IAM
IAM is global: available across the account, not local to any region.
The root account is simply the account created when you first set up your AWS account. It
has complete admin access.
New users have NO permissions when created. They are assigned an Access Key ID and
Secret Access Key for programmatic access.
Users - people
Groups – collection of users
Policies – written in JSON; they give permission as to what a user/group/role is able to do.
Roles – a way of allowing one part of AWS to do something with another part of AWS
Security Assertion Markup Language – SAML
Can you authenticate without using Active Directory? Yes, using SAML.
You need to authenticate to Active Directory first, and then you are assigned temporary
security credentials. You get a token for 5000 seconds.
ARN – Amazon Resource Name.
IAM consists of Users, Groups, Roles and policy documents.
Policy documents are universal, generally in JSON format: “attribute – value”.
The root user has administrator permission.
Power users have access to all AWS services except the management of groups and users
with IAM.
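The notes say policies are JSON documents that decide what a user, group or role may do, and that a "power user" gets everything except IAM. The block below is an added example (not from the notes or from AWS): a constructed policy in that style, and a simplified evaluator showing the Allow/Deny rules an exam candidate must remember: implicit deny by default, and an explicit Deny beats any Allow. Resource and Condition elements are left out of the model on purpose.

```python
import fnmatch
import json

# Constructed policy modelled on the notes' "power user": everything is
# allowed except IAM, with one explicit Deny to show that Deny always wins.
POWER_USER_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"},
    {"Effect": "Deny", "Action": ["s3:DeleteBucket"], "Resource": "*"}
  ]
}
""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, action):
    # IAM action names are matched case-insensitively; '*' and '?' are wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))

def statement_applies(stmt, action):
    """True when the statement's Action/NotAction clause covers this action."""
    if "Action" in stmt:
        return _matches(stmt["Action"], action)
    if "NotAction" in stmt:
        return not _matches(stmt["NotAction"], action)
    return False

def is_allowed(policy, action):
    """Simplified IAM evaluation: implicit deny, an explicit Allow grants,
    and an explicit Deny overrides any Allow. Resource and Condition
    elements are ignored in this model (an assumption of the example)."""
    decision = False
    for stmt in _as_list(policy["Statement"]):
        if not statement_applies(stmt, action):
            continue
        if stmt["Effect"] == "Deny":
            return False
        if stmt["Effect"] == "Allow":
            decision = True
    return decision
```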
New users don’t have any permissions when created. New users are assigned an Access
Key ID & Secret Access Key when first created. These are used to access AWS via
the API and command line. You can only view these once; once lost, you
have to regenerate them.
The user navigates to the ADFS web server. The user enters their single sign-on credentials. The
user's web browser receives a SAML assertion from the AD server. The user's browser then
posts the SAML assertion to the AWS SAML endpoint, and the
AssumeRoleWithSAML API request is used to request temporary security credentials. The
user is then able to access the AWS Console.
A user authenticates with Facebook first. They are then given an ID token by Facebook. An API
call, AssumeRoleWithWebIdentity, is then used in conjunction with the ID token. The user is then
granted temporary security credentials.
SSL/TLS
Encryption at rest (server side) is achieved by SSE (server-side encryption).
S3 bucket names must consist of lowercase letters and numbers. Capital letters are NOT allowed.
Upload objects in a single operation—With a single PUT operation, you can upload objects up
to 5 GB in size.
Upload objects in parts—Using the multipart upload API, you can upload large objects, up to 5
TB.
Minimum file size that can be stored on S3 is 0 bytes
https://acloudguru1234.s3.amazonaws.com/ – here acloudguru1234 is the bucket name
By default you can have 100 S3 buckets per account.
Lifecycle management is:
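The S3 limits above (lowercase bucket names, 5 GB per single PUT, 5 TB via multipart, 0 bytes minimum) are easy to misremember. This added example, not from the notes, encodes them as checks a practitioner can run before an upload; the 5 MB minimum part size and 10,000-part maximum for multipart uploads are S3 limits the notes do not mention, and the 100 MB default part size is the example's own choice.

```python
import math
import re

GB = 1024 ** 3
TB = 1024 ** 4
SINGLE_PUT_MAX = 5 * GB       # largest object a single PUT accepts (from the notes)
OBJECT_MAX = 5 * TB           # largest object via multipart upload (from the notes)
MIN_PART = 5 * 1024 ** 2      # smallest non-final multipart part (not from the notes)
MAX_PARTS = 10_000            # most parts in one multipart upload (not from the notes)

# Bucket names: 3-63 chars of lowercase letters, digits, dots and hyphens,
# starting and ending with a letter or digit; no capitals, no "..".
BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")

def valid_bucket_name(name):
    return bool(BUCKET_RE.match(name)) and ".." not in name

def plan_upload(size, part_size=100 * 1024 ** 2):
    """Return ('put', 1) or ('multipart', n_parts); raise on sizes S3 rejects."""
    if size < 0 or size > OBJECT_MAX:
        raise ValueError("object size must be between 0 bytes and 5 TB")
    if size <= SINGLE_PUT_MAX:
        return ("put", 1)
    part_size = max(part_size, MIN_PART)
    n_parts = math.ceil(size / part_size)
    if n_parts > MAX_PARTS:
        # grow the part size until the upload fits within the part limit
        part_size = math.ceil(size / MAX_PARTS)
        n_parts = math.ceil(size / part_size)
    return ("multipart", n_parts)
```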
AWS Snowmobile is an exabyte-scale data transfer service used to move extremely large amounts of
data to AWS. You can transfer 100 PB per Snowmobile.
Snowball can import to & export from S3.
Storage Gateway is a service that connects an on-premises software appliance with cloud-based
storage to provide seamless and secure integration between an organization’s on-premises IT
environment and AWS storage infrastructure.
Storage Gateway supports either VMware ESXi or Microsoft Hyper-V.
Three different types of storage gateway:
File Gateway (NFS & SMB): for flat files, which are stored as objects in your S3 buckets.
Volume Gateway (iSCSI): uses disk volumes like a hard disk; data written is
asynchronously backed up as point-in-time snapshots of your volumes.
o Stored volumes: the entire dataset is stored on site and is asynchronously backed
up to S3.
o Cached volumes: the entire dataset is stored on S3 and the most frequently
accessed data is cached on site. 32 TiB
Gateway Virtual Tape Library.
CDN: Content delivery network
EC2 – Elastic Compute Cloud.
EC2 is a web service that provides resizable compute capacity in the cloud.
EC2 pricing models
On Demand: allows you to pay a fixed rate by the hour or second with no commitment
Reserved: provides you with a capacity reservation, and offers a significant discount on
the hourly charge for an instance. Contract terms are 1 year or 3 years.
o Standard reserved instances: 75% discount. You can’t convert your instance type
o Convertible reserved instances: 54% discount. You can convert your instance type
o Scheduled reserved instances: for a scheduled time.
Spot: enables you to bid whatever price you want for instance capacity, providing
even greater savings if your applications have flexible start and end times
Dedicated hosts: a physical EC2 server dedicated for your use. Dedicated hosts can help
you reduce costs by allowing you to use your existing server-bound software licenses.
When a spot instance is terminated by Amazon EC2, you will not be charged for the partial hour, but if
you terminate it yourself, the partial hour is chargeable.
EBS provides persistent block storage volumes for use with Amazon EC2 instances in the
AWS cloud. Each Amazon EBS volume is automatically replicated within its Availability
Zone to protect you from component failure, offering high availability & durability.
Compare EBS
Volumes exist on EBS. Think of EBS as a virtual hard disk.
Snapshots exist on S3. Think of snapshots as a photograph of the disk.
Snapshots are point in time copies of volumes.
Snapshots are incremental- this means that only the blocks that have changed since
your last snapshot are moved to S3.
If this is your first snapshot, it may take some time to create.
To create a snapshot of an Amazon EBS volume that serves as a root device, you should
stop the instance before taking the snapshot so the snapshot is consistent.
However, you can take a snapshot while the instance is running.
You can create AMIs from both volumes and snapshots.
You can change EBS volumes on the fly, including changing the size and storage
type.
Volumes will ALWAYS be in the same availability zone as the EC2 instance.
To move an EC2 volume from one AZ to another, take a snapshot of it, create an AMI from
the snapshot and then use the AMI to launch the EC2 instance in the new AZ.
To move an EC2 volume from one region to another, take a snapshot of it, create an
AMI from the snapshot and then copy the AMI from one region to the other. Then use the
copied AMI to launch the new EC2 instance in the new region.
The root device for an instance launched from the AMI is an instance store volume
created from a template stored in Amazon S3.
Instance store volumes are sometimes called ephemeral storage because if the
instance stops for some reason, the data is lost.
Instance store volumes can’t be stopped. If the underlying host fails, you will lose your
data.
EBS-backed instances can be stopped. You will not lose the data on this instance if it is
stopped.
You can reboot both; you will not lose your data.
By default, both ROOT volumes will be deleted on termination. However, with EBS
volumes, you can tell AWS to keep the root device volume.
Encrypted root device volume & snapshots
Cloudwatch
Bucket policies
Access control lists
S3 Encryption:
In transit:
o SSL/TLS
At rest:
o Server-side encryption
   S3 managed keys: SSE-S3
   AWS Key Management Service managed keys: SSE-KMS
   Server-side encryption with customer-provided keys: SSE-C
o Client-side encryption
Storage Gateway:
run-instances
describe-instances
describe-images
terminate-instances
Terminate-instance:
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html
Metadata: http://169.254.169.254/latest/meta-data/
ELB – Elastic load balancer
Instances monitored by ELB are reported as InService or OutOfService.
ELBs have their own DNS name but no IP address.
Classic load balancers are important in the exam, not application load balancers.
To create a snapshot of an Amazon EBS volume that serves as a root device, you should stop the
instance before taking the snapshot.
An instance store volume is ephemeral storage and can’t be stopped.
For a RAID system, to take a snapshot you need to stop the application from writing to disk and flush
all caches to disk. This can be done by:
freezing the file system
unmounting the RAID array
shutting down the associated EC2 instance
AMIs are regional
CloudWatch is performance monitoring
Standard monitoring is 5 minutes
Detailed monitoring is 1 minute
CloudTrail is auditing
CloudWatch can be used for dashboards, alarms, events, logs
Elastic Load Balancing is chargeable.
1xx Informational
2xx Success
3xx Redirection
Database:
Database services:
RDS: Relational database
DynamoDB
ElastiCache
Redshift
DMS: Database Migration Service.
RDS:
SQL server
Oracle
MySQL
PostgreSQL
Aurora
MariaDB
Non-RDS notation:
Collection = table
Document = row
Key-value pairs = fields
Data warehousing: Redshift
OLTP: online transaction processing
OLAP: online analytical processing
ElastiCache:
Memcached
Redis
HTTP
HTTPS
Email
Email JSON
Amazon SQS
Application
Topics:
Email contains: type, messageId, topicArn, subject, message, timestamp, signature version,
signature, signing URL.
Dynamo DB consists of :
Tables
Items – row
Attributes – column of data
35 levels of nesting are supported in DynamoDB.
Write throughput for 10 units. Write capacity unit can handle 1 write per second.
Read throughput for 50 units.
Two types of primary key are available:
Single attribute (think of a unique ID): partition key (hash key) composed of one attribute.
Composite (think of a unique ID & date range): partition key (hash key) & sort
key (range key) composed of two attributes.
With a single-attribute primary key, no two items in a table can have the same partition key value.
Indexes
Local Secondary Index:
All writes are of 1 KB
All writes are 1 write per second.
400 HTTP status code: ProvisionedThroughputExceededException: you exceeded your maximum
allowed provisioned throughput for a table or for one or more global secondary indexes.
AssumeRoleWithWebIdentity API for web identity providers such as Facebook, Google etc.
Conditional writes: update if the current price is xx.
Atomic counters can be used if a margin of error is acceptable.
A single BatchGetItem request can retrieve up to 1 MB of data, which can contain as many as
100 items. In addition, a single BatchGetItem request can retrieve items from multiple tables.
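The DynamoDB figures above (a write capacity unit is one 1 KB write per second, the notes' 10 write units and 50 read units, a 400 ProvisionedThroughputExceededException when that is exceeded, and 100 items per BatchGetItem) are worked through in this added example, which is not from the notes. The 4 KB read unit size and the half-cost of eventually consistent reads are DynamoDB facts the notes do not state.

```python
import math

WRITE_UNIT_BYTES = 1024     # one WCU: 1 write/s of an item up to 1 KB (from the notes)
READ_UNIT_BYTES = 4096      # one RCU: 1 strongly consistent read/s up to 4 KB (not in the notes)
BATCH_GET_MAX_ITEMS = 100   # BatchGetItem item limit (from the notes)

def write_units(item_bytes, writes_per_second):
    """WCUs needed: each write costs ceil(item size / 1 KB) units."""
    return math.ceil(item_bytes / WRITE_UNIT_BYTES) * writes_per_second

def read_units(item_bytes, reads_per_second, eventually_consistent=False):
    """RCUs needed: each strongly consistent read costs ceil(item size / 4 KB)
    units; an eventually consistent read costs half that."""
    units = math.ceil(item_bytes / READ_UNIT_BYTES) * reads_per_second
    return math.ceil(units / 2) if eventually_consistent else units

def fits_provisioned(item_bytes, writes_per_second, provisioned_wcu):
    """False means the table would answer HTTP 400
    ProvisionedThroughputExceededException at this write rate."""
    return write_units(item_bytes, writes_per_second) <= provisioned_wcu

def batch_get_chunks(keys):
    """Split a key list into BatchGetItem-sized requests of at most 100 keys."""
    return [keys[i:i + BATCH_GET_MAX_ITEMS]
            for i in range(0, len(keys), BATCH_GET_MAX_ITEMS)]
```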
NAT instance
ELBs don’t have an IP; you resolve them using the DNS name.
An Alias record is like a CNAME except you can resolve individual AWS resources.
Better to choose an Alias record over a CNAME in the exam.
Different routing policies:
Simple
Weighted
Latency
Failover
Geolocation.