AWS Keyword Association Flashcards
Alias Record
Route 53. S3. CloudFront Distributions. BOTH root and non root domain. no charge
Provides Amazon Route 53–specific extension to DNS functionality. Alias records let you route traffic to selected AWS resources, such as Amazon CloudFront distributions and Amazon S3 buckets. Offers weighted, geographic, and failover routing. You cannot set the TTL. It is set automatically by Route 53, which doesn’t charge for alias queries.
CNAME Record
ONLY FOR NON ROOT DOMAIN. charges. sub-domain.
in order to make a sub-domain, you add a cname record.
EX) capitalone.com –> sub-domain: jobs.capitalone.com
Maps a hostname to another hostname. Must always point to another domain name, never directly to an IP address. Can’t create same name as hosted zone. You DON’T need to use Route 53, charges for queries.
TTL
(Time To Live)
Route 53. New destination created, but users still being directed to old destination.
Used to automatically expire and delete data, which can help with data management, storage costs, and system architecture. Use IAM to regulate access to the TTL attribute. Ensure the TTL attribute has the same name across all items that need to be deleted.
Aurora Read Replicas or
Aurora Replicas
high availability. scale READ workloads. disaster recovery. read-intensive applications. Asynchronous.
Can be used to scale out reads across regions. They are read-only instances that increase compute capacity and distribute read workloads. They share the same storage as the source instance, which lowers costs and avoids copying data. They receive log streams from the writer instance and consume them by considering each log record.
Amazon Aurora
Compatible with MySQL & PostgreSQL. Region DR
High performance. Scalability. Secure. Low Cost. Fully Managed. Monitoring. Replication. Serverless
Replicates your data with no impact on performance, enables fast local reads with low latency in each region, and provides disaster recovery from region-wide outages.
latency routing policy
Route 53. Queries. Apps that are accessed from multiple locations.
Use when you have resources in multiple AWS Regions and you want to route traffic to the region that provides the best latency.
RDS Multi-AZ (Relational Database Service)
High availability. Data Replication. Read Replicas. Automatic Failover. Monitoring. Instance Replacement. Small production apps.
NOT suitable for high read load apps
Automatically creates a primary database (DB) instance and synchronously replicates the data to an instance in a different AZ.
Automatically fails over to a standby instance without manual intervention.
Session Policy
Limit Access and/or Permissions. IAM. REAL time.
Are inline policies in AWS Identity and Access Management (IAM) that limit users’ access to specific parts of an Amazon S3 bucket. They work by evaluating access in real time. They set the maximum permissions a user can have.
Use case:
- Give the same access to a group of users to a particular portion of an Amazon S3 bucket
- Lock down users so that they have access only to portions of a bucket where object prefixes contain their username
- Scope code permissions during sensitive operations
User Policy
defines the permissions of the IAM identity
User Role
a type of IAM identity that can be authenticated and authorized to utilize an AWS resource
Bucket Policy
Cross-Account permissions. AWS –> Another AWS
A type of resource-based policy that can be used to grant permissions to the principal that is specified in the policy. Principals can be in the same account as the resource or in other accounts. For cross-account permissions to other AWS accounts or users in another account, you must use a bucket policy.
Route 53
DNS. Latency-based routing. Route based on geographic location. Health monitoring & checks. Visual interface.
Highly available and scalable service that connects internet traffic to the appropriate servers. Allows users to tailor DNS routing policies to specific needs, such as reducing latency, enhancing application availability, and ensuring compliance. This customization empowers users to optimize their DNS configurations for performance, resilience, and adherence to regulatory requirements.
spot instances
URGENT computing. Flexibility. Low Price. Batch Jobs. Data analysis. Image processing. Distributed/short workloads.
When you place a request for a Spot instance, you specify the maximum price per hour, the instance type, and the availability zone.
Use Cases:
- Workloads that are resilient to failure.
- Flexible start and end time.
- Low Compute Price.
- Urgent computing needs for large amounts of ADDITIONAL capacity.
NOT suitable for critical jobs or DBs. less reliable
On-Demand Instances
unpredictable. short workload. predictable pricing, pay per second. Linux or Windows.
Use Case:
Recommended for short-term and un-interrupted workloads, where you can’t predict how the application will behave.
Reserved Instances
database. long workloads
Use Case:
Recommended for steady-state usage applications (think database)
Convertible Reserved Instances – long workloads with flexible instances
Savings Plan
Commitment to an amount of usage, long workload. Locked to a specific instance family & AWS region.
Use Case:
Flexible across:
* Instance Size (e.g., m5.xlarge, m5.2xlarge)
* OS (e.g., Linux, Windows)
* Tenancy (Host, Dedicated, Default)
Dedicated Hosts
Strong regulations. Compliance.
book an entire physical server, control instance placement. Most expensive.
Dedicated Instances
healthcare. single-tenant hardware. Isolate EC2
no other customers will share your hardware, but can be shared with other instances of the same AWS account that are NOT dedicated instances.
Capacity Reservations
guaranteed EC2 capacity. short term, uninterrupted workloads
reserve capacity in a specific AZ for any duration
EC2 Instance store
local. I/O performance. Buffering. Caching. Temporary storage and data. High performance.
A storage volume that acts as a physical hard drive. It provides temporary storage for Amazon EC2 instance. The data in an instance store persists during the lifetime of its instance. If an instance reboots, data in the instance store will persist.
DynamoDB
Near real time. Millions of transactions. Low latency. Throughput Management. TTL. Strong READ consistency. Partitioning for horizontal scaling. Replication across multiple AZs. NoSQL database. No maintenance. Serverless. Fully managed. Highly available.
In DynamoDB, tables, items and attributes are the core components that you work with. Simply put, a table is a collection of items and each item is a collection of attributes.
Use Case:
- best suited to store data in key-value pairs.
- can be combined with Lambdas
Transit Gateway
Supports IP Multicast. Maximize VPN throughput.
Connects your Amazon Virtual Private Clouds (VPCs) and on-premises networks through a central hub. This connection simplifies your network and puts an end to complex peering relationships. Transit Gateway acts as a highly scalable cloud router—each new connection is made only once.
- For having transitive peering between 1000’s of VPCs & on-premises hub & spoke connections
- can work cross region
- can peer across region
- works with direct connect gateway VPN connections
Security Groups
Stateful. Allows INbound traffic to necessary ports
applied at the instance level. Instance can have multiple SGs. protects the resource
DocumentDB
fully managed, cloud-native, NoSQL database service that’s compatible with MongoDB
Use Case:
It’s a good choice for storing online profiles because you can store each user’s profile efficiently
NACL Network Access Control List
Stateless. YOU must allow BOTH inbound and outbound traffic.
Are like firewalls controlling traffic to and from subnet. Accepts everything inbound/outbound associated with subnets. DO NOT modify default, must create new ones. Protects the network. Can only be associated with 1 subnet.
Use Case:
Great way to block specific IPs at subnet level.
Kinesis Data Streams
ingest. REAL time. producers. consumers. managed scaling (shards). Replay capability.
build custom applications that process or analyze streaming data for specialized needs. manages the infrastructure, storage, networking, and configuration needed to stream your data at the level of your data throughput. Once data is inserted it can’t be deleted.
provisioned: planned capacity
on demand: unknown capacity
Kinesis Data Firehose
NEAR real time. Auto Scaling. NO data storage. Fully managed. No admin. Serverless. Batches.
Simplifies the process of loading data streams into AWS data stores:
- S3
- Amazon Redshift (copy through S3)
- Amazon OpenSearch
CANNOT send data to DynamoDB
Athena
- Queries will be simple and will run on-demand.
- Minimal changes to the existing architecture.
Serverless Queries. ADHOC. Complex. Columnar Data. Compressed Data. Partition. Complex analysis
Serverless, interactive query service that allows users to analyze data in Amazon S3 using SQL. Define Schema, then start query. only pay for queries ran. Partition to improve performance.
Use Case:
- best for quick adhoc queries, log analysis, smaller DB, interactive queries.
- Commonly used with Amazon QuickSight for reporting/dashboards
Redshift
OLAP (online analytical processing). Faster/repeatable/complex queries. QuickSight. Tableau. Business Intelligence.
Columnar data storage and parallel query engine
Based on PostgreSQL but not used for OLTP
faster queries, joins & aggregation thanks to indexes
2 modes: provisioned or cluster
Lets you access and analyze data without all of the configurations of a provisioned data warehouse. Resources are automatically provisioned and data warehouse capacity is intelligently scaled to deliver fast performance for even the most demanding and unpredictable workloads.
Use Case:
best for complex, large, fast queries / datasets. Business intelligence apps.
SQS FIFO
decoupling but in a strict order
exactly once delivery, removes duplicates. Not sending too many messages into SQS.
300 messages/second withOUT batching
3000 messages/second WITH batching
EFA (elastic fabric adapter)
High network performance. minimize latency. high message rates. Scalability.
direct access to the high-speed network infrastructure. A network device that can be attached to an EC2 instance to accelerate HPC & ML. Enabled at no cost
CloudFormation
IaC (infrastructure as code), disaster recovery. reusable infrastructure template
used when we need to repeat an architecture in different environments, different regions, or even different AWS accounts.
Glue
Apache Spark. Metadata. Serverless. ETL.
Managed extract, transform, and load (ETL) service. Useful to prepare and transform data for analytics. prevent re-processing old data
ECR (elastic container registry)
store/manage/deploy docker images
access controlled through IAM
integrated with Amazon ECS and Amazon EKS, allowing you to store, run, and manage container images
ECS (elastic container service)
Fargate. Docker. EC2.
Is a fully managed container orchestration service. ECS allows you to easily run, scale, and secure Docker container applications on AWS.
ECS Fargate launch type
docker. microservices, short-term tasks, serverless, scaling out capacity. billed based on task size. Auto manages upgrades.
ECS EC2 launch type
docker. traditional apps, more control over infra, cost based on memory of each instance type, maintenance.
EKS (elastic kubernetes service)
open source. Nodes (EC2 instances). EKS Pods.
Amazon’s managed Kubernetes, an open-source system that automates the management, scaling, and deployment of containerized applications.
SSE KMS (key managed service)
encryption for an AWS service
advantages: user control, audit key usage using cloudtrail
your principal needs DescribeKey and Encrypt permissions on the KMS key used to encrypt bucket data
GLB (Gateway Load Balancer)
layer 3 (network). Inspection purposes.
Enable you to deploy, scale, and manage virtual appliances with a single entry and exit for traffic. Doesn’t act as a proxy or terminate connections. It ONLY forwards traffic.
Use Cases:
balancing on network gateway level
managing traffic between cloud and on-premises environments across different regions
VPC Peering
direct communication
CANNOT establish on premises connectivity with AWS
VPC Sharing
resource sharing. centrally managed.
Firewall Manager
Security. centralized management.
Security Management Service that helps you to centrally configure & manage firewalls. Allows you to create and apply security policies consistently, ensuring that your security rules are enforced across your organization.
NOT used for traffic inspection & filtering
QuickSight
SPICE. Interactive. Athena.
Allows you to analyze and visualize data from various resources. You can create an interactive dashboard, report, visualization. DOESN’T support IAM, only supports users and groups.
RDS (relational database service)
read replicas, scale read capacity. Oracle. Encryption at rest.
Managed relational database service provided by AWS. Allows you to set up, operate, and scale relational databases in the cloud without the need to manage underlying infrastructure
Use Cases:
- NOT suitable for analytics
- AWS Key Management Service (KMS) is integrated with Amazon RDS to make it easier to create, control, and manage keys for encryption
Global Accelerator
DYNAMIC, low latency, UDP, non HTTP, off the shelf globalization, static IP. APPLICATION. Automatic failover.
minimizes network hops to get your application global, optimizes network path
Use Case:
A media company wants a low-latency way to distribute live sports results which are delivered via a proprietary application using UDP protocol.
CloudFront
STATIC content, DDoS, improved performance, low latency, caching, CDN (content delivery network), S3
Events & Alerts. Log aggregation & analysis. Improves read performance, content is cached at the edge. DDoS protection integration with Shield, AWS Web Application Firewall.
Use Case:
static content (videos, images, etc) that must be available globally.
Secrets Manager
secrets. integration for RDS, credential management
secrets are encrypted using KMS. can rotate secrets. automation of rotation with Lambda
Use Case:
You would like to store a database password in a secure place, and enable automatic rotation of that password every 90 days
Lifecycle Policies
Storage tiers. file access, frequent at first, then not as frequent.
Lifecycle policies can transition objects between storage classes, or delete objects after a specified period
S3 File Gateway
NFS & SMB Protocol
most recently used data is cached in file gateway. can transition to glacier using lifecycle policy. use IAM roles for bucket access
EventBridge
notifications. SaaS. archive. replay events. reliable delivery
Use Case:
create 1 time event that fires at specific time. Integration with SaaS providers. easily discover schemas that other teams produce & incorporate them into your application
CloudTrail
trailing information, recording history of API calls, account-specific activity and audit. monitoring
can define trails for specific resources. global service.
Use Case:
find out who accessed what. Record API calls made within your account by everyone
CloudWatch
resource performance monitoring, events, and alerts
Config
configurations. resource-specific history, audit, and compliance
record configuration changes
evaluate resources against compliance rules
get timeline of changes & compliance
Gateway VPC Endpoint
DynamoDB or S3. Privately access S3, no charges
They are destinations that route traffic to specific AWS services within an Amazon VPC. They work by targeting prefix lists in the VPC’s route table, which contain IP ranges for services like Amazon S3 and Amazon DynamoDB. They eliminate the need for an Internet gateway or NAT device in a VPC.
EFS (Elastic File System)
WordPress. content management. web serving. data sharing. NFS (network file system). Linux. highly available, durable location
Managed NFS (network file system) that can be mounted on many EC2 instances in multi-AZ. Highly available, scalable, expensive (pay/use)
Use Case:
If ever data is being split between 2 EC2 instances & users need access to all data at once, use EFS because it’s a shared storage drive.
SQS (simple queueing system)
decoupling, microservices. polling. ingesting data delay
can only have 1 consumer.
SNS + SQS = fan out
SNS (simple notification system)
microservices. pub/sub (publish & subscribe)
Use Case:
push/email notifications. have many subscribers, publish messages to many different subscribers with a single action. Requires high throughput & reliability for publishing to consumers.
SNS + SQS = fan out
ElastiCache
redis (multi-AZ) & memcached (multi-node) compatible, HIPAA compliant, code changes
A fully managed in-memory key-value store that speeds up application and database performance. ElastiCache sits between your application and the data store, and uses a lazy loading caching strategy. When your application requests data, it first checks the cache. If the data is there, ElastiCache returns it. If not, the application requests the data from the data store, and then writes it to the cache.
IAM Roles
when an EC2 needs access to a bucket
GuardDuty
malicious, threat detection service
delivers finding for visibility & remediation
NLB (network load balancer)
layer 4. TCP, UDP, TLS
monitors target health & routes traffic only to healthy targets. routes based on network conditions (IP address). terminates & establishes new connections.
Use Case:
gaming, media streaming, IoT
ALB (application load balancer)
Layer 7, HTTP, websocket, OSI, microservices, contained environment, web apps
Collection of EC2 instances. terminates & establishes new connections as a proxy. routes traffic based on CONTENT examination.
Cognito User Pool
API Gateway, ALB, verification, authentication
Used to verify a user’s identity and grant access to an application. Users can sign in using a username and password, or through a third-party identity provider (IdP) like Amazon, Facebook, or Google. User pools can also be used to manage user data, create sign-in and sign-up webpages, and track user activity.
Cognito
mobile users, auth & auth with SAML, 100s of users
create identity for external users
Cognito Identity Pool
Federated Identity, authorization, unique identities
Create unique identities for users, and give them access to other AWS services. Integrates with Cognito User Pool as an identity provider.
Used to grant users access to AWS services, like Amazon S3 and DynamoDB. Identity pools can provide temporary credentials for unauthenticated users, or issue credentials for authenticated users who have received a token. Identity pools can also be used to create unique identities for users, and assign identity and access management (IAM) roles.
DAX DynamoDB Accelerator
microseconds, READ congestion, caching service
Designed to run within an Amazon Virtual Private Cloud (Amazon VPC) environment.
It does all the heavy lifting required to add in-memory acceleration to your DynamoDB tables
help solve read congestion by caching. microsecond latency for cached data. doesn’t require app logic modification. compatible with existing DynamoDB APIs.
Lambda
allows you to run code without having to provision or manage servers. pay only for requests made & compute time consumed. works well with both API Gateway & RDS. Easy to monitor with Cloudwatch. Integrated with many languages (NodeJS, Python) & AWS Services.
ASG (auto scaling group)
CloudWatch, maintain a fixed number of instances even if an instance becomes unhealthy. Load Balancer, AMIs
contains a collection of EC2 instances that share similar characteristics and are treated as a logical grouping for the purposes of fleet management and dynamic scaling.
ELB (elastic load balancer)
distributing load across machines
Cross Zone Load Balancing: automatically distributes your incoming traffic across multiple targets, such as EC2 instances, containers, and IP addresses, in one or more Availability Zones. It monitors the health of its registered targets, and routes traffic only to the healthy targets.
EC2 (elastic cloud compute)
HPC, Batching, ML, gaming
renting virtual machines
Client-side Encryption
Use Case:
client wants to control everything and only wants to send encrypted data to AWS
SSE-C (customer managed keys)
keys managed by customer outside of AWS
S3 does NOT store the encryption key you provide
Use Case:
user wants to manage keys & not store on AWS
SQS Standard
decoupling
default for SQS
unlimited transactions/second
at least once delivery
best effort ordering
scales automatically
reliable 1:1 Async communication to decouple apps from one another
SQS Message Visibility Timeout
if you’re getting duplicates, INCREASE visibility timeout
EBS (elastic block store)
storage volumes. snapshots.
storing data on virtual drives (think USB). Bound to a specific AZ
are used for data that needs to persist. It is important to backup the data with AWS EBS snapshots.
Docker
microservices, lift & shift from on premises to AWS cloud, ECR
deploys apps.
apps are packed in containers that can be run on any OS
faster and more lightweight than AWS AMI instances because they share the host OS
SSE
Kinesis Data Streams, SQS, S3
enabled by default for new bucket objects
Encrypts data before it’s saved and decrypts it when it’s downloaded. This protects data at rest
S3 Batch Operations
encrypt unencrypted objects
invoke lambda function to perform custom action on each object
Intelligent Tiering
unpredictable/random pattern
moves objects automatically based on usage. small auto-tiering fee, no retrieval charge.
Glacier Deep Archive
save the most on storage cost, lifecycle rules/policies
A storage class that provides secure, long-term storage for large amounts of data. It’s designed for data that’s rarely accessed, such as regulatory, compliance, and scientific data.
Use Cases:
long term data retention
digital preservation
eliminating the need for on-premises tape libraries
S3 Standard IA (infrequent Access)
quickly accessible, long-term storage, disaster recovery, backups
One-Zone IA
single AZ, storing secondary backups of on premises data or data you can recreate
S3 Standard
frequently accessed. high availability, low latency, high throughput
Used for storing data that is frequently accessed, such as for cloud applications, content distribution, and big data analytics.
AWS DataSync
on premise you want to synchronize to AWS to keep a copy
file permissions & metadata are preserved.
Snowcone comes with the DataSync agent preinstalled.
Volume Gateway
EBS snapshots (disaster recovery), low latency, local caching, on-premises
Essentially acting as a bridge between your on-premises applications and cloud storage with the ability to operate in either a “cached” mode (storing frequently accessed data locally) or a “stored” mode (keeping all data locally with an asynchronous copy to S3).
Use cases:
Ideal for applications requiring low latency access to frequently used data while still maintaining a cloud-based backup strategy, such as database backups, application data, or large media files.
Kinesis
designed for streaming, REAL TIME, big data
producers: send data to stream (SDK)
consumers: receive data & process it (AWS services)
Use Case:
real time streaming
big amount of data
AWS shield advanced
paid service, more functionality, works with ELB
AWS Shield
DDoS
EBS snapshot
can take a snapshot of a running EBS volume and restore an EBS volume from that snapshot, and then attach it to running EC2 instances. you don’t pay for snapshots. contains all the data that is captured in the snapshot
cost explorer
budget planning, budget forecasts, identify the root cause and get idea of future billing of your particular services
budgets
tracks your current expenditure, can create alarms
DB instance / database instance
if you stop or modify the DB instance you’ll still pay for resources
S3 bucket
static web hosting
AWS Systems Manager Session Manager
secure SSH connection to your EC2
site-to-site VPN
AWS Side : virtual private gateway or a transit gateway
on-premises side: customer gateway device
strong encryption
delivers high availability by using two tunnels across multiple Availability Zones within the AWS global network. You can stream primary traffic through the first tunnel and use the second tunnel for redundancy — if one tunnel goes down, traffic continues to flow.
WAF (web application firewall)
block specific things
helps protect your website from common attack techniques like SQL injection and Cross-Site Scripting (XSS). In addition, you can create rules that can block or rate-limit traffic from specific user-agents, from specific IP addresses, or that contain particular request headers.
AWS shield standard
layer 3 / 4, SYN / UDP, DDoS
free, managed service that protects applications running on AWS from Distributed Denial of Service (DDoS) attacks. It’s automatically enabled for all AWS customers.
Conventional 3-tier application architecture
Presentation Tier (client) <–> Logic Tier (server) <–> Data Tier (database)
NAT Gateway (network address translation)
IPv4, subnets, traffic
improved security, scalability (depending on traffic volume), cost-effective (only pay for data processed)
Allows resources in a private subnet to access services outside the subnet, while keeping those resources inaccessible to unsolicited traffic. The NAT gateway translates the private IP address of the traffic to an Elastic IP (EIP) address, allowing the private resources to access the internet securely (Isolates instances from the public internet, reducing the attack surface for malicious actors).
public vs private subnets
public - direct route to internet gateway (web servers, load balancers)
private - NO direct route to internet gateway (database, application servers)
when to use containers vs serverless
Serverless: stateless. SMALL applications, easily split into microservices
Containers: stateful. Large complex applications
Provisioned IOPS SSD
database storage performance. increase or change storage type
EBS, FSx
Amazon AppFlow
SaaS
AWS Direct Connect
internet bandwidth limitations, long-term solution, internet connectivity
MFA Delete
accidental deletion for S3 bucket. need to enable versioning on S3 bucket
Macie
PII, personal identifiable information, alerts of PII, remediation (automation)
System Manager Run Command
multiple EC2 instances. powered and patched by third party software.
custom command that applies a patch to all EC2 instances.
S3 Transfer Acceleration
- ideally works with objects for long-distance transfer (uses Edge Locations)
- can speed up content transfers to and from S3