AdrianBinDC/ACGNotes.md

## ACGNotes.md

      
    Raw
  

              ACGNotes.md
            
          
    Review

S3 and IAM Summary


IAM consists of the following

Users
Groups
Roles
Policies

Policies are in a JSON file


IAM is universal


Root account has complete administrator access


New Users have no permissions when first created

Least Privilege


New users are assigned Access Key ID and Secret Access Keys when first created

These are not the same as a password
You cannot use the Access Key ID and Secret Access Key to login to the console

You CAN use this to access AWS via APIs and Command Line, however


you only get to view these onece. If you lose them, you need to regenerate them, so save them in a secure location.


Always setup  MFA and password rotation policies


S3 Exam Tips


S3 is Object based
Files can be from 0b to 5TB
There is unlimited storage
Files are stored in buckets
S3 is a universal namespace

Names must be unique globally


https://s3-[region_name].amazonaws.com/[bucket_name]
Not suitable for operating system or database
Successful uploads receive HTTP200 status code
Access control to buckets are determined by

Bucket policies
Access Control Lists (down to file level)


S3 buckets can be configured to create access logs which log all requests made to the S3 bucket. This can be sent to another bucket or even another bucket in another account.

S3 Key Fundamentals


key = name of the object
value = the data
version id
metadata
subresources

ACLs
Torrents


read after write consistency of new PUTS
eventual consistency for overwrite PUTS and DELETES

Classes of Storage


S3 Standard
S3 IA
S3 One Zone - IA
S3 Intelligent Tiering
S3 Glacier

3-5 hours
can be expedited


S3 Glacier Deep Archive

12 hour retrieval time


S3 Encryption


Encryption IN transit achieved by SSL/TLS
Encryption AT REST

SSE-S3

Amazon provided


SSE-KMS

Keys provided by KMS Service


SSE-C

Customer managed keys


Client side encryption


AWS Organizations


Enable MFA on root account
Use strong and complex accounts on root account
Paying account should be used for billing only
Do not deploy resources into the paying account
Enable/Disable AWS services using SCPs on OU (organizational unit) or individual accounts

Three different ways to share S3 buckets across accounts


Bucket policies and IAM (entire bucket)

Programmatic only


Using ACLs and IAM (individual objects)

Programmatic only


Cross account IAM roles

Progammatic and Console access


Cross Region Replication


replicate objects across regions or within region
versioning needs to be enabled on both sides
files in existing bucket are not replicated automatically

subsequent


delete mamrkers are not replicated
deleting individual versions or delete markers will not be replicated

Lifecycle Policies


automates moving objects between storage tiers
can be used in conjunction with versioning
can be used with current as well as previous versions

S3 Transfer Acceleration


files transit AWS backbone network

impmrove speed and performance


CloudFront


edge location

location where content is cached


origin can be

S3 bucket
EC2 instance
ELB
Route 53


distribution

this is the name given the CDN which consists of a collection of Edge Locations


web distribution

typically used for websites


RTMP

used for media


Edge locations are not just read only
objects are cached for the TTL
clear cached objects costs money

Snowball


Snowball can import or export from S3

Storage Gateway

Two types:

File Gateway

Flat files stored directly on S3


Volume Gateway

Stored volumes: Entire dataset stored on site and is asynchronmously backed up to S3
Cached volumes: Entire dataset is stored on S3 and the most frequently accessed data is cached on site


Gateway Virtual Tape Library

Used for backup and uses popular backup applications like NetBackup, Backup Exec, Veeam, etc.


Athena


Interactive query service
Allows you to  q uery data located in S3 using standard SQL
Serverless
Commonly used to analyze log data stored in S3

Macie


Macie uses AI to analyze data in S3 and helps identify PII
Can also be used to analyze CloudTrail logs for suspicious API a ctivity
Includes Dashboards, Reports, and Alerting
Great for PCI-DSS compliance and preventing ID theft

READ THE S3 FAQ

EC2 Summary


A resizable compute capacity in the cloud
Reduces time required to obtain and boot a new servcer instance to minutes, allowing you to quickly scale capacity, both up and down, as your computing requirements change

Pricing Models


On Demand: pay a fixed rate by the hour or second with no commitment.
Reserved: provides you with a capacity reserveation and offers a significant discount on the hourly charge for an instance. Contract terms are 1 or 3 years.
Spot: Enables you to bid whatever price you want for instance apacity, providing even greater savings if your applications have flexible start and end times.
Dedicated Hosts: Physical EC2 server dedicated for your use. Can help you reduce costs by allowing you to use your existing server-bound software licenses.

Spot Intances


if instance terminated by AWS, you're not charged

Instance Types


F - FPGA
I - IOPS
G - Graphics
H - High Disk Throughput
T - Cheap general purpose (T2 micro)
D - Density
R - RAM
M - Main choice for general purpose apps
C - Compute
P - Graphics (p for pictures)
X - Extreme Memory
Z - Extreme memory and CPU
A - Arm-based workloads
U - Bare Metal

EBS


virtual hard disk in the cloud
termination protection is turned off by default
on an EBS-backed instance, the d efault action is for the root EBS volume to be deleted

additionally attached volumes ARE NOT deleted automatically


EBS Root Volumes of your DEFAULT AMIs can be encrypted

You can use third party tool to encrypt the root voume or this can be done when creating AMIs in the AWS console or using the API


Security Groups


all inbound traffice is blocked by default
all outbound traffic is allowed
changes to security groups take effect immediately
you can have any number of EC2 instances within a security group
you can have multiple security groups attached to EC2 instances
SECURITY GROUPS ARE STATEFUL

when you open up a port, it will be for inbound and outbound
cannot block specific IPs with security groups


NACLs are STATELESS

Need to open up inbound and outbound
Block specific IP addresses using NACLs


You can only specify allow rules with security groups

EBS Snapshots


volumes exist on EBS
SNAPSHOTS exist on S3 and can be though of as photographs of the disk
snapshots are point in time copies of volumes
snapshots are incremental

only blocks that have changed since your last snapshot are moved to S3


to create a root snapshot, stop the instance ideally, but can do it while it's running
AMIs can be created from both volumes and snapshots
you can change EBS volume size on the fly including size and storage type
volumes will ALWAYS be in the same AZ as the EC2 instance

Migrating EBS

One AZ to Another


take a snapshot
create an AMI from the snapshot
use the AMI to launch the EC2 instance in a new AZ

One Region to Another


take a snapshot
create an AMI from the snapshot
copy AMI from one region to another
use copied AMI to launch the EC2 instance in a new AZ

EBS Encryption


snapshots of encrypted volumes are encrypted automatically
volumes restored from encrypted snapshots are encrypted automatically
you can share snapshots, but only if they are unencrypted
these snapshots can be shared with other AWS accounts or made public

Root Device Volume Encryption


root device volumes can be encryted

Enrypting Rooot Device Volumes


Create a snapshot of the unencrypted root device volume
Create a copy of the snapshot and select encryption option
Create an AMI from the  encrypted snapshot
Use the AMI to launch

EBS vs. Instance Store


instance stroe volumes are sometimes called ephemeral storage
instance volumes cannot be stopped

If the underlying host fails, you will lose your data


EBS backed intances can be stopped and you will not lose your data if you have disabled automatic deletion.

default setting is to delete root, so you must disable


If you reboot EBS or Instance, you will not lose data

Enhanced Networking

Three types of networking

ENI: For basic networking.
Enhanced Nentwork: When you need speeds between 10GB/S and 100GB/S
Elastic Fabric Adapter: When you need HPC or machine learning applications OR if you need to do an OS-bypass.

CloudWatch


monitor performance
can monitor most of AWS as well as your applications that run on AWS
5 min increments by default
1 min increments for detailed monitoring
create CloudWatch alarms which trigger notifications
CloudWatch is all about performance. CloudTrail is about auditing

What can you do?


Dashboards: see what's happening
Alarms: notify when thresholds are hit
Events: respond to state changes in AWS resources
Logs: CloudWatch logs help you aggregate, monitor, and store logs

The CLI


you can interact with AWS anywhere in the world by using the CLI
you will need to setup accss in IAM
commands themselves are not on the exam, but some basic commands are useful to know for real life

Roles


roles are universal--you can use in any region
roles are more secure than storing your access key and secret access key on individual EC2 instances
roles are easier to manage
roles can be assigned to an EC2 instance after it is created using both the console and the command line

BootStrap Scripts


Bootstrap scripts run when an EC2 instance first boots
Can be a powerful way to automate software installs and updates

Instance Metadata


get information about an instance (such as a public IP)

meta data: curl http://169.254.169.254/latest/meta-data/
user data: curl http://169.254.169.254/latest/user-data/

literally just the bootstrap script, nothing else


EFS


supports NFSv4 protocol
you only pay for the storage you use

no pre-provisiooning required


scale up to petabytes
can support thousands of concurrent NFS connections
data is stored across multiple AZs within a region
read after write consistency

EFS Use Cases


EFS: when you need distributed, highly resilient storage for Linux instances and Linux-based applications.
Amazon FSx for Windows: When you need centralized storage for Windows-based applications such as Sharepoint, Microsoft SQL Server, Workspaces, IIS Web Server, or any other native Microsoft Application.
Amazon FSx for Lustre: When you need high-speed, high-capacity distributed storage. This will be for applications that do HPC, financial modeling, etc.

FSx for Lustre CAN STORE DATA DIRECTLY ON S3


EC2 Placement Groups


only certain tyupes of instances can be used in a placement groups
you can't merge placement groups
you CAN move an instance into a placement group

Types


clustered: low network latency/high network throughput

CANNOT SPAN MULTIPLE AZS
Use homogenous instances in clustered placement groups


spread: individual critical EC2 instances

CAN span multiple AZS
different AZs
different racks


partitioned:

CAN span multiple AZS
multiple EC2 instances on separate hardware from other partitions
HDFS, HBase, Cassandra


WAF


WAF can block malicious API addresses
NACLs can do the same

Database Summary


RDS (OLTP)

SQL
MySQL
PostgreSQL
Oracle
Oracle
Aurora
MariaDB


DynamoDB (No SQL)
Red Shift (OLAP)

Elasticache


Memcached

simple


Redis

more advanced, multiple AZs or backups


RDS


runs on VMs
you cannot login to these systems
patching of the RDS OS and DB is amazon's responsibility
RDS is NOT serverless EXCEPT AURORA

Backups


automated
database snapshots

Read Replicas


can be multi-AZ
used to increase performance
must have backups turned on
can be in different regions
can be MySQL, PostgreSQL, MariaDB, Oracle, Aurora
Can be promosted to master, but this will break the read replica

Multi-AZ


used for DR, not for performance
you can force a failover from one AZ to another by rebooting the RDS instance

Encryption


supported by...

MySQL
Oracle
SQL Server
PostgreSQL
MariaDB
Aurora


Encryption done using AWS KMS
Once RDS instance is encrypted, the data stored at rest in the underlying storage is encrypted

DynamoDB


serverless
stored on SSD storage
spread across three geographically distinct data centers
eventual consistent reads

onen second rule


strongly consistent reads

Redshift


used for business intelligence
available in only one AZ at present

Redshift backups


enabled by default with one day retention
35 day max retention
always attempts to maintain at least three copies of your data (the original and replica on the compute nodes and a backup in S3)
redshift can asynchronously replicate your snapshots to S3 in another region for DR

Aurora


2 copies of your data are contained in each AZ with a minimum mof 3 AZs (6 copies of your data)
you can share Auroora Snapshots with other AWS accounts
3 types of replicas available

Aurora
MySQL
PostreSQL


Use Aurora Serverless if you want simple, cost effective option for infrequent, intermittent, or unpredictable workloads

Elasticache


use Elasticache to incirease database and web application performance
Redis is multi-AZ
you can do backups and restores of Redis
If you need to scale horizontally, use Memcached

Advanced IAM

Active Directory


understand conceptually
connect AWS with on-premises AD
SSO to any domain-joined EC2 instance
AWS Managed Microsoft AD
AD Trust
AWS vs. customer responsibility

Simple AD


baby brother of microsoft AD
does not support AD Trusts

can't join simple AD to on-prmises AD
use AD Connecntor instead


Cloud Directory has nothing to do with Microsoft AD, used for heirarchial data
Cognito user pools
AD vs Non-AD pools

Understand ARN


ARN
IAM policy structure
Effect/Action/Resource
Identity vs Resource policies
Policy evaluation logic

deny supercedes allow


Route 53


ELBs do not have pre-defined IPv4 addresses, we resolve using a DNS name
Understand the difference between an Alias Record and a CNAME
Given a choice, choose alias record over a CNAME

Common DNS Types


SOA records
NS records
A records
CNAMES
MX records
PTR records

Routing


simple routing
weighted routing
latency-based routing
failover routing
geolocation routing
geoproximity routing (traffic flow only)
multi-value answer routing

Health Checks


you can set health checks on individual record sets
if a record set fails a health check it will be removed from Route53 until it passes the health check
you can set SNS notifications to alert you if a health check is failed

Simple Routing


you can only have one  record with multiple IP addresses
if you specify multiple values in a record, Route 53 returns all values to the user in a random order

Weighted Routing


specify a weight

Latency


based on delay time for response, route to shortest

Failover


active and passive environment

Geolocation Routing


route based on location

Geoproximity Routing


based on location of users AND resources

Multivalue Answer Policy


simple routing with health checks

VPCs


Create a VPC from memory!

Overview


VPC is a logical datacenter in AWS
consists of IGWs, Route Tables, NACLs, Subnets, and Security Groups
1 subnet = 1 AZ
security groups = STATEFUL

need an explicit allow
anything without allow is denied


NACL = STATELESS

use to block IP addresses


NO TRANSITIVE PEERING

BUILDING VPC


You get the following when you create a VPC:

Route Table
NACL list
Default security group


You need to create...

subnets
Internet Gaeway


AZ's are randomized
5 IP addresses are reserved within subnets
You can only have 1 IGW per VPC
Security Groups cannot span VPCs

NAT Instances


When creating a NAT instance, disable source/destination check on the instance
NAT instances must be in a public subnet
There must be aroute out of the private subnet to the NAT instnace in order for this to work
The amount of traffic that NAT instances can support depends on the instance size.

If you encounter bottlenecking, increase the instance size.


You can create high availability by using autoscaling groups, multiple subnets in different AZs, and a script to automate failover
Must be behind a security group

NAT Gateways


redundant inside the AZ
perferred by the enterprise
starts at 5GB/S and currently scales to 45GB/S
No need to patch
Not associated with security groups
Automatically assigned a public IP address
Remember to update route tables
No need to disable source/destination checks
If you have resources in multiple AZs and they share one NAT gateway, in the event that the NAT gateway's AZ is down, resources in other AZs lose internet access.
To create an AZ-independent architecture, create a NAT gateway in each AZ and configure you routing to ensure that resources use the NAT gateway in the same AZ

Network Access Control Lists (NACLs)


your VPC automatically comes with a default NACL
you can create custom NACLs

need to add explicit rules to allow ingress/regress


Each subnet in your VPC must be associated with a NACL

if you don't specify, it'll be tied to default NACL


IP addresses are blocked by NACL, not security group

You can block in front of the VPC with a WAF...otherwise, block inside with a NACL


NACLs are one to many relationships

Subnet associations with a NACL are one-to-one


NACL rules are numbered...lower numbers trump lower rules

If 100 says deny a port, 101 allowing the same port will be denied


NACLs need explicit inbound/outbound ports and are STATELESS

If you allow an inbound port, the corresponding port will not be allowed, as is the case with Security Groups
Security groups are STATEFUL

If you allow a port in a security group, the outbound port is opened, too


ELBs


you need 2 public subnets to deploy internet facing load balancer

VPC Flow Logs


you cannot enable multiple flow logs for VPCs that are peered with your VPC unless the peer VPC is in your account
you can tag flow logs
after you've created a flow log, you cannot change its configuration

you can't associate a different IAM role with the flow log


not all traffic is monitored

DNS traffic to AWS service not monitored

If you bring your own DNS, it IS monitored


traffic generatd by Windows Instance for Windows License activation is not monitored
traffic to/from 169.254.169.254/[user-data/metadata]
DHCP traffic
traffic to reserved IP for root


Bastions


Used by private subnets to provide internet traffic to EC2 instances on private subnets
Need to have SSH port 22 open to get in or RDP for Windows
Cannot use a NAT gateway for a bastion host, but can use NAT instance (FML)

Direct Connect


directly conects your data center to AWS
useful for high throughput workloads
KNOW THE STEPS TO CREATE A DIRECT CONNECT CONNECTION (AWS YOUTUBE VIDEO)

create virtual interface in direct connect console
go to VPC console and then to VPN connections to create a customer gateway
create a virtual private gateway
attach VPG to the desired VPC
select VPN connections and create a new VPN connection
select the virtual private gateway and the customer gateway


Global Accelerator


service that improve availability for local and global users
you are assigned two static IP addresses or bring your own
you control traffic using traffic dials in the endpoint group
you control weighting to individual endpoints using weights.

VPC Endpoint


VPC endpoint enables you to privately connect your VPC to supported AWS services and VPC endpoint services powered by PrivateLink without requiring an IGW, NAT device, VPN connection, or AWS direct connection.
do not require public IP addresses to communicate with the service
traffic does not leave AWS network
endpoints are virtual devices that are horizontally scaled, redundant, and highly available VPC components that allow communication between instnces in your VPC and services without imposing availability risks or bandwidth constraints on your network traffic.

Types of VPC endpoints


interface endpoints

most AWS servces


gateway endpoints (only 2 services)

S3
DynamoDB (no SQL database)


AWS PrivateLink


if you see a question re: peering VPCs to 10s, 100s, or 1,000s of customer VPCs, think PrivateLink
doesn't require VPC peering; no route tables, NAT, IGWs, etc.
requires a network load balancer on the service VPC and an ENI on the customer VPC

Transit Gateway


allows you to have transitive peering between thousands of VPCs and on-premise data centers
work on hub-and-spoke model
works on a regional basis, but you an have it across multiple regions
you can use it across multiple AWS accounts using RAM (resource action manager)
you can use route tables to limit how VPCs talk to one another
works with direct connect as well as VPN connections
supports IP multi-cast (only service that supports it in AWS)

VPN CloudHub


simplify VPN connections
if you have multiple sites with own VPN connections, connect with CloudHub
low cost-easy to manage
operates over public internet, but all traffic between customer gateway and AWS VPN CloudHub is encrpypted

Network Costs


use private IP addresses over public to save $
same AZ is cost free, but single points of failure emerge as a problem

Databases

RDS (OLTP)


SQL
MySQL
PostgreSQL
Oracle
Aurora
MariaDB

DynamoDB (No SQL)

Red Shift (OLTP)

Elasticache


Memcached

something simple


Redis

more advanced
multi-az
backups


RDS


runs on VMs
can't SSH into them or RDP into them
pating RDS is Amazon's responsibility
AURORA Serverless is serverless

Backups


Automated Backups
Automated Backups

Read Replicas


can be multi-AZ
used to increase performance
must have backups turned on
can be in different regions
can be MySQL, PostgreSQL, MariaDB, Oracle, Aurora
Can be promoted to master, but this will break the read replica

Multi-AZ


used for DR, NOT PERFO RMANCE
force a failure by rebooting RDS

Encryption


Encryption at rest supported by...

MySQL
Oracle
SQL Server
PostgreSQL
MariaDB
Aurora


Encryption done using AWS KMS

Once encrypted, the data stored at rest in the underlying storage is encrypted, as are its automated backups, read replicas, and snapshots


DynamoDB


stored on SSD
spread across 3 geographically distinct data centers
eventual consistency is default (1 second rule)
can be updated to strongly consistent

Redshift


used for business intelligence
only one AZ
enabled by default with 1 day retention
can be upt o 35 days
Redshift always attempts to maintain at least 3 copies of yoru data (the original and replica on the compute nodes and a backup in Amazon S3)
Redshift can also asynchronously replicate your snapshots to S3 in another region for disaster recovery.

Aurora


2 copies in each AZ with a minimum of 3 AZs
can share snapshots with other AWS
3 types of replicas available

Aurora Replicas

AUTOMATED FAILOVER ONLY WITH AURORA REPLICAS


MySQL Replicas
PostgreSQL replicas


Aurora has automated backups turned on by default. You can also take snapshots with Aurora. You can share these snapshots with other AWS accounts
Use Aurora Serverless if you want a simple, cost-effective option for infrequent, intermitten, or unpredicatable workloads

Elasticache


use to increase database and web application performance
Redis is multi-AZ
You can do backups and restores of Redis
If you need to scale horizontally, use Memcached

HA Architecture

Load Balancers

Know the use cases for these

ALB: layer 7
NLB: layer 4
CLB: layer 4 + 7

Exam Tips


504 means gateway timed out
If you need the IPv4 address of your end user, look for the X-Forwarded-For header
Instances monitored by ELBs are reported as InService or OutOfService
Health checks check the instance health by talking to it
Load balancers have their own DNS name
READ THE ELB FAQ

expect 10 questions


Advanced Load Balancer Theory


sticky sessions enable your users to stick to the same EC2 instsnce

can be useful if you are storing information locally to that instance


cross zone load balancing enables yout o load balance across multiple AZs
path patterns allow you to direct traffic to different EC2 instances based on the URL contained within the request

CloudFormation


a way of completely scripting your cloud environment
QuickStart is a bunch of Cloud Formation templates already built by AWS Solutions Architects allowing you to create complex environments very quickly

ElasticBeanstalk


quickly deploy and manage applications in the AWS cloud without worrying about infrastructure that runs those applications
you simply upload your application and ElasticBeanstalk automatically handles the details of capacity provisioning, load balancing, scaling, and application health monitoring

Bastions in Action


can't use ALB for bastion b/c it's layer 7 and you need layer 4

On Premises AWS services


DMS
SMS
AWS Applicaiton discovery Service
VM Import/Export
Download Amazon Linux 2 as an ISO

Applications Summary

SQS


a way to decouple infrastructure
pull based
256kb in size, bigger stored in S3
1 min to 14 day storage
default retention is 4 days
standard SQS order not guaranteed, messages delivered more than once
FIFO order is guaranteed, delivered only once
visibility timeout is the amount of time the message is invisible in the SQS queue after a reader picks up the message

if job is done before visibility timeout expires, message deleted from the queue
if not processed within that time, the message will become visible again and another reader will process it, resuling in message being delivered twice
max timeout is 12 hours


long polling

a way to retrieve messages from your Amazon SQS Queues, doesn't return a response until a message arrives in the message queue or the long poll times out


SWF vs. SQS


SWF workflows can lasdt up to 1 year
represents a task-oriented API while SQS is a message-oriented API
ensures a task is assigned only once and not duplicated
keeps track of all tasks and events in an application

SWF ACtors


workflow starters: initiator
deciders: control flow
activity workers: carry out activity tasks

SNS Benefits


push based
instantaneous
flexible message delivery over multiple transport protocols
inexpensive
Web-based AWS management console offers the simplicty of a point and click interface

Elastic Transcoder


media transcoder in the cloud, convert to different formats

API Gateway


remember what it is at a high level
has caching capabilities
low cost and scales automatically
you can throttle
you can log to cloudwatch
you can use CORS across multiple domains
CORS enforfced by client

Kinesis


streams has data persistence

anything with shards, want streams


firehose does not have data persistence

lambda function that stores separately, but you've gotta add your own in


Cognito


web identity federation
user authenticates first with Web ID Provider and receives an authentication token
user pool is user based

user registration, authentication, and account recover


identity pools authorize access to AWS resources

WAF


monitor HTTP requests to CloudFront, ALB, or API Gateway
control access to content
configure filtering rules

IP addresses
query string parameters


blocked traffic by WAF kicks back 403
three behaviors

allow all except ones you block
block all except ones you block
count requests that match properties you specify


Serverless


AWS X-ray allows you to debug what's happening
Lambda  can do things globally, can use to backup S3 buckets into other S3 buckets
Know your triggers