Skip to content

Instantly share code, notes, and snippets.

@AdrianBinDC

AdrianBinDC/ACGNotes.md

Created January 31, 2021 21:27
Show Gist options
  • Save AdrianBinDC/6524cc68583e3dbfbd2abe6fd9c33e39 to your computer and use it in GitHub Desktop.
Save AdrianBinDC/6524cc68583e3dbfbd2abe6fd9c33e39 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
ACGNotes.md

Review

S3 and IAM Summary

  • IAM consists of the following

    • Users
    • Groups
    • Roles
    • Policies
      • Policies are in a JSON file

  • IAM is universal

  • Root account has complete administrator access

  • New Users have no permissions when first created

    • Least Privilege

  • New users are assigned Access Key ID and Secret Access Keys when first created

    • These are not the same as a password
    • You cannot use the Access Key ID and Secret Access Key to login to the console
      • You CAN use this to access AWS via APIs and Command Line, however
    • you only get to view these onece. If you lose them, you need to regenerate them, so save them in a secure location.

  • Always setup MFA and password rotation policies

S3 Exam Tips

  • S3 is Object based
  • Files can be from 0b to 5TB
  • There is unlimited storage
  • Files are stored in buckets
  • S3 is a universal namespace
    • Names must be unique globally
  • https://s3-[region_name].amazonaws.com/[bucket_name]
  • Not suitable for operating system or database
  • Successful uploads receive HTTP200 status code
  • Access control to buckets are determined by
    • Bucket policies
    • Access Control Lists (down to file level)
  • S3 buckets can be configured to create access logs which log all requests made to the S3 bucket. This can be sent to another bucket or even another bucket in another account.

S3 Key Fundamentals

  • key = name of the object
  • value = the data
  • version id
  • metadata
  • subresources
    • ACLs
    • Torrents
  • read after write consistency of new PUTS
  • eventual consistency for overwrite PUTS and DELETES

Classes of Storage

  • S3 Standard
  • S3 IA
  • S3 One Zone - IA
  • S3 Intelligent Tiering
  • S3 Glacier
    • 3-5 hours
    • can be expedited
  • S3 Glacier Deep Archive
    • 12 hour retrieval time

S3 Encryption

  • Encryption IN transit achieved by SSL/TLS
  • Encryption AT REST
    • SSE-S3
      • Amazon provided
    • SSE-KMS
      • Keys provided by KMS Service
    • SSE-C
      • Customer managed keys
    • Client side encryption

AWS Organizations

  • Enable MFA on root account
  • Use strong and complex accounts on root account
  • Paying account should be used for billing only
  • Do not deploy resources into the paying account
  • Enable/Disable AWS services using SCPs on OU (organizational unit) or individual accounts

Three different ways to share S3 buckets across accounts

  • Bucket policies and IAM (entire bucket)
    • Programmatic only
  • Using ACLs and IAM (individual objects)
    • Programmatic only
  • Cross account IAM roles
    • Progammatic and Console access

Cross Region Replication

  • replicate objects across regions or within region
  • versioning needs to be enabled on both sides
  • files in existing bucket are not replicated automatically
    • subsequent
  • delete mamrkers are not replicated
  • deleting individual versions or delete markers will not be replicated

Lifecycle Policies

  • automates moving objects between storage tiers
  • can be used in conjunction with versioning
  • can be used with current as well as previous versions

S3 Transfer Acceleration

  • files transit AWS backbone network
    • impmrove speed and performance

CloudFront

  • edge location
    • location where content is cached
  • origin can be
    • S3 bucket
    • EC2 instance
    • ELB
    • Route 53
  • distribution
    • this is the name given the CDN which consists of a collection of Edge Locations
  • web distribution
    • typically used for websites
  • RTMP
    • used for media
  • Edge locations are not just read only
  • objects are cached for the TTL
  • clear cached objects costs money

Snowball

  • Snowball can import or export from S3

Storage Gateway

Two types:

  • File Gateway
    • Flat files stored directly on S3
  • Volume Gateway
    • Stored volumes: Entire dataset stored on site and is asynchronmously backed up to S3
    • Cached volumes: Entire dataset is stored on S3 and the most frequently accessed data is cached on site
  • Gateway Virtual Tape Library
    • Used for backup and uses popular backup applications like NetBackup, Backup Exec, Veeam, etc.

Athena

  • Interactive query service
  • Allows you to q uery data located in S3 using standard SQL
  • Serverless
  • Commonly used to analyze log data stored in S3

Macie

  • Macie uses AI to analyze data in S3 and helps identify PII
  • Can also be used to analyze CloudTrail logs for suspicious API a ctivity
  • Includes Dashboards, Reports, and Alerting
  • Great for PCI-DSS compliance and preventing ID theft

READ THE S3 FAQ

EC2 Summary

  • A resizable compute capacity in the cloud
  • Reduces time required to obtain and boot a new servcer instance to minutes, allowing you to quickly scale capacity, both up and down, as your computing requirements change

Pricing Models

  1. On Demand: pay a fixed rate by the hour or second with no commitment.
  2. Reserved: provides you with a capacity reserveation and offers a significant discount on the hourly charge for an instance. Contract terms are 1 or 3 years.
  3. Spot: Enables you to bid whatever price you want for instance apacity, providing even greater savings if your applications have flexible start and end times.
  4. Dedicated Hosts: Physical EC2 server dedicated for your use. Can help you reduce costs by allowing you to use your existing server-bound software licenses.

Spot Intances

  • if instance terminated by AWS, you're not charged

Instance Types

  • F - FPGA
  • I - IOPS
  • G - Graphics
  • H - High Disk Throughput
  • T - Cheap general purpose (T2 micro)
  • D - Density
  • R - RAM
  • M - Main choice for general purpose apps
  • C - Compute
  • P - Graphics (p for pictures)
  • X - Extreme Memory
  • Z - Extreme memory and CPU
  • A - Arm-based workloads
  • U - Bare Metal

EBS

  • virtual hard disk in the cloud
  • termination protection is turned off by default
  • on an EBS-backed instance, the d efault action is for the root EBS volume to be deleted
    • additionally attached volumes ARE NOT deleted automatically
  • EBS Root Volumes of your DEFAULT AMIs can be encrypted
    • You can use third party tool to encrypt the root voume or this can be done when creating AMIs in the AWS console or using the API

Security Groups

  • all inbound traffice is blocked by default
  • all outbound traffic is allowed
  • changes to security groups take effect immediately
  • you can have any number of EC2 instances within a security group
  • you can have multiple security groups attached to EC2 instances
  • SECURITY GROUPS ARE STATEFUL
    • when you open up a port, it will be for inbound and outbound
    • cannot block specific IPs with security groups
  • NACLs are STATELESS
    • Need to open up inbound and outbound
    • Block specific IP addresses using NACLs
  • You can only specify allow rules with security groups

EBS Snapshots

  • volumes exist on EBS
  • SNAPSHOTS exist on S3 and can be though of as photographs of the disk
  • snapshots are point in time copies of volumes
  • snapshots are incremental
    • only blocks that have changed since your last snapshot are moved to S3
  • to create a root snapshot, stop the instance ideally, but can do it while it's running
  • AMIs can be created from both volumes and snapshots
  • you can change EBS volume size on the fly including size and storage type
  • volumes will ALWAYS be in the same AZ as the EC2 instance

Migrating EBS

One AZ to Another

  1. take a snapshot
  2. create an AMI from the snapshot
  3. use the AMI to launch the EC2 instance in a new AZ

One Region to Another

  1. take a snapshot
  2. create an AMI from the snapshot
  3. copy AMI from one region to another
  4. use copied AMI to launch the EC2 instance in a new AZ

EBS Encryption

  • snapshots of encrypted volumes are encrypted automatically
  • volumes restored from encrypted snapshots are encrypted automatically
  • you can share snapshots, but only if they are unencrypted
  • these snapshots can be shared with other AWS accounts or made public

Root Device Volume Encryption

  • root device volumes can be encryted

Enrypting Rooot Device Volumes

  1. Create a snapshot of the unencrypted root device volume
  2. Create a copy of the snapshot and select encryption option
  3. Create an AMI from the encrypted snapshot
  4. Use the AMI to launch

EBS vs. Instance Store

  • instance stroe volumes are sometimes called ephemeral storage
  • instance volumes cannot be stopped
    • If the underlying host fails, you will lose your data
  • EBS backed intances can be stopped and you will not lose your data if you have disabled automatic deletion.
    • default setting is to delete root, so you must disable
  • If you reboot EBS or Instance, you will not lose data

Enhanced Networking

Three types of networking

  1. ENI: For basic networking.
  2. Enhanced Nentwork: When you need speeds between 10GB/S and 100GB/S
  3. Elastic Fabric Adapter: When you need HPC or machine learning applications OR if you need to do an OS-bypass.

CloudWatch

  • monitor performance
  • can monitor most of AWS as well as your applications that run on AWS
  • 5 min increments by default
  • 1 min increments for detailed monitoring
  • create CloudWatch alarms which trigger notifications
  • CloudWatch is all about performance. CloudTrail is about auditing

What can you do?

  • Dashboards: see what's happening
  • Alarms: notify when thresholds are hit
  • Events: respond to state changes in AWS resources
  • Logs: CloudWatch logs help you aggregate, monitor, and store logs

The CLI

  • you can interact with AWS anywhere in the world by using the CLI
  • you will need to setup accss in IAM
  • commands themselves are not on the exam, but some basic commands are useful to know for real life

Roles

  • roles are universal--you can use in any region
  • roles are more secure than storing your access key and secret access key on individual EC2 instances
  • roles are easier to manage
  • roles can be assigned to an EC2 instance after it is created using both the console and the command line

BootStrap Scripts

  • Bootstrap scripts run when an EC2 instance first boots
  • Can be a powerful way to automate software installs and updates

Instance Metadata

  • get information about an instance (such as a public IP)
    • meta data: curl http://169.254.169.254/latest/meta-data/
    • user data: curl http://169.254.169.254/latest/user-data/
      • literally just the bootstrap script, nothing else

EFS

  • supports NFSv4 protocol
  • you only pay for the storage you use
    • no pre-provisiooning required
  • scale up to petabytes
  • can support thousands of concurrent NFS connections
  • data is stored across multiple AZs within a region
  • read after write consistency

EFS Use Cases

  • EFS: when you need distributed, highly resilient storage for Linux instances and Linux-based applications.
  • Amazon FSx for Windows: When you need centralized storage for Windows-based applications such as Sharepoint, Microsoft SQL Server, Workspaces, IIS Web Server, or any other native Microsoft Application.
  • Amazon FSx for Lustre: When you need high-speed, high-capacity distributed storage. This will be for applications that do HPC, financial modeling, etc.
    • FSx for Lustre CAN STORE DATA DIRECTLY ON S3

EC2 Placement Groups

  • only certain tyupes of instances can be used in a placement groups
  • you can't merge placement groups
  • you CAN move an instance into a placement group

Types

  • clustered: low network latency/high network throughput
    • CANNOT SPAN MULTIPLE AZS
    • Use homogenous instances in clustered placement groups
  • spread: individual critical EC2 instances
    • CAN span multiple AZS
    • different AZs
    • different racks
  • partitioned:
    • CAN span multiple AZS
    • multiple EC2 instances on separate hardware from other partitions
    • HDFS, HBase, Cassandra

WAF

  • WAF can block malicious API addresses
  • NACLs can do the same

Database Summary

  • RDS (OLTP)
    • SQL
    • MySQL
    • PostgreSQL
    • Oracle
    • Oracle
    • Aurora
    • MariaDB
  • DynamoDB (No SQL)
  • Red Shift (OLAP)

Elasticache

  • Memcached
    • simple
  • Redis
    • more advanced, multiple AZs or backups

RDS

  • runs on VMs
  • you cannot login to these systems
  • patching of the RDS OS and DB is amazon's responsibility
  • RDS is NOT serverless EXCEPT AURORA

Backups

  • automated
  • database snapshots

Read Replicas

  • can be multi-AZ
  • used to increase performance
  • must have backups turned on
  • can be in different regions
  • can be MySQL, PostgreSQL, MariaDB, Oracle, Aurora
  • Can be promosted to master, but this will break the read replica

Multi-AZ

  • used for DR, not for performance
  • you can force a failover from one AZ to another by rebooting the RDS instance

Encryption

  • supported by...
    • MySQL
    • Oracle
    • SQL Server
    • PostgreSQL
    • MariaDB
    • Aurora
  • Encryption done using AWS KMS
  • Once RDS instance is encrypted, the data stored at rest in the underlying storage is encrypted

DynamoDB

  • serverless
  • stored on SSD storage
  • spread across three geographically distinct data centers
  • eventual consistent reads
    • onen second rule
  • strongly consistent reads

Redshift

  • used for business intelligence
  • available in only one AZ at present

Redshift backups

  • enabled by default with one day retention
  • 35 day max retention
  • always attempts to maintain at least three copies of your data (the original and replica on the compute nodes and a backup in S3)
  • redshift can asynchronously replicate your snapshots to S3 in another region for DR

Aurora

  • 2 copies of your data are contained in each AZ with a minimum mof 3 AZs (6 copies of your data)
  • you can share Auroora Snapshots with other AWS accounts
  • 3 types of replicas available
    • Aurora
    • MySQL
    • PostreSQL
  • Use Aurora Serverless if you want simple, cost effective option for infrequent, intermittent, or unpredictable workloads

Elasticache

  • use Elasticache to incirease database and web application performance
  • Redis is multi-AZ
  • you can do backups and restores of Redis
  • If you need to scale horizontally, use Memcached

Advanced IAM

Active Directory

  • understand conceptually
  • connect AWS with on-premises AD
  • SSO to any domain-joined EC2 instance
  • AWS Managed Microsoft AD
  • AD Trust
  • AWS vs. customer responsibility

Simple AD

  • baby brother of microsoft AD
  • does not support AD Trusts
    • can't join simple AD to on-prmises AD
    • use AD Connecntor instead
  • Cloud Directory has nothing to do with Microsoft AD, used for heirarchial data
  • Cognito user pools
  • AD vs Non-AD pools

Understand ARN

  • ARN
  • IAM policy structure
  • Effect/Action/Resource
  • Identity vs Resource policies
  • Policy evaluation logic
    • deny supercedes allow

Route 53

  • ELBs do not have pre-defined IPv4 addresses, we resolve using a DNS name
  • Understand the difference between an Alias Record and a CNAME
  • Given a choice, choose alias record over a CNAME

Common DNS Types

  • SOA records
  • NS records
  • A records
  • CNAMES
  • MX records
  • PTR records

Routing

  • simple routing
  • weighted routing
  • latency-based routing
  • failover routing
  • geolocation routing
  • geoproximity routing (traffic flow only)
  • multi-value answer routing

Health Checks

  • you can set health checks on individual record sets
  • if a record set fails a health check it will be removed from Route53 until it passes the health check
  • you can set SNS notifications to alert you if a health check is failed

Simple Routing

  • you can only have one record with multiple IP addresses
  • if you specify multiple values in a record, Route 53 returns all values to the user in a random order

Weighted Routing

  • specify a weight

Latency

  • based on delay time for response, route to shortest

Failover

  • active and passive environment

Geolocation Routing

  • route based on location

Geoproximity Routing

  • based on location of users AND resources

Multivalue Answer Policy

  • simple routing with health checks

VPCs

  • Create a VPC from memory!

Overview

  • VPC is a logical datacenter in AWS
  • consists of IGWs, Route Tables, NACLs, Subnets, and Security Groups
  • 1 subnet = 1 AZ
  • security groups = STATEFUL
    • need an explicit allow
    • anything without allow is denied
  • NACL = STATELESS
    • use to block IP addresses
  • NO TRANSITIVE PEERING

BUILDING VPC

  • You get the following when you create a VPC:
    • Route Table
    • NACL list
    • Default security group
  • You need to create...
    • subnets
    • Internet Gaeway
  • AZ's are randomized
  • 5 IP addresses are reserved within subnets
  • You can only have 1 IGW per VPC
  • Security Groups cannot span VPCs

NAT Instances

  • When creating a NAT instance, disable source/destination check on the instance
  • NAT instances must be in a public subnet
  • There must be aroute out of the private subnet to the NAT instnace in order for this to work
  • The amount of traffic that NAT instances can support depends on the instance size.
    • If you encounter bottlenecking, increase the instance size.
  • You can create high availability by using autoscaling groups, multiple subnets in different AZs, and a script to automate failover
  • Must be behind a security group

NAT Gateways

  • redundant inside the AZ
  • perferred by the enterprise
  • starts at 5GB/S and currently scales to 45GB/S
  • No need to patch
  • Not associated with security groups
  • Automatically assigned a public IP address
  • Remember to update route tables
  • No need to disable source/destination checks
  • If you have resources in multiple AZs and they share one NAT gateway, in the event that the NAT gateway's AZ is down, resources in other AZs lose internet access.
  • To create an AZ-independent architecture, create a NAT gateway in each AZ and configure you routing to ensure that resources use the NAT gateway in the same AZ

Network Access Control Lists (NACLs)

  • your VPC automatically comes with a default NACL
  • you can create custom NACLs
    • need to add explicit rules to allow ingress/regress
  • Each subnet in your VPC must be associated with a NACL
    • if you don't specify, it'll be tied to default NACL
  • IP addresses are blocked by NACL, not security group
    • You can block in front of the VPC with a WAF...otherwise, block inside with a NACL
  • NACLs are one to many relationships
    • Subnet associations with a NACL are one-to-one
  • NACL rules are numbered...lower numbers trump lower rules
    • If 100 says deny a port, 101 allowing the same port will be denied
  • NACLs need explicit inbound/outbound ports and are STATELESS
    • If you allow an inbound port, the corresponding port will not be allowed, as is the case with Security Groups
    • Security groups are STATEFUL
      • If you allow a port in a security group, the outbound port is opened, too

ELBs

  • you need 2 public subnets to deploy internet facing load balancer

VPC Flow Logs

  • you cannot enable multiple flow logs for VPCs that are peered with your VPC unless the peer VPC is in your account
  • you can tag flow logs
  • after you've created a flow log, you cannot change its configuration
    • you can't associate a different IAM role with the flow log
  • not all traffic is monitored
    • DNS traffic to AWS service not monitored
      • If you bring your own DNS, it IS monitored
    • traffic generatd by Windows Instance for Windows License activation is not monitored
    • traffic to/from 169.254.169.254/[user-data/metadata]
    • DHCP traffic
    • traffic to reserved IP for root

Bastions

  • Used by private subnets to provide internet traffic to EC2 instances on private subnets
  • Need to have SSH port 22 open to get in or RDP for Windows
  • Cannot use a NAT gateway for a bastion host, but can use NAT instance (FML)

Direct Connect

  • directly conects your data center to AWS
  • useful for high throughput workloads
  • KNOW THE STEPS TO CREATE A DIRECT CONNECT CONNECTION (AWS YOUTUBE VIDEO)
    • create virtual interface in direct connect console
    • go to VPC console and then to VPN connections to create a customer gateway
    • create a virtual private gateway
    • attach VPG to the desired VPC
    • select VPN connections and create a new VPN connection
    • select the virtual private gateway and the customer gateway

Global Accelerator

  • service that improve availability for local and global users
  • you are assigned two static IP addresses or bring your own
  • you control traffic using traffic dials in the endpoint group
  • you control weighting to individual endpoints using weights.

VPC Endpoint

  • VPC endpoint enables you to privately connect your VPC to supported AWS services and VPC endpoint services powered by PrivateLink without requiring an IGW, NAT device, VPN connection, or AWS direct connection.
  • do not require public IP addresses to communicate with the service
  • traffic does not leave AWS network
  • endpoints are virtual devices that are horizontally scaled, redundant, and highly available VPC components that allow communication between instnces in your VPC and services without imposing availability risks or bandwidth constraints on your network traffic.

Types of VPC endpoints

  • interface endpoints
    • most AWS servces
  • gateway endpoints (only 2 services)
    • S3
    • DynamoDB (no SQL database)

AWS PrivateLink

  • if you see a question re: peering VPCs to 10s, 100s, or 1,000s of customer VPCs, think PrivateLink
  • doesn't require VPC peering; no route tables, NAT, IGWs, etc.
  • requires a network load balancer on the service VPC and an ENI on the customer VPC

Transit Gateway

  • allows you to have transitive peering between thousands of VPCs and on-premise data centers
  • work on hub-and-spoke model
  • works on a regional basis, but you an have it across multiple regions
  • you can use it across multiple AWS accounts using RAM (resource action manager)
  • you can use route tables to limit how VPCs talk to one another
  • works with direct connect as well as VPN connections
  • supports IP multi-cast (only service that supports it in AWS)

VPN CloudHub

  • simplify VPN connections
  • if you have multiple sites with own VPN connections, connect with CloudHub
  • low cost-easy to manage
  • operates over public internet, but all traffic between customer gateway and AWS VPN CloudHub is encrpypted

Network Costs

  • use private IP addresses over public to save $
  • same AZ is cost free, but single points of failure emerge as a problem

Databases

RDS (OLTP)

  • SQL
  • MySQL
  • PostgreSQL
  • Oracle
  • Aurora
  • MariaDB

DynamoDB (No SQL)

Red Shift (OLTP)

Elasticache

  • Memcached
    • something simple
  • Redis
    • more advanced
    • multi-az
    • backups

RDS

  • runs on VMs
  • can't SSH into them or RDP into them
  • pating RDS is Amazon's responsibility
  • AURORA Serverless is serverless

Backups

  • Automated Backups
  • Automated Backups

Read Replicas

  • can be multi-AZ
  • used to increase performance
  • must have backups turned on
  • can be in different regions
  • can be MySQL, PostgreSQL, MariaDB, Oracle, Aurora
  • Can be promoted to master, but this will break the read replica

Multi-AZ

  • used for DR, NOT PERFO RMANCE
  • force a failure by rebooting RDS

Encryption

  • Encryption at rest supported by...
    • MySQL
    • Oracle
    • SQL Server
    • PostgreSQL
    • MariaDB
    • Aurora
  • Encryption done using AWS KMS
    • Once encrypted, the data stored at rest in the underlying storage is encrypted, as are its automated backups, read replicas, and snapshots

DynamoDB

  • stored on SSD
  • spread across 3 geographically distinct data centers
  • eventual consistency is default (1 second rule)
  • can be updated to strongly consistent

Redshift

  • used for business intelligence
  • only one AZ
  • enabled by default with 1 day retention
  • can be upt o 35 days
  • Redshift always attempts to maintain at least 3 copies of yoru data (the original and replica on the compute nodes and a backup in Amazon S3)
  • Redshift can also asynchronously replicate your snapshots to S3 in another region for disaster recovery.

Aurora

  • 2 copies in each AZ with a minimum of 3 AZs
  • can share snapshots with other AWS
  • 3 types of replicas available
    • Aurora Replicas
      • AUTOMATED FAILOVER ONLY WITH AURORA REPLICAS
    • MySQL Replicas
    • PostgreSQL replicas
  • Aurora has automated backups turned on by default. You can also take snapshots with Aurora. You can share these snapshots with other AWS accounts
  • Use Aurora Serverless if you want a simple, cost-effective option for infrequent, intermitten, or unpredicatable workloads

Elasticache

  • use to increase database and web application performance
  • Redis is multi-AZ
  • You can do backups and restores of Redis
  • If you need to scale horizontally, use Memcached

HA Architecture

Load Balancers

Know the use cases for these

  • ALB: layer 7
  • NLB: layer 4
  • CLB: layer 4 + 7

Exam Tips

  • 504 means gateway timed out
  • If you need the IPv4 address of your end user, look for the X-Forwarded-For header
  • Instances monitored by ELBs are reported as InService or OutOfService
  • Health checks check the instance health by talking to it
  • Load balancers have their own DNS name
  • READ THE ELB FAQ
    • expect 10 questions

Advanced Load Balancer Theory

  • sticky sessions enable your users to stick to the same EC2 instsnce
    • can be useful if you are storing information locally to that instance
  • cross zone load balancing enables yout o load balance across multiple AZs
  • path patterns allow you to direct traffic to different EC2 instances based on the URL contained within the request

CloudFormation

  • a way of completely scripting your cloud environment
  • QuickStart is a bunch of Cloud Formation templates already built by AWS Solutions Architects allowing you to create complex environments very quickly

ElasticBeanstalk

  • quickly deploy and manage applications in the AWS cloud without worrying about infrastructure that runs those applications
  • you simply upload your application and ElasticBeanstalk automatically handles the details of capacity provisioning, load balancing, scaling, and application health monitoring

Bastions in Action

  • can't use ALB for bastion b/c it's layer 7 and you need layer 4

On Premises AWS services

  • DMS
  • SMS
  • AWS Applicaiton discovery Service
  • VM Import/Export
  • Download Amazon Linux 2 as an ISO

Applications Summary

SQS

  • a way to decouple infrastructure
  • pull based
  • 256kb in size, bigger stored in S3
  • 1 min to 14 day storage
  • default retention is 4 days
  • standard SQS order not guaranteed, messages delivered more than once
  • FIFO order is guaranteed, delivered only once
  • visibility timeout is the amount of time the message is invisible in the SQS queue after a reader picks up the message
    • if job is done before visibility timeout expires, message deleted from the queue
    • if not processed within that time, the message will become visible again and another reader will process it, resuling in message being delivered twice
    • max timeout is 12 hours
  • long polling
    • a way to retrieve messages from your Amazon SQS Queues, doesn't return a response until a message arrives in the message queue or the long poll times out

SWF vs. SQS

  • SWF workflows can lasdt up to 1 year
  • represents a task-oriented API while SQS is a message-oriented API
  • ensures a task is assigned only once and not duplicated
  • keeps track of all tasks and events in an application

SWF ACtors

  • workflow starters: initiator
  • deciders: control flow
  • activity workers: carry out activity tasks

SNS Benefits

  • push based
  • instantaneous
  • flexible message delivery over multiple transport protocols
  • inexpensive
  • Web-based AWS management console offers the simplicty of a point and click interface

Elastic Transcoder

  • media transcoder in the cloud, convert to different formats

API Gateway

  • remember what it is at a high level
  • has caching capabilities
  • low cost and scales automatically
  • you can throttle
  • you can log to cloudwatch
  • you can use CORS across multiple domains
  • CORS enforfced by client

Kinesis

  • streams has data persistence
    • anything with shards, want streams
  • firehose does not have data persistence
    • lambda function that stores separately, but you've gotta add your own in

Cognito

  • web identity federation
  • user authenticates first with Web ID Provider and receives an authentication token
  • user pool is user based
    • user registration, authentication, and account recover
  • identity pools authorize access to AWS resources

WAF

  • monitor HTTP requests to CloudFront, ALB, or API Gateway
  • control access to content
  • configure filtering rules
    • IP addresses
    • query string parameters
  • blocked traffic by WAF kicks back 403
  • three behaviors
    • allow all except ones you block
    • block all except ones you block
    • count requests that match properties you specify

Serverless

  • AWS X-ray allows you to debug what's happening
  • Lambda can do things globally, can use to backup S3 buckets into other S3 buckets
  • Know your triggers
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment