AWS Certified Solutions Architect Associate Notes

While preparing for the AWS CSA Associate exam, I’ve put together few draft notes to help me revise on-going bases.


  • IAM is global
  • root account has admin access
  • by default new users have no permissions
    • access key id and secret access keys are only used for api access and not for console login
  • permissions are by granted by policies
    • administrator access to make someone an admin
    • effect: allow, deny
  • Role allows resources in aws to access other resources. Ex: EC2 can access S3.
    • Role types: Service Roles, Cross account access and Identity provider access


    • object based storage
    • region based
    • spread across multiple devices and facilities
    • 1byte to 5tb
    • unlimited storage
    • files are stored in buckets
    • read after write consistency for PUTS of new objects
    • PUT and DELETES can take some time for existing objects
    • key value store
      • version id
      • Metadata
      • Access control lists
    • availability is 99.99 and durability 99.11×9
    • Tiered storage available
    • Lifecycle management
    • Encryption is available to force encryption at rest
    • S3 standard, S3 infrequently accessed, reduced redundancy (1 concurrent facility), glacier
    • charged for storage, requests, data transfer pricing
    • object is private by default. click make public that is quick way
    • once version is on, you cannot remove it, you can only suspend. delete the bucket to remove it.
    • delete the delete marker to bring back deleted versioned file
    • it takes up to double space for each version. also costs double
    • cross region replication by creating a backup. only future objects by default will be replicated. requires versioning enabled on source bucket.
    • 100 s3 bucks per account by default
  • S3 lifecycle
      • min 30 days required to move to infrequently accessed. 128kb is min object size.
      • works with versioning
      • move to glacier day after moving to infrequently accessed storage.
  • S3 encryption
      • in transit – ssl/tls
      • at rest – server side = s3 managed keys sse-s3; aws key management service sse-kms; server side encryption with custom provider keys sse-c
      • client side
  • S3 transfer acceleration
    • upload to local CF edge location first


  • edge location is where content will be cached
  • separate from region
  • web or rtmp
  • multiple origins
  • signed urls or cookies to restrict access to cf distribution
  • distribution is the name given to cdn
  • default cache is 24 hours but can be configured
  • charges for cache clearance

Storage gateway

  • Gateway stored volumes
    • entire data on site and async backed to s3
  • Gateway cached volumes
    • entered data is stored on s3, and most frequently accessed data is cached on site
  • Gateway virtual tape library
    • used for backup and uses popular backup apps like netbackup, backup exec, veam etc


  • Import/Export Disk
    • Buy disk, load data and send to aws. aws will send disk back
    • 600gb or more at 10mbps
    • import to ebs, s3, glacier
    • export from s3 only
  • Snowball
    • petabyte scale disk transfer
    • 50TB per snowball. 256 bit encryption. Trusted Platform Module. USA only. S3 only. can rent from amzn only.
    • import and export only on s3
    • go for snowball over disk as prefered.


    • resizable compute capacity in cloud
    • scale capacity both up and down
    • On-demand
      • fixed rate by the hour
      • short term, spiky or unpredictable workloads. ex: black friday sales
    • Reserved
      • 1 or 3 years. significant discount
      • predictable usage. users able to make upfront payments to reduce their total computing costs
      • cannot move region to region
    • Spot
      • bid price on capacity by the hour. hour notice and terminate the instance. large compute requirement used by pharma when prices are cheaper
      • partial hour is not charged if aws terminates but if you do, it does.
    • user data on provision uses bash script
    • you cannot assign a role after instance is created
  • Roles
      • roles are considered more secure because you don’t need to store creds on the instance
      • roles are easier to manage. you can update permissions in a role later.
      • roles are universal, available on all regions
    • underlying hypervisor for ec2 is Xen
    • Metadata
  • Placement group
    • grid computing, cassandra, hadoop, low network latency, high throughput 10gb network
    • only one az. cannot be multiple
    • name must be unique
    • only certain types c, g, r, i
    • recommends same instance families
    • can’t merge, cannot move an existing placement group, must use an ami to launch into another place


  • It’s a block storage, duh.
  • automatically replicated to protect failure
  • GP SSD – GP2
    • 99.99% up to 3 per gig upto 10k iops. burst of 30k available.
  • IOPS SSD – IO1
    • if more than 10k iops
  • Magnetic
    • cheap infrequently accessed storage
  • cannot mount ebs volume to more than 1 instance
  • root device vol is not not encrypted by default. to do so use 3rd party tool like bitlocker.
  • ebs backed instance, default action is for root ebs vol to be deleted when instance is terminated.
  • typically RAID 0 or 10 is ideal.
  • to take snapshot of raid:
    • freeze the file system
    • unmount the raid array
    • or easiest of all shut down the ec2 instance.
  • Volume vs Snapshot
    • ss on s3
    • vol on ebs
    • ss of encrypted vol is encrypted auto
    • root vol ss, instance must be stopped
    • cant share encrypted ss

Security group

  • security rules take effect immediately
  • you can only allow rules. denied by default
  • all inbound traffic is blocked and outbound traffic is allowed by default
  • security groups are stateful. if you allow inbound rule it is allowed as outbound too


  • are regional but can copy to other region
  • template for root vol for the instance
  • launch permissions that control with aws accounts can use the ami to launch instances
  • a block device mapping that specifies the volumes to attach to the instance when its launched
  • Instance store vol based ec2 instance you cannot stop it but only terminate or reboot
    • Instance Storage is less durable.. host failure means you lose the instance
    • rebooting IS does not lose data.
    • on termination IS vol is deleted by default and you cannot change that
    • cannot delete a snap shot of EBS vol that is used as the root device of a registered AMI


  • default connection draining is 300 sec
  • Cross zone lb is enabled by default
  • Never gives static IP only DNS

Cloud Watch

  • Monitor Resources and Applications
  • Default basic monitoring every 5 mins.
  • Dashboard, alarms, events and logs
  • Detail monitoring is $3 per instance and runs every 1 min.
  • Memory is missing. CPU, Disk, Network and Status for EC2
  • S3 bucket size and bytes
  • You can create events to trigger actions based on metrics
  • HTTP response codes in apache logs, alarms for errors in kernel logs
  • alarms can be configured.

Cloud Trail

  • User activity and API usage
  • mostly for auditing

Launch config and auto scaling

  • go through launch config before setting up auto scaling
  • HC grace period default is 300 sec. time it takes to first initiate the HC once instance is provisioned.
  • specify increase group size and decrease group size
  • deleting auto group will terminate all associated instances


  • elastic file system
  • grow and shrink auto based on add/remove files.
  • can share across instances
  • NFSv4 network file system
  • only pay for what we use
  • 1000s of concurrent NFS connections
  • EFS is block based
  • Read after write consistency


  • 5 vpc are allowed by default in each region
  • 1 internet gateway can be attached to custom vpc
  • network acl are an additional layer of security on subnet level


  • default ec2 instance pull sqs messages from queue on LIFO bases.


  • you can create a topic, and an ARN is created.


  • you can force a failover that has multi-az configured
  • max backup retention policy days: 35
  • available for multi-az deployments
  • changes to backup window takes place immediately
  • does not currently support increasing storage of sql server db
  • max size for ms sql db is 10GB
    • There are two different limits. That of the DB (10GB), and that of the DB instance server storage (300GB). A DB server instance could quite easily host several DBs, or a DB and support files such as Logs, Dumps and flat file backups.
  • Automatic backups are enabled by default on new DB instance

Additional Notes:

  • When using a custom VPC and placing an ec2 instance into a public subnet, you still need to assign elastic Ip or elb to instance in order to be internet accessible
  • Aurora stores 6 copies of data by default
  • AWS platform consists of 15 regions and 40 AZ
  • mysql default port 3306
  • QSA accreditation is still required for deploying app accepting credit cards
  • Amazon redshift uses 1 mb columnar storage block size
  • AWS premium support, basic, developer, business, enterprise

Leave a Reply

Your email address will not be published.