Skip to main content

AWS SAA Extended Notes


Ryan Kroonenburg course in Udemy

Jon Bonso practice exams in Udemy - AWS Certified Solutions Architect Associate Practice Exams

AWS Well-Architected Framework

Jayendra's Blog

Exam Content Outline
 Domain  % of Examination
 Domain 1: Design Resilient Architectures  30% 
 Domain 2: Design High-Performing Architectures  28%
 Domain 3: Design Secure Applications and Architectures  24%
 Domain 4: Design Cost-Optimized Architectures  18%
 TOTAL  100%

Domain 1: Design Resilient Architectures
1.Design a multi-tier architecture solution
2.Design highly available and/or fault-tolerant architectures
3.Design decoupling mechanisms using AWS services
4.Choose appropriate resilient storage

Domain 2: Design High-Performing Architectures
1.Identify elastic and scalable compute solutions for a workload
2.Select high-performing and scalable storage solutions for a workload
3.Select high-performing networking solutions for a workload
4.Choose high-performing database solutions for a workload

Domain 3: Design Secure Applications and Architectures
1.Design secure access to AWS resources
2.Design secure application tiers
3.Select appropriate data security options

Domain 4: Design Cost-Optimized Architectures
1.Identify cost-effective storage solutions
2.Identify cost-effective compute and database services
3.Design cost-optimized network architectures

 Category  Service
 Storage  S3
Storage Gateway
 Compute EC2
Elastic Load Balancing
Elastic Beanstalk
 Networking Route 53
Direct Connect
Snowball / Snowmobile
 Database RDS
 Application Management CloudWatch
 Security and Identity IAM
Directory Service
Disaster Recovery
 Application Integration SNS
API Gateway


Amazon Athena is an interactive query service that makes it easy to analyse data in Amazon S3, using standard SQL commands. It will work with a number of data formats including "JSON", "Apache Parquet", "Apache ORC" amongst others, but "XML" is not a format that is supported.

AWS Certificate Manager is used to generate SSL certificates to encrypt traffic in transit but not at rest

API Gateway with STS is used for issuing tokens while using API Gateway for traffic in transit 


AWS does not copy launch permissions, user-defined tags, or Amazon S3 bucket permissions from the source AMI to the new AMI.
Launch permissions, S3 bucket permissions, and user-defined tags must be copied manually to an instance based on an AMI. User data is part of the AMI, itself, and does not need to be copied manually.

AMIs are categorized as either backed by Amazon EBS or backed by instance store. 
Amazon EBS means that the root device for an instance launched from the AMI is an Amazon EBS volume created from an Amazon EBS snapshot. 
The instance store means that the root device for an instance launched from the AMI is an instance store volume created from a template stored in Amazon S3. Data on instance store volumes persist only during the life of the instance which means that if the instance is terminated, the data will be automatically deleted.

API Gateway

Amazon API Gateway is a fully managed service that makes it easy for developers to create, publish, maintain, monitor, and secure APIs at any scale. With a few clicks in the AWS Management Console, you can create an API that acts as a “front door” for applications to access data, business logic, or functionality from your back-end services, such as workloads running on Amazon Elastic Compute Cloud (Amazon EC2), code running on AWS Lambda, or any web application. Since it can use AWS Lambda, you can run your APIs without servers.
Amazon API Gateway handles all the tasks involved in accepting and processing up to hundreds of thousands of concurrent API calls, including traffic management, authorization and access control, monitoring, and API version management. Amazon API Gateway has no minimum fees or startup costs. You pay only for the API calls you receive and the amount of data transferred out. Enables you to build RESTful APIs and WebSocket APIs that are optimized for serverless workloads

All of the APIs created with Amazon API Gateway expose HTTPS endpoints only.

API Gateway supports X-Ray tracing for all API Gateway REST API endpoint types: Regional, edge-optimized, and private.

Auto Scaling

Scaling Options
a. maintain the current instance levels at all times
b. scale manually
c. scale based on a schedule
d. scale based on demand
e. use predictive scaling

1. Create Launch Configuration (IAM Role, Storage, Security Group, Key Pair)
2. Creating ASG using the above Launch Configuration (Group name, Launch Configuration, Group Size, Network, Subet, LB with Healthchecks, Use Scaling Policies)

The default termination policy is designed to help ensure that your network architecture spans Availability Zones evenly. With the default termination policy, the behavior of the Auto Scaling group is as follows:
1. If there are instances in multiple Availability Zones, choose the Availability Zone with the most instances and at least one instance that is not protected from scale in. If there is more than one Availability Zone with this number of instances, choose the Availability Zone with the instances that use the oldest launch configuration.
2. Determine which unprotected instances in the selected Availability Zone use the oldest launch configuration. If there is one such instance, terminate it.
3. If there are multiple instances to terminate based on the above criteria, determine which unprotected instances are closest to the next billing hour. (This helps you maximize the use of your EC2 instances and manage your Amazon EC2 usage costs.) If there is one such instance, terminate it.
4. If there is more than one unprotected instance closest to the next billing hour, choose one of these instances at random.

In Auto Scaling, the following is about the cooldown period:
- It ensures that the Auto Scaling group does not launch or terminate additional EC2 instances before the previous scaling activity takes effect.
- Its default value is 300 seconds.
- It is a configurable setting for your Auto Scaling group.

A launch configuration is a template that an Auto Scaling group uses to launch EC2 instances. When you create a launch configuration, you specify information for the instances such as the ID of the Amazon Machine Image (AMI), the instance type, a key pair, one or more security groups, and a block device mapping. You can specify your launch configuration with multiple Auto Scaling groups. However, you can only specify one launch configuration for an Auto Scaling group at a time, and you can't modify a launch configuration after you've created it. Therefore, if you want to change the launch configuration for an Auto Scaling group, you must create a launch configuration and then update your Auto Scaling group with the new launch configuration.

Bastion Host

Bastion host allows you to securely administer (via SSH or RDP) an EC2 instance located in a private subnet. Don't confuse Bastions and NATs, which allow outside traffic to reach an instance in a private subnet. It should be in a public subnet with either a public or Elastic IP address with sufficient RDP or SSH access defined in the security group. Users log on to the bastion host via SSH or RDP and then use that session to manage other hosts in the private subnets.
You cannot use a NAT gateway as a Bastion Host
Windows bastion - RDP access. Linux-based systems - SSH

AWS Elastic Beanstalk

Elastic Beanstalk supports the deployment of web applications from Docker containers. With Docker containers, you can define your own runtime environment. You can choose your own platform, programming language, and any application dependencies (such as package managers or tools), that aren't supported by other platforms. Docker containers are self-contained and include all the configuration information and software your web application requires to run.

By using Docker with Elastic Beanstalk, you have an infrastructure that automatically handles the details of capacity provisioning, load balancing, scaling, and application health monitoring. You can manage your web application in an environment that supports the range of services that are integrated with Elastic Beanstalk, including but not limited to VPC, RDS, and IAM.

AWS Cognito

Amazon Cognito delivers temporary, limited-privilege credentials to your application so that your users can access AWS resources. Amazon Cognito identity pools support both authenticated and unauthenticated identities. You can retrieve a unique Amazon Cognito identifier (identity ID) for your end user immediately if you're allowing unauthenticated users or after you've set the login tokens in the credentials provider if you're authenticating users.

Amazon Cognito service is primarily used for user authentication and not for providing access to your AWS resources. A JSON Web Token (JWT) is meant to be used for user authentication and session management is returned on successful authentication

The two main components of Amazon Cognito are user pools and identity pools. User pools are user directories that provide sign-up and sign-in options for your app users, handles things like user registration, authentication and account recovery. Identity pools enable you to grant your users access to other AWS services. You can use identity pools and user pools separately or together.

Eg.The goal is to authenticate your user, and then grant your user access to another AWS service.

In the first step your app user signs in through a user pool and receives user pool tokens after a successful authentication.
Next, your app exchanges the user pool tokens for AWS credentials through an identity pool.
Finally, your app user can then use those AWS credentials to access other AWS services such as Amazon S3 or DynamoDB.


Amazon CloudFront is a fast content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally with low latency, high transfer speeds, all within a developer-friendly environment.

CloudFront is integrated with AWS – both physical locations that are directly connected to the AWS global infrastructure, as well as other AWS services. CloudFront works seamlessly with services including AWS Shield for DDoS mitigation, Amazon S3, Elastic Load Balancing or Amazon EC2 as origins for your applications, and Lambda@Edge to run custom code closer to customers’ users and to customize the user experience. Lastly, if you use AWS origins such as Amazon S3, Amazon EC2 or Elastic Load Balancing, you don’t pay for any data transferred between these services and CloudFront.

Distrubution Types
- Web

Use signed URLs for the following cases:
- You want to use an RTMP distribution. Signed cookies aren't supported for RTMP distributions.
- You want to restrict access to individual files, for example, an installation download for your application.
- Your users are using a client (for example, a custom HTTP client) that doesn't support cookies.
Use signed cookies for the following cases:
- You want to provide access to multiple restricted files, for example, all of the files for a video in HLS format or all of the files in the subscribers' area of a website.
- You don't want to change your current URLs.

Perfect Forward Secrecy is used to offer SSL/TLS cipher suites.

The Cache-Control and Expires headers control how long objects stay in the cache. The Cache-Control max-age directive lets you specify how long (in seconds) you want an object to remain in the cache before CloudFront gets the object again from the origin server. The minimum expiration time CloudFront supports is 0 seconds for web distributions and 3600 seconds for RTMP distributions.

Many companies that distribute content over the Internet want to restrict access to documents, business data, media streams, or content that is intended for selected users, for example, users who have paid a fee. To securely serve this private content by using CloudFront, you can do the following:
- Require that your users access your private content by using special CloudFront signed URLs or signed cookies.
- Require that your users access your Amazon S3 content by using CloudFront URLs, not Amazon S3 URLs. Requiring CloudFront URLs isn't necessary, but it is recommended to prevent users from bypassing the restrictions that you specify in signed URLs or signed cookies. You can do this by setting up an origin access identity (OAI) for your Amazon S3 bucket. You can also configure the custom headers for a private HTTP server or an Amazon S3 bucket configured as a website endpoint.
All objects and buckets by default are private. The pre-signed URLs are useful if you want your user/customer to be able to upload a specific object to your bucket, but you don't require them to have AWS security credentials or permissions. You can generate a pre-signed URL programmatically using the AWS SDK for Java or the AWS SDK for .NET. If you are using Microsoft Visual Studio, you can also use AWS Explorer to generate a pre-signed object URL without writing any code. Anyone who receives a valid pre-signed URL can then programmatically upload an object.

You cannot integrate DynamoDB table with CloudFront as these two are incompatible.
Amazon CloudFront uses edge locations, it doesn't have the capability to route the traffic to the closest edge location via an Anycast static IP address.

You can use your own SSL certificates with Amazon CloudFront at no additional charge with Server Name Indication (SNI) Custom SSL. SNI Custom SSL relies on the SNI extension of the Transport Layer Security protocol, which allows multiple domains to serve SSL traffic over the same IP address by including the hostname viewers are trying to connect to. Amazon CloudFront delivers your content from each edge location and offers the same security as the Dedicated IP Custom SSL feature. 

Consolidated Billing

Consolidated Billing is a feature of AWS Organisations. Once enabled and configured, you will receive a bill containing the costs and charges for all of the AWS accounts within the Organisation. Although each of the individual AWS accounts are combined into a single bill, they can still be tracked individually and the cost data can be downloaded in a separate file. Using Consolidated Billing may ultimately reduce the amount you pay, as you may qualify for Volume Discounts. There is no charge for using Consolidated Billing


AWS CloudFormation is a service that helps you model and set up your Amazon Web Services resources so that you can spend less time managing those resources and more time focusing on your applications that run in AWS. It provides a common language for you to describe and provision all the infrastructure resources in your cloud environment. CloudFormation allows you to use a simple text file to model and provision, in an automated and secure manner, all the resources needed for your applications across all regions and accounts. This file serves as the single source of truth for your cloud environment. AWS CloudFormation is available at no additional charge, and you pay only for the AWS resources needed to run your applications.
- Declarative programming language for deploying AWS resources
- Uses templates and stacks to provision resources
- Create, update and delete a set of resources as a single unit.
- Enables modeling, provisioning, and version-controlling of your entire AWS infrastructure
- Allows you to model your entire infrastructure in a text file
9 valid sections allowed within a CloudFormation template. "Options" is not a template section
Parameters - For inputs from Users
Resources (required)
Outputs - an optional section that describes the values that are returned whenever you view your stack's properties.

CloudFormation is recommended if you want a tool for granular control over the provisioning and management of your own infrastructure.

JSON and YAML can be used to create CloudFormation templates.

To signal a resource, you can use the cfn-signal helper script or SignalResource API. cfn-init helper script is not suitable to be used to signal another resource.
Use the CreationPolicy attribute when you want to wait on resource configuration actions before stack creation proceeds
UpdatePolicy attribute is primarily used for updating resources and for stack update rollback operations.
UpdateReplacePolicy attribute is primarily used to retain or in some cases, back up the existing physical instance of a resource when it is replaced during a stack update operation.

AWS CloudTrail

A service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure. CloudTrail provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. This event history simplifies security analysis, resource change tracking, and troubleshooting.

CloudTrail provides visibility into user activity by recording actions taken on your account. CloudTrail records important information about each action, including who made the request, the services used, the actions performed, parameters for the actions, and the response elements returned by the AWS service. This information helps you to track changes made to your AWS resources and troubleshoot operational issues. CloudTrail makes it easier to ensure compliance with internal policies and regulatory standards.

CloudTrail event log files are encrypted using Amazon S3 server-side encryption (SSE) by default.

CloudTrail can be used for durable logging solution that will track all of the activities of all AWS resources on all regions with multi-region trail enabled, however, it will only cover the activities of the regional services (EC2, S3, RDS etc.) and not for global services such as IAM, CloudFront, AWS WAF, and Route 53. In order to satisfy the requirement, you have to add the --include-global-service-events parameter in your AWS CLI command.


Metrics like memory utilization and disk space require us to look into the OS running in the instance and that is why we do not have these valuable metrics
Metrics available :
CPU utilization
Network utilization
Disk performance
Disk Reads/Writes
Not available :
Memory utilization, disk swap utilization, disk space utilization, page file utilization, log collection - requires Custom Cloud Watch Metrics

Using the default settings metrics are sent every 5 minutes to CloudWatch. Using the detailed settings, metrics are then sent every 1 minute.

You can’t directly set CloudWatch Alarms to update the ECS task count. You have to use CloudWatch Events
You can use CloudWatch Events to run Amazon ECS tasks when certain AWS events occur

Using Amazon CloudWatch alarm actions, you can create alarms that automatically stop, terminate, reboot, or recover your EC2 instances. You can use the stop or terminate actions to help you save money when you no longer need an instance to be running. You can use the reboot and recover actions to automatically reboot those instances or recover them onto new hardware if a system impairment occurs

To collect logs from your Amazon EC2 instances and on-premises servers into CloudWatch Logs, AWS offers both a new unified CloudWatch agent, and an older CloudWatch Logs agent. It is recommended to use the unified CloudWatch agent which has the following advantages:
- You can collect both logs and advanced metrics with the installation and configuration of just one agent.
- The unified agent enables the collection of logs from servers running Windows Server.
- If you are using the agent to collect CloudWatch metrics, the unified agent also enables the collection of additional system metrics, for in-guest visibility.
- The unified agent provides better performance.

AWS CloudTrail vs Amazon CloudWatch

AWS CloudWatch is mainly concerned with “What is happening on AWS?” and logging all the events for a particular service or application. AWS CloudTrail is mainly concerned with “Who did what on AWS?” and the API calls to the service or resource. 
AWS CloudWatch is more of a real-time function that looks after your resources. While it indeed records historical logs and data, it’s value lies in the extensive integration with other AWS services and the on-going live, actionable insights it provides to keep your infrastructure healthy and secure.
AWS CloudTrail provides users with the valuable insight of who did what and when. The service is turned on as soon as you create an AWS account because finding audit trails and working backward from issue to root cause, is greatly helped when you have the timestamps and logs of the actions and their owners.
AWS CloudWatch is a monitoring service for AWS resources and applications, reporting on their health and performance. CloudTrail is a web service that records API activity in your AWS account. They are both useful monitoring tools in AWS.
By default, CloudWatch offers free basic monitoring for your resources, such as EC2 instances, EBS volumes, and RDS DB instances. CloudTrail is also enabled by default when you create your AWS account.
With CloudWatch, you can collect and track metrics, collect and monitor log files, and set alarms. CloudTrail, on the other hand, logs information on who made a request, the services used, the actions performed, parameters for the actions, and the response elements returned by the AWS service. CloudTrail Logs are then stored in an S3 bucket or a CloudWatch Logs log group that you specify.
You can enable detailed monitoring from your AWS resources to send metric data to CloudWatch more frequently, with an additional cost.
CloudTrail delivers one free copy of management event logs for each AWS region. Management events include management operations performed on resources in your AWS account, such as when a user logs in to your account. Logging data events are charged. Data events include resource operations performed on or within the resource itself, such as S3 object-level API activity or Lambda function execution activity.
CloudTrail helps you ensure compliance and regulatory standards.
CloudWatch Logs reports on application logs, while CloudTrail Logs provide you specific information on what occurred in your AWS account.
CloudWatch Events is a near real time stream of system events describing changes to your AWS resources. CloudTrail focuses more on AWS API calls made in your AWS account.
Typically, CloudTrail delivers an event within 15 minutes of the API call. CloudWatch delivers metric data in 5 minutes periods for basic monitoring and 1 minute periods for detailed monitoring. The CloudWatch Logs Agent will send log data every ve seconds by default.

Decoupled Architecture

Decoupled architecture is a type of computing architecture that enables computing components or layers to execute independently while still interfacing with each other.
Amazon Simple Queue Service (SQS) and Amazon Simple Workflow Service (SWF) are the services that you can use for creating a decoupled architecture in AWS. 
Amazon SQS offers reliable, highly-scalable hosted queues for storing messages while they travel between applications or microservices. Amazon SQS lets you move data between distributed application components and helps you decouple these components. Amazon SWF is a web service that makes it easy to coordinate work across distributed application components.

If you are building brand new applications in the cloud, then it is highly recommended that you consider Amazon SQS and Amazon SNS. Amazon SQS and SNS are lightweight, fully managed message queue and topic services that scale almost infinitely and provide simple, easy-to-use APIs. You can use Amazon SQS and SNS to decouple and scale microservices, distributed systems, and serverless applications, and improve reliability.


ECS, Elastic Beanstalk and Fargate allow containers to run natively

AWS Directory Service

AWS Directory Service provides multiple ways to use Amazon Cloud Directory and Microsoft Active Directory (AD) with other AWS services. Directories store information about users, groups, and devices, and administrators use them to manage access to information and resources. AWS Directory Service provides multiple directory choices for customers who want to use existing Microsoft AD or Lightweight Directory Access Protocol (LDAP)–aware applications in the cloud. It also offers those same choices to developers who need a directory to manage users, groups, devices, and access.

AWS Directory Service for Microsoft Active Directory, also known as AWS Managed Microsoft AD, enables your directory-aware workloads and AWS resources to use managed Active Directory in the AWS Cloud.

AWS Directory Service for Microsoft Active Directory (AWS Managed Microsoft AD) - AWS Managed Microsoft AD is your best choice if you need actual Active Directory features to support AWS applications or Windows workloads, including Amazon Relational Database Service for Microsoft SQL Server. It's also best if you want a standalone AD in the AWS Cloud that supports Office 365 or you need an LDAP directory to support your Linux applications.

AD Connector - AD Connector is your best choice when you want to use your existing on-premises directory with compatible AWS services. 

Simple AD - You can use Simple AD as a standalone directory in the cloud to support Windows workloads that need basic AD features, compatible AWS applications, or to support Linux workloads that need LDAP service. Simple AD, would be suitable if you require an inexpensive AD-compatible service for running Active Directory in AWS. Simple AD provides a subset of features found in Microsoft AD. It allows you to manage users, groups and computers but, does not allow you to define trust relationships between domains, or add domain controllers to instances. Also, you will not have features such as AD Administrative Center, AD Recycle Bin and PowerShell. You will also have limited control over password policies, the group managed service accounts and schema extensions. Again, this may be fine for small organisations, but for large organisations, Microsoft AD will probably be required.

Disaster Recovery Architectures

Pilot Light - the most cost-effective type
Backup & Restore - slow
Warm Standby - not cost effective. Warm standby is a method of redundancy in which the scaled-down secondary system runs in the background of the primary system
Multi Site - expensive


The vCPU-based On-Demand Instance limit is set per region and not per Availability Zone (20?)

To move EC2 volume from one AZ to another
- Take a snapshot
- Create an AMI from the snapshot
- Use the AMI to launch EC2 instance in a new AZ

To move EC2 volume from one Region to another
- Take a snapshot
- Create an AMI from the snapshot
- Copy the AMI from one Region to another
- Use the copied AMI to launch new EC2 instance in the new region

EBS volumes are always in the same AZ as the EC2 instance
If your applications need temporary storage, you can use an EC2 internal disk that is physically attached to the host computer. The data on instance stores persists only during the lifetime of its associated instance. However, instance store volumes are not encrypted

An instance store-backed instance can only be rebooted or terminated and its data will be erased if the EC2 instance is terminated. If you stopped an EBS-backed EC2 instance, the volume is preserved but the data in any attached Instance store volumes will be erased. In addition, its Elastic IP address is disassociated from the instance if it is an EC2-Classic instance. Otherwise, if it is an EC2-VPC instance, the Elastic IP address remains associated.

Placement groups :-
Cluster – packs instances close together inside an Availability Zone. This strategy enables workloads to achieve the low-latency network performance necessary for tightly-coupled node-to-node communication that is typical of HPC applications.
Spread – strictly places a small group of instances across distinct underlying hardware to reduce correlated failures. A spread placement group can span multiple Availability Zones in the same Region. You can have a maximum of 7 running instances per Availability Zone per group. Spread placement groups are not supported for Dedicated Instances or Dedicated Hosts
Partition – spreads your instances across logical partitions such that groups of instances in one partition do not share the underlying hardware with groups of instances in different partitions. This strategy is typically used by large distributed and replicated workloads, such as Hadoop, Cassandra, and Kafka. A partition placement group supports a maximum of seven partitions per Availability Zone. Partition placement groups are not supported for Dedicated Hosts.

Amazon EC2 Spot instances are spare compute capacity in the AWS cloud available to you at steep discounts compared to On-Demand prices. EC2 Spot enables you to optimize your costs on the AWS cloud and scale your application's throughput up to 10X for the same budget. By simply selecting Spot when launching EC2 instances, you can save up-to 90% on On-Demand prices. The only difference between On-Demand instances and Spot Instances is that Spot instances can be interrupted by EC2 with two minutes of notification when the EC2 needs the capacity back. 
You can specify whether Amazon EC2 should hibernate, stop, or terminate Spot Instances when they are interrupted. You can choose the interruption behavior that meets your needs.

Reserved Instances provide you with a significant discount (up to 75%) compared to On-Demand instance pricing. In addition, when Reserved Instances are assigned to a specific Availability Zone, they provide a capacity reservation, giving you additional confidence in your ability to launch instances when you need them.
For applications that have steady state or predictable usage, Reserved Instances can provide significant savings compared to using On-Demand instances.
Reserved Instances are recommended for:
- Applications with steady state usage
- Applications that may require reserved capacity
- Customers that can commit to using EC2 over a 1 or 3 year term to reduce their total computing costs
To stop incurring charges for the Reserved instances :-
- Go to the AWS Reserved Instance Marketplace and sell the Reserved instances.
- Terminate (not stop) the Reserved instances as soon as possible to avoid getting billed at the on-demand price when it expires.
When a Reserved Instance expires, any instances that were covered by the Reserved Instance are billed at the on-demand price which costs significantly higher. 

The valid EC2 lifecycle instance states:
pending - The instance is preparing to enter the running state. An instance enters the pending state when it launches for the first time, or when it is restarted after being in the stopped state.
running - The instance is running and ready for use.
stopping - The instance is preparing to be stopped. Take note that you will not billed if it is preparing to stop however, you will still be billed if it is just preparing to hibernate.
stopped - The instance is shut down and cannot be used. The instance can be restarted at any time.
shutting-down - The instance is preparing to be terminated.
terminated - The instance has been permanently deleted and cannot be restarted. Take note that Reserved Instances that applied to terminated instances are still billed until the end of their term according to their payment option.

Billing commences when Amazon EC2 initiates the boot sequence of an AMI instance. Billing ends when the instance terminates, which could occur through a web services command, by running "shutdown -h", or through instance failure. When you stop an instance, AWS shuts it down but don't charge hourly usage for a stopped instance or data transfer fees, but AWS does charge for the storage of any Amazon EBS volumes. There is no charge for a terminated EC2 instance that you have shut down.

Amazon EC2 Auto Scaling supports the following types of scaling policies:
Target tracking scaling - Increase or decrease the current capacity of the group based on a target value for a specific metric. This is similar to the way that your thermostat maintains the temperature of your home – you select a temperature and the thermostat does the rest.
Step scaling - Increase or decrease the current capacity of the group based on a set of scaling adjustments, known as step adjustments, that vary based on the size of the alarm breach.
Simple scaling - Increase or decrease the current capacity of the group based on a single scaling adjustment.
Amazon EC2 Auto Scaling provides you with an option to enable automatic scaling for one or more EC2 instances by attaching them to your existing Auto Scaling group. The instance that you want to attach must meet the following criteria:
- The instance is in the running state.
- The AMI used to launch the instance must still exist.
- The instance is not a member of another Auto Scaling group.
- The instance is launched into one of the Availability Zones defined in your Auto Scaling group.
- If the Auto Scaling group has an attached load balancer, the instance and the load balancer must both be in EC2-Classic or the same VPC. If the Auto Scaling group has an attached target group, the instance and the load balancer must both be in the same VPC.

Encrypted EBS Volume :-
When you create an encrypted EBS volume and attach it to a supported instance type, the following types of data are encrypted:
- Data at rest inside the volume
- All data moving between the volume and the instance
- All snapshots created from the volume
- All volumes created from those snapshots
Encryption operations occur on the servers that host EC2 instances, ensuring the security of both data-at-rest and data-in-transit between an instance and its attached EBS storage. You can encrypt both the boot and data volumes of an EC2 instance

AWS Systems Manager Run Command lets you remotely and securely manage the configuration of your managed instances. A managed instance is any Amazon EC2 instance or on-premises machine in your hybrid environment that has been configured for Systems Manager. Run Command enables you to automate common administrative tasks and perform ad hoc configuration changes at scale. You can use Run Command from the AWS console, the AWS Command Line Interface, AWS Tools for Windows PowerShell, or the AWS SDKs. Run Command is offered at no additional cost.

Instance Types :-
Storage optimized instances are designed for workloads that require high, sequential read and write access to very large data sets on local storage. They are optimized to deliver tens of thousands of low-latency, random I/O operations per second (IOPS) to applications.

Memory Optimized Instances are designed to deliver fast performance for workloads that process large data sets in memory, which is quite different from handling high read and write capacity on local storage.

Compute Optimized Instances are ideal for compute-bound applications that benefit from high-performance processors, such as batch processing workloads and media transcoding.

General Purpose Instances are the most basic type of instances. They provide a balance of compute, memory, and networking resources, and can be used for a variety of workloads. For higher read and write capacity, storage optimized instances should be selected.


Amazon ECS supports batch jobs. You can use Amazon ECS Run Task action to run one or more tasks once. The Run Task action starts the ECS task on an instance that meets the task’s requirements including CPU, memory, and ports.
Scenario :-
Set up an ECS Batch architecture for an image processing application. You can set up an AWS CloudFormation template that creates an Amazon S3 bucket, an Amazon SQS queue, an Amazon CloudWatch alarm, an ECS cluster, and an ECS task definition. Objects uploaded to the input S3 bucket trigger an event that sends object details to the SQS queue. The ECS task deploys a Docker container that reads from that queue, parses the message containing the object name and then downloads the object. Once transformed it will upload the objects to the S3 output bucket.
By using the SQS queue as the location for all object details, you can take advantage of its scalability and reliability as the queue will automatically scale based on the incoming messages and message retention can be configured. The ECS Cluster will then be able to scale services up or down based on the number of messages in the queue

There are two different charge models for Amazon Elastic Container Service (ECS): Fargate Launch Type Model and EC2 Launch Type Model.

Amazon ECS enables you to inject sensitive data into your containers by storing your sensitive data in either AWS Secrets Manager secrets or AWS Systems Manager Parameter Store parameters and then referencing them in your container definition. This feature is supported by tasks using both the EC2 and Fargate launch types.
Secrets can be exposed to a container in the following ways:
- To inject sensitive data into your containers as environment variables, use the secrets container definition parameter.
- To reference sensitive information in the log configuration of a container, use the secretOptions container definition parameter.

Amazon EFS

A fully-managed service that makes it easy to set up and scale file storage in the Amazon Cloud. With a few clicks in the AWS Management Console, you can create file systems that are accessible to Amazon EC2 instances via a file system interface (using standard operating system file I/O APIs) and supports full file system access semantics (such as strong consistency and file locking).

Amazon EFS file systems can automatically scale from gigabytes to petabytes of data without needing to provision storage. Tens, hundreds, or even thousands of Amazon EC2 instances can access an Amazon EFS file system at the same time, and Amazon EFS provides consistent performance to each Amazon EC2 instance. Amazon EFS is designed to be highly durable and highly available.

POSIX-compatible file system or if you are storing rapidly changing data.


ElastiCache is only a key-value store and cannot therefore store relational data

Elasticache is the best option for distributed session management

Using Redis AUTH command can improve data security by requiring the user to enter a password before they are granted permission to execute Redis commands on a password-protected Redis server. Authenticate the users using Redis AUTH by creating a new Redis Cluster with both the --transit-encryption-enabled and --auth-token parameters enabled.
To require that users enter a password on a password-protected Redis server, include the parameter --auth-token with the correct password when you create your replication group or cluster and on all subsequent commands to the replication group or cluster.

Elasticache for Memcached which does not offer a native encryption service, although Elasticache for Redis does


To ensure efficient use of Elastic IP addresses, we impose a small hourly charge if an Elastic IP address is not associated with a running instance, or if it is associated with a stopped instance or an unattached network interface. While your instance is running, you are not charged for one Elastic IP address associated with the instance, but you are charged for any additional Elastic IP addresses associated with the instance


An Amazon EBS volume is a durable, block-level storage device that you can attach to a single EC2 instance. You can use EBS volumes as primary storage for data that requires frequent updates, such as the system drive for an instance or storage for a database application. You can also use them for throughput-intensive applications that perform continuous disk scans. EBS volumes persist independently from the running life of an EC2 instance.
- When you create an EBS volume in an Availability Zone, it is automatically replicated within that zone to prevent data loss due to a failure of any single hardware component.
- An EBS volume can only be attached to one EC2 instance at a time.
- After you create a volume, you can attach it to any EC2 instance in the same Availability Zone
- An EBS volume is off-instance storage that can persist independently from the life of an instance. You can specify not to terminate the EBS volume when you terminate the EC2 instance during instance creation.
- EBS volumes support live configuration changes while in production which means that you can modify the volume type, volume size, and IOPS capacity without service interruptions. The AMI cannot be changed.
- Amazon EBS encryption uses 256-bit Advanced Encryption Standard algorithms (AES-256)
- EBS Volumes offer 99.999% SLA.
- EBS Snapshot is both incremental and complete
- A non-root EBS volume can be detached or attached to a new EC2 instance while the snapshot is in progress. However, you cannot do this for your root volume.

There are a number of ways you can optimise performance above that of choosing the correct EBS type. 
One of the easiest options is to drive more I/O throughput than you can provision for a single EBS volume, by striping using RAID 0. You can join multiple gp2, io1, st1, or sc1 volumes together in a RAID 0 configuration to use the available bandwidth for these instances. 
You can also choose an EC2 instance type that supports EBS optimisation. This ensures that network traffic cannot contend with traffic between your instance and your EBS volumes. 
The final option is to manage your snapshot times, and this only applies to HDD based EBS volumes. When you create a snapshot of a Throughput Optimized HDD (st1) or Cold HDD (sc1) volume, performance may drop as far as the volume's baseline value while the snapshot is in progress. This behaviour is specific to these volume types. Therefore you should ensure that scheduled snapshots are carried at times of low usage. 

HDD based volumes will always be less expensive than SSD types. The Cold (sc1) and Throughout Optimized (st1) types are HDD based and will be the lowest cost options

Dominant performance attribute of SSD is IOPS while HDD is Throughput.
SSD - small, random I/O operations. For transaction workloads
HDD - large, sequential I/O operations. Large streaming workloads
EBS General Purpose SSD (gp2) - used as system boot volumes, virtual desktops, low-latency interactive apps. Allocates 3 IOPS per GB
Provisioned IOPS SSD (io1) - highest performance SSD volume for mission-critical low-latency or high-throughput workloads
Throughput Optimized HDD (st1) - used for frequently accessed, throughput-intensive workloads
The maximum ratio of provisioned IOPS to requested volume size (in GiB) is 50:1. (50 IOPS per GB)
For example, a 100 GiB volume can be provisioned with up to 5,000 IOPS. On a supported instance type, any volume 1,280 GiB in size or greater allows provisioning up to the 64,000 IOPS maximum (50 × 1,280 GiB = 64,000).

EBS volumes can be encrypted, but they are not encrypted by default. 
You cannot create an unencrypted volume from an encrypted snapshot or encrypt an existing volume
Existing unencrypted volumes cannot be encrypted directly

Data stored on EBS is automatically replicated within an AZ

RAID 0 is a more suitable option for providing faster read and write operations, compared with RAID 1
RAID 1 is to provide disk mirroring, redundancy, and fault-tolerance. RAID 1 can mirror two volumes together. Using Disk Mirroring, which is also known as RAID 1, that replicates data to two or more disks/EBS Volumes is not an efficient and cost-optimized solution

EBS snapshots occur asynchronously which makes the option that says: The volume can be used as normal while the snapshot is in progress. This means that the point-in-time snapshot is created immediately, but the status of the snapshot is pending until the snapshot is complete (when all of the modified blocks have been transferred to Amazon S3), which can take several hours for large initial snapshots or subsequent snapshots where many blocks have changed. While it is completing, an in-progress snapshot is not affected by ongoing reads and writes to the volume hence, you can still use the volume.

Multiple Amazon EBS volume with snapshots and Multiple instance stores do not provide durable storage.

Amazon Data Lifecycle Manager (Amazon DLM) to automate the creation, retention, and deletion of snapshots taken to back up your Amazon EBS volumes. Automating snapshot management helps you to:
- Protect valuable data by enforcing a regular backup schedule.
- Retain backups as required by auditors or internal compliance.
- Reduce storage costs by deleting outdated backups.
Combined with the monitoring features of Amazon CloudWatch Events and AWS CloudTrail, Amazon DLM provides a complete backup solution for EBS volumes at no additional cost

Availability Zone names are unique per account and do not represent a specific set of physical resources
EC2 Key Pairs are region-specific.
For all new accounts, there is a soft limit of 20 EC2 instances per Region

Auto Scaling scales-in according to a hierarchy of decisions.
Amazon EC2 Auto Scaling terminates instances that use a launch configuration before instances that use a launch template, which Availability Zones have the most instances.

Proactive Cyclic Scaling allows you to scale during the desired time window.

Each instance that you launch into a VPC has a tenancy attribute. This attribute has the following values.
1.default - Your instance runs on shared hardware.
2.dedicated - Your instance runs on single-tenant hardware. - Your instance runs on a Dedicated Host, which is an isolated server with configurations that you can control.
-You cannot change the tenancy of an instance from default to dedicated or host after you've launched it.
-You cannot change the tenancy of an instance from dedicated or host to default after you've launched it.
-You can change the tenancy of an instance from dedicated to host, or from host to dedicated after you've launched it.

Transferring data from an EC2 instance to Amazon S3, Amazon Glacier, Amazon DynamoDB, Amazon SES, Amazon SQS, or Amazon SimpleDB in the same AWS Region has no cost at all.

Amazon Elastic File System (EFS) is a mountable file storage service for EC2, but has no connection to S3 which is an object storage service. 
Amazon Elastic Block Store (EBS) is a block level storage service for use with Amazon EC2 and again has no connection to S3

There are two ways of checking the status of your EC2 instances:
1. Via the Auto Scaling group
2. Via the ELB health checks

The data in an instance store persists only during the lifetime of its associated instance. If an instance reboots (intentionally or unintentionally), data in the instance store persists. However, data in the instance store is lost under any of the following circumstances:
- The underlying disk drive fails
- The instance stops
- The instance terminates

ELB (Elastic Load Balancer)

ELBs are region-specific.
You need atleast 2 subnets to create a Load Balancer
If you need flexible application management and TLS termination then we recommend that you use Application Load Balancer. 
If extreme performance and static IP is needed for your application then we recommend that you use Network Load Balancer. 
If your application is built within the EC2 Classic network then you should use Classic Load Balancer.
Application Load Balancer - Intelligent Routing (Layer 7). Support path-based routing, host-based routing and support for containerized applications. Routes traffic based on the content of the requests. Uses TLS ciphers to encrypt/decrypt data
Network Load Balancer - High Performance and Low Network Latency (Layer 4). Load Balancing of TCP packets
Classic Load Balancer - the regular LB. Costs down and no intelling routing. X-Forwarded-For to get the original IP
LB are never given a IP Address
Elastic Load Balancers distribute traffic among EC2 instances across multiple Availability Zones but not across AWS regions

Application Load Balancers (only) support Weighted Target Groups. You will be able to do weighted routing of the traffic forwarded by a rule to multiple target groups. 

Classic Load Balancer - With the API or CLI, cross-zone load balancing is disabled by default. With the AWS Management Console, the option to enable cross-zone load balancing is selected by default
Connection Draining - To ensure that a Classic Load Balancer stops sending requests to instances that are de-registering or unhealthy while keeping the existing connections open, use connection draining. This enables the load balancer to complete in-flight requests made to instances that are de-registering or unhealthy.
When you enable connection draining, you can specify a maximum time for the load balancer to keep connections alive before reporting the instance as de-registered. The maximum timeout value can be set between 1 and 3,600 seconds (the default is 300 seconds). When the maximum time limit is reached, the load balancer forcibly closes connections to the de-registering instance.

Access logging is an optional feature of Elastic Load Balancing that is disabled by default. After you enable access logging for your load balancer, Elastic Load Balancing captures the logs and stores them in the Amazon S3 bucket that you specify as compressed files. You can disable access logging at any time.

In Elastic Load Balancing, there are various security features that you can use such as Server Order Preference, Predefined Security Policy, Perfect Forward Secrecy and many others. Perfect Forward Secrecy is a feature that provides additional safeguards against the eavesdropping of encrypted data through the use of a unique random session key. This prevents the decoding of captured data, even if the secret long-term key is compromised.   
Perfect Forward Secrecy is used to offer SSL/TLS cipher suites

Amazon EMR

Amazon EMR is a managed cluster platform that simplifies running big data frameworks, such as Apache Hadoop and Apache Spark, on AWS to process and analyze vast amounts of data. By using these frameworks and related open-source projects such as Apache Hive and Apache Pig, you can process data for analytics purposes and business intelligence workloads. Additionally, you can use Amazon EMR to transform and move large amounts of data into and out of other AWS data stores and databases such as Amazon Simple Storage Service (Amazon S3) and Amazon DynamoDB.

Provides a managed Hadoop framework that makes it easy, fast, and cost-effective to process vast amounts of data across dynamically scalable Amazon EC2 instances. It securely and reliably handles a broad set of big data use cases, including log analysis, web indexing, data transformations (ETL), machine learning, financial analysis, scientific simulation, and bioinformatics. You can also run other popular distributed frameworks such as Apache Spark, HBase, Presto, and Flink in Amazon EMR, and interact with data in other AWS data stores such as Amazon S3 and Amazon DynamoDB.

Amazon EMR with Compute Optimized Instances is a web service that uses an open-source Hadoop framework to quickly & cost-effectively process vast amounts of data. It does not provide the ability to process your data in real-time, unlike Kinesis. Compute-optimized instances are ideal for compute-bound applications that benefit from high-performance processors but not for analyzing clickstream data from various websites in real-time.


Which services have encryption at rest enabled by default?
Glacier, Storage Gateway (for data stored in S3), WorkDocs


Elastic network interface (ENI) is a logical networking component in a VPC that represents a virtual network card. You can attach a network interface to an EC2 instance in the following ways:
When the instance is being launched (cold attach).
When it's running (hot attach)
When it's stopped (warm attach)
When you move a network interface from one instance to another, network traffic is redirected to the new instance. If the instance fails, you (or more likely, the code running on your behalf) can attach the network interface to a hot standby instance. Because the interface maintains its private IP addresses, Elastic IP addresses, and MAC address, network traffic begins flowing to the standby instance as soon as you attach the network interface to the replacement instance. Users experience a brief loss of connectivity between the time the instance fails and the time that the network interface is attached to the standby instance, but no changes to the VPC route table or your DNS server are required

Enhanced Networking

Enhanced networking uses single root I/O virtualization (SR-IOV) to provide high-performance networking capabilities on supported instance types. SR-IOV is a method of device virtualization that provides higher I/O performance and lower CPU utilization when compared to traditional virtualized network interfaces. Enhanced networking provides higher bandwidth, higher packet per second (PPS) performance, and consistently lower inter-instance latencies. There is no additional charge for using enhanced networking.


Elastic Fabric Adapter is just a network device that you can attach to your Amazon EC2 instance to accelerate High Performance Computing (HPC) and machine learning applications. EFA enables you to achieve the application performance of an on-premises HPC cluster, with the scalability, flexibility, and elasticity provided by AWS. The OS-bypass capabilities of EFAs are not supported on Windows instances. If you attach an EFA to a Windows instance, the instance functions as an Elastic Network Adapter, without the added EFA capabilities

AWS Fargate
A serverless compute engine for containers that works with both Amazon Elastic Container Service (ECS) and Amazon Elastic Kubernetes Service (EKS). Fargate makes it easy for you to focus on building your applications. Fargate removes the need to provision and manage servers, lets you specify and pay for resources per application, and improves security through application isolation by design.

Fargate allocates the right amount of compute, eliminating the need to choose instances and scale cluster capacity. You only pay for the resources required to run your containers, so there is no over-provisioning and paying for additional servers. Fargate runs each task or pod in its own kernel providing the tasks and pods their own isolated compute environment. This enables your application to have workload isolation and improved security by design. This is why customers such as Vanguard, Accenture, Foursquare, and Ancestry have chosen to run their mission critical applications on Fargate.

Global Accelerator

Global Accelerator improves performance for a wide range of applications over TCP or UDP by proxying packets at the edge to applications running in one or more AWS Regions. Global Accelerator is a good fit for non-HTTP use cases, such as gaming (UDP), IoT (MQTT), or Voice over IP, as well as for HTTP use cases that specifically require static IP addresses or deterministic, fast regional failover. Integrates with AWS Shield for DDoS protection

Global Accelerators are a service which you create accelerators to improve availability and performance of your application for both local and global users.
1. static ip addresses (2 of them)
2. accelerator - directs traffic to optimal endpoints over the aws global network
3. DNS name
4. Network zone services the static IP addresses for your accelerator
5. listener 
6. End Point groups - each endpoint group is associated with specific AWS region. can control the traffic using traffic dials
7. End Points are simply things like Network Load Balancers, Application Load Balancers, EC2 instances or EIP
Provides you with static anycast IP addresses that serve as a fixed entry point to your applications hosted in one or more AWS Regions

A static AnyCast IP address is primarily used for AWS Global Accelerator 


Amazon FSx provides fully managed third-party file systems.
Amazon FSx provides you with two file systems to choose from: Amazon FSx for Windows File Server for Windows-based applications and Amazon FSx for Lustre for compute-intensive workloads.
For Windows-based applications, Amazon FSx provides fully managed Windows file servers with features and performance optimized for "lift-and-shift" business-critical application workloads including home directories (user shares), media workflows, and ERP applications. It is accessible from Windows and Linux instances via the SMB protocol. If you have Linux-based applications, Amazon EFS is a cloud-native fully managed file system that provides simple, scalable, elastic file storage accessible from Linux instances via the NFS protocol. The storage service has full support for the SMB protocol and Windows NTFS, Active Directory (AD) integration, and Distributed File System (DFS)

For compute-intensive and fast processing workloads, like high-performance computing (HPC), machine learning, EDA, and media processing, Amazon FSx for Lustre, provides a file system that’s optimized for performance, with input and output stored on Amazon S3. Amazon FSx for Lustre works natively with Amazon S3, making it easy for you to process cloud data sets with high-performance file systems. When linked to an S3 bucket, an FSx for Lustre file system transparently presents S3 objects as files and allows you to write results back to S3. You can also use FSx for Lustre as a standalone high-performance file system to burst your workloads from on-premises to the cloud. By copying on-premises data to an FSx for Lustre file system, you can make that data available for fast processing by compute instances running on AWS. With Amazon FSx, you pay for only the resources you use. There are no minimum commitments, upfront hardware or software costs, or additional fees.


Universal, not region specific

When you use the AWS Management Console to create a user, you must choose to at least include a console password or access keys. By default, a brand new IAM user created using the AWS CLI or AWS API has no credentials of any kind. You must create the type of credentials for an IAM user based on the needs of your user.
Access keys are long-term credentials for an IAM user or the AWS account root user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK). Users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services.
To fill this need, you can create, modify, view, or rotate access keys (access key IDs and secret access keys) for IAM users. When you create an access key, IAM returns the access key ID and secret access key. You should save these in a secure location and give them to the user.

IAM Access Key is used for secure access to EC2 instances 
You should generate a password for each user and give these passwords to your system administrators. You should then have each user set up multi factor authentication once they have been able to log in to the console. You cannot use the secret access key and access key id to log in to the AWS console; rather, these credentials are used to call Amazon API’s.

You manage access in AWS by creating policies and attaching them to IAM identities (users, groups of users, or roles) or AWS resources. A policy is an object in AWS that, when associated with an identity or resource, defines their permissions. AWS evaluates these policies when an IAM principal (user or role) makes a request. Permissions in the policies determine whether the request is allowed or denied. Most policies are stored in AWS as JSON documents. AWS supports six types of policies: identity-based policies, resource-based policies, permissions boundaries, AWS Organizations SCPs, ACLs, and session policies.

IAM policies define permissions for an action regardless of the method that you use to perform the operation. For example, if a policy allows the GetUser action, then a user with that policy can get user information from the AWS Management Console, the AWS CLI, or the AWS API. 

When editing permissions (policies and ACLs), to whom does the concept of the "Owner" refer? - Refers to the identity and email address used to create the AWS account

KMS - import your own keys, disable and re-enable keys and define key management roles in IAM are valid. Importing keys into a custom key store and migrating keys from the default key store to a custom key store are not possible. Lastly operating as a private, native HSM is a function of CloudHSM and is not possible directly within KMS.

AWS Key Management Service (KMS) is a multi-tenant, managed service that allows you to use and manage encryption keys. Both services offer a high level of security for your cryptographic keys. AWS CloudHSM provides a dedicated, FIPS 140-2 Level 3 HSM under your exclusive control, directly in your Amazon Virtual Private Cloud (VPC).AWS KSM only uses symmetric keys, while Cloud HSM allows symmetric and asymmetric keys

SSL certificates will only be useful to encrypt data in transit, not data at rest

If you got your certificate from a third-party CA, import the certificate into AWS Certificate Manager or upload it to the IAM certificate store. 

You cannot tag individual folders within an S3 bucket. If you create an individual user for each staff member, there will be no way to keep their active directory credentials synched when they change their password. You should either create a federation proxy or identity provider and then use AWS security token service to create temporary tokens. You will then need to create the appropriate IAM role for which the users will assume when writing to the S3 bucket

You should use an IAM role to manage temporary credentials for applications that run on an EC2 instance. When you use an IAM role, you don't have to distribute long-term credentials (such as a user name and password or access keys) to an EC2 instance.

Client-side encryption is the act of encrypting data before sending it to Amazon S3. To enable client-side encryption, you have the following options:
- Use an AWS KMS-managed customer master key.
- Use a client-side master key.
When using an AWS KMS-managed customer master key to enable client-side data encryption, you provide an AWS KMS customer master key ID (CMK ID) to AWS. On the other hand, when you use client-side master key for client-side data encryption, your client-side master keys and your unencrypted data are never sent to AWS. It's important that you safely manage your encryption keys because if you lose them, you can't decrypt your data.

Instance metadata is the data about your instance that you can use to configure or manage the running instance. You can get the instance ID, public keys, public IP address and many other information from the instance metadata by firing a URL command in your instance to this URL:

You need to pass a custom script to new Amazon Linux instances created in your Auto Scaling group. Which feature allows you to accomplish this? User data

To integrate your LDAP service to IAM, you need to use SAML, STS or a custom identity broker.

IAM DB Authentication
You can authenticate to your DB instance using AWS Identity and Access Management (IAM) database authentication. IAM database authentication works with MySQL and PostgreSQL. With this authentication method, you don't need to use a password when you connect to a DB instance. Instead, you use an authentication token.
IAM database authentication provides the following benefits:
- Network traffic to and from the database is encrypted using Secure Sockets Layer (SSL).
- You can use IAM to centrally manage access to your database resources, instead of managing access individually on each DB instance.
- For applications running on Amazon EC2, you can use profile credentials specific to your EC2 instance to access your database instead of a password, for greater security

AWS supports identity federation with SAML 2.0, an open standard that many identity providers (IdPs) use. This feature enables federated single sign-on (SSO), so users can log into the AWS Management Console or call the AWS APIs without you having to create an IAM user for everyone in your organization. By using SAML, you can simplify the process of configuring federation with AWS, because you can use the IdP's service instead of writing custom identity proxy code.

Setting up SAML 2.0-Based Federation by using a Web Identity Federation is primarily used to let users sign in via a well-known external identity provider (IdP), such as Login with Amazon, Facebook, Google. It does not utilize Active Directory.

Amazon Kinesis

Amazon Kinesis makes it easy to collect, process, and analyze real-time, streaming data so you can get timely insights and react quickly to new information. Amazon Kinesis offers key capabilities to cost-effectively process streaming data at any scale, along with the flexibility to choose the tools that best suit the requirements of your application. With Amazon Kinesis, you can ingest real-time data such as video, audio, application logs, website clickstreams, and IoT telemetry data for machine learning, analytics, and other applications. Amazon Kinesis enables you to process and analyze data as it arrives and responds instantly instead of having to wait until all your data is collected before the processing can begin. It provides ordering of records, as well as the ability to read and/or replay records in the same order to multiple Amazon Kinesis Applications.

It has four distinct services under it: 
Kinesis Data Streams
Kinesis Data Firehose
Kinesis Video Streams
Kinesis Data Analytics

Amazon Kinesis Data Streams is used to collect and process large streams of data records in real time. You can use Kinesis Data Streams for rapid and continuous data intake and aggregation. The type of data used includes IT infrastructure log data, application logs, social media, market data feeds, and web clickstream data. Because the response time for the data intake and processing is in real time, the processing is typically lightweight. It provides ordering of records, as well as the ability to read and/or replay records in the same order to multiple Amazon Kinesis Applications.
Amazon Kinesis Data Streams supports resharding, which lets you adjust the number of shards in your stream to adapt to changes in the rate of data flow through the stream. Resharding is considered an advanced operation. Splitting increases the number of shards in your stream and therefore increases the data capacity of the stream. Because you are charged on a per-shard basis, splitting increases the cost of your stream. Similarly, merging reduces the number of shards in your stream and therefore decreases the data capacity—and cost—of the stream. If your data rate increases, you can also increase the number of shards allocated to your stream to maintain the application performance. You can reshard your stream using the UpdateShardCount API. The throughput of an Amazon Kinesis data stream is designed to scale without limits via increasing the number of shards within a data stream. 

Amazon Kinesis Data Firehose is the easiest way to load streaming data into data stores and analytics tools. It can capture, transform, and load streaming data into Amazon S3, Amazon Redshift, Amazon Elasticsearch Service, and Splunk, enabling near real-time analytics with existing business intelligence tools and dashboards you’re already using today.
It is a fully managed service that automatically scales to match the throughput of your data and requires no ongoing administration. It can also batch, compress, and encrypt the data before loading it, minimizing the amount of storage used at the destination and increasing security.

Amazon Kinesis Client Library (KCL) delivers all records for a given partition key to the same record processor, making it easier to build multiple applications reading from the same Amazon Kinesis data stream (for example, to perform counting, aggregation, and filtering).

It is not suitable to be used as a queue for a batch application

A Kinesis data stream stores records from 24 hours by default to a maximum of 168 hours (7 days)


Lambda does not allow SSH

Lambda billing is based on both the MB of RAM reserved and the execution duration in 100ms units.

AWS Lambda scales your functions automatically on your behalf. Every time an event notification is received for your function, AWS Lambda quickly locates free capacity within its compute fleet and runs your code. Since your code is stateless, AWS Lambda can start as many copies of your function as needed without lengthy deployment and configuration delays.

API Gateway, Elastic Load Balancer, and Kinesis Data Firehose are all valid ways to directly trigger Lambda. 
RDS cannot trigger Lambda
Here is a list of services that invoke Lambda functions synchronously:
Elastic Load Balancing (Application Load Balancer)
Amazon Cognito
Amazon Lex
Amazon Alexa
Amazon API Gateway
Amazon CloudFront (Lambda@Edge)
Amazon Kinesis Data Firehose

Here is a list of services that invoke Lambda functions asynchronously:
Amazon Simple Storage Service
Amazon Simple Notification Service
Amazon Simple Email Service
AWS CloudFormation
Amazon CloudWatch Logs
Amazon CloudWatch Events
AWS CodeCommit
AWS Config

Poll-Based Invokes :
Amazon Kinesis
Amazon SQS
Amazon DynamoDB Streams

Lambda@Edge lets you run Lambda functions to customize the content that CloudFront delivers, executing the functions in AWS locations closer to the viewer. The functions run in response to CloudFront events, without provisioning or managing servers. You can use Lambda functions to change CloudFront requests and responses at the following points:
- After CloudFront receives a request from a viewer (viewer request)
- Before CloudFront forwards the request to the origin (origin request)
- After CloudFront receives the response from the origin (origin response)
- Before CloudFront forwards the response to the viewer (viewer response)

CloudWatch logs are used to debug Lambda
AWS Lambda automatically monitors functions on your behalf, reporting metrics through Amazon CloudWatch. 
These metrics include :-
Invocations – The number of times that the function was invoked in each 5-minute period.
Duration – The average, minimum, and maximum execution times.
Error count and success rate (%) – The number of errors and the percentage of executions that completed without error.
Throttles – The number of times that execution failed due to concurrency limits.
IteratorAge – For stream event sources, the age of the last item in the batch when Lambda received it and invoked the function.
Async delivery failures – The number of errors that occurred when Lambda attempted to write to a destination or dead-letter queue.
Concurrent executions – The number of function instances that are processing events.
You can monitor metrics for Lambda and view logs by using the Lambda console, the CloudWatch console, the AWS CLI, or the CloudWatch API.

AWS Lambda compute platform deployment configuration types to specify how traffic is shifted from the original AWS Lambda function version to the new AWS Lambda function version:
Canary: Traffic is shifted in two increments. You can choose from predefined canary options that specify the percentage of traffic shifted to your updated Lambda function version in the first increment and the interval, in minutes, before the remaining traffic is shifted in the second increment.
Linear: Traffic is shifted in equal increments with an equal number of minutes between each increment. You can choose from predefined linear options that specify the percentage of traffic shifted in each increment and the number of minutes between each increment.
All-at-once: All traffic is shifted from the original Lambda function to the updated Lambda function version at once.

Sending a very small fraction of production traffic, to better reflect real user traffic. This is called canary analysis or canary testing.

Lambda Function accessing VPC resources :-
You can configure a function to connect to a virtual private cloud (VPC) in your account. Use Amazon Virtual Private Cloud (Amazon VPC) to create a private network for resources such as databases, cache instances, or internal services. Connect your function to the VPC to access private resources during execution.
AWS Lambda runs your function code securely within a VPC by default. However, to enable your Lambda function to access resources inside your private VPC, you must provide additional VPC-specific configuration information that includes VPC subnet IDs and security group IDs. AWS Lambda uses this information to set up elastic network interfaces (ENIs) that enable your function to connect securely to other resources within your private VPC.
Lambda functions cannot connect directly to a VPC with dedicated instance tenancy. To connect to resources in a dedicated VPC, peer it to a second VPC with default tenancy.
Your Lambda function automatically scales based on the number of events it processes. If your Lambda function accesses a VPC, you must make sure that your VPC has sufficient ENI capacity to support the scale requirements of your Lambda function. It is also recommended that you specify at least one subnet in each Availability Zone in your Lambda function configuration.
By specifying subnets in each of the Availability Zones, your Lambda function can run in another Availability Zone if one goes down or runs out of IP addresses. If your VPC does not have sufficient ENIs or subnet IPs, your Lambda function will not scale as requests increase, and you will see an increase in invocation errors with EC2 error types like EC2ThrottledException. For asynchronous invocation, if you see an increase in errors without corresponding CloudWatch Logs, invoke the Lambda function synchronously in the console to get the error responses.

The AWS Lambda limits the total concurrent executions across all functions within a given region to 1000.If that limit is exceeded, the function will be throttled but not terminated.
To prevent your Lambda function from running indefinitely, you specify a timeout. When the specified timeout is reached, AWS Lambda terminates execution of your Lambda function. It is recommended that you set this value based on your expected execution time. The default timeout is 3 seconds and the maximum execution duration per request in AWS Lambda is 900 seconds, which is equivalent to 15 minutes.

Amazon Macie

Tackles a different problem related to Data Loss Prevention and protects sensitive data

Amazon MQ

Amazon MQ is a managed message broker service for Apache ActiveMQ that makes it easy to set up and operate message brokers in the cloud. Connecting your current applications to Amazon MQ is easy because it uses industry-standard APIs and protocols for messaging, including JMS, NMS, AMQP, STOMP, MQTT, and WebSocket. Using standards means that in most cases, there’s no need to rewrite any messaging code when you migrate to AWS. If you're using messaging with existing applications and want to move your messaging service to the cloud quickly and easily, it is recommended that you consider Amazon MQ. 

Multi A-Z

S3, SQS & DynamoDB are already built in a fault tolerant fashion, you do not need to provision these services across multiple availability zones. 
Following services should you implement in multiple availability zones in order to achieve high availability - RDS and EC2
Amazon RDS Standby Replicas is used in Multi-AZ deployments and is not a solution to reduce read-heavy database workloads.

AWS OpsWorks

AWS orchestration service that can implement Chef recipes
AWS OpsWorks is a configuration management service that provides managed instances of Chef and Puppet. Chef and Puppet are automation platforms that allow you to use code to automate the configurations of your servers. OpsWorks lets you use Chef and Puppet to automate how servers are configured, deployed, and managed across your Amazon EC2 instances or on-premises compute environments. OpsWorks has three offerings - AWS Opsworks for Chef Automate, AWS OpsWorks for Puppet Enterprise, and AWS OpsWorks Stacks.
Primarily used for application deployment, without providing load balancing, auto-scaling, monitoring or ECS cluster management.


Amazon Redshift is a fast, scalable data warehouse that makes it simple and cost-effective to analyze all your data across your data warehouse and data lake. Redshift delivers ten times faster performance than other data warehouses by using machine learning, massively parallel query execution, and columnar storage on high-performance disk.

Amazon Redshift Spectrum is a feature of Amazon Redshift that enables you to run queries against exabytes of unstructured data in Amazon S3 with no loading or ETL required, without the need for unnecessary data movement, which enables you to analyze data across your data warehouse and data lake, together, with a single service.
You cannot create a flow log for your Amazon Redshift cluster.
When you use Amazon Redshift Enhanced VPC Routing, Amazon Redshift forces all COPY and UNLOAD traffic between your cluster and your data repositories through your Amazon VPC. By using Enhanced VPC Routing, you can use standard VPC features, such as VPC security groups, network access control lists (ACLs), VPC endpoints, VPC endpoint policies, internet gateways, and Domain Name System (DNS) servers.

For DR - You can configure Amazon Redshift to copy snapshots for a cluster to another region. To configure cross-region snapshot copy, you need to enable this copy feature for each cluster and configure where to copy snapshots and how long to keep copied automated snapshots in the destination region. When cross-region copy is enabled for a cluster, all new manual and automatic snapshots are copied to the specified region.


In Amazon RDS, failover is automatically handled so that you can resume database operations as quickly as possible without administrative intervention in the event that your primary database instance went down. When failing over, Amazon RDS simply flips the canonical name record (CNAME) for your DB instance to point at the standby, which is in turn promoted to become the new primary.

DynamoDB - It is a fully managed non-relational database service – you simply create a database table, set your target utilization for Auto Scaling, and let the service handle the rest. You no longer need to worry about database management tasks such as hardware or software provisioning, setup and configuration, software patching, operating a reliable, distributed database cluster, or partitioning data over multiple instances as you scale. DynamoDB also lets you backup and restore all your tables for data archival, helping you meet your corporate and governmental regulatory requirements.

DynamoDB features are chargeable, when using a single region :-
Charge for provisioning read and write capacity and the storage of data
No charge for the transfer of data into DynamoDB, providing you stay within a single region (if you cross regions, you will be charged at both ends of the transfer.) There is no charge for the actual number of tables you can create in DynamoDB, providing the RCU and WCU are set to 0, however in practice you cannot set this to anything less than 1 so there always be a nominal fee associated with each table.
Dynamo DB - Automatically replicated across Multiple AZ
DynamoDB - Data consistency - Ask the dev team to code for SCR
DynamoDB is a regional service, there is no need to explicitly create a multi-AZ deployment
Use cases include storing JSON data, BLOB data and storing web session data. You cannot run relational joins on DynamoDB
Scaling and Automatic Sharding, limitless storage - DynamoDB
Auto Scaling is not enabled in a DynamoDB table which is created using the AWS CLI.

Valid DynamoDB Headers attributes :-
Host: dynamodb.<region>.<domain>;
Accept-Encoding: identity
Content-Length: <PayloadSizeBytes>
User-Agent: <UserAgentString>
Content-Type: application/x-amz-json-1.0
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
X-Amz-Date: <Date> 
X-Amz-Target: DynamoDB_20120810.GetItem

DynamoDB makes use of parallel processing to achieve predictable performance. You visualise each partition as an independent DB server of fixed size. Each responsible for a defined block of data. In SQL terminology it is called sharding. The documentation is specific about the SSDs, but makes no mention of read-replicas or EBS-Optimised. Caching in-front of DDB is an option (DAX), but it is not inherent to DDB.

DynamoDB allows for the storage of large text and binary objects, but there is a limit of 400 KB

DynamoDB - ProvisionedThroughputExceededException - The consumption of provisioned throughput units, and I/O bottlenecks are not a simple average over the table. Consumption is measured in terms of load on each individual partition, as well as load on each Local & Global Secondary Index

Amazon DynamoDB Accelerator (DAX) is a fully managed, highly available, in-memory cache that can reduce Amazon DynamoDB response times from milliseconds to microseconds, even at millions of requests per second.

DynamoDB stream is an ordered flow of information about changes to items in an Amazon DynamoDB table. When you enable a stream on a table, DynamoDB captures information about every modification to data items in the table.

DynamoDB Time-to-Live (TTL) mechanism enables you to manage web sessions of your application easily. It lets you set a specific timestamp to delete expired items from your tables. Once the timestamp expires, the corresponding item is marked as expired and is subsequently deleted from the table. By using this functionality, you do not have to track expired data and delete it manually. TTL can help you reduce storage usage and reduce the cost of storing data that is no longer relevant.

In RDS, you still have to manually scale up your resources and create Read Replicas to improve scalability while in DynamoDB, this is automatically done.

If you enable DynamoDB Streams on a table, you can associate the stream ARN with a Lambda function that you write. Immediately after an item in the table is modified, a new record appears in the table's stream. 

InnoDB is the recommended storage engine for MySQL. However, in case you require intense, full-text search capability, use MyISAM storage engine

Aurora Serverless is an on-demand, auto-scaling configuration for Amazon Aurora where the database will automatically start-up, shut down, and scale capacity up or down based on your application's needs. It enables you to run your database in the cloud without managing any database instances. It's a simple, cost-effective option for infrequent, intermittent, or unpredictable workloads and not as a key-value store.

Aurora is a database engine for RDS and not deployed on a typical EC2 instance

Aurora automatically replicates your volume 6 ways, across three Availability Zones. These 6 ways replication is only applied for the "volume" (HA for storage level). It still need read-replica for cluster's HA.
Aurora includes a high-performance storage subsystem. Its MySQL- and PostgreSQL-compatible database engines are customized to take advantage of that fast distributed storage. The underlying storage grows automatically as needed, up to 64 tebibytes (TiB). Aurora also automates and standardizes database clustering and replication, which are typically among the most challenging aspects of database configuration and administration.
Amazon Aurora typically involves a cluster of DB instances instead of a single instance. Each connection is handled by a specific DB instance. When you connect to an Aurora cluster, the host name and port that you specify point to an intermediate handler called an endpoint. Aurora uses the endpoint mechanism to abstract these connections. Thus, you don't have to hardcode all the hostnames or write your own logic for load-balancing and rerouting connections when some DB instances aren't available.
For certain Aurora tasks, different instances or groups of instances perform different roles. For example, the primary instance handles all data definition language (DDL) and data manipulation language (DML) statements. Up to 15 Aurora Replicas handle read-only query traffic.
Using endpoints, you can map each connection to the appropriate instance or group of instances based on your use case. 
A reader endpoint for an Aurora DB cluster provides load-balancing support for read-only connections to the DB cluster. Use the reader endpoint for read operations, such as queries. By processing those statements on the read-only Aurora Replicas, this endpoint reduces the overhead on the primary instance. It also helps the cluster to scale the capacity to handle simultaneous SELECT queries, proportional to the number of Aurora Replicas in the cluster. Each Aurora DB cluster has one reader endpoint.
A cluster endpoint (also known as a writer endpoint) simply connects to the current primary DB instance for that DB cluster. This endpoint can perform write operations in the database such as DDL statements, which is perfect for handling production traffic but not suitable for handling queries for reporting since there will be no write database operations that will be sent.

Failover is automatically handled by Amazon Aurora so that your applications can resume database operations as quickly as possible without manual administrative intervention.
If you have an Amazon Aurora Replica in the same or a different Availability Zone, when failing over, Amazon Aurora flips the canonical name record (CNAME) for your DB Instance to point at the healthy replica, which in turn is promoted to become the new primary. Start-to-finish, failover typically completes within 30 seconds.
If you are running Aurora Serverless and the DB instance or AZ become unavailable, Aurora will automatically recreate the DB instance in a different AZ.
If you do not have an Amazon Aurora Replica (i.e. single instance) and are not running Aurora Serverless, Aurora will attempt to create a new DB Instance in the same Availability Zone as the original instance. This replacement of the original instance is done on a best-effort basis and may not succeed, for example, if there is an issue that is broadly affecting the Availability Zone.

Amazon RDS Multi-AZ deployments provide enhanced availability and durability for Database (DB) Instances, making them a natural fit for production database workloads. When you provision a Multi-AZ DB Instance, Amazon RDS automatically creates a primary DB Instance and synchronously replicates the data to a standby instance in a different Availability Zone (AZ) in the same Region. Each AZ runs on its own physically distinct, independent infrastructure, and is engineered to be highly reliable.
When you create or modify your DB instance to run as a Multi-AZ deployment, Amazon RDS automatically provisions and maintains a synchronous standby replica in a different Availability Zone. Updates to your DB Instance are synchronously replicated across Availability Zones to the standby in order to keep both in sync and protect your latest database updates against DB instance failure.The standby instance will not perform any read and write operations while the primary instance is running.
RDS Read Replica provides an asynchronous replication instead of synchronous.

Amazon Aurora Parallel Query is a feature of the Amazon Aurora database that provides faster analytical queries over your current data, without having to copy the data into a separate system. It can speed up queries by up to two orders of magnitude, while maintaining high throughput for your core transactional workload. The computational load of a single query is pushed across thousands of CPUs in Aurora's storage layer.

Amazon RDS provides metrics in real time for the operating system (OS) that your DB instance runs on. You can view the metrics for your DB instance using the console, or consume the Enhanced Monitoring JSON output from CloudWatch Logs in a monitoring system of your choice. By default, RDS Enhanced Monitoring metrics are stored in the CloudWatch Logs for 30 days - RDS processes, OS processes

CPU Utilization, Database Connections, and Freeable Memory are the regular items provided by Amazon RDS Metrics in CloudWatch

Route 53

AAAA record type queries are free when using Route 53. To route traffic to a resource, such as a web server, using an IPv6 address in colon-separated hexadecimal format.
Canonical Name - CNAME - to resolve one domain name to another - = You can't create a CNAME record/alias for CNAME record at the zone apex. For example, if you register the DNS name, the zone apex is
Alias Record - Map resource sets in your hosted zone to ELB, CloudFront Distribution or S3 buckets  eg. to
A Record - Translates domain name to IP.
MX record specifies the mail server responsible for accepting email messages on behalf of a domain name.
If IPv6 is enabled for the distribution, create two records, one with a value of A — IPv4 address for Type, and one with a value of AAAA — IPv6 address.
In Route 53, which record types will you use to point the DNS name of the Application Load Balancer - Alias with a type "AAAA" record set and Alias with a type "A" record set

Serving DNS queries: You incur charges for every DNS query answered by the Amazon Route 53 service, except for queries to Alias A records that are mapped to Elastic Load Balancing instances, CloudFront distributions, AWS Elastic Beanstalk environments, API Gateways, VPC endpoints, or Amazon S3 website buckets, which are provided at no additional charge.

UDP protocol is not supported when using with Route 53 health check

Route 53 is Universal, not region specific

Has the following routing policies - Simple, Weighted, Latency, Failover, Multivalue answer, Geoproximity and Geolocation

Latency based routing will approximate geographic balance only when all routes and traffic evenly supported which is rarely the case due to infrastructure and day night variations
Weighted routing is randomized and will not respect Geo boundaries.
Geolocation is based on national boundaries and will meet the needs well. 
Geoproximity is based on Latitude & Longitude and will also provide a good approximation with potentially less configuration

Alias Records can also point to AWS Resources that are hosted in other accounts by manually entering the ARN
1. Correct. Alias can map a DNS name to another DNS name for AWS services, or for other Record in the same hosted zone.
2. Wrong. CNAME can NOT be created for zone apex
3. Correct. CNAME can point to a DNS record in AWS Route53 or outside of AWS
4. Wrong. TTL can not be set for certain AWS resources on Alias records
5. Wrong. An Alias record can only point to resources within Route 53.

Route 53 has a security feature that prevents internal DNS from being read by external sources. The work around is to create a EC2 hosted DNS instance that does zone transfers from the internal DNS, and allows itself to be queried by external servers.

A Route Origin Authorization (ROA) is a document that you can create through your Regional internet registry (RIR), such as the American Registry for Internet Numbers (ARIN) or Réseaux IP Européens Network Coordination Centre (RIPE). It contains the address range, the ASNs that are allowed to advertise the address range, and an expiration date.

The ROA authorizes Amazon to advertise an address range under a specific AS number. However, it does not authorize your AWS account to bring the address range to AWS. To authorize your AWS account to bring an address range to AWS, you must publish a self-signed X509 certificate in the RDAP remarks for the address range. The certificate contains a public key, which AWS uses to verify the authorization-context signature that you provide. You should keep your private key secure and use it to sign the authorization-context message.

Prerequisites for routing traffic to a website that is hosted in an Amazon S3 Bucket:
- An S3 bucket that is configured to host a static website. The bucket must have the same name as your domain or subdomain. For example, if you want to use the subdomain, the name of the bucket must be
- A registered domain name. You can use Route 53 as your domain registrar, or you can use a different registrar.
- Route 53 as the DNS service for the domain. If you register your domain name by using Route 53, we automatically configure Route 53 as the DNS service for the domain.

How can I configure DNS failover using Amazon Route 53 health checks?
You can use Route 53 to check the health of your resources and only return healthy resources in response to DNS queries. There are three types of DNS failover configurations:
Active-passive: Route 53 actively returns a primary resource. In case of failure, Route 53 returns the backup resource. Configured using a failover policy.
Active-active: Route 53 actively returns more than one resource. In case of failure, Route 53 fails back to the healthy resource. Configured using any routing policy besides failover.
Combination: Multiple routing policies (such as latency-based, weighted, etc.) are combined into a tree to configure more complex DNS failover.

You can use Route 53 health checking to configure active-active and active-passive failover configurations. You configure active-active failover using any routing policy (or combination of routing policies) other than failover, and you configure active-passive failover using the failover routing policy.
Active-Active Failover
- Use this failover configuration when you want all of your resources to be available the majority of the time. When a resource becomes unavailable, Route 53 can detect that it's unhealthy and stop including it when responding to queries. Active-Active Failover uses all available resources all the time without a primary nor a secondary resource.
Active-Passive Failover
- Use an active-passive failover configuration when you want a primary resource or group of resources to be available the majority of the time and you want a secondary resource or group of resources to be on standby in case all the primary resources become unavailable.

Amazon Route 53 currently supports the following DNS record types:
-A (address record)
-AAAA (IPv6 address record)
-CNAME (canonical name record)
-CAA (certification authority authorization)
-MX (mail exchange record)
-NAPTR (name authority pointer record)
-NS (name server record)
-PTR (pointer record)
-SOA (start of authority record)
-SPF (sender policy framework)
-SRV (service locator)
-TXT (text record)
DNSSEC (Not supported)


Recovery Time Objective - how long for the system to recover and come back online
Recovery Point Objective - how much data is lost if the system fails

Security Groups

Security Groups are region-specific.

When you launch an instance in a VPC, you can assign up to 5 security groups to the instance.

Security Groups operate at the instance level, they support "allow" rules only, and they evaluate all rules before deciding whether to allow traffic.

Security Group is Stateful, any changes applied to an incoming rules is automatically applied to an outgoing rule

We cannot block IP address with SG only with NACL

When I create a new security group, all outbound traffic is allowed by default. It has no inbound rules

Instances associated with a security group can't talk to each other unless you add rules allowing the traffic (exception: the default security group has these rules by default).

AWS Security Token Service (STS)

AWS Security Token Service (STS) is a web service that enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or for users that you authenticate (federated users). It is not used for encrypting data unlike KMS

Server Name Indication (SNI)

SNI Custom SSL relies on the SNI extension of the Transport Layer Security protocol, which allows multiple domains to serve SSL traffic over the same IP address by including the hostname which the viewers are trying to connect to.

Classic Load Balancer does not support Server Name Indication (SNI). Use Application Load Balancer instead or a CloudFront web distribution to allow the SNI feature

Shared Responsibility Model

This differentiation of responsibility is commonly referred to as Security “of” the Cloud versus Security “in” the Cloud.

The shared responsibility model for infrastructure services, such as Amazon Elastic Compute Cloud (Amazon EC2) for example, specifies that AWS manages the security of the following assets:
Physical security of hardware
Network infrastructure
Virtualization infrastructure

You as the customer are responsible for the security of the following assets:
Amazon Machine Images (AMIs)
Operating systems
Data in transit
Data at rest
Data stores
Policies and configuration

AWS Shield 

Operates on layer 3 and 4 of the ISO network model and its primary purpose is to protect against DDoS attacks

To protect your system from DDoS attack, you can do the following:

- Use an Amazon CloudFront service for distributing both static and dynamic content.
- Use an Application Load Balancer with Auto Scaling groups for your EC2 instances then restrict direct Internet traffic to your Amazon RDS database by deploying to a private subnet.
- Set up alerts in Amazon CloudWatch to look for high Network In and CPU utilization metrics.

Services that are available within AWS Regions, like Elastic Load Balancing and Amazon Elastic Compute Cloud (EC2), allow you to build Distributed Denial of Service resiliency and scale to handle unexpected volumes of traffic within a given region. Services that are available in AWS edge locations, like Amazon CloudFront, AWS WAF, Amazon Route53, and Amazon API Gateway, allow you to take advantage of a global network of edge locations that can provide your application with greater fault tolerance and increased scale for managing larger volumes of traffic.
In addition, you can also use AWS Shield and AWS WAF to fortify your cloud network. AWS Shield is a managed DDoS protection service that is available in two tiers: Standard and Advanced. AWS Shield Standard applies always-on detection and inline mitigation techniques, such as deterministic packet filtering and priority-based traffic shaping, to minimize application downtime and latency at no charge.

AWS WAF is a web application firewall that helps protect web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources. You can use AWS WAF to define customizable web security rules that control which traffic accesses your web applications. If you use AWS Shield Advanced, you can use AWS WAF at no extra cost for those protected resources and can engage the DRT to create WAF rules.

Snowball and Snowmobile

A Snowball is a rugged shipping container with a semi-trailer truck. While a single Snowball can store up to 80 TB of data, a single Snowmobile can store 100 PB of data, which is almost 1,250 times the capacity of a single Snowball.
As a rule of thumb, if it takes more than one week to upload your data to AWS using the spare capacity of your existing Internet connection, then you should consider using Snowball. For example, if you have a 100 Mb connection that you can solely dedicate to transferring your data and need to transfer 100 TB of data, it takes more than 100 days to complete data transfer over that connection. You can make the same transfer by using multiple Snowballs in about a week.

AWS Snowball Edge is a type of Snowball device with on-board storage and compute power for select AWS capabilities.Snowball Edge can undertake local processing and edge-computing workloads in addition to transferring data between your local environment and the AWS Cloud. The AWS Snowball Edge device differs from the standard Snowball because it can bring the power of the AWS Cloud to your on-premises location, with local storage and compute functionality. Snowball Edge devices have three options for device configurations – storage optimized, compute optimized, and with GPU.

AWS Step Functions

Coordinate multiple AWS services into serverless workflows so you can build and update apps quickly

Provides serverless orchestration for modern applications. Orchestration centrally manages a workflow by breaking it into multiple steps, adding flow logic, and tracking the inputs and outputs between the steps. As your applications execute, Step Functions maintains application state, tracking exactly which workflow step your application is in, and stores an event log of data that is passed between application components. That means that if networks fail or components hang, your application can pick up right where it left off.

Application development is faster and more intuitive with Step Functions, because you can define and manage the workflow of your application independently from its business logic. Making changes to one does not affect the other. You can easily update and modify workflows in one place, without having to struggle with managing, monitoring and maintaining multiple point-to-point integrations. Step Functions frees your functions and containers from excess code, so your applications are faster to write, more resilient, and easier to maintain.


It’s a simple storage service that offers a highly-scalable, reliable, and low-latency data storage infrastructure at very low costs.

The largest object that can be uploaded in a single PUT is 5 GB. For objects larger than 100 megabytes, customers should consider using the Multipart Upload capability.

It does not provide file system access semantics. EFS provides this feature but not S3. User EFS - "file operation" and "allows concurrent connections from multiple EC2 instances"

S3 is not replicated across Regions

The storage savings between IA and OneZone-IA are about $0.0025

Signed URLs and Signed Cookies are different ways to ensure that users attempting access to files in an S3 bucket can be authorised. One method generates URLs and the other generates special cookies but they both require the creation of an application and policy to generate and control these items. 
Origin Access Identity is a virtual user identity that is used to give the CloudFront distribution permission to fetch a private object from an S3 bucket

Signed Cookies do not work for RTMP

Gateway-Cached and File Gateway volumes retain a copy of frequently accessed data subsets locally
A File Gateway supports a file interface into Amazon Simple Storage Service (Amazon S3) and combines a service and a virtual software appliance. By using this combination, you can store and retrieve objects in Amazon S3 using industry-standard file protocols such as Network File System (NFS) and Server Message Block (SMB).

Virtual style puts your bucket name 1st, s3 2nd, and the region 3rd.  - name Bucket is part of the domain name
Path style puts s3 1st and your bucket as a sub domain. - name Bucket is the first part of the path
Legacy Global endpoint has no region.  
S3 static hosting can be your own URL or your bucket name 1st, s3-website 2nd, followed by the region. 
AWS are in the process of phasing out Path style, and support for Legacy Global Endpoint format is limited and discouraged

S3 Select is an Amazon S3 feature that makes it easy to retrieve specific data from the contents of an object using simple SQL expressions without having to retrieve the entire object.

S3 doesn't provide AES-128 encryption, only AES-256
You have the following options for protecting data at rest in Amazon S3:
1) Use Server-Side Encryption – You request Amazon S3 to encrypt your object before saving it on disks in its data centers and decrypt it when you download the objects.
- Use Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3)
- Use Server-Side Encryption with AWS KMS-Managed Keys (SSE-KMS)
- Use Server-Side Encryption with Customer-Provided Keys (SSE-C)
2) Use Client-Side Encryption – You can encrypt data client-side and upload the encrypted data to Amazon S3. In this case, you manage the encryption process, the encryption keys, and related tools.
- Use Client-Side Encryption with AWS KMS–Managed Customer Master Key (CMK)
- Use Client-Side Encryption Using a Client-Side Master Key

Amazon S3 supports the following destinations where it can publish events: (Event Notification destinations)
- Amazon SNS
- Amazon SQS
- AWS Lambda
S3 does not support MQ, SES, SWF, Kinesis as a destination

Amazon Glacier - Retrieval
- Expedited retrievals allow you to quickly access your data when occasional urgent requests for a subset of archives are required. For all but the largest archives (250 MB+), data accessed using Expedited retrievals are typically made available within 1–5 minutes. Provisioned Capacity ensures that retrieval capacity for Expedited retrievals is available when you need it.
- To make an Expedited, Standard, or Bulk retrieval, set the Tier parameter in the Initiate Job (POST jobs) REST API request to the option you want, or the equivalent in the AWS CLI or AWS SDKs. If you have purchased provisioned capacity, then all expedited retrievals are automatically served through your provisioned capacity.
- Provisioned capacity ensures that your retrieval capacity for expedited retrievals is available when you need it. Each unit of capacity provides that at least three expedited retrievals can be performed every five minutes and provides up to 150 MB/s of retrieval throughput. You should purchase provisioned retrieval capacity if your workload requires highly reliable and predictable access to a subset of your data in minutes. Without provisioned capacity Expedited retrievals are accepted, except for rare situations of unusually high demand. However, if you require access to Expedited retrievals under all circumstances, you must purchase provisioned retrieval capacity.

Coyping objects :-
By default, an S3 object is owned by the account that uploaded the object. That's why granting the destination account the permissions to perform the cross-account copy makes sure that the destination owns the copied objects. You can also change the ownership of an object by changing its access control list (ACL) to bucket-owner-full-control.
However, object ACLs can be difficult to manage for multiple objects, so it's a best practice to grant programmatic cross-account permissions to the destination account.
To be sure that a destination account owns an S3 object copied from another account, grant the destination account the permissions to perform the cross-account copy. Follow these steps to configure cross-account permissions to copy objects from a source bucket in Account A to a destination bucket in Account B:
- Attach a bucket policy to the source bucket in Account A.
- Attach an AWS Identity and Access Management (IAM) policy to a user or role in Account B.
- Use the IAM user or role in Account B to perform the cross-account copy.

Amazon S3 provides read-after-write consistency for PUTS of new objects in your S3 bucket in all regions with one caveat: if you make a HEAD or GET request to the key name (to find if the object exists) before creating the object, Amazon S3 provides eventual consistency for read-after-write. Amazon S3 offers eventual consistency for overwrite PUTS and DELETES in all regions.
Updates to a single key are atomic. For example, if you PUT to an existing key, a subsequent read might return the old data or the updated data, but it will never return corrupted or partial data. This usually happens if your application is using parallel requests on the same object.
Amazon S3’s support for parallel requests means you can scale your S3 performance by the factor of your compute cluster, without making any customizations to your application. Amazon S3 does not currently support Object Locking. If two PUT requests are simultaneously made to the same key, the request with the latest timestamp wins. If this is an issue, you will need to build an object-locking mechanism into your application.
Updates are key-based; there is no way to make atomic updates across keys. For example, you cannot make the update of one key dependent on the update of another key unless you design this functionality into your application.

Amazon S3 can publish notifications for the following events:
1. New object created events
2. Object removal events
3. Restore object events
4. Reduced Redundancy Storage (RRS) object lost events
5. Replication events

Server Access Logging :-
Track and log every request access to their S3 buckets including the requester, bucket name, request time, request action, referrer, turnaround time, and error code information. The solution should also provide more visibility into the object-level operations of the bucket.  Note that detailed information about every access request sent to the S3 bucket including the referrer and turn-around time information records are not available in CloudTrail.

Amazon S3 Transfer Acceleration enables fast, easy, and secure transfers of files over long distances between your client and your Amazon S3 bucket. Transfer Acceleration leverages Amazon CloudFront’s globally distributed AWS Edge Locations. As data arrives at an AWS Edge Location, data is routed to your Amazon S3 bucket over an optimized network path. Amazon S3 Transfer Acceleration can speed up content transfers to and from Amazon S3 by as much as 50-500% for long-distance transfer of larger objects

Amazon S3 offers access policy options broadly categorized as resource-based policies and user policies. 
Access policies you attach to your resources (buckets and objects) are referred to as resource-based policies. For example, bucket policies and access control lists (ACLs) are resource-based policies. 
You can also attach access policies to users in your account. These are called user policies. 
You may choose to use resource-based policies, user policies, or some combination of these to manage permissions to your Amazon S3 resources.
ACLs are primarily used to grant basic read/write permissions to AWS accounts and not suitable for providing public access over the Internet.

Which methods ensure that all of the objects uploaded to the S3 bucket can be read publicly all over the Internet?
Grant public read access to the object when uploading it using the S3 Console.
Configure the S3 bucket policy to set all objects to public read.
WRONG - IAM Role, in itself, cannot directly make the S3 objects public or change the permissions of each individual object
WRONG - ACLs are primarily used to grant basic read/write permissions to AWS accounts and are not suitable for providing public access over the Internet.

AWS Storage Gateway connects an on-premises software appliance with cloud-based storage to provide seamless integration with data security features between your on-premises IT environment and the AWS storage infrastructure. You can use the service to store data in the AWS Cloud for scalable and cost-effective storage that helps maintain data security.

Amazon S3 vs EFS vs EBS :- 
Amazon S3 is an object storage service. Amazon S3 makes data available through an Internet API that can be accessed anywhere.
Amazon EFS is a file storage service for use with Amazon EC2. Amazon EFS provides a file system interface, file system access semantics (such as strong consistency and file locking), and concurrently-accessible storage for up to thousands of Amazon EC2 instances.  
Amazon EBS is a block-level storage service for use with Amazon EC2. Amazon EBS can deliver performance for workloads that require the lowest-latency access to data from a single EC2 instance. You can also increase EBS storage for up to 16TB or add new volumes for additional storage.

Amazon S3 now provides increased performance to support at least 3,500 requests per second to add data and 5,500 requests per second to retrieve data. Amazon S3 does not support retrieving multiple ranges of data per GET request.

Lifecycle Constraints :-
- Objects must be stored at least 30 days in the current storage class before you can transition them to STANDARD_IA or ONEZONE_IA. This limitation does not apply on INTELLIGENT_TIERING, GLACIER, and DEEP_ARCHIVE storage class.
- Amazon S3 does not transition objects that are smaller than 128 KB to the STANDARD_IA or ONEZONE_IA storage classes because it's not cost effective.


SQS long polling doesnt return a response until a message arrives in the queue, reducing your overall cost over time. Short polling WILL return empty responses.

"DelaySeconds" attribute - When a new message is added to SQS it will be hidden from the customer instances for a fixed period

In Amazon SQS, you can configure the message retention period to a value from 1 minute to 14 days. The default is 4 days. Once the message retention limit is reached, your messages are automatically deleted. Use the SetQueueAttributes action
A single Amazon SQS message queue can contain an unlimited number of messages. However, there is a 120,000 limit for the number of inflight messages for a standard queue and 20,000 for a FIFO queue. Messages are inflight after they have been received from the queue by a consuming component, but have not yet been deleted from the queue.

You cannot set a priority to individual items in the SQS queue

Amazon SWF

Provides useful guarantees around task assignments. It ensures that a task is never duplicated and is assigned only once. Thus, even though you may have multiple workers for a particular activity type (or a number of instances of a decider), Amazon SWF will give a specific task to only one worker (or one decider instance). Additionally, Amazon SWF keeps at most one decision task outstanding at a time for a workflow execution. Thus, you can run multiple decider instances without worrying about two instances operating on the same execution simultaneously. These facilities enable you to coordinate your workflow without worrying about duplicate, lost, or conflicting tasks.


Amazon VPC allows you to connect your AWS cloud resources to your on-premises data center using secure and private sessions with IP Security (IPSec) or Transport Layer Security (TLS) tunnels

5 Amazon VPCs per AWS account per region
200 subnets per Amazon VPC
5 Amazon VPC Elastic IP addresses per AWS account per region
One internet gateway per Amazon VPC

The allowed block size in VPC is between a /16 netmask (65,536 IP addresses) and /28 netmask (16 IP addresses) 

Add a route to your routing table that will allow connections to the internet from your subnet - Destination - Target to IG

Steps should you take to make this subnet public - attach an Internet Gateway (IGW) and to create a route in the route table out to the Internet Gateway (IGW).

When you create a custom VPC, a default Security Group, NACL, and Route Table are created automatically. You must create your own Subnets, Internet Gateway, and NAT Gateway

Only 1 NAT Gateway in a A-Z. It cannot span A-Z's. Start at 5GBPS and scales to 45GBPS. You are charged for creating and using a NAT gateway in your account.
Ephermal Ports - NAT Gateway uses ports 1024-65535.
NAT gateways are not supported for IPv6 traffic—use an egress-only internet gateway instead.
To create a NAT gateway, you must specify the public subnet in which the NAT gateway should reside. You must also specify an Elastic IP address to associate with the NAT gateway when you create it. The Elastic IP address cannot be changed once you associate it with the NAT Gateway.

A VPC public subnet is one that has at least one route in its associated routing table that uses an Internet Gateway (IGW).

An EC2-VPC instances DOES retain its private IP when stopped

VPC automatically comes with a default NACL where by default all inbound and outbound are allowed.
When you create a new NACL by default all are denied. NACL rules are numbered.
Each subnet has to be associated with NACL, else it is associated with default NACL
Each subnet must reside entirely within one Availability Zone and cannot span zones
By default, instances in new subnets in a custom VPC can communicate with each other across Availability Zones. In a custom VPC with new subnets in each AZ, there is a route that supports communication across all subnets/AZs. Plus a default Security Group with an allow rule 'All traffic, all protocols, all ports, from anything using this default Security Group'.

Default vs nondefault subnet :-
By default, a "default subnet" of your VPC is actually a public subnet, because the main route table sends the subnet's traffic that is destined for the internet to the internet gateway. You can make a default subnet into a private subnet by removing the route from the destination to the internet gateway. However, if you do this, any EC2 instance running in that subnet can't access the internet.
Instances that you launch into a default subnet receive both a public IPv4 address and a private IPv4 address, and both public and private DNS hostnames. Instances that you launch into a nondefault subnet in a default VPC don't receive a public IPv4 address or a DNS hostname. You can change your subnet's default public IP addressing behavior
By default, nondefault subnets have the IPv4 public addressing attribute set to false, and default subnets have this attribute set to true. An exception is a nondefault subnet created by the Amazon EC2 launch instance wizard — the wizard sets the attribute to true.

NACL Rules are evaluated starting with the lowest numbered rule. As soon as a rule matches traffic, it's applied immediately regardless of any higher-numbered rule that may contradict it.

EC2 instances in a private subnet can communicate with the Internet not just by having an Elastic IP, but also with a public IP address via a NAT Instance or a NAT Gateway. To enable communication with the Internet, a public IPv4 address is mapped to the primary private IPv4 address through network address translation (NAT).
In order for you to access your EC2 instance from the Internet, you need to have:
- An Internet Gateway (IGW) attached to the VPC.
- A route entry to the Internet gateway in the Route table of the VPC.
- A Public IP address attached to the EC2 instance.

RDP Port is 3389

VPC is a virtual network to isolate the resources dedicated to our account.
Internet gateway is the one which helps to enable the resources to have communication with internet
If we want to have dedicated connection, then we can create VPN to connect to our VPC.
Virtual private gateway and customer gateway will be coming part of VPN.
VPG is the on the amazon side of VPN, Customer gateway is physical/virtual device on our side of VPN.

You can connect your VPC to remote networks by using a VPN connection which can be Direct Connect, IPsec VPN connection, AWS VPN CloudHub, or a third party software VPN appliance.

You can create an IPsec VPN connection between your VPC and your remote network. On the AWS side of the VPN connection, a virtual private gateway provides two VPN endpoints (tunnels) for automatic failover. You configure your customer gateway on the remote side of the VPN connection. If you have more than one remote network (for example, multiple branch offices), you can create multiple AWS managed VPN connections via your virtual private gateway to enable communication between these networks.

With AWS Site-to-Site VPN, you can connect to an Amazon VPC in the cloud the same way you connect to your branches. AWS Site-to-Site VPN establishes secure and private sessions with IP Security (IPSec) and Transport Layer Security (TLS) tunnels.

A VPC VPN Connection utilizes IPSec to establish encrypted network connectivity between your intranet and Amazon VPC over the Internet. AWS Direct Connect does not involve the Internet; instead, it uses dedicated, private network connections between your intranet and Amazon VPC

Direct connect connection into AWS data centres and it's useful for high throughput workloads
You need to ensure that your application in your custom VPC can communicate back to the on-premise data center. You can do this by either using a site to site VPN or Direct Connect. It will be using an internal IP address range, so you must make sure that your internal IP addresses do not overlap.
Direct Connect creates a direct, private connection from your on-premises data center to AWS, letting you establish a 1-gigabit or 10-gigabit dedicated network connection using Ethernet fiber-optic cable.

You have created a Direct Connect Link from your on premise data center to your Amazon VPC. The link is now active and routes are being advertised from the on-premise data center. You can connect to EC2 instances from your data center; however, you cannot connect to your on premise servers from your EC2 instances. 
This is because there is no route connecting your VPC back to the on premise data center. You need to add this route to the VPC Subnet route table and then enable propagation on the Virtual Private Gateway.

A public subnet within VPC has alteast 1 route that uses IGW

You can only have 1 Internet Gateway per VPC. You can however have 5 Internet Gateways per REGION

Route table entries enable EC2 instances in the subnet to use IPv4 to communicate with other instances in the VPC, and to communicate directly over the Internet. A subnet that's associated with a route table that has a route to an Internet gateway is known as a public subnet. If you could not connect to your EC2 instance even if there is already an Internet Gateway in your VPC and there is no issue in the security group, then you must check if the entries in the route table are properly configured.

"Egress-Only Internet Gateway" is to allow IPv6 based traffic within a VPC to access the Internet, whilst denying any Internet based resources the possibility of initiating a connection back into the VPC.

Each VPC has a related instance tenancy attribute. This attribute has the following values.
default - An instance launched into the VPC runs on shared hardware by default, unless you explicitly specify a different tenancy during instance launch.
dedicated - An instance launched into the VPC is a Dedicated Instance by default, unless you explicitly specify a tenancy of host during instance launch. You cannot specify a tenancy of default during instance launch.
You can change the instance tenancy of a VPC from dedicated to default after you create it. You cannot change the instance tenancy of a VPC to dedicated.

A VPC endpoint enables you to privately connect your VPC to supported AWS services and VPC endpoint services powered by PrivateLink without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Instances in your VPC do not require public IP addresses to communicate with resources in the service. Traffic between your VPC and the other service does not leave the Amazon network.
Endpoint are virtual devices and they are horizontally scaled redundant and highly available VPC components that allow communication between instances in your VPC and services without imposing availability risk or bandwidth constraints on your network traffic.
2 types
- Interface Endpoint - elastic network interface or an ENI with a private IP address that serves as an entry point for traffic destined to a supported service
- Gateway Endpoint - Supported for S3 and Dynamo DB

A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them privately. Instances in either VPC can communicate with each other as if they are within the same network. You can create a VPC peering connection between your own VPCs, with a VPC in another AWS account, or with a VPC in a different AWS Region. You cannot peer two VPCs with overlapping CIDR blocks. Transitive VPC peering is not allowed
Invalid Peering configurations :-
The following VPC peering connection configurations are not supported.
- Overlapping CIDR Blocks
- Transitive Peering
- Edge to Edge Routing Through a Gateway or Private Connection
Communication over IPv6 is not supported for an inter-region VPC peering connection.

AWS Transit Gateway is a service that enables customers to connect their Amazon Virtual Private Clouds (VPCs) and their on-premises networks to a single gateway. With AWS Transit Gateway, you only have to create and manage a single connection from the central gateway in to each Amazon VPC, on-premises data center, or remote office across your network. Transit Gateway acts as a hub that controls how traffic is routed among all the connected networks which act like spokes. This hub and spoke model significantly simplifies management and reduces operational costs because each network only has to connect to the Transit Gateway and not to every other network. Any new VPC is simply connected to the Transit Gateway and is then automatically available to every other network that is connected to the Transit Gateway. This ease of connectivity makes it easy to scale your network as you grow.
A transit gateway attachment is both a source and a destination of packets. You can attach the following resources to your transit gateway:
- One or more VPCs
- One or more VPN connections
- One or more AWS Direct Connect gateways
- One or more transit gateway peering connections
If you attach a transit gateway peering connection, the transit gateway must be in a different Region.

You can only create a private virtual interface to a Direct Connect gateway and not a public virtual interface. An AWS Direct Connect Gateway is quite limited as opposed to a Transit Gateway as it can only manage a single connection for multiple VPCs or VPNs that are in the same Region

Multicast is a network capability that allows one-to-many distribution of data. With multicasting, one or more sources can transmit network packets to subscribers that typically reside within a multicast group. However, take note that Amazon VPC does not support multicast or broadcast networking.
You can use an overlay multicast in order to migrate the legacy application. An overlay multicast is a method of building IP level multicast across a network fabric supporting unicast IP routing, such as Amazon Virtual Private Cloud (Amazon VPC).


"Customer Gateway" and "Virtual Private Gateway". When connecting a VPN between AWS and a third party site, the Customer Gateway is created within AWS, but it contains information about the third party site e.g. the external IP address and type of routing. The Virtual Private Gateway has the information regarding the AWS side of the VPN and connects a specified VPC to the VPN. "Direct Connect Gateway" and "Cross Connect" are both Direct Connect related terminology and have nothing to do with VPNs

By default, instances that you launch into a virtual private cloud (VPC) can't communicate with your own network. You can enable access to your network from your VPC by attaching a virtual private gateway to the VPC, creating a custom route table, updating your security group rules, and creating an AWS managed VPN connection.
Although the term VPN connection is a general term, in the Amazon VPC documentation, a VPN connection refers to the connection between your VPC and your own network. AWS supports Internet Protocol security (IPsec) VPN connections.
A customer gateway is a physical device or software application on your side of the VPN connection.
To create a VPN connection, you must create a customer gateway resource in AWS, which provides information to AWS about your customer gateway device. Next, you have to set up an Internet-routable IP address (static) of the customer gateway's external interface.

You don't need a NAT instance for you to be able to create a VPN connection.
You do not attach an EIP to a VPG

Stateless Installation
You've been tasked with building a new application with a stateless web tier for a company that produces reusable rocket parts. Which three services could you use to achieve this?
The essence of a stateless installation is that the scalable components are disposable, and configuration is stored away from the disposable components. The best way to solve this type of problem is by elimination. Storage Gateway offers no advantage in this situation. CloudWatch is a reporting tool and will not help. An ELB will distribute load but will not really specific to stateless design. Elasticache is well suited for very short fast cycle data and is very suitable to replace in memory or on disk state data previously held on the web servers. RDS is well suited to structured and long cycle data, and DynamoDB is well suited for unstructured and medium cycle data. Both can be used for certain types of stateful data either in partner with or instead of Elasticache.
Answer : DynamoDb, ElastiCache, RDS

There are a number of ways to set up a VPN. Based on the options provided, AWS have a standard solution that makes use of a VPC with; a private subnet, Hardware VPN Access, a VPG, and an on-premise Customer Gateway.

A Site-to-Site VPN connection has the following limitations.
- IPv6 traffic is not supported.
- An AWS VPN connection does not support Path MTU Discovery

VPC Flow Logs 

is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. Flow log data can be published to Amazon CloudWatch Logs or Amazon S3. After you've created a flow log, you can retrieve and view its data in the chosen destination. 
Created at the following levels :
Network Interface Level

You cannot enable flow logs for VPC that are peered with your VPC unless the peer VPC is in your account

You cannot change its configuration for example you can't go in an associate at different IAM role

Not all IP traffic is monitored 
- traffic generated by instances when they contact the Amazon DNS serve
- traffic generated by Windows instances for Amazon windows licensing activation is not going to be monitored
- then traffic to and from for instance metadata
- DHCP traffic
- traffic to the reserved IP addresses for the default VPC router


AWS WAF is a web application firewall that lets you monitor the HTTP and HTTPS requests that are forwarded to an Amazon API Gateway API, Amazon CloudFront or an Application Load Balancer
AWS WAF also lets you control access to your content. Based on conditions that you specify, such as the IP addresses that requests originate from or the values of query strings, API Gateway, CloudFront or an Application Load Balancer responds to requests either with the requested content or with an HTTP 403 status code (Forbidden). You also can configure CloudFront to return a custom error page when a request is blocked.
At the simplest level, AWS WAF lets you choose one of the following behaviors:
Allow all requests except the ones that you specify – This is useful when you want CloudFront or an Application Load Balancer to serve content for a public website, but you also want to block requests from attackers.
Block all requests except the ones that you specify – This is useful when you want to serve content for a restricted website whose users are readily identifiable by properties in web requests, such as the IP addresses that they use to browse to the website.
Count the requests that match the properties that you specify – When you want to allow or block requests based on new properties in web requests, you first can configure AWS WAF to count the requests that match those properties without allowing or blocking those requests. This lets you confirm that you didn't accidentally configure AWS WAF to block all the traffic to your website. When you're confident that you specified the correct properties, you can change the behavior to allow or block requests.

Your server logs are full of what appear to be application-layer attacks, so you deploy AWS Web Application Firewall. Which of the following conditions may you set when configuring AWS WAF?
String Match Conditions
IP Match Conditions
Size Constraint Conditions

SQL Injection attacks which are dealt with by AWS WAF. 
WAF also protects against Cross Site Scripting and can block traffic from IP addresses based on rules

AWS premium support

Basic, Developer, Business, Enterprise

Maximum Response time for a Business Level 'production down' support case - 1 hour

'Serverless' computing is not about eliminating servers, but shifting most of the responsibility for infrastructure and operation of the infrastructure to a vendor so that you can focus more on the business services, not how to manage the infrastructure that they run on. Billing does tend to be based on simple units, but the choice of services, intended usage pattern (RIs), and amount of capacity needed also influences the pricing.
RDS, EC2 is not Serverless
API Gateway
Dynamo Db

Are you permitted to conduct your own vulnerability scans on your own VPC without alerting AWS first? Depends on type of scan. Some requires alerting.


RDS multi-AZ is guarantee to 99.95%.
EC2 availability is guarantee to 99.95%.
EBS availability is guarantee to 99.95%.
S3 availability is 99.9%

AWS Budgets gives you the ability to set custom budgets that alert you when your costs or usage exceed (or are forecasted to exceed) your budgeted amount.
Budgets can be tracked at the monthly, quarterly, or yearly level, and you can customize the start and end dates. You can further refine your budget to track costs associated with multiple dimensions, such as AWS service, linked account, tag, and others. Budget alerts can be sent via email and/or Amazon Simple Notification Service (SNS) topic.
You can also use AWS Budgets to set a custom reservation utilization target and receive alerts when your utilization drops below the threshold you define. RI utilization alerts support Amazon EC2, Amazon RDS, Amazon Redshift, and Amazon ElastiCache reservations.
Budgets can be created and tracked from the AWS Budgets dashboard or via the Budgets API.

Cost Explorer helps you visualize and manage your AWS costs and usages over time. It offers a set of reports you can view data with for up to the last 13 months, forecast how much you're likely to spend for the next three months, and get recommendations for what Reserved Instances to purchase. You use Cost Explorer to identify areas that need further inquiry and see trends to understand your costs.

Cost Allocation Tags eases the organization of your resource costs on your cost allocation report to make it easier for you to categorize and track your AWS costs.

Payment History provides a location where you can view the monthly invoices you receive from AWS. If your account isn't past due, the Payment History page shows only previous invoices and payment status.

Other Services

App Mesh is  a service mesh that provides application-level networking to make it easy for your services to communicate with each other across multiple types of compute infrastructure.
Amazon AppStream 2.0 is a fully managed application streaming service and can't be used as a queue
AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations.
AWS Connect is actually a self-service, cloud-based contact center service in AWS that makes it easy for any business to deliver better customer service at a lower cost. Amazon Connect is based on the same contact center technology used by Amazon customer service associates around the world to power millions of customer conversations.
AWS Certificate Manager (ACM) is a service that lets you easily provision, manage, and deploy public and private SSL/TLS certificates for use with AWS services and your internal connected resources
AWS Cloud Map is a cloud resource discovery service that enables you to name your application resources with custom names and automatically update the locations of your dynamically changing resources
CodeDeploy is a deployment service that automates application deployments to Amazon EC2 instances, on-premises instances, or serverless Lambda functions. It allows you to rapidly release new features, update Lambda function versions, avoid downtime during application deployment, and handle the complexity of updating your applications, without many of the risks associated with error-prone manual deployments.
AWS Control Tower offers the easiest way to set up and govern a new, secure, multi-account AWS environment. 
AWS Data Pipeline is primarily used as a cloud-based data workflow service that helps you process and move data between different AWS services and on-premises data sources.
AWS DataSync is primarily used to simplify your migration with AWS. It makes it simple and fast to move large amounts of data online between on-premises storage and Amazon S3 or Amazon Elastic File System (Amazon EFS)
AWS Device Farm is an app testing service that lets you test and interact with your Android, iOS, and web apps on many devices at once, or reproduce issues on a device in real time.
ekognition is a service that can identify the objects, people, text, scenes, and activities, as well as detect any inappropriate content on your images or videos
AWS Fargate service is a serverless compute engine for containers that work with both Amazon Elastic Container Service (ECS) and Amazon Elastic Kubernetes Service (EKS). Fargate removes the need to provision and manage servers, lets you specify and pay for resources per application, and improves security through application isolation by design. Although this service is more cost-effective than its server-based counterpart, Amazon S3 still costs way less than Fargate, especially for storing static content.
AWS Firewall Manager simplifies your AWS WAF and AWS Shield Advanced administration and maintenance tasks across multiple accounts and resources
AWS Glue is a fully managed extract, transform, and load (ETL) service that makes it easy for customers to prepare and load their data for analytics.
GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts and workloads.
AWS Import/Export is a service you can use to transfer large amounts of data from physical storage devices into AWS. You mail your portable storage devices to AWS and AWS Import/Export transfers data directly off of your storage devices using Amazon's high-speed internal network. 
Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS
AWS IoT Core is a managed cloud service that lets connected devices easily and securely interact with cloud applications and other devices. AWS IoT Core provides secure communication and data processing across different kinds of connected devices and locations so you can easily build IoT applications.
AWS Organizations is an account management service that lets you consolidate multiple AWS accounts into an organization that you create and centrally manage. With Organizations, you can create member accounts and invite existing accounts to join your organization. You can organize those accounts into groups and attach policy-based controls.
AWS ParallelCluster is an AWS-supported open-source cluster management tool that makes it easy for you to deploy and manage High-Performance Computing (HPC) clusters on AWS
AWS Resource Access Manager (RAM) is a service that enables you to easily and securely share AWS resources with any AWS account or within your AWS Organization. You can share AWS Transit Gateways, Subnets, AWS License Manager configurations, and Amazon Route 53 Resolver rules resources with RAM. Many organizations use multiple accounts to create administrative or billing isolation, and limit the impact of errors. RAM eliminates the need to create duplicate resources in multiple accounts, reducing the operational overhead of managing those resources in every single account you own. You can create resources centrally in a multi-account environment, and use RAM to share those resources across accounts in three simple steps: create a Resource Share, specify resources, and specify accounts. RAM is available to you at no additional charge.
AWS Secrets Manager is an AWS service that makes it easier for you to manage secrets. Secrets can be database credentials, passwords, third-party API keys, and even arbitrary text. You can store and control access to these secrets centrally by using the Secrets Manager console, the Secrets Manager command line interface (CLI), or the Secrets Manager API and SDKs.
AWS Transfer for SFTP (AWS SFTP) is a fully managed AWS service that enables you to transfer files over Secure File Transfer Protocol (SFTP), into and out of Amazon Simple Storage Service (Amazon S3) storage. This service is not related to EC2 instances.
Amazon Simple Email Service (SES) is a cloud-based email sending service designed to send notification and transactional emails.
Amazon Simple Queue Service (SQS) is a fully-managed message queuing service. It does not monitor applications nor send email notifications unlike SES.
AWS Step Functions lets you coordinate multiple AWS services into serverless workflows so you can build and update apps quickly. Using Step Functions, you can design and run workflows that stitch together services, such as AWS Lambda, AWS Fargate, and Amazon SageMaker, into feature-rich applications.
AWS Trusted Advisor is an application that draws upon best practices learned from AWS' aggregated operational history of serving hundreds of thousands of AWS customers. Trusted Advisor inspects your AWS environment and makes recommendations for saving money, improving system performance, or closing security gaps.
Amazon WorkDocs is a fully managed, secure content creation, storage, and collaboration service. With Amazon WorkDocs, you can easily create, edit, and share content. And because it’s stored centrally on AWS, you can access it from anywhere on any device.It is not a suitable service for storing static content.
AWS X-Ray helps you debug and analyze your microservices applications with request tracing so you can find the root cause of issues and performance. Can be used with applications running on Amazon Elastic Compute Cloud (EC2), Amazon EC2 Container Service (Amazon ECS), AWS Lambda, AWS Elastic Beanstalk and API Gateway. Active Tracing using X-Ray is only available for Lambda. You can use AWS X-Ray to trace and analyze user requests as they travel through your Amazon API Gateway REST APIs to the underlying services. 

The pillars of the AWS Well-Architected Framework
Operational Excellence The ability to run and monitor systems to deliver business value and to continually improve supporting processes and procedures.
Security The ability to protect information, systems, and assets while delivering business value through risk assessments and mitigation strategies.
Reliability The ability of a system to recover from infrastructure or service disruptions, dynamically acquire computing resources to meet demand, and mitigate disruptions such as misconfigurations or transient network issues.
Performance Efficiency The ability to use computing resources efficiently to meet system requirements, and to maintain that efficiency as demand changes and technologies evolve.
Cost Optimization The ability to run systems to deliver business value at the lowest price point


Back to Top