AWS SysOps Administrator — Associate Exam Notes

Nandan Jain
17 min read · Nov 22, 2020

Placement Groups

  • Three kinds: Cluster, Partition, Spread (mnemonic: CPS)
  • Cluster placement group — instances are deployed in a single AZ
  • Partition placement group — instances are created in logical segments called partitions, each located in a separate rack with independent network and power. Multiple instances can share a rack within a partition. Each logical segment can span multiple AZs
  • Spread placement group — each instance is placed in a separate rack with independent network and power. A spread placement group can have at most 7 running instances per AZ
  • Placement groups are recommended for applications that benefit from low network latency, high network throughput, or both. Network traffic to and from resources outside the placement group is limited to 5 Gbps.

Cloud Watch

  • By default CloudWatch monitors CPU, network, disk and status checks (CNDS). RAM utilization is a custom metric.
  • Amazon CloudWatch now includes cross-account cross-region dashboards
  • You can use CloudWatch Logs to store your log data indefinitely. CloudWatch metrics for terminated EC2 instances or deleted load balancers remain accessible for 15 months.
  • By default, Amazon EC2 sends metric data to CloudWatch in 5-minute periods. To send metric data for your instance to CloudWatch in 1-minute periods, you can enable detailed monitoring (at an additional charge) on the instance.
  • Custom metric: any metric you provide to Amazon CloudWatch. Default resolution is 1 minute; you can set a resolution of 1 second.
  • CloudWatch does not support metric deletion.
  • You can aggregate the metrics for AWS resources across multiple accounts and Regions. For example, you can aggregate statistics for your EC2 instances that have detailed monitoring enabled. Instances that use basic monitoring are not included. Therefore, you must enable detailed monitoring (at an additional charge), which provides data in 1-minute periods.

CloudTrail

  • CloudTrail Event History only shows events for the region you are currently viewing, and only for the last 90 days
  • You can create up to five trails in an AWS region
  • CloudTrail delivers log files to your S3 bucket approximately every 5 minutes. CloudTrail does not deliver log files if no API calls are made on your account.
  • CloudTrail Insights events help customers identify unusual activity in their AWS accounts
  • CloudTrail integration with CloudWatch delivers logs to a CloudWatch Logs log group. It also continues delivering logs to S3
  • CloudTrail logs delivered to S3 are encrypted by SSE-S3

S3

  • By default all S3 buckets and objects are private
  • Max object size is 5 TB. Max size of a single PUT upload is 5 GB
  • SSE-S3: AWS managed keys. AWS manages both the data key and the master key
  • SSE-C: customer supplied keys. You manage both the data key and the master key
  • SSE-KMS: AWS managed keys with auditing and more features. AWS manages the master key and you manage the data key.
  • All S3 storage classes are designed to protect data (durability) to 11 nines.
  • Amazon S3 Intelligent-Tiering moves object between two access tiers when access patterns change
  • S3-IA is an Amazon S3 storage class for data that is accessed less frequently but requires rapid access when needed. Ideal for long-term storage, backups, and as a data store for disaster recovery. 99.9% availability.
  • S3 One Zone-IA storage class — stores objects in a single Availability Zone, at 20% less cost than S3-IA. 99% availability.
  • S3 Glacier Deep Archive is designed for 99.99% availability
  • S3 Select provides a new way to retrieve specific data using SQL statements from the contents of an object stored in Amazon S3 without having to retrieve the entire object. It does not generate a detailed report, unlike S3 Inventory.
  • S3 inventory is one of the tools Amazon S3 provides to help manage your storage. The inventory tool generates a report that provides a flat file list of the objects in a bucket. You can use it to audit and report on the replication and encryption status of your objects for business, compliance, and regulatory needs. You can use Athena to run queries on your inventory files.
  • Amazon Athena is an interactive query service that makes it easy to analyze data in Amazon S3 using standard SQL queries. Athena is serverless.
  • Amazon S3 Object Lock blocks object version deletion during a customer-defined retention period
  • Amazon S3 Replication enables automatic, asynchronous copying of objects across Amazon S3 buckets. Buckets that are configured for object replication can be owned by the same AWS account or by different accounts. You can copy objects between different AWS Regions (S3 Cross-Region Replication CRR), or within the same AWS Region (S3 Same-Region Replication).
  • S3 Transfer Acceleration (S3TA) enables fast, easy, and secure transfers of files over long distances between your client and an S3 bucket. As the data arrives at an edge location, data is routed to Amazon S3 over an optimized network path.
  • S3 Analytics is primarily used to analyze storage access patterns to help you decide when to transition the right data to the right storage class.
  • S3 pre-signed URLs — valid for 1 hour by default. You can change this with the --expires-in SECONDS parameter
  • An Origin Access Identity (OAI) is used for sharing private content via CloudFront. The OAI is a virtual user identity that will be used to give your CF distribution permission to fetch a private object from your origin server
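The pre-signed URL bullet above is worth seeing in code: a pre-signed URL is just a normal S3 URL carrying a SigV4 query-string signature that binds the object key, the signing time and the expiry, so anyone holding the URL can fetch that one object until it expires. The block below is an added example, not code from the original post or from AWS; it implements the SigV4 query-string signing algorithm with the standard library and, from the defender's side, a verifier that recomputes the signature and checks the expiry window. The credentials, bucket name and timestamp are constructed placeholders, and the functions presign_get, verify_presigned and minutes_later are this example's own names.

```python
import datetime
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

ALGO = "AWS4-HMAC-SHA256"
MAX_EXPIRES = 604800  # a SigV4 pre-signed URL can be valid for at most 7 days

# Constructed, non-functional credentials for this example (not real AWS keys).
ACCESS_KEY = "AKIAEXAMPLEACCESSKEY"
SECRET_KEY = "ExampleSecretKeyNotARealSecret0000000000"
REGION = "us-east-1"
BUCKET = "example-bucket"
EXAMPLE_NOW = datetime.datetime(2020, 11, 22, 12, 0, 0)  # treated as UTC


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def signing_key(secret: str, date: str, region: str) -> bytes:
    """Derive the SigV4 signing key: secret -> date -> region -> service -> terminator."""
    k = _hmac(("AWS4" + secret).encode(), date)
    k = _hmac(k, region)
    k = _hmac(k, "s3")
    return _hmac(k, "aws4_request")


def _canonical_query(params: dict) -> str:
    # Parameters sorted by name, each name and value URI-encoded (so "/" becomes %2F).
    return "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                    for k, v in sorted(params.items()))


def _signature(host: str, canonical_uri: str, params: dict, secret: str, region: str) -> str:
    amz_date = params["X-Amz-Date"]
    date = amz_date[:8]
    scope = f"{date}/{region}/s3/aws4_request"
    canonical_request = "\n".join([
        "GET",
        canonical_uri,
        _canonical_query(params),
        f"host:{host}\n",      # canonical headers block; each header line ends with a newline
        "host",                # signed headers
        "UNSIGNED-PAYLOAD",    # pre-signed URLs do not sign a request body
    ])
    string_to_sign = "\n".join([
        ALGO, amz_date, scope, hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    return hmac.new(signing_key(secret, date, region), string_to_sign.encode(),
                    hashlib.sha256).hexdigest()


def presign_get(bucket, key, access_key, secret, region, now, expires_in=3600):
    """Build a pre-signed GET URL for s3://bucket/key; expires_in mirrors --expires-in."""
    if not 1 <= expires_in <= MAX_EXPIRES:
        raise ValueError("expires_in must be between 1 second and 7 days (604800 s)")
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    host = f"{bucket}.s3.amazonaws.com"
    canonical_uri = "/" + quote(key, safe="/-_.~")
    params = {
        "X-Amz-Algorithm": ALGO,
        "X-Amz-Credential": f"{access_key}/{amz_date[:8]}/{region}/s3/aws4_request",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires_in),
        "X-Amz-SignedHeaders": "host",
    }
    sig = _signature(host, canonical_uri, params, secret, region)
    return f"https://{host}{canonical_uri}?{_canonical_query(params)}&X-Amz-Signature={sig}"


def verify_presigned(url: str, secret: str, now) -> bool:
    """Recompute the signature from the URL itself and enforce the expiry window."""
    try:
        parts = urlsplit(url)
        params = dict(parse_qsl(parts.query, keep_blank_values=True))
        given = params.pop("X-Amz-Signature", "")
        if not given or params.get("X-Amz-Algorithm") != ALGO:
            return False
        signed_at = datetime.datetime.strptime(params["X-Amz-Date"], "%Y%m%dT%H%M%SZ")
        age = (now - signed_at).total_seconds()
        if age < 0 or age > int(params["X-Amz-Expires"]):
            return False  # not yet valid, or past X-Amz-Expires
        region = params["X-Amz-Credential"].split("/")[2]
        expected = _signature(parts.netloc, parts.path, params, secret, region)
        return hmac.compare_digest(expected, given)
    except (KeyError, ValueError, IndexError):
        return False


def minutes_later(base, minutes):
    return base + datetime.timedelta(minutes=minutes)


if __name__ == "__main__":
    url = presign_get(BUCKET, "reports/q4 summary.pdf", ACCESS_KEY, SECRET_KEY, REGION, EXAMPLE_NOW)
    print(url)
    print("valid after 30 min:", verify_presigned(url, SECRET_KEY, minutes_later(EXAMPLE_NOW, 30)))
    print("valid after 61 min:", verify_presigned(url, SECRET_KEY, minutes_later(EXAMPLE_NOW, 61)))
```

Two things the verifier makes visible: the signature covers the object key, so editing the key in a leaked URL invalidates it, and the expiry is part of the signed query string, so a shorter --expires-in genuinely limits how long a leaked URL is useful.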

Amazon Glacier and Vaults

  • You can store objects in Amazon Glacier. You create a vault and store archives (one or more files) inside the vault.
  • To access data from Glacier, you need account id, vault id and archive name
  • You can specify controls such as “write once read many” (WORM) in a vault lock policy and lock the policy from future edits. Once locked, the policy can no longer be changed.
  • You can lock a vault. Once locked it becomes immutable. You can initiate the lock by attaching a vault lock policy to your vault which sets the lock to an in-progress state and returns a lock ID. While in the in-progress state, you have 24 hours to validate your vault lock policy before the lock ID expires. Use the lock ID to complete the lock process.
  • You can create vault access policies to manage vault access
  • You can create vault lock policies to manage deletion of objects from a vault.

IAM

  • Can create max 1000 IAM roles
  • You can associate an IAM role to Auto scaling group
  • You can only associate one IAM role with an EC2 instance
  • On IAM role deletion, any application running on the instance that is using the role will be denied access immediately.
  • Instance metadata service http://169.254.169.254/latest/meta-data/
  • You can log IAM actions, STS actions, and AWS Management Console sign-ins by activating AWS CloudTrail.

Cloud Formation

  • You can install software at stack creation time using AWS CloudFormation
  • With a WaitCondition, stack creation can wait for another action to finish
  • The AWS CloudFormation Registry is a managed service that lets you register, use, and discover AWS and third-party resource types
  • You can create up to 200 resources per stack.

RDS & EBS

  • gp2 (general purpose) — boot volumes. Min 100 IOPS, 3 IOPS/GB, up to 16,000 IOPS at a 5.2 TB volume
  • io1 (provisioned IOPS) — IO-intensive work, for example database workloads. Min 300 IOPS, 50 IOPS/GB, up to 64,000 IOPS
  • Storage optimized instances are designed for workloads that require high, sequential read and write access to very large data sets on local storage. Performance of over 100,000 IOPS depending on the instance type.
  • IOPS capacity of a volume depends on its size.
  • VolumeReadOps & VolumeWriteOps = total number of IO operations in a specified period of time
  • VolumeQueueLength = number of read and write operation requests waiting to be completed in a specified period of time
  • Amazon RDS DB snapshots and automated backups are stored in S3.
  • You can also add encryption to a previously unencrypted DB instance or DB cluster by creating a DB snapshot and then creating a copy of that snapshot and specifying a KMS encryption key. You can then restore an encrypted DB instance or DB cluster from the encrypted snapshot.
  • You can create up to 5 read replicas for a given source DB instance.
  • Amazon RDS (except RDS for SQL Server) supports cross-region read replicas.
  • Instance store volumes are ephemeral/temporary. Data in the instance store persists across an instance reboot, but is lost if the disk drive fails or the instance stops or terminates.
  • Data stored on an EBS volume will persist independently of the life of the instance.
  • If you are using an Amazon EBS volume as a root partition, you will need to set the Delete On Termination flag to “N” if you want the volume to persist beyond the life of the instance.
  • EBS volumes can be attached to any running instance that is in the same Availability Zone.
  • The Amazon EBS Snapshot Lifecycle can automate the creation, retention, and deletion of EBS snapshots.
  • RDS Multi AZ for disaster recovery
  • RDS Read replica for performance
  • Aurora comes in two flavors — Aurora and Aurora Serverless. Faster than MySQL and PostgreSQL at 1/10 of the cost.
  • Aurora redundancy — two copies of the data are kept in each of three Availability Zones.

ElastiCache

  • You cannot move an existing Amazon ElastiCache Cluster from outside VPC into a VPC or vice versa. You will need to create a new Amazon ElastiCache Cluster inside the VPC.
  • ElastiCache does not currently support automatically migrating from Memcached to Redis or vice versa.
  • ElastiCache for Redis and Memcached both support cross region read replicas
  • Read replicas in Elasticache can be provisioned in same region as your primary
  • Backup (snapshots) and Restore are available only for ElastiCache for Redis.
  • Memcached service does NOT offer encryption of data at rest

KMS

  • Keys belong to a region. They cannot be transferred to another region.
  • You cannot import asymmetric CMKs into AWS KMS.
  • You can import 256-bit symmetric keys.
  • Two types of keys:
  • Master key: can encrypt at most 4 KB of data directly; it is used to encrypt data keys. Two types: customer managed master keys and AWS managed master keys
  • Data key: a symmetric key generated by AWS KMS, used to encrypt/decrypt your data.
  • The master key is used to generate a plaintext data key and an encrypted copy of it. The plaintext data key encrypts the data and is then discarded; only the encrypted data key is stored alongside the data. To decrypt, the encrypted data key is first decrypted with the master key, and the recovered data key then decrypts the data.
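The envelope encryption flow in the bullets above, written out end to end as an added example (not code from the original post or from the AWS SDK): a FakeKms stand-in holds the master keys and enforces the 4 KB direct-encryption limit, generate_data_key mirrors the KMS GenerateDataKey call by returning a plaintext and a wrapped data key, and encrypt_envelope / decrypt_envelope are this example's own names for the client-side steps. To stay standard-library only, the symmetric cipher is a stand-in encrypt-then-MAC stream built from HMAC-SHA256 in counter mode, clearly not the AES-GCM that KMS and the SDKs use; the structure of the flow is what the example demonstrates.

```python
import hashlib
import hmac
import os

MASTER_KEY_MAX_PLAINTEXT = 4096  # a KMS master key encrypts at most 4 KB directly


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in PRF keystream (HMAC-SHA256 in counter mode), used only to keep
    this example standard-library only. KMS and the SDKs use AES-GCM, not this."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with the stand-in cipher. Layout: nonce(12) || ciphertext || tag(32)."""
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _open(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed: wrong key or tampered ciphertext")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class FakeKms:
    """Stand-in for the KMS service: master keys are created here and never leave."""

    def __init__(self):
        self._masters = {}

    def create_key(self) -> str:
        key_id = "key-" + os.urandom(4).hex()  # constructed id, not a real KMS key ARN
        self._masters[key_id] = os.urandom(32)
        return key_id

    def encrypt(self, key_id: str, plaintext: bytes) -> bytes:
        # Mirrors the real limit: Encrypt with a master key accepts at most 4 KB.
        if len(plaintext) > MASTER_KEY_MAX_PLAINTEXT:
            raise ValueError("master key can encrypt at most 4 KB; use a data key for bulk data")
        return _seal(self._masters[key_id], plaintext)

    def decrypt(self, key_id: str, blob: bytes) -> bytes:
        return _open(self._masters[key_id], blob)

    def generate_data_key(self, key_id: str):
        """Mirrors GenerateDataKey: returns (plaintext data key, encrypted data key)."""
        data_key = os.urandom(32)
        return data_key, self.encrypt(key_id, data_key)


def encrypt_envelope(kms: FakeKms, key_id: str, data: bytes) -> dict:
    plaintext_dk, encrypted_dk = kms.generate_data_key(key_id)
    ciphertext = _seal(plaintext_dk, data)
    del plaintext_dk  # discard the plaintext data key; only the wrapped copy is stored
    return {"key_id": key_id, "encrypted_data_key": encrypted_dk, "ciphertext": ciphertext}


def decrypt_envelope(kms: FakeKms, envelope: dict) -> bytes:
    # Step 1: unwrap the data key with the master key (a KMS Decrypt call in practice).
    plaintext_dk = kms.decrypt(envelope["key_id"], envelope["encrypted_data_key"])
    # Step 2: decrypt the bulk data locally with the recovered data key.
    return _open(plaintext_dk, envelope["ciphertext"])


if __name__ == "__main__":
    kms = FakeKms()
    kid = kms.create_key()
    env = encrypt_envelope(kms, kid, b"payroll export, 100 KB " * 4000)
    print("stored envelope fields:", sorted(env))
    print("round trip ok:", decrypt_envelope(kms, env).startswith(b"payroll export"))
```

The point of the structure is that the only KMS-bound operations are the two small ones on the 32-byte data key; the bulk data never goes to KMS and can be any size, while a direct kms.encrypt of the data itself fails once it exceeds 4 KB.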

Inspector

  • Amazon Inspector allows you to automate security vulnerability assessments throughout your development and deployment pipeline or against static production systems
  • Amazon Inspector is a HIPAA eligible service

GuardDuty

  • Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts, workloads, and data stored in Amazon S3.
  • Amazon GuardDuty does not perform security assessments of applications deployed on EC2 instances; it is a threat detection service that monitors for anomalous behavior in your AWS network using AWS CloudTrail, Amazon VPC Flow Logs, and DNS logs
  • Along with VPC flow logs, AWS CloudTrail event logs, and DNS logs, Amazon GuardDuty can use custom IP address lists when generating findings. GuardDuty maintains two kinds of list: a trusted IP list and a threat list. The trusted IP list contains whitelisted IP addresses for which GuardDuty generates no findings. The threat list contains known malicious IP addresses for which GuardDuty generates findings. Users of the master account have permission to upload and manage the trusted IP list and the threat list. For member accounts, GuardDuty generates findings based on the threat list uploaded by the master account.

Trusted Advisor (CPSR = cost, performance, security & resiliency)

  • Trusted Advisor inspects your AWS environment and makes recommendations for saving money, improving system performance, or closing security gaps.
  • Cost Optimization — recommendations that can potentially save you money by highlighting unused resources and opportunities to reduce your bill.
  • Performance — recommendations that can help to improve the speed and responsiveness of your applications.
  • Security — identification of security settings that could make your AWS solution less secure.
  • Fault Tolerance — recommendations that help increase the resiliency of your AWS solution by highlighting redundancy shortfalls, current service limits, and over-utilized resources.

AWS Config

  • AWS Config is a fully managed service that provides you with an AWS resource inventory, configuration history, and configuration change notifications to enable security and governance. A Config Rule represents desired configurations for a resource and is evaluated against configuration changes on the relevant resources, as recorded by AWS Config.

Direct Connect

  • AWS Direct Connect is a network service that provides an alternative to using the Internet to connect a customer’s on-premises sites to AWS.
  • Using AWS Direct Connect, data that would have previously been transported over the Internet can now be delivered through a private network connection between AWS and your datacenter or corporate network.
  • A VPN connection has two components: on the AWS side a Virtual Private Gateway, and on the on-premises side a Customer Gateway.

Systems Manager

  • AWS Systems Manager allows you to safely automate common and repetitive IT operations and management tasks across AWS resources.
  • You can use Systems Manager documents with run command, state manager, or automation features.
  • Systems Manager Parameter Store is a feature that offers the ability to store, retrieve and manage a secret or plain-text configuration value.
  • Systems Manager AppConfig is an application configuration management service which allows you to safely release updated configuration to applications at runtime and allows you to store configurations as Parameters. If you need to model a complex set of application configurations that you can validate and deploy safely in a controlled environment, with ability to rollback changes under certain conditions, you should use AWS AppConfig.
  • Run Command provides safe, secure remote management of your instances at scale without logging into your servers, replacing the need for bastion hosts, SSH, or remote PowerShell
  • Patch Manager helps you select and deploy operating system and software patches automatically across large groups of Amazon EC2 or on-premises instances
  • Distributor is an AWS Systems Manager feature that enables you to securely store and distribute software packages in your organization.

VPC

  • VPC endpoints enable you to privately connect your VPC to services hosted on AWS without requiring an Internet gateway, a NAT device, VPN, or firewall proxies.
  • Instances without public IP addresses can route their traffic through a NAT gateway or a NAT instance to access the Internet. The NAT gateway resides in a public subnet.
  • Currently you can create 200 subnets per VPC. The minimum size of a subnet is a /28 (or 11 usable IP addresses).
  • You cannot change the private IP addresses of an Amazon EC2 instance within a VPC, whether it is running or stopped.
  • You can assign one or more secondary private IP addresses to an Elastic Network Interface or an EC2 instance in Amazon VPC.
  • Amazon VPC flow logs allow customers to collect, store, and analyze network flow logs. The information captured in flow logs includes information about allowed and denied traffic, source and destination IP addresses, ports, protocol number, packet and byte counts, and an action (accept or reject). You can use this feature to troubleshoot connectivity and security issues.
  • Amazon VPC traffic mirroring provides deeper insight into network traffic by allowing you to analyze the actual traffic content, including payload. It is targeted at use cases where you need to analyze the actual packets to determine the root cause of a performance issue, reverse-engineer a sophisticated network attack, or detect and stop insider abuse or compromised workloads.
  • Network interfaces can only be attached to instances residing in the same Availability Zone.
  • Peered VPCs must have non-overlapping IP ranges.
  • VPC peering connections do not require an Internet Gateway.
  • NAT instance allows outbound communication but doesn’t allow machines on the Internet to initiate a connection to the privately addressed instances.
  • Route tables matter most when you are using a NAT instance or NAT gateway
  • The amount of traffic a NAT instance can support depends on the instance size
  • A NAT gateway can support up to 10 Gbps
  • A NAT gateway must sit in a public subnet
  • NAT instances and NAT gateways do not support IPv6
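The flow log bullet above lists the fields a record carries; the added example below (not code from the original post) parses records in the default flow log format and runs the two checks a SysOps engineer most often wants from them: which sources are getting rejected, and which single source has been rejected on many distinct destination ports in the capture window. The sample records are constructed for the example (documentation address ranges, a made-up account id and interface id), and parse_flow_log, rejected_by_source, port_scan_candidates and accepted_bytes_by_pair are this example's own function names.

```python
from collections import Counter, defaultdict

# Constructed sample records in the default (version 2) flow log format; not real traffic.
# Fields: version account-id interface-id srcaddr dstaddr srcport dstport protocol
#         packets bytes start end action log-status
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.7 10.0.1.25 54321 22 6 6 360 1606000000 1606000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.7 10.0.1.25 54322 3389 6 6 360 1606000000 1606000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.7 10.0.1.25 54323 445 6 6 360 1606000000 1606000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.9 10.0.1.25 40001 443 6 20 4200 1606000000 1606000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.25 198.51.100.9 443 40001 6 18 9800 1606000000 1606000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1606000000 1606000060 - NODATA
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.7 10.0.1.25 54324 23 6 6 360 1606000000 1606000060 REJECT OK
"""

FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status"]
NUMERIC = {"srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}
PROTOCOL_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_flow_log(text: str):
    """Parse default-format records; NODATA/SKIPDATA records carry '-' fields and are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # malformed or custom-format line
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for name in NUMERIC:
            rec[name] = int(rec[name])
        rec["protocol_name"] = PROTOCOL_NAMES.get(rec["protocol"], str(rec["protocol"]))
        records.append(rec)
    return records


def rejected_by_source(records) -> Counter:
    """Count REJECT records per source address (security group / NACL drops)."""
    return Counter(r["srcaddr"] for r in records if r["action"] == "REJECT")


def port_scan_candidates(records, min_ports: int = 3) -> dict:
    """Sources rejected on at least min_ports distinct destination ports in the window."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT":
            ports[r["srcaddr"]].add(r["dstport"])
    return {src: p for src, p in ports.items() if len(p) >= min_ports}


def accepted_bytes_by_pair(records) -> dict:
    """Bytes accepted per (src, dst) pair; useful for spotting unexpected large transfers."""
    totals = Counter()
    for r in records:
        if r["action"] == "ACCEPT":
            totals[(r["srcaddr"], r["dstaddr"])] += r["bytes"]
    return dict(totals)


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_FLOW_LOG)
    print("records:", len(recs))
    print("rejects by source:", rejected_by_source(recs))
    print("port scan candidates:", port_scan_candidates(recs))
    print("accepted bytes by pair:", accepted_bytes_by_pair(recs))
```

Two caveats worth remembering when reading real output: the NODATA record is legitimate (no traffic in the window) and must not be treated as an error, and a flow log shows the security group or NACL decision, not the packet payload, which is why the next bullet points at traffic mirroring for content analysis.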

ELB

  • 3 types of load balancers: Application, Network, and Classic (also known as ELB)
  • Network load balancers provide a static IP address, 1 per subnet
  • LB access logs retain data even after the EC2 instance has been deleted
  • Request Tracing — Only Application Load Balancer adds a request header X-Amzn-Trace-Id before sending request to target.
  • Only the Application Load Balancer supports HTTP header-based routing, because it operates at the application layer and HTTP/HTTPS is a layer 7 protocol.
  • Use a Network Load Balancer for high-transaction applications (hundreds of TPS)

EC2

  • You can assign security groups to your instance when you launch it and while it’s running.
  • You can move a reserved instance from one Availability Zone to another, as long as region does not change.
  • Do you need to shut down your EC2 instance when you create a snapshot of EBS volumes that serve as root devices? = YES
  • What is the limit of Reserved Instances per Availability Zone each month? = 20
  • There are two type of reserved instance types. Standard reserved instance & convertible reserved instance. You can upgrade or downgrade the instance size of both Standard and Convertible Reserved Instance. However, only the Convertible Reserved instance can change the instance type.
  • T Unlimited instances can sustain high CPU performance for as long as a workload needs it. For most general-purpose workloads, T Unlimited instances will provide ample performance without any additional charges.
  • When you launch an instance in default VPC, Elastic IP is NOT attached when it is launched. Public IP, private IP & Internet gateway are available.
  • Elastic IP address is a static IPv4 address. By using an Elastic IP address, you can mask the failure of an instance or software by rapidly remapping the address to another instance in your account. If your instance does not have a public IPv4 address, you can associate an Elastic IP address with your instance to enable communication with the internet.
  • When you associate an Elastic IP address with an instance or its primary network interface, the instance’s public IPv4 address (if it had one) is released back into Amazon’s pool of public IPv4 addresses
  • An Elastic IP address is allocated to your AWS account, and is yours until you release it. A disassociated Elastic IP address remains allocated to your account until you explicitly release it. An Elastic IP address is for use in a specific Region only, and cannot be moved to a different Region.

EFS

  • Amazon EFS provides scalable file storage for use with Amazon EC2. You can create an EFS file system and configure your instances to mount the file system. You can use an EFS file system as a common data source for workloads and applications running on multiple instances.
  • You can store files across AZs, across region & across VPCs.
  • You can enable encryption at rest and in transit
  • Files that have not been accessed recently are moved to EFS Infrequent Access (IA)
  • Encryption at rest must be enabled when the file system is created
  • Amazon EFS is not supported on Windows instances. For Windows there is a different service, FSx
  • It is more costly than EBS

OpsWorks

  • Allows you to automate your server configuration using managed instances of Puppet or Chef

Cost Explorer

  • Costs broken down by service. Filters for hourly, daily & monthly reports. Forecasts future cost and usage. Filter & group your data.

Cost and Usage Report

  • AWS delivers the AWS Cost & Usage Report (in CSV format) to whichever Amazon Simple Storage Service (S3) bucket you specify, and updates the reports at least once per day. It doesn’t forecast your future costs. It just lists the AWS usage for each service category used by an account and its IAM users in hourly or daily line items, as well as any tags that you have activated for cost allocation purposes.

AWS Budget

  • Cost budgets, usage budgets and reservation budgets. You can trigger notifications based on actual or forecasted values.

Dynamo DB

  • NoSQL database
  • Data is stored on SSDs and automatically replicated across multiple AZs.
  • Suited for read heavy applications

Miscellaneous

  • KMS — used to encrypt data at rest; multi-tenant; symmetric keys only
  • CloudHSM — used to encrypt data at rest; single-tenant; both symmetric & asymmetric keys
  • AWS Shield protects CloudFront, ELB and Route 53
  • Dedicated instance and dedicated host, both have dedicated hardware.
  • After VPC creation, an instance that you launch into the default subnet receives both a public and a private IP address.
  • In Amazon Route 53, you can NOT create a hosted zone for a top-level domain (TLD).
  • A VPN connection and Direct Connect are best suited for connectivity between AWS and an on-premise data center.
  • Amazon Kinesis is a managed, scalable, cloud-based service that allows real-time processing of large amounts of streaming data per second. It is designed for real-time applications and allows developers to take in any amount of data from several sources, scaling up and down, and can be run on EC2 instances.
  • AWS X-Ray helps developers analyze and debug production, distributed applications, such as those built using a microservices architecture. X-Ray gives you an end-to-end view of an entire request, so you can analyze latencies in your APIs and their backend services. You can use an X-Ray service map to view the latency of an entire request and that of the downstream services that are integrated with X-Ray. And you can configure sampling rules to tell X-Ray which requests to record, at what sampling rates, according to criteria that you specify.
  • AWS Personal Health Dashboard provides alerts and remediation guidance when AWS is experiencing events that may impact you. While the Service Health Dashboard displays the general status of AWS services, Personal Health Dashboard gives you a personalized view into the performance and availability of the AWS services underlying your AWS resources.
  • AWS Artifact is your go-to, central resource for compliance-related information that matters to you. It provides on-demand access to AWS’ security and compliance reports and select online agreements.
  • AWS Organizations allows creation of Service Control Policies (SCPs) that centrally control AWS service use across multiple AWS accounts.
  • With AWS Organization, you can consolidate billing across multiple aws accounts, automate aws account creation & management.
  • SGs are stateful, NACLs are stateless
  • A NACL can be associated with multiple subnets. However, a subnet can be associated with only one NACL
  • A NACL contains a numbered list of rules that is evaluated in order, starting with the lowest-numbered rule
  • AWS reserves 5 IP addresses in each subnet.
  • Public IP addresses can be created only at the time of instance creation.
  • Ephemeral ports — temporary (short-lived) ports a client chooses to receive the response from the server.
  • AWS Step Functions provides serverless orchestration for modern applications.
  • With Redshift Enhanced VPC Routing you can use VPC flow logs to monitor traffic.
  • If you lose the private key for an EBS-backed instance, you can regain access to your instance. You must stop the instance, detach its root volume and attach it to another instance as a data volume, modify the authorized_keys file, move the volume back to the original instance, and restart the instance.
  • Amazon Cognito identity pools assign your authenticated users a set of temporary, limited privilege credentials to access your AWS resources. The permissions for each user are controlled through IAM roles that you create.
  • Bastion host is defined as “a server whose purpose is to provide access to a private network from an external network, such as the Internet”
  • Macie is a security and compliance service used to discover, classify, and protect sensitive data in AWS such as personally identifiable information or intellectual property
  • State Manager is a tool to control how and when configurations are applied. It can be used to enforce enterprise wide compliance. It automates the process of keeping your Amazon EC2 and hybrid infrastructure in a state that you define.
  • Session Manager is an interactive shell and CLI that provides secure, access-controlled, and audited management of Windows and Linux EC2 instances.
  • AWS Config and Inspector cannot be used for RDS because both services require an agent to be installed.
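The SG/NACL bullets above (stateful vs stateless, lowest-numbered rule first, ephemeral ports) are the ones candidates most often get wrong, so here is an added example (not code from the original post) that simulates both filters. NaclRule, nacl_decision, SecurityGroup and simulate_https_exchange are this example's own names; the rules and addresses are constructed. The NACL evaluator sorts rules by number and stops at the first match with an implicit final deny, and the exchange simulation shows that a reply to an HTTPS request is dropped by a NACL unless an outbound rule covers the client's ephemeral port, while a security group lets the reply through because it tracks the flow.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NaclRule:
    number: int      # evaluated lowest number first; the first matching rule decides
    protocol: str    # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    cidr: str
    allow: bool


def nacl_decision(rules, protocol: str, port: int, address: str) -> bool:
    """Stateless check of one packet against a NACL. Returns True if allowed.
    Rules are tried in ascending number order; the implicit final rule (*) denies."""
    ip = ipaddress.ip_address(address)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("all", protocol):
            continue
        if not rule.port_from <= port <= rule.port_to:
            continue
        if ip not in ipaddress.ip_network(rule.cidr):
            continue
        return rule.allow
    return False


EPHEMERAL_RANGE = (1024, 65535)  # the range AWS recommends opening for return traffic


def simulate_https_exchange(inbound_rules, outbound_rules, client_ip: str, client_port: int):
    """Client at client_ip:client_port connects to TCP 443 behind a subnet NACL.
    Returns (request_allowed, response_allowed); each direction is judged independently."""
    request_ok = nacl_decision(inbound_rules, "tcp", 443, client_ip)
    # The reply leaves the subnet towards the client's ephemeral port, so the
    # outbound rules must allow that destination port explicitly.
    response_ok = nacl_decision(outbound_rules, "tcp", client_port, client_ip)
    return request_ok, response_ok


class SecurityGroup:
    """Stateful filter: a reply to an accepted inbound flow is allowed even when no
    outbound rule matches it. Rules are (protocol, port, cidr) allow entries only."""

    def __init__(self, inbound_allow, outbound_allow=()):
        self.inbound_allow = list(inbound_allow)
        self.outbound_allow = list(outbound_allow)
        self.tracked = set()  # (protocol, peer_ip, peer_port, local_port)

    @staticmethod
    def _matches(rules, protocol, port, address) -> bool:
        ip = ipaddress.ip_address(address)
        return any(p == protocol and port == rule_port and ip in ipaddress.ip_network(cidr)
                   for p, rule_port, cidr in rules)

    def accept_inbound(self, protocol, dport, src_ip, sport) -> bool:
        ok = self._matches(self.inbound_allow, protocol, dport, src_ip)
        if ok:
            self.tracked.add((protocol, src_ip, sport, dport))  # remember the flow
        return ok

    def accept_outbound(self, protocol, dport, dst_ip, sport) -> bool:
        if (protocol, dst_ip, dport, sport) in self.tracked:
            return True  # return traffic for a tracked flow needs no outbound rule
        return self._matches(self.outbound_allow, protocol, dport, dst_ip)


if __name__ == "__main__":
    inbound = [NaclRule(100, "tcp", 443, 443, "0.0.0.0/0", True)]
    no_ephemeral = [NaclRule(100, "tcp", 443, 443, "0.0.0.0/0", True)]
    with_ephemeral = [NaclRule(100, "tcp", *EPHEMERAL_RANGE, "0.0.0.0/0", True)]
    print("NACL without ephemeral rule:", simulate_https_exchange(inbound, no_ephemeral, "198.51.100.9", 40001))
    print("NACL with ephemeral rule:   ", simulate_https_exchange(inbound, with_ephemeral, "198.51.100.9", 40001))
    sg = SecurityGroup(inbound_allow=[("tcp", 443, "0.0.0.0/0")])
    sg.accept_inbound("tcp", 443, "198.51.100.9", 40001)
    print("SG reply allowed:", sg.accept_outbound("tcp", 40001, "198.51.100.9", 443))
```

The constructed security group deliberately has no outbound rules (a real default group allows all outbound traffic) so that the tracked-flow behaviour is visible on its own; in the NACL case the ordering test uses a lower-numbered deny ahead of a broader allow, which is how you block a specific range while keeping the general rule.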
