Please enable JavaScript.

Coggle requires JavaScript to display documents.

AWS professional - Coggle Diagram

- - - - EBS snapshot management
        
        scheduled creation of new S from volumes
        
        removal of stale S
  - - - features
        
        store
        
        API keys, passwords, etc
        
        force rotation of K
        
        uses Lambda to create new K automatically
        
        rich integration with AWS
      - a vault for secrets
      - notes
        
        can automatically rotate credentials
        
        KMS is a must for encryption
        
        vs Parameter Store
        
        can rotate K
    - - dedicated hardware device for key management, single tenanted
        
        KMS uses AWS software for encryption, HSM - your custom software
      - notes
        
        must be within a VPC
        
        requires custom scripting!
        
        broad 3rd party support
        
        cost is much higher than with KMS
        
        no free tier!
        
        good choice for SSE-C encryption (customer-provided encryption keys)
      - types
        
        "classic"
        
        pricing
        
        5000$
        
        features
        
        HA with second device
        
        safeNet Luna SA
        
        current
        
        features
        
        clustered HA
        
        proprietary device
        
        pricing
        
        pay-per-hour
      - features
        
        SSL/TLS acceleration
        
        offloads SSL overhead from EC2 to HSM
        
        private key never leaves HSM
        
        must setup a cryptographic user for HSM
    - - notes
        
        integrates with many AWS services
        
        encrypts data it has
      - features
        
        multi-tenant
        
        HA + durability
        
        broad AWS support
        
        grants
        
        dynamically and programmatically allowing a process the ability to use the key
        
        revokes after the need is over
        
        more efficient than analogous IAM manipulations
    - - GuardDuty
        
        notes
        
        analyzes threats for malicious activity with ML
        
        can watch CloudTrail, VPC Flow Logs and DNS Logs
        
        features
        
        build-in list of suspect IP addresses + custom IPs
        
        triggers CW events
        
        30-day trial
    - - resource access manager
      - features
        
        share VPC subnets / Route 53 / License Manager / Transit Gateway, EC2, etc
      - share with any A or within Org to avoid res duplication
      - example
        
        share VPC cross-A
        
        use one range of private IPs, security groups, etc
        
        w/o VPC peering!
    - - features
        
        detects policy violations
        
        auto-setup of AWS Organizations
      - easy way to setup and control secure and compliant multi-account environ
      - example
        
        setup SSO with active directory. All created subsequently
        members will have it by default!
  - - - products are defined as CloudFormation Templates
        
        can be configured, tagged appropriately
    - - launch
        
        IAM role for a user to launch a product
      - notification
        
        SNS topic to receive notifications
      - template
        
        rules to narrow what user may work with
        
        example
        
        allow only certain EC2 instances for DEV environment
    - - for multi-account usage
    - - allows to enforce and apply a tagging strategy
      - to limit usage of standard products
        
        attach License Manager + some DB layer (DynamoDB)
        
        Lambda is currently not available as an incrementer of P usage!
        
        use Step Function instead
      - admins create CF templates, users select resources
      - service catalog is assigned on a Team (set of users) basis
  - - - install its agent on EC2 first
        
        is agentless for net scans
      - used to run CVE assessment on EC2s
    - - reporting
      - SNS events
      - looks for vulnerability at OS / net levels
  - - - recommends cost / security / performance / etc optimization
      - weekly email
    - - full
        
        Business / Enterprise plan
        
        features
        
        CW alarms
        
        programmatic access with Support API
        
        (it is not for modifying limits)
      - limited
        
        free
    - - can validate properties of S3 buckets, not objects!
      - Limits can only be monitored in TA
      - to increase Limits - Support Centre (Service Quotas - new svc)
  - - - track 'baseline' config and subsequent variations
      - Config Rule
        
        checks resources for certain conditions -> marks them as 'noncompliant' if don't satisfy
        
        E: is cloudTrail enabled, is EBS volume encrypted, etc
        
        managed / custom
      - integration with
        
        CT to monitor WHO did the change
        
        CW events (& Lambda)
      - auto-remediation with SSM Automation
        
        if res is not-compliant - fix it
        
        scenario
        
        SG is not compliant
        
        EC2 has non-approved tags
    - - does not prevent non-compliant actions from happening
      - regional svc
        
        can be agg across regions / accounts
  - - - provides config management, task automation, upgrading, deployment, autoscaling, etc
        on AWS and on-prem
    - - Stacks
        
        embedded Chef solo client installed on EC2s to run Chef recipes
        
        what
        
        stack
        
        manages collection of resources
        
        layers
        
        different resources
        
        EC2
        
        RDS, etc
        
        notes
        
        deployed in a single region
        
        scaling
        
        24/7
        
        for instances that remain on all the time
        
        time-based
        
        for instances that can be scheduled for a certain time of day and on certain days of the week
        
        load-based
        
        add instances based on metrics
    - - global svc
      - migration from/to other svc is NOT easy
      - ~SSM
      - manages ELB / EC2
        
        cannot manage ASG
      - no canary deployment!
  - - - inventory
        
        collection of OSs, instance metadata, etc
      - state manager
        
        create states that represent certain configuration being active on instances
        
        discover and audit software
      - parameter store
        
        SecureString - param type to be encrypted by KMS
        
        shared secure store for configs and secrets
        
        features
        
        (optional) encryption with KMS
        
        versioning
        
        implements hierarchical structure of data
        
        ex: /dev/app/team1, /dev/app/team2
        
        2 tiers
        
        std
        
        free
        
        <10k params
        
        advanced
        
        10-100k params
        
        parameter lifecycle policies
        
        integration with cloud formation
        
        retrieve secrets from secrets manager
        
        notes
        
        K rotation
        
        CW event -> custom Lambda + your own storage
      - logging
        
        cloud watch log agent and stream logs directly to cloud watch from instances
      - resource groups
        
        group resources for organization through tagging
      - patch manager
        
        do some update on all instances
        
        steps
        
        define path baseline
        
        define patch group (based on tags)
        
        select maintenance windows
        
        add RunPatchBaseline RunCommand
        
        1 more item...
      - run command
        
        apply shell command to many instances at once
        
        patch baselines
        
        apply critical updates automatically
        
        for Windows
        
        use AWS-DefaultPatchBaseline
        
        decide which patches should / shouldn't be applied
        
        no SSH needed!
      - automation
        
        automate routine tasks and scripts
        
        notes
        
        reset SSH keypair
        
        with the AWSSupport-ResetAccess, create a new SSH key for the problematic instance
      - maintenance windows
        
        define schedules for instances to patch / update apps / etc
      - session manager
        
        (best practice) secure access for a group of people to EC2s
        
        tracked by Cloud Trail
        
        no SSH ports need to be open and no SSH keys are required
        
        free of charge! (unlike bastion hosts)
    - - definition for SSM
      - types
        
        policy
        
        used with state manager
        
        for enforcing policy on targets
        
        e: perform policy action 'collect inventory'
        
        automation
        
        for routine maintenance / deployment tasks
        
        E: updating AMIs
        
        used with automation
        
        command
        
        used with
        
        run command
        
        state manager
        
        apply commands / configs on several instances
    - - resource groups
        
        N machines
    - - SSM agent must be installed in machines
      - EC2s must have IAM to allow SSM actions
  - - - provide a managed Windows / Linux server hosted on EC2
      - UC: force employees to work in a protected VPC on AWS
    - - deploy an application on a virtual desktop and allow anyone with a browser to use
        
        example
        
        serve from an S3 static webhost
        
        premium Blender editor
      - allows to configure compute / memory capacity
    - - virtual contact center
      - features
        
        accept calls
        
        integrate with other CRM
    - - ~Zoom
    - - doc storage
    - - email & calendar
    - - secure access to internal web apps from mobile devices
      - notes
        
        does not store or cache data on user devices as the web content is rendered in AWS and sent to user devices as encrypted Scalable Vector Graphics (SVG)
    - - deploy Alexa in your organization
      - retrieve information, start conference calls and book meeting rooms
    - - a document repository
      - features
        
        provides on-demand downloads of AWS security and compliance documents
    - - AWS Cost and Usage Reports
        
        features
        
        may be exported to S3 (for analysis with Quicksight)
        
        agg billing reports
        
        Cost Explorer can't do this!
      - AWS Budgets
        
        budget planning + forecasting
        
        used to increase awareness of AWS costs
        
        features
        
        set limits & alerts
        
        can be based on cost / usage of EC2s / reserved instance utilization (or coverage)
      - Cost Explorer
        
        visualize, understand, and manage your AWS costs and usage
        
        Cost allocation tags
        
        features
        
        automatically applied to the resource
        
        start with prefix 'aws:'
        
        enable detailed cost reports
        
        notes
        
        show up in 24H
        
        appear ONLY in Billing console
        
        Tag editor
        
        edit and explore tags project-wide
        
        features
        
        12 months forecast
        
        optimal savings plan
        
        custom reports
        
        analyze cross-A costs
  - - - create high-quality video streams for delivery to televisions and internet-connected devices
  - - - interactive voice response with Lex
      - inbound and outbound calling
  - - - connect with customers over channels like email, SMS, push, voice or in-app messaging
  - - - -> CW logs (L)
    - - -> CW L
    - - -> CW
    - - -> S3
    - - -> S3
    - - -> S3
    - - -> S3
  - - - storage with indexing and search capabilities
      - solutions
        
        CW -> Firehose -> OS
        
        near real-time
        
        CW -> Lambda -> OS
        
        real-time
        
        dynamo -> streams -> Lambda -> OS -> API (for querying Dynamo)
    - - real-time dashboards
  - - - create cloud infra in programming languages
        
        it is then compiled into CloudFormation template
      - features
        
        deploy infra & code TOGETHER
        
        CLI-based
  - - - reporting on failures
  - - - remote log-in to devices
      - logs of the issues
      - can be fully automated
- - - - ElasticSearch
        
        when indexing queue is full, a 429 response code is returned
  - - - SE or SE1 editions allow to purchase 11g Oracle version, not 12c
        
        use Enterprise / SE2 for this
  - - - recovery time objective
      - Time to repair a broken service
    - - recovery point objective
      - Max time during which data is being lost when a disaster occurs
    - - disaster recovery
    - - service level agreement
      - a service's goal for performance / availability
  - - - failure mode and effect analysis
      - what could go wrong
        
        what impact of it
        
        its likelyhood
        
        our ability to detect and react
  - - - Create a new policy which will grant permissions to the bucket. Create a group and attach the policy to that group. Add the users to this group.
  - - - use secondary instance to edit the authorized_keys
      - Systems Manager Automation
    - - delete the instance and create a new one
  - - - provides Support API
        
        option to integrate Jira, help desk in AWS
  - - - use Resource Groups to manage semantically identical, yet different dev envs (dev/stage/prod)
        
        Resource Group
        
        all R that are all in the same AWS Region, and that match the criteria specified in the group's query
  - - - authentication
        
        AWS determines which policy to apply to the request
        
        AWS evaluates the policy types and arranges an order of evaluation
        
        AWS then processes the policies against the request context to determine if it is allowed
- - - - E: on-prem (OP) SQL -> EC2
      - Lift-and-shift
    - - E: OP SQL -> RDS (this is called homogeneous migration)
      - lift-and-reshape
    - - drop and shop
      - E: CRM -> salesforce
    - - E: make serverless
    - - remove some apps
      - most costly / most flexible
    - - do nothing
  - - - features
        
        min downtime
        
        low cost
        
        continuous replication on-prem -> AWS
      - migrates almost anything on-prem -> EC2s & EBS
      - vs Elastic Disaster Recovery
        
        used for recovering on-prem on AWS
    - - -> EC2 or RDS
        
        even EC2->Aurora
        
        DMS
        
        create target, source endpoints
        
        create migration task using these endpoints
        
        can compare the source and target data for the DMS task and report any mismatches
      - schema conversion tool
        
        supported NOT for all DBs
        
        E: mysql -> DynamoDB
        
        you may improve schema based on ACCESS PATTERNS
        
        what is often queried? create partitions / sort keys, secondary indices
        
        explore existing DB -> create table in target S -> run DMS
    - - gathers info about OP infra to help plan migration
      - features
        
        results as .csv OR in MigrationHub
      - types
        
        agentless (with connector)
        
        OS-agnostic
        
        CPU / RAM / disk stats
        
        works for VMs, not physical servers
        
        agent-based
        
        extended stats of of the agentless approach
    - - cloud adoption readiness tool
      - features
        
        custom reporting on migration readiness
- - - - highest risk - fastest D
    - - low risk - medium time
      - types
        
        canary
        
        push new version to production in 1 instance, wait for errors to happen, proceed
        
        the SAFEST option
        
        weighted
        
        increase % of traffic to a new version
        
        rolling
        
        E: create new AMI and delete old EC2s in the auto-scaling group
        
        update instance by instance
        
        blue/green
        
        switch to identical infra with new version
        
        cons
        
        if app connect to a DB - restoration of the DB may be painful if new version breaks it
        
        app D relates to to internal operation of a system
        
        all at once
        
        offers the shortest deployment time but it will incur downtime as the instances are upgraded
    - - lowest risk - slowest D
  - - - update master fast and tested automatically
    - - automated release process
    - - code that passes all stages of the release process updates production w/o human intervention
  - - - hosted git repo
    - - deploys app to many EC2s / Lambda / ECS / on-prem, etc
        
        EC2
        
        update in-place (one-by-one)
        
        use hooks to verify deployment after EACH stage
        
        ASG
        
        deployment
        
        in-place
        
        update current EC2s
        
        new EC2s get v2
        
        blue/green
        
        new ASG is created
        
        must come with an ELB
        
        Lambda
        
        alias traffic shifting deployment
        
        pre-, post-traffic hooks to validate
        
        automated rollback using CW alarms
        
        ECS
        
        blue/green deployment
        
        a new task set is created and traffic is rerouted
        
        if v2 works for X mins - old task set is terminated
      - notes
        
        no shutting down! only manual in this case
        
        uses AppSpec file for configs
        
        can redeploy the previous version of the application if smth goes wrong
        
        alternative for deploy and provision - Elastic Beanstalk
      - features
    - - covers ALL CI/CD
        
        commit / build / test / deploy / provision
      - separate pipelines for dev/prod!
    - - compile, test, deploy code
      - notes
        
        may be configured to do safe updates for EC2s under ELB in auto-scaling
        
        allows to detach an instance, check updates, and reattach it to ELB
        
        uses BuildSpec file for configs
    - - visual analysis of a microservice app
      - features
        
        analysis of full client's request processing
        
        X-ray agent to monitor EC2, Lambda, ECS, etc
      - notes
        
        agent is installed in Beanstalk by def!
    - - templates with pipelines
- - - - transient
        
        SQS
        
        SNS
      - ephemeral
        
        Memcached
        
        EC2 Instance Store
      - persistent
        
        RDS
        
        Glacier
  - - - IO ops per second
      - how fast are R/W to a device
    - - how much data can be moved at a time
    - - models
        
        ACID
        
        atomicity
        
        T based in 'all or nothing'
        
        consistency
        
        transactions are valid for all readers
        
        isolation
        
        T run independently
        
        durability
        
        completed transaction must stick
        
        BASE
        
        basic availability
        
        values availability even if stale data
        
        soft-state
        
        might not be instantly C
        
        eventual consistency
        
        C at some point in time
  - - - social networks
- - - - conversational AI
    - - NLP
    - - time-series analysis
    - - recommendation engine
    - - text-to-speech
    - - image & video analysis
    - - text extraction from scans
    - - speech-to-text
- - - - Route 53
  - - - units
        
        S3, Glacier
    - - Cloud Front
  - - - Caching
        
        ElasticCache, DAX, RDS, etc
      - DB
        
        units
        
        RDS, Aurora, Dynamo, etc
      - units
        
        Fargate, Beanstalk, EC2, etc
      - Decoupling
        
        units
        
        SQS, SNS, SF, etc
      - Storage
        
        units
        
        EBS, EFS, Instance store, etc
    - - LB / API gateway / Elastic IP