AWS Certification Preparation Notes
Template components:
1) Resources – AWS resources to be created.
2) Parameters – dynamic inputs to be provided.
3) Mappings – Static variables to be used by the template.
4) Outputs – Details you want to get back from the stack.
5) Conditions – Conditions that control whether a resource action is performed.
6) Metadata
Template helpers:
1) References
2) Functions
Although AWS CloudFormation allows you to name some resources (such as Amazon S3
buckets), CloudFormation doesn't allow this for all resources. Naming resources restricts the
reusability of templates and can result in naming conflicts.
AWS CloudFormation automatically tags Amazon EBS volumes and Amazon EC2 instances with
the name of the AWS CloudFormation stack they are part of.
A resource must have a Type attribute, which defines the kind of AWS resource you want to
create. The Type attribute has a special format:
AWS::ProductIdentifier::ResourceType
Ex: AWS::S3::Bucket
AWS::EC2::Instance
A property for a resource is simply a string value. Some resources can have multiple properties,
and some properties can have one or more subproperties.
AWS CloudFormation has a number of intrinsic functions that you can use to refer to other
resources and their properties.
You can use the Ref function to refer to an identifying property of a resource. Frequently, this is
the physical name of the resource; however, sometimes it can be an identifier, such as the IP
address for an AWS::EC2::EIP resource or an Amazon Resource Name (ARN) for an Amazon SNS
topic.
A number of resources have additional attributes whose values you can use in your template.
To get these attributes, you use the Fn::GetAtt function. The Fn::GetAtt function takes two
parameters, the logical name of the resource and the name of the attribute to be retrieved.
The AWS::Region pseudo parameter is a value that AWS CloudFormation resolves as the region
where the stack is created.
To use a map to return a value, you use the Fn::FindInMap function, passing the name of the
map, the value used to find the mapped value, and the label of the mapped value you want to
return.
DependsOn attribute enables you to specify that one resource must be created after
another.
DeletionPolicy attribute enables you to specify how AWS CloudFormation should handle
the deletion of a resource.
Metadata attribute enables you to specify structured data with a resource.
Use cross-stack references to export resources from a stack so that other stacks can use them.
Stacks can use the exported resources by calling them using the Fn::ImportValue function.
To separate permissions between a user and the AWS CloudFormation service, use a service
role. AWS CloudFormation uses the service role's policy to make calls instead of the user's
policy.
Nested stacks are stacks that create other stacks. To create nested stacks, use
the AWS::CloudFormation::Stack resource in your template to reference other templates.
If your template requires inputs for existing AWS-specific values, such as existing Amazon
Virtual Private Cloud IDs or an Amazon EC2 key pair name, use AWS-specific parameter types.
For example, you can specify a parameter as type AWS::EC2::KeyPair::KeyName, which takes an
existing key pair name that is in your AWS account and in the region where you are creating the
stack.
Parameter Constraints - you can describe allowed input values so that AWS CloudFormation
catches any invalid values before creating a stack. You can set constraints such as a minimum
length, maximum length, and allowed patterns.
Use AWS::CloudFormation::Init to Deploy Software Applications on Amazon EC2 Instances.
When you launch stacks, you can install and configure software applications on Amazon EC2
instances by using the cfn-init helper script and the AWS::CloudFormation::Init resource.
Stack policies help protect critical stack resources from unintentional updates that could cause
resources to be interrupted or even replaced.
AWS CloudFormation provides several built-in functions that help you manage your stacks. Use
intrinsic functions in your templates to assign values to properties that are not available until
runtime.
Fn::Base64
The intrinsic function Fn::Base64 returns the Base64 representation of the input string. This
function is typically used to pass encoded data to Amazon EC2 instances by way of
the UserData property.
The intrinsic function Fn::Cidr returns an array of CIDR address blocks. The number of CIDR
blocks returned is dependent on the count parameter.
ipBlock
The user-specified CIDR address block to be split into smaller CIDR blocks.
count
cidrBits
The number of subnet bits for the CIDR. For example, specifying a value "8" for this
parameter will create a CIDR with a mask of "/24".
Condition Functions
You can use intrinsic functions, such as Fn::If, Fn::Equals, and Fn::Not, to conditionally create
stack resources.
Fn::FindInMap
Fn::GetAZs
The intrinsic function Fn::GetAZs returns an array that lists Availability Zones for a specified
region.
For the EC2-Classic platform, the Fn::GetAZs function returns all Availability Zones for a region.
For the EC2-VPC platform, the Fn::GetAZs function returns only Availability Zones that have a
default subnet unless none of the Availability Zones has a default subnet; in that case, all
Availability Zones are returned.
{ "Fn::GetAZs" : "region" }
Fn::ImportValue
{ "Fn::ImportValue" : sharedValueToImport }
Fn::Join
The intrinsic function Fn::Join appends a set of values into a single value, separated by the
specified delimiter. If the delimiter is the empty string, the set of values is concatenated with no
delimiter.
Fn::Select
Fn::Select does not check for null values or whether the index is out of bounds of the array. Both
conditions result in a stack error.
{ "Fn::Select" : [ index, listOfObjects ] }
For the Fn::Select index value, you can use the Ref and Fn::FindInMap functions.
Fn::FindInMap
Fn::GetAtt
Fn::GetAZs
Fn::If
Fn::Split
Ref
Fn::Split
To split a string into a list of string values so that you can select an element from the resulting
list, specify the location of the splits with a delimiter, such as , (a comma). After you split a
string, use the Fn::Select function to pick a specific element.
{ "Fn::Split" : [ "delimiter", "source string" ] }
Fn::Sub
The intrinsic function Fn::Sub substitutes variables in an input string with values that you
specify. In your templates, you can use this function to construct commands or outputs that
include values that aren't available until you create or update a stack.
Fn::Transform
Ref
When you specify a parameter's logical name, it returns the value of the parameter.
When you specify a resource's logical name, it returns a value that you can typically use
to refer to that resource, such as a physical ID.
{ "Ref" : "logicalName" }
Pseudo Parameters Reference
Pseudo parameters are parameters that are predefined by AWS CloudFormation. You do not
declare them in your template. Use them the same way as you would a parameter, as the
argument for the Ref function.
AWS::AccountId:
Returns the AWS account ID of the account in which the stack is being created.
AWS::NotificationARNs:
Returns the list of notification Amazon Resource Names (ARNs) for the current stack.
AWS::NoValue:
AWS::Partition:
Returns the partition that the resource is in. For standard AWS regions, the partition is aws. For
resources in other partitions, the partition is aws-partitionname.
AWS::Region:
Returns a string representing the AWS Region in which the encompassing resource is being
created, such as us-west-2.
AWS::StackId:
AWS::StackName:
Returns the name of the stack as specified with the aws cloudformation create-stack command,
such as teststack.
AWS::URLSuffix:
Returns the suffix for a domain. The suffix is typically amazonaws.com, but might differ by
region. For example, the suffix for the China (Beijing) region is amazonaws.com.cn.
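To make the intrinsic functions and pseudo parameters above concrete, here is a small resolver that evaluates Ref, Fn::Join, Fn::Split, Fn::Select, Fn::FindInMap, Fn::GetAZs, Fn::Cidr and Fn::Sub over template fragments. It is an added example, not CloudFormation's own code: the stack context (region, account ID, parameters, the RegionMap mapping, the AZ list) is constructed, and Fn::GetAtt and resources are not modelled.

```python
import ipaddress
import re
from itertools import islice

# Constructed stack context (not a real account): values Ref returns for pseudo
# parameters and template parameters, plus one mapping for Fn::FindInMap.
PSEUDO = {"AWS::Region": "us-west-2", "AWS::AccountId": "123456789012",
          "AWS::StackName": "teststack", "AWS::Partition": "aws",
          "AWS::URLSuffix": "amazonaws.com"}
PARAMS = {"Env": "prod", "VpcCidr": "10.0.0.0/16"}
MAPPINGS = {"RegionMap": {"us-west-2": {"AMI": "ami-PLACEHOLDER"}}}

def ref(name):
    """Ref: pseudo parameters first, then template parameters; KeyError if unknown."""
    return PSEUDO[name] if name in PSEUDO else PARAMS[name]

def resolve(node):
    """Recursively evaluate the intrinsic functions in a template fragment."""
    if isinstance(node, list):
        return [resolve(n) for n in node]
    if not (isinstance(node, dict) and len(node) == 1):
        return node
    (fn, arg), = node.items()
    if fn == "Ref":
        return ref(arg)
    if fn == "Fn::Join":             # [delimiter, list of values]
        delim, values = arg
        return delim.join(str(v) for v in resolve(values))
    if fn == "Fn::Split":            # [delimiter, source string] -> list
        delim, source = resolve(arg)
        return source.split(delim)
    if fn == "Fn::Select":           # [index, list]; index may itself be a Ref
        index, objects = resolve(arg)
        if objects is None or not 0 <= int(index) < len(objects):
            raise IndexError("Fn::Select: null list or index out of bounds (stack error)")
        return objects[int(index)]
    if fn == "Fn::FindInMap":        # [map name, top-level key, second-level key]
        name, key, label = resolve(arg)
        return MAPPINGS[name][key][label]
    if fn == "Fn::GetAZs":           # constructed AZ list; the real one comes from the API
        region = resolve(arg) or PSEUDO["AWS::Region"]
        return [f"{region}{suffix}" for suffix in "abc"]
    if fn == "Fn::Cidr":             # [ipBlock, count, cidrBits] -> count /(32-cidrBits) blocks
        ip_block, count, cidr_bits = resolve(arg)
        prefix = 32 - int(cidr_bits)
        subnets = ipaddress.ip_network(ip_block).subnets(new_prefix=prefix)
        blocks = [str(n) for n in islice(subnets, int(count))]
        if len(blocks) < int(count):
            raise ValueError(f"Fn::Cidr: {ip_block} cannot hold {count} /{prefix} blocks")
        return blocks
    if fn == "Fn::Sub":              # "${Name}" placeholders; "${!Name}" stays literal
        template, extra = (arg, {}) if isinstance(arg, str) else arg
        extra = {k: resolve(v) for k, v in extra.items()}

        def lookup(match):
            name = match.group(1)
            if name.startswith("!"):
                return "${" + name[1:] + "}"
            return str(extra[name] if name in extra else ref(name))
        return re.sub(r"\$\{([^}]+)\}", lookup, template)
    if fn.startswith("Fn::"):
        raise NotImplementedError(f"{fn} is not handled by this resolver")
    return node                      # a plain one-key mapping, not a function
```

Fn::Cidr with cidrBits 8 on the /16 parameter yields /24 blocks, and an out-of-range Fn::Select index raises rather than returning silently, matching the stack-error behaviour described above.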
CloudFormation Helper Scripts Reference
AWS CloudFormation provides the following Python helper scripts that you can use to install
software and start services on an Amazon EC2 instance that you create as part of your stack:
cfn-init: Use to retrieve and interpret resource metadata, install packages, create files,
and start services.
cfn-signal: Use to signal with a CreationPolicy or WaitCondition, so you can synchronize
other resources in the stack when the prerequisite resource or application is ready.
cfn-get-metadata: Use to retrieve metadata for a resource or path to a specific key.
cfn-hup: Use to check for updates to metadata and execute custom hooks when
changes are detected.
The cfn-init helper script reads template metadata from the AWS::CloudFormation::Init key and
acts accordingly to:
The cfn-hup helper is a daemon that detects changes in resource metadata and runs user-
specified actions when a change is detected. This allows you to make configuration updates on
your running Amazon EC2 instances through the UpdateStack API action.
For Amazon EC2 issues, view the cloud-init and cfn logs. These logs are published on the
Amazon EC2 instance in the /var/log/ directory. These logs capture processes and command
outputs while AWS CloudFormation is setting up your instance. For Windows, view the
EC2Configure service and cfn logs in %ProgramFiles%\Amazon\EC2ConfigService and C:\cfn\log.
DependsOn Attribute
With the DependsOn attribute you can specify that the creation of a specific resource follows
another. When you add a DependsOn attribute to a resource, that resource is created only after
the creation of the resource specified in the DependsOn attribute.
DeletionPolicy Attribute
With the DeletionPolicy attribute you can preserve or (in some cases) back up a resource when
its stack is deleted. You specify a DeletionPolicy attribute for each resource that you want to
control. If a resource has no DeletionPolicy attribute, AWS CloudFormation deletes the resource
by default.
CreationPolicy Attribute
Associate the CreationPolicy attribute with a resource to prevent its status from reaching create
complete until AWS CloudFormation receives a specified number of success signals or the
timeout period is exceeded. To signal a resource, you can use the cfn-signal helper script
or SignalResource API.
The creation policy is invoked only when AWS CloudFormation creates the associated resource.
Currently, the only AWS CloudFormation resources that support creation policies
are AWS::AutoScaling::AutoScalingGroup, AWS::EC2::Instance,
and AWS::CloudFormation::WaitCondition.
UpdateReplacePolicy Attribute
Use the UpdateReplacePolicy attribute to retain or (in some cases) back up the existing physical
instance of a resource when it is replaced during a stack update operation.
Options:
Delete
Retain
Snapshot
The cfn-signal helper script signals AWS CloudFormation to indicate whether Amazon EC2
instances have been successfully created or updated. If you install and configure software
applications on instances, you can signal AWS CloudFormation when those software
applications are ready.
You use the cfn-signal script in conjunction with a CreationPolicy or an Auto Scaling group with
a WaitOnResourceSignals update policy.
When AWS CloudFormation creates or updates resources with those policies, it suspends work
on the stack until the resource receives the requisite number of signals or until the timeout
period is exceeded.
A common usage pattern is to use cfn-init and cfn-signal together. The cfn-signal call uses the
return status of the call to cfn-init (using the $? shell construct). If the application fails to install,
the instance fails to create and the stack rolls back.
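As an added example (not code from the notes or from AWS), the following builds an EC2 resource that pairs a CreationPolicy with the cfn-init / cfn-signal "$?" pattern described above, and lints a Resources section for the mistakes that silently break it: a CreationPolicy on an unsupported type, a policy nothing signals, a signal nothing waits for, a signal aimed at another logical ID, or a signal that reports success unconditionally. The helper path /opt/aws/bin and the ImageId parameter are assumptions.

```python
import json
import re

# Resource types the notes list as supporting CreationPolicy.
SIGNAL_TYPES = {"AWS::AutoScaling::AutoScalingGroup", "AWS::EC2::Instance",
                "AWS::CloudFormation::WaitCondition"}

def ec2_with_signal(logical_id, timeout="PT15M"):
    """Build an EC2 resource (as a Python dict) whose CreationPolicy waits for one
    signal and whose UserData runs cfn-init, then forwards its exit status via $?."""
    script = (
        "#!/bin/bash -xe\n"
        f"/opt/aws/bin/cfn-init -v --stack ${{AWS::StackName}} --resource {logical_id}"
        " --region ${AWS::Region}\n"
        # $? is cfn-init's exit status: non-zero -> FAILURE signal -> stack rollback
        f"/opt/aws/bin/cfn-signal -e $? --stack ${{AWS::StackName}} --resource {logical_id}"
        " --region ${AWS::Region}\n"
    )
    return {
        "Type": "AWS::EC2::Instance",
        "Metadata": {"AWS::CloudFormation::Init": {          # constructed cfn-init config
            "config": {"packages": {"yum": {"httpd": []}}}}},
        "CreationPolicy": {"ResourceSignal": {"Count": 1, "Timeout": timeout}},
        "Properties": {"ImageId": {"Ref": "ImageId"},        # assumed template parameter
                       "UserData": {"Fn::Base64": {"Fn::Sub": script}}},
    }

def check_signals(resources):
    """Lint a Resources section: every CreationPolicy must sit on a supported type and
    be paired with a cfn-signal (forwarding $?) that targets the same logical ID."""
    findings = []
    for name, res in resources.items():
        policy = res.get("CreationPolicy")
        text = json.dumps(res.get("Properties", {}).get("UserData", ""))
        signals = re.findall(r"cfn-signal(.*?--resource (\S+))", text)
        if policy and res["Type"] not in SIGNAL_TYPES:
            findings.append(f"{name}: CreationPolicy is not supported on {res['Type']}")
        if policy and not signals:
            findings.append(f"{name}: CreationPolicy set but UserData never runs cfn-signal")
        for opts, target in signals:
            if target != name:
                findings.append(f"{name}: cfn-signal targets {target}, not itself")
            if not policy:
                findings.append(f"{name}: cfn-signal sent but nothing waits for it")
            if "-e $?" not in opts:
                findings.append(f"{name}: cfn-signal does not forward the cfn-init status")
    return findings
```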
AWS CloudFormation StackSets extends the functionality of stacks by enabling you to create,
update, or delete stacks across multiple accounts and regions with a single operation. Using an
administrator account, you define and manage an AWS CloudFormation template, and use the
template as the basis for provisioning stacks into selected target accounts across specified
regions.
When you use StackSets, you work with stack sets, stack instances, and stacks.
An administrator account is the AWS account in which you create stack sets.
A target account is the account into which you create, update, or delete one or more stacks in
your stack set. Before you can use a stack set to create stacks in a target account, you must set
up a trust relationship between the administrator and target accounts.
A stack set lets you create stacks in AWS accounts across regions by using a single AWS
CloudFormation template.
A stack set is a regional resource. If you create a stack set in one region, you cannot see it or
change it in other regions.
A stack instance is a reference to a stack in a target account within a region. A stack instance
can exist without a stack; for example, if the stack could not be created for some reason, the
stack instance shows the reason for stack creation failure. A stack instance is associated with
only one stack set.
EBS:
Types:
GP2 (General Purpose):
Size: 1 GB to 16 TB (16384 GB)
3 IOPS per GB allowed. 16000 max IOPS.
16000 IOPS for volumes greater than or equal to 5333 GB.
Min: 100 IOPS
Burst only happens when the volume size is less than 1000 GB, to a max of 3000 IOPS.
ST1:
Streaming workloads that require consistent, fast throughput at a low price.
Big data, data warehouses, log processing, Kafka.
Size: 500 GiB to 16 TiB
Max 500 IOPS.
Throughput: 40 MB/s per TB, max of 500 MB/s
SC1:
Large volumes that are infrequently accessed.
Lowest storage cost.
Size: 500 GiB to 16 TiB
Max 250 IOPS.
Throughput: 12 MB/s per TB, max of 250 MB/s
IO1:
Throughput in MB/s = (Provisioned IOPS) * (IO size in KB)
i.e., Provisioned IOPS * 256 KB/s
Limit: 500 MB/s (32000 IOPS) and 1000 MB/s (64000 IOPS)
Volume Resize:
EBS volumes can be modified while still being attached to an instance.
You can modify the type, size and IOPS.
You can only increase the size, but not decrease it.
The new resized volume is usable after it reaches Optimizing state.
You need to repartition the disk after resizing to utilize the newly added space.
Data Lifecycle manager – Snapshot lifecycle policy for snapshot management.
S3:
Encryption:
SSE-S3: using keys managed by AWS.
Header: "x-amz-server-side-encryption": "AES256"
SSE-KMS: using keys managed by KMS.
Header: "x-amz-server-side-encryption": "aws:kms"
SSE-C: using keys managed by the customer.
HTTPS must be used.
AWS does not store the encryption keys.
AWS does the encryption.
Client-side encryption: clients encrypt and decrypt data themselves and manage the keys.
Encryption in flight: called SSL/TLS.
Enable default encryption on a bucket to encrypt all objects.
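The encryption modes above can be told apart from the request headers of a PUT, which is what a defender needs when auditing access logs or gating uploads. The following is an added example, not code from the notes or from AWS: it classifies a PUT as SSE-S3, SSE-KMS, SSE-C or NONE, rejects SSE-C over plain HTTP and malformed SSE-C requests, lets a bucket default encryption setting fill in when no header is sent, and flags unencrypted objects in a constructed sample of requests. The SSE-C and KMS key-ID header names are the documented ones; the sample key values are placeholders.

```python
# Header names from the notes (SSE-S3 / SSE-KMS) plus the SSE-C customer-key headers;
# comparisons use lower-cased names since HTTP header names are case-insensitive.
SSE = "x-amz-server-side-encryption"
SSE_KMS_KEY = "x-amz-server-side-encryption-aws-kms-key-id"
SSE_C_ALGO = "x-amz-server-side-encryption-customer-algorithm"
SSE_C_KEY = "x-amz-server-side-encryption-customer-key"
SSE_C_KEY_MD5 = "x-amz-server-side-encryption-customer-key-md5"

def sse_mode(headers, scheme="https", bucket_default=None):
    """Return the encryption mode an S3 PUT ends up with ('SSE-S3', 'SSE-KMS', 'SSE-C'
    or 'NONE'), or raise ValueError for a request S3 would reject."""
    h = {k.lower(): v for k, v in headers.items()}
    if SSE_C_ALGO in h or SSE_C_KEY in h:
        if scheme != "https":
            raise ValueError("SSE-C over plain HTTP: the customer key would travel in clear")
        if h.get(SSE_C_ALGO) != "AES256" or not (SSE_C_KEY in h and SSE_C_KEY_MD5 in h):
            raise ValueError("SSE-C needs algorithm AES256, the key and its MD5 header")
        return "SSE-C"              # AWS encrypts with the key but does not store it
    if SSE in h:
        if h[SSE] == "AES256":
            return "SSE-S3"
        if h[SSE] == "aws:kms":
            return "SSE-KMS"        # SSE_KMS_KEY is optional; a default key is used if absent
        raise ValueError(f"unknown {SSE} value: {h[SSE]}")
    return bucket_default or "NONE" # bucket default encryption applies when no header is set

def unencrypted_puts(requests, bucket_default=None):
    """Detection helper: from (object key, scheme, headers) PUT records, return the keys
    that were stored unencrypted or that S3 would have rejected, with the reason."""
    flagged = []
    for key, scheme, headers in requests:
        try:
            mode = sse_mode(headers, scheme, bucket_default)
        except ValueError as err:
            flagged.append((key, f"rejected: {err}"))
            continue
        if mode == "NONE":
            flagged.append((key, "stored without server-side encryption"))
    return flagged

# Constructed sample of PUT requests (not real traffic); key material is a placeholder.
SAMPLE_PUTS = [
    ("reports/q1.csv", "https", {SSE: "AES256"}),
    ("reports/q2.csv", "https", {SSE: "aws:kms", SSE_KMS_KEY: "alias/PLACEHOLDER"}),
    ("reports/q3.csv", "https", {}),
    ("secrets.bin", "http", {SSE_C_ALGO: "AES256", SSE_C_KEY: "<base64-key>",
                             SSE_C_KEY_MD5: "<key-md5>"}),
]
```

Run against the sample, reports/q3.csv is flagged as unencrypted unless the bucket has default encryption, and secrets.bin is flagged as rejected because SSE-C was attempted over HTTP.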
S3 bucket url:
<Bucketname>.s3-website-<AWS-Region>.amazonaws.com
Or
<Bucketname>.s3-website.<AWS-Region>.amazonaws.com
If you want to request data from another S3 bucket, you need to enable CORS.
CORS allows you to limit the number of websites that can access your files.
Consistency model:
1) Read after write consistency for new object PUTS.
2) Eventual consistency for PUTS and DELETES on existing objects.
To pre-sign a URL, set the default signature version to s3v4, which makes the resulting URL
format compatible with KMS-encrypted objects:
aws configure set default.s3.signature_version s3v4
CloudFront access logs: log every access request to CloudFront into a logging S3 bucket.
Snowball:
Physical solution to move TBs or PBs of data in and out of AWS.
Secure – KMS 256-bit encryption.
Tracking using SNS and text messages.
E-ink enabled.
If it takes more than a week to transfer the data over a network, use Snowball.
Each Snowmobile (a truck) has 100 PB of capacity.
1 EB = 1000 PB = 1,000,000 TB
Better than Snowball if you transfer more than 10 PB.
Encryption:
At rest with AWS KMS – AES-256 encryption.
SSL certificates for encryption in flight.
To enforce SSL:
PostgreSQL/SQL Server: rds.force_ssl=1 – parameter groups
MySQL/MariaDB:
Within the DB – run the following query:
GRANT USAGE ON *.* TO 'mysqluser'@'%' REQUIRE SSL;
Aurora:
Supports PostgreSQL and MySQL DBs.
5x performance improvement over MySQL and 3x over PostgreSQL.
Aurora storage grows in increments of 10 GB up to 64 TB (it is auto-expanding).
Can have 15 read replicas (MySQL has only 5).
Failover is instantaneous. Highly available.
Costs more.
6 copies of your data across 3 AZs.
It needs 4 copies out of 6 for writes,
and 3 copies out of 6 for reads.
Storage is striped across 100s of volumes in the backend.
Automated failover in less than 30 secs.
Aurora DB Cluster:
Writer endpoint points to the master.
Autoscaling on read replicas from 1 to 15.
Reader endpoint to read replicas using connection load balancing.
Backtrack: restore to a point in time without backups.
Authentication using IAM.
Aurora Serverless:
You need not choose an instance type.
Only supports MySQL 5.6 and PostgreSQL (beta).
Can migrate from an Aurora cluster to serverless and vice versa.
Usage is measured in Aurora Capacity Units (ACUs), like DynamoDB.
Billed per 5 minutes of ACU usage.
DB Parameter group:
Configure the DB engine using parameter groups.
Dynamic parameters are applied immediately.
Static parameters are applied on instance reboot.
Encryption at rest can be enabled only when you first create an RDS instance.
RDS Cloudwatch Metrics:
FreeStorageSpace
ReadIOPS / WriteIOPS
DatabaseConnections
SwapUsage
ReadLatency / WriteLatency
ReadThroughput / WriteThroughput
DiskQueueDepth
Enhanced monitoring gets the details from an agent running on the DB instance.
Granularity is from 1 sec to 60 secs.
Gets more specific details from the DB instance.
Performance Insights:
To visualize database performance and analyze any issue affecting it.
Filter the load using these:
By waits > find the resource that is the bottleneck (CPU, IO, etc.).
By SQL query > which SQL query is causing the performance bottleneck.
By hosts > which server is using most of the DB.
By user > which user is using most of the database.
ElastiCache:
Managed Redis or Memcached.
In-memory databases with high performance and low latency.
Helps make applications stateless.
Write scaling using sharding.
Use case:
To relieve load off databases.
User Session store.
Elastic Beanstalk:
Managed service:
Instance configuration/OS managed by Beanstalk.
Deployment is performed by Beanstalk.
Application code is the only responsibility of the developer.
Cloudwatch:
EC2 detailed monitoring:
Normally we get details every 5 mins.
With detailed monitoring, we get metric details every 1 minute at extra cost.
AWS free tier allows for 10 detailed metrics.
Custom metrics:
10 dimensions per metric are allowed.
Default resolution: 1 min
High-resolution metric: 1 sec
To send metric data to CloudWatch, you use the PutMetricData API call.
Use exponential back-off in case of throttling errors.
Cloudwatch dashboards:
Quick access to key metrics.
Dashboards are global; you can access a dashboard from any region.
Dashboards can include graphs from different regions.
Can change the time zone and time range of dashboards.
Can set up automatic refresh.
3 dashboards (up to 50 metrics) are free.
$3/dashboard/month afterwards.
Cloudwatch alarms:
Status: OK, INSUFFICIENT_DATA, ALARM
Targets:
1) Stop, terminate, recover, or reboot an EC2 instance.
2) Trigger an autoscaling action.
3) Send a notification to SNS.
Cloudwatch Events:
Source + rule -> Target
Schedule: cron jobs
Event patterns
Triggers to Lambda functions, SQS/SNS/Kinesis
Config:
Auditing and compliance of AWS resources.
Provides an inventory of resources and the history of configuration changes to these resources.
Helps record configuration and changes over time.
Records compliance over time.
Can store config data in S3.
Questions:
1) Is there unrestricted SSH access in my security groups?
2) Do my buckets have any public access?
3) Has my ALB configuration changed over time?
Can receive alerts (SNS notifications) for any changes.
Per-region service, but can be aggregated across regions and accounts.
Config rules:
1) AWS managed (more than 75).
2) Custom (must be defined in AWS Lambda).
Rules can be evaluated/triggered:
1) For each config change.
2) At regular intervals.
Can see:
Compliance of a resource over time.
Configuration of a resource over time.
CloudTrail API calls, if enabled.
Cost Explorer:
Cost Explorer needs to be enabled, and then you can check the details after 24 hrs.
It also gives you a reservation summary and recommendations on reserved instances for:
EC2
RDS
Redshift
ElastiCache
Elasticsearch
Reservation utilization and coverage in Cost Explorer.
AWS Budgets:
Can send alarms when usage exceeds the budget.
Types of budget: usage, cost and reservation.
For tags to show up in the cost report, they must be designated cost allocation tags.
They will be shown as columns in reports.
AWS-defined cost allocation tags – start with the prefix "aws:"
- need to be activated
- will not be applied to resources used before activation
- can only be seen in the Billing and Cost Management console, not in the general AWS console or
even the tag editor.
User-defined tags – start with the prefix "user:"