Thursday, 30 June 2022

AWS Questions

Special File Names

buildspec.yml holds the build instructions for AWS CodeBuild.

Dockerrun.aws.json is used to run an Elastic Beanstalk application in a single Docker container. The other option is to provide a Dockerfile. To run multiple Docker containers, the images must be pre-built and a Dockerrun.aws.json file placed at the root of the source bundle.

Limitation

KMS can encrypt at most 4 KB of data per call.

SQS

  • The visibility timeout for a queue is set in seconds and defaults to 30 seconds
  • Max message size is 256 KB
  • Max retention period is 14 days; min is 1 minute; default is 4 days
  • FIFO queues support up to 3,000 messages per second

Lambda Function

  • The total size of environment variables for a function cannot exceed 4 KB.
  • Max timeout is 15 minutes
  • Max /tmp folder size is 512 MB
  • Lambda function deployment size (compressed .zip): 50 MB. Size of uncompressed deployment (code + dependencies): 250 MB
  • AWS Support cannot increase the Lambda timeout upper limit.

gp2 EBS volumes

  • Max IOPS is 16,000
  • 3 IOPS per GB
  • A 5,334 GB volume reaches the max IOPS

Step Function

Express Workflows have a maximum duration of five minutes and Standard workflows have a maximum duration of one year.

DynamoDB

Max item size is 400 KB

How many Aurora Read Replicas can you have in a single Aurora DB cluster?

15

The ephemeral port range is 1024-65535

  • Requests originating from Elastic Load Balancing use ports 1024-65535
  • AWS Lambda functions use ports 1024-65535.
  • A NAT gateway uses ports 1024-65535

S3 Object size

  • Max object size is 5 TB (5000 GB)
  • To upload an object larger than 5 GB, you must use multipart upload

AWS Kinesis retention time

A Kinesis data stream stores records for 24 hours by default, up to 8760 hours (365 days).

aws kinesis increase-stream-retention-period --stream-name retentionPeriodDemo --retention-period-hours 72

Beanstalk file size

When you use the AWS Elastic Beanstalk console to deploy a new application

the maximum source bundle size is 512 MB (zip or war file)

Process

AWS Cloud Development Kit (CDK)

It supports Java, Python, C#, JavaScript and TypeScript

  1. cdk bootstrap
  2. cdk synth
  3. cdk deploy

Tricky questions

1. ApproximateNumberOfMessagesVisible metric of SQS and Auto Scaling

  • Cannot use the ApproximateNumberOfMessagesVisible metric directly
  • Need to create a backlog-per-instance (message count divided by instance count) CloudWatch metric
  • Use the backlog-per-instance metric with a target tracking scaling policy

2. ElastiCache Redis vs Memcached

  • Redis supports replication. Memcached does not.
  • Both can be used to store session data. This is better than using session stickiness

3. Which AWS entities can be used to deploy SSL/TLS server certificates

  • AWS Certificate Manager
  • IAM (Use IAM as a certificate manager only when you must support HTTPS connections in a Region that is not supported by ACM)

4. Load balancer and regions?

A Load Balancer can target EC2 instances only within an AWS Region.

5. IAM database authentication

IAM database authentication works with MySQL, MariaDB and PostgreSQL.

6. Lambda and container

  • The container image must implement the Lambda Runtime API
  • You must create the Lambda function from the same account as the container registry in Amazon ECR
  • You can deploy a Lambda function as a container image of up to 10 GB.

7. Destinations of Kinesis Data Firehose

  • Amazon S3
  • Amazon Redshift
  • Amazon ElasticSearch

8. VPC endpoint

  • Internet gateway: a combination of hardware and software that provides your private network (VPC) with a router to the outside world (the internet)
  • NAT: network address translation. Its purpose is to translate one set of IP addresses to another, such as translating private IPs to public IPs
  • Subnet: a sub-section of a network. Each subnet must reside entirely within one AZ. A VPC spans all AZs in a region; you can add one or more subnets in each AZ to the VPC
  • NACL: a network ACL is a firewall that controls traffic to and from a subnet using rules. Rules use only IPs to allow or deny access to the subnet. It is stateless because return traffic must be explicitly allowed; by contrast, a security group is stateful because return traffic is automatically allowed.
  • VPC endpoint:
    • All AWS services are public
    • For an EC2 instance inside a VPC, you can create a VPC endpoint inside the VPC for those services
    • Through this VPC endpoint, EC2 can talk to those AWS services privately

9. Lambda function in a VPC

  • A Lambda function in a VPC does not have access to the internet
  • Placing a Lambda function in a public subnet does not give it internet access or a public IP either
  • To get internet access, deploy the Lambda function in a private subnet, then route outbound traffic to a NAT gateway in a public subnet
  • The NAT gateway has an Elastic IP. You can use this IP in a security group as an inbound source for an ELB if you want to access a restricted ELB

10. You would like to know the security group and the instance id of the current instance.

Query the instance metadata at http://169.254.169.254/latest/meta-data

11. A Lambda function in AWS Account A needs to access a DynamoDB table in another AWS Account B

  • In Account B, create an IAM role with access to the DynamoDB table
  • Modify the trust policy of that role in Account B to allow the Lambda function's execution role to assume it.
  • Add an AWS STS AssumeRole API call in the Lambda function
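The three policies the steps above describe, written out as an added example (not code from the original notes). Account IDs, role names, region and table name are constructed placeholders; can_assume is a deliberately minimal trust-policy check (no Condition support) that shows why naming the execution role, rather than the whole account, keeps the trust narrow.

```python
import json

# Constructed example: account IDs, role names, region and table name are
# placeholders, not values from the original notes.
ACCOUNT_A = "111111111111"  # runs the Lambda function
ACCOUNT_B = "222222222222"  # owns the DynamoDB table
LAMBDA_EXEC_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_A}:role/orders-lambda-exec"
CROSS_ACCOUNT_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_B}:role/orders-table-reader"
TABLE_ARN = f"arn:aws:dynamodb:us-east-1:{ACCOUNT_B}:table/Orders"


def table_access_policy(table_arn: str) -> dict:
    """Step 1: permissions policy of the role in account B, scoped to one table
    and to the read actions the function actually needs."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["dynamodb:GetItem", "dynamodb:Query"],
            "Resource": table_arn,
        }],
    }


def trust_policy(trusted_principal_arn: str) -> dict:
    """Step 2: trust policy of the role in account B. Naming the Lambda
    execution role instead of arn:aws:iam::<A>:root means no other principal
    in account A can assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": trusted_principal_arn},
            "Action": "sts:AssumeRole",
        }],
    }


def assume_role_policy(role_arn: str) -> dict:
    """Step 3: the Lambda execution role in account A must itself be allowed to
    call sts:AssumeRole on the account-B role. At runtime the function calls
    boto3.client("sts").assume_role(RoleArn=role_arn, RoleSessionName=...)
    and uses the returned temporary credentials for its DynamoDB client."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": role_arn,
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def can_assume(policy: dict, caller_arn: str) -> bool:
    """Minimal trust-policy check: an explicit Deny naming the caller wins;
    otherwise the caller needs at least one Allow statement that lists it
    (or "*") as an AWS principal and grants sts:AssumeRole."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = _as_list(stmt.get("Action", []))
        if not {"sts:AssumeRole", "sts:*", "*"} & set(actions):
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, str):
            principals = [principal]
        else:
            principals = _as_list(principal.get("AWS", []))
        if caller_arn not in principals and "*" not in principals:
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    print(json.dumps(trust_policy(LAMBDA_EXEC_ROLE_ARN), indent=2))
    print(can_assume(trust_policy(LAMBDA_EXEC_ROLE_ARN), LAMBDA_EXEC_ROLE_ARN))
```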

12. CloudWatch

  • CloudWatch Logs metric filters define the terms and patterns to look for in log data as it is sent to CloudWatch Logs. CloudWatch Logs uses these metric filters to turn log data into numerical CloudWatch metrics that you can graph or set alarms on.
  • A namespace is a container for CloudWatch metrics. Metrics in different namespaces are isolated from each other. Every metric belongs to a namespace
  • A dimension is an attribute of a metric
  • The standard CloudWatch metrics do not include memory utilization.
  • High-resolution alarms: if you set an alarm on a high-resolution metric, you can specify a high-resolution alarm with a period of 10 seconds or 30 seconds, or you can set a regular alarm with a period of any multiple of 60 seconds.

13. S3 server-side encryption

  • SSE-S3: uses keys managed by Amazon S3. With Amazon S3 default encryption, you can set the default encryption behavior for an S3 bucket so that all new objects are encrypted when they are stored in the bucket.
  • SSE-KMS: uses keys managed by AWS KMS. Requests need the header x-amz-server-side-encryption: aws:kms
  • SSE-C: uses a key provided by the client. The key travels in the request headers, so the request must be sent over HTTPS. Amazon S3 rejects any request made over HTTP when using SSE-C.

14. S3 prefix and performance

  • To avoid throttling in Amazon S3 you must ensure you do not exceed certain limits on a per-prefix basis. You can send 3,500 PUT/COPY/POST/DELETE or 5,500 GET/HEAD requests per second per prefix in an Amazon S3 bucket
  • There are no limits to the number of prefixes in a bucket. You can increase your read or write performance by using parallelization. For example, if you create 10 prefixes in an Amazon S3 bucket to parallelize reads, you could scale your read performance to 55,000 read requests per second. Similarly, you can scale write operations by writing to multiple prefixes.

15. API Gateway – Security: Lambda Authorizer

Uses a third-party authentication system

  • Token-based authorizer (bearer token), e.g. JWT (JSON Web Token) or OAuth
  • Request parameter-based authorizer

16. A website is running on a single Amazon EC2 instance. What type of IP address MUST be assigned to the EC2 instance and used in the A record to ensure ongoing connectivity?

  • Answer: an Elastic IP is the only type of static, public IP address you can assign to an Amazon EC2 instance. A public IP is not static and changes every time the EC2 instance restarts.
  • An Elastic IP address is a static IPv4 address designed for dynamic cloud computing.
  • An Elastic IP address is allocated to your AWS account, and is yours until you release it.

17. KMS key rotation cycle

When you enable automatic key rotation for a KMS key, AWS KMS generates new cryptographic material for the KMS key every year.

18. Decode an encoded error message

aws sts decode-authorization-message --encoded-message ...

19. Encryption in Kinesis data stream

Server-side encryption using AWS Key Management Service (AWS KMS) keys makes it easy for you to meet strict data management requirements by encrypting your data at rest within Amazon Kinesis Data Streams.

20. Serverless application created by SAM Deployment

If you use AWS SAM to create your serverless application, it comes built-in with CodeDeploy to provide gradual Lambda deployments.

  • Canary: CodeDeployDefault.LambdaCanary10Percent5Minutes
  • Linear: CodeDeployDefault.LambdaLinear10PercentEvery1Minute
  • All-at-once: All traffic is shifted from the original Lambda function to the updated Lambda function version at once

21. Applying a trail to all regions

  • Applying a trail to all AWS Regions refers to creating a trail that will record AWS account activity across all regions
  • You receive a record of account activity made in your AWS account across all regions in one Amazon S3 bucket or CloudWatch Logs log group

22. Resource-based policies and DynamoDB tables

  • DynamoDB tables do not support resource-based policies
  • Amazon DynamoDB supports identity-based policies only

23. Scanning DynamoDB tables

  • Scan consumes a lot of RCUs
  • To limit the impact, use Limit or reduce the size of the result set, and pause between requests
  • For faster performance, use parallel scan. However, it increases throughput and RCUs consumed. To limit the impact, rate-limit the scan

24. Writing an AWS Lambda function that sends notifications for state changes of AWS CodePipeline

  • AWS CodePipeline can be configured as an event source in CloudWatch Events
  • Create an Amazon CloudWatch Events rule that uses CodePipeline as an event source to invoke Lambda
  • For CodeCommit, you can set up the event in the CodeCommit settings. The target can be an SNS topic or AWS Chatbot (Slack)

25. DynamoDB strongly consistent reads vs eventually consistent reads

  • An eventually consistent read may return stale data because of replication lag if a write has just happened
  • A strongly consistent read always returns the correct data
  • Set ConsistentRead to true in the API call to force a strongly consistent read

26. Websocket API and route selection expression

If your JSON messages contain an action property and you want to perform different actions based on this property, your route selection expression might be ${request.body.action}. Your routing table would specify which action to perform by matching the value of the action property against the custom route key values that you have defined in the table.

//INCOMING DATA (body)
{
   "service" : "chat",
   "action" : "join",
   "data" : {
       "room" : "room1234"
   }
}
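How that routing behaves for the message above, as an added example (not code from the original notes or from API Gateway): a small evaluator for ${request.body.<path>} expressions against a constructed routing table, including the fallback to the $default route when the value matches no custom route key.

```python
import json
import re

# A route selection expression of the form ${request.body.<path>}, where
# <path> may be a dotted path into the JSON message body.
_SELECTION_RE = re.compile(
    r"^\$\{request\.body\.([A-Za-z0-9_]+(?:\.[A-Za-z0-9_]+)*)\}$"
)

# Constructed routing table: route key -> integration name (placeholders).
ROUTES = {
    "join": "JoinRoomIntegration",
    "leave": "LeaveRoomIntegration",
    "$default": "UnknownActionIntegration",
}

# The incoming message body shown in the notes above.
INCOMING_MESSAGE = json.dumps({
    "service": "chat",
    "action": "join",
    "data": {"room": "room1234"},
})


def evaluate_selection(expression: str, body: dict):
    """Resolve ${request.body.a.b} against the parsed body; None if absent."""
    match = _SELECTION_RE.match(expression)
    if match is None:
        raise ValueError(f"unsupported route selection expression: {expression}")
    value = body
    for key in match.group(1).split("."):
        if not isinstance(value, dict) or key not in value:
            return None
        value = value[key]
    return value


def select_route(expression: str, raw_message: str, routes: dict) -> str:
    """Return the route key the message is dispatched to. Anything that does
    not resolve to a defined custom route key falls back to $default."""
    try:
        body = json.loads(raw_message)
    except json.JSONDecodeError:
        return "$default"  # not JSON, so the expression cannot be evaluated
    if not isinstance(body, dict):
        return "$default"
    value = evaluate_selection(expression, body)
    if isinstance(value, str) and value in routes:
        return value
    return "$default"


def dispatch(expression: str, raw_message: str, routes: dict):
    """Map a message to the integration behind its selected route. Returns
    None when no $default route is defined, the case in which API Gateway
    returns an error to the client instead."""
    return routes.get(select_route(expression, raw_message, routes))


if __name__ == "__main__":
    print(dispatch("${request.body.action}", INCOMING_MESSAGE, ROUTES))
```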

27. DynamoDB Encryption Client

  • a software library that enables you to include client-side encryption in your Amazon DynamoDB design
  • The DynamoDB Encryption Client is designed to be implemented in new, unpopulated databases.
  • The DynamoDB Encryption Client does not support the encryption of existing, unencrypted DynamoDB table data

28. CreateUsagePlanKey

Creates a usage plan key for adding an existing API key to a usage plan.

29. Cross-account cross-Region CloudWatch console

In AWS you can enable the cross-account cross-Region CloudWatch console. Then you can create cross-account cross-Region dashboards, which summarize your CloudWatch data from multiple AWS accounts and multiple Regions into one dashboard.

30. CloudFormation StackSets

  • Create, update or delete a stack across multiple accounts and multiple regions
  • An administrator creates a StackSet
  • When you update a StackSet, all stack instances are updated across all accounts and all regions

31. SQS long polling

  • Reduces cost
  • Receives a message as soon as it arrives in the queue
  • When the wait time for the ReceiveMessage API action is greater than 0, long polling is in effect

32. X-Ray write APIs

  • PutTraceSegments: uploads segment documents to AWS X-Ray
  • PutTelemetryRecords: used by the AWS X-Ray daemon to upload telemetry such as SegmentsReceivedCount, SegmentsRejectedCount, BackendConnectionErrors...
  • GetSamplingRules: retrieves all sampling rules (to know what/when to send)

33. Service control policies and AWS Organization

  • Service control policies (SCPs) are a type of organization policy that you can use to manage permissions in your organization
  • SCPs offer central control over the maximum available permissions for all accounts in your organization.
  • You can configure the SCPs in your organization to work as either of the following: deny list or allow list
  • You cannot create deny policies in IAM. IAM policies implicitly deny access unless you explicitly allow permissions.

34. According to AWS best practice, how should access keys be managed to improve security?

  • Remove (or Don't Generate) Account Access Key for root account
  • Don't embed access keys directly into code.
  • Use different access keys for different applications.
  • Rotate access keys periodically.
  • Remove unused access keys.

35. How can you enhance the security of your ElastiCache Redis Cluster by forcing users to enter a password when they connect?

Use Redis AUTH.

36. IAM service principal vs principal

  • A service principal is an AWS IAM principal that represents an AWS service.
  • A principal represents an AWS account or user

37. AWS CodeCommit and Security

AWS CodeCommit automatically encrypts your files in transit and at rest.

38. AWS CLI pagination

Under the hood, the AWS CLI uses a page size to decide how many API calls to make to retrieve items. For example, S3 has a default page size of 1000. If you have 3,500 objects in the bucket, the AWS CLI automatically makes four calls to Amazon S3, handling the service-specific pagination logic for you in the background and returning all 3,500 objects in the final output.

  • --no-paginate: only returns the first 1000 objects
  • --page-size: the CLI still makes as many API calls in the background as needed to retrieve all items; use a smaller page size to prevent timeouts when a page would be too big
  • --max-items: controls how many items appear in the output. It does not affect the number of underlying API calls.
  • --starting-token: if --max-items is smaller than the total number of items, the output includes a NextToken. Pass this NextToken as the value of --starting-token and iterate to get all items, like traditional pagination

39. AWS RDS storage auto scaling

Starting Jun 20, 2019, Amazon RDS for MariaDB, Amazon RDS for MySQL, Amazon RDS for PostgreSQL, Amazon RDS for SQL Server and Amazon RDS for Oracle support RDS Storage Auto Scaling.

40. VPC endpoint types

  • Gateway endpoints are used for S3 and DynamoDB
  • The rest use interface endpoints. Note that S3 also supports an interface endpoint

41. /etc/ecs/ecs.config

The Linux variants of the Amazon ECS-optimized AMI look for agent configuration data in the /etc/ecs/ecs.config file when the container agent starts. You can specify this configuration data at launch with Amazon EC2 user data.

#!/bin/bash
echo "ECS_CLUSTER=MyCluster" >> /etc/ecs/ecs.config

42. ALB and authentication

  • Application Load Balancer can be used to securely authenticate users for accessing your applications.
  • This enables you to offload the work of authenticating users to your load balancer so that your applications can focus on their business logic.
  • Use Cognito Authentication via Cognito User Pools for your Application Load Balancer

43. How can I automate the replacement of unhealthy Amazon EC2 instances in an Elastic Beanstalk environment?

  • By default, the health check type of your Auto Scaling group is set to EC2
  • Use a configuration file to change the health check type of your environment's Auto Scaling group from EC2 to ELB

44. Amazon S3 delivers strong read-after-write consistency automatically

  • all S3 GET, PUT, and LIST operations, as well as operations that change object tags, ACLs, or metadata, are strongly consistent
  • What you write is what you will read
  • The results of a LIST are an accurate reflection of what is in the bucket
  • Bucket configurations have an eventual consistency model. If you delete a bucket and immediately list all buckets, the deleted bucket might still appear in the list.

45. HTTP 5xx codes

  • HTTP 500 indicates 'Internal server error'
  • HTTP 503 indicates 'Service unavailable'
  • HTTP 504 indicates 'Gateway timeout'

46. SQS Extended Client

  • It is a Java library
  • Used to send large messages (>256 KB)
  • The message is stored in S3
  • Small metadata is stored in SQS

47. EC2 monitoring resolution

  • Basic EC2 instance metrics are reported every 5 minutes
  • With detailed monitoring, data is available every 1 minute

48. CloudWatch Custom Metrics Resolution

  • API call PutMetricData
  • Standard resolution is every 1 minute
  • High resolution is 1, 5, 10, 30 seconds

49. Kinesis Client Library (KCL)

  • A Java library that helps read records from a Kinesis Data Stream with distributed applications sharing the read workload
  • Each shard is read by only one KCL instance
  • KCL can run on EC2, Elastic Beanstalk, and on-premises

50. AWS S3 other properties

  • Amazon S3 Transfer Acceleration enables fast, easy, and secure transfers of files over long distances between your client and an S3 bucket. Transfer Acceleration takes advantage of Amazon CloudFront’s globally distributed edge locations. As the data arrives at an edge location, data is routed to Amazon S3 over an optimized network path.

51. AWS CodeStar

AWS CodeStar enables you to quickly develop, build, and deploy applications on AWS. AWS CodeStar provides a unified user interface, enabling you to easily manage your software development activities in one place. With AWS CodeStar, you can set up your entire continuous delivery toolchain in minutes, allowing you to start releasing code faster.

52. Which method should the Developer use to access the multi-factor authentication protected API?

GetSessionToken.

  • GetSessionToken: for MFA, from a user or AWS account root user
  • GetFederationToken: obtain temporary creds for a federated user
  • GetCallerIdentity: return details about the IAM user or role used in the API call

53. Secrets Manager vs SSM Parameter Store

  • Secrets Manager supports automatic rotation of secrets with a Lambda function. SSM Parameter Store has no built-in rotation of secrets
  • For Secrets Manager, KMS encryption is mandatory. For SSM Parameter Store, it is optional

54. Hooks in appspec.yaml for codedeploy

For Lambda

  • BeforeAllowTraffic
  • AfterAllowTraffic

For EC2 Blue Green deployment

  • ApplicationStop
  • DownloadBundle
  • BeforeInstall
  • Install
  • AfterInstall
  • ApplicationStart
  • ValidateService

For ECS Deployment

  • BeforeInstall
  • AfterInstall
  • AfterAllowTestTraffic
  • BeforeAllowTraffic
  • AfterAllowTraffic

55. AWS Services which are global

  • IAM
  • Route 53
  • CloudFront
  • WAF (Web Application Firewall)

56. IAM security tools

  • IAM Credentials Report: lists all your account's users and the status of their credentials.
  • IAM Access Advisor (user level): shows the permissions granted to a user and when those services were last accessed
  • IAM Access Analyzer: identifies unintended access to your resources and data, which is a security risk
  • AWS Trusted Advisor: gives guidance to help you provision your resources following AWS best practices
  • Amazon Inspector: automatically assesses applications for exposure, vulnerabilities, and deviations from best practices

57. EC2 Instance Store

  • High-performance local hardware disk. Note that EBS is a network drive
  • Better I/O performance
  • Storage is lost if the instance is stopped
  • Good for buffers, caches and other temporary content
  • Max IOPS can be 2 million

58. EBS volume types

  • gp2/gp3 (SSD): general purpose SSD. Max IOPS 16,000
  • io1/io2 (SSD): high performance SSD. Max IOPS 64,000
  • st1 (HDD): for frequently accessed, throughput-intensive workloads. Max IOPS 500
  • sc1 (HDD): for less frequently accessed workloads. Max IOPS 250
  • Only gp2/gp3 and io1/io2 can be used as boot volumes
  • io2 Block Express can have max IOPS 256,000

59. NLB and IP

  • NLB has one static IP per AZ
  • Support assigning Elastic IP

60. Cross-Zone Load Balancing

  • If enabled, traffic is distributed evenly across all registered instances in all AZs
  • If NOT enabled, traffic is divided by AZ. That means every AZ gets the same amount of traffic
  • For ALB, it is always on. For Classic LB and NLB, it is disabled by default.

61. Scaling rules managed by EC2

  • Average CPU usage
  • Number of requests per instance
  • Average network in/out

62. ElastiCache with cluster mode enabled: to ensure high availability

Enable Multi-AZ

63. Service sources for Lambda event source mapping

  • DynamoDB
  • Kinesis
  • SQS

63. AWS Profile

  • create profile:
    aws configure --profile my-other-account
  • use profile:
    aws s3 ls --profile my-other-account

64. AWS S3 Byte-Range Fetches

Using the Range HTTP header in a GET Object request, you can fetch a byte-range from an object, transferring only the specified portion

65. ECS Service Auto Scaling

It is different from EC2 auto scaling. ECS service can scale on:

  • Average CPU Utilization
  • Average Memory Utilization
  • ALB Request Count Per Target

66. Exported output in CloudFormation

For each AWS account, export names must be unique within a region

67. Access Control Lists (ACL)

  • Use ACLs to control which principals in other accounts can access the resource to which the ACL is attached.
  • ACLs cannot grant permissions to entities within the same account

68. SAM supports the following resource types

  • AWS::Serverless::Function
  • AWS::Serverless::SimpleTable
  • AWS::Serverless::StateMachine
  • AWS::Serverless::Api
  • AWS::Serverless::HttpApi
  • AWS::Serverless::LayerVersion
  • AWS::Serverless::Application

69. Text message MFA

SMS-based MFA is available only for IAM users; you cannot use this type of MFA with the AWS account root user.

70. Dedicated Host and Instance

  • Dedicated Hosts – book an entire physical server, control instance placement. Can bring your server-bound software license
  • Dedicated Instances – no other customers will share your hardware

71. Beanstalk Traffic Splitting

  • Can do canary testing
  • Deploys to a temporary ASG
  • A small percentage of traffic is sent to the new version for some time
  • If there is a failure, automatic rollback
  • If good, new instances are migrated from the temporary to the original ASG
  • The old application version is terminated
  • No DNS change. This point is different from Blue/Green

72. AWS CodeGuru

  • automatic code review
  • performance recommendation

73. Pseudo Parameters in CloudFormation

  • AWS::AccountId
  • AWS::NotificationARNs
  • AWS::NoValue
  • AWS::Region
  • AWS::StackId
  • AWS::StackName

74. io1 volumes

  • Max 50 IOPS for every GB
  • Max total is 64,000 IOPS

75. Requests that do not need to be signed

  • Anonymous requests made to Amazon S3 resources need not be signed.
  • Some API operations in AWS Security Token Service (AWS STS) are exempt from signing too.

76. Default EC2 monitoring

  • Detailed monitoring is enabled by default when you create a launch configuration using the AWS CLI or an SDK.
  • Basic monitoring is enabled when you create a launch template or when you use the AWS Management Console

77. CloudFormation currently supports the following parameter types

  • String – A literal string
  • Number – An integer or float
  • List<Number> – An array of integers or floats
  • CommaDelimitedList – An array of literal strings that are separated by commas
  • AWS::EC2::KeyPair::KeyName – An Amazon EC2 key pair name
  • AWS::EC2::SecurityGroup::Id – A security group ID
  • AWS::EC2::Subnet::Id – A subnet ID
  • AWS::EC2::VPC::Id – A VPC ID
  • List<AWS::EC2::VPC::Id> – An array of VPC IDs
  • List<AWS::EC2::SecurityGroup::Id> – An array of security group IDs
  • List<AWS::EC2::Subnet::Id> – An array of subnet IDs

78. Control access to Amazon S3 resources

  • Identity and Access Management (IAM) policies
  • bucket policies
  • Access Control Lists (ACLs)
  • Query String Authentication. Also called pre-signed URL

79. S3 Bucket Ownership Setting

  • Object writer – The uploading account will own the object.
  • Bucket owner preferred – The bucket owner will own the object if the object is uploaded with the bucket-owner-full-control canned ACL.

80. ElastiCache improves latency and throughput for

  • Read-intensive workloads
  • Compute-intensive workloads

81. CodeDeploy revision archiving

  • CodeDeploy can archive revisions on instances
  • Configure :max_revisions to decide how many revisions are kept.

82. SQS access policy

  • Like an S3 bucket policy
  • Can be used to enable cross-account access
  • Can be used to allow S3 to publish event notifications to SQS

83. SNS Message Filtering

By default, an Amazon SNS topic subscriber receives every message published to the topic. To receive a subset of the messages, a subscriber must assign a filter policy to the topic subscription.

84. Redis cluster mode enabled

  • All the nodes in a Redis cluster must reside in the same region
  • While using Redis with cluster mode enabled, you cannot manually promote any of the replica nodes to primary
  • Whenever data is written to the primary, the changes are asynchronously propagated to all the read replicas, for both cluster mode enabled and cluster mode disabled

85. ALB and IP targets

  • Cannot specify publicly routable IP addresses. Only private IP addresses from specific CIDR blocks can be specified
  • Can route traffic to an instance using any private IP address from one or more network interfaces.
  • If you specify targets using an instance ID, traffic is routed to instances using the primary private IP address

86. Kinesis producers

  • Kinesis SDK
  • Kinesis Producer Library (KPL) (better)
  • Kinesis Agent (for Linux, log files etc.)

87. CloudTrail and S3 Bucket

  • If the bucket owner is also the object owner, the bucket owner gets the object access logs.
  • If not, the bucket owner must get permissions, through the object ACL, for the same object API to get the same object-access API logs.

88. SSE-C and SSE-S3

  • SSE-C uses a customer-provided key
  • SSE-S3 uses an S3-managed key

89. S3 static website

  • A Route 53 alias record pointing to an S3 static website does not need CORS
  • A bucket policy is needed to grant access

90. Redirect HTTP to HTTPS

Both port 80 and port 443 need to be open

Solution Architecture Questions

91. The largest CIDR block size in AWS

/16

92. EC2 to internet

  • An EC2 instance is inside a subnet, which is in a VPC
  • The subnet has a route table
  • A VPC is mapped one-to-one to an internet gateway
  • The route table has a rule to the internet gateway: if the destination is 0.0.0.0/0, the target is the internet gateway. This is a public subnet.

If the subnet's route table does not have a rule to the internet gateway:

  • It is a private subnet
  • For EC2 to connect to the internet, add a route table rule to a NAT gateway in the public subnet

93. NACL (Network Access Control List)

  • Every subnet has one NACL. A newly created subnet is assigned the default NACL
  • You can associate a NACL with multiple subnets. However, a subnet can be associated with only one network ACL at a time
  • The default NACL accepts everything inbound and outbound
  • A newly created NACL denies everything
    • Each rule has a number
    • Rules are evaluated in order (from the lowest number to the highest)
    • A lower number has higher precedence
    • The first matched rule (the one with the lowest number) directs the decision
    • After the first rule (with the lowest number) is matched, the other rules no longer matter
    • There should always be a last wildcard (*) rule, which denies the request. Therefore, make sure every request you want to let through matches at least one rule.
  • Also, security groups have no deny rules. Use a NACL to deny an IP
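The rule-evaluation order described above, together with the stateless behaviour from item 8 and the ephemeral port range noted earlier, as an added example (not code from the original notes or from AWS). The rule set is constructed; 203.0.113.7 and 198.51.100.20 are documentation addresses standing in for a blocked and an ordinary client.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Ephemeral port range used by clients, ELB, Lambda and NAT gateways; a
# server's reply travels back to one of these ports on the client.
EPHEMERAL_PORTS = (1024, 65535)


@dataclass(frozen=True)
class NaclRule:
    number: int                        # lower numbers are evaluated first
    protocol: str                      # "tcp", "udp", "icmp" or "-1" for all
    cidr: str                          # source (inbound) or destination (outbound)
    ports: Optional[Tuple[int, int]]   # inclusive range; None = all ports
    action: str                        # "allow" or "deny"

    def matches(self, protocol: str, ip: str, port: int) -> bool:
        if self.protocol not in ("-1", protocol):
            return False
        if ipaddress.ip_address(ip) not in ipaddress.ip_network(self.cidr):
            return False
        return self.ports is None or self.ports[0] <= port <= self.ports[1]


def evaluate(rules: List[NaclRule], protocol: str, ip: str, port: int):
    """The first matching rule in ascending number order decides; if nothing
    matches, the wildcard '*' rule denies. Returns (action, rule_number)."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(protocol, ip, port):
            return rule.action, rule.number
    return "deny", "*"


# Constructed rule set for a subnet hosting an HTTPS service. Rule 90 blocks
# one client; because 90 < 100 it wins over the general allow.
INBOUND = [
    NaclRule(90, "tcp", "203.0.113.7/32", (443, 443), "deny"),
    NaclRule(100, "tcp", "0.0.0.0/0", (443, 443), "allow"),
]
OUTBOUND = [
    NaclRule(100, "tcp", "0.0.0.0/0", EPHEMERAL_PORTS, "allow"),
]


def connection_allowed(inbound: List[NaclRule], outbound: List[NaclRule],
                       client_ip: str, service_port: int, client_port: int) -> bool:
    """A NACL is stateless: the request must pass the inbound rules AND the
    reply to the client's ephemeral port must pass the outbound rules."""
    request, _ = evaluate(inbound, "tcp", client_ip, service_port)
    reply, _ = evaluate(outbound, "tcp", client_ip, client_port)
    return request == "allow" and reply == "allow"


if __name__ == "__main__":
    print(evaluate(INBOUND, "tcp", "203.0.113.7", 443))
    print(connection_allowed(INBOUND, OUTBOUND, "198.51.100.20", 443, 50000))
    # Dropping the outbound ephemeral rule silently breaks every connection.
    print(connection_allowed(INBOUND, [], "198.51.100.20", 443, 50000))
```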

94. How to set up a Direct Connect to more than one VPC in many different regions (in the same account)

Use a Direct Connect Gateway

95. Reserved IP address in a VPC

AWS reserves 5 IP addresses (first 4 and last 1) in each subnet

96. Assign public hostnames to EC2 instances with public IPv4 addresses in a VPC

  • enableDnsSupport (DNS resolution)
  • enableDnsHostnames

97. Set up an AWS Site-to-Site VPN connection between an on-premises data center and a VPC

  • On the on-premises side, set up a Customer Gateway
  • In the VPC, set up a Virtual Private Gateway
  • Enable route propagation for the Virtual Private Gateway in the route table
  • To ping an EC2 instance from on-premises, add the ICMP protocol to the security group
  • If several on-premises sites connect to the same Virtual Private Gateway, it is called AWS VPN CloudHub. These on-premises sites can talk to each other.

98. The default termination policy for an Auto Scaling group

  • It tries to balance across AZs first
  • Then it terminates based on the age of the launch configuration.

99. Redis sorted sets use cases

  • Real time Leaderboards
  • Rate limiters

100. Add extra CIDR for a VPC

You can add up to five IPv4 CIDR blocks to your VPC by default, but the limit is adjustable

101. Kinesis enhanced fan-out

  • Without this feature, the 2 MB/sec per shard is shared by all consumers.
  • With this feature, each consumer receives 2 MB/sec per shard

102. AWS Global Accelerator

  • A network service to improve performance
  • Works with Elastic IPs, EC2 instances, ALB or NLB
  • Uses anycast IP; provides two static public IPs
  • Routes clients to the nearest edge location
  • From the edge location, traffic reaches your AWS application over the AWS private network
  • Global Accelerator is a good fit for non-HTTP use cases, such as gaming (UDP), IoT (MQTT), or Voice over IP, as well as for HTTP use cases that specifically require static IP addresses or deterministic, fast regional failover

103. Billing for AWS Shield Advanced across multiple accounts

  • Use a single consolidated billing family for all accounts
  • $3000 per month per organization
  • Without consolidated billing, you pay $3000 for every account

104. Disaster recovery strategies

  • Backup and Restore --- use backups to recreate the infrastructure
  • Pilot Light --- a small version (the critical part of the system) is running
  • Warm Standby --- the full system is running, but at minimum size
  • Hot Site / Multi-Site approach --- the system is running at full production scale

105. AWS Database Migration Service

  • Database to database
  • S3 to streaming services such as Amazon Kinesis Data Streams and Amazon Managed Streaming for Apache Kafka

106. Use CloudFront distribution in front of the Application Load Balancer

  • CloudFront can cache objects and serve them directly to users (viewers)
  • Configure CloudFront to add a custom HTTP header to requests that it sends to the Application Load Balancer
  • Configure the Application Load Balancer to only forward requests that contain the custom HTTP header

107. Amazon S3 One Zone-Infrequent Access

  • S3 One Zone-IA stores data in a single AZ and costs 20% less than S3 Standard-IA.
  • The minimum storage duration is 30 days before you can transition objects from S3 Standard to S3 One Zone-IA.
  • S3 One Zone-IA offers the same high durability, high throughput, and low latency as S3 Standard.

108. NAT instances and port forwarding

  • Port forwarding definition
  • NAT instances support port forwarding. You can manually customize the configuration to support it.
  • NAT gateways do not support port forwarding

109. Cost Saving

  • Use AWS Cost Explorer Resource Optimization to get a report of EC2 instances that are either idle or have low utilization
  • Use AWS Compute Optimizer to look at instance type recommendations

110. VPC sharing

  • allows multiple AWS accounts to create their application resources, such as Amazon EC2 instances, Amazon Relational Database Service (RDS) databases, Amazon Redshift clusters, and AWS Lambda functions, into shared, centrally-managed virtual private clouds (VPCs).
  • In this model, the account that owns the VPC (owner) shares one or more subnets with other accounts (participants) that belong to the same organization from AWS Organizations.

110. Copy snowball edge data into S3 glacier

  • The data stored on the Snowball Edge device can be copied into the S3 bucket
  • and later transitioned into AWS Glacier via a lifecycle policy.
  • You can't directly copy data from Snowball Edge devices into AWS Glacier.

111. CloudWatch alarm and email

  • A CloudWatch alarm action publishes to an SNS topic
  • An email address can subscribe to the SNS topic

112. Existing server-bound software licenses

  • Dedicated Hosts enable you to use your existing server-bound software licenses like Windows Server and address corporate compliance and regulatory requirements
  • Dedicated Instances cannot be used for existing server-bound software licenses because Dedicated Instances may share hardware with other instances from the same AWS account

113. Amazon GuardDuty

  • Intelligent threat detection to protect your AWS account
  • Uses CloudTrail logs, VPC Flow Logs, DNS logs and Kubernetes audit logs
  • Detects cryptocurrency (crypto-mining) attacks
  • Disabling the service deletes all remaining data, including your findings and configuration

114. Cloudwatch and Action on EC2 instance

  • You can create alarms to stop, terminate, reboot, or recover an EC2 instance
  • Using Amazon CloudWatch alarm actions, you can create alarms that automatically stop, terminate, reboot, or recover your EC2 instances.
  • No Lambda function is needed to perform these actions on EC2

115. AWS Lake Formation

  • A data lake is a central place for all your data. It can consist of structured and unstructured data. We use this central place to do data analysis
  • Build, manage, and create a data lake in days
  • Break down data silos across different storage systems and discover data with a central data catalog
  • Supports organization-wide data accessibility with data sharing
  • Access control and column-level security in AWS Lake Formation make centralized data permissions possible

116. IoT Core

IoT Core lets you collect data from IoT devices

117. VPC console supports 4 configurations

  • VPC with a single public subnet
  • VPC with public subnet and private subnet (NAT)
  • VPC with private subnet and site to site VPN
  • VPC with private subnet and public subnet and site to site VPN
  • Not support (Public subnet only and site to site VPN)

118. RDS Custom

  • For Oracle and SQL Server only
  • Can SSH to the underlying EC2 instance
  • Can access the OS and database to do customization and patching

119. What should you use to control access to your KMS CMKs

KMS Key policy

120. KMS and parameter store

  • Parameter Store has versioning, and KMS does not
  • KMS can automatically rotate KMS keys, but Parameter Store cannot

121. Direct Connect + VPN

It is better than Direct Connect alone

122. Delete AWS KMS Key

  • Can only delete customer-created KMS keys
  • Cannot delete a key right away; you have to schedule it for deletion
  • The waiting period is 7 to 30 days and the default is 30 days
  • You may also disable a KMS key instead

123. Price for S3, EBS and EFS

  • S3 standard $0.023 per GB usage
  • EFS $0.30 per GB usage
  • EBS $0.10 per GB of provisioned storage

124. Elastic load balancer

  • Application Load Balancers support HTTP, HTTPS and WebSocket protocols
  • Target group for ALB can be private IP, EC2 instances and Lambda
  • Network Load Balancers support TCP and UDP protocols. They also have both a static IP per AZ and a static hostname. For health checks, a Network Load Balancer supports TCP, HTTP and HTTPS
  • Target for NLB can be EC2 instances, private IPs and ALB
  • The following cookie names are reserved by the ELB (AWSALB, AWSALBAPP, AWSALBTG)

125. Two ways to do maintenance for a EC2 instance in an auto scaling group

  • Suspend the ReplaceUnhealthy process
  • Put the instance in the Standby state

126. API Gateway and throttle

  • API Gateway has account-level quotas
  • It uses the token bucket algorithm
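
The token bucket algorithm from 126, as an added example (not code from the original post or from API Gateway itself): tokens refill at a steady rate up to a burst capacity, each request spends one token, and a request that finds the bucket empty is throttled (API Gateway answers those with HTTP 429). The rate and burst values used in the simulation are constructed for the demo, not API Gateway's real account quotas.

```python
from typing import List


class TokenBucket:
    """Token bucket rate limiter: `rate` tokens are added per second up to `burst`
    tokens; every request consumes one token and is rejected when none is left."""

    def __init__(self, rate: float, burst: int, now: float = 0.0) -> None:
        self.rate = float(rate)
        self.capacity = int(burst)
        self.tokens = float(burst)   # the bucket starts full, so a burst is absorbed at once
        self.last_refill = now

    def _refill(self, now: float) -> None:
        elapsed = max(0.0, now - self.last_refill)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        self.last_refill = now

    def allow(self, now: float) -> bool:
        """True if a request at time `now` (seconds) may proceed, False if it is throttled."""
        self._refill(now)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate(rate: float, burst: int, request_times: List[float]) -> List[bool]:
    """Replay request timestamps (seconds, non-decreasing) through one bucket and
    report which requests would be accepted and which would get a 429."""
    start = request_times[0] if request_times else 0.0
    bucket = TokenBucket(rate, burst, now=start)
    return [bucket.allow(t) for t in request_times]


if __name__ == "__main__":
    # Constructed scenario: steady rate 10 requests/second, burst 5.
    # 7 requests arrive at once, then 7 more half a second later.
    times = [0.0] * 7 + [0.5] * 7
    verdicts = simulate(rate=10, burst=5, request_times=times)
    print(verdicts.count(True), "accepted,", verdicts.count(False), "throttled")   # 10 accepted, 4 throttled
```

The burst value is what absorbs a short spike; the rate is what a client sustaining traffic actually gets. Clients that see 429s should back off and retry rather than hammer the bucket while it is empty.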

127. S3 object retention period (lock period)

  • When you apply a retention period to an object version explicitly, you specify a Retain Until Date for the object version
  • Different versions of a single object can have different retention modes and periods

128. S3 Glacier Storage Classes

  • Instant Retrieval: 1. millisecond retrieval 2. min storage duration: 90 days
  • Flexible Retrieval: 1. Expedited (1 to 5 minutes), Standard (3 to 5 hours), Bulk (5 to 12 hours) 2. min storage duration: 90 days
  • Deep Archive: 1. Standard (12 hours), Bulk (48 hours) 2. min storage duration: 180 days

129. AWS S3 tools

  • S3 Access Logs --- log any requests from any account into another S3 bucket
  • Amazon S3 Analytics --- use it to get recommendations for S3 Lifecycle rules. Storage Class Analysis finds access patterns and recommends transitions from S3 Standard to S3 IA
  • S3 Select --- retrieve less data by using SQL to perform server-side filtering
  • S3 Inventory --- audit and report on the replication and encryption status of your objects

130. S3 delete marker and permanent deletion

  • When you delete an object, AWS creates a delete marker for it and the object no longer shows up in the listing. However, if you list by version, you can see the delete marker as a version of this object
  • If you list objects by version, select a specific version and delete it, that version of the object is deleted permanently

131. S3 replication

  • Can replicate to buckets in the same region or a different region. Can also replicate to a different account.
  • It is asynchronous
  • Both the source bucket and the destination bucket need versioning enabled
  • Delete markers can be replicated too. The default is not to replicate them, but the setting can be changed to replicate them
  • Permanent deletion will NOT be replicated
  • Objects that existed before the replication rule was created are not replicated. However, a one-time batch operation can copy them if we want to
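
The delete-marker behaviour in 130 and the replication rules in 131, modelled together as an added example (a toy in-memory bucket written for these notes, not S3 code or an AWS SDK): a delete without a version id only appends a marker and hides the key, a delete with a version id removes that one version, and replication copies new versions (keeping the version id), copies delete markers only when the option is on, never copies permanent deletions, and ignores objects written before the rule existed. The class and function names are assumptions for this demo.

```python
import itertools
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Version:
    key: str
    version_id: str
    body: Optional[bytes]          # None means this version is a delete marker

    @property
    def is_delete_marker(self) -> bool:
        return self.body is None


class VersionedBucket:
    """Toy model of an S3 bucket with versioning enabled (constructed for this example)."""

    def __init__(self, name: str) -> None:
        self.name = name
        self._versions: Dict[str, List[Version]] = {}   # key -> versions, oldest first
        self._ids = itertools.count(1)
        self.events: List[tuple] = []                   # change log that replication consumes

    def put_object(self, key: str, body: bytes) -> str:
        v = Version(key, f"v{next(self._ids)}", body)
        self._versions.setdefault(key, []).append(v)
        self.events.append(("put", v))
        return v.version_id

    def delete_object(self, key: str, version_id: Optional[str] = None) -> Optional[str]:
        """Without a version id S3 only adds a delete marker and keeps every version;
        with a version id that single version (marker or data) is removed for good."""
        versions = self._versions.setdefault(key, [])
        if version_id is None:
            marker = Version(key, f"v{next(self._ids)}", None)
            versions.append(marker)
            self.events.append(("delete_marker", marker))
            return marker.version_id
        for i, v in enumerate(versions):
            if v.version_id == version_id:
                del versions[i]
                self.events.append(("permanent_delete", key, version_id))
                return None
        raise KeyError(f"{key} has no version {version_id}")

    def list_objects(self) -> List[str]:
        """The plain listing: keys whose newest version is real data, not a delete marker."""
        return sorted(k for k, vs in self._versions.items() if vs and not vs[-1].is_delete_marker)

    def list_object_versions(self, key: str) -> List[Tuple[str, bool]]:
        """(version_id, is_delete_marker) for every version, including hidden ones."""
        return [(v.version_id, v.is_delete_marker) for v in self._versions.get(key, [])]

    def get_object(self, key: str) -> Optional[bytes]:
        vs = self._versions.get(key, [])
        return None if not vs or vs[-1].is_delete_marker else vs[-1].body


def replicate(src: VersionedBucket, dst: VersionedBucket, checkpoint: int,
              replicate_delete_markers: bool = False) -> int:
    """Apply the source change log from `checkpoint` (the point where the rule was
    created) onward the way a replication rule would: new versions are copied with the
    same version id, delete markers only when enabled, permanent deletions never.
    Returns how many events were applied."""
    applied = 0
    for event in src.events[checkpoint:]:
        if event[0] == "put" or (event[0] == "delete_marker" and replicate_delete_markers):
            v = event[1]
            dst._versions.setdefault(v.key, []).append(Version(v.key, v.version_id, v.body))
            applied += 1
        # "permanent_delete" events are intentionally ignored
    return applied


if __name__ == "__main__":
    src, dst = VersionedBucket("src"), VersionedBucket("dst")
    src.put_object("old.txt", b"written before the rule")
    checkpoint = len(src.events)                 # replication rule created here
    src.put_object("doc.txt", b"v1")
    marker = src.delete_object("doc.txt")        # hides doc.txt behind a delete marker
    print(src.list_objects(), src.list_object_versions("doc.txt"))
    print(replicate(src, dst, checkpoint), dst.list_objects())
    src.delete_object("doc.txt", version_id=marker)   # removing the marker restores the object
    print(src.list_objects())
```

Removing the delete marker by version id is also the standard way to recover an object that was "deleted" in a versioned bucket; Object Lock or MFA delete is what stops the versioned delete from being used to destroy data for real.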

132. FIFO SQS and batching

  • 300 API calls per second
  • When batching is enabled, we can process 3000 messages per second because the max batch is 10 messages per API call.
  • Without batching, 300 messages per second
  • If there are 1000 messages per second at peak time, use an Amazon SQS FIFO queue in batch mode with 4 messages per operation to process the messages at the peak rate (4 * 300 = 1200)

133. AWS Storage Gateway Types

  • Amazon S3 File Gateway
  • Amazon FSx File Gateway (access file shares provided by Amazon FSx for Windows File Server)
  • Volume Gateway
  • Tape Gateway

134. AWS FSx

  • Managed service to launch third-party high-performance file systems on AWS
  • FSx for Lustre
  • FSx for Windows File System
  • FSx for NetApp ONTAP
  • FSx for Open ZFS

135. Aurora Failover

  • Can have 15 replicas
  • Chooses the highest-priority one (lowest tier number)
  • If the tier is the same, picks the larger size

136. AWS Snow Family

  • Snowcone 8TB
  • Snowball Edge Storage optimized 80TB
  • Snowball Edge Compute Optimized 42TB
  • Snowmobile 100PB (1PB = 1,000 TB)
  • Snowball Edge to S3 Standard, then a lifecycle rule to Glacier (cannot go directly to Glacier)

137. Auto Scaling Settings

  • If do not have range, use desired number only
  • If want to range, set max and min number

138. S3 waterfall

139. WAF Rules

  • Scripts that are likely to be malicious.
  • IP addresses or address ranges that requests originate from.
  • Country or geographical location that requests originate from.
  • Length of a specified part of the request, such as the query string.
  • SQL code that is likely to be malicious. Prevent SQL injection
  • Strings that appear in the request
  • Labels that prior rules in the web ACL have added to the request

140. NLB health check protocols

  • Default is TCP
  • If target type ALB, protocols can be http and https

141. Access EFS file systems in other region

  • You can connect to Amazon EFS file systems from EC2 instances in other AWS regions using an inter-region VPC peering connection
  • from on-premises servers using an AWS VPN connection.

142. AWS ACM

  • Configure EventBridge to forward the daily ACM certificate expiration event to SNS to get an email notification about expiring SSL certificates
  • For CloudFront, the certificate must be created in ACM in the us-east-1 region

143. Which Amazon VPC options do I need to enable to use my private hosted zone?

  • DNS hostnames and DNS resolution are required settings for private hosted zones.

144. SNS topic type

  • FIFO
  • Standard

143 AWS multi-region KMS key

  • AWS KMS supports multi-Region keys, which are AWS KMS keys in different AWS Regions that can be used interchangeably
  • as though you had the same key in multiple Regions

144. Is S3 a file storage service

  • No
  • EFS is file storage service

145. S3 read policy

  • s3:ListBucket is applied to buckets, so the ARN is in the form "Resource":"arn:aws:s3:::mybucket"
  • s3:GetObject is applied to objects within the bucket, so the ARN is in the form "Resource":"arn:aws:s3:::mybucket/*"

146 aws:RequestedRegion in policy

  • aws:RequestedRegion represents the target of the API call.
  • sample: "Condition": { "StringEquals": { "aws:RequestedRegion": "eu-west-1" } }
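
The two S3 ARN forms in 145 and the aws:RequestedRegion condition in 146, checked with a small policy evaluator added here (not code from the original post and not the real IAM engine, which has many more operators). It implements IAM-style wildcard matching, case-insensitive action names, case-sensitive resource ARNs, StringEquals/StringNotEquals conditions, and the rule that an explicit Deny beats any Allow. The sample policy is constructed; its first two statements are the ones from the notes.

```python
import re
from typing import Dict, List, Optional, Union


def _listify(value: Union[str, List[str], None]) -> List[str]:
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern: str, value: str, case_sensitive: bool = True) -> bool:
    """IAM-style matching: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    flags = 0 if case_sensitive else re.IGNORECASE
    return re.fullmatch(regex, value, flags) is not None


def _condition_holds(condition: Dict[str, Dict[str, Union[str, List[str]]]],
                     context: Dict[str, str]) -> bool:
    """Only StringEquals / StringNotEquals are implemented (enough for aws:RequestedRegion)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            allowed = _listify(expected)
            actual = context.get(key)
            if operator == "StringEquals":
                if actual is None or actual not in allowed:
                    return False
            elif operator == "StringNotEquals":
                if actual is not None and actual in allowed:
                    return False
            else:
                raise NotImplementedError(f"condition operator {operator}")
    return True


def evaluate(policy: dict, action: str, resource: str,
             context: Optional[Dict[str, str]] = None) -> str:
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request.
    A matching Deny statement wins over every Allow, as in IAM."""
    context = context or {}
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        # action names are case-insensitive; resource ARNs are case-sensitive
        if not any(_wildcard_match(a, action, case_sensitive=False) for a in _listify(stmt.get("Action"))):
            continue
        if not any(_wildcard_match(r, resource) for r in _listify(stmt.get("Resource"))):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


# Constructed sample policy: the two S3 read statements from the notes, a region-restricted
# EC2 statement using aws:RequestedRegion, and a Deny that fences off a private prefix.
READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::mybucket"},
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::mybucket/*"},
        {
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": "*",
            "Condition": {"StringEquals": {"aws:RequestedRegion": "eu-west-1"}},
        },
        {"Effect": "Deny", "Action": "s3:*", "Resource": "arn:aws:s3:::mybucket/private/*"},
    ],
}


if __name__ == "__main__":
    print(evaluate(READ_POLICY, "s3:GetObject", "arn:aws:s3:::mybucket/reports/q1.csv"))   # Allow
    print(evaluate(READ_POLICY, "s3:GetObject", "arn:aws:s3:::mybucket"))                  # ImplicitDeny
    print(evaluate(READ_POLICY, "ec2:RunInstances", "*", {"aws:RequestedRegion": "us-east-1"}))  # ImplicitDeny
```

The two ImplicitDeny cases are the classic mistake: s3:GetObject written against the bucket ARN, or s3:ListBucket written against the `/*` object ARN, silently grants nothing. The IAM policy simulator is the real tool for checking this against a live account.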

147 Route 53

  • The latency policy is for reducing latency
  • The geolocation policy routes by the geographic location of the source IP to a specific target. It is used for content copyright restrictions etc.

148 Two modes for volume gateway

  • In the cached Volume Gateway mode, your primary data is stored in Amazon S3, while retaining your frequently accessed data locally in the cache for low latency access
  • In the stored Volume Gateway mode, your primary data is stored locally and your entire dataset is available for low latency access on premises while also asynchronously getting backed up to Amazon S3.

149. RPO and RTO for Different DR(Disaster Recovery)

  • Backup and Restore(RPO in hours, RTO 24 hours or less)
  • Pilot Light(RPO in minutes, RTO in hours)
  • Warm Standby(RPO in seconds, RTO in minutes)
  • Multi - Site (Multi - region) Active-Active (Both RPO and RTO near zeros)

150. Which AWS Service Use Security Group

  • EC2 Instances
  • Elastic Load Balancing
  • Lambda
  • Services that use EC2 instances, such as ElastiCache

151. Destinations for S3 event notification

  • SNS
  • SQS (Standard queues only; FIFO queues are not allowed)
  • Lambda

Tricky service names

Amazon Athena is a serverless service to perform analytics against S3 objects.

Some commands

AWS CLI to enable detailed monitoring of a running EC2 instance.

aws ec2 monitor-instances --instance-ids i-1234567890abcdef0

Regions or AZs bound

  • EBS is AZ bound. Use snapshot to copy
  • AMI is region bound. Can copy to other region
  • EFS works with EC2 instances in multiple AZ. It is region bound
  • CloudWatch Events rule targets must be in the same region as the rule
  • Security Groups are locked down to a region/VPC combination
  • S3 bucket is defined at region level. But need a global unique name
  • Auto Scaling groups can span across the availability Zones of a Region. It is region bound

Cloudformation tricks

1. define list in mapping

  • define a comma-separated string value in the Mappings section.
     cdeSecurityGroupIds: sg-12345,sg-678910
  • use split function to use the value.
    SecurityGroupIds: !Split [ ",", !FindInMap [ AWSRegionParams, !Ref 'AWS::Region', cdeSecurityGroupIds ] ]
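
How the Split/FindInMap trick resolves, as an added example (not code from the original post and not CloudFormation itself): a small resolver for the Ref, Fn::FindInMap, Fn::Split and Fn::Join intrinsic functions, run over the template fragment above written in long-form syntax (`!Split [...]` is YAML shorthand for `{"Fn::Split": [...]}`, `!FindInMap` for `"Fn::FindInMap"`, and `!Ref 'AWS::Region'` for `{"Ref": "AWS::Region"}`). The eu-west-1 row carries the security group ids from the notes; the us-east-1 row, the resource name WebInstance and the function names are constructed for this demo.

```python
from typing import Any, Dict

# Long-form version of the Mappings trick. The us-east-1 row is a constructed addition;
# the eu-west-1 security group ids are the ones from the notes.
TEMPLATE: Dict[str, Any] = {
    "Mappings": {
        "AWSRegionParams": {
            "eu-west-1": {"cdeSecurityGroupIds": "sg-12345,sg-678910"},
            "us-east-1": {"cdeSecurityGroupIds": "sg-abcde"},
        }
    },
    "Resources": {
        "WebInstance": {
            "Type": "AWS::EC2::Instance",
            "Properties": {
                "SecurityGroupIds": {
                    "Fn::Split": [
                        ",",
                        {"Fn::FindInMap": ["AWSRegionParams", {"Ref": "AWS::Region"}, "cdeSecurityGroupIds"]},
                    ]
                }
            },
        }
    },
}


def resolve(node: Any, template: Dict[str, Any], pseudo: Dict[str, str]) -> Any:
    """Recursively evaluate Ref / Fn::FindInMap / Fn::Split / Fn::Join, the subset of
    intrinsic functions the trick needs (a demo assumption, not the full CloudFormation set)."""
    if isinstance(node, list):
        return [resolve(n, template, pseudo) for n in node]
    if not isinstance(node, dict):
        return node
    if len(node) == 1:
        (fn, arg), = node.items()
        if fn == "Ref":
            if arg not in pseudo:
                raise KeyError(f"unknown Ref {arg}; only pseudo parameters are supported here")
            return pseudo[arg]
        if fn == "Fn::FindInMap":
            map_name, top_key, second_key = resolve(arg, template, pseudo)
            try:
                return template["Mappings"][map_name][top_key][second_key]
            except KeyError as exc:
                # same failure CloudFormation reports when a region has no row in the map
                raise KeyError(f"Mappings.{map_name}[{top_key}][{second_key}] not found") from exc
        if fn == "Fn::Split":
            delimiter, source = resolve(arg, template, pseudo)
            return source.split(delimiter)
        if fn == "Fn::Join":
            delimiter, parts = resolve(arg, template, pseudo)
            return delimiter.join(parts)
    return {k: resolve(v, template, pseudo) for k, v in node.items()}


def resolved_properties(template: Dict[str, Any], logical_id: str, region: str) -> Dict[str, Any]:
    """Properties of one resource as they would look after evaluation in `region`."""
    pseudo = {"AWS::Region": region}
    return resolve(template["Resources"][logical_id]["Properties"], template, pseudo)


if __name__ == "__main__":
    print(resolved_properties(TEMPLATE, "WebInstance", "eu-west-1"))   # {'SecurityGroupIds': ['sg-12345', 'sg-678910']}
    print(resolved_properties(TEMPLATE, "WebInstance", "us-east-1"))   # {'SecurityGroupIds': ['sg-abcde']}
```

The point of the trick is that Mappings values must be strings or lists of strings and cannot be parameterized, so a comma-separated string plus Fn::Split is the way to get a per-region list into a property that expects a list. A stack launched in a region missing from the map fails at FindInMap, which is the behaviour the KeyError reproduces.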

ALB to redirect domain

How to do it from AWS

AWS Certification Link

Use an Amazon account, not an AWS account.

AWS Certification

See Codecommit Triggers

  • Go to CodeCommit
  • Choose a repository
  • Click Settings
  • Click triggers tab

AWS WAF Tutorial

Dynamodb auto deletion

  • Table Overview
  • Additional Info
  • Time to Live (TTL) on
  • Additional Setting
  • Go to TTL section
  • will see something like (TTL attribute expiredAt)

See vulnerabilities for docker images in AWS ECR

  1. Go to Amazon ECR
  2. Go to Repositories
  3. Click a repository
  4. Click an image tag