Security Groups
· cannot block traffic by country
· cannot create deny rules
· do not apply to S3 buckets
· specify rules that allow access from an IP address range, a port, or another Elastic
Compute Cloud (EC2) security group
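A minimal model of how a security group evaluates an inbound packet, added here as an illustration (it is not part of the original notes and not AWS code). The rules, addresses and the security group id are constructed. It shows the three properties listed above: rules can only allow (there is no deny rule type, so an unmatched flow is dropped), a source can be a CIDR range or another security group, and nothing in the evaluation looks at a country.

```python
# Added example, not from the original notes: a minimal model of how a security
# group evaluates an inbound packet. Rule and traffic values are constructed.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    """One inbound rule. Security groups have ALLOW rules only."""
    protocol: str      # "tcp", "udp", "icmp", or "-1" for all protocols
    from_port: int
    to_port: int
    source: str        # CIDR block, or the id of another security group


@dataclass(frozen=True)
class Flow:
    protocol: str
    dst_port: int
    src_ip: str
    src_sg: Optional[str] = None   # security group of the sending ENI, if any


def _source_matches(rule: Rule, flow: Flow) -> bool:
    if rule.source.startswith("sg-"):
        # SG-to-SG reference: matches the sender's group, not its address
        return flow.src_sg == rule.source
    return ipaddress.ip_address(flow.src_ip) in ipaddress.ip_network(rule.source)


def _port_matches(rule: Rule, flow: Flow) -> bool:
    if rule.protocol == "-1":
        return True
    return rule.protocol == flow.protocol and rule.from_port <= flow.dst_port <= rule.to_port


def inbound_allowed(rules: List[Rule], flow: Flow) -> bool:
    """Allowed iff some rule matches. No rule type can deny, so an unmatched
    flow is dropped (implicit deny); the country of origin is never consulted."""
    return any(_source_matches(r, flow) and _port_matches(r, flow) for r in rules)


# Constructed sample: a web tier reachable on 443 from anywhere, SSH only from
# the corporate range, and Postgres only from ENIs that carry the web tier's group.
WEB_SG_ID = "sg-0123456789abcdef0"   # placeholder id
WEB_RULES = [
    Rule("tcp", 443, 443, "0.0.0.0/0"),
    Rule("tcp", 22, 22, "10.0.0.0/8"),
]
DB_RULES = [
    Rule("tcp", 5432, 5432, WEB_SG_ID),
]

if __name__ == "__main__":
    print(inbound_allowed(WEB_RULES, Flow("tcp", 443, "203.0.113.5")))          # True
    print(inbound_allowed(WEB_RULES, Flow("tcp", 22, "203.0.113.5")))           # False
    print(inbound_allowed(DB_RULES, Flow("tcp", 5432, "10.0.1.7", WEB_SG_ID)))  # True
    print(inbound_allowed(DB_RULES, Flow("tcp", 5432, "10.0.1.7")))             # False
```

Because there is no deny rule, the only way to narrow access is to remove or tighten an allow rule; the model also leaves out statefulness (return traffic for an allowed flow is permitted without a matching outbound rule).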
Service Control Policy
(SCP)
· offer central control over the maximum
available permissions for all accounts in your organization
· apply restrictions across multiple member accounts
· SCPs alone are not sufficient for allowing access in the accounts: attaching
an SCP to an AWS Organizations entity (root, OU, or account) does not actually
grant any permission to it
· they don't grant any permissions; an IAM policy attached to the user or role in
the account still has to allow the action
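A simplified model of how an SCP combines with an IAM identity policy, added as an example (not from the original notes, not the AWS evaluation engine). Both policy documents are constructed, and only Effect and Action are evaluated: Resource, Condition and resource-based policies are left out. It demonstrates the two points above: the SCP's Allow sets a ceiling but grants nothing on its own, and a Deny in the SCP restricts every account it is attached to regardless of what the account's own IAM policies say.

```python
# Added example, not from the original notes: a simplified model of how an SCP
# and an IAM identity policy combine. Policy documents are constructed; only
# Effect and Action are evaluated (no Resource, Condition or resource policies).
from fnmatch import fnmatchcase
from typing import Optional


def _statement_matches(stmt: dict, action: str) -> bool:
    actions = stmt["Action"]
    if isinstance(actions, str):
        actions = [actions]
    return any(fnmatchcase(action, pattern) for pattern in actions)


def policy_decision(policy: dict, action: str) -> Optional[str]:
    """'Deny' if any matching statement denies, 'Allow' if one allows,
    None when nothing matches (implicit deny)."""
    decision = None
    for stmt in policy["Statement"]:
        if _statement_matches(stmt, action):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def is_allowed(scp: dict, identity_policy: dict, action: str) -> bool:
    """The SCP sets the ceiling; the identity policy must grant within it.
    An explicit Deny in either wins, and an SCP Allow by itself grants nothing."""
    scp_result = policy_decision(scp, action)
    iam_result = policy_decision(identity_policy, action)
    if "Deny" in (scp_result, iam_result):
        return False
    return scp_result == "Allow" and iam_result == "Allow"


# Constructed SCP: the default FullAWSAccess allow plus a guardrail that stops
# member accounts from switching off CloudTrail. Attaching it grants nothing.
GUARDRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny",
         "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"],
         "Resource": "*"},
    ],
}

# Constructed identity policy for an operator role inside a member account.
OPERATOR_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*", "cloudtrail:*"], "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for action in ("s3:GetObject", "cloudtrail:StopLogging", "ec2:RunInstances"):
        print(action, is_allowed(GUARDRAIL_SCP, OPERATOR_POLICY, action))
```

The third sample action is the one worth noticing: the SCP allows `ec2:RunInstances` through its `*`, yet the request fails because no identity policy in the account allows it.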
IAM Roles
· you cannot add multiple IAM roles to a single
EC2 instance
· if you need to attach multiple policies you must attach them to a single IAM
role
IAM Role Tasks
· specify permissions for specific task on
Amazon ECS
· taskRoleArn parameter of the task definition is used to specify the role
· can only apply one IAM role to a Task Definition so you must create a
separate Task Definition
IAM Role Task
execution
· AmazonECSTaskExecutionRolePolicy is used by
the container agent to be able to pull container images, write log files, etc.
Origin Access Identity
(OAI)
· Only use OAI to restrict access to content in
S3 but not EC2 or ELB
S3 Transfer
Acceleration
· Used for speeding up uploads of data to S3 by
using the CloudFront network
· Not used for downloading data
VPC
· By default, it allows all inbound and outbound
IPv4 traffic
VPC Peering
· Networking connection between 2 VPCs that
enable you to route traffic between them using private IPv4 addresses or IPv6
addresses
VPC Gateway endpoint
· configure your route table to point to the
endpoint
· all traffic will go through the VPC endpoint straight to DynamoDB using
private IP addresses
VPC Interface Endpoint
· use an ENI in the VPC
Egress-Only Internet
Gateway
· horizontally scaled, redundant, and highly
available VPC component that allows outbound communication over IPv6 from
instances in your VPC to the Internet, and prevents the Internet from
initiating an IPv6 connection with your instances
- must be attached to the VPC to facilitate outbound connections
NAT Gateway
· used for enabling Internet connectivity using
IPv4 protocol only
· highly available in each AZ into which they are deployed
· not associated with any security groups and can scale automatically up to
45 Gbps
· managed by AWS
NAT Instances
· managed by you
· must be scaled manually and do not provide HA
· can be used as bastion hosts and can be assigned to security groups
· runs on EC2 instance you must launch, configure and manage and therefore
involves more ongoing systems management effort
VPN
· CGW is customer side of VPN connection
· IGW connects a network to the Internet
VPG (Virtual Private Gateway)
· Used to setup an AWS VPN which you can use in
combination with Direct Connect to encrypt all data that traverses the Direct
Connect link
S3
· support gateway endpoints, not interface
endpoints
· not a storage layer that can be mounted and accessed concurrently
· does not support FTP transfers
· only host static websites, not dynamic websites
· can only connect to S3 static websites using HTTP
S3 Storage Class
· S3 Intelligent-Tiering
- designed to optimize costs by automatically moving data to the most cost-effective
access tier, without performance impact or operational overhead
- additional fee for using this service and for short-term requirement may not
be beneficial
· S3 Standard-Infrequent Access (S3 Standard-IA)
- immediate access and 99.9% availability
- if data is accessed there are retrieval fees
· S3 One Zone-Infrequent Access (S3 One Zone-IA)
- immediate access, 99.5% availability
- if data is accessed there are retrieval fees
- minimum capacity charge per object (128 KB) and a per GB retrieval fee
· S3 Glacier Deep Archive has a minimum storage duration of 180 days
Retrieve Archive
· Expedited - within 1-5 minutes
· Standard - 3-5 hours
· Bulk - lowest-cost option, 5-12 hours
Vault Lock - deploy and enforce compliance controls on individual Glacier
vaults via a lockable policy (Vault Lock policy)
EC2 Placement Groups
· Spread Placement Group
- Recommended for applications that have a small number of critical instances
that should be kept separate from each other
- Reduces the risk of simultaneous failure that might occur when instances
share the same underlying hardware
· Cluster Placement Group
- Logical grouping of instances within a single Availability Zone
- Recommended for applications that benefit from low network latency, high
network throughput, or both, and if the majority of the network traffic is
between the instances in the group
- Typical of HPC applications
· Partition Placement Group
- Spreads your instances across logical partitions such that groups of
instances in one partition do not share the underlying hardware with groups of
instances in different partitions
- Typically used by large distributed and replicated workloads, such as Hadoop,
Cassandra and Kafka
Encryption
· SSE-C - Server-side encryption with
customer-provided encryption keys
· SSE-S3 - Server-side encryption with Amazon S3-managed keys
· SSE-KMS
· keys are managed in Amazon Key Management Service
· requires that AWS manage the data key but you manage the customer master key
(CMK) in AWS KMS
· you have full control over these CMKs, including establishing and maintaining
their key policies
· 4-tier hierarchy of encryption keys: master key, cluster key, database key
and data encryption keys
· AWS CloudHSM - keys are held in AWS in a hardware security module. Dedicated
service and charged on an hourly basis.
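The three S3 server-side encryption modes above differ only in who holds the key, and that shows up in the request headers a client sends on PutObject. The helper below is an added example (not from the original notes, not the AWS SDK); the header names are the real S3 request headers, while the KMS key id and the 32-byte customer key are constructed placeholders. The SSE-C branch carries the extra work that mode imposes on the caller: the key is sent in every request, base64-encoded, together with its base64-encoded MD5 so S3 can detect a corrupted key before encrypting with it.

```python
# Added example, not from the original notes: the request headers that select
# each S3 server-side encryption mode on a PutObject. Header names are the real
# S3 ones; the KMS key id and the customer key are constructed placeholders.
import base64
import hashlib
import os
from typing import Dict


def sse_s3_headers() -> Dict[str, str]:
    """SSE-S3: S3 owns and rotates the key; nothing for the caller to hold."""
    return {"x-amz-server-side-encryption": "AES256"}


def sse_kms_headers(kms_key_id: str) -> Dict[str, str]:
    """SSE-KMS: S3 generates the data key, the CMK (its key policy, rotation,
    and usage audit) stays under your control in KMS."""
    return {
        "x-amz-server-side-encryption": "aws:kms",
        "x-amz-server-side-encryption-aws-kms-key-id": kms_key_id,
    }


def sse_c_headers(customer_key: bytes) -> Dict[str, str]:
    """SSE-C: the caller supplies a 256-bit key on every request. S3 does not
    store it, so losing the key means losing the objects."""
    if len(customer_key) != 32:
        raise ValueError("SSE-C requires a 256-bit (32-byte) key")
    key_md5 = hashlib.md5(customer_key).digest()   # integrity check of the key itself
    return {
        "x-amz-server-side-encryption-customer-algorithm": "AES256",
        "x-amz-server-side-encryption-customer-key": base64.b64encode(customer_key).decode(),
        "x-amz-server-side-encryption-customer-key-MD5": base64.b64encode(key_md5).decode(),
    }


if __name__ == "__main__":
    print(sse_s3_headers())
    print(sse_kms_headers("alias/example-placeholder-key"))   # placeholder key id
    print(sse_c_headers(os.urandom(32)))                       # constructed random key
```

Two practical consequences of the header split: with SSE-KMS the caller also needs KMS permissions (kms:GenerateDataKey to write, kms:Decrypt to read), which is where per-key access control and CloudTrail auditing of key use come from; with SSE-C the same three customer-key headers must accompany every GET and HEAD of the object, so the key has to be managed by the client for the life of the data.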
Network ACL
· block IP address ranges associated with
specific countries would be extremely difficult to manage
EFS
· only supports Linux systems (NFSv4 protocol)
· no lifecycle policy available for deleting files on EFS
· filesystem not block device
· designed to burst to allow high throughput levels for periods of time
· offers the ability to encrypt data at rest and in transit
Elastic Block Store
(EBS)
· block level storage devices, data is
persistent
· Not a fully managed solution and doesn't grow automatically - you would need
to increase the volume size and then extend your filesystem.
· must be attached to EC2 instances
· cannot copy EBS volumes directly from EBS to Amazon S3
· EBS volumes cannot be shared between instances across AZs
· no lifecycle policy available for deleting files on EBS
· when you create an EBS volume in an AZ, it is automatically replicated within that
AZ to prevent data loss due to failure of any single hardware component
· Amazon Data Lifecycle Manager (DLM) feature automates the creation,
retention, and deletion of EBS snapshots but not the individual files within an
EBS volume
· EBS snapshot creates a copy of an EBS volume to S3 so that copies of the
volume can reside in different AZs within a region
· EBS from snapshot data is loaded lazily, the volume can be accessed upon
creation, and if the data being requested has not yet been restored, it will be
restored upon first request
· EBS volumes are single points of failure which are not shared with other
instances
EBS Volume Types
· SSD, General Purpose - gp2
- Volume size 1 GB - 16 TB
- Max IOPS/Volume 16,000
· SSD, Provisioned IOPS - io1
- Volume size 4 GB - 16 TB
- Max IOPS/Volume 64,000
· HDD, Throughput Optimized - st1
- Volume size 500 GB - 16 TB
· HDD, Cold - sc1
- Volume size 500 GB - 16 TB
Network Load Balancer
(NLB)
· operates at Layer 4 - only understands TCP
& UDP
· supports IP addresses as targets as well as instance IDs as targets
· using IP addresses as targets allows load balancing any application hosted in
AWS or on-premise using IP addresses of the application back-ends as targets
Application Load
Balancer (ALB)
· operates on Layer 7 - understands HTTP/S
· only put an ALB in front of the web tier, not the DB tier
· supports IP addresses as targets as well as instance IDs as targets
· using IP addresses as targets allows load balancing any application hosted in
AWS or on-premise using IP addresses of the application back-ends as targets
Elastic Load Balancer
(ELB)
· distributing inbound connection requests to
EC2 instances (only return traffic goes back through the ELB)
· configure sticky sessions
- target group
Web Application
Firewall (WAF)
· Layer 7 (HTTP/S) Firewall
· Protects against complex Layer 7 attacks/exploits
· SQL Injections, Cross-Site Scripting, Geo Blocks, Rate Awareness
· Web Access Control List (web ACL) integrated with ALB, API Gateway and
CloudFront
· WAF Classic: you create "IP match conditions"
· WAF (new version): you create "IP set match statements" - look for this
wording in the exam
· protects applications from malicious attacks
· it does not improve performance
· available on the Application Load Balancer (ALB), both internally and
externally in a VPC, to protect your websites and web services
AWS Shield
· protect against DDoS attacks
- Shield Standard - free with Route 53 and CloudFront
AWS Transit Gateway
· connect on-premise networks to VPCs
· you can manage a single connection for multiple VPCs or VPNs that are in the
same Region by associating a Direct Connect gateway to a transit gateway
· hub and spoke topology with Transit Gateway that supports transitive routing
AWS Global Accelerator
· Used for improving availability and
performance for EC2 instances or Elastic Load Balancers (ALB and NLB), it is
not used for improving S3 performance
· service to improve availability and performance of your applications for
local and global users
· directs traffic to optimal endpoints over the AWS global network
· can be used for non-HTTP/S (TCP/UDP) traffic - the key difference from CloudFront
AWS Global Accelerator
endpoint
· service used for directing users to different
instances of the application in different regions based on latency
Auto Scaling group
· cost effective, will ensure the right number
of instances are running based on demand
· cannot launch instances in multiple Regions from a single Auto Scaling group
· 4 plans: maintain current levels, manual scaling, scheduled scaling, and
dynamic scaling
· Target tracking action is recommended in place of step scaling for most cases
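Why target tracking is the recommended default over step scaling becomes clearer when the two calculations sit side by side. The model below is an added example (not from the original notes, not the Auto Scaling service code) and is deliberately simplified: it ignores cooldowns, instance warm-up and the slower scale-in behaviour of real policies, and all the capacities and metric values are constructed. Target tracking needs one number (the target) and derives the capacity change proportionally; step scaling needs an operator-maintained table of thresholds and adjustments that has to be re-tuned whenever the workload changes.

```python
# Added example, not from the original notes: a simplified model of the
# proportional calculation behind a target tracking policy beside the
# threshold table a step scaling policy requires. All values are constructed.
import math
from typing import List, Optional, Tuple


def target_tracking_desired(current_capacity: int, metric_value: float,
                            target_value: float, min_size: int, max_size: int) -> int:
    """Capacity that would bring the metric back to its target, assuming the
    metric (e.g. average CPU) is spread evenly across the instances."""
    desired = math.ceil(current_capacity * metric_value / target_value)
    return max(min_size, min(max_size, desired))


# Each step: (lower_bound, upper_bound, adjustment); None means unbounded.
Step = Tuple[Optional[float], Optional[float], int]


def step_scaling_desired(current_capacity: int, metric_value: float,
                         steps: List[Step], min_size: int, max_size: int) -> int:
    """Step scaling: only the step whose bounds contain the metric value
    contributes its fixed adjustment; nothing happens outside every step."""
    adjustment = 0
    for lower, upper, adj in steps:
        below_upper = upper is None or metric_value < upper
        above_lower = lower is None or metric_value >= lower
        if above_lower and below_upper:
            adjustment = adj
            break
    return max(min_size, min(max_size, current_capacity + adjustment))


# Constructed step table an operator would have to write and maintain.
CPU_STEPS: List[Step] = [
    (70.0, 85.0, 1),   # 70% <= CPU < 85%: add 1 instance
    (85.0, None, 3),   # CPU >= 85%:       add 3 instances
]

if __name__ == "__main__":
    for cpu in (20.0, 60.0, 75.0, 90.0):
        print(f"CPU {cpu:>5}%  target tracking -> "
              f"{target_tracking_desired(4, cpu, 50.0, 1, 10)}  "
              f"step scaling -> {step_scaling_desired(4, cpu, CPU_STEPS, 1, 10)}")
```

The run shows the difference at 90% CPU: target tracking computes that roughly double the capacity is needed (4 * 90 / 50, rounded up to 8), while step scaling adds whatever the matching row says (+3, giving 7) and would need its table edited to react differently.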