- Power users can do everything except manage users and groups.
- Can assign Roles to EC2 Instances.
- Access Key ID and Secret Access Key are auto-generated on user account creation.
- Create role and attach policy for granting users temporary access.
- 'Paying Account' and 'Linked Account' are types of consolidated billing account types.
- Need to take snapshot to encrypt a non-encrypted instance.
- Types of alerts:
- OK
- Alarm
- Insufficient Data
- Use spot instances for:
- Massive parallel computations
- Cost optimisations
- Increased / spiky compute requirements.
- With spot instances you pay the current price up to each hour.
- Increasing instance size increases network performance, including communication with EBS.
- Ratio of IOPS to volume is 50:1 - so if volume is 8GiB the max IOPS is 400.
- 16TiB Max Size.
- Reserved instances are best for running for long periods.
- Restarting will most likely cause it to start on a new host.
- Use 'Logs Agent' to send data to CloudWatch.
- Can run command from EC2 console without needing to login to the host.
- If more than 20 instances will not spin up, it may be due to soft limits.
- Over a period of time, not spikes.
- Scales in according to a hierarchy of decisions.
- Proactive Cyclic Scaling allows scaling during desired time window.
- Use simple solutions such as spreading load out and know the difference between storage traffic and general network traffic.
- Private IP Address is not required to allow public access to EC2 instance.
- 'Warm Attach' = attaching an ENI (Elastic Network Interface) to an instance while it is stopped.
- You will be charged for an Elastic IP if it is associated to a stopped instance.
- By default soft limit of 5 per region.
- Once VPC is set to Designated Hosting, not possible to change to Default Hosting. Must re-create VPC.
- VPC Peering does not support edge to edge routing.
- Internet gateway can only be attached to one VPC.
- A VPN subnet is one which has 1 route in its routing table that is an internet gateway.
- Use VPC Flow Logs to monitor traffic.
- Can span multiple AZs.
- Subnet can only be in one AZ.
- Amazon reserves 5 IPs on subnet creation.
- By default all subnets can route between each other in the VPC.
- Security groups are stateful.
- ACLs are stateless - must create both inbound and outbound rules.
- By default subnets will be able to communicate with each other via Main routing table.
- Security Groups act like a firewall.
- Storage Gateway, Glacier and RedShift are encrypted by default.
- OS Level access is given to you on EC2, EMR, Elastic Beanstalk and OpsWorks.
- Need permission from Amazon to run pen test.
- Command `revoke-security-group-ingress` will remove one or more rules from a security group.
- Limited to 1 region. Span AZs.
- To monitor logs 'Access Logs' needs to be enabled on the LB.
- Must enable Cross-Zone LB for ELB that spans multiple AZs.
- Uses HTTPS/SSL.
- Host based routing is not supported by the classic LB.
- Most common oversight with NAT instances is forgetting to disable the source/destination check.
- URL Schema: `http://[BucketName].s3-website.[Region].amazonaws.com`
- Use referrer policy to block hot-linking.
- Provides read-after-write consistency for PUTs of a new object.
- Eventual consistency for overwrite PUTs and DELETEs.
- Create Origin Access Identity (OAI) for CloudFront to limit access to S3 buckets.
- Events can trigger SNS, SQS or Lambda.
- If > 100 PUT/LIST/DELETE per second or > 300 per second, add a random prefix to keys.
- Not encrypted by default, but can be when the right APIs are called for SSE.
- Use 'Transfer Acceleration' to improve transfer speed.
- Requests per second is important for design.
- Order of actions to backup a RAID volume: Stop IO, Take Snapshot, Wait, Start IO.
- Can be used to full capacity when snapshot is pending.
- Stored in a single AZ.
- Ephemeral == Temporary.
- Allows for storage of large text and binary objects. Limit of 400 KB per item.
- Can be used for:
- Managing Web Sessions.
- Storing JSON documents.
- Storing metadata for S3 objects.
- Is fully managed.
- Automatically Scales
- Import/Export does not support export from Glacier.
- Use AWS VM Import/Export for VMs.
- Read replication is supported in MySQL, MariaDB and PostgreSQL NOT Oracle.
- DB Parameter Groups can be used to assign specific settings to RDS instance.
- When running in Multi-AZ you can NOT use standby for read/writes.
- Multi-AZ is an example of sync replication.
- Secondary DB instances can not be used for writing purposes.
- DB Subnet Group is a collection of subnets that you may want to designate for your RDS DB Instances in a VPC. Each DB Subnet Group should have at least one subnet for every Availability Zone in a given Region.
- Can record database memory usage, disk ops, and database visibility metrics from CloudWatch.
- Only partially managed - you still have to specify server capacity, security groups, VPCs etc.
- Use two queues to handle priorities.
- Invisible in the queue for 12 hours.
- Long polling won't return a response until a message arrives in the queue.
- Short polling will return an empty response.
- Messages live for 14 days.
- Max message size is 256KB.
- Guaranteed to be delivered at least once.
- Order is not guaranteed to be preserved.
- Can not assign alias records to hostnames outside of AWS.
- Internal records can not be read by external sources. To work around this, create an EC2 DNS server.
- Use an A record to point to a LB's DNS name.
- Automatically Scales.
- Temporary space is 512MB.
- 300ms is the max execution time.
- Automatically scales.
- Gives you throttling and caching services.
- Valid types of storage gateways:
- Gateway-cached Volume
- Gateway-stored Volume
- Gateway-virtual Tape Library
- Min time interval for the data is 5 mins for basic monitoring.
- 14 days is the retention period for 1 min data point.
- Use to monitor for error messages and create an alarm/auto restart server.
- Use the 'Freeable Memory' tab to indicate free memory.
- A decision task is used to tell the decider the state of the workflow execution.
- Use as best option for order processing problems.
- Can host S3 buckets or HTTP server content.
- Use to check snapshots and IP addresses.
- Retention period is 24 hours by default, max is 7 days.
- Methods to reduce job time:
- Change input Size
- Increase the number of workers
- Amazon Resource Name (ARNs) are used to identify AWS resources.