Cloud Computing

PlAwAnSaI · Apr 26, 2021

Multi Factor Authentication - MFA:

Users have access to account and can possibly change configurations or delete resources in AWS account
Want to protect Root Accounts and IAM users
MFA = password know + security device own
Alice > Password + MFA => Successful login
Main benefit of MFA:
if a password is stolen or hacked, the account is not compromised

MFA devices options in AWS:

Virtual MFA device: Google Authenticator (phone only), Authy (multi-device), Duo
Support for multiple tokens on a single device.
Universal 2nd Factor (U2F) Security Key: YubiKey by Yubico (3rd party)
Support for multiple root and IAM users using a single security key
Hardware Key Fob MFA Device:
Provided by Gemalto (3rd party)
Hardware Key Fob MFA Device for AWS GovCloud (US):
Provided by SurePassID (3rd party)

How can users access AWS?:

To access AWS, have three options:
- AWS Management Console (protected by password + MFA)
- Command Line Interface (CLI): protected by access keys
- Software Developer Kit (SDK) - for code: protected by access keys
Access Keys are generated through the AWS Console
Users manage their own access keys
Access Keys are secret, just like a password. Don't share them
Access Key ID ~= username
Secret Access Key ~= password

Example Access Keys:

Access key ID: AKIAREOC3O54I7ZEOWVC
Secret Access Key: VEcVINNDMqR5VnywD/oXQ7YHRmIt7tDcKpATsq6q
Remember: don't share access keys

IAM Roles for Services:

Some AWS service will need to perform actions on behalf
To do so, will assign permissions to AWS services with IAM Roles
Common roles:
- EC2 Instance Roles
- Lambda Function Roles
- Roles for CloudFormation

IAM Security Tools:

IAM Credentials Report (account-level)
- a report that lists all account's users and the status of their various credentials
IAM Access Advisor (user-level)
- Access advisor shows the service permissions granted to a user and when those services were last accessed.
- Can use this information to revise policies.

IAM Guidelines & Best Practices:

Don't use the root account except for AWS account setup
One physical user = One AWS user
Assign users to groups and assign permissions to groups
Create a strong password policy
Use and enforce the use of Multi Factor Authentication (MFA)
Create and use Roles for giving permissions to AWS services
Use Access Keys for Programmatic Access (CLI / SDK)
Audit permissions of account with the IAM Credentials Report
Never share IAM users & Access Keys

Summary:

Users: Map กับผู้ใช้จริง, มีรหัสผ่านสำหรับ AWS Console
Groups: มีแต่ผู้ใช้เท่านั้น
Policies: JSON document ที่ระบุการอนุญาตสำหรับผู้ใช้หรือกลุ่ม
Roles: สำหรับ Instance EC2 หรือบริการ AWS
Security: MFA + นโยบายรหัสผ่าน
Access Keys: เข้าถึง AWS โดยใช้ CLI หรือ SDK
Audit: รายงาน IAM Credential และ IAM Access Advisor

An IAM entity that defines a set of permissions for making AWS service requests, that will be used by AWS services is a proper definition of IAM Roles.
IAM Credentials Report is an IAM Security Tool. It lists all account's users and the status of their various credentials.
The other IAM Security Tool is an IAM Access Advisor. It shows the service permissions granted to a user and when those services were last accessed.

A company has a mobile game that reads most of its metadata from an Amazon RDS DB instances. As the game increased in popularity, developer noticed slowdowns related to the game's metadata load times. Performance metrics indicate that simply scaling the database will not help. A solution architect must explore all options that include capabilities for snapshots, replication, and sub-millisecond response times. The solution architect should recommend Add an Amazon ElastiCache for Redis layer in front of the database to solve the issues.
A company has implemented one of its micro-services on AWS Lambda that accesses an Amazon DynamoDB table named Books. A solution architect is design an IAM policy to be attached to the Lambda function's IAM role, giving it access to put, update, and delete items in the Books table. The IAM policy must prevent function from performing any other actions on the Books table or any other. IAM policy would fulfill these needs and provide the LEAST privileged access is:
{
"Version": "2013-11-28",
"Statement": [
{
"Sid": "PutUpdateDeleteOnBooks",
"Effect": "Allow",
"Action": [
"dynamodb: PutItem",
"dynamodb: UpdateItem",
"dynamodb: DeleteItem"
],
"Resource": "arn:aws:dynamodb:us-west-2:123456789012:table/Books"
}
]
}
A solution architect is designing the cloud architecture for a company that needs to host hundreds of machine learning models for its users. During startup, the models need to load up to 10 GB of data from Amazon S3 into memory, but they do not need disk access. Most of the models are used sporadically, but the users expect all of them to be highly available and accessible with low latency. Deploy models as Amazon Elastic Container Service (Amazon ECS) services behind an Application Load Balancer for each model solution meets the requirements and is MOST cost-effective.
A company host a popular web application. The web application connects to a database running in a private VPC subnet. The web servers must be accessible only to customers on an SSL connection (Open an HTTPS port on the security group for web server and set the source to 0.0.0.0/0). The Amazon RDS for MySQL database services be accessible only from the web servers (Open the MySQL port on the database security group and attach it to the MySQL instance. Set the source to web server security group). This is a solution which a solution architect should design to meet the requirements without impacting applications.
A company has a website deployed on AWS. The database backend is hosted on Amazon RDS for MySQL with a primary instance and five read replicas to support scaling needs. The read replicas should lag no more than 1 second behind the primary instance to support the user experience. As traffic on the website continues to increase, the replicas are falling further behind during periods of peak load, resulting in complaints from users when searches yield inconsistent results. A solution architect needs to reduce the replication lag as much as possible, with minimal changes to the application code or operational requirements. Migrate the database to Amazon Aurora MySQL. Replace the MySQL read replicas with Aurora Replicas and enable Aurora Auto Scaling solution meets these requirements.

PlAwAnSaI · Apr 28, 2021

IAM Users:
- Can belong to multiple groups
- Don't have to belong to a group
- Can have policies assigned to them
- Access AWS using a username and a password
Don't use the root user account is an IAM best practice.
Only want to use the root account to create first IAM user, and for a few account and service management tasks. For every day and administration tasks, use an IAM user with permissions.
JSON documents to define Users, Groups or Roles' permissions are IAM Policies.
An IAM policy is an entity that, when attached to an identity or resource, defines their permissions.
Grant least privilege principle should apply regarding IAM Permissions.
Don't give more permissions than the user needs.
Enable Multi-Factor Authentication (MFA) should do to increase root account security.
It adds a layer of security, so even if password is stolen, lost or hacked, account is not compromised.

EC2 sizing & configuration options:

Operating System (OS): Linux, Windows or Mac OS
How much:
- compute power & cores (CPU)
- random-access memory (RAM)
- storage space: Network-attached (EBS & EFS) / hardware (EC2 Instance Store)
Network card: speed of the card, Public IP address
Firewall rules: security group
Bootstrap script (configure at first launch): EC2 User Data

EC2 instance types: example

Instance: t2.micro, vCPU: 1, Mem 1 GiB, Storage: EBS-Only, Network Performance: Low to Moderate - is part of the AWS free tier (up to 750 hours per month)
t2.xlarge - 4 vCPU, Mem 16 GiB, Storage: EBS-Only, Network Performance: Moderate
c5d.4xlarge - 16 vCPU 32 GiB, Storage: 1 x 400 NVMe SSD, Network Performance: Up to 10 Gbps, EBS Bandwidth: 4.75 Gbps
r5.16xlarge - 64 vCPU 512 GiB, EBS-Only, Network Performance: 20 Gbps, EBS Bandwidth: 13.6 Gbps
m5.8xlarge - 32 vCPU 128 GiB, EBS-Only, Network 10 Gbps, EBS Bandwidth: 6.8 Gbps
- m: instance class/family
- 5: generation (AWS improves them over time)
- 8xlarge: size within the instance class

A company has two applications: a sender application that sends messages with payloads to be processed and a processing application intended to receive messages with payloads. The company wants to implement an AWS service to handle messages between the two applications. The sender application can send about 1,000 messages each hour. The messages may take up to 2 days to be processed. If the messages fail to process, they must be retained so that they do not impact the processing of any remaining messages. Integrate the sender and processor applications with an Amazon Simple Queue Service (Amazon SQS) queue. Configure a dead-letter queue to collect the messages that failed to process solution meets these requirements and is the MOST operationally efficient.
A solution architect must create a highly available bastion host architecture. The solution needs to be resilient within a single AWS Region and should require only minimal effort to maintain. The solutions architect should Create a Network Load Balancer backed by an Auto Scaling with instances in multiple Availability zones as the target to meet these requirements.
A company hosts its multi-tier applications on AWS. For compliance, governance, auditing, and security, the company must track configuration changes on its AWS resources and record a history of API calls made to these resources. A solution architect should Use AWS Config to track configuration changes and AWS CloudTrail to record API calls.
A solution architect is moving the static content from a public website hosted on Amazon EC2 instances to an Amazon S3 bucket. An Amazon CloudFront distribution will be used to deliver the static assets. The security group used by the EC2 instances restricts access to a limited set of IP ranges. Access to the static content should be similarly restricted. Combination of steps will meet these requirements are:
Create an origin access identity (OAI) and associate it with the distribution. Change the permissions in the bucket policy so that only the OAI can read the objects.
Create an AWS WAF web ACL that includes the same IP restrictions that exist in the EC2 security group. Associate this new web AC with the CloudFront distribution.
An application running on AWS uses an Amazon Aurora Multi-AZ deployment for its database. When evaluating performance metrics, a solution architect discovered that the database reads are causing high I/O and adding latency to the write requests against the database. The solution architect should Create read replica and modify the application to use the appropriate endpoint to separate the read requests from the write requests.
Aurora Replicas are independent endpoints in an Aurora DB cluster, best used for scaling read operations and increasing availability. Up to 15 Aurora Replicas can be distributed across the Availability Zones that a DB cluster spans within an AWS Region.
The DB cluster volume is made up of multiple copies of the data for the DB cluster. However, the data in the cluster volume is represented as a single, logical volume to the primary instance and to Aurora Replicas in the DB cluster.

Aurora Fault Tolerance:
- Fault tolerance across 3 AZs
- Single logical volume
- Aurora Replicas scale-out read requests
- Up to 15 Aurora Replicas with sub-10ms replica lag
- Aurora Replicas are independent endpoints
- Can promote Aurora Replica to be a new primary or create new primary
- Set priority (tiers) on Aurora Replicas to control order of promotion
- Can use Auto Scaling to add replicas
As well as providing scaling for reads, Aurora Replicas are also targets for multi-AZ. In this case the solution architect can update the application to read from the Multi-AZ standby instance.
A company has multiple AWS accounts with applications deployed in the us-west-2 Region. Application logs are stored within Amazon S3 buckets in each account. The company wants to build a centralized log analyst solution that uses a single S3 bucket. Logs must not leave us-west-2 and the company wants to incur minimal operational overhead. Create an S3 Lifecycle policy that copies the objects from one of the application S3 buckets to the centralized S3 bucket is MOST cost-effective.
A company is preparing to store confidential data in Amazon S3. For compliance reasons, the data must be encrypted at rest. Encryption key usage must be logged for auditing purposes. Key must be rotated every year. Server-side encryption with AWS KMS (SSE-KMS) customer master keys (CMKs) with automatic rotation is the MOST operationally efficient.
An application launched on Amazon EC2 instances needs to publish Personally Identifiable Information (PII) about customers using Amazon Simple Notification Service (Amazon SNS). The application is launched in private subnets within an Amazon VPC. Use AWS PrivateLink is the MOST secure way to allow the application to access service endpoints in the same AWS Region.

PlAwAnSaI · May 3, 2021

EC2 instance types/families:

General Purpose:
- Great for a diversity of workloads such as web servers or code repositories
- Balance between Compute, Memory, and Networking
- Mac, T4g, T3, T3a, T2, M6g, M5, M5a, M5n, M5zn, M4, and A1
Compute Optimized:
- Great for compute-intensive tasks that require high performance processors:
  - Batch processing workloads
  - Media trans-coding
  - High Performance web servers / Computing (HPC)
  - Scientific modeling & machine learning
  - Dedicated gaming servers
- C6g, C6gn, C5, C5a, C5n, and C4
Memory optimized:
- Fast performance for workloads that process large data sets in memory
- Use cases:
  - High performance, relational/non-relational databases
  - Distributed web scale cache stores
  - In-memory databases optimized for BI (Business Intelligence)
  - Applications performing real-time processing of big unstructured data
- R6g, R5, R5a, R5b, R5n, R4, X1e, X1, High Memory, and z1d
Storage Optimized:
- Great for storage-intensive tasks that require high, sequential read and write access to large data sets on local storage
- Use cases:
  - High frequency OnLine Transaction Processing (OLTP) systems
  - Relational & NoSQL databases
  - Cache for in-memory databases (for example, Redis)
  - Data warehousing applications
  - Distributed file systems
- I3, I3en, D2, D3, D3en, and H1
Accelerated computing

Classic Ports to know:

21 = FTP (File Transport Protocol) - upload files into a file share
22 = SSH (Secure Shell) - log into a Linux instance
And SFTP (Secure File Transport Protocol) - upload files using SSH
80 = HTTP - access unsecured websites
443 = HTTPS - access secured websites
1433 = Microsoft SQL
3389 = RDP (Remote Desktop Protocol) - log into a Windows instance

A company receives structured and semi-structured data from various sources once every day. A solution architect needs to design a solution that leverages big data processing frameworks. The data should be accessible using SQL queries and business intelligence tools. The solution architect should recommend Use Amazon EMR to process data and Amazon Redshift to store data to build the MOST high-performing solution.
The company must optimize its S3 storage costs while maintaining high availability and resiliency of stored assets. An image hosting company uploads its large assets to Amazon S3 Standard buckets. The company uses multipart upload in parallel by using S3 APIs and overwrites if the same object is uploaded again (Configure an S3 Lifecycle policy to clean up expired object delete markers). For the first 30 days after upload the objects will be accessed frequently. The objects will be used less frequently after 30 days but the access patterns for each object will be inconsistent (Move assets to S3 Standard-Infrequent Access (S3 Standard-IA) after 30 days).
A company's legacy application is currently relying on a single-instance Amazon RDS MySQL database without encryption. Due to new compliance requirements, all existing and new data in this database must be encrypted. Take a snapshot of the RDS instance. Create an encrypted copy of the snapshot. And restore the RDS instance from the encrypted snapshot should this be accomplished.
A company designed a stateless two-tier that uses Amazon EC2 in a single Availability Zone and an Amazon RDS multi-AZ DB instance. New company management wants to ensure the application is highly available. A solution architect should Configure Amazon Route 53 rules to handle incoming requests and create a multi-AZ Application Load Balancer.
A company's dynamic website is hosted using on-premises servers in the United States. The company is launching its product in Europe and it wants to optimize site loading times for new European users. The site's backend must remain in the United States. The product is being launched in a few days, and an immediate solution is needed. The solution architect recommend Use Amazon CloudFront with a custom origin pointing to the on-premises servers.
A global company plans to track and store information about local allergens in an Amazon DynamoDB table and query this data from its website. The company anticipates that website traffic will fluctuate. The company estimates that the combined read and write capacity units will range from 10 to 10,000 per second, depending on the severity of the conditions for the given day. A solution architect must design a solution that avoids throttling issues and manages capacity efficiently. The solutions architect should Use provisioned capacity mode and a scaling policy in DynamoDB auto scaling to meet MOST cost-effectively.
A company operates an ecommerce website on Amazon EC2 instances behind an Application Load Balancer (ALB) in an Auto Scaling group. The site is experiencing performance issues related to a high request rate from illegitimate external systems with changing IP addresses. The security team is worried about potential DDoS attacks against the website. The company must block the illegitimate incoming requests in a way that has a minimal impact on legitimate users. A solution architect should recommend Deploy AWS WAF, associate it with the ALB, and configure a rate-limiting rule.
Rate limit:
For a rate-based rule, enter the maximum number of requests to allow in any five-minute period from an IP address that matches the rule's conditions. The rate limit must be at least 100.
Can specify a rate limit alone, or a rate limit and conditions. If specify only a rate limit, AWS WAF places the limit on all IP addresses. If specify a rate limit and conditions, AWS WAF places the limit on IP addresses that match the conditions.
When an IP address reaches the rate limit threshold, AWS WAF applies the assigned action (block or count) as quickly as possible, usually within 30 seconds. Once the action is in place, if five minutes pass with no requests from the IP address, AWS WAF resets the counter to zero.
A company is deploying an application that processes large quantities of data in parallel. The company plans to use Amazon EC2 instances for the workload. The network architecture must be configurable to provide the lowest possible latency between nodes. By Place the EC2 instances in a single Availability Zone and Run the EC2 instances in a cluster placement group.
A company is migrating a Linux-based web server group to AWS. The web servers must access files in a shared file store for some content to meet the migration date, minimal changes can be made. A solution architect should Create an Amazon Elastic File System (Amazon EFS) volume and mount it on all web servers.
A mobile gaming company runs application servers on Amazon EC2 instances. The servers receive updates from players every 15 minutes. The mobile game creates a JSON object of the progress made in the game since the last update, and sends the JSON object an Application Load Balancer. As the mobile game is played, game updates are being lost. The company wants to create a durable way to get the updates in order. A solution architect should recommend Use Amazon simple Queue service (Amazon SQS) FIFO queue to capture the data and EC2 instances to process the messages in the queue to decouple the system.

PlAwAnSaI · May 4, 2021

EC2 Nitro:

Underlying Platform for the next generation of EC2 instances
New virtualization technology
Allows for better performance:
- Better networking options (enhanced networking, HPC, IPv6)
- Higher Speed EBS (Nitro is necessary for 64,000 EBS IOPS - max 32,000 on non-Nitro)
Better underlying security
Instance types example:
- Virtualized: A1, C5, C5a, C5ad, C5d, C5n, C6g, C6gd, C6gn, D3, D3en, G4, I3en, Inf1, M5, M5a, M5ad, M5d, M5dn, M5n, ....
- Bare metal: a1.metal, c5.metal, c5d.metal, c5n.metal, c6g.metal, c6gd.metal...

Understanding vCPU:

Multiple threads can run on one CPU (multithreading)
Each thread is represented as a virtual CPU (vCPU)
Example: m5.xlarge: 4 CPU, 2 threads per CPU => 8 vCPU in total

Optimizing CPU options:

EC2 instances come with a combination of RAM and vCPU
But in some cases, may want to change the vCPU options:
- # of CPU cores: can decrease it (helpful if need high RAM and low number of CPU) - to decrease licensing costs
- # of threads per core: disable multithreading to have 1 thread per CPU - helpful for high performance computing (HPC) workloads
Only specified during instance launch

Capacity Reservations:

Ensure have EC2 Capacity when needed
Manual or planned end-date for the reservation
No need for 1 or 3-year commitment
Capacity access is immediate, get billed as soon as it starts
Specify:
- The Availability Zone in which to reserve the capacity (only one)
- The number of instances for which to reserve capacity
- The instance attributes, including the instance type, tenancy, and platform/OS
Combine with Reserved Instances and Savings Plans to do cost saving

Scalability & High Availability:

Scalability means that an application / system can handle greater loads by adapting.
There are two kinds of scalability:
- Vertical Scalability
- Horizontal Scalability (= elasticity)
Scalability is linked but different to High Availability
Let's deep dive into the distinction, using a call center as an example

Vertical Scalability:

Means increasing the size of the instance
For example, application runs on a t2.micro
Scaling that application vertically means running it on a t2.large
Is very common for non distributed systems, such as a database.
RDS, ElastiCache are services that can scale vertically.
There's usually a limit to how much can vertically scale (hardware limit)

Horizontal Scalability:

Means increasing the number of instances / systems for application
Horizontal scaling implies distributed systems.
This is very common for web applications / modern applications

A prediction process requires access to a trained model that is stored in an Amazon S3 bucket. The process takes a few seconds to process an image and make a prediction. The process is not overly resource-intensive does not require any specialized hardware, and takes less than 512 MB of memory to run. Amazon Lambda functions is the MOST effective compute solution for this use case.
A solution architect is designing a new workload in which an AWS Lambda function will access an Amazon DynamoDB table. Create an IAM role with the necessary permissions to access the DynamoDB table. Assign the role to the Lambda function is the MOST secure means of granting the Lambda function access to the DynamoDB.
A company is running a multi-tier web application on AWS. The application runs its database tier on Amazon Aurora MySQL. The application and database tiers are in the us-east-1 Region. A database administrator who regularly monitors the Aurora DB cluster finds that an intermittent increase in read traffic is creating high CPU utilization on the read replica and causing increased read latency of the application. A solution architect should Configure Aurora Auto Scaling for the read replica to improve read scalability.
A company hosts a static website on-premises and wants to migrate the website to AWS. The website should load as quickly as possible for users around the world. The company also wants the most cost-effective solution/option. A solution architect should Copy the website content to an Amazon S3 bucket (Cheaper than EC2). Configure the bucket to serve/host static webpage content. To enable good performance for global users should Configure Amazon CloudFront with the S3 bucket as the origin. This will cache the static content around the world closer to users.
A company wants to host a web application on AWS that will communicate to a database within a VPC. The application should be highly available. A solution architect should recommend Deploy a load balancer in multiple Availability Zones with an Auto Scaling group for the web servers, and then deploy Amazon RDS in multiple Availability Zones.
A recent analysis of a company's IT expenses highlights the need to reduce backup costs. The company's chief information officer wants to simplify the on-premises backup infrastructure and reduce costs by eliminating the use of physical backup tapes. The company must preserve the existing investment in the on-premises backup applications and workflows. A solution architect should recommend Set up AWS Storage Gateway to connect with the backup applications using the iSCSI-virtual tape library (VTL) interface.
Tape Gateway:
- Some companies have backup processes using physical tapes (!)
- With Tape Gateway, companies use the same processes but in the cloud
- Virtual Tape Library (VTL) backed by Amazon S3 and Glacier
- Back up data using existing tape-based processes (and iSCSI interface)
- Works with leading backup software vendors.
A company is preparing to deploy a data lake on AWS. A solution architect must define the encryption strategy for data at rest in Amazon S3. The company's security policy states:
- Keys must be rotated every 90 days.
- Strict separation of duties between key users and key administrators must be implemented.
- Auditing key usage must be possible.
The solutions architect should recommend Server-side encryption with AWS KMS managed keys (SSE-KMS) with customer managed customer master keys (CMKs).
A recently acquired company is required to build its own infrastructure on AWS and migrate multiple applications to the cloud within a month. Each application has approximately 50 TB of data to be transferred. After the migration is complete this company and its parent company will do the require secure network connectivity with consistent throughput from their data centers to the applications. A solutions architect must ensure one-time data migration and ongoing network connectivity. AWS Snowball for the initial transfer and AWS Direct Connect for ongoing connectivity solution will meet these requirements.
A user has underutilized on-premises resources. Elasticity AWS Cloud concept can BEST address this issue.

PlAwAnSaI · May 9, 2021

EBS Snapshots:

Make a backup (snapshot) of EBS volume at a point in time
Not necessary to detach volume to do snapshot, but recommended
Can copy snapshots across AZ or Region

AMI Overview:

AMI = Amazon Machine Image
AMI are a customization of an EC2 instance
- Add own software, configuration, operating system, monitoring...
- Faster boot / configuration time because all software is pre-packaged
AMI are built for a specific region (and can be copied across regions)
Can launch EC2 instances from:
- A Public AMI: AWS provided
- Own AMI: make and maintain them yourself
- An AWS Marketplace AMI: an AMI someone else made (and potentially sells)

AMI Process (from an EC2 instance):

Start an EC2 instance and customize it
Stop the instance (for data integrity)
Build an AMI - this will also create EBS snapshots
Launch instances from other AMIs

EC2 Instance Store:

EBS volumes are network drives with good but 'limited' performance
If need a high-performance hardware disk, use EC2 Instance Store
Better I/O performance
EC2 Instance Store lose their storage if they're stopped (ephemeral)
Good for buffer / cache / scratch data / temporary content
Risk of data loss if hardware fails
Backups and Replication are your responsibility

Local EC2 Instance Store:https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/storage-optimized-instances.html#i2-instances-diskperf

EBS Volume Types Use cases:
General Purpose SSD:

Cost effective storage, low-latency
System boot volumes, Virtual desktops, Development and test environments
1 GiB - 16 TiB
gp3:
- Baseline of 3,000 IOPS and throughput of 125 MiB/s
- Can increase IOPS up to 16,000 and throughput up to 1,000 MiB/s independently
gp2:
- Small gp2 volumes can burst IOPS to 3,000
- Size of the volume and IOPS are linked, max IOPS is 16,000
- 3 IOPS per GB, means at 5,334 GB we are at the max IOPS

Provisioned IOPS (PIOPS) SSD:

Critical business applications with sustained IOPS performance
Or applications that need more than 16,000 IOPS
Great for databases workloads (sensitive to storage perf and consistency)
io1/io2 (4 GiB - 16 TiB):
- Max PIOPS: 64,000 for Nitro EC2 instances & 32,000 for other
- Can increase PIOPS independently from storage size
- io2 have more durability and more IOPS per GiB (at the same price as io1)
io2 Block Express (4 GiB - 64 TiB):
- Sub-millisecond latency
- Max PIOPS: 256,000 with an IOPS:GiB ratio of 1,000:1
Supports EBS Multi-attach

Hard Disk Drives (HDD):

Cannot be a boot volume
125 MiB to 16 TiB
Throughput Optimized HDD (st1)
- Big Data, Data Warehouses, Log Processing
- Max throughput 500 MiB/s - max IOPS 500
Cold HDD (sc1):
- For data that is infrequently accessed
- Scenarios where lowest cost is important
- Max throughput 250 MiB/s - max IOPS 250
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-volume-types.html

EBS Multi-Attach - io1/io2 family:

Attach the same EBS volume to multiple EC2 instances in the same AZ
Each instance has full read & write permissions to the volume
Use case:
- Achieve higher application availability in clustered Linux applications (ex: Tera-data)
- Applications must manage concurrent write operations
Must use a file system that's cluster-aware (not XFS, EX4, etc...)

A web application runs on Amazon EC2 instances behind an Application Load Balancer. The application allows users to create custom reports of historical weather data. Generating a report can take up to 5 minutes. These long-running requests use many of the available incoming connections, making the system unresponsive to other users. A solution architect can make the system more responsive by Use Amazon SQS with AWS Lambda to generate reports.
A solution architect should Update the bucket policy to deny if the PutObject does not have an x-amz-server-side-encryption header set to ensure that all objects uploaded to an Amazon S3 bucket are encrypted.
An ecommerce website is deploying its web application as Amazon Elastic Container Service (Amazon ECS) container instances behind an Application Load Balancer (ALB). During periods of high activity, the website slows down and availability is reduced. A solution architect uses Amazon CloudWatch alarms to receive notifications whenever there is an availability issue so they can scale out resources. Company management wants a solution that automatically responds to such events. Should Set up AWS Auto Scaling to scale out the ECS service when there are timeouts on the ALB. Set up AWS Auto Scaling to scale out the ECS cluster when the CPU or memory reservation is too high.
A company runs a web service on Amazon EC2 instances behind an Application Load Balancer. The instances run in an Amazon EC2 Auto Scaling group across two Availability Zones. The company needs a minimum of four instances at all times to meet the required service level agreement (SLA) while keeping costs low. If an Availability Zone fails, the company can remain compliant with the SLA by Change the Auto Scaling group to use eight servers across two Availability Zones.
A manufacturing company wants to implement predictive maintenance on its machinery equipment. The company will install thousands of IoT sensors that will send data to AWS in real time. A solution architect is tasked with implementing a solution that will receive events in an ordered manner for each machinery asset and ensure that data is saved for further processing at a later time. Use Amazon Kinesis Data Streams for real-time events with a partition for each equipment asset. Use Amazon Kinesis Data Firehose to save data to Amazon S3 solution would be MOST efficient.
Amazon SQS Introduces FIFO Queues with Exactly-Once Processing and Lower Prices for Standard Queues. Can now use Amazon Simple Queue Service (SQS) for applications that require messages to be processed in a strict sequence and exactly once using First-in, First-out (FIFO) queues. FIFO queues are designed to ensure that the order in which messages are sent and received is strictly preserved and that each message is processed exactly once.
Amazon SQS is a reliable and highly-scalable managed message queue service for storing messages in transit between application components. FIFO queues complement the existing Amazon SQS standard queues, which offer high throughput, best-effort ordering, and at-least-once delivery. FIFO queues have essentially the same feature as standard queues, but provide the added benefits of supporting ordering and exactly-once processing. FIFO queues provide additional features that help prevent unintentional duplicates from being sent by message producers or from being received by message consumers. Additionally, message groups allow multiple separate ordered message streams within the same queue.

PlAwAnSaI · May 14, 2021

EBS Encryption:

When create an encrypted EBS volume, get the following:
- Data at rest is encrypted inside the volume
- All the data in flight moving between the instance and the volume is encrypted
- All snapshots are encrypted
- All volumes created from the snapshot
Encryption and decryption are handled transparently (have nothing to do)
Encryption has a minimal impact on latency
EBS Encryption leverages keys from KMS (AES-256)
Copying an unencrypted snapshot allows encryption
Snapshots of encrypted volumes are encrypted

Encryption: encrypt an unencrypted EBS volume:

Create an EBS snapshot of the volume
Encrypt the EBS snapshot (using copy)
Create new EBS volume from the snapshot (the volume will also be encrypted)
Now can attach the encrypted volume to the original instance

EBS RAID Options:

EBS is already redundant storage (replicated within an AZ)
But what if want to increase IOPS to say 100,000 IOPS?
What if want to mirror EBS volumes?
Would mount volumes in parallel in RAID settings!
RAID is possible as long as OS supports it
Some RAID options are: 0, 1, 5 & 6 (not recommended for EBS)

RAID 0 (increase performance):

Combining 2 or more volumes and getting the total disk space and I/O
But one disk fails, all the data is failed
Use cases would be:
- An application that needs a lot of IOPS and doesn't need fault-tolerance
- A database that has replication already built-in
Using this, can have a very big disk with a lot of IOPS
For example:
- two 500 GiB Amazon EBS io1 volumes with 4,000 provisioned IOPS each will create a...
- 1,000 GiB RAID 0 array with an available bandwidth of 8,000 IOPS and 1,000 MB/s of throughput

RAID 1 (increase fault tolerance):

Mirroring a volume to another
If one disk fails, logical volume is still working
Have to send the data to two EBS volume at the same time (2 x network)
Use case:
- Application that need increase volume fault tolerance
- Application where need to service disks
For example:
- two 500 GiB Amazon EBS io1 volumes with 4,000 provisioned IOPS each will create a...
- 500 GiB RAID 1 array with an available bandwidth of 4,000 IOPS and 500 MB/s of throughput

EFS - Elastic File System:

Managed NFS (network file system) that can be mounted on many EC2
Works with EC2 instances in multi-AZ
Highly available, scalable, expensive (3 x gp2), pay per use
Use case: content management, web serving, data sharing, WordPress
Uses NFSv4.1 protocol
Uses security group to control access to EFS
Compatible with Linux based AMI (not Windows)
Encryption at rest using KMS
POSIX file system (~Linux) that has a standard file API
File system scales automatically, pay-per-use, no capacity planning!

Performance & Storage Classes:

EFS Scale:
- 1,000s of concurrent NFS clients, 10 GB+/s throughput
- Grow to Petabyte-scale network file system, automatically
Performance mode (set at EFS creation time):
- General purpose (default): latency-sensitive use cases (web server, CMS, etc...)
- Max I/O - higher latency, throughput, highly parallel (big data, media processing)
Throughput mode:
- Bursting (1 TB = 50MiB/s + burst of up to 100MiB/s)
- Provisioned: set throughput regardless of storage size, ex: 1 GiB/s for 1 TB storage
Storage Tiers (lifecycle management feature - move file after N days):
- Standard: for frequently accessed files
- Infrequent access (EFS-IA): cost to retrieve files, lower price to store

Installing the Amazon EFS client on Amazon Linux 2:

sudo yum install -y amazon-efs-utils
mkdir efs
ls
sudo mount -t efs -o tls fs-2571d165

efs
The EFS folder will be shared folder for both EC2 instances

EBS vs EFS:
Elastic Block Storage:

EBS volumes...:
- can be attached to only one instance at a time
- are locked at the Availability Zone (AZ) level
- gp2: IO increases if the disk size increases
- io1: can increase IO independently
To migrate an EBS volume across AZ:
- Take a snapshot
- Restore the snapshot to another AZ
- EBS backups use IO and shouldn't run them while application is handling a lot of traffic
Root EBS Volumes of instances get terminated by default if the EC2 instance gets terminated. (can disable that)

A company sells datasets to customers who do research in artificial intelligence and machine learning (AIML). The datasets are large formatted files met are stored in an Amazon S3 bucket in the us-east-1 Region. The company hosts a web application that the customers use to purchase access to a given dataset. The web application is deployed on mutate Amazon EC2 instances behind an Application Load Balancer. After a purchase is made customers receive an S3 signed URL that allows access to the files.
The customers are distributed across North America and Europe. The company wants to reduce the cost that is associated with data transfers and wants to maintain or improve performance. A solution architect should Configure S3 Transfer Accelerator on the existing S3 bucket Direct customer requests to the S3 Transfer Acceleration endpoint Continue to use S3 signed URLs for access control.
A company is running a multi-tier ecommerce web application in the AWS Cloud. The application runs on Amazon EC2 Instances with an Amazon RDS MySQL Multi-AZ DB instance. Amazon RDS is configured with the latest generation instance with 2,000 GB of storage in an Amazon EBS General Purpose SSD (gp2) volume. The database performance impacts the application during periods of high demand.
After analyzing the logs in Amazon CloudWatch Logs, a database administrator finds that the application performance always degrades when the number of read and write IOPS is higher than 6,000. A solution architect should Replace the volume with a Provisioned IOPS (PIOPS) volume to improve the application performance.
A solution architect needs to design a low-latency solution for a static single-page application accessed by users utilizing a custom domain name. The solution must be serverless, encrypted in transit, and cost-effective. Amazon S3 and CloudFront combination of AWS services and features should the solution architect use.
A company purchased Amazon EC2 Partial Upfront Reserved Instances for a 1-year term. A solutions architect wants to analyze how much the daily effective cost is with all possible discounts. Show amortized costs view must the solutions architect choose in the advanced options of Cost Explorer to get the correct values.

PlAwAnSaI · May 16, 2021

Elastic File System:

Mounting 100s of instances across AZ
EFS share website files (WordPress)
Only for Linux Instances (POSIX)
EFS has a higher price point than EBS
Can leverage EFS-IA for cost savings

Instance in us-east-1a just got terminated, and the attached EBS volume is now available. Colleague can't seem to attach it to instance in us-east-1b. Because EBS volumes are AZ locked.
EBS Volumes are created for a specific AZ. It is possible to migrate them between different AZ through backup and restore.
Have provisioned an 8TB gp2 EBS volume and running out of IOPS. Mount EBS volumes in RAID 0 or Change to an io1 volume type are ways to increase performance.
EBS IOPS peaks at 16,000 IOPS or equivalent 5,334 GB.
RAID 0 leverage EBS volumes in parallel to linearly increase performance, while accepting greater failure risks.
Although EBS is already a replicated solution, company SysOps advised to use a RAID 1 mode that will mirror data and will allow instance to not be affected if an EBS volume entirely fails.
Mount an EFS have the same data being accessible as an NFS drive cross AZ on all EC2 instances.
EFS is a network file system (NFS) and allows to mount the same file system on EC2 instances that are in different AZ.
Instance Store have a high-performance cache for application that mustn't be shared. Don't mind losing the cache upon termination of instance.
Instance Store provide the best disk performance.
Use an EC2 Instance Store can run a high-performance database that requires an IOPS of 210,000 for its underlying filesystem.
It is possible to run a database on EC2. It is also possible to use instance store, but there are some considerations to have. The data will be lost if the instance is stopped, but it can be restarted without problems. One can also set up a replication mechanism on another EC2 instance with instance store to have a standby copy. One can also have back-up mechanisms. It's all up to how want to set up architecture to validate requirements.

AWS RDS Overview:

RDS stands for Relational Database Service
It's a managed DB service for DB use SQL as a query language.
It allows to create databases in the cloud that are managed by AWS
- PostgreSQL
- MySQL
- MariaDB
- Oracle
- Microsoft SQL Server
- Aurora (AWS Proprietary database)

Advantage over using RDS versus deploying DB on EC2:

RDS is a managed service:
- Automated provisioning, OS patching
- Continuous backups and restore to specific timestamp (Point in Time Restore)!
- Monitoring dashboards
- Read replicas for improved read performance
- Multi AZ setup for DR (Disaster Recovery)
- Maintenance windows for upgrades
- Scaling capability (vertical and horizontal)
- Storage backed by EBS (gp2 or io1)
BUT can't SSH into instances

A company receives data (different sources and implements multiple applications to consume this data. There are many short-running jobs that run only on the weekend. The data arrives in batches rather then throughout the entire weekend. The company needs an environment on AWS to ingest and process this data while maintaining the order of the transactions. Amazon Simple Queue Service (Amazon SQS) with AWS Lambda is the MOST cost-effective manner.
A company serves content to its subscribers across the world using an application running on AWS. The application has several Amazon EC2 instances in a private subnet behind an Application Load Balancer (ALB). Due to a recent change in copyright restrictions the chief information officer (CIO) wants to block access for certain countries. Use Amazon CloudFront to serve the application and deny access to blocked countries.
'block access for certain countries.' can use geo restriction, also known as geo blocking, to prevent users in specific geographic locations from accessing content that are distributing through a CloudFront web distribution.
A company has three VPCs named Development, Testing, and Production in the us-east-1 Region. The three VPCs need to be connected to an on-premises data center and are designed to be separate to maintain security and prevent any resource sharing. A solution architect needs to find a scalable and secure solution. The solution architect should recommend Create VPC peers from all the VPCs to the Production VPC. Use an AWS Direct Connect connection from the Production VPC back to the data center.
A company runs an internal browser-based application. The application runs on Amazon EC2 instances behind an Application Load Balancer. The instances run in an Amazon EC2 Auto Scaling group across multiple Availability Zones. The Auto Scaling group scales up to 20 instances during work hours, but scales down to 2 instances overnight. Staff are complaining that the application is very slow when the day begins, although it runs well by mid-morning. The scaling should be changed by Implement a scheduled action that sets the desired capacity to 20 shortly before the office opens to address the staff complaints and keep costs to a minimum.
A company is rolling out a new web service, but is unsure how many customers the service will attract. However, the company is unwilling to accept any downtime. A solution architect could recommend Amazon RDS to the company to keep.
A solution architect needs to design a centralized logging solution for a group of web applications running on Amazon EC2 instances. The solution requires minimal development effort due to budget containts. The architect should recommend Install and configure Amazon CloudWatch Logs agent in the Amazon EC2 instances.
A company has an application workflow that uses an AWS Lambda function to download and decrypt files from Amazon S3. These files are encrypted using AWS Key Management Service Customer Master Keys (AWS KMS CMKs). A solution architect needs to design a solution that will ensure the required permissions are set correctly. By Grant the decrypt permission for the Lambda IAM role in the KMS key's policy and Create a new IAM role with the kms decrypt permission and attach the execution role to the Lambda function.
A company has developed a micro-services application. It uses a client-facing API with Amazon API Gateway and multiple internal services hosted on Amazon EC2 instances to process user requests. The API is designed to support unpredictable surges in traffic, but internal services may become overwhelmed and unresponsive for a period of time during surges. A solution architect needs to design a more reliable solution that reduces errors when internal services become unresponsive or unavailable. Should Use Amazon Simple Queue Service (Amazon SQS) to store user requests as they arrive. Change the internal services to retrieve the requests from the queue for processing.
A company stores user data in AWS. The data is used continuously with peak usage during business hours. Access patterns vary, with some data not being used for months at a time. A solution architect must choose a cost-effective solution that maintains the highest level of durability while maintaining high availability. Should use Amazon S3 intelligent-Tiering storage solution.

PlAwAnSaI · May 17, 2021

RDS Backups:

Backups are automatically enabled in RDS
Automated backups:
- Daily full backup of the database (during the maintenance window)
- Transaction logs are backed-up by RDS every 5 minutes
- => ability to restore to any point in time (from oldest backup to 5 minutes ago)
- 7 days retention (can be increase to 35 days)
DB Snapshots:
- Manually triggered by the user
- Retention of backup for as long as want

Storage Auto Scaling:

Helps increase storage on RDS DB instance dynamically
When RDS detects running out of free database storage, it scales automatically
Avoid manually scaling database storage
Have to set Maximum Storage Threshold (maximum limit for DB storage)
Automatically modify storage if:
- Free storage is less then 10% of allocated storage
- Low-storage lasts at least 5 minutes
- 6 hours have passed since last modification
Useful for applications with unpredictable workloads
Supports all RDS database engines (MariaDB, MySQL, PostgreSQL, SQL Server, Oracle)

Read Replicas for read scalability:

Up to 5 Read Replicas
Within AZ, Cross AZ or Cross Region
Replication is ASYNC, so reads are eventually consistent
Replicas can be promoted to their own DB
Applications must update the connection string to leverage read replicas

Read Replicas:
Use Cases:

Have a production database that is taking on normal load
Want to run a reporting application to run some analytics
Create a Read Replica to run the new workload there
The production application is unaffected
Read replicas are used for SELECT (=read) only kind of statements (not INSERT, UPDATE, DELETE)

Network Cost:

In AWS there's a network cost when data goes from one AZ to another
For RDS Read Replicas within the same region, don't pay that fee

Multi AZ (Disaster Recovery):

SYNC replication
One DNS name - automatic app failover to standby
Increase availability
Failover in case of loss of AZ, network, instance or storage failure
No manual intervention in apps
Not used for scaling
The Read Replicas be setup as Multi AZ for Disaster Recovery (DR)

From Single to Multi-AZ:

Zero downtime operation (no need to stop the DB)
Just click on 'modify' for the database
The following happens internally:
- A snapshot is taken
- A new DB is restored from the snapshot in a new AZ
- Synchronization is established between the two databases

https://github.com/sqlectron/sqlectron-gui/releases/tag/v1.30.0

Security - Encryption:

At rest encryption:
- Possibility to encrypt the master & read replicas with AWS KMS - AES-256 encryption
- Encryption has to be defined at launch time
- If the master is not encrypted, the real replicas cannot be encrypted
- Transparent Data Encryption (TDE) available for Oracle and SQL Server
In-flight encryption:
- SSL certificates to encrypt data to RDS in flight
- Provide SSL options with trust certificate when connecting to database
- To enforce SSL:
  - PostgreSQL: rds.force_ssl=1 in the AWS RDS Console (Parameter Groups)
  - MySQL: Within the DB:
    GRANT USAGE ON *.* TO 'mysqluser'@'%' REQUIRE SSL;

A company's near-real-time streaming application is running on AWS. As the data is ingested a job runs on the data and takes 30 minutes to complete. The workload frequently experiences high latency due to large amounts of incoming data. A solution architect needs to design a scalable and serverless solution to enhance performance. The solution architect should Use Amazon Kinesis Data Firehose to ingest and Amazon EC2 instances in an Auto Scaling group to process the data.
A company that operates a web application on premises is preparing to launch a newer version of the application on AWS. The company needs to route requests to either the AWS-hosted or the on-premises-hosted application based on the URL query string. The on-premises application is not available from the internet, and a VPN connection is established between Amazon VPC and the company's data center. The company wants to use an Application Load Balancer (ALB) for this launch. Should Use two ALBs: one for on premises and one for the AWS resource. Add hosts to the target group of each ALB. Create a software router on an EC2 instance based on the URL query string.
A start-up company has a web application based in the us-east-1 Region with multiple Amazon EC2 instances running behind an Application Load Balancer across multiple Availability Zones. As the company's user base grows in the us-west-1 Region, it needs the solution with low latency and high availability. A solution architect should Provision EC2 instances and configure an Application Load Balancer in us-west-1. Create an accelerator in AWS Global Accelerator that uses an endpoint group that includes the load balancer endpoints in both Regions.
A company hosts its application in the AWS Cloud. The application runs on Amazon EC2 instances behind an Elastic Load Balancer in an Auto Scaling group and with an Amazon DynamoDB table. The company wants to ensure the application can be made available in another AWS Region with minimal downtime. A solution architect should Create an AWS CloudFormation template to create EC2 instances and a load balancer to be executed when needed. Configure the DynamoDB table_as a global table. And configure DNS failover to point to the new disaster

recovery Region's load balancer to meet with the LEAST amount of

downtime.
A solution architect is using Amazon S3 to design the storage architecture of a new digital media application. The media files must be resilient to the loss of an Availability Zone. Some files are accessed frequently while other files are rarely accessed in an unpredictable pattern. The solution architect must minimize the costs of storing and retrieving the media files by use S3 Intelligent-Tiering.
A company recently deployed a new auditing system to centralize information about operating system versions, patching, and installed software for Amazon EC2 instances. A solution architect must ensure all instances provisioned through EC2 Auto Scaling groups successfully send reports to the auditing system as soon as they are launched and terminated. Use EC2 Auto Scaling lifecycle hooks to execute a custom script to send data to the audit system when instances are launched and terminated is MOST efficiency solution.
A development team needs to host a website that will be accessed by other teams. The website contents consist of HTML, CSS, client side JavaScript, and images. Create an Amazon S3 bucket and host the website there is the MOST cost-effective.

PlAwAnSaI · May 21, 2021

AWS Cost Calculator Overview:
Pricing Philosophy - High volume / low margin businesses are in core DNA:

Trade CapEx for variable expense: Pay for what use
Economies of scale provide with lower costs: 80 price reductions since 2006
Pricing model choice to support variable and stable workloads: On-demand / Spot / Reserved Instances / Saving Plan
Save more money as you grow bigger: Tiered pricing, Volume discounts, and Custom pricing

Compute:Amazon EC2:

Linux | Windows
Arm and x86 architectures
General purpose and workload optimized
Bare metal, disk, networking capabilities
Packaged | Custom | Community AMIs
Multiple purchase options: On-demand, RI, Spot

Operating Systems Supported:

Windows 2003R2 / 2008 / 2008R2 / 2012 / 2012R2 / 2016 / 2019
Amazon Linux
Debian
Suse
CentOS
Red Hat Enterprise Linux
Ubuntu
Etc.

Processor and architecture:

Intel® Xeon® Scalable (Skylake) processor
NVIDIA V100 Tensor Core GPUs
AMD EPYC processor
Amazon ARM based Cloud Processor
FPGAs for custom hardware acceleration

Right compute for the right application and workload

Naming Explained - c5n.xlarge:

c: Instance family
- a: ARM
- c: Compute Intensive
- d: Dense storage
- f: FPGA
- g: GPU (Graphics Intensive)
- h: HDD (Big Data Optimized)
- i: high I/O
- m: Most scenarios (General Purpose)
- p: Premium GPU (General Purpose GPU)
- r: Random-access (Memory Optimized)
- t: Turbo (Burstable performance); a1 also
- x: eXtra-large (In-memory)
- z: high frequency (Compute and Memory Intensive)
5: Instance generation
n: Attribute
xlarge: Instance size

Which service?
Which instance type?
- EC2: General Purpose / Compute / Memory / etc.
- S3
Purchasing Options:
- On-Demend: Pay for compute capacity by the second with no long-term commitments
- Reserved Instances
- Spot Instances
- Savings Plans: Because Reserved Instances fixed instance type
To optimize EC2, combine three purchase options!
gp3 vs gp2: gp3 is recommend with better performance & cheaper price

https://calculator.aws/#/estimate?id=5491ecc080df4414a1436dc69ecfc156b3a43a48
RDS Encryption Operations:

Encryption RDS backups:
- Snapshots of:
  - un-encrypted RDS database are un-encrypted
  - encrypted RDS database are encrypted
- Can copy a snapshot into an encrypted one
To encrypt an un-encrypted RDS database:
- Create a snapshot of the un-encrypted database
- Copy the snapshot and enable encryption for the snapshot
- Restore the database from the encrypted snapshot
- Migrate applications to the new database, and delete the old database

Security - Network & IAM:

Network Security:
- RDS database are usually deployed within a private subnet, not in a public one
- RDS security works by leveraging security groups (the same concept as for EC2 instances) - it controls which IP / security group can communicate with RDS
Access Management:
- IAM policies help control who can manage AWS RDS (through the RDS API)
- Traditional Username and Password can be used to login into the database
- IAM-based authentication can be used to login into RDS MySQL & PostgreSQL

IAM Authentication:

IAM database authentication works with MySQL and PostgreSQL
Don't need a password, just an authentication token obtained through IAM & RDS API calls
Auth token has a lifetime of 15 minutes
Benefits:
- Network in/out must be encrypted using SSL
- IAM to centrally manage users instead of DB
- Can leverage IAM Roles and EC2 Instance profiles for easy integration

Security - Summary:

การเข้ารหัส at rest:
- จะทำก็ต่อเมื่อสร้าง Instance DB ขึ้นเป็นครั้งแรก
- หรือ: unencrypted DB => snapshot => คัดลอก snapshot โดยเข้ารหัส => สร้าง DB จาก snapshot
ความรับผิดชอบของคุณ:
- ตรวจสอบกฎขาเข้าของ Port / IP / กลุ่มความปลอดภัยใน DB SG
- การสร้างผู้ใช้ในฐานข้อมูลและสิทธิ์หรือจัดการผ่าน IAM
- การสร้างฐานข้อมูลโดยมีหรือไม่มีการเข้าถึงแบบสาธารณะ
- ตรวจสอบให้แน่ใจว่ามีการกำหนดค่ากลุ่ม Parameter หรือ DB ให้อนุญาตเฉพาะการเชื่อมต่อ SSL
ความรับผิดชอบของ AWS:
- ไม่มีการเข้าถึง SSH
- ไม่มีการ Manual Patch ฐานข้อมูล
- ไม่มีการ Manual Patch ระบบปฏิบัติการ
- ไม่มีวิธีตรวจสอบ Underlying Instance

A medical records company is hosting an application on Amazon EC2 instances. The application processes customer data files that are stored on Amazon EC2 instance. The EC2 instances access Amazon S3 over the internet, but they do not require any other network access. A new requirement mandates that the network traffic for file transfers take a private route and not be sent over the internet. Move the EC2 instances to private subnets. Create a VPC endpoint for Amazon S3, and link the endpoint to the route table_for the private subnets change to the network architecture should a solution architect recommend.
A software vendor is deploying a new software-as-a-service (SaaS) solution that will be utilized by many AWS users. The service is hosted in a VPC behind a Network Load Balancer. The software vendor wants to provide access to this service to users with the least amount of administrative overhead and without exposing the service to the public internet. A solution architect should Connect the service in the VPC with an AWS PrivateLink endpoint. Have users subscribe to the endpoint.
A company has created a multi-tier application for its ecommerce website. The website uses an Application Load Balancer that resides in the public subnets, a web tier in the public subnets, and a MySQL cluster hosted on Amazon EC2 instances in the private subnets. The MySQL database needs to retrieve product catalog and pricing information that is hosted on the internet by a third-party provider. A solution architect must devise a strategy that maximizes security without increasing operational overhead. The solutions architect should Deploy a NAT gateway in the public subnets. Modify the private subnet route table to direct all internet-bound traffic to the NAT gateway.

PlAwAnSaI · May 23, 2021

Amazon Aurora:

Is a proprietary technology from AWS (not open sourced)
Postgres and MySQL are both supported as Aurora DB (that means drivers will work as if Aurora was a Postgres or MySQL database)
Is 'AWS cloud optimized' and claims 5x performance improvement over MySQL on RDS, over 3x the performance of Postgres on RDS
Storage automatically grows in increments of 10GB, up to 64 TB.
Can have 15 replicas while MySQL has 5, and the replication process is faster (sub 10 ms replica lag)
Failover is instantaneous. It's HA native.
Costs more than RDS (20% more) - but is more efficient

High Availability and Read Scaling:

6 copies of data across 3 AZ:
- 4 copies out of 6 needed for writes
- 3 copies out of 6 need for reads
- Self healing with peer-to-peer replication
- Storage is striped across 100s of volumes
One Aurora Instance takes writes (master)
Automated failover for master in less than 30 seconds
Master + up to 15 Read Replicas serve reads
Support for Cross Region Replication

DB Cluster:

Writer Endpoint: Pointing to the master
Reader Endpoint: Connection Load Balancing

Features:

Automatic fail-over
Backup and Recovery
Isolation and security
Industry compliance
Push-button scaling
Automated Patching with Zero Downtime
Advanced Monitoring
Routine Maintenance
Backtrack: restore data at any point of time without using backups

Security:

Similar to RDS because uses the same engines
Encryption at rest using KMS
Automated backups, snapshots and replicas are also encrypted
Encryption in flight using SSL (same process as MySQL or Postgres)
Possibility to authenticate using IAM token (same method as RDS)
You are responsible for protecting the instance with security groups
Can't SSH

Custom Endpoints:

Define a subset of Aurora Instances as a Custom Endpoint
Example: Run analytical queries on specific replicas
The Reader Endpoint is generally not used after defining Custom Endpoints

Serverless:

Automated database instantiation and auto-scaling based on actual usage
Good for infrequent, intermittent or unpredictable workloads
No capacity planning needed
Pay per second, can be more cost-effective

Multi-Master:

In case want immediate failover for write node (HA)
Every node does R/W - vs promoting a RR as the new master

Global:

Aurora Cross Region Read Replicas:
- Useful for disaster recovery
- Simple to put in place
Global Database (recommended):
- 1 Primary Region (read / write)
- Up to 5 secondary (read-only) regions, replication lag is less than 1 second
- Up to 16 Read Replicas per secondary region
- Helps for decreasing latency
- Promoting another region (for disaster recovery) has an RTO of < 1 minute

Machine Learning:

Enables to add ML-based predictions to applications via SQL
Simple, optimized, and secure integration between Aurora and AWS ML services
Supported services:
- Amazon SageMaker (use with any ML model)
- Amazon Comprehend (for sentiment analysis)
Don't need to have ML experience
Use cases: fraud detection, ads targeting, sentiment analysis, product recommendations

IAM Policies Structure:

{
"Version": "2012-10-17", // policy language version, always include '2012-10-17'
"Id": "S3-Account-Permissions", // an identifier for the policy (optional)
"Statement": [ // one or more individual statements (required)
{
"Sid": "1", // an identifier for the statement (optional)
"Effect": "Allow", // whether the statement allows or denies access (Allow, Deny)
"Principal": { // account/user/role to which this policy applied to
"AWS": [arn:aws:iam;;123456789012:root"]
},
"Action": [ // list of actions this policy allows or denies
"s3:GetObject",
"s3utObject"
],
"Resource": ["arn:aws:s3:::mybucket/*"] // list of resources to which the actions applied to
"Condition": { // for when this policy is in effect (optional)
"ForAnyValue:StringEquals": {
"aws:CalledVia": [
"cloudformation.amazonaws.com"
]
}
}
}
]
}

A solution architect is performing a security review of a recently migrated workload. The workload is a web application that consists of amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer. The solution architect must improve the security posture and minimize the impact of a DDoS attack on resources. Create a custom AWS Lambda function that adds identified attacks into a common vulnerability pool to capture a potential DDoS attack. Use the identified information to modify a network ACL to block access is MOST effective solution.
A solution architect needs to ensure that all Amazon Elastic Block Store (Amazon EBS) volumes restored from unencrypted EBS snapshots are encrypted. The solution architect should Create a new volume and specify the symmetric customer master key (CMK) to use for encryption.

PlAwAnSaI · May 23, 2021

Amazon ElastiCache Overview:

The same way RDS is to get managed Relational Databases...
Is to get managed Redis or Memcached
Caches are in-memory databases with really high performance, low latency
Helps reduce load off of databases for read intensive workloads
Helps make application stateless
AWS takes care of OS maintenance / patching, optimizations, setup, configuration, monitoring, failure recovery and backups
Using involves heavy application code changes

Solution Architecture - DB Cache:

Applications queries ElastiCache, if not available, get from RDS and store in ElastiCache.
Helps relieve load in RDS
Cache must have an invalidation strategy to make sure only the most current data is used in there.

User Session Store:

User logs into any of the application
The application writes the session data into ElastiCache
The user hits another instance of application
The instance retrieves the data and the user is already logged in

Redis vs Memcached:

REDIS:
- Multi AZ with Auto-Failover
- Read Replicas to scale reads and have high availability
- Data Durability using AOF persistence
- Backup and restore features
MEMCACHED:
- Multi-node for partitioning of data (sharding)
- No high availability (replication)
- Non persistent
- No backup and restore
- Multi-threaded architecture

Cache Security:

All caches in ElastiCache:
- Do not support IAM authentication
- IAM policies on ElastiCache are only used for AWS API-level security
Redis AUTH:
- Can set a 'password/token' when create a Redis cluster
- This is an extra level of security for cache (on top of security groups)
- Support SSL in flight encryption
Memcached:
- Supports SASL-based authentication (advanced)

Patterns:

Lazy Loading: all the read data is cached, data can become stale in cache
Write Through: Adds or update data in the cache when written to a DB (no stale data)
Session Store: store temporary session data in a cache (using TTL features)
There are only two hard things in Computer Science: cache invalidation and naming things

Redis Use Case:

Gaming Leaderboards are computationally complex
Redis Sorted sets guarantee both uniqueness and element ordering
Each time a new element added, it's ranked in real time, then added in correct order

RDS database struggles to keep up with the demand of the users from website. Million users mostly read news, and don't post news very often. An ElastiCache cluster and RDS Read Replicas solution is adapted to do indeed help with scaling reads.
Have setup read replicas on RDS database, but users are complaining that upon updating their social media posts, they do not see the update right away. Because Read Replicas have asynchronous replication and therefore it's likely users will only observe eventual consistency.
Multi AZ RDS feature does not require to change SQL connection string.
Multi AZ keeps the same connection string regardless of which database is up. Read Replicas imply need to reference individually in application as each read replica will have its own DNS name.
Enable Multi AZ to ensure Redis cluster will always be available (high availability).

Write a custom AWS Lambda function to generate the thumbnail and alert the user. Use the image upload process as an event source to invoke the Lambda function. The solution architect should Create Amazon Simple Notification Service (Amazon SNS) notification topics and subscriptions. Use one subscription with the application to generate the thumbnail.
A company has a three-tier, stateless web application. The company's web and application tiers run on Amazon EC2 instances in an Auto Scaling group with an Amazon Elastic Block Store (Amazon EBS) root volume, and the database tier runs on Amazon RDS for PostgreSQL. The company's recovery point objective (RPO) is 2 hours. A solutions architect should recommend Retain the latest Amazon Machine Images (AMIs) of the web and application tiers. Configure daily Amazon RDS snapshots and use point-in-time recovery to meet the RPO to enable backups for this environment.
A company has thousands of edge devices that collectively generate 1 TB of status alerts each day. Each alert is approximately 2 KB in size. A solution architect needs to implement a solution to ingest and store the alerts for future analysis.
The company wants a highly available solution. However the company needs to minimize costs and does not want to manage additional infrastructure. Additionally, the company wants to keep 14 days of data available for immediate analysis and archive any data older than 14 days. Create an Amazon Simple Queue Service (Amazon SQS) standard queue to ingest the alerts and set the message retention period to 14 days. Configure consumers to poll the SQS queue check the age of the message and analyze the message data as needed if the message is 14 days old, the consumer should copy the message to an Amazon S3 bucket and delete the message from the SQS queue is the MOST operationally efficient solution.
A company is running a highly sensitive application on Amazon EC2 backed by an Amazon RDS database Compliance regulations mandate that all personally identifiable information (PII) be encrypted at rest. The LEAST amount of changes to the infrastructure is Configure Amazon Elastic Block Store (Amazon EBS) encryption and Amazon RDS encryption with AWS Key Management Service (AWS KMS) keys to encrypt instance and database volumes.
A company is processing data on a daily basis. The results of the operations are stored in an Amazon S3 bucket analyzed daily for one week and then must remain immediately accessible for occasional analysis. Configure a lifecycle policy to transition the objects to Amazon S3 One Zone-Infrequent Access (S3 One Zone-IA) after 30 days is the MOST cost-effective storage solution alternative to the current configuration.
A company is creating a new application that will store a large amount of data. The data will be analyzed hourly and will be modified by several Amazon EC2 Linux instances that are deployed across multiple Availability Zones. The needed amount of storage space will continue to grow for the next 6 months. A solution architect should recommend Store the data in Amazon S3 Glacier Update the S3 Glacier vault policy to allow access to the application instances.
An application running on an Amazon EC2 instance needs to access an Amazon DynamoDB table. Both the EC2 instance and the DynamoDB table are in the same AWS account. A solution architect must configure the necessary permissions. Create an IAM role with the appropriate policy to allow access to the DynamoDB table. Create an instance profile to assign this IAM role to the EC2 instance solution will allow least privilege access to the DynamoDB table from the EC2 instance.
A company plans to store sensitive user data on Amazon S3. Internal security compliance requirement encryption of data before sending it to Amazon S3. Server-side encryption with customer-provided encryption keys should a solution architect recommend.

PlAwAnSaI · May 24, 2021

AWS Cost Optimization:

How We Saved Over $1,000 By Building CloudForecast With Serverless And AWS Lambda:
https://www.cloudforecast.io/blog/how-we-saved-money-using-aws-serverless-lambda
http://awscostlabs.com

How many instances could right-size?
What benefits could get from using reserved instances?
How many of instances need to be running 24x7?
How many instances are configured for auto-scaling?

Application functions on an ASG behind an ALB. Users have to constantly log back in and rather not enable stickiness on ALB as fear it will overload some servers. Should Store session data in ElastiCache is a common pattern to ensuring different instances can retrieve user's state if needed.
One analytics application is currently performing its queries against main production database. These queries slow down the database which impacts the main user experience.Should Setup a Read Replica to improve the situation.
It will help as analytics application can now perform queries against it, and these queries won't impact the main production database.
Have a requirement to use TDE (Transparent Data Encryption) on top of KMS. Oracle and MS SQL Server database technologies support TDE on RDS.
Aurora Global Databases allow to have cross region replication. It ensure a database available in another region if a disaster happens to main region.
Can enhance the security of Redis cache to force users to enter a password by Use Redis Auth.
Company has a production Node.js application that is using RDS MySQL 5.6 as its data backend. A new application programmed in Java will perform some heavy analytics workload to create a dashboard, on a regular hourly basis. Want to the final solution to minimize costs and have minimal disruption on the production application, should Create a Read Replica in a different AZ and run the analytics workload on the replica database.
Would like to create_a disaster recovery strategy for RDS PostgreSQL database so that in case of a regional outage, a database can be quickly made available for Read and Write workload in another region. The DR database must be highly available. Should Create a Read Replica in a different region and enable multi-AZ on the main database.
Managing a PostgreSQL database and for security reasons, would like to ensure users are authenticated using short-lived credentials. Use PostgreSQL for RDS and authenticate using a token obtained through the RDS service.
In this case, IAM is leveraged to obtain the RDS service token, so this is the IAM authentication use case.
PostgreSQL and MySQL RDS database technologies support IAM authentication.
An application is running in production, using an Aurora database as its backend. Development team would like to run a version of the application in a scaled-down application, but still be able to perform some heavy workload on a need-basis. Most of the time, the application will be unused. CIO has tasked with helping the team while minimizing costs by Use Aurora Serverless.
Company would like to have a MySQL database internally that is going to be available even in case of a disaster in the AWS cloud. Should setup Multi AZ.
Consider a disaster to be an entire Availability Zone going down. In which case Multi-AZ will help. If want to plan against an entire region going down, backups and replication across regions would help.

A product manager of an ecommerce website is launching a new product line next month. The application hosting the website runs on Amazon EC2 instances in an Auto Scaling group behind a load balancer. Testing has been performed, and the maximum load at launch has been estimated. Traffic to the application is expected to decrease gradually within the first few weeks after the launch. This workload is the only one on this account that is expected to scale during launch. Purchase Reserved instance (RIs) with zonal scope to reserve capacity and get the discount to compute. Then cancel the RIs after the launch. And Purchase scheduled instances to reserve capacity for the launch, and run them on a daily schedule during peak capacity hours combination of steps is MOST cost-effective to ensure that will be adequate capacity when the application scales at launch.
A company's near-real-time streaming application is running on AWS. As the data is ingested a job runs on the data and takes 30 minutes to complete. The workload frequently experiences high latency due to large amounts of incoming data. A solution architect needs to design a scalable and serverless solution to enhance performance. Should Use Amazon Kinesis Data Firehose to ingest and EC2 instances in an Auto Scaling group to process the data.
A company's security policy requires that all AWS API activity in its AWS accounts be recorded for periodic auditing. The company needs to ensure that AWS CloudTrail is enabled on all of its current and future AWS accounts using AWS Organizations. Add all existing accounts under the organization's root. Define and attach a service control policy (SCP) to every account that prevents users from disabling CloudTrail is MOST secure.
A company is running an application on AWS to process weather sensor data that is stored in an Amazon S3 bucket. Three batch jobs run hourly to process the data in the S3 bucket for different purpose. The company wants to reduce the overall processing time by running the three applications in parallel using an event-based approach. A solution architect should Enable S3 Event Notifications for new objects to separate Amazon Simple Queue Service (Amazon SQS) FIFO queues. Create an additional SQS queue for each application and subscribe each queue to the initial topic for processing.
A company's website is using an Amazon RDS MySQL Multi-AZ DB instance for its transactional data storage. There are other internal systems that query this DB instance to fetch data for internal batch processing. The RDS DB instance slows down significantly the internal systems fetch data. This impacts the website's read and write performance, and the users experience slow response times. Add a read replica to the RDS DB instance and configure the internal systems to query the read replica solution will improve the website's performance.
Amazon RDS Read Replicas enhanced performance. Can reduce the load on source DB instance by routing read queries from applications to the read replica. Allow to elastically scale out beyond the capacity constraints of a single DB instance for read-heavy database workloads. Because read replicas can be promoted to master status, they are useful as part of a sharding implementation.
To further maximize read performance, Amazon RDS for MySQL allows to add table indexes directly to Read Replicas, without those indexes being present on the master.
A solution architect is designing an application for a two-step order process. The first step is synchronous and must return to the user with little latency. The second step takes longer, so it will be implemented in a separate component. Orders must be processed exactly once and in the order in which they are received. The solution architect should Create an SNS topic and subscribe an Amazon SQS FIFO queue to that topic.

PlAwAnSaI · May 30, 2021

EC2 User Data:

It is possible to bootstrap our instances using an EC2 User data script.
bootstrapping means launching commands when a machine starts
That script is only run once at the instance first start
EC2 user data is used to automate boot tasks such as:
- Installing updates / software
- Downloading common files from the internet
- Anything can think of
The EC2 User Data Script runs with the root user

AWS Route 53 Overview:

Is a Managed DNS (Domain Name System)
DNS is a collection of rules and records which helps clients understand how to reach a server through its domain name.
In AWS, the most common records are:
- A: hostname to IPv4
- AAAA: hostname to IPv6
- CNAME: hostname to hostname
- Alias: hostname to AWS resource.
Can use:
- public domain names own (or buy)
  application1.mypublicdomain.com
- private domain names that can be resolved by instances in VPCs.
  application1.company.internal
Has advanced features such as:
- Load balancing (through DNS - also called client load balancing)
- Health checks (although limited...)
- Routing policy: simple, failover, geolocation, latency, weighted, multi value
Pay $0.5 per month per hosted zone

DNS Records TTL (Time to Live):

High TTL: (e.g. 24hr):
- Less traffic on DNS
- Possibly outdated records
Low TTL: (e.g. 60 s):
- More traffic on DNS
- Records are outdated for less time
- Easy to change records
TTL is mandatory for each DNS record
https://toolbox.googleapps.com/apps/dig

CNAME vs Alias:

AWS Resources (Load Balancer, CloudFront...) expose an AWS hostname:
lb1-1234.ap-southeast-1.elb.amazonaws.com and want myapp.mydomain.com
CNAME:
- Points a hostname to any other hostname. (app.mydomain.com => blabla.anything.com)
- ONLY FOR NON ROOT DOMAIN (ex: something.mydomain.com)
- myapp.mydomain.com => LB DNS name
Alias:
- Points a hostname to an AWS Resource (app.mydomain.com => blabla.amazonaws.com)
- Works for ROOT DOMAIN and NON ROOT DOMAIN (aka mydomain.com)
- Free of charge
- Native health check

Simple Routing Policy:

Use when need to redirect to a single resource
Can't attach health checks to simple routing policy
If multiple values are returned, a random one is chosen by the client

A company receives inconsistent service from its data center provider because the company is headquartered in an area affected by natural disasters. The company is not ready to fully migrate to the AWS Cloud, but it wants a failure environment on AWS in case the on-premises data center fails. The company runs web servers that connect to external vendors. The data available on AWS and on premises must be uniform. A solution architect should recommend Configure an Amazon Route 53 failover record. Run application servers on Amazon EC2 instances behind an Application Load Balancer in an Auto Scaling group. Set up AWS Storage Gateway with stored volumes to back up data to Amazon S3 to the LEAST amount of downtime.
An application running on AWS generates audit logs of operational activities. Compliance requirements mandate that the application retain the logs for 5 years. Should Save the logs in an Amazon S3 Glacier vault and define a vault lock policy.
A company wants to migrate its 1PB on-premises image repository to AWS. The images will be used by a serverless web application Images stored in the repository are rarely accessed, but they must be immediately available. Additionally, the images must be encrypted at rest and protected from accidental deletion. Should Store the images in an Amazon S3 bucket in the S3 Standard-Infrequent Access (S3 Standard-IA) storage class. Enable versioning: default encryption, and MFA Delete on the S3 bucket.
A company has 150 TB of archived image data stored on-premises that needs to be moved to the AWS Cloud within the next month. The company's current network connection allows up to 100 Mbps uploads for this purpose during the night only. Order multiple AWS Snowball devices to ship the data to AWS is the MOST cost-effective mechanism to move this data and meet the migration deadline.
Use network during the night only = 24 - 9 = 15 hrs/day, 100 Mbps x 60 = 6Gbps/min x 60 = 360 Gbps/hr x 15 = 5.4 Tbps/day, deadline next month = 5.4 x 30 days = 162 Tbps/month / 8 = 20.25 TB.
A company is migrating to the AWS Cloud. A file server is the first workload to migrate. Users must be able to access the file share using the Server Message Block (SMB) protocol should use Amazon FSx AWS managed service.
A company has an API-based inventory reporting application running on Amazon EC2 instances. The application stores information in an Amazon DynamoDB table. The company's distribution centers have an on-premises shipping application that calls an API to update the inventory before printing shipping labels. The company has been experiencing application interruptions several times each day, resulting in lost transactions. A solution architect should recommend Configure Amazon API Gateway to call the EC2 inventory application APIs to improve application resiliency.
A company requires operating system permission on a relational database server. A solution architect should suggest Multiple Amazon EC2 instances in a database replication configuration that uses two Availability Zones as a configuration for a highly available database architecture.
A manufacturing company has machine sensors that upload csv files to an Amazon S3 bucket. These csv files must be converted into images and must be made available as soon as possible for the automatic generation of graphical reports by Design an AWS Lambda function that converts the csv files into images and stores the images in the S3 bucket. Invoke the Lambda function when a csv file is uploaded. The images become irrelevant after 1 month, but the csv files must be kept to train machine learning (ML) models twice a year. The ML trainings and audits are planned weeks in advance by Create S3 Lifecycle rules for csv files and image files in the S3 bucket. Transition the csv files from S3 Standard to S3 One Zone-Infrequent Access (S3 One Zone-IA) 1 day after they are uploaded. Expire the image files after 30 days.
A company is using a VPC peering strategy to connect its VPCs in a single Region to allow for cross-communication. A recent increase in account creations and VPCs has made it difficult to maintain the VPC peering strategy, and the company expects to grow to hundreds of VPCs. There are also new requests to create site-to-site VPNs with some of the VPCs. A solutions architect has been tasked with creating a centrally networking setup for multiple accounts, VPCs, and VPNs. Should Configure a transit gateway with AWS Transit Gateway and connected all VPCs and VPNs.
A company has many applications on Amazon EC2 instances running in Auto Scaling groups. Company policy requires that the data on the attached Amazon Elastic Block Store (Amazon EBS) volumes be retained. Should Disable the Delete on Termination attribute for the Amazon EBS volumes.

PlAwAnSaI · May 31, 2021

Weighted Routing Policy:

Control the % of the requests that go to specific endpoint
Helpful to test 1% of traffic on new app version for example
Helpful to split traffic between two regions
Can be associated with Health Checks

Latency:

Redirect to the server that has the least latency close to users
Super helpful when latency of users is a priority
Latency is evaluated in terms of user to designated AWS Region
Thailand may be directed to the Australia (if that's the lowest latency)
https://www.bitcatcha.in.th/vpn-ที่ดีที่สุด

Health Checks:

Have X failed => unhealthy (default 3)
After X passed => health (default 3)
Default Interval: 30s (can set to 10s - higher cost)
About 15 health checkers will check the endpoint health
=> one request every 2 seconds on average
Can have HTTP, TCP and HTTPS (no SSL verification)
Possibility of integrating with CloudWatch
Can be linked to Route53 DNS queries!

Failover:

Primary & Secondary (disaster recovery)
Primary need Health check (mandatory)

Geo Location:

Different from Latency based!
This is routing based on user location
Like a static routing (eg. Thailand should go to 11.22.33.44, HongKong go to 22.33.44.55)
Should create a 'default' policy (in case there's no match on location)

Geoproximity:

Route traffic to resources based on the geographic location of users and resources
Ability to shift more traffic to resources based on the defined bias
To change the size of the geographic region, specify bias values:
- To expand (1 to 99) - more traffic to the resource
- To shrink (-1 to -99) - less traffic to the resource
Resources can be:
- AWS resources (specify AWS region)
- Non-AWS resources (specify Latitude and Longitude)
Must use Route 53 Traffic Flow (advanced) to use this feature

Multi Value:

Use when routing traffic to multiple resources
Want to associate a Route 53 health checks with records
Up to 8 healthy records are returned for each Multi Value query
Multi Value is not a substitute for having an ELB

A Registrar:

A domain name registrar is an organization that manages the reservation of Internet domain names
Famous names: GoDaddy, Google Domains, Etc...
And also... Route53 (e.g. AWS)!
Domain Registrar != DNS

3rd Party Registrar:

If buy domain on 3rd party website, can still use Route53.

Create a Hosted Zone in Route 53
Update NS Records on 3rd party website to use Route 53 name servers

Domain Registrar != DNS
(But each domain registrar usually comes with some DNS features)

A company hosts its static website content from an Amazon S3 bucket in the us-east-1 Region. Content is made available through an Amazon CloudFront origin pointing to that bucket. Cross-Region replication is set up to create a second copy of the bucket in the ap-southeast-1 Region. Management wants a solution that provides greater availability for the website. Should Configure failover routing in Amazon Route 53 and Set up a CloudFront origin group with the us-east-1 bucket as the primary and the ap-southeast-1 bucket as the secondary.
A company is running a database on Amazon Aurora. The database is idle every evening. An application that performs extensive reads on the database experiences performance issues during morning hours when user traffic spikes. During these peak periods, the application receives timeout errors when reading from the database. The company does not have a dedicated operations team and needs an automated solution to address the performance issues. Should Migrate the database to Aurora Serverless and Configure Aurora Auto Scaling with Aurora Replicas.
A company is hosting an application in its own data center. The application uses Amazon S3 for data storage. The application transfers several hundred terabytes of data every month to and from Amazon S3. The company needs to minimize the cost of this data transfer. Should Create an AWS Storage Gateway file gateway. Deploy the software appliance in the company's data center. And Configure the application to use the file gateway to store and retrieve files.
A solution architect must design a solution for a persistent database that is being migrated from on-premises to AWS. The database requires 64,000 IOPS according to the database administrator. If possible, the database administrator wants to use a single Amazon Elastic Block Store (Amazon EBS) volume to host the database instance. Should Create an Nitro-based Amazon EC2 instance with an Amazon EBS Provisioned IOPS SSD (io1) volume attached. Configure the volume to have 64,000 IOPS.
A company has thousands of edge devices that collectively generate 1 TB of status alerts each day. Each alert is approximately 2 KB in size. A solutions architect needs to implement a solution to ingest and store the alerts for future analysis.
The company wants a highly available solution. However, the company needs to minimize costs and does not want to manage additional infrastructure. Additionally, the company wants to keep 14 days of data available for immediate analysis and archive any data older than 14 days. The MOST operationally efficient solution is Create an Amazon Simple Queue Service (Amazon SQS) standard queue to ingest the alerts and set the message retention period to 14 days. Configure consumers to poll the SQS queue check the age of the message and analyze the message data as needed if the message is 14 days old, the consumer should copy the message to an Amazon S3 bucket and delete the message from the SQS queue.
A company operates a website on Amazon EC2 Linux instances. Some of the instances are failing. Troubleshooting points to insufficient swap space on the failed instances. The operations team lead needs a solution to monitor this. A solution architect should recommend Configure an Amazon CloudWatch SwapUsage metric dimension. Monitor the SwapUsage dimension in the EC2 metrics in Cloud Watch.
A company is using Amazon EC2 to run its big data analytics workloads. These variable workloads run each night, and it is critical they finish by the start of business the following day. A solution architect has been tasked with designing the MOST cost-effective solution. Should use Reserved Instances.
A company provides an API to its users that automates inquiries for tax computations based on item prices. The company experiences a larger number of inquiries during the holiday season only that cause slower response times. A solution architect needs to design a solution that is scalable and elastic. The solution architect should Design a REST API using Amazon API Gateway that accepts the item names. API Gateway passes item names to AWS Lambda for tax computations.

PlAwAnSaI · Jun 4, 2021

Have purchased 'coolcompany.com' on the AWS registrar and would like for it to point to lb1-1234.ap-southeast-1.elb.amazonaws.com. Alias sort of Route 53 record is POSSIBLE to set up for this.
The DNS protocol does not allow to create a CNAME record for the top node of a DNS namespace (coolcompany.com), also known as the zone apex.
Have deployed a new Elastic Beanstalk environment and would like to direct 5% of production traffic to this new environement, in order to monitor for CloudWatch metrics and ensuring no bugs exist. Weighted type of Route 53 records allows to do so.
Weighted allows to redirect a part of the traffic based on a weight (hence a percentage). It's common to use to send a part of a traffic to a new application deploying.
After updating a Route 53 record to point 'app.domain.com' from an old Load Balancer to a new load balancer, it looks like the users are still not redirected to new load balancer. It's because of the TTL.
DNS records have a TTL (Time To Live) in order for clients to know for how long to caches these values and not overload the DNS with DNS requests. TTL should be set to strike a balance between how long the value should be cached vs how much pressure should go on the DNS.
Want users to get the best possible user experience and that means minimizing the response time from servers to users. Latency routing policy will help.
Latency will evaluate the latency results and help users get a DNS responce that will minimize their latency (e.g. response time).
Have a legal requirement that people in any country but France should not be able to access website. Geolocation Route 53 record helps in achieving this.
Have purchased a domain on Godaddy and would like to use it with Route 53. Need to Create a public hosted zone and update the 3rd party registrar NS records to make this work.
Private hosted zones are meant to be used for internal network queries and are not publicly accessible. Public Hosted Zones are meant to be used for people requesting website through the public internet. Finally, NS records must be updated on the 3rd party registrar.

Stateless Web App: WhatsTheTime.com:

Allows people to know what time it is
Don't need a database
Want to start small and can accept downtime
Want to fully scale vertically and horizontally, no downtime

Only one t2.micro access by EC2's Public IP
If restart, IP will change =>
+ Elastic IP Address
If too much users t2.micro isn't enough =>
Change to m5.large with 1st downtime
If too much users m5.large isn't enough =>
Horizontally scaling by + more m5.large, - Elastic IP due to many IPs by + Route 53 with A Record instead
But when remove the instance, due to the Route 53 TTL, some users can't access that time =>
+ Public-facing ELB & Health Checks & Restricted Security groups to Private EC2 instances, change Route 53 A Record to Alias Record due to ELB IP changing all the time
But now, adding and removing instances manually is pretty hard to do =>
+ Auto Scaling group
If disaster happen, the entire web will go down due to only one AZ =>
+ Multi-AZ both ELB & EC2: 2 AZ & one EC2 reserved instance for each

Stateful Web App: Clothes.com:

Allows people to buy clothes online.
There's a shopping cart
Having hundreds of users at the same time
Need to scale, maintain horizontal scalability and keep it as stateless as possible
Users should not lose their shopping cart
Users should have their details (address, etc) in a database

Use final architecture of WhatsTheTime.com
When user request change the EC2, the shopping cart is lost =>
Enable ELB Stickiness
If the EC2 terminated for some reason, the shopping cart is still lost =>
Use User Web Client Cookies instead of ELB Stickiness and making web app stateless
But Security risk & Cookies must be less than 4KB =>
Just Send session_id in Web Cookies & + ElastiCache to store sessions (alternative: DynamoDB)
+ RDS to store user data
If one RDS isn't enough =>
1. + another RDS for Read Replicas, the old one do a Master (writes)
2. Use ElastiCache to cache data from RDS
Route 53 is already highly available, there is Multi AZ feature both RDS & ElastiCache
Tight Security with security groups referencing each other

A solution architect needs to design a highly available application consisting of web, application, and database tiers, HTTPS content delivery should be as close to the edge as possible, with the least delivery time. Should use Amazon EC2 instances in private subnets. Configure a public Application Load Balancer with multiple redundant. Amazon CloudFront to deliver HTTPS content using the EC2 instances as the origin is MOST secure.
A healthcare company stores highly sensitive patient records. Compliance requires that multiple copies be stored in different locations. Each record must be stored for 7 years. The company has a service level agreement (SLA) to provide records to government agencies immediately for the first 30 days and then within 4 hours of a request thereafter. A solution architect should recommend Use Amazon S3 with cross-Region replication enabled. After 30 days, transition the data to Amazon S3 Glacier using lifecycle policy.
A company is planning to build a new web application on AWS. The company expects predictable traffic most of the year and very high traffic on occasion. The web application needs to be highly available and fault tolerant with minimal latency. A solution architect should recommend Use Amazon EC2 instances in an Auto Scaling group with an Application Load Balancer across multiple Availability Zones.
A company runs analytics software on Amazon EC2 instances. The software accepts job requests from users to process data that has been uploaded to Amazon S3. Users report that some submitted data is not being processed. Amazon CloudWatch reveals that the EC2 instances have a consistent CPU utilization at or near 100%. The company wants to improve system performance and scale the system based on user load. A solution architect should Create a copy of the instance. Place all instances behind an Application Load Balancer.
A solution architect needs to design a network that will allow multiple Amazon EC2 instances to access a common data source used for mission-critical data that can be accessed by all the EC2 instances simultaneously. The solution must be highly scalable, easy to implement and support the NFS protocol. Should Create an Amazon EFS file system. Configure a mount target in each Availability Zone. Attach each instance to the appropriate mount target.
A solution architect is designing a new service behind Amazon API Gateway. The request patterns for the service will be unpredictable and can change suddenly from 0 requests to over 500 per second. The total size of the data that needs to be persisted in a backend database is currently less than 1 GB with unpredictable future growth. Data can be queried using simple key-value requests. Should use AWS Lambda and Amazon DynamoDB.

PlAwAnSaI · Jun 6, 2021

Stateful Web App: WordPress.com:

Trying to create a fully scable WordPress website
Want that website to access and correctly display picture uploads
User data, and the blog content should be stored in a MySQL database.

Use 5. architecture of Clothes.com
If want to go big & scale up better & easier to upwrite =>
Change from RDS to Aurora MySQL Multi AZ & Read Replicas
Use EBS for storing images
But when scaling 2 EC2, each have their own EBS, one EBS is no image present =>
Use EFS instead to share data between EC2s

Instantiating Applications quickly:

When launching a full stack (EC2, EBS, RDS), it can take time to:
- Install applications
- Insert initial (or recovery) data
- Configure everything
- Launch the application
Can take advantage of the cloud to speed that up!
EC2 Instances:
- Use a Golden AMI: Install applications, OS dependencies etc.. beforehand and launch EC2 instance from the Golden AMI
- Bootstrap using User Data: For dynamic configuration, use User Data scripts
- Hybrid: mix Golden AMI and User Data (Elastic Beanstalk)
RDS Databases:
- Restore from a snapshot: the database will have schemas and data ready!
EBS Volumes:
- Restore from a snapshot: the disk will already be formatted and have data!

Developer problems on AWS:

Managing infrastructure
Deploying Code
Configuring all the databases, load balancers, etc
Scaling concerns
Most web apps have the same architecture (ALB + ASG)
All the developers want is for their code to run!
Possibly, consistently across different applications and environments

AWS ElasticBeanStalk Overview:

Is a developer centric view of deploying an application on AWS
It uses all the component's have seen before:
EC2, ASG, ELB, RDS, etc...
But it's all in one view that's easy to make sense of!
Still have full control over the configuration
Is free but pay for the underlying instances
Managed service:
- Instance configuration / OS is handled by beanstalk
- Deployment strategy is configurable but performed
Just the application code is the responsibility of the developer
Three architecture models:
- Single Instance deployment: good for dev
- LB + ASG: great for production or pre-production web applications
- ASG only: great for non-web apps in production (workers, etc...)
ElasticBeanStalk has three components:
- Application
- Application version: each deployment gets assigned a version
- Environment name (dev, test, prod...): free naming
Deploy application versions to environments and can promote application versions to the next environment
Rollback feature to previous application version
Full control over lifecycle of environments
Support for many platforms:
- Go, Java SE / with Tomcat
- .NET on Windows Server with IIS
- Node.js, PHP
- Python, Ruby
- Packer Builder
- Single Container / Multicontainer / Preconfigured Docker
If not supported, can write custom platform (advanced)

A company is running a global application. The application's users submit multiple videos that are then merged into a single video file. The application uses a single Amazon S3 bucket in the us-east-1 Region to receive uploads from users. The same S3 bucket provides the download location of the single video file that is produced. The final video file output has an average size of 250 GB.
The company needs to develop a solution that delivers faster uploads and downloads of the video files that are stored in Amazon S3. The company will offer the solution as a pay for the increased speed. A solution architect should Enable S3 Transfer Acceleration for the S3 bucket in us-east-1. Configure the application to use the bucket's S3-accelerate endpoint domain name for the upload and download links for users who have a subscription.
A company plans to host a survey website on AWS. The company anticipates an unpredictable amount of traffic. This traffic results in asynchronous updates to the database. The company wants to ensure that writes to the database hosted on AWS do not get dropped. The company should write its application to handle these database requests by Configure the application to publish to an Amazon Simple Notification Service (Amazon SNS) to Subscribe the database to the SNS topic.
A company has developed a database in Amazon RDS for MySQL. Due to increased support team is reporting slow reads against the DB instance and recommends adding a read replica. A solution architect should Allow long-running transactions to complete on the source DB instance and Enable automatic backups on the source instance by settings the backup retention period to a value other than 0 before implementing this change.
A company is building a document storage application on AWS. The Application runs on Amazon EC2 instances in multiple Availability Zones. The company requires the document store to be highly available. The documents need to be returned immediately when requested. The lead engineer has configured the application to use Amazon Elastic Block Store (Amazon EBS) to store the documents, but is willing to consider other options to meet the availability requirement. A solution architect should recommend Use Amazon EBS for the EC2 instance root volumes. Configure the application to build the document store on Amazon S3.
A web application must persist order data to Amazon S3 to support neat-real time processing. A solution architect needs create an architecture that is both scalable and fault tolerant. Should Write the order event to an Amazon Simple Queue Service (Amazon SQS) queue. Use the queue to trigger an AWS Lambda function that parsers the payload and writes the data to Amazon S3. And Write the order event to an Amazon Simple Notification Service (Amazon SNS) topic. Use an Amazon EventBridge (Amazon CloudWatch Events) rule to trigger an AWS Lambda function that parses the payload and writes the data to Amazon S3.
The DNS provider that hosts a company's domain name records is experiencing outages that cause service disruption for a website running on AWS. The company needs to migrate to a more resilient managed DNS service and wants the service to run on AWS. A solution architect should Create an Amazon Route 53 public hosted zone for the domain name. Import the zone file containing the domain records hosted by the previous provider to rapidly migrate the DNS hosting service.

PlAwAnSaI · Jun 8, 2021

Have an ASG that scales on demand based on the traffic going to new website: Triangle.Com. Would like to optimize for cost, so have selected an ASG that scales based on demand going through ELB. Still, want solution to be highly available so have selected the minimum instances to 2. Can further optimize the cost while respecting the requirements by Reserve two EC2 instances.
This is the way to save further costs as know will run 2 EC2 instances no matter what.
Offload data in RDS, Store the session data in ElastiCache, or Send the session data through the client cookies help make application tier stateless.
Looking to store shared software updates data across 100s of EC2 instances. The software updates should be dynamically loaded on the EC2 instances and shouldn't require heavy operations. Should Store the software updates on EFS and mount EFS as a network drive.
EFS is a network file system (NFS) and allows to mount the same file system to 100s of EC2 instances. Publishing software updates their allow each EC2 instance to access them.
As a solution architect managing a complex ERP software suite, orchestrating a migration to the AWS cloud. The software traditionally takes well over an hour to setup on a Linux machine, and would like to make sure application does leverage the ASG feature of auto scaling based on the demand. Recommend speed up the installation process by Use a Golden AMI.
Golden AMI is a standard in making sure snapshot a state after an application installation or pulling dependencies so that future instances can boot up from that AMI quickly.
Creating an application and would like for it to be running with minimal cost in a development environment with Elastic Beanstalk. Should run it in Single Instance Mode.
This will create one EC2 instance and one Elastic IP.
Deployments on Elastic Beanstalk have been painfully slow, and after looking at the logs, realize this is due to the fact that dependencies are resolved on each EC2 machine at deployment time. Can speed up deployment with the minimal impact by Create a Golden AMI that contains the dependencies and launch the EC2 instances from that.

Amazon S3
Another base block of AWS:

Introduction:

Amazon S3 is one of the main building blocks of AWS
It's advertised as 'infinitely scaling' storage
It's widely popular and deserves its own section
Many websites use Amazon S3 as a backbone
Many AWS services uses Amazon S3 as an integration as well

Overview - Buckets:

Amazon S3 allows people to store objects (files) in 'buckets' (directories)
Must have a globally unique name
Are defined at the region level
Naming convention:
- No uppercase & underscore
- 3-63 characters long
- Not an IP
- Must start with lowercase letter or number

Objects:

(files) have a Key
The key is the FULL path:
- s3://my-bucket/my_file.txt
The key is composed of prefix + object name:
- s3://my-bucket/my_folder1/another_folder/my_file.txt
There's no concept of 'directories' within buckets (although the UI will trick to think otherwise)
Just keys with very long names that contain slashes ('/')
Object values are the content of the body:
- Max Size is 5TB (5,000GB)
- If uploading more than 5GB, must use 'multi-part upload'
Metadata (list of text key / value pairs - system or user metadata)
Tags (Unicode key / value pair - up to 10) - useful for security / lifecycle
Version ID (if versioning is enabled)

A company has an application with a REST-based Interface that allows data to be received in near-real time from a third-party vendor. Once received, the application processes and stores the data for further analysis. The application is running on Amazon EC2 instances.
The third-party vendor has received many 503 Service Unavailable Errors when sending data to the application. When the data volumes spikes, the compute capacity reaches its maximum limit and the application is unable to process all requests. A solution architect should recommend Use Amazon Kinesis Data Streams to ingest the data. Process the data using AWS Lambda functions to provide a more scalable solution.
A company has three VPCs named Development, Testing and Production in the ap-southeast-1 Region. The three VPCs need to be connected to an on-premises data center and are designed to be separate to maintain security and prevent any resource sharing. A solution architect needs to find a scalable and secure solution. The solutions architect should recommend Create a new VPC called Network. Within the Network VPC create an AWS Transit Gateway with an AWS Direct Connect connection back to the data center. Attach all the other VPCs to the Network VPC.
A company is developing a serverless web application that gives users the ability to interact with real-time analytics from online games. The data from the games must be streamed in real time. The company needs a durable, low-latency database option for user data. The company does not know how many users will use the application. Any design considerations must provide response times of single-digit milliseconds as the application scales. Should use Amazon CloudFront and DynamoDB.
A company hosts its multi-tier, public web application in the AWS Cloud. The web application runs on Amazon EC2 instances and its database runs on Amazon RDS. The company is anticipating a large increase in sales during an upcoming holiday weekend. A solutions architect needs to build a solution to analyze the performance of the web application with a granularity of no more than 2 minutes. The solution architect should Enable detailed monitoring on all EC2 instances. Use Amazon CloudWatch metrics to perform further analysis.
A company runs a web application that is backed by Amazon RDS. A new database administrator caused data loss by accidentally editing information in a database table. To help recover from this type of incident, the company wants the ability to restore the database to its state from 5 minutes before any change within the last 30 days. Automated backups feature should the solution architect include in the design.
A company has an application that uses Amazon Elastic File System (Amazon EFS) to store data. The files are 1 GB in size or larger and are accessed often only for the first few days after creation. The application data is shared across a cluster of Linux servers. The company wants to reduce storage costs for the application. A solution architect should Configure a lifecycle policy to move the files to the EFS Infrequent Access (IA) storage class after 7 days.
A company must migrate 20 TB of data from a data center to the AWS Cloud within 30 days. The company's network bandwidth is limited to 15 Mbps and cannot exceed 70% utilization. A solution architect should Use AWS Snowball.
70% of 15 Mbps = 10.5 Mbps, 30 days all day & night just 3.402 TB.
A company is designing a new application that runs in a VPC on Amazon EC2 instances. The application stores data in Amazon S3 and uses Amazon DynamoDB as its database. For compliance reasons, the company prohibits all traffic between the EC2 instances and other AWS services from passing over the public internet. A solution architect can Configure gateway VPC endpoints to Amazon S3 and DynamoDB.

PlAwAnSaI · Jun 14, 2021

Versioning:

Can version files in Amazon S3
It is enabled at the bucket level
Same key overwrite will increment the 'version': 1, 2, 3....
It is best practice to version buckets:
- Protect against unintended deletes (ability to restore a version)
- Easy roll back to previous version
Notes:
- Any file that is not versioned prior to enabling versioning will have version 'null'
- Suspending versioning does not delete the previous versions

Encryption for Objects:

There are 4 methods of encrypting objects in S3
- SSE-S3: encrypts S3 objects using keys handled & managed by AWS
- SSE-KMS: leverage AWS Key Management Service to manage encryption keys
- SSE-C: when want to manage own encryption keys
- Client Side Encryption
It's important to understand which ones are adapted to which situation.

SSE-S3:

Object is encrypted server side
AES-256 encryption type
Must set header: "x-amz-server-side-encryption":"AES256"

SSE-KMS:

encryption using keys handled & managed by KMS
KMS Advantages: user control + audit trail
Object is encrypted server side
Must set header: "x-amz-server-side-encryption":"aws:kms"

SSE-C:

server-side encryption using data keys fully managed by the customer outside of AWS
Amazon S3 does not store the encryption key provide
HTTPS must be used
Encryption key must provided in HTTP headers, for every HTTP request made

Client Side Encryption:

Client library such as the Amazon S3 Encryption Client
Clients must encrypt data themselves before sending to S3
Clients must decrypt data themselves when retrieving from S3
Customer fully manages the keys and encryption cycle

Encryption in transit (SSL/TLS):

Amazon S3 exposes:
- HTTP endpoint: non encrypted
- HTTPS endpoint: encryption in flight
Are free to use the endpoint want, but HTTPS is recommended
Most clients would use the HTTPS endpoint by default
Encryption in flight is also called SSL / TLS

Security:

User based:
- IAM policies - which API calls should be allowed for a specific user from IAM console
Resource Based:
- Bucket policies - bucket wide rules from the S3 console - allows cross account
- Object Access Control List (ACL) - finer grain
- Bucket ACL - less common
Note: an IAM principal can access an S3 object if:
- the user IAM permissions allow it OR the resource policy ALLOWS it
- AND there's no explicit DENY

Bucket Policies:

JSON based policies:
{
"Version": "2013-11-28",
"Statement": [
{
"Sid": "PublicRead",
"Effect": "Allow", // Allow / Deny
"Principal": "*", // The account or user to apply the policy to
"Action": [ // Set of API to Allow or Deny
"s3:GetObject"
],
"Resource": [ // buckets and objects
"arn:aws:s3:::examplebucket/*"
]
}
]
}
Use S3 bucket for policy to:
- Grant public access to the bucket
- Force objects to be encrypted at upload
- Grant access to another account (Cross Account)

Bucket and object settings for Block Public Access:

Granted through:
- new / any access control lists (ACLs)
- new public bucket or access point policies
Block public and cross-account access to buckets and objects through any public bucket or access point policies
These setting were created to prevent company data leaks
If know bucket should never be public, leave these on
Can be set at the account level

Security - Other:

Networking:
- Supports VPC Endpoints (for instances in VPC without www internet)
Logging and Audit:
- S3 Access Logs can be stored in other S3 bucket
- API calls can be logged in AWS CloudTrail
User Security:
- MFA Delete: Multi Factor Authentication can be required in versioned buckets to delete objects
- Pre-Signed URLs: URLs that are valid only for a limited time (ex: premium video service for logged in users)

A company has been running a web application with an Oracle relational database in an on-premises data center for the past 15 years. The company must migrate the database to AWS. The company needs to reduce operational overhead without having to modify the application's code. Should Use AWS Database Migration Service (AWS DMS) to migrate the database servers to Amazon RDS.
A solution architect must design a solution that uses Amazon CloudFront with an Amazon S3 origin to store a static website. The company's security policy requires that all website traffic be inspected by AWS WAF. The solution architect should comply with Configure Amazon CloudFront and Amazon S3 to use an origin access identity (OAI) to restrict access to the S3 bucket. Enable AWS WAF on the distribution.
A company is designing a new application that runs in a VPC on Amazon EC2 instances. The application stores data in Amazon S3 and uses Amazon DynamoDB as its database. For compliance reasons, the company prohibits all traffic between the EC2 instances and other AWS services from passing over the public internet. A solution architect can Configure gateway VPC endpoints to Amazon S3 and DynamoDB.
A company has a custom application running on an Amazon EC2 instance that:
- Reads a large amount of data from Amazon S3
- Performs a multi-stage analysis
- Writes the results to Amazon DynamoDB
The application writes a significant number of large, temporary files during the multi-stage analysis. The process performance depends on the temporary storage performance. Multiple Amazon S3 buckets with Transfer Acceleration for storage would be the fastest storage option for holding the temporary files.
A company wants to run a hybrid workload for data processing. The data needs to be accessed by on-premises applications for local data processing using an NFS protocol and must also be accessible from the AWS Cloud for further analytics and batch processing. Should Use an AWS Storage Gateway file gateway to provide file storage to AWS, then perform analytics on this data in the AWS Cloud.
A company's website hosted on Amazon EC2 instances processes classified data stored in Amazon S3. Due to security concerns, the company requires a private and secure connection between its EC2 resources and Amazon S3. Should Set up S3 bucket policies to allow access from a VPC endpoint.

PlAwAnSaI · Jun 15, 2021

Database กำลัง Run อยู่บน EC2 instance, Software มีการ Backup ข้อมูลที่ต้องใช้ Block Storage,EBS Cold HDD Volume มีต้นทุนน้อยที่สุด
Amazon Simple Queue Service และ Elastic Load Balancing ช่วยอำนวยความสะดวกในการใช้งานสถาปัตยกรรมที่มีความเป็นอิสระต่อกัน (Loosely Coupled)
Web มี SLA 99% ในด้านประสิทธิภาพการทำงานที่จะตอบสนองต่อ Request ในเวลาน้อยกว่า 1 วินาที ในการทำงานหนักและแบบปกติ การกระจาย Request ไปยัง 4 Instance สามารถรองรับได้ หาก Availability Zone นึง Down ยังจะมีความพร้อมใช้งานสูงในราคาที่คุ้มค่า โดยการใช้ 4 Instance เท่าเดิม แต่ให้มี 2 Availability Zone (ระบบอาจทำงานในสภาวะที่ไม่เต็มรูปแบบ)
หากต้องการความสามารถทนทานต่อความเสียหาย ควรปรับใช้ 8 Instance ใน 2 Availability Zone
มีแผนจะใช้ CloudFormation กับ Instance Linux EC2 ใน 2 Region โดยใช้ Amazon Machine Image (AMI) เดียวกัน ทำได้โดยการ Map AMI เนื่องจากว่า ID ของ AMI จะแตกต่างกันในแต่ละ Region
สามารถเข้าถึงผลลัพธ์ของคำสั่ง Print ของ Lambda ได้จาก CloudWatch Logs
Instance EC2 ใช้ EBS ในการจัดเก็บ State มีการ Snapshot EBS ทุกวัน เมื่อระบบล่ม กู้ขึ้นมาได้จาก Snapshot โดยใช้เวลา 10 นาที
Recovery Time Objective (RTO) = 10 นาที, Recovery Point Objective (RPO) = 1 วัน
https://monsterconnect.co.th/rpo-rto
พื้นที่จัดเก็บแบบ Object ของ Amazon S3 แตกต่างจากพื้นที่จัดเก็บแบบ Block และ File:
- S3 ช่วยให้จัดเก็บ Object ได้ไม่จำกัดจำนวน
- Object จะคงสภาพ - วิธีเดียวที่จะเปลี่ยน Byte ใด Byte หนึ่ง คือต้องแทนที่ Object
- Object จะได้รับการจำลองทั่วทุก Availability Zone ภายใน Region เดียว
คุณสมบัติของ Amazon EBS:
- ข้อมูลที่จัดเก็บไว้จะได้รับการจำลองโดยอัตโนมัติภายใน Availability Zone
- Drive ข้อมูลสามารถเข้ารหัสได้

A company's website provides users with downloadable historical performance reports. The website needs a solution that will scale to meet the company's website demands globally. The solution should be cost-effective, limit the provisioning of infrastructure resources, and provide the fastest possible response time. A solution architect should recommend Amazon CloudFront and S3.
A company is using AWS Key Management Service (AWS KMS) customer master keys (CMKs) to encrypt AWS Lambda environment variables. A solution architect needs to ensure that the required permissions are in place to decrypt and use the environment variables. Add AWS KMS permissions in the Lambda execution role and function policy steps must the solution architect take to implement the correct permissions.
A company operates a website on Amazon EC2 Linux instances. Some of the instances are failing. Troubleshooting points to insufficient swap space on the failed instances. The operations team lead needs a solution to monitor this. A solution architect should recommend Configure an Amazon CloudWatch SwapUsage metric dimension. Monitor the SwapUsage dimension in the EC2 metrics in CloudWatch.
{
"Version": "2013-11-28",
"Statement": [
{
"Sid": "1",
"Effect": "Allow", // Group members are allowed
"Action": "ec2:*", // Group members are permitted any other Amazon EC2 action
"Resource": "*",
"Condition": {
"StringEquals": {
"ec2:Region": "ap-southeast-1" // permissions for / within the ap-southeast-1 Region
}
}
},
{
"Sid": "2",
"Effect": "Deny",
"Action": [
"ec2:StopInstances", // the ec2 StopInstances
"ec2:TerminateInstances" // and ec2 TerminateInstances
],
"Resource": "*",
"Condition": {
"BoolIfExists": {"aws.MultiFactorAuthPresent": false} // only when logged in with multi-factor authentication (MFA)
}
}
]
}
A company runs a web application that is backed by Amazon RDS. A new database administrator caused data loss by accidentally editing information in a database table. To help recover from this type of incident, the company wants the ability to restore the database to its state from 5 minutes before any change within the last 30 days. Automated backups feature should the solution architect include in the design.
A bicycle sharing company is developing a multi-tier architecture to track the location of its bicycles during peak operating hours. The company wants to use these data points in its existing analytics platform. A solution architect must determine the most viable multi-tier option to support this architecture. The data points must be accessible from the REST API. Should Use Amazon API Gateway with Amazon Kinesis Data Analytics for storing and retrieving location data.
A company has deployed a multiplayer game for mobile devices. The game requires live location tracking of players based on latitude and longtitude. The data store for the game must support rapid updates and retrieval of locations.
The game uses an Amazon RDS for PostgreSQL DB instance with read replicas to store the location data. During peak usage periods, the database is unable to maintain the performance that is needed for reading and writing updates. The game's user base is increasing rapidly. Deploy an Amazon ElastiCache for Redis cluster in front of the existing DB instance. Modify the game to use Redis should a solution architect do to improve the performance of the data tier.
A company has created an isolated backup of its environment in another Region. The application is running in warm standby mode and is fronted by an Application Load Balancer (ALB). The current failover process is manual and requires updating a DNS alias record to point to the secondary ALB in another Region. A solution architect should Enable an Amazon Route 53 health check to automate the failover process.
A company's facility has badge readers at every entrance throughout the building. When badges are scanned, the readers send a message over HTTPS to indicate who attempted to access that particular entrance.
A solution architect must design a system to process these messages from the sensors. The solution must be highly available, and the results must be made available for the company's security team to analyze. Create an HTTPS endpoint in Amazon API Gateway. Configure the API Gateway endpoint to invoke an AWS Lambda function to process the messages and save the results to an Amazon DynamoDB table system architecture should the solution architect recommend.
A company operates a website on Amazon EC2 Linux instances. Some of the instances are failing. Troubleshooting points to insufficient swap space on the failed instances. The operations team lead needs a solution to monitor this. A solution architect should recommend Configure an Amazon CloudWatch SwapUsage metric dimension. Monitor the SwapUsage dimension in the EC2 metrics in CloudWatch.

PlAwAnSaI · Jun 21, 2021

ฐานข้อมูล MySQL, MariaDB, PostgreSQL, Oracle, SQL Server, และ Aurora ของ Amazon Relational Database Service (Amazon RDS) รองรับ Read Replica.
Amazon DynamoDB เหมาะที่สุดสำหรับฐานข้อมูลที่ไม่สัมพันธ์
สถานะ Session, ตะกร้าสินค้า, และ Catalog สินค้า เป็นตัวเลือกที่ดีที่จะจัดเก็บไว้ใน Cache
Amazon ElastiCache มี 2 แบบ คือ Memcached และ Redis
ควรใช้ Auto Scaling, Elastic Load Balancer, และ CloudWatch ทำงานร่วมกันเพื่อเปิดใช้งานการปรับขนาดอัตโนมัติของ Instance EC2
Launch Configuration คือ Template ที่ Auto Scaling ใช้เพื่อเรียกใช้ Instance ที่ได้รับการกำหนดค่าอย่างสมบูรณ์โดยอัตโนมัติ
สถานีวิทยุแห่งหนึ่งจัดการประกวดแข่งขันขึ้นมาทุกวันในช่วงเที่ยง โดยจะทำการประกาศ ทำให้อัตราการรับส่งข้อมูลพุ่งขึ้นสูงสุดอย่างทันทีทันใด ซึ่งจำเป็นต้องใช้ Instance EC2 จำนวน 8 Instance ในการประมวลผล ส่วนช่วงเวลาทั่วไปต้องใช้ Instance EC2 จำนวน 2 Instance การสร้างกลุ่ม Auto Scaling ที่มีขั้นต่ำ 2 Instance และตั้งเวลาให้ปรับจำนวนขึ้นเมื่อเวลา 11:40 น.
Application หนึ่งทำงานบน Instance EC2 ในกลุ่ม Auto Scaling, Application นี้ทำงานได้อย่างเหมาะสมที่สุดบน Instance EC2 จำนวน 9 Instance และต้องมี Instance ที่กำลังทำงานอยู่อย่างน้อย 6 Instance เพื่อรักษาประสิทธิภาพการทำงานขั้นต่ำที่ยอมรับได้ในช่วงเวลาสั้นๆ การ Run 9 Instance ใน 3 Availability Zone เป็นการกำหนดค่ากลุ่ม Auto Scaling ซึ่งตอบสนองความต้องการแบบนี้ได้คุ้มค่าที่สุด
ลักษณะของบริการ Auto Scaling บน AWS:
- ตอบสนองต่อสภาพการเปลี่ยนแปลงโดนการเพิ่มหรือยกเลิก Instance Amazon EC2
- เรียกใช้ Instance จาก Amazon Machine Image (AMI) ที่ระบุ
- บังคับใน Instance Amazon EC2 ทำงานตามจำนวนขั้นต่ำ
Web Application กำลังทำงานบน Instance EC2 จำนวน 6 Instance ซึ่งกระจายอยู่ใน 2 Availability Zone ที่อยู่หลัง ELB Classic Load Balancer, ฐานข้อมูลเป็น MySQL ซึ่งทำงานบน Instance EC2 สามารถเพิ่มความพร้อมใช้งานของ Application ได้โดยการเรียกใช้ Instance EC2 สำหรับ Web ในกลุ่ม Auto Scaling และในส่วนฐานข้อมูลย้ายไป Instance Multi-AZ RDS MySQL Database
สามารถติดตามจำนวน Error 404 ที่ผู้ใช้เห็นใน Web Application ที่ Run บน Amazon EC2 Instance ได้โดยใช้ CloudWatch Logs เพื่อรับบันทึกของ Web Server จาก EC2 Instance.
Application Run บน EC2 Instance ต้องเข้าถึง Bucket ใน S3 การ Attach IAM Role กับ EC2 Instance โดย Policy ที่อนุญาตให้เข้าถึง Bucket ใน S3 เพื่อให้ Application สามารถเข้าถึง Bucket ได้อย่างปลอดภัย
ผู้ดูแลระบบ AWS ลาออกจากบริษัทวันนี้ ผู้ดูแลระบบมีสิทธิ์เข้าถึง Root User และ IAM User ของเค้าเอง Account เหล่านี้ใช้สร้าง IAM User อื่นๆ และ Key สามารถปกป้องโครงสร้างพื้นฐานของ AWS ได้โดยการ เปลี่ยนรหัสผ่านและเพิ่ม MFA ให้กับ Root User, Rotate Key และเปลี่ยนรหัสผ่าน IAM User อื่น, และลบ IAM User ของผู้ดูแลระบบทิ้งไป

A company operates a two-tier application for image processing. The application uses two Availability Zones, each with one public subnet and one private subnet. An Application Load Balancer (ALB) for the web tier uses the public subnets. Amazon EC2 instances for the application tier use the private subnets.
Users report that the application is running more slowly than expected. A security audit of the web server log files shows that the application is receiving millions of illegitimate requests from a small number of IP addresses. A solution architect needs to resolve the immediate performance problem while the company investigates a more permanent solution. The solution architect should recommend Modify the network ACL for the web tier subnets. Add an inbound deny rule for the IP addresses that are consuming resources.
A company's security team requests that network traffic be captured in VPC Flow Logs. The logs will be frequently accessed for 90 days and then accessed intermittently. A solution architect should Use Amazon S3 as the target. Enable an S3 Lifecycle policy to transition the logs to S3 Standard-Infrequent Access (S3 Standard-IA) after 90 days.
A company recently started using Amazon Aurora as the data store for its global ecommerce application. When large reports are run developers report that the ecommerce application is performing poorly. After reviewing metrics in Amazon CloudWatch, a solution architect finds that the ReadIOPS and CPUUtilization metrics are spiking when monthly reports run. Increase the Provisioned IOPS on the Aurora instance is the MOST cost-effective solution.
An application runs on Amazon EC2 instances across multiple Availability Zones. The instances run in an Amazon EC2 Auto Scaling group behind an Application Load Balancer. The application performs best when the CPU utilization of the EC2 instances is at or near 40%. A solution architect should Use a target tracking policy to dynamically scale the Auto Scaling group to maintain the desired performance across all instances in the group.
A company's legacy application is currently relying on a single-instance Amazon RDS MySQL database without encryption. Due to new compliance requirements all existing and new data in this database must be encrypted. Should Take a snapshot of the RDS instance. Create an encrypted copy of the snapshot. Restore the RDS instance from the encrypted snapshot.
An ecommerce company hosts its analytics application in the AWS Cloud. The application generates about 300 MB of data each month. The data is stored in JSON format. The company is evaluating a disaster recovery solution to back up the data. The data must be accessible in milliseconds if it is needed, and the data must be kept for 30 days. Amazon Elasticsearch Service (Amazon ES) MOST cost-effectively.
A company has created an isolated backup of its environment in another Region. The application is running in warm standby mode and is fronted by an Application Load Balancer (ALB). The current failover process is manual and requires updating a DNS alias record to point to the secondary ALB in another Region. A solution architect should Enable an Amazon Route 53 health check to automate the failover process.
A company has two VPCs that are located in the ap-southeast-2 Region within the same AWS account. The company needs to allow network traffic between these VPCs. Approximately 500 GB of data transfer will occur between the VPCs each month. Set up a VPC peering connection between the VPCs. Update the route tables of each VPC to use the VPC peering connection for inter-VPC communication is the MOST cost-effective solution to connect these VPCs'.
A company hosts its static website content from an Amazon S3 bucket in the ap-southeast-1 Region. Content is made available through an Amazon CloudFront origin pointing to that bucket. Cross-Region replication is set up to create a second copy of the bucket in the us-east-1 Region. Management wants a solution that provides greater availability for the website. Configure failover routing in Amazon Route 53 and Set up a CloudFront origin group with the ap-southeast-1 bucket as the primary and the us-east-1 bucket as the secondary should a solution architect take to increase availability.
A company is developing a new online gaming application. The application will run on Amazon EC2 instances in multiple AWS Regions and will have a high number of globally distributed users. A solution architect must design the application to optimize network latency for the users. The solution architect should Configure AWS Global Accelerator. Create Regional endpoint groups in each Region where an EC2 fleet is hosted. And Create a Content Delivery Network (CDN) by using Amazon CloudFront. Enable caching for static and dynamic content, and specify a high expiration period.

Cloud Computing

Administrator

Administrator

Administrator

Administrator

Administrator

Administrator

Administrator

Administrator

Administrator

Administrator

Administrator

Administrator

Administrator

Administrator

Administrator

Administrator

Administrator

Administrator

Administrator

Administrator