AWS Solutions Architect Certification Prep

Kinesis Data Analytics can use standard SQL queries to process Kinesis data streams and can ingest data from Kinesis Data Streams and Kinesis Firehose. Kinesis Firehose can be used for running SQL queries. (Udemy)

DynamoDB has two pricing models: on-demand (unpredictable traffic) and provisioned (predictable traffic).

With API Gateway, you can maintain multiple versions and multiple stages of each version of an API.

Access Policy vs. ACL

IAM Policy vs. Password Policy

You cannot assign deny rules to a security group.

ALB only features:
- Path Based Routing
- Host Based Routing
- HTTP Method Based Routing
- HTTP Header Based Routing
- Query String Parameter Based Routing
- Source IP Address-CIDR Based Routing
- Native HTTP/2

NLB only features:
- Static IP
- Elastic IP
- Source IP Preservation (in some places it says that ALB and GLB also support this)

CLB only features:
- Custom security policies

SNI , secure listener

  • Amazon Cognito lets you add user sign-up, sign-in, and access control to your web and mobile apps quickly and easily. It is not used for testing
Each instance has a default network interface (eth0) that is assigned the primary private IPv4 address. You can also specify additional private IPv4 addresses, known as secondary private IPv4 addresses. Unlike primary private IP addresses, secondary private IP addresses can be reassigned from one instance to another.

  • KMS uses customer master keys (CMKs), not customer provided keys
  • SSE-KMS requires that AWS manage the data key but you manage the master key in AWS KMS
  • Auditable master keys can be created, rotated, and disabled from the IAM console (Udemy)
  • A custom CMK key must be used for encryption if you want to share the snapshot
  • You must share the CMK key as well as the snapshot with the other AWS account
  • Snapshots of encrypted volumes are encrypted automatically
  • To share an encrypted snapshot you must encrypt it in the source account with a custom CMK key and then share the key with the target account
  • You do not need to store the CMK key in CloudHSM (Udemy) 
ELB does not support client certificate authentication (Digital Cloud)

Route 53 can be used for region load balancing with ELB instances configured in each region (Digital Cloud)



  • S3 can be used to host static websites and you can use a custom domain name with S3 using a Route 53 Alias record. When using a custom domain name the bucket name must be the same as the domain name
  • The Alias record is a Route 53 specific record type. Alias records are used to map resource record sets in your hosted zone to Amazon Elastic Load Balancing load balancers, Amazon CloudFront distributions, AWS Elastic Beanstalk environments, or Amazon S3 buckets that are configured as websites
  • You cannot use any bucket when you want to use a custom domain name. As mentioned above you must have a bucket name that matches the domain name
  • You must use an Alias record when configuring an S3 bucket as a static website - you cannot use SRV or CNAME records (Udemy)

  • For instances launched in EC2-Classic, the private IPv4 address is released when the instance is stopped or terminated
  • For instances launched in a VPC, a private IPv4 address remains associated with the network interface when the instance is stopped and restarted
  • By default an instance only has a single private IP address
  • Secondary private IP addresses can be reassigned from one instance to another (the primary IPs cannot)
  • A private IPv4 address is not reachable over the Internet (Udemy)

Placement Groups:

Cluster: instances packed as close as possible to enable low network latency and tightly coupled node-to-node communication.
Partition: places instances in different logical partitions on different underlying hardware. Hadoop, Cassandra, Kafka clusters.
Spread: places a small group of instances across distinct underlying hardware to reduce correlated failures.

  • DynamoDB Read Replicas do not exist
ALB supports load balancer generated cookies only. All the ELBs support SSL Offloading.

The Amazon ECS "Fargate" launch type allows you to run your containerized applications without the need to provision and manage the backend infrastructure. Just register your task definition and Fargate launches the container for you.

The EC2 launch type allows you to run your containerized applications on a cluster of Amazon EC2 instances that you manage.


  • With NACLs you can have permit and deny rules. 
  • For NACLs, not all rules are evaluated before a decision is made (security groups do that); rules are evaluated in order until a permit or deny is matched
System Status Check (StatusCheckFailed_System) detects problems where AWS needs to get involved, while Instance Status Check (StatusCheckFailed_Instance) detects problems where you need to get involved.

Fargate only supports container images hosted on Elastic Container Registry (ECR) or Docker Hub.  Private repositories are only supported by the EC2 Launch Type.


  • Amazon DynamoDB Accelerator (DAX) is a fully managed, highly available, in-memory cache for DynamoDB that delivers up to a 10x performance improvement – from milliseconds to microseconds – even at millions of requests per second. You can enable DAX for a DynamoDB database with a few clicks.
VPC Endpoint?


A VPC endpoint enables you to privately connect your VPC to supported AWS services and VPC endpoint services powered by PrivateLink without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Instances in your VPC do not require public IP addresses to communicate with resources in the service. Traffic between your VPC and the other service does not leave the Amazon network.
Endpoints are virtual devices. They are horizontally scaled, redundant, and highly available VPC components that allow communication between instances in your VPC and services without imposing availability risks or bandwidth constraints on your network traffic.

There are two types of VPC endpoints: interface endpoints and gateway endpoints (s3, DynamoDB). Create the type of VPC endpoint required by the supported service.

  • The cloudformation:TemplateURL lets you specify where the CloudFormation template for a stack action, such as create or update, resides and enforce that it be used.
You can specify whether Amazon EC2 should hibernate, stop, or terminate Spot Instances when they are interrupted. 


  • An egress-only Internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows outbound communication over IPv6 from instances in your VPC to the Internet, and prevents the Internet from initiating an IPv6 connection with your instances
  • A NAT Gateway is used for enabling Internet connectivity using the IPv4 protocol only.

  • Amazon MQ supports industry-standard APIs and protocols so you can migrate from your existing message broker without rewriting application code
  • Amazon SQS is a message queueing service and is not compatible with industry-standard message brokers. You would need to rewrite some application code to get the application working with SQS
  • Amazon Step Functions is used for coordinating multiple AWS services into serverless workflows, it is not a message broker
However, you cannot add multiple IAM roles to a single EC2 instance.

You can deploy AWS WAF on either Amazon CloudFront as part of your CDN solution, the Application Load Balancer (ALB) that fronts your web servers or origin servers running on EC2, or Amazon API Gateway for your APIs. AWS WAF is pay as you go, no upfront commitments. 


  • If connection draining is enabled, Auto Scaling waits for in-flight requests to complete or timeout before terminating instances. Auto Scaling will terminate the existing instance before launching a replacement instance
  • Auto Scaling does not send a notification to the administrator
  • Unlike AZ rebalancing, termination of unhealthy instances happens first, then Auto Scaling attempts to launch new instances to replace terminated instances
  • An Interface endpoint uses AWS PrivateLink and is an elastic network interface (ENI) with a private IP address that serves as an entry point for traffic destined to a supported service
  • Using PrivateLink you can connect your VPC to supported AWS services, services hosted by other AWS accounts (VPC endpoint services), and supported AWS Marketplace partner services

Typically, the nodes of an Internet-facing load balancer have public IP addresses and must therefore be in a public subnet. To keep your back-end instances secure you can place them in a private subnet. To do this you must associate a corresponding public and private subnet for each availability zone the ELB/instances are in


  • You cannot configure an Internet gateway to allow inbound  traffic from specific IPs. Internet gateways are used for outbound Internet access from public subnets.
  • The Amazon Elastic File System (EFS) is not an ideal storage solution for a database.
Cost for different EBS types?

gp2 > io1 >  st1 >  sc1

EBS Snapshot on S3 (5c/GB/month)

You can store JSON files up to 400KB in size in a DynamoDB table, for anything bigger you'd want to store a pointer to an object outside of the table.

Redis AUTH?


Using the Redis AUTH command can improve data security by requiring the user to enter a password before they are granted permission to execute Redis commands on a password-protected Redis server.

To enable Redis AUTH, you must create the Redis cluster/replication group with the --auth-token parameter (AuthToken in the API), specifying the correct password, and then use the same password with the other cluster/replication group commands.


  • CloudHSM can be used to encrypt data but as a dedicated service it is charged on an hourly basis and is less cost-efficient compared to S3 encryption or encrypting the data at the source.
  • Both a NAT gateway and an Internet gateway offer redundancy however the NAT gateway is limited to 45 Gbps whereas the IGW does not impose any limits
  • A VPC endpoint is used to access public services from a VPC without traversing the Internet
  • You map the groups in AD to IAM Roles, not IAM users or groups.

  • AD Connector is a directory gateway for redirecting directory requests to your on-premise Active Directory. AD Connector eliminates the need for directory synchronization and the cost and complexity of hosting a federation infrastructure and connects your existing on-premise AD to AWS. It is the best choice when you want to use an existing Active Directory with AWS services.
  • AWS Directory Service Simple AD is an inexpensive Active Directory-compatible service with common directory features. It is a fully cloud-based solution and does not integrate with an on-premises Active Directory service
  • Uploading using a pre-signed URL allows you to upload the object without having any AWS security credentials/permissions. Pre-signed URLs can be generated programmatically and anyone who receives a valid pre-signed URL can then programmatically upload an object. This solution bypasses the web server avoiding any performance bottlenecks.
Presigned URL?

Amazon S3 provides a way to temporarily grant access to an object inside a bucket without requiring credentials from the user. You can generate a presigned URL and hand it out. The URL is signed with your credentials, so whoever uses it has the same access to that object as you do until it expires. You can also generate these URLs easily via the AWS CLI.
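The signing behind such a URL, as an added example (pure Python, not boto3 or AWS code): it builds a SigV4 presigned GET URL and then verifies one the way S3 would, showing why the URL carries your access key ID and expiry but can only be produced with your secret. The access key, secret, bucket, object key and timestamp are constructed placeholders.

```python
"""S3 presigned GET URL via SigV4 query-string auth, plus a verifier (added
example, not AWS/boto3 code; credentials, bucket, key and time are constructed)."""
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import parse_qsl, quote, unquote, urlsplit

ALGORITHM = "AWS4-HMAC-SHA256"
ACCESS_KEY = "AKIAEXAMPLEKEYID0000"          # constructed, not a real key ID
SECRET_KEY = "example-secret-not-a-real-key"  # constructed; never appears in the URL
FIXED_TIME = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)  # constructed


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _signing_key(secret: str, date: str, region: str) -> bytes:
    # Per-day, per-region, per-service derived key; the raw secret is never sent.
    k = _hmac(("AWS4" + secret).encode(), date)
    for scope in (region, "s3", "aws4_request"):
        k = _hmac(k, scope)
    return k


def _signature(secret, bucket, key, params, region):
    """Signature over method, path, query params and host (UNSIGNED-PAYLOAD)."""
    host = f"{bucket}.s3.{region}.amazonaws.com"
    query = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                     for k, v in sorted(params.items()))
    canonical = "\n".join(["GET", "/" + quote(key, safe="-_.~/"), query,
                           f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    amz_date = params["X-Amz-Date"]
    to_sign = "\n".join([ALGORITHM, amz_date, f"{amz_date[:8]}/{region}/s3/aws4_request",
                         hashlib.sha256(canonical.encode()).hexdigest()])
    sig = hmac.new(_signing_key(secret, amz_date[:8], region), to_sign.encode(),
                   hashlib.sha256).hexdigest()
    return sig, host, query


def presign_get(access_key, secret, bucket, key, region, expires, now=None):
    """Return a GET URL usable without credentials for `expires` seconds."""
    now = now or datetime.now(timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    params = {
        "X-Amz-Algorithm": ALGORITHM,
        "X-Amz-Credential": f"{access_key}/{amz_date[:8]}/{region}/s3/aws4_request",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),  # the service rejects values above 7 days
        "X-Amz-SignedHeaders": "host",
    }
    sig, host, query = _signature(secret, bucket, key, params, region)
    return f"https://{host}/{quote(key, safe='-_.~/')}?{query}&X-Amz-Signature={sig}"


def verify_presigned_get(url, secret):
    """What S3 does on receipt: recompute the signature from the URL itself."""
    # Any edit to key, expiry or date, or a wrong secret, makes this False.
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query))
    presented = params.pop("X-Amz-Signature", "")
    bucket, _, rest = parts.netloc.partition(".s3.")
    expected, _, _ = _signature(secret, bucket, unquote(parts.path[1:]), params,
                                rest.split(".")[0])
    return hmac.compare_digest(expected, presented)


def demo():
    """Sign a constructed object for one hour at a fixed time (deterministic)."""
    return presign_get(ACCESS_KEY, SECRET_KEY, "example-reports-bucket",
                       "q1/report.pdf", "us-east-1", 3600, FIXED_TIME)
```

Note that the URL reveals the access key ID and scope in X-Amz-Credential, so a leaked URL identifies whose permissions it carries until X-Amz-Expires elapses.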


  • You cannot configure DynamoDB as a destination in Amazon Kinesis Firehose. The options are S3, RedShift, Elasticsearch and Splunk (?)
  • When you have enabled extended data retention you can store data up to 7 days in Amazon Kinesis Data Streams - you cannot store it for 1 year (?)
  • The possible values for EBS status checks are ok, impaired, warning, or insufficient-data. If all checks pass, the overall status of the volume is ok. If the check fails, the overall status is impaired. If the status is insufficient-data, then the checks may still be taking place on your volume at the time
  • Amazon EC2 instance store storage is not persistent so the data would be lost when the system is powered off each night (?)
  • CloudTrail is used for monitoring API activity on your account, not for monitoring application logs (?)
  • You can use CloudWatch Logs to monitor applications and systems using log data. For example, CloudWatch Logs can track the number of errors that occur in your application logs and send you a notification whenever the rate of errors exceeds a threshold you specify. This is the best tool for this requirement
AWS OpsWorks is a configuration management service that provides managed instances of Chef and Puppet. OpsWorks lets you use Chef and Puppet to automate how servers are configured, deployed, and managed across your Amazon EC2 instances or on-premises compute environments.


  • AWS currently supports enhanced networking capabilities using SR-IOV which provides direct access to network adapters, provides higher performance (packets-per-second) and lower latency. You must launch an HVM AMI with the appropriate drivers and it is only available for certain instance types and only supported in VPC... can you launch an instance outside a VPC?
  • I/O optimized instances and provisioned IOPS EBS volumes are more geared towards storage performance than network performance
For low latency and high network throughput, you should use a cluster placement group with instances that support enhanced VPC routing.


  • The proxy protocol only applies to L4 and the back-end listener must be TCP for proxy protocol
  • When using the proxy protocol the front-end listener can be either TCP or SSL
  • The X-forwarded-for header only applies to L7
  • Proxy protocol for TCP/SSL carries the source (client) IP/port information. The Proxy Protocol header helps you identify the IP address of a client when you have a load balancer that uses TCP for back-end connection

The EBS Data Lifecycle Manager (DLM) is a new feature that can automate all of these actions (creation, retention and deletion of snapshots) for you, and this can be performed centrally from within the management console.

All three types of ELBs support cross zone load-balancing.

  • You are limited to running up to a total of 20 On-Demand instances across the instance family, purchasing 20 Reserved Instances, and requesting Spot Instances per your dynamic spot limit per region (by default)
  • You are limited to an aggregate of 300 TiB of aggregate PIOPS volumes per region and 300,000 aggregate PIOPS
  • ENIs can be “hot attached” to running instances
  • ENIs can be “warm-attached” when the instance is stopped
  • ENIs can be “cold-attached” when the instance is launched
Default interfaces (ENIs) are terminated with instance termination. Manually added interfaces are not terminated by default.

If a DynamoDB table reaches its provisioned capacity, any request beyond that capacity results in a Bad Request (400) with an appropriate message (ProvisionedThroughputExceededException).

CloudFormation templates use logical IDs for resources. These IDs are unique within the template and are used to identify the resources within it.

API Gateway returns 429 (Too Many Requests) if requests exceed the configured limit.

AWS SCT (Schema Conversion Tool), AWS DMS (Database Migration Service), AWS Step Functions, CodeCommit, CodeStar

ASG vs ELB... how does it work?


  • Lambda tracks the number of requests, the latency per request, and the number of requests resulting in an error
  • You can view the request rates and error rates using the AWS Lambda Console, the CloudWatch console, and other AWS resources.
  • Multipart upload can be used to speed up uploads to S3. Multipart upload uploads objects in parts independently, in parallel and in any order. It is performed using the S3 Multipart upload API and is recommended for objects of 100MB or larger. It can be used for objects from 5MB up to 5TB and must be used for objects larger than 5GB
  • To enable your Lambda function to access resources inside your private VPC, you must provide additional VPC-specific configuration information that includes VPC subnet IDs and security group IDs. AWS Lambda uses this information to set up elastic network interfaces (ENIs) that enable your function
  • By default Auto Scaling uses EC2 status checks
  • Unlike AZ rebalancing, termination of unhealthy instances happens first, then Auto Scaling attempts to launch new instances to replace terminated instances
  • Auto Scaling does not wait for the health check grace period or verify with ELB before taking any action.
  • For RTMP CloudFront distributions files must be stored in an S3 bucket
  • You can take a snapshot of an EBS volume while the instance is running and it does not cause any outage of the volume so it can continue to be used as normal. However, the advice is that to take consistent snapshots writes to the volume should be stopped. For non-root EBS volumes this can entail taking the volume offline (detaching the volume with the instance still running), and for root EBS volumes it entails shutting down the instance
  • Even though snapshots are saved incrementally, the snapshot deletion process is designed so that you need to retain only the most recent snapshot in order to restore the volume
  • You cannot enable multi-region HA with ElastiCache
  • A launch configuration is the template used to create new EC2 instances and includes parameters such as instance family, instance type, AMI, key pair and security groups
  • You cannot edit a launch configuration once defined.
  • All EBS types support encryption and all instance families now support encryption
  • Not all instance types support encryption
  • Data in transit between an instance and an encrypted volume is also encrypted (data is encrypted in trans
  • You can have encrypted and unencrypted EBS volumes attached to an instance at the same time
  • Snapshots of encrypted volumes are encrypted automatically
  • EBS volumes restored from encrypted snapshots are encrypted automatically
  • EBS volumes created from encrypted snapshots are also encrypted
  • Trusted Advisor is an online resource to help you reduce cost, increase performance, and improve security by optimizing your AWS environment. Trusted Advisor provides real time guidance to help you provision your resources following AWS best practices. AWS Trusted Advisor offers a Service Limits check (in the Performance category) that displays your usage and limits for some aspects of some services
Dedicated Instance (the hardware on which the instance runs is dedicated to one customer/account) vs Dedicated Host (the entire server is dedicated to one customer/account)

SNS supports notifications over multiple transport protocols:
  • HTTP/HTTPS – subscribers specify a URL as part of the subscription registration
  • Email/Email-JSON – messages are sent to registered addresses as email (text-based or JSON-object)
  • SQS – users can specify an SQS standard queue as the endpoint
  • SMS – messages are sent to registered phone numbers as SMS text messages

  • When an EBS volume is encrypted with a custom key you must share the custom key with the PROD account. You also need to modify the permissions on the snapshot to share it with the PROD account. The PROD account must copy the snapshot before they can then create volumes from the snapshot
  • You cannot share encrypted volumes created using a default CMK key and you cannot change the CMK key that is used to encrypt a volume
VPN, Public Private Subnets, Internet Gateway, NAT Gateway, .....


  • If you have an Auto Scaling group and need to change which type of monitoring is enabled for your Auto Scaling instances, you must create a new launch configuration and update the Auto Scaling group to use this launch configuration. After that, the instances that the Auto Scaling group launches will use the updated monitoring type
  • If you have CloudWatch alarms associated with your Auto Scaling group, use the put-metric-alarm command to update each alarm so that its period matches the monitoring type (300 seconds for basic monitoring and 60 seconds for detailed monitoring). If you change from detailed monitoring to basic monitoring but do not update your alarms to match the five-minute period, they continue to check for statistics every minute and might find no data available for as many as four out of every five periods
  • Restored DBs will always be a new RDS instance with a new DNS endpoint and you can restore up to the last 5 minutes. You cannot restore from a DB snapshot to an existing DB – a new instance is created when you restore. Only default DB parameters and security groups are restored – you must manually associate all other DB parameters and SGs
  • RDS fully supports the InnoDB storage engine for MySQL DB instances. RDS features such as Point-In-Time restore and snapshot restore require a recoverable storage engine and are supported for the InnoDB storage engine only
  • Automated backups and snapshots are not supported for MyISAM.
  • EBS optimized instances provide dedicated capacity for Amazon EBS I/O. EBS optimized instances are designed for use with all EBS volume types
  • Provisioned IOPS EBS volumes allow you to specify the amount of IOPS you require up to 50 IOPS per GB. Within this limitation you can therefore choose to select the IOPS required to improve the performance of your volume
  • Field-level encryption adds an additional layer of security on top of HTTPS that lets you protect specific data so that it is only visible to specific applications.
  • You can control who can administer your file system using IAM. You can control access to files and directories with POSIX-compliant user and group-level permissions. POSIX permissions allows you to restrict access from hosts by user and group. EFS Security Groups act as a firewall, and the rules you add define the traffic flow.
  • A VPC automatically comes with a default network ACL which allows all inbound/outbound traffic
  • A custom NACL denies all traffic both inbound and outbound by default
  • The visibility timeout is the amount of time a message is invisible in the queue after a reader picks up the message. If a job is processed within the visibility timeout the message will be deleted. If a job is not processed within the visibility timeout the message will become visible again (could be delivered twice). The maximum visibility timeout for an Amazon SQS message is 12 hours.
  • Glacier is designed for durability of 99.999999999% of objects across multiple Availability Zones. Data is resilient in the event of one entire Availability Zone destruction. Glacier supports SSL for data in transit and encryption of data at rest. Glacier is extremely low cost and is ideal for long-term archival. Data is not resilient to the failure of an entire region. Data is not replicated globally.
  • Application Load Balancer can distribute traffic to AWS and on-premise resources using IP addresses but cannot be used to distribute traffic in a weighted manner.
  • When you launch an instance into a default VPC, we provide the instance with public and private DNS hostnames that correspond to the public IPv4 and private IPv4 addresses for the instance
  • When you launch an instance into a nondefault VPC, we provide the instance with a private DNS hostname and we might provide a public DNS hostname, depending on the DNS attributes you specify for the VPC and if your instance has a public IPv4 address.
  • Access Logs can be enabled on ALB and configured to store data in an S3 bucket. Amazon EMR is a web service that enables businesses, researchers, data analysts, and developers to easily and cost-effectively process vast amounts of data. EMR utilizes a hosted Hadoop framework running on Amazon EC2 and Amazon S3
  • Each subnet must reside exclusively within one Availability Zone and cannot span zones.
  • Amazon does not have access to your keys or credentials and therefore has no way to recover your keys if you lose your credentials.
  • All EBS types and all instance families support encryption
  • Not all instance types support encryption
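To make the NACL notes concrete (the permit/deny and evaluation-order points above, and the default versus custom NACL defaults here): an added illustration, not AWS code, of first-match evaluation with a security group for contrast. The rule tables and addresses are constructed for the example.

```python
"""First-match evaluation of a network ACL, with a security group for contrast.

Added illustration, not AWS code; the rule tables below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    number: int      # NACL rules are evaluated in ascending rule-number order
    protocol: str    # "tcp", "udp", "icmp" or "all" (shown as -1 in the console)
    cidr: str
    port_from: int
    port_to: int
    action: str      # "allow" or "deny" (security groups can only "allow")

    def matches(self, protocol: str, addr: str, port: int) -> bool:
        if self.protocol not in ("all", protocol):
            return False
        if ip_address(addr) not in ip_network(self.cidr):
            return False
        return self.port_from <= port <= self.port_to


def evaluate_nacl(rules, protocol, addr, port):
    """Action of the lowest-numbered matching rule; later rules are never consulted.

    AWS appends an unnumbered '*' rule that denies whatever nothing else matched,
    so a custom NACL with no rules denies everything in both directions."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(protocol, addr, port):
            return rule.action
    return "deny"  # the implicit '*' rule


def evaluate_security_group(rules, protocol, addr, port):
    """All rules are considered and any match allows; order is irrelevant."""
    return "allow" if any(r.matches(protocol, addr, port) for r in rules) else "deny"


# Default NACL of a VPC: rule 100 allows all traffic.
DEFAULT_NACL = [Rule(100, "all", "0.0.0.0/0", 0, 65535, "allow")]

# Constructed custom NACL: block one host first, then allow HTTPS from anywhere.
CUSTOM_NACL = [
    Rule(90, "tcp", "198.51.100.7/32", 0, 65535, "deny"),
    Rule(100, "tcp", "0.0.0.0/0", 443, 443, "allow"),
]

# Same rules with the numbers swapped: the broad allow now wins and the deny is dead.
MISORDERED_NACL = [
    Rule(200, "tcp", "198.51.100.7/32", 0, 65535, "deny"),
    Rule(100, "tcp", "0.0.0.0/0", 443, 443, "allow"),
]

# The allow as a security group rule; the deny cannot be expressed at all.
SG_RULES = [Rule(0, "tcp", "0.0.0.0/0", 443, 443, "allow")]


if __name__ == "__main__":
    print(evaluate_nacl(DEFAULT_NACL, "tcp", "203.0.113.5", 22))          # allow
    print(evaluate_nacl([], "tcp", "203.0.113.5", 443))                   # deny
    print(evaluate_nacl(CUSTOM_NACL, "tcp", "198.51.100.7", 443))         # deny
    print(evaluate_nacl(MISORDERED_NACL, "tcp", "198.51.100.7", 443))     # allow
    print(evaluate_security_group(SG_RULES, "tcp", "198.51.100.7", 443))  # allow
```

The MISORDERED_NACL case is the one to check for in a review: a deny placed after a broader allow never fires, which is exactly what security groups avoid by not having deny rules at all.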
VPCs are associated to a single region. You cannot span a VPC across regions, nor can you peer with a VPC in another region.

  • You don't lose data from the instance store if you just reboot or restart the machine, because the instance is still active. You only lose the instance store when you stop or terminate the instance.
Redshift provides the ability to create a cross-region snapshot. You can leverage it for creating the DR cluster in a different region.

In CloudWatch, for the one-minute data point, the retention is 15 days.
Memory is not part of CloudWatch instance metrics; therefore, you need to create a custom metric to monitor it.
Amazon CloudFront can be integrated with WAF, which can protect against a DDoS attack.
You cannot copy the snapshots of an encrypted database to another AWS region. KMS is a regional service, so you currently cannot copy things encrypted with KMS to another region.

