☁️ AWS Solutions Architect Associate Interview Guide

Answer: AWS is responsible for security "of" the cloud (infrastructure, hardware, software, networking, facilities), while customers are responsible for security "in" the cloud (data encryption, IAM, OS patches, network traffic protection, guest OS).

Answer: Grant users, groups, and roles only the minimum permissions necessary to perform their job functions. Start with no permissions and gradually add only what's needed, regularly review and remove unnecessary permissions.

• Users: Individual identities for people/applications
• Groups: Collections of users with shared permissions
• Roles: Temporary credentials that can be assumed by users, services, or external identities for specific tasks

Answer: AWS Security Token Service provides temporary security credentials. Used for cross-account access, federation, role switching, and providing temporary access to applications without embedding long-term credentials.

Answer: SCPs are JSON policies that define maximum permissions for accounts in an organization. They act as guardrails, limiting what actions can be performed regardless of IAM permissions within member accounts.

Answer: Centralized identity service that enables single sign-on access to multiple AWS accounts and cloud applications. Integrates with external identity providers and provides centralized permission management.

Answer: Identity policies are attached to users/roles/groups and define what they can do. Resource policies are attached to resources and define who can access them. Use resource policies for cross-account access and when you need resource-centric control.

Answer: Enable MFA in IAM console, choose virtual MFA device, hardware MFA device, or SMS. Scan QR code with authenticator app, enter two consecutive codes to verify. Root user MFA is critical for account security.

Answer: Allows users in one AWS account to access resources in another. Implement using IAM roles with trust policies that allow the external account to assume the role, then attach permission policies to the role.

Answer: Provides pre-configured guardrails, centralized logging, automated account provisioning, and compliance monitoring across multiple AWS accounts using best practices and organizational policies.

Answer: Inbound and outbound rules specifying protocol (TCP/UDP/ICMP), port range, and source/destination (IP addresses, CIDR blocks, or other security groups). Security groups are stateful - return traffic is automatically allowed.

Answer: Use multiple subnets (public for internet-facing resources, private for internal resources), implement security groups and NACLs, use VPC endpoints for AWS services, and implement proper routing tables.

Answer: Web Application Firewall that protects web applications from common exploits like SQL injection, XSS, and DDoS. Use with CloudFront, ALB, or API Gateway to filter malicious traffic before it reaches your application.

Answer: Provides user authentication, authorization, and user management. Supports user pools for authentication, identity pools for authorization, and integrates with social identity providers and SAML.

Answer: Allow private connectivity to AWS services without internet gateway. Interface endpoints use private IP addresses, Gateway endpoints route traffic through route tables. Traffic stays within AWS network, reducing exposure.

• AWS VPN: Encrypted connections over internet
• AWS Direct Connect: Dedicated private connections
• AWS PrivateLink: Private connectivity to AWS services

Answer: Threat detection service using machine learning to monitor for malicious activity and unauthorized behavior. Analyzes VPC Flow Logs, DNS logs, and CloudTrail logs to identify threats.

Answer: Uses machine learning to automatically discover, classify, and protect sensitive data (PII, PHI) in S3. Provides visibility into data security risks and compliance status.

• Encryption at rest: Data stored on disk
• Encryption in transit: Data moving between systems
• Client-side encryption: Data encrypted before sending to AWS

AWS provides various services like KMS, CloudHSM, and SSL/TLS certificates.

Answer: Key Management Service for encryption key management.

• Customer managed keys: Full control
• AWS managed keys: AWS controls
• AWS owned keys: Used by AWS services

Supports key rotation and policies.

Answer: When you need dedicated hardware security modules for regulatory compliance, want exclusive control over encryption keys, or need to integrate with applications requiring PKCS#11, JCE, or Microsoft CryptoNG libraries.

• Use TLS/SSL certificates (AWS Certificate Manager)
• VPN connections
• AWS PrivateLink
• Application-level encryption

Ensure all communication channels are encrypted end-to-end.

Answer: Service to provision, manage, and deploy SSL/TLS certificates. Provides free certificates for AWS services, automatic renewal, and integration with ELB, CloudFront, and API Gateway.

• Use AWS Backup for centralized backup
• S3 cross-region replication
• RDS automated backups and read replicas
• EBS snapshots
• Implement appropriate retention policies based on compliance requirements

Answer: Rules that automatically transition objects between storage classes or delete them based on age, tags, or other criteria. Helps optimize costs while maintaining data availability and compliance.

• Enable automatic key rotation in KMS (annual rotation)
• Implement manual rotation procedures for customer-managed keys
• Update applications to use new keys
• Maintain audit trails of key usage

Answer: Process of categorizing data based on sensitivity, value, and regulatory requirements. AWS Config and Macie help automate discovery and classification of sensitive data across AWS resources.

• Use S3 lifecycle policies
• RDS automated backup retention
• Implement legal hold capabilities
• Create secure deletion procedures
• Ensure compliance with regulations like GDPR for data retention periods

Answer: Components interact through well-defined interfaces with minimal dependencies. Important for scalability, fault tolerance, and maintainability. Achieved through message queues, load balancers, and microservices architecture.

Answer: Message queue service that decouples components by allowing asynchronous communication. Messages are stored reliably until consumed, enabling independent scaling and failure isolation between producers and consumers.

• SNS: Pub/sub messaging to multiple subscribers (fan-out), push notifications, real-time messaging
• SQS: Decoupling components, job queues, pull-based message consumption

Benefits:

• Independent scaling
• Technology diversity
• Fault isolation
• Faster development

Challenges:

• Increased complexity
• Network overhead
• Data consistency
• Service discovery
• Monitoring complexity

Answer: Event-driven compute service that runs code without managing servers. Automatically scales, charges only for execution time, integrates with many AWS services, and supports multiple programming languages.

Answer: Lightweight, portable units that package applications with dependencies. Use for consistent deployment across environments, microservices, modernizing legacy applications, and achieving better resource utilization.

Answer: Regions are geographic locations with multiple AZs. AZs are isolated data centers within a region with independent power, cooling, and networking. Design across multiple AZs for high availability.

• RTO (Recovery Time Objective): Maximum acceptable time to restore service
• RPO (Recovery Point Objective): Maximum acceptable data loss measured in time

These metrics drive DR strategy selection.

• Deploy resources across multiple AZs
• Use load balancers to distribute traffic
• Implement health checks
• Use managed services that provide multi-AZ capabilities (RDS Multi-AZ, ELB)

• Use services with built-in replication (S3, RDS)
• Implement cross-region backups
• Design for eventual consistency where appropriate
• Implement proper backup and recovery procedures

Choose based on access patterns, durability requirements, and cost optimization.

Choose based on IOPS, throughput, and cost requirements.

Answer: Consider workload requirements:

• C5: CPU-intensive workloads
• R5: Memory-intensive workloads
• I3: Storage-optimized workloads
• M5: General purpose workloads

Use tools like Compute Optimizer for recommendations based on utilization patterns.

Answer: MySQL/PostgreSQL-compatible relational database.

Benefits:

• 5x better performance than MySQL
• Automatic scaling storage
• Continuous backups
• Multi-AZ deployment with fast failover

Answer: CDN that caches content at edge locations worldwide, reducing latency by serving content from locations close to users. Supports dynamic content acceleration and has extensive global presence.

Answer: Real-time data streaming service.

• Kinesis Data Streams: Real-time data ingestion
• Kinesis Analytics: Stream processing
• Kinesis Firehose: Data delivery to destinations

Answer: Serverless ETL service that discovers, catalogs, and transforms data. Creates data catalog, generates ETL code, and can schedule and monitor ETL jobs for data preparation and transformation.

Answer: Managed big data platform using open-source tools like Hadoop, Spark, and Hive. Used for large-scale data processing, analytics, and machine learning workloads with automatic scaling.

• Use appropriate storage classes
• Implement lifecycle policies
• Enable intelligent tiering
• Delete incomplete multipart uploads
• Use S3 analytics for access patterns
• Compress data

Answer: Storage class that automatically moves objects between access tiers based on usage patterns. Optimizes costs without performance impact or operational overhead, ideal for unknown access patterns.

Answer: For fault-tolerant, flexible workloads like:

• Batch processing
• Data analysis
• Containerized workloads
• CI/CD
• Stateless web servers

Not suitable for: Persistent databases or real-time applications.

Answer: Flexible pricing model offering significant savings in exchange for consistent usage commitment.

• EC2 Instance Savings Plans: Instance family flexibility
• Compute Savings Plans: Broader flexibility across services

Answer: Matching instance types and sizes to workload requirements. Use CloudWatch metrics, Cost Explorer, and Compute Optimizer recommendations to identify underutilized resources and optimize sizing.

• Use Reserved Instances
• Choose appropriate instance sizes
• Implement read replicas for read scaling
• Use Aurora Serverless for variable workloads
• Optimize storage types based on IOPS requirements

Answer: For unpredictable workloads, infrequent usage patterns, development/testing environments, and applications with variable traffic. Automatically scales based on demand and charges only for resources used.

• Use CloudFront for content delivery
• Implement VPC endpoints for AWS service access
• Keep data transfers within same region/AZ when possible
• Use Direct Connect for large data transfers

• Use Site-to-Site VPN for persistent connections
• Client VPN for user access
• Consider Direct Connect for high-bandwidth requirements
• Implement connection sharing where possible

Answer: Framework with five pillars:

• Operational Excellence: Run and monitor systems
• Security: Protect information and systems
• Reliability: Ensure workloads perform consistently
• Performance Efficiency: Use computing resources efficiently
• Cost Optimization: Avoid unnecessary costs

Provides best practices, questions, and guidance for building secure, reliable, efficient, and cost-effective systems.

Answer: Use AWS CloudFormation for declarative templates, AWS CDK for programmatic infrastructure definition, or third-party tools like Terraform.

Benefits:

• Version control
• Repeatability
• Consistency
• Automated deployments

Answer: Assess current environment (discovery), choose migration strategy (6 R's: Rehost, Replatform, Repurchase, Refactor, Retire, Retain), plan for security and compliance, estimate costs, train teams, and implement in phases with proper testing.

The 6 R's of Migration: