Estimated complete price
Content | Price
Exam | 135
15 |
Exam questions Mock | 5*15
Total price (worst case scenario) | 250
N.B. I have a voucher for a 50% discount for an attempt of the exam so the price could be lower.
Updates
09/09 - bought the course, started some lectures
16/09 - course finished, today I’ll start to take some notes from the main PDF with the course slides
21/09 - First slides study finished - Tomorrow I’ll start with the free quiz
23/09 - Little break! I’m now reading the Solutions Architect’s Handbook - Seems really interesting!
2/10 - I’m reviewing the study guide and my notes. I’m waiting to use the training budget in order to buy the mock exams
4/10 - I have the mock exams :) Now it's time to take a lot of mock exams!
12/10 - Exam scheduled for 19/10 - In the meantime I’ll continue to study from resources and take other mock exams ;)
19/10 - Here we are!
20/10 - I did it!
Course Notes
Warning
These notes are not intended to be used for study purposes. Since I already have 2 AWS certifications, I’ll add here only things that I think I need to restudy or new material from the AWS SA course.
During the simulations, when I find new info and details that could be useful in the exam, I’ll add them
EC2 - Elastic Compute Cloud
Dedicated Hosts ⇒ Server-bound software licenses - Most expensive option
Spot Instance ⇒ You must first cancel a Spot Request, and then terminate the associated Instances
Single tenant hardware ⇒ Dedicated instances
Placement Groups:
- Cluster ⇒ Cluster instances into a low-latency group in a single AZ (great network, but if the rack fails all the instances fail)
- Spread ⇒ Spread across underlying hardware (max 7 instances per group per AZ) (more resilient, if a rack fails the other instances continue to work)
- Partition ⇒ Spreads instances across many different partitions within an AZ. Up to 7 partitions per AZ
EC2 Hibernate ⇒ Not all instance types are supported. Max 150 GB RAM. An instance cannot be hibernated for more than 60 days
EC2 Instance metadata url ⇒ 169.254.169.254/latest/meta-data
EC2 Enhanced Networking ⇒ ENA (Elastic Network Adapter) up to 100 Gbps
Elastic Fabric Adapter (EFA) ⇒ Improved ENA for HPC. Bypasses the underlying Linux OS to provide low-latency transport
AWS ParallelCluster ⇒ cluster management tool, enable EFA on the cluster
The maximum size of an instance store is 10GB and it is used for temporary purposes, but multiple instance stores can be added.
A recovered instance (from an AWS failure) is identical to the original instance, including the instance ID, private IP addresses, Elastic IP addresses, and all instance metadata. If the impaired instance is in a placement group, the recovered instance runs in the placement group. If your instance has a public IPv4 address, it retains the public IPv4 address after recovery.
Security groups
Good to maintain one security group for SSH access
EBS - Elastic Block Store
When launching an EC2 instance, the EBS volume for root cannot be encrypted.
You can launch the instance with an unencrypted root volume and create a snapshot of the root volume. Once the snapshot is created, you can copy it and make the copy encrypted.
EBS volume type can be converted for example from io1 to gp2
You can disable the delete on termination using the CLI by setting the DeleteOnTermination attribute
Snapshots
Snapshots archive ⇒ Move to an archive tier that is 75% cheaper
Recycle Bin ⇒ Retain a deleted snapshot to recover after an accidental deletion (from 1 day to 1 year retention)
Fast Snapshot Restore ⇒ No latency on the first use (costs a lot)
Volume Types
- io2 Block Express ⇒ Max PIOPS 256000
- io1/io2 ⇒ Max PIOPS 64000 for Nitro EC2 and 32000 for others - increase storage and PIOPS independently
- gp3 ⇒ 3000 IOPS - up to 16000 IOPS and up to 1000 MiB/s throughput
- gp2 ⇒ IOPS and size are linked (3000 - 16000) - max IOPS at 5,334 GB
- st1 ⇒ Max IOPS 500
- sc1 ⇒ Max IOPS 250
Multi-Attach ⇒ io1/io2 - up to 16 EC2 instances at a time
EFS - Elastic File System
- Performance mode
  - General Purpose
  - Max I/O
- Throughput mode
  - Bursting
  - Provisioned
Load balancing and auto scaling
- ALB - Application Load Balancer
  - *.example.com matches only the target subdomains and not example.com
- NLB - Network Load Balancer
  - From NLB to EC2 instances, traffic is routed using the primary private IP address specified in the primary network interface for the instance
  - Network Load Balancers expose a fixed IP to the public web, therefore allowing your application to be predictably reached using these IPs, while allowing you to scale your application behind the Network Load Balancer using an ASG (while an ALB exposes a DNS name (URL) to the web).
- GLB - Gateway Load Balancer
  - Layer 3
  - Uses the GENEVE protocol on port 6081
SNI Protocol ⇒ The client indicates the hostname of the target in the initial SSL handshake (supported by ALB, NLB and CloudFront)
Auto Scaling Group
You can put an instance that is in the InService state into the Standby state, update some software or troubleshoot the instance, and then return the instance to service. Instances that are on standby are still part of the Auto Scaling group, but they do not actively handle application traffic. https://docs.aws.amazon.com/autoscaling/ec2/userguide/as-enter-exit-standby.html
Default termination policy
- Determine whether any of the instances use the oldest launch template/launch configuration
- If there are multiple unprotected instances to terminate, determine which are closest to the next billing hour
- Terminate one of the instances at random
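The three steps above as a small selector, added here as an example (it is not code from the notes or from AWS): it applies the steps in order to a constructed group of instances. The launch-template age is modelled as a hypothetical integer version, instance ids are made up, and the real AWS policy first balances Availability Zones, which this omits.

```python
import random
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Instance:
    instance_id: str
    template_version: int            # hypothetical: lower = older launch template/configuration
    launch_time: datetime
    protected_from_scale_in: bool = False


def minutes_to_next_billing_hour(inst: Instance, now: datetime) -> float:
    """Minutes until the instance completes its next whole hour of uptime."""
    elapsed_min = (now - inst.launch_time).total_seconds() / 60
    return 60 - (elapsed_min % 60)


def choose_instance_to_terminate(instances, now: datetime, rng=random):
    """Apply the three steps of the default termination policy from the notes, in order:
    oldest launch template/configuration -> closest to the next billing hour -> random."""
    # Instances protected from scale-in are never candidates.
    candidates = [i for i in instances if not i.protected_from_scale_in]
    if not candidates:
        return None
    # Step 1: keep only the instances on the oldest launch template/configuration.
    oldest = min(i.template_version for i in candidates)
    candidates = [i for i in candidates if i.template_version == oldest]
    # Step 2: if several remain, keep those closest to the next billing hour.
    if len(candidates) > 1:
        remaining = {i.instance_id: minutes_to_next_billing_hour(i, now) for i in candidates}
        closest = min(remaining.values())
        candidates = [i for i in candidates if abs(remaining[i.instance_id] - closest) < 1e-9]
    # Step 3: break any remaining tie at random.
    return rng.choice(candidates) if len(candidates) > 1 else candidates[0]


def terminate_candidate_id(instances, now: datetime):
    chosen = choose_instance_to_terminate(instances, now)
    return chosen.instance_id if chosen else None


# Constructed sample groups (not real instance ids). NOW is fixed so results are reproducible.
NOW = datetime(2023, 10, 19, 12, 0, tzinfo=timezone.utc)
SAMPLE_GROUP = [
    Instance("i-0a", 2, NOW - timedelta(minutes=125)),   # newer template: dropped by step 1
    Instance("i-0b", 1, NOW - timedelta(minutes=50)),    # oldest template, 10 min to billing hour
    Instance("i-0c", 1, NOW - timedelta(minutes=30)),    # oldest template, 30 min to billing hour
    Instance("i-0d", 1, NOW - timedelta(minutes=55), protected_from_scale_in=True),  # never chosen
]
TIED_GROUP = [
    Instance("i-1a", 1, NOW - timedelta(minutes=20)),    # 40 min to the hour
    Instance("i-1b", 1, NOW - timedelta(minutes=80)),    # 80 % 60 == 20, also 40 min: step 3 decides
]

if __name__ == "__main__":
    print(terminate_candidate_id(SAMPLE_GROUP, NOW))   # i-0b
    print(terminate_candidate_id(TIED_GROUP, NOW))     # i-1a or i-1b
```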
Launch templates (LTs) are newer than launch configurations (LCs) and provide more options to work with. Thus, the AWS documentation recommends use of launch templates (LTs) over launch configuration (LCs). One of the practical key differences between LT and LC is the fact that LC is immutable. Once you define it, you can't edit it. Only a replacement is an option. However, a single LT can have multiple versions
Amazon EC2 Auto Scaling creates a new scaling activity for terminating the unhealthy instance and then terminates it. Later, another scaling activity launches a new instance to replace the terminated instance
Databases
RDS
Database parameters specify how the database is configured. For example, database parameters can specify the amount of resources, such as memory, to allocate to a database.
IAM database authentication works with MySQL and PostgreSQL. With this authentication method, you don't need to use a password when you connect to a DB instance. Instead, you use an authentication token.
If your workload is unpredictable, you can enable storage autoscaling for an Amazon RDS DB instance. With storage autoscaling enabled, when Amazon RDS detects that you are running out of free database space it automatically scales up your storage. Amazon RDS starts a storage modification for an autoscaling-enabled DB instance when these factors apply:
- Free available space is less than 10 percent of the allocated storage.
- The low-storage condition lasts at least five minutes.
- At least six hours have passed since the last storage modification.
- The maximum storage threshold is the limit that you set for autoscaling the DB instance. You can't set the maximum storage threshold for autoscaling-enabled instances to a value greater than the maximum allocated storage.
Read only for Multi Region
https://aws.amazon.com/about-aws/whats-new/2019/11/amazon-rds-for-oracle-now-supports-managed-disaster-recovery-and-data-proximity-with-cross-region-read-replicas/
Standby instance is for Single Region - Multi AZ
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.MultiAZ.html
RDS Custom available for Oracle and Microsoft SQL Server. You can access via SSH to the OS and the database (have to disable Automation mode)
RDS Proxy ⇒ Serverless service to create a connection pool. Really useful for lambda functions and improving database efficiency. Must be accessed from VPC
RDS Automated Backups can be created in multiple Regions
The database engine level upgrade for RDS will trigger both primary and standby DB to be upgraded at the same time. This causes downtime until the upgrade is complete.
When creating a read-replica, you should create a read-replica with the same compute capacity and the same storage capacity as the primary.
Aurora
- Custom endpoints ⇒ Define a subset of Aurora instances as a Custom Endpoint (for example for analytical queries)
- Aurora serverless!!!
- Aurora Multi-Master ⇒ Every node does R/W
- Aurora Global
  - 1 primary region - up to 5 secondary regions
  - Up to 16 read replicas per secondary region
  - Cross-region replication typically takes less than 1 second
- Aurora ML
  - Add ML-based predictions to the app via SQL
  - Built on top of SageMaker and Comprehend
Restore ⇒ Create a backup of the DB using Percona XtraBackup, store the file on S3 and restore the file in a new Aurora cluster
You can quickly create clones of an Aurora DB by using the database cloning feature. In addition, database cloning uses a copy-on-write protocol, in which data is copied only at the time the data changes, either on the source database or the clone database. Cloning is much faster than a manual snapshot of the DB cluster.
Elasticache
Redis Sorted sets guarantee both uniqueness and element ordering
multi-threading caching ⇒ MemCached
DocumentDB
AWS Implementation of MongoDB
Neptune
Graph database
Keyspaces
A managed Apache Cassandra-compatible database service
Serverless. Tables are replicated 3 times across multiple AZ. Use the Cassandra Query Language
QLDB
Ledger for recording financial transactions
Timestream
Time series database
1000s times faster & 1/10th the cost of relational databases
Route53
Health checks can be calculated with OR, AND or NOT. Up to 256 Child Health Checks
Since Health Checks are only for public resources, to monitor a private resource you have to set up a CloudWatch alarm on the resource and make the health checker monitor that alarm
A systems administrator has created a private hosted zone and associated it with a Virtual Private Cloud (VPC). However, the DNS queries for the private hosted zone remain unresolved ⇒ Enable DNS hostnames and DNS resolution for private hosted zones
S3 Storage and Data Management
Up to 10 tags per object
Delivers strong read-after-write consistency automatically
Once you version-enable a bucket, it can never return to an unversioned state. Versioning can only be suspended once it has been enabled.
Endpoints:
- http://bucket-name.s3-website.Region.amazonaws.com
- http://bucket-name.s3-website-Region.amazonaws.com
To copy data from a source bucket to a destination bucket you can use the aws s3 sync command
Security
- User based
  - IAM policy
  - A password policy could be set at Account level
- Resource based
  - Bucket policies
  - Object Access Control List
  - Bucket Access Control List
- MFA-Delete (can be enabled/disabled only by the root account using the CLI)
- Glacier Vault Lock
  - WORM model
- Retention mode - Compliance ⇒ Object version cannot be overwritten or deleted
- Retention mode - Governance ⇒ Only admins can overwrite or delete
- Retention period ⇒ Cannot delete the object for an amount of time
- Legal Hold ⇒ Protect the object indefinitely, independent of the retention period
- Access Points
  - Each Access Point gets its own DNS name and policy to limit who can access it
Different versions of a single object can have different retention modes and periods
Storage classes
- Standard
- Standard IA
- One Zone IA
  - The minimum storage duration is 30 days before you can transition objects from S3 Standard to S3 One Zone-IA.
- Glacier
  - Glacier Instant Retrieval
    - millisecond retrieval
  - Glacier Flexible Retrieval
    - Expedited (1-5 minutes), Standard (3-5 hours), Bulk (5-12 hours)
  - Glacier Deep Archive
    - Standard (12 hours), Bulk (48 hours)
- Intelligent Tiering
Performance improvements:
- Multi-Part upload
- S3 Transfer Acceleration
  - You only pay for transfers that are accelerated
- S3 Byte-Range Fetches
- S3 Select to retrieve less data using SQL
With Requester Pays, we pay for the storage but the requester pays for the requests. Useful if you’re working with multiple accounts or between companies.
S3 Object Lambda ⇒ Use Lambda to change the object before it is retrieved by the caller
Batch Operations ⇒ Perform bulk operations on existing S3 objects with a single request
Cloudfront
Allows for GeoRestriction
Can be used also to deliver Video Streaming
In CloudFront there is no 7-day limit on the expiration date of pre-signed URLs
Field-level encryption allows you to enable your users to securely upload sensitive information to your web servers. The sensitive information provided by your users is encrypted at the edge, close to the user, and remains encrypted throughout your entire application stack. This encryption ensures that only applications that need the data—and have the credentials to decrypt it—are able to do so.
To use field-level encryption, when you configure your CloudFront distribution, specify the set of fields in POST requests that you want to be encrypted, and the public key to use to encrypt them. You can encrypt up to 10 data fields in a request. (You can’t encrypt all of the data in a request with field-level encryption; you must specify individual fields to encrypt.)
CloudFront signed cookies allow you to control who can access your content when you don't want to change your current URLs or when you want to provide access to multiple restricted files, for example, all of the files in the subscribers' area of a website.
Advanced storage
Snowcone
- 8 TB of storage
- 2 CPUs - 4 GB of memory
Snowball Edge
- Storage Optimized ⇒ 80 TB of capacity
  - 40 vCPUs, 80 GB of RAM
- Compute Optimized ⇒ 42 TB of capacity
  - 52 vCPUs, 208 GB of RAM
Snowmobile
- 100PB of capacity
- Better than Snowball if you transfer more than 10PB
FSx
- FSx for Lustre
  - Mounting FSx for Lustre on an AWS Fargate launch type isn't supported.
  - HPC - Parallel distributed FS - Can be used from on-premises (VPN, Direct Connect)
  - Scratch File System
    - Temporary storage
  - Persistent File System
    - Long-term storage
- FSx for Windows File Server
  - Managed Windows file system, can be mounted on EC2, Active Directory, Microsoft DFS - Can be used from on-premises (VPN, Direct Connect)
- FSx for NetApp ONTAP
  - Filesystem for Hybrid Cloud, compatible with a lot of AWS services
- FSx for OpenZFS
  - Filesystem compatible with NFS
Storage gateway
Bridge between on-premises and cloud data
Volume Gateways and Cached Volumes can be used to start storing data in S3. Cached volumes offer substantial cost savings on primary storage and minimize the need to scale your storage on-premises.
- S3 File Gateway
  - SMB, Active Directory
- FSx (for Windows File Server) File Gateway
  - SMB, NTFS, Active Directory
- Volume Gateway
  - Entire dataset on-premises, scheduled backup to S3
  - iSCSI protocol
- Tape Gateway
  - iSCSI interface
  - Used to connect with the backup applications using the iSCSI virtual tape library (VTL) interface
  - Support for direct connection between Tape Gateway and S3 Glacier Deep Archive
Hardware appliance available
Transfer Family
Service for file transfer in/out of S3 or EFS using FTP, FTPS or SFTP
DataSync
- Scheduled moving of large amounts of data to and from AWS and/or on-premises
- Can sync to S3, EFS, FSx
- Metadata and permissions preserved
Messaging
SQS
The name of a FIFO queue must end with the .fifo suffix.
You can now use Amazon SNS FIFO topics, in combination with SQS FIFO queues, to build applications that require messages to be sent and processed in a strict sequence and without duplicates.
SNS is a notification service and cannot be used for real-time processing of data.
We, therefore, need to use an SQS FIFO queue. If we don't specify a GroupID, then all the messages are in absolute order, but we can only have 1 consumer at most. To allow for multiple consumers to read data for each Desktop application, and to scale the number of consumers, we should use the "Group ID" attribute.
Kinesis
Real-time data streaming
- Data Streams
  - Capture, process and store data streams
  - 1 MB/sec or 1000 msg/sec per shard in input
  - 2 MB/sec per shard per consumer in output
  - Data retention up to 365 days - ability to reprocess - immutability
  - Provisioned mode
  - On-demand mode ⇒ No need to provision the capacity (don’t handle shards)
  - Batch messages to send many Records Per Second (RPS)
- Data Firehose
  - Load data streams into AWS data stores
  - Batch writes ⇒ Min 60 seconds latency or 1 MB of data at a time
  - Support for data transformation, conversion, compression
  - Kinesis Agent cannot write to a Kinesis Firehose for which the delivery stream source is already set as Kinesis Data Streams
- Data Analytics
  - Analyze data streams with SQL or Apache Flink
- Video Streams
  - Capture, process and store video streams
MSK - Managed Streaming for Apache Kafka
Managed service to handle Kafka brokers and nodes. Data stored in EBS for as long as you want.
MSK Serverless ⇒ Serverless service (stonks!)
Container
ECS - Elastic Container Service
Mount EFS file system onto ECS tasks
AWS Application Auto Scaling is used to scale the containers based on CPU Utilization, RAM, Request Count per Target.
- Target Scaling
- Step Scaling
- Scheduled Scaling
With the EC2 Launch type you can use an EC2 auto scaling group to scale also the instances
EKS - Elastic Kubernetes Service
CloudWatch Container Insights for logging
Node Types:
- Managed Node Groups
  - Handle EC2 for you
- Self-Managed nodes
  - You handle EC2, can use prebuilt AMI
- Fargate
  - AWS manages everything ⇒ Serverless, we like it!
Data volumes:
- Need to specify a StorageClass manifest on the EKS cluster
- Leverage a Container Storage Interface (CSI) with support for
  - EBS
  - EFS (Fargate)
  - FSx for Lustre
  - FSx for NetApp ONTAP
App Runner
Fully managed service that makes it easy to deploy web apps and APIs at scale. Handles all the infrastructure (similar in behaviour to Beanstalk?)
Serverless
Lambda
To deploy Lambda in a VPC, Lambda will create an ENI in the subnets
With RDS Proxy you have to deploy Lambda inside your VPC
DynamoDB
Item max size ⇒ 400 KB
- Provisioned Mode
  - Pay for provisioned RCU and WCU
  - Autoscaling mode for RCU and WCU
- On-Demand Mode
DynamoDB could be costlier rather than Aurora global database
DAX ⇒ Seamless cache on top of DynamoDB
Global Tables
- Multiple regions
- Active-active replication
- Read and write in any region
PITR up to 35 days ⇒ Creates a new table
API Gateway
- Features
  - Support for WebSocket
  - Versioning
  - Different environments
  - Handle security
  - Handle API keys
  - Generate SDK and API specifications
- Types
  - Edge-optimized
  - Regional
  - Private
Data & Analytics
Athena
Analyze & query with SQL data from S3 bucket.
Supports CSV, JSON, ORC, Avro and Parquet.
With columnar data you can save costs
Redshift
Used for OLAP. Based on PostgreSQL. Faster joins than Athena
Clusters available with compute nodes.
Automated/Manual copies in different regions
Large inserts are MUCH better
Spectrum ⇒ Query data on S3 without loading it
Opensearch
Search in any field, even partial matches. Often used as a complement to another database
EMR - Elastic Map Reduce
Hadoop clusters ⇒ Analyze vast amounts of data
Node Types:
- Master node ⇒ Manage the cluster
- Core node ⇒ Run tasks and store data
- Task node ⇒ Spot instances to run tasks
QuickSight
Dashboard with users.
SPICE engine ⇒ In-memory computation
Enterprise edition ⇒ Setup Column-Level security, groups
Glue
Serverless ETL service
Job Bookmarks ⇒ Prevent re-processing old data
Elastic views ⇒ Combine and replicate data across multiple data stores
DataBrew ⇒ Clean and normalize data using pre-built transformation
Studio ⇒ GUI to run and monitor ETL jobs
Streaming ETL ⇒ built on Apache Spark Structured Streaming
Lake Formation
Built on top of Glue, create data lakes in days instead of months
Main security feature ⇒ centralized permission
Machine Learning
Rekognition
Find objects, people, text etc. with ML.
Facial Analysis and facial search available with familiar faces database.
Content moderation ⇒ Set confidence threshold and flag sensitive content for manual review in Amazon Augmented AI
Transcribe
Speech to text ⇒ Automatically remove PII using Redaction
Polly
Pronunciation lexicons ⇒ customize the pronunciation of words (SynthesizeSpeech)
Speech Synthesis Markup Language
Comprehend ⇒ NLP
Comprehend Medical ⇒ Detects and returns useful info in unstructured clinical text
Kendra
Document Search Service based on Knowledge Index ⇒ Different data sources. Query with natural language search
Textract
Extracts text, handwriting and data from any scanned document
Monitoring, Auditing and Performance
CloudWatch Metrics
Metric ⇒ Variable to monitor in a namespace with a timestamp. A dimension is an attribute of a metric (up to 10 dimensions per metric)
Can create custom metrics
CloudWatch Logs
Log group, log stream
CloudWatch Log Insights ⇒ Used to query logs and add queries to CW Dashboards.
Log data can take up to 12 hours (not real-time) to become available for export ⇒ CreateExportTask
CloudWatch Container Insights
Aggregate and summarize metrics and logs from containers.
Available for ⇒ ECS, EKS, Kubernetes on EC2, Fargate ⇒ Containerized version of the CloudWatch Agent
CloudWatch Application Insights
Automated dashboards that show potential problems with monitored applications, to help isolate ongoing issues (powered by SageMaker)
CloudTrail
Events stored for 90 days
- Management Events
  - Logged by default
- Data Events
  - Not logged by default
- Insights Events
  - Detect unusual activity by analyzing write events for unusual patterns
Advanced Identity in AWS
IAM Permission Boundaries ⇒ Use a managed policy to set the maximum permissions an IAM entity can get
Permission boundaries are not allowed for groups, but only for users and roles
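How a boundary caps permissions, as an added example (not from the notes or from AWS): the statements are constructed, only the Action element is modelled, and the evaluation rule used is IAM's documented one, an explicit Deny wins over any Allow and otherwise both the identity policy and the boundary must allow the action.

```python
from fnmatch import fnmatchcase

# Constructed IAM-style statements for this example; only the Action element is modelled
# (Resource and Condition are ignored).
IDENTITY_POLICY = [
    {"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*", "iam:CreateUser"]},
]
# Permission boundary: the ceiling for the user or role, whatever its identity policies say.
BOUNDARY = [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*", "ec2:Describe*"]},
    {"Effect": "Deny", "Action": "s3:GetBucketPolicy"},
]


def evaluate_policy(statements, action: str) -> str:
    """Decide one action against one policy: 'deny' (explicit), 'allow', or 'implicit_deny'.
    As in IAM, an explicit Deny wins over any Allow and no match at all is an implicit deny.
    Action names are matched case-insensitively with IAM-style '*' wildcards."""
    decision = "implicit_deny"
    for stmt in statements:
        patterns = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if any(fnmatchcase(action.lower(), p.lower()) for p in patterns):
            if stmt["Effect"] == "Deny":
                return "deny"
            decision = "allow"
    return decision


def is_allowed(identity_policy, boundary, action: str) -> bool:
    """With a boundary attached, an action needs an Allow in BOTH the identity policy and the
    boundary, and an explicit Deny in either blocks it. The boundary only caps; it never grants."""
    return (evaluate_policy(identity_policy, action) == "allow"
            and evaluate_policy(boundary, action) == "allow")


def effective_actions(identity_policy, boundary, candidate_actions) -> list:
    """Reduce a list of candidate actions to what the entity can actually do."""
    return [a for a in candidate_actions if is_allowed(identity_policy, boundary, a)]


CANDIDATES = ["s3:GetObject", "s3:PutObject", "s3:GetBucketPolicy",
              "ec2:DescribeInstances", "ec2:RunInstances", "iam:CreateUser"]

if __name__ == "__main__":
    for action in CANDIDATES:
        # Only s3:GetObject and ec2:DescribeInstances survive the intersection.
        print(f"{action:24} {is_allowed(IDENTITY_POLICY, BOUNDARY, action)}")
```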
The IAM service supports only one type of resource-based policy called a role trust policy, which is attached to an IAM role.
AWS Security and Encryption
KMS - Key Management Service
CMK ⇒ Symmetric | Asymmetric
Pricing ⇒ $1/month per imported key or user-created key + $0.03/1000 API calls
Encrypt/Decrypt up to 4 KB of data per call. If more is needed, use envelope encryption
1 year automatic rotation for Customer-managed CMK (if enabled) ⇒ Can use manual rotation with aliases
Multi-Region keys ⇒ A primary and replicas for the other regions. Each key managed independently
Secrets manager
Auto rotation of secrets every X days. Integration with RDS
WAF - Web Application Firewall
Layer 7 protection
Deploy on ⇒ ALB, API Gateway, CloudFront AppSync GraphQL API, Cognito User Pool
Create up to 10k rules. A rule group is a reusable set of rules
NLB is not supported, and to have a fixed IP with an ALB we need to use Global Accelerator
WAF+Shield = Shield Advanced : AWS Shield Advanced includes AWS WAF in its priced subscription (Shield Standard doesn't)
Could be used to filter incoming traffic from embargoed countries
Inspector
Automated Security Assessments for EC2 instances and Container
VPC - Virtual Private Cloud
CIDR ⇒ Base IP and subnet mask (/0, /16, /24, /32). The subnet mask fixes the leading bits of the base IP; the remaining bits can take any value.
32 - x = y ⇒ 2^y = number of addresses (x = subnet mask length)
Private IPs values:
- 10.0.0.0 - 10.255.255.255 (10.0.0.0/8)
- 172.16.0.0 - 172.31.255.255 (172.16.0.0/12)
- 192.168.0.0 - 192.168.255.255 (192.168.0.0/16)
VPC
Max 5 VPC per region. Max 5 CIDR per VPC. Since VPC is private, only the private IPv4 ranges are allowed.
The option "VPC with a public subnet only and AWS Site-to-Site VPN access" is NOT supported by the Amazon VPC console wizard.
Subnet
AWS Reserves 5 IP addresses (first 4 & last 1)
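The CIDR arithmetic, the private-range rule and the five reserved subnet addresses from the sections above, worked through with Python's standard ipaddress module as an added example (not code from the notes). Two things it uses are AWS-documented facts not stated in the notes: VPC and subnet CIDR blocks must be between /16 and /28, and the roles of the reserved addresses (network, router, DNS, future use, broadcast).

```python
import ipaddress

# RFC 1918 private ranges, as listed in the notes above: the only ranges a VPC CIDR may use.
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
# AWS-documented limit (not in the notes): VPC and subnet CIDR blocks must be /16 to /28.
MIN_PREFIX, MAX_PREFIX = 16, 28
AWS_RESERVED_PER_SUBNET = 5          # first four and last address, as the notes say


def address_count(prefix_len: int) -> int:
    """The notes' rule: y = 32 - x (x = mask length), 2**y addresses in the block."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("IPv4 prefix length must be between 0 and 32")
    return 2 ** (32 - prefix_len)


def validate_cidr(cidr: str) -> ipaddress.IPv4Network:
    """Accept a VPC or subnet CIDR only if it is well-formed, aligned, RFC 1918 and /16 to /28."""
    net = ipaddress.ip_network(cidr, strict=True)   # strict: host bits must be zero (10.0.0.5/24 fails)
    if net.version != 4:
        raise ValueError(f"{cidr}: only IPv4 CIDRs are handled here")
    if not any(net.subnet_of(r) for r in PRIVATE_RANGES):
        raise ValueError(f"{cidr} is not inside a private (RFC 1918) range")
    if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
        raise ValueError(f"{cidr}: prefix length must be between /{MIN_PREFIX} and /{MAX_PREFIX}")
    return net


def is_valid_cidr(cidr: str) -> bool:
    try:
        validate_cidr(cidr)
        return True
    except ValueError:
        return False


def reserved_addresses(subnet_cidr: str) -> list:
    """The five addresses AWS reserves in every subnet; roles are as AWS documents them."""
    net = validate_cidr(subnet_cidr)
    base = int(net.network_address)
    return [
        str(ipaddress.ip_address(base)),       # network address
        str(ipaddress.ip_address(base + 1)),   # VPC router
        str(ipaddress.ip_address(base + 2)),   # Amazon-provided DNS
        str(ipaddress.ip_address(base + 3)),   # reserved by AWS for future use
        str(net.broadcast_address),            # network broadcast (not usable in a VPC)
    ]


def usable_addresses(subnet_cidr: str) -> int:
    """Addresses a subnet can actually assign to network interfaces."""
    net = validate_cidr(subnet_cidr)
    return address_count(net.prefixlen) - AWS_RESERVED_PER_SUBNET


if __name__ == "__main__":
    print(address_count(24), usable_addresses("10.0.1.0/24"))   # 256 251
    print(reserved_addresses("10.0.1.0/28"))
```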
Internet Gateway
Allows resources in a VPC to connect to the Internet. Created separately from a VPC. One VPC can be attached to one IGW and vice versa. To enable internet routing you have to update route tables
An Internet Gateway serves two purposes: to provide a target in your VPC route tables for internet-routable traffic and to perform network address translation (NAT) for instances that have been assigned public IPv4 addresses. Therefore, for instance E1, the Network Address Translation is done by Internet Gateway I1.
Additionally, an Internet Gateway supports IPv4 and IPv6 traffic. It does not cause availability risks or bandwidth constraints on your network traffic.
NAT Instances and NAT Gateway
NAT Instance
- Allows EC2 Instances in private subnet to connect to the Internet.
- Must be launched in a public subnet
- Must disable EC2 setting: Source/destination check
- Must have Elastic IP attached to it
- Route tables must be configured to route traffic from private subnets to the NAT Instance
NAT Gateway
- AWS-managed NAT, pay per hour of usage and bandwidth
- Requires IGW
- Resilient in a single AZ, must create multiple NAT Gateways in multiple AZs for fault tolerance. No cross-AZ failover
Egress-only Internet Gateway
- Used for IPv6 only
- Allows instances in your VPC outbound connections over IPv6 while preventing the internet from initiating an IPv6 connection to your instances
NACL - Network Access Control List
One NACL per subnet. Can define rules [1-32766] (increments of 100 are recommended)
Ephemeral Ports ⇒ Clients connect to a defined port and expect a response on an ephemeral port
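Why the ephemeral-port line matters, as an added example (not code from the notes or from AWS): a stateless evaluator over constructed NACL rule sets for a public web subnet. The evaluation behaviour modelled is AWS's documented one and not spelled out in the notes: NACLs are stateless, rules are evaluated from the lowest number and the first match wins, and the implicit final rule denies; 1024-65535 is AWS's general recommendation for the ephemeral range, and the client addresses are documentation ranges.

```python
import ipaddress
from dataclasses import dataclass

# AWS's general recommendation for the ephemeral (return-traffic) range; clients pick a port here.
EPHEMERAL_RANGE = (1024, 65535)


@dataclass(frozen=True)
class NaclRule:
    number: int        # 1-32766 from the notes; lower numbers are evaluated first
    protocol: str      # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    cidr: str          # remote CIDR the rule applies to
    action: str        # "allow" or "deny"

    def matches(self, protocol: str, port: int, remote_ip: str) -> bool:
        if self.protocol not in ("all", protocol):
            return False
        if self.protocol != "all" and not self.port_from <= port <= self.port_to:
            return False
        return ipaddress.ip_address(remote_ip) in ipaddress.ip_network(self.cidr)


def evaluate(rules, protocol: str, port: int, remote_ip: str) -> str:
    """Stateless evaluation: rules sorted by number, first match wins, implicit '*' rule denies."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(protocol, port, remote_ip):
            return rule.action
    return "deny"


# Constructed inbound rules for a public web subnet. One abusive range (203.0.113.0/24, a
# documentation range) is denied at 90 so it is evaluated before the broad allow at 100.
INBOUND = [
    NaclRule(90, "tcp", 443, 443, "203.0.113.0/24", "deny"),
    NaclRule(100, "tcp", 443, 443, "0.0.0.0/0", "allow"),
    NaclRule(110, "tcp", EPHEMERAL_RANGE[0], EPHEMERAL_RANGE[1], "0.0.0.0/0", "allow"),  # replies to our own outbound calls
]

# Outbound rules without the ephemeral range: the HTTPS *response* to a client cannot leave.
OUTBOUND_BROKEN = [
    NaclRule(100, "tcp", 443, 443, "0.0.0.0/0", "allow"),
]
# Outbound rules with the ephemeral range added, which is what the notes' line on ephemeral ports implies.
OUTBOUND_FIXED = OUTBOUND_BROKEN + [
    NaclRule(110, "tcp", EPHEMERAL_RANGE[0], EPHEMERAL_RANGE[1], "0.0.0.0/0", "allow"),
]


def https_exchange_allowed(inbound, outbound, client_ip: str, client_port: int) -> bool:
    """A client connects to tcp/443; both the request and the reply must pass the stateless NACL."""
    request_ok = evaluate(inbound, "tcp", 443, client_ip) == "allow"
    reply_ok = evaluate(outbound, "tcp", client_port, client_ip) == "allow"
    return request_ok and reply_ok


if __name__ == "__main__":
    print(https_exchange_allowed(INBOUND, OUTBOUND_BROKEN, "198.51.100.7", 51234))  # False
    print(https_exchange_allowed(INBOUND, OUTBOUND_FIXED, "198.51.100.7", 51234))   # True
    print(https_exchange_allowed(INBOUND, OUTBOUND_FIXED, "203.0.113.9", 51234))    # False (rule 90)
```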
VPC Peering
Connect two VPCs using the AWS network
CIDRs must not overlap. VPC Peering is NOT transitive.
You must update route tables in each VPC’s subnets to ensure EC2 instances can communicate
Can create VPC Peering between VPCs in different AWS accounts/regions
Use VPC sharing to share one or more subnets with other AWS accounts belonging to the same parent organization from AWS Organizations
VPC Endpoints
Allows you to connect to AWS services using a private network instead of the public internet
Endpoint types:
- Interface Endpoints (PrivateLink) ⇒ Provisions an ENI $ per hour + $ per GB of data
- Gateway Endpoints ⇒ target in a route table for S3 and DynamoDB (free)
VPC Flow Logs
Capture information about IP traffic going into your interfaces
Site-to-Site VPN
Virtual Private Gateway
- VPN concentrator on AWS side
- Enable the Route Propagation for the VPG in the route table that is associated with your subnets
- If you need to PING, add the ICMP protocol
Customer Gateway
- Software or physical device on the customer side of the VPN connection
VPN CloudHub ⇒ Provide secure communication between multiple sites, if you have multiple VPN connections.
Direct Connect
Provides a dedicated private connection from a remote network to your VPC
Setup a Virtual Private Gateway on your VPC
Direct Connect Gateway ⇒ Setup a DX in one or more VPC in many regions
Connection Types:
- Dedicated
  - Physical Ethernet port dedicated to a customer
- Hosted
  - Connection requests are made via AWS Direct Connect Partners
  - Capacity can be added or removed on demand
Lead times > 1 month to establish a new connection
Resiliency:
- High Resiliency for Critical Workloads
- Maximum Resiliency for Critical Workloads
- Each connection has 2 redundant connections
Transit gateway
For having transitive peering between thousands of VPC and on-premises, hub-and-spoke (star) connection
Support IP Multicast
ECMP ⇒ Equal-cost multi-path routing | create multiple Site-to-Site VPN connections to increase the bandwidth of your connection to AWS
VPC - Traffic Mirroring
Allows you to capture and inspect network traffic in your VPC
AWS Network Firewall
Protect your entire Amazon VPC
From Layer 3 to Layer 7 protection
The AWS Network Firewall uses the AWS Gateway Load Balancer
Disaster Recovery & Migrations
RPO ⇒ Recovery Point Objective
RTO ⇒ Recovery Time Objective
Strategies:
- Backup and Restore
- Pilot Light
- Warm Standby
- Hot Site / Multi Site Approach
DMS - Database Migration Service
Homogeneous and heterogeneous migrations. Replication task performed by a provisioned EC2 instance
DMS is used to replicate data from a database to Redshift
DMS could be used as a bridge between S3 and Kinesis Data Stream
Schema Conversion Tool ⇒ SCT
- Convert database’s schema from one engine to another
AWS Backup
Manage and automate backups across AWS services
Backup Vault Lock ⇒ WORM state for all the backups
Other stuff
- Security Token Service
  - Web service that enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or for users you authenticate (federated users).
- AWS Control Tower
  - Govern a secure multi-account AWS environment
- GuardDuty
  - A threat detection service that constantly monitors your AWS accounts and workloads for malicious activity and returns detailed security findings for visibility and recovery.
  - Disable the service in the general settings - Disabling the service will delete all remaining data, including your findings and configurations, before relinquishing the service permissions and resetting the service.
- Elastic MapReduce
  - Create a cluster of open-source frameworks for big data analytics - Apache Spark, Presto (a serverless option is also available)
- AWS PrivateLink
  - Connect to AWS services using a private network instead of the public Internet
- Cost Explorer
  - An interface that lets you visualize, understand, and manage your AWS costs and usage over time
- Budgets
  - Budgets helps set custom spending plans so you can control costs and forecast future spending
- Cost and Usage Report
  - Cost and Usage Reports track your AWS usage and provide estimated charges associated with your account. Each report contains line items for each unique combination of AWS products, usage type, and operation that you use in your AWS account.
- Data Exchange
  - Creates a bridge between publishers and subscribers to data. Provides CloudWatch alarms when a publisher publishes new data.
- Data Pipeline
  - AWS Data Pipeline is a web service that helps you reliably process and move data between different AWS compute and storage services, as well as on-premises data sources, at specified intervals.
- AppFlow
  - Transfer data between SaaS applications. There are sources and destinations. The frequency is on a schedule, in response to events, or on demand. Don’t spend time writing integrations and leverage APIs immediately
- Outposts
  - AWS Outposts is a fully managed service that extends AWS infrastructure, services, APIs, and tools to customer premises. Super interesting!
- Serverless Application Repository
  - The AWS Serverless Application Repository is a managed repository for serverless applications. It enables teams, organizations, and individual developers to store and share reusable applications, and easily assemble and deploy serverless architectures in powerful new ways.
- Wavelength
  - 5G edge computing
- EKS Anywhere
  - Create Kubernetes clusters on premises - why should I use this service?
- EKS Distro
- AWS Fraud Detector
- Compute Optimizer
  - AWS Compute Optimizer recommends optimal AWS resources for your workloads to reduce costs and improve performance by using machine learning to analyze historical utilization metrics.
- License Manager
- Managed Grafana
  - Observability platform for applications and infrastructure
- Managed Service for Prometheus
  - Metrics and alerts
- AWS Proton
- Kinesis Video Streams
- Application Migration Service
  - Lift & Shift solution
- Resource Access Manager
  - AWS Resource Access Manager (RAM) helps you securely share your resources between AWS accounts, within your organization or organizational units (OUs) in AWS Organizations, and with IAM roles and IAM users for supported resource types.
Other mix info:
SCPs do not affect service-linked roles
Service-linked roles are predefined by the service and include all the permissions that the service requires to call other AWS services on your behalf.
Amazon EventBridge is recommended when you want to build an application that reacts to events from SaaS applications and/or AWS services. SNS can also be used for event-based services but doesn’t have integrations with other tools.