AWS Solution Architect Certification Notes – Part 5

My AWS certification notes part 5 from A Cloud Guru material

Shared Responsibility

  • AWS
    • Responsible for security ‘of’ the cloud
    • Decommissioning storage devices
    • Securing physical access to AWS resources
    • Virtualization infrastructure
  • Customer
    • Responsible for security ‘in’ the cloud
    • Security group & NACL settings
    • Patch management on EC2 instances
    • Life cycle management of IAM credentials (rotation, removal of unused keys)
    • Encryption of EBS volumes
    • OS, network and firewall configuration
    • Customer data
    • Server-side encryption (AWS provides it, the customer has to enable it)

OpsWorks

  • Orchestration service that uses Chef
  • Chef uses ‘recipes’ that describe the desired state of a server and keep it in that consistent state
  • Recipes are grouped into cookbooks

Security

  • Design Principle
  • Apply security at all layers
  • Enable traceability
  • Automate responses to security events
  • Focus on securing your system – AWS secures the cloud itself (shared responsibility)
  • Automate security best practices
  • Definition
  • consists of 4 areas
  • Data Protection
    • Organise and classify your data (public, employees only, MD only)
    • Least privilege access (people can only access what they need)
    • Encrypt everything possible (in transit and at rest)
    • ELB, EBS, S3 and RDS all support encryption
  • Privilege management
    • Only authorized and authenticated users are able to access your resources
    • Access control lists
    • Role-based access control
    • Password management
    • IAM, MFA
  • Infrastructure protection
    • How you protect your VPC: security groups, NACLs, private subnets etc.
  • Detective controls
    • Detect or identify a security breach
    • CloudTrail, CloudWatch, AWS Config
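As an added example (not part of these notes or the A Cloud Guru material), here is the kind of detective control the last bullet points at: a few checks run over CloudTrail records, looking for root user activity, console logins without MFA and repeated failed logins. The log file below is constructed sample data laid out the way CloudTrail writes its JSON log files; the checks and the failure threshold are my own choices, not an AWS feature.

```python
import json
from collections import Counter
from typing import Dict, List, Tuple

# Constructed CloudTrail log file (sample data, not from a real account). The
# shape follows CloudTrail's log file format: one object with a "Records" array.
# Only the fields the checks below read are filled in.
SAMPLE_LOG = json.dumps({"Records": [
    # root user signs in to the console without MFA
    {"eventTime": "2020-01-01T08:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "recipientAccountId": "111111111111",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111111111111:root"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    # IAM user signs in with MFA: nothing to report
    {"eventTime": "2020-01-01T08:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "recipientAccountId": "222222222222",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::222222222222:user/alice"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    # three failed sign-ins for the same user in a row
    *[{"eventTime": f"2020-01-01T08:1{i}:00Z", "eventSource": "signin.amazonaws.com",
       "eventName": "ConsoleLogin", "recipientAccountId": "222222222222",
       "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::222222222222:user/bob"},
       "responseElements": {"ConsoleLogin": "Failure"},
       "additionalEventData": {"MFAUsed": "No"},
       "errorMessage": "Failed authentication"} for i in range(3)],
    # ordinary API call through an assumed role
    {"eventTime": "2020-01-01T08:20:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "recipientAccountId": "222222222222",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::222222222222:assumed-role/ops/alice"}},
    # root user making an API call
    {"eventTime": "2020-01-01T08:30:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "recipientAccountId": "111111111111",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111111111111:root"}},
]})


def parse_records(log_text: str) -> List[Dict]:
    """Return the Records array of one CloudTrail log file."""
    return json.loads(log_text)["Records"]


def _actor(rec: Dict) -> str:
    ident = rec.get("userIdentity", {})
    return ident.get("arn") or ident.get("type", "unknown")


def find_root_usage(records: List[Dict]) -> List[Tuple[str, str]]:
    """Any activity by the root user, as (account, eventName) pairs."""
    return [(r["recipientAccountId"], r["eventName"])
            for r in records if r.get("userIdentity", {}).get("type") == "Root"]


def find_logins_without_mfa(records: List[Dict]) -> List[Tuple[str, str]]:
    """Successful console logins where MFA was not used."""
    hits = []
    for r in records:
        if r.get("eventName") != "ConsoleLogin":
            continue
        if r.get("responseElements", {}).get("ConsoleLogin") != "Success":
            continue
        if r.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            hits.append((r["recipientAccountId"], _actor(r)))
    return hits


def find_failed_login_bursts(records: List[Dict], threshold: int = 3) -> List[Tuple[str, str, int]]:
    """Actors with at least `threshold` failed console logins (password guessing)."""
    failures = Counter(
        (r["recipientAccountId"], _actor(r))
        for r in records
        if r.get("eventName") == "ConsoleLogin"
        and r.get("responseElements", {}).get("ConsoleLogin") == "Failure")
    return [(acct, who, n) for (acct, who), n in failures.items() if n >= threshold]


def scan(log_text: str) -> Dict[str, list]:
    """Run all three checks over one log file and group the findings by check."""
    records = parse_records(log_text)
    return {
        "root_usage": find_root_usage(records),
        "logins_without_mfa": find_logins_without_mfa(records),
        "failed_login_bursts": find_failed_login_bursts(records),
    }


if __name__ == "__main__":
    for finding, hits in scan(SAMPLE_LOG).items():
        print(finding, hits)
```

On a real deployment the same functions would be fed the gzipped files CloudTrail drops in S3 (one `Records` array per file) or the events CloudWatch Logs receives from the trail, and the findings would go to an SNS topic or alarm rather than `print`.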

Reliability

  • Ability of a system to recover from service or infrastructure outages and to acquire computing resources dynamically to meet demand
  • Design Principle
  • Test recovery procedures
  • Automatically recover from failures
  • Scale horizontally to increase aggregate system availability
  • Stop guessing capacity
  • Definition
  • consists of 3 areas
  • Foundations – IAM, VPC
  • Change Management – CloudTrail
  • Failure Management – CloudFormation

Performance Efficiency

  • Design Principle
  • Democratize advanced technologies
  • Go global in minutes
  • Use serverless architectures
  • Experiment more often
  • Definition
  • Consists of 4 areas
  • Compute – Autoscaling
  • Storage – EBS, S3, Glacier
  • Database – RDS, DynamoDB, RedShift
  • Space-time trade-off – CloudFront, ElastiCache, Direct Connect, RDS read replicas

Cost Optimization

  • Design Principle
  • Transparently attribute expenditure
  • Use managed services to reduce cost of ownership
  • Trade capital expense for operating expense
  • Benefit from economies of scale
  • Stop spending money on data centers and operations
  • Definition
  • Consists of 4 areas
  • Matched supply and demand – Autoscaling
  • Cost effective resources – EC2 (reserved instances), Trusted Advisor
  • Expenditure awareness – CloudWatch alarms, SNS
  • Optimizing over time – AWS blog, Trusted Advisor

Operational Excellence

  • Design Principle
  • Perform operations with code
  • Align operations processes to business objectives
  • Make regular, small, incremental changes
  • Test for responses to unexpected events
  • Learn from operational events and failures
  • Keep operations procedures current
  • Definition
  • Consists of 3 areas
  • Preparation
    • Runbook
    • Playbook
    • Tagging the resources
    • CloudFormation, Auto Scaling, AWS config, Service catalog, SQS
  • Operation – CodeCommit, CodeDeploy, CodePipeline, AWS SDKs, CloudTrail
  • Response – CloudWatch, alarms, SNS

BigData

  • To ingest big data – Kinesis
  • For business intelligence – Redshift
  • For big data processing – Elastic MapReduce (EMR)

Consolidated Billing

  • AWS Organizations
  • Account management service that enables you to consolidate multiple AWS accounts
  • Centrally manage policies across multiple AWS accounts
  • Control access to AWS services
    • You can create Service Control Policies (SCPs). E.g. deny the accounts in your HR organizational unit access to Kinesis or DynamoDB
    • Even if an IAM policy in the member account allows the action, the SCP overrides it: an SCP caps what the account can ever do, it never grants anything by itself, so IAM still has to allow the action as well
  • Automate AWS account creation
  • Consolidate billing across multiple AWS accounts
  • Two feature sets
    • Consolidated Billing only
    • All Features (required for SCPs)
  • Single payment method for all the AWS accounts
  • Paying account is for billing purposes only. Do not deploy services in the paying account
  • Linked accounts – 20 is the default limit (can be raised through AWS support)
  • Billing alerts can be set up consolidated and per account
  • Consolidated billing on the linked accounts
  • Consolidated billing gives you volume discounts across all your accounts. E.g. the more S3 storage you use the less you pay per GB, so pooling the storage used by all accounts saves money
  • Unused reserved EC2 instances are applied across the accounts, which reduces cost
  • CloudTrail
  • Trails are per AWS account and per region (a trail can also be configured to cover all regions)
  • Can consolidate the logs of all accounts into one S3 bucket
    • Turn on CloudTrail in the paying account and deliver to a bucket in that account
    • Add a bucket policy that lets the CloudTrail service principal (cloudtrail.amazonaws.com) call s3:PutObject on AWSLogs/<account-id>/* for every linked account and s3:GetBucketAcl on the bucket. This is a bucket policy granting CloudTrail write access, not a CORS configuration
    • Turn on CloudTrail in the linked accounts and point them at the bucket in the paying account
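Added example, not from the notes or the A Cloud Guru material: a small policy evaluator that shows why an SCP wins over an IAM policy in a member account. Both policy documents are constructed for the example. Two simplifications are assumptions made to keep it short: Resource and Condition elements are ignored, and the SCPs are treated as one flat list instead of the real per-OU inheritance chain (in which every level from the root down to the account has to allow the action).

```python
import fnmatch
from typing import Dict, Iterable, List

# Constructed policy documents (not from a real organization).
# SCPs attached to the HR organizational unit: the FullAWSAccess default plus a
# deny on Kinesis and DynamoDB for every account in that OU.
HR_OU_SCPS = [
    {"Version": "2012-10-17",
     "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    {"Version": "2012-10-17",
     "Statement": [{"Effect": "Deny", "Action": ["kinesis:*", "dynamodb:*"],
                    "Resource": "*"}]},
]

# IAM identity policy inside one HR member account; the local admin has tried to
# grant DynamoDB, which the SCP above must win over.
HR_USER_IAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"},
        {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"},
    ],
}


def _as_list(value) -> List:
    return value if isinstance(value, list) else [value]


def _action_matches(pattern: str, action: str) -> bool:
    # IAM action names are matched case-insensitively with * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def evaluate_policy(policy: Dict, action: str) -> str:
    """Verdict of one policy document for an action: 'Deny', 'Allow' or 'Implicit'.

    Resource and Condition elements are ignored (assumption for this example);
    the point is the interaction of the SCP layer with the IAM layer.
    """
    verdict = "Implicit"
    for st in policy["Statement"]:
        if "Action" in st:
            hit = any(_action_matches(p, action) for p in _as_list(st["Action"]))
        else:  # NotAction statements match everything except the listed actions
            hit = not any(_action_matches(p, action) for p in _as_list(st["NotAction"]))
        if not hit:
            continue
        if st["Effect"] == "Deny":
            return "Deny"  # an explicit deny always wins
        verdict = "Allow"
    return verdict


def scp_allows(scps: Iterable[Dict], action: str) -> bool:
    """The SCP layer passes an action only if no SCP denies it and one allows it."""
    verdicts = [evaluate_policy(p, action) for p in scps]
    return "Deny" not in verdicts and "Allow" in verdicts


def effective_decision(scps: Iterable[Dict], iam_policy: Dict, action: str) -> str:
    """SCPs set the ceiling for the account; IAM grants permissions within it."""
    if not scp_allows(scps, action):
        return "Deny (blocked by SCP)"
    if evaluate_policy(iam_policy, action) != "Allow":
        return "Deny (not granted by IAM)"
    return "Allow"


if __name__ == "__main__":
    for act in ("dynamodb:PutItem", "kinesis:PutRecord", "s3:GetObject", "ec2:RunInstances"):
        print(f"{act:20} -> {effective_decision(HR_OU_SCPS, HR_USER_IAM_POLICY, act)}")
```

The fourth action in the usage run is the other half of the rule: an SCP that allows everything does not give the user ec2:RunInstances, because nothing in IAM grants it.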
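The bucket policy the three consolidation steps above need, as an added example that is not from the notes or from AWS documentation: `cloudtrail_bucket_policy` builds the two statements CloudTrail requires (ACL check on the bucket, writes under each account's `AWSLogs/<account-id>/` prefix with the bucket-owner-full-control ACL), and `accounts_not_covered` checks an existing policy against the current list of linked accounts, which is the check to run after adding an account, since a trail in an account the policy does not list cannot deliver. The bucket name and account IDs are placeholders, and the checker only recognises per-account `AWSLogs/<account-id>/*` resources, not organization-wide wildcards (an assumption of this example).

```python
import re
from typing import Dict, List


def cloudtrail_bucket_policy(bucket: str, account_ids: List[str]) -> Dict:
    """Bucket policy that lets the CloudTrail service deliver logs for each listed account.

    CloudTrail first checks the bucket ACL (s3:GetBucketAcl) and then writes objects
    under AWSLogs/<account-id>/ with the bucket-owner-full-control ACL, so the policy
    grants exactly those two things and nothing else.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AWSCloudTrailAclCheck",
             "Effect": "Allow",
             "Principal": {"Service": "cloudtrail.amazonaws.com"},
             "Action": "s3:GetBucketAcl",
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Sid": "AWSCloudTrailWrite",
             "Effect": "Allow",
             "Principal": {"Service": "cloudtrail.amazonaws.com"},
             "Action": "s3:PutObject",
             "Resource": [f"arn:aws:s3:::{bucket}/AWSLogs/{acct}/*" for acct in account_ids],
             "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
        ],
    }


# Per-account log prefix as it appears in a bucket policy Resource element.
_LOG_PREFIX = re.compile(r"^arn:aws:s3:::([^/]+)/AWSLogs/(\d{12})/\*$")


def _as_list(value) -> List:
    return value if isinstance(value, list) else [value]


def accounts_not_covered(policy: Dict, bucket: str, account_ids: List[str]) -> List[str]:
    """Accounts whose trails could not deliver to `bucket` under this policy.

    Only Allow statements for the CloudTrail service principal that grant
    s3:PutObject on a per-account AWSLogs prefix count as coverage.
    """
    writable = set()
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        service = principal.get("Service") if isinstance(principal, dict) else None
        if service != "cloudtrail.amazonaws.com":
            continue
        if "s3:PutObject" not in _as_list(st.get("Action", [])):
            continue
        for res in _as_list(st.get("Resource", [])):
            m = _LOG_PREFIX.match(res)
            if m and m.group(1) == bucket:
                writable.add(m.group(2))
    return [a for a in account_ids if a not in writable]


if __name__ == "__main__":
    import json
    policy = cloudtrail_bucket_policy("org-trail-logs", ["111111111111", "222222222222"])
    print(json.dumps(policy, indent=2))
    print("not covered:", accounts_not_covered(
        policy, "org-trail-logs", ["111111111111", "222222222222", "333333333333"]))
```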

Cross Account Access

  • Lets a user in one AWS account assume a role in another account (switch role in the console) without a separate login

Tags

  • Key-value pair
  • Metadata attached to a resource
  • Case sensitive

Resource Groups

  • group your resources using tags
  • Can contain Region, Name, Health checks etc
  • For EC2 – public and private IP addresses
  • For ELB – port configurations
  • for RDS – DB engine
  • 2 types
  • Classic resource groups
    • Global
  • AWS Systems Manager resource groups
    • Per region based

Direct Connect

  • Dedicated network connection from your premises to AWS
  • Reduces costs when moving large volumes of traffic
  • Increases reliability
  • Increases bandwidth
  • For an immediate need go for a VPN, since it can be set up in minutes (also if you want to encrypt your traffic)
  • A VPN goes over the internet, whereas Direct Connect is a private dedicated link that does not traverse the internet
  • Direct Connect is not a site-to-site VPN
  • It does not encrypt traffic between your VPC and on-premises by itself; run a VPN over the Direct Connect link if you need encryption

Workspaces

  • VDI
  • cloud based replacement for a traditional desktop
  • Windows 7 experience provided by Windows Server 2008 R2
  • By default users can personalise their workspace (wallpaper, icons, shortcuts). This can be locked down by the administrator with a policy
  • By default you are given local admin access, so you can install your own applications
  • Persistent
  • All the data on D:\ is backed up every 12 hours
  • You don’t need an AWS account to log in to Workspaces

ECS

  • Amazon EC2 Container Service (since renamed Amazon Elastic Container Service)
  • Container management service that makes it easy to run, stop and manage docker containers on a cluster of EC2 instances.
  • Docker Components
  • Docker Image – containers are created from a read-only template called an image, which holds the instructions to create the container
  • Docker Container
  • Layers / Union file system
  • DockerFile
  • Docker Daemon / Engine
  • Docker Client
  • Docker Registries – Docker Hub or ECR
  • Container and Images
  • Task definition
  • to run docker containers in ECS
  • text files in JSON format
  • can have
    • docker image name,
    • cpu, memory to use
    • networking mode to use
    • ports
    • IAM role
    • data volumes
    • environment variables
    • init task
  • ECS Clusters
  • logical grouping of container instances
  • a default cluster is created the first time you use ECS
  • Can create multiple clusters
  • Can contain multiple different container instance types
  • region specific
  • A container instance can belong to only one cluster at a time
  • Can use IAM policies to restrict/allow users to access specific clusters
  • ECS Scheduling
  • Service Scheduler
  • Custom Scheduler – you can create your own scheduler or use a third-party one like Blox
  • ECS Container Agent
  • This agent lets container instances connect to your cluster.
  • Comes pre-installed on the ECS-optimized AMI and can be installed on other supported EC2 instances
  • Linux based
  • works with Amazon linux, Ubuntu, Red Hat, CentOs etc
  • Will not work with Windows
  • ECS Security
  • IAM roles- to restrict/allow aceess
  • Security groups – at the container instance level, not at the task or container level (with the awsvpc network mode each task gets its own ENI and security group)
  • Customers have full control over the container instances; with root access you can install third-party apps
  • Container instances need outbound network access to reach the ECS service endpoint, so if your container instances have no public IP you must use a NAT gateway (or a VPC endpoint for ECS) for that access
  • For ECS agents to communicate with the ECS cluster
  • The IAM role (instance profile) used by the ECS instance must allow ecs:Poll and the other agent actions (the managed policy AmazonEC2ContainerServiceforEC2Role covers them)
  • Security groups must allow outbound traffic to the ECS service endpoint
  • Container instances have no password for SSH access; use a key pair to log in securely. You specify the key pair name when you launch the instance, then present the private key when you log in over SSH.
  • ECS launch types
  • Fargate launch type – you don’t have to provision and manage the backend infrastructure. Just register the task definition and Fargate launches the containers for you
  • EC2 launch type
  • Service definition
  • Defines which task definition to use with your service
  • How many instantiations of that task to run
  • which load balancers associated with the tasks
  • cluster on which run your service
  • IAM role that allows ECS to call your load balancer
  • To set ECS container agent configuration during ECS instance launch – set it in the user data of the ECS instance (e.g. write ECS_CLUSTER=<cluster-name> into /etc/ecs/ecs.config before the agent starts)
  • If a shared service is deployed in multiple containers and a customer served by container 1 must not get access to another customer’s data – use IAM roles for tasks, so each task gets its own credentials instead of sharing the container instance role
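Added example, not from the notes or from ECS itself: a checker that runs over a task definition and flags the settings the bullets above are about (a missing task role, privileged containers, secrets passed as plain environment variables, images not pinned to a tag or digest). The task definition is constructed and deliberately contains findings; the list of names treated as secret-like is my own heuristic.

```python
from typing import Dict, List

# Constructed task definition (not a real one); the keys are the ones the
# ECS RegisterTaskDefinition API uses. It deliberately contains three
# problems for the checker to find.
TASK_DEF = {
    "family": "billing-api",
    "networkMode": "awsvpc",
    "taskRoleArn": "arn:aws:iam::111111111111:role/billing-api-task",
    "executionRoleArn": "arn:aws:iam::111111111111:role/ecsTaskExecutionRole",
    "cpu": "256",
    "memory": "512",
    "containerDefinitions": [
        {"name": "api",
         "image": "111111111111.dkr.ecr.us-east-1.amazonaws.com/billing-api:1.4.2",
         "essential": True,
         "portMappings": [{"containerPort": 8080, "protocol": "tcp"}],
         "environment": [{"name": "LOG_LEVEL", "value": "info"},
                         {"name": "DB_PASSWORD", "value": "hunter2"}],
         "privileged": True},
        {"name": "log-shipper",
         "image": "public.ecr.aws/example/log-shipper:latest",
         "essential": False,
         "environment": []},
    ],
}

# Heuristic (my assumption): variable names containing these look like secrets.
SECRET_HINTS = ("PASSWORD", "SECRET", "TOKEN", "PRIVATE_KEY", "ACCESS_KEY")


def image_is_pinned(image: str) -> bool:
    """True if the image reference carries a digest or a tag other than latest."""
    if "@sha256:" in image:
        return True
    last = image.rsplit("/", 1)[-1]  # strip the registry/repository path
    if ":" not in last:
        return False                 # no tag at all means latest
    return last.rsplit(":", 1)[1] != "latest"


def check_task_definition(td: Dict) -> List[str]:
    """Return human-readable findings for settings that widen the blast radius of a task."""
    findings = []
    if not td.get("taskRoleArn"):
        findings.append("task: no taskRoleArn, so containers would use the "
                        "container instance's role and share its permissions")
    for c in td.get("containerDefinitions", []):
        name = c.get("name", "?")
        if c.get("privileged"):
            findings.append(f"{name}: privileged=true gives the container root-level access to the host")
        if not image_is_pinned(c.get("image", "")):
            findings.append(f"{name}: image {c.get('image')!r} is not pinned to a tag or digest")
        for env in c.get("environment", []):
            if any(h in env["name"].upper() for h in SECRET_HINTS):
                findings.append(f"{name}: environment variable {env['name']} looks like a "
                                "secret in plaintext; use the secrets field (valueFrom) instead")
    return findings


if __name__ == "__main__":
    for f in check_task_definition(TASK_DEF):
        print("-", f)
```

The same function can be pointed at the output of `aws ecs describe-task-definition` (the `taskDefinition` object) to audit what is already registered.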

ECR

  • Amazon EC2 Container Registry (since renamed Amazon Elastic Container Registry)
  • Like Docker Hub
  • Docker image repository

