AWS SAA study notes 05
15 May, 2021
Index
- S3 Features
- EBS data access
- VPC endpoints
- Data transfer cost
- Aurora Failovers
- Scaling on Aurora Provision DB Cluster vs Aurora Serverless
- Routing in Load Balancers
- Scaling Kinesis Data Streams
- Reserved Instance
- Optimized instances
- Elastic network interface
- Monitoring instances
- Accessing resources
- CloudHSM
- KMS vs CloudHSM
- RDS Encryption
- Other Notes
S3 Features
Versioning
- When S3 versioning is enabled, a delete marker is placed on the object but the actual object remains there.
- For cross-region replication, versioning needs to be enabled on the Source and Destination buckets.
Storage types
- You can only transition data to Standard IA and One Zone-IA after 30 days, not less.
- Glacier has Expedited retrieval. Glacier Deep Archive does not.
- Glacier retrieval time:
- Expedited - 1 to 5 mins.
- Standard - 3 to 5 hours.
- Bulk - 5 to 12 hours.
- Glacier Deep Archive retrieval time:
- Standard - 12 hours.
- Bulk - 48 hours.
EBS data access
- You can use EBS volumes while snapshots are being taken.
- You can also use EBS volumes as they are being restored from snapshots. Data requested but not yet available can be downloaded and restore resumes after that.
VPC endpoints
There are two types of endpoints; which one you use depends on the service you are connecting to.
- Gateway endpoint is the target for a route table to point to. Used for S3 and DynamoDB.
- Interface endpoint is an ENI with a private IP to connect to. Used for most other AWS services.
- VPC endpoint service is a different type of endpoint that allows you to connect your VPC to services hosted in another VPC of a different AWS account via AWS PrivateLink. You are the service consumer and the other AWS account where the VPC endpoint service originates is the service provider.
Data transfer cost
EC2 data transfer will incur cost:
- Inter-AZ
- Over the Internet
- Region to Region
S3 data transfer will incur cost:
- Region to Region
Cost avoidance strategies:
- Use private IP addresses instead of public IPs: intra-AZ transfers over private IPs are free.
- Place EC2 and S3 in the same region: transfer between them is free.
- Data transfer between an ALB and EC2 in the same region is free.
- Multi-AZ replication in Aurora, RDS, and Neptune is free.
- Avoid NAT instances, which charge a per-GB rate.
- CloudFront transfer to the Internet may be cheaper than transferring out from a region.
Aurora Failovers
There are three types of Aurora deployment and all of them failover differently.
- Aurora Replica will failover by flipping over the CNAME record to point to a healthy replica which becomes the new primary.
- Aurora Serverless will failover by automatically recreating the instance in a different AZ.
- Aurora single instance (with no Replica or Serverless enabled) will failover by attempting to spin up a new instance in the same AZ. This will still fail if there is an AZ outage.
Scaling on Aurora Provision DB Cluster vs Aurora Serverless
- Use Aurora Provisioned DB Cluster when workloads are predictable. You control the instance class size and number of replicas.
- Use Aurora Serverless for unpredictable workloads that require dynamic scaling. You set the min and max capacity for the cluster. The cluster is accessed by an endpoint so that scaling happens automatically.
Routing in Load Balancers
- Most on-prem load balancers route traffic by pointing to the IP address.
- In AWS ELB, you alias an A record to the ELB's DNS name instead, because the IP address of the ELB can change.
Scaling Kinesis Data Streams
- In Kinesis Data Streams, you need to scale two things:
- The shards
- The instances that process records from the shards
- Resharding adjusts the number of shards you have by shard splitting to increase and shard merging to decrease the number of shards.
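As an added illustration (not part of the original notes) of what resharding changes, the model below keeps a shard map as ordered hash key ranges, routes a record by the MD5 of its partition key the way Kinesis does, and implements split and merge with the same constraints (the split point must lie inside the shard; merged shards must be adjacent). The class and method names are my own.

```python
import hashlib

MAX_HASH = 2**128 - 1  # Kinesis hash key space is 0 .. 2^128-1

class ShardMap:
    """Model of a stream's shards as contiguous hash key ranges, kept in order.
    A record is routed to the shard whose range contains MD5(partition key),
    the rule Kinesis uses; split and merge mirror SplitShard/MergeShards."""
    def __init__(self, shard_count):
        step = (MAX_HASH + 1) // shard_count
        self.shards = [(i * step, MAX_HASH if i == shard_count - 1 else (i + 1) * step - 1)
                       for i in range(shard_count)]

    def shard_for(self, partition_key):
        h = int(hashlib.md5(partition_key.encode()).hexdigest(), 16)
        return next(i for i, (lo, hi) in enumerate(self.shards) if lo <= h <= hi)

    def split(self, index, new_starting_hash_key=None):
        """Scale out: one shard becomes two. The default is an even split; note
        that it does not help a single hot partition key, which still hashes
        to exactly one shard."""
        lo, hi = self.shards[index]
        mid = (lo + hi + 1) // 2 if new_starting_hash_key is None else new_starting_hash_key
        if not lo < mid <= hi:
            raise ValueError("NewStartingHashKey must lie inside the shard's range")
        self.shards[index:index + 1] = [(lo, mid - 1), (mid, hi)]

    def merge(self, index):
        """Scale in: merge the shard at index with the next one; Kinesis only
        merges shards whose hash key ranges are adjacent."""
        (lo, hi), (lo2, hi2) = self.shards[index], self.shards[index + 1]
        if hi + 1 != lo2:
            raise ValueError("shards are not adjacent in hash key space")
        self.shards[index:index + 2] = [(lo, hi2)]
```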
Reserved Instance
- You can exchange a Convertible Reserved Instance for a different instance type and tenancy.
- You can't do the same with Standard Reserved Instances.
- Standard has more discounts than Convertible.
Optimized instances
- Storage Optimized Instances provide high sequential read and write access for large data sets on local storage. Optimized for low latency and high I/O operation apps.
- Compute Optimized Instances provide high-performance processors for apps like batch processing and media transcoding.
- Memory Optimized Instances provide fast performance on memory-intensive workloads. They do not provide a local-storage performance boost like Storage Optimized Instances.
- General Purpose Instances provide balanced networking, compute, and memory performance.
Elastic network interface
- Every instance in a VPC has a default primary network interface (eth0). This is non-detachable.
- Instances can have more than one ENI, depending on the instance type. The additional ENI gives the instance secondary private IP(s). This does not, however, double the bandwidth. Use ENA or EFA for that instead.
- ENI can be attached cross-subnet, but in the same AZ.
- ENI can be:
- Hot attached while instance is running.
- Warm attached while instance is stopped.
- Cold attached while instance is being launched.
- You can have more than one Public IP. For a secondary public IP, create a secondary ENI and attach it to the instance. Create an EIP and associate that with the secondary ENI.
Monitoring instances
- CloudWatch gathers CPU utilization metrics from the hypervisor.
- You need to install a CloudWatch agent for memory utilization and disk space.
- RDS Enhanced monitoring gathers metrics from an agent installed in an instance.
- You can view metrics using CloudWatch logs.
Accessing resources
- Bucket policies vs user policies: see the AWS reference.
- Security Token Service provides short-lived access tokens for users to temporarily access AWS resources.
Identity Access Management
- IAM DB Auth provides you with an authentication token (a unique string) that lasts for 15 minutes to access MySQL and PostgreSQL in RDS. You don't need to use passwords or store credentials in instances.
- IAM policies can be defined by tags.
- IAM roles are global services. You can assign roles to resources in another region. No need to duplicate them or create new roles.
- Access Keys consist of an access key ID and a secret access key. They are long-term credentials attached to an IAM user to grant access to APIs, the AWS CLI, PowerShell, and SDKs. By default, new IAM users have no access keys. Access keys are attached to the IAM user or the AWS account root user, not to an IAM policy.
- IAM cross-account access allows you to access resources in a different AWS account.
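An added example, not from the original notes, of what the IAM DB Auth token actually is: a SigV4 query-string-signed request for the service name rds-db with X-Amz-Expires=900, built here with the standard library only so the structure is visible. The host, user name, and credentials are constructed placeholders; in practice boto3's generate_db_auth_token produces the same token from your session credentials.

```python
import datetime as dt
import hashlib
import hmac
from urllib.parse import quote

# Constructed, non-functional credentials for the example; never embed real ones.
ACCESS_KEY, SECRET_KEY = "AKIAEXAMPLE0000000000", "exampleSecretKeyNotReal/0000000000000000"
TOKEN_TTL = 900  # seconds: an RDS IAM auth token is valid for 15 minutes

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def generate_db_auth_token(host, port, db_user, region, now=None):
    """Build an RDS IAM auth token: a SigV4 query-string-signed GET to
    host:port/?Action=connect&DBUser=... for service 'rds-db', returned without
    a scheme. It is passed as the DB password, so no long-lived password exists."""
    now = now or dt.datetime.now(dt.timezone.utc)
    amz_date, date_stamp = now.strftime("%Y%m%dT%H%M%SZ"), now.strftime("%Y%m%d")
    scope = f"{date_stamp}/{region}/rds-db/aws4_request"
    params = {"Action": "connect", "DBUser": db_user,
              "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
              "X-Amz-Credential": f"{ACCESS_KEY}/{scope}",
              "X-Amz-Date": amz_date, "X-Amz-Expires": str(TOKEN_TTL),
              "X-Amz-SignedHeaders": "host"}
    # Canonical query string: keys sorted, RFC 3986 percent-encoding ('/' -> %2F)
    qs = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                  for k, v in sorted(params.items()))
    endpoint = f"{host}:{port}"
    canonical_request = "\n".join(["GET", "/", qs,
                                   f"host:{endpoint}\n",              # canonical headers + blank line
                                   "host",                            # signed headers
                                   hashlib.sha256(b"").hexdigest()])  # hash of the empty payload
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    # Signing key derivation: secret -> date -> region -> service -> aws4_request
    key = _hmac(("AWS4" + SECRET_KEY).encode(), date_stamp)
    for part in (region, "rds-db", "aws4_request"):
        key = _hmac(key, part)
    signature = hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    return f"{endpoint}/?{qs}&X-Amz-Signature={signature}"

def token_lifetime_seconds(token):
    """Defender check: read X-Amz-Expires back out of a token (expected 900)."""
    query = token.split("?", 1)[1]
    fields = dict(kv.split("=", 1) for kv in query.split("&"))
    return int(fields["X-Amz-Expires"])
```

Because the token is a signature over the date, region, service, user and expiry, a leaked token is only usable against that one database user for at most 15 minutes, which is the point of the note above.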
CloudHSM
- There are scenarios where you can lose all key material in CloudHSM.
- An admin account that logs in with a wrong password twice will zeroize (wipe) the HSM.
- Physical barrier breach of the HSM hardware will also trigger key deletion.
- Store encryption keys in production HSM clusters with HSMs in different AZs, so that keys are not lost in an AZ failure or when an HSM is zeroized.
- The customer is solely responsible for durability of key material.
KMS vs CloudHSM
- Consider CloudHSM if your keys are allowed to be stored in a third-party-hosted HSM (AWS in this case) that is under your exclusive control.
- Consider KMS if you want a managed key service.
RDS Encryption
- RDS Encryption is enabled at the region level. Instances that support encryption will be encrypted. You can't enable or disable RDS encryption for individual instances.
- Transparent Data Encryption is a SQL Server feature in RDS to encrypt data at rest.
Other Notes
- Launch configuration specifies AMI, instance type, key pair, security group, EBS volume, resource tags (optional), network interfaces (optional), and user data (optional).
- You cannot scale a DynamoDB table.
- The S3 bucket name and registered domain name must be the same to be hosted on Route53.
- You can't set priorities in SQS. You need two SQS queues if you want to prioritize urgent vs non-urgent processing.
- You can set filter policies for topics in SNS. Subscribers will only receive messages they subscribe to.
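Added example (not from the notes) implementing the subscriber-side semantics of SNS filter policies: every policy key must match, and any value in a key's list may match; the operators covered are exact string/number, prefix, anything-but, numeric comparison and exists. The policies and message attributes are constructed, and the sample also shows how the two-queue urgent/non-urgent pattern from the SQS note can be fed from one topic.

```python
def _numeric_ok(value, spec):
    # spec is [op, bound, op, bound, ...], e.g. [">=", 0, "<", 3]; all pairs must hold
    ops = {"=": lambda a, b: a == b, ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
           "<": lambda a, b: a < b, "<=": lambda a, b: a <= b}
    return all(ops[spec[i]](value, spec[i + 1]) for i in range(0, len(spec), 2))

def _match_one(cond, attr):
    """Does one policy entry match one message attribute ({"Type", "Value"} or None)?"""
    if isinstance(cond, dict):
        if "exists" in cond:
            return cond["exists"] == (attr is not None)
        if attr is None:
            return False
        if "prefix" in cond:
            return attr["Type"] == "String" and attr["Value"].startswith(cond["prefix"])
        if "anything-but" in cond:  # compared as strings; accepts a scalar or a list
            excluded = cond["anything-but"]
            excluded = excluded if isinstance(excluded, list) else [excluded]
            return attr["Value"] not in [str(x) for x in excluded]
        if "numeric" in cond:
            return attr["Type"] == "Number" and _numeric_ok(float(attr["Value"]), cond["numeric"])
        raise ValueError(f"unsupported filter operator: {cond}")
    if attr is None:
        return False
    if isinstance(cond, (int, float)):
        return attr["Type"] == "Number" and float(attr["Value"]) == cond
    return attr["Type"] == "String" and attr["Value"] == cond

def matches(policy, attributes):
    """SNS filter semantics: every policy key must match (AND), and within a key
    any one of the listed values may match (OR). A missing attribute never
    matches unless the policy says {"exists": False} for it."""
    return all(any(_match_one(c, attributes.get(k)) for c in conds)
               for k, conds in policy.items())

# Constructed sample: one topic, two subscriptions (an urgent queue and a routine queue).
URGENT_POLICY = {"severity": ["high", "critical"],
                 "source": [{"prefix": "prod-"}],
                 "retries": [{"numeric": ["<", 3]}]}
ROUTINE_POLICY = {"severity": [{"anything-but": ["high", "critical"]}]}
URGENT_MSG = {"severity": {"Type": "String", "Value": "high"},
              "source": {"Type": "String", "Value": "prod-api"},
              "retries": {"Type": "Number", "Value": "1"}}
ROUTINE_MSG = {"severity": {"Type": "String", "Value": "low"},
               "source": {"Type": "String", "Value": "prod-api"}}
```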