Please enable JavaScript.

Coggle requires JavaScript to display documents.

AWS SysOps Administrator Associate, Deployment Policies, image, image,…

- - - - EXAM TIP: instance shutdown behavior = terminate and termination protection enabled
        :!!: Result: Instance will be terminated
      - EC2 Launch Troubleshooting
        :!?: InstanceLimitExceeded - Means you've reached max limit of instance per region
        
        :!!: EXAM TIP: Sept 24, 2019 - Limits are counted in vCPUs (Not Instances)
        :check: Default is 32
        :no_entry: Not yet in the exam but good to know
        
        :star: Resolution:
        Solution 1: Launch instances in another region
        Solution 2: Request AWS to increase your limit for the given region
        :red_flag: Default is 20 instances per region
        
        :!?: # InsufficientInstanceCapacity
        AWS does not have enough on-demand capacity in that particular AZ
        https://aws.amazon.com/premiumsupport/knowledge-center/ec2-insufficient-capacity-errors/
        
        :star: Resolution:
        Solution 1: Wait a few minutes and try again
        
        :star: Resolution:
        Solution 2: Request 1 instance at a time
        Solution 3: Submit a request for a different instance type (Resize later if needed)
        
        :!?:Instance Terminates Immediately
        Goes from pending to terminate
        
        :warning: Issue: Reached max EBS volume limit
        :warning: Issue: Corrupted Snapshot
        
        :warning: Issue: EBS volume encrypted / you don't permission to access KMS for decryption
        :warning: Issue: Instance stored-backed AMI is missing a required part (image.part.xx file)
      - EXAM TIP: instance shutdown behavior = Stop and termination protection enabled
        :!!: Result: Instance will be Stopped
    - - Reserved (Minimum 1 Year)
        Reserved: Long workloads
        Convertible: Long workloads, flexible instances
        Scheduled: i.e Every Tuesday btw 3 and 6 pm
        
        Reserved: Up to 75% discount compared to On-Demand
        Reservation can be 1 or 3 years
        Can reserve specific instance type
        
        Convertible: Can change EC2 Instance type
        Up to 54% discount
        
        Scheduled: Launch within time window
      - Spot Instances - Short workloads, cheap, can lose instance
        Up to 90% savings compared to On-Demand
        May lose the instance if current price > than your max price
        Not recommended for critical apps
        
        Spot Block - Block a spot instance for a specified amount of time (1 to 6 hours) no interruptions
        
        You can only cancel Spot Instance requests that are Open, Active of Disabled
        
        :!!: Cancelling a Spot Request does not terminate the Instance
        
        Must cancel Spot Request First, and then terminate associated Spot Instances
      - On Demand - Short workload, predictable pricing
      - Dedicated Instances: Customers have dedicated hardware
        Dedicated Hosts: Book an entire physical server (control instance placement)
      - Spot Fleet
        :check: Mix of Spot Instances + optional On-Demand
        
        Strategies
        :red_flag: lowestPrice: Cost optimization, short workload
        :red_flag: diversified: Great for availability, log workloads
        :red_flag: capacityOptimized: Optimal capacity for number instances
  - - - :pencil2: Low-latency group in a single hardware and single AZ
        :smiley: Upside: High-performance (10Gbps between instances)
        :cry:: Downside: High-Risk - Rack fails, all instances fail
        Use Case: Big Data job that needs to complete fast or apps that need extreme low latency and high network throughput
    - - :pencil2: Spread across different hardware
        :warning: Limitation: Up to 7 instances per group/ per AZ
        :!!: Recommended use: Critical Apps / max HA, instance isolation from failures
    - - :new: Spread across different partitions
        :check: Different set of racks (hardware) within an AZ
        :neutral_face: 7 partitions per AZ
        :smiley: Upside: Scale to 100s of EC2 instances per group
        :smiley: Upside: Instances in partition 1 do not share the same rack as partition 2 etc
        :smiley: Upside: A partition failure won't will affect all instances on that partition. Do not affect instances in other partitions
        :!!: Allows you to run apps such as: Hadoop, Cassandra, Kafka
        :star: EC2 get access to the partition info as Metadata
  - - - Limitations:
        :!!: Can't copy encrypted AMI shared from another account
        :!!: Copy snapshot while re-encrypting with your own key
        :!!: Can't copy AMI associated with billingProduct code
- - - - Classic LB
        :check: Deprecated
        :check: ALB and CLB support SSL termination
        :check: All LBs have health check capability
        :check: Only ALB can route based on hostname /path
        
        Pre-Warming
        :check: Traffic scales gradually
        :check: May fail in case of sudden traffic spike
        :check: For expected high traffic - Open a support ticket
      - Application Load Balancer (ALB)
        :check: Layer 7 LB
        :check: Can LB to multiple HTTP apps (Target Groups)
        :check: Can LB to multiple apps on the same machine (Think Containers)
        :check: Can LB based on route in URL, or hostname
        
        :bulb:EXAM TIP: Must enable X-Forwarded-For header to see the true source IP address of the user
      - Network Load Balancer (NLB)
        :check: Used for extreme high performance access (Not recommended as default LB)
        :check: Forward TCP traffic (Layer 4)
        :check: Millions of requests per sec
        :check: Supports static and EIP
        
        :bulb: EXAM TIP: Can see the client IP (No Need for X-Forwarded-For) header
        
        :warning: EXAM TIP: Limitations
        :check: 1 static IP per subnet
        :check:No SSL termination (SSL must be enabled at the app level)
        
        :bulb: EXAM TIP:
        :!!:Chain an NLB and ALB = ALB with a fixed IP
      - Monitoring
        :check: All LB metrics are pushed to CloudWatch metrics
        :check: BackendConnection errors
        :check: Latency
        :check: RequestCount
        :check: SurgeQueueLength max value is 1024
        :check: SpillOverCount (Number or rejected requests)
        
        Access Logs
        :check: Can be stored in S3 Pay only for S3 storage
        :check: Keep access data after ELB or EC2 termination
        :check: Already encrypted by default
    - - LB Error 503 = Capacity or no registered target
        LB can't connect to App = Check Security Group
      - :link:HTTP Error Status Codes
    - - :warning: May bring inbalance to backend EC2
- - - - :warning: Only GP2 and IO1 can be used for boot volume
      - Size: 1GiB to 16TiB
        Max IOPS 16K
        3IOPS per GB
  - - - EBS Encryption
        :check: All Snapshots are encrypted
        :check: Leverages keys from KMS (AES256)
        :check: Data at rest is encrypted
        :check: Data in-flight (btw instances) is encrypted
      - EBS Migration:
        :check: Can only be done by copying Snapshot to another AZ or Region
        :check: Create the volume from the Snapshot
      - Instance Store
        
        Pros:
        :check: Better I/O performance
        :check: Good for buffer / temporary data
        
        Cons:
        :check: Does not survive stop or termination
    - - RAID0
        :smiley: Increased performance and more disk space
        :cry: one disk fails, all the data is failed
      - RAID1
        :smiley: Mirroring a volume to another
        :smiley: one disk fails, our logical volume is still working
  - - - :check: Uses NFS v4.1 Protocol
        :check: Requires Security group configuration
        :check: Only compatible with Linux (Not Windows)
- - - - :!!: Delete Marker
        Objects deleted receive a delete marker with zero size.
  - - - SSE-S3
        
        :pencil2: Encryption keys handled and managed by S3
        :pencil2: Objects encrypted on server side
        :pencil: Uses AES-256 encryption type
        :bulb: Must set header: "x-amz-server-side-encryption":"AES256"
      - SSE-KMS
        
        :pencil2: Encryption keys handled and managed by KMS
        :pencil2: Objects encrypted on server side
        :pencil2: All KMS advantages + audit trail
        :bulb: Must set header: "x-amz-server-side-encryption":"aws:kms"
      - SSE-C
        
        :pencil2: Server side encryption, data keys are managed by the customer outside AWS
        :pencil2: HTTPS must be used
        :pencil2: HTTP header must be provided for every HTTP request
      - Client Side Encryption
        
        :pencil2: Must use client library such as S3 encryption client
        :pencil2: Must encrypt data before sending to S3
        :pencil: decryption of the data is done by the customer
        :!!: S3 does not perform any encryption
  - - - Same Origin: http://example.com/app1 & http://example.com/app2
        Different Origin: http://example.com & http://other.example.com
        
        CORS headers must be enabled
  - - - :pencil2: IAM Policies (Which API Calls can a user make???)
    - - :pencil2: Bucket Policies
        :pencil2:Object Access Control List (Fine Grained)
        :pencil2:Bucket Access Control List (Less Common)
  - - - EXCEPT IF
        You perform GET before to see if object exists
        GET 404 => PUT 200 => 404
        (Eventually Consistent)
        
        Trying to retrieve (read) an object right away, may return an old version of the object as S3 uses eventually consistency model
        
        :!!: S3 does not offer strongly consistency model
  - - - :warning:
        :red_flag:Do not set your logging bucket to be monitored
        :red_flag: it creates a logging looop)
        :red_flag: Size will grow exponentially
  - - - Use Cases:
        CRR: Compliance, low latency access, replication across accounts
        SRR: Log Aggregation, live replication between environments
        :warning: Replication is asynchronous
  - - - Lifecycle rules
        Define when objects are transitioned to another storage class
        
        EXAMPLES:
        :check: Move to Standard IA 60 days after creation
        :check: Move to Glacier for archiving after 6 months
        
        Expiration can be set to delete an object after some time
  - - - File Gateway
        S3 buckets accessible via NFS and SMB Protocol
        
        Most recent used data is cached in the File Gateway
      - Volume Gateway
        :check: Block staorage using iSCSI backed by S3
        :check: cached volume (low latency) - most recent data locally
        :check: storage volume: entire dataset is on prem
        
        Cached Mode - Store entire dataset in S3 and cache most frequently accessed data on-prem
        
        Stored Volume Mode - Entire dataset stored onsite and backed up to S3
        
        Each volume can be up to 16TB and max of 512TB per gateway
        
        Each volume can be up to 32TB and max of 1PB per gateway
      - Tape Gateway
        :check: Virtual Tap Library (VTL) backed up by S3 and Glacier
- - - - :!!: :bulb:EXAM TIP: Aurora Database is an optional topic and does not come up often in the exam, except as a potential wrong answer
      - Scalability:
        :pencil2: Can only be scaled up. No option to decrease storage capacity
        :pencil2: You can change the storage type for all DB engines except MS SQL
        :pencil2: Scale can be done without stopping the instance w/ some performance degradetion.
        :!!: IMPORTANT: Changing instance type will cause downtime. You can set a maintenance window
        
        Multi-AZ Deployment
        
        :check: Synchronous replication
        :check: Only one primary DB engine instance active
        :check: Used for DR strategies since you have Active/Standby
        :check: Upgrades happen on the secondary first
        :!!: Always Spans across two AZs in a single region (Cannot be multi-Region)
        :smiley: Provides automated Backups
        
        :bulb: EXAM TIP
        Failover to Standby may take up to 1 minute
        :!!: Recommended to implement DB connection retries at the app level
        
        :bulb: EXAM TIP
        :!!: You cannot read from the Standby Database
        :!!: Only used for Disaster Recovery
        :!!: No need to change app URL since it remains unchanged
        :!!: Backups are done from the standby; hence, no service disruption
        
        Read Replicas
        
        :check: Asynchronous replication
        :check: Used to scale reads
        :check: All read replicas are accessible
        :check: Can be within an AZ, Cross-AZ or Cross Region
        Upgrades are independent
        A read replica can be promoted to a standalone
        :cry:No Automated Backups
        
        :!!: Application must be reconfigured to point to the new read address instance
    - - Snapshot
        Unencrypted DB must be encrypted from a Snapshot
  - - - Caching Strategies
        
        Lazy Loading
        Data is loaded only when needed. i.e Data has not been written in memory before
        
        :warning: Data can become stale if Lazy Loading is implemented without TTL
- - - - pushed from your systems/apps as well as other AWS services
      - stored indefinitely (not in S3)
      - CloudWatch Logs require an agent installed and running on EC2 instance and EC2 instance need to have a role with permissions to send logs to CloudWatch
        :!!: By Default, EC2 instance do not send logs to CloudWatch
      - Basic Lambda permissions required to log to CloudWatch Logs include: CreateLogGroup,
        CreateLogStream, and PutLogEvents.
    - - :!:Cannot be performed via the console
        :!:Must use the CloudWatch Logs API
        associate-kms-key: if the log group already exists
        create-log-group: if the log group does not exist yet
        
        CloudWatch must be authorized via the key policy to use the CMK
        i.e "Principal": {"logs.west-2.amazonaws.com"},
    - - CloudWatch Custom Metrics
        Metric resolution
        :!: Standard: 1 minute (60 seconds)
        :!: High Resolution: up to 1 second – Higher cost
        :!: Use StorageResolution API call to enable high resolution
        :!: Use PutMetricData to send custom metric
        
        :!!: High Resolution
        Gives more immediate insight into your application’s sub-minute activity
        
        :warning: PutMetricData on high-resolution metric can lead to higher charges
      - Free Tier allows for 10 detailed monitoring metrics
    - - :smiley: 3 Dashboards up to 50 metrics are FREE
        :moneybag: $3 USD after that
  - - - Logs are delivered every 5 active minutes (with up to 15 minutes delay)
      - for example RDP/SSH sessions are NOT logged
      - you can move/delete logs after every X days by using S3 Lifecyclemanagement
      - Log file Integrity is validated by default (checks if it was modified)
        
        Every hour log files are delivered with 'digest' file to validate the log's integrity
        
        It uses SHA-256 hashing and SHA-256 with RSA for digital signing
      - Prevent logs from being deleted by configuring S3 MFA Delete
      - you can use SSE-S3 or SSE-KMS for encrypting logs
      - S3 and Lambda Data Events are NOT enabled by default in CloudTrail - you have to enable logging them explicitly and additional charge is taken (0,1$ per 100 000 events)
  - - - Configuration Recorder
        
        configuration of Config that records and stores Config Items
        
        records configuration change
        
        Stores everything in S3 Bucket
      - Config Items
        
        Point-in-time attributes of resources
      - Configuration Stream
        
        stream of changed Config Items
      - Configuration History
        
        Collection of Config Items for a resource over time
      - Configuration snapshots
        
        collection of Configuration Items
    - - security analysis
      - compliance auditing
      - resource tracking
- - - - minimize the attack surface (e.g. by using Bastion Host with whitelisted IPs, the attack surface is limited to exposed, few hardened entry points)
      - DDoS Cost Protection: AWS Shield Advanced comes with DDoS cost protection, to safeguard against scaling charges resulting from DDoS-related usage spikes on protected Amazon Elastic Compute Cloud (EC2), Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator, or Amazon Route 53 resources. If any of these protected resources scale up in response to a DDoS attack, you can request AWS Shield Advanced service credits via your regular AWS Support channel https://aws.amazon.com/shield/features
    - - should be enabled when you use ELB, CloudFront or Route53
        
        in Route53 using alias Record Sets you can redirect traffic to CloudFront distribution, Private DNS
        
        Safeguard Exposed Resources (e.g. by using geolimitatio, CloudFront, Route53, WAFs)
    - - re:Invent Video: DDOS Best Practices: https://www.youtube.com/watch?v=HnoZS5jj7pk
      - AWS DDoS protection whitepaper: https://d1.awsstatic.com/whitepapers/Security/DDoS_White_Paper.pdf
  - - - For more than basic checks you have to upgrade your support plan to Business or Enterprise
- - - - Automate actions such as: shutdown EC2, Create AMIs
        Run Command, Patch Manager, Session Manager
      - Parameter Store
        
        :pencil2: Secure Storage for configuration and secrets
        :pencil2: Can use Encryption KMS
        :pencil2: Serverless
        :pencil2: Version tracking
        :smiley: FREE
        
        Uses IAM
        CloudWatch Events Notification
        CloudFormation integration
        
        Can create parameter store hierarchy
        
        Allows you to call specific parameters via i.e Lambda functions using APIs
        GetParameters or GetParametersByPath
      - :pencil2: SSM requires the SSM agent installation on the system
        :pencil2: Comes with Amazon Linux AMI by default and some Ubuntu AMis
        :pencil2: Requires an IAM role "AmazonEC2RoleforSSM"
        TIP: SSM will not see the instance without this Role
        
        SSM Documents
        :check: Can be in JSON or YAML
        :check: Define actions
        :check: AWS has many already
        
        SSM Run Command
        :check: Can execute a command or a script
        :check: Integrated with IAM and CloudTrail
        
        SSM Inventory & Patches
        
        SSM Inventory
        :pencil2: Inventory + Run Command = Patch Software
        
        Path Manager
        :pencil2: Path Mgr + Maint. Window = Patch OS
        :pencil2: Patch Mgr = Compliance
        :pencil2: State Mgr = Ensure instance consistency
        
        SSM Secure Shell
        :pencil2: Session Manager - Allows Secure Shell to EC2 and On-Prem
        
        Upside
        :smiley: Does not use SSH access or Bastion Hosts
        :smiley: Support EC2 and On-Prem
        
        Upside
        :smiley: Logs sent to CloudWatch Logs
        :smiley: IAM Permissions: SSM + Write to S3 + Write to CloudWatch
        :smiley: No need to open TCP 22 for SSH
        
        EXAM TIPS: Lost SSH Keys
        
        Traditional Method (EBS Backed)
        :check: Stop Instance / detach root volume
        :check: Attach root volume to another Instance as a data volume
        :check: Add new key to ~/.ssh/authorized_keys file
        :check: Move the volume back to the stopped instance
        :check: Start the instance (SSH works again)
        
        New Method (EBS)
        :check: Run AWSSupport-ResetAccess Doc in SSM
        
        Instance Store backed EC2
        :warning: Can't stop instance / Data will be lost
        :cry: AWS Recommends termination
        
        Off the Books TIP
        :check: Use Session Manager and edit ~.ssh/authorized_keys file directly
      - AWS TAGs
        Free name convention
        Used for resource grouping, automation, cost allocation
      - Resource Groups
        Creation of logical groups of resources: apps, app stack, prod vs dev
  - - - Similar to CHEF and Puppet
        :check: Manage configuration as code
        :check: Linux and Windows
        :check: OpenSource
        :check: CHEF file config = Recipes
        :check: Puppet file config - Manifest
        
        :bulb: EXAM TIP: Everytime CHEF and Puppet are mentioned = OpsWork
- - - - :check: Only pais for the provisioned resources
        :check: Automatically apply updates to server OS
        :check: It leverages Cloudformation to provision the resources
        
        EB integrates with CloudWatch and X-Ray for application monitoring
  - - - WebServers: standard applications that listen for and then process HTTP requests
    - - :pencil2: Use the .ebextensions to configure instances to terminate HTTPS (end-to-end)
        
        HTTP to HTTP Redirection
        :check: Configure an ELB to terminate HTTPS
        :check:Configure the application to terminate HTTP if a single instance
- - - - :star:JSON or YAML text file that contains the instructions for building out the AWS environment
      - Stack
        
        :star: The entire environment described by the template
        
        StackSets
        
        :check: StackSets extends the functionality of stacks
        :check: Enables you to create, update, or delete stacks across multiple accounts and regions with a single operation
        
        Nested Stacks
        
        :check: Stacks as part of other stacks
        :check: Isolated repeated patterns, reuse common components from other stacks
        
        :!!: Always update the root (Parent) stack prior to updating the nested
    - - Resources
        
        Parameters
        
        :check: Enable you to input custom values to the template each time you create or update a stack.
        
        Mappings
        
        :check: Matches a key to a corresponding
        set of named values.
        :check: Can set values based on a region
        
        Outputs
        
        :check: Declares output values that you can
        import into other stacks
        
        Conditions
        
        :check: Contains statements that define
        the circumstances under which entities are created or configured
        
        Transform
        
        1 more item...
        
        :check: Declares the AWS resources that
        you want to include in the stack
    - - :thinking_face: Issue: AMI does not have helper script
        :smiley:Solution: Download to your EC2 from AWS website
      - :thinking_face: Issue: cfn-init & cfn-signal failed
        :smiley:Solution: check /var/log/cloud-init.log or /var/log/cfn-init.log
      - :pencil2: Retrieve logs by logging into the EC2
        :warning: Must disable rollback on failure
      - :pencil2: Verify instance has connection to Internet via IGW or NAT GW
    - - DeletePolicy = Snapshot
        Delete resources but retain the data
        
        Default Behavior
        DeletePolicy = Delete
        :!!: Except for RDS
      - Enable Termination Protection at the stack to prevent accidental deletion
    - - Rolling Update
        
        Updates instances in batches
      - Replacing Update
        
        :explode: Destroy the old ASG
        :new: Creates a brand new ASG
- - - - It takes a lot of time distribute this change *from several hours to 24 hours even)
      - you can grant read permissions when configuring CloudFront distribution or you can do it by yourself (by updating the Origin Access Identity permissions)
  - - - Certificates for CloudFront have to be stored in US East (N. Virginia) region or in IAM (certs can be imported to IAM only via CLI)
        
        To use custom SSL certificate (for your custom domain name, e.g. example.com) you have to import it using ACM (AWS Certificate Manager)
  - - - Cloudfront vs S3 CRR
        CloudFront
        :pencil2: Files are cached for a TTL i.e 24 hours
        :pencil2: Great for static content that must be available everywhere.
        :pencil2: Content may be outdated for a period of time
        CRR
        :pencil2: must be setup in each region
        :pencil2: Files updated in near real-time
  - - - :link:HTTP Error Status Codes
- - - - Migrate RDS DB from EB to RDS Standalone
        :check: Take snapshot from RDS DB
        :check: Enable deletion protection
        :check: Create new EB env (no DB) and point Apps to the existing RDS DB
        :check: Perform Blue/Green Deployment
        :check: Terminate the old environment
        :check: Delete the CloudFormation Stack
        
        https://www.youtube.com/watch?v=lmT7QI8IIiM
        
        re:Invent 2018: PaaS – From Code to Running Application using AWS Elastic Beanstalk (DEV323)
        
        https://www.youtube.com/watch?v=o4clRJuH9xU
        
        re:Invent 2019: Deploy your code, scale, and lower cloud costs using Elastic Beanstalk (DOP326)
- - - - Vault Policies and Vault Lock
        :check: Written in JSON
        :check: Each vault has 1 vault access policy and 1 vault lock policy
        
        :!!: Vault Lock Policy is immutable
- - - - Remote account must accept the peering request
        
        Peering Routing Tables
        Must add routes on both sides
        :!!: VPCs cannot have overlapping subnets