AWS SAA-Notes
IAM user
- 5000 per account limit
IAM Groups
- inline and managed policy
- no nesting
- no credentials
- 300 groups per account
IAM Roles
- assign = temporary credential from STS
- external account/identity can’t be used directly on AWS
- permission and trust policy
AWS Organization
- one master/management account
- consolidated billing - master is payer
Service Control Policy
- is account permission boundaries
- limit what accounts can do
- don’t grant any permission
- default is deny list
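The three SCP bullets above (a boundary, not a grant; deny-list by default) are easiest to see in a small evaluator. The block below is an added example, not from these notes or from AWS: it models one member account with a constructed SCP (FullAWSAccess plus a Deny statement) and a constructed identity policy, and decides an action the way the organisation does, an SCP allow and an identity allow are both required, and an explicit deny in either wins. Conditions and resource matching are left out; only action matching is modelled.

```python
import fnmatch

# Constructed SCP attached (by the management account) to the member account's OU:
# FullAWSAccess plus one Deny statement - the "deny list" style the notes describe.
SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny",
         "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"],
         "Resource": "*"},
    ],
}

# Constructed identity policy attached to an IAM user inside the member account.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "cloudtrail:*", "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"},
    ],
}


def _action_matches(pattern, action):
    # IAM action matching is case-insensitive and supports '*' / '?' wildcards
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def evaluate_policy(policy, action):
    """Return 'deny', 'allow' or 'implicit_deny' for one policy document."""
    decision = "implicit_deny"
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if any(_action_matches(p, action) for p in actions):
            if stmt["Effect"] == "Deny":
                return "deny"            # an explicit deny always wins
            decision = "allow"
    return decision


def is_allowed(action, scp=SCP, identity_policy=IDENTITY_POLICY):
    """Member-account decision: the SCP must allow AND an identity policy must allow.

    The SCP is only a boundary; an 'allow' from the SCP grants nothing by itself.
    (SCPs apply to member accounts, not to the management account.)
    """
    return (evaluate_policy(scp, action) == "allow"
            and evaluate_policy(identity_policy, action) == "allow")


def explain(action, scp=SCP, identity_policy=IDENTITY_POLICY):
    """Human-readable reason, useful when debugging an AccessDenied inside an org."""
    scp_result = evaluate_policy(scp, action)
    iam_result = evaluate_policy(identity_policy, action)
    if scp_result == "deny":
        return f"{action}: denied by SCP (explicit deny in the boundary)"
    if iam_result != "allow":
        return f"{action}: no IAM allow - the SCP's allow does not grant anything"
    return f"{action}: allowed (SCP permits it and IAM grants it)"


if __name__ == "__main__":
    for act in ("s3:GetObject", "cloudtrail:StopLogging", "ec2:RunInstances"):
        print(explain(act))
```

Note the third case: `ec2:RunInstances` passes the SCP (FullAWSAccess) but nobody granted it, so it is still denied; that is the "don't grant any permission" bullet in code.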
S3 Storage class
- S3 Standard - for frequently accessed data which is important and non-replaceable
- S3 Standard-IA - should be used for long-lived data which is important but where access is infrequent
- S3 One Zone-IA - should be used for long-lived data which is NON-CRITICAL & REPLACEABLE and where access is infrequent
- S3 Glacier - for archival data where frequent or real-time access isn't needed. Minutes to hours retrieval. Data retrieval: Expedited - 1-5 minutes, Standard - 3-5 hours, Bulk - 5-12 hours
- S3 Glacier Deep Archive - for archival data that rarely if ever needs to be accessed - hours to days retrieval, e.g. legal or regulatory data storage. Data retrieval: Standard - 12 hours, Bulk - up to 48 hours
- S3 Intelligent-Tiering - should be used for long-lived data with changing or unknown access patterns
NACL
- stateless - initiation and response are seen as different traffic
- only impacts data crossing the subnet border
- the default NACL allows all in/out traffic
- can explicitly allow and deny
- IPs/networks, ports, protocols - no logical resources
- NACLs cannot be assigned to AWS resources - only subnets
- use with Security Groups to add an explicit deny (bad IPs/networks)
- one subnet = one NACL at a time
Security Group
- stateful - traffic and its response = same rule
- SGs can filter based on AWS logical resources, other SGs and even themselves
- Implicit deny and explicit allow
- no explicit deny
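The NACL and Security Group bullets above describe the two filters by their properties; the added example below (not from these notes or from AWS) shows what stateless versus stateful means for one real flow. A constructed client at 203.0.113.10 talks to a web instance at 10.0.1.20 on TCP 443; the subnet NACL is evaluated per packet in rule-number order with a final implicit deny, while the SG keeps a connection-tracking table so the response is never re-checked. A NACL whose outbound rule only mirrors port 443 drops the response to the client's ephemeral port; the corrected NACL allows the ephemeral range and also carries the explicit deny for a bad network that an SG cannot express. All addresses and rules are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    # NACL rules are numbered and carry an action; SG rules are allow-only,
    # so for an SG the number and action fields are ignored.
    number: int
    action: str        # "allow" or "deny"
    proto: str         # "tcp", "udp" or "all"
    port_from: int     # destination port range
    port_to: int
    cidr: str          # remote network: source for inbound, destination for outbound


def _rule_matches(rule, remote_ip, dst_port, proto):
    if rule.proto != "all":
        if rule.proto != proto or not (rule.port_from <= dst_port <= rule.port_to):
            return False
    return ipaddress.ip_address(remote_ip) in ipaddress.ip_network(rule.cidr)


def _remote(pkt, direction):
    # the address a rule is compared against: source when inbound, destination when outbound
    return pkt.src_ip if direction == "in" else pkt.dst_ip


class NetworkACL:
    """Stateless: every packet, request or response, is judged on its own."""

    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    def allows(self, pkt, direction):
        rules = self.inbound if direction == "in" else self.outbound
        for rule in rules:                       # lowest number first, first match wins
            if _rule_matches(rule, _remote(pkt, direction), pkt.dst_port, pkt.proto):
                return rule.action == "allow"
        return False                             # the final '*' rule of a NACL is deny


class SecurityGroup:
    """Stateful: a packet of an already-allowed flow is not evaluated again."""

    def __init__(self, inbound, outbound=()):
        self.inbound = list(inbound)
        self.outbound = list(outbound)
        self._tracked = set()                    # connection tracking table

    def allows(self, pkt, direction):
        flow = frozenset({(pkt.src_ip, pkt.src_port), (pkt.dst_ip, pkt.dst_port)})
        if flow in self._tracked:
            return True                          # response traffic: same rule as the request
        rules = self.inbound if direction == "in" else self.outbound
        if any(_rule_matches(r, _remote(pkt, direction), pkt.dst_port, pkt.proto) for r in rules):
            self._tracked.add(flow)
            return True
        return False                             # implicit deny; an SG has no explicit deny


def trace(request, response, nacl, sg):
    """Return (request_allowed, response_allowed) for a client talking to an instance.

    Inbound: subnet NACL first, then the instance SG. Outbound: SG, then NACL.
    """
    request_ok = nacl.allows(request, "in") and sg.allows(request, "in")
    response_ok = request_ok and sg.allows(response, "out") and nacl.allows(response, "out")
    return request_ok, response_ok


# Constructed scenario: an internet client talking to a web instance on TCP 443.
CLIENT, WEB = "203.0.113.10", "10.0.1.20"
REQUEST = Packet(CLIENT, 51000, WEB, 443)
RESPONSE = Packet(WEB, 443, CLIENT, 51000)


def web_sg():
    # one inbound allow on 443; no outbound rule is needed for the response
    return SecurityGroup(inbound=[Rule(0, "allow", "tcp", 443, 443, "0.0.0.0/0")])


# Common mistake: the outbound NACL rule mirrors the inbound one (port 443 only),
# so the response to the client's ephemeral port is dropped at the subnet border.
MIRRORED_NACL = NetworkACL(
    inbound=[Rule(100, "allow", "tcp", 443, 443, "0.0.0.0/0")],
    outbound=[Rule(100, "allow", "tcp", 443, 443, "0.0.0.0/0")],
)

# Working NACL: outbound allows the ephemeral port range, and rule 50 adds the
# explicit deny for a bad network that a Security Group cannot express.
FIXED_NACL = NetworkACL(
    inbound=[Rule(50, "deny", "all", 0, 65535, "198.51.100.0/24"),
             Rule(100, "allow", "tcp", 443, 443, "0.0.0.0/0")],
    outbound=[Rule(100, "allow", "tcp", 1024, 65535, "0.0.0.0/0")],
)

if __name__ == "__main__":
    print("mirrored NACL:", trace(REQUEST, RESPONSE, MIRRORED_NACL, web_sg()))
    print("fixed NACL:   ", trace(REQUEST, RESPONSE, FIXED_NACL, web_sg()))
```

Run it and the mirrored NACL reports `(True, False)`: the request got in, the response never got out. That asymmetry is the practical meaning of "stateless", and it is why NACL troubleshooting always starts with the ephemeral-port rule.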
NAT Gateway
- runs from a public subnet
- uses Elastic IPs (static public IPv4)
- AZ resilient service (HA within that AZ)
- for region resilience = a NATGW in each AZ
- a RT for each AZ with that AZ's NATGW as target
- managed, scales to 45 Gbps, charged on duration and data volume
EC2 Storage
- Block storage - volume presented to the OS as a collection of blocks, no structure provided. Mountable and bootable
- File storage - presented as a file share, has structure. Mountable, but not bootable
- Object storage - collection of objects, flat. Not mountable, not bootable
- Direct (local) attached storage - storage on the EC2 host
- Network attached storage - volumes delivered over the network
- Ephemeral storage - temporary storage
- Persistent storage - permanent storage, lives on past the lifetime of the instance
EBS
- Volumes created in an AZ, isolated in that AZ
- If the AZ fails, the volume is impacted - snapshots help
- Highly available and resilient in that AZ
- Generally one volume <-> 1 instance (but multi-attach exists)
- Billed per GB-month regardless of instance state
- EBS max 80k IOPS per instance, 64k per volume (io1)
- Max 2375 MB/s per instance, 1000 MiB/s per volume (io1)
EBS Snapshot
- Snapshots are incremental volume copies to S3
- The first is a full copy of the 'data' on the volume
- Future snaps are incremental
- Volumes can be created (restored) from snapshots
- Snapshot can be copied to another region
- New EBS volume = full performance immediately
- Snapshots restore lazily - data is fetched gradually
- Force a read of all data immediately
- Fast Snapshot Restore (FSR) = immediate restore, up to 50 snaps per region. Set on the snapshot & AZ
EBS Encryption
- Accounts can be set to encrypt by default - default CMK
- otherwise choose a CMK to use
- Each volume uses 1 unique DEK
- Snapshots & future volumes use the same DEK
- Can't change a volume to NOT be encrypted
- The OS isn't aware of the encryption - no performance loss
Spot Instances
- Spot pricing offers up to 90% off vs On-Demand
- A spot price is set by EC2 - based on spare capacity
- You can specify a maximum price you’ll pay
- If spot price goes above yours - instances terminate
- Applications that have flexible start and end times
- Apps which only make sense at low cost
- Apps which can tolerate failure and continue later
Reserved Instances
- Up to 75% off vs On-Demand - for a commitment
- 1 or 3 years, All Upfront, Partial Upfront, No Upfront
- Reserved in region, or AZ with capacity reservation
- Scheduled Reservation
- Known steady-state usage
- Lowest cost for apps which can’t handle disruption
- Need reserved capacity
EC2 Scaling
Vertical Scaling
- Each resize requires a reboot
- Larger instances often carry a $ premium
- There is an upper cap on performance - instance size
- No application modification required
- Works for All applications = even Monoliths
Horizontal Scaling
- Sessions, sessions, sessions
- Requires application support or off-host sessions
- No disruption when scaling
- No real limits to scaling
- Often less expensive - no large instance premium
- More granular…
Instance Metadata
- EC2 service provides data to Instances
- Accessible inside ALL instances
- http://169.254.169.254
- Environment
- Networking
- Authentication
- User-Data
- Not Authenticated or Encrypted
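The last bullet, "Not Authenticated or Encrypted", describes the original request style (IMDSv1: a plain GET to 169.254.169.254). EC2 also offers IMDSv2, which requires a short-lived session token obtained with a PUT to `/latest/api/token` (TTL up to 21600 seconds, sent in the `X-aws-ec2-metadata-token-ttl-seconds` header) and presented on every GET in `X-aws-ec2-metadata-token`; it can be made mandatory per instance with the `HttpTokens=required` metadata option. The block below is an added example, not from these notes or from AWS: a local stand-in server that enforces the v2 token rule, a client that performs the exchange, and a check that a token-less v1 style request is refused. The server, token and instance-id value are all constructed; only the paths and header names are the real ones.

```python
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

TOKEN_PATH = "/latest/api/token"
TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aws-ec2-metadata-token"


class FakeIMDSv2(BaseHTTPRequestHandler):
    """Constructed stand-in for the metadata service with IMDSv2 enforced."""
    tokens = set()
    metadata = {"/latest/meta-data/instance-id": "i-0000constructed"}

    def log_message(self, *args):      # keep the demo quiet
        pass

    def do_PUT(self):
        if self.path == TOKEN_PATH and self.headers.get(TTL_HEADER):
            token = secrets.token_urlsafe(32)
            FakeIMDSv2.tokens.add(token)
            self._reply(200, token)
        else:
            self._reply(400, "bad token request")

    def do_GET(self):
        # no valid session token => 401 and no metadata at all
        if self.headers.get(TOKEN_HEADER) not in FakeIMDSv2.tokens:
            self._reply(401, "unauthorized")
        elif self.path in self.metadata:
            self._reply(200, self.metadata[self.path])
        else:
            self._reply(404, "not found")

    def _reply(self, status, body):
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


def get_metadata(base_url, path, ttl_seconds=21600):
    """Fetch a metadata path the IMDSv2 way: PUT for a token, then GET with it."""
    req = urllib.request.Request(base_url + TOKEN_PATH, method="PUT",
                                 headers={TTL_HEADER: str(ttl_seconds)})
    with urllib.request.urlopen(req, timeout=2) as resp:
        token = resp.read().decode()
    req = urllib.request.Request(base_url + path, headers={TOKEN_HEADER: token})
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()


def get_metadata_v1_status(base_url, path):
    """A token-less GET (the v1 style); returns the HTTP status the service answers with."""
    try:
        with urllib.request.urlopen(base_url + path, timeout=2) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def run_demo():
    """Start the stand-in on a loopback port, exercise both request styles, stop it."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), FakeIMDSv2)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_address[1]}"
    try:
        return {"v1_status": get_metadata_v1_status(base, "/latest/meta-data/instance-id"),
                "v2_instance_id": get_metadata(base, "/latest/meta-data/instance-id")}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(run_demo())
```

The point for a defender is the `v1_status` of 401: with tokens required, a request that cannot issue a PUT (for example one relayed through a web application that only forwards GETs) gets nothing back, which is the reason IMDSv2 is the recommended setting.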
User Data
- It's opaque to EC2 - it's just a block of data
- It’s NOT secure, don’t use it for passwords or long term credentials (ideally)
- User data is limited to 16 KB in size
- Can be modified when instance stopped
- But only executed once at launch
AWS ECS
- Dockerfiles are used to build images
- Portable - self-contained, always run as expected
- Lightweight - parent OS used, fs layers are shared
- Container only runs the application & environment it needs
- Provides much of the isolation VMs do
- Ports are exposed to the host and beyond
- Application stacks can be multi-container
ECS Concepts
- Container definition - Image & Ports
- Task definition - Security (Task Role), Container(s), Resources
- Task Role - IAM role which the TASK assumes
- Service - How many copies, HA, restarts
Cluster Types
- EC2 Mode
- Fargate Mode
Logging on EC2
- CloudWatch is for metrics
- CloudWatch Logs is for logging
- Neither natively captures data inside an instance
- The CloudWatch agent is required
- ... plus configuration and permissions
Enhanced Networking
- Uses SR-IOV - NIC is virtualization aware
- No charge - available on most EC2 Types
- Higher I/O & Lower Host CPU Usage
- More bandwidth
- Higher packets-per-second (PPS)
- Consistent lower latency
EBS Optimized
- EBS = Block storage over the network
- Historically the network was shared between data and EBS traffic
- EBS Optimized means dedicated capacity for EBS
- Most instances support and have enabled by default
- Some support, but enabling costs extra
Amazon RDS
- Database-as-a-service (DBaaS)
- DatabaseServer-as-a-Service
- Managed Database Instance ( 1 + Databases)
- Multiple engines: MySQL, MariaDB, PostgreSQL, Oracle, Microsoft SQL Server, Amazon Aurora
RDS Restores
- Creates a NEW RDS Instance - new address
- Snapshots = single point in time, creation time
- Automated = any 5 minute point in time
- Backup is restored and transaction logs are 'replayed' to bring the DB to the desired point in time
- Restores aren’t fast - think about RTO
Amazon Aurora
- Aurora architecture is VERY different from RDS - it uses a cluster
- A single primary instance + 0 or more replicas
- No local storage - uses cluster volume
- Faster provisioning & improved availability & performance
Aurora Storage Architecture
- All SSD Based - high IOPS, low latency
- Storage is billed based on what’s used
- High water mark - billed for the most used
- Storage which is freed up can be re-used
- Replicas can be added and removed without requiring storage provisioning
Cost
- No free-tier option
- Aurora doesn’t support Micro Instances
- Beyond RDS single-AZ (micro), Aurora offers better value
- Compute - hourly charge, billed per second, 10 minute minimum
- Storage - GB-month consumed, IO cost per request
- Backups up to 100% of the DB size are included
Aurora Restore, Clone & Backtrack
- Backups in Aurora work in the same way as RDS
- Restores create a new cluster
- Backtrack can be used, which allows in-place rewinds to a previous point in time
- Fast clones make a new database MUCH faster than copying all the data - copy-on-write
Aurora Serverless
- Scalable - ACU - Aurora Capacity Units
- Aurora Serverless cluster has a MIN & MAX ACU
- Cluster adjusts based on load
- Can go to 0 and be paused
- Consumption billing on a per-second basis
- Same resilience as Aurora (6 copies across AZs)
Use Cases
- infrequently used applications
- New applications
- Variable workloads
- Unpredictable workloads
- Development and test databases
- Multi-tenant applications
Aurora Global Database
- Cross Region Disaster Recovery and Business Continuity
- Global Read Scaling - low latency performance improvements
- ~1s or less replication between regions
- No impact on DB performance
- Secondary regions can have 16 replicas
- Can be promoted to Read/Write
- Currently MAX 5 secondary regions
Load Balancing
- Clients connect to the Load Balancer
- … specifically the listener of the LB
- The LB connects on your behalf to 1+ targets (servers)
- 2 connections .. listener & backend
- Client abstracted from individual servers
- Used for High-Availability, Fault Tolerance and Scaling
Scaling Policies
- Manual Scaling - Manually adjust the desired capacity
- Scheduled Scaling - Time based adjustment
- Dynamic Scaling
- Simple - "CPU above 50% +1", "CPU below 50% -1"
- Stepped - bigger +/- based on the size of the difference
- Target Tracking - desired aggregate CPU = 40% ... the ASG handles it
AWS Lambda
- Function-as-a-Service (FaaS)
- Event driven invocation (execution)
- Lambda function = piece of code in one language
- Lambda functions use a runtime (e.g. Python 3.6)
- Runs in a runtime environment
- You are billed only for the duration a function runs
- Key component of serverless architecture
Key considerations
- Currently - 15 minute execution limit
- New runtime environment every execution - no persistence
- Execution Role provides permission
- Load data from other services (e.g. S3)
- Store data to other services (e.g. S3)
- (free tier) 1M free requests per month and 400,000 GB-seconds of compute time per month
API Gateway
- API Gateway is a managed API Endpoint Service
- Create, Publish, Monitor and Secure APIs .. as a Service
- Billed based on number of API calls, data transfer and additional performance features such as caching
- Can be used directly for serverless architecture
- Or during an architecture evolution
Serverless Architecture
- Serverless isn’t one single thing
- You manage few, if any servers - low overhead
- Applications are a collection of small & specialised functions
- … Stateless and Ephemeral environments - duration billing
- Event driven .. consumption only when being used
- FaaS is used where possible for compute functionality
- Managed Services are used where possible
CloudFront
- CloudFront is a global object cache (CDN)
- Content is cached in locations close to customers
- Lower latency and higher throughput
- Load on the content server is decreased
- It can handle static and dynamic content
CloudFront Terms
- Origin - The source location of your content
- Distribution - The configuration unit of CloudFront
- Edge Location - local infrastructure which hosts a cache of your data
- Regional Edge Cache - larger version of an edge location. Provides another layer of caching
Lambda@Edge
- You can run lightweight Lambda at edge locations
- Adjust data between the Viewer & Origin
- Currently supports Node.js and Python
- Runs in the AWS public space (not in a VPC)
- Layers are not supported
- Different Limits vs Normal Lambda Functions
Lambda@Edge Use Cases
- A/B Testing - Viewer Request
- Migration between S3 Origins - Origin Request
- Different Objects Based on Device - Origin Request
- Content by Country - Origin Request
VPC Endpoints
Gateway
- Provide private access to S3 and DynamoDB
- Prefix list added to the route table => gateway endpoint
- Highly Available (HA) across all AZs in a region by default
- Endpoint policy is used to control what it can access
- Regional - can't access cross-region services
- Prevent leaky buckets - S3 buckets can be made private by allowing access ONLY from a gateway endpoint
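The "prevent leaky buckets" bullet is implemented as a bucket policy whose single Deny statement uses the `aws:sourceVpce` condition key. The block below is an added example, not from these notes or from AWS: it builds that policy for a constructed bucket and endpoint id, and evaluates sample requests against it with a small model of how a matching Deny with a StringNotEquals condition behaves, including the case where the key is absent from the request (a request that did not come through any endpoint), which still satisfies StringNotEquals and is therefore denied.

```python
import fnmatch
import json


def private_via_endpoint_policy(bucket, vpce_id):
    """Bucket policy: deny every S3 action unless the request came via this endpoint."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyUnlessFromGatewayEndpoint",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"StringNotEquals": {"aws:sourceVpce": vpce_id}},
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_applies(stmt, action, resource):
    return (any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])))


def _condition_holds(condition, context):
    """Only the two string operators this policy needs are modelled."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)            # None when the key is absent from the request
            if operator == "StringEquals" and actual != expected:
                return False
            if operator == "StringNotEquals" and actual == expected:
                return False                     # a missing key still satisfies NotEquals
    return True


def denied_by_bucket_policy(policy, action, resource, context):
    """True if a Deny statement matches the request; a matching Deny is final."""
    return any(stmt["Effect"] == "Deny"
               and _statement_applies(stmt, action, resource)
               and _condition_holds(stmt.get("Condition", {}), context)
               for stmt in policy["Statement"])


# Constructed names for the demonstration
BUCKET = "example-private-bucket"
VPCE = "vpce-0123456789example"
POLICY = private_via_endpoint_policy(BUCKET, VPCE)
OBJECT = f"arn:aws:s3:::{BUCKET}/reports/q1.csv"

if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    print("via endpoint:", denied_by_bucket_policy(POLICY, "s3:GetObject", OBJECT,
                                                   {"aws:sourceVpce": VPCE}))
    print("from internet:", denied_by_bucket_policy(POLICY, "s3:GetObject", OBJECT, {}))
```

One consequence worth checking before applying such a policy: the Deny also applies to console and CLI requests from outside the VPC, including the account's own administrators, so the endpoint policy (the "control what it can access" bullet) and an agreed administrative path through the VPC need to exist first.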
Interface
- Provide private access to AWS public services - anything other than S3 and DynamoDB
- Added to specific subnets as an ENI - not HA by itself
- For HA, add one endpoint to one subnet per AZ used in the VPC
- Network access controlled via SG
- Endpoint Policies - restrict what can be done with the endpoint
- TCP and IPv4 only
- Uses PrivateLink
VPC Peering
- Direct encrypted network link between two VPCs
- Works same/cross-region and same/cross-account
- (optional) public hostnames resolve to private IPs
- Same-region SGs can reference peer SGs
- VPC peering does NOT support transitive peering
- Routing Configuration is needed, SGs & NACLs can filter
Directory Service
- Stores objects (e.g. users, groups, computers, servers, file shares) with a structure (domain, tree)
- Multiple trees can be grouped into a forest
- Commonly used in Windows environments
- Signing in to multiple devices with the same username/password provides centralised management for assets
- ... Microsoft Active Directory Domain Services (AD DS)
- AD DS most popular, open source alternatives (Samba)
- AWS managed implementation
- Runs within a VPC
- To implement HA, deploy into multiple AZs
- Some AWS services need a directory e.g. Amazon WorkSpaces
- Can be isolated or integrated with an existing on-premises system, or act as a proxy back to on-premises
Directory Modes
- Simple AD - The default. Simple requirements. A directory in AWS
- Microsoft AD - Applications in AWS which need MS AD DS, or you need to TRUST AD DS
- AD Connector - use AWS services which need a directory without storing any directory info in the cloud ... a proxy to your on-premises directory
AWS DataSync
- Data Transfer service TO and FROM AWS
- Migrations, data processing transfers, archival to cost-effective storage or DR/BC - designed to work at huge scale
- Keeps metadata (e.g. permissions/timestamps)
- Built in data validation
Key features
- Scalable - 10Gbps per agent (~100TB per day)
- Bandwidth Limiters ( avoid link saturation)
- Incremental and scheduled transfer options
- Compression and encryption
- Automatic recovery from transit errors
- AWS Service Integration - S3, EFS, FSx
- Pay as you use .. per GB cost for data moved
Components
- Task - a job within DataSync, defines what is being synced, how quickly, FROM where and TO where
- Agent - software used to read or write to on-premises data stores using NFS or SMB
- Location - every task has two locations, FROM and TO, e.g. NFS, SMB, Amazon EFS, Amazon FSx and Amazon S3
CloudHSM
- With KMS - AWS managed, shared but separated
- True "single tenant" Hardware Security Module (HSM)
- AWS provisioned, fully customer managed
- Fully FIPS 140-2 Level 3 (KMS is L2 overall, some L3)
- Industry standard APIs - PKCS#11, Java Cryptography Extensions (JCE), Microsoft CryptoNG (CNG) libraries
- KMS can use CloudHSM as a custom key store, CloudHSM integration with KMS
Use cases
- No native AWS integration .. e.g. no S3 SSE
- Offload the SSL/TLS Processing for Web Servers
- Enable Transparent Data Encryption (TDE) for Oracle Databases
- Protect the Private Keys for an Issuing Certificate Authority (CA)
DynamoDB
DynamoDB Concepts
- No SQL Public Database-as-a-Service (DBaaS) - Key/Value & Document
- No self-managed server or infrastructure
- Manual/Automatic provisioned performance IN/OUT or On-Demand
- Highly resilient - across AZs and optionally global
- Really fast - single digit milliseconds (SSD based)
- Backups, point-in-time recovery, encryption at rest
- Event-driven integration - do things when data changes
DynamoDB Considerations
- No SQL - prefer DynamoDB in the exam
- Relational data - generally NOT DynamoDB
- Key/Value - prefer DynamoDB in the exam
- Access via console, CLI, API - 'NO SQL'
- Billed based on RCU, WCU, storage and features
DynamoDB - Operations, Consistency and Performance
- On-Demand - unknown, unpredictable workloads, low admin
- On-Demand - price per million read or write units
- Provisioned - RCU and WCU set on a per-table basis
- Every operation consumes at least 1 RCU/WCU
- 1 RCU is 1 x 4KB read operation per second
- 1 WCU is 1 x 4KB write operation per second
- Every table has a RCU and WCU burst pool (300 seconds)
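The capacity-unit bullets above are the arithmetic behind provisioned-mode sizing, and the added example below (not from these notes or from AWS) turns them into a calculator: item size is rounded up to whole unit blocks, multiplied by the request rate, and adjusted for consistency (eventually consistent reads cost half, transactional reads and writes cost double), with the 300-second burst pool from the last bullet. One deliberate difference from the notes: DynamoDB's own documentation defines a WCU as one write of up to 1 KB per second (the 4 KB block is the read unit), and the constants below use that value.

```python
import math

READ_UNIT_BYTES = 4 * 1024    # 1 RCU = one strongly consistent read of up to 4 KB per second
WRITE_UNIT_BYTES = 1 * 1024   # 1 WCU = one write of up to 1 KB per second (DynamoDB docs)

READ_MULTIPLIER = {"eventual": 0.5, "strong": 1.0, "transactional": 2.0}
WRITE_MULTIPLIER = {"standard": 1.0, "transactional": 2.0}


def read_capacity_units(item_bytes, reads_per_second, consistency="strong"):
    """Provisioned RCUs needed for a steady read rate of items of the given size."""
    if item_bytes <= 0 or reads_per_second <= 0:
        return 0
    units_per_read = math.ceil(item_bytes / READ_UNIT_BYTES)     # size rounds up to 4 KB blocks
    raw = units_per_read * reads_per_second * READ_MULTIPLIER[consistency]
    return max(1, math.ceil(raw))                                # never below one unit


def write_capacity_units(item_bytes, writes_per_second, mode="standard"):
    """Provisioned WCUs needed for a steady write rate of items of the given size."""
    if item_bytes <= 0 or writes_per_second <= 0:
        return 0
    units_per_write = math.ceil(item_bytes / WRITE_UNIT_BYTES)   # size rounds up to 1 KB blocks
    raw = units_per_write * writes_per_second * WRITE_MULTIPLIER[mode]
    return max(1, math.ceil(raw))


def burst_pool_units(provisioned_units, unused_seconds=300):
    """Unused capacity DynamoDB may bank for bursts: up to 300 s of the provisioned rate."""
    return provisioned_units * min(unused_seconds, 300)


def table_plan(item_bytes, reads_per_second, writes_per_second, consistency="strong"):
    """Sizing summary for one table at a steady read/write rate."""
    rcu = read_capacity_units(item_bytes, reads_per_second, consistency)
    wcu = write_capacity_units(item_bytes, writes_per_second)
    return {"rcu": rcu, "wcu": wcu,
            "read_burst": burst_pool_units(rcu), "write_burst": burst_pool_units(wcu)}


if __name__ == "__main__":
    # constructed workload: 6 KB items, 100 reads/s and 50 writes/s
    print(table_plan(6 * 1024, 100, 50))
    print(table_plan(6 * 1024, 100, 50, consistency="eventual"))
```

The eventual-consistency halving is the usual place to check a sizing estimate: the same 6 KB, 100 reads/s workload needs 200 RCU strongly consistent but only 100 RCU eventually consistent.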
Amazon Athena
- Serverless Interactive Querying Service
- Ad-hoc queries on data - pay only for data consumed
- Schema-on-read - table-like translation
- Original data never changed - remains on S3
- Schema translates data => relational-like when read
- Output can be sent to other services
ElastiCache
- In-memory database - high performance
- Managed Redis or Memcached as a service
- Can be used to cache data - for READ HEAVY workloads with low latency requirements
- Reduces database workloads (expensive)
- Can be used to store session data (stateless servers)
- Requires application code changes!!
Redshift Architecture
- Petabyte-scale data warehouse
- OLAP (column based) not OLTP (row/transaction)
- Pay as you use - similar structure to RDS
- Directly query S3 using Redshift Spectrum
- Directly query other DBs using federated query
- Integrates with AWS tooling such as QuickSight
- SQL-like interface JDBC/ODBC connections
- Server based (not serverless)
- One AZ in a VPC - network cost/performance
- Leader Node - Query input, planning and aggregation
- Compute Node - performs queries on the data
- VPC security, IAM permissions, KMS encryption at rest, CW monitoring
- Redshift Enhanced VPC Routing - VPC networking!!!