czerasz.com: notes

AWS Certified Solutions Architect - Associate (SAA-C02)

KMS

Before the KMS key is rotated, old (encrypted) data needs to be decrypted with the old key and then encrypted with the new key.

Customer Managed KMS Key:

  • created manually

  • see here how to generate the key material (PlaintextKeyMaterial.bin) and use it with Terraform:

    resource "aws_kms_external_key" "this" {
      key_material_base64     = filebase64("${path.module}/PlaintextKeyMaterial.bin")
      description             = "KMS key for Vault"
      deletion_window_in_days = 7
    }
    


Route53

Aliases are possible only on A records.

AWS Route 53 Resolver is used in hybrid clouds.

Storage

Block vs Object storage: in block storage specific parts of the file can be replaced, in object storage the whole object needs to be replaced.

S3 vs EFS:

  • S3 has higher durability and availability than EFS
  • S3 has eventual consistency for overwrite PUTS and DELETES

EBS

  • RAID 0 - higher throughput
  • RAID 1 - higher durability

EBS types:

  • SSD, General Purpose (GP2) provides 3 IOPS per GB up to 16,000 IOPS. Volume size is 1 GB to 16 TB.
  • Provisioned IOPS (IO1) provides the IOPS you assign, up to 50 IOPS per GiB and up to 64,000 IOPS per volume. Volume size is 4 GB to 16 TB.
  • Throughput Optimized HDD (ST1) provides up to 500 IOPS per volume but does not provide an SLA for IOPS.
  • Cold HDD (SC1) provides up to 250 IOPS per volume but does not provide an SLA for IOPS.

S3

Storage Classes

S3 One Zone-IA has the same durability, but if the single data center it lives in burns down, the data is lost forever.

S3 is good for:

  • WORM scenarios: Write Once Read Many times
  • When the storage size is not predictable

S3 can be encrypted with:

  • SSE-KMS - uses a KMS key

  • SSE-S3 - Server-Side Encryption with Amazon S3-Managed Keys

  • SSE-C - Protecting data using server-side encryption with customer-provided encryption keys

    When you upload an object, Amazon S3 uses the encryption key you provide to apply AES-256 encryption to your data and removes the encryption key from memory. When you retrieve an object, you must provide the same encryption key as part of your request. Amazon S3 first verifies that the encryption key you provided matches and then decrypts the object before returning the object data to you.

Storage Gateway

  • File Gateway: files are stored in S3 with local cache for low-latency. File Gateway offers file-based access (via NFS and SMB) to object data in Amazon S3. It can be used for applications that need file data to be transported to Amazon S3 (and vice versa) for object-based workloads like big data analytics and media processing. It is not meant to store and serve files for use with file-based workloads.
  • Volume Gateway - block-level protocol
    • Cached volumes: data stored in S3 with a local cache
    • Stored volumes: snapshots are backed up to S3
  • Tape Gateway: virtual tape service. Syncs with Glacier

Storage Gateway

  • File Gateway: provides a virtual file server, which enables mounting S3 buckets as SMB or NFS volumes. Can be used on-premises (in your own cloud or on your own machine) or on EC2
  • Volume Gateway: virtual block volume - block storage emulation for S3

FSx for Windows File Server is our native service for storing and serving Windows/SMB file shares. It offers fully managed, highly available, highly durable, shared file storage with Windows-native compatibility, features, and performance. It is natively integrated with your Active Directory. And, you can access it from on-premises (via Direct Connect or VPN), or from within the AWS cloud.

Glacier retrieve options:

  • Expedited - Expedited retrievals allow you to quickly access your data when occasional urgent requests for a subset of archives are required. For all but the largest archives (250 MB+), data accessed using Expedited retrievals are typically made available within 1–5 minutes. Provisioned Capacity ensures that retrieval capacity for Expedited retrievals is available when you need it.
  • Standard - Standard retrievals allow you to access any of your archives within several hours. Standard retrievals typically complete within 3–5 hours. This is the default option for retrieval requests that do not specify the retrieval option.
  • Bulk - Bulk retrievals are S3 Glacier’s lowest-cost retrieval option, which you can use to retrieve large amounts, even petabytes, of data inexpensively in a day. Bulk retrievals typically complete within 5–12 hours.

Security

CloudFront “Field Level Encryption” allows HTTP data to be encrypted with a public key at CloudFront.

WAF can be used with:

  • CloudFront
  • ELB

The default security group has an inbound rule that allows all traffic from the security group itself.

Compute

AMIs are regional.

EC2 Hypervisors:

  • Xen
  • Nitro

Instance metadata URL: http://169.254.169.254/latest/meta-data

Placement Groups:

  • Cluster: instances on the same rack - single AZ
  • Partition: instance groups on different racks
  • Spread: at most 7 instances per AZ

Useful EC2 Init Scripts

#!/bin/bash
# Update packages and install Apache plus curl
yum update -y
yum install httpd curl -y
# Start Apache now and enable it at boot (chkconfig is redundant on systemd hosts but harmless)
systemctl start httpd
systemctl enable httpd
chkconfig httpd on
# Serve this instance's ID as the index page, extracted from the instance identity document
curl -s http://169.254.169.254/latest/dynamic/instance-identity/document | grep -i instanceId | sed 's/.*instanceId"\s*:\s*"//' | sed 's/".*$//' > /var/www/html/index.html
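The same task done over IMDSv2, as an added example that is not part of the original notes: the init script above reads metadata with a plain IMDSv1 GET, whereas IMDSv2 requires a session token obtained with a PUT, so a forged GET (SSRF, open proxy) cannot read the metadata. It assumes curl and the standard endpoint; the identity document is a constructed sample.

```shell
#!/bin/bash
# Publish the instance ID like the init script above, but via IMDSv2: every
# metadata read must carry a session token obtained with a PUT, so a forged
# GET from an SSRF or a misconfigured proxy cannot read metadata.
# Assumes curl and the standard endpoint; the JSON below is a constructed sample.

IMDS="http://169.254.169.254"

# Request a short-lived session token (TTL in seconds, 1..21600).
imds_token() {
  curl -sf -X PUT "$IMDS/latest/api/token" \
       -H "X-aws-ec2-metadata-token-ttl-seconds: 60"
}

# Read a metadata path with the token attached; fails without a valid token.
imds_get() {
  local token path=$1
  token=$(imds_token) || return 1
  curl -sf -H "X-aws-ec2-metadata-token: $token" "$IMDS/latest/$path"
}

# Extract "instanceId" from the identity document on stdin without jq,
# a stricter version of the grep/sed pipeline in the init script.
extract_instance_id() {
  sed -n 's/.*"instanceId"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

instance_id() {
  imds_get dynamic/instance-identity/document | extract_instance_id
}

# Constructed sample of the identity document, for running this offline.
SAMPLE_DOC='{
  "accountId" : "123456789012",
  "region" : "eu-west-1",
  "instanceId" : "i-0123456789abcdef0",
  "instanceType" : "t3.micro"
}'

# Usage: run with --demo to parse the sample; on an instance, call instance_id
# and redirect its output to /var/www/html/index.html as the init script does.
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_DOC" | extract_instance_id
fi
```

IMDSv1 can be disabled per instance with `aws ec2 modify-instance-metadata-options --http-tokens required`, after which only token-carrying reads like the one above succeed.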

Networking

An ENI is created per AZ (subnet).

An IGW serves two purposes:

  • provide a target in your VPC route tables for internet-routable traffic
  • perform network address translation (NAT) for instances that have been assigned public IPv4 addresses

In a custom VPC, an instance launched in a public subnet doesn’t get a public IP by default.

The CLB does not support WebSockets.

PrivateLink requires an NLB (min $1/month)

Global Accelerator works with:

  • EC2 instance
  • ALB
  • NLB
  • Elastic IP

Global Accelerator:

  • Works with TCP and UDP
  • The client IP address is lost

By default all inbound and outbound traffic for a new NACL is denied.

Flow logs can be set on:

  • VPC level
  • Subnet level
  • Network Interface (EC2 instance) level

Flow logs can be stored in CloudWatch Logs or S3.

VPC Peering:

  • Cross account
  • Cross region
  • Requires a route to the VPC peering connection
  • Security groups can reference security groups in the peer VPC (same region only)

Transit Gateway

  • Cross account
  • Single route to the TG (the Transit Gateway has its own routing table)
  • Security groups can NOT reference security groups across the Transit Gateway

VPN

On premise → Customer Gateway → VPN Connection → Virtual Private Gateway → VPC

Direct Connect

On premise → Private Virtual Interface → Direct Connect Location → [Direct Connect Gateway] → Virtual Private Gateway → VPC

Direct Connect Gateway

  • allows connecting to up to 10 VPCs
  • allows connecting to VPCs in multiple regions

VPC Gateway Endpoint

  • Only for S3 and DynamoDB

Interface VPC Endpoint:

  • When an Interface VPC Endpoint for a service is created, an Elastic Network Interface with a private IP address is created in the subnet; that address serves as the entry point for traffic destined to the service
  • An Elastic Network Interface is created for each subnet
  • Needs to be associated with a security group

Load Balancers:

  • NLB can have static IP per AZ
  • One can proxy the ALB through the NLB to achieve static IP functionality

Disaster Recovery

Types:

  • Backup & Restore
  • Pilot Light - configure and run only the most critical core elements; active/passive configuration
  • Warm Standby - a scaled-down version of a fully functional environment is always running
  • Hot Standby (Multi Site) - active/active configuration


Databases

DynamoDB uses Application Auto Scaling. It’s not useful for spikes, which are better handled with DAX.

RDS can be taken offline for maintenance if patching the operating system or database is required; this only applies to security and instance reliability patches.

Scaling

Resilience: the infrastructure can recover, for example through RDS Multi-AZ failover. Durability: AWS measures durability as a percentage. For example, the S3 Standard tier is designed for 99.999999999% durability. This means that if you store 100 billion objects in S3, you will lose one object at most.

If ELB health checks are enabled on the Auto-Scaling group then both status checks are performed: EC2 health checks and ELB health checks.

Auto-Scaling group default termination policy:

  • Determine which AZ has the most instances
  • Align to allocation strategy: spot instances vs on demand
  • Determine which instance uses the oldest launch template
  • Determine which instance uses the oldest launch configuration
  • Determine which instance is closest to the next billing hour

There are also other termination policies.

Dynamic scaling policy types:

  • Simple scaling
  • Step scaling
  • Target tracking scaling

In Trusted Advisor one can see the service limits.

SQS

  • Message size up to 256 KB
  • Messages can be kept in the queue from 1 minute to 14 days (default retention is 4 days)
  • Messages are guaranteed to be processed at least once
  • Delay can be between 0 seconds and 15 minutes
  • Visibility timeout can be between 0 seconds and 12 hours

Types:

  • Standard
    • best effort ordering
    • Unlimited throughput
    • At least once delivery
  • FIFO
    • Up to 300 messages/sec; with batching (max 10 messages per operation) up to 3,000 messages/sec
    • Messages are sent and received in strict order
    • Exactly once processing
    • Messages with the same Group ID are delivered to one consumer at a time

SNS

  • 10 million subscriptions per topic
  • Limit of 100,000 topics

SQS vs SNS

  • SQS has a longer retention period
  • SQS can reprocess events in case of failure
  • SNS can be used to fan out
  • SNS is used when one does NOT care about lost messages

Big Data

Firehose Destinations include: Amazon S3, Amazon Redshift, Amazon Elasticsearch Service, and Splunk.
