@allistera
Last active October 30, 2020 01:41

AWS Certified Solutions Architect - Associate Notes

IAM

  • Power users can do everything except manage users and groups.
  • Can assign Roles to EC2 Instances.
  • Access Key ID and Secret Access Key are auto-generated on user account creation.
  • Create a role and attach a policy to grant users temporary access.
  • 'Paying Account' and 'Linked Account' are the consolidated billing account types.

EC2

  • Need to take a snapshot to encrypt a non-encrypted instance.
  • Types of alerts:
    • OK
    • Alarm
    • Insufficient Data
  • Use spot instances for:
    • Massive parallel computations
    • Cost optimisations
    • Spikes in compute requirements.
  • With spot instances you pay the current price up to each hour.
  • Increasing instance size increases network performance, including communication with EBS.
  • Ratio of IOPS to volume size is 50:1, so if the volume is 8 GiB the max IOPS is 400.
  • 16 TiB max size.
  • Reserved instances are best for running for long periods.
  • Restarting will most likely cause it to start on a new host.
  • Use 'Logs Agent' to send data to CloudWatch.
  • Can run command from EC2 console without needing to login to the host.

Auto Scaling

  • If more than 20 instances will not spin up, it may be due to soft limits.
  • Scales over a period of time, not on spikes.
  • Scales in according to a hierarchy of decisions.
  • Proactive Cyclic Scaling allows scaling during desired time window.

Networking

  • Use simple solutions such as spreading load out, and know the difference between storage traffic and general network traffic.
  • A private IP address is not required to allow public access to an EC2 instance.
  • 'Warm Attach' = attaching an ENI (Elastic Network Interface) to an instance when it is stopped.
  • You will be charged for an Elastic IP if it is associated with a stopped instance.

VPC

  • By default, soft limit of 5 per region.
  • Once a VPC is set to Designated Hosting, it is not possible to change to Default Hosting. Must re-create the VPC.
  • VPC Peering does not support edge-to-edge routing.
  • An internet gateway can only be attached to one VPC.
  • A VPN subnet is one which has a route in its routing table to an internet gateway.
  • Use VPC Flow Logs to monitor traffic.
  • Can span multiple AZs.

Subnets

  • Subnet can only be in one AZ.
  • Amazon reserves 5 IPs on subnet creation.
  • By default all subnets can route between each other in the VPC.

Security

  • Security groups are stateful.
  • ACLs are stateless - must create both inbound and outbound rules.
  • By default subnets will be able to communicate with each other via Main routing table.
  • Security Groups act like a firewall.
  • Storage Gateway, Glacier and RedShift are encrypted by default.
  • OS-level access is given to you on EC2, EMR, Elastic Beanstalk and OpsWorks.
  • Need permission from Amazon to run a pen test.
  • The command revoke-security-group-ingress removes one or more rules from a security group.

ELB

  • Limited to 1 region. Spans AZs.
  • To monitor logs, 'Access Logs' needs to be enabled on the LB.
  • Must enable Cross-Zone LB for an ELB that spans multiple AZs.
  • Uses HTTPS/SSL.
  • Host-based routing is not supported by the classic LB.

NAT

  • The most common oversight with NAT instances is forgetting to disable the source/destination check.

S3

  • URL scheme: http://[BucketName].s3-website.[Region].amazonaws.com.
  • Use a referrer policy to block hot-linking.
  • Provides read-after-write consistency for PUTs of a new object.
  • Eventual consistency for overwrite PUTs and DELETEs.
  • Create an Origin Access Identity (OAI) for CloudFront to limit access to S3 buckets.
  • Events can trigger SNS, SQS or Lambda.
  • If > 100 PUT/LIST/DELETE per second or > 300 then add a random prefix.
  • Not encrypted by default, but can be when the right APIs are called for SSE.
  • Use 'Transfer Acceleration' to improve transfer speed.
  • Requests per second is an important design consideration.

EBS

  • Order of actions to back up a RAID volume: Stop IO, Take Snapshot, Wait, Start IO.
  • Can be used to full capacity while a snapshot is pending.
  • Stored in a single AZ.
  • Ephemeral == Temporary.

DynamoDB

  • Allows for storage of large text and binary objects. Limit of 400 KB per item.
  • Can be used for:
    • Managing Web Sessions.
    • Storing JSON documents.
    • Storing metadata for S3 objects.
  • Is fully managed.
  • Automatically scales.

Import/Export/Migration

  • Import/Export does not support export from Glacier.
  • Use AWS VM Import/Export for VMs.

RDS

  • Read replication is supported in MySQL, MariaDB and PostgreSQL, NOT Oracle.
  • DB Parameter Groups can be used to assign specific settings to an RDS instance.
  • When running in Multi-AZ you can NOT use the standby for reads/writes.
  • Multi-AZ is an example of sync replication.
  • Secondary DB instances cannot be used for writing purposes.
  • A DB Subnet Group is a collection of subnets that you may want to designate for your RDS DB instances in a VPC. Each DB Subnet Group should have at least one subnet for every Availability Zone in a given Region.
  • Can record database memory usage, disk ops, and database visibility metrics from CloudWatch.
  • Only partially managed - you still have to specify server capacity, security groups, VPCs, etc.

SQS

  • Use two queues to handle priorities.
  • Invisible in the queue for 12 hours.
  • Long polling won't return a response until a message arrives in the queue.
  • Short polling will return an empty response.
  • Messages live for 14 days.
  • Max message size is 256 KB.
  • Guaranteed to be delivered at least once.
  • Order is not guaranteed to be preserved.

Route53

  • Cannot assign alias records to hostnames outside of AWS.
  • Internal records cannot be read by external sources. To work around this, create an EC2 DNS server.
  • Use an A record to point to an LB's DNS name.

Lambda

  • Automatically Scales.
  • Temporary space is 512 MB.
  • 300ms is the max execution time.

API Gateway

  • Automatically scales.
  • Gives you throttling and caching services.

Storage Gateway

  • Valid types of storage gateways:
    • Gateway-cached Volume
    • Gateway-stored Volume
    • Gateway-virtual Tape Library

CloudWatch

  • Min time interval for data is 5 mins for basic monitoring.
  • 14 days is the retention period for 1-min data points.
  • Use to monitor for error messages and create an alarm or auto-restart the server.
  • Use the 'Freeable Memory' tab to indicate free memory.

SWF

  • A decision task is used to tell the decider the state of the workflow execution.
  • Best option for order-processing problems.

CloudFront

  • Can serve content from S3 buckets or HTTP servers.

Trusted Advisor

  • Use to check snapshots and IP addresses.

Kinesis

  • Retention period is 24 hours by default, max is 7 days.

EMR

  • Methods to reduce job time:
    • Change input size
    • Increase the number of workers

Misc

  • Amazon Resource Names (ARNs) are used to identify AWS resources.