While preparing for the AWS CSA Associate exam, I've put together a few draft notes to help me revise on an ongoing basis.
IAM
- IAM is global
- the root account has admin access
- by default new users have no permissions
- access key ID and secret access key are only used for API access, not for console login
- permissions are granted by policies
- attach the administrator access policy to make someone an admin
- effect: allow or deny
- a role allows AWS resources to access other resources, e.g. EC2 can access S3
- role types: service roles, cross-account access and identity provider access
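As an added example (not from the original notes), a small Python simulator of the evaluation rules in the IAM bullets above: no permissions by default, an effect of Allow or Deny per statement, and an explicit Deny overriding any Allow. The policy documents and bucket names are constructed for illustration; fnmatch stands in for IAM's wildcard matching.

```python
# Added example: simulate IAM's default-deny / explicit-deny evaluation.
# Policies below are constructed for illustration only.
from fnmatch import fnmatchcase

# Shape of the managed AdministratorAccess policy: allow everything.
ADMINISTRATOR_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed policy: read-only S3, but an explicit Deny on one bucket.
S3_READ_EXCEPT_SECRETS = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:*",
         "Resource": "arn:aws:s3:::secrets-bucket/*"},
    ],
}


def _as_list(value):
    # Action and Resource may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def _matches(statement, action, resource):
    # Action names are matched case-insensitively; resources as written.
    action_ok = any(fnmatchcase(action.lower(), pattern.lower())
                    for pattern in _as_list(statement["Action"]))
    resource_ok = any(fnmatchcase(resource, pattern)
                      for pattern in _as_list(statement["Resource"]))
    return action_ok and resource_ok


def evaluate(policies, action, resource):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"  # a new user with no policies can do nothing
    for policy in policies:
        for statement in policy["Statement"]:
            if not _matches(statement, action, resource):
                continue
            if statement["Effect"] == "Deny":
                return "Deny"  # an explicit deny always wins
            decision = "Allow"
    return decision
```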
S3
- object based storage
- region based
- spread across multiple devices and facilities
- 1 byte to 5 TB per object
- unlimited storage
- files are stored in buckets
- read after write consistency for PUTs of new objects
- overwrite PUTs and DELETEs of existing objects are eventually consistent and can take some time to propagate
- key value store
- version ID
- access control lists
- availability is 99.99% and durability is 99.999999999% (eleven 9s)
- tiered storage available
- lifecycle management
- encryption at rest is available and can be enforced
- storage classes: S3 Standard, S3 Infrequent Access, Reduced Redundancy (tolerates the loss of a single facility), Glacier
- charged for storage, requests and data transfer
- objects are private by default; "make public" in the console is the quick way to change that
- once versioning is on you cannot turn it off, only suspend it; delete the bucket to get rid of it
- delete the delete marker to bring back a deleted versioned file
- each version takes up to double the space, and costs double too
- cross region replication creates a copy in another region; only future objects are replicated by default; requires versioning enabled on the source bucket
- 100 S3 buckets per account by default
- S3 lifecycle
- a minimum of 30 days is required before moving to infrequently accessed; 128 KB is the minimum object size
- works with versioning
- can move to Glacier the day after moving to infrequently accessed storage
- S3 encryption
- in transit: SSL/TLS
- at rest, server side: S3 managed keys (SSE-S3); AWS Key Management Service (SSE-KMS); customer-provided keys (SSE-C)
- client side encryption
- S3 transfer acceleration
- uploads go to the nearest CloudFront edge location first
CloudFront
- an edge location is where content will be cached
- separate from a region
- web or RTMP distributions
- multiple origins
- signed URLs or signed cookies restrict access to a CloudFront distribution
- distribution is the name given to the CDN configuration
- default cache TTL is 24 hours but can be configured
- charges apply for cache clearance (invalidation)
Storage Gateway
- gateway stored volumes
- entire data set on site and asynchronously backed up to S3
- gateway cached volumes
- entire data set is stored on S3, and the most frequently accessed data is cached on site
- gateway virtual tape library
- used for backup, with popular backup apps like NetBackup, Backup Exec, Veeam etc.
- Import/Export Disk
- buy a disk, load data and send it to AWS; AWS sends the disk back
- for 600 GB or more over a 10 Mbps connection
- import to EBS, S3 or Glacier
- export from S3 only
Snowball
- petabyte scale disk transfer
- 50 TB per Snowball; 256-bit encryption; Trusted Platform Module; USA only; S3 only; can be rented from Amazon only
- import and export only on S3
- prefer Snowball over Import/Export Disk
EC2
- resizable compute capacity in the cloud
- scale capacity both up and down
- On demand
- fixed rate by the hour
- short term, spiky or unpredictable workloads, e.g. Black Friday sales
- Reserved
- 1 or 3 years, significant discount
- predictable usage; users can make upfront payments to reduce their total computing costs
- cannot move from region to region
- Spot
- bid a price on capacity by the hour; AWS can give an hour's notice and terminate the instance; used for large compute requirements, e.g. by pharma, when prices are cheaper
- a partial hour is not charged if AWS terminates the instance, but it is charged if you terminate it yourself
- user data at provisioning time runs as a bash script
- you cannot assign a role after the instance is created
- roles are considered more secure because you don't need to store credentials on the instance
- roles are easier to manage; you can update the permissions in a role later
- roles are universal, available in all regions
- underlying hypervisor for ec2 is Xen
- instance metadata is available from curl http://169.254.169.254/latest/meta-data
- Placement group
- for grid computing, Cassandra, Hadoop: low network latency, high throughput 10 Gb network
- only one AZ; cannot span multiple
- name must be unique
- only certain instance types: c, g, r, i
- AWS recommends using the same instance family
- cannot merge placement groups or move an existing placement group; use an AMI to launch into another one
EBS
- It's block storage, duh.
- automatically replicated to protect against failure
- General Purpose SSD (GP2)
- 99.99% availability; 3 IOPS per GB up to 10k IOPS, with bursts of 30k available
- Provisioned IOPS SSD (IO1)
- for more than 10k IOPS
- cheap infrequently accessed storage
- cannot mount an EBS volume to more than 1 instance
- the root device volume is not encrypted by default; to encrypt it use a 3rd party tool like BitLocker
- for an EBS backed instance, the default action is for the root EBS volume to be deleted when the instance is terminated
- typically RAID 0 or 10 is ideal
- to take a snapshot of a RAID array:
- freeze the file system
- unmount the RAID array
- or, easiest of all, shut down the EC2 instance
- Volume vs Snapshot
- snapshots are stored on S3
- volumes live on EBS
- a snapshot of an encrypted volume is automatically encrypted
- to snapshot the root volume the instance must be stopped
- can't share encrypted snapshots
Security groups
- security group rule changes take effect immediately
- you can only add allow rules; everything is denied by default
- all inbound traffic is blocked and all outbound traffic is allowed by default
- security groups are stateful: if you allow an inbound rule, the response traffic is allowed outbound too
AMI
- AMIs are regional but can be copied to another region
- a template for the root volume of the instance
- launch permissions that control which AWS accounts can use the AMI to launch instances
- a block device mapping that specifies the volumes to attach to the instance when it's launched
- an instance store backed EC2 instance cannot be stopped, only terminated or rebooted
- instance storage is less durable: a host failure means you lose the instance
- rebooting an instance store instance does not lose data
- on termination the instance store volume is deleted by default and you cannot change that
- cannot delete a snapshot of an EBS volume that is used as the root device of a registered AMI
ELB
- default connection draining is 300 sec
- cross-zone load balancing is enabled by default
- never gives a static IP, only a DNS name
CloudWatch
- monitors resources and applications
- default basic monitoring is every 5 mins
- dashboards, alarms, events and logs
- detailed monitoring is $3 per instance and runs every 1 min
- memory is missing; CPU, disk, network and status checks are available for EC2
- S3 bucket size (bytes)
- you can create events to trigger actions based on metrics
- logs: HTTP response codes in Apache logs, alarms for errors in kernel logs
- alarms can be configured
CloudTrail
- user activity and API usage
- mostly for auditing
Launch config and auto scaling
- create a launch configuration before setting up auto scaling
- health check grace period defaults to 300 sec: the time to wait before the first health check once an instance is provisioned
- specify policies to increase and decrease the group size
- deleting an auto scaling group will terminate all associated instances
EFS
- elastic file system
- grows and shrinks automatically as files are added or removed
- can be shared across instances
- NFSv4 network file system
- only pay for what you use
- 1000s of concurrent NFS connections
- EFS is block based
- read after write consistency
VPC
- 5 VPCs are allowed by default in each region
- only 1 internet gateway can be attached to a custom VPC
- network ACLs are an additional layer of security at the subnet level
SQS
- by default EC2 instances pull SQS messages from the queue on a LIFO basis
SNS
- you create a topic, and an ARN is created for it
RDS
- you can force a failover on an instance that has Multi-AZ configured
- max backup retention period: 35 days
- available for Multi-AZ deployments
- changes to the backup window take effect immediately
- does not currently support increasing the storage of a SQL Server DB
- max size for an MS SQL DB is 10 GB
- There are two different limits: that of the DB (10 GB), and that of the DB instance server storage (300 GB). A DB server instance could quite easily host several DBs, or a DB and support files such as logs, dumps and flat file backups.
- automatic backups are enabled by default on a new DB instance
- when using a custom VPC and placing an EC2 instance into a public subnet, you still need to assign an Elastic IP or an ELB to the instance for it to be internet accessible
- Aurora stores 6 copies of data by default
- the AWS platform consists of 15 regions and 40 AZs
- MySQL default port is 3306
- QSA accreditation is still required for deploying an app that accepts credit cards
- Amazon Redshift uses a 1 MB columnar storage block size
- AWS premium support tiers: basic, developer, business, enterprise