aws exam cram Flashcards
S3 standard
“Multi-AZ, single region
- durability: 99.999999999% (eleven 9s)
- availability: 99.99%”
S3 object storage classes
"- standard
- intelligent tiering
- infrequent access (Standard-IA)
- one-zone infrequent access
- glacier
- glacier deep archive"
S3 standard IA
“Good for infrequently accessed data
Multi-AZ, single region
- durability: 99.999999999% (eleven 9s)
- availability: 99.9%
Lower per-GB storage cost than Standard, but an additional retrieval charge of $0.01/GB (and a 30-day minimum billing period), so it only pays off for data that is read rarely”
Glacier
"Cold storage
Eleven 9s of durability
Much less expensive than hot storage
Retrieval time varies based on the retrieval option:
- expedited: 1-5 minutes
- standard: 3-5 hours
- bulk: 5-12 hours"
S3 one-zone IA
“Good for infrequently accessed data where you can accept reduced availability in exchange for lower cost
Single AZ, so only 99.5% availability
Less expensive than S3 Standard-IA; still designed for eleven 9s of durability, but the data lives in a single AZ (if that AZ is destroyed, the data is lost), so it must not be the only copy of anything important”
S3 lifecycle policies
“Can transition objects from Standard to IA to Glacier after a certain number of days (restrictions apply – for instance, an object can’t be transitioned to Glacier less than 30 days after it is transitioned to IA, and objects must be at least 30 days old before they can move to IA)
Transitions follow a waterfall model and only move downward: standard -> IA -> intelligent tiering -> one-zone IA -> glacier -> glacier deep archive
Transitions into the Glacier classes are billed per request, so transitioning millions of small objects can cost more than leaving them where they are.
Can expire (delete) objects after a certain number of days; each tier has a minimum storage duration, and deleting or transitioning earlier is billed as if the object had stayed for the full minimum”
Glacier deep archive
"Cold storage
Eleven 9s of durability
Less expensive than Glacier
Retrieval time varies based on the retrieval option:
- standard: 12 hours
- bulk: 48 hours"
S3 versioning
“With versioning enabled on a bucket, overwriting an object generates a new version ID; old versions are preserved.
Deleting an object in a versioning-enabled bucket inserts a delete marker as the current version; old versions are still preserved and can be restored by deleting the marker.
Can retrieve old versions of objects using their version IDs.
Use a lifecycle rule for noncurrent versions (NoncurrentVersionExpiration) to prevent unbounded growth of old versions.
Versioning is a prerequisite for MFA Delete, Object Lock and replication.”
S3 lifecycle policies - minimum storage durations
”- Standard: none
- Standard IA: 30 days
- One-zone IA: 30 days
- Intelligent tiering: 30 days
- Glacier: 90 days
- Glacier Deep Archive: 180 days”
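The ordering and minimum-duration rules on the lifecycle cards above, as an added example in Python (not part of the original deck): a checker that takes the transitions of one lifecycle rule and reports violations of the waterfall order and of the 30-day rules, plus the billable-days calculation for an early deletion. The waterfall order, the 30-day figures and the per-class minimum table are the ones stated on the cards; the function names and sample rules are constructed for illustration.

```python
# Waterfall order from the lifecycle card; a rule may only move an object "down" this list.
WATERFALL = ["STANDARD", "STANDARD_IA", "INTELLIGENT_TIERING",
             "ONEZONE_IA", "GLACIER", "DEEP_ARCHIVE"]

# Minimum billable storage duration per class (days), from the card above.
MIN_DAYS = {"STANDARD": 0, "STANDARD_IA": 30, "INTELLIGENT_TIERING": 30,
            "ONEZONE_IA": 30, "GLACIER": 90, "DEEP_ARCHIVE": 180}

# Classes an object must have sat in for 30 days before it can move on
# (the card's "can't go to Glacier less than 30 days after IA" rule).
HOLD_30 = {"STANDARD_IA", "INTELLIGENT_TIERING", "ONEZONE_IA"}


def validate_transitions(transitions):
    """transitions: list of (days_after_creation, storage_class) from one lifecycle rule.
    Returns a list of human-readable violations (empty list = rule is consistent)."""
    problems = []
    prev_days, prev_class = 0, "STANDARD"
    for days, cls in sorted(transitions):
        if cls not in WATERFALL:
            problems.append("unknown storage class %s" % cls)
            continue
        # Every hop must go further down the waterfall than the previous one.
        if WATERFALL.index(cls) <= WATERFALL.index(prev_class):
            problems.append("%s at day %d does not move down the waterfall from %s"
                            % (cls, days, prev_class))
        # S3 refuses transitions into the IA classes before the object is 30 days old.
        if cls in ("STANDARD_IA", "ONEZONE_IA") and days < 30:
            problems.append("%s at day %d: objects must be at least 30 days old" % (cls, days))
        # Leaving an IA class requires 30 days in it first.
        if prev_class in HOLD_30 and days - prev_days < 30:
            problems.append("%s at day %d is only %d days after %s (need 30)"
                            % (cls, days, days - prev_days, prev_class))
        prev_days, prev_class = days, cls
    return problems


def billable_days(storage_class, age_days):
    """Days billed for an object deleted (or transitioned away) at age_days.
    Deleting before the class minimum is billed as if the object had stayed the full minimum."""
    return max(age_days, MIN_DAYS[storage_class])


# Constructed sample rules: one that S3 would accept, one that it would reject.
GOOD_RULE = [(30, "STANDARD_IA"), (90, "GLACIER"), (365, "DEEP_ARCHIVE")]
BAD_RULE = [(7, "STANDARD_IA"), (20, "GLACIER")]   # too early for IA, and only 13 days in IA
```

Running `validate_transitions(BAD_RULE)` yields two findings (the day-7 IA transition and the 13-day gap before Glacier), which is the same pair of constraints the S3 API reports when such a rule is submitted.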
S3 transfer acceleration
“Routes uploads and downloads through CloudFront’s edge locations and the AWS backbone to speed up long-distance transfers to/from S3 (there is a per-GB charge for this)
The Transfer Acceleration Speed Comparison tool can tell you how much speedup to expect; the accelerated endpoint is bucketname.s3-accelerate.amazonaws.com.”
S3 object lock
“Requires versioning; available for all storage classes
Retention modes:
- governance: no one can delete or overwrite a locked object version during the retention period unless they hold the s3:BypassGovernanceRetention permission (and explicitly assert it on the request)
- compliance: no one can delete or overwrite during the retention period, not even the root user of the account; the retention period can be extended but never shortened
Legal hold: once placed on an object version, the version can’t be deleted until the hold is removed; independent of any retention period
Compliance mode is what makes a backup bucket survive a compromised account or a malicious administrator”
S3 static websites
”- enable web hosting
- set permissions (for a direct website endpoint the objects must be publicly readable, which means turning off Block Public Access for that bucket)
- create index document
optionally:
- configure redirects
- custom error document
- enable web traffic logging
Really should use CloudFront in front of the site: website endpoints serve plain HTTP only, and CloudFront adds TLS, a custom-domain certificate and caching, and lets you keep the bucket private by granting access only to a CloudFront origin access identity”
S3 events
“Can be routed to:
- SNS topic
- SQS queue
- Lambda function”
EFS storage classes
”- Standard
- Infrequent access (reduced cost, higher latency, charge for R/W ops)
“
S3 security best practices
”- block public access (account- and bucket-level setting that overrides any public ACL or policy)
- avoid policies with wildcard principals or wildcard actions
- apps should use IAM roles to access S3 buckets (never embed long-lived credentials in apps)
- MFA delete: requires MFA to permanently delete an object version or to change the bucket’s versioning state, protecting against accidental or malicious deletion
- aws:SecureTransport: a Deny statement conditioned on "aws:SecureTransport": "false" forces all requests to use TLS
- use VPC endpoints (and an aws:SourceVpce condition in the bucket policy) to keep traffic to/from S3 inside your VPC
- enable server access logging or CloudTrail data events so that access is auditable”
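A small audit of a bucket policy against the points on the card above, as an added example in Python (not from the original deck): it flags Allow statements with wildcard principals or wildcard actions, and checks that a Deny on aws:SecureTransport exists and actually covers object ARNs. The two sample policies, the bucket name and the role ARN (account 123456789012) are constructed for illustration.

```python
import json


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (anyone, including anonymous callers)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _denies_plain_http(stmt):
    """A Deny whose condition matches aws:SecureTransport == false."""
    flag = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
    return stmt.get("Effect") == "Deny" and str(flag).lower() == "false"


def audit_bucket_policy(policy_json):
    """Return a list of findings for an S3 bucket policy document (empty = clean)."""
    policy = json.loads(policy_json)
    findings = []
    tls_deny_covers_objects = False
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        sid = stmt.get("Sid") or "Statement[%d]" % i
        effect = stmt.get("Effect")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if effect == "Allow" and _wildcard_principal(stmt.get("Principal")):
            if "Condition" in stmt:
                findings.append("%s: wildcard principal limited by a Condition; review it" % sid)
            else:
                findings.append("%s: Allow to wildcard principal (bucket is public)" % sid)
        if effect == "Allow" and any(a in ("*", "s3:*") for a in actions):
            findings.append("%s: Allow with wildcard action" % sid)
        if _denies_plain_http(stmt):
            # The deny must cover object ARNs (bucket/*), not just the bucket ARN,
            # otherwise GetObject over plain HTTP is still permitted.
            if any(r == "*" or r.endswith("/*") for r in resources):
                tls_deny_covers_objects = True
            else:
                findings.append("%s: TLS deny does not cover object ARNs (add .../*)" % sid)
    if not tls_deny_covers_objects:
        findings.append("no Deny for aws:SecureTransport=false covering objects (plain HTTP allowed)")
    return findings


# Constructed sample policies (hypothetical bucket and role names).
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadAll",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
})

HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyPlainHttp",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
        {
            "Sid": "AppRoleReadOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-app-role"},
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::example-bucket/*",
        },
    ],
})
```

Feed it the output of `aws s3api get-bucket-policy --query Policy --output text` to run it against a real bucket; the check is deliberately conservative and reports a conditioned wildcard principal for human review rather than trusting the condition.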
EFS throughput
”- bursting: the filesystem accrues credits in proportion to its size; credits allow bursting for limited time periods
- provisioned: good for high-throughput small filesystems (so you don’t have to over-provision storage just to earn throughput)”
EFS performance mode
”- general purpose (7K iops)
- max I/O (higher aggregate throughput and IOPS, at the cost of higher per-operation latency)”
EFS encryption
“Encryption at rest is chosen when the filesystem is created (it can’t be switched on later) and uses a KMS key: the AWS-managed aws/elasticfilesystem key or a customer-managed key
EFS supports encryption of data in transit (TLS via stunnel); use the -o tls option with the EFS mount helper. A file system policy that denies when aws:SecureTransport is false refuses unencrypted mounts”
Mounting EFS
”- use /etc/fstab inside of linux VMs
- use the EFS mount helper, which simplifies the process by automatically editing /etc/fstab”
AWS Data Sync
“Uses a purpose-built, multi-threaded transfer protocol that AWS states can run up to 10 times as fast as open-source tools such as rsync.
Can sync to S3 or EFS across the Internet or via Direct Connect, and can also sync from AWS back to on-premises storage.
Can be used for DR replication.
Run a DataSync agent (a VM) in your datacenter to perform the transfer; data is encrypted in transit with TLS.”
Importing data to AWS
”- Snowball
- Snowmobile
- Kinesis Data Firehose
- S3 Transfer Acceleration
- AWS Storage Gateway
- AWS DataSync”
Snowmobile
100PB of storage capacity housed in a 45-foot long High Cube shipping container that measures 8 foot wide, 9.6 foot tall and has a curb weight of approximately 68,000 pounds. The ruggedized shipping container is tamper-resistant, water-resistant, temperature controlled, and GPS-tracked.
Snowball
“Physical device shipped to your location; comes in 50TB and 80TB sizes (slightly less usable)
Snowball variants also exist for edge storage and edge computing, combining storage and vCPUs.”
Disaster recovery strategies
”- Backup/restore
- Pilot light
- Warm Standby
- Multisite”
Storage Gateway
“Hybrid cloud storage solution running on an on-prem VM or hardware appliance
Caches data locally, providing low-latency disk and network performance for your most active data, with optimized data transfers to AWS in the background
Supports S3, Glacier, and EBS
Data encrypted in transit and at rest in AWS.”
RPO
“Recovery Point Objective
The maximum acceptable gap between the last transaction preserved and the moment of failure (i.e. how much data, measured in time, you can afford to lose)
- Backup/restore: time since last backup, typically 24 hours
- Pilot light: time since last snapshot, maybe 4-12 hours
- Warm standby: time since last replicated database write
- Multisite: time since last replicated database write”
RTO
“Recovery Time Objective - amount of time service can be offline
- Backup/Restore: 8-24 hours
- Pilot light: 4-8 hours
- Warm standby: < 4 hours
- Multisite: seconds”
EC2 Compute-optimized instance types
“Nitro-based:
- C6g: Graviton2
- C5: Intel
- C5a: AMD
- C5n: Intel + faster network
Non-nitro based:
- C4
“
EC2 general-purpose instance types
“Nitro-based:
- A1: AWS Graviton processors (ARM)
- T*: burstable (accumulate burst credits)
  - T4g: Graviton2
  - T3: Intel
  - T3a: AMD
- M6g: Graviton2
- M5: Intel
- M5a: AMD
- M5n: Intel + higher network
Non-nitro based:
- T2: Intel
- M4: Intel
”
EC2 Accelerated computing
“Hardware accelerators
- P3: Intel + GPU
- P2: Intel + GPU
- Inf1: AWS Inferentia
- G4: Intel + GPU
- G3: Intel + GPU
- F1: Intel + FPGA”
EC2 Memory-optimized instance types
“Nitro-based:
- R6g: Graviton2
- R5: Intel
- R5a: AMD
- R5n: Intel + faster network
- X1e: high frequency Intel; up to 3,904 GiB (about 4TB) of RAM
- X1: high frequency Intel; up to 2TB RAM
- High Memory: 6, 9, 12, 18, 24TB of RAM
- z1d: custom Xeon (up to 4GHz); local NVMe
Non-nitro based:
- R4”
Nitro
“Underlying virtualization infrastructure for current-gen EC2 instances.
Uses hardware cards to offload functions like VPC, EBS, Instance Storage, and security.
Security chip handles sensitive virtualization and security functions in a locked down security model preventing all administrative access (including Amazon employees)
Lightweight hypervisor that manages memory and CPU to deliver performance close to bare metal.
”
EC2 Storage-optimized instance types
”- I3: Intel + NVMe
- I3en: like I3 with enhanced networking
- D2: up to 48TB of HDD local storage
- H1: up to 16TB of HDD local storage”
Inferentia
“AWS custom silicon for deep learning.
Supports up to 128 TOPS with up to 16 chips per Inf1 instance.”
Graviton
“Custom Arm-based processor designed to provide optimal price-performance ratio.
1st gen in A1 instances; Graviton2 in the 6g families (M6g, C6g, R6g, T4g). The “gd” variants (e.g. M6gd) add local NVMe storage”
Enhanced networking
“Use the Elastic Network Adapter (ENA) to support network speeds of up to 100 Gbps
Available on current-gen instances (introduced in mid-June 2016)
The AMI must have the enaSupport attribute set (and contain the ENA driver); instance types that only offer ENA won’t launch from an AMI without it
No additional fee to use it
”
EC2 instance lifecycle
“(instance lifecycle diagram omitted; the states are pending -> running -> stopping/stopped or shutting-down -> terminated, with rebooting as a transient state)
- billed only while running (and for the stopping state if hibernating)
- instance stays in the running state while rebooting”
EBS optimized
“EBS optimized instances deliver dedicated bandwidth to EBS.
When attached to an EBS-optimized instance, gp2 volumes are designed to deliver their baseline and burst performance 99% of the time; provisioned iops volumes 99.9% of the time
Newer instance types enabled EBS optimization by default. Some older instance types offer it as an option, with an associated hourly fee.”
Placement group
“Placement groups influence the placement of a group of interdependent instances:
- cluster: packs instances close together in an AZ for low-latency network performance
- partition: spreads instances across logical partitions so that instances in a partition don’t share underlying hardware with instances in another partition
- spread: strictly places a small group of instances across distinct underlying hardware to reduce correlated failures”
EC2 burstable instance types
“T2, T3, T3a, T4g
Burstable instances earn a set rate of CPU credits per hour, depending on the instance size; unused credits accumulate up to a cap of 24 hours’ worth of earnings.
A CPU credit allows 100% utilization of one vCPU for one minute.
For example, a t3.nano earns 6 credits per hour. So one vCPU can run at 100% for 6 minutes as long as it is entirely idle for the other 54 minutes, or it can run at a sustained 10% of one vCPU for the entire hour (5% baseline per vCPU across its two vCPUs).
T3/T3a/T4g default to unlimited mode (bursting past the credit balance is allowed and billed as surplus credits); T2 defaults to standard mode, where an exhausted balance throttles the instance to its baseline.
”
EC2 user data
“Small chunk of data (16KB max) that must be base64-encoded in the API call (the console and CLI encode it for you)
Can be used to pass two types of data:
- shell scripts (start with “#!”)
- cloud-init directives (start with “#cloud-config”)
The shell script runs as root on first boot (by default only once) and its output is logged to /var/log/cloud-init-output.log
Cloud-init directives are similar, but offer higher-level constructs to update packages, write files, create users, etc.
Cloud-init is the mechanism by which your ssh keys are installed on instances
User data is not secret: any process on the instance can read it from the metadata service, and anyone with ec2:DescribeInstanceAttribute can read it via the API, so never put credentials in it”
EC2 metadata
“Instance metadata is data about your instance that you can use to configure or manage the running instance. It is divided into categories, for example hostname, events, security groups, and the temporary credentials of the instance’s IAM role (iam/security-credentials/).
You can also use instance metadata to retrieve the user data you specified when launching your instance.
Metadata is accessed from inside the instance at the link-local address
http://169.254.169.254/latest/meta-data/
IMDSv1 answers any plain GET, which is how SSRF bugs in web apps have been used to steal instance-role credentials. IMDSv2 requires a session token obtained with a PUT to /latest/api/token (then sent in the X-aws-ec2-metadata-token header) and defaults to a response hop limit of 1; enforce it with the HttpTokens=required instance metadata option.”
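The IMDSv1 versus IMDSv2 exchange, as an added example in Python (not from the original deck). Because the real endpoint only answers from inside an instance, the block runs a constructed stand-in on loopback that enforces tokens the way HttpTokens=required does, and then shows both a token-less GET (what an SSRF primitive can send) being refused and the PUT-then-GET flow succeeding. The metadata values, the `FakeImdsHandler` class and the helper names are constructed; the paths and header names are the real IMDS ones.

```python
import secrets
import threading
import time
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in data for the real IMDS (169.254.169.254).
FAKE_METADATA = {
    "/latest/meta-data/instance-id": "i-0123456789abcdef0",         # constructed
    "/latest/meta-data/iam/security-credentials/": "example-role",  # constructed
}
TOKEN_HEADER = "X-aws-ec2-metadata-token"
TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"


class FakeImdsHandler(BaseHTTPRequestHandler):
    tokens = {}  # token -> expiry timestamp

    def log_message(self, *args):  # keep the test run quiet
        pass

    def _send(self, code, body=""):
        data = body.encode()
        self.send_response(code)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_PUT(self):
        # Token issuance. Requiring a PUT with a custom header is what defeats most
        # SSRF primitives: they can usually issue only a GET and cannot set headers.
        if self.path != "/latest/api/token":
            return self._send(404)
        try:
            ttl = int(self.headers.get(TTL_HEADER, ""))
        except ValueError:
            return self._send(400)
        if not 1 <= ttl <= 21600:   # IMDS caps the TTL at 6 hours
            return self._send(400)
        token = secrets.token_urlsafe(32)
        FakeImdsHandler.tokens[token] = time.time() + ttl
        self._send(200, token)

    def do_GET(self):
        token = self.headers.get(TOKEN_HEADER)
        if token is None or FakeImdsHandler.tokens.get(token, 0) < time.time():
            return self._send(401)   # IMDSv1-style request: rejected
        body = FAKE_METADATA.get(self.path)
        if body is None:
            return self._send(404)
        self._send(200, body)


def start_fake_imds():
    """Start the stand-in on a free loopback port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), FakeImdsHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


def _fetch(request):
    """Return (status, body); HTTP errors become a status code instead of an exception."""
    try:
        with urllib.request.urlopen(request, timeout=2) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, ""


def imds_v1_get(base_url, path):
    """Plain GET with no token: what curl, or an SSRF through a web app, would send."""
    return _fetch(urllib.request.Request(base_url + path))


def imds_v2_get(base_url, path, ttl=300):
    """IMDSv2: obtain a session token with PUT, then present it on the GET."""
    token_req = urllib.request.Request(base_url + "/latest/api/token", method="PUT",
                                       headers={TTL_HEADER: str(ttl)})
    code, token = _fetch(token_req)
    if code != 200:
        raise RuntimeError("token request failed with HTTP %d" % code)
    return _fetch(urllib.request.Request(base_url + path, headers={TOKEN_HEADER: token}))
```

On a real instance the same two client functions work against http://169.254.169.254; with HttpTokens=optional the v1 call returns 200 as well, which is exactly the condition to check for in an account audit.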
EC2 AMIs
”- EBS-backed:
  - stored as an EBS snapshot (with associated snapshot storage costs)
  - instances launched from it boot from an EBS root volume
  - created with a single command/call (CreateImage)
- Instance store-backed:
  - stored as a bundle in S3 (with associated S3 costs)
  - instances launched from it boot from an instance store volume
  - created with the AMI tools (bundle the volume, upload the bundle to S3, register the AMI)”
EC2 pricing models
”- On-Demand: expensive, no commitment
- Spot instances: cheapest, not dependable
- Reserved instances: cheaper, with commitment
- Savings plans: similar to RI, but more flexible
“
EC2 instance store
“An instance store provides temporary block-level storage for your instance. This storage is located on disks that are physically attached to the host computer.
This storage is ephemeral; it is deleted when the instance is stopped or terminated. It is also lost if the underlying drive fails.
Note: when EC2 was first introduced, all AMIs were backed by instance store. After EBS was introduced, AMIs could be backed by EBS. This is the preferred technique now; they launch faster (instance store requires full image to be retrieved from S3 before it can start; EBS-backed AMIs can lazy load; performance after startup can be a little slower than with instance store)
Modern instance types don’t support instance store as the root device.
But you can still attach instance store volumes for things like /tmp or cache directories.”
EC2 Reserved Instances
”- up-front payment in exchange for lower prices
- 1-year or 3-year commitment
- tied to specific instance types (often in a specific AZ)”
EC2 On-Demand
”- most expensive
- no up-front payment
- no commitment”
EC2 Savings Plans
”- optional up-front payment
- 1-year or 3-year commitment
- more flexible than reserved instances
- doesn’t save as much as reserved instances”
EC2 Spot instances
”- pay market rates
- extremely cheap
- instances can be unreliable”
EC2 root volumes
”- Instance store:
- when stopped or terminated, the volume is destroyed
- size limit of 10GB
- launches slower (AMI has to be fully copied from S3 to instance store)
- no cost for root volume
- EBS
- when stopped, volume persists
- when terminated, volume is destroyed unless DeleteOnTermination=false
- size limit of 16TB
- launches faster (AMI is lazy-loaded; there could be a performance impact for some period after startup)
- charged for EBS volume usage while running (or while stopped)”
EC2 Dedicated Instances
”- Dedicated Instances run on hardware dedicated to a single customer (no other account’s instances share the host), but you don’t see or control the host itself
- Dedicated Hosts go further: a physical server allocated to you, with visibility into sockets and cores and control over instance placement on it
- either can matter for compliance; Dedicated Hosts are what you need for server-bound or socket/core-bound licenses like SQL Server or Windows Server BYOL
- Dedicated Hosts can be purchased on-demand or with a reservation; Dedicated Instances are billed as a per-region hourly fee plus the normal instance price”
EBS volume types
“SSD:
- io1: provisioned IOPS: up to 50 IOPS/GB, up to 1,000 MB/s
- io2: provisioned IOPS with 99.999% durability, up to 500 IOPS/GB, up to 1,000 MB/s
- gp2: general purpose: 3 IOPS/GB baseline (burst to 3,000), up to 250 MB/s
io2 pricing is the same as io1; Multi-Attach was the only io1 feature io2 lacked at the time (it was on the roadmap), so there is little reason to choose io1 for new volumes
HDD:
- st1: throughput optimized; uses a burst model; up to 500 MB/s per volume
- sc1: cold HDD; uses a burst model; up to 250 MB/s per volume; cheapest type”
EBS
“Elastic Block Store
- Block storage for EC2 instances
- replicated within an AZ
- 99.999% availability
- 99.8 - 99.9% durability (except io2, which has 99.999% durability)”
EBS encryption
“Seamless encryption of EBS data volumes, boot volumes and snapshots, eliminating the need to build and manage a secure key management infrastructure.
EBS encryption enables data at rest security by encrypting your data volumes, boot volumes and snapshots using Amazon-managed keys or keys you create and manage using the AWS Key Management Service (KMS).
In addition, the encryption occurs on the servers that host EC2 instances, providing encryption of data as it moves between EC2 instances and EBS data and boot volumes.”
EBS snapshots
“Point-in-time snapshots of your volumes, stored in S3 (not visible in your own buckets).
Snapshots are incremental: only the blocks that have changed since your last snapshot are saved, and you are billed only for the changed blocks
Snapshots can be read directly via the EBS direct APIs, or restored into EBS volumes; restored volumes lazy-load their blocks so they come online almost immediately (with a performance hit until every block has been fetched once)
Can use snapshots to resize EBS volumes: restore the snapshot to a larger volume, then grow the partition and filesystem (requires OS support).
Snapshots can be shared with other accounts or made public via createVolumePermission; a public snapshot exposes everything on the volume, so audit your account for them.”
EBS elastic volumes
Elastic Volumes allows you to dynamically increase capacity, tune performance, and change the type of any new or existing current generation volume with no downtime or performance impact.
EBS: Data Lifecycle Manager for EBS snapshots
“automated way to back up data stored on EBS volumes by ensuring that EBS snapshots are created and deleted on a custom schedule. No scripts or external applications required.
Tag EBS volumes and create Lifecycle policies for creation and management of backups.
Use Cloudwatch Events to monitor your policies and ensure that your backups are being created successfully.”
ELB
“An Elastic Load Balancer distributes incoming application traffic across multiple targets, such as Amazon EC2 instances, containers, IP addresses, and Lambda functions.
It can handle the varying load of your application traffic in a single Availability Zone or across multiple Availability Zones.”
S3 encryption
“Encryption at rest:
- server-side encryption: have S3 encrypt the object before saving
  - SSE-S3: S3 manages the keys (AES-256)
  - SSE-KMS: use KMS keys; gives a key-usage audit trail in CloudTrail and a second access control (the caller needs kms:Decrypt as well as s3:GetObject), at the cost of KMS request charges
  - SSE-C: encrypt with customer-provided keys supplied on every request (HTTPS only)
- client-side encryption: encrypt before uploading, so S3 never sees plaintext
Encryption in transit:
- use TLS (and enforce it with an aws:SecureTransport deny in the bucket policy)”
Autoscaling policies
“Types:
- Target tracking scaling—Increase or decrease the current capacity of the group based on a target value for a specific metric. (RECOMMENDED)
- Step scaling—Increase or decrease the current capacity of the group based on a set of scaling adjustments, known as step adjustments, that vary based on the size of the alarm breach.
- Simple scaling—Increase or decrease the current capacity of the group based on a single scaling adjustment.
Can apply more than one policy; AWS resolves conflicts by applying the policy that requests the larger number of instances (during both scale-out and scale-in)”
EC2 autoscaling groups
“A collection of EC2 instances treated as a logical group for purposes of scaling
Scaling can be manual, automatic based on a schedule, or automatic using one or more autoscaling policies
Can launch on-demand instances or spot instances (or both)
The group can span availability zones; if multiple AZs are specified, the instances will be spread across the AZs.”
Autoscaling: step scaling
“Scaling can be specified for how much a CloudWatch alarm is breached.
For example, imagine a CloudWatch alarm on CPU usage with a breach threshold of 50%
Scale-out policy:
0-10%: 0% change, 10-20%: 10% change, 20-50%: 30% change
Scale-in policy:
0-10%: 0% change, 10-20%: - 10% change, 20-50%: - 30% change
at 75% CPU the breach is 25 (75 - 50), which falls in the 20-50% step, so the ASG scales out by 30% of current capacity (rounded as AWS does for percentage adjustments)”
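The step-scaling evaluation on the cards above, as an added example in Python (not from the original deck): it picks the step whose bounds contain the breach, applies the rounding AWS documents for PercentChangeInCapacity adjustments, and resolves several policies firing at once by the "largest capacity wins" rule from the policies card. The step tables reproduce the card's percentages (with the top step left open-ended so a breach of exactly 50 still matches); the function names and the group sizes are constructed.

```python
import math


def step_adjustment(metric, threshold, steps):
    """Pick the adjustment whose bounds contain (metric - threshold).
    steps: list of (lower, upper, adjustment); None means unbounded. As in AWS step
    adjustments, above the threshold the lower bound is inclusive and the upper
    exclusive; below the threshold the lower bound is exclusive and the upper inclusive."""
    breach = metric - threshold
    for lower, upper, adjustment in steps:
        if breach >= 0:
            lo_ok = lower is None or breach >= lower
            hi_ok = upper is None or breach < upper
        else:
            lo_ok = lower is None or breach > lower
            hi_ok = upper is None or breach <= upper
        if lo_ok and hi_ok:
            return adjustment
    return 0


def percent_change(current, pct):
    """Instance delta for a PercentChangeInCapacity adjustment with AWS's rounding:
    results above 1 round down, between 0 and 1 round to 1, between -1 and 0 round
    to -1, and below -1 round toward zero."""
    raw = current * pct / 100.0
    if raw == 0:
        return 0
    if raw > 0:
        return max(1, math.floor(raw))
    return min(-1, math.ceil(raw))


def resolve(current, deltas, min_size, max_size):
    """Several policies fired at once: the one asking for the largest capacity wins,
    then the result is clamped to the group's bounds."""
    desired = max(current + d for d in deltas)
    return max(min_size, min(max_size, desired))


# Step tables from the card: bounds are relative to a 50% CPU alarm threshold,
# adjustments are percentages of current capacity.
SCALE_OUT = [(0, 10, 0), (10, 20, 10), (20, None, 30)]
SCALE_IN = [(-10, 0, 0), (-20, -10, -10), (None, -20, -30)]
THRESHOLD = 50
```

With a group of 10 instances at 75% CPU the out-step is 30%, so `percent_change(10, 30)` adds 3; the same step on a group of 1 adds 1 rather than 0.3, which is why small groups scale in larger relative jumps than the percentages suggest.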
Autoscaling: simple scaling
“The original scaling model for AWS Autoscaling groups
When a CloudWatch alarm triggers, the group is scaled out; another alarm is configured to trigger the scale in
”
Autoscaling: warm up
During a specified warm-up period, new instances are not counted toward the aggregated metrics of the group; this prevents excessive spin-up
Autoscaling: target tracking
“You set a target value for a metric (e.g. CPU load), and the ASG automatically scales up and down to try to maintain that target value.
Think of this like a thermostat”
Autoscaling: notifications
“Amazon EC2 Auto Scaling supports sending Amazon SNS notifications when the following events occur:
- Successful instance launch
- Failed instance launch
- Successful instance termination
- Failed instance termination
”
Autoscaling: cool down
After a scale-up occurs, the ASG waits for a cooldown period to complete before any further scaling activities can start (only applies to simple scaling)
Autoscaling: launch templates
“A launch template is similar to a launch configuration, but it allows versioning; several versions can share some common configuration (e.g. the AMI), but differ in other configuration values (e.g. the instance type)
This mechanism is newer than the launch configuration. Using launch templates is required for some advanced ASG features, e.g. mixing on-demand and spot instances.”
Autoscaling: launch configurations
“A launch configuration that specifies things like:
- AMI
- instance type
- storage
- IAM
- ssh key pair
Recommended to use launch templates instead”
Elastic IPs
“a static public IPv4 address designed for dynamic cloud computing.
An Elastic IP address is allocated to your AWS account, and is yours until you release it.
There is a small hourly charge if an Elastic IP address is not associated with a running instance, or if it is associated with a stopped instance or an unattached network interface.
There is no charge for the first Elastic IP on a given running EC2 instance; additional Elastic IPs incur a charge
Accounts are limited to 5 Elastic IPs per region by default (a quota you can request to raise)
Especially useful for fixing the outbound IP of a host so that remote firewall rules can allow-list it”
Security groups
“A security group acts as a stateful virtual firewall attached to an instance’s network interface, controlling incoming and outgoing traffic.
Inbound rules control the incoming traffic to your instance, and outbound rules control the outgoing traffic from your instance. Rules are allow-only (there are no deny rules); anything not explicitly allowed is dropped. Because the group is stateful, the reply to an allowed connection is permitted automatically, unlike with a NACL.
A new group starts with no inbound rules and an allow-all outbound rule; rules can reference CIDRs, prefix lists, or other security groups.
When you launch an instance, you can specify one or more security groups.”
Subnets: public
A public subnet is a subnet that’s associated with a route table that has a route to an Internet gateway.
VPCs
“A logically separated portion of the AWS cloud. Provides for:
- selection of your own IP address range
- creation of subnets
- configuration of route tables and network gateway
- definition of security groups and NACLs
- creation of endpoints for key services inside the VPC so that traffic to/from services stays secure”
NAT gateway
“You can use a network address translation (NAT) gateway to enable instances in a private subnet to connect to the internet or other AWS services, but prevent the internet from initiating a connection with those instances.
You are charged for creating and using a NAT gateway in your account. NAT gateway hourly usage and data processing rates apply. Amazon EC2 charges for data transfer also apply”
Internet gateway
“An internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between your VPC and the internet.
An internet gateway serves two purposes: to provide a target in your VPC route tables for internet-routable traffic, and to perform network address translation (NAT) for instances that have been assigned public IPv4 addresses.
An internet gateway supports IPv4 and IPv6 traffic. It does not cause availability risks or bandwidth constraints on your network traffic. There’s no additional charge for having an internet gateway in your account.”
ELB types
”- Application Load Balancer (ALB)
  - Layer 7 - used for HTTP/HTTPS
  - much more versatile than Classic
  - key features: SNI, routing based on path, host, headers, etc.
- Network Load Balancer (NLB)
  - Layer 4 - TCP/UDP/TLS; preserves the client source IP
- Classic Load Balancer
  - legacy; Layer 4 (TCP) or Layer 7 (HTTP/HTTPS), for EC2-Classic-era designs
ALB and NLB bill LCU-hours on top of hourly charges
Classic bills GB transferred on top of hourly charges”
NACLs
“Network ACL
- VPC has default NACL, allowing all inbound and outbound traffic
- By default, custom NACLs deny all inbound and outbound traffic until you add rules
- Each subnet will always have exactly one NACL (default if not explicitly specified)
- A NACL can be associated with multiple subnets
- NACL rules are evaluated in ascending numeric order. Recommended to create rules in increments of 10 or 100 to allow for insertion of new rules later
- NACLs have separate inbound and outbound rules, and each rule can either allow or deny traffic.
- NACLs are stateless; responses to allowed inbound traffic are subject to the rules for outbound traffic (and vice versa).”
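A stateless evaluator for the NACL rules on the card above, as an added example in Python (not from the original deck). It walks the rules of one direction in ascending number order with first match wins and an implicit deny, and then checks a connection the way a NACL actually does: inbound request and outbound reply separately. The rule set is constructed for a public web subnet and deliberately contains an allow rule that is shadowed by a lower-numbered deny, the ordering mistake the card warns about; the example IPs are documentation ranges.

```python
import ipaddress

# Constructed rule set. Each entry: rule number, direction, protocol, port range,
# CIDR, action. The implicit "*" rule at the end of every NACL denies.
RULES = [
    {"number": 90,  "direction": "inbound",  "protocol": "tcp", "ports": (22, 22),
     "cidr": "0.0.0.0/0", "action": "deny"},
    {"number": 100, "direction": "inbound",  "protocol": "tcp", "ports": (443, 443),
     "cidr": "0.0.0.0/0", "action": "allow"},
    {"number": 110, "direction": "inbound",  "protocol": "tcp", "ports": (22, 22),
     "cidr": "10.0.0.0/8", "action": "allow"},   # never reached: rule 90 already denied
    {"number": 100, "direction": "outbound", "protocol": "tcp", "ports": (1024, 65535),
     "cidr": "0.0.0.0/0", "action": "allow"},    # replies go to the client's ephemeral port
]


def evaluate(rules, direction, protocol, port, remote_ip):
    """First matching rule in ascending number order wins; returns (action, rule number).
    No match falls through to the implicit catch-all, which denies."""
    addr = ipaddress.ip_address(remote_ip)
    for rule in sorted((r for r in rules if r["direction"] == direction),
                       key=lambda r: r["number"]):
        proto_ok = rule["protocol"] in ("all", protocol)
        lo, hi = rule["ports"]
        port_ok = rule["protocol"] == "all" or lo <= port <= hi
        cidr_ok = addr in ipaddress.ip_network(rule["cidr"])
        if proto_ok and port_ok and cidr_ok:
            return rule["action"], rule["number"]
    return "deny", "*"


def connection_allowed(rules, client_ip, client_port, server_port, protocol="tcp"):
    """Stateless: the inbound SYN to server_port and the outbound reply to the
    client's ephemeral port are evaluated independently and both must pass."""
    inbound, _ = evaluate(rules, "inbound", protocol, server_port, client_ip)
    outbound, _ = evaluate(rules, "outbound", protocol, client_port, client_ip)
    return inbound == "allow" and outbound == "allow"
```

Dropping the outbound ephemeral-port rule makes every HTTPS connection fail even though the inbound 443 rule is present, which is the most common NACL misconfiguration; the shadowed rule 110 shows why new rules need numbers chosen relative to existing denies, not just appended.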
ELB: internal vs external
“An internal ELB has only a private IP address and routes traffic within the VPC.
An internet-facing ELB has a public IP address and a publicly resolvable DNS name”
ELB: LCU
“Load Balancer Capacity Units - used for billing by Application and Network load balancers; you pay for the highest of the dimensions each hour (the figures below are the ALB values; NLB uses different dimensions)
- 25 new connections per second.
- 3,000 active connections per minute.
- 1 GB per hour for EC2 instances, containers and IP addresses as targets and 0.4 GB per hour for Lambda functions as targets
- 1,000 rule evaluations per second”
ELB: health check
“The ELB periodically makes requests to the targets to determine their health.
Can use TCP, HTTP, HTTPS, or SSL
When a target is deemed unhealthy, traffic is no longer routed to it.”
ELB: listener
“ALBs use listeners – a listener is a process that checks for connection requests, using the protocol and port that you configure.
The listener can terminate TLS (HTTPS listener with an ACM certificate), offloading encryption from the targets
Listeners have rules which have priority, condition, and action; these are used to route traffic to the targets, redirect, return static responses, and perform OIDC or Cognito authentication”
Lambda
“Serverless platform
Simply upload code, and AWS handles all scaling and high-availability for your application
Multi-AZ for high availability”
ELB: multi zone
“Need to enable the AZ for the ELB, and you need to add targets in the AZ
Cross-zone load balancing allows an ELB node in AZ A to send traffic to a target in AZ B. This allows for more uniform traffic distribution to your targets
ALBs always enable cross-zone. NLBs disable it by default.”
Lambda functions
“Basic settings:
- description
- role
- runtime
Can be connected to a VPC to acccess resources in a private subnet
Environment variables are encrypted at rest with KMS, but anyone with lambda:GetFunctionConfiguration can read them in plaintext, so prefer Secrets Manager or SSM Parameter Store for secrets (or use the KMS encryption helpers so values are decrypted only inside the function)
You can publish multiple versions of your functions and then define aliases to point to specific versions”
Lambda: API Gateway
API gateway routes HTTP requests to Lambda functions
Lambda: layers
“A layer is a ZIP archive that contains libraries, a custom runtime, or other dependencies.
Layers let you keep your deployment package small, which makes development easier.
A function can use up to 5 layers at a time; total unzipped size of function and all layers must be < 250MB”
Lambda: supported languages
“Java, Go, PowerShell, Node.js, C#, Python, and Ruby
APIs provided to extend other languages if needed”
Lambda: VPCs
“When you connect a function to a VPC, Lambda creates an ENI for each combination of security group and subnet in your function’s VPC configuration
If the function is idle for a long period of time, Lambda can reclaim these ENIs; the next invocation of the function will fail and the function will enter a Pending state until an ENI is available”
Lambda: database proxies
“You can define an RDS proxy for your function
This proxy manages a pool of database connections, enabling the function to reach high concurrency levels without exhausting database connections”
Lambda: invocation
“Invocation can be asynchronous or synchronous
in the async case, Lambda manages an internal event queue; it retries twice on function error and applies exponential backoff if the function is throttled (not enough concurrency to handle the event); events that still fail can go to a dead-letter queue or an on-failure destination
event source mapping - lets you read events from sources like DynamoDB, SQS, Kinesis and invoke a lambda function
”
Lambda: permissions
“The execution role grants it permission to access AWS services and resources
Specified when the function is created; Lambda assumes the role when the function is invoked
Resource-based policies can grant invocation or management rights to an account or an AWS service
User policies can grant invocation or management rights to users, groups, or roles”
EC2 reserved instance types
“Offering classes:
- standard: some attributes can be modified during the term; however, the instance family cannot be modified; you cannot exchange the RI; can be sold in the RI marketplace
- convertible: can be exchanged during the term for another convertible RI, allowing you to change instance family, type, platform, scope, or tenancy; cannot be sold in RI marketplace
Standard and Convertible Reserved Instances can be purchased to apply to instances in a specific Availability Zone (zonal Reserved Instances), or to instances in a Region (regional Reserved Instances).
Scheduled Reserved Instances: purchase capacity reservations that recur daily, weekly, or monthly with a specified start time and duration”
Lambda: autoscaling
“Autoscaling accommodates an initial burst, followed by a gradual scale-up
During scale-up, there can be some latency while your code is loaded and initialized
To enable scaling without latency fluctuations, you can use provisioned concurrency
Application Auto Scaling dynamically adjusts the provisioned concurrrency levels based on a target tracking scaling policy (using a utilization metric in Lambda)
”
RDS
“Relational Database Service
Database VMs are fully managed; you can’t shell into them”
EC2 capacity reservation
“reserved instances that are AZ-specific come with a capacity reservation
on-demand capacity reservations: you pay the rate for the specific instance type whether you are running the instance or not; you can cancel an ODCR any time (unlike reserved instances)”
RDS Multi-AZ
”- a standby replica of the database is maintained in another AZ
- changes to the primary are replicated synchronously to the standby (the standby is not readable; use read replicas for read scaling)
- auto-failover: if the primary goes down, the replica takes over”
RDS Database Types
”- Aurora
- MySQL
- MariaDB
- PostgreSQL
- Oracle
- SQL Server”
RDS Backup
”- RDS creates and saves automated backups of your DB instance during the backup window of your DB instance
- RDS creates a storage volume snapshot of your entire DB instance, not just individual databases
- backups are saved according to the backup retention period that you specify
- snapshots are stored on S3
- manual snapshots can be taken and are included in the backup storage total”
RDS Read Replicas
”- read replicas are read-only copies that let you scale out a read-heavy application
- read replicas use asynchronous replication
- you must have automatic backups enabled to use read replicas”
Aurora
“MySQL and PostgreSQL-compatible relational database
Aurora is up to 5x faster than standard RDS MySQL and 3x faster than standard RDS PostgreSQL
Aurora is fully managed by RDS, which automates time-consuming administration tasks like hardware provisioning, database setup, patching, and backups
Aurora features a distributed, fault-tolerant, self-healing storage system that auto-scales up to 64TB per database instance
It delivers high performance and availability with up to 15 low-latency read replicas, point-in-time recovery, continuous backup to Amazon S3, and replication across three Availability Zones (AZs).
Can be easily scaled
”
RDS authentication
“All RDS engines support native password authentication.
MySQL, MariaDB and PostgreSQL (including Aurora) also support IAM database authentication, where the client presents a short-lived (15-minute) token generated with IAM credentials over a TLS connection instead of a stored password”
Aurora Global Database
“Aurora database replicated across regions
Latency of about 1 second between regions
Failover in about a minute”
Aurora serverless
“Fully auto-scaled; you don’t specify a number of instances
You can even stop and start the database to save costs if you aren’t using the database all the time”
DynamoDB
“Fully managed NoSQL key/value and document database
Predictable read/write performance at massive transaction rates
Serverless: scales to the read/write capacity you specify (or on demand)”
S3 Security
”- Bucket policy (what principals can do what to this bucket)
- IAM policy (what can this principal do to which buckets)
- ACLs are a legacy mechanism and not recommended
Bucket policies and IAM policies offer the same actions and conditions; within one account a request is allowed if either grants it and neither denies it, so it’s mostly a matter of preference for how you organize permissions (bucket policies are also how you grant cross-account access without creating IAM users)”
DynamoDB durability/availability
“data is stored on SSDs and is automatically replicated across multiple AZs within an AWS region
data is spread across a sufficient number of servers to handle your throughput and storage requirements with consistent performance
You can use global tables to sync tables across AWS regions”
DynamoDB consistency
”- Eventually consistent reads (default)
- return immediately
- no guarantee of consistency
- generally consistent within 1 second
- Strongly consistent reads
- waits until data is consistent
- higher latency
“
DynamoDB pricing
“charged for:
- storage
- read/writes (or RCU/WCU)
- optional items:
- backups
- global tables
- DAX
- dynamodb streams”
DynamoDB capacity modes
“On-demand capacity mode: charged for data reads/writes on your tables
Provisioned capacity mode: you specify the number of reads/writes per second you expect; you can use auto-scaling to adjust the table’s capacity:
- WCU: write capacity unit (1 write/s of an item up to 1 KB = 1 WCU; transactional writes cost 2 WCU; larger items consume one unit per 1 KB, rounded up)
- RCU: read capacity unit (1 strongly consistent read/s of an item up to 4 KB = 1 RCU; eventually consistent = 0.5 RCU; transactional = 2 RCU; larger items consume one unit per 4 KB, rounded up)
Reserved capacity lets you get a MUCH lower price on your RCUs/WCUs (1- or 3-year commitment)”
DynamoDB Streams
Captures a time-ordered sequence of item-level modifications in a DynamoDB table and stores this information in a log for up to 24 hours
DynamoDB Accelerator (DAX)
“fully managed, highly available, in-memory cache for DynamoDB
provides up to 10x performance improvement
you specify the type and size of instances to use, and there is an associated hourly charge”
DynamoDB encryption
“All customer data is encrypted at rest by default
- AWS owned CMK (default, no additional charge)
- AWS managed CMK: key is stored in your account, managed by KMS (KMS charges)
- Customer managed CMK: key is stored in your account, managed by you (KMS charges)”
DynamoDB backup/restore
“- on-demand backups: full backups of tables; charged per GB of data stored
- PITR (point-in-time recovery): continuous backups; charged per GB of data stored (more expensive than on-demand)
Restoring a table from on-demand or PITR is charged based on the total size of data restored”
DynamoDB primary keys
“- simple primary key: uses a single attribute to identify an item (e.g. OrderID)
- composite primary key: uses a combination of two attributes to identify a particular item (e.g. Artist and Album)
- the first attribute is known as a partition key
- the second attribute is the sort key”
DynamoDB keys/indexes
“- primary key
- local secondary indexes
- global secondary indexes”
DynamoDB global secondary indexes
“- used to query items across partition keys
- read/write capacity units provisioned separately
- eventual consistency
- can be used on tables with composite or simple primary keys
- the index itself can use a simple or composite key schema”
DynamoDB local secondary indexes
“- must be specified at table creation
- uses the same partition key as the underlying table
- only 10GB of data allowed per hash key
- choose strong/eventual consistency
- use the read/write capacity units of the underlying table”
ElastiCache
“fully managed key/value storage (faster than DynamoDB, but not durable)
Instances are monitored to make sure the required number of instances are running
Supports read-only replicas
”
DynamoDB item types
“- strings
- numbers
- binary values
- boolean
- list
- map
the length of attribute names actually affects storage size and possibly the RCU/WCU usage”
ElastiCache - Redis
“- redis is similar to memcache, but it has much richer queries and data types
- provides high-availability via automatic failover of primary node to replica
- scales to large numbers of nodes (up to 250) and data (up to 170TB)
- supports Redis cluster, which allows you to partition write traffic across multiple primaries
- Global Datastore supports cross-region replication (latency of ~ 1 second)”
ElastiCache - Memcached
“- useful for transient data like cache and session store
- ElastiCache client supports auto-discovery for easy configuration of your application (so nodes can be added and removed and your application is reconfigured automatically)
”
Route53
“A highly available and scalable DNS service. Provides three main functions:
- register domain names
- route internet traffic to the resources for your domain
- check the health of your resources”
ElastiCache - Security
“- runs in your VPC
- redis version supports encryption at rest and in transit
- redis version supports IAM controls”
Route53: Weighted Routing
“Allows you to associate multiple resources with a single domain name and choose how much traffic is routed to each resource
Each record gets a weight value between 0 and 255.
The weight values are summed, and each resource receives a fraction of traffic equal to the ratio of its weight value to the total”
Route53: Simple Routing
“Standard DNS records with no special routing (like weighted or latency)
Typically, you route traffic to a single resource, like a web server
Can supply multiple IP addresses, and query responses randomize the order of the IP addresses”
Route53: Failover Routing
“Routes to a primary resource when it is healthy or to a secondary when the primary is not healthy.
Can use any type of web resource – simple S3 bucket or a complex tree of resources”
Route53: Latency-based Routing
“Cross-region routing - create latency records for your resources in multiple regions.
Route53 determines which of the configured regions gives the user the lowest latency and selects a latency record for that region.
Route53 uses inter-region latency data; this is all about internet latency, not response time of your services”
Route53: Geo-proximity Routing
“Use the Traffic Flow UI to specify a location for each region, along with a bias
Route53 calculates the regions based on these values (the larger the bias, the larger the region grows)
Recommended that you make small changes to bias so that you don’t radically re-route traffic, overwhelming your resources”
Route53: Geolocation Routing
“Lets you choose the resources that serve your traffic based on the geographic location of your users.
Can specify target resources by geographic region:
- continent
- country
- state (US only)
If you create records for overlapping geographic regions, the smallest region gets priority
Uses geoIP, which is not perfect; you can set a default record for unmapped IP addresses”
Route53: Traffic Flow
GUI that lets you build complex routing policies by chaining rules, turning on health checks, etc
Route53: Multi-value Answer Routing
“Returns multiple values (e.g. multiple IP addresses) for your web servers
The advantage over simple routing (which also supports multiple IP addresses) is that MVAR uses a health check and only returns values for healthy resources
MVAR will respond with up to 8 healthy records, randomized from the total pool of healthy resources
”
Route53 Resolver
“Unifies DNS resolution in a hybrid cloud implementation:
- resolver rule: forwards name resolution requests across Direct Connect or Managed VPN to an on-prem resolver so that resources in AWS can resolve DNS names for on-prem resources
- resolver endpoint: allows on-prem resources to resolve names of resources hosted on AWS
”
Route53: Alias Record
“Route53 alias records are a Route53-specific extension to DNS functionality
Let you route traffic to selected AWS resources (e.g. CloudFront distributions or S3 buckets)
Automatically adapts to changes in IP addresses of the underlying resources”
Route 53 pricing
“Small monthly cost for each zone
Zones with > 10,000 records incur additional charges
Charge per million queries, with higher charges for more complex types of queries like latency and geo
Alias queries are provided at no charge
Small monthly charge per defined health check
”
Route53 Health Checks
“Health checks monitor the health and performance of your resources.
Each health check can monitor one of the following:
- the health of a specified resource (e.g. a web server)
- the status of other health checks
- the status of a CloudWatch alarm”
IAM Identities
“- Account root user - has full access to everything (and can’t be reduced)
- IAM users - can be used to sign into the console, use the CLI, or APIs
- IAM groups - collection of IAM users; can specify permissions for the group for easier management of permissions
- IAM roles - similar to users, but has no credentials; roles are assumed by users (sometimes temporarily, or sometimes roles are assigned to users signing in via external identity providers)”
IAM
“Identity and Access Management
Securely controls access to AWS resources (authentication and authorization)”
IAM Groups
“- Policies attached to group apply to all users in the group
- can attach managed policies or customer policies to the group”
IAM Users
“- MFA can be turned on by the user (can’t be turned on by the admin for a user)
- access keys can be created to allow the user access to the CLI or API; id and secret pair; they are only shown once
- roles and temporary security credentials are better than using keys
- if you use long-term keys, they should be rotated
- you can have two active keys, facilitating clean rotation”
IAM Policies
“Managed policies: standalone policy created and administered by AWS; designed to provide permissions for many common use cases (e.g. AmazonDynamoDBFullAccess, AmazonECReadOnlyAccess, AWSCodeCommitPowerUser)
Customer managed policies: can be tailored to specific customer needs (a good way to build one is to copy a managed policy and modify it)
Inline policies: policies embedded in an IAM identity
Managed policies are generally better:
- reusable
- centrally managed (in fact, AWS-managed policies auto-update if AWS makes changes)
- version controlled
- can delegate permission management (some users can attach policies, but not create them)”
CloudWatch
Monitoring and observability for cloud applications
CloudWatch: Events
“- can respond to an action (like a change in the AWS environment, or somebody using root credentials to sign in)
- are processed by targets, with more options than what an alarm can trigger
- can self-trigger based on a schedule (e.g. take a snapshot of an EBS volume on a schedule)
- allow you to take action in the environment”
CloudWatch: Logs
“Monitor, store, and access log files from EC2 instances, CloudTrail, Route53 and other sources
Centralizes the logs from your systems and applications in a single service
Can view, filter, and search logs for patterns
By default, logs are kept indefinitely; need to set a retention policy for each log group”
CloudWatch: agent
“Installed on the guest OS
Allows you to collect more system-level metrics from EC2 instances
You can feed metrics from your application to the agent using StatsD and collectd protocols”
CloudTrail
“continuous monitoring of activity across your AWS infrastructure
Provides event history of actions taken through AWS console, SDKs, CLI, other AWS services
Used for governance, compliance, operational auditing, and risk auditing
By default, past 90 days of management events are tracked and made available via Event History in the console; for longer tracking, you need to create a Trail”
CloudTrail: CloudWatch Alarms
CloudWatch alarms can be tied to CloudTrail metrics to alert you when specific actions are taken (e.g. a bucket policy is changed)
CloudTrail: Athena
“Use Athena to analyze CloudTrail logs
Log entries are loaded into Athena tables where they can be queried”
Kinesis Data Streams
“Durability: streaming data is replicated across three AZs; data is stored for 7 days
Security: stream can be encrypted; data can be accessed via VPC
Scalability: data streams scale in data throughput and PUT rate”
Kinesis Data Analytics
“Allows you to perform queries in real-time against a Data Stream or Firehose input
Output can be sent to another Data Stream or Firehose, or Lambda
Has built-in functions for filtering, aggregating, and transforming data
Run SQL queries performing joins, aggregations over time windows, etc.”
CloudFront
CloudFront is AWS’s CDN, primarily used for speeding up websites by providing cached static content to users at the edge
CloudFront web distributions
“Specifies things like:
- content origin (S3 buckets, MediaPackage channels, or HTTP servers)
- access - public or restricted
- security: require HTTPS?
- cache policy
- origin request settings: specific headers, cookies, or query strings to use in requests to the origin
- geo-restrictions
- whether or not to log access”
CloudFront: cache behaviors
“A distribution has a default cache behavior, and you can add additional ones (e.g. a cache behavior that applies to images)
A path pattern specifies which requests this cache behavior will apply to (e.g. “images/” or “.css”)
Time-to-Live (TTL): you can opt to use the origin’s cache control headers along with a min, default, and max TTL
You can choose whether to forward HTTP headers, query strings, and cookies to the origin and which ones (this reduces cacheability)
You can use signed URLs or signed cookies to restrict viewer access”
CloudFront: distribution types
“- web distribution (static web content)
- RTMP (streaming media, used for flash video)”
CloudFront: restricted content
“restrict access to files for selected users, for example, users who have paid a fee.
To securely serve this private content:
- require that your users access your private content by using signed URLs or signed cookies.
- require that your users access your content by using CloudFront URLs, not directly from the origin”
CloudFront: signed URLs
“Signed URLs are best in these cases:
- RTMP distribution (can’t use signed cookies)
- you need to restrict access to individual files
- your users are using a client that doesn’t support cookies (like a custom HTTP client)”