AWS CSA Professional Notes

  1. You have set up your company in an AWS organization in a hierarchical manner. You now need to move an account from one organization to another organization. How can you do this with as little effort as possible?
    • First, remove the account from your organization and make it a standalone account.  After making the account standalone, it can be invited to join another organization.
  2. You work for a fast growing organization which grows via purchases or smaller companies.  As part of your AWS strategy, you create a master account and configure AWS organizations for your company.  You have recently learned that the business is going through a major restructuring exercise, and you need to change the organization master account.  How can this be accomplished?
    • You cannot change which AWS account is the master account – You would need to create a new account, a new organization and move the accounts across to a new organization.  There is no way to change the master account of an organization.
  3. You are configuring a new AWS account for a logistics company.  The company has 6 offices in the us-east-1 region and your requirement is to set up a VPC for each location and configure VPC peering.  What limitation will you encounter with this design?
    • The default maximum number of VPC’s allowed per region is 5 .
  4. You have configured consolidated billing for your organization with one Master account and 3 linked sub accounts.  Your CFO has asked for detailed billing reports.  What AWS feature can you use with detailed billing reports, which enables cost to be analyzed and decomposed across multiple dimensions and aggregation levels?
    • Resource Tagging//Billing Tags – Consolidated billing works best with Resource tagging, as tags included in the detailed billing report, which enables cost to be analyzed and decomposed across multiple dimensions and aggregation levels.
  5. You are in the process of implementing AWS Organizations for your company.  At your previous company you saw an Organizations implementation go bad when an SCP (service control policy) was applied at the root of the organization before being thoroughly tested.  In what way can an SCP be properly tested and implemented?
    • Create an organizational unit (OU).  Attach the SCP to this new OU.  Move your accounts in one at a time to ensure that you don’t inadvertently lock users out of key services. 
  6. You have recently started working for a large enterprise who is about to move from Azure to AWS.  They have 100’s of staff members who need to directly access AWS and 100’s of business units who make use of AWS services.  You have been asked to propose an account structure which provides account and network layer isolation between the business units.  Which option meets those objectives, with the least admin overhead and AWS accounts.
    • Create an AWS organization for each business unit.  Allow the business units to create VPC’s inside the accounts based on their own requirements.
  7. You have created Dev, Test, and Prod environments for your development team using three separate AWS accounts.  You want to allow your administrator in the Prod account to be able to create in Dev and Test as needed.  You also want them to be able to terminate or stop the instances as necessary when not in use.  How can you best achieve this?
    • Create cross-account roles in Dev and Test that grants the Prod Administrators access to the resources in Dev and Test.
  8. You have an application running in a shared services VPN within a member account of your AWS organization.  You are the project manager on a merger with another business and need to provide this business with access to a private application running inside this VPC.  What options below offers a workable solution? (choose 2)
    • Use RAM to share the subnets with that account using an external sharing rule – allow the new organization to control access.
    • Invite the new organizations AWS account into your organization and use RAM to share the subnets with that account – allow the new organization to control access.
  9.  You have create a large set of AWS accounts in readiness for a large migration into AWS.  All the accounts are within a single AWS organization create with 10 organizational units.  You have created an SCP to restrict access to certain IAM features and notice that it’s being applied to all users in all the AWS accounts except one.  The SCP is applied to the root container of the organization.  What would be your first step to diagnose the problem?
    • If its the master account in the organization failing then there is nothing to be done – It cannot be restricted in this way.
  10. You have recently completed a large project implementation in a major enterprise client and are looking at how to optimize cost.  The client uses 47 AWS accounts spread across their various business units and DEV, Test , and PROD teams.  The utilization in these accounts is varies and uncertain but you begin to see levels of base-load in each account.  Which of the following options represents the best methods to achieve cost reductions via reserved instances?
    • Enable Reserved Instance Sharing on reserved instances in the master account.
  11. You have been asked to propose a solution to restrict all accounts within the organization from accessing an auditing bucket in each account.  This restriction must include the root accounts within all of the accounts in the organization. What should your response be?
    • This isn’t possible.
  12. You have been consulting for a large enterprise who after the completion of a number of large project deployments have asked you to provide each of their 56000 users with access to their AWS account infrastructure, which consists of around 30 accounts within an AWS organization with all features enabled.  The organization make use of two identity providers.  An internal active directory and google IDP for any web applications.  The priority is security first and lowest admin overhead second.  Which of the following architectures should you suggest?
    • Enable SAML federation to a single organization accounts.  Create roles in all other organization accounts and allow role shifting into the other accounts.
  13. You have been asked to suggest an in-memory cache available inside AWS which can support snapshots and advanced data structures beyond simple key-value pairs.
    • Elasticache – Redis
  14. You have been asked to create a VPN architecture which is fully tolerant of failure.  One which is able to cope with the failure of an AWS AZ or piece of comms hardware either at the AWS side or local customer side.  Currently the business you are consulting for has the following: 1) A VGW configured and atached to a VPC 2) 1x CGW defined 3) A dynamic VPN created with 1 active tunnel between the VGW and the CGW.  You need to assess if this is HA based on the above requirements and if not, how to correct it.  What should you suggest?
    • Add another CGW, activate another tunnel and add another connection. – Another CGW at the customer side will protect against hardware failure.  Each of the CGW’s will need two tunnels, on to each AZ of the VGW… so bring up the second tunnel on the existing connection and add another dual-tunnel VPN connection to the new second CGW.
  15. You are looking to choose an appropriate deployment and configuration management product for use in AWS.  You are looking for a solution to manage a small set of applications your company hosts and manages for clients.  The environments must run Linux, include PHP, Apache and be capable of accepting application code as a deliverable.  In short – a PAAS style product is needed.  The priorities since the business have development team and very few IT operations staff is to reduce any admin overhead to manage the environments.  Which AWS deployment management platform should you suggest>
    • Elastic Beanstalk

Be the first to comment

Leave a Reply

Your email address will not be published.


*


This site uses Akismet to reduce spam. Learn how your comment data is processed.