This document was exported from Numbers. Each table was converted to an Excel worksheet. All other objects on each Numbers sheet were placed on separate worksheets. Please be aware that formula calculations may differ in Excel.

Numbers Sheet Name | Numbers Table Name | Excel Worksheet Name
Notes | Table 1 | Notes
Services | Table 1 | Services

Scenario
Access S3 From Mobile App
The online auditing system needs to access certain AWS resources in your network to perform the
audit.
Handle rapid influx of incoming traffic in the most cost-effective way
Handle high number of write operations on database tier
Amazon Mechanical Turk can send a notification to
Mobile phone push notification 
EBS boot volume for EC2 instance
Redshift fast-running queries won't get stuck in queues behind long-running group queries.

HTTPS between viewers and CloudFront

HTTPS between CloudFront and a custom origin

CloudFront - deliver content over HTTPS using your own domain name
your own domain name in CloudFront is not required.
Public certificates generated from ACM can be used on Amazon CloudFront, Elastic Load Balancing,
or Amazon API Gateway but not directly on EC2 instances unlike private certificates.
real-time data collection such as video, audio, application logs, website clickstreams, and IoT
telemetry data for machine learning, analytics
POSIX-compliant shared file storage
Grant Access to User-Specific Folders in an Amazon S3 Bucket
Cache supports multiple cores or threads
Amazon EC2 uses an instance profile as a container for an IAM role
Block the series of attacks coming from a set of determined IP ranges
To diagnose and troubleshoot problems on Amazon EC2 Linux and Windows Server instances.
Prevent anyone from bypassing CloudFront and using the direct Amazon S3 URLs
When I/O performance is more important than fault tolerance; stripe multiple volumes together
When fault tolerance is more important than I/O performance, mirror two volumes together
Secure Desktop-as-a-Service (DaaS)
CloudFormation templates which are regularly updated to map the latest AMI IDs

To improve the data durability of your ElastiCache cluster


Cookie used in sticky session feature, which enables the elastic load balancer to bind a user's
session to a specific EC2 instance.
On-premise to multiple VPCs in various AWS regions - private network dedicated to each region for
enhanced security

Database replication to other regions


dedicated secrets store with lifecycle management / integration with RDS
single store for configuration and secrets
Failed EC2 instances will be automatically replaced to avoid any downtime

You can deploy AWS WAF on Amazon CloudFront as part of your CDN solution/Cloud Front, the
Application Load Balancer that fronts your web servers or origin servers running on EC2, or Amazon
API Gateway for your APIs.
ECS - use security groups and standard network monitoring tools at the container level
If VPC Lambda function requires Internet access
To route domain traffic to an ELB load balancer
To migrate EC2 instance from one region to another, and use its same PEM key

AWS Well Architected Framework - Operational Excellence

AWS Well Architected Framework - Security

AWS Well Architected Framework - Reliability pillar

AWS Well Architected Framework - Performance Efficiency

AWS Well Architected Framework - Cost Optimization

prevent man-in-the-middle attacks


To use an SSL certificate with Elastic Load Balancing for the same site (the same fully qualified domain name, or FQDN, or set of FQDNs) in a different Region
To use an ACM certificate with Amazon CloudFront
SSE-S3 provides strong multi-factor encryption in which each object is encrypted with a unique key.
It also encrypts the key itself with a master key that it rotates regularly
Amazon RDS does not support certain features in Oracle such as Multitenant Database, Real
Application Clusters (RAC), Unified Auditing, Database Vault and many more.
Amazon RDS Multi-AZ deployments provide enhanced availability and durability for Database (DB)
Instances, making them a natural fit for production database workloads.
Elastic Container Service (ECS) scalability improvement
AWS organization - Access master account to child account
SCPs cannot affect service linked roles.

An SCP does not grant any permissions. Instead, SCPs are JSON policies that specify the maximum
permissions for an organization or organizational unit (OU). The SCP limits permissions for entities
in member accounts, including each AWS account root user.
KMS helps to encrypt data up to 4 KB. If it's more than 4 KB, use envelope encryption
S3 - no file should have a public read nor public write access.
To deploy applications to the cloud and also launch the required AWS resources automatically
A network device that supports Border Gateway Protocol (BGP) and BGP MD5 authentication is
needed to establish a Direct Connect link from your data center to your VPC.
Only one virtual private gateway (VGW) can be attached to a VPC at a time

Route 53 health for private hosted zone, don’t have direct access to resources in private subnet

Using server-side encryption with customer-provided encryption keys (SSE-C)


To ensure that the tags are always added when your resources are created

Possible Answer
IAM Role. STS actions such as "AssumeRole", "AssumeRoleWithSAML", and "AssumeRoleWithWebIdentity"
Create a new IAM role for cross-account access which allows the online auditing system account to assume the role. Assign it
that allows only the actions required for the compliance audit
SQS
SQS
SQS or SNS
Amazon SNS mobile push
General Purpose SSD (gp2)/Provisioned IOPS (io1)
Redshift workload management (WLM)
1) use a certificate that was issued by a trusted certificate authority (CA) such as Comodo, DigiCert, Symantec or other third-pa
providers.
2) use a certificate provided by AWS Certificate Manager (ACM)
If the origin is not an ELB load balancer, such as Amazon EC2, the certificate must be issued by a trusted CA such as Comodo, D
Symantec or other third-party providers.
If your origin is an ELB load balancer, you can also use a certificate provided by ACM.
SSL/TLS certificate provided by AWS Certificate Manager (ACM), or import a certificate from a third-party certificate authority
or the IAM certificate store.
default CloudFront certificate

Kinesis
EFS
IAM Policies
Memcached

NACL
EC2Rescue
Origin access identity (OAI)
RAID 0
RAID 1
Amazon WorkSpaces
Use CloudFormation with Systems Manager Parameter Store
Daily automatic backups
Manual backups using Redis append-only file (AOF)
Setting up a Multi-AZ with automatic Failover

AWSELB
AWS Direct Connect gateway to connect your AWS Direct Connect connection over a private virtual interface to one or more
your account that are located in the same or different Regions.
Global DynamoDB table by choosing your preferred AWS region, enabling the DynamoDB Streams option and creating replica
the other AWS regions where you want to replicate your data.
Secrets Manager
Systems Manager Parameter Store
OpsWorks with Auto Healing capability enabled

Use awsvpc network mode in the task definition in Amazon ECS Cluster
Add a NAT gateway to your VPC and ensure the associated security group of the Lambda function allows outbound connections
Amazon Route 53 alias record
Copy the AMI of your EC2 machine to your new region and start up an instance using the AMI.

Perform operations as code


Annotate documentation
Make frequent, small, reversible changes
Refine operations procedures frequently
Anticipate failure
Learn from all operational failures

Implement a strong identity foundation


Enable traceability
Apply security at all layers
Automate security best practices
Protect data in transit and at rest
Prepare for security events
Ability of a system to recover from infrastructure or service disruptions, dynamically acquire computing resources to meet dem
mitigate disruptions such as misconfigurations or transient network issues. This can be achieved by scaling your resources hor
and using a combination of Auto Scaling and utilization of multiple Availability Zones.

Democratize advanced technologies


Go global in minutes
Use serverless architectures
Experiment more often
Mechanical sympathy

Adopt a consumption model


Measure overall efficiency
Stop spending money on data center operations
Analyze and attribute expenditure
Use managed services to reduce cost of ownership
Amazon Route 53 supports DNSSEC for domain registration. However, Route 53 does not support DNSSEC for DNS service, reg
whether the domain is registered with Route 53

Must request a new certificate for each Region


Must request the certificate in the US East (N. Virginia) region.

Service Auto Scaling


Create IAM roles in child accounts (can use CloudFormation StackSets), assume role with STS cross-account capability

Enabling Amazon S3 Block Public Access in the S3 bucket
AWS CloudFormation, AWS Elastic Beanstalk

Create a CloudWatch metric and associate an alarm for the private subnet EC2. Monitor that alarm.
For Amazon S3 REST API calls, you have to include the following HTTP Request Headers: x-amz-server-side-encryption-custom
algorithm, x-amz-server-side-encryption-customer-key, x-amz-server-side-encryption-customer-key-MD5
For presigned URLs, you should specify the algorithm using the x-amz-server-side-encryption-customer-algorithm request hea
Set up AWS Service Catalog to tag the provisioned resources with corresponding unique identifiers for portfolio, product, and
Set up the CloudFormation Resource Tags property to apply tags to certain resource types upon creation.

Services
Amazon Macie
QuickSight
Amazon GuardDuty
Amazon Connect
Amazon Lex

Amazon CloudSearch
CloudHSM

Amazon MQ

Amazon AppStream 2.0

AWS Step Functions


AWS SWF
AWS Batch

AWS Device Farm

Amazon WorkDocs
Direct Connect Gateway
Direct Connect Link Aggregation Groups (LAG)

CodeCommit

Uses
Security service that uses machine learning to automatically discover, classify, and protect sensitive data(personally identifiab
visualize the reports
threat detection service that continuously monitors for malicious or unauthorized behavior to help you protect your AWS acco
provides a seamless omnichannel experience through a single unified contact center for voice and chat.
service for building conversational interfaces into any application using voice and text.

managed service in the AWS Cloud that makes it simple and cost-effective to set up, manage, and scale a search solution for y
managed hardware security module (HSM) in the AWS Cloud that handles encryption keys
managed message broker service for Apache ActiveMQ, it uses industry-standard APIs and protocols for messaging including J
MQTT, and WebSocket.
A fully managed application streaming service. You centrally manage your desktop applications on AppStream 2.0 and securel
computer.
Build serverless visual workflow to orchestrate your Lambda functions
Can also integrate with EC2, ECS, On premise servers, API Gateway
Coordinate work amongst applications
Run batch jobs as Docker images, managed compute environment
Application testing service for your mobile and web applications.
Test across real browsers and real mobile devices.
A fully managed, secure content creation, storage, and collaboration service. With Amazon WorkDocs, you can easily create, e
because it’s stored centrally on AWS, access it from anywhere on any device.
Direct Connect to one or more VPC in many different regions (same account, cross account)

Get increased speed and failover by summing up existing Direct Connect connections into a logical one

Integration with SNS/Lambda - delete branch/ pushes to master branch/code base analysis
CW event rules - Pull request updates (failed pipeline)
Triggers - code related events
Notification - pull request events B41- cw
