aws exam cram Flashcards

(159 cards)

1
Q

S3 standard

A

Multi-AZ, single region

- durability: 99.999999999% (eleven 9s)
- availability: 99.9%
2
Q

S3 object storage classes

A
- standard
- intelligent tiering
- infrequent access
- one-zone infrequent access
- glacier
- glacier deep archive
3
Q

S3 standard IA

A

Good for infrequently accessed data

Multi-AZ, single region

- durability: 99.999999999% (eleven 9s)
- availability: 99.9%

Lower cost of storage, but has an additional cost of $0.01/GB retrieved

4
Q

Glacier

A
Cold storage
Eleven 9s of durability
Much less expensive than hot storage
Retrieval time varies based on retrieval options:
- expedited: < 5 minutes
- standard: 3-5 hours
- bulk: 5-12 hours
5
Q

S3 one-zone IA

A

Good for infrequently accessed data when you can trade off cost for reduced availability

Single AZ, so only 99.5% available

Less expensive than S3 IA; designed for eleven 9s of durability within a single AZ (if AZ is destroyed, data will be lost)

6
Q

S3 lifecycle policies

A

Can transition objects from standard to IA to Glacier after a certain period (restrictions apply; for instance, an object can’t be transitioned to glacier less than 30 days after it is transitioned to IA)

Transitions follow a waterfall model: standard -> IA -> intelligent tiering -> one-zone IA -> glacier -> glacier deep archive

Costs are associated with transitions to glacier.

Can delete objects after a certain number of days; different tiers have requirements for how long objects must be stored; early deletion can result in charges for the entire minimum period

7
Q

Glacier deep archive

A
Cold storage
Eleven 9s of durability
Less expensive than glacier
Retrieval time varies based on retrieval options:
- standard: 12 hours
- bulk: 48 hours
8
Q

S3 versioning

A

With versioning enabled on a bucket, overwriting an object generates a version ID for the object; old versions are preserved.

Deleting an object on a version-enabled bucket creates a delete marker; old versions are still preserved.

Can retrieve old versions of objects using their IDs.

Must use a lifecycle policy to prevent infinite proliferation of objects.

9
Q

S3 lifecycle policies - minimum storage durations

A

- Standard: none
- Standard IA: 30 days
- One-zone IA: 30 days
- Intelligent tiering: 30 days
- Glacier: 90 days
- Glacier Deep Archive: 180 days
10
Q

S3 transfer acceleration

A

Use CloudFront to speed up transfer to/from S3 (there is a cost associated with this)

Transfer Acceleration Speed Comparison tool can tell you how much speedup to expect.

11
Q

S3 object lock

A

Available for all storage classes

Retention policies:
- governance: no one can delete during retention period unless they have special privileges
- compliance: no one can delete during retention period, not even root account

Legal hold: once put on an object, the object can’t be deleted until the hold is removed

12
Q

S3 static websites

A

- enable web hosting
- set permissions
- create index document

optionally:
- configure redirects
- custom error document
- enable web traffic logging

Really should use CloudFront in front of the site

13
Q

S3 events

A

Can be routed to:
- SNS topic
- SQS queue
- Lambda function
14
Q

EFS storage classes

A

- Standard
- Infrequent access (reduced cost, higher latency, charge for R/W ops)

15
Q

S3 security best practices

A

- block public access
- avoid policies with wildcard identities or wildcard actions
- apps should use IAM roles to access S3 buckets (don’t include credentials in apps)
- MFA delete: requires MFA to delete a bucket to prevent accidental deletions
- aws:SecureTransport: requires all connections to use TLS when accessing bucket contents
- use VPC endpoints to keep traffic to/from S3 inside your VPC
16
Q

EFS throughput

A

- bursting: volume builds up credits based on the filesystem size; credits allow bursting for limited time periods
- provisioned: good for high I/O small filesystems (so you don’t have to overprovision the storage space)
17
Q

EFS performance mode

A

- general purpose (7K iops)
- max I/O (more throughput and iops, but more latency)

18
Q

EFS encryption

A

Encryption at rest supported via AWS-managed keys

EFS supports encryption of data in transit; use the -o tls mount option

19
Q

Mounting EFS

A

- use /etc/fstab inside of linux VMs
- use the EFS mount helper, which simplifies the process by automatically editing /etc/fstab

20
Q

AWS Data Sync

A

Uses a super-efficient, purpose-built data transfer protocol that can run 10 times as fast as open source data transfer.

Can sync to S3 or EFS across the Internet or via Direct Connect, and can also sync from AWS to data stored on-premises.

Can be used for DR replication

Run an agent in your datacenter to perform the data transfer

21
Q

Importing data to AWS

A

- Snowball
- Snowmobile
- Kinesis Data Firehose
- S3 Transfer Acceleration
- AWS Storage Gateway
- AWS DataSync
22
Q

Snowmobile

A

100PB of storage capacity housed in a 45-foot long High Cube shipping container that measures 8 foot wide, 9.6 foot tall and has a curb weight of approximately 68,000 pounds. The ruggedized shipping container is tamper-resistant, water-resistant, temperature controlled, and GPS-tracked.

23
Q

Snowball

A

Physical device shipped to your location; comes in 50TB and 80TB sizes (slightly less usable)

Snowball variants also exist for edge storage and edge computing, combining storage and vCPUs.

24
Q

Disaster recovery strategies

A

- Backup/restore
- Pilot light
- Warm Standby
- Multisite
25
Q

Storage Gateway

A

Hybrid cloud storage solution running on an on-prem VM or hardware appliance.

Caches data locally, providing low-latency disk and network performance for your most active data, with optimized data transfers to AWS in the background.

Supports S3, Glacier, and EBS.

Data encrypted in transit and at rest in AWS.
26
Q

RPO

A

Recovery Point Objective

Gap between the last transaction preserved and the time of the failure (represents the length of time for which transactions were lost)

- Backup/restore: time since last backup, typically 24 hours
- Pilot light: time since last snapshot, maybe 4-12 hours
- Warm standby: time since last database write
- Multisite: time since last database write
27
Q

RTO

A

Recovery Time Objective: amount of time service can be offline

- Backup/Restore: 8-24 hours
- Pilot light: 4-8 hours
- Warm standby: < 4 hours
- Multisite: seconds
28
Q

EC2 Compute-optimized instance types

A

Nitro-based:
- C6g: Graviton2
- C5: Intel
- C5a: AMD
- C5n: Intel + faster network

Non-nitro based:
- C4
29
Q

EC2 general-purpose instance types

A

Nitro-based:
- A1: AWS Graviton processors (ARM)
- T*: burstable (accumulate burst credits)
  - T4g: Graviton2
  - T3: Intel
  - T3a: AMD
- M6g: Graviton2
- M5: Intel
- M5a: AMD
- M5n: Intel + higher network

Non-nitro based:
- T2: Intel
- M4: Intel
30
Q

EC2 Accelerated computing

A

Hardware accelerators
- P3: Intel + GPU
- P2: Intel + GPU
- Inf1: AWS Inferentia
- G4: Intel + GPU
- G3: Intel + GPU
- F1: Intel + FPGA
31
Q

EC2 Memory-optimized instance types

A

Nitro-based:
- R6g: Graviton2
- R5: Intel
- R5a: AMD
- R5n: Intel + faster network
- X1e: high frequency Intel; up to 3TB RAM
- X1: high frequency Intel; up to 2TB RAM
- High Memory: 6, 9, 12, 18, 24TB of RAM
- z1d: custom Xeon (up to 4GHz); local NVMe

Non-nitro based:
- R4
32
Q

Nitro

A

Underlying virtualization infrastructure for current-gen EC2 instances.

Uses hardware cards to offload functions like VPC, EBS, Instance Storage, and security.

Security chip handles sensitive virtualization and security functions in a locked down security model preventing all administrative access (including Amazon employees).

Lightweight hypervisor that manages memory and CPU to deliver performance close to bare metal.
33
Q

EC2 Storage-optimized instance types

A

- I3: Intel + NVMe
- I3en: like I3 with enhanced networking
- D2: up to 48TB of HDD local storage
- H1: up to 16TB of HDD local storage
34
Q

Inferentia

A

AWS custom silicon for deep learning. Supports up to 128 TOPS with up to 16 chips per Inf1 instance.
35
Q

Graviton

A

Custom Arm-based processor designed to provide optimal price-performance ratio. 1st gen in A1 instances, Graviton2 in *g instances with local NVMe storage
36
Q

Enhanced networking

A

Use Elastic Network Adapter (ENA) to support network speeds of up to 100 Gbps

Available on current gen instances (introduced in mid-June 2016)

AMI requires special tagging to indicate it supports ENA

No additional fee to use it
37
Q

EC2 instance lifecycle

A

(instance lifecycle diagram)

- billed only for running (and for stopping if hibernating)
- instance stays in running state while rebooting
38
Q

EBS optimized

A

EBS optimized instances deliver dedicated bandwidth to EBS.

When attached to an EBS-optimized instance, gp2 volumes are designed to deliver their baseline and burst performance 99% of the time; provisioned iops volumes 99.9% of the time.

Newer instance types enable EBS optimization by default. Some older instance types offer it as an option, with an associated hourly fee.
39
Q

Placement group

A

Placement groups influence the placement of a group of interdependent instances:
- cluster: packs instances close together in an AZ for low-latency network performance
- partition: spreads instances across logical partitions so that instances in a partition don't share underlying hardware with instances in another partition
- spread: strictly places a small group of instances across underlying hardware to reduce correlated failures
40
Q

EC2 burstable instance types

A

T2, T3, T3a, T4g

Burstable instances earn a set rate of CPU credits per hour, depending on the instance size. A CPU credit allows for 100% utilization of a CPU core for one minute.

For example, a t3.nano earns 6 credits per hour. So it can run at 100% CPU for 6 minutes as long as it is entirely idle for 54 minutes. But it could run at 10% for the entire hour.
41
Q

EC2 user data

A

Small chunk of data (16KB max) that must be base64-encoded

Can be used to pass two types of data:
- shell scripts (starts with "#!")
- cloud-init directives (starts with "#cloud-config")

Shell script is run as root and output logged to /var/log/cloud-init-output.log

Cloud-init directives are similar, but they have some high-level constructs that can be used to update packages, etc.

Cloud-init is the mechanism by which your ssh keys are installed on instances
42
Q

EC2 metadata

A

Instance metadata is data about your instance that you can use to configure or manage the running instance.

Instance metadata is divided into categories, for example, host name, events, and security groups.

You can also use instance metadata to access user data that you specified when launching your instance.

Metadata can be accessed inside the instance at http://169.254.169.254/latest/meta-data/
43
Q

EC2 AMIs

A

- EBS-backed:
  - stored as EBS snapshot (with associated costs)
  - instances using the AMI will use it on EBS root volume
  - created using AMI tools
- Instance store-backed:
  - stored in S3 (with associated costs)
  - instances using the AMI will use it on an instance store volume
  - created with a single command/call
44
Q

EC2 pricing models

A

- On-Demand: expensive, no commitment
- Spot instances: cheapest, not dependable
- Reserved instances: cheaper, with commitment
- Savings plans: similar to RI, but more flexible
45
Q

EC2 instance store

A

An instance store provides temporary block-level storage for your instance. This storage is located on disks that are physically attached to the host computer.

This storage is ephemeral; it is deleted when the instance is stopped or terminated. It is also lost if the underlying drive fails.

Note: when EC2 was first introduced, all AMIs were backed by instance store. After EBS was introduced, AMIs could be backed by EBS. This is the preferred technique now; they launch faster (instance store requires full image to be retrieved from S3 before it can start; EBS-backed AMIs can lazy load; performance after startup can be a little slower than with instance store).

Modern instance types don't support instance store as the root device. But you can still attach instance store volumes for things like /tmp or cache directories.
46
Q

EC2 Reserved Instances

A

- up-front payment in exchange for lower prices
- 1-year or 3-year commitment
- tied to specific instance types (often in a specific AZ)
47
Q

EC2 On-Demand

A

- most expensive
- no up-front payment
- no commitment
48
Q

EC2 Savings Plans

A

- optional up-front payment
- 1-year or 3-year commitment
- more flexible than reserved instances
- doesn't save as much as reserved instances
49
Q

EC2 Spot instances

A

- pay market rates
- extremely cheap
- instances can be unreliable
50
Q

EC2 root volumes

A

- Instance store:
  - when stopped or terminated, the volume is destroyed
  - size limit of 10GB
  - launches slower (AMI has to be fully copied from S3 to instance store)
  - no cost for root volume
- EBS:
  - when stopped, volume persists
  - when terminated, volume is destroyed unless DeleteOnTermination=false
  - size limit of 16TB
  - launches faster (AMI is lazy-loaded; there could be a performance impact for some period after startup)
  - charged for EBS volume usage while running (or while stopped)
51
Q

EC2 Dedicated Instances

A

- physical EC2 server dedicated to your use
- can be important for compliance
- can also help with server-bound software licenses like SQL Server
- can be purchased on-demand or with reservation
52
Q

EBS volume types

A

SSD:
- io1: provisioned iops: 50 iops/s/GB, up to 1000 MB/s
- io2: provisioned iops with 99.999% durability, 500 iops/s/GB, up to 1000MB/s
- gp2: general purpose: 3 iops/s/GB, up to 250 MB/s

io2 pricing is the same as io1; the only thing io1 has over io2 is multi-attach (which is on the roadmap); so there is little reason to use io1 today

HDD:
- st1: throughput optimized; uses burst model; up to 500MB/s per volume
- sc1: cold HDD; uses burst model; up to 250MB/s per volume; cheapest type
53
Q

EBS

A

Elastic Block Store
- Block storage for EC2 instances
- replicated within an AZ
- 99.999% availability
- 99.8 - 99.9% durability (except io2, which has 99.999% durability)
54
Q

EBS encryption

A

Seamless encryption of EBS data volumes, boot volumes and snapshots, eliminating the need to build and manage a secure key management infrastructure.

EBS encryption enables data at rest security by encrypting your data volumes, boot volumes and snapshots using Amazon-managed keys or keys you create and manage using the AWS Key Management Service (KMS).

In addition, the encryption occurs on the servers that host EC2 instances, providing encryption of data as it moves between EC2 instances and EBS data and boot volumes.
55
Q

EBS snapshots

A

Point-in-time snapshots of your volumes to Amazon S3.

Snapshots are stored incrementally: only the blocks that have changed after your last snapshot are saved, and you are billed only for the changed blocks.

Snapshots can be read directly via APIs, or you can restore them into EBS volumes; these EBS volumes use lazy-loading so that they come online almost immediately.

Can use snapshots to resize EBS volumes; just restore the snapshot to a larger EBS volume (requires application and OS support).
56
Q

EBS elastic volumes

A

Elastic Volumes allows you to dynamically increase capacity, tune performance, and change the type of any new or existing current generation volume with no downtime or performance impact.
57
Q

EBS: Data Lifecycle Manager for EBS snapshots

A

Automated way to back up data stored on EBS volumes by ensuring that EBS snapshots are created and deleted on a custom schedule. No scripts or external applications required.

Tag EBS volumes and create Lifecycle policies for creation and management of backups.

Use Cloudwatch Events to monitor your policies and ensure that your backups are being created successfully.
58
Q

ELB

A

An Elastic Load Balancer distributes incoming application traffic across multiple targets, such as Amazon EC2 instances, containers, IP addresses, and Lambda functions. It can handle the varying load of your application traffic in a single Availability Zone or across multiple Availability Zones.
59
Q

S3 encryption

A

Encryption at rest:
- server-side encryption: have S3 encrypt the object before saving
  - SSE-S3: let S3 manage the keys
  - SSE-KMS: use customer master keys stored in KMS
  - SSE-C: encrypt with customer-provided keys
- client-side encryption

Encryption in transit:
- use TLS
60
Q

Autoscaling policies

A

Types:
- Target tracking scaling: increase or decrease the current capacity of the group based on a target value for a specific metric. (RECOMMENDED)
- Step scaling: increase or decrease the current capacity of the group based on a set of scaling adjustments, known as step adjustments, that vary based on the size of the alarm breach.
- Simple scaling: increase or decrease the current capacity of the group based on a single scaling adjustment.

Can apply more than one policy; AWS will resolve conflict by applying the policy that requests the larger number of instances (during scale-out and scale-in)
61
Q

EC2 autoscaling groups

A

A collection of EC2 instances treated as a logical group for purposes of scaling.

Scaling can be manual, automatic based on a schedule, or automatic using one or more autoscaling policies.

Can launch on-demand instances or spot instances (or both).

The group can span availability zones; if multiple AZs are specified, the instances will be spread across the AZs.
62
Q

Autoscaling: step scaling

A

Scaling can be specified for *how much* a CloudWatch alarm is breached.

For example, imagine a CloudWatch alarm on CPU usage with a breach threshold of 50%.

Scale-out policy: 0-10%: 0% change, 10-20%: 10% change, 20-50%: 30% change
Scale-in policy: 0-10%: 0% change, 10-20%: -10% change, 20-50%: -30% change

At 75% CPU, ASG will scale up by 30% (75 - 50 = 25)
63
Q

Autoscaling: simple scaling

A

The original scaling model for AWS Autoscaling groups.

When a CloudWatch alarm triggers, the group is scaled out; another alarm is configured to trigger the scale in.
64
Q

Autoscaling: warm up

A

During a specified warm-up period, new instances are not counted toward the aggregated metrics of the group; this prevents excessive spin-up
65
Q

Autoscaling: target tracking

A

You set a target value for a metric (e.g. CPU load), and the ASG automatically scales up and down to try to maintain that target value. Think of this like a thermostat.
66
Q

Autoscaling: notifications

A

Amazon EC2 Auto Scaling supports sending Amazon SNS notifications when the following events occur:
- Successful instance launch
- Failed instance launch
- Successful instance termination
- Failed instance termination
67
Q

Autoscaling: cool down

A

After a scale-up occurs, the ASG waits for a cooldown period to complete before any further scaling activities can start (only applies to simple scaling)
68
Q

Autoscaling: launch templates

A

A launch template is similar to a launch configuration, but it allows versioning; several versions can share some common configuration (e.g. the AMI), but differ in other configuration values (e.g. the instance type).

This mechanism is newer than the launch configuration. Using launch templates is required for some advanced ASG features, e.g. mixing on-demand and spot instances.
69
Q

Autoscaling: launch configurations

A

A launch configuration specifies things like:
- AMI
- instance type
- storage
- IAM
- ssh cert

Recommended to use launch templates instead
70
Q

Elastic IPs

A

A static public IPv4 address designed for dynamic cloud computing. An Elastic IP address is allocated to your AWS account, and is yours until you release it.

There is a small hourly charge if an Elastic IP address is not associated with a running instance, or if it is associated with a stopped instance or an unattached network interface.

There is no charge for the first Elastic IP on a given EC2 instance; additional Elastic IPs incur a charge.

Accounts are limited to 5 Elastic IPs per region.

Especially useful for fixing the outbound IP of a host for firewall rules.
71
Q

Security groups

A

A security group acts as a virtual firewall for your EC2 instances to control incoming and outgoing traffic. Inbound rules control the incoming traffic to your instance, and outbound rules control the outgoing traffic from your instance.

When you launch an instance, you can specify one or more security groups.
72
Q

Subnets: public

A

A public subnet is a subnet that's associated with a route table that has a route to an Internet gateway.
73
Q

VPCs

A

A logically separated portion of the AWS cloud. Provides for:
- selection of your own IP address range
- creation of subnets
- configuration of route tables and network gateway
- definition of security groups and NACLs
- creation of endpoints for key services inside the VPC so that traffic to/from services stays secure
74
Q

NAT gateway

A

You can use a network address translation (NAT) gateway to enable instances in a private subnet to connect to the internet or other AWS services, but prevent the internet from initiating a connection with those instances.

You are charged for creating and using a NAT gateway in your account. NAT gateway hourly usage and data processing rates apply. Amazon EC2 charges for data transfer also apply.
75
Q

Internet gateway

A

An internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between your VPC and the internet.

An internet gateway serves two purposes: to provide a target in your VPC route tables for internet-routable traffic, and to perform network address translation (NAT) for instances that have been assigned public IPv4 addresses.

An internet gateway supports IPv4 and IPv6 traffic. It does not cause availability risks or bandwidth constraints on your network traffic. There's no additional charge for having an internet gateway in your account.
76
Q

ELB types

A

- Application Load Balancer (ALB)
  - Layer 7
  - used for HTTP/HTTPS
  - much more versatile than Classic
  - key features: SNI, routing based on path, headers, etc.
- Network Load Balancer (NLB)
  - Layer 4
  - TCP/UDP/TLS
- Classic Load Balancer
  - Layer 7
  - used for HTTP/HTTPS

ALB, NLB use LCU-hours for billing on top of hourly charges
Classic uses GB transferred on top of hourly charges
77
Q

NACLs

A

Network ACL
- VPC has default NACL, allowing all inbound and outbound traffic
- By default, custom NACLs deny all inbound and outbound traffic until you add rules
- Each subnet will always have exactly one NACL (default if not explicitly specified)
- A NACL can be associated with multiple subnets
- NACL rules are evaluated in ascending numeric order. Recommended to create rules in increments of 10 or 100 to allow for insertion of new rules later
- NACLs have separate inbound and outbound rules, and each rule can either allow or deny traffic.
- NACLs are stateless; responses to allowed inbound traffic are subject to the rules for outbound traffic (and vice versa).
79
Q

ELB: internal vs external

A

An internal ELB has only a private IP address and routes traffic within the VPC.

An internet-facing ELB has a public IP address and a publicly resolvable DNS name.
80
Q

ELB: LCU

A

Load Balancer Capacity Units: used for billing by Application and Network load balancers
- 25 new connections per second.
- 3,000 active connections per minute.
- 1 GB per hour for EC2 instances, containers and IP addresses as targets and 0.4 GB per hour for Lambda functions as targets
- 1,000 rule evaluations per second
81
Q

ELB: health check

A

The ELB periodically makes requests to the targets to determine their health. Can use TCP, HTTP, HTTPS, or SSL.

When a target is deemed unhealthy, traffic is no longer routed to it.
82
Q

ELB: listener

A

ALBs use listeners: a listener is a process that checks for connection requests, using the protocol and port that you configure. The listener can offload HTTPS encryption.

Listeners have rules which have priority, condition, and action; these are used to route traffic to the targets, redirect, return static responses, and perform OIDC or Cognito authentication.
83
Q

Lambda

A

Serverless platform

Simply upload code, and AWS handles all scaling and high-availability for your application

Multi-AZ for high availability
84
Q

ELB: multi zone

A

Need to enable the AZ for the ELB, and you need to add targets in the AZ.

Cross-zone load balancing allows an ELB node in AZ A to send traffic to a target in AZ B. This allows for more uniform traffic distribution to your targets.

ALBs always enable cross-zone. NLBs disable it by default.
85
Q

Lambda functions

A

Basic settings:
- description
- role
- runtime

Can be connected to a VPC to access resources in a private subnet

Environment variables are encrypted at rest, so they can be used for secrets

You can publish multiple versions of your functions and then define aliases to point to specific versions
86
Q

Lambda: API Gateway

A

API gateway routes HTTP requests to Lambda functions
87
Q

Lambda: layers

A

A layer is a ZIP archive that contains libraries, a custom runtime, or other dependencies. Layers let you keep your deployment package small, which makes development easier.

A function can use up to 5 layers at a time; total unzipped size of function and all layers must be < 250MB
88
Q

Lambda: supported languages

A

Java, Go, PowerShell, Node.js, C#, Python, and Ruby

APIs provided to extend other languages if needed
89
Q

Lambda: VPCs

A

When you connect a function to a VPC, Lambda creates an ENI for each combination of security group and subnet in your function's VPC configuration.

If the function is idle for a long period of time, Lambda can reclaim these ENIs; the next invocation of the function will fail and the function will enter a Pending state until an ENI is available.
90
Q

Lambda: database proxies

A

You can define an RDS proxy for your function.

This proxy manages a pool of database connections, enabling the function to reach high concurrency levels without exhausting database connections.
91
Q

Lambda: invocation

A

Invocation can be asynchronous or synchronous.

In the async case, Lambda manages an async event queue; it handles retries in case of error as well as exponential backoff if the function doesn't have enough resources to handle the event.

Event source mapping: lets you read events from sources like DynamoDB, SQS, Kinesis and invoke a lambda function.
92
Q

Lambda: permissions

A

The execution role grants it permission to access AWS services and resources. Specified when the function is created; Lambda assumes the role when the function is invoked.

Resource-based policies can grant invocation or management rights to an account or an AWS service.

User policies can grant invocation or management rights to users, groups, or roles.
93
Q

EC2 reserved instance types

A

Offering classes:
- standard: some attributes can be modified during the term; however, the instance family cannot be modified; you cannot exchange the RI; can be sold in the RI marketplace
- convertible: can be exchanged during the term for another convertible RI, allowing you to change instance family, type, platform, scope, or tenancy; cannot be sold in RI marketplace

Standard and Convertible Reserved Instances can be purchased to apply to instances in a specific Availability Zone (zonal Reserved Instances), or to instances in a Region (regional Reserved Instances).

Scheduled Reserved Instances: purchase capacity reservations that recur daily, weekly, or monthly with a specified start time and duration
94
Q

Lambda: autoscaling

A

Autoscaling accommodates an initial burst, followed by a gradual scale-up.

During scale-up, there can be some latency while your code is loaded and initialized. To enable scaling without latency fluctuations, you can use provisioned concurrency.

Application Auto Scaling dynamically adjusts the provisioned concurrency levels based on a target tracking scaling policy (using a utilization metric in Lambda).
95
Q

RDS

A

Relational Database Service

Database VMs are fully managed; you can't shell into them
96
Q

EC2 capacity reservation

A

Reserved instances that are AZ-specific come with a capacity reservation.

On-demand capacity reservations: you pay the rate for the specific instance type whether you are running the instance or not; you can cancel an ODCR any time (unlike reserved instances).
97
Q

RDS Multi-AZ

A

- a standby replica of the database is maintained in another AZ
- changes to the primary are automatically synced to the replica
- auto-failover: if the primary goes down, the replica takes over
98
Q

RDS Database Types

A

- Aurora
- MySQL
- MariaDB
- PostgreSQL
- Oracle
- SQL Server
99
Q

RDS Backup

A

- RDS creates and saves automated backups of your DB instance during the backup window of your DB instance
- RDS creates a storage volume snapshot of your entire DB instance, not just individual databases
- backups are saved according to the backup retention period that you specify
- snapshots are stored on S3
- manual snapshots can be taken and are included in the backup storage total
100
Q

RDS Read Replicas

A

- read replicas are read-only replicas that allow you to horizontally scale up a read-heavy application
- read replicas use asynchronous replication
- you must have automatic backups enabled to use read replicas
101
Q

Aurora

A

MySQL and PostgreSQL-compatible relational database.

Aurora is up to 5x faster than standard RDS MySQL and 3x faster than standard RDS PostgreSQL.

Aurora is fully managed by RDS, which automates time-consuming administration tasks like hardware provisioning, database setup, patching, and backups.

Aurora features a distributed, fault-tolerant, self-healing storage system that auto-scales up to 64TB per database instance.

It delivers high performance and availability with up to 15 low-latency read replicas, point-in-time recovery, continuous backup to Amazon S3, and replication across three Availability Zones (AZs).

Can be easily scaled.
102
RDS authentication
"All RDS DB types support password authentication. MySQL and PostgreSQL also support IAM authentication"
103
Aurora Global Database
"Aurora database replicated across regions
Latency of about 1 second between regions
Failover in about a minute"
104
Aurora serverless
"Fully auto-scaled; you don't specify a number of instances
You can even stop and start the database to save costs if you aren't using the database all the time"
105
DynamoDB
"Fully managed NoSQL key/value and document database
Predictable read/write performance at massive transaction rates
Serverless: scales to the read/write capacity you specify"
106
S3 Security
"- Bucket policy (what principals can do what to this bucket)
- IAM policy (what can this principal do to which buckets)
- ACLs are a legacy mechanism and not recommended
Bucket policies and IAM policies have the same controls available to them; it's mostly a matter of preference for how you like to organize your permissions"
107
DynamoDB durability/availability
"Data is stored on SSDs and is automatically replicated across multiple AZs within an AWS region.
Data is spread across a sufficient number of servers to handle your throughput and storage requirements with consistent performance.
You can use global tables to sync tables across AWS regions"
108
DynamoDB consistency
"- Eventually consistent reads (default)
  - return immediately
  - no guarantee of consistency
  - generally consistent within 1 second
- Strongly consistent reads
  - waits until data is consistent
  - higher latency"
109
DynamoDB pricing
"Charged for:
- storage
- reads/writes (or RCU/WCU)
- optional items:
  - backups
  - global tables
  - DAX
  - DynamoDB streams"
110
DynamoDB capacity modes
"On-demand capacity mode: charged for data reads/writes on your tables
Provisioned capacity mode: you specify the number of reads/writes per second you expect; you can use auto-scaling to adjust the table's capacity:
- WCU: write capacity units (1 write/s = 1 WCU, 1 transactional write/s = 2 WCU)
- RCU: read capacity units (1 eventually consistent read/s = 0.5 RCU, 1 strongly consistent read/s = 1 RCU, 1 transactional read/s = 2 RCU)
Reserved capacity lets you get a MUCH lower price on your RCUs/WCUs"
111
DynamoDB Streams
Captures a time-ordered sequence of item-level modifications in a DynamoDB table and stores this information in a log for up to 24 hours
112
DynamoDB Accelerator (DAX)
"Fully managed, highly available, in-memory cache for DynamoDB
Provides up to 10x performance improvement
You specify the type and size of instances to use, and there is an associated hourly charge"
113
DynamoDB encryption
"All customer data is encrypted at rest by default
- AWS owned CMK (default, no additional charge)
- AWS managed CMK: key is stored in your account, managed by KMS (KMS charges)
- Customer managed CMK: key is stored in your account, managed by you (KMS charges)"
114
DynamoDB backup/restore
"- on-demand backups: full backups of tables; charged per GB of data stored
- PITR (point-in-time recovery): continuous backups; charged per GB of data stored (more expensive than on-demand)
Restoring a table from on-demand or PITR is charged based on the total size of data restored"
115
DynamoDB primary keys
"- simple primary key: uses a single attribute to identify an item (e.g. OrderID)
- composite primary key: uses a combination of two attributes to identify a particular item (e.g. Artist and Album)
  - the first attribute is known as the partition key
  - the second attribute is the sort key"
116
DynamoDB keys/indexes
"- primary key
- local secondary indexes
- global secondary indexes"
118
DynamoDB global secondary indexes
"- used to query items across partition keys
- read/write capacity units provisioned separately
- eventual consistency
- can be used on tables with composite or simple primary keys
- the index itself can use a simple or composite key schema"
119
DynamoDB local secondary indexes
"- must be specified at table creation
- uses the same partition key as the underlying table
- only 10GB of data allowed per hash key
- choose strong/eventual consistency
- use the read/write capacity units of the underlying table"
120
ElastiCache
"Fully managed key/value storage (faster than DynamoDB, but not durable)
Instances are monitored to make sure the required number of instances are running
Supports read-only replicas"
121
DynamoDB item types
"- strings
- numbers
- binary values
- boolean
- list
- map
The length of attribute names actually affects storage size and possibly the RCU/WCU usage"
122
ElastiCache - Redis
"- Redis is similar to Memcached, but it has much richer queries and data types
- provides high availability via automatic failover of the primary node to a replica
- scales to large numbers of nodes (up to 250) and data (up to 170TB)
- supports Redis cluster, which allows you to partition write traffic across multiple primaries
- Global Datastore supports cross-region replication (latency of ~1 second)"
123
ElastiCache - Memcached
"- useful for transient data like cache and session store
- ElastiCache client supports auto-discovery for easy configuration of your application (so nodes can be added and removed and your application is reconfigured automatically)"
124
Route53
"A highly available and scalable DNS service. Provides three main functions:
- register domain names
- route internet traffic to the resources for your domain
- check the health of your resources"
125
Elasticache - Security
"- runs in your VPC
- Redis version supports encryption at rest and in transit
- Redis version supports IAM controls"
126
Route53: Weighted Routing
"Allows you to associate multiple resources with a single domain name and choose how much traffic is routed to each resource.
Each record gets a weight value between 0 and 255. The weight values are summed, and each resource receives a fraction of traffic equal to the ratio of its weight value to the total"
127
Route53: Simple Routing
"Standard DNS records with no special routing (like weighted or latency).
Typically, you route traffic to a single resource, like a web server.
Can supply multiple IP addresses, and query responses randomize the order of the IP addresses"
128
Route53: Failover Routing
"Routes to a primary resource when it is healthy, or to a secondary when the primary is not healthy.
Can use any type of web resource -- a simple S3 bucket or a complex tree of resources"
129
Route53: Latency-based Routing
"Cross-region routing - create latency records for your resources in multiple regions.
Route53 determines which of the configured regions gives the user the lowest latency and selects a latency record for that region.
Route53 uses inter-region latency data; this is all about internet latency, not the response time of your services"
130
Route53: Geo-proximity Routing
"Use the Traffic Flow UI to specify a location for each region, along with a bias.
Route53 calculates the regions based on these values (the larger the bias, the larger the region grows).
Recommended that you make small changes to bias so that you don't radically re-route traffic, overwhelming your resources"
131
Route53: Geolocation Routing
"Lets you choose the resources that serve your traffic based on the geographic location of your users.
Can specify target resources by geographic region:
- continent
- country
- state (US only)
If you create records for overlapping geographic regions, the smallest region gets priority.
Uses geoIP, which is not perfect; you can set a default record for unmapped IP addresses"
132
Route53: Traffic Flow
GUI that lets you build complex routing policies by chaining rules, turning on health checks, etc
133
Route53: Multi-value Answer Routing
"Returns multiple values (e.g. multiple IP addresses) for your web servers.
The advantage over simple routing (which also supports multiple IP addresses) is that MVAR uses a health check and only returns values for healthy resources.
MVAR will respond with up to 8 healthy records, randomized from the total pool of healthy resources"
134
Route53 Resolver
"Unifies DNS resolution in a hybrid cloud implementation:
- resolver rule: forwards name resolution requests across Direct Connect or Managed VPN to an on-prem resolver so that resources in AWS can resolve DNS names for on-prem resources
- resolver endpoint: allows on-prem resources to resolve names of resources hosted on AWS"
135
Route53: Alias Record
"Route53 alias records are a Route53-specific extension to DNS functionality.
Let you route traffic to selected AWS resources (e.g. CloudFront distributions or S3 buckets).
Automatically adapt to changes in IP addresses of the underlying resources"
136
Route 53 pricing
"Small monthly cost for each zone
Zones with > 10,000 records incur additional charges
Charge per million queries, with higher charges for more complex types of queries like latency and geo
Alias queries are provided at no charge
Small monthly charge per defined health check"
137
Route53 Health Checks
"Health checks monitor the health and performance of your resources. Each health check can monitor one of the following:
- the health of a specified resource (e.g. a web server)
- the status of other health checks
- the status of a CloudWatch alarm"
138
IAM Identities
"- Account root user - has full access to everything (and can't be reduced)
- IAM users - can be used to sign into the console, use the CLI, or APIs
- IAM groups - collection of IAM users; can specify permissions for the group for easier management of permissions
- IAM roles - similar to users, but have no credentials; roles are assumed by users (sometimes temporarily, or sometimes roles are assigned to users signing in via external identity providers)"
139
IAM
"Identity and Access Management
Securely controls access to AWS resources (authentication and authorization)"
140
IAM Groups
"- Policies attached to a group apply to all users in the group
- can attach managed policies or customer policies to the group"
141
IAM Users
"- MFA can be turned on by the user (can't be turned on by the admin for a user)
- access keys can be created to allow the user access to the CLI or API; id and secret pair; they are only shown once
- roles and temporary security credentials are better than using keys
- if you use long-term keys, they should be rotated
- you can have two active keys, facilitating clean rotation"
142
IAM Policies
"Managed policies: standalone policies created and administered by AWS; designed to provide permissions for many common use cases (e.g. AmazonDynamoDBFullAccess, AmazonECReadOnlyAccess, AWSCodeCommitPowerUser)
Customer managed policies: can be tailored to specific customer needs (a good way to build one is to copy a managed policy and modify it)
Inline policies: policies embedded in an IAM identity
Managed policies are generally better:
- reusable
- centrally managed (in fact, AWS-managed policies auto-update if AWS makes changes)
- version controlled
- can delegate permission management (some users can attach policies, but not create them)"
143
CloudWatch
Monitoring and observability for cloud applications
144
CloudWatch: Events
"- can respond to an action (like a change in the AWS environment, or somebody using root credentials to sign in)
- are processed by targets, with more options than what an alarm can trigger
- can self-trigger based on a schedule (e.g. take a snapshot of an EBS volume on a schedule)
- allow you to take action in the environment"
145
CloudWatch: Logs
"Monitor, store, and access log files from EC2 instances, CloudTrail, Route53 and other sources
Centralizes the logs from your systems and applications in a single service
Can view, filter, and search logs for patterns
By default, logs are kept indefinitely; need to set a retention policy for each log group"
148
CloudWatch: agent
"Installed on the guest OS
Allows you to collect more system-level metrics from EC2 instances
You can feed metrics from your application to the agent using the StatsD and collectd protocols"
149
CloudTrail
"Continuous monitoring of activity across your AWS infrastructure
Provides event history of actions taken through the AWS console, SDKs, CLI, and other AWS services
Used for governance, compliance, operational auditing, and risk auditing
By default, the past 90 days of management events are tracked and made available via Event History in the console; for longer tracking, you need to create a Trail"
150
CloudTrail: CloudWatch Alarms
CloudWatch alarms can be tied to CloudTrail metrics to alert you when specific actions are taken (e.g. a bucket policy is changed)
151
CloudTrail: Athena
"Use Athena to analyze CloudTrail logs
Log entries are loaded into Athena tables where they can be queried"
152
Kinesis Data Streams
"Durability: streaming data is replicated across three AZs; data is stored for 7 days
Security: the stream can be encrypted; data can be accessed via VPC
Scalability: data streams scale in data throughput and PUT rate"
153
Kinesis Data Analytics
"Allows you to perform queries in real time against a Data Stream or Firehose input
Output can be sent to another Data Stream or Firehose, or to Lambda
Has built-in functions for filtering, aggregating, and transforming data
Run SQL queries performing joins, aggregations over time windows, etc."
154
CloudFront
CloudFront is AWS's CDN, primarily used for speeding up websites by providing cached static content to users at the edge
155
CloudFront web distributions
"Specifies things like:
- content origin (S3 buckets, MediaPackage channels, or HTTP servers)
- access - public or restricted
- security: require HTTPS?
- cache policy
- origin request settings: specific headers, cookies, or query strings to use in requests to the origin
- geo-restrictions
- whether or not to log access"
156
CloudFront: cache behaviors
"A distribution has a default cache behavior, and you can add additional ones (e.g. a cache behavior that applies to images).
A path pattern specifies which requests this cache behavior will apply to (e.g. "images/*" or "*.css").
Time-to-Live (TTL): you can opt to use the origin's cache control headers along with a min, default, and max TTL.
You can choose whether to forward HTTP headers, query strings, and cookies to the origin and which ones (this reduces cacheability).
You can use signed URLs or signed cookies to restrict viewer access"
157
CloudFront: distribution types
"- web distribution (static web content)
- RTMP (streaming media, used for Flash video)"
158
CloudFront: restricted content
"Restrict access to files for selected users, for example, users who have paid a fee. To securely serve this private content:
- require that your users access your private content by using signed URLs or signed cookies
- require that your users access your content by using CloudFront URLs, not directly from the origin"
159
CloudFront: signed URLs
"Signed URLs are best in these cases:
- RTMP distribution (can't use signed cookies)
- you need to restrict access to individual files
- your users are using a client that doesn't support cookies (like a custom HTTP client)"