Ends in
00
days
00
hrs
00
mins
00
secs
LEARN MORE

SALE! AWS Specialty Practice Exams at $15.99 USD each ONLY instead of $17.99

AWS Certified Solutions Architect Associate Exam – SAA-C02 Study Path

The AWS Certified Solutions Architect Associate SAA-C02 exam, or SAA for short, is one of the most sought after certifications in the Cloud industry. This certification attests to your knowledge of the AWS Cloud and building a well-architected infrastructure in AWS.

As a Solutions Architect, it is your responsibility to be familiar with the services that meet your customer requirements. Aside from that, you should also have the knowledge to create an efficient, secure, reliable, fault tolerant, and cost-effective infrastructure out of these services. Your AWS SA Associate exam will be based upon these topics.

Whitepapers, FAQs, and the AWS Documentation will be your primary study materials for this exam. Experience in building systems will also be helpful, since the exam constitutes of multiple scenario type questions. You can learn more details on your exam through the official SAA-C02 Exam Guide here. Do a quick read on it to be aware of how to prepare and what to expect on the exam itself.

SAA-C02 Study Materials

For the AWS Certified Solutions Architect Associate exam, we recommend going through the FREE AWS Exam Readiness video course, official AWS sample questions, AWS whitepapers, FAQs, AWS cheat sheets, and AWS practice exams.

"Exam

We recommend that you read the following whitepapers for your review. They contain a lot of concepts and strategies which are important for you to know.

  1. Overview of Amazon Web Services: This paper provides a good introduction on Cloud Computing, the AWS Global Infrastructure, and the available AWS Services. Reading this whitepaper before proceeding to the other whitepapers below will clear up many jargons found on the succeeding materials.
  2. AWS Well Architected Framework: This paper is the most important one to read. It discusses the Five Pillars of a Well Architected Framework, with each pillar having a whitepaper of its own, and can all be found on this webpage. Be sure to understand well architected framework not just conceptually, but also in actual practice and application.
  3. AWS Best Practices: This paper teaches you the best practices to perform when running your applications in AWS. It points out the advantages of Cloud over traditional hosting infrastructures and how you can implement them to keep your applications up and running all the time. The SA Associate exam will include questions that will test your knowledge on the best practices through different example scenarios.
  4. Using Amazon Web Services for Disaster Recovery: This paper explains the different types of disaster recovery plans that you can perform in AWS. It is your responsibility as a Solutions Architect to mitigate any potential downtime when disaster strikes. Depending on your RPO and RTO, a proper disaster recovery plan will be a deciding factor between business continuity and revenue loss.

Additional SAA-C02 Whitepapers 

  1. AWS Security Practices: This paper supplements your study on the AWS services and features such as IAM, Security Groups, nACLs, etc. You should read this paper since security specific questions occasionally pop up in the exam.
  2. AWS Storage Services Overview:  This paper supplements your study on the different AWS Storage options such as S3, EBS, EFS, Glacier, etc. It contains a good detail of information and comparison for each storage service, which is crucial in knowing the best service to use for a situation.
  3. Building Fault-Tolerant Applications on AWS: This paper discusses the many ways you can ensure your applications are fault-tolerant in AWS. It also contains multiple scenarios where the practices are applied and which AWS services were crucial for the scenario.

Core AWS Services to Focus On for the SAA-C02 Exam

  1. EC2 – As the most fundamental compute service offered by AWS, you should know about EC2 inside out.
  2. Lambda – Lambda is the common service used for serverless applications. Study how it is integrated with other AWS services to build a full stack serverless app.
  3. Elastic Load Balancer – Load balancing is very important for a highly available system. Study about the different types of ELBs, and the features each of them supports.
  4. Auto Scaling – Study what services in AWS can be auto scaled, what triggers scaling, and how auto scaling increases/decreases the number of instances.
  5. Elastic Block Store – As the primary storage solution of EC2, study on the types of EBS volumes available. Also study how to secure, backup and restore EBS volumes.
  6. IT Certification Category (English)728x90
  7. S3 / Glacier – AWS offers many types of S3 storage depending on your needs. Study what these types are and what differs between them. Also review on the capabilities of S3 such as hosting a static website, securing access to objects using policies, lifecycle policies, etc. Learn as much about S3 as you can.
  8. Storage Gateway – There are occasional questions about Storage Gateway in the exam. You should understand when and which type of Storage Gateway should be used compared to using services like S3 or EBS. You should also know the use cases and differences between DataSync and Storage Gateway.
  9. EFS – EFS is a service highly associated with EC2, much like EBS. Understand when to use EFS, compared to using S3, EBS or instance store. Exam questions involving EFS usually ask the trade off between cost and efficiency of the service compared to other storage services.
  10. RDS / Aurora – Know how each RDS database differs from one another, and how they are different from Aurora. Determine what makes Aurora unique, and when it should be preferred from other databases (in terms of function, speed, cost, etc). Learn about parameter groups, option groups, and subnet groups.
  11. DynamoDB – The exam includes lots of DynamoDB questions, so read as much about this service as you can. Consider how DynamoDB compares to RDS, Elasticache and Redshift. This service is also commonly used for serverless applications along with Lambda.
  12. Elasticache – Familiarize yourself with Elasticache redis and its functions. Determine the areas/services where you can place a caching mechanism to improve data throughput, such as managing session state of an ELB, optimizing RDS instances, etc.
  13. VPC/NACL/Security Groups – Study every service that is used to create a VPC (subnets, route tables, internet gateways, nat gateways, VPN gateways, etc). Also, review on the differences of network access control lists and security groups, and during which situations they are applied.
  14. Route 53 – Study the different types of records in Route 53. Study also the different routing policies. Know what hosted zones and domains are.
  15. IAM – Services such as IAM Users, Groups, Policies and Roles are the most important to learn. Study how IAM integrates with other services and how it secures your application through different policies. Also read on the best practices when using IAM.
  16. CloudWatch – Study how monitoring is done in AWS and what types of metrics are sent to CloudWatch. Also read upon Cloudwatch Logs, CloudWatch Alarms, and the custom metrics made available with CloudWatch Agent.
  17. CloudTrail – Familiarize yourself with how CloudTrail works, and what kinds of logs it stores as compared to CloudWatch Logs.
  18. Kinesis – Read about Kinesis sharding and Kinesis Data Streams. Have a high level understanding of how each type of Kinesis Stream works.
  19. CloudFront – Study how CloudFront helps speed up websites. Know what content sources CloudFront can serve from. Also check the kinds of certificates CloudFront accepts.
  20. SQS – Gather info on why SQS is helpful in decoupling systems. Study how messages in the queues are being managed (standard queues, FIFO queues, dead letter queues). Know the differences between SQS, SNS, SES, and Amazon MQ.
  21. SNS – Study the function of SNS and what services can be integrated with it. Also be familiar with the supported recipients of SNS notifications.
  22. SWF / CloudFormation / OpsWorks – Study how these services function. Differentiate the capabilities and use cases of each of them. Have a high level understanding of the kinds of scenarios they are usually used in.

Other SAA-C02 AWS Services that you should prepare for:

For the exam version ( SAA-C02 ), you should also know the following services:

… plus a few more services and new SAA-C02 topics that we have recently added to our AWS Certified Solutions Architect Associate Practice Exams.

For more information, check out the SAA-C02 official exam guide here.

Based on our exam experience, you should also know when to use the following:

The AWS Documentation and FAQs will be your primary source of information. You can also visit Tutorials Dojo’s AWS Cheat Sheets to gain access to a repository of thorough content on the different AWS services mentioned above. Lastly, try out these services yourself by signing up in AWS and performing some lab exercises. Experiencing them on your own will help you greatly in remembering what each service is capable of.

Also check out this article: Top 5 FREE AWS Review Materials.

Common Exam Scenarios for the SAA-C02 exam 

Scenario

Solution

Domain 1: Design Resilient Architectures

Set up asynchronous data replication to another RDS DB instance hosted in another AWS Region

Create a Read Replica

A parallel file system for “hot” (frequently accessed) data

Amazon FSx For Lustre

Implement synchronous data replication across Availability Zones with automatic failover in Amazon RDS.

Enable Multi-AZ deployment in Amazon RDS.

Needs a storage service to host “cold” (infrequently accessed) data

Amazon S3 Glacier

Set up a relational database and a disaster recovery plan with an RPO of 1 second and RTO of less than 1 minute.

Use Amazon Aurora Global Database.

Monitor database metrics and send email notifications if a specific threshold has been breached.

Create an SNS topic and add the topic in the CloudWatch alarm.

Set up a DNS failover to a static website.

Use Route 53 with the failover option to a static S3 website bucket or CloudFront distribution.

Implement an automated backup for all the EBS Volumes.

Use Amazon Data Lifecycle Manager to automate the creation of EBS snapshots.

Monitor the available swap space of your EC2 instances

Install the CloudWatch agent and monitor the SwapUtilizationmetric.

Implement a 90-day backup retention policy on Amazon Aurora.

Use AWS Backup

Domain 2: Design High-Performing Architectures

Implement a fanout messaging.

Create an SNS topic with a message filtering policy and configure multiple SQS queues to subscribe to the topic.

A database that has a read replication latency of less than 1 second.

Use Amazon Aurora with cross-region replicas.

A specific type of Elastic Load Balancer that uses UDP as the protocol for communication between clients and thousands of game servers around the world.

Use Network Load Balancer for TCP/UDP protocols.

Monitor the memory and disk space utilization of an EC2 instance.

Install Amazon CloudWatch agent on the instance.

Retrieve a subset of data from a large CSV file stored in the S3 bucket.

Perform an S3 Select operation based on the bucket’s name and object’s key.

Upload 1 TB file to an S3 bucket.

Use Amazon S3 multipart upload API to upload large objects in parts.

Improve the performance of the application by reducing the response times from milliseconds to microseconds.

Use Amazon DynamoDB Accelerator (DAX)

Retrieve the instance ID, public keys, and public IP address of an EC2 instance.

Access the URL: http://169.254.169.254/latest/meta-data/ using the EC2 instance.

Route the internet traffic to the resources based on the location of the user.

Use Route 53 Geolocation Routing policy.

Domain 3: Design Secure Applications and Architectures

Encrypt EBS volumes restored from the unencrypted EBS snapshots

Copy the snapshot and enable encryption with a new symmetric CMK while creating an EBS volume using the snapshot.

Limit the maximum number of requests from a single IP address.

Create a rate-based rule in AWS WAF and set the rate limit.

Grant the bucket owner full access to all uploaded objects in the S3 bucket.

Create a bucket policy that requires users to set the object’s ACL to bucket-owner-full-control.

Protect objects in the S3 bucket from accidental deletion or overwrite.

Enable versioning and MFA delete.

Access resources on both on-premises and AWS using on-premises credentials that are stored in Active Directory.

Set up SAML 2.0-Based Federation by using a Microsoft Active Directory Federation Service.

Secure the sensitive data stored in EBS volumes

Enable EBS Encryption

Ensure that the data-in-transit and data-at-rest of the Amazon S3 bucket is always encrypted

Enable Amazon S3 Server-Side or use Client-Side Encryption

Secure the web application by allowing multiple domains to serve SSL traffic over the same IP address.

Use AWS Certificate Manager to generate an SSL certificate. Associate the certificate to the CloudFront distribution and enable Server Name Indication (SNI).

Control the access for several S3 buckets by using a gateway endpoint to allow access to trusted buckets.

Create an endpoint policy for trusted S3 buckets.

Enforce strict compliance by tracking all the configuration changes made to any AWS services.

Set up a rule in AWS Config to identify compliant and non-compliant services.

Provide short-lived access tokens that act as temporary security credentials to allow access to AWS resources.

Use AWS Security Token Service

Encrypt and rotate all the database credentials, API keys, and other secrets on a regular basis.

Use AWS Secrets Manager and enable automatic rotation of credentials.

Domain 4: Design Cost-Optimized Architectures

A cost-effective solution for over-provisioning of resources.

Configure a target tracking scaling in ASG.

The application data is stored in a tape backup solution. The backup data must be preserved for up to 10 years.

Use AWS Storage Gateway to backup the data directly to Amazon S3 Glacier Deep Archive.

Accelerate the transfer of historical records from on-premises to AWS over the Internet in a cost-effective manner.

Use AWS DataSync and select Amazon S3 Glacier Deep Archive as the destination.

Globally deliver the static contents and media files to customers around the world with low latency.

Store the files in Amazon S3 and create a CloudFront distribution. Select the S3 bucket as the origin.

An application must be hosted to two EC2 instances and should continuously run for three years. The CPU utilization of the EC2 instances is expected to be stable and predictable.

Deploy the application to a Reserved instance.

Implement a cost-effective solution for S3 objects that are accessed less frequently.

Create an Amazon S3 lifecyle policy to move the objects to Amazon S3 Standard-IA.

Minimize the data transfer costs between two EC2 instances.

Deploy the EC2 instances in the same Region.

Import the SSL/TLS certificate of the application.

Import the certificate into AWS Certificate Manager or upload it to AWS IAM.

 

AWS Certified Solutions Architect Associate Video Course – Early Access Release

This is a concise Solutions Architect Associate video training course that will equip you with the exam-specific knowledge that you need to understand in order to pass the SAA exam. Click here to enroll. Here is a sneak peek of our video course introduction:

Validate Your Knowledge

When you are feeling confident with your review, it is best to validate your knowledge through sample exams. You can take this practice exam from AWS for free as additional material, but do not expect your real exam to be on the same level of difficulty as this practice exam on the AWS website. Tutorials Dojo offers a very useful and well-reviewed set of practice tests for AWS Solutions Architect Associate SAA-C02 takers here. The practice test has a total of 390 unique questions and each question comes with detailed explanations, reference links, and cheat sheets. You can also pair our practice exams with our video course and exam study guide eBook to further help in your exam preparations.

If you have scored well on the Tutorials Dojo AWS Certified Solutions Architect Associate practice tests and you think you are ready, then go earn your certification! If you think you are lacking in certain areas, better review them again and take note of any hints in the questions that will help you select the correct answers. If you are not that confident that you’ll pass, then it would be best to reschedule your exam to another day and take your time preparing for it. In the end, the efforts you have put in for this will surely reward you.

AWS Certified Solutions Architect Associate New SAA-C02 2021

Sample SAA-C02 Practice Test Questions:

Question 1

A company hosted an e-commerce website on an Auto Scaling group of EC2 instances behind an Application Load Balancer. The Solutions Architect noticed that the website is receiving a large number of illegitimate external requests from multiple systems with IP addresses that constantly change. To resolve the performance issues, the Solutions Architect must implement a solution that would block the illegitimate requests with minimal impact on legitimate traffic.

Which of the following options fulfills this requirement?

  1. Create a regular rule in AWS WAF and associate the web ACL to an Application Load Balancer.
  2. Create a custom network ACL and associate it with the subnet of the Application Load Balancer to block the offending requests.
  3. Create a rate-based rule in AWS WAF and associate the web ACL to an Application Load Balancer.
  4. Create a custom rule in the security group of the Application Load Balancer to block the offending requests.

Correct Answer: 3

AWS WAF is tightly integrated with Amazon CloudFront, the Application Load Balancer (ALB), Amazon API Gateway, and AWS AppSync – services that AWS customers commonly use to deliver content for their websites and applications. When you use AWS WAF on Amazon CloudFront, your rules run in all AWS Edge Locations, located around the world close to your end-users. This means security doesn’t come at the expense of performance. Blocked requests are stopped before they reach your web servers. When you use AWS WAF on regional services, such as Application Load Balancer, Amazon API Gateway, and AWS AppSync, your rules run in the region and can be used to protect Internet-facing resources as well as internal resources.

A rate-based rule tracks the rate of requests for each originating IP address and triggers the rule action on IPs with rates that go over a limit. You set the limit as the number of requests per 5-minute time span. You can use this type of rule to put a temporary block on requests from an IP address that’s sending excessive requests.

Based on the given scenario, the requirement is to limit the number of requests from the illegitimate requests without affecting the genuine requests. To accomplish this requirement, you can use AWS WAF web ACL. There are two types of rules in creating your own web ACL rule: regular and rate-based rules. You need to select the latter to add a rate limit to your web ACL. After creating the web ACL, you can associate it with ALB. When the rule action triggers, AWS WAF applies the action to additional requests from the IP address until the request rate falls below the limit.

Hence, the correct answer is: Create a rate-based rule in AWS WAF and associate the web ACL to an Application Load Balancer.

The option that says: Create a regular rule in AWS WAF and associate the web ACL to an Application Load Balancer is incorrect because a regular rule only matches the statement defined in the rule. If you need to add a rate limit to your rule, you should create a rate-based rule.

The option that says: Create a custom network ACL and associate it with the subnet of the Application Load Balancer to block the offending requests is incorrect. Although NACLs can help you block incoming traffic, this option wouldn’t be able to limit the number of requests from a single IP address that is dynamically changing.

The option that says: Create a custom rule in the security group of the Application Load Balancer to block the offending requests is incorrect because the security group can only allow incoming traffic. Remember that you can’t deny traffic using security groups. In addition, it is not capable of limiting the rate of traffic to your application unlike AWS WAF.

References:
https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-rate-based.html
https://aws.amazon.com/waf/faqs/

Check out this AWS WAF Cheat Sheet:
https://tutorialsdojo.com/aws-waf/

Question 2

An AI-powered Forex trading application consumes thousands of data sets to train its machine learning model. The application’s workload requires a high-performance, parallel hot storage to process the training datasets concurrently. It also needs cost-effective cold storage to archive those datasets that yield low profit.

Which of the following Amazon storage services should the developer use?

  1. Use Amazon FSx For Lustre and Amazon EBS Provisioned IOPS SSD (io1) volumes for hot and cold storage respectively.
  2. Use Amazon FSx For Lustre and Amazon S3 for hot and cold storage respectively.
  3. Use Amazon Elastic File System and Amazon S3 for hot and cold storage respectively.
  4. Use Amazon FSx For Windows File Server and Amazon S3 for hot and cold storage respectively.

Correct Answer: 2

Hot storage refers to the storage that keeps frequently accessed data (hot data). Warm storage refers to the storage that keeps less frequently accessed data (warm data). Cold storage refers to the storage that keeps rarely accessed data (cold data). In terms of pricing, the colder the data, the cheaper it is to store, and the costlier it is to access when needed.

"Sample

Amazon FSx For Lustre is a high-performance file system for fast processing of workloads. Lustre is a popular open-source parallel file system which stores data across multiple network file servers to maximize performance and reduce bottlenecks.

Amazon FSx for Windows File Server is a fully managed Microsoft Windows file system with full support for the SMB protocol, Windows NTFS, Microsoft Active Directory ( AD ) Integration.

Amazon Elastic File System is a fully-managed file storage service that makes it easy to set up and scale file storage in the Amazon Cloud. 

Amazon S3 is an object storage service that offers industry-leading scalability, data availability, security, and performance. S3 offers different storage tiers for different use cases ( frequently accessed data, infrequently accessed data, and rarely accessed data ).

 The question has two requirements:

  1. High-performance, parallel hot storage to process the training datasets concurrently.
  2. Cost-effective cold storage to keep the archived datasets that are accessed infrequently

In this case, we can use Amazon FSx For Lustre for the first requirement, as it provides a high-performance, parallel file system for hot data. On the second requirement, we can use Amazon S3 for storing the cold data. Amazon S3 supports a cold storage system via Amazon S3 Glacier / Glacier Deep Archive.

Hence, the correct answer is: Use Amazon FSx For Lustre and Amazon S3 for hot and cold storage respectively.

Using Amazon FSx For Lustre and Amazon EBS Provisioned IOPS SSD (io1) volumes for hot and cold storage respectively is incorrect because the Provisioned IOPS SSD ( io1 ) volumes are designed as a hot storage to meet the needs of I/O-intensive workloads. EBS has a storage option called Cold HDD but it is not used for storing cold data. In addition, EBS Cold HDD is a lot more expensive than using Amazon S3 Glacier / Glacier Deep Archive.

Using Amazon Elastic File System and Amazon S3 for hot and cold storage respectively is incorrect because although EFS supports concurrent access to data, it does not have the high-performance ability that is required for machine learning workloads.

Using Amazon FSx For Windows File Server and Amazon S3 for hot and cold storage respectively is incorrect because Amazon FSx For Windows File Server does not have a parallel file system, unlike Lustre.

References:
https://aws.amazon.com/fsx/
https://docs.aws.amazon.com/whitepapers/latest/cost-optimization-storage-optimization/aws-storage-services.html
https://aws.amazon.com/blogs/startups/picking-the-right-data-store-for-your-workload/

Check out this Amazon FSx Cheat Sheet:
https://tutorialsdojo.com/amazon-fsx/

Click here for more AWS Certified Solutions Architect Associate practice exam questions.

Check out our other AWS practice test courses here:

Tutorials Dojo AWS Practice Tests

To increase your chances of passing the AWS Certified Solutions Architect Associate exam, we recommend using a combination of our video course, our practice tests, and our study guide eBook. You can view our triple bundles here.

Additional SAA-C02 Training Materials: High-Quality Video Courses for the AWS Certified Solutions Architect Associate Exam

There are a few top-rated AWS Certified Solutions Architect Associate SAA-C02 video courses that you can check out as well, which can help in your exam preparations. The list below is constantly updated based on feedback from our students on which course/s helped them the most during their exams.

  1. AWS Certified Solutions Architect – Associate by Adrian Cantrill

Some notes regarding your SAA-C02 exam

The AWS Solutions Architect Associate (SAA-C02) exam loves to end questions that ask for highly available or cost-effective solutions. Be sure to understand the choices provided to you, and verify that they have correct details. Some choices are very misleading such that it seems it is the most appropriate answer to the question, but contains an incorrect detail of some service. 

When unsure of which options are correct in a multi-select question, try to eliminate some of the choices that you believe are false. This will help narrow down the feasible answers to that question. The same goes for multiple choice type questions. Be extra careful as well when selecting the number of answers you submit. Check out the tips mentioned in this article for more information.

As mentioned in this review, you should be able to differentiate services that belong in one category with one another. Common comparisons include:

  • EC2 vs ECS vs Lambda
  • S3 vs EBS vs EFS
  • CloudFormation vs OpsWorks vs Elastic Beanstalk
  • SQS vs SNS vs SES vs MQ
  • Security Group vs nACLs
  • The different S3 storage types vs Glacier
  • RDS vs DynamoDB vs Elasticache
  • RDS engines vs Aurora

The Tutorials Dojo Comparison of AWS Services contains excellent cheat sheets comparing these seemingly similar services which are crucial to solving the tricky scenario-based questions in the actual exam. By knowing each service’s capabilities and use cases, you can consider these types of questions already half-solved.

Lastly, be on the lookout for “key terms” that will help you realize the answer faster. Words such as millisecond latency, serverless, managed, highly available, most cost-effective, fault-tolerant, mobile, streaming, object storage, archival, polling, push notifications, etc are commonly seen in the exam. Time management is very important when taking AWS certification exams, so be sure to monitor the time you consume for each question.

AWS Specialty Practice Exams SALE!

NEW! AWS Certified Developer Associate Video Course (Early Access Release)

NEW! AWS Certified Solutions Architect Associate Video Course [Early Access Release]

Pass your AWS, Azure, and Google Cloud Certifications with the Tutorials Dojo Portal

Tutorials Dojo portal

Our Bestselling AWS Certified Solutions Architect Associate Practice Exams

AWS Certified Solutions Architect Associate Practice Exams

Enroll Now – Our AWS Practice Exams with 95% Passing Rate

AWS Practice Exams Tutorials Dojo

FREE AWS Cloud Practitioner Essentials Course!

Enroll Now – Our Azure Certification Exam Reviewers

azure reviewers tutorials dojo

Enroll Now – Our Google Cloud Certification Exam Reviewers

Tutorials Dojo Exam Study Guide eBooks

tutorials dojo study guide eBook

Subscribe to our YouTube Channel

Tutorials Dojo YouTube Channel

FREE Intro to Cloud Computing for Beginners

FREE AWS, Azure, GCP Practice Test Samplers

Browse Other Courses

Generic Category (English)300x250

Recent Posts

AWS, Azure, and GCP Certifications are consistently among the top-paying IT certifications in the world, considering that most companies have now shifted to the cloud. Earn over $150,000 per year with an AWS, Azure, or GCP certification!

Follow us on LinkedIn, YouTube, Facebook, or join our Slack study group. More importantly, answer as many practice exams as you can to help increase your chances of passing your certification exams on your first try!

View Our AWS, Azure, and GCP Exam Reviewers

Our Community

~98%
passing rate
Around 95-98% of our students pass the AWS Certification exams after training with our courses.
200k+
students
Over 200k enrollees choose Tutorials Dojo in preparing for their AWS Certification exams.
~4.8
ratings
Our courses are highly rated by our enrollees from all over the world.

What our students say about us?

error: Content is protected !!