Theory Flashcards
IAM Users and Groups
IAM is a global service.
A user is a single entity.
Groups contain only users (no nested groups).
IAM Policies
A policy attached to an IAM group defines the access control for a resource.
Structure: Effect (Allow/Deny), Action (API calls), Resource (which resource the access applies to)
IAM Role
IAM roles are used by AWS services to access resources on the user's behalf.
Permissions are assigned to the IAM role so that it can do this.
E.g. EC2 instance roles, Lambda function roles, CloudFormation roles
IAM Role setup steps
- Add a new role
- Choose the AWS service (EC2, Lambda, etc.)
- Attach a policy
EC2 Instance Types (optimized)
Compute Optimized - Batch processing, media transcoding, high-performance web servers, scientific modeling, ML, gaming servers
Memory Optimized - High-performance relational or non-relational databases, distributed web-scale cache stores, in-memory databases for BI, real-time processing of big structured data
Storage Optimized - OLTP, relational and NoSQL databases, in-memory cache DBs like Redis, data warehousing, distributed file systems
Connecting to EC2
Using SSH, EC2 Instance Connect, or PuTTY
EC2 Purchase Options
On Demand - Pay per second after the first minute (Linux and Windows); for other OSes pay per hour. Stopped instances do not incur charges. [For short-term, uninterrupted workloads]
Reserved (1 or 3 years) - Commit to an instance type, Region, tenancy (host, dedicated, default) and OS. Reserved Instances incur charges for every clock-hour during the selected term, regardless of whether the instance is running. [For steady-state usage like databases]
Convertible Reserved - Same as Reserved, except you can change instance type, family, region, tenancy or OS
Savings Plan (1 or 3 years) - Commit to usage in $ (e.g. $10/hour) instead of an instance type. With a Compute Savings Plan you can change instance family and region; with an EC2 Instance Savings Plan you can change instance type, size, OS and tenancy within the same family
Spot - Short workloads; you can lose the instance at any time [For batch jobs, data analysis, image processing, etc.]
Dedicated Host - An entire physical server dedicated to you and not shared. On-demand or reserved [For compliance or existing server-bound software licences]
Dedicated Instance - Dedicated physical server, but shared (with your other instances) [No control over instance placement; hardware can change after stop/start]
Capacity Reservations - Reserve capacity in a specific AZ for any duration. No time commitment. You are charged whether or not you run instances. [For short-term, uninterrupted workloads in a specific AZ]
Availability, Scalability and Elasticity
Availability = Running your application in at least two AZs
Scalability = The application can handle greater load either by increasing instance size (vertical) or by adding more instances (horizontal)
Elasticity = Same as horizontal scalability
ASG Strategies
Manual scaling - Update the size manually
Condition-based scaling -
1. Simple/step scaling
e.g. When all my EC2 instances go over 70% CPU for five minutes, add two units of capacity to my ASG
2. Target tracking scaling
e.g. I want the average CPU utilization of all EC2 instances in my ASG to stay at around 40%
3. Scheduled scaling
e.g. Increase the minimum capacity of my ASG to 10 EC2 instances at 5pm on Friday
4. Predictive scaling
e.g. Use ML to predict the load pattern and scale ahead of it
Bucket Policy
Bucket-wide rules that you can assign directly from the S3 console
Replication
CRR - Cross Region Replication
SRR - Same Region Replication
Copying is asynchronous
Storage Classes
(Availability %, Minimum Storage Duration Charge in days, Minimum Billable Object Size, Retrieval Fee)
Amazon S3 Standard - General Purpose (99.99, NA, NA, NA)
Amazon S3 Intelligent-Tiering (99.9, NA, NA, NA)
Amazon S3 Standard-Infrequent Access (99.9, 30, 128KB, per GB)
Amazon S3 One Zone-Infrequent Access (99.5, 30, 128KB, per GB)
Glacier Instant Retrieval (99.9, 90, 128KB, per GB)
Glacier Flexible Retrieval (99.99, 90, 40KB, per GB)
Glacier Deep Archive (99.99, 180, 40KB, per GB)
Encryption
Server-side encryption is the default
Client-side encryption is when data is encrypted before it is uploaded to S3
Shared Responsibility (S3)
The customer is responsible for:
S3 versioning
S3 bucket policies
Replication
Logging and Monitoring
S3 storage classes
Data encryption at rest and in transit
Snowball Edge Pricing
You pay for everything except data transfer into Amazon S3
Storage classes uses
Amazon S3 Standard - Frequently accessed data
Amazon S3 Intelligent-Tiering - Data automatically moves from the frequent-access to the infrequent-access tier
Amazon S3 Standard-IA - Less frequently accessed data that still requires rapid access when needed
Amazon S3 One Zone-IA - Less frequently accessed data that requires rapid access when needed, stored in one AZ only
Glacier Instant Retrieval - Archiving with millisecond retrieval (data accessed about once a quarter)
Glacier Flexible Retrieval - Archiving with 1 minute to 12 hours retrieval
Glacier Deep Archive - Archiving with 12 to 48 hours retrieval
RDS and Aurora
SQL databases; Aurora is AWS's proprietary DB (PostgreSQL- and MySQL-compatible)
Multi-AZ setup for DR
Vertical and horizontal scaling
You CANNOT SSH into your instance
RDS Deployment
Read Replicas - Read from more than one instance, write to only one
Multi-AZ - Read and write from one instance; on failover, move to the standby
Multi-Region - Region 1 (main) reads/writes on its own instance; Region 2 reads from its own instance but writes go to Region 1
Serverless
Is it IaaS, PaaS or FaaS?
Function as a Service (FaaS)
Gateways
Internet Gateway - Connects a public subnet to the internet
NAT Gateway/Instance - Connects a private subnet to the internet
Customer Gateway - The on-premises side of a site-to-site VPN
Virtual Private Gateway - The AWS VPC side of a site-to-site VPN
DDoS
Denial-of-service attack - The attacker floods the application server with bot requests so that it is unable to serve genuine users' requests because of the overload.
Shared Responsibility (EC2)
Patch management - For RDS it is AWS's responsibility, but for EC2 software patch management is the customer's responsibility
Awareness and training - AWS trains its own employees; you train yours
Configuration Management
Operational Excellence
IaaS and PaaS, anticipate and learn from failure, changes to infrastructure
- All your operations should be code (IaaS, PaaS)
- Annotate documentation
- Make frequent and small reversible changes
- Refine operations procedures frequently
- Anticipate failure
- Learn from all these failures
Security
Logs, identity foundation, keep people away from data
- Strong identity foundation
- Enable traceability (Logs and Metrics)
- Apply security at all layers (Edge->VPC->Subnet->ELB->EC2->OS->Application)
- Automate security best practices
- Protect data in transit and at rest
- Keep people away from data
- Prepare for security events