Cloud Computing




















  • An Application team has asked a SysOps Admin to provision an additional environment for an application in four additional regions. The application is running on more than 100 instances in us-east-1, using fully baked AMIs. An AWS CloudFormation template has been created to deploy resources in us-east-1. To provision the application quickly the SysOps Admin must Run the existing CloudFormation template in each additional region based on the success of the template used currently in us-east-1.

  • A company has a fleet of EC2 instances, and needs to remotely execute scripts for all of the instances. Amazon EC2 System Manager Run Command allows this.

  • A company is creating an application that will keep records. The application will run on Amazon EC2 instances and will use an Amazon Aurora MySQL DB as its data store. To maintain compliance, the application must not retain information that is determined to be sensitive. To detect if sensitive data is being stored in the application a SysOps admin should Export data from the DB by using an AWS Lambda function. Store the data in Amazon S3. Use Amazon Macie to examine the stored data. Examine the report for any sensitive data that is discovered.

  • Access Control List (ACL) is the document that defines who can access a particular bucket or object in Amazon S3. ACLs enable to manage access to buckets and objects. Each bucket and object has an ACL attached to it as a subresource. It defines which AWS accounts or groups are granted access and the type of access.

  • A user is sending custom data metrics to CloudWatch. The allowed time stamp granularity for each data point published for the custom metric is 1 millisecond (ms).
    The user is allowed to send data up to 1,000 of a second. CloudWatch aggregates the data by each minute and generates a metric for that.

  • Dev teams are maintaining several workloads on AWS. Company management is concerned about rising costs and wants the SysOps Admin to configure alerts so teams are notified when spending approaches preset limits. AWS Budgets service will satisfy these requirements.

  • A company has several accounts between different teams and wants to increase its auditing and compliance capabilities. The accounts are managed through AWS Organizations. Management wants to provide the security team with secure access to the account logs while also restricting the possibility for the logs to be modified. A SysOps admin can achieve this with the LEAst amount of operational overhead by From the master account, create an organization trail using AWS CloudTrail and apply it to all Regions. Use IAM roles to restrict access.

  • A launch configuration in Auto Scaling represents a template that the Auto Scaling group uses to launch the Amazon EC2 instances. When create a launch configuration, specify information for the instances such as the ID of the Amazon Machine Image (AMI), the instance type, a key pair, one or more security groups, and a block device mapping.

  • AWS CloudWatch is a service used to monitor the AWS resources and the applications running on EC2. It collects and tracks the metrics of various services or applications.

  • A Dev team recently deployed a new version of a web application to production. After the release, penetration testing revealed a cross-site scripting vulnerability that could expose user data. AWS WAF service will mitigate this issue.

  • Every object in Amazon S3 is stored in a Bucket. Before can store data in Amazon S3, must create a bucket.

  • An Auto Scaling group scales up and down based on Average CPU Utilization. The alarm is set to trigger a scaling event when the Average CPU Utilization exceeds 80% for 5 minutes. Currently, the Average CPU has been 95% for over two hours and new instances are not being added. The issue could be The maximum size of the Auto Scaling group is below or at the current group size.

  • AWS CloudWatch supports the custom metrics. The user can always capture the custom data and upload the data to CloudWatch using CLI or APIs. The user has to always include the namespace as a part of the request. However, the other parameters are optional. If the user has uploaded data using CLI, he can view it as a graph inside the console. The data will take around 2 minutes to upload but can be viewed only after around 15 minutes.

  • A popular auctioning platform requires near-real-time access to dynamic bidding information. The platform must be available at all times. The current Amazon RDS instance often reaches 100% CPU utilization during the weekend auction and can no longer be resized. To improve application performance, a sysops admin is evaluating Amazon ElastiCache, and has chosen Redis (cluster mode enabled) instead of Memcached. Reasons for making this choice are Multi-AZ with automatic failover and Online resharding.
    Amazon ElastiCache for Redis supports both Redis cluster and non-cluster modes and provides high availability via support for automatic failover by detecting primary node failures and promoting a replica to be primary with minimal impact.

  • Amazon S3 offer Storage over the Internet. It's a simple web services interface that can use to store and retrieve any amount of data, at any time, from anywhere on the web.

  • To change the Instance type for instances running. In application tier that are using Auto Scaling. Would change the instance type definition in Auto Scaling launch configuration.

  • To generate a report detailing specific cost allocation tags when creating a Monthly Cost Allocation report required steps are:
    • Activate the 'requested' tags by clicking Manage report tags on the Billing Preferences page.
    • Select the checkbox for Cost Allocation Report in the AWS account's Billing Management Console.
Last edited:


  • A company runs a multi-tier web application with two Amazon EC2 instances in one AZ in the us-east-1 Region. A SysOps admin must migrate one of the EC2 instances to a new AZ. Solution will accomplish this by Create an Amazon Machine Image (AMI) from the EC2 instance and launch it in a different AZ. Terminate the original instance.

  • A SysOps Admin has configured health checks on a load balancer. An Amazon EC2 instance attached to this load balancer fails the health check. The EC2 instance will be terminated based on the health check failure. And The load balancer will stop sending traffic to the EC2 instance.

  • Company A purchases company B and inherits three new AWS accounts. Company A would like to centralize billing and reserved instance benefits but wants to keep all other resources separate. This can be accomplished by Configure AWS Organizations Consolidated Billing and provide the finance team with IAM access to the billing console.

  • Amazon Route53 provides a scalable Domain Name System (DNS). It is a highly available and scalable cloud DNS web service. It is designed to give developers and businesses an extremely reliable and cost effective way to route end users to Internet applications by translating names like into the numeric IP addresses like that computers use to connect to each other. It is fully compliant with IPv6 as well.

  • AWS CloudWatch supports monitoring of the AWS estimated usage charges. When enable the monitoring of estimated charges for AWS account, the estimated charges are calculated and sent several times daily to CloudWatch as metric data.

  • AWS Auto Scaling can launch instances based on certain criteria. This provides cost optimization to the user as it will only launch the instance when required, thereby resulting in cost saving.

  • AWS bills the user on a as pay as you go model. AWS will charge the user once the AWS resource is allocated. Even though the user is not using the resource, AWS will charge if it is in service or allocated. Thus, it is advised that once the user's work is completed he should:
    • Terminate the EC2 instance
    • Delete the EBS volumes
    • Release the unutilized Elastic IPs
    • Delete ELB
The AutoScaling launch configuration does not cost the user. Thus, it will not make any difference to the cost whether it is deleted or not.​
  • Store data in Amazon S3 and retain a copy of frequently accessed data subsets locally.
    In AWS Storage Gateway, Gateway-cached volumes offer a substantial cost savings on primary storage and minimize the need to scale storage on-premises. Also retain low-latency access to frequently accessed data.

  • An Auto Scaling group associated with an Elastic Load Balancer (ELB). Noticed that instances via the Auto Scaling group are being marked unhealthy due to an ELB health check, but these unhealthy instance are not being terminated. To ensure trial instances marked unhealthy by the ELB will be terminated and replaced by Add an ELB health check to Auto Scaling group.
    By default, an Auto Scaling group periodically reviews the results of EC2 instance status to determine the health state of each instance. However, if associated Auto Scaling group with an ELB load balancer, can choose to use the ELB health check. In this case, Auto Scaling determines the health status of instances by checking the results of both the EC2 instance status check and the ELB instance health check.
    For information about EC2 instance status checks, see Monitor Instances With Status Checks in the Amazon EC2 User Guide for Linux Instances. For information about ELB health checks, see Health Check in the ELB Developer Guide.
    Assuming that have created a LB and have registered the LB with Auto Scaling group. If not registered the LB with Auto Scaling group, see Set Up a Scaled and LB Application.
    Auto Scaling marks an instance unhealthy if the calls to the Amazon EC2 action DescribeInstanceStatus return any state other than running, the system status shows impaired, or the calls to ELB action DescribeInstanceHealth returns OutOfService in the instance state field.
    If there are multiple LB associated with Auto Scaling group, Auto Scaling checks the health state of EC2 instances by making health check calls to each LB. For each call, if the ELB action returns any state other than InService, the instance is marked as unhealthy. After Auto Scaling marks an instances as unhealthy, it remains in that state, even if subsequent calls from other LB return an InService state for the same instance.

  • A company would like to review each change in the infrasturcture before deploying updates in its AWS CloudFormation stacks. To understand the impact of these changes before implementation an Admin should Create a change set for the running stack.

  • When the user has launched an EC2 instance from an instance store backed AMI and added an instance store volume to the instance in addition to the root device volume, the block device mapping for the new AMI contains the information for these volumes as well. In addition, the block device mappings for the instances those are launched from the new AMI will automatically contain information for these volumes.

  • A SysOps Admin wants to automate the process of configuration, deployment, and management of Amazon EC2 instances using Chef or Puppet. AWS OpsWorks service will satisfy the requirement.

  • A user is trying to launch an EBS backed EC2 instance under free usage. The user wants to achieve encryption of the EBS vloume. The user cannot use EBS encryption and has to encrypt the data manually or using a third party tool.
    AWS EBS supports encryption of the volume while creating new volumes. It supports encryption of the data at rest, the I/O as well as all the snapshots of the EBS volume. The EBS supports encryption for the selected instance type and the newer generation instances, such as m3, c3, cr1, r3, g2. It is not supported with a micro instance.

  • An application running on Amazon EC2 instances in an Auto Scaling group across multiple AZs was deployed using an AWS CloudFormation template. The SysOps team has patched the AMI version and must update all the EC2 instances to use the new AMI. The SysOps Admin can use CloudFormation to apply the new AMI while maintaining a minimum level of active instances to ensure service continuity by Set an AutoScalingUpdate policy in the CloudFormation template to update the stack.

  • A company is running a popular social media site on EC2 instances. The application stores data in an Amazon RDS for MySQL DB instance and has implemented read caching by using an ElastiCache for Redis (cluster mode enabled) cluster to improve read times. A social event is happening over the weekend, and the SysOps Admin expects website traffic to triple. To ensure improved read times for users during the social event, A SysOps Admin can Add shards to the existing Redis cluster.

  • Running a web-application on AWS consisting of the following components an ELB an Auto-Scaling Group of EC2 instances running Linux/PHP/Apache, and RDS MySQL. Security measures fall into AWS's responsibility is Protect against IP spoofing or packet sniffing.

  • A SysOps Admin is trying to set up an Amazon Route 53 domain name to route traffic to a website hosted on Amazon S3. The domain name of the website is and the S3 bucket name is anycompany-static. After the record set is set up in Route 53, the domain name does not seem to work, and the static website is not displayed in the browser. A cause of this is The S3 bucket name must match the record set name in Route 53. The name of the bucket must be
Last edited:


  • Design principles, A series of questions, and Six pillars are the components of the AWS Well-Architected Framework.

  • A Multi-AZ deployed DB is synchronous while read replicas are asynchronous.

  • Amazon CloudWatch use to monitor certain metrics of DBs and can set alarms when certain metrics/thresholds are reached.

  • Warm standby DR approach ensures that there is a scaled down, but fully functional, copy of production environment in another Region.

  • DB can be cost effective by Use read replicas and auto scaling.

  • Performance efficiency pillar of the AWS Well-Architected Framework features the 'go global in minutes' design principle.

  • Relational DBs use structured data due to their defined schemas.
    Semi-structured data or All other DBs listed would be considered to use nonrelational DBs,
    and unstructured data may be stored in object storage such as Amazon S3 like mp3 audio files, etc.

  • Amazon Neptune is a full-managed graph DB.

  • A ledger DB use if want a transparent, immutable, and cryptographically verifiable transaction log.

  • The reliability pillar features the 'stop guessing capacity' design principle.

  • Amazon MemoryDB purpose built DB service would choose to implement a fully managed, Redis compatible, durable primary DB solution.
    While Amazon Elasticache for Redis is Redis compatible, it generally requires a primary DB as it is an in-memory cache solution, while Amazon MemoryDB is not a cache.

  • A DB has a table which stores metadata of images as json documents categorize to Semi-structured.

  • Amazon Relational Database Service (Amazon RDS) can run several different engines such as Amazon Aurora, Oracle, PostgreSQL, etc.

  • AWS Schema Conversion Tool (AWS SCT) is recommended to use first for heterogeneous migrations, where migrate between different DB engines. It is designed to help manage migrations by estimating workloads and potential issues. In some cases it can even migrate schemas automatically.

  • The six pillars of the AWS Well-Architected Framework are Security, Reliability, Performance, Operational Excellence, Cost Optimization, and Sustainability.

  • Amazon Redshift is A fast, cloud-centered, fully managed, and secure data warehousing service that houses analytical data for use in complex queries, business intelligence reporting, and machine learning.

  • The Accounting department would like to receive billing updates more than once a month. They would like the updates to be in a format that can easily be viewed with a spreadsheet application. This request can be fulfilled by Set AWS Cost and Usage Reports to publish bills daily to an Amazon S3 bucket in CSV format.

  • A SysOps Admin is managing a large organization with multiple accounts on the Business Support plan all linked to a single payer account. The Admin wants to be notified automatically of AWS Personal Health Dashboard events.
    In the main payer account, the Admin configures Amazon CloudWatch Events triggered by AWS Health events to issue notifications using Amazon SNS, but alerts in the linked accounts failed to trigger. The alerts fail because The AWS Personal Health Dashboard only reports events from one account, not linked accounts.

  • A Virtual Private Cloud (VPC) is a virtual network dedicated to the user's AWS account. A user can create a subnet with VPC and launch instances inside that subnet. If the user has created a public private subnet, the instances in the public subnet can receive inbound traffic directly from the Internet, whereas the instances in the private subnet cannot. If these subnets are created with Wizard, AWS will create a NAT instance with an elastic IP. If the user is trying to delete the VPC it will not allow as the NAT instance is still running.

  • Amazon RDS supports SSL encryption for SQL Server DB instances. Using SSL, can encrypt connections between applications and SQL Server DB Instances. This is available for all the versions of Microsoft SQL Server.

  • A SysOps admin must run a script on production servers to fix an issue. The company has a policy to block all remote interactive access to production servers. Based on this situation, the admin should run the script by Configure the script to run as a cron job or scheduled task on the EC2 instances.

  • A SysOps Admin has an AWS Direct Connect connection in place in region us-east-1, between an AWS account and a data center. The Admin is now required to connect the data to a VPC in another AWS Region, us-west-2, which must have consistent network performance and low-latency. The MOST efficient and quickest way to establish this connectivity is Use Direct Connect gateway with the existing Direct Connect connection to connect to the Virtual Private Gateway of the VPC in region us-west-2.

  • A SysOps Admin receives a connection timeout error when attempting to connect to an Amazon EC2 instance from a home network using SSH. The Admin was able to connect to this EC2 instance SSH from their office network in the past. Cause the connection time out is The security group is not allowing inbound traffic from the home network on the SSH port.

  • A user has a refrigerator plant. The user is measuring the temperature of the plant every 15 mins. If the user wants to send the data to CloudWatch to view the data visually, with respect to the information given The user needs to use AWS CLI or API to upload the data.
    AWS CloudWatch supports the custom metrics. The user can always capture the custom data and upload the data to CloudWatch using CLI or APIs. While sending the data the user has to include the metric name, namespace, and timezone as part of the request.

  • A company's application running on Amazon EC2 Linux recently crashed because it ran out of available memory. Management wants to be alerted if this ever happens again. Steps will accomplish this are Create an:
    • Amazon CloudWatch dashboard to monitor the memory usage metrics on the instance over time.
    • alarm on the AWS Personal Health Dashboard that publishes an Amazon SNS notification to alert the CIO when the system is out of memory.
  • An S3 bucket ACL grantee can be an AWS account or one of the predefined Amazon S3 groups.
    The user can grant permission to an AWS account by the email address of that account or by the canonical user ID. If the user provides an email in the grant request, Amazon S3 finds the canonical user ID for that account and adds it to the ACL. The resulting ACL will always contain the canonical user ID for the AWS account, and not the AWS account's email address.

  • A company has deployed a NAT instance to allow web servers to obtain software updates from the internet. There is high latency on the NAT instance as the network grows. A SysOps Admin needs to reduce latency on the instance in a manner that is efficient, cost-effective, and allows for scaling with future demand. To accomplish this should Add a second NAT instance and place both instances behind a load balancer.

  • A company's audit shows that users have been changing cost-related tags on Amazon EC2 instances after deployment. The company has an organization in AWS Organizations with many AWS accounts.
    The company needs a solution to detect the EC2 instances automatically. The solution must require the least possible operational overhead. The solution meets these requirements is Use Service Control Policies (SCPs) to track EC2 instances that do not have the required tags.
Last edited:


  • Foreign key is used to create relationships between tables in a relational DB.

  • Structured Query Language (SQL) use to access data in a relational DB.

  • Amazon Aurora, Oracle DB, and PostgreSQL can Amazon RDS run.

  • Can create and modify Amazon RDS DB instances by using the AWS Command Line Interface (CLI), Amazon RDS Application Programming Interface (API), or the console.

  • PostgreSQL and MySQL DB engines are compatible with Amazon Aurora.
    Aurora is not compatible with Oracle DB, Microsoft SQL Server, or Spark SQL. However, can use the AWS Schema Conversion Tool (SCT) and AWS DB Migration Service (DMS) to convert and migrate content within these DBs to Aurora.

  • Amazon Aurora DB automatically maintains six copies of data across three AZs. Can have up to 15 read replicas and is managed by Amazon RDS.

  • Amazon ElastiCache service offers fully managed Redis and Memcached distributed memory caches.

  • Amazon Neptune stores data as nodes and the relationships between each node.

  • Amazon DocumentDB service sets up and scales MongoDB-compatible DBs to the cloud.

  • Table, Attribute, and Item are components of Amazon DynamoDB.

  • Amazon Athena service helps analyze data in Amazon S3 using standard Structured Query Language (SQL).

  • Amazon Redshift service acts as a datawarehouse and can access S3 data lakes.

  • A SysOps Admin is reviewing AWS Trusted warnings and encounters a warning for an S3 bucket policy that has open access permissions. While discussing the issue the bucket owner, the Admin realizes the S3 bucket is an origin for an Amazon CloudFront web distribution. To ensure that users access objects in Amazon S3 by using only CloudFront URLs the Admin should Create an origin access identity and grant it permissions to read objects in the S3 bucket.

  • A company wants to launch a group of Amazon EC2 instances that need to communicate with each other with the lowest possible latency. When launching these instances a SysOps admin should Launch instances in a cluster placement group with enhanced networking enabled.

  • A company has adopted a security policy that requires all customer data to be encrypted at rest. Currently, customer data is stored on a central Amazon EFS file system and accessed by a number of different applications from Amazon EC2 instances. To ensure that all customer data stored on the EFS file system meets the new requirement the SysOps Admin should Create a new encrypted EFS file system and copy the data from the unencrypted EFS file system to the new encrypted EFS file system.

  • Amazon RDS integrates with AWS IAM, a service that lets organization create users and groups under organization's AWS account and assign unique security credentials to each user.

  • A company has a web application that runs both on-premises and on Amazon EC2 instances.
    Over time, both the on-premises servers and EC2 instances begin crashing. A SysOps Admin suspects a memory leak in the application and wants a unified method to monitor memory utilization over time.
    The Admin can track both the EC2 memory utilization and on-premises server memory utilization over time by Use Amazon CloudWatch agent for both Amazon EC2 instances and on-premises servers to report MemoryUtilization metrics to CloudWatch and set a CloudWatch alarm for notifications.

  • Amazon RDS provides high availability and failover support for DB instances using Multi-AZ deployments. In a Multi-AZ deployment, Amazon RDS automatically provisions and maintains a synchronous standby replica in a different AZ. The primary DB instance is synchronously replicated across AZs to a standby replica to provide data redundancy, eliminate I/O freezes, and minimize latency spikes during system backups. Running a DB instance with high availability can enhance availability during planned system maintenance, and help protect DB against DB instance failure and AZ disruption. Note that the high-availability feature is not a scaling solution for read-only scenarios; cannot use a standby replica to serve read traffic. To service read-only traffic, should use a read replica.

  • A company using AWS Organizations requires that no Amazon S3 buckets in its production accounts should ever be deleted. The SIMPLEST approach the SysOps Admin can take to ensure S3 buckets in those accounts can never be deleted is Use SCPs to deny the s3: DeleteBucket action on all buckets in production accounts.

  • An application team is using Remote Desktop to connect to its application server and perform admin tasks. After deployment a Windows service an existing subnets, the team discovers that it is unable to communicate with the new servers. A SysOps Admin has obtained the VPC logs as shown in the teble related to the communication to help troubleshooting the problem.

  • Version​
    account id​
    interface id​
    log status​
This issue can be resolved by Ensures that the RDP service and Windows firewall are open and listening on Port 3389 TCP.​
  • A SysAdmin has created the below mentioned policy on an S3 bucket named cloudacademy.
    "Statement": [{
        "Sid": "stmt2499922170942",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": ["s3:GetObjectAcl", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::cloudacademy]
    It will give an error as no object is defined as part of the policy while the account defines the rule about the object.

  • An application maintain consists of multiple EC2 instances in a default tenancy VPC.
    This application has undergone an internal audit has been determined to require dedicated hardware for one instance.
    Compliance team has given a week to move this instance to single-tenant hardware.
    Process will have minimal impact on application while complying with this requirement is Stop the intance, create an AMI, launch a new instance with tenancy=dedicated, and terminate the old instance.
    Cannot change the tenancy of a default instance after have launched it.
    Can change the tenancy of an instance from 'dedicated' to 'host' after have launched it, and vice versa.

  • A company has an application running on a fleet of Microsoft Windows instances. Patches to the OS need to be applied each month. AWS Systems Manager Patch Manager is used to apply the patches on a schedule.
    When the fleet is being patched, customers complain about delayed service responses. To ensure patches are deployed with MINIMAL customer impact can Configure the maintenance window to patch 10% of the instance in the patch group at a time.
Last edited:


  • A business is currently running their inventory management on premises, but is looking to move into the cloud for increased performance and scalability. >
    For OnLine Transaction Processing (OLTP), and OnLine Analytical Processing (OLAP), DBs using row-based indexing, there is Amazon RDS. Now, this service streamlines setting up, operating, and scaling a relational DB in the cloud. The service provides cost-efficient and scalable capacity while automating many time-consuming admin tasks, such as HW provisioning, DB setup, patching, and backups.

  • A business running a gaming website is noticing that their DB is running slowly because of how rapidly they are growing. >
    Can use Amazon ElastiCache to support data-intensive apps or improve the performance of existing apps by retrieving data from high throughput and low latency in-memory data stores. It's a popular choice for gaming, advertising technology (ad tech), financial service, healthcare, and Internet of Things (IoT) apps. This service offers fully managed Redis and Memcached cache engines.

  • A business needs a solution that lets DB engineers focus their time on customer-facing features instead of routine DB maintenance and administration. >
    Amazon Aurora is a relational DB engine managed by Amazon RDS. It combines the speed and reliability of high-end commercial DBs with the simplicity and cost-effectiveness commonly associated with open-source DB. It's designed to eliminate unneccessary in/output operations to reduce costs and ensure that resources are available for serving read/write traffic. Compute and memory are automatically scaled.

  • A business needs a DB that can rapidly gather customer (shopping cart) data. >
    Amazon DynamoDB can handle more than 10 trillion requests per day and support peaks of more than 20 million requests per second. More than 100,000 AWS customers have chosen its as their key-value DB for mobile, web, gaming, ad tech, IoT, and other applications that need low-latency data access at any scale. It supports Atomicity, Consistency, Isolation, Durability (ACID)-compliant transactions.

  • A business needs a way to load data into a warehouse and archive in storage so they can manage costs. >
    Amazon Redshift uses machine learning, massively parallel query execution, and columnar storage on high-performance disks. Can set up and deploy a new data warehouse in minutes. Run queries across petabytes of data in its data warehouse and exabytes of data directly from data lake built on Amazon S3 with Amazon Redshift Spectrum.

  • A business is working to develop an e-commerce app that specializes in fraud detection. The business needs a solution that can provide near real-time detection of patterns that are defined as suspicious and indicate known fraud activity. >
    Amazon Neptune is a fast, reliable, fully managed graph DB service that makes it easy to build and run applications that work with highly connected datasets used to discover potential fraudulent behavior before it happens. Use cases include social networking, recommendation engines, fraud detection, knowledge graphs, drug discovery, and network security.

  • A business is storing online profiles in which different users provide different types of information. The business is already using MongoDB, but wants to migrate to the cloud. >
    Amazon DocumentDB (with MongoDB compatibility) can run the same application code and use the same drivers and tools that use with MongoDB. It's used for storing semi-structured data as a document, rather than normalizing data across multiple tables, each with a unique and fixed structure, as in a relational DB. Use nested key-value pairs to provide the document's schema.

  • Server-based architecture should be used for
    • tasks that are predictable and compute resources will be in constant use.
    • application requires long-running computations.
  • Serverless architecture should be used for applications that:
    • require no system admin or capacity provisioning use.
    • experience high traffic volumes and require scalability use.
    • Only pay for what use.
    • There is zero server maintenance.
  • Relational DBs rely on tables, fields, and records to hold data.

  • An organization is running multiple applications for their customers. Each application is deployed by running a base AWS CloudFormation template that configures a new VPC. All applications are run in the same AWS account and AWS Region. A SysOps Admin has noticed that when trying to deploy the same AWS CloudFormation stack, it fails to deploy. The problem likely to be The account has reached the default limit for VPCs allowed. The default VPC Limitation per region is 5.

  • Amazon Simple Notification Service (SNS) is a fast, flexible, fully managed push/pub/sub messaging service. It's simple and cost-effective to push to mobile devices such as iPhone, Android, Kindle Fire, and internet connected smart devices, as well as pushing to other distributed services.

  • An S3 bucket ACL grantee can be an AWS account or one of the predefined Amazon S3 groups.
    Amazon S3 has a set of predefined groups. When granting account access to a group, the user can specify one of the URLs of that group instead of a canonical user ID.
    AWS S3 has the following predefined groups:
    • Authenticated Users group: It represents all AWS accounts.
    • All Users group: Access permission to this group allows anyone to access the resource.
    • Log Delivery group: WRITE permission on a bucket enables this group to write server access logs to the bucket.
  • A user has configured Auto Scaling with 3 instances. The user had created a new AMI after updating one of the instances.
    If the user wants to terminate two specific instances to ensure that Auto Scaling launches an instances with the new launch configuration, should run:
    • as-terminate-instance-in-auto-scaling-group <Instance ID> -> will terminate the specific instance ID.
    • --no-decrement-desired-capacity -> to ensure that it launches a new instance from the launch config after terminating the instance.

    • --decrement-desired-capacity -> Auto Scaling will terminate the instance and decrease the desired capacity by 1.
  • A user wants to make so that whenever the CPU utilization of the AWS EC2 instance is above 90%, the redlight of his bedroom turns on. AWS CloudWatch + AWS SNS are helpful for this purpose.
    Amazon SNS can deliver notifications by SMS text message or email to the Amazon SQS queues or to any HTTP endpoint. The user can configure some sensor devices at his home which receives data on the HTTP end point (REST) calls and turn on the red light. The user can configure the CloudWatch alarm to send a notification to the AWS SNS HTTP end point (the sensor device) and it will turn the light red when there is an alarm condition.

  • Malicious traffic is reaching company web servers from a single IP address located in another country. The SysOps Admin is tasked with blocking this IP address. The Admin should implement the restriction by Edit the network Access Control List (ACL) for the web server subnet and add a deny entry for the IP address.
    Need to restrict one IP so Geo restriction can't use and can't deny traffic for one IP in Security Group.

  • A company has 50 AWS accounts and wants to create an identical Amazon VPC in each account. Any changes the company makes to the VPCs in the future must be implemented on every VPC. The SIMPLEST method to deploy and update the VPCs in each account is Create an AWS CloudFormation template that defines the VPC. Create an AWS CloudFormation StackSet based on the template, then deploy the template to all accounts using the stack set.
Last edited:


  • A user has configured a VPC with a new subnet. The user has created a security group and wants to configure that instances of the same subnet communicate with each other. The user should Configure the security group itself as the source and allow traffic on all the protocols and ports.
    AWS provides two features that the user can use to increase security in VPC: security groups and network ACLs. Security groups work at the instance level. If the user is using the default security group it will have a rule which allows the instances to communicate with other. For a new security group the user has to specify the rule, add it to define the source as the security group itself, and select all the protocols and ports for that source.

  • A Systems Admin is planning to deploy multiple EC2 instances within two separate AZs in the same AWS Region. The instances cannot be exposed to the Internet, but must be able to exchange traffic between one another. The data does not need to be encrypted. Solution meets these requirements while maintaining the lowest cost is Create two private subnets within the same VPC. Communicate between instances using their private IP addresses.

  • Amazon S3 provides Scalable Storage in the Cloud. Amazon S3 is object storage with a simple web service interface to store and retrieve any amount of data from anywhere on the web. It is designed to deliver 99.999999999% (11 9's) durability, and scale past trillions of objects worldwide.

  • An errant process is known to use in an entire processor and run at 100%. A SysOps Admin wants to automate restarting the instance once the problem occurs for more than 2 mins. This can be accomplished by Create a CloudWatch alarm for the EC2 instance with detailed monitoring. Enable an action to restart the instance.
    Using Amazon CloudWatch alarm actions, can create alarms that automatically stop, terminate, reboot, or recover instances. Can use the stop or terminate actions to help save money when no longer need an instance to be running. Can use the reboot and recover actions to automatically reboot those instances or recover them onto new hardware if a system impairment occur.

  • An organization stores sensitive customer information in S3 buckets protected by bucket policies. Recently, there have been reports that unauthorized entities within the company have been trying to access the data on those S3 buckets. The Chief Information Security Officer (CISO) would like to know which buckets are being targeted and determine who is responsible for trying to access that information. Steps should a SysOps Admin take to meet the CISO's requirement are Enable Amazon S3 Server Access Logging on all affected S3 buckets and have the logs stored in a bucket dedicated for logs. And Use Amazon Athena to query S3 Server Access Logs for HTTP 403 errors, and determine the IAM user or role making the requests.

  • A SysOps Admin launched an Amazon EC2 instance and received a message that the service limit was exceeded for that instance type. To ensure that EC2 instances can be launched the Admin should Open a case with AWS Support requesting an increase of the EC2 instance limit.

  • Only the below services provide full administrative privileges / Root level access:
    • EC2
    • Elastic Beanstalk
    • Elastic MapReduce - Master Node
    • Opswork
  • A company has an AWS account for each department and wants to consolidate billing and reduce overhead. The company wants to make sure that the finance team is denied from accessing services other than Amazon EC2, the security team is denied from accessing services other than AWS CloudTrail, and IT can access any resource. Solition meets these requirements with the LEAST amount of operational overhead is Implement service contol policies within AWS Organizations to determine which resources each department can access.

  • A user has set the Alarm for the CPU utilization > 50%. Due to an internal process, the current CPU utilization will be 80% for 6 hours. The user can ensure that the CloudWatch alarm does not perform any action by disable the alarm using the DisableAlarmActions API or mon-disable-alarm-actions.
    Can enable using EnableAlarmActions API or mon-enable-alarm-actions commands.

  • In a Hardware Security Module (HSM), To reduce the risk of confidential data theft is the function of a Transparent Data Encryption (TDE) by encrypting sensitive data.

  • Mission is to create a lights-out datacenter environment, and plan to use AWS OpsWorks to accomplish this.
    First created a stack and added an App Server layer with an instance running in it.
    Next added an application to the instance, and now need to deploy a MySQL RDS DB instance.
    To add a backend DB server to an OpsWorks stack should:
    • Add a new DB layer and then add recipes to the deploy actions of the DB and App Server layers.
    • The variables that characterize the RDS DB connection--host, user, and so on--are set using the corresponding values from the deploy JSON's [:deploy][:app_name][:database] attributes.
    • Set up the connection between the app server and the RDS layer by using a custom recipe.
      The recipe configures the app server as required, typically by creating a configuration file.
      The recipe gets the connection data such as the host and DB name from a set of attributes in the stack configuration and deployment JSON that AWS OpsWorks installs on every instance.
  • Can graph several metrics over time on the same graph. The user can select metrics such as CPU utilization in % and Network I/O in bytes across resources and graph them on a single graph. It is not required that they should be of the same instance. They can be of different instances with the same AMI or based on some other dimension. Can filter records and plot them all on the same graph.

  • A SysOps Admin is responsible for a legacy, CPU-heavy application. The application can only be scaled vertically. Currently, the application is deployed on a single t2.large Amazon EC2 instance. The system is showing 90% CPU usage and significant performance latency after a few minutes. Change should be made to alleviate the performance problem is Upgrade to a compute-optimized instance.

  • Amazon EC2 supports the following storage options:
    • Amazon Elastic Block Store (EBS)
    • Amazon EC2 Instance Store
    • Amazon Simple Storage Service (S3)
  • A company with dozens of AWS accounts wants to ensure that governance rules are being applied across all accounts. The CIO has recommended that AWS Config rules be deployed using an AWS CloudFormation template. These requirements should be met by Create a CloudFormation stack in the master account of AWS Organizations and execute the CloudFormation template to create AWS Config rules in all accounts.

  • A company is concerned about a security vulnerability impacting its Linux operating system. To alleviate this concern the SysOps Admin should Patch the Linux operating system using AWS Systems Manager.

  • A company has a web application that is deployed in a VPC. Inbound traffic to this web application comes in through an internet gateway and arrives at a Network Load Balancer (NLB).
    From there, the traffic travels to multiple Amazon EC2 instances in two private subnets. The company wants to perform deep packet inspection on the inbound traffic to identify potential hacking attempts. Solution meets these requirements is Set up Traffic Mirroring on an inbound port of the NLB.

  • A sys admin is maintaining an application on AWS. The application is installed on EC2 and user has configured ELB and Auto Scaling. Considering future load increase, the user is planning to launch new servers proactively so that they get registered with ELB. The user can add these instances with Auto Scaling by Increase the desired capacity of the Auto Scaling group.
Last edited:


วันนี้เรามาดูวิธีการปรับขนาด AWS EC2 แบบอัตโนมัติ (Autoscaling) กันนะคับ ว่าคืออะไร มีประโยชน์อย่างไร:
การปรับขนาดแบบอัตโนมัตินั้น ช่วยให้ตัว Application ยังคงมีประสิทธิภาพตามความต้องการของผู้ใช้งาน ด้วยราคาที่ต่ำที่สุดนั่นเอง (Cost Optimization) ไม่ต้อง Deploy Application ทุกครั้งเมื่อมีการเพิ่ม Server เข้ามา และเมื่อมีการปรับขนาดจะมีการแจ้งเตือนไปยัง Email หรือโทรศัพท์อีกด้วย

  • By default, a load balancer routes each request independently to the registered instance with the smallest load. However, can use the sticky session feature (also known as session affinity), which enables the load balancer to bind a user's session to a specific instance. This ensures that all requests from the user during the session are sent to the same instance.

  • A user is receiving a notification from the RDS DB whenever there is a change in the DB security group. The user does not want to receive these notifications for only a month.
    Thus, he does not want to delete the notification. The user can configure this by Change the Enable radio button for notification to 'No' in the RDS console or by setting the Enabled parameter to false using the CLI or Amazon RDS API.
    Amazon RDS uses the Amazon Simple Notification Service (SNS) to provide a notification when an Amazon RDS event occurs. Event notifications are sent to the addresses that the user has provided while creating the subscription. The user can easily turn off without deleting a subscription.

  • A user creates an Auto Scaling group from the Amazon AWS Console and assigned a tag with a key of 'environment' and a value of 'Prod'. The user can assign tags to instances launched in the Auto Scaling group, to organize and manage them.
    Can organize and manage Auto Scaling groups by assigning own metadata to each group in the form of tags. Specify a key and a value for each tag. A key can be a general category, such as 'project', 'owner', or 'environment', with specific associated values.
    By default, the instance will have a tag with the key as 'aws:autoscaling.groupName' and the value as the name of the group.

  • VPC allows the user to set up a connection between his VPC and corporate or home network data centre. If the user has an IP address prefix in the VPC that overlaps with one of the networks' prefixes, any traffic to the network's prefix is dropped. For example, the user's data centre has CIDR of falls in the VPC's CIDR range of Thus, it will not allow traffic on that IP.
Last edited:


วันนี้เรามาดูในส่วนของ Streaming กันบ้าง
สถาปัตยกรรมการ Stream ข้อมูลสมัยใหม่เป็นยังไง?

สถาปัตยกรรมการ Stream ข้อมูลที่ทันสมัยช่วยให้เรานำเข้า, ประมวลผล, และวิเคราะห์ข้อมูลความเร็วสูงปริมาณมากจากแหล่งที่มาที่หลากหลายแบบ Real-time เพื่อสร้างประสบการณ์ตอบสนองลูกค้าที่ชาญฉลาดมากขึ้น สถาปัตยกรรมข้อมูลการ Stream สมัยใหม่สามารถออกแบบเป็น Stack ของ Logical Layer 5 ชั้น โดยแต่ละ Layer จะประกอบด้วยส่วนประกอบที่สร้างขึ้นตามวัตถุประสงค์หลายๆ อย่าง เพื่อตอบสนองความต้องการแบบเฉพาะเจาะจง Diagram ด้านล่างนี้จะแสดงสถาปัตยกรรมข้อมูลการ Stream สมัยใหม่

โดยจะมีส่วนประกอบหลักๆ ดังนี้:

  • แหล่งที่มา - แหล่งที่มาของข้อมูลการ Stream จะประกอบด้วยแหล่งข้อมูลต่างๆ เช่น Sensor, social media, อุปกรณ์ IoT, File Log ที่สร้างขึ้นโดย Web และ Application บนมือถือ, อุปกรณ์เคลื่อนที่ที่สร้างข้อมูลกึ่งโครงสร้าง และไม่มีโครงสร้างที่เป็น Stream ต่อเนื่องความเร็วสูง

  • การนำเข้า Stream - Layer การจัดเก็บ Stream ที่สามารถปรับขนาดได้และคุ้มค่า เพื่อจัดเก็บข้อมูลการ Stream โดยที่ข้อมูลการ Stream สามารถจัดเก็บไว้ตามลำดับที่ได้รับมา ตามระยะเวลาที่กำหนด และสามารถเล่นซ้ำได้ไม่จำกัดในช่วงเวลานั้น

  • ที่เก็บข้อมูล Stream - Layer การนำเข้า Stream มีหน้าที่นำเข้าข้อมูลไปยัง Layer ที่เก็บข้อมูล Stream จะมีความสามารถในการรวบรวมข้อมูลจากแหล่งข้อมูลนับหมื่นและนำเข้าในเวลาใกล้เคียง Real-time
Last edited: