My notes on AWS Certified Solutions Architect Associate 2021

Shi
Published in CI/CD/DevOps
11 min read, Jan 5, 2022

SAA-C02

Lambda function

- Security at rest: Lambda always provides server-side encryption at rest with an AWS KMS key. By default, Lambda uses an AWS managed key.
- Security in transit: for additional security, you can enable helpers for encryption in transit, which ensures that your environment variables are encrypted client-side for protection in transit.
- A sudden burst of traffic can be handled by Lambda, as it responds within seconds, while options like ECS/EKS or ECS with autoscaling need a few minutes.
- Lambda@Edge is a feature of CloudFront: you can use it to improve your site's performance at optimized cost by running Lambda functions at the location nearest to the end user, and to provide features such as added authentication.
- Lambda is better for cost control as it is pay per use.
- Your Lambda function automatically scales based on the number of events it processes. If your Lambda function accesses a VPC, you must make sure that your VPC has sufficient ENI capacity to support the scale requirements of your Lambda function. It is also recommended that you specify at least one subnet in each Availability Zone in your Lambda function configuration.
- By specifying subnets in each of the Availability Zones, your Lambda function can run in another Availability Zone if one goes down or runs out of IP addresses. If your VPC does not have sufficient ENIs or subnet IPs, your Lambda function will not scale as requests increase, and you will see an increase in invocation errors with EC2 error types like EC2ThrottledException.

RDS

- RDS multi-AZ support automatic fail-over.
- RDS cross-region read replica only allows you to manually promote a read replica to be primary.
- RDS multi-AZ replication is synchronous.
- RDS read replica is asynchronous.
- Global Database: in the unlikely event of a regional degradation or outage, one of the secondary regions can be promoted to read and write capabilities in less than 1 minute. This provides your application with an effective Recovery Point Objective (RPO) of 1 second and a Recovery Time Objective (RTO) of less than 1 minute, providing a strong foundation for a global business continuity plan.
- IAM database authentication works with MySQL and PostgreSQL. With this authentication method, you don't need to use a password when you connect to a DB instance. Instead, you use an authentication token.
- An authentication token is a unique string of characters that Amazon RDS generates on request. Each token has a lifetime of 15 minutes. You don't need to store user credentials in the database, because authentication is managed externally using IAM. You can also still use standard database authentication.
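To make the 15-minute token concrete, here is an added example (not from these notes or from AWS's SDK) that builds an RDS IAM authentication token the way boto3's generate_db_auth_token does: a SigV4 presigned request for the rds-db service with X-Amz-Expires=900, plus a helper that checks how much lifetime a token has left. The host, user and credentials are constructed placeholders.

```python
import datetime
import hashlib
import hmac
import urllib.parse

# Constructed placeholder inputs (not real credentials or hosts).
HOST, PORT, DB_USER, REGION = "mydb.example.internal", 3306, "app_user", "us-east-1"
ACCESS_KEY, SECRET_KEY = "AKIAEXAMPLEKEY000000", "example-secret-key-not-real"

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()

def generate_db_auth_token(host, port, user, region, access_key, secret_key, amz_date=None):
    """Build an RDS IAM auth token: a SigV4 presigned GET for service 'rds-db'
    (same shape as boto3's generate_db_auth_token). amz_date is YYYYMMDDTHHMMSSZ."""
    if amz_date is None:
        amz_date = datetime.datetime.now(datetime.timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    date_stamp = amz_date[:8]
    scope = f"{date_stamp}/{region}/rds-db/aws4_request"
    params = {
        "Action": "connect",
        "DBUser": user,
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": "900",  # the 15-minute token lifetime
        "X-Amz-SignedHeaders": "host",
    }
    # Canonical query string: keys sorted, RFC 3986 encoded ('/' in the credential becomes %2F).
    quote = lambda s: urllib.parse.quote(s, safe="-_.~")
    canonical_qs = "&".join(f"{quote(k)}={quote(v)}" for k, v in sorted(params.items()))
    host_header = f"{host}:{port}"
    empty_payload_hash = hashlib.sha256(b"").hexdigest()
    canonical_request = "\n".join(
        ["GET", "/", canonical_qs, f"host:{host_header}\n", "host", empty_payload_hash])
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    # SigV4 signing-key derivation chain: date -> region -> service -> aws4_request.
    k_date = _hmac(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_signing = _hmac(_hmac(_hmac(k_date, region), "rds-db"), "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode(), hashlib.sha256).hexdigest()
    # The client passes this string (no scheme) as the database password.
    return f"{host_header}/?{canonical_qs}&X-Amz-Signature={signature}"

def token_seconds_remaining(token, at_amz_date):
    """Seconds of validity left at the given time; <= 0 means the token has expired."""
    qs = urllib.parse.parse_qs(urllib.parse.urlsplit("https://" + token).query)
    issued = datetime.datetime.strptime(qs["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ")
    now = datetime.datetime.strptime(at_amz_date, "%Y%m%dT%H%M%SZ")
    return int(qs["X-Amz-Expires"][0]) - int((now - issued).total_seconds())

EXAMPLE_TOKEN = generate_db_auth_token(HOST, PORT, DB_USER, REGION, ACCESS_KEY, SECRET_KEY,
                                       amz_date="20220105T120000Z")
```

The signature covers the host, the DB user, the date and the expiry, so a token copied from one instance or user cannot be replayed against another, and the 900-second window is what limits the damage of a leaked one.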

Aurora

A reader endpoint for an Aurora DB cluster provides load-balancing support for read-only connections to the DB cluster. Use the reader endpoint for read operations, such as queries. By processing those statements on the read-only Aurora Replicas, this endpoint reduces the overhead on the primary instance.
Aurora by default keeps 6 copies of data across 3 AZs in the same region.

RPO and RTO

- Recovery Point Objective (RPO) is a measure of how frequently you take backups, which relates to the amount of potential data loss.
- Recovery Time Objective (RTO) is the amount of downtime a business can tolerate.

AD FS

We can set up SAML 2.0-based federation using Microsoft Active Directory Federation Services (AD FS) to share credentials between on-premises and AWS environments.

Amazon MQ

Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers in the cloud. You get direct access to the ActiveMQ and RabbitMQ consoles and industry standard APIs and protocols for messaging, including JMS, NMS, AMQP 1.0 and 0.9.1, STOMP, MQTT, and WebSocket. You can easily move from any message broker that uses these standards to Amazon MQ because you don’t have to rewrite any messaging code in your applications.

Cloudfront

CloudFront is the AWS CDN for serving static content with low latency.
* CloudFront caches content in edge locations around the world.
* CloudFront can be used together with S3 to create a low-cost static website.
* A CloudFront OAI (origin access identity) can be used to block user access to S3 directly.
* CloudFront can be used to block access from certain countries.
* We can use a CloudFront price class to restrict serving to certain regions only, to be cost effective.
An HTTP 504 status code (Gateway Timeout) indicates that when CloudFront forwarded a request to the origin (because the requested object wasn't in the edge cache), one of the following happened:
- The origin returned an HTTP 504 status code to CloudFront.
- The origin didn’t respond before the request expired.
CloudFront will return an HTTP 504 status code if traffic is blocked to the origin by a firewall or security group, or if the origin isn’t accessible on the internet.

Global accelerator

* intelligent routing to achieve lowest latency
* 2 IP addresses to whitelist
* fast cross-regional failover
* static anycast IP addresses

FSx

Amazon FSx File Gateway provides high availability.
FSx can be integrated with Microsoft AD.
NFS is mostly for Linux;
SMB is mostly for Windows and AD.

Various security services

* Rekognition: uses ML and computer vision to detect information and insights in your images/videos.
* Macie: Macie automatically provides an inventory of Amazon S3 buckets, including a list of unencrypted buckets. Then, Macie applies machine learning and pattern matching techniques to the buckets you select to identify and alert you to sensitive data, such as personally identifiable information (PII).
* GuardDuty: a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity.
* Inspector: an automated vulnerability management service that continually scans AWS workloads for software vulnerabilities and unintended network exposure.

EC2 billing

You won't be billed if the instance is not in the running state, except in the following cases:
- stopped/terminated state for a Reserved Instance
- stopping state when preparing to hibernate
Take note that when a Reserved Instance expires, any instances that were covered by the Reserved Instance are billed at the on-demand price, which is significantly higher.
Hibernating an EC2 instance persists its memory to the EBS volume and saves cost.
An Elastic IP address is free as long as all the following conditions are true:
- The Elastic IP address is associated with an EC2 instance.
- The instance associated with the Elastic IP address is running.
- The instance has only one Elastic IP address attached to it.
Data transfer within the same Availability Zone is free.

AWS Shield and WAF

Shield for DDoS;
WAF for normal web attacks.

Best practice for the partition key in DynamoDB

The cardinality of a data attribute refers to the number of distinct values that it can have; high cardinality means there can be a lot of distinct values for the attribute.
Good practice:
- Use high-cardinality attributes as the partition key. These are attributes that have distinct values for each item, like emailid, employee_no, customerid, sessionid, orderid, and so on.
Bad practice:
- Using low-cardinality attributes like Product_SKU as the partition key and Order_Date as the sort key. For example, if one product is more popular, then the reads and writes for that partition key are high, resulting in throttling issues. This is because partition keys have the largest influence on which partition an item falls on, and items with the same partition key are usually on the same underlying DynamoDB partition.
When you use the AWS Management Console to create a new table, Amazon DynamoDB auto scaling is enabled for that table by default.
When you use the AWS CLI to create a DynamoDB table, you have to explicitly create an auto scaling policy to enable auto scaling.
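An added example (not part of these notes) that puts numbers on the good/bad practice above: it measures the cardinality of candidate partition-key attributes over a constructed set of orders and simulates how evenly each choice spreads traffic across a few partitions. The hash-to-partition mapping is an illustration, not DynamoDB's internal one.

```python
import hashlib
from collections import Counter

# Constructed sample orders: few SKUs, one of them very popular, many unique order ids.
SAMPLE_ORDERS = [
    {"order_id": f"o-{i:04d}",
     "customer_id": f"c-{i % 40:03d}",
     "product_sku": "SKU-HOT" if i % 10 < 8 else f"SKU-{i % 5}"}
    for i in range(200)
]

def cardinality(items, attribute):
    """Number of distinct values the attribute takes across the items."""
    return len({item[attribute] for item in items})

def partition_load(items, attribute, partitions=8):
    """Items per simulated partition when `attribute` is the partition key.
    Items sharing a key value always hash to the same partition, as in DynamoDB."""
    load = Counter()
    for item in items:
        digest = hashlib.sha256(str(item[attribute]).encode("utf-8")).digest()
        load[int.from_bytes(digest[:4], "big") % partitions] += 1
    return load

def hottest_partition_share(items, attribute, partitions=8):
    """Fraction of all traffic hitting the busiest partition (1.0 = everything on one)."""
    load = partition_load(items, attribute, partitions)
    return max(load.values()) / len(items)

def rank_partition_keys(items, candidates):
    """Candidates best-first: highest cardinality, then lowest hot-partition share."""
    return sorted(candidates,
                  key=lambda a: (-cardinality(items, a), hottest_partition_share(items, a)))
```

With the constructed data, product_sku has only 3 distinct values and sends at least 80% of traffic to one partition, which is the throttling scenario the note describes; order_id spreads the same 200 items almost evenly.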

S3 and cloudfront

Use signed URLs in the following cases:
- You want to restrict access to individual files, for example, an installation download for your application.
- Your users are using a client (for example, a custom HTTP client) that doesn't support cookies.
Use signed cookies in the following cases:
- You want to provide access to multiple restricted files, for example, all of the files for a video in HLS format or all of the files in the subscribers' area of website.
- You don't want to change your current URLs.
S3 event notification destination:
- SNS
- SQS
- Lambda
- Amazon EventBridge
s3:ObjectRemoved:DeleteMarkerCreated type is only triggered when a delete marker is created for a versioned object and not when an object is deleted or a versioned object is permanently deleted.

S3 transfer acceleration

Amazon S3 Transfer Acceleration can speed up content transfers to and from Amazon S3 by as much as 50-500% for long-distance transfer of larger objects.

KMS and CMK

October 29, 2021: AWS KMS is replacing the term customer master key (CMK) with AWS KMS key and KMS key.
KMS keys are protected by hardware security modules (HSMs).

EC2 scale-in policy

Determine whether any of the instances eligible for termination use the oldest launch template or configuration:
- [For Auto Scaling groups that use a launch template] Determine whether any of the instances use the oldest launch template, unless there are instances that use a launch configuration. Amazon EC2 Auto Scaling terminates instances that use a launch configuration before it terminates instances that use a launch template.
- [For Auto Scaling groups that use a launch configuration] Determine whether any of the instances use the oldest launch configuration.

Status check
- System status checks (StatusCheckFailed_System) detect problems with your instance that require AWS involvement to repair.
- Instance status checks (StatusCheckFailed_Instance) detect problems that require your involvement to repair.

ECS/EKS

You can use CloudWatch to monitor S3 bucket events and trigger an ECS task; you don't have to use a Lambda function in such a scenario.

AWS organizations

AWS Organizations is an account management service that lets you consolidate multiple AWS accounts into an organization that you create and centrally manage. With Organizations, you can create member accounts and invite existing accounts to join your organization. You can organize those accounts into groups and attach policy-based controls.

S3 lifecycle

- The maximum days for the EFS lifecycle policy is only 90 days.
S3 Standard-IA and S3 One Zone-IA:
- The S3 Standard-IA and S3 One Zone-IA storage classes are designed for long-lived and infrequently accessed data. (IA stands for infrequent access.)
- Objects must be stored at least 30 days in the current storage class before you can transition them to STANDARD_IA or ONEZONE_IA.
S3 Glacier:
- Amazon S3 Glacier is ideal for archiving.
- With S3 Object Lock, you can store objects using a write-once-read-many (WORM) model. Object Lock can help prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely.
- You need to use expedited retrieval to retrieve data in a few minutes.
- Provisioned capacity helps ensure sufficient retrieval throughput (up to 150 MB/s).

Redis

Authenticate users with Redis AUTH by creating a new Redis cluster with both the --transit-encryption-enabled and --auth-token parameters enabled.

ElastiCache

ElastiCache improves the performance of your database by caching query results.
The primary purpose of an in-memory key-value store is to provide ultra-fast (submillisecond latency) and inexpensive access to copies of data.
Note: submillisecond, not microsecond; DAX can deliver microsecond performance, not ElastiCache.

EBS, EFS and disk type

- EBS Multi-Attach doesn't support multiple AZs.
- You can use Amazon Data Lifecycle Manager (Amazon DLM) to automate the creation, retention, and deletion of snapshots taken to back up your Amazon EBS volumes.
- EFS (Elastic File System) is good for a scalable NFS file system mounted to multiple EC2 instances.

AWS Glue

AWS Glue is a fully managed extract, transform, and load (ETL) service that makes it easy for customers to prepare and load their data for analytics.

Policy & MISC

A policy can't be attached to a container in ECS, as the container is ephemeral.

Migration

DMS (Database Migration Service) is for databases, not files or S3.
AWS DataSync helps transfer data from on-premises to AWS fast and reliably.

Monitoring

CloudWatch gathers metrics about CPU utilization from the hypervisor for a DB instance, and Enhanced Monitoring gathers its metrics from an agent on the instance. As a result, you might find differences between the measurements, because the hypervisor layer performs a small amount of work. Enhanced Monitoring metrics are useful when you want to see how different processes or threads on a DB instance use the CPU.
There are certain metrics that are not readily available in CloudWatch, such as memory utilization, disk space utilization, and many others, which can be collected by setting up a custom metric.
Amazon CloudWatch uses Amazon SNS to send email.
For RDS,
-- CPU Utilization, Database Connections, and Freeable Memory are the regular items provided by Amazon RDS Metrics in CloudWatch.
-- Enhanced Monitoring metrics can collect metrics about RDS process, RDS child process, and OS process.
For S3,
-- AWS CloudTrail alone won't give detailed logging information for object-level access.
-- CloudTrail event log files are by default encrypted using Amazon S3 server-side encryption (SSE).

Encryption

When using an AWS KMS-managed customer master key to enable client-side data encryption, you provide an AWS KMS customer master key ID (CMK ID) to AWS. On the other hand, when you use a client-side master key for client-side data encryption, your client-side master keys and your unencrypted data are never sent to AWS.
S3 server-side encryption doesn't provide AES-128 encryption, only AES-256.
ACM (AWS Certificate Manager) is for certificates.
KMS (Key Management Service) is for encryption keys.
AWS Secrets Manager is to store and encrypt DB credentials, API keys and other secrets and automatically rotate them by default.
EBS volumes are only encrypted using AWS KMS.
Server-side encryption (SSE) is actually an option for Amazon S3, but not for Amazon EC2.
S3 server-side encryption supports a few methods:
- Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3)
- Server-Side Encryption with Customer Master Keys (CMKs) Stored in AWS Key Management Service (SSE-KMS)
- Server-Side Encryption with Customer-Provided Keys (SSE-C)

API gateway

Amazon API Gateway provides throttling at multiple levels including global and by a service call. Throttling limits can be set for standard rates and bursts.

AWS Transit Gateway

AWS Transit Gateway provides a hub and spoke design for connecting VPCs and on-premises networks. You can attach all your hybrid connectivity (VPN and Direct Connect connections) to a single Transit Gateway consolidating and controlling your organization's entire AWS routing configuration in one place.

Snowball vs Snowball Edge

Snowball can only store up to 72 TB.
Snowball Edge can store up to 83 TB or more (using a cluster).
Snowball Edge has onboard Lambda support.

Route 53

- Amazon Route 53 is a highly available and scalable Domain Name System (DNS) web service. You can use Route 53 to perform three main functions in any combination: 
* domain registration,
* DNS routing, and
* health checking.
- to map a domain name to an Elastic Load Balancing (ELB) load balancer, use an
* A record (IPv4) or
* AAAA record (IPv6)

ALB, NLB and HA/LB

Application Load Balancer cannot be assigned an Elastic IP address (static IP address). However, a Network Load Balancer can be assigned one Elastic IP address for each Availability Zone it uses.
SNI Custom SSL relies on the SNI extension of the Transport Layer Security protocol, which allows multiple domains to serve SSL traffic over the same IP address by including the hostname viewers are trying to connect to.
Default cooldown period is 300 seconds.
ELB works in one single region.
HA/LB: typical HA questions imply a few things in the AWS context:
* use RDS with multi-AZ deployment
* use ALB and EC2 auto-scaling group across multiple AZs
* use Amazon MQ active/standby broker for high availability
Typical LB questions imply:
* use ALB in front of EC2 instances
* use auto scaling group to add or remove instances automatically
Limitation:
* ALB auto scaling group works in the same region.

VPC and subnet

- you need to add IPv4 subnet first before you can create an IPv6 subnet.
- By default, a new EC2 instance uses an IPv4 addressing protocol.
- You can only change your VPC to dual-stack mode where your resources can communicate over IPv4, or IPv6, or both, but not exclusively with IPv6 only.
- By default, Amazon VPC uses the IPv4 addressing protocol; you can't disable this behavior.
- When you create a VPC, you must specify an IPv4 CIDR block (a range of private IPv4 addresses). You can optionally assign an IPv6 CIDR block to your VPC and assign IPv6 addresses from that block to instances in your subnets.
- The allowed block size in a VPC is between a /16 netmask (65,536 IP addresses) and a /28 netmask (16 IP addresses), not a /27 netmask.
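An added example (not part of these notes) that checks the VPC addressing rules above with the standard library: the primary block must be IPv4 and between /16 and /28, every subnet must lie inside the VPC block, and subnets must not overlap each other. All CIDRs are constructed sample values; subnets are assumed to be IPv4 like the VPC block they are checked against.

```python
import ipaddress

VPC_MIN_PREFIX, VPC_MAX_PREFIX = 16, 28  # /16 = 65,536 addresses, /28 = 16 addresses

def validate_vpc_cidr(cidr):
    """Return None if the block is an allowed VPC primary CIDR, else an error message."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits set, e.g. 10.0.0.1/16
    except ValueError as exc:
        return f"invalid CIDR: {exc}"
    if net.version != 4:
        return "VPC primary CIDR must be IPv4; an IPv6 block is optional and added separately"
    if not VPC_MIN_PREFIX <= net.prefixlen <= VPC_MAX_PREFIX:
        return f"/{net.prefixlen} not allowed: VPC block must be between /16 and /28"
    return None

def validate_subnets(vpc_cidr, subnet_cidrs):
    """List the problems with a subnet plan: subnets outside the VPC, and overlapping pairs."""
    vpc = ipaddress.ip_network(vpc_cidr)
    subnets = [ipaddress.ip_network(s) for s in subnet_cidrs]
    problems = []
    for s in subnets:
        if not s.subnet_of(vpc):
            problems.append(f"{s} is outside VPC {vpc}")
    for i, a in enumerate(subnets):
        for b in subnets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    return problems

if __name__ == "__main__":
    print(validate_vpc_cidr("10.0.0.0/16"))            # None: allowed
    print(validate_vpc_cidr("10.0.0.0/15"))            # too large
    print(validate_subnets("10.0.0.0/16",
                           ["10.0.1.0/24", "10.0.1.128/25", "10.1.0.0/24"]))
```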

I am a coder/engineer/application security specialist. I like to play around with language and tools; I have strong interest in efficiency improvement.