DevOps Professional Flashcards

(241 cards)

1
Q

SQS: List of operations

A
AddPermission
ChangeMessageVisibility
ChangeMessageVisibilityBatch
CreateQueue
DeleteMessage
DeleteMessageBatch
DeleteQueue
GetQueueAttributes
GetQueueUrl
ListDeadLetterSourceQueues
ListQueues
ListQueueTags
PurgeQueue
ReceiveMessage
RemovePermission
SendMessage
SendMessageBatch
SetQueueAttributes
TagQueue
UntagQueue
2
Q

Can the cloudwatch agent monitor memory now?

A

Yes

3
Q

RDS Cross Region Replication Requirements

A

PostgreSQL 9.5.2 and above

PostgreSQL 9.4.7 and above

4
Q

Elasticache: Memcached Cluster configurations

A

Memcached clusters contain from 1 to 20 nodes across which you horizontally partition your data.

5
Q

Elasticache: Redis Cluster configurations

A

  • No Replication (Single Node)
  • Cluster Mode Disabled (Replicated, no Sharding/Partitioning)
  • Cluster Mode Enabled (Replicated with Sharding/Partitioning)
6
Q

RDS Single AZ IO Interruption

A

In a single-AZ RDS deployment there is an I/O interruption when creating:
* Read Replicas
* Snapshots
* Automated Backups

In a multi-AZ deployment these operations are performed against the secondary instead.

7
Q

ELB: Sticky Sessions

A

Use an AWSALB cookie:
. Load balancer generated
. Can't be modified by applications

Stickiness is configured at the target group level.

8
Q

EC2: Metrics that need an agent

A

Swap Space
Disk Space
Memory Used
& Others

9
Q

Cloudwatch: Alarm statuses

A

OK
ALARM
INSUFFICIENT_DATA

10
Q

EC2: Status Check Types

A

System: Monitor the AWS systems on which your instance runs.

Instance: Monitor the software and network configuration of your individual instance.

11
Q

VPC: AWS IP Reservations

A

. AWS reserves the first 4 IP addresses & the last IP address of every subnet.
. In 10.0.0.0/24, the following IPs are reserved:

10.0.0.0: network address
10.0.0.1: Reserved by AWS for the VPC router
10.0.0.2: Reserved by AWS. The IP address of the DNS server is always at the base of the VPC network range. However, the base of each subnet range is also reserved
10.0.0.3: Reserved by AWS for future use
10.0.0.255: Network broadcast address. AWS does NOT support broadcast in a VPC, therefore the address is reserved

12
Q

AWS Personal Health Dashboard

A

https://phd.aws.amazon.com

. Provides alerts & remediation guidance when AWS is experiencing issues that might impact customers

. Shows a personalized view of the performance & availability of the AWS services underlying your provisioned AWS resources

13
Q

EC2: Initialising Volumes

A

When restoring a volume from a snapshot, maximum volume performance is not achieved until all blocks on the device have been read.

Tools for this:
lsblk (list block devices to find the volume)
dd
fio

# read every block once, discarding the output
sudo dd if=/dev/nvme2n1 of=/dev/null bs=1M

sudo yum install -y fio
sudo fio --filename=/dev/nvme2n1 --rw=read --bs=128k --iodepth=32 --ioengine=libaio --direct=1 --name=volume-initialize

14
Q

AWS Inspector: Capabilities

A
  1. Security Best Practice
  2. Runtime behavior analysis
  3. Common vulnerability/exposure
  4. CIS Security Config Benchmark
15
Q

Direct Connect: Requirements

A

. Requires single-mode fiber
. 1 Gbps: 1000Base-LX (1310 nm)
. 10 Gbps: 10GBase-LR (1310 nm)

16
Q

EBS: Ensuring Durability

A

. By default, instance store & EBS ROOT volumes are not backed up
. They will not persist upon termination

. Instance store volumes cannot be stopped, so termination is the only option
. This is why EBS volumes are recommended

. How do we save the data on a root volume?

1/ Uncheck "Delete on Termination" in the console
  . Also a CLI parameter with run-instances

2/ Create a snapshot before deletion

3/ Create a separate volume & attach it to the instance
  . Attached (non-root) volumes persist when the instance is terminated

17
Q

EBS Metrics: Status Check

A

. Tests run every 5 minutes
. Returns: OK, warning, impaired, insufficient data
. User can change the result of the impaired response

18
Q

ELB: SSL Offloading

A

. In a highly available web application, we use load balancers to distribute traffic.
. Can also use the load balancers' elasticity & scalability in the HTTPS/SSL process
. Can improve the performance of the instances/applications by offloading SSL processing (encryption/decryption) to the load balancers

. Certificate Manager also integrates for certificate generation & management
. AWS will create an alias for the certificate
. Point to the target group
. Use the web security group

NOTE:

In Route 53 (after creating the certificate for SSL, etc.):

. Need to use the "naked" domain name (NO www in front of the domain name)

. Then point the "alias" to the load balancer

19
Q

SNS: Definition

A

Simple Notification Service

Push model (as opposed to the SQS pull model).
Create topics; messages sent to a topic are pushed out to all subscribers to that topic.
20
Q

SNS: Protocols

A
HTTP
HTTPS
Email
Email-json
Lambda
SQS
Application Platform
SMS
21
Q

Systems Manager: Description

A

AWS Systems Manager is a management service that helps you automatically collect software inventory, apply operating system patches, create system images, and configure Windows and Linux operating systems. Systems Manager can be used for EC2 instances, on-premises servers, and VMs. These capabilities help you define and track system configurations, prevent drift, and maintain software compliance of your EC2 and on-premises configurations.

22
Q

Lambda vs EC2: Use Cases

A

Use Lambda when you want to run code in response to events, such as:

1/ Changes to S3 buckets
2/ Messages in SQS queues
3/ Updates to DynamoDB tables
4/ CloudWatch Alarms
5/ Custom events generated by your applications or devices
23
Q

Systems Manager: Patch Manager

A
. Automates the process of patching managed instances with both security-related & other types of updates.
. You can use Patch Manager to apply patches for both the OS & applications.
24
Q

EC2: Hardware Virtualised Machines (hvm)

A
a/ Executes the master boot record of the root storage device
b/ The virtual hardware set allows for running an OS as if it were run on bare metal. The OS doesn't know it's virtualized
c/ No modification needed
d/ Can use hardware extensions, which provide fast access to host hardware: enhanced networking and CPU processing
25
EC2: ParaVirtualised Machines (pvm)
1/ Runs a special boot loader & then loads the kernel
2/ Can run on hardware that doesn't support virtualization
3/ No hardware extension support
4/ PV historically performed faster than HVM, but that is no longer the case
5/ PV has special drivers for networking & storage that used less overhead than an HVM instance trying to emulate the hardware. These drivers can now be run on HVM instances, making the performance of both types the same

NOTE: AWS recommends using HVM instances because the performance is the same as PV, and enhanced networking & GPU processing can be utilized when necessary.
26
CloudWatch Logs: Components
1/ Log Events: record of activities recorded by the monitored resource
2/ Log Stream: sequence of log events from the same source/application
3/ Log Group: a collection of log streams with the same access control, monitoring, & retention settings
4/ Metric Filters:
  . Assigned to log groups
  . Extract data from the group's log streams & convert that data into a metric data point
5/ Retention settings: period of time logs are kept. Assigned to log groups, but applied to ALL streams in the group.
27
VPC: Peering Limitations
. Can't peer VPCs with matching or overlapping CIDR blocks
. VPC peering connections are 1:1 between VPCs
. Transitive peering is NOT supported. However, a 3rd product (Transit Gateway) might help
. Only one peering connection between the same 2 VPCs
. Tags applied to the peering connection are only applied in the account & region in which you create them
. Security groups can't reference peer VPC security groups across regions
. IPv6 across regions is NOT supported
. DNS resolution for private hostnames must be enabled manually
  . If in different accounts, must be enabled in both accounts
28
RDS: Multi AZ Maintenance
Zero Downtime

. AWS will perform the following steps:
  . Perform maintenance on the standby
  . Promote the standby
  . Perform maintenance on the OLD primary DB, which is the standby now
29
EC2: Elastic IPs
. A public IP address that can be "moved"
. Enables instances without a public IP to become accessible from the internet

. GOOD to know:
  . EIPs are region specific
  . Do NOT support IPv6
  . 2-step process to implement: allocation & association
  . Upon association, any previous public IP is released (DNS hostname changes as well)
  . Can be disassociated & reassociated with another instance
  . 2-step process to remove: disassociate & release

. Customers are charged for:
  . Elastic IPs not associated
  . More than one Elastic IP on an instance
30
CloudTrail: Description
CloudTrail is a service we can use to log all the API calls in our account. API Calls include interaction from the console, AWS CLI, and SDKs. We can also create trails that we can analyze with CloudWatch Logs or third-party tools.
31
Systems Manager: Run Command
automate tasks across resources | e.g. software package installs
32
CloudHSM: Description
1/ Dedicated hardware security modules under your exclusive control
2/ FIPS 140-2 Level 3 compliance
3/ Designed to integrate with VPC
4/ Integrates with PKCS#11, Java JCE
5/ Can connect to CloudHSM from your on-premises datacenter using VPN or AWS Direct Connect
33
RDS: Read Replica notes
. If the option "Create Read Replica" is grayed out (disabled), you need to go to the DB & enable backups (default is 0 days --> aka backups disabled)
. Read Replicas can be cross-Region
. There is also an option in the config of a Read Replica to enable Multi-AZ
. Can also promote a Read Replica to standalone for disaster recovery (in case the Master becomes unavailable) --> choose "Promote" in the action menu
. Can have multiple Read Replicas to improve performance
34
Redshift: Description
The Amazon Redshift service manages all of the work of setting up, operating, and scaling a data warehouse. These tasks include provisioning capacity, monitoring and backing up the cluster, and applying patches and upgrades to the Redshift engine.
35
CloudTrail: Notes
1/ The last 90 days of event history is in "View ALL events"
2/ When you create a trail in ALL regions, it will create a trail in EACH region
3/ Always use the default to create a trail in ALL regions, so that if a new region launches, CloudTrail will automatically create a trail in that new region with the same settings as the original trail
4/ Set "Enable log file validation" to YES --> makes it impossible to edit, change, modify or delete the log without detection --> good for auditing/compliance
36
RDS: Multi AZ Failover Process
The process is automated by AWS:
1/ AWS detects an issue & starts the failover process
2/ DNS records are modified to point to the standby instance
3/ The application re-establishes any existing DB connections
The application requires no changes since the DNS name of the DB endpoint is the same.
37
Cloudfront: Components
ORIGIN:
  . The original version of your content
  . Can be an S3 bucket OR a web server
DISTRIBUTION:
  . Points edge locations & regional caches back to the origin
  . Configuration of logging, availability, and limitations
EDGE LOCATIONS:
  . The location of your cached objects, located all over the globe
  . Current total is 169 in 30 countries
REGIONAL EDGE CACHES:
  . Location of cached objects that are NOT frequently accessed
  . Current total is 11 in 30 countries
38
IAM: Groups
. Cannot be nested (group within a group)
. A user can be a member of multiple groups
. Should assign policies to groups, not individuals
39
VPC: Flow Log record syntax
. version
. account-id
. interface-id
. srcaddr
. dstaddr
. srcport
. dstport
. protocol
. packets
. bytes
. start
. end
. action
. log-status
40
Config: Capabilities
1/ Evaluate resource configuration for desired settings
2/ Get a snapshot of the current configurations associated with your account
3/ Retrieve configuration resources in your account
4/ Retrieve past configurations
5/ Retrieve notifications for creations, deletions, and modifications
6/ View relationships between resources (EX: members of security groups)
41
S3: Bucket Policy Elements
1/ Effect: defines whether to allow or deny the action
2/ Action: actions we want to allow or deny (GET, POST, ...). An implicit DENY will overwrite an explicit ALLOW
3/ Resource: used to identify resources (like a bucket or object) with Amazon Resource Names (ARNs)
4/ Principal: an account or user that this policy applies to. Specific to S3 bucket policies, not user policies
5/ SID (optional)
6/ Condition (optional): e.g. PutObject permission requiring objects to be stored using server-side encryption
42
EC2: HDD Volumes
. Somewhat deprecated (previous generation volume)
. Low cost storage or small volume sizes
. Volume size: 1 GiB to 1 TiB
. Burst capacity to hundreds of IOPS
43
ECS: Components
1/ Container:
  . Virtualization method allowing you to run applications in isolated processes
  . Contains all the downloaded software, code, runtime, system tools, & libraries
  . Packaged as read-only templates called Docker images
2/ Dockerfile:
  . Text file that specifies all the components needed in the container
  . The instructions for what will be placed inside a container
3/ Container Registry:
  . A repository where container/Docker images are stored & accessed
  . A container registry can be:
    . AWS Elastic Container Registry (ECR)
    . A third-party repository like Docker Hub
    . A self-hosted registry
4/ Task Definition:
  . JSON-formatted text file that contains the "blueprint" for your application:
    . Container image
    . Container registry
    . Ports that should be open on the instance
    . Data volumes
5/ Service:
  . Defines how to run & maintain a specified number of instances together
  . Optional load balancing
6/ Cluster:
  . Group of tasks or services on multiple EC2 or Fargate instances
7/ Fargate:
  . A "serverless" launch type that eliminates the need for explicit infrastructure. Think AWS Lambda for containers.
44
RDS: MultiAZ vs Read Replica
. Cannot send READs to a Multi-AZ standby (it is only a failover mechanism)
. However, a READ REPLICA helps with performance (offloads some computing capacity from the master/primary DB to the Read Replica so that the primary can focus on WRITEs)
. A READ REPLICA can also be used in disaster recovery situations & migrations
45
EBS: Snapshots
. Images or backups of EBS volumes
. Stored in S3 (charged based on the volume's total size)
. Exact copy of the original volume. If the volume is encrypted, the snapshot is also encrypted
. Incremental in nature, but a FULL volume can be restored from any snapshot. EX: if you have 5 snapshots & you delete the oldest one, you can still restore the whole volume from any of the 4 snapshots left.
46
AWS Service Health Dashboard
https://status.aws.amazon.com/

. Provides access to the current state and historical data about ALL AWS services. If there is a problem with a service, you can expand the appropriate line in the details section to get more information.
. You can subscribe to an RSS feed for any service
. There is a "CONTACT-US" link if you experience any real-time operational issue
. "STATUS HISTORY" shows outage issue details on a daily basis
47
SQS: Queue Attributes
1/ Default Visibility Timeout: 30 seconds, but can be anywhere from 0 seconds to 12 hours
2/ Message Retention Period: default 4 days, but can be from 1 minute to 14 days. The amount of time the message remains in the queue before it gets deleted.
3/ MAX message size: 255 KB
4/ Delivery delay: from 0 seconds to 15 minutes
5/ Receive message wait time: 0 to 20 seconds. The amount of time that the application will wait for a message before returning an empty response.
48
CloudWatch: Metrics Retention Periods
1/ 1-minute metrics (detailed monitoring) available for 15 days
2/ 5-minute metrics (standard) available for 63 days
3/ 1-hour metrics available for 455 days
49
EFS: Deployment & Provisioning
. Highly available, scalable file system:
  . Spans multiple AZs
. Throughput for parallel workloads: big data, analytics, media processing, content management, web serving
. Shared data store that can be mounted to multiple EC2 instances or on-premises servers:
  . For on-premises servers, use AWS Direct Connect or AWS VPN
. Linux only, Windows is NOT supported
. TWO performance modes:
  1/ General Purpose (bursting mode?): most file system needs
  2/ MAX I/O: cases where hundreds or more instances access the file system. Scales throughput & IOPS (slightly higher latency)
. Bursting:
  . Burst to 100 MiB/s for any size file system
  . Larger than 1 TB = bursting 100 MiB/s per TB of data stored
  . Credit system: earns credits at 50 MB/s per TB of data stored
. Security groups should be used to control NFS traffic
  . Use the EC2 security group as the source
. Supports encryption at rest & in transit
. Storage classes & lifecycle management:
  . Standard
  . Infrequent Access (IA)
  . Lifecycle management automatically moves files not accessed for 30 days to IA
50
OpsWorks: Description
OpsWorks is a service that uses Chef cookbooks developed in the Ruby language. It allows us to manage our application in layers. We can use recipes to affect our layers at various lifecycle events in an application's deployment.
51
EC2: Reserved Instances
. Can be an effective method of saving money if long-term compute capacity is needed (12 or 36 months)
. They can also reserve capacity for us in case of an Availability Zone or region shortage of on-demand instances
. Standard reserved instances, OR scheduled reserved instances for batch jobs, offer discounted reserved capacity
52
EC2: HDD Volumes
Throughput Optimized HDD volumes (st1):
. Not supported as a boot device
. Ideal for frequently accessed & throughput-intensive workloads
. Volume size 500 GiB to 16 TiB
. MAX throughput = 500 MB/s
. Burst bucket:
  . Credits gained at 40 MB/s per TiB
  . Credit capacity = 1 TiB
  . MAX burst = 500 MB/s (volume size 2 TiB and larger)

Cold HDD volumes (sc1):
. Not supported as a boot device
53
IAM: Web Identity Federation
1/ Authenticate with an ID provider (FB, Google, Amazon, ...)
2/ Obtain a temporary security credential (token) from that provider
3/ Call AssumeRoleWithWebIdentity to exchange that token
4/ Receive a temporary set of AWS credentials
54
Trusted Advisor: Description
Can help you reduce costs, increase performance, and improve the security of your AWS environments. It provides real-time guidance to help provision resources following AWS best practices.
1/ Cost Optimization
2/ Performance
3/ Security
4/ Fault Tolerance
5/ Service Limits
55
AWS Config: Description
AWS Config is a service we can use to evaluate the configurations of our resources. It records all the details, including relationships between resources. This can be very helpful in troubleshooting situations. We can also create a set of rules for evaluating our resources. When a resource is non-compliant with our set rules, AWS Config will let us know.
56
EBS: Cost Optimisation
1. EBS volumes cost money even when not in use.
2. Take a snapshot before deleting the volume if you want to keep the data. Snapshot storage is cheaper.
3. Provisioned IOPS costs more. Make sure you do not provision more than needed.
4. Downsize volumes that aren't anywhere near full capacity.
57
SQS: Dead Letter Queue
. An SQS queue configured to receive messages from another queue (aka the "source queue")
. The dead letter queue receives messages after a number of receive attempts has been reached
. Provides the ability to isolate messages that couldn't be processed so that they will not be lost
58
Glacier: Terminology
1/ Archive:
  . A durably stored block of information
  . TAR & ZIP are common formats used to aggregate files
  . Total volume of data & number of archives are unlimited
  . Each archive can be up to 40 TB
  . Largest single upload is 4 GB (use multipart upload above 100 MB)
  . Archives can be uploaded and deleted, but not edited or overwritten
2/ Vault:
  . Way to group archives together
  . Control access using vault-level access policies using IAM
  . SNS notifications are available for when retrieval requests are ready for download
3/ Vault lock:
  . Lockable policy to enforce compliance controls on vaults
  . Vault lock policies are immutable (once created, cannot change)
59
RDS: Aurora Serverless
. On-demand auto scaling configuration for Aurora
. No instances to manage
. Charged on a per-second basis
60
Storage Gateway: Description
For hybrid environments, ones that include some sort of on-premises infrastructure, AWS provides services to assist with data durability. Storage Gateway provides us a way to back up and even migrate to the cloud. It has three main types, and they all include some sort of on-premises component.
61
Glacier: Vault Lock Process
. You have 24 hrs to validate the newly created vault policy & complete the lock process.
. Use those 24 hrs to test the policy and make sure everything works as expected before completing the process, because once it's locked the policy cannot be changed.
. After 24 hrs the lock ID will expire & your in-progress policy will be deleted.
. Copy the lock ID to a safe place, as you need the ID to complete the lock process.
62
IAM Role: Use with AWS Services
1/ A role must be used because a policy cannot be directly attached to an AWS service
2/ A service can have only ONE role attached at a time
3/ Never PASS or STORE credentials on an EC2 instance; use a ROLE instead
EX: an EC2 instance needs to read data from an S3 bucket. The instance "assumes" a role with S3 read-only access from IAM. The instance can then read objects from the bucket.
63
OpsWorks: Recipes
. Created using the Ruby language & based on the CHEF deployment software
. Custom recipes can customize different layers in an application
. Recipes are run at certain predefined events within a stack:
  a/ SETUP: occurs on a new instance after its first boot
  b/ CONFIGURE: occurs on ALL stack instances when they enter or leave the online state
  c/ DEPLOY: occurs when we deploy an app
  d/ UNDEPLOY: happens when we delete an app from a set of application instances
  e/ SHUTDOWN: happens when we shut down an instance (but before it's actually stopped)
64
EBS: Changing Volume Size
The MANUAL method:
1/ Modify the EBS volume
2/ Extend the partition to fill the available space
3/ Expand the filesystem in the resized partition
NOTE: commands for Nitro-based instances (e.g. t3.micro) are different from the ones for T2 instances

The AUTOMATED method:
1/ Create a new launch configuration for the Auto Scaling group. Make sure to copy "user data" over to the new configuration
2/ Point the group to the new launch configuration
3/ Terminate instances in the Auto Scaling group one at a time, so that the new configuration replaces each terminated instance with a bigger EBS volume for higher IOPS
65
RDS: MultiAZ Deployment
. The application can talk only to the RDS Master
. Synchronous replication to the other AZ for failover
. Helps to shorten the downtime in case the Master fails
. NOT used to improve performance (fault tolerance only)
. Can turn on Multi-AZ through the AWS console or API
. AWS automatically handles replication
. Replication can cause higher write latency
. Using Provisioned IOPS is recommended
66
EBS: Burst Buckets
. Allows an EBS volume to "burst" above the baseline performance
  a/ Volumes earn "credits"
  b/ Credits are then spent whenever the volume needs more performance
  c/ There is a MAX number of credits
. Not available for Provisioned IOPS SSD (io1)
. Reported as the "BurstBalance" metric in CloudWatch
. Join multiple gp2, io1, st1, or sc1 volumes together in a RAID 0 configuration (stripe set) to use the available bandwidth, improving throughput.
67
S3: Storage Classes
1/ Standard
  . Objects get replicated across at least 3 AZs
  . Most expensive storage class, BUT no minimum object size and no retrieval fee
2/ Intelligent-Tiering
  . Same performance characteristics as Standard
  . Observes the access pattern & moves objects across the tiers
3/ Standard-IA
  . Infrequent access for important objects, BUT immediate retrieval is required
  . Replicated across at least 3 AZs
  . 30-day minimum storage charge per object
  . 128 KB minimum storage charge
  . Object retrieval fee
4/ One Zone-IA
  . For non-critical, reproducible objects (images for a web application, or dynamically resized images)
  . 99.5% availability
  . Replicated within only ONE AZ
  . SAME minimum charges as Standard-IA
5/ Glacier
  . Long term for archival objects
  . NOT for hot backup, as restore can take from several minutes to hours
  . 99.99% availability
  . Replicated across > 3 AZs
  . 90-day minimum charge per object
  . 40 KB minimum storage charge
  . Object retrieval fee
68
EC2: Instance status check
This is something that you can control.

Reasons for failure:
1/ Failed system status check
2/ Incorrect networking or setup configuration
3/ Exhausted memory
4/ Corrupted file system
5/ Incompatible kernel

Solutions:
1/ Make instance configuration changes
2/ Reboot the instance
69
S3: Bucket Policy gotchas
1/ When working at the object-level permissions (PutObject, GetObject, DeleteObject), add /* at the end of the bucket's ARN so the permission applies to ALL objects in the bucket
2/ Make sure to turn OFF "Block all public access" if you want to apply a public-access policy to the bucket
70
WAF: Rule Types
a/ IP addresses
b/ HTTP headers
c/ HTTP body
d/ Uniform Resource Identifier (URI) strings (query strings from the URL)
e/ SQL injection
f/ Cross-site scripting (XSS)
71
WAF: Service Integrations
a/ CloudFront
b/ API Gateway
c/ Application Load Balancer
72
ELB: Application Load Balancer
. Works at the application layer (7)
. Content-based routing:
  . Path-based routing: forwards based on the URL in the request. /dev & /prod can route to different target groups
  . Host-based routing: forwards based on the Host field of the HTTP header. dev.mysite.com & prod.mysite.com can route to different target groups
. Routes to IP addresses, including outside the VPC (on-premises)
. Routes to microservices (allows dynamic port mapping)

MONITORING:
. CloudWatch metrics: ActiveConnectionCount, HealthyHostCount, HTTP code totals, etc.
. Access logs: sends detailed request information to S3
. Request tracing: a header is added that includes a trace identifier for requests
. CloudTrail logs: records API activity

NOTE:
. Dualstack (both IPv4 & IPv6)
. Target types:
  . Instance
  . IP (can be on-premises IP addresses as well)
  . Lambda function
. BEST PRACTICE: use an Auto Scaling group to create instances (create the ELB, then create the Auto Scaling group, then associate the Auto Scaling group with the ELB)
73
S3: Cross Region Replication
. It's a bucket-level configuration
. Enables automatic, asynchronous (a little delay depending on object size) copying to a bucket in a different region
. Objects are replicated only once (i.e. this is NOT a sync process, it's just a copy process)
. The following are retained by default:
  a/ Storage class
  b/ Object names
  c/ Owners
  d/ Permissions
74
RDS: Reserved Instances
. Reserved capacity is also available for AWS RDS instances & ElastiCache nodes
. New generations of Reserved Cache Nodes only offer Heavy Utilization nodes, while older generations offer Heavy, Medium, and Light Utilization
75
Elasticache: Reserved Instances
. Reserved capacity is also available for AWS RDS instances & ElastiCache nodes
. New generations of Reserved Cache Nodes only offer Heavy Utilization nodes, while older generations offer Heavy, Medium, and Light Utilization
76
Elastic Beanstalk: Deployment Options
1/ ALL at Once: deploys the new version to all instances simultaneously. All instances in your environment are out of service for a short time while the deployment occurs
2/ BLUE/GREEN: deploys the new version to a separate environment, then swaps the CNAMEs of the 2 environments to redirect traffic to the new version instantly
3/ Rolling: Beanstalk splits the environment's EC2 instances into batches & deploys the new version of the application to one batch at a time
77
EC2: EIP & ENI
. When detaching & re-attaching an Elastic Network Interface from an instance, the attributes (security groups & IP addresses) travel with the ENI
. DIFFERENCE between EIP & ENI:
  . An EIP replaces the whole public IP
  . An ENI does the same, BUT it replaces the WHOLE network interface: when you move an ENI around, not only the EIP follows, but also the security groups and other attributes as well
78
VPC: Default VPC Configuration
. Size /16 CIDR block (172.31.0.0/16)
. Default subnet in each AZ using a /20 subnet mask
. Internet Gateway
. Main route table sending all IPv4 traffic for 0.0.0.0/0 to the internet gateway
. Default security group allowing all traffic
. Default network ACL (NACL) allowing all traffic
. Default DHCP option set
79
Cloudwatch Events: Event
. Similar to alarms
. Instead of configuring thresholds & alarming on metrics, CloudWatch Events match event patterns & use targets to react
. Near real-time
80
CloudFormation: valid values for AWS::S3::Bucket::AccessControl
Private, PublicRead, PublicReadWrite, AuthenticatedRead, LogDeliveryWrite, BucketOwnerRead, BucketOwnerFullControl, or AwsExecRead
81
S3: Default Bucket Limits
100 per account. Can be increased by AWS Support.
The limit is not regional; S3 is a global service.
82
Cloudwatch: Metrics default retention periods
. Data points with a period of less than 60 seconds are available for 3 hours. These data points are high-resolution custom metrics.
. Data points with a period of 60 seconds (1 minute) are available for 15 days
. Data points with a period of 300 seconds (5 minutes) are available for 63 days
. Data points with a period of 3600 seconds (1 hour) are available for 455 days (15 months)
83
DynamoDB: Table Creation Limits
CANNOT create more than one table with a secondary index at a time.
84
Cloudwatch Logs: Default Retention Period
By default, logs are kept indefinitely and never expire. You can adjust the retention policy for each log group, keeping the indefinite retention, or choosing a retention period between 10 years and one day.
85
APIGateway: Default DNS Name Format
https://api-id.execute-api.region.amazonaws.com/stage
86
S3: Static Website Name Format
[Bucketname].s3-website-[region].amazonaws.com
87
CodeDeploy: Lambda deployment options
Canary: Traffic is shifted in two increments. You can choose from predefined canary options that specify the percentage of traffic shifted to your updated Lambda function version in the first increment and the interval, in minutes, before the remaining traffic is shifted in the second increment.

Linear: Traffic is shifted in equal increments with an equal number of minutes between each increment. You can choose from predefined linear options that specify the percentage of traffic shifted in each increment and the number of minutes between each increment.

All-at-once: All traffic is shifted from the original Lambda function to the updated Lambda function version all at once.
88
S3: Bucket Name Restrictions
- Bucket names must be between 3 and 63 characters long.
- Bucket names can consist only of lowercase letters, numbers, dots (.), and hyphens (-).
- Bucket names must begin and end with a letter or number.
- Bucket names must not be formatted as an IP address (for example, 192.168.5.4).
- Bucket names can't begin with xn-- (for buckets created after February 2020).
- Bucket names must be unique within a partition. A partition is a grouping of Regions. AWS currently has three partitions: aws (Standard Regions), aws-cn (China Regions), and aws-us-gov (AWS GovCloud [US] Regions).
- Buckets used with Amazon S3 Transfer Acceleration can't have dots (.) in their names. For more information about transfer acceleration, see Amazon S3 Transfer Acceleration.
89
SQS: Short Polling
Short polling is when WaitTimeSeconds is set to zero in either of these ways:
- The ReceiveMessage call sets WaitTimeSeconds to 0.
- The ReceiveMessage call doesn't set WaitTimeSeconds, but the queue attribute ReceiveMessageWaitTimeSeconds is set to 0.
90
SQS: Maximum Long Poll Wait Time
20 Seconds
91
SQS: Default MessageRetentionPeriod
4 Days is default for all SQS Queues. Range of values is 1 minute to 14 days.
92
SQS: Default VisibilityTimeout
30 seconds
93
DynamoDB: Table limits
256 DynamoDB Tables per Region
94
DynamoDB: Index limits per table
20 Global Secondary Indexes | 5 Local Secondary Indexes
95
DynamoDB: 1 WCU
For items up to 1 KB in size, one WCU can perform one standard write request per second.
96
DynamoDB: 1 RCU
For items up to 4 KB in size, one RCU can perform one strongly consistent read request per second.
For items up to 4 KB in size, one RCU can perform two eventually consistent read requests per second.
Transactional read requests require two RCUs to perform one read per second for items up to 4 KB.
97
DynamoDB: Limits (API)
1) Up to 10 ReadTable, UpdateTable, and DeleteTable actions running simultaneously
2) A single BatchGetItem can get a max of 100 items (must be < 16mb in size)
3) A single BatchWriteItem can contain up to 25 PutItem OR DeleteItem requests (16mb)
4) Query and Scan result sets are limited to 1mb of data per call.
* NOTE: LastEvaluatedKey in the response can be used to retrieve more data
98
S3: Bucket Policies
1) Resource-based policy
2) Created via JSON
3) Can grant other AWS accounts or IAM users permissions for the bucket/object
4) SHOULD be used to manage cross-account permissions for all S3 permissions
5) Limited to 20kb in size
99
SQS API: "ReceiveMessageWaitTimeSeconds"
1) Enable long polling on a queue (change default) | 2) If value > 0
100
DynamoDB: Streams
Use to take actions on DynamoDB table changes with Lambda or other services.
101
DynamoDB: Scans
1) Reads every item in a table and is operationally inefficient
2) Looks for all items and attributes in a table by default
102
AWS Import/Export: Description
Mail your own devices to AWS data centers and they will upload the data for you
103
Cognito: Sync
1) Sync data across mobile devices and the web | 2) Client libraries cache data locally
104
SNS: Items in message body
1) Message
2) MessageID
3) Signature
4) SignatureVersion
5) SigningCertURL
6) Subject
7) Timestamp
8) TopicARN
9) Type
10) UnsubscribeURL
105
Step Functions: Description
Coordinate the components of distributed applications using visual workflows
106
Step Functions: Task States
Task states can be:
- An activity - such as an EC2 or ECS process
- A Lambda function
107
SNS: Message Data - MessageId
1) Universally Unique Identifiers (UUID) | 2) Same ID must be used for retries
108
S3: Performance Issue with sequential keys
ISSUE: Using sequential object names causes writes to the same partition (overloading I/O). The object key is used to decide which partition the key is stored in.
SOLUTION: Introduce randomness by using a hash prefix:
- use a hash (like MD5)
- pick a specific number of characters from that hash to use as the prefix, or find another way to introduce random characters at the start of an object name (e.g. a reversed ID)
No longer required really. Depends on age of exam questions.
109
EFS: Description
Elastic File System
- Expands and contracts to meet capacity requirements
- Can be attached to multiple EC2 instances simultaneously
- Must be set up after an instance is launched
110
S3: Error 404
Error 404 = Not found
1) Bucket does not exist
2) Key does not exist
111
S3: Choosing a region
Choose a region for:
1) Optimized latency
2) Minimized cost
3) Addressing regulatory requirements
112
DynamoDB: Read throughput with Local Secondary Index
1) Uses the same read/write capacity as the parent table
2) IF you read only index keys and projected attributes, then calculations are the same as for the table (calculate using the size of the index entry)
3) IF queried attributes are NOT projected attributes or keys, you get extra latency and read capacity cost
* NOTE: You use read capacity from the index and for every item fetched from the table
113
SNS: Access Control Policy
1) The AWS account owner has the only permissions by default
2) ALLOWS override default DENIES
3) Explicit DENIES override ALLOWS
4) Order of policies does NOT matter
5) Can grant access to another account via the API call "AddPermission"
114
Autoscaling: Scale in default termination policy
Before Amazon EC2 Auto Scaling selects an instance to terminate, it first determines which Availability Zones have the most instances, and at least one instance that is not protected from scale in. Within the selected Availability Zone, the default termination policy behavior is as follows:
1. Allocation Strategy (Spot, On Demand etc)
2. Oldest Launch Config
3. Closest to next billing hour
https://docs.aws.amazon.com/autoscaling/ec2/userguide/as-instance-termination.html#default-termination-policy
115
Cloudformation: cfn-init
The cfn-init helper script reads template metadata from the AWS::CloudFormation::Init key and acts accordingly to:
- Fetch and parse metadata from AWS CloudFormation
- Install packages
- Write files to disk
- Enable/disable and start/stop services
116
CloudTrail: validate-logs
Validates logs for a given period of time. It will detect:
- deletion or modification of log files
- deletion or modification of digest files
https://docs.aws.amazon.com/cli/latest/reference/cloudtrail/validate-logs.html
117
SMS (Server Migration Service): Supported Platforms
- VMware vSphere
- Azure VMs
- Hyper-V
- Not physical servers
118
IAM: PassRole
Used to pass roles to other services that might need them. For example, to pass a role with permissions to manage EC2 instances to an Auto Scaling group (this is often created by default). Likewise (presumably) PassRole is required for a user configuring the execution and task roles for ECS.
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html
119
DynamoDB: Can you reduce the number of partitions?
No. Be very careful not to set throughput too high by accident, as it will create too many partitions. Credits are split between partitions, and hot partitions create problems. If this happens, you have to export and reimport into a new table to sort it out.
120
Cloudformation: cfn-hup
The cfn-hup helper is a daemon that detects changes in resource metadata and runs user-specified actions when a change is detected. This allows you to make configuration updates on your running Amazon EC2 instances through the UpdateStack API action.
121
ElasticBeanstalk: Dockerrun.aws.json
Create a Dockerrun.aws.json file to deploy a Docker image from a hosted repository to Elastic Beanstalk.
122
ElasticBeanstalk: ApplicationVersion
Elastic Beanstalk creates an application version whenever you upload source code. This usually occurs when you create an environment or upload and deploy code using the environment management console or EB CLI. Elastic Beanstalk deletes these application versions according to the application's lifecycle policy and when you delete the application.
123
ElasticBeanstalk: Order of precedence for configuration
1) Settings applied directly to the environment
2) Saved Configurations
3) Configuration Files (.ebextensions)
4) Default Values
Configuration files are executed in alphabetical order. For example, .ebextensions/01run.config is executed before .ebextensions/02do.config.
124
AutoScaling: complete-lifecycle-action
Completes the lifecycle action for the specified token or instance with the specified result.
https://docs.aws.amazon.com/cli/latest/reference/autoscaling/complete-lifecycle-action.html
125
CodeCommit: Prevent push to certain branches
https://docs.aws.amazon.com/codecommit/latest/userguide/how-to-conditional-branch.html
126
ELB: SSL Certificate Limits
25 on an NLB | 25 on an ALB
127
AWS Credential Provider Chain
1) Environment Variables
2) Application System Properties (e.g. Java)
3) Web Identity Token
4) Default Credentials File (~/.aws/credentials)
5) ECS Container Credentials
6) EC2 Instance Profile Credentials
128
EC2: Instance Profile
An instance profile is a container for an IAM role that you can use to pass role information to an EC2 instance when the instance starts.
129
OpsWorks: Deployments (& Commands?)
Deployments are a set of operations that you can use to manage your apps, such as deploying an app to a set of app server instances, or to run a command on some or all instances in the entire stack, such as updating packages.
130
Opsworks: App
An app represents code stored in a repository that you want to install on application server instances.
131
OpsWorks: Instances
An instance represents a server. It can belong to one or more layers, which define the instance's settings, resources, installed packages, profiles and security groups. When you start the instance, OpsWorks uses the associated layer's blueprint to create and configure a corresponding EC2 instance.
132
OpsWorks: Layer
A layer is a blueprint for a set of Amazon EC2 instances. It specifies the instance's settings, associated resources, installed packages, profiles, and security groups. You can also add recipes to lifecycle events of your instances, for example: to set up, deploy, configure your instances, or discover your resources
133
OpsWorks: Stack
A stack represents a collection of EC2 instances and related AWS resources that have a common purpose and that you want to manage collectively. Within a stack, you use layers to define the configuration of your instances and use apps to specify the code you want to deploy.
134
OpsWorks: Components
```
Stack
Layer
Instances
App
Deployments (maybe)
```
135
ElasticBeanstalk: Format for .ebextensions files
YAML or JSON
136
AWS::CloudFormation::WaitCondition
For EC2 and Auto Scaling, CreationPolicy and cfn-signal are preferred instead. Can be used to wait inside a CloudFormation script, for up to 12 hours. The WaitConditionHandle returns a signed URL which can be used to pass a signal to.
137
EC2:CreationPolicy
Associate the CreationPolicy attribute with a resource to prevent its status from reaching create complete until AWS CloudFormation receives a specified number of success signals or the timeout period is exceeded. To signal a resource, you can use the cfn-signal helper script or SignalResource API. AWS CloudFormation publishes valid signals to the stack events so that you track the number of signals sent.
138
EC2 Autoscaling Instance States lifecycle hooks
```
Pending
Pending: Wait
Pending: Proceed
In service
Terminating
Terminating: Wait
Terminating: Proceed
Terminated
```
https://docs.aws.amazon.com/autoscaling/ec2/userguide/lifecycle-hooks.html
139
ElasticBeanstalk: 4 main components of the elastic beanstalk workflow
1) Create Application
2) Upload Version
3) Launch Environment
4) Manage Environment
140
AutoScaling: Can a Launch Configuration be used by multiple autoscaling groups
Yes
141
AutoScaling: When creating a group you must specify one of:
- launch template
- launch configuration
- EC2 instance
142
CloudFormation: When creating EC2 and AutoScaling resources what is usually preferred to a WaitCondition
CreationPolicy
143
CloudFormation: What happens during a WaitCondition create
When AWS CloudFormation creates a wait condition, it reports the wait condition’s status as CREATE_IN_PROGRESS and waits until it receives the requisite number of success signals or the wait condition’s timeout period has expired.
144
CloudWatch: Container for Metrics
Namespace
145
OpsWorks: Three types of instance type
- Time Based
- Load Based
- 24/7
146
OpsWorks: The 5 lifecycle events
```
Setup
Configure
Deploy
Undeploy
Shutdown
```
147
SQS: API SendMessage
1) Send message to a queue | 2) Can be used to set the message "delay", as well as message attributes, and the message body
148
S3: Disabling Versioning
1) Once enabled, versioning cannot go back to an un-versioned state
2) You can "suspend" versioning
- New objects have an ID of NULL
- Already versioned objects don't change
149
HTTP 403
Error 403 = Forbidden (no access)
1) Access denied
2) Caused by a role, security group or ACL issue
150
Identity store list (for federation)
1) Facebook
2) Active Directory
3) Google
4) Amazon
151
S3: Bucket Permissions
1) Resource-based policies
2) Specify who is allowed to access
3) What the user can do with those resources
4) AWS gives full permission to the owner of a resource (bucket, object)
5) Resource owners grant access to others, even cross-account
* NOTE: The bucket owner paying the bills can deny access to/modify objects regardless of who owns them
152
SWF: Domains | Simple WorkFlow
1) A domain is used to help determine the scope of workflows
2) Multiple workflows can live in a domain
3) Workflows cannot interact with workflows in OTHER domains
153
S3: AWS Limits/Restrictions
1) An AWS account can have up to 100 S3 buckets
2) No limit on the number of objects
3) Bucket name must:
- Be a min of 3 characters and a max of 63
- Contain only lowercase letters, numbers, periods & hyphens
- Start with a letter or number
- Not have periods & hyphens following each other
- Not be an IP address
- Comply with DNS naming rules
154
SNS: Push Notification Setup Process (mobile)
1) Needs a device token
2) There are Device Tokens and Registration IDs, depending on the mobile platform
3) Request credentials from the mobile platform
4) Request a token from the mobile platform
5) Create a platform application object
6) Create a platform endpoint object
7) Publish a message to the mobile endpoint
155
SQS: Short Polling
1) Returns results immediately, even if the queue is empty | 2) It only checks a subset of servers, which can cause false empty responses
156
SNS: Subscribers
1) Subscribe to a topic to receive published messages
2) Subscribers are end-points and include:
- Mobile apps
- Web servers
- Email addresses
- Amazon SQS queues
- HTTP/HTTPS endpoints
- AWS Lambda
- SMS (text messages)
157
Lambda: Execution Duration
Lambda execution duration: the maximum length of time the function can run
- Up to 300 seconds in 1 second increments
- Up to 900 seconds in 1 second increments (as of 2019 sometime)
158
DynamoDB: Exceeding Throughput
1) Requests exceeding the allocated throughput may be throttled
2) With Global Secondary Indexes, all indexes must have enough write capacity OR the write might get throttled (even if the write doesn't affect the index)
3) You can monitor throughput in the AWS Console
159
S3: Error 409
Error 409 = Conflict
1) S3 bucket already exists
2) Bucket is not empty (when trying to delete)
3) Bucket name already taken
160
DynamoDB: Granting temporary access
1) IAM roles
2) Web Identity Federation (enterprise or web)
3) Amazon Cognito
Example: A mobile app needs to store user info
161
S3: Encryption (options)
1) Protect data "in transit"
- Use SSL or client-side encryption
2) Protect data at rest
- Request that AWS S3 encrypt the data
162
AWS: Edge Locations
Contain no AWS services | - Used for caching static content
163
DynamoDB: KEYS_ONLY
Projection Type | 1) Only the index and primary keys are projected (smallest index, more performant)
164
Fn::GetAtt
- Get Attribute
- A CloudFormation intrinsic function
- Returns the value of an attribute from a resource in your CloudFormation template
- Frequently used to get things like a name or ARN
165
S3: Objects Facts & Numbers
1) Size: 0 bytes - 5 TB
2) Objects larger than 5 GB require the multi-part upload API
3) Multi-part uploading is recommended for ALL files larger than 100mb
4) Objects can be encrypted before being saved to disk AND decrypted when downloaded
166
ElasticBeanstalk: Supported Languages & Services
- Packer Builder
- Single/Multi Container Docker
- Preconfigured Docker
- Go
- Java SE
- Java with Tomcat
- .NET on Windows Server with IIS
- Node.js
- PHP
- Python
- Ruby
167
CloudFormation: Ref
Ref (CloudFormation)
- CloudFormation intrinsic function
- Returns a value you can use to refer to the provided parameter or resource
168
CloudWatch: Key Words / Parts
```
Events (now EventBridge)
Metrics
Alarms
Logs
Rules (Event Patterns & Scheduled Events?)
```
169
SNS: Message Data
1) JSON-formatted key-value pairs
2) Allows developers to grab the message data and parse it
3) POSTs to http/s endpoints with specific headers
4) Allows developers to verify the authenticity of the message
170
DynamoDB: Atomic Counters
1) Allows you to increment or decrement the value of an attribute without interfering with other write requests
2) Requests are applied in the order that they were received
3) Updates are NOT idempotent: the value is updated each time the request is called
171
DynamoDB: Conditional Writes
1) Is idempotent
2) Helps coordinate writes
3) Checks for a condition before proceeding with the operation
4) Supported for PutItem, DeleteItem, UpdateItem
5) Specify conditions in "ConditionExpression": can contain attribute names, conditional operators, and built-in functions
6) A failed conditional write returns "ConditionalCheckFailedException"
172
SWF: Workers
```
Any component that does something for a workflow (like an instance encoding a video, or a person checking inventory)
Workers can be:
- EC2 instances
- Other compute solutions
- Or real human people doing something
```
173
SQS: Standard Queues
- Offer best-effort ordering (not guaranteed first-in-first-out like FIFO queues)
- May deliver messages more than once
174
DynamoDB: Write Throughput with local secondary indexes
1) Adding, updating, or deleting an ITEM in a table also costs write capacity to perform the action on the local index
2) New ITEM / Update ITEM = one write operation in the index
3) If you change the value of an indexed key attribute = two writes
4) Delete = one write
175
SQS: Message Retention Period
1) Amount of time a message will "live" in a queue if it is NOT deleted
2) 1 minute - 14 days
176
DynamoDB: Limits (size)
1) 265 tables per region (increase on request)
2) Partition key length: 1 byte - 2048 bytes
3) Sort key length: 1 byte - 1024 bytes
4) Item size: 400kb including attribute name & value
177
S3: MultiPart upload advantages
1) Parts can be uploaded independently, in any order, and in parallel
2) If any part fails to upload, you can retransmit that part
3) You can pause/resume uploads
4) You can upload objects as they are being created
5) The object is reassembled after calling the "CompleteMultipartUpload" API
178
SQS: Limitations
1) Message Size: 256kb of text (any format) | 2) Up to 120,000 "in-flight" messages
179
S3: GET intensive workloads
1) Use random object prefixes to improve partition distribution
2) Use CloudFront
- Distributes content with lower latency & high transfer rate
- Caches objects
- Fewer direct requests to S3
180
CloudFormation: Conditions
1) Check values before deciding what to do
2) Allows you to create different resources in the same template depending on the condition value
Example: Create different environments for production or dev
181
SQS: ReceiveMessageWaitTime
1) If set to > 0, long polling is enabled
2) It is the maximum amount of time a long polling call will wait for a message to become available before returning empty
3) Limits: 0-20 seconds
182
SQS: Visibility Timeout
1) It is used to block other components from processing a message
2) You can choose what the timeout is, and you can extend it
3) Can be controlled via the SQS API
4) Limits: 0-12 hours
183
Lambda: Handler Format
```
Example - A function called run in the handler.py file would have a handler of:
handler.run
The function has signature (event, context), which are both maps / dictionaries.
```
184
S3: ACLS
1) Used for both buckets & objects
2) Grant read/write permissions to other AWS accounts
3) You cannot grant conditional permissions
4) You cannot explicitly deny permissions
5) An object ACL is the only way to manage access to objects not owned by the bucket owner
6) Uses XML format
185
SWF: Activity Task
1) A task assigned to a worker such as encode a video OR check inventory
186
SNS: Message Data - TopicARN
ARN = Amazon Resource Name | 1) ARN for the topic that this message was published to
187
Lambda: DLQ
DLQ == Dead Letter Queue
Can be set up to send information on failed Lambda function executions and the input data that caused them
1) Queues that other queues can send messages to when those messages could not be successfully processed
2) You can then analyze those messages
188
S3: Events
S3 can be set up to send events to SNS/Lambda when things happen:
- Object uploads
- Lost objects (from Reduced Redundancy Storage)
189
API Gateway: Methods
- HTTP Methods like GET, PUT, POST, DELETE | - Also a AWS-provided catchall 'ANY' method
190
S3: Static Site URL format
1) Every static site in an S3 bucket receives its own URL:
bucket-name.s3-website.region.amazonaws.com
OR
bucket-name.s3-website-region.amazonaws.com
191
Lambda: Context Object
Allows you to get context on the running function, such as:
- time remaining in the function execution
- the request id of the function execution
192
AWS: Template Version
CloudFormation: AWSTemplateFormatVersion
Specifies the format version of the CloudFormation template you want to use. Currently, there is only one version: "2010-09-09"
193
S3: Versioning
1) Allows multiple versions of an object
2) Protects against unintended overwrites and deletions
3) Automatically archives objects
4) Versioning is at the BUCKET LEVEL
5) Configured via console or SDK
6) "Suspended" by default
194
S3: Consistent Reads
1) Consistent reads are never stale
2) Potentially higher read latency
3) Potentially lower read throughput
195
API Gateway: Method Configuration Options
e.g. How are the methods set up to respond to requests?
- AWS Lambda
- Existing HTTP endpoints
- Integrated with other AWS services
196
SNS: Message Data - Signature
1) Base64-encoded "SHA1 with RSA" signature over the following values:
- Message
- MessageID
- Subject
- Type
- Timestamp
- TopicARN
197
API Gateway: Benefits
- Ability to cache API responses
- DDoS protection via CloudFront
- SDK generation for iOS, Android, and JavaScript
- Supports Swagger (a very popular framework of API dev tools)
- Request/response data transformation (e.g. JSON --> XML)
198
SWF: Description
Simple Workflow Service
- Create scalable distributed workflows
- Significant customization
199
SNS: Topics
1) Channel used to send messages and subscribe to notifications
2) Names MUST be unique
3) Names are limited to 256 characters
4) All letters, numbers, hyphens and underscores are allowed in the name
5) Topics and messages are stored redundantly on multiple servers and data centers
200
SNS: Managing Access
1) Access is controlled with policies
2) In addition to IAM, SNS also has resource-based access control policies (RBAC policies)
3) RBAC policies can control:
- Who is allowed to publish to a topic
- Who is allowed to subscribe to a topic
- and under what conditions
201
Blue/Green deployment benefits
- An application can be installed and tested and then traffic switched
- Rolling back is easy because it can happen by switching traffic back to the older instances (if they are still around) or to an older Lambda version
- New instances can also have up-to-date configuration and patches
- AWS Lambda Blue/Green deployments can control traffic shifting between AWS Lambda versions
202
SQS: Fifo Queue
- Allow for first-in-first-out ordering in the queue
- Guarantee only-once delivery
- Only supports 3000 messages/second (with batching)
203
S3: Encryption Protecting data in transit (KMS)
1) Using an AWS KMS managed customer (master) key
- Client gets a unique key for each object
2) On upload:
- Send request to AWS KMS for a key
- AWS KMS returns an encryption key
3) On download:
- Client downloads the encrypted object with its cipher blob stored in metadata -> blob to KMS -> get plaintext key -> decrypt object
204
SQS: Message Lifecycle
1) Component "1" sends message "A" to a queue, and then the message is redundantly distributed across SQS servers
2) When component "2" is ready, it retrieves the message from SQS. While message "A" is being processed it remains in the queue, but has a "Visibility Timeout" set for it
3) Component "2" deletes the message from the queue during that "Visibility Timeout"
205
CloudFormation: Template Sections
1) AWSTemplateFormatVersion
2) Description
3) Metadata
4) Parameters
5) Mappings
6) Conditions
7) Resources
8) Outputs
206
Lambda Function: Packages
All the code and dependencies required for your Lambda function. Includes:
- Lambda handler
- Packages from providers like pip or npm if appropriate
- Your own libraries and other files the handler relies on
207
API Gateway: Deployment
A snapshot of the API's resources and methods
208
CloudFormation: Rollback
1) If a stack fails to create a resource, by default the stack will "rollback"
2) Removal of all created resources after a failed creation, or after cancelling creation
3) Rollback CAN be disabled via API
209
DynamoDB: Queries
1) Allows you to find items using ONLY primary key values from a table OR secondary index
2) More efficient than SCAN
210
DynamoDB: Scans
Queries are preferred; scans are expensive.
1) You can reduce the "page size" of an operation with the "limit" parameter, to limit how much data you try to retrieve at the same time
2) Avoid scans on mission-critical tables
3) Program your application logic to retry any request that receives a response code saying you exceeded provisioned throughput (or increase your throughput)
211
DynamoDB: Provisioned Throughput
1) Flexibility to change read & write capacity:
- at table creation
- or at any time after, without downtime/degradation
2) Automatically allocates machine resources
3) Ability to reserve capacity
212
Step Functions: State Machine
JSON-defined series of states to execute as a workflow that can include different state types including tasks that can take certain actions and respond with data from those actions.
213
CloudFormation: MetaData
1) JSON objects that provide details about the template
2) Can actually be provided in YAML too!
3) Just one of the areas within a CloudFormation template for the inclusion of metadata
214
SNS: Message Data - Type
1) Type of the message (i.e. notifications are of type "Notification"):
- SubscriptionConfirmation
- Notification
- UnsubscribeConfirmation
215
ElasticBeanstalk: Description
- AWS service to facilitate deploying/scaling web applications
- Upload code and Elastic Beanstalk automates deployment/load balancing/auto-scaling/health monitoring
216
SWF Workflow: Max Age
1 year
217
S3: CORS
Cross Origin Resource Sharing
1) Sharing/accessing resources stored in one bucket with another
2) MUST be enabled to share certain resources (disabled by default)
218
S3: Static Web Hosting
1) Host static HTML files
2) Specify index file
3) Specify custom error file
4) Supports domains and redirects
5) Gives a default URL
6) Redirects from www.example.com to example.com
7) Route53 integration for custom domains
8) Bucket names must match the domain name
219
DynamoDB: Pricing
Core components:
1) Provisioned throughput for reads and writes (RCUs/WCUs)
2) Indexed data stored (hourly rate per GB)
Other features:
- Backup costs
- DynamoDB Accelerator (DAX) costs
220
SNS: Message Data - Subject
1) Subject Parameter | 2) Optional parameter
221
IAM: Identity Federation
Allows you to authenticate users through an intermediary like Facebook, Google, Amazon or others. Can be integrated with Amazon Cognito
222
S3: Restoring Object Versions
1) Any earlier version can be restored by:
- Copying a previous version into the same bucket, which restores it as the current version
- Permanently deleting the current version (then the previous version is the current one)
- Copying an earlier version GETs the version and PUTs it in the bucket, giving it a new ID (the new ID is used as the current version)
223
SWF: Description
Simple WorkFlow
1) Is a task coordination and state management service for cloud applications
Features:
a) Distributed
b) Highly scalable
c) Works with both on-premise and cloud applications
d) A workflow execution can last up to 1 year
e) A workflow can consist of human events
f) Guarantees the order in which activities/tasks occur
224
CloudFormation: Intrinsic Functions
1) Used to pass in values that are NOT available until runtime. Example: "GetAtt"
225
Lambda: Memory Limitations (RAM)
- 128 MB minimum
- 3008 MB maximum
- 64 MB increments
226
Lambda: Event Source Examples
- HTTP API requests (via API Gateway)
- CloudWatch schedule events
- S3 file uploads
- DynamoDB Streams
- Direct invocation via the AWS CLI or SDKs
227
S3: Encryption at Rest (S3 Managed)
1) AWS provides server-side encryption before saving data to disk
2) Add the "x-amz-server-side-encryption" request header to your upload request
3) Uses AES-256
4) Bucket policies can require all objects use server-side encryption
5) Alternatives:
- KMS managed keys
- Customer provided keys
228
XRay: Annotations & Metadata
Annotations - Searchable key-value pairs | Metadata - Additional non-searchable data you can view for a request
229
SNS: Mobile Push Notifications
1) SNS provides the ability to send notifications directly to apps on mobile devices
2) Notifications sent to a mobile device can appear in the app as:
- Message alerts
- Badge updates
- Sound alerts
230
EBS: Description
Elastic Block Store
- An option for EC2 storage volumes
- Frequently the default boot volume for EC2 instances
- Can be 'snapshotted' to take incremental backups of its state
231
DynamoDB: Global Tables
Managed cross-region replication of DynamoDB tables | Improves performance over region-specific tables when making requests near the region
232
S3: Deleting a versioned object
1) Must specify the Key and version ID | 2) AWS will then set the next ID to the "current" version
233
S3: Performance Limits
1) Burst (# of requests per second)
IF > 300 put/list/delete
IF > 800 get
THEN contact AWS to prepare for/avoid limit issues
2) Consistently high number of requests per second
IF > 100 put/list/delete
IF > 300 get
THEN follow best practice guidelines to avoid overwhelming the I/O capacity of a partition
234
RDS: Supported Database Engines
Amazon Aurora, MySQL, MariaDB, PostgreSQL, Oracle, and Microsoft SQL Server
235
Lambda: $LATEST vs numbered versions
```
$LATEST:
- A mutable (changeable) version of a Lambda function
Numbered versions:
- 1, 2, 3, etc.
- Immutable (not changeable)
```
236
API Gateway: Resources
- "Logical entities that can be accessed via resource paths"
- The 'thing' you're interacting with when you want to interact with a resource URL
237
EC2: AMI API Call RegisterImage
1) Occurs during the FINAL process of creating an AMI
238
CodeDeploy: Deployment Integrations
Virtually anything, including on-premise machines by way of the CodeDeploy agent.
239
CodePipeline: Deployment Action Integrations
```
S3
CloudFormation
AppConfig (Systems Manager)
CodeDeploy
ECS
Elastic Beanstalk
OpsWorks
Service Catalog
Alexa Skills
XebiaLabs
```
240
CodePipeline: Invoke Action Integrations
Lambda | Step Functions
241
EC2: Basic vs Enhanced Monitoring
Basic: 5 minute intervals
Enhanced: 1 minute intervals