- An HTTP 502 status code (Bad Gateway) indicates that CloudFront wasn't able to serve the requested object because it couldn't connect to the origin server.
- An HTTP 504 status code (Gateway Timeout)
- API Gateway limit: 10,000 requests per second
- Request flow: method request > integration request > Lambda / other backend > integration response > method response
- If one API is throttled, the entire API is affected
- Maximum timeout: 29 seconds
- CORS can be enabled
- Types of authentication:
- IAM permissions with SigV4
- Lambda Authorizer
- Cognito User Pools
- Integration type MOCK: API Gateway returns a response without sending the request to the backend
- Integration type HTTP / AWS (Lambda & AWS services):
- You must configure both the integration request and the integration response
- Set up data mapping using mapping templates for the request & response
- Integration type AWS_PROXY (Lambda proxy):
- The incoming request from the client is the input to Lambda
- The function is responsible for the logic of request / response
- No mapping template; headers, query string parameters, etc. are passed as arguments
- Integration type HTTP_PROXY:
- No mapping template
- The HTTP request is passed to the backend
- The HTTP response from the backend is forwarded by API Gateway
- Latency simply measures the overall responsiveness of your API calls.
- IntegrationLatency measures the responsiveness of the backend, not the requests which are served from the backend.
- A Cognito Identity Pool cannot be used as an authorizer for API Gateway.
- CodeCommit
- Data in AWS CodeCommit repositories is encrypted in transit and at rest
- The first time you create an AWS CodeCommit repository in a new region in your AWS account, CodeCommit creates an AWS-managed key in that same region in AWS Key Management Service (AWS KMS) that is used only by CodeCommit.
- CodeBuild
- CodeBuild runs on an AMI, so environment variables are available; artifacts can be pushed to S3
- Can cache dependencies on S3
- CodeDeploy
- CodeDeploy can deploy applications to EC2, AWS Lambda, Amazon ECS and on-premises servers
- appspec.yml
- The CodeDeploy agent is not required for deployments that use the Amazon ECS or AWS Lambda compute platform, but it is required for EC2
- Two types of deployment
- In-place deployment: the application on each instance in the deployment group is stopped, then the latest application revision is installed
- Lambda: not supported
- ECS, EC2 / on-premises servers: supported
- Blue/green deployment
- Works on EC2, ECS, Lambda
- On-premises: not supported
- CodeDeploy lifecycle stages
- ApplicationStop
- DownloadBundle
- BeforeInstall
- Install
- AfterInstall
- ApplicationStart
- ValidateService (important)
- A stack set lets you create stacks in AWS accounts across regions by using a single AWS CloudFormation template.
- CloudFormation parameter types:
- String: A literal string
- Number: An integer or float
- List<Number>: An array of integers or floats
- CommaDelimitedList: An array of literal strings that are separated by commas
- AWS::EC2::KeyPair::KeyName: An Amazon EC2 key pair name
- AWS::EC2::SecurityGroup::Id: A security group ID
- AWS::EC2::Subnet::Id: A subnet ID
- AWS::EC2::VPC::Id: A VPC ID
- List<AWS::EC2::VPC::Id>: An array of VPC IDs
- List<AWS::EC2::SecurityGroup::Id>: An array of security group IDs
- List<AWS::EC2::Subnet::Id>: An array of subnet IDs
- CloudFront: for premium / restricted access, use signed URLs / signed cookies
- To route to different kinds of origins based on the content type
- Based on path pattern:
- /images/*
- /api/*
- /*
- By default, CloudTrail event log files are encrypted using Amazon S3 server-side encryption (SSE)
- By default, data events are not logged
- Global tables: if your application is accessed by globally distributed users
- Max item size: 400 KB
- RCU: 4 KB per second (one read of an item up to 4 KB per second)
- WCU: 1 KB per second (one write of an item up to 1 KB per second)
- 1 RCU = 1 strongly consistent read or 2 eventually consistent reads
- DynamoDB uses eventually consistent reads by default
- LSI: max 5, must be declared at table creation
- GSI: max 1, can be created after table creation
- DynamoDB transactions: double RCU and WCU
- Filter expression: determines which items within the Scan results are returned to you
- A projection expression is a string that identifies the attributes you want
- --page-size: specify that the AWS CLI retrieves the full list of items but with a larger number of API calls instead of one API call (default: 1000 items)
- --max-items: max. number of items to show in the CLI (returns NextToken)
- --starting-token: specify the last NextToken to retrieve the next set of items
- All data in DynamoDB Streams is subject to a 24-hour lifetime
- LSI: both eventual and strong consistency; GSI: only strong
- LSI: only particular attributes; GSI: the entire table
- Atomic counters unconditionally increment without interfering with other write requests
- Optimistic locking: a record is locked only when changes are committed to the database. Pessimistic locking: a record is locked while it is edited
- Global secondary index — an index with a partition key and a sort key that can be different from those on the base table. A global secondary index is considered "global" because queries on the index can span all of the data in the base table, across all partitions.
- Local secondary index — an index that has the same partition key as the base table, but a different sort key. A local secondary index is "local" in the sense that every partition of a local secondary index is scoped to a base table partition that has the same partition key value.
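As an added worked example (not part of the original notes), the RCU/WCU rules above turned into a capacity calculator: item size is rounded up to whole 4 KB (read) or 1 KB (write) chunks, eventual reads cost half a strong read, transactions double both, and an item over 400 KB is rejected. The 6 KB item and the request rates are constructed sample inputs.

```python
import math

MAX_ITEM_BYTES = 400 * 1024  # DynamoDB item size limit from the notes (400 KB)
RCU_CHUNK_BYTES = 4 * 1024   # one RCU covers a 4 KB chunk of an item
WCU_CHUNK_BYTES = 1 * 1024   # one WCU covers a 1 KB chunk of an item

# Cost of one read per 4 KB chunk, relative to a strongly consistent read:
# 1 RCU = 1 strong read or 2 eventual reads; transactional reads cost double.
READ_COST = {"strong": 1.0, "eventual": 0.5, "transactional": 2.0}


def _check_item_size(item_size_bytes: int) -> None:
    if item_size_bytes <= 0 or item_size_bytes > MAX_ITEM_BYTES:
        raise ValueError("item size must be between 1 byte and 400 KB")


def read_capacity_units(item_size_bytes: int, reads_per_sec: int,
                        consistency: str = "eventual") -> float:
    """RCUs needed to read `reads_per_sec` items of `item_size_bytes` each.

    Item size is rounded up to whole 4 KB chunks before the per-read cost
    (strong / eventual / transactional) is applied. The default mirrors
    DynamoDB's default of eventually consistent reads.
    """
    _check_item_size(item_size_bytes)
    chunks = math.ceil(item_size_bytes / RCU_CHUNK_BYTES)
    return chunks * READ_COST[consistency] * reads_per_sec


def write_capacity_units(item_size_bytes: int, writes_per_sec: int,
                         transactional: bool = False) -> int:
    """WCUs needed: size rounded up to whole 1 KB chunks; transactions cost double."""
    _check_item_size(item_size_bytes)
    chunks = math.ceil(item_size_bytes / WCU_CHUNK_BYTES)
    return chunks * writes_per_sec * (2 if transactional else 1)


if __name__ == "__main__":
    # Constructed example: 6 KB items, 10 reads/s and 10 writes/s.
    print(read_capacity_units(6 * 1024, 10, "strong"))         # 20.0
    print(read_capacity_units(6 * 1024, 10, "eventual"))       # 10.0
    print(read_capacity_units(6 * 1024, 10, "transactional"))  # 40.0
    print(write_capacity_units(6 * 1024, 10))                  # 60
    print(write_capacity_units(6 * 1024, 10, transactional=True))  # 120
```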
- Default monitoring: every 5 minutes; detailed monitoring: every 1 minute
- SSH port: 22, HTTP: 80, FTP: 21, HTTPS: 443, Windows RDP: 3389
- Metadata: 169.254.169.254/latest/meta-data
- EBS volumes are AZ-locked
- Only Zonal Reserved Instances provide capacity reservation
- Types of EC2 instances
- On-Demand Instances – short workload, predictable pricing, pay by the second
- Reserved (1 & 3 years)
- Reserved Instances – long workloads
- Convertible Reserved Instances – long workloads with flexible instances
- Savings Plans (1 & 3 years) – commitment to an amount of usage, long workload
- Spot Instances – short workloads, cheap, can lose instances (less reliable)
- Dedicated Hosts – book an entire physical server, control instance placement
- Dedicated Instances – no other customers will share your hardware
- Capacity Reservations – reserve capacity in a specific AZ for any duration
- EBS is limited to one AZ; EFS works across AZs
- EBS volumes support both in-flight encryption and encryption at rest using KMS
- SSE-C: Amazon S3 will reject any requests made over HTTP when using SSE-C; only HTTPS is accepted
- CloudWatch does not monitor the memory, swap, and disk space utilization of your instances. If you need to track these metrics, you can install the CloudWatch agent on your EC2 instances.
- In the ecs.config file you have to configure the parameter ECS_CLUSTER='your_cluster_name' to register the container instance with a cluster named 'your_cluster_name'
- EC2 Instance Profile (EC2 launch type only):
- Used by the ECS agent
- Makes API calls to the ECS service
- Sends container logs to CloudWatch Logs
- Pulls Docker images from ECR
- References sensitive data in Secrets Manager or SSM Parameter Store
- ECS Task Role:
- Allows each task to have a specific role
- Use different roles for the different ECS services you run
- The task role is defined in the task definition
- Never terminate the container instance while it is in the RUNNING state; that leads to synchronization issues
- If you terminate a container instance in the RUNNING state, that container instance is automatically removed or deregistered from the cluster. However, if you terminate a container instance in the STOPPED state, that container instance isn't automatically removed from the cluster.
- Cluster queries are expressions that enable you to group objects.
- Elastic Beanstalk Single Instance mode: great for development environments
- High Availability with Load Balancer mode: great for production environments
- Configuration files are YAML- or JSON-formatted documents with a .config file extension, placed in a folder named .ebextensions
- ElastiCache strategies: Lazy Loading / Cache-Aside / Lazy Population; Write-Through
- All the nodes in a Redis cluster must reside in the same region
- LB
- Provides SSL termination (HTTPS) for your websites
- Does regular health checks on your instances
- Separates public traffic from private traffic
- ALB
- Load balancing based on route (path) in the URL
- Load balancing based on hostname in the URL
- The true IP of the client is inserted in the header X-Forwarded-For
- An ALB has three possible target types: Instance, IP and Lambda
- Any Load Balancer (CLB, ALB, NLB) has a static hostname. Do not resolve and use the underlying IP
- KMS Encrypt is used for data up to 4 KB; if > 4 KB, use envelope encryption (GenerateDataKey API)
- SSL termination refers to the process of decrypting encrypted traffic before passing it along to a web server. SSL passthrough is the opposite of it
- It is enabled at region level; all the underlying objects get encrypted
- For SSL certificates we can use either ACM or the IAM certificate store. In unsupported Regions, you must use IAM as the certificate manager.
- aws sts get-caller-identity: get the current user; also aws iam get-user
- IAM credential usage: lists all the credentials and their usage
- An IAM group cannot be part of another group
- A resource-based policy specifies who (which principal) can access that resource.
- The CLI will look for credentials in this order:
- Command line options – --region, --output, and --profile
- Environment variables – AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN
- CLI credentials file – aws configure; ~/.aws/credentials on Linux / macOS & C:\Users\USERNAME\.aws\credentials on Windows
- CLI configuration file – aws configure; ~/.aws/config on Linux / macOS & C:\Users\USERNAME\.aws\config on Windows
- Container credentials – for ECS tasks
- Instance profile credentials – for EC2 Instance Profiles
- IAM Credentials Report (account-level): a report that lists all your account's users and the status of their various credentials
- IAM Access Advisor (user-level): shows the service permissions granted to a user and when those services were last accessed
- Components of a policy
- Sid
- Effect: Allow / Deny
- Resource: AWS service ARN / any other ID
- Principal: if the policy has none, it is an IAM (identity-based) policy, usually assigned to a user
- Condition:
- The GetSessionToken API returns a set of temporary credentials for an AWS account or IAM user. Use GetSessionToken if you want to use MFA to protect programmatic calls
- AssumeRoleWithWebIdentity returns a set of temporary security credentials for federated users who are authenticated through public identity providers such as Amazon, Facebook, Google, or OpenID
- AssumeRoleWithSAML returns a set of temporary security credentials for users who have been authenticated via a SAML authentication response.
- Kinesis Agent is a stand-alone Java software application that offers an easy way to collect and send data to Kinesis Data Streams.
- KMS: max is 4 KB
- For anything over 4 KB, you may want to look at envelope encryption
- KMS stores the CMK and receives data from the clients, which it encrypts and sends back
- Important APIs:
- CreateKey
- Decrypt
- DisableKeyRotation
- EnableKeyRotation
- Encrypt
- GenerateDataKey
- GenerateDataKeyPair
- GenerateDataKeyPairWithoutPlaintext
- GenerateDataKeyWithoutPlaintext
- KMS is integrated with the following services:
- CodeCommit (auto)
- CodeBuild
- CodePipeline (auto/managed)
- Elasticsearch
- EBS
- SSM
- Lambda
- S3
- SQS (enable button)
- Automatic key rotation is only supported for symmetric KMS keys. Automatic key rotation is not available for asymmetric keys, keys in custom key stores, and keys with imported key material.
- Lambda concurrency limit: 1000; at most 900 can be allocated to a function, the remaining 100 are used by other functions
- Supported runtimes: Java, Go, PowerShell, Node.js, C#, Python, and Ruby; C/C++ not supported
- Throttling error code: 423
- Environment variable limit: 4 KB
- If native dependencies: deploy either by zip or by CloudFormation template
- If external dependencies: deploy by zip with the dependencies included, or use layers
- CodeDeploy can help you automate traffic shifting for Lambda aliases
- The feature is integrated within the SAM framework
- Linear: grow traffic every N minutes until 100%
- Linear10PercentEvery3Minutes
- Linear10PercentEvery10Minutes
- Canary: try X percent, then 100%
- Canary10Percent5Minutes
- Canary10Percent30Minutes
- AllAtOnce: immediate
- Extract the log stream name from the Context object of the handler function.
- Note: EC2 memory usage is by default not pushed (must be pushed from inside the instance as a custom metric)
- EC2 instance metrics come "every 5 minutes"; with detailed monitoring (for a cost), you get data "every 1 minute"
- Enable detailed monitoring from the CLI: aws ec2 monitor-instances --instance-ids i-1234567890abcdef0
- Use the PutMetricData API call to create custom logs
- IAM username and password credentials cannot be used to access CodeCommit.
- By default, CloudWatch Logs never expire
- A record: IP address
- CNAME: hostname
- Alias: points a hostname to an AWS resource; works for both root and non-root domains
- Max 5 read replicas
- Aurora
- Supports PostgreSQL and MySQL
- 6 copies across 3 AZs
- Enable the automated backup feature of Amazon RDS in a multi-AZ deployment that creates backups in a SINGLE AWS Region
- Max object size 5 TB; if uploading more than 5 GB, you must use "multi-part upload"
- At the CLI, use --dry-run to simulate the policy
- No chaining of replication
- Replication only replicates the objects added to the bucket after replication is enabled on the bucket.
- S3 lifecycle actions are not replicated with S3 replication
- Encryption
- SSE-C
- With the encryption key you provide as part of your request, Amazon S3 manages both the encryption, as it writes to disks, and decryption, when you access your objects.
- Amazon S3 will reject any requests made over HTTP when using SSE-C
- Include headers:
- x-amz-server-side-encryption-customer-algorithm
- x-amz-server-side-encryption-customer-key
- x-amz-server-side-encryption-customer-key-MD5
- SSE-KMS
- Include header: x-amz-server-side-encryption: aws:kms
- SSE-S3
- Include header: x-amz-server-side-encryption: AES256
- Client-Side Encryption - You can encrypt the data client-side and upload the encrypted data to Amazon S3. In this case, you manage the encryption process, the encryption keys, and related tools.
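Added example, not from the original notes: building and checking the three SSE-C headers listed above. The header names are the ones in the notes; the AES256 algorithm value and the base64(MD5(raw key)) convention are what S3 documents for SSE-C. The 32-byte key is a constructed demo value.

```python
import base64
import hashlib
import os

SSE_C_ALGORITHM = "AES256"  # the only algorithm value S3 accepts for SSE-C
SSE_C_KEY_BYTES = 32        # SSE-C keys are exactly 256 bits

H_ALG = "x-amz-server-side-encryption-customer-algorithm"
H_KEY = "x-amz-server-side-encryption-customer-key"
H_MD5 = "x-amz-server-side-encryption-customer-key-MD5"


def sse_c_headers(raw_key: bytes) -> dict:
    """Build the three SSE-C request headers from a raw 256-bit key.

    The key travels base64-encoded; the MD5 header carries base64(MD5(raw key))
    so S3 can detect a key corrupted in transit. The same three headers are
    required again on every GET, because S3 does not store the key.
    """
    if len(raw_key) != SSE_C_KEY_BYTES:
        raise ValueError("SSE-C key must be exactly 32 bytes (256 bits)")
    return {
        H_ALG: SSE_C_ALGORITHM,
        H_KEY: base64.b64encode(raw_key).decode("ascii"),
        H_MD5: base64.b64encode(hashlib.md5(raw_key).digest()).decode("ascii"),
    }


def sse_c_headers_consistent(headers: dict) -> bool:
    """Re-do S3's own check: the MD5 header must match the decoded key header."""
    try:
        key = base64.b64decode(headers[H_KEY], validate=True)
        sent_md5 = base64.b64decode(headers[H_MD5], validate=True)
    except (KeyError, ValueError):  # binascii.Error is a ValueError subclass
        return False
    return (headers.get(H_ALG) == SSE_C_ALGORITHM
            and len(key) == SSE_C_KEY_BYTES
            and sent_md5 == hashlib.md5(key).digest())


def sse_c_request_allowed(url: str) -> bool:
    """S3 rejects SSE-C over plain HTTP: the key would cross the wire in clear."""
    return url.lower().startswith("https://")


if __name__ == "__main__":
    key = os.urandom(SSE_C_KEY_BYTES)  # constructed demo key; keep real keys out of source
    hdrs = sse_c_headers(key)
    print(sse_c_headers_consistent(hdrs))                                 # True
    print(sse_c_request_allowed("http://example-bucket.s3.amazonaws.com/obj"))  # False
```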
- S3 Transfer Acceleration takes advantage of Amazon CloudFront's globally distributed edge locations.
- To perform a multipart upload with encryption using an AWS Key Management Service (AWS KMS) customer master key (CMK), the requester must have permission to the kms:Decrypt and kms:GenerateDataKey* actions on the key. These permissions are required because Amazon S3 must decrypt and read data from the encrypted file parts before it completes the multipart upload.
- CORS rules can be implemented using the below elements
- AllowedOrigin - Specifies domain origins that you allow to make cross-domain requests.
- AllowedMethod - Specifies a type of request you allow (GET, PUT, POST, DELETE, HEAD) in cross-domain requests.
- AllowedHeader - Specifies the headers allowed in a preflight request.
- To enable the cross-region replication feature in S3, the following requirements must be met:
- The source and destination buckets must have versioning enabled.
- The source and destination buckets must be in different AWS Regions.
- Amazon S3 must have permissions to replicate objects from that source bucket to the destination bucket on your behalf.
- SAM resource types:
- AWS::Serverless::Function (AWS Lambda)
- AWS::Serverless::Api (API Gateway)
- AWS::Serverless::SimpleTable (DynamoDB)
- AWS::Serverless::Application (AWS Serverless Application Repository)
- AWS::Serverless::HttpApi (API Gateway HTTP API)
- AWS::Serverless::LayerVersion (Lambda layers)
- SAM policy templates:
- S3ReadPolicy: gives read-only permissions to objects in S3
- SQSPollerPolicy: allows polling an SQS queue
- DynamoDBCrudPolicy: CRUD = create, read, update, delete
- SQS
- Default retention 4 days, max 14 days
- Limit of 256 KB per message sent: use the Java Extended Client for 1 GB
- SQS Extended Client for message sizes up to 2 GB
- Two types
- Standard
- FIFO
- MessageDeduplicationId and content-based deduplication are available
- Kinesis
- Each shard: input 1 MB/s, output 2 MB/s
- Each object size 4 KB
- Secrets Manager
- Rotation of keys
- Integration with RDS
- KMS is mandatory
- Step Functions sample state:
    "HelloWorld": {
      "Type": "Task",
      "Resource": "arn:aws:lambda:us-east-1:123456789012:function:HelloFunction",
      "Next": "AfterHelloWorldState",
      "Comment": "Run the HelloWorld Lambda function"
    }
- Express Workflows have a maximum duration of five minutes and Standard Workflows have a maximum duration of one year.
- A VPC Endpoint connects privately to other AWS services such as S3
- VPC Flow Logs allow you to monitor the traffic within, into and out of your VPC (useful for security, performance, audit)
- A subnet can only be associated with one route table at a time, but you can associate multiple subnets with the same route table.
- X-Ray segments: each application / service sends them
- The host – hostname, alias or IP address
- The request – method, client address, path, user agent
- The response – status, content
- The work done – start and end times, subsegments
- Subsegments: if you need more details in your segment
- Trace: segments collected together to form an end-to-end trace
- Sampling: decrease the amount of requests sent to X-Ray, reducing cost
- Annotations: key-value pairs used to index traces and use with filters
- Metadata: key-value pairs; a metadata object with any additional data that you want to store in the segment
- The maximum size of a trace is 500 KB.
- Trace data is retained for 30 days from the time it is recorded at no additional cost.
- The following services provide X-Ray integration:
- AWS Lambda
- Amazon API Gateway
- Elastic Load Balancing
- AWS Elastic Beanstalk
- ECS - X-Ray will not send the memory utilization of the EC2 instance.