Note For AWS Sysops

The document provides information about various AWS services including CloudFormation, Auto Scaling Groups, Elastic Beanstalk, EC2, S3, CloudWatch, Storage Gateway, VPCs, RDS, CloudFront, EventBridge, ELB and more. It covers concepts like templates, change sets, parameters, mappings, stack policies, health checks, AMIs, snapshots, encryption, access logging, monitoring and more.

Uploaded by Kiet Ngo
CloudFormation:

- If your template contains custom-named IAM resources, don't create multiple stacks reusing the same template. IAM resource names must be globally unique within your account => some resources get created, some are omitted.
- Any error during stack creation => rollback
- Permissions were an issue => the stack won't be created
- Use CloudFormation StackSets with AWS Organizations to deploy and manage IAM roles in multiple AWS accounts simultaneously
- A change set successfully executed => the rest of the change sets are deleted
- Invalid change set => won't change anything
- Change sets don't indicate whether AWS CloudFormation will successfully update a stack
- There is no rollback for change sets, since there is no real change.
- Bring existing resources into AWS CloudFormation => resource import
- Parameters => reuse a template
- Mappings => fixed variables within a CloudFormation template
- Stack policies protect critical stack resources from updates
- !GetAtt returns the value of an attribute
- OnFailure=DO_NOTHING/ROLLBACK/DELETE
- DeletionPolicy=Snapshot => create a snapshot on delete
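A template that ties the CloudFormation notes above together (added example, not from the original notes; the resource and parameter names are hypothetical): one template reused across environments through a Parameter, fixed per-environment values looked up from a Mapping, a database that is snapshotted rather than lost when the stack is deleted, and an Output built with !GetAtt.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Added example - Parameters, Mappings, DeletionPolicy and GetAtt (hypothetical names)

Parameters:
  EnvType:                        # Parameter: the same template is reused per environment
    Type: String
    Default: dev
    AllowedValues: [dev, prod]
  DBPassword:
    Type: String
    NoEcho: true                  # value is masked in console and API output

Mappings:
  EnvConfig:                      # Mapping: fixed lookup values inside the template
    dev:
      InstanceClass: db.t3.micro
      BackupDays: "1"
    prod:
      InstanceClass: db.m5.large
      BackupDays: "7"

Resources:
  AppDatabase:
    Type: AWS::RDS::DBInstance
    DeletionPolicy: Snapshot      # a DB snapshot is taken when the stack deletes this resource
    UpdateReplacePolicy: Snapshot # same protection when an update forces replacement
    Properties:
      Engine: mysql
      DBInstanceClass: !FindInMap [EnvConfig, !Ref EnvType, InstanceClass]
      AllocatedStorage: "20"
      MasterUsername: admin
      MasterUserPassword: !Ref DBPassword
      BackupRetentionPeriod: !FindInMap [EnvConfig, !Ref EnvType, BackupDays]
      StorageEncrypted: true
      PubliclyAccessible: false

Outputs:
  DBEndpoint:
    Value: !GetAtt AppDatabase.Endpoint.Address   # !GetAtt returns a resource attribute
```

A stack policy that blocks updates to AppDatabase is a separate JSON document attached to the stack, not part of the template; OnFailure is likewise a create-stack option rather than a template field.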
Auto Scaling Group:
- The default health check type of an ASG is EC2
- Automatically replace unhealthy EC2 instances => change the health check type from EC2 to ELB
- An Elastic Beanstalk Auto Scaling group uses two default Amazon CloudWatch alarms
Elastic Beanstalk:
- Configuration should be changed using Elastic Beanstalk configuration files (.ebextensions) => persistent
AWS Directory Service:
- AWS Directory Service makes it easy to set up and run directories in the AWS Cloud, or to connect your AWS resources with an existing on-premises Microsoft Active Directory
AWS Resource Access Manager:
- Share specified AWS resources with other AWS accounts.
AWS EC2:
- Traffic between two EC2 instances in the same AWS Region stays within the AWS network, even when it goes over public IP addresses. Between different AWS Regions: if there is an inter-region VPC peering connection => stays within the AWS network; if there is not => not guaranteed to stay within the AWS network.
- Recover an impaired instance => use the AWSSupport-ExecuteEC2Rescue automation document
- Create golden AMIs from a source AMI => AWS-UpdateLinuxAmi, AWS-UpdateWindowsAmi
- EC2 internet connectivity steps: attach an Internet Gateway to the VPC, update the route table
- Create an application-consistent AMI => disable the "No reboot" option.
- Status checks: can't be disabled.
- Resizing an instance is only possible if the root device of the instance is an EBS volume
- Stop an EBS-backed instance before changing its instance type (the instance ID does not change)
- If your instance is in an Auto Scaling group, the Amazon EC2 Auto Scaling service marks the stopped instance as unhealthy, and may terminate it and launch a replacement instance
- Golden AMI => OS dependencies already set up
Direct Connect:
- Low-latency, private connections to AWS for workloads that require higher speed or lower latency than the internet
CloudWatch:
- StatsD: both Linux and Windows
- collectd: Linux only
- Total network used => NetworkIn and NetworkOut metrics
- Use Amazon CloudWatch Synthetics to create canaries: configurable scripts that run on a schedule to monitor endpoints and APIs
- Composite alarm: goes to the ALARM state when all of its conditions are met.
- ServiceLens: a more detailed and comprehensive view.
- Alarms continue to evaluate metrics against the configured threshold, even after they are triggered
- CPUUtilization metric: identify the processing power required
- Same configuration file name => the second file overwrites the first file
- Instance fails either the instance status check or the system status check: StatusCheckFailed
- Basic monitoring: 5 minutes
- Detailed monitoring: 1 minute
Snowball Edge Storage Optimized:
- Securely and quickly transfer dozens of terabytes to petabytes of data to AWS
- Can't directly copy data from Snowball Edge devices to AWS Glacier (must go through S3 and a lifecycle policy)
AWS Storage gateway:
- Uses SSL/TLS
- By default, uses S3-Managed Encryption Keys (SSE-S3). Can use SSE-KMS
Tape gateway:
- Can encrypt at rest using an AWS KMS-managed key (SSE-KMS)
Recover/ rebuild an AMI:
- Create a new AMI from Amazon EBS snapshots that were created as backups
- Create a new AMI from Amazon EC2 instances that were launched before the deletion of the AMI
Interface VPC endpoints:
- Enable you to privately access the Amazon EC2 and Systems Manager APIs by using private IP addresses
VPC:
- Internal IPv4 addresses are always private
- When creating a VPC, specify a range of IPv4 addresses in the form of a CIDR block
- By default, all subnets can route between each other, whether they are public or private.
- A subnet must reside entirely in one AZ
- VPC Flow Logs: capture information about the IP traffic
Amazon S3:
- Track access requests to an S3 bucket => S3 Server Access Logging, storing the logs in a bucket => no further charge.
- Recovery of accidentally deleted objects: S3 Versioning
- Deleting the bucket fails because it is not empty: S3 Versioning is enabled and delete markers are still present
- Pre-signed URL: valid only for the specified duration
- Enabling MFA Delete: root account and AWS CLI
- Actions that need MFA: suspend versioning, permanently delete an object version
X-ray:
- Tracks access requests, but it costs
- ALB does not send data to X-Ray
Amazon Inspector:
- Security assessments => check for unintended network access to EC2 instances and vulnerabilities on those instances (no tracking of S3 access)
AWS CloudTrail:
- Records API calls and user activity in AWS services, to monitor and analyze
Amazon RDS:
- Writing to tables on a read replica can break the replication
- If the value of the max_allowed_packet parameter for a read replica is less than the max_allowed_packet parameter for the source DB instance, replica errors occur
- HA and failure-proof: Multi-AZ deployment
- RDS read replicas: provide enhanced performance and durability for an RDS database instance
- Ensure all connections to RDS are encrypted: review the DB parameter groups
Trusted Advisor:
- Service limit checks
Share resources:
- Can only share AMIs that have unencrypted volumes or volumes encrypted with a customer managed CMK
- Don't need to share the EBS snapshots that an AMI references in order to share the AMI
- AMIs are regional resources and can't be shared across Regions. To make one available in another Region, copy the AMI to that Region and then share it.
- If you share an AMI from account A to account B, then deregister it in account A => can't launch new instances from the AMI in account A or B; instances already launched from the shared AMI are not impacted
Scheduled events:
- Managed by AWS; you can't configure scheduled events for your instances
CloudFront:
- Quickly remove a file from the CloudFront distribution: invalidate the file
- Allow access to S3 only through CloudFront: use S3 as a custom origin with CloudFront and restrict access using a custom header.
Error:
- Client.InternalError: Client error on launch. => the ASG attempted to launch an instance that has an encrypted EBS volume, but the service-linked role does not have access to the CMK
- The authorization header is malformed; the region '<AWS Region>' is wrong; expecting '<AWS Region>': indicates that the Amazon S3 bucket moved to another Region.
- InsufficientInstanceCapacity: launch the instance in another AZ
- InstanceLimitExceeded: Request
Cost:
- On-Demand Capacity Reservations enable you to reserve capacity for EC2 in a specific AZ for any duration.
- Capacity Reservations do not offer any billing discounts.
AWS Systems Manager:
- AWS Systems Manager Patch Manager automates the process of patching managed instances
- AWS Systems Manager Automation provides automation workflows to configure and manage instances.
- AWS Systems Manager Inventory: metadata of instances
AuroraDB:
- An Aurora DB cluster can contain up to 15 Aurora Replicas
Blue/Green Deploy:
- Avoids downtime and database sync issues
EBS:
- After increasing the size of an EBS volume: extend the file system to the larger size
- Attaching an EBS volume to EC2 stays in the "attaching" state for 10-15 minutes: use a different device name
EventBridge:
- Serverless service that uses events to connect application components together
- For Lambda, Amazon SNS, Amazon SQS, and Amazon CloudWatch Logs resources, EventBridge relies on resource-based policies.
- Schedule automated EBS snapshots
ELB:
- Users logged off and logged in several times in an hour: sticky sessions
- Gain access to log files that describe the list of HTTP requests: enable ELB access logs and query them using Athena
Athena:
- Interactive query service that makes it easy to analyze data directly in S3 using SQL
Amazon GuardDuty:
- Threat detection service that monitors for malicious activity and unauthorized behavior
AWS Personal health dashboard:
- Provides alerts and remediation guidance when AWS is experiencing events that may impact you
AWS service health dashboard:
- General status of AWS services
AWS Artifact:
- Self-service access to audit artifacts
OpsWorks:
- Chef, Puppet
Types of EC2 instances:
- On-Demand: pay for compute capacity by the hour or second
- Spot Instances: save up to 90%
- Savings Plans: 1 or 3 years
- Dedicated Hosts: physical EC2 server dedicated for your use
- Reserved Instances: save up to 75%
File gateway:
- NFS, SMB
Volume gateway:
- iSCSI
Improve read scalability on the database side:
- Set up an ElastiCache cluster
- Set up read replicas
RAID:
- RAID 0: I/O is more important than fault tolerance
- RAID 1: fault tolerance is more important than I/O
