR-IVO - logical cards, higher PPS, better bandwidth. Most EC2 instance types have this available by default.
What is launch configuration and launch template?
Are launch configurations editable?

click to see the answer
No

Auto Scaling Groups

Where are auto scaling groups defined?
What are the 3 characteristics of an auto scaling group?
click to see the answer
- Minimum
- Desired - lways will be set
- Maximum
Are auto scaling groups regional?

click to see the answer
Auto scaling group will try to provision an EC2 instance in a different AZ.
What are scaling policies?
What are sub types of dynamic scaling?
click to see the answer
- Simple
- Stepped - almost always preferred
- Target tracking

ECS

What modes does ECS run in
click to see the answer
- Fargate:
- EC2
What is task?

click to see the answer
Container for containers (same as ACI group) - self contained app
What is task role?

click to see the answer
It is an IAM role that the task can assume to gain the credentials to interact with AWS resources
What is service definition?

click to see the answer
Defines task scalability and HA options.
What are the main ECS concepts

click to see the answer

Lambda

What resource can you allocate to lambda? 👍

click to see the answer
Memory
What is the execution time limit on a lambda function? 👍

click to see the answer
15 min
What are cloud watch events and EventBdirge?
What is Lambda edge?
What languages do lambda edge support?
click to see the answer
- Ptyhon
- Node.js

Storage

S3

What are the 2 constituent parts of S3 object?
What is the size limit of a single object?
Are buckets regional?
Does a bucket name have to be globally uniq?
How many objects can be stored in 1 bucket?
Can objects be nested in the bucket?
How can you simulate a folder name in a bucket?
What is another name that folders are refereed as?
What are the naming rules for a bucket?

click to see the answer
How many buckets can you have in an account?

click to see the answer
100 soft limit, 1000 hard limit
Can you mount an S3 bucket like a block storage?
Are S3s public by default?

click to see the answer
No
What is the difference between S3 resource policy and identity policy?
What is an anonymous principal?

click to see the answer
An principal that is not authenticated against AWS
How many policies can there be assigned to an S3 bucket?

click to see the answer
1
What name requirement is there in an S3 bucket when you want to use it as static page hosting with a custom domain?
What field is used to identify a version of an object?

click to see the answer
Id
How to fully delete a versioned object?

click to see the answer
By specifying its version in the delete command
What is MFA delete
What does SSE-C stand for?

click to see the answer
Server-Side Encryption with Customer-Provided Keys. S3 encrypts data with keys provided by the customer. Key is discarded after encryption, only key hash is stored.
What are the benefits of SSE-C model?

click to see the answer
Save on CPU, more control over the encryption process (you hold the keys).
What does SSE-S3 stand for?

click to see the answer
Server-Side Encryption with AWS S2-Managed Keys. S3 creates a master key and a key for each object. Master key is encrypted with object key and master key is discarded. We have encrypted object, encrypted master key and public key used to encrypt the object.
What are the benefits of SSE-S3 model?

click to see the answer
Key are managed by AWS, very low admin overhead.
What algorithm does SSE-S3 uses by default?

click to see the answer
AES256
What does SSE-KMS stand for?

click to see the answer
Server-Side Encryption with Customer-Managed Keys stored in AWS Key Management Service (KMS).
What are the benefits of SSE-KMS model?

click to see the answer
Someone else can manage the KMS, role separation. Key rotation control.

AWS Certified Solutions Architect Associate

Table of content​

About the exam​

Learning resources​

Active learning​

Fundamentals​

Cloud Environment​

AWS Fundamentals​

Identity & Governance​

Accounts​

IAM​

Cognito​

ACM (AWS Certificate Manager)​

Policies​

Networking​

Networking Fundamentals​

VPC​

VPC Peering​

Route 53​

Public Hosted Zones​

Private Hosted Zones​

Routing Types​

Registering a domain​

Load Balancers​

Application Load Balancer (ALB)​

Network Load Balancer (NLB)​

Gateway Load Balancer​

Cloud Front​

Global Accelerator​

Compute​

RDS​

RDS Backup & Restore​

Data Security​

EC2​

Auto Scaling Groups​

ECS​

Lambda​

Storage​

S3​