Continuous Improvement For Existing Solutions Flashcards
(25 cards)
Lambda function, integrated with DynamoDB Streams
Deployment to be done in 2 increments: 10% first, 90% little later
Also trace event source and downstream calls
Use a canary deployment for the Lambda function
Use active tracing with AWS X-Ray
AWS managed policy that provides full access to AWS services and resources, but does not allow management of users and groups.
PowerUserAccess
Remove access by developers to stop or terminate instances in the production environment
Add tags to instances in the production environment
Add resource-level permissions for the developers with an explicit deny on terminating instances that carry the tag
Modify the IAM role assigned to developers - remove the policy that allows them to terminate EC2 instances in production
Batch analytics process reads data from RDS but slows the application
Add read replicas to the RDS database to speed up batch analytics
Slow time to log into serverless application portal
Global user base
Occasional HTTP 504 errors
Lambda@Edge to customize content delivered by CloudFront
Lambda@Edge to execute authentication in AWS locations closer to users
Set up origin failover by creating an origin group with 1 primary origin and 1 secondary origin
CloudFront automatically switches to the secondary origin if the primary origin returns HTTP failure status codes
When not to use Code Deploy
Only use CodeDeploy when needing to deploy change to a Production environment.
Otherwise, CodeBuild is adequate
Improve speed/user experience of a mobile app consisting of API Gateway, Lambda and DynamoDB
SQS queue to buffer incoming requests
CloudFront and S3 to host static assets
To protect credit card information with CloudFront,
Use field-level encryption, not SSL
Container orchestrator that will run both in the AWS cloud and in an on-premises data center
ECS Anywhere
Note: choose ECS Anywhere because EKS Anywhere does not run in the AWS Cloud
Custom domain name needed
Public DNS managed internally
Wants Apex domain / naked domain
Several ALBs as endpoints
S3 Multi-Region Access Points
AWS Global Accelerator with several endpoint groups
Set up a public alias record in Route 53
Points the custom domain name to the DNS name assigned to your accelerator
Mitigate DDoS without Shield Advanced
CloudFront distribution for both static and dynamic content of the web application
CloudWatch alarms for monitoring and alerting, and for triggering auto scaling if needed
ALB for distributing load
WAF integrated with the ALB
Input stream
Analyze and write data to output stream of files
Input files grow
Application hosted on EC2 and large EBS volume
Slow processing. Improve how?
Store input/output files in S3
SQS to facilitate groups of hosts working in parallel
ASG that scales according to the length of the SQS queue
Scaling limits for Lambda functions
Lambda: 500-3000 requests per second
Lambda@Edge: 10,000 requests per second
User queries must be processed in less than 2 seconds
Lots of requests: 1,500/sec to 15,000/sec
Don’t use Lambda - Lambda can’t handle that rate of requests
Instead, use:
EFS with EC2 instances for huge scaling and low latency,
CloudFront for CDN,
EC2 instances behind an ELB
Cache-Control timeout for the CloudFront distribution
EFS use cases
Distributed data storage
Big data & Analytics
Media processing workloads
Content management
Web serving
Refactor web service portal
Use managed services
Global users
Needs to handle short but significant system load spikes
Regionally highly available
DynamoDB global tables
Fargate
ALB
Route 53 alias record with latency routing policy with health checks
Multiple AWS accounts
Under AWS Organizations
Upcoming audit
Needs a durable and secure logging solution to track changes on AWS resources globally
CloudTrail with a new S3 bucket, with the “Enable for all accounts in my organization” checkbox enabled
Enable MFA delete and log encryption on the S3 bucket
Allow multiple website domains to serve SSL traffic without the need to re-authenticate and re-provision a new certificate whenever a new domain name is added
Add all SSL certificates for the domains to the ALB
Bind multiple certificates to the same secure listener on the load balancer
SNI (Server Name Indication) is used by the ALB to choose the correct certificate
CloudFront distribution to
Serve HTTPS requests using dedicated IP addresses.
Lock down an S3 bucket behind CloudFront so that it can only be accessed through CloudFront
Create an OAC (or OAI) CloudFront user
Give the OAC permission to read the objects in the S3 bucket
Remove everyone else’s permission to use S3 URLs to read the objects
Cost-effective analytics jobs plus a reporting service
EC2 spot instances with an ASG
Custom metric to scale the spot fleet to meet needed capacity
Create a container for the reporting service and run it on ECS with Fargate
Amazon Aurora
RPO = 1 second
RTO = 1 minute
Global databases
Global/Regional availability and failover
Cross-Region replication with less than 1 second latency
Hybrid cloud architecture - on-premises + cloud
SSL key used for encryption needs to always be kept secure
CloudHSM
ECS Spot Instance draining
Draining is disabled by default and needs to be turned on
When draining happens:
Service tasks that are in a PENDING state are stopped immediately
Draining prevents new tasks from being scheduled for placement
Needs to be manually enabled with the line:
ECS_ENABLE_SPOT_INSTANCE_DRAINING=true in the /etc/ecs/ecs.config file
Other websites are illegally using photos hosted in your S3 bucket.
Photos are taking a long time to load
Solution:
Remove public read access from the S3 bucket
Use CloudFront to deliver the photos globally
Use signed URLs with expiry dates
Blocking the offending IP addresses of those illegally using the photos will not prevent other attackers using different IP addresses from doing the same thing