Theory Flashcards
IAM Users and Groups
IAM is a global service.
A user is a single entity.
Groups contain only users
IAM Policies
An IAM group has a policy attached, which defines the access control to a resource
Structure is Effect (Allow/Deny), Action (API calls), Resource (which resource access is allowed to)
IAM Role
IAM roles are used by AWS services to access resources on the user's behalf.
Permissions are assigned to the IAM role to allow that.
E.g. - EC2 instance roles, Lambda function roles, CloudFormation roles
IAM Role application steps
- Add a new role
- Choose the AWS service (EC2, Lambda, etc.)
- Attach a policy
EC2 Instance Types (optimized)
Compute Optimized - Batch processing, media transcoding, high-performance web servers, scientific modeling, ML, gaming servers
Memory Optimized - High-performance relational or non-relational databases, distributed web-scale cache stores, in-memory DB for BI, real-time processing of big structured data
Storage Optimized - OLTP, relational and NoSQL DBs, in-memory cache DBs like Redis, data warehousing, distributed file systems
Connecting to EC2
Using SSH, EC2 Instance Connect and PuTTY
EC2 Purchase Options
On Demand - Pay by the second after the first minute (Linux and Windows); for other OSs pay by the hour. Stopped instances do not incur charges. [For short-term uninterrupted workloads]
Reserved (1 or 3 years) - Commit to an instance type, Region, Tenancy (host, dedicated, default) and OS. Reserved Instances incur charges for every clock-hour during the selected term, regardless of instance running status [For steady-state usage like a DB]
Convertible Reserved - Same as Reserved, except you can change instance type, family, region, tenancy or OS
Savings Plan (1 or 3 years) - Commit to usage in $ (e.g. $10/hour) instead of to an instance type. With a Compute Savings Plan you can change instance family and region; with an EC2 Savings Plan you can change instance type, size, OS and tenancy within the same family
Spot - Short workloads; you can lose the instance [For batch jobs, data analysis, image processing, etc.]
Dedicated Host - Entire physical server dedicated to you and unshared. On Demand or Reserved [For compliance or existing server-bound s/w licences]
Dedicated Instance - Runs on a dedicated physical server that is shared [No control over instance placement. May move to different h/w after stop/start]
Capacity Reservations - Reserve capacity in a specific AZ for any duration. No time commitment. You are charged even if you don't run instances. [For short-term uninterrupted workloads in a specific AZ]
Availability, Scalability and Elasticity
Availability = Running your application in at least two AZs
Scalability = Application can take greater loads either by increasing the size (vertical) or adding more instances (horizontal)
Elasticity = Same as horizontal scalability
ASG Strategies
Manual scaling - Update the size manually
Condition-based scaling -
1. Simple step scaling
e.g. When all my EC2 instances go over 70% for five minutes, add two units of capacity to my ASG
2. Target tracking scaling
e.g. I want the average CPU utilization of all the EC2 instances in my ASG to stay at around 40%
3. Scheduled scaling
e.g. Increase the minimum capacity to 10 EC2 instances in my ASG at 5pm on Friday
4. Predictive scaling
e.g. Use ML to predict the load pattern and scale accordingly
Bucket Policy
Bucket-wide rules that you can assign directly from the S3 console
Replication
CRR - Cross Region Replication
SRR - Same Region Replication
Copying is asynchronous
Storage Classes
(Availability %, Minimum storage duration charge in days, Minimum billable object size, Retrieval fee)
Amazon S3 Standard - General Purpose (99.99, NA, NA, NA)
Amazon S3 Intelligent-Tiering (99.9, NA, NA, NA)
Amazon S3 - Infrequent Access (99.9, 30, 128KB, per GB)
Amazon S3 One Zone - Infrequent Access (99.5, 30, 128KB, per GB)
Glacier Instant Retrieval (99.9, 90, 128KB, per GB)
Glacier Flexible Retrieval (99.99, 90, 40KB, per GB)
Glacier Deep Archive (99.99, 180, 40KB, per GB)
Encryption
Server-side encryption is the default
Client-side encryption: data is encrypted before uploading to S3
Shared Responsibility (S3)
Customer responsibility covers:
S3 versioning
S3 bucket policies
Replication
Logging and Monitoring
S3 storage classes
Data encryption at rest and in transit
Snowball Edge Pricing
You have to pay for everything except transferring data into Amazon S3
Storage class uses
Amazon S3 Standard - Frequently accessed data
Amazon S3 Intelligent-Tiering - Data automatically moves from the frequent-access to the infrequent-access tier
Amazon S3-IA - Less frequently accessed but requires rapid access when needed
Amazon S3 One Zone-IA - Less frequently accessed but requires rapid access when needed; stored in 1 AZ only
Glacier Instant Retrieval - Archiving with millisecond retrieval (accessed about once a quarter)
Glacier Flexible Retrieval - Archiving with 1 min to 12 hrs retrieval
Glacier Deep Archive - Archiving with 12 hrs to 48 hrs retrieval
RDS and Aurora
RDS provides SQL databases; Aurora is AWS's proprietary DB (PostgreSQL and MySQL)
Multi-AZ setup for DR
Vertical and horizontal scaling
You CANNOT SSH into your instance
RDS Deployment
Read Replicas - Read from more than 1 instance, write to only 1
Multi-AZ - Read and write from 1 instance; on failover move to another
Multi-Region - Region 1 (main) reads/writes on the Region 1 instance; Region 2 reads from the Region 2 instance but writes go to Region 1
Serverless
Is it IaaS, PaaS or FaaS?
Function as a Service (FaaS)
Gateways
Internet Gateway - Connects a public subnet to the internet
NAT Gateway/Instance - Connects a private subnet to the internet
Customer Gateway - For site-to-site VPN, on the on-premises side
Virtual Private Gateway - For site-to-site VPN, on the AWS VPC side
DDoS
Denial of service attack - The attacker floods the application server with bot requests, so it is unable to serve genuine users' requests because of the overload.
Shared Responsibility (EC2)
Patch Management - e.g. for RDS it's AWS's responsibility, but for EC2 software patch management is the customer's responsibility
Awareness and Training - e.g. AWS gives this to its employees and you give it to yours
Configuration Management
Operational Excellence
IaaS and PaaS, Anticipate and Learn from failure, Changes to Infra
- All your operations should be code (IaaS, PaaS)
- Annotate documentation
- Make frequent and small reversible changes
- Refine operations procedures frequently
- Anticipate failure
- Learn from all these failures
Security
Logs, identity foundation, keep people away from data
- Strong identity foundation
- Enable traceability (Logs and Metrics)
- Apply security at all layers (Edge -> VPC -> Subnet -> ELB -> EC2 -> OS -> Application)
- Automate security best practices
- Protect data in transit and at rest
- Keep people away from data
- Prepare for security events
Reliability
Failover, stop guessing capacity, scale out
- Test recovery procedures
- Automatically recover from failure
- Scale horizontally
- Stop guessing capacity (use auto scaling)
- Use automation for changes in infrastructure
Performance Efficiency
Serverless, advanced technology, go global in mins
- Use advanced technologies
- Go global in minutes
- Use serverless architecture
- Experiment more often
- Mechanical sympathy - Be aware of all AWS services
Cost Optimization
Pay only for what you use, use CloudWatch, use tags
- Pay only for what you use
- Measure overall efficiency - Use CloudWatch
- Stop spending on data center operations
- Analyze and attribute expenditure - Use Tags
- Use managed services to reduce cost of ownership
Sustainability
- Understand your impact
- Establish sustainability goals
- Maximize utilization
- Anticipate and adopt more efficient h/w or s/w
- Use managed services
- Reduce downstream impact of cloud workloads
AWS Well Architected Tool
AWS tool to review your architecture against the 6 pillars
AWS CAF (Cloud Adoption Framework)
- Whitepaper that helps you build and execute a plan for digital transformation using AWS
- It groups the capabilities under:
Business: Business, People, Governance
Technical: Platform, Security, Operations
AWS CAF Transformation Phases
EALS
- Envision (Demonstrate the benefits of cloud to the business; foundation for digital transformation)
- Align (Identify capability gaps across the 6 CAF perspectives and create an action plan)
- Launch (Build and deliver pilot in production)
- Scale (Expand pilot initiatives)
AWS CAF Transformation Domains
TPOP
- Technology
- Process
- Organization
- Product
AWS Right Sizing
Process of matching the instance type and size to your workload performance and capacity requirements at the lowest possible cost
- Tools: CloudWatch, Cost Explorer, Trusted Advisor
AWS Assurance Program
Certification/Attestation and Compliance with Laws and Regulations
Access Key use
An access key is an Access Key ID + Secret Access Key. Both together are used to authenticate a user.
Employed for programmatic requests to AWS services via the AWS CLI or API
SOC 1 and 2 vs PCI vs ISO
EC2 instance customer responsibility
Security configuration and patching of the OS and apps
AWS Risk and Compliance program components
Risk Management
Information Security
Control Environment
Root user access keys can be deleted. True or False?
True
Federated Access
Using a corporate directory to provide access to AWS resources
Can we assign User Groups or Users to an instance in AWS?
No. Only IAM roles can be assigned. The roles are then assigned to groups or users
In S3, replication across AZs is whose responsibility?
AWS
In S3, backing up data is whose responsibility?
Customer
Which services have built-in DDoS prevention?
Route 53, WAF, ELB, CloudFront, VPC and SGs
RDS what is customer responsibility?
Managing their data (including encryption options), classifying their assets, and using IAM tools to apply the appropriate permissions
ELB can distribute across regions. True or False?
False.
Elastic Load Balancing automatically distributes your incoming traffic across multiple targets, such as EC2 instances, containers, and IP addresses, in one or more Availability Zones
This increases the fault tolerance of your applications
Resource tags
- Manually assigned key and value
- Can assign a key and leave the value empty (not null)
Redshift Components
Cluster - composed of one or more compute nodes
Compute Node - run the compiled code and send intermediate results back to the leader node for final aggregation
Leader Node - manages communications with client programs and all communication with compute nodes
Redshift Managed Storage - Where the data warehouse data is stored
AWS Quick Start
Higher-level IaaS compared to CloudFormation.
Pre-built templates and guides for rapid deployment of various workloads on AWS infrastructure
Good for beginners
AWS CloudWatch vs Budgets (Alarms)
In CloudWatch the alarm is triggered when the threshold limit is breached
CloudWatch alarms are about real-time metric breaches
In Budgets the alarm is triggered when the estimated cost threshold is reached
Budgets takes a broader financial perspective, focusing on estimated costs, with more flexibility
OpsWorks vs CloudFormation
OpsWorks: Infra + app configuration
vs
CloudFormation: Infra deployment
AWS Penetration testing
Customers are not permitted to conduct any security assessments of AWS infrastructure or the AWS services themselves. If you discover a security issue within any of the AWS services observed in your security assessment, please contact AWS Security immediately
AWS customers are welcome to carry out security assessments or penetration tests of their AWS infrastructure without prior approval for the services listed in the AWS permitted list
AWS Lambda@Edge
Lambda@Edge is a feature of Amazon CloudFront that lets you run code closer to users of your application
Data Consistency Options
Eventual Consistency: Updates may not be immediately reflected in all replicas, providing scalability and performance benefits. However, it introduces a temporary inconsistency window.
Strong Consistency: Guarantees that any read operation reflects the most recent write. This ensures immediate data accuracy but may impact system performance.
AWS Lifecycle policies for S3
Predefined rules determining actions performed on objects over their lifecycle
Users can configure rules in S3 Lifecycle to transition objects between storage tiers or expire them based on criteria such as age or count
Can you change the SG attached to an instance even if it's running?
Yes
Route53 hosted zone
For example, the amazon.com hosted zone may contain records named www.amazon.com and www.aws.amazon.com, but not a record named www.amazon.ca
Which support plans cover business-critical system down?
Enterprise On-Ramp: < 30 mins; Enterprise: < 15 mins
The Business support plan has no business-critical tier; only production system down, < 1 hr