AWS

AWS regions are data centers hosted across different geographical locations worldwide.

Within each region, there are multiple isolated locations known as Availability Zones. Each availability zone is one or more data-centers with redundant network and connectivity and power supply. Multiple availability zones ensure high availability in case one of them goes down.

Edge locations are basically content delivery network which caches data and insures lower latency and faster delivery to the users in any location. They are located in major cities in the world.

True.

False. The minimum is 2 while the maximum is 6.

• Services Availability: not all service (and all their features) are available in every region
• Reduced latency: deploy application in a region that is close to customers
• Compliance: some countries have more strict rules and requirements such as making sure the data stays within the borders of the country or the region. In that case, only specific region can be used for running the application
• Pricing: the pricing might not be consistent across regions so, the price for the same service in different regions might be different.

In short, it's used for managing users, groups, access policies & roles Full explanation can be found here

True

False. Instead of using the root account, you should be creating users and use them.

True

False. Users can belong to multiple groups.

• Delete root account access keys and don't use root account regularly
• Create IAM user for any physical user. Don't share users.
• Apply "least privilege principle": give users only the permissions they need, nothing more than that.
• Set up MFA and consider enforcing using it
• Make use of groups to assign permissions ( user -> group -> permissions )

Only a login access.

False(!). MFA is a great additional security layer to use for authentication.

• AWS Management Console
  • AWS CLI
  • AWS SDK

AWS docs: "An IAM role is an IAM identity that you can create in your account that has specific permissions...it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS." For example, you can make use of a role which allows EC2 service to access s3 buckets (read and write).

Policies documents used to give permissions as to what a user, group or role are able to do. Their format is JSON.

There can be several reasons for that. One of them is lack of policy. To solve that, the admin has to attach the user with a policy what allows him to access the s3 bucket.

• Role
  • Policy

• Sid: identifier of the statement (optional)
• Effect: allow or deny access
• Action: list of actions (to deny or allow)
• Resource: a list of resources to which the actions are applied
• Principal: role or account or user to which to apply the policy
• Condition: conditions to determine when the policy is applied (optional)

This policy permits to perform any action on any resource. It happens to be the "AdministratorAccess" policy.

• IAM Credentials Report: lists all the account users and the status of their credentials
• IAM Access Advisor: Shows service permissions granted to a user and information on when he accessed these services the last time

IAM Access Advisor

Role

"a web service that provides secure, resizable compute capacity in the cloud". Read more here

True. As opposed to IAM for example, which is a global service, EC2 is a regional service.

• OS (Linux, Windows)
• RAM and CPU
• Networking - IP, Card properties like speed
• Storage Space - (EBS, EFS, EC2 Instance Store)
• EC2 User Data
• Security groups

AMI. With AMI (Amazon Machine Image) you can customize EC2 instances by specifying which software to install, what OS changes should be applied, etc.

Amazon Machine Images is "An Amazon Machine Image (AMI) provides the information required to launch an instance". Read more here

• Personal AMIs - AMIs you create
• AWS Marketplace for AMIs - AMIs made by others, mostly sold for some price
• Public AMIs - Provided by AWS

True (but they can be copied from one region to another).

1. Start an EC2 instance
2. Customized the EC2 instance (install packages, change OS configuration, etc.)
3. Stop the instance (for avoiding data integrity issues)
4. Create EBS snapshot and build an AMI
5. To verify and test the AMI, launch an instance from the AMI

"the instance type that you specify determines the hardware of the host computer used for your instance" Read more about instance types here

Let's take for example the following instance type: m5.large

m is the instance class 5 is the generation large is the size of the instance (affects the spec properties like vCPUs and RAM)

False. From the above list only compute optimized is available.

Compute Optimized:

• Used for compute-intensive tasks
• It has high performance processors
• Use cases vary: gaming serves, machine learning, batch processing, etc.

Memory Optimized:

• Used for processing large data sets in memory
• Other use cases: high performance, databases, distributed cache stores

Storage Optimized:

• Used for storage intensive tasks - high read and write access to large data sets
• Use cases: databases, OLTP system, distributing file systems

EBS

AWS Docs: "provides block level storage volumes for use with EC2 instances. EBS volumes behave like raw, unformatted block devices."

By default, the root volume is marked for deletion, while other volumes will still remain.

You can control what will happen to every volume upon termination.

Disk is intact and can be used when the instance starts.

True

EBS snapshots used for making a backup of the EBS volume at point of time.

• Backups of the data
• Moving the data between AZs

Yes, with multi-attach it's possible to attach a single EBS volume to multiple instances.

True

• HDD (st 1, sc 1): Low cost HDD volumes
• SSD
  • io1, io2: Highest performance SSD
  • gp2, gp3: General purpose SSD

SSD - io1, io2

SSD - gp2, gp3

SSD - io1, io2

HDD - sc1

SSD: gp2, gp3, io1, io2

True.

EC2 Instance Store.

EC2 instance store provides better I/O performances when compared to EBS.

It is mostly used for cache and temporary data purposes.

Yes, the data on instance store is lost when they are stopped.

AWS Docs: "Amazon Elastic File System (Amazon EFS) provides a simple, scalable, fully managed elastic NFS file system for use with AWS Cloud services and on-premises resources."

In simpler words, it's a network file system you can mount on one or more EC2 instances.

False. EFS can be mounted across multiple availability zones.

• Data sharing (e.g. developers working on the same source control)
• Web serving
• Content management

True

False. EFS scales automatically and you pay-per-use.

• Performance mode
  • General purpose: used mainly for CMS, web serving, ... as it's optimal for latency sensitive applications
  • Max I/O: great for scaling to high levels of throughput and I/O operations per second
• Throughput mode
  • Bursting: scale throughput based on FS size
  • Provisioned: fixed throughput

Performance Mode (Max I/O): It provides high throughput and scales to operations per second. Mainly used for big data, media processing, etc.

Performance Mode (General Purpose): Used for web serving, CMS, ... anything that is sensitive to latency.

• Standard: frequently accessed files
• Infrequent access: lower prices to store files but it also costs to retrieve them

On Demand - pay a fixed rate by the hour/second with no commitment. You can provision and terminate it at any given time. Reserved - you get capacity reservation, basically purchase an instance for a fixed time of period. The longer, the cheaper. Spot - Enables you to bid whatever price you want for instances or pay the spot price. Dedicated Hosts - physical EC2 server dedicated for your use.

True.

• Convertible Reserved Instances: used for long running workloads but used when instance type might change during the period of time it's reserved
• Scheduled Reserved Instances: when you need to reserve an instance for a long period but you don't need it continuously (so for example you need it only in the morning)

False. You pay per second (after the first minute) when using Windows or Linux and per hour for any other OS.

On Demand is good for short-term non-interrupted workloads (but it also has the highest cost).

Reserved instances: they are cheaper than on-demand and the instance is yours for the chosen period of time.

Spot instances provide the biggest discount but has the disadvantage of risking losing them due bigger bid price.

Reserved instances from the "Scheduled Reserved Instances" type which allows you to reserve for specific time window (like 10:00-15:00 every day).

Spot instances. The discount potential is the highest compared to all other pricing models. The disadvantage is that you can lose the instance at any point so, you must run only workloads that you are fine with them failing suddenly.

EC2 Dedicated Host

In dedicated hosts you have per host billing, you have more visibility (sockets, cores, ...) and you can control where instance will be placed.

In dedicated instances the billing is per instance but you can't control placement and you don't have visibility of sockets, cores, ...

• Compliance needs
• When the software license is complex (Bring Your Own License) and doesn't support cloud or multi-tenants
• Regulatory requirements

"A security group acts as a virtual firewall that controls the traffic for one or more instances" More on this subject here

False. Security groups only contain allow rules.

True

False. They are locked down to regions and VPC.

True

Imagine you have an instance referencing two security groups, allowing to get inbound traffic from them.

Now imagine you have two instances, each using one of the security groups referenced in the instance we've just mentioned. This means you can get traffic from these two instances because they use security groups which referenced in the instance mentioned at the beginning. No need to use IPs.

EBS

Standard RI - most significant discount + suited for steady-state usage Convertible RI - discount + change attribute of RI + suited for steady-state usage Scheduled RI - launch within time windows you reserve

Learn more about EC2 RI here

1 or 3 years.

Security Groups

Bootstrapping is about launching commands when a machine starts for the first time. In AWS EC2 this is done using the EC2 user data script.

Security group isn't configured properly.

AWS: "Amazon EC2 Instance Connect provides a simple and secure way to connect to your Linux instances using Secure Shell (SSH)."

DO NOT configure AWS credentials on the instance (this means anyone else in your account would be able to use and see your credentials).

The best practice is to attach an IAM role with sufficient permissions (like IAMReadOnlyAccess)

False. When you cancel a Spot instance request, you are not terminating the instances created by it.

To terminate such instances, you must cancel the Spot instance request first.

Set of Spot instances and if you would like, also on-demand instances.

• lowestPrice: launch instances from the pool that has the lowest price
• diversified: distributed across all pools
• capacityOptimized: optimized based on the number of instances

A private IP and a public IP.

[AWS Docs](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Hibernate.html: "Hibernation saves the contents from the instance memory (RAM) to your Amazon Elastic Block Store (Amazon EBS) root volume."

True. This is because the operating system isn't restarted or stopped.

• Save RAM state
• Service with long time initialization
• Keep long-running processes

• Instance RAM size is limited
• Root volume must be encrypted EBS
• Hibernation time is limited
• Doesn't supports all instances types
• No support for bare metal. Only On-Demand and Reserved instances
• Doesn't supports all AMIs

• Next generation EC2 instances using new virtualization technology
• Better EBS: 64,000 EBS IOPS
• Better networking: HPC, IPv6
• Better security

• Modifying number of CPU cores (useful for high RAM and low CPU applications)
• Modifying number of threads per cure (useful for HPC workloads)

• Allows you to ensure you have EC2 capacity when you need it
• Usually combined with Reserved Instances and Saving Plans to achieve cost saving

AWS Docs: "You can create a launch template that contains the configuration information to launch an instance. You can use launch templates to store launch parameters so that you do not have to specify them every time you launch an instance"

Launch configuration is a legacy form of Launch Template that must be recreated every time you would like to update the configuration.

In addition, launch template has the clear benefits of:

• Provision both On-Demand and Spot instances
• supporting multiple versions
• support creating parameters subsets (used for reuse and inheritance)

AWS Docs: "An elastic network interface is a logical networking component in a VPC that represents a virtual network card."

1. One public IPv4 address
2. Mac Address
3. A primary private IPv4 address (from the address range of your VPC)

False. ENI are bound to specific availability zone.

True. They can be attached later on and on the fly (for failover purposes).

AWS Docs: "When you launch a new EC2 instance, the EC2 service attempts to place the instance in such a way that all of your instances are spread out across underlying hardware to minimize correlated failures. You can use placement groups to influence the placement of a group of interdependent instances to meet the needs of your workload."

• Cluster: places instance close together in an AZ.
• Spread: spreads the instance across the hardware
• Partition: spreads the instances across different partitions (= different sets of hardware/racks) within an AZ

• High availability is top priority - Spread
  • Low latency between instances - Cluster
  • Instances must be isolated from each other - Spread
  • Big Data applications that are partition aware - Partition
  • Big Data process that needs to end quickly - Cluster

Cons: if the hardware fails, all instances fail Pros: Low latency & high throughput network

Cons:

• Current limitation is 7 instances per AZ (per replacement group) Pros:
• Maximized high availability (instances on different hardware, span across AZs)

"A logically isolated section of the AWS cloud where you can launch AWS resources in a virtual network that you define" Read more about it here.

False

True. As of today, the soft limit is 5.

True. Just to clarify, a single subnet resides entirely in one AZ.

AWS reserves 5 IP addresses in each subnet - first 4 and the last one, and so they aren't available for use.

x.x.x.0 - network address x.x.x.1 - VPC router x.x.x.2 - DNS mapping x.x.x.3 - future use x.x.x.255 - broadcast address

AWS Docs: "component that allows communication between instances in your VPC and the internet"

In addition it's good to know that IGW is:

• Highly available and redundant
• Not porivding internet access by its own (you need route tables to be edited)
• Created separately from VPC

False. Only one VPC can be attached to one IGW and vice versa

True

docs.aws: "A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IPv4 addresses or IPv6 addresses."

False. Only one internet gateway can be attached to a single VPC.

Use Elastic IP which provides you a fixed IP address.

AWS Docs: Tenancy option defines if EC2 instances that you launch into the VPC will run on hardware that's shared with other AWS accounts or on hardware that's dedicated for your use only.

AWS Docs: "An Elastic IP address is a static IPv4 address designed for dynamic cloud computing. An Elastic IP address is allocated to your AWS account, and is yours until you release it. By using an Elastic IP address, you can mask the failure of an instance or software by rapidly remapping the address to another instance in your account."

Let's say you have an instance that you need to shutdown or perform some maintenance on. In that case, what you would want to do is to move the Elastic IP address to another instance that is operational, until you finish to perform the maintenance and then you can move it back to the original instance (or keep it assigned to the second one).

True

The best practice is actually not using them in the first place. It's more common to use a load balancer without a public IP or use a random public IP and register a DNS record to it

False. An Elastic IP is free of charge as long as **it is ** associated with an EC2 instance. This instance should be running and should have only one Elastic IP.

False.

• NACL - security layer on the subnet level.
• Security Group - security layer on the instance level.

Read more about it here and here

Allows you to connect your corporate network to AWS network.

Elastic IP

No. Since AWS reserves 5 IP addresses for every subnet, Kratos will have 32-5=27 addresses and this is less than what he needs (29).

It's better if Kratos uses a subnet of size /26 but good luck telling him that.

True.

False. The default VPC has internet connectivity and any launched EC2 instance gets a public IPv4 address.

In addition, any launched EC2 instance gets a public and private DNS names.

All of them :)

AWS definition: "AWS Lambda lets you run code without provisioning or managing servers. You pay only for the compute time you consume."

Read more on it here

False. Charges are being made when the function is executed for the time it takes to execute and compute resources it uses.

• Python, Ruby, Go, Node.js, PowerShell, C#

True

Users shouldn't access directly AWS Lambda directly. If you'd to like to expose your Lambda function to users a better approach would be to set up API Gateway endpoint between the users and the Lambda function.

This not only provides enhanced security but also easier access for the user where he can use HTTP or HTTPS for accessing the function.

• Uploading images to S3 and tagging them or inserting information on the images to a database
• Uploading videos to S3 and edit them or add subtitles/captions to them and store the result in S3
• Use SNS and/or SQS to trigger functions based on notifications or messages received from these services.
• Cron Jobs: Use Lambda together with CloudWatch events to schedule tasks/functions periodically.

That's a big no. You shouldn't let users direct access to your Lambda function.

The way to go here and expose the Lambda function to users is to to an API Gateway endpoint.

AWS Docs: "Amazon Elastic Container Service (Amazon ECS) is a fully managed container orchestration service. Customers such as Duolingo, Samsung, GE, and Cook Pad use ECS to run their most sensitive and mission critical applications because of its security, reliability, and scalability."

In simpler words, it allows you to launch containers on AWS.

While AWS takes care of starting/stopping containers, you need to provision and maintain the infrastructure where the containers are running (EC2 instances).

Install ECS agent on it. Some AMIs have built-in configuration for that.

• EC2 Instance
• AWS Fargate

AWS Docs: "Amazon Elastic Container Registry (ECR) is a fully-managed Docker container registry that makes it easy for developers to store, manage, and deploy Docker container images."

EC2 Instance Profile used by ECS agent on an EC2 instance to:

• Make API calls to ECS Service
• Send logs to CloudWatch from the container
• Use secrets defined in SSM Parameter Store or Secrets Manager
• Pull container images from ECR (Registry)

Using EFS is a good way to share data between containers and it works also between different AZs.

Amazon Docs: "AWS Fargate is a serverless, pay-as-you-go compute engine that lets you focus on building applications without managing servers. AWS Fargate is compatible with both Amazon Elastic Container Service (ECS) and Amazon Elastic Kubernetes Service (EKS)"

In simpler words, AWS Fargate allows you launch containers on AWS without worrying about managing infrastructure. It runs containers based on the CPU and RAM you need.

In AWS ECS, you manage the infrastructure - you need to provision and configure the EC2 instances.

While in AWS Fargate, you don't provision or manage the infrastructure, you simply focus on launching Docker containers. You can think of it as the serverless version of AWS ECS.

True.

• S3 is a object storage service which is fast, scalable and durable. S3 enables customers to upload, download or store any file or object that is up to 5 TB in size.

• S3 stands for: Simple Storage Service

• As a user you don't have to worry about filesystems or disk space

An S3 bucket is a resource which is similar to folders in a file system and allows storing objects, which consist of data.

False. They are defined at the region level.

True

A S3 bucket name is immutable. That means it's not possible to change it, without removing and creating a new bucket.

This is why the process for renaming a bucket is as follows:

• Create a new bucket with the desired name
• Move the data from the old bucket to it
• Delete the old bucket

With the AWS CLI that would be:

# Create new bucket
aws s3 mb s3://[NEW_BUCKET_NAME]
# Sync the content from the old bucket to the new bucket
$ aws s3 sync s3://[OLD_BUCKET_NAME] s3://[NEW_BUCKET_NAME]
# Remove old bucket
$ aws s3 rb --force s3://[OLD_BUCKET_NAME]

True

Amazon docs: "Multipart upload allows you to upload a single object as a set of parts. Each part is a contiguous portion of the object's data...In general, when your object size reaches 100 MB, you should consider using multipart uploads instead of uploading the object in a single operation."

When enabled at a bucket level, versioning allows you to upload new version of files, overriding previous version and so be able to easily roll-back and protect your data from being permanently deleted.

• Object Lifecycles - Transfer objects between storage classes based on defined rules of time periods
  • Object Sharing - Share objects via a URL link

Object Durability: The percent over a one-year time period that a file will not be lost Object Availability: The percent over a one-year time period that a file will be accessible

False. A newly created bucket is private unless it was configured to be public.

Since every newly created bucket is by default private it doesn't allows to share files with users. Even if the person who uploaded them tries to view them, it gets denied.

A presigned URL is a way to bypass that and allow sharing the files with users by including the credentials (token) as part of the URL. It can be done for limited time.

• Don't make a bucket public.
  • Enable encryption if it's disabled.
  • Define an access policy

• SSE-S3
• SSE-KMS
• SSE-C

1. You upload a file to S3 using HTTP (or HTTPS) and header
2. S3 uses the managed data key to encrypt it
3. S3 stores the encrypted object in the bucket

False. S3 manages the key and uses AES-256 algorithm for the encryption.

The KMS service.

SS3-KMS provides control over who has access to the keys and you can also enabled audit trail.

False. You manage the keys. It's customer provided keys.

True.

1. User uploads a file to S3 using HTTPS while providing data key in the header
2. AWS S3 performs the encryption using the provided data key and encrypted object is stored in the bucket

If a user would like to get the object, the same data key would have to be provided.

x-amz

Each object has a storage class assigned to, affecting its availability and durability. This also has effect on costs. Storage classes offered today:

• Standard:

  • Used for general, all-purpose storage (mostly storage that needs to be accessed frequently)
  • The most expensive storage class
  • 11x9% durability
  • 2x9% availability
  • Default storage class

• Standard-IA (Infrequent Access)

  • Long lived, infrequently accessed data but must be available the moment it's being accessed
  • 11x9% durability
  • 99.90% availability

• One Zone-IA (Infrequent Access):

  • Long-lived, infrequently accessed, non-critical data
  • Less expensive than Standard and Standard-IA storage classes
  • 2x9% durability
  • 99.50% availability

• Intelligent-Tiering:

  • Long-lived data with changing or unknown access patterns. Basically, In this class the data automatically moves to the class most suitable for you based on usage patterns
  • Price depends on the used class
  • 11x9% durability
  • 99.90% availability

• Glacier: Archive data with retrieval time ranging from minutes to hours

• Glacier Deep Archive: Archive data that rarely, if ever, needs to be accessed with retrieval times in hours

• Both Glacier and Glacier Deep Archive are:

  • The most cheap storage classes
  • have 9x9% durability

More on storage classes here

Glacier Deep Archive

Expedited, Standard and Bulk

False. Unlimited capacity.

"AWS Storage Gateway is a hybrid cloud storage service that gives you on-premises access to virtually unlimited cloud storage". More on Storage Gateway here

Explained in detail here

Stored Volumes - Data is located at customer's data center and periodically backed up to AWS Cached Volumes - Data is stored in AWS cloud and cached at customer's data center for quick access

AWS definition: "Amazon S3 Transfer Acceleration enables fast, easy, and secure transfers of files over long distances between your client and an S3 bucket"

Learn more here

S3 Data Consistency provides strong read-after-write consistency for PUT and DELETE requests of objects in the S3 bucket in all AWS Regions. S3 always return latest file version.

No. S3 support only statis hosts. On a static website, individual webpages include static content. They might also contain client-side scripts. By contrast, a dynamic website relies on server-side processing, including server-side scripts such as PHP, JSP, or ASP.NET. Amazon S3 does not support server-side scripting.

RTO - The maximum acceptable length of time that your application can be offline.

RPO - The maximum acceptable length of time during which data might be lost from your application due to an incident.

• The Cold Method - Periodically backups and sending the backups off-site

• Pilot Light - Data is mirrored to an environment which is always running

• Warm Standby - Running scaled down version of production environment

• Multi-site - Duplicated environment that is always running

Lowest - Multi-site Highest - The cold method

AWS definition: "Amazon CloudFront is a fast content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally with low latency, high transfer speeds, all within a developer-friendly environment."

More on CloudFront here

True

A transport solution which was designed for transferring large amounts of data (petabyte-scale) into and out the AWS cloud.

Deploy the application in multiple Regions. Use Amazon Route 53 DNS health checks to route traffic to a healthy Region

AWS Docs: "Elastic Load Balancing automatically distributes incoming application traffic across multiple targets, such as Amazon EC2 instances, containers, IP addresses, and Lambda functions."

True. AWS responsible for making sure ELB is operational and takes care of lifecycle operations like upgrades, maintenance and high availability.

• Classic Load Balancer (CLB): Mainly for TCP (layer 4) and HTTP, HTTPS (layer 7)
• Application Load Balancer (ALB): Mainly for HTTP, HTTPS and WebSocket
• Network Load Balancer (NLB): Mainly for TCP, TLS and UDP
• Gateway Load Balancer (GWLB): Mainly for layer 3 operations (IP protocol)

Application Load Balancer (ALB).

• Intrusion Detection
• Firewall
• Payload manipulation

Health checks used by ELB to check whether EC2 instance(s) are properly working.

If health checks fail, ELB knows to not forward traffic to that specific EC2 instance where the health checks failed.

True.

For example, port 2017 and endpoint /health.

• Application LB - layer 7 traffic

• Network LB - ultra-high performances or static IP address (layer 4)

• Classic LB - low costs, good for test or dev environments (retired by August 15, 2022)

• Gateway LB - transparent network gateway and and distributes traffic such as firewalls, intrusion detection and prevention systems, and deep packet inspection systems. (layer 3)

Application Load Balancer (routing based on different endpoints + HTTP is used).

• EC2 tasks
• ECS instances
• Lambda functions
• Private IP Addresses

False. ALB can route to multiple target groups.

Gateway Load Balancer

Network Load Balancer (~100 ms) as ALB has a latency of ~400 ms

True.

• EC2 instance
• IP addresses
• Application Load Balancer

• EC2 instance
• IP addresses (must be private IPs)

You might want to have a fixed IP address (NLB) and then forward HTTP traffic based on path, query, ... which is then done by ALB

• TCP, UDP traffic
• Extreme performance

True. They forward TCP, UDP traffic.

False. This is only supported in Classic Load Balancer and Application Load Balancer.

With cross zone load balancing, traffic distributed evenly across all (registered) instances in all the availability zones.

False. It's disabled by default

True. It charges for inter AZ data in network load balancer, but not in application load balancer

True

The period of time or process of "draining" instances from requests/traffic (basically let it complete all active connections but don't start new ones) so it can be de-registered eventually and ELB won't send requests/traffic to it anymore.

Layer 4

True.

True

Amazon Docs: "An Auto Scaling group contains a collection of Amazon EC2 instances that are treated as a logical grouping for the purposes of automatic scaling and management. An Auto Scaling group also enables you to use Amazon EC2 Auto Scaling features such as health check replacements and scaling policies"

One of the instances will be terminated.

One way is to use CloudWatch alarms where an alarm will monitor a metric and based on a certain value (or range) you can choose to scale-in or scale-out the ASG.

• Network In/Out
• Number of requests on ELB per instance
• Average CPU, RAM usage

A policy in which scaling will occur automatically based on different metrics.

There are 3 types:

1. Target Tracking Scaling: scale when the baseline changes (e.g. CPU is over 60%)
2. Step Scaling: more granular scaling where you can choose different actions for different metrics values (e.g. when CPU less than 20%, remove one instance. When CPU is over 40%, add 3 instances)
3. Scheduled Actions: set in advance scaling for specific period of time (e.g. add instances on Monday between 10:00 am to 11:00 am)

Scale by analyzing historical load and schedule scaling based on forecast load.

During a scaling cooldown, ASG will not terminate or launch additional instances. The cooldown happens after scaling activity and the reason for this behaviour is that some metrics have to be collected and stabilize before another scaling operating can take place.

1. It finds the AZ which the most number of EC2 instances
2. If number of instances > 1, choose the one with oldest launch configuration, template and terminate it

True, this is why when it terminates instances, it chooses the AZ with the most instances.

Lifecycle hooks allows you perform extra steps before the instance goes in service (During pending state) or before it terminates (during terminating state).

Lifecycle hooks in pending state.

In Linux instances, you can install the 'stress' package and run stress to load the system for certain period of time and see if ASG kicks in by adding additional capacity (= more instances).

For example: sudo stress --cpu 100 --timeout 20

The shared responsibility model defines what the customer is responsible for and what AWS is responsible for.

More on the shared responsibility model here

False. It is responsible for Hardware in its sites but not for security groups which created and managed by the users.

AWS definition: "apply to both the infrastructure layer and customer layers, but in completely separate contexts or perspectives. In a shared control, AWS provides the requirements for the infrastructure and the customer must provide their own control implementation within their use of AWS services"

Learn more about it here

• Instance IAM roles should have minimal permissions needed. You don't want an instance-level incident to become an account-level incident
  • Use "AWS System Manager Session Manager" for SSH
  • Using latest OS images with your instances

AWS definition: "AWS Artifact is your go-to, central resource for compliance-related information that matters to you. It provides on-demand access to AWS’ security and compliance reports and select online agreements."

Read more about it here

AWS definition: "Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Amazon Inspector automatically assesses applications for exposure, vulnerabilities, and deviations from best practices.""

Learn more here

AWS definition: "Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your Amazon Web Services accounts, workloads, and data stored in Amazon S3"

Monitor VPC Flow lows, DNS logs, CloudTrail S3 events and CloudTrail Mgmt events.

AWS definition: "AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS."

Amazon definition: "AWS CloudHSM is a cloud-based hardware security module (HSM) that enables you to easily generate and use your own encryption keys on the AWS Cloud."

Learn more here

True

AWS definition: "KMS makes it easy for you to create and manage cryptographic keys and control their use across a wide range of AWS services and in your applications." More on KMS here

It describes prohibited uses of the web services offered by AWS. More on AWS Acceptable Use Policy here

False. On some services, like EC2, CloudFront and RDS, penetration testing is allowed.

False.

False. Security key is an example of an MFA device.

Amazon definition: "Amazon Cognito handles user authentication and authorization for your web and mobile apps."

Learn more here

Amazon definition: "AWS Certificate Manager is a service that lets you easily provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services and your internal connected resources."

Learn more here

• Relational Database Service
• Managed DB service (you can't ssh the machine)
• Supports multiple DBs: MySQL, Oracle, Aurora (AWS Proprietary), ...

AWS RDS is a managed service, that means it's automatically provisioned and patched for you.

In addition, it provides you with continuous backup (and the ability to restore from any point of time), scaling capability (both horizontal and vertical), monitoring dashboard and read replicas.

• Automated backups
• Full daily backup (done during maintenance window)
• Transactions logs backup every 5 minutes
• Retention can be increased and by default it's 7 days

• RDS storage can automatically be increased upon lack in storage
• The user needs to set "Maximum Storage Threshold" to have some limit on storage scaling
• Use cases: applications with unpredictable workloads
• Supports multiple RDS database engines

AWS Docs: "Amazon RDS Read Replicas provide enhanced performance and durability for RDS database (DB) instances. They make it easy to elastically scale out beyond the capacity constraints of a single DB instance for read-heavy database workloads."

In simpler words, it allows you to scale your reads.

True

True. This is done so the reads are consistent.

False. RDS is relational database and MongoDB is a NoSQL db.

You have a main application which works against your database but you would like to add additional app, one used for logging, analytics, ... so you prefer it won't use the same database. In this case, you create a read replica instance and the second application works against that instance.

• RDS multi AZ used mainly for disaster recovery purposes
• There is an RDS master instance and in another AZ an RDS standby instance
• The data is synced synchronously between them
• The user, application is accessing one DNS name and where there is a failure with the master instance, the DNS name moves to the standby instance, so the failover done automatically

False. It's a zero downtime operation = no need to stop the database.

1. Snapshot is taken by RDS
2. The snapshot is restored to another, standby, RDS instance
3. Synchronization is enabled between the two instances

True

False

• If RDS database is encrypted then, the snapshot itself is also encrypted
• If RDS database isn't encrypted then, the snapshot itself isn't encrypted and then you can copy the un-encrypted snapshot to created an encrypted copy

Create a copy of the un-encrypted instance -> copy the snapshot to create an encrypted copy -> restore the database from the encrypted snapshot -> migrate the application to work against the copied instance -> remove the original DB instance

For example:

1. EC2 instance uses IAM role to make an API call to get auth token
2. The token, with SSL encryption, is used for accessing the RDS instance

Note: The token has a lifetime of 15 minutes

True. Since read replicas add endpoints, each with its own DNS name, you need to modify your app to reference these new endpoints to balance the load read.

• A MySQL & Postgresql based relational database.
• Proprietary technology from AWS
• The default database proposed for the user when using RDS for creating a database.
• Storage automatically grows in increments of 10 GiB
• HA native - failover in instant
• Has better performances over MySQL and Postgres
• Supports 15 replicas (while MySQL supports 5)

False. It stores 6 copies across 3 availability zones

True

False. 100 volumes.

True. If your read replica instances exhaust their CPU, you can scale by adding more instances

• Aurora serverless is an automated database instantiation and it's auto scaled based on an actual usage
• It's good mainly for infrequent or unpredictable workflows
• You pay per second so it can eventually be more cost effective

Aurora multi-master is perfect for a use case where you want to have instant failover for write node.

Amazon definition: "You can create on-demand backups of your Amazon DynamoDB tables, or you can enable continuous backups using point-in-time recovery. For more information about on-demand backups, see On-Demand Backup and Restore for DynamoDB."

Learn more here

Amazon definition: "A global table is a collection of one or more replica tables, all owned by a single AWS account."

Learn more here

Amazon definition: "Amazon DynamoDB Accelerator (DAX) is a fully managed, highly available, in-memory cache for DynamoDB that delivers up to a 10x performance improvement – from milliseconds to microseconds..."

Learn more here

Amazon Elasticache is a fully managed Redis or Memcached in-memory data store.

It's great for read-intensive workloads where the common data/queries are cached and apps/users access the cache instead of the primary database.

1. The application performs a query against the DB. There is a check to see if the data is in the cache
2. If it is, it's a "cache hit" and the data is retrieved from there
3. If it's not in there, it's a "cache miss" and the data is pulled from the database
4. The data is then also written to the cache (assuming it is often accessed) and next time the user queries for the same data, it might be retrieved from the cache (depends on how much time passed and whether this specific data was invalidated or not)

Let's say you have multiple instances running the same application and every time you use the application, it creates a user session.

This user session can be stored in ElastiCache so even if the user contacts a different instance of the application, the application can retrieve the session from the ElsatiCache.

ElastiCache Redis.

ElastiCache Redis.

ElastiCache Memcached

True.

• Write Through: add or update data in the cache when the data is written to the DB
• Lazy Loading: all the read data is cached
• Session Store: store temporary session data in cache

cloud data warehouse

• You can confirm your suspicion by going to AWS Redshift console and see running queries graph. This should tell you if there are any long-running queries.
• If confirmed, you can query for running queries and cancel the irrelevant queries
• Check for connection leaks (query for running connections and include their IP)
• Check for table locks and kill irrelevant locking sessions

Amazon definition: "Amazon DocumentDB (with MongoDB compatibility) is a fast, scalable, highly available, and fully managed document database service that supports MongoDB workloads. As a document database, Amazon DocumentDB makes it easy to store, query, and index JSON data."

Learn more here

EBS

AWS CodeDeploy

AWS Lambda

CloudFormation

Cognito

Lightsail

Cost Explorer

Trusted Advisor

AWS Snowball

AWS RedShift

VPC

Amazon Aurora

AWS Database Migration Service (DMS)

AWS CloudTrail

AWS RDS

AWS DynamoDB

AWS Rekognition

AWS X-Ray

SNS

AWS Athena

AWS Glue

Amazon GuardDuty

AWS Organizations

AWS WAF

CloudWatch

AWS Inspector

Route 53

Amazon DocumentDB

AWS Cognito

AWS SQS. Since it's a messaging queue so it allows applications to switch from synchronous communication to asynchronous one.

Simple Queue Service (SQS)

AWS Shield

ElastiCache

Amazon S3 Transfer Acceleration

Lambda - to define a function that gets an input and returns a certain string

API Gateway - to define the URL trigger (= when you insert the URL, the function is invoked).

Kinesis

Trusted Advisor

Storage Gateway

AWS Route 53: "Amazon Route 53 is a highly available and scalable cloud Domain Name System (DNS) web service..."

Some of Route 53 features:

• Register domains
• DNS service - domain name translations
• Health checks - verify your app is available
• Not a feature but its SLA is 100% availability

The customer can update DNS records

• Domain/subdomain name (e.g. blipblop.com)
• Value (e.g. 201.7.202.2)
• Record type (e.g. A, AAAA, MX)
• TTL: amount of time the record is going to be cached
• Routing Policy: how to respond to queries

• A
• AAAA
• CNAME
• NS
• DS
• CAA
• SOA
• MX
• TXT
• SPF
• SRV
• NAPTR
• PTR

A container that includes records for defining how to route traffic from a domain and its subdomains

• Public Hosted Zones - include records to specify how to route traffic on the internet
• Private Hosted Zones - contain records that specify how you traffic within VPC(s)

CNAME is used for mapping one hostname to any other hostname while Alias is used to map an hostname to an AWS resource.

In addition, Alias work for both root domain (somedomain.com) and non-root domain, while CNAME works only with non-root domain (foo.somedomain.com)

False

True

True

A routing policy routing defines how Route 53 responds to DNS queries.

• Simple
• Geolocation
• Failover
• Latency based
• Geoproximity
• Multi-Value Answer
• Weighted

Weighted routing policy.

The simple routing policy

• Routing based on user location
• Location can be specified by continent, country or US state
• It's recommended to have a default record in case there is no match on location

• Restrict content distribution
• App localization
• Load balancing

• Route based on the geographic location of resources
• Shifting routing is done based on the bias value
• Resources can be of AWS and non-AWS type
  • For non-AWS you have to specify latitude and longitude in addition to AWS region as done in AWS-based resources
• To use it, you have to use Route 53 traffic flow

• Load balancing between regions
• Testing new applications versions

True.

If multiple values are returned from Route 53 then, the client chooses a single value to use.

False. They must have the same name AND type.

Latency-based routing policy.

All records are used equally.

Automated DNS failover based on monitoring:

• Another health check
• endpoint (app, AWS resource, server)
• CloudWatch alarms

Geoproximity routing policy

It's a visual editor for managing complex routing decision trees. It allows you to simplify the process of managing records.

Configuration can be saved (as Traffic Flow Policy) and applied to different domains/hosted zones. In addition, it supports versioning

When you combine the results of multiple health checks into a single health check.

Performing maintenance for a website without causing all the health checks to fail.

Geolocation routing policy. It's based on user location.

Don't confuse it with latency-based routing policy. While shorter distance may result in lower latency, this is not the requirement in the question.

False. Route 53 Multi Value is not a substitute for ELB. It's focused on client-side load balancing as opposed to ELB.

False. DNS service can be Route 53 (where you manage DNS records) while the domain itself can be purchased from other sources that aren't Amazon related (e.g. GoDadday).

AWS definition: "Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications".

Learn more about it here

Producer is the application or in general, the source that sends messages to the queue.

Consumer is the process or application that pulls the messages from the queue.

It refers to a retention period in which a message has to consumed/processed and deleted from the queue.

As of today, the retention of a message is 4 days by default and the maximum allows is 14 days.

256KB

True. It's referred to as "at least once delivery".

False. They can be Lambda functions and even on-premise instances

True.

It means messages in the queue can be out of order.

It's the time in seconds to delay the delivery of new messages (when they reached the queue already).

The limit as of today is 15 minutes.

The time in seconds for a message to not be visible for consumers.

The limit as of today is 12 hours

A website that allows users to upload videos and adds subtitles to them:

1. First the user uploads the video through the web interface which uploads it to an S3 bucket
2. SQS gets notified with a message on the video location
3. EC2 instance (or Lambda function) starts to work on adding the subtitles
4. The video with the subtitles is uploaded to an S3 buckets
5. SQS gets notified of the result and specifically the video location

AWS definition: "a highly available, durable, secure, fully managed pub/sub messaging service that enables you to decouple microservices, distributed systems, and serverless applications."

Read more about it here

• Topics - used for grouping multiple endpoints
  • Subscribers - the endpoints where topics send messages to
  • Publishers - the provider of the message (event, person, ...)

SNS, as opposed to SQS, works in a publisher/subscriber model. Where's SQS works in Producer/Consumer model.

SQS delivers the message to one consumer where's SNS will send a message to multiple subscribers.

A messaging pattern where a single message is send to multiple destinations (often simultaneously). So one-to-many broadcast message.

AWS definition: "Amazon CloudWatch is a monitoring and observability service..."

More on CloudWatch here

AWS definition: "AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account."

Read more on CloudTrail here

AWS organizations service and the definition by Amazon: "SCPs offer central control over the maximum available permissions for all accounts in your organization, allowing you to ensure your accounts stay within your organization’s access control guidelines."

Learn more here

It mainly works on "pay-as-you-go" meaning you pay only for what are using and when you are using it. In s3 you pay for 1. How much data you are storing 2. Making requests (PUT, POST, ...) In EC2 it's based on the purchasing option (on-demand, spot, ...), instance type, AMI type and the region used.

More on AWS pricing model here

• TCO calculator
• AWS simple calculator
• Cost Explorer
• AWS Budgets
• Cost Allocation Tags

• 24x7 customer service
• Trusted Advisor
• AWS personal Health Dashoard

Amazon definition: "Amazon Connect is an easy to use omnichannel cloud contact center that helps companies provide superior customer service at a lower cost."

Learn more here

Amazon definition: "APN Consulting Partners are professional services firms that help customers of all types and sizes design, architect, build, migrate, and manage their workloads and applications on AWS, accelerating their journey to the cloud."

Learn more here

• Basic, Developer, Business, Enterprise

True. You pay differently based on the chosen region.

AWS Definition: "AWS Infrastructure Event Management is a structured program available to Enterprise Support customers (and Business Support customers for an additional fee) that helps you plan for large-scale events such as product or application launches, infrastructure migrations, and marketing events."

AWS definition: "AWS Organizations helps you centrally govern your environment as you grow and scale your workloads on AWS."

Read more on Organizations here

OU (Organizational Units) is a way to group multiple accounts together so you can treat them as a single unit.

By default there is the "Root" OU created in AWS Organizations.

Most of the time OUs are based on functions or common set of controls.

Amazon definition: "AWS CodeDeploy is a fully managed deployment service that automates software deployments to a variety of compute services such as Amazon EC2, AWS Fargate, AWS Lambda, and your on-premises servers."

Learn more here

AWS definition: "AWS CloudFormation is a service that helps you model and set up your Amazon Web Services resources so that you can spend less time managing those resources and more time focusing on your applications that run in AWS. You create a template that describes all the AWS resources that you want (like Amazon EC2 instances or Amazon RDS DB instances), and CloudFormation takes care of provisioning and configuring those resources for you."

AWS definition: "The AWS Cloud Development Kit (AWS CDK) is an open-source software development framework to define cloud infrastructure as code and provision it through AWS CloudFormation. CDK gives the flexibility to use popular programming languages like TypeScript, JavaScript, Python, Java, C# and Go (in Developer Preview) to define your infrastructure, and AWS CDK provides a set of libraries for AWS services that abstract away the need to write raw CloudFormation templates.

Learn more here

AWS definition: "Lightsail is an easy-to-use cloud platform that offers you everything needed to build an application or website, plus a cost-effective, monthly plan."

AWS definition: "Amazon Rekognition makes it easy to add image and video analysis to your applications using proven, highly scalable, deep learning technology that requires no machine learning expertise to use."

Learn more here

Amazon definition: "You can use resource groups to organize your AWS resources. Resource groups make it easier to manage and automate tasks on large numbers of resources at one time. "

Learn more here

Amazon definition: "AWS Global Accelerator is a service that improves the availability and performance of your applications with local or global users..."

Learn more here

Amazon definition: "AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources."

Learn more here

AWS definition: "AWS X-Ray helps developers analyze and debug production, distributed applications, such as those built using a microservices architecture." Learn more here

Amazon definition: "AWS OpsWorks is a configuration management service that provides managed instances of Chef and Puppet."

Learn more about it here

"AWS Snowmobile is an Exabyte-scale data transfer service used to move extremely large amounts of data to AWS."

Learn more here

"Amazon Athena is an interactive query service that makes it easy to analyze data in Amazon S3 using standard SQL."

Learn more about AWS Athena here

Amazon definition: "Amazon Cloud Directory is a highly available multi-tenant directory-based store in AWS. These directories scale automatically to hundreds of millions of objects as needed for applications."

Learn more here

AWS definition: "AWS Elastic Beanstalk is an easy-to-use service for deploying and scaling web applications and services...You can simply upload your code and Elastic Beanstalk automatically handles the deployment"

Learn more about it here

Amazon definition: "Amazon SWF helps developers build, run, and scale background jobs that have parallel or sequential steps. You can think of Amazon SWF as a fully-managed state tracker and task coordinator in the Cloud."

Learn more on Amazon Simple Workflow Service here

AWS definition: "big data platform for processing vast amounts of data using open source tools such as Apache Spark, Apache Hive, Apache HBase, Apache Flink, Apache Hudi, and Presto."

Learn more here

AWS definition: "Quick Starts are built by AWS solutions architects and partners to help you deploy popular technologies on AWS, based on AWS best practices for security and high availability."

Read more here

Amazon definition: "AWS Trusted Advisor provides recommendations that help you follow AWS best practices. Trusted Advisor evaluates your account by using checks. These checks identify ways to optimize your AWS infrastructure, improve security and performance, reduce costs, and monitor service quotas."

Learn more here

Amazon definition: "AWS Service Catalog allows organizations to create and manage catalogs of IT services that are approved for use on AWS."

Learn more here

Amazon definition: "AWS Professional Services created the AWS Cloud Adoption Framework (AWS CAF) to help organizations design and travel an accelerated path to successful cloud adoption. "

Learn more here

AWS: "AWS Cloud9 is a cloud-based integrated development environment (IDE) that lets you write, run, and debug your code with just a browser"

AWS: "AWS CloudShell is a browser-based shell that makes it easy to securely manage, explore, and interact with your AWS resources."

Amazon definition: "AWS Application Discovery Service helps enterprise customers plan migration projects by gathering information about their on-premises data centers."

Learn more here

AWS definition: "The Well-Architected Framework has been developed to help cloud architects build secure, high-performing, resilient, and efficient infrastructure for their applications. Based on five pillars — operational excellence, security, reliability, performance efficiency, and cost optimization"

Learn more here

AWS Lambda AWS Athena

ARN (Amazon Resources Names) are used for uniquely identifying different AWS resources. It is used when you would like to identify resource uniqely across all AWS infrastructures.

• Application/Service is running in at least 2 availability zones
• Application/Service should survive (= operate as usual) a data center disaster

One way is through launching a new instance. In more detail:

1. Launch a new instance
2. Install all the updates and applications
3. Test the instance
4. If all tests passed successfully, you can start using the new instance and perform the switch with the old one, in one of various ways:
5. Go to route53 and update the record with the IP of the new instance
6. If you are using an Elastic IP then move it to the new instance ...

EBS volumes are locked to a specific availability zone. To use them in another availability zone, you need to take a snapshot and restore it in the destination availability zone.

Consider creating customized AMI with the commands from user data already executed there. This will allow you launch instance instantly.

Security group isn't attached to your EFS or it lacks a rule to allow NFS traffic.

1. Pause the application
2. Take a snapshot of the EBS volume
3. Restore the snapshot in another availability zone

1. Create EBS snapshot of the volume
2. Copy the snapshot and mark the "Encrypt" option
3. Create a new EBS volume out of the encrypted snapshot

Missing security group or misconfigured one. For example, if you go to your instances in the AWS console you might see that the instances under your NLB are in "unhealthy status" and if you didn't create a dedicated security group for your NLB, that means that the security group used is the one attached to the EC2 instances.

Go to the security group of your instance(s) and enable the traffic that NLB should forward (e.g. TCP on port 80).

Enable sticky sessions. This way, the user keep working against the same instance, instead of being redirected to a different instance every request.

One possible way is to use health checks with the load balancer to ensure the instances are ready to be used before forwarding traffic to them.

It's possible that traffic is distributed evenly between the AZs but that doesn't mean it's distributed equally across all instances evenly.

To distribute it evenly between all the instances, you have to enable cross-zone load balancing.

Yes, using SNI (Server Name Indication) each application can has its own SSL certificate (This is supported from 2017).

Read Replicas use asynchronous replication so it's possible users access a read replica instance that wasn't synced yet.

EFS. It allows us to have persistent multi-AZ shared storage for containers.

Use Amazon EventBridge so every time a file is uploaded to an S3 bucket (event) it will run an ECS task.

Such task should have an ECS Task Role so it can get the object from the S3 bucket (and possibly other permissions if it needs to update the DB for example).

Often circular scaling (scale down, up and vice versa) is not a sign that the threshold set for scaling down and up are met quite often. In most cases that's a sign for you to adjust the threshold so scaling down doesn't happen as often.

Network Load Balancer

You can use an ElastiCache cluster or RDS Read Replicas.

More details are missing to determine for sure but it might be better to decouple the applications by introducing one of the following:

• Queue model with SQS
• Publisher/Subscriber model with SNS