Foundation
IAM = Identity and Access Management (Global Service)
Root Account created by default, shouldn't be used or shared
Users are people within your organization, and can be grouped
Users don't have to belong to a group, and user can belong to multiple groups
Users or Groups can be assigned JSON documents called policies
These policies define the permissions of the users
In AWS you apply the least privilege principle: don't give more permissions than a user needs
Some AWS services will need to perform actions on your behalf
To do so, we assign permissions to those AWS services with IAM Roles, for example:
EC2 Instance Roles
Lambda Function Roles
Roles for CloudFormation
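The policy and least-privilege notes above are easier to reason about with a concrete policy in hand. The block below is an added example (not from these notes and not AWS code): two identity policies, a broad one and a least-privilege one, a miniature evaluator that applies the IAM rule "default deny, explicit Deny overrides any Allow" with `*`/`?` wildcards, and a linter that flags the wildcards that usually mean over-permissioning. The bucket name `example-app-uploads` and the policies themselves are constructed placeholders.

```python
"""Added example, not from the original notes: IAM identity policies, a minimal
evaluator implementing 'default deny, explicit Deny wins', and a least-privilege
wildcard linter. All ARNs and policy contents are constructed placeholders."""
import json
import re

# A policy that looks convenient and grants every S3 API on every bucket.
BROAD_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]
}""")

# The least-privilege version: only the APIs the workload needs, only on its
# own bucket, with deletion explicitly denied.
LEAST_PRIVILEGE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-app-uploads/*"},
    {"Effect": "Allow",
     "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::example-app-uploads"},
    {"Effect": "Deny",
     "Action": "s3:DeleteObject",
     "Resource": "arn:aws:s3:::example-app-uploads/*"}
  ]
}""")


def _as_list(v):
    # IAM allows a single string or a list for Action and Resource.
    return v if isinstance(v, list) else [v]


def _match(pattern, value, ignore_case):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    # Action names are matched case-insensitively, resource ARNs are not.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None


def is_allowed(policies, action, resource):
    """Identity-policy evaluation in miniature: nothing is allowed unless some
    statement allows it, and one matching Deny overrides every Allow."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            hit = (any(_match(a, action, True) for a in _as_list(stmt.get("Action", [])))
                   and any(_match(r, resource, False) for r in _as_list(stmt.get("Resource", []))))
            if not hit:
                continue
            if stmt["Effect"] == "Deny":
                return False          # explicit deny: stop immediately
            allowed = True
    return allowed


def lint_wildcards(policy):
    """Findings for Allow statements broader than least privilege permits:
    a bare '*' action, a service-wide 'svc:*' action, or a '*' resource."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt["Effect"] != "Allow":
            continue
        for a in _as_list(stmt.get("Action", [])):
            if a == "*":
                findings.append(f"statement {i}: Action '*' grants every API")
            elif a.endswith(":*"):
                findings.append(f"statement {i}: Action '{a}' grants a whole service")
        for r in _as_list(stmt.get("Resource", [])):
            if r == "*":
                findings.append(f"statement {i}: Resource '*' applies to every resource")
    return findings


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-app-uploads/report.csv"
    print("broad allows DeleteBucket anywhere:",
          is_allowed([BROAD_POLICY], "s3:DeleteBucket", "arn:aws:s3:::any-bucket"))
    print("least-privilege allows GetObject on own bucket:",
          is_allowed([LEAST_PRIVILEGE_POLICY], "s3:GetObject", obj))
    print("deny wins even when the broad policy is also attached:",
          is_allowed([LEAST_PRIVILEGE_POLICY, BROAD_POLICY], "s3:DeleteObject", obj))
    print("lint findings:", lint_wildcards(BROAD_POLICY), lint_wildcards(LEAST_PRIVILEGE_POLICY))
```

The last check in the usage block is the one worth remembering: attaching a broad policy alongside a scoped one does not "add up" to the broad one where an explicit Deny exists, which is why a Deny statement is the right tool for guarding destructive actions.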
IAM Credentials Report: a report that lists all your account's users and the status of their various credentials
IAM Access Advisor shows the service permissions granted to a user and when those services were last accessed.
You can use this information to revise your policies.
Users: mapped to a physical user, has a password for AWS Console
Groups: contains users only
Policies: JSON document that outlines permissions for users or groups
Roles: for EC2 instances or AWS services
Security: MFA + Password Policy
AWS CLI: manage your AWS services using the command-line
AWS SDK: manage your AWS services using a programming language
Access Keys: access AWS using the CLI or SDK
Audit: IAM Credential Reports & IAM Access Advisor
To let IAM Users access Billing & Cost Management, you have to enable it from your root account
Placement Groups:
Types: Cluster, Spread, Partition.
Cluster: Instances in a low-latency group in a single AZ.
Spread: Instances placed on distinct underlying hardware for fault tolerance.
Partition: Instances spread across partitions for high availability.
Elastic Network Interface (ENI):
Cannot be attached to EC2 instances in another AZ.
EC2 Hibernate:
Requires encrypted EBS Root Volume.
Root EBS Volume:
Deleted by default with the instance termination (Delete on Termination enabled by default).
AMI:
Region-specific, can copy to other regions.
EBS Multi-Attach:
Attach the same EBS volume to multiple EC2 instances in the same AZ with full read/write permissions.
EBS Volume Types for Boot Volumes: gp2, gp3, io1, io2, Magnetic.
Application Load Balancer (ALB):
Supports HTTP, HTTPS, WebSocket.
Can route traffic based on URL Path, Hostname, Headers, Query String.
Adds the X-Forwarded-For header to get the client's IP address.
Network Load Balancer (NLB):
Highest performance, static IP per AZ, supports Elastic IP.
HTTP, TCP, HTTPS health checks.
Cross-Zone Load Balancing:
Even distribution across all registered instances in all AZs.
SNI (Server Name Indication):
Allows multiple SSL certificates per listener (ALB/NLB).
Scaling:
Standard, Target, Scheduled, Predictive scaling options.
Health Checks:
ALB detects unhealthy instances, ASG replaces them.
Capacity:
ASG cannot go below min capacity or above max capacity during scaling events.
RDS Multi-AZ vs Read Replica:
Multi-AZ: Synchronous replication for high availability.
Read Replica: Asynchronous replication for scaling read-heavy workloads.
RDS:
Supports up to 15 Read Replicas.
Cannot create encrypted Read Replicas from unencrypted instances.
ElastiCache (Redis vs Memcached):
Redis: High availability, persistence, backups, IAM support.
Memcached: Pure cache for high performance, no persistence, no IAM.
Backup and Restore:
Automated backups are retained up to 35 days; use on-demand (manual) snapshots for long-term storage.
S3 Glacier Retrieval Modes:
Deep Archive: Retrieval within 12 hours.
Flexible Retrieval: Standard (3–5 hours), Bulk (5–12 hours), Expedited (1–5 minutes).
Multi-Part Upload:
Recommended for files over 100 MB.
S3 Pre-Signed URLs:
Time-limited access to objects.
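"Time-limited" is the whole security property of a pre-signed URL, so it helps to see where the limit lives. The block below is an added example (not from these notes and not AWS SDK code): it builds an S3 pre-signed GET URL with SigV4 query-string signing using only the standard library, and then checks a URL the way the receiving side does, expiry first, then a recomputed signature. The bucket, key, access key id and secret are constructed placeholders; nothing is sent to AWS.

```python
"""Added example, not from the original notes: SigV4 query-string pre-signing
for an S3 GET, plus the expiry-then-signature check a verifier performs.
Standard library only; all credentials and object names are placeholders."""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, quote, unquote, urlparse

SERVICE = "s3"
ALGO = "AWS4-HMAC-SHA256"
MAX_EXPIRES = 7 * 24 * 3600  # SigV4 pre-signed URLs can be valid for at most 7 days


def _q(s):
    # SigV4 wants RFC 3986 encoding: only unreserved characters stay literal.
    return quote(s, safe="-_.~")


def _signing_key(secret, date, region):
    # kSigning = HMAC(HMAC(HMAC(HMAC("AWS4"+secret, date), region), "s3"), "aws4_request")
    k = ("AWS4" + secret).encode()
    for part in (date, region, SERVICE, "aws4_request"):
        k = hmac.new(k, part.encode(), hashlib.sha256).digest()
    return k


def _signature(bucket, key, region, akid, secret, amz_date, expires):
    date = amz_date[:8]
    scope = f"{date}/{region}/{SERVICE}/aws4_request"
    host = f"{bucket}.s3.{region}.amazonaws.com"
    params = {
        "X-Amz-Algorithm": ALGO,
        "X-Amz-Credential": f"{akid}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    canonical_qs = "&".join(f"{_q(k)}={_q(v)}" for k, v in sorted(params.items()))
    canonical_request = "\n".join([
        "GET",
        "/" + quote(key, safe="/-_.~"),  # canonical URI; '/' between segments is kept
        canonical_qs,
        f"host:{host}\n",                # canonical headers, followed by a blank line
        "host",                          # signed headers
        "UNSIGNED-PAYLOAD",              # pre-signed URLs never hash the body
    ])
    string_to_sign = "\n".join([
        ALGO, amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    sig = hmac.new(_signing_key(secret, date, region),
                   string_to_sign.encode(), hashlib.sha256).hexdigest()
    return host, canonical_qs, sig


def presign_get(bucket, key, region, akid, secret, signed_at, expires=3600):
    """Return a time-limited GET URL for one object. signed_at must be UTC."""
    amz_date = signed_at.strftime("%Y%m%dT%H%M%SZ")
    host, qs, sig = _signature(bucket, key, region, akid, secret, amz_date, expires)
    return f"https://{host}/{quote(key, safe='/-_.~')}?{qs}&X-Amz-Signature={sig}"


def check_presigned(url, secret, now):
    """Receiving side: returns (ok, reason). Expiry is rejected before any
    crypto runs, and the signature is recomputed from the URL itself, so an
    edit to the key, bucket, date or expiry field invalidates it."""
    u = urlparse(url)
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    bucket, _, rest = u.netloc.partition(".s3.")
    region = rest.split(".")[0]
    key = unquote(u.path.lstrip("/"))
    akid, cred_date = q["X-Amz-Credential"].split("/")[:2]
    amz_date, expires = q["X-Amz-Date"], int(q["X-Amz-Expires"])
    if cred_date != amz_date[:8] or not 1 <= expires <= MAX_EXPIRES:
        return False, "malformed"
    signed_at = datetime.strptime(amz_date, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    if now > signed_at + timedelta(seconds=expires):
        return False, "expired"
    _, _, expected = _signature(bucket, key, region, akid, secret, amz_date, expires)
    if not hmac.compare_digest(expected, q.get("X-Amz-Signature", "")):
        return False, "bad signature"
    return True, "ok"


def demo():
    """Sign one URL at a fixed instant and probe it; returns the verdicts."""
    t0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    url = presign_get("example-bucket", "reports/q1.pdf", "us-east-1",
                      "AKIAEXAMPLEKEY", "example-secret", t0, expires=600)
    return {
        "url": url,
        "in_window": check_presigned(url, "example-secret", t0 + timedelta(seconds=599)),
        "after_window": check_presigned(url, "example-secret", t0 + timedelta(seconds=601)),
        "wrong_secret": check_presigned(url, "wrong-secret", t0),
        "tampered_key": check_presigned(url.replace("q1.pdf", "q2.pdf"), "example-secret", t0),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two points the code makes visible: the lifetime is bound into the signed string (X-Amz-Date plus X-Amz-Expires), so the holder cannot extend it without the secret, and the URL grants exactly the one signed method and key, so "tampered_key" fails even though the secret never changed.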
MFA Delete:
Adds MFA requirement for object deletions.
S3 Retention Policies:
Governance Mode: Some users can override retention.
Compliance Mode: No deletions or changes possible.
Legal Hold: Indefinite protection.
SQS FIFO:
Ensures strict message ordering and exactly-once processing.
SNS Fan-Out Pattern:
Send one message to SNS, fan out to multiple SQS queues (fully decoupled).
SQS Visibility Timeout:
Prevents other consumers from receiving the same message within the timeout window (default: 30 sec, max: 12 hours).
Kinesis Data Streams (KDS):
Partitions data using a partition key.
Supports real-time data streaming from multiple sources.
Kinesis Data Firehose:
Supports transformations with Lambda.
Can stream data into S3, Redshift, and Elasticsearch.
Lambda:
Max execution time: 15 minutes.
DynamoDB Accelerator (DAX): Caches frequently accessed data, reduces read latency.
DynamoDB Streams: Time-ordered modifications to items, integrated with Lambda for triggers.
API Gateway:
Edge-Optimized: Routes requests through CloudFront for globally distributed clients.
Lambda@Edge: Runs code closer to users to reduce latency.
DynamoDB Limits:
Max item size: 400 KB.
RCU (Read Capacity Unit) and WCU (Write Capacity Unit) are decoupled.
Amazon Redshift:
Columnar data warehouse for big data analytics.
EMR (Elastic MapReduce):
Hadoop clusters for large-scale data processing.
Quicksight:
Machine-learning-powered BI service for dashboards and insights.
SageMaker:
Develop, train, and deploy machine learning models.
Kinesis Data Analytics:
Real-time processing using SQL on data from Kinesis Streams and Firehose.
MSK (Managed Streaming for Kafka):
Fully managed Apache Kafka alternative to Kinesis for event streaming.
KMS (Key Management Service):
Supports automatic key rotation once a year.
KMS Key Policies control access to customer master keys (CMKs).
SSM Parameter Store:
Stores configuration data and secrets, supports versioning.
AWS Shield (Standard & Advanced):
Protects against DDoS attacks (Standard: Free, Advanced: $3k/month).
GuardDuty:
Intelligent threat detection (API activity, DNS logs, VPC flow logs).
Macie:
ML-based discovery of sensitive data in S3 (PII detection, unencrypted/public bucket detection).
Direct Connect vs VPN:
Direct Connect: Dedicated, low-latency connection.
VPN: Internet-based, latency and bandwidth fluctuate.
VPC Peering:
VPC-to-VPC connection, not transitive, not for on-prem connections.
VPC Endpoints:
Gateway Endpoint: For S3 and DynamoDB.
Interface Endpoint: Powered by PrivateLink, for other services.
VPC Traffic Mirroring:
Mirrors VPC traffic to security appliances for inspection.
Security Groups vs NACLs:
Security Groups: Stateful (remember connections), so return traffic is allowed automatically.
NACLs: Stateless (no connection memory), so each packet, including return traffic, is evaluated against the rules independently.
AWS Global Accelerator vs CloudFront:
Global Accelerator: Low-latency, real-time applications.
CloudFront: Static/dynamic content delivery with caching.
CloudWatch Contributor Insights:
Analyzes log data and provides metrics on top-N contributors.
Lambda Resource-Based Policy:
Controls access for external services (like EventBridge).
PrivateLink:
Securely access services within VPC without public IP.
Backup and Restore:
Simple strategy, backup data regularly, restore after a disaster.
Higher recovery time objective (RTO) and recovery point objective (RPO).
Pilot Light:
Critical services are always running (minimal version).
Rapidly scale up additional resources during a disaster.
Warm Standby:
A scaled-down version of your production environment is always running.
Shorter RTO and RPO than Pilot Light but still requires scaling resources.
Multi-Site (Hot Standby):
Fully redundant, full-scale production environments running in multiple regions.
Shortest RTO and RPO, but the most expensive.
Chaos Monkey:
Simulates random failures (e.g., shutting down random EC2 instances).
Helps test the resilience and self-healing capabilities of your architecture.
Simian Army:
A suite of tools (by Netflix) for chaos engineering, inducing failures, ensuring systems can automatically recover.