AWS Solution Architect Associate
- CLI access -> create an access key
- Role trusted entity types -> AWS Service, AWS Account, Web Identity, SAML 2.0 Federation
- Security Tools
- IAM Credential Report (all users, the status of each credential and when it was last used)
- IAM Access Advisor (which services a user's permissions were used to access, which were not, and the permissions granted)
- Guidelines
- Don't use the root user except to create and set up the account
- One physical user = one IAM user
- Assign users to groups and assign permissions to groups
- Create a strong password policy
- Enforce MFA - virtual, universal (U2F) key, hardware fob
- Create and use roles for giving permissions to AWS services
- Use access keys for programmatic access (CLI, SDK)
- Audit account permissions using the IAM Credential Report
- Never share IAM users and access keys
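The Credential Report audit in the guidelines above, as an added example (my code, not from the notes or AWS): it parses a constructed report in the CSV layout IAM produces and flags root sign-ins, console users without MFA, and active access keys that are unused or stale. The column names are the real report's; the rows, account id and `NOW` timestamp are made up for the example.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the column layout of an IAM credential report
# (only the columns this check reads; the real report has more).
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2023-01-01T00:00:00+00:00,not_supported,2024-05-01T10:00:00+00:00,true,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2023-02-01T00:00:00+00:00,true,2024-05-30T09:00:00+00:00,false,true,2024-05-29T08:00:00+00:00,false,N/A
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2023-03-01T00:00:00+00:00,false,no_information,false,true,2023-09-01T00:00:00+00:00,true,N/A
"""

# Fixed "now" so the example is deterministic (assumption for the example).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
NEVER = ("N/A", "no_information", "")


def _stale(last_used, now, max_age_days):
    """True if a last-used timestamp is missing or older than max_age_days."""
    if last_used in NEVER:
        return True
    return now - datetime.fromisoformat(last_used) > timedelta(days=max_age_days)


def audit_credential_report(report_csv, now=NOW, max_age_days=90):
    """Return (user, finding) pairs for the guidelines: no root use,
    MFA on every console user, no unused long-lived access keys."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>" and row["password_last_used"] not in NEVER:
            findings.append((user, "root user signed in; root is for account setup only"))
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))
        for n in ("1", "2"):
            active = row[f"access_key_{n}_active"] == "true"
            if active and _stale(row[f"access_key_{n}_last_used_date"], now, max_age_days):
                findings.append((user, f"access key {n} active but unused for > {max_age_days} days"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT):
        print(f"{user}: {finding}")
```

The real report is fetched with `aws iam get-credential-report` (base64 CSV) and can be fed to the same function.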
- IAM Roles & IAM Policies (JSON). Example policy, cleaned up from the note (Version must be 2012-10-17; every statement also needs an Action or NotAction):
{
  "Version": "2012-10-17",
  "Id": "s3-access",
  "Statement": [
    {
      "Sid": "10202",
      "Effect": "Allow",
      "Principal": {
        "AWS": ["arn.aws..."]
      },
      "Action": ["s3:GetObject"],
      "Resource": "arn:aws:s3:::mybucket/*"
    }
  ]
}
- Effect is Allow or Deny; Resource can be replaced by NotResource; Principal (only in resource-based policies) can be "AWS" (ARNs), "CanonicalUser" or "Federated"
- EC2 - instances can have an instance store. Purchasing options:
- On-Demand
- Reserved Instances & Convertible Reserved Instances
- Savings Plans - commit to a minimum usage and allow converting; charged even if not used (used to be Capacity Reserved)
- Spot Instances
- Dedicated Host
- Dedicated Instance
- Spot Instances can only be terminated if the Spot request is Open/Active/Disabled
- Spot can include x5 and c5 instance types too
- Spot Fleet - set of Spot Instances + optional On-Demand; allocation strategies:
- Lowest Price
- Diversified
- Capacity Optimized
- Price Capacity Optimized
- Elastic IP -> 1 public IP, max 5
- Elastic Network Interface (ENI) -> 1 or more private IPs, bound to one AZ and has a MAC address
- Placement groups:
- Cluster - same AZ
- Spread - different Regions or AZs, max 7 per AZ
- Partition - up to 7 partitions; partitions do not share racks and can be in the same AZ or not
- Hibernate - only if EBS encryption is enabled; saves the RAM state. Only storage is charged.
- Instance Store - ephemeral, physically attached, very high IOPS, emptied when stopped.
- EBS - it's a network drive.
- Root volumes are deleted on terminate by default.
- To move to a new AZ, use a snapshot
- To hibernate at instance stop, the volume must be encrypted. It stores all RAM into EBS.
- Snapshot Archive is cheaper (72%) but takes 24-72 hours to restore
- Recycle Bin - 1 day to 1 year retention
- Fast Snapshot Restore - $$$$
- Volume types: only gp (General Purpose SSD) & io (Provisioned IOPS SSD) can be used as a root volume
- gp3 - IOPS can be increased to 16k, throughput to 1000 MB/s
- gp2 - 3 IOPS per GB, max 16k IOPS (reached at 5334 GB)
- io1 - 4 GB-16 TB, max provisioned IOPS 64k
- io2 - max 256k IOPS at 1000:1 IOPS per GB, supports EBS Multi-Attach
- st1 - HDD, 125 GB-16 TB
- sc1 - Cold HDD for infrequent access, 250 IOPS
- Multi-Attach is only within the same AZ, max 16 EC2 instances, and needs a cluster-aware file system (Linux)
- Encryption:
- Data is encrypted 1) at rest, 2) in snapshots and 3) in flight between the instance and the volume
- To encrypt an unencrypted volume -> snapshot -> copy (encrypted) -> create a new EBS volume
- AMI - a snapshot template of the instance, including its EBS storage.
- Region specific, but can be copied over via console/command line.
- EFS - $$$, about 3x the gp price
- Encryption at rest using KMS.
- Uses NFS v4.1 and Linux-based AMIs.
- Can be Multi-AZ or One Zone. One Zone is only for IA
- Can be accessed by Lambda, EC2 and SageMaker
- Throughput modes:
- Provisioned
- Elastic
- Bursting
- Storage tiers:
- Standard
- Infrequent Access (IA)
- Archive
- Lifecycle policy - Standard to IA
- ELB - allow traffic to EC2 by the load balancer's security group, not by IP
- Types:
- Application Load Balancer - routing rules based on hostname, path, header or query string. Adds X-Forwarded-For/Port/Proto. Target group can be by IP, instance or Lambda.
- Network Load Balancer - 1 EIP, TCP/UDP; an NLB can have an ALB as its target
- Gateway Load Balancer - target group is a 3rd-party appliance. GENEVE protocol, port 6081.
- Multi-AZ, but within a Region
- Accessed via DNS name, except the Network Load Balancer, which also has an IP
- Can have health checks
- Sticky Sessions
- Only GLB has no sticky sessions
- AWSALB and AWSALBAPP are for application-based cookies
- AWSALB and AWSALBTG are for duration-based cookies
- Cross-Zone Load Balancing - when enabled, traffic is spread evenly across all instances in all AZs rather than split per AZ first.
- Server Name Indication (SNI) - solves serving multiple TLS certificates from one web server/ALB.
- Connection Draining - allows EC2 to finish all in-flight requests before shutdown. Time based; 0 disables it.
- Auto Scaling Group - Launch Template defines AMI, instance type, EBS volume, security group, SSH key pair, IAM role, VPC, LB
- Specify Min, Max and Initial (desired) capacity
- Can use CloudWatch alarms
- Health check can be EC2 and/or ELB based; unhealthy instances are terminated.
- Scaling strategies: Scheduled, Predictive (ML), Dynamic (resource based); default cooldown is 30 seconds.
- Integrates with CloudWatch (including custom metrics) to trigger alarms, with scaling configured to run based on the alarm.
- RDS storage auto scaling - triggers if free storage < 10% for 5 minutes
- and 6 hours past the last modification.
- 1 master, multiple replicas
- Supported engines: Postgres, MySQL, MariaDB, Oracle, SQL Server, DB2, Aurora
- Multi-AZ support does not require a connection string change (only read replicas do)
- Replica
- Up to 15 read replicas
- Free if in the same AZ
- Sync for Multi-AZ
- Async (eventually consistent) for the same AZ
- Aurora
- Auto Multi-AZ & Multi-Region
- Regional cluster with 1 writer endpoint and 1 reader endpoint
- 4 replicas must be up to write, 3 must be up to read.
- Machine learning via SageMaker and Comprehend
- Can have custom endpoints (a reader endpoint) pointing to specific instances.
- Can use serverless - Aurora fleet
- Global Aurora - Cross-Region or Global DB (1 primary Region, up to 5 secondary Regions, up to 16 read replicas per Region)
- RDS Proxy - DB connection pool; must be private (inside the VPC)!
- ElastiCache
- Redis Auth - IAM, password/token or SSL
- Memcached - supports SASL-based authentication
- Redis supports sorted sets (guaranteed uniqueness and ordering).
- Patterns
- Lazy Loading
- Write Through (add/update the DB)
- Session Store (TTL)
- RDS Custom - only Oracle and SQL Server; can SSH to do patching.
- Security
- Data encrypted at rest, but the KMS key must be defined at creation.
- If the master is not encrypted, the replicas are not either
- To encrypt an unencrypted DB, go the snapshot route
- IAM authentication, except Oracle and SQL Server (but can SSH)
- Audit logs can be sent to CloudWatch
- Security Group controls network access.
- Backup is automatic every 5 minutes (cannot be disabled for Aurora)
- Backup snapshot retention is 1 to 35 days.
- Backup snapshots only restore to a new DB; only MySQL/Aurora support restore from S3. Aurora uses Percona to do it.
- Cloning feature is only available for Aurora.
- Route 53 record types:
- A - maps hostname to IPv4
- A (alias) - like CNAME but has native health checks; can be set at the zone APEX, but TTL cannot be set
- AAAA - maps hostname to IPv6
- CNAME - maps hostname to hostname
- NS - name servers for the hosted zone
- Routing policies:
- Weighted
- Simple - multiple A records, picked at random
- Latency - closest, but you need to set the Region yourself
- Failover - one primary, one secondary
- Geolocation - like latency, but by specified country. Set a default record to handle unmatched locations.
- Geoproximity - weighted by Region (bias)
- IP-based routing - uses CIDR
- Multivalue - like simple but adds health checks
- Health Checks
- Calculated Health Check - up to 256 child checks, combined with OR/AND; 30 second interval, with 18% of 2xx or 3xx responses
- Private Hosted Zone - health checks have to go through CloudWatch
- Cannot route based on path
- Different from ALB: load balanced by Region, health check is by TTL
- S3 - bucket name is globally unique, but the bucket is Region based
- Naming: lowercase + numbers + only dashes (-) allowed, except -s3alias and --
- Key consists of prefix (path) + object name
- Max 5MB; big uploads are via multipart
- Security
- User based (IAM)
- Resource based - Bucket Policy / Object ACL / Bucket ACL
- Can be encrypted
- S3 has a Block Public Access setting with the highest precedence, even over IAM and resource-based controls. This means it has to be dealt with before a bucket policy takes effect
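Block Public Access treats an Allow statement with a wildcard principal and no restricting condition as "public". This added Python check (my example, not AWS or the notes' code; a simplified version of that rule) flags such statements in a constructed bucket policy, so you can see what the setting is protecting against before changing it. The account id, role name and VPC endpoint id are placeholders.

```python
import json

# Constructed bucket policy: one public statement, one scoped by a VPC endpoint
# condition, one for a single role, and a Deny that is not an Allow at all.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::mybucket/*"},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::mybucket/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}},
        {"Sid": "Admin", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/admin-EXAMPLE"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::mybucket"},
        {"Sid": "DenyHttp", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": "arn:aws:s3:::mybucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})


def _principal_is_wildcard(principal):
    """'*' or {'AWS': '*'} / {'AWS': ['*', ...]} means anyone on the internet."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def public_statements(policy_json):
    """Return the Sids of Allow statements open to any principal with no Condition.
    Conditioned statements are skipped here; real Block Public Access still counts
    some conditions (e.g. on aws:SourceIp) as public, so treat this as a first pass."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):      # a single statement may be given unwrapped
        statements = [statements]
    return [s.get("Sid", "<no sid>") for s in statements
            if s.get("Effect") == "Allow"
            and _principal_is_wildcard(s.get("Principal"))
            and "Condition" not in s]


if __name__ == "__main__":
    print("public statements:", public_statements(SAMPLE_POLICY))
```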
- Supports making S3 a static website
- Versioning
- When versioning is disabled all objects have version = null. Important when turning versioning on and off.
- Suspending versioning does not delete previous versions
- Deleting a versioned object only adds a DELETE MARKER
- Deleting a specific version (with "show versions") is a permanent delete
- Replication
- Same Region Replication
- Cross Region Replication
- Only new objects are replicated, but S3 Batch Replication can do old ones
- Able to replicate DELETE MARKERS, but it needs to be enabled. NOTE: deletions of a specific version are not replicated.
- No chaining - bucket 1 TO bucket 2 TO bucket 3 is not supported
- Storage classes:
- Standard - > 3 zones
- Infrequent Access
- Intelligent Tiering
- One Zone IA
- Glacier storage
- Instant Retrieval - like IA, min 90 days
- Flexible Retrieval - takes 1-5 min, 3-5 hours or 5-12 hours
- Deep Retrieval - 12-48 hours
- Possible to make the requester pay for S3.
- S3 Lifecycle
- Use Storage Class Analysis - a tool for Standard and Standard-IA that produces a report every 24-48 hours
- Move non-current versions; can also set them to be permanently deleted.
- Can delete incomplete multipart uploads
- Rules can be scoped by tags.
- Can add delete on expiry.
- Events supported: EventBridge, Lambda Function, SQS, SNS
- Transfer - Transfer Acceleration via multipart, S3 byte-range fetches, batch via S3 Select
- S3 Storage Lens - analyze objects, discover anomalies, cost efficiency. Split by:
- Organization
- Account
- Region
- Bucket
- Encryption (bucket policy is evaluated before encryption, so the header can be checked):
- SSE-KMS - cheaper for customer-managed keys with a Bucket Key
- DSSE-KMS - 2x faster
- SSE-C - HTTPS with a customer-provided key, but still via KMS; x-amz-server-side-encryption header
- Client-side encryption
- Other features include:
- CORS
- MFA Delete
- Access logs
- Presigned URL - up to 12 hours; can even delete or upload
- Object Lock
- Compliance (fixed)
- Governance (some users can change it)
- Retention Period (can be extended indefinitely)
- Legal Hold (anyone with the s3:PutObjectLegalHold permission can change it)
- Access Point: good for S3 Object Lambda
- CloudFront - always uses us-east-1
- Underlying service of API Gateway
- Can use geographic restrictions
- To allow only CloudFront to reach EC2, all edge location IPs must be allowed
- 3 price classes:
- All
- Price Class 200 - all except South America and Australia
- Price Class 100 - only US and Europe
- Global Accelerator - uses anycast to the nearest edge
- Has 1 static IP
- Can do health checks
- For Elastic IP, EC2, ALB and NLB