DEV Community

Camille Chang

AWS CloudOps Engineer - Associate (SOA-C03)

Although I've been using AWS for a while now, I still need to review a lot of the knowledge frequently.

Preparation:
1. Tried the Official Practice Question Set https://awscertificationpractice.benchprep.com/app/official-practice-question-set-aws-certified-cloudops-engineer-associate-soa-c03#exams/details/315463, passed with 80%.

2. Knowledge points I forgot:

  • Gateway VPC endpoints exist only for Amazon S3 and DynamoDB.
  • A gateway endpoint adds a route (targeting the service prefix list) to the subnet route table, so EC2 instances in private subnets reach Amazon S3 without an internet gateway or NAT gateway. Unlike interface endpoints, gateway endpoints have no hourly or data processing charges. An endpoint policy can further restrict which buckets are reachable through it.
  • Reserved concurrency sets the maximum number of concurrent executions of a Lambda function. It is both a guarantee (that capacity is carved out of the account's concurrency pool) and a cap: invocations beyond it are throttled.
  • Provisioned concurrency sets the number of pre-initialized execution environments kept ready for a function. Because initialization has already happened, those invocations avoid cold-start latency; it does not make the handler itself run faster.

  • Use an IAM OIDC identity provider when you want to connect an external OIDC-compatible IdP to AWS so that its identities can assume IAM roles (web identity federation).

  • IAM Identity Center provides user access from external IdPs to AWS accounts and applications by using the SAML 2.0 protocol. You would typically use IAM Identity Center to provide **single sign-on access** for external users to AWS services.

  • **CloudWatch Logs data protection** policies help identify and protect sensitive data within CloudWatch Logs, such as personally identifiable information (PII) or protected health information (PHI). A policy uses managed data identifiers to detect sensitive data patterns automatically; matched text is masked when the log events are viewed (unless the caller has the logs:Unmask permission), and the policy can send audit findings to CloudWatch Logs, Amazon S3, or Firehose and emits the LogEventsWithFindings metric, which an alarm can act on when sensitive data is logged.
  • An SPF record specifies which IP addresses (mail servers) are allowed to send email for the domain. To prevent spoofing of the envelope sender and to improve email deliverability, publish the SPF record as a TXT record at the domain name (the dedicated SPF record type is deprecated). SPF alone does not protect the visible From header, so pair it with DKIM and DMARC.
  • A rolling update deployment gradually replaces tasks with new versions. Rolling deployments maintain application availability by updating tasks in small batches.
  • A canary deployment shifts a small percentage of traffic to the new version for validation before shifting the rest. A canary deployment with weighted routing requires additional infrastructure to split traffic, so in the scenario this question described the weighted routing configuration led to higher costs.
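To make the data protection behaviour concrete, here is an added Python example (not from the original post and not the CloudWatch service's own code) that runs a data-protection-style scan over a few constructed log events. The three patterns are illustrative stand-ins for managed data identifiers, which AWS does not publish as regexes; the asterisk masking and the per-batch count mirror what a viewer without logs:Unmask sees and what the LogEventsWithFindings metric reports.

```python
import re
from dataclasses import dataclass

# Illustrative stand-ins for managed data identifiers (constructed patterns;
# the real CloudWatch Logs identifiers are not published as regexes).
DATA_IDENTIFIERS = {
    "EmailAddress": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "AwsAccessKeyId": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "Ssn-US": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}


@dataclass
class Finding:
    identifier: str
    start: int
    end: int


def audit(event):
    """Audit phase: locate every sensitive span in one log event."""
    findings = [Finding(name, m.start(), m.end())
                for name, pattern in DATA_IDENTIFIERS.items()
                for m in pattern.finditer(event)]
    return sorted(findings, key=lambda f: f.start)


def deidentify(event):
    """De-identify phase: overwrite each finding with asterisks of the same
    length, which is what a viewer without logs:Unmask sees."""
    chars = list(event)
    findings = audit(event)
    for f in findings:
        chars[f.start:f.end] = "*" * (f.end - f.start)
    return "".join(chars), findings


def scan(events):
    """Process a batch of events. Returns the masked events, the number of
    events with at least one finding (what LogEventsWithFindings counts),
    and a per-identifier hit count."""
    masked, events_with_findings, per_identifier = [], 0, {}
    for event in events:
        text, findings = deidentify(event)
        masked.append(text)
        events_with_findings += bool(findings)
        for f in findings:
            per_identifier[f.identifier] = per_identifier.get(f.identifier, 0) + 1
    return masked, events_with_findings, per_identifier


# Constructed sample log events (the access key is the AWS documentation example).
SAMPLE_EVENTS = [
    "2024-12-01T10:00:01Z INFO login ok user=alice@example.com",
    "2024-12-01T10:00:02Z DEBUG sts creds issued key=AKIAIOSFODNN7EXAMPLE",
    "2024-12-01T10:00:03Z INFO healthcheck /ping 200",
    "2024-12-01T10:00:04Z WARN form rejected ssn=123-45-6789 from=10.0.0.5",
]

if __name__ == "__main__":
    masked_events, hits, counts = scan(SAMPLE_EVENTS)
    print("\n".join(masked_events))
    print(hits, counts)
```

Masking preserves the event length, so log parsers keyed on field offsets keep working; the healthcheck line passes through untouched. In the real service the audit findings report is the thing to alarm on, because it tells you which log group and which application are leaking the data in the first place.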

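An SPF record is only as good as the receiver's evaluation of it, so the following added Python example (not part of the original post) implements the core of the check_host() evaluation from RFC 7208 against a constructed in-memory DNS table (FAKE_DNS is an assumption standing in for real TXT and A lookups). It handles the ip4, ip6, a, include and all mechanisms, the four qualifiers, and the 10-DNS-lookup limit that is the most common cause of a permerror in real deployments; mx, ptr, exists and redirect= are left out.

```python
import ipaddress

# Constructed in-memory DNS view so the example runs offline (an assumption
# standing in for real TXT/A lookups).
FAKE_DNS = {
    "example.com": {"TXT": [
        "v=spf1 ip4:203.0.113.0/24 a:mail.example.com include:_spf.example.net -all"]},
    "mail.example.com": {"A": ["198.51.100.10"]},
    "_spf.example.net": {"TXT": ["v=spf1 ip6:2001:db8::/32 ~all"]},
    "neutral.example.org": {"TXT": ["v=spf1 ?all"]},
    # Pathological record that includes itself: must end in permerror,
    # not an infinite loop.
    "loop.example.org": {"TXT": ["v=spf1 include:loop.example.org -all"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_MECHANISMS = 10  # RFC 7208 section 4.6.4 lookup limit


def spf_record(domain):
    """Return the domain's v=spf1 TXT record, or None if it has none."""
    for txt in FAKE_DNS.get(domain, {}).get("TXT", []):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def check_host(ip, domain, _budget=None):
    """Evaluate `domain`'s SPF record for the sending address `ip`.
    Returns pass, fail, softfail, neutral, none or permerror."""
    addr = ipaddress.ip_address(ip)
    budget = _budget if _budget is not None else [MAX_DNS_MECHANISMS]
    record = spf_record(domain)
    if record is None:
        return "none"
    for term in record.split()[1:]:
        qualifier = "+"                      # mechanisms default to "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")   # ip6 arguments keep their later colons
        name = name.lower()
        if name in ("a", "mx", "include"):   # each of these costs a DNS lookup
            budget[0] -= 1
            if budget[0] < 0:
                return "permerror"
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = addr.version == net.version and addr in net
        elif name == "a":
            target = arg or domain
            matched = any(ipaddress.ip_address(a) == addr
                          for a in FAKE_DNS.get(target, {}).get("A", []))
        elif name == "include":
            result = check_host(ip, arg, budget)
            if result in ("none", "permerror"):   # RFC 7208 section 5.2
                return "permerror"
            matched = result == "pass"
        else:
            continue  # mx, ptr, exists and modifiers such as redirect= are out of scope here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"   # no mechanism matched and the record has no "all" term


if __name__ == "__main__":
    for sender in ("203.0.113.7", "198.51.100.10", "2001:db8::1", "192.0.2.1"):
        print(sender, check_host(sender, "example.com"))
```

Two practical points follow from the code: the lookup budget is shared across every include, so a record that chains several third-party senders can exceed ten lookups and silently degrade to permerror for every message; and a record ending in ~all or ?all never produces a hard fail, which is why DMARC policy is what actually tells receivers to reject.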
Route53

  • AAAA record -> IPv6 address
  • A record -> IPv4 address
  • Alias record -> a Route 53 extension that points a name, including the zone apex (example.com), at an AWS resource such as an ALB, CloudFront distribution, or S3 website endpoint; queries to alias records for AWS resources are free. A CNAME cannot be used at the zone apex. CNAME -> point a subdomain like www.example.com to another hostname, for example the root domain example.com or a different service provider's hostname.

RDS

  • RDS Proxy pools and shares database connections, so applications that open many short-lived connections (for example, Lambda functions) do not exhaust the DB instance's connection limit; it also shortens failover time and can require IAM authentication to the database.

Refer: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/rds-proxy.html

EC2

  • Cluster placement group: packs instances close together inside a single Availability Zone, giving the low-latency network performance needed for the tightly coupled node-to-node communication typical of high-performance computing (HPC) applications.
  • Partition placement group: spreads your instances across logical partitions so that instances in one partition do not share underlying hardware with instances in other partitions. Typically used by large distributed and replicated workloads such as Hadoop, Cassandra, and Kafka.
  • Spread placement group: strictly places a small group of instances across distinct underlying hardware to reduce correlated failures (a maximum of seven running instances per group per Availability Zone).

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/placement-groups.html

Storage

  • EFS: you can create only one mount target per Availability Zone. https://docs.aws.amazon.com/efs/latest/ug/accessing-fs.html
  • EBS snapshots are incremental backups: only the blocks on the volume that have changed since the most recent snapshot are saved. This minimizes the time required to create the snapshot and saves on storage costs by not duplicating data. Each snapshot still contains everything needed to restore the volume, and deleting an earlier snapshot does not affect later ones, because data referenced by other snapshots is retained.
  • EBS fast snapshot restore (FSR) lets you create a volume from a snapshot that is fully initialized at creation. This eliminates the latency of I/O operations on a block when it is accessed for the first time. Volumes created using fast snapshot restore instantly deliver all of their provisioned performance.
  • RDS Performance Insights lets you visualize the database load on your Amazon RDS DB instance and filter the load by waits, SQL statements, hosts, or users. https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_PerfInsights.html
  • Aurora:

    • Point-in-time recovery (PITR) is the robust, long-term backup and restore solution; it creates a new DB cluster.
    • Backtracking is a quick, in-place "undo" feature for Aurora MySQL that rewinds the existing cluster to recover from recent, minor errors with a low Recovery Time Objective (RTO).
  • Storage Gateway (volume gateway):

    • Stored volumes: store a full copy of the data locally while asynchronously backing it up to AWS as EBS snapshots. To the backup application it behaves like a local block storage device.
    • Cached volumes: store the primary data in Amazon S3, with only frequently accessed data cached locally.
  • ElastiCache:

    • Memcached is lightweight and simple (multithreaded, no persistence, no replication), good for read-heavy, non-persistent caching.
    • Redis is feature-rich: it supports high availability (replication with Multi-AZ failover), persistence, and advanced data types, making it suitable for mission-critical caching and real-time applications.
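To show why "incremental" does not mean "depends on the first full snapshot", here is an added Python model (not the original post's code, and not how EBS is implemented internally) of snapshot storage: blocks are stored once, each snapshot records which blocks it needs, and deleting a snapshot only frees blocks no other snapshot references. The 4-byte block size and the sample volume contents are constructed for the example.

```python
import hashlib

BLOCK_SIZE = 4  # toy block size in bytes (constructed; EBS works on 512 KiB blocks)


class SnapshotStore:
    """Model of EBS snapshot storage. Block data is stored once, keyed by
    content hash; each snapshot is only a manifest of block index -> hash.
    Real EBS tracks changed blocks by write history rather than by hashing,
    but the storage and deletion behaviour is the same for this example."""

    def __init__(self):
        self.blocks = {}     # hash -> block bytes
        self.snapshots = {}  # snapshot id -> {block index: hash}
        self._counter = 0

    def create_snapshot(self, volume):
        """Snapshot `volume` (bytes). Returns (snapshot id, bytes newly stored):
        the first snapshot stores every block, later ones only changed blocks."""
        manifest, new_bytes = {}, 0
        for index, offset in enumerate(range(0, len(volume), BLOCK_SIZE)):
            chunk = volume[offset:offset + BLOCK_SIZE]
            digest = hashlib.sha256(chunk).hexdigest()
            if digest not in self.blocks:
                self.blocks[digest] = chunk
                new_bytes += len(chunk)
            manifest[index] = digest
        self._counter += 1
        snapshot_id = f"snap-{self._counter:04d}"
        self.snapshots[snapshot_id] = manifest
        return snapshot_id, new_bytes

    def restore(self, snapshot_id):
        """Rebuild the full volume from any snapshot, regardless of which
        earlier snapshots still exist."""
        manifest = self.snapshots[snapshot_id]
        return b"".join(self.blocks[manifest[i]] for i in sorted(manifest))

    def delete_snapshot(self, snapshot_id):
        """Delete a snapshot; only blocks no remaining snapshot references are freed."""
        del self.snapshots[snapshot_id]
        still_referenced = {h for m in self.snapshots.values() for h in m.values()}
        for digest in list(self.blocks):
            if digest not in still_referenced:
                del self.blocks[digest]

    def stored_bytes(self):
        return sum(len(b) for b in self.blocks.values())


def walkthrough():
    """Constructed scenario: full snapshot, change one block, incremental
    snapshot, delete the first snapshot, then restore from the second."""
    store = SnapshotStore()
    volume = bytearray(b"AAAABBBBCCCCDDDD")                 # 4 blocks of 4 bytes
    snap1, stored1 = store.create_snapshot(bytes(volume))   # stores all 16 bytes
    volume[4:8] = b"bbbb"                                   # change block 1 only
    snap2, stored2 = store.create_snapshot(bytes(volume))   # stores 4 bytes
    total_before_delete = store.stored_bytes()              # 20 bytes on disk
    store.delete_snapshot(snap1)                            # frees only b"BBBB"
    restored_ok = store.restore(snap2) == bytes(volume)
    return stored1, stored2, total_before_delete, store.stored_bytes(), restored_ok


if __name__ == "__main__":
    print(walkthrough())
```

The second snapshot costs only the changed block, yet it restores the whole volume on its own, and deleting the first snapshot reclaims just the one block nothing else references. That is the property a retention policy relies on when it prunes old snapshots while keeping recent ones restorable.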

CloudFormation

EC2

  • Stop: the instance performs a normal OS shutdown. Attached EBS volumes stay attached, but data on instance store volumes is lost, and a public IPv4 address that is not an Elastic IP is released.
  • Start: the instance is typically migrated to a new underlying host and assigned a new public IPv4 address; the private IPv4 address is retained. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Stop_Start.html
  • Reboot: an instance reboot is equivalent to an operating system reboot and in most cases takes only a few minutes. When you reboot an instance, it keeps the following:
    • Public DNS name (IPv4)
    • Private IPv4 address
    • Public IPv4 address
    • IPv6 address (if applicable)
    • Any data on its instance store volumes
  • Terminate: after you terminate an instance, you can no longer connect to it, and it can't be recovered. All attached Amazon EBS volumes that are configured to be deleted on termination are also permanently deleted and can't be recovered.

Network

  • Customer gateway: the AWS resource that represents your on-premises VPN device (its public IP address and, for dynamic routing, its BGP ASN) at one end of a Site-to-Site VPN connection.
  • Route 53 Resolver:

    • Inbound Resolver endpoints allow DNS queries from your on-premises network or another VPC into your VPC (for example, to resolve names in a private hosted zone).
    • Outbound Resolver endpoints forward DNS queries from your VPC to your on-premises network or another VPC, according to Resolver rules.
  • Route 53 routing policies:

    • Geolocation: route traffic based on the location of your users (continent, country, or US state).
    • Geoproximity: route traffic based on the location of your resources, with an optional bias to shift more or less traffic to a resource.
    • Latency-based: route traffic to the AWS Region that gives the user the lowest latency.
    • Multivalue answer: return up to eight healthy records in response to each query, so the client can choose among them.

CloudWatch

Tag Editor

Security

  • Trusted Advisor inspects your AWS environment and makes recommendations where opportunities exist to save money, improve system availability and performance, or close security gaps.
    • The support plan determines how many Trusted Advisor checks are available: Basic and Developer plans get only the core security checks and service quota checks; Business, Enterprise On-Ramp, and Enterprise plans get the full set.

Others

  • AWS Service Catalog sharing: when you share a portfolio using account-to-account sharing or AWS Organizations, you share a reference to that portfolio. The products and constraints in the imported portfolio stay in sync with changes you make to the shared (original) portfolio.

The recipient cannot change the products or constraints, but can add IAM access for end users. https://docs.aws.amazon.com/servicecatalog/latest/adminguide/catalogs_portfolios_sharing_how-to-share.html

  • AWS Personal Health Dashboard (now called the AWS Health Dashboard): a personalized view of AWS service events that may affect your AWS resources.

  • OpsWorks supports Chef and Puppet

  • AWS Control Tower:

    • Automated landing zone setup: Quickly sets up a well-architected, multi-account environment with features like dedicated log archive and audit accounts.
    • Pre-configured controls: Provides a library of pre-packaged governance rules (guardrails) to enforce security, compliance, and operational policies. These can be preventive, detective, or proactive.
    • Account Factory: Enables the provisioning of new AWS accounts that automatically comply with the established governance policies.

Attended and passed the exam on 7 Dec. There was one AI-related question.
