AWS Certified Solutions Architect Official Study Guide: Associate Exam

Joe Baron, Hisham Baz, Tim Bixler, Biff Gaut, Kevin E. Kelly, Sean Senior, John Stamper
Senior Acquisitions Editor: Kenyon Brown
Project Editor: Gary Schwartz
Production Editor: Dassi Zeidel
Copy Editor: Kezia Endsley
Editorial Manager: Mary Beth Wakefield
Production Manager: Kathleen Wisor
Executive Editor: Jim Minatel
Book Designers: Judy Fung and Bill Gibson
Proofreader: Nancy Carrasco
Indexer: Johnna van Hoose Dinse
Project Coordinator, Cover: Brent Savage
Cover Designer: Wiley
Cover Image: © Getty Images, Inc./Jeremy Woodhouse

Copyright © 2017 by AWS

Published by John Wiley & Sons, Inc., Indianapolis, Indiana

Published simultaneously in Canada

ISBN: 978-1-119-13855-6
ISBN: 978-1-119-13955-3 (ebk.)
ISBN: 978-1-119-13954-6 (ebk.)

Manufactured in the United States of America

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Web site may provide or recommendations it may make. Further, readers should be aware that Internet Web sites listed in this work may have changed or disappeared between when this work was written and when it is read.

For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at (877) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

Library of Congress Control Number: 2016949703

TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. AWS is a registered trademark of Amazon Technologies, Inc. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.
For the original AWS instructor, Mike Culver, who taught us how to teach, lead, and inspire with tenacity and kindness.
CONTENTS

Acknowledgments
About the Authors
Foreword
Introduction
Assessment Test
Answers to Assessment Test

Chapter 1: Introduction to AWS
  What Is Cloud Computing?
  AWS Fundamentals
  AWS Cloud Computing Platform
  Summary
  Exam Essentials
  Review Questions

Chapter 2: Amazon Simple Storage Service (Amazon S3) and Amazon Glacier Storage
  Introduction
  Object Storage versus Traditional Block and File Storage
  Amazon Simple Storage Service (Amazon S3) Basics
  Buckets
  Amazon S3 Advanced Features
  Amazon Glacier
  Summary
  Exam Essentials
  Exercises
  Review Questions

Chapter 3: Amazon Elastic Compute Cloud (Amazon EC2) and Amazon Elastic Block Store (Amazon EBS)
  Introduction
  Amazon Elastic Compute Cloud (Amazon EC2)
  Amazon Elastic Block Store (Amazon EBS)
  Summary
  Exam Essentials
  Exercises
  Review Questions

Chapter 4: Amazon Virtual Private Cloud (Amazon VPC)
  Introduction
  Amazon Virtual Private Cloud (Amazon VPC)
  Subnets
  Route Tables
  Internet Gateways
  Dynamic Host Configuration Protocol (DHCP) Option Sets
  Elastic IP Addresses (EIPs)
  Elastic Network Interfaces (ENIs)
  Endpoints
  Peering
  Security Groups
  Network Access Control Lists (ACLs)
  Network Address Translation (NAT) Instances and NAT Gateways
  Virtual Private Gateways (VPGs), Customer Gateways (CGWs), and Virtual Private Networks (VPNs)
  Summary
  Exam Essentials
  Exercises
  Review Questions

Chapter 5: Elastic Load Balancing, Amazon CloudWatch, and Auto Scaling
  Introduction
  Elastic Load Balancing
  Amazon CloudWatch
  Auto Scaling
  Summary
  Exam Essentials
  Exercises
  Review Questions

Chapter 6: AWS Identity and Access Management (IAM)
  Principals
  Authentication
  Authorization
  Other Key Features
  Summary
  Exam Essentials
  Exercises
  Review Questions

Chapter 7: Databases and AWS
  Database Primer
  Amazon Relational Database Service (Amazon RDS)
  Amazon Redshift
  Amazon DynamoDB
  Summary
  Exam Essentials
  Exercises
  Review Questions

Chapter 8: SQS, SWF, and SNS
  Amazon Simple Queue Service (Amazon SQS)
  Amazon Simple Workflow Service (Amazon SWF)
  Amazon Simple Notification Service (Amazon SNS)
  Summary
  Exam Essentials
  Exercises
  Review Questions

Chapter 9: Domain Name System (DNS) and Amazon Route 53
  Domain Name System (DNS)
  Amazon Route 53 Overview
  Summary
  Exam Essentials
  Exercises
  Review Questions

Chapter 10: Amazon ElastiCache
  Introduction
  In-Memory Caching
  Amazon ElastiCache
  Summary
  Exam Essentials
  Exercises
  Review Questions

Chapter 11: Additional Key Services
  Introduction
  Storage and Content Delivery
  Security
  Analytics
  DevOps
  Summary
  Exam Essentials
  Review Questions

Chapter 12: Security on AWS
  Introduction
  Shared Responsibility Model
  AWS Compliance Program
  AWS Global Infrastructure Security
  AWS Account Security Features
  AWS Cloud Service-Specific Security
  Summary
  Exam Essentials
  Exercises
  Review Questions

Chapter 13: AWS Risk and Compliance
  Introduction
  Overview of Compliance in AWS
  Evaluating and Integrating AWS Controls
  AWS Risk and Compliance Program
  AWS Reports, Certifications, and Third-Party Attestations
  Summary
  Exam Essentials
  Review Questions

Chapter 14: Architecture Best Practices
  Introduction
  Design for Failure and Nothing Fails
  Implement Elasticity
  Leverage Different Storage Options
  Build Security in Every Layer
  Think Parallel
  Loose Coupling Sets You Free
  Don't Fear Constraints
  Summary
  Exam Essentials
  Exercises
  Review Questions

Appendix A: Answers to Review Questions
  Chapter 1: Introduction to AWS
  Chapter 2: Amazon Simple Storage Service (Amazon S3) and Amazon Glacier Storage
  Chapter 3: Amazon Elastic Compute Cloud (Amazon EC2) and Amazon Elastic Block Store (Amazon EBS)
  Chapter 4: Amazon Virtual Private Cloud (Amazon VPC)
  Chapter 5: Elastic Load Balancing, Amazon CloudWatch, and Auto Scaling
  Chapter 6: AWS Identity and Access Management (IAM)
  Chapter 7: Databases and AWS
  Chapter 8: SQS, SWF, and SNS
  Chapter 9: Domain Name System (DNS) and Amazon Route 53
  Chapter 10: Amazon ElastiCache
  Chapter 11: Additional Key Services
  Chapter 12: Security on AWS
  Chapter 13: AWS Risk and Compliance
  Chapter 14: Architecture Best Practices

Advert
EULA
List of Tables

Chapter 3
  TABLE 3.1
  TABLE 3.2
  TABLE 3.3
  TABLE 3.4
  TABLE 3.5
  TABLE 3.6

Chapter 4
  TABLE 4.1
  TABLE 4.2
  TABLE 4.3
  TABLE 4.4
  TABLE 4.5

Chapter 6
  TABLE 6.1
  TABLE 6.2
  TABLE 6.3

Chapter 7
  TABLE 7.1
  TABLE 7.2
  TABLE 7.3
  TABLE 7.4
  TABLE 7.5

Chapter 12
  TABLE 12.1

Chapter 14
  TABLE 14.1
List of Illustrations

Chapter 1
  FIGURE 1.1 Six advantages of cloud computing
  FIGURE 1.2 AWS Cloud computing platform
  FIGURE 1.3 Auto scaling capacity
  FIGURE 1.4 AWS CloudFormation workflow summary

Chapter 3
  FIGURE 3.1 Memory and vCPUs for the m4 instance family
  FIGURE 3.2 A workload using a mix of On-Demand and Reserved Instances

Chapter 4
  FIGURE 4.1 VPC, subnets, and a route table
  FIGURE 4.2 VPC, subnet, route table, and an Internet gateway
  FIGURE 4.3 VPC peering connections do not support transitive routing
  FIGURE 4.4 VPC with VPN connection to a customer network

Chapter 5
  FIGURE 5.1 Auto Scaling group behind an Elastic Load Balancing load balancer
  FIGURE 5.2 Auto Scaling group with policy
  FIGURE 5.3 Amazon CloudWatch alarm triggering scaling out

Chapter 6
  FIGURE 6.1 Different identities authenticating with AWS
  FIGURE 6.2 Associating IAM users with policies

Chapter 7
  FIGURE 7.1 Multi-AZ Amazon RDS architecture
  FIGURE 7.2 Amazon Redshift cluster architecture
  FIGURE 7.3 Table, items, attributes relationship
  FIGURE 7.4 Table partitioning

Chapter 8
  FIGURE 8.1 Message lifecycle
  FIGURE 8.2 Diagram of visibility timeout
  FIGURE 8.3 Amazon SWF workflow illustration
  FIGURE 8.4 Diagram of topic delivery
  FIGURE 8.5 Diagram of fanout scenario

Chapter 9
  FIGURE 9.1 FQDN components

Chapter 10
  FIGURE 10.1 Common caching architecture
  FIGURE 10.2 Redis replication group

Chapter 11
  FIGURE 11.1 Delivering static and dynamic content
  FIGURE 11.2 High availability CloudHSM architecture
  FIGURE 11.3 Amazon Kinesis Firehose
  FIGURE 11.4 Amazon Kinesis Streams
  FIGURE 11.5 Example pipeline
  FIGURE 11.6 Simple application server stack
  FIGURE 11.7 Simple application server stack with AWS OpsWorks
  FIGURE 11.8 Creating a stack workflow
  FIGURE 11.9 Updating a stack workflow
  FIGURE 11.10 AWS Trusted Advisor Console dashboard

Chapter 12
  FIGURE 12.1 The shared responsibility model
  FIGURE 12.2 Amazon Web Services regions
  FIGURE 12.3 Amazon EC2 multiple layers of security
  FIGURE 12.4 Amazon EC2 security group firewall
  FIGURE 12.5 Amazon VPC network architecture
  FIGURE 12.6 Flexible network architectures

Chapter 13
  FIGURE 13.1 Shared responsibility model

Chapter 14
  FIGURE 14.1 Simple web application architecture
  FIGURE 14.2 Updated web application architecture with redundancy
  FIGURE 14.3 Updated web application architecture with auto scaling
  FIGURE 14.4 Updated web application architecture with Amazon S3 and Amazon CloudFront
  FIGURE 14.5 Updated web application architecture with Amazon ElastiCache and Amazon DynamoDB
  FIGURE 14.6 Tight and loose coupling
  FIGURE 14.7 Sample web application for chapter exercises
Acknowledgments

The authors would like to thank a few people who helped us develop and write this AWS Certified Solutions Architect Official Study Guide: Associate Exam.

First, thanks to all our families who put up with us spending weekends and evenings creating content, writing questions, and reviewing each other's chapters. Their patience and support made this book possible.

Niamh O'Byrne, AWS Certification Manager, who introduced all of the authors and many more solutions architects at AWS to certification testing and got this book started by challenging some of us to extend our reach and help more cloud practitioners get certified.

Nathan Bower and Victoria Steidel, amazing technical writers at AWS who reviewed and edited all the content and every question and gently made us better writers and communicators. They were tireless in reviewing and helping us hone and focus our content.

Patrick Shumate, a fellow AWS solutions architect who contributed test questions right when we needed the help to get us over the finish line.

We could not have written this book without the help of our friends at Wiley. Kenyon Brown, Senior Acquisitions Editor, corralled us and focused us on the end goal. Additionally, we were guided by Gary Schwartz, Project Editor; Kezia Endsley, Copyeditor; and Dassi Zeidel, Production Editor, who took output from different authors and turned it into a cohesive and complete finished product.

Lastly, we want to thank all the solutions architects at AWS who participated in certification blueprint development, question writing, and review sessions, and the development of a world-class certification program for cloud practitioners that is setting the standard for our industry.
About the Authors

Joe Baron, Principal Solutions Architect for AWS, is currently working with customers in the Southeastern United States. Joe joined AWS in 2009 as one of the first solutions architects, and in the years since he has helped customers of all sizes, from small startups to some of the largest enterprises in the world, to architect their infrastructures and migrate their applications to the cloud. He was also an early contributor to the AWS Associate and Professional Certified Solutions Architect programs. Joe holds a BS degree in engineering physics from Cornell University and is proud to be an "expert generalist." Prior to joining AWS, Joe had 25 years of experience in technology, with roles in data center automation, virtualization, life sciences, high-performance computing, 3D visualization, hardware and software development, and Independent Software Vendor (ISV) program management. He is also a dedicated husband to Carol and father of two children, Matt and Jessie. When not helping customers migrate all the things to the cloud, Joe is an amateur classical pianist and collector of traditional woodworking tools. He lives in the Raleigh, NC area.

Hisham Baz is a passionate software engineer and systems architect with expertise building distributed applications and high-performance, mission-critical systems. Since 2013, Hisham has been a solutions architect with AWS working with customers like Pinterest, Airbnb, and General Electric to build resilient architectures in the cloud with a focus on big data and analytics. Prior to Amazon, Hisham founded two early-stage startups, modernized the communications network connecting critical transportation infrastructure, and improved cellular networks with large-scale data analytics. Hisham is based in San Francisco, CA and lives with his wife, Suki. They can often be found hiking the redwoods.

Tim Bixler, Commercial Americas Southeast Area Solutions Architecture Leader for AWS, leads teams of solutions architects who provide AWS technical enablement, evangelism, and knowledge transfer to customers like Capital One, The Coca-Cola Company, AOL, Koch Industries, Cox Automotive, NASCAR, Emdeon, and Neustar. Tim has over 20 years of experience in improving systems and operational performance, productivity, and customer satisfaction for private and public global corporations as well as government agencies. He is also a public speaker for Amazon and enjoys helping customers adopt innovative solutions on AWS. But if you ask his 7-year-old son TJ what he does, he might say that daddy is a builder and a fixer. When not otherwise tasked, you can find him burrowed in his lab building robots driven by microcontrollers or at the local BrickFair admiring the creations that he has no time to build.

Biff Gaut started writing programs for a living on CP/M on the Osborne 1. Since those early days, he obtained a BS in engineering from Virginia Tech while writing C code on MS-DOS, married his wife, Holly, while writing his first GUI apps, and raised two children while transitioning from COM objects in C++ to web apps in .NET. Along the way, he led development teams from 1 to 50 members for companies including NASDAQ, Thomson Reuters, Verizon, Microsoft, FINRA, and Marriott. He has collaborated on two books and spoken at countless conferences, including Windows World and the Microsoft PDC. Biff is currently a solutions architect at AWS, helping customers across the country realize the benefits of the cloud by deploying secure, available, efficient workloads on AWS. And yes, that's his real name.

Kevin E. Kelly, Solutions Architecture Manager and early contributor to the AWS Solutions Architecture Certification exams, has been at AWS for over seven years helping companies architect their infrastructures and migrate their applications to the cloud. Kevin has a BS in computer science from Mercer University and a Master of Information Systems in business from the University of Montana. Before joining Amazon, Kevin was an Air Force officer, a programmer—including embedded programming—and a technical presales leader. Kevin has been the chairman of the World Wide Web Consortium (W3C) Compound Document Format Working Group and led that open-standards working group in developing the Web Interactive Compound Document (WICD) profile for mobile and desktop devices. He has also served as the W3C Advisory Council Representative for Health Level 7 (HL7). Kevin lives in Virginia with his wife, Laurie, and their two daughters, Caroline and Amelia. Kevin is an amateur violin and mandolin player and a zymurgist.

Sean Senior is a solutions architect at AWS. Sean is a builder at heart and thrives in a fast-paced environment with continuous challenges. Sean has a BS in computer information and sciences from the University of Maryland University College. Sean is a devoted husband and father of a beautiful girl. He is a U.S. Navy veteran, avid sports fan, and gym rat. He loathes talking about himself in the third person, but can be persuaded to do so for a good reason.

John Stamper, Principal Solutions Architect at AWS, is a co-inventor for multiple AWS patents and is particularly fond of distributed systems at scale. John holds a BS in mathematics from James Madison University (94) and an MS in Information Systems from George Mason University (04). In addition to building systems on the cloud and helping customers reimagine their businesses, John is a dedicated husband and father of three children. He is a CrossFit athlete, youth sports coach, and vocal supporter of the arts.
Foreword

This AWS Certified Solutions Architect Official Study Guide: Associate Exam has been written to help you prepare for the AWS Certified Solutions Architect – Associate exam. This certification is becoming an increasingly important credential that every information technology professional and cloud practitioner who plans, designs, and builds application architectures for deployment on AWS should obtain. Passing the AWS Certified Solutions Architect – Associate exam demonstrates to your colleagues, employers, and the industry at large that you know how to build and deploy AWS solutions that are highly available, secure, performant, and cost effective.

This study guide was written by AWS solutions architects who wrote and reviewed exam questions for the AWS Certified Solutions Architect exams. Although nothing replaces hands-on experience building and deploying a variety of cloud applications and controls on AWS, this study guide, and the questions and exercises in each chapter, provide you with coverage of the basic AWS Cloud services combined with architectural recommendations and best practices that will help prepare you for the exam. Combining this study guide with production application deployment experience and taking the practice exams online will prepare you well and allow you to take the exam with confidence. Adding the AWS Certified Solutions Architect – Associate certification to your credentials will establish you as an industry-recognized solutions architect for the AWS platform!

—Kevin E. Kelly
Americas Solutions Architecture Lead
AWS Certified Solutions Architect – Associate
AWS Certified Solutions Architect – Professional
Herndon, VA
Introduction

Studying for any certification exam can seem daunting. This AWS Certified Solutions Architect Official Study Guide: Associate Exam was designed and developed with relevant topics, questions, and exercises to enable a cloud practitioner to focus their precious study time and effort on the germane set of topics, targeted at the right level of abstraction, so they can confidently take the AWS Certified Solutions Architect – Associate exam.

This study guide presents a set of topics needed to round out a cloud practitioner's hands-on experience with AWS by covering the basic AWS Cloud services and concepts within the scope of the AWS Certified Solutions Architect – Associate exam. This study guide begins with an introduction to AWS, which is then followed by chapters on specific AWS Cloud services. In addition to the services chapters, the topics of security, risk and compliance, and architecture best practices are covered, providing the reader with a solid base for understanding how to build and deploy applications on the AWS platform. Furthermore, the AWS architectural best practices and principles are reinforced in every chapter and reflected in the self-study questions and examples to highlight the development and deployment of applications for AWS that are secure, highly available, performant, and cost effective. Each chapter includes specific information on the service or topic covered, followed by an Exam Essentials section that contains key information needed in your exam preparation. The Exam Essentials section is followed by an Exercises section with exercises designed to help reinforce the topic of the chapter with hands-on learning. Next, each chapter contains sample questions to get you accustomed to answering questions about AWS Cloud services and architecture topics. The book also contains a self-assessment exam with 25 questions, two practice exams with 50 questions each to help you gauge your readiness to take the exam, and flashcards to help you learn and retain key facts needed to prepare for the exam.

If you are looking for a targeted book written by solutions architects who wrote, reviewed, and developed the AWS Certified Solutions Architect – Associate exam, then this is the book for you.
What Does This Book Cover?

This book covers topics you need to know to prepare for the Amazon Web Services (AWS) Certified Solutions Architect – Associate exam:

Chapter 1: Introduction to AWS  This chapter provides an introduction to the AWS Cloud computing platform. It discusses the advantages of cloud computing and the fundamentals of AWS. It provides an overview of the AWS Cloud services that are fundamentally important for the exam.

Chapter 2: Amazon Simple Storage Service (Amazon S3) and Amazon Glacier Storage  This chapter provides you with a basic understanding of the core object storage services available on AWS: Amazon Simple Storage Service (Amazon S3) and Amazon Glacier. These services are used to store objects on AWS.

Chapter 3: Amazon Elastic Compute Cloud (Amazon EC2) and Amazon Elastic Block Store (Amazon EBS)  In this chapter, you will learn how Amazon Elastic Compute Cloud (Amazon EC2) and Amazon Elastic Block Store (Amazon EBS) provide the basic elements of compute and block-level storage to run your workloads on AWS.

Chapter 4: Amazon Virtual Private Cloud (Amazon VPC)  This chapter describes Amazon Virtual Private Cloud (Amazon VPC), which is a custom-defined virtual network within AWS. You will learn how to design secure architectures using Amazon VPC to provision your own logically isolated section of AWS.

Chapter 5: Elastic Load Balancing, Amazon CloudWatch, and Auto Scaling  In this chapter, you will learn how Elastic Load Balancing, Amazon CloudWatch, and Auto Scaling work independently and together to help you efficiently and cost-effectively deploy highly available and optimized workloads on AWS.

Chapter 6: AWS Identity and Access Management (IAM)  This chapter covers AWS Identity and Access Management (IAM), which is used to secure transactions with the AWS resources in your AWS account.

Chapter 7: Databases and AWS  This chapter covers essential database concepts and introduces three of the AWS managed database services: Amazon Relational Database Service (Amazon RDS), Amazon DynamoDB, and Amazon Redshift. These managed services simplify the setup and operation of relational databases, NoSQL databases, and data warehouses.

Chapter 8: SQS, SWF, and SNS  This chapter focuses on application services in AWS, specifically Amazon Simple Queue Service (Amazon SQS), Amazon Simple Workflow Service (Amazon SWF), and Amazon Simple Notification Service (Amazon SNS). It also covers architectural guidance on using these services and the use of Amazon SNS in mobile applications.

Chapter 9: Domain Name System (DNS) and Amazon Route 53  In this chapter, you will learn about Domain Name System (DNS) and the Amazon Route 53 service, which is designed to help users find your website or application over the Internet.

Chapter 10: Amazon ElastiCache  This chapter focuses on building high-performance applications using in-memory caching technologies and Amazon ElastiCache.

Chapter 11: Additional Key Services  Additional services not covered in other chapters are covered in this chapter. Topics include Amazon CloudFront, AWS Storage Gateway, AWS Directory Service, AWS Key Management Service (KMS), AWS CloudHSM, AWS CloudTrail, Amazon Kinesis, Amazon Elastic MapReduce (Amazon EMR), AWS Data Pipeline, AWS Import/Export, AWS OpsWorks, AWS CloudFormation, AWS Elastic Beanstalk, AWS Trusted Advisor, and AWS Config.

Chapter 12: Security on AWS  This chapter covers the relevant security topics that are within scope for the AWS Certified Solutions Architect – Associate exam.

Chapter 13: AWS Risk and Compliance  This chapter covers topics associated with risk and compliance, risk mitigation, and the shared responsibility model of using AWS.

Chapter 14: Architecture Best Practices  The final chapter covers the AWS-recommended design principles and best practices for architecting systems and applications for the Cloud.
Interactive Online Learning Environment and Test Bank

The authors have worked hard to provide some really great tools to help you with your certification process. The interactive online learning environment that accompanies the AWS Certified Solutions Architect Official Study Guide: Associate Exam provides a test bank with study tools to help you prepare for the certification exam—and increase your chances of passing it the first time! The test bank includes the following:

Sample Tests  All the questions in this book are provided, including the assessment test at the end of this Introduction and the chapter tests that include the review questions at the end of each chapter. In addition, there are two practice exams with 50 questions each. Use these questions to test your knowledge of the study guide material. The online test bank runs on multiple devices.

Flashcards  The online test bank includes 100 flashcards specifically written to hit you hard, so don't get discouraged if you don't ace your way through them at first. They're there to ensure that you're really ready for the exam. And no worries—armed with the review questions, practice exams, and flashcards, you'll be more than prepared when exam day comes. Questions are provided in digital flashcard format (a question followed by a single correct answer). You can use the flashcards to reinforce your learning and provide last-minute test prep before the exam.

Glossary  A glossary of key terms from this book is available as a fully searchable PDF.

Go to http://www.wiley.com/go/sybextestprep to register and gain access to this interactive online learning environment and test bank with study tools.
Exam Objectives

The AWS Certified Solutions Architect—Associate exam is intended for people who have experience in designing distributed applications and systems on the AWS platform. Here are some of the key exam topics that you should understand for this exam:

Designing and deploying scalable, highly available, and fault-tolerant systems on AWS
Migrating existing on-premises applications to AWS
Ingress and egress of data to and from AWS
Selecting the appropriate AWS service based on data, compute, database, or security requirements
Identifying appropriate use of AWS architectural best practices
Estimating AWS costs and identifying cost control mechanisms

In general, candidates should have the following:

One or more years of hands-on experience designing highly available, cost efficient, secure, fault tolerant, and scalable distributed systems on AWS
In-depth knowledge of at least one high-level programming language
Ability to identify and define requirements for an AWS-based application
Experience with deploying hybrid systems with on-premises and AWS components
Capability to provide best practices for building secure and reliable applications on the AWS platform

The exam covers four different domains, with each domain broken down into objectives and subobjectives.

Objective Map

The following table lists each domain and its weighting in the exam, along with the chapters in the book where that domain's objectives and subobjectives are covered.
| Domain | Percentage of Exam | Chapter |
|---|---|---|
| 1. Domain 1.0: Designing highly available, cost-efficient, fault-tolerant, scalable systems | 60% | |
| 1.1 Identify and recognize cloud architecture considerations, such as fundamental components and effective designs. | | 1, 2, 3, 4, 5, 7, 8, 9, 10, 11, 14 |
| Content may include the following: | | |
| How to design cloud services | | 1, 2, 3, 4, 8, 9, 11, 14 |
| Planning and design | | 1, 2, 3, 4, 7, 8, 9, 10, 11, 14 |
| Monitoring and logging | | 2, 3, 8, 9, 11 |
| Familiarity with: | | |
| Best practices for AWS architecture | | 1, 2, 4, 7, 8, 9, 10, 14 |
| Developing to client specifications, including pricing/cost (e.g., On-Demand vs. Reserved vs. Spot; RTO and RPO DR design) | | 2, 7, 9 |
| Architectural trade-off decisions (e.g., high availability vs. cost, Amazon Relational Database Service (RDS) vs. installing your own database on Amazon Elastic Compute Cloud (EC2)) | | 2, 4, 7, 8, 9, 10 |
| Hybrid IT architectures (e.g., Direct Connect, Storage Gateway, VPC, Directory Services) | | 1, 2, 4, 14 |
| Elasticity and scalability (e.g., Auto Scaling, SQS, ELB, CloudFront) | | 1, 2, 5, 7, 8, 9, 10, 14 |
| 2. Domain 2.0: Implementation/Deployment | 10% | |
| 2.1 Identify the appropriate techniques and methods using Amazon EC2, Amazon S3, AWS Elastic Beanstalk, AWS CloudFormation, AWS OpsWorks, Amazon Virtual Private Cloud (VPC), and AWS Identity and Access Management (IAM) to code and implement a cloud solution. | | 1, 2, 3, 4, 5, 6, 8, 11, 13 |
| Content may include the following: | | |
| Configure an Amazon Machine Image (AMI). | | 2, 3, 11 |
| Operate and extend service management in a hybrid IT architecture. | | 1, 4 |
| Configure services to support compliance requirements in the cloud. | | 2, 3, 4, 11, 13 |
| Launch instances across the AWS global infrastructure. | | 1, 2, 3, 5, 8, 11 |
| Configure IAM policies and best practices. | | 2, 6 |
| 3. Domain 3.0: Data Security | 20% | |
| 3.1 Recognize and implement secure practices for optimum cloud deployment and maintenance. | | 2, 4, 10, 12, 13 |
| Content may include the following: | | |
| AWS shared responsibility model | | 12, 13 |
| AWS platform compliance | | 11, 12, 13 |
| AWS security attributes (customer workloads down to physical layer) | | 4, 11, 12, 13 |
| AWS administration and security services | | 7, 10, 11, 12 |
| AWS Identity and Access Management (IAM) | | 6, 12 |
| Amazon Virtual Private Cloud (VPC) | | 4, 12 |
| AWS CloudTrail | | 11, 12 |
| Ingress vs. egress filtering, and which AWS services and features fit | | 11, 12 |
| "Core" Amazon EC2 and S3 security feature sets | | 2, 4, 12 |
| Incorporating common conventional security products (Firewall, VPN) | | 4, 12 |
| Design patterns | | 7, 13 |
| DDoS mitigation | | 12 |
| Encryption solutions (e.g., key services) | | 2, 11, 12 |
| Complex access controls (building sophisticated security groups, ACLs, etc.) | | 2, 12 |
| Amazon CloudWatch for the security architect | | 5 |
| Trusted Advisor | | 11 |
| CloudWatch Logs | | 5 |
| 3.2 Recognize critical disaster recovery techniques and their implementation. | | 3, 7, 9, 10 |
| Content may include the following: | | |
| Disaster recovery | | 3 |
| Recovery time objective | | 7 |
| Recovery point objective | | 7 |
| Amazon Elastic Block Store | | 3 |
| AWS Import/Export | | 11 |
| AWS Storage Gateway | | 11 |
| Amazon Route 53 | | 9 |
| Validation of data recovery method | | 3 |
| 4. Domain 4.0: Troubleshooting | 10% | |
| Content may include the following: | | |
| General troubleshooting information and questions | | 5, 8 |
Assessment Test

1. Under a single AWS account, you have set up an Auto Scaling group with a maximum capacity of 50 Amazon Elastic Compute Cloud (Amazon EC2) instances in us-west-2. When you scale out, however, it only increases to 20 Amazon EC2 instances. What is the likely cause?
A. Auto Scaling has a hard limit of 20 Amazon EC2 instances.
B. If not specified, the Auto Scaling group maximum capacity defaults to 20 Amazon EC2 instances.
C. The Auto Scaling group desired capacity is set to 20, so Auto Scaling stopped at 20 Amazon EC2 instances.
D. You have exceeded the default Amazon EC2 instance limit of 20 per region.

2. Elastic Load Balancing allows you to distribute traffic across which of the following?
A. Only within a single Availability Zone
B. Multiple Availability Zones within a region
C. Multiple Availability Zones within and between regions
D. Multiple Availability Zones within and between regions and on-premises virtualized instances running OpenStack

3. Amazon CloudWatch offers which types of monitoring plans? (Choose 2 answers)
A. Basic
B. Detailed
C. Diagnostic
D. Precognitive
E. Retroactive

4. An Amazon Elastic Compute Cloud (Amazon EC2) instance in an Amazon Virtual Private Cloud (Amazon VPC) subnet can send and receive traffic from the Internet when which of the following conditions are met? (Choose 3 answers)
A. Network Access Control Lists (ACLs) and security group rules disallow all traffic except relevant Internet traffic.
B. Network ACLs and security group rules allow relevant Internet traffic.
C. Attach an Internet Gateway (IGW) to the Amazon VPC and create a subnet route table to send all non-local traffic to that IGW.
D. Attach a Virtual Private Gateway (VPG) to the Amazon VPC and create subnet routes to send all non-local traffic to that VPG.
E. The Amazon EC2 instance has a public IP address or Elastic IP (EIP) address.
F. The Amazon EC2 instance does not need a public IP or Elastic IP when using Amazon VPC.

5. If you launch five Amazon Elastic Compute Cloud (Amazon EC2) instances in an Amazon Virtual Private Cloud (Amazon VPC) without specifying a security group, the instances will be launched into a default security group that provides which of the following? (Choose 3 answers)
A. The five Amazon EC2 instances can communicate with each other.
B. The five Amazon EC2 instances cannot communicate with each other.
C. All inbound traffic will be allowed to the five Amazon EC2 instances.
D. No inbound traffic will be allowed to the five Amazon EC2 instances.
E. All outbound traffic will be allowed from the five Amazon EC2 instances.
F. No outbound traffic will be allowed from the five Amazon EC2 instances.

6. Your company wants to host its secure web application in AWS. The internal security policies consider any connections to or from the web server as insecure and require application data protection. What approaches should you use to protect data in transit for the application? (Choose 2 answers)
A. Use BitLocker to encrypt data.
B. Use HTTPS with server certificate authentication.
C. Use an AWS Identity and Access Management (IAM) role.
D. Use Secure Sockets Layer (SSL)/Transport Layer Security (TLS) for database connection.
E. Use XML for data transfer from client to server.

7. You have an application that will run on an Amazon Elastic Compute Cloud (Amazon EC2) instance. The application will make requests to Amazon Simple Storage Service (Amazon S3) and Amazon DynamoDB. Using best practices, what type of AWS Identity and Access Management (IAM) identity should you create for your application to access the identified services?
A. IAM role
B. IAM user
C. IAM group
D. IAM directory

8. When a request is made to an AWS Cloud service, the request is evaluated to decide whether it should be allowed or denied. The evaluation logic follows which of the following rules? (Choose 3 answers)
A. An explicit allow overrides any denies.
B. By default, all requests are denied.
C. An explicit allow overrides the default.
D. An explicit deny overrides any allows.
E. By default, all requests are allowed.

9. What is the data processing engine behind Amazon Elastic MapReduce (Amazon EMR)?
A. Apache Hadoop
B. Apache Hive
C. Apache Pig
D. Apache HBase

10. What type of AWS Elastic Beanstalk environment tier provisions resources to support a web application that handles background processing tasks?
A. Web server environment tier
B. Worker environment tier
C. Database environment tier
D. Batch environment tier

11. What Amazon Relational Database Service (Amazon RDS) feature provides the high availability for your database?
A. Regular maintenance windows
B. Security groups
C. Automated backups
D. Multi-AZ deployment

12. What administrative tasks are handled by AWS for Amazon Relational Database Service (Amazon RDS) databases? (Choose 3 answers)
A. Regular backups of the database
B. Deploying virtual infrastructure
C. Deploying the schema (for example, tables and stored procedures)
D. Patching the operating system and database software
E. Setting up non-admin database accounts and privileges

13. Which of the following use cases is well suited for Amazon Redshift?
A. A 500 TB data warehouse used for market analytics
B. A NoSQL, unstructured database workload
C. A high traffic, e-commerce web application
D. An in-memory cache
14. Which of the following statements about Amazon DynamoDB secondary indexes is true?
A. There can be many per table, and they can be created at any time.
B. There can be many per table, but all of them must be created when the table is created.
C. There can only be one per table, and it can be created at any time.
D. There can only be one per table, and it must be created when the table is created.
15. What is the primary use case of Amazon Kinesis Firehose?
A. Ingest huge streams of data and allow custom processing of data in flight.
B. Ingest huge streams of data and store it to Amazon Simple Storage Service (Amazon S3), Amazon Redshift, or Amazon Elasticsearch Service.
C. Generate a huge stream of data from an Amazon S3 bucket.
D. Generate a huge stream of data from Amazon DynamoDB.

16. Your company has 17 TB of financial trading records that need to be stored for seven years by law. Experience has shown that any record more than a year old is unlikely to be accessed. Which of the following storage plans meets these needs in the most cost-efficient manner?
A. Store the data on Amazon Elastic Block Store (Amazon EBS) volumes attached to t2.large instances.
B. Store the data on Amazon Simple Storage Service (Amazon S3) with lifecycle policies that change the storage class to Amazon Glacier after one year, and delete the object after seven years.
C. Store the data in Amazon DynamoDB, and delete data older than seven years.
D. Store the data in an Amazon Glacier Vault Lock.

17. What must you do to create a record of who accessed your Amazon Simple Storage Service (Amazon S3) data and from where?
A. Enable Amazon CloudWatch logs.
B. Enable versioning on the bucket.
C. Enable website hosting on the bucket.
D. Enable server access logs on the bucket.
E. Create an AWS Identity and Access Management (IAM) bucket policy.

18. Amazon Simple Storage Service (Amazon S3) is an eventually consistent storage system. For what kinds of operations is it possible to get stale data as a result of eventual consistency?
A. GET after PUT of a new object
B. GET or LIST after a DELETE
C. GET after overwrite PUT (PUT to an existing key)
D. DELETE after GET of new object

19. How is data stored in Amazon Simple Storage Service (Amazon S3) for high durability?
A. Data is automatically replicated to other regions.
B. Data is automatically replicated to different Availability Zones within a region.
C. Data is replicated only if versioning is enabled on the bucket.
D. Data is automatically backed up on tape and restored if needed.

20. Your company needs to provide streaming access to videos to authenticated users around the world. What is a good way to accomplish this?
A. Use Amazon Simple Storage Service (Amazon S3) buckets in each region with website hosting enabled.
B. Store the videos on Amazon Elastic Block Store (Amazon EBS) volumes.
C. Enable Amazon CloudFront with geolocation and signed URLs.
D. Run a fleet of Amazon Elastic Compute Cloud (Amazon EC2) instances to host the videos.

21. Which of the following are true about the AWS shared responsibility model? (Choose 3 answers)
A. AWS is responsible for all infrastructure components (that is, AWS Cloud services) that support customer deployments.
B. The customer is responsible for the components from the guest operating system upward (including updates, security patches, and antivirus software).
C. The customer may rely on AWS to manage the security of their workloads deployed on AWS.
D. While AWS manages security of the cloud, security in the cloud is the responsibility of the customer.
E. The customer must audit the AWS data centers personally to confirm the compliance of AWS systems and services.

22. Which process in an Amazon Simple Workflow Service (Amazon SWF) workflow implements a task?
A. Decider
B. Activity worker
C. Workflow starter
D. Business rule

23. Which of the following is true if you stop an Amazon Elastic Compute Cloud (Amazon EC2) instance with an Elastic IP address in an Amazon Virtual Private Cloud (Amazon VPC)?
A. The instance is disassociated from its Elastic IP address and must be re-attached when the instance is restarted.
B. The instance remains associated with its Elastic IP address.
C. The Elastic IP address is released from your account.
D. The instance is disassociated from the Elastic IP address temporarily while you restart the instance.

24. Which Amazon Elastic Compute Cloud (Amazon EC2) pricing model allows you to pay a set hourly price for compute, giving you full control over when the instance launches and terminates?
A. Spot instances
B. Reserved instance
C. On Demand instances
D. Dedicated instances

25. Under what circumstances will Amazon Elastic Compute Cloud (Amazon EC2) instance store data not be preserved?
A. The associated security groups are changed.
B. The instance is stopped or rebooted.
C. The instance is rebooted or terminated.
D. The instance is stopped or terminated.
E. None of the above
Answers to Assessment Test

1. D. Auto Scaling may cause you to reach limits of other services, such as the default number of Amazon EC2 instances you can currently launch within a region, which was 20 when this guide was written. That limit is a soft quota that can be raised on request, and current accounts are governed by vCPU-based On-Demand instance limits instead, so check the quotas for your own account before sizing a group.

2. B. The Elastic Load Balancing service allows you to distribute traffic across a group of Amazon Elastic Compute Cloud (Amazon EC2) instances in one or more Availability Zones within a region.

3. A and B. Amazon CloudWatch has two plans: basic and detailed. There are no diagnostic, precognitive, or retroactive monitoring plans for Amazon CloudWatch.

4. B, C, and E. You must do the following to create a public subnet with Internet access:
- Attach an IGW to your Amazon VPC.
- Create a subnet route table rule to send all non-local traffic (for example, 0.0.0.0/0) to the IGW.
- Configure your network ACLs and security group rules to allow relevant traffic to flow to and from your instance.
You must do the following to enable an Amazon EC2 instance to send and receive traffic from the Internet:
- Assign a public IP address or EIP address.

5. A, D, and E. If a security group is not specified at launch, then an Amazon EC2 instance will be launched into the default security group for the Amazon VPC. The default security group allows communication between all resources within the security group, allows all outbound traffic, and denies all other traffic.

6. B and D. To protect data in transit from the clients to the web application, HTTPS with server certificate authentication should be used. To protect data in transit from the web application to the database, SSL/TLS for the database connection should be used.

7. A. Don't create an IAM user (or an IAM group) and pass the user's credentials to the application or embed the credentials in the application. Instead, create an IAM role that you attach to the Amazon EC2 instance to give applications running on the instance temporary security credentials. The credentials have the permissions specified in the policies attached to the role. A directory is not an identity object in IAM.

8. B, C, and D. When a request is made, the AWS service decides whether a given request should be allowed or denied. The evaluation logic follows these rules:
1) By default, all requests are denied (in general, requests made using the account credentials for resources in the account are always allowed).
2) An explicit allow overrides this default.
3) An explicit deny overrides any allows.
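The three rules can be exercised against sample policy documents. The Python below is an added example written for this page, not code from the book or from AWS; the policies, ARNs, and account ID are constructed placeholders, and it covers only the Effect, Action, and Resource elements of a policy (no Condition, NotAction, permissions boundaries, or cross-account evaluation).

```python
"""Minimal model of IAM request evaluation: implicit deny, explicit Allow
overrides the default, explicit Deny overrides any Allow.
Added example for this page; not AWS code and not the book's."""
from fnmatch import fnmatchcase

# Constructed sample policies with placeholder ARNs and account ID.
POLICIES = [
    {   # developer policy: read one bucket, anything on one DynamoDB table
        "Statement": [
            {"Effect": "Allow",
             "Action": ["s3:GetObject", "s3:ListBucket"],
             "Resource": ["arn:aws:s3:::example-bucket",
                          "arn:aws:s3:::example-bucket/*"]},
            {"Effect": "Allow",
             "Action": "dynamodb:*",
             "Resource": "arn:aws:dynamodb:us-west-2:111122223333:table/Orders"},
        ]
    },
    {   # guardrail policy: table deletion is denied even though dynamodb:* is allowed above
        "Statement": [
            {"Effect": "Deny", "Action": "dynamodb:DeleteTable", "Resource": "*"},
        ]
    },
]


def _match_any(patterns, value, fold_case):
    """IAM-style wildcard match ('*' any run, '?' one char) against one or more patterns.
    Action names are case-insensitive; resource ARNs are compared as written."""
    if isinstance(patterns, str):
        patterns = [patterns]
    if fold_case:
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatchcase(value, p) for p in patterns)


def evaluate(action, resource, policies=POLICIES):
    """Return 'Allow' or 'Deny' for a single request across all attached policies."""
    decision = "Deny"                       # rule 1: implicit deny
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_match_any(stmt["Action"], action, fold_case=True)
                    and _match_any(stmt["Resource"], resource, fold_case=False)):
                continue                    # statement does not apply to this request
            if stmt["Effect"] == "Deny":
                return "Deny"               # rule 3: explicit deny wins immediately
            decision = "Allow"              # rule 2: explicit allow overrides the default
    return decision


if __name__ == "__main__":
    table = "arn:aws:dynamodb:us-west-2:111122223333:table/Orders"
    for act, res in [("s3:GetObject", "arn:aws:s3:::example-bucket/report.csv"),
                     ("s3:PutObject", "arn:aws:s3:::example-bucket/report.csv"),
                     ("dynamodb:PutItem", table),
                     ("dynamodb:DeleteTable", table)]:
        print(f"{act:22} {res:55} -> {evaluate(act, res)}")
```

The guardrail policy shows why rule 3 matters in practice: a broad `dynamodb:*` grant in one policy cannot be used to delete the table, because the separate explicit Deny is evaluated across every policy attached to the principal. The real service also evaluates resource-based policies, session policies, and service control policies, which this model omits.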
9. A. Amazon EMR uses Apache Hadoop as its distributed data processing engine. Hadoop is an open source, Java software framework that supports data-intensive distributed applications running on large clusters of commodity hardware. Hive, Pig, and HBase are packages that run on top of Hadoop.

10. B. An environment tier whose web application runs background jobs is known as a worker tier. An environment tier whose web application processes web requests is known as a web server tier. Database and batch are not valid environment tiers.

11. D. Multi-AZ deployment uses synchronous replication to a different Availability Zone so that operations can continue on the replica if the master database stops responding for any reason. Automated backups provide disaster recovery, not high availability. Security groups, while important, have no effect on availability. Maintenance windows are actually times when the database may not be available.

12. A, B, and D. Amazon RDS will launch Amazon Elastic Compute Cloud (Amazon EC2) instances, install the database software, handle all patching, and perform regular backups. Anything within the database software (schema, user accounts, and so on) is the responsibility of the customer.

13. A. Amazon Redshift is a petabyte-scale data warehouse. It is not well suited for unstructured NoSQL data or highly dynamic transactional data. It is in no way a cache.
14. A. A DynamoDB table can have multiple secondary indexes. Local secondary indexes must be defined when the table is created, but global secondary indexes can be added to, or removed from, an existing table at any time, so the statement that secondary indexes can be created at any time is the one that holds.
15. B. The Amazon Kinesis family of services provides functionality to ingest large streams of data. Amazon Kinesis Firehose is specifically designed to ingest a stream and save it to any of the three storage services listed in Response B.

16. B. Amazon S3 and Amazon Glacier are the most cost-effective storage services. After a year, when the objects are unlikely to be accessed, you can save costs by transferring the objects to Amazon Glacier, where the retrieval time is three to five hours with a standard retrieval.

17. D. Server access logs provide a record of any access to an object in Amazon S3.
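Server access logs only answer "who, from where" if you can read them: each delivered log line is a space-delimited record with a bracketed timestamp and double-quoted request, referrer, and user-agent fields. The parser below is an added example written for this page (not book or AWS code) over three constructed log lines with placeholder IPs, account ID, and request IDs; it assumes the documented field order for the first 24 fields and keeps anything after them as extra fields.

```python
"""Parse Amazon S3 server access log lines and pull out who accessed what, from where.
Added example for this page; sample lines below are constructed, not real log data."""
import re
from collections import Counter

# Documented field order of the S3 server access log format (first 24 fields).
FIELDS = [
    "bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
    "operation", "key", "request_uri", "http_status", "error_code", "bytes_sent",
    "object_size", "total_time", "turn_around_time", "referer", "user_agent",
    "version_id", "host_id", "signature_version", "cipher_suite",
    "authentication_type", "host_header", "tls_version",
]

# One token: a [bracketed timestamp], a "double-quoted string", or a bare word.
_TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')

# Constructed sample: an IAM user GET, an anonymous GET, and a denied PUT.
SAMPLE_LOG = """\
79a59df900b949e55d96a1e698fbacedfd6e09d98eaa2bfa3bb04b9d5e1c4af examplebucket [06/Feb/2019:00:00:38 +0000] 192.0.2.3 arn:aws:iam::111122223333:user/alice 3E57427F3EXAMPLE REST.GET.OBJECT reports/q1.csv "GET /reports/q1.csv HTTP/1.1" 200 - 2048 2048 12 11 "-" "aws-cli/1.16.0" - hostidEXAMPLE= SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader examplebucket.s3.us-west-2.amazonaws.com TLSv1.2
79a59df900b949e55d96a1e698fbacedfd6e09d98eaa2bfa3bb04b9d5e1c4af examplebucket [06/Feb/2019:00:01:02 +0000] 198.51.100.7 - A1B2C3D4EXAMPLE REST.GET.OBJECT public/logo.png "GET /public/logo.png HTTP/1.1" 200 - 5120 5120 9 8 "https://example.com/" "Mozilla/5.0" - hostidEXAMPLE= - - AnonymousUser examplebucket.s3.us-west-2.amazonaws.com TLSv1.2
79a59df900b949e55d96a1e698fbacedfd6e09d98eaa2bfa3bb04b9d5e1c4af examplebucket [06/Feb/2019:00:02:17 +0000] 203.0.113.9 arn:aws:iam::111122223333:user/bob 9F8E7D6CEXAMPLE REST.PUT.OBJECT reports/q1.csv "PUT /reports/q1.csv HTTP/1.1" 403 AccessDenied - 1024 4 - "-" "aws-sdk-java/1.11.0" - hostidEXAMPLE= SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader examplebucket.s3.us-west-2.amazonaws.com TLSv1.2
"""


def parse_line(line):
    """Tokenize one log line and map tokens onto FIELDS; surplus tokens go to 'extra'."""
    tokens = [t.strip('[]"') for t in _TOKEN.findall(line)]
    record = dict(zip(FIELDS, tokens))
    record["extra"] = tokens[len(FIELDS):]
    return record


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def access_summary(records):
    """Count object-level requests per (requester, remote_ip): the 'who and from where'."""
    counts = Counter()
    for r in records:
        if r["operation"].startswith("REST.") and r["key"] != "-":
            counts[(r["requester"], r["remote_ip"])] += 1
    return counts


def unauthenticated_reads(records):
    """Successful object GETs with no authenticated requester ('-'): public exposure to review."""
    return [(r["remote_ip"], r["key"]) for r in records
            if r["requester"] == "-"
            and r["operation"] == "REST.GET.OBJECT"
            and r["http_status"] == "200"]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (who, ip), n in access_summary(recs).items():
        print(f"{who:45} {ip:15} {n}")
    print("anonymous reads:", unauthenticated_reads(recs))
```

Two caveats a practitioner should keep in mind: server access log delivery is best-effort, so a missing line is not proof that an access did not happen, and the `requester` field is `-` for anonymous requests, which is exactly the condition `unauthenticated_reads` flags. For an authoritative, per-API record with IAM principal details, AWS CloudTrail data events for the bucket are the complementary source.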
18. C. Amazon S3 provides read-after-write consistency for PUTs to new objects (new key), but eventual consistency for GETs and DELETEs of existing objects (existing key). Response C changes the existing object so that a subsequent GET may fetch the previous, inconsistent object. Note that this describes the model in force when this guide was written; since December 2020 Amazon S3 has provided strong read-after-write consistency for all PUT and DELETE operations, so an overwrite PUT or a DELETE is no longer followed by stale reads.
19. B. AWS will never transfer data between regions unless directed to by you. Durability in Amazon S3 is achieved by replicating your data geographically to different Availability Zones regardless of the versioning configuration. AWS doesn't use tapes.

20. C. Amazon CloudFront provides the best user experience by delivering the data from a geographically advantageous edge location. Signed URLs allow you to control access to authenticated users.

21. A, B, and D. In the AWS shared responsibility model, customers retain control of what security they choose to implement to protect their own content, platform, applications, systems, and networks, no differently than they would for applications in an on-site data center.

22. B. An activity worker is a process or thread that performs the activity tasks that are part of your workflow. Each activity worker polls Amazon SWF for new tasks that are appropriate for that activity worker to perform; certain tasks can be performed only by certain activity workers. After receiving a task, the activity worker processes the task to completion and then reports to Amazon SWF that the task was completed and provides the result. The activity task represents one of the tasks that you identified in your application.

23. B. In an Amazon VPC, an instance's Elastic IP address remains associated with an instance when the instance is stopped.

24. C. You pay a set hourly price for an On Demand instance from when you launch it until you explicitly stop or terminate it. Spot instances can be terminated when the spot price goes above your bid price. Reserved instances involve paying for an instance over a one- or three-year term. Dedicated instances run on hardware dedicated to your account and are not a pricing model.

25. D. The data in an instance store persists only during the lifetime of its associated instance. If an instance is stopped or terminated, then the instance store does not persist. Rebooting an instance does not shut down the instance; if an instance reboots (intentionally or unintentionally), data on the instance store persists. Security groups have nothing to do with the lifetime of an instance and have no effect here.
Chapter 1: Introduction to AWS

THE AWS CERTIFIED SOLUTIONS ARCHITECT ASSOCIATE EXAM OBJECTIVES COVERED IN THIS CHAPTER MAY INCLUDE, BUT ARE NOT LIMITED TO, THE FOLLOWING:

Domain 1.0: Designing highly available, cost-efficient, fault-tolerant, scalable systems
1.1 Identify and recognize cloud architecture considerations, such as fundamental components and effective designs.
Content may include the following:
How to design cloud services
Planning and design
Familiarity with:
Best practices for AWS architecture
Hybrid IT architectures (e.g., AWS Direct Connect, AWS Storage Gateway, Amazon Virtual Private Cloud [Amazon VPC], AWS Directory Service)
Elasticity and scalability (e.g., Auto Scaling, Amazon Simple Queue Service [Amazon SQS], Elastic Load Balancing, Amazon CloudFront)

Domain 2.0: Implementation/Deployment
2.1 Identify the appropriate techniques and methods using Amazon Elastic Compute Cloud (Amazon EC2), Amazon Simple Storage Service (Amazon S3), AWS Elastic Beanstalk, AWS CloudFormation, AWS OpsWorks, Amazon VPC, and AWS Identity and Access Management (IAM) to code and implement a cloud solution.
Content may include the following:
Operate and extend service management in a hybrid IT architecture.
Configure services to support compliance requirements in the cloud.
Launch instances across the AWS global infrastructure.
In 2006, Amazon Web Services, Inc. (AWS) began offering IT infrastructure services to businesses in the form of web services, now commonly known as cloud computing. One of the key benefits of cloud computing is the opportunity to replace up-front capital infrastructure expenses with low variable costs that scale with your business. With the cloud, businesses no longer need to plan for and procure servers and other IT infrastructure weeks or months in advance. Instead, they can instantly spin up hundreds or thousands of servers in minutes and deliver results faster.

Today, AWS provides a highly reliable, scalable, and low-cost infrastructure platform in the cloud that powers hundreds of thousands of businesses in more than 190 countries around the world.

This chapter provides an introduction to the AWS Cloud computing platform. It discusses the advantages of cloud computing and the fundamentals of AWS. It provides an overview of the AWS Cloud services that are fundamentally important for the exam.
What Is Cloud Computing?

Cloud computing is the on-demand delivery of IT resources and applications via the Internet with pay-as-you-go pricing. Whether you run applications that share photos to millions of mobile users or deliver services that support the critical operations of your business, the cloud provides rapid access to flexible and low-cost IT resources. With cloud computing, you don't need to make large up-front investments in hardware and spend a lot of time managing that hardware. Instead, you can provision exactly the right type and size of computing resources you need to power your newest bright idea or operate your IT department. With cloud computing, you can access as many resources as you need, almost instantly, and only pay for what you use.

In its simplest form, cloud computing provides an easy way to access servers, storage, databases, and a broad set of application services over the Internet. Cloud computing providers such as AWS own and maintain the network-connected hardware required for these application services, while you provision and use what you need for your workloads.

Advantages of Cloud Computing

Cloud computing introduces a revolutionary shift in how technology is obtained, used, and managed, and in how organizations budget and pay for technology services. With the ability to reconfigure the computing environment quickly to adapt to changing business requirements, organizations can optimize spending. Capacity can be automatically scaled up or down to meet fluctuating usage patterns. Services can be temporarily taken offline or shut down permanently as business demands dictate. In addition, with pay-per-use billing, AWS Cloud services become an operational expense instead of a capital expense.

While each organization experiences a unique journey to the cloud with numerous benefits, six advantages become apparent time and time again, as illustrated in Figure 1.1.

FIGURE 1.1 Six advantages of cloud computing

Variable vs. Capital Expense

Let's begin with the ability to trade capital expense for variable operational expense. Instead of having to invest heavily in data centers and servers before knowing how you're going to use them, you can pay only when you consume computing resources and pay only for how much you consume.

Economies of Scale

Another advantage of cloud computing is that organizations benefit from massive economies of scale. By using cloud computing, you can achieve a lower variable cost than you would get on your own. Because usage from hundreds of thousands of customers is aggregated in the cloud, providers such as AWS can achieve higher economies of scale, which translates into lower prices.

Stop Guessing Capacity

When you make a capacity decision prior to deploying an application, you often end up either sitting on expensive idle resources or dealing with limited capacity. With cloud computing, organizations can stop guessing about capacity requirements for the infrastructure necessary to meet their business needs. They can access as much or as little as they need and scale up or down as required with only a few minutes' notice.

Increase Speed and Agility

In a cloud computing environment, new IT resources are one click away, which allows organizations to reduce the time it takes to make those resources available to developers from weeks to just minutes. This results in a dramatic increase in speed and agility for the organization, because the cost and time it takes to experiment and develop is significantly lower.

Focus on Business Differentiators

Cloud computing allows organizations to focus on their business priorities, instead of on the heavy lifting of racking, stacking, and powering servers. By embracing this paradigm shift, organizations can stop spending money on running and maintaining data centers. This allows organizations to focus on projects that differentiate their businesses, such as analyzing petabytes of data, delivering video content, building great mobile applications, or even exploring Mars.

Go Global in Minutes

Another advantage of cloud computing is the ability to go global in minutes. Organizations can easily deploy their applications to multiple locations around the world with just a few clicks. This allows organizations to provide redundancy across the globe and to deliver lower latency and better experiences to their customers at minimal cost. Going global used to be something only the largest enterprises could afford to do, but cloud computing democratizes this ability, making it possible for any organization.

While specific questions on these advantages of cloud computing are unlikely to be on the exam, having exposure to these benefits can help rationalize the appropriate answers.

Cloud Computing Deployment Models

The two primary cloud computing deployment models that the exam focuses on are "all-in" cloud-based deployments and hybrid deployments. It is important to understand how each strategy applies to architectural options and decisions.

An all-in cloud-based application is fully deployed in the cloud, with all components of the application running in the cloud. Applications in the cloud have either been created in the cloud or have been migrated from an existing infrastructure to take advantage of the benefits of cloud computing. Cloud-based applications can be built on low-level infrastructure pieces or can use higher-level services that provide abstraction from the management, architecting, and scaling requirements of core infrastructure.

A hybrid deployment is a common approach taken by many enterprises that connects infrastructure and applications between cloud-based resources and existing resources, typically in an existing data center. The most common method of hybrid deployment is between the cloud and existing on-premises infrastructure to extend and grow an organization's infrastructure while connecting cloud resources to internal systems. Choosing between an existing investment in infrastructure and moving to the cloud does not need to be a binary decision. Leveraging dedicated connectivity, identity federation, and integrated tools allows organizations to run hybrid applications across on-premises and cloud services.
AWS Fundamentals
At its core, AWS provides on-demand delivery of IT resources via the Internet on a secure cloud services platform, offering compute power, storage, databases, content delivery, and other functionality to help businesses scale and grow. Using AWS resources instead of your own is like purchasing electricity from a power company instead of running your own generator, and it provides the key advantages of cloud computing: Capacity exactly matches your need, you pay only for what you use, economies of scale result in lower costs, and the service is provided by a vendor experienced in running large-scale networks.
The AWS global infrastructure and the AWS approach to security and compliance are key foundational concepts to understand as you prepare for the exam.
Global Infrastructure
AWS serves over one million active customers in more than 190 countries, and it continues to expand its global infrastructure steadily to help organizations achieve lower latency and higher throughput for their business needs.
AWS provides a highly available technology infrastructure platform with multiple locations worldwide. These locations are composed of regions and Availability Zones. Each region is a separate geographic area. Each region has multiple, isolated locations known as Availability Zones. AWS enables the placement of resources and data in multiple locations. Resources aren't replicated across regions unless organizations choose to do so.
Each region is completely independent and is designed to be completely isolated from the other regions. This achieves the greatest possible fault tolerance and stability. Each Availability Zone is also isolated, but the Availability Zones in a region are connected through low-latency links. Availability Zones are physically separated within a typical metropolitan region and are located in lower-risk flood plains (specific flood zone categorization varies by region). In addition to using a discrete uninterruptible power supply (UPS) and on-site backup generators, they are each fed via different grids from independent utilities (when available) to reduce single points of failure further. Availability Zones are all redundantly connected to multiple tier-1 transit providers. By placing resources in separate Availability Zones, you can protect your website or application from a service disruption impacting a single location.
You can achieve high availability by deploying your application across multiple Availability Zones. Redundant instances for each tier (for example, web, application, and database) of an application should be placed in distinct Availability Zones, thereby creating a multisite solution. At a minimum, the goal is to have an independent copy of each application stack in two or more Availability Zones.
Security and Compliance
Whether on-premises or on AWS, information security is of paramount importance to organizations running critical workloads. Security is a core functional requirement that protects mission-critical information from accidental or deliberate theft, leakage, integrity compromise, and deletion. Helping to protect the confidentiality, integrity, and availability of systems and data is of the utmost importance to AWS, as is maintaining your trust and confidence.
This section is intended to provide a very brief introduction to the AWS approach to security and compliance. Chapter 12, "Security on AWS," and Chapter 13, "AWS Risk and Compliance," will address these topics in greater detail, including the importance of each on the exam.
Security
Cloud security at AWS is the number one priority. All AWS customers benefit from data center and network architectures built to satisfy the requirements of the most security-sensitive organizations. AWS and its partners offer hundreds of tools and features to help organizations meet their security objectives for visibility, auditability, controllability, and agility. This means that organizations can have the security they need, but without the capital outlay and with much lower operational overhead than in an on-premises environment.
Organizations leveraging AWS inherit all the best practices of AWS policies, architecture, and operational processes built to satisfy the requirements of the most security-sensitive customers. The AWS infrastructure has been designed to provide the highest availability while putting strong safeguards in place regarding customer privacy and segregation. When deploying systems on the AWS Cloud computing platform, AWS helps by sharing the security responsibilities with the organization. AWS manages the underlying infrastructure, and the organization can secure anything it deploys on AWS. This affords each organization the flexibility and agility they need in security controls.
This infrastructure is built and managed not only according to security best practices and standards, but also with the unique needs of the cloud in mind. AWS uses redundant and layered controls, continuous validation and testing, and a substantial amount of automation to ensure that the underlying infrastructure is monitored and protected 24/7. AWS ensures that these controls are consistently applied in every new data center or service.
Compliance
When customers move their production workloads to the AWS Cloud, both parties become responsible for managing the IT environment. Customers are responsible for setting up their environment in a secure and controlled manner. Customers also need to maintain adequate governance over their entire IT control environment. By tying together governance-focused, audit-friendly service features with applicable compliance or audit standards, AWS enables customers to build on traditional compliance programs. This helps organizations establish and operate in an AWS security control environment.
Organizations retain complete control and ownership over the region in which their data is physically located, allowing them to meet regional compliance and data residency requirements.
The IT infrastructure that AWS provides to organizations is designed and managed in alignment with security best practices and a variety of IT security standards. The following is a partial list of the many certifications and standards with which AWS complies:
Service Organization Controls (SOC) 1/International Standard on Assurance Engagements (ISAE) 3402, SOC 2, and SOC 3
Federal Information Security Management Act (FISMA), Department of Defense Information Assurance Certification and Accreditation Process (DIACAP), and Federal Risk and Authorization Management Program (FedRAMP)
Payment Card Industry Data Security Standard (PCI DSS) Level 1
International Organization for Standardization (ISO) 9001, ISO 27001, and ISO 27018
AWS provides a wide range of information regarding its IT control environment to help organizations achieve regulatory commitments in the form of reports, certifications, accreditations, and other third-party attestations.
AWS Cloud Computing Platform
AWS provides many cloud services that you can combine to meet business or organizational needs (see Figure 1.2). While being knowledgeable about all the platform services will allow you to be a well-rounded solutions architect, understanding the services and fundamental concepts outlined in this book will help prepare you for the AWS Certified Solutions Architect – Associate exam.
FIGURE 1.2 AWS Cloud computing platform
This section introduces the major AWS Cloud services by category. Subsequent chapters provide a deeper view of the services pertinent to the exam.
Accessing the Platform
To access AWS Cloud services, you can use the AWS Management Console, the AWS Command Line Interface (CLI), or the AWS Software Development Kits (SDKs).
The AWS Management Console is a web application for managing AWS Cloud services. The console provides an intuitive user interface for performing many tasks. Each service has its own console, which can be accessed from the AWS Management Console. The console also provides information about the account and billing.
The AWS Command Line Interface (CLI) is a unified tool used to manage AWS Cloud services. With just one tool to download and configure, you can control multiple services from the command line and automate them through scripts.
The AWS Software Development Kits (SDKs) provide an application programming interface (API) that interacts with the web services that fundamentally make up the AWS platform. The SDKs provide support for many different programming languages and platforms to allow you to work with your preferred language. While you can certainly make HTTP calls directly to the web service endpoints, using the SDKs can take the complexity out of coding by providing programmatic access for many of the services.
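One piece of the complexity the SDKs hide is request authentication: every call to a web service endpoint must carry an AWS Signature Version 4 signature, which binds the request to the caller's secret key. The following is an added example written for this section, not code from the book or from an AWS SDK; it implements the SigV4 steps as documented by AWS, and the request, timestamp and credentials it signs are constructed sample values (AKIDEXAMPLE is a placeholder key id, not a real credential).

```python
"""AWS Signature Version 4 request signing, written out by hand.

Added example, not from the book: this is the work an SDK performs for you
before a raw HTTP call to an AWS endpoint.  The request, its timestamp and the
credentials below are constructed sample values (AKIDEXAMPLE is a placeholder
key id, not a real credential).
"""
import hashlib
import hmac
from urllib.parse import quote


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def canonical_request(method, path, query, headers, payload):
    """Return (canonical request string, signed-headers list).

    Everything that matters about the request is normalised into one string,
    so the signature covers method, path, query, chosen headers and the
    payload hash; a relay that changes any of them invalidates the signature.
    """
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
        for k, v in sorted(query.items())
    )
    # Header names are lowercased and sorted; values are trimmed with inner runs of spaces collapsed.
    lowered = {k.lower().strip(): " ".join(v.strip().split()) for k, v in headers.items()}
    signed_headers = ";".join(sorted(lowered))
    canonical_headers = "".join(f"{k}:{lowered[k]}\n" for k in sorted(lowered))
    creq = "\n".join([method.upper(), path or "/", canonical_query,
                      canonical_headers, signed_headers, _sha256_hex(payload)])
    return creq, signed_headers


def signing_key(secret_key, date_stamp, region, service):
    """Derive a per-day, per-region, per-service key; the long-term secret never signs a request directly."""
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def sign_request(method, host, path, query, headers, payload, *,
                 access_key, secret_key, region, service, amz_date):
    """Return the value of the Authorization header for the request."""
    date_stamp = amz_date[:8]                      # YYYYMMDD part of the ISO 8601 timestamp
    all_headers = dict(headers)
    all_headers["host"] = host                     # host and x-amz-date are always signed
    all_headers["x-amz-date"] = amz_date
    creq, signed_headers = canonical_request(method, path, query, all_headers, payload)
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                _sha256_hex(creq.encode("utf-8"))])
    key = signing_key(secret_key, date_stamp, region, service)
    signature = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
            f"SignedHeaders={signed_headers}, Signature={signature}")


# Constructed sample call: an IAM ListUsers query made with placeholder credentials.
SAMPLE_REQUEST = dict(
    method="GET", host="iam.amazonaws.com", path="/",
    query={"Action": "ListUsers", "Version": "2010-05-08"},
    headers={"Content-Type": "application/x-www-form-urlencoded; charset=utf-8"},
)
SAMPLE_CREDENTIALS = dict(
    access_key="AKIDEXAMPLE", secret_key="wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY",
    region="us-east-1", service="iam", amz_date="20150830T123600Z",
)


def example_authorization(payload=b""):
    """Authorization header for the sample request; a different payload gives a different signature."""
    return sign_request(payload=payload, **SAMPLE_REQUEST, **SAMPLE_CREDENTIALS)


if __name__ == "__main__":
    print(example_authorization())
```

The derived signing key is the security-relevant design choice: the long-term secret is only ever used to derive a key scoped to one day, one region and one service, so a key that leaks from a request log or a compromised host is far less useful than the secret itself. The SDKs also add the `x-amz-date` header and reject requests whose clock drifts too far, which is why the timestamp is part of what is signed.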
Compute and Networking Services
AWS provides a variety of compute and networking services to deliver core functionality for businesses to develop and run their workloads. These compute and networking services can be leveraged with the storage, database, and application services to provide a complete solution for computing, query processing, and storage across a wide range of applications. This section offers a high-level description of the core computing and networking services.
Amazon Elastic Compute Cloud (Amazon EC2)
Amazon Elastic Compute Cloud (Amazon EC2) is a web service that provides resizable compute capacity in the cloud. It allows organizations to obtain and configure virtual servers in Amazon's data centers and to harness those resources to build and host software systems. Organizations can select from a variety of operating systems and resource configurations (memory, CPU, storage, and so on) that are optimal for the application profile of each workload. Amazon EC2 presents a true virtual computing environment, allowing organizations to launch compute resources with a variety of operating systems, load them with custom applications, and manage network access permissions while maintaining complete control.
AWS Lambda
AWS Lambda is a zero-administration compute platform for back-end web developers that runs your code for you on the AWS Cloud and provides you with a fine-grained pricing structure. AWS Lambda runs your back-end code on its own AWS compute fleet of Amazon EC2 instances across multiple Availability Zones in a region, which provides the high availability, security, performance, and scalability of the AWS infrastructure.
Auto Scaling
Auto Scaling allows organizations to scale Amazon EC2 capacity up or down automatically according to conditions defined for the particular workload (see Figure 1.3). Not only can it be used to help maintain application availability and ensure that the desired number of Amazon EC2 instances are running, but it also allows resources to scale in and out to match the demands of dynamic workloads. Instead of provisioning for peak load, organizations can optimize costs and use only the capacity that is actually needed.
FIGURE 1.3 Auto scaling capacity
Auto Scaling is well suited both to applications that have stable demand patterns and to applications that experience hourly, daily, or weekly variability in usage.
Elastic Load Balancing
Elastic Load Balancing automatically distributes incoming application traffic across multiple Amazon EC2 instances in the cloud. It enables organizations to achieve greater levels of fault tolerance in their applications, seamlessly providing the required amount of load balancing capacity needed to distribute application traffic.
AWS Elastic Beanstalk
AWS Elastic Beanstalk is the fastest and simplest way to get a web application up and running on AWS. Developers can simply upload their application code, and the service automatically handles all the details, such as resource provisioning, load balancing, Auto Scaling, and monitoring. It provides support for a variety of platforms, including PHP, Java, Python, Ruby, Node.js, .NET, and Go. With AWS Elastic Beanstalk, organizations retain full control over the AWS resources powering the application and can access the underlying resources at any time.
Amazon Virtual Private Cloud (Amazon VPC)
Amazon Virtual Private Cloud (Amazon VPC) lets organizations provision a logically isolated section of the AWS Cloud where they can launch AWS resources in a virtual network that they define. Organizations have complete control over the virtual environment, including selection of the IP address range, creation of subnets, and configuration of route tables and network gateways. In addition, organizations can extend their corporate data center networks to AWS by using hardware or software virtual private network (VPN) connections or dedicated circuits by using AWS Direct Connect.
AWS Direct Connect
AWS Direct Connect allows organizations to establish a dedicated network connection from their data center to AWS. Using AWS Direct Connect, organizations can establish private connectivity between AWS and their data center, office, or colocation environment, which in many cases can reduce network costs, increase bandwidth throughput, and provide a more consistent network experience than Internet-based VPN connections.
Amazon Route 53
Amazon Route 53 is a highly available and scalable Domain Name System (DNS) web service. It is designed to give developers and businesses an extremely reliable and cost-effective way to route end users to Internet applications by translating human-readable names, such as www.example.com, into the numeric IP addresses, such as 192.0.2.1, that computers use to connect to each other. Amazon Route 53 also serves as a domain registrar, allowing you to purchase and manage domains directly from AWS.
Storage and Content Delivery
AWS provides a variety of services to meet your storage needs, such as Amazon Simple Storage Service, Amazon CloudFront, and Amazon Elastic Block Store. This section provides an overview of the storage and content delivery services.
Amazon Simple Storage Service (Amazon S3)
Amazon Simple Storage Service (Amazon S3) provides developers and IT teams with highly durable and scalable object storage that handles virtually unlimited amounts of data and large numbers of concurrent users. Organizations can store any number of objects of any type, such as HTML pages, source code files, image files, and encrypted data, and access them using HTTP-based protocols. Amazon S3 provides cost-effective object storage for a wide variety of use cases, including backup and recovery, nearline archive, big data analytics, disaster recovery, cloud applications, and content distribution.
Amazon Glacier
Amazon Glacier is a secure, durable, and extremely low-cost storage service for data archiving and long-term backup. Organizations can reliably store large or small amounts of data for a very low cost per gigabyte per month. To keep costs low for customers, Amazon Glacier is optimized for infrequently accessed data where a retrieval time of several hours is suitable. Amazon S3 integrates closely with Amazon Glacier to allow organizations to choose the right storage tier for their workloads.
Amazon Elastic Block Store (Amazon EBS)
Amazon Elastic Block Store (Amazon EBS) provides persistent block-level storage volumes for use with Amazon EC2 instances. Each Amazon EBS volume is automatically replicated within its Availability Zone to protect organizations from component failure, offering high availability and durability. By delivering consistent and low-latency performance, Amazon EBS provides the disk storage needed to run a wide variety of workloads.
AWS Storage Gateway
AWS Storage Gateway is a service connecting an on-premises software appliance with cloud-based storage to provide seamless and secure integration between an organization's on-premises IT environment and the AWS storage infrastructure. The service supports industry-standard storage protocols that work with existing applications. It provides low-latency performance by maintaining a cache of frequently accessed data on-premises while securely storing all of your data encrypted in Amazon S3 or Amazon Glacier.
Amazon CloudFront
Amazon CloudFront is a content delivery web service. It integrates with other AWS Cloud services to give developers and businesses an easy way to distribute content to users across the world with low latency, high data transfer speeds, and no minimum usage commitments. Amazon CloudFront can be used to deliver your entire website, including dynamic, static, streaming, and interactive content, using a global network of edge locations. Requests for content are automatically routed to the nearest edge location, so content is delivered with the best possible performance to end users around the globe.
Database Services
AWS provides fully managed relational and NoSQL database services, in-memory caching as a service, and a petabyte-scale data warehouse solution. This section provides an overview of the products that the database services comprise.
Amazon Relational Database Service (Amazon RDS)
Amazon Relational Database Service (Amazon RDS) provides a fully managed relational database with support for many popular open source and commercial database engines. It's a cost-efficient service that allows organizations to launch secure, highly available, fault-tolerant, production-ready databases in minutes. Because Amazon RDS manages time-consuming administration tasks, including backups, software patching, monitoring, scaling, and replication, organizational resources can focus on revenue-generating applications and business instead of mundane operational tasks.
Amazon DynamoDB
Amazon DynamoDB is a fast and flexible NoSQL database service for all applications that need consistent, single-digit millisecond latency at any scale. It is a fully managed database and supports both document and key/value data models. Its flexible data model and reliable performance make it a great fit for mobile, web, gaming, ad-tech, Internet of Things, and many other applications.
Amazon Redshift
Amazon Redshift is a fast, fully managed, petabyte-scale data warehouse service that makes it simple and cost effective to analyze structured data. Amazon Redshift provides a standard SQL interface that lets organizations use existing business intelligence tools. By leveraging columnar storage technology that improves I/O efficiency and parallelizing queries across multiple nodes, Amazon Redshift is able to deliver fast query performance. The Amazon Redshift architecture allows organizations to automate most of the common administrative tasks associated with provisioning, configuring, and monitoring a cloud data warehouse.
Amazon ElastiCache
Amazon ElastiCache is a web service that simplifies deployment, operation, and scaling of an in-memory cache in the cloud. The service improves the performance of web applications by allowing organizations to retrieve information from fast, managed, in-memory caches, instead of relying entirely on slower, disk-based databases. As of this writing, Amazon ElastiCache supports Memcached and Redis cache engines.
Management Tools
AWS provides a variety of tools that help organizations manage their AWS resources. This section provides an overview of the management tools that AWS provides to organizations.
Amazon CloudWatch
Amazon CloudWatch is a monitoring service for AWS Cloud resources and the applications running on AWS. It allows organizations to collect and track metrics, collect and monitor log files, and set alarms. By leveraging Amazon CloudWatch, organizations can gain system-wide visibility into resource utilization, application performance, and operational health. By using these insights, organizations can react, as necessary, to keep applications running smoothly.
AWS CloudFormation
AWS CloudFormation gives developers and systems administrators an effective way to create and manage a collection of related AWS resources, provisioning and updating them in an orderly and predictable fashion. AWS CloudFormation defines a JSON-based templating language that can be used to describe all the AWS resources that are necessary for a workload. Templates can be submitted to AWS CloudFormation and the service will take care of provisioning and configuring those resources in appropriate order (see Figure 1.4).
FIGURE 1.4 AWS CloudFormation workflow summary
AWS CloudTrail
AWS CloudTrail is a web service that records AWS API calls for an account and delivers log files for audit and review. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the service.
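The fields CloudTrail records are exactly the ones a security team reads when reviewing an account. The following is an added example, not code from the book or from AWS: it runs three ordinary defender checks over a handful of constructed records in the CloudTrail JSON shape (root-account API use, calls from outside an expected network range, and IAM calls that change permissions). The records and the trusted address range are constructed placeholders.

```python
"""Triage of CloudTrail records for a handful of defender checks.

Added example, not from the book.  The records are constructed samples in the
CloudTrail JSON shape, carrying the fields the text lists (caller identity,
event time, source IP, request parameters, response elements); the trusted
network range is a constructed placeholder.
"""
import ipaddress
import json

SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2017-03-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {}, "responseElements": None},
    {"eventTime": "2017-03-01T10:05:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"userName": "bob",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"},
     "responseElements": None},
    {"eventTime": "2017-03-01T10:07:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.11",
     "userIdentity": {"type": "Root"},
     "requestParameters": {}, "responseElements": None},
]})

# Constructed placeholder: the address range administrators normally work from.
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# IAM write calls that change who may do what; each one deserves a reviewer's eye.
PRIVILEGE_EVENTS = {"AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy",
                    "CreateAccessKey", "CreateUser", "AddUserToGroup"}


def from_trusted_network(source_ip):
    """True if the source IP is inside a trusted range.

    CloudTrail logs a service name (for example "ec2.amazonaws.com") instead
    of an address when another AWS service made the call; those are not
    judged by network origin here.
    """
    try:
        ip = ipaddress.ip_address(source_ip)
    except ValueError:
        return True
    return any(ip in net for net in TRUSTED_NETWORKS)


def triage(log_text):
    """Return (finding, eventName, actor, eventTime) tuples for records that need review."""
    findings = []
    for rec in json.loads(log_text)["Records"]:
        ident = rec.get("userIdentity", {})
        actor = ident.get("userName") or ident.get("type", "unknown")
        name, when = rec["eventName"], rec["eventTime"]
        if ident.get("type") == "Root":
            findings.append(("root-account-api-call", name, actor, when))
        if not from_trusted_network(rec.get("sourceIPAddress", "")):
            findings.append(("call-from-untrusted-network", name, actor, when))
        if rec.get("eventSource") == "iam.amazonaws.com" and name in PRIVILEGE_EVENTS:
            policy = (rec.get("requestParameters") or {}).get("policyArn", "")
            findings.append(("iam-privilege-change:" + policy, name, actor, when))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding)
```

Run on the sample, `triage` reports Bob attaching an administrator policy from an address outside the trusted range (two findings for one record) and a root-account call, while Alice's read-only call from the expected range produces nothing. In practice the same logic runs over the delivered log files or over the events as CloudWatch receives them.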
AWS Config
AWS Config is a fully managed service that provides organizations with an AWS resource inventory, configuration history, and configuration change notifications to enable security and governance. With AWS Config, organizations can discover existing AWS resources, export an inventory of their AWS resources with all configuration details, and determine how a resource was configured at any point in time. These capabilities enable compliance auditing, security analysis, resource change tracking, and troubleshooting.
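"How was this resource configured at any point in time" is a question over a configuration history: one captured item per observed change, and the answer for time T is the newest item captured at or before T. The following is an added example, not code from the book or from AWS Config: it reconstructs that lookup over a constructed history of one security group, in a simplified shape rather than AWS Config's full schema, and runs a compliance rule over the history to find when a violation first appeared.

```python
"""Point-in-time lookup over a resource's configuration history.

Added example, not from the book.  AWS Config records a configuration item each
time it observes a change; answering "how was this resource configured at time
T?" means taking the newest item captured at or before T.  The history below is
a constructed sample for one security group in a simplified shape, not AWS
Config's full schema.
"""
import bisect
from datetime import datetime, timezone

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _parse(stamp):
    return datetime.strptime(stamp, TIME_FMT).replace(tzinfo=timezone.utc)


# Constructed history: (captureTime, configuration) per observed change.
HISTORY = [
    ("2017-01-10T09:00:00Z", {"ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]}),
    ("2017-02-02T14:30:00Z", {"ingress": [{"port": 443, "cidr": "0.0.0.0/0"},
                                          {"port": 22, "cidr": "0.0.0.0/0"}]}),
    ("2017-02-03T08:15:00Z", {"ingress": [{"port": 443, "cidr": "0.0.0.0/0"},
                                          {"port": 22, "cidr": "203.0.113.0/24"}]}),
]


class ConfigHistory:
    def __init__(self, items):
        # Keep items ordered by capture time so a point-in-time query is a bisect.
        self._items = sorted(((_parse(t), cfg) for t, cfg in items), key=lambda x: x[0])
        self._times = [t for t, _ in self._items]

    def as_of(self, when):
        """Configuration in effect at `when`, or None if that is before the first capture."""
        i = bisect.bisect_right(self._times, _parse(when))
        return self._items[i - 1][1] if i else None

    def timeline(self, rule):
        """(captureTime, compliant) per item: the change-tracking view a dashboard would show."""
        return [(t.strftime(TIME_FMT), not rule(cfg)) for t, cfg in self._items]

    def first_violation(self, rule):
        """Earliest capture time at which `rule` flagged the configuration, or None."""
        return next((t for t, ok in self.timeline(rule) if not ok), None)


def ssh_open_to_world(config):
    """Compliance rule: no ingress entry may expose port 22 to 0.0.0.0/0."""
    return any(r["port"] == 22 and r["cidr"] == "0.0.0.0/0" for r in config["ingress"])


if __name__ == "__main__":
    history = ConfigHistory(HISTORY)
    print("first SSH exposure:", history.first_violation(ssh_open_to_world))
    print("config on 2017-02-02 20:00Z:", history.as_of("2017-02-02T20:00:00Z"))
```

The sample history shows the value of keeping every captured item rather than only the current state: the group is compliant today, but between the second and third captures port 22 was open to the world, and only the history reveals that window for an incident review.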
Security and Identity
AWS provides security and identity services that help organizations secure their data and systems on the cloud. The following section explores these services at a high level.
AWS Identity and Access Management (IAM)
AWS Identity and Access Management (IAM) enables organizations to securely control access to AWS Cloud services and resources for their users. Using IAM, organizations can create and manage AWS users and groups and use permissions to allow and deny their access to AWS resources.
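The way IAM combines "allow" and "deny" permissions is what makes a deny statement useful as a guard-rail. The following is an added example, not code from the book and not AWS's own evaluation engine: it models the core ordering (an explicit Deny is final, a matching Allow otherwise grants, and nothing matching means an implicit deny) with wildcard matching on actions and resources, over constructed policies. Conditions, resource-based policies, permission boundaries and organization-level controls are deliberately left out.

```python
"""Simplified model of how IAM combines Allow and Deny statements.

Added example, not from the book and not AWS's own evaluation engine.  It
implements the core ordering: an explicit Deny in any applicable statement is
final; otherwise a matching Allow grants the request; with no matching statement
the request is implicitly denied.  Action names match case-insensitively and
both actions and resources support the '*' and '?' wildcards.  Conditions,
resource-based policies, permission boundaries and organisation SCPs are
deliberately out of scope.
"""
import re


def _matches(pattern, value, case_insensitive=False):
    """Wildcard match where '*' is any run of characters and '?' is one character."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if case_insensitive else 0) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate(policies, action, resource):
    """Return 'Allow' or 'Deny' for one request against the caller's identity policies."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            actions = _as_list(stmt.get("Action", []))
            resources = _as_list(stmt.get("Resource", "*"))
            if not any(_matches(a, action, case_insensitive=True) for a in actions):
                continue
            if not any(_matches(r, resource) for r in resources):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"          # an explicit deny cannot be overridden by any allow
            allowed = True             # keep looking: a later statement may still deny
    return "Allow" if allowed else "Deny"   # nothing matched: implicit deny


# Constructed policies.  Developers read the app bucket and may only upload
# under one prefix; a guard-rail denies deletion of audit logs even to an
# otherwise unrestricted administrator.
DEVELOPER_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "arn:aws:s3:::app-data/*"},
    {"Effect": "Allow", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::app-data/uploads/*"},
]}
AUDIT_GUARDRAIL = {"Statement": [
    {"Effect": "Deny", "Action": "s3:Delete*", "Resource": "arn:aws:s3:::audit-logs/*"},
]}
ADMIN_POLICY = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}


if __name__ == "__main__":
    for who, pols, act, res in [
        ("developer", [DEVELOPER_POLICY], "s3:PutObject", "arn:aws:s3:::app-data/x.txt"),
        ("developer", [DEVELOPER_POLICY], "s3:PutObject", "arn:aws:s3:::app-data/uploads/x.txt"),
        ("admin", [ADMIN_POLICY, AUDIT_GUARDRAIL], "s3:DeleteObject", "arn:aws:s3:::audit-logs/2017/a.gz"),
    ]:
        print(who, act, res, "->", evaluate(pols, act, res))
```

The practical lesson is in the last case: because an explicit Deny is evaluated before any Allow, attaching the guard-rail to every principal in the account, administrators included, protects the audit trail even when someone later grants `"Action": "*"`. The developer cases show the other half: an Allow only applies when both the action and the resource match, so an upload outside the `uploads/` prefix is denied implicitly without any Deny statement at all.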
AWS Key Management Service (KMS)
AWS Key Management Service (KMS) is a managed service that makes it easy for organizations to create and control the encryption keys used to encrypt their data and uses Hardware Security Modules (HSMs) to protect the security of your keys. AWS KMS is integrated with several other AWS Cloud services to help protect data stored with these services.
AWS Directory Service
AWS Directory Service allows organizations to set up and run Microsoft Active Directory on the AWS Cloud or connect their AWS resources with an existing on-premises Microsoft Active Directory. Organizations can use it to manage users and groups, provide single sign-on to applications and services, create and apply Group Policies, domain join Amazon EC2 instances, and simplify the deployment and management of cloud-based Linux and Microsoft Windows workloads.
AWS Certificate Manager
AWS Certificate Manager is a service that lets organizations easily provision, manage, and deploy Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS Cloud services. It removes the time-consuming manual process of purchasing, uploading, and renewing SSL/TLS certificates. With AWS Certificate Manager, organizations can quickly request a certificate, deploy it on AWS resources such as Elastic Load Balancing or Amazon CloudFront distributions, and let AWS Certificate Manager handle certificate renewals.
AWS Web Application Firewall (WAF)
AWS Web Application Firewall (WAF) helps protect web applications from common attacks and exploits that could affect application availability, compromise security, or consume excessive resources. AWS WAF gives organizations control over which traffic to allow or block to their web applications by defining customizable web security rules.
Application Services
AWS provides a variety of managed services to use with applications. The following section explores the application services at a high level.
Amazon API Gateway
Amazon API Gateway is a fully managed service that makes it easy for developers to create, publish, maintain, monitor, and secure APIs at any scale. Organizations can create an API that acts as a "front door" for applications to access data, business logic, or functionality from back-end services, such as workloads running on Amazon EC2, code running on AWS Lambda, or any web application. Amazon API Gateway handles all the tasks involved in accepting and processing up to hundreds of thousands of concurrent API calls, including traffic management, authorization and access control, monitoring, and API version management.
Amazon Elastic Transcoder
Amazon Elastic Transcoder is media transcoding in the cloud. It is designed to be a highly scalable and cost-effective way for developers and businesses to convert (or transcode) media files from their source formats into versions that will play back on devices like smartphones, tablets, and PCs.
Amazon Simple Notification Service (Amazon SNS)
Amazon Simple Notification Service (Amazon SNS) is a web service that coordinates and manages the delivery or sending of messages to recipients. In Amazon SNS, there are two types of clients—publishers and subscribers—also referred to as producers and consumers. Publishers communicate asynchronously with subscribers by producing and sending a message to a topic, which is a logical access point and communication channel. Subscribers consume or receive the message or notification over one of the supported protocols when they are subscribed to the topic.
Amazon Simple Email Service (Amazon SES)
Amazon Simple Email Service (Amazon SES) is a cost-effective email service that organizations can use to send transactional email, marketing messages, or any other type of content to their customers. Amazon SES can also be used to receive messages and deliver them to an Amazon S3 bucket, call custom code via an AWS Lambda function, or publish notifications to Amazon SNS.
Amazon Simple Workflow Service (Amazon SWF)
Amazon Simple Workflow Service (Amazon SWF) helps developers build, run, and scale background jobs that have parallel or sequential steps. Amazon SWF can be thought of as a fully managed state tracker and task coordinator on the cloud. In common architectural patterns, if your application's steps take more than 500 milliseconds to complete, it is vitally important to track the state of processing and to provide the ability to recover or retry if a task fails. Amazon SWF helps organizations achieve this reliability.
Amazon Simple Queue Service (Amazon SQS)
Amazon Simple Queue Service (Amazon SQS) is a fast, reliable, scalable, fully managed message queuing service. Amazon SQS makes it simple and cost effective to decouple the components of a cloud application. With Amazon SQS, organizations can transmit any volume of data, at any level of throughput, without losing messages or requiring other services to be always available.
Summary
The term "cloud computing" refers to the on-demand delivery of IT resources via the Internet with pay-as-you-go pricing. Instead of buying, owning, and maintaining data centers and servers, organizations can acquire technology such as compute power, storage, databases, and other services on an as-needed basis. With cloud computing, AWS manages and maintains the technology infrastructure in a secure environment and businesses access these resources via the Internet to develop and run their applications. Capacity can grow or shrink instantly and businesses pay only for what they use.
Cloud computing introduces a revolutionary shift in how technology is obtained, used, and managed, and how organizations budget and pay for technology services. While each organization experiences a unique journey to the cloud with numerous benefits, six advantages become apparent time and time again. Understanding these advantages allows architects to shape solutions that deliver continuous benefits to organizations.
AWS provides a highly available technology infrastructure platform with multiple locations worldwide. These locations are composed of regions and Availability Zones. This enables organizations to place resources and data in multiple locations around the globe. Helping to protect the confidentiality, integrity, and availability of systems and data is of the utmost importance to AWS, as is maintaining the trust and confidence of organizations around the world.
AWS offers a broad set of global compute, storage, database, analytics, application, and deployment services that help organizations move faster, lower IT costs, and scale applications. Having a broad understanding of these services allows solutions architects to design effective distributed applications and systems on the AWS platform.
Exam Essentials
Understand the global infrastructure. AWS provides a highly available technology infrastructure platform with multiple locations worldwide. These locations are composed of regions and Availability Zones. Each region is located in a separate geographic area and has multiple, isolated locations known as Availability Zones.
Understand regions. An AWS region is a physical geographic location that consists of a cluster of data centers. AWS regions enable the placement of resources and data in multiple locations around the globe. Each region is completely independent and is designed to be completely isolated from the other regions. This achieves the greatest possible fault tolerance and stability. Resources aren't replicated across regions unless organizations choose to do so.
Understand Availability Zones. An Availability Zone is one or more data centers within a region that are designed to be isolated from failures in other Availability Zones. Availability Zones provide inexpensive, low-latency network connectivity to other zones in the same region. By placing resources in separate Availability Zones, organizations can protect their website or application from a service disruption impacting a single location.
Understand the hybrid deployment model. A hybrid deployment model is an architectural pattern providing connectivity for infrastructure and applications between cloud-based resources and existing resources that are not located in the cloud.
Review Questions
1. Which of the following describes a physical location around the world where AWS clusters data centers?
A. Endpoint
B. Collection
C. Fleet
D. Region
2. Each AWS region is composed of two or more locations that offer organizations the ability to operate production systems that are more highly available, fault tolerant, and scalable than would be possible using a single data center. What are these locations called?
A. Availability Zones
B. Replication areas
C. Geographic districts
D. Compute centers
3. What is the deployment term for an environment that extends an existing on-premises infrastructure into the cloud to connect cloud resources to internal systems?
A. All-in deployment
B. Hybrid deployment
C. On-premises deployment
D. Scatter deployment
4. Which AWS Cloud service allows organizations to gain system-wide visibility into resource utilization, application performance, and operational health?
A. AWS Identity and Access Management (IAM)
B. Amazon Simple Notification Service (Amazon SNS)
C. Amazon CloudWatch
D. AWS CloudFormation
5. Which of the following AWS Cloud services is a fully managed NoSQL database service?
A. Amazon Simple Queue Service (Amazon SQS)
B. Amazon DynamoDB
C. Amazon ElastiCache
D. Amazon Relational Database Service (Amazon RDS)
6. Your company experiences fluctuations in traffic patterns to their e-commerce website based on flash sales. What service can help your company dynamically match the required compute capacity to the spike in traffic during flash sales?
A. Auto Scaling
B. Amazon Glacier
C. Amazon Simple Notification Service (Amazon SNS)
D. Amazon Virtual Private Cloud (Amazon VPC)
7. Your company provides an online photo sharing service. The development team is looking for ways to deliver image files with the lowest latency to end users so the website content is delivered with the best possible performance. What service can help speed up distribution of these image files to end users around the world?
A. Amazon Elastic Compute Cloud (Amazon EC2)
B. Amazon Route 53
C. AWS Storage Gateway
D. Amazon CloudFront
8. Your company runs an Amazon Elastic Compute Cloud (Amazon EC2) instance periodically to perform a batch processing job on a large and growing file system. At the end of the batch job, you shut down the Amazon EC2 instance to save money but need to persist the file system on the Amazon EC2 instance from the previous batch runs. What AWS Cloud service can you leverage to meet these requirements?
A. Amazon Elastic Block Store (Amazon EBS)
B. Amazon DynamoDB
C. Amazon Glacier
D. AWS CloudFormation
9. What AWS Cloud service provides a logically isolated section of the AWS Cloud where organizations can launch AWS resources in a virtual network that they define?
A. Amazon Simple Workflow Service (Amazon SWF)
B. Amazon Route 53
C. Amazon Virtual Private Cloud (Amazon VPC)
D. AWS CloudFormation
10. Your company provides a mobile voting application for a popular TV show, and 5 to 25 million viewers all vote in a 15-second time span. What mechanism can you use to decouple the voting application from your back-end services that tally the votes?
A. AWS CloudTrail
B. Amazon Simple Queue Service (Amazon SQS)
C. Amazon Redshift
D. Amazon Simple Notification Service (Amazon SNS)
Chapter 2
Amazon Simple Storage Service (Amazon S3) and Amazon Glacier Storage
THE AWS CERTIFIED SOLUTIONS ARCHITECT ASSOCIATE EXAM OBJECTIVES COVERED IN THIS CHAPTER MAY INCLUDE, BUT ARE NOT LIMITED TO, THE FOLLOWING:
Domain 1.0: Designing highly available, cost-efficient, fault-tolerant, scalable systems
1.1 Identify and recognize cloud architecture considerations, such as fundamental components and effective designs.
Content may include the following:
How to design cloud services
Planning and design
Monitoring and logging
Familiarity with:
Best practices for AWS architecture
Developing to client specifications, including pricing/cost (e.g., On Demand vs. Reserved vs. Spot; Recovery Time Objective [RTO] and Recovery Point Objective [RPO] disaster recovery design)
Architectural trade-off decisions (e.g., high availability vs. cost)
Hybrid IT architectures
Elasticity and scalability
Domain 2.0: Implementation/Deployment
2.1 Identify the appropriate techniques and methods using Amazon Simple Storage Service (Amazon S3) to code and implement a cloud solution.
Content may include the following:
Configure services to support compliance requirements in the cloud.
Launch instances across the AWS global infrastructure.
Configure AWS Identity and Access Management (IAM) policies and best practices.
Domain 3.0: Data Security
3.1 Recognize and implement secure practices for optimum cloud deployment and maintenance
Content may include the following:
Security Architecture with AWS
“Core” Amazon S3 security feature sets
Encryption solutions (e.g., key services)
Complex access controls (building sophisticated security groups, Access Control Lists [ACLs], etc.)
Introduction
This chapter is intended to provide you with a basic understanding of the core object storage services available on AWS: Amazon Simple Storage Service (Amazon S3) and Amazon Glacier.
Amazon S3 provides developers and IT teams with secure, durable, and highly-scalable cloud storage. Amazon S3 is easy-to-use object storage with a simple web service interface that you can use to store and retrieve any amount of data from anywhere on the web. Amazon S3 also allows you to pay only for the storage you actually use, which eliminates the capacity planning and capacity constraints associated with traditional storage.
Amazon S3 is one of the first services introduced by AWS, and it serves as one of the foundational web services—nearly any application running in AWS uses Amazon S3, either directly or indirectly. Amazon S3 can be used alone or in conjunction with other AWS services, and it offers a very high level of integration with many other AWS cloud services. For example, Amazon S3 serves as the durable target storage for Amazon Kinesis and Amazon Elastic MapReduce (Amazon EMR), it is used as the storage for Amazon Elastic Block Store (Amazon EBS) and Amazon Relational Database Service (Amazon RDS) snapshots, and it is used as a data staging or loading storage mechanism for Amazon Redshift and Amazon DynamoDB, among many other functions. Because Amazon S3 is so flexible, so highly integrated, and so commonly used, it is important to understand this service in detail.
Common use cases for Amazon S3 storage include:
Backup and archive for on-premises or cloud data
Content, media, and software storage and distribution
Big data analytics
Static website hosting
Cloud-native mobile and Internet application hosting
Disaster recovery
To support these use cases and many more, Amazon S3 offers a range of storage classes designed for various generic use cases: general purpose, infrequent access, and archive. To help manage data through its lifecycle, Amazon S3 offers configurable lifecycle policies. By using lifecycle policies, you can have your data automatically migrate to the most appropriate storage class, without modifying your application code. In order to control who has access to your data, Amazon S3 provides a rich set of permissions, access controls, and encryption options.
Amazon Glacier is another cloud storage service related to Amazon S3, but optimized for data archiving and long-term backup at extremely low cost. Amazon Glacier is suitable for “cold data,” which is data that is rarely accessed and for which a retrieval time of three to five hours is acceptable. Amazon Glacier can be used both as a storage class of Amazon S3 (see Storage Classes and Object Lifecycle Management topics in the Amazon S3 Advanced Features section), and as an independent archival storage service (see the Amazon Glacier section).
Object Storage versus Traditional Block and File Storage
In traditional IT environments, two kinds of storage dominate: block storage and file storage. Block storage operates at a lower level—the raw storage device level—and manages data as a set of numbered, fixed-size blocks. File storage operates at a higher level—the operating system level—and manages data as a named hierarchy of files and folders. Block and file storage are often accessed over a network in the form of a Storage Area Network (SAN) for block storage, using protocols such as iSCSI or Fibre Channel, or as a Network Attached Storage (NAS) file server or “filer” for file storage, using protocols such as Common Internet File System (CIFS) or Network File System (NFS). Whether directly-attached or network-attached, block or file, this kind of storage is very closely associated with the server and the operating system that is using the storage.
Amazon S3 object storage is something quite different. Amazon S3 is cloud object storage. Instead of being closely associated with a server, Amazon S3 storage is independent of a server and is accessed over the Internet. Instead of managing data as blocks or files using SCSI, CIFS, or NFS protocols, data is managed as objects using an Application Program Interface (API) built on standard HTTP verbs.
Each Amazon S3 object contains both data and metadata. Objects reside in containers called buckets, and each object is identified by a unique user-specified key (filename). Buckets are a simple flat folder with no file system hierarchy. That is, you can have multiple buckets, but you can’t have a sub-bucket within a bucket. Each bucket can hold an unlimited number of objects.
It is easy to think of an Amazon S3 object (or the data portion of an object) as a file, and the key as the filename. However, keep in mind that Amazon S3 is not a traditional file system and differs in significant ways. In Amazon S3, you GET an object or PUT an object, operating on the whole object at once, instead of incrementally updating portions of the object as you would with a file. You can’t “mount” a bucket, “open” an object, install an operating system on Amazon S3, or run a database on it.
Instead of a file system, Amazon S3 is highly-durable and highly-scalable object storage that is optimized for reads and is built with an intentionally minimalistic feature set. It provides a simple and robust abstraction for file storage that frees you from many underlying details that you normally do have to deal with in traditional storage. For example, with Amazon S3 you don’t have to worry about device or file system storage limits and capacity planning—a single bucket can store an unlimited number of files. You also don’t need to worry about data durability or replication across availability zones—Amazon S3 objects are automatically replicated on multiple devices in multiple facilities within a region. The same with scalability—if your request rate grows steadily, Amazon S3 automatically partitions buckets to support very high request rates and simultaneous access by many clients.
If you need traditional block or file storage in addition to Amazon S3 storage, AWS provides options. The Amazon EBS service provides block level storage for Amazon Elastic Compute Cloud (Amazon EC2) instances. Amazon Elastic File System (AWS EFS) provides network-attached shared file storage (NAS storage) using the NFSv4 protocol.
Amazon Simple Storage Service (Amazon S3) Basics
Now that you have an understanding of some of the key differences between traditional block and file storage versus cloud object storage, we can explore the basics of Amazon S3 in more detail.
Buckets
A bucket is a container (web folder) for objects (files) stored in Amazon S3. Every Amazon S3 object is contained in a bucket. Buckets form the top-level namespace for Amazon S3, and bucket names are global. This means that your bucket names must be unique across all AWS accounts, much like Domain Name System (DNS) domain names, not just within your own account. Bucket names can contain up to 63 lowercase letters, numbers, hyphens, and periods. You can create and use multiple buckets; you can have up to 100 per account by default.
It is a best practice to use bucket names that contain your domain name and conform to the rules for DNS names. This ensures that your bucket names are your own, can be used in all regions, and can host static websites.
AWS Regions
Even though the namespace for Amazon S3 buckets is global, each Amazon S3 bucket is created in a specific region that you choose. This lets you control where your data is stored. You can create and use buckets that are located close to a particular set of end users or customers in order to minimize latency, or located in a particular region to satisfy data locality and sovereignty concerns, or located far away from your primary facilities in order to satisfy disaster recovery and compliance needs. You control the location of your data; data in an Amazon S3 bucket is stored in that region unless you explicitly copy it to another bucket located in a different region.
Objects
Objects are the entities or files stored in Amazon S3 buckets. An object can store virtually any kind of data in any format. Objects can range in size from 0 bytes up to 5 TB, and a single bucket can store an unlimited number of objects. This means that Amazon S3 can store a virtually unlimited amount of data.
Each object consists of data (the file itself) and metadata (data about the file). The data portion of an Amazon S3 object is opaque to Amazon S3. This means that an object’s data is treated as simply a stream of bytes—Amazon S3 doesn’t know or care what type of data you are storing, and the service doesn’t act differently for text data versus binary data.
The metadata associated with an Amazon S3 object is a set of name/value pairs that describe the object. There are two types of metadata: system metadata and user metadata. System metadata is created and used by Amazon S3 itself, and it includes things like the date last modified, object size, MD5 digest, and HTTP Content-Type. User metadata is optional, and it can only be specified at the time an object is created. You can use custom metadata to tag your data with attributes that are meaningful to you.
Keys
Every object stored in an S3 bucket is identified by a unique identifier called a key. You can think of the key as a filename. A key can be up to 1024 bytes of Unicode UTF-8 characters, including embedded slashes, backslashes, dots, and dashes.
Keys must be unique within a single bucket, but different buckets can contain objects with the same key. The combination of bucket, key, and optional version ID uniquely identifies an Amazon S3 object.
Object URL
Amazon S3 is storage for the Internet, and every Amazon S3 object can be addressed by a unique URL formed using the web services endpoint, the bucket name, and the object key. For example, with the URL:
http://mybucket.s3.amazonaws.com/jack.doc
mybucket is the S3 bucket name, and jack.doc is the key or filename. If another object is created, for instance:
http://mybucket.s3.amazonaws.com/fee/fi/fo/fum/jack.doc
then the bucket name is still mybucket, but now the key or filename is the string fee/fi/fo/fum/jack.doc. A key may contain delimiter characters like slashes or backslashes to help you name and logically organize your Amazon S3 objects, but to Amazon S3 it is simply a long key name in a flat namespace. There is no actual file and folder hierarchy. See the topic “Prefixes and Delimiters” in the “Amazon S3 Advanced Features” section that follows for more information.
For convenience, the Amazon S3 console and the Prefix and Delimiter feature allow you to navigate within an Amazon S3 bucket as if there were a folder hierarchy. However, remember that a bucket is a single flat namespace of keys with no structure.
Amazon S3 Operations
The Amazon S3 API is intentionally simple, with only a handful of common operations. They include:
Create/delete a bucket
Write an object
Read an object
Delete an object
List keys in a bucket
REST Interface
The native interface for Amazon S3 is a REST (Representational State Transfer) API. With the REST interface, you use standard HTTP or HTTPS requests to create and delete buckets, list keys, and read and write objects. REST maps standard HTTP “verbs” (HTTP methods) to the familiar CRUD (Create, Read, Update, Delete) operations. Create is HTTP PUT (and sometimes POST); read is HTTP GET; delete is HTTP DELETE; and update is HTTP POST (or sometimes PUT).
Always use HTTPS for Amazon S3 API requests to ensure that your requests and data are secure.
In most cases, users do not use the REST interface directly, but instead interact with Amazon S3 using one of the higher-level interfaces available. These include the AWS Software Development Kits (SDKs) (wrapper libraries) for iOS, Android, JavaScript, Java, .NET, Node.js, PHP, Python, Ruby, Go, and C++, the AWS Command Line Interface (CLI), and the AWS Management Console.
Amazon S3 originally supported a SOAP (Simple Object Access Protocol) API in addition to the REST API, but you should use the REST API. The legacy HTTPS endpoint is still available, but new features are not supported.
Durability and Availability
Data durability and availability are related but slightly different concepts. Durability addresses the question, “Will my data still be there in the future?” Availability addresses the question, “Can I access my data right now?” Amazon S3 is designed to provide both very high durability and very high availability for your data.
Amazon S3 standard storage is designed for 99.999999999% durability and 99.99% availability of objects over a given year. For example, if you store 10,000 objects with Amazon S3, you can on average expect to incur a loss of a single object once every 10,000,000 years. Amazon S3 achieves high durability by automatically storing data redundantly on multiple devices in multiple facilities within a region. It is designed to sustain the concurrent loss of data in two facilities without loss of user data. Amazon S3 provides a highly durable storage infrastructure designed for mission-critical and primary data storage.
If you need to store non-critical or easily reproducible derived data (such as image thumbnails) that doesn’t require this high level of durability, you can choose to use Reduced Redundancy Storage (RRS) at a lower cost. RRS offers 99.99% durability with a lower cost of storage than traditional Amazon S3 storage.
Even though Amazon S3 storage offers very high durability at the infrastructure level, it is still a best practice to protect against user-level accidental deletion or overwriting of data by using additional features such as versioning, cross-region replication, and MFA Delete.
Data Consistency
Amazon S3 is an eventually consistent system. Because your data is automatically replicated across multiple servers and locations within a region, changes in your data may take some time to propagate to all locations. As a result, there are some situations where information that you read immediately after an update may return stale data.
For PUTs to new objects, this is not a concern—in this case, Amazon S3 provides read-after-write consistency. However, for PUTs to existing objects (object overwrite to an existing key) and for object DELETEs, Amazon S3 provides eventual consistency.
Eventual consistency means that if you PUT new data to an existing key, a subsequent GET might return the old data. Similarly, if you DELETE an object, a subsequent GET for that object might still read the deleted object. In all cases, updates to a single key are atomic—for eventually-consistent reads, you will get the new data or the old data, but never an inconsistent mix of data.
Access Control
Amazon S3 is secure by default; when you create a bucket or object in Amazon S3, only you have access. To allow you to give controlled access to others, Amazon S3 provides both coarse-grained access controls (Amazon S3 Access Control Lists [ACLs]), and fine-grained access controls (Amazon S3 bucket policies, AWS Identity and Access Management [IAM] policies, and query-string authentication).
Amazon S3 ACLs allow you to grant certain coarse-grained permissions: READ, WRITE, or FULL-CONTROL at the object or bucket level. ACLs are a legacy access control mechanism, created before IAM existed. ACLs are best used today for a limited set of use cases, such as enabling bucket logging or making a bucket that hosts a static website be world-readable.
Amazon S3 bucket policies are the recommended access control mechanism for Amazon S3 and provide much finer-grained control. Amazon S3 bucket policies are very similar to IAM policies, which are discussed in Chapter 6, “AWS Identity and Access Management (IAM),” but are subtly different in that:
They are associated with the bucket resource instead of an IAM principal.
They include an explicit reference to the IAM principal in the policy. This principal can be associated with a different AWS account, so Amazon S3 bucket policies allow you to assign cross-account access to Amazon S3 resources.
Using an Amazon S3 bucket policy, you can specify who can access the bucket, from where (by Classless Inter-Domain Routing [CIDR] block or IP address), and during what time of day.
Finally, IAM policies may be associated directly with IAM principals that grant access to an Amazon S3 bucket, just as they can grant access to any AWS service and resource. Obviously, you can only assign IAM policies to principals in AWS accounts that you control.
Static Website Hosting
A very common use case for Amazon S3 storage is static website hosting. Many websites, particularly micro-sites, don’t need the services of a full web server. A static website means that all of the pages of the website contain only static content and do not require server-side processing such as PHP, ASP.NET, or JSP. (Note that this does not mean that the website cannot be interactive and dynamic; this can be accomplished with client-side scripts, such as JavaScript embedded in static HTML web pages.) Static websites have many advantages: they are very fast, very scalable, and can be more secure than a typical dynamic website. If you host a static website on Amazon S3, you can also leverage the security, durability, availability, and scalability of Amazon S3.
Because every Amazon S3 object has a URL, it is relatively straightforward to turn a bucket into a website. To host a static website, you simply configure a bucket for website hosting and then upload the content of the static website to the bucket.
To configure an Amazon S3 bucket for static website hosting:
1. Create a bucket with the same name as the desired website hostname.
2. Upload the static files to the bucket.
3. Make all the files public (world readable).
4. Enable static website hosting for the bucket. This includes specifying an Index document and an Error document.
5. The website will now be available at the S3 website URL:
<bucket-name>.s3-website-<AWS-region>.amazonaws.com.
6. Create a friendly DNS name in your own domain for the website using a DNS CNAME, or an Amazon Route 53 alias that resolves to the Amazon S3 website URL.
7. The website will now be available at your website domain name.
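The two kinds of bucket policy described in the Access Control section (who, from which CIDR block, during what time of day) and in step 3 of the website procedure (world-readable objects), together with a small evaluator that applies them the way a policy engine does, as an added example that is not from the study guide. The bucket names, account ID, CIDR block and time window are constructed sample values.

```python
"""Added example: two S3 bucket policies and a minimal policy evaluator
(implicit deny; an explicit Deny wins). All names below are constructed."""
import ipaddress
import re
from datetime import datetime, timezone

REPORTS_BUCKET = "example-reports-bucket"                  # constructed
SITE_BUCKET = "www.example.com"                            # bucket named after the website hostname
READER = "arn:aws:iam::123456789012:user/reports-reader"   # constructed IAM principal
OFFICE_CIDR = "203.0.113.0/24"                             # constructed (documentation range)

def restricted_read_policy(bucket, principal_arn, cidr, start_utc, end_utc):
    """Who (explicit principal), from where (CIDR) and when (UTC window)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "ReadFromOfficeDuringWindow",
        "Effect": "Allow",
        "Principal": {"AWS": principal_arn},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::" + bucket, "arn:aws:s3:::" + bucket + "/*"],
        "Condition": {
            "IpAddress": {"aws:SourceIp": cidr},
            "DateGreaterThan": {"aws:CurrentTime": start_utc},
            "DateLessThan": {"aws:CurrentTime": end_utc},
        },
    }]}

def public_read_policy(bucket):
    """Step 3 of static website hosting: anonymous GetObject only, nothing else."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "PublicReadGetObject",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::" + bucket + "/*",
    }]}

OFFICE_POLICY = restricted_read_policy(REPORTS_BUCKET, READER, OFFICE_CIDR,
                                       "2017-03-01T08:00:00Z", "2017-03-01T18:00:00Z")
SITE_POLICY = public_read_policy(SITE_BUCKET)

def utc(hour):
    """Constructed clock: a whole hour on 2017-03-01, UTC."""
    return datetime(2017, 3, 1, hour, 0, 0, tzinfo=timezone.utc)

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _glob(pattern, value):
    """Policy wildcard match: '*' matches any run of characters."""
    return re.fullmatch(re.escape(pattern).replace(r"\*", ".*"), value) is not None

def _principal_matches(principal, arn):
    if principal == "*":
        return True
    return any(p == "*" or p == arn for p in _as_list(principal.get("AWS", [])))

def _parse_time(text):
    return datetime.fromisoformat(text.replace("Z", "+00:00"))

def _conditions_hold(conditions, ctx):
    for operator, pairs in conditions.items():
        for key, wanted in pairs.items():
            if key not in ctx:
                return False
            have, wanted = ctx[key], _as_list(wanted)
            if operator == "IpAddress":
                ok = any(ipaddress.ip_address(have) in ipaddress.ip_network(w) for w in wanted)
            elif operator == "DateGreaterThan":
                ok = any(have > _parse_time(w) for w in wanted)
            elif operator == "DateLessThan":
                ok = any(have < _parse_time(w) for w in wanted)
            else:
                ok = False  # unsupported operator: fail closed
            if not ok:
                return False
    return True

def evaluate(policy, principal_arn, action, resource_arn, source_ip, now):
    """Return 'Allow' or 'Deny'; principal_arn=None models an anonymous request."""
    decision = "Deny"  # implicit deny until an Allow statement matches
    ctx = {"aws:SourceIp": source_ip, "aws:CurrentTime": now}
    for st in policy["Statement"]:
        if not _principal_matches(st["Principal"], principal_arn):
            continue
        if not any(_glob(a, action) for a in _as_list(st["Action"])):
            continue
        if not any(_glob(r, resource_arn) for r in _as_list(st["Resource"])):
            continue
        if not _conditions_hold(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"  # an explicit Deny always wins
        decision = "Allow"
    return decision
```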
Amazon S3 Advanced Features
Beyond the basics, there are some advanced features of Amazon S3 that you should also be familiar with.
Prefixes and Delimiters
While Amazon S3 uses a flat structure in a bucket, it supports the use of prefix and delimiter parameters when listing key names. This feature lets you organize, browse, and retrieve the objects within a bucket hierarchically. Typically, you would use a slash (/) or backslash (\) as a delimiter and then use key names with embedded delimiters to emulate a file and folder hierarchy within the flat object key namespace of a bucket.
For example, you might want to store a series of server logs by server name (such as server42), but organized by year and month, like so:
logs/2016/January/server42.log
logs/2016/February/server42.log
logs/2016/March/server42.log
The REST API, wrapper SDKs, AWS CLI, and the Amazon Management Console all support the use of delimiters and prefixes. This feature lets you logically organize new data and easily maintain the hierarchical folder-and-file structure of existing data uploaded or backed up from traditional file systems. Used together with IAM or Amazon S3 bucket policies, prefixes and delimiters also allow you to create the equivalent of departmental “subdirectories” or user “home directories” within a single bucket, restricting or sharing access to these “subdirectories” (defined by prefixes) as needed.
Use delimiters and object prefixes to hierarchically organize the objects in your Amazon S3 buckets, but always remember that Amazon S3 is not really a file system.
Storage Classes
Amazon S3 offers a range of storage classes suitable for various use cases.
Amazon S3 Standard offers high durability, high availability, low latency, and high performance object storage for general purpose use. Because it delivers low first-byte latency and high throughput, Standard is well-suited for short-term or long-term storage of frequently accessed data. For most general purpose use cases, Amazon S3 Standard is the place to start.
Amazon S3 Standard – Infrequent Access (Standard-IA) offers the same durability, low latency, and high throughput as Amazon S3 Standard, but is designed for long-lived, less frequently accessed data. Standard-IA has a lower per GB-month storage cost than Standard, but the price model also includes a minimum object size (128KB), minimum duration (30 days), and per-GB retrieval costs, so it is best suited for infrequently accessed data that is stored for longer than 30 days.
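How the prefix and delimiter parameters turn a flat key namespace into the folder-style listing described above, plus the IAM statement pattern that scopes a user to a prefix-based "home directory", as an added example that is not from the study guide. The listing function is a stand-in for the ListObjects call written here for illustration; the keys are the log keys from the text plus a few constructed ones.

```python
"""Added example: emulate prefix/delimiter listing over a flat S3 key
namespace and build the prefix-scoped "home directory" IAM statements."""

# The text's log keys plus constructed extras (a README at the year level,
# a second server, another year, and a user home directory).
KEYS = [
    "logs/2016/January/server42.log",
    "logs/2016/February/server42.log",
    "logs/2016/March/server42.log",
    "logs/2016/March/server43.log",
    "logs/2016/README.txt",
    "logs/2017/January/server42.log",
    "home/alice/notes.txt",
]

def list_keys(keys, prefix="", delimiter=None):
    """Return (contents, common_prefixes), the two halves of a ListObjects
    response. A key whose remainder after the prefix contains the delimiter
    is rolled up into one common prefix (a pseudo-folder); the rest are
    listed individually. Without a delimiter every matching key is listed."""
    contents, common = [], []
    for key in sorted(keys):            # keys come back in byte order
        if not key.startswith(prefix):
            continue
        rest = key[len(prefix):]
        if delimiter and delimiter in rest:
            folder = prefix + rest.split(delimiter, 1)[0] + delimiter
            if folder not in common:
                common.append(folder)
        else:
            contents.append(key)
    return contents, common

def walk(keys, prefix="", delimiter="/", depth=0):
    """Render the flat keys as an indented tree by listing level by level,
    the way a console browses a bucket."""
    lines = []
    contents, common = list_keys(keys, prefix, delimiter)
    for folder in common:
        lines.append("  " * depth + folder[len(prefix):])
        lines.extend(walk(keys, folder, delimiter, depth + 1))
    for key in contents:
        lines.append("  " * depth + key[len(prefix):])
    return lines

def home_directory_statements(bucket):
    """IAM statements confining a user to home/<username>/: listing is
    limited through the s3:prefix condition, object access through the
    resource ARN. ${aws:username} is the IAM policy variable."""
    return [
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::" + bucket,
         "Condition": {"StringLike": {"s3:prefix": ["home/${aws:username}/*"]}}},
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::" + bucket + "/home/${aws:username}/*"},
    ]
```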
Amazon S3 Reduced Redundancy Storage (RRS) offers slightly lower durability (4 nines) than Standard or Standard-IA at a reduced cost. It is most appropriate for derived data that can be easily reproduced, such as image thumbnails.
Finally, the Amazon Glacier storage class offers secure, durable, and extremely low-cost cloud storage for data that does not require real-time access, such as archives and long-term backups. To keep costs low, Amazon Glacier is optimized for infrequently accessed data where a retrieval time of several hours is suitable. To retrieve an Amazon Glacier object, you issue a restore command using one of the Amazon S3 APIs; three to five hours later, the Amazon Glacier object is copied to Amazon S3 RRS. Note that the restore simply creates a copy in Amazon S3 RRS; the original data object remains in Amazon Glacier until explicitly deleted. Also be aware that Amazon Glacier allows you to retrieve up to 5% of the Amazon S3 data stored in Amazon Glacier for free each month; restores beyond the daily restore allowance incur a restore fee. Refer to the Amazon Glacier pricing page on the AWS website for full details.
In addition to acting as a storage tier in Amazon S3, Amazon Glacier is also a standalone storage service with a separate API and some unique characteristics. However, when you use Amazon Glacier as a storage class of Amazon S3, you always interact with the data via the Amazon S3 APIs. Refer to the Amazon Glacier section for more details.
Set a data retrieval policy to limit restores to the free tier or to a maximum GB-per-hour limit to avoid or minimize Amazon Glacier restore fees.
Object Lifecycle Management
Amazon S3 Object Lifecycle Management is roughly equivalent to automated storage tiering in traditional IT storage infrastructures. In many cases, data has a natural lifecycle, starting out as “hot” (frequently accessed) data, moving to “warm” (less frequently accessed) data as it ages, and ending its life as “cold” (long-term backup or archive) data before eventual deletion.
For example, many business documents are frequently accessed when they are created, then become much less frequently accessed over time. In many cases, however, compliance rules require business documents to be archived and kept accessible for years. Similarly, studies show that file, operating system, and database backups are most frequently accessed in the first few days after they are created, usually to restore after an inadvertent error. After a week or two, these backups remain a critical asset, but they are much less likely to be accessed for a restore. In many cases, compliance rules require that a certain number of backups be kept for several years.
Using Amazon S3 lifecycle configuration rules, you can significantly reduce your storage costs by automatically transitioning data from one storage class to another or even automatically deleting data after a period of time. For example, the lifecycle rules for backup data might be:
Store backup data initially in Amazon S3 Standard.
After 30 days, transition to Amazon Standard-IA.
After 90 days, transition to Amazon Glacier.
After 3 years, delete.
Lifecycle configurations are attached to the bucket and can apply to all objects in the bucket or only to objects specified by a prefix.
Encryption
It is strongly recommended that all sensitive data stored in Amazon S3 be encrypted, both in flight and at rest.
To encrypt your Amazon S3 data in flight, you can use the Amazon S3 Secure Sockets Layer (SSL) API endpoints. This ensures that all data sent to and from Amazon S3 is encrypted while in transit using the HTTPS protocol.
To encrypt your Amazon S3 data at rest, you can use several variations of Server-Side Encryption (SSE). Amazon S3 encrypts your data at the object level as it writes it to disks in its data centers and decrypts it for you when you access it. All SSE performed by Amazon S3 and AWS Key Management Service (Amazon KMS) uses the 256-bit Advanced Encryption Standard (AES). You can also encrypt your Amazon S3 data at rest using Client-Side Encryption, encrypting your data on the client before sending it to Amazon S3.
SSE-S3 (AWS-Managed Keys)
This is a fully integrated “check-box-style” encryption solution where AWS handles the key management and key protection for Amazon S3. Every object is encrypted with a unique key. The actual object key itself is then further encrypted by a separate master key. A new master key is issued at least monthly, with AWS rotating the keys. Encrypted data, encryption keys, and master keys are all stored separately on secure hosts, further enhancing protection.
SSE-KMS (AWS KMS Keys)
This is a fully integrated solution where Amazon handles your key management and protection for Amazon S3, but where you manage the keys. SSE-KMS offers several additional benefits compared to SSE-S3. Using SSE-KMS, there are separate permissions for using the master key, which provide protection against unauthorized access to your objects stored in Amazon S3 and an additional layer of control. AWS KMS also provides auditing, so you can see who used your key to access which object and when they tried to access this object. AWS KMS also allows you to view any failed attempts to access data from users who did not have permission to decrypt the data.
SSE-C (Customer-Provided Keys)
This is used when you want to maintain your own encryption keys but don’t want to manage or implement your own client-side encryption library. With SSE-C, AWS will do the encryption/decryption of your objects while you maintain full control of the keys used to encrypt/decrypt the objects in Amazon S3.
Client-Side Encryption
Client-side encryption refers to encrypting data on the client side of your application before sending it to Amazon S3. You have the following two options for using data encryption keys:
Use an AWS KMS-managed customer master key.
Use a client-side master key.
When using client-side encryption, you retain end-to-end control of the encryption process, including management of the encryption keys.
For maximum simplicity and ease of use, use server-side encryption with AWS-managed keys (SSE-S3 or SSE-KMS).
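The request headers that select each server-side encryption mode on an upload (SSE-S3, SSE-KMS and SSE-C, including the key headers SSE-C derives from the customer key) and a bucket policy that refuses uploads sent without one, as an added example that is not from the study guide. The header names are the documented x-amz-server-side-encryption request headers; the bucket name, KMS key alias and customer key are constructed sample values.

```python
"""Added example: SSE request headers per mode, and a policy that denies
unencrypted PutObject requests. Sample key and names are constructed."""
import base64
import hashlib

SAMPLE_CUSTOMER_KEY = bytes(range(32))   # constructed 256-bit key, NOT a real key

def sse_headers(mode, kms_key_id=None, customer_key=None):
    """Headers to add to a PUT Object request for the chosen SSE mode."""
    if mode == "SSE-S3":
        return {"x-amz-server-side-encryption": "AES256"}
    if mode == "SSE-KMS":
        headers = {"x-amz-server-side-encryption": "aws:kms"}
        if kms_key_id:  # omit to use the account's default S3 KMS key
            headers["x-amz-server-side-encryption-aws-kms-key-id"] = kms_key_id
        return headers
    if mode == "SSE-C":
        # The caller keeps the key; S3 uses it for this request only and must
        # receive it again (over HTTPS) on every later GET of the object.
        if not isinstance(customer_key, bytes) or len(customer_key) != 32:
            raise ValueError("SSE-C needs a 256-bit (32-byte) key")
        return {
            "x-amz-server-side-encryption-customer-algorithm": "AES256",
            "x-amz-server-side-encryption-customer-key":
                base64.b64encode(customer_key).decode(),
            "x-amz-server-side-encryption-customer-key-MD5":
                base64.b64encode(hashlib.md5(customer_key).digest()).decode(),
        }
    raise ValueError("unknown SSE mode: " + str(mode))

def deny_unencrypted_uploads(bucket, require_kms=False):
    """Bucket policy rejecting PutObject requests that carry no SSE header;
    with require_kms=True it additionally rejects any mode but SSE-KMS."""
    arn = "arn:aws:s3:::" + bucket + "/*"
    statements = [{
        "Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Principal": "*",
        "Action": "s3:PutObject", "Resource": arn,
        "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
    }]
    if require_kms:
        statements.append({
            "Sid": "DenyNonKmsUploads", "Effect": "Deny", "Principal": "*",
            "Action": "s3:PutObject", "Resource": arn,
            "Condition": {"StringNotEquals":
                          {"s3:x-amz-server-side-encryption": "aws:kms"}},
        })
    return {"Version": "2012-10-17", "Statement": statements}
```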
Versioning
Amazon S3 versioning helps protect your data against accidental or malicious deletion by keeping multiple versions of each object in the bucket, identified by a unique version ID. Versioning allows you to preserve, retrieve, and restore every version of every object stored in your Amazon S3 bucket. If a user makes an accidental change or even maliciously deletes an object in your S3 bucket, you can restore the object to its original state simply by referencing the version ID in addition to the bucket and object key. Versioning is turned on at the bucket level. Once enabled, versioning cannot be removed from a bucket; it can only be suspended.
MFA Delete
MFA Delete adds another layer of data protection on top of bucket versioning. MFA Delete requires additional authentication in order to permanently delete an object version or change the versioning state of a bucket. In addition to your normal security credentials, MFA Delete requires an authentication code (a temporary, one-time password) generated by a hardware or virtual Multi-Factor Authentication (MFA) device. Note that MFA Delete can only be enabled by the root account.
Pre-Signed URLs
All Amazon S3 objects by default are private, meaning that only the owner has access. However, the object owner can optionally share objects with others by creating a pre-signed URL, using their own security credentials to grant time-limited permission to download the objects. When you create a pre-signed URL for your object, you must provide your security credentials and specify a bucket name, an object key, the HTTP method (GET to download the object), and an expiration date and time. The pre-signed URLs are valid only for the specified duration. This is particularly useful to protect against “content scraping” of web content such as media files stored in Amazon S3.
Multipart Upload
To better support uploading or copying of large objects, Amazon S3 provides the Multipart Upload API. This allows you to upload large objects as a set of parts, which generally gives better network utilization (through parallel transfers), the ability to pause and resume, and the ability to upload objects where the size is initially unknown.
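A SigV4 query-string pre-signed GET URL built with only the standard library, and the check a verifier applies to it (the signature binds method, host, key and expiry, and the URL is refused once X-Amz-Expires has elapsed), as an added example that is not from the study guide. The access key, secret, bucket, key and clock are constructed sample values, not real credentials.

```python
"""Added example: create and verify a SigV4 pre-signed S3 GET URL.
Credentials, bucket, key and the clock are constructed sample values."""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl, quote, unquote, urlparse

ACCESS_KEY = "AKIAEXAMPLEKEY0000"                  # constructed
SECRET_KEY = "example-secret-not-a-real-aws-key"   # constructed
REGION = "us-east-1"
SAMPLE_TIME = datetime(2017, 3, 1, 12, 0, 0, tzinfo=timezone.utc)  # constructed clock

def later(base, seconds):
    return base + timedelta(seconds=seconds)

def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def _signing_key(secret, date, region):
    # kSigning = HMAC(HMAC(HMAC(HMAC("AWS4"+secret, date), region), "s3"), "aws4_request")
    key = _hmac(("AWS4" + secret).encode(), date)
    for part in (region, "s3", "aws4_request"):
        key = _hmac(key, part)
    return key

def _canonical_query(params):
    return "&".join(quote(k, safe="-_.~") + "=" + quote(v, safe="-_.~")
                    for k, v in sorted(params.items()))

def _signature(secret, method, host, key, params, amz_date, region):
    canonical_request = "\n".join([
        method,
        "/" + quote(key, safe="/-_.~"),   # canonical URI, encoded once
        _canonical_query(params),
        "host:" + host + "\n",            # canonical headers (host only)
        "host",                           # signed headers
        "UNSIGNED-PAYLOAD",               # pre-signed S3 URLs do not sign a body
    ])
    scope = amz_date[:8] + "/" + region + "/s3/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    return hmac.new(_signing_key(secret, amz_date[:8], region),
                    string_to_sign.encode(), hashlib.sha256).hexdigest()

def presign_get(bucket, key, expires_seconds, now, access_key=ACCESS_KEY,
                secret=SECRET_KEY, region=REGION):
    """Pre-signed URL granting GET on bucket/key for expires_seconds from now."""
    host = bucket + ".s3.amazonaws.com"
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": access_key + "/" + amz_date[:8] + "/" + region + "/s3/aws4_request",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires_seconds),
        "X-Amz-SignedHeaders": "host",
    }
    signature = _signature(secret, "GET", host, key, params, amz_date, region)
    return ("https://" + host + "/" + quote(key, safe="/-_.~") + "?"
            + _canonical_query(params) + "&X-Amz-Signature=" + signature)

def verify_presigned_get(url, secret, now):
    """Return (accepted, reason) for a GET of `url` received at time `now`."""
    parts = urlparse(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    presented = params.pop("X-Amz-Signature", "")
    try:
        if params["X-Amz-Algorithm"] != "AWS4-HMAC-SHA256":
            return False, "malformed"
        signed_at = datetime.strptime(params["X-Amz-Date"],
                                      "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
        expires = int(params["X-Amz-Expires"])
        region = params["X-Amz-Credential"].split("/")[2]
    except (KeyError, ValueError, IndexError):
        return False, "malformed"
    if not 1 <= expires <= 604800:        # SigV4 pre-signed URLs live at most 7 days
        return False, "malformed"
    if now > later(signed_at, expires):
        return False, "expired"           # time limit is checked before any crypto
    expected = _signature(secret, "GET", parts.netloc, unquote(parts.path[1:]),
                          params, params["X-Amz-Date"], region)
    if not hmac.compare_digest(expected, presented):
        return False, "bad signature"     # any edit to key, host, date or expiry lands here
    return True, "ok"
```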
Multipart upload is a three-step process: initiation, uploading the parts, and completion (or abort). Parts can be uploaded independently in arbitrary order, with retransmission if needed. After all of the parts are uploaded, Amazon S3 assembles the parts in order to create an object.
In general, you should use multipart upload for objects larger than 100 Mbytes, and you must use multipart upload for objects larger than 5 GB. When using the low-level APIs, you must break the file to be uploaded into parts and keep track of the parts. When using the high-level APIs and the high-level Amazon S3 commands in the AWS CLI (aws s3 cp, aws s3 mv, and aws s3 sync), multipart upload is automatically performed for large objects.
You can set an object lifecycle policy on a bucket to abort incomplete multipart uploads after a specified number of days. This will minimize the storage costs associated with multipart uploads that were not completed.
Range GETs
It is possible to download (GET) only a portion of an object in both Amazon S3 and Amazon Glacier by using something called a Range GET. Using the Range HTTP header in the GET request or equivalent parameters in one of the SDK wrapper libraries, you specify a range of bytes of the object. This can be useful in dealing with large objects when you have poor connectivity or to download only a known portion of a large Amazon Glacier backup.
Cross-Region Replication
Cross-region replication is a feature of Amazon S3 that allows you to asynchronously replicate all new objects in the source bucket in one AWS region to a target bucket in another region. Any metadata and ACLs associated with the object are also part of the replication. After you set up cross-region replication on your source bucket, any changes to the data, metadata, or ACLs on an object trigger a new replication to the destination bucket. To enable cross-region replication, versioning must be turned on for both source and destination buckets, and you must use an IAM policy to give Amazon S3 permission to replicate objects on your behalf.
Cross-region replication is commonly used to reduce the latency required to access objects in Amazon S3 by placing objects closer to a set of users or to meet requirements to store backup data at a certain distance from the original source data.
If turned on in an existing bucket, cross-region replication will only replicate new objects. Existing objects will not be replicated and must be copied to the new bucket via a separate command.
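The lifecycle configuration for the backup rules listed under Object Lifecycle Management (Standard, Standard-IA after 30 days, Glacier after 90 days, deletion after 3 years) combined with the abort rule for incomplete multipart uploads just described, plus a helper that reports which class an object of a given age is in and a check for rules that break the 30-day Standard-IA minimum, as an added example that is not from the study guide. The prefix, rule ID and 7-day abort window are constructed choices; 3 years is taken as 1095 days.

```python
"""Added example: an S3 lifecycle configuration document for the backup
tiering rules, a sanity check on rules, and an age-to-class helper."""

STANDARD, STANDARD_IA, GLACIER, EXPIRED = "STANDARD", "STANDARD_IA", "GLACIER", "EXPIRED"

def backup_lifecycle_config(prefix="backups/", abort_days=7):
    """One rule in the shape of the S3 lifecycle configuration document."""
    return {"Rules": [{
        "ID": "backup-tiering",                 # constructed rule ID
        "Status": "Enabled",
        "Filter": {"Prefix": prefix},           # only keys under this prefix
        "Transitions": [
            {"Days": 30, "StorageClass": STANDARD_IA},
            {"Days": 90, "StorageClass": GLACIER},
        ],
        "Expiration": {"Days": 1095},           # 3 years, then delete
        "AbortIncompleteMultipartUpload": {"DaysAfterInitiation": abort_days},
    }]}

def rule_problems(rule):
    """Return a list of problems with a rule (empty when it is sound)."""
    problems = []
    transitions = sorted(rule.get("Transitions", []), key=lambda t: t["Days"])
    for t in transitions:
        if t["StorageClass"] == STANDARD_IA and t["Days"] < 30:
            problems.append("Standard-IA transition before the 30-day minimum")
    last = transitions[-1]["Days"] if transitions else 0
    expiration = rule.get("Expiration", {}).get("Days")
    if expiration is not None and expiration <= last:
        problems.append("expiration is not after the last transition")
    return problems

def storage_class_at(config, key, age_days):
    """Class an object with this key is in after age_days under the first
    enabled rule whose prefix matches; STANDARD when no rule applies."""
    for rule in config["Rules"]:
        if rule.get("Status") != "Enabled":
            continue
        if not key.startswith(rule.get("Filter", {}).get("Prefix", "")):
            continue
        expiration = rule.get("Expiration", {}).get("Days")
        if expiration is not None and age_days >= expiration:
            return EXPIRED
        current = STANDARD
        for t in sorted(rule.get("Transitions", []), key=lambda t: t["Days"]):
            if age_days >= t["Days"]:
                current = t["StorageClass"]   # latest transition reached wins
        return current
    return STANDARD
```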
LoggingInordertotrackrequeststoyourAmazonS3bucket,youcanenableAmazonS3serveraccesslogs.Loggingisoffbydefault,butitcaneasilybeenabled.Whenyouenableloggingfora
![Page 74: Certified Solutions Architect Official Guide/AWS Certified... · Chapter 1: Introduction to AWS Chapter 2: Amazon Simple Storage Service (Amazon S3) and Amazon Glacier Storage Chapter](https://reader034.vdocuments.us/reader034/viewer/2022051812/602c405cb445ae68a568d84c/html5/thumbnails/74.jpg)
bucket(thesourcebucket),youmustchoosewherethelogswillbestored(thetargetbucket).Youcanstoreaccesslogsinthesamebucketorinadifferentbucket.Eitherway,itisoptional(butabestpractice)tospecifyaprefix,suchaslogs/oryourbucketname/logs/,sothatyoucanmoreeasilyidentifyyourlogs.
Onceenabled,logsaredeliveredonabest-effortbasiswithaslightdelay.Logsincludeinformationsuchas:
RequestoraccountandIPaddress
Bucketname
Requesttime
Action(GET,PUT,LIST,andsoforth)
Responsestatusorerrorcode
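As an added example (not from the study guide) of what those log fields let you do, the following Python parses constructed server access log lines and summarises denied and anonymous requests per source IP. The record layout assumed is the documented space-separated format with 18 core fields; the account ID, request IDs and addresses in the sample are placeholders.

```python
"""Added example, not from the study guide: parse Amazon S3 server access log
records and summarise who is hitting a bucket, from where, and with what result.
The log lines are constructed samples in the documented server access log layout;
the account ID, request IDs and IP addresses are placeholders."""
import re
from collections import Counter, defaultdict

# The first 18 fields of a server access log record, in order. Newer records append
# more (host id, signature version, cipher, TLS version); they land in rec["extra"].
FIELDS = ("bucket_owner bucket time remote_ip requester request_id operation key "
          "request_uri http_status error_code bytes_sent object_size total_time "
          "turnaround_time referer user_agent version_id").split()

# one token is a [bracketed time], a "quoted string" or a bare run of non-spaces
TOKEN = re.compile(r'\[[^\]]*\]|"(?:[^"\\]|\\.)*"|\S+')

OWNER = "0123456789abcdef" * 4  # placeholder for the 64-hex canonical user ID
SAMPLE_LOG = [  # constructed: one authenticated read, three denied anonymous probes, one public read
    f'{OWNER} mynewbucket [06/Feb/2019:00:00:38 +0000] 192.0.2.3 {OWNER} REQ1EXAMPLE REST.GET.OBJECT foo.txt "GET /mynewbucket/foo.txt HTTP/1.1" 200 - 4 4 7 3 "-" "aws-cli/1.16" -',
    f'{OWNER} mynewbucket [06/Feb/2019:00:01:02 +0000] 198.51.100.7 - REQ2EXAMPLE REST.GET.OBJECT secret.txt "GET /mynewbucket/secret.txt HTTP/1.1" 403 AccessDenied 243 - 5 - "-" "curl/7.64.0" -',
    f'{OWNER} mynewbucket [06/Feb/2019:00:01:03 +0000] 198.51.100.7 - REQ3EXAMPLE REST.GET.OBJECT backup.tar "GET /mynewbucket/backup.tar HTTP/1.1" 403 AccessDenied 243 - 4 - "-" "curl/7.64.0" -',
    f'{OWNER} mynewbucket [06/Feb/2019:00:01:04 +0000] 198.51.100.7 - REQ4EXAMPLE REST.GET.BUCKET - "GET /mynewbucket?max-keys=1000 HTTP/1.1" 403 AccessDenied 243 - 6 - "-" "curl/7.64.0" -',
    f'{OWNER} mynewbucket [06/Feb/2019:00:02:10 +0000] 198.51.100.7 - REQ5EXAMPLE REST.GET.OBJECT index.txt "GET /mynewbucket/index.txt HTTP/1.1" 200 - 12 12 6 2 "-" "Mozilla/5.0 (X11; Linux x86_64)" -',
    "this is not a log record",
]


def parse_line(line):
    """Return a dict of the named fields (plus rec["extra"] for any trailing ones),
    or None when the line does not carry at least the 18 core fields."""
    tokens = [t.strip('[]"') for t in TOKEN.findall(line)]
    if len(tokens) < len(FIELDS):
        return None
    rec = dict(zip(FIELDS, tokens))
    rec["extra"] = tokens[len(FIELDS):]
    rec["anonymous"] = rec["requester"] == "-"  # "-" means an unauthenticated request
    return rec


def summarize(lines, denied_threshold=3):
    """Per remote IP: total, AccessDenied and anonymous request counts.
    Returns (per_ip, ips_at_or_above_threshold, objects_read_anonymously)."""
    per_ip = defaultdict(Counter)
    public_reads = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # not a log record (or a truncated one): skip, do not crash
        c = per_ip[rec["remote_ip"]]
        c["requests"] += 1
        if rec["error_code"] == "AccessDenied":
            c["denied"] += 1
        if rec["anonymous"]:
            c["anonymous"] += 1
            # a 200 on an anonymous GET means the object is readable by everyone
            if rec["operation"] == "REST.GET.OBJECT" and rec["http_status"] == "200":
                public_reads.add((rec["bucket"], rec["key"]))
    flagged = sorted(ip for ip, c in per_ip.items() if c["denied"] >= denied_threshold)
    return dict(per_ip), flagged, sorted(public_reads)
```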
Event Notifications
Amazon S3 event notifications can be sent in response to actions taken on objects uploaded or stored in Amazon S3. Event notifications enable you to run workflows, send alerts, or perform other actions in response to changes in your objects stored in Amazon S3. You can use Amazon S3 event notifications to set up triggers to perform actions, such as transcoding media files when they are uploaded, processing data files when they become available, and synchronizing Amazon S3 objects with other data stores.
Amazon S3 event notifications are set up at the bucket level, and you can configure them through the Amazon S3 console, through the REST API, or by using an AWS SDK. Amazon S3 can publish notifications when new objects are created (by a PUT, POST, COPY, or multipart upload completion), when objects are removed (by a DELETE), or when Amazon S3 detects that an RRS object was lost. You can also set up event notifications based on object name prefixes and suffixes. Notification messages can be sent through either Amazon Simple Notification Service (Amazon SNS) or Amazon Simple Queue Service (Amazon SQS) or delivered directly to AWS Lambda to invoke AWS Lambda functions.
Best Practices, Patterns, and Performance
It is a common pattern to use Amazon S3 storage in hybrid IT environments and applications. For example, data in on-premises file systems, databases, and compliance archives can easily be backed up over the Internet to Amazon S3 or Amazon Glacier, while the primary application or database storage remains on-premises.
Another common pattern is to use Amazon S3 as bulk “blob” storage for data, while keeping an index to that data in another service, such as Amazon DynamoDB or Amazon RDS. This allows quick searches and complex queries on key names without listing keys continually.
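An added example (not code from the study guide) that ties the event notifications described earlier to the index pattern just described: a handler for the records Amazon S3 delivers to an AWS Lambda function, keeping an in-memory dict in step with the bucket where a real deployment would update the DynamoDB table. The record shape, the eventName values and the sequencer field are S3's documented notification format, not from this page; the sample event, bucket and key names are constructed.

```python
"""Added example, not from the study guide: consume the S3 event notification
records that Amazon S3 delivers to an AWS Lambda function and keep an external
index of the bucket in step with them (an in-memory dict stands in for the
DynamoDB table the guide's index pattern would use). The sample event is
constructed; bucket and key names are placeholders, and nothing calls AWS."""
import urllib.parse


class ObjectIndex:
    """Index of key -> size, updated from create/remove notifications."""

    def __init__(self):
        self.items = {}     # key -> size in bytes; removed keys are absent
        self.last_seq = {}  # key -> highest sequencer applied so far

    def apply(self, record, suffix=None):
        """Apply one record; return what was done with it."""
        if record.get("eventSource") != "aws:s3":
            return "ignored"
        name = record["eventName"]
        obj = record["s3"]["object"]
        # keys arrive URL-encoded ("my+file.txt" is the key "my file.txt")
        key = urllib.parse.unquote_plus(obj["key"])
        if suffix and not key.endswith(suffix):
            return "filtered"  # what a suffix filter on the notification config would drop
        # Notifications are delivered at least once and not necessarily in order.
        # Create/delete records for a key carry a hex "sequencer" that grows with
        # event time, so a lower value than the last one applied is a stale event.
        seq = obj.get("sequencer")
        if seq is not None:
            if int(seq, 16) < self.last_seq.get(key, -1):
                return "stale"
            self.last_seq[key] = int(seq, 16)
        if name.startswith("ObjectCreated:"):      # Put, Post, Copy, CompleteMultipartUpload
            self.items[key] = obj.get("size", 0)
            return "created"
        if name.startswith("ObjectRemoved:"):      # Delete, DeleteMarkerCreated
            self.items.pop(key, None)
            return "removed"
        if name == "ReducedRedundancyLostObject":  # S3 lost an RRS object: re-upload from source
            self.items.pop(key, None)
            return "lost"
        return "ignored"


def handle_event(event, index, suffix=None):
    """Process one notification payload (the event["Records"] list) against an index."""
    return [index.apply(record, suffix) for record in event.get("Records", [])]


INDEX = ObjectIndex()  # survives across warm invocations; a real deployment uses a table


def lambda_handler(event, context):
    """Lambda entry point for notifications delivered directly from Amazon S3."""
    return handle_event(event, INDEX)


def _record(name, key, seq, size=None):
    """Build one constructed record in the shape S3 puts in event["Records"]."""
    obj = {"key": key, "sequencer": seq}
    if size is not None:
        obj["size"] = size
    return {"eventVersion": "2.1", "eventSource": "aws:s3", "awsRegion": "us-west-2",
            "eventName": name, "s3": {"bucket": {"name": "mynewbucket"}, "object": obj}}


SAMPLE_EVENT = {"Records": [  # constructed; the third record is a stale create delivered late
    _record("ObjectCreated:Put", "uploads/foo.txt", "0055AED6DCD90281E5", 4),
    _record("ObjectRemoved:Delete", "photo+1.jpg", "0055AED6DCD90281F0"),
    _record("ObjectCreated:Put", "photo+1.jpg", "0055AED6DCD90281E9", 2048),
    _record("ObjectCreated:CompleteMultipartUpload", "video/big.mp4", "0055AED6DCD9028200", 734003200),
]}
```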
Amazon S3 will scale automatically to support very high request rates, automatically re-partitioning your buckets as needed. If you need request rates higher than 100 requests per second, you may want to review the Amazon S3 best practices guidelines in the Developer Guide. To support higher request rates, it is best to ensure some level of random distribution of keys, for example by including a hash as a prefix to key names.
If you are using Amazon S3 in a GET-intensive mode, such as static website hosting, for best performance you should consider using an Amazon CloudFront distribution as a caching layer in front of your Amazon S3 bucket.
Amazon Glacier
Amazon Glacier is an extremely low-cost storage service that provides durable, secure, and flexible storage for data archiving and online backup. To keep costs low, Amazon Glacier is designed for infrequently accessed data where a retrieval time of three to five hours is acceptable.
Amazon Glacier can store an unlimited amount of virtually any kind of data, in any format. Common use cases for Amazon Glacier include replacement of traditional tape solutions for long-term backup and archive and storage of data required for compliance purposes. In most cases, the data stored in Amazon Glacier consists of large TAR (Tape Archive) or ZIP files.
Like Amazon S3, Amazon Glacier is extremely durable, storing data on multiple devices across multiple facilities in a region. Amazon Glacier is designed for 99.999999999% durability of objects over a given year.
Archives
In Amazon Glacier, data is stored in archives. An archive can contain up to 40 TB of data, and you can have an unlimited number of archives. Each archive is assigned a unique archive ID at the time of creation. (Unlike an Amazon S3 object key, you cannot specify a user-friendly archive name.) All archives are automatically encrypted, and archives are immutable—after an archive is created, it cannot be modified.
Vaults
Vaults are containers for archives. Each AWS account can have up to 1,000 vaults. You can control access to your vaults and the actions allowed using IAM policies or vault access policies.
Vault Locks
You can easily deploy and enforce compliance controls for individual Amazon Glacier vaults with a vault lock policy. You can specify controls such as Write Once Read Many (WORM) in a vault lock policy and lock the policy from future edits. Once locked, the policy can no longer be changed.
Data Retrieval
You can retrieve up to 5% of your data stored in Amazon Glacier for free each month, calculated on a daily prorated basis. If you retrieve more than 5%, you will incur retrieval fees based on your maximum retrieval rate. To eliminate or minimize those fees, you can set a data retrieval policy on a vault to limit your retrievals to the free tier or to a specified data rate.
Amazon Glacier versus Amazon Simple Storage Service (Amazon S3)
Amazon Glacier is similar to Amazon S3, but it differs in several key aspects. Amazon Glacier supports 40 TB archives versus 5 TB objects in Amazon S3. Archives in Amazon Glacier are identified by system-generated archive IDs, while Amazon S3 lets you use “friendly” key names. Amazon Glacier archives are automatically encrypted, while encryption at rest is optional in Amazon S3. However, by using Amazon Glacier as an Amazon S3 storage class together with object lifecycle policies, you can use the Amazon S3 interface to get most of the benefits of Amazon Glacier without learning a new interface.
Summary
Amazon S3 is the core object storage service on AWS, allowing you to store an unlimited amount of data with very high durability.
Common Amazon S3 use cases include backup and archive, web content, big data analytics, static website hosting, mobile and cloud-native application hosting, and disaster recovery.
Amazon S3 is integrated with many other AWS cloud services, including AWS IAM, AWS KMS, Amazon EC2, Amazon EBS, Amazon EMR, Amazon DynamoDB, Amazon Redshift, Amazon SQS, AWS Lambda, and Amazon CloudFront.
Object storage differs from traditional block and file storage. Block storage manages data at a device level as addressable blocks, while file storage manages data at the operating system level as files and folders. Object storage manages data as objects that contain both data and metadata, manipulated by an API.
Amazon S3 buckets are containers for objects stored in Amazon S3. Bucket names must be globally unique. Each bucket is created in a specific region, and data does not leave the region unless explicitly copied by the user.
Amazon S3 objects are files stored in buckets. Objects can be up to 5 TB and can contain any kind of data. Objects contain both data and metadata and are identified by keys. Each Amazon S3 object can be addressed by a unique URL formed by the web services endpoint, the bucket name, and the object key.
Amazon S3 has a minimalistic API—create/delete a bucket, read/write/delete objects, list keys in a bucket—and uses a REST interface based on standard HTTP verbs—GET, PUT, POST, and DELETE. You can also use SDK wrapper libraries, the AWS CLI, and the AWS Management Console to work with Amazon S3.
Amazon S3 is highly durable and highly available, designed for 11 nines of durability of objects in a given year and four nines of availability.
Amazon S3 is eventually consistent, but offers read-after-write consistency for new object PUTs.
Amazon S3 objects are private by default, accessible only to the owner. Objects can be marked publicly readable to make them accessible on the web. Controlled access may be provided to others using ACLs and AWS IAM and Amazon S3 bucket policies.
Static websites can be hosted in an Amazon S3 bucket.
Prefixes and delimiters may be used in key names to organize and navigate data hierarchically much like a traditional file system.
Amazon S3 offers several storage classes suited to different use cases: Standard is designed for general-purpose data needing high performance and low latency. Standard-IA is for less frequently accessed data. RRS offers lower redundancy at lower cost for easily reproduced data. Amazon Glacier offers low-cost durable storage for archive and long-term backups that are rarely accessed and can accept a three- to five-hour retrieval time.
Object lifecycle management policies can be used to automatically move data between storage classes based on time.
Amazon S3 data can be encrypted using server-side or client-side encryption, and encryption keys can be managed with Amazon KMS.
Versioning and MFA Delete can be used to protect against accidental deletion.
Cross-region replication can be used to automatically copy new objects from a source bucket in one region to a target bucket in another region.
Pre-signed URLs grant time-limited permission to download objects and can be used to protect media and other web content from unauthorized “web scraping.”
Multipart upload can be used to upload large objects, and Range GETs can be used to download portions of an Amazon S3 object or Amazon Glacier archive.
Server access logs can be enabled on a bucket to track requestor, object, action, and response.
Amazon S3 event notifications can be used to send an Amazon SQS or Amazon SNS message or to trigger an AWS Lambda function when an object is created or deleted.
Amazon Glacier can be used as a standalone service or as a storage class in Amazon S3.
Amazon Glacier stores data in archives, which are contained in vaults. You can have up to 1,000 vaults, and each vault can store an unlimited number of archives.
Amazon Glacier vaults can be locked for compliance purposes.
Exam Essentials
Know what Amazon S3 is and what it is commonly used for. Amazon S3 is secure, durable, and highly scalable cloud storage that can be used to store an unlimited amount of data in almost any format using a simple web services interface. Common use cases include backup and archive, content storage and distribution, big data analytics, static website hosting, cloud-native application hosting, and disaster recovery.
Understand how object storage differs from block and file storage. Amazon S3 cloud object storage manages data at the application level as objects using a REST API built on HTTP. Block storage manages data at the operating system level as numbered addressable blocks using protocols such as SCSI or Fibre Channel. File storage manages data as shared files at the operating system level using a protocol such as CIFS or NFS.
Understand the basics of Amazon S3. Amazon S3 stores data in objects that contain data and metadata. Objects are identified by a user-defined key and are stored in a simple flat folder called a bucket. Interfaces include a native REST interface, SDKs for many languages, an AWS CLI, and the AWS Management Console.
Know how to create a bucket; how to upload, download, and delete objects; how to make objects public; and how to open an object URL.
Understand the durability, availability, and data consistency model of Amazon S3. Amazon S3 standard storage is designed for 11 nines durability and four nines availability of objects over a year. Other storage classes differ. Amazon S3 is eventually consistent, but offers read-after-write consistency for PUTs to new objects.
Know how to enable static website hosting on Amazon S3. To create a static website on Amazon S3, you must create a bucket with the website hostname, upload your static content and make it public, enable static website hosting on the bucket, and indicate the index and error page objects.
Know how to protect your data on Amazon S3. Encrypt data in flight using HTTPS and at rest using SSE or client-side encryption. Enable versioning to keep multiple versions of an object in a bucket. Enable MFA Delete to protect against accidental deletion. Use ACLs, Amazon S3 bucket policies, and AWS IAM policies for access control. Use pre-signed URLs for time-limited download access. Use cross-region replication to automatically replicate data to another region.
Know the use case for each of the Amazon S3 storage classes. Standard is for general purpose data that needs high durability, high performance, and low latency access. Standard-IA is for data that is less frequently accessed, but that needs the same performance and availability when accessed. RRS offers lower durability at lower cost for easily replicated data. Amazon Glacier is for storing rarely accessed archival data at lowest cost, when three- to five-hour retrieval time is acceptable.
Know how to use lifecycle configuration rules. Lifecycle rules can be configured in the AWS Management Console or the APIs. Lifecycle configuration rules define actions to transition objects from one storage class to another based on time.
Know how to use Amazon S3 event notifications. Event notifications are set at the bucket level and can trigger a message in Amazon SNS or Amazon SQS or an action in AWS Lambda in response to an upload or a delete of an object.
Know the basics of Amazon Glacier as a standalone service. Data is stored in encrypted archives that can be as large as 40 TB. Archives typically contain TAR or ZIP files. Vaults are containers for archives, and vaults can be locked for compliance.
Exercises
For assistance in completing the following exercises, reference the following documentation:
Getting started with Amazon S3: http://docs.aws.amazon.com/AmazonS3/latest/gsg/GetStartedWithS3.html
Setting up a static website: http://docs.aws.amazon.com/AmazonS3/latest/dev/HostingWebsiteOnS3Setup.html
Using versioning: http://docs.aws.amazon.com/AmazonS3/latest/dev/Versioning.html
Object Lifecycle Management: http://docs.aws.amazon.com/AmazonS3/latest/dev/object-lifecycle-mgmt.html
EXERCISE 2.1
Create an Amazon Simple Storage Service (Amazon S3) Bucket
In this exercise, you will create a new Amazon S3 bucket in your selected region. You will use this bucket in the following exercises.
1. Log in to the AWS Management Console.
2. Choose an appropriate region, such as US West (Oregon).
3. Navigate to the Amazon S3 console. Notice that the region indicator now says Global. Remember that Amazon S3 buckets form a global namespace, even though each bucket is created in a specific region.
4. Start the create bucket process.
5. When prompted for Bucket Name, use mynewbucket.
6. Choose a region, such as US West (Oregon).
7. Try to create the bucket. You almost surely will get a message that the requested bucket name is not available. Remember that a bucket name must be unique globally.
8. Try again using your surname followed by a hyphen and then today’s date in a six-digit format as the bucket name (a bucket name that is not likely to exist already).
You should now have a new Amazon S3 bucket.
EXERCISE 2.2
Upload, Make Public, Rename, and Delete Objects in Your Bucket
In this exercise, you will upload a new object to your bucket. You will then make this object public and view the object in your browser. You will then rename the object and finally delete it from the bucket.
Upload an Object
1. Load your new bucket in the Amazon S3 console.
2. Select Upload, then Add Files.
3. Locate a file on your PC that you are okay with uploading to Amazon S3 and making public to the Internet. (We suggest using a non-personal image file for the purposes of this exercise.)
4. Select a suitable file, then Start Upload. You will see the status of your file in the Transfers section.
5. After your file is uploaded, the status should change to Done.
The file you uploaded is now stored as an Amazon S3 object and should now be listed in the contents of your bucket.
Open the Amazon S3 URL
6. Now open the properties for the object. The properties should include bucket, name, and link.
7. Copy the Amazon S3 URL for the object.
8. Paste the URL in the address bar of a new browser window or tab.
You should get a message with an XML error code AccessDenied. Even though the object has a URL, it is private by default, so it cannot be accessed by a web browser.
Make the Object Public
9. Go back to the Amazon S3 Console and select Make Public. (Equivalently, you can change the object’s permissions and add grantee Everyone and permissions Open/Download.)
10. Copy the Amazon S3 URL again and try to open it in a browser or tab. Your public image file should now display in the browser or browser tab.
Rename Object
11. In the Amazon S3 console, select Rename.
12. Rename the object, but keep the same file extension.
13. Copy the new Amazon S3 URL and try to open it in a browser or tab. You should see the same image file.
Delete the Object
14. In the Amazon S3 console, select Delete. Select OK when prompted if you want to delete the object.
15. The object has now been deleted.
16. To verify, try to reload the deleted object’s Amazon S3 URL.
You should once again get the XML AccessDenied error message.
EXERCISE 2.3
Enable Version Control
In this exercise, you will enable version control on your newly created bucket.
Enable Versioning
1. In the Amazon S3 console, load the properties of your bucket. Don’t open the bucket.
2. Enable versioning in the properties and select OK to verify. Your bucket now has versioning enabled. (Note that versioning can be suspended, but not turned off.)
Create Multiple Versions of an Object
3. Create a text file named foo.txt on your computer and write the word blue in the text file.
4. Save the text file to a location of your choosing.
5. Upload the text file to your bucket. This will be version 1.
6. After you have uploaded the text file to your bucket, open the copy on your local computer and change the word blue to red. Save the text file with the original filename.
7. Upload the modified file to your bucket.
8. Select Show Versions on the uploaded object.
You will now see two different versions of the object with different Version IDs and possibly different sizes. Note that when you select Show Version, the Amazon S3 URL now includes the version ID in the query string after the object name.
EXERCISE 2.4
Delete an Object and Then Restore It
In this exercise, you will delete an object in your Amazon S3 bucket and then restore it.
Delete an Object
1. Open the bucket containing the text file for which you now have two versions.
2. Select Hide Versions.
3. Select Delete, and then select OK to verify.
4. Your object will now be deleted, and you can no longer see the object.
5. Select Show Versions.
Both versions of the object now show their version IDs.
Restore an Object
6. Open your bucket.
7. Select Show Versions.
8. Select the oldest version and download the object. Note that the filename is simply foo.txt with no version indicator.
9. Upload foo.txt to the same bucket.
10. Select Hide Versions, and the file foo.txt should re-appear.
To restore a version, you copy the desired version into the same bucket. In the Amazon S3 console, this requires a download then re-upload of the object. Using APIs, SDKs, or AWS CLI, you can copy a version directly without downloading and re-uploading.
EXERCISE 2.5
Lifecycle Management
In this exercise, you will explore the various options for lifecycle management.
1. Select your bucket in the Amazon S3 console.
2. Under Properties, add a Lifecycle Rule.
3. Explore the various options to add lifecycle rules to objects in this bucket. It is recommended that you do not implement any of these options, as you may incur additional costs. After you have finished, click the Cancel button.
Most lifecycle rules require some number of days to expire before the transition takes effect. For example, it takes a minimum of 30 days to transition from Amazon S3 Standard to Amazon S3 Standard-IA. This makes it impractical to create a lifecycle rule and see the actual result in an exercise.
EXERCISE 2.6
Enable Static Hosting on Your Bucket
In this exercise, you will enable static hosting on your newly created bucket.
1. Select your bucket in the Amazon S3 console.
2. In the Properties section, select Enable Website Hosting.
3. For the index document name, enter index.txt, and for the error document name, enter error.txt.
4. Use a text editor to create two text files and save them as index.txt and error.txt. In the index.txt file, write the phrase “Hello World,” and in the error.txt file, write the phrase “Error Page.” Save both text files and upload them to your bucket.
5. Make the two objects public.
6. Copy the Endpoint: link under Static Website Hosting and paste it in a browser window or tab. You should now see the phrase "Hello World" displayed.
7. In the address bar in your browser, try adding a forward slash followed by a made-up filename (for example, /test.html). You should now see the phrase "Error Page" displayed.
8. To clean up, delete all of the objects in your bucket and then delete the bucket itself.
Review Questions
1. In what ways does Amazon Simple Storage Service (Amazon S3) object storage differ from block and file storage? (Choose 2 answers)
A. Amazon S3 stores data in fixed size blocks.
B. Objects are identified by a numbered address.
C. Objects can be any size.
D. Objects contain both data and metadata.
E. Objects are stored in buckets.
2. Which of the following are not appropriate use cases for Amazon Simple Storage Service (Amazon S3)? (Choose 2 answers)
A. Storing web content
B. Storing a file system mounted to an Amazon Elastic Compute Cloud (Amazon EC2) instance
C. Storing backups for a relational database
D. Primary storage for a database
E. Storing logs for analytics
3. What are some of the key characteristics of Amazon Simple Storage Service (Amazon S3)? (Choose 3 answers)
A. All objects have a URL.
B. Amazon S3 can store unlimited amounts of data.
C. Objects are world-readable by default.
D. Amazon S3 uses a REST (Representational State Transfer) Application Program Interface (API).
E. You must pre-allocate the storage in a bucket.
4. Which features can be used to restrict access to Amazon Simple Storage Service (Amazon S3) data? (Choose 3 answers)
A. Enable static website hosting on the bucket.
B. Create a pre-signed URL for an object.
C. Use an Amazon S3 Access Control List (ACL) on a bucket or object.
D. Use a lifecycle policy.
E. Use an Amazon S3 bucket policy.
5. Your application stores critical data in Amazon Simple Storage Service (Amazon S3), which must be protected against inadvertent or intentional deletion. How can this data be protected? (Choose 2 answers)
A. Use cross-region replication to copy data to another bucket automatically.
B. Set a vault lock.
C. Enable versioning on the bucket.
D. Use a lifecycle policy to migrate data to Amazon Glacier.
E. Enable MFA Delete on the bucket.
6. Your company stores documents in Amazon Simple Storage Service (Amazon S3), but it wants to minimize cost. Most documents are used actively for only about a month, then much less frequently. However, all data needs to be available within minutes when requested. How can you meet these requirements?
A. Migrate the data to Amazon S3 Reduced Redundancy Storage (RRS) after 30 days.
B. Migrate the data to Amazon Glacier after 30 days.
C. Migrate the data to Amazon S3 Standard–Infrequent Access (IA) after 30 days.
D. Turn on versioning, then migrate the older version to Amazon Glacier.
7. How is data stored in Amazon Simple Storage Service (Amazon S3) for high durability?
A. Data is automatically replicated to other regions.
B. Data is automatically replicated within a region.
C. Data is replicated only if versioning is enabled on the bucket.
D. Data is automatically backed up on tape and restored if needed.
8. Based on the following Amazon Simple Storage Service (Amazon S3) URL, which one of the following statements is correct?
https://bucket1.abc.com.s3.amazonaws.com/folderx/myfile.doc
A. The object “myfile.doc” is stored in the folder “folderx” in the bucket “bucket1.abc.com.”
B. The object “myfile.doc” is stored in the bucket “bucket1.abc.com.”
C. The object “folderx/myfile.doc” is stored in the bucket “bucket1.abc.com.”
D. The object “myfile.doc” is stored in the bucket “bucket1.”
9. To have a record of who accessed your Amazon Simple Storage Service (Amazon S3) data and from where, you should do what?
A. Enable versioning on the bucket.
B. Enable website hosting on the bucket.
C. Enable server access logs on the bucket.
D. Create an AWS Identity and Access Management (IAM) bucket policy.
E. Enable Amazon CloudWatch logs.
10. What are some reasons to enable cross-region replication on an Amazon Simple Storage Service (Amazon S3) bucket? (Choose 2 answers)
A. You want a backup of your data in case of accidental deletion.
B. You have a set of users or customers who can access the second bucket with lower latency.
C. For compliance reasons, you need to store data in a location at least 300 miles away from the first region.
D. Your data needs at least five nines of durability.
11. Your company requires that all data sent to external storage be encrypted before being sent. Which Amazon Simple Storage Service (Amazon S3) encryption solution will meet this requirement?
A. Server-Side Encryption (SSE) with AWS-managed keys (SSE-S3)
B. SSE with customer-provided keys (SSE-C)
C. Client-side encryption with customer-managed keys
D. Server-side encryption with AWS Key Management Service (AWS KMS) keys (SSE-KMS)
12. You have a popular web application that accesses data stored in an Amazon Simple Storage Service (Amazon S3) bucket. You expect the access to be very read-intensive, with expected request rates of up to 500 GETs per second from many clients. How can you increase the performance and scalability of Amazon S3 in this case?
A. Turn on cross-region replication to ensure that data is served from multiple locations.
B. Ensure randomness in the namespace by including a hash prefix to key names.
C. Turn on server access logging.
D. Ensure that key names are sequential to enable pre-fetch.
13. What is needed before you can enable cross-region replication on an Amazon Simple Storage Service (Amazon S3) bucket? (Choose 2 answers)
A. Enable versioning on the bucket.
B. Enable a lifecycle rule to migrate data to the second region.
C. Enable static website hosting.
D. Create an AWS Identity and Access Management (IAM) policy to allow Amazon S3 to replicate objects on your behalf.
14. Your company has 100 TB of financial records that need to be stored for seven years by law. Experience has shown that any record more than one year old is unlikely to be accessed. Which of the following storage plans meets these needs in the most cost-efficient manner?
A. Store the data on Amazon Elastic Block Store (Amazon EBS) volumes attached to t2.micro instances.
B. Store the data on Amazon Simple Storage Service (Amazon S3) with lifecycle policies that change the storage class to Amazon Glacier after one year and delete the object after seven years.
C. Store the data in Amazon DynamoDB and run a daily script to delete data older than seven years.
D. Store the data in Amazon Elastic MapReduce (Amazon EMR).
15. Amazon Simple Storage Service (S3) bucket policies can restrict access to an Amazon S3 bucket and objects by which of the following? (Choose 3 answers)
A. Company name
B. IP address range
C. AWS account
D. Country of origin
E. Objects with a specific prefix
16. Amazon Simple Storage Service (Amazon S3) is an eventually consistent storage system. For what kinds of operations is it possible to get stale data as a result of eventual consistency? (Choose 2 answers)
A. GET after PUT of a new object
B. GET or LIST after a DELETE
C. GET after overwrite PUT (PUT to an existing key)
D. DELETE after PUT of new object
17. What must be done to host a static website in an Amazon Simple Storage Service (Amazon S3) bucket? (Choose 3 answers)
A. Configure the bucket for static hosting and specify an index and error document.
B. Create a bucket with the same name as the website.
C. Enable File Transfer Protocol (FTP) on the bucket.
D. Make the objects in the bucket world-readable.
E. Enable HTTP on the bucket.
18. You have valuable media files hosted on AWS and want them to be served only to authenticated users of your web application. You are concerned that your content could be stolen and distributed for free. How can you protect your content?
A. Use static web hosting.
B. Generate pre-signed URLs for content in the web application.
C. Use AWS Identity and Access Management (IAM) policies to restrict access.
D. Use logging to track your content.
19. Amazon Glacier is well-suited to data that is which of the following? (Choose 2 answers)
A. Is infrequently or rarely accessed
B. Must be immediately available when needed
C. Is available after a three- to five-hour restore period
D. Is frequently erased within 30 days
20. Which statements about Amazon Glacier are true? (Choose 3 answers)
A. Amazon Glacier stores data in objects that live in archives.
B. Amazon Glacier archives are identified by user-specified key names.
C. Amazon Glacier archives take three to five hours to restore.
D. Amazon Glacier vaults can be locked.
E. Amazon Glacier can be used as a standalone service and as an Amazon S3 storage class.
Chapter 3
Amazon Elastic Compute Cloud (Amazon EC2) and Amazon Elastic Block Store (Amazon EBS)
THE AWS CERTIFIED SOLUTIONS ARCHITECT ASSOCIATE EXAM OBJECTIVES COVERED IN THIS CHAPTER MAY INCLUDE, BUT ARE NOT LIMITED TO, THE FOLLOWING:
Domain 1.0: Designing highly available, cost-efficient, fault-tolerant, scalable systems
1.1 Identify and recognize cloud architecture considerations, such as fundamental components and effective designs.
Content may include the following:
How to design cloud services
Planning and design
Monitoring and logging
Domain 2.0: Implementation/Deployment
2.1 Identify the appropriate techniques and methods using Amazon EC2, Amazon Simple Storage Service (Amazon S3), AWS Elastic Beanstalk, AWS CloudFormation, AWS OpsWorks, Amazon Virtual Private Cloud (Amazon VPC), and AWS Identity and Access Management (IAM) to code and implement a cloud solution.
Content may include the following:
Configure an Amazon Machine Image (AMI)
Configure services to support compliance requirements in the cloud
Launch instances across the AWS global infrastructure
Domain 3.0: Data Security
3.2 Recognize critical disaster recovery techniques and their implementation.
Content may include the following:
Disaster recovery
AmazonEB
Introduction
In this chapter, you learn how Amazon Elastic Compute Cloud (Amazon EC2) and Amazon Elastic Block Store (Amazon EBS) provide the basic elements of compute and block-level storage to run your workloads on AWS. It focuses on key topics you need to understand for the exam, including:
How instance types and Amazon Machine Images (AMIs) define the capabilities of instances you launch on the cloud
How to securely access your instances running on the cloud
How to protect your instances with virtual firewalls called security groups
How to have your instances configure themselves for unattended launch
How to monitor and manage your instances on the cloud
How to change the capabilities of an existing instance
The payment options available for the best mix of affordability and flexibility
How tenancy options and placement groups provide options to optimize compliance and performance
How instance stores differ from Amazon EBS volumes and when they are effective
What types of volumes are available through Amazon EBS
How to protect your data on Amazon EBS
Amazon Elastic Compute Cloud (Amazon EC2)
Amazon EC2 is AWS's primary web service that provides resizable compute capacity in the cloud.
Compute Basics
Compute refers to the amount of computational power required to fulfill your workload. If your workload is very small, such as a website that receives few visitors, then your compute needs are very small. A large workload, such as screening ten million compounds against a common cancer target, might require a great deal of compute. The amount of compute you need might change drastically over time.
Amazon EC2 allows you to acquire compute through the launching of virtual servers called instances. When you launch an instance, you can make use of the compute as you wish, just as you would with an on-premises server. Because you are paying for the computing power of the instance, you are charged per hour while the instance is running. When you stop the instance, you are no longer charged.
There are two concepts that are key to launching instances on AWS: (1) the amount of virtual hardware dedicated to the instance and (2) the software loaded on the instance. These two dimensions of new instances are controlled, respectively, by the instance type and the AMI.
Instance Types
The instance type defines the virtual hardware supporting an Amazon EC2 instance. There are dozens of instance types available, varying in the following dimensions:
Virtual CPUs (vCPUs)
Memory
Storage (size and type)
Network performance
Instance types are grouped into families based on the ratio of these values to each other. For instance, the m4 family provides a balance of compute, memory, and network resources, and it is a good choice for many applications. Within each family there are several choices that scale up linearly in size. Figure 3.1 shows the four instance sizes in the m4 family. Note that the ratio of vCPUs to memory is constant as the sizes scale linearly. The hourly price for each size scales linearly as well. For example, an m4.xlarge instance costs twice as much as the m4.large instance.
FIGURE 3.1 Memory and vCPUs for the m4 instance family
Different instance type families tilt the ratio to accommodate different types of workloads, but they all exhibit this linear scale-up behavior within the family. Table 3.1 lists some of the families available.
TABLE 3.1 Sample Instance Type Families
Family
c4  Compute optimized—For workloads requiring significant processing
r3  Memory optimized—For memory-intensive workloads
i2  Storage optimized—For workloads requiring high amounts of fast SSD storage
g2  GPU-based instances—Intended for graphics and general-purpose GPU compute workloads
In response to customer demand and to take advantage of new processor technology, AWS occasionally introduces new instance families. Check the AWS website for the current list.
Another variable to consider when choosing an instance type is network performance. For most instance types, AWS publishes a relative measure of network performance: low, moderate, or high. Some instance types specify a network performance of 10 Gbps. The network performance increases within a family as the instance type grows.
For workloads requiring greater network performance, many instance types support enhanced networking. Enhanced networking reduces the impact of virtualization on network performance by enabling a capability called Single Root I/O Virtualization (SR-IOV). This results in more Packets Per Second (PPS), lower latency, and less jitter. At the time of this writing, there are instance types that support enhanced networking in the C3, C4, D2, I2, M4, and R3 families (consult the AWS documentation for a current list). Enabling enhanced networking on an instance involves ensuring the correct drivers are installed and modifying an instance attribute. Enhanced networking is available only for instances launched in an Amazon Virtual Private Cloud (Amazon VPC), which is discussed in Chapter 4, “Amazon Virtual Private Cloud (Amazon VPC).”
Amazon Machine Images (AMIs)
The Amazon Machine Image (AMI) defines the initial software that will be on an instance when it is launched. An AMI defines every aspect of the software state at instance launch, including:
The Operating System (OS) and its configuration
The initial state of any patches
Application or system software
All AMIs are based on x86 OSs, either Linux or Windows.
There are four sources of AMIs:
Published by AWS—AWS publishes AMIs with versions of many different OSs, both Linux and Windows. These include multiple distributions of Linux (including Ubuntu, Red Hat, and Amazon's own distribution) and Windows 2008 and Windows 2012. Launching an instance based on one of these AMIs will result in the default OS settings, similar to installing an OS from the standard OS ISO image. As with any OS installation, you should immediately apply all appropriate patches upon launch.
The AWS Marketplace—AWS Marketplace is an online store that helps customers find, buy, and immediately start using the software and services that run on Amazon EC2. Many AWS partners have made their software available in the AWS Marketplace. This provides two benefits: the customer does not need to install the software, and the license agreement is appropriate for the cloud. Instances launched from an AWS Marketplace AMI incur the standard hourly cost of the instance type plus an additional per-hour charge for the additional software (some open-source AWS Marketplace packages have no additional software charge).
Generated from Existing Instances—An AMI can be created from an existing Amazon EC2 instance. This is a very common source of AMIs. Customers launch an instance from a published AMI, and then the instance is configured to meet all the customer's corporate standards for updates, management, security, and so on. An AMI is then generated from the configured instance and used to generate all instances of that OS. In this way, all new instances follow the corporate standard and it is more difficult for individual projects to launch non-conforming instances.
Uploaded Virtual Servers—Using the AWS VM Import/Export service, customers can create images from various virtualization formats, including raw, VHD, VMDK, and OVA. The current list of supported OSs (Linux and Windows) can be found in the AWS documentation. It is incumbent on the customers to remain compliant with the licensing terms of their OS vendor.
Securely Using an Instance
Once launched, instances can be managed over the Internet. AWS has several services and features to ensure that this management can be done simply and securely.
Addressing an Instance
There are several ways that an instance may be addressed over the web upon creation:
Public Domain Name System (DNS) Name—When you launch an instance, AWS creates a DNS name that can be used to access the instance. This DNS name is generated automatically and cannot be specified by the customer. The name can be found in the Description tab of the AWS Management Console or via the Command Line Interface (CLI) or Application Programming Interface (API). This DNS name persists only while the instance is running and cannot be transferred to another instance.
Public IP—A launched instance may also have a public IP address assigned. This IP address is assigned from the addresses reserved by AWS and cannot be specified. This IP address is unique on the Internet, persists only while the instance is running, and cannot be transferred to another instance.
Elastic IP—An elastic IP address is an address unique on the Internet that you reserve independently and associate with an Amazon EC2 instance. While similar to a public IP, there are some key differences. This IP address persists until the customer releases it and is not tied to the lifetime or state of an individual instance. Because it can be transferred to a replacement instance in the event of an instance failure, it is a public address that can be shared externally without coupling clients to a particular instance.
Private IP addresses and Elastic Network Interfaces (ENIs) are additional methods of addressing instances that are available in the context of an Amazon VPC. These are discussed in Chapter 4.
Initial Access
Amazon EC2 uses public-key cryptography to encrypt and decrypt login information. Public-key cryptography uses a public key to encrypt a piece of data and an associated private key to decrypt the data. These two keys together are called a key pair. Key pairs can be created through the AWS Management Console, CLI, or API, or customers can upload their own key pairs. AWS stores the public key, and the private key is kept by the customer. The private key is essential to acquiring secure access to an instance for the first time.
Store your private keys securely. When Amazon EC2 launches a Linux instance, the public key is stored in the ~/.ssh/authorized_keys file on the instance and an initial user is created. The initial user can vary depending on the OS. For example, the Amazon Linux distribution initial user is ec2-user. Initial access to the instance is obtained by using the ec2-user and the private key to log in via SSH. At this point, you can configure other users and enroll in a directory such as LDAP.
When launching a Windows instance, Amazon EC2 generates a random password for the local administrator account and encrypts the password using the public key. Initial access to the instance is obtained by decrypting the password with the private key, either in the console or through the API. The decrypted password can be used to log in to the instance with the local administrator account via RDP. At this point, you can create other local users and/or connect to an Active Directory domain.
It is a best practice to change the initial local administrator password.
Virtual Firewall Protection
AWS allows you to control traffic in and out of your instances through virtual firewalls called security groups. Security groups allow you to control traffic based on port, protocol, and source/destination. Security groups have different capabilities depending on whether they are associated with an Amazon VPC or Amazon EC2-Classic. Table 3.2 compares these different capabilities (Amazon VPC is discussed in Chapter 4).
TABLE 3.2 Different Security Groups
Type of Security Group  Capabilities
EC2-Classic Security Groups  Control outgoing instance traffic
VPC Security Groups  Control outgoing and incoming instance traffic
Security groups are associated with instances when they are launched. Every instance must have at least one security group but can have more.
A security group is default deny; that is, it does not allow any traffic that is not explicitly allowed by a security group rule. A rule is defined by the three attributes in Table 3.3. When an instance is associated with multiple security groups, the rules are aggregated and all traffic allowed by each of the individual groups is allowed. For example, if security group A allows RDP traffic from 72.58.0.0/16 and security group B allows HTTP and HTTPS traffic from 0.0.0.0/0 and your instance is associated with both groups, then both the RDP and HTTP/S traffic will be allowed into your instance.
TABLE 3.3 Security Group Rule Attributes
Attribute  Meaning
Port  The port number affected by this rule. For instance, port 80 for HTTP traffic.
Protocol  The communications standard for the traffic affected by this rule.
Source/Destination  Identifies the other end of the communication, the source for incoming traffic rules, or the destination for outgoing traffic rules. The source/destination can be defined in two ways: CIDR block—An x.x.x.x/x style definition that defines a specific range of IP addresses. Security group—Includes any instance that is associated with the given security group. This helps prevent coupling security group rules with specific IP addresses.
A security group is a stateful firewall; that is, an outgoing message is remembered so that the response is allowed through the security group without an explicit inbound rule being required.
Security groups are applied at the instance level, as opposed to a traditional on-premises firewall that protects at the perimeter. The effect of this is that instead of having to breach a single perimeter to access all the instances in your security group, an attacker would have to breach the security group repeatedly for each individual instance.
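The three behaviours described above (default deny, aggregation of rules across groups, and stateful handling of replies) can be modelled directly. This is an added example, not code from the study guide: the rule attributes follow Table 3.3, the groups A and B are the text's own example, and the instance, the sample source addresses and the connection-tracking table are constructed for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    """One inbound rule with the three attributes from Table 3.3."""
    protocol: str   # e.g. "tcp"
    port: int       # port number affected by the rule
    source: str     # CIDR block such as "72.58.0.0/16"

    def matches(self, protocol: str, port: int, src_ip: str) -> bool:
        return (self.protocol == protocol and self.port == port
                and ip_address(src_ip) in ip_network(self.source))


@dataclass
class SecurityGroup:
    name: str
    inbound: list = field(default_factory=list)   # rules; anything else is denied


@dataclass
class Instance:
    groups: list                                   # security groups attached at launch
    # Constructed connection-tracking table of flows the instance itself opened:
    # (local_port, remote_ip, remote_port, protocol)
    flows: set = field(default_factory=set)

    def open_outbound(self, protocol: str, local_port: int, dst_ip: str, dst_port: int):
        self.flows.add((local_port, dst_ip, dst_port, protocol))

    def allows_inbound(self, protocol: str, port: int, src_ip: str, src_port: int = 0) -> bool:
        # Stateful: the reply to a flow we opened needs no explicit inbound rule.
        if (port, src_ip, src_port, protocol) in self.flows:
            return True
        # Aggregation: traffic allowed by any one attached group is allowed.
        # Default deny: with no matching rule in any group, the packet is dropped.
        return any(rule.matches(protocol, port, src_ip)
                   for group in self.groups for rule in group.inbound)


RDP, HTTP, HTTPS, SSH = 3389, 80, 443, 22
# The two groups from the text's example.
GROUP_A = SecurityGroup("A", [Rule("tcp", RDP, "72.58.0.0/16")])
GROUP_B = SecurityGroup("B", [Rule("tcp", HTTP, "0.0.0.0/0"),
                              Rule("tcp", HTTPS, "0.0.0.0/0")])


def evaluate_page_example() -> dict:
    """Verdicts for constructed sample packets against an instance in both groups."""
    web = Instance(groups=[GROUP_A, GROUP_B])
    verdicts = {
        "rdp_from_72.58.0.0/16": web.allows_inbound("tcp", RDP, "72.58.10.20"),
        "rdp_from_elsewhere": web.allows_inbound("tcp", RDP, "198.51.100.7"),
        "https_from_anywhere": web.allows_inbound("tcp", HTTPS, "198.51.100.7"),
        "ssh_from_72.58.0.0/16": web.allows_inbound("tcp", SSH, "72.58.10.20"),
    }
    # Stateful behaviour: the instance fetches patches from 203.0.113.5:443,
    # so the reply arriving on its ephemeral port 51000 is let back in ...
    web.open_outbound("tcp", 51000, "203.0.113.5", HTTPS)
    verdicts["reply_to_our_request"] = web.allows_inbound("tcp", 51000, "203.0.113.5", HTTPS)
    # ... while an unsolicited packet to the same port from another host is not.
    verdicts["unsolicited_to_51000"] = web.allows_inbound("tcp", 51000, "198.51.100.7", HTTPS)
    return verdicts
```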
The Lifecycle of Instances
Amazon EC2 has several features and services that facilitate the management of Amazon EC2 instances over their entire lifecycle.
Launching
There are several additional services that are useful when launching new Amazon EC2 instances.
Bootstrapping
A great benefit of the cloud is the ability to script virtual hardware management in a manner that is not possible with on-premises hardware. In order to realize the value of this, there has to be some way to configure instances and install applications programmatically when an instance is launched. The process of providing code to be run on an instance at launch is called bootstrapping.
One of the parameters when an instance is launched is a string value called UserData. This string is passed to the operating system to be executed as part of the launch process the first time the instance is booted. On Linux instances this can be a shell script, and on Windows instances this can be a batch-style script or a PowerShell script. The script can perform tasks such as:
Applying patches and updates to the OS
Enrolling in a directory service
Installing application software
Copying a longer script or program from storage to be run on the instance
Installing Chef or Puppet and assigning the instance a role so the configuration management software can configure the instance
UserData is stored with the instance and is not encrypted, so it is important to not include any secrets such as passwords or keys in the UserData.
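A pre-launch check for the rule just stated: because UserData is stored unencrypted, a bootstrap script that embeds a credential should be rejected before the instance is launched. This is an added example, not code from the study guide; the two sample scripts are constructed, and the three detection patterns (an access key ID prefix, a PEM private-key header, and a password-style assignment) are illustrative heuristics rather than an exhaustive scanner.

```python
import re

# Heuristic patterns for secrets that must never ride along in UserData.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "password_assignment": re.compile(r"(?i)(password|passwd|secret)\s*=\s*\S+"),
}


def find_user_data_secrets(user_data: str) -> list:
    """Return (line number, pattern name) pairs for lines that look like embedded secrets."""
    hits = []
    for lineno, line in enumerate(user_data.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                hits.append((lineno, name))
    return hits


def user_data_is_safe(user_data: str) -> bool:
    """True when no line of the script matches a secret pattern."""
    return not find_user_data_secrets(user_data)


# Constructed: a bootstrap script that embeds credentials (the anti-pattern).
# The key ID is the placeholder value AWS uses in its own documentation.
UNSAFE_USER_DATA = """#!/bin/bash
yum update -y
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
DB_PASSWORD=hunter2
aws s3 cp s3://example-bucket/bootstrap.sh /tmp/bootstrap.sh
bash /tmp/bootstrap.sh
"""

# Constructed: the same tasks with nothing secret in UserData. Patching is
# done inline and the longer script is copied from storage, as the text
# suggests; any credentials the instance needs are obtained at runtime
# rather than pasted into the launch parameter.
SAFE_USER_DATA = """#!/bin/bash
yum update -y
aws s3 cp s3://example-bucket/bootstrap.sh /tmp/bootstrap.sh
bash /tmp/bootstrap.sh
"""
```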
VM Import/Export
In addition to importing virtual instances as AMIs, VM Import/Export enables you to easily import Virtual Machines (VMs) from your existing environment as an Amazon EC2 instance and export them back to your on-premises environment. You can only export previously imported Amazon EC2 instances. Instances launched within AWS from AMIs cannot be exported.
Instance Metadata
Instance metadata is data about your instance that you can use to configure or manage the running instance. This is unique in that it is a mechanism to obtain AWS properties of the instance from within the OS without making a call to the AWS API. An HTTP call to http://169.254.169.254/latest/meta-data/ will return the top node of the instance metadata tree. Instance metadata includes a wide variety of attributes, including:
The associated security groups
The instance ID
The instance type
The AMI used to launch the instance
This only begins to scratch the surface of the information available in the metadata. Consult the AWS documentation for a full list.
Managing Instances
When the number of instances in your account starts to climb, it can become difficult to keep track of them. Tags can help you manage not just your Amazon EC2 instances, but also many of your AWS Cloud services. Tags are key/value pairs you can associate with your instance or other service. Tags can be used to identify attributes of an instance like project, environment (dev, test, and so on), billable department, and so forth. You can apply up to 10 tags per instance. Table 3.4 shows some tag suggestions.
TABLE 3.4 Sample Tags
Key  Value
Project  TimeEntry
Environment  Production
BillingCode  4004
Monitoring Instances
AWS offers a service called Amazon CloudWatch that provides monitoring and alerting for Amazon EC2 instances, and also other AWS infrastructure. Amazon CloudWatch is discussed in detail in Chapter 5, “Elastic Load Balancing, Amazon CloudWatch, and Auto Scaling.”
Modifying an Instance
There are several aspects of an instance that can be modified after launch.
Instance Type
The ability to change the instance type of an instance contributes greatly to the agility of running workloads in the cloud. Instead of committing to a certain hardware configuration months before a workload is launched, the workload can be launched using a best estimate for the instance type. If the compute needs prove to be higher or lower than expected, the instances can be changed to a different size more appropriate to the workload.
Instances can be resized using the AWS Management Console, CLI, or API. To resize an instance, set the state to Stopped. Choose the “Change Instance Type” function in the tool of your choice (the instance type is listed as an Instance Setting in the console and an Instance Attribute in the CLI) and select the desired instance type. Restart the instance and the process is complete.
Security Groups
If an instance is running in an Amazon VPC (discussed in Chapter 4), you can change which security groups are associated with an instance while the instance is running. For instances outside of an Amazon VPC (called EC2-Classic), the association of the security groups cannot be changed after launch.
Termination Protection
When an Amazon EC2 instance is no longer needed, the state can be set to Terminated and the instance will be shut down and removed from the AWS infrastructure. In order to prevent termination via the AWS Management Console, CLI, or API, termination protection can be enabled for an instance. While enabled, calls to terminate the instance will fail until termination protection is disabled. This helps to prevent accidental termination through human error.
Note that this just protects from termination calls from the AWS Management Console, CLI, or API. It does not prevent termination triggered by an OS shutdown command, termination from an Auto Scaling group (discussed in Chapter 5), or termination of a Spot Instance due to Spot price changes (discussed in the next section).
Options
There are several additional options available in Amazon EC2 to improve cost optimization, security, and performance that are important to know for the exam.
Pricing Options
You are charged for Amazon EC2 instances for each hour that they are in a running state, but the amount you are charged per hour can vary based on three pricing options: On-Demand Instances, Reserved Instances, and Spot Instances.
On-Demand Instances
The price per hour for each instance type published on the AWS website represents the price for On-Demand Instances. This is the most flexible pricing option, as it requires no up-front commitment, and the customer has control over when the instance is launched and when it is terminated. It is the least cost effective of the three pricing options per compute hour, but its flexibility allows customers to save by provisioning a variable level of compute for unpredictable workloads.
Reserved Instances
The Reserved Instance pricing option enables customers to make capacity reservations for predictable workloads. By using Reserved Instances for these workloads, customers can save up to 75 percent over the on-demand hourly rate. When purchasing a reservation, the customer specifies the instance type and Availability Zone for that Reserved Instance and achieves a lower effective hourly price for that instance for the duration of the reservation. An additional benefit is that capacity in the AWS data centers is reserved for that customer. There are two factors that determine the cost of the reservation: the term commitment and the payment option.
The term commitment is the duration of the reservation and can be either one or three years. The longer the commitment, the bigger the discount.
There are three different payment options for Reserved Instances:
All Upfront—Pay for the entire reservation up front. There is no monthly charge for the customer during the term.
Partial Upfront—Pay a portion of the reservation charge up front and the rest in monthly installments for the duration of the term.
No Upfront—Pay the entire reservation charge in monthly installments for the duration of the term.
The amount of the discount is greater the more the customer pays up front.
For example, let's look at the effect of an all upfront, three-year reservation on the effective hourly cost of an m4.2xlarge instance. The cost of running one instance continuously for three years (or 26,280 hours) at both pricing options is shown in Table 3.5.
TABLE 3.5 Reserved Instance Pricing Example
Pricing Option  Effective Hourly Cost  Total Three-Year Cost
On-Demand  $0.479/hour  $0.479/hour * 26,280 hours = $12,588.12
Three-Year All Upfront Reservation  $4,694 / 26,280 hours = $0.1786/hour  $4,694
Savings  63%
This example uses the published prices at the time of this writing. AWS has lowered prices many times to date, so check the AWS website for current pricing information.
When your computing needs change, you can modify your Reserved Instances and continue to benefit from your capacity reservation. Modification does not change the remaining term of your Reserved Instances; their end dates remain the same. There is no fee, and you do not receive any new bills or invoices. Modification is separate from purchasing and does not affect how you use, purchase, or sell Reserved Instances. You can modify your whole reservation, or just a subset, in one or more of the following ways:
Switch Availability Zones within the same region.
Change between EC2-VPC and EC2-Classic.
Change the instance type within the same instance family (Linux instances only).
Spot Instances
For workloads that are not time critical and are tolerant of interruption, Spot Instances offer the greatest discount. With Spot Instances, customers specify the price they are willing to pay for a certain instance type. When the customer's bid price is above the current Spot price, the customer will receive the requested instance(s). These instances will operate like all other Amazon EC2 instances, and the customer will only pay the Spot price for the hours that the instance(s) run. The instances will run until:
The customer terminates them.
The Spot price goes above the customer's bid price.
There is not enough unused capacity to meet the demand for Spot Instances.
If Amazon EC2 needs to terminate a Spot Instance, the instance will receive a termination notice providing a two-minute warning prior to Amazon EC2 terminating the instance.
Because of the possibility of interruption, Spot Instances should only be used for workloads tolerant of interruption. This could include analytics, financial modeling, big data, media encoding, scientific computing, and testing.
Architectures with Different Pricing Models
For the exam, it's important to know how to take advantage of the different pricing models to create a cost-efficient architecture. Such an architecture may include different pricing models within the same workload. For instance, a website that averages 5,000 visits a day, but ramps up to 20,000 visits a day during periodic peaks, may purchase two Reserved Instances to handle the average traffic, but depend on On-Demand Instances to fulfill compute needs during the peak times. Figure 3.2 shows such an architecture.
FIGURE 3.2 A workload using a mix of On-Demand and Reserved Instances
Tenancy Options
There are several tenancy options for Amazon EC2 instances that can help customers achieve security and compliance goals.
Shared Tenancy
Shared tenancy is the default tenancy model for all Amazon EC2 instances, regardless of instance type, pricing model, and so forth. Shared tenancy means that a single host machine may house instances from different customers. As AWS does not use overprovisioning and fully isolates instances from other instances on the same host, this is a secure tenancy model.
Dedicated Instances
Dedicated Instances run on hardware that's dedicated to a single customer. As a customer runs more Dedicated Instances, more underlying hardware may be dedicated to their account. Other instances in the account (those not designated as dedicated) will run on shared tenancy and will be isolated at the hardware level from the Dedicated Instances in the account.
Dedicated Host
An Amazon EC2 Dedicated Host is a physical server with Amazon EC2 instance capacity fully dedicated to a single customer's use. Dedicated Hosts can help you address licensing requirements and reduce costs by allowing you to use your existing server-bound software licenses. The customer has complete control over which specific host runs an instance at launch. This differs from Dedicated Instances in that a Dedicated Instance can launch on any hardware that has been dedicated to the account.
Placement Groups
A placement group is a logical grouping of instances within a single Availability Zone. Placement groups enable applications to participate in a low-latency, 10 Gbps network. Placement groups are recommended for applications that benefit from low network latency, high network throughput, or both. Remember that this represents network connectivity between instances. To fully use this network performance for your placement group, choose an instance type that supports enhanced networking and 10 Gbps network performance.
Instance Stores
An instance store (sometimes referred to as ephemeral storage) provides temporary block-level storage for your instance. This storage is located on disks that are physically attached to the host computer. An instance store is ideal for temporary storage of information that changes frequently, such as buffers, caches, scratch data, and other temporary content, or for data that is replicated across a fleet of instances, such as a load-balanced pool of web servers.
The size and type of instance stores available with an Amazon EC2 instance depend on the instance type. At this writing, storage available with various instance types ranges from no instance stores up to 24 instance stores of 2 TB each. The instance type also determines the type of hardware for the instance store volumes. While some provide Hard Disk Drive (HDD) instance stores, other instance types use Solid State Drives (SSDs) to deliver very high random I/O performance.
Instance stores are included in the cost of an Amazon EC2 instance, so they are a very cost-effective solution for appropriate workloads. The key aspect of instance stores is that they are temporary. Data in the instance store is lost when:
The underlying disk drive fails.
The instance stops (the data will persist if an instance reboots).
The instance terminates.
Therefore, do not rely on instance stores for valuable, long-term data. Instead, build a degree of redundancy via RAID or use a file system that supports redundancy and fault tolerance such as Hadoop's HDFS. Back up the data to more durable data storage solutions such as Amazon Simple Storage Service (Amazon S3) or Amazon EBS often enough to meet recovery point objectives.
Amazon Elastic Block Store (Amazon EBS)
While instance stores are an economical way to fulfill appropriate workloads, their limited persistence makes them ill-suited for many other workloads. For workloads requiring more durable block storage, Amazon provides Amazon EBS.
Elastic Block Store Basics
Amazon EBS provides persistent block-level storage volumes for use with Amazon EC2 instances. Each Amazon EBS volume is automatically replicated within its Availability Zone to protect you from component failure, offering high availability and durability. Amazon EBS volumes are available in a variety of types that differ in performance characteristics and price. Multiple Amazon EBS volumes can be attached to a single Amazon EC2 instance, although a volume can only be attached to a single instance at a time.
Types of Amazon EBS Volumes
Amazon EBS volumes are available in several different types. Types vary in areas such as underlying hardware, performance, and cost. It is important to know the properties of the different types so you can specify the most cost-efficient type that meets a workload's performance demands on the exam.
Magnetic Volumes
Magnetic volumes have the lowest performance characteristics of all Amazon EBS volume types. As such, they cost the lowest per gigabyte. They are an excellent, cost-effective solution for appropriate workloads.
A magnetic Amazon EBS volume can range in size from 1 GB to 1 TB and will average 100 IOPS, but has the ability to burst to hundreds of IOPS. They are best suited for:
Workloads where data is accessed infrequently
Sequential reads
Situations where low-cost storage is a requirement
Magnetic volumes are billed based on the amount of data space provisioned, regardless of how much data you actually store on the volume.
General-Purpose SSD
General-purpose SSD volumes offer cost-effective storage that is ideal for a broad range of workloads. They deliver strong performance at a moderate price point that is suitable for a wide range of workloads.
A general-purpose SSD volume can range in size from 1 GB to 16 TB and provides a baseline performance of three IOPS per gigabyte provisioned, capping at 10,000 IOPS. For instance, if you provision a 1 TB volume, you can expect a baseline performance of 3,000 IOPS. A 5 TB volume will not provide a 15,000 IOPS baseline, as it would hit the cap at 10,000 IOPS.
General-purpose SSD volumes under 1 TB also feature the ability to burst to up to 3,000 IOPS for extended periods of time. For instance, if you have a 500 GB volume you can expect a baseline of 1,500 IOPS. Whenever you are not using these IOPS, they are accumulated as I/O credits. When your volume then has heavy traffic, it will use the I/O credits at a rate of up to 3,000 IOPS until they are depleted. At that point, your performance reverts to 1,500 IOPS. At 1 TB, the baseline performance of the volume is already at 3,000 IOPS, so bursting behavior does not apply.
General-purposeSSDvolumesarebilledbasedontheamountofdataspaceprovisioned,regardlessofhowmuchdatayouactuallystoreonthevolume.Theyaresuitedforawiderangeofworkloadswheretheveryhighestdiskperformanceisnotcritical,suchas:
Systembootvolumes
Small-tomedium-sizeddatabases
Developmentandtestenvironments
Provisioned IOPS SSD
Provisioned IOPS SSD volumes are designed to meet the needs of I/O-intensive workloads, particularly database workloads that are sensitive to storage performance and consistency in random access I/O throughput. While they are the most expensive Amazon EBS volume type per gigabyte, they provide the highest performance of any Amazon EBS volume type in a predictable manner.
A Provisioned IOPS SSD volume can range in size from 4 GB to 16 TB. When you provision a Provisioned IOPS SSD volume, you specify not just the size, but also the desired number of IOPS, up to the lower of the maximum of 30 times the number of GB of the volume, or 20,000 IOPS. You can stripe multiple volumes together in a RAID 0 configuration for larger size and greater performance. Amazon EBS delivers within 10 percent of the provisioned IOPS performance 99.9 percent of the time over a given year.
Pricing is based on the size of the volume and the amount of IOPS reserved. The cost per gigabyte is slightly more than that of general-purpose SSD volumes and is applied based on the size of the volume, not the amount of the volume used to store data. An additional monthly fee is applied based on the number of IOPS provisioned, whether they are consumed or not.
Provisioned IOPS SSD volumes provide predictable, high performance and are well suited for:
Critical business applications that require sustained IOPS performance
Large database workloads
Table 3.6 compares these Amazon EBS volume types.
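The IOPS rules for the two SSD volume types described above, worked through in code. This is an added example, not code from the book or from AWS; it models only what the text states (3 IOPS/GB capped at 10,000 with a 3,000 IOPS burst for volumes under 1 TB, and the lower of 30 IOPS/GB or 20,000 for Provisioned IOPS SSD). The credit bucket starting empty and having no upper bound is an assumption made for the model; the text does not give those values.

```python
"""Model of the Amazon EBS IOPS rules described in the text (added example).

Assumptions: the I/O credit balance starts at 0 and is not capped, and demand is
given as a list of requested IOPS per second. The real service pre-fills the
bucket and caps it, which the text does not describe.
"""

GP2_IOPS_PER_GB = 3
GP2_MAX_IOPS = 10_000
GP2_BURST_IOPS = 3_000
GP2_BURST_LIMIT_GB = 1_000   # volumes at or above 1 TB do not burst

PIOPS_IOPS_PER_GB = 30
PIOPS_MAX_IOPS = 20_000


def gp2_baseline_iops(size_gb: int) -> int:
    """Baseline of 3 IOPS per provisioned GB, capped at 10,000 IOPS."""
    if not 1 <= size_gb <= 16_000:
        raise ValueError("general-purpose SSD volumes range from 1 GB to 16 TB")
    return min(GP2_IOPS_PER_GB * size_gb, GP2_MAX_IOPS)


def piops_max_iops(size_gb: int) -> int:
    """Provisioned IOPS SSD: the lower of 30 x size in GB and 20,000 IOPS."""
    if not 4 <= size_gb <= 16_000:
        raise ValueError("Provisioned IOPS SSD volumes range from 4 GB to 16 TB")
    return min(PIOPS_IOPS_PER_GB * size_gb, PIOPS_MAX_IOPS)


def simulate_gp2_burst(size_gb: int, demand_per_second, initial_credits: int = 0):
    """Return the IOPS actually delivered each second for a general-purpose SSD volume.

    Unused baseline IOPS accumulate as I/O credits. When demand exceeds the
    baseline, credits are spent at up to 3,000 IOPS until they run out, after
    which the volume delivers only its baseline. Volumes of 1 TB or more already
    have a baseline of at least 3,000 IOPS, so bursting does not apply to them.
    """
    baseline = gp2_baseline_iops(size_gb)
    can_burst = size_gb < GP2_BURST_LIMIT_GB
    credits = initial_credits
    delivered = []
    for demand in demand_per_second:
        if demand <= baseline:
            credits += baseline - demand      # unused IOPS become credits
            delivered.append(demand)
            continue
        ceiling = GP2_BURST_IOPS if can_burst else baseline
        extra = min(demand, ceiling) - baseline   # IOPS above baseline we would like
        extra = min(extra, credits)               # ...limited by the credit balance
        credits -= extra
        delivered.append(baseline + extra)
    return delivered


if __name__ == "__main__":
    # 500 GB volume: two idle seconds bank 3,000 credits, enough for two seconds
    # of 3,000 IOPS; the third heavy second falls back to the 1,500 baseline.
    print(simulate_gp2_burst(500, [0, 0, 3000, 3000, 3000]))
```

The simulation makes the book's 500 GB worked example concrete: idle seconds bank credits at the baseline rate, the burst drains them at the difference between 3,000 and the baseline, and performance drops back to the baseline exactly when the balance reaches zero.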
TABLE 3.6 EBS Volume Type Comparison
Characteristic | General-Purpose SSD | Provisioned IOPS SSD | Magnetic
Use cases | System boot volumes; virtual desktops; small- to medium-sized databases; development and test environments | Critical business applications that require sustained IOPS performance or more than 10,000 IOPS or 160 MB of throughput per volume; large database workloads | Cold workloads where data is infrequently accessed; scenarios where the lowest storage cost is important
Volume size | 1 GiB–16 TiB | 4 GiB–16 TiB | 1 GiB–1 TiB
Maximum throughput | 160 MB | 320 MB | 40–90 MB
IOPS performance | Baseline performance of 3 IOPS/GiB (up to 10,000 IOPS) with the ability to burst to 3,000 IOPS for volumes under 1,000 GiB | Consistently performs at provisioned level, up to 20,000 IOPS maximum | Averages 100 IOPS, with the ability to burst to hundreds of IOPS
At the time of this writing, AWS released two new HDD volume types: Throughput-Optimized HDD and Cold HDD. Over time, it is expected that these new types will eclipse the current magnetic volume type, fulfilling the needs of any workload requiring HDD performance.
Throughput-Optimized HDD volumes are low-cost HDD volumes designed for frequent-access, throughput-intensive workloads such as big data, data warehouses, and log processing. Volumes can be up to 16 TB with a maximum IOPS of 500 and maximum throughput of 500 MB/s. These volumes are significantly less expensive than general-purpose SSD volumes.
Cold HDD volumes are designed for less frequently accessed workloads, such as colder data requiring fewer scans per day. Volumes can be up to 16 TB with a maximum IOPS of 250 and maximum throughput of 250 MB/s. These volumes are significantly less expensive than Throughput-Optimized HDD volumes.
Amazon EBS-Optimized Instances
When using any volume type other than magnetic and Amazon EBS I/O is of consequence, it is important to use Amazon EBS-optimized instances to ensure that the Amazon EC2 instance is prepared to take advantage of the I/O of the Amazon EBS volume. An Amazon EBS-optimized instance uses an optimized configuration stack and provides additional, dedicated capacity for Amazon EBS I/O. This optimization provides the best performance for your Amazon EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance. When you select Amazon EBS-optimized for an instance, you pay an additional hourly charge for that instance. Check the AWS documentation to confirm which instance types are available as Amazon EBS-optimized instances.
Protecting Data
Over the lifecycle of an Amazon EBS volume, there are several practices and services that you should know about when taking the exam.
Backup/Recovery (Snapshots)
You can back up the data on your Amazon EBS volumes, regardless of volume type, by taking point-in-time snapshots. Snapshots are incremental backups, which means that only the blocks on the device that have changed since your most recent snapshot are saved.
Taking Snapshots
You can take snapshots in many ways:
Through the AWS Management Console
Through the CLI
Through the API
By setting up a schedule of regular snapshots
Data for the snapshot is stored using Amazon S3 technology. The action of taking a snapshot is free. You pay only the storage costs for the snapshot data.
When you request a snapshot, the point-in-time snapshot is created immediately and the volume may continue to be used, but the snapshot may remain in pending status until all the modified blocks have been transferred to Amazon S3.
It's important to know that while snapshots are stored using Amazon S3 technology, they are stored in AWS-controlled storage and not in your account's Amazon S3 buckets. This means you cannot manipulate them like other Amazon S3 objects. Rather, you must use the Amazon EBS snapshot features to manage them. Snapshots are constrained to the region in which they are created, meaning you can use them to create new volumes only in the same region. If you need to restore a snapshot in a different region, you can copy a snapshot to another region.
Creating a Volume from a Snapshot
To use a snapshot, you create a new Amazon EBS volume from the snapshot. When you do this, the volume is created immediately but the data is loaded lazily. This means that the volume can be accessed upon creation, and if the data being requested has not yet been restored, it will be restored upon first request. Because of this, it is a best practice to initialize a volume created from a snapshot by accessing all the blocks in the volume.
Snapshots can also be used to increase the size of an Amazon EBS volume. To increase the size of an Amazon EBS volume, take a snapshot of the volume, then create a new volume of the desired size from the snapshot. Replace the original volume with the new volume.
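A toy block-level model of the three snapshot behaviours just described: incremental snapshots that store only blocks changed since the previous snapshot, a volume restored from a snapshot that pulls each block on first access (so a full read pass is what "initializing" the volume means), and restoring into a larger volume. This is an added illustration, not the book's or AWS's implementation; the block size, the in-memory volume and the sample data are all constructed for the example.

```python
"""Added example: incremental snapshots and lazy restore, modelled in memory.

Everything here is a constructed toy; it mirrors the behaviour the text describes
(only changed blocks are saved; restored volumes load blocks on first request;
a snapshot can be restored into a larger volume) and nothing else.
"""

BLOCK = 4096  # bytes per block in this model (constructed)
ZERO_BLOCK = bytes(BLOCK)


class Volume:
    """A block device: block index -> bytes. Unwritten blocks read as zeros."""

    def __init__(self, size_blocks: int):
        self.size_blocks = size_blocks
        self.blocks = {}

    def _check(self, index: int) -> None:
        if not 0 <= index < self.size_blocks:
            raise IndexError(f"block {index} outside volume of {self.size_blocks} blocks")

    def write(self, index: int, data: bytes) -> None:
        self._check(index)
        self.blocks[index] = bytes(data)

    def read(self, index: int) -> bytes:
        self._check(index)
        return self.blocks.get(index, ZERO_BLOCK)


class Snapshot:
    """Point-in-time copy that stores only blocks changed since its parent."""

    def __init__(self, parent, changed: dict, size_blocks: int):
        self.parent = parent
        self.changed = changed
        self.size_blocks = size_blocks

    def read(self, index: int) -> bytes:
        # Walk back through the chain until some snapshot holds this block.
        snap = self
        while snap is not None:
            if index in snap.changed:
                return snap.changed[index]
            snap = snap.parent
        return ZERO_BLOCK

    def stored_blocks(self) -> int:
        """How many blocks this snapshot had to save (the incremental cost)."""
        return len(self.changed)


def take_snapshot(volume: Volume, previous: Snapshot = None) -> Snapshot:
    """Save only the blocks that differ from the previous snapshot (all of them if none)."""
    changed = {}
    for index in range(volume.size_blocks):
        current = volume.read(index)
        baseline = previous.read(index) if previous is not None else ZERO_BLOCK
        if current != baseline:
            changed[index] = current
    return Snapshot(previous, changed, volume.size_blocks)


class LazyVolume(Volume):
    """Volume created from a snapshot: each block is restored on first read."""

    def __init__(self, snapshot: Snapshot, size_blocks: int = None):
        size = snapshot.size_blocks if size_blocks is None else size_blocks
        if size < snapshot.size_blocks:
            raise ValueError("a restored volume cannot be smaller than the snapshot")
        super().__init__(size)
        self.snapshot = snapshot
        self.fetched = 0   # blocks pulled from the snapshot so far

    def read(self, index: int) -> bytes:
        self._check(index)
        if index not in self.blocks and index < self.snapshot.size_blocks:
            self.blocks[index] = self.snapshot.read(index)   # restore on first request
            self.fetched += 1
        return super().read(index)

    def initialize(self) -> int:
        """Touch every block so later reads never pay the first-access cost."""
        for index in range(self.size_blocks):
            self.read(index)
        return self.fetched
```

Usage: write a few blocks to a Volume, call take_snapshot, change one block, take a second snapshot with the first as previous, and compare stored_blocks() on each; then build a LazyVolume from the second snapshot with a larger size_blocks and watch fetched climb only as blocks are first read (or all at once via initialize()).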
Recovering Volumes
Because Amazon EBS volumes persist beyond the lifetime of an instance, it is possible to recover data if an instance fails. If an Amazon EBS-backed instance fails and there is data on the boot drive, it is relatively straightforward to detach the volume from the instance. Unless the DeleteOnTermination flag for the volume has been set to false, the volume should be detached before the instance is terminated. The volume can then be attached as a data volume to another instance and the data read and recovered.
Encryption Options
Many workloads have requirements that data be encrypted at rest, either because of compliance regulations or internal corporate standards. Amazon EBS offers native encryption on all volume types.
When you launch an encrypted Amazon EBS volume, Amazon uses the AWS Key Management Service (KMS) to handle key management. A new master key will be created unless you select a master key that you created separately in the service. Your data and associated keys are encrypted using the industry-standard AES-256 algorithm. The encryption occurs on the servers that host Amazon EC2 instances, so the data is actually encrypted in transit between the host and the storage media and also on the media. (Consult the AWS documentation for a list of instance types that support Amazon EBS encryption.) Encryption is transparent, so all data access is the same as unencrypted volumes, and you can expect the same IOPS performance on encrypted volumes as you would with unencrypted volumes, with a minimal effect on latency. Snapshots that are taken from encrypted volumes are automatically encrypted, as are volumes that are created from encrypted snapshots.
Summary
Compute is the amount of computational power required to fulfill your workload. Amazon EC2 is the primary service for providing compute to customers.
The instance type defines the virtual hardware supporting the instance. Available instance types vary in vCPUs, memory, storage, and network performance to address nearly any workload.
An AMI defines the initial software state of the instance, both OS and applications. There are four sources of AMIs: AWS published generic OSs, partner-published AMIs in the AWS Marketplace with software packages preinstalled, customer-generated AMIs from existing Amazon EC2 instances, and uploaded AMIs from virtual servers.
Instances can be addressed by public DNS name, public IP address, or elastic IP address. To access a newly launched Linux instance, use the private half of the key pair to connect to the instance via SSH. To access a newly created Windows instance, use the private half of the key pair to decrypt the randomly initialized local administrator password.
Network traffic in and out of an instance can be controlled by a virtual firewall called a security group. A security group allows rules that block traffic based on direction, port, protocol, and source/destination address.
Bootstrapping allows you to run a script to initialize your instance with OS configurations and applications. This feature allows instances to configure themselves upon launch. Once an instance is launched, you can change its instance type or, for Amazon VPC instances, the security groups with which it is associated.
The three pricing options for instances are On-Demand, Reserved Instance, and Spot. On-Demand has the highest per-hour cost, requiring no up-front commitment and giving you complete control over the lifetime of the instance. Reserved Instances require a commitment and provide a reduced overall cost over the lifetime of the reservation. Spot Instances are idle compute capacity that AWS makes available based on bid prices from customers. The savings on the per-hour cost can be significant, but instances can be shut down when the bid price exceeds the customer's current bid.
Instance stores are block storage included with the hourly cost of the instance. The amount and type of storage available varies with the instance type. Instance stores terminate when the associated instance is stopped, so they should only be used for temporary data or in architectures providing redundancy such as Hadoop's HDFS.
Amazon EBS provides durable block storage in several types. Magnetic has the lowest cost per gigabyte and delivers modest performance. General-purpose SSD is cost-effective storage that can provide up to 10,000 IOPS. Provisioned IOPS SSD has the highest cost per gigabyte and is well suited for I/O-intensive workloads sensitive to storage performance. Snapshots are incremental backups of Amazon EBS volumes stored in Amazon S3. Amazon EBS volumes can be encrypted.
Exam Essentials
Know the basics of launching an Amazon EC2 instance. To launch an instance, you must specify an AMI, which defines the software on the instance at launch, and an instance type, which defines the virtual hardware supporting the instance (memory, vCPUs, and so on).
Know what architectures are suited for what Amazon EC2 pricing options. Spot Instances are best suited for workloads that can accommodate interruption. Reserved Instances are best for consistent, long-term compute needs. On-Demand Instances provide flexible compute to respond to scaling needs.
Know how to combine multiple pricing options that result in cost optimization and scalability. On-Demand Instances can be used to scale up a web application running on Reserved Instances in response to a temporary traffic spike. For a workload with several Reserved Instances reading from a queue, it's possible to use Spot Instances to alleviate heavy traffic in a cost-effective way. These are just two of countless examples where a workload may use different pricing options.
Know the benefits of enhanced networking. Enhanced networking enables you to get significantly higher PPS performance, lower network jitter, and lower latencies.
Know the capabilities of VM Import/Export. VM Import/Export allows you to import existing VMs to AWS as Amazon EC2 instances or AMIs. Amazon EC2 instances that were imported through VM Import/Export can also be exported back to a virtual environment.
Know the methods for accessing an instance over the Internet. You can access an Amazon EC2 instance over the web via public IP address, elastic IP address, or public DNS name. There are additional ways to access an instance within an Amazon VPC, including private IP addresses and ENIs.
Know the lifetime of an instance store. Data on an instance store is lost when the instance is stopped or terminated. Instance store data survives an OS reboot.
Know the properties of the Amazon EC2 pricing options. On-Demand Instances require no up-front commitment, can be launched any time, and are billed by the hour. Reserved Instances require an up-front commitment and vary in cost depending on whether they are paid all up front, partially up front, or not up front. Spot Instances are launched when your bid price exceeds the current spot price. Spot Instances will run until the spot price exceeds your bid price, in which case the instance will get a two-minute warning and terminate.
Know what determines network performance. Every instance type is rated for low, moderate, high, or 10 Gbps network performance, with larger instance types generally having higher ratings. Additionally, some instance types offer enhanced networking, which provides additional improvement in network performance.
Know what instance metadata is and how it's obtained. Metadata is information about an Amazon EC2 instance, such as instance ID, instance type, and security groups, that is available from within the instance. It can be obtained through an HTTP call to a specific IP address.
Know how security groups protect instances. Security groups are virtual firewalls controlling traffic in and out of your Amazon EC2 instances. They are deny by default, and you can allow traffic by adding rules specifying traffic direction, port, protocol, and destination address (via Classless Inter-Domain Routing [CIDR] block). They are applied at the instance level, meaning that traffic between instances in the same security group must adhere to the rules of that security group. They are stateful, meaning that an outgoing rule will allow the response without a correlating incoming rule.
Know how to interpret the effect of security groups. When an instance is a member of multiple security groups, the effect is a union of all the rules in all the groups.
Know the different Amazon EBS volume types, their characteristics, and their appropriate workloads. Magnetic volumes provide an average performance of 100 IOPS and can be provisioned up to 1 TB. They are good for cold and infrequently accessed data. General-purpose SSD volumes provide three IOPS/GB up to 10,000 IOPS, with smaller volumes able to burst 3,000 IOPS. They can be provisioned up to 16 TB and are appropriate for dev/test environments, small databases, and so forth. Provisioned IOPS SSD can provide up to 20,000 consistent IOPS for volumes up to 16 TB. They are the best choice for workloads such as large databases executing many transactions.
Know how to encrypt an Amazon EBS volume. Any volume type can be encrypted at launch. Encryption is based on AWS KMS and is transparent to applications on the attached instances.
Understand the concept and process of snapshots. Snapshots provide a point-in-time backup of an Amazon EBS volume and are stored in Amazon S3. Subsequent snapshots are incremental; they only store deltas. When you request a snapshot, the point-in-time snapshot is created immediately and the volume may continue to be used, but the snapshot may remain in pending status until all the modified blocks have been transferred to Amazon S3. Snapshots may be copied between regions.
Know how Amazon EBS-optimized instances affect Amazon EBS performance. In addition to the IOPS that control the performance in and out of the Amazon EBS volume, use Amazon EBS-optimized instances to ensure additional, dedicated capacity for Amazon EBS I/O.
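The four security group properties the two essentials above list (deny by default, allow rules keyed on direction/port/protocol/CIDR, union across every group attached to the instance, and stateful replies) are easy to get wrong when reasoning about an exam scenario, so here they are as an evaluator you can run. This is an added example, not code from the book or from AWS; the rule sets, the workstation address 203.0.113.7 and the other addresses are constructed for the illustration, and the flow table that models statefulness is keyed only on protocol, port and peer, which is a simplification of the real connection tracking.

```python
"""Added example: how security group rules combine, as described in the text.

Deny by default; rules allow traffic by direction, protocol, port range and CIDR;
an instance in several groups gets the union of all their rules; and the group is
stateful, so the reply to an allowed flow is permitted without a matching rule in
the opposite direction. All addresses and rules below are constructed samples.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    direction: str   # "inbound" or "outbound"
    protocol: str    # "tcp" or "udp" in this model
    from_port: int
    to_port: int
    cidr: str        # source CIDR for inbound rules, destination CIDR for outbound

    def matches(self, direction: str, protocol: str, port: int, peer: str) -> bool:
        return (self.direction == direction
                and self.protocol == protocol
                and self.from_port <= port <= self.to_port
                and ipaddress.ip_address(peer) in ipaddress.ip_network(self.cidr))


@dataclass
class SecurityGroupEvaluator:
    groups: list                                 # one list of Rule per attached group
    flows: set = field(default_factory=set)      # (protocol, port, peer) already allowed

    def rule_allows(self, direction, protocol, port, peer) -> bool:
        """Union of every rule in every attached group; no match means deny."""
        return any(rule.matches(direction, protocol, port, peer)
                   for group in self.groups for rule in group)

    def evaluate(self, direction, protocol, port, peer) -> bool:
        key = (protocol, port, peer)
        if key in self.flows:          # stateful: reply to a flow we already allowed
            return True
        if self.rule_allows(direction, protocol, port, peer):
            self.flows.add(key)
            return True
        return False                   # deny by default


# Constructed groups, in the spirit of the CertBook group from Exercise 3.1.
WORKSTATION = "203.0.113.7"   # constructed workstation address (documentation range)
SSH_FROM_WORKSTATION = [Rule("inbound", "tcp", 22, 22, WORKSTATION + "/32")]
WEB_FROM_ANYWHERE = [Rule("inbound", "tcp", 80, 80, "0.0.0.0/0")]


def demo() -> dict:
    """Evaluate a few packets against an instance in both constructed groups."""
    fw = SecurityGroupEvaluator([SSH_FROM_WORKSTATION, WEB_FROM_ANYWHERE])
    other = "198.51.100.9"    # constructed address outside the workstation /32
    return {
        "ssh_from_workstation": fw.evaluate("inbound", "tcp", 22, WORKSTATION),
        "ssh_from_elsewhere": fw.evaluate("inbound", "tcp", 22, other),
        "http_from_elsewhere": fw.evaluate("inbound", "tcp", 80, other),   # union
        "rdp_from_workstation": fw.evaluate("inbound", "tcp", 3389, WORKSTATION),
        # No outbound rule exists, yet the SSH reply is allowed: stateful behaviour.
        "ssh_reply_to_workstation": fw.evaluate("outbound", "tcp", 22, WORKSTATION),
        "unsolicited_outbound": fw.evaluate("outbound", "tcp", 443, other),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:28s} {'ALLOW' if allowed else 'DENY'}")
```

Run it and note that the RDP attempt from the workstation is denied even though the workstation is trusted for SSH, which is exactly the failure Exercise 3.2 step 11 has you observe before adding an RDP rule.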
Exercises
For assistance in completing these exercises, refer to these user guides:
Amazon EC2 (Linux): http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/concepts.html
Amazon EC2 (Windows): http://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/concepts.html
Amazon EBS: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AmazonEBS.html
EXERCISE 3.1
Launch and Connect to a Linux Instance
In this exercise, you will launch a new Linux instance, log in with SSH, and install any security updates.
1. Launch an instance in the Amazon EC2 console.
2. Choose the Amazon Linux AMI.
3. Choose the t2.medium instance type.
4. Launch the instance in either the default VPC or EC2-Classic.
5. Assign the instance a public IP address.
6. Add a tag to the instance of Key: Name, Value: Exercise 3.1.
7. Create a new security group called CertBook.
8. Add a rule to CertBook allowing SSH access from the IP address of your workstation (www.WhatsMyIP.org is a good way to determine your IP address).
9. Launch the instance.
10. When prompted for a key pair, choose a key pair you already have or create a new one and download the private portion.
Amazon generates a keyname.pem file, and you will need a keyname.ppk file to connect to the instance via SSH. Puttygen.exe is one utility that will create a .ppk file from a .pem file.
11. SSH into the instance using the public IP address, the username ec2-user, and the keyname.ppk file.
12. From the command-line prompt, run sudo yum update --security -y.
13. Close the SSH window and terminate the instance.
EXERCISE 3.2
Launch a Windows Instance with Bootstrapping
In this exercise, you will launch a Windows instance and specify a very simple bootstrap script. You will then confirm that the bootstrap script was executed on the instance.
1. Launch an instance in the Amazon EC2 console.
2. Choose the Microsoft Windows Server 2012 Base AMI.
3. Choose the t2.medium instance type.
4. Launch the instance in either the default VPC or EC2-Classic.
5. Assign the instance a public IP address.
6. In the Advanced Details section, enter the following text as User Data:
<script>
md c:\temp
</script>
7. Add a tag to the instance of Key: Name, Value: Exercise 3.2.
8. Use the CertBook security group from Exercise 3.1.
9. Launch the instance.
10. Use the key pair from Exercise 3.1.
11. On the Connect Instance UI, decrypt the administrator password and then download the RDP file to attempt to connect to the instance. Your attempt should fail because the CertBook security group does not allow RDP access.
12. Open the CertBook security group and add a rule that allows RDP access from your IP address.
13. Attempt to access the instance via RDP again.
14. Once the RDP session is connected, open Windows Explorer and confirm that the c:\temp folder has been created.
15. End the RDP session and terminate the instance.
EXERCISE 3.3
Confirm That Instance Stores Are Lost When an Instance Is Stopped
In this exercise, you will observe that the data on an Amazon EC2 instance store is lost when the instance is stopped.
1. Launch an instance in the Amazon Management Console.
2. Choose the Microsoft Windows Server 2012 Base AMI.
3. Choose the m3.medium instance type.
4. Launch the instance in either the default VPC or EC2-Classic.
5. Assign the instance a public IP address.
6. Add a tag to the instance of Key: Name, Value: Exercise 3.3.
7. Use the CertBook security group as updated in Exercise 3.2.
8. Launch the instance.
9. Use the key pair from Exercise 3.1.
10. Decrypt the administrator password and log in to the instance via RDP.
11. Once the RDP session is connected, open Windows Explorer.
12. Create a new folder named z:\temp.
13. Log out of the RDP session.
14. In the console, set the state of the instance to Stopped.
15. Once the instance is stopped, start it again.
16. Log back into the instance using RDP.
17. Open Windows Explorer and confirm that the z:\temp folder is gone.
18. End the RDP session and terminate the instance.
EXERCISE 3.4
Launch a Spot Instance
In this exercise, you will create a Spot Instance.
1. In the Amazon EC2 console, go to the Spot Request page.
2. Look at the pricing history for m3.medium, especially the recent price.
3. Make a note of the most recent price and Availability Zone.
4. Launch an instance in the Amazon EC2 console.
5. Choose the Amazon Linux AMI.
6. Choose the t2.medium instance type.
7. On the Configure Instance page, request a Spot Instance.
8. Launch the instance in either the Default VPC or EC2-Classic. (Note the Default VPC will define the Availability Zone for the instance.)
9. Assign the instance a public IP address.
10. Request a Spot Instance and enter a bid a few cents above the recorded Spot price.
11. Finish launching the instance.
12. Go back to the Spot Request page.
Watch your request. If your bid was high enough, you should see it change to Active and an instance ID appear.
13. Find the instance on the instances page of the Amazon EC2 console.
Note the Lifecycle field in the Description that says Spot.
14. Once the instance is running, terminate it.
EXERCISE 3.5
Access Metadata
In this exercise, you will access the instance metadata from the OS.
1. Launch an instance in the Amazon EC2 console.
2. Choose the Amazon Linux AMI.
3. Choose the t2.medium instance type.
4. Launch the instance in either the default VPC or EC2-Classic.
5. Assign the instance a public IP address.
6. Add a tag to the instance of Key: Name, Value: Exercise 3.5.
7. Use the CertBook security group.
8. Launch the instance.
9. Use the key pair from Exercise 3.1.
10. Connect to the instance via SSH using the public IP address, the username ec2-user, and the keyname.ppk file.
11. At the Linux command prompt, retrieve a list of the available metadata by typing:
curl http://169.254.169.254/latest/meta-data/
12. To see a value, add the name to the end of the URL. For example, to see the security groups, type:
curl http://169.254.169.254/latest/meta-data/security-groups
13. Try other values as well. Names that end with a / indicate a longer list of sub-values.
14. Close the SSH window and terminate the instance.
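Steps 11 to 13 walk the metadata tree by hand; the following does the same walk programmatically, treating every listing line that ends in / as a directory to descend into and every other line as a leaf to fetch. This is an added example, not from the book: the fetch function is injectable so the walk can be run offline against the constructed tree shown (the instance ID and other values in it are placeholders, not real instance data), and http_fetch only works when run on an instance, where the 169.254.169.254 address from the exercise is reachable.

```python
"""Added example: walk the instance metadata tree from Exercise 3.5.

Listing lines that end with "/" name sub-directories and are recursed into;
all other lines are leaves whose value is fetched. `fetch` is injectable so the
walk can be exercised offline with the constructed tree at the bottom.
"""
from urllib.request import urlopen

METADATA_ROOT = "http://169.254.169.254/latest/meta-data/"


def http_fetch(url: str, timeout: float = 2.0) -> str:
    """Plain HTTP GET as in the exercise's curl; only reachable from the instance."""
    with urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def walk_metadata(fetch=http_fetch, path: str = "", root: str = METADATA_ROOT) -> dict:
    """Return {relative_path: value} for every leaf below `path`."""
    leaves = {}
    for name in fetch(root + path).splitlines():
        name = name.strip()
        if not name:
            continue
        if name.endswith("/"):                       # directory: list it recursively
            leaves.update(walk_metadata(fetch, path + name, root))
        else:                                        # leaf: fetch its value
            leaves[path + name] = fetch(root + path + name)
    return leaves


# Constructed tree with placeholder values, standing in for the real endpoint.
CONSTRUCTED_TREE = {
    "": "instance-id\ninstance-type\nsecurity-groups\nplacement/",
    "instance-id": "i-0123456789abcdef0",           # placeholder, not a real ID
    "instance-type": "t2.medium",
    "security-groups": "CertBook",
    "placement/": "availability-zone",
    "placement/availability-zone": "us-east-1a",
}


def fake_fetch(url: str) -> str:
    """Offline stand-in for http_fetch that serves CONSTRUCTED_TREE."""
    if not url.startswith(METADATA_ROOT):
        raise ValueError("unexpected URL: " + url)
    return CONSTRUCTED_TREE[url[len(METADATA_ROOT):]]


def demo() -> dict:
    """Walk the constructed tree; swap in http_fetch to walk a real instance."""
    return walk_metadata(fetch=fake_fetch)


if __name__ == "__main__":
    for key, value in sorted(demo().items()):
        print(f"{key}: {value}")
```

Directories in the real listing (for example placement/) show up as a single line with a trailing slash, which is why step 13 tells you to append the name and request again; the recursion above does exactly that for every such entry.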
EXERCISE 3.6
Create an Amazon EBS Volume and Show That It Remains After the Instance Is Terminated
In this exercise, you will see how an Amazon EBS volume persists beyond the life of an instance.
1. Launch an instance in the Amazon EC2 console.
2. Choose the Amazon Linux AMI.
3. Choose the t2.medium instance type.
4. Launch the instance in either the default VPC or EC2-Classic.
5. Assign the instance a public IP address.
6. Add a second Amazon EBS volume of size 50 GB. Note that the Root Volume is set to Delete on Termination.
7. Add a tag to the instance of Key: Name, Value: Exercise 3.6.
8. Use the CertBook security group from earlier exercises.
9. Launch the instance.
10. Find the two Amazon EBS volumes on the Amazon EBS console. Name them both Exercise 3.6.
11. Terminate the instance.
Notice that the boot drive is destroyed, but the additional Amazon EBS volume remains and now says Available. Do not delete the Available volume.
EXERCISE 3.7
Take a Snapshot and Restore
This exercise guides you through taking a snapshot and restoring it in three different ways.
1. Find the volume you created in Exercise 3.6 in the Amazon EBS console.
2. Take a snapshot of that volume. Name the snapshot Exercise 3.7.
3. On the snapshot console, wait for the snapshot to be completed. (As the volume was empty, this should be very quick.)
4. On the snapshot page in the AWS Management Console, choose the new snapshot and select Create Volume.
5. Create the volume with all the defaults.
6. Locate the snapshot again and again choose Create Volume, setting the size of the new volume to 100 GB (taking a snapshot and restoring the snapshot to a new, larger volume is how you address the problem of increasing the size of an existing volume). Locate the snapshot again and choose Copy. Copy the snapshot to another region. Make the description Exercise 3.7.
7. Go to the other region and wait for the snapshot to become available.
8. Create a volume from the snapshot in the new region. This is how you share an Amazon EBS volume between regions; that is, by taking a snapshot and copying the snapshot.
9. Delete all four volumes.
EXERCISE 3.8
Launch an Encrypted Volume
In this exercise, you will launch an Amazon EC2 instance with an encrypted Amazon EBS volume and store some data on it to confirm that the encryption is transparent to the instance itself.
1. Launch an instance in the Amazon EC2 console.
2. Choose the Microsoft Windows Server 2012 Base AMI.
3. Choose the m3.medium instance type.
4. Launch the instance in either the default VPC or EC2-Classic.
5. Assign the instance a public IP address.
6. On the storage page, add a 50 GB encrypted Amazon EBS volume.
7. Add a tag to the instance of Key: Name, Value: Exercise 3.8.
8. Use the CertBook security group as updated in Exercise 3.2.
9. Launch the instance.
10. Choose the key pair from Exercise 3.1.
11. Decrypt the administrator password and log in to the instance using RDP.
12. Once the RDP session is connected, open Notepad.
13. Type some random information into Notepad, save it at d:\testfile.txt, and then close Notepad.
14. Find d:\testfile.txt in Windows Explorer and open it with Notepad. Confirm that the data is not encrypted in Notepad.
15. Log out.
16. Terminate the instance.
EXERCISE 3.9
Detach a Boot Drive and Reattach to Another Instance
In this exercise, you will practice removing an Amazon EBS volume from a stopped instance and attaching it to another instance to recover the data.
1. Launch an instance in the Amazon EC2 console.
2. Choose the Microsoft Windows Server 2012 Base AMI.
3. Choose the t2.medium instance type.
4. Launch the instance in either the default VPC or EC2-Classic.
5. Assign the instance a public IP address.
6. Add a tag to the instance of Key: Name, Value: Exercise 3.9 Source.
7. Use the CertBook security group from earlier exercises.
8. Launch the instance with the key pair from Exercise 3.1.
9. Launch a second instance in the Amazon EC2 Console.
10. Choose the Microsoft Windows Server 2012 Base AMI.
11. Choose the t2.medium instance type.
12. Launch the instance in either the default VPC or EC2-Classic.
13. Assign the instance a public IP address.
14. Add a tag to the instance of Key: Name, Value: Exercise 3.9 Destination.
15. Use the CertBook security group from earlier exercises.
16. Launch the instance with the key pair you used in Exercise 3.1.
17. Once both instances are running, stop the first instance (Source). Make a note of the instance ID.
18. Go to the Amazon EBS page in the Amazon EC2 console and find the volume attached to the Source instance via the instance ID. Detach the volume.
19. When the volume becomes Available, attach it to the second instance (Destination).
20. Log in to the Destination instance via RDP using the administrator account.
21. Open a command window (cmd.exe).
22. At the command prompt, type the following commands:
C:\Users\Administrator>diskpart
DISKPART> select disk 1
DISKPART> online disk
DISKPART> exit
C:\Users\Administrator>dir e:
The volume removed from the stopped Source instance can now be read as the E: drive on the Destination instance, so its data can be retrieved.
23. Terminate all the instances and ensure the volumes are deleted in the process.
Review Questions
1. Your web application needs four instances to support steady traffic nearly all of the time. On the last day of each month, the traffic triples. What is a cost-effective way to handle this traffic pattern?
A. Run 12 Reserved Instances all of the time.
B. Run four On-Demand Instances constantly, then add eight more On-Demand Instances on the last day of each month.
C. Run four Reserved Instances constantly, then add eight On-Demand Instances on the last day of each month.
D. Run four On-Demand Instances constantly, then add eight Reserved Instances on the last day of each month.
2. Your order-processing application processes orders extracted from a queue with two Reserved Instances processing 10 orders/minute. If an order fails during processing, then it is returned to the queue without penalty. Due to a weekend sale, the queues have several hundred orders backed up. While the backup is not catastrophic, you would like to drain it so that customers get their confirmation emails faster. What is a cost-effective way to drain the queue for orders?
A. Create more queues.
B. Deploy additional Spot Instances to assist in processing the orders.
C. Deploy additional Reserved Instances to assist in processing the orders.
D. Deploy additional On-Demand Instances to assist in processing the orders.
3. Which of the following must be specified when launching a new Amazon Elastic Compute Cloud (Amazon EC2) Windows instance? (Choose 2 answers)
A. The Amazon EC2 instance ID
B. Password for the administrator account
C. Amazon EC2 instance type
D. Amazon Machine Image (AMI)
4. You have purchased an m3.xlarge Linux Reserved instance in us-east-1a. In which ways can you modify this reservation? (Choose 2 answers)
A. Change it into two m3.large instances.
B. Change it to a Windows instance.
C. Move it to us-east-1b.
D. Change it to an m4.xlarge.
5. Your instance is associated with two security groups. The first allows Remote Desktop Protocol (RDP) access over port 3389 from Classless Inter-Domain Routing (CIDR) block 72.14.0.0/16. The second allows HTTP access over port 80 from CIDR block 0.0.0.0/0. What traffic can reach your instance?
A. RDP and HTTP access from CIDR block 0.0.0.0/0
B. No traffic is allowed.
C. RDP and HTTP traffic from 72.14.0.0/16
D. RDP traffic over port 3389 from 72.14.0.0/16 and HTTP traffic over port 80 from 0.0.0.0/0
6. Which of the following are features of enhanced networking? (Choose 3 answers)
A. More Packets Per Second (PPS)
B. Lower latency
C. Multiple network interfaces
D. Border Gateway Protocol (BGP) routing
E. Less jitter
7. You are creating a High-Performance Computing (HPC) cluster and need very low latency and high bandwidth between instances. What combination of the following will allow this? (Choose 3 answers)
A. Use an instance type with 10 Gbps network performance.
B. Put the instances in a placement group.
C. Use Dedicated Instances.
D. Enable enhanced networking on the instances.
E. Use Reserved Instances.
8. Which Amazon Elastic Compute Cloud (Amazon EC2) feature ensures that your instances will not share a physical host with instances from any other AWS customer?
A. Amazon Virtual Private Cloud (VPC)
B. Placement groups
C. Dedicated Instances
D. Reserved Instances
9. Which of the following are true of instance stores? (Choose 2 answers)
A. Automatic backups
B. Data is lost when the instance stops.
C. Very high IOPS
D. Charge is based on the total amount of storage provisioned.
10. Which of the following are features of Amazon Elastic Block Store (Amazon EBS)? (Choose 2 answers)
A. Data stored on Amazon EBS is automatically replicated within an Availability Zone.
B. Amazon EBS data is automatically backed up to tape.
C. Amazon EBS volumes can be encrypted transparently to workloads on the attached instance.
D. Data on an Amazon EBS volume is lost when the attached instance is stopped.
11. You need to take a snapshot of an Amazon Elastic Block Store (Amazon EBS) volume. How long will the volume be unavailable?
A. It depends on the provisioned size of the volume.
B. The volume will be available immediately.
C. It depends on the amount of data stored on the volume.
D. It depends on whether the attached instance is an Amazon EBS-optimized instance.
12. You are restoring an Amazon Elastic Block Store (Amazon EBS) volume from a snapshot. How long will it be before the data is available?
A. It depends on the provisioned size of the volume.
B. The data will be available immediately.
C. It depends on the amount of data stored on the volume.
D. It depends on whether the attached instance is an Amazon EBS-optimized instance.
13. You have a workload that requires 15,000 consistent IOPS for data that must be durable. What combination of the following steps do you need? (Choose 2 answers)
A. Use an Amazon Elastic Block Store (Amazon EBS)-optimized instance.
B. Use an instance store.
C. Use a Provisioned IOPS SSD volume.
D. Use a magnetic volume.
14. Which of the following can be accomplished through bootstrapping?
A. Install the most current security updates.
B. Install the current version of the application.
C. Configure Operating System (OS) services.
D. All of the above.
15. How can you connect to a new Linux instance using SSH?
A. Decrypt the root password.
B. Using a certificate
C. Using the private half of the instance's key pair
D. Using Multi-Factor Authentication (MFA)
16. VM Import/Export can import existing virtual machines as: (Choose 2 answers)
A. Amazon Elastic Block Store (Amazon EBS) volumes
B. Amazon Elastic Compute Cloud (Amazon EC2) instances
C. Amazon Machine Images (AMIs)
D. Security groups
17. Which of the following can be used to address an Amazon Elastic Compute Cloud (Amazon EC2) instance over the web? (Choose 2 answers)
A. Windows machine name
B. Public DNS name
C. Amazon EC2 instance ID
D. Elastic IP address
18. Using the correctly decrypted Administrator password and RDP, you cannot log in to a Windows instance you just launched. Which of the following is a possible reason?
A. There is no security group rule that allows RDP access over port 3389 from your IP address.
B. The instance is a Reserved Instance.
C. The instance is not using enhanced networking.
D. The instance is not an Amazon EBS-optimized instance.
19. You have a workload that requires 1 TB of durable block storage at 1,500 IOPS during normal use. Every night there is an Extract, Transform, Load (ETL) task that requires 3,000 IOPS for 15 minutes. What is the most appropriate volume type for this workload?
A. Use a Provisioned IOPS SSD volume at 3,000 IOPS.
B. Use an instance store.
C. Use a general-purpose SSD volume.
D. Use a magnetic volume.
20. How are you billed for elastic IP addresses?
A. Hourly when they are associated with an instance
B. Hourly when they are not associated with an instance
C. Based on the data that flows through them
D. Based on the instance type to which they are attached
Chapter 4 Amazon Virtual Private Cloud (Amazon VPC)
THE AWS CERTIFIED SOLUTIONS ARCHITECT ASSOCIATE EXAM OBJECTIVES COVERED IN THIS CHAPTER MAY INCLUDE, BUT ARE NOT LIMITED TO, THE FOLLOWING:
Domain 1.0: Designing highly available, cost-efficient, fault-tolerant, scalable systems
1.1 Identify and recognize cloud architecture considerations, such as fundamental components and effective designs.
Content may include the following:
How to design cloud services
Planning and design
Familiarity with:
Best practices for AWS architecture
Architectural trade-off decisions (for example, high availability vs. cost, Amazon Relational Database Service [RDS] vs. installing your own database on Amazon Elastic Compute Cloud—EC2)
Hybrid IT architectures (for example, Direct Connect, Storage Gateway, VPC, Directory Services)
Domain 2.0: Implementation/Deployment
2.1 Identify the appropriate techniques and methods using Amazon EC2, Amazon S3, AWS Elastic Beanstalk, AWS CloudFormation, AWS OpsWorks, Amazon Virtual Private Cloud (VPC), and AWS Identity and Access Management (IAM) to code and implement a cloud solution.
Content may include the following:
Operate and extend service management in a hybrid IT architecture
Configure services to support compliance requirements in the cloud
Domain 3.0: Data Security
3.1 Recognize and implement secure practices for optimum cloud deployment and maintenance.
Content may include the following:
AWS security attributes (customer workloads down to the physical layer)
Amazon Virtual Private Cloud (VPC)
Ingress vs. egress filtering, and which AWS services and features fit
"Core" Amazon EC2 and S3 security feature sets
Incorporating common conventional security products (Firewall and VPNs)
Complex access controls (building sophisticated security groups, ACLs, and so on)
Introduction
The Amazon Virtual Private Cloud (Amazon VPC) is a custom-defined virtual network within the AWS Cloud. You can provision your own logically isolated section of AWS, similar to designing and implementing a separate independent network that would operate in an on-premises data center. This chapter explores the core components of Amazon VPC and, in the exercises, you learn how to build your own Amazon VPC in the cloud. A strong understanding of Amazon VPC topology and troubleshooting is required to pass the exam, and we highly recommend that you complete the exercises in this chapter.
Amazon Virtual Private Cloud (Amazon VPC)
Amazon VPC is the networking layer for Amazon Elastic Compute Cloud (Amazon EC2), and it allows you to build your own virtual network within AWS. You control various aspects of your Amazon VPC, including selecting your own IP address range; creating your own subnets; and configuring your own route tables, network gateways, and security settings. Within a region, you can create multiple Amazon VPCs, and each Amazon VPC is logically isolated even if it shares its IP address space.
When you create an Amazon VPC, you must specify the IPv4 address range by choosing a Classless Inter-Domain Routing (CIDR) block, such as 10.0.0.0/16. The address range of the Amazon VPC cannot be changed after the Amazon VPC is created. An Amazon VPC address range may be as large as /16 (65,536 available addresses) or as small as /28 (16 available addresses) and should not overlap any other network with which it is to be connected.
The Amazon VPC service was released after the Amazon EC2 service; because of this, there are two different networking platforms available within AWS: EC2-Classic and EC2-VPC. Amazon EC2 originally launched with a single, flat network shared with other AWS customers called EC2-Classic. As such, AWS accounts created prior to the arrival of the Amazon VPC service can launch instances into the EC2-Classic network and EC2-VPC. AWS accounts created after December 2013 only support launching instances using EC2-VPC. AWS accounts that support EC2-VPC will have a default VPC created in each region with a default subnet created in each Availability Zone. The assigned CIDR block of the VPC will be 172.31.0.0/16.
Figure 4.1 illustrates an Amazon VPC with an address space of 10.0.0.0/16, two subnets with different address ranges (10.0.0.0/24 and 10.0.1.0/24) placed in different Availability Zones, and a route table with the local route specified.
FIGURE 4.1 VPC, subnets, and a route table
An Amazon VPC consists of the following components:
Subnets
Route tables
Dynamic Host Configuration Protocol (DHCP) option sets
Security groups
Network Access Control Lists (ACLs)
An Amazon VPC has the following optional components:
Internet Gateways (IGWs)
Elastic IP (EIP) addresses
Elastic Network Interfaces (ENIs)
Endpoints
Peering
Network Address Translation (NAT) instances and NAT gateways
Virtual Private Gateway (VPG), Customer Gateways (CGWs), and Virtual Private Networks (VPNs)
Subnets
A subnet is a segment of an Amazon VPC's IP address range where you can launch Amazon EC2 instances, Amazon Relational Database Service (Amazon RDS) databases, and other AWS resources. CIDR blocks define subnets (for example, 10.0.1.0/24 and 192.168.0.0/24). The smallest subnet that you can create is a /28 (16 IP addresses). AWS reserves the first four IP addresses and the last IP address of every subnet for internal networking purposes. For example, a subnet defined as a /28 has 16 available IP addresses; subtract the 5 IPs needed by AWS to yield 11 IP addresses for your use within the subnet.
After creating an Amazon VPC, you can add one or more subnets in each Availability Zone. Subnets reside within one Availability Zone and cannot span zones. This is an important point that can come up in the exam, so remember that one subnet equals one Availability Zone. You can, however, have multiple subnets in one Availability Zone.
Subnets can be classified as public, private, or VPN-only. A public subnet is one in which the associated route table (discussed later) directs the subnet's traffic to the Amazon VPC's IGW (also discussed later). A private subnet is one in which the associated route table does not direct the subnet's traffic to the Amazon VPC's IGW. A VPN-only subnet is one in which the associated route table directs the subnet's traffic to the Amazon VPC's VPG (discussed later) and does not have a route to the IGW. Regardless of the type of subnet, the internal IP address range of the subnet is always private (that is, non-routable on the Internet).
Default Amazon VPCs contain one public subnet in every Availability Zone within the region, with a netmask of /20.
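The address-plan rules stated above (VPC CIDR between /16 and /28, subnets no smaller than /28 and inside the VPC, no overlap between subnets or with any network the VPC will be connected to, and five addresses per subnet reserved by AWS) can be checked mechanically. The following Python is an added example, not the book's or AWS's code; every CIDR in the sample plan is constructed.

```python
"""Validate a VPC/subnet address plan against the rules in this section.

Added example, not the book's or AWS's code. All CIDRs used as input are
constructed samples.
"""
import ipaddress
from typing import List, Optional, Sequence

AWS_RESERVED_PER_SUBNET = 5  # the first four addresses and the last one of every subnet


def usable_addresses(subnet_cidr: str) -> int:
    """Addresses left for your own use after AWS's five reserved ones (a /28 yields 11)."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    return net.num_addresses - AWS_RESERVED_PER_SUBNET


def _parse(cidr: str, problems: List[str]) -> Optional[ipaddress.IPv4Network]:
    """Parse a CIDR, recording a problem if host bits are set (for example 10.0.1.5/24)."""
    try:
        return ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        problems.append(f"{cidr}: {exc}")
        return None


def validate_plan(vpc_cidr: str, subnets: Sequence[str],
                  connected: Sequence[str] = ()) -> List[str]:
    """Return the list of rule violations; an empty list means the plan is sound.

    `connected` holds the CIDRs of networks the VPC will be peered or VPN-linked
    with; the chapter says the VPC range must not overlap any of them.
    """
    problems: List[str] = []
    vpc = _parse(vpc_cidr, problems)
    if vpc is None:
        return problems
    if not 16 <= vpc.prefixlen <= 28:
        problems.append(f"VPC {vpc} must be between /16 and /28")
    for other in connected:
        net = _parse(other, problems)
        if net is not None and vpc.overlaps(net):
            problems.append(f"VPC {vpc} overlaps connected network {net}")
    nets = [n for n in (_parse(s, problems) for s in subnets) if n is not None]
    for net in nets:
        if net.prefixlen > 28:
            problems.append(f"subnet {net} is smaller than the /28 minimum")
        if not net.subnet_of(vpc):
            problems.append(f"subnet {net} is not inside VPC {vpc}")
    # Subnets carve up the VPC range, so no two of them may overlap.
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"subnets {a} and {b} overlap")
    return problems
```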
Route Tables
A route table is a logical construct within an Amazon VPC that contains a set of rules (called routes) that are applied to the subnet and used to determine where network traffic is directed. A route table's routes are what permit Amazon EC2 instances within different subnets within an Amazon VPC to communicate with each other. You can modify route tables and add your own custom routes. You can also use route tables to specify which subnets are public (by directing Internet traffic to the IGW) and which subnets are private (by not having a route that directs traffic to the IGW).
Each route table contains a default route called the local route, which enables communication within the Amazon VPC, and this route cannot be modified or removed. Additional routes can be added to direct traffic to exit the Amazon VPC via the IGW (discussed later), the VPG (discussed later), or the NAT instance (discussed later). In the exercises at the end of this chapter, you can practice how this is accomplished.
You should remember the following points about route tables:
Your VPC has an implicit router.
Your VPC automatically comes with a main route table that you can modify.
You can create additional custom route tables for your VPC.
Each subnet must be associated with a route table, which controls the routing for the subnet. If you don't explicitly associate a subnet with a particular route table, the subnet uses the main route table.
You can replace the main route table with a custom table that you've created so that each new subnet is automatically associated with it.
Each route in a table specifies a destination CIDR and a target; for example, traffic destined for 172.16.0.0/12 is targeted for the VPG. AWS uses the most specific route that matches the traffic to determine how to route the traffic.
Internet Gateways
An Internet Gateway (IGW) is a horizontally scaled, redundant, and highly available Amazon VPC component that allows communication between instances in your Amazon VPC and the Internet. An IGW provides a target in your Amazon VPC route tables for Internet-routable traffic, and it performs network address translation for instances that have been assigned public IP addresses.
Amazon EC2 instances within an Amazon VPC are only aware of their private IP addresses. When traffic is sent from the instance to the Internet, the IGW translates the reply address to the instance's public IP address (or EIP address, covered later) and maintains the one-to-one map of the instance private IP address and public IP address. When an instance receives traffic from the Internet, the IGW translates the destination address (public IP address) to the instance's private IP address and forwards the traffic to the Amazon VPC.
You must do the following to create a public subnet with Internet access:
Attach an IGW to your Amazon VPC.
Create a subnet route table rule to send all non-local traffic (0.0.0.0/0) to the IGW.
Configure your network ACLs and security group rules to allow relevant traffic to flow to and from your instance.
You must do the following to enable an Amazon EC2 instance to send and receive traffic from the Internet:
Assign a public IP address or EIP address.
You can scope the route to all destinations not explicitly known to the route table (0.0.0.0/0), or you can scope the route to a narrower range of IP addresses, such as the public IP addresses of your company's public endpoints outside of AWS or the EIP addresses of other Amazon EC2 instances outside your Amazon VPC.
Figure 4.2 illustrates an Amazon VPC with an address space of 10.0.0.0/16, one subnet with an address range of 10.0.0.0/24, a route table, an attached IGW, and a single Amazon EC2 instance with a private IP address and an EIP address. The route table contains two routes: the local route that permits inter-VPC communication and a route that sends all non-local traffic to the IGW (igw-id). Note that the Amazon EC2 instance has a public IP address (EIP = 198.51.100.2); this instance can be accessed from the Internet, and traffic may originate and return to this instance.
FIGURE 4.2 VPC, subnet, route table, and an Internet gateway
Dynamic Host Configuration Protocol (DHCP) Option Sets
Dynamic Host Configuration Protocol (DHCP) provides a standard for passing configuration information to hosts on a TCP/IP network. The options field of a DHCP message contains the configuration parameters. Some of those parameters are the domain name, domain name server, and the netbios-node-type.
AWS automatically creates and associates a DHCP option set for your Amazon VPC upon creation and sets two options: domain-name-servers (defaulted to AmazonProvidedDNS) and domain-name (defaulted to the domain name for your region). AmazonProvidedDNS is an Amazon Domain Name System (DNS) server, and this option enables DNS for instances that need to communicate over the Amazon VPC's IGW.
The DHCP option sets element of an Amazon VPC allows you to direct Amazon EC2 host name assignments to your own resources. To assign your own domain name to your instances, create a custom DHCP option set and assign it to your Amazon VPC. You can configure the following values within a DHCP option set:
domain-name-servers—The IP addresses of up to four domain name servers, separated by commas. The default is AmazonProvidedDNS.
domain-name—Specify the desired domain name here (for example, mycompany.com).
ntp-servers—The IP addresses of up to four Network Time Protocol (NTP) servers, separated by commas.
netbios-name-servers—The IP addresses of up to four NetBIOS name servers, separated by commas.
netbios-node-type—Set this value to 2.
Every Amazon VPC must have only one DHCP option set assigned to it.
Elastic IP Addresses (EIPs)
AWS maintains a pool of public IP addresses in each region and makes them available for you to associate to resources within your Amazon VPCs. An Elastic IP Address (EIP) is a static, public IP address in the pool for the region that you can allocate to your account (pull from the pool) and release (return to the pool). EIPs allow you to maintain a set of IP addresses that remain fixed while the underlying infrastructure may change over time. Here are the important points to understand about EIPs for the exam:
You must first allocate an EIP for use within a VPC and then assign it to an instance.
EIPs are specific to a region (that is, an EIP in one region cannot be assigned to an instance within an Amazon VPC in a different region).
There is a one-to-one relationship between network interfaces and EIPs.
You can move EIPs from one instance to another, either in the same Amazon VPC or a different Amazon VPC within the same region.
EIPs remain associated with your AWS account until you explicitly release them.
There are charges for EIPs allocated to your account, even when they are not associated with a resource.
Elastic Network Interfaces (ENIs)
An Elastic Network Interface (ENI) is a virtual network interface that you can attach to an instance in an Amazon VPC. ENIs are only available within an Amazon VPC, and they are associated with a subnet upon creation. They can have one public IP address and multiple private IP addresses. If there are multiple private IP addresses, one of them is primary. Assigning a second network interface to an instance via an ENI allows it to be dual-homed (have network presence in different subnets). An ENI created independently of a particular instance persists regardless of the lifetime of any instance to which it is attached; if an underlying instance fails, the IP address may be preserved by attaching the ENI to a replacement instance.
ENIs allow you to create a management network, use network and security appliances in your Amazon VPC, create dual-homed instances with workloads/roles on distinct subnets, or create a low-budget, high-availability solution.
Endpoints
An Amazon VPC endpoint enables you to create a private connection between your Amazon VPC and another AWS service without requiring access over the Internet or through a NAT instance, VPN connection, or AWS Direct Connect. You can create multiple endpoints for a single service, and you can use different route tables to enforce different access policies from different subnets to the same service.
Amazon VPC endpoints currently support communication with Amazon Simple Storage Service (Amazon S3), and other services are expected to be added in the future.
You must do the following to create an Amazon VPC endpoint:
Specify the Amazon VPC.
Specify the service. A service is identified by a prefix list of the form com.amazonaws.<region>.<service>.
Specify the policy. You can allow full access or create a custom policy. This policy can be changed at any time.
Specify the route tables. A route will be added to each specified route table, which will state the service as the destination and the endpoint as the target.
Table 4.1 is an example route table that has an existing route that directs all Internet traffic (0.0.0.0/0) to an IGW. Any traffic from the subnet that is destined for another AWS service (for example, Amazon S3 or Amazon DynamoDB) will be sent to the IGW in order to reach that service.
TABLE 4.1 Route Table with an IGW Routing Rule
Destination | Target
10.0.0.0/16 | Local
0.0.0.0/0 | igw-1a2b3c4d
Table 4.2 is an example route table that has existing routes directing all Internet traffic to an IGW and all Amazon S3 traffic to the Amazon VPC endpoint.
TABLE 4.2 Route Table with an IGW Routing Rule and VPC Endpoint Rule
Destination | Target
10.0.0.0/16 | Local
0.0.0.0/0 | igw-1a2b3c4d
pl-1a2b3c4d | vpce-11bb22cc
The route table depicted in Table 4.2 will direct any traffic from the subnet that's destined for Amazon S3 in the same region to the endpoint. All other Internet traffic goes to your IGW, including traffic that's destined for other services and for Amazon S3 in other regions.
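The "most specific route wins" rule from the Route Tables section is what makes Table 4.2 work: the S3 prefix list expands to CIDRs narrower than 0.0.0.0/0, so S3-bound packets match the endpoint route while everything else falls through to the IGW. The following Python lookup is an added example, not the book's or AWS's code; the CIDRs placed in pl-1a2b3c4d are constructed stand-ins (AWS publishes the real S3 ranges), and the private-subnet table with its vgw-EXAMPLE placeholder is constructed as well.

```python
"""Longest-prefix route lookup over the route tables of Tables 4.1 and 4.2.

Added example, not the book's or AWS's code. Prefix-list contents and the
private-subnet table are constructed samples.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Route = Tuple[str, str]  # (destination CIDR or prefix-list ID, target)

# Constructed sample contents for the S3 service prefix list referenced in Table 4.2.
PREFIX_LISTS: Dict[str, List[str]] = {
    "pl-1a2b3c4d": ["203.0.113.0/24", "198.51.100.128/25"],
}

TABLE_4_1: List[Route] = [("10.0.0.0/16", "local"),
                          ("0.0.0.0/0", "igw-1a2b3c4d")]
TABLE_4_2: List[Route] = TABLE_4_1 + [("pl-1a2b3c4d", "vpce-11bb22cc")]
# A private subnet's table: the corporate range via the VPG (as in the route-table
# bullet list), everything else via a NAT instance. vgw-EXAMPLE is a placeholder ID.
PRIVATE_TABLE: List[Route] = [("10.0.0.0/16", "local"),
                              ("172.16.0.0/12", "vgw-EXAMPLE"),
                              ("0.0.0.0/0", "i-1a2b3c4d")]


def expand(routes: List[Route]) -> List[Tuple[ipaddress.IPv4Network, str]]:
    """Replace each prefix-list destination with one entry per CIDR it contains."""
    expanded = []
    for dest, target in routes:
        cidrs = PREFIX_LISTS[dest] if dest.startswith("pl-") else [dest]
        for cidr in cidrs:
            expanded.append((ipaddress.ip_network(cidr), target))
    return expanded


def lookup(routes: List[Route], dst_ip: str) -> Optional[str]:
    """Target of the most specific matching route; None means no route (traffic is dropped)."""
    ip = ipaddress.ip_address(dst_ip)
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for net, target in expand(routes):
        # Longer prefix length == more specific route; it overrides shorter matches.
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def is_public_subnet(routes: List[Route]) -> bool:
    """The chapter's definition: a subnet is public when its table routes traffic to an IGW."""
    return any(target.startswith("igw-") for _, target in routes)
```

With Table 4.2, the EIP 198.51.100.2 from Figure 4.2 still routes to the IGW because it lies outside the sample prefix-list ranges, while 198.51.100.200 falls inside 198.51.100.128/25 and goes to the endpoint.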
Peering
An Amazon VPC peering connection is a networking connection between two Amazon VPCs that enables instances in either Amazon VPC to communicate with each other as if they are within the same network. You can create an Amazon VPC peering connection between your own Amazon VPCs or with an Amazon VPC in another AWS account within a single region. A peering connection is neither a gateway nor an Amazon VPN connection and does not introduce a single point of failure for communication.
Peering connections are created through a request/accept protocol. The owner of the requesting Amazon VPC sends a request to peer to the owner of the peer Amazon VPC. If the peer Amazon VPC is within the same account, it is identified by its VPC ID. If the peer VPC is within a different account, it is identified by Account ID and VPC ID. The owner of the peer Amazon VPC has one week to accept or reject the request to peer with the requesting Amazon VPC before the peering request expires.
An Amazon VPC may have multiple peering connections, and peering is a one-to-one relationship between Amazon VPCs, meaning two Amazon VPCs cannot have two peering agreements between them. Also, peering connections do not support transitive routing. Figure 4.3 depicts transitive routing.
FIGURE 4.3 VPC peering connections do not support transitive routing
In Figure 4.3, VPC A has two peering connections with two different VPCs: VPC B and VPC C. Therefore, VPC A can communicate directly with VPCs B and C. Because peering connections do not support transitive routing, VPC A cannot be a transit point for traffic between VPCs B and C. In order for VPCs B and C to communicate with each other, a peering connection must be explicitly created between them.
Here are the important points to understand about peering for the exam:
You cannot create a peering connection between Amazon VPCs that have matching or overlapping CIDR blocks.
You cannot create a peering connection between Amazon VPCs in different regions.
Amazon VPC peering connections do not support transitive routing.
You cannot have more than one peering connection between the same two Amazon VPCs at the same time.
Security Groups
A security group is a virtual stateful firewall that controls inbound and outbound network traffic to AWS resources and Amazon EC2 instances. All Amazon EC2 instances must be launched into a security group. If a security group is not specified at launch, then the instance will be launched into the default security group for the Amazon VPC. The default security group allows communication between all resources within the security group, allows all outbound traffic, and denies all other traffic. You may change the rules for the default security group, but you may not delete the default security group. Table 4.3 describes the settings of the default security group.
TABLE 4.3 Security Group Rules
Inbound
Source | Protocol | Port Range | Comments
sg-xxxxxxxx | All | All | Allow inbound traffic from instances within the same security group.
Outbound
Destination | Protocol | Port Range | Comments
0.0.0.0/0 | All | All | Allow all outbound traffic.
For each security group, you add rules that control the inbound traffic to instances and a separate set of rules that control the outbound traffic. For example, Table 4.4 describes a security group for web servers.
TABLE 4.4 Security Group Rules for a Web Server
Inbound
Source | Protocol | Port Range | Comments
0.0.0.0/0 | TCP | 80 | Allow inbound traffic from the Internet to port 80.
Your network's public IP address range | TCP | 22 | Allow Secure Shell (SSH) traffic from your company network.
Your network's public IP address range | TCP | 3389 | Allow Remote Desktop Protocol (RDP) traffic from your company network.
Outbound
Destination | Protocol | Port Range | Comments
The ID of the security group for your MySQL database servers | TCP | 3306 | Allow outbound MySQL access to instances in the specified security group.
The ID of the security group for your Microsoft SQL Server database servers | TCP | 1433 | Allow outbound Microsoft SQL Server access to instances in the specified security group.
Here are the important points to understand about security groups for the exam:
You can create up to 500 security groups for each Amazon VPC.
You can add up to 50 inbound and 50 outbound rules to each security group. If you need to apply more than 100 rules to an instance, you can associate up to five security groups with each network interface.
You can specify allow rules, but not deny rules. This is an important difference between security groups and ACLs.
You can specify separate rules for inbound and outbound traffic.
By default, no inbound traffic is allowed until you add inbound rules to the security group.
By default, new security groups have an outbound rule that allows all outbound traffic. You can remove the rule and add outbound rules that allow specific outbound traffic only.
Security groups are stateful. This means that responses to allowed inbound traffic are allowed to flow outbound regardless of outbound rules and vice versa. This is an important difference between security groups and network ACLs.
Instances associated with the same security group can't talk to each other unless you add rules allowing it (with the exception being the default security group).
You can change the security groups with which an instance is associated after launch, and the changes will take effect immediately.
Network Access Control Lists (ACLs)
A network access control list (ACL) is another layer of security that acts as a stateless firewall on a subnet level. A network ACL is a numbered list of rules that AWS evaluates in order, starting with the lowest numbered rule, to determine whether traffic is allowed in or out of any subnet associated with the network ACL. Amazon VPCs are created with a modifiable default network ACL associated with every subnet that allows all inbound and outbound traffic. When you create a custom network ACL, its initial configuration will deny all inbound and outbound traffic until you create rules that allow otherwise. You may set up network ACLs with rules similar to your security groups in order to add a layer of security to your Amazon VPC, or you may choose to use the default network ACL that does not filter traffic traversing the subnet boundary. Overall, every subnet must be associated with a network ACL.
Table 4.5 explains the differences between a security group and a network ACL. You should remember the following differences between security groups and network ACLs for the exam.
TABLE 4.5 Comparison of Security Groups and Network ACLs
Security Group | Network ACL
Operates at the instance level (first layer of defense) | Operates at the subnet level (second layer of defense)
Supports allow rules only | Supports allow rules and deny rules
Stateful: Return traffic is automatically allowed, regardless of any rules | Stateless: Return traffic must be explicitly allowed by rules.
AWS evaluates all rules before deciding whether to allow traffic | AWS processes rules in number order when deciding whether to allow traffic.
Applied selectively to individual instances | Automatically applied to all instances in the associated subnets; this is a backup layer of defense, so you don't have to rely on someone specifying the security group.
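The four behavioural differences in Table 4.5 (allow-only versus allow/deny, stateful versus stateless, all rules considered versus lowest number first) decide whether a given packet passes, and they interact: a security group cannot block a source that a network ACL deny rule can, and a reply that a security group passes automatically is dropped by a custom network ACL unless an outbound rule covers the client's ephemeral port. The following Python models one packet crossing both layers and is an added example, not the book's or AWS's code; the web-server rules follow Table 4.4, while the IP ranges, the sg-db group ID and the custom network ACL are constructed samples.

```python
"""Security group (stateful, allow-only, all rules considered) versus network ACL
(stateless, allow and deny, lowest number first), as contrasted in Table 4.5.
Added example, not the book's or AWS's code; rule sets below are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

PortRange = Optional[Tuple[int, int]]  # None means all ports

@dataclass(frozen=True)
class Packet:
    src: str
    src_port: int
    dst: str
    dst_port: int
    proto: str = "tcp"

@dataclass(frozen=True)
class SGRule:
    peer: str        # CIDR, or a security group ID (sg-...) matched by membership
    proto: str       # "all" or a protocol name
    ports: PortRange

@dataclass(frozen=True)
class AclRule:
    number: int      # AWS evaluates the lowest number first
    peer: str        # CIDR only
    proto: str
    ports: PortRange
    action: str      # "allow" or "deny"

def _matches(peer, proto, ports, ip, port, pkt_proto, members: Dict[str, Set[str]]) -> bool:
    """Does a rule's peer/protocol/port triple match the given side of a packet?"""
    if peer.startswith("sg-"):
        peer_ok = ip in members.get(peer, set())
    else:
        peer_ok = ipaddress.ip_address(ip) in ipaddress.ip_network(peer)
    proto_ok = proto == "all" or proto == pkt_proto
    port_ok = ports is None or ports[0] <= port <= ports[1]
    return peer_ok and proto_ok and port_ok

class SecurityGroup:
    """Instance-level firewall: allow rules only, stateful, any matching rule allows."""

    def __init__(self, inbound: List[SGRule], outbound: List[SGRule],
                 members: Optional[Dict[str, Set[str]]] = None):
        self.inbound, self.outbound, self.members = inbound, outbound, members or {}
        self.established: Set[Tuple[str, int, int, str]] = set()  # (remote, rport, lport, proto)

    def inbound_allowed(self, pkt: Packet) -> bool:
        ok = any(_matches(r.peer, r.proto, r.ports, pkt.src, pkt.dst_port, pkt.proto, self.members)
                 for r in self.inbound)
        if ok:  # track the flow so its replies pass outbound without an outbound rule
            self.established.add((pkt.src, pkt.src_port, pkt.dst_port, pkt.proto))
        return ok

    def outbound_allowed(self, pkt: Packet) -> bool:
        if (pkt.dst, pkt.dst_port, pkt.src_port, pkt.proto) in self.established:
            return True  # stateful: a reply to allowed inbound traffic
        return any(_matches(r.peer, r.proto, r.ports, pkt.dst, pkt.dst_port, pkt.proto, self.members)
                   for r in self.outbound)

class NetworkAcl:
    """Subnet-level firewall: allow and deny rules, stateless, first match in number order."""

    def __init__(self, inbound: List[AclRule], outbound: List[AclRule]):
        self.inbound, self.outbound = inbound, outbound

    @staticmethod
    def _decide(rules: List[AclRule], ip: str, port: int, proto: str) -> str:
        for r in sorted(rules, key=lambda r: r.number):
            if _matches(r.peer, r.proto, r.ports, ip, port, proto, {}):
                return r.action
        return "deny"  # the implicit final "*" rule

    def inbound_allowed(self, pkt: Packet) -> bool:
        return self._decide(self.inbound, pkt.src, pkt.dst_port, pkt.proto) == "allow"

    def outbound_allowed(self, pkt: Packet) -> bool:
        # Stateless: a reply to a client's ephemeral port needs its own outbound allow rule.
        return self._decide(self.outbound, pkt.dst, pkt.dst_port, pkt.proto) == "allow"

# Table 4.4 web-server group; 198.18.0.0/16 stands in for "your network's public IP range".
WEB_SG = SecurityGroup(
    inbound=[SGRule("0.0.0.0/0", "tcp", (80, 80)),
             SGRule("198.18.0.0/16", "tcp", (22, 22)),
             SGRule("198.18.0.0/16", "tcp", (3389, 3389))],
    outbound=[SGRule("sg-db", "tcp", (3306, 3306))],  # sg-db: constructed MySQL group ID
    members={"sg-db": {"10.0.2.20"}},
)

# Constructed custom network ACL: deny one range first, allow HTTP, allow replies outbound.
WEB_ACL = NetworkAcl(
    inbound=[AclRule(90, "192.0.2.0/24", "all", None, "deny"),
             AclRule(100, "0.0.0.0/0", "tcp", (80, 80), "allow")],
    outbound=[AclRule(100, "0.0.0.0/0", "tcp", (1024, 65535), "allow")],
)
```

Renumbering the deny rule above the allow rule (for example 110 instead of 90) lets the HTTP allow match first, which is why rule ordering in a network ACL is part of the security review.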
Network Address Translation (NAT) Instances and NAT Gateways
By default, any instance that you launch into a private subnet in an Amazon VPC is not able to communicate with the Internet through the IGW. This is problematic if the instances within private subnets need direct access to the Internet from the Amazon VPC in order to apply security updates, download patches, or update application software. AWS provides NAT instances and NAT gateways to allow instances deployed in private subnets to gain Internet access. For common use cases, we recommend that you use a NAT gateway instead of a NAT instance. The NAT gateway provides better availability and higher bandwidth, and requires less administrative effort than NAT instances.
NAT Instance
A network address translation (NAT) instance is an Amazon Linux Amazon Machine Image (AMI) that is designed to accept traffic from instances within a private subnet, translate the source IP address to the public IP address of the NAT instance, and forward the traffic to the IGW. In addition, the NAT instance maintains the state of the forwarded traffic in order to return response traffic from the Internet to the proper instance in the private subnet. These instances have the string amzn-ami-vpc-nat in their names, which is searchable in the Amazon EC2 console.
To allow instances within a private subnet to access Internet resources through the IGW via a NAT instance, you must do the following:
Create a security group for the NAT with outbound rules that specify the needed Internet resources by port, protocol, and IP address.
Launch an Amazon Linux NAT AMI as an instance in a public subnet and associate it with the NAT security group.
Disable the Source/Destination Check attribute of the NAT.
Configure the route table associated with a private subnet to direct Internet-bound traffic to the NAT instance (for example, i-1a2b3c4d).
Allocate an EIP and associate it with the NAT instance.
This configuration allows instances in private subnets to send outbound Internet communication, but it prevents the instances from receiving inbound traffic initiated by someone on the Internet.
NAT Gateway
A NAT gateway is an Amazon managed resource that is designed to operate just like a NAT instance, but it is simpler to manage and highly available within an Availability Zone.
To allow instances within a private subnet to access Internet resources through the IGW via a NAT gateway, you must do the following:
Configure the route table associated with the private subnet to direct Internet-bound traffic to the NAT gateway (for example, nat-1a2b3c4d).
AllocateanEIPandassociateitwiththeNATgateway.
LikeaNATinstance,thismanagedserviceallowsoutboundInternetcommunicationandpreventstheinstancesfromreceivinginboundtrafficinitiatedbysomeoneontheInternet.
TocreateanAvailabilityZone-independentarchitecture,createaNATgatewayineachAvailabilityZoneandconfigureyourroutingtoensurethatresourcesusetheNATgatewayinthesameAvailabilityZone.
TheexerciseswilldemonstratehowaNATgatewayworks.
![Page 150: Certified Solutions Architect Official Guide/AWS Certified... · Chapter 1: Introduction to AWS Chapter 2: Amazon Simple Storage Service (Amazon S3) and Amazon Glacier Storage Chapter](https://reader034.vdocuments.us/reader034/viewer/2022051812/602c405cb445ae68a568d84c/html5/thumbnails/150.jpg)
Virtual Private Gateways (VPGs), Customer Gateways (CGWs), and Virtual Private Networks (VPNs)
You can connect an existing data center to Amazon VPC using either hardware or software VPN connections, which will make Amazon VPC an extension of the data center. Amazon VPC offers two ways to connect a corporate network to a VPC: VPG and CGW.
A virtual private gateway (VPG) is the virtual private network (VPN) concentrator on the AWS side of the VPN connection between the two networks. A customer gateway (CGW) represents a physical device or a software application on the customer's side of the VPN connection. After these two elements of an Amazon VPC have been created, the last step is to create a VPN tunnel. The VPN tunnel is established after traffic is generated from the customer's side of the VPN connection. Figure 4.4 illustrates a single VPN connection between a corporate network and an Amazon VPC.
FIGURE 4.4 VPC with VPN connection to a customer network
You must specify the type of routing that you plan to use when you create a VPN connection. If the CGW supports Border Gateway Protocol (BGP), then configure the VPN connection for dynamic routing. Otherwise, configure the connections for static routing. If you will be using static routing, you must enter the routes for your network that should be communicated to the VPG. Routes will be propagated to the Amazon VPC to allow your resources to route network traffic back to the corporate network through the VPG and across the VPN tunnel.
Amazon VPC also supports multiple CGWs, each having a VPN connection to a single VPG (many-to-one design). In order to support this topology, the CGW IP addresses must be unique within the region.
Amazon VPC will provide the information needed by the network administrator to configure the CGW and establish the VPN connection with the VPG. The VPN connection consists of two Internet Protocol Security (IPSec) tunnels for higher availability to the Amazon VPC.
Following are the important points to understand about VPGs, CGWs, and VPNs for the exam:
The VPG is the AWS end of the VPN tunnel.
The CGW is a hardware or software application on the customer's side of the VPN tunnel.
You must initiate the VPN tunnel from the CGW to the VPG.
VPGs support both dynamic routing with BGP and static routing.
The VPN connection consists of two tunnels for higher availability to the VPC.
Summary
In this chapter, you learned that Amazon VPC is the networking layer for Amazon EC2, and it allows you to create your own private virtual network within the cloud. You can provision your own logically isolated section of AWS similar to designing and implementing a separate independent network that you'd operate in a physical data center.
A VPC consists of the following components:
Subnets
Route tables
DHCP option sets
Security groups
Network ACLs
A VPC has the following optional components:
IGWs
EIP addresses
Endpoints
Peering
NAT instance and NAT gateway
VPG, CGW, and VPN
Subnets can be public, private, or VPN-only. A public subnet is one in which the associated route table directs the subnet's traffic to the Amazon VPC's IGW. A private subnet is one in which the associated route table does not direct the subnet's traffic to the Amazon VPC's IGW. A VPN-only subnet is one in which the associated route table directs the subnet's traffic to the Amazon VPC's VPG and does not have a route to the IGW. Regardless of the type of subnet, the internal IP address range of the subnet is always private (non-routable on the Internet).
A route table is a logical construct within an Amazon VPC that contains a set of rules (called routes) that are applied to the subnet and used to determine where network traffic is directed. A route table's routes are what permit Amazon EC2 instances within different subnets within an Amazon VPC to communicate with each other. You can modify route tables and add your own custom routes. You can also use route tables to specify which subnets are public (by directing Internet traffic to the IGW) and which subnets are private (by not having a route that directs traffic to the IGW).
An IGW is a horizontally scaled, redundant, and highly available Amazon VPC component that allows communication between instances in your Amazon VPC and the Internet. IGWs are fully redundant and have no bandwidth constraints. An IGW provides a target in your Amazon VPC route tables for Internet-routable traffic, and it performs network address translation for instances that have been assigned public IP addresses.
The DHCP option sets element of an Amazon VPC allows you to direct Amazon EC2 host name assignment to your own resources. In order for you to assign your own domain name to your instances, you create a custom DHCP option set and assign it to your Amazon VPC.
An EIP address is a static, public IP address in the pool for the region that you can allocate to your account (pull from the pool) and release (return to the pool). EIPs allow you to maintain a set of IP addresses that remain fixed while the underlying infrastructure may change over time.
An Amazon VPC endpoint enables you to create a private connection between your Amazon VPC and another AWS service without requiring access over the Internet or through a NAT instance, VPN connection, or AWS Direct Connect. You can create multiple endpoints for a single service, and you can use different route tables to enforce different access policies from different subnets to the same service.
An Amazon VPC peering connection is a networking connection between two Amazon VPCs that enables instances in either Amazon VPC to communicate with each other as if they were within the same network. You can create an Amazon VPC peering connection between your own Amazon VPCs or with an Amazon VPC in another AWS account within a single region. A peering connection is neither a gateway nor a VPN connection and does not introduce a single point of failure for communication.
A security group is a virtual stateful firewall that controls inbound and outbound traffic to Amazon EC2 instances. When you first launch an Amazon EC2 instance into an Amazon VPC, you must specify the security group with which it will be associated. AWS provides a default security group for your use, which has rules that allow all instances associated with the security group to communicate with each other and allow all outbound traffic. You may change the rules for the default security group, but you may not delete the default security group.
A network ACL is another layer of security that acts as a stateless firewall on a subnet level. Amazon VPCs are created with a modifiable default network ACL associated with every subnet that allows all inbound and outbound traffic. If you want to create a custom network ACL, its initial configuration will deny all inbound and outbound traffic until you create a rule that states otherwise.
A NAT instance is a customer-managed instance that is designed to accept traffic from instances within a private subnet, translate the source IP address to the public IP address of the NAT instance, and forward the traffic to the IGW. In addition, the NAT instance maintains the state of the forwarded traffic in order to return response traffic from the Internet to the proper instance in the private subnet.
A NAT gateway is an AWS-managed service that is designed to accept traffic from instances within a private subnet, translate the source IP address to the public IP address of the NAT gateway, and forward the traffic to the IGW. In addition, the NAT gateway maintains the state of the forwarded traffic in order to return response traffic from the Internet to the proper instance in the private subnet.
A VPG is the VPN concentrator on the AWS side of the VPN connection between the two networks. A CGW is a physical device or a software application on the customer's side of the VPN connection. After these two elements of an Amazon VPC have been created, the last step is to create a VPN tunnel. The VPN tunnel is established after traffic is generated from the customer's side of the VPN connection.
Exam Essentials
Understand what a VPC is and its core and optional components. An Amazon VPC is a logically isolated network in the AWS Cloud. An Amazon VPC is made up of the following core elements: subnets (public, private, and VPN-only), route tables, DHCP option sets, security groups, and network ACLs. Optional elements include an IGW, EIP addresses, endpoints, peering connections, NAT instances, VPGs, CGWs, and VPN connections.
Understand the purpose of a subnet. A subnet is a segment of an Amazon VPC's IP address range where you can place groups of isolated resources. Subnets are defined by CIDR blocks—for example, 10.0.1.0/24 and 10.0.2.0/24—and are contained within an Availability Zone.
Identify the difference between a public subnet, a private subnet, and a VPN-only subnet. If a subnet's traffic is routed to an IGW, the subnet is known as a public subnet. If a subnet doesn't have a route to the IGW, the subnet is known as a private subnet. If a subnet doesn't have a route to the IGW, but has its traffic routed to a VPG, the subnet is known as a VPN-only subnet.
Understand the purpose of a route table. A route table is a set of rules (called routes) that are used to determine where network traffic is directed. A route table allows Amazon EC2 instances within different subnets to communicate with each other (within the same Amazon VPC). The Amazon VPC router also enables subnets, IGWs, and VPGs to communicate with each other.
Understand the purpose of an IGW. An IGW is a horizontally scaled, redundant, and highly available Amazon VPC component that allows communication between instances in your Amazon VPC and the Internet. IGWs are fully redundant and have no bandwidth constraints. An IGW provides a target in your Amazon VPC route tables for Internet-routable traffic and performs network address translation for instances that have been assigned public IP addresses.
Understand what DHCP option sets provide to an Amazon VPC. The DHCP option sets element of an Amazon VPC allows you to direct Amazon EC2 host name assignment to your own resources. You can specify the domain name for instances within an Amazon VPC and identify the IP addresses of custom DNS servers, NTP servers, and NetBIOS servers.
Know the difference between an Amazon VPC public IP address and an EIP address. A public IP address is an AWS-owned IP that can be automatically assigned to instances launched within a subnet. An EIP address is an AWS-owned public IP address that you allocate to your account and assign to instances or network interfaces on demand.
Understand what endpoints provide to an Amazon VPC. An Amazon VPC endpoint enables you to create a private connection between your Amazon VPC and another AWS service without requiring access over the Internet or through a NAT instance, a VPN connection, or AWS Direct Connect. Endpoints support services within the region only.
Understand Amazon VPC peering. An Amazon VPC peering connection is a networking connection between two Amazon VPCs that enables instances in either Amazon VPC to communicate with each other as if they are within the same network. Peering connections are created through a request/accept protocol. Transitive peering is not supported, and peering is only available between Amazon VPCs within the same region.
Know the difference between a security group and a network ACL. A security group applies at the instance level. You can have multiple instances in multiple subnets that are members of the same security groups. Security groups are stateful, which means that return traffic is automatically allowed, regardless of any outbound rules. A network ACL is applied on a subnet level, and traffic is stateless. You need to allow both inbound and outbound traffic on the network ACL in order for Amazon EC2 instances in a subnet to be able to communicate over a particular protocol.
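The stateful/stateless distinction above, worked through as an added example (not code from the book): a security group evaluated only on the initiating packet, and a numbered network ACL in which the request and the reply on an ephemeral port must each be allowed, with a low-numbered deny that a security group cannot express. All addresses, ports and rules are constructed.

```python
"""Security group (stateful) versus network ACL (stateless), as an added
example that is not from the book. Addresses, ports and rules are constructed:
a client at 198.51.100.7 opens TCP 443 to a web instance; the reply travels
back from port 443 to the client's ephemeral port 51234."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Tuple


@dataclass(frozen=True)
class Flow:
    direction: str  # "in" or "out", seen from the instance / subnet
    proto: str      # "tcp", "udp", "icmp" or "all"
    remote: str     # IP address of the non-AWS end
    port: int       # destination port of this packet

    def reply(self, client_port: int) -> "Flow":
        """The return packet: direction flips and the destination is the client port."""
        flipped = "out" if self.direction == "in" else "in"
        return Flow(flipped, self.proto, self.remote, client_port)


@dataclass(frozen=True)
class SgRule:        # security groups only have allow rules
    direction: str
    proto: str
    ports: Tuple[int, int]
    cidr: str


@dataclass(frozen=True)
class AclRule:       # network ACL rules are numbered and may allow or deny
    number: int
    direction: str
    proto: str
    ports: Tuple[int, int]
    cidr: str
    action: str      # "allow" or "deny"


def _matches(rule, flow: Flow) -> bool:
    lo, hi = rule.ports
    return (rule.direction == flow.direction
            and rule.proto in (flow.proto, "all")
            and lo <= flow.port <= hi
            and IPv4Address(flow.remote) in IPv4Network(rule.cidr))


def security_group_allows(rules: List[SgRule], request: Flow) -> bool:
    """Stateful: only the initiating packet is evaluated; once it is allowed the
    reply is tracked and permitted regardless of the rules in the other direction."""
    return any(_matches(r, request) for r in rules)


def acl_decision(rules: List[AclRule], flow: Flow) -> str:
    """Stateless: the lowest-numbered matching rule wins; the implicit '*' rule denies."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, flow):
            return rule.action
    return "deny"


def acl_allows(rules: List[AclRule], request: Flow, reply: Flow) -> bool:
    """Both directions must be allowed on their own for the exchange to work."""
    return acl_decision(rules, request) == "allow" and acl_decision(rules, reply) == "allow"


# --- constructed scenario ---------------------------------------------------
REQUEST = Flow("in", "tcp", "198.51.100.7", 443)
REPLY = REQUEST.reply(client_port=51234)

# Security group with an inbound HTTPS rule and no outbound rule at all.
WEB_SG = [SgRule("in", "tcp", (443, 443), "0.0.0.0/0")]

# Custom network ACL that allows inbound HTTPS but forgot the outbound reply rule.
ACL_INBOUND_ONLY = [AclRule(100, "in", "tcp", (443, 443), "0.0.0.0/0", "allow")]

# Corrected ACL: replies leave on ephemeral ports, so an outbound allow is required.
ACL_FIXED = ACL_INBOUND_ONLY + [AclRule(100, "out", "tcp", (1024, 65535), "0.0.0.0/0", "allow")]

# A lower-numbered deny for one address is evaluated before the allow; a security
# group has no deny rules, so only the network ACL can express this.
SCANNER = "203.0.113.200"
ACL_WITH_BLOCK = [AclRule(50, "in", "all", (0, 65535), SCANNER + "/32", "deny")] + ACL_FIXED
SCAN_REQUEST = Flow("in", "tcp", SCANNER, 443)

if __name__ == "__main__":
    print("security group allows exchange:", security_group_allows(WEB_SG, REQUEST))
    print("inbound-only ACL allows exchange:", acl_allows(ACL_INBOUND_ONLY, REQUEST, REPLY))
    print("corrected ACL allows exchange:", acl_allows(ACL_FIXED, REQUEST, REPLY))
    print("ACL verdict for the blocked address:", acl_decision(ACL_WITH_BLOCK, SCAN_REQUEST))
```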
Understand what a NAT provides to an Amazon VPC. A NAT instance or NAT gateway enables instances in a private subnet to initiate outbound traffic to the Internet. This allows outbound Internet communication to download patches and updates, for example, but prevents the instances from receiving inbound traffic initiated by someone on the Internet.
Understand the components needed to establish a VPN connection from a network to an Amazon VPC. A VPG is the VPN concentrator on the AWS side of the VPN connection between the two networks. A CGW represents a physical device or a software application on the customer's side of the VPN connection. The VPN connection must be initiated from the CGW side, and the connection consists of two IPSec tunnels.
Exercises
The best way to become familiar with Amazon VPC is to build your own custom Amazon VPC and then deploy Amazon EC2 instances into it, which is what you'll be doing in this section. You should repeat these exercises until you can create and decommission Amazon VPCs with confidence.
For assistance completing these exercises, refer to the Amazon VPC User Guide located at http://aws.amazon.com/documentation/vpc/.
EXERCISE 4.1
Create a Custom Amazon VPC
1. Sign in to the AWS Management Console as an administrator or power user.
2. Select the Amazon VPC icon to launch the Amazon VPC Dashboard.
3. Create an Amazon VPC with a CIDR block equal to 192.168.0.0/16, a name tag of MyFirstVPC, and default tenancy.
You have created your first custom VPC.
EXERCISE 4.2
Create Two Subnets for Your Custom Amazon VPC
1. Create a subnet with a CIDR block equal to 192.168.1.0/24 and a name tag of MyFirstPublicSubnet. Create the subnet in the Amazon VPC from Exercise 4.1, and specify an Availability Zone for the subnet (for example, US-East-1a).
2. Create a subnet with a CIDR block equal to 192.168.2.0/24 and a name tag of MyFirstPrivateSubnet. Create the subnet in the Amazon VPC from Exercise 4.1, and specify a different Availability Zone for the subnet than previously specified (for example, US-East-1b).
You have now created two new subnets, each in its own Availability Zone. It's important to remember that one subnet equals one Availability Zone. You cannot stretch a subnet across multiple Availability Zones.
EXERCISE 4.3
Connect Your Custom Amazon VPC to the Internet and Establish Routing
For assistance with this exercise, refer to the Amazon EC2 key pair documentation at: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html
For additional assistance with this exercise, refer to the NAT instances documentation at: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_NAT_Instance.html#NATInstance
1. Create an Amazon EC2 key pair in the same region as your custom Amazon VPC.
2. Create an IGW with a name tag of MyFirstIGW and attach it to your custom Amazon VPC.
3. Add a route to the main route table for your custom Amazon VPC that directs Internet traffic (0.0.0.0/0) to the IGW.
4. Create a NAT gateway, place it in the public subnet of your custom Amazon VPC, and assign it an EIP.
5. Create a new route table with a name tag of MyFirstPrivateRouteTable and place it within your custom Amazon VPC. Add a route to it that directs Internet traffic (0.0.0.0/0) to the NAT gateway and associate it with the private subnet.
You have now created a connection to the Internet for resources within your Amazon VPC. You established routing rules that direct Internet traffic to the IGW regardless of the originating subnet.
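The routing built in Exercises 4.2 and 4.3, and the NAT instance and NAT gateway steps described earlier in the chapter, modelled as an added example that is not code from the book: a longest-prefix route lookup, the public/private/VPN-only classification, a trace of an Internet-bound packet from each subnet, and what happens when the Source/Destination Check is left enabled on a NAT instance. The subnet CIDRs are the exercise's own; resource IDs such as igw-0a1b2c3d and the remote address 203.0.113.10 are constructed placeholders.

```python
"""Model of the routing from Exercises 4.2 and 4.3 (added example, not the
book's code). Constructed data: VPC 192.168.0.0/16; MyFirstPublicSubnet
192.168.1.0/24 on the main route table (0.0.0.0/0 -> IGW);
MyFirstPrivateSubnet 192.168.2.0/24 on MyFirstPrivateRouteTable
(0.0.0.0/0 -> NAT). IDs such as igw-0a1b2c3d are placeholders."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional


@dataclass
class Route:
    destination: IPv4Network
    target: str  # "local", "igw-...", "nat-...", "i-..." (NAT instance), "vgw-..."


@dataclass
class RouteTable:
    name: str
    routes: List[Route] = field(default_factory=list)

    def lookup(self, dst: str) -> Optional[Route]:
        """Longest-prefix match, which is how the VPC router picks a route."""
        addr = IPv4Address(dst)
        matches = [r for r in self.routes if addr in r.destination]
        return max(matches, key=lambda r: r.destination.prefixlen, default=None)


@dataclass
class Subnet:
    name: str
    cidr: IPv4Network
    az: str
    route_table: RouteTable


@dataclass
class NatDevice:
    """A NAT gateway or NAT instance, which must live in a public subnet."""
    nat_id: str
    subnet: Subnet
    src_dst_check: bool = False  # only a NAT *instance* has this attribute to disable


def validate_subnets(vpc_cidr: IPv4Network, subnets: List[Subnet]) -> List[str]:
    """Exercise 4.2 constraints: each subnet inside the VPC block, no overlaps."""
    errors = [f"{s.name}: {s.cidr} is outside {vpc_cidr}"
              for s in subnets if not s.cidr.subnet_of(vpc_cidr)]
    for i, a in enumerate(subnets):
        for b in subnets[i + 1:]:
            if a.cidr.overlaps(b.cidr):
                errors.append(f"{a.name} overlaps {b.name}")
    return errors


def classify(subnet: Subnet) -> str:
    """Public, private or VPN-only, using the chapter's route-table definitions."""
    kinds = {r.target.split("-")[0] for r in subnet.route_table.routes}
    if "igw" in kinds:
        return "public"
    if "vgw" in kinds:
        return "vpn-only"
    return "private"


def trace(subnet: Subnet, dst: str, nats: Dict[str, NatDevice]) -> List[str]:
    """Hops a packet from `subnet` to `dst` takes, ending where it is dropped."""
    route = subnet.route_table.lookup(dst)
    if route is None:
        return ["dropped: no route"]
    hops = [route.target]
    nat = nats.get(route.target)
    if nat is not None:
        if nat.src_dst_check:
            # The ENI discards traffic it is neither the source nor destination of.
            return hops + ["dropped: source/destination check still enabled"]
        # After translation the packet follows the NAT's own (public) subnet table.
        onward = nat.subnet.route_table.lookup(dst)
        hops.append(onward.target if onward else "dropped: no route")
    return hops


def build_exercise_vpc(nat_id: str = "nat-1a2b3c4d", src_dst_check: bool = False,
                       vpc_cidr: str = "192.168.0.0/16"):
    """Wire up the two subnets, two route tables and the NAT as the exercises do."""
    vpc = IPv4Network(vpc_cidr)
    local = Route(vpc, "local")
    anywhere = IPv4Network("0.0.0.0/0")
    main_rt = RouteTable("main", [local, Route(anywhere, "igw-0a1b2c3d")])
    private_rt = RouteTable("MyFirstPrivateRouteTable", [local, Route(anywhere, nat_id)])
    public = Subnet("MyFirstPublicSubnet", IPv4Network("192.168.1.0/24"), "us-east-1a", main_rt)
    private = Subnet("MyFirstPrivateSubnet", IPv4Network("192.168.2.0/24"), "us-east-1b", private_rt)
    return vpc, [public, private], {nat_id: NatDevice(nat_id, public, src_dst_check)}


if __name__ == "__main__":
    vpc, subnets, nats = build_exercise_vpc()
    print("subnet errors:", validate_subnets(vpc, subnets))
    for s in subnets:
        print(f"{s.name}: {classify(s)}, Internet path {trace(s, '203.0.113.10', nats)}")
    # A NAT instance whose Source/Destination Check was not disabled (a required step above)
    _, subnets2, nats2 = build_exercise_vpc("i-1a2b3c4d", src_dst_check=True)
    print("misconfigured NAT instance:", trace(subnets2[1], "203.0.113.10", nats2))
```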
EXERCISE 4.4
Launch an Amazon EC2 Instance and Test the Connection to the Internet
1. Launch a t2.micro Amazon Linux AMI as an Amazon EC2 instance into the public subnet of your custom Amazon VPC, give it a name tag of MyFirstPublicInstance, and select the newly-created key pair for secure access to the instance.
2. Securely access the Amazon EC2 instance in the public subnet via SSH with the newly-created key pair.
3. Execute an update to the operating system instance libraries by executing the following command:
# sudo yum update -y
4. You should see output showing the instance downloading software from the Internet and installing it.
You have now provisioned an Amazon EC2 instance in a public subnet. You can apply patches to the Amazon EC2 instance in the public subnet, and you have demonstrated connectivity to the Internet.
Review Questions
1. What is the minimum size subnet that you can have in an Amazon VPC?
A. /24
B. /26
C. /28
D. /30
2. You are a solutions architect working for a large travel company that is migrating its existing server estate to AWS. You have recommended that they use a custom Amazon VPC, and they have agreed to proceed. They will need a public subnet for their web servers and a private subnet in which to place their databases. They also require that the web servers and database servers be highly available and that there be a minimum of two web servers and two database servers each. How many subnets should you have to maintain high availability?
A. 2
B. 3
C. 4
D. 1
3. Which of the following is an optional security control that can be applied at the subnet layer of a VPC?
A. Network ACL
B. Security Group
C. Firewall
D. Web application firewall
4. What is the maximum size IP address range that you can have in an Amazon VPC?
A. /16
B. /24
C. /28
D. /30
5. You create a new subnet and then add a route to your route table that routes traffic out from that subnet to the Internet using an IGW. What type of subnet have you created?
A. An internal subnet
B. A private subnet
C. An external subnet
D. A public subnet
6. What happens when you create a new Amazon VPC?
A. A main route table is created by default.
B. Three subnets are created by default—one for each Availability Zone.
C. Three subnets are created by default in one Availability Zone.
D. An IGW is created by default.
7. You create a new VPC in US-East-1 and provision three subnets inside this Amazon VPC. Which of the following statements is true?
A. By default, these subnets will not be able to communicate with each other; you will need to create routes.
B. All subnets are public by default.
C. All subnets will be able to communicate with each other by default.
D. Each subnet will have identical CIDR blocks.
8. How many IGWs can you attach to an Amazon VPC at any one time?
A. 1
B. 2
C. 3
D. 4
9. What aspect of an Amazon VPC is stateful?
A. Network ACLs
B. Security groups
C. Amazon DynamoDB
D. Amazon S3
10. You have created a custom Amazon VPC with both private and public subnets. You have created a NAT instance and deployed this instance to a public subnet. You have attached an EIP address and added your NAT to the route table. Unfortunately, instances in your private subnet still cannot access the Internet. What may be the cause of this?
A. Your NAT is in a public subnet, but it needs to be in a private subnet.
B. Your NAT should be behind an Elastic Load Balancer.
C. You should disable source/destination checks on the NAT.
D. Your NAT has been deployed on a Windows instance, but your other instances are Linux. You should redeploy the NAT onto a Linux instance.
11. Which of the following will occur when an Amazon Elastic Block Store (Amazon EBS)-backed Amazon EC2 instance in an Amazon VPC with an associated EIP is stopped and started? (Choose 2 answers)
A. The EIP will be dissociated from the instance.
B. All data on instance-store devices will be lost.
C. All data on Amazon EBS devices will be lost.
D. The ENI is detached.
E. The underlying host for the instance is changed.
12. How many VPC Peering connections are required for four VPCs located within the same AWS region to be able to send traffic to each of the others?
A. 3
B. 4
C. 5
D. 6
13. Which of the following AWS resources would you use in order for an EC2-VPC instance to resolve DNS names outside of AWS?
A. A VPC peering connection
B. A DHCP option set
C. A routing rule
D. An IGW
14. Which of the following is the Amazon side of an Amazon VPN connection?
A. An EIP
B. A CGW
C. An IGW
D. A VPG
15. What is the default limit for the number of Amazon VPCs that a customer may have in a region?
A. 5
B. 6
C. 7
D. There is no default maximum number of VPCs within a region.
16. You are responsible for your company's AWS resources, and you notice a significant amount of traffic from an IP address in a foreign country in which your company does not have customers. Further investigation of the traffic indicates the source of the traffic is scanning for open ports on your EC2-VPC instances. Which one of the following resources can deny the traffic from reaching the instances?
A. Security group
B. Network ACL
C. NAT instance
D. An Amazon VPC endpoint
17. Which of the following is the security protocol supported by Amazon VPC?
A. SSH
B. Advanced Encryption Standard (AES)
C. Point-to-Point Tunneling Protocol (PPTP)
D. IPsec
18. Which of the following Amazon VPC resources would you use in order for EC2-VPC instances to send traffic directly to Amazon S3?
A. Amazon S3 gateway
B. IGW
C. CGW
D. VPC endpoint
19. What properties of an Amazon VPC must be specified at the time of creation? (Choose 2 answers)
A. The CIDR block representing the IP address range
B. One or more subnets for the Amazon VPC
C. The region for the Amazon VPC
D. Amazon VPC Peering relationships
20. Which Amazon VPC feature allows you to create a dual-homed instance?
A. EIP address
B. ENI
C. Security groups
D. CGW
Chapter 5
Elastic Load Balancing, Amazon CloudWatch, and Auto Scaling
THE AWS CERTIFIED SOLUTIONS ARCHITECT EXAM TOPICS COVERED IN THIS CHAPTER MAY INCLUDE, BUT ARE NOT LIMITED TO, THE FOLLOWING:
Domain 1.0: Designing highly available, cost-effective, fault-tolerant, scalable systems
1.1 Identify and recognize cloud architecture considerations, such as fundamental components and effective designs.
Elasticity and scalability
Domain 2.0: Implementation/Deployment
2.1 Identify the appropriate techniques and methods using Amazon Elastic Compute Cloud (Amazon EC2), Amazon Simple Storage Service (Amazon S3), AWS Elastic Beanstalk, AWS CloudFormation, AWS OpsWorks, Amazon Virtual Private Cloud (Amazon VPC), and AWS Identity and Access Management (IAM) to code and implement a cloud solution.
Content may include the following:
Launch instances across the AWS global infrastructure
Domain 3.0: Data Security
3.1 Recognize and implement secure practices for optimum cloud deployment and maintenance.
CloudWatch Logs
Domain 4.0: Troubleshooting
Content may include the following:
General troubleshooting information and questions
Introduction
In this chapter, you will learn how Elastic Load Balancing, Amazon CloudWatch, and Auto Scaling work both independently and together to help you efficiently and cost-effectively deploy highly available and optimized workloads on AWS.
Elastic Load Balancing is a highly available service that distributes traffic across Amazon Elastic Compute Cloud (Amazon EC2) instances and includes options that provide flexibility and control of incoming requests to Amazon EC2 instances.
Amazon CloudWatch is a service that monitors AWS Cloud resources and applications running on AWS. It collects and tracks metrics, collects and monitors log files, and sets alarms. Amazon CloudWatch has a basic level of monitoring for no cost and a more detailed level of monitoring for an additional cost.
Auto Scaling is a service that allows you to maintain the availability of your applications by scaling Amazon EC2 capacity up or down in accordance with conditions you set.
This chapter covers all three services separately, but it also highlights how they can work together to build more robust and highly available architectures on AWS.
Elastic Load Balancing
An advantage of having access to a large number of servers in the cloud, such as Amazon EC2 instances on AWS, is the ability to provide a more consistent experience for the end user. One way to ensure consistency is to balance the request load across more than one server. A load balancer is a mechanism that automatically distributes traffic across multiple Amazon EC2 instances. You can either manage your own virtual load balancers on Amazon EC2 instances or leverage an AWS Cloud service called Elastic Load Balancing, which provides a managed load balancer for you.
The Elastic Load Balancing service allows you to distribute traffic across a group of Amazon EC2 instances in one or more Availability Zones, enabling you to achieve high availability in your applications. Elastic Load Balancing supports routing and load balancing of Hypertext Transfer Protocol (HTTP), Hypertext Transfer Protocol Secure (HTTPS), Transmission Control Protocol (TCP), and Secure Sockets Layer (SSL) traffic to Amazon EC2 instances. Elastic Load Balancing provides a stable, single Canonical Name record (CNAME) entry point for Domain Name System (DNS) configuration and supports both Internet-facing and internal application-facing load balancers. Elastic Load Balancing supports health checks for Amazon EC2 instances to ensure traffic is not routed to unhealthy or failing instances. Also, Elastic Load Balancing can automatically scale based on collected metrics.
There are several advantages of using Elastic Load Balancing. Because Elastic Load Balancing is a managed service, it scales in and out automatically to meet the demands of increased application traffic and is highly available within a region itself as a service. Elastic Load Balancing helps you achieve high availability for your applications by distributing traffic across healthy instances in multiple Availability Zones. Additionally, Elastic Load Balancing seamlessly integrates with the Auto Scaling service to automatically scale the Amazon EC2 instances behind the load balancer. Finally, Elastic Load Balancing is secure, working with Amazon Virtual Private Cloud (Amazon VPC) to route traffic internally between application tiers, allowing you to expose only Internet-facing public IP addresses. Elastic Load Balancing also supports integrated certificate management and SSL termination.
Elastic Load Balancing is a highly available service itself and can be used to help build highly available architectures.
Types of Load Balancers
Elastic Load Balancing provides several types of load balancers for handling different kinds of connections including Internet-facing, internal, and load balancers that support encrypted connections.
Internet-Facing Load Balancers
An Internet-facing load balancer is, as the name implies, a load balancer that takes requests from clients over the Internet and distributes them to Amazon EC2 instances that are registered with the load balancer.
When you configure a load balancer, it receives a public DNS name that clients can use to send requests to your application. The DNS servers resolve the DNS name to your load balancer's public IP address, which can be visible to client applications.
An AWS recommended best practice is always to reference a load balancer by its DNS name, instead of by the IP address of the load balancer, in order to provide a single, stable entry point.
Because Elastic Load Balancing scales in and out to meet traffic demand, it is not recommended to bind an application to an IP address that may no longer be part of a load balancer's pool of resources.
Elastic Load Balancing in Amazon VPC supports IPv4 addresses only. Elastic Load Balancing in EC2-Classic supports both IPv4 and IPv6 addresses.
Internal Load Balancers
In a multi-tier application, it is often useful to load balance between the tiers of the application. For example, an Internet-facing load balancer might receive and balance external traffic to the presentation or web tier, whose Amazon EC2 instances then send their requests to a load balancer sitting in front of the application tier. You can use internal load balancers to route traffic to your Amazon EC2 instances in VPCs with private subnets.
HTTPS Load Balancers
You can create a load balancer that uses the SSL/Transport Layer Security (TLS) protocol for encrypted connections (also known as SSL offload). This feature enables traffic encryption between your load balancer and the clients that initiate HTTPS sessions, and for connections between your load balancer and your back-end instances. Elastic Load Balancing provides security policies that have predefined SSL negotiation configurations to use to negotiate connections between clients and the load balancer. In order to use SSL, you must install an SSL certificate on the load balancer that it uses to terminate the connection and then decrypt requests from clients before sending requests to the back-end Amazon EC2 instances. You can optionally choose to enable authentication on your back-end instances.
Elastic Load Balancing does not support Server Name Indication (SNI) on your load balancer. This means that if you want to host multiple websites on a fleet of Amazon EC2 instances behind Elastic Load Balancing with a single SSL certificate, you will need to add a Subject Alternative Name (SAN) for each website to the certificate to avoid site users seeing a warning message when the site is accessed.
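The SAN requirement above, checked as an added example (not code from the book): given the dNSName entries on the single certificate and the sites hosted behind the load balancer, list the sites no entry covers. The certificate entries and hostnames are constructed; matching applies the usual rules that a wildcard covers exactly one leftmost label and that comparison is case-insensitive.

```python
"""Which hostnames behind a single ELB certificate would produce a browser
warning, as an added example (not from the book). The SAN list and sites are
constructed; matching follows the usual dNSName rules: case-insensitive, and a
wildcard covers exactly one leftmost label."""
from typing import Iterable, List


def san_matches(san: str, hostname: str) -> bool:
    """True when one dNSName SAN entry covers the hostname."""
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if san.startswith("*."):
        first, _, rest = hostname.partition(".")
        # "*.shop.example.com" covers eu.shop.example.com but neither
        # shop.example.com itself nor a.b.shop.example.com.
        return bool(first) and rest == san[2:]
    return san == hostname


def uncovered_sites(sans: Iterable[str], sites: Iterable[str]) -> List[str]:
    """Sites no SAN covers. Without SNI, every such site needs its own SAN entry."""
    sans = list(sans)
    return [site for site in sites if not any(san_matches(san, site) for san in sans)]


# Constructed certificate contents and hosted site list.
CERT_SANS = ["www.example.com", "example.com", "*.shop.example.com"]
HOSTED_SITES = ["www.example.com", "Example.COM", "shop.example.com",
                "eu.shop.example.com", "a.b.shop.example.com", "blog.example.net"]

if __name__ == "__main__":
    for site in uncovered_sites(CERT_SANS, HOSTED_SITES):
        print(f"{site}: add a SAN for it or users will see a certificate warning")
```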
Listeners
Every load balancer must have one or more listeners configured. A listener is a process that checks for connection requests—for example, a CNAME configured to the A record name of the load balancer. Every listener is configured with a protocol and a port (client to load balancer) for a front-end connection and a protocol and a port for the back-end (load balancer to Amazon EC2 instance) connection. Elastic Load Balancing supports the following protocols:
HTTP
HTTPS
TCP
SSL
Elastic Load Balancing supports protocols operating at two different Open System Interconnection (OSI) layers. In the OSI model, Layer 4 is the transport layer that describes the TCP connection between the client and your back-end instance through the load balancer. Layer 4 is the lowest level that is configurable for your load balancer. Layer 7 is the application layer that describes the use of HTTP and HTTPS connections from clients to the load balancer and from the load balancer to your back-end instance.
The SSL protocol is primarily used to encrypt confidential data over insecure networks such as the Internet. The SSL protocol establishes a secure connection between a client and the back-end server and ensures that all the data passed between your client and your server is private.
Configuring Elastic Load Balancing
Elastic Load Balancing allows you to configure many aspects of the load balancer, including idle connection timeout, cross-zone load balancing, connection draining, proxy protocol, sticky sessions, and health checks. Configuration settings can be modified using either the AWS Management Console or a Command Line Interface (CLI). Some of the options are described next.
Idle Connection Timeout
For each request that a client makes through a load balancer, the load balancer maintains two connections. One connection is with the client and the other connection is to the back-end instance. For each connection, the load balancer manages an idle timeout that is triggered when no data is sent over the connection for a specified time period. After the idle timeout period has elapsed, if no data has been sent or received, the load balancer closes the connection.
By default, Elastic Load Balancing sets the idle timeout to 60 seconds for both connections. If an HTTP request doesn't complete within the idle timeout period, the load balancer closes the connection, even if data is still being transferred. You can change the idle timeout setting for the connections to ensure that lengthy operations, such as file uploads, have time to complete.
If you use HTTP and HTTPS listeners, we recommend that you enable the keep-alive option for your Amazon EC2 instances. You can enable keep-alive in your web server settings or in the kernel settings for your Amazon EC2 instances. Keep-alive, when enabled, allows the load balancer to reuse connections to your back-end instance, which reduces CPU utilization.
To ensure that the load balancer is responsible for closing the connections to your back-end instance, make sure that the value you set for the keep-alive time is greater than the idle timeout setting on your load balancer.
Cross-Zone Load Balancing
To ensure that request traffic is routed evenly across all back-end instances for your load balancer, regardless of the Availability Zone in which they are located, you should enable cross-zone load balancing on your load balancer. Cross-zone load balancing reduces the need to maintain equivalent numbers of back-end instances in each Availability Zone and improves your application's ability to handle the loss of one or more back-end instances. However, it is still recommended that you maintain approximately equivalent numbers of instances in each Availability Zone for higher fault tolerance.
For environments where clients cache DNS lookups, incoming requests might favor one of the Availability Zones. Using cross-zone load balancing, this imbalance in the request load is spread across all available back-end instances in the region, reducing the impact of misconfigured clients.
Connection Draining
You should enable connection draining to ensure that the load balancer stops sending requests to instances that are deregistering or unhealthy, while keeping the existing connections open. This enables the load balancer to complete in-flight requests made to these instances.
When you enable connection draining, you can specify a maximum time for the load balancer to keep connections alive before reporting the instance as deregistered. The maximum timeout value can be set between 1 and 3,600 seconds (the default is 300 seconds). When the maximum time limit is reached, the load balancer forcibly closes connections to the deregistering instance.
Proxy Protocol
When you use TCP or SSL for both front-end and back-end connections, your load balancer forwards requests to the back-end instances without modifying the request headers. If you enable Proxy Protocol, a human-readable header is added to the request header with connection information such as the source IP address, destination IP address, and port numbers. The header is then sent to the back-end instance as part of the request.
Before using Proxy Protocol, verify that your load balancer is not behind a proxy server with Proxy Protocol enabled. If Proxy Protocol is enabled on both the proxy server and the load balancer, the load balancer adds another header to the request, which already has a header from the proxy server. Depending on how your back-end instance is configured, this duplication might result in errors.
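The human-readable header described above is the PROXY protocol version 1 text line (`PROXY TCP4 <src> <dst> <srcport> <dstport>` terminated by CRLF). The following is an added example, not code from the book or from AWS, of how a back-end service can strip and validate that line and refuse the doubled-header case just described instead of handing a stray second header to the application; the connection bytes used are constructed.

```python
"""Parse the Proxy Protocol v1 line that Elastic Load Balancing prepends to a
TCP/SSL connection when Proxy Protocol is enabled, and detect the
double-proxy misconfiguration (added example; sample bytes are constructed)."""
import ipaddress
import re
from typing import NamedTuple, Optional, Tuple

# Header format from the PROXY protocol v1 specification, for example
# b"PROXY TCP4 198.51.100.22 203.0.113.7 35646 80\r\n"
_HEADER_RE = re.compile(rb"^PROXY (TCP4|TCP6) (\S+) (\S+) (\d{1,5}) (\d{1,5})\r\n")
_MAX_HEADER_LEN = 107  # longest legal v1 line per the specification


class ProxyInfo(NamedTuple):
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


def parse_proxy_header(data: bytes) -> Tuple[Optional[ProxyInfo], bytes]:
    """Return (connection info, remaining payload).

    Returns (None, data) when no PROXY line is present and raises ValueError
    when a line is present but malformed, so a back end never trusts a
    half-parsed source address."""
    if not data.startswith(b"PROXY "):
        return None, data
    m = _HEADER_RE.match(data[: _MAX_HEADER_LEN + 1])
    if m is None:
        raise ValueError("malformed PROXY v1 header")
    family, src, dst, sport, dport = m.groups()
    version = 4 if family == b"TCP4" else 6
    src_ip = ipaddress.ip_address(src.decode())
    dst_ip = ipaddress.ip_address(dst.decode())
    if src_ip.version != version or dst_ip.version != version:
        raise ValueError("address family does not match PROXY header")
    src_port, dst_port = int(sport), int(dport)
    if not (0 <= src_port <= 65535 and 0 <= dst_port <= 65535):
        raise ValueError("port out of range")
    return ProxyInfo(str(src_ip), str(dst_ip), src_port, dst_port), data[m.end():]


def is_double_proxied(data: bytes) -> bool:
    """True when a second PROXY line immediately follows the first, which is
    what a back end sees when both an upstream proxy and the load balancer
    have Proxy Protocol enabled."""
    info, rest = parse_proxy_header(data)
    return info is not None and rest.startswith(b"PROXY ")


def read_connection(data: bytes) -> Tuple[Optional[ProxyInfo], bytes]:
    """Strip exactly one PROXY header; refuse the connection on a duplicate
    rather than passing the stray header on as application data."""
    if is_double_proxied(data):
        raise ValueError("duplicate PROXY header: Proxy Protocol enabled on "
                         "both the upstream proxy and the load balancer")
    return parse_proxy_header(data)


if __name__ == "__main__":
    # Constructed connection: one PROXY line followed by an HTTP request.
    sample = b"PROXY TCP4 198.51.100.22 203.0.113.7 35646 80\r\nGET / HTTP/1.1\r\n"
    print(read_connection(sample))
```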
Sticky Sessions
By default, a load balancer routes each request independently to the registered instance with the smallest load. However, you can use the sticky session feature (also known as session affinity), which enables the load balancer to bind a user's session to a specific instance. This ensures that all requests from the user during the session are sent to the same instance.
The key to managing sticky sessions is to determine how long your load balancer should consistently route the user's request to the same instance. If your application has its own session cookie, you can configure Elastic Load Balancing so that the session cookie follows the duration specified by the application's session cookie. If your application does not have its own session cookie, you can configure Elastic Load Balancing to create a session cookie by specifying your own stickiness duration. Elastic Load Balancing creates a cookie named AWSELB that is used to map the session to the instance.
Health Checks
Elastic Load Balancing supports health checks to test the status of the Amazon EC2 instances behind an Elastic Load Balancing load balancer. The status of the instances that are healthy at the time of the health check is InService. The status of any instances that are unhealthy at the time of the health check is OutOfService. The load balancer performs health checks on all registered instances to determine whether the instance is in a healthy state or an unhealthy state. A health check is a ping, a connection attempt, or a page that is checked periodically. You can set the time interval between health checks and also the amount of time to wait to respond in case the health check page includes a computational aspect. Finally, you can set a threshold for the number of consecutive health check failures before an instance is marked as unhealthy.
Updates Behind an Elastic Load Balancing Load Balancer
Long-running applications will eventually need to be maintained and updated with a newer version of the application. When using Amazon EC2 instances running behind an Elastic Load Balancing load balancer, you may deregister these long-running Amazon EC2 instances associated with a load balancer manually and then register newly launched Amazon EC2 instances that you have started with the new updates installed.
Amazon CloudWatch
Amazon CloudWatch is a service that you can use to monitor your AWS resources and your applications in real time. With Amazon CloudWatch, you can collect and track metrics, create alarms that send notifications, and make changes to the resources being monitored based on rules you define.
For example, you might choose to monitor CPU utilization to decide when to add or remove Amazon EC2 instances in an application tier. Or, if a particular application-specific metric that is not visible to AWS is the best indicator for assessing your scaling needs, you can perform a PUT request to push that metric into Amazon CloudWatch. You can then use this custom metric to manage capacity.
You can specify parameters for a metric over a time period and configure alarms and automated actions when a threshold is reached. Amazon CloudWatch supports multiple types of actions such as sending a notification to an Amazon Simple Notification Service (Amazon SNS) topic or executing an Auto Scaling policy.
Amazon CloudWatch offers either basic or detailed monitoring for supported AWS products. Basic monitoring sends data points to Amazon CloudWatch every five minutes for a limited number of preselected metrics at no charge. Detailed monitoring sends data points to Amazon CloudWatch every minute and allows data aggregation for an additional charge. If you want to use detailed monitoring, you must enable it—basic is the default.
Amazon CloudWatch supports monitoring and specific metrics for most AWS Cloud services, including: Auto Scaling, Amazon CloudFront, Amazon CloudSearch, Amazon DynamoDB, Amazon EC2, Amazon EC2 Container Service (Amazon ECS), Amazon ElastiCache, Amazon Elastic Block Store (Amazon EBS), Elastic Load Balancing, Amazon Elastic MapReduce (Amazon EMR), Amazon Elasticsearch Service, Amazon Kinesis Streams, Amazon Kinesis Firehose, AWS Lambda, Amazon Machine Learning, AWS OpsWorks, Amazon Redshift, Amazon Relational Database Service (Amazon RDS), Amazon Route 53, Amazon SNS, Amazon Simple Queue Service (Amazon SQS), Amazon S3, AWS Simple Workflow Service (Amazon SWF), AWS Storage Gateway, AWS WAF, and Amazon WorkSpaces.
Read Alert
You may have an application that leverages Amazon DynamoDB, and you want to know when read requests reach a certain threshold and alert yourself with an email. You can do this by using Provisioned Read Capacity Units for the Amazon DynamoDB table for which you want to set an alarm. You simply set a threshold value during a number of consecutive periods and then specify email as the notification type. Now, when the threshold is sustained over the number of periods, your specified email will alert you to the read activity.
Amazon CloudWatch metrics can be retrieved by performing a GET request. When you use detailed monitoring, you can also aggregate metrics across a length of time you specify. Amazon CloudWatch does not aggregate data across regions but can aggregate across Availability Zones within a region.
AWS provides a rich set of metrics included with each service, but you can also define custom metrics to monitor resources and events AWS does not have visibility into—for example, Amazon EC2 instance memory consumption and disk metrics that are visible to the operating system of the Amazon EC2 instance but not visible to AWS, or application-specific thresholds running on instances that are not known to AWS. Amazon CloudWatch supports an Application Programming Interface (API) that allows programs and scripts to PUT metrics into Amazon CloudWatch as name-value pairs that can then be used to create events and trigger alarms in the same manner as the default Amazon CloudWatch metrics.
Amazon CloudWatch Logs can be used to monitor, store, and access log files from Amazon EC2 instances, AWS CloudTrail, and other sources. You can then retrieve the log data and monitor in real time for events—for example, you can track the number of errors in your application logs and send a notification if an error rate exceeds a threshold. Amazon CloudWatch Logs can also be used to store your logs in Amazon S3 or Amazon Glacier. Logs can be retained indefinitely or according to an aging policy that will delete older logs as no longer needed.
A CloudWatch Logs agent is available that provides an automated way to send log data to CloudWatch Logs for Amazon EC2 instances running Amazon Linux or Ubuntu. You can use the Amazon CloudWatch Logs agent installer on an existing Amazon EC2 instance to install and configure the CloudWatch Logs agent. After installation is complete, the agent confirms that it has started and it stays running until you disable it.
Amazon CloudWatch has some limits that you should keep in mind when using the service. Each AWS account is limited to 5,000 alarms per AWS account, and metrics data is retained for two weeks by default (at the time of this writing). If you want to keep the data longer, you will need to move the logs to a persistent store like Amazon S3 or Amazon Glacier. You should familiarize yourself with the limits for Amazon CloudWatch in the Amazon CloudWatch Developer Guide.
Auto Scaling
A distinct advantage of deploying applications to the cloud is the ability to launch and then release servers in response to variable workloads. Provisioning servers on demand and then releasing them when they are no longer needed can provide significant cost savings for workloads that are not steady state. Examples include a website for a specific sporting event, an end-of-month data-input system, a retail shopping site supporting flash sales, a music artist website during the release of new songs, a company website announcing successful earnings, or a nightly processing run to calculate daily activity.
Auto Scaling is a service that allows you to scale your Amazon EC2 capacity automatically by scaling out and scaling in according to criteria that you define. With Auto Scaling, you can ensure that the number of running Amazon EC2 instances increases during demand spikes or peak demand periods to maintain application performance and decreases automatically during demand lulls or troughs to minimize costs.
Embrace the Spike
Many web applications have unplanned load increases based on events outside of your control. For example, your company may get mentioned on a popular blog or television program driving many more people to visit your site than expected. Setting up Auto Scaling in advance will allow you to embrace and survive this kind of fast increase in the number of requests. Auto Scaling will scale up your site to meet the increased demand and then scale down when the event subsides.
Auto Scaling Plans
Auto Scaling has several schemes or plans that you can use to control how you want Auto Scaling to perform.
Maintain Current Instance Levels
You can configure your Auto Scaling group to maintain a minimum or specified number of running instances at all times. To maintain the current instance levels, Auto Scaling performs a periodic health check on running instances within an Auto Scaling group. When Auto Scaling finds an unhealthy instance, it terminates that instance and launches a new one.
Steady state workloads that need a consistent number of Amazon EC2 instances at all times can use Auto Scaling to monitor and keep that specific number of Amazon EC2 instances running.
Manual Scaling
Manual scaling is the most basic way to scale your resources. You only need to specify the change in the maximum, minimum, or desired capacity of your Auto Scaling group. Auto Scaling manages the process of creating or terminating instances to maintain the updated capacity.
Manual scaling out can be very useful to increase resources for an infrequent event, such as the release of a new game version that will be available for download and require a user registration. For extremely large-scale events, even the Elastic Load Balancing load balancers can be pre-warmed by working with your local solutions architect or AWS Support.
Scheduled Scaling
Sometimes you know exactly when you will need to increase or decrease the number of instances in your group, simply because that need arises on a predictable schedule. Examples include periodic events such as end-of-month, end-of-quarter, or end-of-year processing, and also other predictable, recurring events. Scheduled scaling means that scaling actions are performed automatically as a function of time and date.
Recurring events such as end-of-month, quarter, or year processing, or scheduled and recurring automated load and performance testing, can be anticipated and Auto Scaling can be ramped up appropriately at the time of the scheduled event.
Dynamic Scaling
Dynamic scaling lets you define parameters that control the Auto Scaling process in a scaling policy. For example, you might create a policy that adds more Amazon EC2 instances to the web tier when the network bandwidth, measured by Amazon CloudWatch, reaches a certain threshold.
Auto Scaling Components
Auto Scaling has several components that need to be configured to work properly: a launch configuration, an Auto Scaling group, and an optional scaling policy.
Launch Configuration
A launch configuration is the template that Auto Scaling uses to create new instances, and it is composed of the configuration name, Amazon Machine Image (AMI), Amazon EC2 instance type, security group, and instance key pair. Each Auto Scaling group can have only one launch configuration at a time.
The CLI command that follows will create a launch configuration with the following attributes:
Name: myLC
AMI: ami-0535d66c
Instance type: m3.medium
Security groups: sg-f57cde9d
Instance key pair: myKeyPair
> aws autoscaling create-launch-configuration --launch-configuration-name myLC --image-id ami-0535d66c --instance-type m3.medium --security-groups sg-f57cde9d --key-name myKeyPair
Security groups for instances launched in EC2-Classic may be referenced by security group name such as "SSH" or "Web" if that is what they are named, or you can reference the security group IDs, such as sg-f57cde9d. If you launched the instances in Amazon VPC, which is recommended, you must use the security group IDs to reference the security groups you want associated with the instances in an Auto Scaling launch configuration.
The default limit for launch configurations is 100 per region. If you exceed this limit, the call to create-launch-configuration will fail. You may view and update this limit by running describe-account-limits at the command line, as shown here.
> aws autoscaling describe-account-limits
Auto Scaling may cause you to reach limits of other services, such as the default number of Amazon EC2 instances you can currently launch within a region, which is 20. When building more complex architectures with AWS, it is important to keep in mind the service limits for all AWS Cloud services you are using.
When you run a command using the CLI and it fails, check your syntax first. If that checks out, verify the limits for the command you are attempting, and check to see that you have not exceeded a limit. Some limits can be raised and usually default to a reasonable value to limit a race condition, an errant script running in a loop, or other similar automation that might cause unintended high usage and billing of AWS resources. AWS service limits can be viewed in the AWS General Reference Guide under AWS Service Limits. You can raise your limits by creating a support case at the AWS Support Center online and then choosing Service Limit Increase under Regarding. Then fill in the appropriate service and limit-to-increase value in the online form.
Auto Scaling Group
An Auto Scaling group is a collection of Amazon EC2 instances managed by the Auto Scaling service. Each Auto Scaling group contains configuration options that control when Auto Scaling should launch new instances and terminate existing instances. An Auto Scaling group must contain a name and a minimum and maximum number of instances that can be in the group. You can optionally specify desired capacity, which is the number of instances that the group must have at all times. If you don't specify a desired capacity, the default desired capacity is the minimum number of instances that you specify.
The CLI command that follows will create an Auto Scaling group that references the previous launch configuration and includes the following specifications:
Name: myASG
Launch configuration: myLC
Availability Zones: us-east-1a and us-east-1c
Minimum size: 1
Desired capacity: 3
Maximum capacity: 10
Load balancers: myELB
> aws autoscaling create-auto-scaling-group --auto-scaling-group-name myASG --launch-configuration-name myLC --availability-zones us-east-1a,us-east-1c --min-size 1 --max-size 10 --desired-capacity 3 --load-balancer-names myELB
Figure 5.1 depicts deployed AWS resources after a load balancer named myELB is created and the launch configuration myLC and Auto Scaling group myASG are set up.
FIGURE 5.1 Auto Scaling group behind an Elastic Load Balancing load balancer
An Auto Scaling group can use either On-Demand or Spot Instances as the Amazon EC2 instances it manages. On-Demand is the default, but Spot Instances can be used by referencing a maximum bid price in the launch configuration (--spot-price "0.15") associated with the Auto Scaling group. You may change the bid price by creating a new launch configuration with the new bid price and then associating it with your Auto Scaling group. If instances are available at or below your bid price, they will be launched in your Auto Scaling group. Spot Instances in an Auto Scaling group follow the same guidelines as Spot Instances outside an Auto Scaling group and require applications that are flexible and can tolerate Amazon EC2 instances that are terminated with short notice, for example, when the Spot price rises above the bid price you set in the launch configuration. A launch configuration can reference On-Demand Instances or Spot Instances, but not both.
Spot On!
Auto Scaling supports using cost-effective Spot Instances. This can be very useful when you are hosting sites where you want to provide additional compute capacity but are price constrained. An example is a "freemium" site model where you may offer some basic functionality to users for free and additional functionality for premium users who pay for use. Spot Instances can be used for providing the basic functionality when available by referencing a maximum bid price in the launch configuration (--spot-price "0.15") associated with the Auto Scaling group.
Scaling Policy
You can associate Amazon CloudWatch alarms and scaling policies with an Auto Scaling group to adjust Auto Scaling dynamically. When a threshold is crossed, Amazon CloudWatch sends alarms to trigger changes (scaling in or out) to the number of Amazon EC2 instances currently receiving traffic behind a load balancer. After the Amazon CloudWatch alarm sends a message to the Auto Scaling group, Auto Scaling executes the associated policy to scale your group. The policy is a set of instructions that tells Auto Scaling whether to scale out, launching new Amazon EC2 instances referenced in the associated launch configuration, or to scale in and terminate instances.
There are several ways to configure a scaling policy: You can increase or decrease by a specific number of instances, such as adding two instances; you can target a specific number of instances, such as a maximum of five total Amazon EC2 instances; or you can adjust based on a percentage. You can also scale by steps and increase or decrease the current capacity of the group based on a set of scaling adjustments that vary based on the size of the alarm threshold trigger.
You can associate more than one scaling policy with an Auto Scaling group. For example, you can create a policy using the trigger for CPU utilization, called CPULoad, and the CloudWatch metric CPUUtilization to specify scaling out if CPU utilization is greater than 75 percent for two minutes. You could attach another policy to the same Auto Scaling group to scale in if CPU utilization is less than 40 percent for 20 minutes.
The following CLI commands will create the scaling policy just described.
> aws autoscaling put-scaling-policy --auto-scaling-group-name myASG --policy-name CPULoadScaleOut --scaling-adjustment 1 --adjustment-type ChangeInCapacity --cooldown 30
> aws autoscaling put-scaling-policy --auto-scaling-group-name myASG --policy-name CPULoadScaleIn --scaling-adjustment -1 --adjustment-type ChangeInCapacity --cooldown 600
The following CLI commands will associate Amazon CloudWatch alarms for scaling out and scaling in with the scaling policy, as shown in Figure 5.2. In this example, the Amazon CloudWatch alarms reference the scaling policy by Amazon Resource Name (ARN).
FIGURE 5.2 Auto Scaling group with policy
> aws cloudwatch put-metric-alarm --alarm-name capacityAdd --metric-name CPUUtilization --namespace AWS/EC2 --statistic Average --period 300 --threshold 75 --comparison-operator GreaterThanOrEqualToThreshold --dimensions "Name=AutoScalingGroupName,Value=myASG" --evaluation-periods 1 --alarm-actions arn:aws:autoscaling:us-east-1:123456789012:scalingPolicy:12345678-90ab-cdef-1234567890ab:autoScalingGroupName/myASG:policyName/CPULoadScaleOut --unit Percent
> aws cloudwatch put-metric-alarm --alarm-name capacityReduce --metric-name CPUUtilization --namespace AWS/EC2 --statistic Average --period 1200 --threshold 40 --comparison-operator LessThanOrEqualToThreshold --dimensions "Name=AutoScalingGroupName,Value=myASG" --evaluation-periods 1 --alarm-actions arn:aws:autoscaling:us-east-1:123456789011:scalingPolicy:11345678-90ab-cdef-1234567890ab:autoScalingGroupName/myASG:policyName/CPULoadScaleIn --unit Percent
If the scaling policy defined in the previous paragraph is associated with the Auto Scaling group named myASG, and the CPU utilization is over 75 percent for more than five minutes, as shown in Figure 5.3, a new Amazon EC2 instance will be launched and attached to the load balancer named myELB.
FIGURE 5.3 Amazon CloudWatch alarm triggering scaling out
A recommended best practice is to scale out quickly and scale in slowly so you can respond to bursts or spikes but avoid inadvertently terminating Amazon EC2 instances too quickly, only having to launch more Amazon EC2 instances if the burst is sustained. Auto Scaling also supports a cooldown period, which is a configurable setting that determines when to suspend scaling activities for a short time for an Auto Scaling group.
If you start an Amazon EC2 instance, you will be billed for one full hour of running time. Partial instance hours consumed are billed as full hours. This means that if you have a permissive scaling policy that launches, terminates, and relaunches many instances an hour, you are billed a full hour for each and every instance you launch, even if you terminate some of those instances in less than an hour. A recommended best practice for cost effectiveness is to scale out quickly when needed but scale in more slowly to avoid having to relaunch new and separate Amazon EC2 instances for a spike in workload demand that fluctuates up and down within minutes but generally continues to need more resources within an hour.
Scale out quickly; scale in slowly.
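The alarm periods and policy cooldowns above are what make this pair of policies scale out quickly and scale in slowly. The following simulation is an added example, not code from the book or from AWS: it feeds constructed one-minute CPUUtilization samples through a simplified model of the two alarms (Average over the period, one evaluation period, the policy fired on the OK-to-ALARM transition) and the two ChangeInCapacity policies with their cooldowns, clamped to the group's min and max size.

```python
"""Simulate the capacityAdd / capacityReduce alarms and the CPULoadScaleOut /
CPULoadScaleIn policies against constructed CPU samples (added example; the
window and cooldown arithmetic is a simplified model, not AWS's implementation)."""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class AlarmPolicy:
    """One CloudWatch alarm wired to one simple scaling policy."""
    name: str
    period: int            # --period, seconds per evaluation window
    threshold: float       # --threshold, percent CPU
    greater: bool          # True: GreaterThanOrEqualToThreshold, else LessThanOrEqualToThreshold
    adjustment: int        # --scaling-adjustment with --adjustment-type ChangeInCapacity
    cooldown: int          # --cooldown, seconds
    evaluation_periods: int = 1


@dataclass
class AutoScalingGroup:
    min_size: int
    max_size: int
    desired: int
    last_action_at: float = float("-inf")
    events: List[str] = field(default_factory=list)

    def apply(self, policy: AlarmPolicy, now: int) -> bool:
        """Apply a ChangeInCapacity adjustment, honouring the cooldown and the
        min/max bounds. Returns True only if desired capacity changed."""
        if now - self.last_action_at < policy.cooldown:
            self.events.append(f"t={now} {policy.name}: suppressed by cooldown")
            return False
        target = max(self.min_size, min(self.max_size, self.desired + policy.adjustment))
        if target == self.desired:
            return False
        self.events.append(f"t={now} {policy.name}: {self.desired} -> {target}")
        self.desired = target
        self.last_action_at = now
        return True


# Parameters taken from the put-scaling-policy / put-metric-alarm commands above
SCALE_OUT = AlarmPolicy("capacityAdd", period=300, threshold=75, greater=True,
                        adjustment=1, cooldown=30)
SCALE_IN = AlarmPolicy("capacityReduce", period=1200, threshold=40, greater=False,
                       adjustment=-1, cooldown=600)


def constructed_cpu_samples() -> List[Tuple[int, float]]:
    """One hour of one-minute (detailed monitoring) CPU averages: quiet,
    a 15-minute burst, then quiet again. Constructed, not captured from AWS."""
    samples = []
    for minute in range(60):
        cpu = 90.0 if 10 <= minute < 25 else (30.0 if minute < 10 else 20.0)
        samples.append((minute * 60, cpu))
    return samples


def simulate(samples, policies, group: AutoScalingGroup) -> AutoScalingGroup:
    """Evaluate each alarm at the end of every period window. A policy fires
    only on the OK -> ALARM transition, so a sustained breach does not keep
    adding instances with a simple (non-step) scaling policy."""
    state = {p.name: "OK" for p in policies}
    streak = {p.name: 0 for p in policies}
    t_end = max(ts for ts, _ in samples)
    for now in range(60, t_end + 1, 60):
        for p in policies:
            if now % p.period:
                continue
            window = [cpu for ts, cpu in samples if now - p.period <= ts < now]
            if not window:
                continue
            avg = sum(window) / len(window)
            breach = avg >= p.threshold if p.greater else avg <= p.threshold
            streak[p.name] = streak[p.name] + 1 if breach else 0
            new_state = "ALARM" if streak[p.name] >= p.evaluation_periods else "OK"
            if new_state == "ALARM" and state[p.name] != "ALARM":
                group.apply(p, now)
            state[p.name] = new_state
    return group


def run_demo() -> AutoScalingGroup:
    """myASG as created above: min 1, max 10, desired 3."""
    group = AutoScalingGroup(min_size=1, max_size=10, desired=3)
    return simulate(constructed_cpu_samples(), [SCALE_OUT, SCALE_IN], group)


if __name__ == "__main__":
    result = run_demo()
    for event in result.events:
        print(event)
    print("final desired capacity:", result.desired)
```

The burst is caught by the 5-minute scale-out window within 15 minutes of starting, while the 20-minute scale-in window does not release the extra instance until the average over a full 20 minutes has settled below 40 percent.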
It is important to consider bootstrapping for Amazon EC2 instances launched using Auto Scaling. It takes time to configure each newly launched Amazon EC2 instance before the instance is healthy and capable of accepting traffic. Instances that start and are available for load faster can join the capacity pool more quickly. Furthermore, instances that are more stateless instead of stateful will more gracefully enter and exit an Auto Scaling group.
Rolling Out a Patch at Scale
In large deployments of Amazon EC2 instances, Auto Scaling can be used to make rolling out a patch to your instances easy. The launch configuration associated with the Auto Scaling group may be modified to reference a new AMI and even a new Amazon EC2 instance if needed. Then you can deregister or terminate instances one at a time or in small groups, and the new Amazon EC2 instances will reference the new patched AMI.
Summary
This chapter introduced three services:
Elastic Load Balancing, which is used to distribute traffic across a group of Amazon EC2 instances in one or more Availability Zones to achieve greater levels of fault tolerance for your applications.
Amazon CloudWatch, which monitors resources and applications. Amazon CloudWatch is used to collect and track metrics, create alarms that send notifications, and make changes to resources being monitored based on rules you define.
Auto Scaling, which allows you to automatically scale your Amazon EC2 capacity out and in using criteria that you define.
These three services can be used very effectively together to create a highly available application with a resilient architecture on AWS.
ExamEssentialsUnderstandwhattheElasticLoadBalancingserviceprovides.ElasticLoadBalancingisahighlyavailableservicethatdistributestrafficacrossAmazonEC2instancesandincludesoptionsthatprovideflexibilityandcontrolofincomingrequeststoAmazonEC2instances.
KnowthetypesofloadbalancerstheElasticLoadBalancingserviceprovidesandwhentouseeachone.AnInternet-facingloadbalanceris,asthenameimplies,aloadbalancerthattakesrequestsfromclientsovertheInternetanddistributesthemtoAmazonEC2instancesthatareregisteredwiththeloadbalancer.
AninternalloadbalancerisusedtoroutetraffictoyourAmazonEC2instancesinVPCswithprivatesubnets.
AnHTTPSloadbalancerisusedwhenyouwanttoencryptdatabetweenyourloadbalancerandtheclientsthatinitiateHTTPSsessionsandforconnectionsbetweenyourloadbalancerandyourback-endinstances.
KnowthetypesoflistenerstheElasticLoadBalancingserviceprovidesandtheusecaseandrequirementsforusingeachone.Alistenerisaprocessthatchecksforconnectionrequests.Itisconfiguredwithaprotocolandaportforfront-end(clienttoloadbalancer)connectionsandaprotocolandaportforback-end(loadbalancertoback-endinstance)connections.
UnderstandtheconfigurationoptionsforElasticLoadBalancing.ElasticLoadBalancingallowsyoutoconfiguremanyaspectsoftheloadbalancer,includingidleconnectiontimeout,cross-zoneloadbalancing,connectiondraining,proxyprotocol,stickysessions,andhealthchecks.
KnowwhatanElasticLoadBalancinghealthcheckisandwhyitisimportant.ElasticLoadBalancingsupportshealthcheckstotestthestatusoftheAmazonEC2instancesbehindanElasticLoadBalancingloadbalancer.
UnderstandwhattheamazonCloudWatchserviceprovidesandwhatusecasesthereareforusingit.AmazonCloudWatchisaservicethatyoucanusetomonitoryourAWSresourcesandyourapplicationsinrealtime.WithAmazonCloudWatch,youcancollectandtrackmetrics,createalarmsthatsendnotifications,andmakechangestotheresourcesbeingmonitoredbasedonrulesyoudefine.
Forexample,youmightchoosetomonitorCPUutilizationtodecidewhentoaddorremoveAmazonEC2instancesinanapplicationtier.Or,ifaparticularapplication-specificmetricthatisnotvisibletoAWSisthebestindicatorforassessingyourscalingneeds,youcanperformaPUTrequesttopushthatmetricintoAmazonCloudWatch.Youcanthenusethiscustommetrictomanagecapacity.
Knowthedifferencesbetweenthetwotypesofmonitoring—basicanddetailed—forAmazonCloudWatch.AmazonCloudWatchoffersbasicordetailedmonitoringforsupportedAWSproducts.BasicmonitoringsendsdatapointstoAmazonCloudWatcheveryfiveminutesforalimitednumberofpreselectedmetricsatnocharge.DetailedmonitoringsendsdatapointstoAmazonCloudWatcheveryminuteandallowsdataaggregationforan
![Page 183: Certified Solutions Architect Official Guide/AWS Certified... · Chapter 1: Introduction to AWS Chapter 2: Amazon Simple Storage Service (Amazon S3) and Amazon Glacier Storage Chapter](https://reader034.vdocuments.us/reader034/viewer/2022051812/602c405cb445ae68a568d84c/html5/thumbnails/183.jpg)
additionalcharge.Ifyouwanttousedetailedmonitoring,youmustenableit—basicisthedefault.
UnderstandAutoScalingandwhyitisanimportantadvantageoftheAWSCloud.Adistinctadvantageofdeployingapplicationstothecloudistheabilitytolaunchandthenreleaseserversinresponsetovariableworkloads.Provisioningserversondemandandthenreleasingthemwhentheyarenolongerneededcanprovidesignificantcostsavingsforworkloadsthatarenotsteadystate.
KnowwhenandwhytouseAutoScaling.AutoScalingisaservicethatallowsyoutoscaleyourAmazonEC2capacityautomaticallybyscalingoutandscalinginaccordingtocriteriathatyoudefine.WithAutoScaling,youcanensurethatthenumberofrunningAmazonEC2instancesincreasesduringdemandspikesorpeakdemandperiodstomaintainapplicationperformanceanddecreasesautomaticallyduringdemandlullsortroughstominimizecosts.
KnowthesupportedAutoScalingplans.AutoScalinghasseveralschemesorplansthatyoucanusetocontrolhowyouwantAutoScalingtoperform.TheAutoScalingplansarenamedMaintainCurrentInstantLevels,ManualScaling,ScheduledScaling,andDynamicScaling.
Understand how to build an Auto Scaling launch configuration and an Auto Scaling group and what each is used for. A launch configuration is the template that Auto Scaling uses to create new instances and is composed of the configuration name, AMI, Amazon EC2 instance type, security group, and instance key pair.
Know what a scaling policy is and what use cases to use it for. A scaling policy is used by Auto Scaling with CloudWatch alarms to determine when your Auto Scaling group should scale out or scale in. Each CloudWatch alarm watches a single metric and sends messages to Auto Scaling when the metric breaches a threshold that you specify in your policy.
Understand how Elastic Load Balancing, Amazon CloudWatch, and Auto Scaling are used together to provide dynamic scaling. Elastic Load Balancing, Amazon CloudWatch, and Auto Scaling can be used together to create a highly available application with a resilient architecture on AWS.
Exercises
For assistance in completing the following exercises, refer to the Elastic Load Balancing Developer Guide located at http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elastic-load-balancing.html, the Amazon CloudWatch Developer Guide at http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/WhatIsCloudWatch.html and the Auto Scaling User Guide at http://docs.aws.amazon.com/autoscaling/latest/userguide/WhatIsAutoScaling.html.
EXERCISE 5.1
Create an Elastic Load Balancing Load Balancer
In this exercise, you will use the AWS Management Console to create an Elastic Load Balancing load balancer.
1. Launch an Amazon EC2 instance using an AMI with a web server on it, or install and configure a web server.
2. Create a static page to display and a health check page that returns HTTP 200. Configure the Amazon EC2 instance to accept traffic over port 80.
3. Register the Amazon EC2 instance with the Elastic Load Balancing load balancer, and configure it to use the health check page to evaluate the health of the instance.
EXERCISE 5.2
Use an Amazon CloudWatch Metric
1. Launch an Amazon EC2 instance.
2. Use an existing Amazon CloudWatch metric to monitor a value.
EXERCISE 5.3
Create a Custom Amazon CloudWatch Metric
1. Create a custom Amazon CloudWatch metric for memory consumption.
2. Use the CLI to PUT values into the metric.
EXERCISE 5.4
Create a Launch Configuration and Auto Scaling Group
1. Using the AWS Management Console, create a launch configuration using an existing AMI.
2. Create an Auto Scaling group using this launch configuration with a group size of four and spanning two Availability Zones. Do not use a scaling policy. Keep the group at its initial size.
3. Manually terminate an Amazon EC2 instance, and observe Auto Scaling launch a new Amazon EC2 instance.
EXERCISE 5.5
Create a Scaling Policy
1. Create an Amazon CloudWatch metric and alarm for CPU utilization using the AWS Management Console.
2. Using the Auto Scaling group from Exercise 5.4, edit the Auto Scaling group to include a policy that uses the CPU utilization alarm.
3. Drive CPU utilization on the monitored Amazon EC2 instance(s) up to observe Auto Scaling.
EXERCISE 5.6
Create a Web Application That Scales
1. Create a small web application architected with an Elastic Load Balancing load balancer, an Auto Scaling group spanning two Availability Zones that uses an Amazon CloudWatch metric, and an alarm attached to a scaling policy used by the Auto Scaling group.
2. Verify that Auto Scaling is operating correctly by removing instances and driving the metric up and down to force Auto Scaling.
Review Questions
1. Which of the following are required elements of an Auto Scaling group? (Choose 2 answers)
A. Minimum size
B. Health checks
C. Desired capacity
D. Launch configuration
2. You have created an Elastic Load Balancing load balancer listening on port 80, and you registered it with a single Amazon Elastic Compute Cloud (Amazon EC2) instance also listening on port 80. A client makes a request to the load balancer with the correct protocol and port for the load balancer. In this scenario, how many connections does the balancer maintain?
A. 1
B. 2
C. 3
D. 4
3. How long does Amazon CloudWatch keep metric data?
A. 1 day
B. 2 days
C. 1 week
D. 2 weeks
4. Which of the following are the minimum required elements to create an Auto Scaling launch configuration?
A. Launch configuration name, Amazon Machine Image (AMI), and instance type
B. Launch configuration name, AMI, instance type, and key pair
C. Launch configuration name, AMI, instance type, key pair, and security group
D. Launch configuration name, AMI, instance type, key pair, security group, and block device mapping
5. You are responsible for the application logging solution for your company's existing applications running on multiple Amazon EC2 instances. Which of the following is the best approach for aggregating the application logs within AWS?
A. Amazon CloudWatch custom metrics
B. Amazon CloudWatch Logs Agent
C. An Elastic Load Balancing listener
D. An internal Elastic Load Balancing load balancer
6. Which of the following must be configured on an Elastic Load Balancing load balancer to accept incoming traffic?
A. A port
B. A network interface
C. A listener
D. An instance
7. You create an Auto Scaling group in a new region that is configured with a minimum size value of 10, a maximum size value of 100, and a desired capacity value of 50. However, you notice that 30 of the Amazon Elastic Compute Cloud (Amazon EC2) instances within the Auto Scaling group fail to launch. Which of the following is the cause of this behavior?
A. You cannot define an Auto Scaling group larger than 20.
B. The Auto Scaling group maximum value cannot be more than 20.
C. You did not attach an Elastic Load Balancing load balancer to the Auto Scaling group.
D. You have not raised your default Amazon EC2 capacity (20) for the new region.
8. You want to host multiple Hypertext Transfer Protocol Secure (HTTPS) websites on a fleet of Amazon EC2 instances behind an Elastic Load Balancing load balancer with a single X.509 certificate. How must you configure the Secure Sockets Layer (SSL) certificate so that clients connecting to the load balancer are not presented with a warning when they connect?
A. Create one SSL certificate with a Subject Alternative Name (SAN) value for each website name.
B. Create one SSL certificate with the Server Name Indication (SNI) value checked.
C. Create multiple SSL certificates with a SAN value for each website name.
D. Create SSL certificates for each Availability Zone with a SAN value for each website name.
9. Your web application front end consists of multiple Amazon Elastic Compute Cloud (Amazon EC2) instances behind an Elastic Load Balancing load balancer. You have configured the load balancer to perform health checks on these Amazon EC2 instances. If an instance fails to pass health checks, which statement will be true?
A. The instance is replaced automatically by the load balancer.
B. The instance is terminated automatically by the load balancer.
C. The load balancer stops sending traffic to the instance that failed its health check.
D. The instance is quarantined by the load balancer for root cause analysis.
10. In the basic monitoring package for Amazon Elastic Compute Cloud (Amazon EC2), what Amazon CloudWatch metrics are available?
A. Web server visible metrics such as number of failed transaction requests
B. Operating system visible metrics such as memory utilization
C. Database visible metrics such as number of connections
D. Hypervisor visible metrics such as CPU utilization
11. A cell phone company is running dynamic-content television commercials for a contest. They want their website to handle traffic spikes that come after a commercial airs. The website is interactive, offering personalized content to each visitor based on location, purchase history, and the current commercial airing. Which architecture will configure Auto Scaling to scale out to respond to spikes of demand, while minimizing costs during quiet periods?
A. Set the minimum size of the Auto Scaling group so that it can handle high traffic volumes without needing to scale out.
B. Create an Auto Scaling group large enough to handle peak traffic loads, and then stop some instances. Configure Auto Scaling to scale out when traffic increases using the stopped instances, so new capacity will come online quickly.
C. Configure Auto Scaling to scale out as traffic increases. Configure the launch configuration to start new instances from a preconfigured Amazon Machine Image (AMI).
D. Use Amazon CloudFront and Amazon Simple Storage Service (Amazon S3) to cache changing content, with the Auto Scaling group set as the origin. Configure Auto Scaling to have sufficient instances necessary to initially populate CloudFront and Amazon ElastiCache, and then scale in after the cache is fully populated.
12. For an application running in the ap-northeast-1 region with three Availability Zones (ap-northeast-1a, ap-northeast-1b, and ap-northeast-1c), which instance deployment provides high availability for the application that normally requires nine running Amazon Elastic Compute Cloud (Amazon EC2) instances but can run on a minimum of 65 percent capacity while Auto Scaling launches replacement instances in the remaining Availability Zones?
A. Deploy the application on four servers in ap-northeast-1a and five servers in ap-northeast-1b, and keep five stopped instances in ap-northeast-1a as reserve.
B. Deploy the application on three servers in ap-northeast-1a, three servers in ap-northeast-1b, and three servers in ap-northeast-1c.
C. Deploy the application on six servers in ap-northeast-1b and three servers in ap-northeast-1c.
D. Deploy the application on nine servers in ap-northeast-1b, and keep nine stopped instances in ap-northeast-1a as reserve.
13. Which of the following are characteristics of the Auto Scaling service on AWS? (Choose 3 answers)
A. Sends traffic to healthy instances
B. Responds to changing conditions by adding or terminating Amazon Elastic Compute Cloud (Amazon EC2) instances
C. Collects and tracks metrics and sets alarms
D. Delivers push notifications
E. Launches instances from a specified Amazon Machine Image (AMI)
F. Enforces a minimum number of running Amazon EC2 instances
14. Why is the launch configuration referenced by the Auto Scaling group instead of being part of the Auto Scaling group?
A. It allows you to change the Amazon Elastic Compute Cloud (Amazon EC2) instance type and Amazon Machine Image (AMI) without disrupting the Auto Scaling group.
B. It facilitates rolling out a patch to an existing set of instances managed by an Auto Scaling group.
C. It allows you to change security groups associated with the instances launched without having to make changes to the Auto Scaling group.
D. All of the above
E. None of the above
15. An Auto Scaling group may use: (Choose 2 answers)
A. On-Demand Instances
B. Stopped instances
C. Spot Instances
D. On-premises instances
E. Already running instances if they use the same Amazon Machine Image (AMI) as the Auto Scaling group's launch configuration and are not already part of another Auto Scaling group
16. Amazon CloudWatch supports which types of monitoring plans? (Choose 2 answers)
A. Basic monitoring, which is free
B. Basic monitoring, which has an additional cost
C. Ad hoc monitoring, which is free
D. Ad hoc monitoring, which has an additional cost
E. Detailed monitoring, which is free
F. Detailed monitoring, which has an additional cost
17. Elastic Load Balancing health checks may be: (Choose 3 answers)
A. A ping
B. A key pair verification
C. A connection attempt
D. A page request
E. An Amazon Elastic Compute Cloud (Amazon EC2) instance status check
18. When an Amazon Elastic Compute Cloud (Amazon EC2) instance registered with an Elastic Load Balancing load balancer using connection draining is deregistered or unhealthy, which of the following will happen? (Choose 2 answers)
A. Immediately close all existing connections to that instance.
B. Keep the connections open to that instance, and attempt to complete in-flight requests.
C. Redirect the requests to a user-defined error page like "Oops this is embarrassing" or "Under Construction."
D. Forcibly close all connections to that instance after a timeout period.
E. Leave the connections open as long as the load balancer is running.
19. Elastic Load Balancing supports which of the following types of load balancers? (Choose 3 answers)
A. Cross-region
B. Internet-facing
C. Interim
D. Itinerant
E. Internal
F. Hypertext Transfer Protocol Secure (HTTPS) using Secure Sockets Layer (SSL)
20. Auto Scaling supports which of the following plans for Auto Scaling groups? (Choose 3 answers)
A. Predictive
B. Manual
C. Preemptive
D. Scheduled
E. Dynamic
F. End-user request driven
G. Optimistic
Chapter 6
AWS Identity and Access Management (IAM)
THE AWS CERTIFIED SOLUTIONS ARCHITECT ASSOCIATE EXAM OBJECTIVES COVERED IN THIS CHAPTER MAY INCLUDE, BUT ARE NOT LIMITED TO, THE FOLLOWING:
Domain 2.0: Implementation/Deployment
2.1 Identify the appropriate techniques and methods using Amazon EC2, Amazon S3, Elastic Beanstalk, CloudFormation, Amazon Virtual Private Cloud (VPC), and AWS Identity and Access Management (IAM) to code and implement a cloud solution.
Content may include the following:
Configure IAM policies and best practices
Domain 3.0: Data Security
3.1 Recognize and implement secure practices for optimum cloud deployment and maintenance.
Content may include the following:
AWS Identity and Access Management (IAM)
Introduction
In this chapter, you will learn how AWS Identity and Access Management (IAM) secures interactions with the AWS resources in your account, including:
Which principals interact with AWS through the AWS Management Console, Command Line Interface (CLI), and Software Development Kits (SDKs)
How each principal is authenticated
How IAM policies are written to specify the access privileges of principals
How IAM policies are associated with principals
How to secure your infrastructure further through Multi-Factor Authentication (MFA) and key rotation
How IAM roles can be used to delegate permissions and federate users
How to resolve multiple, possibly conflicting IAM permissions
IAM is a powerful service that allows you to control how people and programs are allowed to manipulate your AWS infrastructure. IAM uses traditional identity concepts such as users, groups, and access control policies to control who can use your AWS account, what services and resources they can use, and how they can use them. The control provided by IAM is granular enough to limit a single user to the ability to perform a single action on a specific resource from a specific IP address during a specific time window. Applications can be granted access to AWS resources whether they are running on-premises or in the cloud. This flexibility creates a very powerful system that will give you all the power you need to ensure that your AWS account users have the ability to meet your business needs while addressing all of the security concerns of your organization.
This chapter will cover the different principals that can interact with AWS and how they are authenticated. It will then discuss how to write policies that define permitted access to services, actions, and resources and associate these policies with authenticated principals. Finally, it will cover additional features of IAM that will help you secure your infrastructure, including MFA, rotating keys, federation, resolving multiple permissions, and using IAM roles.
As important as it is to know what IAM is exactly, it is equally important to understand what it is not:
First, IAM is not an identity store/authorization system for your applications. The permissions that you assign are permissions to manipulate AWS infrastructure, not permissions within your application. If you are migrating an existing on-premises application that already has its own user repository and authentication/authorization mechanism, then that should continue to work when you deploy on AWS and is probably the right choice. If your application identities are based on Active Directory, your on-premises Active Directory can be extended into the cloud to continue to fill that need. A great solution for using Active Directory in the cloud is AWS Directory Service, which is an Active Directory-compatible directory service that can work on its own or integrate with your on-premises Active Directory. Finally, if you are working with a mobile app, consider Amazon Cognito for identity management for mobile applications.
Second, IAM is not operating system identity management. Remember that under the shared responsibility model, you are in control of your operating system console and configuration. Whatever mechanism you currently use to control access to your server infrastructure will continue to work on Amazon Elastic Compute Cloud (Amazon EC2) instances, whether that is managing individual machine login accounts or a directory service such as Active Directory or Lightweight Directory Access Protocol (LDAP). You can run an Active Directory or LDAP server on Amazon EC2, or you can extend your on-premises system into the cloud. AWS Directory Service will also work well to provide Active Directory functionality in the cloud as a service, whether standalone or integrated with your existing Active Directory.
Table 6.1 summarizes the role that different authentication systems can play in your AWS environment.
TABLE 6.1 Authentication Technologies

| Use Case | Technology Solutions |
|---|---|
| Operating System Access | Active Directory; LDAP; Machine-specific accounts |
| Application Access | Active Directory; Application User Repositories; Amazon Cognito |
| AWS Resources | IAM |

IAM is controlled like most other AWS Cloud services:
Through the AWS Management Console—Like other services, the AWS Management Console is the easiest way to start learning about and manipulating a service.
With the CLI—As you learn the system, you can start scripting repeated tasks using the CLI.
Via the AWS SDKs—Eventually you may start writing your own tools and complex processes by manipulating IAM directly through the REST API via one of several SDKs.
All of these methods work to control IAM just as they work with other services. In addition, the AWS Partner Network (APN) includes a rich ecosystem of tools to manage and extend IAM.
Principals
The first IAM concept to understand is principals. A principal is an IAM entity that is allowed to interact with AWS resources. A principal can be permanent or temporary, and it can represent a human or an application. There are three types of principals: root users, IAM users, and roles/temporary security tokens.
Root User
When you first create an AWS account, you begin with only a single sign-in principal that has complete access to all AWS Cloud services and resources in the account. This principal is called the root user. As long as you have an open account with AWS, the root user for that relationship will persist. The root user can be used for both console and programmatic access to AWS resources.
The root user is similar in concept to the UNIX root or Windows Administrator account—it has full privileges to do anything in the account, including closing the account. It is strongly recommended that you do not use the root user for your everyday tasks, even the administrative ones. Instead, adhere to the best practice of using the root user only to create your first IAM user and then securely locking away the root user credentials.
IAM Users
Users are persistent identities set up through the IAM service to represent individual people or applications. You may create separate IAM users for each member of your operations team so they can interact with the console and use the CLI. You might also create dev, test, and production users for applications that need to access AWS Cloud services (although you will see later in this chapter that IAM roles may be a better solution for that use case).
IAM users can be created by principals with IAM administrative privileges at any time through the AWS Management Console, CLI, or SDKs. Users are persistent in that there is no expiration period; they are permanent entities that exist until an IAM administrator takes an action to delete them.
Users are an excellent way to enforce the principle of least privilege; that is, the concept of allowing a person or process interacting with your AWS resources to perform exactly the tasks they need but nothing else. Users can be associated with very granular policies that define these permissions. Policies will be covered in a later section.
Roles/Temporary Security Tokens
Roles and temporary security tokens are very important for advanced IAM usage, but many AWS users find them confusing. Roles are used to grant specific privileges to specific actors for a set duration of time. These actors can be authenticated by AWS or some trusted external system. When one of these actors assumes a role, AWS provides the actor with a temporary security token from the AWS Security Token Service (STS) that the actor can use to access AWS Cloud services. Requesting a temporary security token requires specifying how long the token will exist before it expires. The range of a temporary security token lifetime is 15 minutes to 36 hours.
Roles and temporary security tokens enable a number of use cases:
Amazon EC2 Roles—Granting permissions to applications running on an Amazon EC2 instance.
Cross-Account Access—Granting permissions to users from other AWS accounts, whether you control those accounts or not.
Federation—Granting permissions to users authenticated by a trusted external system.
Amazon EC2 Roles
Granting permissions to an application is always tricky, as it usually requires configuring the application with some sort of credential upon installation. This leads to issues around securely storing the credential prior to use, how to access it safely during installation, and how to secure it in the configuration. Suppose that an application running on an Amazon EC2 instance needs to access an Amazon Simple Storage Service (Amazon S3) bucket. A policy granting permission to read and write that bucket can be created and assigned to an IAM user, and the application can use the access key for that IAM user to access the Amazon S3 bucket. The problem with this approach is that the access key for the user must be accessible to the application, probably by storing it in some sort of configuration file. The process for obtaining the access key and storing it encrypted in the configuration is usually complicated and a hindrance to agile development. Additionally, the access key is at risk when being passed around. Finally, when the time comes to rotate the access key, the rotation involves performing that whole process again.
Using IAM roles for Amazon EC2 removes the need to store AWS credentials in a configuration file.
An alternative is to create an IAM role that grants the required access to the Amazon S3 bucket. When the Amazon EC2 instance is launched, the role is assigned to the instance. When the application running on the instance uses the Application Programming Interface (API) to access the Amazon S3 bucket, it assumes the role assigned to the instance and obtains a temporary token that it sends to the API. The process of obtaining the temporary token and passing it to the API is handled automatically by most of the AWS SDKs, allowing the application to make a call to access the Amazon S3 bucket without worrying about authentication. In addition to being easy for the developer, this removes any need to store an access key in a configuration file. Also, because the API access uses a temporary token, there is no fixed access key that must be rotated.
Cross-Account Access
Another common use case for IAM roles is to grant access to AWS resources to IAM users in other AWS accounts. These accounts may be other AWS accounts controlled by your company or outside agents like customers or suppliers. You can set up an IAM role with the permissions you want to grant to users in the other account, then users in the other account can assume that role to access your resources. This is highly recommended as a best practice, as opposed to distributing access keys outside your organization.
Federation
Many organizations already have an identity repository outside of AWS and would rather leverage that repository than create a new and largely duplicate repository of IAM users. Similarly, web-based applications may want to leverage web-based identities such as Facebook, Google, or Login with Amazon. IAM Identity Providers provide the ability to federate these outside identities with IAM and assign privileges to those users authenticated outside of IAM.
IAM can integrate with two different types of outside Identity Providers (IdP). For federating web identities such as Facebook, Google, or Login with Amazon, IAM supports integration via OpenID Connect (OIDC). This allows IAM to grant privileges to users authenticated with some of the major web-based IdPs. For federating internal identities, such as Active Directory or LDAP, IAM supports integration via Security Assertion Markup Language 2.0 (SAML). A SAML-compliant IdP such as Active Directory Federation Services (ADFS) is used to federate the internal directory to IAM. (Instructions for configuring many compatible products can be found on the AWS website.) In each case, federation works by returning a temporary token associated with a role to the IdP for the authenticated identity to use for calls to the AWS API. The actual role returned is determined via information received from the IdP, either attributes of the user in the on-premises identity store or the user name and authenticating service of the web identity store.
The three types of principals and their general traits are listed in Table 6.2.
TABLE 6.2 Traits of AWS Principals

| Principal | Traits |
|---|---|
| Root User | Cannot be limited; Permanent |
| IAM Users | Access controlled by policy; Durable; Can be removed by IAM administrator |
| Roles/Temporary Security Tokens | Access controlled by policy; Temporary; Expire after specific time interval |
Authentication
There are three ways that IAM authenticates a principal:
User Name/Password—When a principal represents a human interacting with the console, the human will provide a user name/password pair to verify their identity. IAM allows you to create a password policy enforcing password complexity and expiration.
Access Key—An access key is a combination of an access key ID (20 characters) and an access secret key (40 characters). When a program is manipulating the AWS infrastructure via the API, it will use these values to sign the underlying REST calls to the services. The AWS SDKs and tools handle all the intricacies of signing the REST calls, so using an access key will almost always be a matter of providing the values to the SDK or tool.
Access Key/Session Token—When a process operates under an assumed role, the temporary security token provides an access key for authentication. In addition to the access key (remember that it consists of two parts), the token also includes a session token. Calls to AWS must include both the two-part access key and the session token to authenticate.
It is important to note that when an IAM user is created, it has neither an access key nor a password, and the IAM administrator can set up either or both. This adds an extra layer of security in that console users cannot use their credentials to run a program that accesses your AWS infrastructure.
Figure 6.1 shows a summary of the different authentication methods.
FIGURE 6.1 Different identities authenticating with AWS
Authorization
After IAM has authenticated a principal, it must then manage the access of that principal to protect your AWS infrastructure. The process of specifying exactly what actions a principal can and cannot perform is called authorization. Authorization is handled in IAM by defining specific privileges in policies and associating those policies with principals.
Policies
Understanding how access management works under IAM begins with understanding policies. A policy is a JSON document that fully defines a set of permissions to access and manipulate AWS resources. Policy documents contain one or more permissions, with each permission defining:
Effect—A single word: Allow or Deny.
Service—For what service does this permission apply? Most AWS Cloud services support granting access through IAM, including IAM itself.
Resource—The resource value specifies the specific AWS infrastructure for which this permission applies. This is specified as an Amazon Resource Name (ARN). The format for an ARN varies slightly between services, but the basic format is:
"arn:aws:service:region:account-id:[resourcetype:]resource"
For some services, wildcard values are allowed; for instance, an Amazon S3 ARN could have a resource of foldername/* to indicate all objects in the specified folder. Table 6.3 displays some sample ARNs.
TABLE 6.3 Sample ARNs

| Resource | ARN Format |
|---|---|
| Amazon S3 Bucket | arn:aws:s3:us-east-1:123456789012:my_corporate_bucket/* |
| IAM User | arn:aws:iam:us-east-1:123456789012:user/David |
| Amazon DynamoDB Table | arn:aws:dynamodb:us-east-1:123456789012:table/tablename |

Action—The action value specifies the subset of actions within a service that the permission allows or denies. For instance, a permission may grant access to any read-based action for Amazon S3. A set of actions can be specified with an enumerated list or by using wildcards (Read*).
Condition—The condition value optionally defines one or more additional restrictions that limit the actions allowed by the permission. For instance, the permission might contain a condition that limits the ability to access a resource to calls that come from a specific IP address range. Another condition could restrict the permission only to apply during a specific time interval. There are many types of permissions that allow a rich variety of functionality that varies between services. See the IAM documentation for lists of supported conditions for each service.
A sample policy is shown in the following listing. This policy allows a principal to list the objects in a specific bucket and to retrieve those objects, but only if the call comes from a specific IP address.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1441716043000",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "192.168.0.1"
                }
            },
            "Resource": [
                "arn:aws:s3:::my_public_bucket/*"
            ]
        }
    ]
}
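The policy listing above, together with the ARN format and the Effect, Action, Resource and Condition fields described before it, as an added example that is not from the book or from AWS: a small Python evaluator that parses ARNs and applies the IAM decision rule (a matching explicit Deny always wins, otherwise any matching Allow grants, otherwise the request is implicitly denied) to a request's action, resource and source IP. It models only the IpAddress and NotIpAddress condition operators and fails closed on any other; the "hardened" policy variant, the /24 source range, the secrets/ prefix, the caller addresses and the request names are all constructed for the demo. One caveat the demo makes visible: s3:ListBucket is a bucket-level action evaluated against the bucket ARN itself, so the listing's single /* resource does not actually cover it, which is why the constructed variant adds the bare bucket ARN.

```python
import fnmatch
import ipaddress
import json


def parse_arn(arn):
    """Split 'arn:partition:service:region:account-id:resource' into fields.
    S3 and IAM ARNs legitimately leave region (and, for S3, account) empty."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError("not an ARN: %r" % arn)
    return dict(zip(("prefix", "partition", "service", "region", "account",
                     "resource"), parts))


def _as_list(value):  # policy fields may be one string or a list of strings
    return value if isinstance(value, list) else [value]


def _action_matches(stmt, action):
    # '*' and '?' are IAM wildcards; action names compare case-insensitively.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower())
               for p in _as_list(stmt["Action"]))


def _resource_matches(stmt, resource):
    parse_arn(resource)  # reject a malformed request ARN early
    return any(fnmatch.fnmatchcase(resource, p)
               for p in _as_list(stmt.get("Resource", "*")))


def _condition_holds(stmt, context):
    # Only IpAddress / NotIpAddress on aws:SourceIp are modelled; any other
    # operator or key fails closed, so an unknown condition can never grant.
    for operator, pairs in stmt.get("Condition", {}).items():
        if operator not in ("IpAddress", "NotIpAddress"):
            return False
        for key, cidrs in pairs.items():
            if key != "aws:SourceIp" or key not in context:
                return False
            ip = ipaddress.ip_address(context[key])
            in_range = any(ip in ipaddress.ip_network(c, strict=False)
                           for c in _as_list(cidrs))
            if in_range != (operator == "IpAddress"):
                return False
    return True


def evaluate(policies, action, resource, context):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request:
    a matching Deny always wins, a matching Allow grants, else deny."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if (_action_matches(stmt, action) and _resource_matches(stmt, resource)
                    and _condition_holds(stmt, context)):
                if stmt["Effect"] == "Deny":
                    return "ExplicitDeny"
                allowed = True
    return "Allow" if allowed else "ImplicitDeny"


# The listing from the text, parsed from JSON exactly as a policy would be.
PAGE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "Stmt1441716043000",
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Condition": {"IpAddress": {"aws:SourceIp": "192.168.0.1"}},
    "Resource": ["arn:aws:s3:::my_public_bucket/*"]}]}""")

# Constructed hardened variant: the bucket ARN is added (s3:ListBucket is a
# bucket-level action), the range is a /24, and a Deny fences off one prefix.
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Condition": {"IpAddress": {"aws:SourceIp": "192.168.0.0/24"}},
     "Resource": ["arn:aws:s3:::my_public_bucket",
                  "arn:aws:s3:::my_public_bucket/*"]},
    {"Effect": "Deny", "Action": "s3:*",
     "Resource": "arn:aws:s3:::my_public_bucket/secrets/*"}]}

BUCKET = "arn:aws:s3:::my_public_bucket"
OFFICE = {"aws:SourceIp": "192.168.0.1"}  # constructed caller addresses
OUTSIDE = {"aws:SourceIp": "10.0.0.5"}


def demo():
    """The requests a reviewer would check against both policies."""
    obj, secret = BUCKET + "/index.html", BUCKET + "/secrets/key.txt"
    return {
        "get_from_office": evaluate([PAGE_POLICY], "s3:GetObject", obj, OFFICE),
        "get_from_elsewhere": evaluate([PAGE_POLICY], "s3:GetObject", obj, OUTSIDE),
        # The page's single /* resource does not cover the bucket ARN itself.
        "list_page_policy": evaluate([PAGE_POLICY], "s3:ListBucket", BUCKET, OFFICE),
        "list_hardened": evaluate([HARDENED_POLICY], "s3:ListBucket", BUCKET, OFFICE),
        # The Deny statement wins even though the Allow statement also matches.
        "secrets_from_office": evaluate([HARDENED_POLICY], "s3:GetObject", secret, OFFICE),
    }
```

Calling demo() returns Allow, ImplicitDeny, ImplicitDeny, Allow and ExplicitDeny for the five requests in order.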
Associating Policies with Principals
There are several ways to associate a policy with an IAM user; this section will only cover the most common.
A policy can be associated directly with an IAM user in one of two ways:
User Policy—These policies exist only in the context of the user to which they are attached. In the console, a user policy is entered into the user interface on the IAM user page.
Managed Policies—These policies are created in the Policies tab on the IAM page (or through the CLI, and so forth) and exist independently of any individual user. In this way, the same policy can be associated with many users or groups of users. There are a large number of predefined managed policies that you can review on the Policies tab of the IAM page in the AWS Management Console. In addition, you can write your own policies specific to your use cases.
Using predefined managed policies ensures that when new permissions are added for new features, your users will still have the correct access.
The other common method for associating policies with users is with the IAM groups feature. Groups simplify managing permissions for large numbers of users. After a policy is assigned to a group, any user who is a member of that group assumes those permissions. This makes it simpler to assign policies to an entire team in your organization. For instance, if you create an "Operations" group with every IAM user for your operations team assigned to that group, then it is a simple matter to associate the needed permissions to the group, and all of the team's IAM users will assume those permissions. New IAM users can then be assigned directly to the group.
ThisisamuchsimplermanagementprocessthanhavingtoreviewwhatpoliciesanewIAMuserfortheoperationsteamshouldreceiveandmanuallyaddingthosepoliciestotheuser.TherearetwowaysapolicycanbeassociatedwithanIAMgroup:
GroupPolicy—Thesepoliciesexistonlyinthecontextofthegrouptowhichtheyareattached.IntheAWSManagementConsole,agrouppolicyisenteredintotheuserinterfaceontheIAMGrouppage.
ManagedPolicies—Inthesamewaythatmanagedpolicies(discussedinthe“Authorization”section)canbeassociatedwithIAMusers,theycanalsobeassociatedwithIAMgroups.
Figure6.2showsthedifferentwaysthatpolicescanbeassociatedwithanIAMUser.
FIGURE6.2AssociatingIAMuserswithpolicies
A good first step is to use the root user to create a new IAM group called “IAMAdministrators” and assign the managed policy, “IAMFullAccess.” Then create a new IAM user called “Administrator,” assign a password, and add it to the IAMAdministrators group. At this point, you can log off as the root user and perform all further administration with the IAM user account.

The final way an actor can be associated with a policy is by assuming a role. In this case, the actor can be:

An authenticated IAM user (person or process). In this case, the IAM user must have the rights to assume the role.

A person or process authenticated by a trusted service outside of AWS, such as an on-premises LDAP directory or a web authentication service. In this situation, an AWS Cloud service will assume the role on the actor’s behalf and return a token to the actor.

After an actor has assumed a role, it is provided with a temporary security token associated with the policies of that role. The token contains all the information required to authenticate API calls. This information includes a standard access key plus an additional session token required for authenticating calls under an assumed role.
Other Key Features

Beyond the critical concepts of principals, authentication, and authorization, there are several other features of the IAM service that are important to understand to realize the full benefits of IAM.

Multi-Factor Authentication (MFA)

Multi-Factor Authentication (MFA) can add an extra layer of security to your infrastructure by adding a second method of authentication beyond just a password or access key. With MFA, authentication also requires entering a One-Time Password (OTP) from a small device. The MFA device can be either a small hardware device you carry with you or a virtual device via an app on your smartphone (for example, the AWS Virtual MFA app).

MFA requires you to verify your identity with both something you know and something you have.

MFA can be assigned to any IAM user account, whether the account represents a person or application. When a person using an IAM user configured with MFA attempts to access the AWS Management Console, after providing their password they will be prompted to enter the current code displayed on their MFA device before being granted access. An application using an IAM user configured with MFA must query the application user to provide the current code, which the application will then pass to the API.

It is strongly recommended that AWS customers add MFA protection to their root user.

Rotating Keys

The security risk of any credential increases with the age of the credential. To this end, it is a security best practice to rotate access keys associated with your IAM users. IAM facilitates this process by allowing two active access keys at a time. The process to rotate keys can be conducted via the console, CLI, or SDKs:

1. Create a new access key for the user.
2. Reconfigure all applications to use the new access key.
3. Disable the original access key (disabling instead of deleting at this stage is critical, as it allows rollback to the original key if there are issues with the rotation).
4. Verify the operation of all applications.
5. Delete the original access key.

Access keys should be rotated on a regular schedule.
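The five-step rotation above as a script, added here as an example rather than code from the book. It runs against a constructed in-memory stand-in for the IAM access-key API (the stand-in's method names and keyword arguments follow boto3's `iam` client, but it is not boto3), so it runs offline; `reconfigure` and `verify` are hypothetical callbacks standing in for steps 2 and 4.

```python
"""The five-step key rotation from the text, with rollback at step 3 and a schedule check."""
import secrets
from datetime import datetime, timedelta, timezone


class FakeIamClient:
    """Constructed in-memory stand-in for the IAM access-key API so the procedure runs
    offline. Method names and keyword arguments mirror boto3's iam client
    (create_access_key, list_access_keys, update_access_key, delete_access_key), and
    it enforces the limit of two access keys per user."""

    MAX_KEYS_PER_USER = 2

    def __init__(self):
        self._keys = {}  # UserName -> list of key metadata dicts

    def _find(self, user, key_id):
        for key in self._keys.get(user, []):
            if key["AccessKeyId"] == key_id:
                return key
        raise KeyError(f"NoSuchEntity: {key_id}")

    def create_access_key(self, UserName):
        keys = self._keys.setdefault(UserName, [])
        if len(keys) >= self.MAX_KEYS_PER_USER:
            raise RuntimeError("LimitExceeded: a user may have at most two access keys")
        key = {"UserName": UserName,
               "AccessKeyId": "AKIA" + secrets.token_hex(8).upper(),  # constructed id
               "Status": "Active",
               "CreateDate": datetime.now(timezone.utc)}
        keys.append(key)
        # The secret half is returned only once, at creation time, as IAM does.
        return {"AccessKey": dict(key, SecretAccessKey=secrets.token_urlsafe(30))}

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [dict(k) for k in self._keys.get(UserName, [])]}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self._find(UserName, AccessKeyId)["Status"] = Status

    def delete_access_key(self, UserName, AccessKeyId):
        self._keys[UserName].remove(self._find(UserName, AccessKeyId))


def rotate_access_key(iam, user, reconfigure, verify):
    """Steps 1-5 from the text. `reconfigure(key_id, secret)` repoints the applications
    at the new key and `verify()` reports whether they still work. Returns
    (new_key_id, old_key_id)."""
    keys = iam.list_access_keys(UserName=user)["AccessKeyMetadata"]
    if len(keys) != 1:
        # Two keys would mean an earlier rotation never finished; zero means no key.
        raise RuntimeError(f"{user} has {len(keys)} keys; rotation needs exactly one")
    old_id = keys[0]["AccessKeyId"]

    new = iam.create_access_key(UserName=user)["AccessKey"]                      # step 1
    reconfigure(new["AccessKeyId"], new["SecretAccessKey"])                       # step 2
    iam.update_access_key(UserName=user, AccessKeyId=old_id, Status="Inactive")  # step 3
    if not verify():                                                              # step 4
        # Disabling rather than deleting is what makes this rollback possible.
        iam.update_access_key(UserName=user, AccessKeyId=old_id, Status="Active")
        raise RuntimeError("applications failed on the new key; original key re-enabled")
    iam.delete_access_key(UserName=user, AccessKeyId=old_id)                      # step 5
    return new["AccessKeyId"], old_id


def keys_due_for_rotation(iam, user, max_age_days, now=None):
    """Schedule check: ids of keys at least max_age_days old (risk grows with age)."""
    now = now or datetime.now(timezone.utc)
    return [k["AccessKeyId"]
            for k in iam.list_access_keys(UserName=user)["AccessKeyMetadata"]
            if now - k["CreateDate"] >= timedelta(days=max_age_days)]


if __name__ == "__main__":
    iam = FakeIamClient()
    iam.create_access_key(UserName="Administrator")
    new_id, old_id = rotate_access_key(
        iam, "Administrator",
        reconfigure=lambda key_id, secret: print("applications now use", key_id),
        verify=lambda: True)
    print("rotated", old_id, "->", new_id)
    print(iam.list_access_keys(UserName="Administrator"))
```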
Resolving Multiple Permissions

Occasionally, multiple permissions will be applicable when determining whether a principal has the privilege to perform some action. These permissions may come from multiple policies associated with a principal or resource policies attached to the AWS resource in question. It is important to know how conflicts between these permissions are resolved:

1. Initially the request is denied by default.
2. All the appropriate policies are evaluated; if there is an explicit “deny” found in any policy, the request is denied and evaluation stops.
3. If no explicit “deny” is found and an explicit “allow” is found in any policy, the request is allowed.
4. If there are no explicit “allow” or “deny” permissions found, then the default “deny” is maintained and the request is denied.

The only exception to this rule is if an AssumeRole call includes a role and a policy, the policy cannot expand the privileges of the role (for example, the policy cannot override any permission that is denied by default in the role).
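The four evaluation steps above, modelled in code so the outcomes can be checked: an added example, not code from the book or from AWS. It evaluates the IP-restricted S3 policy shown earlier in the chapter together with a constructed explicit-Deny policy in the shape of Exercise 6.7; only the IpAddress and StringEquals condition operators are modelled, and the wildcard matching is a simplification of IAM's.

```python
"""Model of the IAM evaluation order: deny by default, an explicit Deny in any
applicable statement wins, otherwise an explicit Allow permits."""
import ipaddress
import re

# The policy from the text above (Version written as the valid "2012-10-17").
IP_RESTRICTED_S3_READ = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Stmt1441716043000",
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Condition": {"IpAddress": {"aws:SourceIp": "192.168.0.1"}},
        "Resource": ["arn:aws:s3:::my_public_bucket/*"],
    }],
}

# Constructed policy in the shape of Exercise 6.7: an explicit Deny on all S3 actions.
DENY_ALL_S3 = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "s3:*", "Resource": "*"}],
}


def _as_list(value):
    """IAM lets Action, Resource and condition values be a string or a list."""
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, value, case_sensitive):
    # In IAM policy elements, * matches any run of characters and ? one character.
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, 0 if case_sensitive else re.IGNORECASE) is not None


def _condition_holds(condition, context):
    """Every operator/key pair must hold; a key missing from the request context fails."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "IpAddress":
                addr = ipaddress.ip_address(actual)
                # A bare address such as 192.168.0.1 is treated as a /32 network.
                if not any(addr in ipaddress.ip_network(w, strict=False)
                           for w in _as_list(wanted)):
                    return False
            elif operator == "StringEquals":
                if actual not in _as_list(wanted):
                    return False
            else:
                raise NotImplementedError(f"condition operator {operator} not modelled")
    return True


def _statement_applies(stmt, action, resource, context):
    # Action names are case-insensitive in IAM; resource ARNs are compared as written.
    if not any(_wildcard_match(p, action, False) for p in _as_list(stmt.get("Action", []))):
        return False
    if not any(_wildcard_match(p, resource, True) for p in _as_list(stmt.get("Resource", []))):
        return False
    return _condition_holds(stmt.get("Condition", {}), context)


def evaluate(policies, action, resource, context=None):
    """Return "Allow" or "Deny" for one request against all applicable policies.

    1. Start from the default Deny.
    2. An explicit Deny in any applicable statement denies and stops evaluation.
    3. Otherwise an explicit Allow in any applicable statement allows.
    4. With neither, the default Deny stands.
    """
    context = context or {}
    explicit_allow = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _statement_applies(stmt, action, resource, context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            explicit_allow = True
    return "Allow" if explicit_allow else "Deny"


if __name__ == "__main__":
    obj = "arn:aws:s3:::my_public_bucket/report.csv"
    from_office = {"aws:SourceIp": "192.168.0.1"}
    print(evaluate([IP_RESTRICTED_S3_READ], "s3:GetObject", obj, from_office))              # Allow
    print(evaluate([IP_RESTRICTED_S3_READ], "s3:GetObject", obj, {"aws:SourceIp": "10.0.0.5"}))  # Deny
    print(evaluate([IP_RESTRICTED_S3_READ, DENY_ALL_S3], "s3:GetObject", obj, from_office))  # Deny
```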
Summary

IAM is a powerful service that gives you the ability to control which people and applications can access your AWS account at a very granular level. Because the root user in an AWS account cannot be limited, you should set up IAM users and temporary security tokens for your people and processes to interact with AWS.

Policies define what actions can and cannot be taken. Policies are associated with IAM users either directly or through group membership. A temporary security token is associated with a policy by assuming an IAM role. You can write your own policies or use one of the managed policies provided by AWS.

Common use cases for IAM roles include federating identities from external IdPs, assigning privileges to an Amazon EC2 instance where they can be assumed by applications running on the instance, and cross-account access.

IAM user accounts can be further secured by rotating keys, implementing MFA, and adding conditions to policies. MFA ensures that authentication is based on something you have in addition to something you know, and conditions can add further restrictions such as limiting client IP address ranges or setting a particular time interval.
Exam Essentials

Know the different principals in IAM. The three principals that can authenticate and interact with AWS resources are the root user, IAM users, and roles. The root user is associated with the actual AWS account and cannot be restricted in any way. IAM users are persistent identities that can be controlled through IAM. Roles allow people or processes the ability to operate temporarily with a different identity. People or processes assume a role by being granted a temporary security token that will expire after a specified period of time.

Know how principals are authenticated in IAM. When you log in to the AWS Management Console as an IAM user or root user, you use a username/password combination. A program that accesses the API with an IAM user or root user uses a two-part access key. A temporary security token authenticates with an access key plus an additional session token unique to that temporary security token.

Know the parts of a policy. A policy is a JSON document that defines one or more permissions to interact with AWS resources. Each permission includes the effect, service, action, and resource. It may also include one or more conditions. AWS makes many predefined policies available as managed policies.

Know how a policy is associated with a principal. An authenticated principal is associated with zero to many policies. For an IAM user, these policies may be attached directly to the user account or attached to an IAM group of which the user account is a member. A temporary security token is associated with policies by assuming an IAM role.

Understand MFA. MFA increases the security of an AWS account by augmenting the password (something you know) with a rotating OTP from a small device (something you have), ensuring that anyone authenticating the account has both knowledge of the password and possession of the device. AWS supports both Gemalto hardware MFA devices and a number of virtual MFA apps.

Understand key rotation. To protect your AWS infrastructure, access keys should be rotated regularly. AWS allows two access keys to be valid simultaneously to make the rotation process straightforward: Generate a new access key, configure your application to use the new access key, test, disable the original access key, test, delete the original access key, and test again.

Understand IAM roles and federation. IAM roles are prepackaged sets of permissions that have no credentials. Principals can assume a role and then use the associated permissions. When a temporary security token is created, it assumes a role that defines the permissions assigned to the token. When an Amazon EC2 instance is associated with an IAM role, SDK calls acquire a temporary security token based on the role associated with the instance and use that token to access AWS resources.

Roles are the basis for federating external IdPs with AWS. You configure an IAM IdP to interact with the external IdP, the authenticated identity from the IdP is mapped to a role, and a temporary security token is returned that has assumed that role. AWS supports both SAML and OIDC IdPs.

Know how to resolve conflicting permissions. Resolving multiple permissions is relatively straightforward. If an action on a resource has not been explicitly allowed by a policy, it is denied. If two policies contradict each other; that is, if one policy allows an action on a resource and another policy denies that action, the action is denied. While this sounds improbable, it may occur due to scope differences in a policy. One policy may expose an entire fleet of Amazon EC2 instances, and a second policy may explicitly lock down one particular instance.
Exercises

For assistance in completing the following exercises, refer to the IAM User Guide at http://docs.aws.amazon.com/IAM/latest/UserGuide/.

EXERCISE 6.1

Create an IAM Group

In this exercise, you will create a group for all IAM administrator users and assign the proper permissions to the new group. This will allow you to avoid assigning policies directly to a user later in these exercises.

1. Log in as the root user.
2. Create an IAM group called Administrators.
3. Attach the managed policy, IAMFullAccess, to the Administrators group.

EXERCISE 6.2

Create a Customized Sign-In Link and Password Policy

In this exercise, you will set up your account with some basic IAM safeguards. The password policy is a recommended security practice, and the sign-in link makes it easier for your users to log in to the AWS Management Console.

1. Customize a sign-in link, and write down the new link name in full.
2. Create a password policy for your account.

EXERCISE 6.3

Create an IAM User

In this exercise, you will create an IAM user who can perform all administrative IAM functions. Then you will log in as that user so that you no longer need to use the root user login. Using the root user login only when explicitly required is a recommended security practice (along with adding MFA to your root user).

1. While logged in as the root user, create a new IAM user called Administrator.
2. Add your new user to the Administrators group.
3. On the Details page for the administrator user, create a password.
4. Log out as the root user.
5. Use the customized sign-in link to sign in as Administrator.
EXERCISE 6.4

Create and Use an IAM Role

In this exercise, you will create an IAM role, associate it with a new instance, and verify that applications running on the instance assume the permissions of the role. IAM roles allow you to avoid storing access keys on your Amazon EC2 instances.

1. While signed in as administrator, create an Amazon EC2-type role named S3Client.
2. Attach the managed policy, AmazonS3ReadOnlyAccess, to S3Client.
3. Launch an Amazon Linux EC2 instance with the new role attached (Amazon Linux AMIs come with the CLI installed).
4. SSH into the new instance, and use the CLI to list the contents of an Amazon S3 bucket.

EXERCISE 6.5

Rotate Keys

In this exercise, you will go through the process of rotating access keys, a recommended security practice.

1. Select the administrator, and create a two-part access key.
2. Download the access key.
3. Download and install the CLI to your desktop.
4. Configure the CLI to use the access key with the AWS Configure command.
5. Use the CLI to list the contents of an Amazon S3 bucket.
6. Return to the console, and create a new access key for the administrator account.
7. Download the access key, and reconfigure the CLI to use the new access key.
8. In the console, make the original access key inactive.
9. Confirm that you are using the new access key by once again listing the contents of the Amazon S3 bucket.
10. Delete the original access key.
EXERCISE 6.6

Set Up MFA

In this exercise, you will add MFA to your IAM administrator. You will use a virtual MFA application for your phone. MFA is a security recommendation on powerful accounts such as IAM administrators.

1. Download the AWS Virtual MFA app to your phone.
2. Select the administrator user, and manage the MFA device.
3. Go through the steps to activate a Virtual MFA device.
4. Log off as administrator.
5. Log in as administrator, and enter the MFA value to complete the authentication process.

EXERCISE 6.7

Resolve Conflicting Permissions

In this exercise, you will add a policy to your IAM administrator user with a conflicting permission. You will then attempt actions that verify how IAM resolves conflicting permissions.

1. Use the policy generator to create a new policy.
2. Create the policy with Effect: Deny; AWS Service: Amazon S3; Actions: *; and ARN: *.
3. Attach the new policy to the Administrators group.
4. Use the CLI to attempt to list the contents of an Amazon S3 bucket. The policy that allows access and the policy that denies access should resolve to deny access.
Review Questions

1. Which of the following methods will allow an application using an AWS SDK to be authenticated as a principal to access AWS Cloud services? (Choose 2 answers)
A. Create an IAM user and store the user name and password for the user in the application’s configuration.
B. Create an IAM user and store both parts of the access key for the user in the application’s configuration.
C. Run the application on an Amazon EC2 instance with an assigned IAM role.
D. Make all the API calls over an SSL connection.

2. Which of the following are found in an IAM policy? (Choose 2 answers)
A. Service Name
B. Region
C. Action
D. Password

3. Your AWS account administrator left your company today. The administrator had access to the root user and a personal IAM administrator account. With these accounts, he generated other IAM accounts and keys. Which of the following should you do today to protect your AWS infrastructure? (Choose 4 answers)
A. Change the password and add MFA to the root user.
B. Put an IP restriction on the root user.
C. Rotate keys and change passwords for IAM accounts.
D. Delete all IAM accounts.
E. Delete the administrator’s personal IAM account.
F. Relaunch all Amazon EC2 instances with new roles.

4. Which of the following actions can be authorized by IAM? (Choose 2 answers)
A. Installing ASP.NET on a Windows Server
B. Launching an Amazon Linux EC2 instance
C. Querying an Oracle database
D. Adding a message to an Amazon Simple Queue Service (Amazon SQS) queue

5. Which of the following are IAM security features? (Choose 2 answers)
A. Password policies
B. Amazon DynamoDB global secondary indexes
C. MFA
D. Consolidated Billing

6. Which of the following are benefits of using Amazon EC2 roles? (Choose 2 answers)
A. No policies are required.
B. Credentials do not need to be stored on the Amazon EC2 instance.
C. Key rotation is not necessary.
D. Integration with Active Directory is automatic.

7. Which of the following are based on temporary security tokens? (Choose 2 answers)
A. Amazon EC2 roles
B. MFA
C. Root user
D. Federation

8. Your security team is very concerned about the vulnerability of the IAM administrator user accounts (the accounts used to configure all IAM features and accounts). What steps can be taken to lock down these accounts? (Choose 3 answers)
A. Add multi-factor authentication (MFA) to the accounts.
B. Limit logins to a particular U.S. state.
C. Implement a password policy on the AWS account.
D. Apply a source IP address condition to the policy that only grants permissions when the user is on the corporate network.
E. Add a CAPTCHA test to the accounts.

9. You want to grant the individuals on your network team the ability to fully manipulate Amazon EC2 instances. Which of the following accomplish this goal? (Choose 2 answers)
A. Create a new policy allowing EC2:* actions, and name the policy NetworkTeam.
B. Assign the managed policy, EC2FullAccess, to a group named NetworkTeam, and assign all the team members’ IAM user accounts to that group.
C. Create a new policy that grants EC2:* actions on all resources, and assign that policy to each individual’s IAM user account on the network team.
D. Create a NetworkTeam IAM group, and have each team member log in to the AWS Management Console using the user name/password for the group.

10. What is the format of an IAM policy?
A. XML
B. Key/value pairs
C. JSON
D. Tab-delimited text
Chapter 7 Databases and AWS

THE AWS CERTIFIED SOLUTIONS ARCHITECT ASSOCIATE EXAM OBJECTIVES COVERED IN THIS CHAPTER MAY INCLUDE, BUT ARE NOT LIMITED TO, THE FOLLOWING:

Domain 1.0: Designing highly available, cost-efficient, fault-tolerant, and scalable systems

1.1 Identify and recognize cloud architecture considerations, such as fundamental components and effective designs.

Content may include the following:

Planning and design
Architectural trade-off decisions (Amazon Relational Database Service [Amazon RDS] vs. installing on Amazon Elastic Compute Cloud [Amazon EC2])
Best practices for AWS architecture
Recovery Time Objective (RTO) and Recovery Point Objective (RPO) Disaster Recovery (DR) design
Elasticity and scalability

Domain 3.0: Data Security

3.1 Recognize and implement secure practices for optimum cloud deployment and maintenance.

Content may include the following:

AWS administration and security services
Design patterns

3.2 Recognize critical disaster recovery techniques and their implementation.

This chapter will cover essential database concepts and introduce three of Amazon’s managed database services: Amazon Relational Database Service (Amazon RDS), Amazon DynamoDB, and Amazon Redshift. These managed services simplify the setup and operation of relational databases, NoSQL databases, and data warehouses.

This chapter focuses on key topics you need to understand for the exam, including:
The differences among a relational database, a NoSQL database, and a data warehouse
The benefits and tradeoffs between running a database on Amazon EC2 or on Amazon RDS
How to deploy database engines into the cloud
How to back up and recover your database and meet your Recovery Point Objective (RPO) and Recovery Time Objective (RTO) requirements
How to build highly available database architectures
How to scale your database compute and storage vertically
How to select the right type of storage volume
How to use read replicas to scale horizontally
How to design and scale an Amazon DynamoDB table
How to read and write from an Amazon DynamoDB table
How to use secondary indexes to speed queries
How to design an Amazon Redshift table
How to load and query an Amazon Redshift data warehouse
How to secure your databases, tables, and clusters
Database Primer

Almost every application relies on a database to store important data and records for its users. A database engine allows your application to access, manage, and search large volumes of data records. In a well-architected application, the database will need to meet the performance demands, the availability needs, and the recoverability characteristics of the system.

Database systems and engines can be grouped into two broad categories: Relational Database Management Systems (RDBMS) and NoSQL (or non-relational) databases. It is not uncommon to build an application using a combination of RDBMS and NoSQL databases. A strong understanding of essential database concepts, Amazon RDS, and Amazon DynamoDB is required to pass this exam.

Relational Databases

The most common type of database in use today is the relational database. The relational database has roots going back to the 1970s when Edgar F. Codd, working for IBM, developed the concepts of the relational model. Today, relational databases power all types of applications from social media apps, e-commerce websites, and blogs to complex enterprise applications. Commonly used relational database software packages include MySQL, PostgreSQL, Microsoft SQL Server, and Oracle.

Relational databases provide a common interface that lets users read and write from the database using commands or queries written using Structured Query Language (SQL). A relational database consists of one or more tables, and a table consists of columns and rows similar to a spreadsheet. A database column contains a specific attribute of the record, such as a person’s name, address, and telephone number. Each attribute is assigned a data type such as text, number, or date, and the database engine will reject invalid inputs.

A database row comprises an individual record, such as the details about a student who attends a school. Consider the example in Table 7.1.

TABLE 7.1 Students Table

| Student ID | First Name | Last Name | Gender | Age |
|---|---|---|---|---|
| 1001 | Joe | Dusty | M | 29 |
| 1002 | Andrea | Romanov | F | 20 |
| 1003 | Ben | Johnson | M | 30 |
| 1004 | Beth | Roberts | F | 30 |

This is an example of a basic table that would sit in a relational database. There are five fields with different data types:

Student ID = Number or integer
First Name = String
Last Name = String
Gender = String (Character Length = 1)
Age = Integer

This sample table has four records, with each record representing an individual student. Each student has a Student ID field, which is usually a unique number per student. A unique number that identifies each student can be called a primary key.

One record in a table can relate to a record in another table by referencing the primary key of a record. This pointer or reference is called a foreign key. For example, the Grades table that records scores for each student would have its own primary key and an additional column known as a foreign key that refers to the primary key of the student record. By referencing the primary keys of other tables, relational databases minimize duplication of data in associated tables. With relational databases, it is important to note that the structure of the table (such as the number of columns and data type of each column) must be defined prior to data being added to the table.
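Table 7.1 and the Grades table described above as a working schema, added here as an example that is not from the book: the Students table carries the primary key, Grades references it through a foreign key, and the engine rejects rows that violate the declared types, the one-character Gender rule, or the reference. The Grades columns (GradeID, Course, Score) are constructed, and the example uses Python's built-in sqlite3 so it runs offline.

```python
"""Students (Table 7.1) and a Grades table joined to it by a foreign key, in SQLite."""
import sqlite3

# Rows of Table 7.1 from the text.
STUDENTS = [
    (1001, "Joe", "Dusty", "M", 29),
    (1002, "Andrea", "Romanov", "F", 20),
    (1003, "Ben", "Johnson", "M", 30),
    (1004, "Beth", "Roberts", "F", 30),
]


def build_school_db():
    """Create Students and Grades in memory; the structure exists before any data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite ignores foreign keys unless enabled
    conn.executescript("""
        CREATE TABLE Students (
            StudentID INTEGER PRIMARY KEY,                          -- primary key
            FirstName TEXT    NOT NULL,
            LastName  TEXT    NOT NULL,
            Gender    TEXT    NOT NULL CHECK (length(Gender) = 1),  -- character length 1
            Age       INTEGER NOT NULL CHECK (typeof(Age) = 'integer')
        );
        CREATE TABLE Grades (
            GradeID   INTEGER PRIMARY KEY,
            StudentID INTEGER NOT NULL REFERENCES Students(StudentID),  -- foreign key
            Course    TEXT    NOT NULL,
            Score     INTEGER NOT NULL CHECK (Score BETWEEN 0 AND 100)
        );
    """)
    conn.executemany("INSERT INTO Students VALUES (?, ?, ?, ?, ?)", STUDENTS)
    conn.commit()
    return conn


def insert_student(conn, row):
    """Return True if the engine accepted the row, False if a constraint rejected it
    (duplicate primary key, Gender longer than one character, non-integer Age)."""
    try:
        with conn:
            conn.execute("INSERT INTO Students VALUES (?, ?, ?, ?, ?)", row)
        return True
    except sqlite3.IntegrityError:
        return False


def insert_grade(conn, student_id, course, score):
    """Return True if accepted; False when StudentID refers to no student (foreign key
    violation) or the score is out of range."""
    try:
        with conn:
            conn.execute("INSERT INTO Grades (StudentID, Course, Score) VALUES (?, ?, ?)",
                         (student_id, course, score))
        return True
    except sqlite3.IntegrityError:
        return False


def report_card(conn):
    """Join Grades back to Students through the foreign key; names are stored once."""
    return conn.execute("""
        SELECT s.FirstName, s.LastName, g.Course, g.Score
        FROM Grades g JOIN Students s ON s.StudentID = g.StudentID
        ORDER BY s.StudentID, g.Course
    """).fetchall()


if __name__ == "__main__":
    db = build_school_db()
    insert_grade(db, 1001, "Math", 91)
    insert_grade(db, 1002, "Math", 88)
    print(insert_grade(db, 9999, "Math", 70))                  # False: no such student
    print(insert_student(db, (1001, "Dup", "Key", "M", 20)))   # False: duplicate primary key
    print(report_card(db))
```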
A relational database can be categorized as either an Online Transaction Processing (OLTP) or Online Analytical Processing (OLAP) database system, depending on how the tables are organized and how the application uses the relational database. OLTP refers to transaction-oriented applications that are frequently writing and changing data (for example, data entry and e-commerce). OLAP is typically the domain of data warehouses and refers to reporting or analyzing large data sets. Large applications often have a mix of both OLTP and OLAP databases.

Amazon Relational Database Service (Amazon RDS) significantly simplifies the setup and maintenance of OLTP and OLAP databases. Amazon RDS provides support for six popular relational database engines: MySQL, Oracle, PostgreSQL, Microsoft SQL Server, MariaDB, and Amazon Aurora. You can also choose to run nearly any database engine using Windows or Linux Amazon Elastic Compute Cloud (Amazon EC2) instances and manage the installation and administration yourself.

Data Warehouses

A data warehouse is a central repository for data that can come from one or more sources. This data repository is often a specialized type of relational database that can be used for reporting and analysis via OLAP. Organizations typically use data warehouses to compile reports and search the database using highly complex queries.

Data warehouses are also typically updated on a batch schedule multiple times per day or per hour, compared to an OLTP relational database that can be updated thousands of times per second. Many organizations split their relational databases into two different databases: one database as their main production database for OLTP transactions, and the other database as their data warehouse for OLAP. OLTP transactions occur frequently and are relatively simple. OLAP transactions occur much less frequently but are much more complex.

Amazon RDS is often used for OLTP workloads, but it can also be used for OLAP. Amazon Redshift is a high-performance data warehouse designed specifically for OLAP use cases. It is also common to combine Amazon RDS with Amazon Redshift in the same application and periodically extract recent transactions and load them into a reporting database.
NoSQL Databases

NoSQL databases have gained significant popularity in recent years because they are often simpler to use, more flexible, and can achieve performance levels that are difficult or impossible with traditional relational databases. Traditional relational databases are difficult to scale beyond a single server without significant engineering and cost, but a NoSQL architecture allows for horizontal scalability on commodity hardware.

NoSQL databases are non-relational and do not have the same table and column semantics of a relational database. NoSQL databases are instead often key/value stores or document stores with flexible schemas that can evolve over time or vary. Contrast that to a relational database, which requires a very rigid schema.

Many of the concepts of NoSQL architectures trace their foundational concepts back to whitepapers published in 2006 and 2007 that described distributed systems like Dynamo at Amazon. Today, many application teams use HBase, MongoDB, Cassandra, CouchDB, Riak, and Amazon DynamoDB to store large volumes of data with high transaction rates. Many of these database engines support clustering and scale horizontally across many machines for performance and fault tolerance. A common use case for NoSQL is managing user session state, user profiles, shopping cart data, or time-series data.

You can run any type of NoSQL database on AWS using Amazon EC2, or you can choose a managed service like Amazon DynamoDB to deal with the heavy lifting involved with building a distributed cluster spanning multiple data centers.
![Page 218: Certified Solutions Architect Official Guide/AWS Certified... · Chapter 1: Introduction to AWS Chapter 2: Amazon Simple Storage Service (Amazon S3) and Amazon Glacier Storage Chapter](https://reader034.vdocuments.us/reader034/viewer/2022051812/602c405cb445ae68a568d84c/html5/thumbnails/218.jpg)
AmazonRelationalDatabaseService(AmazonRDS)AmazonRDSisaservicethatsimplifiesthesetup,operations,andscalingofarelationaldatabaseonAWS.WithAmazonRDS,youcanspendmoretimefocusingontheapplicationandtheschemaandletAmazonRDSoffloadcommontaskslikebackups,patching,scaling,andreplication.
AmazonRDShelpsyoutostreamlinetheinstallationofthedatabasesoftwareandalsotheprovisioningofinfrastructurecapacity.Withinafewminutes,AmazonRDScanlaunchoneofmanypopulardatabaseenginesthatisreadytostarttakingSQLtransactions.Aftertheinitiallaunch,AmazonRDSsimplifiesongoingmaintenancebyautomatingcommonadministrativetasksonarecurringbasis.
WithAmazonRDS,youcanaccelerateyourdevelopmenttimelinesandestablishaconsistentoperatingmodelformanagingrelationaldatabases.Forexample,AmazonRDSmakesiteasytoreplicateyourdatatoincreaseavailability,improvedurability,orscaleuporbeyondasingledatabaseinstanceforread-heavydatabaseworkloads.
AmazonRDSexposesadatabaseendpointtowhichclientsoftwarecanconnectandexecuteSQL.AmazonRDSdoesnotprovideshellaccesstoDatabase(DB)Instances,anditrestrictsaccesstocertainsystemproceduresandtablesthatrequireadvancedprivileges.WithAmazonRDS,youcantypicallyusethesametoolstoquery,analyze,modify,andadministerthedatabase.Forexample,currentExtract,Transform,Load(ETL)toolsandreportingtoolscanconnecttoAmazonRDSdatabasesinthesamewaywiththesamedrivers,andoftenallittakestoreconfigureischangingthehostnameintheconnectionstring.
Database(DB)InstancesTheAmazonRDSserviceitselfprovidesanApplicationProgrammingInterface(API)thatletsyoucreateandmanageoneormoreDBInstances.ADBInstanceisanisolateddatabaseenvironmentdeployedinyourprivatenetworksegmentsinthecloud.EachDBInstancerunsandmanagesapopularcommercialoropensourcedatabaseengineonyourbehalf.AmazonRDScurrentlysupportsthefollowingdatabaseengines:MySQL,PostgreSQL,MariaDB,Oracle,SQLServer,andAmazonAurora.
YoucanlaunchanewDBInstancebycallingtheCreateDBInstanceAPIorbyusingtheAWSManagementConsole.ExistingDBInstancescanbechangedorresizedusingtheModifyDBInstanceAPI.ADBInstancecancontainmultipledifferentdatabases,allofwhichyoucreateandmanagewithintheDBInstanceitselfbyexecutingSQLcommandswiththeAmazonRDSendpoint.Thedifferentdatabasescanbecreated,accessed,andmanagedusingthesameSQLclienttoolsandapplicationsthatyouusetoday.
ThecomputeandmemoryresourcesofaDBInstancearedeterminedbyitsDBInstanceclass.YoucanselecttheDBInstanceclassthatbestmeetsyourneedsforcomputeandmemory.TherangeofDBInstanceclassesextendsfromadb.t2.microwith1virtualCPU(vCPU)and1GBofmemory,uptoadb.r3.8xlargewith32vCPUsand244GBofmemory.Asyourneedschangeovertime,youcanchangetheinstanceclassandthebalanceofcomputeofmemory,andAmazonRDSwillmigrateyourdatatoalargerorsmallerinstanceclass.IndependentfromtheDBInstanceclassthatyouselect,youcanalsocontrolthesizeand
![Page 219: Certified Solutions Architect Official Guide/AWS Certified... · Chapter 1: Introduction to AWS Chapter 2: Amazon Simple Storage Service (Amazon S3) and Amazon Glacier Storage Chapter](https://reader034.vdocuments.us/reader034/viewer/2022051812/602c405cb445ae68a568d84c/html5/thumbnails/219.jpg)
performancecharacteristicsofthestorageused.
AmazonRDSsupportsalargevarietyofengines,versions,andfeaturecombinations.ChecktheAmazonRDSdocumentationtodeterminesupportforspecificfeatures.ManyfeaturesandcommonconfigurationsettingsareexposedandmanagedusingDBparametergroupsandDBoptiongroups.ADBparametergroupactsasacontainerforengineconfigurationvaluesthatcanbeappliedtooneormoreDBInstances.YoumaychangetheDBparametergroupforanexistinginstance,butarebootisrequired.ADBoptiongroupactsasacontainerforenginefeatures,whichisemptybydefault.InordertoenablespecificfeaturesofaDBengine(forexample,OracleStatspack,MicrosoftSQLServerMirroring),youcreateanewDBoptiongroupandconfigurethesettingsaccordingly.
Existing databases can be migrated to Amazon RDS using native tools and techniques that vary depending on the engine. For example, with MySQL you can export a backup using mysqldump and import the file into Amazon RDS MySQL. You can also use the AWS Database Migration Service, which gives you a graphical interface that simplifies the migration of both schema and data between databases. AWS Database Migration Service also helps convert databases from one database engine to another.
Operational Benefits
Amazon RDS increases the operational reliability of your databases by applying a very consistent deployment and operational model. This level of consistency is achieved in part by limiting the types of changes that can be made to the underlying infrastructure and through the extensive use of automation. For example, with Amazon RDS you cannot use Secure Shell (SSH) to log in to the host instance and install a custom piece of software. You can, however, connect using SQL administrator tools or use DB option groups and DB parameter groups to change the behavior or feature configuration for a DB Instance. If you want full control of the Operating System (OS) or require elevated permissions to run, then consider installing your database on Amazon EC2 instead of Amazon RDS.
Amazon RDS is designed to simplify the common tasks required to operate a relational database in a reliable manner. It's useful to compare the responsibilities of an administrator when operating a relational database in your data center, on Amazon EC2, or with Amazon RDS (see Table 7.2).
TABLE 7.2 Comparison of Operational Responsibilities

Responsibility          Database On-Premise   Database on Amazon EC2   Database on Amazon RDS
App Optimization        You                   You                      You
Scaling                 You                   You                      AWS
High Availability       You                   You                      AWS
Backups                 You                   You                      AWS
DB Engine Patches       You                   You                      AWS
Software Installation   You                   You                      AWS
OS Patches              You                   You                      AWS
OS Installation         You                   AWS                      AWS
Server Maintenance      You                   AWS                      AWS
Rack and Stack          You                   AWS                      AWS
Power and Cooling       You                   AWS                      AWS
Database Engines
Amazon RDS supports six database engines: MySQL, PostgreSQL, MariaDB, Oracle, SQL Server, and Amazon Aurora. Features and capabilities vary slightly depending on the engine that you select.
MySQL
MySQL is one of the most popular open source databases in the world, and it is used to power a wide range of applications, from small personal blogs to some of the largest websites in the world. As of the time of this writing, Amazon RDS for MySQL supports MySQL 5.7, 5.6, 5.5, and 5.1. The engine is running the open source Community Edition with InnoDB as the default and recommended database storage engine. Amazon RDS MySQL allows you to connect using standard MySQL tools such as MySQL Workbench or SQL Workbench/J. Amazon RDS MySQL supports Multi-AZ deployments for high availability and read replicas for horizontal scaling.
PostgreSQL
PostgreSQL is a widely used open source database engine with a very rich set of features and advanced functionality. Amazon RDS supports DB Instances running several versions of PostgreSQL. As of the time of this writing, Amazon RDS supports multiple releases of PostgreSQL, including 9.5.x, 9.4.x, and 9.3.x. Amazon RDS PostgreSQL can be managed using standard tools like pgAdmin and supports standard JDBC/ODBC drivers. Amazon RDS PostgreSQL also supports Multi-AZ deployment for high availability and read replicas for horizontal scaling.
MariaDB
Amazon RDS recently added support for DB Instances running MariaDB. MariaDB is a popular open source database engine built by the creators of MySQL and enhanced with enterprise tools and functionality. MariaDB adds features that enhance the performance, availability, and scalability of MySQL. As of the time of this writing, AWS supports MariaDB version 10.0.17. Amazon RDS fully supports the XtraDB storage engine for MariaDB DB Instances and, like Amazon RDS MySQL and PostgreSQL, has support for Multi-AZ deployment and read replicas.
Oracle
Oracle is one of the most popular relational databases used in the enterprise and is fully supported by Amazon RDS. As of the time of this writing, Amazon RDS supports DB Instances running several editions of Oracle 11g and Oracle 12c. Amazon RDS supports access to schemas on a DB Instance using any standard SQL client application, such as Oracle SQL*Plus.
Amazon RDS Oracle supports three different editions of the popular database engine: Standard Edition One, Standard Edition, and Enterprise Edition. Table 7.3 outlines some of the major differences between editions:
TABLE 7.3 Amazon RDS Oracle Editions Compared

Edition        Performance   Multi-AZ   Encryption
Standard One   ++++          Yes        KMS
Standard       ++++++++      Yes        KMS
Enterprise     ++++++++      Yes        KMS and TDE
Microsoft SQL Server
Microsoft SQL Server is another very popular relational database used in the enterprise. Amazon RDS allows Database Administrators (DBAs) to connect to their SQL Server DB Instance in the cloud using native tools like SQL Server Management Studio. As of the time of this writing, Amazon RDS provides support for several versions of Microsoft SQL Server, including SQL Server 2008 R2, SQL Server 2012, and SQL Server 2014.
Amazon RDS SQL Server also supports four different editions of SQL Server: Express Edition, Web Edition, Standard Edition, and Enterprise Edition. Table 7.4 highlights the relative performance, availability, and encryption differences among these editions.
TABLE 7.4 Amazon RDS SQL Server Editions Compared

Edition      Performance   Multi-AZ   Encryption
Express      +             No         KMS
Web          ++++          No         KMS
Standard     ++++          Yes        KMS
Enterprise   ++++++++      Yes        KMS and TDE
Licensing
Amazon RDS Oracle and Microsoft SQL Server are commercial software products that require appropriate licenses to operate in the cloud. AWS offers two licensing models: License Included and Bring Your Own License (BYOL).
License Included
In the License Included model, the license is held by AWS and is included in the Amazon RDS instance price. For Oracle, License Included provides licensing for Standard Edition One. For SQL Server, License Included provides licensing for SQL Server Express Edition, Web Edition, and Standard Edition.
Bring Your Own License (BYOL)
In the BYOL model, you provide your own license. For Oracle, you must have the appropriate Oracle Database license for the DB Instance class and Oracle Database edition you want to run. You can bring over Standard Edition One, Standard Edition, and Enterprise Edition.
For SQL Server, you provide your own license under the Microsoft License Mobility program. You can bring over Microsoft SQL Server Standard Edition and also Enterprise Edition. You are responsible for tracking and managing how licenses are allocated.
Amazon Aurora
Amazon Aurora offers enterprise-grade commercial database technology while offering the simplicity and cost effectiveness of an open source database. This is achieved by redesigning the internal components of MySQL to take a more service-oriented approach.
Like other Amazon RDS engines, Amazon Aurora is a fully managed service, is MySQL-compatible out of the box, and provides for increased reliability and performance over standard MySQL deployments. Amazon Aurora can deliver up to five times the performance of MySQL without requiring changes to most of your existing web applications. You can use the same code, tools, and applications that you use with your existing MySQL databases with Amazon Aurora.
When you first create an Amazon Aurora instance, you create a DB cluster. A DB cluster has one or more instances and includes a cluster volume that manages the data for those instances. An Amazon Aurora cluster volume is a virtual database storage volume that spans multiple Availability Zones, with each Availability Zone having a copy of the cluster data. An Amazon Aurora DB cluster consists of two different types of instances:
Primary Instance
This is the main instance, which supports both read and write workloads. When you modify your data, you are modifying the primary instance. Each Amazon Aurora DB cluster has one primary instance.
Amazon Aurora Replica
This is a secondary instance that supports only read operations. Each DB cluster can have up to 15 Amazon Aurora Replicas in addition to the primary instance. By using multiple Amazon Aurora Replicas, you can distribute the read workload among various instances, increasing performance. You can also locate your Amazon Aurora Replicas in multiple Availability Zones to increase your database availability.
Storage Options
Amazon RDS is built using Amazon Elastic Block Store (Amazon EBS) and allows you to select the right storage option based on your performance and cost requirements. Depending on the database engine and workload, you can scale up to 4 to 6 TB in provisioned storage and up to 30,000 IOPS. Amazon RDS supports three storage types: Magnetic, General Purpose (Solid State Drive [SSD]), and Provisioned IOPS (SSD). Table 7.5 highlights the relative size, performance, and cost differences between types.
TABLE 7.5 Amazon RDS Storage Types

              Magnetic   General Purpose (SSD)   Provisioned IOPS (SSD)
Size          +++        +++++                   +++++
Performance   +          +++                     +++++
Cost          ++         +++                     +++++
Magnetic
Magnetic storage, also called standard storage, offers cost-effective storage that is ideal for applications with light I/O requirements.
General Purpose (SSD)
General Purpose (SSD)-backed storage, also called gp2, can provide faster access than magnetic storage. This storage type can provide burst performance to meet spikes and is excellent for small- to medium-sized databases.
Provisioned IOPS (SSD)
Provisioned IOPS (SSD) storage is designed to meet the needs of I/O-intensive workloads, particularly database workloads, that are sensitive to storage performance and consistency in random access I/O throughput.
For most applications, General Purpose (SSD) is the best option and provides a good mix of lower-cost and higher-performance characteristics.
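The "burst performance" of gp2 is a credit bucket, and a database that relies on the burst can fall back to its baseline in the middle of a busy period. The following is an added example, not code from the study guide, that models that bucket so you can size a volume for its sustained load rather than its peak. The constants are assumed from the Amazon EBS gp2 documentation of the period (3 IOPS per GiB of baseline with a floor of 100 and a ceiling of 10,000, bursts to 3,000 IOPS, and 5.4 million credits that refill at the baseline rate); Amazon RDS storage is built on EBS, so the same arithmetic applies to a gp2 DB Instance.

```python
# Added example (not from the study guide): credit-bucket model of gp2
# burst behaviour.  Constants assumed from the EBS gp2 documentation.

IOPS_PER_GIB = 3
MIN_BASELINE = 100
MAX_BASELINE = 10_000
BURST_IOPS = 3_000
BUCKET = 5_400_000          # credits; one credit is spent per I/O served


def baseline_iops(size_gib):
    """Steady-state IOPS the volume can sustain indefinitely."""
    return min(max(size_gib * IOPS_PER_GIB, MIN_BASELINE), MAX_BASELINE)


def burst_seconds(size_gib, demand_iops):
    """Seconds a full bucket can hold `demand_iops`, or None when the
    baseline alone covers the demand and no credits are consumed."""
    base = baseline_iops(size_gib)
    deliverable = min(demand_iops, max(base, BURST_IOPS))
    if deliverable <= base:
        return None
    return BUCKET / (deliverable - base)


def simulate(size_gib, workload, credits=BUCKET):
    """Replay `workload`, a list of (seconds, demand_iops) segments, second
    by second against the credit bucket.

    Every second the bucket accrues `baseline` credits and each I/O served
    spends one, so demand above baseline drains it and demand below
    baseline refills it (capped at BUCKET).  Returns, per segment, the
    average IOPS actually delivered and the credits left afterwards."""
    base = baseline_iops(size_gib)
    cap = max(base, BURST_IOPS)
    results = []
    for seconds, demand in workload:
        delivered = 0
        for _ in range(seconds):
            served = min(demand, cap, credits + base)
            credits = min(BUCKET, credits + base - served)
            delivered += served
        results.append((delivered / seconds, credits))
    return results


if __name__ == "__main__":
    size = 100  # GiB, i.e. a 300 IOPS baseline
    print("baseline", baseline_iops(size), "IOPS; a 3000 IOPS burst lasts",
          burst_seconds(size, 3000), "s")
    for avg, left in simulate(size, [(2000, 3000), (10, 3000), (600, 0)]):
        print(f"avg {avg:8.1f} IOPS delivered, {left} credits left")
```

A 100 GB volume sustains the full 3,000 IOPS for about 33 minutes and then drops to 300 IOPS until the bucket refills; at that point the only fix is a larger volume or Provisioned IOPS storage.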
Backup and Recovery
Amazon RDS provides a consistent operational model for backup and recovery procedures across the different database engines. Amazon RDS provides two mechanisms for backing up the database: automated backups and manual snapshots. By using a combination of both techniques, you can design a backup and recovery model to protect your application data.
Each organization typically will define a Recovery Point Objective (RPO) and Recovery Time Objective (RTO) for important applications based on the criticality of the application and the expectations of the users. It's common for enterprise systems to have an RPO measured in minutes and an RTO measured in hours or even days, while some critical applications may have much lower tolerances.
RPO is defined as the maximum period of data loss that is acceptable in the event of a failure or incident. For example, many systems back up transaction logs every 15 minutes to allow them to minimize data loss in the event of an accidental deletion or hardware failure.
RTO is defined as the maximum amount of downtime that is permitted to recover from backup and to resume processing. For large databases in particular, it can take hours to restore from a full backup. In the event of a hardware failure, you can reduce your RTO to minutes by failing over to a secondary node. You should create a recovery plan that, at a minimum, lets you recover from a recent backup.
Automated Backups
An automated backup is an Amazon RDS feature that continuously tracks changes and backs up your database. Amazon RDS creates a storage volume snapshot of your DB Instance, backing up the entire DB Instance and not just individual databases. You can set the backup retention period when you create a DB Instance. One day of backups will be retained by default, but you can modify the retention period up to a maximum of 35 days. Keep in mind that when you delete a DB Instance, all automated backup snapshots are deleted and cannot be recovered. Manual snapshots, however, are not deleted, so take a final manual snapshot before deleting any instance whose data you may still need.
Automated backups will occur daily during a configurable 30-minute window called the backup window. Automated backups are kept for a configurable number of days, called the backup retention period. You can restore your DB Instance to any specific time during this retention period, creating a new DB Instance.
Manual DB Snapshots
In addition to automated backups, you can perform manual DB snapshots at any time. A DB snapshot is initiated by you and can be created as frequently as you want. You can then restore the DB Instance to the specific state in the DB snapshot at any time. DB snapshots can be created with the Amazon RDS console or the CreateDBSnapshot action. Unlike automated snapshots that are deleted after the retention period, manual DB snapshots are kept until you explicitly delete them with the Amazon RDS console or the DeleteDBSnapshot action.
For busy databases, use Multi-AZ to minimize the performance impact of a snapshot. During the backup window, storage I/O may be suspended while your data is being backed up, and you may experience elevated latency. This I/O suspension typically lasts for the duration of the snapshot. This period of I/O suspension is shorter for Multi-AZ DB deployments because the backup is taken from the standby, but latency can still occur during the backup process.
Recovery
Amazon RDS allows you to recover your database quickly whether you are performing automated backups or manual DB snapshots. You cannot restore from a DB snapshot to an existing DB Instance; a new DB Instance is created when you restore. When you restore a DB Instance, only the default DB parameter and security groups are associated with the restored instance. As soon as the restore is complete, you should associate any custom DB parameter or security groups used by the instance from which you restored. When using automated backups, Amazon RDS combines the daily backups performed during your predefined maintenance window in conjunction with transaction logs to enable you to restore your DB Instance to any point during your retention period, typically up to the last five minutes.
High Availability with Multi-AZ
One of the most powerful features of Amazon RDS is Multi-AZ deployments, which allow you to create a database cluster across multiple Availability Zones. Setting up a relational database to run in a highly available and fault-tolerant fashion is a challenging task. With Amazon RDS Multi-AZ, you can reduce the complexity involved with this common administrative task; with a single option, Amazon RDS can increase the availability of your database using replication. Multi-AZ lets you meet the most demanding RPO and RTO targets by using synchronous replication to minimize RPO and fast failover to minimize RTO to minutes.
Multi-AZ allows you to place a secondary copy of your database in another Availability Zone for disaster recovery purposes. Multi-AZ deployments are available for all Amazon RDS database engines, although not for every edition of every engine (Table 7.4 shows that the SQL Server Express and Web Editions do not support it). When you create a Multi-AZ DB Instance, a primary instance is created in one Availability Zone and a secondary instance is created in another Availability Zone. You are assigned a database instance endpoint such as the following:
my_app_db.ch6fe7ykq1zd.us-west-2.rds.amazonaws.com
This endpoint is a Domain Name System (DNS) name that AWS takes responsibility for resolving to a specific IP address. You use this DNS name when creating the connection to your database; do not hard-code or cache the resolved IP address, because it changes on failover. Figure 7.1 illustrates a typical Multi-AZ deployment spanning two Availability Zones.
FIGURE 7.1 Multi-AZ Amazon RDS architecture
Amazon RDS automatically replicates the data from the master database (primary instance) to the slave database (secondary instance) using synchronous replication. Each Availability Zone runs on its own physically distinct, independent infrastructure and is engineered to be highly reliable. Amazon RDS detects and automatically recovers from the most common failure scenarios for Multi-AZ deployments so that you can resume database operations as quickly as possible without administrative intervention. Amazon RDS automatically performs a failover in the event of any of the following:
Loss of availability in the primary Availability Zone
Loss of network connectivity to the primary database
Compute unit failure on the primary database
Storage failure on the primary database
Amazon RDS will automatically fail over to the standby instance without user intervention. The DNS name remains the same, but the Amazon RDS service changes the CNAME to point to the standby. The primary DB Instance switches over automatically to the standby replica if there was an Availability Zone service disruption, if the primary DB Instance fails, or if the instance type is changed. You can also perform a manual failover of the DB Instance. Failover between the primary and the secondary instance is fast, and the time automatic failover takes to complete is typically one to two minutes.
It is important to remember that Multi-AZ deployments are for disaster recovery only; they are not meant to enhance database performance. The standby DB Instance is not available to offload queries from the primary DB Instance. To improve database performance using multiple DB Instances, use read replicas or other DB caching technologies such as Amazon ElastiCache.
Scaling Up and Out
As the number of transactions to a relational database increases, scaling up, or vertically, by getting a larger machine allows you to process more reads and writes. Scaling out, or horizontally, is also possible, but it is often more difficult. Amazon RDS allows you to scale compute and storage vertically, and for some DB engines, you can scale horizontally.
Vertical Scalability
Adding additional compute, memory, or storage resources to your database allows you to process more transactions, run more queries, and store more data. Amazon RDS makes it easy to scale your database tier up or down to meet the demands of your application. Changes can be scheduled to occur during the next maintenance window or to begin immediately using the ModifyDBInstance action.
To change the amount of compute and memory, you can select a different DB Instance class for the database. After you select a larger or smaller DB Instance class, Amazon RDS automates the migration process to the new class with only a short disruption and minimal effort.
You can also increase the amount of storage, the storage class, and the storage performance for an Amazon RDS Instance. Each database instance can scale from 5 GB up to 6 TB in provisioned storage depending on the storage type and engine. Storage for Amazon RDS can be increased over time as needs grow with minimal impact to the running database. Storage expansion is supported for all of the database engines except for SQL Server.
Horizontal Scalability with Partitioning
A relational database can be scaled vertically only so much before you reach the maximum instance size. Partitioning a large relational database into multiple instances or shards is a common technique for handling more requests beyond the capabilities of a single instance.
Partitioning, or sharding, allows you to scale horizontally to handle more users and requests but requires additional logic in the application layer. The application needs to decide how to route database requests to the correct shard and becomes limited in the types of queries that can be performed across server boundaries. NoSQL databases like Amazon DynamoDB or Cassandra are designed to scale horizontally.
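The routing logic that sharding pushes into the application, as an added example that is not code from the study guide. The shard endpoints are constructed names, and each shard's "database" is an in-memory dict standing in for a separate DB Instance; what the example shows is the cheap single-shard path, the scatter-gather a query on a non-key column forces, and how much data a later change in shard count moves.

```python
# Added example (not from the study guide): application-layer shard routing.
# Endpoints are constructed; dicts stand in for the per-shard databases.
import hashlib

SHARDS = [
    "users-shard-0.example.us-west-2.rds.amazonaws.com",
    "users-shard-1.example.us-west-2.rds.amazonaws.com",
    "users-shard-2.example.us-west-2.rds.amazonaws.com",
]


def shard_index(shard_key, shard_count):
    """Stable placement: SHA-256 of the shard key, reduced modulo the shard
    count.  A cryptographic hash spreads keys evenly and cannot be steered
    onto one shard by a client picking adversarial key values."""
    digest = hashlib.sha256(str(shard_key).encode("utf-8")).digest()
    return int.from_bytes(digest[:8], "big") % shard_count


class ShardedUsers:
    def __init__(self, shards):
        self.shards = list(shards)
        self.tables = [dict() for _ in self.shards]   # one "database" per shard

    def upsert(self, user_id, row):
        """Single-shard write, routed by the shard key."""
        self.tables[shard_index(user_id, len(self.shards))][user_id] = row

    def get(self, user_id):
        """Single-shard read: the cheap, common path."""
        return self.tables[shard_index(user_id, len(self.shards))].get(user_id)

    def find(self, predicate):
        """Query on a non-key column: must scatter to every shard and gather
        the results in the application.  Returns (rows, shards_queried)."""
        rows = []
        for table in self.tables:
            rows.extend(r for r in table.values() if predicate(r))
        return rows, len(self.tables)


def fraction_moved_on_reshard(keys, old_count, new_count):
    """Share of keys whose shard changes when the shard count changes.
    With modulo placement most keys move, which is why growing a sharded
    fleet is an expensive, planned operation rather than a knob."""
    keys = list(keys)
    moved = sum(shard_index(k, old_count) != shard_index(k, new_count) for k in keys)
    return moved / len(keys)


if __name__ == "__main__":
    store = ShardedUsers(SHARDS)
    for uid, region in ((42, "eu"), (7, "us"), (9001, "eu")):
        store.upsert(uid, {"id": uid, "region": region})
    print("user 42 lives on", store.shards[shard_index(42, len(SHARDS))])
    rows, touched = store.find(lambda r: r["region"] == "eu")
    print(len(rows), "eu users found after querying", touched, "shards")
    print(f"{fraction_moved_on_reshard(range(1000), 3, 4):.0%} of keys move going from 3 to 4 shards")
```

Going from three shards to four moves roughly three quarters of all keys under modulo placement; consistent hashing reduces that to about a quarter, but the cross-shard query limitation in the text remains either way.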
Horizontal Scalability with Read Replicas
Another important scaling technique is to use read replicas to offload read transactions from the primary database and increase the overall number of transactions. Amazon RDS supports read replicas that allow you to scale out elastically beyond the capacity constraints of a single DB Instance for read-heavy database workloads.
There are a variety of use cases where deploying one or more read replica DB Instances is helpful. Some common scenarios include:
Scale beyond the capacity of a single DB Instance for read-heavy workloads.
Handle read traffic while the source DB Instance is unavailable. For example, during I/O suspension for backups or scheduled maintenance, you can direct read traffic to a replica.
Offload reporting or data warehousing scenarios against a replica instead of the primary DB Instance.
For example, a blogging website may have very little write activity except for the occasional comment, and the vast majority of database activity will be read-only. By offloading some or all of the read activity to one or more read replicas, the primary database instance can focus on handling the writes and replicating the data out to the replicas.
Read replicas are currently supported in Amazon RDS for MySQL, PostgreSQL, MariaDB, and Amazon Aurora. Amazon RDS uses the MySQL, MariaDB, and PostgreSQL DB engines' built-in replication functionality to create a special type of DB Instance, called a read replica, from a source DB Instance. Updates made to the source DB Instance are asynchronously copied to the read replica, so a replica can lag behind the source and return slightly stale data. You can reduce the load on your source DB Instance by routing read queries from your applications to the read replica.
You can create one or more replicas of a database within a single AWS Region or across multiple AWS Regions. To enhance your disaster recovery capabilities or reduce global latencies, you can use cross-region read replicas to serve read traffic from the region closest to your global users or to migrate your databases across AWS Regions.
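Routing read queries to the replica is an application-side decision, and getting it wrong either sends a write to a read-only endpoint or serves a user stale data just after their own write. The following read/write splitter is an added example, not code from the study guide; the replica endpoint names are constructed, and the two-second "stick to the primary after a write" window is an assumed bound on replication lag that you would set from the ReplicaLag metric of your own replicas.

```python
# Added example (not from the study guide): read/write splitting in the
# application layer for read replicas.  Anything that writes or takes a
# lock goes to the primary; plain reads round-robin over the replicas;
# after a write the session stays on the primary for a short window so
# asynchronous replication lag cannot hand back stale rows.
import itertools
import re
import time

PRIMARY = "my_app_db.ch6fe7ykq1zd.us-west-2.rds.amazonaws.com"
REPLICAS = [                                   # constructed replica endpoints
    "my_app_db-replica-1.ch6fe7ykq1zd.us-west-2.rds.amazonaws.com",
    "my_app_db-replica-2.ch6fe7ykq1zd.us-west-2.rds.amazonaws.com",
]

_WRITE_VERB = re.compile(
    r"^(INSERT|UPDATE|DELETE|REPLACE|MERGE|CREATE|ALTER|DROP|TRUNCATE|GRANT|REVOKE|LOCK|CALL)\b",
    re.I)
_LOCKING_READ = re.compile(r"\bFOR\s+(UPDATE|SHARE|NO\s+KEY\s+UPDATE|KEY\s+SHARE)\b", re.I)
_DATA_MODIFYING_CTE = re.compile(r"^WITH\b.*?\)\s*(INSERT|UPDATE|DELETE)\b", re.I | re.S)
_READ_ONLY_VERB = re.compile(r"^(SELECT|WITH|SHOW|EXPLAIN|DESCRIBE|VALUES)\b", re.I)


def is_write(sql):
    """True for any statement that must run on the primary.

    Unknown verbs are treated as writes: sending them to a replica would
    fail loudly at best and silently lose data at worst."""
    head = sql.strip()
    if _WRITE_VERB.match(head) or _LOCKING_READ.search(head) or _DATA_MODIFYING_CTE.match(head):
        return True
    return not _READ_ONLY_VERB.match(head)


class QueryRouter:
    """Chooses an endpoint per statement; use one instance per client session."""

    def __init__(self, primary, replicas, stick_seconds=2.0, clock=time.monotonic):
        self.primary = primary
        self._replicas = itertools.cycle(replicas) if replicas else None
        self.stick_seconds = stick_seconds      # assumed upper bound on replica lag
        self.clock = clock                      # injectable for testing
        self.last_write = None
        self.in_transaction = False

    def route(self, sql):
        head = sql.strip().upper()
        if head.startswith(("BEGIN", "START TRANSACTION")):
            self.in_transaction = True          # a transaction stays on one node
            return self.primary
        if head.startswith(("COMMIT", "ROLLBACK")):
            self.in_transaction = False
            self.last_write = self.clock()      # the transaction may have written
            return self.primary
        if self.in_transaction or is_write(sql):
            self.last_write = self.clock()
            return self.primary
        if self.last_write is not None and self.clock() - self.last_write < self.stick_seconds:
            return self.primary                 # read-your-own-writes window
        if self._replicas is None:
            return self.primary
        return next(self._replicas)


if __name__ == "__main__":
    router = QueryRouter(PRIMARY, REPLICAS)
    for stmt in ("SELECT * FROM posts", "INSERT INTO comments (post_id) VALUES (7)",
                 "SELECT count(*) FROM comments", "SELECT 1 FOR UPDATE"):
        print(f"{stmt!r:50} -> {router.route(stmt)}")
```

The statement classifier is deliberately conservative: a `SELECT ... FOR UPDATE`, a data-modifying CTE, and any verb it does not recognise all land on the primary, because a misrouted read only costs capacity while a misrouted write costs data.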
Security
Securing your Amazon RDS DB Instances and relational databases requires a comprehensive plan that addresses the many layers commonly found in database-driven systems. This includes the infrastructure resources, the database, and the network.
Protect access to your infrastructure resources using AWS Identity and Access Management (IAM) policies that limit which actions AWS administrators can perform. For example, some key administrator actions that can be controlled in IAM include CreateDBInstance and DeleteDBInstance.
Another security best practice is to deploy your Amazon RDS DB Instances into a private subnet within an Amazon Virtual Private Cloud (Amazon VPC) that limits network access to the DB Instance. Before you can deploy into an Amazon VPC, you must first create a DB subnet group that predefines which subnets are available for Amazon RDS deployments. Further, restrict network access using network Access Control Lists (ACLs) and security groups to limit inbound traffic on the database port to a short list of source IP addresses (or to the security group of the application tier); a rule that admits 0.0.0.0/0 defeats the private placement.
At the database level, you will also need to create users and grant them permissions to read and write to your databases. Access to the database is controlled using the database engine-specific access control and user management mechanisms. Create users at the database level with strong passwords that you rotate frequently, and grant each application account only the privileges it needs rather than sharing the master user.
Finally, protect the confidentiality of your data in transit and at rest with the multiple encryption capabilities provided with Amazon RDS. Security features vary slightly from one engine to another, but all engines support some form of in-transit encryption and also at-rest encryption. You can securely connect a client to a running DB Instance using Secure Sockets Layer (SSL), in practice its successor TLS, to protect data in transit; configure the client to verify the server certificate, since an unverified connection is still open to interception. Encryption at rest is possible for all engines using the AWS Key Management Service (KMS) or, for the Oracle and SQL Server Enterprise Editions shown in Tables 7.3 and 7.4, Transparent Data Encryption (TDE). All logs, backups, and snapshots are encrypted for an encrypted Amazon RDS instance.
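The controls in this section (private placement, narrow security group ingress, encryption at rest, Multi-AZ, and automated backups) are all visible in the DescribeDBInstances and DescribeSecurityGroups output, so they can be audited rather than assumed. The following audit is an added example, not code from the study guide; the instance and security group records are constructed to mirror the shape of those API responses, and the "a source wider than a /24 is too wide" threshold is an assumption you would tune to your own address plan.

```python
# Added example (not from the study guide): posture audit of constructed
# DescribeDBInstances / DescribeSecurityGroups-shaped records.
import ipaddress

# Constructed sample: one hardened DB Instance and one that is not.
DB_INSTANCES = [
    {
        "DBInstanceIdentifier": "orders-prod",
        "Engine": "postgres",
        "PubliclyAccessible": False,
        "StorageEncrypted": True,
        "MultiAZ": True,
        "BackupRetentionPeriod": 14,
        "Endpoint": {"Port": 5432},
        "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-db-private"}],
    },
    {
        "DBInstanceIdentifier": "analytics-dev",
        "Engine": "mysql",
        "PubliclyAccessible": True,
        "StorageEncrypted": False,
        "MultiAZ": False,
        "BackupRetentionPeriod": 0,
        "Endpoint": {"Port": 3306},
        "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-db-open"}],
    },
]

# Constructed sample security groups, keyed by group id.
SECURITY_GROUPS = {
    "sg-db-private": {"IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.1.0/24"}]}]},
    "sg-db-open": {"IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
}

MAX_SOURCE_ADDRESSES = 256   # assumption: anything wider than a /24 is flagged


def wide_ingress(sg, port):
    """Return the IPv4 source CIDRs that can reach `port` from too wide a range."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        lo, hi = perm.get("FromPort"), perm.get("ToPort")
        all_traffic = perm.get("IpProtocol") == "-1"
        if not (all_traffic or (lo is not None and hi is not None and lo <= port <= hi)):
            continue
        for rng in perm.get("IpRanges", []):
            net = ipaddress.ip_network(rng["CidrIp"], strict=False)
            if net.num_addresses > MAX_SOURCE_ADDRESSES:
                findings.append(rng["CidrIp"])
    return findings


def audit_instance(inst, groups):
    """Return a list of (check, detail) findings for one DB Instance."""
    findings = []
    if inst["PubliclyAccessible"]:
        findings.append(("public", "PubliclyAccessible is true; deploy into a private subnet"))
    if not inst["StorageEncrypted"]:
        findings.append(("encryption", "StorageEncrypted is false; encryption is chosen at creation "
                                       "or by restoring an encrypted snapshot copy"))
    if not inst["MultiAZ"]:
        findings.append(("availability", "MultiAZ is false"))
    if inst["BackupRetentionPeriod"] == 0:
        findings.append(("backups", "automated backups disabled (retention period 0)"))
    port = inst["Endpoint"]["Port"]
    for ref in inst["VpcSecurityGroups"]:
        sg_id = ref["VpcSecurityGroupId"]
        for cidr in wide_ingress(groups.get(sg_id, {}), port):
            findings.append(("network", f"{sg_id} admits {cidr} to port {port}"))
    return findings


def audit(instances=DB_INSTANCES, groups=SECURITY_GROUPS):
    return {i["DBInstanceIdentifier"]: audit_instance(i, groups) for i in instances}


if __name__ == "__main__":
    for name, found in audit().items():
        print(name, "OK" if not found else "")
        for check, detail in found:
            print(f"  [{check}] {detail}")
```

In a real account the two constructed lists would come from the DescribeDBInstances and DescribeSecurityGroups API calls; the checks themselves do not change. IPv6 ranges and security-group-to-security-group rules are not examined here and would need the same treatment.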
Amazon Redshift
Amazon Redshift is a fast, powerful, fully managed, petabyte-scale data warehouse service in the cloud. Amazon Redshift is a relational database designed for OLAP scenarios and optimized for high-performance analysis and reporting of very large datasets. Traditional data warehouses are difficult and expensive to manage, especially for large datasets. Amazon Redshift not only significantly lowers the cost of a data warehouse, but it also makes it easy to analyze large amounts of data very quickly.
Amazon Redshift gives you fast querying capabilities over structured data using standard SQL commands to support interactive querying over large datasets. With connectivity via ODBC or JDBC, Amazon Redshift integrates well with various data loading, reporting, data mining, and analytics tools. Amazon Redshift is based on industry-standard PostgreSQL, so most existing SQL client applications will work with only minimal changes.
Amazon Redshift manages the work needed to set up, operate, and scale a data warehouse, from provisioning the infrastructure capacity to automating ongoing administrative tasks such as backups and patching. Amazon Redshift automatically monitors your nodes and drives to help you recover from failures.
Clusters and Nodes
The key component of an Amazon Redshift data warehouse is a cluster. A cluster is composed of a leader node and one or more compute nodes. The client application interacts directly only with the leader node, and the compute nodes are transparent to external applications.
Amazon Redshift currently has support for six different node types, and each has a different mix of CPU, memory, and storage. The six node types are grouped into two categories: Dense Compute and Dense Storage. The Dense Compute node types support clusters up to 326 TB using fast SSDs, while the Dense Storage nodes support clusters up to 2 PB using large magnetic disks. Each cluster consists of one leader node and one or more compute nodes. Figure 7.2 shows the internal components of an Amazon Redshift data warehouse cluster.
FIGURE 7.2 Amazon Redshift cluster architecture
Each cluster contains one or more databases. User data for each table is distributed across the compute nodes. Your application or SQL client communicates with Amazon Redshift using standard JDBC or ODBC connections to the leader node, which in turn coordinates query execution with the compute nodes. Your application does not interact directly with the compute nodes.
The disk storage for a compute node is divided into a number of slices. The number of slices per node depends on the node size of the cluster and typically varies between 2 and 16. The nodes all participate in parallel query execution, working on data that is distributed as evenly as possible across the slices.
You can increase query performance by adding multiple nodes to a cluster. When you submit a query, Amazon Redshift distributes and executes the query in parallel across all of a cluster's compute nodes. Amazon Redshift also spreads your table data across all compute nodes in a cluster based on a distribution strategy that you specify. This partitioning of data across multiple compute resources allows you to achieve high levels of performance.
Amazon Redshift allows you to resize a cluster to add storage and compute capacity over time as your needs evolve. You can also change the node type of a cluster and keep the overall size the same. Whenever you perform a resize operation, Amazon Redshift will create a new cluster and migrate data from the old cluster to the new one. During a resize operation, the database will become read-only until the operation is finished.
Table Design
Each Amazon Redshift cluster can support one or more databases, and each database can contain many tables. Like most SQL-based databases, you can create a table using the CREATE TABLE command. This command specifies the name of the table, the columns, and their data types. In addition to columns and data types, the Amazon Redshift CREATE TABLE command also supports specifying compression encodings, distribution strategy, and sort keys.
Data Types
Amazon Redshift columns support a wide range of data types. This includes common numeric data types like INTEGER, DECIMAL, and DOUBLE, text data types like CHAR and VARCHAR, and date data types like DATE and TIMESTAMP. Additional columns can be added to a table using the ALTER TABLE command; however, existing columns cannot be modified.
Compression Encoding
One of the key performance optimizations used by Amazon Redshift is data compression. When loading data for the first time into an empty table, Amazon Redshift will automatically sample your data and select the best compression scheme for each column. Alternatively, you can specify compression encoding on a per-column basis as part of the CREATE TABLE command.
Distribution Strategy
One of the primary decisions when creating a table in Amazon Redshift is how to distribute the records across the nodes and slices in a cluster. You can configure the distribution style of a table to give Amazon Redshift hints as to how the data should be partitioned to best meet your query patterns. When you run a query, the optimizer shifts the rows to the compute nodes as needed to perform any joins and aggregates. The goal in selecting a table distribution style is to minimize the impact of the redistribution step by putting the data where it needs to be before the query is performed.
The data distribution style that you select for your database has a big impact on query performance, storage requirements, data loading, and maintenance. By choosing the best distribution strategy for each table, you can balance your data distribution and significantly improve overall system performance. When creating a table, you can choose between one of three distribution styles: EVEN, KEY, or ALL.
EVEN distribution
This is the default option and results in the data being distributed across the slices in a uniform fashion regardless of the data.
KEY distribution
With KEY distribution, the rows are distributed according to the values in one column. Rows with matching values are stored on the same slice, which increases query performance for joins on that column; a column with a few dominant values, however, will skew the data onto a few slices.
ALL distribution
With ALL, a full copy of the entire table is distributed to every node, at the cost of storing one copy per node. This is useful for lookup tables and other tables that are not updated frequently.
Sort Keys
Another important decision to make during the creation of a table is whether to specify one or more columns as sort keys. Sorting enables efficient handling of range-restricted predicates. If a query uses a range-restricted predicate, the query processor can rapidly skip over large numbers of blocks during table scans.
The sort keys for a table can be either compound or interleaved. A compound sort key is more efficient when query predicates use a prefix, which is a subset of the sort key columns in order. An interleaved sort key gives equal weight to each column in the sort key, so query predicates can use any subset of the columns that make up the sort key, in any order.
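Block skipping works because every block carries the minimum and maximum of each column (the zone map), and a range predicate only needs to read blocks whose range overlaps it; without a sort key the ranges overlap everything. The model below is an added example and not code from the study guide: the block size and the 64-row sample table are constructed, a compound key is modelled as lexicographic ordering, and an interleaved key as Z-order (bit interleaving of per-column ranks), which is the idea behind Redshift's interleaved sort but not its exact implementation.

```python
# Added example (not from the study guide): zone-map block skipping under
# no sort key, a compound sort key, and an interleaved sort key.

BLOCK_ROWS = 4   # constructed; real Redshift blocks are 1 MB


def morton_code(ranks, bits):
    """Interleave the bits of each column's rank so every column gets equal weight."""
    code = 0
    for b in range(bits - 1, -1, -1):
        for r in ranks:
            code = (code << 1) | ((r >> b) & 1)
    return code


def make_blocks(rows, sort_cols=(), interleaved=False, block_rows=BLOCK_ROWS):
    """Order rows by the sort key, cut them into blocks, and attach zone maps."""
    ordered = list(rows)
    if sort_cols and not interleaved:
        ordered.sort(key=lambda r: tuple(r[c] for c in sort_cols))
    elif sort_cols:
        ranks = {c: {v: i for i, v in enumerate(sorted({r[c] for r in rows}))} for c in sort_cols}
        bits = max(max(len(ranks[c]) - 1, 1).bit_length() for c in sort_cols)
        ordered.sort(key=lambda r: morton_code([ranks[c][r[c]] for c in sort_cols], bits))
    blocks = []
    for i in range(0, len(ordered), block_rows):
        chunk = ordered[i:i + block_rows]
        zone = {c: (min(r[c] for r in chunk), max(r[c] for r in chunk)) for c in chunk[0]}
        blocks.append({"rows": chunk, "zone": zone})
    return blocks


def range_scan(blocks, col, lo, hi):
    """Return (matching rows, blocks actually read) for lo <= col <= hi."""
    hits, read = [], 0
    for block in blocks:
        zmin, zmax = block["zone"][col]
        if zmax < lo or zmin > hi:
            continue                        # the zone map proves nothing is here
        read += 1
        hits.extend(r for r in block["rows"] if lo <= r[col] <= hi)
    return hits, read


def sample_rows():
    """64 constructed rows loaded in (region, day) order, i.e. unsorted by day."""
    return [{"region": region, "day": day} for region in range(8) for day in range(8)]


if __name__ == "__main__":
    rows = sample_rows()
    layouts = {
        "no sort key": make_blocks(rows),
        "compound (day, region)": make_blocks(rows, ("day", "region")),
        "interleaved (day, region)": make_blocks(rows, ("day", "region"), interleaved=True),
    }
    for name, blocks in layouts.items():
        for col in ("day", "region"):
            hits, read = range_scan(blocks, col, 3, 3)
            print(f"{name:28} WHERE {col} = 3: {len(hits)} rows, {read} of {len(blocks)} blocks read")
```

With 16 blocks, a predicate on the leading column of the compound key reads 2 blocks while a predicate on the trailing column reads 8; the interleaved key reads 4 for either column, which is the trade the text describes.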
Loading Data
Amazon Redshift supports standard SQL commands like INSERT and UPDATE to create and modify records in a table. For bulk operations, however, Amazon Redshift provides the COPY command as a much more efficient alternative to repeatedly calling INSERT.
A COPY command can load data into a table in the most efficient manner, and it supports multiple types of input data sources. The fastest way to load data into Amazon Redshift is doing bulk data loads from flat files stored in an Amazon Simple Storage Service (Amazon S3) bucket or from an Amazon DynamoDB table.
When loading data from Amazon S3, the COPY command can read from multiple files at the same time. Amazon Redshift can distribute the workload to the nodes and perform the load process in parallel. Instead of having one single large file with your data, you can enable parallel processing by having a cluster with multiple nodes and multiple input files.
After each bulk data load that modifies a significant amount of data, you will need to perform a VACUUM command to reorganize your data and reclaim space after deletes. It is also recommended to run an ANALYZE command to update table statistics.
Data can also be exported out of Amazon Redshift using the UNLOAD command. This command can be used to generate delimited text files and store them in Amazon S3.
Querying Data
Amazon Redshift allows you to write standard SQL commands to query your tables. By supporting commands like SELECT to query and join tables, analysts can quickly become productive using Amazon Redshift or integrate it easily. For complex queries, you can analyze the query plan to better optimize your access pattern. You can monitor the performance of the cluster and specific queries using Amazon CloudWatch and the Amazon Redshift web console.
For large Amazon Redshift clusters supporting many users, you can configure Workload Management (WLM) to queue and prioritize queries. WLM allows you to define multiple queues and set the concurrency level for each queue. For example, you might want to have one queue set up for long-running queries with limited concurrency and another queue for short-running queries that allows higher levels of concurrency.
Snapshots
Similar to Amazon RDS, you can create point-in-time snapshots of your Amazon Redshift cluster. A snapshot can then be used to restore a copy or create a clone of your original Amazon Redshift cluster. Snapshots are durably stored internally in Amazon S3 by Amazon Redshift.
Amazon Redshift supports both automated snapshots and manual snapshots. With automated snapshots, Amazon Redshift will periodically take snapshots of your cluster and keep a copy for a configurable retention period. You can also perform manual snapshots and share them across regions or even with other AWS accounts. Manual snapshots are retained until you explicitly delete them.
Security
Securing your Amazon Redshift cluster is similar to securing other databases running in the cloud. Your security plan should include controls to protect the infrastructure resources, the database schema, the records in the table, and network access. By addressing security at every level, you can securely operate an Amazon Redshift data warehouse in the cloud.
The first layer of security comes at the infrastructure level, using IAM policies that limit the actions AWS administrators can perform. With IAM, you can create policies that grant other AWS users the permission to create and manage the lifecycle of a cluster, including scaling, backup, and recovery operations.
At the network level, Amazon Redshift clusters can be deployed within the private IP address space of your Amazon VPC to restrict overall network connectivity. Fine-grained network access can be further restricted using security groups and network ACLs at the subnet level.
In addition to controlling access at the infrastructure level, you must protect access at the database level. When you initially create an Amazon Redshift cluster, you will create a master user account and password. The master account can be used to log in to the Amazon Redshift database and to create more users and groups. Each database user can be granted permission to schemas, tables, and other database objects. These permissions are independent from the IAM policies used to control access to the infrastructure resources and the Amazon Redshift cluster configuration.
Protecting the data stored in Amazon Redshift is another important aspect of your security design. Amazon Redshift supports encryption of data in transit using SSL-encrypted connections, and also encryption of data at rest using multiple techniques. To encrypt data at rest, Amazon Redshift integrates with KMS and AWS CloudHSM for encryption key management services. Encryption at rest and in transit assists in meeting compliance requirements, such as for the Health Insurance Portability and Accountability Act (HIPAA) or the Payment Card Industry Data Security Standard (PCI DSS), and provides additional protections for your data.
Amazon DynamoDB
Amazon DynamoDB is a fully managed NoSQL database service that provides fast and low-latency performance that scales with ease. Amazon DynamoDB lets you offload the administrative burdens of operating a distributed NoSQL database and focus on the application. Amazon DynamoDB significantly simplifies the hardware provisioning, setup and configuration, replication, software patching, and cluster scaling of NoSQL databases.
Amazon DynamoDB is designed to simplify database and cluster management, provide consistently high levels of performance, simplify scalability tasks, and improve reliability with automatic replication. Developers can create a table in Amazon DynamoDB and write an unlimited number of items with consistent latency.
Amazon DynamoDB can provide consistent performance levels by automatically distributing the data and traffic for a table over multiple partitions. After you configure a certain read or write capacity, Amazon DynamoDB will automatically add enough infrastructure capacity to support the requested throughput levels. As your demand changes over time, you can adjust the read or write capacity after a table has been created, and Amazon DynamoDB will add or remove infrastructure and adjust the internal partitioning accordingly.
To help maintain consistent, fast performance levels, all table data is stored on high-performance SSD disk drives. Performance metrics, including transaction rates, can be monitored using Amazon CloudWatch. In addition to providing high performance levels, Amazon DynamoDB also provides automatic high-availability and durability protections by replicating data across multiple Availability Zones within an AWS Region.
Data Model
The basic components of the Amazon DynamoDB data model include tables, items, and attributes. As depicted in Figure 7.3, a table is a collection of items and each item is a collection of one or more attributes. Each item also has a primary key that uniquely identifies the item.
FIGURE 7.3 Table, items, attributes relationship
In a relational database, a table has a predefined schema such as the table name, primary key, list of its column names, and their data types. All records stored in the table must have the same set of columns. In contrast, Amazon DynamoDB only requires that a table have a primary key, but it does not require you to define all of the attribute names and data types in advance. Individual items in an Amazon DynamoDB table can have any number of attributes, although there is a limit of 400 KB on the item size.
Each attribute in an item is a name/value pair. An attribute can be a single-valued or multi-valued set. For example, a book item can have title and authors attributes. Each book has one title but can have many authors. The multi-valued attribute is a set; duplicate values are not allowed. Data is stored in Amazon DynamoDB in key/value pairs such as the following:
    {
        Id = 101
        ProductName = "Book 101 Title"
        ISBN = "123-1234567890"
        Authors = ["Author1", "Author2"]
        Price = 2.88
        Dimensions = "8.5 x 11.0 x 0.5"
        PageCount = 500
        InPublication = 1
        ProductCategory = "Book"
    }
Applications can connect to the Amazon DynamoDB service endpoint and submit requests over HTTP/S to read and write items to a table or even to create and delete tables. DynamoDB provides a web service API that accepts requests in JSON format. While you could program directly against the web service API endpoints, most developers choose to use the AWS Software Development Kit (SDK) to interact with their items and tables. The AWS SDK is available in many different languages and provides a simplified, high-level programming interface.
Data Types
Amazon DynamoDB gives you a lot of flexibility with your database schema. Unlike a traditional relational database that requires you to define your column types ahead of time, DynamoDB only requires a primary key attribute. Each item that is added to the table can then add additional attributes. This gives you flexibility over time to expand your schema without having to rebuild the entire table and deal with record version differences with application logic.
When you create a table or a secondary index, you must specify the names and data types of each primary key attribute (partition key and sort key). Amazon DynamoDB supports a wide range of data types for attributes. Data types fall into three major categories: Scalar, Set, or Document.
Scalar Data Types
A scalar type represents exactly one value. Amazon DynamoDB supports the following five scalar types:
String: Text and variable-length characters up to 400 KB. Supports Unicode with UTF-8 encoding.
Number: Positive or negative number with up to 38 digits of precision.
Binary: Binary data, images, compressed objects up to 400 KB in size.
Boolean: Binary flag representing a true or false value.
Null: Represents a blank, empty, or unknown state. String, Number, Binary, and Boolean cannot be empty.
Set Data Types
Sets are useful to represent a unique list of one or more scalar values. Each value in a set needs to be unique and must be the same data type. Sets do not guarantee order. Amazon DynamoDB supports three set types: String Set, Number Set, and Binary Set.
String Set: Unique list of String attributes.
Number Set: Unique list of Number attributes.
Binary Set: Unique list of Binary attributes.
Document Data Types
The Document type is useful to represent multiple nested attributes, similar to the structure of a JSON file. Amazon DynamoDB supports two document types: List and Map. Multiple Lists and Maps can be combined and nested to create complex structures.
List: Each List can be used to store an ordered list of attributes of different data types.
Map: Each Map can be used to store an unordered list of key/value pairs. Maps can be used to represent the structure of any JSON object.
Primary Key
When you create a table, you must specify the primary key of the table in addition to the table name. Like a relational database, the primary key uniquely identifies each item in the table. A primary key will point to exactly one item. Amazon DynamoDB supports two types of primary keys, and this configuration cannot be changed after a table has been created:
Partition Key: The primary key is made of one attribute, a partition (or hash) key. Amazon DynamoDB builds an unordered hash index on this primary key attribute.
Partition and Sort Key: The primary key is made of two attributes. The first attribute is the partition key and the second one is the sort (or range) key. Each item in the table is uniquely identified by the combination of its partition and sort key values. It is possible for two items to have the same partition key value, but those two items must have different sort key values.
Furthermore, each primary key attribute must be defined as type string, number, or binary. Amazon DynamoDB uses the partition key to distribute the request to the right partition.
If you are performing many reads or writes per second on the same primary key, you will not be able to fully use the compute capacity of the Amazon DynamoDB cluster. A best practice is to maximize your throughput by distributing requests across the full range of partition keys.
Provisioned Capacity
When you create an Amazon DynamoDB table, you are required to provision a certain amount of read and write capacity to handle your expected workloads. Based on your configuration settings, DynamoDB will then provision the right amount of infrastructure capacity to meet your requirements with sustained, low-latency response times. Overall capacity is measured in read and write capacity units. These values can later be scaled up or down by using an UpdateTable action.
Each operation against an Amazon DynamoDB table will consume some of the provisioned capacity units. The specific amount of capacity units consumed depends largely on the size of the item, but also on other factors. For read operations, the amount of capacity consumed also depends on the read consistency selected in the request. Read more about eventual and strong consistency later in this chapter.
For example, given a table without a local secondary index, you will consume 1 capacity unit if you read an item that is 4 KB or smaller. Similarly, for write operations you will consume 1 capacity unit if you write an item that is 1 KB or smaller. This means that if you read an item that is 110 KB, you will consume 28 capacity units, or 110/4 = 27.5 rounded up to 28. Read operations that are strongly consistent will use twice the number of capacity units, or 56 in this example.
You can use Amazon CloudWatch to monitor your Amazon DynamoDB capacity and make scaling decisions. There is a rich set of metrics, including ConsumedReadCapacityUnits and ConsumedWriteCapacityUnits. If you do exceed your provisioned capacity for a period of time, requests will be throttled and can be retried later. You can monitor and alert on the ThrottledRequests metric using Amazon CloudWatch to notify you of changing usage patterns.
Secondary Indexes
When you create a table with a partition and sort key (formerly known as a hash and range key), you can optionally define one or more secondary indexes on that table. A secondary index lets you query the data in the table using an alternate key, in addition to queries against the primary key. Amazon DynamoDB supports two different kinds of indexes:
Global Secondary Index: The global secondary index is an index with a partition and sort key that can be different from those on the table. You can create or delete a global secondary index on a table at any time.
Local Secondary Index: The local secondary index is an index that has the same partition key attribute as the primary key of the table, but a different sort key. You can only create a local secondary index when you create a table.
Secondary indexes allow you to search a large table efficiently and avoid an expensive scan operation to find items with specific attributes. These indexes allow you to support different query access patterns and use cases beyond what is possible with only a primary key. While a table can only have one local secondary index, you can have multiple global secondary indexes.
Amazon DynamoDB updates each secondary index when an item is modified. These updates consume write capacity units. For a local secondary index, item updates will consume write capacity units from the main table, while global secondary indexes maintain their own provisioned throughput settings separate from the table.
Writing and Reading Data
After you create a table with a primary key and indexes, you can begin writing and reading items to the table. Amazon DynamoDB provides multiple operations that let you create, update, and delete individual items. Amazon DynamoDB also provides multiple querying options that let you search a table or an index or retrieve a specific item or a batch of items.
Writing Items
Amazon DynamoDB provides three primary API actions to create, update, and delete items: PutItem, UpdateItem, and DeleteItem. Using the PutItem action, you can create a new item with one or more attributes. Calls to PutItem will update an existing item if the primary key already exists. PutItem only requires a table name and a primary key; any additional attributes are optional.
The UpdateItem action will find existing items based on the primary key and replace the attributes. This operation can be useful to only update a single attribute and leave the other attributes unchanged. UpdateItem can also be used to create items if they don't already exist. Finally, you can remove an item from a table by using DeleteItem and specifying a specific primary key.
The UpdateItem action also provides support for atomic counters. Atomic counters allow you to increment and decrement a value and are guaranteed to be consistent across multiple concurrent requests. For example, a counter attribute used to track the overall score of a mobile game can be updated by many clients at the same time.
These three actions also support conditional expressions that allow you to perform validation before an action is applied. For example, you can apply a conditional expression on PutItem that checks that certain conditions are met before the item is created. This can be useful to prevent accidental overwrites or to enforce some type of business logic checks.
Reading Items
After an item has been created, it can be retrieved through a direct lookup by calling the GetItem action or through a search using the Query or Scan action. GetItem allows you to retrieve an item based on its primary key. All of the item's attributes are returned by default, and you have the option to select individual attributes to filter down the results.
If a primary key is composed of a partition key, the entire partition key needs to be specified to retrieve the item. If the primary key is a composite of a partition key and a sort key, GetItem will require both the partition and sort key as well. Each call to GetItem consumes read capacity units based on the size of the item and the consistency option selected.
By default, a GetItem operation performs an eventually consistent read. You can optionally request a strongly consistent read instead; this will consume additional read capacity units, but it will return the most up-to-date version of the item.
Eventual Consistency
When reading items from Amazon DynamoDB, the operation can be either eventually consistent or strongly consistent. Amazon DynamoDB is a distributed system that stores multiple copies of an item across an AWS Region to provide high availability and increased durability. When an item is updated in Amazon DynamoDB, it starts replicating across multiple servers. Because Amazon DynamoDB is a distributed system, the replication can take some time to complete. Because of this we refer to the data as being eventually consistent, meaning that a read request immediately after a write operation might not show the latest change. In some cases, the application needs to guarantee that the data is the latest, and Amazon DynamoDB offers an option for strongly consistent reads.
Eventually Consistent Reads: When you read data, the response might not reflect the results of a recently completed write operation. The response might include some stale data. Consistency across all copies of the data is usually reached within a second; if you repeat your read request after a short time, the response returns the latest data.
Strongly Consistent Reads: When you issue a strongly consistent read request, Amazon DynamoDB returns a response with the most up-to-date data that reflects updates by all prior related write operations to which Amazon DynamoDB returned a successful response. A strongly consistent read might be less available in the case of a network delay or outage. You can request a strongly consistent read result by specifying optional parameters in your request.
Batch Operations
Amazon DynamoDB also provides several operations designed for working with large batches of items, including BatchGetItem and BatchWriteItem. Using the BatchWriteItem action, you can perform up to 25 item creates or updates with a single operation. This allows you to minimize the overhead of each individual call when processing large numbers of items.
Searching Items
Amazon DynamoDB also gives you two operations, Query and Scan, that can be used to search a table or an index. A Query operation is the primary search operation you can use to find items in a table or a secondary index using only primary key attribute values. Each Query requires a partition key attribute name and a distinct value to search. You can optionally provide a sort key value and use a comparison operator to refine the search results. Results are automatically sorted by the primary key and are limited to 1 MB.
In contrast to a Query, a Scan operation will read every item in a table or a secondary index. By default, a Scan operation returns all of the data attributes for every item in the table or index. Each request can return up to 1 MB of data. Items can be filtered out using expressions, but this can be a resource-intensive operation. If the result set for a Query or a Scan exceeds 1 MB, you can page through the results in 1 MB increments.
For most operations, performing a Query operation instead of a Scan operation will be the most efficient option. Performing a Scan operation will result in a full scan of the entire table or secondary index, which is then filtered to provide the desired result. Use a Query operation when possible and avoid a Scan on a large table or index for only a small number of items.
Scaling and Partitioning
Amazon DynamoDB is a fully managed service that abstracts away most of the complexity involved in building and scaling a NoSQL cluster. You can create tables that can scale up to hold a virtually unlimited number of items with consistent low-latency performance. An Amazon DynamoDB table can scale horizontally through the use of partitions to meet the storage and performance requirements of your application. Each individual partition represents a unit of compute and storage capacity. A well-designed application will take the partition structure of a table into account to distribute read and write transactions evenly and achieve high transaction rates at low latencies.
Amazon DynamoDB stores items for a single table across multiple partitions, as represented in Figure 7.4. Amazon DynamoDB decides which partition to store the item in based on the partition key. The partition key is used to distribute the new item among all of the available partitions, and items with the same partition key will be stored on the same partition.
FIGURE 7.4 Table partitioning
As the number of items in a table grows, additional partitions can be added by splitting an existing partition. The provisioned throughput configured for a table is also divided evenly among the partitions. Provisioned throughput allocated to a partition is entirely dedicated to that partition, and there is no sharing of provisioned throughput across partitions.
When a table is created, Amazon DynamoDB configures the table's partitions based on the desired read and write capacity. One single partition can hold about 10 GB of data and supports a maximum of 3,000 read capacity units or 1,000 write capacity units. For partitions that are not fully using their provisioned capacity, Amazon DynamoDB provides some burst capacity to handle spikes in traffic. A portion of your unused capacity will be reserved to handle bursts for short periods.
As storage or capacity requirements change, Amazon DynamoDB can split a partition to accommodate more data or higher provisioned request rates. After a partition is split, however, it cannot be merged back together. Keep this in mind when planning to increase provisioned capacity temporarily and then lower it again. With each additional partition added, each partition's share of the provisioned capacity is reduced.
To achieve the full amount of request throughput provisioned for a table, keep your workload spread evenly across the partition key values. Distributing requests across partition key values distributes the requests across partitions. For example, if a table has 10,000 read capacity units configured but all of the traffic is hitting one partition key, you will not be able to get more than the 3,000 maximum read capacity units that one partition can support.
To maximize Amazon DynamoDB throughput, create tables with a partition key that has a large number of distinct values and ensure that the values are requested fairly uniformly. Adding a random element that can be calculated or hashed is one common technique to improve partition distribution.
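The capacity arithmetic from the Provisioned Capacity section and the hot-partition limit described in the last few paragraphs, as an added example that is not part of the original book: a small Python model in which the SHA-256 bucketing, the three-partition scenario and the `user#…` keys are constructed assumptions (DynamoDB's real partition hash and its burst capacity are not modelled).

```python
"""Constructed model of the DynamoDB capacity rules stated in the text (added
example, not AWS code): 1 RCU per 4 KB eventually consistent read, 1 WCU per
1 KB write, strongly consistent reads cost double, provisioned throughput is
split evenly across partitions, and one partition serves at most 3,000 RCU or
1,000 WCU. Burst capacity is deliberately ignored."""
import hashlib
import math
from collections import Counter

READ_UNIT_BYTES = 4 * 1024    # one RCU covers an eventually consistent read of up to 4 KB
WRITE_UNIT_BYTES = 1024       # one WCU covers a write of up to 1 KB
PARTITION_MAX_RCU = 3000
PARTITION_MAX_WCU = 1000


def read_capacity_units(item_bytes, strongly_consistent=False):
    """RCUs consumed by one read, rounded up to whole 4 KB units (110 KB -> 28, or 56 strong)."""
    units = math.ceil(item_bytes / READ_UNIT_BYTES)
    return units * 2 if strongly_consistent else units


def write_capacity_units(item_bytes):
    """WCUs consumed by one PutItem/UpdateItem/DeleteItem, rounded up to 1 KB units."""
    return math.ceil(item_bytes / WRITE_UNIT_BYTES)


def partition_for_key(partition_key, partition_count):
    """Map a partition key to a partition index. DynamoDB's internal hash
    function is not public; a SHA-256 bucket stands in for it (assumption)."""
    digest = hashlib.sha256(partition_key.encode("utf-8")).digest()
    return int.from_bytes(digest[:8], "big") % partition_count


def per_partition_units(table_units, partition_count, partition_max):
    """Each partition gets an even share of the table's units, capped by the hard limit."""
    return min(table_units // partition_count, partition_max)


def sharded_key(partition_key, discriminator, shard_count):
    """The 'calculated suffix' technique from the text: derive a suffix from a
    value both writer and reader know (here a per-item discriminator) so that
    one logical key is spread over shard_count physical keys."""
    h = hashlib.sha256(str(discriminator).encode("utf-8")).digest()
    return f"{partition_key}#{int.from_bytes(h[:4], 'big') % shard_count}"


def simulate_reads(requests, table_rcu, partition_count, strongly_consistent=False):
    """Apply one second of reads, given as (partition_key, item_bytes) pairs, and
    report per-partition consumption plus how many requests were throttled
    because their partition's share of the table's RCUs was already used up."""
    budget = per_partition_units(table_rcu, partition_count, PARTITION_MAX_RCU)
    consumed = Counter()
    throttled = 0
    for key, size in requests:
        part = partition_for_key(key, partition_count)
        cost = read_capacity_units(size, strongly_consistent)
        if consumed[part] + cost > budget:
            throttled += 1      # the request is rejected and would have to be retried
            continue
        consumed[part] += cost
    return {"budget_per_partition": budget,
            "consumed": dict(consumed),
            "throttled": throttled}


if __name__ == "__main__":
    # Constructed scenario: a 10,000 RCU table over 3 partitions receiving
    # 4,000 one-KB reads per second, first all on one key, then sharded.
    hot = simulate_reads([("user#1", 1024)] * 4000, 10000, 3)
    spread = simulate_reads(
        [(sharded_key("user#1", i, 30), 1024) for i in range(4000)], 10000, 3)
    print("single hot key:", hot)
    print("sharded key   :", spread)
```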
Security
Amazon DynamoDB gives you granular control over the access rights and permissions for users and administrators. Amazon DynamoDB integrates with the IAM service to provide strong control over permissions using policies. You can create one or more policies that allow or deny specific operations on specific tables. You can also use conditions to restrict access to individual items or attributes.
All operations must first be authenticated as a valid user or user session. Applications that need to read and write from Amazon DynamoDB need to obtain a set of temporary or permanent access control keys. While these keys could be stored in a configuration file, a best practice is for applications running on AWS to use IAM Amazon EC2 instance profiles to manage credentials. IAM Amazon EC2 instance profiles or roles allow you to avoid storing sensitive keys in configuration files that must then be secured.
For mobile applications, a best practice is to use a combination of web identity federation with the AWS Security Token Service (AWS STS) to issue temporary keys that expire after a short period.
Amazon DynamoDB also provides support for fine-grained access control that can restrict access to specific items within a table or even specific attributes within an item. For example, you may want to limit a user to only access his or her items within a table and prevent access to items associated with a different user. Using conditions in an IAM policy allows you to restrict which actions a user can perform, on which tables, and to which attributes a user can read or write.
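The per-user restriction just described, as an added example that is neither the book's nor AWS's code: a constructed IAM policy that uses the real `dynamodb:LeadingKeys` and `dynamodb:Attributes` condition keys, plus a deliberately small Python evaluator that mimics only enough of IAM (default deny, an explicit Allow when action, resource and every condition match) to check requests against the policy offline. The account id, table name and caller ids are placeholders.

```python
"""Constructed fine-grained access control example (added, not AWS code).
The evaluator below is a simplified model of IAM, not the IAM engine: it
supports Allow/Deny statements, '*'/'?' wildcards in Action and Resource,
and the ForAllValues:StringEquals condition operator used by this pattern."""
import re

# IAM policy variable that IAM replaces with the federated caller's identity.
CALLER_VARIABLE = "${cognito-identity.amazonaws.com:sub}"

POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["dynamodb:GetItem", "dynamodb:Query",
                   "dynamodb:PutItem", "dynamodb:UpdateItem"],
        # placeholder account id and table name
        "Resource": ["arn:aws:dynamodb:us-east-1:111122223333:table/GameScores"],
        "Condition": {
            "ForAllValues:StringEquals": {
                # every partition key value in the request must be the caller's own id
                "dynamodb:LeadingKeys": [CALLER_VARIABLE],
                # every attribute the request reads or writes must be in this list
                "dynamodb:Attributes": ["UserId", "GameTitle", "TopScore"],
            }
        },
    }],
}


def _matches(pattern, value):
    """IAM-style string match: '*' and '?' wildcards, otherwise literal and case-sensitive."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value) is not None


def is_allowed(policy, caller_sub, action, table_arn, partition_keys, attributes):
    """Decide one request under the policy.

    partition_keys: partition key values the request names (dynamodb:LeadingKeys)
    attributes:     attribute names the request reads or writes (dynamodb:Attributes)
    """
    context = {
        "dynamodb:LeadingKeys": set(partition_keys),
        "dynamodb:Attributes": set(attributes),
    }
    decision = False                      # IAM's default: deny
    for stmt in policy["Statement"]:
        if not any(_matches(a, action) for a in stmt["Action"]):
            continue
        if not any(_matches(r, table_arn) for r in stmt["Resource"]):
            continue
        conditions = stmt.get("Condition", {}).get("ForAllValues:StringEquals", {})
        for key, allowed in conditions.items():
            allowed_values = {v.replace(CALLER_VARIABLE, caller_sub) for v in allowed}
            # ForAllValues: the request's value set must be a subset of the policy's.
            # An empty request set satisfies it, which is why the documented AWS
            # pattern also constrains dynamodb:Select; that key is not modelled here.
            if not context.get(key, set()) <= allowed_values:
                break
        else:
            if stmt["Effect"] == "Deny":
                return False              # an explicit Deny always wins
            decision = True
    return decision


if __name__ == "__main__":
    table = POLICY["Statement"][0]["Resource"][0]
    # Constructed requests: a caller reading its own row, then another user's row.
    print(is_allowed(POLICY, "sub-alice", "dynamodb:GetItem", table,
                     ["sub-alice"], ["UserId", "TopScore"]))   # True
    print(is_allowed(POLICY, "sub-alice", "dynamodb:GetItem", table,
                     ["sub-bob"], ["UserId", "TopScore"]))     # False
```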
Amazon DynamoDB Streams
A common requirement for many applications is to keep track of recent changes and then perform some kind of processing on the changed records. Amazon DynamoDB Streams makes it easy to get a list of item modifications for the last 24-hour period. For example, you might need to calculate metrics on a rolling basis and update a dashboard, or maybe synchronize two tables or log activity and changes to an audit trail. With Amazon DynamoDB Streams, these types of applications become easier to build.
Amazon DynamoDB Streams allows you to extend application functionality without modifying the original application. By reading the log of activity changes from the stream, you can build new integrations or support new reporting requirements that weren't part of the original design.
Each item change is buffered in a time-ordered sequence or stream that can be read by other applications. Changes are logged to the stream in near real-time and allow you to respond quickly or chain together a sequence of events based on a modification.
Streams can be enabled or disabled for an Amazon DynamoDB table using the AWS Management Console, Command Line Interface (CLI), or SDK. A stream consists of stream records. Each stream record represents a single data modification in the Amazon DynamoDB table to which the stream belongs. Each stream record is assigned a sequence number, reflecting the order in which the record was published to the stream.
Stream records are organized into groups, also referred to as shards. Each shard acts as a container for multiple stream records and contains information on accessing and iterating through the records. Shards live for a maximum of 24 hours and, with fluctuating load levels, could be split one or more times before they are eventually closed.
To build an application that reads from a shard, it is recommended to use the Amazon DynamoDB Streams Kinesis Adapter. The Kinesis Client Library (KCL) simplifies the application logic required to process reading records from streams and shards.
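The audit-trail use of Streams described above, as an added example that is not part of the book: hand-written stream records in the documented record shape (eventName, and Keys, OldImage, NewImage and SequenceNumber under `dynamodb`, with values in DynamoDB's typed JSON form), built from the book item shown earlier in the chapter, and a Python consumer that orders them by sequence number and records which attributes changed. Reading live shards through the Kinesis Adapter is not shown.

```python
"""Constructed DynamoDB Streams audit-trail consumer (added example, not AWS code).
SAMPLE_RECORDS is hand-written sample data in the documented stream record
shape, not captured from a real stream, and is deliberately out of order so the
consumer has to sort by SequenceNumber as the text says."""
from decimal import Decimal

SAMPLE_RECORDS = [
    {"eventID": "r2", "eventName": "MODIFY", "eventSource": "aws:dynamodb",
     "dynamodb": {"SequenceNumber": "200", "StreamViewType": "NEW_AND_OLD_IMAGES",
                  "Keys": {"Id": {"N": "101"}},
                  "OldImage": {"Id": {"N": "101"}, "ProductName": {"S": "Book 101 Title"},
                               "Price": {"N": "2.88"}, "Authors": {"SS": ["Author1", "Author2"]}},
                  "NewImage": {"Id": {"N": "101"}, "ProductName": {"S": "Book 101 Title"},
                               "Price": {"N": "3.50"}, "Authors": {"SS": ["Author1", "Author2"]}}}},
    {"eventID": "r1", "eventName": "INSERT", "eventSource": "aws:dynamodb",
     "dynamodb": {"SequenceNumber": "100", "StreamViewType": "NEW_AND_OLD_IMAGES",
                  "Keys": {"Id": {"N": "101"}},
                  "NewImage": {"Id": {"N": "101"}, "ProductName": {"S": "Book 101 Title"},
                               "Price": {"N": "2.88"}, "Authors": {"SS": ["Author1", "Author2"]}}}},
    {"eventID": "r3", "eventName": "REMOVE", "eventSource": "aws:dynamodb",
     "dynamodb": {"SequenceNumber": "300", "StreamViewType": "NEW_AND_OLD_IMAGES",
                  "Keys": {"Id": {"N": "101"}},
                  "OldImage": {"Id": {"N": "101"}, "ProductName": {"S": "Book 101 Title"},
                               "Price": {"N": "3.50"}, "Authors": {"SS": ["Author1", "Author2"]}}}},
]


def unmarshal(value):
    """Convert one typed DynamoDB value ({"S": ...}, {"N": ...}, ...) to a Python value."""
    (kind, payload), = value.items()
    if kind == "S" or kind == "BOOL":
        return payload
    if kind == "N":
        return Decimal(payload)           # numbers arrive as strings; keep full precision
    if kind == "NULL":
        return None
    if kind == "SS":
        return frozenset(payload)         # sets are unordered, so compare as sets
    if kind == "NS":
        return frozenset(Decimal(n) for n in payload)
    if kind == "L":
        return [unmarshal(v) for v in payload]
    if kind == "M":
        return {k: unmarshal(v) for k, v in payload.items()}
    raise ValueError(f"unsupported attribute type {kind}")


def unmarshal_image(image):
    """An absent image (INSERT has no OldImage, REMOVE no NewImage) is an empty item."""
    return {name: unmarshal(v) for name, v in (image or {}).items()}


def audit_entries(records):
    """Turn stream records into audit entries in sequence order, one per
    modification, listing each changed attribute with its before/after values."""
    entries = []
    for rec in sorted(records, key=lambda r: int(r["dynamodb"]["SequenceNumber"])):
        data = rec["dynamodb"]
        old = unmarshal_image(data.get("OldImage"))
        new = unmarshal_image(data.get("NewImage"))
        changes = {name: (old.get(name), new.get(name))
                   for name in sorted(set(old) | set(new))
                   if old.get(name) != new.get(name)}
        entries.append({"sequence": int(data["SequenceNumber"]),
                        "event": rec["eventName"],
                        "key": unmarshal_image(data["Keys"]),
                        "changes": changes})
    return entries


if __name__ == "__main__":
    for entry in audit_entries(SAMPLE_RECORDS):
        print(entry["sequence"], entry["event"], entry["key"], entry["changes"])
```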
Summary
In this chapter, you learned the basic concepts of relational databases, data warehouses, and NoSQL databases. You also learned about the benefits and features of the AWS managed database services Amazon RDS, Amazon Redshift, and Amazon DynamoDB.
Amazon RDS manages the heavy lifting involved in administering a database infrastructure and software and lets you focus on building the relational schemas that best fit your use case and the performance tuning to optimize your queries.
Amazon RDS supports popular open-source and commercial database engines and provides a consistent operational model for common administrative tasks. Increase your availability by running a master-slave configuration across Availability Zones using Multi-AZ deployment. Scale your application and increase your database read performance using read replicas.
Amazon Redshift allows you to deploy a data warehouse cluster that is optimized for analytics and reporting workloads within minutes. Amazon Redshift distributes your records using columnar storage and parallelizes your query execution across multiple compute nodes to deliver fast query performance. Amazon Redshift clusters can be scaled up or down to support large, petabyte-scale databases using SSD or magnetic disk storage.
Connect to Amazon Redshift clusters using standard SQL clients with JDBC/ODBC drivers and execute SQL queries using many of the same analytics and ETL tools that you use today. Load data into your Amazon Redshift clusters using the COPY command to bulk import flat files stored in Amazon S3, then run standard SELECT commands to search and query the table.
Back up both your Amazon RDS databases and Amazon Redshift clusters using automated and manual snapshots to allow for point-in-time recovery. Secure your Amazon RDS and Amazon Redshift databases using a combination of IAM, database-level access control, network-level access control, and data encryption techniques.
Amazon DynamoDB simplifies the administration and operations of a NoSQL database in the cloud. Amazon DynamoDB allows you to create tables quickly that can scale to an unlimited number of items and configure very high levels of provisioned read and write capacity.
Amazon DynamoDB tables provide a flexible data storage mechanism that only requires a primary key and allows for one or more attributes. Amazon DynamoDB supports both simple scalar data types like String and Number, and also more complex structures using List and Map. Secure your Amazon DynamoDB tables using IAM and restrict access to items and attributes using fine-grained access control.
Amazon DynamoDB will handle the difficult task of cluster and partition management and provide you with a highly available database table that replicates data across Availability Zones for increased durability. Track and process recent changes by tapping into Amazon DynamoDB Streams.
Exam Essentials
Know what a relational database is. A relational database consists of one or more tables. Communication to and from relational databases usually involves simple SQL queries, such as "Add a new record," or "What is the cost of product x?" These simple queries are often referred to as OLTP.
Understand which databases are supported by Amazon RDS. Amazon RDS currently supports six relational database engines:
Microsoft SQL Server
MySQL Server
Oracle
PostgreSQL
MariaDB
Amazon Aurora
Understand the operational benefits of using Amazon RDS. Amazon RDS is a managed service provided by AWS. AWS is responsible for patching, antivirus, and management of the underlying guest OS for Amazon RDS. Amazon RDS greatly simplifies the process of setting up a secondary slave with replication for failover and setting up read replicas to offload queries.
Remember that you cannot access the underlying OS for Amazon RDS DB Instances. You cannot use Remote Desktop Protocol (RDP) or SSH to connect to the underlying OS. If you need to access the OS, install custom software or agents, or want to use a database engine not supported by Amazon RDS, consider running your database on Amazon EC2 instead.
Know that you can increase availability using Amazon RDS Multi-AZ deployment. Add fault tolerance to your Amazon RDS database using Multi-AZ deployment. You can quickly set up a secondary DB Instance in another Availability Zone with Multi-AZ for rapid failover.
Understand the importance of RPO and RTO. Each application should set RPO and RTO targets to define the amount of acceptable data loss and also the amount of time required to recover from an incident. Amazon RDS can be used to meet a wide range of RPO and RTO requirements.
Understand that Amazon RDS handles Multi-AZ failover for you. If your primary Amazon RDS Instance becomes unavailable, AWS fails over to your secondary instance in another Availability Zone automatically. This failover is done by pointing your existing database endpoint to a new IP address. You do not have to change the connection string manually; AWS handles the DNS change automatically.
Remember that Amazon RDS read replicas are used for scaling out and increased performance. This replication feature makes it easy to scale out your read-intensive databases. Read replicas are currently supported in Amazon RDS for MySQL, PostgreSQL, and Amazon Aurora. You can create one or more replicas of a database within a single AWS Region or across multiple AWS Regions. Amazon RDS uses native replication to propagate changes made to a source DB Instance to any associated read replicas. Amazon RDS also supports cross-region read replicas to replicate changes asynchronously to another geography or AWS Region.
Know what a NoSQL database is. NoSQL databases are non-relational databases, meaning that you do not have to have an existing table created in which to store your data. NoSQL databases come in the following formats:
Document databases
Graph stores
Key/value stores
Wide-column stores
Remember that Amazon DynamoDB is AWS's NoSQL service. You should remember that for NoSQL databases, AWS provides a fully managed service called Amazon DynamoDB. Amazon DynamoDB is an extremely fast NoSQL database with predictable performance and high scalability. You can use Amazon DynamoDB to create a table that can store and retrieve any amount of data and serve any level of request traffic. Amazon DynamoDB automatically spreads the data and traffic for the table over a sufficient number of partitions to handle the request capacity specified by the customer and the amount of data stored, while maintaining consistent and fast performance.
Know what a data warehouse is. A data warehouse is a central repository for data that can come from one or more sources. This data repository would be used for query and analysis using OLAP. An organization's management typically uses a data warehouse to compile reports on specific data. Data warehouses are usually queried with highly complex queries.
Remember that Amazon Redshift is AWS's data warehouse service. You should remember that Amazon Redshift is Amazon's data warehouse service. Amazon Redshift organizes the data by column instead of storing data as a series of rows. Because only the columns involved in the queries are processed and columnar data is stored sequentially on the storage media, column-based systems require far fewer I/Os, which greatly improves query performance. Another advantage of columnar data storage is the increased compression, which can further reduce overall I/O.
Exercises
In order to pass the exam, you should practice deploying databases and creating tables using Amazon RDS, Amazon DynamoDB, and Amazon Redshift. Remember to delete any resources you provision to minimize any charges.
EXERCISE 7.1
Create a MySQL Amazon RDS Instance
1. Log in to the AWS Management Console, and navigate to the Amazon RDS Console.
2. Launch a new Amazon RDS DB Instance, and select MySQL Community Edition instance as the database engine.
3. Configure the DB Instance to use Multi-AZ and General Purpose (SSD) storage.
Warning: This is not eligible for AWS Free Tier; you will incur a small charge by provisioning this instance.
4. Set the DB Instance identifier and database name to MySQL123, and configure the master username and password.
5. Validate the configuration settings, and launch the DB Instance.
6. Return to the list of the Amazon RDS instances. You will see the status of your Amazon RDS database as Creating. It may take up to 20 minutes to create your new Amazon RDS instance.
You have provisioned your first Amazon RDS instance using Multi-AZ.
EXERCISE 7.2
Simulate a Failover from One AZ to Another
In this exercise, you will use Multi-AZ failover to simulate a failover from one Availability Zone to another.
1. In the Amazon RDS Console, view the list of DB Instances.
2. Find your DB Instance called MySQL123, and check its status. When its status is Available, proceed to the next step.
3. Select the instance, and issue a Reboot command from the actions menu.
4. Confirm the reboot.
You have now simulated a failover from one Availability Zone to another using Multi-AZ failover. The failover should take approximately two or three minutes.
EXERCISE 7.3
Create a Read Replica
In this exercise, you will create a read replica of your existing MySQL123 DB server.
1. In the Amazon RDS Console, view the list of DB Instances.
2. Find your DB Instance called MySQL123, and check its status. When its status is Available, proceed to the next step.
3. Select the instance, and issue a Create Read Replica command from the list of actions.
4. Configure the name of the read replica and any other settings. Create the replica.
5. Wait for the replica to be created, which can typically take several minutes. When it is complete, delete both the MySQL123 and MySQLReadReplica databases by clicking the check boxes next to them, clicking the Instance Actions drop-down box, and then clicking Delete.
In the preceding exercises, you created a new Amazon RDS MySQL instance with Multi-AZ enabled. You then simulated a failover from one Availability Zone to another by rebooting the primary instance. After that, you scaled your Amazon RDS instance out by creating a read replica of the primary database. Delete the DB Instance.
EXERCISE 7.4
Read and Write from a DynamoDB Table
In this exercise, you will create an Amazon DynamoDB table and then read and write to it using the AWS Management Console.
1. Log in to the AWS Management Console, and view the Amazon DynamoDB console.
2. Create a new table named UserProfile with a partition key of userID of type String.
3. After the table has been created, view the list of items in the table.
4. Using the Amazon DynamoDB console, create and save a new item in the table. Set the userID to U01, and append another String attribute called name with a value of Joe.
5. Perform a scan on the table to retrieve the new item.
You have now created a simple Amazon DynamoDB table, put a new item, and retrieved it using Scan. Delete the DynamoDB table.
EXERCISE 7.5
Launch a Redshift Cluster
In this exercise, you will create a data warehouse using Amazon Redshift and then read and write to it using the AWS Management Console.
1. Log in to the AWS Management Console, and view the Amazon Redshift Console.
2. Create a new cluster, configuring the database name, username, and password.
3. Configure the cluster to be single node using one SSD-backed storage node.
4. Launch the cluster into an Amazon VPC using the appropriate security group.
5. Install and configure SQL Workbench on your local computer, and connect to the new cluster.
6. Create a new table and load data using the COPY command.
You have now created an Amazon Redshift cluster and connected to it using a standard SQL client. Delete the cluster when you have completed the exercise.
Review Questions
1. Which AWS database service is best suited for traditional Online Transaction Processing (OLTP)?
A. Amazon Redshift
B. Amazon Relational Database Service (Amazon RDS)
C. Amazon Glacier
D. Elastic Database
2. Which AWS database service is best suited for non-relational databases?
A. Amazon Redshift
B. Amazon Relational Database Service (Amazon RDS)
C. Amazon Glacier
D. Amazon DynamoDB
3. You are a solutions architect working for a media company that hosts its website on AWS. Currently, there is a single Amazon Elastic Compute Cloud (Amazon EC2) Instance on AWS with MySQL installed locally to that Amazon EC2 Instance. You have been asked to make the company's production environment more resilient and to increase performance. You suggest that the company split out the MySQL database onto an Amazon RDS Instance with Multi-AZ enabled. This addresses the company's increased resiliency requirements. Now you need to suggest how you can increase performance. Ninety-nine percent of the company's end users are magazine subscribers who will be reading additional articles on the website, so only one percent of end users will need to write data to the site. What should you suggest to increase performance?
A. Alter the connection string so that if a user is going to write data, it is written to the secondary copy of the Multi-AZ database.
B. Alter the connection string so that if a user is going to write data, it is written to the primary copy of the Multi-AZ database.
C. Recommend that the company use read replicas, and distribute the traffic across multiple read replicas.
D. Migrate the MySQL database to Amazon Redshift to take advantage of columnar storage and maximize performance.
4. Which AWS Cloud service is best suited for Online Analytics Processing (OLAP)?
A. Amazon Redshift
B. Amazon Relational Database Service (Amazon RDS)
C. Amazon Glacier
D. Amazon DynamoDB
5. You have been using Amazon Relational Database Service (Amazon RDS) for the last year to run an important application with automated backups enabled. One of your team members is performing routine maintenance and accidentally drops an important table, causing an outage. How can you recover the missing data while minimizing the duration of the outage?
A. Perform an undo operation and recover the table.
B. Restore the database from a recent automated DB snapshot.
C. Restore only the dropped table from the DB snapshot.
D. The data cannot be recovered.
6. Which Amazon Relational Database Service (Amazon RDS) database engines support Multi-AZ?
A. All of them
B. Microsoft SQL Server, MySQL, and Oracle
C. Oracle, Amazon Aurora, and PostgreSQL
D. MySQL
7. Which Amazon Relational Database Service (Amazon RDS) database engines support read replicas?
A. Microsoft SQL Server and Oracle
B. MySQL, MariaDB, PostgreSQL, and Aurora
C. Aurora, Microsoft SQL Server, and Oracle
D. MySQL and PostgreSQL
8. Your team is building an order processing system that will span multiple Availability Zones. During testing, the team wanted to test how the application will react to a database failover. How can you enable this type of test?
A. Force a Multi-AZ failover from one Availability Zone to another by rebooting the primary instance using the Amazon RDS console.
B. Terminate the DB instance, and create a new one. Update the connection string.
C. Create a support case asking for a failover.
D. It is not possible to test a failover.
9. You are a system administrator whose company has moved its production database to AWS. Your company monitors its estate using Amazon CloudWatch, which sends alarms using Amazon Simple Notification Service (Amazon SNS) to your mobile phone. One night, you get an alert that your primary Amazon Relational Database Service (Amazon RDS) Instance has gone down. You have Multi-AZ enabled on this instance. What should you do to ensure the failover happens quickly?
A. Update your Domain Name System (DNS) to point to the secondary instance's new IP address, forcing your application to fail over to the secondary instance.
B. Connect to your server using Secure Shell (SSH) and update your connection strings so that your application can communicate to the secondary instance instead of the failed primary instance.
C. Take a snapshot of the secondary instance and create a new instance using this snapshot, then update your connection string to point to the new instance.
D. No action is necessary. Your connection string points to the database endpoint, and AWS automatically updates this endpoint to point to your secondary instance.
10. You are working for a small organization without a dedicated database administrator on staff. You need to install Microsoft SQL Server Enterprise edition quickly to support an accounting back office application on Amazon Relational Database Service (Amazon RDS). What should you do?
A. Launch an Amazon RDS DB Instance, and select Microsoft SQL Server Enterprise Edition under the Bring Your Own License (BYOL) model.
B. Provision SQL Server Enterprise Edition using the License Included option from the Amazon RDS Console.
C. SQL Server Enterprise edition is only available via the Command Line Interface (CLI). Install the command-line tools on your laptop, and then provision your new Amazon RDS Instance using the CLI.
D. You cannot use SQL Server Enterprise edition on Amazon RDS. You should install this onto a dedicated Amazon Elastic Compute Cloud (Amazon EC2) Instance.
11. You are building the database tier for an enterprise application that gets occasional activity throughout the day. Which storage type should you select as your default option?
A. Magnetic storage
B. General Purpose Solid State Drive (SSD)
C. Provisioned IOPS (SSD)
D. Storage Area Network (SAN)-attached
12. You are designing an e-commerce web application that will scale to potentially hundreds of thousands of concurrent users. Which database technology is best suited to hold the session state for large numbers of concurrent users?
A. Relational database using Amazon Relational Database Service (Amazon RDS)
B. NoSQL database table using Amazon DynamoDB
C. Data warehouse using Amazon Redshift
D. Amazon Simple Storage Service (Amazon S3)
13. Which of the following techniques can you use to help you meet Recovery Point Objective (RPO) and Recovery Time Objective (RTO) requirements? (Choose 3 answers)
A. DB snapshots
B. DB option groups
C. Read replica
D. Multi-AZ deployment
14. When using Amazon Relational Database Service (Amazon RDS) Multi-AZ, how can you offload read requests from the primary? (Choose 2 answers)
A. Configure the connection string of the clients to connect to the secondary node and perform reads while the primary is used for writes.
B. Amazon RDS automatically sends writes to the primary and sends reads to the secondary.
C. Add a read replica DB instance, and configure the client's application logic to use a read replica.
D. Create a caching environment using ElastiCache to cache frequently used data. Update the application logic to read/write from the cache.
15. You are building a large order processing system and are responsible for securing the database. Which actions will you take to protect the data? (Choose 3 answers)
A. Adjust AWS Identity and Access Management (IAM) permissions for administrators.
B. Configure security groups and network Access Control Lists (ACLs) to limit network access.
C. Configure database users, and grant permissions to database objects.
D. Install anti-virus software on the Amazon RDS DB Instance.
16. Your team manages a popular website running an Amazon Relational Database Service (Amazon RDS) MySQL backend. The Marketing department has just informed you about an upcoming television commercial that will drive thousands of new visitors to the website. How can you prepare your database to handle the load? (Choose 3 answers)
A. Vertically scale the DB Instance by selecting a more powerful instance class.
B. Create read replicas to offload read requests and update your application.
C. Upgrade the storage from Magnetic volumes to General Purpose Solid State Drive (SSD) volumes.
D. Upgrade to Amazon Redshift for faster columnar storage.
17. You are building a photo management application that maintains metadata on millions of images in an Amazon DynamoDB table. When a photo is retrieved, you want to display the metadata next to the image. Which Amazon DynamoDB operation will you use to retrieve the metadata attributes from the table?
A. Scan operation
B. Search operation
C. Query operation
D. Find operation
18. You are creating an Amazon DynamoDB table that will contain messages for a social chat application. This table will have the following attributes: Username (String), Timestamp (Number), Message (String). Which attribute should you use as the partition key? The sort key?
A. Username, Timestamp
B. Username, Message
C. Timestamp, Message
D. Message, Timestamp
19. Which of the following statements about Amazon DynamoDB tables are true? (Choose 2 answers)
A. Global secondary indexes can only be created when the table is being created.
B. Local secondary indexes can only be created when the table is being created.
C. You can only have one global secondary index.
D. You can only have one local secondary index.
20. Which of the following workloads are a good fit for running on Amazon Redshift? (Choose 2 answers)
A. Transactional database supporting a busy e-commerce order processing website
B. Reporting database supporting back-office analytics
C. Data warehouse used to aggregate multiple disparate data sources
D. Manage session state and user profile data for thousands of concurrent users
Chapter 8 SQS, SWF, and SNS
THE AWS CERTIFIED SOLUTIONS ARCHITECT ASSOCIATE EXAM OBJECTIVES COVERED IN THIS CHAPTER MAY INCLUDE, BUT ARE NOT LIMITED TO, THE FOLLOWING:
Domain 1.0: Designing highly available, cost-efficient, fault-tolerant, scalable systems
1.1 Identify and recognize cloud architecture considerations, such as fundamental components and effective designs.
Content may include the following:
How to design cloud services
Planning and design
Monitoring and logging
Familiarity with:
Best practices for AWS architecture
Architectural trade-off decisions (e.g., high availability vs. cost, Amazon Relational Database Service [Amazon RDS] vs. installing your own database on Amazon Elastic Compute Cloud [Amazon EC2])
Elasticity and scalability (e.g., Auto Scaling, Amazon Simple Queue Service [Amazon SQS], Elastic Load Balancing, Amazon CloudFront)
Domain 2.0: Implementation/Deployment
2.1 Identify the appropriate techniques and methods using Amazon EC2, Amazon Simple Storage Service (Amazon S3), AWS Elastic Beanstalk, AWS CloudFormation, AWS OpsWorks, Amazon VPC, and AWS Identity and Access Management (IAM) to code and implement a cloud solution.
Domain 4.0: Troubleshooting
Content may include the following:
General troubleshooting information and questions
There are a number of services under the Application and Mobile Services section of the AWS Management Console. At the time of writing this chapter, application services include Amazon Simple Queue Service (Amazon SQS), Amazon Simple Workflow Service (Amazon SWF), Amazon AppStream, Amazon Elastic Transcoder, Amazon Simple Email Service (Amazon SES), Amazon CloudSearch, and Amazon API Gateway. Mobile services include Amazon Cognito, Amazon Simple Notification Service (Amazon SNS), AWS Device Farm, and Amazon Mobile Analytics. This chapter focuses on the core services you are required to be familiar with to pass the exam: Amazon SQS, Amazon SWF, and Amazon SNS.
Amazon Simple Queue Service (Amazon SQS)
Amazon SQS is a fast, reliable, scalable, and fully managed message queuing service. Amazon SQS makes it simple and cost effective to decouple the components of a cloud application. You can use Amazon SQS to transmit any volume of data, at any level of throughput, without losing messages or requiring other services to be continuously available.
With Amazon SQS, you can offload the administrative burden of operating and scaling a highly available messaging cluster while paying a low price for only what you use. Using Amazon SQS, you can store application messages on reliable and scalable infrastructure, enabling you to move data between distributed components to perform different tasks as needed.
An Amazon SQS queue is basically a buffer between the application components that receive data and those components that process the data in your system. If your processing servers cannot process the work fast enough (perhaps due to a spike in traffic), the work is queued so that the processing servers can get to it when they are ready. This means that work is not lost due to insufficient resources.
Amazon SQS ensures delivery of each message at least once and supports multiple readers and writers interacting with the same queue. A single queue can be used simultaneously by many distributed application components, with no need for those components to coordinate with one another to share the queue. Although most of the time each message will be delivered to your application exactly once, you should design your system to be idempotent (that is, it must not be adversely affected if it processes the same message more than once).
Amazon SQS is engineered to be highly available and to deliver messages reliably and efficiently; however, the service does not guarantee First In, First Out (FIFO) delivery of messages. For many distributed applications, each message can stand on its own and, if all messages are delivered, the order is not important. If your system requires that order be preserved, you can place sequencing information in each message so that you can reorder the messages when they are retrieved from the queue.
Message Lifecycle
The diagram and process shown in Figure 8.1 describe the lifecycle of an Amazon SQS message, called Message A, from creation to deletion. Assume that a queue already exists.
FIGURE 8.1 Message lifecycle
1. Component 1 sends Message A to a queue, and the message is redundantly distributed across the Amazon SQS servers.
2. When Component 2 is ready to process a message, it retrieves messages from the queue, and Message A is returned. While Message A is being processed, it remains in the queue and is not returned to subsequent receive requests for the duration of the visibility timeout.
3. Component 2 deletes Message A from the queue to prevent the message from being received and processed again after the visibility timeout expires.
Delay Queues and Visibility Timeouts
Delay queues allow you to postpone the delivery of new messages in a queue for a specific number of seconds. If you create a delay queue, any message that you send to that queue will be invisible to consumers for the duration of the delay period. To create a delay queue, use CreateQueue and set the DelaySeconds attribute to any value between 0 and 900 (15 minutes). You can also turn an existing queue into a delay queue by using SetQueueAttributes to set the queue's DelaySeconds attribute. The default value for DelaySeconds is 0.
Delay queues are similar to visibility timeouts in that both features make messages unavailable to consumers for a specific period of time. The difference is that a delay queue hides a message when it is first added to the queue, whereas a visibility timeout hides a message only after that message is retrieved from the queue. Figure 8.2 illustrates the functioning of a visibility timeout.
FIGURE 8.2 Diagram of visibility timeout
When a message is in the queue but is neither delayed nor in a visibility timeout, it is considered to be "in flight." You can have up to 120,000 messages in flight at any given time. Amazon SQS supports up to 12 hours' maximum visibility timeout.
Separate Throughput from Latency
Like many other AWS Cloud services, Amazon SQS is accessed through HTTP request-response, and a typical Amazon SQS request-response takes a bit less than 20 ms from Amazon Elastic Compute Cloud (Amazon EC2). This means that from a single thread, you can, on average, issue 50+ Application Programming Interface (API) requests per second (a bit fewer for batch API requests, but those do more work). The throughput scales horizontally, so the more threads and hosts you add, the higher the throughput. Using this scaling model, some AWS customers have queues that process thousands of messages every second.
Queue Operations, Unique IDs, and Metadata
The defined operations for Amazon SQS queues are CreateQueue, ListQueues, DeleteQueue, SendMessage, SendMessageBatch, ReceiveMessage, DeleteMessage, DeleteMessageBatch, PurgeQueue, ChangeMessageVisibility, ChangeMessageVisibilityBatch, SetQueueAttributes, GetQueueAttributes, GetQueueUrl, ListDeadLetterSourceQueues, AddPermission, and RemovePermission. Only the AWS account owner or an AWS identity that has been granted the proper permissions can perform operations.
Your messages are identified via a globally unique ID that Amazon SQS returns when the message is delivered to the queue. The ID isn't required in order to perform any further actions on the message, but it's useful for tracking whether a particular message in the queue has been received. When you receive a message from the queue, the response includes a receipt handle, which you must provide when deleting the message.
Queue and Message Identifiers
Amazon SQS uses three identifiers that you need to be familiar with: queue URLs, message IDs, and receipt handles.
When creating a new queue, you must provide a queue name that is unique within the scope of all of your queues. Amazon SQS assigns each queue an identifier called a queue URL, which includes the queue name and other components that Amazon SQS determines. Whenever you want to perform an action on a queue, you must provide its queue URL.
Amazon SQS assigns each message a unique ID that it returns to you in the SendMessage response. This identifier is useful for identifying messages, but note that to delete a message, you need the message's receipt handle instead of the message ID. The maximum length of a message ID is 100 characters.
Each time you receive a message from a queue, you receive a receipt handle for that message. The handle is associated with the act of receiving the message, not with the message itself. As stated previously, to delete the message or to change the message visibility, you must provide the receipt handle and not the message ID. This means you must always receive a message before you can delete it (that is, you can't put a message into the queue and then recall it). The maximum length of a receipt handle is 1,024 characters.
Message Attributes
Amazon SQS provides support for message attributes. Message attributes allow you to provide structured metadata items (such as timestamps, geospatial data, signatures, and identifiers) about the message. Message attributes are optional and separate from, but sent along with, the message body. The receiver of the message can use this information to help decide how to handle the message without having to process the message body first. Each message can have up to 10 attributes. To specify message attributes, you can use the AWS Management Console, AWS Software Development Kits (SDKs), or a query API.
Long Polling
When your application queries the Amazon SQS queue for messages, it calls the function ReceiveMessage. ReceiveMessage will check for the existence of a message in the queue and return immediately, either with or without a message. If your code makes periodic calls to the queue, this pattern is sufficient. If your SQS client is just a loop that repeatedly checks for new messages, however, then this pattern becomes problematic, as the constant calls to ReceiveMessage burn CPU cycles and tie up a thread.
In this situation, you will want to use long polling. With long polling, you send a WaitTimeSeconds argument to ReceiveMessage of up to 20 seconds. If there is no message in the queue, then the call will wait up to WaitTimeSeconds for a message to appear before returning. If a message appears before the time expires, the call will return the message right away. Long polling drastically reduces the amount of load on your client.
Dead Letter Queues
Amazon SQS provides support for dead letter queues. A dead letter queue is a queue that other (source) queues can target to send messages that for some reason could not be successfully processed. A primary benefit of using a dead letter queue is the ability to sideline and isolate the unsuccessfully processed messages. You can then analyze any messages sent to the dead letter queue to try to determine the cause of failure.
Messages can be sent to and received from a dead letter queue, just like any other Amazon SQS queue. You can create a dead letter queue from the Amazon SQS API and the Amazon SQS console.
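The message lifecycle of Figure 8.1, the delay and visibility timeout rules, the receipt handle versus message ID distinction, and the dead letter queue redrive, played through in one in-memory model. This is an added example, not code from the book or from AWS: the message bodies, the 5-second delay, the 30-second timeout and the redrive threshold of 3 are constructed, and the model simplifies real Amazon SQS where the comments say so.

```python
import uuid


class FakeClock:
    """Controllable clock in seconds, so the example runs without sleeping."""
    def __init__(self):
        self.now = 0

    def advance(self, seconds):
        self.now += seconds


class Queue:
    """One standard queue. Model simplifications: only the most recent receipt
    handle of a message is honoured, and a redriven message starts a fresh count."""

    def __init__(self, clock, visibility_timeout=30, delay_seconds=0,
                 dead_letter=None, max_receive_count=None):
        self.clock = clock
        self.visibility_timeout = visibility_timeout  # VisibilityTimeout attribute
        self.delay_seconds = delay_seconds            # DelaySeconds attribute (0..900)
        self.dead_letter = dead_letter                # redrive target queue, if any
        self.max_receive_count = max_receive_count    # redrive policy maxReceiveCount
        self._messages = {}  # message_id -> {"body", "visible_at", "receives", "handle"}

    def _store(self, message_id, body, visible_at):
        self._messages[message_id] = {"body": body, "visible_at": visible_at,
                                      "receives": 0, "handle": None}

    def send_message(self, body):
        """SendMessage: returns the message ID. On a delay queue the message
        stays invisible to consumers until DelaySeconds have elapsed."""
        message_id = str(uuid.uuid4())
        self._store(message_id, body, self.clock.now + self.delay_seconds)
        return message_id

    def receive_message(self):
        """ReceiveMessage: hands out visible messages, hiding each for the visibility
        timeout; a message already received max_receive_count times is redriven."""
        now = self.clock.now
        received = []
        for message_id, m in list(self._messages.items()):
            if m["visible_at"] > now:
                continue  # delayed, or in flight under a visibility timeout
            if self.dead_letter is not None and m["receives"] >= self.max_receive_count:
                del self._messages[message_id]
                self.dead_letter._store(message_id, m["body"], now)
                continue
            m["receives"] += 1
            # The receipt handle identifies this act of receiving, not the message.
            m["handle"] = f"{message_id}#{m['receives']}"
            m["visible_at"] = now + self.visibility_timeout
            received.append({"MessageId": message_id, "ReceiptHandle": m["handle"],
                             "Body": m["body"]})
        return received

    def delete_message(self, receipt_handle):
        """DeleteMessage takes a receipt handle; a message ID is not accepted."""
        message_id = receipt_handle.split("#")[0]
        m = self._messages.get(message_id)
        if m is None or m["handle"] != receipt_handle:
            return False  # unknown handle, or stale: the message was received again
        del self._messages[message_id]
        return True


def run_scenario():
    """Message A's lifecycle: delay, receive, a consumer that dies before deleting,
    redelivery, idempotent handling, then a poison message redriven to the DLQ."""
    clock = FakeClock()
    dlq = Queue(clock)
    queue = Queue(clock, visibility_timeout=30, delay_seconds=5,
                  dead_letter=dlq, max_receive_count=3)
    processed = set()  # the consumer's idempotency record, keyed by message ID
    result = {}

    message_id = queue.send_message("order-1")
    result["hidden_by_delay"] = queue.receive_message() == []
    clock.advance(5)
    first = queue.receive_message()[0]
    processed.add(first["MessageId"])  # work done, but the worker dies before DeleteMessage
    clock.advance(10)
    result["hidden_by_visibility"] = queue.receive_message() == []
    clock.advance(25)  # visibility timeout expired: at-least-once means redelivery
    second = queue.receive_message()[0]
    result["same_message_id"] = second["MessageId"] == message_id
    result["new_receipt_handle"] = second["ReceiptHandle"] != first["ReceiptHandle"]
    result["duplicate_detected"] = second["MessageId"] in processed
    result["stale_handle_rejected"] = not queue.delete_message(first["ReceiptHandle"])
    result["deleted_with_current_handle"] = queue.delete_message(second["ReceiptHandle"])

    poison_id = queue.send_message("poison")
    clock.advance(5)
    for _ in range(3):  # received three times and never deleted
        queue.receive_message()
        clock.advance(31)
    result["gone_from_source"] = queue.receive_message() == []
    result["in_dead_letter_queue"] = [m["MessageId"] for m in dlq.receive_message()] == [poison_id]
    return result
```

Every entry of the dict returned by run_scenario() is True; the idempotency record is what keeps the redelivered copy of order-1 from being processed twice.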
Access Control
While IAM can be used to control the interactions of different AWS identities with queues, there are often times when you will want to expose queues to other accounts. These situations may include:
You want to grant another AWS account a particular type of access to your queue (for example, SendMessage).
You want to grant another AWS account access to your queue for a specific period of time.
You want to grant another AWS account access to your queue only if the requests come from your Amazon EC2 instances.
You want to deny another AWS account access to your queue.
While close coordination between accounts may allow these types of actions through the use of IAM roles, that level of coordination is frequently unfeasible.
Amazon SQS Access Control allows you to assign policies to queues that grant specific interactions to other accounts without that account having to assume IAM roles from your account. These policies are written in the same JSON language as IAM. For example, the following sample policy gives the developer with AWS account number 111122223333 the SendMessage permission for the queue named 444455556666/queue1 in the US East (N. Virginia) region.
{
  "Version": "2012-10-17",
  "Id": "Queue1_Policy_UUID",
  "Statement": [
    {
      "Sid": "Queue1_SendMessage",
      "Effect": "Allow",
      "Principal": {
        "AWS": "111122223333"
      },
      "Action": "sqs:SendMessage",
      "Resource": "arn:aws:sqs:us-east-1:444455556666:queue1"
    }
  ]
}
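The four situations listed above expressed as one queue policy, with a small evaluator showing how an explicit Deny, a date condition and a source-address condition change the outcome. This is an added example, not the book's or AWS's code: the second account number, the address range standing in for your EC2 instances and the expiry date are constructed, and the evaluator models only the two condition operators used here.

```python
import ipaddress
import json
from datetime import datetime, timezone
from fnmatch import fnmatchcase

QUEUE_ARN = "arn:aws:sqs:us-east-1:444455556666:queue1"  # the book's sample queue
QUEUE_OWNER = "444455556666"


def statement(sid, effect, account, action, condition=None):
    """One statement allowing or denying `action` on the queue to an account."""
    s = {"Sid": sid, "Effect": effect, "Principal": {"AWS": account},
         "Action": action, "Resource": QUEUE_ARN}
    if condition:
        s["Condition"] = condition
    return s


def build_policy():
    """One statement per situation in the list above (values are constructed)."""
    return {"Version": "2012-10-17", "Id": "Queue1_Policy_UUID", "Statement": [
        # a particular type of access: the book's SendMessage grant
        statement("Queue1_SendMessage", "Allow", "111122223333", "sqs:SendMessage"),
        # access for a specific period of time
        statement("Queue1_ReadUntilYearEnd", "Allow", "111122223333",
                  "sqs:ReceiveMessage",
                  {"DateLessThan": {"aws:CurrentTime": "2017-12-31T23:59:59Z"}}),
        # only when requests come from your EC2 instances (here: their address range)
        statement("Queue1_DeleteFromEc2", "Allow", "111122223333", "sqs:DeleteMessage",
                  {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}),
        # deny another account any access at all (constructed account number)
        statement("Queue1_DenyPartner", "Deny", "999988887777", "sqs:*"),
    ]}


def validate(policy):
    """Two mistakes worth catching before SetQueueAttributes: a Version that is
    not exactly 2012-10-17 (typographic dashes are rejected) and a Resource
    whose account is not the queue owner."""
    problems = []
    if policy.get("Version") != "2012-10-17":
        problems.append("Version must be 2012-10-17")
    for s in policy["Statement"]:
        if s["Resource"].split(":")[4] != QUEUE_OWNER:
            problems.append(f"{s['Sid']}: Resource is not owned by {QUEUE_OWNER}")
    return problems


def _parse_time(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def context(when="2017-06-01T00:00:00Z", source_ip="203.0.113.7"):
    """Request context (constructed) that the conditions are checked against."""
    return {"aws:CurrentTime": _parse_time(when), "aws:SourceIp": source_ip}


def _condition_holds(condition, ctx):
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if operator == "DateLessThan":
                if not ctx[key] < _parse_time(expected):
                    return False
            elif operator == "IpAddress":
                if ipaddress.ip_address(ctx[key]) not in ipaddress.ip_network(expected):
                    return False
            else:
                raise ValueError(f"operator {operator} not modelled")
    return True


def evaluate(policy, account, action, ctx):
    """Minimal resource-policy evaluation: an applicable explicit Deny wins,
    an applicable Allow grants, anything else is the implicit deny."""
    decision = "Deny"
    for s in policy["Statement"]:
        principals = s["Principal"]["AWS"]
        principals = [principals] if isinstance(principals, str) else principals
        actions = s["Action"] if isinstance(s["Action"], list) else [s["Action"]]
        if account not in principals and "*" not in principals:
            continue
        if not any(fnmatchcase(action, pattern) for pattern in actions):
            continue
        if "Condition" in s and not _condition_holds(s["Condition"], ctx):
            continue
        if s["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def policy_json():
    """The policy as it would be passed in the queue's Policy attribute."""
    return json.dumps(build_policy(), indent=2)
```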
Tradeoff Message Durability and Latency
Amazon SQS does not return success to a SendMessage API call until the message is durably stored in Amazon SQS. This makes the programming model very simple, with no doubt about the safety of messages, unlike the situation with an asynchronous messaging model. If you don't need a durable messaging system, however, you can build asynchronous, client-side batching on top of the Amazon SQS libraries that delays the enqueue of messages to Amazon SQS and transmits a set of messages in a batch. Please be aware that with a client-side batching approach, you could potentially lose messages when your client process or client host dies for any reason.
Amazon Simple Workflow Service (Amazon SWF)
Amazon SWF makes it easy to build applications that coordinate work across distributed components. In Amazon SWF, a task represents a logical unit of work that is performed by a component of your application. Coordinating tasks across the application involves managing inter-task dependencies, scheduling, and concurrency in accordance with the logical flow of the application. Amazon SWF gives you full control over implementing and coordinating tasks without worrying about underlying complexities such as tracking their progress and maintaining their state.
When using Amazon SWF, you implement workers to perform tasks. These workers can run either on cloud infrastructure, such as Amazon EC2, or on your own premises. You can create long-running tasks that might fail, time out, or require restarts, or tasks that can complete with varying throughput and latency. Amazon SWF stores tasks, assigns them to workers when they are ready, monitors their progress, and maintains their state, including details on their completion. To coordinate tasks, you write a program that gets the latest state of each task from Amazon SWF and uses it to initiate subsequent tasks. Amazon SWF maintains an application's execution state durably so that the application is resilient to failures in individual components. With Amazon SWF, you can implement, deploy, scale, and modify these application components independently.
Workflows
Using Amazon SWF, you can implement distributed, asynchronous applications as workflows. Workflows coordinate and manage the execution of activities that can be run asynchronously across multiple computing devices and that can feature both sequential and parallel processing.
When designing a workflow, analyze your application to identify its component tasks, which are represented in Amazon SWF as activities. The workflow's coordination logic determines the order in which activities are executed.
Workflow Domains
Domains provide a way of scoping Amazon SWF resources within your AWS account. You must specify a domain for all the components of a workflow, such as the workflow type and activity types. It is possible to have more than one workflow in a domain; however, workflows in different domains cannot interact with one another.
Workflow History
The workflow history is a detailed, complete, and consistent record of every event that occurred since the workflow execution started. An event represents a discrete change in your workflow execution's state, such as scheduled and completed activities, task timeouts, and signals.
Actors
Amazon SWF consists of a number of different types of programmatic features known as actors. Actors can be workflow starters, deciders, or activity workers. These actors communicate with Amazon SWF through its API. You can develop actors in any programming language.
A workflow starter is any application that can initiate workflow executions. For example, one workflow starter could be an e-commerce website where a customer places an order. Another workflow starter could be a mobile application where a customer orders takeout food or requests a taxi.
Activities within a workflow can run sequentially, in parallel, synchronously, or asynchronously. The logic that coordinates the tasks in a workflow is called the decider. The decider schedules the activity tasks and provides input data to the activity workers. The decider also processes events that arrive while the workflow is in progress and closes the workflow when the objective has been completed.
An activity worker is a single computer process (or thread) that performs the activity tasks in your workflow. Different types of activity workers process tasks of different activity types, and multiple activity workers can process the same type of task. When an activity worker is ready to process a new activity task, it polls Amazon SWF for tasks that are appropriate for that activity worker. After receiving a task, the activity worker processes the task to completion and then returns the status and result to Amazon SWF. The activity worker then polls for a new task.
Tasks
Amazon SWF provides activity workers and deciders with work assignments, given as one of three types of tasks: activity tasks, AWS Lambda tasks, and decision tasks.
An activity task tells an activity worker to perform its function, such as to check inventory or charge a credit card. The activity task contains all the information that the activity worker needs to perform its function.
An AWS Lambda task is similar to an activity task, but executes an AWS Lambda function instead of a traditional Amazon SWF activity. For more information about how to define an AWS Lambda task, see the AWS documentation on AWS Lambda tasks.
A decision task tells a decider that the state of the workflow execution has changed so that the decider can determine the next activity that needs to be performed. The decision task contains the current workflow history.
Amazon SWF schedules a decision task when the workflow starts and whenever the state of the workflow changes, such as when an activity task completes. Each decision task contains a paginated view of the entire workflow execution history. The decider analyzes the workflow execution history and responds back to Amazon SWF with a set of decisions that specify what should occur next in the workflow execution. Essentially, every decision task gives the decider an opportunity to assess the workflow and provide direction back to Amazon SWF.
Task Lists
Task lists provide a way of organizing the various tasks associated with a workflow. You could think of task lists as similar to dynamic queues. When a task is scheduled in Amazon SWF, you can specify a queue (task list) to put it in. Similarly, when you poll Amazon SWF for a task, you determine which queue (task list) to get the task from.
Task lists provide a flexible mechanism to route tasks to workers as your use case necessitates. Task lists are dynamic in that you don't need to register a task list or explicitly create it through an action; simply scheduling a task creates the task list if it doesn't already exist.
Long Polling
Deciders and activity workers communicate with Amazon SWF using long polling. The decider or activity worker periodically initiates communication with Amazon SWF, notifying Amazon SWF of its availability to accept a task, and then specifies a task list to get tasks from. Amazon SWF holds the poll request open (for up to 60 seconds) until a task is available or the request times out, so an idle worker is not issuing requests in a tight loop. Long polling works well for high-volume task processing. Deciders and activity workers can manage their own capacity.
Object Identifiers
Amazon SWF objects are uniquely identified as follows, by workflow type, activity type, decision and activity task, and workflow execution:
A registered workflow type is identified by its domain, name, and version. Workflow types are specified in the call to RegisterWorkflowType.
A registered activity type is identified by its domain, name, and version. Activity types are specified in the call to RegisterActivityType.
Each decision task and activity task is identified by a unique task token. The task token is generated by Amazon SWF and is returned with other information about the task in the response from PollForDecisionTask or PollForActivityTask. Although the token is most commonly used by the process that received the task, that process could pass the token to another process, which could then report the completion or failure of the task. Because any holder of a valid token can report the task's result, treat the token like a bearer credential: pass it only over trusted channels and keep it out of logs.
A single execution of a workflow is identified by the domain, workflow ID, and run ID. The first two are parameters that are passed to StartWorkflowExecution. The run ID is returned by StartWorkflowExecution.
Workflow Execution Closure
After you start a workflow execution, it is open. An open workflow execution can be closed as completed, canceled, failed, or timed out. It can also be continued as a new execution, or it can be terminated. The decider, the person administering the workflow, or Amazon SWF can close a workflow execution.
Lifecycle of a Workflow Execution
From the start of a workflow execution to its completion, Amazon SWF interacts with actors by assigning them appropriate tasks: either activity tasks or decision tasks.
Figure 8.3 shows the lifecycle of an order-processing workflow execution from the perspective of the components that act on it.
FIGURE 8.3 Amazon SWF workflow illustration
The following 20 steps describe the workflow detailed in Figure 8.3:
1. A workflow starter calls an Amazon SWF action to start the workflow execution for an order, providing order information.
2. Amazon SWF receives the start workflow execution request and then schedules the first decision task.
3. The decider receives the task from Amazon SWF, reviews the history, and applies the coordination logic to determine that no previous activities occurred. It then makes a decision to schedule the VerifyOrder activity with the information the activity worker needs to process the task and returns the decision to Amazon SWF.
4. Amazon SWF receives the decision, schedules the VerifyOrder activity task, and waits for the activity task to complete or time out.
5. An activity worker that can perform the VerifyOrder activity receives the task, performs it, and returns the results to Amazon SWF.
6. Amazon SWF receives the results of the VerifyOrder activity, adds them to the workflow history, and schedules a decision task.
7. The decider receives the task from Amazon SWF, reviews the history, applies the coordination logic, makes a decision to schedule a ChargeCreditCard activity task with the information the activity worker needs to process the task, and returns the decision to Amazon SWF.
8. Amazon SWF receives the decision, schedules the ChargeCreditCard activity task, and waits for it to complete or time out.
9. An activity worker that can perform the ChargeCreditCard activity receives the task, performs it, and returns the results to Amazon SWF.
10. Amazon SWF receives the results of the ChargeCreditCard activity task, adds them to the workflow history, and schedules a decision task.
11. The decider receives the task from Amazon SWF, reviews the history, applies the coordination logic, makes a decision to schedule a ShipOrder activity task with the information the activity worker needs to perform the task, and returns the decision to Amazon SWF.
12. Amazon SWF receives the decision, schedules a ShipOrder activity task, and waits for it to complete or time out.
13. An activity worker that can perform the ShipOrder activity receives the task, performs it, and returns the results to Amazon SWF.
14. Amazon SWF receives the results of the ShipOrder activity task, adds them to the workflow history, and schedules a decision task.
15. The decider receives the task from Amazon SWF, reviews the history, applies the coordination logic, makes a decision to schedule a RecordCompletion activity task with the information the activity worker needs, and returns the decision to Amazon SWF.
16. Amazon SWF receives the decision, schedules a RecordCompletion activity task, and waits for it to complete or time out.
17. An activity worker that can perform the RecordCompletion activity receives the task, performs it, and returns the results to Amazon SWF.
18. Amazon SWF receives the results of the RecordCompletion activity task, adds them to the workflow history, and schedules a decision task.
19. The decider receives the task from Amazon SWF, reviews the history, applies the coordination logic, makes a decision to close the workflow execution, and returns the decision along with any results to Amazon SWF.
20. Amazon SWF closes the workflow execution and archives the history for future reference.
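The 20 steps above, as an added example that is not part of the book and not AWS code: a Python model in which a decider, a stand-in for the Amazon SWF service, and an activity worker take turns through the Figure 8.3 order workflow. Nothing here calls AWS. The event names mirror the SWF history event types; the FakeSWF class, the task-list names, the order data and the demo_worker function are constructed for illustration. It goes slightly beyond the figure by also showing what the decider does when an activity fails, and why a task token is accepted only once.

```python
# Added example, not AWS code: an in-process model of the SWF lifecycle in
# Figure 8.3. Event names mirror SWF history events; FakeSWF, the task-list
# names, the order data and demo_worker are constructed for illustration.
import secrets
from collections import deque

ORDER_STEPS = ["VerifyOrder", "ChargeCreditCard", "ShipOrder", "RecordCompletion"]


def decide(history):
    """Decider logic: a pure function of the history carried by the decision
    task, so any decider instance can take any decision task."""
    done = [e["activity"] for e in history if e["type"] == "ActivityTaskCompleted"]
    bad = [e for e in history if e["type"] in ("ActivityTaskFailed", "ActivityTaskTimedOut")]
    if bad:  # never ship or record an order whose earlier step failed
        return [{"decision": "FailWorkflowExecution", "reason": f"{bad[0]['activity']}: {bad[0]['type']}"}]
    todo = [step for step in ORDER_STEPS if step not in done]
    if not todo:
        return [{"decision": "CompleteWorkflowExecution", "result": done}]
    order = next(e["input"] for e in history if e["type"] == "WorkflowExecutionStarted")
    return [{"decision": "ScheduleActivityTask", "activity": todo[0], "input": order,
             "task_list": "order-activities"}]


class FakeSWF:
    """Stand-in for the service: a history per run ID, named task lists, single-use task tokens."""

    def __init__(self, domain):
        self.domain = domain
        self.histories = {}   # run_id -> list of events
        self.status = {}      # run_id -> OPEN | COMPLETED | FAILED
        self.task_lists = {}  # task list name -> deque of task tokens
        self.tokens = {}      # task token -> (run_id, task)

    def _enqueue(self, task_list, run_id, task):
        token = secrets.token_hex(16)  # opaque and unguessable; whoever holds it can answer the task
        self.tokens[token] = (run_id, task)
        self.task_lists.setdefault(task_list, deque()).append(token)

    def start_workflow_execution(self, workflow_id, order):
        run_id = secrets.token_hex(8)
        self.histories[run_id] = [{"type": "WorkflowExecutionStarted", "workflow_id": workflow_id, "input": order}]
        self.status[run_id] = "OPEN"
        self._enqueue("order-decisions", run_id, {"kind": "decision"})  # step 2: the first decision task
        return run_id

    def poll(self, task_list):
        """PollForDecisionTask / PollForActivityTask, minus the 60 s long-poll wait."""
        queue = self.task_lists.get(task_list)
        if not queue:
            return None
        token = queue.popleft()
        run_id, task = self.tokens[token]
        return {"taskToken": token, "runId": run_id, "history": list(self.histories[run_id]), **task}

    def _redeem(self, token):
        if token not in self.tokens:
            raise PermissionError("unknown or already used task token")
        return self.tokens.pop(token)  # single use: a replayed token is rejected

    def respond_decision_task_completed(self, token, decisions):
        run_id, _ = self._redeem(token)
        for d in decisions:
            if d["decision"] == "ScheduleActivityTask":
                self.histories[run_id].append({"type": "ActivityTaskScheduled", "activity": d["activity"]})
                self._enqueue(d["task_list"], run_id, {"kind": "activity", "activity": d["activity"], "input": d["input"]})
            elif d["decision"] == "CompleteWorkflowExecution":
                self.histories[run_id].append({"type": "WorkflowExecutionCompleted", "result": d["result"]})
                self.status[run_id] = "COMPLETED"
            elif d["decision"] == "FailWorkflowExecution":
                self.histories[run_id].append({"type": "WorkflowExecutionFailed", "reason": d["reason"]})
                self.status[run_id] = "FAILED"

    def respond_activity_task(self, token, ok, result=None):
        run_id, task = self._redeem(token)
        self.histories[run_id].append({"type": "ActivityTaskCompleted" if ok else "ActivityTaskFailed",
                                       "activity": task["activity"], "result": result})
        self._enqueue("order-decisions", run_id, {"kind": "decision"})  # every state change -> a decision task


def demo_worker(activity, order):
    # Constructed activity worker; real ones would check stock, charge the card, and so on.
    return True, f"{activity} done for order {order['id']}"


def run_order(order, worker=demo_worker, max_rounds=50):
    """Starter, decider and worker take turns until the execution closes.
    Returns the closing status and the history event types in order."""
    swf = FakeSWF("orders")
    run_id = swf.start_workflow_execution(f"order-{order['id']}", order)
    for _ in range(max_rounds):
        if swf.status[run_id] != "OPEN":
            break
        if task := swf.poll("order-decisions"):
            swf.respond_decision_task_completed(task["taskToken"], decide(task["history"]))
        elif task := swf.poll("order-activities"):
            ok, result = worker(task["activity"], task["input"])
            swf.respond_activity_task(task["taskToken"], ok, result)
    return swf.status[run_id], [e["type"] for e in swf.histories[run_id]]
```

Two points worth noticing. The decider keeps no state of its own; it recomputes everything from the history each time, which is what lets several deciders poll the same task list safely and lets a crashed decider be replaced without losing anything. The task token acts as a bearer credential for one task response, so the model rejects a replayed token, which is the behaviour you want in anything that hands tokens from one process to another.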
Amazon Simple Notification Service (Amazon SNS)
Amazon SNS is a web service for mobile and enterprise messaging that enables you to set up, operate, and send notifications. It is designed to make web-scale computing easier for developers. Amazon SNS follows the publish-subscribe (pub-sub) messaging paradigm, with notifications being delivered to clients using a push mechanism that eliminates the need to check periodically (or poll) for new information and updates. For example, you can send notifications to Apple, Android, Fire OS, and Windows devices. In China, you can send messages to Android devices with Baidu Cloud Push. You can use Amazon SNS to send Short Message Service (SMS) messages to mobile device users in the United States or to email recipients worldwide.
Amazon SNS consists of two types of clients: publishers and subscribers (sometimes known as producers and consumers). Publishers communicate to subscribers asynchronously by sending a message to a topic. A topic is simply a logical access point/communication channel that contains a list of subscribers and the methods used to communicate to them. When you send a message to a topic, it is automatically forwarded to each subscriber of that topic using the communication method configured for that subscriber.
Figure 8.4 shows this process at a high level. A publisher issues a message on a topic. The message is then delivered to the subscribers of that topic using different methods, such as Amazon SQS, HTTP, HTTPS, email, SMS, and AWS Lambda.
FIGURE 8.4 Diagram of topic delivery
When using Amazon SNS, you (as the owner) create a topic and control access to it by defining policies that determine which publishers and subscribers can communicate with the topic and via which technologies. Publishers send messages to topics that they created or that they have permission to publish to. Instead of including a specific destination address in each message, a publisher sends a message to the topic, and Amazon SNS delivers the message to each subscriber for that topic. Each topic has a unique name that identifies the Amazon SNS endpoint where publishers post messages and subscribers register for notifications. Subscribers receive all messages published to the topics to which they subscribe, and all subscribers to a topic receive the same messages.
Common Amazon SNS Scenarios
Amazon SNS can support a wide variety of needs, including monitoring applications, workflow systems, time-sensitive information updates, mobile applications, and any other application that generates or consumes notifications. For example, you can use Amazon SNS to relay events in workflow systems among distributed computer applications, move data between data stores, or update records in business systems. Event updates and notifications concerning validation, approval, inventory changes, and shipment status are immediately delivered to relevant system components and end users. Another example use for Amazon SNS is to relay time-critical events to mobile applications and devices. Because Amazon SNS is both highly reliable and scalable, it provides significant advantages to developers who build applications that rely on real-time events.
To help illustrate, the following sections describe some common Amazon SNS scenarios, including fanout scenarios, application and system alerts, push email and text messaging, and mobile push notifications.
Fanout
A fanout scenario is when an Amazon SNS message is sent to a topic and then replicated and pushed to multiple Amazon SQS queues, HTTP endpoints, or email addresses (see Figure 8.5). This allows for parallel asynchronous processing. For example, you can develop an application that sends an Amazon SNS message to a topic whenever an order is placed for a product. Then the Amazon SQS queues that are subscribed to that topic will receive identical notifications for the new order. An Amazon EC2 instance attached to one of the queues handles the processing or fulfillment of the order, while an Amazon EC2 instance attached to a parallel queue sends order data to a data warehouse application/service for analysis.
FIGURE 8.5 Diagram of fanout scenario
Another way to use fanout is to replicate data sent to your production environment and integrate it with your development environment. Expanding upon the previous example, you can subscribe yet another queue to the same topic for new incoming orders. Then, by attaching this new queue to your development environment, you can continue to improve and test your application using data received from your production environment. Bear in mind that this copies live order data, including any customer details the messages carry, into a less tightly controlled environment, so limit what the messages contain or what the development queue's policy admits accordingly.
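The access control described in the topic paragraph above and the queue side of the fanout scenario, as an added example that is neither the book's nor AWS's code: three constructed resource policies, an open topic policy beside a scoped one and the queue policy a fanout queue needs before Amazon SNS may deliver into it, together with a small Python check that flags statements granting a risky action to an anonymous principal with no Condition. The ARNs, the account ID 111122223333, the role name and the statement IDs are made up for illustration.

```python
# Added example, not AWS code: a check for the resource policies that decide
# who may publish to a topic, subscribe to it, or deliver into a fanout queue.
# The ARNs, account ID 111122223333, role name and statement IDs are constructed.
import json

TOPIC_ARN = "arn:aws:sns:us-east-1:111122223333:orders"
QUEUE_ARN = "arn:aws:sqs:us-east-1:111122223333:orders-fulfillment"

# Weak: anyone on the Internet may publish forged orders and attach their own subscription.
OPEN_TOPIC_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "anyone", "Effect": "Allow", "Principal": "*",
     "Action": ["sns:Publish", "sns:Subscribe"], "Resource": TOPIC_ARN}]}

# Scoped: one named role may publish; only the owning account manages subscriptions.
SCOPED_TOPIC_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "order-service-publishes", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/order-service"},
     "Action": "sns:Publish", "Resource": TOPIC_ARN},
    {"Sid": "owner-manages-subscriptions", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": ["sns:Subscribe", "sns:Receive"], "Resource": TOPIC_ARN}]}

# Fanout queue: the SNS service may SendMessage, but only on behalf of this one topic.
FANOUT_QUEUE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "only-our-topic-delivers", "Effect": "Allow",
     "Principal": {"Service": "sns.amazonaws.com"}, "Action": "sqs:SendMessage",
     "Resource": QUEUE_ARN, "Condition": {"ArnEquals": {"aws:SourceArn": TOPIC_ARN}}}]}

# Actions that let a stranger inject into, read from, or take over the channel.
RISKY_ACTIONS = ["sns:Publish", "sns:Subscribe", "sns:Receive", "sns:AddPermission",
                 "sns:SetTopicAttributes", "sns:DeleteTopic", "sqs:SendMessage",
                 "sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:PurgeQueue",
                 "sqs:AddPermission", "sqs:SetQueueAttributes"]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """'*' or {"AWS": "*"} means every AWS account (and anonymous callers where the service allows them)."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def _covers(pattern, action):
    """IAM action matching is case-insensitive and allows a trailing wildcard."""
    pattern, action = pattern.lower(), action.lower()
    if pattern.endswith("*"):
        return action.startswith(pattern[:-1])
    return pattern == action


def find_open_statements(policy):
    """Return (Sid, risky actions) for each Allow statement that grants an anonymous
    principal a risky action with no Condition. Statements with a Condition are
    skipped rather than judged: an all-accounts principal narrowed by aws:SourceOwner
    or aws:SourceArn is the normal shape of a safe policy, and the condition keys
    deserve their own review."""
    if isinstance(policy, str):  # accepts the JSON string returned as the Policy attribute
        policy = json.loads(policy)
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        granted = _as_list(stmt.get("Action", []))
        hits = [a for a in granted if any(_covers(a, risky) for risky in RISKY_ACTIONS)]
        if hits:
            findings.append((stmt.get("Sid", f"statement-{index}"), sorted(hits)))
    return findings
```

The policy document that GetTopicAttributes or GetQueueAttributes returns under the Policy attribute can be passed to find_open_statements as the JSON string. The check deliberately stops at "anonymous principal, risky action, no condition": that combination is never intended, whereas a conditioned statement needs a human to confirm the condition really pins the caller to your account or your topic.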
Application and System Alerts
Application and system alerts are SMS and/or email notifications that are triggered by predefined thresholds. For example, because many AWS Cloud services use Amazon SNS, you can receive immediate notification when an event occurs, such as a specific change to your Auto Scaling group in AWS.
Push Email and Text Messaging
Push email and text messaging are two ways to transmit messages to individuals or groups via email and/or SMS. For example, you can use Amazon SNS to push targeted news headlines to subscribers by email or SMS. Upon receiving the email or SMS text, interested readers can then choose to learn more by visiting a website or launching an application.
Mobile Push Notifications
Mobile push notifications enable you to send messages directly to mobile applications. For example, you can use Amazon SNS for sending notifications to an application, indicating that an update is available. The notification message can include a link to download and install the update.
Summary
In this chapter, you learned about the core application and mobile services that you will be tested on in your AWS Certified Solutions Architect – Associate exam.
Amazon SQS is a unique service designed by Amazon to help you decouple your infrastructure. Using Amazon SQS, you can store messages on reliable and scalable infrastructure as they travel between distributed components of your applications that perform different tasks, without losing messages or requiring each component to be continuously available.
Understand Amazon SQS queue operations, unique IDs, and metadata. Be familiar with queue and message identifiers such as queue URLs, message IDs, and receipt handles. Understand related concepts such as delay queues, message attributes, long polling, message timers, dead letter queues, access control, and the overall message lifecycle.
Amazon SWF allows you to create applications that coordinate work across distributed components. Amazon SWF is driven by tasks, which are logical units of work that different components of your application perform. To manage tasks across your application, you need to be aware of inter-task dependencies, scheduling of tasks, and using tasks concurrently. Amazon SWF simplifies the coordination of workflow tasks, giving you full control over their implementation without worrying about underlying complexities such as tracking their progress and maintaining their state.
You must be familiar with the following Amazon SWF components and the lifecycle of a workflow execution:
Workers, starters, and deciders
Workflows
Workflow history
Actors
Tasks
Domains
Object identifiers
Task lists
Workflow execution closure
Long polling
Amazon SNS is a push notification service that lets you send individual or multiple messages to large numbers of recipients. Amazon SNS consists of two types of clients: publishers and subscribers (sometimes known as producers and consumers). Publishers communicate to subscribers asynchronously by sending a message to a topic. A topic is simply a logical access point/communication channel that contains a list of subscribers and the methods used to communicate to them. When you send a message to a topic, it is automatically forwarded to each subscriber of that topic using the communication method configured for that subscriber.
Amazon SNS can support a wide variety of needs, including monitoring applications, workflow systems, time-sensitive information updates, mobile applications, and any other application that generates or consumes notifications. Understand some common Amazon SNS scenarios, including:
Fanout
Application and system alerts
Push email and text messaging
Mobile push notifications
Exam Essentials
Know how to use Amazon SQS. Amazon SQS is a unique service designed by Amazon to help you to decouple your infrastructure. Using Amazon SQS, you can store messages on reliable and scalable infrastructure as they travel between your servers. This allows you to move data between distributed components of your applications that perform different tasks without losing messages or requiring each component always to be available.
Understand Amazon SQS visibility timeouts. Visibility timeout is a period of time during which Amazon SQS prevents other components from receiving and processing a message because another component is already processing it. By default, the message visibility timeout is set to 30 seconds, and the maximum that it can be is 12 hours. If the consumer does not delete the message before the timeout expires, the message becomes visible again and is delivered again, so consumers must be written to tolerate receiving the same message more than once.
Know how to use Amazon SQS long polling. Long polling allows your Amazon SQS client to poll an Amazon SQS queue. If nothing is there, ReceiveMessage waits between 1 and 20 seconds. If a message arrives in that time, it is returned to the caller as soon as possible. If a message does not arrive in that time, you need to execute the ReceiveMessage function again. This helps you avoid polling in tight loops and prevents you from burning through CPU cycles, keeping costs low.
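The visibility timeout and long polling behaviour described above, as an added example that is not from the book and not AWS code: a Python in-process model of a standard queue (no AWS calls), with the timings shortened to fractions of a second so the whole thing runs in well under a second. The FakeQueue class, the message bodies and the redrive limit are constructed for illustration. It also models the dead letter queue mentioned in the chapter summary, so the at-least-once redelivery path can be followed end to end.

```python
# Added example, not AWS code: an in-process model of an SQS standard queue
# showing the visibility timeout, receipt handles, long polling and a dead-letter
# queue. Timings are shortened for the demo; message bodies are constructed.
import secrets
import threading
import time


class FakeQueue:
    def __init__(self, visibility_timeout=30.0, max_receive_count=None, dead_letter_queue=None):
        self.visibility_timeout = visibility_timeout  # SQS default 30 s, maximum 12 h
        self.max_receive_count = max_receive_count    # redrive policy; None means no dead-letter queue
        self.dlq = dead_letter_queue
        self._msgs = {}                               # message_id -> record
        self._cv = threading.Condition()

    def send_message(self, body, delay_seconds=0.0):
        message_id = secrets.token_hex(8)
        with self._cv:
            self._msgs[message_id] = {"MessageId": message_id, "Body": body, "receive_count": 0,
                                      "receipt": None, "visible_at": time.monotonic() + delay_seconds}
            self._cv.notify_all()                     # wakes any long poller
        return message_id

    def receive_message(self, wait_time_seconds=0.0, visibility_timeout=None):
        """WaitTimeSeconds 0 is a short poll (return at once); above 0 is a long poll
        that blocks until a message is visible or the wait expires."""
        deadline = time.monotonic() + wait_time_seconds
        with self._cv:
            while True:
                now = time.monotonic()
                ready = [m for m in self._msgs.values() if m["visible_at"] <= now]
                if ready:
                    m = min(ready, key=lambda r: r["visible_at"])
                    m["receive_count"] += 1
                    if self.max_receive_count is not None and m["receive_count"] > self.max_receive_count:
                        del self._msgs[m["MessageId"]]  # poison message: move it to the dead-letter queue
                        if self.dlq is not None:
                            self.dlq.send_message(m["Body"])
                        continue
                    timeout = self.visibility_timeout if visibility_timeout is None else visibility_timeout
                    m["visible_at"] = now + timeout     # in flight: hidden from other consumers
                    m["receipt"] = secrets.token_hex(16)  # a fresh receipt handle on every receive
                    return {"MessageId": m["MessageId"], "Body": m["Body"],
                            "ReceiptHandle": m["receipt"], "ApproximateReceiveCount": m["receive_count"]}
                if now >= deadline:
                    return None
                wake_at = min([deadline] + [r["visible_at"] for r in self._msgs.values() if r["visible_at"] > now])
                self._cv.wait(wake_at - now)

    def delete_message(self, receipt_handle):
        """Only the handle from the latest receive deletes; a stale one is ignored,
        as in SQS once the message has been redelivered under a new handle."""
        with self._cv:
            for message_id, m in self._msgs.items():
                if m["receipt"] == receipt_handle:
                    del self._msgs[message_id]
                    return True
            return False


def demo_redelivery():
    """A consumer that receives but never deletes: the message comes back after the
    visibility timeout, and once the receive count passes the limit it is dead-lettered."""
    dlq = FakeQueue()
    q = FakeQueue(visibility_timeout=0.1, max_receive_count=2, dead_letter_queue=dlq)
    q.send_message("order-42")
    first = q.receive_message()
    hidden = q.receive_message()                 # None: the message is in flight
    time.sleep(0.15)
    second = q.receive_message()                 # same message, receive count 2, new handle
    stale_delete = q.delete_message(first["ReceiptHandle"])
    time.sleep(0.15)
    third = q.receive_message()                  # a third receive exceeds the limit: goes to the DLQ
    parked = dlq.receive_message()
    return {"hidden": hidden, "same_message": first["MessageId"] == second["MessageId"],
            "new_handle": first["ReceiptHandle"] != second["ReceiptHandle"],
            "second_count": second["ApproximateReceiveCount"], "stale_delete": stale_delete,
            "third": third, "dead_lettered": parked["Body"] if parked else None}


def demo_long_poll(wait_time_seconds=2.0, send_after=0.1):
    """One long-poll ReceiveMessage returns as soon as a producer sends, long before the wait expires."""
    q = FakeQueue()
    threading.Timer(send_after, q.send_message, args=("late-order",)).start()
    started = time.monotonic()
    msg = q.receive_message(wait_time_seconds=wait_time_seconds)
    return (msg["Body"] if msg else None), time.monotonic() - started
```

The practical consequence for consumers: a message whose processing outlives the visibility timeout is delivered again, so handlers must be idempotent (or extend the timeout with ChangeMessageVisibility before it expires), and only the receipt handle from the most recent receive will delete the message. The long-poll demo is the cost point from the exam essentials made concrete: one request waits for the message instead of a loop of empty responses.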
Know how to use Amazon SWF. Amazon SWF allows you to make applications that coordinate work across distributed components. Amazon SWF is driven by tasks, which are logical units of work that part of your application performs. To manage tasks across your application, you need to be aware of inter-task dependencies, scheduling of tasks, and using tasks concurrently. This is where Amazon SWF can help you. It gives you full control over implementing tasks and coordinating them without worrying about underlying complexities such as tracking their progress and maintaining their state.
Know the basics of an Amazon SWF workflow. A workflow is a collection of activities (coordinated by logic) that carry out a specific goal. For example, a workflow receives a customer order and takes whatever actions are necessary to fulfill it. Each workflow runs in an AWS resource called a domain, which controls the scope of the workflow. An AWS account can have multiple domains, each of which can contain multiple workflows, but workflows in different domains cannot interact.
Understand the different Amazon SWF actors. Amazon SWF interacts with a number of different types of programmatic actors. Actors can be activity workers, workflow starters, or deciders.
Understand Amazon SNS basics. Amazon SNS is a push notification service that lets you send individual or multiple messages to large numbers of recipients. Amazon SNS consists of two types of clients: publishers and subscribers (sometimes known as producers and consumers). Publishers communicate to subscribers asynchronously by sending a message to a topic.
Know the different protocols used with Amazon SNS. You can use the following protocols with Amazon SNS: HTTP, HTTPS, SMS, email, email-JSON, Amazon SQS, and AWS Lambda.
Exercises
In this section, you create a topic and subscription in Amazon SNS and then publish a message to your topic.
EXERCISE 8.1
Create an Amazon SNS Topic
In this exercise, you will create an Amazon SNS topic.
1. Open a browser, and navigate to the AWS Management Console. Sign in to your AWS account.
2. Navigate to Mobile Services and then Amazon SNS to load the Amazon SNS dashboard.
3. Create a new topic, and use MyTopic for both the topic name and the display name.
4. Note that an Amazon Resource Name (ARN) is specified immediately.
Congratulations! You have created your first topic.
EXERCISE 8.2
Create a Subscription to Your Topic
In this exercise, you will create a subscription to the newly created topic using your email address. Then you confirm your email address.
1. In the Amazon SNS dashboard of the AWS Management Console, navigate to Topics.
2. Select the ARN that you just created. Create a Subscription with the protocol of Email, and enter your email address.
3. Create the Subscription.
4. The service sends a confirmation email to your email address. Before this subscription can go live, you need to click on the link in the email that AWS sent you to confirm your email address. Check your email, and confirm your address.
Congratulations! You have now confirmed your email address and created a subscription to a topic.
EXERCISE 8.3
Publish to a Topic
In this exercise, you will publish a message to your newly created topic.
1. In the Amazon SNS dashboard of the AWS Management Console, navigate to Topics.
2. Navigate to the ARN link for your newly created topic.
3. Update the subject with MyTestMessage, leave the message format set to Raw, and set the Time to Live (TTL) field to 300.
4. Publish the message.
5. You should receive an email from your topic name with the subject that you specified. If you do not receive this email, check your junk folder.
Congratulations! In this exercise, you created a new topic, added a new subscription, and then published a message to your new topic. Note the different formats in which you can publish messages, including HTTP and AWS Lambda. Delete your newly created topic and subscriptions after you are finished.
EXERCISE 8.4
Create Queue
1. In the AWS Management Console, navigate to Application Services and then to Amazon SQS to load the Amazon SQS dashboard.
2. Create a new queue with input as the queue name, 60 seconds for the default visibility, and 5 minutes for the message retention period. Leave the remaining default values for this exercise.
3. Create the queue.
Congratulations! In this exercise, you created a new queue. You will publish to this queue in the following exercise.
EXERCISE 8.5
Subscribe Queue to SNS Topic
1. In the AWS Management Console, navigate to Application Services and then to Amazon SQS to load the Amazon SQS dashboard.
2. Subscribe your queue to your Amazon SNS topic.
3. Now return to the Amazon SNS dashboard (in the AWS Management Console under Mobile Services).
4. Publish to your new topic, and use the defaults.
5. Return to the Amazon SQS dashboard (in the AWS Management Console under Application Services).
6. You will notice there is "1 Message Available" in the input queue. Check the input box to the left of the input queue name.
7. Start polling for messages. You should see the Amazon SNS message in your queue.
8. Click the More Details link to see the details of the message.
9. Review your message, and click Close.
10. Delete your message.
Congratulations! In this exercise, you subscribed your input queue to an Amazon SNS topic and viewed your message in your Amazon SQS queue in addition to receiving the message in subscribed email.
Review Questions
1. Which of the following is not a supported Amazon Simple Notification Service (Amazon SNS) protocol?
A. HTTPS
B. AWS Lambda
C. Email-JSON
D. Amazon DynamoDB
2. When you create a new Amazon Simple Notification Service (Amazon SNS) topic, which of the following is created automatically?
A. An Amazon Resource Name (ARN)
B. A subscriber
C. An Amazon Simple Queue Service (Amazon SQS) queue to deliver your Amazon SNS topic
D. A message
3. Which of the following are features of Amazon Simple Notification Service (Amazon SNS)? (Choose 3 answers)
A. Publishers
B. Readers
C. Subscribers
D. Topic
4. What is the default time for an Amazon Simple Queue Service (Amazon SQS) visibility timeout?
A. 30 seconds
B. 60 seconds
C. 1 hour
D. 12 hours
5. What is the longest time available for an Amazon Simple Queue Service (Amazon SQS) visibility timeout?
A. 30 seconds
B. 60 seconds
C. 1 hour
D. 12 hours
6. Which of the following options are valid properties of an Amazon Simple Queue Service (Amazon SQS) message? (Choose 2 answers)
A. Destination
B. Message ID
C. Type
D. Body
7. You are a solutions architect who is working for a mobile application company that wants to use Amazon Simple Workflow Service (Amazon SWF) for their new takeout ordering application. They will have multiple workflows that will need to interact. What should you advise them to do in structuring the design of their Amazon SWF environment?
A. Use multiple domains, each containing a single workflow, and design the workflows to interact across the different domains.
B. Use a single domain containing multiple workflows. In this manner, the workflows will be able to interact.
C. Use a single domain with a single workflow and collapse all activities to within this single workflow.
D. Workflows cannot interact with each other; they would be better off using Amazon Simple Queue Service (Amazon SQS) and Amazon Simple Notification Service (Amazon SNS) for their application.
8. In Amazon Simple Workflow Service (Amazon SWF), which of the following are actors? (Choose 3 answers)
A. Activity workers
B. Workflow starters
C. Deciders
D. Activity tasks
9. You are designing a new application, and you need to ensure that the components of your application are not tightly coupled. You are trying to decide between the different AWS Cloud services to use to achieve this goal. Your requirements are that messages between your application components may not be delivered more than once, tasks must be completed in either a synchronous or asynchronous fashion, and there must be some form of application logic that decides what to do when tasks have been completed. What application service should you use?
A. Amazon Simple Queue Service (Amazon SQS)
B. Amazon Simple Workflow Service (Amazon SWF)
C. Amazon Simple Storage Service (Amazon S3)
D. Amazon Simple Email Service (Amazon SES)
10. How does Amazon Simple Queue Service (Amazon SQS) deliver messages?
A. Last In, First Out (LIFO)
B. First In, First Out (FIFO)
C. Sequentially
D. Amazon SQS doesn't guarantee delivery of your messages in any particular order.
11. Of the following options, what is an efficient way to fan out a single Amazon Simple Notification Service (Amazon SNS) message to multiple Amazon Simple Queue Service (Amazon SQS) queues?
A. Create an Amazon SNS topic using Amazon SNS. Then create multiple Amazon SQS queues and subscribe them to the Amazon SNS topic.
B. Create one Amazon SQS queue that subscribes to multiple Amazon SNS topics.
C. Amazon SNS allows exactly one subscriber to each topic, so fanout is not possible.
D. Create an Amazon SNS topic using Amazon SNS. Create an application that subscribes to that topic and duplicates the message. Send copies to multiple Amazon SQS queues.
12. Your application polls an Amazon Simple Queue Service (Amazon SQS) queue frequently and returns immediately, often with empty ReceiveMessageResponses. What is one thing that can be done to reduce Amazon SQS costs?
A. Pricing on Amazon SQS does not include a cost for service requests; therefore, there is no concern.
B. Increase the timeout value for short polling to wait for messages longer before returning a response.
C. Change the message visibility value to a higher number.
D. Use long polling by supplying a WaitTimeSeconds of greater than 0 seconds when calling ReceiveMessage.
13. What is the longest time available for an Amazon Simple Queue Service (Amazon SQS) long polling timeout?
A. 10 seconds
B. 20 seconds
C. 30 seconds
D. 1 hour
14. What is the longest configurable message retention period for Amazon Simple Queue Service (Amazon SQS)?
A. 30 minutes
B. 4 days
C. 30 seconds
D. 14 days
15. What is the default message retention period for Amazon Simple Queue Service (Amazon SQS)?
A. 30 minutes
B. 4 days
C. 30 seconds
D. 14 days
16. Amazon Simple Notification Service (Amazon SNS) is a push notification service that lets you send individual or multiple messages to large numbers of recipients. What types of clients are supported?
A. Java and JavaScript clients that support publisher and subscriber types
B. Producers and consumers supported by C and C++ clients
C. Mobile and AMQP support for publisher and subscriber client types
D. Publisher and subscriber client types
17. In Amazon Simple Workflow Service (Amazon SWF), a decider is responsible for what?
A. Executing each step of the work
B. Defining work coordination logic by specifying work sequencing, timing, and failure conditions
C. Executing your workflow
D. Registering activities and workflow with Amazon SWF
18. Can an Amazon Simple Notification Service (Amazon SNS) topic be recreated with a previously used topic name?
A. Yes. The topic name should typically be available 24 hours after the previous topic with the same name has been deleted.
B. Yes. The topic name should typically be available 1–3 hours after the previous topic with the same name has been deleted.
C. Yes. The topic name should typically be available 30–60 seconds after the previous topic with the same name has been deleted.
D. At this time, this feature is not supported.
19. What should you do in order to grant a different AWS account permission to your Amazon Simple Queue Service (Amazon SQS) queue?
A. Share credentials to your AWS account and have the other account's applications use your account's credentials to access the Amazon SQS queue.
B. Create a user for that account in AWS Identity and Access Management (IAM) and establish an IAM policy that grants access to the queue.
C. Create an Amazon SQS policy that grants the other account access.
D. Amazon Virtual Private Cloud (Amazon VPC) peering must be used to achieve this.
20. Can an Amazon Simple Notification Service (Amazon SNS) message be deleted after being published to a topic?
A. Only if a subscriber (or subscribers) has not read the message yet
B. Only if the Amazon SNS recall message parameter has been set
C. No. After a message has been successfully published to a topic, it cannot be recalled.
D. Yes. However, it can be deleted only if the subscribers are Amazon SQS queues.
Chapter 9
Domain Name System (DNS) and Amazon Route 53
THE AWS CERTIFIED SOLUTIONS ARCHITECT EXAM TOPICS COVERED IN THIS CHAPTER MAY INCLUDE, BUT ARE NOT LIMITED TO, THE FOLLOWING:
Domain 1.0: Designing highly available, cost-efficient, fault-tolerant, scalable systems
1.1 Identify and recognize cloud architecture considerations, such as fundamental components and effective designs.
Content may include the following:
How to design cloud services
Planning and design
Monitoring and logging
Familiarity with:
Best practices for AWS architecture
Developing to client specifications, including pricing/cost (for example, on-demand vs. reserved vs. spot; RTO and RPO DR design)
Architectural trade-off decisions (for example, high availability vs. cost, Amazon Relational Database Service [RDS] vs. installing your own database on Amazon Elastic Compute Cloud [EC2])
Elasticity and scalability (for example, auto-scaling, SQS, ELB, CloudFront)
Domain 3.0: Data Security
3.1 Recognize and implement secure procedures for optimum cloud deployment and maintenance.
3.2 Recognize critical disaster-recovery techniques and their implementation.
Amazon Route 53
Domain Name System (DNS)
The Domain Name System (DNS) is sometimes a difficult concept to understand because it is so ubiquitously used in making the Internet work. Before we get into the details, let's start with a simple analogy. The Internet Protocol (IP) address of your website is like your phone number: it could change if you move to a new area (at least your landline could change). DNS is like the phone book. If someone wants to call you at your new house or location, they might look you up by name in the phone book. If their phone book hasn't been updated since you moved, however, they might call your old house. When a visitor wants to access your website, their computer takes the domain name typed in (www.amazon.com, for example) and looks up the IP address for that domain using DNS.
More specifically, DNS is a globally distributed service that is foundational to the way people use the Internet. DNS uses a hierarchical name structure, and the levels in the hierarchy are separated by a dot (.). Consider the domain names www.amazon.com and aws.amazon.com. In both examples, com is the Top-Level Domain (TLD) and amazon is the Second-Level Domain (SLD). There can be any number of lower levels (for example, www and aws) below the SLD.
Computers use the DNS hierarchy to translate human-readable names (for example, www.amazon.com) into the IP addresses (for example, 192.0.2.1) that computers use to connect to one another. Every time you use a domain name, a DNS service must translate the name into the corresponding IP address. In summary, if you've used the Internet, you've used DNS.
Amazon Route 53 is an authoritative DNS system. An authoritative DNS system provides an update mechanism that developers use to manage their public DNS names. It then answers DNS queries, translating domain names into IP addresses so that computers can communicate with each other.
This chapter is intended to provide you with a baseline understanding of DNS and the Amazon Route 53 service, which is designed to help users find your website or application over the Internet.
Domain Name System (DNS) Concepts
This section of the chapter defines DNS terms, describes how DNS works, and explains commonly used record types.
Top-Level Domains (TLDs)
A Top-Level Domain (TLD) is the most general part of the domain. The TLD is the farthest portion to the right (as separated by a dot). Common TLDs are .com, .net, .org, .gov, .edu, and .io.
TLDs are at the top of the hierarchy in terms of domain names. Certain parties are given management control over TLDs by the Internet Corporation for Assigned Names and Numbers (ICANN). These parties can then distribute domain names under the TLD, usually through a domain registrar. These domains are registered with the Network Information Center (InterNIC), a service of ICANN, which enforces the uniqueness of domain names across the Internet. Each domain name becomes registered in a central database, known as the WHOIS database.
Domain Names
A domain name is the human-friendly name that we are used to associating with an Internet resource. For instance, amazon.com is a domain name. Some people will say that the amazon portion is the domain, but we can generally refer to the combined form as the domain name.
The name aws.amazon.com is associated with servers operated by AWS. DNS allows users to reach those servers when they type aws.amazon.com into their browsers.
IP Addresses
An IP address is a network-addressable location. Each IP address must be unique within its network. For public websites, this network is the entire Internet.
IPv4 addresses, the most common form of address, consist of four numbers separated by dots, each between 0 and 255 and therefore written with up to three digits. For example, 111.222.111.222 is a syntactically valid IPv4 address. With DNS, we map a name to that address so that you do not have to remember a complicated set of numbers for each place you want to visit on a network.
Due to the tremendous growth of the Internet and the number of devices connected to it, the IPv4 address range has quickly been depleted. IPv6 was created to solve this depletion issue, and it has an address space of 128 bits, which allows for 340,282,366,920,938,463,463,374,607,431,768,211,456, or 340 undecillion, unique addresses. For human beings, this number is difficult to imagine, so consider this: if each IPv4 address were one grain of sand, you would have enough addresses to fill approximately one dump truck with sand. If each IPv6 address were one grain of sand, you would have enough sand to equal the approximate size of the sun. Today, most devices and networks still communicate using IPv4, but migration to IPv6 is proceeding gradually over time.
Hosts
Within a domain, the domain owner can define individual hosts, which refer to separate computers or services accessible through a domain. For instance, most domain owners make their web servers accessible through the base domain (example.com) and also through the host definition www (as in www.example.com).
You can have other host definitions under the general domain, such as Application Programming Interface (API) access through an API host (api.example.com) or File Transfer Protocol (FTP) access with a host definition of ftp or files (ftp.example.com or files.example.com). The host names can be arbitrary as long as they are unique within the domain.
Subdomains
DNS works in a hierarchical manner and allows a large domain to be partitioned or extended into multiple subdomains. TLDs can have many subdomains under them. For instance, zappos.com and audible.com are both subdomains of the .com TLD (although they are typically just called domains). The zappos or audible portion can be referred to as an SLD.
Likewise, each SLD can have subdomains located under it. For instance, the URL for the history department of a school could be www.history.school.edu. The history portion is a subdomain.
The difference between a host name and a subdomain is that a host defines a computer or resource, while a subdomain extends the parent domain. Subdomains are a method of subdividing the domain itself.
Whether talking about subdomains or hosts, you can see that the left-most portions of a domain are the most specific. This is how DNS works: from most to least specific as you read from left to right.
Fully Qualified Domain Name (FQDN)
Domain locations in a DNS can be relative to one another and, as such, can be somewhat ambiguous. A Fully Qualified Domain Name (FQDN), also referred to as an absolute domain name, specifies a domain's location in relation to the absolute root of the DNS.
This means that the FQDN specifies each parent domain including the TLD. A proper FQDN ends with a dot, indicating the root of the DNS hierarchy. For example, mail.amazon.com. (with the trailing dot) is an FQDN. Much software that asks for an FQDN accepts the name without the trailing dot, but in the DNS itself the dot is what makes a name absolute: in a zone file, a name without a trailing dot is relative and has the zone's origin appended to it, so omitting the dot on a name that was meant to be absolute silently produces a different name.
In Figure 9.1, you can see that the entire string is the FQDN, which is composed of the domain name, subdomain, root, TLD, SLD, and host.
FIGURE 9.1 FQDN components
Name Servers
A name server is a computer designated to translate domain names into IP addresses. These servers do most of the work in the DNS. Because the total number of domain translations is too much for any one server, each server may redirect requests to other name servers or delegate responsibility for the subset of subdomains for which they are responsible.
Name servers can be authoritative, meaning that they give answers to queries about domains under their control. Otherwise, they may point to other servers or serve cached copies of other name servers' data.
Zone Files
A zone file is a simple text file that contains the mappings between domain names and IP addresses. This is how a DNS server finally identifies which IP address should be contacted when a user requests a certain domain name.
Zone files reside in name servers and generally define the resources available under a specific domain, or the place where one can go to get that information.
Top-Level Domain (TLD) Name Registrars
Because all of the names in a given domain must be unique, there needs to be a way to organize them so that domain names aren't duplicated. This is where domain name registrars come in. A domain name registrar is an organization or commercial entity that manages the reservation of Internet domain names. A domain name registrar must be accredited by a generic TLD (gTLD) registry and/or a country code TLD (ccTLD) registry. The management is done in accordance with the guidelines of the designated domain name registries.
Steps Involved in Domain Name System (DNS) Resolution
When you type a domain name into your browser, your computer first checks its hosts file to see if it has that domain name stored locally. If it does not, it will check its DNS cache to see if you have visited the site before. If it still does not have a record of that domain name, it will contact a DNS server to resolve the domain name.
DNS is, at its core, a hierarchical system. At the top of this system are root servers. ICANN delegates the control of these servers to various organizations.
As of this writing, there are 13 root server identities (a.root-servers.net through m.root-servers.net) in operation. Root servers handle requests for information about TLDs. When a request comes in for a domain that a lower-level name server cannot resolve, a query is made to a root server for the domain.
In order to handle the incredible volume of resolutions that happen every day, these root servers are mirrored and replicated: each of the 13 identities is served by many anycast instances around the world. When requests are made to a certain root server, the request will be routed to the nearest mirror of that root server.
The root servers won't actually know where the domain is hosted. They will, however, be able to direct the requester to the name servers that handle the specifically requested TLD.
For example, if a request for www.wikipedia.org is made to the root server, it will check its zone files for a listing that matches that domain name, but it will not find one in its records. It will instead find a record for the .org TLD and give the requesting entity the address of the name servers responsible for .org addresses.
Top-Level Domain (TLD) Servers
After a root server returns the IP address of the appropriate server that is responsible for the TLD of a request, the requester then sends a new request to that address.
To continue the example from the previous section, the requesting entity would send a request to the name server responsible for knowing about .org domains to see if it can locate www.wikipedia.org.
Once again, when the name server searches its zone files for a www.wikipedia.org listing, it will not find one in its records. However, it will find a listing for the IP address of the name server responsible for wikipedia.org. This is getting much closer to the correct IP address.
Domain-Level Name Servers
At this point, the requester has the IP address of the name server that is responsible for knowing the actual IP address of the resource. It sends a new request to the name server asking, once again, if it can resolve www.wikipedia.org.
The name server checks its zone files, and it finds a zone file associated with wikipedia.org. Inside of this file, there is a record that contains the IP address for the www host. The name server returns the final address to the requester.
Resolving Name Servers
In the previous scenario, we referred to a requester. What is the requester in this situation?
In almost all cases, the requester will be what is called a resolving name server, which is a server that is configured to ask other servers questions. Its primary function is to act as an intermediary for a user, caching previous query results to improve speed and knowing the addresses of the root servers so that it can resolve new requests from the top of the hierarchy.
A user will usually have a few resolving name servers configured on their computer system. The resolving name servers are typically provided by an Internet Service Provider (ISP) or other organization. There are several public resolving DNS servers that you can query. These can be configured in your computer either automatically or manually.
When you type a URL in the address bar of your browser, your computer first looks to see if it can find the resource's location locally. It checks the hosts file on the computer and any locally stored cache. It then sends the request to the resolving name server and waits to receive the IP address of the resource.
The resolving name server then checks its cache for the answer. If it doesn't find it, it goes through the steps outlined in the previous sections.
Resolving name servers compress the requesting process for the end user. The clients simply have to know to ask the resolving name servers where a resource is located, and the resolving name servers will do the work to investigate and return the final answer.
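The referral chain just described (root server, then the .org TLD server, then the wikipedia.org name server, with the resolving name server caching the final answer) can be walked in code. The following is an added example written for this chapter, not code from the book or from any real resolver: it models each authoritative server as an in-memory zone so that it runs offline, and all names, addresses and TTLs in it are made up (the 192.0.2.0/24 and 198.51.100.0/24 documentation ranges).

```python
"""Iterative DNS resolution over a constructed, in-memory hierarchy.

Added example, not from the book or any resolver implementation: it walks the
root -> TLD -> domain referral chain using dictionaries instead of network
queries, and caches answers for their TTL the way a resolving name server
does.  Every name, address and TTL below is constructed for the example.
"""
import time

# One zone per authoritative "server".  Each RRset is (ttl_seconds, [values]).
# A delegation is NS records plus glue A records for the delegated servers,
# which is exactly what a real referral response carries.
ROOT = {
    "org.": {"NS": (172800, ["a0.org-servers.example."])},
    "a0.org-servers.example.": {"A": (172800, ["192.0.2.10"])},   # glue
}
ORG_TLD = {
    "wikipedia.org.": {"NS": (86400, ["ns1.wikipedia.org."])},
    "ns1.wikipedia.org.": {"A": (86400, ["192.0.2.20"])},         # glue
}
WIKIPEDIA = {
    "wikipedia.org.": {
        "SOA": (3600, ["ns1.wikipedia.org. hostmaster.wikipedia.org. 2017010101 7200 900 1209600 300"]),
        "NS": (3600, ["ns1.wikipedia.org."]),
    },
    "ns1.wikipedia.org.": {"A": (3600, ["192.0.2.20"])},
    "www.wikipedia.org.": {"A": (60, ["192.0.2.30"])},
}
SERVERS = {"198.51.100.1": ROOT, "192.0.2.10": ORG_TLD, "192.0.2.20": WIKIPEDIA}
ROOT_HINTS = ["198.51.100.1"]


def query(server_ip, name, rtype):
    """One query to an authoritative server.

    Returns ("answer", ttl, values), ("referral", ttl, [ns_ip, ...]) or
    ("nxdomain", 0, []): answer if the server holds the RRset, refer downward
    at the closest enclosing delegation, or, if the server is authoritative
    for the enclosing zone (it holds the SOA), report that the name does not
    exist.  A name that exists without the asked-for type is folded into the
    last case here; a real server would return an empty NODATA answer.
    """
    zone = SERVERS[server_ip]
    if name in zone and rtype in zone[name]:
        ttl, values = zone[name][rtype]
        return "answer", ttl, list(values)
    labels = name.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        if parent in zone and "NS" in zone[parent]:
            if "SOA" in zone[parent]:
                return "nxdomain", 0, []
            ttl, ns_names = zone[parent]["NS"]
            glue = [zone[n]["A"][1][0] for n in ns_names if n in zone]
            return "referral", ttl, glue
    return "nxdomain", 0, []


class Resolver:
    """A caching recursive resolver that starts every cache miss at the root."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.cache = {}           # (name, rtype) -> (expires_at, values)
        self.queries_sent = 0

    def resolve(self, name, rtype="A"):
        """Return (values, path); path lists the servers asked, [] on a cache hit."""
        key = (name, rtype)
        cached = self.cache.get(key)
        if cached and cached[0] > self.clock():
            return list(cached[1]), []
        server, path = ROOT_HINTS[0], []
        for _ in range(10):       # bound the referral chain
            self.queries_sent += 1
            path.append(server)
            kind, ttl, data = query(server, name, rtype)
            if kind == "answer":
                self.cache[key] = (self.clock() + ttl, data)
                return data, path
            if kind == "referral" and data:
                server = data[0]
                continue
            return [], path       # NXDOMAIN, or a delegation with no glue
        raise RuntimeError("referral chain too long for %s" % name)


if __name__ == "__main__":
    resolver = Resolver()
    print(resolver.resolve("www.wikipedia.org."))   # root -> .org -> wikipedia.org
    print(resolver.resolve("www.wikipedia.org."))   # answered from cache
```

The first lookup asks three servers in turn; the second is answered from the cache with no queries at all, and once the 60-second TTL on the www record has elapsed the resolver goes back to the root. That TTL is the knob that later sections of this chapter rely on when they talk about how quickly a DNS change, or a failover, becomes visible to clients.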
More About Zone Files
Zone files are the way that name servers store information about the domains they know. The more zone files that a name server has, the more requests it will be able to answer authoritatively. Most requests to the average name server, however, are for domains that are not in the local zone file.
If the server is configured to handle recursive queries, like a resolving name server, it will find the answer and return it. Otherwise, it will tell the requesting entity where to look next.
A zone file describes a DNS zone, which is a subset of the entire DNS. Zone files are generally used to configure a single domain, and they can contain a number of records that define where resources are for the domain in question.
The zone file's $ORIGIN directive is a parameter equal to the zone's highest level of authority by default. If a zone file is used to configure the example.com domain, the $ORIGIN would be set to example.com. Any record name in the file that does not end with a dot is relative and has the $ORIGIN appended to it.
This parameter is either configured at the top of the zone file or defined in the DNS server's configuration file that references the zone file. Either way, this parameter defines what authoritative records the zone governs.
Similarly, the $TTL directive configures the default Time to Live (TTL) value for resource records in the zone. This value defines the length of time that previously queried results are available to a caching name server before they expire.
Record Types
Each zone file contains records. In its simplest form, a record is a single mapping between a resource and a name. These can map a domain name to an IP address or define resources for the domain, such as name servers or mail servers. This section describes each record type in detail.
Start of Authority (SOA) Record
A Start of Authority (SOA) record is mandatory in all zone files, and it identifies the base DNS information about the domain. Each zone contains a single SOA record.
The SOA record stores information about the following:
The name of the primary name server for that zone
The e-mail address of the administrator of the zone (written with the @ replaced by a dot)
The serial number, which is the current version of the zone data; secondary name servers compare it with their copy to decide whether a zone transfer is needed
The number of seconds that a secondary name server should wait before checking for updates (refresh)
The number of seconds that a secondary name server should wait before retrying a failed zone transfer (retry)
The maximum number of seconds that a secondary name server can use data before it must either be refreshed or expire (expire)
The minimum TTL value (in seconds); resolvers now use this field as the negative-caching TTL for names that do not exist (RFC 2308), while the default TTL for ordinary records comes from the $TTL directive
A and AAAA
Both types of address records map a host to an IP address. The A record is used to map a host to an IPv4 address, while AAAA records are used to map a host to an IPv6 address.
Canonical Name (CNAME)
A Canonical Name (CNAME) record maps an alias name to a canonical name, the name that actually carries an A or AAAA record (or a further CNAME, which the resolver follows until it reaches an address). Two constraints follow from the DNS specifications: a name that has a CNAME record cannot have any other record type, so a CNAME cannot be placed at the zone apex, where the SOA and NS records already live.
Mail Exchange (MX)
Mail Exchange (MX) records are used to define the mail servers used for a domain and ensure that email messages are routed correctly. The MX record should point to a host defined by an A or AAAA record and not one defined by a CNAME.
Name Server (NS)
Name Server (NS) records delegate a zone. The parent zone (for example, the TLD zone) holds NS records that direct resolvers to the name servers holding the authoritative records for the child zone, and the child zone repeats the same NS records at its apex.
Pointer (PTR)
A Pointer (PTR) record is essentially the reverse of an A record. PTR records map an IP address to a DNS name (they live under in-addr.arpa for IPv4 and ip6.arpa for IPv6), and they are mainly used to check whether the server name is associated with the IP address from which the connection was initiated.
Sender Policy Framework (SPF)
Sender Policy Framework (SPF) records are used by mail servers to combat spam. An SPF record tells a receiving mail server what IP addresses are authorized to send email from your domain name. For example, if you wanted to ensure that only your mail server sends email from your company's domain, such as example.com, you would publish an SPF record listing the IP address of your mail server. That way, an email sent from your domain, [email protected], would need to have an originating IP address of your company mail server in order to be accepted. This makes it harder for others to spoof email from your domain name. Two caveats: the dedicated SPF record type was deprecated by RFC 7208, so the policy should be published in a TXT record (Amazon Route 53 still accepts the SPF type, but receivers look at TXT), and SPF is evaluated against the envelope sender, only by receivers that choose to enforce it, so on its own it does not protect the From: header that users see; DKIM and DMARC cover that.
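What a receiving mail server actually does with that record is the check_host() evaluation of RFC 7208. The following is an added example (not from the book, and not a complete SPF library): it evaluates the ip4, ip6 and all mechanisms with their qualifiers against a sending IP, which is enough for the policy described above. The TXT records and addresses are constructed; the a, mx, include and redirect terms need live DNS and are deliberately rejected rather than guessed at.

```python
"""Minimal SPF check_host() for ip4/ip6/all policies published in TXT records.

Added example, not from the book.  The records below are constructed for the
example; mechanisms that need DNS lookups (a, mx, include, redirect=) are
reported as unsupported instead of being approximated.
"""
import ipaddress

# Constructed TXT records for example.com: the SPF policy from the text plus
# an unrelated verification token, to show that only the v=spf1 string counts.
TXT_RECORDS = {
    "example.com": [
        "v=spf1 ip4:192.0.2.25 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all",
        "site-verification=constructed-token",
    ]
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_policy(domain, txt_records=TXT_RECORDS):
    """Return the domain's single v=spf1 string, or None if it publishes none.

    More than one v=spf1 record is a permanent error under RFC 7208.
    """
    found = [r for r in txt_records.get(domain, []) if r.lower().startswith("v=spf1")]
    if len(found) > 1:
        raise ValueError("permerror: %d SPF records for %s" % (len(found), domain))
    return found[0] if found else None


def check_host(ip, domain, txt_records=TXT_RECORDS):
    """Evaluate the sending IP against the domain's policy.

    Returns pass, fail, softfail, neutral, or none (no policy published).
    Terms are evaluated left to right; the first matching mechanism decides,
    with its qualifier ('+' when none is written) giving the result.
    """
    policy = spf_policy(domain, txt_records)
    if policy is None:
        return "none"
    sender = ipaddress.ip_address(ip)
    for term in policy.split()[1:]:                   # skip the v=spf1 tag
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mechanism = term.lstrip("+-~?").lower()
        if mechanism == "all":
            return QUALIFIERS[qualifier]
        if mechanism.startswith(("ip4:", "ip6:")):
            network = ipaddress.ip_network(mechanism[4:], strict=False)
            if sender.version == network.version and sender in network:
                return QUALIFIERS[qualifier]
            continue
        raise ValueError("unsupported mechanism (needs DNS): %s" % term)
    return "neutral"                                   # nothing matched, no 'all'
```

Note what "-all" buys you: a sender that is not listed gets a hard fail, whereas "~all" only asks the receiver to treat the message with suspicion. Publishing "+all", or no all term, leaves the policy open.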
Text (TXT)
Text (TXT) records are used to hold text information. This record provides the ability to associate some arbitrary and unformatted text with a host or other name, such as human-readable information about a server, network, data center, and other accounting information. In practice TXT records also carry machine-read policies and tokens, such as SPF policies and domain-ownership verification strings.
Service (SRV)
A Service (SRV) record is a specification of data in the DNS defining the location (the host name and port number) of servers for specified services. The idea behind SRV is that, given a domain name (for example, example.com) and a service name (for example, web [HTTP], which runs on a protocol [TCP]), a DNS query may be issued to find the host name that provides such a service for the domain, which may or may not be within the domain.
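The zone-file directives and record types covered in this section come together in a parser, and the rules stated along the way (one SOA per zone, MX targets must not be CNAMEs, a CNAME can share its name with nothing else, so never the apex) are the checks a reviewer would run before loading a zone. The following is an added example written for this chapter, not the book's code and not any DNS server's loader; SAMPLE_ZONE is a constructed example.com zone, and the parser covers only the syntax it needs ($ORIGIN, $TTL, ';' comments, the parenthesised SOA continuation, relative and absolute names).

```python
"""Zone-file parser plus the consistency checks from the record definitions.

Added example, not from the book or any DNS software.  SAMPLE_ZONE is
constructed for the example.
"""
import shlex
from collections import namedtuple

Record = namedtuple("Record", "name ttl rtype rdata")
CLASSES = {"IN", "CH", "HS"}
TYPES = {"SOA", "NS", "A", "AAAA", "CNAME", "MX", "PTR", "TXT", "SRV", "SPF"}

SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@        IN SOA   ns1.example.com. hostmaster.example.com. (
                  2017010101 ; serial
                  7200       ; refresh
                  900        ; retry
                  1209600    ; expire
                  300 )      ; minimum: negative-caching TTL (RFC 2308)
@        IN NS    ns1.example.com.
@        IN NS    ns2.example.com.
@        IN MX 10 mail.example.com.
@     60 IN A     192.0.2.1
www      IN CNAME example.com.
mail     IN A     192.0.2.25
mail     IN AAAA  2001:db8::25
ns1      IN A     192.0.2.53
ns2      IN A     198.51.100.53
@        IN TXT   "v=spf1 ip4:192.0.2.25 -all"
"""


def _strip_comment(line):
    """Drop a ';' comment, but not a ';' inside a quoted TXT string."""
    out, quoted = [], False
    for ch in line:
        quoted ^= ch == '"'
        if ch == ";" and not quoted:
            break
        out.append(ch)
    return "".join(out)


def _logical_lines(text):
    """Yield one record per item, joining '(' ... ')' continuations."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if not line.strip() and depth == 0:
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth == 0:
            yield " ".join(buf)
            buf = []


def _absolute(name, origin):
    """'@' is the origin; a name without a trailing dot gets the origin appended."""
    if name == "@":
        return origin
    return name if name.endswith(".") else name + "." + origin


def parse_zone(text):
    """Return (origin, [Record, ...]) with every owner and target made absolute."""
    origin = default_ttl = last_owner = None
    records = []
    for line in _logical_lines(text):
        tokens = shlex.split(line)
        if tokens[0] == "$ORIGIN":
            origin = tokens[1] if tokens[1].endswith(".") else tokens[1] + "."
            continue
        if tokens[0] == "$TTL":
            default_ttl = int(tokens[1])
            continue
        if origin is None:
            raise ValueError("record before $ORIGIN: %s" % line)
        # A line that starts with whitespace reuses the previous owner name.
        owner = last_owner if line[0].isspace() else _absolute(tokens.pop(0), origin)
        last_owner = owner
        ttl = int(tokens.pop(0)) if tokens[0].isdigit() else default_ttl
        if tokens[0].upper() in CLASSES:
            tokens.pop(0)
        rtype = tokens.pop(0).upper()
        if rtype not in TYPES:
            raise ValueError("unsupported record type %s" % rtype)
        if ttl is None:
            raise ValueError("no TTL for %s %s and no $TTL directive" % (owner, rtype))
        rdata = tokens
        if rtype in ("NS", "CNAME", "PTR"):
            rdata = [_absolute(tokens[0], origin)]
        elif rtype == "MX":
            rdata = [int(tokens[0]), _absolute(tokens[1], origin)]
        elif rtype == "SOA":   # mname rname serial refresh retry expire minimum
            rdata = [_absolute(tokens[0], origin), _absolute(tokens[1], origin)]
            rdata += [int(x) for x in tokens[2:7]]
        records.append(Record(owner, ttl, rtype, rdata))
    return origin, records


def validate(origin, records):
    """Return rule violations; an empty list means the zone is consistent."""
    problems = []
    soa_count = sum(r.rtype == "SOA" for r in records)
    if soa_count != 1:
        problems.append("zone must have exactly one SOA, found %d" % soa_count)
    types_by_name = {}
    for r in records:
        types_by_name.setdefault(r.name, set()).add(r.rtype)
    for name, types in types_by_name.items():
        if "CNAME" in types and len(types) > 1:
            problems.append("%s has a CNAME alongside other records" % name)
    cnames = {r.name for r in records if r.rtype == "CNAME"}
    if origin in cnames:
        problems.append("CNAME at zone apex %s" % origin)
    for r in records:
        if r.rtype == "MX" and r.rdata[1] in cnames:
            problems.append("MX for %s targets CNAME %s" % (r.name, r.rdata[1]))
    return problems
```

Running validate() over SAMPLE_ZONE returns no problems; appending an apex CNAME or an MX that targets www reports exactly the violations this section warns about, which is the kind of pre-commit check worth wiring into a zone repository.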
Amazon Route 53 Overview
Now that you have a foundational understanding of DNS and the different DNS record types, you can explore Amazon Route 53. Amazon Route 53 is a highly available and scalable cloud DNS web service that is designed to give developers and businesses an extremely reliable and cost-effective way to route end users to Internet applications.
Amazon Route 53 performs three main functions:
Domain registration: Amazon Route 53 lets you register domain names, such as example.com.
DNS service: Amazon Route 53 translates friendly domain names like www.example.com into IP addresses like 192.0.2.1. Amazon Route 53 responds to DNS queries using a global network of authoritative DNS servers, which reduces latency. To comply with DNS standards, responses sent over User Datagram Protocol (UDP) are limited to 512 bytes in size unless the resolver advertises a larger buffer with EDNS0. Responses exceeding the limit are truncated (the TC bit is set), and the resolver must re-issue the request over TCP.
Health checking: Amazon Route 53 sends automated requests over the Internet to your application to verify that it's reachable, available, and functional.
You can use any combination of these functions. For example, you can use Amazon Route 53 as both your registrar and your DNS service, or you can use Amazon Route 53 as the DNS service for a domain that you registered with another domain registrar.
Domain Registration
If you want to create a website, you first need to register the domain name. If you already registered a domain name with another registrar, you have the option to transfer the domain registration to Amazon Route 53. It isn't required to use Amazon Route 53 as your DNS service or to configure health checking for your resources.
Amazon Route 53 supports domain registration for a wide variety of generic TLDs (for example, .com and .org) and geographic TLDs (for example, .be and .us). For a complete list of supported TLDs, refer to the Amazon Route 53 Developer Guide at https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/.
Domain Name System (DNS) Service
As stated previously, Amazon Route 53 is an authoritative DNS service that routes Internet traffic to your website by translating friendly domain names into IP addresses. When someone enters your domain name in a browser or sends you an email, a DNS request is forwarded to the nearest Amazon Route 53 DNS server in a global network of authoritative DNS servers. Amazon Route 53 responds with the IP address that you specified.
If you register a new domain name with Amazon Route 53, Amazon Route 53 will be automatically configured as the DNS service for the domain, and a hosted zone will be created for your domain. You add resource record sets to the hosted zone, which define how you want Amazon Route 53 to respond to DNS queries for your domain (for example, with the IP address for a web server, the IP address for the nearest Amazon CloudFront edge location, or the IP address for an Elastic Load Balancing load balancer).
If you registered your domain with another domain registrar, that registrar is probably providing the DNS service for your domain. You can transfer DNS service to Amazon Route 53, with or without transferring registration for the domain.
If you're using Amazon CloudFront, Amazon Simple Storage Service (Amazon S3), or Elastic Load Balancing, you can configure Amazon Route 53 to route Internet traffic to those resources.
Hosted Zones
A hosted zone is a collection of resource record sets hosted by Amazon Route 53. Like a traditional DNS zone file, a hosted zone represents resource record sets that are managed together under a single domain name. Each hosted zone has its own metadata and configuration information.
There are two types of hosted zones: private and public. A private hosted zone is a container that holds information about how you want to route traffic for a domain and its subdomains within one or more Amazon Virtual Private Clouds (Amazon VPCs). A public hosted zone is a container that holds information about how you want to route traffic on the Internet for a domain (for example, example.com) and its subdomains (for example, apex.example.com and acme.example.com).
The resource record sets contained in a hosted zone must share the same suffix. For example, the example.com hosted zone can contain resource record sets for the www.example.com and www.aws.example.com subdomains, but it cannot contain resource record sets for a www.example.ca subdomain.
You can use Amazon S3 to host your static website at the hosted zone's apex (for example, domain.com) and redirect all requests to a subdomain (for example, www.domain.com). Then, in Amazon Route 53, you can create an alias resource record that sends requests for the root domain to the Amazon S3 bucket.
Use an alias record, not a CNAME, for the apex of your hosted zone. A CNAME is not allowed at the zone apex (the name that also carries the SOA and NS records), in Amazon Route 53 or anywhere else in the DNS. Alias records are the Amazon Route 53 extension that gives you CNAME-like behaviour there: Amazon Route 53 answers an alias query with the target's current addresses directly, rather than handing the resolver a CNAME to chase.
Do not use A records with hard-coded IP addresses for subdomains (for example, www.domain.com) that point at resources whose addresses can change, such as a load balancer. Instead, use Amazon Route 53 alias records or traditional CNAME records so that the name always points to the right resource, wherever your site is hosted, even when the underlying server has changed its IP address.
Supported Record Types
Amazon Route 53 supports the following DNS resource record types. When you access Amazon Route 53 using the API, you will see examples of how to format the Value element for each record type. Supported record types include:
A
AAAA
CNAME
MX
NS
PTR
SOA
SPF
SRV
TXT
Routing Policies
When you create a resource record set, you choose a routing policy, which determines how Amazon Route 53 responds to queries. Routing policy options are simple, weighted, latency-based, failover, and geolocation. When specified, Amazon Route 53 evaluates a resource's relative weight, the client's network latency to the resource, or the client's geographic location when deciding which resource to send back in a DNS response.
Routing policies can be associated with health checks, so resource health status is considered before it even becomes a candidate in a conditional decision tree. A description of possible routing policies and more on health checking is covered in this section.
Simple
This is the default routing policy when you create a new resource. Use a simple routing policy when you have a single resource that performs a given function for your domain (for example, one web server that serves content for the example.com website). In this case, Amazon Route 53 responds to DNS queries based only on the values in the resource record set (for example, the IP address in an A record).
Weighted
With weighted DNS, you can associate multiple resources (such as Amazon Elastic Compute Cloud [Amazon EC2] instances or Elastic Load Balancing load balancers) with a single DNS name.
Use the weighted routing policy when you have multiple resources that perform the same function (such as web servers that serve the same website), and you want Amazon Route 53 to route traffic to those resources in proportions that you specify. For example, you may use this for load balancing between different AWS regions or to test new versions of your website (you can send 10 percent of traffic to the test environment and 90 percent of traffic to the older version of your website).
To create a group of weighted resource record sets, you need to create two or more resource record sets that have the same DNS name and type. You then assign each resource record set a unique identifier and a relative weight.
When processing a DNS query, Amazon Route 53 searches for a resource record set or a group of resource record sets that have the same name and DNS record type (such as an A record). Amazon Route 53 then selects one record from the group. The probability of any resource record set being selected is governed by the following formula:
Latency-Based
Latency-based routing allows you to route your traffic based on the lowest network latency for your end user (for example, using the AWS region that will give them the fastest response time).
Use the latency routing policy when you have resources that perform the same function in multiple AWS Availability Zones or regions and you want Amazon Route 53 to respond to DNS queries using the resources that provide the best latency. For example, suppose you have Elastic Load Balancing load balancers in the U.S. West (Oregon) region and in the Asia Pacific (Singapore) region, and you created a latency resource record set in Amazon Route 53 for each load balancer. A user in London enters the name of your domain in a browser, and DNS routes the request to an Amazon Route 53 name server. Amazon Route 53 refers to its data on latency between London and the Singapore region and between London and the Oregon region. If latency is lower between London and the Oregon region, Amazon Route 53 responds to the user's request with the IP address of your load balancer in Oregon. If latency is lower between London and the Singapore region, Amazon Route 53 responds with the IP address of your load balancer in Singapore.
Failover
Use a failover routing policy to configure active-passive failover, in which one resource takes all the traffic when it's available and the other resource takes all the traffic when the first resource isn't available. Note that you can't create failover resource record sets for private hosted zones.
For example, you might want your primary resource record set to be in U.S. West (N. California) and your secondary, Disaster Recovery (DR), resource(s) to be in U.S. East (N. Virginia). Amazon Route 53 will monitor the health of your primary resource endpoints using a health check.
A health check tells Amazon Route 53 how to send requests to the endpoint whose health you want to check: which protocol to use (HTTP, HTTPS, or TCP), which IP address and port to use, and, for HTTP/HTTPS health checks, a domain name and path.
After you have configured a health check, Amazon will monitor the health of your selected DNS endpoint. If your health check fails, then failover routing policies will be applied and your DNS will fail over to your DR site.
Geolocation
Geolocation routing lets you choose where Amazon Route 53 will send your traffic based on the geographic location of your users (the location from which DNS queries originate). For example, you might want all queries from Europe to be routed to a fleet of Amazon EC2 instances that are specifically configured for your European customers, with local languages and pricing in Euros.
You can also use geolocation routing to restrict distribution of content to only the locations in which you have distribution rights. Another possible use is for balancing load across endpoints in a predictable, easy-to-manage way so that each user location is consistently routed to the same endpoint.
You can specify geographic locations by continent, by country, or even by state in the United States. You can also create separate resource record sets for overlapping geographic regions, and priority goes to the smallest geographic region. For example, you might have one resource record set for Europe and one for the United Kingdom. This allows you to route some queries for selected countries (in this example, the United Kingdom) to one resource and to route queries for the rest of the continent (in this example, Europe) to a different resource.
Geolocation works by mapping IP addresses to locations. You should be cautious, however, as some IP addresses aren't mapped to geographic locations. Even if you create geolocation resource record sets that cover all seven continents, Amazon Route 53 will receive some DNS queries from locations that it can't identify.
In this case, you can create a default resource record set that handles both queries from IP addresses that aren't mapped to any location and queries that come from locations for which you haven't created geolocation resource record sets. If you don't create a default resource record set, Amazon Route 53 returns a "no answer" response for queries from those locations.
You cannot create two geolocation resource record sets that specify the same geographic location. You also cannot create geolocation resource record sets that have the same values for "Name" and "Type" as the "Name" and "Type" of non-geolocation resource record sets.
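The weighted, failover and geolocation rules above are easiest to reason about when written down as selection functions. The following is an added example for this chapter, not AWS code and not a description of Route 53 internals: it models a record set as a dictionary, a health check as a published pass/fail result, and the IP-to-location lookup as a table. Everything in it (HEALTH, the record sets, CLIENT_LOCATION, the addresses) is constructed, and the tie-break when both failover records are unhealthy is an assumption, flagged in the code.

```python
"""Route 53 routing-policy decisions modelled offline.

Added example, not AWS code.  It reproduces the rules this section describes:
weighted sets are chosen in proportion to their weights, failover returns the
secondary only while the primary's health check fails, and geolocation picks
the most specific healthy match, falling back to the default record set or
to "no answer".  All data below is constructed for the example.
"""
import random
from collections import Counter

# Health-check results as Route 53 publishes them to its name servers
# (constructed).  A record set without a health check counts as healthy.
HEALTH = {"hc-oregon": True, "hc-ncal": False, "hc-eu": True}


def healthy(rrset):
    return HEALTH.get(rrset.get("health_check"), True)


def weighted_choice(rrsets, rng=random.random):
    """Pick one record set with probability weight_i / sum(weights).

    Unhealthy sets are dropped first.  If every set is unhealthy all are kept
    (fail open), and if all weights are 0 the sets are treated as equal.
    """
    candidates = [r for r in rrsets if healthy(r)] or list(rrsets)
    weights = [r["weight"] for r in candidates]
    if sum(weights) == 0:
        weights = [1] * len(candidates)
    point = rng() * sum(weights)
    for rrset, weight in zip(candidates, weights):
        point -= weight
        if point < 0:
            return rrset
    return candidates[-1]


def distribution(rrsets, draws, seed=0):
    """Count which set wins over many queries, to check the proportions."""
    rng = random.Random(seed).random
    return Counter(weighted_choice(rrsets, rng)["id"] for _ in range(draws))


def failover_choice(primary, secondary):
    """Active-passive: the primary while its health check passes, else the
    secondary.  If both fail, this model returns the primary; that tie-break
    is an assumption, not a documented Route 53 rule."""
    if healthy(primary) or not healthy(secondary):
        return primary
    return secondary


# Resolver IP -> (continent, country, subdivision), standing in for the
# IP-to-location mapping Route 53 uses.  The last entry is an IP it cannot map.
CLIENT_LOCATION = {
    "203.0.113.10": ("EU", "GB", None),
    "203.0.113.20": ("EU", "FR", None),
    "203.0.113.30": ("NA", "US", "CA"),
    "203.0.113.40": (None, None, None),
}


def geolocation_choice(client_ip, rrsets):
    """Most specific healthy match wins: subdivision > country > continent >
    default.  Returns None for "no answer" when nothing matches."""
    continent, country, subdivision = CLIENT_LOCATION.get(client_ip, (None, None, None))

    def specificity(r):
        if r.get("default"):
            return 0
        if "subdivision" in r:
            return 3 if (r["country"], r["subdivision"]) == (country, subdivision) else -1
        if "country" in r:
            return 2 if r["country"] == country else -1
        return 1 if r.get("continent") == continent else -1

    for rrset in sorted(rrsets, key=specificity, reverse=True):
        if specificity(rrset) < 0:
            break
        if healthy(rrset):
            return rrset
    return None


# Constructed record sets matching the examples in the text.
CANARY_RRSETS = [               # 90/10 split between old and new site versions
    {"id": "stable", "weight": 90, "target": "192.0.2.10"},
    {"id": "canary", "weight": 10, "target": "192.0.2.11"},
]
REGION_RRSETS = [               # weighted across regions, each health-checked
    {"id": "oregon", "weight": 50, "target": "192.0.2.20", "health_check": "hc-oregon"},
    {"id": "ncal", "weight": 50, "target": "192.0.2.30", "health_check": "hc-ncal"},
]
GEO_RRSETS = [
    {"id": "eu", "continent": "EU", "target": "eu.example.com.", "health_check": "hc-eu"},
    {"id": "uk", "country": "GB", "target": "uk.example.com."},
    {"id": "california", "country": "US", "subdivision": "CA", "target": "ca.example.com."},
    {"id": "default", "default": True, "target": "global.example.com."},
]
```

Two behaviours worth noticing in the model: with N. California's health check failing, the 50/50 region split sends every answer to Oregon without any weight change, and a UK client is answered by the UK record even though the Europe record also matches, because the smaller region wins. Remove the default record set and an unmappable client gets None, the "no answer" case described above.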
More on Health Checking
Amazon Route 53 health checks monitor the health of your resources such as web servers and email servers. You can configure Amazon CloudWatch alarms for your health checks so that you receive notification when a resource becomes unavailable. You can also configure Amazon Route 53 to route Internet traffic away from resources that are unavailable.
Health checks and DNS failover are major tools in the Amazon Route 53 feature set that help make your application highly available and resilient to failures. If you deploy an application in multiple Availability Zones and multiple AWS regions, with Amazon Route 53 health checks attached to every endpoint, Amazon Route 53 can send back a list of healthy endpoints only. Health checks can automatically switch to a healthy endpoint with minimal disruption to your clients and without any configuration changes. You can use this automatic recovery scenario in active-active or active-passive setups, depending on whether your additional endpoints are always hit by live traffic or only after all primary endpoints have failed. Using health checks and automatic failovers, Amazon Route 53 improves your service uptime, especially when compared to the traditional monitor-alert-restart approach of addressing failures.
Amazon Route 53 health checks are not triggered by DNS queries; they are run periodically by AWS, and results are published to all DNS servers. This way, name servers can be aware of an unhealthy endpoint and route differently within approximately 30 seconds of a problem (three consecutive failed checks at the 10-second request interval; the default interval is 30 seconds, which triples that figure), and new DNS results will be known to clients a minute later (assuming your TTL is 60 seconds), bringing complete recovery time to about a minute and a half in total in this scenario. Clients that cached the old answer keep using it until their copy of the TTL expires, which is why records that participate in failover are given short TTLs.
The 2014 AWS re:Invent session SDD408, "Amazon Route 53 Deep Dive: Delivering Resiliency, Minimizing Latency," introduced a set of best practices for Amazon Route 53. Explore those best practices to help you get started using Amazon Route 53 as a building block to deliver highly available and resilient applications on AWS.
Amazon Route 53 Enables Resiliency
When pulling these concepts together to build an application that is highly available and resilient to failures, consider these building blocks:
In every AWS region, an Elastic Load Balancing load balancer is set up with cross-zone load balancing and connection draining. This distributes the load evenly across all instances in all Availability Zones, and it ensures requests in flight are fully served before an Amazon EC2 instance is disconnected from an Elastic Load Balancing load balancer for any reason.
Each Elastic Load Balancing load balancer delegates requests to Amazon EC2 instances running in multiple Availability Zones in an auto-scaling group. This protects the application from Availability Zone outages, ensures that a minimal number of instances is always running, and responds to changes in load by properly scaling each group's Amazon EC2 instances.
Each Elastic Load Balancing load balancer has health checks defined to ensure that it delegates requests only to healthy instances.
Each Elastic Load Balancing load balancer also has an Amazon Route 53 health check associated with it to ensure that requests are routed only to load balancers that have healthy Amazon EC2 instances.
The application's production environment (for example, prod.domain.com) has Amazon Route 53 alias records that point to Elastic Load Balancing load balancers. The production environment also uses a latency-based routing policy that is associated with Elastic Load Balancing health checks. This ensures that requests are routed to a healthy load balancer, thereby providing minimal latency to a client.
![Page 296: Certified Solutions Architect Official Guide/AWS Certified... · Chapter 1: Introduction to AWS Chapter 2: Amazon Simple Storage Service (Amazon S3) and Amazon Glacier Storage Chapter](https://reader034.vdocuments.us/reader034/viewer/2022051812/602c405cb445ae68a568d84c/html5/thumbnails/296.jpg)
Theapplication’sfailoverenvironment(forexample,fail.domain.com)hasanAmazonRoute53aliasrecordthatpointstoanAmazonCloudFrontdistributionofanAmazonS3buckethostingastaticversionoftheapplication.
Theapplication’ssubdomain(forexample,www.domain.com)hasanAmazonRoute53aliasrecordthatpointstoprod.domain.com(asprimarytarget)andfail.domain.com(assecondarytarget)usingafailoverroutingpolicy.Thisensureswww.domain.comroutestotheproductionloadbalancersifatleastoneofthemishealthyorthe“failwhale”ifallofthemappeartobeunhealthy.
Theapplication’shostedzone(forexample,domain.com)hasanAmazonRoute53aliasrecordthatredirectsrequeststowww.domain.comusinganAmazonS3bucketofthesamename.
Applicationcontent(bothstaticanddynamic)canbeservedusingAmazonCloudFront.ThisensuresthatthecontentisdeliveredtoclientsfromAmazonCloudFrontedgelocationsspreadallovertheworldtoprovideminimallatency.ServingdynamiccontentfromaContentDeliveryNetwork(CDN),whereitiscachedforshortperiodsoftime(thatis,severalseconds),takestheloadoffoftheapplicationandfurtherimprovesitslatencyandresponsiveness.
TheapplicationisdeployedinmultipleAWSregions,protectingitfromaregionaloutage.
Summary
In this chapter, you learned the fundamentals of DNS, which is the methodology that computers use to convert human-friendly domain names (for example, amazon.com) into IP addresses (such as 192.0.2.1).
DNS starts with TLDs (for example, .com, .edu). The Internet Assigned Numbers Authority (IANA) controls the TLDs in a root zone database, which is essentially a database of all available TLDs.
DNS names are registered with a domain registrar. A registrar is an authority that can assign domain names directly under one or more TLDs. These domains are registered with InterNIC, a service of ICANN, and the registry for each TLD enforces the uniqueness of domain names across the Internet. Each registered domain name is recorded in a central database, known as the WHOIS database.
DNS consists of a number of different record types, including but not limited to the following:
A
AAAA
CNAME
MX
NS
PTR
SOA
SPF
TXT
Amazon Route 53 is a highly available and highly scalable AWS-provided DNS service. Amazon Route 53 connects user requests to infrastructure running on AWS (for example, Amazon EC2 instances and Elastic Load Balancing load balancers). It can also be used to route users to infrastructure outside of AWS.
With Amazon Route 53, your DNS records are organized into hosted zones that you configure with the Amazon Route 53 API. A hosted zone simply stores records for your domain. These records can consist of A, CNAME, MX, and other supported record types.
Amazon Route 53 allows you to have several different routing policies, including the following:
Simple—Most commonly used when you have a single resource that performs a given function for your domain
Weighted—Used when you want to route a percentage of your traffic to one particular resource or resources
Latency-Based—Used to route your traffic based on the lowest latency so that your users get the fastest response times
Failover—Used for DR and to route your traffic from your resources in a primary location to a standby location
Geolocation—Used to route your traffic based on your end user's location
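The selection rule behind each of these policies, gated by the consecutive-failure threshold that the health-check discussion earlier in the chapter relies on, can be modelled in a few dozen lines. The following is an added example and not AWS code: it does not call Route 53, and the target names, region labels and latency table are constructed sample data. The one behaviour worth studying is the fail-open rule in `_live`: when every record in a set is unhealthy, Route 53 answers with all of them rather than with nothing, which is why the static "fail whale" secondary deliberately carries no health check.

```python
"""Model of the Amazon Route 53 routing policies and health-check gating.

Added illustration only: this is not AWS code, and it does not talk to
Route 53. It reproduces the selection rule of each policy plus the
consecutive-failure threshold that turns a health check unhealthy. Target
names, region labels and latency figures are constructed sample data.
"""
import random
from dataclasses import dataclass


@dataclass
class Record:
    target: str                 # e.g. the DNS name of an ELB load balancer
    weight: int = 1             # weighted policy
    region: str = ""            # latency-based policy: region hosting the target
    location: str = "*"         # geolocation policy: country code, "*" = default
    failover: str = ""          # failover policy: "PRIMARY" or "SECONDARY"
    health_check: bool = True   # False: no Route 53 health check attached


class HealthChecker:
    """Marks a target unhealthy after `threshold` consecutive failed checks."""

    def __init__(self, threshold=3):          # 3 is the Route 53 default
        self.threshold = threshold
        self.failures = {}

    def observe(self, target, ok):
        self.failures[target] = 0 if ok else self.failures.get(target, 0) + 1

    def healthy(self, target):
        return self.failures.get(target, 0) < self.threshold


# Constructed sample round-trip latencies (ms) from a client location to each region.
LATENCY_MS = {
    "AU": {"ap-southeast-2": 20, "sa-east-1": 310},
    "BR": {"ap-southeast-2": 330, "sa-east-1": 15},
    "US": {"ap-southeast-2": 170, "sa-east-1": 140},
}


class Resolver:
    def __init__(self, checker, seed=0):
        self.checker = checker
        self.rng = random.Random(seed)   # seeded so the demo is reproducible

    def _live(self, records):
        """Drop records whose health check is failing. If that leaves nothing,
        answer with all of them: Route 53 fails open rather than answering empty."""
        live = [r for r in records
                if not r.health_check or self.checker.healthy(r.target)]
        return live or list(records)

    def simple(self, records):
        return [r.target for r in records]      # all values; the client picks one

    def weighted(self, records):
        live = self._live(records)
        weights = [r.weight for r in live]
        if sum(weights) == 0:                   # all zero: each record equally likely
            weights = [1] * len(live)
        return self.rng.choices(live, weights=weights, k=1)[0].target

    def latency(self, records, client_location):
        table = LATENCY_MS[client_location]
        return min(self._live(records), key=lambda r: table[r.region]).target

    def geolocation(self, records, client_location):
        by_loc = {r.location: r for r in self._live(records)}
        chosen = by_loc.get(client_location) or by_loc.get("*")
        return chosen.target if chosen else None   # no match and no default: no answer

    def failover(self, records):
        live = self._live(records)
        primary = [r for r in live if r.failover == "PRIMARY"]
        return (primary or live)[0].target


def recovery_seconds(interval, threshold, ttl):
    """Worst case from the first failed check until clients see the new answer."""
    return interval * threshold + ttl


def demo():
    hc = HealthChecker(threshold=3)
    r = Resolver(hc)
    syd = Record("sydney-elb", weight=50, region="ap-southeast-2",
                 location="AU", failover="PRIMARY")
    sao = Record("saopaulo-elb", weight=50, region="sa-east-1",
                 location="BR", failover="SECONDARY")
    static = Record("failwhale-cloudfront", health_check=False)   # location "*"

    out = {"latency_from_brazil": r.latency([syd, sao], "BR"),
           "geo_from_us": r.geolocation([syd, sao, static], "US"),
           "failover_healthy": r.failover([syd, sao])}
    picks = [r.weighted([syd, sao]) for _ in range(2000)]
    out["weighted_share_sydney"] = picks.count("sydney-elb") / len(picks)
    hc.observe("sydney-elb", ok=False)
    hc.observe("sydney-elb", ok=False)           # two in a row: still healthy
    out["failover_after_two_failures"] = r.failover([syd, sao])
    hc.observe("sydney-elb", ok=False)           # third: unhealthy, secondary answers
    out["failover_after_three_failures"] = r.failover([syd, sao])
    for _ in range(3):
        hc.observe("saopaulo-elb", ok=False)     # both down: fail open to the primary
    out["failover_both_unhealthy"] = r.failover([syd, sao])
    out["recovery_fast_interval"] = recovery_seconds(10, 3, 60)      # 90 s
    out["recovery_default_interval"] = recovery_seconds(30, 3, 60)   # 150 s
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Run it and compare the two `recovery_*` values: the same three-failure threshold gives a 90-second worst case with the fast interval and 150 seconds with the standard one, before any client-side caching beyond the TTL.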
Remember to pull these concepts together to build an application that is highly available and resilient to failures. Use Elastic Load Balancing load balancers across Availability Zones with connection draining enabled, use health checks defined to ensure that the application delegates requests only to healthy Amazon EC2 instances, and use a latency-based routing policy with Elastic Load Balancing health checks to ensure that requests are routed with minimal latency to clients. Use Amazon CloudFront edge locations to spread content all over the world with minimal client latency. Deploy the application in multiple AWS regions, protecting it from a regional outage.
Exam Essentials
Understand what DNS is. DNS is the methodology that computers use to convert human-friendly domain names (for example, amazon.com) into IP addresses (such as 192.0.2.1).
Know how DNS registration works. Domains are registered with domain registrars, which in turn register the domain name with InterNIC, a service of ICANN. The registry for each TLD enforces the uniqueness of domain names across the Internet. Each registered domain name is recorded in a central database known as the WHOIS database. Domains are defined by their TLDs. TLDs are controlled by IANA in a root zone database, which is essentially a database of all available TLDs.
Remember the steps involved in DNS resolution. Your browser asks the resolving DNS server (the recursive resolver, typically run by your ISP or organization) what the IP address is for amazon.com. The resolving server does not know the address, so it asks a root server the same question. There are 13 root server addresses, each served by a globally distributed anycast cluster and operated by several different organizations; the root zone they serve is managed by IANA under ICANN. The root server replies that it does not know the answer, but it can give the address of a TLD server that knows about .com domain names. The resolving server then contacts the TLD server. The TLD server does not know the address of the domain name either, but it does know the address of the domain's authoritative name server. The resolving server then queries the authoritative name server, which holds the authoritative records and returns them to the resolving server. The resolving server caches these records locally (for the record's TTL) so that it does not have to repeat these steps in the near future, and returns the answer to the user's web browser, which also caches it.
Remember the different record types. DNS consists of the following different record types: A (address record), AAAA (IPv6 address record), CNAME (canonical name record or alias), MX (mail exchange record), NS (name server record), PTR (pointer record), SOA (start of authority record), SPF (sender policy framework), SRV (service locator), and TXT (text record). You should know the differences among each record type.
Remember the different routing policies. With Amazon Route 53, you can have different routing policies. The simple routing policy is most commonly used when you have a single resource that performs a given function for your domain. Weighted routing is used when you want to route a percentage of your traffic to a particular resource or resources. Latency-based routing is used to route your traffic based on the lowest latency so that your users get the fastest response times. Failover routing is used for DR and to route your traffic from a primary resource to a standby resource. Geolocation routing is used to route your traffic based on your end user's location.
Exercises
In this section, you explore the different types of DNS routing policies that you can create using AWS. For specific step-by-step instructions, refer to the Amazon Route 53 information and documentation at http://aws.amazon.com/route53/. You will need your own domain name to complete this section, and you should be aware that Amazon Route 53 is not AWS Free Tier eligible. Hosting a zone on Amazon Route 53 should cost you a minimal amount per month per hosted zone, and additional charges will be levied depending on the routing policy you use. For current information on Amazon Route 53 pricing, refer to http://aws.amazon.com/route53/pricing/.
EXERCISE 9.1
Create a New Zone
1. Log in to the AWS Management Console.
2. Navigate to Amazon Route 53, and create a hosted zone.
3. Enter your domain name, and create your new zone file.
4. In the new zone file, you will see the SOA record and name servers. You will need to log in to your domain registrar's website and update the name servers with your AWS name servers.
5. After you update your name servers with your domain registrar, Amazon Route 53 will be configured to serve DNS requests for your domain.
You have now created your first Amazon Route 53 zone.
EXERCISE 9.2
Create Two Web Servers in Two Different Regions
In this exercise, you will create two new Amazon EC2 web servers in different AWS regions. You will use these in the following exercises when setting up Amazon Route 53 to access the web servers.
Create an Amazon EC2 Instance
1. Log in to the AWS Management Console.
2. Change your region to Asia Pacific (Sydney).
3. In the Compute section, load the Amazon EC2 dashboard. Launch an instance, and select the first Amazon Linux Amazon Machine Image (AMI).
4. Select the instance type, and configure your instance details. Take a close look at the different options available to you, and change your instance's storage device settings as necessary.
5. Name the instance Sydney, and add a security group that allows HTTP.
6. Launch your new Amazon EC2 instance, and verify that it has launched properly.
Connect to Your Amazon EC2 Instance
7. Navigate to the Amazon EC2 instance in the AWS Management Console, and copy the public IP address to your clipboard.
8. Using a Secure Shell (SSH) client of your choice, connect to your Amazon EC2 instance using the public IP address, the username ec2-user, and your private key.
9. When prompted about the authenticity of the host, do not accept blindly: compare the fingerprint shown with the SSH host key fingerprints that the instance prints to its system log (Instance Settings, Get System Log in the Amazon EC2 console), then type yes and continue.
10. You should now be connected to your Amazon EC2 instance. Elevate your privileges to root by typing sudo su.
11. While you're logged in as the root user to your Amazon EC2 instance, run the following command to install Apache httpd:
yum install httpd -y
12. After the installation has completed, run the command service httpd start followed by chkconfig httpd on.
13. On the EC2 instance, type: cd /var/www/html
14. Type nano index.html and press Enter.
15. In Nano, type This is the Sydney Server and then press Ctrl+X.
16. Type Y to confirm that you want to save the changes, and then press Enter.
17. Type ls. You should now see your newly created index.html file.
18. In your browser, navigate to http://yourpublicipaddress/index.html.
You should now see your "This is the Sydney Server" home page. If you do not see this, check your security group to make sure you allowed access on port 80.
Create an Elastic Load Balancing Load Balancer
19. Return to the AWS Management Console, and navigate to the Amazon EC2 dashboard.
20. Create a load balancer named Sydney, leaving the settings at their default values.
21. Create your security group, and allow all traffic in on port 80.
22. Configure the health check, leaving the settings at their default values.
23. Select your newly added instance. Add tags here if you want to tag your instances.
24. Click Create to provision your load balancer.
Create These Resources in a Second Region
25. Return to the AWS Management Console, and change your region to South America (Sao Paulo).
26. Repeat the three procedures in this section to add a second Amazon EC2 instance and a load balancer in this new region.
You have now created two web servers in different regions of the world and placed these regions behind Elastic Load Balancing load balancers.
EXERCISE 9.3
Create an Alias A Record with a Simple Routing Policy
1. Log in to the AWS Management Console, and navigate to the Amazon Route 53 dashboard.
2. Select your newly created zone's domain name, and create a record set of type A – IPv4 address, leaving the name blank so that it applies to the zone apex.
3. Create an alias pointing at your Sydney load balancer, leaving your routing policy set to Simple.
4. In your web browser, navigate to your domain name. You should now see the welcome page for the Sydney region. If you do not see this, check that your Amazon EC2 instance is attached to your load balancer and that the instance is in service. If the instance is not in service, this means that it is failing its health check. Check that Apache HTTP Server (httpd) is running and that your index.html document is accessible.
You have now created your first alias A record for the zone apex using the simple routing policy.
EXERCISE 9.4
Create a Weighted Routing Policy
1. Return to the AWS Management Console, and navigate to the Amazon Route 53 dashboard.
2. Navigate to hosted zones, and select your newly created zone's domain name.
3. Create a record set with the name set to developer. This will create a subdomain of developer.yourdomainname.com.
4. Select your Sydney load balancer as the alias target. Change the routing policy to Weighted with a weight of 50 and a Set ID of Sydney. Leave the other values at their defaults. Click Create. You will now see your newly created DNS entry.
5. Create another record set with the name set to developer. This will add a new record with the same name you created earlier. Both records will work together.
6. Select your Sao Paulo load balancer as the alias target. Change the routing policy to Weighted with a weight of 50 and a Set ID of SaoPaulo. Leave the other values at their defaults. Click Create. You will now see your newly created DNS entry.
7. Test your DNS by visiting http://developer.yourdomainname.com and refreshing the page. You should be accessing the Sydney server 50 percent of the time and the Sao Paulo server the other 50 percent of the time (over many refreshes; browser and resolver caching will keep you on one answer for the record's TTL).
You have now created a weighted DNS routing policy. You can continue to experiment with other routing policies by following the documentation at http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-policy.html.
EXERCISE 9.5
Create a Hosted Zone for Amazon Virtual Private Cloud (Amazon VPC)
Amazon VPC details are covered in Chapter 4, "Amazon Virtual Private Cloud (Amazon VPC)."
Create a Private Hosted Zone
1. Return to the AWS Management Console, and navigate to the Amazon Route 53 dashboard.
2. Create a hosted zone, and enter your private domain name.
3. Select the default Amazon VPC that you used in Exercise 9.2 to deploy the first server in the Asia Pacific (Sydney) region. Click Create. This will create a new zone file.
Verify Amazon VPC Configuration
4. Return to the AWS Management Console, and change your region to Asia Pacific (Sydney).
5. In the Amazon VPC dashboard, choose Your VPCs.
6. Click on the default Amazon VPC in the list. Ensure that both DNS resolution and DNS hostnames are enabled. Both settings must be enabled for private hosted zones to work.
Create Resource Record Sets
7. Return to the AWS Management Console, and navigate to the Amazon Route 53 dashboard.
8. Select your newly created private zone's domain name, and create a record set.
9. Enter the name you want to give to your Amazon EC2 instance (for example, webserver1), and select type A – IPv4 address with Alias set to No.
10. Enter the private IP address of the Amazon EC2 instance from Exercise 9.2 (shown in the Amazon EC2 console for the Sydney instance).
11. Leave your routing policy set to Simple, and click Create.
Connect to Your Amazon EC2 Instance
12. On the Amazon EC2 instances screen, wait until you see your virtual machine's instance state as running. Copy the public IP address to your clipboard.
13. Using an SSH client of your choice, connect to your Amazon EC2 instance using the public IP address, the username ec2-user, and your private key. For example, if you're using Terminal in OS X, you would type the following command:
14. When prompted about the authenticity of the host, verify the fingerprint against the instance's system log as in Exercise 9.2, then type yes and continue. You should now be connected to your Amazon EC2 instance.
15. While you're logged in to your Amazon EC2 instance, run the following command to check whether the host names in Amazon Route 53 are resolving:
nslookup webserver1.yourprivatehostedzone.com
16. You should receive a non-authoritative answer with the host name and IP address for the record set that you created in Amazon Route 53.
You have now created a private hosted zone in Amazon Route 53 and associated it with an Amazon VPC. You can continue to add instances in the Amazon VPC and create resource record sets for them in Amazon Route 53. These new instances will be able to communicate with the instances in the same Amazon VPC using the domain name that you created.
Remember to delete your Amazon EC2 instances and Elastic Load Balancing load balancers after you've finished experimenting with your different routing policies. You may also want to delete the zone if you are no longer using it.
Review Questions
1. Which type of record is commonly used to route traffic to an IPv6 address?
A. An A record
B. A CNAME
C. An AAAA record
D. An MX record
2. Where do you register a domain name?
A. With your local government authority
B. With a domain registrar
C. With InterNIC directly
D. With the Internet Assigned Numbers Authority (IANA)
3. You have an application that for legal reasons must be hosted in the United States when U.S. citizens access it. The application must be hosted in the European Union when citizens of the EU access it. For all other citizens of the world, the application must be hosted in Sydney. Which routing policy should you choose in order to achieve this?
A. Latency-based routing
B. Simple routing
C. Geolocation routing
D. Failover routing
4. Which type of DNS record should you use to resolve an IP address to a domain name?
A. An A record
B. A CNAME
C. An SPF record
D. A PTR record
5. You host a web application across multiple AWS regions in the world, and you need to configure your DNS so that your end users will get the fastest network performance possible. Which routing policy should you apply?
A. Geolocation routing
B. Latency-based routing
C. Simple routing
D. Weighted routing
6. Which DNS record should you use to configure the transmission of email to your intended mail server?
A. SPF records
B. A records
C. MX records
D. SOA record
7. Which DNS records are commonly used to stop email spoofing and spam?
A. MX records
B. SPF records
C. A records
D. CNAMEs
8. You are rolling out A and B test versions of a web application to see which version results in the most sales. You need 10 percent of your traffic to go to version A, 10 percent to go to version B, and the rest to go to your current production version. Which routing policy should you choose to achieve this?
A. Simple routing
B. Weighted routing
C. Geolocation routing
D. Failover routing
9. Which DNS record must all zones have by default?
A. SPF
B. TXT
C. MX
D. SOA
10. Your company has its primary production site in Western Europe and its DR site in the Asia Pacific. You need to configure DNS so that if your primary site becomes unavailable, you can fail DNS over to the secondary site. Which DNS routing policy would best achieve this?
A. Weighted routing
B. Geolocation routing
C. Simple routing
D. Failover routing
11. Which type of DNS record should you use to resolve a domain name to another domain name?
A. An A record
B. A CNAME record
C. An SPF record
D. A PTR record
12. Which is a function that Amazon Route 53 does not perform?
A. Domain registration
B. DNS service
C. Load balancing
D. Health checks
13. Which DNS record can be used to store human-readable information about a server, network, and other accounting data with a host?
A. A TXT record
B. An MX record
C. An SPF record
D. A PTR record
14. Which resource record set would not be allowed for the hosted zone example.com?
A. www.example.com
B. www.aws.example.com
C. www.example.ca
D. www.beta.example.com
15. Which port number is used to serve requests by DNS?
A. 22
B. 53
C. 161
D. 389
16. Which protocol is primarily used by DNS to serve requests?
A. Transmission Control Protocol (TCP)
B. HyperText Transfer Protocol (HTTP)
C. File Transfer Protocol (FTP)
D. User Datagram Protocol (UDP)
17. Which protocol is used by DNS when the response data size exceeds 512 bytes?
A. Transmission Control Protocol (TCP)
B. HyperText Transfer Protocol (HTTP)
C. File Transfer Protocol (FTP)
D. User Datagram Protocol (UDP)
18. What are the different hosted zones that can be created in Amazon Route 53?
1. Public hosted zone
2. Global hosted zone
3. Private hosted zone
A. 1 and 2
B. 1 and 3
C. 2 and 3
D. 1, 2, and 3
19. Amazon Route 53 cannot route queries to which AWS resource?
A. Amazon CloudFront distribution
B. Elastic Load Balancing load balancer
C. Amazon EC2
D. AWS OpsWorks
20. When configuring Amazon Route 53 as your DNS service for an existing domain, which is the first step that needs to be performed?
A. Create hosted zones.
B. Create resource record sets.
C. Register a domain with Amazon Route 53.
D. Transfer domain registration from the current registrar to Amazon Route 53.
Chapter 10 Amazon ElastiCache
THE AWS CERTIFIED SOLUTIONS ARCHITECT ASSOCIATE EXAM OBJECTIVES COVERED IN THIS CHAPTER MAY INCLUDE, BUT ARE NOT LIMITED TO, THE FOLLOWING:
Domain 1.0: Designing highly available, cost-efficient, fault-tolerant, and scalable systems
Identify and recognize cloud architecture considerations, such as fundamental components and effective designs.
Content may include the following:
Planning and design
Architectural trade-off decisions
Best practices for AWS architecture
Elasticity and scalability
Domain 3.0: Data Security
3.1 Recognize and implement secure practices for optimum cloud deployment and maintenance.
Content may include the following:
AWS administration and security services
3.2 Recognize critical disaster recovery techniques and their implementation.
Introduction
This chapter focuses on building high-performance applications using in-memory caching technologies and Amazon ElastiCache. By using the Amazon ElastiCache service, you can offload the heavy lifting involved in the deployment and operation of cache environments running Memcached or Redis. It focuses on key topics you need to understand for the exam, including:
How to improve application performance using caching
How to launch cache environments in the cloud
What are the basic differences and use cases for Memcached and Redis?
How to scale your cluster vertically
How to scale your Memcached cluster horizontally using additional cache nodes
How to scale your Redis cluster horizontally using replication groups
How to back up and recover your Redis cluster
How to apply a layered security model
In-Memory Caching
One of the common characteristics of a successful application is a fast and responsive user experience. Research has shown that users will get frustrated and leave a website or app when it is slow to respond. In 2007, testing of Amazon.com's retail site showed that for every 100 ms increase in load times, sales decreased by 1%. Round trips back and forth to a database and its underlying storage can add significant delays and are often the top contributor to application latency.
Caching frequently used data is one of the most important performance optimizations you can make in your applications. Compared to retrieving data from an in-memory cache, querying a database is an expensive operation. By storing or moving frequently accessed data in memory, application developers can significantly improve the performance and responsiveness of read-heavy applications. For example, the application session state for a large website can be stored in an in-memory caching engine, instead of storing the session data in the database.
For many years, developers have been building applications that use cache engines like Memcached or Redis to store data in memory to get blazing-fast application performance. Memcached is a simple-to-use in-memory key/value store that can be used to store arbitrary types of data. It is one of the most popular cache engines. Redis is a flexible in-memory data structure store that can be used as a cache, database, or even as a message broker. Amazon ElastiCache allows developers to easily deploy and manage cache environments running either Memcached or Redis.
Amazon ElastiCache
Amazon ElastiCache is a web service that simplifies the setup and management of distributed in-memory caching environments. This service makes it easy and cost effective to provide a high-performance and scalable caching solution for your cloud applications. You can use Amazon ElastiCache in your applications to speed the deployment of cache clusters and reduce the administration required for a distributed cache environment.
With Amazon ElastiCache, you can choose from a Memcached or Redis protocol-compliant cache engine and quickly launch a cluster within minutes. Because Amazon ElastiCache is a managed service, you can start using the service today with very few or no modifications to your existing applications that use Memcached or Redis. Because Amazon ElastiCache is protocol-compliant with both of these engines, you only need to change the endpoint in your configuration files.
Using Amazon ElastiCache, you can implement any number of caching patterns. The most common pattern is the cache-aside pattern depicted in Figure 10.1. In this scenario, the app server checks the cache first to see if it contains the data it needs. If the data does not exist in the cache node, it will query the database and serialize and write the query results to the cache. The next user request will then be able to read the data directly from the cache instead of querying the database.
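The cache-aside flow just described, written out as an added example (not AWS, ElastiCache or Redis code). To run offline it uses a `FakeCache` exposing only the `get`/`setex`/`delete` subset of the Redis interface and a `FakeDatabase` that counts its queries; in production the same `ProductCatalog` class would be handed a real Redis or Memcached client pointed at the ElastiCache endpoint. The product rows, TTL and clock values are constructed sample data. Beyond the basic miss-then-populate path, it shows the three things a first cache-aside implementation usually gets wrong: entries expiring (TTL), negative results being cached so a missing row cannot be used to hammer the database, and writes invalidating the cached copy.

```python
"""Cache-aside lookups against a simulated database and in-memory cache.

Added illustration only, not ElastiCache or Redis client code. FakeCache
mimics the small subset of the Redis interface that cache-aside needs
(GET, SETEX, DEL) so the example runs without a cache endpoint. Product
rows and timings below are constructed sample data.
"""
import json
import time


class FakeDatabase:
    """Stand-in for a relational database that counts how often it is queried."""

    def __init__(self, rows):
        self.rows = rows
        self.queries = 0

    def fetch_product(self, product_id):
        self.queries += 1
        return self.rows.get(product_id)


class FakeCache:
    """Minimal key/value store with per-key expiry, in the style of Redis SETEX.

    The clock is injectable so the demo can advance time without sleeping."""

    def __init__(self, clock=time.monotonic):
        self.store = {}
        self.clock = clock

    def get(self, key):
        item = self.store.get(key)
        if item is None:
            return None
        value, expires_at = item
        if self.clock() >= expires_at:
            del self.store[key]          # lazy expiry on read
            return None
        return value

    def setex(self, key, ttl_seconds, value):
        self.store[key] = (value, self.clock() + ttl_seconds)

    def delete(self, key):
        self.store.pop(key, None)


class ProductCatalog:
    NOT_FOUND = "__missing__"   # sentinel so misses are cached too (negative caching)

    def __init__(self, db, cache, ttl_seconds=60):
        self.db, self.cache, self.ttl = db, cache, ttl_seconds
        self.hits = self.misses = 0

    @staticmethod
    def key(product_id):
        return f"product:{product_id}"   # namespaced: one cache may serve several apps

    def get_product(self, product_id):
        """Cache-aside read: check the cache, fall back to the DB, then populate."""
        cached = self.cache.get(self.key(product_id))
        if cached is not None:
            self.hits += 1
            return None if cached == self.NOT_FOUND else json.loads(cached)
        self.misses += 1
        row = self.db.fetch_product(product_id)
        # Serialize to JSON before caching: the cache stores opaque strings, and
        # JSON (unlike pickle) cannot execute code when it is read back.
        payload = self.NOT_FOUND if row is None else json.dumps(row)
        self.cache.setex(self.key(product_id), self.ttl, payload)
        return row

    def update_product(self, product_id, row):
        """Write to the DB, then invalidate so the next read repopulates the cache."""
        self.db.rows[product_id] = row
        self.cache.delete(self.key(product_id))


def demo():
    now = [1000.0]                                   # controllable clock, seconds
    db = FakeDatabase({1: {"id": 1, "name": "widget", "price": 9.99}})
    catalog = ProductCatalog(db, FakeCache(clock=lambda: now[0]), ttl_seconds=60)

    first = catalog.get_product(1)       # miss: DB queried, cache populated
    second = catalog.get_product(1)      # hit: served from cache
    catalog.get_product(42)              # miss on a row that does not exist
    catalog.get_product(42)              # hit: the negative result was cached
    now[0] += 61                         # TTL elapses
    third = catalog.get_product(1)       # miss again: entry expired
    catalog.update_product(1, {"id": 1, "name": "widget", "price": 12.50})
    fourth = catalog.get_product(1)      # miss: invalidated on write, fresh row
    return {"first": first, "second": second, "third": third, "fourth": fourth,
            "db_queries": db.queries, "hits": catalog.hits, "misses": catalog.misses}


if __name__ == "__main__":
    print(demo())
```

Two design points carry over to a real deployment. The serialization format matters: anything readable from the cache is effectively untrusted input, so use JSON (or another data-only encoding) and never a format such as pickle that executes on load. And the TTL is the upper bound on staleness only if every writer invalidates; a writer that bypasses `update_product` leaves readers on the old row until expiry.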
FIGURE 10.1 Common caching architecture
While it is certainly possible to build and manage a cache cluster yourself on Amazon Elastic Compute Cloud (Amazon EC2), Amazon ElastiCache allows you to offload the heavy lifting of installation, patch management, and monitoring to AWS so you can focus on your application instead. Amazon ElastiCache also provides a number of features to enhance the reliability of critical deployments. While it is rare, the underlying Amazon EC2 instances can become impaired. Amazon ElastiCache can automatically detect and recover from the failure of a cache node. With the Redis engine, Amazon ElastiCache makes it easy to set up read replicas and fail over from the primary to a replica in the event of a problem.
Data Access Patterns
Retrieving a flat key from an in-memory cache will always be faster than the most optimized database query. You should evaluate the access pattern of the data before you decide to store it in cache. A good example of something to cache is the list of products in a catalog. For a busy website, the list of items could be retrieved thousands of times per second. While it makes sense to cache the most heavily requested items, you can also benefit from caching items that are not frequently requested.
There are also some data items that should not be cached. For example, if you generate a unique page every request, you probably should not cache the page results. However, even though the page changes every time, it does make sense to cache the components of the page that do not change.
Cache Engines
Amazon ElastiCache allows you to quickly deploy clusters of two different types of popular cache engines: Memcached and Redis. At a high level, Memcached and Redis may seem similar, but they support a variety of different use cases and provide different functionality.
Memcached
Memcached provides a very simple interface that allows you to write and read objects into in-memory key/value data stores. With Amazon ElastiCache, you can elastically grow and shrink a cluster of Memcached nodes to meet your demands. You can partition your cluster into shards and support parallelized operations for very high performance throughput. Memcached deals with objects as blobs that can be retrieved using a unique key. What you put into the object is up to you, and it is typically the serialized results from a database query. This could be simple string values or binary data.
Amazon ElastiCache supports a number of recent versions of Memcached. As of early 2016, the service supports Memcached version 1.4.24, and also older versions going back to 1.4.5. When a new version of Memcached is released, Amazon ElastiCache simplifies the upgrade process by allowing you to spin up a new cluster with the latest version.
Redis
In late 2013, Amazon ElastiCache added support to deploy Redis clusters. At the time of this writing, the service supports the deployment of Redis version 2.8.24, and also a number of older versions. Beyond the object support provided in Memcached, Redis supports a rich set of data types like strings, lists, and sets.
Unlike Memcached, Redis supports the ability to persist the in-memory data onto disk. This allows you to create snapshots that back up your data and then recover or replicate from the backups. Redis clusters also can support up to five read replicas to offload read requests. In the event of failure of the primary node, a read replica can be promoted to become the new primary using Multi-AZ replication groups.
Redis also has advanced features that make it easy to sort and rank data. Some common use cases include building a leaderboard for a mobile application or serving as a high-speed message broker in a distributed system. With a Redis cluster, you can leverage a publish and subscribe messaging abstraction that allows you to decouple the components of your applications. A publish and subscribe messaging architecture gives you the flexibility to change how you consume the messages in the future without affecting the component that is producing the messages in the first place.
Nodes and Clusters
Each deployment of Amazon ElastiCache consists of one or more nodes in a cluster. There are many different types of nodes available to choose from based on your use case and the necessary resources. A single Memcached cluster can contain up to 20 nodes. Redis clusters (with cluster mode disabled, the deployment described here) are always made up of a single node; however, multiple clusters can be grouped into a Redis replication group.
The individual node types are derived from a subset of the Amazon EC2 instance type families, like t2, m3, and r3. The specific node types may change over time, but today they range from a t2.micro node type with 555 MB of memory up to an r3.8xlarge with 237 GB of memory, with many choices in between. The t2 cache node family is ideal for development and low-volume applications with occasional bursts, but certain features may not be available. The m3 family is a good blend of compute and memory, while the r3 family is optimized for memory-intensive workloads.
Dependingonyourneeds,youmaychoosetohaveafewlargenodesormanysmallernodesinyourclusterorreplicationgroup.Asdemandforyourapplicationchanges,youmayalsoaddorremovenodesfromtimetotime.Eachnodetypecomeswithapreconfiguredamountofmemory,withasmallamountofthememoryallocatedtothecachingengineandoperatingsystemitself.
Design for Failure
While it is unlikely, you should plan for the potential failure of an individual cache node. For Memcached clusters, you can decrease the impact of the failure of a cache node by using a larger number of nodes with a smaller capacity, instead of a few large nodes.
In the event that Amazon ElastiCache detects the failure of a node, it will provision a replacement and add it back to the cluster. During this time, your database will experience increased load, because any requests that would have been cached will now need to be read from the database. For Redis clusters, Amazon ElastiCache will detect failure and replace the primary node. If a Multi-AZ replication group is enabled, a read replica can be automatically promoted to primary.
Memcached Auto Discovery
For Memcached clusters partitioned across multiple nodes, Amazon ElastiCache supports Auto Discovery with the provided client library. Auto Discovery simplifies your application code: the application layer no longer needs to be aware of the infrastructure topology of the cache cluster.
Using Auto Discovery
The Auto Discovery client gives your applications the ability to automatically identify all of the nodes in a cache cluster and to initiate and maintain connections to all of these nodes. The Auto Discovery client is available for .NET, Java, and PHP platforms.
Scaling
Amazon ElastiCache allows you to adjust the size of your environment to meet the needs of workloads as they evolve over time. Adding additional cache nodes allows you to easily expand horizontally and meet higher levels of read or write performance. You can also select different classes of cache nodes to scale vertically.
Horizontal Scaling
Amazon ElastiCache also adds functionality that allows you to scale the size of your cache environment horizontally. This functionality differs depending on the cache engine you have selected. With Memcached, you can partition your data and scale horizontally up to the cluster limit of 20 nodes (a default quota that can be raised). With Auto Discovery, your application can discover Memcached nodes that are added to or removed from a cluster.
A Redis cluster consists of a single cache node that is handling read and write transactions. Additional clusters can be created and grouped into a Redis replication group. While you can only have one node handling write commands, you can have up to five read replicas handling read-only requests.
Vertical Scaling
Support for vertical scaling is more limited with Amazon ElastiCache. If you would like to change the cache node type and scale the compute resources vertically, the service does not directly allow you to resize your cluster in this manner. You can, however, quickly spin up a new cluster with the desired cache node types and start redirecting traffic to the new cluster. It's important to understand that a new Memcached cluster always starts empty, while a Redis cluster can be initialized from a backup.
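The two Memcached points above, the Auto Discovery client learning the node list and the application partitioning keys across nodes that come and go, can be seen together in a small script. The following is an added example, not code from the book or from the AWS client library. It constructs the reply that the cluster's configuration endpoint gives to the Memcached command "config get cluster" (a version number followed by host|ip|port entries), parses it, and then compares two ways of mapping keys to the discovered nodes: naive modulo hashing, which reshuffles most keys when a node is added (every moved key is a cache miss that lands on the database), and consistent hashing, which moves only the share of keys that the new node takes over. Hostnames and addresses are placeholders.

```python
import bisect
import hashlib

# --- Auto Discovery: the configuration endpoint's reply ---------------------
# "config get cluster" returns a configuration version followed by the node
# list as space-separated host|ip|port entries. build_config_response() is a
# constructed stand-in for the network reply; hostnames are placeholders.

def build_config_response(version, nodes):
    """Constructed wire image of a 'config get cluster' reply."""
    body = (
        f"{version}\n"
        + " ".join(f"{host}|{ip}|{port}" for host, ip, port in nodes)
        + "\n"
    ).encode("ascii")
    return b"CONFIG cluster 0 %d\r\n" % len(body) + body + b"\r\nEND\r\n"


def parse_config_response(raw):
    """Return (config_version, [(host, ip, port), ...]) from the reply bytes."""
    header, body, end, trailer = raw.decode("ascii").split("\r\n")
    if not header.startswith("CONFIG cluster ") or end != "END" or trailer:
        raise ValueError("malformed cluster config response")
    if int(header.split()[-1]) != len(body.encode("ascii")):
        raise ValueError("declared length does not match body")
    version_line, node_line = body.split("\n")[:2]
    nodes = []
    for entry in node_line.split():
        host, ip, port = entry.split("|")
        nodes.append((host, ip, int(port)))
    return int(version_line), nodes


# --- Partitioning keys across the discovered nodes --------------------------
def _hash32(value):
    return int.from_bytes(hashlib.sha256(value.encode()).digest()[:4], "big")


class HashRing:
    """Consistent hashing: each node owns `vnodes` points on a 32-bit ring and
    a key belongs to the first node point at or after the key's hash."""

    def __init__(self, nodes, vnodes=128):
        self._points, self._owners, self.vnodes = [], [], vnodes
        for node in nodes:
            self.add(node)

    def add(self, node):
        for i in range(self.vnodes):
            point = _hash32(f"{node}#{i}")
            idx = bisect.bisect(self._points, point)
            self._points.insert(idx, point)
            self._owners.insert(idx, node)

    def node_for(self, key):
        if not self._points:
            raise LookupError("ring has no nodes")
        idx = bisect.bisect(self._points, _hash32(key)) % len(self._points)
        return self._owners[idx]


def modulo_node(nodes, key):
    """Naive placement: hash(key) mod node count."""
    return nodes[_hash32(key) % len(nodes)]


def remapped_fraction(keys, old_nodes, new_nodes, strategy):
    """Share of keys whose owning node changes when the node list changes."""
    if strategy == "modulo":
        moved = sum(modulo_node(old_nodes, k) != modulo_node(new_nodes, k) for k in keys)
    elif strategy == "ring":
        old_ring, new_ring = HashRing(old_nodes), HashRing(new_nodes)
        moved = sum(old_ring.node_for(k) != new_ring.node_for(k) for k in keys)
    else:
        raise ValueError(strategy)
    return moved / len(keys)


if __name__ == "__main__":
    reply = build_config_response(1, [
        ("cache.0001.example.internal", "10.0.1.10", 11211),
        ("cache.0002.example.internal", "10.0.1.11", 11211),
    ])
    version, nodes = parse_config_response(reply)
    hosts = [host for host, _, _ in nodes]
    grown = hosts + ["cache.0003.example.internal"]   # one node added
    keys = [f"session:{i}" for i in range(10_000)]
    print("config version", version, "nodes", hosts)
    print("modulo: %.0f%% of keys move on scale-out" % (100 * remapped_fraction(keys, hosts, grown, "modulo")))
    print("ring:   %.0f%% of keys move on scale-out" % (100 * remapped_fraction(keys, hosts, grown, "ring")))
```

A real client polls the configuration endpoint and rebuilds its node list when the version number changes; the remap fraction is what you are paying for in database load every time that happens, which is why the provided client libraries use consistent hashing rather than modulo placement.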
Replication and Multi-AZ
Replication is a useful technique to provide rapid recovery in the event of a node failure, and also to serve up very high volumes of read queries beyond the capabilities of a single node. Amazon ElastiCache clusters running Redis support both of these design requirements. Unlike Redis, cache clusters running Memcached are standalone in-memory services without any redundant data protection services.
Cache clusters running Redis support the concept of replication groups. A replication group consists of up to six clusters, with five of them designated as read replicas. This allows you to scale horizontally by writing code in your application to offload reads to one of the five clones (see Figure 10.2).
FIGURE 10.2 Redis replication group
Multi-AZ Replication Groups
You can also create a Multi-AZ replication group that allows you to increase availability and minimize the loss of data. Multi-AZ simplifies the process of dealing with a failure by automating the replacement and failover from the primary node.
In the event the primary node fails or can't be reached, Multi-AZ will select and promote a read replica to become the new primary, and a new node will be provisioned to replace the failed one. Amazon ElastiCache will then update the Domain Name System (DNS) entry of the new primary node to allow your application to continue processing without any configuration change and with only a short disruption. This only works if your client re-resolves the endpoint name on reconnect rather than holding on to the old IP address.
Understand That Replication Is Asynchronous
It's important to keep in mind that replication between the clusters is performed asynchronously and there will be a small delay before data is available on all cluster nodes. Two consequences follow: a failover can lose writes that had not yet reached the promoted replica, and an application that writes to the primary and immediately reads the same key from a replica may see the old value.
Backup and Recovery
Amazon ElastiCache clusters running Redis allow you to persist your data from in-memory to disk and create a snapshot. Each snapshot is a full clone of the data that can be used to recover to a specific point in time or to create a copy for other purposes. Snapshots cannot be created for clusters using the Memcached engine because it is a purely in-memory key/value store and always starts empty. Amazon ElastiCache uses the native backup capabilities of Redis and will generate a standard Redis database backup file that gets stored in Amazon Simple Storage Service (Amazon S3).
Snapshots require compute and memory resources to perform and can potentially have a performance impact on heavily used clusters. Amazon ElastiCache will try different backup techniques depending on the amount of memory currently available. A best practice is to set up a replication group and perform a snapshot against one of the read replicas instead of the primary node.
In addition to manually initiated snapshots, snapshots can be created automatically based on a schedule. You can also configure a window for the snapshot operation to be completed and specify how many days of backups you want to store. Manual snapshots are stored indefinitely until you delete them.
Backup Redis Clusters
Use a combination of automatic and manual snapshots to meet your recovery objectives for your Redis cluster. Memcached is purely in-memory and does not have native backup capabilities.
Whether the snapshot was created automatically or manually, the snapshot can then be used to create a new cluster at any time. By default, the new cluster will have the same configuration as the source cluster, but you can override these settings. You can also restore from an RDB file generated from any other compatible Redis cluster.
Access Control
Access to your Amazon ElastiCache cluster is controlled primarily by restricting inbound network access to your cluster. Inbound network traffic is restricted through the use of security groups. Each security group defines one or more inbound rules that restrict the source traffic. When deployed inside of a Virtual Private Cloud (VPC), each node will be issued a private IP address within one or more subnets that you select. Individual nodes can never be accessed from the Internet or from Amazon EC2 instances outside the VPC. You can further restrict network ingress at the subnet level by modifying the network Access Control Lists (ACLs). Because the cache protocols themselves carry no client authentication in this model, the security group is in effect the authentication boundary: any host whose traffic is permitted to the Memcached port (11211) or the Redis port (6379) can read and modify every key. Prefer inbound rules whose source is the application tier's own security group rather than a CIDR range.
Access to manage the configuration and infrastructure of the cluster is controlled separately from access to the actual Memcached or Redis service endpoint. Using the AWS Identity and Access Management (IAM) service, you can define policies that control which AWS users can manage the Amazon ElastiCache infrastructure itself.
Some of the key actions an administrator can perform include CreateCacheCluster, ModifyCacheCluster, or DeleteCacheCluster. Redis clusters also support CreateReplicationGroup and CreateSnapshot actions, among others.
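The management-plane side of this is an IAM policy naming those actions. The following is an added example, not from the book or from AWS documentation: a least-privilege policy for an operations role that may inspect clusters and take snapshots but must never delete cache resources, together with a small evaluator that applies the part of the IAM decision logic relevant here (an explicit Deny always wins over any Allow, and anything not allowed is implicitly denied). Conditions, NotAction, resource-based policies and service control policies are deliberately out of scope, and the account ID, region and resource names in the ARNs are placeholders.

```python
import fnmatch

# Example policy for an operator role: read-only inspection plus snapshots,
# with destruction explicitly denied so that no later Allow can reintroduce it.
OPERATOR_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "InspectAndSnapshot",
            "Effect": "Allow",
            "Action": ["elasticache:Describe*", "elasticache:CreateSnapshot"],
            "Resource": "*",
        },
        {
            "Sid": "NeverDestroy",
            "Effect": "Deny",
            "Action": [
                "elasticache:DeleteCacheCluster",
                "elasticache:DeleteReplicationGroup",
                "elasticache:DeleteSnapshot",
            ],
            "Resource": "*",
        },
    ],
}

# A broad policy that someone might attach to the same principal later.
ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "elasticache:*", "Resource": "*"}],
}

# Resource scoping: snapshots allowed only on production replication groups.
# Account ID, region and group names are placeholders.
SNAPSHOT_SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "elasticache:CreateSnapshot",
        "Resource": "arn:aws:elasticache:us-east-1:123456789012:replicationgroup:prod-*",
    }],
}
PROD_RG = "arn:aws:elasticache:us-east-1:123456789012:replicationgroup:prod-sessions"
DEV_RG = "arn:aws:elasticache:us-east-1:123456789012:replicationgroup:dev-scratch"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # Action names are matched case-insensitively; '*' and '?' are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern, arn):
    # ARNs are matched case-sensitively with the same wildcards.
    return fnmatch.fnmatchcase(arn, pattern)


def is_allowed(policies, action, resource="*"):
    """Decide one request against a set of identity-based policies:
    explicit Deny wins, otherwise any matching Allow, otherwise implicit deny."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(_action_matches(p, action) for p in _as_list(stmt.get("Action", []))):
                continue
            if not any(_resource_matches(r, resource) for r in _as_list(stmt.get("Resource", []))):
                continue
            if stmt["Effect"] == "Deny":
                return False          # nothing can override an explicit Deny
            allowed = True
    return allowed


def run_demo():
    """Exercise the policies; returns a dict so each decision can be checked."""
    return {
        "operator describe": is_allowed([OPERATOR_POLICY], "elasticache:DescribeCacheClusters"),
        "operator delete": is_allowed([OPERATOR_POLICY], "elasticache:DeleteCacheCluster"),
        "operator modify": is_allowed([OPERATOR_POLICY], "elasticache:ModifyCacheCluster"),
        "operator+admin delete": is_allowed([OPERATOR_POLICY, ADMIN_POLICY], "elasticache:DeleteCacheCluster"),
        "scoped snapshot prod": is_allowed([SNAPSHOT_SCOPED_POLICY], "elasticache:CreateSnapshot", PROD_RG),
        "scoped snapshot dev": is_allowed([SNAPSHOT_SCOPED_POLICY], "elasticache:CreateSnapshot", DEV_RG),
    }


if __name__ == "__main__":
    for request, decision in run_demo().items():
        print(f"{request:24s} -> {'ALLOW' if decision else 'DENY'}")
```

The "operator+admin delete" case is the reason to write the Deny statement at all: attaching a later, broader Allow to the same principal does not reopen deletion, whereas a policy that merely omitted the Delete actions would.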
Summary
In this chapter, you learned about caching environments within the cloud using Amazon ElastiCache. You can quickly launch clusters running Memcached or Redis to store frequently used data in-memory. Caching can speed up the response time of your applications, reduce load on your back-end data stores, and improve the user experience.
With Amazon ElastiCache, you can offload the administrative tasks for provisioning and operating clusters and focus on the application. Each cache cluster contains one or more nodes. Select from a range of node types to give the right mix of compute and memory resources for your use case.
You can scale both Memcached and Redis clusters vertically by launching a new cluster with a larger or smaller node type and redirecting traffic to it, because an existing cluster cannot be resized in place. With Amazon ElastiCache and the Memcached engine, you can also scale your cluster horizontally by adding or removing nodes. With Amazon ElastiCache and the Redis engine, you can also scale horizontally by creating a replication group that will automatically replicate across multiple read replicas.
Streamline your backup and recovery process for Redis clusters with Amazon ElastiCache's consistent operational model. While Memcached clusters are in-memory only and cannot be persisted, Redis clusters support both automated and manual snapshots. A snapshot can then be restored to recover from a failure or to clone an environment.
You can secure your cache environments at the network level with security groups and network ACLs, and at the infrastructure level using IAM policies. Security groups will serve as your primary access control mechanism to restrict inbound access for active clusters.
You should analyze your data usage patterns and identify frequently run queries or other expensive operations that could be candidates for caching. You can relieve pressure from your database by offloading read requests to the cache tier. Data elements that are accessed on every page load, or with every request but do not change, are often prime candidates for caching. Even data that changes frequently can often benefit from being cached with very large request volumes.
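The read-offloading the Summary describes, and the point made under Design for Failure that a lost cache node pushes its reads back onto the database, are both visible in a cache-aside implementation. The following is an added example, not code from the book: a cache-aside wrapper run against an in-memory stand-in for a cache node (with per-key TTL and a switch to make it unreachable) and a stand-in database that counts its reads. It is engine-neutral; against a real Memcached or Redis node the FakeCache calls map onto the client library's get, set-with-expiry and delete. The product record and prices are constructed sample data.

```python
class Clock:
    """Controllable time source so TTL expiry can be shown deterministically."""
    def __init__(self):
        self.now = 0.0
    def __call__(self):
        return self.now
    def advance(self, seconds):
        self.now += seconds


class FakeDatabase:
    """Stand-in for the system of record; counts reads to show offloaded load."""
    def __init__(self, rows):
        self.rows, self.reads = dict(rows), 0
    def fetch(self, key):
        self.reads += 1
        return self.rows.get(key)


class FakeCache:
    """Stand-in for a cache node: per-key TTL, and it can be marked unreachable."""
    def __init__(self, clock):
        self._store, self._clock, self.available = {}, clock, True
    def _check(self):
        if not self.available:
            raise ConnectionError("cache node unreachable")
    def get(self, key):
        self._check()
        item = self._store.get(key)
        if item is None:
            return None
        value, expires_at = item
        if expires_at <= self._clock():
            del self._store[key]          # lazy expiry, as the engines do
            return None
        return value
    def set(self, key, value, ttl):
        self._check()
        self._store[key] = (value, self._clock() + ttl)
    def delete(self, key):
        self._check()
        self._store.pop(key, None)


class CacheAside:
    """Read: cache first, then database, then populate. Write: database, then invalidate."""
    def __init__(self, cache, db, ttl=300):
        self.cache, self.db, self.ttl = cache, db, ttl
        self.hits = self.misses = 0

    def get(self, key):
        try:
            value = self.cache.get(key)
        except ConnectionError:
            value = None                  # design for failure: a dead node is a miss
        if value is not None:
            self.hits += 1
            return value
        self.misses += 1
        value = self.db.fetch(key)        # this is the load the cache normally absorbs
        if value is not None:
            try:
                self.cache.set(key, value, self.ttl)
            except ConnectionError:
                pass                      # serving from the database is still correct
        return value

    def update(self, key, value):
        self.db.rows[key] = value         # the database stays the source of truth
        try:
            self.cache.delete(key)        # invalidate; the next read repopulates
        except ConnectionError:
            pass                          # a stale entry survives at most `ttl` seconds


def run_demo():
    """Drive the wrapper through hits, TTL expiry, a node outage and an update."""
    clock = Clock()
    db = FakeDatabase({"product:42": {"name": "widget", "price": 9.99}})   # constructed row
    cache = FakeCache(clock)
    store = CacheAside(cache, db, ttl=60)
    for _ in range(100):                  # one miss populates the cache, then 99 hits
        store.get("product:42")
    clock.advance(61)                     # TTL elapsed: the next read goes to the database
    store.get("product:42")
    cache.available = False               # node being replaced: the database absorbs the read
    store.get("product:42")
    cache.available = True
    store.update("product:42", {"name": "widget", "price": 10.99})
    first = store.get("product:42")       # miss after invalidation, repopulates
    second = store.get("product:42")      # hit, serves the fresh value
    return db.reads, store.hits, store.misses, first["price"], second["price"]


if __name__ == "__main__":
    reads, hits, misses, _, price = run_demo()
    print(f"database reads={reads} cache hits={hits} misses={misses} current price={price}")
```

Two design choices matter for correctness: a cache error is treated as a miss rather than a request failure, so losing a node degrades into extra database load instead of an outage, and an update invalidates the key rather than writing the new value through, which avoids the race where a concurrent reader repopulates the cache with a value it read just before the database changed.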
Exam Essentials
Know how to use Amazon ElastiCache. Improve the performance of your application by deploying Amazon ElastiCache clusters as part of your application and offloading read requests for frequently accessed data. Use the cache-aside pattern in your application: first check the cache for your query results before checking the database.
Understand when to use a specific cache engine. Amazon ElastiCache gives you the choice of cache engine to suit your requirements. Use Memcached when you need a simple, in-memory object store that can be easily partitioned and scaled horizontally. Use Redis when you need to back up and restore your data, need many clones or read replicas, or are looking for advanced functionality like sort and rank or leaderboards that Redis natively supports.
Understand how to scale a Redis cluster horizontally. An Amazon ElastiCache cluster running Redis can be scaled horizontally first by creating a replication group, then by creating additional clusters and adding them to the replication group.
Understand how to scale a Memcached cluster horizontally. An Amazon ElastiCache cluster running Memcached can be scaled horizontally by adding or removing cache nodes in the cluster. The Amazon ElastiCache client library supports Auto Discovery and can discover new nodes added to or removed from the cluster without having to hardcode the list of nodes.
Know how to back up your Amazon ElastiCache cluster. You can create a snapshot to back up your Amazon ElastiCache clusters running the Redis engine. Snapshots can be created automatically on a daily basis or manually on demand. Amazon ElastiCache clusters running Memcached do not support backup and restore natively.
Exercises
In this section, you will create a cache cluster using Amazon ElastiCache, expand the cluster with additional nodes, and finally create a replication group with an Amazon ElastiCache Redis cluster.
EXERCISE 10.1
Create an Amazon ElastiCache Cluster Running Memcached
In this exercise, you will create an Amazon ElastiCache cluster using the Memcached engine.
1. While signed in to the AWS Management Console, open the Amazon ElastiCache service dashboard.
2. Begin the launch and configuration process to create a new Amazon ElastiCache cluster.
3. Select the Memcached cache engine, and configure the cluster name, number of nodes, and node type.
4. Optionally configure the security group and maintenance window as needed.
5. Review the cluster configuration, and begin provisioning the cluster.
6. Connect to the cluster with any Memcached client using the DNS name of the cluster.
You have now created your first Amazon ElastiCache cluster.
EXERCISE 10.2
Expand the Size of a Memcached Cluster
In this exercise, you will expand the size of an existing Amazon ElastiCache Memcached cluster.
1. Launch a Memcached cluster using the steps defined in Exercise 10.1.
2. Go to the Amazon ElastiCache dashboard, and view the details of your existing cluster.
3. View the list of nodes currently provisioned, and then add one additional node by increasing the number of nodes.
4. Apply the configuration change, and wait for the new node to finish the provisioning process.
5. Verify that the new node has been created, and connect to the node using a Memcached client.
In this exercise, you have horizontally scaled an existing Amazon ElastiCache cluster by adding a cache node.
EXERCISE 10.3
Create an Amazon ElastiCache Cluster and Redis Replication Group
In this exercise, you will create an Amazon ElastiCache cluster using Redis nodes, create a replication group, and set up a read replica.
1. Sign in to the AWS Management Console, and navigate to the Amazon ElastiCache service dashboard.
2. Begin the configuration and launch process for a new Amazon ElastiCache cluster.
3. Select the Redis cache engine, and then configure a replication group and the node type.
4. Configure a read replica by setting the number of read replicas to 1, and verify that Enable Replication and Multi-AZ are selected.
5. Adjust the Availability Zones for the primary and read replica clusters, security groups, and maintenance window, as needed.
6. Review the cluster configuration, and begin provisioning the cluster.
7. Connect to the primary node and the read replica node with a Redis client library. Perform a simple set operation on the primary node, and then perform a get operation with the same key on the replica. Because replication is asynchronous, a get issued immediately after the set may return nothing; retry after a short delay.
You have now created an Amazon ElastiCache cluster using the Redis engine and configured a read replica.
Review Questions
1. Which of the following objects are good candidates to store in a cache? (Choose 3 answers)
A. Session state
B. Shopping cart
C. Product catalog
D. Bank account balance
2. Which of the following cache engines are supported by Amazon ElastiCache? (Choose 2 answers)
A. MySQL
B. Memcached
C. Redis
D. Couchbase
3. How many nodes can you add to an Amazon ElastiCache cluster running Memcached?
A. 1
B. 5
C. 20
D. 100
4. How many nodes can you add to an Amazon ElastiCache cluster running Redis?
A. 1
B. 5
C. 20
D. 100
5. An application currently uses Memcached to cache frequently used database queries. Which steps are required to migrate the application to use Amazon ElastiCache with minimal changes? (Choose 2 answers)
A. Recompile the application to use the Amazon ElastiCache libraries.
B. Update the configuration file with the endpoint for the Amazon ElastiCache cluster.
C. Configure a security group to allow access from the application servers.
D. Connect to the Amazon ElastiCache nodes using Secure Shell (SSH) and install the latest version of Memcached.
6. How can you back up data stored in Amazon ElastiCache running Redis? (Choose 2 answers)
A. Create an image of the Amazon Elastic Compute Cloud (Amazon EC2) instance.
B. Configure automatic snapshots to back up the cache environment every night.
C. Create a snapshot manually.
D. Redis clusters cannot be backed up.
7. How can you secure an Amazon ElastiCache cluster? (Choose 3 answers)
A. Change the Memcached root password.
B. Restrict Application Programming Interface (API) actions using AWS Identity and Access Management (IAM) policies.
C. Restrict network access using security groups.
D. Restrict network access using a network Access Control List (ACL).
8. You are working on a mobile gaming application and are building the leaderboard feature to track the top scores across millions of users. Which AWS services are best suited for this use case?
A. Amazon Redshift
B. Amazon ElastiCache using Memcached
C. Amazon ElastiCache using Redis
D. Amazon Simple Storage Service (S3)
9. You have built a large web application that uses Amazon ElastiCache using Memcached to store frequent query results. You plan to expand both the web fleet and the cache fleet multiple times over the next year to accommodate increased user traffic. How do you minimize the amount of changes required when a scaling event occurs?
A. Configure Auto Discovery on the client side
B. Configure Auto Discovery on the server side
C. Update the configuration file each time a new cluster
D. Use an Elastic Load Balancer to proxy the requests
10. Which cache engines does Amazon ElastiCache support? (Choose 2 answers)
A. Memcached
B. Redis
C. Membase
D. Couchbase
Chapter 11
Additional Key Services
THE AWS CERTIFIED SOLUTIONS ARCHITECT ASSOCIATE EXAM TOPICS OBJECTIVES COVERED IN THIS CHAPTER MAY INCLUDE, BUT ARE NOT LIMITED TO, THE FOLLOWING:
Domain 1.0: Designing highly available, cost-efficient, fault-tolerant, and scalable systems
1.1 Identify and recognize cloud architecture considerations, such as fundamental components and effective designs.
Content may include the following:
How to design cloud services
Planning and design
Monitoring and logging
Domain 2.0: Implementation/Deployment
2.1 Identify the appropriate techniques and methods using Amazon Elastic Compute Cloud (Amazon EC2), Amazon Simple Storage Service (Amazon S3), AWS Elastic Beanstalk, AWS CloudFormation, AWS OpsWorks, Amazon Virtual Private Cloud (Amazon VPC), and AWS Identity and Access Management (IAM) to code and implement a cloud solution.
Content may include the following:
Configure services to support compliance requirements in the cloud
Launch instances across the AWS global infrastructure
Domain 3.0: Data Security
3.1 Recognize and implement secure practices for optimum cloud deployment and maintenance.
Content may include the following:
AWS platform compliance
AWS security attributes (customer workloads down to physical layer)
AWS administration and security services
AWS CloudTrail
Ingress vs. egress filtering and which AWS cloud services and features fit
Encryption solutions (e.g., key services)
AWS Trusted Advisor
3.2 Recognize critical disaster recovery techniques and their implementation.
Content may include the following:
AWS Import/Export
AWS Storage Gateway
Introduction
Because Solutions Architects are often involved in solutions across a wide variety of business verticals and use cases, it is important to understand the basics of all AWS cloud service offerings. This chapter focuses on additional key AWS services that you should know at a high level to be successful on the exam. These services are grouped into four categories: Storage and Content Delivery, Security, Analytics, and DevOps.
Before architecting any system, foundational practices that influence security should be in place; for example, providing directories that contain organizational information, or understanding how encryption protects data by rendering it unintelligible to anyone without authorized access. As a Solutions Architect, understanding the AWS cloud services available to support an organization's directories and encryption is important because they support objectives such as identity management or complying with regulatory obligations.
Architecting analytical solutions is critical because the amount of data that companies need to understand continues to grow to record sizes. AWS provides analytic services that can scale to very large data stores efficiently and cost-effectively. Understanding these services allows Solutions Architects to build virtually any big data application and support any workload regardless of volume, velocity, and variety of data.
DevOps becomes an important concept as the pace of innovation accelerates and customer needs rapidly evolve, forcing businesses to become increasingly agile. Time to market is key, and to facilitate overall business goals, IT departments need to be agile. Understanding the DevOps options that are available on AWS will help Solutions Architects meet the demands of agile businesses that need IT operations to deploy applications in a consistent, repeatable, and reliable manner.
Understanding these additional services will not only help in your exam preparation, but it will also help you establish a foundation for growing as a Solutions Architect on the AWS platform.
Storage and Content Delivery
This section covers two additional storage and content delivery services that are important for a Solutions Architect to understand: Amazon CloudFront and AWS Storage Gateway.
Amazon CloudFront
Amazon CloudFront is a global Content Delivery Network (CDN) service. It integrates with other AWS products to give developers and businesses an easy way to distribute content to end users with low latency, high data transfer speeds, and no minimum usage commitments.
Overview
A Content Delivery Network (CDN) is a globally distributed network of caching servers that speed up the downloading of web pages and other content. CDNs use Domain Name System (DNS) geo-location to determine the geographic location of each request for a web page or other content, then they serve that content from edge caching servers closest to that location instead of the original web server. A CDN allows you to increase the scalability of a website or mobile application easily in response to peak traffic spikes. In most cases, using a CDN is completely transparent: end users simply experience better website performance, while the load on your original website is reduced.
Amazon CloudFront is the AWS CDN. It can be used to deliver your web content using Amazon's global network of edge locations. When a user requests content that you're serving with Amazon CloudFront, the user is routed to the edge location that provides the lowest latency (time delay), so content is delivered with the best possible performance. If the content is already in the edge location with the lowest latency, Amazon CloudFront delivers it immediately. If the content is not currently in that edge location, Amazon CloudFront retrieves it from the origin server, such as an Amazon Simple Storage Service (Amazon S3) bucket or a web server, which stores the original, definitive versions of your files.
Amazon CloudFront is optimized to work with other AWS cloud services as the origin server, including Amazon S3 buckets, Amazon S3 static websites, Amazon Elastic Compute Cloud (Amazon EC2), and Elastic Load Balancing. Amazon CloudFront also works seamlessly with any non-AWS origin server, such as an existing on-premises web server. Amazon CloudFront also integrates with Amazon Route 53.
Amazon CloudFront supports all content that can be served over HTTP or HTTPS. This includes any popular static files that are a part of your web application, such as HTML files, images, JavaScript, and CSS files, and also audio, video, media files, or software downloads. Amazon CloudFront also supports serving dynamic web pages, so it can actually be used to deliver your entire website. Finally, Amazon CloudFront supports media streaming, using both HTTP and RTMP.
Amazon CloudFront Basics
There are three core concepts that you need to understand in order to start using CloudFront: distributions, origins, and cache control. With these concepts, you can easily use CloudFront to speed up delivery of static content from your websites.
Distributions
To use Amazon CloudFront, you start by creating a distribution, which is identified by a DNS domain name such as d111111abcdef8.cloudfront.net. To serve files from Amazon CloudFront, you simply use the distribution domain name in place of your website's domain name; the rest of the file paths stay unchanged. You can use the Amazon CloudFront distribution domain name as-is, or you can create a user-friendly DNS name in your own domain by creating a CNAME record in Amazon Route 53 or another DNS service. DNS then resolves your name to the distribution domain name; the same name must also be registered on the distribution as an alternate domain name (CNAME) so that CloudFront accepts requests for it.
Origins
When you create a distribution, you must specify the DNS domain name of the origin, the Amazon S3 bucket or HTTP server from which you want Amazon CloudFront to get the definitive version of your objects (web files). For example:
Amazon S3 bucket: myawsbucket.s3.amazonaws.com
Amazon EC2 instance: ec2-203-0-113-25.compute-1.amazonaws.com
Elastic Load Balancing load balancer: my-load-balancer-1234567890.us-west-2.elb.amazonaws.com
Website URL: mywebserver.mycompanydomain.com
Cache Control
Once requested and served from an edge location, objects stay in the cache until they expire or are evicted to make room for more frequently requested content. By default, objects expire from the cache after 24 hours. Once an object expires, the next request results in Amazon CloudFront forwarding the request to the origin to verify that the object is unchanged or to fetch a new version if it has changed.
Optionally, you can control how long objects stay in an Amazon CloudFront cache before expiring. To do this, you can choose to use Cache-Control headers set by your origin server, or you can set the minimum, maximum, and default Time to Live (TTL) for objects in your Amazon CloudFront distribution.
You can also remove copies of an object from all Amazon CloudFront edge locations at any time by calling the invalidation Application Program Interface (API). This feature removes the object from every Amazon CloudFront edge location regardless of the expiration period you set for that object on your origin server. The invalidation feature is designed to be used in unexpected circumstances, such as to correct an error or to make an unanticipated update to a website, not as part of your everyday workflow.
Instead of invalidating objects manually or programmatically, it is a best practice to use a version identifier as part of the object (file) path name. For example:
Old file: assets/v1/css/narrow.css
New file: assets/v2/css/narrow.css
When using versioning, users always see the latest content through Amazon CloudFront when you update your site, without using invalidation. Old versions will expire from the cache automatically.
Amazon CloudFront Advanced Features
CloudFront can do much more than simply serve static web files. To start using CloudFront's advanced features, you will need to understand how to use cache behaviors, and how to restrict access to sensitive content.
Dynamic Content, Multiple Origins, and Cache Behaviors
Serving static assets, as described previously, is a common way to use a CDN. An Amazon CloudFront distribution, however, can easily be set up to serve dynamic content in addition to static content and to use more than one origin server. You control which requests are served by which origin and how requests are cached using a feature called cache behaviors.
A cache behavior lets you configure a variety of Amazon CloudFront functionalities for a given URL path pattern for files on your website. For example, see Figure 11.1. One cache behavior applies to all PHP files in a web server (dynamic content), using the path pattern *.php, while another behavior applies to all JPEG images in another origin server (static content), using the path pattern *.jpg.
FIGURE 11.1 Delivering static and dynamic content
The functionality you can configure for each cache behavior includes the following:
The path pattern
Which origin to forward your requests to
Whether to forward query strings to your origin
Whether accessing the specified files requires signed URLs
Whether to require HTTPS access
The amount of time that those files stay in the Amazon CloudFront cache (regardless of the value of any Cache-Control headers that your origin adds to the files)
Cache behaviors are applied in order; if a request does not match the first path pattern, it drops down to the next path pattern. Normally the last path pattern specified is * to match all files. Because the first match wins, check the order whenever a behavior enforces signed URLs or HTTPS: a broader pattern listed earlier would serve those same paths under its own, looser settings.
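The first-match rule, and what it means for a behavior that restricts viewer access, is easy to check offline. The following is an added example, not code from the book or from CloudFront: a model of an ordered behavior list in the shape of Figure 11.1 plus a protected downloads prefix, a matcher that applies the path-pattern rules CloudFront documents ('*' matches zero or more characters, slashes included; '?' exactly one; a leading slash is optional), and a lint that reports behaviors listed after a catch-all '*' because they can never be selected. The origin names and paths are placeholders.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class CacheBehavior:
    path_pattern: str
    origin: str
    forward_query_string: bool = False
    require_signed_url: bool = False   # "restrict viewer access" setting
    https_only: bool = False           # viewer protocol policy
    default_ttl: int = 86400           # 24 hours, CloudFront's default


# Ordered as configured on the distribution; the catch-all '*' comes last.
# Origin names are placeholders for an ELB/EC2 web tier and an S3 bucket.
BEHAVIORS = [
    CacheBehavior("*.php", "dynamic-web", forward_query_string=True, default_ttl=0),
    CacheBehavior("images/*.jpg", "static-s3"),
    CacheBehavior("downloads/*", "static-s3", require_signed_url=True, https_only=True),
    CacheBehavior("*", "dynamic-web"),
]


def _pattern_to_regex(pattern):
    """Translate a CloudFront path pattern into an anchored regular expression."""
    parts = []
    for ch in pattern.lstrip("/"):
        parts.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def select_behavior(behaviors, request_path):
    """Return the first behavior whose pattern matches, in configured order."""
    path = request_path.lstrip("/")
    for behavior in behaviors:
        if _pattern_to_regex(behavior.path_pattern).match(path):
            return behavior
    raise LookupError("no behavior matched; a final '*' default is expected")


def shadowed_behaviors(behaviors):
    """Path patterns that can never be selected because a '*' precedes them."""
    for i, behavior in enumerate(behaviors):
        if behavior.path_pattern.lstrip("/") == "*":
            return [later.path_pattern for later in behaviors[i + 1:]]
    return []


def unprotected_paths(behaviors, paths):
    """Paths that resolve to a behavior without signed-URL enforcement."""
    return [p for p in paths if not select_behavior(behaviors, p).require_signed_url]


if __name__ == "__main__":
    for path in ["/index.php", "/images/hero.jpg", "/downloads/installer.zip", "/about.html"]:
        b = select_behavior(BEHAVIORS, path)
        print(f"{path:28s} -> {b.path_pattern:14s} origin={b.origin} signed={b.require_signed_url}")
    # The same list with the catch-all moved to the front: the downloads rule
    # is unreachable and the protected files become public.
    misordered = [BEHAVIORS[3]] + BEHAVIORS[:3]
    print("shadowed:", shadowed_behaviors(misordered))
    print("unprotected:", unprotected_paths(misordered, ["/downloads/installer.zip"]))
```

Running the lint against the distribution's behavior list is a cheap check to add to a deployment pipeline, since the console lets you save a misordered list without complaint.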
Whole Website
Using cache behaviors and multiple origins, you can easily use Amazon CloudFront to serve your whole website and to support different behaviors for different client devices.
Private Content
In many cases, you may want to restrict access to content in Amazon CloudFront to only selected requestors, such as paid subscribers, or to applications or users in your company network. Amazon CloudFront provides several mechanisms to allow you to serve private content. These include:
Signed URLs: Use URLs that are valid only between certain times and optionally from certain IP addresses.
Signed Cookies: Carry the same policy and signature as a signed URL in cookies, so that access to many files can be granted without changing their URLs.
Origin Access Identities (OAI): Restrict access to an Amazon S3 bucket only to a special Amazon CloudFront user associated with your distribution. This is the easiest way to ensure that content in a bucket is only accessed by Amazon CloudFront. It only works if the bucket policy grants read access to that identity alone; a bucket that is otherwise publicly readable can still be fetched directly, bypassing the signed URL or cookie checks.
Use Cases
There are several use cases where Amazon CloudFront is an excellent choice, including, but not limited to:
Serving the Static Assets of Popular Websites: Static assets such as images, CSS, and JavaScript traditionally make up the bulk of requests to typical websites. Using Amazon CloudFront will speed up the user experience and reduce load on the website itself.
Serving a Whole Website or Web Application: Amazon CloudFront can serve a whole website containing both dynamic and static content by using multiple origins, cache behaviors, and short TTLs for dynamic content.
Serving Content to Users Who Are Widely Distributed Geographically: Amazon CloudFront will improve site performance, especially for distant users, and reduce the load on your origin server.
Distributing Software or Other Large Files: Amazon CloudFront will help speed up the download of these files to end users.
Serving Streaming Media: Amazon CloudFront helps serve streaming media, such as audio and video.
There are also use cases where CloudFront is not appropriate, including:
All or Most Requests Come From a Single Location: If all or most of your requests come from a single geographic location, such as a large corporate campus, you will not take advantage of multiple edge locations.
All or Most Requests Come Through a Corporate VPN: Similarly, if your users connect via a corporate Virtual Private Network (VPN), even if they are distributed, user requests appear to CloudFront to originate from one or a few locations. These use cases will generally not see benefit from using Amazon CloudFront.
AWSStorageGatewayAWSStorageGatewayisaserviceconnectinganon-premisessoftwareappliancewithcloud-
![Page 333: Certified Solutions Architect Official Guide/AWS Certified... · Chapter 1: Introduction to AWS Chapter 2: Amazon Simple Storage Service (Amazon S3) and Amazon Glacier Storage Chapter](https://reader034.vdocuments.us/reader034/viewer/2022051812/602c405cb445ae68a568d84c/html5/thumbnails/333.jpg)
basedstoragetoprovideseamlessandsecureintegrationbetweenanorganization’son-premisesITenvironmentandAWSstorageinfrastructure.TheserviceenablesyoutostoredatasecurelyontheAWScloudinascalableandcost-effectivemanner.AWSStorageGatewaysupportsindustry-standardstorageprotocolsthatworkwithyourexistingapplications.Itprovideslow-latencyperformancebycachingfrequentlyaccesseddataon-premiseswhileencryptingandstoringallofyourdatainAmazonS3orAmazonGlacier.
Overview
AWS Storage Gateway's software appliance is available for download as a Virtual Machine (VM) image that you install on a host in your data center and then register with your AWS account through the AWS Management Console. The storage associated with the appliance is exposed as an iSCSI device that can be mounted by your on-premises applications.
There are three configurations for AWS Storage Gateway: Gateway-Cached volumes, Gateway-Stored volumes, and Gateway-Virtual Tape Libraries (VTL).
Gateway-Cached Volumes
Gateway-Cached volumes allow you to expand your local storage capacity into Amazon S3. All data stored on a Gateway-Cached volume is moved to Amazon S3, while recently read data is retained in local storage to provide low-latency access. While each volume is limited to a maximum size of 32 TB, a single gateway can support up to 32 volumes for a maximum storage of 1 PB.
Point-in-time snapshots can be taken to back up your AWS Storage Gateway. These snapshots are performed incrementally, and only the data that has changed since the last snapshot is stored.
All Gateway-Cached volume data and snapshot data is transferred to Amazon S3 over encrypted Secure Sockets Layer (SSL) connections. It is encrypted at rest in Amazon S3 using Server-Side Encryption (SSE). However, you cannot directly access this data with the Amazon S3 API or other tools such as the Amazon S3 console; instead you must access it through the AWS Storage Gateway service.
Gateway-Stored Volumes
Gateway-Stored volumes allow you to store your data on your on-premises storage and asynchronously back up that data to Amazon S3. This provides low-latency access to all data, while also providing off-site backups taking advantage of the durability of Amazon S3. The data is backed up in the form of Amazon Elastic Block Store (Amazon EBS) snapshots. While each volume is limited to a maximum size of 16 TB, a single gateway can support up to 32 volumes for a maximum storage of 512 TB.
Similar to Gateway-Cached volumes, you can take snapshots of your Gateway-Stored volumes. The gateway stores these snapshots in Amazon S3 as Amazon EBS snapshots. When you take a new snapshot, only the data that has changed since your last snapshot is stored. You can initiate snapshots on a scheduled or one-time basis. Because these snapshots are stored as Amazon EBS snapshots, you can create a new Amazon EBS volume from a Gateway-Stored volume.
All Gateway-Stored volume data and snapshot data is transferred to Amazon S3 over encrypted SSL connections. It is encrypted at rest in Amazon S3 using SSE. However, you cannot access this data with the Amazon S3 API or other tools such as the Amazon S3 console.
If your on-premises appliance or even entire data center becomes unavailable, the data in AWS Storage Gateway can still be retrieved. If it's only the appliance that is unavailable, a new appliance can be launched in the data center and attached to the existing AWS Storage Gateway. A new appliance can also be launched in another data center or even on an Amazon EC2 instance on the cloud.
Gateway Virtual Tape Libraries (VTL)
Gateway-VTL offers a durable, cost-effective solution to archive your data on the AWS cloud. The VTL interface lets you leverage your existing tape-based backup application infrastructure to store data on virtual tape cartridges that you create on your Gateway-VTL.
A virtual tape is analogous to a physical tape cartridge, except the data is stored on the AWS cloud. Tapes are created blank through the console or programmatically and then filled with backed up data. A gateway can contain up to 1,500 tapes (1 PB) of total tape data. Virtual tapes appear in your gateway's VTL, a virtualized version of a physical tape library. Virtual tapes are discovered by your backup application using its standard media inventory procedure.
When your tape software ejects a tape, it is archived on a Virtual Tape Shelf (VTS) and stored in Amazon Glacier. You're allowed 1 VTS per AWS region, but multiple gateways in the same region can share a VTS.
Use Cases
There are several use cases where AWS Storage Gateway is an excellent choice, including, but not limited to:
Gateway-Cached volumes enable you to expand local storage hardware to Amazon S3, allowing you to store much more data without drastically increasing your storage hardware or changing your storage processes.
Gateway-Stored volumes provide seamless, asynchronous, and secure backup of your on-premises storage without new processes or hardware.
Gateway-VTLs enable you to keep your current tape backup software and processes while storing your data more cost-effectively and simply on the cloud.
Security
Cloud security at AWS is the highest priority. AWS customers benefit from data centers and network architectures built to meet the requirements of the most security-sensitive organizations.
An advantage of the AWS cloud is that it allows customers to scale and innovate while maintaining a secure environment. Cloud security is much like security in your on-premises data centers, only without the costs of maintaining facilities and hardware. In the cloud, you don't have to manage physical servers or storage devices. Instead, you use software-based security tools to monitor and protect the flow of information into and out of your cloud resources.
This section will focus on four AWS services that are directly related to specific security purposes: AWS Directory Service for identity management, AWS Key Management Service (KMS) and AWS CloudHSM for key management, and AWS CloudTrail for auditing.
AWS Directory Service
AWS Directory Service is a managed service offering that provides directories that contain information about your organization, including users, groups, computers, and other resources.
Overview
You can choose from three directory types:
AWS Directory Service for Microsoft Active Directory (Enterprise Edition), also referred to as Microsoft AD
Simple AD
AD Connector
As a managed offering, AWS Directory Service is designed to reduce identity management tasks, thereby allowing you to focus more of your time and resources on your business. There is no need to build out your own complex, highly available directory topology because each directory is deployed across multiple Availability Zones, and monitoring automatically detects and replaces domain controllers that fail. In addition, data replication and automated daily snapshots are configured for you. There is no software to install, and AWS handles all of the patching and software updates.
AWS Directory Service for Microsoft Active Directory (Enterprise Edition)
AWS Directory Service for Microsoft Active Directory (Enterprise Edition) is a managed Microsoft Active Directory hosted on the AWS cloud. It provides much of the functionality offered by Microsoft Active Directory plus integration with AWS applications. With the additional Active Directory functionality, you can, for example, easily set up trust relationships with your existing Active Directory domains to extend those directories to AWS cloud services.
Simple AD
Simple AD is a Microsoft Active Directory-compatible directory from AWS Directory Service that is powered by Samba 4. Simple AD supports commonly used Active Directory features such as user accounts, group memberships, domain-joining Amazon EC2 instances running Linux and Microsoft Windows, Kerberos-based Single Sign-On (SSO), and group policies. This makes it even easier to manage Amazon EC2 instances running Linux and Windows and deploy Windows applications on the AWS cloud.
Many of the applications and tools you use today that require Microsoft Active Directory support can be used with Simple AD. User accounts in Simple AD can also access AWS applications, such as Amazon WorkSpaces, Amazon WorkDocs, or Amazon WorkMail. They can also use AWS IAM roles to access the AWS Management Console and manage AWS resources. Finally, Simple AD provides daily automated snapshots to enable point-in-time recovery.
Note that you cannot set up trust relationships between Simple AD and other Active Directory domains. Other features not supported at the time of this writing by Simple AD include DNS dynamic update, schema extensions, Multi-Factor Authentication (MFA), communication over Lightweight Directory Access Protocol (LDAP), PowerShell AD cmdlets, and the transfer of Flexible Single-Master Operations (FSMO) roles.
AD Connector
AD Connector is a proxy service for connecting your on-premises Microsoft Active Directory to the AWS cloud without requiring complex directory synchronization or the cost and complexity of hosting a federation infrastructure.
AD Connector forwards sign-in requests to your Active Directory domain controllers for authentication and provides the ability for applications to query the directory for data. After setup, your users can use their existing corporate credentials to log on to AWS applications, such as Amazon WorkSpaces, Amazon WorkDocs, or Amazon WorkMail. With the proper IAM permissions, they can also access the AWS Management Console and manage AWS resources such as Amazon EC2 instances or Amazon S3 buckets. You can also use AD Connector to enable MFA by integrating it with your existing Remote Authentication Dial-In User Service (RADIUS)-based MFA infrastructure to provide an additional layer of security when users access AWS applications.
With AD Connector, you continue to manage your Active Directory as usual. For example, adding new users, adding new groups, or updating passwords are all accomplished using standard directory administration tools with your on-premises directory. Thus, in addition to providing a streamlined experience for your users, AD Connector enables consistent enforcement of your existing security policies, such as password expiration, password history, and account lockouts, whether users are accessing resources on-premises or on the AWS cloud.
Use Cases
AWS Directory Service provides multiple ways to use Microsoft Active Directory with other AWS cloud services. You can choose the directory service with the features you need at a cost that fits your budget.
AWS Directory Service for Microsoft Active Directory (Enterprise Edition)
This Directory Service is your best choice if you have more than 5,000 users and need a trust relationship set up between an AWS-hosted directory and your on-premises directories.
Simple AD
In most cases, Simple AD is the least expensive option and your best choice if you have 5,000 or fewer users and don't need the more advanced Microsoft Active Directory features.
AD Connector
AD Connector is your best choice when you want to use your existing on-premises directory with AWS cloud services.
AWS Key Management Service (KMS) and AWS CloudHSM
Key management is the management of cryptographic keys within a cryptosystem. This includes dealing with the generation, exchange, storage, use, and replacement of keys.
Overview
AWS offers two services that provide you with the ability to manage your own symmetric or asymmetric cryptographic keys:
AWS KMS: A service enabling you to generate, store, enable/disable, and delete symmetric keys
AWS CloudHSM: A service providing you with secure cryptographic key storage by making Hardware Security Modules (HSMs) available on the AWS cloud
AWS Key Management Service (AWS KMS)
AWS KMS is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data. AWS KMS lets you create keys that can never be exported from the service and that can be used to encrypt and decrypt data based on policies you define.
By using AWS KMS, you gain more control over access to data you encrypt. You can use the key management and cryptographic features directly in your applications or through AWS cloud services that are integrated with AWS KMS. Whether you are writing applications for AWS or using AWS cloud services, AWS KMS enables you to maintain control over who can use your keys and gain access to your encrypted data.
Customer Managed Keys
AWS KMS uses a type of key called a Customer Master Key (CMK) to encrypt and decrypt data. CMKs are the fundamental resources that AWS KMS manages. They can be used inside of AWS KMS to encrypt or decrypt up to 4 KB of data directly. They can also be used to encrypt generated data keys that are then used to encrypt or decrypt larger amounts of data outside of the service. CMKs can never leave AWS KMS unencrypted, but data keys can leave the service unencrypted.
Data Keys
You use data keys to encrypt large data objects within your own application outside AWS KMS. When you call GenerateDataKey, AWS KMS returns a plaintext version of the key and ciphertext that contains the key encrypted under the specified CMK. AWS KMS tracks which CMK was used to encrypt the data key. You use the plaintext data key in your application to encrypt data, and you typically store the encrypted key alongside your encrypted data. Security best practices suggest that you should remove the plaintext key from memory as soon as is practical after use. To decrypt data in your application, pass the encrypted data key to the Decrypt function. AWS KMS uses the associated CMK to decrypt and retrieve your plaintext data key. Use the plaintext key to decrypt your data, and then remove the key from memory.
Envelope Encryption
AWS KMS uses envelope encryption to protect data. AWS KMS creates a data key, encrypts it under a CMK, and returns plaintext and encrypted versions of the data key to you. You use the plaintext key to encrypt data and store the encrypted key alongside the encrypted data. The key should be removed from memory as soon as is practical after use. You can retrieve a plaintext data key only if you have the encrypted data key and you have permission to use the corresponding master key.
Encryption Context
All AWS KMS cryptographic operations accept an optional key/value map of additional contextual information called an encryption context. The specified context must be the same for both the encrypt and decrypt operations or decryption will not succeed. The encryption context is logged, can be used for additional auditing, and is available as context in the AWS policy language for fine-grained policy-based authorization.
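The GenerateDataKey/Decrypt flow, envelope encryption, and the encryption-context check described above, as an added example that is not code from the book or from AWS: a local MasterKeyService stands in for AWS KMS (an assumption, not the real API), wraps each data key under its CMK with AES-256-GCM using the serialised context as associated data, and the application keeps only the wrapped key beside its ciphertext and zeroes the plaintext key after use.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// EncryptionContext is the optional key/value map KMS binds to a ciphertext.
type EncryptionContext map[string]string

// seal encrypts with AES-256-GCM, authenticating extra; the random nonce is prefixed.
func seal(key, plaintext, extra []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for AES's 16-byte block
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, extra), nil
}

// open reverses seal; a wrong key or different extra data fails the GCM tag check.
func open(key, sealed, extra []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block)
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], extra)
}

// MasterKeyService is a local stand-in for AWS KMS (an assumption of this
// example, not the real API): the CMK is used only here and never handed out.
type MasterKeyService struct{ cmk []byte }

func NewMasterKeyService() (*MasterKeyService, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return &MasterKeyService{cmk: k}, err
}

// GenerateDataKey mirrors the KMS call: a fresh plaintext data key plus the same key wrapped under the CMK.
func (m *MasterKeyService) GenerateDataKey(ec EncryptionContext) (plain, wrapped []byte, err error) {
	plain = make([]byte, 32)
	if _, err = rand.Read(plain); err != nil {
		return nil, nil, err
	}
	ctx, _ := json.Marshal(ec) // json.Marshal sorts map keys, so this is deterministic
	wrapped, err = seal(m.cmk, plain, ctx)
	return plain, wrapped, err
}

// Decrypt mirrors KMS Decrypt for a wrapped data key: it fails unless ec matches.
func (m *MasterKeyService) Decrypt(wrapped []byte, ec EncryptionContext) ([]byte, error) {
	ctx, _ := json.Marshal(ec)
	return open(m.cmk, wrapped, ctx)
}

// wipe zeroes a plaintext data key as soon as it is no longer needed.
func wipe(b []byte) { for i := range b { b[i] = 0 } }

// EncryptEnvelope uses the plaintext data key once and returns only the wrapped key and the ciphertext.
func EncryptEnvelope(m *MasterKeyService, plaintext []byte, ec EncryptionContext) ([]byte, []byte, error) {
	plainKey, wrappedKey, err := m.GenerateDataKey(ec)
	if err != nil {
		return nil, nil, err
	}
	defer wipe(plainKey)
	ciphertext, err := seal(plainKey, plaintext, nil)
	return wrappedKey, ciphertext, err
}

// DecryptEnvelope has the service unwrap the key (which enforces the
// context), decrypts the payload, and discards the plaintext key.
func DecryptEnvelope(m *MasterKeyService, wrappedKey, ciphertext []byte, ec EncryptionContext) ([]byte, error) {
	plainKey, err := m.Decrypt(wrappedKey, ec)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	defer wipe(plainKey)
	return open(plainKey, ciphertext, nil)
}

func main() {
	svc, _ := NewMasterKeyService()
	ctx := EncryptionContext{"app": "billing", "tenant": "acme"} // constructed sample
	wk, ct, _ := EncryptEnvelope(svc, []byte("constructed secret record"), ctx)
	pt, err := DecryptEnvelope(svc, wk, ct, ctx)
	_, badErr := DecryptEnvelope(svc, wk, ct, EncryptionContext{"tenant": "other"})
	fmt.Printf("same context: %q (%v); different context: %v\n", pt, err, badErr)
}
```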
AWS CloudHSM
AWS CloudHSM helps you meet corporate, contractual, and regulatory compliance requirements for data security by using dedicated HSM appliances within the AWS cloud. An HSM is a hardware appliance that provides secure key storage and cryptographic operations within a tamper-resistant hardware module. HSMs are designed to securely store cryptographic key material and use the key material without exposing it outside the cryptographic boundary of the appliance.
The recommended configuration for using AWS CloudHSM is to use two HSMs configured in a high-availability configuration, as illustrated in Figure 11.2.
FIGURE 11.2 High availability CloudHSM architecture
AWS CloudHSM allows you to protect your encryption keys within HSMs that are designed and validated to government standards for secure key management. You can securely generate, store, and manage the cryptographic keys used for data encryption in a way that ensures that only you have access to the keys. AWS CloudHSM helps you comply with strict key management requirements within the AWS cloud without sacrificing application performance.
Use Cases
The AWS key management services address several security needs that would require extensive effort to deploy and manage otherwise, including, but not limited to:
Scalable Symmetric Key Distribution
Symmetric encryption algorithms require that the same key be used for both encrypting and decrypting the data. This is problematic because transferring the key from the sender to the receiver must be done either through a known secure channel or some "out of band" process.
Government-Validated Cryptography
Certain types of data (for example, Payment Card Industry—PCI—or health information records) must be protected with cryptography that has been validated by an outside party as conforming to the algorithm(s) asserted by the claiming party.
AWS CloudTrail
AWS CloudTrail provides visibility into user activity by recording API calls made on your account. AWS CloudTrail records important information about each API call, including the name of the API, the identity of the caller, the time of the API call, the request parameters, and the response elements returned by the AWS service. This information helps you to track changes made to your AWS resources and to troubleshoot operational issues. AWS CloudTrail makes it easier to ensure compliance with internal policies and regulatory standards.
Overview
AWS CloudTrail captures AWS API calls and related events made by or on behalf of an AWS account and delivers log files to an Amazon S3 bucket that you specify. Optionally, you can configure AWS CloudTrail to deliver events to a log group monitored by Amazon CloudWatch Logs. You can also choose to receive Amazon Simple Notification Service (Amazon SNS) notifications each time a log file is delivered to your bucket. You can create a trail with the AWS CloudTrail console, the AWS Command Line Interface (CLI), or the AWS CloudTrail API. A trail is a configuration that enables logging of the AWS API activity and related events in your account.
You can create two types of trails:
A Trail That Applies to All Regions
When you create a trail that applies to all AWS regions, AWS CloudTrail creates the same trail in each region, records the log files in each region, and delivers the log files to the single Amazon S3 bucket (and optionally to the Amazon CloudWatch Logs log group) that you specify. This is the default option when you create a trail using the AWS CloudTrail console. If you choose to receive Amazon SNS notifications for log file deliveries, one Amazon SNS topic will suffice for all regions. If you choose to have AWS CloudTrail send events from a trail that applies to all regions to an Amazon CloudWatch Logs log group, events from all regions will be sent to the single log group.
A Trail That Applies to One Region
You specify a bucket that receives events only from that region. The bucket can be in any region that you specify. If you create additional individual trails that apply to specific regions, you can have those trails deliver event logs to a single Amazon S3 bucket.
By default, your log files are encrypted using Amazon S3 SSE. You can store your log files in your bucket for as long as you want, but you can also define Amazon S3 lifecycle rules to archive or delete log files automatically.
AWS CloudTrail typically delivers log files within 15 minutes of an API call. In addition, the service publishes new log files multiple times an hour, usually about every five minutes. These log files contain API calls from all of the account's services that support AWS CloudTrail.
Enable AWS CloudTrail on all of your AWS accounts. Instead of configuring a trail for one region, you should enable trails for all regions.
Use Cases
AWS CloudTrail is beneficial for several use cases:
External Compliance Audits
Your business must demonstrate compliance to a set of regulations pertinent to some or all data being transmitted, processed, and stored within your AWS accounts. Events from AWS CloudTrail can be used to show the degree to which you are compliant with the regulations.
Unauthorized Access to Your AWS Account
AWS CloudTrail records all sign-on attempts to your AWS account, including AWS Management Console login attempts, AWS Software Development Kit (SDK) API calls, and AWS CLI API calls. Routine examination of AWS CloudTrail events will provide the needed information to determine if your AWS account is being targeted for unauthorized access.
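The routine examination of sign-on events described above, as an added example that is not from the book: this Go program reads a CloudTrail log file (the {"Records":[...]} layout and the signin.amazonaws.com ConsoleLogin fields are the real CloudTrail format; the events themselves are constructed), keeps only console sign-in events, and reports source addresses whose failures reach a threshold inside a sliding time window, also noting whether a later Success from the same address used MFA.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"time"
)

// Record carries only the CloudTrail fields this detector reads; the decoder ignores the rest.
type Record struct {
	EventTime       time.Time `json:"eventTime"`
	EventSource     string    `json:"eventSource"`
	EventName       string    `json:"eventName"`
	SourceIPAddress string    `json:"sourceIPAddress"`
	UserIdentity    struct {
		UserName string `json:"userName"`
	} `json:"userIdentity"`
	ResponseElements    map[string]interface{} `json:"responseElements"`
	AdditionalEventData map[string]interface{} `json:"additionalEventData"`
}

// Finding describes one source address whose failed console sign-ins reached the threshold.
type Finding struct {
	SourceIP     string
	User         string // user name on the most recent failure
	Failures     int    // most failures seen in any single window
	SuccessAfter bool   // a Success followed recent failures from this address
	MFAUsed      string // additionalEventData.MFAUsed on that success
}

// Analyze parses a CloudTrail log file ({"Records":[...]}) and reports source
// addresses with at least threshold failed ConsoleLogin events within window.
func Analyze(logFile []byte, threshold int, window time.Duration) ([]Finding, error) {
	var file struct{ Records []Record }
	if err := json.Unmarshal(logFile, &file); err != nil {
		return nil, err
	}
	byIP := map[string][]Record{}
	for _, r := range file.Records {
		if r.EventSource == "signin.amazonaws.com" && r.EventName == "ConsoleLogin" {
			byIP[r.SourceIPAddress] = append(byIP[r.SourceIPAddress], r)
		}
	}
	var findings []Finding
	for ip, evs := range byIP {
		sort.Slice(evs, func(i, j int) bool { return evs[i].EventTime.Before(evs[j].EventTime) })
		f := Finding{SourceIP: ip}
		var recent []time.Time // failure times still inside the sliding window
		for _, e := range evs {
			outcome, _ := e.ResponseElements["ConsoleLogin"].(string)
			switch outcome {
			case "Failure":
				recent = append(recent, e.EventTime)
				f.User = e.UserIdentity.UserName
				start := 0 // drop failures older than window before this one
				for recent[start].Before(e.EventTime.Add(-window)) {
					start++
				}
				recent = recent[start:]
				if len(recent) > f.Failures {
					f.Failures = len(recent)
				}
			case "Success":
				if len(recent) > 0 {
					f.SuccessAfter = true
					f.MFAUsed, _ = e.AdditionalEventData["MFAUsed"].(string)
				}
			}
		}
		if f.Failures >= threshold {
			findings = append(findings, f)
		}
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].SourceIP < findings[j].SourceIP })
	return findings, nil
}

// SampleLog is a constructed CloudTrail file for this example, not real account data.
const SampleLog = `{"Records":[
{"eventTime":"2017-03-01T10:00:05Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"IAMUser","userName":"alice"},"responseElements":{"ConsoleLogin":"Failure"},"errorMessage":"Failed authentication"},
{"eventTime":"2017-03-01T10:00:40Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"IAMUser","userName":"alice"},"responseElements":{"ConsoleLogin":"Failure"},"errorMessage":"Failed authentication"},
{"eventTime":"2017-03-01T10:01:15Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"IAMUser","userName":"alice"},"responseElements":{"ConsoleLogin":"Failure"},"errorMessage":"Failed authentication"},
{"eventTime":"2017-03-01T10:02:00Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"IAMUser","userName":"alice"},"responseElements":{"ConsoleLogin":"Failure"},"errorMessage":"Failed authentication"},
{"eventTime":"2017-03-01T10:02:30Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"IAMUser","userName":"alice"},"responseElements":{"ConsoleLogin":"Success"},"additionalEventData":{"MFAUsed":"No","LoginTo":"https://console.aws.amazon.com/"}},
{"eventTime":"2017-03-01T10:05:00Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","sourceIPAddress":"203.0.113.5","userIdentity":{"type":"IAMUser","userName":"bob"},"responseElements":{"ConsoleLogin":"Failure"},"errorMessage":"Failed authentication"},
{"eventTime":"2017-03-01T10:06:00Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","sourceIPAddress":"203.0.113.5","userIdentity":{"type":"IAMUser","userName":"bob"},"responseElements":null}
]}`

func main() {
	findings, err := Analyze([]byte(SampleLog), 3, 10*time.Minute)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s: %d failures (last user %s); success after failures=%v MFAUsed=%q\n", f.SourceIP, f.Failures, f.User, f.SuccessAfter, f.MFAUsed)
	}
}
```

On the constructed sample this reports 198.51.100.7 with four failures against alice followed by a Success without MFA, while bob's single failure stays below the threshold.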
Analytics
Analytics, and the associated big data that it requires, presents a unique list of challenges to a Solutions Architect. The big data must be ingested at a very high rate, stored in very high volume, and processed with a tremendous amount of compute. Often, the need to perform analytics on the big data is sporadic, with a great deal of compute infrastructure needed regularly for very small time periods. The cloud, with its easy access to compute and nearly limitless storage capacity, is ideally suited to address these analytics challenges. This section covers several AWS cloud services that will help you address analytics and big data issues on the exam.
Amazon Kinesis
Amazon Kinesis is a platform for handling massive streaming data on AWS, offering powerful services to make it easy to load and analyze streaming data and also providing the ability for you to build custom streaming data applications for specialized needs.
Overview
Amazon Kinesis is a streaming data platform consisting of three services addressing different real-time streaming data challenges:
Amazon Kinesis Firehose: A service enabling you to load massive volumes of streaming data into AWS
Amazon Kinesis Streams: A service enabling you to build custom applications for more complex analysis of streaming data in real time
Amazon Kinesis Analytics: A service enabling you to easily analyze streaming data in real time with standard SQL
Each of these services can scale to handle virtually limitless data streams.
Amazon Kinesis Firehose
Amazon Kinesis Firehose receives stream data and stores it in Amazon S3, Amazon Redshift, or Amazon Elasticsearch. You do not need to write any code; just create a delivery stream and configure the destination for your data. Clients write data to the stream using an AWS API call and the data is automatically sent to the proper destination. The various destination options are shown in Figure 11.3.
FIGURE 11.3 Amazon Kinesis Firehose
When configured to save a stream to Amazon S3, Amazon Kinesis Firehose sends the data directly to Amazon S3. For an Amazon Redshift destination, the data is first written to Amazon S3, and then an Amazon Redshift COPY command is executed to load the data into Amazon Redshift. Amazon Kinesis Firehose can also write data out to Amazon Elasticsearch, with the option to back the data up concurrently to Amazon S3.
Amazon Kinesis Streams
Amazon Kinesis Streams enable you to collect and process large streams of data records in real time. Using AWS SDKs, you can create an Amazon Kinesis Streams application that processes the data as it moves through the stream. Because response time for data intake and processing is in near real time, the processing is typically lightweight. Amazon Kinesis Streams can scale to support nearly limitless data streams by distributing incoming data across a number of shards. If any shard becomes too busy, it can be further divided into more shards to distribute the load further. The processing is then executed on consumers, which read data from the shards and run the Amazon Kinesis Streams application. This architecture is shown in Figure 11.4.
FIGURE 11.4 Amazon Kinesis Streams
Amazon Kinesis Analytics
At the time of this writing, Amazon Kinesis Analytics has been announced but not yet released.
Use Cases
The Amazon Kinesis services support many strategic workloads that would otherwise require extensive effort to deploy and manage, including, but not limited to:
Data Ingestion
The first challenge with a huge stream of data is accepting it reliably. Whether it is user data from highly trafficked websites, input data from thousands of monitoring devices, or any other sources of huge streams, Amazon Kinesis Firehose is an excellent choice to ensure that all of your data is successfully stored in your AWS infrastructure.
Real-Time Processing of Massive Data Streams
Companies often need to act on knowledge gleaned from a big data stream right away, whether to feed a dashboard application, alter advertising strategies based on social media trends, allocate assets based on real-time situations, or a host of other scenarios. Amazon Kinesis Streams enables you to gather this knowledge from the data in your stream on a real-time basis.
It's good to remember that while Amazon Kinesis is ideally suited for ingesting and processing streams of data, it is less appropriate for batch jobs such as nightly Extract, Transform, Load (ETL) processes. For those types of workloads, consider AWS Data Pipeline, which is described later in this chapter.
Amazon Elastic MapReduce (Amazon EMR)
Amazon Elastic MapReduce (Amazon EMR) provides you with a fully managed, on-demand Hadoop framework. Amazon EMR reduces the complexity and up-front costs of setting up Hadoop and, combined with the scale of AWS, gives you the ability to spin up large Hadoop clusters instantly and start processing within minutes.
Overview
When you launch an Amazon EMR cluster, you specify several options, the most important being:
The instance type of the nodes in your cluster
The number of nodes in your cluster
The version of Hadoop you want to run (Amazon EMR supports several recent versions of Apache Hadoop, and also several versions of MapR Hadoop.)
Additional tools or applications like Hive, Pig, Spark, or Presto
There are two types of storage that can be used with Amazon EMR:
Hadoop Distributed File System (HDFS)
HDFS is the standard file system that comes with Hadoop. All data is replicated across multiple instances to ensure durability. Amazon EMR can use Amazon EC2 instance storage or Amazon EBS for HDFS. When a cluster is shut down, instance storage is lost and the data does not persist. HDFS can also make use of Amazon EBS storage, trading in the cost effectiveness of instance storage for the ability to shut down a cluster without losing data.
EMR File System (EMRFS)
EMRFS is an implementation of HDFS that allows clusters to store data on Amazon S3. EMRFS allows you to get the durability and low cost of Amazon S3 while preserving your data even if the cluster is shut down.
A key factor driving the type of storage a cluster uses is whether the cluster is persistent or transient. A persistent cluster continues to run 24×7 after it is launched. Persistent clusters are appropriate when continuous analysis is going to be run on the data. For persistent clusters, HDFS is a common choice. Persistent clusters take advantage of the low latency of HDFS, especially on instance storage, because constant operation means no data is lost by shutting down a cluster. In other situations, big data workloads are frequently run inconsistently, and it can be cost-effective to turn the cluster off when not in use. Clusters that are started when needed and then immediately stopped when done are called transient clusters. EMRFS is well suited for transient clusters, as the data persists independent of the lifetime of the cluster. You can also choose to use a combination of local HDFS and EMRFS to meet your workload needs.
Because Amazon EMR is an instance of Apache Hadoop, you can use the extensive ecosystem of tools that work on top of Hadoop, such as Hive, Pig, and Spark. Many of these tools are natively supported and can be included automatically when you launch your cluster, while others can be installed through bootstrap actions.
Use Cases
Amazon EMR is well suited for a large number of use cases, including, but not limited to:
Log Processing
Amazon EMR can be used to process logs generated by web and mobile applications. Amazon EMR helps customers turn petabytes of unstructured or semi-structured data into useful insights about their applications or users.
Clickstream Analysis
Amazon EMR can be used to analyze clickstream data in order to segment users and understand user preferences. Advertisers can also analyze clickstreams and advertising impression logs to deliver more effective ads.
Genomics and Life Sciences
Amazon EMR can be used to process vast amounts of genomic data and other large scientific data sets quickly and efficiently. Processes that require years of compute can be completed in a day when scaled across large clusters.
AWS Data Pipeline
AWS Data Pipeline is a web service that helps you reliably process and move data between different AWS compute and storage services, and also on-premises data sources, at specified intervals. With AWS Data Pipeline, you can regularly access your data where it's stored, transform and process it at scale, and efficiently transfer the results to AWS services such as Amazon S3, Amazon Relational Database Service (Amazon RDS), Amazon DynamoDB, and Amazon EMR.
Overview
Everything in AWS Data Pipeline starts with the pipeline itself. A pipeline schedules and runs tasks according to the pipeline definition. The scheduling is flexible and can run every 15 minutes, every day, every week, and so forth.
The pipeline interacts with data stored in data nodes. Data nodes are locations where the pipeline reads input data or writes output data, such as Amazon S3, a MySQL database, or an Amazon Redshift cluster. Data nodes can be on AWS or on your premises.
The pipeline will execute activities that represent common scenarios, such as moving data from one location to another, running Hive queries, and so forth. Activities may require additional resources to run, such as an Amazon EMR cluster or an Amazon EC2 instance. In these situations, AWS Data Pipeline will automatically launch the required resources and tear them down when the activity is completed.
Distributed data flows often have dependencies; just because an activity is scheduled to run does not mean that there is data waiting to be processed. For situations like this, AWS Data Pipeline supports preconditions, which are conditional statements that must be true before an activity can run. These include scenarios such as whether an Amazon S3 key is present, whether an Amazon DynamoDB table contains any data, and so forth.
If an activity fails, retry is automatic. The activity will continue to retry up to the limit you configure. You can define actions to take in the event that the activity reaches that limit without succeeding.
Use Cases
AWS Data Pipeline can be used for virtually any batch mode ETL process. A simple example is shown in Figure 11.5.
FIGURE 11.5 Example pipeline
The pipeline in Figure 11.5 is performing the following workflow:
Every hour an activity begins to extract log data from on-premises storage to Amazon S3. A precondition checks that there is data to be transferred before actually starting the activity.
The next activity launches a transient Amazon EMR cluster that uses the extracted data set as input, validates and transforms it, and then outputs the data to an Amazon S3 bucket.
The final activity moves the transformed data from Amazon S3 to Amazon Redshift via an Amazon Redshift COPY command.
AWS Data Pipeline is best for regular batch processes instead of for continuous data streams; use Amazon Kinesis for data streams.
AWS Import/Export
One key challenge of big data on the AWS cloud is getting huge data sets to the cloud in the first place, or retrieving them back to on-premises when necessary. Regardless of how much bandwidth you configure out of your data center, there are times when there is more data to transfer than can move over the connection in a reasonable period of time. AWS Import/Export is a service that accelerates transferring large amounts of data into and out of AWS using physical storage appliances, bypassing the Internet. The data is copied to a device at the source (your data center or an AWS region), shipped via standard shipping mechanisms, and then copied to the destination (your data center or an AWS region).
Overview
AWS Import/Export has two features that support shipping data into and out of your AWS infrastructure: AWS Import/Export Snowball (AWS Snowball) and AWS Import/Export Disk.
AWS Snowball
AWS Snowball uses Amazon-provided shippable storage appliances shipped through UPS. Each AWS Snowball is protected by AWS KMS and made physically rugged to secure and protect your data while the device is in transit. At the time of this writing, AWS Snowballs come in two sizes: 50 TB and 80 TB, and the availability of each varies by region.
AWS Snowball provides the following features:
You can import and export data between your on-premises data storage locations and Amazon S3.
Encryption is enforced, protecting your data at rest and in physical transit.
You don't have to buy or maintain your own hardware devices.
You can manage your jobs through the AWS Snowball console.
The AWS Snowball is its own shipping container, and the shipping label is an E Ink display that automatically shows the correct address when the AWS Snowball is ready to ship. You can drop it off with UPS, no box required.
With AWS Snowball, you can import or export terabytes or even petabytes of data.
AWS Import/Export Disk
AWS Import/Export Disk supports transferring data directly onto and off of storage devices you own using the Amazon high-speed internal network.
Important things to understand about AWS Import/Export Disk include:
You can import your data into Amazon Glacier and Amazon EBS, in addition to Amazon S3.
You can export data from Amazon S3.
Encryption is optional and not enforced.
You buy and maintain your own hardware devices.
You can't manage your jobs through the AWS Snowball console.
Unlike AWS Snowball, AWS Import/Export Disk has an upper limit of 16 TB.
Use Cases
AWS Import/Export can be used for just about any situation where you have more data to move than you can get through your Internet connection in a reasonable time, including, but not limited to:
Storage Migration: When companies shut down a data center, they often need to move massive amounts of storage to another location. AWS Import/Export is a suitable technology for this requirement.
Migrating Applications: Migrating an application to the cloud often involves moving huge amounts of data. This can be accelerated using AWS Import/Export.
DevOps
As organizations created increasingly complex software applications, IT development teams evolved their software creation practices for more flexibility, moving from waterfall models to agile or lean development practices. This change also propagated to operations teams, which blurred the lines between traditional development and operations teams. AWS provides a flexible environment that facilitated the successes of organizations like Netflix, Airbnb, General Electric, and many others that embraced DevOps. This section reviews elements of AWS cloud services that support DevOps practices.
AWS OpsWorks
AWS OpsWorks is a configuration management service that helps you configure and operate applications using Chef. AWS OpsWorks will work with applications of any level of complexity and is independent of any particular architectural pattern. You can define an application's architecture and the specification of each component, including package installation, software configuration, and resources such as storage.
AWS OpsWorks supports both Linux and Windows servers, including existing Amazon EC2 instances or servers running in your own data center. This allows organizations to use a single configuration management service to deploy and operate applications across hybrid architectures.
Overview
Many solutions on AWS involve groups of resources, such as Amazon EC2 instances and Amazon RDS instances, which must be created and managed collectively. For example, these architectures typically require application servers, database servers, load balancers, and so on. This group of resources is typically called a stack. A simple application server stack might be arranged something like in Figure 11.6.
FIGURE 11.6 Simple application server stack
In addition to creating the instances and installing the necessary packages, you typically need a way to distribute applications to the application servers, monitor the stack's performance, manage security and permissions, and so on. AWS OpsWorks provides a simple and flexible way to create and manage stacks and applications. Figure 11.7 depicts how a simple application server stack might look with AWS OpsWorks. Although relatively simple, this stack shows the key AWS OpsWorks features.
FIGURE 11.7 Simple application server stack with AWS OpsWorks
The stack is the core AWS OpsWorks component. It is basically a container for AWS resources—Amazon EC2 instances, Amazon RDS database instances, and so on—that have a common purpose and make sense to be logically managed together. The stack helps you manage these resources as a group and defines some default configuration settings, such as the Amazon EC2 instances' operating system and AWS region. If you want to isolate some stack components from direct user interaction, you can run the stack in an Amazon Virtual Private Cloud (Amazon VPC). Each stack lets you grant users permission to access the stack and specify what actions they can take.
You can use AWS OpsWorks or IAM to manage user permissions. Note that the two options are not mutually exclusive; it is sometimes desirable to use both.
You define the elements of a stack by adding one or more layers. A layer represents a set of resources that serve a particular purpose, such as load balancing, web applications, or hosting a database server. You can customize or extend layers by modifying the default configurations or adding Chef recipes to perform tasks such as installing additional packages. Layers give you complete control over which packages are installed, how they are configured, how applications are deployed, and more.
Layers depend on Chef recipes to handle tasks such as installing packages on instances, deploying applications, and running scripts. One of the key AWS OpsWorks features is a set of lifecycle events that automatically run a specified set of recipes at the appropriate time on each instance.
An instance represents a single computing resource, such as an Amazon EC2 instance. It defines the resource's basic configuration, such as operating system and size. Other configuration settings, such as Elastic IP addresses or Amazon EBS volumes, are defined by the instance's layers. The layer's recipes complete the configuration by performing tasks, such as installing and configuring packages and deploying applications.
You store applications and related files in a repository, such as an Amazon S3 bucket or Git repo. Each application is represented by an app, which specifies the application type and contains the information that is needed to deploy the application from the repository to your instances, such as the repository URL and password. When you deploy an app, AWS OpsWorks triggers a Deploy event, which runs the Deploy recipes on the stack's instances.
Using the concepts of stacks, layers, and apps, you can model and visualize your application and resources in an organized fashion.
Finally, AWS OpsWorks sends all of your resource metrics to Amazon CloudWatch, making it easy to view graphs and set alarms to help you troubleshoot and take automated action based on the state of your resources. AWS OpsWorks provides many custom metrics, such as CPU idle, memory total, average load for one minute, and more. Each instance in the stack has detailed monitoring to provide insights into your workload.
Use Cases
AWS OpsWorks supports many DevOps efforts, including, but not limited to:
Host Multi-Tier Web Applications: AWS OpsWorks lets you model and visualize your application with layers that define how to configure a set of resources that are managed together. Because AWS OpsWorks uses the Chef framework, you can bring your own recipes or leverage hundreds of community-built configurations.
Support Continuous Integration: AWS OpsWorks supports DevOps principles, such as continuous integration. Everything in your environment can be automated.
AWS CloudFormation
AWS CloudFormation is a service that helps you model and set up your AWS resources so that you can spend less time managing those resources and more time focusing on your applications that run in AWS. AWS CloudFormation allows organizations to deploy, modify, and update resources in a controlled and predictable way, in effect applying version control to AWS infrastructure the same way one would do with software.
Overview
AWS CloudFormation gives developers and systems administrators an easy way to create and manage a collection of related AWS resources, provisioning and updating them in an orderly and predictable fashion. When you use AWS CloudFormation, you work with templates and stacks.
You create AWS CloudFormation templates to define your AWS resources and their properties. A template is a text file whose format complies with the JSON standard (YAML templates are also accepted). AWS CloudFormation uses these templates as blueprints for building your AWS resources.
When you use AWS CloudFormation, you can reuse your template to set up your resources consistently and repeatedly. Just describe your resources once, and then provision the same resources over and over in multiple regions.
When you use AWS CloudFormation, you manage related resources as a single unit called a stack. You create, update, and delete a collection of resources by creating, updating, and deleting stacks. All of the resources in a stack are defined by the stack's AWS CloudFormation template. Suppose you created a template that includes an Auto Scaling group, an Elastic Load Balancing load balancer, and an Amazon RDS database instance. To create those resources, you create a stack by submitting your template that defines those resources, and AWS CloudFormation handles all of the provisioning for you. After all of the resources have been created, AWS CloudFormation reports that your stack has been created. You can then start using the resources in your stack. If stack creation fails, AWS CloudFormation rolls back your changes by deleting the resources that it created.
Often you will need to launch stacks from the same template, but with minor variations, such as within a different Amazon VPC or using AMIs from a different region. These variations can be addressed using parameters. You can use parameters to customize aspects of your template at runtime, when the stack is built. For example, you can pass the Amazon RDS database size, Amazon EC2 instance types, and database and web server port numbers to AWS CloudFormation when you create a stack. By leveraging template parameters, you can use a single template for many infrastructure deployments with different configuration values. For example, your Amazon EC2 instance types, Amazon CloudWatch alarm thresholds, and Amazon RDS read-replica settings may differ among AWS regions if you receive more customer traffic in the United States than in Europe. You can use template parameters to tune the settings and thresholds in each region separately and still be sure that the application is deployed consistently across the regions.
Figure 11.8 depicts the AWS CloudFormation workflow for creating stacks.
FIGURE 11.8 Creating a stack workflow
Because environments are dynamic in nature, you inevitably will need to update your stack's resources from time to time. There is no need to create a new stack and delete the old one; you can simply modify the existing stack's template. To update a stack, create a change set by submitting a modified version of the original stack template, different input parameter values, or both. AWS CloudFormation compares the modified template with the original template and generates a change set. The change set lists the proposed changes. After reviewing the changes, you can execute the change set to update your stack. Figure 11.9 depicts the workflow for updating a stack.
FIGURE 11.9 Updating a stack workflow
When the time comes and you need to delete a stack, AWS CloudFormation deletes the stack and all of the resources in that stack.
If you want to delete a stack but still retain some resources in that stack, you can use a deletion policy to retain those resources. If a resource has no deletion policy, AWS CloudFormation deletes the resource by default.
After all of the resources have been deleted, AWS CloudFormation signals that your stack has been successfully deleted. If AWS CloudFormation cannot delete a resource, the stack will not be deleted. Any resources that haven't been deleted will remain until you can successfully delete the stack.
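The following Python is an added example, not code from the book or from AWS, that models the three mechanics just described on a constructed template: parameter validation when a stack is created, the change set CloudFormation derives by comparing the original and modified templates after parameters are applied, and the DeletionPolicy decision when a stack is deleted. The template, the parameter values and the placeholder AMI ID are assumptions for the illustration; the real service computes change sets at property level and knows which property changes force a replacement, which this model does not attempt.

```python
import copy
import json

# Constructed example template (an assumption for this illustration, not from the book):
# the Auto Scaling group, load balancer and RDS instance the chapter uses as its example
# stack. "ami-00000000" is a placeholder AMI ID.
TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Parameters": {
        "InstanceType": {"Type": "String", "Default": "t2.micro",
                         "AllowedValues": ["t2.micro", "t2.small", "m4.large"]},
        "DBAllocatedStorage": {"Type": "Number", "Default": 20,
                               "MinValue": 20, "MaxValue": 1000},
    },
    "Resources": {
        "WebLaunchConfig": {
            "Type": "AWS::AutoScaling::LaunchConfiguration",
            "Properties": {"ImageId": "ami-00000000",
                           "InstanceType": {"Ref": "InstanceType"}},
        },
        "WebServerGroup": {
            "Type": "AWS::AutoScaling::AutoScalingGroup",
            "Properties": {"LaunchConfigurationName": {"Ref": "WebLaunchConfig"},
                           "MinSize": "1", "MaxSize": "3",
                           "LoadBalancerNames": [{"Ref": "LoadBalancer"}]},
        },
        "LoadBalancer": {
            "Type": "AWS::ElasticLoadBalancing::LoadBalancer",
            "Properties": {"Listeners": [{"LoadBalancerPort": "80", "InstancePort": "80",
                                          "Protocol": "HTTP"}]},
        },
        "Database": {
            "Type": "AWS::RDS::DBInstance",
            "DeletionPolicy": "Snapshot",  # take a final snapshot instead of dropping the data
            "Properties": {"Engine": "mysql",
                           "AllocatedStorage": {"Ref": "DBAllocatedStorage"}},
        },
    },
}

# A modified copy of the same template, as an operator would submit for a change set:
# it adds an SNS topic for alarm notifications and changes nothing else.
NEW_TEMPLATE = copy.deepcopy(TEMPLATE)
NEW_TEMPLATE["Resources"]["AlarmTopic"] = {"Type": "AWS::SNS::Topic", "Properties": {}}


def resolve_parameters(template, supplied):
    """Validate the values supplied at stack creation against the template's Parameters
    section (Default, AllowedValues, MinValue/MaxValue) and return the effective values."""
    declared = template.get("Parameters", {})
    unknown = set(supplied) - set(declared)
    if unknown:
        raise ValueError(f"parameters not declared in template: {sorted(unknown)}")
    resolved = {}
    for name, spec in declared.items():
        if name in supplied:
            value = supplied[name]
        elif "Default" in spec:
            value = spec["Default"]
        else:
            raise ValueError(f"parameter {name} has no value and no default")
        if spec["Type"] == "Number":
            value = float(value)
            if value < spec.get("MinValue", value) or value > spec.get("MaxValue", value):
                raise ValueError(f"parameter {name}={value} is outside its allowed range")
        if "AllowedValues" in spec and value not in spec["AllowedValues"]:
            raise ValueError(f"parameter {name}={value!r} is not one of {spec['AllowedValues']}")
        resolved[name] = value
    return resolved


def render(template, params):
    """Return the Resources section with every {"Ref": <parameter>} replaced by its value.
    Refs to other resources are left alone; CloudFormation resolves those at provisioning."""
    def walk(node):
        if isinstance(node, dict):
            if set(node) == {"Ref"} and node["Ref"] in params:
                return params[node["Ref"]]
            return {key: walk(value) for key, value in node.items()}
        if isinstance(node, list):
            return [walk(item) for item in node]
        return node
    return walk(copy.deepcopy(template["Resources"]))


def change_set(old_template, old_params, new_template, new_params):
    """List the proposed changes the way a change set does: one Add, Remove or Modify
    entry per logical resource, computed after both parameter sets have been applied."""
    before = render(old_template, resolve_parameters(old_template, old_params))
    after = render(new_template, resolve_parameters(new_template, new_params))
    changes = []
    for logical_id in sorted(set(before) | set(after)):
        if logical_id not in before:
            changes.append({"Action": "Add", "LogicalResourceId": logical_id,
                            "ResourceType": after[logical_id]["Type"]})
        elif logical_id not in after:
            changes.append({"Action": "Remove", "LogicalResourceId": logical_id,
                            "ResourceType": before[logical_id]["Type"]})
        elif before[logical_id] != after[logical_id]:
            old_props = before[logical_id].get("Properties", {})
            new_props = after[logical_id].get("Properties", {})
            changed = sorted(key for key in set(old_props) | set(new_props)
                             if old_props.get(key) != new_props.get(key))
            changes.append({"Action": "Modify", "LogicalResourceId": logical_id,
                            "ResourceType": after[logical_id]["Type"],
                            "ChangedProperties": changed})
    return changes


def retained_on_delete(template):
    """Logical IDs whose DeletionPolicy keeps something behind when the stack is deleted.
    A resource with no DeletionPolicy is deleted, which is CloudFormation's default."""
    return {logical_id: resource["DeletionPolicy"]
            for logical_id, resource in template["Resources"].items()
            if resource.get("DeletionPolicy", "Delete") != "Delete"}


if __name__ == "__main__":
    proposed = change_set(TEMPLATE, {}, NEW_TEMPLATE, {"InstanceType": "m4.large"})
    print(json.dumps(proposed, indent=2))
    print("retained on delete:", retained_on_delete(TEMPLATE))
```

Run as a script it prints the change set for swapping the instance type and adding the SNS topic; the Database entry is the one resource a delete-stack call leaves behind, as a final snapshot. Rejecting undeclared parameters and out-of-range values before anything is provisioned is the same fail-early behaviour the service gives you, and it is why the rollback on a failed create is rarely needed for parameter mistakes.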
Use Cases
By allowing you to replicate your entire infrastructure stack easily and quickly, AWS CloudFormation enables a variety of use cases, including, but not limited to:
Quickly Launch New Test Environments: AWS CloudFormation lets testing teams quickly create a clean environment to run tests without disturbing ongoing efforts in other environments.
Reliably Replicate Configuration Between Environments: Because AWS CloudFormation scripts the entire environment, the manual steps, and the human error they invite, are removed from creating new stacks.
Launch Applications in New AWS Regions: A single script can be used across multiple regions to launch stacks reliably in different markets.
AWS Elastic Beanstalk
AWS Elastic Beanstalk is the fastest and simplest way to get an application up and running on AWS. Developers can simply upload their application code, and the service automatically handles all of the details, such as resource provisioning, load balancing, Auto Scaling, and monitoring.
Overview
AWS comprises dozens of building block services, each of which exposes an area of functionality. While the variety of services offers flexibility for how organizations want to manage their AWS infrastructure, it can be challenging to figure out which services to use and how to provision them. With AWS Elastic Beanstalk, you can quickly deploy and manage applications on the AWS cloud without worrying about the infrastructure that runs those applications. AWS Elastic Beanstalk reduces management complexity without restricting choice or control.
There are key components that comprise AWS Elastic Beanstalk and work together to provide the necessary services to deploy and manage applications easily in the cloud. An AWS Elastic Beanstalk application is the logical collection of these AWS Elastic Beanstalk components, which includes environments, versions, and environment configurations. In AWS Elastic Beanstalk, an application is conceptually similar to a folder.
An application version refers to a specific, labeled iteration of deployable code for a web application. An application version points to an Amazon S3 object that contains the deployable code. Applications can have many versions and each application version is unique. In a running environment, organizations can deploy any application version they already uploaded to the application, or they can upload and immediately deploy a new application version. Organizations might upload multiple application versions to test differences between one version of their web application and another.
An environment is an application version that is deployed onto AWS resources. Each environment runs only a single application version at a time; however, the same version or different versions can run in as many environments at the same time as needed. When an environment is created, AWS Elastic Beanstalk provisions the resources needed to run the application version that is specified.
An environment configuration identifies a collection of parameters and settings that define how an environment and its associated resources behave. When an environment's configuration settings are updated, AWS Elastic Beanstalk automatically applies the changes to existing resources or deletes and deploys new resources depending on the type of change.
When an AWS Elastic Beanstalk environment is launched, the environment tier, platform, and environment type are specified. The environment tier that is chosen determines whether AWS Elastic Beanstalk provisions resources to support a web application that handles HTTP(S) requests or an application that handles background-processing tasks. An environment tier whose web application processes web requests is known as a web server tier. An environment tier whose application runs background jobs is known as a worker tier.
At the time of this writing, AWS Elastic Beanstalk provides platform support for the programming languages Java, Node.js, PHP, Python, Ruby, and Go, with support for the web containers Tomcat, Passenger, and Puma, as well as Docker containers.
Use Cases
A company provides a website for prospective home buyers, sellers, and renters to browse home and apartment listings for more than 110 million homes. The website processes more than three million new images daily. It receives more than 17,000 image requests per second on its website during peak traffic from both desktop and mobile clients.
The company was looking for ways to be more agile with deployments and empower its developers to focus more on writing code instead of spending time managing and configuring servers, databases, load balancers, firewalls, and networks. It began using AWS Elastic Beanstalk as the service for deploying and scaling the web applications and services. Developers were empowered to upload code to AWS Elastic Beanstalk, which then automatically handled the deployment, from capacity provisioning, load balancing, and Auto Scaling, to application health monitoring.
Because the company ingests data in a haphazard way, running feeds that dump a ton of work into the image processing system all at once, it needs to scale up its image converter fleet to meet peak demand. The company determined that an AWS Elastic Beanstalk worker fleet to run a Python Imaging Library with custom code was the simplest way to meet the requirement. This eliminated the need to have a number of static instances or, worse, trying to write their own Auto Scaling configuration.
By making the move to AWS Elastic Beanstalk, the company was able to reduce operating costs while increasing agility and scalability for its image processing and delivery system.
Key Features
AWS Elastic Beanstalk provides several management features that ease deployment and management of applications on AWS. Organizations have access to built-in Amazon CloudWatch monitoring metrics such as average CPU utilization, request count, and average latency. They can receive email notifications through Amazon SNS when application health changes or application servers are added or removed. Server logs for the application servers can be accessed without needing to log in. Organizations can even elect to have updates applied automatically to the underlying platform running the application such as the AMI, operating system, language and framework, and application or proxy server.
Additionally, developers retain full control over the AWS resources powering their application and can perform a variety of functions by simply adjusting the configuration settings. These include settings such as:
Selecting the most appropriate Amazon EC2 instance type that matches the CPU and memory requirements of their application
Choosing the right database and storage options such as Amazon RDS, Amazon DynamoDB, Microsoft SQL Server, and Oracle
Enabling login access to Amazon EC2 instances for immediate and direct troubleshooting
Enhancing application security by enabling the HTTPS protocol on the load balancer
Adjusting application server settings (for example, JVM settings) and passing environment variables
Adjusting Auto Scaling settings to control the metrics and thresholds used to determine when to add or remove instances from an environment
With AWS Elastic Beanstalk, organizations can deploy an application quickly while retaining as much control as they want to have over the underlying infrastructure.
AWS Trusted Advisor
AWS Trusted Advisor draws upon best practices learned from the aggregated operational history of serving over a million AWS customers. AWS Trusted Advisor inspects your AWS environment and makes recommendations when opportunities exist to save money, improve system availability and performance, or help close security gaps. You can view the overall status of your AWS resources and savings estimations on the AWS Trusted Advisor dashboard.
AWS Trusted Advisor is accessed in the AWS Management Console. Additionally, programmatic access to AWS Trusted Advisor is available with the AWS Support API.
AWS Trusted Advisor provides best practices in four categories: cost optimization, security, fault tolerance, and performance improvement. The status of the check is shown by using color coding on the dashboard page, as depicted in Figure 11.10.
FIGURE 11.10 AWS Trusted Advisor Console dashboard
The color coding reflects the following information:
Red: Action recommended
Yellow: Investigation recommended
Green: No problem detected
For each check, you can review a detailed description of the recommended best practice, a set of alert criteria, guidelines for action, and a list of useful resources on the topic.
All AWS customers have access to four AWS Trusted Advisor checks at no cost. The four standard AWS Trusted Advisor checks are:
Service Limits: Checks for usage that is more than 80 percent of the service limit. These values are based on a snapshot, so current usage might differ and can take up to 24 hours to reflect changes.
Security Groups – Specific Ports Unrestricted: Checks security groups for rules that allow unrestricted access (0.0.0.0/0) to specific ports.
IAM Use: Checks for your use of AWS IAM.
MFA on Root Account: Checks the root account and warns if MFA is not enabled.
Customers with a Business or Enterprise AWS Support plan can view all AWS Trusted Advisor checks—over 50 checks.
There may be occasions when a particular check is not relevant to some resources in your AWS environment. You have the ability to exclude items from a check and optionally restore them later at any time. AWS Trusted Advisor acts like a customized cloud expert, and it helps organizations provision their resources by following best practices while identifying inefficiencies, waste, potential cost savings, and security issues.
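As an added example (not AWS's implementation and not code from the book), the check below reproduces the logic of the Security Groups – Specific Ports Unrestricted check over a constructed sample in the shape ec2.describe_security_groups() returns, grading each world-reachable inbound rule red, yellow or no finding the way the dashboard colours do. The port lists are assumptions for the illustration; Trusted Advisor keeps its own. In a real account you would feed it the live groups from boto3, or read the check's own verdict through the Support API with describe_trusted_advisor_check_result, which requires a Business or Enterprise support plan.

```python
import ipaddress

# Assumptions for this example (Trusted Advisor keeps its own lists; these are illustrative):
# ports whose exposure to every address is "action recommended" (red) ...
RED_PORTS = {20, 21, 22, 1433, 1434, 3306, 3389, 5432, 27017}
# ... and ports an Internet-facing web tier is expected to expose (no finding).
EXPECTED_PUBLIC_PORTS = {80, 443}

# Constructed sample in the shape returned by ec2.describe_security_groups()["SecurityGroups"].
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1b2c3d", "GroupName": "web-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-0e5f6a7b", "GroupName": "db-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d"}]},  # reachable only from the web tier
    ]},
    {"GroupId": "sg-0c9d8e7f", "GroupName": "legacy-admin", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},  # all protocols, all ports
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8090,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}, {"CidrIp": "0.0.0.0/0"}]},
    ]},
]


def is_unrestricted(cidr):
    """True for a source that matches every address: 0.0.0.0/0 or ::/0."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def rule_ports(perm):
    """Ports opened by one IpPermissions entry. None means every port (protocol -1, or a
    rule with no port range); ICMP and other portless protocols give an empty set."""
    if perm.get("IpProtocol") == "-1" or "FromPort" not in perm:
        return None
    if perm["IpProtocol"] not in ("tcp", "udp"):
        return set()
    return set(range(perm["FromPort"], perm["ToPort"] + 1))


def check_security_groups(groups, red_ports=RED_PORTS, expected=EXPECTED_PUBLIC_PORTS):
    """Flag inbound rules reachable from anywhere. Red: every port, or a port in red_ports.
    Yellow: any other port outside the expected public set. Rules whose only sources are
    other security groups or private ranges produce no finding."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            sources = ([r["CidrIp"] for r in perm.get("IpRanges", [])]
                       + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])
            open_sources = [cidr for cidr in sources if is_unrestricted(cidr)]
            if not open_sources:
                continue
            ports = rule_ports(perm)
            if ports is None or ports & red_ports:
                status = "red"
            elif ports - expected:
                status = "yellow"
            else:
                continue  # only the expected public listener ports are open
            findings.append({"GroupId": group["GroupId"], "GroupName": group["GroupName"],
                             "Protocol": perm.get("IpProtocol"),
                             "Ports": None if ports is None else sorted(ports),
                             "Sources": open_sources, "Status": status})
    return findings


def dashboard_status(findings):
    """Collapse findings into the single colour the check would show on the dashboard."""
    statuses = {finding["Status"] for finding in findings}
    return "red" if "red" in statuses else "yellow" if "yellow" in statuses else "green"


if __name__ == "__main__":
    # In a real account, replace SAMPLE_GROUPS with
    # boto3.client("ec2").describe_security_groups()["SecurityGroups"].
    results = check_security_groups(SAMPLE_GROUPS)
    for finding in results:
        print(finding["Status"].upper(), finding["GroupName"], finding["Protocol"],
              finding["Ports"] or "all ports", finding["Sources"])
    print("overall:", dashboard_status(results))
```

The db-tier group never appears in the output even though it opens 3306, because its only source is another security group; that distinction, source rather than port, is what the check is really about. The rule that mixes 10.0.0.0/8 with 0.0.0.0/0 is still flagged, since one unrestricted source is enough.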
AWS Config
AWS Config is a fully managed service that provides you with an AWS resource inventory, configuration history, and configuration change notifications to enable security and governance. With AWS Config, you can discover existing and deleted AWS resources, determine your overall compliance against rules, and dive into configuration details of a resource at any point in time. These capabilities enable compliance auditing, security analysis, resource change tracking, and troubleshooting.
Overview
AWS Config provides a detailed view of the configuration of AWS resources in your AWS account. This includes how the resources are related and how they were configured in the past so that you can see how the configurations and relationships change over time. AWS Config defines a resource as an entity you can work with in AWS, such as an Amazon EC2 instance, an Amazon EBS volume, a security group, or an Amazon VPC.
When you turn on AWS Config, it first discovers the supported AWS resources that exist in your account and generates a configuration item for each resource. A configuration item represents a point-in-time view of the various attributes of a supported AWS resource that exists in your account. The components of a configuration item include metadata, attributes, relationships, current configuration, and related events.
AWS Config will generate configuration items when the configuration of a resource changes, and it maintains historical records of the configuration items of your resources from the time you start the configuration recorder. The configuration recorder stores the configurations of the supported resources in your account as configuration items. By default, AWS Config creates configuration items for every supported resource in the region. If you don't want AWS Config to create configuration items for all supported resources, you can specify the resource types that you want it to track.
Organizations often need to assess the overall compliance and risk status from a configuration perspective, view compliance trends over time, and pinpoint which configuration change caused a resource to drift out of compliance. An AWS Config Rule represents desired configuration settings for specific AWS resources or for an entire AWS account. While AWS Config continuously tracks your resource configuration changes, it checks whether these changes violate any of the conditions in your rules. If a resource violates a rule, AWS Config flags the resource and the rule as noncompliant and notifies you through Amazon SNS.
AWS Config makes it easy to track resource configuration without the need for up-front investments and while avoiding the complexity of installing and updating agents for data collection or maintaining large databases. Once AWS Config is enabled, organizations can view continuously updated details of all configuration attributes associated with AWS resources.
Use Cases
Some of the infrastructure management tasks AWS Config enables include:
Discovery: AWS Config will discover resources that exist in your account, record their current configuration, and capture any changes to these configurations. AWS Config will also retain configuration details for resources that have been deleted. A comprehensive snapshot of all resources and their configuration attributes provides a complete inventory of resources in your account.
Change Management: When your resources are created, updated, or deleted, AWS Config streams these configuration changes to Amazon SNS so that you are notified of all configuration changes. AWS Config represents relationships between resources, so you can assess how a change to one resource may affect other resources.
Continuous Audit and Compliance: AWS Config and AWS Config Rules are designed to help you assess compliance with internal policies and regulatory standards by providing visibility into the configuration of a resource at any time and evaluating relevant configuration changes against rules that you can define.
Troubleshooting: Using AWS Config, you can quickly troubleshoot operational issues by identifying the recent configuration changes to your resources.
Security and Incident Analysis: Properly configured resources improve your security posture. Data from AWS Config enables you to monitor the configurations of your resources continuously and evaluate these configurations for potential security weaknesses. After a potential security event, AWS Config enables you to examine the configuration of your resources at any single point in the past.
Key Features
In the past, organizations needed to poll resource APIs and maintain their own external database for change management. AWS Config resolves this previous need and automatically records resource configuration information and will evaluate any rules that are triggered by a change. The configuration of the resource and its overall compliance against rules are presented in a dashboard.
AWS Config integrates with AWS CloudTrail, a service that records AWS API calls for an account and delivers API usage log files to an Amazon S3 bucket. If the configuration change of a resource was the result of an API call, AWS Config also records the AWS CloudTrail event ID that corresponds to the API call that changed the resource's configuration. Organizations can then leverage the AWS CloudTrail logs to obtain details of the API call that was made—including who made the API call, at what time, and from which IP address—to use for troubleshooting purposes.
When a configuration change is made to a resource or when the compliance of an AWS Config rule changes, a notification message is delivered that contains the updated configuration of the resource or compliance state of the rule and key information such as the old and new values for each changed attribute. Additionally, AWS Config sends notifications when a Configuration History file is delivered to Amazon S3 and when the customer initiates a Configuration Snapshot. These messages are all streamed to an Amazon SNS topic that you specify.
Organizations can use the AWS Management Console, API, or AWS CLI to obtain details of what a resource's configuration looked like at any point in the past. AWS Config will also automatically deliver a history file to the Amazon S3 bucket you specify every six hours that contains all changes to your resource configurations.
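Custom AWS Config rules are where the configuration items, rule evaluations and CloudTrail event IDs described above meet, so here is an added example (not code from the book or from AWS) of a Lambda function for a custom rule that marks unencrypted AWS::EC2::Volume items NON_COMPLIANT and cites the CloudTrail event that produced the change. The event follows the contract Config uses for custom rules (invokingEvent and ruleParameters arrive as JSON strings, and the resultToken is handed back to put_evaluations); the sample event, the volume ID, the event ID and the optional requiredKmsKeyArn rule parameter are constructed for this example.

```python
import json

# Constructed event in the shape AWS Config sends to a custom rule's Lambda function:
# invokingEvent and ruleParameters are JSON strings; resultToken is returned with the results.
# The volume ID and the CloudTrail event ID in relatedEvents are made up for this example.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::Volume",
            "resourceId": "vol-0123456789abcdef0",
            "awsRegion": "us-east-1",
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2017-03-01T12:00:00.000Z",
            "relatedEvents": ["1a2b3c4d-5e6f-4a7b-8c9d-0e1f2a3b4c5d"],
            "configuration": {"volumeId": "vol-0123456789abcdef0", "size": 100,
                              "encrypted": False, "kmsKeyId": None},
        },
    }),
    "ruleParameters": json.dumps({}),
    "resultToken": "example-result-token",
}

ANNOTATION_LIMIT = 256  # put_evaluations rejects longer annotations


def evaluate_volume(ci, params):
    """Decide compliance for one AWS::EC2::Volume configuration item.
    Returns (ComplianceType, annotation)."""
    if ci.get("configurationItemStatus") in ("ResourceDeleted", "ResourceNotRecorded"):
        return "NOT_APPLICABLE", "resource deleted or not recorded"
    if ci.get("resourceType") != "AWS::EC2::Volume":
        return "NOT_APPLICABLE", f"rule does not evaluate {ci.get('resourceType')}"
    config = ci.get("configuration") or {}
    if not config.get("encrypted"):
        note = "EBS volume is not encrypted"
        # relatedEvents carries the CloudTrail event ID(s) behind this configuration item,
        # so the annotation points an analyst straight at the call that created the volume.
        if ci.get("relatedEvents"):
            note += f"; CloudTrail event {ci['relatedEvents'][0]}"
        return "NON_COMPLIANT", note
    required_key = params.get("requiredKmsKeyArn")  # optional rule parameter (assumption)
    if required_key and config.get("kmsKeyId") != required_key:
        return "NON_COMPLIANT", f"encrypted with {config.get('kmsKeyId')} instead of the required CMK"
    return "COMPLIANT", "EBS volume is encrypted"


def build_evaluations(event):
    """Parse the custom-rule event and produce the Evaluations list for put_evaluations."""
    invoking = json.loads(event["invokingEvent"])
    params = json.loads(event.get("ruleParameters") or "{}")
    ci = invoking.get("configurationItem")
    if ci is None:
        # Scheduled and oversized notifications carry no inline item; a fuller rule would
        # fetch it with config.get_resource_config_history(). Nothing to evaluate here.
        return []
    compliance, annotation = evaluate_volume(ci, params)
    return [{
        "ComplianceResourceType": ci["resourceType"],
        "ComplianceResourceId": ci["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:ANNOTATION_LIMIT],
        "OrderingTimestamp": ci["configurationItemCaptureTime"],
    }]


def lambda_handler(event, context):
    """Entry point wired to the Config rule: evaluate, then report back with the result token."""
    evaluations = build_evaluations(event)
    import boto3  # imported here so the evaluation logic above is testable without the SDK
    boto3.client("config").put_evaluations(Evaluations=evaluations,
                                           ResultToken=event["resultToken"])
    return evaluations


if __name__ == "__main__":
    print(json.dumps(build_evaluations(SAMPLE_EVENT), indent=2))
```

Keeping the decision in evaluate_volume, separate from the SDK call, is what lets the rule be exercised offline against captured configuration items, and the annotation's CloudTrail event ID is the same link the notification message carries, so the SNS alert and the compliance dashboard both lead to the same API call in the CloudTrail logs.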
Summary
In this chapter, you learned about additional key AWS cloud services, many of which will be covered on your AWS Certified Solutions Architect – Associate exam. These services are grouped into four categories of services: storage and content delivery, security, analytics, and DevOps.
In the storage and content delivery group, we covered Amazon CloudFront and AWS Storage Gateway. Amazon CloudFront is a global CDN service. It integrates with other AWS products to give developers and businesses an easy way to distribute content to end users with low latency, high data transfer speeds, and no minimum usage commitments. AWS Storage Gateway is a service that connects an on-premises software appliance with cloud-based storage. It provides seamless and secure integration between an organization's on-premises IT environment and AWS storage infrastructure. The AWS Storage Gateway appliance maintains frequently accessed data on-premises while encrypting and storing all of your data in Amazon S3 or Amazon Glacier.
The services we covered in security focused on Identity Management (AWS Directory Service), Key Management (AWS KMS and AWS CloudHSM), and Audit (AWS CloudTrail). AWS Directory Service is a managed service offering, providing directories that contain information about your organization, including users, groups, computers, and other resources. AWS Directory Service is offered in three types: AWS Directory Service for Microsoft Active Directory (Enterprise Edition), Simple AD, and AD Connector.
Key management is the management of cryptographic keys within a cryptosystem. This includes dealing with the generation, exchange, storage, use, and replacement of keys. AWS KMS is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data. AWS KMS lets you create keys that can never be exported from the service and that can be used to encrypt and decrypt data based on policies you define. AWS CloudHSM helps you meet corporate, contractual, and regulatory compliance requirements for data security by using dedicated HSM appliances within the AWS cloud. An HSM is a hardware appliance that provides secure key storage and cryptographic operations within a tamper-resistant hardware module.
Rounding out the security services is AWS CloudTrail. AWS CloudTrail provides visibility into user activity by recording API calls made on your account. AWS CloudTrail records important information about each API call, including the name of the API, the identity of the caller, the time of the API call, the request parameters, and the response elements returned by the AWS service. This information helps you to track changes made to your AWS resources and to troubleshoot operational issues.
The analytics services covered help you overcome the unique list of challenges associated with big data in today's IT world. Amazon Kinesis is a platform for handling massive streaming data on AWS, offering powerful services to make it easy to load and analyze streaming data and also providing the ability for you to build custom streaming data applications for specialized needs. Amazon EMR provides you with a fully managed, on-demand Hadoop framework. The reduction of complexity and up-front costs combined with the scale of AWS means you can instantly spin up large Hadoop clusters and start processing within minutes.
Tosupplementthebigdatachallenges,orchestratingdatamovementcomeswithitsownchallenges.AWSDataPipelineisawebservicethathelpsyoureliablyprocessandmovedatabetweendifferentAWScomputeandstorageservices,andalsoon-premisesdatasources,atspecifiedintervals.WithAWSDataPipeline,youcanregularlyaccessyourdatawhereit’sstored,transformandprocessitatscale,andefficientlytransfertheresultstoAWSservicessuchasAmazonS3,AmazonRDS,AmazonDynamoDB,andAmazonEMR.Additionally,AWSImport/Exporthelpswhenyou’refacedwiththechallengeofgettinghugedatasetsintoAWSinthefirstplaceorretrievingthembacktoon-premiseswhennecessary.AWSImport/ExportisaservicethatacceleratestransferringlargeamountsofdataintoandoutofAWSusingphysicalstorageappliances,bypassingtheInternet.Thedataiscopiedtoadeviceatthesource,shippedviastandardshippingmechanisms,andthencopiedtothedestination.
AWScontinuestoevolveservicesinsupportoforganizationsembracingDevOps.ServicessuchasAWSOpsWorks,AWSCloudFormation,AWSElasticBeanstalk,andAWSConfigareleadingthewayforDevOpsonAWS.AWSOpsWorksprovidesaconfigurationmanagementservicethathelpsyouconfigureandoperateapplicationsusingChef.AWSOpsWorksworkswithapplicationsofanylevelofcomplexityandisindependentofanyparticulararchitecturalpattern.AWSCloudFormationallowsorganizationstodeploy,modify,andupdateresourcesinacontrolledandpredictableway,ineffectapplyingversioncontroltoAWSinfrastructurethesamewayonewoulddowithsoftware.AWSElasticBeanstalkallowsdeveloperstosimplyuploadtheirapplicationcode,andtheserviceautomaticallyhandlesallofthedetailssuchasresourceprovisioning,loadbalancing,AutoScaling,andmonitoring.AWSConfigdeliversafullymanagedservicethatprovidesyouwithanAWSresourceinventory,configurationhistory,andconfigurationchangenotificationstoenablesecurityandgovernance.WithAWSConfig,organizationshavetheinformationnecessaryforcomplianceauditing,securityanalysis,resourcechangetracking,andtroubleshooting.
Thekeyadditionalservicescoveredinthischapterwillhelpyouformaknowledgebasetounderstandthenecessitiesfortheexam.AsyoucontinuetogrowasaSolutionsArchitect,divingdeeperintotheAWScloudservicesasawholewillexpandyourabilitytodefinewellarchitectedsolutionsacrossawidevarietyofbusinessverticalsandusecases.
Exam Essentials

Know the basic use cases for Amazon CloudFront. Know when to use Amazon CloudFront (for popular static and dynamic content with geographically distributed users) and when not to (all users at a single location or connecting through a corporate VPN).

Know how Amazon CloudFront works. Amazon CloudFront optimizes downloads by using geolocation to identify the geographical location of users, then serving and caching content at the edge location closest to each user to maximize performance.

Know how to create an Amazon CloudFront distribution and what types of origins are supported. To create a distribution, you specify an origin and the type of distribution, and Amazon CloudFront creates a new domain name for the distribution. Origins supported include Amazon S3 buckets or static Amazon S3 websites and HTTP servers located in Amazon EC2 or in your own data center.

Know how to use Amazon CloudFront for dynamic content and multiple origins. Understand how to specify multiple origins for different types of content and how to use cache behaviors and path strings to control what content is served by which origin.

Know what mechanisms are available to serve private content through Amazon CloudFront. Amazon CloudFront can serve private content using Amazon S3 Origin Access Identifiers, signed URLs, and signed cookies.
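The signed-URL mechanism named in the essential above, shown as an added example that is not code from the book or from AWS: a Go program that builds a canned-policy signed URL the way a trusted signer does, and then replays the check CloudFront performs at the edge (rebuild the policy, verify the RSA-SHA1 signature, reject anything past Expires). The RSA key pair, the distribution domain `dexample.cloudfront.net`, the key-pair ID and the epoch timestamps are constructed placeholders; the policy document layout and the `+`/`=`/`/` substitutions are the ones CloudFront specifies for canned policies.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"strconv"
	"strings"
)

// NewSigningKey stands in for the CloudFront key pair whose public half is
// registered as a trusted signer; in production the private key stays offline.
func NewSigningKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// cannedPolicy is the policy document CloudFront reconstructs for a signed
// URL: one Resource, valid until AWS:EpochTime (seconds since the epoch).
func cannedPolicy(resource string, expires int64) string {
	return fmt.Sprintf(
		`{"Statement":[{"Resource":"%s","Condition":{"DateLessThan":{"AWS:EpochTime":%d}}}]}`,
		resource, expires)
}

// cloudFrontEncode is standard base64 made query-string safe the way
// CloudFront specifies: '+' -> '-', '=' -> '_', '/' -> '~'.
func cloudFrontEncode(b []byte) string {
	return strings.NewReplacer("+", "-", "=", "_", "/", "~").
		Replace(base64.StdEncoding.EncodeToString(b))
}

func cloudFrontDecode(s string) ([]byte, error) {
	return base64.StdEncoding.DecodeString(
		strings.NewReplacer("-", "+", "_", "=", "~", "/").Replace(s))
}

// SignURL produces a canned-policy signed URL: RSA-SHA1 over the policy,
// carried as the Expires, Signature and Key-Pair-Id query parameters.
func SignURL(rawURL string, expires int64, keyPairID string, priv *rsa.PrivateKey) (string, error) {
	if strings.Contains(rawURL, "?") {
		return "", errors.New("this example signs resource URLs without a query string")
	}
	digest := sha1.Sum([]byte(cannedPolicy(rawURL, expires)))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA1, digest[:])
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("%s?Expires=%d&Signature=%s&Key-Pair-Id=%s",
		rawURL, expires, cloudFrontEncode(sig), keyPairID), nil
}

// VerifySignedURL replays the edge check offline: strip the signing
// parameters, rebuild the policy, verify against the trusted signer's public
// key, and refuse anything past Expires. now is injected so the expiry
// branch can be exercised deterministically.
func VerifySignedURL(signed string, now int64, pub *rsa.PublicKey) (bool, error) {
	u, err := url.Parse(signed)
	if err != nil {
		return false, err
	}
	q := u.Query()
	expires, err := strconv.ParseInt(q.Get("Expires"), 10, 64)
	if err != nil {
		return false, fmt.Errorf("bad Expires: %w", err)
	}
	if now >= expires {
		return false, nil // policy has lapsed; the edge answers 403
	}
	sig, err := cloudFrontDecode(q.Get("Signature"))
	if err != nil {
		return false, err
	}
	u.RawQuery = "" // the signed resource is the URL without the signing parameters
	digest := sha1.Sum([]byte(cannedPolicy(u.String(), expires)))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA1, digest[:], sig); err != nil {
		return false, nil // tampered resource or a key pair that is not a trusted signer
	}
	return true, nil
}

func main() {
	priv, _ := NewSigningKey()
	// Placeholder domain, key-pair ID and timestamps; real values come from your distribution.
	signed, _ := SignURL("https://dexample.cloudfront.net/private/video.mp4", 1700000000, "APKA-PLACEHOLDER", priv)
	ok, _ := VerifySignedURL(signed, 1699999000, &priv.PublicKey)
	fmt.Println(signed)
	fmt.Println("accepted before expiry:", ok)
}
```

Note that Key-Pair-Id is not part of the signed policy: it only tells the edge which public key to try, so the security of the scheme rests on keeping the private key offline and on the short expiry, not on the ID.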
Know the three configurations of AWS Storage Gateway and their use cases. Gateway-Cached volumes expand your on-premises storage into Amazon S3 and cache frequently used files locally. Gateway-Stored volumes keep all your data available locally at all times and also replicate it asynchronously to Amazon S3. Gateway-VTL enables you to keep your current backup tape software and processes while eliminating physical tapes by storing your data in the cloud.

Understand the value of AWS Directory Service. AWS Directory Service is designed to reduce identity management tasks, thereby allowing you to focus more of your time and resources on your business.

Know the AWS Directory Service directory types. AWS Directory Service offers three directory types:

AWS Directory Service for Microsoft Active Directory (Enterprise Edition), also referred to as Microsoft AD
Simple AD
AD Connector

Know when you should use AWS Directory Service for Microsoft Active Directory. You should use Microsoft Active Directory if you have more than 5,000 users or need a trust relationship set up between an AWS hosted directory and your on-premises directories.

Understand key management. Key management is the management of cryptographic keys within a cryptosystem. This includes dealing with the generation, exchange, storage, use, and replacement of keys.

Understand when you should use AWS KMS. AWS KMS is a managed service that makes it easy for you to create and control the symmetric encryption keys used to encrypt your data. AWS KMS lets you create keys that can never be exported from the service and which can be used to encrypt and decrypt data based on policies you define.

Understand when you should use AWS CloudHSM. AWS CloudHSM helps you meet corporate, contractual, and regulatory compliance requirements for data security by using dedicated hardware security module appliances within the AWS cloud.

Understand the value of AWS CloudTrail. AWS CloudTrail provides visibility into user activity by recording API calls made on your account. This helps you to track changes made to your AWS resources and to troubleshoot operational issues. AWS CloudTrail makes it easier to ensure compliance with internal policies and regulatory standards.

Know the three services of Amazon Kinesis and their use cases. Amazon Kinesis Firehose allows you to load massive volumes of streaming data into AWS. Amazon Kinesis Analytics enables you to easily analyze streaming data in real time with standard SQL. Amazon Kinesis Streams enables you to build custom applications that process or analyze streaming data in real time for specialized needs.

Know what service Amazon EMR provides. Amazon EMR provides a managed Hadoop service on AWS that allows you to spin up large Hadoop clusters in minutes.

Know the difference between persistent and transient clusters. Persistent clusters run continuously, so they do not lose data stored on instance-based HDFS. Transient clusters are launched for a specific task, then terminated, so they access data on Amazon S3 via EMRFS.

Know the use cases for Amazon EMR. Amazon EMR is useful for big data analytics in virtually any industry, including, but not limited to, log processing, clickstream analysis, and genomics and life sciences.

Know the use cases for AWS Data Pipeline. AWS Data Pipeline can manage batch ETL processes at scale on the cloud, accessing data both in AWS and on-premises. It can take advantage of AWS cloud services by spinning up resources required for the process, such as Amazon EC2 instances or Amazon EMR clusters.

Know the types of AWS Import/Export services and the possible sources/destinations of each. AWS Snowball is an Amazon-supplied shippable appliance, delivered ready to ship. It can transfer data to and from your on-premises storage and to and from Amazon S3. AWS Import/Export Disk uses your storage devices and, in addition to transferring data in and out of your on-premises storage, can import data to Amazon S3, Amazon EBS, and Amazon Glacier; it can only export data from Amazon S3.

Understand the basics of AWS OpsWorks. AWS OpsWorks is a configuration management service that helps you configure and operate applications of all shapes and sizes using Chef. You can define an application's architecture and the specification of each component including package installation, software configuration, and resources such as storage.

Understand the value of AWS CloudFormation. AWS CloudFormation is a service that helps you model and set up your AWS resources. AWS CloudFormation allows organizations to deploy, modify, and update resources in a controlled and predictable way, in effect applying version control to AWS infrastructure the same way you would do with software.

Understand the value of AWS Elastic Beanstalk. AWS Elastic Beanstalk is the fastest and simplest way to get an application up and running on AWS. Developers can simply upload their application code, and the service automatically handles all the details such as resource provisioning, load balancing, Auto Scaling, and monitoring.

Understand the components of AWS Elastic Beanstalk. An AWS Elastic Beanstalk application is the logical collection of environments, versions, and environment configurations. In AWS Elastic Beanstalk, an application is conceptually similar to a folder.

Understand the value of AWS Config. AWS Config is a fully managed service that provides organizations with an AWS resource inventory, configuration history, and configuration change notifications to enable security and governance. With AWS Config, organizations can discover existing and deleted AWS resources, determine their overall compliance against rules, and dive into configuration details of a resource at any point in time. These capabilities enable compliance auditing, security analysis, resource change tracking, and troubleshooting.
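Envelope encryption and the encryption context from the key management and AWS KMS essentials above (the same mechanism the review questions on KMS decrypt failures turn on), as an added example that is not code from the book or from AWS: a Go program with a stand-in master key whose bytes never leave its struct, per-object data keys wrapped under it, and the encryption context bound as additional authenticated data, so decrypting with a different or missing context fails before the payload is even attempted. `MasterKey`, `Encrypt`, `Decrypt` and the tenant/purpose context values are assumptions for illustration, not the KMS API; AES-256-GCM is used locally where KMS would perform the wrap inside the service.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"sort"
	"strings"
)

// MasterKey stands in for a KMS customer master key: the raw key bytes stay
// inside the struct, and callers only get the wrap/unwrap operations.
type MasterKey struct{ key []byte }

func NewMasterKey() (*MasterKey, error) {
	k := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		return nil, err
	}
	return &MasterKey{key: k}, nil
}

// canonicalContext renders the encryption context as sorted key=value pairs
// so the same map always yields the same additional authenticated data.
func canonicalContext(ctx map[string]string) []byte {
	keys := make([]string, 0, len(ctx))
	for k := range ctx {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var b strings.Builder
	for _, k := range keys {
		fmt.Fprintf(&b, "%s=%s;", k, ctx[k])
	}
	return []byte(b.String())
}

// seal and open are AES-256-GCM with a random nonce prefixed to the output;
// aad is authenticated but not encrypted, which is how the context is bound.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

func open(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], aad)
}

// Envelope is what gets stored beside the data: the data key wrapped under
// the master key (bound to the context) and the data ciphertext.
type Envelope struct{ WrappedKey, Ciphertext []byte }

// Encrypt mirrors GenerateDataKey plus local encryption: a fresh 256-bit data
// key encrypts the payload, and only its wrapped form is kept.
func Encrypt(m *MasterKey, plaintext []byte, ctx map[string]string) (*Envelope, error) {
	dk := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dk); err != nil {
		return nil, err
	}
	wrapped, err := seal(m.key, dk, canonicalContext(ctx))
	if err != nil {
		return nil, err
	}
	ct, err := seal(dk, plaintext, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Ciphertext: ct}, nil
}

// Decrypt mirrors the Decrypt call followed by local decryption: the unwrap
// fails unless the identical encryption context is presented.
func Decrypt(m *MasterKey, env *Envelope, ctx map[string]string) ([]byte, error) {
	dk, err := open(m.key, env.WrappedKey, canonicalContext(ctx))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return open(dk, env.Ciphertext, nil)
}

func main() {
	cmk, _ := NewMasterKey()
	ctx := map[string]string{"tenant": "example-tenant", "purpose": "invoices"} // constructed
	env, _ := Encrypt(cmk, []byte("customer record"), ctx)
	_, err := Decrypt(cmk, env, map[string]string{"tenant": "other"})
	fmt.Println("wrong context rejected:", err != nil)
	pt, _ := Decrypt(cmk, env, ctx)
	fmt.Printf("round trip: %q\n", pt)
}
```

The context is the detail that matters operationally: because it is authenticated rather than encrypted, it can be logged in the clear (CloudTrail records it for KMS calls) and used in key policy conditions, while a caller who presents the wrong context gets a failure indistinguishable from a corrupted ciphertext.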
Review Questions

1. What origin servers are supported by Amazon CloudFront? (Choose 3 answers)
A. An Amazon Route 53 Hosted Zone
B. An Amazon Simple Storage Service (Amazon S3) bucket
C. An HTTP server running on Amazon Elastic Compute Cloud (Amazon EC2)
D. An Amazon EC2 Auto Scaling Group
E. An HTTP server running on-premises

2. Which of the following are good use cases for Amazon CloudFront? (Choose 2 answers)
A. A popular software download site that supports users around the world, with dynamic content that changes rapidly
B. A corporate website that serves training videos to employees. Most employees are located in two corporate campuses in the same city.
C. A heavily used video and music streaming service that requires content to be delivered only to paid subscribers
D. A corporate HR website that supports a global workforce. Because the site contains sensitive data, all users must connect through a corporate Virtual Private Network (VPN).

3. You have a web application that contains both static content in an Amazon Simple Storage Service (Amazon S3) bucket—primarily images and CSS files—and also dynamic content currently served by a PHP web app running on Amazon Elastic Compute Cloud (Amazon EC2). What features of Amazon CloudFront can be used to support this application with a single Amazon CloudFront distribution? (Choose 2 answers)
A. Multiple Origin Access Identifiers
B. Multiple signed URLs
C. Multiple origins
D. Multiple edge locations
E. Multiple cache behaviors

4. You are building a media-sharing web application that serves video files to end users on both PCs and mobile devices. The media files are stored as objects in an Amazon Simple Storage Service (Amazon S3) bucket, but are to be delivered through Amazon CloudFront. What is the simplest way to ensure that only Amazon CloudFront has access to the objects in the Amazon S3 bucket?
A. Create Signed URLs for each Amazon S3 object.
B. Use an Amazon CloudFront Origin Access Identifier (OAI).
C. Use public and private keys with signed cookies.
D. Use an AWS Identity and Access Management (IAM) bucket policy.

5. Your company data center is completely full, but the sales group has determined a need to store 200TB of product video. The videos were created over the last several years, with the most recent being accessed by sales the most often. The data must be accessed locally, but there is no space in the data center to install local storage devices to store this data. What AWS cloud service will meet sales' requirements?
A. AWS Storage Gateway Gateway-Stored volumes
B. Amazon Elastic Compute Cloud (Amazon EC2) instances with attached Amazon EBS Volumes
C. AWS Storage Gateway Gateway-Cached volumes
D. AWS Import/Export Disk

6. Your company wants to extend their existing Microsoft Active Directory capability into an Amazon Virtual Private Cloud (Amazon VPC) without establishing a trust relationship with the existing on-premises Active Directory. Which of the following is the best approach to achieve this goal?
A. Create and connect an AWS Directory Service AD Connector.
B. Create and connect an AWS Directory Service Simple AD.
C. Create and connect an AWS Directory Service for Microsoft Active Directory (Enterprise Edition).
D. None of the above

7. Which of the following are AWS Key Management Service (AWS KMS) keys that will never exit AWS unencrypted?
A. AWS KMS data keys
B. Envelope encryption keys
C. AWS KMS Customer Master Keys (CMKs)
D. A and C

8. Which cryptographic method is used by AWS Key Management Service (AWS KMS) to encrypt data?
A. Password-based encryption
B. Asymmetric
C. Shared secret
D. Envelope encryption

9. Which AWS service records Application Program Interface (API) calls made on your account and delivers log files to your Amazon Simple Storage Service (Amazon S3) bucket?
A. AWS CloudTrail
B. Amazon CloudWatch
C. Amazon Kinesis
D. AWS Data Pipeline

10. You are trying to decrypt ciphertext with AWS KMS and the decryption operation is failing. Which of the following are possible causes? (Choose 2 answers)
A. The private key does not match the public key in the ciphertext.
B. The plaintext was encrypted along with an encryption context, and you are not providing the identical encryption context when calling the Decrypt API.
C. The ciphertext you are trying to decrypt is not valid.
D. You are not providing the correct symmetric key to the Decrypt API.

11. Your company has 30 years of financial records that take up 15TB of on-premises storage. It is regulated that you maintain these records, but in the year you have worked for the company no one has ever requested any of this data. Given that the company data center is already filling the bandwidth of its Internet connection, what is an alternative way to store the data on the most appropriate cloud storage?
A. AWS Import/Export to Amazon Simple Storage Service (Amazon S3)
B. AWS Import/Export to Amazon Glacier
C. Amazon Kinesis
D. Amazon Elastic MapReduce (AWS EMR)

12. Your company collects information from the point of sale registers at all of its franchise locations. Each month these processes collect 200TB of information stored in Amazon Simple Storage Service (Amazon S3). Analytics jobs taking 24 hours are performed to gather knowledge from this data. Which of the following will allow you to perform these analytics in a cost-effective way?
A. Copy the data to a persistent Amazon Elastic MapReduce (Amazon EMR) cluster, and run the MapReduce jobs.
B. Create an application that reads the information of the Amazon S3 bucket and runs it through an Amazon Kinesis stream.
C. Run a transient Amazon EMR cluster, and run the MapReduce jobs against the data directly in Amazon S3.
D. Launch a d2.8xlarge (32 vCPU, 244GB RAM) Amazon Elastic Compute Cloud (Amazon EC2) instance, and run an application to read and process each object sequentially.

13. Which service allows you to process nearly limitless streams of data in flight?
A. Amazon Kinesis Firehose
B. Amazon Elastic MapReduce (Amazon EMR)
C. Amazon Redshift
D. Amazon Kinesis Streams

14. What combination of services enable you to copy daily 50TB of data to Amazon storage, process the data in Hadoop, and store the results in a large data warehouse?
A. Amazon Kinesis, Amazon Data Pipeline, Amazon Elastic MapReduce (Amazon EMR), and Amazon Elastic Compute Cloud (Amazon EC2)
B. Amazon Elastic Block Store (Amazon EBS), Amazon Data Pipeline, Amazon EMR, and Amazon Redshift
C. Amazon Simple Storage Service (Amazon S3), Amazon Data Pipeline, Amazon EMR, and Amazon Redshift
D. Amazon S3, Amazon Simple Workflow, Amazon EMR, and Amazon DynamoDB

15. Your company has 50,000 weather stations around the country that send updates every 2 seconds. What service will enable you to ingest this stream of data and store it to Amazon Simple Storage Service (Amazon S3) for future processing?
A. Amazon Simple Queue Service (Amazon SQS)
B. Amazon Kinesis Firehose
C. Amazon Elastic Compute Cloud (Amazon EC2)
D. Amazon Data Pipeline

16. Your organization uses Chef heavily for its deployment automation. What AWS cloud service provides integration with Chef recipes to start new application server instances, configure application server software, and deploy applications?
A. AWS Elastic Beanstalk
B. Amazon Kinesis
C. AWS OpsWorks
D. AWS CloudFormation

17. A firm is moving its testing platform to AWS to provide developers with instant access to clean test and development environments. The primary requirement for the firm is to make environments easily reproducible and fungible. What service will help the firm meet their requirements?
A. AWS CloudFormation
B. AWS Config
C. Amazon Redshift
D. AWS Trusted Advisor

18. Your company's IT management team is looking for an online tool to provide recommendations to save money, improve system availability and performance, and to help close security gaps. What can help the management team?
A. Cloud-init
B. AWS Trusted Advisor
C. AWS Config
D. Configuration Recorder

19. Your company works with data that requires frequent audits of your AWS environment to ensure compliance with internal policies and best practices. In order to perform these audits, you need access to historical configurations of your resources to evaluate relevant configuration changes. Which service will provide the necessary information for your audits?
A. AWS Config
B. AWS Key Management Service (AWS KMS)
C. AWS CloudTrail
D. AWS OpsWorks

20. All of the website deployments are currently done by your company's development team. With a surge in website popularity, the company is looking for ways to be more agile with deployments. What AWS cloud service can help the developers focus more on writing code instead of spending time managing and configuring servers, databases, load balancers, firewalls, and networks?
A. AWS Config
B. AWS Trusted Advisor
C. Amazon Kinesis
D. AWS Elastic Beanstalk
Chapter 12
Security on AWS

THE AWS CERTIFIED SOLUTIONS ARCHITECT EXAM TOPICS COVERED IN THIS CHAPTER MAY INCLUDE, BUT ARE NOT LIMITED TO, THE FOLLOWING:

Domain 3.0: Data Security

3.1 Recognize and implement secure practices for optimum cloud deployment and maintenance.

Content may include the following:

AWS shared responsibility model
AWS platform compliance
AWS security attributes (customer workloads down to physical layer)
AWS administration and security services
AWS Identity and Access Management (IAM)
Amazon Virtual Private Cloud (Amazon VPC)
AWS CloudTrail
Ingress vs. egress filtering, and which AWS services and features fit
Core Amazon Elastic Compute Cloud (Amazon EC2) and Amazon Simple Storage Service (Amazon S3) security feature sets
Incorporating common conventional security products (Firewall, Virtual Private Network [VPN])
Denial of Service (DoS) mitigation
Encryption solutions (e.g., key services)
Complex access controls (building sophisticated security groups, Access Control Lists [ACLs], etc.)

Introduction

Cloud security is the first priority at AWS. All AWS customers benefit from a data center and network architecture that is built to satisfy the requirements of the most security-sensitive organizations. AWS and its partners offer tools and features to help you meet your security objectives around visibility, auditability, controllability, and agility. This means that you can have the security you need, but without the capital outlay and at a much lower operational overhead than in an on-premises or a traditional data center environment. This chapter will cover the relevant security topics that are within scope of the AWS Certified Solutions Architect – Associate exam.
Shared Responsibility Model

Before we go into the details of how AWS secures its resources, we should talk about how security in the cloud is slightly different than security in your on-premises data centers. When you move computer systems and data to the cloud, security responsibilities become shared between you and your cloud service provider. In this case, AWS is responsible for securing the underlying infrastructure that supports the cloud, and you're responsible for anything you put on the cloud or connect to the cloud. This shared responsibility model can reduce your operational burden in many ways, and in some cases it may even improve your default security posture without additional action on your part. Figure 12.1 illustrates AWS responsibilities versus those of the customer. Essentially, AWS is responsible for security of the cloud, and customers are responsible for security in the cloud.

FIGURE 12.1 The shared responsibility model
AWS Compliance Program

AWS compliance enables customers to understand the robust controls in place at AWS to maintain security and data protection in the cloud. As you build systems on top of AWS Cloud infrastructure, you share compliance responsibilities with AWS. By tying together governance-focused, audit-friendly service features with applicable compliance or audit standards, AWS compliance enablers build on traditional programs, helping you to establish and operate in an AWS security control environment. The IT infrastructure that AWS provides is designed and managed in alignment with security best practices and a variety of IT security standards, including (at the time of this writing):

Service Organization Control (SOC) 1/Statement on Standards for Attestation Engagements (SSAE) 16/International Standards for Assurance Engagements No. 3402 (ISAE) 3402 (formerly Statement on Auditing Standards [SAS] 70)
SOC 2
SOC 3
Federal Information Security Management Act (FISMA), Department of Defense (DoD) Information Assurance Certification and Accreditation Process (DIACAP), and Federal Risk and Authorization Management Program (FedRAMP)
DoD Cloud Computing Security Requirements Guide (SRG) Levels 2 and 4
Payment Card Industry Data Security Standard (PCI DSS) Level 1
International Organization for Standardization (ISO) 9001 and ISO 27001
International Traffic in Arms Regulations (ITAR)
Federal Information Processing Standard (FIPS) 140-2

In addition, the flexibility and control that the AWS platform provides allows customers to deploy solutions that meet several industry-specific standards, including:

Criminal Justice Information Services (CJIS)
Cloud Security Alliance (CSA)
Family Educational Rights and Privacy Act (FERPA)
Health Insurance Portability and Accountability Act (HIPAA)
Motion Picture Association of America (MPAA)

AWS provides a wide range of information regarding its IT control environment to customers through white papers, reports, certifications, accreditations, and other third-party attestations. To aid in preparation for your AWS Certified Solutions Architect Associate exam, see Chapter 13, "AWS Risk and Compliance." More information is available in the "AWS Risk and Compliance" white paper available on the AWS website.
AWS Global Infrastructure Security

AWS operates the global cloud infrastructure that you use to provision a variety of basic computing resources such as processing and storage. The AWS global infrastructure includes the facilities, network, hardware, and operational software (for example, host operating system and virtualization software) that support the provisioning and use of these resources. The AWS global infrastructure is designed and managed according to security best practices as well as a variety of security compliance standards. As an AWS customer, you can be assured that you're building web architectures on top of some of the most secure computing infrastructure in the world.

Physical and Environmental Security

AWS data centers are state of the art, using innovative architectural and engineering approaches. Amazon has many years of experience in designing, constructing, and operating large-scale data centers. This experience has been applied to the AWS platform and infrastructure. AWS data centers are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff using video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.

AWS only provides data center access and information to employees and contractors who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if they continue to be an employee of Amazon or AWS. All physical access to data centers by AWS employees is logged and audited routinely.

Fire Detection and Suppression

AWS data centers have automatic fire detection and suppression equipment to reduce risk. The fire detection system uses smoke detection sensors in all data center environments, mechanical and electrical infrastructure spaces, chiller rooms, and generator equipment rooms. These areas are protected by wet-pipe, double-interlocked pre-action, or gaseous sprinkler systems.

Power

AWS data center electrical power systems are designed to be fully redundant and maintainable without impact to operations, 24 hours a day, 7 days a week. Uninterruptible Power Supply (UPS) units provide backup power in the event of an electrical failure for critical and essential loads in the facility. AWS data centers use generators to provide backup power for the entire facility.

Climate and Temperature

Climate control is required to maintain a constant operating temperature for servers and other hardware, which prevents overheating and reduces the possibility of service outages.
AWS data centers are built to maintain atmospheric conditions at optimal levels. Personnel and systems monitor and control temperature and humidity at appropriate levels.

Management

AWS monitors electrical, mechanical, and life support systems and equipment so that any issues are immediately identified. AWS staff performs preventative maintenance to maintain the continued operability of equipment.

Storage Device Decommissioning

When a storage device has reached the end of its useful life, AWS procedures include a decommissioning process that is designed to prevent customer data from being exposed to unauthorized individuals.

Business Continuity Management

Amazon's infrastructure has a high level of availability and provides customers with the features to deploy a resilient IT architecture. AWS has designed its systems to tolerate system or hardware failures with minimal customer impact. Data center Business Continuity Management at AWS is under the direction of the Amazon Infrastructure Group.

Availability

Data centers are built in clusters in various global regions. All data centers are online and serving customers; no data center is "cold." In case of failure, automated processes move data traffic away from the affected area. Core applications are deployed in an N+1 configuration, so that in the event of a data center failure, there is sufficient capacity to enable traffic to be load-balanced to the remaining sites.

AWS provides its customers with the flexibility to place instances and store data within multiple geographic regions and also across multiple Availability Zones within each region. Each Availability Zone is designed as an independent failure zone. This means that Availability Zones are physically separated within a typical metropolitan region and are located in lower-risk flood plains (specific flood zone categorization varies by region). In addition to having discrete UPS and on-site backup generation facilities, they are each fed via different grids from independent utilities to further reduce single points of failure. Availability Zones are all redundantly connected to multiple tier-1 transit providers. Figure 12.2 illustrates how AWS regions are comprised of Availability Zones.
FIGURE 12.2 Amazon Web Services regions

You should architect your AWS usage to take advantage of multiple regions and Availability Zones. Distributing applications across multiple Availability Zones provides the ability to remain resilient in the face of most failure modes, including natural disasters or system failures.

Incident Response

The Amazon Incident Management team employs industry-standard diagnostic procedures to drive resolution during business-impacting events. Staff operators provide 24×7×365 coverage to detect incidents and to manage the impact and resolution.

Communication

AWS has implemented various methods of internal communication at a global level to help employees understand their individual roles and responsibilities and to communicate significant events in a timely manner. These methods include orientation and training programs for newly hired employees, regular management meetings for updates on business performance and other matters, and electronic means such as video conferencing, electronic mail messages, and the posting of information via the Amazon intranet.

AWS has also implemented various methods of external communication to support its customer base and the community. Mechanisms are in place to allow the customer support team to be notified of operational issues that impact the customer experience. A Service Health Dashboard is available and maintained by the customer support team to alert customers to any issues that may be of broad impact. The AWS Security Center is available to provide you with security and compliance details about AWS. Customers can also subscribe to AWS Support offerings that include direct communication with the customer support team and proactive alerts to any customer-impacting issues.
Network Security

The AWS network has been architected to permit you to select the level of security and resiliency appropriate for your workload. To enable you to build geographically dispersed, fault-tolerant web architectures with cloud resources, AWS has implemented a world-class network infrastructure that is carefully monitored and managed.

Secure Network Architecture

Network devices, including firewall and other boundary devices, are in place to monitor and control communications at the external boundary of the network and at key internal boundaries within the network. These boundary devices employ rule sets, access control lists (ACLs), and configurations to enforce the flow of information to specific information system services.

ACLs, or traffic flow policies, are established on each managed interface, which manage and enforce the flow of traffic. ACL policies are approved by Amazon Information Security. These policies are automatically pushed to ensure these managed interfaces enforce the most up-to-date ACLs.

Secure Access Points

AWS has strategically placed a limited number of access points to the cloud to allow for a more comprehensive monitoring of inbound and outbound communications and network traffic. These customer access points are called Application Programming Interface (API) endpoints, and they permit secure HTTP access (HTTPS), which allows you to establish a secure communication session with your storage or compute instances within AWS. To support customers with Federal Information Processing Standard (FIPS) cryptographic requirements, the Secure Sockets Layer (SSL)-terminating load balancers in AWS GovCloud (US) are FIPS 140-2 compliant.

In addition, AWS has implemented network devices that are dedicated to managing interfacing communications with Internet Service Providers (ISPs). AWS employs a redundant connection to more than one communication service at each Internet-facing edge of the AWS network. These connections each have dedicated network devices.

Transmission Protection

You can connect to an AWS access point via HTTP or HTTPS using SSL, a cryptographic protocol that is designed to protect against eavesdropping, tampering, and message forgery. For customers who require additional layers of network security, AWS offers the Amazon Virtual Private Cloud (Amazon VPC) (as referenced in Chapter 4, "Amazon Virtual Private Cloud (Amazon VPC)"), which provides a private subnet within the AWS Cloud and the ability to use an IPsec Virtual Private Network (VPN) device to provide an encrypted tunnel between the Amazon VPC and your data center.

Network Monitoring and Protection
![Page 380: Certified Solutions Architect Official Guide/AWS Certified... · Chapter 1: Introduction to AWS Chapter 2: Amazon Simple Storage Service (Amazon S3) and Amazon Glacier Storage Chapter](https://reader034.vdocuments.us/reader034/viewer/2022051812/602c405cb445ae68a568d84c/html5/thumbnails/380.jpg)
TheAWSnetworkprovidessignificantprotectionagainsttraditionalnetworksecurityissues,andyoucanimplementfurtherprotection.Thefollowingareafewexamples:
DistributedDenialofService(DDoS)AttacksAWSAPIendpointsarehostedonalarge,Internet-scale,world-classinfrastructurethatbenefitsfromthesameengineeringexpertisethathasbuiltAmazonintotheworld’slargestonlineretailer.ProprietaryDDoSmitigationtechniquesareused.Additionally,AWSnetworksaremulti-homedacrossanumberofproviderstoachieveInternetaccessdiversity.
Man in the Middle (MITM) Attacks All of the AWS APIs are available via SSL/TLS-protected endpoints that provide server authentication. Amazon Elastic Compute Cloud (Amazon EC2) AMIs automatically generate new Secure Shell (SSH) host keys on first boot and log their fingerprints to the instance's console output. You can then use the secure APIs (GetConsoleOutput) to read the console output and compare those fingerprints with the host key the instance presents before logging in to it for the first time; a mismatch means the host you are talking to is not the instance you launched. AWS encourages you to use SSL/TLS for all of your interactions.
IP Spoofing Amazon EC2 instances cannot send spoofed network traffic. The AWS-controlled, host-based firewall infrastructure will not permit an instance to send traffic with a source IP or Media Access Control (MAC) address other than its own.
Port Scanning Unauthorized port scans by Amazon EC2 customers are a violation of the AWS Acceptable Use Policy. Violations of the AWS Acceptable Use Policy are taken seriously, and every reported violation is investigated. Customers can report suspected abuse via the contacts available on the AWS website. When unauthorized port scanning is detected by AWS, it is stopped and blocked.

Port scans of Amazon EC2 instances are generally ineffective because, by default, all inbound ports on Amazon EC2 instances are closed and are only opened by the customer. Strict management of security groups can further mitigate the threat of port scans. If you configure a security group to allow traffic from any source to a specific port, that port will be visible to a port scan. In these cases, you must use appropriate security measures to protect listening services that are essential to your application, because a scan will find them. For example, a web server must clearly have port 80 (HTTP) open to the world, and the administrator of this server is responsible for the security of the HTTP server software, such as Apache.

You may request permission to conduct vulnerability scans as required to meet your specific compliance requirements. These scans must be limited to your own instances and must not violate the AWS Acceptable Use Policy. Advance approval for these types of scans can be initiated by submitting a request via the AWS website. (AWS has since changed its customer penetration testing policy: security testing of a listed set of services, Amazon EC2 included, no longer requires prior approval, but the Acceptable Use Policy still applies, and the current policy page is authoritative.)
Packet Sniffing by Other Tenants While you can place your interfaces into promiscuous mode, the hypervisor will not deliver any traffic to them that is not addressed to them. Even two virtual instances that are owned by the same customer located on the same physical host cannot listen to each other's traffic. While Amazon EC2 does provide ample protection against one customer inadvertently or maliciously attempting to view another customer's data, as a standard practice you should encrypt sensitive traffic.
It is not possible for a virtual instance running in promiscuous mode to receive or "sniff" traffic that is intended for a different virtual instance.
Attacks such as Address Resolution Protocol (ARP) cache poisoning do not work within Amazon EC2 and Amazon VPC.
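The MITM defence described above (compare the host key an instance presents with the fingerprints it logged to its console on first boot) is easy to get wrong by hand, so here is an added example that automates the comparison. It is not code from the study guide. In practice the two inputs come from `aws ec2 get-console-output --instance-id i-... --output text` and `ssh-keyscan -t ed25519 <instance-public-ip>`; here both are constructed in-line so the script runs offline, and the key blobs are filler bytes laid out like SSH wire-format keys rather than real keys.

```python
"""Verify an EC2 instance's SSH host key against the fingerprints it logged to
its console on first boot. Added example; inputs are constructed, not captured."""
import base64
import hashlib
import re

# Constructed stand-ins for `ssh-keyscan` output: "<host> <key type> <base64 blob>".
# An SSH public key blob starts with a length-prefixed key type string; the
# remainder here is filler, not real key material.
_ED25519_BLOB = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + bytes(range(32))
_ECDSA_BLOB = b"\x00\x00\x00\x13ecdsa-sha2-nistp256" + bytes(range(64, 128))
KEYSCAN_LINE = "203.0.113.10 ssh-ed25519 " + base64.b64encode(_ED25519_BLOB).decode()
KEYSCAN_ECDSA_LINE = "203.0.113.10 ecdsa-sha2-nistp256 " + base64.b64encode(_ECDSA_BLOB).decode()
# What an interposed host would present: a different key under the same address.
MITM_KEYSCAN_LINE = "203.0.113.10 ssh-ed25519 " + base64.b64encode(
    b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + bytes(range(32, 64))).decode()

# Key type named in a keyscan line -> label used in the console fingerprint block.
_KEYTYPE_LABEL = {"ssh-ed25519": "ED25519", "ssh-rsa": "RSA", "ecdsa-sha2-nistp256": "ECDSA"}


def fingerprint_sha256(keyscan_line: str) -> str:
    """OpenSSH-style fingerprint: base64 (no padding) of SHA-256 over the raw key blob."""
    _host, _ktype, b64 = keyscan_line.split()[:3]
    digest = hashlib.sha256(base64.b64decode(b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


# Constructed console output in the layout cloud-init writes on first boot;
# the fingerprints are computed from the constructed keys above.
CONSOLE_OUTPUT = "\n".join([
    "ec2: #############################################################",
    "ec2: -----BEGIN SSH HOST KEY FINGERPRINTS-----",
    f"ec2: 256 {fingerprint_sha256(KEYSCAN_ECDSA_LINE)} root@ip-10-0-0-5 (ECDSA)",
    f"ec2: 256 {fingerprint_sha256(KEYSCAN_LINE)} root@ip-10-0-0-5 (ED25519)",
    "ec2: -----END SSH HOST KEY FINGERPRINTS-----",
    "ec2: #############################################################",
])

_FP_LINE = re.compile(r"^ec2:\s+\d+\s+(SHA256:[A-Za-z0-9+/]+)\s+\S+\s+\((\w+)\)\s*$")


def console_fingerprints(console_output: str) -> dict:
    """Return {key type label: fingerprint} from the first-boot fingerprint block only."""
    found, inside = {}, False
    for line in console_output.splitlines():
        if "BEGIN SSH HOST KEY FINGERPRINTS" in line:
            inside = True
        elif "END SSH HOST KEY FINGERPRINTS" in line:
            inside = False
        elif inside:
            m = _FP_LINE.match(line)
            if m:
                found[m.group(2)] = m.group(1)
    return found


def host_key_matches_console(keyscan_line: str, console_output: str) -> bool:
    """True only if the presented key's fingerprint equals the one the instance logged."""
    ktype = keyscan_line.split()[1]
    logged = console_fingerprints(console_output).get(_KEYTYPE_LABEL.get(ktype, ""))
    return logged is not None and logged == fingerprint_sha256(keyscan_line)


if __name__ == "__main__":
    print("legitimate host key:", host_key_matches_console(KEYSCAN_LINE, CONSOLE_OUTPUT))
    print("interposed host key:", host_key_matches_console(MITM_KEYSCAN_LINE, CONSOLE_OUTPUT))
```

Run the check before the first `ssh` so the key never enters `known_hosts` unverified; a key type that was not logged at all (for example, an RSA key when the console only lists ED25519 and ECDSA) is treated as a mismatch rather than silently accepted.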
AWS Account Security Features AWS provides a variety of tools and features that you can use to keep your AWS account and resources safe from unauthorized use. This includes credentials for access control, HTTPS endpoints for encrypted data transmission, the creation of separate AWS Identity and Access Management (IAM) user accounts, and user activity logging for security monitoring. You can take advantage of all of these security tools no matter which AWS services you select.
AWS Credentials To help ensure that only authorized users and processes access your AWS account and resources, AWS uses several types of credentials for authentication. These include passwords, cryptographic keys, digital signatures, and certificates. AWS also provides the option of requiring Multi-Factor Authentication (MFA) to log in to your AWS account or IAM user accounts. Table 12.1 highlights the various AWS credentials and their uses.
TABLE 12.1 AWS Credentials

Credential Type: Passwords
Use: AWS root account or IAM user account login to the AWS Management Console
Description: A string of characters used to log in to your AWS account or IAM account. At the time of writing, AWS passwords had to be a minimum of 6 characters and could be up to 128 characters; the default IAM password policy has since been raised to a minimum of 8, and your own password policy can require more.

Credential Type: Multi-Factor Authentication (MFA)
Use: AWS root account or IAM user account login to the AWS Management Console
Description: A six-digit, single-use code that is required in addition to your password to log in to your AWS account or IAM user account.

Credential Type: Access Keys
Use: Digitally signed requests to AWS APIs (using the AWS Software Development Kit [SDK], Command Line Interface [CLI], or REST/Query APIs)
Description: Includes an access key ID and a secret access key. You use access keys to digitally sign the programmatic requests that you make to AWS.

Credential Type: Key Pairs
Use: SSH login to Amazon EC2 instances; Amazon CloudFront signed URLs
Description: A key pair is required to connect to an Amazon EC2 instance launched from a public AMI. The key pairs that Amazon EC2 generates are 2048-bit SSH-2 RSA keys. You can have a key pair generated automatically for you when you launch the instance, or you can upload your own.

Credential Type: X.509 Certificates
Use: Digitally signed SOAP requests to AWS APIs; SSL/TLS server certificates for HTTPS
Description: X.509 certificates are used to sign SOAP-based requests (a legacy interface that, at the time of writing, was used only with Amazon Simple Storage Service [Amazon S3]) and as server certificates for HTTPS. You can have AWS create an X.509 certificate and private key that you can download, or you can upload your own certificate by using the Security Credentials page.
For security reasons, if your credentials have been lost or forgotten, you cannot recover them or re-download them. However, you can create new credentials and then disable or delete the old set of credentials. In fact, AWS recommends that you change (rotate) your access keys and certificates on a regular basis. To help you do this without potential impact to your application's availability, AWS supports multiple concurrent access keys and certificates. With this feature, you can rotate keys and certificates into and out of operation on a regular basis without any downtime to your application. This can help to mitigate risk from lost or compromised access keys or certificates.
The AWS IAM API enables you to rotate the access keys of your AWS account and also those of IAM user accounts: create the new key (CreateAccessKey), move your applications to it, mark the old key inactive (UpdateAccessKey) and confirm that nothing breaks, and only then delete it (DeleteAccessKey).
Passwords Passwords are required to access your AWS account, individual IAM user accounts, AWS Discussion Forums, and the AWS Support Center. You specify the password when you first create the account, and you can change it at any time by going to the Security Credentials page. AWS passwords can be up to 128 characters long and contain special characters, giving you the ability to create very strong passwords.
You can set a password policy for your IAM user accounts to ensure that strong passwords are used and that they are changed often. A password policy is a set of rules that define the type of password an IAM user can set.
AWS Multi-Factor Authentication (AWS MFA) AWS MFA is an additional layer of security for accessing AWS Cloud services. When you enable this optional feature, you will need to provide a six-digit, single-use code in addition to your standard user name and password credentials before access is granted to your AWS account settings or AWS Cloud services and resources. You get this single-use code from an authentication device that you keep in your physical possession. This is MFA because more than one authentication factor is checked before access is granted: a password (something you know) and the precise code from your authentication device (something you have). You can enable MFA devices for your AWS account and for the users you have created under your AWS account with AWS IAM. In addition, you can add MFA protection for access across AWS accounts, for when you want to allow a user you've created under one AWS account to use an IAM role to access resources under another AWS account. You can require the user to use MFA before assuming the role as an additional layer of security.
AWS MFA supports the use of both hardware tokens and virtual MFA devices. Virtual MFA devices use the same protocols as the physical MFA devices, but can run on any mobile hardware device, including a smartphone. A virtual MFA device uses a software application that generates six-digit authentication codes that are compatible with the Time-Based One-Time Password (TOTP) standard, as described in RFC 6238. Most virtual MFA applications allow you to host more than one virtual MFA device, which makes them more convenient than hardware MFA devices. However, you should be aware that because a virtual MFA may be run on a less secure device such as a smartphone, a virtual MFA might not provide the same level of security as a hardware MFA device.
You can also enforce MFA authentication for AWS Cloud service APIs in order to provide an extra layer of protection over powerful or privileged actions such as terminating Amazon EC2 instances or reading sensitive data stored in Amazon S3. You do this by adding an MFA requirement to an IAM access policy, using the aws:MultiFactorAuthPresent condition key. You can attach these access policies to IAM users, IAM groups, or resources that support resource-based policies, like Amazon S3 buckets, Amazon Simple Queue Service (Amazon SQS) queues, and Amazon Simple Notification Service (Amazon SNS) topics.
Access Keys Access keys are created by AWS IAM and delivered as a pair: the Access Key ID (AKI) and the Secret Access Key (SAK). AWS requires that all API requests be signed with the SAK; that is, they must include a digital signature that AWS can use to verify the identity of the requestor. You calculate the signature using a keyed cryptographic hash function (an HMAC), so the SAK itself never leaves your system. If you use any of the AWS SDKs to generate requests, the signature calculation is done for you.
Not only does the signing process help protect message integrity by preventing tampering with the request while it is in transit, but it also helps protect against potential replay attacks. A request must reach AWS within 15 minutes of the timestamp in the request. Otherwise, AWS denies the request.
The most recent version of the signature calculation process at the time of this writing is Signature Version 4, which calculates the signature using a Hash-based Message Authentication Code (HMAC) with SHA-256. Version 4 provides an additional measure of protection over previous versions by requiring that you sign the message using a key that is derived from your SAK instead of using the SAK itself. In addition, you derive the signing key based on credential scope (the date, region, and service of the request), which facilitates cryptographic isolation of the signing key: a derived key that leaks is only good for that one day, region, and service.
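The key derivation and the 15-minute window just described are short enough to show end to end. The following is an added example, not code from the study guide or from the AWS SDKs. It uses the placeholder secret key, date, region, service and request that appear in the public AWS Signature Version 4 documentation examples (the key is a documented placeholder, not a live credential); the derived-key value it checks against comes from that documentation. Standard library only.

```python
"""AWS Signature Version 4: scoped signing-key derivation, request signing, and
the server-side timestamp window. Added example; standard library only."""
import datetime as dt
import hashlib
import hmac
from urllib.parse import quote

# Placeholder secret access key from the AWS SigV4 documentation examples.
EXAMPLE_SAK = "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY"


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret_access_key: str, date: str, region: str, service: str) -> bytes:
    """kSigning = HMAC(HMAC(HMAC(HMAC("AWS4" + SAK, date), region), service), "aws4_request").
    The SAK itself never signs a request; a leaked kSigning is only useful for
    that one date, region and service (the credential scope)."""
    k_date = _hmac(("AWS4" + secret_access_key).encode("utf-8"), date)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def canonical_request(method: str, path: str, query: dict, headers: dict, payload: bytes):
    """Build the SigV4 canonical request; returns (text, signed-headers list)."""
    enc = lambda s: quote(s, safe="-_.~")
    canonical_query = "&".join(f"{enc(k)}={enc(v)}" for k, v in sorted(query.items()))
    lowered = {k.lower(): " ".join(v.split()) for k, v in headers.items()}  # trim/collapse
    signed_headers = ";".join(sorted(lowered))
    canonical_headers = "".join(f"{k}:{lowered[k]}\n" for k in sorted(lowered))
    text = "\n".join([method, path, canonical_query, canonical_headers,
                      signed_headers, hashlib.sha256(payload).hexdigest()])
    return text, signed_headers


def sign_request(sak: str, region: str, service: str, method: str, path: str,
                 query: dict, headers: dict, payload: bytes = b"") -> dict:
    """Return the pieces a client places in the Authorization header."""
    amz_date = {k.lower(): v for k, v in headers.items()}["x-amz-date"]
    date = amz_date[:8]
    scope = f"{date}/{region}/{service}/aws4_request"
    creq, signed_headers = canonical_request(method, path, query, headers, payload)
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(creq.encode("utf-8")).hexdigest()])
    signature = hmac.new(derive_signing_key(sak, date, region, service),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return {"scope": scope, "signed_headers": signed_headers, "signature": signature}


def within_clock_window(amz_date: str, now_amz_date: str, minutes: int = 15) -> bool:
    """The receiver's replay check: reject a request whose x-amz-date is more
    than `minutes` away from the receiver's clock (AWS uses 15)."""
    fmt = "%Y%m%dT%H%M%SZ"
    sent = dt.datetime.strptime(amz_date, fmt)
    now = dt.datetime.strptime(now_amz_date, fmt)
    return abs((now - sent).total_seconds()) <= minutes * 60


# The IAM ListUsers request used in the AWS documentation example.
EXAMPLE_HEADERS = {
    "content-type": "application/x-www-form-urlencoded; charset=utf-8",
    "host": "iam.amazonaws.com",
    "x-amz-date": "20150830T123600Z",
}
EXAMPLE_QUERY = {"Action": "ListUsers", "Version": "2010-05-08"}

if __name__ == "__main__":
    # The AWS documentation lists the expected kSigning for these inputs; compare.
    print("kSigning:", derive_signing_key(EXAMPLE_SAK, "20150830", "us-east-1", "iam").hex())
    print(sign_request(EXAMPLE_SAK, "us-east-1", "iam", "GET", "/", EXAMPLE_QUERY, EXAMPLE_HEADERS))
```

Two things worth noticing: the same secret yields a different kSigning for us-west-2 than for us-east-1, which is the scope isolation the text describes, and the signature covers the query string and the signed headers, so changing `Action` from ListUsers to something more dangerous changes the signature and the request fails.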
Because access keys can be misused if they fall into the wrong hands, AWS encourages you to save them in a safe place and to not embed them in your code. For customers with large fleets of elastically scaling Amazon EC2 instances, the use of IAM roles can be a more secure and convenient way to manage the distribution of access keys.
IAM roles provide temporary credentials, which not only get automatically delivered to the target instance (through the instance metadata service) but are also automatically rotated multiple times a day. Anything that can read the instance metadata service, including an application on the instance that can be tricked into making requests on an attacker's behalf, can read those credentials, so scope the role's permissions to the minimum the instance needs.
Amazon EC2 uses an instance profile as a container for an IAM role. When you create an IAM role using the AWS Management Console, the console creates an instance profile automatically and gives it the same name as the role to which it corresponds. If you use the AWS CLI, API, or an AWS SDK to create a role, you create the role and instance profile as separate actions, and you might give them different names. To launch an instance with an IAM role, you specify the name of its instance profile. When you launch an instance using the Amazon EC2 console, you can select a role to associate with the instance; however, the list that's displayed is actually a list of instance profile names.
Key pairs Amazon EC2 supports RSA 2048 SSH keys for gaining first access to an Amazon EC2 instance. On a Linux instance, access is granted by showing possession of the SSH private key. On a Windows instance, access is granted by using the SSH private key to decrypt the administrator password, which the Amazon EC2 API (GetPasswordData) returns encrypted under the key pair's public key. The public key is embedded in your instance, and you use the private key to sign in securely without a password. After you create your own AMIs, you can choose other mechanisms to log in to your new instances securely. You can have a key pair generated automatically for you when you launch the instance, or you can upload your own. Save the private key in a safe place on your system and record the location where you saved it.
For Amazon CloudFront, you use key pairs to create signed URLs for private content, such as when you want to distribute restricted content that someone paid for. You create Amazon CloudFront key pairs by using the Security Credentials page. Amazon CloudFront key pairs can be created only by the root account and cannot be created by IAM users. (CloudFront has since added key groups, which let IAM principals manage the public keys used for signed URLs without touching the root account.)
X.509 Certificates X.509 certificates are used to sign SOAP-based requests. X.509 certificates contain a public key that is associated with a private key. When you create a request, you create a digital signature with your private key and then include that signature in the request, along with your certificate. AWS verifies that you're the sender by checking the signature with the public key that is in your certificate. AWS also verifies that the certificate that you sent matches the certificate that you uploaded to AWS.
For your AWS account, you can have AWS create an X.509 certificate and private key that you can download, or you can upload your own certificate by using the Security Credentials page. For IAM users, you must create the X.509 certificate (signing certificate) by using third-party software. In contrast to root account credentials, AWS cannot create an X.509 certificate for IAM users. After you create the certificate, you attach it to an IAM user by using IAM.
In addition to SOAP requests, X.509 certificates are used as SSL/Transport Layer Security (TLS) server certificates for customers who want to use HTTPS to encrypt their transmissions. To use them for HTTPS, you can use an open-source tool like OpenSSL to create a unique private key. You'll need the private key to create the Certificate Signing Request (CSR) that you submit to a Certificate Authority (CA) to obtain the server certificate. You'll then use the AWS CLI (the upload-server-certificate command) to upload the certificate, private key, and certificate chain to IAM. AWS Certificate Manager (ACM) is now the usual place to keep such certificates, and it can issue and renew them for you so that the private key never has to leave AWS.
You will also need an X.509 certificate to create a customized Linux AMI for Amazon EC2 instances. The certificate is only required to create an instance store-backed AMI (as opposed to an Amazon Elastic Block Store [Amazon EBS]-backed AMI). You can have AWS create an X.509 certificate and private key that you can download, or you can upload your own certificate by using the Security Credentials page.
AWS CloudTrail AWS CloudTrail is a web service that records API calls made on your account and delivers log files to your Amazon S3 bucket. AWS CloudTrail's benefit is visibility into account activity by recording API calls made on your account. AWS CloudTrail records the following information about each API call:
The name of the API
The identity of the caller
The time of the API call
The request parameters
The response elements returned by the AWS Cloud service
This information helps you to track changes made to your AWS resources and to troubleshoot operational issues. AWS CloudTrail makes it easier to ensure compliance with internal policies and regulatory standards.
AWS CloudTrail supports log file integrity validation, which means you can prove to third parties (for example, auditors) that the log files sent by AWS CloudTrail have not been altered. Validated log files are invaluable in security and forensic investigations. This feature is built using industry-standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing. CloudTrail delivers an hourly digest file that lists the hash of every log file delivered in that hour together with the hash and signature of the previous digest, so the digests form a chain; the aws cloudtrail validate-logs command walks that chain. This makes it computationally infeasible to modify, delete, or forge AWS CloudTrail log files without detection.
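To make the chain described above concrete, here is an added example (not code from the study guide) that walks the SHA-256 links between constructed digest files and constructed log files. Real digest and log files are gzipped JSON objects in S3 with more fields than shown here, and each digest also carries an RSA signature (SHA256withRSA) in the S3 object's metadata; that signature is what `aws cloudtrail validate-logs` checks with CloudTrail's public key, and it is deliberately not reproduced here. The account ID, bucket and object names are made up.

```python
"""Walk the hash chain underneath CloudTrail log file integrity validation:
each digest records the SHA-256 of every log file it covers and the SHA-256 of
the previous digest, so an altered or deleted file breaks a link.
Added example; all files are constructed in-line. Standard library only."""
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


BUCKET = "example-trail-bucket"  # constructed
# Constructed log file contents keyed by S3 object name (real names are longer).
LOG_FILES = {
    "logs/2017-01-01T00.json": b'{"Records":[{"eventName":"StopInstances","userIdentity":{"type":"IAMUser"}}]}',
    "logs/2017-01-01T01.json": b'{"Records":[{"eventName":"CreateAccessKey","userIdentity":{"type":"IAMUser"}}]}',
    "logs/2017-01-01T02.json": b'{"Records":[{"eventName":"DeleteTrail","userIdentity":{"type":"IAMUser"}}]}',
}


def build_digest(name: str, log_objects: list, previous: tuple = None) -> bytes:
    """Serialize a digest covering `log_objects`; `previous` is (name, bytes) of
    the preceding digest, or None for the first digest in the chain."""
    digest = {
        "awsAccountId": "111122223333",
        "digestS3Bucket": BUCKET,
        "digestS3Object": name,
        "digestSignatureAlgorithm": "SHA256withRSA",
        "logFiles": [
            {"s3Bucket": BUCKET, "s3Object": obj,
             "hashValue": sha256_hex(LOG_FILES[obj]), "hashAlgorithm": "SHA-256"}
            for obj in log_objects
        ],
        "previousDigestS3Object": previous[0] if previous else None,
        "previousDigestHashValue": sha256_hex(previous[1]) if previous else None,
        "previousDigestHashAlgorithm": "SHA-256" if previous else None,
    }
    return json.dumps(digest, sort_keys=True).encode("utf-8")


D1 = build_digest("digests/2017-01-01T00.json", ["logs/2017-01-01T00.json"])
D2 = build_digest("digests/2017-01-01T01.json", ["logs/2017-01-01T01.json"],
                  ("digests/2017-01-01T00.json", D1))
D3 = build_digest("digests/2017-01-01T02.json", ["logs/2017-01-01T02.json"],
                  ("digests/2017-01-01T01.json", D2))
DIGESTS = [D1, D2, D3]  # in delivery order


def validate_chain(digest_files: list, log_store: dict) -> list:
    """Return a list of problems; an empty list means every link held."""
    problems, prev_bytes = [], None
    for raw in digest_files:
        d = json.loads(raw)
        if prev_bytes is not None and d["previousDigestHashValue"] != sha256_hex(prev_bytes):
            problems.append(f"{d['digestS3Object']}: previous digest hash mismatch "
                            "(a digest was altered or removed from the chain)")
        for lf in d["logFiles"]:
            data = log_store.get(lf["s3Object"])
            if data is None:
                problems.append(f"{lf['s3Object']}: log file missing")
            elif lf["hashAlgorithm"] != "SHA-256" or lf["hashValue"] != sha256_hex(data):
                problems.append(f"{lf['s3Object']}: hash mismatch (log file altered)")
        prev_bytes = raw
    return problems


if __name__ == "__main__":
    print("intact chain:", validate_chain(DIGESTS, LOG_FILES))
    edited = dict(LOG_FILES)
    edited["logs/2017-01-01T02.json"] = b'{"Records":[]}'  # the DeleteTrail event "disappears"
    print("edited log file:", validate_chain(DIGESTS, edited))
    print("digest removed:", validate_chain([D1, D3], LOG_FILES))
```

The interesting failure is the middle one: removing a whole digest (and the hour of logs it covers) is caught not by the deleted file but by the next digest, whose `previousDigestHashValue` no longer matches anything on hand. That is why the chain must be validated from the first digest of the period of interest, not just for the files an investigator happens to be looking at.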
AWS Cloud Service-Specific Security Not only is security built into every layer of the AWS infrastructure, but also into each of the services available on that infrastructure. AWS Cloud services are architected to work efficiently and securely with all AWS networks and platforms. Each service provides additional security features to enable you to protect sensitive data and applications.
Compute Services AWS provides a variety of cloud-based computing services that include a wide selection of compute instances that can scale up and down automatically to meet the needs of your application or enterprise.
Amazon Elastic Compute Cloud (Amazon EC2) Security Amazon EC2 is a key component in Amazon's Infrastructure as a Service (IaaS), providing resizable computing capacity using server instances in AWS data centers. Amazon EC2 is designed to make web-scale computing easier by enabling you to obtain and configure capacity with minimal friction. You create and launch instances, which are collections of platform hardware and software.
Multiple Levels of Security Security within Amazon EC2 is provided on multiple levels: the operating system (OS) of the host platform, the virtual instance OS or guest OS, a firewall, and signed API calls. Each of these items builds on the capabilities of the others. The goal is to prevent data contained within Amazon EC2 from being intercepted by unauthorized systems or users and to make Amazon EC2 instances themselves as secure as possible without sacrificing the flexibility in configuration that customers demand.
The Hypervisor At the time of writing, Amazon EC2 used a highly customized version of the Xen hypervisor, taking advantage of paravirtualization (in the case of Linux guests). (Current-generation instance types run on the AWS Nitro hypervisor instead; the isolation goals described here are unchanged.) Because paravirtualized guests rely on the hypervisor to provide support for operations that normally require privileged access, the guest OS has no elevated access to the CPU. The CPU provides four separate privilege modes, 0 through 3, called rings. Ring 0 is the most privileged and 3 the least. The host OS executes in Ring 0. However, instead of executing in Ring 0 as most OSs do, the guest OS runs in the lesser-privileged Ring 1, and applications in the least privileged Ring 3. This explicit virtualization of the physical resources leads to a clear separation between guest and hypervisor, resulting in additional security separation between the two.
Instance Isolation Different instances running on the same physical machine are isolated from each other via the Xen hypervisor. Amazon is active in the Xen community, which provides AWS with awareness of the latest developments. In addition, the AWS firewall resides within the hypervisor layer, between the physical network interface and the instance's virtual interface. All packets must pass through this layer; thus, an instance's neighbors have no more access to that instance than any other host on the Internet and can be treated as if they are on separate physical hosts. The physical RAM is separated using similar mechanisms. Customer instances have no access to raw disk devices, but instead are presented with virtualized disks. The AWS proprietary disk virtualization layer automatically resets every block of storage used by the customer, so that one customer's data is never unintentionally exposed to another customer. In addition, memory allocated to guests is scrubbed (set to zero) by the hypervisor when it is unallocated to a guest. The memory is not returned to the pool of free memory available for new allocations until the memory scrubbing is completed. Figure 12.3 depicts instance isolation within Amazon EC2.
FIGURE 12.3 Amazon EC2 multiple layers of security
Host Operating System Administrators with a business need to access the management plane are required to use MFA to gain access to purpose-built administration hosts. These administrative hosts are systems that are specifically designed, built, configured, and hardened to protect the management plane of the cloud. All such access is logged and audited. When an employee no longer has a business need to access the management plane, the privileges and access to these hosts and relevant systems can be revoked.
Guest Operating System Virtual instances are completely controlled by you, the customer. You have full root access or administrative control over accounts, services, and applications. AWS does not have any access rights to your instances or the guest OS. AWS recommends a base set of security best practices, including disabling password-only access to your guests and using some form of MFA to gain access to your instances (or, at a minimum, key- or certificate-based SSH Version 2 access). Additionally, you should employ a privilege escalation mechanism with logging on a per-user basis. For example, if the guest OS is Linux, after hardening your instance you should use key- or certificate-based SSHv2 to access the virtual instance, disable remote root login, use command-line logging, and use sudo for privilege escalation. You should generate your own key pairs in order to guarantee that they are unique and not shared with other customers or with AWS. AWS also supports the use of the SSH network protocol to enable you to log in securely to your UNIX/Linux Amazon EC2 instances.
Authentication for SSH used with AWS is via a public/private key pair to reduce the risk of unauthorized access to your instance. You can also connect remotely to your Windows instances using Remote Desktop Protocol (RDP) by using an RDP certificate generated for your instance. You also control the updating and patching of your guest OS, including security updates. Amazon-provided Windows and Linux-based AMIs are updated regularly with the latest patches, so if you do not need to preserve data or customizations on your running Amazon AMI instances, you can simply relaunch new instances with the latest updated AMI. In addition, updates are provided for the Amazon Linux AMI via the Amazon Linux yum repositories.
Firewall Amazon EC2 provides a mandatory inbound firewall that is configured in a default deny-all mode; Amazon EC2 customers must explicitly open the ports needed to allow inbound traffic. The traffic may be restricted by protocol, by service port, and by source IP address (individual IP or Classless Inter-Domain Routing [CIDR] block).
The firewall can be configured in groups, permitting different classes of instances to have different rules. Consider, for example, the case of a traditional three-tiered web application. The group for the web servers would have port 80 (HTTP) and/or port 443 (HTTPS) open to the Internet. The group for the application servers would have port 8000 (application specific) accessible only to the web server group. The group for the database servers would have port 3306 (MySQL) open only to the application server group. All three groups would permit administrative access on port 22 (SSH), but only from the customer's corporate network. Highly secure applications can be deployed using this approach, which is also depicted in Figure 12.4.
FIGURE 12.4 Amazon EC2 security group firewall
The level of security afforded by the firewall is a function of which ports you open and for what duration and purpose. Well-informed traffic management and security design are still required on a per-instance basis. AWS further encourages you to apply additional per-instance filters with host-based firewalls such as iptables or the Windows Firewall and VPNs. This can restrict both inbound and outbound traffic.
The default state is to deny all incoming traffic, and you should carefully plan what you will open when building and securing your applications.
API Access API calls to launch and terminate instances, change firewall parameters, and perform other functions are all signed by your Amazon Secret Access Key, which could be either the AWS account's Secret Access Key or the Secret Access Key of a user created with AWS IAM. Without access to your Secret Access Key, Amazon EC2 API calls cannot be made on your behalf. API calls can also be encrypted with SSL/TLS to maintain confidentiality. AWS recommends always using SSL/TLS-protected API endpoints.
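The three-tier layout described above is only as good as the rules actually deployed, and rules drift. The following is an added example (not code from the study guide) that audits security group rules against an intended policy. The input is constructed in the shape that `aws ec2 describe-security-groups` returns (IpPermissions with IpRanges and UserIdGroupPairs); the group IDs, the corporate CIDR and the two deliberate mistakes are made up. The policy table generalizes the book's example: any group, any port range, sources given as CIDRs or security group IDs.

```python
"""Audit EC2 security group rules against an intended three-tier policy.
Added example; input is constructed in describe-security-groups shape."""
CORPORATE_CIDR = "198.51.100.0/24"     # assumed corporate network (constructed)
WORLD = {"0.0.0.0/0", "::/0"}
ADMIN_PORTS = {22, 3389}


def _rule(proto, frm, to, cidrs=(), groups=()):
    """Build one IpPermissions entry the way describe-security-groups returns it."""
    return {"IpProtocol": proto, "FromPort": frm, "ToPort": to,
            "IpRanges": [{"CidrIp": c} for c in cidrs],
            "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": g} for g in groups]}


SECURITY_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "web", "IpPermissions": [
        _rule("tcp", 80, 80, cidrs=["0.0.0.0/0"]),
        _rule("tcp", 443, 443, cidrs=["0.0.0.0/0"]),
        _rule("tcp", 22, 22, cidrs=[CORPORATE_CIDR]),
    ]},
    {"GroupId": "sg-0bbb", "GroupName": "app", "IpPermissions": [
        _rule("tcp", 8000, 8000, groups=["sg-0aaa"]),
        _rule("tcp", 22, 22, cidrs=["0.0.0.0/0"]),                       # mistake: SSH from anywhere
    ]},
    {"GroupId": "sg-0ccc", "GroupName": "db", "IpPermissions": [
        _rule("tcp", 3306, 3306, cidrs=["10.0.0.0/16"], groups=["sg-0bbb"]),  # mistake: whole VPC CIDR
        _rule("tcp", 22, 22, cidrs=[CORPORATE_CIDR]),
    ]},
]

# Intended policy: group name -> allowed (from_port, to_port, {sources}); a
# source is a CIDR or a security group ID. Any rule not covered is a finding.
EXPECTED = {
    "web": [(80, 80, {"0.0.0.0/0"}), (443, 443, {"0.0.0.0/0"}), (22, 22, {CORPORATE_CIDR})],
    "app": [(8000, 8000, {"sg-0aaa"}), (22, 22, {CORPORATE_CIDR})],
    "db":  [(3306, 3306, {"sg-0bbb"}), (22, 22, {CORPORATE_CIDR})],
}


def _sources(perm):
    for r in perm.get("IpRanges", []):
        yield r["CidrIp"]
    for r in perm.get("Ipv6Ranges", []):
        yield r["CidrIpv6"]
    for p in perm.get("UserIdGroupPairs", []):
        yield p["GroupId"]


def audit(groups: list, expected: dict) -> list:
    """Return (group name, 'proto from-to', source, reason) for every rule that
    the expected policy does not cover, in input order."""
    findings = []
    for g in groups:
        name = g["GroupName"]
        allowed = expected.get(name)
        for perm in g["IpPermissions"]:
            proto = perm["IpProtocol"]
            frm, to = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            ports = f"{proto} {frm}-{to}"
            for src in _sources(perm):
                if allowed is None:
                    reason = "group has no expected policy"
                elif proto == "-1":
                    reason = "all protocols and ports allowed"
                elif any(proto == "tcp" and lo <= frm and to <= hi and src in srcs
                         for lo, hi, srcs in allowed):
                    continue
                elif src in WORLD and any(frm <= p <= to for p in ADMIN_PORTS):
                    reason = "administrative port reachable from the Internet"
                elif src in WORLD:
                    reason = "port reachable from the Internet but not in expected policy"
                else:
                    reason = "source not in expected policy"
                findings.append((name, ports, src, reason))
    return findings


if __name__ == "__main__":
    for finding in audit(SECURITY_GROUPS, EXPECTED):
        print(*finding, sep=" | ")
```

Note the second finding: the database rule does reference the application group, but it also opens 3306 to the whole VPC CIDR, which is exactly the kind of "belt and braces" addition that quietly defeats the group-to-group design the book describes. Referencing a security group as the source is the right tool; a CIDR is only right when the sources really are a fixed address range, such as the corporate network.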
Amazon Elastic Block Store (Amazon EBS) Security Amazon EBS allows you to create storage volumes from 1 GB to 16 TB that can be mounted as devices by Amazon EC2 instances. Storage volumes behave like raw, unformatted block devices, with user-supplied device names and a block device interface. You can create a file system on top of Amazon EBS volumes or use them in any other way you would use a block device (like a hard drive). Amazon EBS volume access is restricted to the AWS account that created the volume and to the users under the AWS account created with AWS IAM (if the user has been granted access to the EBS operations). All other AWS accounts and users are denied the permission to view or access the volume.
Data stored in Amazon EBS volumes is redundantly stored in multiple physical locations as part of normal operation of those services and at no additional charge. However, Amazon EBS replication is stored within the same Availability Zone, not across multiple zones; therefore, it is highly recommended that you conduct regular snapshots to Amazon S3 for long-term data durability. For customers who have architected complex transactional databases using Amazon EBS, it is recommended that backups to Amazon S3 be performed through the database management system so that distributed transactions and logs can be checkpointed. AWS does not automatically perform backups of data that are maintained on virtual disks attached to running instances on Amazon EC2.
You can make Amazon EBS volume snapshots publicly available to other AWS accounts to use as the basis for creating duplicate volumes. Sharing Amazon EBS volume snapshots does not provide other AWS accounts with the permission to alter or delete the original snapshot, as that right is explicitly reserved for the AWS account that created the volume. An Amazon EBS snapshot is a block-level view of an entire Amazon EBS volume. Note that data that is not visible through the file system on the volume, such as files that have been deleted, may be present in the Amazon EBS snapshot. If you want to create shared snapshots, you should do so carefully. If a volume has held sensitive data or has had files deleted from it, you should create a new Amazon EBS volume to share. The data to be contained in the shared snapshot should be copied to the new volume, and the snapshot created from the new volume.
Amazon EBS volumes are presented to you as raw unformatted block devices that have been wiped prior to being made available for use. Wiping occurs immediately before reuse so that you can be assured that the wipe process is completed. If you have procedures requiring that all data be wiped via a specific method, you have the ability to do so on Amazon EBS. You should conduct a specialized wipe procedure prior to deleting the volume for compliance with your established requirements.
Encryption of sensitive data is generally a good security practice, and AWS provides the ability to encrypt Amazon EBS volumes and their snapshots with Advanced Encryption Standard (AES)-256. The encryption occurs on the servers that host the Amazon EC2 instances, providing encryption of data as it moves between Amazon EC2 instances and Amazon EBS storage. In order to be able to do this efficiently and with low latency, the Amazon EBS encryption feature was, at the time of writing, only available on Amazon EC2's more powerful instance types; it is now supported on all current-generation instance types. Encrypted snapshots cannot be made public, and encryption at rest does not change the sharing caveat above: an account you share a snapshot with can read everything on it, deleted files included.
Networking AWS provides a range of networking services that enable you to create a logically isolated network that you define, establish a private network connection to the AWS Cloud, use a highly available and scalable Domain Name System (DNS) service, and deliver content to your end users with low latency at high data transfer speeds with a content delivery web service.
Elastic Load Balancing Security Elastic Load Balancing is used to manage traffic on a fleet of Amazon EC2 instances, distributing traffic to instances across all Availability Zones within a region. Elastic Load Balancing has all of the advantages of an on-premises load balancer, plus several security benefits:
Takes over the encryption and decryption work from the Amazon EC2 instances and manages it centrally on the load balancer.
Offers clients a single point of contact, and can also serve as the first line of defense against attacks on your network.
When used in an Amazon VPC, supports creation and management of security groups associated with your Elastic Load Balancing to provide additional networking and security options.
Supports end-to-end traffic encryption using TLS (previously SSL) on those networks that use secure HTTP (HTTPS) connections. When TLS is used, the TLS server certificate used to terminate client connections can be managed centrally on the load balancer, instead of on every individual instance.
HTTPS/TLS uses a long-term secret key to generate a short-term session key to be used between the server and the browser to create the encrypted message (with RSA key exchange; the ephemeral Diffie-Hellman suites described below derive the session key without involving the long-term key). Elastic Load Balancing configures your load balancer with a pre-defined cipher set that is used for TLS negotiation when a connection is established between a client and your load balancer. The pre-defined cipher set provides compatibility with a broad range of clients and uses strong cryptographic algorithms. However, some customers may have requirements for allowing only specific ciphers and protocols (for example, Payment Card Industry Data Security Standard [PCI DSS], Sarbanes-Oxley Act [SOX]) from clients to ensure that standards are met. In these cases, Elastic Load Balancing provides options for selecting different configurations for TLS protocols and ciphers. You can choose to enable or disable the ciphers depending on your specific requirements.
To help ensure the use of newer and stronger cipher suites when establishing a secure connection, you can configure the load balancer to have the final say in the cipher suite selection during the client-server negotiation. When the Server Order Preference option is selected, the load balancer will select a cipher suite based on the server's prioritization of cipher suites instead of the client's. This gives you more control over the level of security that clients use to connect to your load balancer.
For even greater communication privacy, Elastic Load Balancing allows the use of Perfect Forward Secrecy, which uses session keys that are ephemeral and not stored anywhere. This prevents the decoding of captured data, even if the secret long-term key itself is later compromised.
Elastic Load Balancing allows you to identify the originating IP address of a client connecting to your servers, whether you're using HTTPS or TCP load balancing (through the X-Forwarded-For header on HTTP/HTTPS listeners and Proxy Protocol on TCP listeners). Typically, client connection information, such as IP address and port, is lost when requests are proxied through a load balancer. This is because the load balancer sends requests to the server on behalf of the client, making your load balancer appear as though it is the requesting client. Having the originating client IP address is useful if you need more information about visitors to your applications in order to gather connection statistics, analyze traffic logs, or manage whitelists of IP addresses. Because X-Forwarded-For is an ordinary header, trust only the value the load balancer itself appended, not one supplied by the client.
Elastic Load Balancing access logs contain information about each HTTP and TCP request processed by your load balancer. This includes the IP address and port of the requesting client, the back-end IP address of the instance that processed the request, the size of the request and response, and the actual request line from the client (for example, GET http://www.example.com:80/ HTTP/1.1). All requests sent to the load balancer are logged, including requests that never make it to back-end instances.
Amazon Virtual Private Cloud (Amazon VPC) Security Normally, each Amazon EC2 instance you launch is randomly assigned a public IP address in the Amazon EC2 address space. Amazon VPC enables you to create an isolated portion of the AWS Cloud and launch Amazon EC2 instances that have private (RFC 1918) addresses in the range of your choice (for example, 10.0.0.0/16). You can define subnets within your Amazon VPC, grouping similar kinds of instances based on IP address range, and then set up routing and security to control the flow of traffic in and out of the instances and subnets.
Security features within Amazon VPC include security groups, network ACLs, routing tables, and external gateways. Each of these items is complementary to providing a secure, isolated network that can be extended through selective enabling of direct Internet access or private connectivity to another network. Amazon EC2 instances running within an Amazon VPC inherit all of the benefits described above related to the guest OS and protection against packet sniffing. Note, however, that you must create security groups specifically for your Amazon VPC; any EC2-Classic security groups you have created will not work inside your Amazon VPC. (EC2-Classic has since been retired, so every instance now launches into a VPC and uses VPC security groups.) In addition, Amazon VPC security groups have additional capabilities that EC2-Classic security groups do not have, such as being able to change the security group after the instance is launched and being able to specify any protocol with a standard protocol number (as opposed to just TCP, User Datagram Protocol [UDP], or Internet Control Message Protocol [ICMP]).
Each Amazon VPC is a distinct, isolated network within the cloud; network traffic within each Amazon VPC is isolated from all other Amazon VPCs. At creation time, you select an IP address range for each Amazon VPC. You may create and attach an Internet gateway, virtual private gateway, or both to establish external connectivity, subject to the following controls.
API Access
Calls to create and delete Amazon VPCs; change routing, security group, and network ACL parameters; and perform other functions are all signed by your Amazon Secret Access Key, which could be either the AWS account's Secret Access Key or the Secret Access Key of a user created with AWS IAM. Without access to your Secret Access Key, Amazon VPC API calls cannot be made on your behalf. In addition, API calls can be encrypted with SSL to maintain confidentiality. AWS recommends always using SSL-protected API endpoints. AWS IAM also enables a customer to further control what APIs a newly created user has permissions to call.
Subnets and Route Tables
You create one or more subnets within each Amazon VPC; each instance launched in the Amazon VPC is connected to one subnet. Traditional Layer 2 security attacks, including MAC spoofing and ARP spoofing, are blocked. Each subnet in an Amazon VPC is associated with a routing table, and all network traffic leaving the subnet is processed by the routing table to determine the destination.
Firewall (Security Groups)
Like Amazon EC2, Amazon VPC supports a complete firewall solution, enabling filtering on both ingress and egress traffic from an instance. The default group enables inbound communication from other members of the same group and outbound communication to any destination. Traffic can be restricted by any IP protocol, by service port, and by source/destination IP address (individual IP or CIDR block). The firewall isn't controlled through the guest OS; rather, it can be modified only through the invocation of Amazon VPC APIs. AWS supports the ability to grant granular access to different administrative functions on the instances and the firewall, therefore enabling you to implement additional security through separation of duties. The level of security afforded by the firewall is a function of which ports you open and for what duration and purpose. Well-informed traffic management and security design are still required on a per-instance basis. AWS further encourages you to apply additional per-instance filters with host-based firewalls such as IPtables or the Windows Firewall. Figure 12.5 illustrates an Amazon VPC with two types of subnets (public and private) and two network paths to two different networks (a customer data center and the Internet).
FIGURE 12.5 Amazon VPC network architecture
Network ACLs
To add a further layer of security within Amazon VPC, you can configure network ACLs. These are stateless traffic filters that apply to all traffic inbound or outbound from a subnet within Amazon VPC. These ACLs can contain ordered rules to allow or deny traffic based on IP protocol, by service port, and by source/destination IP address.
Like security groups, network ACLs are managed through Amazon VPC APIs, adding an additional layer of protection and enabling additional security through separation of duties. Figure 12.6 depicts how the security controls above interrelate to enable flexible network topologies while providing complete control over network traffic flows.
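The practical consequence of "stateless" versus "stateful" is easy to get wrong, so here is an added example (not from the book or from AWS) that models both filters on one HTTPS request and its reply. The packet, rule, and address values are constructed; the model keeps only what matters for the point: a network ACL judges every packet against its ordered rules in isolation, so the reply to a permitted request is dropped unless an outbound rule covers the client's ephemeral port, whereas a security group remembers the flow it allowed and lets the reply through without any egress rule.

```python
"""Stateless network ACL vs. stateful security group, simulated on one HTTPS request/reply pair."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp", "udp", "icmp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    number: int       # network ACL rules are evaluated in ascending number order; first match wins
    proto: str        # "tcp", "udp", "icmp", or "-1" for all protocols
    cidr: str         # source CIDR for inbound rules, destination CIDR for outbound rules
    port_from: int    # destination port range in both directions, as in the real rule format
    port_to: int
    action: str       # "allow" or "deny"


def _matches(rule, proto, ip, port):
    if rule.proto != "-1" and rule.proto != proto:
        return False
    if ipaddress.ip_address(ip) not in ipaddress.ip_network(rule.cidr):
        return False
    return rule.port_from <= port <= rule.port_to


class NetworkAcl:
    """Stateless: each packet, in either direction, is judged on its own against the ordered rules."""

    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    def allows(self, direction, pkt):
        if direction == "in":
            rules, ip, port = self.inbound, pkt.src_ip, pkt.dst_port
        else:
            rules, ip, port = self.outbound, pkt.dst_ip, pkt.dst_port
        for r in rules:
            if _matches(r, pkt.proto, ip, port):
                return r.action == "allow"
        return False   # the implicit final "*" rule denies everything not matched above


class SecurityGroup:
    """Stateful: a packet that opened an allowed flow lets the reply through regardless of rules."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound   # allow rules only; no deny in security groups
        self._flows = set()

    def allows(self, direction, pkt):
        reply_of = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reply_of in self._flows:
            return True    # connection tracking: the reverse direction of a permitted flow
        if direction == "in":
            rules, ip, port = self.inbound, pkt.src_ip, pkt.dst_port
        else:
            rules, ip, port = self.outbound, pkt.dst_ip, pkt.dst_port
        if any(_matches(r, pkt.proto, ip, port) for r in rules):
            self._flows.add((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return True
        return False


# Constructed flow: an Internet client opens HTTPS to a web instance in a public subnet, which replies.
CLIENT, SERVER = "203.0.113.9", "10.0.1.25"
REQUEST = Packet("tcp", CLIENT, 51000, SERVER, 443)
REPLY = Packet("tcp", SERVER, 443, CLIENT, 51000)


def evaluate(filter_):
    """Return (request_allowed, reply_allowed) for a subnet- or instance-level filter."""
    return filter_.allows("in", REQUEST), filter_.allows("out", REPLY)


def nacl_without_ephemeral_rule():
    # Common mistake: mirroring the inbound rule on the outbound side. The reply is addressed to the
    # client's ephemeral port (51000), not to 443, so the stateless ACL drops it.
    return NetworkAcl(
        inbound=[Rule(100, "tcp", "0.0.0.0/0", 443, 443, "allow")],
        outbound=[Rule(100, "tcp", "0.0.0.0/0", 443, 443, "allow")],
    )


def nacl_with_ephemeral_rule():
    return NetworkAcl(
        inbound=[Rule(100, "tcp", "0.0.0.0/0", 443, 443, "allow")],
        outbound=[Rule(100, "tcp", "0.0.0.0/0", 1024, 65535, "allow")],   # return traffic to ephemeral ports
    )


def security_group_https_only():
    # Ingress limited to 443 and no egress rule at all, to show that the reply passes because of
    # connection tracking rather than because of an outbound rule.
    return SecurityGroup(inbound=[Rule(0, "tcp", "0.0.0.0/0", 443, 443, "allow")], outbound=[])
```

The same asymmetry applies when the instance itself initiates connections (software updates, calls to other services): a security group's stateful tracking admits the responses automatically, while the subnet's network ACL needs an inbound rule for the ephemeral port range the instance's operating system uses.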
FIGURE 12.6 Flexible network architectures
Virtual Private Gateway
A virtual private gateway enables private connectivity between the Amazon VPC and another network. Network traffic within each virtual private gateway is isolated from network traffic within all other virtual private gateways. You can establish VPN connections to the virtual private gateway from gateway devices at your premises. Each connection is secured by a preshared key in conjunction with the IP address of the customer gateway device.
Internet Gateway
An Internet gateway may be attached to an Amazon VPC to enable direct connectivity to Amazon S3, other AWS services, and the Internet. Each instance desiring this access must either have an Elastic IP associated with it or route traffic through a Network Address Translation (NAT) instance. Additionally, network routes are configured to direct traffic to the Internet gateway (see Figure 12.6). AWS provides reference NAT AMIs that you can extend to perform network logging, deep packet inspection, application layer filtering, or other security controls.
This access can only be modified through the invocation of Amazon VPC APIs. AWS supports the ability to grant granular access to different administrative functions on the instances and the Internet gateway, enabling you to implement additional security through separation of duties.
Dedicated Instances
Within an Amazon VPC, you can launch Amazon EC2 instances that are physically isolated at the host hardware level (that is, they will run on single-tenant hardware). An Amazon VPC can be created with "dedicated" tenancy, so that all instances launched into the Amazon VPC will use this feature. Alternatively, an Amazon VPC may be created with "default" tenancy, but you can specify dedicated tenancy for particular instances launched into it.
Amazon CloudFront Security
Amazon CloudFront gives customers an easy way to distribute content to end users with low latency and high data transfer speeds. It delivers dynamic, static, and streaming content using a global network of edge locations. Requests for customers' objects are automatically routed to the nearest edge location, so content is delivered with the best possible performance. Amazon CloudFront is optimized to work with other AWS services like Amazon S3, Amazon EC2, Elastic Load Balancing, and Amazon Route 53. It also works seamlessly with any non-AWS origin server that stores the original, definitive versions of your files.
Amazon CloudFront requires that every request made to its control API is authenticated so only authorized users can create, modify, or delete their own Amazon CloudFront distributions. Requests are signed with an HMAC-SHA-1 signature calculated from the request and the user's secret key (the AWS Secret Access Key). Additionally, the Amazon CloudFront control API is only accessible via SSL-enabled endpoints.
There is no guarantee of durability of data held in Amazon CloudFront edge locations. The service may sometimes remove objects from edge locations if those objects are not requested frequently. Durability is provided by Amazon S3, which works as the origin server for Amazon CloudFront by holding the original, definitive copies of objects delivered by Amazon CloudFront.
If you want control over who can download content from Amazon CloudFront, you can enable the service's private content feature. This feature has two components. The first controls how content is delivered from the Amazon CloudFront edge location to viewers on the Internet. The second controls how the Amazon CloudFront edge locations access objects in Amazon S3. Amazon CloudFront also supports geo restriction, which restricts access to your content based on the geographic location of your viewers.
To control access to the original copies of your objects in Amazon S3, Amazon CloudFront allows you to create one or more Origin Access Identities and associate these with your distributions. When an Origin Access Identity is associated with an Amazon CloudFront distribution, the distribution will use that identity to retrieve objects from Amazon S3. You can then use Amazon S3's ACL feature, which limits access to that Origin Access Identity so the original copy of the object is not publicly readable.
To control who can download objects from Amazon CloudFront edge locations, the service uses a signed-URL verification system. To use this system, you first create a public-private key pair and upload the public key to your account via the AWS Management Console. You then configure your Amazon CloudFront distribution to indicate which accounts you would authorize to sign requests; you can indicate up to five AWS accounts that you trust to sign requests. As you receive requests, you will create policy documents indicating the conditions under which you want Amazon CloudFront to serve your content. These policy documents can specify the name of the object that is requested, the date and time of the request, and the source IP (or CIDR range) of the client making the request. You then calculate the SHA-1 hash of your policy document and sign this using your private key. Finally, you include both the encoded policy document and the signature as query string parameters when you reference your objects. When Amazon CloudFront receives a request, it verifies the signature using your public key. Amazon CloudFront will only serve requests that have a valid policy document and matching signature.
Note that private content is an optional feature that must be enabled when you set up your Amazon CloudFront distribution. Content delivered without this feature enabled will be publicly readable.
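The signed-URL mechanism just described, as an added example that is neither the book's nor AWS's code: it builds a custom policy (resource, expiry, source CIDR), hashes it with SHA-1, signs the hash with RSA, applies CloudFront's URL-safe base64 variant, and then performs the checks an edge location performs on the incoming URL. The RSA key pair is built from two Mersenne primes purely so the example runs offline with the standard library; because its factors are public it must never be used for real signing (generate a real pair with OpenSSL and upload only the public key). The distribution domain, object path, key pair ID, and timestamps are constructed values.

```python
"""Create and verify a CloudFront private-content URL with a custom policy (SHA-1 + RSA signature)."""
import base64
import hashlib
import ipaddress
import json
from urllib.parse import parse_qs, urlencode, urlsplit

# --- Demonstration-only RSA key pair (factors are public; never use such a key for anything real) ---
P, Q = (1 << 521) - 1, (1 << 607) - 1       # both Mersenne primes
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8                # modulus length in bytes
SHA1_DIGEST_INFO = bytes.fromhex("3021300906052b0e03021a05000414")   # DER prefix for a SHA-1 digest


def _emsa_pkcs1_v15(digest):
    # EM = 0x00 || 0x01 || PS (0xff ... 0xff) || 0x00 || DigestInfo, exactly K bytes long
    t = SHA1_DIGEST_INFO + digest
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t


def rsa_sha1_sign(message):
    em = int.from_bytes(_emsa_pkcs1_v15(hashlib.sha1(message).digest()), "big")
    return pow(em, D, N).to_bytes(K, "big")


def rsa_sha1_verify(message, signature):
    if len(signature) != K:
        return False
    em = pow(int.from_bytes(signature, "big"), E, N).to_bytes(K, "big")
    return em == _emsa_pkcs1_v15(hashlib.sha1(message).digest())


# --- CloudFront encoding rules -----------------------------------------------------------------
def cf_b64encode(raw):
    # Standard base64, then '+' '=' '/' replaced by '-' '_' '~' so the value survives in a query string.
    return base64.b64encode(raw).decode().translate(str.maketrans("+=/", "-_~"))


def cf_b64decode(text):
    return base64.b64decode(text.translate(str.maketrans("-_~", "+=/")))


def custom_policy(resource, expires_epoch, source_cidr=None):
    cond = {"DateLessThan": {"AWS:EpochTime": expires_epoch}}
    if source_cidr:
        cond["IpAddress"] = {"AWS:SourceIp": source_cidr}
    policy = {"Statement": [{"Resource": resource, "Condition": cond}]}
    return json.dumps(policy, separators=(",", ":"))   # the policy must contain no whitespace


def signed_url(resource, expires_epoch, key_pair_id, source_cidr=None):
    policy = custom_policy(resource, expires_epoch, source_cidr).encode()
    params = {
        "Policy": cf_b64encode(policy),
        "Signature": cf_b64encode(rsa_sha1_sign(policy)),
        "Key-Pair-Id": key_pair_id,     # tells the edge which trusted public key to verify with
    }
    return resource + "?" + urlencode(params, safe="-_~")


def verify_signed_url(url, now_epoch, client_ip, trusted_key_pair_ids):
    """What the edge location checks: trusted signer, intact policy, not expired, client IP permitted."""
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    try:
        if q["Key-Pair-Id"][0] not in trusted_key_pair_ids:
            return False
        policy_bytes = cf_b64decode(q["Policy"][0])
        if not rsa_sha1_verify(policy_bytes, cf_b64decode(q["Signature"][0])):
            return False           # policy altered after signing, or signed with an untrusted key
        stmt = json.loads(policy_bytes)["Statement"][0]
    except (KeyError, IndexError, ValueError):
        return False
    requested = parts.scheme + "://" + parts.netloc + parts.path
    if stmt["Resource"] != requested:
        return False               # a valid signature for one object does not unlock another
    cond = stmt["Condition"]
    if now_epoch >= cond["DateLessThan"]["AWS:EpochTime"]:
        return False
    cidr = cond.get("IpAddress", {}).get("AWS:SourceIp")
    if cidr and ipaddress.ip_address(client_ip) not in ipaddress.ip_network(cidr):
        return False
    return True
```

The verifier checks the signature before it parses anything else out of the policy, so an attacker who edits the expiry or the CIDR in the query string gets a signature mismatch rather than a partially trusted policy; the resource comparison stops a URL signed for one object from being replayed against another.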
Amazon CloudFront provides the option to transfer content over an encrypted connection (HTTPS). By default, Amazon CloudFront will accept requests over both HTTP and HTTPS protocols. However, you can also configure Amazon CloudFront to require HTTPS for all requests or have Amazon CloudFront redirect HTTP requests to HTTPS. You can even configure Amazon CloudFront distributions to allow HTTP for some objects but require HTTPS for other objects.
Storage
AWS provides low-cost data storage with high durability and availability. AWS offers storage choices for backup, archiving, and disaster recovery, and also for block and object storage.
Amazon Simple Storage Service (Amazon S3) Security
Amazon S3 allows you to upload and retrieve data at any time, from anywhere on the web. Amazon S3 stores data as objects within buckets. An object can be any kind of file: a text file, a photo, a video, and more. When you add a file to Amazon S3, you have the option of including metadata with the file and setting permissions to control access to the file. For each bucket, you can control access to the bucket (who can create, delete, and list objects in the bucket), view access logs for the bucket and its objects, and choose the geographical region where Amazon S3 will store the bucket and its contents.
Data Access
Access to data stored in Amazon S3 is restricted by default; only bucket and object owners have access to the Amazon S3 resources they create. (Note that a bucket/object owner is the AWS account owner, not the user who created the bucket/object.) There are multiple ways to control access to buckets and objects:
IAM Policies
AWS IAM enables organizations with many employees to create and manage multiple users under a single AWS account. IAM policies are attached to the users, enabling centralized control of permissions for users under your AWS account to access buckets or objects. With IAM policies, you can only grant users within your own AWS account permission to access your Amazon S3 resources.
ACLs
Within Amazon S3, you can use ACLs to give read or write access on buckets or objects to groups of users. With ACLs, you can only grant other AWS accounts (not specific users) access to your Amazon S3 resources.
Bucket Policies
Bucket policies in Amazon S3 can be used to add or deny permissions across some or all of the objects within a single bucket. Policies can be attached to users, groups, or Amazon S3 buckets, enabling centralized management of permissions. With bucket policies, you can grant users within your AWS account or other AWS accounts access to your Amazon S3 resources.
Query String Authentication
You can use a query string to express a request entirely in a URL. In this case, you use query parameters to provide request information, including the authentication information. Because the request signature is part of the URL, this type of URL is often referred to as a pre-signed URL. You can use pre-signed URLs to embed clickable links, which can be valid for up to seven days, in HTML.
You can further restrict access to specific resources based on certain conditions. For example, you can restrict access based on request time (Date Condition), whether the request was sent using SSL (Boolean Conditions), a requester's IP address (IP Address Condition), or the requester's client application (String Conditions). To identify these conditions, you use policy keys.
Amazon S3 also gives developers the option to use query string authentication, which allows them to share Amazon S3 objects through URLs that are valid for a predefined period of time. Query string authentication is useful for giving HTTP or browser access to resources that would normally require authentication. The signature in the query string secures the request.
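To make the query-string authentication described in the two paragraphs above concrete, here is an added example, not code from the book or from AWS, that builds a Signature Version 4 pre-signed GET URL with only the Python standard library: it assembles the canonical request, derives the date/region/service-scoped signing key with the HMAC chain, signs the string-to-sign, and enforces the seven-day cap on X-Amz-Expires. The bucket, key, and credentials are the placeholder values used in the AWS documentation, not real ones; the virtual-hosted endpoint name for us-east-1 is an assumption of the example.

```python
"""Build an S3 pre-signed GET URL with Signature Version 4 query-string authentication (stdlib only)."""
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import quote

MAX_EXPIRES = 7 * 24 * 3600   # SigV4 pre-signed URLs are capped at seven days


def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _signing_key(secret_key, date_stamp, region, service):
    # kSecret -> kDate -> kRegion -> kService -> kSigning; the secret itself never leaves the client
    k = _hmac(("AWS4" + secret_key).encode(), date_stamp)
    k = _hmac(k, region)
    k = _hmac(k, service)
    return _hmac(k, "aws4_request")


def presign_get(bucket, key, access_key_id, secret_key, region, when, expires):
    """Return (url, canonical_request, string_to_sign) for a GET of s3://bucket/key."""
    if not 1 <= expires <= MAX_EXPIRES:
        raise ValueError("expires must be between 1 second and 7 days")
    amz_date = when.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = when.strftime("%Y%m%d")
    host = f"{bucket}.s3.amazonaws.com"   # virtual-hosted style, us-east-1 endpoint (assumption)
    scope = f"{date_stamp}/{region}/s3/aws4_request"
    params = [
        ("X-Amz-Algorithm", "AWS4-HMAC-SHA256"),
        ("X-Amz-Credential", f"{access_key_id}/{scope}"),
        ("X-Amz-Date", amz_date),
        ("X-Amz-Expires", str(expires)),
        ("X-Amz-SignedHeaders", "host"),
    ]
    # Canonical query string: URI-encoded names and values, sorted by name; '/' in the credential is encoded.
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(params)
    )
    canonical_uri = quote("/" + key, safe="/-_.~")   # each path segment encoded once
    canonical_request = "\n".join([
        "GET", canonical_uri, canonical_query,
        f"host:{host}\n",        # canonical headers block ends with an empty line
        "host",                  # signed headers
        "UNSIGNED-PAYLOAD",      # pre-signed URLs never hash the body
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    signature = hmac.new(_signing_key(secret_key, date_stamp, region, "s3"),
                         string_to_sign.encode(), hashlib.sha256).hexdigest()
    url = f"https://{host}{canonical_uri}?{canonical_query}&X-Amz-Signature={signature}"
    return url, canonical_request, string_to_sign


def example(expires=86400):
    # Placeholder credentials from the AWS documentation examples (not real keys); fixed timestamp
    # so the output is reproducible.
    when = datetime(2013, 5, 24, 0, 0, 0, tzinfo=timezone.utc)
    return presign_get("examplebucket", "test.txt", "AKIAIOSFODNN7EXAMPLE",
                       "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", "us-east-1", when, expires)
```

Everything that is signed (method, path, query, host, expiry) is bound into the signature, so a recipient can change none of them; what is not bound is who presents the link, which is why a pre-signed URL should be treated as a bearer credential for that one object until it expires.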
Data Transfer
For maximum security, you can securely upload/download data to Amazon S3 via the SSL-encrypted endpoints. The encrypted endpoints are accessible from both the Internet and from within Amazon EC2, so that data is transferred securely both within AWS and to and from sources outside of AWS.
Data Storage
Amazon S3 provides multiple options for protecting data at rest. For customers who prefer to manage their own encryption, they can use a client encryption library like the Amazon S3 Encryption Client to encrypt data before uploading to Amazon S3. Alternatively, you can use Amazon S3 Server Side Encryption (SSE) if you prefer to have Amazon S3 manage the encryption process for you. Data is encrypted with a key generated by AWS or with a key you supply, depending on your requirements. With Amazon S3 SSE, you can encrypt data on upload simply by adding an additional request header when writing the object. Decryption happens automatically when data is retrieved. Note that metadata, which you can include with your object, is not encrypted. AWS recommends that customers not place sensitive information in Amazon S3 metadata.
Amazon S3 SSE uses one of the strongest block ciphers available: AES-256. With Amazon S3 SSE, every protected object is encrypted with a unique encryption key. This object key itself is then encrypted with a regularly rotated master key. Amazon S3 SSE provides additional security by storing the encrypted data and encryption keys in different hosts. Amazon S3 SSE also makes it possible for you to enforce encryption requirements. For example, you can create and apply bucket policies that require that only encrypted data can be uploaded to your buckets.
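The following is an added example, not from the book or from AWS, that ties together the condition keys introduced under Data Access and the encryption-enforcing bucket policy mentioned above: a bucket policy that denies any request not sent over SSL (aws:SecureTransport), denies uploads that lack or misuse the SSE header (s3:x-amz-server-side-encryption), and allows re
ads and writes only from a corporate CIDR (aws:SourceIp), together with a small evaluator that applies IAM's "explicit deny wins, then allow, else implicit deny" ordering to constructed requests. The bucket name, CIDR, and request contexts are made up; the evaluator ignores Principal, supports only the operators the policy uses, and treats a missing key as matching a negated operator (StringNotEquals, NotIpAddress), which is the documented IAM behavior and the reason the policy also carries a Null statement as belt-and-braces.

```python
"""A minimal evaluator for S3 bucket-policy conditions, run over constructed requests."""
import ipaddress
import json

# Constructed policy for a hypothetical bucket: block plaintext transport, block uploads that are
# not server-side encrypted with AES-256, and allow access only from the corporate network.
BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Sid": "DenyWrongEncryptionHeader", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}}},
    {"Sid": "DenyMissingEncryptionHeader", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
    {"Sid": "AllowFromCorporateNetwork", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}
  ]
}
""")

NEGATED = {"StringNotEquals", "NotIpAddress"}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _glob(pattern, value):
    # Only the trailing "*" wildcard that bucket policies commonly use ("s3:*", "bucket/*").
    return pattern == value or (pattern.endswith("*") and value.startswith(pattern[:-1]))


def _condition_holds(conditions, ctx):
    """Every operator/key pair must hold; within one pair, any listed value may match."""
    for operator, pairs in conditions.items():
        for key, wanted in pairs.items():
            wanted = [str(w) for w in _as_list(wanted)]
            actual = ctx.get(key)
            if operator == "Null":
                if (actual is None) != (wanted[0].lower() == "true"):
                    return False
                continue
            if actual is None:
                if operator in NEGATED:
                    continue          # documented IAM behavior: negated operators match a missing key
                return False          # any other operator fails when the key is absent
            if operator == "Bool":
                if str(actual).lower() != wanted[0].lower():
                    return False
            elif operator == "StringEquals":
                if actual not in wanted:
                    return False
            elif operator == "StringNotEquals":
                if actual in wanted:
                    return False
            elif operator == "IpAddress":
                if not any(ipaddress.ip_address(actual) in ipaddress.ip_network(c) for c in wanted):
                    return False
            elif operator == "NotIpAddress":
                if any(ipaddress.ip_address(actual) in ipaddress.ip_network(c) for c in wanted):
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def evaluate(policy, action, resource, ctx):
    """IAM ordering: an explicit Deny always wins, then an Allow, otherwise the implicit deny."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(_glob(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_glob(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


OBJECT = "arn:aws:s3:::example-bucket/reports/q1.csv"


def put_object(ctx):
    return evaluate(BUCKET_POLICY, "s3:PutObject", OBJECT, ctx)


def get_object(ctx):
    return evaluate(BUCKET_POLICY, "s3:GetObject", OBJECT, ctx)
```

The request context dictionary plays the role of the policy keys the paragraph under Data Access mentions: aws:SecureTransport is the Boolean condition, aws:SourceIp the IP address condition, and the SSE header a string condition; a PutObject that omits the header is rejected by both the StringNotEquals and the Null statement, so the outcome does not hinge on how a given evaluator treats absent keys.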
When an object is deleted from Amazon S3, removal of the mapping from the public name to the object starts immediately and is generally processed across the distributed system within several seconds. After the mapping is removed, there is no remote access to the deleted object. The underlying storage area is then reclaimed for use by the system.
Amazon S3 Standard is designed to provide 99.999999999 percent durability of objects over a given year. This durability level corresponds to an average annual expected loss of 0.000000001 percent of objects. For example, if you store 10,000 objects with Amazon S3, you can, on average, expect to incur a loss of a single object once every 10,000,000 years. In addition, Amazon S3 is designed to sustain the concurrent loss of data in two facilities.
Access Logs
An Amazon S3 bucket can be configured to log access to the bucket and objects within it. The access log contains details about each access request including request type, the requested resource, the requestor's IP, and the time and date of the request. When logging is enabled for a bucket, log records are periodically aggregated into log files and delivered to the specified Amazon S3 bucket.
Cross-Origin Resource Sharing (CORS)
AWS customers who use Amazon S3 to host static web pages or store objects used by other web pages can load content securely by configuring an Amazon S3 bucket to explicitly enable cross-origin requests. Modern browsers use the Same Origin policy to block JavaScript or HTML5 from allowing requests to load content from another site or domain as a way to help ensure that malicious content is not loaded from a less reputable source (such as during cross-site scripting attacks). With the Cross-Origin Resource Sharing (CORS) policy enabled, assets such as web fonts and images stored in an Amazon S3 bucket can be safely referenced by external web pages, style sheets, and HTML5 applications.
Amazon Glacier Security
Like Amazon S3, the Amazon Glacier service provides low-cost, secure, and durable storage. Where Amazon S3 is designed for rapid retrieval, however, Amazon Glacier is meant to be used as an archival service for data that is not accessed often and for which retrieval times of several hours are suitable.
Amazon Glacier stores files as archives within vaults. Archives can be any data such as a photo, video, or document, and can contain one or several files. You can store an unlimited number of archives in a single vault and can create up to 1,000 vaults per region. Each archive can contain up to 40 TB of data.
Data Transfer
For maximum security, you can securely upload/download data to Amazon Glacier via the SSL-encrypted endpoints. The encrypted endpoints are accessible from both the Internet and from within Amazon EC2, so that data is transferred securely both within AWS and to and from sources outside of AWS.
Data Retrieval
Retrieving archives from Amazon Glacier requires the initiation of a retrieval job, which is generally completed in three to five hours. You can then access the data via HTTP GET requests. The data will remain available to you for 24 hours. You can retrieve an entire archive or several files from an archive. If you want to retrieve only a subset of an archive, you can use one retrieval request to specify the range of the archive that contains the files in which you are interested, or you can initiate multiple retrieval requests, each with a range for one or more files.
You can also limit the number of vault inventory items retrieved by filtering on an archive creation date range or by setting a maximum items limit. Whichever method you choose, when you retrieve portions of your archive, you can use the supplied checksum to help ensure the integrity of the files, provided that the range that is retrieved is aligned with the tree hash of the overall archive.
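The "tree hash" and the alignment condition in the paragraph above are concrete enough to compute, so here is an added example (not the book's or AWS's code) that builds the Amazon Glacier tree hash as documented: SHA-256 over each 1 MiB chunk, then pairwise concatenation-and-hash up the tree, with an odd node carried up unchanged. It also decides whether a byte range is tree-hash aligned, that is, whether the tree hash of just that range is one of the nodes of the whole archive's tree, which is the property that lets you check a range retrieval against the checksum Glacier returns. The archive contents are generated deterministically so the example runs offline; the 6.5 MiB size is chosen to exercise the odd-node case.

```python
"""Amazon Glacier tree hash: SHA-256 over 1 MiB chunks combined pairwise, plus aligned-range checks."""
import hashlib

MIB = 1024 * 1024


def chunk_hashes(data):
    """Leaf level: SHA-256 of each 1 MiB chunk (the last chunk may be shorter)."""
    leaves = [hashlib.sha256(data[i:i + MIB]).digest() for i in range(0, len(data), MIB)]
    return leaves or [hashlib.sha256(b"").digest()]


def _levels(data):
    level = chunk_hashes(data)
    levels = [level]
    while len(level) > 1:
        # Concatenate neighbours and hash; a lone trailing node is promoted as-is.
        level = [hashlib.sha256(level[i] + level[i + 1]).digest() if i + 1 < len(level) else level[i]
                 for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def tree_hash(data):
    return _levels(data)[-1][0].hex()


def all_node_hashes(data):
    """Every node of the tree, leaves included, as hex strings."""
    return {h.hex() for level in _levels(data) for h in level}


def range_is_tree_hash_aligned(start, end_inclusive, archive_size):
    """True when [start, end] covers exactly one node of the whole archive's tree.

    A node at level j spans [m * 2^j MiB, (m + 1) * 2^j MiB), clipped to the end of the archive,
    so the range must start on a 2^j MiB boundary and either span exactly 2^j MiB or run to the
    end of the archive within that span.
    """
    if start < 0 or end_inclusive < start or end_inclusive >= archive_size:
        return False
    span = MIB
    while start % span == 0:
        if end_inclusive + 1 == start + span:
            return True
        if end_inclusive + 1 == archive_size and start + span >= archive_size:
            return True
        if span >= archive_size:
            return False
        span *= 2
    return False


def constructed_archive(size):
    """Deterministic pseudo-random bytes (SHA-256 counter stream); stands in for a real archive."""
    blocks = (size + 31) // 32
    return b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(blocks))[:size]
```

For a retrieval, pick ranges that this predicate accepts (for example, each power-of-two-MiB block, or the final block running to the end of the archive); the x-amz-sha256-tree-hash value Glacier returns for such a range is directly comparable with tree_hash() of the bytes you received, whereas for an unaligned range there is no node to compare against.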
Data Storage
Amazon Glacier automatically encrypts the data using AES-256 and stores it durably in an immutable form. Amazon Glacier is designed to provide average annual durability of 99.999999999 percent for an archive. It stores each archive in multiple facilities and on multiple devices. Unlike traditional systems, which can require laborious data verification and manual repair, Amazon Glacier performs regular, systematic data integrity checks and is built to be self-healing.
Data Access
Only your account can access your data in Amazon Glacier. To control access to your data in Amazon Glacier, you can use AWS IAM to specify which users within your account have rights to operations on a given vault.
AWS Storage Gateway Security
The AWS Storage Gateway service connects your on-premises software appliance with cloud-based storage to provide seamless and secure integration between your IT environment and AWS storage infrastructure. The service enables you to upload data securely to AWS's scalable, reliable, and secure Amazon S3 storage service for cost-effective backup and rapid disaster recovery.
Data Transfer
Data is asynchronously transferred from your on-premises storage hardware to AWS over SSL.
Data Storage
The data is stored encrypted in Amazon S3 using AES-256, a symmetric key encryption standard using 256-bit encryption keys. The AWS Storage Gateway only uploads data that has changed, minimizing the amount of data sent over the Internet.
Database
AWS provides a number of database solutions for developers and businesses, from managed relational and NoSQL database services to in-memory caching as a service and a petabyte-scale data warehouse service.
Amazon DynamoDB Security
Amazon DynamoDB is a managed NoSQL database service that provides fast and predictable performance with seamless scalability. Amazon DynamoDB enables you to offload the administrative burdens of operating and scaling distributed databases to AWS, so you don't have to worry about hardware provisioning, setup and configuration, replication, software patching, or cluster scaling.
You can create a database table that can store and retrieve any amount of data and serve any level of request traffic. Amazon DynamoDB automatically spreads the data and traffic for the table over a sufficient number of servers to handle the request capacity you specified and the amount of data stored, while maintaining consistent, fast performance. All data items are stored on Solid State Drives (SSDs) and are automatically replicated across multiple Availability Zones in a region to provide built-in high availability and data durability.
You can set up automatic backups using a special template in AWS Data Pipeline that was created just for copying Amazon DynamoDB tables. You can choose full or incremental backups to a table in the same region or a different region. You can use the copy for disaster recovery in the event that an error in your code damages the original table, or to federate Amazon DynamoDB data across regions to support a multi-region application.
To control who can use the Amazon DynamoDB resources and API, you set up permissions in AWS IAM. In addition to controlling access at the resource level with IAM, you can also control access at the database level: you can create database-level permissions that allow or deny access to items (rows) and attributes (columns) based on the needs of your application. These database-level permissions are called fine-grained access controls, and you create them using an IAM policy that specifies under what circumstances a user or application can access an Amazon DynamoDB table. The IAM policy can restrict access to individual items in a table, access to the attributes in those items, or both at the same time.
In addition to requiring database and user permissions, each request to the Amazon DynamoDB service must contain a valid HMAC-SHA-256 signature or the request is rejected. The AWS SDKs automatically sign your requests; however, if you want to write your own HTTP POST requests, you must provide the signature in the header of your request to Amazon DynamoDB. To calculate the signature, you can request temporary security credentials from the AWS Security Token Service and use them, rather than long-term access keys, to sign your requests to Amazon DynamoDB. Amazon DynamoDB is accessible via SSL-encrypted endpoints, and the encrypted endpoints are accessible from both the Internet and from within Amazon EC2.
Amazon Relational Database Service (Amazon RDS) Security
Amazon Relational Database Service (Amazon RDS) allows you to quickly create a relational Database Instance (DB Instance) and flexibly scale the associated compute resources and storage capacity to meet application demand. Amazon RDS manages the database instance on your behalf by performing backups, handling failover, and maintaining the database software. As of the time of this writing, Amazon RDS is available for MySQL, Oracle, Microsoft SQL Server, MariaDB, Amazon Aurora, and PostgreSQL database engines.
Amazon RDS has multiple features that enhance reliability for critical production databases, including DB security groups, permissions, SSL connections, automated backups, DB snapshots, and multiple Availability Zone (Multi-AZ) deployments. DB Instances can also be deployed in an Amazon VPC for additional network isolation.
Access Control
When you first create a DB Instance within Amazon RDS, you will create a master user account, which is used only within the context of Amazon RDS to control access to your DB Instance(s). The master user account is a native database user account that allows you to log on to your DB Instance with all database privileges. You can specify the master user name and password you want associated with each DB Instance when you create the DB Instance. After you have created your DB Instance, you can connect to the database using the master user credentials. Subsequently, you can create additional user accounts so that you can restrict who can access your DB Instance.
You can control Amazon RDS DB Instance access via DB security groups, which are similar to Amazon EC2 security groups but not interchangeable. DB security groups act like a firewall controlling network access to your DB Instance. DB security groups default to deny-all access mode, and customers must specifically authorize network ingress. There are two ways of doing this:
Authorizing a network IP range
Authorizing an existing Amazon EC2 security group
DB security groups only allow access to the database server port (all others are blocked) and can be updated without restarting the Amazon RDS DB Instance, which gives you seamless control of your database access.
Using AWS IAM, you can further control access to your Amazon RDS DB Instances. AWS IAM enables you to control what Amazon RDS operations each individual AWS IAM user has permission to call.
Network Isolation
For additional network access control, you can run your DB Instances in an Amazon VPC. Amazon VPC enables you to isolate your DB Instances by specifying the IP range you want to use, and to connect to your existing IT infrastructure through industry-standard encrypted IPsec VPN. Running Amazon RDS in a VPC enables you to have a DB Instance within a private subnet. You can also set up a virtual private gateway that extends your corporate network into your VPC and allows access to the RDS DB Instance in that VPC.
For Multi-AZ deployments, defining a subnet for all Availability Zones in a region will allow Amazon RDS to create a new standby in another Availability Zone should the need arise. You can create DB subnet groups, which are collections of subnets that you may want to designate for your Amazon RDS DB Instances in an Amazon VPC. Each DB subnet group should have at least one subnet for every Availability Zone in a given region. In this case, when you create a DB Instance in an Amazon VPC, you select a DB subnet group; Amazon RDS then uses that DB subnet group and your preferred Availability Zone to select a subnet and an IP address within that subnet. Amazon RDS creates and associates an Elastic Network Interface to your DB Instance with that IP address.
DB Instances deployed within an Amazon VPC can be accessed from the Internet or from Amazon EC2 instances outside the Amazon VPC via VPN or bastion hosts that you can launch in your public subnet. To use a bastion host, you will need to set up a public subnet with an Amazon EC2 instance that acts as an SSH bastion. This public subnet must have an Internet gateway and routing rules that allow traffic to be directed via the SSH host, which must then forward requests to the private IP address of your Amazon RDS DB Instance.
DB security groups can be used to help secure DB Instances within an Amazon VPC. In addition, network traffic entering and exiting each subnet can be allowed or denied via network ACLs. All network traffic entering or exiting your Amazon VPC via your IPsec VPN connection can be inspected by your on-premises security infrastructure, including network firewalls and intrusion detection systems.
Encryption
You can encrypt connections between your application and your DB Instance using SSL. For MySQL and SQL Server, Amazon RDS creates an SSL certificate and installs the certificate on the DB Instance when the instance is provisioned. For MySQL, you launch the MySQL client using the --ssl_ca parameter to reference the public key in order to encrypt connections. For SQL Server, download the public key and import the certificate into your Windows operating system. Oracle RDS uses Oracle native network encryption with a DB Instance. You simply add the native network encryption option to an option group and associate that option group with the DB Instance. After an encrypted connection is established, data transferred between the DB Instance and your application will be encrypted during transfer. You can also require your DB Instance to accept only encrypted connections.
Amazon RDS supports Transparent Data Encryption (TDE) for SQL Server (SQL Server Enterprise Edition) and Oracle (part of the Oracle Advanced Security option available in Oracle Enterprise Edition). The TDE feature automatically encrypts data before it is written to storage and automatically decrypts data when it is read from storage. If you require your MySQL data to be encrypted while at rest in the database, your application must manage the encryption and decryption of data.
Note that SSL support within Amazon RDS is for encrypting the connection between your application and your DB Instance; it should not be relied on for authenticating the DB Instance itself. While SSL offers security benefits, be aware that SSL encryption is a compute-intensive operation and will increase the latency of your database connection.
Automated Backups and DB Snapshots
Amazon RDS provides two different methods for backing up and restoring your DB Instance(s): automated backups and Database Snapshots (DB Snapshots). Turned on by default, the automated backup feature of Amazon RDS enables point-in-time recovery for your DB Instance. Amazon RDS will back up your database and transaction logs and store both for a user-specified retention period. This allows you to restore your DB Instance to any second during your retention period, up to the last five minutes. Your automatic backup retention period can be configured to up to 35 days.
DB Snapshots are user-initiated backups of your DB Instance. These full database backups are stored by Amazon RDS until you explicitly delete them. You can copy DB Snapshots of any size and move them between any of AWS's public regions, or copy the same snapshot to multiple regions simultaneously. You can then create a new DB Instance from a DB Snapshot whenever you desire.
During the backup window, storage I/O may be suspended while your data is being backed up. This I/O suspension typically lasts a few minutes. This I/O suspension is avoided with Multi-AZ DB deployments, because the backup is taken from the standby.
DB Instance Replication
AWS Cloud computing resources are housed in highly available data center facilities in different regions of the world, and each region contains multiple distinct locations called Availability Zones. Each Availability Zone is engineered to be isolated from failures in other Availability Zones and to provide inexpensive, low-latency network connectivity to other Availability Zones in the same region.
To architect for high availability of your Oracle, PostgreSQL, or MySQL databases, you can run your Amazon RDS DB Instance in several Availability Zones, an option called a Multi-AZ deployment. When you select this option, AWS automatically provisions and maintains a synchronous standby replica of your DB Instance in a different Availability Zone. The primary DB Instance is synchronously replicated across Availability Zones to the standby replica. In the event of DB Instance or Availability Zone failure, Amazon RDS will automatically fail over to the standby so that database operations can resume quickly without administrative intervention.
For customers who use MySQL and need to scale beyond the capacity constraints of a single DB Instance for read-heavy database workloads, Amazon RDS provides a read replica option. After you create a read replica, database updates on the source DB Instance are replicated to the read replica using MySQL's native, asynchronous replication. You can create multiple read replicas for a given source DB Instance and distribute your application's read traffic among them. Read replicas can be created with Multi-AZ deployments to gain read scaling benefits in addition to the enhanced database write availability and data durability provided by Multi-AZ deployments.
Automatic Software Patching
Amazon RDS will make sure that the relational database software powering your deployment stays up-to-date with the latest patches. When necessary, patches are applied during a maintenance window that you can control. You can think of the Amazon RDS maintenance window as an opportunity to control when DB Instance modifications (such as scaling DB Instance class) and software patching occur, in the event either are requested or required. If a maintenance event is scheduled for a given week, it will be initiated and completed at some point during the 30-minute maintenance window you identify.
The only maintenance events that require Amazon RDS to take your DB Instance offline are scale compute operations (which generally take only a few minutes from start to finish) or required software patching. Required patching is automatically scheduled only for patches that are related to security and durability. Such patching occurs infrequently (typically once every few months) and should seldom require more than a fraction of your maintenance window. If you do not specify a preferred weekly maintenance window when creating your DB Instance, a 30-minute default value is assigned. If you want to modify when maintenance is performed on your behalf, you can do so by modifying your DB Instance in the AWS Management Console or by using the ModifyDBInstance API. Each of your DB Instances can have different preferred maintenance windows, if you so choose.
Running your DB Instance in a Multi-AZ deployment can further reduce the impact of a maintenance event, as Amazon RDS will conduct maintenance via the following steps:
1. Perform maintenance on standby.
2. Promote standby to primary.
3. Perform maintenance on old primary, which becomes the new standby.
When an Amazon RDS DB Instance deletion API (DeleteDBInstance) is run, the DB Instance is marked for deletion. After the instance no longer indicates deleting status, it has been removed. At this point, the instance is no longer accessible, and unless a final snapshot copy was asked for, it cannot be restored and will not be listed by any of the tools or APIs.
Amazon Redshift Security
Amazon Redshift is a petabyte-scale SQL data warehouse service that runs on highly optimized and managed AWS compute and storage resources. The service has been architected not only to scale up or down rapidly, but also to improve query speeds significantly even on extremely large datasets. To increase performance, Amazon Redshift uses techniques such as columnar storage, data compression, and zone maps to reduce the amount of I/O needed to perform queries. It also has a Massively Parallel Processing (MPP) architecture, parallelizing and distributing SQL operations to take advantage of all available resources.
Cluster Access
By default, clusters that you create are closed to everyone. Amazon Redshift enables you to configure firewall rules (security groups) to control network access to your data warehouse cluster. You can also run Amazon Redshift inside an Amazon VPC to isolate your data warehouse cluster in your own virtual network and connect it to your existing IT infrastructure using industry-standard encrypted IPsec VPN.
The AWS account that creates the cluster has full access to the cluster. Within your AWS account, you can use AWS IAM to create user accounts and manage permissions for those accounts. By using IAM, you can grant different users permission to perform only the cluster operations that are necessary for their work. As with all databases, you must grant permission in Amazon Redshift at the database level in addition to granting access at the resource level. Database users are named user accounts that can connect to a database and are authenticated when they log in to Amazon Redshift. In Amazon Redshift, you grant database user permissions on a per-cluster basis instead of on a per-table basis. However, users can see data only in the table rows that were generated by their own activities; rows generated by other users are not visible to them.
The user who creates a database object is its owner. By default, only a superuser or the owner of an object can query, modify, or grant permissions on the object. For users to use an object, you must grant the necessary permissions to the user or the group that contains the user. In addition, only the owner of an object can modify or delete it.
Data Backups
Amazon Redshift distributes your data across all compute nodes in a cluster. When you run a cluster with at least two compute nodes, data on each node will always be mirrored on disks on another node, reducing the risk of data loss. In addition, all data written to a node in your cluster is continuously backed up to Amazon S3 using snapshots. Amazon Redshift stores your snapshots for a user-defined period, which can be from 1 to 35 days. You can also take your own snapshots at any time; these snapshots leverage all existing system snapshots and are retained until you explicitly delete them.
Amazon Redshift continuously monitors the health of the cluster and automatically re-replicates data from failed drives and replaces nodes as necessary. All of this happens without any effort on your part, although you may see a slight performance degradation during the re-replication process.
You can use any system or user snapshot to restore your cluster using the AWS Management Console or the Amazon Redshift APIs. Your cluster is available as soon as the system metadata has been restored, and you can start running queries while user data is spooled down in the background.
Data Encryption
When creating a cluster, you can choose to encrypt it in order to provide additional protection for your data at rest. When you enable encryption in your cluster, Amazon Redshift stores all data in user-created tables in an encrypted format using hardware-accelerated AES-256 block encryption keys. This includes all data written to disk and any backups.
Amazon Redshift uses a four-tier, key-based architecture for encryption. These keys consist of data encryption keys, a database key, a cluster key, and a master key.
Data encryption keys encrypt data blocks in the cluster. Each data block is assigned a randomly-generated AES-256 key. These keys are encrypted by using the database key for the cluster.
The database key encrypts data encryption keys in the cluster. The database key is a randomly-generated AES-256 key. It is stored on disk in a separate network from the Amazon Redshift cluster and encrypted by a master key. Amazon Redshift passes the database key across a secure channel and keeps it in memory in the cluster.
The cluster key encrypts the database key for the Amazon Redshift cluster. You can use either AWS or a Hardware Security Module (HSM) to store the cluster key. HSMs provide direct control of key generation and management and make key management separate and distinct from the application and the database.
The master key encrypts the cluster key if it is stored in AWS. The master key encrypts the cluster-key-encrypted database key if the cluster key is stored in an HSM.
You can have Amazon Redshift rotate the encryption keys for your encrypted clusters at any time. As part of the rotation process, keys are also updated for all of the cluster's automatic and manual snapshots. Note that enabling encryption in your cluster will impact performance, even though it is hardware accelerated.
Encryption also applies to backups. When you're restoring from an encrypted snapshot, the new cluster will be encrypted as well.
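The four tiers described above, worked through in runnable form. This is an added example written for this page, not Redshift's own implementation: AES-256 is replaced by an HMAC-SHA256 keystream with an HMAC tag (a labelled stand-in, since the Python standard library has no AES), every key is generated randomly here, and the rotation step shows the general envelope-encryption property that re-wrapping an upper-tier key leaves the data blocks untouched, which the text does not claim about Redshift's own rotation procedure.

```python
import hashlib
import hmac
import os


def _stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter mode over HMAC-SHA256: keystream block i = HMAC(k_enc, nonce || i).
    Stand-in for AES-256 (HMAC is a PRF, so this is a valid stream cipher for a demo)."""
    k_enc = hashlib.sha256(b"enc" + key).digest()
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(k_enc, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under `key`; returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = _stream(key, nonce, plaintext)
    k_mac = hashlib.sha256(b"mac" + key).digest()
    tag = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Inverse of seal(); raises ValueError if the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    k_mac = hashlib.sha256(b"mac" + key).digest()
    if not hmac.compare_digest(tag, hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or tampered data")
    return _stream(key, nonce, ct)


class EncryptedCluster:
    """Stores only wrapped keys and encrypted blocks. The master key (tier 4) stays
    outside and is passed in per call, standing in for AWS or an HSM holding it."""

    def __init__(self, master_key: bytes):
        cluster_key = os.urandom(32)                       # tier 3
        database_key = os.urandom(32)                      # tier 2
        self.wrapped_cluster_key = seal(master_key, cluster_key)
        self.wrapped_database_key = seal(cluster_key, database_key)
        self.blocks = []                                   # (wrapped data key, ciphertext)

    def _database_key(self, master_key: bytes) -> bytes:
        cluster_key = unseal(master_key, self.wrapped_cluster_key)
        return unseal(cluster_key, self.wrapped_database_key)

    def write_block(self, master_key: bytes, data: bytes) -> int:
        data_key = os.urandom(32)                          # tier 1: a fresh key per block
        wrapped_data_key = seal(self._database_key(master_key), data_key)
        self.blocks.append((wrapped_data_key, seal(data_key, data)))
        return len(self.blocks) - 1

    def read_block(self, master_key: bytes, index: int) -> bytes:
        wrapped_data_key, ct = self.blocks[index]
        data_key = unseal(self._database_key(master_key), wrapped_data_key)
        return unseal(data_key, ct)

    def can_read_block(self, master_key: bytes, index: int) -> bool:
        """True only if the whole chain master -> cluster -> database -> data key unwraps."""
        try:
            self.read_block(master_key, index)
            return True
        except ValueError:
            return False

    def rotate_cluster_key(self, master_key: bytes) -> None:
        """Re-wrap the database key under a new cluster key. Data blocks and their
        wrapped data keys are untouched: the general envelope-encryption property."""
        database_key = self._database_key(master_key)
        new_cluster_key = os.urandom(32)
        self.wrapped_cluster_key = seal(master_key, new_cluster_key)
        self.wrapped_database_key = seal(new_cluster_key, database_key)


if __name__ == "__main__":
    master = os.urandom(32)                                # constructed master key
    cluster = EncryptedCluster(master)
    idx = cluster.write_block(master, b"customer_id=42,balance=1000")
    cluster.rotate_cluster_key(master)
    print(cluster.read_block(master, idx), cluster.can_read_block(os.urandom(32), idx))
```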
To encrypt your table load data files when you upload them to Amazon S3, you can use Amazon S3 server-side encryption. When you load the data from Amazon S3, the COPY command will decrypt the data as it loads the table.
Database Audit Logging
Amazon Redshift logs all SQL operations, including connection attempts, queries, and changes to your database. You can access these logs using SQL queries against system tables or choose to have them downloaded to a secure Amazon S3 bucket. You can then use these audit logs to monitor your cluster for security and troubleshooting purposes.
Automatic Software Patching
Amazon Redshift manages all the work of setting up, operating, and scaling your data warehouse, including provisioning capacity, monitoring the cluster, and applying patches and upgrades to the Amazon Redshift engine. Patches are applied only during specified maintenance windows.
SSL Connections
To protect your data in transit within the AWS Cloud, Amazon Redshift uses hardware-accelerated SSL to communicate with Amazon S3 or Amazon DynamoDB for COPY, UNLOAD, backup, and restore operations. You can encrypt the connection between your client and the cluster by specifying SSL in the parameter group associated with the cluster. To have your clients also authenticate the Amazon Redshift server, you can install the public key (.pem file) for the SSL certificate on your client and use the key to connect to your clusters.
Amazon Redshift offers the newer, stronger cipher suites that use the Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) protocol. ECDHE allows SSL clients to provide Perfect Forward Secrecy between the client and the Amazon Redshift cluster. Perfect Forward Secrecy uses session keys that are ephemeral and not stored anywhere, which prevents the decoding of captured data by unauthorized third parties, even if the secret long-term key itself is compromised. You do not need to configure anything in Amazon Redshift to enable ECDHE; if you connect from an SQL client tool that uses ECDHE to encrypt communication between the client and server, Amazon Redshift will use the provided cipher list to make the appropriate connection.
Amazon ElastiCache Security
Amazon ElastiCache is a web service that makes it easy to set up, manage, and scale distributed in-memory cache environments in the cloud. The service improves the performance of web applications by allowing you to retrieve information from a fast, managed, in-memory caching system, instead of relying entirely on slower disk-based databases. It can be used to improve latency and throughput significantly for many read-heavy application workloads (such as social networking, gaming, media sharing, and Q and A portals) or compute-intensive workloads (such as a recommendation engine). Caching improves application performance by storing critical pieces of data in memory for low-latency access. Cached information may include the results of I/O-intensive database queries or the results of computationally-intensive calculations.
The Amazon ElastiCache service automates time-consuming management tasks for in-memory cache environments, such as patch management, failure detection, and recovery. It works in conjunction with other AWS Cloud services (such as Amazon EC2, Amazon CloudWatch, and Amazon SNS) to provide a secure, high-performance, and managed in-memory cache. For example, an application running in Amazon EC2 can securely access an Amazon ElastiCache cluster in the same region with very low latency.
Using the Amazon ElastiCache service, you create a Cache Cluster, which is a collection of one or more Cache Nodes, each running an instance of the Memcached service. A Cache Node is a fixed-size chunk of secure, network-attached RAM. Each Cache Node runs an instance of the Memcached service and has its own DNS name and port. Multiple types of Cache Nodes are supported, each with varying amounts of associated memory. A Cache Cluster can be set up with a specific number of Cache Nodes and a Cache Parameter Group that controls the properties for each Cache Node. All Cache Nodes within a Cache Cluster are designed to be of the same Node Type and have the same parameter and security group settings.
Data Access
Amazon ElastiCache allows you to control access to your Cache Clusters using Cache Security Groups. A Cache Security Group acts like a firewall, controlling network access to your Cache Cluster. By default, network access is turned off to your Cache Clusters. If you want your applications to access your Cache Cluster, you must explicitly enable access from hosts in specific Amazon EC2 security groups. After ingress rules are configured, the same rules apply to all Cache Clusters associated with that Cache Security Group.
To allow network access to your Cache Cluster, create a Cache Security Group and use the AuthorizeCacheSecurityGroupIngress API or CLI command to authorize the desired Amazon EC2 security group (which in turn specifies the Amazon EC2 instances allowed). IP-range based access control is currently not enabled for Cache Clusters. All clients to a Cache Cluster must be within the Amazon EC2 network, and authorized via Cache Security Groups.
Amazon ElastiCache for Redis provides backup and restore functionality, where you can create a snapshot of your entire Redis cluster as it exists at a specific point in time. You can schedule automatic, recurring daily snapshots, or you can create a manual snapshot at any time. For automatic snapshots, you specify a retention period; manual snapshots are retained until you delete them. The snapshots are stored in Amazon S3 with high durability, and can be used for warm starts, backups, and archiving.
Application Services
AWS offers a variety of managed services to use with your applications, including services that provide application streaming, queueing, push notification, email delivery, search, and transcoding.
Amazon Simple Queue Service (Amazon SQS) Security
Amazon SQS is a highly reliable, scalable message queuing service that enables asynchronous message-based communication between distributed components of an application. The components can be computers or Amazon EC2 instances or a combination of both. With Amazon SQS, you can send any number of messages to an Amazon SQS queue at any time from any component. The messages can be retrieved from the same component or a different one, right away or at a later time (within 14 days). Messages are highly durable; each message is persistently stored in highly available, highly reliable queues. Multiple processes can read/write from/to an Amazon SQS queue at the same time without interfering with each other.
Data Access
Amazon SQS access is granted based on an AWS account or a user created with AWS IAM. After it is authenticated, the AWS account has full access to all user operations. An IAM user, however, only has access to the operations and queues for which they have been granted access via policy. By default, access to each individual queue is restricted to the AWS account that created it. However, you can allow other access to a queue, using either an Amazon SQS-generated policy or a policy you write.
Encryption
Amazon SQS is accessible via SSL-encrypted endpoints. The encrypted endpoints are accessible from both the Internet and from within Amazon EC2. Data stored within Amazon SQS is not encrypted by AWS; however, the user can encrypt data before it is uploaded to Amazon SQS, provided that the application using the queue has a means to decrypt the message when it's retrieved. Encrypting messages before sending them to Amazon SQS helps protect against access to sensitive customer data by unauthorized persons, including AWS.
Amazon Simple Notification Service (Amazon SNS) Security
Amazon SNS is a web service that makes it easy to set up, operate, and send notifications from the cloud. It provides developers with a highly scalable, flexible, and cost-effective capability to publish messages from an application and immediately deliver them to subscribers or other applications. Amazon SNS provides a simple web services interface that can be used to create topics that customers want to notify applications (or people) about, subscribe clients to these topics, publish messages, and have these messages delivered over clients' protocol of choice (for example, HTTP/HTTPS, email).
Amazon SNS delivers notifications to clients using a push mechanism that eliminates the need to check or poll for new information and updates periodically. Amazon SNS can be leveraged to build highly reliable, event-driven workflows and messaging applications without the need for complex middleware and application management. The potential uses for Amazon SNS include monitoring applications, workflow systems, time-sensitive information updates, mobile applications, and many others.
Data Access
Amazon SNS provides access control mechanisms so that topics and messages are secured against unauthorized access. Topic owners can set policies for a topic that restrict who can publish or subscribe to a topic. Additionally, topic owners can encrypt transmission by specifying that the delivery mechanism must be HTTPS. Amazon SNS access is granted based on an AWS account or a user created with AWS IAM. After it is authenticated, the AWS account has full access to all user operations. An IAM user, however, only has access to the operations and topics for which they have been granted access via policy. By default, access to each individual topic is restricted to the AWS account that created it. However, you can allow other access to Amazon SNS, using either an Amazon SNS-generated policy or a policy you write.
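A minimal evaluator for the kind of resource policy you write to open a queue (or, with the ARNs swapped, a topic) to callers beyond the owning account, serving both the Amazon SQS and the Amazon SNS Data Access passages above. It is added here as an example and is not AWS code; the default-deny, explicit-deny-wins order is IAM's documented evaluation logic, and the account IDs, role name and queue name are constructed.

```python
import fnmatch
import json

# Constructed sample (not real accounts): the queue lives in account 111122223333,
# a producer role in account 444455556666 may only send to it, and any caller on
# plain HTTP is explicitly denied. Everything else is denied by default.
QUEUE_ARN = "arn:aws:sqs:us-east-1:111122223333:orders"
QUEUE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowPartnerProducerSendOnly",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::444455556666:role/OrderProducer"},
      "Action": "sqs:SendMessage",
      "Resource": "arn:aws:sqs:us-east-1:111122223333:orders"
    },
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "sqs:*",
      "Resource": "arn:aws:sqs:us-east-1:111122223333:orders",
      "Condition": {"Bool": {"aws:SecureTransport": "false"}}
    }
  ]
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, caller_arn):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p in ("*", caller_arn) for p in _as_list(principal.get("AWS", [])))
    return False


def _conditions_hold(condition, context):
    """Only Bool and StringEquals are modelled; a missing context key means not met."""
    for operator, pairs in condition.items():
        if operator not in ("Bool", "StringEquals"):
            raise ValueError(f"condition operator {operator} not modelled here")
        for key, wanted in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "Bool" and str(actual).lower() != str(wanted).lower():
                return False
            if operator == "StringEquals" and actual not in _as_list(wanted):
                return False
    return True


def evaluate(policy, caller_arn, action, resource_arn, context=None):
    """Return ExplicitDeny, Allow or ImplicitDeny for one call. Only the resource
    policy is modelled; the caller's own identity policy, which must also allow a
    cross-account call, is not. Action names compare case-insensitively."""
    context = context or {}
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt.get("Principal"), caller_arn):
            continue
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _conditions_hold(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"          # a matching Deny overrides any Allow
        decision = "Allow"                 # keep scanning: a later Deny still wins
    return decision


if __name__ == "__main__":
    producer = "arn:aws:iam::444455556666:role/OrderProducer"
    for action, tls in (("sqs:SendMessage", "true"), ("sqs:ReceiveMessage", "true"),
                        ("sqs:SendMessage", "false")):
        print(action, tls, evaluate(QUEUE_POLICY, producer, action, QUEUE_ARN,
                                    {"aws:SecureTransport": tls}))
```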
Analytics Services
AWS provides cloud-based analytics services to help you process and analyze any volume of data, whether your need is for managed Hadoop clusters, real-time streaming data, petabyte scale data warehousing, or orchestration.
Amazon Elastic MapReduce (Amazon EMR) Security
Amazon Elastic MapReduce (Amazon EMR) is a managed web service you can use to run Hadoop clusters that process vast amounts of data by distributing the work and data among several servers. It uses an enhanced version of the Apache Hadoop framework running on the web-scale infrastructure of Amazon EC2 and Amazon S3. You simply upload your input data and a data processing application into Amazon S3. Amazon EMR then launches the number of Amazon EC2 instances you specify. The service begins the job flow execution while pulling the input data from Amazon S3 into the launched Amazon EC2 instances. After the job flow is finished, Amazon EMR transfers the output data to Amazon S3, where you can then retrieve it or use it as input in another job flow.
When launching job flows on your behalf, Amazon EMR sets up two Amazon EC2 security groups: one for the master nodes and another for the slaves. The master security group has a port open for communication with the service. It also has the SSH port open to allow you to SSH into the instances using the key specified at startup. The slaves start in a separate security group, which only allows interaction with the master instance. By default, both security groups are set up to not allow access from external sources, including Amazon EC2 instances belonging to other customers. Because these are security groups within your account, you can reconfigure them using the standard EC2 tools or dashboard. To protect customer input and output datasets, Amazon EMR transfers data to and from Amazon S3 using SSL.
Amazon EMR provides several ways to control access to the resources of your cluster. You can use AWS IAM to create user accounts and roles and configure permissions that control which AWS features those users and roles can access. When you launch a cluster, you can associate an Amazon EC2 key pair with the cluster, which you can then use when you connect to the cluster using SSH. You can also set permissions that allow users other than the default Hadoop user to submit jobs to your cluster.
By default, if an IAM user launches a cluster, that cluster is hidden from other IAM users on the AWS account. This filtering occurs on all Amazon EMR interfaces (the AWS Management Console, CLI, API, and SDKs) and helps prevent IAM users from accessing and inadvertently changing clusters created by other IAM users.
For an additional layer of protection, you can launch the Amazon EC2 instances of your Amazon EMR cluster into an Amazon VPC, which is like launching it into a private subnet. This allows you to control access to the entire subnet. You can also launch the cluster into an Amazon VPC and enable the cluster to access resources on your internal network using a VPN connection. You can encrypt the input data before you upload it to Amazon S3 using any common data encryption tool. If you do encrypt the data before it is uploaded, you then need to add a decryption step to the beginning of your job flow when Amazon EMR fetches the data from Amazon S3.
Amazon Kinesis Security
Amazon Kinesis is a managed service designed to handle real-time streaming of big data. It can accept any amount of data, from any number of sources, scaling up and down as needed. You can use Amazon Kinesis in situations that call for large-scale, real-time data ingestion and processing, such as server logs, social media, or market data feeds, and web clickstream data. Applications read and write data records to Amazon Kinesis in streams. You can create any number of Amazon Kinesis streams to capture, store, and transport data.
You can control logical access to Amazon Kinesis resources and management functions by creating users under your AWS account using AWS IAM, and controlling which Amazon Kinesis operations these users have permission to perform. To facilitate running your producer or consumer applications on an Amazon EC2 instance, you can configure that instance with an IAM role. That way, AWS credentials that reflect the permissions associated with the IAM role are made available to applications on the instance, which means you don't have to use your long-term AWS security credentials. Roles have the added benefit of providing temporary credentials that expire within a short time frame, which adds an additional measure of protection.
The Amazon Kinesis API is only accessible via an SSL-encrypted endpoint (kinesis.us-east-1.amazonaws.com) to help ensure secure transmission of your data to AWS. You must connect to that endpoint to access Amazon Kinesis, but you can then use the API to direct Amazon Kinesis to create a stream in any AWS region.
Deployment and Management Services
AWS provides a variety of tools to help with the deployment and management of your applications. This includes services that allow you to create individual user accounts with credentials for access to AWS services. It also includes services for creating and updating stacks of AWS resources, deploying applications on those resources, and monitoring the health of those AWS resources. Other tools help you manage cryptographic keys using HSMs and log AWS API activity for security and compliance purposes.
AWS Identity and Access Management (IAM) Security
AWS IAM allows you to create multiple users and manage the permissions for each of these users within your AWS account. A user is an identity (within an AWS account) with unique security credentials that can be used to access AWS Cloud services. IAM eliminates the need to share passwords or keys and makes it easy to enable or disable a user's access as appropriate.
AWS IAM enables you to implement security best practices, such as least privilege, by granting unique credentials to every user within your AWS account and only granting permission to access the AWS Cloud services and resources required for the users to perform their jobs. IAM is secure by default; new users have no access to AWS until permissions are explicitly granted.
AWS IAM is also integrated with AWS Marketplace so that you can control who in your organization can subscribe to the software and services offered in AWS Marketplace. Because subscribing to certain software in AWS Marketplace launches an Amazon EC2 instance to run the software, this is an important access control feature. Using IAM to control access to AWS Marketplace also enables AWS account owners to have fine-grained control over usage and software costs.
AWS IAM enables you to minimize the use of your AWS account credentials. After you create IAM user accounts, all interactions with AWS Cloud services and resources should occur with IAM user security credentials.
Roles
An IAM role uses temporary security credentials to allow you to delegate access to users or services that normally don't have access to your AWS resources. A role is a set of permissions to access specific AWS resources, but these permissions are not tied to a specific IAM user or group. An authorized entity (for example, mobile user or Amazon EC2 instance) assumes a role and receives temporary security credentials for authenticating to the resources defined in the role. Temporary security credentials provide enhanced security due to their short lifespan (the default expiration is 12 hours) and the fact that they cannot be reused after they expire. This can be particularly useful in providing limited, controlled access in certain situations:
Federated (Non-AWS) User Access
Federated users are users (or applications) who do not have AWS accounts. With roles, you can give them access to your AWS resources for a limited amount of time. This is useful if you have non-AWS users that you can authenticate with an external service, such as Microsoft Active Directory, Lightweight Directory Access Protocol (LDAP), or Kerberos. The temporary AWS credentials used with the roles provide identity federation between AWS and your non-AWS users in your corporate identity and authorization system.
Security Assertion Markup Language (SAML) 2.0
If your organization supports SAML 2.0, you can create trust between your organization as an Identity Provider (IdP) and other organizations as service providers. In AWS, you can configure AWS as the service provider and use SAML to provide your users with federated Single Sign-On (SSO) to the AWS Management Console or to get federated access to call AWS APIs.
Roles are also useful if you create a mobile or web-based application that accesses AWS resources. AWS resources require security credentials for programmatic requests; however, you shouldn't embed long-term security credentials in your application because they are accessible to the application's users and can be difficult to rotate. Instead, you can let users sign in to your application using Login with Amazon, Facebook, or Google and then use their authentication information to assume a role and get temporary security credentials.
Cross-Account Access
For organizations that use multiple AWS accounts to manage their resources, you can set up roles to provide users who have permissions in one account to access resources under another account. For organizations that have personnel who only rarely need access to resources under another account, using roles helps to ensure that credentials are provided temporarily and only as needed.
Applications Running on EC2 Instances That Need to Access AWS Resources
If an application runs on an Amazon EC2 instance and needs to make requests for AWS resources, such as Amazon S3 buckets or a DynamoDB table, it must have security credentials. Using roles instead of creating individual IAM accounts for each application on each instance can save significant time for customers who manage a large number of instances or an elastically scaling fleet using AWS Auto Scaling.
The temporary credentials include a security token, an Access Key ID, and a Secret Access Key. To give a user access to certain resources, you distribute the temporary security credentials to the user to whom you are granting temporary access. When the user makes calls to your resources, the user passes in the token and Access Key ID and signs the request with the Secret Access Key. The token will not work with different access keys.
The use of temporary credentials provides additional protection for you because you don't have to manage or distribute long-term credentials to temporary users. In addition, the temporary credentials get automatically loaded to the target instance so you don't have to embed them somewhere unsafe like your code. Temporary credentials are automatically rotated or changed multiple times a day without any action on your part and are stored securely by default.
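The signing step described above, with the security token carried alongside the Access Key ID and the request signed with the Secret Access Key, written out as an added example that follows the published AWS Signature Version 4 algorithm; it is not AWS SDK code, and the credentials, bucket, timestamp and expiry are constructed values.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timezone
from urllib.parse import quote


@dataclass
class TemporaryCredentials:
    """The three parts the text describes, plus the expiry returned with them."""
    access_key_id: str
    secret_access_key: str
    session_token: str
    expiration: datetime


# Constructed sample values (not real credentials); temporary access keys start with ASIA.
SAMPLE_CREDS = TemporaryCredentials(
    access_key_id="ASIAEXAMPLEKEY000001",
    secret_access_key="EXAMPLEsecretKEY0000000000000000000000000",
    session_token="EXAMPLEsessionTOKEN/constructed/for/this/page",
    expiration=datetime(2017, 1, 15, 13, 0, tzinfo=timezone.utc),
)
SAMPLE_NOW = datetime(2017, 1, 15, 12, 0, tzinfo=timezone.utc)


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def credentials_valid(creds: TemporaryCredentials, now: datetime) -> bool:
    """Expired temporary credentials cannot be reused; the role must be assumed again."""
    return now < creds.expiration


def derive_signing_key(secret: str, date_stamp: str, region: str, service: str) -> bytes:
    """SigV4 key derivation: the secret key itself never signs a request directly."""
    k_date = _hmac(("AWS4" + secret).encode("utf-8"), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def sign_request(creds, method, host, path, query, payload, amz_date, region, service, now):
    """Return the headers of one SigV4-signed request; amz_date is e.g. 20170115T120000Z."""
    if not credentials_valid(creds, now):
        raise ValueError("temporary credentials have expired")
    headers = {
        "host": host,
        "x-amz-date": amz_date,
        "x-amz-content-sha256": _sha256_hex(payload),
        # The token is sent as a header and covered by the signature, so it is
        # bound to this access key pair and cannot be combined with another one.
        "x-amz-security-token": creds.session_token,
    }
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(query.items())
    )
    canonical_request = "\n".join([
        method.upper(), quote(path, safe="/-_.~"), canonical_query,
        canonical_headers, signed_headers, headers["x-amz-content-sha256"],
    ])
    date_stamp = amz_date[:8]
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope, _sha256_hex(canonical_request.encode("utf-8")),
    ])
    signing_key = derive_signing_key(creds.secret_access_key, date_stamp, region, service)
    signature = hmac.new(signing_key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    headers["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={creds.access_key_id}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}"
    )
    return headers


if __name__ == "__main__":
    # Sign a GET for one object in a constructed bucket and show the resulting headers.
    signed = sign_request(SAMPLE_CREDS, "GET", "s3.amazonaws.com", "/example-bucket/report.csv",
                          {}, b"", "20170115T120000Z", "us-east-1", "s3", SAMPLE_NOW)
    for name, value in signed.items():
        print(f"{name}: {value}")
```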
Mobile Services
AWS mobile services make it easier for you to build, ship, run, monitor, optimize, and scale cloud-powered applications for mobile devices. These services also help you authenticate users to your mobile application, synchronize data, and collect and analyze application usage.
Amazon Cognito Security
Amazon Cognito provides identity and sync services for mobile and web-based applications. It simplifies the task of authenticating users and storing, managing, and syncing their data across multiple devices, platforms, and applications. It provides temporary, limited-privilege credentials for both authenticated and unauthenticated users without having to manage any back-end infrastructure.
Amazon Cognito works with well-known identity providers like Google, Facebook, and Amazon to authenticate end users of your mobile and web applications. You can take advantage of the identification and authorization features provided by these services instead of having to build and maintain your own. Your application authenticates with one of these identity providers using the provider's SDK. After the end user is authenticated with the provider, an OAuth or OpenID Connect token returned from the provider is passed by your application to Amazon Cognito, which returns a new Amazon Cognito ID for the user and a set of temporary, limited-privilege AWS credentials.
To begin using Amazon Cognito, you create an identity pool through the Amazon Cognito console. The identity pool is a store of user identity information that is specific to your AWS account. During the creation of the identity pool, you will be asked to create a new IAM role or pick an existing one for your end users. An IAM role is a set of permissions to access specific AWS resources, but these permissions are not tied to a specific IAM user or group. An authorized entity (for example, mobile user, Amazon EC2 instance) assumes a role and receives temporary security credentials for authenticating to the AWS resources defined in the role. Temporary security credentials provide enhanced security due to their short lifespan (the default expiration is 12 hours) and the fact that they cannot be reused after they expire.
The role you select has an impact on which AWS Cloud services your end users will be able to access with the temporary credentials. By default, Amazon Cognito creates a new role with limited permissions; end users only have access to the Amazon Cognito Sync service and Amazon Mobile Analytics. If your application needs access to other AWS resources, such as Amazon S3 or Amazon DynamoDB, you can modify your roles directly from the IAM console.
With Amazon Cognito, there is no need to create individual AWS accounts or even IAM accounts for every one of your web/mobile application end users who will need to access your AWS resources. In conjunction with IAM roles, mobile users can securely access AWS resources and application features and even save data to the AWS Cloud without having to create an account or log in. If they choose to create an account or log in later, Amazon Cognito will merge data and identification information.
Because Amazon Cognito stores data locally and also in the service, your end users can continue to interact with their data even when they are offline. Their offline data may be stale, but they can immediately retrieve anything they put into the dataset whether or not they are online. The client SDK manages a local SQLite store so that the application can work even when it is not connected. The SQLite store functions as a cache and is the target of all read and write operations. Amazon Cognito's sync facility compares the local version of the data to the cloud version and pushes up or pulls down deltas as needed. Note that in order to sync data across devices, your identity pool must support authenticated identities. Unauthenticated identities are tied to the device, so unless an end user authenticates, no data can be synced across multiple devices.
With Amazon Cognito, your application communicates directly with a supported public identity provider (Amazon, Facebook, or Google) to authenticate users. Amazon Cognito does not receive or store user credentials, only the OAuth or OpenID Connect token received from the identity provider. After Amazon Cognito receives the token, it returns a new Amazon Cognito ID for the user and a set of temporary, limited-privilege AWS credentials. Each Amazon Cognito identity has access only to its own data in the sync store, and this data is encrypted when stored. In addition, all identity data is transmitted over HTTPS. The unique Amazon Cognito identifier on the device is stored in the appropriate secure location. For example, on iOS, the Amazon Cognito identifier is stored in the iOS keychain. User data is cached in a local SQLite database within the application's sandbox; if you require additional security, you can encrypt this identity data in the local cache by implementing encryption in your application.
Applications
AWS applications are managed services that enable you to provide your users with secure, centralized storage and work areas in the cloud.
Amazon WorkSpaces Security
Amazon WorkSpaces is a managed desktop service that allows you to quickly provision cloud-based desktops for your users. Simply choose a Windows 7 bundle that best meets the needs of your users and the number of WorkSpaces that you want to launch. After the WorkSpaces are ready, users receive an email informing them where they can download the relevant client and log in to their WorkSpace. They can then access their cloud-based desktops from a variety of endpoint devices, including PCs, laptops, and mobile devices. However, your organization's data is never sent to or stored on the end-user device because Amazon WorkSpaces uses PC-over-IP (PCoIP), which provides an interactive video stream without transmitting actual data. The PCoIP protocol compresses, encrypts, and encodes the users' desktop computing experience and transmits it as pixels only across any standard IP network to end-user devices.
In order to access their WorkSpace, users must sign in using a set of unique credentials or their regular Active Directory credentials. When you integrate Amazon WorkSpaces with your corporate Active Directory, each WorkSpace joins your Active Directory domain and can be managed just like any other desktop in your organization. This means that you can use Active Directory Group Policies to manage your users' WorkSpaces and specify configuration options that control the desktop. If you choose not to use Active Directory or another type of on-premises directory to manage your users' WorkSpaces, you can create a private cloud directory within Amazon WorkSpaces that you can use for administration.
To provide an additional layer of security, you can also require the use of MFA upon sign-in in the form of a hardware or software token. Amazon WorkSpaces supports MFA using an on-premises Remote Authentication Dial In User Service (RADIUS) server or any security provider that supports RADIUS authentication. It currently supports the PAP, CHAP, MS-CHAP1, and MS-CHAP2 protocols, along with RADIUS proxies.
Each WorkSpace resides on its own Amazon EC2 instance within an Amazon VPC. You can create WorkSpaces in an Amazon VPC you already own or have the Amazon WorkSpaces service create one for you automatically using the Amazon WorkSpaces Quick Start option. When you use the Quick Start option, Amazon WorkSpaces not only creates the Amazon VPC, but it also performs several other provisioning and configuration tasks for you, such as creating an Internet Gateway for the Amazon VPC, setting up a directory within the Amazon VPC that is used to store user and WorkSpace information, creating a directory administrator account, creating the specified user accounts and adding them to the directory, and creating the Amazon WorkSpaces instances. Or the Amazon VPC can be connected to an on-premises network using a secure VPN connection to allow access to an existing on-premises Active Directory and other intranet resources. You can add a security group that you create in your Amazon VPC to all of the WorkSpaces that belong to your Active Directory. This allows you to control network access from Amazon WorkSpaces in your Amazon VPC to other resources in your Amazon VPC and on-premises network.
Persistent storage for Amazon WorkSpaces is provided by Amazon EBS and is automatically backed up twice a day to Amazon S3. If Amazon WorkSpaces Sync is enabled on a WorkSpace, the folder a user chooses to sync will be continuously backed up and stored in Amazon S3. You can also use Amazon WorkSpaces Sync on a Mac or PC to sync documents to or from your WorkSpace so that you can always have access to your data regardless of the desktop computer you are using.
Because it is a managed service, AWS takes care of several security and maintenance tasks like daily backups and patching. Updates are delivered automatically to your WorkSpaces during a weekly maintenance window. You can control how patching is configured for a user's WorkSpace. By default, Windows Update is turned on, but you have the ability to customize these settings or use an alternative patch management approach if you desire. For the underlying OS, Windows Update is enabled by default on Amazon WorkSpaces and configured to install updates on a weekly basis. You can use an alternative patching approach or configure Windows Update to perform updates at a time of your choosing. You can use IAM to control who on your team can perform administrative functions like creating or deleting WorkSpaces or setting up user directories. You can also set up a WorkSpace for directory administration, install your favorite Active Directory administration tools, and create organizational units and Group Policies in order to apply Active Directory changes more easily for all of your Amazon WorkSpaces users.
Summary

In this chapter, you learned that the first priority at AWS is Cloud security. Security within AWS is based on a "defense in depth" model where no one, single element is used to secure systems on AWS. Rather, AWS uses a multitude of elements—each acting at different layers of a system—in total to secure the system. AWS is responsible for some layers of this model, and customers are responsible for others. AWS also offers security tools and features of services for customers to use at their discretion. Several of these concepts, tools, and features were discussed in this chapter.

Security Model

The shared responsibility model is the security model where AWS is responsible for the security of the underlying cloud infrastructure, and the customer is responsible for securing workloads deployed in AWS. Customers benefit from a data center and network architecture built to satisfy the requirements of AWS' most security-sensitive customers. This means that customers get a resilient infrastructure, designed for high security, without the capital outlay and operational overhead of a traditional data center.

Account Level Security

AWS credentials help ensure that only authorized users and processes access your AWS account and resources. AWS uses several types of credentials for authentication. These include passwords, cryptographic keys, digital signatures, and certificates. AWS also provides the option of requiring MFA to log in to your AWS account or IAM user accounts.

Passwords are required to access your AWS account, individual IAM user accounts, AWS Discussion Forums, and the AWS Support Center. You specify the password when you first create the account, and you can change it at any time by going to the Security Credentials page.

AWS MFA is an additional layer of security for accessing AWS Cloud services. When you enable this optional feature, you will need to provide a six-digit, single-use code in addition to your standard user name and password credentials before access is granted to your AWS account settings or AWS Cloud services and resources. You get this single-use code from an authentication device that you keep in your physical possession. This is multi-factor because more than one authentication factor is checked before access is granted: a password (something you know) and the precise code from your authentication device (something you have). A virtual MFA device uses a software application that generates six-digit authentication codes that are compatible with the TOTP standard, as described in RFC 6238.
Access Keys are created by AWS IAM and delivered as a pair: the Access Key ID (AKI) and the Secret Access Key (SAK). AWS requires that all API requests be signed by the SAK; that is, they must include a digital signature that AWS can use to verify the identity of the requestor. You calculate the digital signature using a cryptographic hash function. If you use any of the AWS SDKs to generate requests, the digital signature calculation is done for you. The most recent version of the digital signature calculation process at the time of this writing is Signature Version 4, which calculates the signature using the HMAC-SHA-256 protocol.
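The Signature Version 4 calculation, as an added example that is not code from the book or from the AWS SDKs: the canonical request, the string to sign, the four-step HMAC-SHA-256 key derivation that scopes a key to one date, region and service, and the recomputation the service side performs to verify a request. The access key pair, date, region, service and request are constructed placeholders.

```python
"""AWS Signature Version 4: signing and service-side verification."""
import hashlib
import hmac
from urllib.parse import quote

# Constructed placeholder credentials; not a real key pair.
ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"

# Constructed sample request: IAM ListUsers, 2015-08-30 12:36:00 UTC.
SAMPLE = dict(method="GET", uri="/", query={"Version": "2010-05-08", "Action": "ListUsers"},
              headers={"Host": "iam.amazonaws.com", "X-Amz-Date": "20150830T123600Z"},
              payload=b"", amz_date="20150830T123600Z", region="us-east-1", service="iam")


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def derive_signing_key(secret_key: str, date: str, region: str, service: str) -> bytes:
    """Four chained HMACs. The SAK itself never signs a request; the derived key
    is only good for one day, region and service, which limits what a leaked
    derived key can do."""
    k_date = _hmac(("AWS4" + secret_key).encode("utf-8"), date)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def canonical_request(method, uri, query, headers, payload: bytes):
    """Canonical form: method, URI (assumed already URI-encoded), sorted and
    encoded query string, sorted lowercase headers with collapsed whitespace,
    the signed-header list, and the hex SHA-256 of the payload."""
    cq = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                  for k, v in sorted(query.items()))
    lowered = {k.lower().strip(): " ".join(v.split()) for k, v in headers.items()}
    ch = "".join(f"{k}:{lowered[k]}\n" for k in sorted(lowered))
    signed = ";".join(sorted(lowered))
    return "\n".join([method, uri, cq, ch, signed, _sha256_hex(payload)]), signed


def sign_request(method, uri, query, headers, payload, amz_date, region, service,
                 access_key=ACCESS_KEY_ID, secret_key=SECRET_ACCESS_KEY) -> str:
    """Return the Authorization header value for the request."""
    date = amz_date[:8]
    scope = f"{date}/{region}/{service}/aws4_request"
    creq, signed = canonical_request(method, uri, query, headers, payload)
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                _sha256_hex(creq.encode("utf-8"))])
    key = derive_signing_key(secret_key, date, region, service)
    signature = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
            f"SignedHeaders={signed}, Signature={signature}")


def verify_request(authorization, method, uri, query, headers, payload, amz_date,
                   region, service, secret_key=SECRET_ACCESS_KEY) -> bool:
    """The service-side check: recompute the header from the service's copy of
    the SAK and compare in constant time. Any change to a signed element
    (query, signed header, payload, date, region, service) breaks the match."""
    expected = sign_request(method, uri, query, headers, payload, amz_date,
                            region, service, secret_key=secret_key)
    return hmac.compare_digest(expected, authorization)


if __name__ == "__main__":
    print(sign_request(**SAMPLE))
```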
AWS CloudTrail is a web service that records API calls made on your account and delivers log files to your Amazon S3 bucket. AWS CloudTrail's benefit is visibility into account activity by recording API calls made on your account.

Service-Specific Security

In addition to the Shared Responsibility Model and Account Level security, AWS offers security features for each of the services it provides. These security features are outlined below by technology domain.

Compute

Amazon Elastic Compute Cloud (Amazon EC2)
Amazon EC2 supports RSA 2048 SSH-2 key pairs for gaining first access to an Amazon EC2 instance. On a Linux instance, access is granted through showing possession of the SSH private key. On a Windows instance, access is granted by showing possession of the SSH private key in order to decrypt the administrator password.

Amazon Elastic Block Store (Amazon EBS)
Data stored in Amazon EBS volumes is redundantly stored in multiple physical locations within the same Availability Zone as part of normal operation of that service and at no additional charge. AWS provides the ability to encrypt Amazon EBS volumes and their snapshots with AES-256. The encryption occurs on the servers that host the Amazon EC2 instances, providing encryption of data as it moves between Amazon EC2 instances and Amazon EBS storage.

Networking

Elastic Load Balancing
Elastic Load Balancing configures your load balancer with a pre-defined cipher set that is used for TLS negotiation when a connection is established between a client and your load balancer. The pre-defined cipher set provides compatibility with a broad range of clients and uses strong cryptographic algorithms. Elastic Load Balancing allows you to identify the originating IP address of a client connecting to your servers, whether you're using HTTPS or TCP load balancing.

Amazon Virtual Private Cloud (Amazon VPC)
Amazon VPC enables you to create an isolated portion of the AWS Cloud and launch Amazon EC2 instances that have private (RFC 1918) addresses in the range of your choice. Security features within Amazon VPC include security groups, network ACLs, routing tables, and external gateways. Each of these items is complementary to providing a secure, isolated network that can be extended through selective enabling of direct Internet access or private connectivity to another network.

Amazon CloudFront
Amazon CloudFront gives customers an easy way to distribute content to end users with low latency and high data transfer speeds. It delivers dynamic, static, and streaming content using a global network of edge locations. To control access to the original copies of your objects in Amazon S3, Amazon CloudFront allows you to create one or more Origin Access Identities and associate these with your distributions. To control who can download objects from Amazon CloudFront edge locations, the service uses a signed-URL verification system.

Storage

Amazon Simple Storage Service (Amazon S3)
Amazon S3 allows you to upload and retrieve data at any time, from anywhere on the web. Access to data stored in Amazon S3 is restricted by default; only bucket and object owners have access to the Amazon S3 resources they create. You can securely upload and download data to Amazon S3 via the SSL-encrypted endpoints. Amazon S3 supports several methods to encrypt data at rest.

Amazon Glacier
The Amazon Glacier service provides low-cost, secure, and durable storage. You can securely upload and download data to Amazon Glacier via the SSL-encrypted endpoints, and the service automatically encrypts the data using AES-256 and stores it durably in an immutable form.

AWS Storage Gateway
The AWS Storage Gateway service connects your on-premises software appliance with cloud-based storage to provide seamless and secure integration between your IT environment and AWS storage infrastructure. Data is asynchronously transferred from your on-premises storage hardware to AWS over SSL and stored encrypted in Amazon S3 using AES-256.

Database

Amazon DynamoDB
Amazon DynamoDB is a managed NoSQL database service that provides fast and predictable performance with seamless scalability. You can control access at the database level by creating database-level permissions that allow or deny access to items (rows) and attributes (columns) based on the needs of your application.

Amazon Relational Database Service (RDS)
Amazon RDS allows you to quickly create a relational DB Instance and flexibly scale the associated compute resources and storage capacity to meet application demand. You can control Amazon RDS DB Instance access via DB security groups, which act like a firewall controlling network access to your DB Instance. Database security groups default to deny-all access mode, and customers must specifically authorize network ingress. Amazon RDS is supported within an Amazon VPC, and for Multi-AZ deployments, defining a subnet for all Availability Zones in a region will allow Amazon RDS to create a new standby in another Availability Zone should the need arise. You can encrypt connections between your application and your DB Instance using SSL, and you can encrypt data at rest within Amazon RDS instances for all database engines.

Amazon Redshift
Amazon Redshift is a petabyte-scale SQL data warehouse service that runs on highly optimized and managed AWS compute and storage resources. The service enables you to configure firewall rules (security groups) to control network access to your data warehouse cluster. Database users are named user accounts that can connect to a database and are authenticated when they log in to Amazon Redshift. In Amazon Redshift, you grant database user permissions on a per-cluster basis instead of on a per-table basis. You may choose for Amazon Redshift to store all data in user-created tables in an encrypted format using hardware-accelerated AES-256 block encryption keys. This includes all data written to disk and also any backups. Amazon Redshift uses a four-tier, key-based architecture for encryption. These keys consist of data encryption keys, a database key, a cluster key, and a master key.

Amazon ElastiCache
Amazon ElastiCache is a web service that makes it easy to set up, manage, and scale distributed in-memory cache environments in the cloud. Amazon ElastiCache allows you to control access to your Cache Clusters using Cache Security Groups.
A Cache Security Group acts like a firewall, controlling network access to your Cache Cluster.

Application Services

Amazon Simple Queue Service (SQS)
Amazon SQS is a highly reliable, scalable message queuing service that enables asynchronous message-based communication between distributed components of an application. Amazon SQS access is granted based on an AWS account or a user created with AWS IAM. Data stored within Amazon SQS is not encrypted by AWS; however, the user can encrypt data before it is uploaded to Amazon SQS, provided that the application using the queue has a means to decrypt the message when it's retrieved.

Amazon Simple Notification Service (SNS)
Amazon SNS is a web service that makes it easy to set up, operate, and send notifications from the cloud. It provides developers with a highly scalable, flexible, and cost-effective capability to publish messages from an application and immediately deliver them to subscribers or other applications. Amazon SNS allows topic owners to set policies for a topic that restrict who can publish or subscribe to a topic.

Analytics

Amazon Elastic MapReduce (Amazon EMR)
Amazon EMR is a managed web service you can use to run Hadoop clusters that process vast amounts of data by distributing the work and data among several servers. When launching job flows on your behalf, Amazon EMR sets up two Amazon EC2 security groups: one for the master nodes and another for the slaves. You can launch the Amazon EC2 instances of your Amazon EMR cluster into an Amazon VPC, which is like launching it into a private subnet. You can encrypt the input data before you upload it to Amazon S3 using any common data encryption tool. If you do encrypt the data before it is uploaded, you then need to add a decryption step to the beginning of your job flow when Amazon EMR fetches the data from Amazon S3.

Amazon Kinesis
Amazon Kinesis is a managed service designed to handle real-time streaming of big data. You can control logical access to Amazon Kinesis resources and management functions by creating users under your AWS account using AWS IAM and controlling which Amazon Kinesis operations these users have permission to perform. The Amazon Kinesis API is only accessible via an SSL-encrypted endpoint to help ensure secure transmission of your data to AWS.

Deployment and Management

AWS Identity and Access Management (IAM)
AWS IAM allows you to create multiple users and manage the permissions for each of these users within your AWS account. A user is an identity (within an AWS account) with unique security credentials that can be used to access AWS Cloud services. IAM is secure by default; new users have no access to AWS until permissions are explicitly granted. A role is a set of permissions to access specific AWS resources, but these permissions are not tied to a specific IAM user or group.

Mobile Services

Amazon Cognito
Amazon Cognito provides identity and sync services for mobile and web-based applications. Your application authenticates with one of the well-known identity providers such as Google, Facebook, and Amazon using the provider's SDK. After the end user is authenticated with the provider, an OAuth or OpenID Connect token returned from the provider is passed by your application to Amazon Cognito, which returns a new Amazon Cognito ID for the user and a set of temporary, limited-privilege AWS credentials.

Applications

Amazon WorkSpaces
Amazon WorkSpaces is a managed desktop service that allows you to quickly provision cloud-based desktops for your users. Amazon WorkSpaces uses PCoIP, which provides an interactive video stream without transmitting actual data. The PCoIP protocol compresses, encrypts, and encodes the user's desktop computing experience and transmits it as pixels only across any standard IP network to end-user devices. In order to access their WorkSpace, users must sign in using a set of unique credentials or their regular Active Directory credentials. You can also require the use of MFA upon sign-in in the form of a hardware or software token. Amazon WorkSpaces supports MFA using an on-premises RADIUS server or any security provider that supports RADIUS authentication. It currently supports the PAP, CHAP, MS-CHAP1, and MS-CHAP2 protocols, along with RADIUS proxies.
Exam Essentials

Understand the shared responsibility model. AWS is responsible for securing the underlying infrastructure that supports the cloud, and you're responsible for anything you put on the cloud or connect to the cloud.

Understand regions and Availability Zones. Each region is completely independent. Each region is designed to be completely isolated from the other regions. This achieves the greatest possible fault tolerance and stability. Regions are a collection of Availability Zones. Each Availability Zone is isolated, but the Availability Zones in a region are connected through low-latency links.

Understand High-Availability System Design within AWS. You should architect your AWS usage to take advantage of multiple regions and Availability Zones. Distributing applications across multiple Availability Zones provides the ability to remain resilient in the face of most failure modes, including natural disasters or system failures.

Understand the network security of AWS. Network devices, including firewall and other boundary devices, are in place to monitor and control communications at the external boundary of the network and at key internal boundaries within the network. These boundary devices employ rule sets, ACLs, and configurations to enforce the flow of information to specific information system services.

AWS has strategically placed a limited number of access points to the cloud to allow for a more comprehensive monitoring of inbound and outbound communications and network traffic. These customer access points are called API endpoints, and they allow HTTPS access, which allows you to establish a secure communication session with your storage or compute instances within AWS.

Amazon EC2 instances cannot send spoofed network traffic. The AWS-controlled, host-based firewall infrastructure will not permit an instance to send traffic with a source IP or MAC address other than its own.

Unauthorized port scans by Amazon EC2 customers are a violation of the AWS Acceptable Use Policy. Violations of the AWS Acceptable Use Policy are taken seriously, and every reported violation is investigated.

It is not possible for an Amazon EC2 instance running in promiscuous mode to receive or "sniff" traffic that is intended for a different virtual instance.

Understand the use of credentials on AWS. AWS employs several credentials in order to positively identify a person or authorize an API call to the platform. Credentials include:

Passwords: AWS root account or IAM user account login to the AWS Management Console
Multi-Factor Authentication (MFA): AWS root account or IAM user account login to the AWS Management Console
Access Keys: Digitally signed requests to AWS APIs (using the AWS SDK, CLI, or REST/Query APIs)

Understand the proper use of access keys. Because access keys can be misused if they fall into the wrong hands, AWS encourages you to save them in a safe place and not to embed them in your code. For customers with large fleets of elastically-scaling Amazon EC2 instances, the use of IAM roles can be a more secure and convenient way to manage the distribution of access keys.

Understand the value of AWS CloudTrail. AWS CloudTrail is a web service that records API calls made on your account and delivers log files to your Amazon S3 bucket. AWS CloudTrail's benefit is visibility into account activity by recording API calls made on your account.

Understand the security features of Amazon EC2. Amazon EC2 uses public-key cryptography to encrypt and decrypt login information. Public-key cryptography uses a public key to encrypt a piece of data, such as a password, and then the recipient uses the private key to decrypt the data. The public and private keys are known as a key pair.

To log in to your instance, you must create a key pair, specify the name of the key pair when you launch the instance, and provide the private key when you connect to the instance. Linux instances have no password, and you use a key pair to log in using SSH. With Windows instances, you use a key pair to obtain the administrator password and then log in using RDP.

A security group acts as a virtual firewall that controls the traffic for one or more instances. When you launch an instance, you associate one or more security groups with the instance. You add rules to each security group that allow traffic to or from its associated instances. You can modify the rules for a security group at any time; the new rules are automatically applied to all instances that are associated with the security group.

Understand AWS use of encryption of data in transit. All service endpoints support encryption of data in transit via HTTPS.

Know which services offer encryption of data at rest as a feature. The following services offer a feature to encrypt data at rest:

Amazon S3
Amazon EBS
Amazon Glacier
AWS Storage Gateway
Amazon RDS
Amazon Redshift
Amazon WorkSpaces
Exercises

The best way to become familiar with the security features of AWS is to do the exercises for each chapter and inspect the security features offered by the service. Take a look at this list of AWS Cloud services covered in different chapters and their security features:

Chapter 6, AWS IAM
Exercise 6.1: Create an IAM Group
Exercise 6.2: Create a Customized Sign-In Link and Password Policy
Exercise 6.3: Create an IAM User
Exercise 6.4: Create and Use an IAM Role
Exercise 6.5: Rotate Keys
Exercise 6.6: Set Up MFA
Exercise 6.7: Resolve Conflicting Permissions

Chapter 3, Amazon EC2
Exercise 3.1: Launch and Connect to a Linux Instance
Exercise 3.2: Launch a Windows Instance with Bootstrapping

Chapter 3, Amazon EBS
Exercise 3.8: Launch an Encrypted Volume

Chapter 2, Amazon S3
Exercise 2.1: Create an Amazon Simple Storage Service (Amazon S3) Bucket
Exercise 2.2: Upload, Make Public, Rename, and Delete Objects in Your Bucket

Chapter 4, Amazon VPC
Exercise 4.1: Create a Custom Amazon VPC
Exercise 4.2: Create Two Subnets for Your Custom Amazon VPC
Exercise 4.3: Connect Your Amazon VPC to the Internet and Establish Routing
Exercise 4.4: Launch an Amazon EC2 Instance and Test the Connection to the Internet

Chapter 7, Amazon RDS
Exercise 7.1: Create a MySQL Amazon RDS Instance
Exercise 7.2: Simulate a Failover from One AZ to Another
Review Questions

1. Which is an operational process performed by AWS for data security?
A. Advanced Encryption Standard (AES)-256 encryption of data stored on any shared storage device
B. Decommissioning of storage devices using industry-standard practices
C. Background virus scans of Amazon Elastic Block Store (Amazon EBS) volumes and Amazon EBS snapshots
D. Replication of data across multiple AWS regions
E. Secure wiping of Amazon EBS data when an Amazon EBS volume is unmounted

2. You have launched a Windows Amazon Elastic Compute Cloud (Amazon EC2) instance and specified an Amazon EC2 key pair for the instance at launch. Which of the following accurately describes how to log in to the instance?
A. Use the Amazon EC2 key pair to securely connect to the instance via Secure Shell (SSH).
B. Use your AWS Identity and Access Management (IAM) user X.509 certificate to log in to the instance.
C. Use the Amazon EC2 key pair to decrypt the administrator password and then securely connect to the instance via Remote Desktop Protocol (RDP) as the administrator.
D. A key pair is not needed. Securely connect to the instance via RDP.

3. A Database security group controls network access to a database instance that is inside a Virtual Private Cloud (VPC). What access does it allow by default?
A. Access from any IP address for the standard ports that the database uses is provided by default.
B. Access from any IP address for any port is provided by default in the DB security group.
C. No access is provided by default, and any access must be explicitly added with a rule to the DB security group.
D. Access for the database connection string is provided by default in the DB security group.

4. Which encryption algorithm is used by Amazon Simple Storage Service (Amazon S3) to encrypt data at rest with Server-Side Encryption (SSE)?
A. Advanced Encryption Standard (AES)-256
B. RSA 1024
C. RSA 2048
D. AES-128

5. How many access keys may an AWS Identity and Access Management (IAM) user have active at one time?
A. 0
B. 1
C. 2
D. 3

6. Which of the following is the name of the security model employed by AWS with its customers?
A. The shared secret model
B. The shared responsibility model
C. The shared secret key model
D. The secret key responsibility model

7. Which of the following describes the scheme used by an Amazon Redshift cluster leveraging AWS Key Management Service (AWS KMS) to encrypt data-at-rest?
A. Amazon Redshift uses a one-tier, key-based architecture for encryption.
B. Amazon Redshift uses a two-tier, key-based architecture for encryption.
C. Amazon Redshift uses a three-tier, key-based architecture for encryption.
D. Amazon Redshift uses a four-tier, key-based architecture for encryption.

8. Which of the following Elastic Load Balancing options ensures that the load balancer determines which cipher is used for a Secure Sockets Layer (SSL) connection?
A. Client Server Cipher Suite
B. Server Cipher Only
C. First Server Cipher
D. Server Order Preference

9. Which technology does Amazon WorkSpaces use to provide data security?
A. Secure Sockets Layer (SSL)/Transport Layer Security (TLS)
B. Advanced Encryption Standard (AES)-256
C. PC-over-IP (PCoIP)
D. AES-128

10. As a Solutions Architect, how should you architect systems on AWS?
A. You should architect for least cost.
B. You should architect your AWS usage to take advantage of Amazon Simple Storage Service's (Amazon S3) durability.
C. You should architect your AWS usage to take advantage of multiple regions and Availability Zones.
D. You should architect with Amazon Elastic Compute Cloud (Amazon EC2) Auto Scaling to ensure capacity is available when needed.

11. Which security scheme is used by the AWS Multi-Factor Authentication (AWS MFA) token?
A. Time-Based One-Time Password (TOTP)
B. Perfect Forward Secrecy (PFC)
C. Ephemeral Diffie Hellman (EDH)
D. Split-Key Encryption (SKE)

12. DynamoDB tables may contain sensitive data that needs to be protected. Which of the following is a way for you to protect DynamoDB table content? (Choose 2 answers)
A. DynamoDB encrypts all data server-side by default so nothing is required.
B. DynamoDB can store data encrypted with a client-side encryption library solution before storing the data in DynamoDB.
C. DynamoDB obfuscates all data stored so encryption is not required.
D. DynamoDB can be used with the AWS Key Management Service to encrypt the data before storing the data in DynamoDB.
E. DynamoDB should not be used to store sensitive information requiring protection.

13. You have launched an Amazon Linux Elastic Compute Cloud (Amazon EC2) instance into EC2-Classic, and the instance has successfully passed the System Status Check and Instance Status Check. You attempt to securely connect to the instance via Secure Shell (SSH) and receive the response, "WARNING: UNPROTECTED PRIVATE KEY FILE," after which the login fails. Which of the following is the cause of the failed login?
A. You are using the wrong private key.
B. The permissions for the private key are too insecure for the key to be trusted.
C. A security group rule is blocking the connection.
D. A security group rule has not been associated with the private key.

14. Which of the following public identity providers are supported by Amazon Cognito Identity?
A. Amazon
B. Google
C. Facebook
D. All of the above

15. Which feature of AWS is designed to permit calls to the platform from an Amazon Elastic Compute Cloud (Amazon EC2) instance without needing access keys placed on the instance?
A. AWS Identity and Access Management (IAM) instance profile
B. IAM groups
C. IAM roles
D. Amazon EC2 key pairs

16. Which of the following Amazon Virtual Private Cloud (Amazon VPC) elements acts as a stateless firewall?
A. Security group
B. Network Access Control List (ACL)
C. Network Address Translation (NAT) instance
D. An Amazon VPC endpoint

17. Which of the following is the most recent version of the AWS digital signature calculation process?
A. Signature Version 1
B. Signature Version 2
C. Signature Version 3
D. Signature Version 4

18. Which of the following is the name of the feature within Amazon Virtual Private Cloud (Amazon VPC) that allows you to launch Amazon Elastic Compute Cloud (Amazon EC2) instances on hardware dedicated to a single customer?
A. Amazon VPC-based tenancy
B. Dedicated tenancy
C. Default tenancy
D. Host-based tenancy

19. Which of the following describes how Amazon Elastic MapReduce (Amazon EMR) protects access to the cluster?
A. The master node and the slave nodes are launched into an Amazon Virtual Private Cloud (Amazon VPC).
B. The master node supports a Virtual Private Network (VPN) connection from the key specified at cluster launch.
C. The master node is launched into a security group that allows Secure Shell (SSH) and service access, while the slave nodes are launched into a separate security group that only permits communication with the master node.
D. The master node and slave nodes are launched into a security group that allows SSH and service access.

20. To help prevent data loss due to the failure of any single hardware component, Amazon Elastic Block Storage (Amazon EBS) automatically replicates EBS volume data to which of the following?
A. Amazon EBS replicates EBS volume data within the same Availability Zone in a region.
B. Amazon EBS replicates EBS volume data across other Availability Zones within the same region.
C. Amazon EBS replicates EBS volume data across Availability Zones in the same region and in Availability Zones in one other region.
D. Amazon EBS replicates EBS volume data across Availability Zones in the same region and in Availability Zones in every other region.
Chapter13AWSRiskandComplianceTHEAWSCERTIFIEDSOLUTIONSARCHITECTASSOCIATEEXAMOBJECTIVESCOVEREDINTHISCHAPTERMAYINCLUDE,BUTARENOTLIMITEDTO,THEFOLLOWING:Domain2.0:Implementation/Deployment
2.1IdentifytheappropriatetechniquesandmethodsusingAmazonEC2,AmazonSimpleStorageService(AmazonS3),AWSElasticBeanstalk,AWSCloudFormation,AWSOpsWorks,AmazonVirtualPrivateCloud(AmazonVPC),andAWSIdentityandAccessManagement(IAM)tocodeandimplementacloudsolution.
Contentmayincludethefollowing:
Configureservicestosupportcompliancerequirementsinthecloud
Domain3.0:DataSecurity
3.1Recognizeandimplementsecurepracticesforoptimumclouddeploymentandmaintenance.
Contentmayincludethefollowing:
Sharedsecurityresponsibilitymodel
SecurityArchitecturewithAWS
AWSplatformcompliance
AWSsecurityattributes
Designpatterns
![Page 432: Certified Solutions Architect Official Guide/AWS Certified... · Chapter 1: Introduction to AWS Chapter 2: Amazon Simple Storage Service (Amazon S3) and Amazon Glacier Storage Chapter](https://reader034.vdocuments.us/reader034/viewer/2022051812/602c405cb445ae68a568d84c/html5/thumbnails/432.jpg)
IntroductionAWSanditscustomerssharecontrolovertheITenvironment,sobothpartieshaveresponsibilityformanagingthatenvironment.AWSpartinthissharedresponsibilityincludesprovidingitsservicesonahighlysecureandcontrolledplatformandprovidingawidearrayofsecurityfeaturescustomerscanuse.
ThecustomerisresponsibleforconfiguringtheirITenvironmentinasecureandcontrolledmannerfortheirpurposes.Whilecustomersdon’tcommunicatetheiruseandconfigurationstoAWS,AWSdoescommunicatewithcustomersregardingitssecurityandcontrolenvironment,asrelevant.AWSdisseminatesthisinformationusingthreeprimarymechanisms.First,AWSworksdiligentlytoobtainindustrycertificationsandindependentthird-partyattestations.Second,AWSopenlypublishesinformationaboutitssecurityandcontrolpracticesinwhitepapersandwebsitecontent.Finally,AWSprovidescertificates,reports,andotherdocumentationdirectlytoitscustomersunderNon-DisclosureAgreements(NDAs)asrequired.
![Page 433: Certified Solutions Architect Official Guide/AWS Certified... · Chapter 1: Introduction to AWS Chapter 2: Amazon Simple Storage Service (Amazon S3) and Amazon Glacier Storage Chapter](https://reader034.vdocuments.us/reader034/viewer/2022051812/602c405cb445ae68a568d84c/html5/thumbnails/433.jpg)
OverviewofComplianceinAWSWhencustomersmovetheirproductionworkloadstotheAWScloud,bothpartiesbecomeresponsibleformanagingtheITenvironment.Thecustomersareresponsibleforsettinguptheirenvironmentinasecureandcontrolledmanner.ThecustomersalsoneedtomaintainadequategovernanceovertheirentireITcontrolenvironment.ThissectiondescribestheAWSsharedresponsibilitymodelandgivesadviceforhowtoestablishstrongcompliance.
SharedResponsibilityModelAsmentionedinChapter12,“SecurityonAWS,”ascustomersmigratetheirITenvironmentstoAWS,theycreateamodelofsharedresponsibilitybetweenthemselvesandAWS.Thissharedresponsibilitymodelcanhelplessenacustomer’sIToperationalburden,asitisAWSresponsibilitytomanagethecomponentsfromthehostoperatingsystemandvirtualizationlayerdowntothephysicalsecurityofthedatacentersinwhichtheseservicesoperate.Thecustomerisresponsibleforthecomponentsfromtheguestoperatingsystemupward(includingupdates,securitypatches,andantivirussoftware).Thecustomerisalsoresponsibleforanyotherapplicationsoftware,aswellastheconfigurationofsecuritygroups,VirtualPrivateClouds(VPCs),andsoon.
While AWS manages the security of the cloud, security in the cloud is the responsibility of the customer. Customers retain control of what security they choose to implement to protect their own content, platform, applications, systems, and networks, no differently than they would for applications in an on-site data center. Figure 13.1 illustrates the demarcation between customer and AWS responsibilities.
FIGURE 13.1 Shared responsibility model
Customers need to be aware of any applicable laws and regulations with which they have to comply, and then they must consider whether the services that they consume on AWS are compliant with these laws. In some cases, it may be necessary to enhance an existing platform on AWS with additional security measures (such as deploying a web application firewall, Intrusion Detection System [IDS], or Intrusion Prevention System [IPS], or using some form of encryption for data at rest).
This customer/AWS shared responsibility model is not just limited to security considerations, but it also extends to IT controls. For example, the management, operation, and verification of IT controls are shared between AWS and the customer. Before moving to the AWS Cloud, customers were responsible for managing all of the IT controls in their environments. AWS manages the controls for the physical infrastructure, thereby taking the undifferentiated heavy lifting from customers, allowing them to focus on managing the relevant IT controls. Because every customer is deployed differently in AWS, customers can shift management of certain IT controls to AWS. This change in management of IT controls results in a new, distributed control environment. Customers can then use the AWS control and compliance documentation available to them to perform their control evaluation and verification procedures as required.
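Security group configuration sits squarely on the customer's side of the line in Figure 13.1, so it is a natural place for a customer-owned verification control. The following is an added example, not code from the book or from AWS: it audits security group ingress rules for sources that cover the whole Internet and grades them against the ports a public tier is documented to expose. It assumes the JSON shape that the EC2 DescribeSecurityGroups API returns (a "SecurityGroups" list whose entries carry "IpPermissions"); the three sample groups, their ids and the allowed-port list are constructed for the example.

```python
"""Audit EC2 security group ingress rules (customer side of the shared
responsibility model).

Added illustration, not from the book or AWS. Assumes the JSON shape
returned by the EC2 DescribeSecurityGroups API; SAMPLE_GROUPS below is
constructed sample data with placeholder group ids.
"""
import ipaddress

# Ports a public-facing tier is expected to expose to the world.
# Assumption for the example; align with the workload's documented needs.
PUBLIC_PORTS = {80, 443}


def _world_reachable(rule):
    """True if any source CIDR of the rule is 0.0.0.0/0 or ::/0."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return any(ipaddress.ip_network(c, strict=False).prefixlen == 0 for c in cidrs)


def _ports(rule):
    """Port range a rule opens; protocol "-1" means every port of every protocol."""
    if rule.get("IpProtocol") == "-1":
        return (0, 65535)
    return (rule.get("FromPort", 0), rule.get("ToPort", 65535))


def audit_security_groups(groups, public_ports=PUBLIC_PORTS):
    """Return one finding per ingress rule reachable from the whole Internet.

    A world-open rule confined to the allowed public ports is reported as
    "info"; every other world-open rule (management ports such as 22 or
    3389, all-protocol rules, broad port ranges) is reported as "high".
    Findings are returned in group order, then rule order.
    """
    findings = []
    for sg in groups:
        for rule in sg.get("IpPermissions", []):
            if not _world_reachable(rule):
                continue
            lo, hi = _ports(rule)
            opened = set(range(lo, hi + 1))
            findings.append({
                "group_id": sg["GroupId"],
                "group_name": sg.get("GroupName", ""),
                "protocol": rule.get("IpProtocol"),
                "from_port": lo,
                "to_port": hi,
                "severity": "info" if opened <= public_ports else "high",
            })
    return findings


# Constructed sample: three groups in the DescribeSecurityGroups shape.
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0123456789abcdef0",  # placeholder id
        "GroupName": "web-tier",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
    {
        "GroupId": "sg-0fedcba9876543210",  # placeholder id
        "GroupName": "db-tier",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
             "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
        ],
    },
    {
        "GroupId": "sg-00000000000000abc",  # placeholder id
        "GroupName": "legacy-allow-all",
        "IpPermissions": [
            {"IpProtocol": "-1",
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
]


if __name__ == "__main__":
    for f in audit_security_groups(SAMPLE_GROUPS):
        print(f"{f['severity']:<4} {f['group_name']:<18} {f['group_id']} "
              f"{f['protocol']} {f['from_port']}-{f['to_port']}")
```

Against the sample data the audit yields three findings: the 443 rule on web-tier is informational, while the world-open port 22 rule and the all-protocol legacy group are rated high; the database group, reachable only from the VPC range, produces nothing. To run it against a real account, replace SAMPLE_GROUPS with the "SecurityGroups" list from boto3's ec2 describe_security_groups call; the review of its output is exactly the kind of customer-owned verification activity the methodology in this section asks for.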
Strong Compliance Governance
It is still the customers' responsibility to maintain adequate governance over the entire IT control environment, regardless of how their IT is deployed (whether it is on-premises, on the cloud, or part of a hybrid environment). By deploying to the AWS Cloud, customers have options to apply different types of controls and various verification methods.
To achieve strong compliance and governance, customers may want to follow this basic methodology:
1. Take a holistic approach. Review the information available from AWS together with all other information to understand as much of the IT environment as they can. After this is complete, document all compliance requirements.
2. Design and implement control objectives to meet the organization's compliance requirements.
3. Identify and document controls owned by all third parties.
4. Verify that all control objectives are met and all key controls are designed and operating effectively.
By using this basic methodology, customers can gain a better understanding of their control environment. Ultimately, this will streamline the process and help separate any verification activities that need to be performed.
Evaluating and Integrating AWS Controls
AWS provides customers with a wide range of information regarding its IT control environment through whitepapers, reports, certifications, and other third-party attestations. This documentation assists customers in understanding the controls in place relevant to the AWS Cloud services they use and how those controls have been validated. This information also assists customers in their efforts to account for and validate that controls in their extended IT environment are operating effectively.
Traditionally, the design and operating effectiveness of controls and control objectives are validated by internal and/or external auditors via process walkthroughs and evidence evaluation. Direct observation and verification, by the customer or the customer's external auditor, is generally performed to validate controls. In the case where service providers such as AWS are used, companies request and evaluate third-party attestations and certifications in order to gain reasonable assurance of the design and operating effectiveness of controls and control objectives. As a result, although a customer's key controls may be managed by AWS, the control environment can still be a unified framework in which all controls are accounted for and are verified as operating effectively. AWS third-party attestations and certifications not only provide a higher level of validation of the control environment, but may also relieve customers of the requirement to perform certain validation work themselves.
AWS IT Control Information
AWS provides IT control information to customers in the following two ways.
Specific Control Definition
AWS customers can identify key controls managed by AWS. Key controls are critical to the customer's control environment and require an external attestation of the operating effectiveness of these key controls in order to meet compliance requirements (for example, an annual financial audit). For this purpose, AWS publishes a wide range of specific IT controls in its Service Organization Controls 1 (SOC 1) Type II report. The SOC 1 Type II report, formerly the Statement on Auditing Standards (SAS) No. 70, is a widely recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA). The SOC 1 audit is an in-depth audit of both the design and operating effectiveness of AWS-defined control objectives and control activities (which include control objectives and control activities over the part of the infrastructure that AWS manages). "Type II" refers to the fact that each of the controls described in the report is not only evaluated for adequacy of design, but is also tested for operating effectiveness by the external auditor. Because of the independence and competence of AWS's external auditor, controls identified in the report should provide customers with a high level of confidence in the AWS control environment.
AWS controls can be considered effectively designed and operating for many compliance purposes, including Sarbanes-Oxley (SOX) Section 404 financial statement audits. Leveraging SOC 1 Type II reports is also generally permitted by other external certifying bodies. For example, International Organization for Standardization (ISO) 27001 auditors may request a SOC 1 Type II report in order to complete their evaluations for customers.
General Control Standard Compliance
If an AWS customer requires a broad set of control objectives to be met, evaluation of AWS industry certifications may be performed. With the ISO 27001 certification, AWS complies with a broad, comprehensive security standard and follows best practices in maintaining a secure environment. With the Payment Card Industry (PCI) Data Security Standard (DSS) certification, AWS complies with a set of controls important to companies that handle credit card information. AWS compliance with Federal Information Security Management Act (FISMA) standards means that AWS complies with a wide range of specific controls required by U.S. government agencies. AWS compliance with these general standards provides customers with in-depth information on the comprehensive nature of the controls and security processes in place in the AWS Cloud.
AWS Global Regions
The AWS Cloud infrastructure is built around regions and Availability Zones. A region is a physical location in the world where AWS has multiple Availability Zones. Availability Zones consist of one or more discrete data centers, each with redundant power, networking, and connectivity, housed in separate facilities. These Availability Zones offer customers the ability to operate production applications and databases that are more highly available, fault tolerant, and scalable than would be possible using a single data center.
As of this writing, the AWS Cloud operates 33 Availability Zones within 12 geographic regions around the world. The 12 regions are US East (Northern Virginia), US West (Oregon), US West (Northern California), AWS GovCloud (US) (Oregon), EU (Frankfurt), EU (Ireland), Asia Pacific (Singapore), Asia Pacific (Tokyo), Asia Pacific (Sydney), Asia Pacific (Seoul), China (Beijing), and South America (Sao Paulo).
AWS Risk and Compliance Program
AWS Risk and Compliance is designed to build on traditional programs and help customers establish and operate in an AWS security control environment. AWS provides detailed information about its risk and compliance program to enable customers to incorporate AWS controls into their governance frameworks. This information can assist customers in documenting complete control and governance frameworks in which AWS is included as an important part.
The three core areas of the risk and compliance program (risk management, control environment, and information security) are described next.
Risk Management
AWS has developed a strategic business plan that includes risk identification and the implementation of controls to mitigate or manage risks. An AWS management team reevaluates the business risk plan at least twice a year. As a part of this process, management team members are required to identify risks within their specific areas of responsibility and implement controls designed to address and perhaps even eliminate those risks.
The AWS control environment is subject to additional internal and external risk assessments. The AWS compliance and security teams have established an information security framework and policies based on the Control Objectives for Information and Related Technology (COBIT) framework, and they have effectively integrated the ISO 27001 certifiable framework based on ISO 27002 controls, AICPA Trust Services Principles, PCI DSS v3.1, and the National Institute of Standards and Technology (NIST) Publication 800-53, Revision 3, Recommended Security Controls for Federal Information Systems. AWS maintains the security policy and provides security training to its employees. Additionally, AWS performs regular application security reviews to assess the confidentiality, integrity, and availability of data, and conformance to the information security policy.
The AWS security team regularly scans any public-facing endpoint IP addresses for vulnerabilities. It is important to understand that these scans do not include customer instances. AWS security notifies the appropriate parties to remediate any identified vulnerabilities. In addition, independent security firms regularly perform external vulnerability threat assessments. Findings and recommendations resulting from these assessments are categorized and delivered to AWS leadership. These scans are done for the health and viability of the underlying AWS infrastructure and are not meant to replace the customer's own vulnerability scans that are required to meet their specific compliance requirements.
As mentioned in Chapter 12, customers can request permission to conduct their own vulnerability scans on their own environments. These vulnerability scans must not violate the AWS acceptable use policy, and they must be requested in advance of the scan.
Control Environment
AWS manages a comprehensive control environment that consists of policies, processes, and control activities. This control environment is in place for the secure delivery of AWS service offerings. The collective control environment includes the people, processes, and technology necessary to establish and maintain an environment that supports the operating effectiveness of the AWS control framework. AWS has integrated applicable, cloud-specific controls identified by leading cloud computing industry bodies into the AWS control framework. AWS continues to monitor these industry groups for ideas on which leading practices can be implemented to better assist customers with managing their control environments.
The control environment at AWS begins at the highest level of the company. Executive and senior leadership play important roles in establishing the company's tone and core values. Every employee is provided with the company's code of business conduct and ethics and completes periodic training. Compliance audits are performed so that employees understand and follow the established policies.
The AWS organizational structure provides a framework for planning, executing, and controlling business operations. The organizational structure assigns roles and responsibilities to provide for adequate staffing, efficiency of operations, and the segregation of duties. Management has also established authority and appropriate lines of reporting for key personnel. Included as part of the company's hiring verification processes are education, previous employment, and, in some cases, background checks as permitted by law for employees commensurate with the employee's position and level of access to AWS facilities. The company follows a structured onboarding process to familiarize new employees with Amazon tools, processes, systems, policies, and procedures.
Information Security
AWS uses a formal information security program that is designed to protect the confidentiality, integrity, and availability of customers' systems and data. AWS publishes several security whitepapers that are available on the main AWS website. These whitepapers are recommended reading prior to taking the AWS Solutions Architect Associate exam.
AWS Reports, Certifications, and Third-Party Attestations
AWS engages with external certifying bodies and independent auditors to provide customers with considerable information regarding the policies, processes, and controls established and operated by AWS. A high-level description of the various AWS reports, certifications, and attestations is provided here.
Criminal Justice Information Services (CJIS)—AWS complies with the Federal Bureau of Investigation's (FBI) CJIS standard. AWS signs CJIS security agreements with AWS customers, which include allowing or performing any required employee background checks according to the CJIS security policy.
Cloud Security Alliance (CSA)—In 2011, the CSA launched the Security, Trust, & Assurance Registry (STAR), an initiative to encourage transparency of security practices within cloud providers. CSA STAR is a free, publicly accessible registry that documents the security controls provided by various cloud computing offerings, thereby helping users assess the security of cloud providers they currently use or with whom they are considering contracting. AWS is a CSA STAR registrant and has completed the CSA Consensus Assessments Initiative Questionnaire (CAIQ).
Cyber Essentials Plus—Cyber Essentials Plus is a UK government-backed, industry-supported certification scheme introduced in the UK to help organizations demonstrate operational security against common cyber-attacks. It demonstrates the baseline controls that AWS implements to mitigate the risk from common Internet-based threats within the context of the UK government's "10 Steps to Cyber Security." It is backed by industry, including the Federation of Small Businesses, the Confederation of British Industry, and a number of insurance organizations that offer incentives for businesses holding this certification.
Department of Defense (DoD) Cloud Security Model (SRG)—The DoD SRG provides a formalized assessment and authorization process for Cloud Service Providers (CSPs) to gain a DoD provisional authorization, which can subsequently be leveraged by DoD customers. A provisional authorization under the SRG provides a reusable certification that attests to AWS compliance with DoD standards, reducing the time necessary for a DoD mission owner to assess and authorize one of their systems for operation on AWS. As of this writing, AWS holds provisional authorizations at Levels 2 (all AWS US-based regions) and 4 (AWS GovCloud [US]) of the SRG.
Federal Risk and Authorization Management Program (FedRAMP)—AWS is a FedRAMP-compliant CSP. AWS has completed the testing performed by a FedRAMP-accredited third-party assessment organization (3PAO) and has been granted two Agency Authority to Operate (ATOs) by the U.S. Department of Health and Human Services (HHS) after demonstrating compliance with FedRAMP requirements at the moderate impact level.
Family Educational Rights and Privacy Act (FERPA)—FERPA (20 U.S.C. § 1232g; 34 CFR Part 99) is a federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. FERPA gives parents certain rights with respect to their children's education records. These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level. Students to whom the rights have transferred are "eligible students." AWS enables covered entities and their business associates subject to FERPA to leverage the secure AWS environment to process, maintain, and store protected education information.
Federal Information Processing Standard (FIPS) 140-2—FIPS Publication 140-2 is a US government security standard that specifies the security requirements for cryptographic modules protecting sensitive information. To support customers with FIPS 140-2 requirements, Secure Sockets Layer (SSL) terminations in AWS GovCloud (US) operate using FIPS 140-2-validated hardware. AWS works with AWS GovCloud (US) customers to provide the information they need to help manage compliance when using the AWS GovCloud (US) environment.
FISMA and DoD Information Assurance Certification and Accreditation Process (DIACAP)—AWS enables U.S. government agencies to achieve and sustain compliance with FISMA. The AWS infrastructure has been evaluated by independent assessors for a variety of government systems as part of their system owners' approval process. Numerous federal civilian and DoD organizations have successfully achieved security authorizations for systems hosted on AWS in accordance with the Risk Management Framework (RMF) process defined in NIST 800-37 and DIACAP.
Health Insurance Portability and Accountability Act (HIPAA)—AWS enables covered entities and their business associates subject to HIPAA to leverage the secure AWS environment to process, maintain, and store protected health information. AWS signs business associate agreements with such customers.
Information Security Registered Assessors Program (IRAP)—IRAP enables Australian government customers to validate that appropriate controls are in place and determine the appropriate responsibility model for addressing the needs of the Australian Signals Directorate (ASD) Information Security Manual (ISM). AWS has completed an independent assessment that has determined that all applicable ISM controls are in place relating to the processing, storage, and transmission of Unclassified Dissemination Limiting Marker (DLM) workloads for the Asia Pacific (Sydney) region.
ISO 9001—AWS has achieved ISO 9001 certification. AWS ISO 9001 certification directly supports customers who develop, migrate, and operate their quality-controlled IT systems in the AWS Cloud. Customers can leverage AWS compliance reports as evidence for their own ISO 9001 programs and industry-specific quality programs, such as Good Laboratory, Clinical, or Manufacturing Practices (GxP) in life sciences, ISO 13485 in medical devices, AS9100 in aerospace, and ISO Technical Specification (ISO/TS) 16949 in the automotive industry. AWS customers who don't have quality system requirements can still benefit from the additional assurance and transparency that an ISO 9001 certification provides.
ISO 27001—AWS has achieved ISO 27001 certification of the Information Security Management System (ISMS) covering AWS infrastructure, data centers, and services that are detailed in the AWS Risk and Compliance whitepaper, available on the AWS website.
ISO 27017—ISO 27017 is the newest code of practice released by ISO. It provides implementation guidance on information security controls that specifically relate to cloud services. AWS has achieved ISO 27017 certification of the ISMS covering AWS infrastructure, data centers, and services that are detailed in the AWS Risk and Compliance whitepaper, available on the AWS website.
ISO 27018—This is the first international code of practice that focuses on protection of personal data in the cloud. It is based on ISO information security standard 27002, and it provides implementation guidance on ISO 27002 controls applicable to public cloud-related Personally Identifiable Information (PII). It also provides a set of controls and associated guidance intended to address public cloud PII protection requirements not addressed by the existing ISO 27002 control set. AWS has achieved ISO 27018 certification of the AWS ISMS covering AWS infrastructure, data centers, and services that are detailed in the AWS Risk and Compliance whitepaper, available on the AWS website.
U.S. International Traffic in Arms Regulations (ITAR)—The AWS GovCloud (US) region supports ITAR compliance. As a part of managing a comprehensive ITAR compliance program, companies subject to ITAR export regulations must control unintended exports by restricting access to protected data to U.S. persons and restricting the physical location of that data to the U.S. AWS GovCloud (US) provides an environment physically located in the United States where access by AWS personnel is limited to U.S. persons, thereby allowing qualified companies to transmit, process, and store protected articles and data subject to ITAR restrictions. The AWS GovCloud (US) environment has been audited by an independent third party to validate that the proper controls are in place to support customer export compliance programs for this requirement.
Motion Picture Association of America (MPAA)—MPAA has established a set of best practices for securely storing, processing, and delivering protected media and content. Media companies use these best practices as a way to assess risk and security of their content and infrastructure. AWS has demonstrated alignment with the MPAA best practices, and the AWS infrastructure is compliant with all applicable MPAA infrastructure controls. While MPAA does not offer a certification, media industry customers can use the AWS MPAA documentation to augment their risk assessment and evaluation of MPAA-type content on AWS.
Multi-Tier Cloud Security (MTCS) Tier 3 Certification—MTCS is an operational Singapore security management standard (SPRING SS 584:2013) based on the ISO 27001/02 ISMS standards.
NIST—In June 2015, NIST released guideline 800-171, Final Guidelines for Protecting Sensitive Government Information Held by Contractors. This guidance is applicable to the protection of Controlled Unclassified Information (CUI) on non-federal systems. AWS is already compliant with these guidelines, and customers can effectively comply with NIST 800-171 immediately. NIST 800-171 outlines a subset of the NIST 800-53 requirements, a guideline under which AWS has already been audited under the FedRAMP program. The FedRAMP moderate security control baseline is more rigorous than the recommended requirements established in NIST 800-171, and it includes a significant number of security controls above and beyond those required of FISMA moderate systems that protect CUI data.
PCI DSS Level 1—AWS is Level 1-compliant under PCI DSS. Customers can run applications on the AWS PCI-compliant technology infrastructure for storing, processing, and transmitting credit card information in the cloud. In February 2013, the PCI Security Standards Council released the PCI DSS cloud computing guidelines. These guidelines provide customers who are managing a cardholder data environment with considerations for maintaining PCI DSS controls in the cloud. AWS has incorporated the PCI DSS cloud computing guidelines into the AWS PCI compliance package for customers.
SOC 1/International Standards for Assurance Engagements No. 3402 (ISAE 3402)—AWS publishes a SOC 1, Type II report. The audit for this report is conducted in accordance with AICPA: AT 801 (formerly Statement on Standards for Attestation Engagements No. 16 [SSAE 16]) and ISAE 3402. This dual-standard report is intended to meet a broad range of financial auditing requirements for U.S. and international auditing bodies. The SOC 1 report audit attests that AWS control objectives are appropriately designed and that the individual controls defined to safeguard customer data are operating effectively. This report is the replacement of the SAS 70, Type II audit report.
SOC 2—In addition to the SOC 1 report, AWS publishes a SOC 2, Type II report. Similar to SOC 1 in the evaluation of controls, the SOC 2 report is an attestation report that expands the evaluation of controls to the criteria set forth by the AICPA trust services principles. These principles define leading practice controls relevant to security, availability, processing integrity, confidentiality, and privacy applicable to service organizations such as AWS. The AWS SOC 2 is an evaluation of the design and operating effectiveness of AWS controls that meet the criteria for the security and availability principles set forth in the AICPA trust services principles criteria. The report provides additional transparency into AWS security and availability based on a predefined industry standard of leading practices and further demonstrates AWS's commitment to protecting customer data. The SOC 2 report scope covers the same services covered in the SOC 1 report.
SOC 3—AWS publishes a SOC 3 report. The SOC 3 report is a publicly available summary of the AWS SOC 2 report. The report includes the external auditor's opinion of the operation of controls (based on the AICPA security trust principles included in the SOC 2 report), the assertion from AWS management regarding the effectiveness of controls, and an overview of AWS infrastructure and services. The AWS SOC 3 report includes all AWS data centers worldwide that support in-scope services. This is a great resource for customers to validate that AWS has obtained external auditor assurance without going through the process of requesting a SOC 2 report. The SOC 3 report covers the same services covered in the SOC 1 report.
Summary
AWS communicates with customers regarding its security and control environment through the following mechanisms:
Obtaining industry certifications and independent third-party attestations
Publishing information about security and AWS control practices via the website, whitepapers, and blogs
Directly providing customers with certificates, reports, and other documentation (under NDA in some cases)
The shared responsibility model is not just limited to security considerations; it also extends to IT controls. The management, operation, and verification of IT controls are shared between AWS and the customer. AWS manages these controls where they relate to the physical infrastructure, and the customer manages these controls for the guest operating systems and upward (depending on the service).
It is the customer's responsibility to maintain adequate governance over the entire IT control environment, regardless of how their IT is deployed (on-premises, cloud, or hybrid). By deploying to the AWS Cloud, customers have different options for applying different types of controls and various verification methods that align with their business requirements.
The control environment for AWS contains a large volume of information. This information is provided to customers through whitepapers, reports, certifications, and other third-party attestations. AWS provides IT control information to customers in two ways: specific control definition and general control standard compliance.
AWS provides documentation about its risk and compliance program. This documentation can enable customers to include AWS controls in their governance frameworks. The three core areas of the risk and compliance program are risk management, control environment, and information security.
AWS has achieved a number of internationally recognized certifications and accreditations that demonstrate AWS compliance with third-party assurance frameworks, including:
FedRAMP
FIPS 140-2
FISMA and DIACAP
HIPAA
ISO 9001
ISO 27001
ITAR
PCI DSS Level 1
SOC 1/ISAE 3402
SOC 2
SOC 3
AWS is constantly listening to customers and examining other certifications for the future.
Exam Essentials
Understand the shared responsibility model. The shared responsibility model is not just limited to security considerations; it also extends to IT controls. For example, the management, operation, and verification of IT controls are shared between AWS and the customer. AWS manages these controls where they relate to physical infrastructure.
Remember that IT governance is the customer's responsibility. It is the customer's responsibility to maintain adequate governance over the entire IT control environment, regardless of how its IT is deployed (on-premises, cloud, or hybrid).
Understand how AWS provides control information. AWS provides IT control information to customers in two ways: via specific control definition and through a more general control standard compliance.
Remember that AWS is very proactive about risk management. AWS takes risk management very seriously, so it has developed a business plan to identify any risks and to implement controls to mitigate or manage those risks. An AWS management team reevaluates the business risk plan at least twice a year. As a part of this process, management team members are required to identify risks within their specific areas of responsibility and then implement controls designed to address and perhaps even eliminate those risks.
Remember that the control environment is not just about technology. The AWS control environment consists of policies, processes, and control activities. This control environment includes people, processes, and technology.
Remember the key reports, certifications, and third-party attestations. The key reports, certifications, and third-party attestations include, but are not limited to, the following:
FedRAMP
FIPS 140-2
FISMA and DIACAP
HIPAA
ISO 9001
ISO 27001
ITAR
PCI DSS Level 1
SOC 1/ISAE 3402
SOC 2
SOC 3
Review Questions
1. AWS communicates with customers regarding its security and control environment through a variety of different mechanisms. Which of the following are valid mechanisms? (Choose 3 answers)
A. Obtaining industry certifications and independent third-party attestations
B. Publishing information about security and AWS control practices via the website, whitepapers, and blogs
C. Directly providing customers with certificates, reports, and other documentation (under NDA in some cases)
D. Allowing customers' auditors direct access to AWS data centers, infrastructure, and senior staff
2. Which of the following statements is true when it comes to the AWS shared responsibility model?
A. The shared responsibility model is limited to security considerations only; it does not extend to IT controls.
B. The shared responsibility model is only applicable for customers who want to be compliant with SOC 1 Type II.
C. The shared responsibility model is not just limited to security considerations; it also extends to IT controls.
D. The shared responsibility model is only applicable for customers who want to be compliant with ISO 27001.
3. AWS provides IT control information to customers in which of the following ways?
A. By using specific control definitions or through general control standard compliance
B. By using specific control definitions or through SAS 70
C. By using general control standard compliance and by complying with ISO 27001
D. By complying with ISO 27001 and SOC 1 Type II
4. Which of the following is a valid report, certification, or third-party attestation for AWS? (Choose 3 answers)
A. SOC 1
B. PCI DSS Level 1
C. SOC 4
D. ISO 27001
5. Which of the following statements is true?
A. IT governance is still the customer's responsibility, despite deploying their IT estate onto the AWS platform.
B. The AWS platform is PCI DSS-compliant to Level 1. Customers can deploy their web applications to this platform, and they will be PCI DSS-compliant automatically.
C. The shared responsibility model applies to IT security only; it does not relate to governance.
D. AWS doesn't take risk management very seriously, and it's up to the customer to mitigate risks to the AWS infrastructure.
6. Which of the following statements is true when it comes to the risk and compliance advantages of the AWS environment?
A. Workloads must be moved entirely into the AWS Cloud in order to be compliant with various certifications and third-party attestations.
B. The critical components of a workload must be moved entirely into the AWS Cloud in order to be compliant with various certifications and third-party attestations, but the non-critical components do not.
C. The non-critical components of a workload must be moved entirely into the AWS Cloud in order to be compliant with various certifications and third-party attestations, but the critical components do not.
D. Few, many, or all components of a workload can be moved to the AWS Cloud, but it is the customer's responsibility to ensure that their entire workload remains compliant with various certifications and third-party attestations.
7. Which of the following statements best describes an Availability Zone?
A. Each Availability Zone consists of a single discrete data center with redundant power and networking/connectivity.
B. Each Availability Zone consists of multiple discrete data centers with redundant power and networking/connectivity.
C. Each Availability Zone consists of multiple discrete regions, each with a single data center with redundant power and networking/connectivity.
D. Each Availability Zone consists of multiple discrete data centers with shared power and redundant networking/connectivity.
8. With regard to vulnerability scans and threat assessments of the AWS platform, which of the following statements are true? (Choose 2 answers)
A. AWS regularly performs scans of public-facing endpoint IP addresses for vulnerabilities.
B. Scans performed by AWS include customer instances.
C. AWS security notifies the appropriate parties to remediate any identified vulnerabilities.
D. Customers can perform their own scans at any time without advance notice.
9. Which of the following best describes the risk and compliance communication responsibilities of customers to AWS?
A. AWS and customers both communicate their security and control environment information to each other at all times.
B. AWS publishes information about the AWS security and control practices online, and directly to customers under NDA. Customers do not need to communicate their use and configurations to AWS.
C. Customers communicate their use and configurations to AWS at all times. AWS does not communicate AWS security and control practices to customers for security reasons.
D. Both customers and AWS keep their security and control practices entirely confidential and do not share them in order to ensure the greatest security for all parties.
10. When it comes to risk management, which of the following is true?
A. AWS does not develop a strategic business plan; risk management and mitigation is entirely the responsibility of the customer.
B. AWS has developed a strategic business plan to identify any risks and implemented controls to mitigate or manage those risks. Customers do not need to develop and maintain their own risk management plans.
C. AWS has developed a strategic business plan to identify any risks and has implemented controls to mitigate or manage those risks. Customers should also develop and maintain their own risk management plans to ensure they are compliant with any relevant controls and certifications.
D. Neither AWS nor the customer needs to worry about risk management, so no plan is needed from either party.
11. The AWS control environment is in place for the secure delivery of AWS Cloud service offerings. Which of the following does the collective control environment NOT explicitly include?
A. People
B. Energy
C. Technology
D. Processes
12. Who is responsible for the configuration of security groups in an AWS environment?
A. The customer and AWS are both jointly responsible for ensuring that security groups are correctly and securely configured.
B. AWS is responsible for ensuring that all security groups are correctly and securely configured. Customers do not need to worry about security group configuration.
C. Neither AWS nor the customer is responsible for the configuration of security groups; security groups are intelligently and automatically configured using traffic heuristics.
D. AWS provides the security group functionality as a service, but the customer is responsible for correctly and securely configuring their own security groups.
13. Which of the following is NOT a recommended approach for customers trying to achieve strong compliance and governance over an entire IT control environment?
A. Take a holistic approach: review information available from AWS together with all other information, and document all compliance requirements.
B. Verify that all control objectives are met and all key controls are designed and operating effectively.
C. Implement generic control objectives that are not specifically designed to meet their organization's compliance requirements.
D. Identify and document controls owned by all third parties.
Chapter 14 Architecture Best Practices

THE AWS CERTIFIED SOLUTIONS ARCHITECT ASSOCIATE EXAM OBJECTIVES COVERED IN THIS CHAPTER MAY INCLUDE, BUT ARE NOT LIMITED TO, THE FOLLOWING:
Domain 1.0: Designing highly available, cost-efficient, fault-tolerant, and scalable systems
1.1 Identify and recognize cloud architecture considerations, such as fundamental components and effective designs.
Content may include the following:
How to design cloud services
Planning and design
Familiarity with:
Best practices for AWS architecture
Hybrid IT architectures (e.g., AWS Direct Connect, AWS Storage Gateway, Amazon Virtual Private Cloud [Amazon VPC], AWS Directory Service)
Elasticity and scalability (e.g., Auto Scaling, Amazon Simple Queue Service [Amazon SQS], Elastic Load Balancing, Amazon CloudFront)
Introduction
For several years, software architects have created and implemented patterns and best practices to build highly scalable applications. Whether migrating existing applications to the cloud or building new applications on the cloud, these concepts are even more important because of ever-growing datasets, unpredictable traffic patterns, and the demand for faster response times.
Migrating applications to AWS, even without significant changes, provides organizations with the benefits of a secured and cost-efficient infrastructure. To make the most of the elasticity and agility possible with cloud computing, however, Solutions Architects need to evolve their architectures to take full advantage of AWS capabilities.
For new applications, AWS customers have been discovering cloud-specific IT architecture patterns that drive even more efficiency and scalability for their solutions. Those new architectures can support anything from real-time analytics of Internet-scale data to applications with unpredictable traffic from thousands of connected Internet of Things (IoT) or mobile devices. This leaves endless possibilities for applications architected using AWS best practices.
This chapter highlights the tenets of architecture best practices to consider whether you are migrating existing applications to AWS or designing new applications for the cloud. These tenets include:
Design for failure and nothing will fail.
Implement elasticity.
Leverage different storage options.
Build security in every layer.
Think parallel.
Loose coupling sets you free.
Don't fear constraints.
Understanding the services covered in this book in the context of these practices is key to succeeding on the exam.
Design for Failure and Nothing Fails
The first architecture best practice for AWS is the fundamental principle of designing for failure.
Everything fails, all the time
—Werner Vogels, CTO, AWS
Typically, production systems come with defined or implicit requirements in terms of uptime. A system is highly available when it can withstand the failure of an individual or multiple components. If you design architectures around the assumption that any component will eventually fail, systems won't fail when an individual component does. As an example, one goal when designing for failure would be to ensure an application survives when the underlying physical hardware for one of the servers fails.
Let's take a look at the simple web application illustrated in Figure 14.1. This application has some fundamental design issues for protecting against component failures. To start, there is no redundancy or failover, which results in single points of failure.
FIGURE 14.1 Simple web application architecture
If the single web server fails, the system fails.
If the single database fails, the system fails.
If the Availability Zone (AZ) fails, the system fails.
Bottom line, there are too many eggs in one basket.
Now let's walk through transforming this simple application into a more resilient architecture. To begin, we are going to address the single points of failure in the current architecture. Single points of failure can be removed by introducing redundancy, which is having multiple resources for the same task. Redundancy can be implemented in either standby or active mode.
In standby redundancy, when a resource fails, functionality is recovered on a secondary resource using a process called failover. The failover will typically require some time before it is completed, and during that period the resource remains unavailable. The secondary resource can either be launched automatically only when needed (to reduce cost), or it can be already running idle (to accelerate failover and minimize disruption). Standby redundancy is often used for stateful components such as relational databases.
In active redundancy, requests are distributed to multiple redundant compute resources, and when one of them fails, the rest can simply absorb a larger share of the workload. Compared to standby redundancy, it can achieve better utilization and affect a smaller population when there is a failure.
To address the redundancy issues, we will add another web instance and add a standby instance for Amazon Relational Database Service (Amazon RDS) to provide high availability and automatic failover. The key is that we are going to add the new resources in another AZ. An AZ consists of one or more discrete data centers. AZs within a region provide inexpensive, low-latency network connectivity to other AZs in the same region. This allows our application to replicate data across data centers in a synchronous manner so that failover can be automated and be transparent for the users.
Additionally, we are going to implement active redundancy by swapping out the Elastic IP Address (EIP) on our web instance with an Elastic Load Balancer (ELB). The ELB allows inbound requests to be distributed between the web instances. Not only will the ELB help with distributing load between multiple instances, it will also stop sending traffic to the affected web node if an instance fails its health checks. Figure 14.2 shows the updated architecture with redundancy for the web application.
FIGURE 14.2 Updated web application architecture with redundancy
This Multi-AZ architecture helps to ensure that the application is isolated from failures in a single Availability Zone. In fact, many of the higher level services on AWS are inherently designed according to the Multi-AZ principle. For example, Amazon Simple Storage Service (Amazon S3) and Amazon DynamoDB ensure that data is redundantly stored across multiple facilities.
One rule of thumb to keep in mind when designing architectures in the cloud is to be a pessimist; that is, assume things will fail. In other words, always design, implement, and deploy for automated recovery from failure.
Implement Elasticity
Elasticity is the ability of a system to grow to handle increased load, whether gradually over time or in response to a sudden change in business needs. To achieve elasticity, it is important that the system be built on a scalable architecture. Such architectures can support growth in users, traffic, or data size with no drop in performance. These architectures should provide scale in a linear manner, where adding extra resources results in at least a proportional increase in ability to serve additional system load. The growth in resources should introduce economies of scale, and cost should follow the same dimension that generates business value out of that system. While cloud computing provides virtually unlimited on-demand capacity, system architectures need to be able to take advantage of those resources seamlessly. There are generally two ways to scale an IT architecture: vertically and horizontally.
Scaling Vertically
Vertical scaling takes place through an increase in the specifications of an individual resource (for example, upgrading a server with a larger hard drive, more memory, or a faster CPU). On Amazon Elastic Compute Cloud (Amazon EC2), this can easily be achieved by stopping an instance and resizing it to an instance type that has more RAM, CPU, I/O, or networking capabilities. Vertical scaling will eventually hit a limit, and it is not always a cost-efficient or highly available approach. Even so, it is very easy to implement and can be sufficient for many use cases, especially in the short term.
Scaling Horizontally
Horizontal scaling takes place through an increase in the number of resources (for example, adding more hard drives to a storage array or adding more servers to support an application). This is a great way to build Internet-scale applications that leverage the elasticity of cloud computing. Not all architectures are designed to distribute their workload to multiple resources, and it is important to understand system characteristics that can affect a system's ability to scale horizontally. One key characteristic is the impact of stateless and stateful architectures.
Stateless Applications
When users or services interact with an application, they will often perform a series of interactions that form a session. A stateless application needs no knowledge of the previous interactions and stores no session information. A stateless application can scale horizontally, because any request can be serviced by any of the available system compute resources. Because no session data needs to be shared between system resources, compute resources can be added as needed. When excess capacity is no longer required, any individual resource can be safely terminated. Those resources do not need to be aware of the presence of their peers; all that is required is a way to distribute the workload to them.
Let's assume that the web application we used in the previous section is a stateless application with unpredictable demand. In order for our web instances to meet the peaks and valleys associated with our demand profile, we need to scale elastically. A great way to introduce elasticity and horizontal scaling is by leveraging Auto Scaling for web instances. An Auto Scaling group can automatically add Amazon EC2 instances to an application in response to heavy traffic and remove them when traffic slows. Figure 14.3 shows our web application architecture after the introduction of an Auto Scaling group.
FIGURE 14.3 Updated web application architecture with auto scaling
Stateless Components
In practice, most applications need to maintain some kind of state information. For example, web applications need to track whether a user is signed in, or else they might present personalized content based on previous actions. You can still make a portion of these architectures stateless by not storing state information locally on a horizontally-scaling resource, as those resources can appear and disappear as the system scales up and down.
For example, web applications can use HTTP cookies to store information about a session at the client's browser (such as items in the shopping cart). The browser passes that information back to the server at each subsequent request so that the application does not need to store it. However, there are two drawbacks with this approach. First, the content of the HTTP cookies can be tampered with at the client side, so you should always treat them as untrusted data that needs to be validated. Second, HTTP cookies are transmitted with every request, which means that you should keep their size to a minimum to avoid unnecessary latency.
Consider only storing a unique session identifier in an HTTP cookie and storing more detailed user session information server-side. Most programming platforms provide a native session management mechanism that works this way; however, these management mechanisms often store the session information locally by default. This would result in a stateful architecture. A common solution to this problem is to store user session information in a database. Amazon DynamoDB is a great choice due to its scalability, high availability, and durability characteristics. For many platforms, there are open source, drop-in replacement libraries that allow you to store native sessions in Amazon DynamoDB.
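As an added example (not code from the book) of the two preceding paragraphs, the Python below keeps only a random, signed session identifier in the cookie, treats the cookie as untrusted until its HMAC verifies, and looks the session up in a shared server-side store. The SessionStore dict stands in for Amazon DynamoDB, and SERVER_SECRET and the sample session data are constructed values.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

# Constructed demo secret. In a real deployment every web instance would fetch
# the same secret at boot (see "Bootstrap Your Instances"); it never lives in code.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"


def _sign(session_id: str) -> str:
    """HMAC-SHA256 over the session id; only holders of SERVER_SECRET can produce it."""
    return hmac.new(SERVER_SECRET, session_id.encode("utf-8"), hashlib.sha256).hexdigest()


def make_cookie_value(session_id: str) -> str:
    """Cookie payload is '<session id>.<signature>'. It carries no user data,
    only a reference, so it stays small (the chapter's second drawback)."""
    return f"{session_id}.{_sign(session_id)}"


def parse_cookie_value(cookie_value: Optional[str]) -> Optional[str]:
    """Return the session id if the cookie's signature verifies, else None.

    The cookie arrived from the client and is untrusted (the chapter's first
    drawback): the id is accepted only when the HMAC matches.
    """
    if not cookie_value or "." not in cookie_value:
        return None
    session_id, _, provided_sig = cookie_value.rpartition(".")
    if not session_id or not provided_sig:
        return None
    # Constant-time compare: never leak how many bytes of the tag matched.
    if not hmac.compare_digest(provided_sig, _sign(session_id)):
        return None
    return session_id


class SessionStore:
    """Server-side session data keyed by session id.

    A dict stands in for a shared store such as Amazon DynamoDB. The property
    that matters is that it lives outside any single web instance, so any
    instance in the Auto Scaling group can serve any request.
    """

    def __init__(self, ttl_seconds: int = 3600) -> None:
        self._ttl = ttl_seconds
        self._items: Dict[str, dict] = {}

    def create(self, data: dict, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        # 32 random bytes: the id must be unguessable, since it is the only
        # thing that links a browser to its server-side session.
        session_id = secrets.token_urlsafe(32)
        self._items[session_id] = {"data": dict(data), "expires": now + self._ttl}
        return session_id

    def get(self, session_id: str, now: Optional[float] = None) -> Optional[dict]:
        now = time.time() if now is None else now
        item = self._items.get(session_id)
        if item is None:
            return None
        if item["expires"] <= now:
            del self._items[session_id]  # expired: drop it and treat as signed out
            return None
        return item["data"]


def handle_request(store: SessionStore, cookie_value: Optional[str],
                   now: Optional[float] = None) -> Optional[dict]:
    """What any web instance does per request: validate the cookie, then look
    the session up in the shared store. None means 'not signed in'."""
    session_id = parse_cookie_value(cookie_value)
    if session_id is None:
        return None
    return store.get(session_id, now)


if __name__ == "__main__":
    store = SessionStore(ttl_seconds=60)
    sid = store.create({"user": "alice", "cart": ["sku-123"]}, now=1000.0)
    cookie = make_cookie_value(sid)
    print(handle_request(store, cookie, now=1010.0))        # session data
    print(handle_request(store, "x" + cookie, now=1010.0))  # tampered id -> None
    print(handle_request(store, cookie, now=2000.0))        # expired -> None
```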
Stateful Components
Inevitably, there will be layers of your architecture that you won't turn into stateless components. First, by definition, databases are stateful. In addition, many legacy applications were designed to run on a single server by relying on local compute resources. Other use cases might require client devices to maintain a connection to a specific server for prolonged periods of time. For example, real-time multiplayer gaming must offer multiple players a consistent view of the game world with very low latency. This is much simpler to achieve in a non-distributed implementation where participants are connected to the same server.
Deployment Automation
Whether you are deploying a new environment for testing or increasing capacity of an existing system to cope with extra load, you will not want to set up new resources manually with their configuration and code. It is important that you make this an automated and repeatable process that avoids long lead times and is not prone to human error. Automating the deployment process and streamlining the configuration and build process is key to implementing elasticity. This will ensure that the system can scale without any human intervention.
Automate Your Infrastructure
One of the most important benefits of using a cloud environment is the ability to use the cloud's Application Program Interfaces (APIs) to automate your deployment process. It is recommended that you take the time to create an automated deployment process early on during the migration process and not wait until the end. Creating an automated and repeatable deployment process will help reduce errors and facilitate an efficient and scalable update process.
Bootstrap Your Instances
When you launch an AWS resource like an Amazon EC2 instance, you start with a default configuration. You can then execute automated bootstrapping actions as described in Chapter 3, "Amazon Elastic Compute Cloud (Amazon EC2) and Amazon Elastic Block Store (Amazon EBS)." Let your instances ask a question at boot: "Who am I and what is my role?" Every instance should have a role to play in the environment (such as database server, application server, or slave server in the case of a web application). Roles may be applied during launch and can instruct the AMI on the steps to take after it has booted. On boot, an instance should grab the necessary resources (for example, code, scripts, or configuration) based on the role and "attach" itself to a cluster to serve its function.
Benefits of bootstrapping your instances include:
Recreate environments (for example, development, staging, production) with few clicks and minimal effort.
Maintain more control over your abstract, cloud-based resources.
Reduce human-induced deployment errors.
Create a self-healing and self-discoverable environment that is more resilient to hardware failure.
Designing intelligent elastic cloud architectures, where infrastructure runs only when you need it, is an art. As a Solutions Architect, elasticity should be one of the fundamental design requirements when defining your architectures. Here are some questions to keep in mind when designing cloud architectures:
What components or layers in my application architecture can become elastic?
What will it take to make that component elastic?
What will be the impact of implementing elasticity to my overall system architecture?
Leverage Different Storage Options
AWS offers a broad range of storage choices for backup, archiving, and disaster recovery, as well as block, file, and object storage to suit a plethora of use cases. For example, services like Amazon Elastic Block Storage (Amazon EBS), Amazon S3, Amazon RDS, and Amazon CloudFront provide a wide range of choices to meet different storage needs. It is important from a cost, performance, and functional aspect to leverage different storage options available in AWS for different types of datasets.
One Size Does Not Fit All
Your workload and use case should dictate what storage option to leverage in AWS. No one storage option is suitable for all situations. Table 14.1 provides a list of some storage scenarios and which AWS storage option you should consider to meet the identified need. This table is not meant to be an all-encompassing capture of scenarios, but an example guide.
TABLE 14.1 Storage Scenarios and AWS Storage Options
Sample Scenario | Storage Option
Your web application needs large-scale storage capacity and performance. -or- You need cloud storage with high data durability to support backup and active archives for disaster recovery. | Amazon S3
You require cloud storage for data archiving and long-term backup. | Amazon Glacier
You require a content delivery network to deliver entire websites, including dynamic, static, streaming, and interactive content using a global network of edge locations. | Amazon CloudFront
You require a fast and flexible NoSQL database with a flexible data model and reliable performance. | Amazon DynamoDB
You need reliable block storage to run mission-critical applications such as Oracle, SAP, Microsoft Exchange, and Microsoft SharePoint. | Amazon EBS
You need a highly available, scalable, and secure MySQL database without the time-consuming administrative tasks. | Amazon RDS
You need a fast, powerful, fully-managed, petabyte-scale data warehouse to support business analytics of your e-commerce application. | Amazon Redshift
You need a Redis cluster to store session information for your web application. | Amazon ElastiCache
You need a common file system for your application that is shared between more than one Amazon EC2 instance. | Amazon Elastic File System (Amazon EFS)
Let's return to our sample web application architecture and show how different storage options can be leveraged to optimize cost and architecture. We can start by moving any static assets from our web instances to Amazon S3, and then serve those objects via Amazon CloudFront. These static assets would include all of the images, videos, CSS, JavaScript, and any other heavy static content that is currently delivered via the web instances. By serving these files via an Amazon S3 origin with global caching and distribution via Amazon CloudFront, the load will be reduced on the web instances and allow the web tier footprint to be reduced. Figure 14.4 shows the updated architecture for our sample web application.
FIGURE 14.4 Updated web application architecture with Amazon S3 and Amazon CloudFront
To further optimize our storage options, the session information for our sample web application can be moved to Amazon DynamoDB or even to Amazon ElastiCache. For our scenario, we will use Amazon DynamoDB to store the session information because the AWS Software Development Kits (SDK) provide connectors for many popular web development frameworks that make storing session information in Amazon DynamoDB easy. By removing session state from our web tier, the web instances do not lose session information when horizontal scaling from Auto Scaling happens. Additionally, we will leverage Amazon ElastiCache to store common database query results, thereby taking the load off of our database tier. Figure 14.5 shows the addition of Amazon ElastiCache and Amazon DynamoDB to our web application architecture.
FIGURE 14.5 Updated web application architecture with Amazon ElastiCache and Amazon DynamoDB
As a Solutions Architect, you will ultimately come to a point where you need to decide and define what your storage requirements are for the data that you need to store on AWS. There are a variety of options to choose from depending on your needs, each with different attributes ranging from database storage, block storage, highly available object-based storage, and even cold archival storage. Ultimately, your workload requirements will dictate which storage option makes sense for your use case.
Build Security in Every Layer
With traditional IT, infrastructure security auditing would often be a periodic and manual process. The AWS Cloud instead provides governance capabilities that enable continuous monitoring of configuration changes to your IT resources. Because AWS assets are programmable resources, your security policy can be formalized and embedded with the design of your infrastructure. With the ability to spin up temporary environments, security testing can now become part of your continuous delivery pipeline. Solutions Architects can leverage a plethora of native AWS security and encryption features that can help achieve higher levels of data protection and compliance at every layer of cloud architectures.
Best Practice
Inventory your data, prioritize it by value, and apply the appropriate level of encryption for the data in transit and at rest.
Most of the security tools and techniques with which you might already be familiar in a traditional IT infrastructure can be used in the cloud. At the same time, AWS allows you to improve your security in a variety of ways. AWS is a platform that allows you to formalize the design of security controls in the platform itself. It simplifies system use for administrators and those running IT and makes your environment much easier to audit in a continuous manner.
Use AWS Features for Defense in Depth
AWS provides a wealth of features that help Solutions Architects build defense in depth. Starting at the network level, you can build an Amazon Virtual Private Cloud (Amazon VPC) topology that isolates parts of the infrastructure through the use of subnets, security groups, and routing controls. Services like AWS Web Application Firewall (AWS WAF) can help protect your web applications from SQL injection and other vulnerabilities in your application code. For access control, you can use AWS Identity and Access Management (IAM) to define a granular set of policies and assign them to users, groups, and AWS resources. Finally, the AWS platform offers a breadth of options for protecting data with encryption, whether the data is in transit or at rest.
Understanding the security features offered by AWS is important for the exam, and it is covered in detail in Chapter 12, "Security on AWS."
Offload Security Responsibility to AWS
AWS operates under a shared responsibility model, where AWS is responsible for the security of the underlying cloud infrastructure, and you are responsible for securing the workloads you deploy on AWS. This way, you can reduce the scope of your responsibility and focus on your core competencies through the use of AWS managed services. For example, when you use managed services such as Amazon RDS, Amazon ElastiCache, Amazon CloudSearch, and others, security patches become the responsibility of AWS. This not only reduces operational overhead for your team, but it could also reduce your exposure to vulnerabilities.
Reduce Privileged Access
Another common source of security risk is the use of service accounts. In a traditional environment, service accounts would often be assigned long-term credentials stored in a configuration file. On AWS, you can instead use IAM roles to grant permissions to applications running on Amazon EC2 instances through the use of temporary security tokens. Those credentials are automatically distributed and rotated. For mobile applications, the use of Amazon Cognito allows client devices to get controlled access to AWS resources via temporary tokens. For AWS Management Console users, you can similarly provide federated access through temporary tokens instead of creating IAM users in your AWS account. In that way, an employee who leaves your organization and is removed from your organization's identity directory will also lose access to your AWS account.
Best Practice
Follow the standard security practice of granting least privilege—that is, granting only the permissions required to perform a task—to IAM users, groups, roles, and policies.
Security as Code
Traditional security frameworks, regulations, and organizational policies define security requirements related to things such as firewall rules, network access controls, internal/external subnets, and operating system hardening. You can implement these in an AWS environment as well, but you now have the opportunity to capture them all in a script that defines a "Golden Environment." This means that you can create an AWS CloudFormation script that captures and reliably deploys your security policies. Security best practices can now be reused among multiple projects and become part of your continuous integration pipeline. You can perform security testing as part of your release cycle and automatically discover application gaps and drift from your security policies.
Additionally, for greater control and security, AWS CloudFormation templates can be imported as "products" into AWS Service Catalog. This enables centralized management of resources to support consistent governance, security, and compliance requirements while enabling users to deploy quickly only the approved IT services they need. You apply IAM permissions to control who can view and modify your products, and you define constraints to restrict the ways that specific AWS resources can be deployed for a product.
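To make "Security as Code" concrete, here is an added AWS CloudFormation fragment (written for this page, not taken from the book) that codifies two of the policies the section mentions: a web-tier security group that accepts only HTTPS from the load balancer, and an AWS Config managed rule that flags any security group opened to SSH from the Internet. The VpcId and LoadBalancerSecurityGroupId parameters are assumed inputs, and the Config rule assumes AWS Config recording is already enabled in the account.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Added example golden-environment fragment (not from the book)

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id                 # assumed: the VPC from Figure 14.2
  LoadBalancerSecurityGroupId:
    Type: AWS::EC2::SecurityGroup::Id       # assumed: the ELB's security group

Resources:
  # Firewall rule as code: the web tier is reachable only on 443, and only
  # from the load balancer's security group, never from an IP range.
  WebTierSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Web tier, HTTPS from the load balancer only
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          SourceSecurityGroupId: !Ref LoadBalancerSecurityGroupId
      # No SSH rule is defined on purpose; a rule someone adds later that
      # opens port 22 to 0.0.0.0/0 is exactly what the Config rule below detects.

  # Continuous check of the same policy: AWS Config evaluates every security
  # group against the managed rule and reports any that allow SSH from anywhere.
  RestrictedSshRule:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: restricted-ssh
      Description: Flags security groups that allow inbound SSH from 0.0.0.0/0
      Scope:
        ComplianceResourceTypes:
          - AWS::EC2::SecurityGroup
      Source:
        Owner: AWS
        SourceIdentifier: INCOMING_SSH_DISABLED
```

Deploying the same template in every account and environment is what turns the policy into a reusable, testable artifact rather than a checklist item.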
Real-Time Auditing
Testing and auditing your environment is key to moving fast while staying safe. Traditional approaches that involve periodic (and often manual or sample-based) checks are not sufficient, especially in agile environments where change is constant. On AWS, you can implement continuous monitoring and automation of controls to minimize exposure to security risks. Services like AWS Config Rules, Amazon Inspector, and AWS Trusted Advisor continually monitor for compliance or vulnerabilities, giving you a clear overview of which IT resources are or are not in compliance. With AWS Config Rules, you will also know if some component was out of compliance even for a brief period of time, making both point-in-time and period-in-time audits very effective. You can implement extensive logging for your applications using Amazon CloudWatch Logs and for the actual AWS API calls by enabling AWS CloudTrail. AWS CloudTrail is a web service that records API calls to supported AWS Cloud services in your AWS account and creates a log file. AWS CloudTrail logs are stored in an immutable manner to an Amazon S3 bucket of your choice. These logs can then be automatically processed either to notify or even take action on your behalf, protecting your organization from non-compliance. You can use AWS Lambda, Amazon Elastic MapReduce (Amazon EMR), Amazon Elasticsearch Service, or third-party tools from the AWS Marketplace to scan logs to detect things like unused permissions, overuse of privileged accounts, usage of keys, anomalous logins, policy violations, and system abuse.
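The last sentence above describes scanning CloudTrail logs for things like overuse of privileged accounts, anomalous logins and policy violations; the Python below is an added example (not the book's code) that runs three such checks over a constructed CloudTrail record set. The events, account id, group id and addresses are constructed for the demo, and the checks are illustrative rules written for this page, not an AWS-provided rule set.

```python
import json
from typing import Callable, Dict, List, Optional

# Constructed records shaped like CloudTrail events ({"Records": [...]});
# account id, user names, group id and addresses are placeholders.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2017-03-01T10:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "accountId": "123456789012"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2017-03-01T10:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.11",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accountId": "123456789012"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2017-03-01T10:07:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.11",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accountId": "123456789012"},
     "requestParameters": {"groupId": "sg-0example", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2017-03-01T10:09:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.11",
     "userIdentity": {"type": "IAMUser", "userName": "bob", "accountId": "123456789012"},
     "requestParameters": {"groupId": "sg-0example", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
          "ipRanges": {"items": [{"cidrIp": "10.0.0.0/16"}]}}]}}},
]})

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def _actor(record: dict) -> str:
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("type", "unknown")


def check_root_usage(record: dict) -> Optional[str]:
    """Overuse of privileged accounts: any action taken as the account root."""
    if record.get("userIdentity", {}).get("type") == "Root":
        return "root account used for " + str(record.get("eventName"))
    return None


def check_console_login_without_mfa(record: dict) -> Optional[str]:
    """Anomalous login: a successful console sign-in that did not use MFA."""
    if record.get("eventName") != "ConsoleLogin":
        return None
    if record.get("responseElements", {}).get("ConsoleLogin") != "Success":
        return None
    if record.get("additionalEventData", {}).get("MFAUsed") != "Yes":
        return "console login without MFA by " + _actor(record)
    return None


def check_world_open_ingress(record: dict) -> Optional[str]:
    """Policy violation: a security group rule that admits the whole Internet."""
    if record.get("eventName") != "AuthorizeSecurityGroupIngress":
        return None
    params = record.get("requestParameters", {})
    for perm in params.get("ipPermissions", {}).get("items", []):
        ranges = (perm.get("ipRanges", {}).get("items", [])
                  + perm.get("ipv6Ranges", {}).get("items", []))
        for rng in ranges:
            cidr = rng.get("cidrIp") or rng.get("cidrIpv6")
            if cidr in WORLD_CIDRS:
                return "security group %s opened %s %s-%s to %s by %s" % (
                    params.get("groupId"), perm.get("ipProtocol"),
                    perm.get("fromPort"), perm.get("toPort"), cidr, _actor(record))
    return None


CHECKS: List[Callable[[dict], Optional[str]]] = [
    check_root_usage, check_console_login_without_mfa, check_world_open_ingress]


def scan_cloudtrail(log_text: str) -> List[Dict[str, str]]:
    """Run every check over every record; each hit becomes one finding.
    In production this would be the body of a Lambda function triggered when
    CloudTrail writes a new log object to its S3 bucket."""
    findings = []
    for record in json.loads(log_text).get("Records", []):
        for check in CHECKS:
            message = check(record)
            if message:
                findings.append({"time": record.get("eventTime"),
                                 "source_ip": record.get("sourceIPAddress"),
                                 "finding": message})
    return findings


if __name__ == "__main__":
    for f in scan_cloudtrail(SAMPLE_LOG):
        print(f["time"], f["source_ip"], f["finding"])
```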
While AWS provides an excellent service management layer around infrastructure or platform services, organizations are still responsible for protecting the confidentiality, integrity, and availability of their data in the cloud. AWS provides a range of security services and architectural concepts that organizations can use to manage security of their assets and data in the cloud.
Think Parallel
The cloud makes parallelization effortless. Whether it is requesting data from the cloud, storing data to the cloud, or processing data in the cloud, as a Solutions Architect you need to internalize the concept of parallelization when designing architectures in the cloud. It is advisable not only to implement parallelization wherever possible, but also to automate it because the cloud allows you to create a repeatable process very easily.
When it comes to accessing (retrieving and storing) data, the cloud is designed to handle massively parallel operations. In order to achieve maximum performance and throughput, you should leverage request parallelization. Multi-threading your requests by using multiple concurrent threads will store or fetch the data faster than requesting it sequentially. Hence, a general best practice for developing cloud applications is to design the processes for leveraging multi-threading.
When it comes to processing or executing requests in the cloud, it becomes even more important to leverage parallelization. A general best practice, in the case of a web application, is to distribute the incoming requests across multiple asynchronous web servers using a load balancer. In the case of a batch processing application, you can leverage a master node with multiple slave worker nodes that process tasks in parallel (as in distributed processing frameworks like Hadoop).
The beauty of the cloud shines when you combine elasticity and parallelization. Your cloud application can bring up a cluster of compute instances that are provisioned within minutes with just a few API calls, perform a job by executing tasks in parallel, store the results, and then terminate all of the instances.
Loose Coupling Sets You Free
As application complexity increases, a desirable characteristic of an IT system is that it can be broken into smaller, loosely coupled components. This means that IT systems should be designed in a way that reduces interdependencies, so that a change or a failure in one component does not cascade to other components.
Best Practice
Design system architectures with independent components that are "black boxes." The more loosely system components are coupled, the larger they scale.
A way to reduce interdependencies in a system is to allow the various components to interact with each other only through specific, technology-agnostic interfaces (such as RESTful APIs). In this way, the technical implementation details are hidden so that teams can modify the underlying implementation without affecting other components. As long as those interfaces maintain backward compatibility, the different components that an overall system is comprised of remain decoupled.
Amazon API Gateway provides a way to expose well-defined interfaces. Amazon API Gateway is a fully managed service that makes it easy for developers to create, publish, maintain, monitor, and secure APIs at any scale. It handles all of the tasks involved in accepting and processing up to hundreds of thousands of concurrent API calls, including traffic management, authorization and access control, monitoring, and API version management.
Asynchronous integration is a common pattern for implementing loose coupling between services. This model is suitable for any interaction that does not need an immediate response and where an acknowledgement that a request has been registered will suffice. It involves one component that generates events and another that consumes them. The two components do not integrate through direct point-to-point interaction, but usually through an intermediate durable storage layer, such as an Amazon Simple Queue Service (Amazon SQS) queue or a streaming data platform like Amazon Kinesis. Figure 14.6 shows the logical flow for tight and loosely coupled architectures.
FIGURE 14.6 Tight and loose coupling
Leveraging asynchronous integration decouples the two components and introduces additional resiliency. For example, if a process that is reading messages from the queue fails, messages can still be added to the queue to be processed when the system recovers. It also allows you to protect a less scalable back-end service from front-end spikes and find the right tradeoff between cost and processing lag. For example, you can decide that you don't need to scale your database to accommodate for an occasional peak of write queries if you eventually process those queries asynchronously with some delay. Finally, by moving slow operations off of interactive request paths, you can also improve the end-user experience.
Sample Loosely Coupled Architecture
A company provides transcoding services for amateur producers to format their short films to a variety of video formats. The service provides end users with an easy-to-use website to submit videos for transcoding. The videos are stored in Amazon S3, and a message ("the request message") is placed in an Amazon SQS queue ("the incoming queue") with a pointer to the video and to the target video format in the message. The transcoding engine, running on a set of Amazon EC2 instances, reads the request message from the incoming queue, retrieves the video from Amazon S3 using the pointer, and transcodes the video into the target format. The converted video is put back into Amazon S3 and another message ("the response message") is placed in another Amazon SQS queue ("the outgoing queue") with a pointer to the converted video. At the same time, metadata about the video (such as format, date created, and length) can be indexed into Amazon DynamoDB for easy querying. During this whole workflow, a dedicated Amazon EC2 instance can constantly monitor the incoming queue and, based on the number of messages in the incoming queue, can dynamically adjust the number of transcoding Amazon EC2 instances to meet customers' response time requirements.
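To make the message flow concrete, here is an added in-process simulation of the architecture just described; it is example code written for this page, not from the book or from any AWS SDK. Two deques stand in for the incoming and outgoing Amazon SQS queues and two dicts stand in for Amazon S3 and Amazon DynamoDB. The message bodies carry pointers (object keys) rather than video bytes, a job that fails is put back on the queue the way an expired SQS visibility timeout would, and desired_workers is one possible scaling rule for the monitoring instance (the per-worker ratio and the bounds are assumptions made here).

```python
"""In-process simulation of the chapter's SQS-based transcoding pipeline."""
import json
import math
from collections import deque


def fake_transcode(data: bytes, fmt: str) -> bytes:
    """Stand-in for the real transcoder: tags the bytes with the target format."""
    return fmt.encode() + b":" + data


class TranscodingPipeline:
    """Deques stand in for the two Amazon SQS queues, dicts for Amazon S3 and
    Amazon DynamoDB. Nothing here talks to AWS; it only shows the contract
    between the website, the transcoding engine and the scaling monitor."""

    def __init__(self):
        self.objects = {}          # S3 stand-in: object key -> bytes
        self.incoming = deque()    # "the incoming queue": request messages
        self.outgoing = deque()    # "the outgoing queue": response messages
        self.metadata = {}         # DynamoDB stand-in: output key -> attributes

    def submit(self, key, data, target_format):
        """Website side: store the video and enqueue a pointer, never the bytes."""
        self.objects[key] = data
        self.incoming.append(json.dumps({"source": key, "format": target_format}))

    def work_once(self):
        """One transcoding-engine iteration. Returns the output key on success,
        None when the queue is empty or the job had to be returned to the queue."""
        if not self.incoming:
            return None
        raw = self.incoming.popleft()
        msg = json.loads(raw)
        try:
            source = self.objects[msg["source"]]          # follow the pointer
            out_key = f"{msg['source']}.{msg['format']}"
            self.objects[out_key] = fake_transcode(source, msg["format"])
            self.metadata[out_key] = {"format": msg["format"], "length": len(source)}
            self.outgoing.append(json.dumps({"source": msg["source"], "output": out_key}))
            return out_key
        except KeyError:
            # The worker could not complete the job (missing object or malformed
            # message): return the request so another worker retries it. With SQS
            # this happens on its own when the visibility timeout expires.
            self.incoming.append(raw)
            return None


def desired_workers(queue_depth, per_worker=10, minimum=1, maximum=20):
    """Scaling rule for the monitoring instance: one worker per N queued requests,
    clamped to a floor and a ceiling (the ratio and bounds are assumptions)."""
    return max(minimum, min(maximum, math.ceil(queue_depth / per_worker)))


if __name__ == "__main__":
    p = TranscodingPipeline()
    for i in range(3):
        p.submit(f"film{i}.mov", b"raw" * 4, "mp4")
    print("workers wanted:", desired_workers(len(p.incoming)))
    while p.work_once():
        pass
    print(len(p.outgoing), "responses queued")
```

Because the queues hold only pointers, the workers are interchangeable and stateless: any instance can pick up any request, which is what lets the monitor add or remove transcoding instances freely.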
Applications that are deployed as a set of smaller services will depend on the ability of those services to interact with each other. Because each of those services could be running across multiple compute resources, there needs to be a way for each service to be addressed. For example, in a traditional infrastructure, if your front-end web service needed to connect with your back-end web service, you could hardcode the IP address of the compute resource where this service was running. Although this approach can still work on cloud computing, if those services are meant to be loosely coupled, they should be able to be consumed without prior knowledge of their network topology details. Apart from hiding complexity, this also allows infrastructure details to change at any time. In order to achieve this agility, you will need some way of implementing service discovery. Service discovery manages how processes and services in an environment can find and talk to one another. It involves a directory of services, registering services in that directory, and then being able to look up and connect to services in that directory.
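As an added example of the directory, registration and lookup that service discovery involves (example code written for this page; not the book's, and not how any particular AWS service implements it), the registry below keeps a heartbeat timestamp per instance and only returns instances whose heartbeat is fresher than a TTL, so an instance that was terminated without deregistering drops out of lookups on its own. The TTL value and the injectable clock are choices made for the example.

```python
"""Minimal service registry with heartbeat-based liveness."""
import random
import time


class ServiceRegistry:
    """Directory of service instances. Instances register themselves and renew
    a heartbeat; clients look up only instances whose heartbeat is fresh."""

    def __init__(self, ttl_seconds=30.0, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock          # injectable clock so the liveness logic is testable
        self._entries = {}          # service name -> {address: last heartbeat time}

    def register(self, name, address):
        """An instance announces itself; the first heartbeat is the registration."""
        self._entries.setdefault(name, {})[address] = self.clock()

    def heartbeat(self, name, address):
        """Renew liveness; an unknown instance must register first."""
        if address not in self._entries.get(name, {}):
            raise KeyError(f"{address} is not registered for {name}")
        self._entries[name][address] = self.clock()

    def deregister(self, name, address):
        """Graceful shutdown path; missing entries are ignored."""
        self._entries.get(name, {}).pop(address, None)

    def lookup(self, name):
        """Return addresses whose heartbeat is within the TTL; stale ones are
        dropped from the directory as a side effect."""
        now = self.clock()
        live = {a: t for a, t in self._entries.get(name, {}).items()
                if now - t <= self.ttl}
        self._entries[name] = live
        return sorted(live)

    def choose(self, name):
        """Client-side selection: pick one live instance at random."""
        candidates = self.lookup(name)
        if not candidates:
            raise LookupError(f"no live instances of {name}")
        return random.choice(candidates)


class FakeClock:
    """Deterministic clock for demonstrating TTL expiry without sleeping."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


if __name__ == "__main__":
    clock = FakeClock()
    registry = ServiceRegistry(ttl_seconds=30, clock=clock)
    registry.register("backend", "10.0.2.11:8080")
    registry.register("backend", "10.0.2.12:8080")
    print("live now:", registry.lookup("backend"))
    clock.advance(20)
    registry.heartbeat("backend", "10.0.2.12:8080")   # only one instance renews
    clock.advance(15)
    print("live after 35s:", registry.lookup("backend"))
```

The front end in the chapter's example would call choose("backend") on every request instead of holding an IP address, so replacing, scaling or moving the back-end instances never requires a front-end change.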
Loose coupling is a crucial element if you want to take advantage of the elasticity of cloud computing, where new resources can be launched or terminated at any point in time. By architecting system components without tight dependencies on each other, applications are positioned to take full advantage of the cloud's scale.
Don't Fear Constraints
When organizations decide to move applications to the cloud and try to map their existing system specifications to those available in the cloud, they notice that the cloud might not have the exact specification of the resource that they have on premises. For example, observations may include "Cloud does not provide X amount of RAM in a server" or "My database needs to have more IOPS than what I can get in a single instance."
You should understand that the cloud provides abstract resources that become powerful when you combine them with the on-demand provisioning model. You should not be afraid and constrained when using cloud resources because even if you might not get an exact replica of your on-premises hardware in the cloud environment, you have the ability to get more of those resources in the cloud to compensate.
When you push up against a constraint, think about what it's telling you about a possible underlying architectural issue. For example, if AWS does not have an Amazon RDS instance type with enough RAM, consider whether you have inadvertently trapped yourself in a scale-up paradigm. Consider changing the underlying technology and using a scalable distributed cache like Amazon ElastiCache or sharding your data across multiple servers. If it is a read-heavy application, you can distribute the read load across a fleet of synchronized slaves.
Organizations are challenged with developing, managing, and operating applications at scale with a wide variety of underlying technology components. With traditional IT infrastructure, companies would have to build and operate all of those components. While these components may not map directly into a cloud environment, AWS offers a broad set of complementary services that help organizations overcome these constraints and support agility and lower IT costs.
On AWS, there is a set of managed services that provides building blocks for developers to leverage for powering their applications. These managed services include databases, machine learning, analytics, queuing, search, email, notifications, and more. For example, with Amazon SQS, you can offload the administrative burden of operating and scaling a highly available messaging cluster while paying a low price for only what you use. The same applies to Amazon S3, where you can store as much data as required and access it when needed without having to think about capacity, hard disk configurations, replication, and other hardware-based considerations.
There are many other examples of managed services on AWS, such as Amazon CloudFront for content delivery, Elastic Load Balancing for load balancing, Amazon DynamoDB for NoSQL databases, Amazon CloudSearch for search workloads, Amazon Elastic Transcoder for video encoding, Amazon Simple Email Service (Amazon SES) for sending and receiving emails, and more.
Architectures that do not leverage the breadth of AWS Cloud services (for example, they use only Amazon EC2) might be self-constraining the ability to make the most of cloud computing. This oversight often leads to missing key opportunities to increase developer productivity and operational efficiency. When organizations combine on-demand provisioning, managed services, and the inherent flexibility of the cloud, they realize that apparent constraints can actually be broken down in ways that will actually improve the scalability and overall performance of their systems.
Summary
Typically, production systems come with defined or implicit requirements in terms of uptime. A system is highly available when it can withstand the failure of an individual or multiple components. If you design architectures around the assumption that any component will eventually fail, systems won't fail when an individual component does.
Traditional infrastructure generally necessitates predicting the amount of computing resources your application will use over a period of several years. If you underestimate, your applications will not have the horsepower to handle unexpected traffic, potentially resulting in customer dissatisfaction. If you overestimate, you're wasting money with superfluous resources. The on-demand and elastic nature of the cloud enables the infrastructure to be closely aligned with the actual demand, thereby increasing overall utilization and reducing cost. While cloud computing provides virtually unlimited on-demand capacity, system architectures need to be able to take advantage of those resources seamlessly. There are generally two ways to scale an IT architecture: vertically and horizontally.
The AWS Cloud provides governance capabilities that enable continuous monitoring of configuration changes to your IT resources. Because AWS assets are programmable resources, your security policy can be formalized and embedded with the design of your infrastructure. With the ability to spin up temporary environments, security testing can now become part of your continuous delivery pipeline. Solutions Architects can leverage a plethora of native AWS security and encryption features that can help achieve higher levels of data protection and compliance at every layer of cloud architectures.
Because AWS makes parallelization effortless, Solutions Architects need to internalize the concept of parallelization when designing architectures in the cloud. It is advisable not only to implement parallelization wherever possible, but also to automate it because the cloud allows you to create a repeatable process very easily.
As application complexity increases, a desirable characteristic of an IT system is that it can be broken into smaller, loosely coupled components. Solutions Architects should design systems in a way that reduces interdependencies, so that a change or a failure in one component does not cascade to other components.
When organizations try to map their existing system specifications to those available in the cloud, they notice that the cloud might not have the exact specification of the resource that they have on-premises. Organizations should not be afraid and feel constrained when using cloud resources. Even if you might not get an exact replica of your hardware in the cloud environment, you have the ability to get more of those resources in the cloud to compensate.
By focusing on concepts and best practices—like designing for failure, decoupling the application components, understanding and implementing elasticity, combining it with parallelization, and integrating security in every aspect of the application architecture—Solutions Architects can understand the design considerations necessary for building highly scalable cloud applications.
As each use case is unique, Solutions Architects need to remain diligent in evaluating how best practices and patterns can be applied to each implementation. The topic of cloud computing architectures is broad and continuously evolving.
Exam Essentials
Understand highly available architectures. A system is highly available when it can withstand the failure of an individual or multiple components. If you design architectures around the assumption that any component will eventually fail, systems won't fail when an individual component does.
Understand redundancy. Redundancy can be implemented in either standby or active mode. When a resource fails in standby redundancy, functionality is recovered on a secondary resource using a process called failover. The failover will typically require some time before it is completed, and during that period the resource remains unavailable. In active redundancy, requests are distributed to multiple redundant compute resources, and when one of them fails, the rest can simply absorb a larger share of the workload. Compared to standby redundancy, active redundancy can achieve better utilization and affect a smaller population when there is a failure.
Understand elasticity. Elastic architectures can support growth in users, traffic, or data size with no drop in performance. It is important to build elastic systems on top of a scalable architecture. These architectures should scale in a linear manner, where adding extra resources results in at least a proportional increase in ability to serve additional system load. The growth in resources should introduce economies of scale, and cost should follow the same dimension that generates business value out of that system. There are generally two ways to scale an IT architecture: vertically and horizontally.
Understand vertical scaling. Scaling vertically takes place through an increase in the specifications of an individual resource (for example, upgrading a server with a larger hard drive or a faster CPU). This way of scaling can eventually hit a limit, and it is not always a cost efficient or highly available approach.
Understand horizontal scaling. Scaling horizontally takes place through an increase in the number of resources. This is a great way to build Internet-scale applications that leverage the elasticity of cloud computing. It is important to understand the impact of stateless and stateful architectures before implementing horizontal scaling.
Understand stateless applications. A stateless application needs no knowledge of the previous interactions and stores no session information. A stateless application can scale horizontally because any request can be serviced by any of the available system compute resources.
Understand loose coupling. As application complexity increases, a desirable characteristic of an IT system is that it can be broken into smaller, loosely coupled components. This means that IT systems should be designed as "black boxes" to reduce interdependencies so that a change or a failure in one component does not cascade to other components. The more loosely system components are coupled, the larger they scale.
Understand the different storage options in AWS. AWS offers a broad range of storage choices for backup, archiving, and disaster recovery, as well as block, file, and object storage to suit a plethora of use cases. It is important from a cost, performance, and functional aspect to leverage different storage options available in AWS for different types of data sets.
Exercises
In this section, you will implement a resilient application leveraging some of the best practices outlined in this chapter. You will build the architecture depicted in Figure 14.7 in the following series of exercises.
FIGURE 14.7 Sample web application for chapter exercises
For assistance in completing the following exercises, reference the following user guides:
Amazon VPC—http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/GetStarted.html
Amazon EC2 (Linux)—http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/concepts.html
Amazon RDS (MySQL)—http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_GettingStarted.CreatingConnecting.MySQL.html
EXERCISE 14.1
Create a Custom Amazon VPC
1. Log in to the AWS Management Console.
2. Navigate to the Amazon VPC console.
3. Create an Amazon VPC with a Classless Inter-Domain Routing (CIDR) block equal to 192.168.0.0/16, a name tag of Ch14-VPC, and default tenancy.
EXERCISE 14.2
Create an Internet Gateway for Your Custom Amazon VPC
1. Log in to the AWS Management Console.
2. Navigate to the Amazon VPC console.
3. Create an Internet gateway with a name tag of Ch14-IGW.
4. Attach the Ch14-IGW Internet gateway to the Amazon VPC from Exercise 14.1.
EXERCISE 14.3
Update the Main Route Table for Your Custom Amazon VPC
1. Log in to the AWS Management Console.
2. Navigate to the Amazon VPC console.
3. Locate the main route table for the Amazon VPC from Exercise 14.1.
4. Update the route table name tag to a value of Ch14-MainRouteTable.
5. Update the route table routes by adding a destination of 0.0.0.0/0 with a target of the Internet gateway from Exercise 14.2.
EXERCISE 14.4
Create Public Subnets for Your Custom Amazon VPC
1. Log in to the AWS Management Console.
2. Navigate to the Amazon VPC console.
3. Create a subnet with a CIDR block equal to 192.168.1.0/24 and a name tag of Ch14-PublicSubnet1. Create the subnet in the Amazon VPC from Exercise 14.1, and specify an Availability Zone for the subnet (for example, US-East-1a).
4. Create a subnet with a CIDR block equal to 192.168.3.0/24 and a name tag of Ch14-PublicSubnet2. Create the subnet in the Amazon VPC from Exercise 14.1, and specify an Availability Zone for the subnet that is different from the one previously specified (for example, US-East-1b).
EXERCISE 14.5
Create a NAT Gateway for Your Custom Amazon VPC
1. Log in to the AWS Management Console.
2. Navigate to the Amazon VPC console.
3. Create a Network Address Translation (NAT) gateway in the Amazon VPC from Exercise 14.1 within the Ch14-PublicSubnet1 subnet from Exercise 14.4.
EXERCISE 14.6
Create a Private Route Table for Your Custom Amazon VPC
1. Log in to the AWS Management Console.
2. Navigate to the Amazon VPC console.
3. Create a route table for the Amazon VPC from Exercise 14.1 with a name tag of Ch14-PrivateRouteTable.
4. Update the route table routes by adding a destination of 0.0.0.0/0 with a target of the NAT gateway from Exercise 14.5.
EXERCISE 14.7
Create Private Subnets for Your Custom Amazon VPC
1. Log in to the AWS Management Console.
2. Navigate to the Amazon VPC console.
3. Create a subnet with a CIDR block equal to 192.168.2.0/24 and a name tag of Ch14-PrivateSubnet1. Create the subnet in the Amazon VPC from Exercise 14.1, and specify the same Availability Zone for the subnet that was used in Exercise 14.4 for the Ch14-PublicSubnet1 (for example, US-East-1a).
4. Update the route table for the created subnet to the Ch14-PrivateRouteTable from Exercise 14.6.
5. Create a subnet with a CIDR block equal to 192.168.4.0/24 and a name tag of Ch14-PrivateSubnet2. Create the subnet in the Amazon VPC from Exercise 14.1, and specify the same Availability Zone for the subnet that was used in Exercise 14.4 for the Ch14-PublicSubnet2 (for example, US-East-1b).
6. Update the route table for the created subnet to the Ch14-PrivateRouteTable from Exercise 14.6.
EXERCISE 14.8
Create Security Groups for Each Application Tier
1. Log in to the AWS Management Console.
2. Navigate to the Amazon VPC console.
3. Create an Amazon VPC security group for the ELB with a name tag and group tab of Ch14-ELB-SG and a description of Load balancer security group for Ch14 exercises. Create the security group in the Amazon VPC from Exercise 14.1 with an inbound rule of Type HTTP, a protocol of TCP, a port range of 80, and a source of 0.0.0.0/0.
4. Create an Amazon VPC security group for the web servers with a name tag and group tab of Ch14-WebServer-SG and a description of Web server security group for Ch14 exercises. Create the security group in the Amazon VPC from Exercise 14.1 with an inbound rule of Type HTTP, a protocol of TCP, a port range of 80, and a source of the Ch14-ELB-SG security group. You may want to add another inbound rule of Type SSH, a protocol of TCP, a port range of 22, and a source of your IP address to provide secure access to manage the servers.
5. Create an Amazon VPC security group for the Amazon RDS MySQL database with a name tag and group tab of Ch14-DB-SG and a description of Database security group for Ch14 exercises. Create the security group in the Amazon VPC from Exercise 14.1 with an inbound rule of Type MYSQL/Aurora, a protocol of TCP, a port range of 3306, and a source of the Ch14-WebServer-SG security group.
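The three security groups of Exercise 14.8, expressed as an AWS CloudFormation template (an added example for this page, not part of the book's exercises). It assumes the Ch14-VPC from Exercise 14.1 already exists and is passed in as the VpcId parameter, and it treats the optional SSH rule from step 4 as an AdminCidr parameter restricted to a single /32 address so the rule cannot be deployed open to the world. The web tier admits port 80 only from the ELB group and the database tier admits port 3306 only from the web server group, which is the chain of trust the exercise describes; the logical resource names and the outputs are choices made here.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Three-tier security groups for the Chapter 14 exercises (added example)

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
    Description: The Ch14-VPC created in Exercise 14.1
  AdminCidr:
    Type: String
    Description: Your own public IP address as a /32, for the optional SSH rule
    AllowedPattern: "^(\\d{1,3}\\.){3}\\d{1,3}/32$"
    ConstraintDescription: must be a single IPv4 address in CIDR /32 form

Resources:
  # Tier 1: the load balancer is the only component reachable from the Internet.
  ElbSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: Ch14-ELB-SG
      GroupDescription: Load balancer security group for Ch14 exercises
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
      Tags:
        - Key: Name
          Value: Ch14-ELB-SG

  # Tier 2: web servers accept HTTP only from the load balancer's group,
  # and SSH only from the administrator's single address.
  WebServerSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: Ch14-WebServer-SG
      GroupDescription: Web server security group for Ch14 exercises
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          SourceSecurityGroupId: !Ref ElbSecurityGroup
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: !Ref AdminCidr
      Tags:
        - Key: Name
          Value: Ch14-WebServer-SG

  # Tier 3: the database accepts MySQL only from the web server group.
  DbSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: Ch14-DB-SG
      GroupDescription: Database security group for Ch14 exercises
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 3306
          ToPort: 3306
          SourceSecurityGroupId: !Ref WebServerSecurityGroup
      Tags:
        - Key: Name
          Value: Ch14-DB-SG

Outputs:
  ElbSecurityGroupId:
    Value: !Ref ElbSecurityGroup
  WebServerSecurityGroupId:
    Value: !Ref WebServerSecurityGroup
  DbSecurityGroupId:
    Value: !Ref DbSecurityGroup
```

Saved as a file, it can be deployed with `aws cloudformation deploy --template-file <file> --stack-name ch14-sg --parameter-overrides VpcId=<your vpc id> AdminCidr=<your address>/32`, and the outputs give the group IDs that Exercises 14.9 through 14.11 ask for. Referencing a security group as the source, rather than a subnet CIDR, means the rule keeps working when instances are replaced or move between subnets, which is exactly the loose coupling the chapter argues for.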
EXERCISE 14.9
Create a MySQL Multi-AZ Amazon RDS Instance
1. Log in to the AWS Management Console.
2. Navigate to the Amazon RDS console.
3. Create a DB subnet group with a name of Ch14-SubnetGroup and a description of Subnet group for Ch14 exercises. Create the DB subnet group in the Amazon VPC from Exercise 14.1 with the private subnets from Exercise 14.7.
4. Launch a MySQL Amazon RDS instance with the following characteristics:
DB Instance Class: db.t2.small
Multi-AZ Deployment: yes
Allocated Storage: no less than 5 GB
DB Instance Identifier: ch14db
Master User Name: your choice
Master Password: your choice
VPC: the Amazon VPC from Exercise 14.1
DB Subnet Group: Ch14-SubnetGroup
Publicly Accessible: No
VPC Security Group: Ch14-DB-SG
Database Name: appdb
Database Port: 3306
EXERCISE 14.10
Create an Elastic Load Balancer (ELB)
1. Log in to the AWS Management Console.
2. Navigate to the Amazon EC2 console.
3. Create an ELB with a load balancer name of Ch14-WebServer-ELB. Create the ELB in the Amazon VPC from Exercise 14.1 with a listener configuration of the following:
Load Balancer Protocol: HTTP
Load Balancer Port: 80
Instance Protocol: HTTP
Instance Port: 80
4. Add the public subnets created in Exercise 14.4.
5. Assign the existing security group of Ch14-ELB-SG created in Exercise 14.8.
6. Configure the health check with a ping protocol of HTTP, a ping port of 80, and a ping path of /index.html.
7. Add a tag with a key of Name and value of Ch14-WebServer-ELB.
8. Update the ELB port configuration to enable load-balancer generated cookie stickiness with an expiration period of 30 seconds.
EXERCISE 14.11
Create a Web Server Auto Scaling Group
1. Log in to the AWS Management Console.
2. Navigate to the Amazon EC2 console.
3. Create a launch configuration for the web server Auto Scaling group with the following characteristics:
AMI: latest Amazon Linux AMI
Instance Type: t2.small
Name: Ch14-WebServer-LC
User data:
    #!/bin/bash
    # Patch the instance, install PHP with the MySQL client libraries and Apache,
    # then publish a one-line page that the ELB health check (/index.html) can fetch.
    yum update -y
    yum install -y php
    yum install -y php-mysql
    yum install -y mysql
    yum install -y httpd
    echo "<html><body><h1>powered by AWS</h1></body></html>" > /var/www/html/index.html
    service httpd start
Security Group: Ch14-WebServer-SG
Key Pair: existing or new key pair for your account
4. Create an Auto Scaling group for the web servers from the launch configuration Ch14-WebServer-LC with a group name of Ch14-WebServer-AG. Create the Auto Scaling group in the Amazon VPC from Exercise 14.1 with the public subnets created in Exercise 14.4 and a group size of 2.
5. Associate the load balancer Ch14-WebServer-ELB created in Exercise 14.10 to the Auto Scaling group.
6. Add a name tag with a key of Name and value of Ch14-WebServer-AG to the Auto Scaling group.
You will need your own domain name to complete this section, and you should be aware that Amazon Route 53 is not eligible for AWS Free Tier. Hosting a zone on Amazon Route 53 will cost approximately $0.50 per month per hosted zone, and additional charges will be levied depending on what routing policy you choose. For more information on Amazon Route 53 pricing, refer to http://aws.amazon.com/route53/pricing/.
EXERCISE 14.12
Create a Route 53 Hosted Zone
1. Log in to the AWS Management Console.
2. Navigate to the Amazon Route 53 console and create a hosted zone.
3. Enter your domain name and create your new zone file.
4. In the new zone file, you will see the Start of Authority (SOA) record and name servers. You will need to log in to your domain registrar's website and update the name servers with your AWS name servers.
If the registrar has a method to change the Time To Live (TTL) settings for their name servers, it is recommended that you reset the settings to 900 seconds. This limits the time during which client requests will try to resolve domain names using obsolete name servers. You will need to wait for the duration of the previous TTL for resolvers and clients to stop caching the DNS records with their previous values.
5. After you update your name servers with your domain registrars, Amazon Route 53 will be configured to serve DNS requests for your domain.
EXERCISE 14.13
Create an Alias A Record
1. Log in to the AWS Management Console.
2. Navigate to the Amazon Route 53 console.
3. Select your Route 53 hosted zone created in Exercise 14.12. Create a record set with a name of www and a type of A—IPv4 Address.
4. Create an alias with an alias target of the ELB Ch14-WebServer-ELB created in Exercise 14.10 and leave your routing policy as simple.
EXERCISE 14.14
Test Your Configuration
1. Log in to the AWS Management Console.
2. Navigate to the Amazon EC2 console.
3. Verify that the ELB created in Exercise 14.11 has 2 of 2 instances in service.
4. In a web browser, navigate to the web farm (www.example.com) using the Hosted Zone A record created in Exercise 14.13. You should see "powered by AWS" on the web page.
Review Questions
1. When designing a loosely coupled system, which AWS services provide an intermediate durable storage layer between components? (Choose 2 answers)
A. Amazon CloudFront
B. Amazon Kinesis
C. Amazon Route 53
D. AWS CloudFormation
E. Amazon Simple Queue Service (Amazon SQS)
2. Which of the following options will help increase the availability of a web server farm? (Choose 2 answers)
A. Use Amazon CloudFront to deliver content to the end users with low latency and high data transfer speeds.
B. Launch the web server instances across multiple Availability Zones.
C. Leverage Auto Scaling to recover from failed instances.
D. Deploy the instances in an Amazon Virtual Private Cloud (Amazon VPC).
E. Add more CPU and RAM to each instance.
3. Which of the following AWS Cloud services are designed according to the Multi-AZ principle? (Choose 2 answers)
A. Amazon DynamoDB
B. Amazon ElastiCache
C. Elastic Load Balancing
D. Amazon Virtual Private Cloud (Amazon VPC)
E. Amazon Simple Storage Service (Amazon S3)
4. Your e-commerce site was designed to be stateless and currently runs on a fleet of Amazon Elastic Compute Cloud (Amazon EC2) instances. In an effort to control cost and increase availability, you have a requirement to scale the fleet based on CPU and network utilization to match the demand curve for your site. What services do you need to meet this requirement? (Choose 2 answers)
A. Amazon CloudWatch
B. Amazon DynamoDB
C. Elastic Load Balancing
D. Auto Scaling
E. Amazon Simple Storage Service (Amazon S3)
5. Your compliance department has mandated a new requirement that all data on Amazon Elastic Block Storage (Amazon EBS) volumes must be encrypted. Which of the following steps would you follow for your existing Amazon EBS volumes to comply with the new requirement? (Choose 3 answers)
A. Move the existing Amazon EBS volume into an Amazon Virtual Private Cloud (Amazon VPC).
B. Create a new Amazon EBS volume with encryption enabled.
C. Modify the existing Amazon EBS volume properties to enable encryption.
D. Attach an Amazon EBS volume with encryption enabled to the instance that hosts the data, then migrate the data to the encryption-enabled Amazon EBS volume.
E. Copy the data from the unencrypted Amazon EBS volume to the Amazon EBS volume with encryption enabled.
6. When building a Distributed Denial of Service (DDoS)-resilient architecture, how does Amazon Virtual Private Cloud (Amazon VPC) help minimize the attack surface area? (Choose 3 answers)
A. Reduces the number of necessary Internet entry points
B. Combines end user traffic with management traffic
C. Obfuscates necessary Internet entry points to the level that untrusted end users cannot access them
D. Adds non-critical Internet entry points to the architecture
E. Scales the network to absorb DDoS attacks
7. Your e-commerce application provides daily and ad hoc reporting to various business units on customer purchases. This is resulting in an extremely high level of read traffic to your MySQL Amazon Relational Database Service (Amazon RDS) instance. What can you do to scale up read traffic without impacting your database's performance?
A. Increase the allocated storage for the Amazon RDS instance.
B. Modify the Amazon RDS instance to be a Multi-AZ deployment.
C. Create a read replica for an Amazon RDS instance.
D. Change the Amazon RDS instance DB engine version.
8. Your website is hosted on a fleet of web servers that are load balanced across multiple Availability Zones using an Elastic Load Balancer (ELB). What type of record set in Amazon Route 53 can be used to point myawesomeapp.com to your website?
A. Type A Alias resource record set
B. MX record set
C. TXT record set
D. CNAME record set
9. You need a secure way to distribute your AWS credentials to an application running on Amazon Elastic Compute Cloud (Amazon EC2) instances in order to access supplementary AWS Cloud services. What approach provides your application access to use short-term credentials for signing requests while protecting those credentials from other users?
A. Add your credentials to the User Data parameter of each Amazon EC2 instance.
B. Use a configuration file to store your access and secret keys on the Amazon EC2 instances.
C. Specify your access and secret keys directly in your application.
D. ProvisiontheAmazonEC2instanceswithaninstanceprofilethathastheappropriateprivileges.
10. YouarerunningasuiteofmicroservicesonAWSLambdathatprovidethebusinesslogicandaccesstodatastoredinAmazonDynamoDBforyourtaskmanagementsystem.Youneedtocreatewell-definedRESTfulApplicationProgramInterfaces(APIs)forthesemicroservicesthatwillscalewithtraffictosupportanewmobileapplication.WhatAWSCloudservicecanyouusetocreatethenecessaryRESTfulAPIs?
A. AmazonKinesis
B. AmazonAPIGateway
C. AmazonCognito
D. AmazonElasticComputeCloud(AmazonEC2)ContainerRegistry
11. YourWordPresswebsiteishostedonafleetofAmazonElasticComputeCloud(AmazonEC2)instancesthatleverageAutoScalingtoprovidehighavailability.ToensurethatthecontentoftheWordPresssiteissustainedthroughscaleupandscaledownevents,youneedacommonfilesystemthatissharedbetweenmorethanoneAmazonEC2instance.WhichAWSCloudservicecanmeetthisrequirement?
A. AmazonCloudFront
B. AmazonElastiCache
C. AmazonElasticFileSystem(AmazonEFS)
D. AmazonElasticBeanstalk
12. YouarechangingyourapplicationtomovesessionstateinformationofftheindividualAmazonElasticComputeCloud(AmazonEC2)instancestotakeadvantageoftheelasticityandcostbenefitsprovidedbyAutoScaling.WhichofthefollowingAWSCloudservicesisbestsuitedasanalternativeforstoringsessionstateinformation?
A. AmazonDynamoDB
B. AmazonRedshift
C. AmazonStorageGateway
D. AmazonKinesis
13. Amediasharingapplicationisproducingaveryhighvolumeofdatainaveryshortperiodoftime.Yourback-endservicesareunabletomanagethelargevolumeoftransactions.Whatoptionprovidesawaytomanagetheflowoftransactionstoyour
![Page 487: Certified Solutions Architect Official Guide/AWS Certified... · Chapter 1: Introduction to AWS Chapter 2: Amazon Simple Storage Service (Amazon S3) and Amazon Glacier Storage Chapter](https://reader034.vdocuments.us/reader034/viewer/2022051812/602c405cb445ae68a568d84c/html5/thumbnails/487.jpg)
back-endservices?
A. StoretheinboundtransactionsinanAmazonRelationalDatabaseService(AmazonRDS)instancesothatyourback-endservicescanretrievethemastimepermits.
B. UseanAmazonSimpleQueueService(AmazonSQS)queuetobuffertheinboundtransactions.
C. UseanAmazonSimpleNotificationService(AmazonSNS)topictobuffertheinboundtransactions.
D. StoretheinboundtransactionsinanAmazonElasticMapReduce(AmazonEMR)clustersothatyourback-endservicescanretrievethemastimepermits.
14. WhichofthefollowingarebestpracticesformanagingAWSIdentityandAccessManagement(IAM)useraccesskeys?(Choose3answers)
A. Embedaccesskeysdirectlyintoapplicationcode.
B. Usedifferentaccesskeysfordifferentapplications.
C. Rotateaccesskeysperiodically.
D. Keepunusedaccesskeysforanindefiniteperiodoftime.
E. ConfigureMulti-FactorAuthentication(MFA)foryourmostsensitiveoperations.
15. YouneedtoimplementaservicetoscanApplicationProgramInterface(API)callsandrelatedevents’historytoyourAWSaccount.Thisservicewilldetectthingslikeunusedpermissions,overuseofprivilegedaccounts,andanomalouslogins.WhichofthefollowingAWSCloudservicescanbeleveragedtoimplementthisservice?(Choose3answers)
A. AWSCloudTrail
B. AmazonSimpleStorageService(AmazonS3)
C. AmazonRoute53
D. AutoScaling
E. AWSLambda
16. Governmentregulationsrequirethatyourcompanymaintainallcorrespondenceforaperiodofsevenyearsforcompliancereasons.Whatisthebeststoragemechanismtokeepthisdatasecureinacost-effectivemanner?
A. AmazonS3
B. AmazonGlacier
C. AmazonEBS
D. AmazonEFS
17. YourcompanyprovidesmediacontentviatheInternettocustomersthroughapaidsubscriptionmodel.YouleverageAmazonCloudFronttodistributecontenttoyourcustomerswithlowlatency.Whatapproachcanyouusetoservethisprivatecontentsecurelytoyourpaidsubscribers?
![Page 488: Certified Solutions Architect Official Guide/AWS Certified... · Chapter 1: Introduction to AWS Chapter 2: Amazon Simple Storage Service (Amazon S3) and Amazon Glacier Storage Chapter](https://reader034.vdocuments.us/reader034/viewer/2022051812/602c405cb445ae68a568d84c/html5/thumbnails/488.jpg)
A. ProvidesignedAmazonCloudFrontURLstoauthenticateduserstoaccessthepaidcontent.
B. UseHTTPSrequeststoensurethatyourobjectsareencryptedwhenAmazonCloudFrontservesthemtoviewers.
C. ConfigureAmazonCloudFronttocompressthemediafilesautomaticallyforpaidsubscribers.
D. UsetheAmazonCloudFrontgeorestrictionfeaturetorestrictaccesstoallofthepaidsubscriptionmediaatthecountrylevel.
18. Yourcompanyprovidestranscodingservicesforamateurproducerstoformattheirshortfilmstoavarietyofvideoformats.Whichserviceprovidesthebestoptionforstoringthevideos?
A. AmazonGlacier
B. AmazonSimpleStorageService(AmazonS3)
C. AmazonRelationalDatabaseService(AmazonRDS)
D. AWSStorageGateway
19. AweekbeforeCyberMondaylastyear,yourcorporatedatacenterexperiencedafailedairconditioningunitthatcausedfloodingintotheserverracks.Theresultingoutagecostyourcompanysignificantrevenue.YourCIOmandatedamovetothecloud,butheisstillconcernedaboutcatastrophicfailuresinadatacenter.Whatcanyoudotoalleviatehisconcerns?
A. DistributethearchitectureacrossmultipleAvailabilityZones.
B. UseanAmazonVirtualPrivateCloud(AmazonVPC)withsubnets.
C. Launchthecomputefortheprocessingservicesinaplacementgroup.
D. PurchaseReservedInstancesfortheprocessingservicesinstances.
20. YourAmazonVirtualPrivateCloud(AmazonVPC)includesmultipleprivatesubnets.Theinstancesintheseprivatesubnetsmustaccessthird-partypaymentApplicationProgramInterfaces(APIs)overtheInternet.WhichoptionwillprovidehighlyavailableInternetaccesstotheinstancesintheprivatesubnets?
A. CreateanAWSStorageGatewayineachAvailabilityZoneandconfigureyourroutingtoensurethatresourcesusetheAWSStorageGatewayinthesameAvailabilityZone.
B. CreateacustomergatewayineachAvailabilityZoneandconfigureyourroutingtoensurethatresourcesusethecustomergatewayinthesameAvailabilityZone.
C. CreateaNetworkAddressTranslation(NAT)gatewayineachAvailabilityZoneandconfigureyourroutingtoensurethatresourcesusetheNATgatewayinthesameAvailabilityZone.
D. CreateaNATgatewayinoneAvailabilityZoneandconfigureyourroutingtoensurethatresourcesusethatNATgatewayinalltheAvailabilityZones.
![Page 489: Certified Solutions Architect Official Guide/AWS Certified... · Chapter 1: Introduction to AWS Chapter 2: Amazon Simple Storage Service (Amazon S3) and Amazon Glacier Storage Chapter](https://reader034.vdocuments.us/reader034/viewer/2022051812/602c405cb445ae68a568d84c/html5/thumbnails/489.jpg)
Appendix A: Answers to Review Questions
Chapter 1: Introduction to AWS
1. D. A region is a named set of AWS resources in the same geographical area. A region comprises at least two Availability Zones. Endpoint, Collection, and Fleet do not describe a physical location around the world where AWS clusters data centers.
2. A. An Availability Zone is a distinct location within a region that is insulated from failures in other Availability Zones and provides inexpensive, low-latency network connectivity to other Availability Zones in the same region. Replication areas, geographic districts, and compute centers are not terms used to describe AWS data center locations.
3. B. A hybrid deployment is a way to connect infrastructure and applications between cloud-based resources and existing resources that are not located in the cloud. An all-in deployment refers to an environment that exclusively runs in the cloud. An on-premises deployment refers to an environment that runs exclusively in an organization's data center.
4. C. Amazon CloudWatch is a monitoring service for AWS Cloud resources and the applications organizations run on AWS. It allows organizations to collect and track metrics, collect and monitor log files, and set alarms. AWS IAM, Amazon SNS, and AWS CloudFormation do not provide visibility into resource utilization, application performance, and the operational health of your AWS resources.
5. B. Amazon DynamoDB is a fully managed, fast, and flexible NoSQL database service for all applications that need consistent, single-digit millisecond latency at any scale. Amazon SQS, Amazon ElastiCache, and Amazon RDS do not provide a NoSQL database service. Amazon SQS is a managed message queuing service. Amazon ElastiCache is a service that provides in-memory cache in the cloud. Finally, Amazon RDS provides managed relational databases.
6. A. Auto Scaling helps maintain application availability and allows organizations to scale Amazon Elastic Compute Cloud (Amazon EC2) capacity up or down automatically according to conditions defined for the particular workload. Not only can it be used to help ensure that the desired number of Amazon EC2 instances are running, but it also allows resources to scale in and out to match the demands of dynamic workloads. Amazon Glacier, Amazon SNS, and Amazon VPC do not provide services to scale compute capacity automatically.
7. D. Amazon CloudFront is a web service that provides a CDN to speed up distribution of your static and dynamic web content—for example, .html, .css, .php, image, and media files—to end users. Amazon CloudFront delivers content through a worldwide network of edge locations. Amazon EC2, Amazon Route 53, and AWS Storage Gateway do not provide CDN services that are required to meet the needs for the photo sharing service.
8. A. Amazon EBS provides persistent block-level storage volumes for use with Amazon EC2 instances on the AWS Cloud. Amazon DynamoDB, Amazon Glacier, and AWS CloudFormation do not provide persistent block-level storage for Amazon EC2 instances. Amazon DynamoDB provides managed NoSQL databases. Amazon Glacier provides low-cost archival storage. AWS CloudFormation gives developers and systems administrators an easy way to create and manage a collection of related AWS resources.
9. C. Amazon VPC lets organizations provision a logically isolated section of the AWS Cloud where they can launch AWS resources in a virtual network that they define. Amazon SWF, Amazon Route 53, and AWS CloudFormation do not provide a virtual network. Amazon SWF helps developers build, run, and scale background jobs that have parallel or sequential steps. Amazon Route 53 provides a highly available and scalable cloud Domain Name System (DNS) web service. AWS CloudFormation gives developers and systems administrators an easy way to create and manage a collection of related AWS resources.
10. B. Amazon SQS is a fast, reliable, scalable, fully managed message queuing service that allows organizations to decouple the components of a cloud application. With Amazon SQS, organizations can transmit any volume of data, at any level of throughput, without losing messages or requiring other services to be always available. AWS CloudTrail records AWS API calls, and Amazon Redshift is a data warehouse, neither of which would be useful as an architecture component for decoupling components. Amazon SNS provides a messaging bus complement to Amazon SQS; however, it doesn't provide the decoupling of components necessary for this scenario.
Chapter 2: Amazon Simple Storage Service (Amazon S3) and Amazon Glacier Storage
1. D, E. Objects are stored in buckets, and objects contain both data and metadata.
2. B, D. Amazon S3 cannot be mounted to an Amazon EC2 instance like a file system and should not serve as primary database storage.
3. A, B, D. C and E are incorrect—objects are private by default, and storage in a bucket does not need to be pre-allocated.
4. B, C, E. Static website hosting does not restrict data access, and neither does an Amazon S3 lifecycle policy.
5. C, E. Versioning protects data against inadvertent or intentional deletion by storing all versions of the object, and MFA Delete requires a one-time code from a Multi-Factor Authentication (MFA) device to delete objects. Cross-region replication and migration to the Amazon Glacier storage class do not protect against deletion. Vault locks are a feature of Amazon Glacier, not a feature of Amazon S3.
6. C. Migrating the data to Amazon S3 Standard-IA after 30 days using a lifecycle policy is correct. Amazon S3 RRS should only be used for easily replicated data, not critical data. Migration to Amazon Glacier might minimize storage costs if retrievals are infrequent, but documents would not be available in minutes when needed.
7. B. Data is automatically replicated within a region. Replication to other regions and versioning are optional. Amazon S3 data is not backed up to tape.
8. C. In a URL, the bucket name precedes the string "s3.amazonaws.com/," and the object key is everything after that. There is no folder structure in Amazon S3.
9. C. Amazon S3 server access logs store a record of what requestor accessed the objects in your bucket, including the requesting IP address.
10. B, C. Cross-region replication can help lower latency and satisfy compliance requirements on distance. Amazon S3 is designed for eleven nines durability for objects in a single region, so a second region does not significantly increase durability. Cross-region replication does not protect against accidental deletion.
11. C. If data must be encrypted before being sent to Amazon S3, client-side encryption must be used.
12. B. Amazon S3 scales automatically, but for request rates over 100 GETs per second, it helps to make sure there is some randomness in the key space. Replication and logging will not affect performance or scalability. Using sequential key names could have a negative effect on performance or scalability.
13. A, D. You must enable versioning before you can enable cross-region replication, and Amazon S3 must have IAM permissions to perform the replication. Lifecycle rules migrate data from one storage class to another, not from one bucket to another. Static website hosting is not a prerequisite for replication.
14. B. Amazon S3 is the most cost effective storage on AWS, and lifecycle policies are a simple and effective feature to address the business requirements.
15. B, C, E. Amazon S3 bucket policies cannot specify a company name or a country of origin, but they can specify request IP range, AWS account, and a prefix for objects that can be accessed.
16. B, C. Amazon S3 provides read-after-write consistency for PUTs to new objects (new key), but eventual consistency for GETs and DELETEs of existing objects (existing key).
17. A, B, D. A, B, and D are required, and normally you also set a friendly CNAME to the bucket URL. Amazon S3 does not support FTP transfers, and HTTP does not need to be enabled.
18. B. Pre-signed URLs allow you to grant time-limited permission to download objects from an Amazon Simple Storage Service (Amazon S3) bucket. Static web hosting generally requires world-read access to all content. AWS IAM policies do not know who the authenticated users of the web app are. Logging can help track content loss, but not prevent it.
19. A, C. Amazon Glacier is optimized for long-term archival storage and is not suited to data that needs immediate access or short-lived data that is erased within 90 days.
20. C, D, E. Amazon Glacier stores data in archives, which are contained in vaults. Archives are identified by system-created archive IDs, not key names.
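Answer 18 above (and review question 17 earlier, on signed Amazon CloudFront URLs) rests on one mechanism: the content owner signs a URL with a secret key and an expiry time, and the service recomputes the signature before serving, refusing anything expired or altered. The Python below is an added worked example; it is not code from this study guide or from an AWS SDK. It implements the Signature Version 4 query-string pre-signing that Amazon S3 accepts, together with the service-side check, and assumes a virtual-hosted-style bucket host. The access key, secret key, bucket, object key and clock value are constructed sample values, not real credentials or resources.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, quote, urlencode, urlparse

# Constructed sample values for the demo: NOT real AWS credentials.
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
REGION = "us-east-1"
SAMPLE_NOW = datetime(2017, 1, 1, 12, 0, 0, tzinfo=timezone.utc)  # fixed clock for the demo
MAX_EXPIRES = 7 * 24 * 3600  # S3 rejects SigV4 pre-signed URLs valid for longer than seven days
REQUIRED = ("X-Amz-Algorithm", "X-Amz-Credential", "X-Amz-Date", "X-Amz-Expires", "X-Amz-SignedHeaders")


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret_key: str, date_stamp: str, region: str) -> bytes:
    """SigV4 key derivation: an HMAC chain over date, region, service and terminator."""
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, "s3")
    return _hmac_sha256(k_service, "aws4_request")


def _canonical_query(params: dict) -> str:
    # Names and values percent-encoded (including '/'), sorted by name.
    return urlencode(sorted(params.items()), quote_via=quote)


def _signature(host: str, canonical_uri: str, params: dict, secret_key: str) -> str:
    """Signature over a GET of canonical_uri on host with the given query parameters."""
    scope = params["X-Amz-Credential"].split("/", 1)[1]  # date/region/s3/aws4_request
    date_stamp, region = scope.split("/")[:2]
    # Canonical request: method, URI, query, headers (newline-terminated), signed headers, payload hash.
    canonical_request = "\n".join(["GET", canonical_uri, _canonical_query(params),
                                   f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", params["X-Amz-Date"], scope,
                                hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])
    key = signing_key(secret_key, date_stamp, region)
    return hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()


def presign_get(bucket: str, key: str, expires: int, now: datetime,
                access_key: str = ACCESS_KEY, secret_key: str = SECRET_KEY,
                region: str = REGION) -> str:
    """Content owner's side: a GET URL for one object, valid for `expires` seconds from `now`."""
    if not 1 <= expires <= MAX_EXPIRES:
        raise ValueError("X-Amz-Expires must be between 1 second and 7 days")
    host = f"{bucket}.s3.amazonaws.com"
    amz_date = now.astimezone(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{amz_date[:8]}/{region}/s3/aws4_request",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    canonical_uri = "/" + quote(key)  # key encoded once; '/' kept as a path separator
    sig = _signature(host, canonical_uri, params, secret_key)
    return f"https://{host}{canonical_uri}?{_canonical_query(params)}&X-Amz-Signature={sig}"


def verify_presigned(url: str, now: datetime, secret_key: str = SECRET_KEY) -> tuple:
    """Service side: accept only a URL that is unexpired and unmodified since signing."""
    parsed = urlparse(url)
    query = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    given = query.pop("X-Amz-Signature", None)
    if given is None or any(k not in query for k in REQUIRED):
        return False, "malformed"
    try:
        issued = datetime.strptime(query["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
        lifetime = timedelta(seconds=int(query["X-Amz-Expires"]))
    except ValueError:
        return False, "malformed"
    if now.astimezone(timezone.utc) > issued + lifetime:
        return False, "expired"
    # Expiry and object path are inside the signed string, so neither can be changed without
    # the secret. compare_digest keeps the comparison constant-time.
    expected = _signature(parsed.netloc, parsed.path, query, secret_key)
    if not hmac.compare_digest(given, expected):
        return False, "bad signature"
    return True, "ok"


def demo() -> dict:
    """Run both sides against the fixed clock; returns the outcome of each check."""
    url = presign_get("example-bucket", "reports/q1.pdf", 3600, SAMPLE_NOW)
    flipped = url[:-1] + ("0" if url[-1] != "0" else "1")  # alter one signature character
    return {
        "url": url,
        "in_window": verify_presigned(url, SAMPLE_NOW + timedelta(minutes=30)),
        "after_expiry": verify_presigned(url, SAMPLE_NOW + timedelta(hours=2)),
        "other_object": verify_presigned(url.replace("q1.pdf", "q2.pdf"), SAMPLE_NOW),
        "flipped_signature": verify_presigned(flipped, SAMPLE_NOW),
        "wrong_secret": verify_presigned(url, SAMPLE_NOW, secret_key="not-the-real-secret"),
        "no_signature": verify_presigned(url.split("&X-Amz-Signature=")[0], SAMPLE_NOW),
    }
```

Calling demo() shows the outcomes the service distinguishes: the URL presented inside its window is accepted, the same URL after X-Amz-Expires has elapsed is refused, and any change to the object path, the signature or the signing secret fails the signature check. Because X-Amz-Date and X-Amz-Expires are part of the signed string, a recipient cannot extend the lifetime by editing the query string. In practice the SDKs do this signing for you (boto3 exposes it as generate_presigned_url); writing it out shows exactly what the signature covers and why the time limit holds.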
Chapter 3: Amazon Elastic Compute Cloud (Amazon EC2) and Amazon Elastic Block Store (Amazon EBS)
1. C. Reserved Instances provide cost savings when you can commit to running instances full time, such as to handle the base traffic. On-Demand Instances provide the flexibility to handle traffic spikes, such as on the last day of the month.
2. B. Spot Instances are a very cost-effective way to address temporary compute needs that are not urgent and are tolerant of interruption. That's exactly the workload described here. Reserved Instances are inappropriate for temporary workloads. On-Demand Instances are good for temporary workloads, but don't offer the cost savings of Spot Instances. Adding more queues is a non-responsive answer as it would not address the problem.
3. C, D. The Amazon EC2 instance ID will be assigned by AWS as part of the launch process. The administrator password is assigned by AWS and encrypted via the public key. The instance type defines the virtual hardware and the AMI defines the initial software state. You must specify both upon launch.
4. A, C. You can change the instance type only within the same instance type family, or you can change the Availability Zone. You cannot change the operating system nor the instance type family.
5. D. When there are multiple security groups associated with an instance, all the rules are aggregated.
6. A, B, E. These are the benefits of enhanced networking.
7. A, B, D. The other answers have nothing to do with networking.
8. C. Dedicated Instances will not share hosts with other accounts.
9. B, C. Instance stores are low-durability, high-IOPS storage that is included for free with the hourly cost of an instance.
10. A, C. There are no tapes in the AWS infrastructure. Amazon EBS volumes persist when the instance is stopped. The data is automatically replicated within an Availability Zone. Amazon EBS volumes can be encrypted upon creation and used by an instance in the same manner as if they were not encrypted.
11. B. There is no delay in processing when commencing a snapshot.
12. B. The volume is created immediately but the data is loaded lazily. This means that the volume can be accessed upon creation, and if the data being requested has not yet been restored, it will be restored upon first request.
13. A, C. B and D are incorrect because an instance store will not be durable and a magnetic volume offers an average of 100 IOPS. Amazon EBS-optimized instances reserve network bandwidth on the instance for IO, and Provisioned IOPS SSD volumes provide the highest consistent IOPS.
14. D. Bootstrapping runs the provided script, so anything you can accomplish in a script you can accomplish during bootstrapping.
15. C. The public half of the key pair is stored on the instance, and the private half can then be used to connect via SSH.
16. B, C. These are the possible outputs of VM Import/Export.
17. B, D. Neither the Windows machine name nor the Amazon EC2 instance ID can be resolved into an IP address to access the instance.
18. A. None of the other options will have any effect on the ability to connect.
19. C. A short period of heavy traffic is exactly the use case for the bursting nature of general-purpose SSD volumes—the rest of the day is more than enough time to build up enough IOPS credits to handle the nightly task. Instance stores are not durable, magnetic volumes cannot provide enough IOPS, and to set up a Provisioned IOPS SSD volume to handle the peak would mean spending money for more IOPS than you need.
20. B. There is a very small hourly charge for allocated elastic IP addresses that are not associated with an instance.
Chapter 4: Amazon Virtual Private Cloud (Amazon VPC)
1. C. The minimum size subnet that you can have in an Amazon VPC is /28.
2. C. You need two public subnets (one for each Availability Zone) and two private subnets (one for each Availability Zone). Therefore, you need four subnets.
3. A. Network ACLs are associated to a VPC subnet to control traffic flow.
4. A. The maximum size subnet that you can have in a VPC is /16.
5. D. By creating a route out to the Internet using an IGW, you have made this subnet public.
6. A. When you create an Amazon VPC, a route table is created by default. You must manually create subnets and an IGW.
7. C. When you provision an Amazon VPC, all subnets can communicate with each other by default.
8. A. You may only have one IGW for each Amazon VPC.
9. B. Security groups are stateful, whereas network ACLs are stateless.
10. C. You should disable source/destination checks on the NAT.
11. B, E. In the EC2-Classic network, the EIP will be disassociated with the instance; in the EC2-VPC network, the EIP remains associated with the instance. Regardless of the underlying network, a stop/start of an Amazon EBS-backed Amazon EC2 instance always changes the host computer.
12. D. Six VPC Peering connections are needed for each of the four VPCs to send traffic to the other.
13. B. A DHCP option set allows customers to define DNS servers for DNS name resolution, establish domain names for instances within an Amazon VPC, define NTP servers, and define the NetBIOS name servers.
14. D. A CGW is the customer side of a VPN connection, and an IGW connects a network to the Internet. A VPG is the Amazon side of a VPN connection.
15. A. The default limit for the number of Amazon VPCs that a customer may have in a region is 5.
16. B. Network ACL rules can deny traffic.
17. D. IPsec is the security protocol supported by Amazon VPC.
18. D. An Amazon VPC endpoint enables you to create a private connection between your Amazon VPC and another AWS service without requiring access over the Internet or through a NAT device, VPN connection, or AWS Direct Connect.
19. A, C. The CIDR block is specified upon creation and cannot be changed. An Amazon VPC is associated with exactly one region, which must be specified upon creation. You can add a subnet to an Amazon VPC anytime after it has been created, provided its address range falls within the Amazon VPC CIDR block and does not overlap with the address range of any existing CIDR block. You can set up peering relationships between Amazon VPCs after they have been created.
20. B. Attaching an ENI associated with a different subnet to an instance can make the instance dual-homed.
Chapter 5: Elastic Load Balancing, Amazon CloudWatch, and Auto Scaling
1. A, D. An Auto Scaling group must have a minimum size and a launch configuration defined in order to be created. Health checks and a desired capacity are optional.
2. B. The load balancer maintains two separate connections: one connection with the client and one connection with the Amazon EC2 instance.
3. D. Amazon CloudWatch metric data is kept for 2 weeks.
4. A. Only the launch configuration name, AMI, and instance type are needed to create an Auto Scaling launch configuration. Identifying a key pair, security group, and a block device mapping are optional elements for an Auto Scaling launch configuration.
5. B. You can use the Amazon CloudWatch Logs Agent installer on existing Amazon EC2 instances to install and configure the CloudWatch Logs Agent.
6. C. You configure your load balancer to accept incoming traffic by specifying one or more listeners.
7. D. The default Amazon EC2 instance limit for all regions is 20.
8. A. An SSL certificate must specify the name of the website in either the subject name or listed as a value in the SAN extension of the certificate in order for connecting clients to not receive a warning.
9. C. When Amazon EC2 instances fail the requisite number of consecutive health checks, the load balancer stops sending traffic to the Amazon EC2 instance.
10. D. Amazon CloudWatch metrics provide hypervisor visible metrics.
11. C. Auto Scaling is designed to scale out based on an event like increased traffic while being cost effective when not needed.
12. B. Auto Scaling will provide high availability across three Availability Zones with three Amazon EC2 instances in each and keep capacity above the required minimum capacity, even in the event of an entire Availability Zone becoming unavailable.
13. B, E, F. Auto Scaling responds to changing conditions by adding or terminating instances, launches instances from an AMI specified in the launch configuration associated with the Auto Scaling group, and enforces a minimum number of instances in the min-size parameter of the Auto Scaling group.
14. D. A, B, and C are all true statements about launch configurations being loosely coupled and referenced by the Auto Scaling group instead of being part of the Auto Scaling group.
15. A, C. An Auto Scaling group may use On-Demand and Spot Instances. An Auto Scaling group may not use already stopped instances, instances running someplace other than AWS, and already running instances not started by the Auto Scaling group itself.
16. A, F. Amazon CloudWatch has two plans: basic, which is free, and detailed, which has an additional cost. There is no ad hoc plan for Amazon CloudWatch.
17. A, C, D. An Elastic Load Balancing health check may be a ping, a connection attempt, or a page that is checked.
18. B, C. When connection draining is enabled, the load balancer will stop sending requests to a deregistered or unhealthy instance and attempt to complete in-flight requests until a connection draining timeout period is reached, which is 300 seconds by default.
19. B, E, F. Elastic Load Balancing supports Internet-facing, internal, and HTTPS load balancers.
20. B, D, E. Auto Scaling supports maintaining the current size of an Auto Scaling group using four plans: maintain current levels, manual scaling, scheduled scaling, and dynamic scaling.
Chapter 6: AWS Identity and Access Management (IAM)
1. B, C. Programmatic access is authenticated with an access key, not with user names/passwords. IAM roles provide a temporary security token to an application using an SDK.
2. A, C. IAM policies are independent of region, so no region is specified in the policy. IAM policies are about authorization for an already-authenticated principal, so no password is needed.
3. A, B, C, E. Locking down your root user and all accounts to which the administrator had access is the key here. Deleting all IAM accounts is not necessary, and it would cause great disruption to your operations. Amazon EC2 roles use temporary security tokens, so relaunching Amazon EC2 instances is not necessary.
4. B, D. IAM controls access to AWS resources only. Installing ASP.NET will require Windows operating system authorization, and querying an Oracle database will require Oracle authorization.
5. A, C. Amazon DynamoDB global secondary indexes are a performance feature of Amazon DynamoDB; Consolidated Billing is an accounting feature allowing all bills to roll up under a single account. While both are very valuable features, neither is a security feature.
6. B, C. Amazon EC2 roles must still be assigned a policy. Integration with Active Directory involves integration between Active Directory and IAM via SAML.
7. A, D. Amazon EC2 roles provide a temporary token to applications running on the instance; federation maps policies to identities from other sources via temporary tokens.
8. A, C, D. Neither B nor E are features supported by IAM.
9. B, C. Access requires an appropriate policy associated with a principal. Response A is merely a policy with no principal, and response D is not a principal as IAM groups do not have user names and passwords. Response B is the best solution; response C will also work but it is much harder to manage.
10. C. An IAM policy is a JSON document.
Chapter 7: Databases and AWS
1. B. Amazon RDS is best suited for traditional OLTP transactions. Amazon Redshift, on the other hand, is designed for OLAP workloads. Amazon Glacier is designed for cold archival storage.
2. D. Amazon DynamoDB is best suited for non-relational databases. Amazon RDS and Amazon Redshift are both structured relational databases.
3. C. In this scenario, the best idea is to use read replicas to scale out the database and thus maximize read performance. When using Multi-AZ, the secondary database is not accessible and all reads and writes must go to the primary or any read replicas.
4. A. Amazon Redshift is best suited for traditional OLAP transactions. While Amazon RDS can also be used for OLAP, Amazon Redshift is purpose-built as an OLAP data warehouse.
5. B. DB Snapshots can be used to restore a complete copy of the database at a specific point in time. Individual tables cannot be extracted from a snapshot.
6. A. All Amazon RDS database engines support Multi-AZ deployment.
7. B. Read replicas are supported by MySQL, MariaDB, PostgreSQL, and Aurora.
8. A. You can force a failover from one Availability Zone to another by rebooting the primary instance in the AWS Management Console. This is often how people test a failover in the real world. There is no need to create a support case.
9. D. Monitor the environment while Amazon RDS attempts to recover automatically. AWS will update the DB endpoint to point to the secondary instance automatically.
10. A. Amazon RDS supports Microsoft SQL Server Enterprise edition and the license is available only under the BYOL model.
11. B. General Purpose (SSD) volumes are generally the right choice for databases that have bursts of activity.
12. B. NoSQL databases like Amazon DynamoDB excel at scaling to hundreds of thousands of requests with key/value access to user profile and session.
13. A, C, D. DB snapshots allow you to back up and recover your data, while read replicas and a Multi-AZ deployment allow you to replicate your data and reduce the time to failover.
14. C, D. Amazon RDS allows for the creation of one or more read replicas for many engines that can be used to handle reads. Another common pattern is to create a cache using Memcached and Amazon ElastiCache to store frequently used queries. The secondary slave DB Instance is not accessible and cannot be used to offload queries.
15. A, B, C. Protecting your database requires a multilayered approach that secures the infrastructure, the network, and the database itself. Amazon RDS is a managed service and direct access to the OS is not available.
16. A, B, C. Vertically scaling up is one of the simpler options that can give you additional processing power without making any architectural changes. Read replicas require some application changes but let you scale processing power horizontally. Finally, busy databases are often I/O-bound, so upgrading storage to General Purpose (SSD) or Provisioned IOPS (SSD) can often allow for additional request processing.
17. C. Query is the most efficient operation to find a single item in a large table.
18. A. Using the Username as a partition key will evenly spread your users across the partitions. Messages are often filtered down by time range, so Timestamp makes sense as a sort key.
19. B, D. You can only have a single local secondary index, and it must be created at the same time the table is created. You can create many global secondary indexes after the table has been created.
20. B, C. Amazon Redshift is an Online Analytical Processing (OLAP) data warehouse designed for analytics, Extract, Transform, Load (ETL), and high-speed querying. It is not well suited for running transactional applications that require high volumes of small inserts or updates.
Chapter 8: SQS, SWF, and SNS
1. D. Amazon DynamoDB is not a supported Amazon SNS protocol.
2. A. When you create a new Amazon SNS topic, an Amazon ARN is created automatically.
3. A, C, D. Publishers, subscribers, and topics are the correct answers. You have subscribers to an Amazon SNS topic, not readers.
4. A. The default time for an Amazon SQS visibility timeout is 30 seconds.
5. D. The maximum time for an Amazon SQS visibility timeout is 12 hours.
6. B, D. The valid properties of an SQS message are Message ID and Body. Each message receives a system-assigned Message ID that Amazon SQS returns to you in the SendMessage response. The Message Body is composed of name/value pairs and the unstructured, uninterpreted content.
7. B. Use a single domain with multiple workflows. Workflows within separate domains cannot interact.
8. A, B, C. In Amazon SWF, actors can be activity workers, workflow starters, or deciders.
9. B. Amazon SWF would best serve your purpose in this scenario because it helps developers build, run, and scale background jobs that have parallel or sequential steps. You can think of Amazon SWF as a fully-managed state tracker and task coordinator in the Cloud.
10. D. Amazon SQS does not guarantee in what order your messages will be delivered.
11. A. Multiple queues can subscribe to an Amazon SNS topic, which can enable parallel asynchronous processing.
12. D. Long polling allows your application to poll the queue, and, if nothing is there, Amazon Elastic Compute Cloud (Amazon EC2) waits for an amount of time you specify (between 1 and 20 seconds). If a message arrives in that time, it is delivered to your application as soon as possible. If a message does not arrive in that time, you need to execute the ReceiveMessage function again.
13. B. The maximum time for an Amazon SQS long polling timeout is 20 seconds.
14. D. The longest configurable message retention period for Amazon SQS is 14 days.
15. B. The default message retention period that can be set in Amazon SQS is four days.
16. D. With Amazon SNS, you send individual or multiple messages to large numbers of recipients using publisher and subscriber client types.
17. B. The decider schedules the activity tasks and provides input data to the activity workers. The decider also processes events that arrive while the workflow is in progress and closes the workflow when the objective has been completed.
18. C. Topic names should typically be available for reuse approximately 30–60 seconds after the previous topic with the same name has been deleted. The exact time will depend on the number of subscriptions active on the topic; topics with a few subscribers will be available instantly for reuse, while topics with larger subscriber lists may take longer.
19. C. The main difference between Amazon SQS policies and IAM policies is that an Amazon SQS policy enables you to grant a different AWS account permission to your Amazon SQS queues, but an IAM policy does not.
20. C. No. After a message has been successfully published to a topic, it cannot be recalled.
Chapter 9: Domain Name System (DNS) and Amazon Route 53
1. C. An AAAA record is used to route traffic to an IPv6 address, whereas an A record is used to route traffic to an IPv4 address.
2. B. Domain names are registered with a domain registrar, which then registers the name to InterNIC.
3. C. You should route your traffic based on where your end users are located. The best routing policy to achieve this is geolocation routing.
4. D. A PTR record is used to resolve an IP address to a domain name, and it is commonly referred to as "reverse DNS."
5. B. You want your users to have the fastest network access possible. To do this, you would use latency-based routing. Geolocation routing would not achieve this as well as latency-based routing, which is specifically geared toward measuring the latency and thus would direct you to the AWS region in which you would have the lowest latency.
6. C. You would use Mail eXchange (MX) records to define which inbound destination mail server should be used.
7. B. SPF records are used to verify authorized senders of mail from your domain.
8. B. Weighted routing would best achieve this objective because it allows you to specify which percentage of traffic is directed to each endpoint.
9. D. The start of a zone is defined by the SOA; therefore, all zones must have an SOA record by default.
10. D. Failover-based routing would best achieve this objective.
11. B. The CNAME record maps a name to another name. It should be used only when there are no other records on that name.
12. C. Amazon Route 53 performs three main functions: domain registration, DNS service, and health checking.
13. A. A TXT record is used to store arbitrary and unformatted text with a host.
14. C. The resource record sets contained in a hosted zone must share the same suffix.
15. B. DNS uses port number 53 to serve requests.
16. D. DNS primarily uses UDP to serve requests.
17. A. The TCP protocol is used by DNS servers when the response data size exceeds 512 bytes or for tasks such as zone transfers.
18. B. Using Amazon Route 53, you can create two types of hosted zones: public hosted zones and private hosted zones.
19. D. Amazon Route 53 can route queries to a variety of AWS resources such as an Amazon CloudFront distribution, an Elastic Load Balancing load balancer, an Amazon EC2 instance, a website hosted in an Amazon S3 bucket, and an Amazon Relational Database (Amazon RDS).
20. D. You must first transfer the existing domain registration from another registrar to Amazon Route 53 to configure it as your DNS service.
Chapter 10: Amazon ElastiCache
1. A, B, C. Many types of objects are good candidates to cache because they have the potential to be accessed by numerous users repeatedly. Even the balance of a bank account could be cached for short periods of time if the back-end database query is slow to respond.
2. B, C. Amazon ElastiCache supports Memcached and Redis cache engines. MySQL is not a cache engine, and Couchbase is not supported.
3. C. The default limit is 20 nodes per cluster.
4. A. Redis clusters can only contain a single node; however, you can group multiple clusters together into a replication group.
5. B, C. Amazon ElastiCache is Application Programming Interface (API)-compatible with existing Memcached clients and does not require the application to be recompiled or linked against the libraries. Amazon ElastiCache manages the deployment of the Amazon ElastiCache binaries.
6. B, C. Amazon ElastiCache with the Redis engine allows for both manual and automatic snapshots. Memcached does not have a backup function.
7. B, C, D. Limit access at the network level using security groups or network ACLs, and limit infrastructure changes using IAM.
8. C. Amazon ElastiCache with Redis provides native functions that simplify the development of leaderboards. With Memcached, it is more difficult to sort and rank large datasets. Amazon Redshift and Amazon S3 are not designed for high volumes of small reads and writes, typical of a mobile game.
9. A. When the clients are configured to use Auto Discovery, they can discover new cache nodes as they are added or removed. Auto Discovery must be configured on each client and is not active server side. Updating the configuration file each time will be very difficult to manage. Using an Elastic Load Balancer is not recommended for this scenario.
10. A, B. Amazon ElastiCache supports both Memcached and Redis. You can run self-managed installations of Membase and Couchbase using Amazon Elastic Compute Cloud (Amazon EC2).
Chapter 11: Additional Key Services
1. B, C, E. Amazon CloudFront can use an Amazon S3 bucket or any HTTP server, whether or not it is running in Amazon EC2. A Route 53 Hosted Zone is a set of DNS resource records, while an Auto Scaling Group launches or terminates Amazon EC2 instances automatically. Neither can be specified as an origin server for a distribution.
2. A, C. The site in A is "popular" and supports "users around the world," key indicators that CloudFront is appropriate. Similarly, the site in C is "heavily used," and requires private content, which is supported by Amazon CloudFront. Both B and D are corporate use cases where the requests come from a single geographic location or appear to come from one (because of the VPN). These use cases will generally not see benefit from Amazon CloudFront.
3. C, E. Using multiple origins and setting multiple cache behaviors allow you to serve static and dynamic content from the same distribution. Origin Access Identifiers and signed URLs support serving private content from Amazon CloudFront, while multiple edge locations are simply how Amazon CloudFront serves any content.
4. B. Amazon CloudFront OAI is a special identity that can be used to restrict access to an Amazon S3 bucket only to an Amazon CloudFront distribution. Signed URLs, signed cookies, and IAM bucket policies can help to protect content served through Amazon CloudFront, but OAIs are the simplest way to ensure that only Amazon CloudFront has access to a bucket.
5. C. AWS Storage Gateway allows you to access data in Amazon S3 locally, with the Gateway-Cached volume configuration allowing you to expand a relatively small amount of local storage into Amazon S3.
6. B. Simple AD is a Microsoft Active Directory-compatible directory that is powered by Samba 4. Simple AD supports commonly used Active Directory features such as user accounts, group memberships, domain-joining Amazon Elastic Compute Cloud (Amazon EC2) instances running Linux and Microsoft Windows, Kerberos-based Single Sign-On (SSO), and group policies.
7. C. AWS KMS CMKs are the fundamental resources that AWS KMS manages. CMKs can never leave AWS KMS unencrypted, but data keys can.
8. D. AWS KMS uses envelope encryption to protect data. AWS KMS creates a data key, encrypts it under a Customer Master Key (CMK), and returns plaintext and encrypted versions of the data key to you. You use the plaintext key to encrypt data and store the encrypted key alongside the encrypted data. You can retrieve a plaintext data key only if you have the encrypted data key and you have permission to use the corresponding master key.
9. A. AWS CloudTrail records important information about each API call, including the name of the API, the identity of the caller, the time of the API call, the request parameters, and the response elements returned by the AWS Cloud service.
10. B, C. Encryption context is a set of key/value pairs that you can pass to AWS KMS when you call the Encrypt, Decrypt, ReEncrypt, GenerateDataKey, and GenerateDataKeyWithoutPlaintext APIs. Although the encryption context is not included in the ciphertext, it is cryptographically bound to the ciphertext during encryption and must be passed again when you call the Decrypt (or ReEncrypt) API. Invalid ciphertext for decryption is plaintext that has been encrypted in a different AWS account or ciphertext that has been altered since it was originally encrypted.
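The envelope-encryption flow of answer 8 and the encryption-context binding of answer 10, as an added example that is not AWS's code: a local stand-in for KMS holds the CMK and never returns it, and an HMAC-SHA256 encrypt-then-MAC construction stands in for the authenticated cipher (AES-GCM) the real service uses. All keys and the sample record are constructed inline.

```python
import hashlib
import hmac
import json
import os
from dataclasses import dataclass


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Keystream of HMAC-SHA256(key, nonce || counter) blocks (toy stand-in for AES)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _canonical_context(context: dict) -> bytes:
    """Sorted key/value pairs, so the same pairs in any order authenticate identically."""
    return json.dumps(context, sort_keys=True, separators=(",", ":")).encode()


def aead_encrypt(key: bytes, plaintext: bytes, context: dict) -> bytes:
    """Encrypt-then-MAC. The context is not stored in the output but is covered
    by the tag, so decryption fails unless the identical context is supplied."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, _canonical_context(context) + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def aead_decrypt(key: bytes, blob: bytes, context: dict) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, _canonical_context(context) + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("invalid ciphertext: altered, or wrong encryption context")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class LocalKms:
    """Stand-in for AWS KMS: the CMK exists only inside this object and is never returned."""

    def __init__(self) -> None:
        self._cmk = os.urandom(32)

    def generate_data_key(self, context: dict) -> tuple:
        """GenerateDataKey: (plaintext data key, the same key encrypted under the CMK)."""
        plaintext_key = os.urandom(32)
        return plaintext_key, aead_encrypt(self._cmk, plaintext_key, context)

    def decrypt(self, encrypted_key: bytes, context: dict) -> bytes:
        """Decrypt: in real KMS this is also where the caller's CMK permission is checked."""
        return aead_decrypt(self._cmk, encrypted_key, context)


@dataclass
class Envelope:
    encrypted_data_key: bytes   # stored alongside the data; the plaintext key never is
    ciphertext: bytes


def envelope_encrypt(kms: LocalKms, plaintext: bytes, context: dict) -> Envelope:
    plaintext_key, encrypted_key = kms.generate_data_key(context)
    return Envelope(encrypted_key, aead_encrypt(plaintext_key, plaintext, context))


def envelope_decrypt(kms: LocalKms, env: Envelope, context: dict) -> bytes:
    plaintext_key = kms.decrypt(env.encrypted_data_key, context)
    return aead_decrypt(plaintext_key, env.ciphertext, context)


def round_trip(context: dict, wrong_context: dict) -> dict:
    """Encrypt a constructed record, then try to decrypt it with the correct
    context, with a different context, and after flipping one ciphertext bit."""
    kms = LocalKms()
    record = b"account=123456789012;balance=42.00"   # constructed sample data
    env = envelope_encrypt(kms, record, context)
    result = {"ok": envelope_decrypt(kms, env, context) == record}
    tampered = Envelope(env.encrypted_data_key,
                        bytes([env.ciphertext[0] ^ 1]) + env.ciphertext[1:])
    for name, env_used, ctx in (("wrong_context_rejected", env, wrong_context),
                                ("tamper_rejected", tampered, context)):
        try:
            envelope_decrypt(kms, env_used, ctx)
            result[name] = False
        except ValueError:
            result[name] = True
    return result
```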
11. B. Because the Internet connection is full, the best solution will be based on using AWS Import/Export to ship the data. The most appropriate storage location for data that must be stored, but is very rarely accessed, is Amazon Glacier.
12. C. Because the job is run monthly, a persistent cluster will incur unnecessary compute costs during the rest of the month. Amazon Kinesis is not appropriate because the company is running analytics as a batch job and not on a stream. A single large instance does not scale out to accommodate the large compute needs.
13. D. The Amazon Kinesis services enable you to work with large data streams. Within the Amazon Kinesis family of services, Amazon Kinesis Firehose saves streams to AWS storage services, while Amazon Kinesis Streams provides the ability to process the data in the stream.
14. C. Amazon Data Pipeline allows you to run regular Extract, Transform, Load (ETL) jobs on Amazon and on-premises data sources. The best storage for large data is Amazon S3, and Amazon Redshift is a large-scale data warehouse service.
15. B. Amazon Kinesis Firehose allows you to ingest massive streams of data and store the data on Amazon S3 (as well as Amazon Redshift and Amazon Elasticsearch).
16. C. AWS OpsWorks uses Chef recipes to start new app server instances, configure application server software, and deploy applications. Organizations can leverage Chef recipes to automate operations like software configurations, package installations, database setups, server scaling, and code deployment.
17. A. With AWS CloudFormation, you can reuse your template to set up your resources consistently and repeatedly. Just describe your resources once and then provision the same resources over and over in multiple stacks.
18. B. AWS Trusted Advisor inspects your AWS environment and makes recommendations when opportunities exist to save money, improve system availability and performance, or help close security gaps. AWS Trusted Advisor draws upon best practices learned from the aggregated operational history of serving hundreds of thousands of AWS customers.
19. A. AWS Config is a fully managed service that provides you with an AWS resource inventory, configuration history, and configuration change notifications to enable security and governance. With AWS Config, you can discover existing and deleted AWS resources, determine your overall compliance against rules, and dive into configuration details of a resource at any point in time. These capabilities enable compliance auditing.
20. D. AWS Elastic Beanstalk is the fastest and simplest way to get an application up and running on AWS. Developers can simply upload their application code, and the service automatically handles all the details such as resource provisioning, load balancing, Auto Scaling, and monitoring.
Chapter 12: Security on AWS
1. B. All decommissioned magnetic storage devices are degaussed and physically destroyed in accordance with industry-standard practices.
2. C. The administrator password is encrypted with the public key of the key pair, and you provide the private key to decrypt the password. Then log in to the instance as the administrator with the decrypted password.
3. C. By default, network access is turned off to a DB Instance. You can specify rules in a security group that allows access from an IP address range, port, or Amazon Elastic Compute Cloud (Amazon EC2) security group.
4. A. Amazon S3 SSE uses one of the strongest block ciphers available, 256-bit AES.
5. C. IAM permits users to have no more than two active access keys at one time.
6. B. The shared responsibility model is the name of the model employed by AWS with its customers.
7. D. When you choose AWS KMS for key management with Amazon Redshift, there is a four-tier hierarchy of encryption keys. These keys are the master key, a cluster key, a database key, and data encryption keys.
8. D. Elastic Load Balancing supports the Server Order Preference option for negotiating connections between a client and a load balancer. During the SSL connection negotiation process, the client and the load balancer present a list of ciphers and protocols that they each support, in order of preference. By default, the first cipher on the client's list that matches any one of the load balancer's ciphers is selected for the SSL connection. If the load balancer is configured to support Server Order Preference, then the load balancer selects the first cipher in its list that is in the client's list of ciphers. This ensures that the load balancer determines which cipher is used for the SSL connection. If you do not enable Server Order Preference, the order of ciphers presented by the client is used to negotiate connections between the client and the load balancer.
9. C. Amazon WorkSpaces uses PCoIP, which provides an interactive video stream without transmitting actual data.
10. C. Distributing applications across multiple Availability Zones provides the ability to remain resilient in the face of most failure modes, including natural disasters or system failures.
11. A. A virtual MFA device uses a software application that generates six-digit authentication codes that are compatible with the TOTP standard, as described in RFC 6238.
12. B, D. Amazon DynamoDB does not have a server-side feature to encrypt items within a table. You need to use a solution outside of DynamoDB such as a client-side library to encrypt items before storing them, or a key management service like AWS Key Management Service to manage keys that are used to encrypt items before storing them in DynamoDB.
13. B. If your private key can be read or written to by anyone but you, then SSH ignores your key.
14. D. Amazon Cognito Identity supports public identity providers—Amazon, Facebook, and Google—as well as unauthenticated identities.
15. A. An instance profile is a container for an IAM role that you can use to pass role information to an Amazon EC2 instance when the instance starts.
16. B. A network ACL is an optional layer of security for your Amazon VPC that acts as a firewall for controlling traffic in and out of one or more subnets. You might set up network ACLs with rules similar to your security groups in order to add an additional layer of security to your Amazon VPC.
17. D. The Signature Version 4 signing process describes how to add authentication information to AWS requests. For security, most requests to AWS must be signed with an access key (Access Key ID [AKI] and Secret Access Key [SAK]). If you use the AWS Command Line Interface (AWS CLI) or one of the AWS Software Development Kits (SDKs), those tools automatically sign requests for you based on credentials that you specify when you configure the tools. However, if you make direct HTTP or HTTPS calls to AWS, you must sign the requests yourself.
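The Signature Version 4 process of answer 17 carried out by hand for a direct HTTPS call, as an added example (not AWS's code; the CLI and SDKs do this for you). The access key, secret key, host and request are constructed placeholders, and `example_headers` is a helper name chosen here.

```python
import datetime
import hashlib
import hmac
import urllib.parse


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical_request(method: str, path: str, query: dict, headers: dict, payload: bytes):
    """Step 1: the canonical request. Header names are lowercased and sorted,
    query parameters are sorted and URI-encoded, and the payload is hashed so the
    signature covers the body as well as the headers."""
    canon_query = "&".join(
        f"{urllib.parse.quote(k, safe='-_.~')}={urllib.parse.quote(v, safe='-_.~')}"
        for k, v in sorted(query.items()))
    lowered = {k.lower().strip(): " ".join(v.split()) for k, v in headers.items()}
    signed_headers = ";".join(sorted(lowered))
    canon_headers = "".join(f"{k}:{lowered[k]}\n" for k in sorted(lowered))
    return ("\n".join([method.upper(), path, canon_query, canon_headers,
                       signed_headers, _sha256_hex(payload)]), signed_headers)


def signing_key(secret_key: str, date_stamp: str, region: str, service: str) -> bytes:
    """Step 3: derive the signing key. The Secret Access Key itself never goes on
    the wire; it only roots this HMAC chain, which is scoped to one day, region and service."""
    k_date = hmac.new(("AWS4" + secret_key).encode(), date_stamp.encode(), hashlib.sha256).digest()
    k_region = hmac.new(k_date, region.encode(), hashlib.sha256).digest()
    k_service = hmac.new(k_region, service.encode(), hashlib.sha256).digest()
    return hmac.new(k_service, b"aws4_request", hashlib.sha256).digest()


def sign_request(access_key: str, secret_key: str, region: str, service: str,
                 method: str, host: str, path: str, query: dict, headers: dict,
                 payload: bytes, when: datetime.datetime) -> dict:
    """Return the headers to send, including the Authorization header.
    `when` is the request time in UTC; x-amz-date is derived from it."""
    amz_date = when.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = when.strftime("%Y%m%d")
    hdrs = dict(headers)
    hdrs["host"] = host
    hdrs["x-amz-date"] = amz_date
    canon, signed_headers = canonical_request(method, path, query, hdrs, payload)
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    # Step 2: the string to sign binds the algorithm, time, scope and canonical request.
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, _sha256_hex(canon.encode())])
    # Step 4: the signature is HMAC(signing key, string to sign), hex-encoded.
    signature = hmac.new(signing_key(secret_key, date_stamp, region, service),
                         string_to_sign.encode(), hashlib.sha256).hexdigest()
    hdrs["Authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                             f"SignedHeaders={signed_headers}, Signature={signature}")
    return hdrs


def example_headers(payload: bytes = b"") -> dict:
    """Sign a constructed STS GetCallerIdentity request with placeholder credentials."""
    return sign_request(
        access_key="AKIDEXAMPLE",                                   # placeholder
        secret_key="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",     # placeholder
        region="us-east-1", service="sts", method="GET", host="sts.amazonaws.com",
        path="/", query={"Action": "GetCallerIdentity", "Version": "2011-06-15"},
        headers={}, payload=payload,
        when=datetime.datetime(2017, 1, 15, 12, 0, 0, tzinfo=datetime.timezone.utc))
```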
18. B. Dedicated instances are physically isolated at the host hardware level from your instances that aren't dedicated instances and from instances that belong to other AWS accounts.
19. C. Amazon EMR starts your instances in two Amazon Elastic Compute Cloud (Amazon EC2) security groups, one for the master and another for the slaves. The master security group has a port open for communication with the service. It also has the SSH port open to allow you to securely connect to the instances via SSH using the key specified at startup. The slaves start in a separate security group, which only allows interaction with the master instance. By default, both security groups are set up to prevent access from external sources, including Amazon EC2 instances belonging to other customers. Because these are security groups in your account, you can reconfigure them using the standard Amazon EC2 tools or dashboard.
20. A. When you create an Amazon EBS volume in an Availability Zone, it is automatically replicated within that Availability Zone to prevent data loss due to failure of any single hardware component. An EBS Snapshot creates a copy of an EBS volume to Amazon S3 so that copies of the volume can reside in different Availability Zones within a region.
Chapter 13: AWS Risk and Compliance
1. A, B, C. Answers A through C describe valid mechanisms that AWS uses to communicate with customers regarding its security and control environment. AWS does not allow customers' auditors direct access to AWS data centers, infrastructure, or staff.
2. C. The shared responsibility model can include IT controls, and it is not just limited to security considerations. Therefore, answer C is correct.
3. A. AWS provides IT control information to customers through either specific control definitions or general control standard compliance.
4. A, B, D. There is no such thing as a SOC 4 report, therefore answer C is incorrect.
5. A. IT governance is still the customer's responsibility.
6. D. Any number of components of a workload can be moved into AWS, but it is the customer's responsibility to ensure that the entire workload remains compliant with various certifications and third-party attestations.
7. B. An Availability Zone consists of multiple discrete data centers, each with their own redundant power and networking/connectivity, therefore answer B is correct.
8. A, C. AWS regularly scans public-facing, non-customer endpoint IP addresses and notifies appropriate parties. AWS does not scan customer instances, and customers must request the ability to perform their own scans in advance, therefore answers A and C are correct.
9. B. AWS publishes information publicly online and directly to customers under NDA, but customers are not required to share their use and configuration information with AWS, therefore answer B is correct.
10. C. AWS has developed a strategic business plan, and customers should also develop and maintain their own risk management plans, therefore answer C is correct.
11. B. The collective control environment includes people, processes, and technology necessary to establish and maintain an environment that supports the operating effectiveness of the AWS control framework. Energy is not a discretely identified part of the control environment, therefore B is the correct answer.
12. D. Customers are responsible for ensuring all of their security group configurations are appropriate for their own applications, therefore answer D is correct.
13. C. Customers should ensure that they implement control objectives that are designed to meet their organization's own unique compliance requirements, therefore answer C is correct.
Chapter 14: Architecture Best Practices
1. B, E. Amazon Kinesis is a platform for streaming data on AWS, offering powerful services to make it easy to load and analyze streaming data. Amazon SQS is a fast, reliable, scalable, and fully managed message queuing service. Amazon SQS makes it simple and cost-effective to decouple the components of a cloud application.
2. B, C. Launching instances across multiple Availability Zones helps ensure the application is isolated from failures in a single Availability Zone, allowing the application to achieve higher availability. Whether you are running one Amazon EC2 instance or thousands, you can use Auto Scaling to detect impaired Amazon EC2 instances and unhealthy applications and replace the instances without your intervention. This ensures that your application is getting the compute capacity that you expect, thereby maintaining your availability.
3. A, E. Amazon DynamoDB runs across AWS's proven, high-availability data centers. The service replicates data across three facilities in an AWS region to provide fault tolerance in the event of a server failure or Availability Zone outage. Amazon S3 provides durable infrastructure to store important data and is designed for durability of 99.999999999% of objects. Your data is redundantly stored across multiple facilities and multiple devices in each facility. While Elastic Load Balancing and Amazon ElastiCache can be deployed across multiple Availability Zones, you must explicitly take such steps when creating them.
4. A, D. Auto Scaling enables you to follow the demand curve for your applications closely, reducing the need to provision Amazon EC2 capacity manually in advance. For example, you can set a condition to add new Amazon EC2 instances in increments to the Auto Scaling group when the average CPU and network utilization of your Amazon EC2 fleet monitored in Amazon CloudWatch is high; similarly, you can set a condition to remove instances in the same increments when CPU and network utilization are low.
5. B, D, E. There is no direct way to encrypt an existing unencrypted volume. However, you can migrate data between encrypted and unencrypted volumes.
6. A, C, D. The attack surface is composed of the different Internet entry points that allow access to your application. The strategy to minimize the attack surface area is to (a) reduce the number of necessary Internet entry points, (b) eliminate non-critical Internet entry points, (c) separate end user traffic from management traffic, (d) obfuscate necessary Internet entry points to the level that untrusted end users cannot access them, and (e) decouple Internet entry points to minimize the effects of attacks. This strategy can be accomplished with Amazon VPC.
7. C. Amazon RDS read replicas provide enhanced performance and durability for Amazon RDS instances. This replication feature makes it easy to scale out elastically beyond the capacity constraints of a single Amazon RDS instance for read-heavy database workloads. You can create one or more replicas of a given source Amazon RDS instance and serve high-volume application read traffic from multiple copies of your data, thereby increasing aggregate read throughput.
8. A. An alias resource record set can point to an ELB. You cannot create a CNAME record at the top node of a Domain Name Service (DNS) namespace, also known as the zone apex, as is the case in this example. Alias resource record sets can save you time because Amazon Route 53 automatically recognizes changes in the resource record sets to which the alias resource record set refers.
9. D. An instance profile is a container for an AWS Identity and Access Management (IAM) role that you can use to pass role information to an Amazon EC2 instance when the instance starts. The IAM role should have a policy attached that only allows access to the AWS Cloud services necessary to perform its function.
10. B. Amazon API Gateway is a fully managed service that makes it easy for developers to publish, maintain, monitor, and secure APIs at any scale. You can create an API that acts as a "front door" for applications to access data, business logic, or functionality from your code running on AWS Lambda. Amazon API Gateway handles all of the tasks involved in accepting and processing up to hundreds of thousands of concurrent API calls, including traffic management, authorization and access control, monitoring, and API version management.
11. C. Amazon EFS is a file storage service for Amazon EC2 instances. Multiple Amazon EC2 instances can access an Amazon EFS file system at the same time, providing a common data source for the content of the WordPress site running on more than one instance.
12. A. Amazon DynamoDB is a NoSQL database store that is a great choice as an alternative due to its scalability, high-availability, and durability characteristics. Many platforms provide open-source, drop-in replacement libraries that allow you to store native sessions in Amazon DynamoDB. Amazon DynamoDB is a great candidate for a session storage solution in a share-nothing, distributed architecture.
13. B. Amazon SQS is a fast, reliable, scalable, and fully managed message queuing service. Amazon SQS should be used to decouple the large volume of inbound transactions, allowing the back-end services to manage the level of throughput without losing messages.
14. B, C, E. You should protect AWS user access keys like you would your credit card numbers or any other sensitive secret. Use different access keys for different applications so that you can isolate the permissions and revoke the access keys for individual applications if an access key is exposed. Remember to change access keys on a regular basis. For increased security, it is recommended to configure MFA for any sensitive operations. Remember to remove any IAM users that are no longer needed so that the user's access to your resources is removed. Always avoid having to embed access keys in an application.
15. A, B, E. You can enable AWS CloudTrail in your AWS account to get logs of API calls and related events' history in your account. AWS CloudTrail records all of the API access events as objects in an Amazon S3 bucket that you specify at the time you enable AWS CloudTrail. You can take advantage of Amazon S3's bucket notification feature by directing Amazon S3 to publish object-created events to AWS Lambda. Whenever AWS CloudTrail writes logs to your Amazon S3 bucket, Amazon S3 can then invoke your AWS Lambda function by passing the Amazon S3 object-created event as a parameter. The AWS Lambda function code can read the log object and process the access records logged by AWS CloudTrail.
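The S3-to-Lambda processing step of answer 15 as an added example of what such a function can do with the access records (not AWS code). The handler takes a `fetch(bucket, key)` callable so it runs offline here; in a deployed function that would be the S3 client's get_object call. The S3 notification event, the CloudTrail records and the detection rules are constructed for illustration.

```python
import gzip
import json

# API calls that weaken the audit trail itself; worth a finding whoever makes them.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def inspect_record(rec: dict) -> list:
    """Return the findings for one CloudTrail record (an empty list if benign)."""
    findings = []
    ident = rec.get("userIdentity", {})
    who = ident.get("arn") or ident.get("type", "unknown")
    name = rec.get("eventName", "?")
    if ident.get("type") == "Root":
        findings.append(f"root account used: {name} from {rec.get('sourceIPAddress')}")
    if name == "ConsoleLogin":
        mfa = rec.get("additionalEventData", {}).get("MFAUsed")
        if rec.get("responseElements", {}).get("ConsoleLogin") == "Success" and mfa != "Yes":
            findings.append(f"console login without MFA: {who}")
    if name in TRAIL_TAMPERING:
        findings.append(f"CloudTrail configuration changed: {name} by {who}")
    if rec.get("errorCode") in ("AccessDenied", "UnauthorizedOperation"):
        findings.append(f"access denied: {name} by {who}")
    return findings


def process_log_object(raw: bytes) -> list:
    """CloudTrail log objects are gzip-compressed JSON with a top-level 'Records' array."""
    records = json.loads(gzip.decompress(raw))["Records"]
    return [f for rec in records for f in inspect_record(rec)]


def handler(event: dict, fetch) -> list:
    """Lambda entry point: each S3 object-created notification names one new log object."""
    findings = []
    for notification in event["Records"]:
        bucket = notification["s3"]["bucket"]["name"]
        key = notification["s3"]["object"]["key"]
        findings.extend(process_log_object(fetch(bucket, key)))
    return findings


# Constructed sample data: three records in one log object, one S3 notification.
SAMPLE_RECORDS = {"Records": [
    {"eventTime": "2017-01-15T12:00:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "sourceIPAddress": "203.0.113.10", "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2017-01-15T12:05:00Z", "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "sourceIPAddress": "203.0.113.11"},
    {"eventTime": "2017-01-15T12:06:00Z", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
     "sourceIPAddress": "203.0.113.12"},
]}
SAMPLE_EVENT = {"Records": [{"s3": {"bucket": {"name": "example-trail-bucket"},
                                    "object": {"key": "AWSLogs/123456789012/CloudTrail/sample.json.gz"}}}]}


def fake_fetch(bucket: str, key: str) -> bytes:
    """Stand-in for reading the object body from S3: returns the gzipped sample."""
    return gzip.compress(json.dumps(SAMPLE_RECORDS).encode())


def run_sample() -> list:
    """Process the constructed notification end to end and return the findings."""
    return handler(SAMPLE_EVENT, fake_fetch)
```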
16. B. Amazon Glacier enables businesses and organizations to retain data for months, years, or decades, easily and cost effectively. With Amazon Glacier, customers can retain more of their data for future analysis or reference, and they can focus on their business instead of operating and maintaining their storage infrastructure. Customers can also use Amazon Glacier Vault Lock to meet regulatory and compliance archiving requirements.
17. A. Many companies that distribute content via the Internet want to restrict access to documents, business data, media streams, or content that is intended for selected users, such as users who have paid a fee. To serve this private content securely using Amazon CloudFront, you can require that users access your private content by using special Amazon CloudFront-signed URLs or signed cookies.
18. B. Amazon S3 provides highly durable and available storage for a variety of content. Amazon S3 can be used as a big data object store for all of the videos. Amazon S3's low cost combined with its design for durability of 99.999999999% and for up to 99.99% availability make it a great storage choice for transcoding services.
19. A. An Availability Zone consists of one or more physical data centers. Availability zones within a region provide inexpensive, low-latency network connectivity to other zones in the same region. This allows you to distribute your application across data centers. In the event of a catastrophic failure in a data center, the application will continue to handle requests.
20. C. You can use a NAT gateway to enable instances in a private subnet to connect to the Internet or other AWS services, but prevent the Internet from initiating a connection with those instances. If you have resources in multiple Availability Zones and they share one NAT gateway, resources in the other Availability Zones lose Internet access in the event that the NAT gateway's Availability Zone is down. To create an Availability Zone-independent architecture, create a NAT gateway in each Availability Zone and configure your routing to ensure that resources use the NAT gateway in the same Availability Zone.
Comprehensive Online Learning Environment
Register on Sybex.com to gain access to the comprehensive online interactive learning environment and test bank to help you study for your AWS Certified Solutions Architect - Associate exam.
The online test bank includes:
Assessment Test to help you focus your study to specific objectives
Chapter Tests to reinforce what you've learned
Practice Exams to test your knowledge of the material
Digital Flashcards to reinforce your learning and provide last-minute test prep before the exam
Searchable Glossary to define the key terms you'll need to know for the exam
Go to http://www.wiley.com/go/sybextestprep to register and gain access to this comprehensive study tool package.
WILEY END USER LICENSE AGREEMENT
Go to www.wiley.com/go/eula to access Wiley's ebook EULA.