AWS solutions architect flash cards
CORS (Cross Origin Resource Sharing)
A browser-enforced way for a web app loaded from one origin (scheme + host + port) to read responses from another origin, which the same-origin policy otherwise blocks. The target server opts in by returning Access-Control-Allow-Origin (and related headers); for non-simple requests the browser first sends a preflight OPTIONS request and only sends the real request if the answer allows it. On AWS you configure CORS on S3 buckets and API Gateway. Security caveat: CORS protects the user's browser from cross-origin reads, not the server. A server that reflects any Origin value together with Access-Control-Allow-Credentials: true lets any website read the user's authenticated responses; browsers reject "*" when credentials are included, which is exactly why people reach for the reflecting anti-pattern.
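The server half of that decision, as an added example that is not part of the flash cards: an exact-match allow-list beside the reflect-the-Origin anti-pattern, plus a preflight handler. The allow-list, methods, headers and the request dict shape are assumptions for illustration.

```python
# Added example (not from the flash cards): a minimal CORS decision as an
# origin server must make it. The browser enforces the result; this is the
# server side. ALLOWED_ORIGINS, ALLOWED_METHODS, ALLOWED_HEADERS and the
# request dict shape are hypothetical.
from typing import Optional

ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}
ALLOWED_METHODS = {"GET", "POST", "PUT"}
ALLOWED_HEADERS = {"authorization", "content-type"}


def cors_headers(origin: Optional[str], allow_credentials: bool = True) -> dict:
    """Return the CORS response headers for a given Origin header value.

    * No Origin header: same-origin or non-browser request, add nothing.
    * Origin not on the allow-list: no Access-Control-* headers at all, so the
      browser refuses to hand the response to the calling page.
    * Never pair "*" with credentials: browsers reject it, and the usual
      "fix" (reflect whatever Origin arrived) is the real misconfiguration.
    """
    if origin is None or origin not in ALLOWED_ORIGINS:
        return {}
    headers = {
        "Access-Control-Allow-Origin": origin,  # exact match, never "*" here
        "Vary": "Origin",                        # shared caches must key on Origin
    }
    if allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def reflect_origin_insecure(origin: Optional[str]) -> dict:
    """The anti-pattern, shown for contrast: any site that can get a user to
    visit it can now read that user's authenticated responses from us."""
    if origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def handle_preflight(request: dict) -> tuple:
    """Answer an OPTIONS preflight. `request` is a constructed dict holding the
    headers a browser sends: Origin, Access-Control-Request-Method and
    Access-Control-Request-Headers. Returns (status, headers)."""
    base = cors_headers(request.get("Origin"))
    if not base:
        return 403, {}
    method = request.get("Access-Control-Request-Method", "")
    wanted = {
        h.strip().lower()
        for h in request.get("Access-Control-Request-Headers", "").split(",")
        if h.strip()
    }
    if method not in ALLOWED_METHODS or not wanted <= ALLOWED_HEADERS:
        return 403, {}
    base.update({
        "Access-Control-Allow-Methods": ", ".join(sorted(ALLOWED_METHODS)),
        "Access-Control-Allow-Headers": ", ".join(sorted(ALLOWED_HEADERS)),
        "Access-Control-Max-Age": "600",  # browser may cache the preflight result
    })
    return 204, base


if __name__ == "__main__":
    print(cors_headers("https://app.example.com"))
    print(cors_headers("https://evil.example"))  # {} -> browser blocks the read
    print(handle_preflight({"Origin": "https://app.example.com",
                            "Access-Control-Request-Method": "PUT",
                            "Access-Control-Request-Headers": "Authorization, Content-Type"}))
```

The Vary: Origin header matters on AWS in particular: CloudFront or any shared cache in front of the API would otherwise serve one origin's Access-Control-Allow-Origin value to a different origin.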
HTTP error codes (404 Not Found is a client error, not a server error)
4xx - Client
5xx - Server
400 - Bad Request (generic)
403 - Forbidden (access denied)
429 - Too Many Requests (throttling)
502 - Bad Gateway
503 - Service Unavailable
504 - Gateway Timeout
Mnemonic: B.A.T (400 Bad request, 403 Access denied, 429 Throttling) B.U.T (502 Bad gateway, 503 Unavailable, 504 Timeout)
Kinesis Data Streams
Kinesis - Scalable streaming
Data Streams:
Basic entity of Kinesis. Records are retained for 24 hours by default (extendable up to 365 days). Multiple producers, multiple consumers. Capacity is in shards: each shard ingests 1 MiB/s or 1,000 records/s and serves 2 MiB/s of reads shared by all classic consumers (enhanced fan-out gives each registered consumer its own 2 MiB/s per shard). A record lands on a shard by the MD5 hash of its partition key, so a skewed key set produces a hot shard.
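Sizing a stream from those per-shard limits and seeing where partition keys land, as an added example (not from the flash cards; the traffic figures and sample keys are constructed):

```python
# Added example (not from the flash cards): size a Kinesis Data Stream from
# the per-shard limits and show how partition keys map to shards. The traffic
# numbers and the sample partition keys are constructed.
import hashlib
import math

SHARD_WRITE_MIB_S = 1.0       # per shard: 1 MiB/s ...
SHARD_WRITE_RECORDS_S = 1000  # ... or 1,000 records/s, whichever is hit first
SHARD_READ_MIB_S = 2.0        # per shard: 2 MiB/s shared by all classic consumers


def shards_needed(write_mib_s: float, records_s: int, consumers: int,
                  enhanced_fan_out: bool = False) -> int:
    """Minimum shard count for the given load.

    With classic (shared-throughput) consumers every consumer re-reads the
    whole stream, so the read side is write_mib_s * consumers against
    2 MiB/s per shard. With enhanced fan-out each registered consumer gets
    its own 2 MiB/s per shard and only the write limits matter.
    """
    by_write_bytes = math.ceil(write_mib_s / SHARD_WRITE_MIB_S)
    by_write_records = math.ceil(records_s / SHARD_WRITE_RECORDS_S)
    by_read = 1 if enhanced_fan_out else math.ceil(write_mib_s * consumers / SHARD_READ_MIB_S)
    return max(1, by_write_bytes, by_write_records, by_read)


def shard_for_key(partition_key: str, shard_count: int) -> int:
    """Map a partition key to a shard index the way Kinesis does: MD5 of the
    key read as a 128-bit integer, compared against contiguous, equal hash key
    ranges (the layout you get when creating a stream with N shards)."""
    digest = hashlib.md5(partition_key.encode("utf-8")).digest()
    hash_key = int.from_bytes(digest, "big")
    range_size = (2 ** 128) // shard_count
    return min(hash_key // range_size, shard_count - 1)


def shard_load(partition_keys: list, shard_count: int) -> list:
    """Records per shard for a batch of keys; a skewed batch shows a hot shard
    that will be throttled even though the stream as a whole has capacity."""
    counts = [0] * shard_count
    for key in partition_keys:
        counts[shard_for_key(key, shard_count)] += 1
    return counts


if __name__ == "__main__":
    # Constructed traffic: 5 MiB/s, 2,000 records/s, three consumer apps.
    print(shards_needed(5, 2000, 3))                          # read side dominates: 8
    print(shards_needed(5, 2000, 3, enhanced_fan_out=True))   # write side only: 5
    # Constructed keys: one tenant sends 90% of the records -> one hot shard.
    keys = ["tenant-a"] * 90 + [f"tenant-{i}" for i in range(10)]
    print(shard_load(keys, 4))
```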
Kinesis Firehose
ALLOWS PERSISTENCE - delivers to S3 or another store (Redshift, OpenSearch, HTTP endpoints, third parties such as Splunk).
Service to load streaming data into data lakes, data stores and analytics tools. Near-real-time: records are buffered by size or time before delivery, so it is not the answer when the question says real-time.
Optional transformation with a Lambda function.
Reads from a data stream, or producers write to it directly.
Kinesis Data Analytics
Takes input from Firehose or data streams; destinations are the same as Firehose. SQL or Apache Flink processing; good for real-time dashboards and metrics. Now named Amazon Managed Service for Apache Flink.
Kinesis video streams
Ingests live video feeds (cameras, devices) for storage, playback and analytics.
Cognito
User pool:
Authentication. Users sign in directly against the user pool (password, MFA) or federate through an external identity provider (IdP: social, SAML, OIDC). On success the user pool issues JWTs (ID, access and refresh tokens). A user pool does not hand out AWS credentials by itself.
Identity Pool:
Authorization. Exchanges a token from a user pool or external IdP for temporary AWS credentials: the identity pool calls STS to assume an IAM role (separate roles for authenticated and unauthenticated identities). Scope those roles tightly; the credentials end up inside the browser or mobile app.
Cognito scales to near-unlimited users; good fit for web and mobile apps.
Glue
Serverless, Extract-Transform-Load (ETL) service. Moves and transforms data between src and destination.
Crawlers scan data sources (S3, RDS, DynamoDB, JDBC) and populate the Glue Data Catalog, which is regional.
MQ
Managed message broker (ActiveMQ or RabbitMQ) using industry standards (JMS, AMQP, MQTT, STOMP, OpenWire). Provides both queues and topics, so it covers the SQS and SNS use cases when an application needs protocol compatibility, e.g. migrating an existing broker.
NOT PUBLIC: brokers are deployed into your VPC, not exposed as a public AWS service endpoint like SQS/SNS.
Appflow
Exchanges data between SaaS applications (Salesforce, ServiceNow, etc.) and AWS services (S3, Redshift) using flows built from connectors. Exam hint: look for the SaaS keyword.
Macie
Amazon Macie is a security service that uses machine learning and pattern matching to automatically discover, classify and protect sensitive data (PII, credentials, financial data) stored in S3. It is S3-only.
Lambda SnapStart
Use Lambda SnapStart to reduce cold start time without provisioned concurrency or hand-tuned initialisation code: Lambda snapshots the initialised execution environment and restores new environments from it. Originally Java only; now also available for Python and .NET runtimes. Caveat: anything created during initialisation (random seeds, unique IDs, open network connections) is captured in the snapshot and shared by every restored environment, so regenerate it after restore.
Lambda concurrency.
Concurrency is the number of in-flight requests your function is handling at once (roughly requests per second x average duration in seconds). Reserved concurrency sets aside a guaranteed share of the account's concurrency limit for one function, and also caps that function at it, so critical functions always have capacity and a runaway function cannot starve the rest. Provisioned concurrency pre-initialises a number of execution environments so those requests see no cold start; it is billed even while idle.
Aurora Capacity Units
ACU - about 2 gibibytes (GiB) of memory with corresponding CPU and networking. With Aurora Serverless v2 the starting capacity can be as small as 0.5 ACU and the maximum is 128 ACU on this card; newer limits allow scaling to 0 ACU (auto-pause) and up to 256 ACU, so check the current docs.
Cloudfront Distribution, Edge Location, and Regional Edge Cache
Distribution: the unit of configuration.
Edge location: local cache of data, closest to viewers.
Regional edge cache: larger version of an edge location, sitting between edge locations and the origin; provides another caching layer.
Process on a cache miss?
Edge location -> regional edge cache -> origin fetch.
ACM
AWS Certificate Manager; integrates with CloudFront. Issues and renews public TLS certificates and deploys them onto supported AWS services such as CloudFront, ALB/NLB and API Gateway, NOT directly onto EC2.
ALB - THE CERT MUST BE IN THE SAME REGION
CLOUDFRONT - CERT IN US-EAST-1
Does cloudfront do write caching?
No. CloudFront caches responses to GET and HEAD (optionally OPTIONS); PUT, POST, PATCH and DELETE are forwarded to the origin and never cached.
When to USE NLB over ALB?
When to use NLB:
Static (Elastic) IP per AZ, so customers can allow-list it
Lowest latency and highest throughput (layer 4, millions of requests per second)
Unbroken end-to-end encryption: TLS passthrough, the NLB does not terminate TLS
PrivateLink: an endpoint service is fronted by an NLB
Non-HTTP/HTTPS protocols (TCP, UDP, TLS)
CloudFront Behaviours
A lot of important configuration for distributions lives here. A distribution contains behaviours, and each behaviour is linked to one origin.
Every distribution has a default behaviour.
Have custom behaviours which are configured using a path pattern
What do behaviours control?
Caching (TTLs, the cache key: which headers, cookies and query strings are forwarded), viewer protocol policy (redirect HTTP to HTTPS), allowed HTTP methods, restricting viewer access (signed URLs and cookies), and edge functions (CloudFront Functions, Lambda@Edge).
CloudFront TTL and invalidations
Default TTL - 24 hours (86,400 s), defined per behaviour; used only when the origin sends no caching headers.
Min and max TTL clamp whatever the origin asks for.
TTL headers (origin-controlled)
Cache-Control: s-maxage (seconds) - for shared caches; CloudFront prefers it over max-age when both are present
Cache-Control: max-age (seconds) - used by CloudFront when s-maxage is absent, and by browsers
Expires (date and time) - used only if neither Cache-Control directive is present
Cache-Control: no-cache, no-store or private - CloudFront honours them only when min TTL is 0; otherwise it caches for min TTL
Set on a custom origin's responses, or on S3 objects via object metadata.
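The precedence above as code, an added example rather than anything from the flash cards or from AWS: given the origin's headers and a behaviour's min/default/max TTL, it returns the number of seconds CloudFront will cache. The header values are constructed and the clock is injected so the Expires case is reproducible.

```python
# Added example (not from the flash cards): the TTL CloudFront applies to an
# object, from the origin's headers and the behaviour's min/default/max TTL,
# following the documented precedence. Header values are constructed and
# `now` is injected for the Expires calculation.
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Optional


def _cache_control(value: str) -> dict:
    """Parse 'a=1, b, c=2' into {'a': '1', 'b': None, 'c': '2'}, names lowercased."""
    out = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        out[name.strip().lower()] = val.strip() or None
    return out


def effective_ttl(origin_headers: dict, min_ttl: int, default_ttl: int, max_ttl: int,
                  now: Optional[datetime] = None) -> int:
    """Seconds CloudFront caches the response; 0 means it is not cached.

    Precedence: Cache-Control s-maxage, then max-age, then Expires, then the
    behaviour's default TTL. no-cache / no-store / private stop caching only
    when min TTL is 0; otherwise CloudFront caches for min TTL. Whatever the
    origin asks for is clamped into [min_ttl, max_ttl].
    """
    now = now or datetime.now(timezone.utc)
    headers = {k.lower(): v for k, v in origin_headers.items()}
    directives = _cache_control(headers.get("cache-control", ""))

    if directives.keys() & {"no-cache", "no-store", "private"}:
        return min_ttl  # 0 -> honoured, >0 -> cached for min TTL anyway

    requested: Optional[int] = None
    for name in ("s-maxage", "max-age"):
        if directives.get(name) is not None and directives[name].isdigit():
            requested = int(directives[name])
            break
    if requested is None and "expires" in headers:
        try:
            expires = parsedate_to_datetime(headers["expires"])
            requested = max(0, int((expires - now).total_seconds()))
        except (TypeError, ValueError):
            requested = 0  # malformed or naive Expires: treat as already expired

    if requested is None:
        return max(min_ttl, default_ttl)  # no caching headers at all
    return max(min_ttl, min(requested, max_ttl))


if __name__ == "__main__":
    print(effective_ttl({}, 0, 86400, 31536000))                                  # 86400
    print(effective_ttl({"Cache-Control": "max-age=60, s-maxage=300"}, 0, 86400, 31536000))  # 300
    print(effective_ttl({"Cache-Control": "no-store"}, 30, 86400, 31536000))     # 30, not 0
```

The no-store case is the one worth remembering in a review: a min TTL above zero on the behaviour silently overrides an origin's request not to cache, which is a data-exposure problem if the response was per-user.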
Cache Invalidation
Performed on the distribution and pushed to all edge locations; takes time and is billed beyond 1,000 paths per month. Prefer versioned object names for routine deploys.
Viewer and Origin protocols
The TLS connections between the viewer and the CloudFront distribution, and between the distribution and the origin, respectively. Both need certificates from a publicly trusted CA (ACM in us-east-1 or an imported certificate on the viewer side; a trusted CA on the custom origin); self-signed certificates will not work on either leg. Set the viewer protocol policy to redirect HTTP to HTTPS and the origin protocol policy to HTTPS only so the leg to the origin is encrypted too.
EMR
Amazon EMR is a managed cluster platform that simplifies running big data frameworks, such as Apache Hadoop and Spark
Overhead: clusters are complex and require additional configuration, maintenance and monitoring. When the question stresses low operational effort, prefer Glue, Athena or EMR Serverless.
API GW
- You pay only for the API calls you receive and the amount of data transferred out.
- Enables you to build RESTful APIs (REST and lighter HTTP APIs) and WebSocket APIs that are optimized for serverless workloads.
SNS or SES for montitoring emails?
SNS. A CloudWatch alarm publishes to an SNS topic that has an email subscription. SES is for application-sent transactional or bulk mail.
Which services can backup directly to Glacier deep archive?
DataSync and Storage Gateway (Tape Gateway) at least; an S3 PUT with the storage class set, or an S3 Lifecycle transition, also lands objects in Deep Archive directly.
Routing types
Simple routing:
One record per name, e.g. a WWW A record, though a record can hold multiple values (returned in random order to the client). The ONLY routing policy that cannot use health checks.
Latency Routing:
Routes to the region with the lowest measured latency for the resolver's location; each record is tagged with a region.
Weighted Routing:
Choose how much traffic is routed to each resource when multiple resources are associated with a domain name (weights 0-255, proportional).
Geoproximity Routing:
Distance based, with a bias (+ or -) that expands or shrinks the area a resource serves. Requires Traffic Flow.
Geolocation Routing:
Records are tagged with a country, a continent, or default; the most specific match wins (country, then continent, then default). Does not return the closest record, only the relevant one; with no match and no default, no answer. Good for content restriction, but the location comes from the resolver's IP (or EDNS client subnet), so VPNs and remote resolvers bypass it: a targeting feature, not a security control.
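The geolocation precedence and the weighted selection as code, an added example that is not part of the flash cards. The record sets and client countries are constructed; a `choose` callable is injected into the weighted version so the pick is testable rather than random.

```python
# Added example (not from the flash cards): answer a query the way Route 53
# geolocation and weighted routing policies do. Record sets, the country to
# continent table and the client locations are constructed.
import random
from typing import Callable, Optional

# Constructed subset of the country -> continent mapping Route 53 uses.
CONTINENT_OF = {"DE": "EU", "FR": "EU", "US": "NA", "BR": "SA", "JP": "AS"}


def geolocation_answer(records: dict, client_country: str) -> Optional[str]:
    """`records` maps a location tag (country code, continent code or "*" for
    default) to a value. Most specific match wins: country, then continent,
    then default. No match and no default means no answer at all."""
    for key in (client_country, CONTINENT_OF.get(client_country), "*"):
        if key in records:
            return records[key]
    return None


def weighted_answer(records: dict,
                    choose: Optional[Callable[[list, list], str]] = None) -> Optional[str]:
    """`records` maps a value to its weight (0-255). Each value is picked with
    probability weight / sum(weights). A weight of 0 is never picked unless
    every weight is 0, in which case all values are equally likely."""
    if not records:
        return None
    values, weights = list(records), list(records.values())
    if sum(weights) == 0:
        weights = [1] * len(values)
    pick = choose or (lambda v, w: random.choices(v, weights=w, k=1)[0])
    return pick(values, weights)


def weighted_distribution(records: dict, samples: int) -> dict:
    """Observed share per value over `samples` random picks; useful to sanity
    check a canary split (e.g. 10% to a new version) before trusting it."""
    counts = {v: 0 for v in records}
    for _ in range(samples):
        counts[weighted_answer(records)] += 1
    return {v: n / samples for v, n in counts.items()}


if __name__ == "__main__":
    # Constructed: EU users go to the EU endpoint, Germany gets its own, rest default.
    geo = {"DE": "10.0.1.10", "EU": "10.0.1.20", "*": "10.0.9.10"}
    print([geolocation_answer(geo, c) for c in ("DE", "FR", "US", "JP")])
    print(geolocation_answer({"DE": "10.0.1.10"}, "US"))   # None: no default record
    print(weighted_distribution({"v1": 90, "v2": 10}, 10_000))
```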
Prerequisites for routing traffic to a website that is hosted in an Amazon S3 Bucket
The bucket name must match the domain name (e.g. bucket www.example.com for www.example.com), and the bucket must have static website hosting enabled.
The domain name is a registered domain with a Route 53 hosted zone; the record is an alias to the S3 website endpoint. S3 website endpoints serve HTTP only; for HTTPS put CloudFront in front with an ACM certificate.
SWF
Simple Workflow Service - coordinates tasks across distributed components (workers and deciders), decoupling the steps of a workflow. Largely superseded by Step Functions.
Inspector vs guard duty
Shield is DDoS protection and is applied "at the edge" (CloudFront, Route 53, Global Accelerator, ELB).
GuardDuty is intelligent threat detection. With little configuration it analyses CloudTrail (management and S3 data events), VPC Flow Logs and DNS query logs (plus optional EKS, RDS, Lambda and malware sources) and raises findings when something unexpected happens: credential misuse, crypto-mining, unusual API calls. That is usually for infrastructure and the account. It does not read AWS Config.
Amazon Inspector is more for workloads. It is an automated vulnerability management service that continuously scans EC2 instances, ECR container images and Lambda functions for known software vulnerabilities (CVEs) and unintended network exposure.
Gateway endpoint vs interface endpoint
Both:
- to privately connect AWS services, not over the public internet
Gateway endpoint:
Used for connecting to S3 and DynamoDB only.
Lives in the VPC, not in a subnet: it is not an ENI and has no IP address
Associated with a route table (a prefix list route); no extra charge
Interface Endpoint:
Uses PrivateLink; supports most other AWS services and third-party endpoint services
An ENI with a private IP address, reachable through private DNS
Inside a subnet (one per AZ for resilience)
Associated with a security group; billed per hour plus data processed
EC2 placement strategies
Cluster – Packs instances close together inside an Availability Zone. This strategy enables workloads to achieve the low-latency network performance necessary for tightly-coupled node-to-node communication that is typical of high-performance computing (HPC) applications.
Partition – Spreads your instances across logical partitions such that groups of instances in one partition do not share the underlying hardware with groups of instances in different partitions. This strategy is typically used by large distributed and replicated workloads, such as Hadoop, Cassandra, and Kafka.
Spread – Strictly places a small group of instances across distinct underlying hardware to reduce correlated failures.
Aurora endpoints
Cluster endpoint:
The only endpoint that accepts writes. One per cluster; it points at the current primary DB instance and follows the primary on failover.
Reader endpoint:
One per cluster; LOAD BALANCES read-only connections across the Aurora Replicas.
Custom endpoint:
A set of DB instances you choose; you define which instances the endpoint uses and what purpose it serves (e.g. reporting on the larger replicas).
Instance endpoint:
Connects to one specific DB instance within the Aurora cluster; mainly used to diagnose performance issues on that instance.
DNS TTL
How long a record may be cached. A DNS resolver stores the record so that it does not have to walk the tree again for every query.
Authoritative - getting the record from the source DNS trusts: a name server that is authoritative for that particular zone, rather than a resolver's cache.
TTL - low values mean more queries against the authoritative name server (shorter caching) but faster propagation of changes; long values cut query load but leave stale answers in caches for longer, e.g. the old IP after a failover. Lower the TTL ahead of a planned migration or failover.
R53 Health Checks and Fail over
Endpoint checks: HTTP/HTTPS (optionally matching a string in the response body) and TCP.
Health check types:
- Endpoint health
- Calculated: the health of other health checks
- CloudWatch alarm status
Healthy or unhealthy is decided by:
- Response time (timeout per check)
- Failure threshold: number of consecutive failed checks, as seen from checkers in multiple AWS regions
Failovers
- Active-Active:
All records have the same name, type and routing policy (e.g. weighted or latency) and each carries a health check. Use when you want all resources serving the majority of the time.
- Active-Passive:
Failover routing policy: the primary resource group serves while healthy, the secondary is standby.
Either side can be a single resource or a group of resources (multiple records). Caveat: after a failover, resolvers keep serving the old answer until its TTL expires.
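The stale-answer window from the DNS TTL card and the failover card, shown with a toy caching resolver in front of a toy authoritative server, as an added example (not from the flash cards). The names, addresses, TTL values and the clock are constructed.

```python
# Added example (not from the flash cards): a toy caching resolver in front of
# a toy authoritative server, showing how long clients keep reaching the dead
# primary after a Route 53 failover flips the record. Names, addresses (from
# the TEST-NET-3 documentation range), TTLs and timestamps are constructed.
from typing import Optional


class Authoritative:
    """Stand-in for the authoritative name servers (Route 53 for the zone)."""

    def __init__(self):
        self.records = {}   # name -> (value, ttl)
        self.queries = 0    # how often resolvers actually came to us

    def set(self, name: str, value: str, ttl: int) -> None:
        self.records[name] = (value, ttl)

    def query(self, name: str) -> Optional[tuple]:
        self.queries += 1
        return self.records.get(name)


class CachingResolver:
    """Stand-in for the ISP or corporate resolver that caches answers for TTL seconds."""

    def __init__(self, upstream: Authoritative):
        self.upstream = upstream
        self.cache = {}     # name -> (value, expires_at)

    def lookup(self, name: str, now: float) -> Optional[str]:
        hit = self.cache.get(name)
        if hit and now < hit[1]:
            return hit[0]   # served from cache; authoritative is not consulted
        answer = self.upstream.query(name)
        if answer is None:
            self.cache.pop(name, None)
            return None
        value, ttl = answer
        self.cache[name] = (value, now + ttl)
        return value


def failover_timeline(ttl: int, failover_at: float, probe_times: list) -> list:
    """Cache the primary at t=0, flip the zone to the secondary at failover_at
    (what a Route 53 health check failure does), then record which address a
    client behind the caching resolver gets at each probe time."""
    auth = Authoritative()
    auth.set("api.example.com", "203.0.113.10", ttl)   # primary
    resolver = CachingResolver(auth)
    resolver.lookup("api.example.com", 0.0)            # populates the cache
    results, flipped = [], False
    for t in sorted(probe_times):
        if not flipped and t >= failover_at:
            auth.set("api.example.com", "203.0.113.20", ttl)   # secondary
            flipped = True
        results.append(resolver.lookup("api.example.com", t))
    return results


def authoritative_queries(ttl: int, probe_times: list) -> int:
    """How many probes reach the authoritative server: one per TTL window, the
    load side of the low-versus-high TTL trade-off."""
    auth = Authoritative()
    auth.set("api.example.com", "203.0.113.10", ttl)
    resolver = CachingResolver(auth)
    for t in sorted(probe_times):
        resolver.lookup("api.example.com", t)
    return auth.queries


if __name__ == "__main__":
    # Constructed: 300 s TTL, failover at t=10; clients keep hitting the primary
    # until the cached answer expires at t=300.
    print(failover_timeline(300, 10.0, [5.0, 100.0, 299.0, 301.0]))
    print(failover_timeline(30, 10.0, [100.0]))   # short TTL: already recovered
    print(authoritative_queries(60, [float(t) for t in range(0, 600, 10)]))
```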
Aurora HA and FT
- The cluster storage volume is replicated six ways across three AZs at the storage layer. Aurora Replicas in other AZs read the same shared volume, so there is no replication backlog to catch up on and any replica can be promoted.
- Failover promotes an existing Aurora Replica (by priority tier) to primary, or creates a new primary if there are no replicas (slower).
- Self-healing data blocks and disks.
- Automated backups - continuous, with 1 to 35 day retention (point-in-time restore).
Monitoring RDS
Subscribe to Amazon RDS events to be notified when changes occur with a DB instance, DB cluster, DB cluster snapshot, DB parameter group, or DB security group.
Database log files (error, slow query, audit) can be published to CloudWatch Logs.
RDS Enhanced Monitoring - OS-level metrics (per-process CPU, memory, swap) in near real time; needs an IAM role for the monitoring agent.
RDS Performance Insights monitors your Amazon RDS DB instance load (waits, top SQL) so that you can analyze and troubleshoot your database performance.
Use CloudWatch Metrics, Alarms and Logs
EBS volume types (gp2, st1, io1, sc1)
Type | Volume size      | Max throughput/volume | Max IOPS/volume | Performance attribute
gp2  | 1 GiB - 16 TiB   | 250 MiB/s             | 16,000          | IOPS (SSD; 3 IOPS/GiB baseline, burst to 3,000)
io1  | 4 GiB - 16 TiB   | 1,000 MiB/s           | 64,000          | IOPS (SSD; provisioned, up to 50 IOPS per GiB)
st1  | 125 GiB - 16 TiB | 500 MiB/s             | 500             | Throughput, MiB/s (HDD, sequential workloads)
sc1  | 125 GiB - 16 TiB | 250 MiB/s             | 250             | Throughput, MiB/s (HDD, cheapest, infrequent access)
Corrections to the original cards: st1 and sc1 now start at 125 GiB, and sc1 tops out at 250 IOPS, not 500.
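The gp2 row hides the detail that bites in load tests: small volumes run on burst credits. As an added example (not from the flash cards), the published gp2 rules (3 IOPS per GiB, floor 100, ceiling 16,000, burst to 3,000 IOPS from a 5.4 million credit bucket for volumes under 1 TiB) turned into a calculator; the volume sizes used are constructed.

```python
# Added example (not from the flash cards): gp2 baseline IOPS and burst credit
# arithmetic from the published gp2 rules. Volume sizes are constructed.
from typing import Optional

GP2_IOPS_PER_GIB = 3
GP2_MIN_IOPS = 100
GP2_MAX_IOPS = 16_000
GP2_BURST_IOPS = 3_000
GP2_CREDIT_BUCKET = 5_400_000   # I/O credits; the bucket is full at launch


def gp2_baseline_iops(size_gib: int) -> int:
    """IOPS the volume can sustain indefinitely."""
    return min(GP2_MAX_IOPS, max(GP2_MIN_IOPS, GP2_IOPS_PER_GIB * size_gib))


def gp2_burst_seconds(size_gib: int) -> Optional[float]:
    """How long a full bucket sustains 3,000 IOPS at 100% demand.

    Credits drain at (3,000 - baseline) per second. Volumes of 1,000 GiB and
    up have a baseline of at least 3,000 and never burst (returns None).
    """
    baseline = gp2_baseline_iops(size_gib)
    if baseline >= GP2_BURST_IOPS:
        return None
    return GP2_CREDIT_BUCKET / (GP2_BURST_IOPS - baseline)


def gp2_refill_seconds(size_gib: int) -> Optional[float]:
    """Idle time to refill an empty bucket; credits accrue at the baseline rate."""
    baseline = gp2_baseline_iops(size_gib)
    if baseline >= GP2_BURST_IOPS:
        return None
    return GP2_CREDIT_BUCKET / baseline


def gp2_average_iops(size_gib: int, seconds: float) -> float:
    """Average IOPS a fresh volume delivers over a window of full demand.
    A 20 minute load test on a 100 GiB volume sees 3,000 IOPS throughout and
    proves nothing about the 300 IOPS it will deliver once credits are gone."""
    baseline = gp2_baseline_iops(size_gib)
    burst = gp2_burst_seconds(size_gib)
    if burst is None:
        return float(baseline)          # no burst: baseline the whole time
    if seconds <= burst:
        return float(GP2_BURST_IOPS)    # whole window covered by credits
    return (GP2_BURST_IOPS * burst + baseline * (seconds - burst)) / seconds


if __name__ == "__main__":
    for size in (10, 100, 500, 1000, 6000):
        print(size, "GiB:", gp2_baseline_iops(size), "baseline IOPS,",
              gp2_burst_seconds(size), "s of burst,",
              gp2_average_iops(size, 3600), "avg IOPS over an hour")
```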
Data Lifecycle Manager
A service that automates the creation, retention and deletion of Amazon EBS snapshots (and AMIs) on a schedule, selecting volumes by tag.
Cloudwatch agent
An agent installed on EC2 (or on-premises servers) that collects OS-level metrics the default EC2 metrics do not include, such as memory usage, swap space and disk space used, and ships log files to CloudWatch Logs.
Endpoint policy
An IAM resource policy attached to a VPC endpoint that controls which AWS principals (accounts, IAM users and roles) can use the endpoint, for which actions and on which resources. Typical use: an S3 gateway endpoint policy that only allows your own buckets, so stolen credentials for a bucket in someone else's account cannot push data out through the endpoint. It is one gate among several: the caller's IAM policy and the bucket policy must also allow the call.
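A deliberately simplified evaluator run against such a policy, as an added example (not from the flash cards and not AWS's own evaluation engine): it implements only the core order, explicit Deny beats Allow and everything else is implicitly denied, with * and ? wildcards. Conditions, NotAction/NotResource and the account-ID principal shorthand are left out. The account ID, bucket names and policy document are constructed.

```python
# Added example (not from the flash cards): a simplified IAM-style evaluator
# applied to an S3 gateway endpoint policy. Only the core decision order and
# wildcard matching are implemented; conditions, NotAction/NotResource and
# account-ID principal shorthand are omitted. The policy, account ID, role
# and bucket names are constructed.
import re
from typing import Union

# Endpoint policy that lets this VPC reach only the organisation's bucket.
# Without it the endpoint's default policy is "*" (everything, any bucket).
ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "OwnBucketOnly",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
            "Resource": [
                "arn:aws:s3:::corp-data-123456789012",
                "arn:aws:s3:::corp-data-123456789012/*",
            ],
        },
        {
            "Sid": "NoDeleteThroughEndpoint",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:Delete*",
            "Resource": "*",
        },
    ],
}


def _glob(pattern: str, value: str, case_insensitive: bool = False) -> bool:
    """IAM wildcard match: * matches any run of characters, ? a single one."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    flags = re.IGNORECASE if case_insensitive else 0
    return re.match(regex, value, flags) is not None


def _as_list(x: Union[str, list, dict, None]) -> list:
    """Normalise a policy element: string, list, or {"AWS": ...} principal map."""
    if x is None:
        return []
    if isinstance(x, dict):
        out = []
        for v in x.values():
            out.extend(_as_list(v))
        return out
    return x if isinstance(x, list) else [x]


def _matches(stmt: dict, principal: str, action: str, resource: str) -> bool:
    return (
        any(_glob(p, principal) for p in _as_list(stmt.get("Principal")))
        and any(_glob(a, action, case_insensitive=True) for a in _as_list(stmt.get("Action")))
        and any(_glob(r, resource) for r in _as_list(stmt.get("Resource")))
    )


def endpoint_allows(policy: dict, principal: str, action: str, resource: str) -> bool:
    """True if the endpoint policy permits the call. Explicit Deny wins over any
    Allow; with no matching Allow the answer is the implicit deny."""
    decision = False
    for stmt in policy.get("Statement", []):
        if not _matches(stmt, principal, action, resource):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            decision = True
    return decision


if __name__ == "__main__":
    role = "arn:aws:iam::123456789012:role/app"
    print(endpoint_allows(ENDPOINT_POLICY, role, "s3:GetObject",
                          "arn:aws:s3:::corp-data-123456789012/reports/q1.csv"))   # True
    print(endpoint_allows(ENDPOINT_POLICY, role, "s3:PutObject",
                          "arn:aws:s3:::attacker-dropbox/loot.tgz"))              # False
```

The second call is the exfiltration case the card is about: the instance role might well be allowed to write to attacker-dropbox by a permissive bucket policy, but the endpoint policy stops the write from leaving over the private path.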
AWS Datasync
An online data transfer service that moves large datasets quickly and cost-effectively between on-premises storage (NFS, SMB, HDFS, object stores) and AWS (S3, EFS, FSx), with encryption in transit and integrity verification.
OpenSearch Service
OpenSearch is an open source (Apache 2.0 licensed) search and analytics suite, forked from Elasticsearch and Kibana.
Lots of use cases: real-time application monitoring, log analytics, website search. OpenSearch Service is the managed version; keep domains inside a VPC with fine-grained access control rather than exposing them publicly.
Can you enable hibernation mode after you’ve created an EC2 instance?
NO. Hibernation must be enabled at launch, and the root EBS volume must be encrypted (RAM contents are written to it).
Which SSE method provides an audit trail?
SSE-KMS. Every use of the KMS key is logged in CloudTrail, and the key policy adds a second authorisation gate beyond S3 permissions; SSE-S3 leaves no per-object key-usage trail.