Test domain 3: Design Secure Applications and Architectures

This domain makes up 24% of the exam and includes the following three objectives:

  1. Design secure access to AWS resources.
  2. Design secure application tiers.
  3. Select appropriate data security options.

What you need to know

Here are some things you should know about:
You need to understand how to use native AWS technologies and solution architecture to create secure applications. This includes configuring security controls for authentication, authorization, and access as well as applying encryption to data.
You need to know how to design isolation and separation through AWS service architecture, Amazon EC2 instance deployment options, and Amazon VPC configuration.
You should also understand the best practices for implementing services in the most secure manner, as well as the best practices for creating users, groups, and roles with AWS IAM. You also need to know which services support Multi-Factor Authentication. In addition, you should have a thorough understanding of the available AWS Directory Services and when to use each of them.
Questions asking you to identify which technologies include DDoS mitigation come up often. These include AWS Auto Scaling, Amazon CloudFront, and Amazon Route 53.
You should also know how to implement monitoring and logging using Amazon CloudWatch and AWS CloudTrail, when and what penetration testing you are allowed to perform within the AWS cloud, and what compliance programs AWS complies with.
Technologies you need to know for domain 3 include Amazon VPC, AWS KMS, AWS CloudHSM, AWS IAM, Amazon Cognito, and AWS Directory Services.
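The points above about MFA and IAM best practices are easier to retain with something concrete to check against. The following is an added example, not part of the original study guide: a small offline audit that classifies the MFA posture of Cognito user pools and tests whether an IAM policy actually requires MFA. The user-pool dicts are constructed to mirror the shape of the cognito-idp GetUserPoolMfaConfig response (MfaConfiguration is OFF, ON or OPTIONAL), and the policy documents use the real aws:MultiFactorAuthPresent condition key, including the documented "deny everything unless MFA is present" pattern. No AWS calls are made; the pool names and policy contents are sample values.

```python
"""Offline MFA posture audit for Cognito user pools and IAM policies.

Added example (not from the original page). Inputs are constructed to
mirror boto3 response / policy document shapes; nothing calls AWS.
"""

# Constructed samples shaped like cognito-idp get_user_pool_mfa_config() output.
SAMPLE_MFA_CONFIGS = {
    "mobile-app-pool": {"MfaConfiguration": "OFF"},
    "optional-pool": {
        "MfaConfiguration": "OPTIONAL",
        "SmsMfaConfiguration": {"SmsAuthenticationMessage": "Your code is {####}"},
    },
    "hardened-pool": {
        "MfaConfiguration": "ON",
        "SoftwareTokenMfaConfiguration": {"Enabled": True},
    },
}

# Constructed IAM policy documents. The condition key is real; the actions are samples.
POLICY_NO_MFA = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}],
}
POLICY_ALLOW_WITH_MFA = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow", "Action": "s3:GetObject", "Resource": "*",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }],
}
POLICY_DENY_WITHOUT_MFA = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        # AWS-documented pattern: deny all actions when MFA is absent or not asserted.
        {"Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}


def classify_pool_mfa(cfg):
    """Summarise a user pool's MFA mode and which factors are configured."""
    mode = cfg.get("MfaConfiguration", "OFF")
    factors = []
    if cfg.get("SoftwareTokenMfaConfiguration", {}).get("Enabled"):
        factors.append("TOTP")
    if "SmsMfaConfiguration" in cfg:
        factors.append("SMS")
    # Only ON with at least one factor actually forces a second factor at sign-in.
    return {"mode": mode, "factors": factors, "enforced": mode == "ON" and bool(factors)}


def _statements(policy):
    stmts = policy.get("Statement", [])
    return stmts if isinstance(stmts, list) else [stmts]


def _has_mfa_condition(stmt, operator, expected):
    cond = stmt.get("Condition", {}).get(operator, {})
    return str(cond.get("aws:MultiFactorAuthPresent", "")).lower() == expected


def policy_requires_mfa(policy):
    """True if every path to an Allow in this policy depends on MFA being present."""
    stmts = _statements(policy)
    # A blanket Deny-without-MFA statement covers every Allow in the policy.
    if any(s.get("Effect") == "Deny" and _has_mfa_condition(s, "BoolIfExists", "false")
           for s in stmts):
        return True
    allows = [s for s in stmts if s.get("Effect") == "Allow"]
    return bool(allows) and all(_has_mfa_condition(s, "Bool", "true") for s in allows)


def audit(pool_configs, policies):
    """Return human-readable findings for pools and policies that do not enforce MFA."""
    findings = []
    for name, cfg in pool_configs.items():
        summary = classify_pool_mfa(cfg)
        if not summary["enforced"]:
            findings.append(f"user pool {name}: MFA mode {summary['mode']}, not enforced")
    for name, doc in policies.items():
        if not policy_requires_mfa(doc):
            findings.append(f"IAM policy {name}: grants access without an MFA condition")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_MFA_CONFIGS, {"no-mfa": POLICY_NO_MFA,
                                          "allow-with-mfa": POLICY_ALLOW_WITH_MFA,
                                          "deny-without-mfa": POLICY_DENY_WITHOUT_MFA}):
        print(line)
```

Running the block prints one finding for each of the two pools that do not force a second factor and one for the policy that lacks an MFA condition; the two policies that carry the condition are silent. The distinction the audit draws, a pool set to OPTIONAL versus ON, and an Allow that merely mentions MFA versus a policy whose every Allow depends on it, is exactly the kind of detail the exam expects you to reason about.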

Here are some example questions you can expect from this test domain:

1. The development team at your company has created a new mobile application that will be used by users to access confidential data. The developers have used Amazon Cognito for authentication, authorization, and user management. Due to the data’s sensitivity, there is a requirement to add another method of authentication in addition to a username and password.

You have been asked to recommend the best solution. What is your recommendation?

A) Integrate IAM with a user pool in Cognito.
B) Enable Multi-Factor Authentication (MFA) in IAM.
C) Integrate a third-party identity provider (IdP).
D) Use Multi-Factor Authentication (MFA) with a Cognito user pool.

Test domain 4: Design Cost-Optimized Architectures

This domain makes up 18% of the exam and includes the following objectives:

  1. Identify cost-effective storage solutions.
  2. Identify cost-effective compute and database services.
  3. Design cost-optimized network architectures.

What you need to know

Here are some things you should know about:
This small but important area of the exam requires architects to consider cost-effectiveness when deploying applications on AWS.
You need to understand the various cost models of compute and storage services, what you pay for, and what the best choices would be given a specific scenario.

Here are some example questions you can expect from this test domain:

1. You need to run a production batch process quickly. This batch will use several EC2 instances. The process cannot be interrupted and must be completed within a short time period.

What is likely to be the most cost-effective choice of EC2 instance type to use for this requirement?

A) Reserved instances
B) Spot instances
C) On-demand instances
D) Flexible instances

Up next

Now that you are familiar with the exam structure and test domains, the upcoming lesson will discuss all the services and technologies that the exam will test.

The chapters are broken down based on the technologies that they discuss. Each chapter concludes with a short quiz.