AWS Cloud practitioner exam prep QA

Security Groups act as a virtual firewall at the instance level, are stateful (return traffic is automatically allowed), and only support allow rules. Network ACLs operate at the subnet level, are stateless (return traffic must be explicitly allowed), and support both allow and deny rules. Security Groups evaluate all rules before deciding; NACLs process rules in order.

CloudFront is a Content Delivery Network (CDN) that delivers data, videos, applications, and APIs globally with low latency. It caches content at edge locations close to users. When a user requests content, CloudFront serves it from the nearest edge location. If the content isn't cached there, CloudFront retrieves it from the origin (like S3 or EC2) and caches it for future requests.

CloudFormation lets you model and provision AWS resources using templates written in JSON or YAML (Infrastructure as Code). You describe the desired resources, and CloudFormation creates and configures them in the right order. Benefits: repeatable deployments, version control for infrastructure, automated rollback on failure, and consistency across environments.

The Well-Architected Framework provides best practices across six pillars: Operational Excellence (automate operations), Security (protect data and systems), Reliability (recover from failures), Performance Efficiency (use resources efficiently), Cost Optimization (avoid unnecessary costs), and Sustainability (minimize environmental impact). It helps you build secure, high-performing, resilient, and efficient architectures.

Route 53 is AWS's scalable DNS (Domain Name System) service. It translates domain names (example.com) into IP addresses. It also performs health checks and supports routing policies: Simple, Weighted (distribute traffic by percentage), Latency-based (route to lowest latency region), Failover (active-passive), and Geolocation (route by user location).

Basic (free — billing support, documentation, forums), Developer (from $29/month — email support, 12-hour response), Business (from $100/month — 24/7 phone, 1-hour response for production issues, Trusted Advisor full checks), and Enterprise (from $15,000/month — 15-minute critical response, Technical Account Manager, Concierge). Choose based on your workload criticality.

Trusted Advisor inspects your AWS environment and makes recommendations across five categories: Cost Optimization (underutilized resources), Performance (bottlenecks), Security (open ports, missing MFA), Fault Tolerance (backups, Multi-AZ), and Service Limits (approaching quotas). Basic and Developer plans get limited checks; Business and Enterprise get all checks.

AWS Organizations lets you centrally manage multiple AWS accounts. You can group accounts into Organizational Units (OUs) and apply Service Control Policies (SCPs) to restrict what services and actions are allowed. Benefits: consolidated billing (single payment for all accounts, volume discounts), centralized governance, and automated account creation.

Elastic Beanstalk is a PaaS service that deploys and manages web applications automatically. You upload your code, and Beanstalk handles provisioning, load balancing, scaling, and monitoring. It supports Java, .NET, PHP, Node.js, Python, Ruby, Go, and Docker. You retain full control over the underlying resources but don't have to manage them manually.

Redshift is a fully managed data warehouse service designed for large-scale data analytics. It can handle petabytes of structured data and run complex SQL queries across massive datasets. Redshift uses columnar storage and parallel processing for fast performance. It's typically used for business intelligence, reporting, and analyzing historical data from multiple sources.

S3 is object storage — stores files as objects with metadata, accessed via HTTP/HTTPS, virtually unlimited capacity, 11 nines durability, ideal for static content, backups, data lakes. EBS is block storage — behaves like a hard drive attached to an EC2 instance, supports file systems and databases, exists within a single AZ. Use S3 for unstructured data and EBS for data that needs frequent read/write operations with low latency.

ECS (Elastic Container Service) is AWS's native container orchestration service for running Docker containers. EKS (Elastic Kubernetes Service) is a managed Kubernetes service. Both let you run containerized applications without managing the underlying infrastructure. Use ECS if you want a simpler AWS-native solution; use EKS if you need Kubernetes compatibility or are already using Kubernetes.

AWS uses a pay-as-you-go model with three fundamental drivers: compute (per hour or second), storage (per GB per month), and data transfer (per GB out, inbound is usually free). You can reduce costs through Reserved Instances, Savings Plans, Spot Instances, and volume discounts. The AWS Pricing Calculator helps estimate costs before deployment.

Public cloud — resources owned and operated by a third-party provider, shared across customers (AWS, Azure, GCP). Private cloud — infrastructure used exclusively by one organization, on-premises or hosted. Hybrid cloud — combines public and private, allowing data and apps to move between them. AWS supports hybrid with services like Outposts and Direct Connect.

GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity. It analyzes CloudTrail logs, VPC Flow Logs, and DNS logs using machine learning and threat intelligence. GuardDuty detects unauthorized access, compromised instances, and unusual API calls. It requires no infrastructure to manage — just enable it.

AWS Web Application Firewall (WAF) protects web applications from common exploits like SQL injection, cross-site scripting (XSS), and bot traffic. You create rules to allow, block, or count requests based on conditions like IP addresses, HTTP headers, or request body content. WAF integrates with CloudFront, Application Load Balancer, and API Gateway.

Athena is a serverless query service that lets you analyze data directly in S3 using standard SQL. No infrastructure to set up or manage — you pay only per query based on the amount of data scanned. It supports CSV, JSON, Parquet, and ORC formats. Athena is commonly used for log analysis, ad-hoc queries, and data exploration without needing to load data into a separate database.

The Snow Family consists of physical devices for migrating large amounts of data to AWS when network transfer is too slow or impractical. Snowcone (8–14 TB, portable), Snowball Edge (80 TB storage, with compute), Snowmobile (up to 100 PB, a literal shipping container truck). They also support edge computing in locations with limited connectivity.

Shield Standard is free and automatically protects all AWS customers against common DDoS attacks at the network and transport layers. Shield Advanced (paid) provides enhanced protection with real-time visibility, 24/7 access to the AWS DDoS Response Team, cost protection during attacks, and advanced mitigation for applications on EC2, ELB, CloudFront, and Route 53.

AWS Key Management Service (KMS) lets you create and manage encryption keys to protect your data. It integrates with most AWS services (S3, EBS, RDS) to easily encrypt data at rest. KMS handles key rotation automatically and provides audit trails through CloudTrail. You control who can use keys through IAM policies, ensuring strong data protection with minimal operational overhead.