AWS Exam Preparation

AWS Important Services for Exam

AWS certification study guide

IAM - AWS Identity and Access Management (IAM) enables customers to securely control access to AWS services and resources for their users. Using IAM, customers can create and manage AWS users and groups and use permissions to allow and deny their access to AWS resources.

IAM - AWS Identity and Access Management

  • Using IAM we grant and restrict access to AWS services and set permission levels.
  • IAM is a global service: the same users, roles and policies apply across all regions.
  • The usual IAM setup flow is:
    • User -> Group -> Policy (the policy lists the resources and the actions that are allowed or denied on them).
    • Role - grants permissions to entities we trust, without sharing long-lived credentials.
      • Can be assumed by a user, an AWS service or an application.
      • Roles can be attached to EC2 instances (through an instance profile) so the instance gets temporary credentials.
      • Policies are attached to roles in the same way as to users and groups.
    • Access types for reaching AWS resources:
      • Programmatic, using an access key ID and secret access key (or temporary credentials from STS).
      • AWS Management Console, using a password (enable MFA for console users).

Exam Tips

  • Prefer IAM roles (temporary credentials) over long-lived access keys when giving other people or systems access.
  • Cross-account access: create a role in the target account that principals from the other account assume; we don't have to create individual users in each account.
  • STS (Security Token Service) is a web service that lets you request temporary, limited-privilege credentials for IAM users or for federated users.
  • Programmatic (SDK/CLI) access is authenticated with an access key ID and secret access key; STS credentials add a session token.
  • Integration with Active Directory is done by federating AD with IAM via SAML 2.0 (for example through AD FS).
  • Federation maps identities from other sources (SAML, web identity) to IAM roles and their policies via temporary tokens.

Practice

  • Create a new User, assign to a Group.
  • Create a new Policy and attach to the above group.
  • Log in as the user (both programmatic and console access).
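Policy evaluation is where most IAM exam questions (and most real-world misconfigurations) hinge: an explicit Deny anywhere beats every Allow, and a request nobody allows is implicitly denied. The following Python is an added example, not code from this study guide or from AWS; the group and user policies, the bucket name and the action names are constructed for illustration, and the evaluator handles only Effect/Action/Resource (no Conditions, NotAction or resource-based policies).

```python
import fnmatch

# Constructed sample policies (not from the page). The first is attached to
# the group the practice step creates; the second is a guardrail on the user.
GROUP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket",
                      "arn:aws:s3:::example-bucket/*"]},
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    ],
}
USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-bucket/secret/*"},
    ],
}


def _as_list(value):
    """IAM lets Action/Resource be a single string or a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, fold_case=False):
    """IAM wildcard match: '*' is any run of characters, '?' a single one.
    Action names are case-insensitive; resource ARNs are case-sensitive."""
    if fold_case:
        value = value.lower()
    return any(fnmatch.fnmatchcase(value, p.lower() if fold_case else p)
               for p in _as_list(patterns))


def evaluate(policies, action, resource):
    """Return 'explicit_deny', 'allow' or 'implicit_deny'.

    Order mirrors IAM: every statement of every policy is checked; a
    matching Deny wins immediately, otherwise a matching Allow is needed,
    otherwise the request is implicitly denied.
    """
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _matches(stmt["Action"], action, fold_case=True):
                continue
            if not _matches(stmt["Resource"], resource):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit_deny"
            allowed = True
    return "allow" if allowed else "implicit_deny"


if __name__ == "__main__":
    policies = [GROUP_POLICY, USER_POLICY]
    for act, res in [("s3:GetObject", "arn:aws:s3:::example-bucket/public/a.txt"),
                     ("s3:GetObject", "arn:aws:s3:::example-bucket/secret/key.pem"),
                     ("s3:PutObject", "arn:aws:s3:::example-bucket/public/a.txt"),
                     ("ec2:DescribeInstances", "*")]:
        print(f"{act:24} {res:45} -> {evaluate(policies, act, res)}")
```

The user-level Deny on the secret/ prefix wins even though the group policy allows s3:GetObject on the whole bucket, which is exactly the pattern used to carve exceptions out of broad group grants.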

VPC - Amazon Virtual Private Cloud lets customers provision a logically isolated section of the AWS Cloud where they can launch AWS resources in a virtual network they define. Customers have complete control over the virtual networking environment, including selection of their own IP address range, creation of subnets, and configuration of route tables, security groups, network ACLs and network gateways.

  • Amazon VPC lets you provision a logically isolated section of the Amazon Web Services (AWS) cloud where you can launch AWS resources in a virtual network that you define.
  • Components
    • VPC is your private network, where all your services will be deployed.
    • Below components are created by default when a VPC is created.
      • Route Table
        1. Routes traffic within the VPC and between the VPC and the outside.
        2. The route to the Internet Gateway (destination 0.0.0.0/0, target the internet gateway) is added here.
        3. Traffic destined for the VPC's own CIDR matches the local route; anything else matching 0.0.0.0/0 is sent via the internet gateway.
        4. The VPC router interconnects subnets and directs traffic between internet gateways, virtual private gateways, NAT gateways and subnets.
        5. Subnets must be manually associated with a custom route table; until then they use the VPC's main route table.
      • Network ACL (NACL)
        1. The default NACL allows all inbound and outbound traffic.
        2. A NACL we create manually denies all traffic until rules are added.
        3. Every subnet is associated with exactly one NACL (the default one unless we change it); a NACL can be associated with many subnets.
        4. Use a NACL to block inbound traffic from specific IP addresses: security groups only have allow rules and cannot deny.
        5. NACLs operate at the subnet level.
        6. They cannot restrict traffic between instances within the same subnet.
        7. Stateless: return traffic must be explicitly allowed (for example outbound to ephemeral ports 1024-65535). Rules are evaluated in rule-number order and the first match wins; the implicit "*" rule denies anything unmatched.
      • Security Group (SG)
        1. A new SG allows no inbound traffic and allows all outbound traffic by default.
        2. We typically create one SG for public access (application tier) and another for private access (database tier).
        3. For the private (database) SG, set the source of the inbound rule to the public SG's ID rather than a subnet IP range; then only instances in the public SG can reach the database.
        4. SGs are stateful: they track the origin of a request and automatically allow the reply to that request to return, regardless of the outbound rules.
      • Below components we will have to create manually,
        • Subnet -
          1. An address range within your VPC's CIDR range (from /16 down to /28).
          2. A subnet lives in exactly one AZ.
          3. AWS reserves the first four and the last IP address of every subnet (5 addresses in total).
          4. Subnets are used to isolate the web tier, app tier and DB tier.
          5. A public subnet is simply one whose route table has a route to the internet gateway; the IGW itself attaches to the VPC, and every subnet (public or private) has a NACL.
        • Internet Gateway (IGW)
          1. Provides the connection to the Internet for public subnets.
          2. Only one IGW can be attached to a VPC.
        • NAT Instance
          1. An ordinary EC2 instance configured to provide internet access to a private subnet.
          2. Must be launched in a public subnet, and its source/destination check must be disabled so it can forward traffic.
          3. Allows only outbound-initiated connections (replies come back; inbound connections from the Internet are not accepted).
          4. A single instance is a bandwidth bottleneck and a single point of failure.
        • NAT Gateway
          1. Managed, highly available service to provide internet access to private subnets.
          2. Allows only outbound-initiated connections.
          3. Created inside a public subnet; create one per AZ so an AZ failure does not take out NAT for the other AZs.
          4. Scales horizontally with traffic.
        • VPC Endpoints
          • Private connections from resources inside the VPC to AWS services outside it, for example an application on EC2 inside the VPC connecting to S3.
          • Traffic does not leave the AWS network; a route table entry (gateway endpoint) or an ENI (interface endpoint) steers it, with no internet path.
          • Endpoints do not support cross-region requests.
          • VPC endpoints need neither an internet gateway nor a NAT to reach the service.
          • Gateway endpoints exist only for S3 and DynamoDB; for other services use interface endpoints (AWS PrivateLink).
        • Flow Logs
          • Flow logs capture metadata (source, destination, port, accept/reject) about the IP traffic in your VPC, at VPC, subnet or ENI level.
          • Delivered to CloudWatch Logs or S3; from there they can be streamed to Lambda or Elasticsearch for online analysis.
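The stateful/stateless distinction above is easiest to see by evaluating the same two packets (a client's HTTPS request and the server's reply) against a NACL and a security group. The Python below is an added example written for this page, not AWS code: the addresses, rule numbers and the connection-tracking model are constructed simplifications of what the VPC data plane does.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    number: int              # NACL rule number; evaluated in ascending order
    action: str              # "allow" or "deny" (security groups only use "allow")
    cidr: str                # source CIDR for inbound, destination CIDR for outbound
    ports: Tuple[int, int]   # inclusive destination-port range
    proto: str = "tcp"


def _rule_matches(rule: Rule, ip: str, port: int, proto: str) -> bool:
    return (rule.proto in (proto, "all")
            and ip_address(ip) in ip_network(rule.cidr)
            and rule.ports[0] <= port <= rule.ports[1])


class NetworkAcl:
    """Stateless subnet filter: every packet, replies included, is checked
    against the rule list for its direction. The lowest-numbered matching
    rule decides; the implicit '*' rule denies anything left unmatched."""

    def __init__(self, inbound: List[Rule], outbound: List[Rule]):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    def allows(self, pkt: Packet, direction: str) -> bool:
        rules = self.inbound if direction == "in" else self.outbound
        ip = pkt.src_ip if direction == "in" else pkt.dst_ip
        for rule in rules:
            if _rule_matches(rule, ip, pkt.dst_port, pkt.proto):
                return rule.action == "allow"
        return False


class SecurityGroup:
    """Stateful instance firewall: only allow rules exist, and the reply to a
    connection that was admitted earlier is allowed regardless of the rules."""

    def __init__(self, inbound: List[Rule], outbound: List[Rule]):
        self.inbound, self.outbound = inbound, outbound
        self._tracked = set()   # 5-tuples of flows admitted so far

    def allows(self, pkt: Packet, direction: str) -> bool:
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        if reverse in self._tracked:      # this packet answers a tracked flow
            return True
        rules = self.inbound if direction == "in" else self.outbound
        ip = pkt.src_ip if direction == "in" else pkt.dst_ip
        if any(_rule_matches(r, ip, pkt.dst_port, pkt.proto) for r in rules):
            self._tracked.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto))
            return True
        return False


def scenario():
    """Constructed traffic: an Internet client talks HTTPS to a web server in
    a public subnet, and the server replies to the client's ephemeral port."""
    request = Packet("203.0.113.10", 50000, "10.0.1.5", 443)
    reply = Packet("10.0.1.5", 443, "203.0.113.10", 50000)
    https_in = Rule(100, "allow", "0.0.0.0/0", (443, 443))

    # Common mistake: the outbound NACL mirrors the inbound rule, so the reply
    # (destination port 50000) matches nothing and hits the implicit deny.
    mirrored = NetworkAcl([https_in], [Rule(100, "allow", "0.0.0.0/0", (443, 443))])
    # Correct: an outbound rule for the ephemeral port range.
    fixed = NetworkAcl([https_in], [Rule(100, "allow", "0.0.0.0/0", (443, 443)),
                                    Rule(110, "allow", "0.0.0.0/0", (1024, 65535))])
    # A deny rule numbered below the allow blocks one client network,
    # something a security group cannot express at all.
    blocklist = NetworkAcl([Rule(90, "deny", "203.0.113.0/24", (0, 65535)), https_in],
                           fixed.outbound)
    # Security group with an inbound HTTPS rule and no outbound rules at all.
    sg = SecurityGroup(inbound=[Rule(0, "allow", "0.0.0.0/0", (443, 443))], outbound=[])

    results = {
        "nacl_request": mirrored.allows(request, "in"),
        "nacl_reply_mirrored": mirrored.allows(reply, "out"),
        "nacl_reply_fixed": fixed.allows(reply, "out"),
        "nacl_blocked_client": blocklist.allows(request, "in"),
    }
    results["sg_request"] = sg.allows(request, "in")   # admitted and tracked
    results["sg_reply"] = sg.allows(reply, "out")      # allowed by state, not by a rule
    return results


if __name__ == "__main__":
    for name, verdict in scenario().items():
        print(f"{name:22} {'ALLOW' if verdict else 'DROP'}")
```

The mirrored NACL is the classic "my instance answers pings from the console but the web page never loads" misconfiguration; the security group needs no outbound rule because the reply is matched by connection state.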

EXAM TIPS: -

  • Reserved IPs are 5 per subnet, e.g. for 10.0.0.0/24: 10.0.0.0 (network), .1 (VPC router), .2 (DNS), .3 (reserved for future use) and 10.0.0.255 (broadcast, which AWS does not support).
  • VPC Peering Connection: a peering connection routes traffic via private IP addresses between two peered VPCs, and this can be across Regions. Peering is not transitive.
  • Default VPCs are assigned a CIDR range of 172.31.0.0/16.
  • Subnets: the default limit is 200 subnets per VPC.
  • A VPC peering connection is free; data transfer across it is not.
  • IPv6: Inter-Region VPC Peering does not support IPv6.
  • An Elastic Network Interface (ENI) is a virtual network interface that you can attach to an instance in a VPC.
  • CloudWatch provides metrics for VPN connections (tunnel state, bytes in/out).
  • In an Amazon VPC, all subnets can communicate with each other by default via the local route.
  • A DHCP option set lets customers define the DNS servers used for name resolution and the domain name for instances within an Amazon VPC.
  • The VPG (virtual private gateway) is the Amazon side of a VPN connection; the customer gateway is the on-prem side.
  • IPsec is the security protocol supported by Amazon VPC site-to-site VPN.
  • Use a VPN to connect the VPC and on-prem and ensure data is encrypted in transit (using IPsec).
  • VPC peering cannot be established between VPCs with overlapping CIDR blocks.
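Two of the tips above (the five reserved addresses per subnet and the no-overlap rule for peering) are easy to get wrong by hand, so here they are as code. This is an added example using only Python's standard ipaddress module, not a tool from the page or from AWS; the /16-to-/28 limit and the five reserved positions are AWS VPC rules, and the CIDRs in the usage are constructed.

```python
from ipaddress import IPv4Network
from typing import Dict, List, Tuple


def reserved_addresses(subnet_cidr: str) -> Dict[str, str]:
    """The five addresses AWS keeps back in every VPC subnet."""
    net = IPv4Network(subnet_cidr, strict=True)
    first = net.network_address
    return {
        "network": str(first),                    # network address
        "vpc_router": str(first + 1),             # implicit VPC router
        "dns": str(first + 2),                    # Amazon-provided DNS (base + 2)
        "future_use": str(first + 3),             # reserved by AWS for future use
        "broadcast": str(net.broadcast_address),  # broadcast is not supported in a VPC
    }


def usable_hosts(subnet_cidr: str) -> int:
    """Addresses you can actually assign; VPC and subnet blocks are /16 to /28."""
    net = IPv4Network(subnet_cidr, strict=True)
    if not 16 <= net.prefixlen <= 28:
        raise ValueError(f"{subnet_cidr}: prefix length must be between /16 and /28")
    return net.num_addresses - 5


def peering_conflicts(local_cidrs: List[str], peer_cidrs: List[str]) -> List[Tuple[str, str]]:
    """Pairs of CIDRs that overlap; a peering request with any such pair is rejected."""
    return [(a, b) for a in local_cidrs for b in peer_cidrs
            if IPv4Network(a).overlaps(IPv4Network(b))]


if __name__ == "__main__":
    # Constructed example: a custom VPC with a secondary CIDR that collides
    # with the default VPC's 172.31.0.0/16 range.
    print(reserved_addresses("10.0.0.0/24"), usable_hosts("10.0.0.0/24"))
    print(peering_conflicts(["10.0.0.0/16", "172.31.0.0/16"], ["172.31.10.0/24"]))
```

Running the overlap check before requesting a peering connection saves the round trip of a rejected request, and it is the same check to run before adding a secondary CIDR to a VPC that is already peered.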

Practice:

  • Create a VPC with private and public subnets, and repeat this setup several times.
  • Practice creating 2 subnets and check whether instances in them can reach each other; then learn how to block traffic between them and how to allow only one direction (subnet A may connect to B but not vice versa).

EC2 - Amazon Elastic Compute Cloud (Amazon EC2) is a web service that provides resizable compute capacity in the cloud. It is designed to make web-scale computing easier for developers and system administrators.

Elastic Compute Cloud

  • Instance Types
    • General purpose
      1. T2/T3 - burstable performance.
      2. M3/M4/M5 - fixed performance.
    • Compute optimized - for small or mid-sized applications that need more CPU than RAM.
      1. C3/C4/C5 - choose when CPU is the bottleneck.
    • Storage optimized
      1. H1, I2/I3, D2 - choose when a lot of local storage is the requirement.
      2. For data warehousing, Hadoop and other data-intensive operations.
    • Memory optimized - main production applications or other big applications.
      1. X1, R3/R4/R5 - for databases and in-memory caching applications that need a large memory size.
      2. Choose when RAM is the requirement.
    • Accelerated computing (GPU)
      1. G2/G3, P2/P3 - for ML, deep learning and other graphics-intensive applications.
    • FPGA
      • F1 - customizable hardware acceleration for high-end research and HPC applications.
    • Z1d - sustained all-core frequency up to 4.0 GHz, marketed as the fastest of any cloud instance.
  • Placement Group - a logical grouping of instances that controls how they are placed on underlying hardware.
    • Types
      • Cluster - grouped within a single AZ for low network latency and high network throughput; use case: big data / HPC applications.
      • Spread - each instance placed on distinct underlying hardware (can span AZs in a region); use case: a small number of critical instances that must be kept separate from each other.
    • Running instances cannot be moved into a placement group; stop the instance first, change its placement, then start it.

Exam Tips:

  • Use Scheduled Reserved Instances if the instance is needed only on particular days of the week or hours of the day.
  • For long-running steady workloads, choose Reserved Instances for cost saving; unused Standard RIs can be sold on the Reserved Instance Marketplace to recover the cost.
  • Know how to keep a Spot instance's data persistent (keep data on an EBS volume that is not deleted on termination, or set the interruption behavior to stop/hibernate instead of terminate).
  • Prefer Spot if the application can be interrupted, can be easily recovered, or performs tasks that tolerate interruption.
  • Public IP: automatically allocated to an EC2 instance, released back to the pool when the instance is stopped; a restart gives a different IP.
  • Private IP: communication between servers inside the VPC, e.g. web server to DB or application server; used for interaction within the stack.
  • Elastic IP: allocated to the account until released; DNS can always point to this address; can be moved from one instance to another; static; charged when not associated with a running instance; default limit 5 per account per region.
  • Use curl http://169.254.169.254/latest/meta-data/public-hostname to read instance metadata. Prefer IMDSv2, which requires a session token obtained with a PUT request first; enforcing it on the instance (HttpTokens=required) blocks the plain GET that SSRF attacks use to steal the instance role's credentials.
  • Default soft limits: 20 On-Demand instances per region across the instance family and 20 Reserved Instances; both can be raised via a limit increase request.
  • An instance profile is a container for an IAM role that is passed to an EC2 instance at launch.

Practice:

  • How to move an EC2 instance from one region to another: create a custom AMI, copy the AMI to the target region, and launch a new instance from the copy.

EBS - Amazon Elastic Block Store (EBS) provides block level storage volumes for use with Amazon EC2 instances. Amazon EBS volumes are network-attached, and persist independently from the life of an instance.

Elastic Block Store

  • Volume Types:
    • General Purpose SSD (gp2)
      • For IOPS below about 10,000.
      • Use case - system boot volumes, small to medium-sized databases, development and test environments.
    • Provisioned IOPS SSD (io1)
      • Highest performance.
      • For IOPS above 10,000.
      • Use case - I/O-intensive workloads, random access I/O, particularly large database workloads.
    • Throughput Optimized HDD (st1)
      • Low cost, high throughput; for big data and sequential access.
      • Higher throughput applications requiring up to 500 MB/s.
      • Use case - data streaming, big data, data warehouse.
    • Cold HDD (sc1)
      • Lowest cost.
      • Use case - less frequently accessed data, e.g. for backup purposes.
    • Rule of thumb: SSD for random access, HDD for sequential access.
  • Common to all EBS volumes:
    • Attached to EC2 instances over the network.
    • Supports up to 16 TiB per volume.
    • Use cases include DB applications and web applications.
    • Long-term persistence/availability of data.
    • Snapshots/backups of EBS volumes are stored in S3.
    • Snapshots are incremental, and snapshots of encrypted volumes are encrypted automatically.

Exam Tips:

  • EBS volumes are automatically replicated within their AZ (not across AZs).
  • A volume can be attached to only one instance at a time.
  • With an EBS root volume, data persists across stop/start; on termination the root volume is deleted unless DeleteOnTermination is disabled.
  • The EC2 instance and the EBS volume must be in the same AZ.
  • Instance Store volume:
    • Physically attached to the host, not over the network like EBS.
    • Temporary/ephemeral storage: data survives a reboot but is lost when the instance is stopped or terminated.
  • An existing unencrypted root volume cannot be encrypted in place; take a snapshot, copy the snapshot with encryption enabled, and launch from or attach the encrypted copy.
  • EBS encryption provides data-at-rest security by encrypting your data using Amazon-managed keys or keys in KMS.
  • Magnetic volumes are used where data is accessed infrequently, reads are sequential, and low-cost storage is a requirement.
  • Your data and associated keys are encrypted using the industry-standard AES-256 algorithm.
  • Snapshots are incremental, but each snapshot contains everything needed to restore the full volume; deleting older snapshots only removes data that no other snapshot references, so you can keep a single snapshot to save cost.

Practice:

  • Create SSD and HDD EBS volumes and attach them to an instance.
  • Take a snapshot of the SSD volume, create a volume from the snapshot and attach it to the instance.

EFS - Amazon Elastic File System provides simple, scalable, elastic file storage for use with AWS Cloud services and on-premises resources. It gives customers the ability to mount a file system and share it between servers.

  • Amazon EFS is a fully managed service that makes it easy to set up scalable file storage.
  • Use case - big data and analytics, media processing workflows, content management, web serving, and home directories.
  • Scales from gigabytes to petabytes of data.

Exam Tips:

  • Tens, hundreds, or even thousands of Amazon EC2 instances can access an Amazon EFS file system at the same time.
  • Differences - EFS vs EBS vs S3
    • Amazon EFS is a file storage service (NFS) for use with Amazon EC2.
    • Amazon EBS is a block level storage service for use with a single EC2 instance; EFS aggregate throughput scales with the file system and can exceed that of a single EBS volume.
    • EFS has higher per-operation latency than EBS.
    • S3 is an object storage service available through an Internet API that can be accessed from anywhere.
  • EFS can be mounted on more than one EC2 instance.
  • On-premises servers can mount your file systems via an AWS Direct Connect connection (or VPN) to your VPC.
  • You can access your Amazon EFS file system concurrently from servers in your on-premises datacenter and from Amazon EC2 instances.
  • EFS File Sync copies files and directories into Amazon EFS from on-prem up to 5x faster than standard Linux copy tools; a File Sync agent is required.
  • Data encryption in transit uses industry standard Transport Layer Security (TLS); encryption at rest uses keys managed in AWS KMS.

Practice:

  • Create a separate EFS file system and mount it on two instances.

S3 - Amazon S3 provides a simple web services interface that can be used to store and retrieve any amount of data, at any time, from anywhere on the web.

Simple Storage Service - object based storage at the lowest cost, with the highest durability (eleven 9s) of any AWS storage service.

  • Types
    • S3 Standard
      1. Most commonly used.
      2. Use case - frequently accessed data.
    • S3 Standard-Infrequent Access (S3-IA)
      1. For less frequently accessed data. Cheaper storage than S3 Standard, but with a per-GB retrieval charge.
    • S3 One Zone-Infrequent Access
      1. For less frequently accessed data that can be recreated.
      2. Data is stored in only one AZ.
      3. Cheaper than S3 Standard-IA.
    • Amazon Glacier
      • Used for data archive.
      • Data retrieval options to restore to S3
        • Expedited: 1-5 minutes.
        • Standard: 3-5 hours.
        • Bulk: 5-12 hours.
      • Encrypted at rest by default.
    • Reduced Redundancy Storage
      • For frequently accessed, noncritical, easily reproducible data, stored at lower redundancy than Standard.
      • Use case - storing image thumbnails.
    • Data Consistency
      • Read-after-write consistency for PUTs of new objects.
      • Eventual consistency for overwrite PUTs and DELETEs of existing objects.
      • (Since December 2020 S3 delivers strong read-after-write consistency for all operations, so this distinction is historical.)
    • Use case - to store videos, images, any other file type.
    • Min-max size of a single object: 0 bytes to 5 TB.
    • Cross-Region Replication (CRR)
      • Only new or updated objects are replicated to the other region.
      • Versioning must be enabled on both buckets; CRR is configured at bucket level.
      • Already existing objects are not automatically replicated.
    • CORS
      • Selectively allow cross-origin access to your Amazon S3 resources from browser scripts on other domains.
    • Lifecycle Policy
      • Can be applied to current or previous versions.
      • Configured per bucket, optionally scoped by prefix or tags.
      • Use case - to archive data and reduce cost; move from S3 Standard to S3-IA and then to Glacier, or directly to Glacier.
    • Encryption
      • In transit
        • Use SSL/TLS (HTTPS); a bucket policy can deny requests where aws:SecureTransport is false.
      • At rest
        • Server side
          1. SSE-S3 (keys managed by S3)
          2. SSE-KMS (keys in KMS, with an audit trail and separate key permissions)
          3. SSE-C (customer-provided keys, sent with each request)
        • Client side
          • Encrypt on the client side and upload the ciphertext to S3.
    • CDN - Content Delivery Network
      • Use CloudFront.
      • CloudFront can be configured to automatically compress files.
      • Create a distribution, then configure origins (an Amazon S3 bucket or an HTTP server) and cache behaviors.
      • Geo restrictions can be configured with a whitelist (allowed countries) or a blacklist (blocked countries).
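The in-transit and at-rest requirements above are normally enforced with a bucket policy made of explicit Deny statements: one keyed on aws:SecureTransport, one on the s3:x-amz-server-side-encryption header. The Python below is an added example, not from the page or from AWS: the policy document and request contexts are constructed, and the evaluator implements only the Bool, StringEquals and StringNotEquals condition operators for Deny statements, which is enough to show why StringNotEquals (a missing key counts as "not equal") is the operator that forces the header to be present.

```python
import fnmatch

# Constructed bucket policy (not from the page). Both statements are explicit
# denies, so they win over any Allow in the caller's identity policy.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-bucket",
                         "arn:aws:s3:::example-bucket/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
        {
            "Sid": "DenyUnencryptedPuts",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
            "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}},
        },
    ],
}


def _listed(value):
    return value if isinstance(value, list) else [value]


def _pattern_match(patterns, value, fold_case=False):
    """IAM wildcard matching; actions are case-insensitive, ARNs are not."""
    if fold_case:
        value = value.lower()
    return any(fnmatch.fnmatchcase(value, p.lower() if fold_case else p)
               for p in _listed(patterns))


def _condition_holds(condition, context):
    """Every operator and every key must hold for the statement to apply."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            expected = [str(v) for v in _listed(expected)]
            actual = context.get(key)
            if operator == "Bool":
                ok = actual is not None and str(actual).lower() == expected[0].lower()
            elif operator == "StringEquals":
                ok = actual in expected
            elif operator == "StringNotEquals":
                # A missing key counts as "not equal", so a Deny built on this
                # operator fires when the client omits the header entirely.
                ok = actual not in expected
            else:
                raise ValueError(f"operator {operator} not modelled here")
            if not ok:
                return False
    return True


def denied_by(policy, action, resource, context):
    """Return the Sid of the first Deny statement that matches, else None."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not _pattern_match(stmt["Action"], action, fold_case=True):
            continue
        if not _pattern_match(stmt["Resource"], resource):
            continue
        if _condition_holds(stmt.get("Condition", {}), context):
            return stmt["Sid"]
    return None


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/reports/q1.csv"
    print(denied_by(BUCKET_POLICY, "s3:GetObject", obj, {"aws:SecureTransport": "false"}))
    print(denied_by(BUCKET_POLICY, "s3:PutObject", obj, {"aws:SecureTransport": "true"}))
    print(denied_by(BUCKET_POLICY, "s3:PutObject", obj,
                    {"aws:SecureTransport": "true",
                     "s3:x-amz-server-side-encryption": "aws:kms"}))
```

A PUT with SSE-S3 (AES256) is also rejected by the second statement, which is the intended behaviour when the requirement is KMS-backed keys with an audit trail; relax the condition to a list of accepted values if SSE-S3 is acceptable.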

Exam Tips:

  • Charged for storage per GB, requests (PUT, COPY, POST, LIST, GET) and data transfer out (including inter-Region transfer).
  • You can set up CRR across AWS accounts.
  • Versioning must be enabled on both the source and destination buckets to enable CRR.
  • If the data set is less than 1 GB in size, consider using Amazon CloudFront's PUT/POST instead of Transfer Acceleration.
  • Transfer Acceleration is enabled on an S3 bucket using the Amazon S3 console, the Amazon S3 API, or the AWS CLI; it uses CloudFront edge locations to speed up long-distance uploads.
  • S3 Select retrieves only the needed subset of an object's data using SQL statements.
  • S3 One Zone-IA assigns an AWS Availability Zone in the region according to available capacity.
  • S3-IA has a minimum billable object size of 128 KB and a minimum storage duration of 30 days.
  • SSE-KMS enables you to use AWS Key Management Service (AWS KMS) to manage your encryption keys.
  • AWS KMS provides an audit trail (via CloudTrail) so you can see who used your key to access which object and when.
  • The S3 bucket namespace is global, but each bucket lives in one region and its data is stored redundantly across multiple AZs in that region.
  • Any metadata and ACLs associated with the object are also part of the replication.
  • A random hash prefix was recommended to spread load evenly across partitions; since the 2018 performance update this is no longer required.
  • Multipart upload is recommended for files greater than 100 MB and is required for files larger than 5 GB.
  • Multipart upload completes by re-assembling the parts of an upload.
  • By design, a multipart upload can be stopped; once stopped, it may be aborted or resumed. Incomplete uploads are still billed, so add a lifecycle rule to abort them.
  • S3 is charged per 1,000 requests (PUT, GET, COPY, POST, LIST).
  • An ACL can be set on an individual object to make it public while the bucket stays private; S3 Block Public Access can override this at the account or bucket level.
  • Amazon S3 server access logs store a record of what was accessed and the requesting IP address.

Practice:

  • Try ACLs at object level and at bucket level.
  • Try a lifecycle policy at bucket level, scoped to a prefix.

Other Storage Services

  • Snowball
    • Snowball is a petabyte-scale data transport solution that uses tamper-resistant devices to transfer large amounts of data into and out of the AWS Cloud.
    • It is a physical device shipped to the on-prem site to load or offload data.
    • Snowball Edge is a data migration plus edge computing device with 100 TB of capacity, for intermittent connectivity or work from remote locations.
      • Customers can develop and deploy applications (Lambda functions, EC2 instances) on Snowball Edge at the remote site.
    • Data on each Snowball is encrypted with keys managed through AWS KMS; the keys are never stored on the device.
  • Storage Gateway
    • Hybrid data storage (on-prem + AWS cloud).
    • Runs as a virtual machine in the on-prem data center.
    • Connects to AWS storage services such as Amazon S3, Amazon Glacier and Amazon EBS.
    • Volume gateway types
      • Stored volumes - the entire data set stays on-prem and is backed up asynchronously to S3 as EBS snapshots.
      • Cached volumes - S3 is the primary store; only the most recently or frequently used data is cached on-prem.
    • File Gateway
      • NFS/SMB file interface on-prem; files are stored as objects in S3.
Elastic Load Balancer - automatically distributes incoming application traffic across multiple Amazon EC2 instances. It enables customers to achieve greater fault tolerance in their applications, seamlessly providing the amount of load balancing capacity needed in response to incoming application traffic.

Elastic Load Balancer

  • Distributes incoming traffic across multiple instances/targets.
  • Types
    • Network LB
      • Operates at layer 4 (TCP listener level).
      • Preserves the client's source IP address.
      • Can be given a static IP / Elastic IP per AZ.
    • Application LB
      • Operates at layer 7 (HTTP/HTTPS); supports path- and host-based routing.
    • Classic LB
      • Basic load balancing service (layer 4 and 7, legacy).
  • Health checks divert traffic away from unhealthy instances.
    • Components:
      • Response Timeout - amount of time to wait for a response.
      • Interval - time between two health checks.
      • Unhealthy Threshold - number of consecutive failed health checks before the target is declared unhealthy.
      • Healthy Threshold - number of consecutive passed health checks before the target is considered healthy again.
  • An ELB is addressed by DNS name, not by IP (except an NLB with Elastic IPs).
  • In Route 53, use an Alias record (works at the zone apex) or a CNAME to point a domain at the ELB's DNS name.
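The four health-check parameters above combine into a small state machine, and the typical exam question is "how long until a dead instance stops receiving traffic". The Python below is an added example, not from the page or from AWS; the numbers are constructed and the model ignores the jitter the load balancer adds between checks.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class HealthCheckConfig:
    interval: int = 30            # seconds between two checks
    timeout: int = 5              # seconds to wait before a check counts as failed
    healthy_threshold: int = 3    # consecutive passes needed to return to service
    unhealthy_threshold: int = 2  # consecutive failures needed to leave service


class TargetHealth:
    """Tracks one target: the state flips only when a run of consecutive
    passes or failures reaches the matching threshold, so a single slow
    or failed check never removes a target by itself."""

    def __init__(self, cfg: HealthCheckConfig, initial: str = "healthy"):
        self.cfg = cfg
        self.state = initial
        self.passes = 0
        self.failures = 0

    def record(self, response_seconds: Optional[float]) -> str:
        """response_seconds=None means no response at all; slower than
        the timeout counts as a failure just like no response."""
        passed = response_seconds is not None and response_seconds <= self.cfg.timeout
        if passed:
            self.passes, self.failures = self.passes + 1, 0
            if self.state == "unhealthy" and self.passes >= self.cfg.healthy_threshold:
                self.state = "healthy"
        else:
            self.failures, self.passes = self.failures + 1, 0
            if self.state == "healthy" and self.failures >= self.cfg.unhealthy_threshold:
                self.state = "unhealthy"
        return self.state


def simulate(cfg: HealthCheckConfig, responses: List[Optional[float]]) -> List[str]:
    """State of a target after each check in the sequence."""
    target = TargetHealth(cfg)
    return [target.record(r) for r in responses]


def seconds_to_detect_failure(cfg: HealthCheckConfig) -> int:
    """Worst-case time from an instance dying until the ELB stops routing to it."""
    return cfg.interval * cfg.unhealthy_threshold


if __name__ == "__main__":
    cfg = HealthCheckConfig(interval=10, timeout=5, healthy_threshold=3, unhealthy_threshold=2)
    # Constructed response times: one blip, then a real outage, then recovery.
    print(simulate(cfg, [1.0, None, 1.2, None, None, 0.9, 0.9, 0.9]))
    print(seconds_to_detect_failure(cfg), "seconds to detect an outage")
```

Lowering the interval detects outages faster but also removes flapping targets sooner; a higher healthy threshold than unhealthy threshold, as in the defaults, makes a recovering target prove itself before traffic returns.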

Exam Tips:

  • There can be more than one application behind a single ELB, and each application can have multiple EC2 instances.
  • Application Load Balancer is best suited for load balancing HTTP and HTTPS traffic and provides advanced request routing targeted at modern application architectures, including microservices and containers.
  • Network Load Balancer is best suited for load balancing TCP traffic where extreme performance is required.
  • Behind an ALB or Classic LB the EC2 instance sees the ELB's IP address rather than the client's; read the X-Forwarded-For header to get the client IP (and only trust it when the request really came through the ELB).
  • The controller service monitors the load balancers, adding and removing load balancers as needed and verifying that they are functioning properly.
  • SSL/TLS certificates are installed on the ELB listener (from ACM or IAM) when the ELB terminates TLS.
  • The ELB always makes two connections: one with the client and one with the instance.
  • An Elastic Load Balancing health check may be a ping, a connection attempt, or a page that is fetched and checked.
  • When connection draining (deregistration delay) is enabled, the load balancer stops sending new requests to a deregistering or unhealthy instance but lets in-flight requests complete.

Practice:

  • Try creating,
    • Network Load Balancer (you can expect 2 - 3 questions on this).
    • Application Load balancer (multiple questions).

AutoScaling - allows customers to scale their Amazon EC2 instance capacity up or down automatically according to conditions they define.

AutoScaling : Scaling out(increasing number of instance) or Scaling in(decreasing number of instances) Instances based on demand and performance.

  • CloudWatch alarms are used to trigger scaling policies.
  • Scalable Resources
    • Amazon EC2 Auto Scaling groups
    • Aurora DB clusters
    • DynamoDB global secondary indexes
    • DynamoDB tables
    • ECS services
    • Spot Fleet requests

Exam Tips:

  • How instances are chosen for scale-in (default termination policy):
    • Select the AZ with the most instances that has at least one unprotected instance.
    • Within that AZ, consider only unprotected instances.
    • Among them, prefer the instance using the oldest launch configuration, then the one closest to the next billing hour; if still tied, pick at random.
  • If we create an Auto Scaling group in one AZ, it is available only in that AZ; it should span all AZs in the region so capacity can be rebalanced.
  • Target tracking scaling policies simplify dynamic scaling configuration; use them when the volume cannot be predicted.
  • Auto Scaling supports four plans:
    1. maintain current levels
    2. manual scaling
    3. scheduled scaling
    4. dynamic scaling
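The default termination policy above is a sequence of filters, and the order matters: AZ balance is decided before anything about the instance itself, which is why the instance closest to its billing hour is not necessarily the one that goes. The Python below is an added example of that selection order written for this page, not Auto Scaling's own code; the instance records and timestamps are constructed.

```python
import random
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Instance:
    instance_id: str
    az: str
    launch_config_created: int   # epoch seconds the launch configuration was created
    launched_at: int             # epoch seconds the instance started running
    protected: bool = False      # instance scale-in protection


def seconds_to_next_billing_hour(inst: Instance, now: int) -> int:
    running = now - inst.launched_at
    return 3600 - (running % 3600)


def choose_instance_to_terminate(instances: List[Instance], now: int,
                                 rng: Optional[random.Random] = None) -> Optional[str]:
    """Apply the default termination policy's filters in order and return the
    instance ID to terminate, or None if every instance is protected."""
    candidates = [i for i in instances if not i.protected]
    if not candidates:
        return None

    # 1. AZ with the most instances that still has at least one unprotected
    #    instance (counts include protected ones: the goal is AZ balance).
    per_az = Counter(i.az for i in instances)
    busiest = max(per_az[i.az] for i in candidates)
    candidates = [i for i in candidates if per_az[i.az] == busiest]

    # 2. Instances using the oldest launch configuration.
    oldest = min(i.launch_config_created for i in candidates)
    candidates = [i for i in candidates if i.launch_config_created == oldest]

    # 3. Instance closest to the next billing hour (least wasted paid time).
    closest = min(seconds_to_next_billing_hour(i, now) for i in candidates)
    candidates = [i for i in candidates if seconds_to_next_billing_hour(i, now) == closest]

    # 4. Still tied: pick at random.
    return (rng or random.Random()).choice(candidates).instance_id


def sample_group(now: int) -> List[Instance]:
    """Constructed Auto Scaling group: three instances in AZ a, one in AZ b."""
    return [
        Instance("i-a1", "us-east-1a", launch_config_created=1000, launched_at=now - 3500),
        Instance("i-a2", "us-east-1a", launch_config_created=2000, launched_at=now - 100),
        Instance("i-a3", "us-east-1a", launch_config_created=1000, launched_at=now - 1800),
        Instance("i-b1", "us-east-1b", launch_config_created=1000, launched_at=now - 3590),
    ]


if __name__ == "__main__":
    now = 360000
    # i-b1 is 10 seconds from its billing hour, yet i-a1 is chosen: AZ a is busier.
    print(choose_instance_to_terminate(sample_group(now), now))
```

Scale-in protection on i-a1 pushes the choice to i-a3 (same AZ, same old launch configuration), which is the knob to use when a particular instance must survive a scale-in, for example a node holding a long-running job.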

Practice:

  • Create Launch Configuration & Autoscaling for both scale-out and scale-in scenarios.

Elastic Beanstalk - AWS Elastic Beanstalk is an easy-to-use service for deploying and scaling web applications and services developed with popular programming languages such as Java, .NET, PHP, Node.js, Python and Ruby. You simply upload your application and Elastic Beanstalk automatically handles the deployment details of capacity provisioning, load balancing, auto-scaling and application health monitoring.

AWS Elastic Beanstalk automatically provisions the resources required to host an application from uploaded code.

  • Elastic Beanstalk automatically handles the deployment, from capacity provisioning, load balancing and auto-scaling to application health monitoring.
  • If you decide you want to take over some (or all) of the elements of your infrastructure, you can do so seamlessly, because the underlying resources (EC2, ELB, Auto Scaling) remain accessible.
  • Use case -
    • Deploying and scaling web applications (web server environment).
    • Worker environments for long-running background processes that consume from an SQS queue.

Exam Tips:

  • Supported languages/platform - Java, .NET, PHP, Node.js, Python, Ruby, Go, and Docker on familiar servers such as Apache, Nginx, Passenger, and IIS.
  • For Quickly provisioning development environments – Use Elastic Beanstalk – Can also create custom Docker environments.
  • AWS Elastic Beanstalk can be used to deploy Docker containers.
  • NGINX (open source) is available as the web server/proxy in Elastic Beanstalk platforms.

Practice:

  • Create at least one Elastic Beanstalk environment.

Database Services (RDS,Dynamo , Redshift) -

  • Amazon RDS is a web service that makes it easy to set up, operate, and scale a relational database in the cloud. It provides cost-efficient and resizable capacity while managing time-consuming database administration tasks, freeing you up to focus on your applications and business.
  • Amazon DynamoDB is a fast, fully managed NoSQL database service that makes it simple and cost-effective to store and retrieve any amount of data, and serve any level of request traffic. All data items are stored on Solid State Drives (SSDs), and are replicated across 3 Availability Zones for high availability and durability.
  • Amazon Redshift is a fast, fully managed, petabyte-scale data warehouse service that makes it simple and cost-effective to efficiently analyze all your data using your existing business intelligence tools.

    DB can be installed on an EC2 but will require manual maintenance service like backup,patches,replication,fail over. -All Admin tasks are manual

    RDS will automate all the above Admin tasks.

    • RDS supports six database engines: MySQL, PostgreSQL, MariaDB, Oracle, SQL Server, and Amazon Aurora.
    • The DB instance is isolated from the application instance (and can be in a different AZ).
    • Supports automatic and manual snapshots.
    • Snapshots are stored in S3.
    • Multi-AZ - synchronous replication to a standby in another AZ, to minimize RPO, with fast failover to minimize RTO.
    • If Multi-AZ is enabled, the primary DB instance switches over automatically to the standby replica in case of failure.
    • You can also create read replicas within a Region or between Regions.
    • Encrypted at rest with AWS Key Management Service (KMS).
    • Redshift
      • AWS data warehouse service.
      • Columnar storage on high-performance disk.
      • You can enable database encryption for your clusters
      • AWS KMS key hierarchy for Amazon Redshift: a master key (in KMS or an HSM), a cluster encryption key (CEK), a database encryption key (DEK), and data encryption keys for the data blocks.
      • Redshift support CRR snapshots for clusters.
      • Instead of storing data as a series of rows, Amazon Redshift organizes the data by column.
      • Redshift Spectrum enables you to run queries against exabytes of data in Amazon S3.
      • Dense compute (DC) nodes allow you to create very high-performance data warehouses using fast CPUs, large amounts of RAM, and SSDs.
    • DynamoDB:
      • Non-relational / schemaless DB.
      • Auto scaling is available for DynamoDB.
      • Throughput is provisioned in read and write capacity units (see below), with reads measured in 4 KB blocks and writes in 1 KB blocks.
      • Use case - storing user preferences, session details, logs for further analysis.
      • A local secondary index lets you query over a single partition (the same partition key as the table) with an alternative sort key.
      • A global secondary index lets you query over the entire table, across all partitions, with a different partition key.
      • Applications connect to the Amazon DynamoDB service endpoint (or via a VPC gateway endpoint).
      • Use partition keys, sort keys and secondary indexes for query performance.
      • Amazon DynamoDB Accelerator (DAX) provides a read-through/write-through distributed caching tier in front of the database, supporting the same API as Amazon DynamoDB, but providing sub-millisecond latency for items that are in the cache.
      • 1 read capacity unit = one strongly consistent read per second of an item up to 4 KB, or two eventually consistent reads per second.
      • 1 write capacity unit = one write per second of an item up to 1 KB.
      • Data plane operations let you perform create, read, update, and delete (CRUD) actions on data in a table.
      • All reads from a DynamoDB table are eventually consistent by default, but strongly consistent reads can be requested per call.
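The capacity-unit rules above are the basis of a standard exam calculation, and the rounding is where people slip: item size is rounded up to the 4 KB (read) or 1 KB (write) boundary before multiplying by the request rate. This is an added worked example, not from the page; the item sizes and rates in the usage are constructed.

```python
import math


def read_capacity_units(item_size_bytes: int, reads_per_second: int,
                        consistency: str = "strong") -> int:
    """RCUs to provision.

    One RCU covers one strongly consistent read per second of an item up to
    4 KB; a bigger item costs ceil(size / 4 KB) units per read. Eventually
    consistent reads cost half, transactional reads twice as much.
    """
    factor = {"strong": 1.0, "eventual": 0.5, "transactional": 2.0}[consistency]
    units_per_read = math.ceil(item_size_bytes / 4096)
    return math.ceil(units_per_read * reads_per_second * factor)


def write_capacity_units(item_size_bytes: int, writes_per_second: int,
                         transactional: bool = False) -> int:
    """WCUs to provision: one WCU is one write per second of an item up to
    1 KB; larger items cost ceil(size / 1 KB); transactional writes double."""
    units_per_write = math.ceil(item_size_bytes / 1024)
    return units_per_write * writes_per_second * (2 if transactional else 1)


if __name__ == "__main__":
    # Constructed sizing question: 6 KB items read 80 times per second,
    # and 1.5 KB items written 10 times per second.
    print(read_capacity_units(6 * 1024, 80), "RCU")                    # 160
    print(read_capacity_units(6 * 1024, 80, "eventual"), "RCU eventual")  # 80
    print(write_capacity_units(1536, 10), "WCU")                       # 20
```

A 4,097-byte item costs two RCUs per read, not 1.0002, so trimming items to fit the 4 KB boundary halves the read bill for workloads that sit just over it.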

    Exam Tips:

    • Read replicas are supported for MySQL, MariaDB, PostgreSQL and Aurora.
    • Aurora schema changes can be done without downtime.
    • If you see NoSQL, select DynamoDB.
    • If you see fully managed, highly scalable and available relational DB, select Aurora most of the time.
    • If you see columnar storage, it is Redshift, never Aurora (which is row-based).
    • Since the endpoint for your DB instance remains the same after a failover, your application can resume database operation without manual administrative intervention.
    • An existing unencrypted DB instance cannot be encrypted in place; enable encryption when creating the instance, or snapshot it, copy the snapshot with encryption and restore from the copy.
    • Use a combination of read replicas and ElastiCache to offload read traffic.
    • By default, customers are allowed up to a total of 40 Amazon RDS DB instances, of which at most 10 may be license-included Oracle or SQL Server instances.
    • ElastiCache is a better answer for serving repeated requests or whenever the DB server is underperforming on reads.
    • RDS does not auto scale compute; scale vertically by changing the instance class, or add read replicas.
    • Read replicas are eventually consistent and lag slightly behind the primary DB.
    • If you see columnar DB and analytics, use Redshift.
    • For Redshift, if you want the LOAD or COPY traffic to stay inside your VPC, enable Redshift Enhanced VPC Routing.
    • Amazon Redshift stores snapshots internally in Amazon S3, transferred over an encrypted SSL/TLS connection.

ElastiCache - Amazon ElastiCache is a web service that makes it easy to deploy, operate, and scale an in-memory cache in the cloud. The service improves the performance of web applications by allowing you to retrieve information from a fast, managed, in-memory caching system, instead of relying entirely on slower disk-based databases.

ElastiCache - In memory Data store. For high performance and low latency data retrieval.Write and memory scaling is supported with sharding. Replicas provide read scaling.

  • Amazon ElastiCache can automatically detect and recover from the failure of a cache node.
  • Types:
    • Memcached (supports adding nodes)
      • Memcached provides a very simple interface that allows you to write and read objects into in-memory key/value data stores.
      • Use case - where frequently accessed data must be in memory: web, mobile apps, gaming, ad-tech, and e-commerce.
      • The default limit is 20 nodes per cluster.
      • Exam Tips:
        • If the question mentions a dynamic web application that needs performance: Memcached is a high-performance, distributed memory object caching system intended for speeding up dynamic web applications.
        • Memcached supports horizontal scaling (adding or removing nodes) and limited vertical scaling.
        • Memcached nodes are standalone in-memory services without replication or any redundant data protection; data is ephemeral.
        • Snapshots cannot be created for clusters using the Memcached engine because it is a purely in-memory key/value store. If snapshots are in the question, prefer Redis.
        • Use Memcached when you need a simple in-memory object store that can be easily partitioned.
    • Redis (supports Multi-AZ with replicas)
      • Use case - database cache, and message broker/queue (pub/sub).
      • With the Redis engine, Amazon ElastiCache makes it easy to set up read replicas and fail over from the primary to a replica in the event of a problem.
      • Redis clusters can have up to five read replicas to offload read requests.
      • A single primary node with replicas, unlike Memcached which supports up to 20 independent nodes.
      • Exam Tips:
        • Caching plus data persistence in the question: choose Redis. Unlike Memcached, Redis can persist the in-memory data to disk.
        • This allows you to create snapshots that back up your data and then recover or replicate from the backups, which Memcached cannot do.
        • If you see sorting and ranking data (sorted sets), use Redis.
        • Horizontal scaling - a replication group consists of up to six nodes, one primary and up to five read replicas; cluster mode adds sharding across multiple shards.
        • Use Redis when you need to back up and restore your data, or need many clones or read replicas.

Route 53 - Amazon Route 53 is a highly available and scalable Domain Name System (DNS) web service. It is designed to give developers and businesses an extremely reliable and cost-effective way to route end users to Internet applications by translating human readable names.

Route 53 is Amazon's Domain Name System (DNS) service.

  • Route 53 performs three main functions:
    • Domain registration,
    • DNS service
    • Health check.
  • It is available @ Global level like IAM.
  • Hosted Zone - A collection of resource record sets hosted by Amazon Route 53.
    • Private hosted zone
      • A container that holds information about how you want to route traffic for a domain and its subdomains within one or more VPC's.
    • Public hosted zone
      • A container that holds information about how you want to route traffic on the Internet.
    • Important Record Types
      • Start of Authority (SOA) record & NS (Name Server) records - created by default for every hosted zone.
      • A / AAAA record - address record (IPv4) / IPv6 address record.
      • CNAME - canonical name record; maps a name to another DNS name. A Route 53 alias record is a separate, Route 53-specific mechanism that resolves to an AWS resource (ELB, CloudFront, S3 website endpoint) and, unlike a CNAME, also works at the zone apex.
      • MX - Mail Exchange.
      • SPF (Sender Policy Framework) records - used to verify authorized senders of mail from your domain. The dedicated SPF record type is deprecated (RFC 7208); publish the SPF policy in a TXT record instead.
      • TXT - used to store arbitrary, unformatted text with a host (SPF, DKIM and domain-ownership verification strings all live here).
    • Routing Policy
      • Simple
        • Default.
        • Use this when a single resource performs the function.
      • Weighted
        • Useful when more than one resource performs the function, e.g. two ELBs behind a single DNS name.
        • Distribute the traffic by weight, e.g. 25% to one site and 75% to the other.
      • Latency Based
        • Route traffic to the region with the lowest latency for the end user.
      • Failover
        • Configure active-passive failover: when the health check for the active site fails, requests are automatically routed to the passive site.
        • Route 53 health checkers sit outside your VPC and cannot reach private IP addresses, so failover in a private hosted zone has to rely on health checks based on CloudWatch alarms.
      • Geolocation
        • Route 53 routes traffic based on the geographic location of the user, e.g. requests from Europe go to the European site.
      • Multivalue Answer
        • Return up to eight healthy records for each query and let the client choose; a cheap form of DNS-level load balancing combined with health checks.

Exam Tips:

  • Use an alias record, not a CNAME, at the zone apex (the bare domain, e.g. example.com). DNS does not allow a CNAME to coexist with the SOA and NS records every zone carries at its apex, so Route 53 rejects it; an alias to an ELB, CloudFront distribution or S3 website endpoint works at the apex and alias queries are free.
  • Do not use A records with hard-coded IP addresses for names that point at AWS-managed endpoints such as ELBs, because those addresses change; use an alias (or, for non-apex names like www.domain.com, a CNAME) instead.
  • Two record sets are created by default when a hosted zone is created: the Start of Authority (SOA) record and the NS (Name Server) records.
  • SOA and NS records are mandatory for every zone; A and CNAME records are added as needed for your hosts. In the exam, a record set of SOA, NS, A and CNAME is the usual baseline listing.
  • For Blue/Green deployments use Weighted Routing and shift the weight gradually from the old stack to the new one.
  • Mail eXchange (MX) records define which inbound mail server(s) should receive mail for the domain.
  • Health checks and DNS failover are the main tools for building highly available, failure-resilient endpoints.
  • Create a Multivalue answer record to route traffic to multiple resources (up to eight healthy records per response).
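A small checker for the rules in the tips above, written as an added example for these notes (it is not Route 53 code and does not call the AWS API). The record sets are constructed dicts shaped like the output of `aws route53 list-resource-record-sets`; the checks (SOA/NS present, no CNAME at the apex, no CNAME sharing a name with other records, SPF published as TXT, SetIdentifier on any routed record) are the DNS and Route 53 rules stated in the notes.

```python
"""Sanity checks for a Route 53-style record set (added example, not Route 53 code)."""
from collections import defaultdict

# Keys whose presence means the record set uses a non-simple routing policy;
# Route 53 requires a SetIdentifier on every such record set.
POLICY_KEYS = ("Weight", "Region", "Failover", "GeoLocation", "MultiValueAnswer")

# Constructed sample zone, shaped like the ResourceRecordSets returned by
# `aws route53 list-resource-record-sets`. Names and values are made up.
SAMPLE_ZONE = "example.com."
SAMPLE_RECORDS = [
    {"Name": "example.com.", "Type": "SOA",
     "ResourceRecords": [{"Value": "ns-1.awsdns-00.example. hostmaster.example.com. 1 7200 900 1209600 86400"}]},
    {"Name": "example.com.", "Type": "NS",
     "ResourceRecords": [{"Value": "ns-1.awsdns-00.example."}]},
    # wrong: CNAME at the apex (should be an alias A record to the ELB)
    {"Name": "example.com.", "Type": "CNAME",
     "ResourceRecords": [{"Value": "my-elb-123456.us-east-1.elb.amazonaws.com."}]},
    # wrong: deprecated SPF record type (should be a TXT record)
    {"Name": "example.com.", "Type": "SPF",
     "ResourceRecords": [{"Value": '"v=spf1 include:amazonses.com -all"'}]},
    {"Name": "www.example.com.", "Type": "CNAME",
     "ResourceRecords": [{"Value": "my-elb-123456.us-east-1.elb.amazonaws.com."}]},
    # wrong: TXT under the same name as a CNAME
    {"Name": "www.example.com.", "Type": "TXT",
     "ResourceRecords": [{"Value": '"site-verification=abc123"'}]},
    # wrong: weighted record without a SetIdentifier
    {"Name": "api.example.com.", "Type": "A", "Weight": 25,
     "ResourceRecords": [{"Value": "192.0.2.10"}]},
    # fine: alias A record on a subdomain with simple routing
    {"Name": "static.example.com.", "Type": "A",
     "AliasTarget": {"HostedZoneId": "Z2FDTNDATAQYW2",
                     "DNSName": "d111111abcdef8.cloudfront.net.",
                     "EvaluateTargetHealth": False}},
]


def check_zone(zone_name, record_sets):
    """Return a list of human-readable problems found in record_sets."""
    apex = zone_name.rstrip(".").lower() + "."
    by_name = defaultdict(list)
    for rs in record_sets:
        by_name[rs["Name"].rstrip(".").lower() + "."].append(rs)

    problems = []
    apex_types = {rs["Type"] for rs in by_name.get(apex, [])}
    # Every hosted zone carries SOA and NS at the apex; Route 53 creates them.
    for required in ("SOA", "NS"):
        if required not in apex_types:
            problems.append(f"{apex}: missing {required} record at the zone apex")

    for name, rs_list in by_name.items():
        other_types = sorted({rs["Type"] for rs in rs_list} - {"CNAME"})
        for rs in rs_list:
            rtype = rs["Type"]
            if rtype == "CNAME":
                # RFC 1034: a CNAME may not share its name with any other record,
                # so it can never sit at the apex where SOA and NS already live.
                if name == apex:
                    problems.append(f"{name}: CNAME at the zone apex; use a Route 53 alias record")
                elif other_types:
                    problems.append(f"{name}: CNAME cannot coexist with {other_types}")
            if rtype == "SPF":
                problems.append(f"{name}: SPF record type is deprecated (RFC 7208); publish the policy in a TXT record")
            if any(k in rs for k in POLICY_KEYS) and "SetIdentifier" not in rs:
                problems.append(f"{name}: {rtype} record uses a routing policy but has no SetIdentifier")
    return problems


if __name__ == "__main__":
    for problem in check_zone(SAMPLE_ZONE, SAMPLE_RECORDS):
        print(problem)
```

Running the block prints four problems for the sample zone (apex CNAME, deprecated SPF, CNAME/TXT clash on www, weighted record without SetIdentifier); the alias record on static.example.com passes because alias records are A/AAAA records from DNS's point of view.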

Cloudwatch & CloudTrail - 

  • Amazon CloudWatch provides monitoring for AWS cloud resources and the applications customers run on AWS. Developers and system administrators can use it to collect and track metrics, gain insight, and react immediately to keep their applications and businesses running smoothly.
  • AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service.

AWS CloudWatch

  • is a monitoring and management service.
  • Collects metrics and logs from your AWS resources and, if the agent is configured, from on-premises servers.
  • Dashboards can be built from metrics and from queries over logs (CloudWatch Logs Insights).
  • Alarms watch a metric and take an action (SNS notification, Auto Scaling, EC2 stop/terminate/recover) when a threshold is crossed.
  • Metrics which are available by default for EC2,
    • CPU related - utilization
    • Disk related - read/write ops and bytes (instance store volumes; EBS volumes report their own metrics)
    • Network related - bytes and packets in/out
    • Status checks - instance-level and system (host)-level
  • Memory and disk-space usage are NOT default metrics; they need the CloudWatch agent and are published as custom metrics.
  • Metric retention: older exam material says two weeks; CloudWatch now keeps metrics for 15 months, rolling 1-minute data up to 5-minute resolution after 15 days and to 1-hour resolution after 63 days.
  • Install the CloudWatch Logs agent (superseded by the unified CloudWatch agent) on existing EC2 instances to ship OS and application logs to CloudWatch Logs.

CloudTrail

  • AWS CloudTrail records AWS API calls for your AWS account and delivers log files to an Amazon S3 bucket (and optionally to CloudWatch Logs for alerting).
  • CloudTrail log files in S3 are encrypted by default with S3-managed keys (SSE-S3); you can switch to SSE-KMS. Turn on log file integrity validation so the signed digest files reveal any tampering with or deletion of delivered logs.
  • A single trail can be applied to all regions from one place (a multi-region trail); do this so activity in regions you never use is still recorded.
  • Management (control-plane) events are logged by default; data events such as S3 object-level and Lambda Invoke calls must be enabled explicitly.

Exam Tips:

  • If the question is about monitoring, the answer is usually CloudWatch; if it is about auditing who did what, it has to be CloudTrail.
  • Turning on CloudWatch custom metrics (via the CloudWatch agent) provides additional monitoring such as memory utilization.
  • Keywords like compliance, audit, security threats, API calls, regulations -> prefer CloudTrail over CloudWatch.
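To make the "CloudTrail is for auditing" point concrete, here is an added example (not from the notes or from AWS) that reads a CloudTrail log file and flags a few high-signal events: a root console login, a burst of failed console logins from one IP, attempts to switch off logging or detection, and access-key creation. The records are constructed with real CloudTrail field names but made-up values; the thresholds and the list of tampering events are assumptions chosen for the demo.

```python
"""Triage CloudTrail records for a few high-signal security events.
Added example; the log records below are constructed, not real CloudTrail output."""
import json
from datetime import datetime, timedelta

# (eventSource, eventName) pairs that weaken audit logging or threat detection.
# Assumption for this example: the list is illustrative, not exhaustive.
LOGGING_TAMPERING = {
    ("cloudtrail.amazonaws.com", "StopLogging"),
    ("cloudtrail.amazonaws.com", "DeleteTrail"),
    ("cloudtrail.amazonaws.com", "UpdateTrail"),
    ("config.amazonaws.com", "StopConfigurationRecorder"),
    ("guardduty.amazonaws.com", "DeleteDetector"),
}


def _event(time, source, name, identity, ip, **extra):
    """Build a minimal CloudTrail record; real records carry more fields."""
    rec = {"eventVersion": "1.08", "eventTime": time, "eventSource": source,
           "eventName": name, "userIdentity": identity, "sourceIPAddress": ip,
           "awsRegion": "us-east-1"}
    rec.update(extra)
    return rec


# Constructed log file in CloudTrail's on-disk shape: {"Records": [...]}.
SAMPLE_LOG = json.dumps({"Records": [
    _event("2024-05-01T10:00:00Z", "signin.amazonaws.com", "ConsoleLogin",
           {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}, "198.51.100.7",
           responseElements={"ConsoleLogin": "Success"}, additionalEventData={"MFAUsed": "No"}),
    *[_event(f"2024-05-01T10:0{m}:00Z", "signin.amazonaws.com", "ConsoleLogin",
             {"type": "IAMUser", "userName": "alice"}, "203.0.113.5",
             responseElements={"ConsoleLogin": "Failure"}, errorMessage="Failed authentication")
      for m in (5, 6, 7)],
    _event("2024-05-01T10:30:00Z", "cloudtrail.amazonaws.com", "StopLogging",
           {"type": "IAMUser", "userName": "bob"}, "203.0.113.9",
           requestParameters={"name": "org-trail"}),
    _event("2024-05-01T10:31:00Z", "iam.amazonaws.com", "CreateAccessKey",
           {"type": "IAMUser", "userName": "bob"}, "203.0.113.9",
           requestParameters={"userName": "alice"}),
    _event("2024-05-01T10:32:00Z", "ec2.amazonaws.com", "DescribeInstances",
           {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/ReadOnly/ops"},
           "203.0.113.10"),
]})


def load_records(text):
    """Parse one CloudTrail log file (a JSON object with a Records array)."""
    return json.loads(text)["Records"]


def _actor(rec):
    ident = rec.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def _ts(rec):
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def triage(records, failure_threshold=3, window=timedelta(minutes=10)):
    """Return findings as dicts with rule, actor and detail."""
    findings = []
    failures_by_ip = {}
    for rec in records:
        source, name = rec.get("eventSource"), rec.get("eventName")
        ident = rec.get("userIdentity", {})
        ip = rec.get("sourceIPAddress", "?")
        if name == "ConsoleLogin":
            if ident.get("type") == "Root":   # root should not be used day to day
                mfa = rec.get("additionalEventData", {}).get("MFAUsed", "unknown")
                findings.append({"rule": "root_console_login", "actor": _actor(rec),
                                 "detail": f"root console login from {ip} (MFAUsed={mfa})"})
            if rec.get("responseElements", {}).get("ConsoleLogin") == "Failure":
                failures_by_ip.setdefault(ip, []).append(_ts(rec))
        if (source, name) in LOGGING_TAMPERING:
            findings.append({"rule": "logging_tampering", "actor": _actor(rec),
                             "detail": f"{name} with parameters {rec.get('requestParameters')}"})
        if source == "iam.amazonaws.com" and name == "CreateAccessKey":
            target = rec.get("requestParameters", {}).get("userName", _actor(rec))
            findings.append({"rule": "access_key_created", "actor": _actor(rec),
                             "detail": f"access key created for {target} by {_actor(rec)} from {ip}"})
    # Sliding window over sorted failure times, one finding per source IP.
    for ip, times in failures_by_ip.items():
        times.sort()
        for i in range(len(times) - failure_threshold + 1):
            if times[i + failure_threshold - 1] - times[i] <= window:
                findings.append({"rule": "console_login_brute_force", "actor": ip,
                                 "detail": f"{failure_threshold}+ failed console logins from {ip} within {window}"})
                break
    return findings


if __name__ == "__main__":
    for finding in triage(load_records(SAMPLE_LOG)):
        print(finding["rule"], "-", finding["detail"])
```

In production the same logic would run over the gzipped files CloudTrail delivers to S3 (or as CloudWatch Logs metric filters on the trail's log group); the point here is that every finding comes from fields CloudTrail always records: who (userIdentity), when (eventTime), from where (sourceIPAddress), what (eventSource/eventName, requestParameters) and the outcome (responseElements/errorMessage).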

Serverless Managed Services (SQS,SNS,API Gateway,Lambda,step function…)

SQS - Simple Queue Service (must know)

  • Amazon SQS ensures delivery of each message at least once and supports multiple readers and writers interacting with the same queue.
  • Types
    • SQS Standard -
      • Does not guarantee the order of delivery.
      • Duplicates are possible (at-least-once delivery), so consumers must be idempotent.
    • SQS FIFO -
      • Delivery is guaranteed in FIFO order within a message group.
      • No duplicates: exactly-once processing, with deduplication by ID within a 5-minute window.
    • It is a poll-based system: consumers pull messages (SNS, by contrast, pushes).
    • SQS stores messages for 4 days by default and for a maximum of 14 days.
    • The default visibility timeout is 30 seconds; the longest configurable value is 12 hours. A message that is not deleted before its timeout expires becomes visible again and is redelivered.
    • SQS facilitates horizontal scaling of consumers.
    • Each message can carry up to 10 message attributes (structured metadata such as timestamps).
    • Configure dead-letter queues to handle messages that can't be processed; the primary benefit is the ability to sideline and isolate unsuccessfully processed messages once they have been received maxReceiveCount times.
    • Delay queues allow you to postpone the delivery of new messages (up to 15 minutes).
    • With long polling, you send a WaitTimeSeconds argument to ReceiveMessage of up to 20 seconds, which cuts down empty responses and cost.
    • An SQS queue can subscribe to an SNS topic (fan-out).

Exam Tips:

  • Whenever you see decoupling and/or scaling microservices, SQS can be recommended.
  • Encryption - server-side encryption (SSE-SQS or SSE-KMS) can protect message bodies at rest; TLS protects them in transit.
  • An SQS batch request can contain up to TEN (10) individual messages, as long as the total size of the request does not exceed 256 KB.
  • Whenever the application is lagging in performance and cannot process tasks within the stipulated time, consider using SQS to buffer those messages so that EC2 instances (or another service such as Lambda) can pull from the queue at their own pace.
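The three SQS behaviours that matter most for the exam (at-least-once delivery, the visibility timeout, and redrive to a dead-letter queue) are easiest to see in a deterministic model. The block below is an added example, not the SQS client library: `SimulatedQueue` is an assumed in-memory stand-in whose `receive`/`delete` mimic ReceiveMessage/DeleteMessage, with the clock passed in as an integer number of seconds so the run is reproducible.

```python
"""In-memory model of SQS visibility timeout and dead-letter redrive.
Added example; it is not the SQS client library. Time is an integer number of
seconds passed in by the caller so the run is deterministic."""
import itertools


class SimulatedQueue:
    def __init__(self, visibility_timeout=30, max_receive_count=None, dead_letter=None):
        self.visibility_timeout = visibility_timeout
        self.max_receive_count = max_receive_count  # None: no redrive policy
        self.dead_letter = dead_letter
        self._ids = itertools.count(1)
        self._messages = {}  # message id -> {"body", "receive_count", "invisible_until"}

    def send(self, body):
        mid = f"msg-{next(self._ids)}"
        self._messages[mid] = {"body": body, "receive_count": 0, "invisible_until": 0}
        return mid

    def receive(self, now):
        """Return (id, body) of the first visible message, or None."""
        for mid, msg in list(self._messages.items()):
            if msg["invisible_until"] > now:
                continue                       # in flight with another consumer
            msg["receive_count"] += 1
            if self.max_receive_count is not None and msg["receive_count"] > self.max_receive_count:
                # Redrive policy: ReceiveCount exceeded maxReceiveCount, move it to the DLQ.
                del self._messages[mid]
                if self.dead_letter is not None:
                    self.dead_letter.send(msg["body"])
                continue
            msg["invisible_until"] = now + self.visibility_timeout
            return mid, msg["body"]
        return None

    def delete(self, mid):
        self._messages.pop(mid, None)   # deleting an already-deleted message is a no-op

    def bodies(self):
        return [m["body"] for m in self._messages.values()]


def run_scenario():
    """Two consumers race on a slow message while a poison message cycles to the DLQ."""
    dlq = SimulatedQueue()
    queue = SimulatedQueue(visibility_timeout=30, max_receive_count=3, dead_letter=dlq)
    queue.send({"order": 1})
    queue.send({"order": "poison"})   # a message the handler can never process

    # t=0: consumer A receives order 1; it will need 45 s, longer than the 30 s timeout.
    a_id, a_body = queue.receive(now=0)
    # t=0: consumer B receives the poison message, crashes, and never deletes it.
    b_id, b_body = queue.receive(now=0)
    # t=35: A is still working, the timeout has expired, and consumer C receives
    # order 1 again. This is at-least-once delivery; C must handle it idempotently.
    c_id, c_body = queue.receive(now=35)
    order_1_deliveries = sum(1 for body in (a_body, b_body, c_body) if body["order"] == 1)
    # t=45: A finishes and deletes; C's delete of the same message is a no-op.
    queue.delete(a_id)
    queue.delete(c_id)

    # The poison message becomes visible every 30 s until its receive count exceeds 3.
    poison_deliveries = 1 if b_body["order"] == "poison" else 0
    for t in (40, 70, 100):
        got = queue.receive(now=t)
        if got is not None and got[1]["order"] == "poison":
            poison_deliveries += 1
    return {"order_1_deliveries": order_1_deliveries,
            "poison_deliveries": poison_deliveries,
            "dead_lettered": dlq.bodies(),
            "remaining": queue.bodies()}


if __name__ == "__main__":
    print(run_scenario())
```

Order 1 is delivered twice even though nothing failed, which is why a consumer must key its side effects on a business identifier rather than trust "I only see each message once"; the poison message is delivered exactly maxReceiveCount times and then lands in the DLQ instead of being delivered a fourth time, which is what sidelining means in the tip above.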

SWF - Simple Workflow Service

  • An SWF workflow ensures that each task is executed only once, unlike SQS, which may deliver a message more than once.
  • Components:
    • Actors
      • Actors can be the workflow starter, the decider, or activity workers. Example: booking a ticket through a web portal.
    • Tasks
      • The units of work the actors perform as the workflow progresses.
      • Activity tasks, Lambda tasks, Decision tasks.
    • An instance or service outside AWS can perform activity-worker tasks.

SNS - Simple Notification Service

  • Push-based delivery.
  • Amazon Simple Notification Service follows the publish-subscribe paradigm.
  • Typical flow: create a topic -> subscribe endpoints with a protocol (email, SMS, HTTP/S, SQS, Lambda) -> create a CloudWatch alarm on a metric (e.g. an ELB metric) -> set the alarm action to the SNS topic.
  • All SNS messages are stored redundantly on multiple servers and in multiple data centers, which means that no single computer or network failure renders Amazon SNS inaccessible.
  • A fan-out scenario is when an Amazon SNS message is sent to a topic and then replicated and pushed to multiple Amazon SQS queues (or Lambda functions), each processing it independently.

API Gateway:

  • Amazon API Gateway is a fully managed service that makes it easy for developers to publish, maintain, monitor, and secure APIs at any scale.
  • API Gateway logs API calls, latency, and error rates to Amazon CloudWatch.
  • To control access use IAM permissions: one permission set for developers who create and deploy APIs, another for callers who invoke them. End users can instead be authenticated with Cognito user pools or a Lambda authorizer, and API keys with usage plans throttle individual clients.

AWS Lambda (must know)

  • A serverless compute service: you run your code without provisioning an instance, and compute is provisioned automatically for each invocation.
  • Lambda automatically scales your application by running code in response to each trigger.
  • Use AWS Lambda to execute code in response to triggers such as changes in data, shifts in system state, or actions by users.
  • Lambda can be directly triggered by AWS services such as S3, DynamoDB, Kinesis, SNS, SQS, CloudWatch Events/EventBridge, API Gateway and Step Functions.
  • The function's execution role (an IAM role) defines what the code may call; grant it least privilege.

AWS Step Functions (state machine):

  • To orchestrate or choreograph a workflow or business logic as a state machine.
  • If the call is synchronous, e.g. from API Gateway where the caller needs a response, use an Express workflow.
  • For all other asynchronous and long-running business flows, a Standard workflow can be used.
  • Mainly used to chain Lambda functions, SQS and SNS calls into one orchestrated business workflow with retries and error handling.
  • A Map state can be used to achieve dynamic parallelism (run the same step over each item of an array).
  • A Parallel state can be used to run more than one branch of the workflow at the same time.

Kinesis (must know)

  • Collect, process, and analyze real-time streaming data.
  • Variants:
    • Amazon Kinesis Data Firehose (preferred when the destination is S3)
      • Configured to save a live stream to Amazon S3, Kinesis Data Firehose sends the data directly to Amazon S3 (other destinations: Redshift, OpenSearch, Splunk); there is no consumer code to write.
    • Amazon Kinesis Data Streams
      • A service enabling you to build custom applications for more complex analysis of streaming data in real time.
      • Your own consumers (Kinesis Client Library applications, Lambda) process records as they arrive; records are retained for 24 hours by default, extendable.
      • A Kinesis data stream is a set of shards. Each shard has a sequence of data records. Each data record has a sequence number that is assigned by Kinesis Data Streams.
      • A data record is the unit of data stored in a Kinesis data stream.
      • Data records are composed of a sequence number, a partition key, and a data blob, which is an immutable sequence of bytes.
      • Effectively limitless streams: incoming data is distributed across shards by partition key, and you add shards to scale.
      • Each shard supports up to 5 read transactions per second, up to a maximum total read rate of 2 MB per second, and up to 1,000 records or 1 MB per second for writes.
      • Use case - log data, application logs, social media, market data feeds, and web clickstream data.
    • Amazon Kinesis Data Analytics:
      • A service enabling you to easily analyze streaming data in real time with standard SQL.
    • Kinesis Video Streams
      • For securely streaming video into AWS for storage, playback and ML/AI processing.

AWS Directory Service

  • is designed to reduce identity-management work: it provides a managed Microsoft Active Directory (AWS Managed Microsoft AD), AD Connector (a proxy to an existing on-premises AD) and Simple AD, all usable by AWS services such as WorkSpaces, RDS for SQL Server and the management console.

KMS - Key Management Service

  • Generate, store, enable/disable, rotate and delete encryption keys. Most KMS keys are symmetric (the same key encrypts and decrypts); asymmetric keys for signing and public-key encryption are also available.
  • A KMS key (formerly Customer Master Key, CMK) encrypts and decrypts up to 4 KB of data per Encrypt/Decrypt call, and the key material never leaves KMS unencrypted.
  • Data keys (GenerateDataKey) encrypt large data objects locally; KMS returns the data key together with a copy of it encrypted under the KMS key.
  • Envelope encryption protects the data: the object is encrypted with the data key, the encrypted data key is stored alongside the ciphertext, and the plaintext data key is discarded after use. Key policies and IAM policies control who may call Decrypt on the KMS key, and therefore who can ever recover the data.
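The following block is an added example of the envelope-encryption flow described above; it is not the AWS SDK or KMS itself. `ToyKms`, its 4 KB limit check and the HMAC-based cipher are assumptions made so that the demo runs offline with only the standard library: real KMS uses AES-256-GCM inside HSMs, and in production the `generate_data_key`/`decrypt` calls would be boto3's `kms.generate_data_key` and `kms.decrypt`, while the local cipher would be AES-GCM from a vetted library.

```python
"""Envelope encryption with a toy stand-in for KMS (added example, not AWS code)."""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode as a PRF keystream (toy; use AES-GCM in production)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key):
    """Derive separate encryption and MAC keys from one 32-byte key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key, plaintext):
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(key, blob):
    """Verify the tag in constant time before decrypting; raise on any modification."""
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: ciphertext or tag was modified")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


class ToyKms:
    """Holds key material that callers never see; mirrors Encrypt/Decrypt/GenerateDataKey."""
    MAX_DIRECT = 4096  # KMS Encrypt/Decrypt accept at most 4 KB of data

    def __init__(self):
        self._keys = {}

    def create_key(self):
        key_id = f"toy-key-{secrets.token_hex(4)}"   # assumed id format for the demo
        self._keys[key_id] = secrets.token_bytes(32)
        return key_id

    def encrypt(self, key_id, plaintext):
        if len(plaintext) > self.MAX_DIRECT:
            raise ValueError("Encrypt accepts at most 4 KB; use a data key for larger objects")
        return key_id.encode() + b":" + seal(self._keys[key_id], plaintext)

    def decrypt(self, blob):
        key_id, sealed = blob.split(b":", 1)   # real KMS also reads the key id from the ciphertext
        return open_sealed(self._keys[key_id.decode()], sealed)

    def generate_data_key(self, key_id):
        data_key = secrets.token_bytes(32)
        return data_key, self.encrypt(key_id, data_key)


def encrypt_object(kms, key_id, plaintext):
    """Envelope encryption: data under a fresh data key, data key under the KMS key."""
    data_key, encrypted_data_key = kms.generate_data_key(key_id)
    ciphertext = seal(data_key, plaintext)
    del data_key   # plaintext data key is used once and discarded
    return {"encrypted_data_key": encrypted_data_key, "ciphertext": ciphertext}


def decrypt_object(kms, envelope):
    data_key = kms.decrypt(envelope["encrypted_data_key"])   # needs kms:Decrypt on the key
    return open_sealed(data_key, envelope["ciphertext"])


def demo():
    kms = ToyKms()
    key_id = kms.create_key()
    payload = b"confidential customer export\n" * 3000   # ~87 KB, well above the 4 KB limit
    try:
        kms.encrypt(key_id, payload)
        direct_rejected = False
    except ValueError:
        direct_rejected = True
    envelope = encrypt_object(kms, key_id, payload)
    roundtrip_ok = decrypt_object(kms, envelope) == payload
    tampered = dict(envelope)
    ct = bytearray(envelope["ciphertext"])
    ct[NONCE_LEN + 10] ^= 0x01                  # flip one ciphertext bit
    tampered["ciphertext"] = bytes(ct)
    try:
        decrypt_object(kms, tampered)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {"direct_over_limit_rejected": direct_rejected,
            "roundtrip_ok": roundtrip_ok, "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(demo())
```

Two things the exam bullets gloss over are visible here: the stored object never contains the plaintext data key, only a copy that the KMS key can unwrap, so revoking `kms:Decrypt` (or disabling the key) makes every object encrypted under it unreadable; and authenticated encryption matters for the data side too, which is why the bit-flip is rejected rather than silently decrypting to garbage.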

AWS CloudHSM:

  • Helps you meet corporate, contractual, and regulatory compliance requirements for data security.
  • An HSM is a hardware appliance that provides tamper-resistant key storage and performs cryptographic operations inside the device, so keys never leave it in plaintext.
  • AWS CloudHSM gives you single-tenant, FIPS 140-2 Level 3 validated HSMs in your VPC: you generate and manage the keys yourself with full control, and AWS has no access to them. KMS can use a CloudHSM cluster as a custom key store when you need KMS integration backed by your own HSMs.

EMR - Elastic MapReduce:

  • EMR provides you with a fully managed, on-demand Hadoop framework.
  • Define -> instance type, number of nodes, Hadoop version and application tools such as Hive, Pig, Spark, Presto.
  • HDFS is the standard file system; it can use EC2 instance storage or Amazon EBS volumes.
  • EMRFS is an implementation of HDFS that lets clusters store data on Amazon S3, where it persists beyond the cluster's lifetime.
  • EMR starts your instances in two Amazon EC2 security groups, one for the primary (master) node and another for the core and task (worker) nodes.

AWS Data Pipeline:

  • AWS Data Pipeline is a web service that helps you reliably process and move data between different AWS compute and storage services.
  • Use case  -  batch processing / jobs.
  • Tasks can be scheduled and run.

AWS OpsWorks (to Manage Stacks) :

  • OpsWorks is a configuration management service that helps you configure and operate applications using Chef / Puppet.
  • AWS OpsWorks provides a simple and flexible way to create and manage stacks and applications.
  • Stack is the core AWS OpsWorks component. It is basically a container for AWS resources—Amazon EC2 instances, Amazon RDS database instances, and so on.
  • A layer represents a set of resources that serve a particular purpose, such as load balancing, web applications, or hosting a database server.
  • AWS OpsWorks sends all of your resource metrics to Amazon CloudWatch.

Cloud Formation (must know):

  • Infrastructure as code: a template declares the resources, and CloudFormation creates, updates and deletes them together as a stack.
  • You can author AWS CloudFormation templates in JSON or YAML formats.
  • The Resources section is the only required section. It specifies the stack resources and their properties, such as an Amazon Elastic Compute Cloud instance or an Amazon Simple Storage Service bucket.
  • When a stack is deleted, all the underlying resources are deleted too. Set DeletionPolicy: Retain (or Snapshot, for RDS instances and EBS volumes) on resources that must survive, such as audit-log buckets and databases.
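A minimal template illustrating the DeletionPolicy point, added here as an example (it is not from the notes or from AWS documentation; the resource names are made up). The audit bucket is retained on stack deletion and on replacement, and is created with default encryption, versioning and public-access blocking; the scratch bucket has no policy and is removed with the stack.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Example only - an audit-log bucket that survives stack deletion

Resources:
  AuditLogBucket:
    Type: AWS::S3::Bucket
    DeletionPolicy: Retain          # keep the bucket (and its logs) when the stack is deleted
    UpdateReplacePolicy: Retain     # keep it if an update would replace the resource
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      VersioningConfiguration:
        Status: Enabled
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true

  ScratchBucket:
    Type: AWS::S3::Bucket           # no DeletionPolicy: deleted with the stack (must be empty)
```

A bucket that still holds objects cannot be deleted by CloudFormation, so without Retain a stack deletion either fails part-way or forces someone to empty the audit bucket first; Retain makes the safe outcome the default.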

AWS Trusted Advisor (must know):

  • AWS Trusted Advisor inspects your AWS environment and makes recommendations when opportunities exist to save money, improve system availability and performance, or help close security gaps.
  • Use case - cost optimization, security, fault tolerance, and performance improvement.
    • Red: Action recommended
    • Yellow: Investigation recommended
    • Green: No problem detected

AWS Inspector

  • Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS by finding software vulnerabilities and deviations from best practices on EC2 instances (and, in the current version, in container images and Lambda functions).

AWS Config (any change to AWS resource)

  • With AWS Config, you can discover existing and deleted AWS resources and determine your overall compliance against rules.
  • Capabilities enable compliance auditing, security analysis, resource change tracking, and troubleshooting.
  • AWS Config integrates with AWS CloudTrail, so a recorded configuration change can be linked to the API call (and caller) that made it.
  • AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources, automating the evaluation of recorded configurations against desired configurations (Config rules, e.g. "S3 buckets must not be publicly readable").
  • Config continuously monitors and records your AWS resource configurations and keeps a history of each resource's configuration over time.

Amazon GuardDuty

  • is a managed threat detection service that continuously monitors for malicious or unauthorized behavior to help you protect your AWS accounts and workloads.

Amazon Athena (use case: SQL over data in S3, e.g. logs)

  • Amazon Athena is an interactive query service that makes it easy to analyze data in Amazon S3 using standard SQL.
  • can be used to analyze logs, such as CloudTrail logs, to help you identify trends and further isolate activity by attribute, such as source IP address or user.(serverless interactive query service).

AWS Shield (for DDoS)

  • is a managed distributed denial of service (DDoS) protection service that safeguards web applications running on AWS.

AWS WAF

  • is a web application firewall that helps protect your web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources.
  • Monitors the HTTP and HTTPS requests that are forwarded to Amazon CloudFront, an Application Load Balancer, API Gateway or AppSync.
  • Use case:
    • Allow all requests except the ones that you specify.
    • Block all requests except the ones that you specify
    • Count the requests that match the properties that you specify.

AWS X-Ray (must know)

  • traces user requests as they travel through your entire application, enabling analysis and debugging of distributed applications.
  • Use Case: X-Ray can be used for debugging/analyze MicroService or components.

AWS CodeDeploy

  • is a service that automates code deployments to any instance, including Amazon EC2 instances and instances running on-premises.
  • Use Case:
    • CodeDeploy supports in-place and blue/green deployments, with canary or linear traffic shifting for Lambda and ECS; if a deployment fails it can roll back automatically to the previous version.

Amazon QuickSight

  • is a business analytics service that makes it easy to build visualizations, perform ad-hoc analysis, and quickly get insights from your data.

Elastic Search

  • Amazon Elasticsearch Service (renamed Amazon OpenSearch Service) is a managed service that makes it easy to deploy, operate, and scale Elasticsearch clusters in the AWS Cloud.
  • Elasticsearch is an open-source, RESTful, distributed search and analytics engine.
  • When coupled with Kibana, a visualization tool, Elasticsearch can be used to provide near-real time analytics using large volumes of log data.
  • Amazon ES makes it easy to deploy, secure, operate, and scale Elasticsearch for log analytics, and application monitoring.

AWS Glue

  • is a fully-managed, pay-as-you-go, extract, transform, and load (ETL) service that automates the time-consuming steps of data preparation for analytics.
  • Glue can automatically discover both structured and semi-structured data stored in your data lake on Amazon S3, data warehouse in Amazon Redshift, and various databases running on AWS.

Amazon Elastic Network Adapters (ENA)

  • provide further optimization by delivering 20 Gbps or more of network capacity (up to 100 Gbps on current instance types) for instances within a single placement group.

AWS FPS & AWS DevPay

  • both leverage the Amazon Payments infrastructure to process payments from customers (legacy services, since discontinued).

Amazon Cognito (must know)

  • lets you easily add user sign-up and authentication to your mobile and web apps (user pools), including sign-in through external identity providers such as Google, Facebook, Amazon, Apple and any SAML or OIDC provider.
  • identity pools exchange a user-pool or external-provider token for temporary AWS credentials from STS, scoped by IAM roles for authenticated and unauthenticated users.

AWS Direct Connect

  • to have a dedicated private network link between on-premises and AWS that does not traverse the internet; traffic on it is not encrypted by default, so run an IPsec VPN over it if encryption is required.

AWS CloudSearch

  • makes it simple and cost-effective to set up, manage, and scale a search solution for your website or application.

AWS Organizations

  • offers policy-based management for multiple AWS accounts.
  • you can create groups of accounts (organizational units), automate account creation, and apply and manage policies for those groups.
  • you can create Service Control Policies (SCPs) that centrally set the maximum permissions available in member accounts; an SCP never grants access by itself, it only limits what IAM policies inside the account can grant, and it does not apply to the management account.
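An example SCP of the kind attached to an organizational unit, added here for illustration (it is not from the notes or from AWS; the approved-region list and the exempted global services are assumptions for the demo). It denies the logging/detection-tampering calls that CloudTrail would otherwise only record after the fact, stops member accounts from leaving the organization, and blocks activity outside approved regions while exempting global services that always run from us-east-1.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyLoggingAndDetectionTampering",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:StopLogging",
        "cloudtrail:DeleteTrail",
        "cloudtrail:UpdateTrail",
        "config:StopConfigurationRecorder",
        "config:DeleteConfigurationRecorder",
        "guardduty:DeleteDetector"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DenyLeavingOrganization",
      "Effect": "Deny",
      "Action": "organizations:LeaveOrganization",
      "Resource": "*"
    },
    {
      "Sid": "DenyUnapprovedRegions",
      "Effect": "Deny",
      "NotAction": [
        "iam:*",
        "sts:*",
        "organizations:*",
        "route53:*",
        "cloudfront:*",
        "support:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": ["us-east-1", "eu-west-1"]
        }
      }
    }
  ]
}
```

Because SCPs only filter, an account administrator with AdministratorAccess still cannot run any of the denied calls, which is the property the exam is after: guard rails enforced above the account rather than inside it.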