Pass Your Amazon AWS Certified Solutions Architect - Professional Exam Easy!

Amazon AWS Certified Solutions Architect - Professional AWS Certified Solutions Architect - Professional (SAP-C01) exam dumps vce, practice test questions, study guide & video training course to study and pass quickly and easily. Amazon AWS Certified Solutions Architect - Professional AWS Certified Solutions Architect - Professional (SAP-C01) exam dumps & practice test questions and answers. You need avanset vce exam simulator in order to study the Amazon AWS Certified Solutions Architect - Professional certification exam dumps & Amazon AWS Certified Solutions Architect - Professional practice test questions in vce format.

New Domain 1 - Design for Organizational Complexity

17. Overview of CloudFormation Stack Sets

Hey everyone and welcome back. In today's video, we will be discussing the CloudFormation stack sets. Now, in very simple terms, cloud formation stack sets basically allow us to deploy stacks across multiple AWS accounts or even multiple AWS regions from a single location. Now, this can be explained with a simple use case that we have over here. Now, AWS configuration is basically a good practise for enabling it across all the regions. However, in order to enable it across all regions, especially if you're doing it from cloud formation, you had to maintain a stack in each one. And that stack was used to enable AWS configuration. So there are ten AWS regions. You have to maintain ten individual stacks of your cloud formation. Now, this becomes tiresome, specifically if you have multiple AWS accounts. So what cloud formation came up with?It came up with a feature of stack sets, which basically allows us to deploy stacks. Now what you do is you just create a stack set and deploy tax sets across all the regions, and you just have one central place from which you can push the stats. So it becomes much easier. So let's do one thing. Let me show you the demo so that it will be easier for us to understand here. I'm currently in my cloud formation console. Now within here, if I go to stack sets, you will see that I currently have one stack set that is available here. So this is the stack set. Now there is a tag called stack instances. This basically means into which regions or to which AWS accounts the current stack has been pushed into.So currently, my stack has been pushed into a single AWS account. You see the account ID is the same. However, it has been pushed to multiple regions. You have us on the west one.You've got EU West 3. You've got AP Northeast 2; So these are the multiple AWS regions that your stack has been pushed into. So let's say that if you want to enable AWS configuration across all the regions of your AWS account, you can just create a stack set, and you have a cloud formation template. You just push your cloud formation template through stack sets to all the AWS regions. So now, to understand it better, let's do one thing. Let me go to Cloud Trail. I'll go to the Cloud Trail console because this specific stack enables cloud trail across multiple regions. So when I deployed it, it enabled cloud trails across the AP Northeast to the US West Three and US West One regions. I could have done all the regions, but I'm just using the minimal one, which is required for the demo purposes. Now within the cloud trail, let me go to the Paris one. So within Paris, if I go to trails, I have the trails that are here. Now, within the Paris one, take a look at the cloud formation. Let's go to cloud formation. What this text does is that, if you see, there are three regions. Basically, it has a stack deployed across all of these three regions. So this part that you see over here is basically a stack. Now, this tag in turn basically creates the required resources. In our case, it created a trail, it createda trail bucket and it created the trail bucketpolicy within the Paris region and similar for allthe other regions where you are pushing. Now, in order to verify how exactly this works, what we'll do is terminate the specific stacks. so I'll go to actions. I'll click on "delete stack from stack set." So let me do a stack delete from the stack set. Now you have to specify the account number over here. So I'll give you this specific account number. Basically, we already discussed that Stack Set allows us to deploy across multiple AWS accounts. So in case you have stacks like this that have been deployed to a destination account, you can specify it over here. Now that you have placed it, you have to specify the region. Currently only three regions would appear becauseyour stack have been deployed through StackSets from only three regions. So I'll just select all three regions here. So you are North California sea all and Paris. I'll do a next; please allow me to submit. So now what it is doing is basically deleting it. So whatever tax was created across all of these regions would be deleted, and in turn, whatever resources were created through those taxes would also be deleted. So we'll quickly see great things. So currently, our operation has succeeded. Now if you go into stack instances, let me just quickly do a refresh. Currently, there are no stack instances. So basically, all the stacks that were deployed at the destination account and destination region have been deleted. Now, within the cloud formation and also in the Paris region, you can see that there are no stacks available. So this is the high-level overview of the video. I hope you understand what stack sets allow us to do. Not only does it allow us to deploy our stack across multiple regions, but it also allows us to deploy our stacks across multiple AWS accounts. And with this central place where you manage everything, it really becomes much simpler for the administrator.

18. Creating Stack Sets for Deployment

Hey everyone and welcome back. Now in the earlier video, we were discussing the overview of stack sets. We also had a demo on what exactly stacked sets might look like. So in today's video, we'll go ahead and create our own stack set, and we'll look into the steps that are required for configuring our own stack set. Now, I have created a slide that basically states the deployment instructions. Now, what you need to do is realise that there are two roles that are required. One role would be for the administrator account where your taxes would be created, and one role would be for the destination account. So let's say you have multiple AWS accounts and an AWS account where you'll be centrally managing your taxes. So there will be one role that would be required there, and the role name there should be "AWS cloud formation stack set administrator role." So this name convention is something that you cannot change. As a result, you must have the same as well as one for the destination account where the stacks will be created. So in the destination account, you need to have a role called an AWS CloudFormation Tax Set execution role. So for our example purposes, we'll be having both of these roles within the same AWS account because a lot of people might not have multiple AWS accounts. So I'll just show you how we can do that within the same AWS account as well. So let's go to Cloud Formation, and I'll go to Stack Sets. So, this was the demo stack set that we had created. Let's create a new stack set. So you can either use your own template here or use the sample template. Now, for the sample templates, you have a variety of configuration and cloud trail sample templates. Let's select "enable." AWS cloud trailer. So this template basically enables the cloud trail. Now, let's click on "next." Let's give it a stack name. I'll say cloud trail. Stack sets practical All right, now we'll leave this parameter as the default once I click on Next. Within the permission, it is essentially asking you for permission. So this is the IAM role that you have to create. So, we discussed that there are two things that we need to create. One is the Im role for an admin account. One is the Im role for the destination account. So let's go ahead and create the role. So within my IM, I'll go to roles, and I'll click on "create a role." So the first role we'll play is that of administrator. So I'll just select cloud formation here. Let me click on "next." I'll just ignore setting up the policies. Let's just create the role. So you need to enter the role, let me copy it and paste it over here, and we can go ahead and create a role. All right, so this is the first role. Let's create one more role. This time it would be based on another AWS account over here because that role would be on the destination side. So we need to basically enable the trust policy. So here you have to specify the account ID. Now, in my case, I already have the account ID. So this is the account ID of my current AWS account, where we are doing the practical. I'll select Next, and this time I'll add the administrator access here. Let's give the role a name, and I'll go ahead and create a ss here. LeSo the reason why we added administrator access here is because, from the central account, you do not really know if your stack is creating an easy to use instance or a VPC. And this is the reason why we have created administrator access over here for our demo d administratorSo now let's go back to roles, and we'll go to the role that states the AWS CloudFormation Stack Set administrator role. Now within this area, you basically need to add a policy. I'll set an inline policy. Let me open up a JSON, and within my notepad, I already have a sample policy that is created over here. I'll be sharing it after this video so that you can directly use it. So this is the policy that you need to set. You can do a review, and we'll go ahead and do a great policy. I'll say "based policy." I'll go ahead and create a do a great pSo now we have both the roles that are created. In the event that you have multiple AWS accounts, the stack execution role would be created in the destination AWS account. Anyway, so let's come back to the CloudFormation stack. Now within here, we'll select the AWS Cloud Formation stack set administrator role. All right, so this is the role, and the IAM execution role name is the role name that is defined over here. Let's click on "next." Now it is basically asking to deploy stacking accounts. So if you have multiple AWS accounts where your AWS cloud formation stack set execution role is already created, you can specify your account IDs over here. Now, in my case, I already have my account ID. So this is the current account ID where we are doing the practice. I'll just put it here. Now you have to specify the region where you want your template to be deployed to. So for the region, let me select Mumbai, let's select Ireland, and let's select Tokyo. You can select multiple regions as well, and we can go ahead. We can do a Next. So basically, this region that you have created is where our cloud formation stack would be deployed by the stack set that we are creating. Let me do a Next, and let's go ahead and click on be deployed So currently, it is running. Now if you look into the stack instances, it basically says the status is "outdated.Now, this status would change as soon as the CloudFormation stack is deployed across the destination region and the resources are created. Now, one of the regions that we had selected was Mumbai. So let's go to Mumbai here.So within the Mumbai, you see that your stack creation is in process. So that creates a process. So now what the stack set has done is deploy the three stacks across three regions, which are northeastern 1, southern 1, and western 1. And this individual stack will create the appropriate resources, which were part of the sample template that we were using. So now that we've refreshed, we can now conclude that it was deployed in the AP South One region, which is Mumbai. And if we just refresh the Mumbai region, you'll see that "create complete" is the status, and this is the reason why the status is current. Now, as soon as the stack sets up the appropriate stack, both of these would also become current. So let's quickly wait for a moment. Great. So now our stack is deployed across all three regions. And basically, we already discussed that our stack is created in the Mumbai region. If you want to double-check, go to CloudTrail, select the trails, and you'll see the stacks that occurred. Cloud Trail, so this was the trail that was created. So this is a high-level overview of stack sets. I hope by now you have started to understand the idea of stack sets and what flexibility there is and how it allows you to deploy, create, and delete them from the central account. Now, if you want to delete this, you can go to Actions and delete the stacks from Stack Set. Let's click here. You again will have to deploy, and you have to specify the account number. So basically, let's say you have deployed Cloud Trail in five accounts, and now you want to delete the Cloud Trail trail in one account. So you have to specify the account number here. So I'll specify the account number here. Now you have to specify the region. It will only show you the regions where it was deployed to.You can go ahead and you can do a next. And let's click on Submit. So the earlier type was "Create." This type of operation is a delete. So let's quickly wait for a moment for this to be deleted. Great. So the status is now showing as "successful." If you go to stack instances, you should typically see that there are no stack instances. Let me click Refresh from the cloud formation. You should see that the stack is now deleted. and from the cloud trail as well. Let's click on Refresh. You should see that the trail is deleted. So once you have done that, if you want to delete the stack set, you can go to Action. Click on "delete stack set." And now your accent on the stack is also deleted.

New Domain 2 - Design for New Solutions

1. Understanding DOS Attacks

Hey everyone and welcome to the Kplabs course. Now, in today's lecture, we are going to speak about a very interesting topic, which I'm sure most of you will really like, which is called the denial of service. So one thing that I'm sure many of youmight have already heard about denial of service andhow many of the big websites are going downbecause of the denial of service attacks. So let's understand the basics, or what denial-of-service attacks are all about, and then we'll go ahead with our interesting tacticals as well. So in a normal website operation, generally, there is something called "normal traffic." So if this is a website, a websitecan handle a specific amount of traffic. So it can be ten requests per second or it can be 100 requests per second, depending upon the server capacity. So in the normal scenario, you can see the server is all happy. So it is in green where there is a normaltraffic, certain times there can be a high traffic wherethe server resources becomes really busy and the application ofthe website becomes to be quite slow. However, the website remains operational. So the about two use cases you willfind to be a very genuine one. But certain times what attacker tries to do isthey try to generate intentionally this malicious high trafficwith a sole intention to bring the server down. So if you'll see over here in the third-use case, you have a denial of service where a single attacker is generating a lot of requests in such a way that the server is completely down. Now, there is one more attack called "distributed denial of service," where there are multiple parties doing a denial of service attack on the same resource. So one of the differences between a DoS and a DDoS is that in POS, there can be more than one user who is attacking the server. However, in DDoS attacks, there will be hundreds of users across the world who are attacking the same endpoint at the same time, which is why they are called "distributed denial of service" attacks. So DOS and DWS are basically part and parcel of the servers and the network life.Now, the reason why these attacks are so successful is because it is very easy to launch them. And along with that, when you go and inquire about DDoS protection, if you are a system administrator, you will be presented with a big bill that you might have to pay if you really need DDoS protection. However, many of the cloud providers, like AWS, are offering good services like AWS Shield, which can help you protect against the distributed data service attack to a certain extent. So nowadays, the DDoS attacks are very, very big. So if you talk about 2016 itself, which is like two years ago, you had a DDoS of 800 GB/s. You can imagine 800 GB per second worth of traffic. It can actually bring the biggest of the websites down. So let me show you, in a practical example, what a POS attack would look like. So on the left side, I have my Windows machine. And if you look into the CPU utilisation, it is at 3%. So I have a Core I-V, and it is at 3% of Utilization.Now, after I performed a denial-of-service attack, you can see that the CPU instantly went to 100%. So, within a few seconds, DoS attacks increased from 3% to 100%. So, let's not waste time. And let me show you exactly what it would really look like. So first, I have a Windows Ten machine over here. And if you look into the CPU utilization, notmuch, quite empty, around 8% 78% of the utilization. Now, on the right side, I have a Kali Linux machine. And this is where we'll be launching the DoS attacks from. So, let's start. So, just notice the CPU utilisation is quite low at 3% right now. Now, within Kali Linux, there is a great tool called Loic. So Loic is one of the tools that can perform Denial of Service attacks. So, the first thing that you will have to put is eitheryou need to put a URL or you need to put anIP address of the endpoint which you want to attach. So in my case, I'll put the IP address of the endpoint. So, 109, 216–8923. So this is the IP address of my Windows machine. Depending on the firewall and the application, you may be able to employ a variety of attack vectors. So, for my case, I will be using a UDP-based attack vector. Let's start. The first thing you have to do is log on tothe target and just press the I am charging my laser. As you can see, the amount of requests sent by this POLY is astoundingly fast. And note that this virtual machine only has around two GB of RAM. Examine the requests that are being made within two GB of RAM. Now, if I go to the Windows Server, you can see the CPU utilisation is actually at a very high spike rate. So around 89% And after a minute or two, the CPU utilisation will spike to 100% full.And this is the power of a denial of service attack. You seeputil, already reaching 89% anyway. So, if I simply press "Stop flooding," as a counterrequest, I am confident that I will be able to say "ten hundred thousand," "ten lakh," "ten lakh." So, around 13 requests were sent within just 1 minute from a 2 GB RAM virtual machine. So imagine what would happen if you launched this attack vector from a 16 GB RAM server. The volume of requests that will be received will be enormous, and it has the potential to bring down many networks and websites. So coming back to our PowerPoint presentation, I hope you understand what the denial-of-service attack is all about. So, for the time being, we have denied service because there is only one entity. You also have distributed denial of service, where there are multiple users who might run the loyal tool—which we just ran now to a common endpoint. So that is the difference between a DOS and a DDoS. And DDoS attacks are again fairly common. It has actually brought down Twitter,brought a lot of functions, functionalityof Facebook, PayPal and various others.

2. Mitigating DDOS attacks

Hi everyone and welcome back to the Knowledge Code video series. In the previous lectures, we understood the basics of DDoS and what a single machine could do for DDoS-based attacks. So generally, what happens is that hackers use the full botnet of servers to attack the websites, and a lot of websites generally go down because of distributed denial-of-service attacks. So what we'll do today is learn about various techniques for mitigating DDoS attacks on our infrastructure. So there are four major points to understand as far as mitigating DDoS is concerned. The first is being ready to scale as traffic surges. So you should be ready to scale up if the traffic increases. So we'll understand all of these points in detail. So my second point is minimising the attack surface area. This basically means that you should not expose your entire infrastructure structure to the internet because DDoS attacks are most likely to occur in the exposed area, which is usually the public subnet. So this is what the second point says. The third point says to know what is normal and what is abnormal. This is specifically applicable to an enterprise website. They should have a proper metric to understand that this much traffic is normal and this traffic is abnormal. So many important points! The fourth point is creating a plan for attacks. So this basically means: what will you do when there is an ongoing DDoS attack? So you should have a proper plan for that as well. So let's understand each point in detail. So the first point again is to be ready to scale. So basically, our infrastructure, or your infrastructure in AWS, should be designed to scale up as well as scale down whenever required. So this will not only help you during your peak business hours, but it will also help you protect yourself under a DDoS attack. So to scale infrastructure up and scale infrastructure down, there are various AWS services that you can use, specifically ELB and auto scaling. Now, for example, whenever a CPU load is more than 70%, the application server automatically adds one more application server to meet the needs. So generally, in DDoS attacks, there is resource consumption. So let's assume that your application server—your present application server—is consuming 70% of the CPU. Then the auto-scaling group should automatically add one more application server to meet the needs. So this will help you not only in your peak hours, or, as I would say, suddenly when the traffic comes, but also when there is a DDoS attack going on. It is very important to always have your infrastructure ready for scaling. This is the first point. The second point is to minimise the attack service surface area. So again, this is possible if you have a proper decoupled infrastructure. So as with PCI, DS also says that one server should be used for one service; there cannot be multiple services on a single server. So, for example, an application and database server should not be in the same EC2 instance. Now, let's assume that you have a single EC2 instance running both the application and database server. So if you have such a scenario and if there is a vDOS attack that is happening on that particular EC2 instance, not only your application server will go down, but along with that, even your database will go down. Now, if, for example, you have a separate EC2 instance for application and database, and if you have a sudden DDoS attack, then this application server will go down. In the worst case, your database server will still be up and running. So, it's very important to always have a decoupled infrastructure, and in order to have a decoupled infrastructure, there are various services like SQS and elasticbeanstalk that will help you. The third important point is to know what is normal and what is abnormal. So there should be a key matrix that defines that this is normal behavior. So again, an example is that of a website that is receiving huge traffic in the middle of the night at 3:00 a.m. So assume that you have an e-commerce-based website, and suddenly at 3 a.m. on a Saturday you're getting a huge spike in traffic. That is actually abnormal. Now you can know that that is abnormal because during the night, an e-commerce website for a specific country will not receive a huge amount of traffic. So similar to this, you should have a key matrix that can help you as a security engineer determine whether this amount of traffic at this time, for example, is normal or abnormal. So again, various services can help you, like Cloud Watch and SNS, which are important services that can help in this case. Now the fourth and most important point is creating a plan for attack. So let's assume that there is an ongoing attack on your infrastructure. How you will mitigate or what action you will take in this scenario is extremely important. So you should have a plan to mitigate DDoS attacks or ongoing DDoS attacks. So for example, let's assume that there is a DDoS attack going on and you are not aware of what exactly is happening. So a very simple way to analyse if it is a DSA attack or not is to check whether the source IP address of the request that has searched the traffic is the same. The second important point is to check from which country the increased traffic is coming from.So if you have an ecommerce website basedon India and suddenly you are finding hugeamount of traffic coming from another country, thatdefinitely means that that traffic is basically suspicious. Third, understand the nature of the attack. So if attack is sin flood or ifthe attack is at the application level. So, once you understand the nature of the attacks, you can decide what countermeasures to take. So if it is a simpler-based attack, then maybe you can work around it with, say, network AC or a security group. But if it is an application-level attack, then maybe you might need a web application firewall, et cetera. So in order to understand how you can prevent an attack, you should know the nature of an attack. And the fourth point is that it can be blocked at the network ACL or security group level. So example again if a source IP address,most of the traffic is coming from aspecific IP address, then you can directly blockthat IP address as a network ACL level. And the last point to remember, which AWS also recommends here, is that it is recommended to have AWS support, at least for business support. So whenever you are having a DDoS attack, you can immediately contact AWS Support, and they, along with your security engineers, can help you work around the ongoing attack. So, four very important points. Now there are various services that will help you protect against DDoS attacks, like Amazon CloudFront. It is one of the major services that can help you protect against DDoS attacks. The second is route 53. Then you have various services like auto-scaling, web applications, firewalls, ELBVPC Security Groups, and network ACLs. So generally, as far as exams are concerned, specifically in a security specialty exam, whenever you see a DDoS attack, they might ask you what the prevention measures are to protect against those DDoS attacks. And again, the number one prevention mechanism I would say that we are having an AWS cloud front. Two very important services Amazon has released a very nice webinar, or should I say video, on mitigating DDoS attacks. I attach the link along with this module. I would strongly advise you to watch that video at least once because it goes into far too much technical detail about how CloudFront or Route53 can actually help you protect against a DDoS attack. So it goes into the Sin Flood and how cloud fronts can mitigate the Sin Flood-based attacks and those things. So, it's really recommended to watch this video. So that's the fundamentals of mitigating DDoS attacks. So I hope this has been useful for you. And this is again a very important question as far as the exams are concerned. So I would really recommend you watch and understand these. So this is it about this lecture. I hope this has been informed and informative, and I'd like to thank you for viewing.

3. AWS Sheild

Hey everyone and welcome back. In today's video, we will be discussing the AWS Shield. Now, AWS Shield is basically managed distributed denial of service protection. AWS Shield is essentially a managed DDoS service that serves. Now AWS Shield basically helps you protect your workloads against distributed denial of service attacks. Now, there are two tyres of AW Shield that are available. One is the Shield Standard. And second is Shield Advance. Now one of the very common scenarios nowadays is a distributed denial of service attack, which actually brings the website down. And this is the reason why a lot of customers have been asking for a solution that can protect against a large-scale DDoS attack, and AWS Shield is one of the solutions that can help against this scenario. Now speaking about the two variants of Shield, which are Shield Standard and Shield Advanced, let's understand the difference between them. Now, when it comes to the AWS Shield standard, it basically provides a basic level of protection against the common attacks related to the transport and the network layers of the OSI tag. Now, when it comes to a higher level of protection, AWS Shield Advance is the right choice. Now, Shield Advance basically protects against various sophisticated distributed denial-of-service of Service attack.And one good thing about Shield is that it provides near-real-time visibility into the attack that is occurring or that might be occurring within the organization. Now, along with that, AW Shield Advanced gives customers 24x7 access to the AWS DDoS Response Team, which is also referred to as the DRT during the ongoing attack. So let's assume that your organisation is already facing a massive DDoS attack. So what you can do is contact the AWS DRT team, which will help you with other measures that can be taken to protect against those attacks. Now, the next important part to remember is the AWS Shield-related cost and credit factor. Now AW Shield Advance will cost you a base of $3,000 per organization, and it basically requires you to have business or enterprise support. Now one of the interesting parts about AWS Shield is that during the attack, let's assume that you have Shield Advance enabled and have received a huge amount of attack, due to which your infrastructure costs will also increase. So AWS will basically return you that money in the form of credits. Now remember, it does not offer you credit for all the AWS resources. There are certain AWS resources, like route 53 ELP CloudFront, for which the credits will be returned to you if you have seen a search due to a DDoS attack. This is a screenshot of ShieldAdvance as it actually appears. If you are interested, you can pay $3,000, and you can see in real time what Shield Advance would really give you. But I'm sure that we will be content with a few screenshots to just see what exactly it might look like. So these are a few screenshots related to the Shield Advance. Now, before we conclude the lecture, I just wanted to show you the shield on the console. So within the Waffen Shield page of AWS, you can go to the AWS Shield, and basically on the start page, it will give you a comparison between AWS Shield Standard and AWS Shield Advanced. So these are all the comparisons. If you look, this is the cost of protection where it reimburses. AWS will reimburse the cost related to Route 53 CloudFront as well as ELB. And along with that, you can activate the ShieldAdvance, where the base price is $3,000 per month. And you have an additional data fee charge as well.

Go to testing centre with ease on our mind when you use Amazon AWS Certified Solutions Architect - Professional vce exam dumps, practice test questions and answers. Amazon AWS Certified Solutions Architect - Professional AWS Certified Solutions Architect - Professional (SAP-C01) certification practice test questions and answers, study guide, exam dumps and video training course in vce format to help you study with ease. Prepare with confidence and study using Amazon AWS Certified Solutions Architect - Professional exam dumps & practice test questions and answers vce from ExamCollection.