AWS Solutions Architect Professional 2021


Virtualization

"OS virtualization"; process of running multiple operating systems on the same physical hardware

VPC Sharing

(part of Resource Access Manager) allows multiple AWS accounts to create their application resources such as EC2 instances, RDS databases, Redshift clusters, and Lambda functions, into shared and centrally-managed Amazon Virtual Private Clouds (VPCs).

Volume Gateway Cached Mode

***All data is stored in S3 and cached locally*** *Capacity can be extended into AWS* Datacenter-extension architecture. Supports volumes of up to 32 TiB each and up to 1,024 TiB in total per gateway. The local disk only holds a cache of recently used blocks, so losing the gateway does not lose the data.

Volume Gateway Stored Mode

***Everything is stored locally, asynchronously backed up to AWS as EBS snapshots*** *Great for 'full disk' backups of servers* *Assists with disaster recovery: the snapshots can be turned into EBS volumes in AWS* *Doesn't improve datacenter capacity: the primary copy of the data stays on the gateway* Supports volumes of up to 16 TiB each and up to 512 TiB in total per gateway.

Signed URLs

**Private distribution that only provides access to ONE object** Use if your client doesn't support cookies. One signed URL per file. The URL carries an expiry, a signature over a policy, and the ID of a key pair in the distribution's trusted key group; anyone holding that private key can mint valid URLs, so protect and rotate it.
Use cases:
- You want to use an RTMP distribution; signed cookies aren't supported for RTMP distributions (CloudFront has since discontinued RTMP)
- You want to restrict access to individual files, for example an installation download for your application
- Your users are using a client (for example, a custom HTTP client) that doesn't support cookies
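How a signed URL is actually built and checked is easy to get wrong (the policy bytes must match what the edge reconstructs, and the base64 alphabet is CloudFront's own). The following is an added example, not code from the flashcards or from AWS: it signs a URL with a canned policy using RSA-SHA1 exactly as CloudFront specifies, then verifies it the way the edge does. The key pair, key-pair ID and distribution hostname are placeholders generated or invented for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"strconv"
	"strings"
	"time"
)

// cannedPolicy builds the exact byte string CloudFront reconstructs at the edge
// for a canned policy: no whitespace, this key order. Any deviation changes the
// signed bytes and the URL is rejected. The resource must not need JSON escaping.
func cannedPolicy(resource string, expires int64) []byte {
	return []byte(fmt.Sprintf(
		`{"Statement":[{"Resource":"%s","Condition":{"DateLessThan":{"AWS:EpochTime":%d}}}]}`,
		resource, expires))
}

// cfEncode is CloudFront's URL-safe base64: '+' -> '-', '=' -> '_', '/' -> '~'.
func cfEncode(b []byte) string {
	return strings.NewReplacer("+", "-", "=", "_", "/", "~").
		Replace(base64.StdEncoding.EncodeToString(b))
}

func cfDecode(s string) ([]byte, error) {
	return base64.StdEncoding.DecodeString(
		strings.NewReplacer("-", "+", "_", "=", "~", "/").Replace(s))
}

// SignURL appends Expires, Signature and Key-Pair-Id to resource. CloudFront
// signed URLs use RSA with SHA-1 (PKCS#1 v1.5) over the policy bytes.
func SignURL(priv *rsa.PrivateKey, keyPairID, resource string, expires time.Time) (string, error) {
	exp := expires.Unix()
	digest := sha1.Sum(cannedPolicy(resource, exp))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA1, digest[:])
	if err != nil {
		return "", err
	}
	sep := "?"
	if strings.Contains(resource, "?") {
		sep = "&"
	}
	return fmt.Sprintf("%s%sExpires=%d&Signature=%s&Key-Pair-Id=%s",
		resource, sep, exp, cfEncode(sig), keyPairID), nil
}

// VerifySignedURL does what the edge does: strip the three signing parameters,
// rebuild the canned policy from what is left, check expiry, and verify the
// signature with the trusted public key. Tampering with the path or Expires breaks it.
func VerifySignedURL(pub *rsa.PublicKey, signed string, now time.Time) error {
	u, err := url.Parse(signed)
	if err != nil {
		return err
	}
	q := u.Query()
	exp, err := strconv.ParseInt(q.Get("Expires"), 10, 64)
	if err != nil {
		return fmt.Errorf("bad Expires: %w", err)
	}
	if !now.Before(time.Unix(exp, 0)) {
		return errors.New("url expired")
	}
	sig, err := cfDecode(q.Get("Signature"))
	if err != nil {
		return err
	}
	q.Del("Expires")
	q.Del("Signature")
	q.Del("Key-Pair-Id")
	u.RawQuery = q.Encode()
	digest := sha1.Sum(cannedPolicy(u.String(), exp))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA1, digest[:], sig)
}

func main() {
	// Stand-in for the private key of a key pair in the distribution's trusted key group.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	signed, err := SignURL(priv, "APKAEXAMPLEKEYID", // placeholder key-pair ID
		"https://d111111abcdef8.cloudfront.net/private/installer.zip", time.Now().Add(10*time.Minute))
	if err != nil {
		panic(err)
	}
	fmt.Println(signed)
	fmt.Println("verify:", VerifySignedURL(&priv.PublicKey, signed, time.Now()))
}
```

Only the public key is configured in CloudFront, so the signing side needs the private key and nothing else; that is the component to lock down. Custom policies (IP ranges, DateGreaterThan) add a `Policy` parameter instead of `Expires`, but the signing and encoding are the same.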

AWS SSO (Single Sign-On)

*Allows you to centrally manage SSO access to multiple AWS accounts as well as external business applications (it uses SAML 2.0 under the hood, so you don't have to set up per-account SAML federation yourself)* *Preferred by AWS over traditional 'workforce' identity federation because it significantly reduces the admin overhead of identity management* Handles SSO & permissions (permission sets mapped to roles) for AWS accounts and external applications. Integrates with a range of enterprise or workplace identities: its own directory, AWS Managed Microsoft AD, AD Connector, or an external SAML/SCIM IdP. Renamed IAM Identity Center in 2022.

AWS WAF (Web Application Firewall)

*Layer 7 (HTTP/S) firewall* Protects against Layer 7 attacks/exploits by filtering requests based on rules, e.g. SQL injection, cross-site scripting, geo blocks, rate-based rules. A Web Access Control List (Web ACL) is associated with *ALB, API Gateway, or CloudFront* (also AppSync and Cognito user pools). Rule conditions include:
- IP addresses
- HTTP headers
- HTTP body
- URI strings
- SQL injection
- Cross-site scripting
The Web ACL's default action (allow or block) applies when no rule matches, so a short rule list with "default allow" only blocks known-bad patterns.

Event Source Mappings

*Typically used for streams or queues which don't generate events themselves to invoke Lambda (Kinesis, DynamoDB Streams, SQS)* - *The mapping reads/polls the stream or queue and delivers event batches to Lambda. By default a batch succeeds or fails as a whole; with ReportBatchItemFailures enabled the function can report which items failed so only those are retried* ***The Lambda execution role's permissions are used by the mapping to read from the event source (e.g. sqs:ReceiveMessage, kinesis:GetRecords)*** - For stream sources an SQS queue or SNS topic can be configured as an on-failure destination for discarded batches; for SQS sources, messages that exhaust their retries go to the queue's own dead-letter queue
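The "whole batch succeeds or fails" rule has a practical consequence: one poison message makes SQS redeliver every good message in the batch too. The following is an added example, not from the flashcards or the AWS SDK: an SQS-triggered handler that reports partial batch failures. The event and response types are hand-written mirrors of the shapes Lambda uses (so the example runs without the aws-lambda-go module); the order payload and `processOrder` logic are hypothetical.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Hand-written mirrors of the SQS event and partial-batch response shapes,
// with the field names Lambda emits/expects. A real function would use the
// aws-lambda-go events package and lambda.Start(Handler).
type SQSRecord struct {
	MessageID string `json:"messageId"`
	Body      string `json:"body"`
}
type SQSEvent struct {
	Records []SQSRecord `json:"Records"`
}
type BatchItemFailure struct {
	ItemIdentifier string `json:"itemIdentifier"`
}
type BatchResponse struct {
	BatchItemFailures []BatchItemFailure `json:"batchItemFailures"`
}

// order is the hypothetical message payload this consumer expects.
type order struct {
	ID     string  `json:"id"`
	Amount float64 `json:"amount"`
}

// processOrder stands in for business logic; it rejects malformed or
// negative orders so per-record failure reporting is visible.
func processOrder(body string) error {
	var o order
	if err := json.Unmarshal([]byte(body), &o); err != nil {
		return fmt.Errorf("malformed body: %w", err)
	}
	if o.ID == "" || o.Amount < 0 {
		return errors.New("invalid order")
	}
	return nil
}

// Handler processes every record and lists only the failed ones. This only
// takes effect if the event source mapping has FunctionResponseTypes set to
// ReportBatchItemFailures; otherwise the response is ignored and a returned
// error fails the whole batch, making SQS redeliver the good messages too.
func Handler(evt SQSEvent) (BatchResponse, error) {
	resp := BatchResponse{BatchItemFailures: []BatchItemFailure{}}
	for _, r := range evt.Records {
		if err := processOrder(r.Body); err != nil {
			resp.BatchItemFailures = append(resp.BatchItemFailures,
				BatchItemFailure{ItemIdentifier: r.MessageID})
		}
	}
	return resp, nil
}

func main() {
	// Constructed sample batch: two valid orders, one malformed, one invalid.
	raw := `{"Records":[
	 {"messageId":"m1","body":"{\"id\":\"o-1\",\"amount\":10}"},
	 {"messageId":"m2","body":"not json"},
	 {"messageId":"m3","body":"{\"id\":\"o-3\",\"amount\":-5}"},
	 {"messageId":"m4","body":"{\"id\":\"o-4\",\"amount\":2.5}"}]}`
	var evt SQSEvent
	if err := json.Unmarshal([]byte(raw), &evt); err != nil {
		panic(err)
	}
	resp, _ := Handler(evt)
	out, _ := json.Marshal(resp)
	fmt.Println(string(out)) // {"batchItemFailures":[{"itemIdentifier":"m2"},{"itemIdentifier":"m3"}]}
}
```

Messages m2 and m3 are retried (and eventually land in the queue's dead-letter queue, which still needs to be configured on the queue's redrive policy); m1 and m4 are deleted from the queue because they are absent from the failure list.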

Amazon EMR (Elastic MapReduce)

*Used for big data processing, manipulation, analytics, indexing, transformation, and more (data pipeline)* The AWS-managed implementation of Apache Hadoop, plus Spark, HBase, Presto, Flink, Hive, Pig. Great when migrating from on-premises to AWS if you already use these open-source tools. Runs in one AZ in a VPC using EC2 for compute. Auto scales - Spot, Instance Fleet, Reserved, On-Demand

File Gateway

*Bridges local file storage over NFS and SMB with S3 storage* *Mount points (file shares) available via NFS or SMB map directly onto an S3 bucket* *Files stored into a mount point are visible as objects in the S3 bucket* Read and write caching ensure LAN-like performance. Supports multi-site, maintains the directory structure, integrates with other AWS products and supports S3 object lifecycle management. *Primary data is held in S3*

Shield Standard

*Free for all AWS customers; applied automatically to CloudFront, Route 53 and Global Accelerator* Protection against common Layer 3 and Layer 4 DDoS attacks (SYN/UDP floods, reflection attacks). Shield Advanced is the paid tier that adds WAF integration, cost protection and the DDoS response team.

Spot Fleet Instances

A collection (fleet) of Spot Instances and optionally On-Demand Instances. Set a maximum price you're willing to pay per Spot Instance or for the fleet as a whole, plus a target capacity. Can mix instance types and purchase options across capacity pools.

One AZ

1 or multiple? RDS Multi-AZ (one synchronous standby in a second AZ) tolerates the failure of ONE AZ: the standby is promoted and the DNS endpoint is repointed to it.

SSM Patch Manager Steps

1. Define a *patch baseline* to use (or several if you have multiple environments)
2. Define patch groups based on tags, for example per environment (dev, test, prod), using the tag key *Patch Group*
3. Define *Maintenance Windows* (schedule, duration, registered targets/patch groups, and registered tasks)
4. Add the *AWS-RunPatchBaseline* Run Command document as a registered task of the Maintenance Window (works cross-platform, Linux & Windows; Operation=Scan only reports, Operation=Install applies patches)
5. Define *Rate Control* (concurrency & error threshold) for the task
6. Monitor *Patch Compliance* using SSM Inventory / Compliance

Custom Headers and IP Based FW Blocks

2 Ways Custom Origins Secure Architecture?

Public Internet Zone (Web), AWS Public Zone (S3), AWS Private Zone (EC2)

3 Different Network Zones

Rehosting Replatforming Repurchasing Refactoring/Rearchitecting Retire Retain

6R's of Cloud Migration

10 TB (roughly: 1 Gbps ≈ 125 MB/s, × 86,400 s ≈ 10.8 TB)

A 1Gbps connection at full utilization can transfer approximately how many TB of data in a day

DynamoDB Streams

A 24-hour rolling window of time-ordered, item-level changes to ITEMS in a DynamoDB table. The API is modelled on Kinesis and can be consumed with the Kinesis Client Library adapter, but it is a separate service from Kinesis Data Streams (Kinesis Data Streams for DynamoDB is a different, longer-retention option). Streams are enabled per table and have 4 view types:
- KEYS_ONLY
- NEW_IMAGE
- OLD_IMAGE
- NEW_AND_OLD_IMAGES

Hosted VIF

A VIF created on a Direct Connect connection in your account and shared with another AWS account. A single VIF (not a whole connection); bandwidth is shared, not dedicated. Invite-and-accept architecture.

Direct Connect Gateway

A global network device accessible from all regions. If you want Direct Connect to reach one or more VPCs in different regions (same account or cross-account) you must use this.
- Integrates via one private VIF
- Uses VGW associations (or transit gateway associations) globally
- Lets all the attached VPCs route to the on-premises environment, but does not route between VPCs
- 10 VGW associations per DX Gateway

Route 53

A global service that's an entry point that can survive multiple region failures

Throughput Optimized HDD (st1)

A low-cost HDD designed for frequently accessed, throughput-intensive workloads *big data, data warehouses, log processing* Max 500 IOPS or 500 MiB/s per volume. Cheap. Cannot be a boot volume.

AD Connector

A pair of directory endpoints running in AWS (ENIs in a VPC) that redirect requests to existing directory servers on-premises. Use when you actively don't want any directory data in AWS:
- Proof of concept
- Business with a small amount of infrastructure in AWS that still needs directory capability compatible with AWS services
- Legal or compliance reasons not to have any directory within AWS
Adds reliance on the network connectivity (if the VPN/DX is down, authentication fails). Risky for larger deployments.

Signed Cookies

A private distribution that provides access to groups of objects
- Use for groups of files / all files of a type (e.g. all cat gifs)
- Use if maintaining URLs is important
One signed cookie for many files
Use cases:
- You want to provide access to multiple restricted files, for example all of the files for a video in HLS format or all of the files in the subscribers' area of a website
- You don't want to change your current URLs

Asymmetric Key

A public and private key pair that can be used for encrypt/decrypt or sign/verify operations. No requirement to exchange a secret in advance: only the public key is shared. Expensive in CPU cycles and limited in how much data one operation can process, so in practice it is used to wrap a symmetric key or to sign a hash.

Symmetric Key

A single key used for both encrypt and decrypt operations. Great for local file encryption or disk encryption on laptops, and fast for bulk data, but on its own not useful where data must be transferred between two remote parties, because both sides need the same secret and it has to be exchanged securely first. Cheap in CPU cycles.

Expiration Rules

A lifecycle rule used to manage the cost of S3 buckets with versioning enabled: noncurrent (previous) versions are permanently deleted after a set number of days (NoncurrentVersionExpiration). Note that a plain current-version expiration on a versioned bucket only adds a delete marker; it does not reclaim space.

SSL Offloading

A way to save EC2 CPU by moving TLS handshakes off the web server. CloudHSM supports SSL/TLS offload for NGINX and Apache (via the OpenSSL Dynamic Engine) and for IIS. Extra security: the TLS private key never leaves the HSM.

NLB

ALB or NLB: Private Link

ALB

ALB or NLB: Protocols HTTP or HTTPS

ALB

ALB or NLB: Slower (higher latency), because it terminates and inspects traffic at Layer 7

NLB

ALB or NLB: Static IP for whitelisting

NLB

ALB or NLB: Unbroken (end-to-end) encryption, i.e. TLS passthrough to the target

Bad Request (Generic)

API Gateway Errors: 400

Access Denied - an authorizer denied the request, or WAF filtered it

API Gateway Errors: 403

Not Found Exception

API Gateway Errors: 404

Limit Exceeded/Too Many Requests

API Gateway Errors: 429

Client Error (Invalid request on client side)

API Gateway Errors: 4XX

Bad Gateway Exception - bad output returned by lambda

API Gateway Errors: 502

Service Unavailable - backing endpoint offline? Major service issues

API Gateway Errors: 503

Integration Failure/Endpoint Request Timeout - *29 s default integration timeout* (since 2024 it can be raised for regional and private REST APIs)

API Gateway Errors: 504

Server Error (Valid request, backend issue)

API Gateway Errors: 5XX

Mock Integration

API Gateway integration that's used for testing, no backend involvement

AWS Glue

AWS Glue or DataPipeline? Serverless, ad hoc, or cost effective

Network Reachability Package

Amazon Inspector (Classic) rules package that looks at exposure to public networks (routes, security groups, NACLs, load balancers) and, if the agent is installed, whether a process on the OS is actually listening on the exposed port *no agent required* for the network analysis itself

AWS Cognito

AWS SSO or Cognito? Customer identities like web applications using Twitter, Google, Facebook or any other web identity

AWS SSO

AWS SSO or Cognito? Enterprise or Workplace Identities

Aurora

AWS-designed database engine, officially part of RDS, that implements a number of radical design changes (cluster architecture) offering significant performance and feature improvements over the other RDS engines. A cluster is made up of a primary instance plus 0 or more replicas (which provide both availability and read scaling). No local storage; a shared cluster volume replicated across 3 AZs provides faster provisioning and improved availability and performance. Aurora Auto Scaling adds and removes replicas.

Layer 2 - Data Link Layer

Adds device unique IDs (MAC Address) and controls access to the shared medium; detects and mitigates collisions

Layer 4 - Transport Layer

Adds ports, error detection/correction, retransmission, flow control and a connection-oriented architecture (TCP; UDP adds only ports and a checksum)

Layer 3 - Network Layer

Adds the ability for cross-network addressing (IP Addresses). It allows packets to be routed across different layer 2 networks, via L2 Frame encapsulation and forwarding decisions using routes and route tables. This layer allows the internet to function.

Redshift Enhanced VPC Routing

Advanced networking control used for customized networking requirements Copy/Unload goes through VPC for better performance and lower cost Controlled by security groups, network access control lists, custom DNS, etc; use these features to tightly manage the flow of data between your Amazon Redshift cluster and other resources. By default Redshift uses public routes for traffic when communicating with external services or any AWS services when it's loading data.

Lambda Layers

Allow new runtimes and allow libraries to be externalized. Deployment ZIPs are smaller, with shared libraries reused between functions Makes deployments easier and easier to manage. a .zip file archive that contains libraries, a custom runtime, or other dependencies. You can use libraries in your function without needing to include them in your deployment package.

S3 Replication

Allows S3 objects to be replicated between a SOURCE and a DESTINATION bucket in the same or different AWS accounts. Two types: CRR (cross-region) and SRR (same-region). Versioning must be enabled on both buckets; existing objects are not replicated unless you run Batch Replication; objects encrypted with SSE-KMS are only replicated if the rule opts in and the replication role can use both keys. *Destination storage class defaults to the same as the source* Why use this?
- Log aggregation (SRR)
- PROD and TEST sync (SRR)
- Resilience with strict sovereignty (SRR)
- Global resilience improvements (CRR)
- Latency reduction (CRR)

Route53 Endpoints

Route 53 Resolver endpoints. Allow you to build a hybrid DNS platform across AWS and on-premises environments. VPC interfaces (ENIs) reachable over VPN or DX. Two types:
Inbound endpoints - on-premises resolvers forward queries to the Route 53 Resolver (so on-premises can resolve private hosted zones)
Outbound endpoints - conditional forwarders, Route 53 Resolver to on-premises (resolver rules control which domains are forwarded)

Identity Pools

Allows you to hand out temporary AWS credentials. Enables you to create unique identities for your users and federate them with identity providers; the app obtains temporary, limited-privilege AWS credentials to access other AWS services. Swaps identity tokens from an external ID provider for temporary AWS credentials (STS AssumeRoleWithWebIdentity under the hood).
Unauthenticated identities - guest users (they receive the unauthenticated role, so keep its policy minimal)
Federated identities - SWAP Google, Facebook, Twitter, SAML 2.0 or User Pool tokens for short-term AWS credentials to access AWS resources

Simple Routing Policy

Amazon Route 53 routing policy for a single resource that performs a given function for your domain, for example, a web server that serves content for the example.com website.

Latency routing policy

Amazon Route 53 routing policy for when you have resources in multiple AWS Regions and you want to route traffic to the region that provides the best latency.

Weighted routing policy

Amazon Route 53 routing policy for when you route traffic to multiple resources in proportions that you specify.

Multivalue answer routing policy

Amazon Route 53 routing policy for when you want Route 53 to respond to DNS queries with up to eight healthy records selected at random.

Failover routing policy

Amazon Route 53 routing policy for when you want to configure active-passive failover.

Geoproximity routing policy

Amazon Route 53 routing policy for when you want to route traffic based on the location of your resources and, optionally, shift traffic from resources in one location to resources in another.

Geolocation routing policy

Amazon Route 53 routing policy for when you want to route traffic based on the location of your users.

Dynamic Port Mapping

An Application Load Balancer integration feature with ECS. Allows you to run multiple tasks of the same container on the same EC2 instance (host port 0, the ALB targets each task's ephemeral port). Use cases:
- Increased resiliency even when running on one EC2 instance
- Maximise utilisation of CPU/cores
- Ability to perform rolling upgrades without impacting application runtime
The container instance's security group must allow the ALB's security group on the ephemeral port range, not on a single fixed port.

Elastic Beanstalk Multi-Container Docker Mode

An Elastic Beanstalk environment where it creates an ECS cluster, multiple EC2 instances running Docker and allows you to run multiple Docker containers side-by-side on the same Docker host

Scheduled Reserved Instances

A purchase option that's ideal for long-term usage which doesn't run constantly. You specify the frequency, duration, and start time, e.g. batch processing daily for 5 hours starting at 23:00. Doesn't support all instance types or regions. 1,200 hours per year and 1-year term minimums. (AWS no longer sells Scheduled Reserved Instances, but they still appear on exams.)

SAML 2.0 (Security Assertion Markup Language)

An open standard used by many IdPs (e.g. Microsoft ADFS). *Indirectly* use on-premises identities to access AWS (console or CLI).
*Use cases:*
- *When you currently use an enterprise identity provider which is SAML 2.0 compatible* (Google, Facebook, Twitter etc. are not supported here; use Cognito for those)
- *When you have an existing identity management team and want them to keep managing access to AWS as well*
- *Single source of truth, more than 5,000 users (the IAM user limit)*
Uses IAM roles & AWS temporary credentials (valid up to the role's maximum session duration, at most 12 hours). The SAML assertion is exchanged for temporary credentials via STS AssumeRoleWithSAML.

Yes

Are Gateway Endpoints resilient to failure?

Depends on configuration. By default no: an interface endpoint is an ENI in one subnet, so one AZ. For HA, add an endpoint network interface in one subnet per AZ the VPC uses.

Are interface endpoints resilient to AZ failure?

Athena

Athena or Redshift? Sporadic queries

Amazon Cognito

Authentication (log in to verify credentials), authorization (manage access to services), and user management (a serverless user database) for *web/mobile apps* User Pools & Identity Pools

HTTP Integration

Backend HTTP Endpoint; you configure integration request and response using mapping templates Ex. internal HTTP API on-premise, Application Load Balancer Why? Add rate limiting, caching, user authentications, API keys, etc

Lambda

Batch or Lambda? 15 minute execution time limit

Batch

Batch or Lambda? No time or resource limit

Batch

Batch or Lambda? Not serverless, uses docker, any runtime

Lambda

Batch vs Lambda? Limited disk space in the environment

Standard Queue

Best effort SQS queue At-least-once delivery. More than one copy sometimes Multi lane highway Scalable, as wide as required. Near unlimited TPS

Snowball Edge

Both storage and compute. Ideal for remote sites or where data processing on ingestion is needed; the optimal choice if you need to securely and quickly transfer dozens of terabytes to petabytes of data to AWS. Larger capacity vs Snowball. 10 Gbps (RJ45), 10/25 Gbps (SFP), 40/50/100 Gbps (QSFP+).
*Storage Optimized* (with EC2) - 80 TB, 24 vCPU, 32 GiB RAM, 1 TB SSD
*Compute Optimized* - 100 TB + 7.68 TB NVMe, 52 vCPU and 208 GiB RAM
*Compute Optimized with GPU* - as above with a GPU
Can be accessed using the NFS protocol. Supports IoT services. Supports cluster architecture. Data on the device is encrypted with KMS-managed keys that are not stored on the device.

Install

Build phase that installs packages in the build environment (frameworks etc)

pre_build

Build phase that signs in to things (e.g. ECR) or installs dependencies

Managed Data Identifiers

Amazon Macie feature. Built into the product and maintained by AWS; use a combination of criteria and techniques, including ML and pattern matching, to analyze the data you specify. Designed to detect sensitive data types for many countries and regions, including multiple types of personally identifiable information, personal health information, and financial data.

AWS QuickSight

Business Analytics & Intelligence (BA/BI) Visualization and Dashboard tool which is capable of integrating with AWS and external data sources - Visualizations, Ad-hoc analysis - Discovery and Integration with AWS Data sources - Works with external data sources like Athena, Aurora, Redshift, Redshift Spectrum S3, AWS IOT, JIRA, Github, Twitter, Salesforce, Microsoft SQL Server, MySQL, PostgreSQL, Apache Spark, Snowflake, Presto, Teradata

No

Can CMKs (KMS keys) be migrated between AWS Regions? No: keys are Regional. The exception is multi-Region keys (a primary and replicas sharing key material and key ID); imported key material can also be imported into a separate key in another Region.

No

Can imported-material CMKs be automatically rotated by KMS? No: you create a new key with new material and re-point the alias manually.

Yes, use EFS

Can Lambda storage space be extended in any way? Yes: mount EFS (requires the function to be attached to a VPC); the ephemeral /tmp can also be configured up to 10 GB (since 2022).

Yes, using inbound endpoints

Can on-premises virtual and physical servers access private R53 Hosted zones?

No Requires AWS credentials. Can be handed out by Identity Pools

Can user pool tokens or JSON Web Tokens (JWT) be used to access AWS resources?

AWS Systems Manager (SSM)

Central place to view and control AWS and on-premises infrastructure at scale Uses an agent architecture to allow communication between this service and managed instances *Manages inventory and patch assets for enhanced compliance* Run commands and Manage Desired State

ST1 (Throughput Optimized HDD) or SC1 (Cold HDD)

Cheap EBS Volume Type

KMS

CloudHSM or KMS? Native AWS Integration (Ex. S3 SSE)

CloudHSM

CloudHSM or KMS? Single-tenant, FIPS 140-2 Level 3 validated HSMs under your control, industry-standard APIs (PKCS#11, JCE, CNG/KSP), no AWS access to your keys (note: KMS also supports asymmetric keys since 2019, so that alone is not the differentiator)

CloudWatch Unified Agent

CloudWatch Logs Agent vs Unified Agent? Collect additional system-level metrics such as RAM, processes, etc Centralized configuration using SSM Parameter Store

Online Analytical Processing (OLAP)

Column based (Redshift) Designed for complex queries to analyze aggregated historical data from OLTP systems. RDS might put its data into Redshift for more detailed long-term analysis and trending.

VPC Peering

Connect two VPC, privately using AWS Network; can work inter-region and cross-account Make them behave as if they were in the same network Must not have overlapping CIDR *Not Transitive* *You must update route tables in each VPC's subnets to ensure instances can communicate*

CloudFront

Content Delivery network (CDN) within AWS. Integrates with ACM for HTTPS Upload direct to origins (no caching)

KMS (Key Management Service)

Create, store, manage keys. Offers encryption and allows role separation (key policies separate key administrators from key users). Regional, public service. Handles symmetric and asymmetric keys. Performs cryptographic operations (Encrypt, Decrypt, Sign, Verify, GenerateDataKey). *Keys NEVER leave KMS unencrypted - FIPS 140-2 validated HSMs (L2)* Multi-tenant service. Encrypt/Decrypt accept at most 4 KB; larger data uses envelope encryption with a data key.
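The Symmetric Key and Asymmetric Key cards above and the 4 KB limit here are all one pattern: envelope encryption. The following is an added example, not code from the flashcards or from AWS: a local stand-in for what KMS's GenerateDataKey plus client-side AES does, using an RSA key pair as the "master" key. It first shows why RSA cannot encrypt the data directly (the OAEP size limit), then seals bulk data under a fresh AES-256-GCM data key and wraps only that key with RSA-OAEP. The key pair, object name and data are generated or constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Envelope is what gets stored next to the ciphertext: the data key wrapped
// under the master public key, the GCM nonce and the ciphertext. The plaintext
// data key is never persisted (KMS GenerateDataKey returns the same pair: a
// plaintext key for immediate use and a wrapped copy to store).
type Envelope struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// CanEncryptDirectly reports whether n bytes fit in one RSA-OAEP operation.
// For a 2048-bit key with SHA-256 the limit is 190 bytes, which is why the
// asymmetric key wraps a symmetric key instead of encrypting the data.
func CanEncryptDirectly(pub *rsa.PublicKey, n int) bool {
	_, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, make([]byte, n), nil)
	return err == nil
}

// Seal does the cheap symmetric work over the bulk data with a fresh AES-256
// key and the expensive asymmetric work only over that 32-byte key. aad binds
// context (an object name, say) to the ciphertext, like a KMS encryption context.
func Seal(pub *rsa.PublicKey, plaintext, aad []byte) (Envelope, error) {
	dataKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dataKey); err != nil {
		return Envelope{}, err
	}
	defer func() { // zero the key buffer once it has been used
		for i := range dataKey {
			dataKey[i] = 0
		}
	}()
	gcm, err := newGCM(dataKey)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Envelope{}, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, nil)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, aad)}, nil
}

// Open unwraps the data key with the private key, then authenticates and
// decrypts. A wrong key, a wrong aad or a flipped ciphertext byte all fail.
func Open(priv *rsa.PrivateKey, env Envelope, aad []byte) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap data key")
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, aad)
	if err != nil {
		return nil, errors.New("authentication failed")
	}
	return pt, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // hypothetical master key pair
	doc := make([]byte, 1<<20)                     // 1 MiB of constructed data
	fmt.Println("RSA alone fits 1 MiB?", CanEncryptDirectly(&priv.PublicKey, len(doc)))
	env, err := Seal(&priv.PublicKey, doc, []byte("backup/2021-01-01.tar"))
	if err != nil {
		panic(err)
	}
	pt, err := Open(priv, env, []byte("backup/2021-01-01.tar"))
	fmt.Println("round trip ok:", err == nil && len(pt) == len(doc), "wrapped key bytes:", len(env.WrappedKey))
}
```

With KMS the private half never exists on your machine: `Open` would become a `kms:Decrypt` call on the 256-byte wrapped key, which is what "keys never leave" means in practice, while the bulk AES work stays local.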

Cross-Stack

Cross-Stack or Nested-Stack? Allow you to reuse actual resources *Used for Service-Oriented & different lifecycles & STACK Reuse* *Outputs can be exported .. making them visible from other stacks* *Exports must have a unique name in the region* *Fn::ImportValue can be used to Ref*

Nested Stack

Cross-Stack or Nested-Stack? Allow you to reuse templates. Reusing the code, not the actual resources. *Use when the stacks form part of one solution - lifecycle linked* Used to get past the Cloudformation Resources per stack limit (500)

R53 Hosted Zone

DNS DB for a domain e.g. animals4life.org Zonefile or DNS database hosted by Route53 that is on name servers

Disaster Recovery - Compute

DR Architecture and considerations for core compute services within AWS

Backup & Restore

Data is constantly backed up at the primary site. - The only costs are backup media and management; no spare infrastructure is kept running. - Restores require new hardware or a lengthy restore process - Cheap and slow (RPO in hours, RTO 24 hours or less)

Active/Active (Multi-Site)

Data is constantly replicated from the primary site to backup - Costs are generally 200% - A full copy is running at all time - Expensive, no recovery time (RPO near zero, RTO potentially zero)

Amazon RDS (Relational Database Service)

Database (server) as a service product from AWS which allows the creation of managed database instances. *SSL/TLS (in transit) is available for RDS and can be made mandatory (e.g. rds.force_ssl)* *RDS supports EBS volume encryption at rest with KMS* *Encryption can't be removed once added; to encrypt an existing unencrypted instance, snapshot it, copy the snapshot with encryption, and restore*

24 Hours

Default TTL (behavior) validity period for Cloudfront Value is defined on a behavior within a distribution

Amazon AppStream 2.0

Desktop Application Streaming Service Deliver to any computer, without acquiring, provisioning infrastructure *The application is delivered from within a web browser* Use Cases: - contact center agents - online trials, demos, training - remote students and labs - 3D design and engineering

Amazon Workspaces

Desktop As A Service (DAAS) product available within AWS. It delivers managed Linux and Windows Desktops of various sizes and capabilities and integrates fully with AWS products and Services. *Not highly available by design. Susceptible to AZ failure* Can integrate with Directory Service only (simple AD, Microsoft AD, AD Connector) *Great to eliminate management of on-premise VDI (Virtual Desktop Infrastructure)* *WorkSpaces Application Manager (WAM)*

S3 Access Logs

Detailed records for the *requests* that are made to an S3 bucket Troubleshoot bucket access issues and data requests Might take hours to deliver Might be incomplete (best effort)

IPsec VPN

Direct Connect vs IPSec VPN can be configured in minutes and are a good solution if you have an immediate need, have low to modest bandwidth requirements, and can tolerate the inherent variability in Internet-based connectivity.

Direct Connect

Direct Connect vs IPSec VPN does not involve the Internet; instead, it uses dedicated, private network connections between your intranet and Amazon VPC.

IPsec VPN

Direct Connect vs IPsec VPN establish encrypted network connectivity between your intranet and Amazon VPC over the Internet.

Site-to-Site VPN

Direct Connect vs Site-to-Site VPN? Latency considerations - Inconsistent, public internet

Site-to-Site VPN

Direct Connect vs Site-to-Site VPN? Quick to setup - only hours.. all software configuration

Yes. Automatic, once a year (before May 2022 it was every three years). Cannot be changed or disabled.

Do AWS Managed CMKs support key rotation?

Yes. Optional; when enabled it happens once a year by default (the rotation period has since become configurable). Not available for imported key material or asymmetric keys.

Do Customer Managed CMKs support rotation?

Historically no: NLBs had no security groups, so the targets' security groups had to allow traffic from the load balancer's IP addresses (or the clients' IPs when client IP preservation is on), and client security groups could not be referenced as a source. Since August 2023 an NLB can have security groups attached at creation time, and target security groups can then reference the NLB's security group.

Do NLB have security groups?

Retire

Do we even need this? No? Dump it. Systems are often running for no reason; auditing their usage is often more work than leaving them running. Often 10% to 20% cost savings.

Requires the function to be attached to the VPC, which then needs additional networking (NAT gateway or VPC endpoints) to reach the public internet or AWS services. Slightly increases invocation delay.

Does using EFS with lambda come with any limitations?

Aurora Serverless

Don't need to statically provision or manage the database instances Scalable - ACU - Aurora Capacity Units (allocated from a shared pool from AWS) Use Cases - Infrequently used applications, new applications unsure of load/size, variable workloads, unpredictable workloads, dev/test DBs, multi-tenant apps

Provisioned Capacity

DynamoDB capacity mode where RCU and WCU are set per table; best for predictable, consistent or forecasted traffic.
- *1 RCU = one strongly consistent read per second of an item up to 4 KB (or two eventually consistent reads; a transactional read costs two)*
- *1 WCU = one write per second of an item up to 1 KB (a transactional write costs two)*
- Item sizes are rounded up to the next 4 KB / 1 KB block
- Every table has an RCU and WCU burst pool (300 seconds of unused capacity)

On-Demand Capacity

DynamoDB Capacity that is unknown, unpredictable, low admin Price per million R or W units - $1.25 per million write request units - $0.25 per million read request units

Eventually consistent

DynamoDB consistency model where a read is served by one of the three replicas; it can return stale data if that replica hasn't yet received the latest write. Half the cost of a strongly consistent read, easier to implement from an underlying infrastructure perspective, and scales better.

Strongly consistent

DynamoDB consistency model where reads connect to the leader node to get the most up-to-date copy of data more costly to achieve and it scales less well but essential in some types of applications or some types of operations

ST1 or SC1 (HDD)

EBS Volume Type NOT supported for Boot

General Purpose SSD (gp2/gp3)

EBS volume type that provides a balance of price and performance; recommended for most workloads boot volumes, for low-latency, interactive applications, or dev/test environments *Max up to 16,000 IOPS*

Provisioned IOPS SSD (io1/2)

EBS volume type that provides high performance for mission-critical, consistent low-latency, or high throughput workloads high performance, latency sensitive workloads, I/O intensive NoSQL & Relational Databases *up to 64,000 IOPS (*256,000)*

Fargate Mode

EC2 Mode vs Fargate? Batch/Periodic workloads

Fargate Mode

EC2 Mode vs Fargate? Large workload - overhead conscious

EC2 Mode

EC2 Mode vs Fargate? Large workload - price conscious

Fargate Mode

EC2 Mode vs Fargate? Small/burst workloads

EC2 Mode

ECS cluster type/mode that deploys EC2 instances into your AWS account which can be used to deploy tasks and services. You pay for the EC2 instances regardless of container usage

Fargate Mode

ECS cluster type/mode that uses shared AWS infrastructure, and ENI's which are injected into your VPC You pay only for container resources used while they are running.

Redis

ElastiCache - Redis or Memcached? Advanced data structures, Multi-AZ HA, replication, backup/restore, persistence for data durability: Append Only File (AOF)

MemcacheD

ElastiCache - Redis or MemcacheD? Simple data structures No replication Nonpersistent Multiple Nodes for partitioning of data (sharding or *multithreaded*) No backups Ability to scale out and in, adding and removing nodes as demand on your system increases and decreases.

Private DNS

Enabled by default. A feature of interface endpoints that lets applications use VPC endpoints without modification: the service's public hostname resolves to the endpoint's private IP addresses inside the VPC. Requires the VPC attributes enableDnsHostnames and enableDnsSupport.

VPC Endpoints

Endpoints that allow you to connect to AWS Services using a private network instead of the public www network They scale horizontally and are redundant No more IGW, NAT, etc... to access AWS Services Ex. Gateway Endpoint, Interface Endpoint

Snowmobile

Exabyte-scale data transfer service. Portable DataCenter within a shipping container on a truck Special order Ideal for single location when 10 PB+ is required Up to *100PB* per snowmobile Not economical for multi-site (unless huge) or sub 10PB AWS recommends that you should use Snowmobile to migrate large datasets of 10PB or more in a single location. For datasets less than 10PB or distributed in multiple locations, you should use Snowball.

MemoryFree, /var/log/messages, /var/log/anothercustomlog.log

Examples of metrics/logs which require the CWAgent to ingest

Custom Headers

For custom origins: the distribution adds a custom header with a secret value to every origin request, and the origin is configured to refuse requests that lack it. Lets the origin know the request came through CloudFront rather than from someone hitting it directly and bypassing WAF, geo blocks or signed URLs. Compare the value in constant time and rotate it.

IP Based FW Blocks

For custom origins: a traditional firewall (or security group) configured to allow connections only from the IP ranges AWS publishes for CloudFront (ip-ranges.json, service CLOUDFRONT, or the managed prefix list com.amazonaws.global.cloudfront.origin-facing) and deny everything else. The ranges change, so the allow-list must be kept current.
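The two custom-origin controls above are usually applied in different places (the header on the origin, the IP allow-list at the firewall), but an origin that is reachable directly can enforce both. The following is an added example, not code from the flashcards or from AWS: a Go middleware that parses a constructed excerpt in the shape of ip-ranges.json, accepts only peers inside CLOUDFRONT prefixes, and checks the origin custom header with a constant-time compare. The header name, secret and prefixes are placeholders invented for the example (the prefixes are documentation ranges, not CloudFront's).

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
)

// Constructed sample in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json
// (only the fields used here; these are documentation ranges, not real ones).
const sampleIPRanges = `{"prefixes":[
  {"ip_prefix":"203.0.113.0/24","region":"GLOBAL","service":"CLOUDFRONT"},
  {"ip_prefix":"198.51.100.0/24","region":"GLOBAL","service":"CLOUDFRONT"},
  {"ip_prefix":"192.0.2.0/24","region":"us-east-1","service":"AMAZON"}]}`

// CloudFrontPrefixes parses ip-ranges.json and keeps the CLOUDFRONT prefixes
// (the ranges a firewall in front of a custom origin should allow).
func CloudFrontPrefixes(doc []byte) ([]*net.IPNet, error) {
	var f struct {
		Prefixes []struct {
			IPPrefix string `json:"ip_prefix"`
			Service  string `json:"service"`
		} `json:"prefixes"`
	}
	if err := json.Unmarshal(doc, &f); err != nil {
		return nil, err
	}
	var nets []*net.IPNet
	for _, p := range f.Prefixes {
		if p.Service != "CLOUDFRONT" {
			continue
		}
		_, n, err := net.ParseCIDR(p.IPPrefix)
		if err != nil {
			return nil, fmt.Errorf("bad prefix %q: %w", p.IPPrefix, err)
		}
		nets = append(nets, n)
	}
	return nets, nil
}

// ipAllowed checks the TCP peer address (host:port) against the prefix list.
// It uses the real peer, never X-Forwarded-For, which any client can forge.
func ipAllowed(remoteAddr string, nets []*net.IPNet) bool {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return false
	}
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// OriginGuard enforces both controls in front of the origin handler: the peer
// must be a CloudFront address and the request must carry the secret origin
// custom header. The comparison is constant-time so a byte-by-byte timing
// attack cannot recover the secret.
func OriginGuard(headerName, secret string, nets []*net.IPNet, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !ipAllowed(r.RemoteAddr, nets) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		if subtle.ConstantTimeCompare([]byte(r.Header.Get(headerName)), []byte(secret)) != 1 {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Probe runs one in-memory request through h and returns the status code.
func Probe(h http.Handler, remoteAddr, headerName, headerValue string) int {
	req := httptest.NewRequest(http.MethodGet, "/index.html", nil)
	req.RemoteAddr = remoteAddr
	if headerValue != "" {
		req.Header.Set(headerName, headerValue)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	nets, err := CloudFrontPrefixes([]byte(sampleIPRanges))
	if err != nil {
		panic(err)
	}
	origin := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.Write([]byte("origin content")) })
	// Hypothetical header name and secret; in CloudFront they are set under the origin's custom headers.
	guard := OriginGuard("X-Origin-Verify", "s3cr3t-rotate-me", nets, origin)
	fmt.Println(Probe(guard, "203.0.113.9:41234", "X-Origin-Verify", "s3cr3t-rotate-me")) // 200
	fmt.Println(Probe(guard, "203.0.113.9:41234", "X-Origin-Verify", "wrong"))            // 403
	fmt.Println(Probe(guard, "192.0.2.7:41234", "X-Origin-Verify", "s3cr3t-rotate-me"))   // 403
}
```

If the origin sits behind a load balancer the peer address is the load balancer's, so the IP check must move to the load balancer's security group (the managed prefix list fits there) and only the header check stays in the application.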

FSx for Windows File Server

Fully managed native windows file servers/shares which can be used within AWS, or from on-premises environments via VPN or Direct Connect *Advanced shared file system accessible over SMB* *Integrates with Active Directory (either managed, or self-hosted)* It provides advanced features such as VSS (Volume Shadow Copy Service), Data de-duplication, backups, encryption at rest and forced encryption in transit. *Uses Windows permission model*

Kinesis Data Firehose

Fully managed stream-based delivery service capable of delivering high-throughput streaming data to supported destinations in *near real time (buffered; 60 seconds minimum at the time).* *Supported destinations include:* - AWS: Redshift, OpenSearch/Elasticsearch, S3 destination bucket - HTTP endpoints - Splunk. Automatic scaling, fully serverless, resilient. Supports transformation of data on the fly using Lambda.

AWS Lambda

Function-as-a-Service (FaaS) - short-running, focused functions
- Billed for the duration a function runs
- The environment has a direct memory (and indirect CPU) allocation
Limits:
- *900 s (15 minutes) function timeout*
- RAM 128 MB to 10,240 MB (the cap was 3,008 MB before December 2020)
- CPU is linked to RAM (cannot be set separately)
- *512 MB of /tmp storage by default (configurable up to 10 GB since 2022; not for BIG files)*
Common use cases:
- Key part of serverless architectures (S3, API Gateway, Lambda)
- File processing (S3, S3 events, Lambda), e.g. watermarking
- Database triggers (DynamoDB, DB Streams, Lambda)
- Serverless cron job (EventBridge/CloudWatch Events + Lambda)
- Real-time stream data processing (Kinesis + Lambda)
- Can be integrated with X-Ray for distributed tracing

Gateway Endpoint

Gateway or Interface Endpoint? Highly Available by default and not added to specific subnets

Interface Endpoint

Gateway or Interface Endpoint? Uses DNS and Private DNS instead of route table prefix lists for connectivity to AWS services

Global Accelerator

Global Accelerator vs CloudFront? Network product that can be used for NON HTTP/S (TCP/UDP)

CloudFront

Global Accelerator vs CloudFront? Web product. Caching and the delivery of content

FIFO Queue

Guarantee Order queue Exactly-once delivery. Duplicates are removed Single lane road 3K messages per second with batching, or up to 300 messages per second without *Must have .fifo suffix*

HDFS

HDFS or EMRFS? Your intermediate storage requires extreme levels of IO

Trusted CA

HTTPS between CloudFront and a custom origin - if the origin is not an ELB load balancer (e.g. an EC2 instance), the certificate must be issued by a trusted public CA; ACM certificates can only be used on ELB origins because ACM does not let you export them to EC2

Trusted CA or ACM

HTTPS between viewers and CloudFront What certificates can you use?

AWS X-Ray

Helps developers analyze and debug distributed applications in production or under development, such as those built using a microservices architecture. Helps you understand how your application and its underlying services are performing to identify and troubleshoot the root cause of performance issues (latency) and errors. Provides an end-to-end view of requests as they travel through your application, and shows a map of your application's underlying components. Distributed tracing

Elastic Beanstalk Deployment Policies

How application versions are deployed to environments. Provides several options for how deployments are processed, and options that let you configure batch size and health check behavior during deployments:
- All at once: deploy to all at once, brief outage
- Rolling: deploy in rolling batches
- Rolling with additional batch: new batch to maintain capacity during the process
- Immutable: all new instances with new version
- Traffic splitting: fresh instances, with a traffic split

Create a normal bucket, create a gateway endpoint, and configure a bucket policy

How can a private S3 bucket be created?

Multiple DX Connections

How do you add resiliency to Direct Connect (DX)?

7

How many Partitions per AZ in Partition Placement Groups?

30 Days

How many days minimum before transitioning an object from Standard to S3-IA or One Zone-IA, or from IA, Intelligent Tiering, or One Zone-IA to Glacier or Deep Archive?

512MB

How much file storage space does a lambda function have by default?

Task Role

How should you give containers running on ECS permissions?

Disaster Recovery - Storage

How the failure of various parts of the AWS infrastructure platform will affect Instance Store Volumes, EBS, EFS, S3 and S3 Snapshots

Lambda Execution Roles

IAM roles attached to Lambda functions which control the permissions the Lambda function receives. Similar to an EC2 instance role

1 Day

If an object is initially stored on S3 Standard, how soon can that object be transitioned to S3 Glacier?

30 Days

If an object is initially stored on S3 Standard, how soon can that object be transitioned to S3-IA/OneZoneIA?

Kinesis Data Streams, Firehose and S3

If you want to ingest large quantities of streaming data and add it to redshift, which services would you use?

Provisioned Concurrency

In advance, AWS will create and keep X execution context warm and ready to use which improves start speeds for Lambda invocations Use when you know you have periods of higher load on a serverless application or if you're preparing a new prod release of a serverless application and want to pre-create all of these execution environments.

Version Enabled

In order to enable replication, both the source and destination bucket need what?

Dedicated Hosts

Instance type where EC2 hosts are allocated to you in their entirety. Pay for hosts so no instance charges. Capacity management is required. Use for licensing based on *Sockets/Cores* (amount of resources in a physical machine, not the resources that are allocated to a VM in AWS) *Host Affinity* Feature - instance reboots are kept on the same host

Dedicated Instances

Instance type where no other customers will share your hardware. You don't own or share the host. Extra charges for instances, but dedicated hardware Common for environments with strict requirements where you can't share infrastructure. You don't want to manage the host itself

Agentless

Is SMS (Server Migration Service) an agent or agentless based VM Migration product?

No, 1 AZ only

Is redshift resilient to the failure of an AZ in a region?

AWS Service Catalog

It provides an *end-user portal* where products and portfolios can be deployed in a *self-service* way as defined by technical *administrators*. A set of CloudFormation templates that users can deploy based on their IAM permissions. Helps with governance, compliance, and consistency. Can be used with AWS Budgets to track your service costs and usage

VPC Endpoint Policies

JSON document used to restrict what an endpoint can be used for. Does not override or replace IAM user policies or service-specific policies (such as S3 bucket policies). Allows secure, private VPCs to be granted limited public service access

CloudHSM

KMS or CloudHSM? Need to utilize Industry Standard encryption APIs

8+ Free IPs and /27 subnet

LB requires at least how many IPs per subnet and what range subnet to allow scaling?

Internet facing LB

LB type where nodes of the LB are given public addresses and private addresses Need to be in a public subnet Can still communicate with private instances

Internal LB

LB type where nodes of the LB only have private IP addresses

900s or 15mins

Lambda functions can run for up to how many seconds or minutes? Function Timeout

Synchronous Invocation

Lambda runs the function and waits for a response. When the function completes, Lambda returns the response from the function's code with additional data, such as the version of the function that was invoked. *Result (success or failure) returned during the request* *Any errors or retries have to be handled via the client*

DMS & Snowball

Larger migration might be multi-TB in size Moving data over networks takes time and consumes capacity DMS can utilize snowball

AWS Integration

Lets an API expose AWS service actions; configure request and response using mapping templates

StackSets

Lets you deploy a common set of AWS resources (a CloudFormation stack) across multiple accounts and regions with a single CF template. Takes care of automatically and safely provisioning, updating, or deleting stacks in multiple accounts and across multiple regions. Commonly used together with AWS Organizations to centrally deploy and manage services in different accounts.

Rehosting

Lift and Shift Cloud Migration (Migrate As Is) App VM --> EC2, DB --> EC2 Reduced Admin overhead (IaaS) Potentially easier to optimize when in AWS Cost savings (Ex. Using Burst Instance T3) Not taking full advantage of Cloud and 'kicking the can down the road' VM Import/Export & Server Migration Service

Replatforming

Lift and Shift with Optimization, "lift-tinker-and-shift." RDS instead of self-managed DBs, ELBs instead of LBs, S3 as backup or media storage. No real negatives and no world-changing benefits: admin overhead reductions, performance benefits, more effective backups or improved HA/FT. Migrate app to Elastic Beanstalk (Java with Tomcat)

AWS VPN CloudHub

Low cost hub-and-spoke model for primary or secondary network connectivity between locations Can connect up to 10 Customer Gateway for each Virtual Private Gateway Provide secure communication between sites, if you have multiple VPN connections Can be a *failover connection* between your on-premise locations

AWS Firewall Manager

Manage security rules in all accounts of an AWS Organization. Manage multiple AWS WAF deployments:
- WAF rules (Application Load Balancer, API Gateways, CloudFront)
- AWS Shield Advanced (ALB, CLB, Elastic IP, CloudFront)
- Security Groups for EC2 and ENI resources in VPC

AD Connector

Microsoft AD or AD Connector? If you actively don't want any directory data in AWS

Multiple Routing Decisions

Most common reason to have different tiers or multiple subnets

Repurchasing

Move to a different product while moving to the cloud (Ex. SaaS); "drop and shop". Unless you have a reason to self-manage, use an XaaS product. MS Exchange --> Microsoft 365, CRM --> Salesforce, HR --> Workday, CMS --> Drupal

Synchronous Replication

Multi-AZ is associated with what type of replication?

EFS, S3, FSx for Windows

Name all the types of storage that are resilient against AZ failure

EBS, Instance Store, EFS

Name all the types of storage that support POSIX (Portable Operating System Interface)

Transparent Data Encryption (TDE)

Native DB Engine encryption. Encryption and Decryption are handled within the DB engine itself and not by the host that the instance is running on. TDE automatically encrypts data before it is written to storage (EBS), and automatically decrypts data when the data is read from storage. *Microsoft SQL and Oracle support TDE*

DynamoDB

NoSQL fully managed Database-as-a-Service (DBaaS) product available within AWS. Key/Value & Document. No self-managed servers or infrastructure. Billed based on RCU, WCU, Storage, and features. Provisioned and On-Demand Capacity. Indexes - you can only query by PK + sort key on the main table and indexes

Retain

Not worth the time/money or is too scary to migrate Old application (not worth the move) Complex application (leave until later) Super-important application (risky) Complete the migration and swing back to focus on the left-overs

Hosted Connection

One of the connection types/ways that you can receive connectivity when you order via a partner. Capacity can be *added or removed on demand*
- a DX connection with *one* VIF
- Owned and managed by that partner
- 50Mbps, 500Mbps, to 10Gbps connection speed
If you order a connection from a Partner and it's this type of connection, you can only create a single VIF over the connection. If you need additional VIFs, you need additional connections of this type

Kinesis Video Streams

One video stream per streaming device (producers) Underlying data is stored in S3 *Cannot output the stream data to S3 (must build custom solution)* Consumers: - EC2 instances for real time analysis or in batch - Leverage the Kinesis Video Stream Parser Library - Integration with AWS Rekognition for facial detection

Snowball

Petabyte-scale data transport solution that uses secure appliances to transfer large amounts of data into and out of AWS. Ordered from AWS: log a Job, Device Delivered (not instant). Moves terabytes of data in about a week; the AWS Snowball has a typical 5-7 day turnaround time. Data Encryption uses KMS
- *50TB or 80TB Capacity*
- 1 Gbps or 10Gbps Network
- *10 TB to 10PB economical range (multiple devices)*
- **Multiple devices to multiple premises**
- Only storage, no compute
Benefits:
- lower network costs
- shorter transfer times
- security using 256-bit encryption keys you manage through KMS
For security reasons, must be complete within 90 days of a Snowball's preparation

Dedicated Connection

Physical ethernet port dedicated to a customer 1 Gbps and 10Gbps Capacity Request made to AWS first, then completed by AWS Direct Connect Partners

Elastic Beanstalk (EB)

Platform as a Service environment which can create and manage infrastructure for application code. *It doesn't come for free - app tweaks*. *Great for small development teams*. *Developer focused - not end user*
*Platforms*:
- Built-in languages - Go, Java with Tomcat, Java SE
- Docker - Single container docker & multicontainer docker, preconfigured docker
- Custom - Packer
Great to *Replatform* your application from on-premise to the cloud
3 Different Deployments:
- Single Instance (Great for Dev)
- High Availability with LB (Great for Prod)
- Worker Tier (SQS Queue + EC2 Auto Scaling Group)

AWS-[OS]DefaultPatchBaseline

Predefined Patch Baseline For Linux, explicitly define patches Ex. AWS-AmazonLinux2Default2PatchBaseline AWS-UbuntuDefaultPatchBaseline

AWS-WindowsPredefinedPatchBaseline-OS-Applications

Predefined Patch Baseline For Windows, + MS App Updates

AWS-DefaultPatchBaseline

Predefined Patch Baseline For Windows, critical and security updates Patches are auto-approved 7 days after the release Ex. AWS-WindowsPredefinedPatchBaseline-OS

Stack Policies

Prevent accidental updates/deletes to stack resources

Gateway Load Balancer

Primarily used for deploying, scaling, and running third-party virtual appliances. The virtual appliances can be your custom firewalls, deep packet inspection systems, or intrusion detection and prevention systems in AWS Newest, Operates at layer 3 (IP). (More important for virtualized networking, rather than applications)

Custom Data Identifiers

Proprietary and created by you; look for specific data which your business needs to identify and control. Use Regex to search for certain patterns of specific text (employee IDs, performance reports, etc) Amazon Macie

RDS Manual snapshots

RDS feature that's performed manually and lives past the termination of an RDS instance. Can be restored, but this creates a new RDS instance

S3 Event Notifications

Receive notifications when certain events happen in your S3 bucket Ex. new objects created, object removal, restore objects, replication events, generate thumbnails of images uploaded to S3 Destinations include SNS, SQS queue, Lambda

Subscribers

Receive messages. Includes HTTP(S), Email (JSON), SQS, Mobile Push, SMS, Lambda

S3 Multi-Part Upload

Recommended for files > 100MB, must use for files > 5GB Can help parallelize uploads (speed up transfers)

CNAMES

Record type that can only point to other names (RDS) not IP Addresses Can create only for subdomains not root domains

ALIAS

Record type that maps a NAME to an AWS Resource (ELB, Cloudfront, S3) Can be used for both naked/apex (mydomain.com) and normal records (www.mydomain.com) Should be the same "Type" as what the record is pointing at

A Record

Record type that maps a NAME to an IP Address (EC2)

Lifecycle

Resources in a cloudformation stack share a what?

Participant

Resources provisioned by Participants are owned by who?

Border Gateway Protocol (BGP)

Routing protocol that is used to control how data flows from point A through points B and C to arrive at point D. Dynamic Routing

Autonomous System (AS)

Routers controlled by one entity ... a network in BGP

Online transaction processing (OLTP)

Row/transaction (RDS) Captures, stores, and processes data from transactions in real time. Ex. Adding orders to an online store or a database of the best cat pictures in the world Inserts, modifies and deletes

Core Nodes

Run tasks and store data; act as data nodes for HDFS, run task trackers, and can run map and reduce tasks in the cluster. EMR clusters can have zero or more

SSE-KMS

S3 Encryption option with some additional benefits and charges for using this service. The master key that is used to encrypt the object encryption keys is handled by a separate service (Key Management Service). Role separation - allows S3 admins to manage objects without being able to decrypt them. Customer Master Key used for each object uploaded

Custom Origin

S3 Origin or Custom Origin? Custom HTTP/HTTPS ports. Ability to configure the origin protocol policy (HTTP Only, HTTPS Only, Match Viewer). Configure the minimum SSL protocol versions (TLSv1.2, v1.1, v1, SSLv3). DOES NOT include Origin Access Identities (OAI)

S3 TA

S3 TA vs AWS Snow It will take more than a week to transfer over the Internet, or there are recurring transfer jobs and there is more than 25Mbps of available bandwidth

AWS Snow

S3 TA vs AWS Snow ideal for moving large batches of data at once.

S3 TA

S3 TA vs Direct Connect best for submitting data from distributed client locations over the public Internet, or where variable network conditions make throughput poor

S3 TA

S3 TA vs Multipart Upload accelerates your transfer speeds, not just for upload but also for download speed.

Multipart Upload

S3 TA vs Multipart Upload if you are uploading large files and you want to handle failed uploads gracefully

SSE-C

S3 encryption option used when you need to retain key management but don't want the overhead of encryption/decryption: you manage the encryption keys and Amazon S3 manages the encryption, as it writes to disks, and decryption, when you access your objects. When you upload an object, Amazon S3 uses the encryption key you provide to apply AES-256 encryption to your data and removes the encryption key from memory. Amazon S3 does not store the encryption key you provide. Instead, it stores a randomly salted HMAC value of the encryption key in order to validate future requests. The salted HMAC value cannot be used to derive the value of the encryption key or to decrypt the contents of the encrypted object. That means, if you lose the encryption key, you lose the object.

S3 Byte-Range Fetches

S3 performance feature that parallelizes GETs by requesting specific byte ranges Better resilience in case of failures Can be used to speed up downloads and retrieve only partial data (for example the head of a file)

Cross-Region Replication (CRR)

S3 process used when Source and Destination are in different AWS regions Why use this? - Global Resilience Improvements - Latency Reduction

Same-Region Replication (SRR)

S3 process used when the buckets are in the same region Why use this? - Log aggregation - PROD and TEST Sync - Resilience with strict sovereignty

AmazonMQ

SNS/SQS or AmazonMQ? Need to migrate from an existing system with little to no application change. If APIs such as JMS or protocols such as AMQP, MQTT, OpenWire, and STOMP are needed

SNS/SQS

SNS/SQS or AmazonMQ? New Implementations, AWS Integration required (logging, permissions encryption, service integration)

Kinesis

SQS or Kinesis? Ingestion of data at scale

Kinesis

SQS or Kinesis? Multiple consumers .. rolling window

SQS

SQS or Kinesis? No persistence of messages, no window

SQS

SQS or Kinesis? Worker pools, decoupling, asynchronous communication

AWS Secrets Manager

Secrets Manager or Parameter Store? Designed for secrets (passwords, API KEYS)

Network Access Control Lists

Security Groups or Network Access Control Lists? Explicitly DENY

Minimum and Maximum TTL values

Set lower and upper bounds for the TTL value that an individual object can have; they act as limiters for any per-object settings that are defined using the cache-control headers.
*Origin Headers*: apply a TTL value in seconds to a particular object
- Cache-control max-age (seconds)
- Cache-control s-maxage (seconds)
- Expires (Date & Time)
Values are defined on a behavior within a distribution

CloudHSM

Similar to KMS; an appliance that creates, manages, and secures cryptographic material or keys required to achieve compliance with certain security standards such as *FIPS 140-2 Level 3*. *Good option to use with SSE-C encryption*
- *True "Single Tenant" Hardware Security Module (HSM)*
- AWS provisioned .. fully customer-managed (manage your own encryption keys entirely)
- Fully FIPS 140-2 Level 3 (KMS is L2 Overall, some L3)
- Industry Standard APIs - *PKCS#11, JCE, CryptoNG*
- KMS can use this as a custom key store
*Use Cases*:
- No Native AWS Integration (ex. S3 SSE)
- Offload the SSL/TLS Processing for Web Servers
- Enable Transparent Data Encryption (TDE) for Oracle Databases
- Protect the Private Keys for an Issuing Certificate Authority (CA)

Legal Hold

Similar to retention period for S3 Object Lock in that it prevents an object version from being overwritten or deleted Difference is this doesn't have a retention period; set on an object version either on or off (binary) - no deletes or changes until the hold is removed

Datapoints

Smallest components of CloudWatch; individual points of data that CloudWatch records and manages. Every one has a timestamp, value, and optionally a unit of measure:
- timestamp (5:42 UTC)
- value (42% CPU)
- unit of measure (%)

Direct Connect

Snowball vs Direct Connect If you will be transferring data to AWS on an ongoing basis

Snowball

Snowball vs Direct Connect if you don't want to make expensive upgrades to your network infrastructure, if you frequently experience large backlogs of data

S3 TA

Snowball vs S3 TA: if multiple users located in different locations are interacting with S3 continuously

Snowball

Snowball vs S3 TA if you're located in a physically isolated environment, or if you're in an area where high-bandwidth Internet connections are not available or cost-prohibitive.

Snowmobile

Snowball vs Snowmobile Does not support data export

Snowmobile

Snowball vs Snowmobile To migrate large datasets of 10PB or more in a single location

Security Group Changes, Role Assumptions, Account Logins

Some events that are captured by default by CloudTrail

Application Version

Specified labeled version of deployable code for an Elastic Beanstalk application. The source bundle is stored in S3

S3 Standard

Storage class for frequently accessed data which is important and non-replaceable

Kinesis Data Analytics

Streams or Firehose or Analytics? Streaming data needing *real-time* SQL processing Ex. Time-series (elections/esports), Real-time dashboards (leaderboards), real-time metrics (security & response teams)

Web Identity Federation

Swapping of any external ID provider token for AWS credentials

Refactoring/Re-architecting

Take advantage of the cloud: reviewing the architecture of an application and adopting 'cloud-native' architectures and products. Service-oriented or microservices, APIs, event-driven or serverless. Initially very expensive and time consuming, but the best long-term benefits: often cheaper, much more scalable, better HA/FT, costs aligned with app usage

Encryption

Takes plaintext and, using an algorithm and a key, produces ciphertext.

Container Definition

Tells ECS where your container image is, what port the container uses, and info about the single container you want to define Image & Ports Points at a container image that's stored on a container registry and defines which ports are exposed from that container

Stacks

The core component of OpsWorks; a container of resources logical groupings of AWS resources (EC2 instances, Amazon RDS, Elastic Load Balancing, and so on) that have a common purpose and should be logically managed together Made of one or more layers.

Execution Context

The environment a lambda function runs in Cold Start vs Warm Start *Lambda invocation can reuse this but has to assume it can't. If used infrequently it will be removed. Concurrent executions will use multiple (potentially new) contexts*

4KB of data

The physical material contained inside a CMK can be used by the KMS product to directly encrypt or decrypt data that's up to how many kilobytes in size?

Transit VIFs

This should be used to access one or more Amazon VPC Transit Gateways associated with Direct Connect Gateways 1 per DX Connection In combination with a DX gateway attachment, it allows full routing between on-premises and TGW and beyond

CodeDeploy Agent

To use CodeDeploy with on premises servers, or EC2 instances, you need to have what installed that communicates with the product and performs deployments when instructed?

us-east-1

To use a cert with an ALB in us-east-1, you need a cert in ACM in what region?

Ready for Service Lag

Total time between when the Auto Scaling Group request additional compute instances from EC2 and the point at which they're ready.

VIF (Virtual Interface)

Transfers data. VLAN or virtual network which provides isolation of different types of traffic, as well as a BGP session which handles routing and network config. VLAN and BGP Session. Direct from AWS .. Up to 50 VIFs per DX (+ transit). Restrictions when ordered via partner

False

True or False: A NAT Gateway can tolerate the failure of an AZ

True

True or False: A subnet cannot span multiple availability zones. One Subnet = One AZ

False

True or False: ACM certs can leave the region they are generated or imported in

True

True or False: API Gateway can withstand the failure of 1+ AZs by default

True

True or False: AWS Pipeline is linked to one and only 1 branch within a repository

True

True or False: Accelerated Site-to-Site VPN is not compatible/can't be enabled with VPNs using a VGW

True

True or False: An ENI can't tolerate the failure of an AZ in a region

True

True or False: An IGW is resilient by design and can tolerate the failure of many AZs in a region

False

True or False: As standard, S3 cannot tolerate the failure of multiple AZs in a region

True

True or False: Automatic backups are not retained indefinitely. Automatically cleaned up (retention is 0-35 days)

False; Only objects, not buckets

True or False: Buckets and Objects are encrypted

True

True or False: CVE, CIS, Security Best practices for Amazon Inspector are AWS Inspector Rule Packages that require an agent

False

True or False: Cache can NOT be encrypted for API Cache API Gateway

False

True or False: Can you use ACM with EC2?

True

True or False: Certain configurations of S3 cannot tolerate the failure of an AZ

True

True or False: CloudTrail is NOT real time

True

True or False: CloudTrail is a regional service

True; must use the Kinesis agent

True or False: CloudWatch Logs Agent and Unified Agent cannot send logs to Kinesis

True

True or False: CodeCommit allows you to create triggers to generate event driven processes based on events that happen to the repositories (Invoke Lambda function)

True

True or False: Docker is *NOT* supported for Lambda

True

True or False: DynamoDB Query Operations can only work on 1 PK (partition key) value at a time

True

True or False: EBS can potentially tolerate the failure of hardware in an AZ

False

True or False: EC2 can tolerate the failure of an AZ

False

True or False: EC2 needs to be public to work with LB

True

True or False: EFS can withstand the failure of multiple AZs in a region and continue to operate

True

True or False: Every instance at the very least has a Primary private IPv4 address that is static for the lifetime of the instance

False

True or False: FIFO queues do not have to have a .fifo suffix

False

True or False: For CloudFront, if you want to add any certs they DON'T need to be in us-east-1 (northern VA region)

True

True or False: GSIs are default, LSI only when strong consistency is required

True

True or False: Global services such as CloudFront operate as though it's in us-east-1

True

True or False: KMS does not store the data encryption key in any way

False

True or False: Keys leave KMS

False

True or False: Manual snapshots do not live past the lifetime of the RDS instance

False

True or False: Network Load Balancer has a Security group that can block IP addresses

True

True or False: One source or destination endpoint for Database Migration Service (DMS) MUST be on AWS

False

True or False: RAM is included in the AWS EC2 Metrics?

True

True or False: RDS Authorization is controlled by the DB Engine. Permissions are assigned to the local DB user. IAM is NOT used to authorize, only for authentication

True

True or False: RDS access ONLY via CNAME

True

True or False: Replication is a 1-way process

False

True or False: Replication is retroactive

False

True or False: SSL is NOT Supported by default for Cloudfront *.cloudfront.net cert

True

True or False: Secondary ENIs can be detached and reattached to other EC2 instances

False

True or False: Security Groups are associated with an EC2 Instance

True

True or False: Self-Signed certs will NOT work with CloudFront, they need to be publicly trusted

False; use SWF instead

True or False: Step Functions integrates natively with AWS Mechanical Turk

False

True or False: The more things that are involved in the caching, the more efficient the process is because CloudFront has to maintain a unique version of that object for every combination of things which are used during the caching selection Ex. Sock Color and Size (Forward All and Cache Whitelist)

False

True or False: VPC Endpoints can be accessed using a Private VIF

False

True or False: VPCs can tolerate the failure of a whole region - if they are global VPCs

True

True or False: Versions are Immutable/Fixed

True

True or False: Viewer Protocol and Origin Protocol connections BOTH NEED PUBLIC certificates and any intermediate certs in the chain

True

True or False: When configuring CloudFront, only forward what the application needs through to the origin. Cache only based on what can change the object.

False

True or False: When manually exporting Logs from CloudWatch Logs, S3 Export Task is Real Time (Up to 12 hours)

True

True or False: You can't create additional ENIs in other AZ's and attach it to the EC2 instance in a different AZ

True

True or False: You can't use a self-signed certificate for HTTPS communication between CloudFront and your origin.

True

True or False: You have to attach instance store volumes at Launch Time

False

True or False: You should NOT treat Lambda functions running in a VPC like any other VPC based resource (Ex. VPC endpoints, NATGW, and IGW)

True

True or False: a network device that supports Border Gateway Protocol (BGP) and BGP MD5 authentication is needed to establish a Direct Connect link from your data center to your VPC.

False

True or False: Amazon Elasticsearch is serverless

Asynchronous Replication

Type of replication associated with Read-replicas; written fully to the primary instance first, then once it's stored on disk, it's replicated to the read-replicas. Small amount of lag depending on network conditions and how many writes occur

CloudTrail Trails

Unit of configuration within CloudTrail that allows you to customize the CloudTrail service. Can create a single region trail, all region trail, or organizational trail.
- *IAM, STS, CloudFront are Global Service Events: Logged in us-east-1 and trails need to be configured to capture that data*
- How you take data and store it in S3 and CWLogs
- Management events only by default
- Data events need to be enabled and incur extra cost

Alexa for Business

Use Alexa to help employees be more productive in meeting rooms and their desk Measure and increase the utilization of meeting rooms in their workplace

EB Cloning

Use an existing Elastic Beanstalk environment as the basis for a new environment by performing this. You don't have to manually configure option settings, env variables, and other settings. Copies RDS but not the data

Microsoft AD

Used for Active Directory Authentication/Authorization of products and services within AWS. *Fully fledged Microsoft Active Directory running inside AWS, which means if the network link fails between AWS and the on-premise network, it still functions as expected (Not the case with AD Connector)*. Supports RADIUS-based MFA. Automatic Patching and Maintenance
Best choice..
- if you need to support larger user numbers (5k+ users)
- if you need an actual native Microsoft AD implementation
- if you need trust relationships or RADIUS-based MFA
- if the network link fails between AWS and your on-premises environment

Interface Endpoints

Used to allow private IP addressing to access public AWS services. *Not highly available by default* - they are normal VPC network interfaces and should be placed 1 per AZ to ensure full HA. Uses DNS and a private IP address. Option of using the endpoint-specific DNS names or you can enable Private DNS which overrides the default and allows unmodified applications to access the services using this type of endpoint Uses AWS PrivateLink

CloudFront Geo Restriction

Used to restrict who can access your distribution; allows for White or Black list restrictions based on ONLY Country Code - Country is determined by using a 3rd Party GeoIP database (99.8% accurate when retrieving country code) - Applies to the entire distribution Use case: Copyright Laws to control access to content Use this option to restrict access to all of the files that are associated with a distribution and to restrict access at the country level.

Identity Pool

User Pool or Identity Pool? Can be used to directly access most AWS services

User Pool

User Pool or Identity Pool? Database of users which can include external identities. Sign in and get a JWT

User Pools

User directory in Cognito to sign up users and sign them in to get a JSON Web Token (JWT). Users can sign in through social identity providers like Google, Facebook, Amazon, or Apple, and through SAML identity providers. User directory management and profiles, sign-up & sign-in (customizable web UI), MFA and other security features. Provides:
- Sign-up and sign-in services.
- A built-in, customizable web UI to sign in users.
- Social sign-in with Facebook, Google, Login with Amazon, and Sign in with Apple, as well as sign-in with SAML identity providers from your user pool.
- User directory management and user profiles.
- Security features such as multi-factor authentication (MFA), checks for compromised credentials, account takeover protection, and phone and email verification.
- Customized workflows and user migration through AWS Lambda triggers.

Enhanced Networking

Uses single root I/O virtualization (SR-IOV) to provide high-performance networking capabilities on supported instance types. Provides higher bandwidth, higher packet per second (PPS) performance, and consistently lower inter-instance latencies. There is no additional charge for using this AWS implementation of SR-IOV, a standard allowing a physical host network card to present many logical devices which can be directly utilized by instances. This means lower host CPU usage, better throughput, lower and consistent latency

Egress Only IGW

VPC component that allows outbound communication over IPv6 from instances in your VPC to the Internet, and prevents the Internet from initiating an IPv6 connection with your instances. Stateful, but you cannot associate a security group with it; use a network ACL to control the traffic to and from the subnet. A VPC can have both an IGW and an Egress-Only IGW attached (one for IPv4 and one for IPv6).

VPC Router

Virtual Router within a VPC - highly available across all AZs in that region - scalable - routes traffic between subnets - controlled using route tables

ST1 (Throughput Optimized HDD)

Volume type for throughput-oriented, streaming workloads

GP2/GP3 (General Purpose SSD)

Volume Type with up to 16,000 IOPS

RAID0 + EBS

Volume Type with up to 260,000 IOPS (io1/2-BE/GP2/3)

IO1/2 (Provisioned IOPS SSD)

Volume Type with up to 64,000 IOPS (io2 Block Express: 256,000)

Instance store volume

Volume type with *MORE* than 260,000 IOPS

Origin Access Identities (OAI)

Way to secure origins from direct access (bypassing CloudFront) for S3 origins (not custom origins) - A type of identity that can be associated with CloudFront distributions - CloudFront becomes this identity - It can be used in S3 bucket policies - DENY all BUT one or more of these identities

Log Group

In what CloudWatch component do you set retention, permissions, and encryption? It's a group of log streams that share the same retention, monitoring, and access control settings.

Viewer Protocol (Viewer --> CloudFront Edge Location) Origin Protocol (CloudFront --> Origin)

What are the 2 SSL Connections (protocols) for CloudFront?

Synchronous, Asynchronous, and Event Source Mappings

What are the 3 Methods of Invocation?

install pre_build build post_build

What are the 4 Main Phases in the buildspec.yml file?

Create an RDS instance within an EB environment - linked to the EB environment - delete the env = delete RDS = data loss. Create an RDS instance outside of the EB environment - the env can be changed.

What are the two options for provisioning RDS instances within Elastic Beanstalk?

.ebextensions

What can you add to your web application's source code to configure your Elastic Beanstalk environment and customize the AWS resources that it contains?

Custom Resources (Lambda)

What feature of CloudFormation would you use to extend its functionality or integrate it with other systems? CloudFormation doesn't support everything; it lags behind in terms of new products/features. *Passes data to something, gets data back from something (Lambda function, SNS topic, etc.)*

ValidateService

What is the Lifecycle Event Hook that verifies the deployment was completed successfully?

Origin Access Identities (OAI)

What is the best way of ensuring an *S3 origin* can only be accessed using CloudFront?

Custom Header

What is the best way to restrict a custom (non-S3) origin so it can only be accessed via CloudFront?

Log Event --> Log Stream --> Log Group

What is the hierarchy of CloudWatch logs?

900s or 15 minutes

What is the maximum duration of a lambda function execution?

1.25GBps

What is the speed limit for Site-to-Site VPN Connections?

Steps to Decouple existing RDS within EB from EB Environment

What is this process for? 1. Create an RDS snapshot 2. 'Enable delete protection' 3. Create a new EB environment with the same app version 4. Ensure the new environment can connect to the DB 5. Swap environments (CNAME or DNS) 6. Terminate the old environment - this will try to terminate the RDS instance 7. Locate the DELETE_FAILED stack, delete it manually, and choose to retain the stuck resources

Execution Role and Resource Policy

What security entities are linked with a lambda function?

KMS (Key Management Service)

What service complies with FIPS 140-2 (L2) US Security Standard?

S3 and DynamoDB

What services can be accessed using a VPC Gateway Endpoint?

Add an alternate CNAME Create an SSL cert in us-east-1 Point an Alias record in R53 at the distribution

What steps do you need to do to add an SSL certificate to a CloudFront distribution?

Self-Managed Microsoft AD & Directory Service - Microsoft AD

What types of directories are supported by FSx for Windows?

RAID 0

When I/O performance is more important than fault tolerance. For example, a heavily used database (where data replication is already set up separately). RAID configuration options can only be used for EC2 instance-hosted databases. By using EBS storage volumes with EC2 instances, you can configure volumes with any RAID level.

RAID 1

When fault tolerance is more important than I/O performance. For example, a critical application. RAID configuration options can only be used for EC2 instance-hosted databases. By using EBS storage volumes with EC2 instances, you can configure volumes with any RAID level.

Between the primary and secondary instances of a Multi-AZ RDS

Where is synchronous replication used within RDS?

DynamoDB

Which database is the most common AWS database for serverless architectures?

NLB

Which load balancer allows client machines to connect to EC2 instances with a continuous unbroken SSL connection?

ALB

Which load balancers can perform path and host based traffic routing decisions?

Cluster Placement Group

Which placement Group doesn't span AZs (One AZ ONLY) and allows you to achieve 10Gbps single stream transfers?

SNS, SQS, Kinesis, S3, EC2

Which services can be accessed using an interface endpoint?

Spread Placement Group

Which type of placement group delivers the maximum resilience for a small set of highly important servers?

Partition Placement Group

Which type of placement group would you select for a topology-aware application?

Volume Stored Mode

Which type of storage gateway is used when you want to have AWS backups and want to maintain low latency access to all data?

File Mode or Volume Cached Mode

Which type of storage gateway mode can be used to extend datacenter capacity into AWS?

SSE-KMS & SSE-S3

Which types of S3 encryption work with S3-CRR?

Hyper-V, Azure VM, VMware

Which virtualization platforms are supported by SMS (Server Migration Service)?

SCP (Service Control Policies)

Whitelist or blacklist IAM actions • Applied at the OU or Account level • Does not apply to the Master Account • Applied to all the Users and Roles of the Account, including the Root user • *Does not affect service-linked roles* • Service-linked roles enable other AWS services to integrate with AWS Organizations and can't be restricted by this (cannot be modified) • Must have an explicit Allow (does not allow anything by default) *Use cases:* • Restrict access to certain services (for example: can't use EMR) • Enforce PCI compliance by explicitly disabling services. Determines what services and actions can be delegated by admins to the users and roles in the accounts that it's applied to. It does not grant any permissions, unlike an IAM policy. Available only in an organization that has all features enabled; not available if your organization has enabled only the consolidated billing features.

RDS Oracle

With this service, keys can be provided via CloudHSM - removing AWS from the chain of trust. Supports TDE using CloudHSM. The encryption process is even more secure, with even stronger key controls, because CloudHSM is managed by you.

Asynchronous Invocation

You don't wait for a response from the function code. You hand off the event to Lambda and Lambda handles the rest. You can configure how Lambda handles errors and can send invocation records to a downstream resource to chain together components of your application. Typically used when AWS services invoke Lambda functions - Lambda will retry between 0 and 2 times (configurable) - *Function needs to be idempotent* (run it as many times as you want and the output will be the same) - *Events can be sent to dead letter queues after repeated failed processing* - *Supports destinations (SQS, SNS, Lambda & EventBridge) where successful or failed events can be sent* (AWS recommends you use destinations instead of DLQs)

Cross Stack References (Stack Exports/Imports)

You're designing a system using CloudFormation which has two distinct parts. Infrastructure (which includes a VPC , subnets, gateways and configuration) and multiple application instances. How should you design this using stack architecture?

ACM (AWS Certificate Manager)

a *regional service* that lets you easily provision, manage, and deploy public and private SSL/TLS certificates for use with AWS services and your internal connected resources - Can generate or import certificates - If generated, it can automatically renew certificates - If imported, you are responsible for renewal - Certificates can be deployed out to supported services (Load Balancers, CloudFront distributions, APIs on API Gateway) - Not all services are supported: Ex. *EC2 NOT supported*

AWS Discovery Connector

a VMware appliance that can collect information only about VMware virtual machines (VMs). You install this as a VM in your VMware vCenter Server environment using an Open Virtualization Archive (OVA) file. Because this relies on VMware metadata to gather server information regardless of operating system, it minimizes the time required for initial on-premises infrastructure assessment

Private Hosted Zone

a container that holds information about how you want Amazon Route 53 to respond to DNS queries for a domain and its subdomains within one or more VPCs that you create with the Amazon VPC service **To be able to access this type of hosted zone the service needs to be running inside a VPC that's associated with the hosted zone**

Public Hosted Zone

a container that holds information about how you want to route traffic on the internet for a specific domain which is accessible from the public internet

Amazon Mechanical Turk (MTurk)

a crowdsourcing marketplace that makes it easier for individuals and businesses to outsource their processes and jobs to a distributed workforce who can perform these tasks virtually. This could include anything from conducting simple data validation and research to more subjective tasks like survey participation, content moderation, and more. Enables companies to harness the collective intelligence, skills, and insights from a global workforce to streamline business processes, augment data collection and analysis, and accelerate machine learning development. *Integrates with SWF natively, does not integrate with the new Step Functions*

HDFS (Hadoop Distributed File System)

a distributed storage system that is linked to the lifecycle of the EMR cluster; stores data across local disks of your cluster in large blocks Managed by the core nodes and can fail if core nodes fail. Because all nodes are within 1 AZ, it is NOT regionally resilient

AWS Elemental MediaConvert

a file-based video transcoding service with broadcast-grade features. It allows you to easily create video-on-demand (VOD) content for broadcast and multiscreen delivery at scale. The service combines advanced video and audio capabilities with a simple web services interface and pay-as-you-go pricing. You can focus on delivering compelling media experiences without having to worry about the complexity of building and operating your own video processing infrastructure.

Amazon API Gateway

a fully managed service that makes it easy for developers to create, publish, maintain, monitor, and secure APIs at any scale. APIs act as the "front door" for applications to access data, business logic, or functionality from your backend services. Limits: - 29s timeout - 10 MB max payload size Edge-optimized API endpoint - best for geographically distributed clients. API requests are routed to the nearest CloudFront Point of Presence (POP). For mobile clients this is a good use case for this type of endpoint. Regional endpoint - best suited to traffic coming from within the Region only. API Caching - reduce the number of calls made to your endpoint and also improve the latency of requests to your API.

FSx for Lustre

a managed file system, built on the FSx product, designed for high-performance computing; delivers extreme performance for scenarios such as Big Data, Machine Learning and Financial Modeling. *File system that supports POSIX (Portable Operating System Interface) style permissions*

ClientVPN

a managed implementation of OpenVPN that can be used to allow client devices to connect securely into AWS VPCs. *Split tunnel is not the default. It must be enabled; otherwise all data goes via the tunnel.*

ElastiCache

a managed in-memory cache (high performance) which provides a managed implementation of the Redis or Memcached engines. It's useful for read-heavy workloads, scaling reads in a cost-effective way, and allowing for externally hosted user *session state*. Reduces database workloads - cost-effective. *Can be used to store session data* (stateless servers). *Requires application code changes.* Supports real-time use cases like caching, session stores, gaming, geospatial services, real-time analytics, and queuing.

Multi-master write

a mode of Aurora Provisioned Clusters which allows multiple instances to perform reads and writes at the same time - rather than only one primary instance having write capability in a single-master cluster. *No concept of a load-balanced endpoint for the cluster; the application can initiate connections to one or both of the instances inside a multi-master cluster*

API Gateway Stages

a named reference to a deployment, which is a snapshot of the API. Used to manage and optimize a particular deployment. - APIs are deployed into this. - Can be used for different versions or lifecycle points for an API

Elastic Fabric Adapter (EFA)

a network interface for Amazon EC2 instances that enables customers to run applications requiring high levels of inter-node communications at scale on AWS. Its custom-built operating system (OS) bypass hardware interface enhances the performance of inter-instance communications, which is critical to scaling these applications. EFA's unique OS bypass networking mechanism provides a low-latency, low-jitter channel for inter-instance communications. This enables your tightly-coupled HPC or distributed machine learning applications to scale to thousands of cores, making your applications run faster.

Lambda Environment Variables

a pair of strings (key/value pair) that are stored in a function's version-specific configuration. The Lambda runtime makes this available to your code and sets additional ones that contain information about the function and invocation request. Allows code execution to be adjusted based on variables. Associated with $LATEST (can be edited); associated with a version (immutable/fixed).

AWS Config

a per-region service that records the configuration changes of resources over time (configuration items) into configuration histories - *Does not prevent changes from happening. No protection* - all information is stored regionally in an S3 config bucket - capable of checking for *compliance* and generating notifications (SNS) and events (EventBridge & Lambda) based on compliance Questions that can be solved by this service: - Is there unrestricted SSH access to my security groups? - Do my buckets have any public access? - How has my ALB config changed over time? provides *AWS managed rules*, which are predefined, customizable rules that it uses to evaluate whether your AWS resources comply with common best practices.

Lambda Function

a piece of code Lambda runs. Think of it as the code, plus all the associated wrappings and configurations. At its most basic, it is a deployment package that Lambda executes.

Lambda Aliases

a pointer to a specific function version. Users can access the function version using the alias Amazon Resource Name (ARN). PROD => bestanimal:1, BETA => bestanimal:2. Each has a unique ARN. Mutable: can be updated, changing which version they reference. Useful for PROD/DEV, BLUE/GREEN, A/B testing. Alias routing - can point at a single version, or be configured to perform weighted routing between 2 versions (a percentage at v1 and a percentage at v2).

AWS Secrets Manager

a product that can manage secrets within AWS. There is some overlap between it and the SSM Parameter Store - but this is specialized for secrets. Capable of automatic *credential rotation* using Lambda. For supported services, it can even adjust the credentials of the service itself. *Deep integration with RDS* (MySQL, PostgreSQL, Aurora). A dedicated secrets store with lifecycle management. You can reference it in your CloudFormation templates to create unique secrets with every invocation of your template. By default, it encrypts these secrets with encryption keys that you own and control. It ensures the secret isn't logged or persisted by CloudFormation by using a dynamic reference to the secret. Offers built-in integrations for rotating credentials for all Amazon RDS databases and supports extensibility with AWS Lambda so you can meet your custom rotation requirements.

Storage Gateway

a product that integrates local infrastructure and AWS storage such as S3, *EBS Snapshots*, and Glacier. Runs as a virtual machine (or hardware appliance on-prem). Presents storage using *iSCSI (raw block devices)*, NFS or SMB. Integrates with EBS, S3, Glacier within AWS. *Used for migrations, extensions, storage tiering, disaster recovery, and replacement of backup systems.* Uses Challenge-Handshake Authentication Protocol (CHAP) to authenticate iSCSI target and initiator connections. You can choose to restore a snapshot as an AWS Storage Gateway volume or as an Amazon EBS volume. AWS Backup integrates with both services, and any AWS Storage Gateway snapshot can be restored to either an AWS Storage Gateway volume or an Amazon EBS volume.

AWS Step Functions

a product that lets you build long-running *serverless* workflow (state machine) based applications within AWS which integrate with many AWS services. - Maximum duration 1 year - Standard Workflow (default, up to 1 year execution) - Express Workflow (high volume, IoT, streaming data processing, up to 5 min)

CloudTrail

a product that logs API calls and account events. (enabled by default and 90-day retention) It's very often used to diagnose security or performance issues or to provide quality account level traceability. enables governance, compliance, operational auditing, and risk auditing of your AWS account Configured to store data indefinitely in S3 or CloudWatch Logs. *NOT REALTIME* - may take up to 15min to deliver events

AWS Datasync

a product which can orchestrate the movement of large scale data (amounts or files) from on-premises *NAS/SAN* into AWS or vice-versa using an agent Data Transfer service TO and FROM AWS Used for Migrations, Data Processing Transfers, Archival/Cost-Effective Storage or DR/BC Includes built-in data validation *Example Locations to Transfer TO: NFS, SMB, EFS, FSx, S3*

The Simple Notification Service (SNS)

a pub/sub system in AWS for the reliable delivery of notification style messages between AWS components or between AWS and external systems. Public AWS Service - network connectivity with Public Endpoint Coordinates the sending and delivery of messages Messages are <= 256KB payloads

SQS (Simple Queue Service)

a public, fully managed, highly available message queue service in AWS which helps to *decouple* application components and allows asynchronous messaging or the implementation of worker pools. Messages up to 256KB in size - link to large data. Could be used as a write buffer for DynamoDB. Make sure consumers are idempotent.

Amazon Workdocs

a secure document storage where you can collaborate in real-time with others and manage access to the documents

Warm Standby

a smaller sized but fully functional version of your primary infrastructure is running 24/7/365 - Ready to be increased in size when failover is required - Faster than pilot light - Cheaper than full active/active (RPO in seconds, RTO in minutes)

Lightweight Directory Access Protocol (LDAP)

a standard communications protocol used to read and write data to and from Active Directory. You can manage your user identities in an external system outside of AWS and grant users who sign in from those systems access to perform AWS tasks and access your AWS resources. The distinction is where the external system resides—in your data center or an external third party on the web.

Kinesis Data Streams

a streaming service within AWS designed to ingest large quantities of data and allow access to that data for consumers. Ideal for dashboards and large-scale real-time analytics needs. *Stores a 24-hour moving window of data but can be increased up to 7 days.* Use case: clickstreams.

AWS IOT

a suite of products designed to support Internet of Things (IoT) devices - Used for managing millions of IoT devices - Temp, wind, water sensors, lights, valve control - Provisioning, updates & control - Unreliable links - device shadows - Rules and event-driven integration with AWS services

Bootstrapping

a way of building EC2 instances which isn't particularly fast, but is super flexible. It's designed for when your priority is the flexible, automated building of EC2 instances together with applications. Provision an EC2 instance while adding a script into the user data of the EC2 instance that is delivered to the operating system.

Availability Zone IDs

a way to accurately identify an availability zone across accounts

Trusted Signers

accounts that are able to generate signed URLs or signed cookies as a way to restrict viewer access to a behavior within a CloudFront distribution (private)

Replication Time Control (RTC)

adds a guaranteed 15-min replication SLA onto the S3 replication process. Also adds monitoring so that you can see which objects are queued for replication. Used if you have a strict requirement for your source and destination buckets to be in sync

DynamoDB Triggers

allow for actions to take place in the event of a change in data. Event-driven architecture that can respond to any data changed in a DynamoDB table AWS = DynamoDB Streams + Lambda Use Cases: - Reporting and Analytics - Aggregation, Messaging, or Notifications

Resource Access Manager (RAM)

allows AWS resources to be shared between AWS accounts Ex. VPC Subnets, Transit Gateway, Route53 Resolver Rules, License Manager Configurations

Field Level Encryption

allows CloudFront to encrypt certain sensitive data at the edge using a public key, ensuring its protection through all levels of an application stack. Only the corresponding private key can decrypt the data, meaning you have complete control over who has access Happens at the edge and separately from the HTTPS tunnel

Lambda@Edge

allows CloudFront to run lightweight lambda functions at CloudFront edge locations to modify traffic between the viewer and edge location and edge locations and origins. *Does not have any cache. It's only to change requests/responses* - Only supports Node.js and Python - Run in Public Space (Not VPC) Use Cases: A/B testing - Viewer Request Migration Between S3 Origins - Origin Request Different Objects Based on Device - Origin Request Content By Country - Origin Request

Subnet Mask

allows a HOST to determine if an IP address it needs to communicate with is local or remote - which influences if it needs to use a gateway or can communicate locally

Anycast IPs

allows a single IP to be in multiple locations. Routing moves traffic to closest location

AWS Budgets

allows customers to monitor how much of their Amazon EC2 instance usage is covered by reservations and to receive alerts when coverage falls below a specified threshold.

Cross-Zone LB

allows every LB node to distribute any connections that it receives equally across all registered instances in all availability zones. Enabled as default for Application Load Balancers

Systems Manager Patch Manager

allows for the patching of Windows or Linux managed instances running in AWS or on-premises. Automates the process of patching managed instances with both security-related and other types of updates.

Tape Gateway (VTL)

allows the product to replace an expensive tape-based backup solution with one which uses S3 and Glacier rather than physical tape media. Unlimited VTS *(archive)* storage. Pretends to be an iSCSI tape library, changer, and drive. *You can't access a single file within tapes. You need to restore the tape entirely.*

Origin Groups

allows you to add resiliency across the origins

DynamoDB TTL (Time to Live)

allows you to define a per-item timestamp to determine when an item is no longer needed (deleted). Shortly after the date and time of the specified timestamp, DynamoDB deletes the item from your table without consuming any write throughput. Provided at no extra cost as a means to reduce stored data volumes by retaining only the items that remain current for your workload's needs

appspec.yml

allows you to influence exactly how a deployment process proceeds (CodeDeploy) Contains configuration and lifecycle event hooks

Gateway Route Tables

allows you to inspect traffic as it flows in and out of the network. Can be attached to internet gateways or virtual private gateways. Used to direct a gateway (IGW) to take actions based on inbound traffic no matter what the actual destination is (such as forwarding it to a security appliance).

cross-region read replicas for Amazon Aurora

allows you to serve read traffic from your users in different geographic regions and increases your application's responsiveness. This feature also provides you with improved disaster recovery capabilities in case of regional disruptions. You can seamlessly migrate your database from one region to another by creating a cross-region read replica and promoting it to be the new primary database. The restoration may take several minutes to hours - long restore times.

S3 Select and Glacier Select

allows you to use a SQL-Like statement to retrieve partial objects from S3 and Glacier. *server-side filtering* Less network transfer, less CPU cost client side

permissions boundary

an advanced feature for using a managed policy to set the maximum permissions that an identity-based policy can grant to an IAM entity. Allows it to perform only the actions that are allowed by both its identity-based policies and its permissions boundaries.

AWS Server Migration Service (SMS)

an agentless service that makes it easier and faster for you to migrate thousands of on-premises workloads to AWS. It allows you to automate, schedule, and track incremental replications of live server volumes, making it easier for you to coordinate large-scale server migrations. An improvement over VM Import/Export *Used to re-host* Each server volume replicated is saved as a new AMI, which can be launched as an EC2 instance

Local Secondary Indexes (LSI)

an alternative view on DynamoDB base table data using the *same PK* (partition key) and *alternative SK* (sort key) *Can ONLY be created with the table* *Shares RCU and WCU with the table* Attributes - ALL, KEYS_ONLY & INCLUDE

Global Secondary Indexes (GSI)

an alternative view on DynamoDB base table data with *alternative PK (partition key) and SK (sort key)* *Can be created at any time* *MUST have their own RCU and WCU allocations* Always eventually consistent, replication between base and GSI is Asynchronous Attributes - ALL, KEYS_ONLY & INCLUDE

AWS Device Farm

an application testing service that lets you improve the quality of your web and mobile apps by testing them across an extensive range of desktop browsers and real mobile devices; without having to provision and manage any testing infrastructure. The service enables you to run your tests concurrently on multiple desktop browsers or real devices *Fully automated* using framework Can *remotely* log in to devices for debugging

AWS Inspector

an automated security assessment service that *scans EC2 instances and the running OS* for any *vulnerabilities* and deviations against best practice - Provides a *Security Report* of findings ordered by priority *Two Main Types of Assessments of EC2 Instances* 1. Network Assessment (Agentless) 2. Network & Host Assessment (Agent) - *CVE, CIS, Security best practices - Agent required* "Inspect inside EC2"

AWS Guard Duty

an automatic *threat detection service* which reviews data from supported services and attempts to identify any events outside of the 'norm' for a given AWS account or accounts - continuous *security monitoring* service - analyzes supported data sources (DNS, VPC Flow Logs, CloudTrail Logs/Events) - Generates CloudWatch Event which sends to SNS or Lambda - *identifies malicious and unauthorized activity based on AI/ML patterns* - notify or event-driven protection/remediation - supports multiple accounts (Master and Member) Not capable of doing any resource changes by itself

DAX (DynamoDB Accelerator)

an in-memory cache designed specifically for DynamoDB. It should be your default choice for any DynamoDB caching-related questions. Less complexity for the app developer - tighter integration compared to traditional caches Works for DynamoDB only Requires Provisioning Runs within a VPC Read and Write Through Caching ITEMS and Query

Amazon Athena

an interactive query service that makes it easy to analyze data in Amazon S3 using standard SQL. Serverless, so there is no infrastructure to manage, and you pay only for the queries that you run. Billed based on data consumed Easy to use. Simply point to your data in Amazon S3, define the schema, and start ad-hoc querying using standard SQL. Most results are delivered within seconds. There's no need for complex ETL jobs to prepare your data for analysis. Source data is never changed

AWS SAM (Serverless Application Model)

an open-source framework for building serverless applications. It provides shorthand syntax to express functions, APIs, databases, and event source mappings. With just a few lines per resource, you can define the application you want and model it using *YAML*. During deployment, it transforms and expands the syntax into AWS *CloudFormation* syntax, enabling you to build serverless applications faster. *If it deploys a Lambda function, it will use CodeDeploy to perform traffic shifting*

AmazonMQ

an open-source message broker based on Managed Apache ActiveMQ It supports open standards such as JMS, AMQP, MQTT, OpenWire, and STOMP VPC Based - ***NOT A PUBLIC SERVICE*** - *Private networking required* No AWS native integration - delivers ActiveMQ product which you manage Merge between SQS and SNS but using open standards - Provides Queues and Topics

Key

at its simplest is a password, but it can be much more complex

Route53 Resolver

automatically answers DNS queries for local VPC domain names for EC2 instances (ec2-192-0-2-44.compute-1.amazonaws.com) and records in private hosted zones (portal.tutorialsdojo.com). For all other domain names, Resolver performs recursive lookups against public name servers.

AWS Config Auto Remediation feature

automatically remediates non-compliant resources evaluated by AWS Config rules. You can associate remediation actions with AWS Config rules and choose to execute them automatically to address non-compliant resources without manual intervention.

Task Roles

best practice way of giving containers within ECS permissions to access AWS products and services. An IAM role which the TASK assumes.

CloudEndure Migration

block-level replication tool that simplifies the process of migrating applications from physical, virtual, and cloud-based servers to AWS. Supports any source infrastructure as long as it runs on x86 operating systems supported by EC2. This includes physical servers, P2V (virtual servers converted from physical), VMware, Hyper-V, and other cloud providers like Azure, GCP, IBM, or Oracle. If your source environment includes bare metal servers, and you can install agents (more on agents in the next section), the recommendation is to use this. Quickly lift-and-shift physical, virtual, or cloud servers without compatibility issues, performance impact, or long cutover windows. Continuously replicates your source servers to your AWS account. Then, when you're ready to migrate, it automatically converts and launches your servers on AWS so you can quickly benefit from the cost savings, productivity, resilience, and agility of the AWS Cloud.

post_build

build phase that packages things up, pushes docker images, sends explicit notifications

build

build phase that runs commands during the build process

Public Lambda

by default lambda functions are given public networking. They can access public AWS services and the public internet - Best performance because no customer specific VPC networking required - *No access to VPC based services unless public IPs are provided & security controls allow external access*

RDS Read Replicas

can be added to an RDS Instance - 5 direct per primary instance - They can be in the same region, or cross-region - They provide read performance scaling for the instance, but also offer low RTO recovery for any instance failure issues - N.B. they don't help with data corruption as the corruption will be replicated to the replica - Performance and availability benefits

On-Demand Capacity Reservations

can be booked to ensure you always have access to capacity in an AZ when you need it - but at full on-demand price. No term limits but you pay regardless of whether you consume it.

RDS Automatic backups

can be taken of an RDS instance with a 0 (Disabled) to 35 Day retention. Also uses S3 for storing transaction logs every 5 minutes - allowing for point-in-time recovery.

Metric Filters

can be used to scan log data and generate Metrics within Cloudwatch, alarms and eventual events within Eventbridge. Allows you to create a metric from text occurring in a log group Ex. find a specific IP inside of a log or count occurrences of "ERROR" in your logs

Private Lambda (VPC)

can freely access all the VPC based resources assuming any NACLs and SGs allow access but can't access things outside of the VPC unless networking configuration exists *functions running in a VPC obey all VPC networking rules* - Can use VPC endpoints to provide access to public AWS services - Can use NATGW and IG to access internet resources

EC2Rescue

can help you diagnose and troubleshoot problems on Amazon EC2 Linux and Windows Server instances. You can run the tool manually or you can run the tool automatically by using Systems Manager Automation and the AWSSupport-ExecuteEC2Rescue document. The AWSSupport-ExecuteEC2Rescue document is designed to perform a combination of Systems Manager actions, AWS CloudFormation actions, and Lambda functions that automate the steps normally required to use EC2Rescue.

3rd Party Geolocation

can restrict based on almost anything, completely customizable (licensing, user login status, user profile fields and much more) requires a compute instance, a private distribution and the generation of signed URLs or Cookies Use this option to restrict access to a subset of the files that are associated with a distribution or to restrict access at a finer granularity than the country level.

VPC Flow Logs

capture packet metadata NOT packet contents Helpful to capture "denied internet traffic" (Ex. source IP address, source and destination ports, packet size and other externally visible metadata; anything to do with packet flow) Applied to a VPC - all interfaces in that VPC Are NOT real-time The destination can be S3 or CloudWatch Logs

S3 One-Zone IA

cheaper than Standard and IA but does not provide a multi-AZ resilience model. Used for long-lived data, non-critical and replaceable (replication files) Use Cases: storing secondary backup copies of on-premises data, or storing data you can recreate (thumbnails) Minimum storage duration of 30 days

S3 Glacier

cold objects, not made publicly accessible (retrieval process) *First byte latency = minutes or hours* When you need to store archival data where frequent or realtime access isn't needed (minutes-hours retrieval) 3 Retrieval options: - Expedited (1 to 5 min) - Standard (3 to 5 hours) - Bulk (5 to 12 hours) Minimum storage duration of 90 days

buildspec.yml

collection of build commands and related configuration that CodeBuild uses to run a build customizes the build process **It must be located at the root of your source application that you're building**

Cookbooks

collection of recipes that can be stored on Github

Redshift

column-based, petabyte scale, data warehousing product within AWS It's designed for OLTP products within AWS/on-premises to add data to, for long-term processing, aggregation and trending. Pay as you use. Similar structure to RDS *It's provisioned, so it's worth it when you have sustained usage (use Athena if the queries are sporadic instead)* Advanced Features: - Direct Query S3 using Redshift Spectrum - Direct Query other DBs using federated query - Integrates with AWS tooling such as Quicksight for visualization - SQL-like interface JDBC/ODBC connections

Reserved Instance

commit to long-term consistent usage (1 or 3 year terms) for a reduced price; use for components that have known usage and require consistent long-term access without interruption Best to use for these scenarios: - Applications that have been in use for years and that you plan to continue to use. - Applications with steady state or predictable usage. - Applications that require reserved capacity. - Users who want to make upfront payments to further reduce their total computing costs.

Root Hints

config list that points at the root servers' IPs and addresses

Namespace

container & isolation for metrics (Ex. AWS/EC2 & AWS/Lambda) Separates the metrics from different services AWS ones start with AWS/

Auto Scaling group

contains a collection of Amazon EC2 instances that are treated as a logical grouping for the purposes of automatic scaling and management. Enables you to use Amazon EC2 features such as health check replacements and scaling policies.

AWS CodePipeline

continuous delivery service you can use to model, visualize, and automate the steps required to release your software. You can quickly model and configure the different stages of a software release process. Automates the steps required to release your software changes continuously. Used for creating and executing CloudFormation change sets

CloudFront Cache Behavior

control much of the TTL, protocol and privacy (HTTP and HTTPS) settings within CloudFront Any requests which are incoming to an edge location are pattern-matched against any behaviors for that distribution. If requests match that pattern, that behavior is used; otherwise the default behavior is used. Origins, Origin groups, TTL, Protocol policies and restricted access are configured here

Cooldown Periods

controls how long to wait at the end of a scaling action before doing another; avoids costs associated with constantly adding or removing instances

Lambda Resource Policy

controls what services and accounts can invoke lambda functions Similar to S3 bucket policy Manually change via the CLI or API (can't be changed using the console)

ccTLD

country-code top level domain (.uk .eu)

Session State

data representation of the interaction between a user and an application Ex. Shopping cart, workflow position, or login state

SSE-S3

default S3 encryption; AWS handles both the encryption/decryption process as well as key generation and management. Encryption option that uses AES-256; each object is encrypted with a unique key. As an additional safeguard, it encrypts the key itself with a master key that it regularly rotates.

On-Demand Instance

default purchase option, no interruption, no capacity reservation, predictable pricing, no upfront costs, no discount. Short term workloads, unknown workloads, and apps that can't be interrupted

Service Definition

defines a service: how we want a task to scale and how many copies we'd like to run; adds capacity and resilience because of multiple copies and an LB in front of a service. How many copies, HA, Restarts

Service Quotas (Can't change # of IAM users, Max 5K)

defines how much of a thing that you can use inside an AWS account

Resolution

defines the minimum time period that you can get one particular data point for Standard (60s granularity) High (1s) As data ages, it's aggregated and stored for longer with less resolution

SAM template specification (Serverless Application Model)

defines the serverless application; It's like CloudFormation in that it creates resources. simple and clean syntax to describe the functions, APIs, permissions, configurations, and events that make up a serverless application

Patch Baseline

defines what patches get installed; includes rules for auto-approving patches within days of their release, as well as a list of approved and rejected patches. You can install patches on a regular basis by scheduling patching to run as a *Systems Manager maintenance window task.*

ECS (Elastic Container Service)

deploy, manage, and scale Docker containers running applications, services, and batch processes 2 Modes - EC2 vs Fargate

AWS CodeDeploy

deployment service that automates application deployments to Amazon EC2 instances, on-premises instances, serverless Lambda functions, or Amazon ECS services Deploys code, not resources When using AWS CodeDeploy with AWS Lambda there are three ways traffic can be shifted during a deployment: Canary - Traffic is shifted in two increments. You can choose from predefined canary options that specify the percentage of traffic shifted to your updated Amazon ECS task set / Lambda function in the first increment and the interval, in minutes, before the remaining traffic is shifted in the second increment. Linear - Traffic is shifted in equal increments with an equal number of minutes between each increment. You can choose from predefined linear options that specify the percentage of traffic shifted in each increment and the number of minutes between each increment. All-at-once - All traffic is shifted from the original Lambda function to the updated Lambda function all at once. Blue/green - Traffic is shifted from one version of a Lambda function to a new version of the same Lambda function.

Amazon Aurora Global Database

designed for globally distributed applications, allowing a single Amazon Aurora database to span multiple AWS regions. It replicates your data with no impact on database performance, enables fast local reads with low latency in each region, and provides disaster recovery from region-wide outages. You can have a single Aurora database that spans multiple AWS Regions to support your globally distributed applications. Consists of one primary AWS Region where your data is mastered, and up to five read-only secondary AWS Regions. You issue write operations directly to the primary DB cluster in the primary AWS Region. Aurora replicates data to the secondary AWS Regions using dedicated infrastructure, with latency typically under a second.

AWS Global Accelerator

designed to optimize the flow of data from your users to your AWS infrastructure; moves the actual *AWS network closer* to customers to get them onto the global AWS network as quickly and as close as possible using *anycast IP addresses* Fewer hops, directly under AWS control, significantly better performance *Transit over AWS backbone to 1+ locations*

Encryption At Rest

designed to protect against physical theft and physical tampering

API Gateway Methods

desired action to be performed (HTTP verbs) - Where integrations are configured which provide the functionality of an API (Ex. Lambda, HTTP, AWS service)

SRC/DST Check

drops packets if the SRC or DST address isn't ON that interface (used for security appliances) associated with primary interface

Amazon Connect

easy to use omnichannel (voice and chat, incoming & outgoing) cloud contact center that helps companies provide superior customer service at a lower cost Contact center as a service Integrates with other AWS services (Lambda/Lex) for additional intelligence and features

Lifecycle Hooks

enable you to perform custom actions by pausing instances as an Auto Scaling group launches or terminates them Ex. cleanup, log extraction, special health checks

S3 Transfer Acceleration (TA)

enables fast, easy, and secure transfers of files over long distances between your client and your Amazon S3 bucket. S3 Transfer Acceleration leverages Amazon CloudFront's globally distributed AWS Edge Locations. Increases transfer speed by transferring files to an AWS edge location which will forward the data to the S3 bucket in the target region Compatible with multi-part upload *over a fully-utilized 1 Gbps line can only transfer up to 75 TBs in a week's duration.*

Amazon Redshift workload management (WLM)

enables users to flexibly manage priorities within workloads so that short, fast-running queries won't get stuck behind long-running queries. Creates query queues at runtime according to service classes, which define the configuration parameters for various types of queues, including internal system queues and user-accessible queues. From a user perspective, a user-accessible service class and a queue are functionally equivalent.

Server Name Indication (SNI)

extension that was added to TLS that adds the ability for a client to tell a server which domain name it's attempting to access. Solves the problem of loading *multiple SSL certificates onto one web server* (to serve multiple websites) - Occurs within the TLS handshakes (Layer 4) before HTTP even gets involved (Layer 7) - Allows 1 IP to host many HTTPS websites which need their own cert - Old browsers don't support SNI; CloudFront charges for dedicated IP

Amazon Neptune

fast, reliable, fully managed graph database service that makes it easy to build and run applications that work with highly connected datasets. Purpose-built, high-performance graph database engine optimized for storing billions of relationships and querying the graph with millisecond latency. Use Cases: social media (anything involving fluid relationships), fraud prevention, recommendation engines, network and IT operations, Biology and other life sciences

Sticky sessions

feature of AWS ELBs which allows applications that store session state internally on EC2 instances to function with load balancers; routes requests to the same target in a target group; enabled at the target group level. Locked to specific backend instances using a cookie (AWSALB) generated by the LB. Look for question keywords: logout, lost carts, lost progress... these suggest lost session state

MultiAZ

feature of RDS which provisions a standby instance which is kept in sync Synchronously with the primary instance. The standby instance cannot be used for any performance scaling ... only availability. Backups, software updates and restarts can take advantage of this to reduce user disruption.

Presigned URLs

feature of S3 which allows the system to generate a URL with access permissions encoded into it, for a specific bucket and object, valid for a certain time period (default of 3600 seconds) Ex. - Only allow logged-in users to download a premium video on your S3 bucket - Allow an ever-changing list of users to download files by generating URLs dynamically - Allow temp user to upload a file to a precise location in your bucket

S3 Access Points

feature of S3, simplifies managing data access at scale for applications using shared data sets on S3. Unique hostnames that customers create to enforce distinct permissions and network controls for any request made through this.

Stack Roles

feature of CloudFormation which allows identities to deploy infrastructure in a controlled way, beyond their usual permissions

Systems Manager Run Command

foundational feature of Systems Manager which allows for commands to be executed on managed instances at scale - Run 'command documents' on managed instances - *No SSH/RDP Access Required* - Executed on Instances, Tags, or Resource Groups - Command documents can be reused and can have parameters - Rate Control - Concurrency and Error Threshold - Output can be sent to S3 and then SNS - EventBridge (Cloudwatch Events) Target

AMI Baking

front-load time and effort to install/configure an application by launching a master EC2 instance and performing all the time-consuming tasks up front (install OS, install app components, etc). Then create an AMI from that instance quickly. Not mutually exclusive; can use bootstrapping to automate install

S3 Glacier Deep Archive

frozen objects, *First byte latency = hours or days* When you rarely if ever need access (hours or days for retrieval) Legal or regulation data storage Retrieval options: - Standard (12 hours) - Bulk (48 hours) Minimum storage duration of 180 days

AWS CodeBuild

fully managed continuous integration service that compiles source code, runs tests, and produces software packages that are ready to deploy. You don't need to provision, manage, and scale your own build servers. It scales continuously and processes multiple builds concurrently, so your builds are not left waiting in a queue **Customized via buildspec.yml file (It has to be located in the root of source of the application you're building)**

Amazon Macie

fully managed data security and data privacy service that uses machine learning and pattern matching to discover, monitor and protect your sensitive data in *AWS S3 Buckets* Uses a multi-account architecture via AWS Organizations or account inviting Two Data Identifiers - rules which your objects and content are assessed against: 1. Managed 2. Custom Recognizes sensitive data such as personally identifiable information (PII) or intellectual property, and provides you with dashboards and alerts that give visibility into how this data is being accessed or moved. The fully managed service continuously monitors data access activity for anomalies and generates detailed alerts when it detects a risk of unauthorized access or inadvertent data leaks.

AWS Glue

fully managed extract, transform, and load (ETL) service that makes it easy for customers to prepare and load their data for analytics. Serverless ETL; similar to DataPipeline but that uses servers (EMR) You can create and run an ETL job with a few clicks in the AWS Management Console. You simply point it to your data stored on AWS, and it discovers your data and stores the associated metadata (e.g. table definition and schema) in the Data Catalog (persistent metadata). Once cataloged, your data is immediately searchable, queryable, and available for ETL.

Amazon Quantum Ledger Database (QLDB)

fully managed ledger database that provides a transparent, immutable, and cryptographically verifiable transaction log owned by a central trusted authority. (serverless) Can be used to track each and every application data change and maintains a complete and verifiable history of changes over time. Use Cases: Finance, Medical, Logistics, Legal

Amazon ES (Elasticsearch Service)

fully managed service that makes it easy for you to deploy, secure, and run Elasticsearch cost effectively at scale. You can build, monitor, and troubleshoot your applications using the tools you love, at the scale you need. The service provides support for open source Elasticsearch APIs, managed Kibana, integration with Logstash and other AWS services, and built-in alerting and SQL querying. Lets you pay only for what you use - there are no upfront costs or usage requirements. With this service, you get the ELK stack you need, without the operational overhead. Runs on servers (not a serverless offering) Use Cases: - Log analytics - real time application monitoring - security analytics - full text search - clickstream analytics - indexing

AWS AppSync

fully managed service that makes it easy to develop GraphQL APIs by handling the heavy lifting of securely connecting to data sources like Amazon DynamoDB, Lambda, and more. Adding caches to improve performance, subscriptions to support real-time updates, and client-side data stores that keep offline clients in sync are just as easy.

gTLD

generic top level domain (.com .org)

Public VIF (Public Zone Services)

grants access to public AWS services like S3, DynamoDB, SNS, SQS. Anything run from AWS public space but not the public internet

Synchronous Replication

happens at the same time as the data is being written to the primary database instance. It creates almost zero lag between the primary and the standby instance in RDS Multi-AZ

AWS Site-to-Site VPN

hardware VPN solution which creates a *highly available* IPSEC VPN between an AWS VPC and an external network such as on-premises traditional networks that runs over the *public internet* Quick to set up vs Direct Connect Doesn't offer the same high performance Encrypts data in transit. Set up a VGW and attach it to your VPC Set up a CGW to point at the on-premises VPN appliance Can optionally accelerate it using Global Accelerator (for worldwide networks)

CloudWatch Events/EventBridge (EventBridge is replacing CloudWatch Events)

have visibility over events generated by supported AWS services within an account. They can monitor the default account event bus (stream of events) - and pattern matches events flowing through and deliver these events to multiple targets. They are also the source of scheduled events which can perform certain actions at certain times of day, days of the week, or multiple combinations of both - using the Unix CRON time expression format.

Amazon SWF (Simple Workflow Service)

helps developers build, run, and scale background jobs that have parallel or sequential steps. You can think of it as a fully-managed state tracker and task coordinator within AWS and the predecessor to Step Functions Difference from Step Functions: this is older, uses instances/servers, and is used for more complicated workflows Not recommended except: - if you need external signals to intervene in the process - if you need child processes that return values to parent processes - if you need to use Amazon Mechanical Turk

AWS Application Discovery Service

helps enterprise customers plan migration projects by gathering information about their on-premises data centers. **Does not migrate** (Send to Migration Hub) Collects and presents configuration, usage, and behavior data from your servers to help you better understand your workloads. Collect server utilization data and perform dependency mapping; export this data as a CSV file and use it to estimate the Total Cost of Ownership (TCO) of running on AWS and to plan your migration to AWS. In addition, this data is also available in AWS Migration Hub, where you can migrate the discovered servers and track their progress as they get migrated to AWS.

AWS Cloud Adoption Readiness Tool (CART)

helps organizations of all sizes develop efficient and effective plans for cloud adoption and enterprise cloud migrations. This 16-question online survey and assessment report details your cloud migration readiness across six perspectives including business, people, process, platform, operations, and security.

AWS Database Migration Service

helps you migrate databases to AWS quickly and securely. The source database remains fully operational during the migration, minimizing downtime to applications that rely on the database. Can migrate your data to and from most widely used commercial and open-source databases. Basic Schema Copy

Root Server

hosts the DNS root zone operated by 12 different large global companies or organizations

30 Days

if an object is initially stored on S3 standard, and a single lifecycle rule is used to transition it to S3 IA after 30 days, how soon afterwards can it be transitioned to S3 Glacier

Versioned File Names

if you have a constant need to update individual files or invalidate files what should you use? - Ex. Whiskers1_v1.jpg // _v2.jpg // _v3.jpg - Application points at the new version name - Logging is more effective - Keep all versions of all objects - Less expensive

Cache Invalidation

immediately expire any objects regardless of their TTL based on the invalidation pattern specified. - *performed on a distribution* - *applied to all edge locations (takes time)* - Ex. /images/whiskers1.jpg /images/whiskers* /images/* /* - Costly so only should be used to correct errors

Placement Groups

influence the placement of a group of interdependent instances to meet the needs of your workload *You can move an instance into or out of a placement group* - You first need to stop it, then use the CLI (modify-instance-placement), then start the instance.

CloudWatch

ingestion, storage, and management of Metrics Public service - public space endpoints (IGW, Interface endpoints) Agent integration to receive richer metrics - on-premises or internet connected systems publishing into CloudWatch When to use? - metric data - telemetry of various different AWS services - generate alarms based on that data

Recipes

install packages, deploy apps, run scripts, reconfiguration on layers (specific function within a stack; App Layer, DB Layer, etc) using OpsWorks

DNS Forwarder

intermediary between AWS and On-Premises Requests arrive and are forwarded to the R53 Resolver by default or selectively to on-premises as required old hybrid architecture before Route53 Endpoints

Steganography

invisible ink; the method of hiding something in something else

Tag Editor

is a global service that allows us to discover resources and to add additional tags to them as well. You search for the resources that you want to tag, and then manage tags for the resources in your search results.

Batch Processing

jobs that can run without end user interaction or can be scheduled to run as resources permit

CloudFront Key

key created by an Account Root user and tied to the AWS account rather than a specific user within that account Once this exists within an account, that account can be added to CloudFront as a trusted signer

Regional Edge Cache

larger version of an edge location. Provides another layer of caching Designed to hold more data to cache things which are accessed less frequently but still need performance benefit

Network Load Balancers (NLB)

layer 4 load balancer; TCP, TLS, UDP, TCP_UDP - no visibility or understanding of HTTP or HTTPS - SMTP, SSH, Game Servers, financial apps (not http/s) - no headers, no cookies, no session stickiness - really really really fast (millions of rps, 25% of XXX latency) - Health checks JUST check ICMP/TCP Handshake (Not app aware) - Static IPs useful for whitelisting - Forward TCP to instances (unbroken encryption) - Used with PrivateLink to provide services to other VPCs A good choice if you expect millions of requests per second.

Application Load Balancers (ALB)

layer 7 load balancer; listens on HTTP and/or HTTPS - No other Layer 7 protocols (SMTP, SSH, Gaming, etc) - No TCP/UDP/TLS listeners - Understands L7 content type, cookies, custom headers, user location and app behavior - SSL/TLS always terminated on the ALB - no unbroken SSL - ALBs must have SSL certs if HTTPS is used - Slower because it has more levels of the network stack to process - Health checks evaluate application health at Layer 7

Scan Operations

least efficient operation in DynamoDB but most flexible moves through the table consuming the capacity of every ITEM. You have complete control on what data is selected, any attributes can be used and any filters applied but this operation consumes capacity for every ITEM scanned through

AWS Systems Manager Maintenance Windows

lets you define a schedule for when to perform potentially disruptive actions on your instances such as patching an operating system, updating drivers, or installing software or patches. Each has a schedule, a maximum duration, a set of registered targets (the instances that are acted upon), and a set of registered tasks. You can also specify dates that it should not run before or after, and you can specify the international time zone on which to base this.

AWS Cloud Development Kit (AWS CDK)

lets you define your cloud infrastructure as code in one of five supported programming languages. It is intended for moderately to highly experienced AWS users. App written in TypeScript, JavaScript, Python, Java, or C# that uses the AWS CDK to define AWS infrastructure. An app defines one or more stacks. Stacks (equivalent to AWS CloudFormation stacks) contain constructs, each of which defines one or more concrete AWS resources, such as Amazon S3 buckets, Lambda functions, Amazon DynamoDB tables, and so on.

EC2 Savings Plan

like a reserved instance plan but instead of focusing on a particular type of instance in an AZ or region, you're making a 1 or 3 year commitment in terms of hourly spend; An agreement between you and AWS where you commit to a minimum spend and in return AWS gives you cheaper access to any of the applicable resources (General Savings vs EC2 Savings Plan) *allows an org that is migrating from EC2 to emerging architectures (Fargate, Lambda, etc)* Ex. $10 per hour for 1 to 3 years

Edge Location

local cache of your CloudFront data More locations than AWS regions and more widely distributed closer to customers Smaller than AWS regions

AWS_Proxy (Lambda)

low admin overhead lambda endpoint; integration that passes the data through unmodified; lambda function is responsible for formats. No mapping template

Cold HDD (sc1)

lowest-cost HDD design for less frequently accessed workloads *colder data requiring fewer scans per day* Max 250 IOPS or MB/s Cheaper

Amazon Rekognition

makes it easy to add image and video analysis to your applications using proven, highly scalable deep learning technology that requires no machine learning expertise to use. *Find objects, people, text, scenes, and activities in images and videos as well as detect any inappropriate content using ML* Also provides highly accurate *facial analysis and facial search* capabilities that you can use to detect, analyze, and compare faces for a wide variety of user verification, people counting, and public safety use cases. Use cases: Labeling, Content Moderation, Text and Face Detection, Pathing

AWS Batch

managed batch processing compute service which can be used for long-running or resource-heavy compute services at scale. Ex. running thousands of concurrent jobs Can choose On-demand or Spot Instances Multi-node Mode - for high-performance computing, does not work with spot instances Use to accelerate content creation, dynamically scale media packaging, and automate asynchronous media supply chain workflows.

Master Node

manages the cluster and its health, coordinates; each EMR cluster has at least 1 Distributes workloads and acts as the NAME node within MapReduce If you need to SSH to the cluster it's via this node

Mapping Templates

modify or rename parameters between the method and integration - Used for AWS and HTTP (non PROXY) integrations - Modify body or headers of the request - Filtering - removing anything which isn't needed - a script expressed in velocity template language (VTL) Common exam scenario - ***REST API (on API Gateway) to a SOAP API.. Transform the request using this***

S3 Standard-Infrequent Access

more cost effective than Standard but has a retrieval fee and minimum duration charge of 30 days; should be used for long-lived data, which is important but where access is infrequent Use Cases: As a data store for disaster recovery, backups.. Minimum storage duration of 30 days

Query Operations

most efficient operation in DynamoDB; accepts a single PK (partition key) value and *optionally* a SK (sort key) or range Capacity consumed is the size of all returned items. Further filtering discards data - capacity is still consumed Can ONLY query on PK or PK and SK

Source bundle

name for the archive that you upload to Elastic Beanstalk that contains all of the source code and any of the files required by Elastic Beanstalk (directly from computer or S3)

Dimensions

name/value pair provided when you add data points into CloudWatch that create unique metrics The way that the CPUUtilization metric for EC2 differentiates between instances. Ex. CPUUtilization Name=InstanceID, Value = i-111111 (cat) CPUUtilization Name=InstanceID, Value = i-22222 (dog) Used to aggregate data - AutoScalingGroupName, ImageId, InstanceId, InstanceType

Transit Gateway (TGW)

network gateway which can be used to significantly simplify networking between VPCs, VPN and Direct Connect. It can be used to create global networks, peer VPCs (VPC attachments) in the same account, different account, same or different region (Peering Attachments) and supports transitive routing between networks. - allows you to connect VPCs and VPNs in a hub and spoke routing architecture - Benefit from reduced admin overhead and full transitive routing *Supports IP Multicast (not supported by any other AWS service)*

Capacity Reservations

no billing benefits; just reserving capacity. Useful when you have a requirement for some compute which can't tolerate interruption. Types: Regional Reservations, Zonal Reservations, On-Demand Reservations

Point-in-time Recovery (PITR)

not enabled by default; a continuous record of changes allows replay to any point in the window (35 day recovery window). Helps protect your DynamoDB tables from accidental write or delete operations. You don't have to worry about creating, maintaining, or scheduling on-demand backups. Doesn't affect performance or API latencies.

AWS Organizations

offers policy-based management for multiple AWS accounts. Consolidated billing. Eventually consistent.

AWS Migration Hub

one hub for all migration tasks in AWS. (VM application discovery, database, any type of migration from on-premises into AWS)

Domain Name System (DNS)

one of the most important distributed databases which exist today. It is used for service discovery, configuration and the operation of most consumer web browsing and other internet activities.

AWS Trusted Advisor

online tool that provides real-time guidance to help you provision your resources following AWS best practices. Checks help optimize your AWS infrastructure, increase security and performance, *reduce your overall costs*, and *monitor service limits*. Can check whether a bucket is public, but not individual objects.

Task Nodes

optional; they have no HDFS involvement, they don't run task trackers (core) and *JUST* run the tasks. Ideal for Spot-based scaling.

R53 Split View Hosted Zones

overlapping public and private hosted zones with the same zone name

Cluster Placement Groups

packs instances close together inside an Availability Zone. This strategy enables workloads to achieve the low-latency network performance (10 Gbps) necessary for tightly coupled node-to-node communication that is *typical of High-Performance Computing (HPC) applications*. Use Cases: - Big Data job that needs to complete fast - Application that needs extremely low latency and high network throughput

Zone

part of the DNS database (e.g. Amazon); what the data is, its substance

HTTP_Proxy Integration

passes the request through to the integration unmodified and returns the response to the client unmodified (the backend needs to use a supported format); no mapping template

Replication Instance

performs the migration between Source and Destination endpoints which store connection information for source and target databases

Direct Connect ***Direct Connect offers NO ENCRYPTION***

physical *private* connection (fibre) between an AWS Region (DX Location) and your on-premises network. It provides low and consistent latency and offers significant performance advantages. More expensive than VPN. - Neither encrypted nor secure by design - Unless specifically encrypted by the application, data transits as plain text - Use Public VIF + Site-to-Site VPN to add security to Direct Connect. Connection Types: Dedicated, Hosted. Use Cases: - when transferring large data sets - when developing and using applications that use real-time data feeds - when building hybrid environments that satisfy regulatory requirements requiring the use of private connectivity

Zonefile

physical database for a zone; how the data is stored

Algorithm

piece of code or math that takes plaintext and an encryption key and generates encrypted data (Ex. Blowfish, AES, RC4, DES, RC5 and RC6)

Root Zone

points at the TLD authoritative (trusted) servers (13 root servers); .com, .uk, .org

API Gateway Resources

points in an API tree or bits of functionality within your API

MapReduce

process for large-scale parallel processing of large datasets. Two Phases: - Map: data is separated into splits and each is assigned to a mapper (compute) for processing - Reduce: recombine data into results

CloudWatch Logs

product which can store, manage and provide access to logging data for on-premises and AWS environments including systems and applications. 2 Sides of Product - Ingestion: getting logs into the system - Subscription: what other products can use those logs for other activities

Encryption In Transit

protecting data while it's being transferred between two places

SQS Delay Queues

provide an initial period of invisibility for SQS messages. Predefined periods can ensure that processing of messages doesn't begin until this period has expired. Perform a set of tasks before you begin processing a message, or add a certain amount of time between an action that a customer takes and further processing of the message that represents that action. Minimum = 0, Max = 15 minutes

Private VIF (VPC)

provide private network connectivity. Each connects to a VPC and using it you can access resources in that VPC (EC2, ALB) from your on-premises network. By default, they can only connect to VPCs in the same region as the connection.

AWS Shield

provides AWS resources with *DDoS protection* (Distributed Denial of Service)

Regional Reservations

provides a billing discount for valid instances launched in any AZ in that region; while flexible, they don't reserve capacity within an AZ (which is risky during major faults when capacity can be limited)

Shield Advanced

provides additional detection and mitigation against large and sophisticated DDoS attacks, near real-time visibility into attacks, and integration with AWS WAF. Not free - $3,000 per month. For higher levels of protection against attacks targeting your applications running on *EC2, ELB, CloudFront, Global Accelerator, and R53*. *24/7 access to the DDoS Response Team (DRT) and financial insurance*

DNSSEC (Domain Name System Security Extensions)

provides data origin authentication and data integrity verification for DNS and can help customers meet compliance mandates, such as FedRAMP. Ensures that DNS responses have not been tampered with in transit. This can prevent DNS spoofing.

AWS Transfer Family

provides fully managed support for file transfers directly into and out of Amazon S3 or Amazon EFS. With support for Secure File Transfer Protocol (SFTP), File Transfer Protocol over SSL (FTPS), and File Transfer Protocol (FTP), it helps you seamlessly migrate your file transfer workflows to AWS by integrating with existing authentication systems and providing DNS routing with Amazon Route 53, so nothing changes for your customers and partners, or their applications.

AWS OpsWorks

provides managed implementations of Puppet and Chef in a product that integrates with other AWS products and services. Helps you perform server configuration automatically or repetitive actions (works great with EC2 & on-premises VMs). 3 Modes - Puppet Enterprise, Chef Automate, OpsWorks Stacks (no servers to manage). Visually: CloudFormation | OpsWorks | Elastic Beanstalk. *Recipes, Cookbooks, or Manifests mentioned*

DynamoDB Global Tables

provides multi-master cross-region global replication of DynamoDB tables which can be used for performance, High Availability, or Disaster Recovery/Business Continuity reasons. - Sub-second replication between table replicas - Global eventual consistency; same region eventual or strongly consistent - Last writer wins conflict resolution. Eliminates the difficult work of replicating data between regions and resolving update conflicts, enabling you to focus on your application's business logic. Allows both reads and writes to occur in both Regions, unlike Aurora Global Database.

Accelerated Site-to-Site VPN

provides performance enhancements by routing traffic over a more direct and efficient path between the CGW and AWS, avoiding the public internet as much as possible. VGWs DO NOT SUPPORT this. Must use TGW.

AWS PrivateLink (VPC Endpoint Services)

provides private connectivity between VPCs, AWS services, and on-premises applications, *securely* on the Amazon network. *Highly available via multiple endpoints* *Supports IPv4 and TCP only (IPv6 not supported)* *Direct Connect, Site-to-Site VPN, and VPC Peering supported* Typically used when you have an application that you want to securely provide to another AWS account, or when you want to consume a service provided by a service provider. Requires an NLB (Service VPC) and an ENI (Customer VPC).

Instance Store Volumes

provides temporary block-level storage for your instance. This storage is located on disks that are physically attached to the host computer. Ideal for *temporary* storage of information that changes frequently, such as buffers, caches, scratch data, and other temporary content, or for data that is replicated across a fleet of instances, such as a load-balanced pool of web servers. *Attached at launch* *More IOPS and throughput vs EBS* On stop or termination, the instance store is lost. Data survives reboots.

Device Shadows (IoT)

reliable and consistent copies of a real device that can be read from or written to. Any writes will be sent to the device when it next connects. Can make a device's state available to apps and other services whether the device is connected to AWS IoT or not.

Zonal Reservations

reservation that only applies to one AZ, providing billing discounts and capacity reservation in that AZ; Full price and no capacity reservation

EMRFS

resilient file system supported natively within EMR. Backed by S3, which means it is regionally resilient. Persists past the lifetime of the cluster and is resilient to core node failure.

Compliance Mode

retention period that can't be adjusted, and object versions can't be deleted or overwritten, until retention expires (even by the root user)

Governance Mode

retention period where special permissions can be granted allowing lock settings to be adjusted - prevent accidental deletion - process/governance reasons to keep object versions - test settings before picking other mode

Dynamic Scaling

scaling policies that are rules which react to something: Simple Scaling, Step Scaling, Target Tracking

Scheduled Scaling

scaling policy that is a time-based adjustment (Ex. sales)

Manual Scaling

scaling policy that manually adjusts the desired capacity

AWS IoT Greengrass

seamlessly extends AWS to edge devices so they can act locally on the data they generate, while still using the cloud for management, analytics, and durable storage. Connected devices can run AWS Lambda functions, Docker containers, or both, execute predictions based on machine learning models, keep device data in sync, and communicate with other devices securely - even when not connected to the Internet.

Pilot Light

secondary environment is provisioned in advance running only the absolute minimum of infrastructure. It can be powered on much quicker than backup and restore - fairly cheap but faster (RPO in minutes, RTO in hours)

Task Definition

self-contained application; stores whatever container definitions make up the application; *stores task roles (IAM roles that a task can assume)* Security (Task Role), Container(s), Resources

Publisher

sends messages to a TOPIC

Amazon Lex

service for building conversational interfaces into any application using voice and text. Provides the advanced deep learning functionalities of automatic speech recognition (ASR) for converting speech to text, and natural language understanding (NLU) to recognize the intent of the text, to enable you to build applications with highly engaging user experiences and lifelike conversational interactions. Use Cases: chatbots, voice assistants, Q&A bots, info/enterprise bots, call center bots

SSM Parameter Store

service which is part of Systems Manager which allows the storage and retrieval of parameters - string, string list, or secure string. Supports encryption which integrates with KMS, versioning, and can be secured using IAM. Integrates natively with many AWS services - and can be accessed using the CLI/APIs from anywhere with access to the AWS Public Space Endpoints. Parameters are hierarchical, e.g. /my-department/my-app/dev/db-url and /my-department/my-app/dev/db-password. A single store for configuration and secrets, but no lifecycle management.

EFS (Elastic File System)

shared file system within AWS for *Linux EC2 instances*, as well as Linux on-premises servers, based on the Network File System (NFS). *Private service via mount targets (isolated to a VPC)* A file system that can be mounted on many EC2 instances at a time; the data can be shared between them. *Can be accessed from on-premises (VPN or DX)* *Access via Lambda - larger file systems* Use cases: content management, web serving, data sharing, WordPress

CloudSearch

simple and cost-effective way to set up, manage, and scale a search solution for your website or application. Managed alternative to Elasticsearch. You can quickly add rich search capabilities to your website or application. You don't need to become a search expert or worry about hardware provisioning, setup, and maintenance.

Systems Manager Automation

simplifies common maintenance and deployment tasks of Amazon EC2 instances and other AWS resources. Automation enables you to do the following: - Build Automation workflows to configure and manage instances and AWS resources. - Create custom workflows or use pre-defined workflows maintained by AWS. - Receive notifications about Automation tasks and workflows by using Amazon CloudWatch Events. - Monitor Automation progress and execution details by using the Amazon EC2 or the AWS Systems Manager console.

Snowcone

small, portable, rugged and secure device that withstands harsh environments; used for edge computing, storage, and data transfer anywhere. Use where Snowball does not fit (space-constrained environments).

DNS resolver

software on your device or a server which queries DNS on your behalf; it locates the correct name server for a given zone, queries that name server, retrieves the info it needs and then passes it back to the DNS client

AWS OpsHub

software that you can install on your computer to manage the Snow Family

Partition Placement Groups

spreads your instances across logical partitions such that groups of instances in one partition do not share the underlying hardware with groups of instances in different partitions. This strategy is typically used by large distributed and replicated workloads, such as Hadoop, Cassandra, and Kafka.

S3 Intelligent-Tiering

storage class that monitors and automatically moves any objects not accessed for 30 days to a low-cost infrequent access tier and eventually to archive or deep archive tiers. Small monthly monitoring and auto-tiering fee. Used for long-lived data with changing or unknown access patterns.

CodeCommit

store code in version-controlled repositories. Code can live on multiple branches

Subscription Filters

stream CloudWatch logging data for further delivery to - Lambda (real time) - Elasticsearch (real time) - Kinesis Data Streams (real time) - Kinesis Data Firehose *(near real time)* Can also be used to create a logging aggregation architecture

Spread Placement Groups

strictly places a small group of instances across distinct underlying hardware to reduce correlated failures (critical applications). Infrastructure isolation: each instance is on its own rack within each AZ (7 instances per AZ per placement group). Use Cases: - Application that needs to maximize high availability - Critical applications where each instance must be isolated from the failure of the others

Schema-on-read

table-like translation; allows SQL-like queries on data without transforming source data

SQS Fan-Out

takes 1 event (upload to S3 bucket) and creates multiple different events that can be used independently

minimumLinks attribute

the LAG is active as long as this value or MORE connections are active. Ex. If this value is set to 2 and you have a LAG with 4 DX connections but 3 fail, the LAG is viewed as in a failed state. Designed to avoid the oversaturation of any remaining operational links within a LAG if you have failures.

VisibilityTimeout

the amount of time a message is hidden after it's received; if it's not deleted, it appears back in the queue to be processed again. Immediately after a message is received, it remains in the queue. To prevent other consumers from processing the message again, Amazon SQS sets a period of time during which it prevents other consumers from receiving and processing the message. The default for a message is 30 seconds. The minimum is 0 seconds. The maximum is 12 hours. Used for error correction and automatic reprocessing.

SNS Topics

the base entity of SNS - permissions and configuration

Spot Instance

the cheapest way to access EC2 capacity; AWS sells unused EC2 host capacity for up to a 90% discount. The price is based on the spare capacity at a given time. For non-time-critical workloads, anything which can be rerun, bursty capacity needs, cost-sensitive workloads, anything which is stateless. Not for workloads that can't tolerate interruptions (domain controllers, mail servers, traditional websites, flight control systems). Max spot price. Spot Block - block an instance for a specified time frame (1 to 6 hours) without interruptions. Draining and diversified strategy.

Distribution

the configuration unit of CloudFront. You create this and it gets deployed out to the CloudFront network (edge locations). Almost everything is configured within this, either directly or indirectly. Origins/origin groups and behaviors are configured inside this.

DNS Client

the device which wants the data that DNS has (laptop, phone, tablet, PC)

Kinesis Data Analytics

the easiest way to analyze streaming data, gain actionable insights, and respond to your business and customer needs in *real time*. - Uses Structured Query Language (SQL) - Ingests from Kinesis Data Streams or Firehose - Destinations include Firehose (S3, Redshift, Elasticsearch & Splunk), AWS Lambda, Kinesis Data Streams. Use Cases: - Streaming ETL: select columns, make simple transformations on streaming data - Continuous metric generation: live leaderboard for a mobile game - Responsive analytics: look for certain criteria and build alerting (filtering)

Multi-Value Headers

if requests from a client or responses from a Lambda function contain headers with multiple values, contain the same header multiple times, or contain query parameters with multiple values for the same key, you can enable support for this. When enabled, the load balancer uses all values sent by the client and sends you an event that includes query string parameters using multiValueQueryStringParameters. Not using this means ALB sends only the last value sent by the client to Lambda.

Disaster Recovery - Databases

the local and global DR Architectural points and considerations for DynamoDB, RDS, and Aurora

Lambda Function Handler

the method in your Lambda function code that processes events. When your function is invoked, Lambda runs this method. When it exits or returns a response, the function becomes available to handle another event.

Ciphertext

the output when an algorithm takes plaintext and a key; isn't always text data. Encrypted data.

S3 Requester Pays

the requester, instead of the bucket owner, pays the cost of the request and the data download from the bucket. Helpful when you want to share large datasets with other accounts. Must use a bucket policy, not an IAM role, for the requester to pay. The bucket owner always pays the cost of storing data.

Origin

the source location of your content (S3 origin or custom origin). Used by behaviors as content sources.

Layer 1 - Physical Layer

the way in which data is transmitted onto, and received from, a physical shared medium (copper, fibre, RF)

Recovery Point Objective (RPO)

time between the last backup and the incident; - maximum amount of data loss - Influences technical solution and cost - Generally lower values cost more

Recovery Time Objective (RTO)

time between the DR event and full recovery - Influenced by process, staff, tech and documentation - Generally lower values cost more

Metric

time-ordered set of data points. Ex. CPUUtilization, NetworkIn, DiskWriteBytes (EC2)

S3 Object Lock

stores objects using a write-once-read-many (WORM) model. It can help you prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely. Used to meet regulatory requirements that require WORM storage, or to add an extra layer of protection against object changes and deletion. Two Ways: Retention Period and Legal Hold

Origin Fetch

transfer of data between an origin and an edge location which doesn't have the object cached

Gateway Endpoint

type of VPC endpoint which allows access to S3 and DynamoDB without using public addressing (IGW, NAT Gateway). Adds 'prefix lists' to the route table, allowing the VPC router to direct traffic flow to the public services via this endpoint. Never requires changes to the applications; the application thinks it's communicating directly with S3 or DynamoDB. *Does not go into a particular subnet or an Availability Zone. Highly available across all AZs in a region by default*

Plaintext

unencrypted data; doesn't have to be text, it can be images or even applications

CMK (Customer Master Keys)

used by KMS within cryptographic operations; container for the actual physical master keys. - Logical and contains ID, date, policy, description, and state - Backed by physical key material (generated or imported) ***Can be used for up to 4KB of data*** (If data > 4KB, use envelope encryption). Isolated to a region and never leaves AWS. AWS Managed or Customer Managed.

DLQ (Dead-Letter Queues)

used for problem messages (repeated processing errors); different processing for problematic messages. When ReceiveCount > maxReceiveCount and the message isn't deleted, it's moved to this queue. SNS & SQS (AWS recommends you use destinations instead of this)

AWS-Run-PatchBaseline (Run Command)

used to actually patch the machines (runs with a baseline and targets). Part of the registered tasks of the Maintenance Window (works cross-platform, Linux & Windows)

Dockerfile

used to build Docker images. Each step creates filesystem layers.

DEKs (Data Encryption Keys)

used to encrypt data larger than 4KB in size; generated using a customer master key

Lambda Versions

used to manage the deployment of your functions. *Immutable*: it never changes once published and has its own ARN. Includes the following immutable information: - Function code, dependencies, runtime, settings, and environment variables - A unique Amazon Resource Name (ARN) to identify the specific version of the function (qualified ARN). $LATEST points at the latest - the unqualified ARN, not a specific version. Aliases (DEV, STAGE, PROD) can point at this and can be changed.

Schema Conversion Tool (SCT)

used when converting one database engine to another, including DB --> S3 (migrations using DMS). ***Not used when migrating between DBs of the same type*** Works with OLTP DB types (MySQL, MSSQL, Oracle). Works with OLAP (Teradata, Oracle, Vertica, Greenplum). *Used to extract data from an on-premises data warehouse and migrate to AWS (Snowball Edge)*

SQS Extended Client Library

used when handling messages over the SQS max (256KB); allows you to process large payloads and have the bulk of the payload stored within S3 - SendMessage uploads to S3, stores link in message - ReceiveMessage loads the large payload from S3 - DeleteMessage also deletes the large S3 payload - Interface for SQS+S3 - handling the integration workload ***Exam often mentions Java with this service***

Direct Connect LAG (Link Aggregation Group)

way to combine individual Direct Connect connections into a faster logical connection - They improve manageability and speed and are not designed for resilience - Active/Active architecture - Maximum of 4 connections per LAG (40 Gbps = 10 Gbps x 4) - All connections need to be the same speed - All in the same DX location

Nameserver

where zonefiles are hosted
