AWS Certified Solutions Architect Associate quiz: doubts and solutions — Part 1

MayBeMan
7 min read · Apr 9, 2024


While preparing for the certification exam, I constantly encounter a series of challenges and uncertainties during the preparatory quizzes. These quizzes are an essential part of my learning journey, yet they can also be a source of confusion when it comes to selecting the correct answer among the options provided.

I will share with you the most common doubts that have arisen during my quizzes, along with the strategies and answers that I have found helpful in successfully overcoming them. I hope this guide proves useful to you on your path toward achieving the AWS Solutions Architect Associate certification.

IAM roles vs. IAM users

In AWS, both are tools for managing access and permissions to resources in your AWS account. However, there are some key differences between the two and situations in which it is preferable to use one or the other:

  • IAM users are permanent identities associated with people or services.
    They are used when you need to provide persistent access to a specific individual or application.
    They are ideal for situations where you need to maintain granular control over who has access to what resources, such as when it comes to access to specific databases or APIs.
  • IAM roles are temporary identities with access privileges that can be assigned to users, services or resources.
    They are used when you want to temporarily grant access to other resources or services, such as an application on an EC2 server that needs access to an S3 bucket.
    They allow you to avoid having to manage and store access credentials, since they can be associated with EC2 instances, Lambda functions, or users to temporarily gain the necessary permissions.

You can also combine IAM users and IAM roles, such as granting IAM users access to certain IAM roles to perform specific tasks.
In general, it is advisable to follow the principle of “least privilege” and grant only the permissions necessary to perform a specific task.

AWS IAM | AWS Cheat Sheet (digitalcloud.training)

DynamoDB Global Table vs. Amazon Aurora Global DB

  • DynamoDB Global Tables are excellent for applications that require high scalability and availability on a global scale. They can handle very high peak loads and provide low latency for data accesses around the world.
  • Amazon Aurora Global Database is an ideal solution for applications that require high performance and ACID transactions. Aurora is designed to provide performance similar to that of a traditional database such as MySQL or PostgreSQL, with the ability to scale flexibly as needed.
  • DynamoDB is a NoSQL database, good for applications with flexible data schemas and horizontal scalability. It is particularly suitable for use cases that require high availability and management of large volumes of semi-structured data.
  • Aurora is a MySQL- and PostgreSQL-compatible relational database, ideal for applications with rigid and complex data schemas that require complex transactions, joins and advanced SQL queries.
  • DynamoDB Global Tables offer eventual consistency across regions, which means that data changes are propagated asynchronously across regions, with a slight delay. This may be acceptable for many distributed applications.
  • Amazon Aurora Global Database provides synchronous replication of data between regions, ensuring strict consistency between data in all regions. This may be important for applications that require immediate consistency across regions.
Amazon DynamoDB | AWS Cheat Sheet (digitalcloud.training)
Amazon Aurora | AWS Cheat Sheet (digitalcloud.training)

In-memory data stores that can be used to store data in memory for fast accesses and low latency

  • Amazon ElastiCache is a fully managed caching service that supports two main caching engines: Redis and Memcached. Both are great for storing data in memory and offer high performance for read and write operations. Redis is particularly powerful because of its data persistence features, advanced data structures, and support for replication and clustering.
  • Amazon DynamoDB Accelerator (DAX) is a fully managed caching service that serves as a caching layer for Amazon DynamoDB. Using DAX, you can improve query performance on DynamoDB by reducing latency and increasing scalability. DAX uses an in-memory architecture to store DynamoDB tables and responds to queries very quickly.

Although not technically an in-memory data store, Amazon Aurora Serverless offers a suspend mode that can keep data in memory between suspensions. This is useful for applications that require high performance but can tolerate slightly higher latency during idle periods.

Deploy Amazon ElastiCache for Redis using AWS CDK | AWS Database Blog
DAX and DynamoDB consistency models — Amazon DynamoDB

AWS serverless solutions for real-time data streaming

Amazon Kinesis is a fully managed data streaming service that enables real-time data streams to be collected, processed and analyzed. Kinesis offers three main types of data streams:

  • Kinesis Data Streams for managing large-volume real-time data streams. USE WHEN the question talks about clickstream events.
  • Kinesis Data Firehose for easily loading data into Amazon S3, Redshift, Elasticsearch or other services without having to write application code.
  • Kinesis Data Analytics for real-time data processing using standard SQL.
What’s the difference between kinesis firehose and Kinesis stream? · Issue #10 · ravsau/aws-exam-prep · GitHub

AWS Lambda is a serverless computing service that allows you to run code without having to manage the underlying infrastructure. You can use Lambda to process data from real-time data streams such as Kinesis. For example, you can write a Lambda function to process Kinesis records and send the results to a database or other AWS services.
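As an added example (not code from the original post), here is a Lambda handler that consumes a Kinesis batch: records arrive base64-encoded, a malformed record is reported back for retry instead of failing the whole batch, and the per-page counts stand in for whatever a real function would write to a database. The event below is constructed; the sequence numbers are made up.

```python
import base64
import json

# Constructed Kinesis event in the shape Lambda receives from an event source mapping:
# two valid clickstream records and one malformed record.
SAMPLE_EVENT = {
    "Records": [
        {"kinesis": {"sequenceNumber": "1",
                     "data": base64.b64encode(b'{"user":"u1","page":"/home"}').decode()}},
        {"kinesis": {"sequenceNumber": "2",
                     "data": base64.b64encode(b'not json').decode()}},
        {"kinesis": {"sequenceNumber": "3",
                     "data": base64.b64encode(b'{"user":"u2","page":"/cart"}').decode()}},
    ]
}


def decode_record(record: dict) -> dict:
    """Kinesis payloads are base64-encoded; decode and parse the JSON clickstream event."""
    raw = base64.b64decode(record["kinesis"]["data"])
    return json.loads(raw)


def handler(event: dict, context=None) -> dict:
    """Lambda entry point: counts page views per page and lists the records that
    could not be processed. Returning batchItemFailures makes Kinesis retry only
    those records when the event source mapping has ReportBatchItemFailures enabled."""
    page_views = {}
    failures = []
    for record in event["Records"]:
        try:
            click = decode_record(record)
            page_views[click["page"]] = page_views.get(click["page"], 0) + 1
        except (ValueError, KeyError):
            # ValueError covers bad base64 and bad JSON; KeyError covers a missing field.
            failures.append({"itemIdentifier": record["kinesis"]["sequenceNumber"]})
    # A real function would write page_views to DynamoDB or another store here.
    return {"pageViews": page_views, "batchItemFailures": failures}


if __name__ == "__main__":
    print(json.dumps(handler(SAMPLE_EVENT), indent=2))
```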

Increasing real-time stream processing performance with Amazon Kinesis Data Streams enhanced fan-out and AWS Lambda | AWS Compute Blog

If you want to expose an API for real-time data access, you can use API Gateway in conjunction with Lambda to create RESTful APIs or WebSockets. This can be useful for allowing client applications to access real-time data via HTTP API or WebSocket.

Services to implement geo-restriction on your applications in AWS

  • CloudFront, the AWS CDN service, can be used to distribute content around the world. You can configure CloudFront to apply restrictions based on users’ geographic location, allowing or denying access based on their country of origin.
  • WAF is a Web application firewall that can be combined with Application Load Balancers and Classic Load Balancers to protect your Web applications from common attacks such as SQL injection and cross-site scripting (XSS). You can use WAF to set up security rules that restrict access to your application by certain IP addresses or blocks of IP addresses.
How to use AWS WAF to filter incoming traffic from embargoed countries | AWS Security Blog (amazon.com)
  • Amazon Route 53 is AWS’s DNS service that offers geolocation-based routing capabilities. You can configure Route 53 to redirect users to different versions or resources of your application based on their geographic location.
Amazon Route 53: Why You Should Consider DNS Migration (cloudacademy.com)

Monitoring and logging features

  • AWS CloudTrail logs every action performed on an AWS account. It monitors and logs API calls made through the AWS management console, AWS command-line interface (CLI), AWS SDKs, Web service requests, and so on. CloudTrail is widely used for security and compliance. It provides a comprehensive audit trail of activities performed on AWS services, enabling users to track changes to the infrastructure, detect suspicious behavior, and meet compliance requirements.
  • Amazon CloudWatch is a monitoring and observability service that enables users to collect and track metrics, create alerts, and gain operational visibility into AWS resources and applications. CloudWatch is used to monitor the performance of AWS services by collecting and displaying metrics such as CPU utilization, network traffic, queue size, database requests, etc. These metrics can be used to optimize resources, detect performance issues, and automatically scale resources as needed.
  • When to use them together: CloudTrail and CloudWatch can be used together to get a complete view of the activity and performance of your AWS environment. For example, CloudTrail can be used to track who created or modified a resource while CloudWatch can be used to monitor the real-time performance of that resource.

You can configure CloudTrail to send logs to Amazon S3 and also deliver them to Amazon CloudWatch Logs, where you can analyze them in real time and create custom metrics or trigger alarms based on certain events.
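An added example (not from the original post) of the kind of "suspicious behavior" detection the text describes, run over constructed CloudTrail records: a root console login (with or without MFA) and any call that tampers with CloudTrail logging itself are flagged. The records, account id and IP addresses are made up; the field names follow the CloudTrail event format.

```python
import json
from typing import Optional

# Constructed CloudTrail records; values are made up, field names follow the CloudTrail format.
SAMPLE_RECORDS = [
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "Root"}, "sourceIPAddress": "203.0.113.10",
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}, "sourceIPAddress": "198.51.100.7"},
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/AppRole/i-0abc"},
     "sourceIPAddress": "198.51.100.8"},
]

# Calls that change or stop the audit trail itself are worth an alarm on their own.
LOGGING_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def classify(record: dict) -> Optional[str]:
    """Return an alert label for a suspicious record, or None if it looks routine.
    The root-login check is the same test you would express as a CloudWatch Logs
    metric filter: { ($.eventName = "ConsoleLogin") && ($.userIdentity.type = "Root") }"""
    identity = record.get("userIdentity", {})
    if record.get("eventName") == "ConsoleLogin" and identity.get("type") == "Root":
        mfa = record.get("additionalEventData", {}).get("MFAUsed")
        return "root-console-login" + ("-no-mfa" if mfa == "No" else "")
    if (record.get("eventSource") == "cloudtrail.amazonaws.com"
            and record.get("eventName") in LOGGING_TAMPER_EVENTS):
        return "cloudtrail-tampering"
    return None


def scan(records: list) -> list:
    """Run classify over a batch and return alerts with the fields an analyst needs first."""
    alerts = []
    for r in records:
        label = classify(r)
        if label:
            identity = r.get("userIdentity", {})
            alerts.append({"alert": label, "eventName": r["eventName"],
                           "actor": identity.get("userName") or identity.get("type"),
                           "sourceIP": r.get("sourceIPAddress")})
    return alerts


if __name__ == "__main__":
    print(json.dumps(scan(SAMPLE_RECORDS), indent=2))
```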

Distinguishing AWS CloudTrail, CloudWatch, and Config | by Gabriel Varaljay | trendfingers | Medium

In summary, CloudTrail logs AWS account activity for security and compliance purposes, while CloudWatch is used to monitor the performance of AWS resources and applications. By combining them, you can gain comprehensive visibility and more robust controls over your cloud environment.


MayBeMan

Technician specialized in the security of electronic payment systems. Crypto supporter.