agussman/AWS-CSA-A-Notes.md

## AWS-CSA-A-Notes.md

      
    Raw
  

              AWS-CSA-A-Notes.md
            
          
    External Resources

linuxacademy.com (Training)
Acloud.guru (training)
Read the top-level Documentation and FAQs for all the major AWS resources (EC2, S3, RDS, Auto Scaling, etc). The answers to the "nit-picky" questions can be found here. It's also helpful to go deeper on VPCs and networking-related concepts.

VPC http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-vpc.html
VPC Security http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Security.html
VPC Route Tables http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Route_Tables.html


Everyone says read the white papers. The ones I read were:

Security Best Practices https://d0.awsstatic.com/whitepapers/Security/AWS_Security_Best_Practices.pdf
Cloud Best Practices https://d0.awsstatic.com/whitepapers/AWS_Cloud_Best_Practices.pdf


Core

Elasticity

Ability to scale up/down on demand
Reduce cost
Scaling

Proactive - fixed interval
Proactive Event-based
Auto-Scaling based on demand
Out: more instances, Up: Bigger instances
Fault tolerant
Operationally efficient
More resources, less resources cost


Scalability

grow over time
economies of scale
vertically: more powerful resources
horizontally: increased number of resources


Reserved

reduced price
guaranteed capacity (useful for disaster recovery)
within AZ
Can submit modification request to

change AZ
scope up/down AZ to Region
instance size w/in same type


"Tightly Coupled" vs "Loosely Coupled"

Tightly

one thing fails, all fail


Loosely

individual component failure won't break everything
Can scale out individual components


Shared Security Model

AWS: host OS/Virtualization, physical security

DDoS

Could use CloudFront to absorb requests


Do INGRESS filtering on incoming traffic


You: guest OS/VPC on up, security group, software updates, data in transit/rest

Also use software-level security: IPTABLES, Firewalls, etc
DDoS

Block CIDR at Network ACL (Subnet level)
Must have permission to do Port Scanning w/in cloud


Encryption (AES-256):

EBS

done on instance itself, not good for small instances
snapshots automatically encrypted


S3 - at rest
Glacier
Redshift
SQL RDS

MySQL//Aurora, Oracle, Postgres, MSSQL
Snapshots, backups, read replicas all encrypted
SSL connection encryption


Disaster Recovery

Recovery Time Objective (RTO)

restore to level of service, measured in time


Recovery Point Objective (RPO)

acceptable amount of dataloss, measured in time


Methodology

Pilot light

Minimal version of production environment in AWS
Scale out and DNS switch if disaster
Make sure it's up to date
Requires extra time to spin up


Warm standby

Larger footprint than pilot light
Running business critical applications


Multi-site

clone production environment
active-active
also use as load balance
less downtime, more costly


DR Services

ELB and Auto Scaling
Route53 failover DNS, or latency based
Storage Gateway
lots of AWS tools to get data, AMIs out of on-premises


EC2

AMI

Unique to a Region (need to manually copy to another Region)
Permissions: can make public, or available to another AWS account
PV Paravirtual

cannot take advantage of hardware extensions
historically was faster, but basically no diff now


HVM Hardware Virtual - preferred method, on current instance types
Copying an image, can encrypt from unencrypted, but default is keep same


Security Group

EC2-Classic: Can't add/remove SGs to running instance
VPC: Live in that VPC
Stateful: response traffic is allowed
500 Security Groups / VPC, 50 rules/SG, 5 SGs/network interface
Can't delete the default security group
Instance needs at least one security group


Dedicated instance - hardware w/ just our stuff
Elastic Load Balancer

Can distribute traffic across AZs
Can live in a public subnet and serve traffic to private subnets (eg Auto Scaling Groups)
Can apply an SSL directly to it
Needs to split between two subnets?
Configure

What to listen on (80)
Apply a Security Group to the ELB
Health Check on target instances (eg port 80)
target instances


Instances Security Groups still need to allow traffic from ELB

Instances don't need a Public IP, just a public subnet
Requests look like they're from ELB, might want to log traffic at ELB level


ELB for Apex domain required Route53 Alias record
Internal ONLY accepts traffic from w/in VPC (use w/ private subnet for multi-tier apps)
Connection draining: wait for connections to complete
Cross Zone load balancing required across AZs
AWS will increase ELB as needed

Contact AWS for "Prewarming" to handle rapid, drastic spikes in traffic


Lots of built in Metrics on the ELB (connections, responses, etc)

Can create Alerts off of it


Classic: register instances, Application: target group
Troubleshooting

Make sure target is available for health check (correct "index.html" target)
Make sure ELB and Instances have port 80 open
Enable Access Logs to Amazon S3 (otherwise ELB logs on Instance)
Add specific subnets to ELB


Auto Scaling Group (ASG)

Launch additional instances as needed

Load
Proactive
Event


Consists of Launch Configuration + Scaling Plan
Spans AZs, not Regions
Tell it to receive traffic from an ELB
static size = "self healing", or
scaling policy to adjust capacity w/ CloudWatch Alarm for Increase and Decrease group size
Can use with internal multi-tier apps
Deleting ASG terminates running instances
Can't pass EC2 instance cap
Launch Configuration (LC)

Info on the instance that an Auto Scaling Group uses (AMI, instance type, etc)
LC can be used w/ multiple ASGs
ASG requires an LC
Can't modify LC after launch

Create new LC, apply to ASG

Only affects new instances! Existing are kept.


Scaling Plan

Tells Auto Scaling when and how to scale

Manual
Scheduled
Demand (In and Out)

Alarm - What to look for (via CloudWatch)

Could be SQS Queue Size


Policy - how to respond to Alarm

Can't go outside min/max group size
Adjustment Types

ChangeInCapacity (+/-)
ExactCapacity
PercentChangeInCapacity


Scaling Policy Types

Simple

has cooldown


Step

based on size of alarm breach
continuously evaluated


Troubleshooting

"thrashing" up and down

Change thresholds
Decrease checking frequency
Increase cooldown (not for step or scheduled)


doesn't happen

max too low


EBS Volumes

cannot cross AZs (auto replicated WITHIN AZ)

create snapshot in other AZ to access there


IOP is max 256KB
SSD General Purpose

1GiB to 16TiB
Burstable IOP credits
baseline 3 IOPS/GiB


Provisioned IOPS

4GiB to 16TiB
up to 20,000 IOPS
Critical apps requiring sustained IOPS, large DB workloads


Magnetic

1Gib to 1024GiB


AWS EBS encryption uses AWS Key Management Service (don't use on smaller than m3)

Customer Master Key (CMK)
Snapshots/Volumes by default inherit status of their source

Can't change CMK of volume/snapshot but
encrypt > encrypt w/ new CMK w/ copy snapshot
unencrypted > encrypt: w/ copy snapshot
encrypt > unencrypt: mount both, copy over


Can share an encrypted snapshot but using non-default CMK and sharing both w/ other account


Snapshots

Stored on S3 under the hood (can't see them)
incremental in nature (behind the scenes first snapshot might still exist)
When creating snapshots of EBS volumes that are configured in a RAID array, it is critical that there is no data I/O to or from the volumes when the snapshots are created

freeze filesystem, unmount, or stop instance


Elastic File System (EFS)

NFS for EC2


EC2 Classic

internal IPs are unstable after reboot


Placement Groups

instances w/in same AZ, low latency (close together), min 10 Gbps network
stop / start as a group
failure is "insufficient capacity error"
CAN span peered VPCs, apparently


Spot Instances

If AWS terminates, no charge for last hour (you kill, you pay)
The price per instance-hour for a Spot instance is set at the beginning of each instance-hour for the entire hour. Any changes to the Spot price will not be reflected until the next instance-hour begins.


S3

URL

to object bucketname.s3.amazonaws.com/path
to static site linuxacademy-big-bucket.s3-website-ap-southeast-2.amazonaws.com


unlimited storage

no limit to number of objects in bucket


11 nines durability, 99.99% availability
Created in a Region, stay there

synchronized across all AZ w/in Region automatically
new PUT read-after-write consistent
overwrite PUT, DELETE eventual consistent


bucketnames unique across ALL regions
100 buckets / account, can't change owner
Account (not user) owns bucket
min object size: 0 bytes
max: 5GB? multipart: 5TB (recc'd > 100MB)
if rapid increase > 100 PUT/LIST/DELETE or > 300 GET reqs/sec, contact AWS
CORS configuration

JavaScript thing


Resource Based Policies

ACL to share bucket across account
Bucket Policy

Restrict off IP address, HTTP referrer,
Will overwrite "Public Permissions"
Can be edited by CloudFront Distributions
Use IAM to give a User access to a specific bucket

Resource format arn:aws:s3:::bucketname/folder


User-based Policies

IAM


RRS - Reduced Redundancy Storage

99.99 durability, availability
cheaper, for reproducible objects


Versioning

Off by default
Once on, can only be suspended, not disabled (old versions continue to exist)


Lifecycle policies

Archive (Glacier) and Delete options
Can be applied to Versions


Glacier
VPC

Spans all AZs in the Region
Internet Gateway (IGs) attach to VPC
/28 is smallest possible subnet, /16 largest

can't resize (requires redo)


Subnet

Only belongs to one AZ
/28 is smallest possible subnet, up to VPC range

First 4, last 1 reserved by AWS


Route Tables

VPC comes w/ main route table
Subnet must have route table (only one at a time, implicitly main).
Route table can have multiple Subnets
Subnet automatically associated with the main route table for the VPC (modifiable)


private subnet - no internet gateway

public requires IG + Route Table

Use when serving traffic to Internet
default subnets in default vpc are public (3 of them)
Route Table

Says all traffic to IG
Attach RT to subnet


Can set all instances to receive public IP


Even in Public, Instances needs Elastic/Public IP to comm w/ internet

Use a NAT for a Private Subnet to get updates


By default, instances w/in VPC can all communicate w/ e/o regardless of pub/private via "local route"


Can assign public IPs by default (routed to private IP (NAT))
NAT

NAT Gateway (AWS Provided)

Add to Public subnet,
Edit Route to Private Subnet (default if not explicit) to all traffic to nat


Instance

allow an instance in your VPC to initiate outbound connections to the Internet but prevent unsolicited inbound connections from the Internet
AWS provides instance types
Needs Public Subnet, Public IP
SG setting: Allow 80/443 from subnet CIDR
Disable source/destination check on EC2 instance
Add Route Table to Private Subnet pointing to NAT instance id


In VPC, reboot keeps internal + elastic IPs (not so for non-ElasticIP public ip classic)
Network ACLs (firewall at subnet level)

Live w/in a VPC. Can associate w/ multiple Subnets (Subnet has at most 1 Network ACL)
Block all traffic from an IP/range at Network ACL level
"stateless" - return traffic must be allowed through outbound rule

Security Groups - stateful, always allow return traffic


deny at low number trumps allow at high number (reverse NOT true)
increment rules by 10
Kind of like a Security Group, but for Subnets


VPC Peering Connections

Can't do across regions (only between AZs in Region)

Can do across accounts w/in same Region


Can't have overlapping CIDR
Can do 1:Many where children can't see each other (not transitive)
Can configure Routes to act at VPC or Subnet level, or instance level

Edit Route Tables of BOTH VPC/Subnets to point to the PC


Only works w/in AWS (can't peer Internal network, use a VPG or DC instead)
Can't "cross over" into S3 endpoints


Virtual Private Gateway

VPN connection from Customer Gateway to VPG in VPC
Add on-site route tables to AWS Subnet, apply to VPG
Could also run OpenVPN (not site-to-site)

Works w/ mobile devices that have OpenVPN client
Use w/ ElasticIP + backup OpenVPN to support High Availability


Bastion Host

Log in from the web, it has access to private subnet resources


Limits

5 / VPCs region

1 IG / VPC limit
ergo 5 IGs/region


50 customer gateways / region
50 VPN connections /region
200 subnets/VPC
200 Network ACLs/VPC, 20 rules/ACL
200 route tables/VPC, 50 entries/table
5 elastic IP/region
500 Security Groups / VPC, 50 rules/SG, 5 SGs/network interface


RDS

Automatic point-in-time backups, updates
Multi-AZ Deployment

primary DB instance is synchronously replicated across Availability Zones to the standby replica
InnoDB only for MySQL
Read replicas for heavy read only traffic
avoids need for user-initiated point-in-time restore


DB Subnet Groups

Needs multiple Subnets across (at least two) AZs
generally private subnets
Use DNS to connect to DB instance; IP can change on failover


Publicly Accessible needs to be True (plus SG, etc) to be accessible
Can move VPCs for non-Aurora dbs
Supported DBs

MySQL // Aurora
MariaDB
Postgres
Oracle
MSSQL


5 GB to 6 TB of storage
Can't do MySQL Clusters, would need to run on EC2
RDS does NOT support a cluster of instances w/ load balancing traffic
Can use ElasticCache clusters for caching db session info
Shares same Security Groups as EC2
Can encrypt data at rest
Can use an SSL certificate for connections
CNAME can be used w/ Route53 to give it a different DNS name
Automated Backup

automated point in time recovery (serious)
default 1 day (free), can be set up to 35


Snapshots

user initiated


Encryption

DynamoDB

Fully managed NoSQL (MongoDB): HA, scaling
Sync'd across AZ within Region
Dev specifies table throughput
Document and Key/Value
Can use SSL
Use case: User session data

AWS Database Migration Service

Done while running
homogenous, heterogenous migrations
Can stream to Redshift

Redshift

petabyte-scale data warehouse for BI

hRedshift columns = 1024kb


Supports SQL tools w/ ODBC/JDBC connections (Postgres-based)
Columnar data store
Monitors and backups data, can enable encryption

ElasticCache - in-memory data store

Redis
Memcached

Amazon Storage Gateway

Local Storage that backs up to S3
Gateway-Cached Volumes:

iSCSI mounted on-premise. Writes to S3, caches locally. Store all data in S3, cache most-frequently accessed locally.
less-limited, only cache data locally, everything else in S3 (cheaper?)


Gateway-Stored Volumes:

local storage, periodic incremental snapshots
limited to the amount of space you allocate to the VM (eg potentially more costly)


Recommend use w/ Direct Connect

Import/Export

Mail hard drives
Example: Baseline data into S3 (use incremental updates over internet)
Snowball

Secure appliance (encrypted)


Direct Connect - dedicated private connection from ISP to AWS

Not over internet
Private Virtual Interface

Only internal IP addresses inside of EC2


Public Virtual Interface

connect to public AWS endpoints


Cross Connect
Alternative to VPN
1 to 10 GB

IAM

Global users, all AWS regions

New users start with no permissions


Federated - can integrate w/ existing LDAP or Kerberos
Simple Token Service

Temporary permissions for users/role


SAML - integrate w/ active directory
Groups -

Collection of IAM users
Deny overrides allow


Roles - other AWS resources (users, EC2 instances can assume)

Identify Provider Access - gran on-premises networks Role access
Don't have API credentials (password or access keys)
EC2 Instance can only assume ONE Role when it is first created (cannot change or add)
Roles are always preferred to API keys
Default PowerUser role has access to everything except IAM
Delegation requires

Trust Policy
Permissions Policy


Temporary Credentials
Policies

Last 5 versions are tracked


ARN - Amazon Resource Name (includes amazon account id)
Security Token Service - assume a temporary role, do something (write to database), expires
Cloudtrail - logs API calls
Resource-level permissions

EC2
EBS: attach, delete, detach
Could require MFA for actions


Cannot apply permissions to Root

AWS WAF

Web application firewall, blocks common attacks (SQL injection, cross-site scripting)

Route53

Apex of domain is "bare", w/o subdomain "example.com"

Route53 can Alias to

ELB
CloudFront
Elastic Beanstalk
S3 Bucket configured Static
other R53 record in zone


Routing Policy

Simple
Latency based routing / multiregion failover

"Active-Active"
Routes to whichever has lowest latency
Requires duplicate architecture (use CloudFormation)


Weighted

"Active-Active"
Probabilistic off weighting
Useful for A/B tests


Geo-based Routing

Compliance w/ laws


Failover

Active-Passive
Example was ELB-Instance failing to CloudFormation-S3


SNS

Notifications when events occur in AWS
Topic: what a message is sent to
Subscription/Subscriber: who/what gets the message

SMS, HTTPS,JSON,SQS


Exists at Region level (e.g., don't pick an AZ)

SQS - Simple Queue Service

Exists at Region level (e.g., don't pick an AZ)
Distributed and Decoupled applications (Fault Tolerant)
Messages up to 256KB
Default message retention in queue is 4 days

Can set to 60s to 14 days


Standard Queue

at-least-once message delivery


FIFO (First In First Out)
Maximum inflight messages

120,000 standard
20,000 FIFO


Default Visibility Timeout is 30s
Guaranteed delivery
Order best effort
Can create an Auto Scaling group for component based off queue size
Long Polling

1-20s waits for all messages in queue
Reduces cost when you get lots of empty responses
Queries all servers


Short Polling (default)

increases API requests (increases cost)
returns some (not all) messages in queue (queries subset of servers)


dead-letter queue

messages that cannot be processed successfully (poison-pill management)
Must be in the same Region as the feeder queue


SWF - Simple Work Flow Service

Distributed and Decoupled applications (Fault Tolerant)
coordinates asynchronously across multiple devices
guaranteed order, no duplicates
Execution can last up to 1 year
Activity Task
Decision Task
API is task-oriented (SQS is message-oriented)

Amazon API Gateway

Service to build RESFUL API to expose lambda, http, other

EMR - Elastic MapReduce

Hadoop Master/Slave

Master, Core, Task Nodes


Can launch apps on it (Hive, Pig compatible
Launches a pre-built Hadoop cluster

You can login (unlike RDS)


Input data from S3, DynamoDB, RedShift

S3 mounted by default


Chunk out data into 128MB sizes (default, can be changed)

split files loaded into memory


Preconfigured Hadoop AMI w/ Mappers/Reducers per instance size
Can use CloudWatch to configure number of workers
customers may encrypt the input data before they upload it to Amazon S3 (using any common data compression tool); they then need to add a decryption step to the beginning of their cluster when Amazon EMR fetches the data from Amazon S3.

Kinesis

Collect data from multiple Producers, maintains order
"Stream"

Preserves for 24hrs default, 7 days max
Data blob can be 1 MB


Run SQL queries on streaming data
Emit from Kensis Streams to S3, Redshift, EMR, Lambda (Consumers)
Scale across multiple shards
Aggregation refers to the storage of multiple records in a Streams record

Elastic Beanstalk

Uses CloudFormation templates
Deploy less-complex applications, single tier, core services

EC2
Auto Scaling
ELB
RDS
SQS
CloudFront


Supported Platforms:

Docker
Java
Windows .NET
Node.js
PHP
Python
Ruby


Don't use if:

Need software updates on boot?


Integrates with version control
Web server Environment vs Worker Environment
Deploys an ELB, integrates w/ Route53

CloudFormation - create and provision resources w/ templates

JSON Templates "infrastructure as code"
Stack - template that deploys infrastructure

Can create from existing application architecture
25 at a time


Resources

AWS things to be launched


Can configure Parameters that prompt for user input
"Automatic rollback on error" enabled by default

CloudWatch

Can be used to shut down inactive instances
integrates w/ CloudTrail for AWS environment change monitoring
Only accessible via SSL endpoint
EC Instances "built in" hypervisor metrics

CPU
Network I/O
Disk Read/Write


EC Instance custom metrics (non-RDS)

disk usage / free
swap
memory use /free


Status Check

"self healing applications"


Basic: 5 min, Detailed: 1 min

CloudTrail

Log any action taken against AWS API, user details of who did it

account, IP, time, parameters, response


CloudFront - CDN, uses edge locations to serve data

Edge Location - AWS datacenter w/o services
origin (S3 bucket, ELB CNAME) to edge location
distribution can have multiple origins (by device type)

Web or RTMP (Flash media)
Restrict Bucket Access: Only accessible via CloudFront, ignore Bucket policy

CloudFront adds ACL to Bucket Policy (OAI?)
S3 Bucket permissions still apply otherwise


Private content

can create one time use "signed URLs" (or cookies) for private content

urls for RTMP, individual files
cookies for multiple files, or to not change URLs


specify ending datetime (optional: starttime, IP address range)
Limit S3 access to just CloudFront

Create Origin Access identity (OAI)
Give it S3 read permissions, lock out everyone else


Price Class: varies by geographic spread
Route53

can create alternate cnames for long CloudFront names (eg "cdn.mywebsite.com")
Can create two Alias records, one as primary one as failover (eg, ELB to Instance, CloudFront to S3)

"Active-Passive"


caches files until

cache expires
or overwrite w/ new name
or create an "invalidation" (costs, might be cheaper to recreate a new CloudFront distribution & update CNAME)


AWS Config

Point in time snapshot of AWS
JSON
Stores config changes

Trusted Advisor

Notify you of security holes, High Availability issues, cost, performance
According to AWS best practices

CloudHSM

Hardware Security Module
You can implement in multiple AZs and enable replication
dedicated hardware to store keys, encryption, etc
isolated physically, tamper resistant
Compliance reasons, encrypt data/files
AWS Engineers don't have access

Key Management Service
AWS CloudSearch

Upload data, they index and provide a search interface

AWS ElasticSearch Service
ECS EC2 Container Service

Start/Stop Docker containers

AWS Lambda

Run code in response to "events"
AWS handles all scaling