Design For New Solutions Flashcards
(30 cards)
To Manage temporary credentials for applications that run on EC2 instances
Associate an IAM role upon EC2 instance launch. The application retrieves the temporary credentials, which are stored in the EC2 instance metadata
Devs can only use approved AMIs for EC2 instances; latest security patches always installed on approved AMIs; checks are in place to verify AMIs used are approved; but don't stop devs from launching unapproved AMIs - just send a notification
AWS Systems Manager Patch Manager patch baselines
+
AWS Config Managed Rules
+
CloudWatch Alarms
Credentials kept in dedicated storage with lifecycle management and key rotation
AWS Secrets Manager
Grant users in Account B access to resources in Account A (e.g. S3 bucket)
- S3 bucket policy in account A must grant access to account B
- AWS KMS key policy in account A must grant access to the user in account B
- The AWS IAM policy in account B must grant user access to the bucket and the AWS KMS key in account A
Write IaC in AWS in familiar Python, TypeScript, JavaScript, Java, C#
use AWS CDK
then deploy with:
CodeCommit, CodeBuild, CodeDeploy, CodePipeline
CloudFront distribution; dynamic content set to go to ALB (in front of compute services); static content served from S3 using OAC; Getting error 404 - How to fix?
- Need 2 origins in the CloudFront distribution: 1 for dynamic content and a 2nd for static content, so create a second origin to serve the static assets
- Need to update CloudFront by creating a new behavior to forward requests for static assets to S3 based on path pattern
Mobile app;
store user data;
user data is small size (4 KB)
millions of users;
social login account for authentication
DynamoDB, web identity federation, STS, DynamoDB fine-grained access control for authentication and authorization
Need a system to check if EC2 instances are using approved AMIs. Don't prevent the dev team from using unapproved AMIs, but send a notification if an unapproved AMI is used
AWS Config Managed Rule to specify list of approved AMIs
sends config changes to an SNS topic to send notifications
Easily centrally manage and scale desktop applications and deliver them to any computer across the globe. No acquiring, provisioning, managing hardware needed. Simplify application delivery; Good for migration purposes also
Amazon AppStream 2.0
Expecting an increase in incoming traffic to website from across globe;
Can’t migrate to AWS in time;
Need ability to scale out fast;
Need to remain cost-effective
Launch CloudFront distribution;
Offload DNS to AWS for CloudFront traffic
Scalable, highly available, caching functionality, global content distribution network, lots of edge locations
CloudFront - securely delivers data, videos, applications, APIs globally with low latency and high transfer speeds
Document storage;
Create documents;
Secure;
accessible by external application;
Upload documents;
Version control;
Sharing documents
Collaborate on documents
Amazon WorkDocs and WorkDocs Content Manager
In memory data store
Popular for real-time uses like caching, session store, gaming, geospatial, real-time analytics, and queuing
Amazon ElastiCache
Sequence to authenticate an employee into AWS against Active Directory LDAP to get to specific S3 bucket
Create identity broker
Authenticate against LDAP using the identity broker in order to retrieve the name of an IAM role
Application retrieves federated user credentials via a call to IAM STS
Application gets the IAM role federated credentials from the identity broker to access the S3 bucket
Application assumes the role via a call to STS
CloudFormation DeletionPolicy
Snapshot - take a snapshot of the resource before deleting it
Retain - do not delete the specified resource when the rest of the CloudFormation stack is deleted
Build serverless architecture comprised of Lambda, API Gateway, and DynamoDB.
Plus needs a code pipeline for gradual deployment
AWS SAM (Serverless Application Model)
&
CodeBuild, CodeDeploy, and CodePipeline
Search feature needed for website for a large amount of books, articles, other written materials (i.e. 50 TB);
Amazon CloudSearch for a managed, cost-effective, scalable search solution for a website or application
Kinesis has storage backed by S3;
Every record retrieval, write, and delete on a Kinesis data stream incurs additional cost
Millions records/min
Worldwide user base
storage and retrieval of data where each record is less than 4 KB; low-latency retrieval time; data stored for 120 days only;
DynamoDB with proper scaling, enable DynamoDB TTL settings to delete records after 120 days
Automates patching managed instances with security and other updates - uses patch baselines.
AWS Systems Manager Patch Manager
AWS Systems Manager Automation
An IAM role attached to an EC2 instance retrieves temporary credentials from the instance metadata or user data?
From the instance metadata
Solution to protect against DDoS, SQL injection, cross-site scripting, other Layer 7 attacks
and
Notify for incoming Layer 3 & 4 attacks like SYN floods and UDP reflection attacks
AWS WAF & AWS Shield Advanced
Critical application;
CICD pipeline;
CloudFormation creates resources;
User data script downloads from S3
CloudFormation template update causes major downtime
How to fix for no downtime?
CodeBuild to auto test on a non-production environment
CloudFormation change sets to preview changes before applying to production
Blue/Green deployment pattern on CodeDeploy to deploy changes on separate environments and roll back quickly if needed
CloudFormation template that defines an EC2 Auto Scaling group so that when you update the launch template or launch configuration, this update action does not deploy any change across the running EC2 instances. However, all new instances will get the updated configuration, while existing instances will not
AWS::AutoScaling::AutoScalingGroup