
Gangadevi saibaba

IAM
IAM is global: available across the account, not local to any region.
The root account is simply the account created when you first set up your AWS account. It
has complete admin access.
New users have NO permissions when created. They are assigned an Access Key ID and
Secret Access Key for programmatic access.
Users – people
Groups – collection of users
Policies – in JSON; they give permission as to what a user/group/role is able to do.
Roles – way of allowing one part of AWS to do something with another part of AWS
Security Assertion Markup Language – SAML
Can you authenticate without using Active Directory? Yes, using SAML.
You need to authenticate with Active Directory first and then you would be assigned temporary
security credentials. Will get a token for 5000 seconds.
ARN – Amazon Resource Name.
IAM consists of Users, Groups, Roles and policy documents.
Policy documents are universal, generally JSON format: "Attribute – value".
Root user has administrator permission.
Power users have access to all AWS services except the management of groups and users
with IAM.
New users don't have any permissions when created. New users are assigned an Access
Key ID & Secret Access Key when first created. These are used to access AWS via
the API and command line. You can only view these once; once lost, you
have to regenerate them.
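As an added illustration (not from these notes and not AWS code), the following Python models how a JSON policy document of the kind described above is evaluated for one request: a user with no policy gets an implicit deny, an explicit Deny beats any Allow, and Action/Resource support "*" wildcards. The sample policy, actions and ARNs are constructed.

```python
"""Minimal model of IAM policy-document evaluation (added illustration, not AWS code)."""
import fnmatch
import json

# Constructed sample policy: read-only S3 access, but never to the secrets bucket.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": "arn:aws:s3:::*"},
        {"Effect": "Deny",
         "Action": "s3:*",
         "Resource": "arn:aws:s3:::secrets-bucket/*"},
    ],
})


def _as_list(value):
    """IAM accepts either a single string or a list in Action/Resource/Statement."""
    return [value] if isinstance(value, (str, dict)) else list(value)


def _matches(patterns, candidate):
    """Case-insensitive wildcard match, as IAM does for action names and ARN patterns."""
    return any(fnmatch.fnmatchcase(candidate.lower(), p.lower()) for p in patterns)


def evaluate(policy_json, action, resource):
    """Return "Allow", "Deny" (explicit) or "ImplicitDeny" for one request.

    Evaluation order modelled here: start from implicit deny, scan every
    statement, stop at the first explicit Deny (it always wins), otherwise
    remember any matching Allow.
    """
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    decision = "ImplicitDeny"          # nothing matched: the default for any principal
    for stmt in statements:
        if not _matches(_as_list(stmt.get("Action", [])), action):
            continue
        if not _matches(_as_list(stmt.get("Resource", [])), resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"              # explicit deny short-circuits
        if stmt["Effect"] == "Allow":
            decision = "Allow"
    return decision


def new_user_decision(action, resource):
    """A freshly created IAM user has no policy attached, so every request is implicitly denied."""
    return evaluate(json.dumps({"Statement": []}), action, resource)
```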

The user navigates to the ADFS web server. The user enters their single sign-on credentials. The
user's web browser receives a SAML assertion from the AD server. The user's browser then
posts the SAML assertion to the AWS sign-in endpoint for SAML, and the
AssumeRoleWithSAML API request is used to request temporary security credentials. The
user is then able to access the AWS Console.
A user authenticates with Facebook first. They are then given an ID token by Facebook. An API
call, AssumeRoleWithWebIdentity, is then used in conjunction with the ID token. The user is then
granted temporary security credentials.

The AWS sign-in endpoint for SAML is https://signin.aws.amazon.com/saml.


You can always enable multi-factor authentication (MFA).

AssumeRoleWithWebIdentity is the API call used in web identity federation.


AssumeRoleWithSAML is the API call used when federating with Active Directory.

S3 – Simple Storage Service.

S3 is object-based storage.
S3 buckets are created in a region but viewed globally.
S3 bucket names share a universal namespace and must be unique.
Uploading an object to S3 returns an HTTP 200 code.
Storage classes: S3 Standard, S3-IA (infrequent access), S3-IA One Zone (infrequent access, one zone), S3
Glacier.
Control access to S3 buckets using either a bucket ACL (access control list – object level) or using
bucket policies (bucket level).
Encryption in transit is achieved by:
 SSL/TLS
Encryption at rest (server side) is achieved by (SSE – server-side encryption):
 S3 managed keys – SSE-S3
 AWS Key Management Service managed keys – SSE-KMS
 Server-side encryption with customer-provided keys – SSE-C
Client-side encryption
Versioning:
Stores all versions of an object (including all writes, and even if you delete an object)
Great backup tool
Once enabled, versioning cannot be disabled, only suspended
S3 integrates with lifecycle rules
Versioning's MFA Delete capability, which uses multi-factor authentication, can be used to
provide an additional layer of security.
The key fundamentals of S3 are:
 Key (this is simply the name of the object)
 Value (this is simply the data and is made up of a sequence of bytes)
 Version ID (important for versioning)
 Metadata (data about the data you are storing)
 Subresources:
o Access control lists
o Torrent

Read-after-write consistency for PUTs of new objects.
Eventual consistency for overwrite PUTs and DELETEs (can take some time to propagate)
 S3 Standard: availability – 99.99%, durability – 99.999999999%
 S3 IA (infrequent access): availability – 99.9%, durability – 99.999999999%. For data
that is accessed less frequently, but requires rapid access when needed. Lower fee than
S3 Standard, but you are charged a retrieval fee.
 S3 One Zone-IA: availability – 99.5%, durability – 99.999999999%. For where you
want a lower-cost option for infrequently accessed data, but do not require the
multiple availability zone data resilience.
 S3 Intelligent-Tiering: availability – 99.9%, durability – 99.999999999%. Designed to
optimize costs by automatically moving the data to the most cost-effective access tier,
without performance impact or operational overhead.
 S3 Glacier: S3 Glacier is a secure, durable, and low-cost storage class for data archiving.
Retrieval times configurable from minutes to hours.
 S3 Glacier Deep Archive: Amazon S3's lowest-cost storage class, where a retrieval
time of 12 hours is acceptable.

S3 bucket names should be lower case and numbers. Capital letters are NOT allowed.
 Upload objects in a single operation – with a single PUT operation, you can upload objects up
to 5 GB in size.
 Upload objects in parts – using the multipart upload API, you can upload large objects, up to 5
TB.
 Minimum file size that can be stored on S3 is 0 bytes
 https://acloudguru1234.s3.amazonaws.com/ – acloudguru1234 is the bucket name
 By default we can have 100 S3 buckets per account.
Lifecycle management:
 Automates moving your objects between different storage tiers.
 Can be used in conjunction with versioning.
 Can be applied to current & previous versions.
Cross-region replication:
 Versioning must be enabled on both the source and destination buckets.
 Regions must be unique.
 Files in an existing bucket are not replicated automatically.
 All subsequent updated files will be replicated automatically.
 Delete markers are replicated.
 Deleting individual versions or delete markers will not be replicated.
S3 transfer acceleration: utilizes the CloudFront edge network to accelerate your uploads to
S3.
bucketname.s3-accelerate.amazonaws.com
CloudFront: can be used to deliver your entire website, including dynamic, static, streaming,
and interactive content, using a global network of edge locations. Requests for your content are
automatically routed to the nearest edge location, so content is delivered with the best possible
performance.
CloudFront is global.
Edge location: this is the location where content will be cached. This is separate from an AWS
region/AZ.
Origin – this is the origin of all the files that the CDN will distribute. This can be either an S3
bucket, an EC2 instance, an Elastic Load Balancer, or Route 53.
Distribution – this is the name given to the CDN, which consists of a collection of edge locations.
Web distribution – typically used for websites
RTMP – used for media streaming
Edge locations are not just READ only – you can write to them too (i.e. put an object onto them).
Objects are cached for the life of the TTL (Time To Live), in seconds.
You can clear the cached objects, but you will be charged.
Snowball is a petabyte-scale data transport solution that uses devices designed to be secure to
transfer large amounts of data into and out of the AWS Cloud. Snowball comes in either a 50TB
or 80TB size. Snowball uses multiple layers of security designed to protect your data, including
tamper-resistant enclosures, 256-bit encryption, and an industry-standard Trusted Platform
Module (TPM) designed to ensure both security and full chain of custody of your data. Once
the data transfer job has been processed and verified, AWS performs a software erasure of the
Snowball appliance.
AWS Snowball Edge is a 100TB data transfer device with on-board storage and compute capabilities. You
can use Snowball Edge to move large amounts of data into and out of AWS, as a temporary
storage tier for large local datasets, or to support local workloads in remote or offline locations.

AWS Snowmobile is an exabyte-scale data transfer service used to move extremely large amounts of
data to AWS. You can transfer 100PB per Snowmobile.
Snowball can import to and export from S3.
Storage Gateway: is a service that connects an on-premises software appliance with cloud-based
storage to provide seamless and secure integration between an organization's on-premises IT
environment and AWS storage infrastructure.
Storage Gateway supports either VMware ESXi or Microsoft Hyper-V.
Three different types of storage gateway:
 File Gateway (NFS & SMB): for flat files, which are stored as objects in your S3 buckets.
 Volume Gateway (iSCSI): uses disk volumes like a hard disk; data written is
asynchronously backed up as point-in-time snapshots of your volumes.
o Stored volumes: entire dataset is stored on site and is asynchronously backed
up to S3.
o Cached volumes: entire dataset is stored on S3 and the most frequently
accessed data is cached on site. Up to 32TiB.
 Gateway Virtual Tape Library.
CDN: Content Delivery Network
EC2 – Elastic Compute Cloud.
EC2 is a web service that provides resizable compute capacity in the cloud.
EC2 pricing models:
 On Demand: allows you to pay a fixed rate by the hour or second with no commitment.
 Reserved: provides you with a capacity reservation, and offers a significant discount on
the hourly charge for an instance. Contract terms are 1 year or 3 years.
o Standard reserved instances: 75% off. You can't convert your instance type.
o Convertible reserved instances: 54% off. You can convert your instance type.
o Scheduled reserved instances: for a scheduled time.
 Spot: enables you to bid whatever price you want for instance capacity, providing
even greater savings if your applications have flexible start and end times.
 Dedicated hosts: physical EC2 server dedicated for your use. Dedicated hosts can help
you reduce costs by allowing you to use your existing server-bound software licenses.
When a spot instance is terminated by Amazon EC2, you will not be charged for the partial hour, but if
you terminate it yourself, it is chargeable.

 Termination protection is turned off by default; you must turn it on.
 On an EBS-backed instance, the default action is for the root EBS volume to be deleted
when the instance is terminated.
 EBS root volumes of your DEFAULT AMIs CAN be encrypted. You can also use a third-
party tool (such as BitLocker etc.) to encrypt the root volume, or this can be done when
creating AMIs in the AWS console or using the API.
 Additional volumes can be encrypted.
Security groups:
 All inbound traffic is blocked by default.
 All outbound traffic is allowed.
 Changes to a security group take effect immediately.
 You can have any number of EC2 instances within a security group.
 You can have multiple security groups attached to an EC2 instance.
 Security groups are STATEFUL.
 If you create an inbound rule allowing traffic in, that traffic is automatically allowed back
out again.
 You cannot block a specific IP address using security groups; instead use Network Access
Control Lists.
 You can specify allow rules, but not deny rules.
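As an added illustration (not from these notes and not AWS code), this Python models the security-group rules listed above next to a network ACL: a security group has allow rules only, blocks inbound by default and is stateful, so replies to an allowed inbound flow always leave; a NACL has numbered allow/deny rules, which is why blocking one address is done there. Rules, ports and addresses are constructed samples.

```python
"""Security group vs network ACL behaviour (added illustration, not AWS code)."""
import ipaddress


class SecurityGroup:
    def __init__(self, inbound_allow=None, allow_all_outbound=True):
        # Each inbound rule: (protocol, port, cidr). There are no deny rules by design.
        self.inbound_allow = list(inbound_allow or [])
        self.allow_all_outbound = allow_all_outbound   # the default SG allows all outbound
        self._established = set()                      # connection-tracking state

    def inbound(self, proto, port, src_ip):
        """Inbound is blocked unless some allow rule matches."""
        src = ipaddress.ip_address(src_ip)
        for r_proto, r_port, r_cidr in self.inbound_allow:
            if r_proto == proto and r_port == port and src in ipaddress.ip_network(r_cidr):
                self._established.add((proto, port, src_ip))
                return True
        return False

    def outbound(self, proto, port, dst_ip):
        """Stateful: the reply to an allowed inbound flow leaves even with no outbound rule."""
        if self.allow_all_outbound:
            return True
        return (proto, port, dst_ip) in self._established


class NetworkAcl:
    def __init__(self, rules):
        # Each rule: (number, "allow" | "deny", cidr); stateless, lowest number wins.
        self.rules = sorted(rules, key=lambda r: r[0])

    def inbound(self, src_ip):
        src = ipaddress.ip_address(src_ip)
        for _, action, cidr in self.rules:
            if src in ipaddress.ip_network(cidr):
                return action == "allow"    # first matching rule decides
        return False                        # implicit deny at the end of every NACL


def demo_block_single_ip(bad_ip):
    """Why blocking one host needs a NACL: the SG allows a whole /24 and cannot
    express "except this address"; the NACL denies it with a lower-numbered rule
    before the broad allow. Network 203.0.113.0/24 is a constructed sample."""
    sg = SecurityGroup(inbound_allow=[("tcp", 22, "203.0.113.0/24")])
    nacl = NetworkAcl([(100, "deny", bad_ip + "/32"), (200, "allow", "0.0.0.0/0")])
    return {"sg_allows": sg.inbound("tcp", 22, bad_ip), "nacl_allows": nacl.inbound(bad_ip)}
```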
EBS – Elastic Block Store:
 EBS provides persistent block storage volumes for use with Amazon EC2 instances in the
AWS cloud. Each Amazon EBS volume is automatically replicated within its availability
zone to protect you from component failure, offering high availability & durability.
 Compare EBS:
 Volumes exist on EBS. Think of EBS as a virtual hard disk.
 Snapshots exist on S3. Think of snapshots as a photograph of the disk.
 Snapshots are point-in-time copies of volumes.
 Snapshots are incremental – this means that only the blocks that have changed since
your last snapshot are moved to S3.
 If this is your first snapshot, it may take some time to create.
 To create a snapshot for Amazon EBS volumes that serve as root devices, you should
stop the instance before taking the snapshot for a consistent result.
 However, you can take a snapshot while the instance is running.
 You can create AMIs from both volumes and snapshots.
 You can change EBS volume sizes on the fly, including changing the size and storage
type.
 Volumes will ALWAYS be in the same availability zone as the EC2 instance.
 To move an EC2 volume from one AZ to another, take a snapshot of it, create an AMI from
the snapshot and then use the AMI to launch the EC2 instance in a new AZ.
 To move an EC2 volume from one region to another, take a snapshot of it, create an
AMI from the snapshot and then copy the AMI from one region to the other. Then use the
copied AMI to launch the new EC2 instance in the new region.

EBS volume types – Solid-State Drives (SSD) vs Hard Disk Drives (HDD):

General Purpose SSD (gp2) – SSD
 Description: general purpose SSD volume that balances price and performance for a wide variety of workloads
 Use cases: most workloads
 API name: gp2
 Volume size: 1 GiB - 16 TiB
 Max IOPS per volume: 16,000 (16 KiB I/O) *
 Max throughput per volume: 250 MiB/s *
 Max IOPS per instance: 80,000
 Max throughput per instance ††: 2,375 MB/s
 Dominant performance attribute: IOPS

Provisioned IOPS SSD (io1) – SSD
 Description: highest-performance SSD volume for mission-critical low-latency or high-throughput workloads
 Use cases: databases
 API name: io1
 Volume size: 4 GiB - 16 TiB
 Max IOPS per volume: 64,000 (16 KiB I/O) †
 Max throughput per volume: 1,000 MiB/s †
 Max IOPS per instance: 80,000
 Max throughput per instance ††: 2,375 MB/s
 Dominant performance attribute: IOPS

Throughput Optimized HDD (st1) – HDD
 Description: low-cost HDD volume designed for frequently accessed, throughput-intensive workloads
 Use cases: big data & data warehouses
 API name: st1
 Volume size: 500 GiB - 16 TiB
 Max IOPS per volume: 500 (1 MiB I/O)
 Max throughput per volume: 500 MiB/s
 Max IOPS per instance: 80,000
 Max throughput per instance ††: 2,375 MB/s
 Dominant performance attribute: MiB/s

Cold HDD (sc1) – HDD
 Description: lowest cost HDD volume designed for less frequently accessed workloads
 Use cases: file servers
 API name: sc1
 Volume size: 500 GiB - 16 TiB
 Max IOPS per volume: 250 (1 MiB I/O)
 Max throughput per volume: 250 MiB/s
 Max IOPS per instance: 80,000
 Max throughput per instance ††: 2,375 MB/s
 Dominant performance attribute: MiB/s

EBS Magnetic (standard) – previous generation
 Description: previous generation volume type
 Use cases: workloads where data is infrequently accessed
 API name: standard
 Volume size: 1 GiB - 1 TiB
 Max IOPS per volume: 40-200

EBS vs Instance Store (EPHEMERAL STORAGE):
 The root device for an instance launched from the AMI is an instance store volume
created from a template stored in Amazon S3.
 Instance store volumes are sometimes called ephemeral storage because if the
instance stops for some reason, data is lost.
 Instance store volumes can't be stopped. If the underlying host fails, you will lose your
data.
 EBS-backed instances can be stopped. You will not lose the data on this instance if it is
stopped.
 You can reboot both; you will not lose your data.
 By default, both ROOT volumes will be deleted on termination. However, with EBS
volumes, you can tell AWS to keep the root device volume.
Encrypted root device volumes & snapshots:
 Snapshots of encrypted volumes are encrypted automatically.
 Volumes restored from encrypted snapshots are encrypted automatically.
 You can share snapshots, but only if they are unencrypted. These snapshots can be
shared with other AWS accounts or made public.
 You can now encrypt root device volumes upon creation of the EC2 instance.
 To create an encrypted instance from an unencrypted one:
o Create a snapshot of the unencrypted root device volume.
o Create a copy of the snapshot and select the encrypt option.
o Create an AMI from the encrypted snapshot.
o Use that AMI to launch new encrypted instances.

CloudWatch
 CloudWatch is a monitoring service to monitor your AWS resources, as well as the
applications that you run on AWS.
S3 – Simple Storage Service.
S3 is object-based storage.
S3 has 99.99% availability and 99.999999999% (11 9's) durability.
Amazon guarantees 99.9% availability in the SLA agreement.
S3 files can be 0 bytes to 5TB; S3 is a universal namespace and bucket names are unique globally.
Largest file size that can be uploaded to S3 using a single PUT is 5GB.
https://s3-eu-west-1.amazonaws.com/acloudguru
When a file is uploaded you will receive an HTTP 200 code if the upload was successful.
Read-after-write consistency for PUTs of new objects.
Eventual consistency for overwrite PUTs and DELETEs (can take some time to propagate).
An S3 object consists of:
 Key – name of object
 Value – data, sequence of bytes
 Version ID
 Metadata
 Subresources
o Access control list
o Torrent

S3 Standard: availability – 99.99%, durability – 99.999999999%
S3 IA (infrequent access): availability – 99.9%, durability – 99.999999999%
RRS (Reduced Redundancy Storage): availability – 99.99%, durability – 99.99%
Glacier: very cheap but used for archival only. Takes 3-5 hours to restore.
S3 bucket names should be lower case and numbers. Capital letters are NOT allowed.
Static website hosting link: http://bucketname.s3-website.region.amazonaws.com
Once S3 versioning is enabled, it cannot be disabled, only suspended.
Objects deleted while versioning is enabled can be restored.
Cross Region Replication:
 Versioning must be enabled on both the source and destination buckets.
 Regions must be unique.
 Files in an existing bucket are not replicated automatically. All subsequent updated
files will be replicated automatically.
 You can't replicate to multiple buckets or use daisy chaining.
 Delete markers are replicated.
 Deleting individual versions or delete markers will not be replicated.
CDN – Content Delivery Network
Edge location: this is the location where content will be cached. This is separate from an AWS region.
Web distribution: typically used for websites.
RTMP: used for media streaming.
Objects are cached for the life of the TTL (Time To Live). Generally the TTL is 24 hours, maximum is 365
days, minimum is 0 days. The time is entered in seconds. You can clear cached objects, but you will be
charged.
S3 buckets can be configured to create access logs which log all requests made to the S3 bucket.
For lifecycle management the minimum size is 128KB and 30 days after the creation date.
By default, all newly created buckets are PRIVATE.
Buckets can be accessed by:
 Bucket policies
 Access control lists
S3 Encryption:
 In transit:
o SSL/TLS
 At rest:
o Server-side encryption
 S3 managed keys: SSE-S3
 AWS Key Management Service managed keys: SSE-KMS
 Server-side encryption with customer-provided keys: SSE-C
o Client-side encryption

Storage Gateway:
 File gateway (NFS) – files like Word documents, PDFs, pictures, etc. stored on S3
 Volume gateway (iSCSI) – block storage like a hard disk.
o Stored volumes – store all data on premises. Stored as EBS snapshots in S3. 1GB-
16TB. Asynchronously backed up.
o Cached volumes – store only the data that is cached on premises. 1GB – 32TB
 Tape gateway (VTL) – backup

Import/Export is now Snowball.
Snowball: 80TB, 256-bit encryption. Storage-only option.
Snowball Edge: on-board storage and compute capabilities. 100TB
Snowmobile: big sea container on a truck.
S3 transfer acceleration: utilizes the CloudFront edge network to accelerate your uploads to S3.
bucketname.s3-accelerate.amazonaws.com
CORS – Cross-Origin Resource Sharing

EC2 – Elastic Compute Cloud

Instance family mnemonic: DR Mc GIFT PX
D is for Density
R is for RAM
M is the main choice for general purpose.
C is for Compute
G is for Graphics
I is for IOPS
F is for FPGA
T is cheap general purpose (T2 micro)
P – graphics (think of pics)
X – extreme memory
EBS – Elastic Block Storage
GP2 – General Purpose SSD: 3 IOPS per GB with up to 10,000 IOPS, and able to
burst to 3000 IOPS for extended periods for volumes under 1GiB. 1GiB – 16384GiB. Min is 100 IOPS.
Provisioned IOPS SSD: designed for I/O-intensive applications such as large relational or NoSQL
databases. Use if you need more than 10,000 IOPS. Can provide 20,000 IOPS. 4GiB – 16384GiB. Min is
100 IOPS.
Magnetic storage:
Throughput Optimized HDD (ST1): big data, data warehouse, log processing. Can't be a boot
volume.
Cold HDD (SC1): low-cost storage for infrequent access workloads like file servers. Can't be a boot
volume. 500GiB to 16384GiB.
Magnetic standard: lowest cost, infrequently accessed data. Can be a boot volume.
EC2
You can't mount 1 EBS volume to multiple EC2 instances. If you need shared storage, you need to use EFS.
1 subnet = 1 availability zone.
Root volume can't be encrypted when using an Amazon default AMI but can be encrypted when using
third-party tools. Additional volumes can be encrypted.
Termination protection is turned off by default.
Security Group: is a virtual firewall.
Security group rules are applied immediately.
Security groups DENY all inbound traffic by default; you can add only allow rules.
Security groups are STATEFUL. All outbound traffic is allowed irrespective of inbound.
STATEFUL: if you create an inbound rule allowing traffic in, that traffic is automatically
allowed back out again.
All instances within the same security group can communicate with each other.
RDP port no: 3389
MySQL / Aurora port no: 3306
An EBS volume in one availability zone can't be attached to an EC2 instance in a different availability zone.
Snapshots are incremental; this means that only the blocks that have changed since your last
snapshot are moved to S3.
You CAN'T add a role to EC2 after creation. A role can be assigned only while the EC2 instance is created. You
can add a policy to the role after creation of the EC2 instance; it takes effect immediately.
Roles are universal and can be used in any region.

Important CLI commands: https://docs.aws.amazon.com/cli/latest/reference/ec2/

 run-instances
 describe-instances
 describe-images
 terminate-instances

describe-images: all images that are available to us

aws ec2 describe-images --owners amazon --filters "Name=platform,Values=windows" "Name=root-device-type,Values=ebs"

describe-instances: the instances that are currently running.

run-instances: CLI command to launch/create an instance. The key pair
named MyKeyPair and the security group sg-903004f8 must exist.

eg: aws ec2 run-instances --image-id ami-abc12345 --count 1 --instance-type t2.micro --key-name MyKeyPair --security-group-ids sg-903004f8 --subnet-id subnet-6e7f829e

terminate-instances:

aws ec2 terminate-instances --instance-ids i-1234567890abcdef0

start-instances: only starts a stopped instance; it does not create an instance.

http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html
Metadata: http://169.254.169.254/latest/meta-data/
ELB – Elastic Load Balancer
Instances monitored by ELB are reported as: InService or OutOfService
ELBs have their own DNS name but have no IP address.
Classic load balancers are important in the exam, not application load balancers.

Amazon available SDKs are:
Android, iOS, JavaScript (browser)
Node.js
Java
.NET
PHP
Python
Ruby
Go
C++
AWS Mobile SDK
Default SDK region is "US-EAST-1"

To create a snapshot for an Amazon EBS volume that serves as a root device, you should stop the
instance before taking the snapshot.
Instance store volumes are ephemeral storage and can't be stopped.
For a RAID system, to take a snapshot you need to stop the application from writing to disk and flush
all caches to disk. This can be done by:
freezing the file system
unmounting the RAID array
shutting down the associated EC2 instance
AMIs are regional.
CloudWatch is performance monitoring.
Standard monitoring is 5 minutes.
Detailed monitoring is 1 minute.
CloudTrail is auditing.
CloudWatch can be used for dashboards, alarms, events, logs.
Elastic Load Balancing is chargeable.

HTTP Status Codes

1xx Informational

2xx Success

3xx Redirection

4xx Client Error

5xx Server Error

Database:
Database services:
RDS: relational database
DynamoDB
ElastiCache
Redshift
DMS: Database Migration Service.
RDS:
 SQL Server
 Oracle
 MySQL Server
 PostgreSQL
 Aurora
 MariaDB
Non-RDS (NoSQL) notation:
 Collection = table
 Document = row
 Key value pairs = fields
Data warehousing: Redshift
OLTP: online transaction processing
OLAP: online analytical processing
ElastiCache:
 Memcached
 Redis

SQS – Simple Queue Service

Decoupling – SQS
256KB message length. Billing is in 64KB chunks, each referred to as 1 request, so 256KB is 4
requests.
SQS consumers pull messages from the queue.
Maximum retention period is 14 days; default is 4 days.
Visibility timeout: how long the message is not visible in the queue. Default is 30 seconds;
maximum is 12 hours. Using "ChangeMessageVisibility" you can extend its
visibility.
Auto scaling can be used with SQS.
SQS ensures a message is delivered at least once, and in random order. SQS messages can be delivered
multiple times and in any order.
Long polling: doesn't respond until a message arrives in the queue, or the long poll times out,
which is 20 seconds.
Short polling: returns immediately even if the queue is empty.
Fanning out: passing a single message from SNS to multiple queues in order to deliver the
message to the subscribers.
SNS: Simple Notification Service
Uses a push mechanism.
To prevent messages from being lost, all messages published to Amazon SNS are stored
redundantly across multiple availability zones.
SNS can be customized by protocol.
Protocols included:
 HTTP
 HTTPS
 Email
 Email-JSON
 Amazon SQS
 Application
Topics:
Email contains: type, messageId, topicArn, subject, message, timestamp, signature version,
signature, signing URL.

SWF – Simple Workflow Service

Task-oriented API
Workers are programs that interact with Amazon SWF to get tasks, process received tasks
and return the results.
A Decider is a program that controls the coordination of the tasks, i.e. their ordering,
concurrency, and scheduling according to the application logic.
Maximum workflow duration is 1 year.
SWF Domain:
A task is processed only ONCE and never duplicated.
CloudFormation
Usage of CloudFormation, Elastic Beanstalk and Auto Scaling is free, but you pay for the
resources used by these.
By default, rollback on failure is enabled in CloudFormation.
Fn::GetAtt is an important function.
Elastic Beanstalk
Elastic Beanstalk preconfigured platforms are: IIS, Node.js, PHP, Python, Ruby, Tomcat.
Preconfigured Docker: GlassFish, Python
AWS abstracted services are S3 and DynamoDB.
DynamoDB
DynamoDB is a fast and flexible NoSQL database service for all applications that need
consistent, single-digit millisecond latency at any scale. It supports both document and key-
value models. Mostly good for mobile, web, gaming, ad-tech, IoT etc.
Stored on SSD storage.
Eventually consistent reads (default): consistency across all copies of the data is usually reached within one second.
Strongly consistent reads: return a result that reflects all writes that received a successful
response prior to the read.

DynamoDB consists of:
Tables
Items – rows
Attributes – columns of data
35 levels of nesting are supported in DynamoDB.
Write throughput for 10 units. One write capacity unit can handle 1 write per second.
Read throughput for 50 units.
Two types of primary key are available:
 Single attribute (think of unique ID): partition key (hash key) composed of one attribute.
 Composite attribute (think of unique ID & date range): partition key (hash key) & sort
key (range key) composed of two attributes.
No two items in a table can have the same partition key value when a single-attribute primary key is used.
Indexes
Local secondary index:
 Has the SAME partition key, different sort key.
 Can ONLY be created at the time of creating the table. They can't be removed or modified later.
Global secondary index:
 Has a DIFFERENT partition key and different sort key.
 Can be created at table creation or added later.
Can have a max of 5 LSIs and 5 GSIs per table.
Streams: used to capture any kind of modification of DynamoDB tables. They capture the
images before and after the following events happen:
 If a new item is added to the table.
 If an item is updated.
 If an item is deleted.
DynamoDB streams are stored for a maximum of 24 hours.
DynamoDB is push-button scalable.
Triggers: DynamoDB triggers connect DynamoDB streams to Lambda functions.
Query: a Query operation finds items in a table using only primary key attribute values. You
must provide a partition key name and a distinct value to search for. You can optionally use a sort
key name and value, and also use comparison operators to refine the search.
By default a Query returns all the data attributes. You can use "ProjectionExpression" to
return only some attributes. Same for the Scan operation.
Query results are always sorted in ascending order by the sort key. To reverse the order, set
the "ScanIndexForward" parameter to false.
A Query operation is more efficient than a Scan.
DynamoDB provisioned throughput calculations:
Unit of read provisioned throughput:
 All reads are rounded up to increments of 4KB
 Eventually consistent reads (default): 2 reads per second
 Strongly consistent reads: 2 reads per second.
Unit of write provisioned throughput:
 All writes are 1 KB
 All writes are 1 write per second.
400 HTTP status code: ProvisionedThroughputExceededException: you exceeded your maximum
allowed provisioned throughput for a table or for one or more global secondary indexes.
AssumeRoleWithWebIdentity API is for web identity providers such as Facebook, Google etc.
Conditional writes: update only if the current price is xx.
Atomic counters can be used if a margin of error is acceptable.
A single BatchGetItem request can retrieve up to 1MB of data, which can contain as many as
100 items. In addition, a single BatchGetItem request can retrieve items from multiple tables.
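As an added worked example (not from these notes and not AWS code), this Python carries the provisioned-throughput rules above through to numbers, and splits a key list by the 100-item BatchGetItem limit. Reads round up to 4KB and writes to 1KB as the notes say; for the read ratio it uses AWS's documented definition, one strongly consistent read per second per unit or two eventually consistent reads. Item sizes and rates are constructed.

```python
"""DynamoDB capacity arithmetic (added illustration, not AWS code)."""
import math

READ_UNIT_BYTES = 4 * 1024     # reads are metered in 4 KB steps
WRITE_UNIT_BYTES = 1 * 1024    # writes are metered in 1 KB steps
BATCH_GET_MAX_ITEMS = 100      # BatchGetItem limit from the notes


def read_units_per_item(item_bytes, strongly_consistent=False):
    """Capacity consumed by reading one item once.

    Even a 0-byte item costs one 4 KB chunk; an eventually consistent read
    (the default) consumes half a unit per chunk.
    """
    chunks = max(1, math.ceil(item_bytes / READ_UNIT_BYTES))
    return chunks if strongly_consistent else chunks / 2


def required_rcu(item_bytes, reads_per_second, strongly_consistent=False):
    """Read capacity units to provision for a steady read rate of this item size."""
    return math.ceil(read_units_per_item(item_bytes, strongly_consistent) * reads_per_second)


def required_wcu(item_bytes, writes_per_second):
    """Write capacity units for a steady write rate; each write rounds up to 1 KB."""
    return max(1, math.ceil(item_bytes / WRITE_UNIT_BYTES)) * writes_per_second


def will_throttle(provisioned_rcu, item_bytes, reads_per_second, strongly_consistent=False):
    """True when the workload exceeds the table's provisioned read capacity, which is
    the situation behind the HTTP 400 ProvisionedThroughputExceededException."""
    return required_rcu(item_bytes, reads_per_second, strongly_consistent) > provisioned_rcu


def batch_get_item_batches(keys):
    """Split a key list into BatchGetItem-sized requests of at most 100 keys each."""
    return [keys[i:i + BATCH_GET_MAX_ITEMS] for i in range(0, len(keys), BATCH_GET_MAX_ITEMS)]
```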
NAT instance:
 When creating a NAT instance, disable Source/Destination Check on the instance.
 NAT instances must be in a public subnet.
 Must have an elastic IP address to work.
 There must be a route out of the private subnet to the NAT instance, in order for this to
work.
 The amount of traffic that a NAT instance supports depends on the instance size.
 You can create high availability using auto scaling groups, multiple subnets in different
AZs and a script to automate failover.
 NAT instances are behind a security group.
NAT gateway:
 Scales automatically up to 10 Gbps
 No need to patch
 Not associated with security groups
 Automatically assigned a public IP
 Remember to update your route table
 No need to disable source/destination checks

ELBs don't have an IP; you resolve them using the DNS name.
An Alias record is like a CNAME except you can resolve individual AWS resources.
Better to choose an Alias record over a CNAME in the exam.
Different routing policies:
 Simple
 Weighted
 Latency
 Failover
 Geolocation.
