@bommojuvishu
Last active January 18, 2024 05:32
AWS Associate Developer Exam Notes


Other info

- An HTTP 502 status code (Bad Gateway) indicates that CloudFront wasn't able to serve the requested object because it couldn't connect to the origin server.
- An HTTP 504 status code (Gateway Timeout)

API Gateway

  • Limit: 10,000 requests per second
  • Request flow: method request > integration request > Lambda / other backend > integration response > method response
  • If one API is throttled, the entire API is affected
  • Timeout max: 29 seconds
  • CORS can be enabled
  • Types of authentication
    • IAM permissions with SigV4
    • Lambda Authorizer
    • Cognito User Pools
  • Integration Type MOCK : API Gateway returns a response without sending the request to the backend
  • Integration Type HTTP / AWS (Lambda & AWS Services)
    • you must configure both the integration request and integration response
    • Setup data mapping using mapping templates for the request & response
  • Integration Type AWS_PROXY (Lambda Proxy):
    • incoming request from the client is the input to Lambda
    • The function is responsible for the logic of request / response
    • No mapping template; headers, query string parameters, etc. are passed as arguments
  • Integration Type HTTP_PROXY
    • No mapping template
    • The HTTP request is passed to the backend
    • The HTTP response from the backend is forwarded by API Gateway
  • Latency measures the overall responsiveness of your API calls (from the client request coming in to the response going out).
  • IntegrationLatency measures only the responsiveness of the backend integration, not the whole request.
  • Cognito Identity Pools cannot be used as an authorizer for API Gateway.
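Added example, not from the gist, of a handler for the AWS_PROXY integration described above: the proxy event replaces the mapping template, the function owns the full HTTP response (including CORS headers), and it reads the log stream name from the context object. The origin, path and field names are assumptions.

```python
import base64
import json

# Added example, not from the original notes: a handler for the AWS_PROXY
# (Lambda proxy) integration. API Gateway hands the raw HTTP request to the
# function as the event and expects the function to build the whole response.
# The origin, path and field names are constructed for illustration.

ALLOWED_ORIGIN = "https://app.example.com"  # assumed front-end origin


def _parse_body(event):
    """Return the JSON body as a dict; proxy events may deliver it base64-encoded."""
    body = event.get("body") or ""
    if event.get("isBase64Encoded"):
        body = base64.b64decode(body).decode("utf-8")
    return json.loads(body) if body else {}


def _response(status, payload):
    """The shape API Gateway requires from a proxy function; anything else yields a 502."""
    return {
        "statusCode": status,
        # With AWS_PROXY there is no integration response to add headers, so
        # CORS headers must come from the function itself.
        "headers": {"Content-Type": "application/json",
                    "Access-Control-Allow-Origin": ALLOWED_ORIGIN},
        "body": json.dumps(payload),
        "isBase64Encoded": False,
    }


def handler(event, context=None):
    """Lambda entry point: headers, query string and body arrive as event fields."""
    method = event.get("httpMethod", "")
    name = (event.get("queryStringParameters") or {}).get("name")
    if method == "POST":
        try:
            name = _parse_body(event).get("name", name)
        except ValueError:  # covers bad base64 and bad JSON
            return _response(400, {"error": "body is not valid JSON"})
    elif method != "GET":
        return _response(405, {"error": "method not allowed"})
    if not name:
        return _response(400, {"error": "missing name"})
    # The log stream name is read from the context object, as the notes say.
    log_stream = getattr(context, "log_stream_name", None)
    return _response(200, {"greeting": f"hello {name}", "logStream": log_stream})


# Constructed sample events in the proxy-integration format (not captured traffic).
SAMPLE_GET_EVENT = {
    "httpMethod": "GET", "path": "/hello",
    "queryStringParameters": {"name": "dev"},
    "headers": {"Host": "abc123.execute-api.us-east-1.amazonaws.com"},
    "body": None, "isBase64Encoded": False,
}
SAMPLE_POST_EVENT = {
    "httpMethod": "POST", "path": "/hello", "queryStringParameters": None,
    "body": base64.b64encode(b'{"name": "ops"}').decode(), "isBase64Encoded": True,
}
```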

CICD

  • CodeCommit
    • Data in AWS CodeCommit repositories is encrypted in transit and at rest
    • The first time you create an AWS CodeCommit repository in a new region in your AWS account, CodeCommit creates an AWS-managed key in that same region in AWS Key Management Service (AWS KMS) that is used only by CodeCommit.
  • CodeBuild
    • CodeBuild runs on an AMI, so environment variables are available; artifacts can be pushed to S3
    • Can cache dependencies on S3
  • CodeDeploy
    • CodeDeploy can deploy applications to EC2, AWS Lambda, Amazon ECS and on-premises servers
    • The deployment is described in appspec.yml
    • The CodeDeploy agent is not required for deployments that use the Amazon ECS or AWS Lambda compute platform, but it is required for EC2
    • Two types of deployment
      • In-place deployment: the application on each instance in the deployment group is stopped, then the latest application revision is installed
        • not supported for Lambda
        • works for ECS and EC2 / on-premises servers
      • Blue/green deployment
        • works on EC2, ECS, Lambda
        • not supported for on-premises servers
  • CodeDeploy lifecycle hooks (stages)
    • ApplicationStop
    • DownloadBundle
    • BeforeInstall
    • Install
    • AfterInstall
    • ApplicationStart
    • ValidateService: important

CloudFormation

  • A stack set lets you create stacks in AWS accounts across regions by using a single AWS CloudFormation template.
  • Parameter types
  1. String: a literal string
  2. Number: an integer or float
  3. List<Number>: an array of integers or floats
  4. CommaDelimitedList: an array of literal strings that are separated by commas
  5. AWS::EC2::KeyPair::KeyName: an Amazon EC2 key pair name
  6. AWS::EC2::SecurityGroup::Id: a security group ID
  7. AWS::EC2::Subnet::Id: a subnet ID
  8. AWS::EC2::VPC::Id: a VPC ID
  9. List<AWS::EC2::VPC::Id>: an array of VPC IDs
  10. List<AWS::EC2::SecurityGroup::Id>: an array of security group IDs
  11. List<AWS::EC2::Subnet::Id>: an array of subnet IDs

CloudFront

  • For premium / restricted access, use signed URLs / signed cookies
  • To route to different kinds of origins based on the content type, route based on path pattern:
    • /images/*
    • /api/*
    • /*

CloudTrail

- By default, CloudTrail event log files are encrypted using Amazon S3 server-side encryption (SSE)
- By default, data events are not logged

DynamoDB

- Use global tables if your application is accessed by globally distributed users
- Max size of an item: 400 KB
- RCU: 4 KB per second
- WCU: 1 KB per second
- 1 RCU = 1 strongly consistent read or 2 eventually consistent reads
- DynamoDB uses eventually consistent reads by default
- LSI: max 5, must be declared at table creation
- GSI: max 1, can be created after table creation
- DynamoDB transactions: double RCU and WCU
- Filter expression: determines which items within the Scan results are returned to you.
- A projection expression is a string that identifies the attributes you want.
- CLI pagination options
  - --page-size: the CLI still retrieves the full list of items, but with a larger number of API calls instead of one (default: 1000 items)
  - --max-items: max number of items to show in the CLI (returns NextToken)
  - --starting-token: specify the last NextToken to retrieve the next set of items

- All data in DynamoDB Streams is subject to a 24-hour lifetime.
- LSI: both eventual and strong; GSI: only strong
- LSI: only particular attributes; GSI: the entire table

- Atomic counters unconditionally increment without interfering with other write requests.
- Optimistic locking: a record is locked only when changes are committed to the database. Pessimistic locking: a record is locked while it is edited.
- Global secondary index: an index with a partition key and a sort key that can be different from those on the base table. A global secondary index is considered "global" because queries on the index can span all of the data in the base table, across all partitions.

- Local secondary index: an index that has the same partition key as the base table, but a different sort key. A local secondary index is "local" in the sense that every partition of a local secondary index is scoped to a base table partition that has the same partition key value.
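Added example (not from the gist): provisioned-capacity arithmetic built from the unit sizes in the notes above (4 KB RCU, 1 KB WCU, eventual reads at half cost, transactions at double cost, 400 KB item cap). The workload numbers are constructed.

```python
import math

# Added example (not from the original notes): provisioned-capacity arithmetic
# using the unit sizes the notes give. RCU = one 4 KB strongly consistent read
# per second, WCU = one 1 KB write per second; eventually consistent reads cost
# half, transactional reads and writes cost double. Items are capped at 400 KB.

KB = 1024
RCU_BYTES = 4 * KB
WCU_BYTES = 1 * KB
MAX_ITEM_BYTES = 400 * KB


def _check_item(item_bytes):
    if not 0 < item_bytes <= MAX_ITEM_BYTES:
        raise ValueError(f"item size must be 1..{MAX_ITEM_BYTES} bytes, got {item_bytes}")


def read_units(item_bytes, reads_per_second, consistency="eventual"):
    """RCUs needed; consistency is 'eventual' (DynamoDB's default), 'strong' or 'transactional'."""
    _check_item(item_bytes)
    # Each read is rounded up to a whole 4 KB unit before multiplying by the rate.
    units = math.ceil(item_bytes / RCU_BYTES) * reads_per_second
    if consistency == "eventual":
        return math.ceil(units / 2)
    if consistency == "strong":
        return units
    if consistency == "transactional":
        return units * 2
    raise ValueError(f"unknown consistency {consistency!r}")


def write_units(item_bytes, writes_per_second, transactional=False):
    """WCUs needed; each write is rounded up to 1 KB, transactions double it."""
    _check_item(item_bytes)
    units = math.ceil(item_bytes / WCU_BYTES) * writes_per_second
    return units * 2 if transactional else units


def table_capacity(item_bytes, reads_per_second, writes_per_second, consistency="eventual"):
    """Convenience: (RCU, WCU) to provision for one access pattern on a table."""
    return (read_units(item_bytes, reads_per_second, consistency),
            write_units(item_bytes, writes_per_second))


if __name__ == "__main__":
    # Constructed workload: 6 KB items, 10 reads/s and 10 writes/s.
    print("strong reads:", read_units(6 * KB, 10, "strong"))
    print("eventual reads:", read_units(6 * KB, 10))
    print("writes:", write_units(6 * KB, 10))
```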

EC2

  • Default monitoring: 5-minute intervals; detailed monitoring: 1-minute intervals
  • Ports: SSH 22, HTTP 80, FTP 21, HTTPS 443, Windows RDP 3389
  • Instance metadata: http://169.254.169.254/latest/meta-data
  • EBS volumes are locked to one AZ
  • Only Zonal Reserved Instances provide a capacity reservation.
  • Types of EC2 purchasing options
    • On-Demand Instances: short workloads, predictable pricing, pay by the second
    • Reserved (1 & 3 years)
      • Reserved Instances: long workloads
      • Convertible Reserved Instances: long workloads with flexible instance types
    • Savings Plans (1 & 3 years): commitment to an amount of usage, long workloads
    • Spot Instances: short workloads, cheap, can lose instances (less reliable)
    • Dedicated Hosts: book an entire physical server, control instance placement
    • Dedicated Instances: no other customers will share your hardware
    • Capacity Reservations: reserve capacity in a specific AZ for any duration
  • EBS is limited to one AZ; EFS spans AZs
  • EBS volumes support both in-flight encryption and encryption at rest using KMS
  • SSE-C: Amazon S3 will reject any request made over HTTP when using SSE-C; only HTTPS is accepted
  • CloudWatch does not monitor the memory, swap, and disk space utilization of your instances. If you need to track these metrics, install the CloudWatch agent on your EC2 instances.

ECS ,ECR ,Fargate

  • In the ecs.config file, set the parameter ECS_CLUSTER='your_cluster_name' to register the container instance with the cluster named 'your_cluster_name'
  • EC2 Instance Profile (EC2 launch type only):
    • Used by the ECS agent
    • Makes API calls to the ECS service
    • Sends container logs to CloudWatch Logs
    • Pulls Docker images from ECR
    • References sensitive data in Secrets Manager or SSM Parameter Store
  • ECS Task Role:
    • Allows each task to have a specific role
    • Use different roles for the different ECS services you run
    • The task role is defined in the task definition
  • Never terminate the container instance while it is in the RUNNING state; that leads to synchronization issues
  • If you terminate a container instance in the RUNNING state, that container instance is automatically removed or deregistered from the cluster. However, if you terminate a container instance in the STOPPED state, that container instance isn't automatically removed from the cluster.
  • Cluster queries are expressions that enable you to group objects.

Elastic Beanstalk

  • Single Instance mode: Great for development environment
  • High Availability with Load Balancer mode: Great for production environments
  • Configuration files are YAML- or JSON-formatted documents with a .config file extension, placed in a folder named .ebextensions

Elasticache

  • Caching strategies: Lazy Loading (also called Cache-Aside or Lazy Population) and Write-Through
  • All the nodes in a Redis cluster must reside in the same region

ELB + ASG

  • Load balancers in general
    • Provide SSL termination (HTTPS) for your websites
    • Do regular health checks on your instances
    • Separate public traffic from private traffic
  • ALB
    • Load balancing based on the route (path) in the URL
    • Load balancing based on the hostname in the URL
    • The true IP of the client is inserted in the X-Forwarded-For header
    • An ALB has three possible target types: instance, IP and Lambda
  • Any load balancer (CLB, ALB, NLB) has a static hostname. Do not resolve it and use the underlying IP.

Encryption

  • KMS encrypts directly only up to 4 KB; if the data is > 4 KB, use envelope encryption with the GenerateDataKey API
  • SSL termination is the process of decrypting encrypted traffic before passing it along to a web server; SSL passthrough is the opposite (traffic stays encrypted through to the backend)
  • When enabled at the region level, all the underlying objects get encrypted
  • For SSL certificates you can use either ACM or the IAM certificate store. In unsupported Regions, you must use IAM as the certificate manager.

IAM & STS

  • aws sts get-caller-identity: get the current identity; aws iam get-user: get the current user
    • IAM credential usage: lists all the credentials and their usage
    • An IAM group cannot be part of another group
  • A resource-based policy specifies who (which principal) can access that resource.

  • The CLI looks for credentials in this order

  1. Command line options: --region, --output, and --profile
  2. Environment variables: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN
  3. CLI credentials file (aws configure): ~/.aws/credentials on Linux / macOS & C:\Users\USERNAME\.aws\credentials on Windows
  4. CLI configuration file (aws configure): ~/.aws/config on Linux / macOS & C:\Users\USERNAME\.aws\config on Windows
  5. Container credentials: for ECS tasks
  6. Instance profile credentials: for EC2 instance profiles
  • IAM Credentials Report (account-level): a report that lists all your account's users and the status of their various credentials

  • IAM Access Advisor (user-level): shows the service permissions granted to a user and when those services were last accessed

  • Components of a policy

    • Sid
    • Effect: Allow / Deny
    • Resource: the ARN of the AWS resource / any other ID
    • Principal: if the policy has no Principal, it is an identity-based IAM policy, usually attached to a user
    • Condition
  • GetSessionToken returns a set of temporary credentials for an AWS account or IAM user. Use GetSessionToken if you want to use MFA to protect programmatic calls.

  • AssumeRoleWithWebIdentity returns a set of temporary security credentials for federated users who are authenticated through public identity providers such as Amazon, Facebook, Google, or OpenID

  • AssumeRoleWithSAML returns a set of temporary security credentials for users who have been authenticated via a SAML authentication response.
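Added example (not from the gist): a small policy review that sorts a document by the components listed above, classifying it as resource-based when its statements carry a Principal and identity-based otherwise, and flags the two findings a reviewer looks for first (Allow */* and a public Principal with no Condition). The sample documents and their bucket name are constructed.

```python
# Added example (not from the original notes): classify an IAM policy document
# by the components listed in the notes and report common review findings.
# A statement with a Principal belongs to a resource-based policy; one without
# belongs to an identity-based policy attached to a user, group or role.

VALID_EFFECTS = {"Allow", "Deny"}


def _as_list(value):
    """Policy JSON allows a string or a list in most positions; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal):
    """True for Principal "*" or {"AWS": "*"}: any identity, including anonymous."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def review_policy(document):
    """Return (kind, findings); kind is 'resource-based' or 'identity-based'."""
    statements = _as_list(document.get("Statement"))
    with_principal = [s for s in statements if "Principal" in s or "NotPrincipal" in s]
    kind = "resource-based" if with_principal else "identity-based"
    findings = []
    if with_principal and len(with_principal) != len(statements):
        findings.append("mixed: some statements carry a Principal and some do not")
    for s in statements:
        sid = s.get("Sid", "<no Sid>")
        if s.get("Effect") not in VALID_EFFECTS:
            findings.append(f"{sid}: Effect must be Allow or Deny")
        if kind == "identity-based" and "Resource" not in s and "NotResource" not in s:
            findings.append(f"{sid}: identity-based statement needs a Resource")
        allow = s.get("Effect") == "Allow"
        if allow and "*" in _as_list(s.get("Action")) and "*" in _as_list(s.get("Resource")):
            findings.append(f"{sid}: Allow */* grants full administrative access")
        if allow and _principal_is_anyone(s.get("Principal")) and "Condition" not in s:
            findings.append(f"{sid}: public access (Principal * without a Condition)")
    return kind, findings


# Constructed sample documents (the bucket name is a placeholder).
PUBLIC_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
    }],
}
ADMIN_USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllAccess", "Effect": "Allow", "Action": "*", "Resource": "*"}],
}
```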

Kinesis

  • Kinesis Agent is a stand-alone Java software application that offers an easy way to collect and send data to Kinesis Data Streams.

KMS

  • Max is 4 KB (per Encrypt call)
  • For anything over 4 KB, look at envelope encryption
    • KMS stores the CMK, receives data from the clients, encrypts it and sends it back
  • Important APIs
  1. CreateKey
  2. Decrypt
  3. DisableKeyRotation
  4. EnableKeyRotation
  5. Encrypt
  6. GenerateDataKey
  7. GenerateDataKeyPair
  8. GenerateDataKeyPairWithoutPlaintext
  9. GenerateDataKeyWithoutPlaintext
  • KMS is integrated with the following services

    1. CodeCommit (auto)
    2. CodeBuild
    3. CodePipeline (auto/managed)
    4. Elasticsearch
    5. EBS
    6. SSM
    7. Lambda
    8. S3
    9. SQS (enable button)
  • Automatic key rotation is only supported in symmetric KMS keys. Automatic key rotation is not available for asymmetric keys, keys in custom key stores, and keys with imported key material.

Lambda

  • Concurrency limit: 1000; max 900 can be allocated to a function, the remaining 100 are kept for other functions
  • Supported runtimes: Java, Go, PowerShell, Node.js, C#, Python, and Ruby; C/C++ is not supported
  • Throttling error code: 423
  • Environment variable limit: 4 KB
  • If there are native dependencies, deploy either by zip or by CloudFormation template
  • If there are external dependencies, deploy by zip with the dependencies included, or use layers
  • CodeDeploy can help you automate traffic shifting for Lambda aliases
    • The feature is integrated within the SAM framework
    • Linear: grow traffic every N minutes until 100%
      • Linear10PercentEvery3Minutes
      • Linear10PercentEvery10Minutes
    • Canary: try X percent, then 100%
      • Canary10Percent5Minutes
      • Canary10Percent30Minutes
    • AllAtOnce: immediate
  • Extract the log stream name from the context object of the handler function.

Monitoring

  • Note: EC2 memory usage is not pushed by default (it must be pushed from inside the instance as a custom metric)
  • EC2 instance metrics arrive "every 5 minutes"; with detailed monitoring (for a cost), you get data "every 1 minute"
    • Enable detailed monitoring from the CLI: aws ec2 monitor-instances --instance-ids i-1234567890abcdef0
  • Use the PutMetricData API call to publish custom metrics
  • IAM username and password credentials cannot be used to access CodeCommit.
  • By default, CloudWatch Logs never expire

Route53

  • A record: IP address
  • CNAME: hostname
  • Alias: points a hostname to an AWS resource; works for both root and non-root domains

RDS

  • Max 5 read replicas
  • Aurora
    • supports PostgreSQL and MySQL
    • 6 copies across 3 AZs
    • Enable the automated backup feature of Amazon RDS in a Multi-AZ deployment; it creates backups in a SINGLE AWS Region

S3

  • Max object size 5 TB; if uploading more than 5 GB, you must use multipart upload
  • In the CLI, use --dry-run to simulate the policy
  • No chaining of replication
  • Replication only replicates the objects added to the bucket after replication is enabled on the bucket.
  • S3 lifecycle actions are not replicated with S3 replication
  • Encryption
    • SSE-C: with the encryption key you provide as part of your request, Amazon S3 manages both the encryption, as it writes to disks, and the decryption, when you access your objects.
      • Amazon S3 will reject any request made over HTTP when using SSE-C
      • Include the headers
        • x-amz-server-side-encryption-customer-algorithm
        • x-amz-server-side-encryption-customer-key
        • x-amz-server-side-encryption-customer-key-MD5
    • SSE-KMS
      • Include the header x-amz-server-side-encryption: aws:kms
    • SSE-S3
      • Include the header x-amz-server-side-encryption: AES256
    • Client-side encryption: you encrypt the data client-side and upload the encrypted data to Amazon S3. In this case, you manage the encryption process, the encryption keys, and related tools.
  • S3 Transfer Acceleration takes advantage of Amazon CloudFront's globally distributed edge locations.
  • To perform a multipart upload with encryption using an AWS Key Management Service (AWS KMS) customer master key (CMK), the requester must have permission to the kms:Decrypt and kms:GenerateDataKey* actions on the key. These permissions are required because Amazon S3 must decrypt and read data from the encrypted file parts before it completes the multipart upload.
  • CORS rules can be implemented using the following elements
    • AllowedOrigin: specifies the domain origins that you allow to make cross-domain requests.
    • AllowedMethod: specifies the type of request you allow (GET, PUT, POST, DELETE, HEAD) in cross-domain requests.
    • AllowedHeader: specifies the headers allowed in a preflight request.
  • To enable cross-region replication in S3, the following must be met:
    • The source and destination buckets must have versioning enabled.
    • The source and destination buckets must be in different AWS Regions.
    • Amazon S3 must have permission to replicate objects from the source bucket to the destination bucket on your behalf.
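Added example (not from the gist) for the SSE-C headers listed above: it derives the base64 key and base64 key-MD5 headers from a customer-provided key, refuses to build the request over plain HTTP (which S3 rejects for SSE-C), and re-checks the MD5 the way S3 does on receipt. The bucket name, object key and fixed demo key are constructed.

```python
import base64
import hashlib
from urllib.parse import urlparse

# Added example (not from the original notes): build the three SSE-C headers
# for a customer-provided key and refuse to send them over plain HTTP, which
# S3 rejects for SSE-C. The bucket name and object key below are constructed.

ALGORITHM = "AES256"  # the only algorithm SSE-C accepts


def sse_c_headers(key: bytes) -> dict:
    """Algorithm, base64 key and base64 MD5 of the key, as S3 expects them."""
    if len(key) != 32:
        raise ValueError("SSE-C requires a 256-bit (32-byte) key")
    key_md5 = hashlib.md5(key).digest()  # transport integrity check on the key
    return {
        "x-amz-server-side-encryption-customer-algorithm": ALGORITHM,
        "x-amz-server-side-encryption-customer-key": base64.b64encode(key).decode(),
        "x-amz-server-side-encryption-customer-key-MD5": base64.b64encode(key_md5).decode(),
    }


def is_https(url: str) -> bool:
    return urlparse(url).scheme == "https"


def build_put_request(url: str, key: bytes, body: bytes) -> dict:
    """Describe a PUT with SSE-C; fail early instead of letting S3 reject HTTP."""
    if not is_https(url):
        raise ValueError("SSE-C requests must use HTTPS")
    headers = sse_c_headers(key)
    headers["Content-Length"] = str(len(body))
    return {"method": "PUT", "url": url, "headers": headers, "body": body}


def verify_key_md5(headers: dict) -> bool:
    """Recompute the MD5 from the key header, the check S3 performs on receipt."""
    key = base64.b64decode(headers["x-amz-server-side-encryption-customer-key"])
    expected = base64.b64encode(hashlib.md5(key).digest()).decode()
    return headers["x-amz-server-side-encryption-customer-key-MD5"] == expected


# Constructed, fixed demo key; a real key comes from a CSPRNG or KMS data key
# and is never written into source.
DEMO_KEY = bytes(range(32))
DEMO_URL = "https://example-bucket.s3.amazonaws.com/reports/q1.csv"

if __name__ == "__main__":
    print(build_put_request(DEMO_URL, DEMO_KEY, b"constructed body")["headers"])
```

The same three headers must also accompany every GET for the object, because S3 does not keep the key.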

SAM

  • AWS::Serverless::Function (AWS Lambda)

  • AWS::Serverless::Api (API Gateway)

  • AWS::Serverless::SimpleTable (DynamoDB)

  • AWS::Serverless::Application (AWS Serverless Application Repository)

  • AWS::Serverless::HttpApi (API Gateway HTTP API)

  • AWS::Serverless::LayerVersion (Lambda layers)

  • S3ReadPolicy: Gives read only permissions to objects in S3

  • SQSPollerPolicy: Allows to poll an SQS queue

  • DynamoDBCrudPolicy: CRUD = create read update delete

SQS + SNS

- SQS
	- Default retention 4 days, max 14 days
	- Limit: 256 KB per message sent; use the Java Extended Client for 1 GB
	- SQS Extended Client for message sizes up to 2 GB
	- Two types
		- Standard
		- FIFO
			- Deduplication ID; content-based deduplication is available
- Kinesis
	- Each shard: input 1 MB/s, output 2 MB/s

SSM

- Each parameter (object) size: 4 KB

Secrets Manager

	- Rotation of secrets
	- Integration with RDS
	- KMS is mandatory

Step Function

  • Step function sample (the single HelloWorld state from the notes, completed here with a terminal Pass state so the definition is valid)

```json
{
  "StartAt": "HelloWorld",
  "States": {
    "HelloWorld": {
      "Type": "Task",
      "Resource": "arn:aws:lambda:us-east-1:123456789012:function:HelloFunction",
      "Next": "AfterHelloWorldState",
      "Comment": "Run the HelloWorld Lambda function"
    },
    "AfterHelloWorldState": {"Type": "Pass", "End": true}
  }
}
```

  • Express Workflows have a maximum duration of five minutes; Standard Workflows have a maximum duration of one year.

VPC


  • VPC endpoints connect privately to other AWS services such as S3
  • VPC Flow Logs allow you to monitor the traffic within, into and out of your VPC (useful for security, performance, audit)
  • A subnet can only be associated with one route table at a time, but you can associate multiple subnets with the same route table.

X-Ray

  • Segments: each application / service will send them
    • The host – hostname, alias or IP address
    • The request – method, client address, path, user agent
    • The response – status, content
    • The work done – start and end times, subsegments
  • Subsegments: if you need more details in your segment
  • Trace: segments collected together to form an end-to-end trace
  • Sampling: decrease the amount of requests sent to X-Ray, reduce cost
  • Annotations: Key Value pairs used to index traces and use with filters
  • Metadata: Key Value pairs, metadata object with any additional data that you want to store in the segment.
  • The maximum size of a trace is 500 KB.
  • Trace data is retained for 30 days from the time it is recorded at no additional cost.
  • The following services provide X-Ray integration: AWS Lambda, Amazon API Gateway, Elastic Load Balancing, AWS Elastic Beanstalk, ECS
  • X-Ray will not send the memory utilization of the EC2 instance.