SAA C02考试指南

https://d1.awsstatic.com/zh_CN/training-and-certification/docs-sa-assoc/AWS-Certified-Solutions-Architect-Associate_Exam-Guide.pdf

领域考试百分比

领域1:设计弹性架构 30%

  • 1.1 设计多层架构解决方案
  • 1.2 设计高可用和/或容错架构
  • 1.3 使用AWS 服务设计分离机制
  • 1.4 选择适当能复原的存储

领域2:设计高性能架构28%

  • 2.1 为工作负载寻找弹性和可扩展的计算解决方案
  • 2.2 为工作负载选择高性能和可扩展的存储解决方案
  • 2.3 为工作负载选择高性能网络解决方案
  • 2.4 为工作负载选择高性能数据库解决方案

领域3:设计安全的应用程序和架构24%

  • 3.1 设计对AWS 资源的安全访问
  • 3.2 设计安全的应用程序层
  • 3.3 选择适当的数据安全选项

领域4:设计成本优化架构18%

  • 4.1 寻找高成本效益的存储解决方案
  • 4.2 寻找高成本效益的计算和数据库服务
  • 4.3 设计成本优化的网络架构

考点分析

C02比C01多了一些范围: Global Accerlerator , HPC (FSx) , AWS Organization (SCP)一共出现5到6题左右,分别是:GA(1) , Fsx (3) , Organizagion(1), AD(1)。 AWS Macie , AWS Control Tower

  1. Web应用二层(三层)结构和高可用,这里面主要是ELB / ASG 和 Multi-AZ

2. 存储:EBS / EFS / S3 / Storage Gateway 这也是老生长谈了,大家基本都会碰到这些题目,要搞清楚每一种存储的优势 、不足、使用场景。其中S3的加密、Lifecycle还有高性能是必考题 ,另外Storage Gateway在我的考试中也出现3次,要熟悉File Gateway/Cache Gateway / Storage Gateway的区别。

网络:主要要弄清楚整个VPC,这是基础中的基础。同时要掌握各种Hybrid组网方式:Direct Connect , VPN , VPN Gateway , VPC Endpoint  等。 另外,值得一提的是:昨天晚上正好看到2019 Re: Invent有一个演讲(AWS re:Invent 2019: [REPEAT 1] Advanced VPC design and new capabilities for Amazon VPC (NET305-R1)谈最新的网络服务,演讲者Matt提到Transit Gateway的优势,今天考试中遇到一个题,场景就是有很多VPC,还有很多On-Premises数据中心的时候,如何利用一个中心节点来组网,果断选Transit Gateway!强烈推荐大家看看这个视频!

无服务架构:Lambda+API Gateway:最新的趋势,必考。要了解 Lambda的优势,限制和使用场景。API Gateway的Stage ,架构和安全。

据库:考了好几次Read Replica,还有Dynamdo的使用场景,总体来说题目难度不大,量也不是太多。

微服务:ECS / EKS / ECR / Fargate 这里面肯定会碰到题 (本人考试中碰到3题)。微服务和Docker也是现在的热点,要多多熟悉。

监控和Goverance: CloudWatch和CloudTrail的区别,适用场景,CloudWatch和Lambda/SQS的配合等。AWS X-Ray / AWS Config / AWS Trust Advisor / AWS Budget 的基础知识也需要了解。

SQS  / SNS / Kinesis: 这些消息处理还有流处理也是常见考题,特别是SQS,我这次提考到2题。

还有其它好一些热门的服务比如:System Manager(包括:Parameter Store /State Manager/Run Command 等) , Steps , SWF,KMS,Config ,  Opsworks ,  Cloudformation , Kinesis , Beastalk ,Athena我居然一个题也没有碰到。  另外,关于DR和SSO/Cognito本来也是C02的scope,我以为是必考题,但是我这次我也没有遇到。(值得提醒的是:AWS题库是庞大的,每个人遇到的题目不一样,但AWS对应试者的要求是一样的,所以每个服务,我们都应该认真去对待)

关注点分析:AWS Trusted Advisor V.S. AWS Cloudwatch /CloudTrail

Your company has a large set of resources hosted on AWS.

Your company wants to keep a check on the Active Volumes, Active snapshots and Elastic IP addresses you use so that you don’t go beyond the service limit. Which of the below services can help in this regard?

  1. AWS Cloudwatch
  2. AWS EC2
  3. AWS Trusted Advisor
  4. AWS SNS

An online resource to help you reduce cost, increase performance, and improve security by optimizing your AWS environment, Trusted Advisor provides real time guidance to help you provision your resources following AWS best practices.

Company has an application hosted in AWS.

This application consists of EC2 Instances which sit behind an ELB. The following are requirements from an administrative perspective:

a) Ensure notifications are sent when the read requests go beyond 1000 requests per minute
b) Ensure notifications are sent when the latency goes beyond 10 seconds
c) Any API activity which calls for sensitive data should be monitored

Which of the following can be used to satisfy these requirements? Choose 2 answers from the options given below.

  1. Use CloudTrail to monitor the API Activity
  2. Use CloudWatch logs to monitor the API Activity
  3. Use CloudWatch metrics for the metrics that need to be monitored as per the requirement and set up an alarm activity to send out notifications when the metric reaches the set threshold limit.
  4. Use custom log software to monitor the latency and read requests to the ELB.

AWS CloudTrail can be used to monitor the API calls.

For more information on CloudTrail, please visit the following URL:

https://aws.amazon.com/cloudtrail/
When you use CloudWatch metrics for an ELB, you can get the amount of read requests and latency out of the box.

For more information on using Cloudwatch with the ELB, please visit the following URL:

https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-cloudwatch-metrics.html

Option A is correct. CloudTrail is a web service that records AWS API calls for your AWS account and delivers log files to an Amazon S3 bucket. The recorded information includes the identity of the user, the start time of the AWS API call, the source IP address, the request parameters, and the response elements returned by the service.

https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/Welcome.html

Option C is correct. Use Cloudwatch metrics for the metrics that needs to be monitored as per the requirement and set up an alarm activity to send out notificatons when the metric reaches the set threshold limit.

关注点分析:AWS Elastic Beanstalk V.S. AWS Cloudformation

You work as an architect for a consulting company.

The consulting company normally creates the same set of resources for their clients. They want some way of building templates, which can then be used to deploy the resources to the AWS accounts for the various clients. Which of the following service can help fulfil this requirement?

  1. AWS Elastic Beanstalk
  2. AWS SQS
  3. AWS Cloudformation
  4. AWS SNS

You have been designing a CloudFormation template that creates one elastic load balancer fronting two EC2 instances.

Which section of the template should you edit so that the DNS of the load balancer is returned upon creation of the stack?

  1. Resources
  2. Parameters
  3. Outputs
  4. Mappings

关注点分析:meta-data/ V.S. user-data/

关注点分析:Cross Region / Diaster Recovery

  1. EBS AMI replica cross region
  2. Enable Cross Region Replication for the underlying S3 bucket

关注点分析: AWS organizations

关注点分析: HSM/KMS/ SSE-S3

Your company wants to enable encryption of services such as S3 and EBS volumes so

They want to have complete control over the keys and the entire lifecycle around the keys. How can you accomplish this?

  1. Use the HSM Module
  2. Use the KMS service
  3. Enable S3 server-side encryption
  4. Enable EBS Encryption with the deaf ult KMS

Your company is planning on moving to the AWS Cloud.

There is a strict compliance policy that mandates that data should be encrypted at rest. As an AWS Solution architect, you have been tasked to put the organization data on the cloud and also ensure that all compliance requirements have been met. Which of the below needs to be part of the implementation plan to ensure compliance with the security requirements.

Choose 2 answers from the options given below.

  1. Ensure that all EBS volumes are encrypted
  2. Ensure that server-side encryption is enabled for S3 buckets
  3. Ensure that SSL is enabled for all load balancers
  4. Ensure that the EC2 Security rules only allow HTTPS traffic

解析: Answer – A and B The AWS Documentation mentions the following Amazon EBS encryption offers a simple encryption solution for your EBS volumes without the need to build,maintain, and secure your own key management infrastructure. Server-side encryption protects data at rest. Server-side encryption with Amazon S3-managed encryption keys (SSE-S3) uses strong multi-factor encryption. Amazon S3 encrypts each object with a unique key Options C and D are invalid since these are used to manage encryption of data in transit For more information on Encryption of EBS volumes, please visit the url (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html) For more information on Encryption of S3 buckets, please visit the url (https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingServerSideEncryption.html)

The security policy of an organization requires an application to encrypt data before writing to the disk.

Which solution should the organization use to meet this requirement?

  1. AWS KMS API
  2. AWS Certificate Manager
  3. API Gateway with STS
  4. IAM Access Key

Option B is incorrect – The AWS Certificate Manager can be used to generate SSL certificates to encrypt traffic in transit, but not at rest.

Option C is incorrect – It is used for issuing tokens while using the API gateway for traffic in transit.

Option D is used for secure access to EC2 Instances.

AWS Documentation mentions the following on AWS KMS:

AWS Key Management Service (AWS KMS) is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data. AWS KMS is integrated with other AWS services including Amazon Elastic Block Store (Amazon EBS), Amazon Simple Storage Service (Amazon S3), Amazon Redshift, Amazon Elastic Transcoder, Amazon WorkMail, Amazon Relational Database Service (Amazon RDS), and others to make it simple to encrypt your data with encryption keys that you manage.

For more information on AWS KMS, please visit the following URL:

https://docs.aws.amazon.com/kms/latest/developerguide/overview.html

关注点分析: Glacier Expedited retrieval/ Standard retrieval / Bulk retrieval /Amazon S3 Standard Infrequent Access

A Solutions Architect designing a solution to store and archive corporate documents, has determined Amazon Glacier as the right choice of solution.

An important requirement is that the data must be delivered within 10 minutes of a retrieval request. Which feature in Amazon Glacier can help meet this requirement?

  1. Vault Lock
  2. Expedited retrieval
  3. Bulk retrieval
  4. Standard retrieval

解析: AWS Documentation mentions the following:

Expedited retrievals to access data in 1 – 5 minutes for a flat rate of $0.03 per GB retrieved. Expedited retrievals allow you to quickly access your data when occasional urgent requests for a subset of archives are required. For more information on AWS Glacier Retrieval, please visit the following URL: (https://docs.aws.amazon.com/amazonglacier/latest/dev/downloading-an-archive-two-steps.html) The other two are

standard ( 3-5 hours retrieval time) and

Bulk retrievals which is the cheapest option.(5-12 hours retrieval time)

关注点分析: DynamoDB /Amazon Aurora

An application needs to have a Data store hosted in AWS.

The following requirements are in place for the Data store:

a) An initial storage capacity of 8 TB
b) The ability to accommodate a database growth of 8GB per day
c) The ability to have 4 Read Replicas

Which of the following Data stores would you choose for this requirement?

  1. DynamoDB
  2. Amazon S3
  3. Amazon Aurora
  4. SQL Server

Aurora can have a storage limit of 64TB and can easily accommodate the initial 8TB plus a database growth of 8GB/day for nearly a period of 20+ years. It can have up to 15 Aurora Replicas that can be distributed across the Availability Zones that a DB cluster spans within an AWS Region.

Aurora Replicas work well for read scaling because they are fully dedicated to read operations on your cluster volume. Write operations are managed by the primary instance. Because the cluster volume is shared among all DB instances in your DB cluster, no additional work is required to replicate a copy of the data for each Aurora Replica.

For more information on AWS Aurora, please visit the following URL:

https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Aurora.Replication.html

Note:
Our db choice need to fulfill 3 criteria’s.
1. Initial Storage capacity 8 TB
2. Daily db growth of 8GB/day
3. Need 4 Read replicas

DynamoDB, along side DynamoDB Accelerator(DAX) can support up to 9 read replicas in its primary cluster. However we have to choose the best suitable one from the options listed in the question. We have Aurora also listed under the option which is fully dedicated for read operations in the cluster.

A company has a requirement for a managed database in AWS. It is also required that joins need to be
performed on the underlying queries. Which of the following can be used as the underlying database?
A. AWS Aurora
B. AWS DynamoDB
C. AWS S3
D. AWS Redshift

In this case, AWS Aurora would be the perfect choice.
Option B is incorrect because joins are not supported in DynamoDB.
Option C is incorrect because this is more of an option for object storage.
Option D is incorrect because this option is better for data warehousing solutions.
For more information on AWS Aurora please visit the following URL:
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Aurora.Overview.html
The correct answer is: AWS Aurora

关注点分析:Rouet53 routing policy: Simple , Weighted , Multivalue Answer , Latency

A company hosts 5 web servers in AWS.

They want to ensure that Route53 can be used to route user traffic to random web servers when they request for the underlying web application. Which routing policy should be used to fulfill this requirement?

  1. Simple
  2. Weighted
  3. Multivalue Answer
  4. Latency

The AWS Documentation mentions the following to support this:

If you want to route traffic approximately randomly to multiple resources such as web servers, you can create one multivalue answer record for each resource and, optionally, associate an Amazon Route 53 health check with each record. For example, suppose you manage an HTTP web service with a dozen web servers that each have their own IP address, no one web server could handle all of the traffic, but if you create a dozen multivalue answer records, Amazon Route 53 responds to DNS queries with up to eight healthy records in response to each DNS query. Amazon Route 53 gives different answers to different DNS resolvers. If a web server becomes unavailable after a resolver caches a response, client software can try another IP address in the response.

For more information on this option, please visit the following URL:

https://aws.amazon.com/about-aws/whats-new/2017/06/amazon-route-53-announces-support-for-multivalue-answers-in-response-to-dns-queries/

Simple routing policy – Use for a single resource that performs a given function for your domain, for example, a web server that serves content for the example.com website.

Latency routing policy – Use when you have resources in multiple locations and you want to route traffic to the resource that provides the best latency.

Weighted routing policy – Use to route traffic to multiple resources in proportions that you specify.

Multivalue answer routing policy – Use when you want Route 53 to respond to DNS queries with up to eight healthy records selected at random.

在AWS Route53中有多种不同的路由策略(Routing Policy),我们可以根据自己的不同需求将我们的DNS解析到不同的目标上去。

简单路由策略(Simple Routing Policy):提供单一资源的策略类型,即一个DNS域名指向一个单一目标
加权路由策略(Weighted Rouing Policy):按照不同的权值比例将流量分配到不同的目标上去
延迟路由策略(Latency Routing Policy):根据网络延迟的不同,将与用户延迟最小的结果应答给最终用户
地理位置路由策略(Geolocation Routing Policy):根据用户所在的地理位置,将不同的目标结果应答给用户
故障转移路由策略(Failover Routing Policy):配置主动/被动(Active/Passive)的故障转移策略,保证DNS解析的容灾
多值应答路由策略(Multivalue answer routing policy) – 如果您想要让 Route 53 用随机选择的正常记录(最多八条)响应 DNS 查询,则可以使用该策略。可以作为简单的LoadBlance

Posted in AWS

发表评论

此站点使用Akismet来减少垃圾评论。了解我们如何处理您的评论数据