
Important Notes SA Pro

1. Review these topics before the exam.


1. CloudFront
1. Behaviors with trusted signers (restrict viewer access) - then a trusted
signer account must generate the CF signed URLs or cookies needed to access
content. Caching controls and access are set at the Behavior level.
2. A default SSL cert is provided if we use *.cloudfront.net; if you need a
custom domain name, get a custom SSL cert from ACM or IAM.
Public certificates NEEDED. Self-signed WILL NOT work. EC2/on-premises
- manage your own certificate - NO ACM. All should be PUBLIC CA
CERTIFICATES.
3. CloudFront does NOT support SSL renegotiation for viewer or origin
requests, which thwarts renegotiation attacks.
4. SNI is a TLS extension - the client specifies the hostname it wants, so
several hostnames can be served from the same IP address - older browsers
do not support it.
5. OAI - Origin Access Identity - direct access to the origin is blocked
(deny). Only access via CF is allowed. Possible ONLY for S3 origins. For a
custom origin like EC2 - use custom headers added at the CF edge or a
firewall that allows only CF edge IPs.
2. Root access on EC2 but not to the SSL certificate - this is SSL offload:
HTTPS is terminated on the ALB and from ALB -> EC2 it uses HTTP, so the
cert does not need to be on the EC2 instance. Role separation - even if Dev
has root on the EC2 they cannot access the SSL cert, which is on the ALB.
3. VPC Flow Logs as an unencrypted packet content sniffer? No - VPC FL
captures only packet metadata, NOT contents, and it is not real time. Hence
use a packet sniffer to inspect contents.
4. CloudFront protocol policy, SSL cert needed? Yes - see above. Also set
the Viewer policy to HTTPS Only in CF and use an SSL/TLS cert from a 3rd
party imported into the ACM or IAM store.
5. Load Balancer - stickiness on target group
1. Enabled at the target group level. Generates an AWSALB cookie and uses
it for all future connections unless it expires or the instance fails - in
which case it moves to another instance.
6. Licensing tied to a specific MAC and IP address - when migrating to AWS,
add an ENI to the EC2 instance - it is like an additional network card with
a FIXED IP and MAC address.
7. DynamoDB Streams - lambda function use case to summarize data.
1. Behind the scenes uses Kinesis Data Streams; ITEM changes generate an
event, which can invoke a Lambda function.
8. Gateway endpoints into VPC for secure communications. Features of
VPC GW and IF endpoints.
1. GW endpoints - created per service per region - provide private
access to S3 and DynamoDB (which are public services residing
outside the VPC). GW configured on subnets - it adds a Prefix List
to the Route Table and allows traffic to go via the VPC router to the GW
endpoint and into S3. An Endpoint Policy can control which buckets can
be accessed. GWs are HA within the same region as the VPC.
NO cross-region access allowed. Without a GW endpoint you would normally
need to provide infra like:
1. An IGW, and have the VPC resources obtain public IPv4 or IPv6
addresses
2. A NAT GW for the private IPs to communicate out with public
services
2. Interface endpoints - support any public service except
DynamoDB. 1 Interface Endpoint = 1 subnet = 1 AZ = an ENI - hence
NOT HA. Add one endpoint per subnet in each AZ for HA within the VPC.
Since they are inside the VPC - can use SGs to control access. Can use an
endpoint policy also. Supports only TCP and IPv4. Under the hood
uses PrivateLink (AWS or 3rd party services injected into your VPC).
Useful for highly regulated industries to use 3rd party services via an
Interface endpoint - very secure. Uses a NEW service endpoint DNS name
to route traffic to the public service. Or, can use an R53 private hosted
zone as well. No application change needed as it overrides the default
DNS in R53.
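Added example (not from these notes): a toy policy evaluator showing how the gateway endpoint policy and a bucket policy together limit which bucket the VPC can reach. The bucket names, the endpoint id and the policy documents are constructed; only Effect/Action/Resource wildcards and StringEquals/StringNotEquals conditions are modelled, with the IAM rule that an explicit Deny wins and anything unmatched is denied.

```python
import fnmatch

VPCE_ID = "vpce-0123456789abcdef0"          # constructed endpoint id
APPROVED = "arn:aws:s3:::approved-data-bucket"
OTHER = "arn:aws:s3:::other-team-bucket"

# Endpoint policy (on the gateway endpoint): only the approved bucket is reachable through it.
ENDPOINT_POLICY = [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": [APPROVED + "/*"]},
]

# Bucket policies keyed by bucket name. The approved bucket additionally refuses
# any request that did not arrive through our endpoint (aws:SourceVpce).
BUCKET_POLICIES = {
    "approved-data-bucket": [
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": [APPROVED, APPROVED + "/*"]},
        {"Effect": "Deny", "Action": ["s3:*"], "Resource": [APPROVED, APPROVED + "/*"],
         "Condition": {"StringNotEquals": {"aws:SourceVpce": VPCE_ID}}},
    ],
    "other-team-bucket": [
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": [OTHER, OTHER + "/*"]},
    ],
}

def _matches(patterns, value):
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _condition_holds(condition, ctx):
    """Negated operators match when the key is absent, as in IAM."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            present = ctx.get(key)
            if operator == "StringEquals" and present != wanted:
                return False
            if operator == "StringNotEquals" and present == wanted:
                return False
    return True

def evaluate(statements, action, resource, ctx):
    """Return 'Allow', 'Deny' or None (no statement matched)."""
    decision = None
    for st in statements:
        if not (_matches(st["Action"], action) and _matches(st["Resource"], resource)):
            continue
        if not _condition_holds(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"                    # explicit deny always wins
        decision = "Allow"
    return decision

def s3_request_allowed(action, resource, ctx):
    """ctx carries aws:SourceVpce only when the request came through the endpoint."""
    if "aws:SourceVpce" in ctx and evaluate(ENDPOINT_POLICY, action, resource, ctx) != "Allow":
        return False                         # endpoint policy: default deny
    bucket = resource.split(":::")[1].split("/")[0]
    return evaluate(BUCKET_POLICIES.get(bucket, []), action, resource, ctx) == "Allow"
```

The other team's bucket stays reachable from the internet but not from inside the VPC, which is exactly the endpoint policy doing its job.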
9. Cost - public vs private IPv4 - an Elastic IP is free if attached to a
running EC2 instance. Private ranges are 10.x.x.x, 172.x.x.x, 192.x.x.x
10. Direct Connect: 1 private VIF = 1 VGW = 1 VPC (with private IPs). NO
encryption on Private VIFs and a MAX of 100 VPC CIDRs per BGP peer - the
VGW needs to be in the SAME region as the DX location. Public VIF - can
access all regions; AWS advertises all its public IPs and we can advertise
our own IPs over BGP. Can use Public VIF + VPN for encryption.
1. Standard Internet from on-premises to AWS using an IPsec VPN is easier
than MACsec - single hop. MACsec is an IEEE standard, used because DX
does not encrypt natively. It encrypts Layer 2 frames - hop-to-hop
between adjacent devices. Very high speed possible - but the colo provider
has to support it. The alternative is an end-to-end IPsec VPN.
2. Then go for Direct Connect also running an IPsec VPN tunnel - takes
time to provision.
3. DX Gateway is free - can connect to multiple regions. 1 Private VIF = 1
DX GW and 10 VGWs per DX GW (1 DX can have 50 private VIFs), so a total of
500 VPCs.
4. A DX GW is associated with a Private VIF OR a TGW / Transit VIF, BUT NOT
both!!!
5. Automatic primary/secondary scenario - DX HA - 2 DX routers in 2
colos to 2 customer sites. Improve speed using a DX LAG - link
aggregation group - 100 Gbps total.
11. IAM policy boundaries vs SCPs
1. Permissions boundaries - set around access control policies to
restrict users / roles to performing only the actions they are entitled to
perform. They look like IAM policies.
2. SCPs - used to manage permissions in your AWS Organization. No
permissions are granted by an SCP; it defines guardrails or sets limits.
They don't affect users/roles in the management account, only the
member accounts in your Org. SCPs DO NOT affect any service-linked role.
3. IAM permissions and trust policies work together - example: an EC2
application accessing S3 objects.
4. When an invited account joins your organization, you do not
automatically have full administrator control over the account, unlike
created accounts. If you want the master account to have full
administrative control over an invited member account, you must create
the OrganizationAccountAccessRole IAM role in the member account and
grant permission to the master account to assume the role.
12. NAT GW and route tables for Lambda functions
1. See https://aws.amazon.com/premiumsupport/knowledge-center/internet-access-lambda-function/
2. Public subnet inside the VPC ==> route Dest 0.0.0.0/0 Target IGW. Private
subnet ==> NAT GW: edit its route table, Dest 0.0.0.0/0 Target NAT GW. SG
should allow inbound from the Internet; outbound is allowed by default.
Create a VPC execution role and attach it to the Lambda function. Now the
Lambda function can access the Internet from a private subnet within the
VPC.
13. DLQ - Dead Letter Queue - each time a message is received its
ReceiveCount is incremented. We can have a redrive policy on the source
queue naming the DLQ and the condition for moving messages. Configure an
alarm whenever a message enters the DLQ. The message's timestamp is the time
it entered the original queue, not the DLQ. One DLQ can be used for multiple
source queues.
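Added example (not from these notes): an in-memory model of a source queue with a redrive policy, walking a poison message into the DLQ while a good message is processed normally. Message bodies, timestamps and the maxReceiveCount of 3 are constructed.

```python
from dataclasses import dataclass

@dataclass
class Message:
    body: str
    sent_timestamp: int        # when it entered the ORIGINAL source queue
    receive_count: int = 0     # ApproximateReceiveCount

class SourceQueueWithDlq:
    def __init__(self, max_receive_count):
        self.max_receive_count = max_receive_count   # redrive policy condition
        self.source = []
        self.dlq = []
        self.alarms = []        # stands in for a CloudWatch alarm on DLQ depth

    def send(self, body, now):
        self.source.append(Message(body, sent_timestamp=now))

    def receive(self):
        """Deliver the next message; redrive any that was already delivered max times."""
        while self.source:
            msg = self.source.pop(0)
            if msg.receive_count >= self.max_receive_count:
                self.dlq.append(msg)                 # timestamp is NOT reset on redrive
                self.alarms.append(f"ALARM: '{msg.body}' entered DLQ")
                continue
            msg.receive_count += 1
            return msg
        return None

    def visibility_timeout_expired(self, msg):
        """Consumer failed without deleting -> the message becomes visible again."""
        self.source.append(msg)

def simulate_poison_message(max_receive_count=3):
    q = SourceQueueWithDlq(max_receive_count)
    q.send("poison", now=1000)   # constructed: a message the consumer can never process
    q.send("good", now=1001)
    processed = []
    for _ in range(20):          # bounded loop so the simulation always terminates
        msg = q.receive()
        if msg is None:
            break
        if msg.body == "poison":
            q.visibility_timeout_expired(msg)   # consumer crashed: no delete call
        else:
            processed.append(msg.body)          # success: consumer deletes the message
    dead = q.dlq[0]
    return {"processed": processed, "dlq": [m.body for m in q.dlq],
            "poison_receives": dead.receive_count,
            "timestamp_preserved": dead.sent_timestamp == 1000,
            "alarms": len(q.alarms)}
```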
14. Enhanced Networking - no additional charge - on supported instances -
using the Elastic Network Adapter (ENA) - cannot be managed from the
Console. Provides higher I/O and lower CPU utilization.
15. EBS encryption - what components are affected by this?
1. Uses AWS KMS envelope encryption with a CMK - for volumes and
snapshots. Can choose encryption 'by default'. Encrypted EBS = encrypted
snapshot = can be shared with another AWS account - share the same CMK.
2. s2n (signal to noise) is AWS's answer to open source TLS libraries such
as OpenSSL. Small code footprint, on GitHub under the Apache License.
3. Symmetric encryption is great for local files on a laptop etc., not for
transferring to others, as there is no secure way to send the KEY.
4. Asymmetric encryption makes it easier to exchange keys - the public
key is used to encrypt and the private + public key pair is needed to
decrypt. Only one party needs to generate the private key and keep it
safe. This method is used by SSL/TLS and SSH.
5. Signing - send an acknowledgement signed with the private key. The
receiver can use the public key to verify that the acknowledgement
indeed came from the private key holder.
6. Steganography - embed encrypted data in another image. The receiver
uses the private key to decrypt.
16. SSE-KMS for S3, IAM role separation - store and replication
1. KMS - regional and public service. Keys NEVER leave KMS. FIPS
140-2 L2. Some people may have permission to create keys but not to
use them to encrypt data - that is role separation. DEKs can be used
to encrypt data larger than 4 KB. The DEK is encrypted using the CMK. YOU
do the encryption using the DEK - not KMS. A CMK is isolated to a region.
AWS managed keys are rotated every 3 years. Customer managed - you have
to set rotation - always 1 year.
2. Replicate keys from one AWS region to another. No need to run
multiple decrypt and encrypt operations. Integrated with S3 and the
DynamoDB Encryption Client.
17. RDS primary node deployment failure, replicas - minimum uptime
guarantee
1. RDS Multi-AZ - access only via a CNAME to the Primary in one AZ.
Synchronous replication to the Standby, but users cannot access it.
Disk writes to Primary and Standby happen in parallel - no lag.
When the Primary FAILS, RDS switches the CNAME to the Standby - there will
be a brief disruption.
2. Extra cost for the Standby - it is in the SAME region, just a different
AZ. Take backups from the Standby - no performance impact. It is NOT fault
tolerant.
3. RDS Read Replicas - can be in AZs of the same region or another
region. AWS manages all inter-region traffic with encryption. Uses
asynchronous replication. Up to 5 direct read replicas per DB instance.
RRs offer a near real-time RPO. An RR can be promoted quickly to handle
writes - low RTO. Cannot be used for write scaling. Use Provisioned
IOPS storage to improve read performance of RDS.
4. Aurora uses a cluster topology - very different from RDS. The Standby can
be used for reads under normal operations. Uses a SHARED cluster
volume. Replication happens at the storage level - max 128 TiB
across 6 replicas in 3 AZs. Fast Cloning and Backtrack are allowed.
18. AWS identities and requester pays feature
1. The requester assumes an IAM role before making the request; the account
related to the role is CHARGED. No anonymous or SOAP requests
allowed. The bucket owner pays for storage; the requester pays for data
transfer and the request. The x-amz-request-payer header is required.
19. EC2 move across regions - same SSH keys - AMI copy, replication factor
in EC2.
1. The only way to move an EC2 instance is to create an image (AMI) and
launch a new instance from that image. You can also re-associate the EIP
of the old instance. It may take some time to create the image if EBS
snapshots have not been taken. EBS snapshots are slow to restore - use RAID
1 (mirroring) if extreme storage HA is needed.
20. Domain records in R53 from a different domain provider.
1. Get the details from GoDaddy or Google and create CNAME records in
R53
21. Internal site access from Workspaces - private hosted zone?
1. Yes, it is called Split View Hosted Zones. Some records of the Private
Zone can be accessed only from the VPC via the VPC+2 R53 resolver.
All other records can be made to be accessed from the public
internet. So, the same company domain name will have 2 levels of
access - public and private.
22. SNS, Step functions - based on STATE machines - Succeed/Fail, Wait,
Choice, Parallel, Map and TASK.
23. Workspaces - AD Connector to on-premises
1. AD Connector redirects all requests to the existing on-premises
directory servers - no directory data is stored in AWS. It requires 2
subnets in different AZs within the VPC. Needs DX or a site-to-site VPN.
24. AWS Organizations - master and root account relationship
1. The Management / Master / Payer account is one per Organization; the rest
are member accounts. The Organizational Root is just a container which
can have many organizational units (OUs), which can have member
accounts. On-premises identity federation can be used to connect to a
login account and then role-switch.
25. Egress-only IGW routes
1. An egress-only IGW is used for IPv6 traffic only. It enables outbound
internet communication and does not allow the internet to initiate IPv6
connections to VPC resources. For IPv4 outbound only - use a NAT GW.
26. NACL and SG features
1. A NACL is associated with every subnet - filters traffic as it leaves the
boundary of that subnet. The default NACL allows all traffic within a VPC
between instances in different subnets.
2. SGs are attached to ENIs - stateful, no explicit deny, only allows. Can
reference logical resources like another SG etc.
27. S3 transition to Glacier Deep Archive timing and S3 Replication
1. Standard ==> Standard-IA ==> Intelligent-Tiering ==> One Zone-IA ==>
Glacier ==> Deep Archive
2. 30 day min in S3 Standard and 30 day min in the IA tiers before moving
to Glacier.
3. Glacier has Instant Retrieval and Flexible Retrieval. Deep Archive takes
more than 12 hours to retrieve.
4. Can set up multiple transitions, one for each action to be taken on the
S3 objects.
5. Replication - CRR and SRR (same region) - configured on the source
bucket, with a role to be assumed to replicate, and it is encrypted (SSL) -
can be from one account to another. If the target is in a different
account, that bucket needs a policy to ALLOW the source account to
write into it. Can choose a cheaper storage class in the target bucket.
Can change ownership on the target bucket. RTC (Replication Time Control)
guarantees a 15 minute SLA and gives monitoring info. DELETEs are not
replicated. SRR = log aggregation, strict sovereign requirements. CRR
= global resilience and reduced latency.
28. VPC range and subnetting - available IPs etc.
1. There is NO NEED to have separate subnets for separate application
TIERS in AWS.
2. 1 subnet = 1 AZ = 1 NACL - so with a single subnet no per-application-tier
DENY is possible and it is NOT HA.
3. Decide NOT to allocate a public IP to DB resources - even though they
are in the same subnet - this provides security. Also configure the SG on
the DB resource's ENI to accept connections only from the App resource -
another level of security.
4. 1 subnet = 1 route table - if different routing is needed go for
multiple subnets - e.g. to an IGW, NAT GW.
5. An ALB needs to run in a public subnet and can serve both public and
private resources.
29. Jumbo Frames - 9000 bytes on Direct Connect, 8500 on TGW and same-region
peering - these are the ONLY AWS services that support them.
30. ASG
1. An ASG operates on a version of a Launch Template or Launch Configuration.
Scaling policies are optionally associated with the ASG for more granular
control of desired, min and max instances based on metrics like CPU
usage etc. Scheduled and dynamic scaling - simple, step and
target tracking. An ELB can be used with the ASG to automatically update the
ELB target group with EC2 instance info when instances are added or removed.
But carefully choose the health check metric.
31. R53 - Create Alias record to point to ELB - can be used for both root
and sub domain. CNAME can be used only for sub domain. R53
Failover policy can be used for DR from one region to another.
32. DynamoDB shared tables? It is most likely Global Tables - multi-master
cross-region replication of the same table. Strongly consistent in the
same region and eventual to other regions. SQS and DynamoDB with a
provisioned write throughput can be used to scale massive writes to
the database.
33. SQS - FIFO limit is 3000 messages per second. So, use Kinesis Data
Streams instead to scale.
34. EC2 connections within VPC without IGW and no public IP
1. The primary ENI is attached to the EC2 instance and cannot be removed. A
secondary ENI can be attached in another subnet to the EC2 instance - it can
also be moved to other EC2 instances, BUT only in the SAME AZ.
2. The SG is attached to the ENI and NOT to the EC2 instance.
3. The NACL is attached to the subnet.
4. The private IPv4 address is configured on the OS. The public IPv4 address
is NOT configured on the OS - it is allocated to the instance.
35. TGW and VPC Peering
1. VPC Router - virtual within VPC, HA across all AZs in that region.
Main Route Table (RT) or Custom. Subnets associated with ONE RT
only
36. X-Ray - to diagnose performance issues with API Gateway, EC2 and
Lambda functions.
37. EMR Cluster - best practice for Master - On Demand, Core - On
Demand, Task - SPOT
38. Site-to-Site VPN features - by default uses the public Internet, meaning
several hops. Creates 2 IPsec tunnels between on-premises and AWS.
Alternative is to use CGW -> TGW -> multiple VPCs on AWS, but it still
goes through the public Internet. Accelerated S2S VPN uses AGA - low
latency, less jitter. Dynamic S2S is a good alternative to DX.
39. S3 and API Gateway - Configure Static Website Hosting and policy on
the S3 bucket. Configure CORS on the API Gateway - for non-simple
HTTP/S requests.
40. RedShift - By default single region - but can configure backups to
automatically go to another region for HA.
41. Snowball Edge - supports Lambda / EC2, NFS protocol, AWS IoT
services, cluster architecture.
42. S3 Transfer Acceleration - can speed up transfer to and from AWS S3
by 50-500% for remote user connections. Use for global upload of
large files, endpoint has s3-accelerate - uses AWS CloudFront
backbone network from POPs / edge locations
43. Truly Global and uses a single copy of database - R53, CloudFront
and IAM
44. 504 Gateway Timeout error - when the Lambda function exceeds the API
Gateway integration time limit. API Gateway throttling returns a 429 error,
e.g. when the endpoint gets more than 1000 concurrent invocations of the
Lambda function.
45. OpsWorks - Stacks —> uses Layers —> has instances in it. Layers are
used for various functionality in the same App.
46. EFS - can scale automatically to PBs of data, with low and consistent
operational latency, around 10 GB per sec. Can work in tandem with
CloudFront and can serve 1000s of users for a weather app etc. Use a
cache-control timeout to serve the latest data. Use Provisioned Throughput
mode on the EFS volume to ensure the required higher IOPS.
47. EC2 - instance metadata can be used to get temporary credentials
based on the IAM EC2 role. When an IAM role is attached to the
instance, the AWS CLI automatically and securely retrieves the
credentials from the instance metadata.
48. CloudWatch - set up and configure unified CW Logs agent in EC2
instances to automatically collect all metrics from both Linux and
Windows servers on premise or in AWS
49. API Gateway - It is better to use Lambda with API GW rather than ALB
especially when we need to use API Keys - more functionality.
50. Snowball Edge - Initiate multiple parallel copy jobs to improve overall
throughput.
51. Elastic Beanstalk (EB) - one of the deployment policies is immutable -
creates a new set of instances to deploy the new application version - it
can prevent issues caused by partially completed rolling
deployments. If the new instances do not pass health checks, EB terminates
them and leaves the original instances untouched. We can also deploy the
newer version to a Staging environment and swap the application
(CNAME) URLs between PROD and STAGING if the deployment is
successful.
52. HPC Cluster Performance - place all compute nodes close to each
other in single AZ in a cluster placement group. Improve network
performance by using Elastic Fabric Adapter EFA network interface.
Implement FSx for Lustre for Storage performance.
53. S3 version IDs - initially null (before versioning), then each change
produces an alphanumeric string.
54. WAF Web ACL - put it in front of API Gateway to stop malicious SQL
injection etc.
55. Amazon Data Lifecycle Manager - automatically create scheduled
snapshots of EBS volumes.
56. Amazon Inspector - use it for detailed CVE assessment and scanning
for approved AMIs
57. Automatic tagging - AWS Service Catalog TagOption - can tag
provisioned resources with unique identifiers. Another option is the
CloudFormation Resource Tags property.
58. AWS Billing - On the AWS Billing and Cost Management console of the
parent account, ensure that consolidated billing is enabled
59. IP packet attack - configure Challenge-Handshake Authentication
Protocol (CHAP) to authenticate iSCSI target and initiator connections.
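Added example (not from these notes): the CHAP exchange iSCSI uses for initiator authentication, modelled on RFC 1994 with the MD5 algorithm, with both the target's and the initiator's side of the exchange. The initiator name, secret and session ids are constructed; the per-session challenge is random as in the real protocol.

```python
import hashlib
import hmac
import os

def chap_response(identifier, secret, challenge):
    """RFC 1994: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()

class Target:
    """iSCSI target side (e.g. a Storage Gateway volume): holds each initiator's secret."""
    def __init__(self, initiator_secrets):
        self.secrets = initiator_secrets   # initiator name -> shared secret
        self.pending = {}                  # session id -> (identifier, challenge)

    def challenge(self, session_id):
        ident = os.urandom(1)[0]           # 1-byte identifier
        chal = os.urandom(16)              # fresh random challenge per session
        self.pending[session_id] = (ident, chal)
        return ident, chal

    def verify(self, session_id, name, response):
        ident, chal = self.pending.pop(session_id)   # one-shot: a challenge is never reused
        secret = self.secrets.get(name)
        if secret is None:
            return False
        expected = chap_response(ident, secret, chal)
        return hmac.compare_digest(expected, response)   # constant-time comparison

class Initiator:
    """iSCSI initiator (the client) that knows its own name and secret."""
    def __init__(self, name, secret):
        self.name, self.secret = name, secret

    def answer(self, ident, chal):
        return self.name, chap_response(ident, self.secret, chal)

def run_login(target, initiator, session_id):
    """Target -> Challenge, Initiator -> Response, Target -> Success/Failure."""
    ident, chal = target.challenge(session_id)
    name, resp = initiator.answer(ident, chal)
    return target.verify(session_id, name, resp)

def demo():
    # Constructed initiator name and secrets for illustration only.
    name = "iqn.2000-01.com.example:host1"
    target = Target({name: b"constructed-12char-secret"})
    good = Initiator(name, b"constructed-12char-secret")
    bad = Initiator(name, b"wrong-secret-value-here")
    ok = run_login(target, good, "s1")
    rejected = run_login(target, bad, "s2")
    # A response recorded in one session is useless in a later one, because
    # the target issues a fresh challenge every time: this is what the random
    # challenge buys over a plain password.
    ident, chal = target.challenge("s3")
    _, resp = good.answer(ident, chal)
    target.verify("s3", name, resp)        # consumes session s3
    target.challenge("s4")
    stale = target.verify("s4", name, resp)
    return {"valid": ok, "wrong_secret": rejected, "stale_response": stale}
```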
60. Docker on Fargate - more EXPENSIVE than API Gateway and Lambda
functions
