- Region - physical location; consists of multiple (usually three or more) isolated AZs
- Availability Zones - one or more discrete data centers with redundant power, networking and connectivity
- Edge Locations - endpoints for caching content (CloudFront CDN); far more edge locations than regions
- IAM
- Secure the root account: enable MFA, delete (or never create) root access keys, use root only for tasks that require it
- Enable MFA for every human user, not only root
- Create an admin group and attach the admin policy to the group, not to individual users
- Create individual user accounts and add each user to the right group; never share accounts
- Type:
- User: a physical person (or an application that needs long-term credentials)
- Groups: collections of users by function (developers, admins, finance); permissions are attached to the group
- Roles: assumed by AWS services, EC2 instances, Lambda, federated users or other accounts; they issue temporary credentials and have no long-term keys
- Info
- Assign permissions using IAM policy documents (JSON)
- IAM is global (not region-scoped)
- A new user has no permissions by default (implicit deny)
- An access key ID + secret access key is used for the API and CLI; the secret is shown only once at creation, so store it in a secrets store, never in code or user data
- Set a password policy (length, complexity, rotation)
- Always assign the minimum privileges a user needs to do their job (least privilege)
- Federation:
- IAM Federation: use existing corporate credentials (e.g. Microsoft Active Directory) to sign in to AWS instead of creating IAM users
- Identity Federation: SAML 2.0 (e.g. AD FS) or OpenID Connect; the federated identity assumes an IAM role and receives temporary credentials
Policy Documents (this example is the "allow everything" policy, equivalent to AdministratorAccess; attach it only to the admin group, never use it as a template for normal users)
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}
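Added example (not from the notes and not AWS tooling): a small least-privilege linter that reads a policy document like the one above and flags the grants a reviewer would push back on. The two policies embedded in it are constructed samples, and the list of sensitive actions is an assumption for illustration, not an AWS-maintained list.

```python
"""Least-privilege linter for IAM policy documents (added example, not AWS tooling).

Flags the patterns a reviewer rejects: wildcard Action with wildcard Resource,
NotAction/NotResource inversions, and privilege-escalation actions such as
iam:PassRole granted on every resource without a Condition.
"""
import json

# Constructed sample: the "allow everything" document from the notes.
ADMIN_POLICY = """
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Action": "*", "Resource": "*" }
  ]
}
"""

# Constructed sample: a scoped-down policy that still escalates via PassRole.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Allow",
         "Action": "iam:PassRole",
         "Resource": "*"},
    ],
}

# Assumed list for illustration: actions that let a principal escalate
# when granted on Resource "*".
SENSITIVE_ACTIONS = {"iam:passrole", "sts:assumerole", "iam:createpolicyversion",
                     "iam:attachuserpolicy", "iam:attachrolepolicy"}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource/Statement; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return a list of (statement_index, finding) for an IAM policy (dict or JSON)."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        resources = _as_list(stmt.get("Resource"))
        any_resource = "*" in resources
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((i, "NotAction/NotResource grants everything except the listed items"))
        if "*" in actions and any_resource:
            findings.append((i, "Action * on Resource * is equivalent to AdministratorAccess"))
        elif any_resource and "Condition" not in stmt:
            for act in actions:
                if act in SENSITIVE_ACTIONS or act.endswith(":*"):
                    findings.append((i, f"{act} on Resource * without a Condition"))
    return findings


if __name__ == "__main__":
    for name, pol in (("admin", ADMIN_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, lint_policy(pol))
```

Run it against every policy a pull request adds; the scoped policy is the interesting case, because iam:PassRole on every role lets the holder hand an admin role to a Lambda or EC2 instance they control.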
- S3
- info
- Object-based storage (flat key/value namespace, not a file system)
- Unlimited total storage; individual objects from 0 bytes to 5 TB
- Universal namespace: bucket names are globally unique across all accounts
- Buckets are private by default; keep Block Public Access on unless a bucket is deliberately public
- Can host static websites (HTTP only on the website endpoint)
- Scales automatically
- Versioning cannot be disabled once enabled, only suspended
- Replication (same-region or cross-region) copies objects between buckets; versioning must be enabled on source and destination
- Delete markers are not replicated by default
- Type:
- S3 Standard - frequently accessed data
- S3 Standard-Infrequent Access - backups, DR files; per-GB retrieval fee
- S3 One Zone-Infrequent Access - non-critical, reproducible data (single AZ)
- S3 Glacier Instant Retrieval - long-term archive with millisecond retrieval
- S3 Glacier Flexible Retrieval - long-term archive, retrieval in minutes to hours
- S3 Glacier Deep Archive - 12-hour standard retrieval; old financial/compliance records
- S3 Intelligent-Tiering - unknown or changing access patterns; moves objects between tiers automatically
- S3 Object Lock
- Write once, read many (WORM)
- Applied per object or as a bucket default
- Governance mode - objects cannot be overwritten or deleted during the retention period unless the caller has the s3:BypassGovernanceRetention permission
- Compliance mode - nobody, including the root user, can overwrite or delete during the retention period
- S3 Glacier Vault Lock - the WORM equivalent for Glacier vaults; once locked, the vault policy itself cannot be changed
- S3 Performance
- Request limits are per prefix (3,500 PUT/COPY/POST/DELETE and 5,500 GET/HEAD per second); spread keys over more prefixes for more throughput
- Multipart upload for large objects (recommended above 100 MB, required above 5 GB)
- Byte-range fetches to download parts of an object in parallel or retry only the failed range
- EC2
- Type:
- On-Demand - pay by the second/hour, no commitment
- Spot - unused capacity at up to 90% discount; can be interrupted with a two-minute warning, so only for fault-tolerant work
- Reserved - 1- or 3-year commitment, up to 72% discount
- Dedicated Hosts - physical server dedicated to you; for compliance or per-socket/per-core licensing
- Info:
- IAM roles can be attached to or detached from a running instance without stopping or terminating it
- Security group changes take effect immediately
- Security groups block all inbound traffic by default and allow all outbound traffic
- Bootstrap script runs when the instance first starts
- User Data = bootstrap script; it is not encrypted and is readable from the instance metadata service, so never put secrets in it
- Metadata = data about the instance (IPs, role credentials, user data) served at 169.254.169.254; require IMDSv2 (session token) so an SSRF bug cannot read the role credentials with a single GET
- Network type:
- Elastic Network Interface (ENI) - basic virtual NIC; an instance can have several
- Enhanced Networking - SR-IOV, 10 Gbps to 100 Gbps
- Elastic Fabric Adapter (EFA) - machine learning / high performance computing, OS-bypass networking
- Placement Group:
- Cluster Placement Group - single AZ, low network latency and high throughput between instances
- Spread Placement Group - each instance on distinct hardware; for a few critical instances; can span AZs (max 7 instances per AZ per group)
- Partition Placement Group - instances grouped into partitions on separate racks; Hadoop, Cassandra, Kafka; can span AZs
- Extra:
- VMware Cloud on AWS - extend a private VMware vCenter environment into AWS
- AWS Outposts - AWS hardware and services in your own data center
- Outposts racks for large deployments
- Outposts servers for smaller deployments
- EBS
- Type:
- General Purpose SSD gp2 - boot volumes, general workloads; IOPS scales with volume size
- General Purpose SSD gp3 - same use cases, higher baseline (3,000 IOPS) at lower cost; IOPS and throughput set independently of size
- Provisioned IOPS SSD io1 - OLTP / latency-sensitive databases; expensive
- Provisioned IOPS SSD io2 - same use cases with higher durability and more IOPS per GB
- Throughput Optimized HDD st1 - big data, data warehouses, log processing; cannot be a boot volume
- Cold HDD sc1 - infrequently accessed data; cannot be a boot volume; lowest cost
- Info:
- Snapshots are stored in S3 (managed by AWS, not visible in your buckets); volumes live in EBS within one AZ
- The first snapshot is a full copy and takes time; later ones are incremental. Snapshots are regional: copy a snapshot to another region to use it there
- EBS volumes can be resized and have their type changed on the fly
- An EBS-backed instance can be stopped without losing data
- Instance store volume
- Ephemeral storage physically attached to the host
- Data is lost on stop, terminate or host failure
- Survives a reboot
- EFS:
- NFSv4 protocol; highly scalable shared storage mounted by many instances at once
- Read-after-write consistency
- Data stored across multiple AZs
- Scales to petabytes
- Amazon FSx for Windows File Server - SMB shares, Active Directory integration
- Amazon FSx for Lustre - high performance computing / financial modeling
- Encrypted Volumes
- Data at rest on the volume is encrypted (KMS key)
- All snapshots of the volume are encrypted
- Data in flight between the instance and the volume is encrypted
- All volumes created from an encrypted snapshot are encrypted
- Encryption by default can be turned on per region so new volumes are encrypted automatically
- How to encrypt an existing unencrypted volume:
- Create a snapshot of the unencrypted volume
- Copy the snapshot with the encrypt option
- Create an AMI from the encrypted snapshot
- Launch an encrypted instance from that AMI
- EC2 Hibernation
- Saves RAM to the (encrypted) EBS root volume, so the instance resumes faster than a cold boot
- Instance RAM must be less than 150 GB
- Cannot stay hibernated for more than 60 days
- Databases
- RDS - relational, OLTP
- Redshift - OLAP, data warehouse
- Multi-AZ
- Synchronous standby in another AZ; for disaster recovery, not for scaling reads
- Automatic failover to the standby (the DNS endpoint stays the same)
- Read Replica
- Asynchronous copy for read scaling, not disaster recovery
- Requires automatic backups to be enabled on the source
- Up to 5 read replicas (more for Aurora); can be cross-region and can be promoted to a standalone instance
- Aurora
- 6 copies of the data: 2 in each of 3 AZs
- Aurora snapshots can be shared with other AWS accounts
- DynamoDB
- Stored on SSD, spread across 3 geographically distinct data centers
- Eventually consistent reads (default), strongly consistent reads, and transactional reads/writes (ACID)
- On-demand full backups at any time with no performance impact
- DynamoDB Point-in-Time Recovery
- Restore to any second in the last 35 days (the latest restorable point is about 5 minutes in the past)
- Not enabled by default
- Continuous incremental backups
- Global Tables
- Multi-region, multi-active replication for globally distributed applications
- DynamoDB Streams
- Time-ordered log of item changes, retained 24 hours; commonly consumed by Lambda
- Amazon DocumentDB - MongoDB-compatible
- Amazon Keyspaces - Cassandra-compatible
- Neptune - graph database
- Amazon Quantum Ledger Database (QLDB) - immutable, cryptographically verifiable transaction log
- Amazon Timestream - time-series data for analysis
- VPC
- Components: route tables, network access control lists, subnets, security groups, internet and NAT gateways
- One subnet lives in exactly one AZ
- NAT Gateway
- Lets instances in private subnets reach the internet (outbound only); managed and redundant within its AZ
- For high availability across AZs
- Create a NAT gateway in each AZ and route each AZ's private subnets to its own NAT gateway
- Security Groups
- Stateful: return traffic for an allowed inbound connection is allowed out regardless of outbound rules (and vice versa)
- Allow rules only; there is no deny rule
- Network ACL
- A VPC comes with a default network ACL that allows all inbound and outbound traffic
- A custom network ACL denies all traffic until you add rules
- Stateless: return traffic must be allowed explicitly (e.g. an outbound rule for ephemeral ports 1024-65535)
- Rules are evaluated from the lowest rule number; the first match wins, and there is an implicit deny-all at the end
- Subnet association
- Each subnet must be associated with a network ACL
- If you don't associate one explicitly, the default network ACL is used
- One network ACL can be associated with many subnets, but a subnet has only one network ACL
- To block a specific IP address use a network ACL deny rule; security groups cannot deny
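Added example, not AWS code: a model of the two filters as the notes describe them, run over a constructed HTTPS request and its reply. It shows why the reply passes a security group that has no outbound rules at all but is dropped by a custom network ACL until an outbound ephemeral-port rule is added, and why blocking a source range is a NACL job. The CIDRs, ports and rule numbers are constructed for illustration.

```python
"""Stateful security group vs. stateless network ACL (added example, not AWS code).

A security group is allow-only and lets the reply half of an accepted flow
through without any outbound rule.  A network ACL is evaluated lowest rule
number first, can deny, and needs an explicit ephemeral-port rule for return
traffic.  All packets and rules below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "0.0.0.0/0"
EPHEMERAL = (1024, 65535)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    direction: str  # "in" = toward the instance/subnet, "out" = leaving it


def _match(cidr, ip, port_range, port):
    lo, hi = port_range
    return ip_address(ip) in ip_network(cidr) and lo <= port <= hi


class SecurityGroup:
    """Rules are (cidr, (low_port, high_port)); deny rules do not exist."""

    def __init__(self, inbound, outbound=()):
        self.inbound, self.outbound = list(inbound), list(outbound)
        self.flows = set()  # (remote_ip, remote_port, local_port) of accepted flows

    def allows(self, pkt):
        if pkt.direction == "in":
            remote, rport, lport, rules = pkt.src, pkt.sport, pkt.dport, self.inbound
        else:
            remote, rport, lport, rules = pkt.dst, pkt.dport, pkt.sport, self.outbound
        if (remote, rport, lport) in self.flows:
            return True  # stateful: reply to a tracked flow, regardless of rules
        if any(_match(cidr, remote, ports, pkt.dport) for cidr, ports in rules):
            self.flows.add((remote, rport, lport))
            return True
        return False


class NetworkACL:
    """Rules are (number, "allow"|"deny", cidr, (low_port, high_port))."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = sorted(inbound), sorted(outbound)

    def allows(self, pkt):
        rules = self.inbound if pkt.direction == "in" else self.outbound
        remote = pkt.src if pkt.direction == "in" else pkt.dst
        for _num, action, cidr, ports in rules:  # lowest number first, first match wins
            if _match(cidr, remote, ports, pkt.dport):
                return action == "allow"
        return False  # the implicit "*" deny at the end of every NACL


def make_web_sg():
    """Inbound 443 only and no outbound rules at all."""
    return SecurityGroup(inbound=[(ANY, (443, 443))])


def make_nacl(ephemeral_out=True, block_cidr=None):
    inbound = [(100, "allow", ANY, (443, 443))]
    if block_cidr:
        inbound.insert(0, (50, "deny", block_cidr, (0, 65535)))  # lower number wins
    outbound = [(100, "allow", ANY, (443, 443))]
    if ephemeral_out:
        outbound.append((110, "allow", ANY, EPHEMERAL))
    return NetworkACL(inbound, outbound)


# Constructed flow: a client connects to the instance on 443 and the instance replies.
REQUEST = Packet("203.0.113.7", "10.0.1.10", 51234, 443, "in")
REPLY = Packet("10.0.1.10", "203.0.113.7", 443, 51234, "out")


def trace(sg, nacl, packets=(REQUEST, REPLY)):
    """Return [(direction, sg_allows, nacl_allows)] for each packet in order."""
    return [(p.direction, sg.allows(p), nacl.allows(p)) for p in packets]


if __name__ == "__main__":
    print("no ephemeral rule:", trace(make_web_sg(), make_nacl(ephemeral_out=False)))
    print("with ephemeral rule:", trace(make_web_sg(), make_nacl()))
    print("blocked /24:", trace(make_web_sg(), make_nacl(block_cidr="203.0.113.0/24")))
```

The first trace is the classic "custom NACL broke my web server" symptom: the SYN arrives, the SYN-ACK never leaves. The third shows the security group still saying yes to the blocked range, which is why IP blocking lives in the NACL.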
- Direct Connect
- Dedicated private connection from your data center to AWS
- High-throughput workloads
- Consistent, reliable connection; traffic is not encrypted by default, so run a VPN over it when encryption is required
- VPC Endpoints
- Reach AWS services over the AWS network without an internet gateway, NAT or public IPs
- Interface endpoints - an ENI with a private IP in your subnet (powered by PrivateLink); most services
- Gateway endpoints - a route table target; supports only S3 and DynamoDB; free
- VPC Peering
- Connect one VPC to another with a direct network route using private IPs
- The two VPCs work as if on the same private network; CIDR ranges must not overlap
- Works across regions and accounts; peering is not transitive
- AWS PrivateLink
- Expose a service to many consumer VPCs (tens or hundreds) without peering, route tables or overlapping-CIDR problems
- Network Load Balancer in the service VPC, ENI in each consumer VPC
- AWS Transit Gateway
- Hub-and-spoke connection of many VPCs and on-premises networks
- Supports IP multicast
- Works as a VPN hub
- Route tables on the gateway restrict which attachments can talk to each other
- Simplifies network topology
- AWS Wavelength
- 5G mobile edge computing
- Route 53
- Info:
- Alias Record
- Points a name at an AWS resource (ELB, CloudFront, S3 website, another record); works at the zone apex and is free to query
- CNAME
- Points a subdomain at another hostname; cannot be used at the zone apex
- Health Check
- Can be set on individual records; unhealthy records are left out of the answers
- Type:
- Simple Routing
- One record; if it has several values they are returned in random order; no health checks
- Weighted Routing
- Traffic split by weight value (e.g. canary releases)
- Latency-based Routing
- Answers with the region that gives the user the lowest latency
- Failover Routing
- Active/passive; switches to the secondary when the primary fails its health check
- Geolocation Routing
- Based on the user's location (continent, country, state)
- Geoproximity Routing
- Based on the location of users and resources, with a bias value to shift traffic; requires Traffic Flow
- Multivalue Answer Routing
- Returns up to 8 healthy records chosen at random; simple routing plus health checks
- ELB
- Application Load Balancer (Layer 7)
- HTTP and HTTPS only (plus WebSocket and gRPC)
- Has sticky sessions
- Targets are registered at the target group level, not as a single EC2 instance
- Network Load Balancer (Layer 4)
- Extreme performance, static IPs, TCP/UDP/TLS
- Classic Load Balancer (Layer 4/7) - legacy
- 504 means gateway timeout: the backend did not respond in time, so look at the application or database, not the load balancer
- Need the end user's IPv4 address? It is in the X-Forwarded-For header; the address the instance sees as the peer is the load balancer's
- Extra:
- Sticky Sessions
- Bind a user to the same EC2 instance for the life of the cookie
- Load becomes uneven, and if that instance leaves the pool the user's session state is lost
- Solution: disable sticky sessions and keep session state outside the instance (e.g. ElastiCache or DynamoDB)
- Deregistration Delay / Connection Draining
- Enabled (default 300 s): in-flight requests to a deregistering or unhealthy instance are allowed to complete; no new requests are sent to it
- Disabled (set to 0): the load balancer closes connections to the instance immediately
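Added example, not AWS or ELB code: recovering the client address from X-Forwarded-For the way the notes suggest, with the check a practitioner needs. The load balancer appends the address it saw to whatever the client already sent, so only the right-most entries added by proxies you control are trustworthy; the left-most value is attacker-supplied. The trusted proxy range and the header values are assumptions.

```python
"""Recovering the client IP from X-Forwarded-For behind a load balancer
(added example, not AWS code).  Header values below are constructed.
"""
from ipaddress import ip_address, ip_network

# Assumption: the hops we control (the ALB) live in this range.  Anything they
# append is trusted; anything further left could have been written by the client.
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]


def _trusted(ip):
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(xff_header, peer_ip):
    """Walk X-Forwarded-For from the right, skipping our own proxies.

    peer_ip is the TCP peer of the application (the ALB when behind one).
    Returns the first address that is not a trusted proxy, or the peer itself
    if every hop is trusted (e.g. an internal load balancer).  Malformed
    entries, which only a client could have inserted, are skipped.
    """
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    chain = hops + [peer_ip]
    for raw in reversed(chain):
        try:
            ip = ip_address(raw)
        except ValueError:
            continue  # garbage injected by the client; keep walking
        if not _trusted(ip):
            return str(ip)
    return peer_ip


def naive_client_ip(xff_header, peer_ip):
    """The common mistake: trust the first (left-most) entry, which the client chose."""
    first = (xff_header or "").split(",")[0].strip()
    return first or peer_ip


if __name__ == "__main__":
    # Constructed: the client sent a forged header, the ALB appended the real address.
    header, peer = "1.2.3.4, 203.0.113.7", "10.0.2.5"
    print("naive:", naive_client_ip(header, peer), " correct:", client_ip(header, peer))
```

Use the same rule for allow-listing, rate limiting and audit logs; an IP taken from the left of the header is whatever the attacker wants it to be.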
- CloudWatch
- Default: basic monitoring every 5 minutes; detailed monitoring every 1 minute
- Central place for logs (CloudWatch Logs)
- Alarms can trigger other AWS services (SNS, Auto Scaling, EventBridge)
- CloudWatch Logs Insights
- Purpose-built query language (not SQL) for searching log groups
- Kinesis
- Real-time streaming of logs to other consumers
- Amazon Managed Grafana
- Visualization of container / IoT metrics
- Amazon Managed Service for Prometheus
- Kubernetes-based metric monitoring at scale
- Works with EKS clusters or self-managed Kubernetes
- Auto Scaling Group - auto scaling for EC2
- Bake everything into the AMI to reduce build time
- Spread the ASG across multiple AZs
- Elastic Load Balancing - enable ELB health checks so unhealthy instances are replaced
- Scaling Databases
- Vertical scaling: a bigger instance
- Horizontal scaling: read replicas; preferred for read-heavy workloads
- SQS
- Standard queues deliver at least once, so duplicate messages are possible; make consumers idempotent
- Configure the visibility timeout so a message is hidden while a consumer processes it (default 30 s, max 12 hours)
- Pull-based, not bi-directional
- Messages persist up to 14 days (default 4 days)
- Need ordering? Use a FIFO queue (also exactly-once processing)
- SNS
- Push notifications (email, SMS, HTTP, Lambda, SQS)
- CloudWatch alarms can use SNS to push notifications
- API Gateway can sit in front of SNS so external clients publish over HTTPS
- AWS Batch
- Long-running tasks (more than 15 minutes)
- Batched workloads
- Queued batch workloads
- Alternative to Lambda when the runtime or time limit doesn't fit
- Amazon MQ
- RabbitMQ / ActiveMQ
- Managed message broker for lifting and shifting existing broker-based apps
- AWS Step Functions (state machines)
- Serverless orchestration service
- Condition checks (branching) inside workflows
- Failure catches and retries
- Wait states for long waits (a standard workflow can run up to a year)
- AWS AppFlow
- SaaS data integration
- Simplifies data ingestion from Salesforce and other third-party apps
- Bi-directional
- Redshift
- Relational, columnar data warehouse
- Classically single-AZ only; Multi-AZ deployments are now available for RA3 node types
- Elastic MapReduce (EMR)
- Made up of EC2 instances
- Extract, transform, load (ETL)
- Runs the open-source big-data tools (Hadoop, Spark) for you
- Kinesis
- Real-time data processing
- Data Streams retains data for up to one year (default 24 hours)
- Can act as a queue
- Amazon Athena
- Serverless SQL
- Queries data stored in S3 in place
- AWS Glue
- Serverless ETL
- Crawlers build the Data Catalog schema that Athena queries against
- Amazon QuickSight
- Tool to visualize data (BI dashboards)
- Amazon OpenSearch Service (formerly Elasticsearch Service)
- Analyzing CloudWatch log files and other documents
- AWS Data Pipeline
- Automated workflows for moving and transforming data
- Integrates with RDS, S3, DynamoDB, Redshift
- Managed ETL
- Data-driven and task-dependent ETL workloads
- Use cases:
- Copy data to Redshift
- Copy CSV files between S3 buckets
- Export RDS data to S3
- Import / export DynamoDB
- Amazon Managed Streaming for Apache Kafka (MSK)
- AWS handles the control plane (cluster creation, patching, broker replacement)
- You manage the data plane (topics, producers, consumers)
- Lambda
- Needs an execution role attached (least privilege; one role per function)
- Triggered by S3, EventBridge, Kinesis, SQS, API Gateway and others
- Up to 10 GB of memory and 15 minutes of runtime
- Container
- Kubernetes: Amazon EKS, or EKS Anywhere for on-premises
- Fargate cannot work alone
- It is the serverless launch type for Amazon ECS / EKS
- Workflow: Dockerfile -> build image -> push to a registry -> run on a host
- Amazon ECR - stores container images (scan images on push)
- Amazon Aurora Serverless
- On-demand, auto-scaling database
- For unknown workloads or traffic spikes
- Removes capacity planning
- AWS X-Ray
- Gain application insight from requests and responses
- Traces requests and downstream response times
- Integrates natively with AWS Lambda and API Gateway
- AWS AppSync
- Managed GraphQL for any frontend app
- Connects multiple databases and data sources into one merged API
- AWS CloudTrail
- Logs all API calls in the account and stores the logs in S3; enable log file validation so tampering is detectable
- Incident investigation
- Near real-time detection when the trail is also delivered to CloudWatch Logs / EventBridge (delivery to S3 alone can lag by up to 15 minutes)
- Industry and regulatory compliance
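Added example, not AWS code: three detection rules run over constructed CloudTrail records (real field names, made-up values) for things the notes say should not happen in a well-run account: root user activity, a console login without MFA, and someone stopping the trail. In practice the same logic sits in an EventBridge rule or in a Lambda subscribed to the trail's CloudWatch Logs group.

```python
"""Detection rules over CloudTrail records (added example, not AWS code).

The records are constructed in CloudTrail's JSON shape: the field names
(userIdentity.type, additionalEventData.MFAUsed, eventName) are the real
schema, the values and the account ID are made up.
"""
import json

SAMPLE_RECORDS = json.dumps({"Records": [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111122223333:user/alice"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-01-01T10:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}},
    {"eventTime": "2024-01-01T10:06:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2024-01-01T10:07:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Ops/bob"}},
]})

# CloudTrail API calls that weaken or silence the audit trail.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def rule_root_activity(rec):
    if rec.get("userIdentity", {}).get("type") == "Root":
        return "root user activity"


def rule_console_login_no_mfa(rec):
    if (rec.get("eventName") == "ConsoleLogin"
            and rec.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and rec.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
        return "console login without MFA"


def rule_trail_tampering(rec):
    if (rec.get("eventSource") == "cloudtrail.amazonaws.com"
            and rec.get("eventName") in TRAIL_TAMPERING):
        return f"trail tampering: {rec['eventName']}"


RULES = (rule_root_activity, rule_console_login_no_mfa, rule_trail_tampering)


def detect(records_json):
    """Return [(eventTime, actor_arn, finding)] for every record that trips a rule."""
    hits = []
    for rec in json.loads(records_json)["Records"]:
        actor = rec.get("userIdentity", {}).get("arn", "?")
        for rule in RULES:
            finding = rule(rec)
            if finding:
                hits.append((rec["eventTime"], actor, finding))
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_RECORDS):
        print(*hit)
```

The benign DescribeInstances call from an assumed role produces nothing, which is the point: the rules key on identity type and on the specific calls that matter, not on volume.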
- AWS Shield
- Protects against DDoS at layers 3 and 4
- Shield Standard is free; Shield Advanced costs money and adds 24/7 response-team support and cost protection
- AWS WAF
- Allow or block requests except the ones you specify (allow-list or deny-list)
- Count requests that match properties you specify
- Operates at layer 7 (ALB, CloudFront, API Gateway)
- Rules for SQL injection / cross-site scripting
- Block by country / IP address; rate-based rules
- AWS Firewall Manager
- Centrally manage WAF, Shield and security group rules across multiple AWS accounts and resources
- Amazon GuardDuty
- Uses ML to learn normal behavior and alerts on anomalies
- Updated threat-intelligence feeds of known malicious IPs and domains
- Monitors CloudTrail logs, VPC Flow Logs and DNS logs; no agent to install
- Amazon Macie
- Uses ML to find PII, PHI and financial data in S3
- Helps with HIPAA and GDPR compliance and with preventing identity theft
- Findings can drive automated remediation via EventBridge, Step Functions or Lambda
- Amazon Inspector
- Performs vulnerability scans
- Two types (Inspector Classic)
- Host assessment - for EC2; needs the agent installed
- Network assessment - for VPC reachability; no agent needed
- AWS KMS - Key Management Service
- Create and control encryption keys (multi-tenant managed HSMs)
- Automatic key rotation
- CloudHSM
- Dedicated single-tenant HSM
- No automatic key rotation
- You control the keys and the HSM; AWS cannot access the key material
- Secrets Manager
- Stores passwords, API keys and other confidential values
- Supports automatic rotation (via Lambda; built in for RDS)
- Parameter Store
- Stores configuration and passwords (SecureString)
- No native rotation
- Standard tier is limited to 10,000 parameters and is free
- Pre-signed URL
- Share private files from an S3 bucket; the URL carries the signer's permissions until it expires, so treat it as a bearer token and keep the expiry short
- AWS Certificate Manager - provision and auto-renew public TLS certificates
- AWS Audit Manager - generate HIPAA or GDPR compliance reports
- AWS Artifact - a place to download AWS's own audit and compliance reports
- Amazon Cognito - authentication service for application users
- Amazon Detective - analyzes the root cause of a security event
- AWS Network Firewall
- Filters network traffic before it reaches the internet gateway (stateful rules, Suricata-compatible)
- AWS Security Hub
- View all security findings across AWS services and AWS accounts
- CloudFormation Template
- Declarative infrastructure-as-code template (JSON/YAML) that provisions EC2 and other AWS resources as a stack
- Never hard-code values: use Mappings, Parameters and dynamic references to Parameter Store / Secrets Manager
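Added example, not from the notes: a CloudFormation fragment that applies the rule above. The AMI comes from a public SSM parameter, per-environment sizing from a Mappings table, and the database password from a Secrets Manager dynamic reference, so nothing environment-specific or secret is hard-coded in the template. The secret name app/db and the environment names are assumptions.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  Added example, not from the notes: parameters, mappings and dynamic
  references instead of hard-coded values and secrets.

Parameters:
  Environment:
    Type: String
    AllowedValues: [dev, test, prod]
    Default: dev
  # Resolved from the public SSM parameter at deploy time, so the template
  # never carries a region-specific AMI ID.
  LatestAmiId:
    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
    Default: /aws/service/ami-amazon-linux-latest/al2023-ami-kernel-default-x86_64

Mappings:
  # Per-environment sizing lives here, not in the resource definition.
  EnvConfig:
    dev:  { InstanceType: t3.micro }
    test: { InstanceType: t3.small }
    prod: { InstanceType: m5.large }

Resources:
  AppInstance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref LatestAmiId
      InstanceType: !FindInMap [EnvConfig, !Ref Environment, InstanceType]

  AppDatabase:
    Type: AWS::RDS::DBInstance
    Properties:
      Engine: mysql
      DBInstanceClass: db.t3.micro
      AllocatedStorage: "20"
      StorageEncrypted: true
      MasterUsername: admin
      # Dynamic reference: CloudFormation fetches the value from Secrets Manager
      # at deploy time; it never appears in the template, the parameters or the
      # stack events.  Assumed secret name: app/db with a JSON key "password".
      MasterUserPassword: "{{resolve:secretsmanager:app/db:SecretString:password}}"
```

Create the secret before deploying and grant the deploying role secretsmanager:GetSecretValue on it only; the same resolve syntax works for Parameter Store SecureString values with the ssm-secure prefix.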
- Elastic Beanstalk
- Simple way to bundle the related AWS services and deploy an application
- PaaS-like
- Systems Manager
- Automates administration: patching, updates, inventory
- Automation documents (runbooks)
- Parameter Store
- Manages on-premises servers too (hybrid activations)
- Session Manager gives a remote shell on any managed host without SSH keys, bastions or open inbound ports
- Requires the SSM agent on the host and an instance role with SSM permissions
- CloudFront - CDN
- The way to serve an S3-hosted static website over HTTPS (S3 website endpoints are HTTP only); restrict the bucket to CloudFront with an origin access control
- Caches content at edge locations
- Global Accelerator
- Solves client-side IP address caching: it gives you 2 static anycast IP addresses that never change
- Routes users over the AWS backbone to the nearest healthy endpoint
- Database Caching
- ElastiCache - in-memory cache in front of relational databases (RDS)
- Redis
- Multi-AZ
- Backups supported
- Memcached
- No Multi-AZ
- No backups
- DynamoDB Accelerator (DAX) - in-memory cache for DynamoDB (non-relational)
- Service Control Policies (SCPs)
- The only way to restrict what the root user of a member account can do (they do not apply to the management account)
- CloudTrail
- An organization trail centralizes logs from all accounts into one single AWS account
- Isolate workloads with separate dev, test and prod accounts
- AWS Config
- Standardize and create rules for accounts, check for compliance
- Automatically remediate problems using automation documents / Lambda
- See the configuration history of a resource
- Authentication
- Internal users - AWS IAM Identity Center (formerly AWS SSO)
- External users - Cognito
- Microsoft
- Use AWS Managed Microsoft AD
- On-premises - AD Connector proxies to the existing directory
- Prefer cross-account role access over creating more IAM users and credentials
- Cost Management
- Cost Explorer / AWS Cost and Usage Report
- AWS Budgets
- AWS Compute Optimizer - generates recommendations for compute needs
- AWS Trusted Advisor
- Free tier, with more checks on paid support plans
- Auditing tool that generates reports; it does not fix problems itself
- Responses can be automated via EventBridge triggering Lambda
- AWS Control Tower
- Implements compliance and account governance across a multi-account setup
- Preventive / detective guardrails - implemented via SCPs and AWS Config
- AWS License Manager
- Manages licenses from supported vendors to prevent license abuse and overcharges
- AWS environments or on-premises
- AWS Service Catalog
- Provision pre-approved products and services via a shared catalog portfolio
- Products are written as CloudFormation templates
- AWS Proton
- Provisions entire application stacks for container / serverless architectures
- AWS Well-Architected Tool
- Document architectural decisions and measure them against industry best practices
- AWS Health
- Dashboard and service that notifies you of public events and of events affecting your own account
- Snow family
- For slow or no internet connectivity
- type:
- Snowcone - 8 TB
- Snowball Edge - 48 TB to 80 TB
- Snowmobile - 100 PB
- Moves data into AWS and also out of AWS back to you
- Storage Gateway
- Hybrid cloud storage - merges on-premises storage with the cloud
- Runs locally as a VM on-premises
- Type
- File Gateway - NFS / SMB share backed by S3; keeps a local cache of recently used files
- Volume Gateway - iSCSI block volumes backed by EBS snapshots; backup and migration
- Tape Gateway - virtual tape library backed by S3 / Glacier
- DataSync
- Agent-based service to move on-premises storage to AWS
- One-time migrations or scheduled transfers
- Transfer Family
- Move files using SFTP, FTPS or FTP into S3 / EFS
- AWS Migration Hub
- Tracks progress of application migrations to AWS and helps plan the migration effort
- Type
- Database Migration Service (DMS)
- Migrate an Oracle database -> AWS Schema Conversion Tool -> Amazon Aurora (heterogeneous)
- Migrate a MySQL database -> AWS DMS -> Amazon Aurora (homogeneous)
- Server Migration Service (SMS)
- Migrate VMs -> AMI -> EC2 instance
- Install an agent
- Application Discovery Service
- Agent-based - install an agent on each server / VM
- Agentless - agentless collector, easier for VMs
- Application Migration Service (AWS MGN)
- Automates lift-and-shift of an entire application architecture to AWS
- Amplify
- Simplified frontend web and mobile development
- Full-stack applications hosted on AWS
- Device Farm
- Automated / manual testing for Android, iOS and web
- Pinpoint
- Engage with customers
- For marketing teams / business
- Can target groups of users
- Amazon Comprehend
- Natural language processing: entities, key phrases, language detection
- Sentiment analysis
- Amazon Kendra
- ML-powered search service over unstructured text
- Amazon Textract
- Converts documents (including handwriting) to text
- Amazon Forecast
- Makes predictions based on time-series data
- Amazon Fraud Detector
- Detects fraud based on your data
- Amazon Transcribe
- Converts video or audio to text (speech to text)
- Amazon Lex
- Chatbots
- Polly
- Converts text to natural speech
- Amazon Rekognition
- Content moderation using AI/ML
- Image and video recognition
- Amazon SageMaker
- Train ML models and deploy them
- SageMaker Neo - optimize a trained model to run on a specific CPU/GPU or edge device
- Reduce inference cost with Elastic Inference
- Amazon Translate
- Translates one language to another
- Amazon Elastic Transcoder
- Converts media files to optimized formats
- Amazon Kinesis Video Streams
- Real-time video streaming