AWS Compute:

AWS EC2: Elastic cloud compute

Elastic Container Registry

ECS - container

EKS – Kubernetes

Lightsail

AWS Batch

AUTOSCALING

ELB

AWS Lambda

AWS ParallelCluster

AWS STORAGE SERVICES

Amazon S3 – simple storage service

Amazon elastic block service(EBS)

Amazon elastic file storage (EFS) –

Amazon FSx

ASW Storage Gateway -

VPC –

Amazon Route 53

Amazon CloudFront

AMAZON Relational Database Service (RDS)

Amazon Elasticache

Amazon Neptune

Amazon Redshift

Availability Zones

HIGH AVAILABILITY

ARCHITECTURE

Simple Queue service SQS – delivery of mssg between components

SNS Simple notification service

1
Amazon Kinesis

Architecture basics

SECURITY

AWS Firewall manager

AWS Shield

Amazon Cognito

AWS Cloudwatch

AWS Cloudtrail

AWS Config

Cloudfront access logs –

VPC Flow logs

Encryption – KMS – Key Management Service

AWS Hardware security module – HSM

MISC REVIEW

Beanstalk -

Amazon API Gateway

AWS Compute:
AWS EC2: Elastic cloud compute

- Virtual server - You are limited to running On-Demand Instances per your vCPU-based On-
Demand Instance limit, purchasing 20 Reserved Instances, and requesting Spot Instances per
your dynamic Spot limit per region.
- The AWS Nitro System is the underlying platform of the next generation of EC2 instances. Nitro
offloads virtualization leading to better performance and reduced costs.
- Amazon Machine Images – AMIs – all s/w related
o Template of pre-config EC2 instance – includes OS + apps and config(including vendor specific). Can save
your custom AMIs as a template(My AMIs).
o Choice – AWS managed, custom, marketplace and community AMIs
- Instance types – h/w related s- defines VCPU, memory, storage, network performance etc – General
purpose, Compute optimized, Memory optimized, Accelerated compute and storage optimized
- Instance purchasing options:
o On Demand – launch any time, paid by second, short term usage – cannot be interrupted
o Reserved – set period of time. 1 or 3 year. Cheapest paid upfront. Long term predictable workload.
Standard(can be sold, some modifications possible) and convertible(lower discount, exchangeable,
cannot be sold)
o Scheduled – similar to reserved but runs on a defined schedule. Will be charged even if you don’t use.
Not continuous run

2
 o Spot – Bid higher than current spot price. 2 minute warning. Work will be interrupted when bid is lower.
Spot blocks for defined duration. Spot fleet - Spot Instances, and optionally On-Demand Instances based
on max amount specified. A Spot Instance pool is a set of unused EC2 instances with the same instance
type, operating system, Availability Zone, and network platform. Allocation strategy for Spot Instances
▪ LowestPrice – The Spot Instances come from the pool with the lowest price. This is the default
strategy.
▪ Diversified – The Spot Instances are distributed across all pools.

▪ CapacityOptimized – The Spot Instances come from the pool with optimal capacity for the number
of instances that are launching.
▪ InstancePoolsToUseCount – The Spot Instances are distributed across the number of Spot pools
that you specify. This parameter is valid only when used in combination with the lowest Price.
o On-Demand capacity reservation – reserve capacity based on instance type, platform and tenancy in an
AZ for any period of time
- Tenancy
o Shared – EC2 will launch on any host, will be shared with other customers
o Dedicated instance – Hosted on dedicated h/w. Compliance requirement. Can be shared with other
instances in your own account
o Dedicated host – Dedicated instance + additional visibility and control of physical host. Can use
licenses. Can use same host for number of instances
- User data - Commands that will run during first boot cycle of instance such as OS or S/w updates
- Meta data - Used to gather and query instance data that is running such as host name, events and security
groups etc
- Storage options
o Persistent – EBS(elastic block store) Volumes – network attached not physical. Auto replicated to other
EBS volumes in same AZ. Encryption and tape back up to S3 if needed.
o Ephemeral (temp)- physically attached. Stop or terminate – lost. Reboot is ok.
- Security
o Instance level firewall for inbound and outbound traffic
o Key pair – encrypt login info and then decrypt to authenticate
o Windows RDP port 3389 + Linux SSH port 22
o Private key/Windows – decrypts data to gain access to login credentials
o Private key/Linux – remote connect onto instance via SSH
- Tags – project/cost center that instance belongs to
- System status check – underlying H/s set up – will need AWS support. Stop and restart!
- Instance status check – user. Incorrect config usually.

When you hibernate an instance, Amazon EC2 signals the operating system to perform hibernation (suspend-to-
disk). Hibernation saves the contents from the instance memory (RAM) to your Amazon Elastic Block Store (Amazon
EBS) root volume. Amazon EC2 persists the instance's EBS root volume and any attached EBS data volumes. When
you start your instance:

The EBS root volume is restored to its previous state

● The RAM contents are reloaded

● The processes that were previously running on the instance are resumed
● Previously attached data volumes are reattached and the instance retains its instance ID

You can hibernate an instance only if it's enabled for hibernation and it meets the hibernation prerequisites.

3
If an instance or application takes a long time to bootstrap and build a memory footprint to become fully productive,
you can use hibernation to pre-warm the instance.

You're not charged for instance usage for a hibernated instance when it is in the stopped state. You are charged for
instance usage while the instance is in the stopping state, when the contents of the RAM are transferred to the EBS
root volume. (This is different from when you stop an instance without hibernating it.) You're not charged for data
transfer. However, you are charged for storage of any EBS volumes, including storage for the RAM contents.
If you no longer need an instance, you can terminate it at any time, including when it is in a stopped (hibernated) state.
Hibernation requires an EC2 instance to be an encrypted EBS-backed instance.

Stop – is just a normal instance shutdown. You may restart it again anytime. All EBS volumes remain attached, but
data in instance store volumes are deleted. You won’t be charged for usage while instance is stopped. You can attach
or detach EBS volumes. You can also create an AMI from the instance, and change the kernel, RAM disk, and
instance type while in this state. No stop for ephemeral, only running/terminated.

AWS Instance store volume – resides on the instance, acts as a local disk drive. Ephemeral. Lost on stop or terminate
(not on reboot). No additional cost, very high I/O(good for no sql db), use for cache/buffer. Not available for all
instances. EBS backed instance, default is for root EBS/instance volume to be deleted when instance is terminated.
WIth EBS you can choose to keep root device. Additional volumes will not be terminated by default(can be changed
during setup.

You can exchange one or more Convertible Reserved Instances for another Convertible Reserved Instance with a
different configuration, including instance family, operating system, and tenancy. There are no limits to how many
times you perform an exchange, as long as the new Convertible Reserved Instance is of an equal or higher value than
the original Convertible Reserved Instances that you are exchanging. When you exchange your Convertible Reserved
Instance, the number of instances for your current reservation is exchanged for a number of instances that cover the
equal or higher value of the configuration of the new Convertible Reserved Instance.

Spot instance - will not charge for partial hour if terminated by AWS, but will be if you do.

Instance termination protection on EC2 is off by default.

you can launch encrypted EBS-backed EC2 instances from unencrypted AMIs directly

An Elastic IP address is a static IPv4 address designed for dynamic cloud computing. With it, you can mask the failure
of an instance. Internet access needs public IP or elastic IP. Max 5 EIP per account per region.

Enhanced Networking – It provides higher bandwidth, higher packet per second (PPS) performance, and consistent
lower inter-instance latencies, which is being used in Placement Groups. It uses single root I/O virtualization (SR-IOV)
to provide high-performance networking capabilities.

system status check - AWS Vs instance status check you need to fix.

Placement groups

Cluster – packs instances close together inside an Availability Zone. This strategy enables workloads to achieve the
low-latency network performance necessary for tightly-coupled node-to-node communication that is typical of HPC
applications.

Partition – spreads your instances across logical partitions such that groups of instances in one partition do not share
the underlying hardware with groups of instances in different partitions. This strategy is typically used by large
distributed and replicated workloads, such as Hadoop, Cassandra, and Kafka. MULTIPLE INSTANCES

Spread – strictly places a small group of instances across distinct underlying hardware to reduce correlated failures.
INDIVIDUAL INSTANCES

4
Elastic Container Registry
A managed AWS Docker registry service. Amazon ECR is a regional service.

ECS is responsible for managing the lifecycle and placement of tasks. A task is usually made of
one or two containers that work together. However, ECS does not run or execute your container.
ECS only provides the control plane to manage tasks. Fargate or ECS to run the containers.

ECS - container
- Regional service that allows you to run Docker enabled apps as containers across cluster of Ec2 instances.
- ECS can be used to create a consistent deployment and build experience, manage, and scale
batch and Extract-Transform-Load (ETL) workloads, and build sophisticated application
architectures on a microservices model
- AWS Fargate is used to abstract burden of managing cluster
- There are two different charge models for Amazon Elastic Container Service (ECS): Fargate Launch Type
Model and EC2 Launch Type Model. With Fargate, you pay for the amount of vCPU and memory resources
that your containerized application requests while for EC2 launch type model, there is no additional
charge. You pay for AWS resources (e.g. EC2 instances or EBS volumes) you create to store and run your
application. You only pay for what you use, as you use it; there are no minimum fees and no upfront
commitments.
- Amazon ECS Exec is a way for customers to execute commands in a container running on Amazon EC2
instances or AWS Fargate.
- When launching a ECS cluster – options are Fargate launch (less config-cpu, memory, AIM policy) and EC2
launch (no of containers, patching and scaling)
- Clusters are group of EC2 instances, pool resources such as CPU, memory, dynamically scale but are ONLY
in a single region(multiple AZ ok)

- Fargate does not support Windows server and is ideal for high performance computing

- Containers created from images using DockerFile stored in the registry.

- When you launch a container instance, you have the option of passing user data to the instance.

- Task definition is a JSON file that describes one to a max of 10 containers that form your application.

5
EKS – Kubernetes
- Container orchestration tool by utilizing multiple AZs
- EKS managed service to run Kubernetes without having to take care of provisioning and running the
Kubernetes management infra(control plane)
- Control plane(sets up containers on nodes) includes no of APIs, kubelet process and Kubernetes master
- CP tracks state of all Kubernetes object by continuous monitoring
- Worker nodes in Kubernetes are on demand EC2 instance using an AMI
- To start create EKS Service role(once only), create an EKS cluster VPC, Install Kubectl and AWS-IAM-
Authenticator, create EKS cluster, config Kubectl, provision nodes and connect node to cluster

Lightsail
is an easy-to-use virtual private server (VPS) provider that offers you everything needed to build an application
or website. Lightsail includes everything you need for your websites and web applications – a virtual
machine (choose either Linux or Windows OS), SSD-based storage, data transfer, DNS management,
and a static IP address.

● Lightsail load balancers direct traffic to your healthy target instances based on a round robin
algorithm. Can support session persistence
● fully configured MySQL or PostgreSQL managed database
● Managed databases are available in Standard and High Availability plans. High Availability
plans add redundancy and durability to your database, by automatically creating standby
database in a separate AZ from your primary database, synchronously replicating
● automatically backs up your database and allows point in time restore from the past 7 days
using the database restore tool.
● Has CDN(Cloudfront backed) and works on IPV4/6

AWS Batch
- Regional service used to manage and run batch computing workload
- Components – Jobs(run as container), job definition(cpu, data volume etc), job queue(with priority and
separation of queue types), job scheduler (fifo and priority), compute environments(managed - auto vs
unmanaged - customizable)

AUTOSCALING
- Allows you to inc or dec EC2 resources to meet demand based on metrics
- Eg: Amazon EC2 auto scaling – load increases, deploy another instance. Set up metrics to trigger up and
down limits. Enable a DynamoDB table or a global secondary index to increase or decrease its provisioned
read and write capacity to handle increases in traffic without throttling. Dynamically adjust the number of
Aurora read replicas
- Launch config and Launch template (newer version, more config options) – to define config, instance type,
AMI, storage etc. Launch template allow versions – used to create autoscaling groups
- You can only specify one launch configuration for an Auto Scaling group at a time, and
you can’t modify a launch configuration after you’ve created it.
- Instance protection – scale in prevents termination during scale in
- Set min and max size of your group with associated conditions to trigger up and down

- You can add a lifecycle hook to your Auto Scaling group to perform custom actions when
instances launch or terminate.

Auto scaling- scheduled, dynamic and predictive(ML)

6
The main issue with simple scaling is that after a scaling activity is started, the policy must wait
for the scaling activity or health check replacement to complete and the cooldown period to
expire before responding to additional alarms. Cooldown periods(default 300 Sec) help to
prevent the initiation of additional scaling activities before the effects of previous activities are
visible.

In contrast, with step scaling the policy can continue to respond to additional alarms, even while
a scaling activity or health check replacement is in progress. Therefore, all alarms that are
breached are evaluated by Amazon EC2 Auto Scaling as it receives the alarm messages.

With target tracking scaling policies, you select a scaling metric and set a target value. Amazon
EC2 Auto Scaling creates and manages the CloudWatch alarms that trigger the scaling policy
and calculates the scaling adjustment based on the metric and the target value. The scaling
policy adds or removes capacity as required to keep the metric at, or close to, the specified
target value.

ELB
- Manage and control flow of inbound requests destined to a group of targets by distributing these requests
evenly across the healthy target group across AZs
- Target could be EC2 instance, Lambda functions, range of IPs or containers
- If instance fails, ELB will auto detect failure and divert traffic (auto scaling will launch not ELB)
7
 - ELB nodes are placed in AZ where you want load balancing and are used by ELB to distribute traffic to target
groups
- Application Load Balancer – web apps running HTTP/S, operates at request level, provides advanced
routing(path-based on URL and host-based in host header), TLS termination, microservices and
containers
o Runs at layer 7 application layer
o Cross zone load always enabled(only ALB)
- Network Load Balancer – ultra high perf and low latency, operates at connection level, routing traffic to
different targets, handles millions of requests/sec
o Runs at layer 4 transport layer enabling balancing requests on TCP and UDP protocol
o Supports listeners using TCP, UDP and TLS
o Supports static IP and Preserves source IP
o Cross zone load balancing is disabled by default - can be enabled or disabled
o You CANNOT enable or disable Availability Zones for a Network Load Balancer after you create it.
- Classic Load Balancer – used for apps were built in classic env. Works both at connection and request level
o Supports TCP, SLL/TLS,s HTTP/S protocols
o Not supported any more
o Compare to ALB - Support for EC2 classic, TCP and SSL listeners and sticky sessions using app
generated cookies
o Does not use target groups – uses instances
- Gateway LB - Primarily used for deploying, scaling, and running third-party virtual appliances, Runs within
one Availability Zone (AZ)
-
- Component – Listener(defines how inbound connections are routed to target), target groups, Rules(how
routing works)
- Cross zone load balancing depending on ELB options. If disabled load will be balanced within the AZ only.
- Internal ELB only has internal IP accessible within VPC only.

Access logging is an optional feature of Elastic Load Balancing that is disabled by default. After you
enable access logging for your load balancer, Elastic Load Balancing captures the logs and stores
them in the Amazon S3 bucket that you specify as compressed files.
ELB allows you to dynamically manage load across target groups using rules and auto scaling allows you to scale
those target groups based on demand. Autoscaling replaces unhealthy instances

Server certs(SSL/TLS)

- For HTTPS – encrypted communication – needs server cert and policy

- SSL(Secure sockets layer)/ TLS(Transport layer security) are cryptographic protocols
- Certs are provisioned by ACM(AWS Certificate manager) – can also IAM(for 3rd party certs) – regions not
supported by ACM.

AWS Lambda
- Serverless compute service that allows you to run application codes without having to manage EC2 instances
integrated with CloudWatch. Upload deployment package to create Lambda function.
- Charges compute power per 100ms in addition to no of times your code runs
o Event Sources – services that can trigger Lambda function – poll or push
o Lambda function – compiled of you own code that you want Lambda to invoke
o Downstream resources – reqd during exec of function such as SNS topic/SQS Queue
o Log Streams – logging into cloud watch
o Layers - distribution mech for libraries and dependencies. keeps deployment package small
8
 - Create a function to mount EFS for local directory
- Synchronous invocations(app is responsible) do not auto retry failed attempts but asynch do.
- Synch allows you to assess result before next operation. Asynch has no order.
- Poll based event sources are always synchronous. Push based varies on service.
- unreserved account concurrency – concurrent occurrences of lambda func running at once
- reserve concurrency – set at function level…..part of unreserved , reserved for this particular function.
Throttle – sets reserved concurrency for function to 0
- To enable your function to scale without fluctuations in latency, use provisioned concurrency. By
allocating provisioned concurrency before an increase in invocations, you can ensure that all requests are
served by initialized instances with very low latency.
- Memory can be changed – CPU, disk IO and network bandwidth is auto calculated. Memory overflow
causes crash and not captured correctly.
- Active tracing – AWS X Ray to trace event sources that invoked Lambda
- Lambda qualifiers – allows to use versions of your function. Alias is a pointer to a version.
- Push based event source – mapping in event source + publish events and invoke function – all remaining
sources
- Poll based event source – config is in Lambda func + polls for particular event and invokes function on
match- Kinesis/SQS/DynamoDB
- An environment variable is a pair of strings that are stored in a function's version-specific
configuration. The Lambda runtime makes environment variables available to your code and sets
additional environment variables that contain information about the function and invocation
request.

- Cloudfront triggers - viewer/origin request and response

- Lambda stores code in S3 and encrypts it at rest.

- Failed Lambda events can be sent to Dead letter Q with SQS which can trigger Lambda again for
retry or can can also send notification to SNS topic

- If your Lambda function accesses a VPC, you must make sure that your VPC has sufficient ENI
capacity to support the scale requirements of your Lambda function. If your VPC does not have
sufficient ENIs or subnet IPs, your Lambda function will not scale as requests increase, and you will
see an increase in invocation errors with EC2 error types like EC2ThrottledException

Lambda@Edge is a feature of Amazon CloudFront that lets you run code closer to users of your
application, which improves performance and reduces latency. With Lambda@Edge, you don't
have to provision or manage infrastructure in multiple locations around the world. You pay only
for the compute time you consume - there is no charge when your code is not running.

AWS ParallelCluster
is an AWS-supported open source cluster management tool that makes it easy for you to deploy
and manage High Performance Computing (HPC) clusters on AWS. ParallelCluster uses a simple
text file to model and provision all the resources needed for your HPC applications in an
automated and secure manner. It also supports multiple instance types and job submission
queues, and job schedulers like AWS Batch and Slurm. Does not support windows and does not
support mixed instances but can support dif instances in Master vs compute
AWS Serverless Application Model
SNS is a distributed publish-subscribe system. Messages are pushed to subscribers as and when they are
sent by publishers to SNS.
9
SQS is distributed queuing system. Messages are not pushed to receivers. Receivers have to poll or pull
messages from SQS. Messages can't be received by multiple receivers at the same time.
Choose SNS if:
You would like to be able to publish and consume batches of messages.
You would like to allow same message to be processed in multiple ways.
Multiple subscribers are needed.
Choose SQS if:
You need a simple queue with no particular additional requirements.
Decoupling two applications and allowing parallel asynchronous processing.
Only one subscriber is needed.

AWS STORAGE SERVICES

Block storage - Stored in chunks/blocks, stored on volume attached to a single instance. Very low latency,
comparable to DAS storage

File Storage – stored as separate files in directories within a file system. Shared access for multiple users, like NAS

Object Storage – stored as object across a flat address space. Referenced by a unique key. Can have associated
metadata to help categorize

Amazon S3 – simple storage service

- Largest file size 5TB. Single copy operation upto 5GB
- Object storage system across flat address space.
- Regional service, duplicated across multiple AZs within region
- Create a bucket (soft limit 100 buckets). Can support folders inside but works at a bucket level

- S3 Select enables applications to retrieve only a subset of data from an object by using simple SQL
expressions

S3 Storage class

- Standard – high throughput, low latency, frequent access, durable(11 9s) and available(99.99%), SSL to
encrypt data in transit
- Standard INT (Intelligent tiering) – unpredictable data access pattern. Frequent and infrequent access tier.
not accessed for 30 days - IA, 90 - Archive and 180 - Deep archive. 99.9%
- S3 S – IA(infrequent access) – infrequent access. minimum 30 days
- S3 Z-IA(1 zone IA) – Infrequent access, Eleven 9s but at single AZ, 99.5%
- S3 Glacier – Durable, replicated across AZ. Vault contains archives(unlimited). No UI. Data access through
expedited(less than 250Mb under 5 min), standard(3-5 hours) and bulk options(5-12 hours)
- S3 G-DA(Deep archive) – Minimal access retrieval within 12 hours
- Glacier and DA can use S3 PUT API to add data apart from lifecycle rules

Lifecycle rule automate data storage management – can only be suspended

- Encryption is not enable by default

- Transfer acceleration is not enabled by default. Uses edge locations
- Bucket policy does not exist by default
10
 - Versioning is disbaled by default
- Server access logging provides detailed records for the requests that are made to a
bucket. Server access logs are useful for many applications. For example, access log
information can be useful in security and access audits. It can also help you learn about
your customer base and understand your Amazon S3 bill.
- S3 offers strong read-after-write consistency in all regions and eventual consistency
for overwrite PUTS and DELETES
- S3 does not support object locking for concurrent writers
- Updates to single key are atomic. You will never get partial or corrupt data IE old or new
depending on whether PUT is complete.
- File storage g/w has a file interface and files can be accessed vi S3 API
- S3 can support 3500 PUT/DELETE/POST and 5500 GET request pers secs per prefix in a
bucket
- You can use prefixes to organize the data that you store in Amazon S3 buckets. A prefix
value is similar to a directory name that enables you to group similar objects together in a
bucket. When you programmatically upload objects, you can use prefixes to organize your
data. The purpose of the prefix and delimiter parameters is to help you organize and then
browse your keys hierarchically. To do this, first pick a delimiter for your bucket, such as
slash (/)
- Single PUT - 5GB - Multipart can be used for objects from 5MB to 5TB
- File size 0 Bytes to 5 TB, single copy 5 GB. Larger than 100MB use Multipart upload
- S3 charges based on actual storage use per GB per day
- VPC endpoints are for accessing AWS resources within VPC (not cross-region)
- S3 Cross region replication needs versioning on both source and destination buckets
S3 - Object lock prevents change and delete -> auto version.

Retention period - data when object lock expires. Legal Hold - obj lock does not expire. Retention mode -
Compliance(stricter - no one can overwrite or delete) and Governance(users with privilege can overwrite or delete)

S3 Batch Operations is a new feature that makes it simple to manage billions of objects stored in
Amazon S3. Customers can make changes to object properties and metadata, and perform other
storage management tasks – such as copying objects between buckets, replacing tag sets, modifying
access controls, and restoring archived objects from Amazon S3 Glacier – for any number of S3
objects in minutes.

Versioning

- Not enabled by default, once enable can only be suspended

11
 - Delete – Delete marker is the current version and so cannot be found. Obj can be requested by version ID

Static website hosting

- Region specific end point does not support HTTPS

- Bucket and content must be marked public access
- Does not support requester pays

Object level logging

- Records all activities using AWS Cloudtrail in a log file

- GetObject, DeleteObject and PutObject

Transfer Acceleration

- Long distance transfers in and out of S3 – Amazon cloudfront – CDN. Uses edge locations to distribute
traffic
- Transfer Acceleration cannot be disabled, and can only be suspended.
- Cost per gigabyte – both inbound(as compared to std free) and increased outbound
- Does not support Get service, Put bucket, Delete bucket and cross region copies using Put object – copy

S3 Access policies

- Can access actions based on conditions

- IAM policy is based on identity and group
- Resource based policy – associate with resource – Access control list(ACL) and Bucket policies
- Bucket policy – JSON, attached to bucket (by default no policy), define ‘principal’ element who is associate
with action and effect
- IAM is central manage in one service, can control access for more than one service at a time Vs Bucket
only controls that bucket and objects, used to maintain security policies in S3 alone and can grant cross
account access without having to create a role in IAM
- IAM policy max 2KB – users, 5kb-groups and 10kb -rules VS bucket – 20Kb
- ACLS – control access to bucket and/or specific objects in a bucket by grouping. Do not follow JSON (like
IAM and Bucket). Cannot explicitly deny access like IAM and no conditions. No write permissions for
Object ACL(bucket ACL has it)
- Conflict – Principle of least privilege

Cross origin resource sharing – CORS

- Allows specific resources on a web page to be requested from a different domain- client side web apps

AWS Snowball Edge is a type of Snowball device with on-board storage and compute power for select AWS
capabilities. Snowball Edge can do local processing and edge-computing workloads in addition to transferring data
between your local environment and the AWS Cloud. Storage optimized and compute optimized, and with GPU

Each Snowball Edge device can transport data at speeds faster than the internet. This transport is done by shipping
the data in the appliances through a regional carrier.

AWS Snowcone is a portable, rugged, and secure device for edge computing and data transfer. You can use
Snowcone to collect, process, and move data to AWS, eitherj offline by shipping the device to AWS, or online by
using AWS DataSync. upto 8 TB

12
Snowmobile - An exabyte-scale data transfer service used to move extremely large amounts of data to
AWS. You can transfer up to 100PB per Snowmobile. Snowmobile will be returned to your designated AWS
region where your data will be uploaded into the AWS storage services you have selected, such as S3 or Glacier.

AWS DataSync is an online data transfer service that moves data between on-premises storage systems and AWS
Storage services, as well as between AWS Storage services.

S3 objects are immutable - DURABLE storage cannot be changed, only be replaced - object storage, write once read
many. use multipart for larger than 100MB. S3 transfer acceleration does no support GET service(list buckets), PUT
bucket(create bucket), DELETE bucket and cross region copies using PUT object(copy)

Amazon Storage - EFS/EBS

Amazon simple storage solution(S3) – entire file replaced when something changes…..not good for frequent
write…..good for videos, netflix

Amazon elastic block service(EBS)

– stored in small chunks, only changes are updated. Low latency solutions r/w. ONLY attached to resources in single
AZ. Perfect for databases.

- Persistent, rapidly changing, independent of EC2(logically attached).

- SSD – Highest performance. smaller blocks, boot volumes. General purpose vs Provisioned IOPS SSD
volumes for apps with high I/O - Databases.
- HDD – For frequent access throughput intensive apps(Big data, DWH). higher throughput large blocks of
data. Cannot be used for boot. Throughput optimized HDD vs Cold HDD
- Provisioned IOPS SSD can be attached to multiple Nitro instances using Multi-attach
- Encryption is supported - AES-256 – KMS
- Backups via snapshots – manual or scheduled(cloudwatch event) - stored on S3. Can be copied to other
regions. Stored on S3 – incremental. Encryption/unencryption on snapshot retained.

- New EBS Volumes created from snapshots need to be initialized by reading from them. ’fast snapshot’
- New EBS from scratch receive max performance immediately
- Volume can be attached to instances in same AZ….across AZ/region- use snapshot and restore
- You cannot add instance store volumes once EC2 instance is launched. EBS volumes
support live configuration changes while in production which means that you can modify
the volume type, volume size, and IOPS capacity without service interruptions. The volume
enters first the Modifying state, then the Optimizing state, and finally the Complete state.
Decreasing the size of an EBS volume is not supported.
- Highest performance and low latency for critical apps or large DBs - Provisioned IOPS
- Amazon Data lifecycle manager automates creation, retention and deletion of snapshots
for EBS
- You can create an image and EBS Volume from a snapshot. A snapshot is a backup of an
EBS volume. An AMI (Amazon Machine Image) is a clone of the entire EC2 instance
including licenses. An AMI created from an EC2 instance includes snapshots of the root
volume and any other attached EBS volumes.
13
- EBS optimized instance provides additional dedicated capacity for Amazon EBS I/O
- EBS encrypted volume -> encrypts data at rest, encrypts all data moving between volume
and instance and encrypts all snapshots created from volume and all volumes created
from those snapshots
- You can enable encryption while copying from an unencrypted snapshot
- Use modern Linux kernel and RAID 0 to get high performance(RAID 0 offers striping, which
translates to better performance, but no-fault tolerance or data redundancy. RAID 1, on the
other hand, offers mirroring, so the same data is available in two disks.)
- When you create an EBS volume in an Availability Zone, it is automatically replicated
within that zone to prevent data loss due to a failure of any single hardware component.
- After you create a volume, you can attach it to any EC2 instance in the same Availability
Zone
- Infrequent large, sequential I/O operations - Cold HDD vs frequent ->Throughput Optimized
HDD vs small, random I/O operations - SSD

14
Amazon elastic file storage (EFS) –
shared file level storage, low latency support. Network access to files. EFS is regional and can support multiple EC2
instances across AZs in a region. Support life cycle management to move data auto.(files smaller than 128K or
metadata are always in standard). Supports strong consistency and file locking

Does not support windows

EFS has 2 classes – standard and Infrequent access(Lifecycle management 30 days default - IA 1Z available).

Standard - Access anytime, cost higher and lower latency

IA is cheaper than standard but also charges for r/w vs standard is based on amount of storage

EFS has 2 different performance modes – General and Max I/O

● General -> Throughput standard, IOPS 7k >= and Latency is low

● Max I/O -> Throughput unlimited, IOPS 7k <= and Latency is slightly higher. Recommended for tens,
hundreds or thousands of instances. Higher through put and ops per second. Big data, genomics, media
processing.

Throughput modes – Bursting(the more you store, the more throughput available) and Provisioned(allows you to
burst above your allowance) measured in MiB/Sec + BurstCreditBalance – run out -use Provisioned throughput

Encryption using KMS, both at rest(set only during creation) and in transit(enable encryption during mounting).

EFS file mount – Linux NFS or EFS Mount helper(preferred)

You can choose from five EFS Lifecycle Management policies (7, 14, 30, 60, or 90 days) to
automatically move files into the EFS Infrequent Access (EFS IA) storage class and save up to 85% in
cost.

EFS can only be in one VPC at a time -> When you use a VPC peering connection or VPC Transit
Gateway to connect VPCs, EC2 instances in one VPC can access EFS file systems in another VPC,
even if the VPCs belong to different accounts. You can also now place EC2 instances owned by one
account in the same VPC as an EFS file system owned by a different account using shared VPCs.
This allows applications in different accounts to share a central file system, eliminating the cost and
complexity of copying data between VPCs.

AWS DataSync – Direct connection or internet. On prem to AFS or between different AFS accounts.

Amazon FSx
– for windows file servers and for lustre(linux only) (EFS is linux only)

Windows

o Fully manages native windows file system on AWS

o Move and migrate windows based workloads requiring file storage
o Built on windows server
o Share file storage
o Support for SMB protocol, Windows NTFS, Active Dir integration, Dist File Syst
o Uses SSD storage for enhanced performance and sub millisecond latencies
o Cost – avg storage per month, through put and capacity

o FSx - cost- capacity(avg storage), throughput and backups . Windows FSx provides data dedup -
stored only once. Windows has cost for throughput but none for Lustre

Lustre - Linux
15
 ● Linux based - Designed for compute intensive workloads such as machine learning.

● Perf can run upto 100s of GB/sec and sub millisecond latencies

● Integration with Amazon S3

● Supports cloud bursting workloads using Direct connect and VPN

● SSD and HDD options(cheaper, lower performance)

● EBS is a high-performance per-instance block storage system designed to act as

storage for a single EC2 instance. Boot volume, transactional and NoSql Db, DWH,
ETL
● EFS is a highly scalable file storage system designed to provide flexible storage for
multiple EC2 instances. Big data, analytics, media processing, web serving, content
management and home directories
● S3 is a more complex object storage system, designed to provide archiving and data
control options and to interface with other services beyond EC2. It’s also useful for
storing static html pages and shared storage for applications. Slowest
performance….web serving, content management, media,big data analytics, data lake

● EBS provides the lowest-latency access to the data for your EC2 instance since the volume
is directly attached to the instance. S3 does not reside within your VPC by default, which
means the data will traverse the public Internet that may result to higher latency. You can
set up a VPC Endpoint for S3 yet still, its latency is greater than that of EBS. Although EFS
can provide low latency data access to the EC2 instance as compared with S3, the storage
service that can provide the lowest latency access is still EBS. EFS throughput is higher
than EBS.

● EBS stores data redundantly in single AZ vs EFS and S3 are across multiple AZs

● S3 and EFS are unlimited size vs EBS volume is max 16TB

● EBS and EFS are accessed inside a VPC vs S3 can be accessed inside or outside VPC

Stunnel – open source universal TLS/SSL tunneling service. Provide secure encrypted connections for clients or
servers that do not speak TL/SSL natively.

ASW Storage Gateway -

AWS Storage Gateway is a set of hybrid cloud services that gives you on-premises access to virtually unlimited cloud
storage. Customers use Storage Gateway to integrate AWS Cloud storage with existing on-site workloads

- Integration between on prem and cloud

- File gateway – stores files as objects in S3, nfs share can be mapped as a drive, includes local on prem
cache to reduce latency. Supports S3 Standard, IA and IA-1Z
- Volume gateway –iscsi device, stored(entire data exists on prem for low latency and Data is backed up
asynch to Amazon S3 in the form of Amazon EBS snapshots) vs cached(primary data on cloud, has local
buffer). can detach and attach volumes, from and to a Volume Gateway.

16
 - Tape gateway (VTL)- iscsi devices, Back up data to S3 and leverage S3 Glacier. Lower cost than S3. Cloud
based virtual tape back up

Cloudfront signed URL for external access. CloudFront signed cookies allow you to control who can
access your content when you don't want to change your current URLs or when you want to
provide access to multiple restricted files, for example, all of the files in the subscribers' area of a
website.

When you create a presigned URL for your object, you must provide your security credentials,
specify a bucket name, an object key, specify the HTTP method (GET to download the object)
and expiration date and time. The presigned URLs are valid only for the specified duration.
Anyone who receives the presigned URL can then access the object. In order to successfully
access an object, the presigned URL must be created by someone who has permission to
perform the operation that the presigned URL is based upon.

NETWORKING

VPC –
Private segment inside AWS. Allows you to build and deploy compute resources on the cloud. Defaults 5 VPCs per
region per AWS account. Define name and range of Ips via CIDR block (Classless Inter-Domain Routing). A VPC spans
all the Availability Zones in the region. After creating a VPC, you can add one or more subnets in each Availability
Zone.

Subnet – allow you to segment your vpc into multiple networks

- Public subnets have an internal IP address and external public IP address

- Public has Internet gateway(AWS component) + route table (destination and target).
- All subnets within VPC can talk to each other

- Each subnet exists in a single A

17
Network Access Control List (NACL’s)

- Virtual network level firewall associated with each subnet – controls inbound and outbound and between
subnets. default – allows all
- Rule number decides priority. “.” Is default rule. Support both allow and deny
- NACLs stateless and so better suited for a private subnet.

Security Groups

- Filter traffic at instance level – inbound and outbound

- NACLs work at subnet level security groups act as virtual firewall at instance level
- No rule #, so all rules will be assessed before action. Rule means allow….no deny action

-
- To access Subnet, you need subnet allow rule and then to access component inside subnet such as a DB you
need security group setting

18
 - NACLs are stateless, Security groups are stateful which means you don’t have to configure specific rules to
allow return traffic from requests. Security groups are Stateful and hence can be used for public subnets
- Default rule allows all outbound traffic and denies all inbound.

Internet g/w – allows public subnet to access internet

NAT Gateway

- Private subnets have no internet access so cannot upgrade patches and udpates – need NAT g/w
- NAT gateway sits in Public Subnet with elastic IP which is public
- Route table of private subnet needs a route to target as NAT g/w.
- Nat G/w will not accept inbound comm from internet only outbound from VPC (such as initiated by Private
subnet)
- Each NAT gateway is created in a specific Availability Zone and implemented with redundancy in that zone
- If you have multiple subnets across AZs, you will need to set up the NAT g/w within those subnets

- NAT g/w cannot be shared across VPC via peering, direct connect or VPN connections.

Bastion Hosts

- access EC2 instances in a private subnet via Internet – via Bastion Hosts. Incoming via Internet g/w is not allowed
- Bastion host sits in Public subnet in VPC.
- Windows RDP port 3389 and Linux SSH port 22

-
- To connect from Bastion host to EC2 in Private subnet, using SSH, requires a private key(should not be stored on
host). SSH Agent forwarding stores key on local client rather than bastion host.

VPN

-Way to connect 2 remote networks across the public internet. Connect VPC <-> data centre
-Needs a virtual g/w(in VPC), customer g/w(in datacenter) as end points
-VPN tunnel can be originated from Customer g/w only.
-If CGW supports BGP –> dynamic routing

Direct Connect

-Uses private infrastructure to connect directly – data center and AWS region, not just VPC. Much faster, dedicated
lease lines.
19
-Public virtual interface connect to AWS region and allows access to public resource such as S3
-Private virtual interface connects to virtual g/w in your VPC

VPC Peering

- Allows VPCs to connect with each other

- VPC connections are 1:1
- Each VPC cannot have a IP address(CIDR block) overlap – so will not be able to connect….

AWS Cloudhub - If you have more than one remote network, you can create multiple AWS-managed VPN
connections via your virtual private gateway to enable communication between these networks. AWS VPN CloudHub
uses an Amazon VPC virtual private gateway with multiple customer gateways, each using unique BGP autonomous
system numbers (ASNs).

AWS Transit gateway

- 1 to Many connectivity – also allows central monitoring through one dashboard

20
AWS PrivateLink enables you to privately connect your VPC to supported AWS services, services
hosted by other AWS accounts (VPC endpoint services), and supported AWS Marketplace partner
services. You do not require an internet gateway, NAT device, public IP address, AWS Direct Connect
connection, or VPN connection to communicate with the service. Traffic between your VPC and the
service does not leave the Amazon network. Applications in an Amazon VPC can securely access
AWS PrivateLink endpoints across VPC peering connections. The support of VPC peering by AWS
PrivateLink makes it possible for customers to privately connect to a service even if that service’s
endpoint resides in a different Amazon VPC that is connected using VPC peering.

AWS PrivateLink endpoints can now be accessed across both intra- and inter-region VPC peering
connections.

Elastic IP address – EIP – associated to your account and not instance

- When you need a persistent IPv4 public IP address that you need associated with your instance or ENI
- If you associate EIP to an instance with a pool of public IP, will be released and EIP will be used
- Public IP cannot be converted to EIP. Public IP changes every time we start and stop instance.
- If you create elastic IP but don’t associate to instance, it will cost $. Either release or associate with instance

Elastic Network Interface (ENIs)

-Logical virtual network cards in your VPC which can be attached to EC2 instances. Config is bound to ENI and not
EC2. You can detach and reattach ENI(for eg private IP, EIP or MAC address)
-EC2 comes with a primary interface(PNI) that cannot be detached – Eth0
-No of interfaces depends on instance type
-Useful to create management network

EC2 Enhanced Networking with Elastic Network Adapter (ENA)

-Custom interface to optimize network performance

-100 Gbps speed, higher bandwidth and increases packet per second (pps) performance.
-No extra cost, turned on by default on supported instance types
-Does not support all instances(kernel above 2.6.32 and 3.2)

VPC Endpoints

-Allow you to connect to supported services without configuring an internet g/w, NAT g/w, VPN or direct connect
connection.
-#1 Interface endpoints – ENIs within a subnet that act as a target for any traffic that is being sent to a supported
services and uses PrivateLink(private secure connection). Can be accessed through AWS VPN connections or
AWS Direct Connect connections, through intra-region VPC peering connections from Nitro instances, and
through inter-region VPC peering connections from any type of instance.
-#2 Gateway endpoints – target that is used with your route tables to allow you to reach supported services,
currently they only support (S3 and Dynamo DB only). Only works with IPv4
-

AWS Global Accelerator

-Global service not tied to a region to get UDP and TCP traffic from end user clients to your apps faster and quicker
and more reliably using AWS infra and specified end points (instead of public internet)
-Name and select 2 IPs;static IPS. create listener (receives and processes incoming UDP/TCP connections); associate
with end point group and finally associate and register end points for application(can be a load balancer, EC2
instance or Elastic IP; % load by end point can be defined).

21
-End points group is associated with a different region and withing each group there are multiple endpoints. Set
‘traffic dial’ for group to specify percentage to be directed to group – blue/green deployment. Also allows to set
health check criteria

ENA vs Global Accelerator – ENA provides high speed performance for you instance vs Global accelerator provides
high speed performance from an end client to application on AWS

Amazon Route 53
-A highly available and scalable Domain Name System (DNS) web service used for domain registration, DNS routing,
and health checking.
-DNS translates domain name to IP address and reduces routing latency
-Route 53 provides routing of requests both for services within AWS and infra outside of AWS using global network
of authoritative DNS servers that reduce latency and can be managed via console or API
-Hosted zone is a container that holds information about how you want to route traffic for a domain. Supports
public(internet) and private(within vpc) zones
-Different domain supported
o Generic Top-Level Domains (TLDs) eg .watch for website watches. What info do you expect to find
o Geographic Domains eg .in is for India Location specific
-Routing policy determines how Route 53 responds to queries. Simple routing, Failover routing, Geo-Location(user
location) routing, Geo-proximity(user and resources) routing, Latency routing, Multi value answer routing(8
random records), Weighted routing(resource perform same function)
-Alias records act like a CNAME allowing to route traffic to other AWS resources such as ELS, VPC etc
-Route 53 can host public domain names for external web apps.

-Health checks need IP to monitor + protocol HTTP/S/TCP, request interval, failure threshold(consecutive failure). Can
monitor other health checks, edn points and cloudwatch alarms.

Amazon CloudFront
-AWSs fault tolerant and scalable content delivery network(CDN) service using network of edge locations
-Edge locations cache data, reducing latency for users by routing to closest location
-Does not provide durability as its cached data. Distributes source data which is on durable storage
-Web distribution for web, http/s, live streaming, static and dynamic content
-RTMP Distribution – media with Adobe flash RTMP protocol. Can start viewing before complete d/w. RTMP can only
exit in S3 not EC2 web server
-Objects from S3 are cached for 24 hours by default. You can invalidate files in CloudFront edge caches even before
they expire.
-CloudFront also has regional edge caches that bring more of your content closer to your viewers, even when the
content is not popular enough to stay at a CloudFront edge location, to help improve performance for that
content.
-CloudFront also offers a new method of cache configuration called policies. You may use the policies premade by
AWS or you can create your own. These policies define how you’d like the cache to behave, such as cache TTL
Settings, Cache Key Contents, and Compression settings.
-Use signed cookies for the following cases:
o You want to provide access to multiple restricted files, for example, all of the files for a video in HLS
format or all of the files in the subscribers’ area of a website.
o You don’t want to change your current URLs.
-Geo restriction possible
-Origin access identity (OAI) is a cloud front user for S3 bucket that provides added security. Only OAI can access

22
AMAZON Relational Database Service (RDS)
-MySQL, MariaDB, PostgreSQL, Amazon Aurora, Oracle and SQL Server
-Choice of compute instance to host the DB
o DB Instance class – General purpose and memory optimized
o Multi AZ for HA – secondary instance of RDS in a different AZ within the same region as the primary –
synchronous replication. (Patching on primary, failure, reboot, primary instance modified, AZ fails). Aurora
is anych for multi AZ
o During failover RDS would updated DNS to point to secondary AZ – 60-120 seconds
-Storage autoscaling – Elastic block storage – MySQL, PostgreSQL, MariaDB, Oracle and SQL Server for data and log
storage
-EBS - supports
o General purpose SSD(broad use, single digit millisecond latency, cost effective, Min 20GiB Max 64TiB except
SQL Server is max 16 TiB),
o Provisioned IOPS(SSD) – operates at very high i/o. IOPS Min 8000-Max80,000(SQL Server 40K). Storage Min
100Gib and Max is 64Tib(SQL Server 16 TiB) and
o Magnetic storage – backward compatibility only. AWS recommends general purpose
-Amazon Aurora uses shared cluster storage – no option to select and configure. Storage will scale auto. Replicated
across 3 AZs
-Aurora – Encryption at rest – KMS and transit is SSL
-Aurora perf – 5X MySQL and 3X PostgreSQL and is cheaper
-Scaling compute instance – Vertical scaling will improve DB performance -can be immediate or scheduled
-Horizontal scaling – eg read can be in a separate instance. Asynch replicated link
-Patching and back ups are managed by RDS automatically in S3. Backup retention(7-35 days) is auto, config no of
days of retention, back up window, KMS encryption.
-Manual backups can be taken – snapshots, delete is manual
-Aurora has a backtrack feature allows you to go back in time – max 72 hours and self healing
-Once a DB is created you cannot change the VPC

-Point-In-Time Restore and snapshot restore features of Amazon RDS for MySQL require a crash-recoverable storage
engine and are supported for the InnoDB storage engine only.

-AWS recommends to NOT enable Simple Recover, Offline, or Read-only modes because they turn off transaction
logging, which is required for Multi-AZ.

-Multi-AZ deployments for Oracle, PostgreSQL, MySQL, and MariaDB DB instances use Amazon’s failover technology.
SQL Server DB instances use SQL Server Mirroring. Back ups are from stand by.

-You can copy a snapshot within the same AWS Region, you can copy a snapshot across AWS Regions, and you can
copy a snapshot across AWS accounts. When you restore a DB instance to a point in time, the default DB
parameter and default DB security group is applied to the new DB instance.

-Enhanced DB monitoring(extra cost) provides IOPS, Latency, Throughout and queue depth. CPU utilization stats is
from hypervisor and enhanced monitoring is from agent on instance.

-Amazon RDS proxy is a highly available database proxy that allows applications to pool and share connections
established with the database, improving database efficiency and application scalability. you pay per vCPU of
the database instance for which the proxy is enabled.

-If you convert to Provisioned IOPS storage, make sure you also use a DB instance class that is optimized for
Provisioned IOPS. Make sure you have enough throughput capacity. convert to IOPS for IO intensive load

-If your client application is caching the Domain Name Service (DNS) data of your DB instances, set a time-to-live (TTL)
value of less than 30 seconds.
23
-To create a read replica, enable automatic back ups by setting retention period greater than 0 on source.

Aurora

Amazon Aurora Auto Scaling works with Amazon CloudWatch to automatically add and remove Aurora Replicas in
response to changes in performance metrics that you specify. This feature is available in the PostgreSQL-compatible
edition of Aurora.

With Aurora MySQL, you can set up cross-region Aurora Replicas using either logical or physical replication. Aurora
PostgreSQL does not currently support cross-region replicas.

Back up - 1-35 days and backtrack is 72 hours

An Aurora global database spans multiple AWS Regions, enabling low latency global reads and disaster recovery
from region-wide outages. Consists of one primary AWS Region where your data is mastered, and one read-only,
secondary AWS Region.

Instead of provisioning and managing database servers, in serverless you specify Aurora Capacity Units (ACUs). Each
ACU is a combination of processing and memory capacity.

Amazon Aurora Auto Scaling works with Amazon CloudWatch to automatically add and remove Aurora Replicas in
response to changes in performance metrics that you specify.

An Aurora global database spans multiple AWS Regions, enabling low latency global reads and disaster recovery
from region-wide outages. Consists of one primary AWS Region where your data is mastered, and one read-only,
secondary AWS Region.

Aurora Serverless is an on-demand, autoscaling configuration for Amazon Aurora (supports both MySQL and
PostgreSQL). An Aurora Serverless DB cluster automatically starts up, shuts down, and scales up or down capacity
based on your application’s needs. The cluster volume for an Aurora Serverless cluster is always encrypted. You can
choose the encryption key, but not turn off encryption.

Amazon DynamoDB

-NoSQL Database(key-val store). Ultra high performance, single digit latency, serverless
-Fully managed, patching, back ups, replicated synchronously auto across three different zones(same reg)
-Steps -set up table and provision throughput for each table
-Charged based on throughput and amount of storage
-PITR - upto 35 days
- Global tables replicate your DynamoDB tables automatically across your choice of AWS Regions.
-Back up do not impact performance due to distributed tech
-Tables are schemaless
-Primary Key – uniquely identifies each item in the table, so that no two items can have the same key. Must be scalar.
-Partition key – a simple primary key, composed of one attribute.
-Partition key and sort key (composite primary key) – composed of two attributes.
-Optional set up –
o secondary index – allows you to define secondary keys for querying that are not a part of the primary key.
One query only per index. Specify index for each query. Global secondary index – across the entire table,
partition key and sort key can be different from table and local secondary index – only in a single partition,
same partition but diff sort key.
o R/w capacity mode – provisioned mode allows to set r/w against DB per second(RCU/WCU), used when you
have a predicted and forecasted workload. On-demand- scaled on demand, not cost effective.
Unpredictable workload. Prov mode – charge for prov and data stored throttling on excess

24
 o Disadvantages – eventual consistency(may return old results), queries are less flexible than SQL, workflow
limitations(max record size 400Kb and max index per table – 20 global and 5 secondary), provisioned
throughput
o Adjustable limitations – max no of tables in AWS account

o DynamoDB Streams – an optional feature that captures data modification events in DynamoDB tables. Stream
records are organized into groups, or shards. Stream records have a lifetime of 24 hours. You can use
DynamoDB Streams together with AWS Lambda to create a trigger
o Amazon DynamoDB auto scaling uses the AWS Application Auto Scaling service to dynamically adjust
provisioned throughput capacity on your behalf, in response to actual traffic patterns. This enables a table or a
global secondary index to increase its provisioned read and write capacity to handle sudden increases in
traffic, without throttling.you create a scaling policy for a table or a global secondary index. The scaling policy
specifies whether you want to scale read capacity or write capacity (or both), and the minimum and maximum
provisioned capacity unit settings for the table or index. DynamoDb->CloudWatch->Alarm->Autoscaling
update table

o DynamoDB provides some flexibility in your per-partition throughput provisioning by providing burst capacity.
To better accommodate uneven access patterns, DynamoDB adaptive capacity enables your application to
continue reading and writing to ‘hot’ partitions without being throttled, by automatically increasing
throughput capacity(from spare capacity of other partitions) for partitions that receive more traffic. on by
default.

DAX – DynamoDB Accelerator

-Eventual consistency – issue with microsecond response times -> DAX. Fully managed and scalable.
-DAX – in-memory cache delivering 10X performance…milli to micro seconds
-Max of 10 nodes – 1 primary, 9 read replicas
-Encryption at rest – 256 AES + KMS keys
-DAX client on EC2 intercepts API calls to new DAX cluster
-Cache miss is passed to DB and data is added to cache. Write first to DB and then to DAX

Amazon Elasticache
-Service to deploy, operate and scale open source in-memory data stores in the cloud which improves performance
through caching for web applications
-Caching -RAM on a PC allows our PC to store frequently accessed data in memory rather than go to disk
-Helps with read only performance.
-Supports Memcached(High perf, sub-milli second latency, key value store, consistent load) and Redis engines(purely
in-mem data store, high perf, sub-milli sec latency for RT apps)
-Memcached – offer caching and session store(simplicity + consistent memory allocation).
-Redis ++ media streaming, queues, RT analytics, geospatial etc. persistent data,not multi threaded. Sorted set to
guarantee uniqueness and order. stores user session state in memory
-Redis also offers cluster mode to scale out. Default single shard to max of 90 shards.
-Node – fixed size chunk of secure, network attached RAM
-Shard – Redis shard(node group) group of up to 6 elasticCache nodes
-Cluster – contains 1 to 90 redis shards(depends on enabled cluster mode)
-Memcached cluster – Cluster are collection of one more cache nodes
-Use – gaming score, social media, RT analytics
-Don’t use when you need persistence, working with primary records, need write performance rather than read
performance.

25
Amazon Neptune
-Fully managed graph database. Graph Db engine.
-Supports upto 15 read replicas
-replicated six ways across three AZs. Cross region replicas not supported.
-Social networking…complex tightly networked data; fraud detection, recommendation engines
-Apache tinkerpop gremlin – query graph using gremlin traversal language and worldwide web consortium sparql –
works with internet to run queries
-Neptune cluster – single or multiple Db instances across AZs in addition to virtual db cluster volume which contains
data across all instances. The single cluster volume contains no of SSDs which scale with vol growth(max 64 TB).
-Neptune storage auto-repair – find and fix segment failures in SSDs. Self healing.
-End point –
o Cluster – points directly to current primary DB, used by apps that need r/w access, failures -> point to new
primary instance
o reader – connect to read replicas, single reader end point, round robin basis. End point does not load
balance
o instance – instance specific end points to direct certain traffic to specific instances. Load balancing….

Amazon QLDB

● Fully managed ledger database that provides a transparent, immutable, and cryptographically
verifiable transaction log owned by a central trusted authority.
● Used to track all application data changes, and maintain a complete and verifiable history of
changes over time
● Amazon QLDB is serverless
● Amazon QLDB uses PartiQL as its query language. (also DynamoDb)
● Amazon QLDB does not support Backup and Restore. But you can export your data from QLDB
to S3. Does not support cross-region replication

Amazon Redshift
-Fully managed petabyte scale data warehouse, designed for performance and analysis of info,
-Redshift extends data warehouse queries to your data lake. You can run analytic queries against petabytes of data
stored locally in Redshift, and directly against exabytes of data stored in S3
-Currently, Redshift only supports Single-AZ deployments.
-Redshift automatically and continuously backs up your data to S3. It can asynchronously replicate your snapshots
to S3 in another region for disaster recovery.
-Based on PostgreSQL, supports SQL
-Staging, transformation, loading – ETL
-Cluster – run its own redshift engine which contains at least one DB + compute nodes (leader node if multi
cluster). Compute node contains cpu, attached storage and memory (RA3 or dense type)
-Leader node is responsible for comms between compute nodes and external apps(ODBC/JDBC). Creates execution
plans containing code to return required results.
-Node slice(determined by node type – dc/ds) is a partition of compute node where nodes memory and disk space
is split. Each node splice processes operation given by leader node. Parallel ops across slices
-Massively parallel processing(MPP), Columnar data storage and Result caching
-Redshift spectrum allows you run queries against exabytes of data without loading/transforming data

RDS instance purchasing options

-On demand instances – on demand creation and termination. Cost is hourly, partial is per second. Altering running
costs – min 10 min charge
-On demand instances(BYOL)

26
-Reserved instances – set criteria for set period of time(1/3 yr). Upfront cheapest.
-Reserved instances (BYOL)
-Serverless – measured in Aurora capacity units(ACU). ACU is 2GB memory and associated CPU
-BYOL is Oracle and Serverless is Aurora only
-Amazon Aurora either MySQL or PostgreSQL compatibility – different price
-Oracle – depends on which edition of ORCL-> SE1, SE2. For BYOL also SE and EE
-SQL Server – Express, web or standard

Database storage and IO pricing

-MySQL, PostgreSQL, MariaDB, Oracle and SQL server use EBS Elastic block store volumes for data and log
-Aurora – shared cluster
-General purpose SSD – broad use, low latency, cost effective Min 20GiB Max 64 TiB (16TiB for SQL Server) charged
for amount of storage provisioned not for IO
-Provisioned IOPS (SSD) – high IO workload. Min 80K, Max 80K IOPS(SQL server 40K). Min storage for data is 100 GiB,
Max 64TiB (16TiB for SQL Server). Charged for amount of storage provisioned in addition to IOPS throughput (not
for total IO processed)
-Magnetic – backward compatibility
-GB-Month – how many GBs for how long. 720 hours in a 30 day month.
-300 GB for 24 hours -> 300/(720/24) => tot provisioned storage/(720/no of hours running)
-Aurora – GB-months used(not provisioned) + actual number of I/O processed (per million requests)

Nitro – Run a DB cluster on sing EBS volume. 60K + IOPS, able to access from one or more EC2 instances. Use Nitro
with multi attach option

Back up storage and pricing

-No charge for back up storage equal to provisioned storage used(across all RDS Dbs)
-$0.10 per GiB-Month regardless of region. Aurora is different by region.
-Auto and Manual backups use back up storage

Backtrack

-Only for MySQL compatible Aurora – go back in time. Max of 72 hours

-Based on number of changes per hour.

Snapshot export pricing

-Backups of DB tables and instance

-Can be exported from RDS to S3
-Can filter to export specific Dbs, tables or schemas
-Different by region per GB
-KMS cost if encrypted
-S3 cost

Data transfer pricing

-Cost for transferring data in and out of RDS depending on source and destination
-Data transfer in to RDS is free
-Data out to cloud front is free
-Out to EC2 instance in same AZ
-Between AZs for multi AZ replication

AWS Datasync – move large amount of objects from on prem to S3, efs or AwsFSx. TLS. Snowball for v large data

27
AWS database migration service to move data to RDS

Availability Zones
-AZs are essentially the physical data centers of AWS. it’s likely that multiple data centers located close together form
a single availability zone.
-Low latency links connect isolated AZs in the same geo region
-Low latency links between AZs are used by many AWS services to replicate data for high availability and resilience
purposes
-Localized geographical grouping of multiple AZs, which would include multiple data centers, is defined as an AWS
Region.
-Edge Locations are AWS sites deployed in major cities and highly populated areas across the globe. While Edge
Locations are not used to deploy your main infrastructures such asEC2 ingatewaystances,EBS storage, VPCs, or
RDS resources like AZs, they are used by AWS services such asAmazon CloudFrontandAWS Lambda@Edge to
cache data and reduce latency for end-user access by using the Edge Locations as a global Content Delivery
Network (CDN).
-Regional Edge Cache. These sit between your CloudFront Origin servers and the Edge Locations and have a larger
cache-width than each of the individual Edge Locations, and because data expires from the cache at the Edge
Locations, the data is retained at the Regional Edge Caches.

HIGH AVAILABILITY
Back up and DR Strategies

-RTO – time to restore business to prev service level as per Ops level agreement
-RPO – Acceptable amount of data loss measured in time
-#1 Back up and restore – virtual tape library using AWS storage gateway, AWS import/export. Data retention policy,
security measures including access and encryption, regular test of recovery
-#2 Pilot Light – data is mirrored and minimal environment is scaled during DR. EC2 replica, supporting custom s/w
available in AWS and create and maintain AMI images, regular testing, auto provision as much as possible.
-#3Warm stand by – all services running in scaled down way.
-#4 Multi site – DNS routing to both sites and auto failover
-Replication – Distance, bandwidth, data rate required by app and replication tech(parallel)
-Synch rep – Data is atomically updated in multi locations, dependent on network performance and availability
-Asynch – Non-atomic write update on secondary when network and bandwidth permit. App continues to write while
it might not be fully replicated.

28
 High
Availability and Fault tolerance

-HA – maintain a % of uptime in line with ops performance and aligned to SLA eg have 2 EC2 instances with 2 AZs in a
region (app requires 2 EC2s)
-FT builds on HA by building additional resiliency and up time % at a cost eg duplicate above in a different region to
tolerate a region outage and increase up time %
-AWS snowball – physical appliance to transfer data(50/80TB) to S3 – if it will take more than a week
-AWS snowmobile – 100PB
-AWS Storage g/w – g/w between you datacenter and AWS. Can be d/w from AWS as a VM. File/Volume/Tape
o File- store files as object in S3, map (like local)drives to S3, sent over HTTPS. Local cache
o Stored/Cached Volume – storage has all data on prem and backed up asynch as EBS snapshots to S3. 1GB-
16TB X 32 volumes. Snapshots are incremental and stored as EBS snapshots on S3. Cached local volume 32TB
X 32 volumes.
o Tape – VTL. Data stored in Glacier 3-5 hours access
-AWS Artifact – access and review AWS compliance reports and present to auditors

S3 as backup

-Highly scalable – max upto 5TB

-Standard (across multiple devices and AZs in a region + encryption at rest and transit), Standard IA and
Glacier(archives upto 40TB into vaults – move using lifecycle rules, SDKs or API)
-Glacier has Vault locks enabling WORM control and vault access policies
-S3 can additionally have CRR(Cross region replication) – compliance requirements?
-Supports multiple r/w. files larger than 100MB should use multi-part upload. Speed, interruption recovery and data
management.
-Security – IAM policy(allow/restrict access to buckets and objects at a role level)/Bucket Policy(JSON policies
assigned to individual buckets and objects)/Access Control List(ACL) – allows to control which user or account
can access a bucket or obj using r/w/full control etc/ MFA delete/Version/Lifecycle policy
-Snowball – HIPAA compliant, SNS text message. Used if more than a week elapsed time

RDS Multi AZ

-Configures a secondary RDS instance in a diff AZ in same region – synchronous replication. Not a read replica.
-RDS uses a failover mechanism on Oracle, MySQL, MariaDB and PostgreSQL. Auto - DNS update to secondary –
completion event RDS-EVENT-0025

29
-SQL Server Multi AZ (when available) uses mirroring – provisions a secondary RDS in a separate AZ. Primary and
Secondary use same end point. Mirroring updates physical network address to secondary. DB subnet group with
min of 2 AZs
-Aurora DB clusters are fault tolerant and can withstand loss of AZ. In the cluster, data is replicated across different
instances in different AZs. Multi AZ will allow RDS to provision a replicate in a diff AZ automatically.(no waiting for
primary in Multi AZ)

Read Replicas

-Read replicas asynch replicate from Primary, back up retention period greater than 0. Only 5 read replicas per
source DB
-Read replicas – MySQL, PostgreSQL, Amazon Aurora, Oracle
-During outage, when AZ enabled, RDS automatically redirects read replica source to secondary DB.
-In PostgreSQL native streaming is used for replication. asynch data between master and read replica. Needs a
specific role, can set up Multi AZ reads. Nested read replicas not supported (unlike MySQL and MariaDB)

Amazon Aurora HA

-Separates compute from storage layer – allows scaling. Storage is shared amongst all nodes in cluster
-Aurora stores data in 10GB blocks, each replicated six times across 3 AZs, two in each AZ(only supported in regions
that have 3 or more AZs)
-3 lost read and 2 lost writes are ok out of 6
-Aurora does not need replication(vs RDS) as it shares a single logical volume
-Quorum and gossip protocol to keep data consistent – self healing.
-If master goes offline, either launch a replacement master or promote existing read(preferred) – 30 sec

-
-Cluster endpoint – points to current master. R/w
-Reader endpoint – points to read only copy, load balanced across set.
-Custom endpoint – can be used to group instances based on size, particular db parameter eg: month end reports.
Load balancing implemented internally using Route 53 DNS.
-Instance endpoint – Specific instance endpoint for fine grained control
-Read replicas upto 15 – asynch
-Daily auto backups retained for 1 day – max of 35 days. Manual snapshots stored till deleted.
-Amazon multi master(max2) – multiple write instances….no need for failover. Load balancing will need to be
managed by client

30
Aurora Serverless – elastic solution that scales compute layer based on application demand and only bills when in
use.

-Suits apps that exhibit varying workloads, infrequent data access and modification needs
-No need to plan instance, just lower and upper capacity limits measured in ACUs(RAM)
-When turned off, you only pay for storage
-Single connection end point, since serverless
-Web service Data API – only on serverless – allows HTTP web service interface – allows you to run queries without
JDBC(connectionless). Works well with Lambda functions
-AWS CLI updated to allow queries though command line
-Daily auto backups retained for 1 day – max of 35 days. Manual snapshots stored till deleted.
-AWS Secrets manager – store, rotate, monitor and control access to secrets such as Db credentials, API keys or
OAuth tokens

Amazon DynamoDB HA

-NoSQL Db that auto partitions data and incoming traffic across multiple partitions
-Distributed across servers across 3 AZs in a region. SSD – synchronous replication
-Global table(same AWS account) gives you capability to replicate a single table across 1 or many alternate regions.
Increases availability and takes advantage of data locality. Eventual consistency

Point in time recovery

-Disabled by default – 1-35 days. Restored in new table

-Same region or diff region

Summary on HA

-Migration of large amounts of data for S3, EFS etc – AWS Datasync
-Migration of large objects – snowball
-Storage - EC2 – ephemeral(high IO), EBS-persistent, S3(Object) and glacier(archives)
-EFS and FSx – fully managed file system, most suited for shared access to files and data
-Deal with Cluster file systems enable EBS multi attach feature between upto 16 instances – on prem to cloud
migration of DB with high IOPS – supported in Nitro based instance
-Data in and out – Direct connect, VPN, internet connection, AWS Snowball(more than a week or more than 50TB),
AWS, Snowmobile and AWS Storage Gateway

ARCHITECTURE
-Decoupled and event driven architecture – SQS
-Services in an event driven arch are triggered by event within infra – producer, event router & consumer
-Event router – processes and takes the necessary action in pushing outcome to consumers - SNS, Kinesis and Lambda

Simple Queue service SQS – delivery of mssg between components

-Send, store and receive data at scale without dropping messages
-Producer – queue – consumer
-Visibility timeout – timeout is start when a mssg is retrieved by a consumer (30 sec – 12 hours). Delete mssg back
to queue when mssg processed. If not delete recd before time out, mssg is available again
-Delay Queue to postpone delivery of new mssg - 0 -15 mins
-Q type – server side KMS encryption
o STD Q – at least once delivery(maybe dupes), order is best effort, unlimited tps
o FIFO Q – order is preserved, exactly once processing, no duplication, 300 tps(batching 10 - 3000 tps)
o Dead letter Q – mssg failed to process, same Q type as source

31
 SNS Simple notification service
-Managed and highly scalable - Pub/Sub mssg service
-Users/endpoints can subscribe to topics which is a group for collecting mssg where mssg/events are pub
-When mssg pub -> all subs receive notification of mssg
-Every mssg contains name, type and value
-SNS Topic -> HTTP/S/EMAIL/EMAIL-JSON/SQS/Application/Lambda/SMS
-Topic policy restricts access similar to IAM policies
-SNS as a producer for SQS Q
-Lambda functions subscribe to topic and use mssg payload as input to trigger function
-SNS fan out when you want parallel asynch processing

-End points - Lambda, SQS, SMS, EMAIL, EMAIL JSON and application

-SNS has Time to Live(TTL) value for each mssg.

AWS provides AWS Security Token Service (AWS STS) as a GLOBAL web service that enables
you to request temporary, limited-privilege credentials for AWS Identity and Access Management
(IAM) users or for users you authenticate (federated users).

Amazon Kinesis
-Address complexity and cost of streaming data into cloud, Connect, process and analyze data streams
-IAM policy, KMS, TLS
-No free tier
-Video streams – stream processing on binary encoded data such as audio and video(traditionally A/V but can be any
binary encoded time-series data). Supports webRTC, allowing 2 way RT streaming between web
browsers/apps/devices
-Data streams – stream processing on base64 text-encoded data. Does not have auto-scaling. Producers can be SDKs,
Kinesis agent, APIs or KPL(Producer Library). Set of shards, shard contains sequence of data records, data record
has Seq No, Partition key and data blob. A shard is the base throughput unit of an Amazon Kinesis stream.
-Data fireshose – stream processing on base64 text-encoded data
-Data analytics – stream processing on base64 text-encoded data
-Layers of streaming – Source, Stream ingestion, Stream storage, Stream processing and Destination

-
32
-Amazon Kinesis Data stream – stores data for 24 hours(upto 365 days). Immutable IE cannot be changed or
removed, only expired
-A Kinesis stream is an ordered sequence of data records meant to be written to and read from in real-time.
-Beyond 24 hours up to 7 days charged for each shard hour. After 7d, per GB per month
-Retention period is updated using API call – IncreaseStreamRetentionPeriod()
-Charge for retrieving data older than 7 days using GetRecords() API call. No charge for long-term data retrieval using
Enhanced Fanout Consumer using SubscribeToShard() API
-Classic Consumer – pull/polling mech, limited no of times and data that can be pulled out. Adding a consumer,
divides through put
-Enhanced Fan Out – push method. Every consumer gets 2Mbps of throughput.
-Firehose
o is a fully managed(unlike data stream which is customizable) data streaming service for data.
o Data can be transformed, scaled and auto delivered to data store. Not a streaming storage layer like data
stream.
o Unlike DS, Firehose buffers(size- mb and interval – 60-900 sec config) data before delivery. Data leaves when
buffer is full or expiry. Near RT streaming solution
o Unlike DS, Firehose will auto scale
o Convert JSON to Apache Parquet/ORC – column data formats, save space and faster queries
o No free tier but costs only when data is in firehose stream. Bill only for used cap not provisioned cap.
-Data Analytics – ability to read from stream in RT and do aggregation and analysis in motion. Leverage SQL or Apache
Flink using Java or Scala
-Video stream – cost is based on data ingested and consumed across all streams in account
-Data stream – hourly cost based on number of shards(regardless of whether or not data is actually in stream)
+separate cost when producers put data in stream + optional extended data retention hourly charge per shard
for data stored in stream + consumer charges depend - Enhanced fan out use – based on amount of data and
no of consumers
-Firehose – cost is based on amount of data in stream, amount of data converted by Firehose and if data is sent to
a VPC, the amount of data delivered as well as an hourly charge per AZ
-Data analytics – cost is based on hourly rate based on KPUS(Amazon Kinesis Processing Units – 1 vCPU and 4gb
memory) used to run streaming app

Architecture basics
-LAMP – Linux + Apache web server + MySQL db + PHP prog to build web service
-MEAN – Mongo db + Express JS + Angular JS + Node JS
-SERVERLESS – beneficial in multi-tiered design, use API G/w + lambda
-MICROSERVICES – each app is decoupled and independently deployed and operated
-Multi-tier – Presentation + Logic + Data tiers
-Single tier machine can be put in multiple AZs and can use auto scaling – all services on same m/c using same
resources
-One VPC that runs all front end, logic layer and db on one m/c – single tier; or public(front end) and private(logic
and data) subnets in VPC; vpc with pub(front end) and priv(logic and data) subnet and vpn access
-Subnet is public if it has an internet g/w and route to internet g/w. Public – default route table enables i/b and
o/b traffic. Private – need a route table to direct flow within vpc
-Security groups control access at instance level and can have separate i/b and o/b rules.
-ACLS work at subnet level to control i/b and o/b traffic – individual controls
-Instance access internet by either Public IP or Elastic IP
-NAT G/w – managed service – allow instances to access internet even without Public IP. Allows only outbound
connection

33
-Serverless – replace logic layer with Amazon API G/w + lambda – autoscale and provision instead of EC2 instances.
Improved API performance via caching and content delivery which means no elastic load balancers – cost
saving.
-Credential in code -> AWS Secret manager + lambda like to retrieve using IAM role.
-Cloudfront signed URL with token – share content with finite group of people.
-You can deploy AWS WAF(web app firewall) on Amazon CloudFront as part of your CDN solution, the Application
Load Balancer that fronts your web servers or origin servers running on EC2, Amazon API Gateway for your REST
APIs, or AWS AppSync for your GraphQL APIs. With AWS WAF, you pay only for what you use and the pricing is
based on how many rules you deploy and how many web requests your application receives.
-NACL can block range of IP in same CIDR range – low rule #- deny method to inbound table of NACL
-Compliance – Cloud trail to track API calls and CONFIG to track config changes in VPC and account
-Decoupling archt – SQS and SNS multi tiered arch.
-Parallel asynch process – SNS fanout – multiple events happening in parallel.
-Improve performance – EC2 autoscaling middle tier based on SQS Q depth
-For NoSQL db, like Dynamo – increase read performance by adding auto scaling to table and adding global indexes +
Elasticache as cache(read performance only)
-Cache: feature – redis and speed – memcacheD
-Monolithic app – you can launch larger instances or compute optimized instances
-Cloudfront should be used for caching and distributing including static content which might be from a S3 bucket
origin. Can also geoblock or restrict access
-IPV4 – works with NAT gateway IPV6- internet gateway

SECURITY
IAM

-Authentication is process of presenting an identity and providing verification such as via p/w
-Access management relates to authorization and access control.
o Authorization determines what an identity can access once it is authenticated
o Access control is a mechanism of accessing a secured resource eg login, MFA, Federated access
-IAM components
o Users – objects identifying users or system accounts
▪ Access type – programmatic(Access key ID + Secret Access key ID) or console(p/w)

▪ Security credential allows to manage current p/w, MFA, signing certs, new access key for prog access,
upload SSH public keys and generate GIT credentials for AWS CodeCommit
▪ Access Advisor – list of services user has permissions for and last time service used
o Groups – object groups of users
▪ Not used in authentication process but used to authorize access using AWS policies

▪ Allows to modify permissions for multiple users at once (who are part of group)

▪ Default max 100 groups – AWS can increase. User max of 10 groups
o Roles – objects that different identities can adopt to assume a new set of permissions
▪ Role allows you to adopt a set of temporary IAM permissions

▪ Eg: EC2 instance can be assigned IAM role to access S3 bucket vs set of credentials stored on EC2

▪ Roles don’t have access keys or credentials associated, assigned dynamically by AWS

34
 ▪ Altering role permission, will auto impact all resources

▪ AWS Service role is used by other services to perform specific functions based on set of permissions eg:
Amazon EC2, Directory service, Lambda
▪ AWS Service Linked role – specific roles, predefined and permissions cannot be altered eg Amazon Lex-
bots and channels
▪ Role for cross account access – accounts you own or you + 3rd party. Trusting(has the resources) and
trusted(needs access) accounts. Allows access to specific resources. Eg Trusting Prod and Trusted is
Dev.
▪ Trusting account creates a role specifically for trusted account and then trusting account adds inline
policy adding that specific role.
▪ Role for identity provider access – grants access to web identity providers(goog, fb etc), grant web SSO
to SAML providers or grant API access to SAML providers
▪ Role can be changed for an EC2 instance via actions – instance setting – attach/replace role

▪ Cross account access prefer role over IAM

o Policy permissions – JSON policies that define what resource can and cant be accessed
▪ JSON document that are used to assign permissions

▪ SID – Stmt ID is unique id in Stmt array

▪ Actions are API calls for services

▪ Effect – allow or deny what is defined in action. Default is deny

▪ Resource – actual resource you wish action and effect applied to. ARNs to call out resources.

▪ Condition – optional on when the permission is effective eg: IP address. Key value pair

▪ Principal: only used by resource based policies such as S3 bucket: defines identity that the policy refers
to for eg specific IAM user
▪ Managed policies – AWM or Customer managed(copy AWS, policy generator or create your own) –
associated with groups, roles or users
▪ In-line policies – directly embedded into a specific user, group or role. Do not show up under policies list
in IAM and so not available for use by others. Used when don’t want to risk permissions being used by
others. When user/group is deleted inline policy is also deleted.
o Access control mechanism – how a resource is accessed eg MFA
-By default access is denied – allow only if explicitly added. Single deny will overrule any allow
-Multi Factor authentication – can be used to increase security for API calls on other resources
-Identity federation – allows you to access and manage AWS resources even if you don’t have user account within
IAM eg: MSFT Active Directory, Amazon, Google, FB – openID Connect. Allows SSO + reduced admin. Needs
trust relation between IdP(identity provider) and AWS account.
-ID Fed supports OpenID(FB, Goog) connect and SAML(MS-AD SSO)
-Credential report includes details on user such as pw last used, changed, next rotation, mfa etc. every 4 hours
-KMS enables encryption keys to secure data. KMS CMK – customer master keys

35
-Web identity Federation allows authentication between AWS resources and any public OpenID Connect provider
such as Facebook, Google or Amazon. When its setup and configured and an access request is made by a user
to an AWS resource, their IdP credentials will be used to exchange an authentication token for temporary
authentication credentials. These temporary credentials with correct pre-configured permissions allow
authorized access to the resource as required.
-AWS Security Token Service (AWS STS) is the service that you can use to create and provide trusted users with
temporary security credentials that can control access to your AWS resources.
-SAML 2.0 based federations can allow your existing Active Directory users to authenticate to your AWS resources,
allowing for a Single sign-on (SSO) approach. SAML stands for Security Assertion Markup Language, and allows
for the exchange of security data including authentication and authorization tokens to take place between an
identity provider and a service provider.

WAF – Web app firewall – prevents web apps from malicious common attack patterns, used to identify how
CloudFront distributions and load balancers respond to web requests. Filters both HTTP/S. web access control lists
acls contain -

o Conditions – WAF monitors for these elements. XSS (eg cookies),Geo match(if geo blocked in CloudFront will
not reach WAF), IP address, size constraint of request part, SQL injection(extract data or do privileged DB
func), string and regex matching on web requests,
o Rules – add conditions via AND(every condition in the rule has to be met) join to rules. Regular / Rate
based(# of requests over 5 min. Min 2K) rule. Specify is associated to CloudFront or ALB(region). Executed in
order of listing and no check after match found
o Web ACLs – action associated definition – blocked or allow or count.
-Cloudwatch WAF – Passed requests - # of requests that didn’t match any rules in web acl.

AWS Organizations provides central governance and management for multiple accounts. Org units group
together accounts to administer as a single unit. Central security administrators use service control policies
(SCPs) with AWS Organizations to establish controls that all IAM principals (users and roles) adhere to. SCPs
offer central access controls for all IAM entities in your accounts. You can use them to enforce the
permissions you want everyone in your business to follow. Using SCPs, you can give your developers more
freedom to manage their own permissions because you know they can only operate within the boundaries you
define.

Here is how AWS Organizations' SCPs and IAM policies work together:

Users and roles must still be granted permissions with appropriate IAM permission policies. A user
without any IAM permission policies has no access, even if the applicable SCPs allow all services and all
actions.

If a user or role has an IAM permission policy that grants access to an action that is also allowed by the
applicable SCPs, the user or role can perform that action.

If a user or role has an IAM permission policy that grants access to an action that is either not allowed or
explicitly denied by the applicable SCPs, the user or role can't perform that action.

AWS Firewall manager

-Multiple AWS accounts need protection, WAF would need repeated admin across each account. Helps manage
WAF in a multi-account environment
-Key benefit - Auto protects certain resources added to your account as they become active
-Prereq – create organization(Organizational Unit OU) with all features, mark an account as the master admin and
AWS config enabled
-Components
36
 o WAF rules
o Rule groups – allow you to group one or more WAF rules with the same action applied. Can be bought from
market place – advantage on compliance, reg or known issues. Rule groups only support Block or Count(no
allow like WAF) and 10 rules per group (max)
o Firewall manager policies – policy contains rule groups that you want to assign to AWS resource. Only 2 rule
groups per policy(1 customer created and 1 AWS marketplace rule group)
-Each policy cost is $100 per policy, per region, per month

AWS Shield
-Protect infra against DDoS attacks. No of requests simultaneously from multiple distributed sources
o Standard – Free, covers common DDoS attacks at layer 3(network) and layer 4(transport). Integrated with
cloudfront and Route 53
o Advanced – integrated with EC2, Cloudfront, Route 53 and ELB. Enhanced levels of DDoS protection. Access
to 24X7 specialized team(DRT). Layers 3 + 4 + 7(application). Real time metrics of attacks. Cost protection.
This is account specific. Rate based rules only for cloudfront and load balancers

Amazon Cognito
lets you add user sign-up, sign-in, and access control to your web and mobile apps quickly and easily. Amazon
Cognito scales to millions of users and supports sign-in with social identity providers, such as Apple, Facebook,
Google, and Amazon, and enterprise identity providers via SAML 2.0 and OpenID Connect.

-Integrate with Active Directory using SAML

-Uses User pools and Identity pools for governing authentication and verification access
-User pools create and maintain an directory of users, manages sign up and sign-in and utilizes external ID
providers such as FB or by using SAML for MS-AD
-Identity pools – provide temp access AWS credentials for authenticated users and unauthenticated guests,
operates in conjunction with user pools, allows access to AWS services sitting outside app and provided ability
to federate using external ID providers
-Main difference is the user pools provide authentication through identity verification allowing to sign in using a ID
provider or local cognito user directory where as ID pools are used to help control access using temp
credentials to access AWS services

AWS Cloudwatch
● Cloudwatch Dashboard – can be built using AWS management console, CLI or PutDashboard API

● Default free set of metrics collated over 5 minutes. Detailed monitoring per minute is extra cost

● Custom metrics are regional

● Anomaly detection – ML algos to detect activity outside baseline parameters

● Cloudwatch alarms - integrate with metrics and allow auto action based on thresholds -states - OK, Alarm,
insufficient data
● Cloudwatch EventBridge – evolved from Amazon events, connect apps to RT monitoring
o Rules- act as filter for incoming events and then routes to appropriate target(same region) based on
definition
o Targets – destination such as lambda, in JSON format
o Event bus is the component that receives the event from your application and rules are associated with
specific event bus

37
● Cloudwatch logs – centralized location for all logs. Cloudwatch Insights to monitor in RT. Unified Cloudwatch
agent collect logs and metrics from EC2 instances(auto) as well on prem services
● Cloudwatch insights types – log, container and lambda(per lambda function).

AWS Cloudtrail
● Records and tracks all API requests in your account from SDK/CLI/Management console or another AWS service

● Events contain – eventName(API name), eventSource(service to which AP call was made), timestamp, source
IP,userIdentity(identity that made API request)
● New file every 5 mins, delivered to S3 15 mins after API was called. also cloudwatch logs -> SNS for investigation

● API activity filter – stores 7 days of data to filter for a particular type

● Cloudtrail logs can aggregate logs from multiple accounts into a single S3 bucket (but cannot do this into
cloudwatch logs)
● Log file integrity validation – file unchanged check in S3(SHA 256 hash)

● Creates hourly digest file to verify log files

AWS Config
● Region specific service to capture and record resource changes allowing you to perform actions against the
data
● Resource changes, resource inventory, config history per resource, snapshot of configs, notification on changes,
cloud trail integration(who and when), compliance checks via rules, security analysis and relationship between
resources via UI
● Region specific

● SNS and cloud trail integration

38
●

● AWS Resources – AWS config records changes to resources in a region which are objects that can be created,
updated or deleted from Management console/CLI or SDK
● Configuration item – JSON file that holds config and relationship info + other metadata as a point in time
snapshot. Created every time there is a resource change. Apart from the change, also records CIs for any linked
resources for impact.
● Config stream – CIs are sent to SNS topic to help analysis. Also used to send events for other events -config
history files are delivered, snapshot started, compliance changes, eval begins and config fails to deliver
● Config history – allows to see complete set of changes made to resource over a set period of time. Sent to S3
every 6 hours….covers all CIs for a particular resource type
● Config snapshot – of all supported resources configured for that region

● Config recorder – records all changes and generates CIs

● Config rules – enforce specific compliance checks….each rule is lambda function. Runs when a change is made.
Will send notification but will continue to work
● Resource relationship – identifies relation between resources

● AWS config permission – IAM role is required to allow AWS config to obtain correct permission for interaction

AWS Organisations – ability to centrally manage multiple accounts from a single account known as master account.
Add existing account to organization and then create new master account. Can be used to consolidate billing of all
member accounts

● Organisations – hierarchical structure of multiple AWS accounts – tree view of your entire AWS account
structure

39
● Org types – 1.consolidated billing and 2.all features(SCP needs this)

● Root – at the top of your organization is a root container(single) – contains all OUs and accounts.

● Organizational units – allow categorization – containers allow grouping of specific accounts, can connect to
account or OU, 5 nested layers max.
● Accounts – allows to configure and provision AWS resources – has account number

● Service control policies – defines what services and features are accessible from AWS account. Can be at Root,
OU or account specific. Child object inherit permission boundaries….
● Restrictions made within SCP set a boundary of permission for AWS accounts. SCP do not grant permissions…but
they can override existing permission to prevent access

Cloudwatch logs –

● Unified cloudwatch agent allows collection of logs and additional metrics from EC instance + on prem servers in
addition to default metrics and logs
● Config file in JSON – config parameters specify which metrics and logs to capture

● Cloudwatch log events have a size limit of 256KB on events they can process. Larger will not be sent.

Cloudfront access logs –

-Cloudfront speeds up distribution of static and dynamic content using edge locations with lowest latency
-Cloudfront retains logs for 1-24 hours(size dependent) until logs are saved in S3

-Standard logging is an optional feature of CloudFront. There is no extra charge for enabling standard logging.
However, you accrue the usual Amazon S3 charges for storing and accessing the files on Amazon S3 (you can
delete them at any time).

VPC Flow logs

-Allows you to capture all traffic info within your VPC. Not stored in S3 but sent to Cloudwatch logs
-Limitation - VPC peered connections – logs within same account (only) are visible, not able to get info from EC2
classic env and once created, cannot be changed
-Following not captured
o DHCP traffic within vpc
o Traffic from instances destined for Amazon DNS servers
o Traffic destined to IP addresses for VPC default router
o Instance metadata and timesync service traffic
o Amazon windows activation license
o Between Network load balancer and end point network interface
-You can create flow log against network interface, subnet or vpc itself

The role that is simply used to install the agent and send data back to CloudWatch needs the following
configuration, the 'select type of trusted identity' needs to be 'AWS service'. The option 'choose the service that
will use this role' needs to be 'EC2 Allows EC2 instances to call AWS services on your behalf'. And finally under the
'Attach Permissions Policies' it needs to be 'CloudWatch Agent Server Policy and 'Amazon EC2 Role for SSM'.

To enable logging for your distribution, the user account activating that feature must have full control on the ACL
for the S3 bucket, along with the S3 GetBucketAcl and S3 PutBucketAcl.

40
Configuration items are used by other features and components of AWS Config, such as:

Configuration History - Configuration items are used to look up all changes that have been made to a resource

Configuration Streams - Configuration items are sent to an SNS Topic to enable analysis of the data

Configuration Snapshots - Configuration items are used to create a point in time snapshot of all supported resource

Encryption – KMS – Key Management Service

-KMS is a managed service used to store and generate encryption keys that are used by other AWS services/apps
-KMS is for encryption of data at rest only eg – S3, EBS, RDS (SSL for encryption in transit). KMS Data sent would be
cipher text.
-KMS is a region specific service like IAM
-Encryption key is a string of char used in conjunction with encryption algo to revert ciphertext to plaintext
-Symmetric crypto – uses single key to encrypt and decrypt data – even for diff person reading. Key sharing needs
to be secure - AWS KMS is central repo for key
-Asymmetric – separate keys to encrypt and decrypt(linked by algo). Private key not shared. Public key can be shared
without secure transmission. Both key needed to decrypt data. Sender will encrypt using your public key, you will
use private key to decrypt
-Symmetric is a lot faster both encrypt + decrypt but has additional risk eg RSA, Diffie Hellman and Digital Sign.
-KMS server side – encryption by server as data arrives, transparent to end user. Overhead of encryption and keys
managed by server
-KMS client side – done by end user. User interacts with data for encryption. Overhead is managed by client

Components of KMS

-Customer Master keys CMK – can encrypt data up to 4KB in size, used to generate, encrypt and decrypt DEK
o Customer managed – flexible - rotation, access governance and key policy config +ability to
enable/disable key
o AWS managed – used by other AWS services, can only be used by service that created them
-Data encryption keys DEK – create by CMK, can encrypt data of any size
-The Customer Master Key is used to protect data keys and data keys are used to encrypt and decrypt data objects.
-Envelope encryption – data is encrypted using a key which is encrypted – managed by KMS
-Key policies – allows you to define who can use and access a key in KMS. Tied to CMK, resource based policies.
Every CMK must have exactly one key policy.
-Grants – method to control access and use of the CMKs held in KMS, resource based but they allow you to
delegate a subset of your own access to CMK for principals (which means less risk of someone altering access
control permission of that CMK)
-Grants are often used for temporary permissions because you can create one, use its permissions, and delete it
without changing your key policies or IAM policies

41
 Blue is plain text key is deleted after the encryption is complete

Orange is encrypted key which is retained

For decryption – S3 will send encrypted key to KMS -> CMK which will generate the plain text key to decrypt.

KMS permissions and policies

-For most services access is controlled via IAM but not KMS
-To manage access to CMK, you must use a key policy associated with CMK
o using key policies,
o using key policies with IAM, and
o using key policies with grants.
-key policies(JSON) are resource based policies which are tied to your CMK. And if you want a
principal to be able to access your CMK, then a key policy must be in place to do so. contain elements
such as resource, action, effect, principal and optionally conditions
-During the creation of a CMK KMS will create a default key policy for you to allow principals to use the
CMK in question as remember a key policy is required for all CMKs.
-The key administrators can either be users or roles that you have setup and configured within IAM. These
principals can only administer the CMK. Can delete keys, can give themselves access if they want
-we can also use key policies in conjunction with IAM policies, but only if you have the following entry within the key
policy allowing the root full KMS access to the CMK, by doing so enables you to centralize your permissions
administration from within IAM as you would likely be doing for many other AWS services.

-
42
-Grants - they allow you to delegate your permissions to another AWS principal within your AWS
account. Much like the key policy, grants are another resource based method of access control to the
CMKs. The grants themselves need to be created using the AWS KMS APIs. Cannot be created
from Mgmt console. Provides grant ID and token(needed for encryption command)
-Auto key rotation – ARN and CMK-ID remain same. Backing key of CMK changes. older backing
keys are retained to decrypt data that was encrypted prior to this rotation. Rotating will only
prevent future access as you use new key. Not possible for imported keys and is 365 days (only).
AWS managed CMKs are out of scope and rotate every 1095 days (3 yrs)
-Manual rotation requires new CMK – which means new CMK ID along with new backing key. Apps need to point to
new CMK ID(alias can be used). Retain old CMKs
-When creating a CMK, you can choose key material origin as external to import from your on prem keys
-KMS enforces scheduled key deletion 7-30 days. Pending deletion state where it cannot be used and cannot be
rotated
-KMS stores keys on multi-tenant hardware security modules (HSMs). S3 provides the back-end system that Key
Management Service is built upon which helps ensure a low latency for access to keys and the high throughput
for multiple customer and data encryption keys

AWS Hardware security module – HSM

-Physical tamper-resistant h/w used to protect crypto material and encryption keys
-Dedicated single tenant device
-When an AWS CloudHSM device is initialized, existing keys are destroyed
-As a best practice with CloudHSM, always deploy CloudHSM in a high availability configuration with at least two
appliances in separate availability zones.
-There are a number of different operations that CloudHSM can help you provide, these include:
● The creation, storage and management of cryptographic keys, allowing you to import and export both
asymmetric and symmetric keys.
● The ability to use cryptographic hash functions to enable you to compute message digests and hash-based
message authentication codes, otherwise known as HMACs.
● Cryptographic data signing and signature verification.

● Using both asymmetric and symmetric encryption algorithms.

● And the ability to generate cryptographically secure random data.

-AWS KMS, the default key stores are managed by KMS and are stored on HSMs managed by AWS, less control.
require a greater level of control of your key stores. By creating a custom key store you can leverage the power
of your CloudHSM cluster… Cloud HSM must be provisioned in a VPC

43
-

44
-

45
-

46
-

47
-

-
- Using CSE-C, AWS assists in creating the keys and storing the encrypted objects. Key storage,
rotation, encryption and decryption is entirely performed on the client side. Most flexible and risky

MISC REVIEW
If you purchase a Reserved Instance and you already have a running instance that matches the
specifications of the Reserved Instance, the billing benefit is immediately applied. You do not have to
restart your instances.

AWS Batch - can be run on EC2(memory, GPU, CPU managed) or EC2+ Fargate(AWs managed).
Batch has no cost - only Ec2 and/or Fargate cost

48
Beanstalk -
automatic infra provision. 2 types- web tier environment and worker environment. A worker is a
background process that helps applications for handling heavy resource and time-intensive
operations.

Route 53 TTL - amount of time which a DNS resolver creates a cache infor about records and
reduces query latency
VM Import/Export enables you to easily import virtual machine images from your existing environment to
Amazon EC2 instances and export them back to your on-premises environment. This offering allows you to
leverage your existing investments in the virtual machines that you have built to meet your IT security,
configuration management, and compliance requirements by bringing those virtual machines into Amazon EC2
as ready-to-use instances.

- You can only export previously imported instances

- Virtual instances can be imported as AMIs
- Virtual Machines may be imported from your existing environment and back to your on prem

AWS transfer acceleration speed comparison tool - In general, the farther away you are from an Amazon
S3 region, the higher the speed improvement you can expect from using Amazon S3 Transfer
Acceleration. If you see similar speed results with and without the acceleration, your upload
bandwidth or a system constraint might be limiting your speed.

Kinesis - Is an analytics service to RT data collection, processing and analysis. Data stream,
Firehose, Video Streams and Data Analytics. Data Streams is a low latency streaming service in
AWS Kinesis with the facility for ingesting at scale and can store data. On the other hand, Kinesis
Firehose aims to serve as a managed data transfer service. The primary purpose of Kinesis Firehose
focuses on loading streaming data to Amazon S3, Splunk, ElasticSearch, and RedShift.

Athena - is a serverless analytics service uses SQL to query S3

AWS Direct Connect is a cloud service that helps to establish a dedicated connection from an on-premises network
to one or more VPCs in the same region.

Direct Connect gateway: It is a globally available service used to connect multiple Amazon VPCs across different
regions or AWS accounts. It can be integrated with either of the following gateways: ● Transit gateway - it is a
network hub used to connect multiple VPCs to an on-premise network in the same region. ● Virtual private gateway
- It is a distributed edge routing function on the edges of VPC. Transit gw is latest not global

VPN

-Way to connect 2 remote networks across the public internet. Connect VPC <-> data centre
-Needs a virtual g/w(in VPC), customer g/w(in datacenter) as end points
-VPN tunnel can be originated from Customer g/w only.
-If CGW supports BGP –> dynamic routing

Direct Connect

-Uses private infrastructure to connect directly – data center and AWS region, not just VPC. Much faster, dedicated
lease lines.
-Public virtual interface connect to AWS region and allows access to public resource such as S3
-Private virtual interface connects to virtual g/w in your VPC

49
VPC Endpoints

-Allow you to establish private connection(PrivateLink) from VPN to supported services without configuring an
internet g/w, NAT g/w, VPN or direct connect connection. Transfer between S3 and AWS resources in the same
region is free. Horizontally scalable, redundant and highly available.
-#1 Interface endpoints – ENIs within a subnet that act as a target for any traffic that is being sent to a supported
services and uses PrivateLink(private secure connection)
-#2 Gateway endpoints – target that is used with your route tables to allow you to reach supported services,
currently they only support (S3 and Dynamo DB only). Only works with IPv4. You can configure multiple g/w
end points for same service with different policies to grant specific access

You can use an AWS Direct Connect gateway to connect your AWS Direct Connect
connection over a private virtual interface to one or more VPCs in any account that are
located in the same or different Regions. You associate a Direct Connect gateway with the
virtual private gateway for the VPC. Then, you create a private virtual interface for your
AWS Direct Connect connection to the Direct Connect gateway. You can attach multiple
private virtual interfaces to your Direct Connect gateway.

Amazon SQS long polling is a way to retrieve messages from your Amazon SQS queues.
While the regular short polling returns immediately, even if the message queue being polled
is empty, long polling doesn’t return a response until a message arrives in the message
queue, or the long poll times out. Message timers let you specify an initial invisibility period
for a message added to a queue. The default (minimum) invisibility period for a message is
0 seconds. The maximum is 15 minutes.

Redshift is scalable d/w - OLAP - analytics, columnar storage, MPP

DynamoDB - millisecond latency + DAX for low latency - integrated with DynamoDB - does not need code like
Elasticache + RDS(which needs code)

NAT Instance ● NAT Instance is an EC2 Instance. ● It will be deployed in the Public Subnet.● NAT Instance allows
you to initiate IPv4 Outbound traffic to the internet. ● It will not allow the instance to receive inbound traffic from
the internet. a NAT instance must be able to send and receive traffic when the source or
destination is not itself. Therefore, you must disable source/destination checks on the NAT
instance. create route in RT from private subnet to NAT instance. Allocate an Elastic IP and
associate it with NAT instance. Use a script to manage failover between
instances.Managed by you

To copy instance to another region, create an AMI and copy the AMI to other region and
launch

Amazon Inspector is an automated security assessment service that helps improve the security
and compliance of applications deployed on AWS. Amazon Inspector automatically assesses
applications for exposure, vulnerabilities, and deviations from best practices.

Read replicas in other regions not supported by SQL Server

Auto scaling increases size gradually and once it scales, there is a gap before next scaling.
Manual vertical scaling is a good option

50
Instance backed AMI for boot but cannot be restarted -> EBS backed AMI, faster than instance
backed

Amazon EC2 Auto Scaling offers the ability to add lifecycle hooks to your Auto Scaling groups.
These hooks enable an Auto Scaling group to be aware of events in the Auto Scaling instance
lifecycle, and then perform a custom action when the corresponding lifecycle event occurs. A
lifecycle hook provides a specified amount of time (one hour by default) to complete the lifecycle
action before the instance transitions to the next state.

Enabling capacity rebalancing is a feature specific to spot instances when risk of interruption

UnhealthyThresholdCount - amount of time between when an unhealthy instance is identified and

when it is replaced.

Route 53 Calculated Health Check aggregates all individual health checks + Evaluate Target
Health flag - true/false

Multipart uploads - can be paused to relieve network traffic + if upload aborts, lifecycle rule to
delete incomplete uploads.

Redis - support in memory cache

AWS CloudFormation is a service that collects AWS and third-party resources and manages
them throughout their life cycles, by launching them together as a stack. A template is used to
create, update, and delete an entire stack as a single unit, without managing resources
individually. Templates - A JSON or YAML formatted text file used for building AWS resources.
Stack - It is a single unit of resources. Change sets - It allows checking how any change to a
resource might impact the running resources.

S3 IA is low cost but min duration is 30 days. Glacier 90 da 180

DynamoDB - Time to live - expiration time for the data.

AWS Glue - managed ETL service

EFS - file storage shared between instances across AZ. class- std and IA(92% cheaper -
charges for r/w+storage) and perf - general(7k<=) and max IO and through put mode -
bursting, provisioned.

EBS - block storage - individual instance storage. SSD(General(can be boot) and IOPS
provisioned(critical apps, large DB - more than 16K IOPS) and HDD(THru put optimized-
frequent access - streaming workload, big data) and cold HDD.

Subnet is public if it has a route to IGW for internet traffic

Egress routing gw for IPV6

51
RDS Multi AZ is synch rep(Auroa is asynch) - HA. Read replicas are asynch - performance
ENI is bound to interface and not the instance - management network

SQS FIFO - 300 tps -> 3000 batch of 10 mssg

SNS does not guarantee delivery…..vs SQS guarantees delivery

AWS global accelerator is UDP TCP end user traffic optimization

Route 53 - Geolocation routing policy – Use when you want to route traffic based on the
location of your users. Geoproximity routing policy – Use when you want to route traffic based
on the location of your resources and, optionally, shift traffic from resources in one location to
resources in another.

ENA vs EFA ->

ENA uses sriov single root io virtualisation , no cost only on supported instances

EFA - high performance compute/ML - internode connectivity, GPU -> EFA use case. EFA has os
bypass on Linux

Cloudfront - HTTP VS Global accelerator - TCP/UDP, 2 static ips

Private key is used to decrypt login and then RDP into Windows and remote connect via SSH in
Linux. Public key - AWS

EAR
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ListObjectsInBucket",
"Effect": "Allow",
"Action": ["s3:ListBucket"],
"Resource": ["arn:aws:s3:::bucket-name"]
}
]
}

WAF - WEb ACL + Rules(Allow,block,count) + Rule Groups

Firewall pre-req - AWS Org, set one account as admin and have config enabled - WAF rules +
Rule groups + Firewall Manager policies(2 rule - one customer, one AWS/marketplace)
KMS Grants - delegate permissions - can only be done programmatically CLI or API

52
On Demand capacity reservation for instance - reserve capacity based on different attributes such as instance type,
platform, tenancy within AZ for any period of time

RDS - cost is based on storage provisioned in EBS vs Aurora is actual usage in cluster storage.

AWS Direct Connect - consistent and reduces cost

AWS CloudFront - reduce data transfer cost as you use cached data

VPC endpoint allow services to communicate over private network reducing need for NAT g.w and public data
transfer costs

AWS Elastic Beanstalk is an easy-to-use service for deploying and scaling web applications and
services. You can simply upload your code and Elastic Beanstalk automatically handles the
deployment, from capacity provisioning, load balancing, auto-scaling to application health
monitoring. There is no additional charge for Elastic Beanstalk - you pay only for the AWS resources needed
to store and run your applications.

Elastic Global Accelerator - Global service not tied to a region to get UDP and TCP traffic from end user
clients to your apps faster and quicker and more reliably using AWS infra and specified end points (instead of
public internet). ENA vs Global Accelerator – ENA provides high speed performance for you instance vs Global
accelerator provides high speed performance from an end client to application on AWS

High availability in Aurora and DynamoDB

-Amazon Aurora uses shared cluster storage – no option to select and configure. Storage will scale auto. Replicated
across 3 AZs
-Only for MySQL compatible Aurora – go back in time. Max of 72 hours
-Aurora DB clusters are fault tolerant and can withstand loss of AZ. In the cluster, data is replicated across different
instances in different AZs. Multi AZ will allow RDS to provision a replicate in a diff AZ automatically.(no waiting for
primary in Multi AZ).
-Separates compute from storage layer – allows scaling. Storage is shared amongst all nodes in cluster
-Aurora stores data in 10GB blocks, each replicated six times across 3 AZs, two in each AZ(only supported in regions
that have 3 or more AZs) 3 lost read and 2 lost writes are ok out of 6
-Aurora does not need data replication(vs RDS) as it shares a single logical volume
DynamoDB + DAX + Global tables

Amazon DyanmoDB HA

-NoSQL Db that auto partitions data and incoming traffic across multiple partitions
-Distributed across servers across 3 AZs in a region. SSD – synchronous replication
-Global table(same AWS account) gives you capability to replicate a single table across 1 or many alternate regions.
Increases availability and takes advantage of data locality. Eventual consistency

Point in time recovery

-Disabled by default – 1-35 days. Restored in new table

-Same region or diff region

DAX – DynamoDB Accelerator

-Eventual consistency – issue with microsecond response times -> DAX. Fully managed and scalable.
-DAX – in-memory cache delivering 10X performance…milli to micro seconds
-Max of 10 nodes – 1 primary, 9 read replicas
-Encryption at rest – 256 AES + KMS keys
-DAX client on EC2 intercepts API calls to new DAX cluster
-Cache miss is passed to DB and data is added to cache. Write first to DB and then to DAX
53
IAM resource vs Identity policy and use

Identity-based policies are attached to an IAM user, group, or role. These policies let you
specify what that identity can do (its permissions).

Resource-based policies are attached to a resource. For example, you can attach resource-
based policies to Amazon S3 buckets, Amazon SQS queues, VPC endpoints, and AWS Key
Management Service encryption keys.

Cross-origin resource sharing (CORS) defines a way for client web applications that are loaded in
one domain to interact with resources in a different domain. With CORS support, you can build
rich client-side web applications with Amazon S3 and selectively allow cross-origin access to
your Amazon S3 resources.

START HERE

When you use Amazon Redshift enhanced VPC routing, Amazon Redshift forces all COPY and
UNLOAD traffic between your cluster and your data repositories through your virtual private cloud
(VPC) based on the Amazon VPC service.

CNAME - hostname->hostname, only non root domain;

alias - hostname -> AWS resource, works for root and non root domains

The main difference between Port 80 and Port 443 is strong security. Port-443 allows data
transmission over a secured network, while Port 80 enables data transmission in plain text.
AWS Resource manager helps share resources across accounts or organisation.

A presigned URL gives you access to the object identified in the URL, provided that the creator of
the presigned URL has permissions to access that object. That is, if you receive a presigned URL
to upload an object, you can upload the object only if the creator of the presigned URL has the
necessary permissions to upload that object.

All objects and buckets by default are private. The presigned URLs are useful if you want your
user/customer to be able to upload a specific object to your bucket, but you don't require them
to have AWS security credentials or permissions.

EFS
You can mount EFS over VPC connections in a SINGLE REGION by using VPC peering and
access them via mount targets within a region on certain instance types. Across regions VPC

54
peering works for all instances. You can only mount EFS on instance in only one VPC at a time.
File system and VPC must be in same AWS region. When you use a VPC peering connection or VPC
Transit Gateway to connect VPCs, EC2 instances in one VPC can access EFS file systems in another VPC,
even if the VPCs belong to different accounts.

Open port 22 SSH EC2 security group and port 2409 NFS on EFS security group to enable SSH
connectivity between them
EFS encryption at rest can only be set during EFS creation.
EFS encryption during transit is enabled via EFS mount helper during mounting. Unmount and
remount to enable.
EFS Max IO will increase throughput and operations per second with a trade off - higher latency
compared to General purpose mode
For high throughput compared to storage use throughput mode use
EFS - used for Big data and analytics, media processing, workflow, content management, web
serving and home directories
EBS - Boot volume, transactional, NoSQL Db, data warehouse and ETL

ELB/AS
- Launch config cannot be updated - delete and recreate
- if one Ec2 instance is updated, create an image from EC2, create a new launch config with
new Image and update autoscaling group to use new Launch config
- Request tracing to track HTTP requests in load balancer x-amzn-trace-id
Network Access Control List (NACL’s) subnet level, only one, default – allows all in and out, Support both allow and
deny, read in ascending order, NACLs stateless and so better suited for a private subnet. * rule denies as last step
as a catch all. If lower rule allows and higher denies, allow takes precedence as lower rule#

Security group - instance, allow only(no deny), stateful - public subnet, default allow all outbound rule and traffic.
All rules applied
NAT g/w cannot be used via VPC peering connection/VPN connection or Direct Connect.
VPC flow logs can be set up at VPC, Subnet or Network interface level
VPN Cloudhub requires virtual private gw with multiple customer gws each with unique border
gw protocol(BGP) Autonomous System Number (ASN)

55
 Security group Network ACL

Operates at the instance level - multiple Operates at the subnet level - single

Supports allow rules only Supports allow rules and deny rules
Default allows all outbound Default - Both i/b and o/b allowed

Is stateful: Return traffic is automatically Is stateless: Return traffic must be

allowed, regardless of any rules explicitly allowed by rules

We evaluate all rules before deciding We process rules in order, starting with
whether to allow traffic the lowest numbered rule, when deciding
whether to allow traffic

Applies to an instance only if someone Automatically applies to all instances in

specifies the security group when the subnets that it's associated with
launching the instance, or associates (therefore, it provides an additional layer of
the security group with the instance defense if the security group rules are too
later on permissive)

Policy based VPNS with one or more pairs of security associations drop already existing connections when new
connection requests are generated with different security associations. can cause packet loss and connectivity
failures

S3 - HTTP 200 code if upload successful

S3 - not good for OS or Db more for objects....

S3 - Read after write consistency for Puts of new objects and eventual consistency for overwrite
Puts and deletes(can take time to propagate)

https://acloudguru.s3.amazonaws.com/

https://acloudguru.eu-west-1.amazonaws.com/

ACLs can be applied to individual objects in bucket.

S3 versioning has MFA Delete capability

56
S3 Lifecycle rules has transition(move across classes) and expiration(delete). Min 30 days. Glacier
min 90 and DA is 180

3 ways to share S3 across accounts

- Bucket policy(entire bucket) + IAM - prog only

- Bucket ACL(individual objs) + IAM - prog only
- Cross account IAM - prog and console

Cross region rep - Existing files do not get replicated automatically, updates and new will be
replicated. Delete markers or individual delete versions are not replicated

CDN - Cloudfront- TTL - cache for duration - time to live to keep data. Origin can be S3, EC2,
ELB and Route 53. You can write to cache and can clear cache(but charged)

Snowball - 50-80TB

Snowball Edge - 100 TB + onboard storage and compute. Offline cloud, can cluster

File gw is for flat files stored directly on S3 vs volume gw(stored vs cached) is for entire dataset

Athena - Query service on top of S3 - query logs, business reports, Amazon Athena is an
interactive query service that makes it easy to analyze data in Amazon S3 using standard SQL
expressions. Athena is serverless, so there is no infrastructure to manage, and you pay only for
the queries you run.

Macie - uses ML and NLP to discover, classify and protect sensitive data in S3, can also analyze
cloudtrail logs for suspicious activity. security service.

Security group changes are immediately in effect. stateful so anything going in is allowed to go
out, no explicit rule needed. EC2 can have multiple security groups(many-many). All inbound is
blocked by default and all outbound traffic is allowed. Cannot add specific deny rules - allow
only.

EBS - virtual hard disk drive in cloud- should be in same AZ as EC2 instance

- General purpose SSD - GP2- most loads

- Provisioned IOPS SSD - IO1 - DB - Highest performance for critical apps
- THru put optimized HDD - ST1 - Big Data and DWH - frequent access, throughput
intensive load
- Cold HDD -SC1 - File server
- Magnetic - Standard

Ephemeral/instance store volume cannot be added after instance launch.

ENI/ENA/EFA

- ENI - virtual network card. separate networks

- ENA - no additional charge only on supported instances. up to 100 Gbps. Default off.
Sriov. Single root
- EFA - HPC ML. uses OS bypass but limited to single subnet. high throughput low latency.
Only Linux. Only one per instance.
57
Snapshots of encrypted vol are encrypted automatically. snapshots are incremental.

Volumes restored from encrypted snapshots are encrypted automatically

You can only share snapshots with other AWS accounts or made public if unencrypted

EBS Root volumes can be encrypted during setup under storage section.

Unencrypted volume can be copied via snapshot - option to encrypt snapshot.

Volume -> snapshot -> AMI - can be used to convert unencrypted to encrypted. You can create
AMI from both volume and snapshot.

Cloudwatch - performance….CPU, Network, Disk and Status check

Cloudtrail - auditing - API and management console actions recorded

Metadata - get info about instance such as IP Vs user data - startup script like YUM update.

EFS - you only pay for storage used vs EBS is pre-provision during set up

EFS - has read after write consistency

EFS - NAS filer for linux/unix based on NFS

FSx - SMB based, for windows works with Windows products

FSx Lustre - HPC/ML. Extremely high performance. can store data on S3 directly

RDS runs on VM - AWS manage eg OS updates . you cannot access the VM.

AWS RDS auto back up - 1-35 days. Full daily snapshot + transaction logs. Recovery is the most
recent backup + transaction logs for point in time recovery. Stored in S3, free equal to Db size.

Restore will be a new RDS with a new DNS endpoint

Multi AZ is HA - Synchronous vs Read replica - performance - async

Eventually Consistent Reads (1 second)

When you read data from a DynamoDB table, the response might not reflect the results of a
recently completed write operation. The response might include some stale data. If you repeat
your read request after a short time, the response should return the latest data.

Strongly Consistent Reads

When you request a strongly consistent read, DynamoDB returns a response with the most up-
to-date data, reflecting the updates from all prior write operations that were successful. However,
this consistency comes with some disadvantages:

58
 ● A strongly consistent read might not be available if there is a network delay or outage. In
this case, DynamoDB may return a server error (HTTP 500).
● Strongly consistent reads may have higher latency than eventually consistent reads.
● Strongly consistent reads are not supported on global secondary indexes.
● Strongly consistent reads use more throughput capacity than eventually consistent reads.

Aurora serverless is a relatively simple, cost effective option for infrequent, intermittent or
unpredictable workloads. Cost for serverless is per invocation (including lambda)

read replicas - aurora -15, mysql - 5 and postgresql -1.

Aurora has automated failover

Redis is Multi AZ and you can back up and restore

ELBs do not have predefined IPV4 address you resolve them using DNS

Multi value routing is similar to simple routing however allows you to put health checks on each
record set. only get healthy records

NACLs are second line of defence and lower rule # takes precedence……

Default NACL allows all out and in. Custom NACLS denies all in and out. Block IP using
NACL. Subnet can only have one NACL but one NACL can apply to multiple subnet.
Stateless so needs in and out rules.

You need at least 2 public subnets to create an ELB

VPC flow log for peer will work only if VPC is in your account.

Global accelerator tcp udp traffic uses edge locations and AWS network to speed up network
traffic for end users, 2 static IP address + traffic dials to control traffic in end points. weights can
be applied to end points. Standard and custom routing.

VPC endpoint enables you to privately connect your vpc to supported AWS services and VPC
endpoint services powered by PrivateLink without requiring internet gateway, NAT device, VPN
connection or AWS Direct Connect. Do not need public Ip.

ALB - 504 error - gw timeout as app not responding. X Forwarded for header - IP of user

Sticky session - sticks user session to specific EC2 instance - classic LB. ALB supports but at
target group level

Cross zone LB - if not enabled restricts LB to work within AZ.

Path pattern or path based routing - listener with rules to forward requests based on URL path.

Cloudformation - completely script your complex cloud environment

Beanstalk - for developers to set up environment

59
Elastic Beanstalk is a PaaS-like layer on top of AWS's IaaS services which abstracts away the
underlying EC2 instances, Elastic Load Balancers, auto-scaling groups, etc. This makes it a lot easier
for developers, who don't want to be dealing with all the systems stuff, to get their application quickly
deployed on AWS.

CloudFormation, on the other hand, doesn't automatically do anything. It's simply a way to define all
the resources needed for deployment in a huge JSON/YAML file. So a CloudFormation template mi4
daysght actually create two Elastic Beanstalk environments (production and staging), a couple of
ElasticCache clusters, a DynamoDB table, and then the proper DNS in Route53. I then upload this
template to AWS, walk away, and 45 minutes later everything is ready and waiting. Since it's just a
plain-text JSON/YAML file, I can stick it in my source control which provides a great way to version my
application deployments. It also ensures that I have a repeatable, "known good" configuration that I
can quickly deploy in a different region.

SQS - decouple - if duplication, increase visibility time out - max is 12hours. Max mssg size is
256KB…..larger will be stored on S3. Short poll(costs more) - immediate return even if empty.
long polling no response until mssg or until long poll times out. retention is 14 days

Amazon SWF helps developers build, run, and scale background jobs that have
parallel or sequential steps. You can think of Amazon SWF as a fully-managed state
tracker and task coordinator in the Cloud. AWS warehouse coordination + human.
task based.

Amazon API Gateway

is a fully managed service that makes it easy for developers to create, publish, maintain, monitor,
and secure APIs at any scale. APIs act as the "front door" for applications to access data,
business logic, or functionality from your backend services. Users call API g/w which can then be
routed to ELB, EC2, Lambda etc. API caching - cache your end point response to reduce
latency.TTL. API GW throttles requests by setting a limit on steady state rate and a burst of
request submission against all APIs in your account. Protects against DDoS

Serverless - > User -> Api GW + Lambda + Dynamodb / Aurora DB (serverless).

RDS cannot trigger Lambda.

Lambda triggers - DynamoDB, Kinesis, MQ, Kafka and SQS

Lambda price - no of requests and duration (1st million requests are free)

XRay allows to debug serverless esp Lambda

The maximum days for the EFS lifecycle policy is only 90 days.
CloudWatch custom metric using a Perl or other shell script, as there are no ready to use metrics for:
1. Memory utilization
2. Disk swap utilization
3. Disk space utilization
4. Page file utilization
5. Log collection
60
There is no “bid price” anymore for Spot EC2 instances since March 2018. You simply have to set your
maximum price instead.
The AWS Nitro System is the underlying platform for the latest generation of EC2 instances that
enables AWS to innovate faster, further reduce the cost of the customers, and deliver added benefits
like increased security and new instance types. max IOPS 64K
To achieve fault tolerance, you need to have redundant resources in place to avoid any system
degradation in the event of a server fault or an Availability Zone outage. Having a fault-tolerant
architecture entails an extra cost in running additional resources than what is usually needed.
You are limited to running On-Demand Instances per your vCPU-based On-Demand Instance limit,
purchasing 20 Reserved Instances, and requesting Spot Instances per your dynamic Spot limit per
region
DynamoDB - Global secondary index (20)- partition and sort keys can be diff than base table.
Local secondary index(5 per tbl) - has same partition key but diff sort key
The default termination policy is designed to help ensure that your network architecture spans
Availability Zones evenly. With the default termination policy, the behavior of the Auto Scaling group is
as follows:
1. If there are instances in multiple Availability Zones, choose the Availability Zone with the most
instances and at least one instance that is not protected from scale in. If there is more than one
Availability Zone with this number of instances, choose the Availability Zone with the instances that
use the oldest launch configuration.
2. Determine which unprotected instances in the selected Availability Zone use the oldest launch
configuration. If there is one such instance, terminate it.
3. If there are multiple instances to terminate based on the above criteria, determine which unprotected
instances are closest to the next billing hour. (This helps you maximize the use of your EC2 instances
and manage your Amazon EC2 usage costs.) If there is one such instance, terminate it.
4. If there is more than one unprotected instance closest to the next billing hour, choose one of these
instances at random.
Autoscaling default cool down is 300 seconds
ELB is regional - can run across zones not region.
With step scaling, you choose scaling metrics and threshold values for the CloudWatch alarms that
trigger the scaling process as well as define how your scalable target should be scaled when a
threshold is in breach for a specified number of evaluation periods. Step scaling policies increase or
decrease the current capacity of a scalable target based on a set of scaling adjustments, known as
step adjustments. The adjustments vary based on the size of the alarm breach. After a scaling activity
is started, the policy continues to respond to additional alarms, even while a scaling activity is in
progress. the target tracking scaling policy increases or decreases the current capacity of the group
based on a target value for a specific metric, instead of a set of scaling adjustments.
DynamoDB optionally supports conditional writes for these operations: PutItem, UpdateItem,
DeleteItem.
Amazon Redshift Spectrum is a feature within Amazon Web Services' Redshift data warehousing
service that lets a data analyst conduct fast, complex analysis on objects stored on the AWS cloud.
With Redshift Spectrum, an analyst can perform SQL queries on data stored in Amazon S3 buckets.

61
While both Spectrum and Athena are serverless, they differ in that Athena relies on pooled resources
provided by AWS to return query results, whereas Spectrum resources are allocated according to your
Redshift cluster size. This means that using Redshift Spectrum gives you more control over
performance. If you need a specific query to return extra-quickly, you can allocate additional compute
resources (needless to say, this can get expensive over time). This is not the case with Athena, where
your query will only receive the resources allocated automatically by AWS, which might differ during
peak usage times. Redshift Spectrum is more suitable for running large, complex queries, while
Athena is more suited for simplifying interactive queries
You can store session state data on both DynamoDB and ElastiCache. These AWS services provide
high-performance storage of key-value pairs which can be used to build a highly available web
application.
Amazon EMR is a managed cluster platform that simplifies running big data frameworks, such as
Apache Hadoop and Apache Spark, on AWS to process and analyze vast amounts of data. By using
these frameworks and related open-source projects such as Apache Hive and Apache Pig, you can
process data for analytics purposes and business intelligence workloads. Additionally, you can use
Amazon EMR to transform and move large amounts of data into and out of other AWS data stores and
databases such as Amazon Simple Storage Service (Amazon S3) and Amazon DynamoDB.
RAID 0 configuration enables you to improve your storage volumes’ performance by distributing the
I/O across the volumes in a stripe. Therefore, if you add a storage volume, you get the straight addition
of throughput and IOPS. This configuration can be implemented on both EBS or instance store
volumes. Attach multiple Provisioned IOPS SSD volumes in the instance is incorrect because
persistent storage is not needed in the scenario. Also, instance store volumes have greater I/O
performance than EBS volumes.
Enable Cross-Region Snapshots Copy in your Amazon Redshift Cluster.
VPC peering does not extend to Direct Connect, VPN, internet g/w, internet through NAT g/w or g/w end point to
services like S3.

A Kinesis data stream stores records from 24 hours by default to a maximum of 168 hours.
Using an Elastic Load Balancer is an ideal solution for adding elasticity to your application.
Alternatively, you can also create a policy in Route 53, such as a Weighted routing policy, to evenly
distribute the traffic to 2 or more EC2 instances.
Instance metadata is the data about your instance that you can use to configure or manage the
running instance. You can get the instance ID, public keys, public IP address and many other
information from the instance metadata by firing a URL command
AWS Cloud Map is simply a cloud resource discovery service. With Cloud Map, you can define custom
names for your application resources, and it maintains the updated location of these dynamically
changing resources. This increases your application availability because your web service always
discovers the most up-to-date locations of its resources.
When you launch an instance, the root device volume contains the image used to boot the instance.
S3 Select enables applications to retrieve only a subset of data from an object by using simple SQL
expressions. By using S3 Select to retrieve only the data needed by your application, you can achieve
drastic performance increases – in many cases you can get as much as a 400% improvement. It works
by retrieving a subset of an object’s data (using simple SQL expressions) instead of the entire object,
which can be up to 5 terabytes in size.

62
With Amazon Glacier Select, you can now provide a SQL query and an Amazon Glacier archive where
you want the query to be applied. You specify how soon you need results based on three options:
Expedited Retrievals take 1-5 minutes, Standard Retrievals take 3-5 hours, and Bulk Retrievals take
up to 12 hours. Provisioned capacity ensures that your retrieval capacity for expedited retrievals is
available when you need it. Each unit of capacity provides that at least three expedited retrievals can
be performed every five minutes and provides up to 150 MB/s of retrieval throughput.
Amazon RDS is incorrect because this is just a “managed” service and not “fully managed”. This
means that you still have to handle the backups and other administrative tasks such as when the
automated OS patching will take place. Amazon DynamoDB is the best option to use in this scenario.
It is a fully managed non-relational database service – you simply create a database table, set your
target utilization for Auto Scaling, and let the service handle the rest. You no longer need to worry
about database management tasks such as hardware or software provisioning, setup, and
configuration, software patching, operating a reliable, distributed database cluster, or partitioning data
over multiple instances as you scale. DynamoDB also lets you backup and restore all your tables for
data archival, helping you meet your corporate and governmental regulatory requirements.
Use AWS Lambda and Amazon API Gateway. With AWS Lambda, you pay only for what you use. You
are charged based on the number of requests for your functions and the duration, the time it takes for
your code to execute.
The premise of the scenario is that the EC2 servers have high memory usage, but since this specific
metric is not tracked by the Auto Scaling group by default, the scaling out activity is not being
triggered. Remember that by default, CloudWatch doesn’t monitor memory usage but only the CPU
utilization, Network utilization, Disk performance, and Disk Reads/Writes.This is the reason why you
have to install a CloudWatch agent in your EC2 instances to collect and monitor the custom metric
(memory usage), which will be used by your Auto Scaling Group as a trigger for scaling activities.
Based on the given scenario, web service clients can only access trusted IP addresses. To resolve this
requirement, you can use the Bring Your Own IP (BYOIP) feature to use the trusted IPs as Elastic IP
addresses (EIP) to a Network Load Balancer (NLB). This way, there’s no need to re-establish the
whitelists with new IP addresses.
ALB - You can use path conditions to define rules that forward requests to different target groups
based on the URL in the request (also known as path-based routing). host-based routing defines rules
that forward requests to different target groups based on the host name in the host header. Also
supports http, query string and source IP based routing.
Amazon DynamoDB is integrated with AWS Lambda so that you can create triggers—pieces of code
that automatically respond to events in DynamoDB Streams. With triggers, you can build applications
that react to data modifications in DynamoDB tables.
AWS AppSync is a fully managed service that makes it easy to develop GraphQL APIs by handling the
heavy lifting of securely connecting to data sources like AWS DynamoDB, Lambda, and more. Adding
caches to improve performance, subscriptions to support real-time updates, and client-side data stores
that keep off-line clients in sync are just as easy. Once deployed, AWS AppSync automatically scales
your GraphQL API execution engine up and down to meet API request volumes.
When the word durability pops out, the first service that should come to your mind is Amazon S3.
Since this service is not available in the answer options, we can look at the other data store available
which is Amazon DynamoDB. DynamoDB is durable, scalable, and highly available data store which
can be used for real-time tabulation. You can also use AppSync with DynamoDB to make it easy for
you to build collaborative apps that keep shared data updated in real time. DynamoDB is much more
suitable for simple mobile apps that do not have complicated data relationships compared with
63
enterprise web applications. It is stated in the scenario that the mobile app will be used from around
the world, which is why you need a data storage service which can be supported globally. It would be a
management overhead to implement multi-region deployment for your RDS and Aurora database
instances compared to using the Global table feature of DynamoDB.
You can set up CloudFront with origin failover for scenarios that require high availability. To get
started, you create an origin group with two origins: a primary and a secondary. If the primary origin is
unavailable, or returns specific HTTP response status codes that indicate a failure, CloudFront
automatically switches to the secondary origin. In the given scenario, you can use Lambda@Edge to
allow your Lambda functions to customize the content that CloudFront delivers and to execute the
authentication process in AWS locations closer to the users. In addition, you can set up an origin
failover by creating an origin group with two origins with one as the primary origin and the other as the
second origin which CloudFront automatically switches to when the primary origin fails. This will
alleviate the occasional HTTP 504 errors that users are experiencing.
Storage optimized instances are designed for workloads that require high, sequential read and write
access to very large data sets on local storage. They are optimized to deliver tens of thousands of low-
latency, random I/O operations per second (IOPS) to applications.
Memory Optimized Instances are designed to deliver fast performance for workloads that process
large data sets in memory, which is quite different from handling high read and write capacity on local
storage.
Compute Optimized Instances are ideal for compute-bound applications that benefit from high-
performance processors, such as batch processing workloads and media transcoding.
General Purpose Instances are the most basic type of instances. They provide a balance of compute,
memory, and networking resources, and can be used for a variety of workloads. Since you are
requiring higher read and write capacity, storage optimized instances should be selected instead.
AWS CloudFormation provides a common language for you to describe and provision all the
infrastructure resources in your cloud environment. CloudFormation allows you to use a simple text file
to model and provision, in an automated and secure manner, all the resources needed for your
applications across all regions and accounts. This file serves as the single source of truth for your
cloud environment. AWS CloudFormation is available at no additional charge, and you pay only for the
AWS resources needed to run your applications.
Amazon Kinesis Data Firehose is the easiest way to load streaming data into data stores and analytics
tools. It can capture, transform, and load streaming data into Amazon S3, Amazon Redshift, Amazon
Elasticsearch Service, and Splunk, enabling near real-time analytics with existing business intelligence
tools and dashboards you are already using today.It is a fully managed service that automatically
scales to match the throughput of your data and requires no ongoing administration. It can also batch,
compress, and encrypt the data before loading it, minimizing the amount of storage used at the
destination and increasing security. You can use Amazon Kinesis Data Firehose in conjunction with
Amazon Kinesis Data Streams if you need to implement real-time processing of streaming big data.
Kinesis Data Streams provides an ordering of records, as well as the ability to read and/or replay
records in the same order to multiple Amazon Kinesis Applications. The Amazon Kinesis Client Library
(KCL) delivers all records for a given partition key to the same record processor, making it easier to
build multiple applications reading from the same Amazon Kinesis data stream (for example, to
perform counting, aggregation, and filtering).
AWS Fargate is a serverless compute engine for containers that works with both Amazon Elastic
Container Service (ECS) and Amazon Elastic Kubernetes Service (EKS). Fargate makes it easy for
you to focus on building your applications. Fargate removes the need to provision and manage
64
servers, lets you specify and pay for resources per application, and improves security through
application isolation by design. Fargate allocates the right amount of compute, eliminating the need to
choose instances and scale cluster capacity. You only pay for the resources required to run your
containers, so there is no over-provisioning and paying for additional servers. Fargate runs each task
or pod in its own kernel providing the tasks and pods their own isolated compute environment. This
enables your application to have workload isolation and improved security by design.
Amazon EFS provides the scale and performance required for big data applications that require high
throughput to compute nodes coupled with read-after-write consistency and low-latency file operations.
AWS DataSync enables you to migrate your on-premises data to Amazon S3(mainly), Amazon EFS,
and Amazon FSx for Windows File Server. You can configure DataSync to make an initial copy of your
entire dataset, and schedule subsequent incremental transfers of changing data towards Amazon S3.
Enabling S3 Object Lock prevents your existing and future records from being deleted or overwritten.
Storage gateway if you want to retain and access data.
When you create an encrypted EBS volume and attach it to a supported instance type, the following
types of data are encrypted:
– Data at rest inside the volume
– All data moving between the volume and the instance
– All snapshots created from the volume
– All volumes created from those snapshots
Encryption operations occur on the servers that host EC2 instances, ensuring the security of both
data-at-rest and data-in-transit between an instance and its attached EBS storage. You can encrypt
both the boot and data volumes of an EC2 instance
Many companies that distribute content over the Internet want to restrict access to documents,
business data, media streams, or content that is intended for selected users, for example, users who
have paid a fee. To securely serve this private content by using CloudFront, you can do the following:
– Require that your users access your private content by using special CloudFront signed URLs or
signed cookies.
– Require that your users access your Amazon S3 content by using CloudFront URLs, not Amazon S3
URLs. Requiring CloudFront URLs isn’t necessary, but it is recommended to prevent users from
bypassing the restrictions that you specify in signed URLs or signed cookies. You can do this by
setting up an origin access identity (OAI) for your Amazon S3 bucket. You can also configure the
custom headers for a private HTTP server or an Amazon S3 bucket configured as a website endpoint.
All objects and buckets by default are private. The pre-signed URLs are useful if you want your
user/customer to be able to upload a specific object to your bucket, but you don’t require them to have
AWS security credentials or permissions.
Use signed URLs for the following cases:
– You want to use an RTMP distribution. Signed cookies aren’t supported for RTMP distributions.
– You want to restrict access to individual files, for example, an installation download for your
application.
– Your users are using a client (for example, a custom HTTP client) that doesn’t support cookies.
Use signed cookies for the following cases:
65
– You want to provide access to multiple restricted files, for example, all of the files for a video in HLS
format or all of the files in the subscribers’ area of a website.
– You don’t want to change your current URLs.
The best practice in handling API Credentials is to create a new role in the Identity Access
Management (IAM) service and then assign it to a specific EC2 instance. In this way, you have a
secure and centralized way of storing and managing your credentials.
If you triggered an S3 API call and got HTTP 200 result code and MD5 checksum, then it is considered
as a successful upload. The S3 API will return an error code in case the upload is unsuccessful.
you can create a CloudTrail trail to further archive, analyze, and respond to changes in your AWS
resources. A trail is a configuration that enables delivery of events to an Amazon S3 bucket that you
specify. You can also deliver and analyze events in a trail with Amazon CloudWatch Logs and Amazon
CloudWatch Events.
A static Anycast IP address is primarily used by AWS Global Accelerator to enable organizations to
seamlessly route traffic to multiple regions and improve availability and performance for their end-
users. Traffic dial
VPN connection to connect the VPC and your on-premises network. Second, you need AWS Directory
Services to integrate with your on-premises Active Directory and lastly, you need Amazon
WorkSpaces is a fully managed, persistent desktop virtualization service that enables your users to
access the data, applications, and resources they need, anywhere, anytime, from any supported
device. You can use Amazon WorkSpaces to provision either Windows or Linux desktops in just a few
minutes and quickly scale to provide thousands of desktops to workers across the globe. Amazon
WorkSpaces is deployed within an Amazon Virtual Private Cloud (VPC), and no user data is stored on
the local device. to use Amazon Workspace to create the needed virtual desktops in your VPC.
A VPC endpoint enables you to privately connect your VPC to supported AWS services and VPC
endpoint services powered by AWS PrivateLink without requiring an internet gateway, NAT device,
VPN connection, or AWS Direct Connect connection. Instances in your VPC do not require public IP
addresses to communicate with resources in the service. Traffic between your VPC and the other
service does not leave the Amazon network. When you create a VPC endpoint, you can attach an
endpoint policy that controls access to the service to which you are connecting. You can modify the
endpoint policy attached to your endpoint and add or remove the route tables used by the endpoint. An
endpoint policy does not override or replace IAM user policies or service-specific policies (such as S3
bucket policies). It is a separate policy for controlling access from the endpoint to the specified service.
SSH Port 22 Linux, RDP port 3389 Windows
HTTP, FTP and SSH are TCP
Video conf, streaming, DNS, VoIP - UDP
A route table contains a set of rules, called routes, that are used to determine where network traffic
from your subnet or gateway is directed.
Since the files are easily reproducible and some of them are needed to be retrieved quickly based on a
specific prefix filter (tdojo-finance), S3-One Zone IA would be a good choice for storing them. The
other files that do not contain such prefix would then be moved to Glacier for low-cost archival. This
setup would also be the most cost-effective for the client.

66
Running is billed
Stopping - if hibernate billed…..if stop, not billed
terminated - not billed unless reserved
The option that says: Use simple scaling is incorrect because you need to wait for the cooldown period
to complete before initiating additional scaling activities. Target tracking or step scaling policies can
trigger a scaling activity immediately without waiting for the cooldown period to expire.
Lifecycle configuration enables you to specify the lifecycle management of objects in a bucket. The
configuration is a set of one or more rules, where each rule defines an action for Amazon S3 to apply
to a group of objects. These actions can be classified as follows:
Transition actions – In which you define when objects transition to another storage class. For example,
you may choose to transition objects to the STANDARD_IA (IA, for infrequent access) storage class 30
days after creation or archive objects to the GLACIER storage class one year after creation.
Expiration actions – In which you specify when the objects expire. Then Amazon S3 deletes the
expired objects on your behalf.
Glacier has a management console that you can use to create and delete vaults. However, you cannot
directly upload archives to Glacier by using the management console. To upload data such as photos,
videos, and other documents, you must either use the AWS CLI or write code to make requests by
using either the REST API directly or by using the AWS SDKs. You can specify an absolute or relative
time period (including 0 days) in lifecycle policy after which the specified Amazon S3 objects should be
transitioned to Amazon Glacier.
AWS Trusted Advisor is an online tool that provides you real-time guidance to help you provision your
resources following AWS best practices. It inspects your AWS environment and makes
recommendations for saving money, improving system performance and reliability, or closing security
gaps.

Cost Optimization – recommendations that can potentially save you money by highlighting unused
resources and opportunities to reduce your bill.
Security – identification of security settings that could make your AWS solution less secure.
67
Fault Tolerance – recommendations that help increase the resiliency of your AWS solution by
highlighting redundancy shortfalls, current service limits, and over-utilized resources.
Performance – recommendations that can help to improve the speed and responsiveness of your
applications.
Service Limits – recommendations that will tell you when service usage is more than 80% of the
service limit.
AWS Cost Explorer is just a tool that enables you to view and analyze your costs and usage. You can
explore your usage and costs using the main graph, the Cost Explorer cost and usage reports, or the
Cost Explorer RI reports. It has an easy-to-use interface that lets you visualize, understand, and
manage your AWS costs and usage over time.
AWS Budgets gives you the ability to set custom budgets that alert you when your costs or usage
exceed (or are forecasted to exceed) your budgeted amount. You can also use AWS Budgets to set
reservation utilization or coverage targets and receive alerts when your utilization drops below the
threshold you define.
AWS Lambda supports the synchronous and asynchronous invocation of a Lambda function. You can
control the invocation type only when you invoke a Lambda function. When you use an AWS service
as a trigger, the invocation type is predetermined for each service. You have no control over the
invocation type that these event sources use when they invoke your Lambda function. Since
processing only takes 5 minutes, Lambda is also a cost-effective choice.You can use an AWS Lambda
function to process messages in an Amazon Simple Queue Service (Amazon SQS) queue. Lambda
event source mappings support standard queues and first-in, first-out (FIFO) queues. With Amazon
SQS, you can offload tasks from one component of your application by sending them to a queue and
processing them asynchronously.
Transferring data with Snowball is simple, fast, secure, and can be as little as one-fifth the cost of high-
speed Internet.
Amazon S3 Standard – Infrequent Access is an Amazon S3 storage class for data that is accessed
less frequently but requires rapid access when needed. Standard – IA offers the high durability,
throughput, and low latency of Amazon S3 Standard, with a low per GB storage price and per GB
retrieval fee. Intelligent Tiering storage class entails an additional fee for monitoring and automation of
each object in your S3 bucket vs. the Standard storage class and S3 Standard – Infrequent Access.

68
While S3 Intelligent-Tiering can automatically move data between two access tiers (frequent access
and infrequent access) when access patterns change, it is more suitable for scenarios where you don’t
know the access patterns of your data. It may take some time for S3 Intelligent-Tiering to analyze the
access patterns before it moves the data to a cheaper storage class like S3-IA which means you may
still end up paying more in the beginning. In addition, you already know the access patterns of the files
which means you can directly change the storage class immediately and save cost right away.
Using Redis AUTH command can improve data security by requiring the user to enter a password
before they are granted permission to execute Redis commands on a password-protected Redis
server. Hence, the correct answer is: Authenticate the users using Redis AUTH by creating a new
Redis Cluster with both the --transit-encryption-enabled and --auth-token parameters enabled.
Amazon Aurora Serverless is an on-demand, auto-scaling configuration for Amazon Aurora. An Aurora
Serverless DB cluster is a DB cluster that automatically starts up, shuts down, and scales up or down
its compute capacity based on your application’s needs. Aurora Serverless provides a relatively
simple, cost-effective option for infrequent, intermittent, sporadic or unpredictable workloads. It can
provide this because it automatically starts up, scales compute capacity to match your application’s
usage and shuts down when it’s not in use. Non relational can be DynamoDB….Global table if fully
managed and mult region multi master DB.
Considering that the company is using a corporate Active Directory, it is best to use AWS Directory
Service AD Connector for easier integration. In addition, since the roles are already assigned using
groups in the corporate Active Directory, it would be better to also use IAM Roles. Take note that you
can assign an IAM Role to the users or groups from your Active Directory once it is integrated with
your VPC via the AWS Directory Service AD Connector.
Amazon RDS provides metrics in real time for the operating system (OS) that your DB instance runs
on. You can view the metrics for your DB instance using the console, or consume the Enhanced
Monitoring JSON output from CloudWatch Logs in a monitoring system of your choice. By default,
Enhanced Monitoring metrics are stored in the CloudWatch Logs for 30 days. To modify the amount of
time the metrics are stored in the CloudWatch Logs, change the retention for the RDSOSMetrics log
group in the CloudWatch console. Take note that there are certain differences between CloudWatch
and Enhanced Monitoring Metrics. CloudWatch gathers metrics about CPU utilization from the
69
hypervisor for a DB instance, and Enhanced Monitoring gathers its metrics from an agent on the
instance. As a result, you might find differences between the measurements, because the hypervisor
layer performs a small amount of work. The differences can be greater if your DB instances use
smaller instance classes, because then there are likely more virtual machines (VMs) that are managed
by the hypervisor layer on a single physical instance. Enhanced Monitoring metrics are useful when
you want to see how different processes or threads on a DB instance use the CPU.
Amazon ECS enables you to inject sensitive data into your containers by storing your sensitive data in
either AWS Secrets Manager secrets or AWS Systems Manager Parameter Store parameters and
then referencing them in your container definition. This feature is supported by tasks using both the
EC2 and Fargate launch types.
Secrets can be exposed to a container in the following ways:
– To inject sensitive data into your containers as environment variables, use the secrets container
definition parameter.
– To reference sensitive information in the log configuration of a container, use the secretOptions
container definition parameter

Within your container definition, specify secrets with the name of the environment variable to set in
the container and the full ARN of either the Secrets Manager secret or Systems Manager Parameter
Store parameter containing the sensitive data to present to the container. The parameter that you
reference can be from a different Region than the container using it, but must be from within the same
account.
You can authenticate to your DB instance using AWS Identity and Access Management (IAM)
database authentication. IAM database authentication works with MySQL and PostgreSQL. With this
70
authentication method, you don’t need to use a password when you connect to a DB instance. Instead,
you use an authentication token.
When you create or update Lambda functions that use environment variables, AWS Lambda encrypts
them using the AWS Key Management Service. When your Lambda function is invoked, those values
are decrypted and made available to the Lambda code. The first time you create or update Lambda
functions that use environment variables in a region, a default service key is created for you
automatically within AWS KMS. This key is used to encrypt environment variables. However, if you
wish to use encryption helpers and use KMS to encrypt environment variables after your Lambda
function is created, you must create your own AWS KMS key and choose it instead of the default key.
The default key will give errors when chosen. Creating your own key gives you more flexibility,
including the ability to create, rotate, disable, and define access controls, and to audit the encryption
keys used to protect your data.
CloudTrail events provide a history of both API and non-API account activity made through the AWS
Management Console, AWS SDKs, command-line tools, and other AWS services. There are two types
of events that can be logged in CloudTrail: management events and data events. By default, trails
log management events, but not data events. Management Events provide visibility into
management operations that are performed on resources in your AWS account. These are also known
as control plane operations. Management events can also include non-API events that occur in your
account. Data Events, on the other hand, provide visibility into the resource operations performed on
or within a resource. These are also known as data plane operations. It allows granular control of data
event logging with advanced event selectors. You can currently log data events on different resource
types such as Amazon S3 object-level API activity (e.g. GetObject, DeleteObject, and PutObject API
operations), AWS Lambda function execution activity (the Invoke API), DynamoDB Item actions, and
many more.
You can use CloudWatch Events to run Amazon ECS tasks when certain AWS events occur. You can
set up a CloudWatch Events rule that runs an Amazon ECS task whenever a file is uploaded to a
certain Amazon S3 bucket using the Amazon S3 PUT operation. You can also declare a reduced
number of ECS tasks whenever a file is deleted on the S3 bucket using the DELETE operation.
AWS X-Ray helps you debug and analyze your microservices applications with request tracing so you
can find the root cause of issues and performance.
the maximum days for the EFS lifecycle policy is only 90 days.
The offering class of a Reserved Instance is either Standard or Convertible. A Standard Reserved
Instance provides a more significant discount than a Convertible Reserved Instance, but you can’t
exchange a Standard Reserved Instance unlike Convertible Reserved Instances. You can modify
Standard and Convertible Reserved Instances. Take note that in Convertible Reserved Instances, you
are allowed to exchange another Convertible Reserved instance with a different instance type and
tenancy.When your computing needs change, you can modify your Standard or Convertible Reserved
Instances and continue to take advantage of the billing benefit. You can modify the Availability Zone,
scope, network platform, or instance size (within the same instance type) of your Reserved Instance.
You can also sell your unused standard instance on the Reserved Instance Marketplace.you can
reserve capacity to a specific AWS Region (regional Reserved Instance) or specific Availability Zone
(zonal Reserved Instance) only. You cannot reserve capacity to multiple AWS Regions in a single RI
purchase.
A DynamoDB stream is an ordered flow of information about changes to items in an Amazon
DynamoDB table. When you enable a stream on a table, DynamoDB captures information about every
modification to data items in the table.

71
Whenever an application creates, updates, or deletes items in the table, DynamoDB Streams writes a
stream record with the primary key attribute(s) of the items that were modified. A stream record
contains information about a data modification to a single item in a DynamoDB table. You can
configure the stream so that the stream records capture additional information, such as the “before”
and “after” images of modified items.
Amazon DynamoDB is integrated with AWS Lambda so that you can create triggers—pieces of code
that automatically respond to events in DynamoDB Streams. With triggers, you can build applications
that react to data modifications in DynamoDB tables.
If you enable DynamoDB Streams on a table, you can associate the stream ARN with a Lambda
function that you write. Immediately after an item in the table is modified, a new record appears in the
table’s stream. AWS Lambda polls the stream and invokes your Lambda function synchronously when
it detects new stream records. The Lambda function can perform any actions you specify, such as
sending a notification or initiating a workflow.
You can invoke an AWS Lambda function from an Amazon Aurora MySQL-Compatible Edition
DB cluster with a native function or a stored procedure. This approach can be useful when you
want to integrate your database running on Aurora MySQL with other AWS services. For example, you
might want to capture data changes whenever a row in a table is modified in your database. RDS
events only provide operational events such as DB instance events, DB parameter group events, DB
security group events, and DB snapshot events. What we need in the scenario is to capture data-
modifying events (INSERT, DELETE, UPDATE) which can be achieved thru native functions or stored
procedures.

The partition key portion of a table’s primary key determines the logical partitions in which a table’s
data is stored. This in turn affects the underlying physical partitions. Provisioned I/O capacity for the
table is divided evenly among these physical partitions. Therefore a partition key design that doesn’t
distribute I/O requests evenly can create “hot” partitions that result in throttling and use your
provisioned I/O capacity inefficiently.
The optimal usage of a table’s provisioned throughput depends not only on the workload patterns of
individual items, but also on the partition-key design. This doesn’t mean that you must access all
partition key values to achieve an efficient throughput level, or even that the percentage of accessed
partition key values must be high. It does mean that the more distinct partition key values that your
workload accesses, the more those requests will be spread across the partitioned space. In general,
you will use your provisioned throughput more efficiently as the ratio of partition key values accessed
to the total number of partition key values increases.
One example for this is the use of partition keys with high-cardinality attributes, which have a large
number of distinct values for each item.
72
The AWS Key Management Service (KMS) custom key store feature combines the controls provided
by AWS CloudHSM with the integration and ease of use of AWS KMS. You can configure your own
CloudHSM cluster and authorize AWS KMS to use it as a dedicated key store for your keys rather than
the default AWS KMS key store. When you create keys in AWS KMS you can choose to generate the
key material in your CloudHSM cluster. CMKs that are generated in your custom key store never leave
the HSMs in the CloudHSM cluster in plaintext and all AWS KMS operations that use those keys are
only performed in your HSMs. AWS KMS can help you integrate with other AWS services to encrypt
the data that you store in these services and control access to the keys that decrypt it. To immediately
remove the key material from AWS KMS, you can use a custom key store. Take note that each custom
key store is associated with an AWS CloudHSM cluster in your AWS account. Therefore, when you
create an AWS KMS CMK in a custom key store, AWS KMS generates and stores the non-extractable
key material for the CMK in an AWS CloudHSM cluster that you own and manage. This is also suitable
if you want to be able to audit the usage of all your keys independently of AWS KMS or AWS
CloudTrail.
Since you control your AWS CloudHSM cluster, you have the option to manage the lifecycle of your
CMKs independently of AWS KMS. There are four reasons why you might find a custom key store
useful:
1. You might have keys that are explicitly required to be protected in a single-tenant HSM or in an
HSM over which you have direct control.
2. You might have keys that are required to be stored in an HSM that has been validated to FIPS
140-2 level 3 overall (the HSMs used in the standard AWS KMS key store are either validated
or in the process of being validated to level 2 with level 3 in multiple categories).
3. You might need the ability to immediately remove key material from AWS KMS and to prove
you have done so by independent means.
4. You might have a requirement to be able to audit all use of your keys independently of AWS
KMS or AWS CloudTrail.

https://docs.aws.amazon.com/vpc/latest/peering/invalid-peering-configurations.html#edge-to-edge-vgw
AWS Security Token Service (AWS STS) is the service that you can use to create and provide trusted
users with temporary security credentials that can control access to your AWS resources. Temporary
security credentials work almost identically to the long-term access key credentials that your IAM users
can use.
SNI Custom SSL relies on the SNI extension of the Transport Layer Security protocol, which allows
multiple domains to serve SSL traffic over the same IP address by including the hostname which the
viewers are trying to connect to.
AWS Global Accelerator is incorrect because this service is more suitable for non-HTTP use cases,
such as gaming (UDP), IoT (MQTT), or Voice over IP, as well as for HTTP use cases that specifically
require static IP addresses or deterministic, fast regional failover. Moreover, there is no direct way that
you can integrate AWS Global Accelerator with Amazon S3. It’s more suitable to use Amazon
CloudFront instead in this scenario. AWS Global Accelerator and Amazon CloudFront are separate
services that use the AWS global network and its edge locations around the world. CloudFront
improves performance for both cacheable content (such as images and videos) and dynamic content
(such as API acceleration and dynamic site delivery). Global Accelerator improves performance for a
wide range of applications over TCP or UDP by proxying packets at the edge to applications running in
one or more AWS Regions. Global Accelerator is a good fit for non-HTTP use cases, such as gaming
(UDP), IoT (MQTT), or Voice over IP, as well as for HTTP use cases that specifically require static IP
addresses or deterministic, fast regional failover. Both services integrate with AWS Shield for DDoS
protection.
73
Here are the prerequisites for routing traffic to a website that is hosted in an Amazon S3 Bucket:
– An S3 bucket that is configured to host a static website. The bucket must have the same name as
your domain or subdomain. For example, if you want to use the subdomain portal.tutorialsdojo.com,
the name of the bucket must be portal.tutorialsdojo.com.
– A registered domain name. You can use Route 53 as your domain registrar, or you can use a
different registrar.
– Route 53 as the DNS service for the domain. If you register your domain name by using Route 53,
we automatically configure Route 53 as the DNS service for the domain.
AWS OpsWorks is a configuration management service that provides managed instances of Chef and
Puppet. Chef and Puppet are automation platforms that allow you to use code to automate the
configurations of your servers. OpsWorks lets you use Chef and Puppet to automate how servers are
configured, deployed, and managed across your Amazon EC2 instances or on-premises compute
environments.
S3 can publish events to SQS, SNS and Lamda only
AWS IoT Core is a managed cloud service that lets connected devices easily and securely interact
with cloud applications and other devices. AWS IoT Core provides secure communication and data
processing across different kinds of connected devices and locations so you can easily build IoT
applications.
Geoproximity Routing lets Amazon Route 53 route traffic to your resources based on the geographic
location of your users and your resources. You can also optionally choose to route more traffic or less
to a given resource by specifying a value, known as a bias. A bias expands or shrinks the size of the
geographic region from which traffic is routed to a resource.
Geolocation Routing lets you choose the resources that serve your traffic based on the geographic
location of your users, meaning the location that DNS queries originate from.
A fanout scenario occurs when a message published to an SNS topic is replicated and pushed to
multiple endpoints, such as Amazon SQS queues, HTTP(S) endpoints, and Lambda functions. This
allows for parallel asynchronous processing. For example, you can develop an application that
publishes a message to an SNS topic whenever an order is placed for a product. Then, two or more
SQS queues that are subscribed to the SNS topic receive identical notifications for the new order. An
Amazon Elastic Compute Cloud (Amazon EC2) server instance attached to one of the SQS queues
can handle the processing or fulfillment of the order. And you can attach another Amazon EC2 server
instance to a data warehouse for analysis of all orders received. By default, an Amazon SNS topic
subscriber receives every message published to the topic. You can use Amazon SNS message
filtering to assign a filter policy to the topic subscription, and the subscriber will only receive a message
that they are interested in. Using Amazon SNS and Amazon SQS together, messages can be
delivered to applications that require immediate notification of an event. This method is known as
fanout to Amazon SQS queues.
SQS is a fully-managed message queuing service. It does not monitor applications nor send email
notifications unlike SES.
S3 - Object lock prevents change and delete -> auto version. If you enable the S3 Object Lock feature, you
won’t be able to upload new versions of an object. This feature is only helpful when you want to
prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely.
Retention period - data when object lock expires. Legal Hold - obj lock does not expire. Retention mode -
Compliance(stricter - no one can overwrite or delete) and Governance(users with privilege can overwrite or delete)
74
Datasync to move data to cloud vs storage gateway for a hybrid solution.
Amazon API Gateway has no minimum fees or startup costs. You pay only for the API calls you
receive and the amount of data transferred out.
Main difference is the user pools provide authentication through identity verification allowing to sign in
using a ID provider or local cognito user directory where as ID pools are used to help control access
using temp credentials to access AWS services
RDS backup default is 7 days upto 35 days(PITR also)
Redshift back default is 1 days upto 35 days. only in 1 zone but can do asynch replication of snapshot
to S3 in another region for DR
EMR log files can be persisted on S3 in five minute intervals but can be set up only during initial set up
- Big data use case
Global accelerator - 2 static IPs or BYO IPs. Traffic dials can be set within end point group - allow blue
green deployment
MUlti VPC connection without VPC peering, route table, NAT or Internet GW -> Use PrivateLink - set
up a NLB on service VPC and ENI on customer VPC.
Transit g/w connects VPC and on prem data centers. across accounts using RAM. supports IP
Multicast
VPN Cloudhub to connect multiple VPN connections over public internet
Autoscaling group with min and max of 1 + EIP….helps with HA. Has some down time but low cost
Decouple - > SQS - 256KB limit over in S3.
Std Q - Unlimited through put, at least once, order is best effort. FiFO exactly once, order is preserved.
Retention is 1 minute to 1 days, default is 4 days. SQS guarantees at least once processing.
SWF execution can last upto 1 year. task oriented API(not mssg). SWF does not have duplication.
tracking of workflow. Workflow starters, deciders and activity workers
SNS Push - for instance to mobile devices, text, email
API G/w provides request throttling and also cached API response(TTL)
Kinesis data streams has shards, data is stored for 24 hours upto 7 days -> 365 days, you need to
build autoscaling, data records in stream are immutable….fireshose has no persistence, managed,
customizable buffers data 60-900 Sec - near RT solution, auto scales….Lambda to do something with
it….stores in S3, Redshift or elasticsearch
DLQ - SNS fail to deliver, SQS maxReceiveCount and Lambda - failed asynch invocations, retry twice
and then send to SQS/SNS
Lambda responds to event sources - Poll based event sources are Kinesis SQS and DynamoDB,
mapping in Lambda. rest Push based, mapping in event source.
You can use Lambda extensions to augment your Lambda functions. For example, use Lambda
extensions to integrate functions with your preferred monitoring, observability, security, and
governance tools. Lambda supports external and internal extensions. An external extension runs as an
independent process in the execution environment and continues to run after the function invocation is
fully processed. Because extensions run as separate processes, you can write them in a different
language than the function.
75
AWS Lambda runs your function code securely within a VPC by default. However, to enable your
Lambda function to access resources inside your private VPC, you must provide additional VPC-
specific configuration information that includes VPC subnet IDs and security group IDs. AWS Lambda
uses this information to set up elastic network interfaces (ENIs) that enable your function to connect
securely to other resources within your private VPC. Lambda functions cannot connect directly to a
VPC with dedicated instance tenancy. To connect to resources in a dedicated VPC, peer it to a second
VPC with default tenancy.Your Lambda function automatically scales based on the number of events it
processes. If your Lambda function accesses a VPC, you must make sure that your VPC has sufficient
ENI capacity to support the scale requirements of your Lambda function. It is also recommended that
you specify at least one subnet in each Availability Zone in your Lambda function configuration. By
specifying subnets in each of the Availability Zones, your Lambda function can run in another
Availability Zone if one goes down or runs out of IP addresses. If your VPC does not have sufficient
ENIs or subnet IPs, your Lambda function will not scale as requests increase, and you will see an
increase in invocation errors with EC2 error types like EC2ThrottledException. For asynchronous
invocation, if you see an increase in errors without corresponding CloudWatch Logs, invoke the
Lambda function synchronously in the console to get the error responses.
When setting up a bastion host in AWS, you should only allow the individual IP of the client and not the
entire network. Therefore, in the Source, the proper CIDR notation should be used. The /32 denotes
one IP address and the /0 refers to the entire network.
DynamoDB is durable, scalable, and highly available data store which can be used for real-time
tabulation. You can also use AppSync with DynamoDB to make it easy for you to build collaborative
apps that keep shared data updated in real time. You just specify the data for your app with simple
code statements and AWS AppSync manages everything needed to keep the app data updated in real
time. This will allow your app to access data in Amazon DynamoDB, trigger AWS Lambda functions, or
run Amazon Elasticsearch queries and combine data from these services to provide the exact data you
need for your app.
the allowed block size in VPC is between a /16 netmask (65,536 IP addresses) and /28 netmask (16 IP
addresses) and not /27 netmask.
SNI Custom SSL relies on the SNI extension of the Transport Layer Security protocol, which allows
multiple domains to serve SSL traffic over the same IP address by including the hostname which the
viewers are trying to connect to. You can host multiple TLS secured applications, each with its own
TLS certificate, behind a single load balancer. In order to use SNI, all you need to do is bind multiple
certificates to the same secure listener on your load balancer. ALB will automatically choose the
optimal TLS certificate for each client. These features are provided at no additional charge.
only EBS-backed instances can be stopped and restarted, it is implied that the instance is EBS-
backed. Remember that an instance store-backed instance can only be rebooted or terminated and its
data will be erased if the EC2 instance is either stopped or terminated. If the instance is stopped, AWS
usually moves the instance to a new host computer. Your instance may stay on the same host
computer if there are no problems with the host computer.
AWS Transit Gateway provides a hub and spoke design for connecting VPCs and on-premises
networks. You can attach all your hybrid connectivity (VPN and Direct Connect connections) to a
single Transit Gateway consolidating and controlling your organization’s entire AWS routing
configuration in one place. It also controls how traffic is routed among all the connected spoke
networks using route tables. This hub and spoke model simplifies management and reduces
operational costs because VPCs only connect to the Transit Gateway to gain access to the connected
networks.

76
A gateway endpoint is a gateway that you specify in your route table to access Amazon S3 from your
VPC over the AWS network. Interface endpoints extend the functionality of gateway endpoints by
using private IP addresses to route requests to Amazon S3 from within your VPC, on-premises, or
from a different AWS Region. Interface endpoints are compatible with gateway endpoints. If you have
an existing gateway endpoint(S3 and DynamoDB) in the VPC, you can use both types of endpoints in
the same VPC. Hourly charge for interface end point vs g/w is only data transfer and resource usage.
Active-Active Failover
Use this failover configuration when you want all of your resources to be available the majority of the
time. When a resource becomes unavailable, Route 53 can detect that it’s unhealthy and stop
including it when responding to queries. In active-active failover, all the records that have the same
name, the same type (such as A or AAAA), and the same routing policy (such as weighted or latency)
are active unless Route 53 considers them unhealthy. Route 53 can respond to a DNS query using
any healthy record.
Active-Passive Failover
Use an active-passive failover configuration when you want a primary resource or group of resources
to be available the majority of the time and you want a secondary resource or group of resources to be
on standby in case all the primary resources become unavailable. When responding to queries, Route
53 includes only the healthy primary resources. If all the primary resources are unhealthy, Route 53
begins to include only the healthy secondary resources in response to DNS queries.
Use Server-Side Encryption – You request Amazon S3 to encrypt your object before saving it on disks
in its data centers and decrypt it when you download the objects.
Use Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3)
Use Server-Side Encryption with AWS KMS-Managed Keys (SSE-KMS)
Use Server-Side Encryption with Customer-Provided Keys (SSE-C)
Use Client-Side Encryption – You can encrypt data client-side and upload the encrypted data to
Amazon S3. In this case, you manage the encryption process, the encryption keys, and related tools.
Use Client-Side Encryption with AWS KMS–Managed Customer Master Key (CMK)
Use Client-Side Encryption Using a Client-Side Master Key
AWS Backup is a centralized backup service that makes it easy and cost-effective for you to backup
your application data across AWS services in the AWS Cloud, helping you meet your business and
regulatory backup compliance requirements. AWS Backup makes protecting your AWS storage
volumes, databases, and file systems simple by providing a central place where you can configure and
audit the AWS resources you want to backup, automate backup scheduling, set retention policies, and
monitor all recent backup and restore activity.you can use AWS Backup to create a backup plan with a
retention period of 90 days.the maximum rds backup retention period for automated backup is only 35
days.
S3 is cheaper than EBS and EFS in pure storage costs
EBS and EFS has higher performance than S3
EBS is meant to be used as volumes for EC2 instances
S3 has a built-in query feature

77
S3 offers eventual consistency for overwrite PUTS and DELETES in all regions.S3 does not have a
hierarchy (flat environment) for files unlike EFS
AWS Step Functions (serverless)
A fully managed service that makes it easy to coordinate the components of distributed applications
and microservices using visual workflows.
You define state machines that describe your workflow as a series of steps, their relationships, and
their inputs and outputs. State machines contain a number of states, each of which represents an
individual step in a workflow diagram. States can perform work, make choices, pass parameters,
initiate parallel execution, manage timeouts, or terminate your workflow with a success or failure.
Consider using AWS Step Functions for all your new applications, since it provides a more productive
and agile approach to coordinating application components using visual workflows. If you require
external signals (deciders) to intervene in your processes, or you would like to launch child processes
that return a result to a parent, then you should consider Amazon SWF.
SWF API actions are task-oriented. SQS API actions are message-oriented. SWF keeps track of all
tasks and events in an application. SQS requires you to implement your own application-level tracking,
especially if your application uses multiple queues.
CloudWatch is a monitoring service for AWS resources and applications. CloudTrail is a web service
that records API activity in your AWS account. They are both useful monitoring tools in AWS. With
CloudWatch, you can collect and track metrics, collect and monitor log files, and set alarms.
CloudTrail, on the other hand, logs information on who made a request, the services used, the actions
performed, parameters for the actions, and the response elements returned by the AWS service.
CloudTrail Logs are then stored in an S3 bucket or a CloudWatch Logs log group that you specify.
Typically, CloudTrail delivers an event within 15 minutes of the API call. CloudWatch delivers metric
data in 5 minutes periods for basic monitoring and 1 minute periods for detailed monitoring. The
CloudWatch Logs Agent will send log data every five seconds by default.
● CloudFront uses multiple sets of dynamically changing IP addresses while Global Accelerator
will provide you a set of static IP addresses as a fixed entry point to your applications.
● CloudFront pricing is mainly based on data transfer out and HTTP requests while Global
Accelerator charges a fixed hourly fee and an incremental charge over your standard Data
Transfer rates, also called a Data Transfer-Premium fee (DT-Premium).
● CloudFront uses Edge Locations to cache content while Global Accelerator uses Edge
Locations to find an optimal pathway to the nearest regional endpoint.
● CloudFront is designed to handle HTTP protocol meanwhile Global Accelerator is best used for
both HTTP and non-HTTP protocols such as TCP and UDP.

Parameter Store was designed to cater to a wider use case, not just secrets or passwords, but also
application configuration variables like URLs, DB hostnames, custom settings, product keys, etc. which
is why the default selection for creating a parameter is a plain text String value. You can enable
encryption if you explicitly choose to. Secrets Manager was designed specifically for confidential
information that needs to be encrypted so the creation of a secret entry has encryption enabled by
default. You can also choose to store in plaintext if you explicitly want to. Both services have a
versioning feature. This allows you to view previous versions of your parameters of secret in case you
needed them. You can choose to restore the older version of the parameter. Parameter Store only
allows one version of the parameter to be active at any given time. Secrets Manager, on the other
hand, allows multiple versions to exist at the same time when you are performing a secret rotation.
Secrets Manager distinguishes between different versions by the staging labels. AWS Secrets
Manager offers the ability to switch secrets at any given time and can be configured to regularly rotate
depending on your requirements. Another feature available for Secrets Manager is cross-account
78
access. Secrets can be accessed from another AWS account. One advantage of SSM Parameter is
that it costs nothing to use standard parameters. You can store up to 10,000 parameters and you
won’t get billed. Advanced Parameters has a cost associated with it, however. AWS Secret Manager
bills you a fixed cost for every secret per month and for every 10,000 API calls.

Objects that are stored in the S3 Glacier or S3 Glacier Deep Archive storage classes are not available
in real time. Archived objects are Amazon S3 objects, but before you can access an archived object,
you must first restore a temporary copy of it. The restored object copy is available only for the duration
you specify in the restore request. After that, Amazon S3 deletes the temporary copy, and the object
remains archived in Amazon S3 Glacier.
AWS Transit Gateway provides a hub and spoke design for connecting VPCs and on-premises
networks. You can attach all your hybrid connectivity (VPN and Direct Connect connections) to a
single Transit Gateway consolidating and controlling your organization's entire AWS routing
configuration in one place.
When the word durability pops out, the first service that should come to your mind is Amazon S3.
Since this service is not available in the answer options, we can look at the other data store available
which is Amazon DynamoDB.
Kinesis Data Streams provides an ordering of records, as well as the ability to read and/or replay
records in the same order to multiple Amazon Kinesis Applications. The Amazon Kinesis Client Library
(KCL) delivers all records for a given partition key to the same record processor, making it easier to
build multiple applications reading from the same Amazon Kinesis data stream (for example, to
perform counting, aggregation, and filtering). Integrates with S3, Redshift, Splunk and Elastisearch.A
Kinesis data stream stores records from 24 hours by default to a maximum of 168 hours.
Small random I/O ops - SSD and large sequential I/O ops - HDD
Individual Amazon S3 objects can range in size from a minimum of 0 bytes to a maximum of 5
terabytes. The largest object that can be uploaded in a single PUT is 5 gigabytes. For objects larger
than 100 megabytes, customers should consider using the Multipart Upload capability.
You are limited to running On-Demand Instances per your vCPU-based On-Demand Instance limit,
purchasing 20 Reserved Instances, and requesting Spot Instances per your dynamic Spot limit per
region.
A VPC spans all the Availability Zones in the region.Each subnet maps to a single Availability Zone.

79
-

80
-Amazon SWF provides useful guarantees around task assignments. It ensures that a task is never duplicated and is
assigned only once. Thus, even though you may have multiple workers for a particular activity type (or a number
of instances of a decider), Amazon SWF will give a specific task to only one worker (or one decider instance).
Additionally, Amazon SWF keeps at most one decision task outstanding at a time for a workflow execution. Thus,
you can run multiple decider instances without worrying about two instances operating on the same execution
simultaneously. These facilities enable you to coordinate your workflow without worrying about duplicate, lost,
or conflicting tasks.

RDS Enhanced monitoring shows RDS child processes, RDS processes and OS Processes.

When you launch an EC2 instance into a default VPC, AWS provides it with public and private
DNS hostnames that correspond to the public IPv4 and private IPv4 addresses for the instance.
However, when you launch an instance into a non-default VPC, AWS provides the instance with a
private DNS hostname only. New instances will only be provided with public DNS hostname
depending on these two DNS attributes: the DNS resolution and DNS hostnames, that you have
specified for your VPC, and if your instance has a public IPv4 address.

An Amazon S3 Glacier (Glacier) vault can have one resource-based vault access policy and one Vault Lock policy
attached to it. A Vault Lock policy is a vault access policy that you can lock. Using a Vault Lock policy can help you
enforce regulatory and compliance requirements. Amazon S3 Glacier provides a set of API operations for you to
manage the Vault Lock policies.

Enhanced networking uses single root I/O virtualization (SR-IOV) to provide high-performance networking
capabilities on supported instance types. SR-IOV is a method of device virtualization that provides higher I/O
performance and lower CPU utilization when compared to traditional virtualized network interfaces. Enhanced
networking provides higher bandwidth, higher packet per second (PPS) performance, and consistently lower inter-
instance latencies. There is no additional charge for using enhanced networking.

the OS-bypass capabilities of the Elastic Fabric Adapter (EFA) are not supported on Windows
instances.
S3 is incorrect because although this provides the same level of high availability and high scalability
like EFS, this service is not suitable for storing data which are rapidly changing, just as mentioned in
the above explanation. It is still more effective to use EFS as it offers strong consistency and file
locking which the S3 service lacks.

In order for you to establish an SSH connection from your home computer to your EC2 instance, you
need to do the following:

– On the Security Group, add an Inbound Rule to allow SSH traffic to your EC2 instance.

– On the NACL, add both an Inbound and Outbound Rule to allow SSH traffic to your EC2 instance.

The reason why you have to add both Inbound and Outbound SSH rule is due to the fact that Network
ACLs are stateless which means that responses to allow inbound traffic are subject to the rules for
outbound traffic (and vice versa). In other words, if you only enabled an Inbound rule in NACL, the
traffic can only go in but the SSH response will not go out since there is no Outbound rule.

An interface endpoint is an elastic network interface with a private IP address from the IP address
range of your subnet. Unlike a Gateway endpoint, you still get billed for the time your interface
endpoint is running and the GB data it has processed. From a cost standpoint, using the S3 Gateway
endpoint is the most favorable solution.
VPC endpoints are region-specific only and do not support inter-region communication.

81
General Purpose SSD (gp2) volumes offer cost-effective storage that is ideal for a broad range of
workloads. These volumes deliver single-digit millisecond latencies and the ability to burst to 3,000
IOPS for extended periods of time.

The ReceiveMessageWaitTimeSeconds is the queue attribute that determines whether you are using
Short or Long polling. By default, its value is zero which means it is using Short polling. If it is set to a
value greater than zero, then it is Long polling.

AWS Storage Gateway is more suitable to be used in integrating your storage services by replicating
your data while AWS DataSync is better for workloads that require you to move or migrate your data.

There are two types of events that you configure your CloudTrail for:
– Management Events
– Data Events

Management Events provide visibility into management operations that are performed on resources in
your AWS account. These are also known as control plane operations. Management events can also
include non-API events that occur in your account.
Data Events, on the other hand, provide visibility into the resource operations performed on or within a
resource. These are also known as data plane operations. It allows granular control of data event
logging with advanced event selectors. You can currently log data events on different resource types
such as Amazon S3 object-level API activity (e.g. GetObject, DeleteObject, and PutObject API
operations), AWS Lambda function execution activity (the Invoke API), DynamoDB Item actions, and
many more. By default, trails log management events, but not data events.

Amazon EC2 Auto Scaling provides you with an option to enable automatic scaling for one or more
EC2 instances by attaching them to your existing Auto Scaling group. After the instances are attached,
they become a part of the Auto Scaling group The instance that you want to attach must meet the
following criteria:

– The instance is in the running state.

– The AMI used to launch the instance must still exist.

– The instance is not a member of another Auto Scaling group.

82
– The instance is launched into one of the Availability Zones defined in your Auto Scaling group.

– If the Auto Scaling group has an attached load balancer, the instance and the load balancer must
both be in EC2-Classic or the same VPC. If the Auto Scaling group has an attached target group, the
instance and the load balancer must both be in the same VPC

You can use Run Command from the console to configure instances without having to login to each
instance. AWS Systems Manager Run Command lets you remotely and securely manage the
configuration of your managed instances.

Amazon S3 now provides increased performance to support at least 3,500 requests per second to add
data and 5,500 requests per second to retrieve data, which can save significant processing time for no
additional charge. Each S3 prefix can support these request rates, making it simple to increase
performance significantly.

You can use geo match conditions with other AWS WAF Classic conditions or rules to build
sophisticated filtering. For example, if you want to block certain countries but still allow specific IP
addresses from that country, you could create a rule containing a geo match condition and an IP
match condition. Configure the rule to block requests that originate from that country and do not match
the approved IP addresses. As another example, if you want to prioritize resources for users in a
particular country, you could include a geo match condition in two different rate-based rules. Set a
higher rate limit for users in the preferred country and set a lower rate limit for all other users.

AWS Trusted Advisor is an online tool that provides you real-time guidance to help you provision your
resources following AWS best practices. It inspects your AWS environment and makes
recommendations for saving money, improving system performance and reliability, or closing security
gaps.

By default, CloudTrail event log files are encrypted using Amazon S3 server-side encryption (SSE).
You can also choose to encrypt your log files with an AWS Key Management Service (AWS KMS) key.

Elastic Load Balancing provides access logs that capture detailed information about requests sent to
your load balancer. Each log contains information such as the time the request was received, the
client’s IP address, latencies, request paths, and server responses. You can use these access logs to
analyze traffic patterns and troubleshoot issues.Access logging is an optional feature of Elastic Load
Balancing that is disabled by default. After you enable access logging for your load balancer, Elastic
Load Balancing captures the logs and stores them in the Amazon S3 bucket that you specify as
compressed files. You can disable access logging at any time.

AWS Transit Gateway also enables you to scale the IPsec VPN throughput with equal-cost multi-path
(ECMP) routing support over multiple VPN tunnels. A single VPN tunnel still has a maximum
throughput of 1.25 Gbps. If you establish multiple VPN tunnels to an ECMP-enabled transit gateway, it
can scale beyond the default limit of 1.25 Gbps.

Step scaling applies “step adjustments” which means you can set multiple actions to vary the scaling
depending on the size of the alarm breach. When you create a step scaling policy, you can also
specify the number of seconds that it takes for a newly launched instance to warm up.

Snapshots(EBS) occur asynchronously; the point-in-time snapshot is created immediately, but the
status of the snapshot is pending until the snapshot is complete (when all of the modified blocks have
been transferred to Amazon S3), which can take several hours for large initial snapshots or
subsequent snapshots where many blocks have changed.While it is completing, an in-progress
snapshot is not affected by ongoing reads and writes to the volume hence, you can still use the EBS

83
volume normally.When you create an EBS volume based on a snapshot, the new volume begins as an
exact replica of the original volume that was used to create the snapshot. The replicated volume loads
data lazily in the background so that you can begin using it immediately. If you access data that hasn’t
been loaded yet, the volume immediately downloads the requested data from Amazon S3, and then
continues loading the rest of the volume’s data in the background.

You can use Scheduled Reserved Instances (Scheduled Instances) which enables you to purchase
capacity reservations that recur on a daily, weekly, or monthly basis, with a specified start time and
duration, for a one-year term. This will ensure that you have an uninterrupted compute capacity to
process your mission-critical batch jobs.

IAM roles are global services that are available to all regions hence, all you have to do is assign the
existing IAM role to the instance in the new region.

AWS Database Migration Service helps you migrate databases to AWS quickly and securely. The
source database remains fully operational during the migration, minimizing downtime to applications
that rely on the database. The AWS Database Migration Service can migrate your data to and from
most widely used commercial and open-source databases. First use the AWS Schema Conversion
Tool to convert the source schema and code to match that of the target database, and then use the
AWS Database Migration Service to migrate data from the source database to the target database. All
the required data type conversions will automatically be done by the AWS Database Migration Service
during the migration. The source database can be located in your own premises outside of AWS,
running on an Amazon EC2 instance, or it can be an Amazon RDS database. The target can be a
database in Amazon EC2 or Amazon RDS.

Failover is automatically handled by Amazon Aurora so that your applications can resume database
operations as quickly as possible without manual administrative intervention. If you have an Amazon
Aurora Replica in the same or a different Availability Zone, when failing over, Amazon Aurora flips the
canonical name record (CNAME) for your DB Instance to point at the healthy replica, which in turn is
promoted to become the new primary. Start-to-finish, failover typically completes within 30 seconds. If
you do not have an Amazon Aurora Replica (i.e. single instance) and are not running Aurora
Serverless, Aurora will attempt to create a new DB Instance in the same Availability Zone as the
original instance. This replacement of the original instance is done on a best-effort basis and may not
succeed, for example, if there is an issue that is broadly affecting the Availability Zone.

If EC2 interrupts your spot instance in the first hour before a full hour of run time, you are not charged
for partial hour used

HTTPS Port 443 traffic - Security group rule to allow HTTPS on 443 and NACL to allow Inbound on
Port 443. and ALL PORTS OUTBOUND as sender port is random (1024-65535)

Savings Plans are a flexible pricing model that offer low prices on EC2, Lambda, and Fargate usage,
in exchange for a commitment to a consistent amount of usage (measured in $/hour) for a 1 or 3 year
term. When you sign up for a Savings Plan, you will be charged the discounted Savings Plans price for
your usage up to your commitment. AWS offers two types of Savings Plans: Compute Savings Plans
provide the most flexibility and help to reduce your costs by up to 66%. These plans automatically
apply to EC2 instance usage regardless of instance family, size, AZ, region, OS or tenancy, and also
apply to Fargate or Lambda usage. For example, with Compute Savings Plans, you can change from
C4 to M5 instances, shift a workload from EU (Ireland) to EU (London), or move a workload from EC2
to Fargate or Lambda at any time and automatically continue to pay the Savings Plans price. EC2
Instance Savings Plans provide the lowest prices, offering savings up to 72% in exchange for
commitment to usage of individual instance families in a region (e.g. M5 usage in N. Virginia). This
automatically reduces your cost on the selected instance family in that region regardless of AZ, size,

84
OS or tenancy. EC2 Instance Savings Plans give you the flexibility to change your usage between
instances within a family in that region. For example, you can move from c5.xlarge running Windows to
c5.2xlarge running Linux and automatically benefit from the Savings Plan prices. EC2 Instance
Savings Plans provide savings up to 72 percent off On-Demand, in exchange for a commitment to a
specific instance family in a chosen AWS Region (for example, M5 in Virginia). These plans
automatically apply to usage regardless of size (for example, m5.xlarge, m5.2xlarge, etc.), OS (for
example, Windows, Linux, etc.), and tenancy (Host, Dedicated, Default) within the specified family in a
Region. A convertible instance and a compute savings plan both offer up to 66 percent off. However,
an EC2 instance savings plan offers up to 72 percent discount.

When you create a target tracking scaling policy, you can specify the number of seconds that it takes
for a newly launched instance to warm up. Until its specified warm-up time has expired, an instance is
not counted toward the aggregated metrics of the Auto Scaling group.

If you lose the private key for an EBS-backed instance, you can regain access to your instance. You
must stop the instance, detach its root volume and attach it to another instance as a data volume,
modify the authorized_keys file with a new public key, move the volume back to the original instance,
and restart the instance. This procedure is not supported for instances with instance store-backed root
volumes.

Route 53 health check's primary purpose is not to send notifications as a CloudWatch alarm would;
Route 53 health checks exist to support DNS failover. Also, Route 53 health checks do not track
metrics like counting the number of 500-level errors as a health check independently. A CloudWatch
alarm would be necessary for that.

Customer managed keys are KMS keys in your AWS account that you create, own, and manage. You
have full control over these KMS keys, including establishing and maintaining their key policies, IAM
85
policies, and grants, enabling and disabling them, rotating their cryptographic material, adding tags,
creating aliases that refer to the KMS keys, and scheduling the KMS keys for deletion.

Cross zone LB enabled -> 100/no of total instances = traffic per instance - same number across all
instances
Cross zone LB disabled -> 100/no of zones -> each zone share/no of instances

Frequent scale in-scale out of auto scaling - adjust cloud watch metric to higher threshold and add
lifecycle hook.

When you want to include instances with multiple purchase types in the same auto scaling group, you
have the ability to maintain a set number of on-demand instances will be deployed at all times, and
then split the remaining instances between multiple purchase types as you see fit. To configure this,
set a number of instances as your "optional on-demand base" within your launch template. This is not
possible using a launch configuration.

In order for the third-party account to securely connect to your services, they need to provide you
their account ID, an external ID (a secret shared between the two accounts), and the specific
permissions for the services they need to access.

An elastic network interface is a virtual network interface that you can attach to an instance in a VPC.
Network interfaces are available only for instances running in a VPC. If one of your instances serving
a particular function fails, its network interface can be attached to a replacement or hot standby
instance pre-configured for the same role to rapidly recover the service.

EKS-managed node groups and EKS on AWS Fargate do not support Windows servers

SQL Server does not support read replicas located in a separate AWS region from the primary DB

It is recommended that you launch the number of instances that you need in the placement group in a
single launch request and that you use the same instance type for all instances in the placement
group. If you try to add more instances to the placement group later, or if you try to launch more than
one instance type in the placement group, you increase your chances of getting an insufficient capacity
error. If you receive a capacity error when launching an instance in a placement group that already has
running instances, stop and start all of the instances in the placement group, and try the launch again.
Restarting the instances may migrate them to hardware that has capacity for all the requested
instances.

Elastic Beanstalk - Application files are stored in S3. The server log files can also optionally be stored
in S3 or in CloudWatch Logs.
Deploying Aurora to two Auto-Scaling groups of EC2 instances across two Availability Zones with an
elastic load balancer which handles load balancing is incorrect because Aurora is a managed
database engine for RDS and not deployed on typical EC2 instances that you manually provision.

86
AWS FsX for Lustre has the capability to easily process your S3 data with a high-performance POSIX
interface. Fsx for Windows and EFS cannot interact with S3 natively.

Kinesis Datastream - Splitting increases the number of shards in your stream and therefore increases
the data capacity of the stream. Because you are charged on a per-shard basis, splitting increases the
cost of your stream. Similarly, merging reduces the number of shards in your stream and therefore
decreases the data capacity—and cost—of the stream.

Data transferred between Amazon EC2, Amazon RDS, Amazon Redshift, Amazon ElastiCache
instances, and Elastic Network Interfaces in the same Availability Zone is free. Instead of using the
public network to transfer the data, you can use the private network to reduce the overall data
transfer costs.

If you already have a data lake or data store (e.g. S3, RedShift, ElasticSearch)where you want your
data stream to be delivered to, Kinesis Data Firehose might be for you. Firehose has been built to
remove the admin work that comes with delivering data streams. Do note that data latency for
Firehose is 60 seconds or higher. If you have your own data processing pipeline and just need to be
able to stream data there, then Kinesis Data Streams(Kinesis Data Analytics, Spark on EMR, EC2,
Lambda) will be for you. It’s for custom processing. It also has sub-second processing latency which
Firehose doesn’t have. Amazon Kinesis Data Firehose only supports Amazon S3, Amazon Redshift,
Amazon Elasticsearch, and an HTTP endpoint as the destination.

When the application usage grows, the number of IP addresses and endpoints that you need to
manage also increase. AWS Global Accelerator allows you to scale your network up or down. AWS
Global Accelerator lets you associate regional resources, such as load balancers and EC2 instances,
to two static IP addresses. You only whitelist these addresses once in your client applications,
firewalls, and DNS records. With AWS Global Accelerator, you can add or remove endpoints in the
AWS Regions, run blue/green deployment, and A/B test without needing to update the IP addresses
in your client applications. This is particularly useful for IoT, retail, media, automotive, and healthcare
use cases in which client applications cannot be updated frequently. If you have multiple resources in
multiple regions, you can use AWS Global Accelerator to reduce the number of IP addresses. By
creating an endpoint group, you can add all of your EC2 instances from a single region in that group.
You can add additional endpoint groups for instances in other regions. After it, you can then associate
the appropriate ALB endpoints to each of your endpoint groups. The created accelerator would have
two static IP addresses that you can use to create a security rule in your firewall device. Instead of
regularly adding the Amazon EC2 IP addresses in your firewall, you can use the static IP addresses of
AWS Global Accelerator to automate the process and eliminate this repetitive task.

With web identity federation, you don’t need to create custom sign-in code or manage your own user
identities. Instead, users of your app can sign in using a well-known identity provider (IdP) —such as
Login with Amazon, Facebook, Google, or any other OpenID Connect (OIDC)-compatible IdP, receive
an authentication token, and then exchange that token for temporary security credentials in AWS that
map to an IAM role with permissions to use the resources in your AWS account. Using an IdP helps
you keep your AWS account secure because you don’t have to embed and distribute long-term
security credentials with your application.

87
You can authenticate to your DB instance using AWS Identity and Access Management (IAM)
database authentication. IAM database authentication works with MySQL and PostgreSQL. With this
authentication method, you don’t need to use a password when you connect to a DB instance. Instead,
you use an authentication token.

There is no EIP cost if the instance is running and it has only one associated EIP.

There are 2 ways to use SSL to connect to your SQL Server DB instance:
– Force SSL for all connections — this happens transparently to the client, and the client doesn’t have
to do any work to use SSL. To use SSL from a specific client, you must obtain certificates for the client
computer, import certificates on the client computer, and then encrypt the connections from the client
computer.
– Encrypt specific connections — this sets up an SSL connection from a specific client computer, and
you must do work on the client to encrypt connections. If you want to force SSL, use the
rds.force_ssl parameter.

transparent data encryption (TDE) is primarily used to encrypt stored data on your DB instances
running Microsoft SQL Server, and not the data that are in transit.

when it comes to services providing scalability and elasticity for your web tier, you should always
consider using Auto Scaling and Elastic Load Balancer.

For sub-millisecond latency caching, ElastiCache is the best choice. In order to address scalability and
to provide a shared data storage for sessions that can be accessed from any individual web server,
you can abstract the HTTP sessions from the web servers themselves. A common solution for this is to

88
leverage an In-Memory Key/Value store such as Redis and Memcached. better performance
compared to DynamoDB

RDS Read Replicas can only provide asynchronous replication in seconds and not in milliseconds.
You have to use Amazon Aurora replicas for millisecond performance.

Enhanced networking uses single root I/O virtualization (SR-IOV) to provide high-performance
networking capabilities on supported instance types. SR-IOV is a method of device virtualization that
provides higher I/O performance and lower CPU utilization when compared to traditional virtualized
network interfaces. Enhanced networking provides higher bandwidth, higher packet per second (PPS)
performance, and consistently lower inter-instance latencies. There is no additional charge for using
enhanced networking.

CloudFront serves an object from an edge location until the cache duration that you specified passes
— that is, until the object expires. After it expires, the next time the edge location gets a user request
for the object, CloudFront forwards the request to the origin server to verify that the cache contains the
latest version of the object.The Cache-Control max-age directive lets you specify how long (in
seconds) you want an object to remain in the cache before CloudFront gets the object again from the
origin server. The minimum expiration time CloudFront supports is 0 seconds for web distributions and
3600 seconds for RTMP distributions.

AWS Key Management Service (AWS KMS) is a managed service that makes it easy for you to create
and control the encryption keys used to encrypt your data. The master keys that you create in AWS
KMS are protected by FIPS 140-2 validated cryptographic modules. AWS KMS is integrated with most
other AWS services that encrypt your data with encryption keys that you manage. AWS KMS is also
integrated with AWS CloudTrail to provide encryption key usage logs to help meet your auditing,
regulatory and compliance needs. By using AWS KMS, you gain more control over access to data you
encrypt. You can use the key management and cryptographic features directly in your applications or
through AWS services that are integrated with AWS KMS. Whether you are writing applications for
AWS or using AWS services, AWS KMS enables you to maintain control over who can use your
customer master keys and gain access to your encrypted data. AWS KMS is integrated with AWS
CloudTrail, a service that delivers log files to an Amazon S3 bucket that you designate. By using
CloudTrail you can monitor and investigate how and when your master keys have been used and by
whom. You should consider using AWS CloudHSM over AWS KMS if you require your keys stored in
dedicated, third-party validated hardware security modules under your exclusive control.
An origin is a location where content is stored, and from which CloudFront gets content to serve to
viewers. Amazon CloudFront is a service that speeds up the distribution of your static and dynamic
web content, such as .html, .css, .js, and image files, to your users. You can also set up CloudFront
with origin failover for scenarios that require high availability. An origin group may contain two origins:
a primary and a secondary. If the primary origin is unavailable or returns specific HTTP response
status codes that indicate a failure, CloudFront automatically switches to the secondary origin. To set
up origin failover, you must have a distribution with at least two origins.

With Bursting Throughput mode, a file system’s throughput scales as the amount of data stored in the
EFS Standard or One Zone storage class grows. File-based workloads are typically spiky, driving high
levels of throughput for short periods of time, and low levels of throughput the rest of the time. To
accommodate this, Amazon EFS is designed to burst to high throughput levels for periods of time.

Provisioned Throughput mode is available for applications with high throughput to storage (MiB/s per
TiB) ratios, or with requirements greater than those allowed by the Bursting Throughput mode. For
example, say you’re using Amazon EFS for development tools, web serving, or content management
applications where the amount of data in your file system is low relative to throughput demands. Your

89
file system can now get the high levels of throughput your applications require without having to pad
your file system.

You can use CloudWatch Events to run Amazon ECS tasks when certain AWS events occur. You can
set up a CloudWatch Events rule that runs an Amazon ECS task whenever a file is uploaded to a
certain Amazon S3 bucket using the Amazon S3 PUT operation. You can also declare a reduced
number of ECS tasks whenever a file is deleted on the S3 bucket using the DELETE operation. First,
you must create a CloudWatch Events rule for the S3 service that will watch for object-level operations
– PUT and DELETE objects. For object-level operations, it is required to create a CloudTrail trail first.
On the Targets section, select the “ECS task” and input the needed values such as the cluster name,
task definition and the task count. You need two rules – one for the scale-up and another for the scale-
down of the ECS task count.

To protect your system from DDoS attack, you can do the following:
– Use an Amazon CloudFront service for distributing both static and dynamic content.
– Use an Application Load Balancer with Auto Scaling groups for your EC2 instances. Prevent direct
Internet traffic to your Amazon RDS database by deploying it to a new private subnet.
– Set up alerts in Amazon CloudWatch to look for high Network In and CPU utilization metrics.

Amazon FSx for Windows File Server is incorrect. This won’t provide low-latency access since all the
files are stored on AWS, which means that they will be accessed via the internet. AWS Storage
Gateway supports local caching without any development overhead making it suitable for low-latency
applications.

To preserve the root volume when an instance terminates, change the DeleteOnTermination
attribute for the root volume to False.

Amazon SWF helps developers build, run, and scale background jobs that have parallel or sequential
steps. You can think of Amazon SWF as a fully-managed state tracker and task coordinator in the
Cloud. Amazon SWF provides useful guarantees around task assignments. It ensures that a task is
never duplicated and is assigned only once. Thus, even though you may have multiple workers for a
particular activity type (or a number of instances of a decider), Amazon SWF will give a specific task to
only one worker (or one decider instance). Additionally, Amazon SWF keeps at most one decision task
outstanding at a time for a workflow execution. Thus, you can run multiple decider instances without
worrying about two instances operating on the same execution simultaneously. These facilities enable
you to coordinate your workflow without worrying about duplicate, lost, or conflicting tasks. Altering the
visibility timeout of SQS is incorrect because for standard queues, the visibility timeout isn’t a
guarantee against receiving a message twice. To avoid duplicate SQS messages, it is better to design
your applications to be idempotent (they should not be affected adversely when processing the same
message more than once).

Transit Gateway establishes a hub and spoke model between VPCs, Direct Connects, etc (quite a bit
more in fact). AWS VPN CloudHub provides a hub and spoke model specifically for VPNs, so that you
can provide tunnels between your VPN links. This is a far more specific situation than Transit
Gateway, and is much simpler to setup for this specific solution.

You can add multi-factor authentication (MFA) to a user pool to protect the identity of your users. MFA
adds a second authentication method that doesn’t rely solely on user name and password. You can
choose to use SMS text messages, or time-based one-time (TOTP) passwords as second factors in
signing in your users. You can also use adaptive authentication with its risk-based model to predict
when you might need another authentication factor.

You pay for all bandwidth into and out of Amazon S3, except for the following:
– Data transferred in from the Internet.
90
– Data transferred out to an Amazon EC2 instance, when the instance is in the same AWS Region as
the S3 bucket (including to a different account in the same AWS region).
– Data transferred out to Amazon CloudFront.

AWS Transit Gateway also enables you to scale the IPsec VPN throughput with equal cost multi-path
(ECMP) routing support over multiple VPN tunnels. A single VPN tunnel still has a maximum
throughput of 1.25 Gbps. If you establish multiple VPN tunnels to an ECMP-enabled transit gateway, it
can scale beyond the default maximum limit of 1.25 Gbps. You also must enable the dynamic routing
option on your transit gateway to be able to take advantage of ECMP for scalability.

In order for you to establish an SSH connection from your home computer to your EC2 instance, you
need to do the following:
– On the Security Group, add an Inbound Rule to allow SSH traffic to your EC2 instance.
– On the NACL, add both an Inbound and Outbound Rule to allow SSH traffic to your EC2 instance.

By default, CloudTrail event log files are encrypted using Amazon S3 server-side encryption (SSE)

Failover is automatically handled by Amazon Aurora so that your applications can resume database
operations as quickly as possible without manual administrative intervention. If you have an Amazon
Aurora Replica in the same or a different Availability Zone, when failing over, Amazon Aurora flips the
canonical name record (CNAME) for your DB Instance to point at the healthy replica, which in turn is
promoted to become the new primary. Start-to-finish, failover typically completes within 30 seconds. If
you are running Aurora Serverless and the DB instance or AZ become unavailable, Aurora will
automatically recreate the DB instance in a different AZ. If you do not have an Amazon Aurora Replica
(i.e. single instance) and are not running Aurora Serverless, Aurora will attempt to create a new DB
Instance in the same Availability Zone as the original instance. This replacement of the original
instance is done on a best-effort basis and may not succeed, for example, if there is an issue that is
broadly affecting the Availability Zone.
You can use geo match conditions with other AWS WAF Classic conditions or rules to build
sophisticated filtering. For example, if you want to block certain countries but still allow specific IP
addresses from that country, you could create a rule containing a geo match condition and an IP
match condition. Configure the rule to block requests that originate from that country and do not match
the approved IP addresses. As another example, if you want to prioritize resources for users in a
particular country, you could include a geo match condition in two different rate-based rules. Set a
higher rate limit for users in the preferred country and set a lower rate limit for all other users.
AWS Systems Manager Run Command lets you remotely and securely manage the configuration of
your managed instances. A managed instance is any Amazon EC2 instance or on-premises machine
in your hybrid environment that has been configured for Systems Manager. Run Command enables
you to automate common administrative tasks and perform ad hoc configuration changes at scale. You
can use Run Command from the AWS console, the AWS Command Line Interface, AWS Tools for
Windows PowerShell, or the AWS SDKs. Run Command is offered at no additional cost.
Elastic Load Balancing provides access logs that capture detailed information about requests sent to
your load balancer. Each log contains information such as the time the request was received, the
client’s IP address, latencies, request paths, and server responses. You can use these access logs to
analyze traffic patterns and troubleshoot issues. Access logging is an optional feature of Elastic Load
Balancing that is disabled by default. After you enable access logging for your load balancer, Elastic
Load Balancing captures the logs and stores them in the Amazon S3 bucket that you specify as
compressed files. You can disable access logging at any time.

91
Application Load Balancers support Weighted Target Groups routing. With this feature, you will be able
to do weighted routing of the traffic forwarded by a rule to multiple target groups. This enables various
use cases like blue-green, canary and hybrid deployments without the need for multiple load
balancers. It even enables zero-downtime migration between on-premises and cloud or between
different compute types like EC2 and Lambda. To divert 50% of the traffic to the new application in
AWS and the other 50% to the application, you can also use Route 53 with Weighted routing policy.
This will divert the traffic between the on-premises and AWS-hosted application accordingly. you can
control the proportion of traffic directed to each endpoint using AWS Global Accelerator by assigning
weights across the endpoints
There is a time constraint in transitioning objects in S3, you can only change the storage class of your
objects from S3 Standard storage class to STANDARD_IA or ONEZONE_IA storage after 30 days.
This limitation does not apply on INTELLIGENT_TIERING, GLACIER, and DEEP_ARCHIVE storage
class.
For sub-millisecond latency caching, ElastiCache is the best choice. In order to address scalability and
to provide a shared data storage for sessions that can be accessed from any individual web server,
you can abstract the HTTP sessions from the web servers themselves. A common solution for this is to
leverage an In-Memory Key/Value store such as Redis and Memcached.
Splitting increases the number of shards in your stream and therefore increases the data capacity of
the stream. Because you are charged on a per-shard basis, splitting increases the cost of your stream.
Similarly, merging reduces the number of shards in your stream and therefore decreases the data
capacity—and cost—of the stream.

92