AWS Cert Notes

My AWS cert notes.

This project is maintained by jangroth


DevOps Engineer Professional

10/2019 - 6/2020


Exam Objectives

Content

Domain 1: SDLC Automation

Domain 2: Configuration Management and Infrastructure as Code

Domain 3: Monitoring and Logging

Domain 4: Policies and Standards Automation

Domain 5: Incident and Event Response

Domain 6: High Availability, Fault Tolerance, and Disaster Recovery


Concepts

Deployment Strategies

Overview

General Strategies

Strategy | Deploy time | Downtime | Testing | Deployment costs | Impact of failed deployment | Rollback process
Single Target Deployment | 🕑 | complete | deploy limited | no extra costs | downtime | redeploy
All At Once | 🕑 | complete | deploy limited | no extra costs | downtime | redeploy
Minimum In Service | 🕑🕑 | none | can test new version while old is still active | no extra costs | no downtime | redeploy
Rolling | 🕑🕑🕑 | usually none | can test new version while old is still active | no extra costs | no downtime | redeploy
Rolling With Extra Batches | 🕑🕑🕑 | usually none | can test new version while old is still active | little extra costs | no downtime | redeploy
Blue/Green | 🕑🕑🕑🕑 | none | can test prior to cutover | extra costs for new stack | no downtime | revert cutover

Strategies per AWS service

Strategy | Auto Scaling Group | CodeDeploy EC2/On-Premises | CodeDeploy ECS | CodeDeploy Lambda | Elastic Beanstalk | OpsWorks
Single Target Deployment | . | . | . | . | redeploy | .
All At Once | AutoScalingReplacingUpdate | All-at-once | . | . | all at once | .
Minimum In Service | . | . | . | . | rolling | .
Rolling | AutoScalingRollingUpdate | One-at-a-time | . | . | rolling | .
Rolling With Extra Batches | . | . | . | . | rolling with extra batches | .
Blue/Green | . | Traffic is shifted to a replacement set of instances: All-at-once, Half-at-a-time or One-at-a-time | Traffic is shifted to a replacement task set: Canary, Linear or All-at-once | Traffic is shifted to a new Lambda version: Canary, Linear or All-at-once | Immutable comes close; or: create new environment and use DNS | Create new environment and use DNS
Canary | . | . | See above (Canary) | See above (Canary) | Traffic Splitting | .

Single target deployment

System | Deploy
v1 | Initial State
v1-2 | Deployment Stage
v2 | Final State

pros | cons
Simple & very few moving parts | Downtime
Deployment is faster than other methods | Limited testing

All-at-once deployment

System | Deploy | Comment
v1 v1 v1 v1 v1 | Initial State | .
v1-2 v1-2 v1-2 v1-2 v1-2 | Deployment Stage | .
v2 v2 v2 v2 v2 | Final State | .

pros | cons
Deployment is relatively fast | Downtime (like STD)
. | Limited testing (like STD)
. | Everything in flight - can't stop the deployment or roll back if targets fail
. | More complicated than STD, often requires orchestration

Minimum in-service style deployment

System | Deploy | Comment
v1 v1 v1 v1 v1 | Initial State | .
v1 v1 v1-2 v1-2 v1-2 | Deployment Stage 1 | Minimum targets required for operational state: 2
v1-2 v1-2 v2 v2 v2 | Deployment Stage 2 | .
v2 v2 v2 v2 v2 | Final State | .

pros | cons
No downtime | Many moving parts, requires orchestration
Deployment happens in (two) stages | .
Generally quicker & with fewer stages than rolling deployments | .

Rolling deployment

System | Deploy | Comment
v1 v1 v1 v1 v1 | Initial State | .
v1-2 v1-2 v1 v1 v1 | Deployment Stage 1 | Deploy first set of targets
v2 v2 v1-2 v1-2 v1 | Deployment Stage 2 | Only if health checks succeed: deploy next set of targets
v2 v2 v2 v2 v1-2 | Deployment Stage 3 | Only if health checks succeed: deploy next set of targets
v2 v2 v2 v2 v2 | Final State | .

pros | cons
No downtime (if the number of stage deployments is small enough) | Does not necessarily maintain overall application health
Can be paused to allow for multi-version testing | Many moving parts, requires orchestration
. | Can be the least efficient deployment method in terms of time taken

Rolling deployment with extra batches

System | Deploy | Comment
v1 v1 v1 v1 | Initial State | .
v1 v1 v1 v1 . . | Deployment Stage 1 | Deploy new batch of servers
v1 v1 v1 v1 v2 v2 | Deployment Stage 2 | Deploy new version to new servers
. . v1 v1 v2 v2 | Deployment Stage 3 | Undeploy first batch
v2 v2 v1 v1 v2 v2 | Deployment Stage 4 | Deploy new version to first batch
v2 v2 . . v2 v2 | Deployment Stage 5 | Undeploy second batch
v2 v2 v2 v2 | Deployment Stage 6 | Decommission servers from second batch

pros | cons
No downtime (if the number of stage deployments is small enough) | Does not necessarily maintain overall application health
Can be paused to allow for multi-version testing | Many moving parts, requires orchestration
. | Can be the least efficient deployment method in terms of time taken
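The stage tables for the minimum in-service, rolling and rolling-with-extra-batches strategies above, as a planner that also measures the serving capacity each strategy guarantees. This is an added example, not code from the notes; the stage notation, the health-check rule (a batch only proceeds after the previous one is back in service) and the requirement that the target count is a multiple of the batch size are this example's own assumptions.

```python
"""Stage planner for the deployment strategies in the tables above.

Added example, not from the notes: it reproduces the System/Deploy tables for
rolling, minimum in-service and rolling-with-extra-batches deployments and
measures the serving capacity each strategy guarantees while it runs. Notation
follows the tables: 'v1' old version, 'v2' new version, 'v1-2' target being
upgraded (not serving), '.' an empty server slot.
"""
from typing import List

OLD, UPGRADING, NEW, EMPTY = "v1", "v1-2", "v2", "."
Stage = List[str]


def in_service(stage: Stage) -> int:
    """Targets able to serve traffic: anything on a stable version."""
    return sum(1 for t in stage if t in (OLD, NEW))


def min_in_service(stages: List[Stage]) -> int:
    """Lowest serving capacity seen at any point of the deployment."""
    return min(in_service(s) for s in stages)


def rolling_plan(n_targets: int, batch: int, from_back: bool = False) -> List[Stage]:
    """Rolling deployment: upgrade `batch` targets per stage.

    A stage starts only after the previous batch passed its health checks, so
    the targets upgraded in stage k are back in service (on v2) in stage k+1.
    """
    if batch < 1 or n_targets < 1:
        raise ValueError("need at least one target and a positive batch size")
    order = list(range(n_targets))[::-1] if from_back else list(range(n_targets))
    state = [OLD] * n_targets
    stages = [list(state)]
    for start in range(0, n_targets, batch):
        state = [NEW if t == UPGRADING else t for t in state]  # previous batch healthy
        for i in order[start:start + batch]:
            state[i] = UPGRADING
        stages.append(list(state))
    stages.append([NEW if t == UPGRADING else t for t in state])
    return stages


def min_in_service_plan(n_targets: int, minimum: int) -> List[Stage]:
    """Minimum in-service: upgrade as many targets at once as the minimum allows."""
    if not 0 < minimum < n_targets:
        raise ValueError("minimum must be above zero and below the target count")
    return rolling_plan(n_targets, n_targets - minimum, from_back=True)


def rolling_extra_batch_plan(n_targets: int, batch: int) -> List[Stage]:
    """Rolling with extra batches: add `batch` new servers, then roll through the old ones.

    The last old batch is decommissioned instead of redeployed, so the fleet
    returns to its original size with the extra servers taking its place.
    """
    if batch < 1 or n_targets < 1 or n_targets % batch:
        raise ValueError("target count must be a positive multiple of the batch size")
    state = [OLD] * n_targets
    stages = [list(state)]
    state += [EMPTY] * batch                       # stage 1: bring up a new batch of servers
    stages.append(list(state))
    state[n_targets:] = [NEW] * batch              # stage 2: deploy the new version to them
    stages.append(list(state))
    for start in range(0, n_targets, batch):
        idx = range(start, start + batch)
        for i in idx:                              # undeploy this batch of old servers
            state[i] = EMPTY
        stages.append(list(state))
        if start + batch < n_targets:              # more old batches follow: redeploy
            for i in idx:
                state[i] = NEW
        else:                                      # last batch: decommission its servers
            state = [t for t in state if t != EMPTY]
        stages.append(list(state))
    return stages
```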

Blue/green deployment

System | Deploy | Comment
(v1 v1 v1) () | Initial State | Blue environment, all traffic goes here
(v1 v1 v1) (v v v) | Deployment Stage 1 | Bring up green environment
(v1 v1 v1) (v2 v2 v2) | Deployment Stage 2 | Deploy application into green environment
(v1 v1 v1) (v2 v2 v2) | Deployment Stage 3 | Cutover - direct traffic from blue to green
() (v2 v2 v2) | Final State | Blue environment removed

pros | cons
Rapid all-at-once deployment process, no need to wait for per-target health checks | Requires advanced orchestration tooling
Can test health prior to cutover | Significant cost for a second environment (mitigated by advanced billing models)
Clean & controlled cutover (various options) | .
Easy rollback | .
Can be fully automated using advanced templating | .
By far the best method in terms of risk mitigation and minimal user impact | .

Red/black deployment

... are just like blue/green, but they happen at a much faster rate.

Example:

  1. DNS -> LB -> ASG1
  2. DNS -> LB -> ASG2

A/B testing

pros | cons
. | Different versions across the environment
. | DNS switching affected by caches and other DNS-related issues

Canary deployment


EC2 Concepts

Instance Profile

Load Balancing with ELB/ALB

ELB/ALB Logs

ELB/ALB Health Checks

ELB Security

Auto Scaling

Overview

Amazon EC2 Auto Scaling helps you ensure that you have the correct number of Amazon EC2 instances available to handle the load for your application. You create collections of EC2 instances, called Auto Scaling Groups. You can specify the minimum number of instances in each Auto Scaling Group, and Amazon EC2 Auto Scaling ensures that your group never goes below this size. You can specify the maximum number of instances in each Auto Scaling Group, and Amazon EC2 Auto Scaling ensures that your group never goes above this size. If you specify the desired capacity, either when you create the group or at any time thereafter, Amazon EC2 Auto Scaling ensures that your group has this many instances. If you specify scaling policies, then Amazon EC2 Auto Scaling can launch or terminate instances as demand on your application increases or decreases.

Components

Auto Scaling Group
Launch Configuration
Launch Template
Termination Policy
# | Policy | Comment
0 | Default | Designed to help ensure that your instances span Availability Zones evenly for high availability; then 3 -> 4 -> random
1 | OldestInstance | Useful when upgrading to a new EC2 instance type
2 | NewestInstance | Useful when testing a new launch configuration
3 | OldestLaunchConfiguration | Useful when updating a group and phasing out instances
4 | ClosestToNextInstanceHour | Next billing hour - useful to maximize instance use
5 | OldestLaunchTemplate | Useful when you're updating a group and phasing out the instances from a previous configuration
6 | AllocationStrategy | Useful when preferred instance types have changed
Auto Scaling Lifecycle Hooks

The EC2 instances in an Auto Scaling Group have a path, or lifecycle, that differs from that of other EC2 instances. The lifecycle starts when the Auto Scaling Group launches an instance and puts it into service. The lifecycle ends when you terminate the instance, or the Auto Scaling group takes the instance out of service and terminates it.

Lifecycle hooks cater for applications that take longer to deploy or tear down.

After lifecycle hooks are added, the instance lifecycle becomes:

Event | Lifecycle
Scale out | scale out -> Pending -> Pending:Wait -> Pending:Proceed -> InService
Scale in | scale in -> Terminating -> Terminating:Wait -> Terminating:Proceed -> Terminated
Troubleshoot | InService -> StandBy
Scaling

Scaling is the ability to increase or decrease the compute capacity of your application. Scaling starts with an event, or scaling action, which instructs an Auto Scaling Group to either launch or terminate Amazon EC2 instances.

Protect individual instances from scale in by enabling instance scale-in protection, e.g. per API call (set-instance-protection).
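The Default termination policy from the table above (balance Availability Zones, then OldestLaunchConfiguration, then ClosestToNextInstanceHour, then random) together with scale-in protection, written out as a selection function. This is an added example, not code from the notes or from AWS: the Instance dataclass, the fleet and the launch-configuration ordinal are constructed for it.

```python
"""Which instance does the Default termination policy pick?

Added example, not from the notes: a selection function that encodes the
order in the table above (balance Availability Zones first, then
OldestLaunchConfiguration, then ClosestToNextInstanceHour, then random) and
honours instance scale-in protection. Instances are a constructed dataclass;
a seeded Random makes the final tie-break reproducible.
"""
import random
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Instance:
    instance_id: str
    az: str
    launch_config_version: int  # constructed ordinal: lower means an older launch configuration
    seconds_to_next_hour: int   # time left in the current billing hour
    protected_from_scale_in: bool = False


def choose_instance_to_terminate(instances: List[Instance],
                                 rng: Optional[random.Random] = None) -> Optional[Instance]:
    """Instance the Default policy terminates on scale in, or None if all are protected."""
    eligible = [i for i in instances if not i.protected_from_scale_in]
    if not eligible:
        return None
    # 1. the AZ with the most instances, among AZs holding at least one unprotected instance
    per_az = Counter(i.az for i in instances)
    busiest = max(per_az[i.az] for i in eligible)
    candidates = [i for i in eligible if per_az[i.az] == busiest]
    # 2. OldestLaunchConfiguration
    oldest = min(i.launch_config_version for i in candidates)
    candidates = [i for i in candidates if i.launch_config_version == oldest]
    # 3. ClosestToNextInstanceHour
    closest = min(i.seconds_to_next_hour for i in candidates)
    candidates = [i for i in candidates if i.seconds_to_next_hour == closest]
    # 4. random among whatever is still tied
    return (rng or random.Random(0)).choice(candidates)


def scale_in(instances: List[Instance], count: int) -> List[str]:
    """Terminate up to `count` instances one at a time, re-evaluating the policy after each."""
    fleet, terminated = list(instances), []
    for _ in range(count):
        victim = choose_instance_to_terminate(fleet)
        if victim is None:
            break  # scale-in protection stops the group from shrinking further
        terminated.append(victim.instance_id)
        fleet.remove(victim)
    return terminated


# Constructed fleet: three instances in us-east-1a (one protected), one in us-east-1b.
FLEET = [
    Instance("i-a", "us-east-1a", launch_config_version=1, seconds_to_next_hour=600),
    Instance("i-b", "us-east-1a", launch_config_version=2, seconds_to_next_hour=100),
    Instance("i-c", "us-east-1a", launch_config_version=1, seconds_to_next_hour=200,
             protected_from_scale_in=True),
    Instance("i-d", "us-east-1b", launch_config_version=1, seconds_to_next_hour=50),
]
```

Note that i-d is the oldest and closest to its billing hour, yet it is only picked once us-east-1a no longer holds more unprotected instances than us-east-1b: the AZ balance step comes first.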

Notifications
Health Checks

Amazon EC2 Auto Scaling can determine the health status of an instance using one or more of the following:

Integration with other services

ALB

ALB -> Target Group <- ASG

CodeDeploy
CloudFormation
SQS

Deployment Concepts

Name | Before | Intermediate | After
In Place | [ASG [Instance 1]] | - | [ASG [Instance 2]]
Rolling | [ASG [Instance 1]] | [ASG [Instance 1, 2]] | [ASG [Instance 2]]
Replace | [ALB [ASG1 [...]]] | [ALB [ASG1 [...]] [ASG2 [...]]] | [ALB [ASG2 [...]]]
Blue/Green | [R53 [ALB1 [ASG1 [...]]]] | [R53 [ALB1 [ASG1 [...]]]] [ALB2 [...]] | [R53 [ALB2 [ASG2 [...]]]]

Troubleshooting

Possible Problems
Suspending ASG processes

You can suspend and then resume one or more of the scaling processes for your Auto Scaling Group. This can be useful for investigating a configuration problem or other issues with your web application and making changes to your application without invoking the scaling processes.

Process | Comment
Launch | Disrupts other processes as there is no more scale out
Terminate | Disrupts other processes as there is no more scale in
HealthCheck | .
ReplaceUnhealthy | .
AZRebalance | .
AlarmNotification | Suspends actions normally triggered by alarms
ScheduledAction | .
AddToLoadBalancer | Will not automatically add instances later

On-Premises strategies

EC2 and On-Premises VMs

AWS Application Discovery Service

AWS Database Migration Service

AWS Server Migration Service


Cost Allocation Tags

Overview

A tag is a label that you or AWS assigns to an AWS resource. Each tag consists of a key and a value. For each resource, each tag key must be unique, and each tag key can have only one value. You can use tags to organize your resources, and cost allocation tags to track your AWS costs on a detailed level. After you activate cost allocation tags, AWS uses the cost allocation tags to organize your resource costs on your cost allocation report, to make it easier for you to categorize and track your AWS costs. AWS provides two types of cost allocation tags: AWS-generated tags and user-defined tags. AWS defines, creates, and applies the AWS-generated tags for you, and you define, create, and apply user-defined tags. You must activate both types of tags separately before they can appear in Cost Explorer or on a cost allocation report.


Data/Network Protection

Data Protection

In Transit

At Rest

Network Protection


Multi AZ

Services where multi AZ needs to be enabled manually

Services that are implicitly multi AZ


Multi Region

Services that have a concept of multi region

Service | Comment
DynamoDB | Global Tables: multi-way replication, implemented with Streams
AWS Config | Aggregators: multi region as well as multi account
RDS | Cross-region read replicas
Aurora | Global Database: one region is the master, the others serve reads & DR
EBS/AMI/RDS | Snapshots
VPC | Peering: private traffic between VPCs in different regions
Route 53 | Uses a global network of DNS servers
S3 | Cross-region replication
CloudFront | Global CDN at Edge Locations
Lambda@Edge | For global Lambda functions at Edge Locations
CloudFormation | StackSets
CodePipeline | Actions can be region specific -> multi-region deploys

Multi Region with Route 53

Multi Account

Services that have a concept of multi account

Service | Comment
IAM | Define an IAM trust to enable cross-account actions; use STS to assume roles in different accounts
CodePipeline | Trigger CodeDeploy across accounts
AWS Config | Aggregate across accounts
CloudWatch Events | Use an event bus to share events across accounts
CloudWatch Logs | Use a Logs destination to send events into a logging account
CloudFormation | StackSets can be deployed across accounts
CloudTrail | Can deliver trails into a cross-account bucket

Disaster Recovery

From | To | Comment
On-prem | On-prem | Traditional DR, very expensive
On-prem | Cloud | Hybrid recovery
Cloud Region A | Cloud Region B | .

Strategy | RPO | RTO | Costs | Comment | What to do for DR
Backup & Restore | High | High | $ | Regular backups | Restore
Pilot Light | Medium | Medium | $$ | Core system is always running | Add non-critical systems
Warm Standby | Low | Low | $$$ | Full system at minimum size always running | Add resources
Multi Site/Hot Site | Lowest | Lowest | $$$$ | Full system at production size always running | Only switch traffic

Security Automation & Compliance

Service | What it does | Will warn about (example)
Amazon Inspector | Application and service security: scans EC2 instances for CVEs; network scans | Root login via SSH not disabled
Config | Ensures instances have the proper AWS configuration, e.g. no open SSH port; tracks audit and compliance over time | Checks whether an Amazon SNS topic is encrypted with KMS
GuardDuty | Scans accounts and workloads | Instance has bitcoin activity, unusual console logins (e.g. new location)
Macie | Protects data | SSH private key uploaded to S3
Security Hub | Aggregates the view from GuardDuty, Amazon Inspector, Macie, IAM Access Analyzer and AWS Firewall Manager; also integrates 3rd-party services | Whatever was integrated with Security Hub
Service Catalog | Restricts how instances are launched by minimizing configuration | .
Systems Manager | Runs automations, patches, commands and inventory at scale | .
Trusted Advisor | Scans accounts, recommends cost optimisations, fault tolerance, performance, service limits, security | Open security groups, EBS snapshot permissions

Notifications

Service | SNS (native) | CloudWatch/EventBridge Events | CloudWatch Metrics/Alarms | Comment
Amazon Inspector | + | - | + (every 5 min) | Notify SNS on assessment run and findings
API Gateway | - | - | + (API monitoring) | .
Auto Scaling Lifecycle Hooks | + (SNS or SQS) | + | + | .
CloudFormation | + | - | - | .
CloudTrail | + | - | - | .
CodeBuild | - | + | + | .
CodeCommit | + (trigger to SNS or Lambda; notification to SNS or Chatbot/Slack) | + | - | .
CodeDeploy | + (trigger to SNS; notification to SNS or Chatbot/Slack) | + | - | .
CodePipeline | + (notification to SNS or Chatbot/Slack) | + | - | .
Config | + (all events only) | + | - | .
ECS | - | + | + | .
Elastic Beanstalk | + | - | + (minimal, environment health only) | .
GuardDuty | - | + | - | .
Kinesis | - | - | - | .
Lambda | - | - | + | .
Macie | - | + | - | .
Ops Works | - | + | + | .
S3 | + (event notifications to SNS, SQS or Lambda) | - | + | documentation
Server Migration Service | - | + | - | .
Service Catalog | + | - | + | .
Systems Manager | + | + | + | Run Command metrics; various CloudWatch Events
Trusted Advisor | - | + | + | documentation

External Tools

Jenkins

Integrating into CodePipeline

Plugins


Services

Amazon EMR

Overview

Amazon EMR is a managed cluster platform that simplifies running big data frameworks, such as Apache Hadoop and Apache Spark, on AWS to process and analyze vast amounts of data. By using these frameworks and related open-source projects, such as Apache Hive and Apache Pig, you can process data for analytics purposes and business intelligence workloads. Additionally, you can use Amazon EMR to transform and move large amounts of data into and out of other AWS data stores and databases, such as Amazon Simple Storage Service (Amazon S3) and Amazon DynamoDB.

Use cases:


Amazon Inspector (Core Service)

Overview

Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Amazon Inspector automatically assesses applications for exposure, vulnerabilities, and deviations from best practices. After performing an assessment, Amazon Inspector produces a detailed list of security findings prioritized by level of severity. These findings can be reviewed directly or as part of detailed assessment reports which are available via the Amazon Inspector console or API.

Amazon Inspector security assessments help you check for unintended network accessibility of your Amazon EC2 instances and for vulnerabilities on those EC2 instances. Amazon Inspector assessments are offered to you as pre-defined rules packages mapped to common security best practices and vulnerability definitions. Examples of built-in rules include checking for access to your EC2 instances from the internet, remote root login being enabled, or vulnerable software versions installed. These rules are regularly updated by AWS security researchers.


API Gateway (Core Service)

Overview

Amazon API Gateway is a fully managed service that makes it easy for developers to create, publish, maintain, monitor, and secure APIs at any scale. With a few clicks in the AWS Management Console, you can create REST and WebSocket APIs that act as a “front door” for applications to access data, business logic, or functionality from your backend services, such as workloads running on Amazon Elastic Compute Cloud (Amazon EC2), code running on AWS Lambda, any web application, or real-time communication applications.

Benefits

Concepts

Endpoint

A hostname for an API in API Gateway that is deployed to a specific region. The hostname is of the form {api-id}.execute-api.{region}.amazonaws.com.

The following types of API endpoints are supported:

Stage

A logical reference to a lifecycle state of your REST or WebSocket API (for example, dev, prod, beta, v2).

Deployment

After creating your API, you must deploy it to make it callable by your users. To deploy an API, you create an API deployment and associate it with a stage. Each stage is a snapshot of the API and is made available for client apps to call.

Canary Deployments

Integration

Mapping Template

Model

A data schema specifying the data structure of a request or response payload.

Throttling


Athena

Overview

Amazon Athena is an interactive query service that makes it easy to analyze data in Amazon S3 using standard SQL. Athena is serverless, so there is no infrastructure to manage, and you pay only for the queries that you run.

Athena is easy to use. Simply point to your data in Amazon S3, define the schema, and start querying using standard SQL. Most results are delivered within seconds. With Athena, there’s no need for complex ETL jobs to prepare your data for analysis. This makes it easy for anyone with SQL skills to quickly analyze large-scale datasets.

Athena is out-of-the-box integrated with AWS Glue Data Catalog, allowing you to create a unified metadata repository across various services, crawl data sources to discover schemas and populate your Catalog with new and modified table and partition definitions, and maintain schema versioning.


CloudFormation (Core Service)

Overview

AWS CloudFormation provides a common language for you to describe and provision all the infrastructure resources in your cloud environment. CloudFormation allows you to use a simple text file to model and provision, in an automated and secure manner, all the resources needed for your applications across all regions and accounts. This file serves as the single source of truth for your cloud environment.

AWS CloudFormation is available at no additional charge, and you pay only for the AWS resources needed to run your applications.

Components

Template

A CloudFormation template is a JSON or YAML formatted text file.

Element | Comment
AWSTemplateFormatVersion | 2010-09-09
Description | .
Metadata | Details about the template
Parameters | Values to pass in at stack creation
Mappings | Maps keys to values (e.g. different values for different regions)
Conditions | Check values before deciding what to do
Resources | Creates resources - the only mandatory section in a template
Outputs | Values to be exposed from the console or from API calls
Parameters

Mappings

Mappings:
  RegionMap:
    us-east-1:
      HVM64: ami-0ff8a91507f77f867
      HVMG2: ami-0a584ac55a7631c0c
    us-west-1:
      HVM64: ami-0bdb828fd58c52235
      HVMG2: ami-066ee5fd4a9ef77f1
...
  myEC2Instance:
    Type: "AWS::EC2::Instance"
    Properties:
      # look up the AMI for the region the stack is created in
      ImageId: !FindInMap [RegionMap, !Ref "AWS::Region", HVM64]

Conditions

Conditions:
  CreateProdResources: !Equals [ !Ref EnvType, prod ]

Resources

Outputs
Intrinsic Functions
Name | Attributes | Description
Ref | logicalName | Returns the value of the specified parameter (its default if none was passed); for a resource typically the physical id
Fn::Base64 | valueToEncode | Converts plain text into base64
Fn::Cidr | ipBlock, count, cidrBits | Returns an array of CIDR address blocks; the number of blocks returned depends on the count parameter
Fn::FindInMap | MapName, TopLevelKey, SecondLevelKey | Returns the value corresponding to keys in a two-level map declared in the Mappings section
Fn::GetAtt | logicalNameOfResource, attributeName | Returns the value of an attribute of a resource from the same or a nested template
Fn::GetAZs | region | Returns an array of the Availability Zones of the specified region; if region is omitted, the region the template is applied in
Fn::If | boolean, string1, string2 | Returns string1 if boolean is true, string2 otherwise
Fn::And, Fn::Equals, Fn::Or, Fn::Not | . | Used in the Conditions element
Fn::ImportValue | sharedValueToImport | Returns the value of an Output exported by another stack. You can't delete a stack if another stack references one of its outputs, and you can't modify or remove an output value that is referenced by another stack
Fn::Join | delimiter, [ comma-delimited list of values ] | Joins a set of values into a single value separated by the specified delimiter
Fn::Select | index, listOfObjects | Returns a single object from a list of objects by index
Fn::Split | delimiter, source string | Splits a string into a list of string values so that you can select an element from the resulting list
Fn::Sub | String, or [ String, { key: Value, ... } ] | Substitutes variables in an input string with values that you specify; short form: !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:vpc/${vpc}'
Fn::Transform | Name: String, Parameters: { key: Value, ... } | Specifies a macro to perform custom processing on part of a stack template
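A resolver for the intrinsic functions in the table, run against a template built from the RegionMap, CreateProdResources and !Sub snippets above. This is an added example, not code from the notes or from AWS; the pseudo parameter values, the AZ list, the SubnetIds parameter and the VpcArn output are constructed for it, and it uses the long-form (JSON) syntax since the short-form tags are YAML-specific.

```python
"""Resolver for the CloudFormation intrinsic functions in the table above.

Added example, not from the notes and not AWS code: it evaluates the long-form
syntax of Ref, Fn::FindInMap, Fn::Sub, Fn::Join, Fn::Select, Fn::Split,
Fn::GetAZs, Fn::Equals and Fn::If against a template dict, roughly as
CloudFormation does at stack creation. Pseudo parameters and the AZ list are a
constructed context; a Ref to a resource returns a placeholder because the
physical id exists only after creation.
"""
import re
from typing import Any, Dict, List


class TemplateError(ValueError):
    """Unresolvable Ref, missing map key, unknown condition or function."""


class Resolver:
    def __init__(self, template: Dict[str, Any], parameters: Dict[str, Any],
                 pseudo: Dict[str, str], azs: Dict[str, List[str]]) -> None:
        self.template, self.pseudo, self.azs = template, pseudo, azs
        # parameter ingestion: template defaults first, then caller-supplied values
        self.params = {k: v.get("Default") for k, v in template.get("Parameters", {}).items()}
        self.params.update(parameters)

    def ref(self, name: str) -> Any:
        if name in self.pseudo:
            return self.pseudo[name]
        if name in self.params:
            return self.params[name]
        if name in self.template.get("Resources", {}):
            return f"<physical-id:{name}>"  # only known once the resource exists
        raise TemplateError(f"unresolved Ref {name!r}")

    def condition(self, name: str) -> bool:
        if name not in self.template.get("Conditions", {}):
            raise TemplateError(f"unknown condition {name!r}")
        return bool(self.resolve(self.template["Conditions"][name]))

    def resolve(self, node: Any) -> Any:
        if isinstance(node, list):
            return [self.resolve(n) for n in node]
        if not isinstance(node, dict):
            return node
        key = next(iter(node), "")
        if len(node) != 1 or not (key == "Ref" or key.startswith("Fn::")):
            return {k: self.resolve(v) for k, v in node.items()}  # ordinary mapping
        raw = node[key]
        if key == "Ref":
            return self.ref(raw)
        if key == "Fn::If":  # only the selected branch is evaluated
            return self.resolve(raw[1] if self.condition(raw[0]) else raw[2])
        arg = self.resolve(raw)
        if key == "Fn::FindInMap":
            try:
                return self.template["Mappings"][arg[0]][arg[1]][arg[2]]
            except KeyError as missing:
                raise TemplateError(f"FindInMap: no key {missing} in {arg[0]}") from None
        if key == "Fn::Sub":  # ${Var} from the variable map if given, else via Ref
            text, variables = (arg, {}) if isinstance(arg, str) else (arg[0], arg[1])
            return re.sub(r"\$\{([^}]+)\}", lambda m: str(
                variables[m.group(1)] if m.group(1) in variables else self.ref(m.group(1))), text)
        if key == "Fn::Join":
            return str(arg[0]).join(str(v) for v in arg[1])
        if key == "Fn::Select":
            return arg[1][int(arg[0])]
        if key == "Fn::Split":
            return str(arg[1]).split(arg[0])
        if key == "Fn::GetAZs":  # "" means the region the stack is created in
            return list(self.azs[arg or self.pseudo["AWS::Region"]])
        if key == "Fn::Equals":
            return str(arg[0]) == str(arg[1])  # CloudFormation compares as strings
        raise TemplateError(f"unsupported function {key}")


# Constructed template assembled from the Mappings, Conditions and !Sub snippets above.
TEMPLATE: Dict[str, Any] = {
    "Parameters": {"EnvType": {"Type": "String", "Default": "test"},
                   "SubnetIds": {"Type": "String", "Default": "subnet-0a1,subnet-0b2"}},
    "Mappings": {"RegionMap": {
        "us-east-1": {"HVM64": "ami-0ff8a91507f77f867", "HVMG2": "ami-0a584ac55a7631c0c"},
        "us-west-1": {"HVM64": "ami-0bdb828fd58c52235", "HVMG2": "ami-066ee5fd4a9ef77f1"}}},
    "Conditions": {"CreateProdResources": {"Fn::Equals": [{"Ref": "EnvType"}, "prod"]}},
    "Resources": {"myEC2Instance": {"Type": "AWS::EC2::Instance", "Properties": {
        "ImageId": {"Fn::FindInMap": ["RegionMap", {"Ref": "AWS::Region"}, "HVM64"]},
        "InstanceType": {"Fn::If": ["CreateProdResources", "m5.large", "t3.micro"]},
        "SubnetId": {"Fn::Select": ["0", {"Fn::Split": [",", {"Ref": "SubnetIds"}]}]},
        "AvailabilityZone": {"Fn::Select": ["1", {"Fn::GetAZs": ""}]}}}},
    "Outputs": {"VpcArn": {"Value": {"Fn::Sub": [
        "arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:vpc/${vpc}", {"vpc": "vpc-0123"}]}}},
}
AZS = {"us-east-1": ["us-east-1a", "us-east-1b"], "us-west-1": ["us-west-1a", "us-west-1b"]}


def resolve_stack(region: str = "us-east-1", env_type: str = "test") -> Dict[str, Any]:
    """Resolve the instance properties and the outputs as a stack created in `region` would."""
    pseudo = {"AWS::Region": region, "AWS::AccountId": "123456789012"}  # constructed values
    resolver = Resolver(TEMPLATE, {"EnvType": env_type}, pseudo, AZS)
    return {"Properties": resolver.resolve(TEMPLATE["Resources"]["myEC2Instance"]["Properties"]),
            "Outputs": {k: resolver.resolve(v["Value"]) for k, v in TEMPLATE["Outputs"].items()}}
```

Creating the same stack in a region that is missing from RegionMap fails at FindInMap with a TemplateError, which is the failure the Mappings section is meant to make explicit rather than silently falling back to a wrong AMI.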

Stacks

Stack policy elements:

Element | Comment
Effect | .
Principal | Must be a wildcard for stack policies
Action | Update:Modify, Update:Replace, Update:Delete, Update:* (wildcard)
Resource, NotResource | .
Condition | Typically evaluates based on resource type

Processes

Stack Creation
  1. Template upload into S3 bucket
  2. Template syntax check
    • CloudFormation will check for any IAM resources being created, and require CAPABILITY_IAM | CAPABILITY_NAMED_IAM if so
    • Will raise InsufficientCapabilities otherwise
  3. Stack name & parameter verification & ingestion (apply default values)
  4. Template processing & stack creation
    • Resource ordering
      • Natural ordering
        • CloudFormation knows about 'natural' dependencies between resources.
      • DependsOn
        • Also DependsOn attribute
        • Allows to direct CloudFormation on how to handle more complex dependencies
        • Applies to creation as well as deletion & rollback
        • DependsOn can be a single resource or a list of resources
        • Will error on circular dependencies
        • DependsOn is problematic if the target resource needs more complex setup than just stack creation
      • -> Wait conditions allow further control about what happens when
    • Resource creation
      • Will try to create as many resources as possible in parallel
      • Includes pausing and waiting for other resources to be created first
      • Associate the CreationPolicy attribute with a resource to prevent its status from reaching create complete until AWS CloudFormation receives a specified number of success signals or the timeout period is exceeded.
    • Output creation
  5. Stack completion or rollback
    • Rollback settings can be provided while creating the stack
      • onFailure - ROLLBACK | DELETE | DO_NOTHING
    • Can try to manually resolve problems if in state UPDATE_ROLLBACK_FAILED
Stack Updates
Stack Deletion

StackSets

StackSets lets you create stacks in multiple AWS accounts across multiple regions by using a single CloudFormation template. All the resources included in each stack are defined by the stack set's AWS CloudFormation template. As you create the stack set, you specify the template to use, as well as any parameters and capabilities that template requires.

Concept

Operation option | Comment
Maximum concurrent accounts | Maximum number or percentage of target accounts in which an operation is performed at one time
Failure tolerance | Maximum number or percentage of stack operation failures that can occur, per region, beyond which AWS CloudFormation stops an operation automatically
Retain stack (delete operations only) | Keep stacks and their resources running even after they have been removed from a stack set

Concepts

Running code on instance boot

Script Name | Purpose
cfn-init | Use to retrieve and interpret resource metadata, install packages, create files, and start services.
cfn-signal | Use to signal with a CreationPolicy or WaitCondition, so you can synchronize other resources in the stack when the prerequisite resource or application is ready.
cfn-get-metadata | Use to retrieve metadata for a resource or path to a specific key.
cfn-hup | Use to check for updates to metadata and execute custom hooks when changes are detected.

Define code and scripts to run:

UserData:
  Fn::Base64: |
    #!/bin/bash -x
    ...

Signal the outcome of the installation back to CFN (cfn-signal, see Creation Policy below).

Creation Policy

AutoScalingGroup:
  Type: AWS::AutoScaling::AutoScalingGroup
  Properties:
    ...
  CreationPolicy:
    ResourceSignal:
      Count: '3'
      Timeout: PT15M

LaunchConfig:
  Type: AWS::AutoScaling::LaunchConfiguration
  Properties:
    ...
    UserData:
      "Fn::Base64":
        !Sub |
          #!/bin/bash -xe
          yum update -y aws-cfn-bootstrap
          /opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackName} --resource AutoScalingGroup --region ${AWS::Region}

Wait Conditions and Handlers

WebServerGroup:
  Type: AWS::AutoScaling::AutoScalingGroup
  Properties:
    ...
WaitHandle:
  Type: AWS::CloudFormation::WaitConditionHandle
WaitCondition:
  Type: AWS::CloudFormation::WaitCondition
  DependsOn: "WebServerGroup"
  Properties:
    Handle:
      Ref: "WaitHandle"
    Timeout: "300"
    Count:
      Ref: "WebServerCapacity"

Custom Resources

Drift detection

Stacks Nesting

Limits

Limit | Value
Max stacks per region | 200
Max templates per region | unlimited
Max template size (stored in S3) | 460 kB
Parameters per stack | 60
Mappings per stack | 100
Resources per stack | 200
Outputs per stack | 60

CloudFront

Overview

Amazon CloudFront is a web service that speeds up distribution of your static and dynamic web content, such as .html, .css, .js, and image files, to your users. CloudFront delivers your content through a worldwide network of data centers called edge locations. When a user requests content that you're serving with CloudFront, the user is routed to the edge location that provides the lowest latency (time delay), so that content is delivered with the best possible performance.

Lambda@Edge

Lambda@Edge is a feature of Amazon CloudFront that lets you run code closer to users of your application, which improves performance and reduces latency. With Lambda@Edge, you don't have to provision or manage infrastructure in multiple locations around the world. You pay only for the compute time you consume - there is no charge when your code is not running.

With Lambda@Edge, you can enrich your web applications by making them globally distributed and improving their performance — all with zero server administration. Lambda@Edge runs your code in response to events generated by the Amazon CloudFront content delivery network (CDN). Just upload your code to AWS Lambda, which takes care of everything required to run and scale your code with high availability at an AWS location closest to your end user.


CloudSearch

Overview

Amazon CloudSearch is a fully managed service in the cloud that makes it easy to set up, manage, and scale a search solution for your website or application.

With Amazon CloudSearch you can search large collections of data such as web pages, document files, forum posts, or product information. You can quickly add search capabilities without having to become a search expert or worry about hardware provisioning, setup, and maintenance. As your volume of data and traffic fluctuates, Amazon CloudSearch scales to meet your needs.

CloudTrail (Core Service)

Overview

AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure. CloudTrail provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. This event history simplifies security analysis, resource change tracking, and troubleshooting. In addition, you can use CloudTrail to detect unusual activity in your AWS accounts. These capabilities help simplify operational analysis and troubleshooting.

CloudTrail is enabled by default in every account. All activities in an AWS account are being recorded as CloudTrail events.
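Detection logic over CloudTrail records, as an added example that is not part of the notes: it parses a constructed log file in the {"Records": [...]} layout a trail delivers and flags the console-login patterns the security table above attributes to GuardDuty (root login, login without MFA, login from a source IP never seen for that principal). The field names are real CloudTrail fields; the account id, users, IPs (documentation ranges) and known-IP baseline are constructed.

```python
"""Detection rules over CloudTrail console-login events.

Added example (not part of the notes): scans a constructed batch of CloudTrail
records, in the {"Records": [...]} layout a trail delivers to S3, and flags the
login patterns the security table above lists as GuardDuty findings: root
console logins, successful logins without MFA, and logins from a source IP not
seen before for that principal. The field names are real CloudTrail fields; the
records, IPs and the known-IP baseline are constructed for this example.
"""
import json
from typing import Dict, List, Set, Tuple

Finding = Tuple[str, str, str]  # (rule, principal ARN, detail)


def principal(rec: dict) -> str:
    ident = rec.get("userIdentity", {})
    return ident.get("arn") or ident.get("userName") or ident.get("type", "unknown")


def successful_login(rec: dict) -> bool:
    return (rec.get("eventName") == "ConsoleLogin"
            and rec.get("responseElements", {}).get("ConsoleLogin") == "Success")


def check_console_login(rec: dict, known_ips: Dict[str, Set[str]]) -> List[Finding]:
    """Apply the three rules to one record; events other than ConsoleLogin yield nothing."""
    if rec.get("eventName") != "ConsoleLogin":
        return []
    who, ip = principal(rec), rec.get("sourceIPAddress", "")
    findings: List[Finding] = []
    if rec.get("userIdentity", {}).get("type") == "Root":
        findings.append(("ROOT_CONSOLE_LOGIN", who, f"root login attempt from {ip}"))
    if successful_login(rec) and rec.get("additionalEventData", {}).get("MFAUsed") != "Yes":
        findings.append(("CONSOLE_LOGIN_WITHOUT_MFA", who, f"login from {ip} without MFA"))
    if successful_login(rec) and ip not in known_ips.get(who, set()):
        findings.append(("CONSOLE_LOGIN_NEW_LOCATION", who, f"first login seen from {ip}"))
    return findings


def scan(trail_file: str, known_ips: Dict[str, Set[str]]) -> List[Finding]:
    """Run the rules over one delivered log file; new IPs are learned so a repeat is not re-flagged."""
    baseline = {k: set(v) for k, v in known_ips.items()}
    findings: List[Finding] = []
    for rec in json.loads(trail_file)["Records"]:
        findings.extend(check_console_login(rec, baseline))
        if successful_login(rec):
            baseline.setdefault(principal(rec), set()).add(rec.get("sourceIPAddress", ""))
    return findings


def login_event(who: dict, ip: str, mfa: str, outcome: str, when: str) -> dict:
    """Build a constructed ConsoleLogin record carrying the fields the rules read."""
    return {"eventVersion": "1.08", "eventTime": when, "eventSource": "signin.amazonaws.com",
            "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": ip,
            "userIdentity": who, "additionalEventData": {"MFAUsed": mfa},
            "responseElements": {"ConsoleLogin": outcome}}


ACCOUNT = "123456789012"  # constructed account id
ALICE = {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/alice", "userName": "alice"}
BOB = {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/bob", "userName": "bob"}
ROOT = {"type": "Root", "arn": f"arn:aws:iam::{ACCOUNT}:root", "accountId": ACCOUNT}

# Constructed trail file: documentation IP ranges, fixed timestamps, one non-login event.
SAMPLE_TRAIL_FILE = json.dumps({"Records": [
    login_event(ALICE, "203.0.113.10", "Yes", "Success", "2020-06-01T08:00:00Z"),
    login_event(ROOT, "198.51.100.7", "No", "Success", "2020-06-01T08:05:00Z"),
    {"eventVersion": "1.08", "eventTime": "2020-06-01T08:06:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": ALICE},
    login_event(BOB, "192.0.2.44", "Yes", "Success", "2020-06-01T09:00:00Z"),
    login_event(BOB, "192.0.2.44", "Yes", "Success", "2020-06-01T17:00:00Z"),
    login_event(ALICE, "192.0.2.99", "No", "Failure", "2020-06-01T18:00:00Z"),
]})
KNOWN_IPS = {ALICE["arn"]: {"203.0.113.10"}, BOB["arn"]: {"203.0.113.10"}}
```

Running scan(SAMPLE_TRAIL_FILE, KNOWN_IPS) yields four findings: three for the root login and one for Bob's first login from 192.0.2.44; Bob's second login from the same IP and Alice's failed login are not flagged.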

Concepts

Event

Trail


CloudWatch (Core Service)

Overview

Amazon CloudWatch is a monitoring and management service built for developers, system operators, site reliability engineers (SRE), and IT managers. CloudWatch provides you with data and actionable insights to monitor your applications, understand and respond to system-wide performance changes, optimize resource utilization, and get a unified view of operational health. CloudWatch collects monitoring and operational data in the form of logs, metrics, and events, providing you with a unified view of AWS resources, applications and services that run on AWS, and on-premises servers. You can use CloudWatch to set high resolution alarms, visualize logs and metrics side by side, take automated actions, troubleshoot issues, and discover insights to optimize your applications, and ensure they are running smoothly.

Concepts

CloudWatch Logs

Subscriptions
AWS-Managed Logs
Service | Target(s)
Load Balancer Access Logs (ELB, ALB, NLB) | S3
CloudTrail Logs | S3, CloudWatch
VPC Flow Logs | S3, CloudWatch
Route 53 Access Logs | CloudWatch
S3 Access Logs | S3
CloudFront Access Logs | S3

CloudWatch Metrics

Namespaces

Metrics

Resolution | Data retention
< 60s (high resolution) | 3h
60s | 15d
300s (5 min) | 63d
3600s (1h) | 15 months

Time Stamps

Dimension

Statistics

Period

Aggregation

CloudWatch Alarms

Billing Alarms

CloudWatch Events

EventBridge
S3 Events

Dashboards

Unified CloudWatch Agent

Key metrics

EC2

Metric | Effect
CPUUtilization | The total CPU resources utilized within an instance at a given time.
DiskReadOps, DiskWriteOps | The number of read (write) operations performed on all instance store volumes. This metric is applicable for instance store-backed AMI instances.
DiskReadBytes, DiskWriteBytes | The number of bytes read (written) on all instance store volumes. This metric is applicable for instance store-backed AMI instances.
NetworkIn, NetworkOut | The number of bytes received (sent) on all network interfaces by the instance.
NetworkPacketsIn, NetworkPacketsOut | The number of packets received (sent) on all network interfaces by the instance.
StatusCheckFailed, StatusCheckFailed_Instance, StatusCheckFailed_System | Reports whether the instance has passed both/the instance/the system status check in the last minute.

Auto Scaling Group

Metric | Effect
GroupMinSize, GroupMaxSize | The minimum/maximum size of the Auto Scaling Group.
GroupDesiredCapacity | The number of instances that the Auto Scaling Group attempts to maintain.
GroupInServiceInstances, GroupPendingInstances, GroupStandbyInstances, GroupTerminatingInstances | The number of instances that are running/pending (not yet in service)/standby (still running)/terminating as part of the Auto Scaling Group.
GroupTotalInstances | The total number of instances in the Auto Scaling Group. This metric identifies the number of instances that are in service, pending, and terminating.

ELB

Metric | Effect
--- | ---
Latency | Time it takes to receive a response. Look at max and average.
BackendConnectionErrors | Number of connections to registered instances that could not be established. Look at sum and at the difference between min and max.
SurgeQueueLength | Total number of requests waiting to get routed. Look at max and average.
SpilloverCount | Requests dropped because the surge queue was full. Look at sum.
HTTPCode_ELB_4XX, HTTPCode_ELB_5XX | The number of HTTP 4XX/5XX error codes that originate from the load balancer. This count does not include any response codes generated by the targets. Look at sum.
HTTPCode_Backend_2XX ... HTTPCode_Backend_5XX | The number of HTTP 2XX ... 5XX response codes that originate from the backend. Look at sum.
RequestCount | Number of completed requests.
HealthyHostCount, UnhealthyHostCount | Self-explanatory.

SpilloverCount and SurgeQueueLength together indicate that the ELB is being overloaded.
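To make the "look at sum / max / average" advice in the table concrete, here is an added Python example (mine, not from the notes or AWS) that reduces a constructed window of Classic Load Balancer datapoints with the recommended statistic per metric and flags overload from SurgeQueueLength and SpilloverCount. The 1,024-request surge queue capacity is the Classic Load Balancer's documented maximum; the datapoints are constructed, not real.

```python
from statistics import mean

# Constructed sample: five consecutive one-minute periods of Classic Load
# Balancer metrics, already reduced to one statistic per period the way
# CloudWatch returns them. Not real data.
SAMPLE_DATAPOINTS = {
    "SurgeQueueLength": [0, 12, 340, 1024, 1024],   # Maximum per period
    "SpilloverCount": [0, 0, 0, 37, 112],            # Sum per period
    "HTTPCode_ELB_5XX": [0, 0, 2, 41, 95],           # Sum per period
    "Latency": [0.08, 0.09, 0.35, 1.90, 2.40],       # Average per period, seconds
}

# Statistics the notes recommend looking at for each metric.
RECOMMENDED_STATISTICS = {
    "Latency": ("max", "average"),
    "SurgeQueueLength": ("max", "average"),
    "SpilloverCount": ("sum",),
    "HTTPCode_ELB_5XX": ("sum",),
}

_AGGREGATORS = {"sum": sum, "max": max, "min": min, "average": mean}


def aggregate(values, statistic):
    """Reduce a list of per-period values with one CloudWatch-style statistic."""
    return _AGGREGATORS[statistic](values)


def summarize(datapoints, recommended=RECOMMENDED_STATISTICS):
    """Return {metric: {statistic: value}} using only the recommended statistics."""
    return {
        metric: {stat: aggregate(values, stat) for stat in recommended[metric]}
        for metric, values in datapoints.items()
        if metric in recommended
    }


def is_overloaded(datapoints, surge_queue_capacity=1024):
    """Overload check: the surge queue of a Classic Load Balancer holds at most
    1,024 requests; once it is full, further requests are dropped and counted
    in SpilloverCount. Flag overload if the queue reached capacity or anything
    spilled over during the window."""
    summary = summarize(datapoints)
    queue_max = summary.get("SurgeQueueLength", {}).get("max", 0)
    spill_sum = summary.get("SpilloverCount", {}).get("sum", 0)
    return queue_max >= surge_queue_capacity or spill_sum > 0


def overload_report(datapoints):
    """One line per metric with its recommended statistics, then the verdict
    (the kind of summary you would put into a runbook check)."""
    summary = summarize(datapoints)
    lines = [f"{metric}: " + ", ".join(f"{stat}={value:g}" for stat, value in stats.items())
             for metric, stats in summary.items()]
    lines.append("overloaded" if is_overloaded(datapoints) else "healthy")
    return lines
```

In a real alarm you would evaluate SpilloverCount with the Sum statistic over a short period and SurgeQueueLength with Maximum, which is exactly what `summarize` does here for the constructed window.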

ALB

Metric | Effect
--- | ---
RequestCount | Number of completed requests.
HealthyHostCount, UnhealthyHostCount | Self-explanatory.
TargetResponseTime | The time elapsed after the request leaves the load balancer until a response from the target is received.
HTTPCode_ELB_3XX_Count, HTTPCode_ELB_4XX_Count, HTTPCode_ELB_5XX_Count | The number of HTTP 3XX/4XX/5XX codes that originate from the load balancer. This count does not include any response codes generated by the targets.

NLB

Metric | Effect
--- | ---
ProcessedBytes | The total number of bytes processed by the load balancer, including TCP/IP headers.
TCP_Client_Reset_Count | The total number of reset (RST) packets sent from a client to a target.
TCP_ELB_Reset_Count | The total number of reset (RST) packets generated by the load balancer.
TCP_Target_Reset_Count | The total number of reset (RST) packets sent from a target to a client.

Tutorials

Service | Tutorial | Steps
--- | --- | ---
CloudWatch Events/EventBridge | Relay Events to AWS Systems Manager Run Command | Configure event: ASG, Instance Launch and Terminate, EC2 Instance-launch Lifecycle Action. Target: SSM Run Command, add command(s).
CloudWatch Events/EventBridge | Log the State of an Amazon EC2 Instance | Configure event: EC2, Instance State Change, specific state: Running. Invoke a Lambda that logs the state from the incoming event.
CloudWatch Events/EventBridge | Log the State of an Auto Scaling Group | Configure event: ASG, Instance Launch and Terminate, EC2 Instance-launch Lifecycle Action. Invoke a Lambda that logs the state from the incoming event.
CloudWatch Events/EventBridge | Log Amazon S3 Object-Level Operations | Configure a CloudTrail trail to monitor the S3 bucket(s) (no events otherwise). Implement a Lambda that logs the state. Configure the event to trigger on PutObject. Invoke the Lambda.
CloudWatch Events/EventBridge | Use Input Transformer to Customize What Is Passed to the Event Target | .
CloudWatch Events/EventBridge | Log AWS API Calls | .
CloudWatch Events/EventBridge | Schedule Automated Amazon EBS Snapshots | .
CloudWatch Events/EventBridge | Set AWS Systems Manager Automation as an EventBridge Target | .
CloudWatch Events/EventBridge | Relay Events to a Kinesis Stream | .
CloudWatch Events/EventBridge | Run an Amazon ECS Task When a File Is Uploaded to an Amazon S3 Bucket | .
CloudWatch Events/EventBridge | Schedule Automated Builds Using AWS CodeBuild | .
CloudWatch Events/EventBridge | Log State Changes of Amazon EC2 Instances | .
CloudWatch Events/EventBridge | Download Code Bindings for Events using the EventBridge Schema Registry | .
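The "Log the State of an Amazon EC2 Instance" tutorial boils down to an event pattern, a rule target and events that either match or do not. The following added Python example (mine, not from the notes or AWS) implements a minimal version of EventBridge's pattern matching, the logging Lambda handler from that tutorial, and a dispatcher that ties them together. The event pattern follows the documented shape; the instance id, account id and event id are placeholders; the matching semantics cover only exact values and nested objects, not content filters such as prefix or anything-but.

```python
import json

# Event pattern for the "Log the State of an Amazon EC2 Instance" tutorial:
# EC2 state-change notifications, narrowed to the "running" state.
EC2_RUNNING_PATTERN = {
    "source": ["aws.ec2"],
    "detail-type": ["EC2 Instance State-change Notification"],
    "detail": {"state": ["running"]},
}


def matches(pattern, event):
    """Minimal EventBridge pattern matching.

    Every key in the pattern must exist in the event; a list means "any of
    these exact values"; a nested dict is matched recursively. Content filters
    (prefix, anything-but, numeric) are not implemented in this example.
    """
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif isinstance(expected, list):
            # An event field may itself be an array; it matches if any of its
            # values is one of the pattern's values.
            candidates = actual if isinstance(actual, list) else [actual]
            if not any(value in expected for value in candidates):
                return False
        else:
            raise ValueError(f"pattern values must be lists or objects, got {expected!r}")
    return True


def lambda_handler(event, context):
    """Rule target from the tutorial: log the instance id and its new state."""
    detail = event.get("detail", {})
    message = f"instance {detail.get('instance-id')} is now {detail.get('state')}"
    print(json.dumps({"message": message, "event": event}))
    return message


def route(event, rules):
    """Dispatch an event to every rule whose pattern matches. `rules` is a list
    of (pattern, handler) pairs; returns the handlers' results in order."""
    return [handler(event, None) for pattern, handler in rules if matches(pattern, event)]


# Constructed sample events in the shape EC2 publishes; ids are placeholders.
RUNNING_EVENT = {
    "version": "0",
    "id": "00000000-0000-0000-0000-000000000000",
    "detail-type": "EC2 Instance State-change Notification",
    "source": "aws.ec2",
    "account": "123456789012",
    "region": "us-east-1",
    "detail": {"instance-id": "i-0123456789abcdef0", "state": "running"},
}
STOPPED_EVENT = {**RUNNING_EVENT,
                 "detail": {"instance-id": "i-0123456789abcdef0", "state": "stopped"}}
```

Running `route(RUNNING_EVENT, [(EC2_RUNNING_PATTERN, lambda_handler)])` invokes the handler once; the stopped event produces no invocation because the `detail.state` list in the pattern does not contain "stopped".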

CodeBuild (Core Service)

Overview

AWS CodeBuild is a fully managed continuous integration service that compiles source code, runs tests, and produces software packages that are ready to deploy. With CodeBuild, you don’t need to provision, manage, and scale your own build servers. CodeBuild scales continuously and processes multiple builds concurrently, so your builds are not left waiting in a queue. You can get started quickly by using prepackaged build environments, or you can create custom build environments that use your own build tools. With CodeBuild, you are charged by the minute for the compute resources you use.

Benefits

Components

How it works

Section | Keys | Comment
--- | --- | ---
version | 0.3 | .
run-as | . | .
env | variables, parameter-store, exported-variables, secrets-manager, git-credentials-helper | .
phases | install, pre_build, build, post_build | Every phase has a finally section. Failed build transitions to post_build, all others to finalizing.
reports | . | .
artifacts, secondary-artifacts | . | .
cache | paths | .

CodeCommit (Core Service)

Overview

AWS CodeCommit is a fully-managed source control service that hosts secure Git-based repositories. It makes it easy for teams to collaborate on code in a secure and highly scalable ecosystem. CodeCommit eliminates the need to operate your own source control system or worry about scaling its infrastructure. You can use CodeCommit to securely store anything from source code to binaries, and it works seamlessly with your existing Git tools.

Benefits

How To

Protect branches

Use an IAM policy with this condition block (it limits the statement to requests that reference the protected branch):

"Condition": {
    "StringEqualsIfExists": {
        "codecommit:References": [
            "refs/heads/master"
        ]
    },
    "Null": {
        "codecommit:References": false
    }
}
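Why the condition needs both operators is easiest to see by evaluating it. The Python below is an added example (mine, not the notes' or AWS's code) that models IAM's evaluation of the two operators used above against three constructed request contexts. The Deny statement's action list (for example `codecommit:GitPush`) is assumed and not shown, and a multi-valued `codecommit:References` key is treated as matching if any of its values matches, which is a simplification of this example rather than a statement about IAM set operators.

```python
# The Condition block from the notes, as Python. It belongs in a Deny
# statement on the CodeCommit write actions to block on master (assumed,
# e.g. codecommit:GitPush); the actions are not part of this example.
PROTECT_MASTER_CONDITION = {
    "StringEqualsIfExists": {"codecommit:References": ["refs/heads/master"]},
    "Null": {"codecommit:References": False},
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def condition_matches(condition, request_keys):
    """Evaluate an IAM Condition block against a request's condition keys.

    IAM semantics reproduced here: every operator block must be true (AND);
    several values listed for one key are alternatives (OR). Only the two
    operators used in the branch-protection condition are implemented.
    """
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            present = key in request_keys
            actual = _as_list(request_keys[key]) if present else []
            if operator == "StringEqualsIfExists":
                # True when the key is absent; otherwise some value must match.
                # (Any-of over a multi-valued key is this example's assumption.)
                if present and not any(v in _as_list(expected) for v in actual):
                    return False
            elif operator == "Null":
                # Null:false -> key must be present; Null:true -> must be absent.
                want_absent = str(expected).lower() == "true"
                if present == want_absent:
                    return False
            else:
                raise NotImplementedError(f"operator {operator} is not modelled")
    return True


def decision(condition, request_keys):
    """What a Deny statement carrying this condition does with the request."""
    return "denied" if condition_matches(condition, request_keys) else "not matched"


# Constructed request contexts (what IAM would see for three different calls).
PUSH_TO_MASTER = {"codecommit:References": ["refs/heads/master"]}
PUSH_TO_FEATURE = {"codecommit:References": ["refs/heads/feature/login"]}
NO_REFERENCES = {}  # a call that carries no refs at all (e.g. a read API call)
```

Dropping the `Null` clause makes `StringEqualsIfExists` evaluate to true for every request that has no `codecommit:References` key, so the Deny would then hit every action in the statement that does not carry refs, not just pushes to master.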

Send Notifications

Triggers


CodeDeploy (Core Service)

Overview

AWS CodeDeploy is a fully managed deployment service that automates software deployments to a variety of compute services such as Amazon EC2, AWS Fargate, AWS Lambda, and your on-premises servers. AWS CodeDeploy makes it easier for you to rapidly release new features, helps you avoid downtime during application deployment, and handles the complexity of updating your applications. You can use AWS CodeDeploy to automate software deployments, eliminating the need for error-prone manual operations. The service scales to match your deployment needs.

Components

The AppSpec file skeleton differs per compute platform.

EC2/On-Premises:

version: 0.0
os: operating-system-name
files:
  source-destination-files-mappings
permissions:
  permissions-specifications
hooks:
  deployment-lifecycle-event-mappings

The hooks section contains mappings that link one or more scripts to lifecycle events.

ECS:

version: 0.0
resources: ecs-service-specifications
hooks:
  deployment-lifecycle-event-mappings

The hooks section specifies Lambda validation functions.

Lambda:

version: 0.0
resources: lambda-function-specifications
hooks:
  deployment-lifecycle-event-mappings

The hooks section specifies Lambda validation functions.

How it works

Overview

Notifications and logging

Rollback

Deploys

To EC2/On-premises

Step | Comment
--- | ---
Create application | .
Specify deployment group | Tags and/or ASG name.
Specify deployment configuration | AllAtOnce, HalfAtATime, OneAtATime (default). In-place (default) or Blue/green.
Upload revision | .
Deploy | .
Check results | .
Redeploy as needed | .
Integration with Elastic Load Balancing
Integration with Auto Scaling Groups
Register on-premises instances

To Lambdas

Step | Comment
--- | ---
Create application | .
Specify deployment group | Only a name; the Lambda functions are specified in the AppSpec file.
Specify deployment configuration | LambdaCanary10Percent5Minutes/10Minutes/15Minutes/30Minutes, LambdaLinear10PercentEvery1Minute/2Minutes/3Minutes/10Minutes, LambdaAllAtOnce. Only Blue/green.
Specify an AppSpec file | S3 (local with AWS CLI)
Deploy | .
Check results | .
Redeploy as needed | .
Integration with AWS Serverless
DeploymentPreference:
 Type: Canary10Percent10Minutes
 Alarms:
   # A list of alarms that you want to monitor
   - !Ref AliasErrorMetricGreaterThanZeroAlarm
 Hooks:
   # Validation Lambda functions that are run before & after traffic shifting
   PreTraffic: !Ref PreTrafficLambdaFunction
   PostTraffic: !Ref PostTrafficLambdaFunction

To ECS

Step | Comment
--- | ---
Create ECS service | Set its deployment controller to CodeDeploy.
Create application | .
Specify deployment group | Specify the ECS cluster and service name; the production listener, optional test listener and target groups; deployment settings such as when to reroute production traffic to the replacement ECS task set; optional settings such as triggers, alarms and rollback behaviour.
Specify deployment configuration | ECSCanary10Percent5Minutes/15Minutes, ECSLinear10PercentEvery1Minutes/3Minutes, ECSAllAtOnce. Only Blue/green.
Specify an AppSpec file | S3 (local with AWS CLI)
Deploy | .
Check results | .
Redeploy as needed | .
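For the Lambda and ECS configurations listed above, the following added Python example (mine, not part of the notes or of CodeDeploy) turns a predefined configuration name into its traffic-shifting schedule and simulates a deployment against a constructed alarm, showing where a rollback would leave traffic. Taking minute 0 as the moment of the first shift and checking the alarm once per minute are simplifications of this example.

```python
import re

# Predefined configuration names as in the tables above, optionally prefixed
# with "CodeDeployDefault." the way the console and API show them.
_CONFIG_RE = re.compile(
    r"^(?:CodeDeployDefault\.)?(?:Lambda|ECS)"
    r"(?P<kind>Canary|Linear)(?P<pct>\d+)Percent(?:Every)?(?P<min>\d+)Minutes?$"
)


def traffic_schedule(config_name):
    """Return [(minute, percent_on_replacement), ...] for a predefined Lambda
    or ECS deployment configuration.

    Canary: shift <pct> immediately, the rest after <min> minutes.
    Linear: shift <pct> now and another <pct> every <min> minutes until 100.
    AllAtOnce: everything at minute 0.
    Minute 0 is taken as the moment the first shift happens (simplification).
    """
    if config_name.endswith("AllAtOnce"):
        return [(0, 100)]
    m = _CONFIG_RE.match(config_name)
    if not m:
        raise ValueError(f"not a predefined Lambda/ECS configuration: {config_name}")
    pct, minutes = int(m["pct"]), int(m["min"])
    if m["kind"] == "Canary":
        return [(0, pct), (minutes, 100)]
    steps, shifted, minute = [], 0, 0
    while shifted < 100:
        shifted = min(100, shifted + pct)
        steps.append((minute, shifted))
        minute += minutes
    return steps


def simulate_deployment(config_name, alarm_in_alarm):
    """Walk the schedule minute by minute, consulting alarm_in_alarm(minute),
    a stand-in for the CloudWatch alarms attached to the deployment group.
    An alarm firing means CodeDeploy routes all traffic back to the original
    version. Returns (outcome, percent_shifted_when_it_ended, minute)."""
    steps = traffic_schedule(config_name)
    end_minute = steps[-1][0]
    percent, idx = 0, 0
    for minute in range(end_minute + 1):
        while idx < len(steps) and steps[idx][0] == minute:
            percent = steps[idx][1]
            idx += 1
        if alarm_in_alarm(minute):
            return ("rolled_back", percent, minute)
    return ("succeeded", percent, end_minute)


def alarm_from_minute(start):
    """Constructed alarm: in ALARM state from `start` on, OK before that."""
    return lambda minute: minute >= start
```

The simulation makes the trade-off behind canary versus linear visible: with `LambdaCanary10Percent5Minutes` an alarm at minute 3 rolls back with only 10% of traffic ever exposed, while `LambdaLinear10PercentEvery2Minutes` has already reached 30% by the same minute 5.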

CodePipeline (Core Service)

Overview

AWS CodePipeline is a fully managed continuous delivery service that helps you automate your release pipelines for fast and reliable application and infrastructure updates. CodePipeline automates the build, test, and deploy phases of your release process every time there is a code change, based on the release model you define. This enables you to rapidly and reliably deliver features and updates. You can easily integrate AWS CodePipeline with third-party services such as GitHub or with your own custom plugin. With AWS CodePipeline, you only pay for what you use. There are no upfront fees or long-term commitments.

Benefits

Components

Pipeline Actions

Scenarios

CodePipeline with


CodeStar

Overview

AWS CodeStar enables you to quickly develop, build, and deploy applications on AWS. AWS CodeStar provides a unified user interface, enabling you to easily manage your software development activities in one place. With AWS CodeStar, you can set up your entire continuous delivery toolchain in minutes, allowing you to start releasing code faster. AWS CodeStar makes it easy for your whole team to work together securely, allowing you to easily manage access and add owners, contributors, and viewers to your projects. Each AWS CodeStar project comes with a project management dashboard, including an integrated issue tracking capability powered by Atlassian JIRA Software. With the AWS CodeStar project dashboard, you can easily track progress across your entire software development process, from your backlog of work items to teams’ recent code deployments.

Benefits

Under the hood

Uses cfn-transform to generate cfn from template.yml


Config (Core Service)

Overview

AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations. With Config, you can review changes in configurations and relationships between AWS resources, dive into detailed resource configuration histories, and determine your overall compliance against the configurations specified in your internal guidelines. This enables you to simplify compliance auditing, security analysis, change management, and operational troubleshooting.

Config Rules

Automation

Aggregation

An aggregator is an AWS Config resource type that collects AWS Config configuration and compliance data from the following:


DynamoDB

Overview

Amazon DynamoDB is a key-value and document database that delivers single-digit millisecond performance at any scale. It's a fully managed, multi-region, multi-master, durable database with built-in security, backup and restore, and in-memory caching for internet-scale applications. DynamoDB can handle more than 10 trillion requests per day and can support peaks of more than 20 million requests per second.

Keys and indexes

PK & Sort key

Secondary indexes

Projected attributes

Local secondary index

Global secondary index

Capacity provisioning

Step | Example
--- | ---
Requirement | 300 strongly consistent reads of 11KB per minute
Calculate reads/writes per second | 300r / 60s = 5r/s
Multiply by the payload factor (item size rounded up to whole 4KB read units) | 5r/s * (11KB/4KB) = 15cu
If eventually consistent, divide by 2 | 15cu / 2 = 8cu
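The calculation in the table, as an added Python example (mine, not from the notes) that also covers write capacity units, transactional operations, and the rounding of item sizes to whole 4 KB read / 1 KB write units that the 11KB/4KB step relies on.

```python
from math import ceil

READ_UNIT_KB = 4.0    # one RCU: one strongly consistent read of up to 4 KB per second
WRITE_UNIT_KB = 1.0   # one WCU: one write of up to 1 KB per second


def read_capacity_units(reads_per_minute, item_kb, strongly_consistent=True, transactional=False):
    """Provisioned RCUs following the steps in the table above.

    The item size is rounded up to whole 4 KB units per read; eventually
    consistent reads cost half; transactional reads cost double.
    """
    reads_per_second = reads_per_minute / 60
    units_per_read = ceil(item_kb / READ_UNIT_KB)
    rcu = reads_per_second * units_per_read
    if transactional:
        rcu *= 2
    elif not strongly_consistent:
        rcu /= 2
    return ceil(rcu)


def write_capacity_units(writes_per_minute, item_kb, transactional=False):
    """Provisioned WCUs: item size rounded up to whole 1 KB units per write;
    transactional writes cost double."""
    writes_per_second = writes_per_minute / 60
    units_per_write = ceil(item_kb / WRITE_UNIT_KB)
    wcu = writes_per_second * units_per_write
    if transactional:
        wcu *= 2
    return ceil(wcu)


def worked_example():
    """The table's case: 300 strongly consistent 11 KB reads per minute,
    strongly consistent and eventually consistent."""
    strong = read_capacity_units(300, 11)                                # 5 r/s * 3 units = 15
    eventual = read_capacity_units(300, 11, strongly_consistent=False)   # 7.5 -> rounded up to 8
    return strong, eventual
```

Note that the rounding happens per item before multiplying by the rate: an 11 KB item costs three read units, not 2.75, which is why the table arrives at 15 and not 13.75.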

DynamoDB Accelerator (DAX)

Amazon DynamoDB Accelerator (DAX) is a fully managed, highly available, in-memory cache for DynamoDB that delivers up to a 10x performance improvement – from milliseconds to microseconds – even at millions of requests per second. DAX does all the heavy lifting required to add in-memory acceleration to your DynamoDB tables, without requiring developers to manage cache invalidation, data population, or cluster management. Now you can focus on building great applications for your customers without worrying about performance at scale. You do not need to modify application logic, since DAX is compatible with existing DynamoDB API calls. You can enable DAX with just a few clicks in the AWS Management Console or using the AWS SDK. Just as with DynamoDB, you only pay for the capacity you provision.

DynamoDB Streams

DynamoDB Streams captures a time-ordered sequence of item-level modifications in any DynamoDB table and stores this information in a log for up to 24 hours. Applications can access this log and view the data items as they appeared before and after they were modified, in near-real time.

A DynamoDB stream is an ordered flow of information about changes to items in a DynamoDB table. When you enable a stream on a table, DynamoDB captures information about every modification to data items in the table.

Global Tables

Amazon DynamoDB global tables provide a fully managed solution for deploying a multi-region, multi-master database, without having to build and maintain your own replication solution. With global tables you can specify the AWS Regions where you want the table to be available. DynamoDB performs all of the necessary tasks to create identical tables in these Regions and propagate ongoing data changes to all of them.


ECS

Overview

Amazon Elastic Container Service (Amazon ECS) is a highly scalable, fast, container management service that makes it easy to run, stop, and manage Docker containers on a cluster. You can host your cluster on a serverless infrastructure that is managed by Amazon ECS by launching your services or tasks using the Fargate launch type. For more control you can host your tasks on a cluster of Amazon Elastic Compute Cloud (Amazon EC2) instances that you manage by using the EC2 launch type.

Benefits

Components

[Cluster
  [Services
    [Task Definitions
      [Family]
      [Task role/execution role]
      [Network mode]
      [Container Definitions
        [Name/Image]
        [Memory/Port Mappings]
        [Health Check]
        [Environment]
        [Network Settings]
        [Storage and Logging]
        [Security]
        [Resource Limit]
        [Docker labels]
      ]
    ]
  ]
]

Auto Scaling

Logging

ECR

Fargate


Elastic Beanstalk (Core Service)

Overview

AWS Elastic Beanstalk is an easy-to-use service for deploying and scaling web applications and services developed with Java, .NET, PHP, Node.js, Python, Ruby, Go, and Docker on familiar servers such as Apache, Nginx, Passenger, and IIS.

You can simply upload your code and Elastic Beanstalk automatically handles the deployment, from capacity provisioning, load balancing, auto-scaling to application health monitoring. At the same time, you retain full control over the AWS resources powering your application and can access the underlying resources at any time.

Concepts

Components

Resources in the CloudFormation stack, per environment type:

Web Application (non-docker) | Web Application (docker, runs on ECS) | Worker
--- | --- | ---
AWS::AutoScaling::AutoScalingGroup | AWS::AutoScaling::AutoScalingGroup | AWS::CloudFormation::WaitConditionHandle
AWS::AutoScaling::LaunchConfiguration | AWS::AutoScaling::LaunchConfiguration | AWS::DynamoDB::Table
AWS::AutoScaling::ScalingPolicy | AWS::CloudFormation::WaitCondition | AWS::EC2::SecurityGroup
AWS::CloudFormation::WaitCondition | AWS::CloudFormation::WaitConditionHandle | AWS::SQS::Queue
AWS::CloudFormation::WaitConditionHandle | AWS::EC2::EIP | .
AWS::CloudWatch::Alarm | AWS::EC2::SecurityGroup | .
AWS::EC2::SecurityGroup | . | .
AWS::EC2::SecurityGroupIngress | . | .
AWS::ElasticLoadBalancing::LoadBalancer | . | .

Configuration precedence

Configuration options, sorted by precedence (highest first):

1. Settings applied directly to the environment (via console, eb-cli, ...)
2. Existing configuration saved into .elasticbeanstalk
3. .ebextensions in the project
4. Default values (as the name says)

Deployment Types

Limits

Resource | Limit
--- | ---
Applications | 75
Application Versions | 1000
Configuration Templates | 2000
Environments | 200

Elasticsearch Service

Amazon Elasticsearch Service is a fully managed service that makes it easy for you to deploy, secure, and run Elasticsearch cost effectively at scale. You can build, monitor, and troubleshoot your applications using the tools you love, at the scale you need. The service provides support for open source Elasticsearch APIs, managed Kibana, integration with Logstash and other AWS services, and built-in alerting and SQL querying. Amazon Elasticsearch Service lets you pay only for what you use – there are no upfront costs or usage requirements. With Amazon Elasticsearch Service, you get the ELK stack you need, without the operational overhead.

Overview

ELK

DynamoDB -> DynamoDB Stream -> Lambda -> AWS ES
CloudWatch Logs -> Subscription Filter -> Lambda -> AWS ES (real time)
CloudWatch Logs -> Subscription Filter -> Kinesis Firehose -> AWS ES (near real time)


GuardDuty (Core Service)

Overview

Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts and workloads. With the cloud, the collection and aggregation of account and network activities is simplified, but it can be time consuming for security teams to continuously analyze event log data for potential threats. With GuardDuty, you now have an intelligent and cost-effective option for continuous threat detection in the AWS Cloud. The service uses machine learning, anomaly detection, and integrated threat intelligence to identify and prioritize potential threats. GuardDuty analyzes tens of billions of events across multiple AWS data sources, such as AWS CloudTrail, Amazon VPC Flow Logs, and DNS logs. With a few clicks in the AWS Management Console, GuardDuty can be enabled with no software or hardware to deploy or maintain. By integrating with Amazon CloudWatch Events, GuardDuty alerts are actionable, easy to aggregate across multiple accounts, and straightforward to push into existing event management and workflow systems.


Kinesis (Core Service)

Amazon Kinesis makes it easy to collect, process, and analyze real-time, streaming data so you can get timely insights and react quickly to new information. Amazon Kinesis offers key capabilities to cost-effectively process streaming data at any scale, along with the flexibility to choose the tools that best suit the requirements of your application. With Amazon Kinesis, you can ingest real-time data such as video, audio, application logs, website clickstreams, and IoT telemetry data for machine learning, analytics, and other applications. Amazon Kinesis enables you to process and analyze data as it arrives and respond instantly instead of having to wait until all your data is collected before the processing can begin.

[various data sources]->Kinesis Streams->Kinesis Analytics->Kinesis Firehose->[S3]

Overview

Kinesis Data Stream

Kinesis Data Firehose

Kinesis Data Streams | Kinesis Firehose
--- | ---
Must manage scaling | Fully managed
Real time | Near real time
Data storage | No data storage
Can write custom code for consumers/producers | Serverless (Lambda)

For real time delivery Kinesis data streams are the only option.

Kinesis Data Analytics

Limits

Service | Component | Limit
--- | --- | ---
Kinesis Streams | Producer | 1MB/s or 1000 messages/s write per shard (exceeding it raises ProvisionedThroughputExceededException)
Kinesis Streams | Consumer (classic) | 2MB/s read per shard
Kinesis Streams | Consumer (classic) | 5 API calls per second per shard
Kinesis Streams | Data retention | 7 days
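Shard sizing follows directly from the per-shard limits above. The following is an added Python example (mine, not from the notes) that computes the shard count needed for given producer and classic-consumer rates, tells whether a producer rate would be throttled, and derives how often each classic consumer can poll. The sample rates are constructed.

```python
from math import ceil

# Per-shard limits from the table above.
WRITE_MB_PER_SHARD = 1.0
WRITE_RECORDS_PER_SHARD = 1000
READ_MB_PER_SHARD = 2.0        # shared by all classic (polling) consumers of a shard
READ_CALLS_PER_SHARD = 5       # GetRecords calls per second per shard, shared as well


def shards_needed(write_mb_s, write_records_s, classic_consumers=1):
    """Smallest shard count that keeps producers under the write limits and
    classic consumers under the read limit. Every classic consumer reads the
    whole stream, so read demand is the write volume times the consumer count."""
    read_mb_s = write_mb_s * classic_consumers
    return max(
        ceil(write_mb_s / WRITE_MB_PER_SHARD),
        ceil(write_records_s / WRITE_RECORDS_PER_SHARD),
        ceil(read_mb_s / READ_MB_PER_SHARD),
        1,
    )


def would_throttle(shards, write_mb_s, write_records_s):
    """True if producers at this rate would see ProvisionedThroughputExceededException."""
    return (write_mb_s > shards * WRITE_MB_PER_SHARD
            or write_records_s > shards * WRITE_RECORDS_PER_SHARD)


def min_poll_interval_ms(classic_consumers):
    """With 5 GetRecords calls per second per shard shared across consumers,
    each classic consumer can poll at most this often (ms between calls)."""
    return ceil(1000 * classic_consumers / READ_CALLS_PER_SHARD)


def worked_example():
    """Constructed load: 4,000 records/s of 2 KB each (8 MB/s) with three
    classic consumers. Reads, not writes, dictate the shard count."""
    write_mb_s = 4000 * 2 / 1024
    return shards_needed(write_mb_s, 4000, classic_consumers=3)
```

The worked example shows the common exam trap: 8 MB/s of writes needs 8 shards, but three classic consumers each reading that 8 MB/s need 24 MB/s of read capacity, which at 2 MB/s per shard means 12 shards (enhanced fan-out consumers, which have dedicated throughput, would change that arithmetic).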

Lambda (Core Service)

Overview

AWS Lambda lets you run code without provisioning or managing servers. You pay only for the compute time you consume - there is no charge when your code is not running. With Lambda, you can run code for virtually any type of application or backend service - all with zero administration. Just upload your code and Lambda takes care of everything required to run and scale your code with high availability. You can set up your code to automatically trigger from other AWS services or call it directly from any web or mobile app.

Managing Functions

triggers -> function & layers -> destinations

Versions

Aliases

Layers

Network

Database

Invoking Functions

Synchronous/Asynchronous/Event Source Invocation

Function Scaling

Monitoring and troubleshooting


License Manager

Overview

AWS License Manager makes it easier to manage your software licenses from software vendors such as Microsoft, SAP, Oracle, and IBM across AWS and on-premises environments. AWS License Manager lets administrators create customized licensing rules that emulate the terms of their licensing agreements, and then enforces these rules when an instance of EC2 gets launched. Administrators can use these rules to help prevent licensing violations, such as using more licenses than an agreement stipulates. The rules in AWS License Manager enable you to help prevent a licensing breach by stopping the instance from launching or by notifying administrators about the infringement. Administrators gain control and visibility of all their licenses with the AWS License Manager dashboard and reduce the risk of non-compliance, misreporting, and additional costs due to licensing overages.


Macie

Overview

Amazon Macie is a security service that uses machine learning to automatically discover, classify, and protect sensitive data in AWS. Amazon Macie recognizes sensitive data such as personally identifiable information (PII) or intellectual property, and provides you with dashboards and alerts that give visibility into how this data is being accessed or moved. The fully managed service continuously monitors data access activity for anomalies, and generates detailed alerts when it detects risk of unauthorized access or inadvertent data leaks. Amazon Macie is available to protect data stored in Amazon S3.


Managed Services

Overview

As enterprise customers move towards adopting the cloud at scale, some find their people need help and time to gain AWS skills and experience. AWS Managed Services (AMS) operates AWS on your behalf, providing a secure and compliant AWS Landing Zone, a proven enterprise operating model, on-going cost optimization, and day-to-day infrastructure management. By implementing best practices to maintain your infrastructure, AWS Managed Services helps to reduce your operational overhead and risk. AWS Managed Services automates common activities, such as change requests, monitoring, patch management, security, and backup services, and provides full-lifecycle services to provision, run, and support your infrastructure. AWS Managed Services unburdens you from infrastructure operations so you can direct resources toward differentiating your business.


OpsWorks Stacks (Core Service)

Overview

AWS OpsWorks is a configuration management service that provides managed instances of Chef and Puppet. Chef and Puppet are automation platforms that allow you to use code to automate the configurations of your servers. OpsWorks lets you use Chef and Puppet to automate how servers are configured, deployed, and managed across your Amazon EC2 instances or on-premises compute environments.

Components

Lifecycle Events

Event | Description
--- | ---
Setup | Occurs after a started instance has finished booting.
Configure | Occurs on all of the stack's instances when one of the following occurs: an instance enters or leaves the online state; you associate an Elastic IP address with an instance or disassociate one from an instance; you attach an Elastic Load Balancing load balancer to a layer, or detach one from a layer.
Deploy | Occurs when you run a Deploy command.
Undeploy | Occurs when you run an Undeploy command.
Shutdown | Occurs after you direct AWS OpsWorks Stacks to shut an instance down but before the associated Amazon EC2 instance is actually terminated.

Under the hood


Organizations

Overview

AWS Organizations offers policy-based management for multiple AWS accounts. With Organizations, you can create groups of accounts, automate account creation, apply and manage policies for those groups. Organizations enables you to centrally manage policies across multiple accounts, without requiring custom scripts and manual processes.

Using AWS Organizations, you can create Service Control Policies (SCPs) that centrally control AWS service use across multiple AWS accounts. You can also use Organizations to help automate the creation of new accounts through APIs. Organizations helps simplify the billing for multiple accounts by enabling you to setup a single payment method for all the accounts in your organization through consolidated billing. AWS Organizations is available to all AWS customers at no additional charge.

Benefits

Service Control Policies (SCP)

Service control policies (SCPs) are one type of policy that you can use to manage your organization. SCPs offer central control over the maximum available permissions for all accounts in your organization, allowing you to ensure your accounts stay within your organization’s access control guidelines. SCPs are available only in an organization that has all features enabled. SCPs aren't available if your organization has enabled only the consolidated billing features. SCPs do not apply for the master account itself.

Tag Policies

Tag policies are a type of policy that can help you standardize tags across resources in your organization's accounts. In a tag policy, you specify tagging rules applicable to resources when they are tagged.

Limits

Resource | Limit
--- | ---
Maximum linked accounts | 20

Personal Health Dashboard

Overview

AWS Personal Health Dashboard provides alerts and remediation guidance when AWS is experiencing events that may impact you. While the Service Health Dashboard displays the general status of AWS services, Personal Health Dashboard gives you a personalized view into the performance and availability of the AWS services underlying your AWS resources.

The dashboard displays relevant and timely information to help you manage events in progress, and provides proactive notification to help you plan for scheduled activities. With Personal Health Dashboard, alerts are triggered by changes in the health of AWS resources, giving you event visibility, and guidance to help quickly diagnose and resolve issues.


QuickSight

Overview

Amazon QuickSight is a fast, cloud-powered business intelligence service that makes it easy to deliver insights to everyone in your organization.

As a fully managed service, QuickSight lets you easily create and publish interactive dashboards that include ML Insights. Dashboards can then be accessed from any device, and embedded into your applications, portals, and websites.


Redshift

Overview

Amazon Redshift is a fully managed, petabyte-scale data warehouse service in the cloud. An Amazon Redshift data warehouse is a collection of computing resources called nodes, which are organized into a group called a cluster. Each cluster runs an Amazon Redshift engine and contains one or more databases.


Relational Database Service

Overview

Amazon Relational Database Service (Amazon RDS) makes it easy to set up, operate, and scale a relational database in the cloud. It provides cost-efficient and resizable capacity while automating time-consuming administration tasks such as hardware provisioning, database setup, patching and backups. It frees you to focus on your applications so you can give them the fast performance, high availability, security and compatibility they need.

Amazon RDS is available on several database instance types - optimized for memory, performance or I/O - and provides you with six familiar database engines to choose from, including Amazon Aurora, PostgreSQL, MySQL, MariaDB, Oracle Database, and SQL Server. You can use the AWS Database Migration Service to easily migrate or replicate your existing databases to Amazon RDS.

Backups

Multi-AZ deployments

Provide enhanced availability for database instances within a single AWS Region.

Read replicas


Route 53

Overview

Amazon Route 53 is a highly available and scalable Domain Name System (DNS) web service. You can use Route 53 to perform three main functions in any combination: domain registration, DNS routing, and health checking. If you choose to use Route 53 for all three functions, perform the steps in this order:

Terminology

How it works

Basic Flow

Root Server -> TLD Server -> Domain-Level Name Server -> Zone File

Zone File & Records

The zone file stores records. Various record types exist:

Type | Definition | Example
--- | --- | ---
SOA | Start of Authority. Mandatory first entry; defines various things, e.g. name servers and admin contact | ns1.dnsimple.com admin.dnsimple.com 2013022001 86400 7200 604800 300
A | Maps a host name to an IPv4 address | px01.vc.example.com. 198.51.100.40
AAAA | Maps a host name to an IPv6 address | px01.vc.example.com. 2a00:1450:4014:80c:0:0:0:2004
CNAME | Defines an alias for a host name (maps one domain name to another) | www.dnsimple.com. dnsimple.com.
MX | Defines a mail exchange | example.com. 1800 MX mail1.example.com. 10
PTR | Maps an IPv4 address to a host name (inverse of an A record) | 10.27/1.168.192.in-addr.arpa. 1800 PTR mail.example.com.
SRV | Points one domain to another domain name using a specific destination port | _sip._tcp.example.com. 86400 IN SRV 0 5 5060 sipserver.example.com.
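An added Python example (mine, not from the notes) that works with the record formats in the table: it builds the reverse-lookup name a PTR record uses for an address, parses the SOA and SRV examples into their fields, and orders SRV targets by priority and weight. The second "backup" SRV record and the deterministic weight ordering are constructions of this example.

```python
import ipaddress


def reverse_pointer_name(ip):
    """Owner name of the PTR record for an IPv4 or IPv6 address
    (in-addr.arpa / ip6.arpa), as a fully qualified name."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def parse_soa(rdata):
    """Split SOA record data in the order shown in the table: primary name
    server, admin mailbox (its first dot stands for '@'), serial, refresh,
    retry, expire, minimum (negative-caching TTL)."""
    mname, rname, serial, refresh, retry, expire, minimum = rdata.split()
    local, _, domain = rname.rstrip(".").partition(".")
    return {
        "mname": mname,
        "rname": rname,
        "admin_email": f"{local}@{domain}",
        "serial": int(serial),
        "refresh": int(refresh),
        "retry": int(retry),
        "expire": int(expire),
        "minimum": int(minimum),
    }


def parse_srv(line):
    """Parse a full SRV line: owner TTL [class] SRV priority weight port target."""
    fields = line.split()
    if fields[2].upper() == "IN":       # the class is optional in zone files
        del fields[2]
    name, ttl, rtype, priority, weight, port, target = fields
    if rtype.upper() != "SRV":
        raise ValueError(f"not an SRV record: {line}")
    return {"name": name, "ttl": int(ttl), "priority": int(priority),
            "weight": int(weight), "port": int(port), "target": target}


def srv_preference_order(records):
    """Order SRV targets the way a client tries them: lowest priority first,
    and within one priority the higher weight first (a deterministic stand-in
    for the weighted random selection RFC 2782 prescribes)."""
    return [r["target"] for r in sorted(records, key=lambda r: (r["priority"], -r["weight"]))]


# The table's examples plus one constructed lower-preference SRV record.
SOA_EXAMPLE = "ns1.dnsimple.com admin.dnsimple.com 2013022001 86400 7200 604800 300"
SRV_EXAMPLES = [
    "_sip._tcp.example.com. 86400 IN SRV 0 5 5060 sipserver.example.com.",
    "_sip._tcp.example.com. 86400 SRV 10 0 5060 backup.example.com.",   # constructed
]
```

The serial in the SOA example follows the common YYYYMMDDnn convention, which is why `2013022001` reads as a date; the `refresh`, `retry` and `expire` values control how secondaries keep the zone in sync, and `minimum` bounds how long a resolver may cache a negative answer.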

Route53 specific:

Route53 Routing Policies


S3

Overview

Amazon Simple Storage Service (S3) is object storage with a simple web service interface to store and retrieve any amount of data from anywhere on the web. It is designed to deliver 11x9 durability and scale past trillions of objects worldwide.

Versioning

Logging

Cross-Region Replication

Storage classes

Class | Durability | Availability | AZs | Costs per GB | Retrieval Fee | Notes
--- | --- | --- | --- | --- | --- | ---
S3 Standard | 11x9 | 4x9 | >=3 | $0.023 | No | .
S3 Intelligent Tiering | 11x9 | 3x9 | >=3 | $0.023 | No | Automatically moves objects between two access tiers based on changing access patterns
S3 IA (infrequent access) | 11x9 | 3x9 | >=3 | $0.0125 | Yes | For data that is accessed less frequently, but requires rapid access when needed
S3 One Zone IA (infrequent access) | 11x9 | 99.5% | 1 | $0.01 | Yes | For data that is accessed less frequently, but requires rapid access when needed
Glacier | 11x9 | . | >=3 | . | Yes | For archival only; retrieval comes as expedited, standard or bulk
Glacier Deep Archive | 11x9 | . | >=3 | . | Yes | Longer time span to retrieve
S3 RRS (reduced redundancy storage) | 4x9 | 4x9 | >=3 | $0.024 | . | Deprecated

Access Control

Defaults

IAM

Bucket policies

ACLs


Secrets Manager

Overview

AWS Secrets Manager helps you protect secrets needed to access your applications, services, and IT resources. The service enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle. Users and applications retrieve secrets with a call to Secrets Manager APIs, eliminating the need to hardcode sensitive information in plain text. Secrets Manager offers secret rotation with built-in integration for Amazon RDS, Amazon Redshift, and Amazon DocumentDB. Also, the service is extensible to other types of secrets, including API keys and OAuth tokens. In addition, Secrets Manager enables you to control access to secrets using fine-grained permissions and audit secret rotation centrally for resources in the AWS Cloud, third-party services, and on-premises.

Automatically Rotating Your Secrets


Service Catalog (Core Service)

Overview

AWS Service Catalog allows organizations to create and manage catalogs of IT services that are approved for use on AWS. These IT services can include everything from virtual machine images, servers, software, and databases to complete multi-tier application architectures. AWS Service Catalog allows you to centrally manage commonly deployed IT services, and helps you achieve consistent governance and meet your compliance requirements, while enabling users to quickly deploy only the approved IT services they need.

Components


Step Functions

Overview

AWS Step Functions is a web service that enables you to coordinate the components of distributed applications and microservices using visual workflows. You build applications from individual components that each perform a discrete function, or task, allowing you to scale and change applications quickly.

Step Functions provides a reliable way to coordinate components and step through the functions of your application. Step Functions offers a graphical console to visualize the components of your application as a series of steps. It automatically triggers and tracks each step, and retries when there are errors, so your application executes in order and as expected, every time. Step Functions logs the state of each step, so when things go wrong, you can diagnose and debug problems quickly.

Step Functions manages the operations and underlying infrastructure for you to ensure your application is available at any scale.

States

| State | Description | Notes |
|---|---|---|
| Pass | Passes its input to its output, without performing work | |
| Task | Represents a single unit of work performed by a state machine | Can Retry after error |
| Choice | Adds branching logic | |
| Wait | Delays the state machine from continuing for a specified time | |
| Succeed | Stops an execution successfully | |
| Fail | Stops the execution of the state machine and marks it as a failure | |
| Parallel | Create parallel branches of execution | Can Retry after error |
| Map | Run a set of steps for each element of an input array | |
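The state types above combined into one Amazon States Language definition, as an added example that is not part of these notes: the Task carries the Retry and Catch the table refers to, and any error that survives the retries is routed to the Fail state instead of aborting the execution silently. Function and topic ARNs, the account id 123456789012 and the order fields are placeholders.

```json
{
  "Comment": "Added example (not from these notes): one state of each type, with Retry/Catch on the Task. ARNs and account 123456789012 are placeholders.",
  "StartAt": "InitMeta",
  "States": {
    "InitMeta": {
      "Type": "Pass",
      "Result": {"source": "api"},
      "ResultPath": "$.meta", "Next": "FetchOrder"
    },
    "FetchOrder": {
      "Type": "Task",
      "Resource": "arn:aws:lambda:us-east-1:123456789012:function:FetchOrder",
      "ResultPath": "$.order",
      "Retry": [{"ErrorEquals": ["States.Timeout", "Lambda.ServiceException"],
                 "IntervalSeconds": 2, "MaxAttempts": 3, "BackoffRate": 2.0}],
      "Catch": [{"ErrorEquals": ["States.ALL"], "ResultPath": "$.error", "Next": "OrderFailed"}],
      "Next": "IsLargeOrder"
    },
    "IsLargeOrder": {
      "Type": "Choice",
      "Choices": [{"Variable": "$.order.total", "NumericGreaterThan": 1000, "Next": "CoolingOff"}],
      "Default": "ReserveItems"
    },
    "CoolingOff": {"Type": "Wait", "Seconds": 300, "Next": "ReserveItems"},
    "ReserveItems": {
      "Type": "Map",
      "ItemsPath": "$.order.items",
      "MaxConcurrency": 5,
      "Iterator": {
        "StartAt": "ReserveStock",
        "States": {"ReserveStock": {"Type": "Task",
          "Resource": "arn:aws:lambda:us-east-1:123456789012:function:ReserveStock", "End": true}}
      },
      "ResultPath": "$.reservations", "Next": "Notify"
    },
    "Notify": {
      "Type": "Parallel",
      "Branches": [
        {"StartAt": "Email", "States": {"Email": {"Type": "Task", "Resource": "arn:aws:states:::sns:publish",
          "Parameters": {"TopicArn": "arn:aws:sns:us-east-1:123456789012:orders", "Message.$": "$.order.id"}, "End": true}}},
        {"StartAt": "Audit", "States": {"Audit": {"Type": "Task",
          "Resource": "arn:aws:lambda:us-east-1:123456789012:function:AuditLog", "End": true}}}
      ],
      "ResultPath": "$.notifications", "Next": "Done"
    },
    "Done": {"Type": "Succeed"},
    "OrderFailed": {"Type": "Fail", "Error": "OrderProcessingFailed", "Cause": "Task failed after retries; details in $.error"}
  }
}
```

Each ResultPath keeps the state's output alongside the original input, so the caught error object and the Map/Parallel results are all visible in the execution history when debugging a failed run.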

Input and Output processing

Error handling

Best Practices


Systems Manager (Core Service)

Overview

AWS Systems Manager gives you visibility and control of your infrastructure on AWS. Systems Manager provides a unified user interface so you can view operational data from multiple AWS services and allows you to automate operational tasks across your AWS resources. With Systems Manager, you can group resources, like Amazon EC2 instances, Amazon S3 buckets, or Amazon RDS instances, by application, view operational data for monitoring and troubleshooting, and take action on your groups of resources. Systems Manager simplifies resource and application management, shortens the time to detect and resolve operational problems, and makes it easy to operate and manage your infrastructure securely at scale.

Group resources -> Visualize data -> Take action

Components

Resources groups

Insights

Parameter store

Action & Change

Instances & Nodes


Trusted Advisor (Core Service)

Overview


X-Ray (Core Service)

Overview

AWS X-Ray helps developers analyze and debug production, distributed applications, such as those built using a microservices architecture. With X-Ray, you can understand how your application and its underlying services are performing to identify and troubleshoot the root cause of performance issues and errors. X-Ray provides an end-to-end view of requests as they travel through your application, and shows a map of your application’s underlying components. You can use X-Ray to analyze both applications in development and in production, from simple three-tier applications to complex microservices applications consisting of thousands of services.

--

Etc

Random Information from practice questions

Aurora

CloudFront

CloudWatch Metrics

CodeBuild

CodeCommit

CodePipeline

Cognito

Direct Connect

EBS

EC2

Elastic Beanstalk

Elastic Load Balancing

ECR

Fargate

GitHub

IAM

Kinesis Data Streams

Personal Health Dashboard

RDS

S3

Secrets Manager

Server Migration Service

SQS

Trusted Advisor

SSO