2024 ULTIMATE AWS CERTIFIED SOLUTIONS ARCHITECT ASSOCIATE SAA-C03 EXAM WITH ANSWERS
Leaders of the cloud - CORRECT-ANSWERS
1. AWS
2. Microsoft
3. Google
4. Alibaba Cloud
5. Oracle
6. IBM
Over 1 million users on AWS
WAF vs. Firewall Manager vs. Shield - CORRECT-ANSWERS
• WAF, Shield and Firewall Manager are used together for comprehensive protection
• Define your Web ACL rules in WAF
• For granular protection of your resources, WAF alone is the correct choice
• If you want to use AWS WAF across accounts, accelerate WAF configuration, or automate the protection of new resources, use Firewall Manager with AWS WAF
• Shield Advanced adds additional features on top of AWS WAF, such as dedicated support from the Shield Response Team (SRT) and advanced reporting.
• If you're prone to frequent DDoS attacks, consider purchasing Shield Advanced
Amazon GuardDuty - CORRECT-ANSWERS
• Intelligent threat discovery to protect your AWS Account
• Uses Machine Learning algorithms, anomaly detection, 3rd party data
• One click to enable (30 days trial), no need to install software
• Input data includes:
• CloudTrail Events Logs - unusual API calls, unauthorized deployments
• CloudTrail Management Events - create VPC subnet, create trail, ...
• CloudTrail S3 Data Events - get object, list objects, delete object, ...
• VPC Flow Logs - unusual internal traffic, unusual IP address
• DNS Logs - compromised EC2 instances sending encoded data within DNS queries
• Can setup EventBridge rules to be notified in case of findings
• EventBridge rules can target AWS Lambda or SNS
• Can protect against CryptoCurrency attacks (has a dedicated "finding" for it)
  • For EC2 instances
  • For container images pushed to Amazon ECR
  • For Lambda functions
AWS Macie - CORRECT-ANSWERS
• Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS.
• Macie helps identify and alert you to sensitive data, such as personally identifiable information (PII)
Understanding CIDR - IPv4 - CORRECT-ANSWERS
Classless Inter-Domain Routing - a method for allocating IP addresses. Used in security group rules and AWS networking in general.
CIDR consists of two components:
Base IP
Subnet Mask
VPC in AWS - IPv4 - CORRECT-ANSWERS
• VPC = Virtual Private Cloud
• You can have multiple VPCs in an AWS region (max. 5 per region - soft limit)
• Max. CIDR per VPC is 5, for each CIDR:
  • Min. size is /28 (16 IP addresses)
  • Max. size is /16 (65536 IP addresses)
• Because VPC is private, only the Private IPv4 ranges are allowed:
  • 10.0.0.0 - 10.255.255.255 (10.0.0.0/8)
  • 172.16.0.0 - 172.31.255.255 (172.16.0.0/12)
  • 192.168.0.0 - 192.168.255.255 (192.168.0.0/16)
• Your VPC CIDR should NOT overlap with your other networks (e.g., corporate)
VPC - Subnet (IPv4) - CORRECT-ANSWERS
AWS reserves 5 IP addresses (first 4 and last 1) in each subnet. These 5 aren't available for use and can't be assigned to an EC2 instance.
Exam tip: if you need 29 IP addresses, you can't choose a subnet of size /27 (32 IP addresses, 32 - 5 = 27 < 29).
Internet Gateway (IGW) - CORRECT-ANSWERS
Allows resources (e.g., EC2) in a VPC to connect to the internet.
Bastion Hosts - CORRECT-ANSWERS
We can use a Bastion Host to SSH into our private EC2 instances. It is in the public subnet, which is then connected to all other private subnets.
*Must allow inbound from the internet on port 22 from a restricted CIDR
NAT Instance - CORRECT-ANSWERS
Allows EC2 instances in private subnets to connect to the internet.
*Must be launched in a public subnet
*Must disable EC2 setting: Source/Destination Check
*Must have an Elastic IP attached to it
Comments:
*Pre-configured Amazon Linux AMI available
*Not highly available/resilient setup out of the box
*You must manage security groups & rules:
Inbound: allow HTTP/HTTPS traffic coming from private subnets and SSH from your home network
Outbound: allow HTTP/HTTPS traffic to the internet
NAT Gateway - CORRECT-ANSWERS
• AWS-managed NAT, higher bandwidth, high availability, no administration
• Pay per hour for usage and bandwidth
• NATGW is created in a specific Availability Zone, uses an Elastic IP
• Can't be used by EC2 instances in the same subnet (only from other subnets)
• Requires an IGW (Private Subnet => NATGW => IGW)
• 5 Gbps of bandwidth with automatic scaling up to 45 Gbps
• No Security Groups to manage / required
NAT Gateway with high availability - CORRECT-ANSWERS
NAT Gateway is resilient within a single Availability Zone. Must create multiple NAT Gateways in multiple AZs for fault tolerance.
NAT Gateway vs. NAT Instance - CORRECT-ANSWERS
Availability: highly available within AZ vs. using a script to manage failover between instances
Bandwidth: 100 Gbps vs. depends on instance type
Maintenance: AWS vs. yourself
Cost: per/hr
Network Access Control List (NACL) - CORRECT-ANSWERS
NACLs are like a firewall which controls traffic from and to subnets. The default NACL accepts everything inbound/outbound. (Don't modify the default; create custom NACLs.)
*One NACL per subnet; new subnets are assigned the Default NACL
*You define NACL rules:
-Rules have a number (1-32766); a lower number has higher precedence, i.e. 100 beats 200
-First rule match will drive the decision
-Last rule is an * and denies a request in case of no rule match
-AWS recommends adding rules by increments of 100
*Newly created NACLs will deny everything
*NACLs are a great way of blocking a specific IP address at the subnet level
Ephemeral Ports - CORRECT-ANSWERS
For any two endpoints to establish a connection, they must use ports. Clients connect to a defined port and expect a response on an ephemeral port.
*Different operating systems use different port ranges.
Security Group vs. NACLs - CORRECT-ANSWERS
-Operates at instance level vs. subnet level
-Supports allow rules only vs. allow rules and deny rules
-Stateful: return traffic is automatically allowed vs. stateless: return traffic must be explicitly allowed by rules
-All rules are evaluated before allowing traffic vs. rules are evaluated in order, lowest to highest
-Applies to an EC2 instance vs. automatically applies to all EC2 instances
VPC Peering - CORRECT-ANSWERS
Privately connect two VPCs using AWS' network as if they were in the same network.
*Must not have overlapping CIDRs
*VPC peering connection is NOT transitive
Good to know: