Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official...
AWS Certified Solutions Architect Official Study Guide: Associate Exam

Joe Baron, Hisham Baz, Tim Bixler, Biff Gaut, Kevin E. Kelly, Sean Senior, John Stamper
Senior Acquisitions Editor: Kenyon Brown
Project Editor: Gary Schwartz
Production Editor: Dassi Zeidel
Copy Editor: Kezia Endsley
Editorial Manager: Mary Beth Wakefield
Production Manager: Kathleen Wisor
Executive Editor: Jim Minatel
Book Designers: Judy Fung and Bill Gibson
Proofreader: Nancy Carrasco
Indexer: Johnna VanHoose Dinse
Project Coordinator, Cover: Brent Savage
Cover Designer: Wiley
Cover Image: © Getty Images, Inc./Jeremy Woodhouse

Copyright © 2017 by AWS

Published by John Wiley & Sons, Inc., Indianapolis, Indiana

Published simultaneously in Canada

ISBN: 978-1-119-13855-6
ISBN: 978-1-119-13955-3 (ebk.)
ISBN: 978-1-119-13954-6 (ebk.)

Manufactured in the United States of America

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Web site may provide or recommendations it may make. Further, readers should be aware that Internet Web sites listed in this work may have changed or disappeared between when this work was written and when it is read.

For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at (877) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

Library of Congress Control Number: 2016949703

TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. AWS is a registered trademark of Amazon Technologies, Inc. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.
For the original AWS instructor, Mike Culver, who taught us how to teach, lead, and inspire with tenacity and kindness.
Contents

Acknowledgments
About the Authors
Foreword
Introduction
Assessment Test
Answers to Assessment Test
Chapter 1 Introduction to AWS
    What Is Cloud Computing?
    AWS Fundamentals
    AWS Cloud Computing Platform
    Summary
    Exam Essentials
    Review Questions
Chapter 2 Amazon Simple Storage Service (Amazon S3) and Amazon Glacier Storage
    Introduction
    Object Storage versus Traditional Block and File Storage
    Amazon Simple Storage Service (Amazon S3) Basics
    Buckets
    Amazon S3 Advanced Features
    Amazon Glacier
    Summary
    Exam Essentials
    Exercises
    Review Questions
Chapter 3 Amazon Elastic Compute Cloud (Amazon EC2) and Amazon Elastic Block Store (Amazon EBS)
    Introduction
    Amazon Elastic Compute Cloud (Amazon EC2)
    Amazon Elastic Block Store (Amazon EBS)
    Summary
    Exam Essentials
    Exercises
    Review Questions
Chapter 4 Amazon Virtual Private Cloud (Amazon VPC)
    Introduction
    Amazon Virtual Private Cloud (Amazon VPC)
    Subnets
    Route Tables
    Internet Gateways
    Dynamic Host Configuration Protocol (DHCP) Option Sets
    Elastic IP Addresses (EIPs)
    Elastic Network Interfaces (ENIs)
    Endpoints
    Peering
    Security Groups
    Network Access Control Lists (ACLs)
    Network Address Translation (NAT) Instances and NAT Gateways
    Virtual Private Gateways (VPGs), Customer Gateways (CGWs), and Virtual Private Networks (VPNs)
    Summary
    Exam Essentials
    Exercises
    Review Questions
Chapter 5 Elastic Load Balancing, Amazon CloudWatch, and Auto Scaling
    Introduction
    Elastic Load Balancing
    Amazon CloudWatch
    Auto Scaling
    Summary
    Exam Essentials
    Exercises
    Review Questions
Chapter 6 AWS Identity and Access Management (IAM)
    Principals
    Authentication
    Authorization
    Other Key Features
    Summary
    Exam Essentials
    Exercises
    Review Questions
Chapter 7 Databases and AWS
    Database Primer
    Amazon Relational Database Service (Amazon RDS)
    Amazon Redshift
    Amazon DynamoDB
    Summary
    Exam Essentials
    Exercises
    Review Questions
Chapter 8 SQS, SWF, and SNS
    Amazon Simple Queue Service (Amazon SQS)
    Amazon Simple Workflow Service (Amazon SWF)
    Amazon Simple Notification Service (Amazon SNS)
    Summary
    Exam Essentials
    Exercises
    Review Questions
Chapter 9 Domain Name System (DNS) and Amazon Route 53
    Domain Name System (DNS)
    Amazon Route 53 Overview
    Summary
    Exam Essentials
    Exercises
    Review Questions
Chapter 10 Amazon ElastiCache
    Introduction
    In-Memory Caching
    Amazon ElastiCache
    Summary
    Exam Essentials
    Exercises
    Review Questions
Chapter 11 Additional Key Services
    Introduction
    Storage and Content Delivery
    Security
    Analytics
    DevOps
    Summary
    Exam Essentials
    Review Questions
Chapter 12 Security on AWS
    Introduction
    Shared Responsibility Model
    AWS Compliance Program
    AWS Global Infrastructure Security
    AWS Account Security Features
    AWS Cloud Service-Specific Security
    Summary
    Exam Essentials
    Exercises
    Review Questions
Chapter 13 AWS Risk and Compliance
    Introduction
    Overview of Compliance in AWS
    Evaluating and Integrating AWS Controls
    AWS Risk and Compliance Program
    AWS Reports, Certifications, and Third-Party Attestations
    Summary
    Exam Essentials
    Review Questions
Chapter 14 Architecture Best Practices
    Introduction
    Design for Failure and Nothing Fails
    Implement Elasticity
    Leverage Different Storage Options
    Build Security in Every Layer
    Think Parallel
    Loose Coupling Sets You Free
    Don't Fear Constraints
    Summary
    Exam Essentials
    Exercises
    Review Questions
Appendix A Answers to Review Questions
    Chapter 1: Introduction to AWS
    Chapter 2: Amazon Simple Storage Service (Amazon S3) and Amazon Glacier Storage
    Chapter 3: Amazon Elastic Compute Cloud (Amazon EC2) and Amazon Elastic Block Store (Amazon EBS)
    Chapter 4: Amazon Virtual Private Cloud (Amazon VPC)
    Chapter 5: Elastic Load Balancing, Amazon CloudWatch, and Auto Scaling
    Chapter 6: AWS Identity and Access Management (IAM)
    Chapter 7: Databases and AWS
    Chapter 8: SQS, SWF, and SNS
    Chapter 9: Domain Name System (DNS) and Amazon Route 53
    Chapter 10: Amazon ElastiCache
    Chapter 11: Additional Key Services
    Chapter 12: Security on AWS
    Chapter 13: AWS Risk and Compliance
    Chapter 14: Architecture Best Practices
Advert
EULA
List of Tables

Chapter 3
    TABLE 3.1
    TABLE 3.2
    TABLE 3.3
    TABLE 3.4
    TABLE 3.5
    TABLE 3.6
Chapter 4
    TABLE 4.1
    TABLE 4.2
    TABLE 4.3
    TABLE 4.4
    TABLE 4.5
Chapter 6
    TABLE 6.1
    TABLE 6.2
    TABLE 6.3
Chapter 7
    TABLE 7.1
    TABLE 7.2
    TABLE 7.3
    TABLE 7.4
    TABLE 7.5
Chapter 12
    TABLE 12.1
Chapter 14
    TABLE 14.1
List of Illustrations

Chapter 1
    FIGURE 1.1 Six advantages of cloud computing
    FIGURE 1.2 AWS Cloud computing platform
    FIGURE 1.3 Auto scaling capacity
    FIGURE 1.4 AWS CloudFormation workflow summary
Chapter 3
    FIGURE 3.1 Memory and vCPUs for the m4 instance family
    FIGURE 3.2 A workload using a mix of On-Demand and Reserved Instances
Chapter 4
    FIGURE 4.1 VPC, subnets, and a route table
    FIGURE 4.2 VPC, subnet, route table, and an Internet gateway
    FIGURE 4.3 VPC peering connections do not support transitive routing
    FIGURE 4.4 VPC with VPN connection to a customer network
Chapter 5
    FIGURE 5.1 Auto Scaling group behind an Elastic Load Balancing load balancer
    FIGURE 5.2 Auto Scaling group with policy
    FIGURE 5.3 Amazon CloudWatch alarm triggering scaling out
Chapter 6
    FIGURE 6.1 Different identities authenticating with AWS
    FIGURE 6.2 Associating IAM users with policies
Chapter 7
    FIGURE 7.1 Multi-AZ Amazon RDS architecture
    FIGURE 7.2 Amazon Redshift cluster architecture
    FIGURE 7.3 Table, items, attributes relationship
    FIGURE 7.4 Table partitioning
Chapter 8
    FIGURE 8.1 Message lifecycle
    FIGURE 8.2 Diagram of visibility timeout
    FIGURE 8.3 Amazon SWF workflow illustration
    FIGURE 8.4 Diagram of topic delivery
    FIGURE 8.5 Diagram of fanout scenario
Chapter 9
    FIGURE 9.1 FQDN components
Chapter 10
    FIGURE 10.1 Common caching architecture
    FIGURE 10.2 Redis replication group
Chapter 11
    FIGURE 11.1 Delivering static and dynamic content
    FIGURE 11.2 High availability CloudHSM architecture
    FIGURE 11.3 Amazon Kinesis Firehose
    FIGURE 11.4 Amazon Kinesis Streams
    FIGURE 11.5 Example pipeline
    FIGURE 11.6 Simple application server stack
    FIGURE 11.7 Simple application server stack with AWS OpsWorks
    FIGURE 11.8 Creating a stack workflow
    FIGURE 11.9 Updating a stack workflow
    FIGURE 11.10 AWS Trusted Advisor Console dashboard
Chapter 12
    FIGURE 12.1 The shared responsibility model
    FIGURE 12.2 Amazon Web Services regions
    FIGURE 12.3 Amazon EC2 multiple layers of security
    FIGURE 12.4 Amazon EC2 security group firewall
    FIGURE 12.5 Amazon VPC network architecture
    FIGURE 12.6 Flexible network architectures
Chapter 13
    FIGURE 13.1 Shared responsibility model
Chapter 14
    FIGURE 14.1 Simple web application architecture
    FIGURE 14.2 Updated web application architecture with redundancy
    FIGURE 14.3 Updated web application architecture with auto scaling
    FIGURE 14.4 Updated web application architecture with Amazon S3 and Amazon CloudFront
    FIGURE 14.5 Updated web application architecture with Amazon ElastiCache and Amazon DynamoDB
    FIGURE 14.6 Tight and loose coupling
    FIGURE 14.7 Sample web application for chapter exercises
Acknowledgments

The authors would like to thank a few people who helped us develop and write this AWS Certified Solutions Architect Official Study Guide: Associate Exam.

First, thanks to all our families who put up with us spending weekends and evenings creating content, writing questions, and reviewing each other's chapters. Their patience and support made this book possible.

Niamh O'Byrne, AWS Certification Manager, who introduced all of the authors and many more solutions architects at AWS to certification testing and got this book started by challenging some of us to extend our reach and help more cloud practitioners get certified.

Nathan Bower and Victoria Steidel, amazing technical writers at AWS who reviewed and edited all the content and every question and gently made us better writers and communicators. They were tireless in reviewing and helping us hone and focus our content.

Patrick Shumate, a fellow AWS solutions architect who contributed test questions right when we needed the help to get us over the finish line.

We could not have written this book without the help of our friends at Wiley. Kenyon Brown, Senior Acquisitions Editor, corralled us and focused us on the end goal. Additionally, we were guided by Gary Schwartz, Project Editor; Kezia Endsley, Copyeditor; and Dassi Zeidel, Production Editor, who took output from different authors and turned it into a cohesive and complete finished product.

Lastly, we want to thank all the solutions architects at AWS who participated in certification blueprint development, question writing, and review sessions, and the development of a world-class certification program for cloud practitioners that is setting the standard for our industry.
About the Authors

Joe Baron, Principal Solutions Architect for AWS, is currently working with customers in the Southeastern United States. Joe joined AWS in 2009 as one of the first solutions architects, and in the years since he has helped customers of all sizes, from small startups to some of the largest enterprises in the world, to architect their infrastructures and migrate their applications to the cloud. He was also an early contributor to the AWS Associate and Professional Certified Solutions Architect programs. Joe holds a BS degree in engineering physics from Cornell University and is proud to be an "expert generalist." Prior to joining AWS, Joe had 25 years of experience in technology, with roles in data center automation, virtualization, life sciences, high-performance computing, 3D visualization, hardware and software development, and Independent Software Vendor (ISV) program management. He is also a dedicated husband to Carol and father of two children, Matt and Jessie. When not helping customers migrate all the things to the cloud, Joe is an amateur classical pianist and collector of traditional woodworking tools. He lives in the Raleigh, NC area.

Hisham Baz is a passionate software engineer and systems architect with expertise building distributed applications and high-performance, mission-critical systems. Since 2013, Hisham has been a solutions architect with AWS working with customers like Pinterest, Airbnb, and General Electric to build resilient architectures in the cloud with a focus on big data and analytics. Prior to Amazon, Hisham founded two early-stage startups, modernized the communications network connecting critical transportation infrastructure, and improved cellular networks with large-scale data analytics. Hisham is based in San Francisco, CA and lives with his wife, Suki. They can often be found hiking the redwoods.

Tim Bixler, Commercial Americas Southeast Area Solutions Architecture Leader for AWS, leads teams of solutions architects who provide AWS technical enablement, evangelism, and knowledge transfer to customers like Capital One, The Coca-Cola Company, AOL, Koch Industries, Cox Automotive, NASCAR, Emdeon, and Neustar. Tim has over 20 years of experience in improving systems and operational performance, productivity, and customer satisfaction for private and public global corporations as well as government agencies. He is also a public speaker for Amazon and enjoys helping customers adopt innovative solutions on AWS. But if you ask his 7-year-old son TJ what he does, he might say that daddy is a builder and a fixer. When not otherwise tasked, you can find him burrowed in his lab building robots driven by microcontrollers or at the local BrickFair admiring the creations that he has no time to build.

Biff Gaut started writing programs for a living on CP/M on the Osborne 1. Since those early days, he obtained a BS in engineering from Virginia Tech while writing C code on MS-DOS, married his wife, Holly, while writing his first GUI apps, and raised two children while transitioning from COM objects in C++ to web apps in .NET. Along the way, he led development teams from 1 to 50 members for companies including NASDAQ, Thomson Reuters, Verizon, Microsoft, FINRA, and Marriott. He has collaborated on two books and spoken at countless conferences, including Windows World and the Microsoft PDC. Biff is currently a solutions architect at AWS, helping customers across the country realize the benefits of the cloud by deploying secure, available, efficient workloads on AWS. And yes, that's his real name.

Kevin E. Kelly, Solutions Architecture Manager and early contributor to the AWS Solutions Architecture Certification exams, has been at AWS for over seven years helping companies architect their infrastructures and migrate their applications to the cloud. Kevin has a BS in computer science from Mercer University and a Master of Information Systems in business from the University of Montana. Before joining Amazon, Kevin was an Air Force officer, a programmer (including embedded programming), and a technical presales leader. Kevin has been the chairman of the World Wide Web Consortium (W3C) Compound Document Format Working Group and led that open-standards working group in developing the Web Interactive Compound Document (WICD) profile for mobile and desktop devices. He has also served as the W3C Advisory Council Representative for Health Level 7 (HL7). Kevin lives in Virginia with his wife, Laurie, and their two daughters, Caroline and Amelia. Kevin is an amateur violin and mandolin player and a zymurgist.

Sean Senior is a solutions architect at AWS. Sean is a builder at heart and thrives in a fast-paced environment with continuous challenges. Sean has a BS in computer information and sciences from the University of Maryland University College. Sean is a devoted husband and father of a beautiful girl. He is a U.S. Navy veteran, avid sports fan, and gym rat. He loathes talking about himself in the third person, but can be persuaded to do so for a good reason.

John Stamper, Principal Solutions Architect at AWS, is a co-inventor for multiple AWS patents and is particularly fond of distributed systems at scale. John holds a BS in mathematics from James Madison University (94) and an MS in Information Systems from George Mason University (04). In addition to building systems on the cloud and helping customers reimagine their businesses, John is a dedicated husband and father of three children. He is a CrossFit athlete, youth sports coach, and vocal supporter of the arts.
Foreword

This AWS Certified Solutions Architect Official Study Guide: Associate Exam has been written to help you prepare for the AWS Certified Solutions Architect – Associate exam. This certification is becoming an increasingly important credential that every information technology professional and cloud practitioner who plans, designs, and builds application architectures for deployment on AWS should obtain. Passing the AWS Certified Solutions Architect – Associate exam demonstrates to your colleagues, employers, and the industry at large that you know how to build and deploy AWS solutions that are highly available, secure, performant, and cost effective.

This study guide was written by AWS solutions architects who wrote and reviewed exam questions for the AWS Certified Solutions Architect exams. Although nothing replaces hands-on experience building and deploying a variety of cloud applications and controls on AWS, this study guide, and the questions and exercises in each chapter, provide you with coverage of the basic AWS Cloud services combined with architectural recommendations and best practices that will help prepare you for the exam. Combining this study guide with production application deployment experience and taking the practice exams online will prepare you well and allow you to take the exam with confidence. Adding the AWS Certified Solutions Architect – Associate certification to your credentials will establish you as an industry-recognized solutions architect for the AWS platform!

—Kevin E. Kelly, Americas Solutions Architecture Lead
AWS Certified Solutions Architect – Associate
AWS Certified Solutions Architect – Professional
Herndon, VA
Introduction

Studying for any certification exam can seem daunting. This AWS Certified Solutions Architect Official Study Guide: Associate Exam was designed and developed with relevant topics, questions, and exercises to enable a cloud practitioner to focus their precious study time and effort on the germane set of topics targeted at the right level of abstraction so they can confidently take the AWS Certified Solutions Architect – Associate exam.

This study guide presents a set of topics needed to round out a cloud practitioner's hands-on experiences with AWS by covering the basic AWS Cloud services and concepts within the scope of the AWS Certified Solutions Architect – Associate exam. This study guide begins with an introduction to AWS, which is then followed by chapters on specific AWS Cloud services. In addition to the services chapters, the topics of security, risk and compliance, and architecture best practices are covered, providing the reader with a solid base for understanding how to build and deploy applications on the AWS platform. Furthermore, the AWS architectural best practices and principles are reinforced in every chapter and reflected in the self-study questions and examples to highlight the development and deployment of applications for AWS that are secure, highly available, performant, and cost effective. Each chapter includes specific information on the service or topic covered, followed by an Exam Essentials section that contains key information needed in your exam preparation. The Exam Essentials section is followed by an Exercise section with exercises designed to help reinforce the topic of the chapter with hands-on learning. Next, each chapter contains sample questions to get you accustomed to answering questions about AWS Cloud services and architecture topics. The book also contains a self-assessment exam with 25 questions, two practice exams with 50 questions each to help you gauge your readiness to take the exam, and flashcards to help you learn and retain key facts needed to prepare for the exam.

If you are looking for a targeted book written by solutions architects who wrote, reviewed, and developed the AWS Certified Solutions Architect – Associate exam, then this is the book for you.
What Does This Book Cover?

This book covers topics you need to know to prepare for the Amazon Web Services (AWS) Certified Solutions Architect – Associate exam:

Chapter 1: Introduction to AWS This chapter provides an introduction to the AWS Cloud computing platform. It discusses the advantages of cloud computing and the fundamentals of AWS. It provides an overview of the AWS Cloud services that are fundamentally important for the exam.

Chapter 2: Amazon Simple Storage Service (Amazon S3) and Amazon Glacier Storage This chapter provides you with a basic understanding of the core object storage services available on AWS: Amazon Simple Storage Service (Amazon S3) and Amazon Glacier. These services are used to store objects on AWS.

Chapter 3: Amazon Elastic Compute Cloud (Amazon EC2) and Amazon Elastic Block Store (Amazon EBS) In this chapter, you will learn how Amazon Elastic Compute Cloud (Amazon EC2) and Amazon Elastic Block Store (Amazon EBS) provide the basic elements of compute and block-level storage to run your workloads on AWS.

Chapter 4: Amazon Virtual Private Cloud (Amazon VPC) This chapter describes Amazon Virtual Private Cloud (Amazon VPC), which is a custom-defined virtual network within AWS. You will learn how to design secure architectures using Amazon VPC to provision your own logically isolated section of AWS.

Chapter 5: Elastic Load Balancing, Amazon CloudWatch, and Auto Scaling In this chapter, you will learn how Elastic Load Balancing, Amazon CloudWatch, and Auto Scaling work independently and together to help you efficiently and cost-effectively deploy highly available and optimized workloads on AWS.

Chapter 6: AWS Identity and Access Management (IAM) This chapter covers AWS Identity and Access Management (IAM), which is used to secure transactions with the AWS resources in your AWS account.

Chapter 7: Databases and AWS This chapter covers essential database concepts and introduces three of the AWS managed database services: Amazon Relational Database Service (Amazon RDS), Amazon DynamoDB, and Amazon Redshift. These managed services simplify the setup and operation of relational databases, NoSQL databases, and data warehouses.

Chapter 8: SQS, SWF, and SNS This chapter focuses on application services in AWS, specifically Amazon Simple Queue Service (Amazon SQS), Amazon Simple Workflow Service (SWF), and Amazon Simple Notification Service (Amazon SNS). It also covers architectural guidance on using these services and the use of Amazon SNS in mobile applications.

Chapter 9: Domain Name System (DNS) and Amazon Route 53 In this chapter, you will learn about Domain Name System (DNS) and the Amazon Route 53 service, which is designed to help users find your website or application over the Internet.

Chapter 10: Amazon ElastiCache This chapter focuses on building high-performance applications using in-memory caching technologies and Amazon ElastiCache.

Chapter 11: Additional Key Services Additional services not covered in other chapters are covered in this chapter. Topics include Amazon CloudFront, AWS Storage Gateway, AWS Directory Service, AWS Key Management Service (KMS), AWS CloudHSM, AWS CloudTrail, Amazon Kinesis, Amazon Elastic MapReduce (Amazon EMR), AWS Data Pipeline, AWS Import/Export, AWS OpsWorks, AWS CloudFormation, AWS Elastic Beanstalk, AWS Trusted Advisor, and AWS Config.

Chapter 12: Security on AWS This chapter covers the relevant security topics that are within scope for the AWS Certified Solutions Architect – Associate exam.

Chapter 13: AWS Risk and Compliance This chapter covers topics associated with risk and compliance, risk mitigation, and the shared responsibility model of using AWS.

Chapter 14: Architecture Best Practices The final chapter covers the AWS-recommended design principles and best practices for architecting systems and applications for the Cloud.
Interactive Online Learning Environment and Test Bank

The authors have worked hard to provide some really great tools to help you with your certification process. The interactive online learning environment that accompanies the AWS Certified Solutions Architect Official Study Guide: Associate Exam provides a test bank with study tools to help you prepare for the certification exam—and increase your chances of passing it the first time! The test bank includes the following:

Sample Tests All the questions in this book are provided, including the assessment test at the end of this Introduction and the chapter tests that include the review questions at the end of each chapter. In addition, there are two practice exams with 50 questions each. Use these questions to test your knowledge of the study guide material. The online test bank runs on multiple devices.

Flashcards The online test bank includes 100 flashcards specifically written to hit you hard, so don't get discouraged if you don't ace your way through them at first. They're there to ensure that you're really ready for the exam. And no worries—armed with the review questions, practice exams, and flashcards, you'll be more than prepared when exam day comes. Questions are provided in digital flashcard format (a question followed by a single correct answer). You can use the flashcards to reinforce your learning and provide last-minute test prep before the exam.

Glossary A glossary of key terms from this book is available as a fully searchable PDF.

Go to http://www.wiley.com/go/sybextestprep to register and gain access to this interactive online learning environment and test bank with study tools.
![Page 25: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us](https://reader034.fdocuments.in/reader034/viewer/2022051903/5ff3f0af59eac925a1655b52/html5/thumbnails/25.jpg)
Exam Objectives
The AWS Certified Solutions Architect—Associate exam is intended for people who have experience in designing distributed applications and systems on the AWS platform. Here are some of the key exam topics that you should understand for this exam:
Designing and deploying scalable, highly available, and fault-tolerant systems on AWS
Migrating existing on-premises applications to AWS
Ingress and egress of data to and from AWS
Selecting the appropriate AWS service based on data, compute, database, or security requirements
Identifying appropriate use of AWS architectural best practices
Estimating AWS costs and identifying cost control mechanisms
In general, candidates should have the following:
One or more years of hands-on experience designing highly available, cost efficient, secure, fault tolerant, and scalable distributed systems on AWS
In-depth knowledge of at least one high-level programming language
Ability to identify and define requirements for an AWS-based application
Experience with deploying hybrid systems with on-premises and AWS components
Capability to provide best practices for building secure and reliable applications on the AWS platform
The exam covers four different domains, with each domain broken down into objectives and subobjectives.
Objective Map
The following table lists each domain and its weighting in the exam, along with the chapters in the book where that domain's objectives and subobjectives are covered.
Domain | Percentage of Exam | Chapter
1 Domain 1.0: Designing highly available, cost-efficient, fault-tolerant, scalable systems | 60%
1.1 Identify and recognize cloud architecture considerations, such as fundamental components and effective designs. | 1, 2, 3, 4, 5, 7, 8, 9, 10, 11, 14
Content may include the following:
How to design cloud services | 1, 2, 3, 4, 8, 9, 11, 14
Planning and design | 1, 2, 3, 4, 7, 8, 9, 10, 11, 14
Monitoring and logging | 2, 3, 8, 9, 11
Familiarity with:
Best practices for AWS architecture | 1, 2, 4, 7, 8, 9, 10, 14
Developing to client specifications, including pricing/cost (e.g., On Demand vs. Reserved vs. Spot; RTO and RPO DR Design) | 2, 7, 9
Architectural trade-off decisions (e.g., high availability vs. cost, Amazon Relational Database Service (RDS) vs. installing your own database on Amazon Elastic Compute Cloud (EC2)) | 2, 4, 7, 8, 9, 10
Hybrid IT architectures (e.g., Direct Connect, Storage Gateway, VPC, Directory Services) | 1, 2, 4, 14
Elasticity and scalability (e.g., Auto Scaling, SQS, ELB, CloudFront) | 1, 2, 5, 7, 8, 9, 10, 14
2 Domain 2.0: Implementation/Deployment | 10%
2.1 Identify the appropriate techniques and methods using Amazon EC2, Amazon S3, AWS Elastic Beanstalk, AWS CloudFormation, AWS OpsWorks, Amazon Virtual Private Cloud (VPC), and AWS Identity and Access Management (IAM) to code and implement a cloud solution. | 1, 2, 3, 4, 5, 6, 8, 11, 13
Content may include the following:
Configure an Amazon Machine Image (AMI). | 2, 3, 11
Operate and extend service management in a hybrid IT architecture. | 1, 4
Configure services to support compliance requirements in the cloud. | 2, 3, 4, 11, 13
Launch instances across the AWS global infrastructure. | 1, 2, 3, 5, 8, 11
Configure IAM policies and best practices. | 2, 6
3 Domain 3.0: Data Security | 20%
3.1 Recognize and implement secure practices for optimum cloud deployment and maintenance. | 2, 4, 10, 12, 13
Content may include the following:
AWS shared responsibility model | 12, 13
AWS platform compliance | 11, 12, 13
AWS security attributes (customer workloads down to physical layer) | 4, 11, 12, 13
AWS administration and security services | 7, 10, 11, 12
AWS Identity and Access Management (IAM) | 6, 12
Amazon Virtual Private Cloud (VPC) | 4, 12
AWS CloudTrail | 11, 12
Ingress vs. egress filtering, and which AWS services and features fit | 11, 12
"Core" Amazon EC2 and S3 security feature sets | 2, 4, 12
Incorporating common conventional security products (Firewall, VPN) | 4, 12
Design patterns | 7, 13
DDoS mitigation | 12
Encryption solutions (e.g., key services) | 2, 11, 12
Complex access controls (building sophisticated security groups, ACLs, etc.) | 2, 12
Amazon CloudWatch for the security architect | 5
Trusted Advisor | 11
CloudWatch Logs | 5
3.2 Recognize critical disaster recovery techniques and their implementation. | 3, 7, 9, 10
Content may include the following:
Disaster recovery | 3
Recovery time objective | 7
Recovery point objective | 7
Amazon Elastic Block Store | 3
AWS Import/Export | 11
AWS Storage Gateway | 11
Amazon Route 53 | 9
Validation of data recovery method | 3
4 Domain 4.0: Troubleshooting | 10%
Content may include the following:
General troubleshooting information and questions | 5, 8
Assessment Test
1. Under a single AWS account, you have set up an Auto Scaling group with a maximum capacity of 50 Amazon Elastic Compute Cloud (Amazon EC2) instances in us-west-2. When you scale out, however, it only increases to 20 Amazon EC2 instances. What is the likely cause?
A. Auto Scaling has a hard limit of 20 Amazon EC2 instances.
B. If not specified, the Auto Scaling group maximum capacity defaults to 20 Amazon EC2 instances.
C. The Auto Scaling group desired capacity is set to 20, so Auto Scaling stopped at 20 Amazon EC2 instances.
D. You have exceeded the default Amazon EC2 instance limit of 20 per region.
2. Elastic Load Balancing allows you to distribute traffic across which of the following?
A. Only within a single Availability Zone
B. Multiple Availability Zones within a region
C. Multiple Availability Zones within and between regions
D. Multiple Availability Zones within and between regions and on-premises virtualized instances running OpenStack
3. Amazon CloudWatch offers which types of monitoring plans? (Choose 2 answers)
A. Basic
B. Detailed
C. Diagnostic
D. Precognitive
E. Retroactive
4. An Amazon Elastic Compute Cloud (Amazon EC2) instance in an Amazon Virtual Private Cloud (Amazon VPC) subnet can send and receive traffic from the Internet when which of the following conditions are met? (Choose 3 answers)
A. Network Access Control Lists (ACLs) and security group rules disallow all traffic except relevant Internet traffic.
B. Network ACLs and security group rules allow relevant Internet traffic.
C. Attach an Internet Gateway (IGW) to the Amazon VPC and create a subnet route table to send all non-local traffic to that IGW.
D. Attach a Virtual Private Gateway (VPG) to the Amazon VPC and create subnet routes to send all non-local traffic to that VPG.
E. The Amazon EC2 instance has a public IP address or Elastic IP (EIP) address.
F. The Amazon EC2 instance does not need a public IP or Elastic IP when using Amazon VPC.
5. If you launch five Amazon Elastic Compute Cloud (Amazon EC2) instances in an Amazon Virtual Private Cloud (Amazon VPC) without specifying a security group, the instances will be launched into a default security group that provides which of the following? (Choose 3 answers)
A. The five Amazon EC2 instances can communicate with each other.
B. The five Amazon EC2 instances cannot communicate with each other.
C. All inbound traffic will be allowed to the five Amazon EC2 instances.
D. No inbound traffic will be allowed to the five Amazon EC2 instances.
E. All outbound traffic will be allowed from the five Amazon EC2 instances.
F. No outbound traffic will be allowed from the five Amazon EC2 instances.
6. Your company wants to host its secure web application in AWS. The internal security policies consider any connections to or from the web server as insecure and require application data protection. What approaches should you use to protect data in transit for the application? (Choose 2 answers)
A. Use BitLocker to encrypt data.
B. Use HTTPS with server certificate authentication.
C. Use an AWS Identity and Access Management (IAM) role.
D. Use Secure Sockets Layer (SSL)/Transport Layer Security (TLS) for database connection.
E. Use XML for data transfer from client to server.
7. You have an application that will run on an Amazon Elastic Compute Cloud (Amazon EC2) instance. The application will make requests to Amazon Simple Storage Service (Amazon S3) and Amazon DynamoDB. Using best practices, what type of AWS Identity and Access Management (IAM) identity should you create for your application to access the identified services?
A. IAM role
B. IAM user
C. IAM group
D. IAM directory
8. When a request is made to an AWS Cloud service, the request is evaluated to decide whether it should be allowed or denied. The evaluation logic follows which of the following rules? (Choose 3 answers)
A. An explicit allow overrides any denies.
B. By default, all requests are denied.
C. An explicit allow overrides the default.
D. An explicit deny overrides any allows.
E. By default, all requests are allowed.
9. What is the data processing engine behind Amazon Elastic MapReduce (Amazon EMR)?
A. Apache Hadoop
B. Apache Hive
C. Apache Pig
D. Apache HBase
10. What type of AWS Elastic Beanstalk environment tier provisions resources to support a web application that handles background processing tasks?
A. Web server environment tier
B. Worker environment tier
C. Database environment tier
D. Batch environment tier
11. What Amazon Relational Database Service (Amazon RDS) feature provides the high availability for your database?
A. Regular maintenance windows
B. Security groups
C. Automated backups
D. Multi-AZ deployment
12. What administrative tasks are handled by AWS for Amazon Relational Database Service (Amazon RDS) databases? (Choose 3 answers)
A. Regular backups of the database
B. Deploying virtual infrastructure
C. Deploying the schema (for example, tables and stored procedures)
D. Patching the operating system and database software
E. Setting up non-admin database accounts and privileges
13. Which of the following use cases is well suited for Amazon Redshift?
A. A 500 TB data warehouse used for market analytics
B. A NoSQL, unstructured database workload
C. A high traffic, e-commerce web application
D. An in-memory cache
14. Which of the following statements about Amazon DynamoDB secondary indexes is true?
A. There can be many per table, and they can be created at any time.
B. There can only be one per table, and it must be created when the table is created.
C. There can be many per table, and they can be created at any time.
D. There can only be one per table, and it must be created when the table is created.
15. What is the primary use case of Amazon Kinesis Firehose?
A. Ingest huge streams of data and allow custom processing of data in flight.
B. Ingest huge streams of data and store it to Amazon Simple Storage Service (Amazon S3), Amazon Redshift, or Amazon Elasticsearch Service.
C. Generate a huge stream of data from an Amazon S3 bucket.
D. Generate a huge stream of data from Amazon DynamoDB.
16. Your company has 17 TB of financial trading records that need to be stored for seven years by law. Experience has shown that any record more than a year old is unlikely to be accessed. Which of the following storage plans meets these needs in the most cost-efficient manner?
A. Store the data on Amazon Elastic Block Store (Amazon EBS) volume attached to t2.large instances.
B. Store the data on Amazon Simple Storage Service (Amazon S3) with lifecycle policies that change the storage class to Amazon Glacier after one year, and delete the object after seven years.
C. Store the data in Amazon DynamoDB, and delete data older than seven years.
D. Store the data in an Amazon Glacier Vault Lock.
17. What must you do to create a record of who accessed your Amazon Simple Storage Service (Amazon S3) data and from where?
A. Enable Amazon CloudWatch logs.
B. Enable versioning on the bucket.
C. Enable website hosting on the bucket.
D. Enable server access logs on the bucket.
E. Create an AWS Identity and Access Management (IAM) bucket policy.
18. Amazon Simple Storage Service (Amazon S3) is an eventually consistent storage system. For what kinds of operations is it possible to get stale data as a result of eventual consistency?
A. GET after PUT of a new object
B. GET or LIST after a DELETE
C. GET after overwrite PUT (PUT to an existing key)
D. DELETE after GET of new object
19. How is data stored in Amazon Simple Storage Service (Amazon S3) for high durability?
A. Data is automatically replicated to other regions.
B. Data is automatically replicated to different Availability Zones within a region.
C. Data is replicated only if versioning is enabled on the bucket.
D. Data is automatically backed up on tape and restored if needed.
20. Your company needs to provide streaming access to videos to authenticated users around the world. What is a good way to accomplish this?
A. Use Amazon Simple Storage Service (Amazon S3) buckets in each region with website hosting enabled.
B. Store the videos on Amazon Elastic Block Store (Amazon EBS) volumes.
C. Enable Amazon CloudFront with geolocation and signed URLs.
D. Run a fleet of Amazon Elastic Compute Cloud (Amazon EC2) instances to host the videos.
21. Which of the following are true about the AWS shared responsibility model? (Choose 3 answers)
A. AWS is responsible for all infrastructure components (that is, AWS Cloud services) that support customer deployments.
B. The customer is responsible for the components from the guest operating system upward (including updates, security patches, and antivirus software).
C. The customer may rely on AWS to manage the security of their workloads deployed on AWS.
D. While AWS manages security of the cloud, security in the cloud is the responsibility of the customer.
E. The customer must audit the AWS data centers personally to confirm the compliance of AWS systems and services.
22. Which process in an Amazon Simple Workflow Service (Amazon SWF) workflow implements a task?
A. Decider
B. Activity worker
C. Workflow starter
D. Business rule
23. Which of the following is true if you stop an Amazon Elastic Compute Cloud (Amazon EC2) instance with an Elastic IP address in an Amazon Virtual Private Cloud (Amazon VPC)?
A. The instance is disassociated from its Elastic IP address and must be re-attached when the instance is restarted.
B. The instance remains associated with its Elastic IP address.
C. The Elastic IP address is released from your account.
D. The instance is disassociated from the Elastic IP address temporarily while you restart the instance.
24. Which Amazon Elastic Compute Cloud (Amazon EC2) pricing model allows you to pay a set hourly price for compute, giving you full control over when the instance launches and terminates?
A. Spot instances
B. Reserved instance
C. On Demand instances
D. Dedicated instances
25. Under what circumstances will Amazon Elastic Compute Cloud (Amazon EC2) instance store data not be preserved?
A. The associated security groups are changed.
B. The instance is stopped or rebooted.
C. The instance is rebooted or terminated.
D. The instance is stopped or terminated.
E. None of the above
Answers to Assessment Test
1. D. Auto Scaling may cause you to reach limits of other services, such as the default number of Amazon EC2 instances you can currently launch within a region, which is 20.
2. B. The Elastic Load Balancing service allows you to distribute traffic across a group of Amazon Elastic Compute Cloud (Amazon EC2) instances in one or more Availability Zones within a region.
3. A and B. Amazon CloudWatch has two plans: basic and detailed. There are no diagnostic, precognitive, or retroactive monitoring plans for Amazon CloudWatch.
4. B, C, and E. You must do the following to create a public subnet with Internet access:
Attach an IGW to your Amazon VPC.
Create a subnet route table rule to send all non-local traffic (for example, 0.0.0.0/0) to the IGW.
Configure your network ACLs and security group rules to allow relevant traffic to flow to and from your instance.
You must do the following to enable an Amazon EC2 instance to send and receive traffic from the Internet:
Assign a public IP address or EIP address.
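The conditions in this answer can be turned into a configuration audit. The following Python is an added example, not code from the study guide or from AWS: it models a VPC with constructed data (the gateway ids, subnet and instance definitions, and the client address are all placeholders) and reports which of the conditions an instance fails, using a longest-prefix route lookup, ordered network ACL evaluation, and allow-only security group matching.

```python
"""Added example (not from the study guide): audit whether an EC2 instance in a
VPC subnet can send and receive Internet traffic, using the conditions listed in
assessment answer 4.  Every identifier and address below is constructed."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

@dataclass
class Route:
    destination: str  # CIDR block, e.g. "0.0.0.0/0"
    target: str       # "local", an Internet Gateway id, a Virtual Private Gateway id, ...

@dataclass
class NaclRule:       # network ACL entries are evaluated in ascending rule-number order
    number: int
    protocol: str     # "tcp", "udp", or "-1" for every protocol
    port: int | None  # None means every port
    cidr: str
    allow: bool

@dataclass
class SgRule:         # security group rules are allow-only and stateful
    protocol: str
    port: int | None
    cidr: str

@dataclass
class Subnet:
    cidr: str
    routes: list[Route]
    nacl_ingress: list[NaclRule]

@dataclass
class Instance:
    private_ip: str
    public_ip: str | None      # public IPv4 or Elastic IP; None if it has neither
    sg_ingress: list[SgRule]

@dataclass
class Vpc:
    cidr: str
    igw_ids: set[str]          # Internet Gateways attached to this VPC

def _rule_matches(proto, port, cidr, want_proto, want_port, src_ip) -> bool:
    if proto not in ("-1", want_proto):
        return False
    if port is not None and port != want_port:
        return False
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(cidr)

def route_target(subnet: Subnet, dst_ip: str) -> str | None:
    """Longest-prefix match over the subnet's route table, as the VPC router does."""
    best = None
    for r in subnet.routes:
        net = ipaddress.ip_network(r.destination)
        if ipaddress.ip_address(dst_ip) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, r.target)
    return None if best is None else best[1]

def nacl_allows(rules: list[NaclRule], proto: str, port: int, src_ip: str) -> bool:
    """The first matching rule decides; the implicit final '*' rule denies."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _rule_matches(rule.protocol, rule.port, rule.cidr, proto, port, src_ip):
            return rule.allow
    return False

def sg_allows(rules: list[SgRule], proto: str, port: int, src_ip: str) -> bool:
    return any(_rule_matches(r.protocol, r.port, r.cidr, proto, port, src_ip) for r in rules)

def internet_reachable(vpc: Vpc, subnet: Subnet, inst: Instance, proto: str = "tcp",
                       port: int = 443, client_ip: str = "203.0.113.10") -> list[str]:
    """Return the unmet conditions for an Internet client reaching the instance
    (empty list = reachable).  Only the inbound direction is checked; network ACLs
    are stateless, so a real audit also checks the outbound ACL for return traffic."""
    problems = []
    target = route_target(subnet, client_ip)
    if target not in vpc.igw_ids:   # non-local traffic must route to an attached IGW
        problems.append(f"non-local traffic routes to {target!r}, not an attached IGW")
    if inst.public_ip is None:      # the instance needs a public or Elastic IP
        problems.append("instance has no public or Elastic IP address")
    if not nacl_allows(subnet.nacl_ingress, proto, port, client_ip):
        problems.append("network ACL does not allow the inbound traffic")
    if not sg_allows(inst.sg_ingress, proto, port, client_ip):
        problems.append("security group has no matching inbound rule")
    return problems

# Constructed sample environment: placeholder gateway ids, documentation IP ranges.
VPC = Vpc("10.0.0.0/16", {"igw-EXAMPLE"})
ALLOW_ALL = [NaclRule(100, "-1", None, "0.0.0.0/0", True)]
PUBLIC_SUBNET = Subnet("10.0.1.0/24", [Route("10.0.0.0/16", "local"),
                                       Route("0.0.0.0/0", "igw-EXAMPLE")], ALLOW_ALL)
PRIVATE_SUBNET = Subnet("10.0.2.0/24", [Route("10.0.0.0/16", "local"),
                                        Route("0.0.0.0/0", "vgw-EXAMPLE")], ALLOW_ALL)
WEB = Instance("10.0.1.10", "198.51.100.7", [SgRule("tcp", 443, "0.0.0.0/0")])
NO_EIP = Instance("10.0.1.11", None, [SgRule("tcp", 443, "0.0.0.0/0")])
INTERNAL_ONLY = Instance("10.0.1.12", "198.51.100.8", [SgRule("tcp", 443, "10.0.0.0/16")])
```

Calling `internet_reachable(VPC, PUBLIC_SUBNET, WEB)` returns an empty list, while the same instance placed in `PRIVATE_SUBNET` (default route to a VGW) is reported as not routed through an IGW.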
5. A, D, and E. If a security group is not specified at launch, then an Amazon EC2 instance will be launched into the default security group for the Amazon VPC. The default security group allows communication between all resources within the security group, allows all outbound traffic, and denies all other traffic.
6. B and D. To protect data in transit from the clients to the web application, HTTPS with server certificate authentication should be used. To protect data in transit from the web application to the database, SSL/TLS for database connection should be used.
7. A. Don't create an IAM user (or an IAM group) and pass the user's credentials to the application or embed the credentials in the application. Instead, create an IAM role that you attach to the Amazon EC2 instance to give applications running on the instance temporary security credentials. The credentials have the permissions specified in the policies attached to the role. A directory is not an identity object in IAM.
8. B, C, and D. When a request is made, the AWS service decides whether a given request should be allowed or denied. The evaluation logic follows these rules:
1) By default, all requests are denied (in general, requests made using the account credentials for resources in the account are always allowed).
2) An explicit allow overrides this default.
3) An explicit deny overrides any allows.
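The three rules above, implemented as a small evaluator over identity-based policy documents. This is an added example, not the book's or AWS's code: the policies are constructed (the account ID is a placeholder), and conditions, NotAction/NotResource, resource-based policies and permission boundaries are left out so that only the default-deny / explicit-allow / explicit-deny ordering is shown.

```python
"""Added example (not the book's or AWS's code): a simplified evaluator for the
three IAM rules listed in assessment answer 8.  Conditions, NotAction/NotResource,
resource-based policies and permission boundaries are deliberately left out, and
the policy documents below are constructed with a placeholder account ID."""
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _iam_match(pattern: str, value: str) -> bool:
    """IAM wildcards: '*' matches any run of characters, '?' exactly one.
    fnmatch also interprets '[...]', which IAM does not, so escape it."""
    return fnmatchcase(value, pattern.replace("[", "[[]"))


def _applies(stmt: dict, action: str, resource: str) -> bool:
    # Action names compare case-insensitively; resource ARNs are case-sensitive.
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    resources = _as_list(stmt.get("Resource", []))
    return (any(_iam_match(a, action.lower()) for a in actions)
            and any(_iam_match(r, resource) for r in resources))


def evaluate(policies: list, action: str, resource: str, account_root: bool = False) -> str:
    """Return 'Allow' or 'Deny' for one request against all identity-based policies."""
    if account_root:
        # Answer 8 notes that requests made with the account credentials for
        # resources in the account are, in general, always allowed.
        return "Allow"
    decision = "Deny"                       # rule 1: denied by default
    for policy in policies:
        for stmt in _as_list(policy.get("Statement", [])):
            if not _applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"               # rule 3: an explicit deny overrides any allow
            decision = "Allow"              # rule 2: an explicit allow overrides the default
    return decision


def matching_statements(policies: list, action: str, resource: str) -> list:
    """Sids of every statement that applies to the request, useful for audit trails."""
    return [stmt.get("Sid", "<no Sid>")
            for policy in policies
            for stmt in _as_list(policy.get("Statement", []))
            if _applies(stmt, action, resource)]


# Constructed policies (account ID 123456789012 is a placeholder).
APP_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadAppBucket", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-app-bucket", "arn:aws:s3:::example-app-bucket/*"]},
    {"Sid": "AppTables", "Effect": "Allow", "Action": "dynamodb:*",
     "Resource": "arn:aws:dynamodb:us-west-2:123456789012:table/app-*"}]}
GUARDRAIL = {"Version": "2012-10-17", "Statement": [
    {"Sid": "NoDestructiveCalls", "Effect": "Deny",
     "Action": ["s3:DeleteObject", "dynamodb:DeleteTable"], "Resource": "*"}]}
ORDERS_TABLE = "arn:aws:dynamodb:us-west-2:123456789012:table/app-orders"
```

With both policies attached, `dynamodb:DeleteTable` on the orders table is denied even though `AppTables` allows `dynamodb:*`, and `s3:PutObject` is denied because nothing allows it.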
9. A. Amazon EMR uses Apache Hadoop as its distributed data processing engine. Hadoop is an open source, Java software framework that supports data-intensive distributed applications running on large clusters of commodity hardware. Hive, Pig, and HBase are packages that run on top of Hadoop.
10. B. An environment tier whose web application runs background jobs is known as a worker tier. An environment tier whose web application processes web requests is known as a web server tier. Database and batch are not valid environment tiers.
11. D. Multi-AZ deployment uses synchronous replication to a different Availability Zone so that operations can continue on the replica if the master database stops responding for any reason. Automated backups provide disaster recovery, not high availability. Security groups, while important, have no effect on availability. Maintenance windows are actually times when the database may not be available.
12. A, B, and D. Amazon RDS will launch Amazon Elastic Compute Cloud (Amazon EC2) instances, install the database software, handle all patching, and perform regular backups. Anything within the database software (schema, user accounts, and so on) is the responsibility of the customer.
13. A. Amazon Redshift is a petabyte-scale data warehouse. It is not well suited for unstructured NoSQL data or highly dynamic transactional data. It is in no way a cache.
14. D. There can be one secondary index per table, and it must be created when the table is created.
15. B. The Amazon Kinesis family of services provides functionality to ingest large streams of data. Amazon Kinesis Firehose is specifically designed to ingest a stream and save it to any of the three storage services listed in Response B.
16. B. Amazon S3 and Amazon Glacier are the most cost-effective storage services. After a year, when the objects are unlikely to be accessed, you can save costs by transferring the objects to Amazon Glacier where the retrieval time is three to five hours.
17. D. Server access logs provide a record of any access to an object in Amazon S3.
18. C. Amazon S3 provides read-after-write consistency for PUTs to new objects (new key), but eventual consistency for GETs and DELETEs of existing objects (existing key). Response C changes the existing object so that a subsequent GET may fetch the previous and inconsistent object.
19. B. AWS will never transfer data between regions unless directed to by you. Durability in Amazon S3 is achieved by replicating your data geographically to different Availability Zones regardless of the versioning configuration. AWS doesn't use tapes.
20. C. Amazon CloudFront provides the best user experience by delivering the data from a geographically advantageous edge location. Signed URLs allow you to control access to authenticated users.
21. A, B, and D. In the AWS shared responsibility model, customers retain control of what security they choose to implement to protect their own content, platform, applications, systems, and networks, no differently than they would for applications in an on-site data center.
22. B. An activity worker is a process or thread that performs the activity tasks that are part of your workflow. Each activity worker polls Amazon SWF for new tasks that are appropriate for that activity worker to perform; certain tasks can be performed only by certain activity workers. After receiving a task, the activity worker processes the task to completion and then reports to Amazon SWF that the task was completed and provides the result. The activity task represents one of the tasks that you identified in your application.
23. B. In an Amazon VPC, an instance's Elastic IP address remains associated with an instance when the instance is stopped.
24. C. You pay a set hourly price for an On Demand instance from when you launch it until you explicitly stop or terminate it. Spot instances can be terminated when the spot price goes above your bid price. Reserved instances involve paying for an instance over a one- or three-year term. Dedicated instances run on hardware dedicated to your account and are not a pricing model.
25. D. The data in an instance store persists only during the lifetime of its associated instance. If an instance is stopped or terminated, then the instance store does not persist. Rebooting an instance does not shut down the instance; if an instance reboots (intentionally or unintentionally), data on the instance store persists. Security groups have nothing to do with the lifetime of an instance and have no effect here.
Chapter 1 Introduction to AWS
THE AWS CERTIFIED SOLUTIONS ARCHITECT ASSOCIATE EXAM OBJECTIVES COVERED IN THIS CHAPTER MAY INCLUDE, BUT ARE NOT LIMITED TO, THE FOLLOWING:
Domain 1.0: Designing highly available, cost-efficient, fault-tolerant, scalable systems
1.1 Identify and recognize cloud architecture considerations, such as fundamental components and effective designs.
Content may include the following:
How to design cloud services
Planning and design
Familiarity with:
Best practices for AWS architecture
Hybrid IT architectures (e.g., AWS Direct Connect, AWS Storage Gateway, Amazon Virtual Private Cloud [Amazon VPC], AWS Directory Service)
Elasticity and scalability (e.g., Auto Scaling, Amazon Simple Queue Service [Amazon SQS], Elastic Load Balancing, Amazon CloudFront)
Domain 2.0: Implementation/Deployment
2.1 Identify the appropriate techniques and methods using Amazon Elastic Compute Cloud (Amazon EC2), Amazon Simple Storage Service (Amazon S3), AWS Elastic Beanstalk, AWS CloudFormation, AWS OpsWorks, Amazon VPC, and AWS Identity and Access Management (IAM) to code and implement a cloud solution.
Content may include the following:
Operate and extend service management in a hybrid IT architecture.
Configure services to support compliance requirements in the cloud.
Launch instances across the AWS global infrastructure.
In 2006, Amazon Web Services, Inc. (AWS) began offering IT infrastructure services to businesses in the form of web services, now commonly known as cloud computing. One of the key benefits of cloud computing is the opportunity to replace up-front capital infrastructure expenses with low variable costs that scale with your business. With the cloud, businesses no longer need to plan for and procure servers and other IT infrastructure weeks or months in advance. Instead, they can instantly spin up hundreds or thousands of servers in minutes and deliver results faster.
Today, AWS provides a highly reliable, scalable, and low-cost infrastructure platform in the cloud that powers hundreds of thousands of businesses in more than 190 countries around the world.
This chapter provides an introduction to the AWS Cloud computing platform. It discusses the advantages of cloud computing and the fundamentals of AWS. It provides an overview of the AWS Cloud services that are fundamentally important for the exam.
What Is Cloud Computing?
Cloud computing is the on-demand delivery of IT resources and applications via the Internet with pay-as-you-go pricing. Whether you run applications that share photos to millions of mobile users or deliver services that support the critical operations of your business, the cloud provides rapid access to flexible and low-cost IT resources. With cloud computing, you don't need to make large up-front investments in hardware and spend a lot of time managing that hardware. Instead, you can provision exactly the right type and size of computing resources you need to power your newest bright idea or operate your IT department. With cloud computing, you can access as many resources as you need, almost instantly, and only pay for what you use.
In its simplest form, cloud computing provides an easy way to access servers, storage, databases, and a broad set of application services over the Internet. Cloud computing providers such as AWS own and maintain the network-connected hardware required for these application services, while you provision and use what you need for your workloads.
Advantages of Cloud Computing
Cloud computing introduces a revolutionary shift in how technology is obtained, used, and managed, and in how organizations budget and pay for technology services. With the ability to reconfigure the computing environment quickly to adapt to changing business requirements, organizations can optimize spending. Capacity can be automatically scaled up or down to meet fluctuating usage patterns. Services can be temporarily taken offline or shut down permanently as business demands dictate. In addition, with pay-per-use billing, AWS Cloud services become an operational expense instead of a capital expense.
While each organization experiences a unique journey to the cloud with numerous benefits, six advantages become apparent time and time again, as illustrated in Figure 1.1.
FIGURE 1.1 Six advantages of cloud computing
Variable vs. Capital Expense
Let's begin with the ability to trade capital expense for variable operational expense. Instead of having to invest heavily in data centers and servers before knowing how you're going to use them, you can pay only when you consume computing resources and pay only for how much you consume.
Economies of Scale
Another advantage of cloud computing is that organizations benefit from massive economies of scale. By using cloud computing, you can achieve a lower variable cost than you would get on your own. Because usage from hundreds of thousands of customers is aggregated in the cloud, providers such as AWS can achieve higher economies of scale, which translates into lower prices.
Stop Guessing Capacity
When you make a capacity decision prior to deploying an application, you often end up either sitting on expensive idle resources or dealing with limited capacity. With cloud computing, organizations can stop guessing about capacity requirements for the infrastructure necessary to meet their business needs. They can access as much or as little as they need and scale up or down as required with only a few minutes' notice.
Increase Speed and Agility
In a cloud computing environment, new IT resources are one click away, which allows organizations to reduce the time it takes to make those resources available to developers from weeks to just minutes. This results in a dramatic increase in speed and agility for the organization, because the cost and time it takes to experiment and develop is significantly lower.
Focus on Business Differentiators
Cloud computing allows organizations to focus on their business priorities, instead of on the heavy lifting of racking, stacking, and powering servers. By embracing this paradigm shift, organizations can stop spending money on running and maintaining data centers. This allows organizations to focus on projects that differentiate their businesses, such as analyzing petabytes of data, delivering video content, building great mobile applications, or even exploring Mars.
Go Global in Minutes
Another advantage of cloud computing is the ability to go global in minutes. Organizations can easily deploy their applications to multiple locations around the world with just a few clicks. This allows organizations to provide redundancy across the globe and to deliver lower latency and better experiences to their customers at minimal cost. Going global used to be something only the largest enterprises could afford to do, but cloud computing democratizes this ability, making it possible for any organization.
While specific questions on these advantages of cloud computing are unlikely to be on the exam, having exposure to these benefits can help rationalize the appropriate answers.
Cloud Computing Deployment Models
The two primary cloud computing deployment models that the exam focuses on are "all-in" cloud-based deployments and hybrid deployments. It is important to understand how each strategy applies to architectural options and decisions.
An all-in cloud-based application is fully deployed in the cloud, with all components of the application running in the cloud. Applications in the cloud have either been created in the cloud or have been migrated from an existing infrastructure to take advantage of the benefits of cloud computing. Cloud-based applications can be built on low-level infrastructure pieces or can use higher-level services that provide abstraction from the management, architecting, and scaling requirements of core infrastructure.
A hybrid deployment is a common approach taken by many enterprises that connects infrastructure and applications between cloud-based resources and existing resources, typically in an existing data center. The most common method of hybrid deployment is between the cloud and existing on-premises infrastructure to extend and grow an organization's infrastructure while connecting cloud resources to internal systems. Choosing between an existing investment in infrastructure and moving to the cloud does not need to be a binary decision. Leveraging dedicated connectivity, identity federation, and integrated tools allows organizations to run hybrid applications across on-premises and cloud services.
AWS Fundamentals
At its core, AWS provides on-demand delivery of IT resources via the Internet on a secure cloud services platform, offering compute power, storage, databases, content delivery, and other functionality to help businesses scale and grow. Using AWS resources instead of your own is like purchasing electricity from a power company instead of running your own generator, and it provides the key advantages of cloud computing: Capacity exactly matches your need, you pay only for what you use, economies of scale result in lower costs, and the service is provided by a vendor experienced in running large-scale networks.
The AWS global infrastructure and the AWS approach to security and compliance are key foundational concepts to understand as you prepare for the exam.
Global Infrastructure
AWS serves over one million active customers in more than 190 countries, and it continues to expand its global infrastructure steadily to help organizations achieve lower latency and higher throughput for their business needs.
AWS provides a highly available technology infrastructure platform with multiple locations worldwide. These locations are composed of regions and Availability Zones. Each region is a separate geographic area. Each region has multiple, isolated locations known as Availability Zones. AWS enables the placement of resources and data in multiple locations. Resources aren't replicated across regions unless organizations choose to do so.
Each region is completely independent and is designed to be completely isolated from the other regions. This achieves the greatest possible fault tolerance and stability. Each Availability Zone is also isolated, but the Availability Zones in a region are connected through low-latency links. Availability Zones are physically separated within a typical metropolitan region and are located in lower-risk flood plains (specific flood zone categorization varies by region). In addition to using a discrete uninterruptable power supply (UPS) and on-site backup generators, they are each fed via different grids from independent utilities (when available) to reduce single points of failure further. Availability Zones are all redundantly connected to multiple tier-1 transit providers. By placing resources in separate Availability Zones, you can protect your website or application from a service disruption impacting a single location.
You can achieve high availability by deploying your application across multiple Availability Zones. Redundant instances for each tier (for example, web, application, and database) of an application should be placed in distinct Availability Zones, thereby creating a multisite solution. At a minimum, the goal is to have an independent copy of each application stack in two or more Availability Zones.
Security and Compliance
Whether on-premises or on AWS, information security is of paramount importance to organizations running critical workloads. Security is a core functional requirement that protects mission-critical information from accidental or deliberate theft, leakage, integrity compromise, and deletion. Helping to protect the confidentiality, integrity, and availability of systems and data is of the utmost importance to AWS, as is maintaining your trust and confidence.
This section is intended to provide a very brief introduction to the AWS approach to security and compliance. Chapter 12, “Security on AWS,” and Chapter 13, “AWS Risk and Compliance,” will address these topics in greater detail, including the importance of each on the exam.
Security
Cloud security at AWS is the number one priority. All AWS customers benefit from data center and network architectures built to satisfy the requirements of the most security-sensitive organizations. AWS and its partners offer hundreds of tools and features to help organizations meet their security objectives for visibility, auditability, controllability, and agility. This means that organizations can have the security they need, but without the capital outlay and with much lower operational overhead than in an on-premises environment.
Organizations leveraging AWS inherit all the best practices of AWS policies, architecture, and operational processes built to satisfy the requirements of the most security-sensitive customers. The AWS infrastructure has been designed to provide the highest availability while putting strong safeguards in place regarding customer privacy and segregation. When deploying systems on the AWS Cloud computing platform, AWS helps by sharing the security responsibilities with the organization. AWS manages the underlying infrastructure, and the organization can secure anything it deploys on AWS. This affords each organization the flexibility and agility they need in security controls.
This infrastructure is built and managed not only according to security best practices and standards, but also with the unique needs of the cloud in mind. AWS uses redundant and layered controls, continuous validation and testing, and a substantial amount of automation to ensure that the underlying infrastructure is monitored and protected 24/7. AWS ensures that these controls are consistently applied in every new data center or service.
Compliance
When customers move their production workloads to the AWS Cloud, both parties become responsible for managing the IT environment. Customers are responsible for setting up their environment in a secure and controlled manner. Customers also need to maintain adequate governance over their entire IT control environment. By tying together governance-focused, audit-friendly service features with applicable compliance or audit standards, AWS enables customers to build on traditional compliance programs. This helps organizations establish and operate in an AWS security control environment.
Organizations retain complete control and ownership over the region in which their data is physically located, allowing them to meet regional compliance and data residency requirements.
The IT infrastructure that AWS provides to organizations is designed and managed in alignment with security best practices and a variety of IT security standards. The following is a partial list of the many certifications and standards with which AWS complies:
Service Organization Controls (SOC) 1/International Standard on Assurance Engagements (ISAE) 3402, SOC 2, and SOC 3
Federal Information Security Management Act (FISMA), Department of Defense Information Assurance Certification and Accreditation Process (DIACAP), and Federal Risk and Authorization Management Program (FedRAMP)
Payment Card Industry Data Security Standard (PCI DSS) Level 1
International Organization for Standardization (ISO) 9001, ISO 27001, and ISO 27018
AWS provides a wide range of information regarding its IT control environment to help organizations achieve regulatory commitments in the form of reports, certifications, accreditations, and other third-party attestations.
AWS Cloud Computing Platform
AWS provides many cloud services that you can combine to meet business or organizational needs (see Figure 1.2). While being knowledgeable about all the platform services will allow you to be a well-rounded solutions architect, understanding the services and fundamental concepts outlined in this book will help prepare you for the AWS Certified Solutions Architect – Associate exam.
FIGURE 1.2 AWS Cloud computing platform
This section introduces the major AWS Cloud services by category. Subsequent chapters provide a deeper view of the services pertinent to the exam.
Accessing the Platform
To access AWS Cloud services, you can use the AWS Management Console, the AWS Command Line Interface (CLI), or the AWS Software Development Kits (SDKs).
The AWS Management Console is a web application for managing AWS Cloud services. The console provides an intuitive user interface for performing many tasks. Each service has its own console, which can be accessed from the AWS Management Console. The console also provides information about the account and billing.
The AWS Command Line Interface (CLI) is a unified tool used to manage AWS Cloud services. With just one tool to download and configure, you can control multiple services from the command line and automate them through scripts.
The AWS Software Development Kits (SDKs) provide an application programming interface (API) that interacts with the web services that fundamentally make up the AWS platform. The SDKs provide support for many different programming languages and platforms to allow you to work with your preferred language. While you can certainly make HTTP calls directly to the web service endpoints, using the SDKs can take the complexity out of coding by providing programmatic access for many of the services.
Compute and Networking Services
AWS provides a variety of compute and networking services to deliver core functionality for businesses to develop and run their workloads. These compute and networking services can be leveraged with the storage, database, and application services to provide a complete solution for computing, query processing, and storage across a wide range of applications. This section offers a high-level description of the core computing and networking services.
Amazon Elastic Compute Cloud (Amazon EC2)
Amazon Elastic Compute Cloud (Amazon EC2) is a web service that provides resizable compute capacity in the cloud. It allows organizations to obtain and configure virtual servers in Amazon’s data centers and to harness those resources to build and host software systems. Organizations can select from a variety of operating systems and resource configurations (memory, CPU, storage, and so on) that are optimal for the application profile of each workload. Amazon EC2 presents a true virtual computing environment, allowing organizations to launch compute resources with a variety of operating systems, load them with custom applications, and manage network access permissions while maintaining complete control.
AWS Lambda
AWS Lambda is a zero-administration compute platform for back-end web developers that runs your code for you on the AWS Cloud and provides you with a fine-grained pricing structure. AWS Lambda runs your back-end code on its own AWS compute fleet of Amazon EC2 instances across multiple Availability Zones in a region, which provides the high availability, security, performance, and scalability of the AWS infrastructure.
Auto Scaling
Auto Scaling allows organizations to scale Amazon EC2 capacity up or down automatically according to conditions defined for the particular workload (see Figure 1.3). Not only can it be used to help maintain application availability and ensure that the desired number of Amazon EC2 instances are running, but it also allows resources to scale in and out to match the demands of dynamic workloads. Instead of provisioning for peak load, organizations can optimize costs and use only the capacity that is actually needed.
FIGURE 1.3 Auto scaling capacity
Auto Scaling is well suited both to applications that have stable demand patterns and to applications that experience hourly, daily, or weekly variability in usage.
Elastic Load Balancing
Elastic Load Balancing automatically distributes incoming application traffic across multiple Amazon EC2 instances in the cloud. It enables organizations to achieve greater levels of fault tolerance in their applications, seamlessly providing the required amount of load balancing capacity needed to distribute application traffic.
AWS Elastic Beanstalk
AWS Elastic Beanstalk is the fastest and simplest way to get a web application up and running on AWS. Developers can simply upload their application code, and the service automatically handles all the details, such as resource provisioning, load balancing, Auto Scaling, and monitoring. It provides support for a variety of platforms, including PHP, Java, Python, Ruby, Node.js, .NET, and Go. With AWS Elastic Beanstalk, organizations retain full control over the AWS resources powering the application and can access the underlying resources at any time.
Amazon Virtual Private Cloud (Amazon VPC)
Amazon Virtual Private Cloud (Amazon VPC) lets organizations provision a logically isolated section of the AWS Cloud where they can launch AWS resources in a virtual network that they define. Organizations have complete control over the virtual environment, including selection of the IP address range, creation of subnets, and configuration of route tables and network gateways. In addition, organizations can extend their corporate data center networks to AWS by using hardware or software virtual private network (VPN) connections or dedicated circuits by using AWS Direct Connect.
AWS Direct Connect
AWS Direct Connect allows organizations to establish a dedicated network connection from their data center to AWS. Using AWS Direct Connect, organizations can establish private connectivity between AWS and their data center, office, or colocation environment, which in many cases can reduce network costs, increase bandwidth throughput, and provide a more consistent network experience than Internet-based VPN connections.
Amazon Route 53
Amazon Route 53 is a highly available and scalable Domain Name System (DNS) web service. It is designed to give developers and businesses an extremely reliable and cost-effective way to route end users to Internet applications by translating human readable names, such as www.example.com, into the numeric IP addresses, such as 192.0.2.1, that computers use to connect to each other. Amazon Route 53 also serves as domain registrar, allowing you to purchase and manage domains directly from AWS.
Storage and Content Delivery
AWS provides a variety of services to meet your storage needs, such as Amazon Simple Storage Service, Amazon CloudFront, and Amazon Elastic Block Store. This section provides an overview of the storage and content delivery services.
Amazon Simple Storage Service (Amazon S3)
Amazon Simple Storage Service (Amazon S3) provides developers and IT teams with highly durable and scalable object storage that handles virtually unlimited amounts of data and large numbers of concurrent users. Organizations can store any number of objects of any type, such as HTML pages, source code files, image files, and encrypted data, and access them using HTTP-based protocols. Amazon S3 provides cost-effective object storage for a wide variety of use cases, including backup and recovery, nearline archive, big data analytics, disaster recovery, cloud applications, and content distribution.
Amazon Glacier
Amazon Glacier is a secure, durable, and extremely low-cost storage service for data archiving and long-term backup. Organizations can reliably store large or small amounts of data for a very low cost per gigabyte per month. To keep costs low for customers, Amazon Glacier is optimized for infrequently accessed data where a retrieval time of several hours is suitable. Amazon S3 integrates closely with Amazon Glacier to allow organizations to choose the right storage tier for their workloads.
Amazon Elastic Block Store (Amazon EBS)
Amazon Elastic Block Store (Amazon EBS) provides persistent block-level storage volumes for use with Amazon EC2 instances. Each Amazon EBS volume is automatically replicated within its Availability Zone to protect organizations from component failure, offering high availability and durability. By delivering consistent and low-latency performance, Amazon EBS provides the disk storage needed to run a wide variety of workloads.
AWS Storage Gateway
AWS Storage Gateway is a service connecting an on-premises software appliance with cloud-based storage to provide seamless and secure integration between an organization’s on-premises IT environment and the AWS storage infrastructure. The service supports industry-standard storage protocols that work with existing applications. It provides low-latency performance by maintaining a cache of frequently accessed data on-premises while securely storing all of your data encrypted in Amazon S3 or Amazon Glacier.
Amazon CloudFront
Amazon CloudFront is a content delivery web service. It integrates with other AWS Cloud services to give developers and businesses an easy way to distribute content to users across the world with low latency, high data transfer speeds, and no minimum usage commitments. Amazon CloudFront can be used to deliver your entire website, including dynamic, static, streaming, and interactive content, using a global network of edge locations. Requests for content are automatically routed to the nearest edge location, so content is delivered with the best possible performance to end users around the globe.
Database Services
AWS provides fully managed relational and NoSQL database services, in-memory caching as a service, and a petabyte-scale data warehouse solution. This section provides an overview of the products that the database services comprise.
Amazon Relational Database Service (Amazon RDS)
Amazon Relational Database Service (Amazon RDS) provides a fully managed relational database with support for many popular open source and commercial database engines. It’s a cost-efficient service that allows organizations to launch secure, highly available, fault-tolerant, production-ready databases in minutes. Because Amazon RDS manages time-consuming administration tasks, including backups, software patching, monitoring, scaling, and replication, organizational resources can focus on revenue-generating applications and business instead of mundane operational tasks.
Amazon DynamoDB
Amazon DynamoDB is a fast and flexible NoSQL database service for all applications that need consistent, single-digit millisecond latency at any scale. It is a fully managed database and supports both document and key/value data models. Its flexible data model and reliable performance make it a great fit for mobile, web, gaming, ad-tech, Internet of Things, and many other applications.
Amazon Redshift
Amazon Redshift is a fast, fully managed, petabyte-scale data warehouse service that makes it simple and cost effective to analyze structured data. Amazon Redshift provides a standard SQL interface that lets organizations use existing business intelligence tools. By leveraging columnar storage technology that improves I/O efficiency and parallelizing queries across multiple nodes, Amazon Redshift is able to deliver fast query performance. The Amazon Redshift architecture allows organizations to automate most of the common administrative tasks associated with provisioning, configuring, and monitoring a cloud data warehouse.
Amazon ElastiCache
Amazon ElastiCache is a web service that simplifies deployment, operation, and scaling of an in-memory cache in the cloud. The service improves the performance of web applications by allowing organizations to retrieve information from fast, managed, in-memory caches, instead of relying entirely on slower, disk-based databases. As of this writing, Amazon ElastiCache supports Memcached and Redis cache engines.
Management Tools
AWS provides a variety of tools that help organizations manage their AWS resources. This section provides an overview of the management tools that AWS provides to organizations.
Amazon CloudWatch
Amazon CloudWatch is a monitoring service for AWS Cloud resources and the applications running on AWS. It allows organizations to collect and track metrics, collect and monitor log files, and set alarms. By leveraging Amazon CloudWatch, organizations can gain system-wide visibility into resource utilization, application performance, and operational health. By using these insights, organizations can react, as necessary, to keep applications running smoothly.
AWS CloudFormation
AWS CloudFormation gives developers and systems administrators an effective way to create and manage a collection of related AWS resources, provisioning and updating them in an orderly and predictable fashion. AWS CloudFormation defines a JSON-based templating language that can be used to describe all the AWS resources that are necessary for a workload. Templates can be submitted to AWS CloudFormation and the service will take care of provisioning and configuring those resources in appropriate order (see Figure 1.4).
FIGURE 1.4 AWS CloudFormation workflow summary
AWS CloudTrail
AWS CloudTrail is a web service that records AWS API calls for an account and delivers log files for audit and review. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the service.
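One way to put those delivered log files to use in an audit review, as an added example that is not the study guide's own code: the script below loads constructed CloudTrail-style records and flags use of root credentials, calls from outside a trusted network, and requests that IAM denied, while treating the DNS-name source that AWS services report for calls made on the account's behalf as trusted. The sample records, the account number, and the 203.0.113.0/24 range are assumptions made for the example.

```python
"""Audit review of CloudTrail-style API call records.

Added example, not from the study guide. The records below are constructed
samples in the JSON shape CloudTrail delivers (a "Records" array), carrying
the fields the text names: caller identity, event time, source IP address,
request parameters and response elements. TRUSTED_NETWORKS is an assumed
corporate egress range; nothing here is real account data.
"""
import ipaddress
import json

# Constructed sample trail delivery: five records from one (fictional) account.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2017-03-01T10:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": None, "responseElements": None},
    {"eventTime": "2017-03-01T10:05:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"userName": "deploy-bot"},
     "responseElements": {"user": {"userName": "deploy-bot"}}},
    {"eventTime": "2017-03-01T23:40:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::111122223333:user/bob"},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"instanceType": "m4.large"},
     "responseElements": {"instancesSet": {"items": [{"instanceId": "i-PLACEHOLDER"}]}}},
    {"eventTime": "2017-03-01T23:41:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::111122223333:user/bob"},
     "sourceIPAddress": "198.51.100.7",
     "errorCode": "AccessDenied",
     "requestParameters": {"name": "management-trail"}, "responseElements": None},
    {"eventTime": "2017-03-01T11:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateNetworkInterface",
     "userIdentity": {"type": "AWSService", "invokedBy": "cloudformation.amazonaws.com"},
     "sourceIPAddress": "cloudformation.amazonaws.com",
     "requestParameters": {"subnetId": "subnet-PLACEHOLDER"}, "responseElements": None},
]})

# Assumption: the organization's administrators reach AWS only from this range.
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def caller_label(record):
    """Name the API caller from userIdentity: root, an IAM user, or an AWS service."""
    ident = record["userIdentity"]
    if ident["type"] == "Root":
        return "root"
    if ident["type"] == "AWSService":
        return "service:" + ident["invokedBy"]
    return ident.get("userName") or ident["arn"]


def source_is_trusted(source):
    """True if the call came from a trusted network.

    Calls an AWS service makes on the account's behalf carry the service's DNS
    name in sourceIPAddress rather than an IP; those are accepted as trusted.
    Anything else must parse as an address inside TRUSTED_NETWORKS.
    """
    try:
        ip = ipaddress.ip_address(source)
    except ValueError:
        return source.endswith(".amazonaws.com")
    return any(ip in net for net in TRUSTED_NETWORKS)


def review(log_text):
    """Return (time, caller, event, reason) findings worth an auditor's attention."""
    findings = []
    for rec in json.loads(log_text)["Records"]:
        when, who, what = rec["eventTime"], caller_label(rec), rec["eventName"]
        src = rec["sourceIPAddress"]
        if rec["userIdentity"]["type"] == "Root":
            findings.append((when, who, what, "root credentials used"))
        if not source_is_trusted(src):
            findings.append((when, who, what, f"call from untrusted source {src}"))
        if rec.get("errorCode") == "AccessDenied":
            findings.append((when, who, what, "denied by IAM; confirm the attempt was expected"))
    return findings


if __name__ == "__main__":
    for when, who, what, why in review(SAMPLE_LOG):
        print(f"{when} {who:<12} {what:<22} {why}")
```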
AWS Config
AWS Config is a fully managed service that provides organizations with an AWS resource inventory, configuration history, and configuration change notifications to enable security and governance. With AWS Config, organizations can discover existing AWS resources, export an inventory of their AWS resources with all configuration details, and determine how a resource was configured at any point in time. These capabilities enable compliance auditing, security analysis, resource change tracking, and troubleshooting.
Security and Identity
AWS provides security and identity services that help organizations secure their data and systems on the cloud. The following section explores these services at a high level.
AWS Identity and Access Management (IAM)
AWS Identity and Access Management (IAM) enables organizations to securely control access to AWS Cloud services and resources for their users. Using IAM, organizations can create and manage AWS users and groups and use permissions to allow and deny their access to AWS resources.
AWS Key Management Service (KMS)
AWS Key Management Service (KMS) is a managed service that makes it easy for organizations to create and control the encryption keys used to encrypt their data and uses Hardware Security Modules (HSMs) to protect the security of your keys. AWS KMS is integrated with several other AWS Cloud services to help protect data stored with these services.
AWS Directory Service
AWS Directory Service allows organizations to set up and run Microsoft Active Directory on the AWS Cloud or connect their AWS resources with an existing on-premises Microsoft Active Directory. Organizations can use it to manage users and groups, provide single sign-on to applications and services, create and apply Group Policies, domain join Amazon EC2 instances, and simplify the deployment and management of cloud-based Linux and Microsoft Windows workloads.
AWS Certificate Manager
AWS Certificate Manager is a service that lets organizations easily provision, manage, and deploy Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS Cloud services. It removes the time-consuming manual process of purchasing, uploading, and renewing SSL/TLS certificates. With AWS Certificate Manager, organizations can quickly request a certificate, deploy it on AWS resources such as Elastic Load Balancing or Amazon CloudFront distributions, and let AWS Certificate Manager handle certificate renewals.
AWS Web Application Firewall (WAF)
AWS Web Application Firewall (WAF) helps protect web applications from common attacks and exploits that could affect application availability, compromise security, or consume excessive resources. AWS WAF gives organizations control over which traffic to allow or block to their web applications by defining customizable web security rules.
Application Services
AWS provides a variety of managed services to use with applications. The following section explores the application services at a high level.
Amazon API Gateway
Amazon API Gateway is a fully managed service that makes it easy for developers to create, publish, maintain, monitor, and secure APIs at any scale. Organizations can create an API that acts as a “front door” for applications to access data, business logic, or functionality from back-end services, such as workloads running on Amazon EC2, code running on AWS Lambda, or any web application. Amazon API Gateway handles all the tasks involved in accepting and processing up to hundreds of thousands of concurrent API calls, including traffic management, authorization and access control, monitoring, and API version management.
Amazon Elastic Transcoder
Amazon Elastic Transcoder is media transcoding in the cloud. It is designed to be a highly scalable and cost-effective way for developers and businesses to convert (or transcode) media files from their source formats into versions that will play back on devices like smartphones, tablets, and PCs.
Amazon Simple Notification Service (Amazon SNS)
Amazon Simple Notification Service (Amazon SNS) is a web service that coordinates and manages the delivery or sending of messages to recipients. In Amazon SNS, there are two types of clients—publishers and subscribers—also referred to as producers and consumers. Publishers communicate asynchronously with subscribers by producing and sending a message to a topic, which is a logical access point and communication channel. Subscribers consume or receive the message or notification over one of the supported protocols when they are subscribed to the topic.
Amazon Simple Email Service (Amazon SES)
Amazon Simple Email Service (Amazon SES) is a cost-effective email service that organizations can use to send transactional email, marketing messages, or any other type of content to their customers. Amazon SES can also be used to receive messages and deliver them to an Amazon S3 bucket, call custom code via an AWS Lambda function, or publish notifications to Amazon SNS.
Amazon Simple Workflow Service (Amazon SWF)
Amazon Simple Workflow Service (Amazon SWF) helps developers build, run, and scale background jobs that have parallel or sequential steps. Amazon SWF can be thought of as a fully managed state tracker and task coordinator on the cloud. In common architectural patterns, if your application’s steps take more than 500 milliseconds to complete, it is vitally important to track the state of processing and to provide the ability to recover or retry if a task fails. Amazon SWF helps organizations achieve this reliability.
Amazon Simple Queue Service (Amazon SQS)
Amazon Simple Queue Service (Amazon SQS) is a fast, reliable, scalable, fully managed message queuing service. Amazon SQS makes it simple and cost effective to decouple the components of a cloud application. With Amazon SQS, organizations can transmit any volume of data, at any level of throughput, without losing messages or requiring other services to be always available.
Summary
The term “cloud computing” refers to the on-demand delivery of IT resources via the Internet with pay-as-you-go pricing. Instead of buying, owning, and maintaining data centers and servers, organizations can acquire technology such as compute power, storage, databases, and other services on an as-needed basis. With cloud computing, AWS manages and maintains the technology infrastructure in a secure environment and businesses access these resources via the Internet to develop and run their applications. Capacity can grow or shrink instantly and businesses pay only for what they use.
Cloud computing introduces a revolutionary shift in how technology is obtained, used, and managed, and how organizations budget and pay for technology services. While each organization experiences a unique journey to the cloud with numerous benefits, six advantages become apparent time and time again. Understanding these advantages allows architects to shape solutions that deliver continuous benefits to organizations.
AWS provides a highly available technology infrastructure platform with multiple locations worldwide. These locations are composed of regions and Availability Zones. This enables organizations to place resources and data in multiple locations around the globe. Helping to protect the confidentiality, integrity, and availability of systems and data is of the utmost importance to AWS, as is maintaining the trust and confidence of organizations around the world.
AWS offers a broad set of global compute, storage, database, analytics, application, and deployment services that help organizations move faster, lower IT costs, and scale applications. Having a broad understanding of these services allows solutions architects to design effective distributed applications and systems on the AWS platform.
Exam Essentials
Understand the global infrastructure. AWS provides a highly available technology infrastructure platform with multiple locations worldwide. These locations are composed of regions and Availability Zones. Each region is located in a separate geographic area and has multiple, isolated locations known as Availability Zones.
Understand regions. An AWS region is a physical geographic location that consists of a cluster of data centers. AWS regions enable the placement of resources and data in multiple locations around the globe. Each region is completely independent and is designed to be completely isolated from the other regions. This achieves the greatest possible fault tolerance and stability. Resources aren’t replicated across regions unless organizations choose to do so.
Understand Availability Zones. An Availability Zone is one or more data centers within a region that are designed to be isolated from failures in other Availability Zones. Availability Zones provide inexpensive, low-latency network connectivity to other zones in the same region. By placing resources in separate Availability Zones, organizations can protect their website or application from a service disruption impacting a single location.
Understand the hybrid deployment model. A hybrid deployment model is an architectural pattern providing connectivity for infrastructure and applications between cloud-based resources and existing resources that are not located in the cloud.
Review Questions
1. Which of the following describes a physical location around the world where AWS clusters data centers?
A. Endpoint
B. Collection
C. Fleet
D. Region
2. Each AWS region is composed of two or more locations that offer organizations the ability to operate production systems that are more highly available, fault tolerant, and scalable than would be possible using a single data center. What are these locations called?
A. Availability Zones
B. Replication areas
C. Geographic districts
D. Compute centers
3. What is the deployment term for an environment that extends an existing on-premises infrastructure into the cloud to connect cloud resources to internal systems?
A. All-in deployment
B. Hybrid deployment
C. On-premises deployment
D. Scatter deployment
4. Which AWS Cloud service allows organizations to gain system-wide visibility into resource utilization, application performance, and operational health?
A. AWS Identity and Access Management (IAM)
B. Amazon Simple Notification Service (Amazon SNS)
C. Amazon CloudWatch
D. AWS CloudFormation
5. Which of the following AWS Cloud services is a fully managed NoSQL database service?
A. Amazon Simple Queue Service (Amazon SQS)
B. Amazon DynamoDB
C. Amazon ElastiCache
D. Amazon Relational Database Service (Amazon RDS)
6. Your company experiences fluctuations in traffic patterns to their e-commerce website based on flash sales. What service can help your company dynamically match the required compute capacity to the spike in traffic during flash sales?
A. Auto Scaling
B. Amazon Glacier
C. Amazon Simple Notification Service (Amazon SNS)
D. Amazon Virtual Private Cloud (Amazon VPC)
7. Your company provides an online photo sharing service. The development team is looking for ways to deliver image files with the lowest latency to end users so the website content is delivered with the best possible performance. What service can help speed up distribution of these image files to end users around the world?
A. Amazon Elastic Compute Cloud (Amazon EC2)
B. Amazon Route 53
C. AWS Storage Gateway
D. Amazon CloudFront
8. Your company runs an Amazon Elastic Compute Cloud (Amazon EC2) instance periodically to perform a batch processing job on a large and growing file system. At the end of the batch job, you shut down the Amazon EC2 instance to save money but need to persist the file system on the Amazon EC2 instance from the previous batch runs. What AWS Cloud service can you leverage to meet these requirements?
A. Amazon Elastic Block Store (Amazon EBS)
B. Amazon DynamoDB
C. Amazon Glacier
D. AWS CloudFormation
9. What AWS Cloud service provides a logically isolated section of the AWS Cloud where organizations can launch AWS resources in a virtual network that they define?
A. Amazon Simple Workflow Service (Amazon SWF)
B. Amazon Route 53
C. Amazon Virtual Private Cloud (Amazon VPC)
D. AWS CloudFormation
10. Your company provides a mobile voting application for a popular TV show, and 5 to 25 million viewers all vote in a 15-second time span. What mechanism can you use to decouple the voting application from your back-end services that tally the votes?
A. AWS CloudTrail
B. Amazon Simple Queue Service (Amazon SQS)
C. Amazon Redshift
D. Amazon Simple Notification Service (Amazon SNS)
Chapter 2
Amazon Simple Storage Service (Amazon S3) and Amazon Glacier Storage
THE AWS CERTIFIED SOLUTIONS ARCHITECT ASSOCIATE EXAM OBJECTIVES COVERED IN THIS CHAPTER MAY INCLUDE, BUT ARE NOT LIMITED TO, THE FOLLOWING:
Domain 1.0: Designing highly available, cost-efficient, fault-tolerant, scalable systems
1.1 Identify and recognize cloud architecture considerations, such as fundamental components and effective designs.
Content may include the following:
How to design cloud services
Planning and design
Monitoring and logging
Familiarity with:
Best practices for AWS architecture
Developing to client specifications, including pricing/cost (e.g., On Demand vs. Reserved vs. Spot; Recovery Time Objective [RTO] and Recovery Point Objective [RPO] disaster recovery design)
Architectural trade-off decisions (e.g., high availability vs. cost)
Hybrid IT architectures
Elasticity and scalability
Domain 2.0: Implementation/Deployment
2.1 Identify the appropriate techniques and methods using Amazon Simple Storage Service (Amazon S3) to code and implement a cloud solution.
Content may include the following:
Configure services to support compliance requirements in the cloud.
Launch instances across the AWS global infrastructure.
Configure AWS Identity and Access Management (IAM) policies and best practices.
Domain 3.0: Data Security
3.1 Recognize and implement secure practices for optimum cloud deployment and maintenance
Content may include the following:
Security Architecture with AWS
"Core" Amazon S3 security feature sets
Encryption solutions (e.g., key services)
Complex access controls (building sophisticated security groups, Access Control Lists [ACLs], etc.)
Introduction
This chapter is intended to provide you with a basic understanding of the core object storage services available on AWS: Amazon Simple Storage Service (Amazon S3) and Amazon Glacier.
Amazon S3 provides developers and IT teams with secure, durable, and highly scalable cloud storage. Amazon S3 is easy-to-use object storage with a simple web service interface that you can use to store and retrieve any amount of data from anywhere on the web. Amazon S3 also allows you to pay only for the storage you actually use, which eliminates the capacity planning and capacity constraints associated with traditional storage.
Amazon S3 is one of the first services introduced by AWS, and it serves as one of the foundational web services: nearly any application running in AWS uses Amazon S3, either directly or indirectly. Amazon S3 can be used alone or in conjunction with other AWS services, and it offers a very high level of integration with many other AWS cloud services. For example, Amazon S3 serves as the durable target storage for Amazon Kinesis and Amazon Elastic MapReduce (Amazon EMR), it is used as the storage for Amazon Elastic Block Store (Amazon EBS) and Amazon Relational Database Service (Amazon RDS) snapshots, and it is used as a data staging or loading storage mechanism for Amazon Redshift and Amazon DynamoDB, among many other functions. Because Amazon S3 is so flexible, so highly integrated, and so commonly used, it is important to understand this service in detail.
Common use cases for Amazon S3 storage include:
Backup and archive for on-premises or cloud data
Content, media, and software storage and distribution
Big data analytics
Static website hosting
Cloud-native mobile and Internet application hosting
Disaster recovery
To support these use cases and many more, Amazon S3 offers a range of storage classes designed for various generic use cases: general purpose, infrequent access, and archive. To help manage data through its lifecycle, Amazon S3 offers configurable lifecycle policies. By using lifecycle policies, you can have your data automatically migrate to the most appropriate storage class, without modifying your application code. In order to control who has access to your data, Amazon S3 provides a rich set of permissions, access controls, and encryption options.
Amazon Glacier is another cloud storage service related to Amazon S3, but optimized for data archiving and long-term backup at extremely low cost. Amazon Glacier is suitable for "cold data," which is data that is rarely accessed and for which a retrieval time of three to five hours is acceptable. Amazon Glacier can be used both as a storage class of Amazon S3 (see the Storage Classes and Object Lifecycle Management topics in the Amazon S3 Advanced Features section), and as an independent archival storage service (see the Amazon Glacier section).
Object Storage versus Traditional Block and File Storage
In traditional IT environments, two kinds of storage dominate: block storage and file storage. Block storage operates at a lower level, the raw storage device level, and manages data as a set of numbered, fixed-size blocks. File storage operates at a higher level, the operating system level, and manages data as a named hierarchy of files and folders. Block and file storage are often accessed over a network in the form of a Storage Area Network (SAN) for block storage, using protocols such as iSCSI or Fibre Channel, or as a Network Attached Storage (NAS) file server or "filer" for file storage, using protocols such as Common Internet File System (CIFS) or Network File System (NFS). Whether directly attached or network attached, block or file, this kind of storage is very closely associated with the server and the operating system that is using the storage.
Amazon S3 object storage is something quite different. Amazon S3 is cloud object storage. Instead of being closely associated with a server, Amazon S3 storage is independent of a server and is accessed over the Internet. Instead of managing data as blocks or files using SCSI, CIFS, or NFS protocols, data is managed as objects using an Application Program Interface (API) built on standard HTTP verbs.
Each Amazon S3 object contains both data and metadata. Objects reside in containers called buckets, and each object is identified by a unique user-specified key (filename). Buckets are a simple flat folder with no file system hierarchy. That is, you can have multiple buckets, but you can't have a sub-bucket within a bucket. Each bucket can hold an unlimited number of objects.
It is easy to think of an Amazon S3 object (or the data portion of an object) as a file, and the key as the filename. However, keep in mind that Amazon S3 is not a traditional file system and differs in significant ways. In Amazon S3, you GET an object or PUT an object, operating on the whole object at once, instead of incrementally updating portions of the object as you would with a file. You can't "mount" a bucket, "open" an object, install an operating system on Amazon S3, or run a database on it.
Instead of a file system, Amazon S3 is highly durable and highly scalable object storage that is optimized for reads and is built with an intentionally minimalistic feature set. It provides a simple and robust abstraction for file storage that frees you from many underlying details that you normally do have to deal with in traditional storage. For example, with Amazon S3 you don't have to worry about device or file system storage limits and capacity planning: a single bucket can store an unlimited number of files. You also don't need to worry about data durability or replication across Availability Zones: Amazon S3 objects are automatically replicated on multiple devices in multiple facilities within a region. The same goes for scalability: if your request rate grows steadily, Amazon S3 automatically partitions buckets to support very high request rates and simultaneous access by many clients.
If you need traditional block or file storage in addition to Amazon S3 storage, AWS provides options. The Amazon EBS service provides block-level storage for Amazon Elastic Compute Cloud (Amazon EC2) instances. Amazon Elastic File System (Amazon EFS) provides network-attached shared file storage (NAS storage) using the NFSv4 protocol.
Amazon Simple Storage Service (Amazon S3) Basics
Now that you have an understanding of some of the key differences between traditional block and file storage versus cloud object storage, we can explore the basics of Amazon S3 in more detail.
Buckets
A bucket is a container (web folder) for objects (files) stored in Amazon S3. Every Amazon S3 object is contained in a bucket. Buckets form the top-level namespace for Amazon S3, and bucket names are global. This means that your bucket names must be unique across all AWS accounts, much like Domain Name System (DNS) domain names, not just within your own account. Bucket names can contain up to 63 lowercase letters, numbers, hyphens, and periods. You can create and use multiple buckets; you can have up to 100 per account by default.
It is a best practice to use bucket names that contain your domain name and conform to the rules for DNS names. This ensures that your bucket names are your own, can be used in all regions, and can host static websites. Because the namespace is global, a bucket name that you delete can be claimed by any other account; if applications, DNS records, or policies still reference that name, their requests will go to a bucket you no longer control.
AWS Regions
Even though the namespace for Amazon S3 buckets is global, each Amazon S3 bucket is created in a specific region that you choose. This lets you control where your data is stored. You can create and use buckets that are located close to a particular set of end users or customers in order to minimize latency, or located in a particular region to satisfy data locality and sovereignty concerns, or located far away from your primary facilities in order to satisfy disaster recovery and compliance needs. You control the location of your data; data in an Amazon S3 bucket is stored in that region unless you explicitly copy it to another bucket located in a different region.
Objects
Objects are the entities or files stored in Amazon S3 buckets. An object can store virtually any kind of data in any format. Objects can range in size from 0 bytes up to 5 TB, and a single bucket can store an unlimited number of objects. This means that Amazon S3 can store a virtually unlimited amount of data.
Each object consists of data (the file itself) and metadata (data about the file). The data portion of an Amazon S3 object is opaque to Amazon S3. This means that an object's data is treated as simply a stream of bytes: Amazon S3 doesn't know or care what type of data you are storing, and the service doesn't act differently for text data versus binary data.
The metadata associated with an Amazon S3 object is a set of name/value pairs that describe the object. There are two types of metadata: system metadata and user metadata. System metadata is created and used by Amazon S3 itself, and it includes things like the date last modified, object size, MD5 digest, and HTTP Content-Type. User metadata is optional, and it can only be specified at the time an object is created (to change it, you copy the object over itself with new metadata). You can use custom metadata to tag your data with attributes that are meaningful to you. Note that metadata is returned to anyone who can read the object, so it is not a place for secrets.
Keys
Every object stored in an S3 bucket is identified by a unique identifier called a key. You can think of the key as a filename. A key can be up to 1024 bytes of Unicode UTF-8 characters, including embedded slashes, backslashes, dots, and dashes.
Keys must be unique within a single bucket, but different buckets can contain objects with the same key. The combination of bucket, key, and optional version ID uniquely identifies an Amazon S3 object.
Object URL
Amazon S3 is storage for the Internet, and every Amazon S3 object can be addressed by a unique URL formed using the web services endpoint, the bucket name, and the object key. For example, with the URL:
http://mybucket.s3.amazonaws.com/jack.doc
mybucket is the S3 bucket name, and jack.doc is the key or filename. If another object is created, for instance:
http://mybucket.s3.amazonaws.com/fee/fi/fo/fum/jack.doc
then the bucket name is still mybucket, but now the key or filename is the string fee/fi/fo/fum/jack.doc. A key may contain delimiter characters like slashes or backslashes to help you name and logically organize your Amazon S3 objects, but to Amazon S3 it is simply a long key name in a flat namespace. There is no actual file and folder hierarchy. See the topic "Prefixes and Delimiters" in the "Amazon S3 Advanced Features" section that follows for more information.
For convenience, the Amazon S3 console and the Prefix and Delimiter feature allow you to navigate within an Amazon S3 bucket as if there were a folder hierarchy. However, remember that a bucket is a single flat namespace of keys with no structure.
Amazon S3 Operations
The Amazon S3 API is intentionally simple, with only a handful of common operations. They include:
Create/delete a bucket
Write an object
Read an object
Delete an object
List keys in a bucket
REST Interface
The native interface for Amazon S3 is a REST (Representational State Transfer) API. With the REST interface, you use standard HTTP or HTTPS requests to create and delete buckets, list keys, and read and write objects. REST maps standard HTTP "verbs" (HTTP methods) to the familiar CRUD (Create, Read, Update, Delete) operations. Create is HTTP PUT (and sometimes POST); read is HTTP GET; delete is HTTP DELETE; and update is HTTP POST (or sometimes PUT).
Always use HTTPS for Amazon S3 API requests to ensure that your requests and data are secure. You can make this mandatory rather than optional: a bucket policy statement that denies every action when the aws:SecureTransport condition key is false rejects any request that arrives over plain HTTP.
In most cases, users do not use the REST interface directly, but instead interact with Amazon S3 using one of the higher-level interfaces available. These include the AWS Software Development Kits (SDKs) (wrapper libraries) for iOS, Android, JavaScript, Java, .NET, Node.js, PHP, Python, Ruby, Go, and C++, the AWS Command Line Interface (CLI), and the AWS Management Console.
Amazon S3 originally supported a SOAP (Simple Object Access Protocol) API in addition to the REST API, but you should use the REST API. The legacy SOAP endpoint is still available over HTTPS, but new features are not supported.
Durability and Availability
Data durability and availability are related but slightly different concepts. Durability addresses the question, "Will my data still be there in the future?" Availability addresses the question, "Can I access my data right now?" Amazon S3 is designed to provide both very high durability and very high availability for your data.
Amazon S3 standard storage is designed for 99.999999999% durability and 99.99% availability of objects over a given year. For example, if you store 10,000 objects with Amazon S3, you can on average expect to incur a loss of a single object once every 10,000,000 years. Amazon S3 achieves high durability by automatically storing data redundantly on multiple devices in multiple facilities within a region. It is designed to sustain the concurrent loss of data in two facilities without loss of user data. Amazon S3 provides a highly durable storage infrastructure designed for mission-critical and primary data storage.
If you need to store non-critical or easily reproducible derived data (such as image thumbnails) that doesn't require this high level of durability, you can choose to use Reduced Redundancy Storage (RRS) at a lower cost. RRS offers 99.99% durability with a lower cost of storage than traditional Amazon S3 storage.
Even though Amazon S3 storage offers very high durability at the infrastructure level, it is still a best practice to protect against user-level accidental deletion or overwriting of data by using additional features such as versioning, cross-region replication, and MFA Delete. The eleven nines describe resistance to hardware and facility failure; they say nothing about a DELETE issued with a leaked access key, which the service will carry out just as durably.
Data Consistency
Amazon S3 is an eventually consistent system. Because your data is automatically replicated across multiple servers and locations within a region, changes in your data may take some time to propagate to all locations. As a result, there are some situations where information that you read immediately after an update may return stale data.
For PUTs to new objects, this is not a concern: in this case, Amazon S3 provides read-after-write consistency. However, for PUTs to existing objects (object overwrite to an existing key) and for object DELETEs, Amazon S3 provides eventual consistency.
Eventual consistency means that if you PUT new data to an existing key, a subsequent GET might return the old data. Similarly, if you DELETE an object, a subsequent GET for that object might still read the deleted object. In all cases, updates to a single key are atomic: for eventually consistent reads, you will get the new data or the old data, but never an inconsistent mix of data. (This is the model the exam guide describes; since December 2020 Amazon S3 provides strong read-after-write consistency for all PUT and DELETE operations, and the atomicity guarantee above still holds.)
Access Control
Amazon S3 is secure by default; when you create a bucket or object in Amazon S3, only you have access. To allow you to give controlled access to others, Amazon S3 provides both coarse-grained access controls (Amazon S3 Access Control Lists [ACLs]), and fine-grained access controls (Amazon S3 bucket policies, AWS Identity and Access Management [IAM] policies, and query-string authentication).
Amazon S3 ACLs allow you to grant certain coarse-grained permissions: READ, WRITE, or FULL_CONTROL at the object or bucket level. ACLs are a legacy access control mechanism, created before IAM existed. ACLs are best used today for a limited set of use cases, such as enabling bucket logging or making a bucket that hosts a static website world-readable.
Amazon S3 bucket policies are the recommended access control mechanism for Amazon S3 and provide much finer-grained control. Amazon S3 bucket policies are very similar to IAM policies, which are discussed in Chapter 6, "AWS Identity and Access Management (IAM)," but are subtly different in that:
They are associated with the bucket resource instead of an IAM principal.
They include an explicit reference to the IAM principal in the policy. This principal can be associated with a different AWS account, so Amazon S3 bucket policies allow you to assign cross-account access to Amazon S3 resources.
Using an Amazon S3 bucket policy, you can specify who can access the bucket, from where (by Classless Inter-Domain Routing [CIDR] block or IP address), and during what time of day. The evaluation rule is the same as for IAM: a request is denied by default, any matching Allow statement grants it, and an explicit Deny in any applicable policy overrides every Allow. That makes a Deny statement with conditions (for example, "deny unless the request comes from our CIDR block") a reliable guardrail, because no later Allow can undo it.
Finally, IAM policies may be associated directly with IAM principals that grant access to an Amazon S3 bucket, just as they can grant access to any AWS service and resource. Obviously, you can only assign IAM policies to principals in AWS accounts that you control.
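The evaluation rule described above (default deny, any Allow grants, explicit Deny wins) and the "who, from where, and when" conditions are easiest to understand by running requests through a policy. The following is an added example, not code from the study guide or from AWS: a small Python model of bucket policy evaluation covering only the pieces used here (Allow/Deny, wildcard Action and Resource matching, and the aws:SourceIp, aws:CurrentTime and aws:SecureTransport condition keys). The bucket name, account IDs, role, CIDR block and timestamps are constructed sample values.

```python
"""Simplified model of Amazon S3 bucket policy evaluation (added example,
not AWS code). Only the subset of the IAM policy language used below is
implemented; bucket, accounts, CIDR block and times are made up."""
import fnmatch
import ipaddress
from datetime import datetime, timezone

BUCKET = "example-reports-bucket"
ANALYTICS_ROLE = "arn:aws:iam::111122223333:role/analytics"

# Constructed policy: the analytics role may read reports/* only from the
# office CIDR block during a business-hours window; any request that is
# not over HTTPS is explicitly denied for everyone, whatever else allows it.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadReportsFromOfficeDuringBusinessHours",
            "Effect": "Allow",
            "Principal": {"AWS": ANALYTICS_ROLE},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/reports/*",
            "Condition": {
                "IpAddress": {"aws:SourceIp": "203.0.113.0/24"},
                "DateGreaterThan": {"aws:CurrentTime": "2017-03-01T08:00:00Z"},
                "DateLessThan": {"aws:CurrentTime": "2017-03-01T18:00:00Z"},
            },
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
}


def utc(stamp: str) -> datetime:
    """Parse the ISO 8601 'Z' timestamps used in IAM date conditions."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(stmt_principal, principal_arn: str) -> bool:
    if stmt_principal == "*":
        return True
    return principal_arn in _as_list(stmt_principal.get("AWS", []))


def _condition_matches(conditions: dict, ctx: dict) -> bool:
    """Every operator and every key in a Condition block must hold (logical AND)."""
    for operator, pairs in conditions.items():
        for key, wanted in pairs.items():
            actual = ctx[key]
            if operator == "IpAddress":
                ip = ipaddress.ip_address(actual)
                if not any(ip in ipaddress.ip_network(c) for c in _as_list(wanted)):
                    return False
            elif operator == "DateGreaterThan":
                if not actual > utc(wanted):
                    return False
            elif operator == "DateLessThan":
                if not actual < utc(wanted):
                    return False
            elif operator == "Bool":
                if str(actual).lower() != str(wanted).lower():
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
    return True


def evaluate(policy: dict, principal_arn: str, action: str, resource_arn: str, ctx: dict) -> str:
    """Return 'Allow' or 'Deny'. Default is Deny; a matching Allow grants access
    unless any matching statement is an explicit Deny, which always wins."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt["Principal"], principal_arn):
            continue
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, p) for p in _as_list(stmt["Resource"])):
            continue
        if not _condition_matches(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def request(source_ip: str, when: datetime, secure: bool = True) -> dict:
    """Request context keys that S3 fills in from the incoming HTTP request."""
    return {"aws:SourceIp": source_ip, "aws:CurrentTime": when, "aws:SecureTransport": secure}


def demo() -> dict:
    """Run a handful of constructed requests through the policy."""
    obj = f"arn:aws:s3:::{BUCKET}/reports/q1.csv"
    office, home, in_hours = "203.0.113.10", "198.51.100.7", utc("2017-03-01T10:00:00Z")
    return {
        "office_in_hours": evaluate(BUCKET_POLICY, ANALYTICS_ROLE, "s3:GetObject", obj, request(office, in_hours)),
        "home_ip": evaluate(BUCKET_POLICY, ANALYTICS_ROLE, "s3:GetObject", obj, request(home, in_hours)),
        "after_hours": evaluate(BUCKET_POLICY, ANALYTICS_ROLE, "s3:GetObject", obj, request(office, utc("2017-03-01T22:00:00Z"))),
        "plain_http": evaluate(BUCKET_POLICY, ANALYTICS_ROLE, "s3:GetObject", obj, request(office, in_hours, secure=False)),
        "other_prefix": evaluate(BUCKET_POLICY, ANALYTICS_ROLE, "s3:GetObject", f"arn:aws:s3:::{BUCKET}/secrets/db.yml", request(office, in_hours)),
        "other_principal": evaluate(BUCKET_POLICY, "arn:aws:iam::999999999999:user/mallory", "s3:GetObject", obj, request(office, in_hours)),
        "write": evaluate(BUCKET_POLICY, ANALYTICS_ROLE, "s3:PutObject", obj, request(office, in_hours)),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case:16s} -> {decision}")
```

Only the first case is allowed. The plain_http case is the instructive one: the Allow statement matches completely, yet the request is denied because the Deny statement also matches and explicit Deny is evaluated first. Real policy evaluation also merges IAM identity policies, ACLs and (for cross-account access) the caller's own account policies; this model covers the bucket policy alone.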
Static Website Hosting
A very common use case for Amazon S3 storage is static website hosting. Many websites, particularly micro-sites, don't need the services of a full web server. A static website means that all of the pages of the website contain only static content and do not require server-side processing such as PHP, ASP.NET, or JSP. (Note that this does not mean that the website cannot be interactive and dynamic; this can be accomplished with client-side scripts, such as JavaScript embedded in static HTML web pages.) Static websites have many advantages: they are very fast, very scalable, and can be more secure than a typical dynamic website. If you host a static website on Amazon S3, you can also leverage the security, durability, availability, and scalability of Amazon S3.
Because every Amazon S3 object has a URL, it is relatively straightforward to turn a bucket into a website. To host a static website, you simply configure a bucket for website hosting and then upload the content of the static website to the bucket.
To configure an Amazon S3 bucket for static website hosting:
1. Create a bucket with the same name as the desired website hostname.
2. Upload the static files to the bucket.
3. Make all the files public (world readable). The cleanest way is a bucket policy that grants anonymous callers (Principal "*") s3:GetObject on the objects of that bucket and nothing more; do not grant s3:ListBucket or s3:* to the world. Anyone who can guess a key can fetch it, so nothing that is not meant to be public belongs in a website bucket.
4. Enable static website hosting for the bucket. This includes specifying an Index document and an Error document.
5. The website will now be available at the S3 website URL:
<bucket-name>.s3-website-<AWS-region>.amazonaws.com
6. Create a friendly DNS name in your own domain for the website using a DNS CNAME, or an Amazon Route 53 alias that resolves to the Amazon S3 website URL.
7. The website will now be available at your website domain name. The website endpoint serves plain HTTP only; to serve the site over HTTPS under your own domain name, put an Amazon CloudFront distribution in front of the bucket.
Amazon S3 Advanced Features
Beyond the basics, there are some advanced features of Amazon S3 that you should also be familiar with.
Prefixes and Delimiters
While Amazon S3 uses a flat structure in a bucket, it supports the use of prefix and delimiter parameters when listing key names. This feature lets you organize, browse, and retrieve the objects within a bucket hierarchically. Typically, you would use a slash (/) or backslash (\) as a delimiter and then use key names with embedded delimiters to emulate a file and folder hierarchy within the flat object key namespace of a bucket.
For example, you might want to store a series of server logs by server name (such as server42), but organized by year and month, like so:
logs/2016/January/server42.log
logs/2016/February/server42.log
logs/2016/March/server42.log
The REST API, wrapper SDKs, AWS CLI, and the AWS Management Console all support the use of delimiters and prefixes. This feature lets you logically organize new data and easily maintain the hierarchical folder-and-file structure of existing data uploaded or backed up from traditional file systems. Used together with IAM or Amazon S3 bucket policies, prefixes and delimiters also allow you to create the equivalent of departmental "subdirectories" or user "home directories" within a single bucket, restricting or sharing access to these "subdirectories" (defined by prefixes) as needed. A prefix-scoped grant needs two statements: object actions on the object ARN pattern (arn:aws:s3:::bucket/home/alice/*), and s3:ListBucket on the bucket ARN with an s3:prefix condition, because listing is a bucket-level action and an unconditioned s3:ListBucket exposes every key name in the bucket.
Use delimiters and object prefixes to hierarchically organize the objects in your Amazon S3 buckets, but always remember that Amazon S3 is not really a file system.
Storage Classes
Amazon S3 offers a range of storage classes suitable for various use cases.
Amazon S3 Standard offers high durability, high availability, low latency, and high performance object storage for general purpose use. Because it delivers low first-byte latency and high throughput, Standard is well suited for short-term or long-term storage of frequently accessed data. For most general purpose use cases, Amazon S3 Standard is the place to start.
Amazon S3 Standard - Infrequent Access (Standard-IA) offers the same durability, low latency, and high throughput as Amazon S3 Standard, but is designed for long-lived, less frequently accessed data. Standard-IA has a lower per GB-month storage cost than Standard, but the price model also includes a minimum object size (128 KB), minimum duration (30 days), and per-GB retrieval costs, so it is best suited for infrequently accessed data that is stored for longer than 30 days.
Amazon S3 Reduced Redundancy Storage (RRS) offers slightly lower durability (4 nines) than Standard or Standard-IA at a reduced cost. It is most appropriate for derived data that can be easily reproduced, such as image thumbnails.
Finally, the Amazon Glacier storage class offers secure, durable, and extremely low-cost cloud storage for data that does not require real-time access, such as archives and long-term backups. To keep costs low, Amazon Glacier is optimized for infrequently accessed data where a retrieval time of several hours is suitable. To retrieve an Amazon Glacier object, you issue a restore command using one of the Amazon S3 APIs; three to five hours later, the Amazon Glacier object is copied to Amazon S3 RRS. Note that the restore simply creates a temporary copy in Amazon S3 RRS; the original data object remains in Amazon Glacier until explicitly deleted. Also be aware that Amazon Glacier allows you to retrieve up to 5% of the Amazon S3 data stored in Amazon Glacier for free each month; restores beyond the daily restore allowance incur a restore fee. Refer to the Amazon Glacier pricing page on the AWS website for full details, since retrieval pricing has changed since this guide was written.
In addition to acting as a storage tier in Amazon S3, Amazon Glacier is also a standalone storage service with a separate API and some unique characteristics. However, when you use Amazon Glacier as a storage class of Amazon S3, you always interact with the data via the Amazon S3 APIs. Refer to the Amazon Glacier section for more details.
Set a data retrieval policy to limit restores to the free tier or to a maximum GB-per-hour limit to avoid or minimize Amazon Glacier restore fees.
Object Lifecycle Management
Amazon S3 Object Lifecycle Management is roughly equivalent to automated storage tiering in traditional IT storage infrastructures. In many cases, data has a natural lifecycle, starting out as "hot" (frequently accessed) data, moving to "warm" (less frequently accessed) data as it ages, and ending its life as "cold" (long-term backup or archive) data before eventual deletion.
For example, many business documents are frequently accessed when they are created, then become much less frequently accessed over time. In many cases, however, compliance rules require business documents to be archived and kept accessible for years. Similarly, studies show that file, operating system, and database backups are most frequently accessed in the first few days after they are created, usually to restore after an inadvertent error. After a week or two, these backups remain a critical asset, but they are much less likely to be accessed for a restore. In many cases, compliance rules require that a certain number of backups be kept for several years.
Using Amazon S3 lifecycle configuration rules, you can significantly reduce your storage costs by automatically transitioning data from one storage class to another or even automatically deleting data after a period of time. For example, the lifecycle rules for backup data might be:
Store backup data initially in Amazon S3 Standard.
After 30 days, transition to Amazon S3 Standard-IA.
After 90 days, transition to Amazon Glacier.
After 3 years, delete.
Lifecycle configurations are attached to the bucket and can apply to all objects in the bucket or only to objects specified by a prefix. On a versioned bucket, an expiration rule on current versions only adds a delete marker; the data is not gone until a separate noncurrent-version expiration rule removes the old versions, so a "delete after 3 years" rule without one keeps paying for, and retaining, the data.
Encryption
It is strongly recommended that all sensitive data stored in Amazon S3 be encrypted, both in flight and at rest.
To encrypt your Amazon S3 data in flight, you can use the Amazon S3 Secure Sockets Layer (SSL) API endpoints. This ensures that all data sent to and from Amazon S3 is encrypted while in transit using the HTTPS protocol.
To encrypt your Amazon S3 data at rest, you can use several variations of Server-Side Encryption (SSE). Amazon S3 encrypts your data at the object level as it writes it to disks in its data centers and decrypts it for you when you access it. All SSE performed by Amazon S3 and AWS Key Management Service (AWS KMS) uses the 256-bit Advanced Encryption Standard (AES). You can also encrypt your Amazon S3 data at rest using Client-Side Encryption, encrypting your data on the client before sending it to Amazon S3.
SSE-S3 (AWS-Managed Keys)
This is a fully integrated "check-box-style" encryption solution where AWS handles the key management and key protection for Amazon S3. Every object is encrypted with a unique key. The actual object key itself is then further encrypted by a separate master key. A new master key is issued at least monthly, with AWS rotating the keys. Encrypted data, encryption keys, and master keys are all stored separately on secure hosts, further enhancing protection. Keep in mind what SSE-S3 does and does not protect against: it defends the data on the storage media, but any principal with s3:GetObject permission receives plaintext transparently, so it adds nothing against an over-permissive policy or a leaked credential.
SSE-KMS (AWS KMS Keys)
This is a fully integrated solution in which AWS KMS stores and protects the keys for you, but you control them: you define the key policy, decide which principals may use the key, and manage its rotation. SSE-KMS offers several additional benefits compared to SSE-S3. Using SSE-KMS, there are separate permissions for using the master key, which provide protection against unauthorized access to your objects stored in Amazon S3 and an additional layer of control: a principal needs both s3:GetObject on the object and kms:Decrypt on the key to read the data, so a bucket that is accidentally made public still does not disclose SSE-KMS objects. AWS KMS also provides auditing, so you can see who used your key to access which object and when they tried to access this object. AWS KMS also allows you to view any failed attempts to access data from users who did not have permission to decrypt the data.
SSE-C (Customer-Provided Keys)
This is used when you want to maintain your own encryption keys but don't want to manage or implement your own client-side encryption library. With SSE-C, AWS will do the encryption/decryption of your objects while you maintain full control of the keys used to encrypt/decrypt the objects in Amazon S3. The key travels in request headers on every PUT and GET, so SSE-C requires HTTPS; Amazon S3 keeps only a salted HMAC of the key, which means that if you lose the key, the object is unrecoverable.
Client-Side Encryption
Client-side encryption refers to encrypting data on the client side of your application before sending it to Amazon S3. You have the following two options for using data encryption keys:
Use an AWS KMS-managed customer master key.
Use a client-side master key.
When using client-side encryption, you retain end-to-end control of the encryption process, including management of the encryption keys.
For maximum simplicity and ease of use, use server-side encryption with AWS-managed keys (SSE-S3 or SSE-KMS).
Versioning
Amazon S3 versioning helps protect your data against accidental or malicious deletion by keeping multiple versions of each object in the bucket, identified by a unique version ID. Versioning allows you to preserve, retrieve, and restore every version of every object stored in your Amazon S3 bucket. If a user makes an accidental change or even maliciously deletes an object in your S3 bucket, you can restore the object to its original state simply by referencing the version ID in addition to the bucket and object key. Versioning is turned on at the bucket level. Once enabled, versioning cannot be removed from a bucket; it can only be suspended. The protection works because a plain DELETE on a versioned bucket only inserts a delete marker; only a DELETE that names a version ID permanently removes data. Grant s3:DeleteObjectVersion separately from s3:DeleteObject, and to very few principals.
MFA Delete
MFA Delete adds another layer of data protection on top of bucket versioning. MFA Delete requires additional authentication in order to permanently delete an object version or change the versioning state of a bucket. In addition to your normal security credentials, MFA Delete requires an authentication code (a temporary, one-time password) generated by a hardware or virtual Multi-Factor Authentication (MFA) device. Note that MFA Delete can only be enabled by the root account.
Pre-Signed URLs
All Amazon S3 objects by default are private, meaning that only the owner has access. However, the object owner can optionally share objects with others by creating a pre-signed URL, using their own security credentials to grant time-limited permission to download the objects. When you create a pre-signed URL for your object, you must provide your security credentials and specify a bucket name, an object key, the HTTP method (GET to download the object), and an expiration date and time. The pre-signed URLs are valid only for the specified duration. This is particularly useful to protect against "content scraping" of web content such as media files stored in Amazon S3. Treat a pre-signed URL as a bearer token: anyone who obtains it can use it until it expires, it carries whatever permissions the signing credentials have at the time of the request (revoking those permissions invalidates the URL, and a URL signed with temporary credentials dies with them), and with Signature Version 4 the longest allowed validity is seven days.
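What a pre-signed URL actually contains, and why the service can trust it without a database lookup, is clearest when you build and check one by hand. The following is an added example, not code from the study guide and not the AWS SDK (whose generate_presigned_url does this for you): a standard-library Python implementation of the Signature Version 4 query-string scheme for a virtual-hosted-style GET, plus the check the service performs on receipt. The bucket, object key and timestamps are constructed, and the access key and secret key are the documented AWS placeholder values, not real credentials.

```python
"""Pre-signed URL generation and verification with AWS Signature Version 4
query-string authentication (added example, standard library only; not the
AWS SDK). Bucket, key and times are constructed; the credentials are the
AWS documentation placeholders and are not valid anywhere."""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl, quote, urlsplit

ALGORITHM = "AWS4-HMAC-SHA256"
MAX_EXPIRES = 7 * 24 * 3600  # S3 rejects SigV4 presigned URLs valid for more than seven days
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"                       # AWS documentation placeholder
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"   # AWS documentation placeholder


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _signing_key(secret_key: str, date: str, region: str, service: str) -> bytes:
    """Derive the per-day, per-region, per-service key; the raw secret never signs a request directly."""
    k = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date)
    k = _hmac_sha256(k, region)
    k = _hmac_sha256(k, service)
    return _hmac_sha256(k, "aws4_request")


def _canonical_query(params: dict) -> str:
    """Names and values URI-encoded, sorted by name, as SigV4 requires."""
    return "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(params.items()))


def _signature(secret_key: str, method: str, host: str, canonical_uri: str, params: dict, region: str, service: str) -> str:
    amz_date = params["X-Amz-Date"]
    date = amz_date[:8]
    canonical_request = "\n".join([
        method,
        canonical_uri,
        _canonical_query(params),
        f"host:{host}\n",    # canonical headers block; each header line ends with \n
        "host",              # signed headers
        "UNSIGNED-PAYLOAD",  # presigned URLs do not commit to a body hash
    ])
    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope, hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])
    return hmac.new(_signing_key(secret_key, date, region, service), string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()


def presign_get(bucket: str, key: str, access_key: str, secret_key: str, region: str, signed_at: datetime, expires: int) -> str:
    """Build a time-limited GET URL for one object, signed with the caller's credentials."""
    if not 1 <= expires <= MAX_EXPIRES:
        raise ValueError("expires must be between 1 second and 7 days")
    host = f"{bucket}.s3.amazonaws.com"
    canonical_uri = "/" + quote(key, safe="/-_.~")  # each path segment URI-encoded once
    amz_date = signed_at.strftime("%Y%m%dT%H%M%SZ")
    params = {
        "X-Amz-Algorithm": ALGORITHM,
        "X-Amz-Credential": f"{access_key}/{amz_date[:8]}/{region}/s3/aws4_request",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    sig = _signature(secret_key, "GET", host, canonical_uri, params, region, "s3")
    return f"https://{host}{canonical_uri}?{_canonical_query(params)}&X-Amz-Signature={sig}"


def verify(url: str, secret_key: str, now: datetime) -> bool:
    """Check a presigned GET URL the way the service does: not expired, and the
    signature recomputed from the URL's own parts matches (constant-time compare)."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    presented = params.pop("X-Amz-Signature", "")
    signed_at = datetime.strptime(params["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    if now > signed_at + timedelta(seconds=int(params["X-Amz-Expires"])):
        return False
    _, _, region, service, _ = params["X-Amz-Credential"].split("/")
    expected = _signature(secret_key, "GET", parts.hostname, parts.path, params, region, service)
    return hmac.compare_digest(presented, expected)


def demo() -> dict:
    """Sign one URL, then show what the verifier accepts and rejects."""
    signed_at = datetime(2017, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
    soon, late = signed_at + timedelta(minutes=5), signed_at + timedelta(hours=1)
    url = presign_get("example-media-bucket", "videos/intro 2017.mp4", ACCESS_KEY, SECRET_KEY, "us-east-1", signed_at, expires=900)
    tampered = url.replace("intro%202017.mp4", "other.mp4")  # holder tries to reuse it for another object
    return {
        "url": url,
        "valid": verify(url, SECRET_KEY, soon),
        "tampered_key": verify(tampered, SECRET_KEY, soon),
        "wrong_secret": verify(url, "not-the-signing-secret", soon),
        "expired": verify(url, SECRET_KEY, late),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Every input that matters (method, host, object key, access key, date, expiry) is folded into the canonical request, so changing any one of them in the URL invalidates the signature, while the secret itself never appears in the URL. The verifier also shows why the expiry is trustworthy: X-Amz-Date and X-Amz-Expires are signed too, so the holder cannot extend them.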
MultipartUploadTobettersupportuploadingorcopyingoflargeobjects,AmazonS3providestheMultipartUploadAPI.Thisallowsyoutouploadlargeobjectsasasetofparts,whichgenerallygivesbetternetworkutilization(throughparalleltransfers),theabilitytopauseandresume,andtheabilitytouploadobjectswherethesizeisinitiallyunknown.
Multipartuploadisathree-stepprocess:initiation,uploadingtheparts,andcompletion(or
![Page 73: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us](https://reader034.fdocuments.in/reader034/viewer/2022051903/5ff3f0af59eac925a1655b52/html5/thumbnails/73.jpg)
abort).Partscanbeuploadedindependentlyinarbitraryorder,withretransmissionifneeded.Afterallofthepartsareuploaded,AmazonS3assemblesthepartsinordertocreateanobject.
Ingeneral,youshouldusemultipartuploadforobjectslargerthan100Mbytes,andyoumustusemultipartuploadforobjectslargerthan5GB.Whenusingthelow-levelAPIs,youmustbreakthefiletobeuploadedintopartsandkeeptrackoftheparts.Whenusingthehigh-levelAPIsandthehigh-levelAmazonS3commandsintheAWSCLI(awss3cp,awss3mv,andawss3sync),multipartuploadisautomaticallyperformedforlargeobjects.
Youcansetanobjectlifecyclepolicyonabuckettoabortincompletemultipartuploadsafteraspecifiednumberofdays.Thiswillminimizethestoragecostsassociatedwithmultipartuploadsthatwerenotcompleted.
RangeGETsItispossibletodownload(GET)onlyaportionofanobjectinbothAmazonS3andAmazonGlacierbyusingsomethingcalledaRangeGET.UsingtheRangeHTTPheaderintheGETrequestorequivalentparametersinoneoftheSDKwrapperlibraries,youspecifyarangeofbytesoftheobject.ThiscanbeusefulindealingwithlargeobjectswhenyouhavepoorconnectivityortodownloadonlyaknownportionofalargeAmazonGlacierbackup.
Cross-Region Replication
Cross-region replication is a feature of Amazon S3 that allows you to asynchronously replicate all new objects in the source bucket in one AWS region to a target bucket in another region. Any metadata and ACLs associated with the object are also part of the replication. After you set up cross-region replication on your source bucket, any changes to the data, metadata, or ACLs on an object trigger a new replication to the destination bucket. To enable cross-region replication, versioning must be turned on for both the source and destination buckets, and you must use an IAM policy (attached to a role that Amazon S3 assumes) to give Amazon S3 permission to replicate objects on your behalf.
Cross-region replication is commonly used to reduce the latency required to access objects in Amazon S3 by placing objects closer to a set of users, or to meet requirements to store backup data at a certain distance from the original source data.
If turned on in an existing bucket, cross-region replication will only replicate new objects. Existing objects will not be replicated and must be copied to the new bucket via a separate command.
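As an added example (not part of the study guide), the following builds the two IAM policies behind the replication permission described above, a trust policy that lets only the Amazon S3 service principal assume the role and a permissions policy scoped to exactly the source and destination buckets, and then lints a candidate policy for anything broader than replication needs. The bucket names are assumed; the action names are those Amazon S3 requires for replication.

```python
from typing import List, Union

# Actions Amazon S3 needs on the source bucket, on source object versions, and
# on destination objects in order to replicate.
SOURCE_BUCKET_ACTIONS = {"s3:GetReplicationConfiguration", "s3:ListBucket"}
SOURCE_OBJECT_ACTIONS = {"s3:GetObjectVersionForReplication",
                         "s3:GetObjectVersionAcl", "s3:GetObjectVersionTagging"}
DEST_OBJECT_ACTIONS = {"s3:ReplicateObject", "s3:ReplicateDelete", "s3:ReplicateTags"}


def trust_policy() -> dict:
    """Role trust policy: only the Amazon S3 service principal may assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "s3.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def permissions_policy(source_bucket: str, dest_bucket: str) -> dict:
    """Least-privilege permissions policy for the replication role, scoped to
    exactly the two buckets involved."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": sorted(SOURCE_BUCKET_ACTIONS),
             "Resource": f"arn:aws:s3:::{source_bucket}"},
            {"Effect": "Allow", "Action": sorted(SOURCE_OBJECT_ACTIONS),
             "Resource": f"arn:aws:s3:::{source_bucket}/*"},
            {"Effect": "Allow", "Action": sorted(DEST_OBJECT_ACTIONS),
             "Resource": f"arn:aws:s3:::{dest_bucket}/*"},
        ],
    }


def _as_list(value: Union[str, List[str]]) -> List[str]:
    return value if isinstance(value, list) else [value]


def lint_replication_policy(policy: dict, source_bucket: str, dest_bucket: str) -> List[str]:
    """Findings for a replication role policy that grants more than replication
    needs: wildcard actions or resources, actions outside the replication set,
    or resources outside the source and destination buckets. Empty means clean."""
    allowed_actions = SOURCE_BUCKET_ACTIONS | SOURCE_OBJECT_ACTIONS | DEST_OBJECT_ACTIONS
    allowed_resources = {
        f"arn:aws:s3:::{source_bucket}",
        f"arn:aws:s3:::{source_bucket}/*",
        f"arn:aws:s3:::{dest_bucket}/*",
    }
    findings: List[str] = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # a Deny statement cannot over-grant
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:
                findings.append(f"statement {i}: wildcard action {action}")
            elif action not in allowed_actions:
                findings.append(f"statement {i}: action {action} is not needed for replication")
        for resource in _as_list(stmt.get("Resource", [])):
            if "*" in resource.replace("/*", ""):
                findings.append(f"statement {i}: wildcard resource {resource}")
            elif resource not in allowed_resources:
                findings.append(f"statement {i}: resource {resource} is outside the source/destination buckets")
    return findings
```

The role is the piece most often over-scoped in practice (`s3:*` on `*` "to make replication work"); since the role can read every object version in the source bucket, keeping it to the actions and ARNs above limits what a compromise of the replication path could reach.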
Logging
In order to track requests to your Amazon S3 bucket, you can enable Amazon S3 server access logs. Logging is off by default, but it can easily be enabled. When you enable logging for a bucket (the source bucket), you must choose where the logs will be stored (the target bucket). You can store access logs in the same bucket or in a different bucket. Either way, it is optional (but a best practice) to specify a prefix, such as logs/ or yourbucketname/logs/, so that you can more easily identify your logs. A separate, tightly controlled target bucket is preferable: logging into the source bucket itself generates log entries for the log deliveries, and anyone with write access to the source bucket could alter the record.
Once enabled, logs are delivered on a best-effort basis with a slight delay, so they should not be treated as a complete audit trail. Logs include information such as:
Requestor account and IP address
Bucket name
Request time
Action (GET, PUT, LIST, and so forth)
Response status or error code
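The following added example (not from the study guide) parses server access log lines and runs three detections a reviewer would typically want over them: successful anonymous reads (what the bucket is serving to the whole Internet), source addresses with repeated AccessDenied responses (key enumeration, or a policy change that broke a caller), and every DELETE with the account that signed it. The log lines are constructed for the example in the field order Amazon S3 uses; the bucket owner canonical ID is the placeholder value from the AWS documentation.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample log lines, not real traffic. Field order per line:
# owner bucket [time] ip requester request-id operation key "request-uri" status
# error-code bytes-sent object-size total-time turnaround "referer" "user-agent" version-id
OWNER = "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be"
SAMPLE_LOG = f"""\
{OWNER} examplebucket [06/Feb/2017:00:00:38 +0000] 192.0.2.3 {OWNER} 3E57427F33A59F07 REST.GET.OBJECT photos/2017/cat.jpg "GET /photos/2017/cat.jpg HTTP/1.1" 200 - 5402 5402 14 12 "-" "Mozilla/5.0 (X11; Linux x86_64)" -
{OWNER} examplebucket [06/Feb/2017:00:01:02 +0000] 198.51.100.7 - 891CE47D2EXAMPLE REST.GET.OBJECT photos/2017/cat.jpg "GET /photos/2017/cat.jpg HTTP/1.1" 200 - 5402 5402 9 8 "http://example.com/" "curl/7.52.1" -
{OWNER} examplebucket [06/Feb/2017:00:02:10 +0000] 203.0.113.9 - A1206F460EXAMPLE REST.GET.OBJECT secrets/keys.txt "GET /secrets/keys.txt HTTP/1.1" 403 AccessDenied 243 - 7 - "-" "python-requests/2.13.0" -
{OWNER} examplebucket [06/Feb/2017:00:02:11 +0000] 203.0.113.9 - A1206F461EXAMPLE REST.GET.OBJECT secrets/backup.sql "GET /secrets/backup.sql HTTP/1.1" 403 AccessDenied 243 - 6 - "-" "python-requests/2.13.0" -
{OWNER} examplebucket [06/Feb/2017:00:02:12 +0000] 203.0.113.9 - A1206F462EXAMPLE REST.GET.OBJECT secrets/.env "GET /secrets/.env HTTP/1.1" 403 AccessDenied 243 - 6 - "-" "python-requests/2.13.0" -
{OWNER} examplebucket [06/Feb/2017:00:05:44 +0000] 192.0.2.3 {OWNER} 7B4A0FABBEXAMPLE REST.DELETE.OBJECT photos/2017/cat.jpg "DELETE /photos/2017/cat.jpg HTTP/1.1" 204 - - - 11 - "-" "aws-cli/1.11.13" -
"""

# One token is a [bracketed] timestamp, a "quoted" string, or a bare word.
_TOKEN = re.compile(r'\[[^\]]*\]|"(?:[^"\\]|\\.)*"|\S+')

FIELDS = ["bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
          "operation", "key", "request_uri", "http_status", "error_code", "bytes_sent",
          "object_size", "total_time", "turn_around_time", "referer", "user_agent",
          "version_id"]


@dataclass
class Entry:
    bucket_owner: str
    bucket: str
    time: str
    remote_ip: str
    requester: str        # "-" when the request carried no AWS signature (anonymous)
    request_id: str
    operation: str        # REST.GET.OBJECT, REST.PUT.OBJECT, REST.DELETE.OBJECT, ...
    key: str
    request_uri: str
    http_status: int
    error_code: str       # "-" or e.g. AccessDenied, NoSuchKey
    bytes_sent: str
    object_size: str
    total_time: str
    turn_around_time: str
    referer: str
    user_agent: str
    version_id: str

    @property
    def anonymous(self) -> bool:
        return self.requester == "-"


def parse_line(line: str) -> Entry:
    """Split one log line into fields, honouring [bracketed] and "quoted" tokens.
    Newer log formats append extra fields; anything beyond the 18 here is ignored."""
    tokens = [t.strip('[]"') for t in _TOKEN.findall(line)]
    if len(tokens) < len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(tokens)}: {line[:60]}")
    values = dict(zip(FIELDS, tokens))
    values["http_status"] = int(values["http_status"])
    return Entry(**values)


def parse_log(text: str) -> List[Entry]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def anonymous_reads(entries: List[Entry]) -> List[Entry]:
    """Successful unsigned reads: objects the bucket is serving to anyone on the
    Internet, to be reconciled against the set that is meant to be public."""
    return [e for e in entries
            if e.anonymous and e.operation == "REST.GET.OBJECT" and e.http_status == 200]


def denied_per_ip(entries: List[Entry], threshold: int = 3) -> Dict[str, int]:
    """Source IPs with at least `threshold` AccessDenied responses: a client probing
    for readable keys, or a policy change that broke a legitimate caller."""
    counts = Counter(e.remote_ip for e in entries if e.error_code == "AccessDenied")
    return {ip: n for ip, n in counts.items() if n >= threshold}


def deletions(entries: List[Entry]) -> List[Entry]:
    """Every DELETE together with the signing account, for reconciling against change records."""
    return [e for e in entries if e.operation.startswith("REST.DELETE.")]
```

Because delivery is best-effort, use these detections as an investigative aid rather than as proof that an access did not happen; for a guaranteed record of API calls, pair them with AWS CloudTrail.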
Event Notifications
Amazon S3 event notifications can be sent in response to actions taken on objects uploaded or stored in Amazon S3. Event notifications enable you to run workflows, send alerts, or perform other actions in response to changes in your objects stored in Amazon S3. You can use Amazon S3 event notifications to set up triggers to perform actions, such as transcoding media files when they are uploaded, processing data files when they become available, and synchronizing Amazon S3 objects with other data stores.
Amazon S3 event notifications are set up at the bucket level, and you can configure them through the Amazon S3 console, through the REST API, or by using an AWS SDK. Amazon S3 can publish notifications when new objects are created (by a PUT, POST, COPY, or multipart upload completion), when objects are removed (by a DELETE), or when Amazon S3 detects that an RRS object was lost. You can also set up event notifications based on object name prefixes and suffixes. Notification messages can be sent through either Amazon Simple Notification Service (Amazon SNS) or Amazon Simple Queue Service (Amazon SQS), or delivered directly to AWS Lambda to invoke AWS Lambda functions.
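As an added example (not from the study guide), the following is the receiving side of a notification delivered to AWS Lambda: it walks the records in the event, decodes the object key (which arrives URL-encoded, with spaces as plus signs), re-applies the prefix and suffix filter rather than trusting the bucket's notification configuration, and refuses keys that would be unsafe to splice into a local path. The event, bucket name, prefix, and suffix list are constructed for the example.

```python
from typing import Dict, List
from urllib.parse import unquote_plus

# Constructed event in the shape Amazon S3 delivers to AWS Lambda (Records[].s3.*).
# Keys arrive URL-encoded: the object "incoming/my photo+1.jpg" appears as
# "incoming/my+photo%2B1.jpg".
SAMPLE_EVENT = {
    "Records": [
        {"eventSource": "aws:s3", "eventName": "ObjectCreated:Put",
         "s3": {"bucket": {"name": "example-uploads"},
                "object": {"key": "incoming/my+photo%2B1.jpg", "size": 1048576}}},
        {"eventSource": "aws:s3", "eventName": "ObjectRemoved:Delete",
         "s3": {"bucket": {"name": "example-uploads"},
                "object": {"key": "incoming/old.jpg"}}},
        {"eventSource": "aws:s3", "eventName": "ObjectCreated:CompleteMultipartUpload",
         "s3": {"bucket": {"name": "example-uploads"},
                "object": {"key": "incoming/notes.txt", "size": 12}}},
        {"eventSource": "aws:s3", "eventName": "ObjectCreated:Put",
         "s3": {"bucket": {"name": "example-uploads"},
                "object": {"key": "incoming/..%2F..%2Fetc%2Fpasswd.jpg", "size": 3}}},
    ]
}

ALLOWED_PREFIX = "incoming/"            # assumed: mirrors the bucket's notification filter
ALLOWED_SUFFIXES = (".jpg", ".png")     # assumed: the media types the workflow handles


def route_records(event: dict, prefix: str = ALLOWED_PREFIX,
                  suffixes=ALLOWED_SUFFIXES) -> Dict[str, List[str]]:
    """Sort S3 notification records into work to do and records to ignore.
    Returns {"created": [...], "removed": [...], "ignored": [...]} holding
    'bucket/key' strings. The prefix/suffix filter is re-applied here instead of
    being trusted from the bucket's notification configuration, because anyone
    with s3:PutBucketNotification can widen that configuration later."""
    out: Dict[str, List[str]] = {"created": [], "removed": [], "ignored": []}
    for record in event.get("Records", []):
        if record.get("eventSource") != "aws:s3":
            continue
        bucket = record["s3"]["bucket"]["name"]
        key = unquote_plus(record["s3"]["object"]["key"])   # decode before any comparison
        ref = f"{bucket}/{key}"
        name = record.get("eventName", "")
        # Decoded keys may contain "..": never splice a raw key into a local path.
        if not key.startswith(prefix) or ".." in key.split("/"):
            out["ignored"].append(ref)
        elif name.startswith("ObjectCreated:") and key.lower().endswith(suffixes):
            out["created"].append(ref)
        elif name.startswith("ObjectRemoved:"):
            out["removed"].append(ref)
        else:
            out["ignored"].append(ref)
    return out


def lambda_handler(event: dict, context=None) -> Dict[str, List[str]]:
    """Entry point Lambda would invoke; the real work (transcode, index update)
    would be started for each item in result["created"] and result["removed"]."""
    return route_records(event)
```

Decoding the key before comparing it matters in both directions: a filter applied to the encoded form can be bypassed by encoding, and an object whose decoded key contains path segments such as `..` must not be used to build a filename under the function's temporary directory.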
Best Practices, Patterns, and Performance
It is a common pattern to use Amazon S3 storage in hybrid IT environments and applications. For example, data in on-premises file systems, databases, and compliance archives can easily be backed up over the Internet to Amazon S3 or Amazon Glacier, while the primary application or database storage remains on-premises.
Another common pattern is to use Amazon S3 as bulk "blob" storage for data, while keeping an index to that data in another service, such as Amazon DynamoDB or Amazon RDS. This allows quick searches and complex queries on key names without listing keys continually.
Amazon S3 will scale automatically to support very high request rates, automatically re-partitioning your buckets as needed. If you need request rates higher than 100 requests per second, you may want to review the Amazon S3 best practices guidelines in the Developer Guide. To support higher request rates, it is best to ensure some level of random distribution of keys, for example by including a hash as a prefix to key names. (This guidance reflects the service at the time of writing; later Amazon S3 performance improvements removed the need for randomized prefixes in most cases, so check the current Developer Guide before restructuring a key space.)
If you are using Amazon S3 in a GET-intensive mode, such as static website hosting, for best performance you should consider using an Amazon CloudFront distribution as a caching layer in front of your Amazon S3 bucket.
Amazon Glacier
Amazon Glacier is an extremely low-cost storage service that provides durable, secure, and flexible storage for data archiving and online backup. To keep costs low, Amazon Glacier is designed for infrequently accessed data where a retrieval time of three to five hours is acceptable.
Amazon Glacier can store an unlimited amount of virtually any kind of data, in any format. Common use cases for Amazon Glacier include replacement of traditional tape solutions for long-term backup and archive, and storage of data required for compliance purposes. In most cases, the data stored in Amazon Glacier consists of large TAR (Tape Archive) or ZIP files.
Like Amazon S3, Amazon Glacier is extremely durable, storing data on multiple devices across multiple facilities in a region. Amazon Glacier is designed for 99.999999999% durability of objects over a given year.
Archives
In Amazon Glacier, data is stored in archives. An archive can contain up to 40 TB of data, and you can have an unlimited number of archives. Each archive is assigned a unique archive ID at the time of creation. (Unlike an Amazon S3 object key, you cannot specify a user-friendly archive name.) All archives are automatically encrypted, and archives are immutable: after an archive is created, it cannot be modified.
Vaults
Vaults are containers for archives. Each AWS account can have up to 1,000 vaults. You can control access to your vaults and the actions allowed using IAM policies or vault access policies.
Vault Locks
You can easily deploy and enforce compliance controls for individual Amazon Glacier vaults with a vault lock policy. You can specify controls such as Write Once Read Many (WORM) in a vault lock policy and lock the policy from future edits. Once locked, the policy can no longer be changed by anyone, including the account's root user, which is what makes it suitable as a retention control that administrators themselves cannot undo.
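The following is an added example, not from the study guide. It builds the WORM vault lock policy described above, a Deny on glacier:DeleteArchive for every principal while an archive is younger than the retention period, using the glacier:ArchiveAgeInDays condition key, and evaluates it the way the service does: an applicable Deny wins regardless of what the caller's IAM policy allows. The vault ARN, account ID, and retention period are assumed.

```python
from typing import List, Union

# Assumed vault ARN and retention period for the example.
VAULT_ARN = "arn:aws:glacier:us-west-2:123456789012:vaults/compliance-records"
RETENTION_DAYS = 365 * 7


def worm_vault_lock_policy(vault_arn: str, retention_days: int) -> dict:
    """Vault lock policy that denies DeleteArchive to every principal while an
    archive is younger than retention_days. Archives cannot be modified anyway,
    so blocking deletion is what turns the vault into WORM storage."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "deny-deletion-inside-retention",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "glacier:DeleteArchive",
            "Resource": vault_arn,
            "Condition": {
                "NumericLessThan": {"glacier:ArchiveAgeInDays": str(retention_days)}
            },
        }],
    }


def _as_list(value: Union[str, List[str]]) -> List[str]:
    return value if isinstance(value, list) else [value]


def delete_permitted(policy: dict, vault_arn: str, archive_age_days: int) -> bool:
    """Evaluate a lock policy against a DeleteArchive request on vault_arn the way
    the service does: an applicable Deny wins over any Allow the caller's own IAM
    policy grants. Only the NumericLessThan/ArchiveAgeInDays condition is modelled."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if "glacier:DeleteArchive" not in _as_list(stmt["Action"]):
            continue
        if vault_arn not in _as_list(stmt["Resource"]):
            continue
        limit = (stmt.get("Condition", {})
                     .get("NumericLessThan", {})
                     .get("glacier:ArchiveAgeInDays"))
        if limit is None or archive_age_days < int(limit):
            return False   # denied: unconditional Deny, or archive still inside retention
    return True
```

Locking is a two-step operation: initiating the lock attaches the policy in an in-progress state and returns a lock ID, and you have 24 hours to test the policy and then complete the lock with that ID (or abort it); after completion the policy is immutable, so the evaluation above is worth running against the policy before the lock is completed.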
Data Retrieval
You can retrieve up to 5% of your data stored in Amazon Glacier for free each month, calculated on a daily prorated basis. If you retrieve more than 5%, you will incur retrieval fees based on your maximum retrieval rate. To eliminate or minimize those fees, you can set a data retrieval policy on a vault to limit your retrievals to the free tier or to a specified data rate.
Amazon Glacier versus Amazon Simple Storage Service (Amazon S3)
Amazon Glacier is similar to Amazon S3, but it differs in several key aspects. Amazon Glacier supports 40 TB archives versus 5 TB objects in Amazon S3. Archives in Amazon Glacier are identified by system-generated archive IDs, while Amazon S3 lets you use "friendly" key names. Amazon Glacier archives are automatically encrypted, while encryption at rest is optional in Amazon S3. However, by using Amazon Glacier as an Amazon S3 storage class together with object lifecycle policies, you can use the Amazon S3 interface to get most of the benefits of Amazon Glacier without learning a new interface.
Summary
Amazon S3 is the core object storage service on AWS, allowing you to store an unlimited amount of data with very high durability.
Common Amazon S3 use cases include backup and archive, web content, big data analytics, static website hosting, mobile and cloud-native application hosting, and disaster recovery.
Amazon S3 is integrated with many other AWS cloud services, including AWS IAM, AWS KMS, Amazon EC2, Amazon EBS, Amazon EMR, Amazon DynamoDB, Amazon Redshift, Amazon SQS, AWS Lambda, and Amazon CloudFront.
Object storage differs from traditional block and file storage. Block storage manages data at a device level as addressable blocks, while file storage manages data at the operating system level as files and folders. Object storage manages data as objects that contain both data and metadata, manipulated by an API.
Amazon S3 buckets are containers for objects stored in Amazon S3. Bucket names must be globally unique. Each bucket is created in a specific region, and data does not leave the region unless explicitly copied by the user.
Amazon S3 objects are files stored in buckets. Objects can be up to 5 TB and can contain any kind of data. Objects contain both data and metadata and are identified by keys. Each Amazon S3 object can be addressed by a unique URL formed by the web services endpoint, the bucket name, and the object key.
Amazon S3 has a minimalistic API (create/delete a bucket, read/write/delete objects, list keys in a bucket) and uses a REST interface based on standard HTTP verbs: GET, PUT, POST, and DELETE. You can also use SDK wrapper libraries, the AWS CLI, and the AWS Management Console to work with Amazon S3.
Amazon S3 is highly durable and highly available, designed for 11 nines of durability of objects in a given year and four nines of availability.
Amazon S3 is eventually consistent, but offers read-after-write consistency for new object PUTs.
Amazon S3 objects are private by default, accessible only to the owner. Objects can be marked public readable to make them accessible on the web. Controlled access may be provided to others using ACLs, AWS IAM, and Amazon S3 bucket policies.
Static websites can be hosted in an Amazon S3 bucket.
Prefixes and delimiters may be used in key names to organize and navigate data hierarchically, much like a traditional file system.
Amazon S3 offers several storage classes suited to different use cases: Standard is designed for general-purpose data needing high performance and low latency. Standard-IA is for less frequently accessed data. RRS offers lower redundancy at lower cost for easily reproduced data. Amazon Glacier offers low-cost durable storage for archives and long-term backups that are rarely accessed and can accept a three- to five-hour retrieval time.
Object lifecycle management policies can be used to automatically move data between storage classes based on time.
Amazon S3 data can be encrypted using server-side or client-side encryption, and encryption keys can be managed with AWS KMS.
Versioning and MFA Delete can be used to protect against accidental deletion.
Cross-region replication can be used to automatically copy new objects from a source bucket in one region to a target bucket in another region.
Pre-signed URLs grant time-limited permission to download objects and can be used to protect media and other web content from unauthorized "web scraping."
Multipart upload can be used to upload large objects, and Range GETs can be used to download portions of an Amazon S3 object or Amazon Glacier archive.
Server access logs can be enabled on a bucket to track requestor, object, action, and response.
Amazon S3 event notifications can be used to send an Amazon SQS or Amazon SNS message or to trigger an AWS Lambda function when an object is created or deleted.
Amazon Glacier can be used as a standalone service or as a storage class in Amazon S3.
Amazon Glacier stores data in archives, which are contained in vaults. You can have up to 1,000 vaults, and each vault can store an unlimited number of archives.
Amazon Glacier vaults can be locked for compliance purposes.
Exam Essentials
Know what Amazon S3 is and what it is commonly used for. Amazon S3 is secure, durable, and highly scalable cloud storage that can be used to store an unlimited amount of data in almost any format using a simple web services interface. Common use cases include backup and archive, content storage and distribution, big data analytics, static website hosting, cloud-native application hosting, and disaster recovery.
Understand how object storage differs from block and file storage. Amazon S3 cloud object storage manages data at the application level as objects using a REST API built on HTTP. Block storage manages data at the operating system level as numbered addressable blocks using protocols such as SCSI or Fibre Channel. File storage manages data as shared files at the operating system level using a protocol such as CIFS or NFS.
Understand the basics of Amazon S3. Amazon S3 stores data in objects that contain data and metadata. Objects are identified by a user-defined key and are stored in a simple flat folder called a bucket. Interfaces include a native REST interface, SDKs for many languages, an AWS CLI, and the AWS Management Console.
Know how to create a bucket; how to upload, download, and delete objects; how to make objects public; and how to open an object URL.
Understand the durability, availability, and data consistency model of Amazon S3. Amazon S3 standard storage is designed for 11 nines durability and four nines availability of objects over a year. Other storage classes differ. Amazon S3 is eventually consistent, but offers read-after-write consistency for PUTs to new objects.
Know how to enable static website hosting on Amazon S3. To create a static website on Amazon S3, you must create a bucket with the website hostname, upload your static content and make it public, enable static website hosting on the bucket, and indicate the index and error page objects.
Know how to protect your data on Amazon S3. Encrypt data in flight using HTTPS and at rest using SSE or client-side encryption. Enable versioning to keep multiple versions of an object in a bucket. Enable MFA Delete to protect against accidental deletion. Use ACLs, Amazon S3 bucket policies, and AWS IAM policies for access control. Use pre-signed URLs for time-limited download access. Use cross-region replication to automatically replicate data to another region.
Know the use case for each of the Amazon S3 storage classes. Standard is for general purpose data that needs high durability, high performance, and low latency access. Standard-IA is for data that is less frequently accessed, but that needs the same performance and availability when accessed. RRS offers lower durability at lower cost for easily replicated data. Amazon Glacier is for storing rarely accessed archival data at lowest cost, when a three- to five-hour retrieval time is acceptable.
Know how to use lifecycle configuration rules. Lifecycle rules can be configured in the AWS Management Console or the APIs. Lifecycle configuration rules define actions to transition objects from one storage class to another based on time.
Know how to use Amazon S3 event notifications. Event notifications are set at the bucket level and can trigger a message in Amazon SNS or Amazon SQS or an action in AWS Lambda in response to an upload or a delete of an object.
Know the basics of Amazon Glacier as a standalone service. Data is stored in encrypted archives that can be as large as 40 TB. Archives typically contain TAR or ZIP files. Vaults are containers for archives, and vaults can be locked for compliance.
Exercises
For assistance in completing the following exercises, reference the following documentation:
Getting started with Amazon S3: http://docs.aws.amazon.com/AmazonS3/latest/gsg/GetStartedWithS3.html
Setting up a static website: http://docs.aws.amazon.com/AmazonS3/latest/dev/HostingWebsiteOnS3Setup.html
Using versioning: http://docs.aws.amazon.com/AmazonS3/latest/dev/Versioning.html
Object Lifecycle Management: http://docs.aws.amazon.com/AmazonS3/latest/dev/object-lifecycle-mgmt.html
EXERCISE 2.1
Create an Amazon Simple Storage Service (Amazon S3) Bucket
In this exercise, you will create a new Amazon S3 bucket in your selected region. You will use this bucket in the following exercises.
1. Log in to the AWS Management Console.
2. Choose an appropriate region, such as US West (Oregon).
3. Navigate to the Amazon S3 console. Notice that the region indicator now says Global. Remember that Amazon S3 buckets form a global namespace, even though each bucket is created in a specific region.
4. Start the create bucket process.
5. When prompted for Bucket Name, use mynewbucket.
6. Choose a region, such as US West (Oregon).
7. Try to create the bucket. You almost surely will get a message that the requested bucket name is not available. Remember that a bucket name must be unique globally.
8. Try again using your surname followed by a hyphen and then today's date in a six-digit format as the bucket name (a bucket name that is not likely to exist already).
You should now have a new Amazon S3 bucket.
EXERCISE 2.2
Upload, Make Public, Rename, and Delete Objects in Your Bucket
In this exercise, you will upload a new object to your bucket. You will then make this object public and view the object in your browser. You will then rename the object and finally delete it from the bucket.
Upload an Object
1. Load your new bucket in the Amazon S3 console.
2. Select Upload, then Add Files.
3. Locate a file on your PC that you are okay with uploading to Amazon S3 and making public to the Internet. (We suggest using a non-personal image file for the purposes of this exercise.)
4. Select a suitable file, then Start Upload. You will see the status of your file in the Transfers section.
5. After your file is uploaded, the status should change to Done.
The file you uploaded is now stored as an Amazon S3 object and should now be listed in the contents of your bucket.
Open the Amazon S3 URL
6. Now open the properties for the object. The properties should include bucket, name, and link.
7. Copy the Amazon S3 URL for the object.
8. Paste the URL in the address bar of a new browser window or tab.
You should get a message with an XML error code AccessDenied. Even though the object has a URL, it is private by default, so it cannot be accessed by a web browser.
Make the Object Public
9. Go back to the Amazon S3 console and select Make Public. (Equivalently, you can change the object's permissions and add grantee Everyone and permissions Open/Download.)
10. Copy the Amazon S3 URL again and try to open it in a browser or tab. Your public image file should now display in the browser or browser tab.
Rename Object
11. In the Amazon S3 console, select Rename.
12. Rename the object, but keep the same file extension.
13. Copy the new Amazon S3 URL and try to open it in a browser or tab. You should see the same image file.
Delete the Object
14. In the Amazon S3 console, select Delete. Select OK when prompted if you want to delete the object.
15. The object has now been deleted.
16. To verify, try to reload the deleted object's Amazon S3 URL.
You should once again get the XML AccessDenied error message. (Amazon S3 returns 403 AccessDenied rather than 404 NoSuchKey here because the anonymous requester has no list permission on the bucket; this way the response does not reveal whether the key exists.)
EXERCISE 2.3
Enable Version Control
In this exercise, you will enable version control on your newly created bucket.
Enable Versioning
1. In the Amazon S3 console, load the properties of your bucket. Don't open the bucket.
2. Enable versioning in the properties and select OK to verify. Your bucket now has versioning enabled. (Note that versioning can be suspended, but not turned off.)
Create Multiple Versions of an Object
3. Create a text file named foo.txt on your computer and write the word blue in the text file.
4. Save the text file to a location of your choosing.
5. Upload the text file to your bucket. This will be version 1.
6. After you have uploaded the text file to your bucket, open the copy on your local computer and change the word blue to red. Save the text file with the original filename.
7. Upload the modified file to your bucket.
8. Select Show Versions on the uploaded object.
You will now see two different versions of the object with different Version IDs and possibly different sizes. Note that when you select Show Versions, the Amazon S3 URL now includes the version ID in the query string after the object name.
EXERCISE 2.4
Delete an Object and Then Restore It
In this exercise, you will delete an object in your Amazon S3 bucket and then restore it.
Delete an Object
1. Open the bucket containing the text file for which you now have two versions.
2. Select Hide Versions.
3. Select Delete, and then select OK to verify.
4. Your object will now be deleted, and you can no longer see the object.
5. Select Show Versions.
Both versions of the object are still present and show their version IDs. In a versioned bucket, a simple DELETE removes no data; it adds a delete marker as the current version, which is why the object disappears from the normal listing.
Restore an Object
6. Open your bucket.
7. Select Show Versions.
8. Select the oldest version and download the object. Note that the filename is simply foo.txt with no version indicator.
9. Upload foo.txt to the same bucket.
10. Select Hide Versions, and the file foo.txt should re-appear.
To restore a version, you copy the desired version into the same bucket. In the Amazon S3 console, this requires a download and then a re-upload of the object. Using the APIs, SDKs, or the AWS CLI, you can copy a version directly without downloading and re-uploading, or remove the delete marker so that the previous version becomes current again.
EXERCISE 2.5
Lifecycle Management
In this exercise, you will explore the various options for lifecycle management.
1. Select your bucket in the Amazon S3 console.
2. Under Properties, add a Lifecycle Rule.
3. Explore the various options to add lifecycle rules to objects in this bucket. It is recommended that you do not implement any of these options, as you may incur additional costs. After you have finished, click the Cancel button.
Most lifecycle rules require some number of days to expire before the transition takes effect. For example, it takes a minimum of 30 days to transition from Amazon S3 Standard to Amazon S3 Standard-IA. This makes it impractical to create a lifecycle rule and see the actual result in an exercise.
EXERCISE 2.6
Enable Static Hosting on Your Bucket
In this exercise, you will enable static hosting on your newly created bucket.
1. Select your bucket in the Amazon S3 console.
2. In the Properties section, select Enable Website Hosting.
3. For the index document name, enter index.txt, and for the error document name, enter error.txt.
4. Use a text editor to create two text files and save them as index.txt and error.txt. In the index.txt file, write the phrase "Hello World," and in the error.txt file, write the phrase "Error Page." Save both text files and upload them to your bucket.
5. Make the two objects public.
6. Copy the Endpoint: link under Static Website Hosting and paste it in a browser window or tab. You should now see the phrase "Hello World" displayed.
7. In the address bar in your browser, try adding a forward slash followed by a made-up filename (for example, /test.html). You should now see the phrase "Error Page" displayed.
8. To clean up, delete all of the objects in your bucket and then delete the bucket itself.
Review Questions
1. In what ways does Amazon Simple Storage Service (Amazon S3) object storage differ from block and file storage? (Choose 2 answers)
A. Amazon S3 stores data in fixed size blocks.
B. Objects are identified by a numbered address.
C. Objects can be any size.
D. Objects contain both data and metadata.
E. Objects are stored in buckets.
2. Which of the following are not appropriate use cases for Amazon Simple Storage Service (Amazon S3)? (Choose 2 answers)
A. Storing web content
B. Storing a file system mounted to an Amazon Elastic Compute Cloud (Amazon EC2) instance
C. Storing backups for a relational database
D. Primary storage for a database
E. Storing logs for analytics
3. What are some of the key characteristics of Amazon Simple Storage Service (Amazon S3)? (Choose 3 answers)
A. All objects have a URL.
B. Amazon S3 can store unlimited amounts of data.
C. Objects are world-readable by default.
D. Amazon S3 uses a REST (Representational State Transfer) Application Programming Interface (API).
E. You must pre-allocate the storage in a bucket.
4. Which features can be used to restrict access to Amazon Simple Storage Service (Amazon S3) data? (Choose 3 answers)
A. Enable static website hosting on the bucket.
B. Create a pre-signed URL for an object.
C. Use an Amazon S3 Access Control List (ACL) on a bucket or object.
D. Use a lifecycle policy.
E. Use an Amazon S3 bucket policy.
5. Your application stores critical data in Amazon Simple Storage Service (Amazon S3), which must be protected against inadvertent or intentional deletion. How can this data be protected? (Choose 2 answers)
A. Use cross-region replication to copy data to another bucket automatically.
B. Set a vault lock.
C. Enable versioning on the bucket.
D. Use a lifecycle policy to migrate data to Amazon Glacier.
E. Enable MFA Delete on the bucket.
6. Your company stores documents in Amazon Simple Storage Service (Amazon S3), but it wants to minimize cost. Most documents are used actively for only about a month, then much less frequently. However, all data needs to be available within minutes when requested. How can you meet these requirements?
A. Migrate the data to Amazon S3 Reduced Redundancy Storage (RRS) after 30 days.
B. Migrate the data to Amazon Glacier after 30 days.
C. Migrate the data to Amazon S3 Standard–Infrequent Access (IA) after 30 days.
D. Turn on versioning, then migrate the older version to Amazon Glacier.
7. How is data stored in Amazon Simple Storage Service (Amazon S3) for high durability?
A. Data is automatically replicated to other regions.
B. Data is automatically replicated within a region.
C. Data is replicated only if versioning is enabled on the bucket.
D. Data is automatically backed up on tape and restored if needed.
8. Based on the following Amazon Simple Storage Service (Amazon S3) URL, which one of the following statements is correct?
https://bucket1.abc.com.s3.amazonaws.com/folderx/myfile.doc
A. The object "myfile.doc" is stored in the folder "folderx" in the bucket "bucket1.abc.com."
B. The object "myfile.doc" is stored in the bucket "bucket1.abc.com."
C. The object "folderx/myfile.doc" is stored in the bucket "bucket1.abc.com."
D. The object "myfile.doc" is stored in the bucket "bucket1."
9. To have a record of who accessed your Amazon Simple Storage Service (Amazon S3) data and from where, you should do what?
A. Enable versioning on the bucket.
B. Enable website hosting on the bucket.
C. Enable server access logs on the bucket.
D. Create an AWS Identity and Access Management (IAM) bucket policy.
E. Enable Amazon CloudWatch logs.
10. What are some reasons to enable cross-region replication on an Amazon Simple Storage Service (Amazon S3) bucket? (Choose 2 answers)
A. You want a backup of your data in case of accidental deletion.
B. You have a set of users or customers who can access the second bucket with lower latency.
C. For compliance reasons, you need to store data in a location at least 300 miles away from the first region.
D. Your data needs at least five nines of durability.
11. Your company requires that all data sent to external storage be encrypted before being sent. Which Amazon Simple Storage Service (Amazon S3) encryption solution will meet this requirement?
A. Server-Side Encryption (SSE) with AWS-managed keys (SSE-S3)
B. SSE with customer-provided keys (SSE-C)
C. Client-side encryption with customer-managed keys
D. Server-side encryption with AWS Key Management Service (AWS KMS) keys (SSE-KMS)
12. You have a popular web application that accesses data stored in an Amazon Simple Storage Service (Amazon S3) bucket. You expect the access to be very read-intensive, with expected request rates of up to 500 GETs per second from many clients. How can you increase the performance and scalability of Amazon S3 in this case?
A. Turn on cross-region replication to ensure that data is served from multiple locations.
B. Ensure randomness in the namespace by including a hash prefix to key names.
C. Turn on server access logging.
D. Ensure that key names are sequential to enable pre-fetch.
13. What is needed before you can enable cross-region replication on an Amazon Simple Storage Service (Amazon S3) bucket? (Choose 2 answers)
A. Enable versioning on the bucket.
B. Enable a lifecycle rule to migrate data to the second region.
C. Enable static website hosting.
D. Create an AWS Identity and Access Management (IAM) policy to allow Amazon S3 to replicate objects on your behalf.
14. Your company has 100 TB of financial records that need to be stored for seven years by law. Experience has shown that any record more than one year old is unlikely to be accessed. Which of the following storage plans meets these needs in the most cost-efficient manner?
A. Store the data on Amazon Elastic Block Store (Amazon EBS) volumes attached to t2.micro instances.
B. Store the data on Amazon Simple Storage Service (Amazon S3) with lifecycle policies that change the storage class to Amazon Glacier after one year and delete the object after seven years.
C. Store the data in Amazon DynamoDB and run a daily script to delete data older than seven years.
D. Store the data in Amazon Elastic MapReduce (Amazon EMR).
15. Amazon Simple Storage Service (S3) bucket policies can restrict access to an Amazon S3 bucket and objects by which of the following? (Choose 3 answers)
A. Company name
B. IP address range
C. AWS account
D. Country of origin
E. Objects with a specific prefix
16. Amazon Simple Storage Service (Amazon S3) is an eventually consistent storage system. For what kinds of operations is it possible to get stale data as a result of eventual consistency? (Choose 2 answers)
A. GET after PUT of a new object
B. GET or LIST after a DELETE
C. GET after overwrite PUT (PUT to an existing key)
D. DELETE after PUT of new object
17. What must be done to host a static website in an Amazon Simple Storage Service (Amazon S3) bucket? (Choose 3 answers)
A. Configure the bucket for static hosting and specify an index and error document.
B. Create a bucket with the same name as the website.
C. Enable File Transfer Protocol (FTP) on the bucket.
D. Make the objects in the bucket world-readable.
E. Enable HTTP on the bucket.
18. You have valuable media files hosted on AWS and want them to be served only to authenticated users of your web application. You are concerned that your content could be stolen and distributed for free. How can you protect your content?
A. Use static web hosting.
B. Generate pre-signed URLs for content in the web application.
C. Use AWS Identity and Access Management (IAM) policies to restrict access.
D. Use logging to track your content.
19. Amazon Glacier is well-suited to data that is which of the following? (Choose 2 answers)
A. Is infrequently or rarely accessed
B. Must be immediately available when needed
C. Is available after a three- to five-hour restore period
D. Is frequently erased within 30 days
20. Which statements about Amazon Glacier are true? (Choose 3 answers)
A. Amazon Glacier stores data in objects that live in archives.
B. Amazon Glacier archives are identified by user-specified key names.
C. Amazon Glacier archives take three to five hours to restore.
D. Amazon Glacier vaults can be locked.
E. Amazon Glacier can be used as a standalone service and as an Amazon S3 storage class.
Chapter 3
Amazon Elastic Compute Cloud (Amazon EC2) and Amazon Elastic Block Store (Amazon EBS)

THE AWS CERTIFIED SOLUTIONS ARCHITECT ASSOCIATE EXAM OBJECTIVES COVERED IN THIS CHAPTER MAY INCLUDE, BUT ARE NOT LIMITED TO, THE FOLLOWING:

Domain 1.0: Designing highly available, cost-efficient, fault-tolerant, scalable systems
1.1 Identify and recognize cloud architecture considerations, such as fundamental components and effective designs.
Content may include the following:
How to design cloud services
Planning and design
Monitoring and logging

Domain 2.0: Implementation/Deployment
2.1 Identify the appropriate techniques and methods using Amazon EC2, Amazon Simple Storage Service (Amazon S3), AWS Elastic Beanstalk, AWS CloudFormation, AWS OpsWorks, Amazon Virtual Private Cloud (Amazon VPC), and AWS Identity and Access Management (IAM) to code and implement a cloud solution.
Content may include the following:
Configure an Amazon Machine Image (AMI)
Configure services to support compliance requirements in the cloud
Launch instances across the AWS global infrastructure

Domain 3.0: Data Security
3.2 Recognize critical disaster recovery techniques and their implementation.
Content may include the following:
Disaster recovery
Amazon EB
Introduction

In this chapter, you learn how Amazon Elastic Compute Cloud (Amazon EC2) and Amazon Elastic Block Store (Amazon EBS) provide the basic elements of compute and block-level storage to run your workloads on AWS. It focuses on key topics you need to understand for the exam, including:
How instance types and Amazon Machine Images (AMIs) define the capabilities of instances you launch on the cloud
How to securely access your instances running on the cloud
How to protect your instances with virtual firewalls called security groups
How to have your instances configure themselves for unattended launch
How to monitor and manage your instances on the cloud
How to change the capabilities of an existing instance
The payment options available for the best mix of affordability and flexibility
How tenancy options and placement groups provide options to optimize compliance and performance
How instance stores differ from Amazon EBS volumes and when they are effective
What types of volumes are available through Amazon EBS
How to protect your data on Amazon EBS
Amazon Elastic Compute Cloud (Amazon EC2)

Amazon EC2 is AWS's primary web service that provides resizable compute capacity in the cloud.

Compute Basics

Compute refers to the amount of computational power required to fulfill your workload. If your workload is very small, such as a website that receives few visitors, then your compute needs are very small. A large workload, such as screening ten million compounds against a common cancer target, might require a great deal of compute. The amount of compute you need might change drastically over time.

Amazon EC2 allows you to acquire compute through the launching of virtual servers called instances. When you launch an instance, you can make use of the compute as you wish, just as you would with an on-premises server. Because you are paying for the computing power of the instance, you are charged per hour while the instance is running. When you stop the instance, you are no longer charged.

There are two concepts that are key to launching instances on AWS: (1) the amount of virtual hardware dedicated to the instance and (2) the software loaded on the instance. These two dimensions of new instances are controlled, respectively, by the instance type and the AMI.

Instance Types

The instance type defines the virtual hardware supporting an Amazon EC2 instance. There are dozens of instance types available, varying in the following dimensions:
Virtual CPUs (vCPUs)
Memory
Storage (size and type)
Network performance

Instance types are grouped into families based on the ratio of these values to each other. For instance, the m4 family provides a balance of compute, memory, and network resources, and it is a good choice for many applications. Within each family there are several choices that scale up linearly in size. Figure 3.1 shows the four instance sizes in the m4 family. Note that the ratio of vCPUs to memory is constant as the sizes scale linearly. The hourly price for each size scales linearly as well. For example, an m4.xlarge instance costs twice as much as the m4.large instance.
FIGURE 3.1 Memory and vCPUs for the m4 instance family

Different instance type families tilt the ratio to accommodate different types of workloads, but they all exhibit this linear scale up behavior within the family. Table 3.1 lists some of the families available.

TABLE 3.1 Sample Instance Type Families

| Family | Description |
| --- | --- |
| c4 | Compute optimized—For workloads requiring significant processing |
| r3 | Memory optimized—For memory-intensive workloads |
| i2 | Storage optimized—For workloads requiring high amounts of fast SSD storage |
| g2 | GPU-based instances—Intended for graphics and general-purpose GPU compute workloads |

In response to customer demand and to take advantage of new processor technology, AWS occasionally introduces new instance families. Check the AWS website for the current list.

Another variable to consider when choosing an instance type is network performance. For most instance types, AWS publishes a relative measure of network performance: low, moderate, or high. Some instance types specify a network performance of 10 Gbps. The network performance increases within a family as the instance type grows.

For workloads requiring greater network performance, many instance types support enhanced networking. Enhanced networking reduces the impact of virtualization on network performance by enabling a capability called Single Root I/O Virtualization (SR-IOV). This results in more Packets Per Second (PPS), lower latency, and less jitter. At the time of this writing, there are instance types that support enhanced networking in the C3, C4, D2, I2, M4, and R3 families (consult the AWS documentation for a current list). Enabling enhanced networking on an instance involves ensuring the correct drivers are installed and modifying an instance attribute. Enhanced networking is available only for instances launched in an Amazon Virtual Private Cloud (Amazon VPC), which is discussed in Chapter 4, “Amazon Virtual Private Cloud (Amazon VPC).”
Amazon Machine Images (AMIs)

The Amazon Machine Image (AMI) defines the initial software that will be on an instance when it is launched. An AMI defines every aspect of the software state at instance launch, including:
The Operating System (OS) and its configuration
The initial state of any patches
Application or system software

All AMIs are based on x86 OSs, either Linux or Windows.

There are four sources of AMIs:

Published by AWS—AWS publishes AMIs with versions of many different OSs, both Linux and Windows. These include multiple distributions of Linux (including Ubuntu, Red Hat, and Amazon’s own distribution) and Windows 2008 and Windows 2012. Launching an instance based on one of these AMIs will result in the default OS settings, similar to installing an OS from the standard OS ISO image. As with any OS installation, you should immediately apply all appropriate patches upon launch.

The AWS Marketplace—AWS Marketplace is an online store that helps customers find, buy, and immediately start using the software and services that run on Amazon EC2. Many AWS partners have made their software available in the AWS Marketplace. This provides two benefits: the customer does not need to install the software, and the license agreement is appropriate for the cloud. Instances launched from an AWS Marketplace AMI incur the standard hourly cost of the instance type plus an additional per-hour charge for the additional software (some open-source AWS Marketplace packages have no additional software charge).

Generated from Existing Instances—An AMI can be created from an existing Amazon EC2 instance. This is a very common source of AMIs. Customers launch an instance from a published AMI, and then the instance is configured to meet all the customer’s corporate standards for updates, management, security, and so on. An AMI is then generated from the configured instance and used to generate all instances of that OS. In this way, all new instances follow the corporate standard and it is more difficult for individual projects to launch non-conforming instances.
Uploaded Virtual Servers—Using the AWS VM Import/Export service, customers can create images from various virtualization formats, including raw, VHD, VMDK, and OVA. The current list of supported OSs (Linux and Windows) can be found in the AWS documentation. It is incumbent on the customers to remain compliant with the licensing terms of their OS vendor.

Securely Using an Instance

Once launched, instances can be managed over the Internet. AWS has several services and features to ensure that this management can be done simply and securely.

Addressing an Instance

There are several ways that an instance may be addressed over the web upon creation:

Public Domain Name System (DNS) Name—When you launch an instance, AWS creates a DNS name that can be used to access the instance. This DNS name is generated automatically and cannot be specified by the customer. The name can be found in the Description tab of the AWS Management Console or via the Command Line Interface (CLI) or Application Programming Interface (API). This DNS name persists only while the instance is running and cannot be transferred to another instance.

Public IP—A launched instance may also have a public IP address assigned. This IP address is assigned from the addresses reserved by AWS and cannot be specified. This IP address is unique on the Internet, persists only while the instance is running, and cannot be transferred to another instance.

Elastic IP—An elastic IP address is an address unique on the Internet that you reserve independently and associate with an Amazon EC2 instance. While similar to a public IP, there are some key differences. This IP address persists until the customer releases it and is not tied to the lifetime or state of an individual instance. Because it can be transferred to a replacement instance in the event of an instance failure, it is a public address that can be shared externally without coupling clients to a particular instance.

Private IP addresses and Elastic Network Interfaces (ENIs) are additional methods of addressing instances that are available in the context of an Amazon VPC. These are discussed in Chapter 4.

Initial Access

Amazon EC2 uses public-key cryptography to encrypt and decrypt login information. Public-key cryptography uses a public key to encrypt a piece of data and an associated private key to decrypt the data. These two keys together are called a key pair. Key pairs can be created through the AWS Management Console, CLI, or API, or customers can upload their own key pairs. AWS stores the public key, and the private key is kept by the customer. The private key is essential to acquiring secure access to an instance for the first time.
Store your private keys securely.

When Amazon EC2 launches a Linux instance, the public key is stored in the ~/.ssh/authorized_keys file on the instance and an initial user is created. The initial user can vary depending on the OS. For example, the Amazon Linux distribution initial user is ec2-user. Initial access to the instance is obtained by using the ec2-user and the private key to log in via SSH. At this point, you can configure other users and enroll in a directory such as LDAP.

When launching a Windows instance, Amazon EC2 generates a random password for the local administrator account and encrypts the password using the public key. Initial access to the instance is obtained by decrypting the password with the private key, either in the console or through the API. The decrypted password can be used to log in to the instance with the local administrator account via RDP. At this point, you can create other local users and/or connect to an Active Directory domain.

It is a best practice to change the initial local administrator password.

Virtual Firewall Protection

AWS allows you to control traffic in and out of your instances through virtual firewalls called security groups. Security groups allow you to control traffic based on port, protocol, and source/destination. Security groups have different capabilities depending on whether they are associated with an Amazon VPC or Amazon EC2-Classic. Table 3.2 compares these different capabilities (Amazon VPC is discussed in Chapter 4).

TABLE 3.2 Different Security Groups

| Type of Security Group | Capabilities |
| --- | --- |
| EC2-Classic Security Groups | Control outgoing instance traffic |
| VPC Security Groups | Control outgoing and incoming instance traffic |

Security groups are associated with instances when they are launched. Every instance must have at least one security group but can have more.

A security group is default deny; that is, it does not allow any traffic that is not explicitly allowed by a security group rule. A rule is defined by the three attributes in Table 3.3. When an instance is associated with multiple security groups, the rules are aggregated and all traffic allowed by each of the individual groups is allowed. For example, if security group A allows RDP traffic from 72.58.0.0/16 and security group B allows HTTP and HTTPS traffic from 0.0.0.0/0 and your instance is associated with both groups, then both the RDP and HTTP/S traffic will be allowed into your instance.
TABLE 3.3 Security Group Rule Attributes

| Attribute | Meaning |
| --- | --- |
| Port | The port number affected by this rule. For instance, port 80 for HTTP traffic. |
| Protocol | The communications standard for the traffic affected by this rule. |
| Source/Destination | Identifies the other end of the communication, the source for incoming traffic rules, or the destination for outgoing traffic rules. The source/destination can be defined in two ways: CIDR block—An x.x.x.x/x style definition that defines a specific range of IP addresses. Security group—Includes any instance that is associated with the given security group. This helps prevent coupling security group rules with specific IP addresses. |

A security group is a stateful firewall; that is, an outgoing message is remembered so that the response is allowed through the security group without an explicit inbound rule being required.

Security groups are applied at the instance level, as opposed to a traditional on-premises firewall that protects at the perimeter. The effect of this is that instead of having to breach a single perimeter to access all the instances in your security group, an attacker would have to breach the security group repeatedly for each individual instance.
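The evaluation rules above (default deny, aggregation of rules across attached groups, and stateful admission of replies) can be modelled in a few dozen lines. This is an added example, not code from the study guide or from AWS: the group names and the client addresses are constructed, and it covers only CIDR sources, not the "security group as source" form from Table 3.3.

```python
import ipaddress
from dataclasses import dataclass

# Added example, not from the study guide: a minimal model of how inbound
# security group rules are evaluated. Group names and addresses are constructed.


@dataclass(frozen=True)
class Rule:
    protocol: str  # "tcp", "udp", "icmp" or "-1" for any protocol
    port: int      # destination port for tcp/udp; ignored for icmp and "-1"
    source: str    # CIDR block the traffic must come from, e.g. "72.58.0.0/16"


@dataclass(frozen=True)
class SecurityGroup:
    name: str
    inbound: tuple  # tuple of Rule; a group only ever allows, never denies


def rule_matches(rule: Rule, protocol: str, port: int, src_ip: str) -> bool:
    """True when this single rule covers the protocol, port and source."""
    if rule.protocol != "-1" and rule.protocol != protocol:
        return False
    if rule.protocol in ("tcp", "udp") and rule.port != port:
        return False
    network = ipaddress.ip_network(rule.source, strict=False)
    return ipaddress.ip_address(src_ip) in network


def inbound_allowed(groups, protocol: str, port: int, src_ip: str) -> bool:
    """Default deny: traffic passes only if some rule of some attached group
    matches. With several groups the rule sets are simply unioned."""
    return any(rule_matches(r, protocol, port, src_ip)
               for g in groups for r in g.inbound)


class StatefulFilter:
    """Stateful behaviour: an outbound flow is remembered, so its reply is
    admitted even though no inbound rule covers the ephemeral port."""

    def __init__(self, groups):
        self.groups = tuple(groups)
        self._flows = set()  # (protocol, remote_ip, remote_port, local_port)

    def outbound(self, protocol, dst_ip, dst_port, src_port):
        self._flows.add((protocol, dst_ip, dst_port, src_port))

    def inbound(self, protocol, src_ip, src_port, dst_port):
        if (protocol, src_ip, src_port, dst_port) in self._flows:
            return True  # reply to a tracked outbound connection
        return inbound_allowed(self.groups, protocol, dst_port, src_ip)


# The chapter's example: group A admits RDP from 72.58.0.0/16, group B admits
# HTTP and HTTPS from anywhere; the instance is attached to both.
GROUP_A = SecurityGroup("A-rdp-from-office", (Rule("tcp", 3389, "72.58.0.0/16"),))
GROUP_B = SecurityGroup("B-web", (Rule("tcp", 80, "0.0.0.0/0"),
                                  Rule("tcp", 443, "0.0.0.0/0")))


if __name__ == "__main__":
    both = (GROUP_A, GROUP_B)
    print("RDP from 72.58.12.3   :", inbound_allowed(both, "tcp", 3389, "72.58.12.3"))
    print("RDP from 203.0.113.7  :", inbound_allowed(both, "tcp", 3389, "203.0.113.7"))
    print("HTTPS from 203.0.113.7:", inbound_allowed(both, "tcp", 443, "203.0.113.7"))
    f = StatefulFilter(both)
    f.outbound("tcp", "198.51.100.9", 443, 51000)   # the instance calls out
    print("reply to our request  :", f.inbound("tcp", "198.51.100.9", 443, 51000))
```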
The Lifecycle of Instances

Amazon EC2 has several features and services that facilitate the management of Amazon EC2 instances over their entire lifecycle.

Launching

There are several additional services that are useful when launching new Amazon EC2 instances.

Bootstrapping

A great benefit of the cloud is the ability to script virtual hardware management in a manner that is not possible with on-premises hardware. In order to realize the value of this, there has to be some way to configure instances and install applications programmatically when an instance is launched. The process of providing code to be run on an instance at launch is called bootstrapping.

One of the parameters when an instance is launched is a string value called UserData. This string is passed to the operating system to be executed as part of the launch process the first time the instance is booted. On Linux instances this can be a shell script, and on Windows instances this can be a batch style script or a PowerShell script. The script can perform tasks such as:
Applying patches and updates to the OS
Enrolling in a directory service
Installing application software
Copying a longer script or program from storage to be run on the instance
Installing Chef or Puppet and assigning the instance a role so the configuration management software can configure the instance

UserData is stored with the instance and is not encrypted, so it is important to not include any secrets such as passwords or keys in the UserData.
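A simple guard for the caveat above is to scan user data for key material before launching. This is an added example, not from the study guide: the patterns, the bucket name and both constructed scripts are assumptions, and the scan is a heuristic, not proof that a script is secret-free.

```python
import re

# Added example, not from the study guide: a pre-launch check that flags user
# data carrying material that would sit unencrypted in the launch parameters.
# The regexes and the two constructed scripts below are assumptions.

SECRET_PATTERNS = {
    "private key block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "AWS access key id": re.compile(r"AKIA[0-9A-Z]{16}"),
    "password/secret assignment":
        re.compile(r"(?i)(password|passwd|pwd|secret|token)\s*[=:]\s*\S+"),
}


def find_secrets(user_data: str):
    """Return (line number, finding) pairs for every suspicious line."""
    findings = []
    for lineno, line in enumerate(user_data.splitlines(), start=1):
        for label, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((lineno, label))
    return findings


def user_data_is_clean(user_data: str) -> bool:
    return not find_secrets(user_data)


# Constructed Linux user data doing the bootstrapping tasks the chapter lists:
# patching, installing software, and pulling a longer script from storage.
CLEAN_USER_DATA = """#!/bin/bash
yum update -y
yum install -y httpd
aws s3 cp s3://example-bucket/bootstrap/configure.sh /root/configure.sh
bash /root/configure.sh
"""

# The same idea with credentials pasted in (all values constructed): the check
# must reject this before it is ever passed to a launch call.
LEAKY_USER_DATA = """#!/bin/bash
yum update -y
export DB_PASSWORD=Hunter2!
export AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE01
cat > /root/.ssh/id_rsa <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
EOF
"""


if __name__ == "__main__":
    print("clean script ok:", user_data_is_clean(CLEAN_USER_DATA))
    for lineno, what in find_secrets(LEAKY_USER_DATA):
        print(f"line {lineno}: {what}")
```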
VM Import/Export

In addition to importing virtual instances as AMIs, VM Import/Export enables you to easily import Virtual Machines (VMs) from your existing environment as an Amazon EC2 instance and export them back to your on-premises environment. You can only export previously imported Amazon EC2 instances. Instances launched within AWS from AMIs cannot be exported.

Instance Metadata

Instance metadata is data about your instance that you can use to configure or manage the running instance. This is unique in that it is a mechanism to obtain AWS properties of the instance from within the OS without making a call to the AWS API. An HTTP call to http://169.254.169.254/latest/meta-data/ will return the top node of the instance metadata tree. Instance metadata includes a wide variety of attributes, including:
The associated security groups
The instance ID
The instance type
The AMI used to launch the instance

This only begins to scratch the surface of the information available in the metadata. Consult the AWS documentation for a full list.

Managing Instances

When the number of instances in your account starts to climb, it can become difficult to keep track of them. Tags can help you manage not just your Amazon EC2 instances, but also many of your AWS Cloud services. Tags are key/value pairs you can associate with your instance or other service. Tags can be used to identify attributes of an instance like project, environment (dev, test, and so on), billable department, and so forth. You can apply up to 10 tags per instance. Table 3.4 shows some tag suggestions.

TABLE 3.4 Sample Tags

| Key | Value |
| --- | --- |
| Project | TimeEntry |
| Environment | Production |
| BillingCode | 4004 |
Monitoring Instances

AWS offers a service called Amazon CloudWatch that provides monitoring and alerting for Amazon EC2 instances, and also other AWS infrastructure. Amazon CloudWatch is discussed in detail in Chapter 5, “Elastic Load Balancing, Amazon CloudWatch, and Auto Scaling.”
Modifying an Instance

There are several aspects of an instance that can be modified after launch.

Instance Type

The ability to change the instance type of an instance contributes greatly to the agility of running workloads in the cloud. Instead of committing to a certain hardware configuration months before a workload is launched, the workload can be launched using a best estimate for the instance type. If the compute needs prove to be higher or lower than expected, the instances can be changed to a different size more appropriate to the workload.

Instances can be resized using the AWS Management Console, CLI, or API. To resize an instance, set the state to Stopped. Choose the “Change Instance Type” function in the tool of your choice (the instance type is listed as an Instance Setting in the console and an Instance Attribute in the CLI) and select the desired instance type. Restart the instance and the process is complete.

Security Groups

If an instance is running in an Amazon VPC (discussed in Chapter 4), you can change which security groups are associated with an instance while the instance is running. For instances outside of an Amazon VPC (called EC2-Classic), the association of the security groups cannot be changed after launch.

Termination Protection

When an Amazon EC2 instance is no longer needed, the state can be set to Terminated and the instance will be shut down and removed from the AWS infrastructure. In order to prevent termination via the AWS Management Console, CLI, or API, termination protection can be enabled for an instance. While enabled, calls to terminate the instance will fail until termination protection is disabled. This helps to prevent accidental termination through human error.

Note that this just protects from termination calls from the AWS Management Console, CLI, or API. It does not prevent termination triggered by an OS shutdown command, termination from an Auto Scaling group (discussed in Chapter 5), or termination of a Spot Instance due to Spot price changes (discussed in the next section).

Options

There are several additional options available in Amazon EC2 to improve cost optimization, security, and performance that are important to know for the exam.

Pricing Options

You are charged for Amazon EC2 instances for each hour that they are in a running state, but the amount you are charged per hour can vary based on three pricing options: On-Demand Instances, Reserved Instances, and Spot Instances.

On-Demand Instances

The price per hour for each instance type published on the AWS website represents the price for On-Demand Instances. This is the most flexible pricing option, as it requires no up-front commitment, and the customer has control over when the instance is launched and when it is terminated. It is the least cost effective of the three pricing options per compute hour, but its flexibility allows customers to save by provisioning a variable level of compute for unpredictable workloads.
Reserved Instances

The Reserved Instance pricing option enables customers to make capacity reservations for predictable workloads. By using Reserved Instances for these workloads, customers can save up to 75 percent over the on-demand hourly rate. When purchasing a reservation, the customer specifies the instance type and Availability Zone for that Reserved Instance and achieves a lower effective hourly price for that instance for the duration of the reservation. An additional benefit is that capacity in the AWS data centers is reserved for that customer. There are two factors that determine the cost of the reservation: the term commitment and the payment option.

The term commitment is the duration of the reservation and can be either one or three years. The longer the commitment, the bigger the discount.

There are three different payment options for Reserved Instances:

All Upfront—Pay for the entire reservation up front. There is no monthly charge for the customer during the term.

Partial Upfront—Pay a portion of the reservation charge up front and the rest in monthly installments for the duration of the term.

No Upfront—Pay the entire reservation charge in monthly installments for the duration of the term.

The amount of the discount is greater the more the customer pays up front.

For example, let’s look at the effect of an all upfront, three-year reservation on the effective hourly cost of an m4.2xlarge instance. The cost of running one instance continuously for three years (or 26,280 hours) at both pricing options is shown in Table 3.5.

TABLE 3.5 Reserved Instance Pricing Example

| Pricing Option | Effective Hourly Cost | Total Three-Year Cost |
| --- | --- | --- |
| On-Demand | $0.479/hour | $0.479/hour * 26,280 hours = $12,588.12 |
| Three-Year All Upfront Reservation | $4,694 / 26,280 hours = $0.1786/hour | $4,694 |
| Savings | | 63% |

This example uses the published prices at the time of this writing. AWS has lowered prices many times to date, so check the AWS website for current pricing information.
When your computing needs change, you can modify your Reserved Instances and continue to benefit from your capacity reservation. Modification does not change the remaining term of your Reserved Instances; their end dates remain the same. There is no fee, and you do not receive any new bills or invoices. Modification is separate from purchasing and does not affect how you use, purchase, or sell Reserved Instances. You can modify your whole reservation, or just a subset, in one or more of the following ways:
Switch Availability Zones within the same region.
Change between EC2-VPC and EC2-Classic.
Change the instance type within the same instance family (Linux instances only).
Spot Instances

For workloads that are not time critical and are tolerant of interruption, Spot Instances offer the greatest discount. With Spot Instances, customers specify the price they are willing to pay for a certain instance type. When the customer’s bid price is above the current Spot price, the customer will receive the requested instance(s). These instances will operate like all other Amazon EC2 instances, and the customer will only pay the Spot price for the hours that instance(s) run. The instances will run until:
The customer terminates them.
The Spot price goes above the customer’s bid price.
There is not enough unused capacity to meet the demand for Spot Instances.

If Amazon EC2 needs to terminate a Spot Instance, the instance will receive a termination notice providing a two-minute warning prior to Amazon EC2 terminating the instance.

Because of the possibility of interruption, Spot Instances should only be used for workloads tolerant of interruption. This could include analytics, financial modeling, big data, media encoding, scientific computing, and testing.

Architectures with Different Pricing Models

For the exam, it’s important to know how to take advantage of the different pricing models to create a cost-efficient architecture. Such an architecture may include different pricing models within the same workload. For instance, a website that averages 5,000 visits a day, but ramps up to 20,000 visits a day during periodic peaks, may purchase two Reserved Instances to handle the average traffic, but depend on On-Demand Instances to fulfill compute needs during the peak times. Figure 3.2 shows such an architecture.
FIGURE 3.2 A workload using a mix of On-Demand and Reserved Instances
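The arithmetic behind Table 3.5 and the Figure 3.2 design, carried a step further to the break-even utilisation at which a reservation starts to beat On-Demand. This is an added example, not from the study guide: the prices are the ones the chapter quotes, while the instance counts and the share of the year spent at peak are constructed assumptions.

```python
# Added example, not from the study guide: Table 3.5 recomputed, plus the cost
# of the mixed Reserved/On-Demand design of Figure 3.2. Prices are the chapter's
# figures; the peak-traffic scenario at the bottom is constructed.

HOURS_PER_YEAR = 8760                 # 3 years = 26,280 hours, as in Table 3.5
ON_DEMAND_HOURLY_M4_2XLARGE = 0.479   # $/hour (chapter figure)
ALL_UPFRONT_3YR_M4_2XLARGE = 4694.0   # $ paid once (chapter figure)


def on_demand_total(hourly: float, years: int) -> float:
    """Cost of running one On-Demand instance continuously for the term."""
    return hourly * years * HOURS_PER_YEAR


def effective_hourly(upfront: float, years: int) -> float:
    """All-upfront price spread over every hour of the term."""
    return upfront / (years * HOURS_PER_YEAR)


def savings_fraction(hourly: float, upfront: float, years: int) -> float:
    od = on_demand_total(hourly, years)
    return (od - upfront) / od


def breakeven_utilisation(hourly: float, upfront: float, years: int) -> float:
    """Share of the term an instance must actually run before an all-upfront
    reservation costs less than paying On-Demand for the same hours. Below
    this, On-Demand's flexibility is also the cheaper choice."""
    return upfront / on_demand_total(hourly, years)


def mixed_architecture_cost(reserved: int, peak_instances: int,
                            peak_hours_per_year: float, years: int,
                            hourly: float = ON_DEMAND_HOURLY_M4_2XLARGE,
                            upfront: float = ALL_UPFRONT_3YR_M4_2XLARGE) -> float:
    """Reserved Instances carry the steady load; the extra On-Demand
    instances are only paid for during the peak hours (Figure 3.2)."""
    reserved_cost = reserved * upfront
    extra = max(peak_instances - reserved, 0)
    on_demand_cost = extra * hourly * peak_hours_per_year * years
    return reserved_cost + on_demand_cost


if __name__ == "__main__":
    print(f"effective hourly : ${effective_hourly(4694.0, 3):.4f}")
    print(f"savings          : {savings_fraction(0.479, 4694.0, 3):.0%}")
    print(f"break-even usage : {breakeven_utilisation(0.479, 4694.0, 3):.0%}")
    # Constructed scenario: 2 reserved for the 5,000-visit baseline, 8 needed
    # for the 20,000-visit peaks, peaks taking roughly 10% of the year (876 h).
    mixed = mixed_architecture_cost(2, 8, 876, 3)
    all_on_demand = 8 * on_demand_total(0.479, 3)
    print(f"mixed ${mixed:,.2f} vs all On-Demand ${all_on_demand:,.2f}")
```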
Tenancy Options

There are several tenancy options for Amazon EC2 instances that can help customers achieve security and compliance goals.

Shared Tenancy

Shared tenancy is the default tenancy model for all Amazon EC2 instances, regardless of instance type, pricing model, and so forth. Shared tenancy means that a single host machine may house instances from different customers. As AWS does not use overprovisioning and fully isolates instances from other instances on the same host, this is a secure tenancy model.

Dedicated Instances

Dedicated Instances run on hardware that’s dedicated to a single customer. As a customer runs more Dedicated Instances, more underlying hardware may be dedicated to their account. Other instances in the account (those not designated as dedicated) will run on shared tenancy and will be isolated at the hardware level from the Dedicated Instances in the account.

Dedicated Host

An Amazon EC2 Dedicated Host is a physical server with Amazon EC2 instance capacity fully dedicated to a single customer’s use. Dedicated Hosts can help you address licensing requirements and reduce costs by allowing you to use your existing server-bound software licenses. The customer has complete control over which specific host runs an instance at launch. This differs from Dedicated Instances in that a Dedicated Instance can launch on any hardware that has been dedicated to the account.

Placement Groups

A placement group is a logical grouping of instances within a single Availability Zone. Placement groups enable applications to participate in a low-latency, 10 Gbps network. Placement groups are recommended for applications that benefit from low network latency, high network throughput, or both. Remember that this represents network connectivity between instances. To fully use this network performance for your placement group, choose an instance type that supports enhanced networking and 10 Gbps network performance.
Instance Stores

An instance store (sometimes referred to as ephemeral storage) provides temporary block-level storage for your instance. This storage is located on disks that are physically attached to the host computer. An instance store is ideal for temporary storage of information that changes frequently, such as buffers, caches, scratch data, and other temporary content, or for data that is replicated across a fleet of instances, such as a load-balanced pool of web servers.

The size and type of instance stores available with an Amazon EC2 instance depend on the instance type. At this writing, storage available with various instance types ranges from no instance stores up to twenty-four 2 TB instance stores. The instance type also determines the type of hardware for the instance store volumes. While some provide Hard Disk Drive (HDD) instance stores, other instance types use Solid State Drives (SSDs) to deliver very high random I/O performance.

Instance stores are included in the cost of an Amazon EC2 instance, so they are a very cost-effective solution for appropriate workloads. The key aspect of instance stores is that they are temporary. Data in the instance store is lost when:
The underlying disk drive fails.
The instance stops (the data will persist if an instance reboots).
The instance terminates.

Therefore, do not rely on instance stores for valuable, long-term data. Instead, build a degree of redundancy via RAID or use a file system that supports redundancy and fault tolerance such as Hadoop’s HDFS. Back up the data to more durable data storage solutions such as Amazon Simple Storage Service (Amazon S3) or Amazon EBS often enough to meet recovery point objectives.
Amazon Elastic Block Store (Amazon EBS)

While instance stores are an economical way to fulfill appropriate workloads, their limited persistence makes them ill-suited for many other workloads. For workloads requiring more durable block storage, Amazon provides Amazon EBS.

Elastic Block Store Basics

Amazon EBS provides persistent block-level storage volumes for use with Amazon EC2 instances. Each Amazon EBS volume is automatically replicated within its Availability Zone to protect you from component failure, offering high availability and durability. Amazon EBS volumes are available in a variety of types that differ in performance characteristics and price. Multiple Amazon EBS volumes can be attached to a single Amazon EC2 instance, although a volume can only be attached to a single instance at a time.

Types of Amazon EBS Volumes

Amazon EBS volumes are available in several different types. Types vary in areas such as underlying hardware, performance, and cost. It is important to know the properties of the different types so you can specify the most cost-efficient type that meets a workload’s performance demands on the exam.

Magnetic Volumes

Magnetic volumes have the lowest performance characteristics of all Amazon EBS volume types. As such, they cost the lowest per gigabyte. They are an excellent, cost-effective solution for appropriate workloads.

A magnetic Amazon EBS volume can range in size from 1 GB to 1 TB and will average 100 IOPS, but has the ability to burst to hundreds of IOPS. They are best suited for:
Workloads where data is accessed infrequently
Sequential reads
Situations where low-cost storage is a requirement

Magnetic volumes are billed based on the amount of data space provisioned, regardless of how much data you actually store on the volume.

General-Purpose SSD

General-purpose SSD volumes offer cost-effective storage that is ideal for a broad range of workloads. They deliver strong performance at a moderate price point that is suitable for a wide range of workloads.

A general-purpose SSD volume can range in size from 1 GB to 16 TB and provides a baseline performance of three IOPS per gigabyte provisioned, capping at 10,000 IOPS. For instance, if you provision a 1 TB volume, you can expect a baseline performance of 3,000 IOPS. A 5 TB volume will not provide a 15,000 IOPS baseline, as it would hit the cap at 10,000 IOPS.
General-purpose SSD volumes under 1 TB also feature the ability to burst to up to 3,000 IOPS for extended periods of time. For instance, if you have a 500 GB volume you can expect a baseline of 1,500 IOPS. Whenever you are not using these IOPS, they are accumulated as I/O credits. When your volume then has heavy traffic, it will use the I/O credits at a rate of up to 3,000 IOPS until they are depleted. At that point, your performance reverts to 1,500 IOPS. At 1 TB, the baseline performance of the volume is already at 3,000 IOPS, so bursting behavior does not apply.
General-purposeSSDvolumesarebilledbasedontheamountofdataspaceprovisioned,regardlessofhowmuchdatayouactuallystoreonthevolume.Theyaresuitedforawiderangeofworkloadswheretheveryhighestdiskperformanceisnotcritical,suchas:
Systembootvolumes
Small-tomedium-sizeddatabases
Developmentandtestenvironments
ProvisionedIOPSSSDProvisionedIOPSSSDvolumesaredesignedtomeettheneedsofI/O-intensiveworkloads,particularlydatabaseworkloadsthataresensitivetostorageperformanceandconsistencyinrandomaccessI/Othroughput.WhiletheyarethemostexpensiveAmazonEBSvolumetypepergigabyte,theyprovidethehighestperformanceofanyAmazonEBSvolumetypeinapredictablemanner.
AProvisionedIOPSSSDvolumecanrangeinsizefrom4GBto16TB.WhenyouprovisionaProvisionedIOPSSSDvolume,youspecifynotjustthesize,butalsothedesirednumberofIOPS,uptothelowerofthemaximumof30timesthenumberofGBofthevolume,or20,000IOPS.YoucanstripemultiplevolumestogetherinaRAID0configurationforlargersizeandgreaterperformance.AmazonEBSdeliverswithin10percentoftheprovisionedIOPSperformance99.9percentofthetimeoveragivenyear.
Pricing is based on the size of the volume and the amount of IOPS reserved. The cost per gigabyte is slightly more than that of general-purpose SSD volumes and is applied based on the size of the volume, not the amount of the volume used to store data. An additional monthly fee is applied based on the number of IOPS provisioned, whether they are consumed or not.
Provisioned IOPS SSD volumes provide predictable, high performance and are well suited for:
Critical business applications that require sustained IOPS performance
Large database workloads
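The sizing rules above (3 IOPS/GiB baseline capped at 10,000, a 3,000 IOPS burst for volumes under 1 TB, and Provisioned IOPS limited to the lower of 30 IOPS/GB or 20,000) are easy to get wrong when planning a volume. The following is an added example, not code from the study guide or from AWS, that encodes those rules and replays the I/O credit model the text describes second by second. The function names and the per-second replay are this example's own design; the text does not state a maximum credit balance, so none is modelled.

```python
"""EBS volume sizing rules as stated in the study guide text.

Constants are the figures from the text. gp2 = general-purpose SSD,
io1 = Provisioned IOPS SSD (the AWS API names for these types).
"""

GP2_IOPS_PER_GIB = 3
GP2_BASELINE_CAP = 10_000
GP2_BURST_IOPS = 3_000
GP2_BURST_MAX_GIB = 1_000        # volumes at or above 1 TB do not burst
GP2_MIN_GIB, GP2_MAX_GIB = 1, 16_384
IO1_IOPS_PER_GIB = 30
IO1_MAX_IOPS = 20_000
IO1_MIN_GIB, IO1_MAX_GIB = 4, 16_384


def gp2_baseline_iops(size_gib: int) -> int:
    """Baseline IOPS of a general-purpose SSD volume: 3 per GiB, capped at 10,000."""
    if not GP2_MIN_GIB <= size_gib <= GP2_MAX_GIB:
        raise ValueError(f"gp2 size must be {GP2_MIN_GIB}-{GP2_MAX_GIB} GiB, got {size_gib}")
    return min(GP2_IOPS_PER_GIB * size_gib, GP2_BASELINE_CAP)


def gp2_peak_iops(size_gib: int) -> int:
    """IOPS the volume can reach while it still holds credits (no burst at or above 1 TB)."""
    base = gp2_baseline_iops(size_gib)
    return max(base, GP2_BURST_IOPS) if size_gib < GP2_BURST_MAX_GIB else base


def io1_max_provisionable_iops(size_gib: int) -> int:
    """Largest IOPS figure you may request for a Provisioned IOPS volume of this size."""
    if not IO1_MIN_GIB <= size_gib <= IO1_MAX_GIB:
        raise ValueError(f"io1 size must be {IO1_MIN_GIB}-{IO1_MAX_GIB} GiB, got {size_gib}")
    return min(IO1_IOPS_PER_GIB * size_gib, IO1_MAX_IOPS)


def io1_min_size_for_iops(iops: int) -> int:
    """Smallest Provisioned IOPS volume that can carry `iops` (ceiling of iops/30, at least 4 GiB)."""
    if not 0 < iops <= IO1_MAX_IOPS:
        raise ValueError(f"io1 IOPS must be 1-{IO1_MAX_IOPS}, got {iops}")
    return max(IO1_MIN_GIB, -(-iops // IO1_IOPS_PER_GIB))


def simulate_gp2(size_gib: int, demand_per_second, initial_credits: int = 0):
    """Per-second replay of the credit bucket described in the text.

    Baseline IOPS left unused are banked as credits. Demand above baseline is
    served from credits at up to GP2_BURST_IOPS; once credits reach zero the
    volume delivers only its baseline. Returns (delivered IOPS per second,
    remaining credits). No upper bound on the credit balance is modelled here.
    """
    base = gp2_baseline_iops(size_gib)
    can_burst = size_gib < GP2_BURST_MAX_GIB
    credits = initial_credits
    delivered = []
    for demand in demand_per_second:
        if demand <= base:
            credits += base - demand          # idle capacity becomes credit
            delivered.append(demand)
        elif not can_burst:
            delivered.append(base)            # 1 TB and up: no burst, baseline only
        else:
            extra = min(demand, GP2_BURST_IOPS) - base
            spent = min(extra, credits)       # burst only as far as credits allow
            credits -= spent
            delivered.append(base + spent)
    return delivered, credits


if __name__ == "__main__":
    for gib in (100, 500, 1_000, 5_000):
        print(f"gp2 {gib:>5} GiB: baseline {gp2_baseline_iops(gib):>6}, peak {gp2_peak_iops(gib):>6}")
    print("io1 minimum size for 15,000 IOPS:", io1_min_size_for_iops(15_000), "GiB")
    print("500 GiB gp2 under 3,000 IOPS load with 3,000 credits:", simulate_gp2(500, [3_000] * 4, 3_000))
```

The replay shows the failure mode the text warns about: a 500 GB volume serves 3,000 IOPS only until its credits are gone and then drops to 1,500, so a sustained load above baseline has to be sized against the baseline figure, not the burst figure.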
Table 3.6 compares these Amazon EBS volume types.
TABLE 3.6 EBS Volume Type Comparison

| Characteristic | General-Purpose SSD | Provisioned IOPS SSD | Magnetic |
|---|---|---|---|
| Use cases | System boot volumes; virtual desktops; small-to-medium sized databases; development and test environments | Critical business applications that require sustained IOPS performance, or more than 10,000 IOPS or 160 MB/s of throughput per volume; large database workloads | Cold workloads where data is infrequently accessed; scenarios where the lowest storage cost is important |
| Volume size | 1 GiB–16 TiB | 4 GiB–16 TiB | 1 GiB–1 TiB |
| Maximum throughput | 160 MB/s | 320 MB/s | 40–90 MB/s |
| IOPS performance | Baseline performance of 3 IOPS/GiB (up to 10,000 IOPS) with the ability to burst to 3,000 IOPS for volumes under 1,000 GiB | Consistently performs at provisioned level, up to 20,000 IOPS maximum | Averages 100 IOPS, with the ability to burst to hundreds of IOPS |
At the time of this writing, AWS released two new HDD volume types: Throughput-Optimized HDD and Cold HDD. Over time, it is expected that these new types will eclipse the current magnetic volume type, fulfilling the needs of any workload requiring HDD performance.
Throughput-Optimized HDD volumes are low-cost HDD volumes designed for frequent-access, throughput-intensive workloads such as big data, data warehouses, and log processing. Volumes can be up to 16 TB with a maximum IOPS of 500 and maximum throughput of 500 MB/s. These volumes are significantly less expensive than general-purpose SSD volumes.
Cold HDD volumes are designed for less frequently accessed workloads, such as colder data requiring fewer scans per day. Volumes can be up to 16 TB with a maximum IOPS of 250 and maximum throughput of 250 MB/s. These volumes are significantly less expensive than Throughput-Optimized HDD volumes.
Amazon EBS-Optimized Instances
When using any volume type other than magnetic and Amazon EBS I/O is of consequence, it is important to use Amazon EBS-optimized instances to ensure that the Amazon EC2 instance is prepared to take advantage of the I/O of the Amazon EBS volume. An Amazon EBS-optimized instance uses an optimized configuration stack and provides additional, dedicated capacity for Amazon EBS I/O. This optimization provides the best performance for your Amazon EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance. When you select Amazon EBS-optimized for an instance, you pay an additional hourly charge for that instance. Check the AWS documentation to confirm which instance types are available as Amazon EBS-optimized instances.
Protecting Data
Over the lifecycle of an Amazon EBS volume, there are several practices and services that you should know about when taking the exam.
Backup/Recovery (Snapshots)
You can back up the data on your Amazon EBS volumes, regardless of volume type, by taking point-in-time snapshots. Snapshots are incremental backups, which means that only the blocks on the device that have changed since your most recent snapshot are saved.
Taking Snapshots
You can take snapshots in many ways:
Through the AWS Management Console
Through the CLI
Through the API
By setting up a schedule of regular snapshots
Data for the snapshot is stored using Amazon S3 technology. The action of taking a snapshot is free. You pay only the storage costs for the snapshot data.
When you request a snapshot, the point-in-time snapshot is created immediately and the volume may continue to be used, but the snapshot may remain in pending status until all the modified blocks have been transferred to Amazon S3.
It's important to know that while snapshots are stored using Amazon S3 technology, they are stored in AWS-controlled storage and not in your account's Amazon S3 buckets. This means you cannot manipulate them like other Amazon S3 objects. Rather, you must use the Amazon EBS snapshot features to manage them. Snapshots are constrained to the region in which they are created, meaning you can use them to create new volumes only in the same region. If you need to restore a snapshot in a different region, you can copy a snapshot to another region.
Creating a Volume from a Snapshot
To use a snapshot, you create a new Amazon EBS volume from the snapshot. When you do this, the volume is created immediately but the data is loaded lazily. This means that the volume can be accessed upon creation, and if the data being requested has not yet been restored, it will be restored upon first request. Because of this, it is a best practice to initialize a volume created from a snapshot by accessing all the blocks in the volume.
Snapshots can also be used to increase the size of an Amazon EBS volume. To increase the size of an Amazon EBS volume, take a snapshot of the volume, then create a new volume of the desired size from the snapshot. Replace the original volume with the new volume.
Recovering Volumes
Because Amazon EBS volumes persist beyond the lifetime of an instance, it is possible to recover data if an instance fails. If an Amazon EBS-backed instance fails and there is data on the boot drive, it is relatively straightforward to detach the volume from the instance. Unless the DeleteOnTermination flag for the volume has been set to false, the volume should be detached before the instance is terminated. The volume can then be attached as a data volume to another instance and the data read and recovered. The same mechanism works for anyone with permission to detach and attach volumes in your account, so the right to attach a volume to an instance is effectively the right to read everything on it; treat that permission accordingly.
Encryption Options
Many workloads have requirements that data be encrypted at rest, either because of compliance regulations or internal corporate standards. Amazon EBS offers native encryption on all volume types.
When you launch an encrypted Amazon EBS volume, Amazon uses the AWS Key Management Service (KMS) to handle key management. A new master key will be created unless you select a master key that you created separately in the service. Your data and associated keys are encrypted using the industry-standard AES-256 algorithm. The encryption occurs on the servers that host Amazon EC2 instances, so the data is actually encrypted in transit between the host and the storage media and also on the media. (Consult the AWS documentation for a list of instance types that support Amazon EBS encryption.) Encryption is transparent, so all data access is the same as unencrypted volumes, and you can expect the same IOPS performance on encrypted volumes as you would with unencrypted volumes, with a minimal effect on latency. Snapshots that are taken from encrypted volumes are automatically encrypted, as are volumes that are created from encrypted snapshots. Because the encryption is transparent to the instance, it protects the data on the storage media and in snapshots; it does not hide the data from anyone who can log in to the attached instance, as Exercise 3.8 demonstrates.
Summary
Compute is the amount of computational power required to fulfill your workload. Amazon EC2 is the primary service for providing compute to customers.
The instance type defines the virtual hardware supporting the instance. Available instance types vary in vCPUs, memory, storage, and network performance to address nearly any workload.
An AMI defines the initial software state of the instance, both OS and applications. There are four sources of AMIs: AWS published generic OSs, partner-published AMIs in the AWS Marketplace with software packages preinstalled, customer-generated AMIs from existing Amazon EC2 instances, and uploaded AMIs from virtual servers.
Instances can be addressed by public DNS name, public IP address, or elastic IP address. To access a newly launched Linux instance, use the private half of the key pair to connect to the instance via SSH. To access a newly created Windows instance, use the private half of the key pair to decrypt the randomly initialized local administrator password.
Network traffic in and out of an instance can be controlled by a virtual firewall called a security group. A security group denies all traffic by default and permits only what its rules allow; each rule specifies direction, port, protocol, and source/destination address.
Bootstrapping allows you to run a script to initialize your instance with OS configurations and applications. This feature allows instances to configure themselves upon launch. Once an instance is launched, you can change its instance type or, for Amazon VPC instances, the security groups with which it is associated.
The three pricing options for instances are On-Demand, Reserved Instance, and Spot. On-Demand has the highest per-hour cost, requiring no up-front commitment and giving you complete control over the lifetime of the instance. Reserved Instances require a commitment and provide a reduced overall cost over the lifetime of the reservation. Spot Instances are idle compute capacity that AWS makes available based on bid prices from customers. The savings on the per-hour cost can be significant, but instances can be shut down when the Spot price rises above the customer's current bid.
Instance stores are block storage included with the hourly cost of the instance. The amount and type of storage available varies with the instance type. Data on an instance store is lost when the associated instance is stopped or terminated, so instance stores should only be used for temporary data or in architectures providing redundancy such as Hadoop's HDFS.
Amazon EBS provides durable block storage in several types. Magnetic has the lowest cost per gigabyte and delivers modest performance. General-purpose SSD is cost-effective storage that can provide up to 10,000 IOPS. Provisioned IOPS SSD has the highest cost per gigabyte and is well suited for I/O-intensive workloads sensitive to storage performance. Snapshots are incremental backups of Amazon EBS volumes stored in Amazon S3. Amazon EBS volumes can be encrypted.
Exam Essentials
Know the basics of launching an Amazon EC2 instance. To launch an instance, you must specify an AMI, which defines the software on the instance at launch, and an instance type, which defines the virtual hardware supporting the instance (memory, vCPUs, and so on).
Know what architectures are suited for what Amazon EC2 pricing options. Spot Instances are best suited for workloads that can accommodate interruption. Reserved Instances are best for consistent, long-term compute needs. On-Demand Instances provide flexible compute to respond to scaling needs.
Know how to combine multiple pricing options that result in cost optimization and scalability. On-Demand Instances can be used to scale up a web application running on Reserved Instances in response to a temporary traffic spike. For a workload with several Reserved Instances reading from a queue, it's possible to use Spot Instances to alleviate heavy traffic in a cost-effective way. These are just two of countless examples where a workload may use different pricing options.
Know the benefits of enhanced networking. Enhanced networking enables you to get significantly higher PPS performance, lower network jitter, and lower latencies.
Know the capabilities of VM Import/Export. VM Import/Export allows you to import existing VMs to AWS as Amazon EC2 instances or AMIs. Amazon EC2 instances that were imported through VM Import/Export can also be exported back to a virtual environment.
Know the methods for accessing an instance over the Internet. You can access an Amazon EC2 instance over the web via public IP address, elastic IP address, or public DNS name. There are additional ways to access an instance within an Amazon VPC, including private IP addresses and ENIs.
Know the lifetime of an instance store. Data on an instance store is lost when the instance is stopped or terminated. Instance store data survives an OS reboot.
Know the properties of the Amazon EC2 pricing options. On-Demand Instances require no up-front commitment, can be launched any time, and are billed by the hour. Reserved Instances require an up-front commitment and vary in cost depending on whether they are paid all up front, partially up front, or not up front. Spot Instances are launched when your bid price exceeds the current Spot price. Spot Instances will run until the Spot price exceeds your bid price, in which case the instance will get a two-minute warning and terminate.
Know what determines network performance. Every instance type is rated for low, moderate, high, or 10 Gbps network performance, with larger instance types generally having higher ratings. Additionally, some instance types offer enhanced networking, which provides additional improvement in network performance.
Know what instance metadata is and how it's obtained. Metadata is information about an Amazon EC2 instance, such as instance ID, instance type, and security groups, that is available from within the instance. It can be obtained through an HTTP call to a specific IP address.
Know how security groups protect instances. Security groups are virtual firewalls controlling traffic in and out of your Amazon EC2 instances. They are deny by default, and you can allow traffic by adding rules specifying traffic direction, port, protocol, and source or destination address (via Classless Inter-Domain Routing [CIDR] block). They are applied at the instance level, meaning that traffic between instances in the same security group must adhere to the rules of that security group. They are stateful, meaning that an outgoing rule will allow the response without a correlating incoming rule.
Know how to interpret the effect of security groups. When an instance is a member of multiple security groups, the effect is a union of all the rules in all the groups.
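The two essentials above (deny by default, allow-only rules, and the union of every attached group) decide questions like review question 5 below. The following is an added example, not code from the study guide or from AWS, that models a security group evaluation with exactly those semantics. The SgRule and SecurityGroup classes, the sample groups and the workstation address are this example's own constructions; the stateful return-traffic behaviour is not modelled.

```python
"""Security group evaluation: deny by default, allow-only rules, union across groups."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Sequence

ALL_PROTOCOLS = "-1"   # AWS's spelling for an "all traffic" rule


@dataclass(frozen=True)
class SgRule:
    direction: str      # "inbound" or "outbound"
    protocol: str       # "tcp", "udp", "icmp" or ALL_PROTOCOLS
    from_port: int
    to_port: int
    cidr: str           # source block for inbound rules, destination block for outbound

    def matches(self, direction: str, protocol: str, port: int, peer_ip: str) -> bool:
        """True if this rule admits a flow in `direction` to `port` from/to `peer_ip`."""
        if self.direction != direction:
            return False
        if self.protocol != ALL_PROTOCOLS and self.protocol != protocol:
            return False
        if not self.from_port <= port <= self.to_port:
            return False
        return ip_address(peer_ip) in ip_network(self.cidr, strict=False)


@dataclass
class SecurityGroup:
    name: str
    rules: List[SgRule] = field(default_factory=list)   # rules can only allow, never block


def permitting_groups(groups: Sequence[SecurityGroup], direction: str,
                      protocol: str, port: int, peer_ip: str) -> List[str]:
    """Names of the attached groups holding a rule that admits this flow.

    An empty list is the implicit deny: no group has a matching allow rule.
    """
    return sorted(g.name for g in groups
                  if any(r.matches(direction, protocol, port, peer_ip) for r in g.rules))


def is_allowed(groups: Sequence[SecurityGroup], direction: str,
               protocol: str, port: int, peer_ip: str) -> bool:
    """Union semantics: a matching rule in ANY attached group is enough."""
    return bool(permitting_groups(groups, direction, protocol, port, peer_ip))


# Constructed scenario matching review question 5: two groups on one instance.
RDP_FROM_OFFICE = SecurityGroup("rdp-from-office",
                                [SgRule("inbound", "tcp", 3389, 3389, "72.14.0.0/16")])
WEB = SecurityGroup("web", [SgRule("inbound", "tcp", 80, 80, "0.0.0.0/0")])
INSTANCE_GROUPS = [RDP_FROM_OFFICE, WEB]

# Exercise 3.1's CertBook group: SSH from one workstation only (address is made up).
CERTBOOK = SecurityGroup("CertBook", [SgRule("inbound", "tcp", 22, 22, "203.0.113.7/32")])


if __name__ == "__main__":
    probes = [(3389, "72.14.5.9"), (3389, "198.51.100.4"), (80, "198.51.100.4"), (22, "72.14.5.9")]
    for port, src in probes:
        verdict = permitting_groups(INSTANCE_GROUPS, "inbound", "tcp", port, src) or "DENIED"
        print(f"tcp/{port} from {src}: {verdict}")
```

Running it answers question 5 mechanically: RDP is admitted only from 72.14.0.0/16, HTTP from anywhere, and SSH from nowhere, because no attached group says otherwise. It also shows why widening a single /16 to 0.0.0.0/0 in any one attached group exposes that port on the instance regardless of what the other groups say.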
Know the different Amazon EBS volume types, their characteristics, and their appropriate workloads. Magnetic volumes provide an average performance of 100 IOPS and can be provisioned up to 1 TB. They are good for cold and infrequently accessed data. General-purpose SSD volumes provide three IOPS/GB up to 10,000 IOPS, with smaller volumes able to burst to 3,000 IOPS. They can be provisioned up to 16 TB and are appropriate for dev/test environments, small databases, and so forth. Provisioned IOPS SSD can provide up to 20,000 consistent IOPS for volumes up to 16 TB. They are the best choice for workloads such as large databases executing many transactions.
Know how to encrypt an Amazon EBS volume. Any volume type can be encrypted at launch. Encryption is based on AWS KMS and is transparent to applications on the attached instances.
Understand the concept and process of snapshots. Snapshots provide a point-in-time backup of an Amazon EBS volume and are stored in Amazon S3. Subsequent snapshots are incremental; they only store deltas. When you request a snapshot, the point-in-time snapshot is created immediately and the volume may continue to be used, but the snapshot may remain in pending status until all the modified blocks have been transferred to Amazon S3. Snapshots may be copied between regions.
Know how Amazon EBS-optimized instances affect Amazon EBS performance. In addition to the IOPS that control the performance in and out of the Amazon EBS volume, use Amazon EBS-optimized instances to ensure additional, dedicated capacity for Amazon EBS I/O.
Exercises
For assistance in completing these exercises, refer to these user guides:
Amazon EC2 (Linux)—http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/concepts.html
Amazon EC2 (Windows)—http://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/concepts.html
Amazon EBS—http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AmazonEBS.html
EXERCISE 3.1
Launch and Connect to a Linux Instance
In this exercise, you will launch a new Linux instance, log in with SSH, and install any security updates.
1. Launch an instance in the Amazon EC2 console.
2. Choose the Amazon Linux AMI.
3. Choose the t2.medium instance type.
4. Launch the instance in either the default VPC or EC2-Classic.
5. Assign the instance a public IP address.
6. Add a tag to the instance of Key: Name, Value: Exercise 3.1.
7. Create a new security group called CertBook.
8. Add a rule to CertBook allowing SSH access from the IP address of your workstation (www.WhatsMyIP.org is a good way to determine your IP address).
9. Launch the instance.
10. When prompted for a key pair, choose a key pair you already have or create a new one and download the private portion.
Amazon generates a keyname.pem file. OpenSSH clients use the .pem file directly; if you connect with PuTTY on Windows, you will need a keyname.ppk file, which the PuTTYgen utility (puttygen.exe) can create from the .pem file.
11. SSH into the instance using the public IP address, the username ec2-user, and your private key file.
12. From the command-line prompt, run sudo yum update --security -y.
13. Close the SSH window and terminate the instance.
EXERCISE 3.2
Launch a Windows Instance with Bootstrapping
In this exercise, you will launch a Windows instance and specify a very simple bootstrap script. You will then confirm that the bootstrap script was executed on the instance.
1. Launch an instance in the Amazon EC2 console.
2. Choose the Microsoft Windows Server 2012 Base AMI.
3. Choose the t2.medium instance type.
4. Launch the instance in either the default VPC or EC2-Classic.
5. Assign the instance a public IP address.
6. In the Advanced Details section, enter the following text as User Data:
<script>
md c:\temp
</script>
7. Add a tag to the instance of Key: Name, Value: Exercise 3.2.
8. Use the CertBook security group from Exercise 3.1.
9. Launch the instance.
10. Use the key pair from Exercise 3.1.
11. On the Connect Instance UI, decrypt the administrator password and then download the RDP file to attempt to connect to the instance. Your attempt should fail because the CertBook security group does not allow RDP access.
12. Open the CertBook security group and add a rule that allows RDP access from your IP address.
13. Attempt to access the instance via RDP again.
14. Once the RDP session is connected, open Windows Explorer and confirm that the c:\temp folder has been created.
15. End the RDP session and terminate the instance.
EXERCISE 3.3
Confirm That Instance Stores Are Lost When an Instance Is Stopped
In this exercise, you will observe that the data on an Amazon EC2 instance store is lost when the instance is stopped.
1. Launch an instance in the AWS Management Console.
2. Choose the Microsoft Windows Server 2012 Base AMI.
3. Choose the m3.medium instance type.
4. Launch the instance in either the default VPC or EC2-Classic.
5. Assign the instance a public IP address.
6. Add a tag to the instance of Key: Name, Value: Exercise 3.3.
7. Use the CertBook security group as updated in Exercise 3.2.
8. Launch the instance.
9. Use the key pair from Exercise 3.1.
10. Decrypt the administrator password and log in to the instance via RDP.
11. Once the RDP session is connected, open Windows Explorer.
12. Create a new folder named z:\temp.
13. Log out of the RDP session.
14. In the console, set the state of the instance to Stopped.
15. Once the instance is stopped, start it again.
16. Log back in to the instance using RDP.
17. Open Windows Explorer and confirm that the z:\temp folder is gone.
18. End the RDP session and terminate the instance.
EXERCISE 3.4
Launch a Spot Instance
In this exercise, you will create a Spot Instance.
1. In the Amazon EC2 console, go to the Spot Request page.
2. Look at the pricing history for m3.medium, especially the recent price.
3. Make a note of the most recent price and Availability Zone.
4. Launch an instance in the Amazon EC2 console.
5. Choose the Amazon Linux AMI.
6. Choose the m3.medium instance type (the type whose Spot price you recorded).
7. On the Configure Instance page, request a Spot Instance.
8. Launch the instance in either the default VPC or EC2-Classic. (Note that the default VPC will define the Availability Zone for the instance.)
9. Assign the instance a public IP address.
10. Enter a bid a few cents above the recorded Spot price.
11. Finish launching the instance.
12. Go back to the Spot Request page.
Watch your request. If your bid was high enough, you should see it change to Active and an instance ID appear.
13. Find the instance on the Instances page of the Amazon EC2 console.
Note the Lifecycle field in the Description that says Spot.
14. Once the instance is running, terminate it.
EXERCISE 3.5
Access Metadata
In this exercise, you will access the instance metadata from the OS.
1. Launch an instance in the Amazon EC2 console.
2. Choose the Amazon Linux AMI.
3. Choose the t2.medium instance type.
4. Launch the instance in either the default VPC or EC2-Classic.
5. Assign the instance a public IP address.
6. Add a tag to the instance of Key: Name, Value: Exercise 3.5.
7. Use the CertBook security group.
8. Launch the instance.
9. Use the key pair from Exercise 3.1.
10. Connect to the instance via SSH using the public IP address, the username ec2-user, and your private key file.
11. At the Linux command prompt, retrieve a list of the available metadata by typing:
curl http://169.254.169.254/latest/meta-data/
12. To see a value, add the name to the end of the URL. For example, to see the security groups, type:
curl http://169.254.169.254/latest/meta-data/security-groups
13. Try other values as well. Names that end with a / indicate a longer list of sub-values.
14. Close the SSH window and terminate the instance.
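Steps 11 through 13 describe a tree: a listing whose entries end in / are directories, everything else is a leaf value. The following is an added example, not code from the study guide or from AWS, that walks that tree automatically. The fetch function is injected so the walker runs offline against the constructed FAKE_TREE below; imds_fetch is the real client and is this example's own code, though the token endpoint and header names it uses are AWS's documented metadata API. All values in FAKE_TREE are made up.

```python
"""Walk the EC2 instance metadata tree (http://169.254.169.254/latest/meta-data/)."""
import urllib.request
from typing import Callable, Dict, List, Optional

IMDS_BASE = "http://169.254.169.254/latest/"
Fetcher = Callable[[str], Optional[str]]   # path relative to IMDS_BASE -> body or None


def imds_fetch(path: str, timeout: float = 1.0) -> Optional[str]:
    """GET one metadata path from the real service; None on any failure.

    Tries to obtain a session token first (the PUT /latest/api/token call and
    X-aws-ec2-metadata-token headers are AWS's metadata API) and falls back to
    an unauthenticated GET, which is what the curl commands in the exercise do.
    """
    headers = {}
    try:
        token_req = urllib.request.Request(
            IMDS_BASE + "api/token", method="PUT",
            headers={"X-aws-ec2-metadata-token-ttl-seconds": "60"})
        with urllib.request.urlopen(token_req, timeout=timeout) as resp:
            headers["X-aws-ec2-metadata-token"] = resp.read().decode()
    except Exception:
        pass                                  # no token: plain GET as in the exercise
    try:
        req = urllib.request.Request(IMDS_BASE + path, headers=headers)
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode()
    except Exception:
        return None


def walk_metadata(fetch: Fetcher, path: str = "meta-data/") -> Dict[str, str]:
    """Return {full_path: value} for every leaf under `path`.

    A listing entry ending in "/" is a directory and is recursed into; any
    other entry is a leaf whose value is fetched once.
    """
    body = fetch(path)
    if body is None:
        return {}
    leaves: Dict[str, str] = {}
    for name in body.splitlines():
        if not name:
            continue
        child = path + name
        if name.endswith("/"):
            leaves.update(walk_metadata(fetch, child))
        else:
            leaves[child] = fetch(child) or ""
    return leaves


def security_groups(fetch: Fetcher) -> List[str]:
    """Step 12 of the exercise: the group names, one per line in the response."""
    body = fetch("meta-data/security-groups") or ""
    return [line for line in body.splitlines() if line]


# Constructed offline stand-in for the service. Every value here is made up.
FAKE_TREE = {
    "meta-data/": "ami-id\ninstance-id\ninstance-type\nplacement/\nsecurity-groups\n",
    "meta-data/ami-id": "ami-0123456789abcdef0",
    "meta-data/instance-id": "i-0123456789abcdef0",
    "meta-data/instance-type": "t2.medium",
    "meta-data/placement/": "availability-zone\n",
    "meta-data/placement/availability-zone": "us-east-1a",
    "meta-data/security-groups": "CertBook",
}


def fake_fetch(path: str) -> Optional[str]:
    return FAKE_TREE.get(path)


if __name__ == "__main__":
    # Swap fake_fetch for imds_fetch when running on an actual instance.
    for key, value in sorted(walk_metadata(fake_fetch).items()):
        print(f"{key}: {value}")
```

Anything that can issue an HTTP request from inside the instance can read this tree, since the service authenticates by network location rather than by credential; that is why bootstrap user data should never carry secrets, and why a web application on the instance that fetches attacker-supplied URLs exposes the same information.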
EXERCISE 3.6
Create an Amazon EBS Volume and Show That It Remains After the Instance Is Terminated
In this exercise, you will see how an Amazon EBS volume persists beyond the life of an instance.
1. Launch an instance in the Amazon EC2 console.
2. Choose the Amazon Linux AMI.
3. Choose the t2.medium instance type.
4. Launch the instance in either the default VPC or EC2-Classic.
5. Assign the instance a public IP address.
6. Add a second Amazon EBS volume of size 50 GB. Note that the root volume is set to Delete on Termination.
7. Add a tag to the instance of Key: Name, Value: Exercise 3.6.
8. Use the CertBook security group from earlier exercises.
9. Launch the instance.
10. Find the two Amazon EBS volumes on the Amazon EBS console. Name them both Exercise 3.6.
11. Terminate the instance.
Notice that the boot drive is destroyed, but the additional Amazon EBS volume remains and now says Available. Do not delete the Available volume.
EXERCISE 3.7
Take a Snapshot and Restore
This exercise guides you through taking a snapshot and restoring it in three different ways.
1. Find the volume you created in Exercise 3.6 in the Amazon EBS console.
2. Take a snapshot of that volume. Name the snapshot Exercise 3.7.
3. On the snapshot console, wait for the snapshot to be completed. (As the volume was empty, this should be very quick.)
4. On the snapshot page in the AWS Management Console, choose the new snapshot and select Create Volume.
5. Create the volume with all the defaults.
6. Locate the snapshot again and again choose Create Volume, setting the size of the new volume to 100 GB (taking a snapshot and restoring the snapshot to a new, larger volume is how you address the problem of increasing the size of an existing volume).
7. Locate the snapshot again and choose Copy. Copy the snapshot to another region. Make the description Exercise 3.7.
8. Go to the other region and wait for the snapshot to become available.
9. Create a volume from the snapshot in the new region. This is how you share an Amazon EBS volume between regions; that is, by taking a snapshot and copying the snapshot.
10. Delete all four volumes.
EXERCISE 3.8
Launch an Encrypted Volume
In this exercise, you will launch an Amazon EC2 instance with an encrypted Amazon EBS volume and store some data on it to confirm that the encryption is transparent to the instance itself.
1. Launch an instance in the Amazon EC2 console.
2. Choose the Microsoft Windows Server 2012 Base AMI.
3. Choose the m3.medium instance type.
4. Launch the instance in either the default VPC or EC2-Classic.
5. Assign the instance a public IP address.
6. On the storage page, add a 50 GB encrypted Amazon EBS volume.
7. Add a tag to the instance of Key: Name, Value: Exercise 3.8.
8. Use the CertBook security group as updated in Exercise 3.2.
9. Launch the instance.
10. Choose the key pair from Exercise 3.1.
11. Decrypt the administrator password and log in to the instance using RDP.
12. Once the RDP session is connected, open Notepad.
13. Type some random information into Notepad, save it at d:\testfile.txt, and then close Notepad.
14. Find d:\testfile.txt in Windows Explorer and open it with Notepad. Confirm that the data reads back as plaintext: the encryption happens below the instance and is invisible to software running on it.
15. Log out.
16. Terminate the instance.
EXERCISE 3.9
Detach a Boot Drive and Reattach to Another Instance
In this exercise, you will practice removing an Amazon EBS volume from a stopped instance and attaching it to another instance to recover the data.
1. Launch an instance in the Amazon EC2 console.
2. Choose the Microsoft Windows Server 2012 Base AMI.
3. Choose the t2.medium instance type.
4. Launch the instance in either the default VPC or EC2-Classic.
5. Assign the instance a public IP address.
6. Add a tag to the instance of Key: Name, Value: Exercise 3.9 Source.
7. Use the CertBook security group from earlier exercises.
8. Launch the instance with the key pair from Exercise 3.1.
9. Launch a second instance in the Amazon EC2 console.
10. Choose the Microsoft Windows Server 2012 Base AMI.
11. Choose the t2.medium instance type.
12. Launch the instance in either the default VPC or EC2-Classic.
13. Assign the instance a public IP address.
14. Add a tag to the instance of Key: Name, Value: Exercise 3.9 Destination.
15. Use the CertBook security group from earlier exercises.
16. Launch the instance with the key pair you used in Exercise 3.1.
17. Once both instances are running, stop the first instance (Source). Make a note of the instance ID.
18. Go to the Amazon EBS page in the Amazon EC2 console and find the volume attached to the Source instance via the instance ID. Detach the volume.
19. When the volume becomes Available, attach it to the second instance (Destination).
20. Log in to the Destination instance via RDP using the administrator account.
21. Open a command window (cmd.exe).
22. At the command prompt, type the following commands:
C:\Users\Administrator>diskpart
DISKPART>select disk 1
DISKPART>online disk
DISKPART>exit
C:\Users\Administrator>dir e:
The volume removed from the stopped Source instance can now be read as the E: drive on the Destination instance, so its data can be retrieved. (If Windows assigns a different drive letter, list volume inside diskpart shows which letter the newly attached disk received.)
23. Terminate all the instances and ensure the volumes are deleted in the process.
Review Questions
1. Your web application needs four instances to support steady traffic nearly all of the time. On the last day of each month, the traffic triples. What is a cost-effective way to handle this traffic pattern?
A. Run 12 Reserved Instances all of the time.
B. Run four On-Demand Instances constantly, then add eight more On-Demand Instances on the last day of each month.
C. Run four Reserved Instances constantly, then add eight On-Demand Instances on the last day of each month.
D. Run four On-Demand Instances constantly, then add eight Reserved Instances on the last day of each month.
2. Your order-processing application processes orders extracted from a queue with two Reserved Instances processing 10 orders/minute. If an order fails during processing, then it is returned to the queue without penalty. Due to a weekend sale, the queues have several hundred orders backed up. While the backup is not catastrophic, you would like to drain it so that customers get their confirmation emails faster. What is a cost-effective way to drain the queue for orders?
A. Create more queues.
B. Deploy additional Spot Instances to assist in processing the orders.
C. Deploy additional Reserved Instances to assist in processing the orders.
D. Deploy additional On-Demand Instances to assist in processing the orders.
3. Which of the following must be specified when launching a new Amazon Elastic Compute Cloud (Amazon EC2) Windows instance? (Choose 2 answers)
A. The Amazon EC2 instance ID
B. Password for the administrator account
C. Amazon EC2 instance type
D. Amazon Machine Image (AMI)
4. You have purchased an m3.xlarge Linux Reserved Instance in us-east-1a. In which ways can you modify this reservation? (Choose 2 answers)
A. Change it into two m3.large instances.
B. Change it to a Windows instance.
C. Move it to us-east-1b.
D. Change it to an m4.xlarge.
5. Your instance is associated with two security groups. The first allows Remote Desktop Protocol (RDP) access over port 3389 from Classless Inter-Domain Routing (CIDR) block 72.14.0.0/16. The second allows HTTP access over port 80 from CIDR block 0.0.0.0/0. What traffic can reach your instance?
A. RDP and HTTP access from CIDR block 0.0.0.0/0
B. No traffic is allowed.
C. RDP and HTTP traffic from 72.14.0.0/16
D. RDP traffic over port 3389 from 72.14.0.0/16 and HTTP traffic over port 80 from 0.0.0.0/0
6. Which of the following are features of enhanced networking? (Choose 3 answers)
A. More Packets Per Second (PPS)
B. Lower latency
C. Multiple network interfaces
D. Border Gateway Protocol (BGP) routing
E. Less jitter
7. You are creating a High-Performance Computing (HPC) cluster and need very low latency and high bandwidth between instances. What combination of the following will allow this? (Choose 3 answers)
A. Use an instance type with 10 Gbps network performance.
B. Put the instances in a placement group.
C. Use Dedicated Instances.
D. Enable enhanced networking on the instances.
E. Use Reserved Instances.
8. Which Amazon Elastic Compute Cloud (Amazon EC2) feature ensures that your instances will not share a physical host with instances from any other AWS customer?
A. Amazon Virtual Private Cloud (VPC)
B. Placement groups
C. Dedicated Instances
D. Reserved Instances
9. Which of the following are true of instance stores? (Choose 2 answers)
A. Automatic backups
B. Data is lost when the instance stops.
C. Very high IOPS
D. Charge is based on the total amount of storage provisioned.
10. Which of the following are features of Amazon Elastic Block Store (Amazon EBS)? (Choose 2 answers)
A. Data stored on Amazon EBS is automatically replicated within an Availability Zone.
B. Amazon EBS data is automatically backed up to tape.
C. Amazon EBS volumes can be encrypted transparently to workloads on the attached instance.
D. Data on an Amazon EBS volume is lost when the attached instance is stopped.
11. You need to take a snapshot of an Amazon Elastic Block Store (Amazon EBS) volume. How long will the volume be unavailable?
A. It depends on the provisioned size of the volume.
B. The volume will be available immediately.
C. It depends on the amount of data stored on the volume.
D. It depends on whether the attached instance is an Amazon EBS-optimized instance.
12. You are restoring an Amazon Elastic Block Store (Amazon EBS) volume from a snapshot. How long will it be before the data is available?
A. It depends on the provisioned size of the volume.
B. The data will be available immediately.
C. It depends on the amount of data stored on the volume.
D. It depends on whether the attached instance is an Amazon EBS-optimized instance.
13. You have a workload that requires 15,000 consistent IOPS for data that must be durable. What combination of the following steps do you need? (Choose 2 answers)
A. Use an Amazon Elastic Block Store (Amazon EBS)-optimized instance.
B. Use an instance store.
C. Use a Provisioned IOPS SSD volume.
D. Use a magnetic volume.
14. Which of the following can be accomplished through bootstrapping?
A. Install the most current security updates.
B. Install the current version of the application.
C. Configure Operating System (OS) services.
D. All of the above.
15. How can you connect to a new Linux instance using SSH?
A. Decrypt the root password.
B. Using a certificate
C. Using the private half of the instance's key pair
D. Using Multi-Factor Authentication (MFA)
16. VMImport/Exportcanimportexistingvirtualmachinesas:(Choose2answers)
A. AmazonElasticBlockStore(AmazonEBS)volumes
B. Amazon Elastic Compute Cloud (Amazon EC2) instances
C. Amazon Machine Images (AMIs)
D. Security groups
17. Which of the following can be used to address an Amazon Elastic Compute Cloud (Amazon EC2) instance over the web? (Choose 2 answers)
A. Windows machine name
B. Public DNS name
C. Amazon EC2 instance ID
D. Elastic IP address
18. Using the correctly decrypted Administrator password and RDP, you cannot log in to a Windows instance you just launched. Which of the following is a possible reason?
A. There is no security group rule that allows RDP access over port 3389 from your IP address.
B. The instance is a Reserved Instance.
C. The instance is not using enhanced networking.
D. The instance is not an Amazon EBS-optimized instance.
19. You have a workload that requires 1 TB of durable block storage at 1,500 IOPS during normal use. Every night there is an Extract, Transform, Load (ETL) task that requires 3,000 IOPS for 15 minutes. What is the most appropriate volume type for this workload?
A. Use a Provisioned IOPS SSD volume at 3,000 IOPS.
B. Use an instance store.
C. Use a general-purpose SSD volume.
D. Use a magnetic volume.
20. How are you billed for elastic IP addresses?
A. Hourly when they are associated with an instance
B. Hourly when they are not associated with an instance
C. Based on the data that flows through them
D. Based on the instance type to which they are attached
Chapter 4
Amazon Virtual Private Cloud (Amazon VPC)
THE AWS CERTIFIED SOLUTIONS ARCHITECT ASSOCIATE EXAM OBJECTIVES COVERED IN THIS CHAPTER MAY INCLUDE, BUT ARE NOT LIMITED TO, THE FOLLOWING:
Domain 1.0: Designing highly available, cost-efficient, fault-tolerant, scalable systems
1.1 Identify and recognize cloud architecture considerations, such as fundamental components and effective designs.
Content may include the following:
How to design cloud services
Planning and design
Familiarity with:
Best practices for AWS architecture
Architectural trade-off decisions (for example, high availability vs. cost, Amazon Relational Database Service [RDS] vs. installing your own database on Amazon Elastic Compute Cloud—EC2)
Hybrid IT architectures (for example, Direct Connect, Storage Gateway, VPC, Directory Services)
Domain 2.0: Implementation/Deployment
2.1 Identify the appropriate techniques and methods using Amazon EC2, Amazon S3, AWS Elastic Beanstalk, AWS CloudFormation, AWS OpsWorks, Amazon Virtual Private Cloud (VPC), and AWS Identity and Access Management (IAM) to code and implement a cloud solution.
Content may include the following:
Operate and extend service management in a hybrid IT architecture
Configure services to support compliance requirements in the cloud
Domain 3.0: Data Security
3.1 Recognize and implement secure practices for optimum cloud deployment and maintenance.
Content may include the following:
AWS security attributes (customer workloads down to the physical layer)
Amazon Virtual Private Cloud (VPC)
Ingress vs. egress filtering, and which AWS services and features fit
"Core" Amazon EC2 and S3 security feature sets
Incorporating common conventional security products (Firewall and VPNs)
Complex access controls (building sophisticated security groups, ACLs, and so on)
Introduction
The Amazon Virtual Private Cloud (Amazon VPC) is a custom-defined virtual network within the AWS Cloud. You can provision your own logically isolated section of AWS, similar to designing and implementing a separate independent network that would operate in an on-premises data center. This chapter explores the core components of Amazon VPC and, in the exercises, you learn how to build your own Amazon VPC in the cloud. A strong understanding of Amazon VPC topology and troubleshooting is required to pass the exam, and we highly recommend that you complete the exercises in this chapter.
Amazon Virtual Private Cloud (Amazon VPC)
Amazon VPC is the networking layer for Amazon Elastic Compute Cloud (Amazon EC2), and it allows you to build your own virtual network within AWS. You control various aspects of your Amazon VPC, including selecting your own IP address range; creating your own subnets; and configuring your own route tables, network gateways, and security settings. Within a region, you can create multiple Amazon VPCs, and each Amazon VPC is logically isolated even if it shares its IP address space.
When you create an Amazon VPC, you must specify the IPv4 address range by choosing a Classless Inter-Domain Routing (CIDR) block, such as 10.0.0.0/16. The address range of the Amazon VPC cannot be changed after the Amazon VPC is created. An Amazon VPC address range may be as large as /16 (65,536 available addresses) or as small as /28 (16 available addresses) and should not overlap any other network with which they are to be connected.
The Amazon VPC service was released after the Amazon EC2 service; because of this, there are two different networking platforms available within AWS: EC2-Classic and EC2-VPC. Amazon EC2 originally launched with a single, flat network shared with other AWS customers called EC2-Classic. As such, AWS accounts created prior to the arrival of the Amazon VPC service can launch instances into the EC2-Classic network and EC2-VPC. AWS accounts created after December 2013 only support launching instances using EC2-VPC. AWS accounts that support EC2-VPC will have a default VPC created in each region with a default subnet created in each Availability Zone. The assigned CIDR block of the VPC will be 172.31.0.0/16.
Figure 4.1 illustrates an Amazon VPC with an address space of 10.0.0.0/16, two subnets with different address ranges (10.0.0.0/24 and 10.0.1.0/24) placed in different Availability Zones, and a route table with the local route specified.
FIGURE 4.1 VPC, subnets, and a route table
An Amazon VPC consists of the following components:
Subnets
Route tables
Dynamic Host Configuration Protocol (DHCP) option sets
Security groups
Network Access Control Lists (ACLs)
An Amazon VPC has the following optional components:
Internet Gateways (IGWs)
Elastic IP (EIP) addresses
Elastic Network Interfaces (ENIs)
Endpoints
Peering
Network Address Translation (NAT) instances and NAT gateways
Virtual Private Gateway (VPG), Customer Gateways (CGWs), and Virtual Private Networks (VPNs)
Subnets
A subnet is a segment of an Amazon VPC's IP address range where you can launch Amazon EC2 instances, Amazon Relational Database Service (Amazon RDS) databases, and other AWS resources. CIDR blocks define subnets (for example, 10.0.1.0/24 and 192.168.0.0/24). The smallest subnet that you can create is a /28 (16 IP addresses). AWS reserves the first four IP addresses and the last IP address of every subnet for internal networking purposes. For example, a subnet defined as a /28 has 16 available IP addresses; subtract the 5 IPs needed by AWS to yield 11 IP addresses for your use within the subnet.
After creating an Amazon VPC, you can add one or more subnets in each Availability Zone. Subnets reside within one Availability Zone and cannot span zones. This is an important point that can come up in the exam, so remember that one subnet equals one Availability Zone. You can, however, have multiple subnets in one Availability Zone.
Subnets can be classified as public, private, or VPN-only. A public subnet is one in which the associated route table (discussed later) directs the subnet's traffic to the Amazon VPC's IGW (also discussed later). A private subnet is one in which the associated route table does not direct the subnet's traffic to the Amazon VPC's IGW. A VPN-only subnet is one in which the associated route table directs the subnet's traffic to the Amazon VPC's VPG (discussed later) and does not have a route to the IGW. Regardless of the type of subnet, the internal IP address range of the subnet is always private (that is, non-routable on the Internet).
Default Amazon VPCs contain one public subnet in every Availability Zone within the region, with a netmask of /20.
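The /28 arithmetic above generalises to any subnet size, and the one-subnet-per-zone rule is easiest to see as a zone-to-CIDR map. The following Python is an added example written for this page, not code from the book or from AWS; it uses only the standard library's ipaddress module, the /16 to /28 limits and the five reserved addresses come from the text, and the zone names and CIDR blocks in it are constructed (the 10.0.0.0/16 layout follows Figure 4.1).

```python
import ipaddress

# AWS reserves the first four addresses and the last address of every subnet,
# as the text states, so five addresses are never available to instances.
RESERVED_PER_SUBNET = 5
SMALLEST_PREFIX = 28     # a /28 is the smallest VPC or subnet the text allows
LARGEST_VPC_PREFIX = 16  # a /16 is the largest VPC CIDR


def parse_vpc_cidr(vpc_cidr):
    """Return the VPC network, rejecting anything outside the /16 .. /28 range."""
    net = ipaddress.ip_network(vpc_cidr, strict=True)  # strict: host bits must be zero
    if net.version != 4:
        raise ValueError(f"{vpc_cidr}: only IPv4 CIDR blocks are handled here")
    if not LARGEST_VPC_PREFIX <= net.prefixlen <= SMALLEST_PREFIX:
        raise ValueError(f"{vpc_cidr}: a VPC CIDR must be between /16 and /28")
    return net


def plan_subnet(vpc_cidr, subnet_cidr):
    """Check a subnet against its VPC and report which addresses AWS keeps."""
    vpc = parse_vpc_cidr(vpc_cidr)
    subnet = ipaddress.ip_network(subnet_cidr, strict=True)
    if subnet.version != 4 or not subnet.subnet_of(vpc):
        raise ValueError(f"{subnet_cidr} does not lie inside VPC {vpc_cidr}")
    if subnet.prefixlen > SMALLEST_PREFIX:
        raise ValueError(f"{subnet_cidr}: the smallest subnet is a /28")
    # Indexing an IPv4Network yields its n-th address and negative indices count
    # back from the broadcast address, so no address list is materialised.
    reserved = [str(subnet[i]) for i in range(4)] + [str(subnet[-1])]
    return {
        "total": subnet.num_addresses,
        "usable": subnet.num_addresses - RESERVED_PER_SUBNET,
        "reserved": reserved,
        "first_usable": str(subnet[4]),
        "last_usable": str(subnet[-2]),
    }


def carve_az_subnets(vpc_cidr, new_prefix, zones):
    """Hand out one equally sized, non-overlapping subnet per Availability Zone.

    The text stresses that a subnet lives in exactly one zone, so the plan is a
    zone -> CIDR map; the zone names are whatever the caller passes in.
    """
    vpc = parse_vpc_cidr(vpc_cidr)
    if not vpc.prefixlen <= new_prefix <= SMALLEST_PREFIX:
        raise ValueError(f"/{new_prefix} must lie between /{vpc.prefixlen} and /28")
    carved = vpc.subnets(new_prefix=new_prefix)
    plan = {}
    for zone in zones:
        block = next(carved, None)
        if block is None:
            raise ValueError(f"{vpc_cidr} has no room for {len(zones)} /{new_prefix} subnets")
        plan[zone] = str(block)
    return plan


if __name__ == "__main__":
    # Figure 4.1's layout: a 10.0.0.0/16 VPC with one /24 in each of two zones.
    # The zone names are constructed for this example.
    print(carve_az_subnets("10.0.0.0/16", 24, ["zone-a", "zone-b"]))
    print(plan_subnet("10.0.0.0/16", "10.0.1.0/28"))
```

The strict=True flag rejects a CIDR whose host bits are set (10.0.1.1/24, for instance), which is the same check the console applies; the usable count for a /28 comes out at 11, matching the worked figure in the text.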
Route Tables
A route table is a logical construct within an Amazon VPC that contains a set of rules (called routes) that are applied to the subnet and used to determine where network traffic is directed. A route table's routes are what permit Amazon EC2 instances within different subnets within an Amazon VPC to communicate with each other. You can modify route tables and add your own custom routes. You can also use route tables to specify which subnets are public (by directing Internet traffic to the IGW) and which subnets are private (by not having a route that directs traffic to the IGW).
Each route table contains a default route called the local route, which enables communication within the Amazon VPC, and this route cannot be modified or removed. Additional routes can be added to direct traffic to exit the Amazon VPC via the IGW (discussed later), the VPG (discussed later), or the NAT instance (discussed later). In the exercises at the end of this chapter, you can practice how this is accomplished.
You should remember the following points about route tables:
Your VPC has an implicit router.
Your VPC automatically comes with a main route table that you can modify.
You can create additional custom route tables for your VPC.
Each subnet must be associated with a route table, which controls the routing for the subnet. If you don't explicitly associate a subnet with a particular route table, the subnet uses the main route table.
You can replace the main route table with a custom table that you've created so that each new subnet is automatically associated with it.
Each route in a table specifies a destination CIDR and a target; for example, traffic destined for 172.16.0.0/12 is targeted for the VPG. AWS uses the most specific route that matches the traffic to determine how to route the traffic.
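The most-specific-route rule and the public, private and VPN-only classification from the Subnets section can both be demonstrated with a small route-table model. The following Python is an added example, not the book's or AWS's code; igw-1a2b3c4d and nat-1a2b3c4d are the example identifiers the chapter itself uses, vgw-1a2b3c4d is an assumed identifier standing in for the VPG, and the route tables are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    destination: ipaddress.IPv4Network
    target: str  # "local", or a gateway identifier such as igw-..., nat-..., vgw-...


def make_route_table(entries):
    """Build a route table from (destination CIDR, target) pairs.

    The first entry must be the local route for the VPC's own CIDR, which the
    text says every table carries and which cannot be removed.
    """
    table = [Route(ipaddress.ip_network(dst), tgt) for dst, tgt in entries]
    if not table or table[0].target != "local":
        raise ValueError("a route table always starts with the VPC's local route")
    return table


def lookup(table, dst_ip):
    """Return the target for dst_ip using the most specific matching route."""
    ip = ipaddress.ip_address(dst_ip)
    matching = [r for r in table if ip in r.destination]
    if not matching:
        return None  # no route at all: the traffic is dropped
    return max(matching, key=lambda r: r.destination.prefixlen).target


def classify_subnet(table):
    """Apply the text's public / VPN-only / private definitions to a route table."""
    targets = {r.target for r in table}
    if any(t.startswith("igw-") for t in targets):
        return "public"       # some traffic is sent to the IGW
    if any(t.startswith("vgw-") for t in targets):
        return "VPN-only"     # traffic leaves only via the VPG, no IGW route
    return "private"          # no route to the IGW at all


# Constructed tables. The 172.16.0.0/12 -> VPG route is the text's own example.
PUBLIC = make_route_table([("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-1a2b3c4d")])
PRIVATE = make_route_table([("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-1a2b3c4d")])
VPN_ONLY = make_route_table([("10.0.0.0/16", "local"), ("172.16.0.0/12", "vgw-1a2b3c4d")])
# A public subnet that also reaches the corporate network over the VPG: the
# /12 route wins over the /0 default for anything inside 172.16.0.0/12.
PUBLIC_WITH_VPN = make_route_table([
    ("10.0.0.0/16", "local"),
    ("0.0.0.0/0", "igw-1a2b3c4d"),
    ("172.16.0.0/12", "vgw-1a2b3c4d"),
])


if __name__ == "__main__":
    for name, table in [("public", PUBLIC), ("private", PRIVATE),
                        ("vpn-only", VPN_ONLY), ("public+vpn", PUBLIC_WITH_VPN)]:
        print(name, classify_subnet(table),
              lookup(table, "10.0.1.5"), lookup(table, "172.16.5.5"), lookup(table, "198.51.100.2"))
```

Note the None result for Internet-bound traffic in the VPN-only table: with no default route, the implicit router has nowhere to send it, which is exactly what makes the subnet VPN-only.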
Internet Gateways
An Internet Gateway (IGW) is a horizontally scaled, redundant, and highly available Amazon VPC component that allows communication between instances in your Amazon VPC and the Internet. An IGW provides a target in your Amazon VPC route tables for Internet-routable traffic, and it performs network address translation for instances that have been assigned public IP addresses.
Amazon EC2 instances within an Amazon VPC are only aware of their private IP addresses. When traffic is sent from the instance to the Internet, the IGW translates the reply address to the instance's public IP address (or EIP address, covered later) and maintains the one-to-one map of the instance private IP address and public IP address. When an instance receives traffic from the Internet, the IGW translates the destination address (public IP address) to the instance's private IP address and forwards the traffic to the Amazon VPC.
You must do the following to create a public subnet with Internet access:
Attach an IGW to your Amazon VPC.
Create a subnet route table rule to send all non-local traffic (0.0.0.0/0) to the IGW.
Configure your network ACLs and security group rules to allow relevant traffic to flow to and from your instance.
You must do the following to enable an Amazon EC2 instance to send and receive traffic from the Internet:
Assign a public IP address or EIP address.
You can scope the route to all destinations not explicitly known to the route table (0.0.0.0/0), or you can scope the route to a narrower range of IP addresses, such as the public IP addresses of your company's public endpoints outside of AWS or the EIP addresses of other Amazon EC2 instances outside your Amazon VPC.
Figure 4.2 illustrates an Amazon VPC with an address space of 10.0.0.0/16, one subnet with an address range of 10.0.0.0/24, a route table, an attached IGW, and a single Amazon EC2 instance with a private IP address and an EIP address. The route table contains two routes: the local route that permits inter-VPC communication and a route that sends all non-local traffic to the IGW (igw-id). Note that the Amazon EC2 instance has a public IP address (EIP = 198.51.100.2); this instance can be accessed from the Internet, and traffic may originate and return to this instance.
FIGURE 4.2 VPC, subnet, route table, and an Internet gateway
Dynamic Host Configuration Protocol (DHCP) Option Sets
Dynamic Host Configuration Protocol (DHCP) provides a standard for passing configuration information to hosts on a TCP/IP network. The options field of a DHCP message contains the configuration parameters. Some of those parameters are the domain name, domain name server, and the netbios-node-type.
AWS automatically creates and associates a DHCP option set for your Amazon VPC upon creation and sets two options: domain-name-servers (defaulted to AmazonProvidedDNS) and domain-name (defaulted to the domain name for your region). AmazonProvidedDNS is an Amazon Domain Name System (DNS) server, and this option enables DNS for instances that need to communicate over the Amazon VPC's IGW.
The DHCP option sets element of an Amazon VPC allows you to direct Amazon EC2 host name assignments to your own resources. To assign your own domain name to your instances, create a custom DHCP option set and assign it to your Amazon VPC. You can configure the following values within a DHCP option set:
domain-name-servers—The IP addresses of up to four domain name servers, separated by commas. The default is AmazonProvidedDNS.
domain-name—Specify the desired domain name here (for example, mycompany.com).
ntp-servers—The IP addresses of up to four Network Time Protocol (NTP) servers, separated by commas.
netbios-name-servers—The IP addresses of up to four NetBIOS name servers, separated by commas.
netbios-node-type—Set this value to 2.
Every Amazon VPC must have only one DHCP option set assigned to it.
Elastic IP Addresses (EIPs)
AWS maintains a pool of public IP addresses in each region and makes them available for you to associate to resources within your Amazon VPCs. An Elastic IP Address (EIP) is a static, public IP address in the pool for the region that you can allocate to your account (pull from the pool) and release (return to the pool). EIPs allow you to maintain a set of IP addresses that remain fixed while the underlying infrastructure may change over time. Here are the important points to understand about EIPs for the exam:
You must first allocate an EIP for use within a VPC and then assign it to an instance.
EIPs are specific to a region (that is, an EIP in one region cannot be assigned to an instance within an Amazon VPC in a different region).
There is a one-to-one relationship between network interfaces and EIPs.
You can move EIPs from one instance to another, either in the same Amazon VPC or a different Amazon VPC within the same region.
EIPs remain associated with your AWS account until you explicitly release them.
There are charges for EIPs allocated to your account, even when they are not associated with a resource.
Elastic Network Interfaces (ENIs)
An Elastic Network Interface (ENI) is a virtual network interface that you can attach to an instance in an Amazon VPC. ENIs are only available within an Amazon VPC, and they are associated with a subnet upon creation. They can have one public IP address and multiple private IP addresses. If there are multiple private IP addresses, one of them is primary. Assigning a second network interface to an instance via an ENI allows it to be dual-homed (have network presence in different subnets). An ENI created independently of a particular instance persists regardless of the lifetime of any instance to which it is attached; if an underlying instance fails, the IP address may be preserved by attaching the ENI to a replacement instance.
ENIs allow you to create a management network, use network and security appliances in your Amazon VPC, create dual-homed instances with workloads/roles on distinct subnets, or create a low-budget, high-availability solution.
Endpoints
An Amazon VPC endpoint enables you to create a private connection between your Amazon VPC and another AWS service without requiring access over the Internet or through a NAT instance, VPN connection, or AWS Direct Connect. You can create multiple endpoints for a single service, and you can use different route tables to enforce different access policies from different subnets to the same service.
Amazon VPC endpoints currently support communication with Amazon Simple Storage Service (Amazon S3), and other services are expected to be added in the future.
You must do the following to create an Amazon VPC endpoint:
Specify the Amazon VPC.
Specify the service. A service is identified by a prefix list of the form com.amazonaws.<region>.<service>.
Specify the policy. You can allow full access or create a custom policy. This policy can be changed at any time.
Specify the route tables. A route will be added to each specified route table, which will state the service as the destination and the endpoint as the target.
Table 4.1 is an example route table that has an existing route that directs all Internet traffic (0.0.0.0/0) to an IGW. Any traffic from the subnet that is destined for another AWS service (for example, Amazon S3 or Amazon DynamoDB) will be sent to the IGW in order to reach that service.
TABLE 4.1 Route Table with an IGW Routing Rule
Destination    Target
10.0.0.0/16    Local
0.0.0.0/0      igw-1a2b3c4d
Table 4.2 is an example route table that has existing routes directing all Internet traffic to an IGW and all Amazon S3 traffic to the Amazon VPC endpoint.
TABLE 4.2 Route Table with an IGW Routing Rule and VPC Endpoint Rule
Destination    Target
10.0.0.0/16    Local
0.0.0.0/0      igw-1a2b3c4d
pl-1a2b3c4d    vpce-11bb22cc
The route table depicted in Table 4.2 will direct any traffic from the subnet that's destined for Amazon S3 in the same region to the endpoint. All other Internet traffic goes to your IGW, including traffic that's destined for other services and for Amazon S3 in other regions.
Peering
An Amazon VPC peering connection is a networking connection between two Amazon VPCs that enables instances in either Amazon VPC to communicate with each other as if they are within the same network. You can create an Amazon VPC peering connection between your own Amazon VPCs or with an Amazon VPC in another AWS account within a single region. A peering connection is neither a gateway nor an Amazon VPN connection and does not introduce a single point of failure for communication.
Peering connections are created through a request/accept protocol. The owner of the requesting Amazon VPC sends a request to peer to the owner of the peer Amazon VPC. If the peer Amazon VPC is within the same account, it is identified by its VPC ID. If the peer VPC is within a different account, it is identified by Account ID and VPC ID. The owner of the peer Amazon VPC has one week to accept or reject the request to peer with the requesting Amazon VPC before the peering request expires.
An Amazon VPC may have multiple peering connections, and peering is a one-to-one relationship between Amazon VPCs, meaning two Amazon VPCs cannot have two peering agreements between them. Also, peering connections do not support transitive routing. Figure 4.3 depicts transitive routing.
FIGURE 4.3 VPC peering connections do not support transitive routing
In Figure 4.3, VPC A has two peering connections with two different VPCs: VPC B and VPC C. Therefore, VPC A can communicate directly with VPCs B and C. Because peering connections do not support transitive routing, VPC A cannot be a transit point for traffic between VPCs B and C. In order for VPCs B and C to communicate with each other, a peering connection must be explicitly created between them.
Here are the important points to understand about peering for the exam:
You cannot create a peering connection between Amazon VPCs that have matching or overlapping CIDR blocks.
You cannot create a peering connection between Amazon VPCs in different regions.
Amazon VPC peering connections do not support transitive routing.
You cannot have more than one peering connection between the same two Amazon VPCs at the same time.
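The request/accept protocol and the four rules above can be modelled as a small registry that refuses the invalid cases and answers reachability only over direct, accepted connections, which is what "no transitive routing" means in practice. The following Python is an added example, not the book's or AWS's code; the pcx- identifier format, the VPC IDs, region names and CIDR blocks are constructed for the example, and time is a plain day counter rather than real timestamps.

```python
import ipaddress

ACCEPT_WINDOW_DAYS = 7  # the text: the peer's owner has one week to accept


class PeeringRegistry:
    """Tracks peering requests between VPCs and enforces the rules in the text."""

    def __init__(self, vpcs):
        # vpcs: {vpc_id: (region, cidr)}; all identifiers here are constructed.
        self.vpcs = {vid: (region, ipaddress.ip_network(cidr))
                     for vid, (region, cidr) in vpcs.items()}
        self.pending = {}   # pcx_id -> (frozenset({a, b}), day requested)
        self.active = {}    # frozenset({a, b}) -> pcx_id
        self._counter = 0

    def request(self, requester, peer, day):
        """Open a peering request; returns a constructed pcx-... identifier."""
        if requester == peer:
            raise ValueError("a VPC cannot peer with itself")
        r_region, r_cidr = self.vpcs[requester]
        p_region, p_cidr = self.vpcs[peer]
        if r_region != p_region:
            raise ValueError("peering is limited to VPCs in the same region")
        if r_cidr.overlaps(p_cidr):
            raise ValueError(f"{r_cidr} and {p_cidr} overlap; peering is not possible")
        pair = frozenset({requester, peer})
        if pair in self.active or any(p == pair for p, _ in self.pending.values()):
            raise ValueError("only one peering connection may exist between two VPCs")
        self._counter += 1
        pcx_id = f"pcx-{self._counter:08x}"  # constructed identifier format
        self.pending[pcx_id] = (pair, day)
        return pcx_id

    def accept(self, pcx_id, day):
        """Activate a pending request unless the one-week window has passed."""
        pair, requested = self.pending.pop(pcx_id)
        if day - requested > ACCEPT_WINDOW_DAYS:
            raise ValueError(f"{pcx_id} expired; it was not accepted within a week")
        self.active[pair] = pcx_id

    def can_reach(self, src, dst):
        """True only over a direct, accepted peering: no transit via a third VPC."""
        return frozenset({src, dst}) in self.active


def figure_4_3():
    """Figure 4.3's topology: VPC A peered with B and with C; B and C not peered.

    The VPC IDs, the region name and the CIDR blocks are constructed.
    """
    reg = PeeringRegistry({
        "vpc-a": ("region-1", "10.0.0.0/16"),
        "vpc-b": ("region-1", "10.1.0.0/16"),
        "vpc-c": ("region-1", "10.2.0.0/16"),
    })
    reg.accept(reg.request("vpc-a", "vpc-b", day=0), day=1)
    reg.accept(reg.request("vpc-a", "vpc-c", day=0), day=3)
    return reg


if __name__ == "__main__":
    reg = figure_4_3()
    print("A->B", reg.can_reach("vpc-a", "vpc-b"))
    print("B->C via A?", reg.can_reach("vpc-b", "vpc-c"))
```

The overlap check is the one most often missed in practice: two VPCs built from the same 10.0.0.0/16 template cannot be peered at all, which is a good argument for planning non-overlapping CIDRs across accounts before the first VPC is created.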
Security Groups
A security group is a virtual stateful firewall that controls inbound and outbound network traffic to AWS resources and Amazon EC2 instances. All Amazon EC2 instances must be launched into a security group. If a security group is not specified at launch, then the instance will be launched into the default security group for the Amazon VPC. The default security group allows communication between all resources within the security group, allows all outbound traffic, and denies all other traffic. You may change the rules for the default security group, but you may not delete the default security group. Table 4.3 describes the settings of the default security group.
TABLE 4.3 Security Group Rules
Inbound
Source | Protocol | Port Range | Comments
sg-xxxxxxxx | All | All | Allow inbound traffic from instances within the same security group.
Outbound
Destination | Protocol | Port Range | Comments
0.0.0.0/0 | All | All | Allow all outbound traffic.
For each security group, you add rules that control the inbound traffic to instances and a separate set of rules that control the outbound traffic. For example, Table 4.4 describes a security group for web servers.
TABLE 4.4 Security Group Rules for a Web Server
Inbound
Source | Protocol | Port Range | Comments
0.0.0.0/0 | TCP | 80 | Allow inbound traffic from the Internet to port 80.
Your network's public IP address range | TCP | 22 | Allow Secure Shell (SSH) traffic from your company network.
Your network's public IP address range | TCP | 3389 | Allow Remote Desktop Protocol (RDP) traffic from your company network.
Outbound
Destination | Protocol | Port Range | Comments
The ID of the security group for your MySQL database servers | TCP | 3306 | Allow outbound MySQL access to instances in the specified security group.
The ID of the security group for your Microsoft SQL Server database servers | TCP | 1433 | Allow outbound Microsoft SQL Server access to instances in the specified security group.
Here are the important points to understand about security groups for the exam:
You can create up to 500 security groups for each Amazon VPC.
You can add up to 50 inbound and 50 outbound rules to each security group. If you need to apply more than 100 rules to an instance, you can associate up to five security groups with each network interface.
You can specify allow rules, but not deny rules. This is an important difference between security groups and ACLs.
You can specify separate rules for inbound and outbound traffic.
By default, no inbound traffic is allowed until you add inbound rules to the security group.
By default, new security groups have an outbound rule that allows all outbound traffic. You can remove the rule and add outbound rules that allow specific outbound traffic only.
Security groups are stateful. This means that responses to allowed inbound traffic are allowed to flow outbound regardless of outbound rules and vice versa. This is an important difference between security groups and network ACLs.
Instances associated with the same security group can't talk to each other unless you add rules allowing it (with the exception being the default security group).
You can change the security groups with which an instance is associated after launch, and the changes will take effect immediately.
Network Access Control Lists (ACLs)
A network access control list (ACL) is another layer of security that acts as a stateless firewall on a subnet level. A network ACL is a numbered list of rules that AWS evaluates in order, starting with the lowest numbered rule, to determine whether traffic is allowed in or out of any subnet associated with the network ACL. Amazon VPCs are created with a modifiable default network ACL associated with every subnet that allows all inbound and outbound traffic. When you create a custom network ACL, its initial configuration will deny all inbound and outbound traffic until you create rules that allow otherwise. You may set up network ACLs with rules similar to your security groups in order to add a layer of security to your Amazon VPC, or you may choose to use the default network ACL that does not filter traffic traversing the subnet boundary. Overall, every subnet must be associated with a network ACL.
Table 4.5 explains the differences between a security group and a network ACL. You should remember the following differences between security groups and network ACLs for the exam.
TABLE 4.5 Comparison of Security Groups and Network ACLs
Security Group | Network ACL
Operates at the instance level (first layer of defense) | Operates at the subnet level (second layer of defense)
Supports allow rules only | Supports allow rules and deny rules
Stateful: Return traffic is automatically allowed, regardless of any rules | Stateless: Return traffic must be explicitly allowed by rules.
AWS evaluates all rules before deciding whether to allow traffic | AWS processes rules in number order when deciding whether to allow traffic.
Applied selectively to individual instances | Automatically applied to all instances in the associated subnets; this is a backup layer of defense, so you don't have to rely on someone specifying the security group.
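The rows of Table 4.5 are easiest to see by running the same request/reply pair through both kinds of filter: the stateful security group admits the reply on the strength of the tracked flow, the stateless network ACL needs an explicit outbound rule for it, and a lower-numbered deny in the ACL wins over a later allow. The following Python is an added example, not code from the book or from AWS; the Packet, Rule, SecurityGroup and NetworkACL classes are a simplified model written for this page, the client and server addresses are constructed, and the rule numbers and the 1024-65535 ephemeral port range are illustrative choices.

```python
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (toward the instance or subnet) or "out"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str = "tcp"


@dataclass(frozen=True)
class Rule:
    direction: str
    cidr: str             # peer range: source for "in", destination for "out"
    protocol: str         # "tcp", "udp", or "all"
    port_from: int
    port_to: int
    action: str = "allow" # network ACLs may also say "deny"
    number: int = 0       # evaluation order; only network ACLs use it


def matches(rule, pkt):
    """Does this rule cover this packet? Ports are compared on the destination port."""
    if rule.direction != pkt.direction:
        return False
    peer = pkt.src_ip if pkt.direction == "in" else pkt.dst_ip
    if ipaddress.ip_address(peer) not in ipaddress.ip_network(rule.cidr):
        return False
    if rule.protocol != "all" and rule.protocol != pkt.protocol:
        return False
    return rule.protocol == "all" or rule.port_from <= pkt.dst_port <= rule.port_to


class SecurityGroup:
    """Stateful, allow-only: every rule is consulted, replies ride on tracked flows."""

    def __init__(self, rules):
        if any(r.action != "allow" for r in rules):
            raise ValueError("security groups support allow rules only")
        self.rules = list(rules)
        self.flows = set()  # 5-tuples of traffic already admitted

    def evaluate(self, pkt):
        forward = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.protocol)
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.protocol)
        if reverse in self.flows:
            return True  # response to admitted traffic, regardless of rules
        if any(matches(r, pkt) for r in self.rules):
            self.flows.add(forward)
            return True
        return False


class NetworkACL:
    """Stateless: the lowest-numbered matching rule decides; no match means deny."""

    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)

    def evaluate(self, pkt):
        for r in self.rules:
            if matches(r, pkt):
                return r.action == "allow"
        return False


# Constructed traffic: a client on the Internet fetches a page from a web
# server at 10.0.0.5, and the server answers to the client's ephemeral port.
REQUEST = Packet("in", "203.0.113.10", 51515, "10.0.0.5", 80)
REPLY = Packet("out", "10.0.0.5", 80, "203.0.113.10", 51515)


def web_server_sg():
    # Table 4.4's inbound port-80 rule alone; no outbound rule covers the reply.
    return SecurityGroup([Rule("in", "0.0.0.0/0", "tcp", 80, 80)])


def nacl_without_return_rule():
    return NetworkACL([Rule("in", "0.0.0.0/0", "tcp", 80, 80, number=100)])


def nacl_with_return_rule():
    return NetworkACL([
        Rule("in", "0.0.0.0/0", "tcp", 80, 80, number=100),
        # Stateless filters need the reply allowed explicitly; it goes to the
        # client's ephemeral port, so the outbound range has to be wide.
        Rule("out", "0.0.0.0/0", "tcp", 1024, 65535, number=100),
    ])


def nacl_blocking_one_network():
    # A lower-numbered deny wins over the later allow: numbering is the policy.
    return NetworkACL([
        Rule("in", "203.0.113.0/24", "tcp", 80, 80, action="deny", number=50),
        Rule("in", "0.0.0.0/0", "tcp", 80, 80, number=100),
    ])


def run_flow(firewall, packets):
    return [firewall.evaluate(p) for p in packets]


if __name__ == "__main__":
    print("security group      ", run_flow(web_server_sg(), [REQUEST, REPLY]))
    print("ACL, no return rule ", run_flow(nacl_without_return_rule(), [REQUEST, REPLY]))
    print("ACL, with return    ", run_flow(nacl_with_return_rule(), [REQUEST, REPLY]))
    print("ACL, deny first     ", run_flow(nacl_blocking_one_network(), [REQUEST]))
```

The second result is the classic troubleshooting case: a custom network ACL that mirrors the security group's inbound rules but lacks the outbound ephemeral-port rule will pass the request and silently drop every response.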
Network Address Translation (NAT) Instances and NAT Gateways
By default, any instance that you launch into a private subnet in an Amazon VPC is not able to communicate with the Internet through the IGW. This is problematic if the instances within private subnets need direct access to the Internet from the Amazon VPC in order to apply security updates, download patches, or update application software. AWS provides NAT instances and NAT gateways to allow instances deployed in private subnets to gain Internet access. For common use cases, we recommend that you use a NAT gateway instead of a NAT instance. The NAT gateway provides better availability and higher bandwidth, and requires less administrative effort than NAT instances.
NAT Instance
A network address translation (NAT) instance is an Amazon Linux Amazon Machine Image (AMI) that is designed to accept traffic from instances within a private subnet, translate the source IP address to the public IP address of the NAT instance, and forward the traffic to the IGW. In addition, the NAT instance maintains the state of the forwarded traffic in order to return response traffic from the Internet to the proper instance in the private subnet. These instances have the string amzn-ami-vpc-nat in their names, which is searchable in the Amazon EC2 console.
To allow instances within a private subnet to access Internet resources through the IGW via a NAT instance, you must do the following:
Create a security group for the NAT with outbound rules that specify the needed Internet resources by port, protocol, and IP address.
Launch an Amazon Linux NAT AMI as an instance in a public subnet and associate it with the NAT security group.
Disable the Source/Destination Check attribute of the NAT.
Configure the route table associated with a private subnet to direct Internet-bound traffic to the NAT instance (for example, i-1a2b3c4d).
Allocate an EIP and associate it with the NAT instance.
This configuration allows instances in private subnets to send outbound Internet communication, but it prevents the instances from receiving inbound traffic initiated by someone on the Internet.
NAT Gateway
A NAT gateway is an Amazon managed resource that is designed to operate just like a NAT instance, but it is simpler to manage and highly available within an Availability Zone.
To allow instances within a private subnet to access Internet resources through the IGW via a NAT gateway, you must do the following:
Configure the route table associated with the private subnet to direct Internet-bound traffic to the NAT gateway (for example, nat-1a2b3c4d).
Allocate an EIP and associate it with the NAT gateway.
Like a NAT instance, this managed service allows outbound Internet communication and prevents the instances from receiving inbound traffic initiated by someone on the Internet.
To create an Availability Zone-independent architecture, create a NAT gateway in each Availability Zone and configure your routing to ensure that resources use the NAT gateway in the same Availability Zone.
The exercises will demonstrate how a NAT gateway works.
Virtual Private Gateways (VPGs), Customer Gateways (CGWs), and Virtual Private Networks (VPNs)
You can connect an existing data center to Amazon VPC using either hardware or software VPN connections, which will make Amazon VPC an extension of the data center. A VPN connection between a corporate network and a VPC is built from two components: a VPG on the AWS side and a CGW on the customer side.
A virtual private gateway (VPG) is the virtual private network (VPN) concentrator on the AWS side of the VPN connection between the two networks. A customer gateway (CGW) represents a physical device or a software application on the customer's side of the VPN connection. After these two elements of an Amazon VPC have been created, the last step is to create a VPN tunnel. The VPN tunnel is established after traffic is generated from the customer's side of the VPN connection. Figure 4.4 illustrates a single VPN connection between a corporate network and an Amazon VPC.
FIGURE 4.4 VPC with VPN connection to a customer network
You must specify the type of routing that you plan to use when you create a VPN connection. If the CGW supports Border Gateway Protocol (BGP), then configure the VPN connection for dynamic routing. Otherwise, configure the connection for static routing. If you will be using static routing, you must enter the routes for your network that should be communicated to the VPG. Routes will be propagated to the Amazon VPC to allow your resources to route network traffic back to the corporate network through the VPG and across the VPN tunnel.
Amazon VPC also supports multiple CGWs, each having a VPN connection to a single VPG (many-to-one design). In order to support this topology, the CGW IP addresses must be unique within the region.
Amazon VPC will provide the information needed by the network administrator to configure the CGW and establish the VPN connection with the VPG. The VPN connection consists of two Internet Protocol Security (IPsec) tunnels for higher availability to the Amazon VPC. Configure both tunnels on the CGW; a connection with only one tunnel brought up has no redundancy.
Following are the important points to understand about VPGs, CGWs, and VPNs for the exam:
The VPG is the AWS end of the VPN tunnel.
The CGW is a hardware or software application on the customer's side of the VPN tunnel.
You must initiate the VPN tunnel from the CGW to the VPG.
VPGs support both dynamic routing with BGP and static routing.
The VPN connection consists of two tunnels for higher availability to the VPC.
Summary
In this chapter, you learned that Amazon VPC is the networking layer for Amazon EC2, and it allows you to create your own private virtual network within the cloud. You can provision your own logically isolated section of AWS similar to designing and implementing a separate independent network that you'd operate in a physical data center.
A VPC consists of the following components:
Subnets
Route tables
DHCP option sets
Security groups
Network ACLs
A VPC has the following optional components:
IGWs
EIP addresses
Endpoints
Peering
NAT instance and NAT gateway
VPG, CGW, and VPN
Subnets can be public, private, or VPN-only. A public subnet is one in which the associated route table directs the subnet's traffic to the Amazon VPC's IGW. A private subnet is one in which the associated route table does not direct the subnet's traffic to the Amazon VPC's IGW. A VPN-only subnet is one in which the associated route table directs the subnet's traffic to the Amazon VPC's VPG and does not have a route to the IGW. Regardless of the type of subnet, the internal IP address range of the subnet is always private (non-routable on the Internet).
A route table is a logical construct within an Amazon VPC that contains a set of rules (called routes) that are applied to the subnet and used to determine where network traffic is directed. A route table's routes are what permit Amazon EC2 instances within different subnets within an Amazon VPC to communicate with each other. You can modify route tables and add your own custom routes. You can also use route tables to specify which subnets are public (by directing Internet traffic to the IGW) and which subnets are private (by not having a route that directs traffic to the IGW).
An IGW is a horizontally scaled, redundant, and highly available Amazon VPC component that allows communication between instances in your Amazon VPC and the Internet. IGWs are fully redundant and have no bandwidth constraints. An IGW provides a target in your Amazon VPC route tables for Internet-routable traffic, and it performs network address translation for instances that have been assigned public IP addresses.
The DHCP option sets element of an Amazon VPC allows you to direct Amazon EC2 host name assignment to your own resources. In order for you to assign your own domain name to your instances, you create a custom DHCP option set and assign it to your Amazon VPC.
An EIP address is a static, public IP address in the pool for the region that you can allocate to your account (pull from the pool) and release (return to the pool). EIPs allow you to maintain a set of IP addresses that remain fixed while the underlying infrastructure may change over time.
An Amazon VPC endpoint enables you to create a private connection between your Amazon VPC and another AWS service without requiring access over the Internet or through a NAT instance, VPN connection, or AWS Direct Connect. You can create multiple endpoints for a single service, and you can use different route tables to enforce different access policies from different subnets to the same service.
An Amazon VPC peering connection is a networking connection between two Amazon VPCs that enables instances in either Amazon VPC to communicate with each other as if they were within the same network. You can create an Amazon VPC peering connection between your own Amazon VPCs or with an Amazon VPC in another AWS account within a single region. A peering connection is neither a gateway nor a VPN connection and does not introduce a single point of failure for communication.
A security group is a virtual stateful firewall that controls inbound and outbound traffic to Amazon EC2 instances. When you first launch an Amazon EC2 instance into an Amazon VPC, you must specify the security group with which it will be associated. AWS provides a default security group for your use, which has rules that allow all instances associated with the security group to communicate with each other and allow all outbound traffic. You may change the rules for the default security group, but you may not delete the default security group.
A network ACL is another layer of security that acts as a stateless firewall on a subnet level. Amazon VPCs are created with a modifiable default network ACL associated with every subnet that allows all inbound and outbound traffic. If you want to create a custom network ACL, its initial configuration will deny all inbound and outbound traffic until you create a rule that states otherwise.
A NAT instance is a customer-managed instance that is designed to accept traffic from instances within a private subnet, translate the source IP address to the public IP address of the NAT instance, and forward the traffic to the IGW. In addition, the NAT instance maintains the state of the forwarded traffic in order to return response traffic from the Internet to the proper instance in the private subnet.
A NAT gateway is an AWS-managed service that is designed to accept traffic from instances within a private subnet, translate the source IP address to the public IP address of the NAT gateway, and forward the traffic to the IGW. In addition, the NAT gateway maintains the state of the forwarded traffic in order to return response traffic from the Internet to the proper instance in the private subnet.
A VPG is the VPN concentrator on the AWS side of the VPN connection between the two networks. A CGW is a physical device or a software application on the customer's side of the VPN connection. After these two elements of an Amazon VPC have been created, the last step is to create a VPN tunnel. The VPN tunnel is established after traffic is generated from the customer's side of the VPN connection.
Exam Essentials
Understand what a VPC is and its core and optional components. An Amazon VPC is a logically isolated network in the AWS Cloud. An Amazon VPC is made up of the following core elements: subnets (public, private, and VPN-only), route tables, DHCP option sets, security groups, and network ACLs. Optional elements include an IGW, EIP addresses, endpoints, peering connections, NAT instances, VPGs, CGWs, and VPN connections.
Understand the purpose of a subnet. A subnet is a segment of an Amazon VPC's IP address range where you can place groups of isolated resources. Subnets are defined by CIDR blocks (for example, 10.0.1.0/24 and 10.0.2.0/24) and are contained within an Availability Zone.
Identify the difference between a public subnet, a private subnet, and a VPN-only subnet. If a subnet's traffic is routed to an IGW, the subnet is known as a public subnet. If a subnet doesn't have a route to the IGW, the subnet is known as a private subnet. If a subnet doesn't have a route to the IGW but has its traffic routed to a VPG, the subnet is known as a VPN-only subnet.
Understand the purpose of a route table. A route table is a set of rules (called routes) that are used to determine where network traffic is directed. A route table allows Amazon EC2 instances within different subnets to communicate with each other (within the same Amazon VPC). The Amazon VPC router also enables subnets, IGWs, and VPGs to communicate with each other.
Understand the purpose of an IGW. An IGW is a horizontally scaled, redundant, and highly available Amazon VPC component that allows communication between instances in your Amazon VPC and the Internet. IGWs are fully redundant and have no bandwidth constraints. An IGW provides a target in your Amazon VPC route tables for Internet-routable traffic and performs network address translation for instances that have been assigned public IP addresses.
Understand what DHCP option sets provide to an Amazon VPC. The DHCP option sets element of an Amazon VPC allows you to direct Amazon EC2 host name assignment to your own resources. You can specify the domain name for instances within an Amazon VPC and identify the IP addresses of custom DNS servers, NTP servers, and NetBIOS servers.
Know the difference between an Amazon VPC public IP address and an EIP address. A public IP address is an AWS-owned IP that can be automatically assigned to instances launched within a subnet. An EIP address is an AWS-owned public IP address that you allocate to your account and assign to instances or network interfaces on demand.
Understand what endpoints provide to an Amazon VPC. An Amazon VPC endpoint enables you to create a private connection between your Amazon VPC and another AWS service without requiring access over the Internet or through a NAT instance, a VPN connection, or AWS Direct Connect. Endpoints support services within the region only.
Understand Amazon VPC peering. An Amazon VPC peering connection is a networking connection between two Amazon VPCs that enables instances in either Amazon VPC to communicate with each other as if they are within the same network. Peering connections are created through a request/accept protocol. Transitive peering is not supported, and peering is only available between Amazon VPCs within the same region.
Know the difference between a security group and a network ACL. A security group applies at the instance level. You can have multiple instances in multiple subnets that are members of the same security groups. Security groups are stateful, which means that return traffic is automatically allowed, regardless of any outbound rules. A network ACL is applied on a subnet level, and traffic is stateless. You need to allow both inbound and outbound traffic on the network ACL in order for Amazon EC2 instances in a subnet to be able to communicate over a particular protocol.
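The stateful-versus-stateless distinction drawn in the Summary's security group and network ACL paragraphs and restated here, evaluated on constructed traffic as an added example (not code from the study guide or from AWS). The rule sets, addresses and ports are made up; the evaluation semantics are the documented ones: a security group is an allow list matched at the instance and reply traffic of an admitted connection is allowed without consulting the outbound rules, while a network ACL is evaluated at the subnet in ascending rule-number order with the first match deciding, the implicit final "*" rule denying, and the reply direction needing its own rule (normally on the ephemeral port range 1024-65535).

```python
"""Stateful security group versus stateless network ACL on the same traffic.

Added example; not code from the study guide or from AWS. Rules, addresses
and ports below are constructed for the illustration.
"""
import ipaddress


def _matches(rule, proto, port, peer_ip):
    """A rule matches when protocol, port range and peer CIDR all match."""
    return (rule["proto"] in ("all", proto)
            and rule["from_port"] <= port <= rule["to_port"]
            and ipaddress.ip_address(peer_ip) in ipaddress.ip_network(rule["cidr"]))


def security_group_decides(sg, client_ip, client_port, server_port, proto="tcp"):
    """(request_allowed, reply_allowed) for a client connecting to an instance
    in this security group. Stateful: the reply follows the request, so the
    outbound rule list is never consulted for it."""
    request_ok = any(_matches(r, proto, server_port, client_ip) for r in sg["inbound"])
    return request_ok, request_ok


def network_acl_decides(acl, client_ip, client_port, server_port, proto="tcp"):
    """(request_allowed, reply_allowed) for a client connecting to an instance
    in a subnet with this network ACL. Stateless: each direction is evaluated
    on its own, lowest rule number first, and '*' (no match) denies."""
    def evaluate(rules, port, peer_ip):
        for entry in sorted(rules, key=lambda r: r["number"]):
            if _matches(entry, proto, port, peer_ip):
                return entry["action"] == "allow"
        return False
    request_ok = evaluate(acl["inbound"], server_port, client_ip)
    reply_ok = evaluate(acl["outbound"], client_port, client_ip)
    return request_ok, reply_ok


def rule(number, action, proto, from_port, to_port, cidr):
    return {"number": number, "action": action, "proto": proto,
            "from_port": from_port, "to_port": to_port, "cidr": cidr}


# Web server security group: HTTPS in from anywhere, deliberately no outbound rules.
SG_WEB = {"inbound": [rule(0, "allow", "tcp", 443, 443, "0.0.0.0/0")], "outbound": []}

# Network ACL missing the ephemeral-port outbound rule: requests get in, replies never get out.
ACL_NO_EPHEMERAL = {
    "inbound":  [rule(100, "allow", "tcp", 443, 443, "0.0.0.0/0")],
    "outbound": [],
}

# Corrected network ACL that also denies one scanning /24 before the general allow.
ACL_WEB = {
    "inbound":  [rule(90, "deny", "tcp", 443, 443, "203.0.113.0/24"),
                 rule(100, "allow", "tcp", 443, 443, "0.0.0.0/0")],
    "outbound": [rule(100, "allow", "tcp", 1024, 65535, "0.0.0.0/0")],
}

# Same rules with the deny numbered after the allow: the allow matches first, the deny is dead.
ACL_DENY_TOO_LATE = {
    "inbound":  [rule(100, "allow", "tcp", 443, 443, "0.0.0.0/0"),
                 rule(110, "deny", "tcp", 443, 443, "203.0.113.0/24")],
    "outbound": ACL_WEB["outbound"],
}

if __name__ == "__main__":
    print("security group:", security_group_decides(SG_WEB, "198.51.100.9", 50123, 443))
    print("ACL without ephemeral rule:", network_acl_decides(ACL_NO_EPHEMERAL, "198.51.100.9", 50123, 443))
    print("ACL blocks scanner:", network_acl_decides(ACL_WEB, "203.0.113.5", 50123, 443))
    print("deny numbered too late:", network_acl_decides(ACL_DENY_TOO_LATE, "203.0.113.5", 50123, 443))
```

The scanner case is the situation in review question 16: a security group has no deny rules, so only the network ACL can reject traffic from a specific source, and only if the deny rule carries a lower number than the allow it must override.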
Understand what a NAT provides to an Amazon VPC. A NAT instance or NAT gateway enables instances in a private subnet to initiate outbound traffic to the Internet. This allows outbound Internet communication to download patches and updates, for example, but prevents the instances from receiving inbound traffic initiated by someone on the Internet.
Understand the components needed to establish a VPN connection from a network to an Amazon VPC. A VPG is the VPN concentrator on the AWS side of the VPN connection between the two networks. A CGW represents a physical device or a software application on the customer's side of the VPN connection. The VPN connection must be initiated from the CGW side, and the connection consists of two IPsec tunnels.
Exercises
The best way to become familiar with Amazon VPC is to build your own custom Amazon VPC and then deploy Amazon EC2 instances into it, which is what you'll be doing in this section. You should repeat these exercises until you can create and decommission Amazon VPCs with confidence.
For assistance completing these exercises, refer to the Amazon VPC User Guide located at http://aws.amazon.com/documentation/vpc/.
EXERCISE 4.1
Create a Custom Amazon VPC
1. Sign in to the AWS Management Console as an administrator or power user.
2. Select the Amazon VPC icon to launch the Amazon VPC Dashboard.
3. Create an Amazon VPC with a CIDR block equal to 192.168.0.0/16, a name tag of MyFirstVPC, and default tenancy.
You have created your first custom VPC.
EXERCISE 4.2
Create Two Subnets for Your Custom Amazon VPC
1. Create a subnet with a CIDR block equal to 192.168.1.0/24 and a name tag of MyFirstPublicSubnet. Create the subnet in the Amazon VPC from Exercise 4.1, and specify an Availability Zone for the subnet (for example, us-east-1a).
2. Create a subnet with a CIDR block equal to 192.168.2.0/24 and a name tag of MyFirstPrivateSubnet. Create the subnet in the Amazon VPC from Exercise 4.1, and specify a different Availability Zone for the subnet than previously specified (for example, us-east-1b).
You have now created two new subnets, each in its own Availability Zone. It's important to remember that one subnet equals one Availability Zone. You cannot stretch a subnet across multiple Availability Zones.
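Before clicking through Exercises 4.1 and 4.2 in the console it is worth checking the address plan offline. The following is an added example, not code from the study guide or from AWS, that validates a VPC and subnet plan with the standard-library ipaddress module against the sizing rules this chapter states (CIDR blocks between /16 and /28, subnets inside the VPC block, no overlap, one Availability Zone per subnet) and reports usable addresses, since AWS reserves the first four addresses and the last address of every subnet. The plan is taken from the exercises; the function and constant names are this example's own.

```python
"""Check a VPC/subnet plan against the Amazon VPC sizing rules in this chapter.

Added example; not code from the study guide or from AWS. The plan below
is constructed from Exercises 4.1 and 4.2.
"""
import ipaddress

RESERVED_PER_SUBNET = 5   # network address, VPC router, DNS, future use, broadcast


def validate_plan(vpc_cidr, subnets):
    """subnets: iterable of (name, cidr, availability_zone).
    Returns a list of error strings; an empty list means the plan is valid."""
    errors = []
    try:
        vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    except ValueError as exc:
        return [f"VPC CIDR {vpc_cidr!r} is malformed: {exc}"]
    if not 16 <= vpc.prefixlen <= 28:
        errors.append(f"VPC {vpc} must be between /16 and /28")

    seen = []
    for name, cidr, az in subnets:
        try:
            net = ipaddress.ip_network(cidr, strict=True)   # rejects host bits set
        except ValueError as exc:
            errors.append(f"{name}: CIDR {cidr!r} is malformed: {exc}")
            continue
        if not 16 <= net.prefixlen <= 28:
            errors.append(f"{name}: {net} must be between /16 and /28")
        if not net.subnet_of(vpc):
            errors.append(f"{name}: {net} is not inside VPC {vpc}")
        if not az:
            errors.append(f"{name}: must be created in exactly one Availability Zone")
        for other_name, other in seen:
            if net.overlaps(other):
                errors.append(f"{name}: {net} overlaps {other_name} {other}")
        seen.append((name, net))
    return errors


def usable_addresses(cidr):
    """Addresses an operator can actually assign in a subnet of this size."""
    return ipaddress.ip_network(cidr).num_addresses - RESERVED_PER_SUBNET


EXERCISE_PLAN = ("192.168.0.0/16", [
    ("MyFirstPublicSubnet",  "192.168.1.0/24", "us-east-1a"),
    ("MyFirstPrivateSubnet", "192.168.2.0/24", "us-east-1b"),
])

if __name__ == "__main__":
    vpc_cidr, subnets = EXERCISE_PLAN
    print(validate_plan(vpc_cidr, subnets) or "plan is valid")
    for name, cidr, _ in subnets:
        print(name, cidr, usable_addresses(cidr), "usable addresses")   # 251 for a /24
```

The reserved-address rule is why a /28 (the smallest subnet allowed, review question 1) leaves only 11 assignable addresses, and why a /24 yields 251 rather than the 254 a conventional network would give.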
EXERCISE 4.3
Connect Your Custom Amazon VPC to the Internet and Establish Routing
For assistance with this exercise, refer to the Amazon EC2 key pair documentation at: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html
For additional assistance with this exercise, refer to the NAT instances documentation at: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_NAT_Instance.html#NATInstance
1. Create an Amazon EC2 key pair in the same region as your custom Amazon VPC.
2. Create an IGW with a name tag of MyFirstIGW and attach it to your custom Amazon VPC.
3. Add a route to the main route table for your custom Amazon VPC that directs Internet traffic (0.0.0.0/0) to the IGW. Note that every subnet not explicitly associated with another route table uses the main route table, so from this step on any such subnet is a public subnet.
4. Create a NAT gateway, place it in the public subnet of your custom Amazon VPC, and assign it an EIP.
5. Create a new route table with a name tag of MyFirstPrivateRouteTable and place it within your custom Amazon VPC. Add a route to it that directs Internet traffic (0.0.0.0/0) to the NAT gateway and associate it with the private subnet. This explicit association is what takes the private subnet off the main route table and its IGW route.
You have now created a connection to the Internet for resources within your Amazon VPC. You established routing rules that send Internet-bound traffic from the public subnet to the IGW and Internet-bound traffic from the private subnet to the NAT gateway, which in turn reaches the Internet through the IGW.
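The subnet types defined in the Summary and the routing built in Exercise 4.3, applied to constructed route tables as an added example (not code from the study guide or from AWS). It implements the VPC router's most-specific-match selection and classifies a subnet from the targets in its route table; targets are recognised by the AWS resource-ID prefixes igw-, nat-, vgw- and the literal "local". The nat-1a2b3c4d identifier is the chapter's own placeholder; igw-0a1b2c3d and vgw-9f8e7d6c are made up for this example, as are the 10.50.0.0/16 corporate range and the probe addresses.

```python
"""Decide where a subnet's traffic goes, and therefore what kind of subnet it is.

Added example; not code from the study guide or from AWS. Route tables
below are constructed to mirror Exercise 4.3; the gateway IDs are made up.
"""
import ipaddress


def lookup(route_table, dst_ip):
    """Target of the most specific route covering dst_ip (longest prefix match),
    or None when no route applies and the packet is dropped."""
    addr = ipaddress.ip_address(dst_ip)
    best_net, best_target = None, None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def classify_subnet(route_table):
    """'public', 'private', or 'vpn-only' per the definitions in this chapter:
    any IGW route makes the subnet public; no IGW route and a VPG route with
    no NAT route makes it VPN-only; anything else is private."""
    targets = [target for _, target in route_table]
    if any(t.startswith("igw-") for t in targets):
        return "public"
    has_vpg = any(t.startswith("vgw-") for t in targets)
    has_nat = any(t.startswith("nat-") for t in targets)
    if has_vpg and not has_nat:
        return "vpn-only"
    return "private"


VPC_CIDR = "192.168.0.0/16"
# Main route table after step 3: the public subnet's Internet traffic goes to the IGW.
PUBLIC_RT = [(VPC_CIDR, "local"), ("0.0.0.0/0", "igw-0a1b2c3d")]
# MyFirstPrivateRouteTable after step 5: Internet traffic goes to the NAT gateway.
PRIVATE_RT = [(VPC_CIDR, "local"), ("0.0.0.0/0", "nat-1a2b3c4d")]
# A VPN-only subnet: only the corporate range is reachable, via the VPG.
VPN_ONLY_RT = [(VPC_CIDR, "local"), ("10.50.0.0/16", "vgw-9f8e7d6c")]
# Public subnet that also reaches the corporate network: the /16 beats 0.0.0.0/0.
MIXED_RT = [(VPC_CIDR, "local"), ("0.0.0.0/0", "igw-0a1b2c3d"), ("10.50.0.0/16", "vgw-9f8e7d6c")]

if __name__ == "__main__":
    for name, table in [("public", PUBLIC_RT), ("private", PRIVATE_RT),
                        ("vpn-only", VPN_ONLY_RT), ("mixed", MIXED_RT)]:
        print(name, "->", classify_subnet(table),
              "| 93.184.216.34 via", lookup(table, "93.184.216.34"),
              "| 10.50.3.9 via", lookup(table, "10.50.3.9"))
```

The MIXED_RT case is the one to remember: a default route to the IGW does not stop corporate traffic from taking the VPN, because the router always prefers the more specific prefix.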
EXERCISE 4.4
Launch an Amazon EC2 Instance and Test the Connection to the Internet
1. Launch a t2.micro Amazon Linux AMI as an Amazon EC2 instance into the public subnet of your custom Amazon VPC, give it a name tag of MyFirstPublicInstance, and select the newly-created key pair for secure access to the instance. The instance needs a public IP address (auto-assigned or an EIP) and a security group that admits SSH (TCP port 22) from your own address, not from 0.0.0.0/0.
2. Securely access the Amazon EC2 instance in the public subnet via SSH with the newly-created key pair.
3. Execute an update to the operating system instance libraries by executing the following command:
$ sudo yum update -y
4. You should see output showing the instance downloading software from the Internet and installing it.
You have now provisioned an Amazon EC2 instance in a public subnet. You can apply patches to the Amazon EC2 instance in the public subnet, and you have demonstrated connectivity to the Internet.
Review Questions
1. What is the minimum size subnet that you can have in an Amazon VPC?
A. /24
B. /26
C. /28
D. /30
2. You are a solutions architect working for a large travel company that is migrating its existing server estate to AWS. You have recommended that they use a custom Amazon VPC, and they have agreed to proceed. They will need a public subnet for their web servers and a private subnet in which to place their databases. They also require that the web servers and database servers be highly available and that there be a minimum of two web servers and two database servers each. How many subnets should you have to maintain high availability?
A. 2
B. 3
C. 4
D. 1
3. Which of the following is an optional security control that can be applied at the subnet layer of a VPC?
A. Network ACL
B. Security Group
C. Firewall
D. Web application firewall
4. What is the maximum size IP address range that you can have in an Amazon VPC?
A. /16
B. /24
C. /28
D. /30
5. You create a new subnet and then add a route to your route table that routes traffic out from that subnet to the Internet using an IGW. What type of subnet have you created?
A. An internal subnet
B. A private subnet
C. An external subnet
D. A public subnet
6. What happens when you create a new Amazon VPC?
A. A main route table is created by default.
B. Three subnets are created by default, one for each Availability Zone.
C. Three subnets are created by default in one Availability Zone.
D. An IGW is created by default.
7. You create a new VPC in US-East-1 and provision three subnets inside this Amazon VPC. Which of the following statements is true?
A. By default, these subnets will not be able to communicate with each other; you will need to create routes.
B. All subnets are public by default.
C. All subnets will be able to communicate with each other by default.
D. Each subnet will have identical CIDR blocks.
8. How many IGWs can you attach to an Amazon VPC at any one time?
A. 1
B. 2
C. 3
D. 4
9. What aspect of an Amazon VPC is stateful?
A. Network ACLs
B. Security groups
C. Amazon DynamoDB
D. Amazon S3
10. You have created a custom Amazon VPC with both private and public subnets. You have created a NAT instance and deployed this instance to a public subnet. You have attached an EIP address and added your NAT to the route table. Unfortunately, instances in your private subnet still cannot access the Internet. What may be the cause of this?
A. Your NAT is in a public subnet, but it needs to be in a private subnet.
B. Your NAT should be behind an Elastic Load Balancer.
C. You should disable source/destination checks on the NAT.
D. Your NAT has been deployed on a Windows instance, but your other instances are Linux. You should redeploy the NAT onto a Linux instance.
11. Which of the following will occur when an Amazon Elastic Block Store (Amazon EBS)-backed Amazon EC2 instance in an Amazon VPC with an associated EIP is stopped and started? (Choose 2 answers)
A. The EIP will be dissociated from the instance.
B. All data on instance-store devices will be lost.
C. All data on Amazon EBS devices will be lost.
D. The ENI is detached.
E. The underlying host for the instance is changed.
12. How many VPC peering connections are required for four VPCs located within the same AWS region to be able to send traffic to each of the others?
A. 3
B. 4
C. 5
D. 6
13. Which of the following AWS resources would you use in order for an EC2-VPC instance to resolve DNS names outside of AWS?
A. A VPC peering connection
B. A DHCP option set
C. A routing rule
D. An IGW
14. Which of the following is the Amazon side of an Amazon VPN connection?
A. An EIP
B. A CGW
C. An IGW
D. A VPG
15. What is the default limit for the number of Amazon VPCs that a customer may have in a region?
A. 5
B. 6
C. 7
D. There is no default maximum number of VPCs within a region.
16. You are responsible for your company's AWS resources, and you notice a significant amount of traffic from an IP address in a foreign country in which your company does not have customers. Further investigation of the traffic indicates the source of the traffic is scanning for open ports on your EC2-VPC instances. Which one of the following resources can deny the traffic from reaching the instances?
A. Security group
B. Network ACL
C. NAT instance
D. An Amazon VPC endpoint
17. Which of the following is the security protocol supported by Amazon VPC?
A. SSH
B. Advanced Encryption Standard (AES)
C. Point-to-Point Tunneling Protocol (PPTP)
D. IPsec
18. Which of the following Amazon VPC resources would you use in order for EC2-VPC instances to send traffic directly to Amazon S3?
A. Amazon S3 gateway
B. IGW
C. CGW
D. VPC endpoint
19. What properties of an Amazon VPC must be specified at the time of creation? (Choose 2 answers)
A. The CIDR block representing the IP address range
B. One or more subnets for the Amazon VPC
C. The region for the Amazon VPC
D. Amazon VPC peering relationships
20. Which Amazon VPC feature allows you to create a dual-homed instance?
A. EIP address
B. ENI
C. Security groups
D. CGW
Chapter 5
Elastic Load Balancing, Amazon CloudWatch, and Auto Scaling
THE AWS CERTIFIED SOLUTIONS ARCHITECT EXAM TOPICS COVERED IN THIS CHAPTER MAY INCLUDE, BUT ARE NOT LIMITED TO, THE FOLLOWING:
Domain 1.0: Designing highly available, cost-effective, fault-tolerant, scalable systems
1.1 Identify and recognize cloud architecture considerations, such as fundamental components and effective designs.
Elasticity and scalability
Domain 2.0: Implementation/Deployment
2.1 Identify the appropriate techniques and methods using Amazon Elastic Compute Cloud (Amazon EC2), Amazon Simple Storage Service (Amazon S3), AWS Elastic Beanstalk, AWS CloudFormation, AWS OpsWorks, Amazon Virtual Private Cloud (Amazon VPC), and AWS Identity and Access Management (IAM) to code and implement a cloud solution.
Content may include the following:
Launch instances across the AWS global infrastructure
Domain 3.0: Data Security
3.1 Recognize and implement secure practices for optimum cloud deployment and maintenance.
CloudWatch Logs
Domain 4.0: Troubleshooting
Content may include the following:
General troubleshooting information and questions
Introduction
In this chapter, you will learn how Elastic Load Balancing, Amazon CloudWatch, and Auto Scaling work both independently and together to help you efficiently and cost-effectively deploy highly available and optimized workloads on AWS.
Elastic Load Balancing is a highly available service that distributes traffic across Amazon Elastic Compute Cloud (Amazon EC2) instances and includes options that provide flexibility and control of incoming requests to Amazon EC2 instances.
Amazon CloudWatch is a service that monitors AWS Cloud resources and applications running on AWS. It collects and tracks metrics, collects and monitors log files, and sets alarms. Amazon CloudWatch has a basic level of monitoring for no cost and a more detailed level of monitoring for an additional cost.
Auto Scaling is a service that allows you to maintain the availability of your applications by scaling Amazon EC2 capacity up or down in accordance with conditions you set.
This chapter covers all three services separately, but it also highlights how they can work together to build more robust and highly available architectures on AWS.
Elastic Load Balancing
An advantage of having access to a large number of servers in the cloud, such as Amazon EC2 instances on AWS, is the ability to provide a more consistent experience for the end user. One way to ensure consistency is to balance the request load across more than one server. A load balancer is a mechanism that automatically distributes traffic across multiple Amazon EC2 instances. You can either manage your own virtual load balancers on Amazon EC2 instances or leverage an AWS Cloud service called Elastic Load Balancing, which provides a managed load balancer for you.
The Elastic Load Balancing service allows you to distribute traffic across a group of Amazon EC2 instances in one or more Availability Zones, enabling you to achieve high availability in your applications. Elastic Load Balancing supports routing and load balancing of Hypertext Transfer Protocol (HTTP), Hypertext Transfer Protocol Secure (HTTPS), Transmission Control Protocol (TCP), and Secure Sockets Layer (SSL) traffic to Amazon EC2 instances. Elastic Load Balancing provides a stable, single Canonical Name record (CNAME) entry point for Domain Name System (DNS) configuration and supports both Internet-facing and internal application-facing load balancers. Elastic Load Balancing supports health checks for Amazon EC2 instances to ensure traffic is not routed to unhealthy or failing instances. Also, Elastic Load Balancing can automatically scale based on collected metrics.
There are several advantages of using Elastic Load Balancing. Because Elastic Load Balancing is a managed service, it scales in and out automatically to meet the demands of increased application traffic and is highly available within a region itself as a service. Elastic Load Balancing helps you achieve high availability for your applications by distributing traffic across healthy instances in multiple Availability Zones. Additionally, Elastic Load Balancing seamlessly integrates with the Auto Scaling service to automatically scale the Amazon EC2 instances behind the load balancer. Finally, Elastic Load Balancing is secure, working with Amazon Virtual Private Cloud (Amazon VPC) to route traffic internally between application tiers, allowing you to expose only Internet-facing public IP addresses. Elastic Load Balancing also supports integrated certificate management and SSL termination.
Elastic Load Balancing is a highly available service itself and can be used to help build highly available architectures.
Types of Load Balancers
Elastic Load Balancing provides several types of load balancers for handling different kinds of connections, including Internet-facing, internal, and load balancers that support encrypted connections.
Internet-Facing Load Balancers
An Internet-facing load balancer is, as the name implies, a load balancer that takes requests from clients over the Internet and distributes them to Amazon EC2 instances that are registered with the load balancer.
When you configure a load balancer, it receives a public DNS name that clients can use to send requests to your application. The DNS servers resolve the DNS name to your load balancer's public IP address, which can be visible to client applications.
An AWS recommended best practice is always to reference a load balancer by its DNS name, instead of by the IP address of the load balancer, in order to provide a single, stable entry point.
Because Elastic Load Balancing scales in and out to meet traffic demand, it is not recommended to bind an application to an IP address that may no longer be part of a load balancer's pool of resources.
Elastic Load Balancing in Amazon VPC supports IPv4 addresses only. Elastic Load Balancing in EC2-Classic supports both IPv4 and IPv6 addresses.
Internal Load Balancers
In a multi-tier application, it is often useful to load balance between the tiers of the application. For example, an Internet-facing load balancer might receive and balance external traffic to the presentation or web tier, whose Amazon EC2 instances then send their requests to a load balancer sitting in front of the application tier. You can use internal load balancers to route traffic to your Amazon EC2 instances in VPCs with private subnets.
HTTPS Load Balancers
You can create a load balancer that uses the SSL/Transport Layer Security (TLS) protocol for encrypted connections (also known as SSL offload). This feature enables traffic encryption between your load balancer and the clients that initiate HTTPS sessions and, if the back-end connection is also configured for HTTPS or SSL, for connections between your load balancer and your back-end instances; with a plain HTTP or TCP back-end connection, traffic from the load balancer to the instances is sent in the clear. Elastic Load Balancing provides security policies that have predefined SSL negotiation configurations to use to negotiate connections between clients and the load balancer. In order to use SSL, you must install an SSL certificate on the load balancer that it uses to terminate the connection and then decrypt requests from clients before sending requests to the back-end Amazon EC2 instances. You can optionally choose to enable authentication on your back-end instances, so that the load balancer verifies the back-end's certificate before sending it traffic.
Elastic Load Balancing does not support Server Name Indication (SNI) on your load balancer. This means that if you want to host multiple websites on a fleet of Amazon EC2 instances behind Elastic Load Balancing with a single SSL certificate, you will need to add a Subject Alternative Name (SAN) for each website to the certificate to avoid site users seeing a warning message when the site is accessed.
Listeners
Every load balancer must have one or more listeners configured. A listener is a process that checks for connection requests (for example, a CNAME configured to the A record name of the load balancer). Every listener is configured with a protocol and a port (client to load balancer) for a front-end connection and a protocol and a port for the back-end (load balancer to Amazon EC2 instance) connection. Elastic Load Balancing supports the following protocols:
HTTP
HTTPS
TCP
SSL
Elastic Load Balancing supports protocols operating at two different Open Systems Interconnection (OSI) layers. In the OSI model, Layer 4 is the transport layer that describes the TCP connection between the client and your back-end instance through the load balancer. Layer 4 is the lowest level that is configurable for your load balancer. Layer 7 is the application layer that describes the use of HTTP and HTTPS connections from clients to the load balancer and from the load balancer to your back-end instance.
The SSL protocol is primarily used to encrypt confidential data over insecure networks such as the Internet. The SSL protocol establishes a secure connection between a client and a server and ensures that all the data passed between your client and your server is private.
Configuring Elastic Load Balancing
Elastic Load Balancing allows you to configure many aspects of the load balancer, including idle connection timeout, cross-zone load balancing, connection draining, proxy protocol, sticky sessions, and health checks. Configuration settings can be modified using either the AWS Management Console or a Command Line Interface (CLI). Some of the options are described next.
Idle Connection Timeout
For each request that a client makes through a load balancer, the load balancer maintains two connections. One connection is with the client and the other connection is to the back-end instance. For each connection, the load balancer manages an idle timeout that is triggered when no data is sent over the connection for a specified time period. After the idle timeout period has elapsed, if no data has been sent or received, the load balancer closes the connection.
By default, Elastic Load Balancing sets the idle timeout to 60 seconds for both connections. If an HTTP request doesn't complete within the idle timeout period, the load balancer closes the connection, even if data is still being transferred. You can change the idle timeout setting for the connections to ensure that lengthy operations, such as file uploads, have time to complete.
If you use HTTP and HTTPS listeners, we recommend that you enable the keep-alive option for your Amazon EC2 instances. You can enable keep-alive in your web server settings or in the kernel settings for your Amazon EC2 instances. Keep-alive, when enabled, allows the load balancer to reuse connections to your back-end instance, which reduces CPU utilization.
To ensure that the load balancer is responsible for closing the connections to your back-end instance, make sure that the value you set for the keep-alive time is greater than the idle timeout setting on your load balancer.
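To make the keep-alive rule concrete, here is an added Python model (not code from the study guide or from AWS) that classifies, for each idle gap between requests on a reused back-end connection, which side times out first. The timeout values, the traffic pattern and the outcome labels are constructed for this example; the "at-risk" case is the one the rule above prevents, where the web server has already closed a connection the load balancer still believes is usable.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Timeouts:
    elb_idle_timeout: float    # seconds the load balancer keeps an idle back-end connection open
    backend_keepalive: float   # seconds the web server keeps an idle connection open


def classify_gap(gap: float, t: Timeouts) -> str:
    """Classify one idle gap (seconds) on a reused load balancer to back-end connection.

    "reused"   : neither side timed out, the request rides the existing connection
    "reopened" : the load balancer closed the idle connection itself and opens a new one
    "at-risk"  : the back end closed first while the load balancer still considered the
                 connection usable, so the next request is forwarded into a dead socket
    """
    if gap < min(t.elb_idle_timeout, t.backend_keepalive):
        return "reused"
    if gap >= t.elb_idle_timeout:
        return "reopened"
    # backend_keepalive <= gap < elb_idle_timeout: the back end gave up first
    return "at-risk"


def simulate(gaps: list[float], t: Timeouts) -> dict[str, int]:
    """Count outcomes over a sequence of idle gaps between consecutive requests."""
    counts = {"reused": 0, "reopened": 0, "at-risk": 0}
    for gap in gaps:
        counts[classify_gap(gap, t)] += 1
    return counts


def keepalive_is_safe(t: Timeouts) -> bool:
    """The guide's rule: the keep-alive time must exceed the load balancer idle timeout."""
    return t.backend_keepalive > t.elb_idle_timeout


if __name__ == "__main__":
    # Constructed traffic pattern: idle gaps in seconds between requests on one connection.
    gaps = [0.5, 2, 10, 70, 1, 61, 3, 120]
    short_keepalive = Timeouts(elb_idle_timeout=60, backend_keepalive=5)   # violates the rule
    long_keepalive = Timeouts(elb_idle_timeout=60, backend_keepalive=65)   # follows the rule
    for name, t in (("short keep-alive", short_keepalive), ("long keep-alive", long_keepalive)):
        print(name, keepalive_is_safe(t), simulate(gaps, t))
```

With a 5 second keep-alive the 10 second gap lands in the at-risk window; with a 65 second keep-alive every gap longer than the idle timeout is closed by the load balancer, which then opens a fresh connection, so no request is forwarded into a socket the back end has already closed.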
Cross-Zone Load Balancing
To ensure that request traffic is routed evenly across all back-end instances for your load balancer, regardless of the Availability Zone in which they are located, you should enable cross-zone load balancing on your load balancer. Cross-zone load balancing reduces the need to maintain equivalent numbers of back-end instances in each Availability Zone and improves your application's ability to handle the loss of one or more back-end instances. However, it is still recommended that you maintain approximately equivalent numbers of instances in each Availability Zone for higher fault tolerance.
For environments where clients cache DNS lookups, incoming requests might favor one of the Availability Zones. Using cross-zone load balancing, this imbalance in the request load is spread across all available back-end instances in the region, reducing the impact of misconfigured clients.
Connection Draining
You should enable connection draining to ensure that the load balancer stops sending requests to instances that are deregistering or unhealthy, while keeping the existing connections open. This enables the load balancer to complete in-flight requests made to these instances.
When you enable connection draining, you can specify a maximum time for the load balancer to keep connections alive before reporting the instance as deregistered. The maximum timeout value can be set between 1 and 3,600 seconds (the default is 300 seconds). When the maximum time limit is reached, the load balancer forcibly closes connections to the deregistering instance.
Proxy Protocol
When you use TCP or SSL for both front-end and back-end connections, your load balancer forwards requests to the back-end instances without modifying the request headers. If you enable Proxy Protocol, a human-readable header is added to the request header with connection information such as the source IP address, destination IP address, and port numbers. The header is then sent to the back-end instance as part of the request.
Before using Proxy Protocol, verify that your load balancer is not behind a proxy server with Proxy Protocol enabled. If Proxy Protocol is enabled on both the proxy server and the load balancer, the load balancer adds another header to the request, which already has a header from the proxy server. Depending on how your back-end instance is configured, this duplication might result in errors.
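An added example of how a back-end service can consume the Proxy Protocol header described above; it is not AWS code or the guide's. It parses the version 1 text header (the `PROXY TCP4 <src> <dst> <srcport> <dstport>` line, at most 107 bytes including CRLF, as the Proxy Protocol specification defines it), rejects the duplicated header that results when an upstream proxy and the load balancer both add one, and, because the header is plain text that any peer could send, honours it only when the TCP peer address is in an assumed allow-list of load balancer addresses (`trusted_proxies`). The stream bytes and addresses are constructed.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

# Longest legal version 1 header, CRLF included, per the Proxy Protocol specification.
MAX_V1_HEADER_LEN = 107


class ProxyHeaderError(ValueError):
    """Raised when the Proxy Protocol header is missing, malformed, or duplicated."""


@dataclass(frozen=True)
class ProxyInfo:
    family: str      # "TCP4" or "TCP6" (the spec's UNKNOWN family is not handled here)
    src_ip: str      # original client address as seen by the load balancer
    dst_ip: str
    src_port: int
    dst_port: int


def parse_proxy_v1(data: bytes) -> tuple[ProxyInfo, bytes]:
    """Split a version 1 header off the start of the stream.

    Returns the parsed connection information and the bytes that follow the header.
    """
    end = data.find(b"\r\n", 0, MAX_V1_HEADER_LEN)
    if end == -1:
        raise ProxyHeaderError("no CRLF within the maximum header length")
    try:
        fields = data[:end].decode("ascii").split(" ")
    except UnicodeDecodeError as exc:
        raise ProxyHeaderError("header is not ASCII") from exc
    if len(fields) != 6 or fields[0] != "PROXY" or fields[1] not in ("TCP4", "TCP6"):
        raise ProxyHeaderError(f"malformed header: {data[:end]!r}")
    _, family, src, dst, sport, dport = fields
    try:
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        src_port, dst_port = int(sport), int(dport)
    except ValueError as exc:
        raise ProxyHeaderError(f"bad address or port: {exc}") from exc
    want = 4 if family == "TCP4" else 6
    if src_ip.version != want or dst_ip.version != want:
        raise ProxyHeaderError("address family does not match the addresses")
    if not (0 < src_port <= 65535 and 0 < dst_port <= 65535):
        raise ProxyHeaderError("port out of range")
    return ProxyInfo(family, str(src_ip), str(dst_ip), src_port, dst_port), data[end + 2:]


def client_address(peer_ip: str, data: bytes, trusted_proxies: frozenset[str]) -> tuple[str, bytes]:
    """Decide which address the application should treat as the client's.

    The header is plain text that any peer could send, so it is honoured only when the
    TCP peer is a known load balancer address (trusted_proxies is an assumed allow-list).
    A second header right after the first means an upstream proxy and the load balancer
    both had Proxy Protocol enabled, the duplication the guide warns about.
    """
    if peer_ip not in trusted_proxies:
        return peer_ip, data
    info, rest = parse_proxy_v1(data)
    if rest.startswith(b"PROXY "):
        raise ProxyHeaderError("duplicate Proxy Protocol header (upstream proxy and load balancer both enabled)")
    return info.src_ip, rest


if __name__ == "__main__":
    # Constructed stream: header from the load balancer followed by an HTTP request.
    stream = b"PROXY TCP4 198.51.100.7 10.0.1.5 51234 443\r\nGET / HTTP/1.1\r\n\r\n"
    print(client_address("10.0.0.10", stream, frozenset({"10.0.0.10"})))
```

The allow-list check is what keeps the header from becoming a way for an arbitrary peer to present a forged client address to the application; if the instance's security group already restricts the back-end port to the load balancer, the check is a second line of defence rather than the only one.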
Sticky Sessions
By default, a load balancer routes each request independently to the registered instance with the smallest load. However, you can use the sticky session feature (also known as session affinity), which enables the load balancer to bind a user's session to a specific instance. This ensures that all requests from the user during the session are sent to the same instance.
The key to managing sticky sessions is to determine how long your load balancer should consistently route the user's request to the same instance. If your application has its own session cookie, you can configure Elastic Load Balancing so that the session cookie follows the duration specified by the application's session cookie. If your application does not have its own session cookie, you can configure Elastic Load Balancing to create a session cookie by specifying your own stickiness duration. Elastic Load Balancing creates a cookie named AWSELB that is used to map the session to the instance.
Health Checks
Elastic Load Balancing supports health checks to test the status of the Amazon EC2 instances behind an Elastic Load Balancing load balancer. The status of the instances that are healthy at the time of the health check is InService. The status of any instances that are unhealthy at the time of the health check is OutOfService. The load balancer performs health checks on all registered instances to determine whether the instance is in a healthy state or an unhealthy state. A health check is a ping, a connection attempt, or a page that is checked periodically. You can set the time interval between health checks and also the amount of time to wait to respond in case the health check page includes a computational aspect. Finally, you can set a threshold for the number of consecutive health check failures before an instance is marked as unhealthy.
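The interplay of interval, timeout and failure threshold is easier to see as a small state machine. The following is an added Python example (not AWS code or the guide's) that replays a sequence of probe results against those settings; the default values in `HealthCheckConfig`, the probe results and the detection-time formula are assumptions made for the example. A page that answers 200 only after the timeout counts as a failure, which is the case the text's "computational aspect" remark is about.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class HealthCheckConfig:
    interval: int = 30             # seconds between probes (assumed default)
    timeout: int = 5               # seconds to wait for the probe response (assumed default)
    unhealthy_threshold: int = 2   # consecutive failures before OutOfService (assumed default)
    healthy_threshold: int = 10    # consecutive successes before back InService (assumed default)


@dataclass
class InstanceHealth:
    state: str = "InService"
    consecutive_failures: int = 0
    consecutive_successes: int = 0

    def observe(self, status: Optional[int], elapsed: float, cfg: HealthCheckConfig) -> str:
        """Record one probe.

        status is the HTTP status of the health check page (None = connection failed)
        and elapsed the seconds until it answered. A 200 that arrives after the timeout
        still counts as a failure, so a page that does real work needs a timeout sized for it.
        """
        passed = status == 200 and elapsed <= cfg.timeout
        if passed:
            self.consecutive_successes += 1
            self.consecutive_failures = 0
            if self.state == "OutOfService" and self.consecutive_successes >= cfg.healthy_threshold:
                self.state = "InService"
        else:
            self.consecutive_failures += 1
            self.consecutive_successes = 0
            if self.state == "InService" and self.consecutive_failures >= cfg.unhealthy_threshold:
                self.state = "OutOfService"
        return self.state


def run_probes(results: list[tuple[Optional[int], float]], cfg: HealthCheckConfig) -> list[str]:
    """Replay a sequence of (status, elapsed) probe results and return the state after each."""
    health = InstanceHealth()
    return [health.observe(status, elapsed, cfg) for status, elapsed in results]


def seconds_to_detect_failure(cfg: HealthCheckConfig) -> int:
    """Upper bound on how long a dead instance keeps receiving traffic under a simplified
    model: each failed probe waits the full timeout and probes are spaced by the interval."""
    return cfg.unhealthy_threshold * (cfg.interval + cfg.timeout)


if __name__ == "__main__":
    # Constructed probe results: healthy, slow page, connection refused, then recovery.
    cfg = HealthCheckConfig(timeout=5, unhealthy_threshold=2, healthy_threshold=3)
    probes = [(200, 0.1), (200, 6.0), (None, 5.0), (200, 0.2), (200, 0.2), (200, 0.2)]
    print(run_probes(probes, cfg))
    print("worst-case detection with defaults:", seconds_to_detect_failure(HealthCheckConfig()), "s")
```

Lowering the unhealthy threshold or the interval shortens the window in which a failed instance still receives requests, at the cost of more false OutOfService transitions on a briefly slow page.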
Updates Behind an Elastic Load Balancing Load Balancer
Long-running applications will eventually need to be maintained and updated with a newer version of the application. When using Amazon EC2 instances running behind an Elastic Load Balancing load balancer, you may deregister these long-running Amazon EC2 instances associated with a load balancer manually and then register newly launched Amazon EC2 instances that you have started with the new updates installed.
Amazon CloudWatch
Amazon CloudWatch is a service that you can use to monitor your AWS resources and your applications in real time. With Amazon CloudWatch, you can collect and track metrics, create alarms that send notifications, and make changes to the resources being monitored based on rules you define.
For example, you might choose to monitor CPU utilization to decide when to add or remove Amazon EC2 instances in an application tier. Or, if a particular application-specific metric that is not visible to AWS is the best indicator for assessing your scaling needs, you can perform a PUT request to push that metric into Amazon CloudWatch. You can then use this custom metric to manage capacity.
You can specify parameters for a metric over a time period and configure alarms and automated actions when a threshold is reached. Amazon CloudWatch supports multiple types of actions such as sending a notification to an Amazon Simple Notification Service (Amazon SNS) topic or executing an Auto Scaling policy.
Amazon CloudWatch offers either basic or detailed monitoring for supported AWS products. Basic monitoring sends data points to Amazon CloudWatch every five minutes for a limited number of preselected metrics at no charge. Detailed monitoring sends data points to Amazon CloudWatch every minute and allows data aggregation for an additional charge. If you want to use detailed monitoring, you must enable it; basic is the default.
Amazon CloudWatch supports monitoring and specific metrics for most AWS Cloud services, including: Auto Scaling, Amazon CloudFront, Amazon CloudSearch, Amazon DynamoDB, Amazon EC2, Amazon EC2 Container Service (Amazon ECS), Amazon ElastiCache, Amazon Elastic Block Store (Amazon EBS), Elastic Load Balancing, Amazon Elastic MapReduce (Amazon EMR), Amazon Elasticsearch Service, Amazon Kinesis Streams, Amazon Kinesis Firehose, AWS Lambda, Amazon Machine Learning, AWS OpsWorks, Amazon Redshift, Amazon Relational Database Service (Amazon RDS), Amazon Route 53, Amazon SNS, Amazon Simple Queue Service (Amazon SQS), Amazon S3, AWS Simple Workflow Service (Amazon SWF), AWS Storage Gateway, AWS WAF, and Amazon WorkSpaces.
Read Alert
You may have an application that leverages Amazon DynamoDB, and you want to know when read requests reach a certain threshold and alert yourself with an email. You can do this by using Provisioned Read Capacity Units for the Amazon DynamoDB table for which you want to set an alarm. You simply set a threshold value during a number of consecutive periods and then specify email as the notification type. Now, when the threshold is sustained over the number of periods, your specified email will alert you to the read activity.
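The "threshold sustained over a number of consecutive periods" rule is the core of every CloudWatch alarm, so here is an added Python model of it (not AWS code or the guide's). Raw datapoints are bucketed into fixed periods, reduced with the named statistic, and the alarm enters ALARM only when the most recent `evaluation_periods` buckets all breach the threshold. The comparison operator and statistic names follow the put-metric-alarm CLI options; the datapoints, the metric name used in the sample and the threshold are constructed.

```python
from __future__ import annotations
import operator
import statistics
from dataclasses import dataclass

# Comparison operators and statistics named as in the put-metric-alarm CLI options.
COMPARATORS = {
    "GreaterThanOrEqualToThreshold": operator.ge,
    "GreaterThanThreshold": operator.gt,
    "LessThanThreshold": operator.lt,
    "LessThanOrEqualToThreshold": operator.le,
}
STATISTICS = {"Average": statistics.mean, "Sum": sum, "Maximum": max, "Minimum": min}


@dataclass(frozen=True)
class Alarm:
    metric_name: str
    statistic: str
    period: int               # seconds per evaluation bucket
    threshold: float
    comparison_operator: str
    evaluation_periods: int   # consecutive breaching periods required


def aggregate(datapoints: list[tuple[int, float]], period: int) -> list[list[float]]:
    """Bucket (timestamp_seconds, value) pairs into consecutive periods, oldest first."""
    buckets: dict[int, list[float]] = {}
    for ts, value in datapoints:
        buckets.setdefault(ts // period, []).append(value)
    return [buckets[k] for k in sorted(buckets)]


def evaluate(alarm: Alarm, datapoints: list[tuple[int, float]]) -> tuple[str, list[float]]:
    """Return the alarm state ("ALARM" or "OK") and the per-period statistic values.

    The alarm goes to ALARM only when the most recent `evaluation_periods` periods
    all breach the threshold; a single noisy period, or too few periods of data,
    leaves it OK.
    """
    compare = COMPARATORS[alarm.comparison_operator]
    reduce_ = STATISTICS[alarm.statistic]
    per_period = [float(reduce_(values)) for values in aggregate(datapoints, alarm.period)]
    recent = per_period[-alarm.evaluation_periods:]
    breaching = len(recent) == alarm.evaluation_periods and all(
        compare(v, alarm.threshold) for v in recent
    )
    return ("ALARM" if breaching else "OK"), per_period


if __name__ == "__main__":
    # Constructed datapoints for a DynamoDB-style read capacity metric: (seconds, units).
    reads = [(10, 100), (40, 50), (70, 200), (100, 250), (130, 300), (160, 200), (190, 240), (220, 240)]
    read_alert = Alarm("ConsumedReadCapacityUnits", "Sum", 60, 400, "GreaterThanOrEqualToThreshold", 3)
    print(evaluate(read_alert, reads))
```

Raising `evaluation_periods` from 3 to 4 on the same data drops the alarm back to OK, because the first minute's total was below the threshold: that is the difference between alerting on a burst and alerting on sustained load.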
Amazon CloudWatch metrics can be retrieved by performing a GET request. When you use detailed monitoring, you can also aggregate metrics across a length of time you specify. Amazon CloudWatch does not aggregate data across regions but can aggregate across Availability Zones within a region.
AWS provides a rich set of metrics included with each service, but you can also define custom metrics to monitor resources and events AWS does not have visibility into—for example, Amazon EC2 instance memory consumption and disk metrics that are visible to the operating system of the Amazon EC2 instance but not visible to AWS, or application-specific thresholds running on instances that are not known to AWS. Amazon CloudWatch supports an Application Programming Interface (API) that allows programs and scripts to PUT metrics into Amazon CloudWatch as name-value pairs that can then be used to create events and trigger alarms in the same manner as the default Amazon CloudWatch metrics.
Amazon CloudWatch Logs can be used to monitor, store, and access log files from Amazon EC2 instances, AWS CloudTrail, and other sources. You can then retrieve the log data and monitor in real time for events—for example, you can track the number of errors in your application logs and send a notification if an error rate exceeds a threshold. Amazon CloudWatch Logs can also be used to store your logs in Amazon S3 or Amazon Glacier. Logs can be retained indefinitely or according to an aging policy that will delete older logs as no longer needed.
A CloudWatch Logs agent is available that provides an automated way to send log data to CloudWatch Logs for Amazon EC2 instances running Amazon Linux or Ubuntu. You can use the Amazon CloudWatch Logs agent installer on an existing Amazon EC2 instance to install and configure the CloudWatch Logs agent. After installation is complete, the agent confirms that it has started and it stays running until you disable it.
Amazon CloudWatch has some limits that you should keep in mind when using the service. Each AWS account is limited to 5,000 alarms, and metrics data is retained for two weeks by default (at the time of this writing). If you want to keep the data longer, you will need to move the logs to a persistent store like Amazon S3 or Amazon Glacier. You should familiarize yourself with the limits for Amazon CloudWatch in the Amazon CloudWatch Developer Guide.
Auto Scaling
A distinct advantage of deploying applications to the cloud is the ability to launch and then release servers in response to variable workloads. Provisioning servers on demand and then releasing them when they are no longer needed can provide significant cost savings for workloads that are not steady state. Examples include a website for a specific sporting event, an end-of-month data-input system, a retail shopping site supporting flash sales, a music artist website during the release of new songs, a company website announcing successful earnings, or a nightly processing run to calculate daily activity.
Auto Scaling is a service that allows you to scale your Amazon EC2 capacity automatically by scaling out and scaling in according to criteria that you define. With Auto Scaling, you can ensure that the number of running Amazon EC2 instances increases during demand spikes or peak demand periods to maintain application performance and decreases automatically during demand lulls or troughs to minimize costs.
Embrace the Spike
Many web applications have unplanned load increases based on events outside of your control. For example, your company may get mentioned on a popular blog or television program driving many more people to visit your site than expected. Setting up Auto Scaling in advance will allow you to embrace and survive this kind of fast increase in the number of requests. Auto Scaling will scale up your site to meet the increased demand and then scale down when the event subsides.
Auto Scaling Plans
Auto Scaling has several schemes or plans that you can use to control how you want Auto Scaling to perform.
Maintain Current Instance Levels
You can configure your Auto Scaling group to maintain a minimum or specified number of running instances at all times. To maintain the current instance levels, Auto Scaling performs a periodic health check on running instances within an Auto Scaling group. When Auto Scaling finds an unhealthy instance, it terminates that instance and launches a new one.
Steady state workloads that need a consistent number of Amazon EC2 instances at all times can use Auto Scaling to monitor and keep that specific number of Amazon EC2 instances running.
Manual Scaling
Manual scaling is the most basic way to scale your resources. You only need to specify the change in the maximum, minimum, or desired capacity of your Auto Scaling group. Auto Scaling manages the process of creating or terminating instances to maintain the updated capacity.
Manual scaling out can be very useful to increase resources for an infrequent event, such as the release of a new game version that will be available for download and require a user registration. For extremely large-scale events, even the Elastic Load Balancing load balancers can be pre-warmed by working with your local solutions architect or AWS Support.
Scheduled Scaling
Sometimes you know exactly when you will need to increase or decrease the number of instances in your group, simply because that need arises on a predictable schedule. Examples include periodic events such as end-of-month, end-of-quarter, or end-of-year processing, and also other predictable, recurring events. Scheduled scaling means that scaling actions are performed automatically as a function of time and date.
Recurring events such as end-of-month, quarter, or year processing, or scheduled and recurring automated load and performance testing, can be anticipated and Auto Scaling can be ramped up appropriately at the time of the scheduled event.
Dynamic Scaling
Dynamic scaling lets you define parameters that control the Auto Scaling process in a scaling policy. For example, you might create a policy that adds more Amazon EC2 instances to the web tier when the network bandwidth, measured by Amazon CloudWatch, reaches a certain threshold.
Auto Scaling Components
Auto Scaling has several components that need to be configured to work properly: a launch configuration, an Auto Scaling group, and an optional scaling policy.
Launch Configuration
A launch configuration is the template that Auto Scaling uses to create new instances, and it is composed of the configuration name, Amazon Machine Image (AMI), Amazon EC2 instance type, security group, and instance key pair. Each Auto Scaling group can have only one launch configuration at a time.
The CLI command that follows will create a launch configuration with the following attributes:
Name: myLC
AMI: ami-0535d66c
Instance type: m3.medium
Security groups: sg-f57cde9d
Instance key pair: myKeyPair
> aws autoscaling create-launch-configuration --launch-configuration-name myLC --image-id ami-0535d66c --instance-type m3.medium --security-groups sg-f57cde9d --key-name myKeyPair
Security groups for instances launched in EC2-Classic may be referenced by security group name such as "SSH" or "Web" if that is what they are named, or you can reference the security group IDs, such as sg-f57cde9d. If you launched the instances in Amazon VPC, which is recommended, you must use the security group IDs to reference the security groups you want associated with the instances in an Auto Scaling launch configuration.
The default limit for launch configurations is 100 per region. If you exceed this limit, the call to create-launch-configuration will fail. You may view and update this limit by running describe-account-limits at the command line, as shown here.
> aws autoscaling describe-account-limits
Auto Scaling may cause you to reach limits of other services, such as the default number of Amazon EC2 instances you can currently launch within a region, which is 20. When building more complex architectures with AWS, it is important to keep in mind the service limits for all AWS Cloud services you are using.
When you run a command using the CLI and it fails, check your syntax first. If that checks out, verify the limits for the command you are attempting, and check to see that you have not exceeded a limit. Some limits can be raised; they usually default to a reasonable value to limit the effect of a race condition, an errant script running in a loop, or other similar automation that might cause unintended high usage and billing of AWS resources. AWS service limits can be viewed in the AWS General Reference Guide under AWS Service Limits. You can raise your limits by creating a support case at the AWS Support Center online and then choosing Service Limit Increase under Regarding. Then fill in the appropriate service and limit to increase value in the online form.
Auto Scaling Group
An Auto Scaling group is a collection of Amazon EC2 instances managed by the Auto Scaling service. Each Auto Scaling group contains configuration options that control when Auto Scaling should launch new instances and terminate existing instances. An Auto Scaling group must contain a name and a minimum and maximum number of instances that can be in the group. You can optionally specify desired capacity, which is the number of instances that the group must have at all times. If you don't specify a desired capacity, the default desired capacity is the minimum number of instances that you specify.
The CLI command that follows will create an Auto Scaling group that references the previous launch configuration and includes the following specifications:
Name: myASG
Launch configuration: myLC
Availability Zones: us-east-1a and us-east-1c
Minimum size: 1
Desired capacity: 3
Maximum capacity: 10
Load balancers: myELB
> aws autoscaling create-auto-scaling-group --auto-scaling-group-name myASG --launch-configuration-name myLC --availability-zones us-east-1a,us-east-1c --min-size 1 --max-size 10 --desired-capacity 3 --load-balancer-names myELB
Figure 5.1 depicts deployed AWS resources after a load balancer named myELB is created and the launch configuration myLC and Auto Scaling group myASG are set up.
FIGURE 5.1 Auto Scaling group behind an Elastic Load Balancing load balancer
An Auto Scaling group can use either On-Demand or Spot Instances as the Amazon EC2 instances it manages. On-Demand is the default, but Spot Instances can be used by referencing a maximum bid price in the launch configuration (--spot-price "0.15") associated with the Auto Scaling group. You may change the bid price by creating a new launch configuration with the new bid price and then associating it with your Auto Scaling group. If instances are available at or below your bid price, they will be launched in your Auto Scaling group. Spot Instances in an Auto Scaling group follow the same guidelines as Spot Instances outside an Auto Scaling group and require applications that are flexible and can tolerate Amazon EC2 instances that are terminated with short notice, for example, when the Spot price rises above the bid price you set in the launch configuration. A launch configuration can reference On-Demand Instances or Spot Instances, but not both.
Spot On!
Auto Scaling supports using cost-effective Spot Instances. This can be very useful when you are hosting sites where you want to provide additional compute capacity but are price constrained. An example is a "freemium" site model where you may offer some basic functionality to users for free and additional functionality for premium users who pay for use. Spot Instances can be used for providing the basic functionality when available by referencing a maximum bid price in the launch configuration (--spot-price "0.15") associated with the Auto Scaling group.
Scaling Policy
You can associate Amazon CloudWatch alarms and scaling policies with an Auto Scaling group to adjust Auto Scaling dynamically. When a threshold is crossed, Amazon CloudWatch sends alarms to trigger changes (scaling in or out) to the number of Amazon EC2 instances currently receiving traffic behind a load balancer. After the Amazon CloudWatch alarm sends a message to the Auto Scaling group, Auto Scaling executes the associated policy to scale your group. The policy is a set of instructions that tells Auto Scaling whether to scale out, launching new Amazon EC2 instances referenced in the associated launch configuration, or to scale in and terminate instances.
There are several ways to configure a scaling policy: You can increase or decrease by a specific number of instances, such as adding two instances; you can target a specific number of instances, such as a maximum of five total Amazon EC2 instances; or you can adjust based on a percentage. You can also scale by steps and increase or decrease the current capacity of the group based on a set of scaling adjustments that vary based on the size of the alarm threshold trigger.
You can associate more than one scaling policy with an Auto Scaling group. For example, you can create a policy using the trigger for CPU utilization, called CPULoad, and the CloudWatch metric CPUUtilization to specify scaling out if CPU utilization is greater than 75 percent for two minutes. You could attach another policy to the same Auto Scaling group to scale in if CPU utilization is less than 40 percent for 20 minutes.
The following CLI commands will create the two scaling policies just described.
> aws autoscaling put-scaling-policy --auto-scaling-group-name myASG --policy-name CPULoadScaleOut --scaling-adjustment 1 --adjustment-type ChangeInCapacity --cooldown 30
> aws autoscaling put-scaling-policy --auto-scaling-group-name myASG --policy-name CPULoadScaleIn --scaling-adjustment -1 --adjustment-type ChangeInCapacity --cooldown 600
The following CLI commands will associate Amazon CloudWatch alarms for scaling out and scaling in with the scaling policies, as shown in Figure 5.2. In this example, the Amazon CloudWatch alarms reference the scaling policy by Amazon Resource Name (ARN).
FIGURE 5.2 Auto Scaling group with policy
> aws cloudwatch put-metric-alarm --alarm-name capacityAdd --metric-name CPUUtilization --namespace AWS/EC2 --statistic Average --period 300 --threshold 75 --comparison-operator GreaterThanOrEqualToThreshold --dimensions "Name=AutoScalingGroupName,Value=myASG" --evaluation-periods 1 --alarm-actions arn:aws:autoscaling:us-east-1:123456789012:scalingPolicy:12345678-90ab-cdef-1234567890ab:autoScalingGroupName/myASG:policyName/CPULoadScaleOut --unit Percent
> aws cloudwatch put-metric-alarm --alarm-name capacityReduce --metric-name CPUUtilization --namespace AWS/EC2 --statistic Average --period 1200 --threshold 40 --comparison-operator LessThanThreshold --dimensions "Name=AutoScalingGroupName,Value=myASG" --evaluation-periods 1 --alarm-actions arn:aws:autoscaling:us-east-1:123456789011:scalingPolicy:11345678-90ab-cdef-1234567890ab:autoScalingGroupName/myASG:policyName/CPULoadScaleIn --unit Percent
If the scaling policy defined in the previous paragraph is associated with the Auto Scaling group named myASG, and the CPU utilization is over 75 percent for more than five minutes, as shown in Figure 5.3, a new Amazon EC2 instance will be launched and attached to the load balancer named myELB.
FIGURE 5.3 Amazon CloudWatch alarm triggering scaling out
A recommended best practice is to scale out quickly and scale in slowly so you can respond to bursts or spikes but avoid inadvertently terminating Amazon EC2 instances too quickly, only having to launch more Amazon EC2 instances if the burst is sustained. Auto Scaling also supports a cooldown period, which is a configurable setting that determines when to suspend scaling activities for a short time for an Auto Scaling group.
If you start an Amazon EC2 instance, you will be billed for one full hour of running time. Partial instance hours consumed are billed as full hours. This means that if you have a permissive scaling policy that launches, terminates, and relaunches many instances an hour, you are billed a full hour for each and every instance you launch, even if you terminate some of those instances in less than an hour. A recommended best practice for cost effectiveness is to scale out quickly when needed but scale in more slowly to avoid having to relaunch new and separate Amazon EC2 instances for a spike in workload demand that fluctuates up and down within minutes but generally continues to need more resources within an hour.
Scale out quickly; scale in slowly.
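The scaling policy section, the two put-scaling-policy commands and the cooldown advice above describe one mechanism, so here is one added Python model of it (not AWS code or the guide's). It applies policies of the three CLI adjustment types (ChangeInCapacity, ExactCapacity, PercentChangeInCapacity) to a group, clamps the result to the group's minimum and maximum, and suppresses further scaling until the acting policy's cooldown has elapsed. The rounding rule for percentage adjustments, the simulated clock and the alarm firing times are assumptions made for the example; the group bounds and the +1/30 s and -1/600 s policies mirror the CLI example.

```python
from __future__ import annotations
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class ScalingPolicy:
    policy_name: str
    adjustment_type: str      # ChangeInCapacity | ExactCapacity | PercentChangeInCapacity
    scaling_adjustment: int
    cooldown: int             # seconds of suspended scaling after this policy acts


@dataclass
class AutoScalingGroup:
    name: str
    min_size: int
    max_size: int
    desired_capacity: int
    cooldown_until: float = 0.0   # simulated clock time until which scaling is suspended


def target_capacity(policy: ScalingPolicy, current: int) -> int:
    """Capacity the policy asks for, before the group's min/max bounds are applied."""
    if policy.adjustment_type == "ChangeInCapacity":
        return current + policy.scaling_adjustment
    if policy.adjustment_type == "ExactCapacity":
        return policy.scaling_adjustment
    if policy.adjustment_type == "PercentChangeInCapacity":
        delta = current * policy.scaling_adjustment / 100
        if delta == 0:
            return current
        # Assumed rounding: away from zero, and never less than one instance,
        # so a percentage policy still has an effect on a small group.
        magnitude = max(1, math.ceil(abs(delta)))
        return current + int(math.copysign(magnitude, delta))
    raise ValueError(f"unknown adjustment type {policy.adjustment_type}")


def apply_policy(group: AutoScalingGroup, policy: ScalingPolicy, now: float) -> str:
    """Apply one alarm-triggered policy at time `now`; returns what happened."""
    if now < group.cooldown_until:
        return "suppressed-by-cooldown"
    target = max(group.min_size, min(group.max_size, target_capacity(policy, group.desired_capacity)))
    if target == group.desired_capacity:
        return "no-change"        # already at a bound, or no net adjustment
    action = "scale-out" if target > group.desired_capacity else "scale-in"
    group.desired_capacity = target
    group.cooldown_until = now + policy.cooldown
    return action


def run(group: AutoScalingGroup, policies: dict[str, ScalingPolicy],
        events: list[tuple[float, str]]) -> list[tuple[float, str, str, int]]:
    """Replay (time, policy_name) alarm events; return (time, policy, outcome, desired) rows."""
    return [(t, name, apply_policy(group, policies[name], t), group.desired_capacity)
            for t, name in sorted(events)]


if __name__ == "__main__":
    # Same shape as the CLI example: +1 with a 30 s cooldown, -1 with a 600 s cooldown.
    policies = {
        "CPULoadScaleOut": ScalingPolicy("CPULoadScaleOut", "ChangeInCapacity", 1, 30),
        "CPULoadScaleIn": ScalingPolicy("CPULoadScaleIn", "ChangeInCapacity", -1, 600),
    }
    asg = AutoScalingGroup("myASG", min_size=1, max_size=10, desired_capacity=3)
    # Constructed alarm firing times (seconds on a simulated clock).
    events = [(0, "CPULoadScaleOut"), (10, "CPULoadScaleOut"), (60, "CPULoadScaleOut"),
              (100, "CPULoadScaleIn"), (200, "CPULoadScaleIn"), (800, "CPULoadScaleIn")]
    for row in run(asg, policies, events):
        print(row)
```

The short scale-out cooldown lets the second and third alarms add capacity within a minute, while the long scale-in cooldown swallows the repeated scale-in alarm at t=200, which is the "scale out quickly; scale in slowly" rule expressed as numbers.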
It is important to consider bootstrapping for Amazon EC2 instances launched using Auto Scaling. It takes time to configure each newly launched Amazon EC2 instance before the instance is healthy and capable of accepting traffic. Instances that start and are available for load faster can join the capacity pool more quickly. Furthermore, instances that are more stateless instead of stateful will more gracefully enter and exit an Auto Scaling group.
Rolling Out a Patch at Scale
In large deployments of Amazon EC2 instances, Auto Scaling can be used to make rolling out a patch to your instances easy. The launch configuration associated with the Auto Scaling group may be modified to reference a new AMI and even a new Amazon EC2 instance if needed. Then you can deregister or terminate instances one at a time or in small groups, and the new Amazon EC2 instances will reference the new patched AMI.
Summary
This chapter introduced three services:
Elastic Load Balancing, which is used to distribute traffic across a group of Amazon EC2 instances in one or more Availability Zones to achieve greater levels of fault tolerance for your applications.
Amazon CloudWatch, which monitors resources and applications. Amazon CloudWatch is used to collect and track metrics, create alarms that send notifications, and make changes to resources being monitored based on rules you define.
Auto Scaling, which allows you to automatically scale your Amazon EC2 capacity out and in using criteria that you define.
These three services can be used very effectively together to create a highly available application with a resilient architecture on AWS.
Exam Essentials
Understand what the Elastic Load Balancing service provides. Elastic Load Balancing is a highly available service that distributes traffic across Amazon EC2 instances and includes options that provide flexibility and control of incoming requests to Amazon EC2 instances.
Know the types of load balancers the Elastic Load Balancing service provides and when to use each one. An Internet-facing load balancer is, as the name implies, a load balancer that takes requests from clients over the Internet and distributes them to Amazon EC2 instances that are registered with the load balancer.
An internal load balancer is used to route traffic to your Amazon EC2 instances in VPCs with private subnets.
An HTTPS load balancer is used when you want to encrypt data between your load balancer and the clients that initiate HTTPS sessions and for connections between your load balancer and your back-end instances.
Know the types of listeners the Elastic Load Balancing service provides and the use case and requirements for using each one. A listener is a process that checks for connection requests. It is configured with a protocol and a port for front-end (client to load balancer) connections and a protocol and a port for back-end (load balancer to back-end instance) connections.
Understand the configuration options for Elastic Load Balancing. Elastic Load Balancing allows you to configure many aspects of the load balancer, including idle connection timeout, cross-zone load balancing, connection draining, proxy protocol, sticky sessions, and health checks.
Know what an Elastic Load Balancing health check is and why it is important. Elastic Load Balancing supports health checks to test the status of the Amazon EC2 instances behind an Elastic Load Balancing load balancer.
Understand what the Amazon CloudWatch service provides and what use cases there are for using it. Amazon CloudWatch is a service that you can use to monitor your AWS resources and your applications in real time. With Amazon CloudWatch, you can collect and track metrics, create alarms that send notifications, and make changes to the resources being monitored based on rules you define.
For example, you might choose to monitor CPU utilization to decide when to add or remove Amazon EC2 instances in an application tier. Or, if a particular application-specific metric that is not visible to AWS is the best indicator for assessing your scaling needs, you can perform a PUT request to push that metric into Amazon CloudWatch. You can then use this custom metric to manage capacity.
Know the differences between the two types of monitoring, basic and detailed, for Amazon CloudWatch. Amazon CloudWatch offers basic or detailed monitoring for supported AWS products. Basic monitoring sends data points to Amazon CloudWatch every five minutes for a limited number of preselected metrics at no charge. Detailed monitoring sends data points to Amazon CloudWatch every minute and allows data aggregation for an additional charge. If you want to use detailed monitoring, you must enable it; basic is the default.
Understand Auto Scaling and why it is an important advantage of the AWS Cloud. A distinct advantage of deploying applications to the cloud is the ability to launch and then release servers in response to variable workloads. Provisioning servers on demand and then releasing them when they are no longer needed can provide significant cost savings for workloads that are not steady state.
Know when and why to use Auto Scaling. Auto Scaling is a service that allows you to scale your Amazon EC2 capacity automatically by scaling out and scaling in according to criteria that you define. With Auto Scaling, you can ensure that the number of running Amazon EC2 instances increases during demand spikes or peak demand periods to maintain application performance and decreases automatically during demand lulls or troughs to minimize costs.
Know the supported Auto Scaling plans. Auto Scaling has several schemes or plans that you can use to control how you want Auto Scaling to perform. The Auto Scaling plans are named Maintain Current Instance Levels, Manual Scaling, Scheduled Scaling, and Dynamic Scaling.
Understand how to build an Auto Scaling launch configuration and an Auto Scaling group and what each is used for. A launch configuration is the template that Auto Scaling uses to create new instances and is composed of the configuration name, AMI, Amazon EC2 instance type, security group, and instance key pair.
Know what a scaling policy is and what use cases to use it for. A scaling policy is used by Auto Scaling with CloudWatch alarms to determine when your Auto Scaling group should scale out or scale in. Each CloudWatch alarm watches a single metric and sends messages to Auto Scaling when the metric breaches a threshold that you specify in your policy.
Understand how Elastic Load Balancing, Amazon CloudWatch, and Auto Scaling are used together to provide dynamic scaling. Elastic Load Balancing, Amazon CloudWatch, and Auto Scaling can be used together to create a highly available application with a resilient architecture on AWS.
![Page 184: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us](https://reader034.fdocuments.in/reader034/viewer/2022051903/5ff3f0af59eac925a1655b52/html5/thumbnails/184.jpg)
Exercises
For assistance in completing the following exercises, refer to the Elastic Load Balancing Developer Guide located at http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elastic-load-balancing.html, the Amazon CloudWatch Developer Guide at http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/WhatIsCloudWatch.html, and the Auto Scaling User Guide at http://docs.aws.amazon.com/autoscaling/latest/userguide/WhatIsAutoScaling.html.
EXERCISE 5.1
Create an Elastic Load Balancing Load Balancer
In this exercise, you will use the AWS Management Console to create an Elastic Load Balancing load balancer.
1. Launch an Amazon EC2 instance using an AMI with a web server on it, or install and configure a web server.
2. Create a static page to display and a health check page that returns HTTP 200. Configure the Amazon EC2 instance to accept traffic over port 80.
3. Register the Amazon EC2 instance with the Elastic Load Balancing load balancer, and configure it to use the health check page to evaluate the health of the instance.
EXERCISE 5.2
Use an Amazon CloudWatch Metric
1. Launch an Amazon EC2 instance.
2. Use an existing Amazon CloudWatch metric to monitor a value.
EXERCISE 5.3
Create a Custom Amazon CloudWatch Metric
1. Create a custom Amazon CloudWatch metric for memory consumption.
2. Use the CLI to PUT values into the metric.
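Memory utilization is visible only inside the operating system (review question 10 below makes the same point about hypervisor-level versus OS-level metrics), so something on the instance has to publish it. The following is an added example for Exercise 5.3, not code from the study guide or from AWS; it takes the SDK route (boto3's put_metric_data, the same API the CLI's put-metric-data command calls) rather than the CLI. The /proc/meminfo sample, the Custom/Memory namespace, the MemoryUtilization metric name and the instance ID are constructed values chosen for this example.

```python
"""Publish a memory-utilization custom metric to Amazon CloudWatch.

Added example for Exercise 5.3 (not from the study guide). Memory use is an
operating-system-visible value, so unlike CPU it is not reported by the
hypervisor and must be pushed by an agent or script on the instance.
"""
from datetime import datetime, timezone

# Constructed sample of /proc/meminfo (values in kB) for offline use.
SAMPLE_MEMINFO = """MemTotal:        4030000 kB
MemFree:          500000 kB
MemAvailable:    1612000 kB
Buffers:          120000 kB
Cached:           900000 kB
"""


def parse_meminfo(text: str) -> dict:
    """Parse the 'Key:   value kB' lines of /proc/meminfo into integers (kB)."""
    values = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, rest = line.split(":", 1)
        values[key.strip()] = int(rest.strip().split()[0])
    return values


def memory_utilization_percent(meminfo: dict) -> float:
    """Percentage of RAM in use, counting MemAvailable as free.

    MemAvailable already accounts for reclaimable page cache, which is why
    it is preferred over MemFree for a utilization metric; fall back to
    MemFree on kernels that do not report MemAvailable.
    """
    total = meminfo["MemTotal"]
    available = meminfo.get("MemAvailable", meminfo["MemFree"])
    return round(100.0 * (total - available) / total, 2)


def build_put_metric_data(instance_id: str, percent: float,
                          namespace: str = "Custom/Memory") -> dict:
    """Build the keyword arguments for CloudWatch PutMetricData.

    The request shape (Namespace, MetricData with MetricName, Dimensions,
    Timestamp, Value, Unit) is the CloudWatch API's; the namespace and the
    dimension name are this example's own choices.
    """
    return {
        "Namespace": namespace,
        "MetricData": [
            {
                "MetricName": "MemoryUtilization",
                "Dimensions": [{"Name": "InstanceId", "Value": instance_id}],
                "Timestamp": datetime.now(timezone.utc),
                "Value": percent,
                "Unit": "Percent",
            }
        ],
    }


def publish(client, instance_id: str, meminfo_text: str) -> dict:
    """Compute the metric and push it through any object exposing
    put_metric_data (a boto3 CloudWatch client in production, a stub in tests).
    Returns the request that was sent."""
    percent = memory_utilization_percent(parse_meminfo(meminfo_text))
    request = build_put_metric_data(instance_id, percent)
    client.put_metric_data(**request)
    return request


if __name__ == "__main__":
    # Real use on an instance: read the live file and send with boto3. The
    # instance needs a role (or access key) allowed cloudwatch:PutMetricData;
    # the instance ID below is a placeholder.
    import boto3
    with open("/proc/meminfo") as fh:
        live = fh.read()
    print(publish(boto3.client("cloudwatch"), "i-0123456789abcdef0", live))
```

Run it from cron or a systemd timer on each instance; once a few data points have arrived, the metric appears under the Custom/Memory namespace in the CloudWatch console and can back an alarm exactly like the built-in CPUUtilization metric used in Exercise 5.5.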
EXERCISE 5.4
Create a Launch Configuration and Auto Scaling Group
1. Using the AWS Management Console, create a launch configuration using an existing AMI.
2. Create an Auto Scaling group using this launch configuration with a group size of four and spanning two Availability Zones. Do not use a scaling policy. Keep the group at its initial size.
3. Manually terminate an Amazon EC2 instance, and observe Auto Scaling launch a new Amazon EC2 instance.
EXERCISE 5.5
Create a Scaling Policy
1. Create an Amazon CloudWatch metric and alarm for CPU utilization using the AWS Management Console.
2. Using the Auto Scaling group from Exercise 5.4, edit the Auto Scaling group to include a policy that uses the CPU utilization alarm.
3. Drive CPU utilization on the monitored Amazon EC2 instance(s) up to observe Auto Scaling.
EXERCISE 5.6
Create a Web Application That Scales
1. Create a small web application architected with an Elastic Load Balancing load balancer, an Auto Scaling group spanning two Availability Zones that uses an Amazon CloudWatch metric, and an alarm attached to a scaling policy used by the Auto Scaling group.
2. Verify that Auto Scaling is operating correctly by removing instances and driving the metric up and down to force Auto Scaling.
Review Questions
1. Which of the following are required elements of an Auto Scaling group? (Choose 2 answers)
A. Minimum size
B. Health checks
C. Desired capacity
D. Launch configuration
2. You have created an Elastic Load Balancing load balancer listening on port 80, and you registered it with a single Amazon Elastic Compute Cloud (Amazon EC2) instance also listening on port 80. A client makes a request to the load balancer with the correct protocol and port for the load balancer. In this scenario, how many connections does the balancer maintain?
A. 1
B. 2
C. 3
D. 4
3. How long does Amazon CloudWatch keep metric data?
A. 1 day
B. 2 days
C. 1 week
D. 2 weeks
4. Which of the following are the minimum required elements to create an Auto Scaling launch configuration?
A. Launch configuration name, Amazon Machine Image (AMI), and instance type
B. Launch configuration name, AMI, instance type, and key pair
C. Launch configuration name, AMI, instance type, key pair, and security group
D. Launch configuration name, AMI, instance type, key pair, security group, and block device mapping
5. You are responsible for the application logging solution for your company's existing applications running on multiple Amazon EC2 instances. Which of the following is the best approach for aggregating the application logs within AWS?
A. Amazon CloudWatch custom metrics
B. Amazon CloudWatch Logs Agent
C. An Elastic Load Balancing listener
D. An internal Elastic Load Balancing load balancer
6. Which of the following must be configured on an Elastic Load Balancing load balancer to accept incoming traffic?
A. A port
B. A network interface
C. A listener
D. An instance
7. You create an Auto Scaling group in a new region that is configured with a minimum size value of 10, a maximum size value of 100, and a desired capacity value of 50. However, you notice that 30 of the Amazon Elastic Compute Cloud (Amazon EC2) instances within the Auto Scaling group fail to launch. Which of the following is the cause of this behavior?
A. You cannot define an Auto Scaling group larger than 20.
B. The Auto Scaling group maximum value cannot be more than 20.
C. You did not attach an Elastic Load Balancing load balancer to the Auto Scaling group.
D. You have not raised your default Amazon EC2 capacity (20) for the new region.
8. You want to host multiple Hypertext Transfer Protocol Secure (HTTPS) websites on a fleet of Amazon EC2 instances behind an Elastic Load Balancing load balancer with a single X.509 certificate. How must you configure the Secure Sockets Layer (SSL) certificate so that clients connecting to the load balancer are not presented with a warning when they connect?
A. Create one SSL certificate with a Subject Alternative Name (SAN) value for each website name.
B. Create one SSL certificate with the Server Name Indication (SNI) value checked.
C. Create multiple SSL certificates with a SAN value for each website name.
D. Create SSL certificates for each Availability Zone with a SAN value for each website name.
9. Your web application front end consists of multiple Amazon Elastic Compute Cloud (Amazon EC2) instances behind an Elastic Load Balancing load balancer. You have configured the load balancer to perform health checks on these Amazon EC2 instances. If an instance fails to pass health checks, which statement will be true?
A. The instance is replaced automatically by the load balancer.
B. The instance is terminated automatically by the load balancer.
C. The load balancer stops sending traffic to the instance that failed its health check.
D. The instance is quarantined by the load balancer for root cause analysis.
10. In the basic monitoring package for Amazon Elastic Compute Cloud (Amazon EC2), what Amazon CloudWatch metrics are available?
A. Web server visible metrics such as number of failed transaction requests
B. Operating system visible metrics such as memory utilization
C. Database visible metrics such as number of connections
D. Hypervisor visible metrics such as CPU utilization
11. A cell phone company is running dynamic-content television commercials for a contest. They want their website to handle traffic spikes that come after a commercial airs. The website is interactive, offering personalized content to each visitor based on location, purchase history, and the current commercial airing. Which architecture will configure Auto Scaling to scale out to respond to spikes of demand, while minimizing costs during quiet periods?
A. Set the minimum size of the Auto Scaling group so that it can handle high traffic volumes without needing to scale out.
B. Create an Auto Scaling group large enough to handle peak traffic loads, and then stop some instances. Configure Auto Scaling to scale out when traffic increases using the stopped instances, so new capacity will come online quickly.
C. Configure Auto Scaling to scale out as traffic increases. Configure the launch configuration to start new instances from a preconfigured Amazon Machine Image (AMI).
D. Use Amazon CloudFront and Amazon Simple Storage Service (Amazon S3) to cache changing content, with the Auto Scaling group set as the origin. Configure Auto Scaling to have sufficient instances necessary to initially populate CloudFront and Amazon ElastiCache, and then scale in after the cache is fully populated.
12. For an application running in the ap-northeast-1 region with three Availability Zones (ap-northeast-1a, ap-northeast-1b, and ap-northeast-1c), which instance deployment provides high availability for the application that normally requires nine running Amazon Elastic Compute Cloud (Amazon EC2) instances but can run on a minimum of 65 percent capacity while Auto Scaling launches replacement instances in the remaining Availability Zones?
A. Deploy the application on four servers in ap-northeast-1a and five servers in ap-northeast-1b, and keep five stopped instances in ap-northeast-1a as reserve.
B. Deploy the application on three servers in ap-northeast-1a, three servers in ap-northeast-1b, and three servers in ap-northeast-1c.
C. Deploy the application on six servers in ap-northeast-1b and three servers in ap-northeast-1c.
D. Deploy the application on nine servers in ap-northeast-1b, and keep nine stopped instances in ap-northeast-1a as reserve.
13. Which of the following are characteristics of the Auto Scaling service on AWS? (Choose 3 answers)
A. Sends traffic to healthy instances
B. Responds to changing conditions by adding or terminating Amazon Elastic Compute Cloud (Amazon EC2) instances
C. Collects and tracks metrics and sets alarms
D. Delivers push notifications
E. Launches instances from a specified Amazon Machine Image (AMI)
F. Enforces a minimum number of running Amazon EC2 instances
14. Why is the launch configuration referenced by the Auto Scaling group instead of being part of the Auto Scaling group?
A. It allows you to change the Amazon Elastic Compute Cloud (Amazon EC2) instance type and Amazon Machine Image (AMI) without disrupting the Auto Scaling group.
B. It facilitates rolling out a patch to an existing set of instances managed by an Auto Scaling group.
C. It allows you to change security groups associated with the instances launched without having to make changes to the Auto Scaling group.
D. All of the above
E. None of the above
15. An Auto Scaling group may use: (Choose 2 answers)
A. On-Demand Instances
B. Stopped instances
C. Spot Instances
D. On-premises instances
E. Already running instances if they use the same Amazon Machine Image (AMI) as the Auto Scaling group's launch configuration and are not already part of another Auto Scaling group
16. Amazon CloudWatch supports which types of monitoring plans? (Choose 2 answers)
A. Basic monitoring, which is free
B. Basic monitoring, which has an additional cost
C. Ad hoc monitoring, which is free
D. Ad hoc monitoring, which has an additional cost
E. Detailed monitoring, which is free
F. Detailed monitoring, which has an additional cost
17. Elastic Load Balancing health checks may be: (Choose 3 answers)
A. A ping
B. A key pair verification
C. A connection attempt
D. A page request
E. An Amazon Elastic Compute Cloud (Amazon EC2) instance status check
18. When an Amazon Elastic Compute Cloud (Amazon EC2) instance registered with an Elastic Load Balancing load balancer using connection draining is deregistered or unhealthy, which of the following will happen? (Choose 2 answers)
A. Immediately close all existing connections to that instance.
B. Keep the connections open to that instance, and attempt to complete in-flight requests.
C. Redirect the requests to a user-defined error page like "Oops this is embarrassing" or "Under Construction."
D. Forcibly close all connections to that instance after a timeout period.
E. Leave the connections open as long as the load balancer is running.
19. Elastic Load Balancing supports which of the following types of load balancers? (Choose 3 answers)
A. Cross-region
B. Internet-facing
C. Interim
D. Itinerant
E. Internal
F. Hypertext Transfer Protocol Secure (HTTPS) using Secure Sockets Layer (SSL)
20. Auto Scaling supports which of the following plans for Auto Scaling groups? (Choose 3 answers)
A. Predictive
B. Manual
C. Preemptive
D. Scheduled
E. Dynamic
F. End-user request driven
G. Optimistic
Chapter 6
AWS Identity and Access Management (IAM)
THE AWS CERTIFIED SOLUTIONS ARCHITECT ASSOCIATE EXAM OBJECTIVES COVERED IN THIS CHAPTER MAY INCLUDE, BUT ARE NOT LIMITED TO, THE FOLLOWING:
Domain 2.0: Implementation/Deployment
2.1 Identify the appropriate techniques and methods using Amazon EC2, Amazon S3, Elastic Beanstalk, CloudFormation, Amazon Virtual Private Cloud (VPC), and AWS Identity and Access Management (IAM) to code and implement a cloud solution.
Content may include the following:
Configure IAM policies and best practices
Domain 3.0: Data Security
3.1 Recognize and implement secure practices for optimum cloud deployment and maintenance.
Content may include the following:
AWS Identity and Access Management (IAM)
Introduction
In this chapter, you will learn how AWS Identity and Access Management (IAM) secures interactions with the AWS resources in your account, including:
Which principals interact with AWS through the AWS Management Console, Command Line Interface (CLI), and Software Development Kits (SDKs)
How each principal is authenticated
How IAM policies are written to specify the access privileges of principals
How IAM policies are associated with principals
How to secure your infrastructure further through Multi-Factor Authentication (MFA) and key rotation
How IAM roles can be used to delegate permissions and federate users
How to resolve multiple, possibly conflicting IAM permissions
IAM is a powerful service that allows you to control how people and programs are allowed to manipulate your AWS infrastructure. IAM uses traditional identity concepts such as users, groups, and access control policies to control who can use your AWS account, what services and resources they can use, and how they can use them. The control provided by IAM is granular enough to limit a single user to the ability to perform a single action on a specific resource from a specific IP address during a specific time window. Applications can be granted access to AWS resources whether they are running on-premises or in the cloud. This flexibility creates a very powerful system that will give you all the power you need to ensure that your AWS account users have the ability to meet your business needs while addressing all of the security concerns of your organization.
This chapter will cover the different principals that can interact with AWS and how they are authenticated. It will then discuss how to write policies that define permitted access to services, actions, and resources and associate these policies with authenticated principals. Finally, it will cover additional features of IAM that will help you secure your infrastructure, including MFA, rotating keys, federation, resolving multiple permissions, and using IAM roles.
As important as it is to know what IAM is exactly, it is equally important to understand what it is not:
First, IAM is not an identity store/authorization system for your applications. The permissions that you assign are permissions to manipulate AWS infrastructure, not permissions within your application. If you are migrating an existing on-premises application that already has its own user repository and authentication/authorization mechanism, then that should continue to work when you deploy on AWS and is probably the right choice. If your application identities are based on Active Directory, your on-premises Active Directory can be extended into the cloud to continue to fill that need. A great solution for using Active Directory in the cloud is AWS Directory Service, which is an Active Directory-compatible directory service that can work on its own or integrate with your on-premises Active Directory. Finally, if you are working with a mobile app, consider Amazon Cognito for identity management for mobile applications.
Second, IAM is not operating system identity management. Remember that under the shared responsibility model, you are in control of your operating system console and configuration. Whatever mechanism you currently use to control access to your server infrastructure will continue to work on Amazon Elastic Compute Cloud (Amazon EC2) instances, whether that is managing individual machine login accounts or a directory service such as Active Directory or Lightweight Directory Access Protocol (LDAP). You can run an Active Directory or LDAP server on Amazon EC2, or you can extend your on-premises system into the cloud. AWS Directory Service will also work well to provide Active Directory functionality in the cloud as a service, whether standalone or integrated with your existing Active Directory.
Table 6.1 summarizes the role that different authentication systems can play in your AWS environment.
TABLE 6.1 Authentication Technologies

| Use Case | Technology Solutions |
|---|---|
| Operating System Access | Active Directory, LDAP, Machine-specific accounts |
| Application Access | Active Directory, Application User Repositories, Amazon Cognito |
| AWS Resources | IAM |

IAM is controlled like most other AWS Cloud services:
Through the AWS Management Console—Like other services, the AWS Management Console is the easiest way to start learning about and manipulating a service.
With the CLI—As you learn the system, you can start scripting repeated tasks using the CLI.
Via the AWS SDKs—Eventually you may start writing your own tools and complex processes by manipulating IAM directly through the REST API via one of several SDKs.
All of these methods work to control IAM just as they work with other services. In addition, the AWS Partner Network (APN) includes a rich ecosystem of tools to manage and extend IAM.
Principals
The first IAM concept to understand is principals. A principal is an IAM entity that is allowed to interact with AWS resources. A principal can be permanent or temporary, and it can represent a human or an application. There are three types of principals: root users, IAM users, and roles/temporary security tokens.
Root User
When you first create an AWS account, you begin with only a single sign-in principal that has complete access to all AWS Cloud services and resources in the account. This principal is called the root user. As long as you have an open account with AWS, the root user for that relationship will persist. The root user can be used for both console and programmatic access to AWS resources.
The root user is similar in concept to the UNIX root or Windows Administrator account—it has full privileges to do anything in the account, including closing the account. It is strongly recommended that you do not use the root user for your everyday tasks, even the administrative ones. Instead, adhere to the best practice of using the root user only to create your first IAM user and then securely locking away the root user credentials.
IAM Users
Users are persistent identities set up through the IAM service to represent individual people or applications. You may create separate IAM users for each member of your operations team so they can interact with the console and use the CLI. You might also create dev, test, and production users for applications that need to access AWS Cloud services (although you will see later in this chapter that IAM roles may be a better solution for that use case).
IAM users can be created by principals with IAM administrative privileges at any time through the AWS Management Console, CLI, or SDKs. Users are persistent in that there is no expiration period; they are permanent entities that exist until an IAM administrator takes an action to delete them.
Users are an excellent way to enforce the principle of least privilege; that is, the concept of allowing a person or process interacting with your AWS resources to perform exactly the tasks they need but nothing else. Users can be associated with very granular policies that define these permissions. Policies will be covered in a later section.
Roles/Temporary Security Tokens
Roles and temporary security tokens are very important for advanced IAM usage, but many AWS users find them confusing. Roles are used to grant specific privileges to specific actors for a set duration of time. These actors can be authenticated by AWS or some trusted external system. When one of these actors assumes a role, AWS provides the actor with a temporary security token from the AWS Security Token Service (STS) that the actor can use to access AWS Cloud services. Requesting a temporary security token requires specifying how long the token will exist before it expires. The range of a temporary security token lifetime is 15 minutes to 36 hours.
Roles and temporary security tokens enable a number of use cases:
Amazon EC2 Roles—Granting permissions to applications running on an Amazon EC2 instance.
Cross-Account Access—Granting permissions to users from other AWS accounts, whether you control those accounts or not.
Federation—Granting permissions to users authenticated by a trusted external system.
Amazon EC2 Roles
Granting permissions to an application is always tricky, as it usually requires configuring the application with some sort of credential upon installation. This leads to issues around securely storing the credential prior to use, how to access it safely during installation, and how to secure it in the configuration. Suppose that an application running on an Amazon EC2 instance needs to access an Amazon Simple Storage Service (Amazon S3) bucket. A policy granting permission to read and write that bucket can be created and assigned to an IAM user, and the application can use the access key for that IAM user to access the Amazon S3 bucket. The problem with this approach is that the access key for the user must be accessible to the application, probably by storing it in some sort of configuration file. The process for obtaining the access key and storing it encrypted in the configuration is usually complicated and a hindrance to agile development. Additionally, the access key is at risk when being passed around. Finally, when the time comes to rotate the access key, the rotation involves performing that whole process again.
Using IAM roles for Amazon EC2 removes the need to store AWS credentials in a configuration file.
An alternative is to create an IAM role that grants the required access to the Amazon S3 bucket. When the Amazon EC2 instance is launched, the role is assigned to the instance. When the application running on the instance uses the Application Programming Interface (API) to access the Amazon S3 bucket, it assumes the role assigned to the instance and obtains a temporary token that it sends to the API. The process of obtaining the temporary token and passing it to the API is handled automatically by most of the AWS SDKs, allowing the application to make a call to access the Amazon S3 bucket without worrying about authentication. In addition to being easy for the developer, this removes any need to store an access key in a configuration file. Also, because the API access uses a temporary token, there is no fixed access key that must be rotated.
Cross-Account Access
Another common use case for IAM roles is to grant access to AWS resources to IAM users in other AWS accounts. These accounts may be other AWS accounts controlled by your company or outside agents like customers or suppliers. You can set up an IAM role with the permissions you want to grant to users in the other account, then users in the other account can assume that role to access your resources. This is highly recommended as a best practice, as opposed to distributing access keys outside your organization.
Federation
Many organizations already have an identity repository outside of AWS and would rather leverage that repository than create a new and largely duplicate repository of IAM users. Similarly, web-based applications may want to leverage web-based identities such as Facebook, Google, or Login with Amazon. IAM Identity Providers provide the ability to federate these outside identities with IAM and assign privileges to those users authenticated outside of IAM.
IAM can integrate with two different types of outside Identity Providers (IdP). For federating web identities such as Facebook, Google, or Login with Amazon, IAM supports integration via OpenID Connect (OIDC). This allows IAM to grant privileges to users authenticated with some of the major web-based IdPs. For federating internal identities, such as Active Directory or LDAP, IAM supports integration via Security Assertion Markup Language 2.0 (SAML). A SAML-compliant IdP such as Active Directory Federation Services (ADFS) is used to federate the internal directory to IAM. (Instructions for configuring many compatible products can be found on the AWS website.) In each case, federation works by returning a temporary token associated with a role to the IdP for the authenticated identity to use for calls to the AWS API. The actual role returned is determined via information received from the IdP, either attributes of the user in the on-premises identity store or the user name and authenticating service of the web identity store.
The three types of principals and their general traits are listed in Table 6.2.
TABLE 6.2 Traits of AWS Principals

| Principal | Traits |
|---|---|
| Root User | Cannot be limited; Permanent |
| IAM Users | Access controlled by policy; Durable; Can be removed by IAM administrator |
| Roles/Temporary Security Tokens | Access controlled by policy; Temporary; Expire after specific time interval |
Authentication
There are three ways that IAM authenticates a principal:
User Name/Password—When a principal represents a human interacting with the console, the human will provide a user name/password pair to verify their identity. IAM allows you to create a password policy enforcing password complexity and expiration.
Access Key—An access key is a combination of an access key ID (20 characters) and an access secret key (40 characters). When a program is manipulating the AWS infrastructure via the API, it will use these values to sign the underlying REST calls to the services. The AWS SDKs and tools handle all the intricacies of signing the REST calls, so using an access key will almost always be a matter of providing the values to the SDK or tool.
Access Key/Session Token—When a process operates under an assumed role, the temporary security token provides an access key for authentication. In addition to the access key (remember that it consists of two parts), the token also includes a session token. Calls to AWS must include both the two-part access key and the session token to authenticate.
It is important to note that when an IAM user is created, it has neither an access key nor a password, and the IAM administrator can set up either or both. This adds an extra layer of security in that console users cannot use their credentials to run a program that accesses your AWS infrastructure.
Figure 6.1 shows a summary of the different authentication methods.
FIGURE 6.1 Different identities authenticating with AWS
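The two programmatic methods above both come down to signing the REST call with the secret key; the session token of a temporary security token is simply one more signed header. The following added example (not from the study guide and not the AWS SDKs' code) implements AWS Signature Version 4, the signing scheme current AWS APIs use, over a constructed sample request. The AKIDEXAMPLE access key and the wJalrXUtnFEMI/... secret are the placeholder pair from AWS's own documentation, not real credentials; the ListUsers request, date and session token are constructed for the example.

```python
"""AWS Signature Version 4 signing of a REST request with an access key.

Added example, not from the study guide: it shows what "signing the
underlying REST call" with an access key ID and secret key means, and where
the session token of a temporary security token goes. Credentials and the
request are constructed sample values (the AKIDEXAMPLE pair is the placeholder
pair used in AWS documentation), never real secrets.
"""
import hashlib
import hmac
from urllib.parse import quote

ALGORITHM = "AWS4-HMAC-SHA256"


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def canonical_request(method, path, query, headers, payload):
    """Build the canonical request string and the signed-header list.

    headers must contain host and x-amz-date; path is assumed already
    normalized. Header names are lowercased, values trimmed, both sorted.
    """
    cq = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                  for k, v in sorted(query.items()))
    lowered = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    signed = ";".join(sorted(lowered))
    ch = "".join(f"{k}:{lowered[k]}\n" for k in sorted(lowered))
    return "\n".join([method, path, cq, ch, signed, _sha256_hex(payload)]), signed


def signing_key(secret_key, date, region, service):
    """Derive the per-day, per-region, per-service key from the secret key.
    The secret itself is never sent; only HMACs derived from it are."""
    k_date = _hmac(("AWS4" + secret_key).encode(), date)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def sign_request(access_key_id, secret_key, region, service, method, host, path,
                 query, amz_date, payload=b"", session_token=None, extra_headers=None):
    """Return the headers to send, including Authorization.

    With a temporary security token, the session token is added as the
    x-amz-security-token header and is covered by the signature, so the
    two-part access key and the session token travel together.
    """
    headers = {"host": host, "x-amz-date": amz_date}
    if extra_headers:
        headers.update(extra_headers)
    if session_token:
        headers["x-amz-security-token"] = session_token
    date = amz_date[:8]
    scope = f"{date}/{region}/{service}/aws4_request"
    creq, signed = canonical_request(method, path, query, headers, payload)
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope, _sha256_hex(creq.encode())])
    sig = hmac.new(signing_key(secret_key, date, region, service),
                   string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"{ALGORITHM} Credential={access_key_id}/{scope}, "
                                f"SignedHeaders={signed}, Signature={sig}")
    return headers


# Constructed sample: an IAM ListUsers call with a fixed date so output is repeatable.
SAMPLE = dict(access_key_id="AKIDEXAMPLE",
              secret_key="wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY",
              region="us-east-1", service="iam", method="GET",
              host="iam.amazonaws.com", path="/",
              query={"Action": "ListUsers", "Version": "2010-05-08"},
              amz_date="20150830T123600Z",
              extra_headers={"content-type": "application/x-www-form-urlencoded; charset=utf-8"})

if __name__ == "__main__":
    for name, value in sign_request(**SAMPLE).items():
        print(f"{name}: {value}")
```

Two points worth noticing: the secret key never leaves the client, only an HMAC chain keyed by it, and because the date and the signed headers are inside the signature, a captured Authorization header cannot be reused for a different day or a different request. This is also why the session token must be presented alongside the access key rather than instead of it: the signature is computed with the temporary secret, and the token tells STS which temporary identity that secret belongs to.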
Authorization
After IAM has authenticated a principal, it must then manage the access of that principal to protect your AWS infrastructure. The process of specifying exactly what actions a principal can and cannot perform is called authorization. Authorization is handled in IAM by defining specific privileges in policies and associating those policies with principals.
Policies
Understanding how access management works under IAM begins with understanding policies. A policy is a JSON document that fully defines a set of permissions to access and manipulate AWS resources. Policy documents contain one or more permissions, with each permission defining:
Effect—A single word: Allow or Deny.
Service—For what service does this permission apply? Most AWS Cloud services support granting access through IAM, including IAM itself.
Resource—The resource value specifies the specific AWS infrastructure for which this permission applies. This is specified as an Amazon Resource Name (ARN). The format for an ARN varies slightly between services, but the basic format is:
"arn:aws:service:region:account-id:[resourcetype:]resource"
For some services, wildcard values are allowed; for instance, an Amazon S3 ARN could have a resource of foldername* to indicate all objects in the specified folder. Table 6.3 displays some sample ARNs.
TABLE 6.3 Sample ARNs

| Resource | ARN Format |
|---|---|
| Amazon S3 Bucket | `arn:aws:s3:us-east-1:123456789012:my_corporate_bucket/*` |
| IAM User | `arn:aws:iam:us-east-1:123456789012:user/David` |
| Amazon DynamoDB Table | `arn:aws:dynamodb:us-east-1:123456789012:table/tablename` |

Action—The action value specifies the subset of actions within a service that the permission allows or denies. For instance, a permission may grant access to any read-based action for Amazon S3. A set of actions can be specified with an enumerated list or by using wildcards (Read*).
Condition—The condition value optionally defines one or more additional restrictions that limit the actions allowed by the permission. For instance, the permission might contain a condition that limits the ability to access a resource to calls that come from a specific IP address range. Another condition could restrict the permission only to apply during a specific time interval. There are many types of permissions that allow a rich variety of functionality that varies between services. See the IAM documentation for lists of supported conditions for each service.
A sample policy is shown in the following listing. This policy allows a principal to list the objects in a specific bucket and to retrieve those objects, but only if the call comes from a specific IP address.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1441716043000",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "192.168.0.1"
        }
      },
      "Resource": [
        "arn:aws:s3:::my_public_bucket/*"
      ]
    }
  ]
}
```

Reading the statement top to bottom: the Effect of Allow means this policy grants access; the Action list allows identities to list and get objects in the S3 bucket; the Condition restricts the grant to calls coming from a specific IP address; and the Resource limits it to only this bucket.
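To make the Effect, Action, Resource and Condition elements concrete, here is an added example (not from the study guide and not IAM's own evaluation engine) that parses the sample policy above and the ARN format from Table 6.3 and evaluates requests against them with the rules this chapter describes: denied by default, allowed only when a matching Allow statement's action, resource and condition all hold, and an explicit Deny overriding any Allow. The parse_arn, evaluate and _matches names, the report.csv object and the 10.0.0.5 caller address are this example's own; only the IpAddress and NotIpAddress condition operators are modelled.

```python
"""Minimal IAM-style policy evaluator for the chapter's sample policy.

Added example, not from the study guide and not IAM's own evaluation engine.
It applies the rules the chapter describes: a request is denied by default,
an Allow statement whose Action, Resource and Condition all match grants it,
and an explicit Deny wins over any Allow. Action and Resource use the same
case-insensitive wildcard matching (* and ?) as the chapter's "Read*" and
"my_public_bucket/*" examples. Only the IpAddress and NotIpAddress condition
operators are modelled; real IAM supports many more.
"""
import fnmatch
import ipaddress
import json

# The chapter's sample policy, parsed from its JSON document.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1441716043000",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Condition": {"IpAddress": {"aws:SourceIp": "192.168.0.1"}},
      "Resource": ["arn:aws:s3:::my_public_bucket/*"]
    }
  ]
}
""")


def parse_arn(arn: str) -> dict:
    """Split an ARN into the parts of arn:partition:service:region:account-id:resource.
    Some services (S3 object ARNs, for example) leave region and account empty."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn}")
    keys = ("prefix", "partition", "service", "region", "account", "resource")
    return dict(zip(keys, parts))


def _matches(patterns, value: str) -> bool:
    """Glob-match an action or resource against a string or list of patterns."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)


def _condition_ok(condition, context: dict) -> bool:
    """Evaluate the IpAddress / NotIpAddress operators against request context."""
    for operator, pairs in (condition or {}).items():
        if operator not in ("IpAddress", "NotIpAddress"):
            raise NotImplementedError(f"condition operator {operator} is not modelled")
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:            # missing context key: the condition fails
                return False
            nets = expected if isinstance(expected, list) else [expected]
            in_range = any(ipaddress.ip_address(actual) in ipaddress.ip_network(n, strict=False)
                           for n in nets)
            if (operator == "IpAddress") != in_range:
                return False
    return True


def evaluate(policies, action: str, resource: str, context: dict = None) -> str:
    """Return 'Allow' or 'Deny' for one request against a list of policy documents."""
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _matches(stmt.get("Action", []), action):
                continue
            if not _matches(stmt.get("Resource", []), resource):
                continue
            if not _condition_ok(stmt.get("Condition"), context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"                    # an explicit deny always wins
            allowed = True
    return "Allow" if allowed else "Deny"        # deny by default


if __name__ == "__main__":
    obj = "arn:aws:s3:::my_public_bucket/report.csv"
    for ip in ("192.168.0.1", "10.0.0.5"):
        print(ip, evaluate([SAMPLE_POLICY], "s3:GetObject", obj, {"aws:SourceIp": ip}))
```

One caveat the evaluator makes visible: Amazon S3 evaluates s3:ListBucket against the bucket ARN itself (arn:aws:s3:::my_public_bucket, with no trailing /*), which the sample's Resource pattern does not match, so in practice a second Resource entry for the bucket ARN is needed before the listing call succeeds. When you attach several policies to one principal through users, groups and managed policies (next section), passing all of them to evaluate shows how a single Deny anywhere in the set overrides the Allows.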
Associating Policies with Principals
There are several ways to associate a policy with an IAM user; this section will only cover the most common.
A policy can be associated directly with an IAM user in one of two ways:
User Policy—These policies exist only in the context of the user to which they are attached. In the console, a user policy is entered into the user interface on the IAM user page.
Managed Policies—These policies are created in the Policies tab on the IAM page (or through the CLI, and so forth) and exist independently of any individual user. In this way, the same policy can be associated with many users or groups of users. There are a large number of predefined managed policies that you can review on the Policies tab of the IAM page in the AWS Management Console. In addition, you can write your own policies specific to your use cases.
Using predefined managed policies ensures that when new permissions are added for new features, your users will still have the correct access.
The other common method for associating policies with users is with the IAM groups feature. Groups simplify managing permissions for large numbers of users. After a policy is assigned to a group, any user who is a member of that group assumes those permissions. This makes it simpler to assign policies to an entire team in your organization. For instance, if you create an "Operations" group with every IAM user for your operations team assigned to that group, then it is a simple matter to associate the needed permissions to the group, and all of the team's IAM users will assume those permissions. New IAM users can then be assigned directly to the group.
This is a much simpler management process than having to review what policies a new IAM user for the operations team should receive and manually adding those policies to the user. There are two ways a policy can be associated with an IAM group:
Group Policy—These policies exist only in the context of the group to which they are attached. In the AWS Management Console, a group policy is entered into the user interface on the IAM Group page.
Managed Policies—In the same way that managed policies (discussed in the "Authorization" section) can be associated with IAM users, they can also be associated with IAM groups.
Figure 6.2 shows the different ways that policies can be associated with an IAM User.
FIGURE 6.2 Associating IAM users with policies
A good first step is to use the root user to create a new IAM group called "IAM Administrators" and assign the managed policy, "IAMFullAccess." Then create a new IAM user called "Administrator," assign a password, and add it to the IAM Administrators group. At this point, you can log off as the root user and perform all further administration with the IAM user account.
The final way an actor can be associated with a policy is by assuming a role. In this case, the actor can be:
An authenticated IAM user (person or process). In this case, the IAM user must have the rights to assume the role.
A person or process authenticated by a trusted service outside of AWS, such as an on-premises LDAP directory or a web authentication service. In this situation, an AWS Cloud service will assume the role on the actor's behalf and return a token to the actor.
After an actor has assumed a role, it is provided with a temporary security token associated with the policies of that role. The token contains all the information required to authenticate API calls. This information includes a standard access key plus an additional session token required for authenticating calls under an assumed role.
Other Key Features
Beyond the critical concepts of principals, authentication, and authorization, there are several other features of the IAM service that are important to understand to realize the full benefits of IAM.
Multi-Factor Authentication (MFA)
Multi-Factor Authentication (MFA) can add an extra layer of security to your infrastructure by adding a second method of authentication beyond just a password or access key. With MFA, authentication also requires entering a One-Time Password (OTP) from a small device. The MFA device can be either a small hardware device you carry with you or a virtual device via an app on your smartphone (for example, the AWS Virtual MFA app).
MFA requires you to verify your identity with both something you know and something you have.
MFA can be assigned to any IAM user account, whether the account represents a person or application. When a person using an IAM user configured with MFA attempts to access the AWS Management Console, after providing their password they will be prompted to enter the current code displayed on their MFA device before being granted access. An application using an IAM user configured with MFA must query the application user to provide the current code, which the application will then pass to the API.
It is strongly recommended that AWS customers add MFA protection to their root user.
Rotating Keys
The security risk of any credential increases with the age of the credential. To this end, it is a security best practice to rotate access keys associated with your IAM users. IAM facilitates this process by allowing two active access keys at a time. The process to rotate keys can be conducted via the console, CLI, or SDKs:
1. Create a new access key for the user.
2. Reconfigure all applications to use the new access key.
3. Disable the original access key (disabling instead of deleting at this stage is critical, as it allows rollback to the original key if there are issues with the rotation).
4. Verify the operation of all applications.
5. Delete the original access key.
Access keys should be rotated on a regular schedule.
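The five steps above, written as one script so the rollback that step 3 makes possible is actually exercised. This is an added example, not code from the study guide or from AWS. It is written against the boto3 IAM client method names (create_access_key, update_access_key, delete_access_key, list_access_keys) so a real `boto3.client("iam")` can be passed in, but `FakeIam` is a constructed in-memory stand-in so the script runs offline, and the `reconfigure` and `verify` callbacks stand in for whatever pushes the new key to your applications and smoke-tests them.

```python
"""Access-key rotation with rollback. Added example; FakeIam is a constructed
stand-in for boto3's IAM client so this runs offline."""
import itertools
from typing import Callable, Dict, List


class FakeIam:
    """In-memory stand-in for boto3's IAM client, including IAM's limit of two
    access keys per user (the real service raises LimitExceeded)."""
    def __init__(self) -> None:
        self.keys: Dict[str, List[dict]] = {}
        self._ids = itertools.count(1)

    def list_access_keys(self, UserName: str) -> dict:
        return {"AccessKeyMetadata": [dict(k) for k in self.keys.get(UserName, [])]}

    def create_access_key(self, UserName: str) -> dict:
        if len(self.keys.get(UserName, [])) >= 2:
            raise RuntimeError("LimitExceeded: user already has two access keys")
        key = {"AccessKeyId": "AKIAFAKE%08d" % next(self._ids),  # constructed ID
               "SecretAccessKey": "constructed-secret", "Status": "Active"}
        self.keys.setdefault(UserName, []).append(key)
        return {"AccessKey": dict(key)}

    def update_access_key(self, UserName: str, AccessKeyId: str, Status: str) -> None:
        key = next(k for k in self.keys[UserName] if k["AccessKeyId"] == AccessKeyId)
        key["Status"] = Status

    def delete_access_key(self, UserName: str, AccessKeyId: str) -> None:
        self.keys[UserName] = [k for k in self.keys[UserName] if k["AccessKeyId"] != AccessKeyId]


def rotate_access_key(iam, user: str, reconfigure: Callable[[str, str], None],
                      verify: Callable[[], bool]) -> str:
    """Steps 1-5 from the text. Returns the new key ID. If verification fails
    after the old key is made Inactive, the old key is re-enabled and the new
    key removed, which is exactly why step 3 disables rather than deletes."""
    active = [k for k in iam.list_access_keys(UserName=user)["AccessKeyMetadata"]
              if k["Status"] == "Active"]
    if len(active) != 1:
        raise RuntimeError("expected exactly one active key for %s, found %d" % (user, len(active)))
    old_id = active[0]["AccessKeyId"]

    new = iam.create_access_key(UserName=user)["AccessKey"]                  # step 1
    reconfigure(new["AccessKeyId"], new["SecretAccessKey"])                   # step 2
    iam.update_access_key(UserName=user, AccessKeyId=old_id, Status="Inactive")  # step 3
    if not verify():                                                           # step 4
        iam.update_access_key(UserName=user, AccessKeyId=old_id, Status="Active")
        iam.delete_access_key(UserName=user, AccessKeyId=new["AccessKeyId"])
        raise RuntimeError("rotation rolled back: applications failed on the new key")
    iam.delete_access_key(UserName=user, AccessKeyId=old_id)                  # step 5
    return new["AccessKeyId"]


def demo_success() -> dict:
    """One successful rotation against the fake client; returns the end state."""
    iam = FakeIam()
    first = iam.create_access_key(UserName="administrator")["AccessKey"]["AccessKeyId"]
    configured: Dict[str, str] = {}
    new_id = rotate_access_key(
        iam, "administrator",
        reconfigure=lambda kid, secret: configured.update(key_id=kid),
        verify=lambda: configured.get("key_id") not in (None, first))
    return {"new_id": new_id, "old_id": first,
            "remaining": iam.list_access_keys(UserName="administrator")["AccessKeyMetadata"]}


def demo_rollback() -> dict:
    """A rotation whose verification fails; returns the end state after rollback."""
    iam = FakeIam()
    first = iam.create_access_key(UserName="administrator")["AccessKey"]["AccessKeyId"]
    try:
        rotate_access_key(iam, "administrator", lambda kid, secret: None, lambda: False)
        raised = False
    except RuntimeError:
        raised = True
    return {"raised": raised, "old_id": first,
            "remaining": iam.list_access_keys(UserName="administrator")["AccessKeyMetadata"]}
```

In production the inactive key is usually kept for a grace period before step 5, and the date of the last successful rotation is what a "rotated on a regular schedule" audit checks.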
Resolving Multiple Permissions
Occasionally, multiple permissions will be applicable when determining whether a principal has the privilege to perform some action. These permissions may come from multiple policies associated with a principal or resource policies attached to the AWS resource in question. It is important to know how conflicts between these permissions are resolved:
1. Initially the request is denied by default.
2. All the appropriate policies are evaluated; if there is an explicit "deny" found in any policy, the request is denied and evaluation stops.
3. If no explicit "deny" is found and an explicit "allow" is found in any policy, the request is allowed.
4. If there are no explicit "allow" or "deny" permissions found, then the default "deny" is maintained and the request is denied.
The only exception to this rule is when an AssumeRole call includes both a role and a policy: the passed policy cannot expand the privileges of the role (for example, it cannot override a permission that is denied by default in the role). The effective permissions of the resulting session are the intersection of the role's policies and the passed policy.
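The four rules above, and the AssumeRole intersection rule, as a small evaluator. This is an added example, not code from the study guide or from AWS, and it implements only the simplified wildcard matching on Action and Resource; the real IAM engine also evaluates conditions, resource policies in other accounts, permission boundaries and organisation policies. The policies and ARNs are constructed to reproduce the case the chapter describes, where one policy exposes a whole fleet of EC2 instances and a second one explicitly locks down a single instance.

```python
"""IAM-style policy evaluation: default deny, explicit deny wins, explicit
allow otherwise; plus the AssumeRole session-policy intersection. Added example
with constructed policies; wildcard matching only, no condition keys."""
import fnmatch
from typing import Iterable, List


def _as_list(v) -> List[str]:
    return [v] if isinstance(v, str) else list(v)


def _statements(policy: dict) -> List[dict]:
    s = policy["Statement"]                     # IAM allows a single object or a list
    return [s] if isinstance(s, dict) else list(s)


def _matches(st: dict, action: str, resource: str) -> bool:
    """Actions match case-insensitively, resources case-sensitively; '*' and '?'
    are the wildcards IAM accepts in both."""
    actions = [a.lower() for a in _as_list(st.get("Action", []))]
    resources = _as_list(st.get("Resource", []))
    return (any(fnmatch.fnmatchcase(action.lower(), a) for a in actions)
            and any(fnmatch.fnmatchcase(resource, r) for r in resources))


def evaluate(policies: Iterable[dict], action: str, resource: str) -> str:
    """Return 'Allow' or 'Deny' for one request across every applicable policy
    (user, group and resource policies are all just members of `policies`)."""
    decision = "Deny"                            # rule 1: default deny
    for policy in policies:
        for st in _statements(policy):
            if not _matches(st, action, resource):
                continue
            if st["Effect"] == "Deny":           # rule 2: explicit deny ends evaluation
                return "Deny"
            if st["Effect"] == "Allow":          # rule 3: an allow is remembered
                decision = "Allow"
    return decision                              # rule 4: otherwise the default deny stands


def evaluate_assumed_role(role_policies: Iterable[dict], session_policy: dict,
                          action: str, resource: str) -> str:
    """AssumeRole with a passed policy: the request must be allowed by the role's
    own policies AND by the passed policy, so the passed policy can only narrow."""
    by_role = evaluate(role_policies, action, resource)
    by_session = evaluate([session_policy], action, resource)
    return "Allow" if by_role == "Allow" and by_session == "Allow" else "Deny"


# Constructed sample: an operations group allowed everything on EC2, and a
# second policy that locks down one production instance.
OPS_GROUP_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}
PROD = "arn:aws:ec2:us-east-1:123456789012:instance/i-0prodexample"
DEV = "arn:aws:ec2:us-east-1:123456789012:instance/i-0devexample"
LOCKDOWN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": ["ec2:TerminateInstances", "ec2:StopInstances"],
     "Resource": PROD}]}
READ_ONLY_SESSION = {"Version": "2012-10-17", "Statement":
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}}

if __name__ == "__main__":
    both = [OPS_GROUP_POLICY, LOCKDOWN_POLICY]
    print("terminate prod:", evaluate(both, "ec2:TerminateInstances", PROD))
    print("terminate dev: ", evaluate(both, "ec2:TerminateInstances", DEV))
    print("session, run:  ", evaluate_assumed_role([OPS_GROUP_POLICY], READ_ONLY_SESSION,
                                                  "ec2:RunInstances", DEV))
```

The order in which policies are listed does not matter: an explicit deny anywhere wins even when an allow was already found, which is what makes a deny-only lockdown policy safe to attach on top of broad group permissions.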
Summary
IAM is a powerful service that gives you the ability to control which people and applications can access your AWS account at a very granular level. Because the root user in an AWS account cannot be limited, you should set up IAM users and temporary security tokens for your people and processes to interact with AWS.
Policies define what actions can and cannot be taken. Policies are associated with IAM users either directly or through group membership. A temporary security token is associated with a policy by assuming an IAM role. You can write your own policies or use one of the managed policies provided by AWS.
Common use cases for IAM roles include federating identities from external IdPs, assigning privileges to an Amazon EC2 instance where they can be assumed by applications running on the instance, and cross-account access.
IAM user accounts can be further secured by rotating keys, implementing MFA, and adding conditions to policies. MFA ensures that authentication is based on something you have in addition to something you know, and conditions can add further restrictions such as limiting client IP address ranges or setting a particular time interval.
Exam Essentials
Know the different principals in IAM. The three principals that can authenticate and interact with AWS resources are the root user, IAM users, and roles. The root user is associated with the actual AWS account and cannot be restricted in any way. IAM users are persistent identities that can be controlled through IAM. Roles allow people or processes the ability to operate temporarily with a different identity. People or processes assume a role by being granted a temporary security token that will expire after a specified period of time.
Know how principals are authenticated in IAM. When you log in to the AWS Management Console as an IAM user or root user, you use a username/password combination. A program that accesses the API with an IAM user or root user uses a two-part access key. A temporary security token authenticates with an access key plus an additional session token unique to that temporary security token.
Know the parts of a policy. A policy is a JSON document that defines one or more permissions to interact with AWS resources. Each permission includes the effect, service, action, and resource. It may also include one or more conditions. AWS makes many predefined policies available as managed policies.
Know how a policy is associated with a principal. An authenticated principal is associated with zero to many policies. For an IAM user, these policies may be attached directly to the user account or attached to an IAM group of which the user account is a member. A temporary security token is associated with policies by assuming an IAM role.
Understand MFA. MFA increases the security of an AWS account by augmenting the password (something you know) with a rotating OTP from a small device (something you have), ensuring that anyone authenticating the account has both knowledge of the password and possession of the device. AWS supports both Gemalto hardware MFA devices and a number of virtual MFA apps.
Understand key rotation. To protect your AWS infrastructure, access keys should be rotated regularly. AWS allows two access keys to be valid simultaneously to make the rotation process straightforward: Generate a new access key, configure your application to use the new access key, test, disable the original access key, test, delete the original access key, and test again.
Understand IAM roles and federation. IAM roles are prepackaged sets of permissions that have no credentials. Principals can assume a role and then use the associated permissions. When a temporary security token is created, it assumes a role that defines the permissions assigned to the token. When an Amazon EC2 instance is associated with an IAM role, SDK calls acquire a temporary security token based on the role associated with the instance and use that token to access AWS resources.
Roles are the basis for federating external IdPs with AWS. You configure an IAM IdP to interact with the external IdP, the authenticated identity from the IdP is mapped to a role, and a temporary security token is returned that has assumed that role. AWS supports both SAML and OIDC IdPs.
Know how to resolve conflicting permissions. Resolving multiple permissions is relatively straightforward. If an action on a resource has not been explicitly allowed by a policy, it is denied. If two policies contradict each other; that is, if one policy allows an action on a resource and another policy denies that action, the action is denied. While this sounds improbable, it may occur due to scope differences in a policy. One policy may expose an entire fleet of Amazon EC2 instances, and a second policy may explicitly lock down one particular instance.
Exercises
For assistance in completing the following exercises, refer to the IAM User Guide at http://docs.aws.amazon.com/IAM/latest/UserGuide/.
EXERCISE 6.1
Create an IAM Group
In this exercise, you will create a group for all IAM administrator users and assign the proper permissions to the new group. This will allow you to avoid assigning policies directly to a user later in these exercises.
1. Log in as the root user.
2. Create an IAM group called Administrators.
3. Attach the managed policy, IAMFullAccess, to the Administrators group.
EXERCISE 6.2
Create a Customized Sign-In Link and Password Policy
In this exercise, you will set up your account with some basic IAM safeguards. The password policy is a recommended security practice, and the sign-in link makes it easier for your users to log in to the AWS Management Console.
1. Customize a sign-in link, and write down the new link name in full.
2. Create a password policy for your account.
EXERCISE 6.3
Create an IAM User
In this exercise, you will create an IAM user who can perform all administrative IAM functions. Then you will log in as that user so that you no longer need to use the root user login. Using the root user login only when explicitly required is a recommended security practice (along with adding MFA to your root user).
1. While logged in as the root user, create a new IAM user called Administrator.
2. Add your new user to the Administrators group.
3. On the Details page for the Administrator user, create a password.
4. Log out as the root user.
5. Use the customized sign-in link to sign in as Administrator.
EXERCISE 6.4
Create and Use an IAM Role
In this exercise, you will create an IAM role, associate it with a new instance, and verify that applications running on the instance assume the permissions of the role. IAM roles allow you to avoid storing access keys on your Amazon EC2 instances.
1. While signed in as Administrator, create an Amazon EC2-type role named S3Client.
2. Attach the managed policy, AmazonS3ReadOnlyAccess, to S3Client.
3. Launch an Amazon Linux EC2 instance with the new role attached (Amazon Linux AMIs come with the CLI installed).
4. SSH into the new instance, and use the CLI to list the contents of an Amazon S3 bucket.
EXERCISE 6.5
Rotate Keys
In this exercise, you will go through the process of rotating access keys, a recommended security practice.
1. Select the Administrator user, and create a two-part access key.
2. Download the access key.
3. Download and install the CLI to your desktop.
4. Configure the CLI to use the access key with the aws configure command.
5. Use the CLI to list the contents of an Amazon S3 bucket.
6. Return to the console, and create a new access key for the Administrator account.
7. Download the access key, and reconfigure the CLI to use the new access key.
8. In the console, make the original access key inactive.
9. Confirm that you are using the new access key by once again listing the contents of the Amazon S3 bucket.
10. Delete the original access key.
EXERCISE 6.6
Set Up MFA
In this exercise, you will add MFA to your IAM administrator. You will use a virtual MFA application for your phone. MFA is a security recommendation on powerful accounts such as IAM administrators.
1. Download the AWS Virtual MFA app to your phone.
2. Select the Administrator user, and manage the MFA device.
3. Go through the steps to activate a virtual MFA device.
4. Log off as Administrator.
5. Log in as Administrator, and enter the MFA value to complete the authentication process.
EXERCISE 6.7
Resolve Conflicting Permissions
In this exercise, you will add a policy to your IAM administrator user with a conflicting permission. You will then attempt actions that verify how IAM resolves conflicting permissions.
1. Use the policy generator to create a new policy.
2. Create the policy with Effect: Deny; AWS Service: Amazon S3; Actions: *; and ARN: *.
3. Attach the new policy to the Administrators group.
4. Use the CLI to attempt to list the contents of an Amazon S3 bucket. The policy that allows access and the policy that denies access should resolve to deny access.
Review Questions
1. Which of the following methods will allow an application using an AWS SDK to be authenticated as a principal to access AWS Cloud services? (Choose 2 answers)
A. Create an IAM user and store the user name and password for the user in the application's configuration.
B. Create an IAM user and store both parts of the access key for the user in the application's configuration.
C. Run the application on an Amazon EC2 instance with an assigned IAM role.
D. Make all the API calls over an SSL connection.
2. Which of the following are found in an IAM policy? (Choose 2 answers)
A. Service Name
B. Region
C. Action
D. Password
3. Your AWS account administrator left your company today. The administrator had access to the root user and a personal IAM administrator account. With these accounts, he generated other IAM accounts and keys. Which of the following should you do today to protect your AWS infrastructure? (Choose 4 answers)
A. Change the password and add MFA to the root user.
B. Put an IP restriction on the root user.
C. Rotate keys and change passwords for IAM accounts.
D. Delete all IAM accounts.
E. Delete the administrator's personal IAM account.
F. Relaunch all Amazon EC2 instances with new roles.
4. Which of the following actions can be authorized by IAM? (Choose 2 answers)
A. Installing ASP.NET on a Windows Server
B. Launching an Amazon Linux EC2 instance
C. Querying an Oracle database
D. Adding a message to an Amazon Simple Queue Service (Amazon SQS) queue
5. Which of the following are IAM security features? (Choose 2 answers)
A. Password policies
B. Amazon DynamoDB global secondary indexes
C. MFA
D. Consolidated Billing
6. Which of the following are benefits of using Amazon EC2 roles? (Choose 2 answers)
A. No policies are required.
B. Credentials do not need to be stored on the Amazon EC2 instance.
C. Key rotation is not necessary.
D. Integration with Active Directory is automatic.
7. Which of the following are based on temporary security tokens? (Choose 2 answers)
A. Amazon EC2 roles
B. MFA
C. Root user
D. Federation
8. Your security team is very concerned about the vulnerability of the IAM administrator user accounts (the accounts used to configure all IAM features and accounts). What steps can be taken to lock down these accounts? (Choose 3 answers)
A. Add multi-factor authentication (MFA) to the accounts.
B. Limit logins to a particular U.S. state.
C. Implement a password policy on the AWS account.
D. Apply a source IP address condition to the policy that only grants permissions when the user is on the corporate network.
E. Add a CAPTCHA test to the accounts.
9. You want to grant the individuals on your network team the ability to fully manipulate Amazon EC2 instances. Which of the following accomplish this goal? (Choose 2 answers)
A. Create a new policy allowing EC2:* actions, and name the policy NetworkTeam.
B. Assign the managed policy, EC2FullAccess, to a group named NetworkTeam, and assign all the team members' IAM user accounts to that group.
C. Create a new policy that grants EC2:* actions on all resources, and assign that policy to each individual's IAM user account on the network team.
D. Create a NetworkTeam IAM group, and have each team member log in to the AWS Management Console using the username/password for the group.
10. What is the format of an IAM policy?
A. XML
B. Key/value pairs
C. JSON
D. Tab-delimited text
Chapter 7
Databases and AWS
THE AWS CERTIFIED SOLUTIONS ARCHITECT ASSOCIATE EXAM OBJECTIVES COVERED IN THIS CHAPTER MAY INCLUDE, BUT ARE NOT LIMITED TO, THE FOLLOWING:
Domain 1.0: Designing highly available, cost-efficient, fault-tolerant, and scalable systems
1.1 Identify and recognize cloud architecture considerations, such as fundamental components and effective designs.
Content may include the following:
Planning and design
Architectural trade-off decisions (Amazon Relational Database Service [Amazon RDS] vs. installing on Amazon Elastic Compute Cloud [Amazon EC2])
Best practices for AWS architecture
Recovery Time Objective (RTO) and Recovery Point Objective (RPO) Disaster Recovery (DR) design
Elasticity and scalability
Domain 3.0: Data Security
3.1 Recognize and implement secure practices for optimum cloud deployment and maintenance.
Content may include the following:
AWS administration and security services
Design patterns
3.2 Recognize critical disaster recovery techniques and their implementation.
This chapter will cover essential database concepts and introduce three of Amazon's managed database services: Amazon Relational Database Service (Amazon RDS), Amazon DynamoDB, and Amazon Redshift. These managed services simplify the setup and operation of relational databases, NoSQL databases, and data warehouses.
This chapter focuses on key topics you need to understand for the exam, including:
The differences among a relational database, a NoSQL database, and a data warehouse
The benefits and tradeoffs between running a database on Amazon EC2 or on Amazon RDS
How to deploy database engines into the cloud
How to back up and recover your database and meet your Recovery Point Objective (RPO) and Recovery Time Objective (RTO) requirements
How to build highly available database architectures
How to scale your database compute and storage vertically
How to select the right type of storage volume
How to use read replicas to scale horizontally
How to design and scale an Amazon DynamoDB table
How to read and write from an Amazon DynamoDB table
How to use secondary indexes to speed queries
How to design an Amazon Redshift table
How to load and query an Amazon Redshift data warehouse
How to secure your databases, tables, and clusters
Database Primer
Almost every application relies on a database to store important data and records for its users. A database engine allows your application to access, manage, and search large volumes of data records. In a well-architected application, the database will need to meet the performance demands, the availability needs, and the recoverability characteristics of the system.
Database systems and engines can be grouped into two broad categories: Relational Database Management Systems (RDBMS) and NoSQL (or non-relational) databases. It is not uncommon to build an application using a combination of RDBMS and NoSQL databases. A strong understanding of essential database concepts, Amazon RDS, and Amazon DynamoDB is required to pass this exam.
Relational Databases
The most common type of database in use today is the relational database. The relational database has roots going back to the 1970s when Edgar F. Codd, working for IBM, developed the concepts of the relational model. Today, relational databases power all types of applications from social media apps, e-commerce websites, and blogs to complex enterprise applications. Commonly used relational database software packages include MySQL, PostgreSQL, Microsoft SQL Server, and Oracle.
Relational databases provide a common interface that lets users read and write from the database using commands or queries written using Structured Query Language (SQL). A relational database consists of one or more tables, and a table consists of columns and rows similar to a spreadsheet. A database column contains a specific attribute of the record, such as a person's name, address, or telephone number. Each attribute is assigned a data type such as text, number, or date, and the database engine will reject invalid inputs.
A database row comprises an individual record, such as the details about a student who attends a school. Consider the example in Table 7.1.
TABLE 7.1 Students Table

| StudentID | FirstName | LastName | Gender | Age |
|-----------|-----------|----------|--------|-----|
| 1001 | Joe | Dusty | M | 29 |
| 1002 | Andrea | Romanov | F | 20 |
| 1003 | Ben | Johnson | M | 30 |
| 1004 | Beth | Roberts | F | 30 |

This is an example of a basic table that would sit in a relational database. There are five fields with different data types:
StudentID = Number or integer
FirstName = String
LastName = String
Gender = String (Character Length = 1)
Age = Integer
This sample table has four records, with each record representing an individual student. Each student has a StudentID field, which is usually a unique number per student. A unique number that identifies each student can be called a primary key.
One record in a table can relate to a record in another table by referencing the primary key of a record. This pointer or reference is called a foreign key. For example, the Grades table that records scores for each student would have its own primary key and an additional column known as a foreign key that refers to the primary key of the student record. By referencing the primary keys of other tables, relational databases minimize duplication of data in associated tables. With relational databases, it is important to note that the structure of the table (such as the number of columns and data type of each column) must be defined prior to data being added to the table.
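The primary-key and foreign-key relationship just described, with the engine rejecting invalid input, as an added example that is not from the study guide. It uses Python's bundled sqlite3 so it runs offline without any RDS or EC2 instance; the Students rows are the ones in Table 7.1, the Grades rows are constructed, and the Grades table is the one the text proposes. One caveat specific to SQLite: foreign keys are only enforced when `PRAGMA foreign_keys` is switched on for the connection, which the code does explicitly; the RDS engines enforce them by default.

```python
"""Primary key, foreign key and schema enforcement with SQLite. Added example;
students are the page's Table 7.1 rows, grades are constructed."""
import sqlite3
from typing import List, Tuple

STUDENTS = [(1001, "Joe", "Dusty", "M", 29), (1002, "Andrea", "Romanov", "F", 20),
            (1003, "Ben", "Johnson", "M", 30), (1004, "Beth", "Roberts", "F", 30)]
GRADES = [(1001, "Security 101", 91), (1002, "Security 101", 88),
          (1001, "Networking", 77)]                       # constructed sample


def build_school_db() -> sqlite3.Connection:
    """The schema is declared before any data is loaded (rigid schema); Grades
    points back at Students through a foreign key instead of copying names."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")               # off by default in SQLite
    conn.executescript("""
        CREATE TABLE Students (
            StudentID INTEGER PRIMARY KEY,
            FirstName TEXT    NOT NULL,
            LastName  TEXT    NOT NULL,
            Gender    TEXT    NOT NULL CHECK (length(Gender) = 1),
            Age       INTEGER NOT NULL CHECK (typeof(Age) = 'integer')
        );
        CREATE TABLE Grades (
            GradeID   INTEGER PRIMARY KEY,
            StudentID INTEGER NOT NULL REFERENCES Students(StudentID),
            Course    TEXT    NOT NULL,
            Score     INTEGER NOT NULL
        );
    """)
    conn.executemany("INSERT INTO Students VALUES (?, ?, ?, ?, ?)", STUDENTS)
    conn.executemany("INSERT INTO Grades (StudentID, Course, Score) VALUES (?, ?, ?)", GRADES)
    conn.commit()
    return conn


def grades_for(conn: sqlite3.Connection, last_name: str) -> List[Tuple[str, str, int]]:
    """Follow the foreign key with a JOIN; parameters are bound, never concatenated."""
    rows = conn.execute("""
        SELECT s.FirstName, g.Course, g.Score
        FROM Grades g JOIN Students s ON s.StudentID = g.StudentID
        WHERE s.LastName = ?
        ORDER BY g.Course""", (last_name,))
    return rows.fetchall()


def try_change(conn: sqlite3.Connection, sql: str, params: tuple) -> str:
    """Apply one statement; report 'ok' or the engine's rejection so the
    constraint violations can be seen rather than silently accepted."""
    try:
        with conn:                                          # commit, or roll back on error
            conn.execute(sql, params)
        return "ok"
    except sqlite3.IntegrityError as exc:
        return "rejected: %s" % exc


if __name__ == "__main__":
    db = build_school_db()
    print(grades_for(db, "Dusty"))
    print(try_change(db, "INSERT INTO Grades (StudentID, Course, Score) VALUES (?, ?, ?)",
                     (9999, "Crypto", 100)))                # no such student
    print(try_change(db, "DELETE FROM Students WHERE StudentID = ?", (1001,)))  # still referenced
```

The two rejections a practitioner should look for are the orphan grade (a StudentID that does not exist) and the delete of a student who still has grades; both are the engine refusing to leave a dangling foreign key, which is the integrity guarantee the text attributes to relational databases.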
A relational database can be categorized as either an Online Transaction Processing (OLTP) or Online Analytical Processing (OLAP) database system, depending on how the tables are organized and how the application uses the relational database. OLTP refers to transaction-oriented applications that are frequently writing and changing data (for example, data entry and e-commerce). OLAP is typically the domain of data warehouses and refers to reporting or analyzing large data sets. Large applications often have a mix of both OLTP and OLAP databases.
Amazon Relational Database Service (Amazon RDS) significantly simplifies the setup and maintenance of OLTP and OLAP databases. Amazon RDS provides support for six popular relational database engines: MySQL, Oracle, PostgreSQL, Microsoft SQL Server, MariaDB, and Amazon Aurora. You can also choose to run nearly any database engine using Windows or Linux Amazon Elastic Compute Cloud (Amazon EC2) instances and manage the installation and administration yourself.
Data Warehouses
A data warehouse is a central repository for data that can come from one or more sources. This data repository is often a specialized type of relational database that can be used for reporting and analysis via OLAP. Organizations typically use data warehouses to compile reports and search the database using highly complex queries.
Data warehouses are also typically updated on a batch schedule multiple times per day or per hour, compared to an OLTP relational database that can be updated thousands of times per second. Many organizations split their relational databases into two different databases: one database as their main production database for OLTP transactions, and the other database as their data warehouse for OLAP. OLTP transactions occur frequently and are relatively simple. OLAP transactions occur much less frequently but are much more complex.
Amazon RDS is often used for OLTP workloads, but it can also be used for OLAP. Amazon Redshift is a high-performance data warehouse designed specifically for OLAP use cases. It is also common to combine Amazon RDS with Amazon Redshift in the same application and periodically extract recent transactions and load them into a reporting database.
NoSQL Databases
NoSQL databases have gained significant popularity in recent years because they are often simpler to use, more flexible, and can achieve performance levels that are difficult or impossible with traditional relational databases. Traditional relational databases are difficult to scale beyond a single server without significant engineering and cost, but a NoSQL architecture allows for horizontal scalability on commodity hardware.
NoSQL databases are non-relational and do not have the same table and column semantics of a relational database. NoSQL databases are instead often key/value stores or document stores with flexible schemas that can evolve over time or vary. Contrast that to a relational database, which requires a very rigid schema.
Many of the concepts of NoSQL architectures trace their foundational concepts back to whitepapers published in 2006 and 2007 that described distributed systems like Dynamo at Amazon. Today, many application teams use HBase, MongoDB, Cassandra, CouchDB, Riak, and Amazon DynamoDB to store large volumes of data with high transaction rates. Many of these database engines support clustering and scale horizontally across many machines for performance and fault tolerance. A common use case for NoSQL is managing user session state, user profiles, shopping cart data, or time-series data.
You can run any type of NoSQL database on AWS using Amazon EC2, or you can choose a managed service like Amazon DynamoDB to deal with the heavy lifting involved with building a distributed cluster spanning multiple data centers.
AmazonRelationalDatabaseService(AmazonRDS)AmazonRDSisaservicethatsimplifiesthesetup,operations,andscalingofarelationaldatabaseonAWS.WithAmazonRDS,youcanspendmoretimefocusingontheapplicationandtheschemaandletAmazonRDSoffloadcommontaskslikebackups,patching,scaling,andreplication.
AmazonRDShelpsyoutostreamlinetheinstallationofthedatabasesoftwareandalsotheprovisioningofinfrastructurecapacity.Withinafewminutes,AmazonRDScanlaunchoneofmanypopulardatabaseenginesthatisreadytostarttakingSQLtransactions.Aftertheinitiallaunch,AmazonRDSsimplifiesongoingmaintenancebyautomatingcommonadministrativetasksonarecurringbasis.
WithAmazonRDS,youcanaccelerateyourdevelopmenttimelinesandestablishaconsistentoperatingmodelformanagingrelationaldatabases.Forexample,AmazonRDSmakesiteasytoreplicateyourdatatoincreaseavailability,improvedurability,orscaleuporbeyondasingledatabaseinstanceforread-heavydatabaseworkloads.
AmazonRDSexposesadatabaseendpointtowhichclientsoftwarecanconnectandexecuteSQL.AmazonRDSdoesnotprovideshellaccesstoDatabase(DB)Instances,anditrestrictsaccesstocertainsystemproceduresandtablesthatrequireadvancedprivileges.WithAmazonRDS,youcantypicallyusethesametoolstoquery,analyze,modify,andadministerthedatabase.Forexample,currentExtract,Transform,Load(ETL)toolsandreportingtoolscanconnecttoAmazonRDSdatabasesinthesamewaywiththesamedrivers,andoftenallittakestoreconfigureischangingthehostnameintheconnectionstring.
Database(DB)InstancesTheAmazonRDSserviceitselfprovidesanApplicationProgrammingInterface(API)thatletsyoucreateandmanageoneormoreDBInstances.ADBInstanceisanisolateddatabaseenvironmentdeployedinyourprivatenetworksegmentsinthecloud.EachDBInstancerunsandmanagesapopularcommercialoropensourcedatabaseengineonyourbehalf.AmazonRDScurrentlysupportsthefollowingdatabaseengines:MySQL,PostgreSQL,MariaDB,Oracle,SQLServer,andAmazonAurora.
YoucanlaunchanewDBInstancebycallingtheCreateDBInstanceAPIorbyusingtheAWSManagementConsole.ExistingDBInstancescanbechangedorresizedusingtheModifyDBInstanceAPI.ADBInstancecancontainmultipledifferentdatabases,allofwhichyoucreateandmanagewithintheDBInstanceitselfbyexecutingSQLcommandswiththeAmazonRDSendpoint.Thedifferentdatabasescanbecreated,accessed,andmanagedusingthesameSQLclienttoolsandapplicationsthatyouusetoday.
ThecomputeandmemoryresourcesofaDBInstancearedeterminedbyitsDBInstanceclass.YoucanselecttheDBInstanceclassthatbestmeetsyourneedsforcomputeandmemory.TherangeofDBInstanceclassesextendsfromadb.t2.microwith1virtualCPU(vCPU)and1GBofmemory,uptoadb.r3.8xlargewith32vCPUsand244GBofmemory.Asyourneedschangeovertime,youcanchangetheinstanceclassandthebalanceofcomputeofmemory,andAmazonRDSwillmigrateyourdatatoalargerorsmallerinstanceclass.IndependentfromtheDBInstanceclassthatyouselect,youcanalsocontrolthesizeand
![Page 219: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us](https://reader034.fdocuments.in/reader034/viewer/2022051903/5ff3f0af59eac925a1655b52/html5/thumbnails/219.jpg)
performance characteristics of the storage used.

Amazon RDS supports a large variety of engines, versions, and feature combinations. Check the Amazon RDS documentation to determine support for specific features. Many features and common configuration settings are exposed and managed using DB parameter groups and DB option groups. A DB parameter group acts as a container for engine configuration values that can be applied to one or more DB Instances. You may change the DB parameter group for an existing instance, but a reboot is required. A DB option group acts as a container for engine features, which is empty by default. In order to enable specific features of a DB engine (for example, Oracle Statspack, Microsoft SQL Server Mirroring), you create a new DB option group and configure the settings accordingly.

Existing databases can be migrated to Amazon RDS using native tools and techniques that vary depending on the engine. For example, with MySQL, you can export a backup using mysqldump and import the file into Amazon RDS MySQL. You can also use the AWS Database Migration Service, which gives you a graphical interface that simplifies the migration of both schema and data between databases. AWS Database Migration Service also helps convert databases from one database engine to another.

Operational Benefits

Amazon RDS increases the operational reliability of your databases by applying a very consistent deployment and operational model. This level of consistency is achieved in part by limiting the types of changes that can be made to the underlying infrastructure and through the extensive use of automation. For example, with Amazon RDS, you cannot use Secure Shell (SSH) to log in to the host instance and install a custom piece of software. You can, however, connect using SQL administrator tools or use DB option groups and DB parameter groups to change the behavior or feature configuration for a DB Instance. If you want full control of the Operating System (OS) or require elevated permissions to run, then consider installing your database on Amazon EC2 instead of Amazon RDS.

Amazon RDS is designed to simplify the common tasks required to operate a relational database in a reliable manner. It's useful to compare the responsibilities of an administrator when operating a relational database in your data center, on Amazon EC2, or with Amazon RDS (see Table 7.2).
TABLE 7.2 Comparison of Operational Responsibilities

Responsibility          Database On-Premise   Database on Amazon EC2   Database on Amazon RDS
App Optimization        You                   You                      You
Scaling                 You                   You                      AWS
High Availability       You                   You                      AWS
Backups                 You                   You                      AWS
DB Engine Patches       You                   You                      AWS
Software Installation   You                   You                      AWS
OS Patches              You                   You                      AWS
OS Installation         You                   AWS                      AWS
Server Maintenance      You                   AWS                      AWS
Rack and Stack          You                   AWS                      AWS
Power and Cooling       You                   AWS                      AWS
Database Engines

Amazon RDS supports six database engines: MySQL, PostgreSQL, MariaDB, Oracle, SQL Server, and Amazon Aurora. Features and capabilities vary slightly depending on the engine that you select.

MySQL

MySQL is one of the most popular open source databases in the world, and it is used to power a wide range of applications, from small personal blogs to some of the largest websites in the world. As of the time of this writing, Amazon RDS for MySQL currently supports MySQL 5.7, 5.6, 5.5, and 5.1. The engine is running the open source Community Edition with InnoDB as the default and recommended database storage engine. Amazon RDS MySQL allows you to connect using standard MySQL tools such as MySQL Workbench or SQL Workbench/J. Amazon RDS MySQL supports Multi-AZ deployments for high availability and read replicas for horizontal scaling.

PostgreSQL

PostgreSQL is a widely used open source database engine with a very rich set of features and advanced functionality. Amazon RDS supports DB Instances running several versions of PostgreSQL. As of the time of this writing, Amazon RDS supports multiple releases of PostgreSQL, including 9.5.x, 9.4.x, and 9.3.x. Amazon RDS PostgreSQL can be managed using standard tools like pgAdmin and supports standard JDBC/ODBC drivers. Amazon RDS PostgreSQL also supports Multi-AZ deployment for high availability and read replicas for horizontal scaling.
MariaDB

Amazon RDS recently added support for DB Instances running MariaDB. MariaDB is a popular open source database engine built by the creators of MySQL and enhanced with enterprise tools and functionality. MariaDB adds features that enhance the performance, availability, and scalability of MySQL. As of the time of this writing, AWS supports MariaDB version 10.0.17. Amazon RDS fully supports the XtraDB storage engine for MariaDB DB Instances and, like Amazon RDS MySQL and PostgreSQL, has support for Multi-AZ deployment and read replicas.

Oracle

Oracle is one of the most popular relational databases used in the enterprise and is fully supported by Amazon RDS. As of the time of this writing, Amazon RDS supports DB Instances running several editions of Oracle 11g and Oracle 12c. Amazon RDS supports access to schemas on a DB Instance using any standard SQL client application, such as Oracle SQL Plus.

Amazon RDS Oracle supports three different editions of the popular database engine: Standard Edition One, Standard Edition, and Enterprise Edition. Table 7.3 outlines some of the major differences between editions:

TABLE 7.3 Amazon RDS Oracle Editions Compared

Edition        Performance   Multi-AZ   Encryption
Standard One   ++++          Yes        KMS
Standard       ++++++++      Yes        KMS
Enterprise     ++++++++      Yes        KMS and TDE

Microsoft SQL Server

Microsoft SQL Server is another very popular relational database used in the enterprise. Amazon RDS allows Database Administrators (DBAs) to connect to their SQL Server DB Instance in the cloud using native tools like SQL Server Management Studio. As of the time of this writing, Amazon RDS provides support for several versions of Microsoft SQL Server, including SQL Server 2008 R2, SQL Server 2012, and SQL Server 2014.

Amazon RDS SQL Server also supports four different editions of SQL Server: Express Edition, Web Edition, Standard Edition, and Enterprise Edition. Table 7.4 highlights the relative performance, availability, and encryption differences among these editions.
TABLE 7.4 Amazon RDS SQL Server Editions Compared

Edition      Performance   Multi-AZ   Encryption
Express      +             No         KMS
Web          ++++          No         KMS
Standard     ++++          Yes        KMS
Enterprise   ++++++++      Yes        KMS and TDE

Licensing

Amazon RDS Oracle and Microsoft SQL Server are commercial software products that require appropriate licenses to operate in the cloud. AWS offers two licensing models: License Included and Bring Your Own License (BYOL).

License Included

In the License Included model, the license is held by AWS and is included in the Amazon RDS instance price. For Oracle, License Included provides licensing for Standard Edition One. For SQL Server, License Included provides licensing for SQL Server Express Edition, Web Edition, and Standard Edition.

Bring Your Own License (BYOL)

In the BYOL model, you provide your own license. For Oracle, you must have the appropriate Oracle Database license for the DB Instance class and Oracle Database edition you want to run. You can bring over Standard Edition One, Standard Edition, and Enterprise Edition.

For SQL Server, you provide your own license under the Microsoft License Mobility program. You can bring over Microsoft SQL Standard Edition and also Enterprise Edition. You are responsible for tracking and managing how licenses are allocated.

Amazon Aurora

Amazon Aurora offers enterprise-grade commercial database technology while offering the simplicity and cost effectiveness of an open source database. This is achieved by redesigning the internal components of MySQL to take a more service-oriented approach.

Like other Amazon RDS engines, Amazon Aurora is a fully managed service, is MySQL-compatible out of the box, and provides for increased reliability and performance over standard MySQL deployments. Amazon Aurora can deliver up to five times the performance of MySQL without requiring changes to most of your existing web applications. You can use the same code, tools, and applications that you use with your existing MySQL databases with Amazon Aurora.

When you first create an Amazon Aurora instance, you create a DB cluster. A DB cluster has one or more instances and includes a cluster volume that manages the data for those instances. An Amazon Aurora cluster volume is a virtual database storage volume that spans multiple Availability Zones, with each Availability Zone having a copy of the cluster data. An Amazon Aurora DB cluster consists of two different types of instances:

Primary Instance

This is the main instance, which supports both read and write workloads. When you modify your data, you are modifying the primary instance. Each Amazon Aurora DB cluster has one primary instance.
Amazon Aurora Replica

This is a secondary instance that supports only read operations. Each DB cluster can have up to 15 Amazon Aurora Replicas in addition to the primary instance. By using multiple Amazon Aurora Replicas, you can distribute the read workload among various instances, increasing performance. You can also locate your Amazon Aurora Replicas in multiple Availability Zones to increase your database availability.

Storage Options

Amazon RDS is built using Amazon Elastic Block Store (Amazon EBS) and allows you to select the right storage option based on your performance and cost requirements. Depending on the database engine and workload, you can scale up to 4 to 6 TB in provisioned storage and up to 30,000 IOPS. Amazon RDS supports three storage types: Magnetic, General Purpose (Solid State Drive [SSD]), and Provisioned IOPS (SSD). Table 7.5 highlights the relative size, performance, and cost differences between types.

TABLE 7.5 Amazon RDS Storage Types

              Magnetic   General Purpose (SSD)   Provisioned IOPS (SSD)
Size          +++        +++++                   +++++
Performance   +          +++                     +++++
Cost          ++         +++                     +++++

Magnetic

Magnetic storage, also called standard storage, offers cost-effective storage that is ideal for applications with light I/O requirements.

General Purpose (SSD)

General purpose (SSD)-backed storage, also called gp2, can provide faster access than magnetic storage. This storage type can provide burst performance to meet spikes and is excellent for small- to medium-sized databases.

Provisioned IOPS (SSD)

Provisioned IOPS (SSD) storage is designed to meet the needs of I/O-intensive workloads, particularly database workloads, that are sensitive to storage performance and consistency in random access I/O throughput.

For most applications, General Purpose (SSD) is the best option and provides a good mix of lower-cost and higher-performance characteristics.

Backup and Recovery

Amazon RDS provides a consistent operational model for backup and recovery procedures across the different database engines. Amazon RDS provides two mechanisms for backing up the database: automated backups and manual snapshots. By using a combination of both techniques, you can design a backup recovery model to protect your application data.

Each organization typically will define a Recovery Point Objective (RPO) and Recovery Time Objective (RTO) for important applications based on the criticality of the application and the expectations of the users. It's common for enterprise systems to have an RPO measured in minutes and an RTO measured in hours or even days, while some critical applications may have much lower tolerances.
RPO is defined as the maximum period of data loss that is acceptable in the event of a failure or incident. For example, many systems back up transaction logs every 15 minutes to allow them to minimize data loss in the event of an accidental deletion or hardware failure.

RTO is defined as the maximum amount of downtime that is permitted to recover from backup and to resume processing. For large databases in particular, it can take hours to restore from a full backup. In the event of a hardware failure, you can reduce your RTO to minutes by failing over to a secondary node. You should create a recovery plan that, at a minimum, lets you recover from a recent backup.

Automated Backups

An automated backup is an Amazon RDS feature that continuously tracks changes and backs up your database. Amazon RDS creates a storage volume snapshot of your DB Instance, backing up the entire DB Instance and not just individual databases. You can set the backup retention period when you create a DB Instance. One day of backups will be retained by default, but you can modify the retention period up to a maximum of 35 days. Keep in mind that when you delete a DB Instance, all automated backup snapshots are deleted and cannot be recovered. Manual snapshots, however, are not deleted.

Automated backups will occur daily during a configurable 30-minute maintenance window called the backup window. Automated backups are kept for a configurable number of days, called the backup retention period. You can restore your DB Instance to any specific time during this retention period, creating a new DB Instance.

Manual DB Snapshots

In addition to automated backups, you can perform manual DB snapshots at any time. A DB snapshot is initiated by you and can be created as frequently as you want. You can then restore the DB Instance to the specific state in the DB snapshot at any time. DB snapshots can be created with the Amazon RDS console or the CreateDBSnapshot action. Unlike automated snapshots that are deleted after the retention period, manual DB snapshots are kept until you explicitly delete them with the Amazon RDS console or the DeleteDBSnapshot action.

For busy databases, use Multi-AZ to minimize the performance impact of a snapshot. During the backup window, storage I/O may be suspended while your data is being backed up, and you may experience elevated latency. This I/O suspension typically lasts for the duration of the snapshot. This period of I/O suspension is shorter for Multi-AZ DB deployments because the backup is taken from the standby, but latency can occur during the backup process.

Recovery

Amazon RDS allows you to recover your database quickly whether you are performing automated backups or manual DB snapshots. You cannot restore from a DB snapshot to an existing DB Instance; a new DB Instance is created when you restore. When you restore a DB Instance, only the default DB parameter and security groups are associated with the restored instance. As soon as the restore is complete, you should associate any custom DB parameter or security groups used by the instance from which you restored. When using automated backups, Amazon RDS combines the daily backups performed during your predefined maintenance window in conjunction with transaction logs to enable you to restore your DB Instance to any point during your retention period, typically up to the last five minutes.
High Availability with Multi-AZ

One of the most powerful features of Amazon RDS is Multi-AZ deployments, which allows you to create a database cluster across multiple Availability Zones. Setting up a relational database to run in a highly available and fault-tolerant fashion is a challenging task. With Amazon RDS Multi-AZ, you can reduce the complexity involved with this common administrative task; with a single option, Amazon RDS can increase the availability of your database using replication. Multi-AZ lets you meet the most demanding RPO and RTO targets by using synchronous replication to minimize RPO and fast failover to minimize RTO to minutes.

Multi-AZ allows you to place a secondary copy of your database in another Availability Zone for disaster recovery purposes. Multi-AZ deployments are available for all types of Amazon RDS database engines. When you create a Multi-AZ DB Instance, a primary instance is created in one Availability Zone and a secondary instance is created in another Availability Zone. You are assigned a database instance endpoint such as the following:

my_app_db.ch6fe7ykq1zd.us-west-2.rds.amazonaws.com

This endpoint is a Domain Name System (DNS) name that AWS takes responsibility for resolving to a specific IP address. You use this DNS name when creating the connection to your database. Figure 7.1 illustrates a typical Multi-AZ deployment spanning two Availability Zones.
FIGURE 7.1 Multi-AZ Amazon RDS architecture

Amazon RDS automatically replicates the data from the master database or primary instance to the slave database or secondary instance using synchronous replication. Each Availability Zone runs on its own physically distinct, independent infrastructure and is engineered to be highly reliable. Amazon RDS detects and automatically recovers from the most common failure scenarios for Multi-AZ deployments so that you can resume database operations as quickly as possible without administrative intervention. Amazon RDS automatically performs a failover in the event of any of the following:

Loss of availability in primary Availability Zone
Loss of network connectivity to primary database
Compute unit failure on primary database
Storage failure on primary database

Amazon RDS will automatically fail over to the standby instance without user intervention. The DNS name remains the same, but the Amazon RDS service changes the CNAME to point to the standby. The primary DB Instance switches over automatically to the standby replica if there was an Availability Zone service disruption, if the primary DB Instance fails, or if the instance type is changed. You can also perform a manual failover of the DB Instance. Failover between the primary and the secondary instance is fast, and the time automatic failover takes to complete is typically one to two minutes.
It is important to remember that Multi-AZ deployments are for disaster recovery only; they are not meant to enhance database performance. The standby DB Instance is not available to offline queries from the primary master DB Instance. To improve database performance using multiple DB Instances, use read replicas or other DB caching technologies such as Amazon ElastiCache.

Scaling Up and Out

As the number of transactions to a relational database increases, scaling up, or vertically, by getting a larger machine allows you to process more reads and writes. Scaling out, or horizontally, is also possible, but it is often more difficult. Amazon RDS allows you to scale compute and storage vertically, and for some DB engines, you can scale horizontally.

Vertical Scalability

Adding additional compute, memory, or storage resources to your database allows you to process more transactions, run more queries, and store more data. Amazon RDS makes it easy to scale up or down your database tier to meet the demands of your application. Changes can be scheduled to occur during the next maintenance window or to begin immediately using the ModifyDBInstance action.

To change the amount of compute and memory, you can select a different DB Instance class of the database. After you select a larger or smaller DB Instance class, Amazon RDS automates the migration process to a new class with only a short disruption and minimal effort.

You can also increase the amount of storage, the storage class, and the storage performance for an Amazon RDS Instance. Each database instance can scale from 5 GB up to 6 TB in provisioned storage depending on the storage type and engine. Storage for Amazon RDS can be increased over time as needs grow with minimal impact to the running database. Storage expansion is supported for all of the database engines except for SQL Server.

Horizontal Scalability with Partitioning

A relational database can be scaled vertically only so much before you reach the maximum instance size. Partitioning a large relational database into multiple instances or shards is a common technique for handling more requests beyond the capabilities of a single instance.

Partitioning, or sharding, allows you to scale horizontally to handle more users and requests but requires additional logic in the application layer. The application needs to decide how to route database requests to the correct shard and becomes limited in the types of queries that can be performed across server boundaries. NoSQL databases like Amazon DynamoDB or Cassandra are designed to scale horizontally.

Horizontal Scalability with Read Replicas
Another important scaling technique is to use read replicas to offload read transactions from the primary database and increase the overall number of transactions. Amazon RDS supports read replicas that allow you to scale out elastically beyond the capacity constraints of a single DB Instance for read-heavy database workloads.

There are a variety of use cases where deploying one or more read replica DB Instances is helpful. Some common scenarios include:

Scale beyond the capacity of a single DB Instance for read-heavy workloads.
Handle read traffic while the source DB Instance is unavailable. For example, due to I/O suspension for backups or scheduled maintenance, you can direct read traffic to a replica.
Offload reporting or data warehousing scenarios against a replica instead of the primary DB Instance.

For example, a blogging website may have very little write activity except for the occasional comment, and the vast majority of database activity will be read-only. By offloading some or all of the read activity to one or more read replicas, the primary database instance can focus on handling the writes and replicating the data out to the replicas.

Read replicas are currently supported in Amazon RDS for MySQL, PostgreSQL, MariaDB, and Amazon Aurora. Amazon RDS uses the MySQL, MariaDB, and PostgreSQL DB engines' built-in replication functionality to create a special type of DB Instance, called a read replica, from a source DB Instance. Updates made to the source DB Instance are asynchronously copied to the read replica. You can reduce the load on your source DB Instance by routing read queries from your applications to the read replica.

You can create one or more replicas of a database within a single AWS Region or across multiple AWS Regions. To enhance your disaster recovery capabilities or reduce global latencies, you can use cross-region read replicas to serve read traffic from a region closest to your global users or migrate your databases across AWS Regions.

Security

Securing your Amazon RDS DB Instances and relational databases requires a comprehensive plan that addresses the many layers commonly found in database-driven systems. This includes the infrastructure resources, the database, and the network.

Protect access to your infrastructure resources using AWS Identity and Access Management (IAM) policies that limit which actions AWS administrators can perform. For example, some key administrator actions that can be controlled in IAM include CreateDBInstance and DeleteDBInstance.

Another security best practice is to deploy your Amazon RDS DB Instances into a private subnet within an Amazon Virtual Private Cloud (Amazon VPC) that limits network access to the DB Instance. Before you can deploy into an Amazon VPC, you must first create a DB subnet group that predefines which subnets are available for Amazon RDS deployments. Further, restrict network access using network Access Control Lists (ACLs) and security groups to limit inbound traffic to a short list of source IP addresses.
At the database level, you will also need to create users and grant them permissions to read and write to your databases. Access to the database is controlled using the database engine-specific access control and user management mechanisms. Create users at the database level with strong passwords that you rotate frequently.

Finally, protect the confidentiality of your data in transit and at rest with multiple encryption capabilities provided with Amazon RDS. Security features vary slightly from one engine to another, but all engines support some form of in-transit encryption and also at-rest encryption. You can securely connect a client to a running DB Instance using Secure Sockets Layer (SSL) to protect data in transit. Encryption at rest is possible for all engines using the Amazon Key Management Service (KMS) or Transparent Data Encryption (TDE). All logs, backups, and snapshots are encrypted for an encrypted Amazon RDS instance.
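The controls in this Security section, together with the backup retention and Multi-AZ settings from earlier in the chapter, can be turned into an automated check. The following is an added example, not code from the study guide: it audits DB Instance records shaped like the RDS DescribeDBInstances and EC2 DescribeSecurityGroups responses (the records, identifiers and the MIN_BACKUP_DAYS threshold are constructed assumptions).

```python
"""Added example, not code from the study guide: audit Amazon RDS DB Instance
descriptions against the controls this chapter lists (private placement,
tight security group ingress, encryption at rest, automated backup retention
and Multi-AZ).

The records are constructed to mirror the field names of the RDS
DescribeDBInstances and EC2 DescribeSecurityGroups responses; identifiers,
addresses and the MIN_BACKUP_DAYS threshold are assumptions."""

MIN_BACKUP_DAYS = 7     # assumption: policy wants a week of point-in-time recovery
RDS_MAX_RETENTION = 35  # maximum automated backup retention stated in the guide

# Constructed sample: one weakly configured instance and one hardened one.
SAMPLE_INSTANCES = [
    {
        "DBInstanceIdentifier": "legacy-mysql",
        "Engine": "mysql",
        "Endpoint": {"Address": "legacy-mysql.example.invalid", "Port": 3306},
        "PubliclyAccessible": True,
        "StorageEncrypted": False,
        "MultiAZ": False,
        "BackupRetentionPeriod": 0,
        "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0a", "Status": "active"}],
    },
    {
        "DBInstanceIdentifier": "orders-postgres",
        "Engine": "postgres",
        "Endpoint": {"Address": "orders-postgres.example.invalid", "Port": 5432},
        "PubliclyAccessible": False,
        "StorageEncrypted": True,
        "MultiAZ": True,
        "BackupRetentionPeriod": 14,
        "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0b", "Status": "active"}],
    },
]

# Constructed inbound rules per security group, shaped like IpPermissions.
SAMPLE_SG_RULES = {
    "sg-0a": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
               "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
    "sg-0b": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
               "IpRanges": [{"CidrIp": "10.20.0.0/24"}]}],
}


def port_open_to_world(rules, port):
    """True if any inbound rule admits `port` from 0.0.0.0/0 ("-1" means all traffic)."""
    for rule in rules:
        proto = rule.get("IpProtocol")
        covers = proto == "-1" or (
            proto == "tcp" and rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535))
        if covers and any(r.get("CidrIp") == "0.0.0.0/0" for r in rule.get("IpRanges", [])):
            return True
    return False


def audit_db_instance(inst, sg_rules):
    """Return [(finding_code, message), ...] for one DB Instance record."""
    name = inst["DBInstanceIdentifier"]
    port = inst["Endpoint"]["Port"]
    findings = []
    if inst.get("PubliclyAccessible"):
        findings.append(("public-endpoint",
                         f"{name}: publicly accessible; deploy into a private subnet of a DB subnet group"))
    for sg in inst.get("VpcSecurityGroups", []):
        sg_id = sg["VpcSecurityGroupId"]
        if port_open_to_world(sg_rules.get(sg_id, []), port):
            findings.append(("open-ingress",
                             f"{name}: {sg_id} allows port {port} from 0.0.0.0/0; restrict to known source IPs"))
    if not inst.get("StorageEncrypted"):
        findings.append(("unencrypted-storage",
                         f"{name}: not encrypted at rest; logs, backups and snapshots stay unencrypted too"))
    retention = inst.get("BackupRetentionPeriod", 0)
    if retention == 0:
        findings.append(("no-automated-backups", f"{name}: automated backups disabled (retention 0 days)"))
    elif retention < MIN_BACKUP_DAYS:
        findings.append(("short-retention",
                         f"{name}: retention {retention} days is below policy ({MIN_BACKUP_DAYS}, max {RDS_MAX_RETENTION})"))
    if not inst.get("MultiAZ"):
        findings.append(("single-az", f"{name}: not Multi-AZ; no synchronous standby to fail over to"))
    return findings


def audit_all(instances, sg_rules):
    """Map each DB Instance identifier to its findings (empty list = clean)."""
    return {i["DBInstanceIdentifier"]: audit_db_instance(i, sg_rules) for i in instances}


if __name__ == "__main__":
    for ident, findings in audit_all(SAMPLE_INSTANCES, SAMPLE_SG_RULES).items():
        print(ident, "OK" if not findings else "")
        for code, message in findings:
            print(f"  [{code}] {message}")
```

In a real account the two sample structures would be filled from the describe calls named in the docstring; everything else stays the same.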
Amazon Redshift

Amazon Redshift is a fast, powerful, fully managed, petabyte-scale data warehouse service in the cloud. Amazon Redshift is a relational database designed for OLAP scenarios and optimized for high-performance analysis and reporting of very large datasets. Traditional data warehouses are difficult and expensive to manage, especially for large datasets. Amazon Redshift not only significantly lowers the cost of a data warehouse, but it also makes it easy to analyze large amounts of data very quickly.

Amazon Redshift gives you fast querying capabilities over structured data using standard SQL commands to support interactive querying over large datasets. With connectivity via ODBC or JDBC, Amazon Redshift integrates well with various data loading, reporting, data mining, and analytics tools. Amazon Redshift is based on industry-standard PostgreSQL, so most existing SQL client applications will work with only minimal changes.

Amazon Redshift manages the work needed to set up, operate, and scale a data warehouse, from provisioning the infrastructure capacity to automating ongoing administrative tasks such as backups and patching. Amazon Redshift automatically monitors your nodes and drives to help you recover from failures.

Clusters and Nodes

The key component of an Amazon Redshift data warehouse is a cluster. A cluster is composed of a leader node and one or more compute nodes. The client application interacts directly only with the leader node, and the compute nodes are transparent to external applications.

Amazon Redshift currently has support for six different node types, and each has a different mix of CPU, memory, and storage. The six node types are grouped into two categories: Dense Compute and Dense Storage. The Dense Compute node types support clusters up to 326 TB using fast SSDs, while the Dense Storage nodes support clusters up to 2 PB using large magnetic disks. Each cluster consists of one leader node and one or more compute nodes. Figure 7.2 shows the internal components of an Amazon Redshift data warehouse cluster.
FIGURE 7.2 Amazon Redshift cluster architecture

Each cluster contains one or more databases. User data for each table is distributed across the compute nodes. Your application or SQL client communicates with Amazon Redshift using standard JDBC or ODBC connections with the leader node, which in turn coordinates query execution with the compute nodes. Your application does not interact directly with the compute nodes.

The disk storage for a compute node is divided into a number of slices. The number of slices per node depends on the node size of the cluster and typically varies between 2 and 16. The nodes all participate in parallel query execution, working on data that is distributed as evenly as possible across the slices.

You can increase query performance by adding multiple nodes to a cluster. When you submit a query, Amazon Redshift distributes and executes the query in parallel across all of a cluster's compute nodes. Amazon Redshift also spreads your table data across all compute nodes in a cluster based on a distribution strategy that you specify. This partitioning of data across multiple compute resources allows you to achieve high levels of performance.

Amazon Redshift allows you to resize a cluster to add storage and compute capacity over time as your needs evolve. You can also change the node type of a cluster and keep the overall size the same. Whenever you perform a resize operation, Amazon Redshift will create a new cluster and migrate data from the old cluster to the new one. During a resize operation, the database will become read-only until the operation is finished.
Table Design

Each Amazon Redshift cluster can support one or more databases, and each database can contain many tables. Like most SQL-based databases, you can create a table using the CREATE TABLE command. This command specifies the name of the table, the columns, and their data types. In addition to columns and data types, the Amazon Redshift CREATE TABLE command also supports specifying compression encodings, distribution strategy, and sort keys.

Data Types

Amazon Redshift columns support a wide range of data types. This includes common numeric data types like INTEGER, DECIMAL, and DOUBLE, text data types like CHAR and VARCHAR, and date data types like DATE and TIMESTAMP. Additional columns can be added to a table using the ALTER TABLE command; however, existing columns cannot be modified.

Compression Encoding

One of the key performance optimizations used by Amazon Redshift is data compression. When loading data for the first time into an empty table, Amazon Redshift will automatically sample your data and select the best compression scheme for each column. Alternatively, you can specify compression encoding on a per-column basis as part of the CREATE TABLE command.

Distribution Strategy

One of the primary decisions when creating a table in Amazon Redshift is how to distribute the records across the nodes and slices in a cluster. You can configure the distribution style of a table to give Amazon Redshift hints as to how the data should be partitioned to best meet your query patterns. When you run a query, the optimizer shifts the rows to the compute nodes as needed to perform any joins and aggregates. The goal in selecting a table distribution style is to minimize the impact of the redistribution step by putting the data where it needs to be before the query is performed.

The data distribution style that you select for your database has a big impact on query performance, storage requirements, data loading, and maintenance. By choosing the best distribution strategy for each table, you can balance your data distribution and significantly improve overall system performance. When creating a table, you can choose between one of three distribution styles: EVEN, KEY, or ALL.

EVEN distribution

This is the default option and results in the data being distributed across the slices in a uniform fashion regardless of the data.

KEY distribution

With KEY distribution, the rows are distributed according to the values in one column. The leader node will store matching values close together and increase query performance for joins.

ALL distribution

With ALL, a full copy of the entire table is distributed to every node. This is useful for lookup tables and other large tables that are not updated frequently.
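To make the redistribution trade-off concrete, here is an added example (not code from the study guide) that simulates the three styles on a toy cluster and counts how many fact rows a join would have to move under each combination; the slice count, the stand-in hash and the two tables are constructed assumptions, and it also shows the skew a "hot" key value causes under KEY distribution.

```python
"""Added example, not code from the study guide: a toy simulation of how
Amazon Redshift's EVEN, KEY and ALL distribution styles place rows on slices,
and what each choice costs a join at query time.

The cluster layout, the tables and the hash are constructed for illustration
(Redshift's real hash function is not public); only the qualitative behaviour
described in the section is modelled."""

NUM_SLICES = 4  # assumption: two compute nodes with two slices each


def stand_in_hash(value):
    """Stand-in for the engine's distribution hash; the sample keys are small ints."""
    return int(value) % NUM_SLICES


def distribute(rows, style, key=None):
    """Place rows on slices; returns {slice_number: [row, ...]}."""
    placement = {s: [] for s in range(NUM_SLICES)}
    for i, row in enumerate(rows):
        if style == "EVEN":          # round robin, regardless of row content
            placement[i % NUM_SLICES].append(row)
        elif style == "KEY":         # equal key values land on the same slice
            placement[stand_in_hash(row[key])].append(row)
        elif style == "ALL":         # full copy everywhere (simplified to every slice)
            for s in placement:
                placement[s].append(row)
        else:
            raise ValueError(f"unknown distribution style {style!r}")
    return placement


def slice_row_counts(placement):
    """Row count per slice; uneven counts mean the chosen key is skewed."""
    return [len(placement[s]) for s in range(NUM_SLICES)]


def rows_to_redistribute(fact_placement, fact_key, dim_placement, dim_key):
    """Count fact rows whose matching dimension row is NOT on the same slice.

    Those rows (or their dimension partners) must be shipped between slices
    before the join can run: the redistribution step the section describes."""
    moved = 0
    for s in range(NUM_SLICES):
        local_dim_keys = {row[dim_key] for row in dim_placement[s]}
        moved += sum(1 for row in fact_placement[s] if row[fact_key] not in local_dim_keys)
    return moved


# Constructed sample data: a customer dimension and an orders fact table.
CUSTOMERS = [{"id": c, "name": f"customer-{c}"} for c in range(1, 9)]
ORDER_CUSTOMERS = [1, 1, 2, 3, 5, 8, 8, 8, 8, 4, 6, 7]   # customer 8 is "hot"
ORDERS = [{"order_id": i, "cust_id": c} for i, c in enumerate(ORDER_CUSTOMERS)]

STYLE_PAIRS = [("EVEN", "EVEN"), ("EVEN", "KEY"), ("KEY", "KEY"), ("EVEN", "ALL"), ("KEY", "EVEN")]


def compare_join_styles():
    """Redistribution cost of ORDERS JOIN CUSTOMERS ON cust_id = id, per style pair."""
    results = {}
    for fact_style, dim_style in STYLE_PAIRS:
        fact = distribute(ORDERS, fact_style, key="cust_id")
        dim = distribute(CUSTOMERS, dim_style, key="id")
        results[(fact_style, dim_style)] = rows_to_redistribute(fact, "cust_id", dim, "id")
    return results


if __name__ == "__main__":
    for (fact_style, dim_style), moved in compare_join_styles().items():
        print(f"orders={fact_style:<4} customers={dim_style:<4} rows moved for join: {moved}")
    print("EVEN slice counts:        ", slice_row_counts(distribute(ORDERS, "EVEN")))
    print("KEY(cust_id) slice counts:", slice_row_counts(distribute(ORDERS, "KEY", key="cust_id")))
```

Co-locating both tables on the join column (KEY/KEY) or replicating the small dimension (ALL) removes the redistribution entirely, while the KEY slice counts show the storage and work imbalance that a skewed key introduces.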
Sort Keys

Another important decision to make during the creation of a table is whether to specify one or more columns as sort keys. Sorting enables efficient handling of range-restricted predicates. If a query uses a range-restricted predicate, the query processor can rapidly skip over large numbers of blocks during table scans.

The sort keys for a table can be either compound or interleaved. A compound sort key is more efficient when query predicates use a prefix, which is a subset of the sort key columns in order. An interleaved sort key gives equal weight to each column in the sort key, so query predicates can use any subset of the columns that make up the sort key, in any order.

Loading Data

Amazon Redshift supports standard SQL commands like INSERT and UPDATE to create and modify records in a table. For bulk operations, however, Amazon Redshift provides the COPY command as a much more efficient alternative than repeatedly calling INSERT.

A COPY command can load data into a table in the most efficient manner, and it supports multiple types of input data sources. The fastest way to load data into Amazon Redshift is doing bulk data loads from flat files stored in an Amazon Simple Storage Service (Amazon S3) bucket or from an Amazon DynamoDB table.

When loading data from Amazon S3, the COPY command can read from multiple files at the same time. Amazon Redshift can distribute the workload to the nodes and perform the load process in parallel. Instead of having one single large file with your data, you can enable parallel processing by having a cluster with multiple nodes and multiple input files.

After each bulk data load that modifies a significant amount of data, you will need to perform a VACUUM command to reorganize your data and reclaim space after deletes. It is also recommended to run an ANALYZE command to update table statistics.

Data can also be exported out of Amazon Redshift using the UNLOAD command. This command can be used to generate delimited text files and store them in Amazon S3.

Querying Data

Amazon Redshift allows you to write standard SQL commands to query your tables. By supporting commands like SELECT to query and join tables, analysts can quickly become productive using Amazon Redshift or integrate it easily. For complex queries, you can analyze the query plan to better optimize your access pattern. You can monitor the performance of the cluster and specific queries using Amazon CloudWatch and the Amazon Redshift web console.

For large Amazon Redshift clusters supporting many users, you can configure Workload Management (WLM) to queue and prioritize queries. WLM allows you to define multiple queues and set the concurrency level for each queue. For example, you might want to have one queue set up for long-running queries and limit the concurrency, and another queue for short-running queries and allow higher levels of concurrency.
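The block-skipping behind a compound sort key, and why only a prefix of the key benefits, can be seen in a small model of per-block min/max zone maps. This is an added example, not code from the study guide; the block size, the events table and the two predicates are constructed assumptions, and the engine's real block layout is not modelled.

```python
"""Added example, not code from the study guide: a toy model of the block
zone maps behind Amazon Redshift sort keys. It shows why a compound sort key
lets range-restricted predicates on a prefix of the key skip most blocks,
while a predicate on a trailing key column cannot skip anything.

BLOCK_ROWS, the events table and the predicates are constructed for
illustration; the engine's real block size and layout are not modelled."""

BLOCK_ROWS = 4  # assumption: tiny blocks so the skipping is easy to see


def build_blocks(rows, sort_key):
    """Sort rows by the compound sort key, pack them into fixed-size blocks and
    record the min/max of every sort column per block (the zone map)."""
    ordered = sorted(rows, key=lambda r: tuple(r[c] for c in sort_key))
    blocks = []
    for start in range(0, len(ordered), BLOCK_ROWS):
        chunk = ordered[start:start + BLOCK_ROWS]
        zone_map = {c: (min(r[c] for r in chunk), max(r[c] for r in chunk)) for c in sort_key}
        blocks.append({"rows": chunk, "zone_map": zone_map})
    return blocks


def blocks_to_scan(blocks, column, low, high):
    """Indexes of blocks whose zone map for `column` overlaps [low, high].
    Every other block is skipped without being read."""
    return [i for i, b in enumerate(blocks)
            if b["zone_map"][column][1] >= low and b["zone_map"][column][0] <= high]


# Constructed sample: 8 days of events for 4 users (32 rows).
EVENTS = [{"event_date": d, "user_id": u} for d in range(1, 9) for u in range(1, 5)]


def skip_report(sort_key, column, low, high):
    """(blocks scanned, blocks total) for one range predicate under one sort key."""
    blocks = build_blocks(EVENTS, sort_key)
    return len(blocks_to_scan(blocks, column, low, high)), len(blocks)


if __name__ == "__main__":
    for key in (("event_date", "user_id"), ("user_id", "event_date")):
        print(f"compound SORTKEY {key}:")
        print("  WHERE event_date BETWEEN 3 AND 4 ->", skip_report(key, "event_date", 3, 4))
        print("  WHERE user_id = 2                ->", skip_report(key, "user_id", 2, 2))
```

With (event_date, user_id) the date range touches 2 of 8 blocks while the user predicate must read all 8; reversing the key order reverses which predicate benefits, which is the prefix rule the paragraph above describes.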
Snapshots

Similar to Amazon RDS, you can create point-in-time snapshots of your Amazon Redshift cluster. A snapshot can then be used to restore a copy or create a clone of your original Amazon Redshift cluster. Snapshots are durably stored internally in Amazon S3 by Amazon Redshift.

Amazon Redshift supports both automated snapshots and manual snapshots. With automated snapshots, Amazon Redshift will periodically take snapshots of your cluster and keep a copy for a configurable retention period. You can also perform manual snapshots and share them across regions or even with other AWS accounts. Manual snapshots are retained until you explicitly delete them.

Security

Securing your Amazon Redshift cluster is similar to securing other databases running in the cloud. Your security plan should include controls to protect the infrastructure resources, the database schema, the records in the table, and network access. By addressing security at every level, you can securely operate an Amazon Redshift data warehouse in the cloud.

The first layer of security comes at the infrastructure level using IAM policies that limit the actions AWS administrators can perform. With IAM, you can create policies that grant other AWS users the permission to create and manage the lifecycle of a cluster, including scaling, backup, and recovery operations.

At the network level, Amazon Redshift clusters can be deployed within the private IP address space of your Amazon VPC to restrict overall network connectivity. Fine-grained network access can be further restricted using security groups and network ACLs at the subnet level.

In addition to controlling infrastructure access at the infrastructure level, you must protect access at the database level. When you initially create an Amazon Redshift cluster, you will create a master user account and password. The master account can be used to log in to the Amazon Redshift database and to create more users and groups. Each database user can be granted permission to schemas, tables, and other database objects. These permissions are independent from the IAM policies used to control access to the infrastructure resources and the Amazon Redshift cluster configuration.

Protecting the data stored in Amazon Redshift is another important aspect of your security design. Amazon Redshift supports encryption of data in transit using SSL-encrypted connections, and also encryption of data at rest using multiple techniques. To encrypt data at rest, Amazon Redshift integrates with KMS and AWS CloudHSM for encryption key management services. Encryption at rest and in transit assists in meeting compliance requirements, such as for the Health Insurance Portability and Accountability Act (HIPAA) or the Payment Card Industry Data Security Standard (PCI DSS), and provides additional protections for your data.
Amazon DynamoDB
Amazon DynamoDB is a fully managed NoSQL database service that provides fast and low-latency performance that scales with ease. Amazon DynamoDB lets you offload the administrative burdens of operating a distributed NoSQL database and focus on the application. Amazon DynamoDB significantly simplifies the hardware provisioning, setup and configuration, replication, software patching, and cluster scaling of NoSQL databases.
Amazon DynamoDB is designed to simplify database and cluster management, provide consistently high levels of performance, simplify scalability tasks, and improve reliability with automatic replication. Developers can create a table in Amazon DynamoDB and write an unlimited number of items with consistent latency.
Amazon DynamoDB can provide consistent performance levels by automatically distributing the data and traffic for a table over multiple partitions. After you configure a certain read or write capacity, Amazon DynamoDB will automatically add enough infrastructure capacity to support the requested throughput levels. As your demand changes over time, you can adjust the read or write capacity after a table has been created, and Amazon DynamoDB will add or remove infrastructure and adjust the internal partitioning accordingly.
To help maintain consistent, fast performance levels, all table data is stored on high-performance SSD disk drives. Performance metrics, including transaction rates, can be monitored using Amazon CloudWatch. In addition to providing high performance levels, Amazon DynamoDB also provides automatic high-availability and durability protections by replicating data across multiple Availability Zones within an AWS Region.
Data Model
The basic components of the Amazon DynamoDB data model include tables, items, and attributes. As depicted in Figure 7.3, a table is a collection of items and each item is a collection of one or more attributes. Each item also has a primary key that uniquely identifies the item.
FIGURE 7.3 Table, items, attributes relationship
In a relational database, a table has a predefined schema such as the table name, primary key, list of its column names, and their data types. All records stored in the table must have the same set of columns. In contrast, Amazon DynamoDB only requires that a table have a primary key, but it does not require you to define all of the attribute names and data types in advance. Individual items in an Amazon DynamoDB table can have any number of attributes, although there is a limit of 400 KB on the item size.
Each attribute in an item is a name/value pair. An attribute can be a single-valued or multi-valued set. For example, a book item can have title and authors attributes. Each book has one title but can have many authors. The multi-valued attribute is a set; duplicate values are not allowed. Data is stored in Amazon DynamoDB in key/value pairs such as the following:
{
Id = 101
ProductName = "Book 101 Title"
ISBN = "123-1234567890"
Authors = ["Author 1", "Author 2"]
Price = 2.88
Dimensions = "8.5 x 11.0 x 0.5"
PageCount = 500
InPublication = 1
ProductCategory = "Book"
}
Applications can connect to the Amazon DynamoDB service endpoint and submit requests over HTTP/S to read and write items to a table or even to create and delete tables. DynamoDB provides a web service API that accepts requests in JSON format. While you could program directly against the web service API endpoints, most developers choose to use the AWS Software Development Kit (SDK) to interact with their items and tables. The AWS SDK is available in many different languages and provides a simplified, high-level programming interface.
Data Types
Amazon DynamoDB gives you a lot of flexibility with your database schema. Unlike a traditional relational database that requires you to define your column types ahead of time, DynamoDB only requires a primary key attribute. Each item that is added to the table can then add additional attributes. This gives you flexibility over time to expand your schema without having to rebuild the entire table and deal with record version differences with application logic.
When you create a table or a secondary index, you must specify the names and data types of each primary key attribute (partition key and sort key). Amazon DynamoDB supports a wide range of data types for attributes. Data types fall into three major categories: Scalar, Set, or Document.
Scalar Data Types
A scalar type represents exactly one value. Amazon DynamoDB supports the following five scalar types:
String: Text and variable-length characters up to 400 KB. Supports Unicode with UTF-8 encoding.
Number: Positive or negative number with up to 38 digits of precision.
Binary: Binary data, images, compressed objects up to 400 KB in size.
Boolean: Binary flag representing a true or false value.
Null: Represents a blank, empty, or unknown state. String, Number, Binary, and Boolean cannot be empty.
Set Data Types
Sets are useful to represent a unique list of one or more scalar values. Each value in a set needs to be unique and must be the same data type. Sets do not guarantee order. Amazon DynamoDB supports three set types: String Set, Number Set, and Binary Set.
String Set: Unique list of String attributes.
Number Set: Unique list of Number attributes.
Binary Set: Unique list of Binary attributes.
Document Data Types
Document type is useful to represent multiple nested attributes, similar to the structure of a JSON file. Amazon DynamoDB supports two document types: List and Map. Multiple Lists and Maps can be combined and nested to create complex structures.
List: Each List can be used to store an ordered list of attributes of different data types.
Map: Each Map can be used to store an unordered list of key/value pairs. Maps can be used to represent the structure of any JSON object.
Primary Key
When you create a table, you must specify the primary key of the table in addition to the table name. Like a relational database, the primary key uniquely identifies each item in the table. A primary key will point to exactly one item. Amazon DynamoDB supports two types of primary keys, and this configuration cannot be changed after a table has been created:
Partition Key: The primary key is made of one attribute, a partition (or hash) key. Amazon DynamoDB builds an unordered hash index on this primary key attribute.
Partition and Sort Key: The primary key is made of two attributes. The first attribute is the partition key and the second one is the sort (or range) key. Each item in the table is uniquely identified by the combination of its partition and sort key values. It is possible for two items to have the same partition key value, but those two items must have different sort key values.
Furthermore, each primary key attribute must be defined as type string, number, or binary. Amazon DynamoDB uses the partition key to distribute the request to the right partition.
If you are performing many reads or writes per second on the same primary key, you will not be able to fully use the compute capacity of the Amazon DynamoDB cluster. A best practice is to maximize your throughput by distributing requests across the full range of partition keys.
Provisioned Capacity
When you create an Amazon DynamoDB table, you are required to provision a certain amount of read and write capacity to handle your expected workloads. Based on your configuration settings, DynamoDB will then provision the right amount of infrastructure capacity to meet your requirements with sustained, low-latency response times. Overall capacity is measured in read and write capacity units. These values can later be scaled up or down by using an UpdateTable action.
Each operation against an Amazon DynamoDB table will consume some of the provisioned capacity units. The specific amount of capacity units consumed depends largely on the size of the item, but also on other factors. For read operations, the amount of capacity consumed also depends on the read consistency selected in the request. Read more about eventual and strong consistency later in this chapter.
For example, given a table without a local secondary index, you will consume 1 capacity unit if you read an item that is 4 KB or smaller. Similarly, for write operations you will consume 1 capacity unit if you write an item that is 1 KB or smaller. This means that if you read an item that is 110 KB, you will consume 28 capacity units, or 110/4 = 27.5 rounded up to 28. Read operations that are strongly consistent will use twice the number of capacity units, or 56 in this example.
You can use Amazon CloudWatch to monitor your Amazon DynamoDB capacity and make scaling decisions. There is a rich set of metrics, including ConsumedReadCapacityUnits and ConsumedWriteCapacityUnits. If you do exceed your provisioned capacity for a period of time, requests will be throttled and can be retried later. You can monitor and alert on the ThrottledRequests metric using Amazon CloudWatch to notify you of changing usage patterns.
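The capacity arithmetic above (4 KB per read unit, 1 KB per write unit, rounding up, and the doubling for strongly consistent reads) is easy to get wrong when sizing a table, so here it is as a small calculator. This is an added example, not code from the study guide; the batch and steady-workload helpers are an extension of the text's single-item cases, and the 25-item BatchWriteItem limit is the one stated later in this chapter.

```python
from __future__ import annotations

import math

# Unit sizes from the text: one read capacity unit covers an eventually consistent
# read of an item up to 4 KB; one write capacity unit covers a write of an item up
# to 1 KB. A strongly consistent read costs twice as many units.
READ_UNIT_BYTES = 4 * 1024
WRITE_UNIT_BYTES = 1 * 1024
BATCH_WRITE_MAX_ITEMS = 25  # BatchWriteItem accepts at most 25 puts/deletes per call


def read_capacity_units(item_size_bytes: int, strongly_consistent: bool = False) -> int:
    """Read capacity units consumed by reading one item of the given size."""
    if item_size_bytes < 0:
        raise ValueError("item size cannot be negative")
    # Round up to whole 4 KB blocks; even a tiny item costs at least one unit.
    units = max(1, math.ceil(item_size_bytes / READ_UNIT_BYTES))
    return units * 2 if strongly_consistent else units


def write_capacity_units(item_size_bytes: int) -> int:
    """Write capacity units consumed by writing one item of the given size."""
    if item_size_bytes < 0:
        raise ValueError("item size cannot be negative")
    return max(1, math.ceil(item_size_bytes / WRITE_UNIT_BYTES))


def batch_write_cost(item_sizes: list[int]) -> tuple[int, int]:
    """Total write units for a list of item sizes, plus the number of BatchWriteItem
    calls needed to send them (25 items per call). Batching reduces call overhead,
    not the capacity consumed."""
    total_units = sum(write_capacity_units(size) for size in item_sizes)
    calls = math.ceil(len(item_sizes) / BATCH_WRITE_MAX_ITEMS)
    return total_units, calls


def sustained_read_units_needed(requests_per_second: float, item_size_bytes: int,
                                strongly_consistent: bool = False) -> int:
    """Read units per second a steady workload consumes; compare with the table's
    provisioned read capacity to predict ThrottledRequests before it happens."""
    per_request = read_capacity_units(item_size_bytes, strongly_consistent)
    return math.ceil(requests_per_second * per_request)


def will_throttle(provisioned_units: int, consumed_units_per_second: int) -> bool:
    """True when a sustained workload exceeds what the table provisions
    (burst capacity is ignored in this simplified check)."""
    return consumed_units_per_second > provisioned_units


if __name__ == "__main__":
    # The worked case from the text: a 110 KB item read eventually vs strongly consistently.
    print(read_capacity_units(110 * 1024))        # 28
    print(read_capacity_units(110 * 1024, True))  # 56
    print(batch_write_cost([1024] * 30))          # (30, 2)
```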
Secondary Indexes
When you create a table with a partition and sort key (formerly known as a hash and range key), you can optionally define one or more secondary indexes on that table. A secondary index lets you query the data in the table using an alternate key, in addition to queries against the primary key. Amazon DynamoDB supports two different kinds of indexes:
Global Secondary Index: The global secondary index is an index with a partition and sort key that can be different from those on the table. You can create or delete a global secondary index on a table at any time.
Local Secondary Index: The local secondary index is an index that has the same partition key attribute as the primary key of the table, but a different sort key. You can only create a local secondary index when you create a table.
Secondary indexes allow you to search a large table efficiently and avoid an expensive scan operation to find items with specific attributes. These indexes allow you to support different query access patterns and use cases beyond what is possible with only a primary key. While a table can only have one local secondary index, you can have multiple global secondary indexes.
Amazon DynamoDB updates each secondary index when an item is modified. These updates consume write capacity units. For a local secondary index, item updates will consume write capacity units from the main table, while global secondary indexes maintain their own provisioned throughput settings separate from the table.
Writing and Reading Data
After you create a table with a primary key and indexes, you can begin writing and reading items to the table. Amazon DynamoDB provides multiple operations that let you create, update, and delete individual items. Amazon DynamoDB also provides multiple querying options that let you search a table or an index, or retrieve a specific item or a batch of items.
Writing Items
Amazon DynamoDB provides three primary API actions to create, update, and delete items: PutItem, UpdateItem, and DeleteItem. Using the PutItem action, you can create a new item with one or more attributes. Calls to PutItem will update an existing item if the primary key already exists. PutItem only requires a table name and a primary key; any additional attributes are optional.
The UpdateItem action will find existing items based on the primary key and replace the attributes. This operation can be useful to only update a single attribute and leave the other attributes unchanged. UpdateItem can also be used to create items if they don't already exist. Finally, you can remove an item from a table by using DeleteItem and specifying a specific primary key.
The UpdateItem action also provides support for atomic counters. Atomic counters allow you to increment and decrement a value and are guaranteed to be consistent across multiple concurrent requests. For example, a counter attribute used to track the overall score of a mobile game can be updated by many clients at the same time.
These three actions also support conditional expressions that allow you to perform validation before an action is applied. For example, you can apply a conditional expression on PutItem that checks that certain conditions are met before the item is created. This can be useful to prevent accidental overwrites or to enforce some type of business logic checks.
Reading Items
After an item has been created, it can be retrieved through a direct lookup by calling the GetItem action or through a search using the Query or Scan action. GetItem allows you to retrieve an item based on its primary key. All of the item's attributes are returned by default, and you have the option to select individual attributes to filter down the results.
If a primary key is composed of a partition key, the entire partition key needs to be specified to retrieve the item. If the primary key is a composite of a partition key and a sort key, GetItem will require both the partition and sort key as well. Each call to GetItem consumes read capacity units based on the size of the item and the consistency option selected.
By default, a GetItem operation performs an eventually consistent read. You can optionally request a strongly consistent read instead; this will consume additional read capacity units, but it will return the most up-to-date version of the item.
Eventual Consistency
When reading items from Amazon DynamoDB, the operation can be either eventually consistent or strongly consistent. Amazon DynamoDB is a distributed system that stores multiple copies of an item across an AWS Region to provide high availability and increased durability. When an item is updated in Amazon DynamoDB, it starts replicating across multiple servers. Because Amazon DynamoDB is a distributed system, the replication can take some time to complete. Because of this we refer to the data as being eventually consistent, meaning that a read request immediately after a write operation might not show the latest change. In some cases, the application needs to guarantee that the data is the latest, and Amazon DynamoDB offers an option for strongly consistent reads.
Eventually Consistent Reads: When you read data, the response might not reflect the results of a recently completed write operation. The response might include some stale data. Consistency across all copies of the data is usually reached within a second; if you repeat your read request after a short time, the response returns the latest data.
Strongly Consistent Reads: When you issue a strongly consistent read request, Amazon DynamoDB returns a response with the most up-to-date data that reflects updates by all prior related write operations to which Amazon DynamoDB returned a successful response. A strongly consistent read might be less available in the case of a network delay or outage. You can request a strongly consistent read result by specifying optional parameters in your request.
Batch Operations
Amazon DynamoDB also provides several operations designed for working with large batches of items, including BatchGetItem and BatchWriteItem. Using the BatchWriteItem action, you can perform up to 25 item creates or updates with a single operation. This allows you to minimize the overhead of each individual call when processing large numbers of items.
Searching Items
Amazon DynamoDB also gives you two operations, Query and Scan, that can be used to search a table or an index. A Query operation is the primary search operation you can use to find items in a table or a secondary index using only primary key attribute values. Each Query requires a partition key attribute name and a distinct value to search. You can optionally provide a sort key value and use a comparison operator to refine the search results. Results are automatically sorted by the primary key and are limited to 1 MB.
In contrast to a Query, a Scan operation will read every item in a table or a secondary index. By default, a Scan operation returns all of the data attributes for every item in the table or index. Each request can return up to 1 MB of data. Items can be filtered out using expressions, but this can be a resource-intensive operation. If the result set for a Query or a Scan exceeds 1 MB, you can page through the results in 1 MB increments.
For most operations, performing a Query operation instead of a Scan operation will be the most efficient option. A Scan operation reads the entire table or secondary index and only then filters out values to provide the desired result. Use a Query operation when possible and avoid a Scan on a large table or index when you only need a small number of items.
Scaling and Partitioning
Amazon DynamoDB is a fully managed service that abstracts away most of the complexity involved in building and scaling a NoSQL cluster. You can create tables that can scale up to hold a virtually unlimited number of items with consistent low-latency performance. An Amazon DynamoDB table can scale horizontally through the use of partitions to meet the storage and performance requirements of your application. Each individual partition represents a unit of compute and storage capacity. A well-designed application will take the partition structure of a table into account to distribute read and write transactions evenly and achieve high transaction rates at low latencies.
Amazon DynamoDB stores items for a single table across multiple partitions, as represented in Figure 7.4. Amazon DynamoDB decides which partition to store the item in based on the partition key. The partition key is used to distribute the new item among all of the available partitions, and items with the same partition key will be stored on the same partition.
FIGURE 7.4 Table partitioning
As the number of items in a table grows, additional partitions can be added by splitting an existing partition. The provisioned throughput configured for a table is also divided evenly among the partitions. Provisioned throughput allocated to a partition is entirely dedicated to that partition, and there is no sharing of provisioned throughput across partitions.
When a table is created, Amazon DynamoDB configures the table's partitions based on the desired read and write capacity. One single partition can hold about 10 GB of data and supports a maximum of 3,000 read capacity units or 1,000 write capacity units. For partitions that are not fully using their provisioned capacity, Amazon DynamoDB provides some burst capacity to handle spikes in traffic. A portion of your unused capacity will be reserved to handle bursts for short periods.
As storage or capacity requirements change, Amazon DynamoDB can split a partition to accommodate more data or higher provisioned request rates. After a partition is split, however, it cannot be merged back together. Keep this in mind when planning to increase provisioned capacity temporarily and then lower it again. With each additional partition added, each partition's share of the provisioned capacity is reduced.
To achieve the full amount of request throughput provisioned for a table, keep your workload spread evenly across the partition key values. Distributing requests across partition key values distributes the requests across partitions. For example, if a table has 10,000 read capacity units configured but all of the traffic is hitting one partition key, you will not be able to get more than the 3,000 maximum read capacity units that one partition can support.
To maximize Amazon DynamoDB throughput, create tables with a partition key that has a large number of distinct values and ensure that the values are requested fairly uniformly. Adding a random element that can be calculated or hashed is one common technique to improve partition distribution.
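The "calculated suffix" technique from the last paragraph, shown as an added example (not code from the study guide): a hot partition key value is spread over a fixed number of shard keys using a suffix derived from another attribute of the item, and a reader recomputes that suffix, or queries every shard, to find the data again. The hash used to place a key on a partition is a constructed stand-in for DynamoDB's internal one; the 3,000 read unit per-partition ceiling is the figure given in the text, and effective_read_units is a simplified model that ignores how provisioned throughput is divided between partitions.

```python
from __future__ import annotations

import hashlib
from collections import Counter

PER_PARTITION_MAX_READ_UNITS = 3000  # ceiling for a single partition, from the text


def partition_for(partition_key: str, partition_count: int) -> int:
    """Constructed model of partition placement: the real DynamoDB hash is internal,
    but the property the text relies on holds for any hash, namely that equal
    partition key values always land on the same partition."""
    digest = hashlib.sha256(partition_key.encode("utf-8")).digest()
    return int.from_bytes(digest[:8], "big") % partition_count


def sharded_key(base_key: str, discriminator: str, shard_count: int) -> str:
    """Spread one hot key value over shard_count key values by appending a suffix
    calculated from another attribute of the item (the discriminator, e.g. an order
    id), so a reader that knows the discriminator can recompute the exact key."""
    if shard_count < 1:
        raise ValueError("shard_count must be at least 1")
    digest = hashlib.sha256(discriminator.encode("utf-8")).digest()
    return f"{base_key}#{int.from_bytes(digest[:4], 'big') % shard_count}"


def all_shard_keys(base_key: str, shard_count: int) -> list[str]:
    """The key values a reader must Query (one per shard) to collect everything
    stored under base_key when the discriminator is not known."""
    return [f"{base_key}#{i}" for i in range(shard_count)]


def partition_load(partition_keys: list[str], partition_count: int) -> Counter:
    """How many requests each partition receives for a sequence of key values."""
    return Counter(partition_for(k, partition_count) for k in partition_keys)


def hottest_partition_share(partition_keys: list[str], partition_count: int) -> float:
    """Fraction of all requests that land on the single busiest partition."""
    if not partition_keys:
        raise ValueError("no requests to measure")
    return max(partition_load(partition_keys, partition_count).values()) / len(partition_keys)


def effective_read_units(table_read_units: int, hottest_share: float,
                         per_partition_max: int = PER_PARTITION_MAX_READ_UNITS) -> int:
    """Read units per second the workload can actually achieve: the hottest partition
    saturates once it receives per_partition_max units, so a workload whose hottest
    partition takes hottest_share of the traffic is capped at per_partition_max / share."""
    if not 0.0 < hottest_share <= 1.0:
        raise ValueError("hottest_share must be in (0, 1]")
    return min(table_read_units, int(per_partition_max / hottest_share))


if __name__ == "__main__":
    # Constructed workload: 1,000 reads that all name the same user.
    hot = ["user#42"] * 1000
    print(hottest_partition_share(hot, 8), effective_read_units(10_000, 1.0))  # 1.0 3000
    # Same workload with a suffix calculated from each request's order id.
    spread = [sharded_key("user#42", f"order-{i}", 20) for i in range(1000)]
    print(round(hottest_partition_share(spread, 8), 2))
```

The last printed value is well below 1.0, and effective_read_units with that share is no longer pinned to a single partition's 3,000 units.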
Security
Amazon DynamoDB gives you granular control over the access rights and permissions for users and administrators. Amazon DynamoDB integrates with the IAM service to provide strong control over permissions using policies. You can create one or more policies that allow or deny specific operations on specific tables. You can also use conditions to restrict access to individual items or attributes.
All operations must first be authenticated as a valid user or user session. Applications that need to read and write from Amazon DynamoDB need to obtain a set of temporary or permanent access control keys. While these keys could be stored in a configuration file, a best practice is for applications running on AWS to use IAM Amazon EC2 instance profiles to manage credentials. IAM Amazon EC2 instance profiles or roles allow you to avoid storing sensitive keys in configuration files that must then be secured.
For mobile applications, a best practice is to use a combination of web identity federation with the AWS Security Token Service (AWS STS) to issue temporary keys that expire after a short period.
Amazon DynamoDB also provides support for fine-grained access control that can restrict access to specific items within a table or even specific attributes within an item. For example, you may want to limit a user to only access his or her items within a table and prevent access to items associated with a different user. Using conditions in an IAM policy allows you to restrict which actions a user can perform, on which tables, and to which attributes a user can read or write.
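An IAM policy for the "each user sees only their own items" case, built as an added example rather than taken from the study guide. The conditions use the real IAM condition keys dynamodb:LeadingKeys (partition key values named in the request) and dynamodb:Attributes, and the policy variable ${cognito-identity.amazonaws.com:sub} that IAM resolves to the federated caller's identity; the table ARN, attribute names and identity ids are constructed placeholders, and request_allowed is a deliberately simplified simulation of how IAM applies those two conditions, not IAM itself.

```python
from __future__ import annotations

import json

TABLE_ARN = "arn:aws:dynamodb:us-east-1:123456789012:table/GameScores"  # placeholder ARN
IDENTITY_VARIABLE = "${cognito-identity.amazonaws.com:sub}"
VISIBLE_ATTRIBUTES = ["UserId", "GameTitle", "Wins", "Losses"]  # constructed attribute names


def per_user_policy(table_arn: str = TABLE_ARN) -> dict:
    """Allow a federated user to touch only items whose partition key (the leading key)
    equals their own identity id, and only the attributes listed above."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:Query",
                       "dynamodb:PutItem", "dynamodb:UpdateItem"],
            "Resource": table_arn,
            "Condition": {
                # ForAllValues: every key and every attribute named in the request
                # must be in the allowed set, so a batch mixing in another user's key fails.
                "ForAllValues:StringEquals": {
                    "dynamodb:LeadingKeys": [IDENTITY_VARIABLE],
                    "dynamodb:Attributes": VISIBLE_ATTRIBUTES,
                },
                # Without this, a read that names no attributes would return all of them.
                "StringEqualsIfExists": {"dynamodb:Select": "SPECIFIC_ATTRIBUTES"},
            },
        }],
    }


def request_allowed(policy: dict, caller_sub: str, action: str, resource: str,
                    leading_keys: list[str], attributes: list[str] | None) -> bool:
    """Simplified, constructed stand-in for IAM evaluation of the policy above: substitute
    the caller's identity for the policy variable, then require every leading key and
    every requested attribute to match. A request naming no attributes is treated as
    asking for all of them and is refused, mirroring the dynamodb:Select condition."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or action not in stmt["Action"]:
            continue
        if resource != stmt["Resource"]:
            continue
        cond = stmt["Condition"]["ForAllValues:StringEquals"]
        allowed_keys = {k.replace(IDENTITY_VARIABLE, caller_sub) for k in cond["dynamodb:LeadingKeys"]}
        allowed_attrs = set(cond["dynamodb:Attributes"])
        if not all(key in allowed_keys for key in leading_keys):
            continue
        if attributes is None or not all(attr in allowed_attrs for attr in attributes):
            continue
        return True
    return False


if __name__ == "__main__":
    policy = per_user_policy()
    print(json.dumps(policy, indent=2))
    alice = "us-east-1:alice-identity-id"  # constructed identity id
    print(request_allowed(policy, alice, "dynamodb:GetItem", TABLE_ARN, [alice], ["Wins"]))        # True
    print(request_allowed(policy, alice, "dynamodb:GetItem", TABLE_ARN, ["us-east-1:bob"], ["Wins"]))  # False
```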
Amazon DynamoDB Streams
A common requirement for many applications is to keep track of recent changes and then perform some kind of processing on the changed records. Amazon DynamoDB Streams makes it easy to get a list of item modifications for the last 24-hour period. For example, you might need to calculate metrics on a rolling basis and update a dashboard, or maybe synchronize two tables or log activity and changes to an audit trail. With Amazon DynamoDB Streams, these types of applications become easier to build.
Amazon DynamoDB Streams allows you to extend application functionality without modifying the original application. By reading the log of activity changes from the stream, you can build new integrations or support new reporting requirements that weren't part of the original design.
Each item change is buffered in a time-ordered sequence or stream that can be read by other applications. Changes are logged to the stream in near real-time and allow you to respond quickly or chain together a sequence of events based on a modification.
Streams can be enabled or disabled for an Amazon DynamoDB table using the AWS Management Console, Command Line Interface (CLI), or SDK. A stream consists of stream records. Each stream record represents a single data modification in the Amazon DynamoDB table to which the stream belongs. Each stream record is assigned a sequence number, reflecting the order in which the record was published to the stream.
Stream records are organized into groups, also referred to as shards. Each shard acts as a container for multiple stream records and contains information on accessing and iterating through the records. Shards live for a maximum of 24 hours and, with fluctuating load levels, could be split one or more times before they are eventually closed.
To build an application that reads from a shard, it is recommended to use the Amazon DynamoDB Streams Kinesis Adapter. The Kinesis Client Library (KCL) simplifies the application logic required to process reading records from streams and shards.
Summary
In this chapter, you learned the basic concepts of relational databases, data warehouses, and NoSQL databases. You also learned about the benefits and features of AWS managed database services Amazon RDS, Amazon Redshift, and Amazon DynamoDB.
Amazon RDS manages the heavy lifting involved in administering a database infrastructure and software and lets you focus on building the relational schemas that best fit your use case and the performance tuning to optimize your queries.
Amazon RDS supports popular open-source and commercial database engines and provides a consistent operational model for common administrative tasks. Increase your availability by running a master-slave configuration across Availability Zones using Multi-AZ deployment. Scale your application and increase your database read performance using read replicas.
Amazon Redshift allows you to deploy a data warehouse cluster that is optimized for analytics and reporting workloads within minutes. Amazon Redshift distributes your records using columnar storage and parallelizes your query execution across multiple compute nodes to deliver fast query performance. Amazon Redshift clusters can be scaled up or down to support large, petabyte-scale databases using SSD or magnetic disk storage.
Connect to Amazon Redshift clusters using standard SQL clients with JDBC/ODBC drivers and execute SQL queries using many of the same analytics and ETL tools that you use today. Load data into your Amazon Redshift clusters using the COPY command to bulk import flat files stored in Amazon S3, then run standard SELECT commands to search and query the table.
Back up both your Amazon RDS databases and Amazon Redshift clusters using automated and manual snapshots to allow for point-in-time recovery. Secure your Amazon RDS and Amazon Redshift databases using a combination of IAM, database-level access control, network-level access control, and data encryption techniques.
Amazon DynamoDB simplifies the administration and operations of a NoSQL database in the cloud. Amazon DynamoDB allows you to create tables quickly that can scale to an unlimited number of items and configure very high levels of provisioned read and write capacity.
Amazon DynamoDB tables provide a flexible data storage mechanism that only requires a primary key and allows for one or more attributes. Amazon DynamoDB supports both simple scalar data types like String and Number, and also more complex structures using List and Map. Secure your Amazon DynamoDB tables using IAM and restrict access to items and attributes using fine-grained access control.
Amazon DynamoDB will handle the difficult task of cluster and partition management and provide you with a highly available database table that replicates data across Availability Zones for increased durability. Track and process recent changes by tapping into Amazon DynamoDB Streams.
Exam Essentials
Know what a relational database is. A relational database consists of one or more tables. Communication to and from relational databases usually involves simple SQL queries, such as "Add a new record," or "What is the cost of product x?" These simple queries are often referred to as OLTP.
Understand which databases are supported by Amazon RDS. Amazon RDS currently supports six relational database engines:
Microsoft SQL Server
MySQL Server
Oracle
PostgreSQL
MariaDB
Amazon Aurora
Understand the operational benefits of using Amazon RDS. Amazon RDS is a managed service provided by AWS. AWS is responsible for patching, antivirus, and management of the underlying guest OS for Amazon RDS. Amazon RDS greatly simplifies the process of setting up a secondary slave with replication for failover and setting up read replicas to offload queries.
Remember that you cannot access the underlying OS for Amazon RDS DB instances. You cannot use Remote Desktop Protocol (RDP) or SSH to connect to the underlying OS. If you need to access the OS, install custom software or agents, or want to use a database engine not supported by Amazon RDS, consider running your database on Amazon EC2 instead.
Know that you can increase availability using Amazon RDS Multi-AZ deployment. Add fault tolerance to your Amazon RDS database using Multi-AZ deployment. You can quickly set up a secondary DB Instance in another Availability Zone with Multi-AZ for rapid failover.
Understand the importance of RPO and RTO. Each application should set RPO and RTO targets to define the amount of acceptable data loss and also the amount of time required to recover from an incident. Amazon RDS can be used to meet a wide range of RPO and RTO requirements.
Understand that Amazon RDS handles Multi-AZ failover for you. If your primary Amazon RDS Instance becomes unavailable, AWS fails over to your secondary instance in another Availability Zone automatically. This failover is done by pointing your existing database endpoint to a new IP address. You do not have to change the connection string manually; AWS handles the DNS change automatically.
Remember that Amazon RDS read replicas are used for scaling out and increased performance. This replication feature makes it easy to scale out your read-intensive databases. Read replicas are currently supported in Amazon RDS for MySQL, PostgreSQL, and Amazon Aurora. You can create one or more replicas of a database within a single AWS Region or across multiple AWS Regions. Amazon RDS uses native replication to propagate changes made to a source DB Instance to any associated read replicas. Amazon RDS also supports cross-region read replicas to replicate changes asynchronously to another geography or AWS Region.
Know what a NoSQL database is. NoSQL databases are non-relational databases, meaning that you do not have to have an existing table created in which to store your data. NoSQL databases come in the following formats:
Document databases
Graph stores
Key/value stores
Wide-column stores
Remember that Amazon DynamoDB is AWS's NoSQL service. You should remember that for NoSQL databases, AWS provides a fully managed service called Amazon DynamoDB. Amazon DynamoDB is an extremely fast NoSQL database with predictable performance and high scalability. You can use Amazon DynamoDB to create a table that can store and retrieve any amount of data and serve any level of request traffic. Amazon DynamoDB automatically spreads the data and traffic for the table over a sufficient number of partitions to handle the request capacity specified by the customer and the amount of data stored, while maintaining consistent and fast performance.
Know what a data warehouse is. A data warehouse is a central repository for data that can come from one or more sources. This data repository would be used for query and analysis using OLAP. An organization's management typically uses a data warehouse to compile reports on specific data. Data warehouses are usually queried with highly complex queries.
Remember that Amazon Redshift is AWS's data warehouse service. You should remember that Amazon Redshift is Amazon's data warehouse service. Amazon Redshift organizes the data by column instead of storing data as a series of rows. Because only the columns involved in the queries are processed and columnar data is stored sequentially on the storage media, column-based systems require far fewer I/Os, which greatly improves query performance. Another advantage of columnar data storage is the increased compression, which can further reduce overall I/O.
Exercises
In order to pass the exam, you should practice deploying databases and creating tables using Amazon RDS, Amazon DynamoDB, and Amazon Redshift. Remember to delete any resources you provision to minimize any charges.
EXERCISE 7.1
Create a MySQL Amazon RDS Instance
1. Log in to the AWS Management Console, and navigate to the Amazon RDS Console.
2. Launch a new Amazon RDS DB Instance, and select MySQL Community Edition instance as the database engine.
3. Configure the DB Instance to use Multi-AZ and General Purpose (SSD) storage.
Warning: This is not eligible for AWS Free Tier; you will incur a small charge by provisioning this instance.
4. Set the DB Instance identifier and database name to MySQL123, and configure the master username and password.
5. Validate the configuration settings, and launch the DB Instance.
6. Return to the list of the Amazon RDS instances. You will see the status of your Amazon RDS database as Creating. It may take up to 20 minutes to create your new Amazon RDS instance.
You have provisioned your first Amazon RDS instance using Multi-AZ.
EXERCISE 7.2
Simulate a Failover from One AZ to Another
In this exercise, you will use Multi-AZ failover to simulate a failover from one Availability Zone to another.
1. In the Amazon RDS Console, view the list of DB Instances.
2. Find your DB Instance called MySQL123, and check its status. When its status is Available, proceed to the next step.
3. Select the instance, and issue a Reboot command from the actions menu.
4. Confirm the reboot.
You have now simulated a failover from one Availability Zone to another using Multi-AZ failover. The failover should take approximately two or three minutes.
EXERCISE 7.3
Create a Read Replica
In this exercise, you will create a read replica of your existing MySQL123 DB server.
1. In the Amazon RDS Console, view the list of DB Instances.
2. Find your DB Instance called MySQL123, and check its status. When its status is Available, proceed to the next step.
3. Select the instance, and issue a Create Read Replica command from the list of actions.
4. Configure the name of the read replica and any other settings. Create the replica.
5. Wait for the replica to be created, which can typically take several minutes. When it is complete, delete both the MySQL123 and MySQLReadReplica databases by clicking the checkboxes next to them, clicking the Instance Actions drop-down box, and then clicking Delete.
In the preceding exercises, you created a new Amazon RDS MySQL instance with Multi-AZ enabled. You then simulated a failover from one Availability Zone to another by rebooting the primary instance. After that, you scaled your Amazon RDS instance out by creating a read replica of the primary database. Delete the DB Instance.
EXERCISE 7.4
Read and Write from a DynamoDB Table
In this exercise, you will create an Amazon DynamoDB table and then read and write to it using the AWS Management Console.
1. Log in to the AWS Management Console, and view the Amazon DynamoDB console.
2. Create a new table named UserProfile with a partition key of userID of type String.
3. After the table has been created, view the list of items in the table.
4. Using the Amazon DynamoDB console, create and save a new item in the table. Set the userID to U01, and append another String attribute called name with a value of Joe.
5. Perform a scan on the table to retrieve the new item.
You have now created a simple Amazon DynamoDB table, put a new item, and retrieved it using Scan. Delete the DynamoDB table.
EXERCISE 7.5
Launch a Redshift Cluster
In this exercise, you will create a data warehouse using Amazon Redshift and then read and write to it using the AWS Management Console.
1. Log in to the AWS Management Console, and view the Amazon Redshift Console.
2. Create a new cluster, configuring the database name, username, and password.
3. Configure the cluster to be single node using one SSD-backed storage node.
4. Launch the cluster into an Amazon VPC using the appropriate security group.
5. Install and configure SQL Workbench on your local computer, and connect to the new cluster.
6. Create a new table and load data using the COPY command.
You have now created an Amazon Redshift cluster and connected to it using a standard SQL client. Delete the cluster when you have completed the exercise.
Review Questions
1. Which AWS database service is best suited for traditional Online Transaction Processing (OLTP)?
A. Amazon Redshift
B. Amazon Relational Database Service (Amazon RDS)
C. Amazon Glacier
D. Elastic Database
2. Which AWS database service is best suited for non-relational databases?
A. Amazon Redshift
B. Amazon Relational Database Service (Amazon RDS)
C. Amazon Glacier
D. Amazon DynamoDB
3. You are a solutions architect working for a media company that hosts its website on AWS. Currently, there is a single Amazon Elastic Compute Cloud (Amazon EC2) Instance on AWS with MySQL installed locally to that Amazon EC2 Instance. You have been asked to make the company’s production environment more resilient and to increase performance. You suggest that the company split out the MySQL database onto an Amazon RDS Instance with Multi-AZ enabled. This addresses the company’s increased resiliency requirements. Now you need to suggest how you can increase performance. Ninety-nine percent of the company’s end users are magazine subscribers who will be reading additional articles on the website, so only one percent of end users will need to write data to the site. What should you suggest to increase performance?
A. Alter the connection string so that if a user is going to write data, it is written to the secondary copy of the Multi-AZ database.
B. Alter the connection string so that if a user is going to write data, it is written to the primary copy of the Multi-AZ database.
C. Recommend that the company use read replicas, and distribute the traffic across multiple read replicas.
D. Migrate the MySQL database to Amazon Redshift to take advantage of columnar storage and maximize performance.
4. Which AWS Cloud service is best suited for Online Analytics Processing (OLAP)?
A. Amazon Redshift
B. Amazon Relational Database Service (Amazon RDS)
C. Amazon Glacier
D. Amazon DynamoDB
5. You have been using Amazon Relational Database Service (Amazon RDS) for the last year to run an important application with automated backups enabled. One of your team members is performing routine maintenance and accidentally drops an important table, causing an outage. How can you recover the missing data while minimizing the duration of the outage?
A. Perform an undo operation and recover the table.
B. Restore the database from a recent automated DB snapshot.
C. Restore only the dropped table from the DB snapshot.
D. The data cannot be recovered.
6. Which Amazon Relational Database Service (Amazon RDS) database engines support Multi-AZ?
A. All of them
B. Microsoft SQL Server, MySQL, and Oracle
C. Oracle, Amazon Aurora, and PostgreSQL
D. MySQL
7. Which Amazon Relational Database Service (Amazon RDS) database engines support read replicas?
A. Microsoft SQL Server and Oracle
B. MySQL, MariaDB, PostgreSQL, and Aurora
C. Aurora, Microsoft SQL Server, and Oracle
D. MySQL and PostgreSQL
8. Your team is building an order processing system that will span multiple Availability Zones. During testing, the team wanted to test how the application will react to a database failover. How can you enable this type of test?
A. Force a Multi-AZ failover from one Availability Zone to another by rebooting the primary instance using the Amazon RDS console.
B. Terminate the DB instance, and create a new one. Update the connection string.
C. Create a support case asking for a failover.
D. It is not possible to test a failover.
9. You are a system administrator whose company has moved its production database to AWS. Your company monitors its estate using Amazon CloudWatch, which sends alarms using Amazon Simple Notification Service (Amazon SNS) to your mobile phone. One night, you get an alert that your primary Amazon Relational Database Service (Amazon RDS) Instance has gone down. You have Multi-AZ enabled on this instance. What should you do to ensure the failover happens quickly?
A. Update your Domain Name System (DNS) to point to the secondary instance’s new IP address, forcing your application to fail over to the secondary instance.
B. Connect to your server using Secure Shell (SSH) and update your connection strings so that your application can communicate to the secondary instance instead of the failed primary instance.
C. Take a snapshot of the secondary instance and create a new instance using this snapshot, then update your connection string to point to the new instance.
D. No action is necessary. Your connection string points to the database endpoint, and AWS automatically updates this endpoint to point to your secondary instance.
10. You are working for a small organization without a dedicated database administrator on staff. You need to install Microsoft SQL Server Enterprise edition quickly to support an accounting back office application on Amazon Relational Database Service (Amazon RDS). What should you do?
A. Launch an Amazon RDS DB Instance, and select Microsoft SQL Server Enterprise Edition under the Bring Your Own License (BYOL) model.
B. Provision SQL Server Enterprise Edition using the License Included option from the Amazon RDS Console.
C. SQL Server Enterprise edition is only available via the Command Line Interface (CLI). Install the command-line tools on your laptop, and then provision your new Amazon RDS Instance using the CLI.
D. You cannot use SQL Server Enterprise edition on Amazon RDS. You should install this onto a dedicated Amazon Elastic Compute Cloud (Amazon EC2) Instance.
11. You are building the database tier for an enterprise application that gets occasional activity throughout the day. Which storage type should you select as your default option?
A. Magnetic storage
B. General Purpose Solid State Drive (SSD)
C. Provisioned IOPS (SSD)
D. Storage Area Network (SAN)-attached
12. You are designing an e-commerce web application that will scale to potentially hundreds of thousands of concurrent users. Which database technology is best suited to hold the session state for large numbers of concurrent users?
A. Relational database using Amazon Relational Database Service (Amazon RDS)
B. NoSQL database table using Amazon DynamoDB
C. Data warehouse using Amazon Redshift
D. Amazon Simple Storage Service (Amazon S3)
13. Which of the following techniques can you use to help you meet Recovery Point Objective (RPO) and Recovery Time Objective (RTO) requirements? (Choose 3 answers)
A. DB snapshots
B. DB option groups
C. Read replica
D. Multi-AZ deployment
14. When using Amazon Relational Database Service (Amazon RDS) Multi-AZ, how can you offload read requests from the primary? (Choose 2 answers)
A. Configure the connection string of the clients to connect to the secondary node and perform reads while the primary is used for writes.
B. Amazon RDS automatically sends writes to the primary and sends reads to the secondary.
C. Add a read replica DB instance, and configure the client’s application logic to use a read-replica.
D. Create a caching environment using ElastiCache to cache frequently used data. Update the application logic to read/write from the cache.
15. You are building a large order processing system and are responsible for securing the database. Which actions will you take to protect the data? (Choose 3 answers)
A. Adjust AWS Identity and Access Management (IAM) permissions for administrators.
B. Configure security groups and network Access Control Lists (ACLs) to limit network access.
C. Configure database users, and grant permissions to database objects.
D. Install anti-virus software on the Amazon RDS DB Instance.
16. Your team manages a popular website running Amazon Relational Database Service (Amazon RDS) MySQL backend. The Marketing department has just informed you about an upcoming television commercial that will drive thousands of new visitors to the website. How can you prepare your database to handle the load? (Choose 3 answers)
A. Vertically scale the DB Instance by selecting a more powerful instance class.
B. Create read replicas to offload read requests and update your application.
C. Upgrade the storage from Magnetic volumes to General Purpose Solid State Drive (SSD) volumes.
D. Upgrade to Amazon Redshift for faster columnar storage.
17. You are building a photo management application that maintains metadata on millions of images in an Amazon DynamoDB table. When a photo is retrieved, you want to display the metadata next to the image. Which Amazon DynamoDB operation will you use to retrieve the metadata attributes from the table?
A. Scan operation
B. Search operation
C. Query operation
D. Find operation
18. You are creating an Amazon DynamoDB table that will contain messages for a social chat application. This table will have the following attributes: Username (String), Timestamp (Number), Message (String). Which attribute should you use as the partition key? The sort key?
A. Username, Timestamp
B. Username, Message
C. Timestamp, Message
D. Message, Timestamp
19. Which of the following statements about Amazon DynamoDB tables are true? (Choose 2 answers)
A. Global secondary indexes can only be created when the table is being created.
B. Local secondary indexes can only be created when the table is being created.
C. You can only have one global secondary index.
D. You can only have one local secondary index.
20. Which of the following workloads are a good fit for running on Amazon Redshift? (Choose 2 answers)
A. Transactional database supporting a busy e-commerce order processing website
B. Reporting database supporting back-office analytics
C. Data warehouse used to aggregate multiple disparate data sources
D. Manage session state and user profile data for thousands of concurrent users
Chapter 8
SQS, SWF, and SNS
THE AWS CERTIFIED SOLUTIONS ARCHITECT ASSOCIATE EXAM OBJECTIVES COVERED IN THIS CHAPTER MAY INCLUDE, BUT ARE NOT LIMITED TO, THE FOLLOWING:
Domain 1.0: Designing highly available, cost-efficient, fault-tolerant, scalable systems
1.1 Identify and recognize cloud architecture considerations, such as fundamental components and effective designs.
Content may include the following:
How to design cloud services
Planning and design
Monitoring and logging
Familiarity with:
Best practices for AWS architecture
Architectural trade-off decisions (e.g., high availability vs. cost, Amazon Relational Database Service [Amazon RDS] vs. installing your own database on Amazon Elastic Compute Cloud [Amazon EC2])
Elasticity and scalability (e.g., Auto Scaling, Amazon Simple Queue Service [Amazon SQS], Elastic Load Balancing, Amazon CloudFront)
Domain 2.0: Implementation/Deployment
2.1 Identify the appropriate techniques and methods using Amazon EC2, Amazon Simple Storage Service (Amazon S3), AWS Elastic Beanstalk, AWS CloudFormation, AWS OpsWorks, Amazon VPC, and AWS Identity and Access Management (IAM) to code and implement a cloud solution.
Domain 4.0: Troubleshooting
Content may include the following:
General troubleshooting information and questions
There are a number of services under the Application and Mobile Services section of the AWS Management Console. At the time of writing this chapter, application services include Amazon Simple Queue Service (Amazon SQS), Amazon Simple Workflow Service (Amazon SWF), Amazon AppStream, Amazon Elastic Transcoder, Amazon Simple Email Service (Amazon SES), Amazon CloudSearch, and Amazon API Gateway. Mobile services include Amazon Cognito, Amazon Simple Notification Service (Amazon SNS), AWS Device Farm, and Amazon Mobile Analytics. This chapter focuses on the core services you are required to be familiar with to pass the exam: Amazon SQS, Amazon SWF, and Amazon SNS.
Amazon Simple Queue Service (Amazon SQS)
Amazon SQS is a fast, reliable, scalable, and fully managed message queuing service. Amazon SQS makes it simple and cost effective to decouple the components of a cloud application. You can use Amazon SQS to transmit any volume of data, at any level of throughput, without losing messages or requiring other services to be continuously available.
With Amazon SQS, you can offload the administrative burden of operating and scaling a highly available messaging cluster while paying a low price for only what you use. Using Amazon SQS, you can store application messages on reliable and scalable infrastructure, enabling you to move data between distributed components to perform different tasks as needed.
An Amazon SQS queue is basically a buffer between the application components that receive data and those components that process the data in your system. If your processing servers cannot process the work fast enough (perhaps due to a spike in traffic), the work is queued so that the processing servers can get to it when they are ready. This means that work is not lost due to insufficient resources.
Amazon SQS ensures delivery of each message at least once and supports multiple readers and writers interacting with the same queue. A single queue can be used simultaneously by many distributed application components, with no need for those components to coordinate with one another to share the queue. Although most of the time each message will be delivered to your application exactly once, you should design your system to be idempotent (that is, it must not be adversely affected if it processes the same message more than once).
Amazon SQS is engineered to be highly available and to deliver messages reliably and efficiently; however, the service does not guarantee First In, First Out (FIFO) delivery of messages. For many distributed applications, each message can stand on its own and, if all messages are delivered, the order is not important. If your system requires that order be preserved, you can place sequencing information in each message so that you can reorder the messages when they are retrieved from the queue.
Message Lifecycle
The diagram and process shown in Figure 8.1 describes the lifecycle of an Amazon SQS message, called Message A, from creation to deletion. Assume that a queue already exists.
FIGURE 8.1 Message lifecycle
1. Component 1 sends Message A to a queue, and the message is redundantly distributed across the Amazon SQS servers.
2. When Component 2 is ready to process a message, it retrieves messages from the queue, and Message A is returned. While Message A is being processed, it remains in the queue and is not returned to subsequent receive requests for the duration of the visibility timeout.
3. Component 2 deletes Message A from the queue to prevent the message from being received and processed again after the visibility timeout expires.
Delay Queues and Visibility Timeouts
Delay queues allow you to postpone the delivery of new messages in a queue for a specific number of seconds. If you create a delay queue, any message that you send to that queue will be invisible to consumers for the duration of the delay period. To create a delay queue, use CreateQueue and set the DelaySeconds attribute to any value between 0 and 900 (15 minutes). You can also turn an existing queue into a delay queue by using SetQueueAttributes to set the queue’s DelaySeconds attribute. The default value for DelaySeconds is 0.
Delay queues are similar to visibility timeouts in that both features make messages unavailable to consumers for a specific period of time. The difference is that a delay queue hides a message when it is first added to the queue, whereas a visibility timeout hides a message only after that message is retrieved from the queue. Figure 8.2 illustrates the functioning of a visibility timeout.
FIGURE 8.2 Diagram of visibility timeout
When a message is in the queue but is neither delayed nor in a visibility timeout, it is considered to be “in flight.” You can have up to 120,000 messages in flight at any given time. Amazon SQS supports up to 12 hours’ maximum visibility timeout.
Separate Throughput from Latency
Like many other AWS Cloud services, Amazon SQS is accessed through HTTP request-response, and a typical Amazon SQS request-response takes a bit less than 20ms from Amazon Elastic Compute Cloud (Amazon EC2). This means that from a single thread, you can, on average, issue 50+ Application Programming Interface (API) requests per second (a bit fewer for batch API requests, but those do more work). The throughput scales horizontally, so the more threads and hosts you add, the higher the throughput. Using this scaling model, some AWS customers have queues that process thousands of messages every second.
Queue Operations, Unique IDs, and Metadata
The defined operations for Amazon SQS queues are CreateQueue, ListQueues, DeleteQueue, SendMessage, SendMessageBatch, ReceiveMessage, DeleteMessage, DeleteMessageBatch, PurgeQueue, ChangeMessageVisibility, ChangeMessageVisibilityBatch, SetQueueAttributes, GetQueueAttributes, GetQueueUrl, ListDeadLetterSourceQueues, AddPermission, and RemovePermission. Only the AWS account owner or an AWS identity that has been granted the proper permissions can perform operations.
Your messages are identified via a globally unique ID that Amazon SQS returns when the message is delivered to the queue. The ID isn’t required in order to perform any further actions on the message, but it’s useful for tracking whether a particular message in the queue has been received. When you receive a message from the queue, the response includes a receipt handle, which you must provide when deleting the message.
Queue and Message Identifiers
Amazon SQS uses three identifiers that you need to be familiar with: queue URLs, message IDs, and receipt handles.
When creating a new queue, you must provide a queue name that is unique within the scope of all of your queues. Amazon SQS assigns each queue an identifier called a queue URL, which includes the queue name and other components that Amazon SQS determines. Whenever you want to perform an action on a queue, you must provide its queue URL.
Amazon SQS assigns each message a unique ID that it returns to you in the SendMessage response. This identifier is useful for identifying messages, but note that to delete a message, you need the message’s receipt handle instead of the message ID. The maximum length of a message ID is 100 characters.
Each time you receive a message from a queue, you receive a receipt handle for that message. The handle is associated with the act of receiving the message, not with the message itself. As stated previously, to delete the message or to change the message visibility, you must provide the receipt handle and not the message ID. This means you must always receive a message before you can delete it (that is, you can’t put a message into the queue and then recall it). The maximum length of a receipt handle is 1,024 characters.
Message Attributes
Amazon SQS provides support for message attributes. Message attributes allow you to provide structured metadata items (such as timestamps, geospatial data, signatures, and identifiers) about the message. Message attributes are optional and separate from, but sent along with, the message body. The receiver of the message can use this information to help decide how to handle the message without having to process the message body first. Each message can have up to 10 attributes. To specify message attributes, you can use the AWS Management Console, AWS Software Development Kits (SDKs), or a query API.
Long Polling
When your application queries the Amazon SQS queue for messages, it calls the function ReceiveMessage. ReceiveMessage will check for the existence of a message in the queue and return immediately, either with or without a message. If your code makes periodic calls to the queue, this pattern is sufficient. If your SQS client is just a loop that repeatedly checks for new messages, however, then this pattern becomes problematic, as the constant calls to ReceiveMessage burn CPU cycles and tie up a thread.
In this situation, you will want to use long polling. With long polling, you send a WaitTimeSeconds argument to ReceiveMessage of up to 20 seconds. If there is no message in the queue, then the call will wait up to WaitTimeSeconds for a message to appear before returning. If a message appears before the time expires, the call will return the message right away. Long polling drastically reduces the amount of load on your client.
Dead Letter Queues
Amazon SQS provides support for dead letter queues. A dead letter queue is a queue that other (source) queues can target to send messages that for some reason could not be successfully processed. A primary benefit of using a dead letter queue is the ability to sideline and isolate the unsuccessfully processed messages. You can then analyze any messages sent to the dead letter queue to try to determine the cause of failure.
Messages can be sent to and received from a dead letter queue, just like any other Amazon SQS queue. You can create a dead letter queue from the Amazon SQS API and the Amazon SQS console.
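The message lifecycle, delay and visibility timeout, receipt handle, at-least-once and dead letter queue behaviour described in the preceding sections, walked through in one in-memory model. This is an added example, not AWS code; the class names, the integer clock passed as `now` and the redrive after maxReceiveCount receives are this model's own assumptions.

```python
"""In-memory model of the Amazon SQS behaviour described above (added example,
not AWS code): DelaySeconds, the visibility timeout, per-receive receipt handles,
at-least-once delivery and a redrive to a dead letter queue after maxReceiveCount."""
import uuid


class Message:
    def __init__(self, body, visible_at):
        self.message_id = uuid.uuid4().hex  # unique ID returned by SendMessage
        self.body = body
        self.visible_at = visible_at        # clock value from which consumers can see it
        self.receive_count = 0
        self.handle = None                  # most recent receipt handle


class Queue:
    """One standard queue, optionally redriving failed messages to a dead letter queue."""
    def __init__(self, delay_seconds=0, visibility_timeout=30, dead_letter_queue=None, max_receive_count=None):
        if not 0 <= delay_seconds <= 900:             # DelaySeconds: 0..900 (15 minutes)
            raise ValueError("DelaySeconds must be between 0 and 900")
        if not 0 <= visibility_timeout <= 12 * 3600:  # visibility timeout: at most 12 hours
            raise ValueError("VisibilityTimeout must be at most 12 hours")
        self.delay_seconds = delay_seconds
        self.visibility_timeout = visibility_timeout
        self.dlq = dead_letter_queue
        self.max_receive_count = max_receive_count
        self.messages = {}   # message ID -> Message
        self.receipts = {}   # receipt handle -> message ID

    def send_message(self, body, now):
        """SendMessage: store the message; on a delay queue it stays hidden for DelaySeconds."""
        msg = Message(body, visible_at=now + self.delay_seconds)
        self.messages[msg.message_id] = msg
        return msg.message_id

    def receive_message(self, now):
        """ReceiveMessage: (receipt_handle, body) for one visible message, else None.
        The message stays in the queue but is hidden for the visibility timeout; each
        receive mints a new handle (the handle belongs to the act of receiving)."""
        for msg in list(self.messages.values()):
            if msg.visible_at > now:
                continue                     # delayed or in flight: not returned
            msg.receive_count += 1
            if self.max_receive_count and msg.receive_count > self.max_receive_count:
                self._redrive(msg, now)      # repeatedly left unprocessed: sideline it
                continue
            msg.visible_at = now + self.visibility_timeout
            self.receipts.pop(msg.handle, None)
            msg.handle = uuid.uuid4().hex
            self.receipts[msg.handle] = msg.message_id
            return msg.handle, msg.body
        return None

    def delete_message(self, receipt_handle):
        """DeleteMessage takes the receipt handle, never the message ID."""
        message_id = self.receipts.pop(receipt_handle, None)
        if message_id is None:
            raise KeyError("unknown or stale receipt handle")
        del self.messages[message_id]

    def _redrive(self, msg, now):
        del self.messages[msg.message_id]
        self.receipts.pop(msg.handle, None)
        if self.dlq is not None:
            self.dlq.send_message(msg.body, now)


def simulate():
    """Walk Message A and a poison message through the lifecycle; report what happened."""
    dlq = Queue()
    q = Queue(delay_seconds=5, visibility_timeout=30, dead_letter_queue=dlq, max_receive_count=2)
    q.send_message("Message A", now=0)
    during_delay = q.receive_message(now=0)    # None: hidden by DelaySeconds
    handle1, body = q.receive_message(now=5)   # visible; hidden again until t=35
    in_flight = q.receive_message(now=20)      # None: inside the visibility timeout
    # Component 2 crashes before DeleteMessage, so Message A is delivered a second
    # time: this is why the consumer must be idempotent.
    handle2, _ = q.receive_message(now=40)
    try:
        q.delete_message(handle1)              # stale handle from the first receive
        stale_rejected = False
    except KeyError:
        stale_rejected = True
    q.delete_message(handle2)                  # the current handle succeeds
    q.send_message("poison", now=50)
    q.receive_message(now=55)                  # attempt 1, never deleted
    q.receive_message(now=90)                  # attempt 2, never deleted
    third = q.receive_message(now=125)         # attempt 3 exceeds maxReceiveCount
    return {
        "hidden_during_delay": during_delay is None,
        "hidden_in_flight": in_flight is None,
        "body": body,
        "stale_handle_rejected": stale_rejected,
        "main_queue_empty": not q.messages,
        "redriven_to_dlq": third is None and dlq.receive_message(now=125)[1] == "poison",
    }
```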
Access Control
While IAM can be used to control the interactions of different AWS identities with queues, there are often times when you will want to expose queues to other accounts. These situations may include:
You want to grant another AWS account a particular type of access to your queue (for example, SendMessage).
You want to grant another AWS account access to your queue for a specific period of time.
You want to grant another AWS account access to your queue only if the requests come from your Amazon EC2 instances.
You want to deny another AWS account access to your queue.
While close coordination between accounts may allow these types of actions through the use of IAM roles, that level of coordination is frequently unfeasible.
Amazon SQS Access Control allows you to assign policies to queues that grant specific interactions to other accounts without that account having to assume IAM roles from your account. These policies are written in the same JSON language as IAM. For example, the following sample policy gives the developer with AWS account number 111122223333 the SendMessage permission for the queue named 444455556666/queue1 in the US East (N. Virginia) region.
{
  "Version": "2012-10-17",
  "Id": "Queue1_Policy_UUID",
  "Statement": [
    {
      "Sid": "Queue1_SendMessage",
      "Effect": "Allow",
      "Principal": {
        "AWS": "111122223333"
      },
      "Action": "sqs:SendMessage",
      "Resource": "arn:aws:sqs:us-east-1:444455556666:queue1"
    }
  ]
}
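As an added example (not AWS tooling), a small check a queue owner can run over a queue policy before attaching it: it reproduces the sample policy above inline alongside a constructed over-permissive one, and flags an anonymous principal without a Condition, a wildcard action, and a resource that is not the intended queue ARN. The function and finding wording are this example's own.

```python
"""Lint an Amazon SQS queue policy before attaching it (added example, not AWS
tooling). The expected ARN is the queue from the sample policy in the text."""
import json

EXPECTED_QUEUE_ARN = "arn:aws:sqs:us-east-1:444455556666:queue1"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(principal):
    """Flatten the Principal element ("*", {"AWS": ...} or {"AWS": [...]}) to strings."""
    if isinstance(principal, str):
        return [principal]
    out = []
    for v in principal.values():
        out.extend(_as_list(v))
    return out


def lint_queue_policy(policy_json, expected_arn=EXPECTED_QUEUE_ARN):
    """Return (Sid, finding) pairs for Allow statements that grant more than intended."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principals = _principals(stmt.get("Principal", {}))
        actions = _as_list(stmt.get("Action", []))
        # A "*" principal with no Condition lets any caller, including unauthenticated ones, use the grant.
        if "*" in principals and "Condition" not in stmt:
            findings.append((sid, "Principal '*' without a Condition grants anonymous access"))
        # "sqs:*" hands out DeleteQueue, SetQueueAttributes and friends along with the intended call.
        if any(a in ("*", "sqs:*") for a in actions):
            findings.append((sid, "wildcard Action grants every queue operation"))
        # The grant should name exactly this queue, not a wildcard or another queue's ARN.
        for resource in _as_list(stmt.get("Resource", [])):
            if resource != expected_arn:
                findings.append((sid, "Resource %r is not the intended queue ARN" % resource))
    return findings


# The sample policy from the text, reproduced as the input to the check.
SAMPLE_POLICY = """{
  "Version": "2012-10-17",
  "Id": "Queue1_Policy_UUID",
  "Statement": [{
    "Sid": "Queue1_SendMessage",
    "Effect": "Allow",
    "Principal": {"AWS": "111122223333"},
    "Action": "sqs:SendMessage",
    "Resource": "arn:aws:sqs:us-east-1:444455556666:queue1"
  }]
}"""

# Constructed counter-example: a policy that exposes every queue in the account to everyone.
OPEN_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "OpenQueue",
    "Effect": "Allow",
    "Principal": "*",
    "Action": "sqs:*",
    "Resource": "arn:aws:sqs:us-east-1:444455556666:*"
  }]
}"""

if __name__ == "__main__":
    print(lint_queue_policy(SAMPLE_POLICY))  # no findings for the sample policy
    for sid, finding in lint_queue_policy(OPEN_POLICY):
        print(sid, "-", finding)
```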
Tradeoff Message Durability and Latency
Amazon SQS does not return success to a SendMessage API call until the message is durably stored in Amazon SQS. This makes the programming model very simple with no doubt about the safety of messages, unlike the situation with an asynchronous messaging model. If you don’t need a durable messaging system, however, you can build an asynchronous, client-side batching on top of Amazon SQS libraries that delays enqueue of messages to Amazon SQS and transmits a set of messages in a batch. Please be aware that with a client-side batching approach, you could potentially lose messages when your client process or client host dies for any reason.
Amazon Simple Workflow Service (Amazon SWF)
Amazon SWF makes it easy to build applications that coordinate work across distributed components. In Amazon SWF, a task represents a logical unit of work that is performed by a component of your application. Coordinating tasks across the application involves managing inter-task dependencies, scheduling, and concurrency in accordance with the logical flow of the application. Amazon SWF gives you full control over implementing and coordinating tasks without worrying about underlying complexities such as tracking their progress and maintaining their state.
When using Amazon SWF, you implement workers to perform tasks. These workers can run either on cloud infrastructure, such as Amazon EC2, or on your own premises. You can create long-running tasks that might fail, time out, or require restarts, or tasks that can complete with varying throughput and latency. Amazon SWF stores tasks, assigns them to workers when they are ready, monitors their progress, and maintains their state, including details on their completion. To coordinate tasks, you write a program that gets the latest state of each task from Amazon SWF and uses it to initiate subsequent tasks. Amazon SWF maintains an application’s execution state durably so that the application is resilient to failures in individual components. With Amazon SWF, you can implement, deploy, scale, and modify these application components independently.
Workflows
Using Amazon SWF, you can implement distributed, asynchronous applications as workflows. Workflows coordinate and manage the execution of activities that can be run asynchronously across multiple computing devices and that can feature both sequential and parallel processing.
When designing a workflow, analyze your application to identify its component tasks, which are represented in Amazon SWF as activities. The workflow’s coordination logic determines the order in which activities are executed.
Workflow Domains
Domains provide a way of scoping Amazon SWF resources within your AWS account. You must specify a domain for all the components of a workflow, such as the workflow type and activity types. It is possible to have more than one workflow in a domain; however, workflows in different domains cannot interact with one another.
Workflow History
The workflow history is a detailed, complete, and consistent record of every event that occurred since the workflow execution started. An event represents a discrete change in your workflow execution’s state, such as scheduled and completed activities, task timeouts, and signals.
Actors
Amazon SWF consists of a number of different types of programmatic features known as actors. Actors can be workflow starters, deciders, or activity workers. These actors communicate with Amazon SWF through its API. You can develop actors in any programming language.
A workflow starter is any application that can initiate workflow executions. For example, one workflow starter could be an e-commerce website where a customer places an order. Another workflow starter could be a mobile application where a customer orders takeout food or requests a taxi.
Activities within a workflow can run sequentially, in parallel, synchronously, or asynchronously. The logic that coordinates the tasks in a workflow is called the decider. The decider schedules the activity tasks and provides input data to the activity workers. The decider also processes events that arrive while the workflow is in progress and closes the workflow when the objective has been completed.
An activity worker is a single computer process (or thread) that performs the activity tasks in your workflow. Different types of activity workers process tasks of different activity types, and multiple activity workers can process the same type of task. When an activity worker is ready to process a new activity task, it polls Amazon SWF for tasks that are appropriate for that activity worker. After receiving a task, the activity worker processes the task to completion and then returns the status and result to Amazon SWF. The activity worker then polls for a new task.
Tasks
Amazon SWF provides activity workers and deciders with work assignments, given as one of three types of tasks: activity tasks, AWS Lambda tasks, and decision tasks.
An activity task tells an activity worker to perform its function, such as to check inventory or charge a credit card. The activity task contains all the information that the activity worker needs to perform its function.
An AWS Lambda task is similar to an activity task, but executes an AWS Lambda function instead of a traditional Amazon SWF activity. For more information about how to define an AWS Lambda task, see the AWS documentation on AWS Lambda tasks.
A decision task tells a decider that the state of the workflow execution has changed so that the decider can determine the next activity that needs to be performed. The decision task contains the current workflow history.
Amazon SWF schedules a decision task when the workflow starts and whenever the state of the workflow changes, such as when an activity task completes. Each decision task contains a paginated view of the entire workflow execution history. The decider analyzes the workflow execution history and responds back to Amazon SWF with a set of decisions that specify what should occur next in the workflow execution. Essentially, every decision task gives the decider an opportunity to assess the workflow and provide direction back to Amazon SWF.
Task Lists
Task lists provide a way of organizing the various tasks associated with a workflow. You could think of task lists as similar to dynamic queues. When a task is scheduled in Amazon SWF, you can specify a queue (task list) to put it in. Similarly, when you poll Amazon SWF for a task, you determine which queue (task list) to get the task from.
Task lists provide a flexible mechanism to route tasks to workers as your use case necessitates. Task lists are dynamic in that you don’t need to register a task list or explicitly create it through an action—simply scheduling a task creates the task list if it doesn’t already exist.
Long Polling
Deciders and activity workers communicate with Amazon SWF using long polling. The decider or activity worker periodically initiates communication with Amazon SWF, notifying Amazon SWF of its availability to accept a task, and then specifies a task list to get tasks from. Long polling works well for high-volume task processing. Deciders and activity workers can manage their own capacity.
Object Identifiers
Amazon SWF objects are uniquely identified by workflow type, activity type, decision and activity tasks, and workflow execution:
A registered workflow type is identified by its domain, name, and version. Workflow types are specified in the call to RegisterWorkflowType.
A registered activity type is identified by its domain, name, and version. Activity types are specified in the call to RegisterActivityType.
Each decision task and activity task is identified by a unique task token. The task token is generated by Amazon SWF and is returned with other information about the task in the response from PollForDecisionTask or PollForActivityTask. Although the token is most commonly used by the process that received the task, that process could pass the token to another process, which could then report the completion or failure of the task.
A single execution of a workflow is identified by the domain, workflow ID, and run ID. The first two are parameters that are passed to StartWorkflowExecution. The run ID is returned by StartWorkflowExecution.
Workflow Execution Closure
After you start a workflow execution, it is open. An open workflow execution can be closed as completed, canceled, failed, or timed out. It can also be continued as a new execution, or it can be terminated. The decider, the person administering the workflow, or Amazon SWF can close a workflow execution.
Lifecycle of a Workflow Execution
From the start of a workflow execution to its completion, Amazon SWF interacts with actors by assigning them appropriate tasks: either activity tasks or decision tasks.
Figure 8.3 shows the lifecycle of an order-processing workflow execution from the perspective of components that act on it.
FIGURE 8.3 Amazon SWF workflow illustration
The following 20 steps describe the workflow detailed in Figure 8.3:
1. A workflow starter calls an Amazon SWF action to start the workflow execution for an order, providing order information.
2. Amazon SWF receives the start workflow execution request and then schedules the first decision task.
3. The decider receives the task from Amazon SWF, reviews the history, and applies the coordination logic to determine that no previous activities occurred. It then makes a decision to schedule the VerifyOrder activity with the information the activity worker needs to process the task and returns the decision to Amazon SWF.
4. Amazon SWF receives the decision, schedules the VerifyOrder activity task, and waits for the activity task to complete or time out.
5. An activity worker that can perform the VerifyOrder activity receives the task, performs it, and returns the results to Amazon SWF.
6. Amazon SWF receives the results of the VerifyOrder activity, adds them to the workflow history, and schedules a decision task.
7. The decider receives the task from Amazon SWF, reviews the history, applies the coordination logic, makes a decision to schedule a ChargeCreditCard activity task with the information the activity worker needs to process the task, and returns the decision to Amazon SWF.
8. Amazon SWF receives the decision, schedules the ChargeCreditCard activity task, and waits for it to complete or time out.
9. An activity worker that can perform the ChargeCreditCard activity receives the task, performs it, and returns the results to Amazon SWF.
10. Amazon SWF receives the results of the ChargeCreditCard activity task, adds them to the workflow history, and schedules a decision task.
11. The decider receives the task from Amazon SWF, reviews the history, applies the coordination logic, makes a decision to schedule a ShipOrder activity task with the information the activity worker needs to perform the task, and returns the decision to Amazon SWF.
12. Amazon SWF receives the decision, schedules a ShipOrder activity task, and waits for it to complete or time out.
13. An activity worker that can perform the ShipOrder activity receives the task, performs it, and returns the results to Amazon SWF.
14. Amazon SWF receives the results of the ShipOrder activity task, adds them to the workflow history, and schedules a decision task.
15. The decider receives the task from Amazon SWF, reviews the history, applies the coordination logic, makes a decision to schedule a RecordCompletion activity task with the information the activity worker needs to perform the task, and returns the decision to Amazon SWF.
16. Amazon SWF receives the decision, schedules a RecordCompletion activity task, and waits for it to complete or time out.
17. An activity worker that can perform the RecordCompletion activity receives the task, performs it, and returns the results to Amazon SWF.
18. Amazon SWF receives the results of the RecordCompletion activity task, adds them to the workflow history, and schedules a decision task.
19. The decider receives the task from Amazon SWF, reviews the history, applies the coordination logic, makes a decision to close the workflow execution, and returns the decision along with any results to Amazon SWF.
20. Amazon SWF closes the workflow execution and archives the history for future reference.
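The coordination logic that steps 3, 7, 11, 15 and 19 describe, as an added example that is not from the book: a decider that reads a workflow execution history in the shape PollForDecisionTask returns and answers with the decisions RespondDecisionTaskCompleted expects. The activity version, the task list name and the sample history are constructed assumptions; the example also covers the failed, timed-out and still-in-flight cases that the twenty steps do not walk through.

```python
import json

# Activity sequence of Figure 8.3, in the order the decider schedules it.
ORDER_PIPELINE = ["VerifyOrder", "ChargeCreditCard", "ShipOrder", "RecordCompletion"]
ACTIVITY_VERSION = "1.0"   # assumed: the version passed to RegisterActivityType
TASK_LIST = "order-tasks"  # assumed: the task list the activity workers poll

# Events that end an activity without a result, with their attribute keys.
TERMINAL_FAILURES = {
    "ActivityTaskFailed": "activityTaskFailedEventAttributes",
    "ActivityTaskTimedOut": "activityTaskTimedOutEventAttributes",
}


def activity_name(history, scheduled_event_id):
    """Resolve which activity a completion or failure event belongs to.

    Such events carry only the eventId of the ActivityTaskScheduled event,
    so the name is looked up there.
    """
    for ev in history:
        if ev["eventId"] == scheduled_event_id and ev["eventType"] == "ActivityTaskScheduled":
            return ev["activityTaskScheduledEventAttributes"]["activityType"]["name"]
    raise ValueError(f"no ActivityTaskScheduled event with id {scheduled_event_id}")


def decide(history):
    """Turn a workflow execution history into the decider's next decisions.

    Returns decisions in the shape RespondDecisionTaskCompleted expects;
    an empty list means an activity is still in flight.
    """
    order_input, scheduled, completed = None, set(), []
    for ev in history:
        kind = ev["eventType"]
        if kind == "WorkflowExecutionStarted":
            order_input = ev["workflowExecutionStartedEventAttributes"].get("input")
        elif kind == "ActivityTaskScheduled":
            scheduled.add(ev["activityTaskScheduledEventAttributes"]["activityType"]["name"])
        elif kind == "ActivityTaskCompleted":
            sid = ev["activityTaskCompletedEventAttributes"]["scheduledEventId"]
            completed.append(activity_name(history, sid))
        elif kind in TERMINAL_FAILURES:
            # Fail closed: a step that failed or timed out ends the execution
            # with a recorded reason instead of letting the order move on.
            sid = ev[TERMINAL_FAILURES[kind]]["scheduledEventId"]
            return [{"decisionType": "FailWorkflowExecution",
                     "failWorkflowExecutionDecisionAttributes": {
                         "reason": f"{activity_name(history, sid)} {kind}"}}]

    remaining = [a for a in ORDER_PIPELINE if a not in completed]
    if not remaining:
        # Steps 19-20: every activity has a result, so close the execution.
        return [{"decisionType": "CompleteWorkflowExecution",
                 "completeWorkflowExecutionDecisionAttributes": {
                     "result": json.dumps({"completed": completed})}}]
    nxt = remaining[0]
    if nxt in scheduled:
        # Scheduled but not finished: a second ScheduleActivityTask decision
        # here would charge the card or ship the order twice.
        return []
    return [{"decisionType": "ScheduleActivityTask",
             "scheduleActivityTaskDecisionAttributes": {
                 "activityType": {"name": nxt, "version": ACTIVITY_VERSION},
                 "activityId": f"{nxt}-{len(completed) + 1}",
                 "input": order_input,
                 "taskList": {"name": TASK_LIST}}}]


def sample_history(steps_completed, fail_step=None):
    """Constructed SWF-style history for one order after some activities ran.

    The first `steps_completed` activities are scheduled, started and
    completed in pipeline order; the one named `fail_step` fails instead.
    """
    order = json.dumps({"orderId": "ORDER-0001", "amount": 42.0})  # constructed
    history = [{"eventId": 1, "eventType": "WorkflowExecutionStarted",
                "workflowExecutionStartedEventAttributes": {"input": order}}]
    for name in ORDER_PIPELINE[:steps_completed]:
        sid = len(history) + 1
        history.append({"eventId": sid, "eventType": "ActivityTaskScheduled",
                        "activityTaskScheduledEventAttributes": {
                            "activityType": {"name": name, "version": ACTIVITY_VERSION},
                            "activityId": name, "input": order}})
        history.append({"eventId": sid + 1, "eventType": "ActivityTaskStarted"})
        if name == fail_step:
            history.append({"eventId": sid + 2, "eventType": "ActivityTaskFailed",
                            "activityTaskFailedEventAttributes": {
                                "reason": "card declined", "scheduledEventId": sid}})
            break
        history.append({"eventId": sid + 2, "eventType": "ActivityTaskCompleted",
                        "activityTaskCompletedEventAttributes": {
                            "result": "ok", "scheduledEventId": sid}})
    return history
```

In a real decider the history comes from PollForDecisionTask (paginated, so fetch every page before deciding) and the returned list goes to RespondDecisionTaskCompleted together with the task token.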
Amazon Simple Notification Service (Amazon SNS)
Amazon SNS is a web service for mobile and enterprise messaging that enables you to set up, operate, and send notifications. It is designed to make web-scale computing easier for developers. Amazon SNS follows the publish-subscribe (pub-sub) messaging paradigm, with notifications being delivered to clients using a push mechanism that eliminates the need to check periodically (or poll) for new information and updates. For example, you can send notifications to Apple, Android, Fire OS, and Windows devices. In China, you can send messages to Android devices with Baidu Cloud Push. You can use Amazon SNS to send Short Message Service (SMS) messages to mobile device users in the United States or to email recipients worldwide.
Amazon SNS consists of two types of clients: publishers and subscribers (sometimes known as producers and consumers). Publishers communicate to subscribers asynchronously by sending a message to a topic. A topic is simply a logical access point/communication channel that contains a list of subscribers and the methods used to communicate to them. When you send a message to a topic, it is automatically forwarded to each subscriber of that topic using the communication method configured for that subscriber.
Figure 8.4 shows this process at a high level. A publisher issues a message on a topic. The message is then delivered to the subscribers of that topic using different methods, such as Amazon SQS, HTTP, HTTPS, email, SMS, and AWS Lambda.
FIGURE 8.4 Diagram of topic delivery
When using Amazon SNS, you (as the owner) create a topic and control access to it by defining policies that determine which publishers and subscribers can communicate with the topic and via which technologies. Publishers send messages to topics that they created or that they have permission to publish to. Instead of including a specific destination address in each message, a publisher sends a message to the topic, and Amazon SNS delivers the message to each subscriber for that topic. Each topic has a unique name that identifies the Amazon SNS endpoint where publishers post messages and subscribers register for notifications. Subscribers receive all messages published to the topics to which they subscribe, and all subscribers to a topic receive the same messages.
Common Amazon SNS Scenarios
Amazon SNS can support a wide variety of needs, including monitoring applications, workflow systems, time-sensitive information updates, mobile applications, and any other application that generates or consumes notifications. For example, you can use Amazon SNS to relay events in workflow systems among distributed computer applications, move data between data stores, or update records in business systems. Event updates and notifications concerning validation, approval, inventory changes, and shipment status are immediately delivered to relevant system components and end users. Another example use for Amazon SNS is to relay time-critical events to mobile applications and devices. Because Amazon SNS is both highly reliable and scalable, it provides significant advantages to developers who build applications that rely on real-time events.
To help illustrate, the following sections describe some common Amazon SNS scenarios, including fanout scenarios, application and system alerts, push email and text messaging, and mobile push notifications.
Fanout
A fanout scenario is when an Amazon SNS message is sent to a topic and then replicated and pushed to multiple Amazon SQS queues, HTTP endpoints, or email addresses (see Figure 8.5). This allows for parallel asynchronous processing. For example, you can develop an application that sends an Amazon SNS message to a topic whenever an order is placed for a product. Then the Amazon SQS queues that are subscribed to that topic will receive identical notifications for the new order. An Amazon EC2 instance attached to one of the queues handles the processing or fulfillment of the order, while an Amazon EC2 instance attached to a parallel queue sends order data to a data warehouse application/service for analysis.
FIGURE 8.5 Diagram of fanout scenario
Another way to use fanout is to replicate data sent to your production environment and integrate it with your development environment. Expanding upon the previous example, you can subscribe yet another queue to the same topic for new incoming orders. Then, by attaching this new queue to your development environment, you can continue to improve and test your application using data received from your production environment.
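The access-policy point made above (the topic owner decides who may communicate with the topic) and the fanout scenario, as one added example in Python that is not from the book: the queue-side policy that admits deliveries from a single topic, and a consumer that unwraps the notification envelope Amazon SNS places in the queue, rejects envelopes from topics it does not expect, and drops duplicate deliveries. The ARNs, the envelope contents and the queue bodies are constructed.

```python
import json

# Constructed ARNs standing in for the topic and queue of Exercises 8.4 and 8.5.
TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:MyTopic"
QUEUE_ARN = "arn:aws:sqs:us-east-1:123456789012:input"


def queue_policy_for_topic(queue_arn, topic_arn):
    """Queue access policy that lets only one SNS topic deliver into the queue.

    The aws:SourceArn condition is the important part: without it the
    statement lets any SNS topic that knows the queue ARN write to it.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowFanoutFromOneTopic",
            "Effect": "Allow",
            "Principal": {"Service": "sns.amazonaws.com"},
            "Action": "sqs:SendMessage",
            "Resource": queue_arn,
            "Condition": {"ArnEquals": {"aws:SourceArn": topic_arn}},
        }],
    }


def parse_notification(sqs_body, allowed_topics):
    """Unwrap the JSON envelope SNS writes into the queue (what More Details shows).

    Returns (message_id, subject, message). Raises ValueError for anything
    that is not a Notification from an allow-listed topic.
    """
    try:
        env = json.loads(sqs_body)
    except (TypeError, ValueError) as exc:
        raise ValueError(f"queue body is not JSON: {exc}")
    if env.get("Type") != "Notification":
        raise ValueError(f"unexpected envelope Type {env.get('Type')!r}")
    if env.get("TopicArn") not in allowed_topics:
        raise ValueError(f"message from unexpected topic {env.get('TopicArn')!r}")
    for field in ("MessageId", "Message"):
        if field not in env:
            raise ValueError(f"envelope lacks {field}")
    return env["MessageId"], env.get("Subject"), env["Message"]


def consume(sqs_bodies, allowed_topics):
    """Process a batch of raw queue bodies the way a fanout consumer should.

    Malformed bodies and bodies from other topics are counted and skipped;
    a MessageId seen before is dropped, because a standard Amazon SQS queue
    does not guarantee that a message is delivered only once.
    """
    seen, accepted, rejected = set(), [], 0
    for body in sqs_bodies:
        try:
            message_id, subject, message = parse_notification(body, allowed_topics)
        except ValueError:
            rejected += 1
            continue
        if message_id in seen:
            continue
        seen.add(message_id)
        accepted.append((subject, message))
    return accepted, rejected


def sample_envelope(topic_arn, message_id="11111111-2222-3333-4444-555555555555"):
    """Constructed SNS envelope as it arrives in an Amazon SQS message body."""
    return json.dumps({
        "Type": "Notification",
        "MessageId": message_id,
        "TopicArn": topic_arn,
        "Subject": "My Test Message",
        "Message": json.dumps({"orderId": "ORDER-0001", "amount": 42.0}),
        "Timestamp": "2017-01-01T00:00:00.000Z",
        "SignatureVersion": "1",
        "Signature": "<omitted in this constructed sample>",
        "SigningCertURL": "<omitted in this constructed sample>",
        "UnsubscribeURL": "<omitted in this constructed sample>",
    })
```

The policy dict is what you would pass, serialised, as the queue's Policy attribute; the same TopicArn allow-list check applies to HTTP and HTTPS subscribers, which receive the same envelope.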
Application and System Alerts
Application and system alerts are SMS and/or email notifications that are triggered by predefined thresholds. For example, because many AWS Cloud services use Amazon SNS, you can receive immediate notification when an event occurs, such as a specific change to your Auto Scaling group in AWS.
Push Email and Text Messaging
Push email and text messaging are two ways to transmit messages to individuals or groups via email and/or SMS. For example, you can use Amazon SNS to push targeted news headlines to subscribers by email or SMS. Upon receiving the email or SMS text, interested readers can then choose to learn more by visiting a website or launching an application.
Mobile Push Notifications
Mobile push notifications enable you to send messages directly to mobile applications. For example, you can use Amazon SNS for sending notifications to an application, indicating that an update is available. The notification message can include a link to download and install the update.
Summary
In this chapter, you learned about the core application and mobile services that you will be tested on in your AWS Certified Solutions Architect – Associate exam.
Amazon SQS is a unique service designed by Amazon to help you decouple your infrastructure. Using Amazon SQS, you can store messages on reliable and scalable infrastructure as they travel between distributed components of your applications that perform different tasks, without losing messages or requiring each component to be continuously available.
Understand Amazon SQS queue operations, unique IDs, and metadata. Be familiar with queue and message identifiers such as queue URLs, message IDs, and receipt handles. Understand related concepts such as delay queues, message attributes, long polling, message timers, dead letter queues, access control, and the overall message lifecycle.
Amazon SWF allows you to create applications that coordinate work across distributed components. Amazon SWF is driven by tasks, which are logical units of work that different components of your application perform. To manage tasks across your application, you need to be aware of inter-task dependencies, scheduling of tasks, and using tasks concurrently. Amazon SWF simplifies the coordination of workflow tasks, giving you full control over their implementation without worrying about underlying complexities such as tracking their progress and maintaining their state.
You must be familiar with the following Amazon SWF components and the lifecycle of a workflow execution:
Workers, starters, and deciders
Workflows
Workflow history
Actors
Tasks
Domains
Object identifiers
Task lists
Workflow execution closure
Long polling
Amazon SNS is a push notification service that lets you send individual or multiple messages to large numbers of recipients. Amazon SNS consists of two types of clients: publishers and subscribers (sometimes known as producers and consumers). Publishers communicate to subscribers asynchronously by sending a message to a topic. A topic is simply a logical access point/communication channel that contains a list of subscribers and the methods used to communicate to them. When you send a message to a topic, it is automatically forwarded to each subscriber of that topic using the communication method configured for that subscriber.
Amazon SNS can support a wide variety of needs, including monitoring applications, workflow systems, time-sensitive information updates, mobile applications, and any other application that generates or consumes notifications. Understand some common Amazon SNS scenarios, including:
Fanout
Application and system alerts
Push email and text messaging
Mobile push notifications
Exam Essentials
Know how to use Amazon SQS. Amazon SQS is a unique service designed by Amazon to help you to decouple your infrastructure. Using Amazon SQS, you can store messages on reliable and scalable infrastructure as they travel between your servers. This allows you to move data between distributed components of your applications that perform different tasks without losing messages or requiring each component always to be available.
Understand Amazon SQS visibility timeouts. Visibility timeout is a period of time during which Amazon SQS prevents other components from receiving and processing a message because another component is already processing it. By default, the message visibility timeout is set to 30 seconds, and the maximum that it can be is 12 hours.
Know how to use Amazon SQS long polling. Long polling allows your Amazon SQS client to poll an Amazon SQS queue. If nothing is there, ReceiveMessage waits between 1 and 20 seconds. If a message arrives in that time, it is returned to the caller as soon as possible. If a message does not arrive in that time, you need to execute the ReceiveMessage function again. This helps you avoid polling in tight loops and prevents you from burning through CPU cycles, keeping costs low.
Know how to use Amazon SWF. Amazon SWF allows you to make applications that coordinate work across distributed components. Amazon SWF is driven by tasks, which are logical units of work that part of your application performs. To manage tasks across your application, you need to be aware of inter-task dependencies, scheduling of tasks, and using tasks concurrently. This is where Amazon SWF can help you. It gives you full control over implementing tasks and coordinating them without worrying about underlying complexities such as tracking their progress and maintaining their state.
Know the basics of an Amazon SWF workflow. A workflow is a collection of activities (coordinated by logic) that carry out a specific goal. For example, a workflow receives a customer order and takes whatever actions are necessary to fulfill it. Each workflow runs in an AWS resource called a domain, which controls the scope of the workflow. An AWS account can have multiple domains, each of which can contain multiple workflows, but workflows in different domains cannot interact.
Understand the different Amazon SWF actors. Amazon SWF interacts with a number of different types of programmatic actors. Actors can be activity workers, workflow starters, or deciders.
Understand Amazon SNS basics. Amazon SNS is a push notification service that lets you send individual or multiple messages to large numbers of recipients. Amazon SNS consists of two types of clients: publishers and subscribers (sometimes known as producers and consumers). Publishers communicate to subscribers asynchronously by sending a message to a topic.
Know the different protocols used with Amazon SNS. You can use the following protocols with Amazon SNS: HTTP, HTTPS, SMS, email, email-JSON, Amazon SQS, and AWS Lambda.
Exercises
In this section, you create a topic and subscription in Amazon SNS and then publish a message to your topic.
EXERCISE 8.1
Create an Amazon SNS Topic
In this exercise, you will create an Amazon SNS topic.
1. Open a browser, and navigate to the AWS Management Console. Sign in to your AWS account.
2. Navigate to Mobile Services and then Amazon SNS to load the Amazon SNS dashboard.
3. Create a new topic, and use MyTopic for both the topic name and the display name.
4. Note that an Amazon Resource Name (ARN) is specified immediately.
Congratulations! You have created your first topic.
EXERCISE 8.2
Create a Subscription to Your Topic
In this exercise, you will create a subscription to the newly created topic using your email address. Then you confirm your email address.
1. In the Amazon SNS dashboard of the AWS Management Console, navigate to Topics.
2. Select the ARN that you just created. Create a Subscription with the protocol of Email, and enter your email address.
3. Create the Subscription.
4. The service sends a confirmation email to your email address. Before this subscription can go live, you need to click on the link in the email that AWS sent you to confirm your email address. Check your email, and confirm your address.
Congratulations! You have now confirmed your email address and created a subscription to a topic.
EXERCISE 8.3
Publish to a Topic
In this exercise, you will publish a message to your newly created topic.
1. In the Amazon SNS dashboard of the AWS Management Console, navigate to Topics.
2. Navigate to the ARN link for your newly created topic.
3. Update the subject with My Test Message, leave the message format set to Raw, and set the Time to Live (TTL) field to 300.
4. Publish the message.
5. You should receive an email from your topic name with the subject that you specified. If you do not receive this email, check your junk folder.
Congratulations! In this exercise, you created a new topic, added a new subscription, and then published a message to your new topic. Note the different formats in which you can publish messages, including HTTP and AWS Lambda. Delete your newly created topic and subscriptions after you are finished.
EXERCISE 8.4
Create Queue
1. In the AWS Management Console, navigate to Application Services and then to Amazon SQS to load the Amazon SQS dashboard.
2. Create a new queue with input as the queue name, 60 seconds for the default visibility, and 5 minutes for the message retention period. Leave the remaining default values for this exercise.
3. Create the queue.
Congratulations! In this exercise, you created a new queue. You will publish to this queue in the following exercise.
EXERCISE 8.5
Subscribe Queue to SNS Topic
1. In the AWS Management Console, navigate to Application Services and then to Amazon SQS to load the Amazon SQS dashboard.
2. Subscribe your queue to your Amazon SNS topic.
3. Now return to the Amazon SNS dashboard (in the AWS Management Console under Mobile Services).
4. Publish to your new topic, and use the defaults.
5. Return to the Amazon SQS dashboard (in the AWS Management Console under Application Services).
6. You will notice there is “1 Message Available” in the input queue. Check the input box to the left of the input queue name.
7. Start polling for messages. You should see the Amazon SNS message in your queue.
8. Click the More Details link to see the details of the message.
9. Review your message, and click Close.
10. Delete your message.
Congratulations! In this exercise, you subscribed your input queue to an Amazon SNS topic and viewed your message in your Amazon SQS queue in addition to receiving the message in subscribed email.
Review Questions
1. Which of the following is not a supported Amazon Simple Notification Service (Amazon SNS) protocol?
A. HTTPS
B. AWS Lambda
C. Email-JSON
D. Amazon DynamoDB
2. When you create a new Amazon Simple Notification Service (Amazon SNS) topic, which of the following is created automatically?
A. An Amazon Resource Name (ARN)
B. A subscriber
C. An Amazon Simple Queue Service (Amazon SQS) queue to deliver your Amazon SNS topic
D. A message
3. Which of the following are features of Amazon Simple Notification Service (Amazon SNS)? (Choose 3 answers)
A. Publishers
B. Readers
C. Subscribers
D. Topic
4. What is the default time for an Amazon Simple Queue Service (Amazon SQS) visibility timeout?
A. 30 seconds
B. 60 seconds
C. 1 hour
D. 12 hours
5. What is the longest time available for an Amazon Simple Queue Service (Amazon SQS) visibility timeout?
A. 30 seconds
B. 60 seconds
C. 1 hour
D. 12 hours
6. Which of the following options are valid properties of an Amazon Simple Queue Service (Amazon SQS) message? (Choose 2 answers)
A. Destination
B. Message ID
C. Type
D. Body
7. You are a solutions architect who is working for a mobile application company that wants to use Amazon Simple Workflow Service (Amazon SWF) for their new takeout ordering application. They will have multiple workflows that will need to interact. What should you advise them to do in structuring the design of their Amazon SWF environment?
A. Use multiple domains, each containing a single workflow, and design the workflows to interact across the different domains.
B. Use a single domain containing multiple workflows. In this manner, the workflows will be able to interact.
C. Use a single domain with a single workflow and collapse all activities to within this single workflow.
D. Workflows cannot interact with each other; they would be better off using Amazon Simple Queue Service (Amazon SQS) and Amazon Simple Notification Service (Amazon SNS) for their application.
8. In Amazon Simple Workflow Service (Amazon SWF), which of the following are actors? (Choose 3 answers)
A. Activity workers
B. Workflow starters
C. Deciders
D. Activity tasks
9. You are designing a new application, and you need to ensure that the components of your application are not tightly coupled. You are trying to decide between the different AWS Cloud services to use to achieve this goal. Your requirements are that messages between your application components may not be delivered more than once, tasks must be completed in either a synchronous or asynchronous fashion, and there must be some form of application logic that decides what to do when tasks have been completed. What application service should you use?
A. Amazon Simple Queue Service (Amazon SQS)
B. Amazon Simple Workflow Service (Amazon SWF)
C. Amazon Simple Storage Service (Amazon S3)
D. Amazon Simple Email Service (Amazon SES)
10. How does Amazon Simple Queue Service (Amazon SQS) deliver messages?
A. Last In, First Out (LIFO)
B. First In, First Out (FIFO)
C. Sequentially
D. Amazon SQS doesn’t guarantee delivery of your messages in any particular order.
11. Of the following options, what is an efficient way to fan out a single Amazon Simple Notification Service (Amazon SNS) message to multiple Amazon Simple Queue Service (Amazon SQS) queues?
A. Create an Amazon SNS topic using Amazon SNS. Then create and subscribe multiple Amazon SQS queues sent to the Amazon SNS topic.
B. Create one Amazon SQS queue that subscribes to multiple Amazon SNS topics.
C. Amazon SNS allows exactly one subscriber to each topic, so fanout is not possible.
D. Create an Amazon SNS topic using Amazon SNS. Create an application that subscribes to that topic and duplicates the message. Send copies to multiple Amazon SQS queues.
12. Your application polls an Amazon Simple Queue Service (Amazon SQS) queue frequently and returns immediately, often with empty ReceiveMessageResponses. What is one thing that can be done to reduce Amazon SQS costs?
A. Pricing on Amazon SQS does not include a cost for service requests; therefore, there is no concern.
B. Increase the timeout value for short polling to wait for messages longer before returning a response.
C. Change the message visibility value to a higher number.
D. Use long polling by supplying a WaitTimeSeconds of greater than 0 seconds when calling ReceiveMessage.
13. What is the longest time available for an Amazon Simple Queue Service (Amazon SQS) long polling timeout?
A. 10 seconds
B. 20 seconds
C. 30 seconds
D. 1 hour
14. What is the longest configurable message retention period for Amazon Simple Queue Service (Amazon SQS)?
A. 30 minutes
B. 4 days
C. 30 seconds
D. 14 days
15. What is the default message retention period for Amazon Simple Queue Service (Amazon SQS)?
A. 30 minutes
B. 4 days
C. 30 seconds
D. 14 days
16. Amazon Simple Notification Service (Amazon SNS) is a push notification service that lets you send individual or multiple messages to large numbers of recipients. What types of clients are supported?
A. Java and JavaScript clients that support publisher and subscriber types
B. Producers and consumers supported by C and C++ clients
C. Mobile and AMQP support for publisher and subscriber client types
D. Publisher and subscriber client types
17. In Amazon Simple Workflow Service (Amazon SWF), a decider is responsible for what?
A. Executing each step of the work
B. Defining work coordination logic by specifying work sequencing, timing, and failure conditions
C. Executing your workflow
D. Registering activities and workflow with Amazon SWF
18. Can an Amazon Simple Notification Service (Amazon SNS) topic be recreated with a previously used topic name?
A. Yes. The topic name should typically be available after 24 hours after the previous topic with the same name has been deleted.
B. Yes. The topic name should typically be available after 1–3 hours after the previous topic with the same name has been deleted.
C. Yes. The topic name should typically be available after 30–60 seconds after the previous topic with the same name has been deleted.
D. At this time, this feature is not supported.
19. What should you do in order to grant a different AWS account permission to your Amazon Simple Queue Service (Amazon SQS) queue?
A. Share credentials to your AWS account and have the other account’s applications use your account’s credentials to access the Amazon SQS queue.
B. Create a user for that account in AWS Identity and Access Management (IAM) and establish an IAM policy that grants access to the queue.
C. Create an Amazon SQS policy that grants the other account access.
D. Amazon Virtual Private Cloud (Amazon VPC) peering must be used to achieve this.
20. Can an Amazon Simple Notification Service (Amazon SNS) message be deleted after being published to a topic?
A. Only if a subscriber(s) has/have not read the message yet
B. Only if the Amazon SNS recall message parameter has been set
C. No. After a message has been successfully published to a topic, it cannot be recalled.
D. Yes. However, it can be deleted only if the subscribers are Amazon SQS queues.
Chapter 9 Domain Name System (DNS) and Amazon Route 53
THE AWS CERTIFIED SOLUTIONS ARCHITECT EXAM TOPICS COVERED IN THIS CHAPTER MAY INCLUDE, BUT ARE NOT LIMITED TO, THE FOLLOWING:
Domain 1.0: Designing highly available, cost-efficient, fault-tolerant, scalable systems
1.1 Identify and recognize cloud architecture considerations, such as fundamental components and effective designs.
Content may include the following:
How to design cloud services
Planning and design
Monitoring and logging
Familiarity with:
Best practices for AWS architecture
Developing to client specifications, including pricing/cost (for example, on-demand vs. reserved vs. spot; RTO and RPO DR design)
Architectural trade-off decisions (for example, high availability vs. cost, Amazon Relational Database Service [RDS] vs. installing your own database on Amazon Elastic Compute Cloud—EC2)
Elasticity and scalability (for example, auto-scaling, SQS, ELB, CloudFront)
Domain 3.0: Data Security
3.1 Recognize and implement secure procedures for optimum cloud deployment and maintenance.
3.2 Recognize critical disaster-recovery techniques and their implementation.
Amazon Route 53
Domain Name System (DNS)
The Domain Name System (DNS) is sometimes a difficult concept to understand because it is so ubiquitously used in making the Internet work. Before we get into the details, let’s start with a simple analogy. The Internet Protocol (IP) address of your website is like your phone number—it could change if you move to a new area (at least your landline could change). DNS is like the phone book. If someone wants to call you at your new house or location, they might look you up by name in the phone book. If their phone book hasn’t been updated since you moved, however, they might call your old house. When a visitor wants to access your website, their computer takes the domain name typed in (www.amazon.com, for example) and looks up the IP address for that domain using DNS.
More specifically, DNS is a globally-distributed service that is foundational to the way people use the Internet. DNS uses a hierarchical name structure, and different levels in the hierarchy are each separated with a dot (.). Consider the domain names www.amazon.com and aws.amazon.com. In both these examples, com is the Top-Level Domain (TLD) and amazon is the Second-Level Domain (SLD). There can be any number of lower levels (for example, www and aws) below the SLD.
Computers use the DNS hierarchy to translate human readable names (for example, www.amazon.com) into the IP addresses (for example, 192.0.2.1) that computers use to connect to one another. Every time you use a domain name, a DNS service must translate the name into the corresponding IP address. In summary, if you’ve used the Internet, you’ve used DNS.
Amazon Route 53 is an authoritative DNS system. An authoritative DNS system provides an update mechanism that developers use to manage their public DNS names. It then answers DNS queries, translating domain names into IP addresses so that computers can communicate with each other.
This chapter is intended to provide you with a baseline understanding of DNS and the Amazon Route 53 service that is designed to help users find your website or application over the Internet.
Domain Name System (DNS) Concepts
This section of the chapter defines DNS terms, describes how DNS works, and explains commonly used record types.
Top-Level Domains (TLDs)
A Top-Level Domain (TLD) is the most general part of the domain. The TLD is the farthest portion to the right (as separated by a dot). Common TLDs are .com, .net, .org, .gov, .edu, and .io.
TLDs are at the top of the hierarchy in terms of domain names. Certain parties are given management control over TLDs by the Internet Corporation for Assigned Names and Numbers (ICANN). These parties can then distribute domain names under the TLD, usually through a domain registrar. These domains are registered with the Network Information Center (InterNIC), a service of ICANN, which enforces the uniqueness of domain names across the Internet. Each domain name becomes registered in a central database, known as the WhoIS database.
Domain Names
A domain name is the human-friendly name that we are used to associating with an Internet resource. For instance, amazon.com is a domain name. Some people will say that the amazon portion is the domain, but we can generally refer to the combined form as the domain name.
The URL aws.amazon.com is associated with the servers owned by AWS. The DNS allows users to reach the AWS servers when they type aws.amazon.com into their browsers.
IP Addresses
An IP address is a network addressable location. Each IP address must be unique within its network. For public websites, this network is the entire Internet.
IPv4 addresses, the most common form of addresses, consist of four sets of numbers separated by a dot, with each set having up to three digits. For example, 111.222.111.222 could be a valid IPv4 IP address. With DNS, we map a name to that address so that you do not have to remember a complicated set of numbers for each place you want to visit on a network.
Due to the tremendous growth of the Internet and the number of devices connected to it, the IPv4 address range has quickly been depleted. IPv6 was created to solve this depletion issue, and it has an address space of 128 bits, which allows for 340,282,366,920,938,463,463,374,607,431,768,211,456, or 340 undecillion, unique addresses. For human beings, this number is difficult to imagine, so consider this: If each IPv4 address were one grain of sand, you would have enough addresses to fill approximately one dump truck with sand. If each IPv6 address were one grain of sand, you would have enough sand to equal the approximate size of the sun. Today, most devices and networks still communicate using IPv4, but migration to IPv6 is proceeding gradually over time.
Hosts
Within a domain, the domain owner can define individual hosts, which refer to separate computers or services accessible through a domain. For instance, most domain owners make their web servers accessible through the base domain (example.com) and also through the host definition www (as in www.example.com).
You can have other host definitions under the general domain, such as Application Program Interface (API) access through an API host (api.example.com) or File Transfer Protocol (FTP) access with a host definition of FTP or files (ftp.example.com or files.example.com). The host names can be arbitrary if they are unique for the domain.
Subdomains
DNS works in a hierarchical manner and allows a large domain to be partitioned or extended into multiple subdomains. TLDs can have many subdomains under them. For instance, zappos.com and audible.com are both subdomains of the .com TLD (although they are typically just called domains). The zappos or audible portion can be referred to as an SLD.
Likewise, each SLD can have subdomains located under it. For instance, the URL for the history department of a school could be www.history.school.edu. The history portion is a subdomain.
The difference between a host name and a subdomain is that a host defines a computer or resource, while a subdomain extends the parent domain. Subdomains are a method of subdividing the domain itself.
Whether talking about subdomains or hosts, you can see that the left-most portions of a domain are the most specific. This is how DNS works: from most to least specific as you read from left to right.
Fully Qualified Domain Name (FQDN)
Domain locations in a DNS can be relative to one another and, as such, can be somewhat ambiguous. A Fully Qualified Domain Name (FQDN), also referred to as an absolute domain name, specifies a domain's location in relation to the absolute root of the DNS.
This means that the FQDN specifies each parent domain including the TLD. A proper FQDN ends with a dot, indicating the root of the DNS hierarchy. For example, mail.amazon.com. is an FQDN. Sometimes, software that calls for an FQDN does not require the ending dot, but it is required to conform to ICANN standards.
In Figure 9.1, you can see that the entire string is the FQDN, which is composed of the domain name, subdomain, root, TLD, SLD and host.
FIGURE 9.1 FQDN components
Name Servers
A name server is a computer designated to translate domain names into IP addresses. These servers do most of the work in the DNS. Because the total number of domain translations is too much for any one server, each server may redirect requests to other name servers or delegate responsibility for the subset of subdomains for which they are responsible.
Name servers can be authoritative, meaning that they give answers to queries about domains under their control. Otherwise, they may point to other servers or serve cached copies of other name servers' data.
Zone Files
A zone file is a simple text file that contains the mappings between domain names and IP addresses. This is how a DNS server finally identifies which IP address should be contacted when a user requests a certain domain name.
Zone files reside in name servers and generally define the resources available under a specific domain, or the place where one can go to get that information.
Top-Level Domain (TLD) Name Registrars
Because all of the names in a given domain must be unique, there needs to be a way to organize them so that domain names aren't duplicated. This is where domain name registrars come in. A domain name registrar is an organization or commercial entity that manages the reservation of Internet domain names. A domain name registrar must be accredited by a generic TLD (gTLD) registry and/or a country code TLD (ccTLD) registry. The management is done in accordance with the guidelines of the designated domain name registries.
Steps Involved in Domain Name System (DNS) Resolution
When you type a domain name into your browser, your computer first checks its host file to see if it has that domain name stored locally. If it does not, it will check its DNS cache to see if you have visited the site before. If it still does not have a record of that domain name, it will contact a DNS server to resolve the domain name.
DNS is, at its core, a hierarchical system. At the top of this system are root servers. ICANN delegates the control of these servers to various organizations.
As of this writing, there are 13 root servers in operation. Root servers handle requests for information about TLDs. When a request comes in for a domain that a lower-level name server cannot resolve, a query is made to the root server for the domain.
In order to handle the incredible volume of resolutions that happen every day, these root servers are mirrored and replicated. When requests are made to a certain root server, the request will be routed to the nearest mirror of that root server.
The root servers won't actually know where the domain is hosted. They will, however, be able to direct the requester to the name servers that handle the specifically-requested TLD.
For example, if a request for www.wikipedia.org is made to the root server, it will check its zone files for a listing that matches that domain name, but it will not find one in its records. It will instead find a record for the .org TLD and give the requesting entity the address of the name server responsible for .org addresses.
Top-Level Domain (TLD) Servers
After a root server returns the IP address of the appropriate server that is responsible for the TLD of a request, the requester then sends a new request to that address.
To continue the example from the previous section, the requesting entity would send a request to the name server responsible for knowing about .org domains to see if it can locate www.wikipedia.org.
Once again, when the name server searches its zone files for a www.wikipedia.org listing, it will not find one in its records. However, it will find a listing for the IP address of the name server responsible for wikipedia.org. This is getting much closer to the correct IP address.
Domain-Level Name Servers
At this point, the requester has the IP address of the name server that is responsible for knowing the actual IP address of the resource. It sends a new request to the name server asking, once again, if it can resolve www.wikipedia.org.
The name server checks its zone files, and it finds a zone file associated with wikipedia.org. Inside of this file, there is a record that contains the IP address for the www host. The name server returns the final address to the requester.
Resolving Name Servers
In the previous scenario, we referred to a requester. What is the requester in this situation?
In almost all cases, the requester will be what is called a resolving name server, which is a server that is configured to ask other servers questions. Its primary function is to act as an intermediary for a user, caching previous query results to improve speed and providing the addresses of appropriate root servers to resolve new requests.
A user will usually have a few resolving name servers configured on their computer system. The resolving name servers are typically provided by an Internet Service Provider (ISP) or other organization. There are several public resolving DNS servers that you can query. These can be configured in your computer either automatically or manually.
When you type a URL in the address bar of your browser, your computer first looks to see if it can find the resource's location locally. It checks the host file on the computer and any locally stored cache. It then sends the request to the resolving name server and waits to receive the IP address of the resource.
The resolving name server then checks its cache for the answer. If it doesn't find it, it goes through the steps outlined in the previous sections.
Resolving name servers compress the requesting process for the end user. The clients simply have to know to ask the resolving name servers where a resource is located, and the resolving name servers will do the work to investigate and return the final answer.
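The referral chain described in the preceding sections (root server, then TLD server, then the domain's own name server, with a resolving name server caching the result) can be simulated offline. The following is an added example, not code from the study guide: ZONES is constructed data for three pretend authoritative servers, the addresses are from the 192.0.2.0/24 documentation range, and FakeClock exists only so TTL expiry can be shown without waiting.

```python
"""Iterative resolution walk: root -> TLD server -> domain name server.

Added example, not code from the study guide. ZONES is constructed data:
three pretend authoritative servers, each holding one zone, with the
documentation range 192.0.2.0/24 standing in for real addresses. The
resolver follows the referral steps described in the chapter and keeps
a TTL-bounded cache, which is what makes the second lookup cheap and
the post-expiry lookup walk the chain again.
"""
import time

# Constructed zone data: server name -> {owner name: (type, value, ttl)}.
# An NS record is a referral to another server; an A record is an answer.
ZONES = {
    "root":            {"org.": ("NS", "a0.org-servers", 172800)},
    "a0.org-servers":  {"example.org.": ("NS", "ns1.example.org", 86400)},
    "ns1.example.org": {"www.example.org.": ("A", "192.0.2.10", 60)},
}


def authoritative_lookup(server, qname):
    """Longest-suffix match for qname among the records this server holds."""
    best = None
    for owner, rr in ZONES[server].items():
        if qname == owner or qname.endswith("." + owner):
            if best is None or len(owner) > len(best[0]):
                best = (owner, rr)
    return best


class Resolver:
    """A resolving name server: answers from cache, else follows referrals."""

    def __init__(self, clock=time.monotonic):
        self.cache = {}          # qname -> (address, expires_at)
        self.clock = clock
        self.queries_sent = 0    # queries sent to authoritative servers

    def resolve(self, name):
        qname = name if name.endswith(".") else name + "."
        hit = self.cache.get(qname)
        if hit and hit[1] > self.clock():
            return hit[0], ["cache"]
        trail, server = [], "root"
        for _ in range(8):       # bound the referral chain
            self.queries_sent += 1
            trail.append(server)
            match = authoritative_lookup(server, qname)
            if match is None:
                return None, trail            # the name does not exist here
            owner, (rtype, value, ttl) = match
            if rtype == "NS":
                server = value                # referral: ask the delegated server
                continue
            if rtype == "A" and owner == qname:
                self.cache[qname] = (value, self.clock() + ttl)
                return value, trail
            return None, trail
        return None, trail


class FakeClock:
    """Manually advanced clock so TTL expiry can be demonstrated offline."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


if __name__ == "__main__":
    clock = FakeClock()
    resolver = Resolver(clock)
    print(resolver.resolve("www.example.org"))   # walks root -> .org -> example.org
    print(resolver.resolve("www.example.org"))   # served from the resolver's cache
    clock.now = 61                               # past the record's 60 s TTL
    print(resolver.resolve("www.example.org"))   # walks the chain again
```

The trail returned with each answer is the list of servers the resolver had to ask, which is the same sequence the text walks through for www.wikipedia.org; the cached answer stays valid only for the TTL the authoritative server attached to the record.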
More About Zone Files
Zone files are the way that name servers store information about the domains they know. The more zone files that a name server has, the more requests it will be able to answer authoritatively. Most requests to the average name server, however, are for domains that are not in the local zone file.
If the server is configured to handle recursive queries, like a resolving name server, it will find the answer and return it. Otherwise, it will tell the requesting entity where to look next.
A zone file describes a DNS zone, which is a subset of the entire DNS. Zone files are generally used to configure a single domain, and they can contain a number of records that define where resources are for the domain in question.
The zone file's $ORIGIN directive is a parameter equal to the zone's highest level of authority by default. If a zone file is used to configure the example.com domain, the $ORIGIN would be set to example.com.
This parameter is either configured at the top of the zone file or defined in the DNS server's configuration file that references the zone file. Either way, this parameter defines what authoritative records the zone governs.
Similarly, the $TTL directive configures the default Time to Live (TTL) value for resource records in the zone. This value defines the length of time that previously queried results are available to a caching name server before they expire.
Record Types
Each zone file contains records. In its simplest form, a record is a single mapping between a resource and a name. These can map a domain name to an IP address or define resources for the domain, such as name servers or mail servers. This section describes each record type in detail.
Start of Authority (SOA) Record
A Start of Authority (SOA) record is mandatory in all zone files, and it identifies the base DNS information about the domain. Each zone contains a single SOA record.
The SOA record stores information about the following:
The name of the DNS server for that zone
The administrator of the zone
The current version of the data file
The number of seconds that a secondary name server should wait before checking for updates
The number of seconds that a secondary name server should wait before retrying a failed zone transfer
The maximum number of seconds that a secondary name server can use data before it must either be refreshed or expire
The default TTL value (in seconds) for resource records in the zone
A and AAAA
Both types of address records map a host to an IP address. The A record is used to map a host to an IPv4 IP address, while AAAA records are used to map a host to an IPv6 address.
Canonical Name (CNAME)
A Canonical Name (CNAME) record is a type of resource record in the DNS that defines an alias for the canonical name of your server (the domain name defined in an A or AAAA record).
Mail Exchange (MX)
Mail Exchange (MX) records are used to define the mail servers used for a domain and ensure that email messages are routed correctly. The MX record should point to a host defined by an A or AAAA record and not one defined by a CNAME.
Name Server (NS)
Name Server (NS) records are used by TLD servers to direct traffic to the DNS server that contains the authoritative DNS records.
Pointer (PTR)
A Pointer (PTR) record is essentially the reverse of an A record. PTR records map an IP address to a DNS name, and they are mainly used to check if the server name is associated with the IP address from where the connection was initiated.
Sender Policy Framework (SPF)
Sender Policy Framework (SPF) records are used by mail servers to combat spam. An SPF record tells a mail server what IP addresses are authorized to send an email from your domain name. For example, if you wanted to ensure that only your mail server sends emails from your company's domain, such as example.com, you would create an SPF record with the IP address of your mail server. That way, an email sent from your domain, [email protected], would need to have an originating IP address of your company mail server in order to be accepted. This prevents people from spoofing emails from your domain name.
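The accept-or-reject decision a receiving mail server makes from an SPF record, as an added example that is not code from the study guide. The record and the sender addresses are constructed; only the ip4, ip6 and all terms are implemented, and mechanisms that would need extra DNS lookups (a, mx, include) are refused explicitly rather than guessed.

```python
"""Evaluate an SPF record against the IP address a message arrived from.

Added example, not code from the study guide. It implements the decision
the chapter describes: the receiving mail server reads the sending
domain's SPF record and accepts or rejects based on whether the
connecting IP is listed. Supported terms are ip4 and ip6 (with optional
CIDR length) and 'all' with its qualifier; mechanisms that need further
DNS lookups (a, mx, include, ...) raise NotImplementedError rather than
being guessed. The record and addresses are constructed.
"""
import ipaddress

# Constructed SPF record for example.com: only the listed relay networks
# may send mail for the domain; '-all' hard-fails every other source.
EXAMPLE_SPF = "v=spf1 ip4:192.0.2.0/28 ip6:2001:db8:1::/64 -all"

# SPF qualifiers: '+' (default) pass, '-' fail, '~' softfail, '?' neutral
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, sender_ip):
    """Return 'pass', 'fail', 'softfail', 'neutral', or 'none' (not SPF)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                     # not an SPF record at all
    addr = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":                 # matches every sender
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
            continue
        raise NotImplementedError(f"mechanism {name!r} needs DNS lookups")
    return "neutral"                      # nothing matched and no 'all' term


def rejects_unlisted_senders(record):
    """True only when the record ends in '-all', so unlisted sources fail."""
    return "-all" in record.lower().split()


if __name__ == "__main__":
    for ip in ("192.0.2.7", "192.0.2.200", "2001:db8:1::25"):
        print(ip, "->", check_spf(EXAMPLE_SPF, ip))
```

A record that ends in ~all or omits the all term never produces a hard fail, so the receiving server has no instruction to reject an unlisted source; rejects_unlisted_senders is the check a defender would run over their own domain's record.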
Text (TXT)
Text (TXT) records are used to hold text information. This record provides the ability to associate some arbitrary and unformatted text with a host or other name, such as human readable information about a server, network, data center, and other accounting information.
Service (SRV)
A Service (SRV) record is a specification of data in the DNS defining the location (the hostname and port number) of servers for specified services. The idea behind SRV is that, given a domain name (for example, example.com) and a service name (for example, web [HTTP], which runs on a protocol [TCP]), a DNS query may be issued to find the hostname that provides such a service for the domain, which may or may not be within the domain.
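To tie the zone file directives ($ORIGIN, $TTL) and the record types above together, here is an added example, not code from the study guide, that parses a small constructed zone file and checks it against rules the chapter states: exactly one SOA per zone, MX targets must not be CNAMEs, and no CNAME at the zone apex. It also applies the standard DNS rule that a CNAME cannot share its name with any other record. The zone text deliberately contains two mistakes for the lint to catch.

```python
"""Parse a small zone file and lint it against rules stated in the chapter.

Added example, not code from the study guide. ZONE_TEXT is constructed and
deliberately contains two mistakes for the lint to catch. Supported:
$ORIGIN and $TTL directives, '@' for the origin, relative names (completed
with $ORIGIN) and absolute names (trailing dot), an optional per-record
TTL, the IN class, and SOA/NS/A/AAAA/CNAME/MX/TXT/PTR/SRV/SPF records.
"""
import ipaddress
import shlex
from collections import defaultdict

ZONE_TEXT = """\
$ORIGIN example.com.
$TTL 300
@       IN SOA   ns1.example.com. hostmaster.example.com. 2017010101 7200 900 1209600 300
@       IN NS    ns1.example.com.
@       IN NS    ns2.example.com.
ns1     IN A     192.0.2.1
ns2     IN A     192.0.2.2
www     IN A     192.0.2.10
www     IN AAAA  2001:db8::10
mail    IN CNAME www                      ; alias for the web host
@  3600 IN MX    10 mail                  ; mistake: MX target is a CNAME
@       IN TXT   "v=spf1 ip4:192.0.2.10 -all"
@       IN CNAME www                      ; mistake: CNAME at the zone apex
"""

RTYPES = {"SOA", "NS", "A", "AAAA", "CNAME", "MX", "TXT", "PTR", "SRV", "SPF"}


def qualify(name, origin):
    """Absolute form of a name: '@' is the origin, a trailing dot means
    already absolute, anything else is relative to $ORIGIN."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name.lower()
    return f"{name}.{origin}".lower()


def parse_zone(text):
    """Return (origin, records); each record is (owner, ttl, type, rdata)."""
    origin, default_ttl, records = None, None, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments
        if not line:
            continue
        tokens = shlex.split(line)                   # keeps quoted TXT intact
        if tokens[0] == "$ORIGIN":
            origin = tokens[1].lower()
            continue
        if tokens[0] == "$TTL":
            default_ttl = int(tokens[1])
            continue
        if origin is None:
            raise ValueError("resource record before $ORIGIN")
        owner, rest = qualify(tokens[0], origin), tokens[1:]
        ttl = default_ttl
        if rest and rest[0].isdigit():               # explicit per-record TTL
            ttl, rest = int(rest[0]), rest[1:]
        if rest and rest[0].upper() == "IN":
            rest = rest[1:]
        rtype, rdata = rest[0].upper(), rest[1:]
        if rtype not in RTYPES:
            raise ValueError(f"unsupported record type {rtype} at {owner}")
        records.append((owner, ttl, rtype, rdata))
    return origin, records


def lint_zone(text):
    """Apply the chapter's rules plus the standard CNAME exclusivity rule."""
    origin, records = parse_zone(text)
    by_owner = defaultdict(list)
    for owner, _ttl, rtype, rdata in records:
        by_owner[owner].append((rtype, rdata))

    def is_cname(name):
        return any(t == "CNAME" for t, _ in by_owner.get(name, []))

    problems = []
    soa_count = sum(1 for r in records if r[2] == "SOA")
    if soa_count != 1:
        problems.append(f"zone needs exactly one SOA record, found {soa_count}")
    for owner, rrs in by_owner.items():
        types = {t for t, _ in rrs}
        if "CNAME" in types and len(rrs) > 1:
            problems.append(f"{owner}: CNAME cannot coexist with other records")
        if "CNAME" in types and owner == origin:
            problems.append(f"{owner}: CNAME at the zone apex; use A/AAAA (or an alias)")
        for rtype, rdata in rrs:
            if rtype == "MX" and is_cname(qualify(rdata[1], origin)):
                problems.append(f"{owner}: MX target {rdata[1]} is a CNAME")
            elif rtype == "A":
                ipaddress.IPv4Address(rdata[0])      # raises on a malformed address
            elif rtype == "AAAA":
                ipaddress.IPv6Address(rdata[0])
    return problems


if __name__ == "__main__":
    for problem in lint_zone(ZONE_TEXT):
        print(problem)
```

Relative names are completed with the $ORIGIN, so the MX target mail resolves to mail.example.com. before the lint looks up whether that owner is a CNAME; the per-record TTL on the MX line overrides the $TTL default exactly as the directive section describes.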
Amazon Route 53 Overview
Now that you have a foundational understanding of DNS and the different DNS record types, you can explore Amazon Route 53. Amazon Route 53 is a highly available and scalable cloud DNS web service that is designed to give developers and businesses an extremely reliable and cost-effective way to route end users to Internet applications.
Amazon Route 53 performs three main functions:
Domain registration—Amazon Route 53 lets you register domain names, such as example.com.
DNS service—Amazon Route 53 translates friendly domain names like www.example.com into IP addresses like 192.0.2.1. Amazon Route 53 responds to DNS queries using a global network of authoritative DNS servers, which reduces latency. To comply with DNS standards, responses sent over User Datagram Protocol (UDP) are limited to 512 bytes in size. Responses exceeding 512 bytes are truncated, and the resolver must re-issue the request over TCP.
Health checking—Amazon Route 53 sends automated requests over the Internet to your application to verify that it's reachable, available, and functional.
You can use any combination of these functions. For example, you can use Amazon Route 53 as both your registrar and your DNS service, or you can use Amazon Route 53 as the DNS service for a domain that you registered with another domain registrar.
Domain Registration
If you want to create a website, you first need to register the domain name. If you already registered a domain name with another registrar, you have the option to transfer the domain registration to Amazon Route 53. It isn't required to use Amazon Route 53 as your DNS service or to configure health checking for your resources.
Amazon Route 53 supports domain registration for a wide variety of generic TLDs (for example, .com and .org) and geographic TLDs (for example, .be and .us). For a complete list of supported TLDs, refer to the Amazon Route 53 Developer Guide at https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/.
Domain Name System (DNS) Service
As stated previously, Amazon Route 53 is an authoritative DNS service that routes Internet traffic to your website by translating friendly domain names into IP addresses. When someone enters your domain name in a browser or sends you an email, a DNS request is forwarded to the nearest Amazon Route 53 DNS server in a global network of authoritative DNS servers. Amazon Route 53 responds with the IP address that you specified.
If you register a new domain name with Amazon Route 53, Amazon Route 53 will be automatically configured as the DNS service for the domain, and a hosted zone will be created for your domain. You add resource record sets to the hosted zone, which define how you want Amazon Route 53 to respond to DNS queries for your domain (for example, with the IP address for a web server, the IP address for the nearest Amazon CloudFront edge location, or the IP address for an Elastic Load Balancing load balancer).
If you registered your domain with another domain registrar, that registrar is probably providing the DNS service for your domain. You can transfer DNS service to Amazon Route 53, with or without transferring registration for the domain.
If you're using Amazon CloudFront, Amazon Simple Storage Service (Amazon S3), or Elastic Load Balancing, you can configure Amazon Route 53 to route Internet traffic to those resources.
Hosted Zones
A hosted zone is a collection of resource record sets hosted by Amazon Route 53. Like a traditional DNS zone file, a hosted zone represents resource record sets that are managed together under a single domain name. Each hosted zone has its own metadata and configuration information.
There are two types of hosted zones: private and public. A private hosted zone is a container that holds information about how you want to route traffic for a domain and its subdomains within one or more Amazon Virtual Private Clouds (Amazon VPCs). A public hosted zone is a container that holds information about how you want to route traffic on the Internet for a domain (for example, example.com) and its subdomains (for example, apex.example.com and acme.example.com).
The resource record sets contained in a hosted zone must share the same suffix. For example, the example.com hosted zone can contain resource record sets for the www.example.com and www.aws.example.com subdomains, but it cannot contain resource record sets for a www.example.ca subdomain.
You can use Amazon S3 to host your static website at the hosted zone (for example, domain.com) and redirect all requests to a subdomain (for example, www.domain.com). Then, in Amazon Route 53, you can create an alias resource record that sends requests for the root domain to the Amazon S3 bucket.
Use an alias record, not a CNAME, for your hosted zone. CNAMEs are not allowed for hosted zones in Amazon Route 53.
Do not use A records for subdomains (for example, www.domain.com), as they refer to hardcoded IP addresses. Instead, use Amazon Route 53 alias records or traditional CNAME records to always point to the right resource, wherever your site is hosted, even when the physical server has changed its IP address.
Supported Record Types
Amazon Route 53 supports the following DNS resource record types. When you access Amazon Route 53 using the API, you will see examples of how to format the Value element for each record type. Supported record types include:
A
AAAA
CNAME
MX
NS
PTR
SOA
SPF
SRV
TXT
Routing Policies
When you create a resource record set, you choose a routing policy, which determines how Amazon Route 53 responds to queries. Routing policy options are simple, weighted, latency-based, failover, and geolocation. When specified, Amazon Route 53 evaluates a resource's relative weight, the client's network latency to the resource, or the client's geographical location when deciding which resource to send back in a DNS response.
Routing policies can be associated with health checks, so resource health status is considered before it even becomes a candidate in a conditional decision tree. A description of possible routing policies and more on health checking is covered in this section.
Simple
This is the default routing policy when you create a new resource. Use a simple routing policy when you have a single resource that performs a given function for your domain (for example, one web server that serves content for the example.com website). In this case, Amazon Route 53 responds to DNS queries based only on the values in the resource record set (for example, the IP address in an A record).
Weighted
With weighted DNS, you can associate multiple resources (such as Amazon Elastic Compute Cloud [Amazon EC2] instances or Elastic Load Balancing load balancers) with a single DNS name.
Use the weighted routing policy when you have multiple resources that perform the same function (such as web servers that serve the same website), and you want Amazon Route 53 to route traffic to those resources in proportions that you specify. For example, you may use this for load balancing between different AWS regions or to test new versions of your website (you can send 10 percent of traffic to the test environment and 90 percent of traffic to the older version of your website).
To create a group of weighted resource record sets, you need to create two or more resource record sets that have the same DNS name and type. You then assign each resource record set a unique identifier and a relative weight.
When processing a DNS query, Amazon Route 53 searches for a resource record set or a group of resource record sets that have the same name and DNS record type (such as an A record). Amazon Route 53 then selects one record from the group. The probability of any resource record set being selected is governed by the following formula:
Latency-Based
Latency-based routing allows you to route your traffic based on the lowest network latency for your end user (for example, using the AWS region that will give them the fastest response time).
Use the latency routing policy when you have resources that perform the same function in multiple AWS Availability Zones or regions and you want Amazon Route 53 to respond to DNS queries using the resources that provide the best latency. For example, suppose you have Elastic Load Balancing load balancers in the U.S. West (Oregon) region and in the Asia Pacific (Singapore) region, and you created a latency resource record set in Amazon Route 53 for each load balancer. A user in London enters the name of your domain in a browser, and DNS routes the request to an Amazon Route 53 name server. Amazon Route 53 refers to its data on latency between London and the Singapore region and between London and the Oregon region. If latency is lower between London and the Oregon region, Amazon Route 53 responds to the user's request with the IP address of your load balancer in Oregon. If latency is lower between London and the Singapore region, Amazon Route 53 responds with the IP address of your load balancer in Singapore.
Failover
Use a failover routing policy to configure active-passive failover, in which one resource takes all the traffic when it's available and the other resource takes all the traffic when the first resource isn't available. Note that you can't create failover resource record sets for private hosted zones.
For example, you might want your primary resource record set to be in U.S. West (N. California) and your secondary, Disaster Recovery (DR), resource(s) to be in U.S. East (N. Virginia). Amazon Route 53 will monitor the health of your primary resource endpoints using a health check.
A health check tells Amazon Route 53 how to send requests to the endpoint whose health you want to check: which protocol to use (HTTP, HTTPS, or TCP), which IP address and port to use, and, for HTTP/HTTPS health checks, a domain name and path.
After you have configured a health check, Amazon will monitor the health of your selected DNS endpoint. If your health check fails, then failover routing policies will be applied and your DNS will fail over to your DR site.
Geolocation
Geolocation routing lets you choose where Amazon Route 53 will send your traffic based on the geographic location of your users (the location from which DNS queries originate). For example, you might want all queries from Europe to be routed to a fleet of Amazon EC2 instances that are specifically configured for your European customers, with local languages and pricing in Euros.
You can also use geolocation routing to restrict distribution of content to only the locations in which you have distribution rights. Another possible use is for balancing load across endpoints in a predictable, easy-to-manage way so that each user location is consistently routed to the same endpoint.
You can specify geographic locations by continent, by country, or even by state in the United States. You can also create separate resource record sets for overlapping geographic regions, and priority goes to the smallest geographic region. For example, you might have one resource record set for Europe and one for the United Kingdom. This allows you to route some queries for selected countries (in this example, the United Kingdom) to one resource and to route queries for the rest of the continent (in this example, Europe) to a different resource.
Geolocation works by mapping IP addresses to locations. You should be cautious, however, as some IP addresses aren't mapped to geographic locations. Even if you create geolocation resource record sets that cover all seven continents, Amazon Route 53 will receive some DNS queries from locations that it can't identify.
In this case, you can create a default resource record set that handles both queries from IP addresses that aren't mapped to any location and queries that come from locations for which you haven't created geolocation resource record sets. If you don't create a default resource record set, Amazon Route 53 returns a "no answer" response for queries from those locations.
You cannot create two geolocation resource record sets that specify the same geographic location. You also cannot create geolocation resource record sets that have the same values for "Name" and "Type" as the "Name" and "Type" of non-geolocation resource record sets.
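The weighted, latency-based, failover and geolocation policies described above, simulated offline as an added example that is not Route 53 code. The record sets use the field names of the Route 53 API (SetIdentifier, Weight, Region, Failover, GeoLocation, HealthCheckId) but their values, the health states, the latency table and the client locations are all constructed. The weighted selection uses the probability weight / sum of weights, which is the formula the text refers to; the geolocation logic applies the smallest-region priority and the default record (CountryCode "*") behaviour described in the preceding paragraphs.

```python
"""Simulate the answer each Route 53 routing policy would return.

Added example, not Route 53 code. The record sets (using the field names
of the Route 53 API: SetIdentifier, Weight, Region, Failover, GeoLocation,
HealthCheckId), the health states, the latency table, and the client
locations are all constructed. Selection follows the chapter: weighted
answers with probability weight / sum of weights among healthy records;
latency returns the healthy record with the lowest measured latency;
failover returns PRIMARY while it is healthy, otherwise SECONDARY;
geolocation prefers the most specific matching location, then the default
record (CountryCode "*"), and otherwise gives no answer.
"""
import random
from fractions import Fraction

# Constructed: measured latency from a client location to each region (ms).
LATENCY_MS = {"London": {"us-west-2": 140, "ap-southeast-1": 170}}

WEIGHTED = [  # the chapter's 90/10 split between the old and test versions
    {"SetIdentifier": "old", "Weight": 90, "Value": "192.0.2.10", "HealthCheckId": "hc-old"},
    {"SetIdentifier": "test", "Weight": 10, "Value": "192.0.2.20", "HealthCheckId": "hc-test"},
]
LATENCY = [
    {"SetIdentifier": "oregon", "Region": "us-west-2", "Value": "192.0.2.30", "HealthCheckId": "hc-or"},
    {"SetIdentifier": "singapore", "Region": "ap-southeast-1", "Value": "192.0.2.40", "HealthCheckId": "hc-sg"},
]
FAILOVER = [
    {"SetIdentifier": "prod", "Failover": "PRIMARY", "Value": "192.0.2.50", "HealthCheckId": "hc-prod"},
    {"SetIdentifier": "dr", "Failover": "SECONDARY", "Value": "192.0.2.60"},
]
GEO = [
    {"SetIdentifier": "eu", "GeoLocation": {"ContinentCode": "EU"}, "Value": "192.0.2.70"},
    {"SetIdentifier": "uk", "GeoLocation": {"CountryCode": "GB"}, "Value": "192.0.2.80"},
    {"SetIdentifier": "default", "GeoLocation": {"CountryCode": "*"}, "Value": "192.0.2.90"},
]


def healthy(rs, health):
    """A record set without a health check is always considered healthy."""
    hc = rs.get("HealthCheckId")
    return hc is None or health.get(hc, False)


def weighted_probabilities(records, health):
    """Chance of each record being returned: its weight over the healthy total."""
    live = [r for r in records if healthy(r, health) and r["Weight"] > 0]
    total = sum(r["Weight"] for r in live)
    return {r["SetIdentifier"]: Fraction(r["Weight"], total) for r in live}


def pick_weighted(records, health, rng=random):
    live = [r for r in records if healthy(r, health) and r["Weight"] > 0]
    if not live:
        return None
    return rng.choices(live, weights=[r["Weight"] for r in live])[0]["Value"]


def pick_latency(records, health, client_city):
    live = [r for r in records if healthy(r, health)]
    if not live:
        return None
    table = LATENCY_MS[client_city]
    return min(live, key=lambda r: table[r["Region"]])["Value"]


def pick_failover(records, health):
    by_role = {r["Failover"]: r for r in records}
    primary, secondary = by_role.get("PRIMARY"), by_role.get("SECONDARY")
    if primary and healthy(primary, health):
        return primary["Value"]
    return secondary["Value"] if secondary else None


# Smaller region wins: state (subdivision) over country over continent;
# the default record ranks last so it answers only when nothing else matches.
GEO_RANK = {"SubdivisionCode": 0, "CountryCode": 1, "ContinentCode": 2}


def pick_geolocation(records, health, client_loc):
    """client_loc: dict with any of ContinentCode/CountryCode/SubdivisionCode."""
    candidates = []
    for r in records:
        if not healthy(r, health):
            continue
        geo = r["GeoLocation"]
        if geo.get("CountryCode") == "*":
            candidates.append((3, r))
            continue
        for key, rank in GEO_RANK.items():
            if key in geo and geo[key] == client_loc.get(key):
                candidates.append((rank, r))
                break
    if not candidates:
        return None                      # Route 53 returns "no answer"
    return min(candidates, key=lambda c: c[0])[1]["Value"]
```

Running weighted_probabilities with the test record marked unhealthy shows why the text says health is considered before a record becomes a candidate: the remaining healthy record's probability rises to 1, rather than 10 percent of queries going unanswered.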
More on Health Checking
Amazon Route 53 health checks monitor the health of your resources such as web servers and email servers. You can configure Amazon CloudWatch alarms for your health checks so that you receive notification when a resource becomes unavailable. You can also configure Amazon Route 53 to route Internet traffic away from resources that are unavailable.
Health checks and DNS failover are major tools in the Amazon Route 53 feature set that help make your application highly available and resilient to failures. If you deploy an application in multiple Availability Zones and multiple AWS regions, with Amazon Route 53 health checks attached to every endpoint, Amazon Route 53 can send back a list of healthy endpoints only. Health checks can automatically switch to a healthy endpoint with minimal disruption to your clients and without any configuration changes. You can use this automatic recovery scenario in active-active or active-passive setups, depending on whether your additional endpoints are always hit by live traffic or only after all primary endpoints have failed. Using health checks and automatic failovers, Amazon Route 53 improves your service uptime, especially when compared to the traditional monitor-alert-restart approach of addressing failures.
Amazon Route 53 health checks are not triggered by DNS queries; they are run periodically by AWS, and results are published to all DNS servers. This way, name servers can be aware of an unhealthy endpoint and route differently within approximately 30 seconds of a problem (after three failed tests in a row), and new DNS results will be known to clients a minute later (assuming your TTL is 60 seconds), bringing complete recovery time to about a minute and a half in total in this scenario.
The 2014 AWS re:Invent session SDD408, "Amazon Route 53 Deep Dive: Delivering Resiliency, Minimizing Latency," introduced a set of best practices for Amazon Route 53. Explore those best practices to help you get started using Amazon Route 53 as a building block to deliver highly-available and resilient applications on AWS.
Amazon Route 53 Enables Resiliency
When pulling these concepts together to build an application that is highly available and resilient to failures, consider these building blocks:
In every AWS region, an Elastic Load Balancing load balancer is set up with cross-zone load balancing and connection draining. This distributes the load evenly across all instances in all Availability Zones, and it ensures requests in flight are fully served before an Amazon EC2 instance is disconnected from an Elastic Load Balancing load balancer for any reason.
Each Elastic Load Balancing load balancer delegates requests to Amazon EC2 instances running in multiple Availability Zones in an auto-scaling group. This protects the application from Availability Zone outages, ensures that a minimum number of instances is always running, and responds to changes in load by properly scaling each group's Amazon EC2 instances.
Each Elastic Load Balancing load balancer has health checks defined to ensure that it delegates requests only to healthy instances.
Each Elastic Load Balancing load balancer also has an Amazon Route 53 health check associated with it to ensure that requests are routed only to load balancers that have healthy Amazon EC2 instances.
The application's production environment (for example, prod.domain.com) has Amazon Route 53 alias records that point to Elastic Load Balancing load balancers. The production environment also uses a latency-based routing policy that is associated with Elastic Load Balancing health checks. This ensures that requests are routed to a healthy load balancer, thereby providing minimal latency to a client.
The application's failover environment (for example, fail.domain.com) has an Amazon Route 53 alias record that points to an Amazon CloudFront distribution of an Amazon S3 bucket hosting a static version of the application.
The application's subdomain (for example, www.domain.com) has an Amazon Route 53 alias record that points to prod.domain.com (as primary target) and fail.domain.com (as secondary target) using a failover routing policy. This ensures www.domain.com routes to the production load balancers if at least one of them is healthy or the "fail whale" if all of them appear to be unhealthy.
The application's hosted zone (for example, domain.com) has an Amazon Route 53 alias record that redirects requests to www.domain.com using an Amazon S3 bucket of the same name.
Application content (both static and dynamic) can be served using Amazon CloudFront. This ensures that the content is delivered to clients from Amazon CloudFront edge locations spread all over the world to provide minimal latency. Serving dynamic content from a Content Delivery Network (CDN), where it is cached for short periods of time (that is, several seconds), takes the load off of the application and further improves its latency and responsiveness.
The application is deployed in multiple AWS regions, protecting it from a regional outage.
Summary
In this chapter, you learned the fundamentals of DNS, which is the methodology that computers use to convert human-friendly domain names (for example, amazon.com) into IP addresses (such as 192.0.2.1).
DNS starts with TLDs (for example, .com, .edu). The Internet Assigned Numbers Authority (IANA) controls the TLDs in a root zone database, which is essentially a database of all available TLDs.
DNS names are registered with a domain registrar. A registrar is an authority that can assign domain names directly under one or more TLDs. These domains are registered with InterNIC, a service of ICANN, which enforces the uniqueness of domain names across the Internet. Each domain name becomes registered in a central database, known as the WhoIS database.
DNS consists of a number of different record types, including but not limited to the following:
A
AAAA
CNAME
MX
NS
PTR
SOA
SPF
TXT
Amazon Route 53 is a highly available and highly scalable AWS-provided DNS service. Amazon Route 53 connects user requests to infrastructure running on AWS (for example, Amazon EC2 instances and Elastic Load Balancing load balancers). It can also be used to route users to infrastructure outside of AWS.
With Amazon Route 53, your DNS records are organized into hosted zones that you configure with the Amazon Route 53 API. A hosted zone simply stores records for your domain. These records can consist of A, CNAME, MX, and other supported record types.
Amazon Route 53 allows you to have several different routing policies, including the following:
Simple—Most commonly used when you have a single resource that performs a given function for your domain
Weighted—Used when you want to route a percentage of your traffic to one particular resource or resources
Latency-Based—Used to route your traffic based on the lowest latency so that your users get the fastest response times
Failover—Used for DR and to route your traffic from your resources in a primary location to a standby location
Geolocation—Used to route your traffic based on your end user’s location
Remember to pull these concepts together to build an application that is highly available and resilient to failures. Use Elastic Load Balancing load balancers across Availability Zones with connection draining enabled, use health checks defined to ensure that the application delegates requests only to healthy Amazon EC2 instances, and use a latency-based routing policy with Elastic Load Balancing health checks to ensure requests are routed with minimal latency to clients. Use Amazon CloudFront edge locations to spread content all over the world with minimal client latency. Deploy the application in multiple AWS regions, protecting it from a regional outage.
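The routing policies listed above, and the layered www → prod → fail design described at the start of this section, can be modelled as a small resolver to make their semantics concrete. The following is an added example written for this study text, not AWS code: each policy is reduced to a selection function over health-checked records, and `resolve_www` chains failover over latency-based routing the way the chapter's architecture does. Record fields, target names and latencies are constructed assumptions.

```python
"""Route 53 routing-policy semantics as a small resolver model (added example, not AWS code)."""
import random
from dataclasses import dataclass
from typing import Optional


@dataclass
class Record:
    """One resource record set in a hosted zone (constructed model of the chapter's concepts)."""
    target: str                        # what the alias points at, e.g. an ELB DNS name
    healthy: bool = True               # outcome of the associated health check
    weight: int = 0                    # weighted policy (Route 53 allows 0..255)
    latency_ms: Optional[int] = None   # latency-based policy: latency from the client's region
    failover: Optional[str] = None     # failover policy: "PRIMARY" or "SECONDARY"
    geo: Optional[str] = None          # geolocation policy: country code, "*" for the default record


def healthy_only(records):
    """Health checks remove unhealthy records from consideration before any policy is applied."""
    return [r for r in records if r.healthy]


def resolve_simple(records):
    return records[0].target


def resolve_weighted(records, roll):
    """roll is in [0, 1); the weights of the remaining healthy records are renormalized."""
    candidates = healthy_only(records)
    total = sum(r.weight for r in candidates)
    if total == 0:
        return None
    cursor = roll * total
    for r in candidates:
        if cursor < r.weight:
            return r.target
        cursor -= r.weight
    return candidates[-1].target


def resolve_latency(records):
    candidates = [r for r in healthy_only(records) if r.latency_ms is not None]
    return min(candidates, key=lambda r: r.latency_ms).target if candidates else None


def resolve_failover(records):
    """Primary while its health check passes, otherwise the secondary (the static 'fail whale')."""
    for r in records:
        if r.failover == "PRIMARY" and r.healthy:
            return r.target
    for r in records:
        if r.failover == "SECONDARY":
            return r.target
    return None


def resolve_geolocation(records, country):
    candidates = healthy_only(records)
    for r in candidates:
        if r.geo == country:
            return r.target
    for r in candidates:
        if r.geo == "*":               # default record for locations with no specific match
            return r.target
    return None


def weighted_distribution(records, draws, seed=0):
    """Count where repeated lookups land, to check that 50/50 weights really split traffic."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(draws):
        target = resolve_weighted(records, rng.random())
        counts[target] = counts.get(target, 0) + 1
    return counts


def resolve_www(elbs, static_target):
    """The chapter's layered design: www -> failover(prod, fail); prod -> latency over healthy ELBs.
    prod.domain.com counts as healthy as long as at least one ELB passes its Route 53 health check."""
    prod_target = resolve_latency(elbs)
    chain = [Record("prod", healthy=prod_target is not None, failover="PRIMARY"),
             Record(static_target, failover="SECONDARY")]
    chosen = resolve_failover(chain)
    return prod_target if chosen == "prod" else chosen
```

The point worth noticing is in `resolve_www`: the failover record never becomes active because of a single bad instance, only when every load balancer fails its health check, which is exactly why the health check on each alias has to be in place for the design to degrade gracefully rather than serve errors.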
Exam Essentials
Understand what DNS is. DNS is the methodology that computers use to convert human-friendly domain names (for example, amazon.com) into IP addresses (such as 192.0.2.1).
Know how DNS registration works. Domains are registered with domain registrars that in turn register the domain name with InterNIC, a service of ICANN. ICANN enforces uniqueness of domain names across the Internet. Each domain name becomes registered in a central database known as the WhoIS database. Domains are defined by their TLDs. TLDs are controlled by IANA in a root zone database, which is essentially a database of all available TLDs.
Remember the steps involved in DNS resolution. Your browser asks the resolving DNS server what the IP address is for amazon.com. The resolving server does not know the address, so it asks a root server the same question. There are 13 root servers around the world, and these are managed by ICANN. The root server replies that it does not know the answer to this, but it can give an address to a TLD server that knows about .com domain names. The resolving server then contacts the TLD server. The TLD server does not know the address of the domain name either, but it does know the address of the resolving name server. The resolving server then queries the resolving name server. The resolving name server contains the authoritative records and sends these to the resolving server, which then saves these records locally so it does not have to perform these steps again in the near future. The resolving name server returns this information to the user’s web browser, which also caches the information.
Remember the different record types. DNS consists of the following different record types: A (address record), AAAA (IPv6 address record), CNAME (canonical name record or alias), MX (mail exchange record), NS (name server record), PTR (pointer record), SOA (start of authority record), SPF (sender policy framework), SRV (service locator), and TXT (text record). You should know the differences among each record type.
Remember the different routing policies. With Amazon Route 53, you can have different routing policies. The simple routing policy is most commonly used when you have a single resource that performs a given function for your domain. Weighted routing is used when you want to route a percentage of your traffic to a particular resource or resources. Latency-based routing is used to route your traffic based on the lowest latency so that your users get the fastest response times. Failover routing is used for DR and to route your traffic from a primary resource to a standby resource. Geolocation routing is used to route your traffic based on your end user’s location.
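The resolution steps and record types above are easier to remember once you have seen what actually travels to port 53. The following is an added example, not part of the study guide: it builds a DNS query, constructs an authoritative answer for it containing A, AAAA, MX and TXT records (using name compression, the pointer form that every parser must handle), parses the answer back, and checks the TC flag that tells a client to repeat the query over TCP when a UDP answer would not fit in 512 bytes. The name example.com, the addresses and the SPF text are constructed sample data; the pointer-loop guard is a defensive choice of this example, since a hostile message can otherwise send a naive parser into an infinite loop.

```python
"""DNS wire format: build a query, answer it, parse the answer (added example, not from the study guide)."""
import ipaddress
import struct

DNS_PORT = 53            # DNS serves requests on port 53, over UDP first
UDP_PAYLOAD_LIMIT = 512  # classic UDP limit: a larger answer comes back with TC=1 and is retried over TCP
TYPES = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "PTR": 12, "MX": 15, "TXT": 16, "AAAA": 28, "SRV": 33}
TYPE_NAMES = {v: k for k, v in TYPES.items()}
FLAG_QR, FLAG_AA, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080


def encode_name(name):
    """'mail.example.com' -> length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg, offset, hops=0):
    """Decode a name at offset, following compression pointers; returns (name, offset after the name)."""
    labels = []
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                            # pointer to an earlier copy of the name
            if hops > 16:
                raise ValueError("compression pointer loop")  # guard against malformed/hostile messages
            tail, _ = decode_name(msg, ((length & 0x3F) << 8) | msg[offset + 1], hops + 1)
            parts = labels + ([tail[:-1]] if tail != "." else [])
            return ".".join(parts) + ".", offset + 2
        offset += 1
        if length == 0:
            return ".".join(labels) + ".", offset
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def encode_rdata(rtype, value):
    if rtype in (TYPES["A"], TYPES["AAAA"]):
        return ipaddress.ip_address(value).packed
    if rtype in (TYPES["NS"], TYPES["CNAME"], TYPES["PTR"]):
        return encode_name(value)
    if rtype == TYPES["MX"]:                                 # value is (preference, mail host)
        return struct.pack("!H", value[0]) + encode_name(value[1])
    if rtype == TYPES["TXT"]:                                # one character-string of up to 255 bytes
        raw = value.encode("ascii")
        return bytes([len(raw)]) + raw
    raise ValueError("unsupported record type %r" % rtype)


def decode_rdata(msg, rtype, start, rdlen):
    data = msg[start:start + rdlen]
    if rtype in (TYPES["A"], TYPES["AAAA"]):
        return str(ipaddress.ip_address(data))
    if rtype in (TYPES["NS"], TYPES["CNAME"], TYPES["PTR"]):
        return decode_name(msg, start)[0]
    if rtype == TYPES["MX"]:
        return struct.unpack("!H", data[:2])[0], decode_name(msg, start + 2)[0]
    if rtype == TYPES["TXT"]:
        return data[1:1 + data[0]].decode("ascii")
    return data.hex()


def build_query(name, qtype, txid=0x1234):
    """A recursive query (RD=1) with one question, as a stub resolver sends it to UDP/53."""
    return struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", TYPES[qtype], 1)


def build_response(query, answers, authoritative=False, truncated=False):
    """Answer the query's name; each answer is (type name, ttl, value). 0xC00C points at the question name."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AA if authoritative else 0) | (FLAG_TC if truncated else 0)
    body = b""
    for type_name, ttl, value in answers:
        rdata = encode_rdata(TYPES[type_name], value)
        body += b"\xC0\x0C" + struct.pack("!HHIH", TYPES[type_name], 1, ttl, len(rdata)) + rdata
    return struct.pack("!HHHHHH", query[0] << 8 | query[1], flags, 1, len(answers), 0, 0) + query[12:] + body


def parse_response(msg):
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):                                 # skip the echoed question(s)
        offset = decode_name(msg, offset)[1] + 4              # name + QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, offset = decode_name(msg, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        answers.append((name, TYPE_NAMES.get(rtype, rtype), ttl, decode_rdata(msg, rtype, offset, rdlen)))
        offset += rdlen
    return {"id": txid, "authoritative": bool(flags & FLAG_AA), "truncated": bool(flags & FLAG_TC),
            "rcode": flags & 0xF, "answers": answers}


def must_retry_over_tcp(msg):
    """A UDP answer that did not fit in 512 bytes arrives with TC=1; the client repeats it over TCP/53."""
    return parse_response(msg)["truncated"]


# Constructed sample exchange for example.com (not captured from a live resolver).
SAMPLE_QUERY = build_query("example.com", "A")
SAMPLE_RESPONSE = build_response(SAMPLE_QUERY, [
    ("A", 300, "192.0.2.1"), ("AAAA", 300, "2001:db8::1"),
    ("MX", 3600, (10, "mail.example.com")), ("TXT", 3600, "v=spf1 include:_spf.example.com -all"),
], authoritative=True)

if __name__ == "__main__":
    for answer in parse_response(SAMPLE_RESPONSE)["answers"]:
        print(answer)
```

Running the block prints the four parsed answers; the transaction ID echoed in the header is the only thing tying an answer to its query on a plain UDP socket, which is why a resolver that reuses predictable IDs and source ports is easy to poison and why DNSSEC exists.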
Exercises
In this section, you explore the different types of DNS routing policies that you can create using AWS. For specific step-by-step instructions, refer to the Amazon Route 53 information and documentation at http://aws.amazon.com/route53/. You will need your own domain name to complete this section, and you should be aware that Amazon Route 53 is not AWS Free Tier eligible. Hosting a zone on Amazon Route 53 should cost you a minimal amount per month per hosted zone, and additional charges will be levied depending on the routing policy you use. For current information on Amazon Route 53 pricing, refer to http://aws.amazon.com/route53/pricing/.
EXERCISE 9.1
Create a New Zone
1. Log in to the AWS Management Console.
2. Navigate to Amazon Route 53, and create a hosted zone.
3. Enter your domain name, and create your new zone file.
4. In the new zone file, you will see the SOA record and name servers. You will need to log in to your domain registrar’s website, and update the name servers with your AWS name servers.
5. After you update your name servers with your domain registrars, Amazon Route 53 will be configured to serve DNS requests for your domain.
You have now created your first Amazon Route 53 zone.
EXERCISE 9.2
Create Two Web Servers in Two Different Regions
In this exercise, you will create two new Amazon EC2 web servers in different AWS regions. You will use these in the following exercises when setting up Amazon Route 53 to access the web servers.
Create an Amazon EC2 Instance
1. Log in to the AWS Management Console.
2. Change your region to Asia Pacific (Sydney).
3. In the Compute section, load the Amazon EC2 dashboard. Launch an instance, and select the first Amazon Linux Amazon Machine Image (AMI).
4. Select the instance type, and configure your instance details. Take a close look at the different options available to you, and change your instance’s storage device settings as necessary.
5. Name the instance Sydney, and add a security group that allows HTTP.
6. Launch your new Amazon EC2 instance, and verify that it has launched properly.
Connect to Your Amazon EC2 Instance
7. Navigate to the Amazon EC2 instance in the AWS Management Console, and copy the public IP address to your clipboard.
8. Using a Secure Shell (SSH) client of your choice, connect to your Amazon EC2 instance using the public IP address, the username ec2-user, and your private key.
9. When prompted about the authenticity of the host, type Yes, and continue.
10. You should now be connected to your Amazon EC2 instance. Elevate your privileges to root by typing # sudo su.
11. While you’re logged in as the root user to your Amazon EC2 instance, run the following command to install Apache httpd:
# yum install httpd -y
12. After the installation has completed, run the command # service httpd start followed by # chkconfig httpd on.
13. Navigate to the EC2 instance, and type: cd /var/www/html
14. Type # nano index.html and press Enter.
15. In Nano, type This is the Sydney Server and then press Ctrl+X.
16. Type Y to confirm that you want to save the changes, and then press Enter.
17. Type # ls. You should now see your newly created index.html file.
18. In your browser, navigate to http://yourpublicipaddress/index.html.
You should now see your “This is the Sydney Server” home page. If you do not see this, check your security group to make sure you allowed access for port 80.
Create an Elastic Load Balancing Load Balancer
19. Return to the AWS Management Console, and navigate to the Amazon EC2 dashboard.
20. Create a load balancer named Sydney, leaving the settings at their default values.
21. Create your security group, and allow all traffic in on port 80.
22. Configure health check, leaving the settings at their default values.
23. Select your newly added instance. Add tags here if you want to tag your instances.
24. Click Create to provision your load balancer.
Create These Resources in a Second Region
25. Return to the AWS Management Console, and change your region to South America (Sao Paulo).
26. Repeat the three procedures in this section to add a second Amazon EC2 instance and a load balancer in this new region.
You have now created two web servers in different regions of the world and placed these regions behind Elastic Load Balancing load balancers.
EXERCISE 9.3
Create an Alias A Record with a Simple Routing Policy
1. Log in to the AWS Management Console, and navigate to the Amazon Route 53 dashboard.
2. Select your newly-created zone domain name, and create a record set with the name A − IPv4 Address.
3. Create an alias, leaving your routing policy set to Simple.
4. In your web browser, navigate to your domain name. You should now see a welcome screen for the Sydney region. If you do not see this, check that your Amazon EC2 instance is attached to your load balancer and that the instance is in service. If the instance is not in service, this means that it is failing its health check. Check that Apache HTTP Server (HTTPD) is running and that your index.html document is accessible.
You have now created your first Alias A record for the zone apex using the simple routing policy.
EXERCISE 9.4
Create a Weighted Routing Policy
1. Return to the AWS Management Console, and navigate to the Amazon Route 53 dashboard.
2. Navigate to hosted zones, and select your newly-created zone domain name.
3. Create a record set with type set to developer. This will create a subdomain of developer.yourdomainname.com.
4. Select your Sydney load balancer. Change the routing policy to Weighted with a value of 50 and a type of Sydney. Leave the other values at their defaults. Click Create. You will now see your newly-created DNS entry.
5. Create another record set with type set to developer. This will add a new record with the same name you created earlier. Both records will work together.
6. Select your Sao Paulo load balancer. Change the routing policy to Weighted with a value of 50 and type of Sao Paulo. Leave the other values at their defaults. Click Create. You will now see your newly-created DNS entry.
7. Test your DNS by visiting http://developer.yourdomainname.com and refreshing the page. You should be accessing the Sydney server 50 percent of the time and the Sao Paulo server the other 50 percent of the time.
You have now created a weighted DNS routing policy. You can continue to experiment with other routing policies by following the documentation at http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-policy.html.
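Exercises 9.3 and 9.4 are done in the console; the same records are what the Amazon Route 53 API receives as a ChangeBatch, and building that payload in code is how you would keep the configuration reviewable and repeatable. The following is an added example, not code from the study guide or from AWS: it assembles the two weighted alias records of Exercise 9.4, shows the failover record shape from the chapter's www → prod/fail design, and validates the group before anything is sent. The hosted zone ID, the ELB alias hosted zone IDs and the load balancer DNS names are placeholders (ELB alias zone IDs are region-specific values published by AWS; look up the ones for your region). Only `apply_change_batch` touches AWS and it imports boto3 lazily, so everything else runs offline.

```python
"""ChangeBatch payloads for the weighted and failover alias records of Exercises 9.3/9.4 (added example)."""

# PLACEHOLDERS: the hosted zone ID of your domain and the alias-target hosted zone IDs of ELBs in
# each region are values you must look up; nothing here is a real identifier.
HOSTED_ZONE_ID = "ZPLACEHOLDER000000"
ELB_ALIAS_HOSTED_ZONE = {"ap-southeast-2": "ZELBPLACEHOLDERSYD", "sa-east-1": "ZELBPLACEHOLDERGRU"}


def alias_target(dns_name, alias_hosted_zone_id, evaluate_target_health=True):
    """EvaluateTargetHealth=True makes the alias follow the load balancer's own instance health."""
    return {"HostedZoneId": alias_hosted_zone_id, "DNSName": dns_name,
            "EvaluateTargetHealth": evaluate_target_health}


def weighted_elb_record(name, set_identifier, weight, elb_dns_name, region):
    """One member of a weighted group; all members share Name and Type and differ by SetIdentifier."""
    if not 0 <= weight <= 255:
        raise ValueError("Route 53 weights must be in 0..255, got %r" % weight)
    return {"Name": name, "Type": "A", "SetIdentifier": set_identifier, "Weight": weight,
            "AliasTarget": alias_target(elb_dns_name, ELB_ALIAS_HOSTED_ZONE[region])}


def failover_record(name, set_identifier, role, dns_name, alias_hosted_zone_id):
    """role is PRIMARY or SECONDARY; the secondary is served only while the primary is unhealthy."""
    if role not in ("PRIMARY", "SECONDARY"):
        raise ValueError("Failover role must be PRIMARY or SECONDARY, got %r" % role)
    return {"Name": name, "Type": "A", "SetIdentifier": set_identifier, "Failover": role,
            "AliasTarget": alias_target(dns_name, alias_hosted_zone_id)}


def validate_record_group(record_sets):
    """Records sharing a Name must share a Type and carry distinct SetIdentifiers; returns the problems."""
    problems, seen, types_by_name = [], set(), {}
    for rr in record_sets:
        key = (rr["Name"], rr["SetIdentifier"])
        if key in seen:
            problems.append("duplicate SetIdentifier %s for %s" % (key[1], key[0]))
        seen.add(key)
        types_by_name.setdefault(rr["Name"], set()).add(rr["Type"])
    for name, types in types_by_name.items():
        if len(types) > 1:
            problems.append("mixed record types %s under %s" % (sorted(types), name))
    return problems


def change_batch(record_sets, action="UPSERT", comment=""):
    """Wrap validated record sets in the ChangeBatch structure change_resource_record_sets expects."""
    problems = validate_record_group(record_sets)
    if problems:
        raise ValueError("; ".join(problems))
    return {"Comment": comment,
            "Changes": [{"Action": action, "ResourceRecordSet": rr} for rr in record_sets]}


def exercise_9_4_batch(domain, sydney_elb_dns, saopaulo_elb_dns):
    """developer.<domain> split 50/50 between the two load balancers, as in Exercise 9.4."""
    name = "developer.%s." % domain
    return change_batch([
        weighted_elb_record(name, "Sydney", 50, sydney_elb_dns, "ap-southeast-2"),
        weighted_elb_record(name, "SaoPaulo", 50, saopaulo_elb_dns, "sa-east-1"),
    ], comment="weighted routing between two regions")


def www_failover_batch(domain, prod_dns, prod_alias_zone, fail_dns, fail_alias_zone):
    """www.<domain> -> prod (primary) with fail (secondary), the chapter's failover layer."""
    name = "www.%s." % domain
    return change_batch([
        failover_record(name, "prod", "PRIMARY", prod_dns, prod_alias_zone),
        failover_record(name, "fail", "SECONDARY", fail_dns, fail_alias_zone),
    ], comment="production with static failover")


def apply_change_batch(batch, hosted_zone_id=HOSTED_ZONE_ID):
    """The only call that needs AWS credentials (assumption: boto3 installed and credentials configured)."""
    import boto3
    client = boto3.client("route53")
    return client.change_resource_record_sets(HostedZoneId=hosted_zone_id, ChangeBatch=batch)
```

Because the batch is plain data, it can be diffed in a pull request and checked by `validate_record_group` before `apply_change_batch` runs, which catches the two mistakes the console silently lets through in a weighted group: a reused set identifier that overwrites the other record, and a type mismatch that splits the group.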
EXERCISE 9.5
Create a Hosted Zone for Amazon Virtual Private Cloud (Amazon VPC)
Amazon VPC details are covered in Chapter 4, “Amazon Virtual Private Cloud (Amazon VPC).”
Create a Private Hosted Zone
1. Return to the AWS Management Console, and navigate to the Amazon Route 53 dashboard.
2. Create a hosted zone, and enter your private domain name.
3. Select the default Amazon VPC that you used in Exercise 9.2 to deploy the first server in the Asia Pacific (Sydney) region. Click Create. This will create a new zone file.
Verify Amazon VPC Configuration
4. Return to the AWS Management Console, and change your region to Asia Pacific (Sydney).
5. In the Amazon VPC dashboard, choose your Amazon VPC.
6. Click on the default Amazon VPC from the list. Ensure that both DNS resolution and DNS hostnames are enabled. These settings are required to use private hosted zones.
Create Resource Record Sets
7. Return to the AWS Management Console, and navigate to the Amazon Route 53 dashboard.
8. Select your newly-created private zone domain name, and create a record set.
9. Enter the name you want to give to your Amazon EC2 instance (for example, webserver1), and select IPv4 address with no alias.
10. Enter the internal IP address of your Amazon EC2 instance that you noted in Exercise 9.2.
11. Leave your routing policy set to Simple, and click Create.
Connect to Your Amazon EC2 Instance
12. On the Amazon EC2 instances screen, wait until you see your virtual machine’s instance state as running. Copy the public IP address to your clipboard.
13. Using an SSH client of your choice, connect to your Amazon EC2 instance using the public IP address, the username ec2-user, and your private key. For example, if you’re using Terminal in OS X, you would type the following command:
14. When prompted about the authenticity of the host, type Yes and continue. You should now be connected to your Amazon EC2 instance.
15. While you’re logged in to your Amazon EC2 instance, run the following command to check if the hostnames in Amazon Route 53 are resolving:
nslookup webserver1.yourprivatehostedzone.com
16. You should receive a non-authoritative answer with the hostname and IP address for the record set that you created in Amazon Route 53.
You have now created a private hosted zone in Amazon Route 53 and associated it with an Amazon VPC. You can continue to add instances in Amazon VPC and create resource record sets for them in Amazon Route 53. These new instances would be able to inter-communicate with the instances in the same Amazon VPC using the domain name that you created.
Remember to delete your Amazon EC2 instances and Elastic Load Balancing load balancers after you’ve finished experimenting with your different routing policies. You may also want to delete the zone if you are no longer using it.
Review Questions
1. Which type of record is commonly used to route traffic to an IPv6 address?
A. An A record
B. A CNAME
C. An AAAA record
D. An MX record
2. Where do you register a domain name?
A. With your local government authority
B. With a domain registrar
C. With InterNIC directly
D. With the Internet Assigned Numbers Authority (IANA)
3. You have an application that for legal reasons must be hosted in the United States when U.S. citizens access it. The application must be hosted in the European Union when citizens of the EU access it. For all other citizens of the world, the application must be hosted in Sydney. Which routing policy should you choose in order to achieve this?
A. Latency-based routing
B. Simple routing
C. Geolocation routing
D. Failover routing
4. Which type of DNS record should you use to resolve an IP address to a domain name?
A. An A record
B. A CName
C. An SPF record
D. A PTR record
5. You host a web application across multiple AWS regions in the world, and you need to configure your DNS so that your end users will get the fastest network performance possible. Which routing policy should you apply?
A. Geolocation routing
B. Latency-based routing
C. Simple routing
D. Weighted routing
6. Which DNS record should you use to configure the transmission of email to your intended mail server?
A. SPF records
B. A records
C. MX records
D. SOA record
7. Which DNS records are commonly used to stop email spoofing and spam?
A. MX records
B. SPF records
C. A records
D. Cnames
8. You are rolling out A and B test versions of a web application to see which version results in the most sales. You need 10 percent of your traffic to go to version A, 10 percent to go to version B, and the rest to go to your current production version. Which routing policy should you choose to achieve this?
A. Simple routing
B. Weighted routing
C. Geolocation routing
D. Failover routing
9. Which DNS record must all zones have by default?
A. SPF
B. TXT
C. MX
D. SOA
10. Your company has its primary production site in Western Europe and its DR site in the Asia Pacific. You need to configure DNS so that if your primary site becomes unavailable, you can fail DNS over to the secondary site. Which DNS routing policy would best achieve this?
A. Weighted routing
B. Geolocation routing
C. Simple routing
D. Failover routing
11. Which type of DNS record should you use to resolve a domain name to another domain name?
A. An A record
B. A CNAME record
C. An SPF record
D. A PTR record
12. Which is a function that Amazon Route 53 does not perform?
A. Domain registration
B. DNS service
C. Load balancing
D. Health checks
13. Which DNS record can be used to store human-readable information about a server, network, and other accounting data with a host?
A. A TXT record
B. An MX record
C. An SPF record
D. A PTR record
14. Which resource record set would not be allowed for the hosted zone example.com?
A. www.example.com
B. www.aws.example.com
C. www.example.ca
D. www.beta.example.com
15. Which port number is used to serve requests by DNS?
A. 22
B. 53
C. 161
D. 389
16. Which protocol is primarily used by DNS to serve requests?
A. Transmission Control Protocol (TCP)
B. HyperText Transfer Protocol (HTTP)
C. File Transfer Protocol (FTP)
D. User Datagram Protocol (UDP)
17. Which protocol is used by DNS when response data size exceeds 512 bytes?
A. Transmission Control Protocol (TCP)
B. HyperText Transfer Protocol (HTTP)
C. File Transfer Protocol (FTP)
D. User Datagram Protocol (UDP)
18. What are the different hosted zones that can be created in Amazon Route 53?
1. Public hosted zone
2. Global hosted zone
3. Private hosted zone
A. 1 and 2
B. 1 and 3
C. 2 and 3
D. 1, 2, and 3
19. Amazon Route 53 cannot route queries to which AWS resource?
A. Amazon CloudFront distribution
B. Elastic Load Balancing load balancer
C. Amazon EC2
D. AWS OpsWorks
20. When configuring Amazon Route 53 as your DNS service for an existing domain, which is the first step that needs to be performed?
A. Create hosted zones.
B. Create resource record sets.
C. Register a domain with Amazon Route 53.
D. Transfer domain registration from current registrar to Amazon Route 53.
Chapter 10
Amazon ElastiCache
THE AWS CERTIFIED SOLUTIONS ARCHITECT ASSOCIATE EXAM OBJECTIVES COVERED IN THIS CHAPTER MAY INCLUDE, BUT ARE NOT LIMITED TO, THE FOLLOWING:
Domain 1.0: Designing highly available, cost-efficient, fault-tolerant, and scalable systems
Identify and recognize cloud architecture considerations, such as fundamental components and effective designs.
Content may include the following:
Planning and design
Architectural trade-off decisions
Best practices for AWS architecture
Elasticity and scalability
Domain 3.0: Data Security
3.1 Recognize and implement secure practices for optimum cloud deployment and maintenance.
Content may include the following:
AWS administration and security services
3.2 Recognize critical disaster recovery techniques and their implementation.
Introduction
This chapter focuses on building high-performance applications using in-memory caching technologies and Amazon ElastiCache. By using the Amazon ElastiCache service, you can offload the heavy lifting involved in the deployment and operation of cache environments running Memcached or Redis. It focuses on key topics you need to understand for the exam, including:
How to improve application performance using caching
How to launch cache environments in the cloud
What are the basic differences and use cases for Memcached and Redis?
How to scale your cluster vertically
How to scale your Memcached cluster horizontally using additional cache nodes
How to scale your Redis cluster horizontally using replication groups
How to back up and recover your Redis cluster
How to apply a layered security model
In-Memory Caching
One of the common characteristics of a successful application is a fast and responsive user experience. Research has shown that users will get frustrated and leave a website or app when it is slow to respond. In 2007, testing of Amazon.com’s retail site showed that for every 100ms increase in load times, sales decreased by 1%. Round-trips back and forth to a database and its underlying storage can add significant delays and are often the top contributor to application latency.
Caching frequently-used data is one of the most important performance optimizations you can make in your applications. Compared to retrieving data from an in-memory cache, querying a database is an expensive operation. By storing or moving frequently accessed data in-memory, application developers can significantly improve the performance and responsiveness of read-heavy applications. For example, the application session state for a large website can be stored in an in-memory caching engine, instead of storing the session data in the database.
For many years, developers have been building applications that use cache engines like Memcached or Redis to store data in-memory to get blazing fast application performance. Memcached is a simple-to-use in-memory key/value store that can be used to store arbitrary types of data. It is one of the most popular cache engines. Redis is a flexible in-memory data structure store that can be used as a cache, database, or even as a message broker. Amazon ElastiCache allows developers to easily deploy and manage cache environments running either Memcached or Redis.
Amazon ElastiCache
Amazon ElastiCache is a web service that simplifies the setup and management of distributed in-memory caching environments. This service makes it easy and cost effective to provide a high-performance and scalable caching solution for your cloud applications. You can use Amazon ElastiCache in your applications to speed the deployment of cache clusters and reduce the administration required for a distributed cache environment.
With Amazon ElastiCache, you can choose from a Memcached or Redis protocol-compliant cache engine and quickly launch a cluster within minutes. Because Amazon ElastiCache is a managed service, you can start using the service today with very few or no modifications to your existing applications that use Memcached or Redis. Because Amazon ElastiCache is protocol-compliant with both of these engines, you only need to change the endpoint in your configuration files.
Using Amazon ElastiCache, you can implement any number of caching patterns. The most common pattern is the cache-aside pattern depicted in Figure 10.1. In this scenario, the app server checks the cache first to see if it contains the data it needs. If the data does not exist in the cache node, it will query the database and serialize and write the query results to the cache. The next user request will then be able to read the data directly from the cache instead of querying the database.
FIGURE 10.1 Common caching architecture
While it is certainly possible to build and manage a cache cluster yourself on Amazon Elastic Compute Cloud (Amazon EC2), Amazon ElastiCache allows you to offload the heavy lifting of installation, patch management, and monitoring to AWS so you can focus on your application instead. Amazon ElastiCache also provides a number of features to enhance the reliability of critical deployments. While it is rare, the underlying Amazon EC2 instances can become impaired. Amazon ElastiCache can automatically detect and recover from the failure of a cache node. With the Redis engine, Amazon ElastiCache makes it easy to set up read replicas and fail over from the primary to a replica in the event of a problem.
Data Access Patterns
Retrieving a flat key from an in-memory cache will always be faster than the most optimized database query. You should evaluate the access pattern of the data before you decide to store it in cache. A good example of something to cache is the list of products in a catalog. For a busy website, the list of items could be retrieved thousands of times per second. While it makes sense to cache the most heavily requested items, you can also benefit from caching items that are not frequently requested.
There are also some data items that should not be cached. For example, if you generate a unique page every request, you probably should not cache the page results. However, even though the page changes every time, it does make sense to cache the components of the page that do not change.
Cache Engines
Amazon ElastiCache allows you to quickly deploy clusters of two different types of popular cache engines: Memcached and Redis. At a high level, Memcached and Redis may seem similar, but they support a variety of different use cases and provide different functionality.
Memcached
Memcached provides a very simple interface that allows you to write and read objects into in-memory key/value data stores. With Amazon ElastiCache, you can elastically grow and shrink a cluster of Memcached nodes to meet your demands. You can partition your cluster into shards and support parallelized operations for very high performance throughput. Memcached deals with objects as blobs that can be retrieved using a unique key. What you put into the object is up to you, and it is typically the serialized results from a database query. This could be simple string values or binary data.
Amazon ElastiCache supports a number of recent versions of Memcached. As of early 2016, the service supports Memcached version 1.4.24, and also older versions going back to 1.4.5. When a new version of Memcached is released, Amazon ElastiCache simplifies the upgrade process by allowing you to spin up a new cluster with the latest version.
Redis
In late 2013, Amazon ElastiCache added support to deploy Redis clusters. At the time of this writing, the service supports the deployment of Redis version 2.8.24, and also a number of older versions. Beyond the object support provided in Memcached, Redis supports a rich set of data types like strings, lists, and sets.
Unlike Memcached, Redis supports the ability to persist the in-memory data onto disk. This allows you to create snapshots that back up your data and then recover or replicate from the backups. Redis clusters also can support up to five read replicas to offload read requests. In the event of failure of the primary node, a read replica can be promoted and become the new master using Multi-AZ replication groups.
Redis also has advanced features that make it easy to sort and rank data. Some common use cases include building a leaderboard for a mobile application or serving as a high-speed message broker in a distributed system. With a Redis cluster, you can leverage a publish and subscribe messaging abstraction that allows you to decouple the components of your applications. A publish and subscribe messaging architecture gives you the flexibility to change how you consume the messages in the future without affecting the component that is producing the messages in the first place.
Nodes and Clusters
Each deployment of Amazon ElastiCache consists of one or more nodes in a cluster. There are many different types of nodes available to choose from based on your use case and the necessary resources. A single Memcached cluster can contain up to 20 nodes. Redis clusters are always made up of a single node; however, multiple clusters can be grouped into a Redis replication group.
The individual node types are derived from a subset of the Amazon EC2 instance type families, like t2, m3, and r3. The specific node types may change over time, but today they range from a t2.micro node type with 555 MB of memory up to an r3.8xlarge with 237 GB of memory, with many choices in between. The t2 cache node family is ideal for development and low-volume applications with occasional bursts, but certain features may not be available. The m3 family is a good blend of compute and memory, while the r3 family is optimized for memory-intensive workloads.
Depending on your needs, you may choose to have a few large nodes or many smaller nodes in your cluster or replication group. As demand for your application changes, you may also add or remove nodes from time to time. Each node type comes with a preconfigured amount of memory, with a small amount of the memory allocated to the caching engine and operating system itself.
DesignforFailure
While it is unlikely, you should plan for the potential failure of an individual cache node. For Memcached clusters, you can decrease the impact of the failure of a cache node by using a larger number of nodes with a smaller capacity, instead of a few large nodes.
In the event that Amazon ElastiCache detects the failure of a node, it will provision a replacement and add it back to the cluster. During this time, your database will experience increased load, because any requests that would have been cached will now need to be read from the database. For Redis clusters, Amazon ElastiCache will detect failure and replace the primary node. If a Multi-AZ replication group is enabled, a read replica can be automatically promoted to primary.
MemcachedAutoDiscoveryForMemcachedclusterspartitionedacrossmultiplenodes,AmazonElastiCachesupportsAutoDiscoverywiththeprovidedclientlibrary.AutoDiscoverysimplifiesyourapplicationcodebynolongerneedingawarenessoftheinfrastructuretopologyofthecacheclusterinyourapplicationlayer.
UsingAutoDiscovery
TheAutoDiscoveryclientgivesyourapplicationstheabilitytoidentifyautomaticallyallofthenodesinacacheclusterandtoinitiateandmaintainconnectionstoallofthesenodes.TheAutoDiscoveryclientisavailablefor.NET,Java,andPHPplatforms.
ScalingAmazonElastiCacheallowsyoutoadjustthesizeofyourenvironmenttomeettheneedsofworkloadsastheyevolveovertime.Addingadditionalcachenodesallowsyoutoeasilyexpandhorizontallyandmeethigherlevelsofreadorwriteperformance.Youcanalsoselectdifferentclassesofcachenodestoscalevertically.
Horizontal Scaling
Amazon ElastiCache also adds additional functionality that allows you to scale horizontally the size of your cache environment. This functionality differs depending on the cache engine you have selected. With Memcached, you can partition your data and scale horizontally to 20 nodes or more. With Auto Discovery, your application can discover Memcached nodes that are added or removed from a cluster.
A Redis cluster consists of a single cache node that is handling read and write transactions. Additional clusters can be created and grouped into a Redis replication group. While you can only have one node handling write commands, you can have up to five read replicas handling read-only requests.
Vertical Scaling
Support for vertical scaling is more limited with Amazon ElastiCache. If you like to change the cache node type and scale the compute resources vertically, the service does not directly allow you to resize your cluster in this manner. You can, however, quickly spin up a new cluster with the desired cache node types and start redirecting traffic to the new cluster. It's important to understand that a new Memcached cluster always starts empty, while a Redis cluster can be initialized from a backup.
Replication and Multi-AZ
Replication is a useful technique to provide rapid recovery in the event of a node failure, and also to serve up very high volumes of read queries beyond the capabilities of a single node. Amazon ElastiCache clusters running Redis support both of these design requirements. Unlike Redis, cache clusters running Memcached are standalone in-memory services without any redundant data protection services.
Cache clusters running Redis support the concept of replication groups. A replication group consists of up to six clusters, with five of them designated as read replicas. This allows you to scale horizontally by writing code in your application to offload reads to one of the five clones (see Figure 10.2).
FIGURE 10.2 Redis replication group
Multi-AZ Replication Groups
You can also create a Multi-AZ replication group that allows you to increase availability and minimize the loss of data. Multi-AZ simplifies the process of dealing with a failure by automating the replacement and failover from the primary node.
In the event the primary node fails or can't be reached, Multi-AZ will select and promote a read replica to become the new primary, and a new node will be provisioned to replace the failed one. Amazon ElastiCache will then update the Domain Name System (DNS) entry of the new primary node to allow your application to continue processing without any configuration change and with only a short disruption.
Understand That Replication Is Asynchronous
It's important to keep in mind that replication between the clusters is performed asynchronously and there will be a small delay before data is available on all cluster nodes.
Backup and Recovery
Amazon ElastiCache clusters running Redis allow you to persist your data from in-memory to disk and create a snapshot. Each snapshot is a full clone of the data that can be used to recover to a specific point in time or to create a copy for other purposes. Snapshots cannot be created for clusters using the Memcached engine because it is a purely in-memory key/value store and always starts empty. Amazon ElastiCache uses the native backup capabilities of Redis and will generate a standard Redis database backup file that gets stored in Amazon Simple Storage Service (Amazon S3).
Snapshots require compute and memory resources to perform and can potentially have a performance impact on heavily used clusters. Amazon ElastiCache will try different backup techniques depending on the amount of memory currently available. A best practice is to set up a replication group and perform a snapshot against one of the read replicas instead of the primary node.
In addition to manually initiated snapshots, snapshots can be created automatically based on a schedule. You can also configure a window for the snapshot operation to be completed and specify how many days of backups you want to store. Manual snapshots are stored indefinitely until you delete them.
Backup Redis Clusters
Use a combination of automatic and manual snapshots to meet your recovery objectives for your Redis cluster. Memcached is purely in-memory and does not have native backup capabilities.
Whether the snapshot was created automatically or manually, the snapshot can then be used to create a new cluster at any time. By default, the new cluster will have the same configuration as the source cluster, but you can override these settings. You can also restore from an RDB file generated from any other compatible Redis cluster.
Access Control
Access to your Amazon ElastiCache cluster is controlled primarily by restricting inbound network access to your cluster. Inbound network traffic is restricted through the use of security groups. Each security group defines one or more inbound rules that restrict the source traffic. When deployed inside of a Virtual Private Cloud (VPC), each node will be issued a private IP address within one or more subnets that you select. Individual nodes can never be accessed from the Internet or from Amazon EC2 instances outside the VPC. You can further restrict network ingress at the subnet level by modifying the network Access Control Lists (ACLs).
Access to manage the configuration and infrastructure of the cluster is controlled separately from access to the actual Memcached or Redis service endpoint. Using the AWS Identity and Access Management (IAM) service, you can define policies that control which AWS users can manage the Amazon ElastiCache infrastructure itself.
Some of the key actions an administrator can perform include CreateCacheCluster, ModifyCacheCluster, or DeleteCacheCluster. Redis clusters also support CreateReplicationGroup and CreateSnapshot actions, among others.
Summary
In this chapter, you learned about caching environments within the cloud using Amazon ElastiCache. You can quickly launch clusters running Memcached or Redis to store frequently used data in-memory. Caching can speed up the response time of your applications, reduce load on your back-end data stores, and improve the user experience.
With Amazon ElastiCache, you can offload the administrative tasks for provisioning and operating clusters and focus on the application. Each cache cluster contains one or more nodes. Select from a range of node types to give the right mix of compute and memory resources for your use case.
You can expand both Memcached and Redis clusters vertically by selecting a larger or smaller node type to match your needs. With Amazon ElastiCache and the Memcached engine, you can also scale your cluster horizontally by adding or removing nodes. With Amazon ElastiCache and the Redis engine, you can also scale horizontally by creating a replication group that will automatically replicate across multiple read replicas.
Streamline your backup and recovery process for Redis clusters with Amazon ElastiCache's consistent operational model. While Memcached clusters are in-memory only and cannot be persisted, Redis clusters support both automated and manual snapshots. A snapshot can then be restored to recover from a failure or to clone an environment.
You can secure your cache environments at the network level with security groups and network ACLs, and at the infrastructure level using IAM policies. Security groups will serve as your primary access control mechanism to restrict inbound access for active clusters.
You should analyze your data usage patterns and identify frequently run queries or other expensive operations that could be candidates for caching. You can relieve pressure from your database by offloading read requests to the cache tier. Data elements that are accessed on every page load, or with every request but do not change, are often prime candidates for caching. Even data that changes frequently can often benefit from being cached with very large request volumes.
Exam Essentials
Know how to use Amazon ElastiCache. Improve the performance of your application by deploying Amazon ElastiCache clusters as part of your application and offloading read requests for frequently accessed data. Use the cache-aside pattern in your application first to check the cache for your query results before checking the database.
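The cache-aside read path described above, as an added example that is not code from the study guide or from AWS. The cache and the database are in-memory stand-ins constructed for the example so that it runs offline; against ElastiCache, `FakeCache` would be a Memcached or Redis client pointed at the cluster endpoint. The sample product row and TTL are constructed values.

```python
"""Cache-aside (lazy loading): check the cache first, fall back to the database,
then populate the cache so later reads are served without touching the database.

Added example with in-memory stand-ins; not the study guide's or AWS's code.
"""
import time
from typing import Any, Dict, Optional, Tuple


class FakeCache:
    """Stand-in for a Memcached/Redis client: get/set with a TTL in seconds."""

    def __init__(self) -> None:
        self._items: Dict[str, Tuple[Any, float]] = {}

    def get(self, key: str, now: Optional[float] = None) -> Optional[Any]:
        now = time.time() if now is None else now
        entry = self._items.get(key)
        if entry is None:
            return None
        value, expires_at = entry
        if now >= expires_at:          # expired entry behaves like a cache miss
            del self._items[key]
            return None
        return value

    def set(self, key: str, value: Any, ttl: float, now: Optional[float] = None) -> None:
        now = time.time() if now is None else now
        self._items[key] = (value, now + ttl)


class FakeDatabase:
    """Stand-in for the back-end data store; counts how often it is queried."""

    def __init__(self, rows: Dict[str, Any]) -> None:
        self._rows = rows
        self.queries = 0

    def fetch(self, key: str) -> Optional[Any]:
        self.queries += 1
        return self._rows.get(key)


class CacheAsideReader:
    """Cache first; on a miss, read the database and write the result to the cache."""

    def __init__(self, cache: FakeCache, db: FakeDatabase, ttl: float) -> None:
        self.cache, self.db, self.ttl = cache, db, ttl
        self.hits = 0
        self.misses = 0

    def get(self, key: str, now: Optional[float] = None) -> Optional[Any]:
        now = time.time() if now is None else now
        value = self.cache.get(key, now)
        if value is not None:
            self.hits += 1
            return value
        self.misses += 1
        value = self.db.fetch(key)
        if value is not None:          # only positive results are cached here
            self.cache.set(key, value, self.ttl, now)
        return value


def cache_aside_demo() -> Tuple[int, int, int]:
    """Read one product row six times; return (db queries, cache hits, cache misses)."""
    # Constructed sample data, not from any real catalog.
    db = FakeDatabase({"product:42": {"name": "Widget", "price": 9.99}})
    reader = CacheAsideReader(FakeCache(), db, ttl=60)
    t0 = 1_000_000.0
    for i in range(5):
        reader.get("product:42", now=t0 + i)     # first read misses, next four hit
    reader.get("product:42", now=t0 + 61)        # TTL elapsed: one more database query
    return db.queries, reader.hits, reader.misses


if __name__ == "__main__":
    print(cache_aside_demo())
```

Five reads of the same key cost the database a single query, and the second query only happens once the TTL has elapsed; the hit and miss counters are the numbers you would watch in production to confirm the cache is actually relieving the database.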
Understand when to use a specific cache engine. Amazon ElastiCache gives you the choice of cache engine to suit your requirements. Use Memcached when you need a simple, in-memory object store that can be easily partitioned and scaled horizontally. Use Redis when you need to back up and restore your data, need many clones or read replicas, or are looking for advanced functionality like sort and rank or leaderboards that Redis natively supports.
Understand how to scale a Redis cluster horizontally. An Amazon ElastiCache cluster running Redis can be scaled horizontally first by creating a replication group, then by creating additional clusters and adding them to the replication group.
Understand how to scale a Memcached cluster horizontally. An Amazon ElastiCache cluster running Memcached can be scaled horizontally by adding or removing additional cache nodes to the cluster. The Amazon ElastiCache client library supports Auto Discovery and can discover new nodes added or removed from the cluster without having to hardcode the list of nodes.
Know how to back up your Amazon ElastiCache cluster. You can create a snapshot to back up your Amazon ElastiCache clusters running the Redis engine. Snapshots can be created automatically on a daily basis or manually on demand. Amazon ElastiCache clusters running Memcached do not support backup and restore natively.
Exercises
In this section, you will create a cache cluster using Amazon ElastiCache, expand the cluster with additional nodes, and finally create a replication group with an Amazon ElastiCache Redis cluster.
EXERCISE 10.1
Create an Amazon ElastiCache Cluster Running Memcached
In this exercise, you will create an Amazon ElastiCache cluster using the Memcached engine.
1. While signed in to the AWS Management Console, open the Amazon ElastiCache service dashboard.
2. Begin the launch and configuration process to create a new Amazon ElastiCache cluster.
3. Select the Memcached cache engine, and configure the cluster name, number of nodes, and node type.
4. Optionally configure the security group and maintenance window as needed.
5. Review the cluster configuration, and begin provisioning the cluster.
6. Connect to the cluster with any Memcached client using the DNS name of the cluster.
You have now created your first Amazon ElastiCache cluster.
EXERCISE 10.2
Expand the Size of a Memcached Cluster
In this exercise, you will expand the size of an existing Amazon ElastiCache Memcached cluster.
1. Launch a Memcached cluster using the steps defined in Exercise 10.1.
2. Go to the Amazon ElastiCache dashboard, and view the details of your existing cluster.
3. View the list of nodes currently provisioned, and then add one additional node by increasing the number of nodes.
4. Apply the configuration change, and wait for the new node to finish the provisioning process.
5. Verify that the new node has been created, and connect to the node using a Memcached client.
In this exercise, you have horizontally scaled an existing Amazon ElastiCache cluster by adding a cache node.
EXERCISE 10.3
Create an Amazon ElastiCache Cluster and Redis Replication Group
In this exercise, you will create an Amazon ElastiCache cluster using Redis nodes, create a replication group, and set up a read replica.
1. Sign in to the AWS Management Console, and navigate to the Amazon ElastiCache service dashboard.
2. Begin the configuration and launch process for a new Amazon ElastiCache cluster.
3. Select the Redis cache engine, and then configure a replication group and the node type.
4. Configure a read replica by setting the number of read replicas to 1, and verify that Enable Replication and Multi-AZ are selected.
5. Adjust the Availability Zones for the primary and read replica clusters, security groups, and maintenance window, as needed.
6. Review the cluster configuration, and begin provisioning the cluster.
7. Connect to the primary node and the read replica node with a Redis client library. Perform a simple set operation on the primary node, and then perform a get operation with the same key on the replica.
You have now created an Amazon ElastiCache cluster using the Redis engine and configured a read replica.
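Step 7 of the exercise is the point at which the asynchronous replication the chapter warns about becomes visible: a GET on the replica issued right after the SET on the primary can come back empty. The following added example (not code from the study guide or from AWS, and not connected to ElastiCache) models that with two tiny in-memory stand-ins, `Primary` and `Replica`, where replication records sit in a backlog until `catch_up` runs, and shows one defensive read path that falls back to the primary on a replica miss. The key and value are constructed sample data.

```python
"""Read-after-write across a primary and an asynchronously updated read replica.

Added example with in-memory stand-ins for the two Redis nodes; not the study
guide's or AWS's code and not a Redis client.
"""
from collections import deque
from typing import Deque, Dict, Optional, Tuple


class Replica:
    """Read-only node; queued writes are applied only when catch_up() runs."""

    def __init__(self) -> None:
        self.data: Dict[str, str] = {}
        self.backlog: Deque[Tuple[str, str]] = deque()

    def get(self, key: str) -> Optional[str]:
        return self.data.get(key)

    def catch_up(self, max_records: Optional[int] = None) -> int:
        """Apply up to max_records pending writes; return how many were applied."""
        applied = 0
        while self.backlog and (max_records is None or applied < max_records):
            key, value = self.backlog.popleft()
            self.data[key] = value
            applied += 1
        return applied


class Primary:
    """Writable node; each SET is appended to every replica's backlog, not applied."""

    def __init__(self, replicas: Tuple[Replica, ...]) -> None:
        self.data: Dict[str, str] = {}
        self.replicas = replicas

    def set(self, key: str, value: str) -> None:
        self.data[key] = value
        for replica in self.replicas:
            replica.backlog.append((key, value))

    def get(self, key: str) -> Optional[str]:
        return self.data.get(key)


def read_with_primary_fallback(replica: Replica, primary: Primary,
                               key: str) -> Tuple[Optional[str], str]:
    """Serve reads from the replica; on a miss, re-read from the primary.

    A replica miss is either a true miss or replication lag; the fallback read
    resolves both cases at the cost of one extra read on the primary.
    Returns (value, source) so callers can see which node answered.
    """
    value = replica.get(key)
    if value is not None:
        return value, "replica"
    return primary.get(key), "primary"


def replica_demo() -> Tuple[Optional[str], Tuple[Optional[str], str], Optional[str]]:
    """SET on the primary, then GET on the replica before and after it catches up."""
    replica = Replica()
    primary = Primary((replica,))
    primary.set("exercise:key", "hello")          # step 7: simple set on the primary
    before = replica.get("exercise:key")          # None: write still in the backlog
    fallback = read_with_primary_fallback(replica, primary, "exercise:key")
    replica.catch_up()                            # the replication delay elapses
    after = replica.get("exercise:key")           # "hello"
    return before, fallback, after


if __name__ == "__main__":
    print(replica_demo())
```

If the exercise's GET on the replica returns nothing, retry after a moment rather than treating it as a configuration error. In application code, reading your own recent writes from the primary (or tolerating briefly stale reads) is the usual way to live with this delay.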
Review Questions
1. Which of the following objects are good candidates to store in a cache? (Choose 3 answers)
A. Session state
B. Shopping cart
C. Product catalog
D. Bank account balance
2. Which of the following cache engines are supported by Amazon ElastiCache? (Choose 2 answers)
A. MySQL
B. Memcached
C. Redis
D. Couchbase
3. How many nodes can you add to an Amazon ElastiCache cluster running Memcached?
A. 1
B. 5
C. 20
D. 100
4. How many nodes can you add to an Amazon ElastiCache cluster running Redis?
A. 1
B. 5
C. 20
D. 100
5. An application currently uses Memcached to cache frequently used database queries. Which steps are required to migrate the application to use Amazon ElastiCache with minimal changes? (Choose 2 answers)
A. Recompile the application to use the Amazon ElastiCache libraries.
B. Update the configuration file with the endpoint for the Amazon ElastiCache cluster.
C. Configure a security group to allow access from the application servers.
D. Connect to the Amazon ElastiCache nodes using Secure Shell (SSH) and install the latest version of Memcached.
6. How can you back up data stored in Amazon ElastiCache running Redis? (Choose 2 answers)
A. Create an image of the Amazon Elastic Compute Cloud (Amazon EC2) instance.
B. Configure automatic snapshots to back up the cache environment every night.
C. Create a snapshot manually.
D. Redis clusters cannot be backed up.
7. How can you secure an Amazon ElastiCache cluster? (Choose 3 answers)
A. Change the Memcached root password.
B. Restrict Application Programming Interface (API) actions using AWS Identity and Access Management (IAM) policies.
C. Restrict network access using security groups.
D. Restrict network access using a network Access Control List (ACL).
8. You are working on a mobile gaming application and are building the leaderboard feature to track the top scores across millions of users. Which AWS services are best suited for this use case?
A. Amazon Redshift
B. Amazon ElastiCache using Memcached
C. Amazon ElastiCache using Redis
D. Amazon Simple Storage Service (S3)
9. You have built a large web application that uses Amazon ElastiCache using Memcached to store frequent query results. You plan to expand both the web fleet and the cache fleet multiple times over the next year to accommodate increased user traffic. How do you minimize the amount of changes required when a scaling event occurs?
A. Configure Auto Discovery on the client side
B. Configure Auto Discovery on the server side
C. Update the configuration file each time a new cluster
D. Use an Elastic Load Balancer to proxy the requests
10. Which cache engines does Amazon ElastiCache support? (Choose 2 answers)
A. Memcached
B. Redis
C. Membase
D. Couchbase
Chapter 11
Additional Key Services
THE AWS CERTIFIED SOLUTIONS ARCHITECT ASSOCIATE EXAM TOPICS OBJECTIVES COVERED IN THIS CHAPTER MAY INCLUDE, BUT ARE NOT LIMITED TO, THE FOLLOWING:
Domain 1.0: Designing highly available, cost-efficient, fault-tolerant, and scalable systems
1.1 Identify and recognize cloud architecture considerations, such as fundamental components and effective designs.
Content may include the following:
How to design cloud services
Planning and design
Monitoring and logging
Domain 2.0: Implementation/Deployment
2.1 Identify the appropriate techniques and methods using Amazon Elastic Compute Cloud (Amazon EC2), Amazon Simple Storage Service (Amazon S3), AWS Elastic Beanstalk, AWS CloudFormation, AWS OpsWorks, Amazon Virtual Private Cloud (Amazon VPC), and AWS Identity and Access Management (IAM) to code and implement a cloud solution.
Content may include the following:
Configure services to support compliance requirements in the cloud
Launch instances across the AWS global infrastructure
Domain 3.0: Data Security
3.1 Recognize and implement secure practices for optimum cloud deployment and maintenance.
Content may include the following:
AWS platform compliance
AWS security attributes (customer workloads down to physical layer)
AWS administration and security services
AWS CloudTrail
Ingress vs. egress filtering and which AWS cloud services and features fit
Encryption solutions (e.g., key services)
AWS Trusted Advisor
3.2 Recognize critical disaster recovery techniques and their implementation.
Content may include the following:
AWS Import/Export
AWS Storage Gateway
Introduction
Because Solutions Architects are often involved in solutions across a wide variety of business verticals and use cases, it is important to understand the basics of all AWS cloud service offerings. This chapter focuses on additional key AWS services that you should know at a high level to be successful on the exam. These services are grouped into four categories: Storage and Content Delivery, Security, Analytics, and DevOps.
Before architecting any system, foundational practices that influence security should be in place; for example, providing directories that contain organizational information, or understanding how encryption protects data by rendering it unintelligible to unauthorized access. As a Solutions Architect, understanding the AWS cloud services available to support an organization's directories and encryption is important because they support objectives such as identity management or complying with regulatory obligations.
Architecting analytical solutions is critical because the amount of data that companies need to understand continues to grow to record sizes. AWS provides analytic services that can scale to very large data stores efficiently and cost-effectively. Understanding these services allows Solutions Architects to build virtually any big data application and support any workload regardless of volume, velocity, and variety of data.
DevOps becomes an important concept as the pace of innovation accelerates and customer needs rapidly evolve, forcing businesses to become increasingly agile. Time to market is key, and to facilitate overall business goals, IT departments need to be agile. Understanding the DevOps options that are available on AWS will help Solutions Architects meet the demands of agile businesses that need IT operations to deploy applications in a consistent, repeatable, and reliable manner.
Understanding these additional services will not only help in your exam preparation, but it will also help you establish a foundation for growing as a Solutions Architect on the AWS platform.
Storage and Content Delivery
This section covers two additional storage and content delivery services that are important for a Solutions Architect to understand: Amazon CloudFront and AWS Storage Gateway.
Amazon CloudFront
Amazon CloudFront is a global Content Delivery Network (CDN) service. It integrates with other AWS products to give developers and businesses an easy way to distribute content to end users with low latency, high data transfer speeds, and no minimum usage commitments.
Overview
A Content Delivery Network (CDN) is a globally distributed network of caching servers that speed up the downloading of web pages and other content. CDNs use Domain Name System (DNS) geo-location to determine the geographic location of each request for a web page or other content, then they serve that content from edge caching servers closest to that location instead of the original web server. A CDN allows you to increase the scalability of a website or mobile application easily in response to peak traffic spikes. In most cases, using a CDN is completely transparent—end users simply experience better website performance, while the load on your original website is reduced.
Amazon CloudFront is AWS's CDN. It can be used to deliver your web content using Amazon's global network of edge locations. When a user requests content that you're serving with Amazon CloudFront, the user is routed to the edge location that provides the lowest latency (time delay), so content is delivered with the best possible performance. If the content is already in the edge location with the lowest latency, Amazon CloudFront delivers it immediately. If the content is not currently in that edge location, Amazon CloudFront retrieves it from the origin server, such as an Amazon Simple Storage Service (Amazon S3) bucket or a web server, which stores the original, definitive versions of your files.
Amazon CloudFront is optimized to work with other AWS cloud services as the origin server, including Amazon S3 buckets, Amazon S3 static websites, Amazon Elastic Compute Cloud (Amazon EC2), and Elastic Load Balancing. Amazon CloudFront also works seamlessly with any non-AWS origin server, such as an existing on-premises web server. Amazon CloudFront also integrates with Amazon Route 53.
Amazon CloudFront supports all content that can be served over HTTP or HTTPS. This includes any popular static files that are a part of your web application, such as HTML files, images, JavaScript, and CSS files, and also audio, video, media files, or software downloads. Amazon CloudFront also supports serving dynamic web pages, so it can actually be used to deliver your entire website. Finally, Amazon CloudFront supports media streaming, using both HTTP and RTMP.
Amazon CloudFront Basics
There are three core concepts that you need to understand in order to start using CloudFront: distributions, origins, and cache control. With these concepts, you can easily use CloudFront to speed up delivery of static content from your websites.
DistributionsTouseAmazonCloudFront,youstartbycreatingadistribution,whichisidentifiedbyaDNSdomainnamesuchasd111111abcdef8.cloudfront.net.ToservefilesfromAmazonCloudFront,yousimplyusethedistributiondomainnameinplaceofyourwebsite’sdomainname;therestofthefilepathsstayunchanged.YoucanusetheAmazonCloudFrontdistributiondomainnameas-is,oryoucancreateauser-friendlyDNSnameinyourowndomainbycreatingaCNAMErecordinAmazonRoute53oranotherDNSservice.TheCNAMEisautomaticallyredirectedtoyourAmazonCloudFrontdistributiondomainname.
OriginsWhenyoucreateadistribution,youmustspecifytheDNSdomainnameoftheorigin—theAmazonS3bucketorHTTPserver—fromwhichyouwantAmazonCloudFronttogetthedefinitiveversionofyourobjects(webfiles).Forexample:
AmazonS3bucket:myawsbucket.s3.amazonaws.com
AmazonEC2instance:ec2–203–0–113–25.compute-1.amazonaws.com
ElasticLoadBalancingloadbalancer:my-load-balancer-1234567890.us-west-2.elb.amazonaws.com
WebsiteURL:mywebserver.mycompanydomain.com
CacheControlOncerequestedandservedfromanedgelocation,objectsstayinthecacheuntiltheyexpireorareevictedtomakeroomformorefrequentlyrequestedcontent.Bydefault,objectsexpirefromthecacheafter24hours.Onceanobjectexpires,thenextrequestresultsinAmazonCloudFrontforwardingtherequesttotheorigintoverifythattheobjectisunchangedortofetchanewversionifithaschanged.
Optionally,youcancontrolhowlongobjectsstayinanAmazonCloudFrontcachebeforeexpiring.Todothis,youcanchoosetouseCache-Controlheaderssetbyyouroriginserveroryoucansettheminimum,maximum,anddefaultTimetoLive(TTL)forobjectsinyourAmazonCloudFrontdistribution.
YoucanalsoremovecopiesofanobjectfromallAmazonCloudFrontedgelocationsatanytimebycallingtheinvalidationApplicationProgramInterface(API).ThisfeatureremovestheobjectfromeveryAmazonCloudFrontedgelocationregardlessoftheexpirationperiodyousetforthatobjectonyouroriginserver.Theinvalidationfeatureisdesignedtobeusedinunexpectedcircumstances,suchastocorrectanerrorortomakeanunanticipatedupdatetoawebsite,notaspartofyoureverydayworkflow.
Insteadofinvalidatingobjectsmanuallyorprogrammatically,itisabestpracticetouseaversionidentifieraspartoftheobject(file)pathname.Forexample:
Oldfile:assets/v1/css/narrow.css
Newfile:assets/v2/css/narrow.css
Whenusingversioning,usersalwaysseethelatestcontentthroughAmazonCloudFrontwhenyouupdateyoursitewithoutusinginvalidation.Oldversionswillexpirefromthecacheautomatically.
Amazon CloudFront Advanced Features
CloudFront can do much more than simply serve static web files. To start using CloudFront's advanced features, you will need to understand how to use cache behaviors, and how to restrict access to sensitive content.
Dynamic Content, Multiple Origins, and Cache Behaviors
Serving static assets, such as described previously, is a common way to use a CDN. An Amazon CloudFront distribution, however, can easily be set up to serve dynamic content in addition to static content and to use more than one origin server. You control which requests are served by which origin and how requests are cached using a feature called cache behaviors.
A cache behavior lets you configure a variety of Amazon CloudFront functionalities for a given URL path pattern for files on your website. For example, see Figure 11.1. One cache behavior applies to all PHP files in a web server (dynamic content), using the path pattern *.php, while another behavior applies to all JPEG images in another origin server (static content), using the path pattern *.jpg.
FIGURE 11.1 Delivering static and dynamic content
The functionality you can configure for each cache behavior includes the following:
The path pattern
Which origin to forward your requests to
Whether to forward query strings to your origin
Whether accessing the specified files requires signed URLs
Whether to require HTTPS access
The amount of time that those files stay in the Amazon CloudFront cache (regardless of the value of any Cache-Control headers that your origin adds to the files)
Cache behaviors are applied in order; if a request does not match the first path pattern, it drops down to the next path pattern. Normally the last path pattern specified is * to match all files.
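The ordering rule just stated is easy to get wrong in a real distribution, so here is an added example (not code from the study guide or from AWS) that models a list of cache behaviors and selects the first one whose path pattern matches a request. The behavior table is constructed to mirror Figure 11.1 (PHP from a web server origin, JPEG images from a separate origin) plus a signed-URL-only `private/*` behavior and the catch-all `*`. Pattern matching uses Python's `fnmatch`, which stands in for CloudFront's own matcher for the `*` and `?` wildcards; the origin IDs and settings are assumptions for the example.

```python
"""First-match selection over an ordered list of CloudFront-style cache behaviors.

Added example; not the study guide's or AWS's code. fnmatch is a stand-in for
CloudFront's path-pattern matcher (case sensitive; leading slash optional).
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class CacheBehavior:
    path_pattern: str
    origin: str                 # origin ID requests are forwarded to
    forward_query_string: bool  # whether the query string reaches the origin
    require_signed_url: bool    # private content: a signed URL is required
    https_only: bool            # whether to require HTTPS access
    default_ttl_seconds: int    # how long objects stay in the edge cache


def _normalize(path: str) -> str:
    """Drop the query string and a leading slash so '/a.jpg' and 'a.jpg' compare equal."""
    return urlsplit(path).path.lstrip("/")


def select_behavior(behaviors: List[CacheBehavior],
                    request_path: str) -> Optional[CacheBehavior]:
    """Return the first behavior whose pattern matches, or None if nothing matches."""
    target = _normalize(request_path)
    for behavior in behaviors:
        if fnmatchcase(target, behavior.path_pattern.lstrip("/")):
            return behavior
    return None


# Constructed distribution config mirroring Figure 11.1, with a private prefix
# and the usual catch-all last. Origin IDs are hypothetical.
BEHAVIORS = [
    CacheBehavior("*.php", "web-server-origin", True, False, True, 0),
    CacheBehavior("images/*.jpg", "s3-images-origin", False, False, True, 86400),
    CacheBehavior("private/*", "s3-private-origin", False, True, True, 300),
    CacheBehavior("*", "web-server-origin", False, False, False, 86400),
]


def route(request_path: str) -> str:
    """Origin ID chosen for a request path, or 'no-match'."""
    chosen = select_behavior(BEHAVIORS, request_path)
    return chosen.origin if chosen else "no-match"


if __name__ == "__main__":
    for p in ["/index.php?user=1", "/images/logo.jpg", "/private/report.pdf",
              "/uploads/images/x.jpg", "/css/site.css"]:
        b = select_behavior(BEHAVIORS, p)
        print(p, "->", b.path_pattern, b.origin,
              "signed URL required" if b.require_signed_url else "public")
```

Two details worth noticing: a path pattern is anchored at the start of the path, so `images/*.jpg` does not catch `/uploads/images/x.jpg` (it falls through to `*`), and if the catch-all `*` were listed first it would shadow every other behavior, including the one that enforces signed URLs for `private/*`. When reviewing a distribution, check that the restrictive behaviors sit above the catch-all.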
Whole Website
Using cache behaviors and multiple origins, you can easily use Amazon CloudFront to serve your whole website and to support different behaviors for different client devices.
Private Content
In many cases, you may want to restrict access to content in Amazon CloudFront to only selected requestors, such as paid subscribers or to applications or users in your company network. Amazon CloudFront provides several mechanisms to allow you to serve private content. These include:
Signed URLs
Use URLs that are valid only between certain times and optionally from certain IP addresses.
Signed Cookies
Require authentication via public and private key pairs.
Origin Access Identities (OAI)
Restrict access to an Amazon S3 bucket only to a special Amazon CloudFront user associated with your distribution. This is the easiest way to ensure that content in a bucket is only accessed by Amazon CloudFront.
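To make the signed URL description concrete, here is an added example (not code from the study guide or from AWS) that assembles the custom policy document a CloudFront signed URL carries, applies the URL-safe encoding CloudFront uses for the `Policy` query parameter, and evaluates the same time and source-IP conditions against a request. The RSA signature that makes the policy trustworthy is produced with the distribution's trusted key pair and is left out here; the URL, epoch times and CIDR are constructed sample values, and the exact boundary semantics of the date comparisons are an assumption.

```python
"""Custom-policy conditions behind CloudFront signed URLs: build, encode, evaluate.

Added example; not the study guide's or AWS's code. Signing is out of scope.
"""
import base64
import ipaddress
import json
from fnmatch import fnmatchcase
from typing import Any, Dict, Optional, Tuple


def build_custom_policy(resource_url: str, expires_epoch: int,
                        not_before_epoch: Optional[int] = None,
                        source_cidr: Optional[str] = None) -> Dict[str, Any]:
    """Assemble the single-statement policy document used by custom-policy signed URLs."""
    condition: Dict[str, Any] = {"DateLessThan": {"AWS:EpochTime": expires_epoch}}
    if not_before_epoch is not None:
        condition["DateGreaterThan"] = {"AWS:EpochTime": not_before_epoch}
    if source_cidr is not None:
        ipaddress.ip_network(source_cidr)   # reject a malformed CIDR before embedding it
        condition["IpAddress"] = {"AWS:SourceIp": source_cidr}
    return {"Statement": [{"Resource": resource_url, "Condition": condition}]}


def encode_policy(policy: Dict[str, Any]) -> str:
    """Compact JSON, base64, then CloudFront's substitutions: + -> -, = -> _, / -> ~."""
    raw = json.dumps(policy, separators=(",", ":")).encode()
    return (base64.b64encode(raw).decode()
            .replace("+", "-").replace("=", "_").replace("/", "~"))


def decode_policy(encoded: str) -> Dict[str, Any]:
    """Reverse encode_policy (what an edge does before checking the conditions)."""
    std = encoded.replace("-", "+").replace("_", "=").replace("~", "/")
    return json.loads(base64.b64decode(std))


def policy_allows(policy: Dict[str, Any], request_url: str, now_epoch: int,
                  client_ip: str) -> Tuple[bool, str]:
    """Evaluate the statement's conditions for one request; return (allowed, reason).

    Resource may contain * and ? wildcards, so it is matched with fnmatch.
    Strict comparisons on the epoch boundaries are an assumption of this example.
    """
    stmt = policy["Statement"][0]
    cond = stmt["Condition"]
    if not fnmatchcase(request_url, stmt["Resource"]):
        return False, "resource mismatch"
    if now_epoch >= cond["DateLessThan"]["AWS:EpochTime"]:
        return False, "expired"
    if "DateGreaterThan" in cond and now_epoch <= cond["DateGreaterThan"]["AWS:EpochTime"]:
        return False, "not yet valid"
    if "IpAddress" in cond:
        allowed_net = ipaddress.ip_network(cond["IpAddress"]["AWS:SourceIp"])
        if ipaddress.ip_address(client_ip) not in allowed_net:
            return False, "source IP not allowed"
    return True, "ok"


if __name__ == "__main__":
    # Constructed values: distribution name from the chapter, RFC 5737 test address range.
    url = "https://d111111abcdef8.cloudfront.net/private/report.pdf"
    policy = build_custom_policy(url, 1_700_003_600, 1_700_000_000, "192.0.2.0/24")
    print(encode_policy(policy))
    print(policy_allows(policy, url, 1_700_001_000, "192.0.2.7"))
    print(policy_allows(policy, url, 1_700_001_000, "198.51.100.9"))
```

A short expiry window and a source-IP condition are the two knobs that limit how far a leaked signed URL can travel; the evaluator makes it obvious which condition rejected a request, which is also what you want logged when investigating unexpected 403s on private content.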
Use Cases
There are several use cases where Amazon CloudFront is an excellent choice, including, but not limited to:
Serving the Static Assets of Popular Websites
Static assets such as images, CSS, and JavaScript traditionally make up the bulk of requests to typical websites. Using Amazon CloudFront will speed up the user experience and reduce load on the website itself.
Serving a Whole Website or Web Application
Amazon CloudFront can serve a whole website containing both dynamic and static content by using multiple origins, cache behaviors, and short TTLs for dynamic content.
Serving Content to Users Who Are Widely Distributed Geographically
Amazon CloudFront will improve site performance, especially for distant users, and reduce the load on your origin server.
Distributing Software or Other Large Files
Amazon CloudFront will help speed up the download of these files to end users.
Serving Streaming Media
Amazon CloudFront helps serve streaming media, such as audio and video.
There are also use cases where CloudFront is not appropriate, including:
All or Most Requests Come From a Single Location
If all or most of your requests come from a single geographic location, such as a large corporate campus, you will not take advantage of multiple edge locations.
All or Most Requests Come Through a Corporate VPN
Similarly, if your users connect via a corporate Virtual Private Network (VPN), even if they are distributed, user requests appear to CloudFront to originate from one or a few locations. These use cases will generally not see benefit from using Amazon CloudFront.
AWS Storage Gateway
AWS Storage Gateway is a service connecting an on-premises software appliance with cloud-based storage to provide seamless and secure integration between an organization's on-premises IT environment and AWS storage infrastructure. The service enables you to store data securely on the AWS cloud in a scalable and cost-effective manner. AWS Storage Gateway supports industry-standard storage protocols that work with your existing applications. It provides low-latency performance by caching frequently accessed data on-premises while encrypting and storing all of your data in Amazon S3 or Amazon Glacier.
Overview
AWS Storage Gateway's software appliance is available for download as a Virtual Machine (VM) image that you install on a host in your data center and then register with your AWS account through the AWS Management Console. The storage associated with the appliance is exposed as an iSCSI device that can be mounted by your on-premises applications.
There are three configurations for AWS Storage Gateway: Gateway-Cached volumes, Gateway-Stored volumes, and Gateway-Virtual Tape Libraries (VTL).
Gateway-Cached Volumes
Gateway-Cached volumes allow you to expand your local storage capacity into Amazon S3. All data stored on a Gateway-Cached volume is moved to Amazon S3, while recently read data is retained in local storage to provide low-latency access. While each volume is limited to a maximum size of 32 TB, a single gateway can support up to 32 volumes for a maximum storage of 1 PB.
Point-in-time snapshots can be taken to back up your AWS Storage Gateway. These snapshots are performed incrementally, and only the data that has changed since the last snapshot is stored.
All Gateway-Cached volume data and snapshot data is transferred to Amazon S3 over encrypted Secure Sockets Layer (SSL) connections. It is encrypted at rest in Amazon S3 using Server-Side Encryption (SSE). However, you cannot directly access this data with the Amazon S3 API or other tools such as the Amazon S3 console; instead you must access it through the AWS Storage Gateway service.
Gateway-Stored Volumes
Gateway-Stored volumes allow you to store your data on your on-premises storage and asynchronously back up that data to Amazon S3. This provides low-latency access to all data, while also providing off-site backups taking advantage of the durability of Amazon S3. The data is backed up in the form of Amazon Elastic Block Store (Amazon EBS) snapshots. While each volume is limited to a maximum size of 16 TB, a single gateway can support up to 32 volumes for a maximum storage of 512 TB.
Similar to Gateway-Cached volumes, you can take snapshots of your Gateway-Stored volumes. The gateway stores these snapshots in Amazon S3 as Amazon EBS snapshots. When you take a new snapshot, only the data that has changed since your last snapshot is stored. You can initiate snapshots on a scheduled or one-time basis. Because these snapshots are stored as Amazon EBS snapshots, you can create a new Amazon EBS volume from a Gateway-Stored volume.
All Gateway-Stored volume data and snapshot data is transferred to Amazon S3 over encrypted SSL connections. It is encrypted at rest in Amazon S3 using SSE. However, you cannot access this data with the Amazon S3 API or other tools such as the Amazon S3 console.
![Page 334: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us](https://reader034.fdocuments.in/reader034/viewer/2022051903/5ff3f0af59eac925a1655b52/html5/thumbnails/334.jpg)
Ifyouron-premisesapplianceorevenentiredatacenterbecomesunavailable,thedatainAWSStorageGatewaycanstillberetrieved.Ifit’sonlytheappliancethatisunavailable,anewappliancecanbelaunchedinthedatacenterandattachedtotheexistingAWSStorageGateway.AnewappliancecanalsobelaunchedinanotherdatacenterorevenonanAmazonEC2instanceonthecloud.
GatewayVirtualTapeLibraries(VTL)Gateway-VTLoffersadurable,cost-effectivesolutiontoarchiveyourdataontheAWScloud.TheVTLinterfaceletsyouleverageyourexistingtape-basedbackupapplicationinfrastructuretostoredataonvirtualtapecartridgesthatyoucreateonyourGateway-VTL.
Avirtualtapeisanalogoustoaphysicaltapecartridge,exceptthedataisstoredontheAWScloud.Tapesarecreatedblankthroughtheconsoleorprogrammaticallyandthenfilledwithbackedupdata.Agatewaycancontainupto1,500tapes(1PB)oftotaltapedata.Virtualtapesappearinyourgateway’sVTL,avirtualizedversionofaphysicaltapelibrary.Virtualtapesarediscoveredbyyourbackupapplicationusingitsstandardmediainventoryprocedure.
Whenyourtapesoftwareejectsatape,itisarchivedonaVirtualTapeShelf(VTS)andstoredinAmazonGlacier.You’reallowed1VTSperAWSregion,butmultiplegatewaysinthesameregioncanshareaVTS.
UseCasesThereareseveralusecaseswhereAWSStorageGatewayisanexcellentchoice,including,butnotlimitedto:
Gateway-CachedvolumesenableyoutoexpandlocalstoragehardwaretoAmazonS3,allowingyoutostoremuchmoredatawithoutdrasticallyincreasingyourstoragehardwareorchangingyourstorageprocesses.
Gateway-Storedvolumesprovideseamless,asynchronous,andsecurebackupofyouron-premisesstoragewithoutnewprocessesorhardware.
Gateway-VTLsenableyoutokeepyourcurrenttapebackupsoftwareandprocesseswhilestoringyourdatamorecost-effectivelyandsimplyonthecloud.
Security
Cloud security at AWS is the highest priority. AWS customers benefit from data centers and network architectures built to meet the requirements of the most security-sensitive organizations.
An advantage of the AWS cloud is that it allows customers to scale and innovate while maintaining a secure environment. Cloud security is much like security in your on-premises data centers, only without the costs of maintaining facilities and hardware. In the cloud, you don't have to manage physical servers or storage devices. Instead, you use software-based security tools to monitor and protect the flow of information into and out of your cloud resources.
This section will focus on four AWS services that are directly related to specific security purposes: AWS Directory Service for identity management, AWS Key Management Service (KMS) and AWS CloudHSM for key management, and AWS CloudTrail for auditing.
AWS Directory Service
AWS Directory Service is a managed service offering that provides directories that contain information about your organization, including users, groups, computers, and other resources.
Overview
You can choose from three directory types:
AWS Directory Service for Microsoft Active Directory (Enterprise Edition), also referred to as Microsoft AD
Simple AD
AD Connector
As a managed offering, AWS Directory Service is designed to reduce identity management tasks, thereby allowing you to focus more of your time and resources on your business. There is no need to build out your own complex, highly available directory topology because each directory is deployed across multiple Availability Zones, and monitoring automatically detects and replaces domain controllers that fail. In addition, data replication and automated daily snapshots are configured for you. There is no software to install, and AWS handles all of the patching and software updates.
AWS Directory Service for Microsoft Active Directory (Enterprise Edition)
AWS Directory Service for Microsoft Active Directory (Enterprise Edition) is a managed Microsoft Active Directory hosted on the AWS cloud. It provides much of the functionality offered by Microsoft Active Directory plus integration with AWS applications. With the additional Active Directory functionality, you can, for example, easily set up trust relationships with your existing Active Directory domains to extend those directories to AWS cloud services.
Simple AD
Simple AD is a Microsoft Active Directory-compatible directory from AWS Directory Service that is powered by Samba 4. Simple AD supports commonly used Active Directory features such as user accounts, group memberships, domain-joining Amazon EC2 instances running Linux and Microsoft Windows, Kerberos-based Single Sign-On (SSO), and group policies. This makes it even easier to manage Amazon EC2 instances running Linux and Windows and deploy Windows applications on the AWS cloud.
Many of the applications and tools you use today that require Microsoft Active Directory support can be used with Simple AD. User accounts in Simple AD can also access AWS applications, such as Amazon WorkSpaces, Amazon WorkDocs, or Amazon WorkMail. They can also use AWS IAM roles to access the AWS Management Console and manage AWS resources. Finally, Simple AD provides daily automated snapshots to enable point-in-time recovery.
Note that you cannot set up trust relationships between Simple AD and other Active Directory domains. Other features not supported at the time of this writing by Simple AD include DNS dynamic update, schema extensions, Multi-Factor Authentication (MFA), communication over Lightweight Directory Access Protocol (LDAP), PowerShell AD cmdlets, and the transfer of Flexible Single-Master Operations (FSMO) roles.
AD Connector
AD Connector is a proxy service for connecting your on-premises Microsoft Active Directory to the AWS cloud without requiring complex directory synchronization or the cost and complexity of hosting a federation infrastructure.
AD Connector forwards sign-in requests to your Active Directory domain controllers for authentication and provides the ability for applications to query the directory for data. After setup, your users can use their existing corporate credentials to log on to AWS applications, such as Amazon WorkSpaces, Amazon WorkDocs, or Amazon WorkMail. With the proper IAM permissions, they can also access the AWS Management Console and manage AWS resources such as Amazon EC2 instances or Amazon S3 buckets. You can also use AD Connector to enable MFA by integrating it with your existing Remote Authentication Dial-In User Service (RADIUS)-based MFA infrastructure to provide an additional layer of security when users access AWS applications.
With AD Connector, you continue to manage your Active Directory as usual. For example, adding new users, adding new groups, or updating passwords are all accomplished using standard directory administration tools with your on-premises directory. Thus, in addition to providing a streamlined experience for your users, AD Connector enables consistent enforcement of your existing security policies, such as password expiration, password history, and account lockouts, whether users are accessing resources on-premises or on the AWS cloud.
Use Cases
AWS Directory Service provides multiple ways to use Microsoft Active Directory with other AWS cloud services. You can choose the directory service with the features you need at a cost that fits your budget.
AWS Directory Service for Microsoft Active Directory (Enterprise Edition)
This Directory Service is your best choice if you have more than 5,000 users and need a trust relationship set up between an AWS-hosted directory and your on-premises directories.
Simple AD
In most cases, Simple AD is the least expensive option and your best choice if you have 5,000 or fewer users and don't need the more advanced Microsoft Active Directory features.
AD Connector
AD Connector is your best choice when you want to use your existing on-premises directory with AWS cloud services.
AWS Key Management Service (KMS) and AWS CloudHSM
Key management is the management of cryptographic keys within a cryptosystem. This includes dealing with the generation, exchange, storage, use, and replacement of keys.
Overview
AWS offers two services that provide you with the ability to manage your own symmetric or asymmetric cryptographic keys:
AWS KMS: A service enabling you to generate, store, enable/disable, and delete symmetric keys
AWS CloudHSM: A service providing you with secure cryptographic key storage by making Hardware Security Modules (HSMs) available on the AWS cloud
AWS Key Management Service (AWS KMS)
AWS KMS is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data. AWS KMS lets you create keys that can never be exported from the service and that can be used to encrypt and decrypt data based on policies you define.
By using AWS KMS, you gain more control over access to data you encrypt. You can use the key management and cryptographic features directly in your applications or through AWS cloud services that are integrated with AWS KMS. Whether you are writing applications for AWS or using AWS cloud services, AWS KMS enables you to maintain control over who can use your keys and gain access to your encrypted data.
Customer Managed Keys
AWS KMS uses a type of key called a Customer Master Key (CMK) to encrypt and decrypt data. CMKs are the fundamental resources that AWS KMS manages. They can be used inside of AWS KMS to encrypt or decrypt up to 4 KB of data directly. They can also be used to encrypt generated data keys that are then used to encrypt or decrypt larger amounts of data outside of the service. CMKs can never leave AWS KMS unencrypted, but data keys can leave the service unencrypted.
Data Keys
You use data keys to encrypt large data objects within your own application outside AWS KMS. When you call GenerateDataKey, AWS KMS returns a plaintext version of the key and ciphertext that contains the key encrypted under the specified CMK. AWS KMS tracks which CMK was used to encrypt the data key. You use the plaintext data key in your application to encrypt data, and you typically store the encrypted key alongside your encrypted data. Security best practices suggest that you should remove the plaintext key from memory as soon as is practical after use. To decrypt data in your application, pass the encrypted data key to the Decrypt function. AWS KMS uses the associated CMK to decrypt and retrieve your plaintext data key. Use the plaintext key to decrypt your data, and then remove the key from memory.
Envelope Encryption
AWS KMS uses envelope encryption to protect data. AWS KMS creates a data key, encrypts it under a CMK, and returns plaintext and encrypted versions of the data key to you. You use the plaintext key to encrypt data and store the encrypted key alongside the encrypted data. The key should be removed from memory as soon as is practical after use. You can retrieve a plaintext data key only if you have the encrypted data key and you have permission to use the corresponding master key.
Encryption Context
All AWS KMS cryptographic operations accept an optional key/value map of additional contextual information called an encryption context. The specified context must be the same for both the encrypt and decrypt operations or decryption will not succeed. The encryption context is logged, can be used for additional auditing, and is available as context in the AWS policy language for fine-grained policy-based authorization.
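The following is an added example, not code from the study guide or from AWS, that walks through the CMK, data key, envelope encryption and encryption context behaviour of the last four paragraphs in Python. A local MockKms stands in for the service (the real calls are kms.generate_data_key and kms.decrypt in boto3); its AEAD is a labelled HMAC-SHA256 stand-in for the AES-GCM real code would use, and all key ids and context values are constructed.

```python
# Added example (not from the study guide or the AWS SDK): an offline model of
# KMS envelope encryption. MockKms stands in for the service; its AEAD (HMAC-SHA256
# keystream + HMAC tag) is a labelled stand-in for the AES-GCM real code would use.
import hashlib
import hmac
import json
import secrets

MAX_DIRECT_ENCRYPT = 4096  # a CMK encrypts at most 4 KB directly; larger data needs a data key


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for AES-CTR)."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def aead_encrypt(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    """Encrypt-then-MAC; the tag also covers `aad`, which must match at decrypt time."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + aad + ct, hashlib.sha256).digest()
    return nonce + tag + ct


def aead_decrypt(key: bytes, blob: bytes, aad: bytes) -> bytes:
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    expected = hmac.new(key, b"tag" + nonce + aad + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or mismatched encryption context")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def _canonical_context(context) -> bytes:
    """The encryption context is a key/value map; canonicalize it so key order is irrelevant."""
    return json.dumps(context or {}, sort_keys=True, separators=(",", ":")).encode()


class MockKms:
    """CMK material never leaves this object; callers only see key ids, data keys and blobs."""
    def __init__(self):
        self._cmks = {}  # key id -> 32-byte master key, held in memory only

    def create_key(self) -> str:
        key_id = "cmk-" + secrets.token_hex(8)  # constructed id, not a real key ARN
        self._cmks[key_id] = secrets.token_bytes(32)
        return key_id

    def encrypt(self, key_id: str, plaintext: bytes, context=None) -> bytes:
        if len(plaintext) > MAX_DIRECT_ENCRYPT:
            raise ValueError("Encrypt takes at most 4 KB; use GenerateDataKey for larger data")
        kid = key_id.encode()
        body = aead_encrypt(self._cmks[key_id], plaintext, _canonical_context(context))
        return bytes([len(kid)]) + kid + body  # the blob records which CMK produced it

    def decrypt(self, blob: bytes, context=None) -> bytes:
        key_id, body = blob[1:1 + blob[0]].decode(), blob[1 + blob[0]:]
        return aead_decrypt(self._cmks[key_id], body, _canonical_context(context))

    def generate_data_key(self, key_id: str, context=None):
        """Return (plaintext data key, the same key encrypted under the CMK)."""
        data_key = secrets.token_bytes(32)
        return data_key, self.encrypt(key_id, data_key, context)


def envelope_encrypt(kms: MockKms, key_id: str, payload: bytes, context=None) -> dict:
    """Client side: encrypt a payload of any size under a data key; store the wrapped key with it."""
    data_key, wrapped = kms.generate_data_key(key_id, context)
    try:
        ciphertext = aead_encrypt(data_key, payload, b"")
    finally:
        del data_key  # drop the plaintext key as soon as it is no longer needed
    return {"encrypted_data_key": wrapped, "ciphertext": ciphertext}


def envelope_decrypt(kms: MockKms, record: dict, context=None) -> bytes:
    """Client side: unwrap the data key through KMS (context must match), then decrypt."""
    data_key = kms.decrypt(record["encrypted_data_key"], context)
    try:
        return aead_decrypt(data_key, record["ciphertext"], b"")
    finally:
        del data_key


def demo() -> dict:
    """Exercise the three behaviours the text describes; each value is True when it held."""
    kms, results = MockKms(), {}
    key_id = kms.create_key()
    context = {"department": "finance", "purpose": "payroll"}  # constructed context
    payload = b"A" * 10_000  # well past the 4 KB direct-encrypt limit
    record = envelope_encrypt(kms, key_id, payload, context)
    results["roundtrip"] = envelope_decrypt(kms, record, context) == payload
    try:
        envelope_decrypt(kms, record, {"department": "marketing"})
        results["context_mismatch_rejected"] = False
    except ValueError:
        results["context_mismatch_rejected"] = True
    try:
        kms.encrypt(key_id, payload)
        results["direct_encrypt_limited"] = False
    except ValueError:
        results["direct_encrypt_limited"] = True
    return results
```

Running demo() reports all three checks as True: the payload round-trips under the matching context, a changed context is refused, and a direct Encrypt of more than 4 KB is rejected.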
AWS CloudHSM
AWS CloudHSM helps you meet corporate, contractual, and regulatory compliance requirements for data security by using dedicated HSM appliances within the AWS cloud. An HSM is a hardware appliance that provides secure key storage and cryptographic operations within a tamper-resistant hardware module. HSMs are designed to securely store cryptographic key material and use the key material without exposing it outside the cryptographic boundary of the appliance.
The recommended configuration for using AWS CloudHSM is to use two HSMs configured in a high-availability configuration, as illustrated in Figure 11.2.
FIGURE 11.2 High availability CloudHSM architecture
AWS CloudHSM allows you to protect your encryption keys within HSMs that are designed and validated to government standards for secure key management. You can securely generate, store, and manage the cryptographic keys used for data encryption in a way that ensures that only you have access to the keys. AWS CloudHSM helps you comply with strict key management requirements within the AWS cloud without sacrificing application performance.
Use Cases
The AWS key management services address several security needs that would require extensive effort to deploy and manage otherwise, including, but not limited to:
Scalable Symmetric Key Distribution
Symmetric encryption algorithms require that the same key be used for both encrypting and decrypting the data. This is problematic because transferring the key from the sender to the receiver must be done either through a known secure channel or some "out of band" process.
Government-Validated Cryptography
Certain types of data (for example, Payment Card Industry—PCI—or health information records) must be protected with cryptography that has been validated by an outside party as conforming to the algorithm(s) asserted by the claiming party.
AWS CloudTrail
AWS CloudTrail provides visibility into user activity by recording API calls made on your account. AWS CloudTrail records important information about each API call, including the name of the API, the identity of the caller, the time of the API call, the request parameters, and the response elements returned by the AWS service. This information helps you to track changes made to your AWS resources and to troubleshoot operational issues. AWS CloudTrail makes it easier to ensure compliance with internal policies and regulatory standards.
Overview
AWS CloudTrail captures AWS API calls and related events made by or on behalf of an AWS account and delivers log files to an Amazon S3 bucket that you specify. Optionally, you can configure AWS CloudTrail to deliver events to a log group monitored by Amazon CloudWatch Logs. You can also choose to receive Amazon Simple Notification Service (Amazon SNS) notifications each time a log file is delivered to your bucket. You can create a trail with the AWS CloudTrail console, the AWS Command Line Interface (CLI), or the AWS CloudTrail API. A trail is a configuration that enables logging of the AWS API activity and related events in your account.
You can create two types of trails:
A Trail That Applies to All Regions
When you create a trail that applies to all AWS regions, AWS CloudTrail creates the same trail in each region, records the log files in each region, and delivers the log files to the single Amazon S3 bucket (and optionally to the Amazon CloudWatch Logs log group) that you specify. This is the default option when you create a trail using the AWS CloudTrail console. If you choose to receive Amazon SNS notifications for log file deliveries, one Amazon SNS topic will suffice for all regions. If you choose to have AWS CloudTrail send events from a trail that applies to all regions to an Amazon CloudWatch Logs log group, events from all regions will be sent to the single log group.
A Trail That Applies to One Region
You specify a bucket that receives events only from that region. The bucket can be in any region that you specify. If you create additional individual trails that apply to specific regions, you can have those trails deliver event logs to a single Amazon S3 bucket.
By default, your log files are encrypted using Amazon S3 SSE. You can store your log files in your bucket for as long as you want, but you can also define Amazon S3 lifecycle rules to archive or delete log files automatically.
AWS CloudTrail typically delivers log files within 15 minutes of an API call. In addition, the service publishes new log files multiple times an hour, usually about every five minutes. These log files contain API calls from all of the account's services that support AWS CloudTrail.
Enable AWS CloudTrail on all of your AWS accounts. Instead of configuring a trail for one region, you should enable trails for all regions.
Use Cases
AWS CloudTrail is beneficial for several use cases:
External Compliance Audits
Your business must demonstrate compliance to a set of regulations pertinent to some or all data being transmitted, processed, and stored within your AWS accounts. Events from AWS CloudTrail can be used to show the degree to which you are compliant with the regulations.
Unauthorized Access to Your AWS Account
AWS CloudTrail records all sign-on attempts to your AWS account, including AWS Management Console login attempts, AWS Software Development Kit (SDK) API calls, and AWS CLI API calls. Routine examination of AWS CloudTrail events will provide the needed information to determine if your AWS account is being targeted for unauthorized access.
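As an added example, not code from the study guide or from AWS, the Python below performs the routine review described under Unauthorized Access and the all-regions check recommended in the overview: it scans constructed records in the CloudTrail JSON record format for bursts of failed ConsoleLogin events per source address, console sign-ins without MFA and root sign-ins, and lists trails whose IsMultiRegionTrail flag is off in a DescribeTrails-shaped response. The event field names and IsMultiRegionTrail are CloudTrail's own; the account id, addresses, user and trail names are constructed, and the helper function names are hypothetical.

```python
# Added example (not from the study guide): defender-side checks over CloudTrail
# data. All records below are constructed in the CloudTrail JSON record format.
from collections import defaultdict
from datetime import datetime, timedelta

ACCOUNT = "123456789012"  # constructed account id


def _login(time, ip, outcome, user=None, mfa="No"):
    """Build a constructed ConsoleLogin record; user=None means the root user."""
    if user is None:
        identity = {"type": "Root", "arn": f"arn:aws:iam::{ACCOUNT}:root", "accountId": ACCOUNT}
    else:
        identity = {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/{user}",
                    "accountId": ACCOUNT, "userName": user}
    return {
        "eventVersion": "1.05", "eventTime": time, "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": ip,
        "userIdentity": identity, "responseElements": {"ConsoleLogin": outcome},
        "additionalEventData": {"MFAUsed": mfa}, "eventType": "AwsConsoleSignIn",
    }


# Constructed sample: a burst of failures from one address, one stray failure,
# a success without MFA, a root sign-in with MFA, and an unrelated API call.
SAMPLE_RECORDS = [
    _login("2017-03-01T10:00:12Z", "203.0.113.7", "Failure", "alice"),
    _login("2017-03-01T10:01:03Z", "203.0.113.7", "Failure", "alice"),
    _login("2017-03-01T10:03:45Z", "203.0.113.7", "Failure", "bob"),
    _login("2017-03-01T10:04:20Z", "203.0.113.7", "Failure", "alice"),
    _login("2017-03-01T10:05:00Z", "198.51.100.23", "Failure", "bob"),
    _login("2017-03-01T10:06:31Z", "198.51.100.23", "Success", "bob", mfa="No"),
    _login("2017-03-01T11:30:00Z", "198.51.100.9", "Success", None, mfa="Yes"),
    {"eventVersion": "1.05", "eventTime": "2017-03-01T10:07:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}, "responseElements": None},
]


def _ts(record):
    return datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _who(record):
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("type", "unknown")


def analyze_sign_ins(records, fail_threshold=3, window=timedelta(minutes=10)):
    """Summarize console sign-in activity the way a routine CloudTrail review would.

    Returns source IPs with `fail_threshold` or more failures inside `window`,
    successful sign-ins made without MFA, and every root-user sign-in.
    """
    failures = defaultdict(list)
    no_mfa, root_logins = [], []
    for rec in records:
        if rec.get("eventName") != "ConsoleLogin":
            continue  # other API activity is out of scope for this check
        outcome = (rec.get("responseElements") or {}).get("ConsoleLogin")
        if outcome == "Failure":
            failures[rec["sourceIPAddress"]].append(_ts(rec))
        elif outcome == "Success":
            if (rec.get("additionalEventData") or {}).get("MFAUsed") == "No":
                no_mfa.append((_who(rec), rec["sourceIPAddress"], rec["eventTime"]))
            if rec.get("userIdentity", {}).get("type") == "Root":
                root_logins.append((rec["sourceIPAddress"], rec["eventTime"]))
    suspicious_ips = []
    for ip, times in failures.items():
        times.sort()
        # sliding window: do any `fail_threshold` consecutive failures fit inside `window`?
        if any(times[i + fail_threshold - 1] - times[i] <= window
               for i in range(len(times) - fail_threshold + 1)):
            suspicious_ips.append(ip)
    return {"suspicious_ips": sorted(suspicious_ips), "logins_without_mfa": no_mfa,
            "root_logins": root_logins}


def trails_not_covering_all_regions(describe_trails_response):
    """Names of trails that apply to one region only, from a DescribeTrails-shaped response."""
    return [t["Name"] for t in describe_trails_response.get("trailList", [])
            if not t.get("IsMultiRegionTrail", False)]


# Constructed response in the shape of the CloudTrail DescribeTrails API output.
SAMPLE_TRAILS = {"trailList": [
    {"Name": "org-audit-trail", "HomeRegion": "us-east-1", "IsMultiRegionTrail": True,
     "S3BucketName": "example-cloudtrail-logs"},
    {"Name": "legacy-eu-trail", "HomeRegion": "eu-west-1", "IsMultiRegionTrail": False,
     "S3BucketName": "example-cloudtrail-logs"},
]}

if __name__ == "__main__":
    print(analyze_sign_ins(SAMPLE_RECORDS))
    print(trails_not_covering_all_regions(SAMPLE_TRAILS))
```

On the sample, 203.0.113.7 is flagged for four failures in under five minutes, bob's sign-in is listed as made without MFA, the root sign-in is reported, and legacy-eu-trail is the one trail not covering all regions.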
Analytics
Analytics, and the associated big data that it requires, presents a unique list of challenges to a Solutions Architect. The big data must be ingested at a very high rate, stored in very high volume, and processed with a tremendous amount of compute. Often, the need to perform analytics on the big data is sporadic, with a great deal of compute infrastructure needed regularly for very small time periods. The cloud, with its easy access to compute and nearly limitless storage capacity, is ideally suited to address these analytics challenges. This section covers several AWS cloud services that will help you address analytics and big data issues on the exam.
Amazon Kinesis
Amazon Kinesis is a platform for handling massive streaming data on AWS, offering powerful services to make it easy to load and analyze streaming data and also providing the ability for you to build custom streaming data applications for specialized needs.
Overview
Amazon Kinesis is a streaming data platform consisting of three services addressing different real-time streaming data challenges:
Amazon Kinesis Firehose: A service enabling you to load massive volumes of streaming data into AWS
Amazon Kinesis Streams: A service enabling you to build custom applications for more complex analysis of streaming data in real time
Amazon Kinesis Analytics: A service enabling you to easily analyze streaming data in real time with standard SQL
Each of these services can scale to handle virtually limitless data streams.
Amazon Kinesis Firehose
Amazon Kinesis Firehose receives stream data and stores it in Amazon S3, Amazon Redshift, or Amazon Elasticsearch. You do not need to write any code; just create a delivery stream and configure the destination for your data. Clients write data to the stream using an AWS API call and the data is automatically sent to the proper destination. The various destination options are shown in Figure 11.3.
FIGURE 11.3 Amazon Kinesis Firehose
When configured to save a stream to Amazon S3, Amazon Kinesis Firehose sends the data directly to Amazon S3. For an Amazon Redshift destination, the data is first written to Amazon S3, and then an Amazon Redshift COPY command is executed to load the data into Amazon Redshift. Amazon Kinesis Firehose can also write data out to Amazon Elasticsearch, with the option to back the data up concurrently to Amazon S3.
Amazon Kinesis Streams
Amazon Kinesis Streams enable you to collect and process large streams of data records in real time. Using AWS SDKs, you can create an Amazon Kinesis Streams application that processes the data as it moves through the stream. Because response time for data intake and processing is in near real time, the processing is typically lightweight. Amazon Kinesis Streams can scale to support nearly limitless data streams by distributing incoming data across a number of shards. If any shard becomes too busy, it can be further divided into more shards to distribute the load further. The processing is then executed on consumers, which read data from the shards and run the Amazon Kinesis Streams application. This architecture is shown in Figure 11.4.
FIGURE 11.4 Amazon Kinesis Streams
Amazon Kinesis Analytics
At the time of this writing, Amazon Kinesis Analytics has been announced but not yet released.
Use Cases
The Amazon Kinesis services support many strategic workloads that would otherwise require extensive effort to deploy and manage, including, but not limited to:
Data Ingestion
The first challenge with a huge stream of data is accepting it reliably. Whether it is user data from highly trafficked websites, input data from thousands of monitoring devices, or any other sources of huge streams, Amazon Kinesis Firehose is an excellent choice to ensure that all of your data is successfully stored in your AWS infrastructure.
Real-Time Processing of Massive Data Streams
Companies often need to act on knowledge gleaned from a big data stream right away, whether to feed a dashboard application, alter advertising strategies based on social media trends, allocate assets based on real-time situations, or a host of other scenarios. Amazon Kinesis Streams enables you to gather this knowledge from the data in your stream on a real-time basis.
It's good to remember that while Amazon Kinesis is ideally suited for ingesting and processing streams of data, it is less appropriate for batch jobs such as nightly Extract, Transform, Load (ETL) processes. For those types of workloads, consider AWS Data Pipeline, which is described later in this chapter.
Amazon Elastic MapReduce (Amazon EMR)
Amazon Elastic MapReduce (Amazon EMR) provides you with a fully managed, on-demand Hadoop framework. Amazon EMR reduces the complexity and up-front costs of setting up Hadoop and, combined with the scale of AWS, gives you the ability to spin up large Hadoop clusters instantly and start processing within minutes.
Overview
When you launch an Amazon EMR cluster, you specify several options, the most important being:
The instance type of the nodes in your cluster
The number of nodes in your cluster
The version of Hadoop you want to run (Amazon EMR supports several recent versions of Apache Hadoop, and also several versions of MapR Hadoop.)
Additional tools or applications like Hive, Pig, Spark, or Presto
There are two types of storage that can be used with Amazon EMR:
Hadoop Distributed File System (HDFS)
HDFS is the standard file system that comes with Hadoop. All data is replicated across multiple instances to ensure durability. Amazon EMR can use Amazon EC2 instance storage or Amazon EBS for HDFS. When a cluster is shut down, instance storage is lost and the data does not persist. HDFS can also make use of Amazon EBS storage, trading in the cost effectiveness of instance storage for the ability to shut down a cluster without losing data.
EMR File System (EMRFS)
EMRFS is an implementation of HDFS that allows clusters to store data on Amazon S3. EMRFS allows you to get the durability and low cost of Amazon S3 while preserving your data even if the cluster is shut down.
A key factor driving the type of storage a cluster uses is whether the cluster is persistent or transient. A persistent cluster continues to run 24×7 after it is launched. Persistent clusters are appropriate when continuous analysis is going to be run on the data. For persistent clusters, HDFS is a common choice. Persistent clusters take advantage of the low latency of HDFS, especially on instance storage, since constant operation means no data is lost from shutting down a cluster. In other situations, big data workloads are frequently run inconsistently, and it can be cost-effective to turn the cluster off when not in use. Clusters that are started when needed and then immediately stopped when done are called transient clusters. EMRFS is well suited for transient clusters, as the data persists independent of the lifetime of the cluster. You can also choose to use a combination of local HDFS and EMRFS to meet your workload needs.
Because Amazon EMR is an instance of Apache Hadoop, you can use the extensive ecosystem of tools that work on top of Hadoop, such as Hive, Pig, and Spark. Many of these tools are natively supported and can be included automatically when you launch your cluster, while others can be installed through bootstrap actions.
Use Cases
Amazon EMR is well suited for a large number of use cases, including, but not limited to:
Log Processing
Amazon EMR can be used to process logs generated by web and mobile applications. Amazon EMR helps customers turn petabytes of unstructured or semi-structured data into useful insights about their applications or users.
Clickstream Analysis
Amazon EMR can be used to analyze clickstream data in order to segment users and understand user preferences. Advertisers can also analyze clickstreams and advertising impression logs to deliver more effective ads.
Genomics and Life Sciences
Amazon EMR can be used to process vast amounts of genomic data and other large scientific data sets quickly and efficiently. Processes that require years of compute can be completed in a day when scaled across large clusters.
AWS Data Pipeline
AWS Data Pipeline is a web service that helps you reliably process and move data between different AWS compute and storage services, and also on-premises data sources, at specified intervals. With AWS Data Pipeline, you can regularly access your data where it's stored, transform and process it at scale, and efficiently transfer the results to AWS services such as Amazon S3, Amazon Relational Database Service (Amazon RDS), Amazon DynamoDB, and Amazon EMR.
Overview
Everything in AWS Data Pipeline starts with the pipeline itself. A pipeline schedules and runs tasks according to the pipeline definition. The scheduling is flexible and can run every 15 minutes, every day, every week, and so forth.
The pipeline interacts with data stored in data nodes. Data nodes are locations where the pipeline reads input data or writes output data, such as Amazon S3, a MySQL database, or an Amazon Redshift cluster. Data nodes can be on AWS or on your premises.
The pipeline will execute activities that represent common scenarios, such as moving data from one location to another, running Hive queries, and so forth. Activities may require additional resources to run, such as an Amazon EMR cluster or an Amazon EC2 instance. In these situations, AWS Data Pipeline will automatically launch the required resources and tear them down when the activity is completed.
Distributed data flows often have dependencies; just because an activity is scheduled to run does not mean that there is data waiting to be processed. For situations like this, AWS Data Pipeline supports preconditions, which are conditional statements that must be true before an activity can run. These include scenarios such as whether an Amazon S3 key is present, whether an Amazon DynamoDB table contains any data, and so forth.
If an activity fails, retry is automatic. The activity will continue to retry up to the limit you configure. You can define actions to take in the event that the activity reaches that limit without succeeding.
Use Cases
AWS Data Pipeline can be used for virtually any batch mode ETL process. A simple example is shown in Figure 11.5.
FIGURE 11.5 Example pipeline
The pipeline in Figure 11.5 is performing the following workflow:
Every hour an activity begins to extract log data from on-premises storage to Amazon S3. A precondition checks that there is data to be transferred before actually starting the activity.
The next activity launches a transient Amazon EMR cluster that uses the extracted data set as input, validates and transforms it, and then outputs the data to an Amazon S3 bucket.
The final activity moves the transformed data from Amazon S3 to Amazon Redshift via an Amazon Redshift COPY command.
AWS Data Pipeline is best for regular batch processes instead of for continuous data streams; use Amazon Kinesis for data streams.
AWS Import/Export
One key challenge of big data on the AWS cloud is getting huge data sets to the cloud in the first place, or retrieving them back to on-premises when necessary. Regardless of how much bandwidth you configure out of your data center, there are times when there is more data to transfer than can move over the connection in a reasonable period of time. AWS Import/Export is a service that accelerates transferring large amounts of data into and out of AWS using physical storage appliances, bypassing the Internet. The data is copied to a device at the source (your data center or an AWS region), shipped via standard shipping mechanisms, and then copied to the destination (your data center or an AWS region).
Overview
AWS Import/Export has two features that support shipping data into and out of your AWS infrastructure: AWS Import/Export Snowball (AWS Snowball) and AWS Import/Export Disk.
AWS Snowball
AWS Snowball uses Amazon-provided shippable storage appliances shipped through UPS. Each AWS Snowball is protected by AWS KMS and made physically rugged to secure and protect your data while the device is in transit. At the time of this writing, AWS Snowballs come in two sizes: 50 TB and 80 TB, and the availability of each varies by region.
AWS Snowball provides the following features:
You can import and export data between your on-premises data storage locations and Amazon S3.
Encryption is enforced, protecting your data at rest and in physical transit.
You don't have to buy or maintain your own hardware devices.
You can manage your jobs through the AWS Snowball console.
The AWS Snowball is its own shipping container, and the shipping label is an E Ink display that automatically shows the correct address when the AWS Snowball is ready to ship. You can drop it off with UPS, no box required.
With AWS Snowball, you can import or export terabytes or even petabytes of data.
AWS Import/Export Disk
AWS Import/Export Disk supports transferring data directly onto and off of storage devices you own using the Amazon high-speed internal network.
Important things to understand about AWS Import/Export Disk include:
You can import your data into Amazon Glacier and Amazon EBS, in addition to Amazon S3.
You can export data from Amazon S3.
Encryption is optional and not enforced.
You buy and maintain your own hardware devices.
You can't manage your jobs through the AWS Snowball console.
Unlike AWS Snowball, AWS Import/Export Disk has an upper limit of 16 TB.
Use Cases
AWS Import/Export can be used for just about any situation where you have more data to move than you can get through your Internet connection in a reasonable time, including, but not limited to:
Storage Migration
When companies shut down a data center, they often need to move massive amounts of storage to another location. AWS Import/Export is a suitable technology for this requirement.
Migrating Applications
Migrating an application to the cloud often involves moving huge amounts of data. This can be accelerated using AWS Import/Export.
DevOps
As organizations created increasingly complex software applications, IT development teams evolved their software creation practices for more flexibility, moving from waterfall models to agile or lean development practices. This change also propagated to operations teams, which blurred the lines between traditional development and operations teams. AWS provides a flexible environment that facilitated the successes of organizations like Netflix, Airbnb, General Electric, and many others that embraced DevOps. This section reviews elements of AWS cloud services that support DevOps practices.
AWS OpsWorks
AWS OpsWorks is a configuration management service that helps you configure and operate applications using Chef. AWS OpsWorks works with applications of any level of complexity and is independent of any particular architectural pattern. You can define an application's architecture and the specification of each component, including package installation, software configuration, and resources such as storage.
AWS OpsWorks supports both Linux and Windows servers, including existing Amazon EC2 instances or servers running in your own data center. This allows organizations to use a single configuration management service to deploy and operate applications across hybrid architectures.
Overview
Many solutions on AWS involve groups of resources, such as Amazon EC2 instances and Amazon RDS instances, which must be created and managed collectively. For example, these architectures typically require application servers, database servers, load balancers, and so on. This group of resources is typically called a stack. A simple application server stack might be arranged something like Figure 11.6.
FIGURE 11.6 Simple application server stack
In addition to creating the instances and installing the necessary packages, you typically need a way to distribute applications to the application servers, monitor the stack's performance, manage security and permissions, and so on. AWS OpsWorks provides a simple and flexible way to create and manage stacks and applications. Figure 11.7 depicts how a simple application server stack might look with AWS OpsWorks. Although relatively simple, this stack shows the key AWS OpsWorks features.
FIGURE 11.7 Simple application server stack with AWS OpsWorks
The stack is the core AWS OpsWorks component. It is basically a container for AWS resources (Amazon EC2 instances, Amazon RDS database instances, and so on) that have a common purpose and make sense to be logically managed together. The stack helps you manage these resources as a group and defines some default configuration settings, such as the Amazon EC2 instances' operating system and AWS region. If you want to isolate some stack components from direct user interaction, you can run the stack in an Amazon Virtual Private Cloud (Amazon VPC). Each stack lets you grant users permission to access the stack and specify what actions they can take.
You can use AWS OpsWorks or IAM to manage user permissions. Note that the two options are not mutually exclusive; it is sometimes desirable to use both.
You define the elements of a stack by adding one or more layers. A layer represents a set of resources that serve a particular purpose, such as load balancing, web applications, or hosting a database server. You can customize or extend layers by modifying the default configurations or adding Chef recipes to perform tasks such as installing additional packages. Layers give you complete control over which packages are installed, how they are configured, how applications are deployed, and more.
Layers depend on Chef recipes to handle tasks such as installing packages on instances, deploying applications, and running scripts. One of the key AWS OpsWorks features is a set of lifecycle events that automatically run a specified set of recipes at the appropriate time on each instance.
An instance represents a single computing resource, such as an Amazon EC2 instance. It defines the resource's basic configuration, such as operating system and size. Other configuration settings, such as Elastic IP addresses or Amazon EBS volumes, are defined by the instance's layers. The layer's recipes complete the configuration by performing tasks such as installing and configuring packages and deploying applications.
You store applications and related files in a repository, such as an Amazon S3 bucket or Git repo. Each application is represented by an app, which specifies the application type and contains the information that is needed to deploy the application from the repository to your instances, such as the repository URL and password (for a private Git repository, a read-only SSH deploy key is preferable to a password). When you deploy an app, AWS OpsWorks triggers a Deploy event, which runs the Deploy recipes on the stack's instances.
Using the concepts of stacks, layers, and apps, you can model and visualize your application and resources in an organized fashion.
Finally, AWS OpsWorks sends all of your resource metrics to Amazon CloudWatch, making it easy to view graphs and set alarms to help you troubleshoot and take automated action based on the state of your resources. AWS OpsWorks provides many custom metrics, such as CPU idle, memory total, average load for one minute, and more. Each instance in the stack has detailed monitoring to provide insights into your workload.
Use Cases
AWS OpsWorks supports many DevOps efforts, including, but not limited to:
Host Multi-Tier Web Applications: AWS OpsWorks lets you model and visualize your application with layers that define how to configure a set of resources that are managed together. Because AWS OpsWorks uses the Chef framework, you can bring your own recipes or leverage hundreds of community-built configurations.
Support Continuous Integration: AWS OpsWorks supports DevOps principles, such as continuous integration. Everything in your environment can be automated.
AWS CloudFormation
AWS CloudFormation is a service that helps you model and set up your AWS resources so that you can spend less time managing those resources and more time focusing on your applications that run in AWS. AWS CloudFormation allows organizations to deploy, modify, and update resources in a controlled and predictable way, in effect applying version control to AWS infrastructure the same way one would do with software.
Overview
AWS CloudFormation gives developers and systems administrators an easy way to create and manage a collection of related AWS resources, provisioning and updating them in an orderly and predictable fashion. When you use AWS CloudFormation, you work with templates and stacks.
You create AWS CloudFormation templates to define your AWS resources and their properties. A template is a text file written in JSON (YAML templates are also accepted). AWS CloudFormation uses these templates as blueprints for building your AWS resources.
When you use AWS CloudFormation, you can reuse your template to set up your resources consistently and repeatedly. Just describe your resources once, and then provision the same resources over and over in multiple regions.
When you use AWS CloudFormation, you manage related resources as a single unit called a stack. You create, update, and delete a collection of resources by creating, updating, and deleting stacks. All of the resources in a stack are defined by the stack's AWS CloudFormation template. Suppose you created a template that includes an Auto Scaling group, an Elastic Load Balancing load balancer, and an Amazon RDS database instance. To create those resources, you create a stack by submitting your template that defines those resources, and AWS CloudFormation handles all of the provisioning for you. After all of the resources have been created, AWS CloudFormation reports that your stack has been created. You can then start using the resources in your stack. If stack creation fails, AWS CloudFormation rolls back your changes by deleting the resources that it created.
Often you will need to launch stacks from the same template, but with minor variations, such as within a different Amazon VPC or using AMIs from a different region. These variations can be addressed using parameters. You can use parameters to customize aspects of your template at runtime, when the stack is built. For example, you can pass the Amazon RDS database size, Amazon EC2 instance types, and database and web server port numbers to AWS CloudFormation when you create a stack. By leveraging template parameters, you can use a single template for many infrastructure deployments with different configuration values. For example, your Amazon EC2 instance types, Amazon CloudWatch alarm thresholds, and Amazon RDS read-replica settings may differ among AWS regions if you receive more customer traffic in the United States than in Europe. You can use template parameters to tune the settings and thresholds in each region separately and still be sure that the application is deployed consistently across the regions.
Figure 11.8 depicts the AWS CloudFormation workflow for creating stacks.
FIGURE 11.8 Creating a stack workflow
Because environments are dynamic in nature, you inevitably will need to update your stack's resources from time to time. There is no need to create a new stack and delete the old one; you can simply modify the existing stack's template. To update a stack, create a change set by submitting a modified version of the original stack template, different input parameter values, or both. AWS CloudFormation compares the modified template with the original template and generates a change set. The change set lists the proposed changes. Pay particular attention to any change the set marks as requiring replacement: a replaced resource is recreated, which for a database instance means data loss unless a snapshot is taken first. After reviewing the changes, you can execute the change set to update your stack. Figure 11.9 depicts the workflow for updating a stack.
FIGURE 11.9 Updating a stack workflow
When the time comes and you need to delete a stack, AWS CloudFormation deletes the stack and all of the resources in that stack.
If you want to delete a stack but still retain some resources in that stack, you can use a deletion policy to retain those resources. If a resource has no deletion policy, AWS CloudFormation deletes the resource by default.
After all of the resources have been deleted, AWS CloudFormation signals that your stack has been successfully deleted. If AWS CloudFormation cannot delete a resource, the stack will not be deleted. Any resources that haven't been deleted will remain until you can successfully delete the stack.
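The two points the preceding paragraphs make about templates, that parameters customize a stack at creation time and that a resource without a deletion policy is deleted with its stack, are the kind of thing worth checking before a template is ever submitted. The following is an added example written for this page, not code from the study guide or from AWS: a small pre-deploy linter for a CloudFormation JSON template that flags stateful resources lacking a DeletionPolicy of Retain or Snapshot, flags parameters that look like secrets but are not NoEcho (NoEcho masks the value in the console, in DescribeStacks output and in CloudTrail), and applies the fixes. The sample template, the list of stateful types and the secret-name hints are all constructed for the example.

```python
"""Pre-deploy lint for a CloudFormation JSON template.

Two checks taken from the chapter's points: a stateful resource should carry a
DeletionPolicy (a resource attribute that sits beside Type, not inside
Properties) so that deleting the stack does not destroy its data, and a
parameter that carries a secret should be NoEcho so its value is masked in the
console, in DescribeStacks output and in CloudTrail.
"""
import copy
import json

# Stateful resource types mapped to the DeletionPolicy values that keep their
# data. Assumption: this short list is the example author's, not an AWS list.
STATEFUL_TYPES = {
    "AWS::RDS::DBInstance": {"Retain", "Snapshot"},
    "AWS::RDS::DBCluster": {"Retain", "Snapshot"},
    "AWS::EC2::Volume": {"Retain", "Snapshot"},
    "AWS::S3::Bucket": {"Retain"},
    "AWS::DynamoDB::Table": {"Retain"},
}
# Parameter-name fragments that usually mean the value is a secret (assumption).
SECRET_HINTS = ("password", "secret", "token", "privatekey")

# Constructed sample template (not from the study guide or from AWS): a web tier
# in front of an RDS instance plus a log bucket, with two deliberate problems.
SAMPLE_TEMPLATE = json.loads("""
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Parameters": {
    "InstanceType": {"Type": "String", "Default": "t2.micro",
                     "AllowedValues": ["t2.micro", "t2.small", "m4.large"]},
    "DBPassword": {"Type": "String", "Default": "changeme", "MinLength": "8"}
  },
  "Resources": {
    "Database": {
      "Type": "AWS::RDS::DBInstance",
      "Properties": {"Engine": "mysql", "DBInstanceClass": "db.t2.small",
                     "AllocatedStorage": "20", "MasterUsername": "admin",
                     "MasterUserPassword": {"Ref": "DBPassword"}}
    },
    "LogBucket": {"Type": "AWS::S3::Bucket", "DeletionPolicy": "Retain"},
    "WebServerGroup": {"Type": "AWS::AutoScaling::AutoScalingGroup",
                       "Properties": {"MinSize": "1", "MaxSize": "3"}}
  }
}
""")


def lint_template(template):
    """Return human-readable findings; an empty list means the template is clean."""
    findings = []
    for name, param in template.get("Parameters", {}).items():
        if any(hint in name.lower() for hint in SECRET_HINTS):
            if param.get("NoEcho") not in (True, "true"):
                findings.append(f"Parameter {name}: secret-looking parameter without NoEcho")
            if "Default" in param:
                # A Default bakes the secret into the version-controlled template.
                findings.append(f"Parameter {name}: secret-looking parameter has a Default")
    for name, res in template.get("Resources", {}).items():
        keep = STATEFUL_TYPES.get(res.get("Type"))
        if keep is None:
            continue
        # A resource with no DeletionPolicy is deleted together with the stack.
        policy = res.get("DeletionPolicy", "Delete")
        if policy not in keep:
            findings.append(f"Resource {name} ({res['Type']}): DeletionPolicy is "
                            f"{policy}, expected one of {sorted(keep)}")
    return findings


def harden_template(template):
    """Return a copy of the template with both classes of finding fixed."""
    fixed = copy.deepcopy(template)
    for name, param in fixed.get("Parameters", {}).items():
        if any(hint in name.lower() for hint in SECRET_HINTS):
            param["NoEcho"] = True
            param.pop("Default", None)
    for res in fixed.get("Resources", {}).values():
        keep = STATEFUL_TYPES.get(res.get("Type"))
        if keep and res.get("DeletionPolicy", "Delete") not in keep:
            # Prefer a final Snapshot where the type supports it, else Retain.
            res["DeletionPolicy"] = "Snapshot" if "Snapshot" in keep else "Retain"
    return fixed


if __name__ == "__main__":
    for finding in lint_template(SAMPLE_TEMPLATE):
        print("FINDING:", finding)
    print("after hardening:", lint_template(harden_template(SAMPLE_TEMPLATE)))
```

Run against the sample, the linter reports the password parameter twice (no NoEcho, and a Default that would be committed with the template) and the RDS instance once; the hardened copy passes clean. A linter like this belongs in the pipeline step before create-stack or create-change-set, because CloudFormation itself accepts all three of the flagged constructs.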
Use Cases
By allowing you to replicate your entire infrastructure stack easily and quickly, AWS CloudFormation enables a variety of use cases, including, but not limited to:
Quickly Launch New Test Environments: AWS CloudFormation lets testing teams quickly create a clean environment to run tests without disturbing ongoing efforts in other environments.
Reliably Replicate Configuration Between Environments: Because AWS CloudFormation scripts the entire environment, the human error involved in building new stacks by hand is largely removed.
Launch Applications in New AWS Regions: A single template can be used across multiple regions to launch stacks reliably in different markets.
AWS Elastic Beanstalk
AWS Elastic Beanstalk is the fastest and simplest way to get an application up and running on AWS. Developers can simply upload their application code, and the service automatically handles all of the details, such as resource provisioning, load balancing, Auto Scaling, and monitoring.
Overview
AWS comprises dozens of building block services, each of which exposes an area of functionality. While the variety of services offers flexibility for how organizations want to manage their AWS infrastructure, it can be challenging to figure out which services to use and how to provision them. With AWS Elastic Beanstalk, you can quickly deploy and manage applications on the AWS cloud without worrying about the infrastructure that runs those applications. AWS Elastic Beanstalk reduces management complexity without restricting choice or control.
There are key components that comprise AWS Elastic Beanstalk and work together to provide the necessary services to deploy and manage applications easily in the cloud. An AWS Elastic Beanstalk application is the logical collection of these AWS Elastic Beanstalk components, which includes environments, versions, and environment configurations. In AWS Elastic Beanstalk, an application is conceptually similar to a folder.
An application version refers to a specific, labeled iteration of deployable code for a web application. An application version points to an Amazon S3 object that contains the deployable code. Applications can have many versions, and each application version is unique. In a running environment, organizations can deploy any application version they already uploaded to the application, or they can upload and immediately deploy a new application version. Organizations might upload multiple application versions to test differences between one version of their web application and another.
An environment is an application version that is deployed onto AWS resources. Each environment runs only a single application version at a time; however, the same version or different versions can run in as many environments at the same time as needed. When an environment is created, AWS Elastic Beanstalk provisions the resources needed to run the application version that is specified.
An environment configuration identifies a collection of parameters and settings that define how an environment and its associated resources behave. When an environment's configuration settings are updated, AWS Elastic Beanstalk automatically applies the changes to existing resources or deletes and deploys new resources, depending on the type of change.
When an AWS Elastic Beanstalk environment is launched, the environment tier, platform, and environment type are specified. The environment tier that is chosen determines whether AWS Elastic Beanstalk provisions resources to support a web application that handles HTTP(S) requests or an application that handles background-processing tasks. An environment tier whose web application processes web requests is known as a web server tier. An environment tier whose application runs background jobs is known as a worker tier.
At the time of this writing, AWS Elastic Beanstalk provides platform support for the programming languages Java, .NET (on Windows Server), Node.js, PHP, Python, Ruby, and Go, with support for the web containers Tomcat, Passenger, and Puma, and for Docker containers.
Use Cases
A company provides a website for prospective home buyers, sellers, and renters to browse home and apartment listings for more than 110 million homes. The website processes more than three million new images daily. It receives more than 17,000 image requests per second on its website during peak traffic from both desktop and mobile clients.
The company was looking for ways to be more agile with deployments and empower its developers to focus more on writing code instead of spending time managing and configuring servers, databases, load balancers, firewalls, and networks. It began using AWS Elastic Beanstalk as the service for deploying and scaling the web applications and services. Developers were empowered to upload code to AWS Elastic Beanstalk, which then automatically handled the deployment, from capacity provisioning, load balancing, and Auto Scaling, to application health monitoring.
Because the company ingests data in a haphazard way, running feeds that dump a ton of work into the image processing system all at once, it needs to scale up its image converter fleet to meet peak demand. The company determined that an AWS Elastic Beanstalk worker fleet running the Python Imaging Library with custom code was the simplest way to meet the requirement. This eliminated the need to have a number of static instances or, worse, trying to write their own Auto Scaling configuration.
By making the move to AWS Elastic Beanstalk, the company was able to reduce operating costs while increasing agility and scalability for its image processing and delivery system.
Key Features
AWS Elastic Beanstalk provides several management features that ease deployment and management of applications on AWS. Organizations have access to built-in Amazon CloudWatch monitoring metrics such as average CPU utilization, request count, and average latency. They can receive email notifications through Amazon SNS when application health changes or application servers are added or removed. Server logs for the application servers can be accessed without needing to log in. Organizations can even elect to have updates applied automatically to the underlying platform running the application, such as the AMI, operating system, language and framework, and application or proxy server.
Additionally, developers retain full control over the AWS resources powering their application and can perform a variety of functions by simply adjusting the configuration settings. These include settings such as:
Selecting the most appropriate Amazon EC2 instance type that matches the CPU and memory requirements of their application
Choosing the right database and storage options, such as Amazon RDS, Amazon DynamoDB, Microsoft SQL Server, and Oracle
Enabling login access to Amazon EC2 instances for immediate and direct troubleshooting (when you do, check the security group rule that is added for port 22 and restrict its source to your own address range)
Enhancing application security by enabling the HTTPS protocol on the load balancer
Adjusting application server settings (for example, JVM settings) and passing environment variables
Adjusting Auto Scaling settings to control the metrics and thresholds used to determine when to add or remove instances from an environment
With AWS Elastic Beanstalk, organizations can deploy an application quickly while retaining as much control as they want to have over the underlying infrastructure.
AWS Trusted Advisor
AWS Trusted Advisor draws upon best practices learned from the aggregated operational history of serving over a million AWS customers. AWS Trusted Advisor inspects your AWS environment and makes recommendations when opportunities exist to save money, improve system availability and performance, or help close security gaps. You can view the overall status of your AWS resources and savings estimations on the AWS Trusted Advisor dashboard.
AWS Trusted Advisor is accessed in the AWS Management Console. Additionally, programmatic access to AWS Trusted Advisor is available with the AWS Support API, which requires a Business or Enterprise Support plan.
AWS Trusted Advisor provides best practices in four categories: cost optimization, security, fault tolerance, and performance improvement. The status of each check is shown by using color coding on the dashboard page, as depicted in Figure 11.10.
FIGURE 11.10 AWS Trusted Advisor Console dashboard
The color coding reflects the following information:
Red: Action recommended
Yellow: Investigation recommended
Green: No problem detected
For each check, you can review a detailed description of the recommended best practice, a set of alert criteria, guidelines for action, and a list of useful resources on the topic.
All AWS customers have access to four AWS Trusted Advisor checks at no cost. The four standard AWS Trusted Advisor checks are:
Service Limits: Checks for usage that is more than 80 percent of the service limit. These values are based on a snapshot, so current usage might differ and can take up to 24 hours to reflect changes.
Security Groups – Specific Ports Unrestricted: Checks security groups for rules that allow unrestricted access (0.0.0.0/0) to specific ports.
IAM Use: Checks for your use of AWS IAM.
MFA on Root Account: Checks the root account and warns if MFA is not enabled.
Customers with a Business or Enterprise AWS Support plan can view all AWS Trusted Advisor checks (over 50 checks).
There may be occasions when a particular check is not relevant to some resources in your AWS environment. You have the ability to exclude items from a check and optionally restore them later at any time. AWS Trusted Advisor acts like a customized cloud expert, and it helps organizations provision their resources by following best practices while identifying inefficiencies, waste, potential cost savings, and security issues.
AWS Config
AWS Config is a fully managed service that provides you with an AWS resource inventory, configuration history, and configuration change notifications to enable security and governance. With AWS Config, you can discover existing and deleted AWS resources, determine your overall compliance against rules, and dive into configuration details of a resource at any point in time. These capabilities enable compliance auditing, security analysis, resource change tracking, and troubleshooting.
Overview
AWS Config provides a detailed view of the configuration of AWS resources in your AWS account. This includes how the resources are related and how they were configured in the past so that you can see how the configurations and relationships change over time. AWS Config defines a resource as an entity you can work with in AWS, such as an Amazon EC2 instance, an Amazon EBS volume, a security group, or an Amazon VPC.
When you turn on AWS Config, it first discovers the supported AWS resources that exist in your account and generates a configuration item for each resource. A configuration item represents a point-in-time view of the various attributes of a supported AWS resource that exists in your account. The components of a configuration item include metadata, attributes, relationships, current configuration, and related events.
AWS Config will generate configuration items when the configuration of a resource changes, and it maintains historical records of the configuration items of your resources from the time you start the configuration recorder. The configuration recorder stores the configurations of the supported resources in your account as configuration items. By default, AWS Config creates configuration items for every supported resource in the region. If you don't want AWS Config to create configuration items for all supported resources, you can specify the resource types that you want it to track.
Organizations often need to assess the overall compliance and risk status from a configuration perspective, view compliance trends over time, and pinpoint which configuration change caused a resource to drift out of compliance. An AWS Config Rule represents desired configuration settings for specific AWS resources or for an entire AWS account. While AWS Config continuously tracks your resource configuration changes, it checks whether these changes violate any of the conditions in your rules. If a resource violates a rule, AWS Config flags the resource and the rule as noncompliant and notifies you through Amazon SNS.
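The Trusted Advisor check "Security Groups – Specific Ports Unrestricted" described earlier and the AWS Config Rules described in the paragraph above evaluate the same question: is a security group rule open to 0.0.0.0/0 on a port it should not be? The following is an added example written for this page, not code from the study guide or from AWS, showing that evaluation as the logic of a custom Config rule. It takes a configuration item for an AWS::EC2::SecurityGroup in the form a rule's Lambda function receives (JSON-encoded in event['invokingEvent']), handles both the older ipRanges list and the newer ipv4Ranges/ipv6Ranges objects as well as ::/0, and returns a COMPLIANT, NON_COMPLIANT or NOT_APPLICABLE evaluation. The sample configuration item is constructed, and the port allowlist is the example author's choice (stricter than Trusted Advisor's own list of ports); the boto3 put_evaluations call a deployed rule would make is omitted so the file runs offline.

```python
"""Custom AWS Config rule logic for 'security group open to the world'.

A configuration item for an AWS::EC2::SecurityGroup arrives JSON-encoded in
event['invokingEvent']; the code below evaluates it and returns the evaluation
that a deployed rule would hand to Config. Nothing here calls AWS, so it runs
offline.
"""
import json

# Ports a public web tier is expected to expose to the world; anything else
# reachable from 0.0.0.0/0 or ::/0 is flagged. Assumption: this allowlist is the
# example author's, stricter than Trusted Advisor's own port list.
PUBLIC_OK_PORTS = {80, 443}
ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"

# Constructed sample configuration item (shape follows Config's security-group
# items; identifiers and values are invented).
SAMPLE_CONFIGURATION_ITEM = {
    "resourceType": "AWS::EC2::SecurityGroup",
    "resourceId": "sg-0123456789abcdef0",
    "configurationItemStatus": "OK",
    "configurationItemCaptureTime": "2017-03-01T12:00:00.000Z",
    "configuration": {
        "groupName": "web-tier",
        "ipPermissions": [
            # HTTPS from anywhere: expected for a public web tier.
            {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
             "ipv4Ranges": [{"cidrIp": ANY_V4}], "ipv6Ranges": [{"cidrIpv6": ANY_V6}]},
            # SSH from anywhere, in the older 'ipRanges' list-of-strings form.
            {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": [ANY_V4]},
            # MySQL from inside the VPC only: fine.
            {"ipProtocol": "tcp", "fromPort": 3306, "toPort": 3306,
             "ipv4Ranges": [{"cidrIp": "10.0.0.0/16"}]},
        ],
    },
}
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({"messageType": "ConfigurationItemChangeNotification",
                                 "configurationItem": SAMPLE_CONFIGURATION_ITEM}),
    "ruleParameters": "{}",
    "resultToken": "constructed-token",
}


def _world_open_cidrs(permission):
    """CIDRs in one ipPermissions entry that mean 'anyone'. Handles both the
    older 'ipRanges' list of strings and the 'ipv4Ranges'/'ipv6Ranges' objects."""
    cidrs = list(permission.get("ipRanges", []))
    cidrs += [r.get("cidrIp") for r in permission.get("ipv4Ranges", [])]
    cidrs += [r.get("cidrIpv6") for r in permission.get("ipv6Ranges", [])]
    return [c for c in cidrs if c in (ANY_V4, ANY_V6)]


def unrestricted_ports(sg_configuration):
    """Sorted (port, cidr) pairs open to the world outside PUBLIC_OK_PORTS.
    Port -1 stands for 'all ports' (protocol -1, or a rule without ports)."""
    hits = set()
    for perm in sg_configuration.get("ipPermissions", []):
        world = _world_open_cidrs(perm)
        if not world:
            continue
        if perm.get("ipProtocol") == "-1" or perm.get("fromPort") is None:
            ports = [-1]
        else:
            ports = range(int(perm["fromPort"]), int(perm["toPort"]) + 1)
        for port in ports:
            if port not in PUBLIC_OK_PORTS:
                hits.update((port, cidr) for cidr in world)
    return sorted(hits)


def evaluate(configuration_item):
    """Build one Config evaluation for a configuration item."""
    if configuration_item["resourceType"] != "AWS::EC2::SecurityGroup":
        compliance, note = "NOT_APPLICABLE", "not a security group"
    elif configuration_item.get("configurationItemStatus") == "ResourceDeleted":
        compliance, note = "NOT_APPLICABLE", "resource deleted"
    else:
        hits = unrestricted_ports(configuration_item["configuration"])
        if hits:
            compliance = "NON_COMPLIANT"
            note = "world-open: " + ", ".join(f"{p} from {c}" for p, c in hits)
        else:
            compliance, note = "COMPLIANT", "no unrestricted ports"
    return {
        "ComplianceResourceType": configuration_item["resourceType"],
        "ComplianceResourceId": configuration_item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note[:256],  # PutEvaluations caps the annotation length
        "OrderingTimestamp": configuration_item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Entry point in the shape a Config rule's Lambda function uses. A deployed
    rule would pass the returned list plus event['resultToken'] to
    config.put_evaluations (boto3); that call is omitted to keep this offline."""
    invoking = json.loads(event["invokingEvent"])
    return [evaluate(invoking["configurationItem"])]
```

On the sample item the rule reports NON_COMPLIANT with the annotation "world-open: 22 from 0.0.0.0/0"; the HTTPS rule is allowed and the MySQL rule is internal. Evaluating the deleted-resource case as NOT_APPLICABLE matters in practice, because Config also delivers a final configuration item when a security group is deleted, and a rule that evaluated it would leave a stale noncompliant finding.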
AWS Config makes it easy to track resource configuration without the need for up-front investments and while avoiding the complexity of installing and updating agents for data collection or maintaining large databases. Once AWS Config is enabled, organizations can view continuously updated details of all configuration attributes associated with AWS resources.
Use Cases
Some of the infrastructure management tasks AWS Config enables include:
Discovery: AWS Config will discover resources that exist in your account, record their current configuration, and capture any changes to these configurations. AWS Config will also retain configuration details for resources that have been deleted. A comprehensive snapshot of all resources and their configuration attributes provides a complete inventory of resources in your account.
Change Management: When your resources are created, updated, or deleted, AWS Config streams these configuration changes to Amazon SNS so that you are notified of all configuration changes. AWS Config represents relationships between resources, so you can assess how a change to one resource may affect other resources.
Continuous Audit and Compliance: AWS Config and AWS Config Rules are designed to help you assess compliance with internal policies and regulatory standards by providing visibility into the configuration of a resource at any time and evaluating relevant configuration changes against rules that you can define.
Troubleshooting: Using AWS Config, you can quickly troubleshoot operational issues by identifying the recent configuration changes to your resources.
Security and Incident Analysis: Properly configured resources improve your security posture. Data from AWS Config enables you to monitor the configurations of your resources continuously and evaluate these configurations for potential security weaknesses. After a potential security event, AWS Config enables you to examine the configuration of your resources at any single point in the past.
Key Features
In the past, organizations needed to poll resource APIs and maintain their own external database for change management. AWS Config removes this need: it automatically records resource configuration information and evaluates any rules that are triggered by a change. The configuration of the resource and its overall compliance against rules are presented in a dashboard.
AWS Config integrates with AWS CloudTrail, a service that records AWS API calls for an account and delivers API usage log files to an Amazon S3 bucket. If the configuration change of a resource was the result of an API call, AWS Config also records the AWS CloudTrail event ID that corresponds to the API call that changed the resource's configuration. Organizations can then leverage the AWS CloudTrail logs to obtain details of the API call that was made, including who made the API call, at what time, and from which IP address, to use for troubleshooting and incident analysis.
When a configuration change is made to a resource or when the compliance of an AWS Config rule changes, a notification message is delivered that contains the updated configuration of the resource or the compliance state of the rule and key information such as the old and new values for each changed attribute. Additionally, AWS Config sends notifications when a Configuration History file is delivered to Amazon S3 and when the customer initiates a Configuration Snapshot. These messages are all streamed to an Amazon SNS topic that you specify.
Organizations can use the AWS Management Console, API, or AWS CLI to obtain details of what a resource's configuration looked like at any point in the past. AWS Config will also automatically deliver a history file to the Amazon S3 bucket you specify every six hours that contains all changes to your resource configurations.
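The Key Features paragraphs describe two pieces of data that an incident responder joins by hand: the change notification, with old and new values for each changed attribute, and the CloudTrail event IDs that AWS Config attaches to the configuration item. The following is an added example written for this page, not code from the study guide or from AWS, that performs that join offline: it flattens a ConfigurationItemChangeNotification's configurationItemDiff into readable "old -> new" lines and looks up each relatedEvents ID in a CloudTrail log file to report who made the call, when, from which IP address and whether the session was MFA-authenticated. Both the notification and the CloudTrail records are constructed samples whose layout follows the two services' formats; all identifiers are invented. The case where a related event is not yet present in the logs is reported rather than ignored, since CloudTrail log delivery normally lags the Config notification.

```python
"""Turn one AWS Config change notification into an incident note: what changed,
and who made the API call behind it, by joining the configuration item's
relatedEvents to CloudTrail records on eventID. Runs offline on constructed data.
"""
import json

# Constructed sample: body of a ConfigurationItemChangeNotification as Config
# publishes it to its SNS topic, for a security group that just gained an
# SSH-from-anywhere rule. Layout follows Config's notification format; every
# identifier and value is invented for this example.
CONFIG_NOTIFICATION = {
    "messageType": "ConfigurationItemChangeNotification",
    "configurationItemDiff": {
        "changeType": "UPDATE",
        "changedProperties": {
            "Configuration.IpPermissions.1": {
                "previousValue": None,
                "updatedValue": {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                                 "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]},
                "changeType": "CREATE",
            }
        },
    },
    "configurationItem": {
        "resourceType": "AWS::EC2::SecurityGroup",
        "resourceId": "sg-0123456789abcdef0",
        "configurationItemCaptureTime": "2017-03-01T12:01:30.000Z",
        "relatedEvents": ["11111111-2222-3333-4444-555555555555",
                          "99999999-8888-7777-6666-555555555555"],
        "configuration": {"groupName": "web-tier"},
    },
}

# Constructed sample: a CloudTrail log file as delivered to S3. Only the first
# record matches a relatedEvents entry above; the log file holding the second
# related event has not been delivered yet.
CLOUDTRAIL_LOG = {"Records": [
    {"eventID": "11111111-2222-3333-4444-555555555555",
     "eventTime": "2017-03-01T12:00:58Z",
     "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress",
     "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "AssumedRole", "principalId": "AROAEXAMPLE:alice",
                      "arn": "arn:aws:sts::123456789012:assumed-role/Admin/alice",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
     "requestParameters": {"groupId": "sg-0123456789abcdef0"}},
    {"eventID": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
     "eventTime": "2017-03-01T11:40:00Z",
     "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeSecurityGroups",
     "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::123456789012:user/bob"}},
]}


def changed_attributes(notification):
    """Flatten configurationItemDiff into 'property [changeType]: old -> new' lines."""
    diff = notification.get("configurationItemDiff") or {}
    lines = []
    for prop, change in sorted(diff.get("changedProperties", {}).items()):
        lines.append("%s [%s]: %s -> %s" % (
            prop, change.get("changeType"),
            json.dumps(change.get("previousValue"), sort_keys=True),
            json.dumps(change.get("updatedValue"), sort_keys=True)))
    return lines


def principal_of(record):
    """Best-effort human name for the caller in a CloudTrail record."""
    ident = record.get("userIdentity", {})
    if ident.get("type") == "AssumedRole":
        # principalId is 'ROLEID:session-name'; the session name is usually the person.
        return ident.get("principalId", "").split(":", 1)[-1] or ident.get("arn")
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def who_changed_it(notification, cloudtrail_log):
    """One dict per relatedEvents entry: the caller, time, source IP and MFA state
    of the matching CloudTrail record, or found=False when the record is not in
    the supplied logs (CloudTrail delivery lags the Config notification)."""
    by_id = {r["eventID"]: r for r in cloudtrail_log.get("Records", [])}
    out = []
    for event_id in notification["configurationItem"].get("relatedEvents", []):
        rec = by_id.get(event_id)
        if rec is None:
            out.append({"eventID": event_id, "found": False})
            continue
        mfa = (rec["userIdentity"].get("sessionContext", {})
               .get("attributes", {}).get("mfaAuthenticated"))
        out.append({"eventID": event_id, "found": True, "eventName": rec.get("eventName"),
                    "who": principal_of(rec), "when": rec.get("eventTime"),
                    "from": rec.get("sourceIPAddress"), "mfa": mfa})
    return out


if __name__ == "__main__":
    for line in changed_attributes(CONFIG_NOTIFICATION):
        print("CHANGED", line)
    for hit in who_changed_it(CONFIG_NOTIFICATION, CLOUDTRAIL_LOG):
        print("CALLER", hit)
```

For the sample, the diff line shows the new port-22 rule being created from nothing, and the join attributes it to the AuthorizeSecurityGroupIngress call made by the role session "alice" from 203.0.113.7 without MFA, while the second related event is flagged as not yet available. In a real investigation the records come from the CloudTrail log files in the trail's S3 bucket for the minutes around the configuration item's capture time.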
Summary
In this chapter, you learned about additional key AWS cloud services, many of which will be covered on your AWS Certified Solutions Architect – Associate exam. These services are grouped into four categories of services: storage and content delivery, security, analytics, and DevOps.
In the storage and content delivery group, we covered Amazon CloudFront and AWS Storage Gateway. Amazon CloudFront is a global CDN service. It integrates with other AWS products to give developers and businesses an easy way to distribute content to end users with low latency, high data transfer speeds, and no minimum usage commitments. AWS Storage Gateway is a service that connects an on-premises software appliance with cloud-based storage. It provides seamless and secure integration between an organization's on-premises IT environment and AWS storage infrastructure. The AWS Storage Gateway appliance maintains frequently accessed data on-premises while encrypting and storing all of your data in Amazon S3 or Amazon Glacier.
The services we covered in security focused on Identity Management (AWS Directory Service), Key Management (AWS KMS and AWS CloudHSM), and Audit (AWS CloudTrail). AWS Directory Service is a managed service offering, providing directories that contain information about your organization, including users, groups, computers, and other resources. AWS Directory Service is offered in three types: AWS Directory Service for Microsoft Active Directory (Enterprise Edition), Simple AD, and AD Connector.
Key management is the management of cryptographic keys within a cryptosystem. This includes dealing with the generation, exchange, storage, use, and replacement of keys. AWS KMS is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data. AWS KMS lets you create keys that can never be exported from the service and that can be used to encrypt and decrypt data based on policies you define. AWS CloudHSM helps you meet corporate, contractual, and regulatory compliance requirements for data security by using dedicated HSM appliances within the AWS cloud. An HSM is a hardware appliance that provides secure key storage and cryptographic operations within a tamper-resistant hardware module.
Rounding out the security services is AWS CloudTrail. AWS CloudTrail provides visibility into user activity by recording API calls made on your account. AWS CloudTrail records important information about each API call, including the name of the API, the identity of the caller, the time of the API call, the request parameters, and the response elements returned by the AWS service. This information helps you to track changes made to your AWS resources and to troubleshoot operational issues.
The analytics services covered help you overcome the unique list of challenges associated with big data in today's IT world. Amazon Kinesis is a platform for handling massive streaming data on AWS, offering powerful services to make it easy to load and analyze streaming data and also providing the ability for you to build custom streaming data applications for specialized needs. Amazon EMR provides you with a fully managed, on-demand Hadoop framework. The reduction of complexity and up-front costs combined with the scale of AWS means you can instantly spin up large Hadoop clusters and start processing within minutes.
To supplement the big data challenges, orchestrating data movement comes with its own challenges. AWS Data Pipeline is a web service that helps you reliably process and move data between different AWS compute and storage services, and also on-premises data sources, at specified intervals. With AWS Data Pipeline, you can regularly access your data where it's stored, transform and process it at scale, and efficiently transfer the results to AWS services such as Amazon S3, Amazon RDS, Amazon DynamoDB, and Amazon EMR. Additionally, AWS Import/Export helps when you're faced with the challenge of getting huge data sets into AWS in the first place or retrieving them back to on-premises when necessary. AWS Import/Export is a service that accelerates transferring large amounts of data into and out of AWS using physical storage appliances, bypassing the Internet. The data is copied to a device at the source, shipped via standard shipping mechanisms, and then copied to the destination.
AWS continues to evolve services in support of organizations embracing DevOps. Services such as AWS OpsWorks, AWS CloudFormation, AWS Elastic Beanstalk, and AWS Config are leading the way for DevOps on AWS. AWS OpsWorks provides a configuration management service that helps you configure and operate applications using Chef. AWS OpsWorks works with applications of any level of complexity and is independent of any particular architectural pattern. AWS CloudFormation allows organizations to deploy, modify, and update resources in a controlled and predictable way, in effect applying version control to AWS infrastructure the same way one would do with software. AWS Elastic Beanstalk allows developers to simply upload their application code, and the service automatically handles all of the details such as resource provisioning, load balancing, Auto Scaling, and monitoring. AWS Config delivers a fully managed service that provides you with an AWS resource inventory, configuration history, and configuration change notifications to enable security and governance. With AWS Config, organizations have the information necessary for compliance auditing, security analysis, resource change tracking, and troubleshooting.
The key additional services covered in this chapter will help you form a knowledge base to understand the necessities for the exam. As you continue to grow as a Solutions Architect, diving deeper into the AWS cloud services as a whole will expand your ability to define well-architected solutions across a wide variety of business verticals and use cases.
Exam Essentials
Know the basic use cases for Amazon CloudFront. Know when to use Amazon CloudFront (for popular static and dynamic content with geographically distributed users) and when not to (all users at a single location or connecting through a corporate VPN).
Know how Amazon CloudFront works. Amazon CloudFront optimizes downloads by using geolocation to identify the geographical location of users, then serving and caching content at the edge location closest to each user to maximize performance.
Know how to create an Amazon CloudFront distribution and what types of origins are supported. To create a distribution, you specify an origin and the type of distribution, and Amazon CloudFront creates a new domain name for the distribution. Origins supported include Amazon S3 buckets or static Amazon S3 websites and HTTP servers located in Amazon EC2 or in your own data center.
Know how to use Amazon CloudFront for dynamic content and multiple origins. Understand how to specify multiple origins for different types of content and how to use cache behaviors and path strings to control what content is served by which origin.
Know what mechanisms are available to serve private content through Amazon CloudFront. Amazon CloudFront can serve private content using Amazon S3 Origin Access Identities, signed URLs, and signed cookies.
Know the three configurations of AWS Storage Gateway and their use cases. Gateway-Cached volumes expand your on-premises storage into Amazon S3 and cache frequently used files locally. Gateway-Stored volumes keep all your data available locally at all times and also replicate it asynchronously to Amazon S3. Gateway-VTL enables you to keep your current backup tape software and processes while eliminating physical tapes by storing your data in the cloud.
Understand the value of AWS Directory Service. AWS Directory Service is designed to reduce identity management tasks, thereby allowing you to focus more of your time and resources on your business.
Know the AWS Directory Service directory types. AWS Directory Service offers three directory types:
AWS Directory Service for Microsoft Active Directory (Enterprise Edition), also referred to as Microsoft AD
Simple AD
AD Connector
Know when you should use AWS Directory Service for Microsoft Active Directory. You should use Microsoft AD if you have more than 5,000 users or need a trust relationship set up between an AWS hosted directory and your on-premises directories.
Understand key management. Key management is the management of cryptographic keys within a cryptosystem. This includes dealing with the generation, exchange, storage, use,
![Page 365: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us](https://reader034.fdocuments.in/reader034/viewer/2022051903/5ff3f0af59eac925a1655b52/html5/thumbnails/365.jpg)
andreplacementofkeys.
Understand when you should use AWS KMS. AWS KMS is a managed service that makes it easy for you to create and control the symmetric encryption keys used to encrypt your data. AWS KMS lets you create keys that can never be exported from the service and which can be used to encrypt and decrypt data based on policies you define.
Understand when you should use AWS CloudHSM. AWS CloudHSM helps you meet corporate, contractual, and regulatory compliance requirements for data security by using dedicated hardware security module appliances within the AWS cloud.
Understand the value of AWS CloudTrail. AWS CloudTrail provides visibility into user activity by recording API calls made on your account. This helps you to track changes made to your AWS resources and to troubleshoot operational issues. AWS CloudTrail makes it easier to ensure compliance with internal policies and regulatory standards.
Know the three services of Amazon Kinesis and their use cases. Amazon Kinesis Firehose allows you to load massive volumes of streaming data into AWS. Amazon Kinesis Analytics enables you to easily analyze streaming data in real time with standard SQL. Amazon Kinesis Streams enables you to build custom applications that process or analyze streaming data in real time for specialized needs.
Know what service Amazon EMR provides. Amazon EMR provides a managed Hadoop service on AWS that allows you to spin up large Hadoop clusters in minutes.
Know the difference between persistent and transient clusters. Persistent clusters run continuously, so they do not lose data stored on instance-based HDFS. Transient clusters are launched for a specific task, then terminated, so they access data on Amazon S3 via EMRFS.
Know the use cases for Amazon EMR. Amazon EMR is useful for big data analytics in virtually any industry, including, but not limited to, log processing, clickstream analysis, and genomics and life sciences.
Know the use cases for AWS Data Pipeline. AWS Data Pipeline can manage batch ETL processes at scale on the cloud, accessing data both in AWS and on-premises. It can take advantage of AWS cloud services by spinning up resources required for the process, such as Amazon EC2 instances or Amazon EMR clusters.
Know the types of AWS import/export services and the possible sources/destinations of each. AWS Snowball is an Amazon-supplied appliance that ships ready to use. It can transfer data to and from your on-premises storage and to and from Amazon S3. AWS Import/Export Disk uses your own storage devices and, in addition to transferring data in and out of your on-premises storage, can import data to Amazon S3, Amazon EBS, and Amazon Glacier; it can only export data from Amazon S3.
Understand the basics of AWS OpsWorks. AWS OpsWorks is a configuration management service that helps you configure and operate applications of all shapes and sizes using Chef. You can define an application's architecture and the specification of each component, including package installation, software configuration, and resources such as storage.
Understand the value of AWS CloudFormation. AWS CloudFormation is a service that helps you model and set up your AWS resources. AWS CloudFormation allows organizations to deploy, modify, and update resources in a controlled and predictable way, in effect applying version control to AWS infrastructure the same way you would do with software.
Understand the value of AWS Elastic Beanstalk. AWS Elastic Beanstalk is the fastest and simplest way to get an application up and running on AWS. Developers can simply upload their application code, and the service automatically handles all the details such as resource provisioning, load balancing, Auto Scaling, and monitoring.
Understand the components of AWS Elastic Beanstalk. An AWS Elastic Beanstalk application is the logical collection of environments, versions, and environment configurations. In AWS Elastic Beanstalk, an application is conceptually similar to a folder.
Understand the value of AWS Config. AWS Config is a fully managed service that provides organizations with an AWS resource inventory, configuration history, and configuration change notifications to enable security and governance. With AWS Config, organizations can discover existing and deleted AWS resources, determine their overall compliance against rules, and dive into configuration details of a resource at any point in time. These capabilities enable compliance auditing, security analysis, resource change tracking, and troubleshooting.
Review Questions
1. What origin servers are supported by Amazon CloudFront? (Choose 3 answers)
A. An Amazon Route 53 Hosted Zone
B. An Amazon Simple Storage Service (Amazon S3) bucket
C. An HTTP server running on Amazon Elastic Compute Cloud (Amazon EC2)
D. An Amazon EC2 Auto Scaling Group
E. An HTTP server running on-premises
2. Which of the following are good use cases for Amazon CloudFront? (Choose 2 answers)
A. A popular software download site that supports users around the world, with dynamic content that changes rapidly
B. A corporate website that serves training videos to employees. Most employees are located in two corporate campuses in the same city.
C. A heavily used video and music streaming service that requires content to be delivered only to paid subscribers
D. A corporate HR website that supports a global workforce. Because the site contains sensitive data, all users must connect through a corporate Virtual Private Network (VPN).
3. You have a web application that contains both static content in an Amazon Simple Storage Service (Amazon S3) bucket—primarily images and CSS files—and also dynamic content currently served by a PHP web app running on Amazon Elastic Compute Cloud (Amazon EC2). What features of Amazon CloudFront can be used to support this application with a single Amazon CloudFront distribution? (Choose 2 answers)
A. Multiple Origin Access Identifiers
B. Multiple signed URLs
C. Multiple origins
D. Multiple edge locations
E. Multiple cache behaviors
4. You are building a media-sharing web application that serves video files to end users on both PCs and mobile devices. The media files are stored as objects in an Amazon Simple Storage Service (Amazon S3) bucket, but are to be delivered through Amazon CloudFront. What is the simplest way to ensure that only Amazon CloudFront has access to the objects in the Amazon S3 bucket?
A. Create Signed URLs for each Amazon S3 object.
B. Use an Amazon CloudFront Origin Access Identifier (OAI).
C. Use public and private keys with signed cookies.
D. Use an AWS Identity and Access Management (IAM) bucket policy.
5. Your company data center is completely full, but the sales group has determined a need to store 200TB of product video. The videos were created over the last several years, with the most recent being accessed by sales the most often. The data must be accessed locally, but there is no space in the data center to install local storage devices to store this data. What AWS cloud service will meet sales' requirements?
A. AWS Storage Gateway Gateway-Stored volumes
B. Amazon Elastic Compute Cloud (Amazon EC2) instances with attached Amazon EBS Volumes
C. AWS Storage Gateway Gateway-Cached volumes
D. AWS Import/Export Disk
6. Your company wants to extend their existing Microsoft Active Directory capability into an Amazon Virtual Private Cloud (Amazon VPC) without establishing a trust relationship with the existing on-premises Active Directory. Which of the following is the best approach to achieve this goal?
A. Create and connect an AWS Directory Service AD Connector.
B. Create and connect an AWS Directory Service Simple AD.
C. Create and connect an AWS Directory Service for Microsoft Active Directory (Enterprise Edition).
D. None of the above
7. Which of the following are AWS Key Management Service (AWS KMS) keys that will never exit AWS unencrypted?
A. AWS KMS data keys
B. Envelope encryption keys
C. AWS KMS Customer Master Keys (CMKs)
D. A and C
8. Which cryptographic method is used by AWS Key Management Service (AWS KMS) to encrypt data?
A. Password-based encryption
B. Asymmetric
C. Shared secret
D. Envelope encryption
9. Which AWS service records Application Program Interface (API) calls made on your account and delivers log files to your Amazon Simple Storage Service (Amazon S3) bucket?
A. AWS CloudTrail
B. Amazon CloudWatch
C. Amazon Kinesis
D. AWS Data Pipeline
10. You are trying to decrypt ciphertext with AWS KMS and the decryption operation is failing. Which of the following are possible causes? (Choose 2 answers)
A. The private key does not match the public key in the ciphertext.
B. The plaintext was encrypted along with an encryption context, and you are not providing the identical encryption context when calling the Decrypt API.
C. The ciphertext you are trying to decrypt is not valid.
D. You are not providing the correct symmetric key to the Decrypt API.
11. Your company has 30 years of financial records that take up 15TB of on-premises storage. It is regulated that you maintain these records, but in the year you have worked for the company no one has ever requested any of this data. Given that the company data center is already filling the bandwidth of its Internet connection, what is an alternative way to store the data on the most appropriate cloud storage?
A. AWS Import/Export to Amazon Simple Storage Service (Amazon S3)
B. AWS Import/Export to Amazon Glacier
C. Amazon Kinesis
D. Amazon Elastic MapReduce (AWS EMR)
12. Your company collects information from the point-of-sale registers at all of its franchise locations. Each month these processes collect 200TB of information stored in Amazon Simple Storage Service (Amazon S3). Analytics jobs taking 24 hours are performed to gather knowledge from this data. Which of the following will allow you to perform these analytics in a cost-effective way?
A. Copy the data to a persistent Amazon Elastic MapReduce (Amazon EMR) cluster, and run the MapReduce jobs.
B. Create an application that reads the information off the Amazon S3 bucket and runs it through an Amazon Kinesis stream.
C. Run a transient Amazon EMR cluster, and run the MapReduce jobs against the data directly in Amazon S3.
D. Launch a d2.8xlarge (32 vCPU, 244GB RAM) Amazon Elastic Compute Cloud (Amazon EC2) instance, and run an application to read and process each object sequentially.
13. Which service allows you to process nearly limitless streams of data in flight?
A. Amazon Kinesis Firehose
B. Amazon Elastic MapReduce (Amazon EMR)
C. Amazon Redshift
D. Amazon Kinesis Streams
14. What combination of services enables you to copy 50TB of data daily to Amazon storage, process the data in Hadoop, and store the results in a large data warehouse?
A. Amazon Kinesis, Amazon Data Pipeline, Amazon Elastic MapReduce (Amazon EMR), and Amazon Elastic Compute Cloud (Amazon EC2)
B. Amazon Elastic Block Store (Amazon EBS), Amazon Data Pipeline, Amazon EMR, and Amazon Redshift
C. Amazon Simple Storage Service (Amazon S3), Amazon Data Pipeline, Amazon EMR, and Amazon Redshift
D. Amazon S3, Amazon Simple Workflow, Amazon EMR, and Amazon DynamoDB
15. Your company has 50,000 weather stations around the country that send updates every 2 seconds. What service will enable you to ingest this stream of data and store it to Amazon Simple Storage Service (Amazon S3) for future processing?
A. Amazon Simple Queue Service (Amazon SQS)
B. Amazon Kinesis Firehose
C. Amazon Elastic Compute Cloud (Amazon EC2)
D. Amazon Data Pipeline
16. Your organization uses Chef heavily for its deployment automation. What AWS cloud service provides integration with Chef recipes to start new application server instances, configure application server software, and deploy applications?
A. AWS Elastic Beanstalk
B. Amazon Kinesis
C. AWS OpsWorks
D. AWS CloudFormation
17. A firm is moving its testing platform to AWS to provide developers with instant access to clean test and development environments. The primary requirement for the firm is to make environments easily reproducible and fungible. What service will help the firm meet their requirements?
A. AWS CloudFormation
B. AWS Config
C. Amazon Redshift
D. AWS Trusted Advisor
18. Your company's IT management team is looking for an online tool to provide recommendations to save money, improve system availability and performance, and to help close security gaps. What can help the management team?
A. Cloud-init
B. AWS Trusted Advisor
C. AWS Config
D. Configuration Recorder
19. Your company works with data that requires frequent audits of your AWS environment to ensure compliance with internal policies and best practices. In order to perform these audits, you need access to historical configurations of your resources to evaluate relevant configuration changes. Which service will provide the necessary information for your audits?
A. AWS Config
B. AWS Key Management Service (AWS KMS)
C. AWS CloudTrail
D. AWS OpsWorks
20. All of the website deployments are currently done by your company's development team. With a surge in website popularity, the company is looking for ways to be more agile with deployments. What AWS cloud service can help the developers focus more on writing code instead of spending time managing and configuring servers, databases, load balancers, firewalls, and networks?
A. AWS Config
B. AWS Trusted Advisor
C. Amazon Kinesis
D. AWS Elastic Beanstalk
Chapter 12 Security on AWS
THE AWS CERTIFIED SOLUTIONS ARCHITECT EXAM TOPICS COVERED IN THIS CHAPTER MAY INCLUDE, BUT ARE NOT LIMITED TO, THE FOLLOWING:
Domain 3.0: Data Security
3.1 Recognize and implement secure practices for optimum cloud deployment and maintenance.
Content may include the following:
AWS shared responsibility model
AWS platform compliance
AWS security attributes (customer workloads down to physical layer)
AWS administration and security services
AWS Identity and Access Management (IAM)
Amazon Virtual Private Cloud (Amazon VPC)
AWS CloudTrail
Ingress vs. egress filtering, and which AWS services and features fit
Core Amazon Elastic Compute Cloud (Amazon EC2) and Amazon Simple Storage Service (Amazon S3) security feature sets
Incorporating common conventional security products (Firewall, Virtual Private Network [VPN])
Denial of Service (DoS) mitigation
Encryption solutions (e.g., key services)
Complex access controls (building sophisticated security groups, Access Control Lists [ACLs], etc.)
Introduction
Cloud security is the first priority at AWS. All AWS customers benefit from a data center and network architecture that is built to satisfy the requirements of the most security-sensitive organizations. AWS and its partners offer tools and features to help you meet your security objectives around visibility, auditability, controllability, and agility. This means that you can have the security you need, but without the capital outlay and at a much lower operational overhead than in an on-premises or a traditional data center environment. This chapter will cover the relevant security topics that are within scope of the AWS Certified Solutions Architect – Associate exam.
Shared Responsibility Model
Before we go into the details of how AWS secures its resources, we should talk about how security in the cloud is slightly different than security in your on-premises data centers. When you move computer systems and data to the cloud, security responsibilities become shared between you and your cloud service provider. In this case, AWS is responsible for securing the underlying infrastructure that supports the cloud, and you're responsible for anything you put on the cloud or connect to the cloud. This shared responsibility model can reduce your operational burden in many ways, and in some cases it may even improve your default security posture without additional action on your part. Figure 12.1 illustrates AWS responsibilities versus those of the customer. Essentially, AWS is responsible for security of the cloud, and customers are responsible for security in the cloud.
FIGURE 12.1 The shared responsibility model
AWS Compliance Program
AWS compliance enables customers to understand the robust controls in place at AWS to maintain security and data protection in the cloud. As you build systems on top of AWS Cloud infrastructure, you share compliance responsibilities with AWS. By tying together governance-focused, audit-friendly service features with applicable compliance or audit standards, AWS compliance enablers build on traditional programs, helping you to establish and operate in an AWS security control environment. The IT infrastructure that AWS provides is designed and managed in alignment with security best practices and a variety of IT security standards, including (at the time of this writing):
Service Organization Control (SOC) 1/Statement on Standards for Attestation Engagements (SSAE) 16/International Standards for Assurance Engagements No. 3402 (ISAE 3402) (formerly Statement on Auditing Standards [SAS] 70)
SOC 2
SOC 3
Federal Information Security Management Act (FISMA), Department of Defense (DoD) Information Assurance Certification and Accreditation Process (DIACAP), and Federal Risk and Authorization Management Program (FedRAMP)
DoD Cloud Computing Security Requirements Guide (SRG) Levels 2 and 4
Payment Card Industry Data Security Standard (PCI DSS) Level 1
International Organization for Standardization (ISO) 9001 and ISO 27001
International Traffic in Arms Regulations (ITAR)
Federal Information Processing Standard (FIPS) 140-2
In addition, the flexibility and control that the AWS platform provides allows customers to deploy solutions that meet several industry-specific standards, including:
Criminal Justice Information Services (CJIS)
Cloud Security Alliance (CSA)
Family Educational Rights and Privacy Act (FERPA)
Health Insurance Portability and Accountability Act (HIPAA)
Motion Picture Association of America (MPAA)
AWS provides a wide range of information regarding its IT control environment to customers through whitepapers, reports, certifications, accreditations, and other third-party attestations. To aid in preparation for your AWS Certified Solutions Architect Associate exam, see Chapter 13, "AWS Risk and Compliance." More information is available in the "AWS Risk and Compliance" whitepaper available on the AWS website.
AWS Global Infrastructure Security
AWS operates the global cloud infrastructure that you use to provision a variety of basic computing resources such as processing and storage. The AWS global infrastructure includes the facilities, network, hardware, and operational software (for example, host operating system and virtualization software) that support the provisioning and use of these resources. The AWS global infrastructure is designed and managed according to security best practices as well as a variety of security compliance standards. As an AWS customer, you can be assured that you're building web architectures on top of some of the most secure computing infrastructure in the world.
Physical and Environmental Security
AWS data centers are state of the art, using innovative architectural and engineering approaches. Amazon has many years of experience in designing, constructing, and operating large-scale data centers. This experience has been applied to the AWS platform and infrastructure. AWS data centers are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff using video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.
AWS only provides data center access and information to employees and contractors who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if they continue to be an employee of Amazon or AWS. All physical access to data centers by AWS employees is logged and audited routinely.
Fire Detection and Suppression
AWS data centers have automatic fire detection and suppression equipment to reduce risk. The fire detection system uses smoke detection sensors in all data center environments, mechanical and electrical infrastructure spaces, chiller rooms, and generator equipment rooms. These areas are protected by wet-pipe, double-interlocked pre-action, or gaseous sprinkler systems.
Power
AWS data center electrical power systems are designed to be fully redundant and maintainable without impact to operations, 24 hours a day, 7 days a week. Uninterruptible Power Supply (UPS) units provide backup power in the event of an electrical failure for critical and essential loads in the facility. AWS data centers use generators to provide backup power for the entire facility.
Climate and Temperature
Climate control is required to maintain a constant operating temperature for servers and other hardware, which prevents overheating and reduces the possibility of service outages.
AWS data centers are built to maintain atmospheric conditions at optimal levels. Personnel and systems monitor and control temperature and humidity at appropriate levels.
Management
AWS monitors electrical, mechanical, and life support systems and equipment so that any issues are immediately identified. AWS staff performs preventative maintenance to maintain the continued operability of equipment.
Storage Device Decommissioning
When a storage device has reached the end of its useful life, AWS procedures include a decommissioning process that is designed to prevent customer data from being exposed to unauthorized individuals.
Business Continuity Management
Amazon's infrastructure has a high level of availability and provides customers with the features to deploy a resilient IT architecture. AWS has designed its systems to tolerate system or hardware failures with minimal customer impact. Data center Business Continuity Management at AWS is under the direction of the Amazon Infrastructure Group.
Availability
Data centers are built in clusters in various global regions. All data centers are online and serving customers; no data center is "cold." In case of failure, automated processes move data traffic away from the affected area. Core applications are deployed in an N+1 configuration, so that in the event of a data center failure, there is sufficient capacity to enable traffic to be load-balanced to the remaining sites.
AWS provides its customers with the flexibility to place instances and store data within multiple geographic regions and also across multiple Availability Zones within each region. Each Availability Zone is designed as an independent failure zone. This means that Availability Zones are physically separated within a typical metropolitan region and are located in lower-risk flood plains (specific flood zone categorization varies by region). In addition to having discrete UPS and on-site backup generation facilities, they are each fed via different grids from independent utilities to further reduce single points of failure. Availability Zones are all redundantly connected to multiple tier-1 transit providers. Figure 12.2 illustrates how AWS regions are comprised of Availability Zones.
FIGURE 12.2 Amazon Web Services regions
You should architect your AWS usage to take advantage of multiple regions and Availability Zones. Distributing applications across multiple Availability Zones provides the ability to remain resilient in the face of most failure modes, including natural disasters or system failures.
Incident Response
The Amazon Incident Management team employs industry-standard diagnostic procedures to drive resolution during business-impacting events. Staff operators provide 24×7×365 coverage to detect incidents and to manage the impact and resolution.
Communication
AWS has implemented various methods of internal communication at a global level to help employees understand their individual roles and responsibilities and to communicate significant events in a timely manner. These methods include orientation and training programs for newly hired employees, regular management meetings for updates on business performance and other matters, and electronic means such as video conferencing, electronic mail messages, and the posting of information via the Amazon intranet.
AWS has also implemented various methods of external communication to support its customer base and the community. Mechanisms are in place to allow the customer support team to be notified of operational issues that impact the customer experience. A Service Health Dashboard is available and maintained by the customer support team to alert customers to any issues that may be of broad impact. The AWS Security Center is available to provide you with security and compliance details about AWS. Customers can also subscribe to AWS Support offerings that include direct communication with the customer support team and proactive alerts to any customer-impacting issues.
Network Security
The AWS network has been architected to permit you to select the level of security and resiliency appropriate for your workload. To enable you to build geographically dispersed, fault-tolerant web architectures with cloud resources, AWS has implemented a world-class network infrastructure that is carefully monitored and managed.
Secure Network Architecture
Network devices, including firewall and other boundary devices, are in place to monitor and control communications at the external boundary of the network and at key internal boundaries within the network. These boundary devices employ rule sets, access control lists (ACLs), and configurations to enforce the flow of information to specific information system services.
ACLs, or traffic flow policies, are established on each managed interface, which manage and enforce the flow of traffic. ACL policies are approved by Amazon Information Security. These policies are automatically pushed to ensure these managed interfaces enforce the most up-to-date ACLs.
Secure Access Points
AWS has strategically placed a limited number of access points to the cloud to allow for more comprehensive monitoring of inbound and outbound communications and network traffic. These customer access points are called Application Programming Interface (API) endpoints, and they permit secure HTTP access (HTTPS), which allows you to establish a secure communication session with your storage or compute instances within AWS. To support customers with Federal Information Processing Standard (FIPS) cryptographic requirements, the Secure Sockets Layer (SSL)-terminating load balancers in AWS GovCloud (US) are FIPS 140-2 compliant.
In addition, AWS has implemented network devices that are dedicated to managing interfacing communications with Internet Service Providers (ISPs). AWS employs a redundant connection to more than one communication service at each Internet-facing edge of the AWS network. These connections each have dedicated network devices.
Transmission Protection
You can connect to an AWS access point via HTTP or HTTPS using SSL, a cryptographic protocol that is designed to protect against eavesdropping, tampering, and message forgery. For customers who require additional layers of network security, AWS offers the Amazon Virtual Private Cloud (Amazon VPC) (as referenced in Chapter 4, "Amazon Virtual Private Cloud (Amazon VPC)"), which provides a private subnet within the AWS Cloud and the ability to use an IPsec Virtual Private Network (VPN) device to provide an encrypted tunnel between the Amazon VPC and your data center.
Network Monitoring and Protection
The AWS network provides significant protection against traditional network security issues, and you can implement further protection. The following are a few examples:
Distributed Denial of Service (DDoS) Attacks
AWS API endpoints are hosted on a large, Internet-scale, world-class infrastructure that benefits from the same engineering expertise that has built Amazon into the world's largest online retailer. Proprietary DDoS mitigation techniques are used. Additionally, AWS networks are multi-homed across a number of providers to achieve Internet access diversity.
Man in the Middle (MITM) Attacks
All of the AWS APIs are available via SSL-protected endpoints that provide server authentication. Amazon Elastic Compute Cloud (Amazon EC2) AMIs automatically generate new Secure Shell (SSH) host certificates on first boot and log them to the instance's console. You can then use the secure APIs to call the console and access the host certificates before logging into the instance for the first time. AWS encourages you to use SSL for all of your interactions.
IP Spoofing
Amazon EC2 instances cannot send spoofed network traffic. The AWS-controlled, host-based firewall infrastructure will not permit an instance to send traffic with a source IP or Media Access Control (MAC) address other than its own.
Port Scanning
Unauthorized port scans by Amazon EC2 customers are a violation of the AWS Acceptable Use Policy. Violations of the AWS Acceptable Use Policy are taken seriously, and every reported violation is investigated. Customers can report suspected abuse via the contacts available on the AWS website. When unauthorized port scanning is detected by AWS, it is stopped and blocked. Port scans of Amazon EC2 instances are generally ineffective because, by default, all inbound ports on Amazon EC2 instances are closed and are only opened by the customer. Strict management of security groups can further mitigate the threat of port scans. If you configure the security group to allow traffic from any source to a specific port, that specific port will be vulnerable to a port scan. In these cases, you must use appropriate security measures to protect listening services that may be essential to your application from being discovered by an unauthorized port scan. For example, a web server must clearly have port 80 (HTTP) open to the world, and the administrator of this server is responsible for the security of the HTTP server software, such as Apache. You may request permission to conduct vulnerability scans as required to meet your specific compliance requirements. These scans must be limited to your own instances and must not violate the AWS Acceptable Use Policy. Advance approval for these types of scans can be initiated by submitting a request via the AWS website.
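An audit of the "open to any source" case described above, as an added example that is not from the study guide: it walks a security group's ingress rules and reports every port range reachable from 0.0.0.0/0 or ::/0 that is not on an explicit allow-list of ports the service is meant to expose (port 80 for the web server in the text). The group is a constructed sample assumed to be shaped like the EC2 DescribeSecurityGroups response (IpPermissions with IpProtocol, FromPort, ToPort, IpRanges, Ipv6Ranges); it is not real data.

```python
"""Flag security group ingress rules that expose ports to the whole Internet."""
import ipaddress

# Constructed sample, shaped like one entry of DescribeSecurityGroups.
# "-1" as IpProtocol means all traffic and carries no FromPort/ToPort.
SAMPLE_GROUP = {
    "GroupId": "sg-0example",
    "GroupName": "web-tier",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "temporary"}],
         "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1",
         "IpRanges": [{"CidrIp": "10.0.1.0/24"}], "Ipv6Ranges": []},
        {"IpProtocol": "udp", "FromPort": 1024, "ToPort": 65535,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ],
}


def _world_sources(permission):
    """Yield the CIDR sources of one rule that cover every address (a /0)."""
    cidrs = [r["CidrIp"] for r in permission.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in permission.get("Ipv6Ranges", [])]
    for cidr in cidrs:
        if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
            yield cidr


def _port_range(permission):
    """(low, high) ports for a rule; all traffic ("-1") means every port.
    For icmp the two fields are type/code, which the same check still flags."""
    if permission["IpProtocol"] == "-1":
        return (0, 65535)
    return (permission.get("FromPort", 0), permission.get("ToPort", 65535))


def world_open_findings(group, allowed_tcp=(80, 443)):
    """Return (protocol, low_port, high_port, cidr) for every rule reachable
    from any source, skipping single TCP ports on the allow-list.

    A group with no ingress rules (the EC2 default of all inbound ports
    closed) produces no findings.
    """
    findings = []
    for perm in group.get("IpPermissions", []):
        proto = perm["IpProtocol"]
        low, high = _port_range(perm)
        if proto == "tcp" and low == high and low in allowed_tcp:
            continue  # intentionally public, e.g. the web server's port 80
        for cidr in _world_sources(perm):
            findings.append((proto, low, high, cidr))
    return findings


def report(group, allowed_tcp=(80, 443)):
    """One human-readable line per finding, for a review or a CI gate."""
    lines = []
    for proto, low, high, cidr in world_open_findings(group, allowed_tcp):
        ports = "all ports" if (low, high) == (0, 65535) else (
            str(low) if low == high else f"{low}-{high}")
        lines.append(f"{group['GroupId']} ({group['GroupName']}): "
                     f"{proto} {ports} open to {cidr}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_GROUP):
        print(line)
```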
Packet Sniffing by Other Tenants
While you can place your interfaces into promiscuous mode, the hypervisor will not deliver any traffic to them that is not addressed to them. Even two virtual instances that are owned by the same customer located on the same physical host cannot listen to each other's traffic. While Amazon EC2 does provide ample protection against one customer inadvertently or maliciously attempting to view another customer's data, as a standard practice you should encrypt sensitive traffic.

It is not possible for a virtual instance running in promiscuous mode to receive or "sniff" traffic that is intended for a different virtual instance.

Attacks such as Address Resolution Protocol (ARP) cache poisoning do not work within Amazon EC2 and Amazon VPC.
AWS Account Security Features
AWS provides a variety of tools and features that you can use to keep your AWS account and resources safe from unauthorized use. This includes credentials for access control, HTTPS endpoints for encrypted data transmission, the creation of separate AWS Identity and Access Management (IAM) user accounts, and user activity logging for security monitoring. You can take advantage of all of these security tools no matter which AWS services you select.

AWS Credentials
To help ensure that only authorized users and processes access your AWS account and resources, AWS uses several types of credentials for authentication. These include passwords, cryptographic keys, digital signatures, and certificates. AWS also provides the option of requiring Multi-Factor Authentication (MFA) to log in to your AWS Account or IAM user accounts. Table 12.1 highlights the various AWS credentials and their uses.
TABLE 12.1 AWS Credentials

| Credential Type | Use | Description |
|---|---|---|
| Passwords | AWS root account or IAM user account login to the AWS Management Console | A string of characters used to log in to your AWS account or IAM account. AWS passwords must be a minimum of 6 characters and may be up to 128 characters. |
| Multi-Factor Authentication (MFA) | AWS root account or IAM user account login to the AWS Management Console | A six-digit, single-use code that is required in addition to your password to log in to your AWS account or IAM user account. |
| Access Keys | Digitally signed requests to AWS APIs (using the AWS Software Development Kit [SDK], Command Line Interface [CLI], or REST/Query APIs) | Includes an access key ID and a secret access key. You use access keys to digitally sign programmatic requests that you make to AWS. |
| Key Pairs | SSH login to Amazon EC2 instances; Amazon CloudFront signed URLs | A key pair is required to connect to an Amazon EC2 instance launched from a public AMI. The keys that Amazon EC2 uses are 1024-bit SSH-2 RSA keys. You can have a key pair generated automatically for you when you launch the instance, or you can upload your own. |
| X.509 Certificates | Digitally signed SOAP requests to AWS APIs; SSL server certificates for HTTPS | X.509 certificates are only used to sign SOAP-based requests (currently used only with Amazon Simple Storage Service [Amazon S3]). You can have AWS create an X.509 certificate and private key that you can download, or you can upload your own certificate by using the Security Credentials page. |
For security reasons, if your credentials have been lost or forgotten, you cannot recover them or re-download them. However, you can create new credentials and then disable or delete the old set of credentials. In fact, AWS recommends that you change (rotate) your access keys and certificates on a regular basis. To help you do this without potential impact to your application's availability, AWS supports multiple concurrent access keys and certificates. With this feature, you can rotate keys and certificates into and out of operation on a regular basis without any downtime to your application. This can help to mitigate risk from lost or compromised access keys or certificates.

The AWS IAM API enables you to rotate the access keys of your AWS account and also for IAM user accounts.

Passwords
Passwords are required to access your AWS Account, individual IAM user accounts, AWS Discussion Forums, and the AWS Support Center. You specify the password when you first create the account, and you can change it at any time by going to the Security Credentials page. AWS passwords can be up to 128 characters long and contain special characters, giving you the ability to create very strong passwords.

You can set a password policy for your IAM user accounts to ensure that strong passwords are used and that they are changed often. A password policy is a set of rules that define the type of password an IAM user can set.
AWS Multi-Factor Authentication (AWS MFA)
AWS MFA is an additional layer of security for accessing AWS Cloud services. When you enable this optional feature, you will need to provide a six-digit, single-use code in addition to your standard user name and password credentials before access is granted to your AWS account settings or AWS Cloud services and resources. You get this single-use code from an authentication device that you keep in your physical possession. This is MFA because more than one authentication factor is checked before access is granted: a password (something you know) and the precise code from your authentication device (something you have). You can enable MFA devices for your AWS account and for the users you have created under your AWS account with AWS IAM. In addition, you can add MFA protection for access across AWS accounts, for when you want to allow a user you've created under one AWS account to use an IAM role to access resources under another AWS account. You can require the user to use MFA before assuming the role as an additional layer of security.

AWS MFA supports the use of both hardware tokens and virtual MFA devices. Virtual MFA devices use the same protocols as the physical MFA devices, but can run on any mobile hardware device, including a smartphone. A virtual MFA device uses a software application that generates six-digit authentication codes that are compatible with the Time-Based One-Time Password (TOTP) standard, as described in RFC 6238. Most virtual MFA applications allow you to host more than one virtual MFA device, which makes them more convenient than hardware MFA devices. However, you should be aware that because a virtual MFA may be run on a less secure device such as a smartphone, a virtual MFA might not provide the same level of security as a hardware MFA device.
You can also enforce MFA authentication for AWS Cloud service APIs in order to provide an extra layer of protection over powerful or privileged actions such as terminating Amazon EC2 instances or reading sensitive data stored in Amazon S3. You do this by adding an MFA requirement to an IAM access policy. You can attach these access policies to IAM users, IAM groups, or resources that support ACLs like Amazon S3 buckets, Amazon Simple Queue Service (Amazon SQS) queues, and Amazon Simple Notification Service (Amazon SNS) topics.
Access Keys
Access keys are created by AWS IAM and delivered as a pair: the Access Key ID (AKI) and the Secret Access Key (SAK). AWS requires that all API requests be signed by the SAK; that is, they must include a digital signature that AWS can use to verify the identity of the requestor. You calculate the digital signature using a cryptographic hash function. If you use any of the AWS SDKs to generate requests, the digital signature calculation is done for you.

Not only does the signing process help protect message integrity by preventing tampering with the request while it is in transit, but it also helps protect against potential replay attacks. A request must reach AWS within 15 minutes of the timestamp in the request. Otherwise, AWS denies the request.

The most recent version of the digital signature calculation process at the time of this writing is Signature Version 4, which calculates the signature using the Hashed Message Authentication Mode (HMAC)-Secure Hash Algorithm (SHA)-256 protocol. Version 4 provides an additional measure of protection over previous versions by requiring that you sign the message using a key that is derived from your SAK instead of using the SAK itself. In addition, you derive the signing key based on credential scope, which facilitates cryptographic isolation of the signing key.
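The two Signature Version 4 properties just described, a signing key derived from the SAK through the credential scope and a 15-minute freshness window on the request timestamp, are easy to see in code. The block below is an added example written for this page, not AWS SDK code: it derives the scoped key with the HMAC chain SigV4 specifies, signs a constructed canonical request, and shows the verifier's side, which rejects a stale timestamp before it even compares signatures. The secret key is a constructed placeholder in the style of the AWS documentation examples, not a real credential, and the canonical request is a constructed IAM ListUsers call.

```python
"""Signature Version 4 key derivation and request signing, plus the verifier's 15-minute
freshness check. Added example; standard library only. The secret and the canonical
request are constructed sample values, not live credentials."""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

ALGORITHM = "AWS4-HMAC-SHA256"
MAX_SKEW = timedelta(minutes=15)


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret_access_key: str, date_stamp: str, region: str, service: str) -> bytes:
    """The SAK never signs a request directly. It is stretched through the credential scope
    (date, region, service, terminator) so a leaked signing key is only usable for that
    one day, region and service."""
    k_date = _hmac_sha256(("AWS4" + secret_access_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def credential_scope(date_stamp: str, region: str, service: str) -> str:
    return f"{date_stamp}/{region}/{service}/aws4_request"


def string_to_sign(amz_date: str, scope: str, canonical_request: str) -> str:
    hashed = hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()
    return "\n".join([ALGORITHM, amz_date, scope, hashed])


def compute_signature(secret_access_key, amz_date, region, service, canonical_request) -> str:
    """Signer side: derive the scoped key, then HMAC-SHA256 the string to sign."""
    date_stamp = amz_date[:8]
    key = derive_signing_key(secret_access_key, date_stamp, region, service)
    sts = string_to_sign(amz_date, credential_scope(date_stamp, region, service), canonical_request)
    return hmac.new(key, sts.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_signature(secret_access_key, amz_date, region, service, canonical_request,
                     signature, now_amz_date) -> bool:
    """Verifier side: reject a request timestamped more than 15 minutes from the server
    clock (limits replay of a captured request), then recompute and compare in constant time."""
    fmt = "%Y%m%dT%H%M%SZ"
    request_time = datetime.strptime(amz_date, fmt).replace(tzinfo=timezone.utc)
    now = datetime.strptime(now_amz_date, fmt).replace(tzinfo=timezone.utc)
    if abs(now - request_time) > MAX_SKEW:
        return False
    expected = compute_signature(secret_access_key, amz_date, region, service, canonical_request)
    return hmac.compare_digest(expected, signature)


# Constructed sample: a placeholder secret and an IAM ListUsers GET whose signed headers
# are host and x-amz-date. The payload is empty, so its hash is SHA-256 of zero bytes.
SAMPLE_SECRET = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
SAMPLE_DATE = "20150830T123600Z"
SAMPLE_CANONICAL_REQUEST = "\n".join([
    "GET",
    "/",
    "Action=ListUsers&Version=2010-05-08",
    "host:iam.amazonaws.com\nx-amz-date:" + SAMPLE_DATE + "\n",
    "host;x-amz-date",
    hashlib.sha256(b"").hexdigest(),
])

if __name__ == "__main__":
    print(compute_signature(SAMPLE_SECRET, SAMPLE_DATE, "us-east-1", "iam", SAMPLE_CANONICAL_REQUEST))
```

The scope isolation is visible directly: changing the date, region or service in `derive_signing_key` yields an unrelated key, which is why a signing key that leaks from a log or a proxy is worth far less to an attacker than the SAK itself.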
Because access keys can be misused if they fall into the wrong hands, AWS encourages you to save them in a safe place and to not embed them in your code. For customers with large fleets of elastically scaling Amazon EC2 instances, the use of IAM roles can be a more secure and convenient way to manage the distribution of access keys.

IAM roles provide temporary credentials, which not only get automatically loaded to the target instance, but are also automatically rotated multiple times a day.

Amazon EC2 uses an Instance Profile as a container for an IAM role. When you create an IAM role using the AWS Management Console, the console creates an instance profile automatically and gives it the same name as the role to which it corresponds. If you use the AWS CLI, API, or an AWS SDK to create a role, you create the role and instance profile as separate actions, and you might give them different names. To launch an instance with an IAM role, you specify the name of its instance profile. When you launch an instance using the Amazon EC2 console, you can select a role to associate with the instance; however, the list that's displayed is actually a list of instance profile names.

Key pairs
Amazon EC2 supports RSA 2048 SSH keys for gaining first access to an Amazon EC2 instance. On a Linux instance, access is granted through showing possession of the SSH private key. On a Windows instance, access is granted by showing possession of the SSH private key in order to decrypt the administrator password. The public key is embedded in your instance, and you use the private key to sign in securely without a password. After you create your own AMIs, you can choose other mechanisms to log in to your new instances securely. You can have a key pair generated automatically for you when you launch the instance or you can upload your own. Save the private key in a safe place on your system and record the location where you saved it.

For Amazon CloudFront, you use key pairs to create signed URLs for private content, such as when you want to distribute restricted content that someone paid for. You create Amazon CloudFront key pairs by using the Security Credentials page. Amazon CloudFront key pairs can be created only by the root account and cannot be created by IAM users.
X.509 Certificates
X.509 certificates are used to sign SOAP-based requests. X.509 certificates contain a public key that is associated with a private key. When you create a request, you create a digital signature with your private key and then include that signature in the request, along with your certificate. AWS verifies that you're the sender by decrypting the signature with the public key that is in your certificate. AWS also verifies that the certificate that you sent matches the certificate that you uploaded to AWS.

For your AWS account, you can have AWS create an X.509 certificate and private key that you can download, or you can upload your own certificate by using the Security Credentials page. For IAM users, you must create the X.509 certificate (signing certificate) by using third-party software. In contrast to root account credentials, AWS cannot create an X.509 certificate for IAM users. After you create the certificate, you attach it to an IAM user by using IAM.

In addition to SOAP requests, X.509 certificates are used as SSL/Transport Layer Security (TLS) server certificates for customers who want to use HTTPS to encrypt their transmissions. To use them for HTTPS, you can use an open-source tool like OpenSSL to create a unique private key. You'll need the private key to create the Certificate Signing Request (CSR) that you submit to a Certificate Authority (CA) to obtain the server certificate. You'll then use the AWS CLI to upload the certificate, private key, and certificate chain to IAM.

You will also need an X.509 certificate to create a customized Linux AMI for Amazon EC2 instances. The certificate is only required to create an instance-backed AMI (as opposed to an Amazon Elastic Block Store [Amazon EBS]-backed AMI). You can have AWS create an X.509 certificate and private key that you can download, or you can upload your own certificate by using the Security Credentials page.
AWS CloudTrail
AWS CloudTrail is a web service that records API calls made on your account and delivers log files to your Amazon S3 bucket. AWS CloudTrail's benefit is visibility into account activity by recording API calls made on your account. AWS CloudTrail records the following information about each API call:

The name of the API
The identity of the caller
The time of the API call
The request parameters
The response elements returned by the AWS Cloud service

This information helps you to track changes made to your AWS resources and to troubleshoot operational issues. AWS CloudTrail makes it easier to ensure compliance with internal policies and regulatory standards.
AWS CloudTrail supports log file integrity, which means you can prove to third parties (for example, auditors) that the log file sent by AWS CloudTrail has not been altered. Validated log files are invaluable in security and forensic investigations. This feature is built using industry standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing. This makes it computationally unfeasible to modify, delete, or forge AWS CloudTrail log files without detection.
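The reason modification, deletion and forgery are all detectable is the structure of the validation, not just the hash: each log file's SHA-256 is recorded in a periodic digest, each digest is signed, and each digest also records the signature of the digest before it, forming a chain. The block below is an added example that re-creates that chain over constructed log files so the three failure modes can be exercised; it is not CloudTrail's own validation code. Real CloudTrail signs digests with RSA (SHA-256 with RSA) under a private key only AWS holds and you verify with the published public key; since the Python standard library has no RSA, HMAC-SHA256 under a constructed key stands in for the signature here. File names, contents, times and the key are all constructed.

```python
"""Digest-chain validation in the style of CloudTrail log file integrity. Added example;
standard library only. HMAC-SHA256 under a constructed key stands in for the RSA
signature that the real service applies to each digest file."""
import hashlib
import hmac
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign(key: bytes, body: bytes) -> str:
    return hmac.new(key, body, hashlib.sha256).hexdigest()  # stand-in for RSA signing


def make_digest(end_time: str, log_files: dict, previous_signature, key: bytes):
    """Return (digest_bytes, signature). `log_files` maps object name -> raw log bytes.
    The digest names every log file of the period with its hash and carries the
    signature of the previous digest, which is what chains the periods together."""
    body = {
        "digestEndTime": end_time,
        "previousDigestSignature": previous_signature,
        "logFiles": [{"s3Object": name, "hashValue": sha256_hex(data)}
                     for name, data in sorted(log_files.items())],
    }
    digest_bytes = json.dumps(body, sort_keys=True).encode("utf-8")
    return digest_bytes, sign(key, digest_bytes)


def verify_chain(digests, store: dict, key: bytes):
    """digests: [(digest_bytes, signature), ...] oldest first; store: object name -> bytes
    as found in the bucket now. Returns (True, "ok") or (False, reason)."""
    expected_previous = None
    for i, (digest_bytes, signature) in enumerate(digests):
        if not hmac.compare_digest(sign(key, digest_bytes), signature):
            return False, f"digest {i}: signature invalid"        # forged or edited digest
        body = json.loads(digest_bytes)
        if body["previousDigestSignature"] != expected_previous:
            return False, f"digest {i}: chain broken"             # a digest was removed or inserted
        for entry in body["logFiles"]:
            data = store.get(entry["s3Object"])
            if data is None:
                return False, f"digest {i}: log file {entry['s3Object']} missing"
            if not hmac.compare_digest(sha256_hex(data), entry["hashValue"]):
                return False, f"digest {i}: log file {entry['s3Object']} modified"
        expected_previous = signature
    return True, "ok"


def build_demo():
    """Two hourly digests over three constructed log files."""
    key = b"constructed-demo-signing-key"
    store = {
        "log-0001.json": b'{"eventName":"RunInstances","userIdentity":"alice"}',
        "log-0002.json": b'{"eventName":"DeleteTrail","userIdentity":"mallory"}',
        "log-0003.json": b'{"eventName":"CreateUser","userIdentity":"alice"}',
    }
    first = make_digest("2017-01-01T01:00:00Z",
                        {k: store[k] for k in ("log-0001.json", "log-0002.json")}, None, key)
    second = make_digest("2017-01-01T02:00:00Z",
                         {"log-0003.json": store["log-0003.json"]}, first[1], key)
    return store, [first, second], key


if __name__ == "__main__":
    store, digests, key = build_demo()
    print(verify_chain(digests, store, key))
```

The chain is what defeats deletion: removing an embarrassing log file leaves a digest that still names it, and removing the digest as well leaves the next digest pointing at a signature that no longer exists.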
AWS Cloud Service-Specific Security
Not only is security built into every layer of the AWS infrastructure, but also into each of the services available on that infrastructure. AWS Cloud services are architected to work efficiently and securely with all AWS networks and platforms. Each service provides additional security features to enable you to protect sensitive data and applications.

Compute Services
AWS provides a variety of cloud-based computing services that include a wide selection of compute instances that can scale up and down automatically to meet the needs of your application or enterprise.

Amazon Elastic Compute Cloud (Amazon EC2) Security
Amazon EC2 is a key component in Amazon's Infrastructure as a Service (IaaS), providing resizable computing capacity using server instances in AWS data centers. Amazon EC2 is designed to make web-scale computing easier by enabling you to obtain and configure capacity with minimal friction. You create and launch instances, which are collections of platform hardware and software.

Multiple Levels of Security
Security within Amazon EC2 is provided on multiple levels: the operating system (OS) of the host platform, the virtual instance OS or guest OS, a firewall, and signed API calls. Each of these items builds on the capabilities of the others. The goal is to prevent data contained within Amazon EC2 from being intercepted by unauthorized systems or users and to make Amazon EC2 instances themselves as secure as possible without sacrificing the flexibility in configuration that customers demand.

The Hypervisor
Amazon EC2 currently uses a highly customized version of the Xen hypervisor, taking advantage of paravirtualization (in the case of Linux guests). Because paravirtualized guests rely on the hypervisor to provide support for operations that normally require privileged access, the guest OS has no elevated access to the CPU. The CPU provides four separate privilege modes: 0–3, called rings. Ring 0 is the most privileged and 3 the least. The host OS executes in Ring 0. However, instead of executing in Ring 0 as most OSs do, the guest OS runs in lesser-privileged Ring 1, and applications in the least privileged Ring 3. This explicit virtualization of the physical resources leads to a clear separation between guest and hypervisor, resulting in additional security separation between the two.
Instance Isolation
Different instances running on the same physical machine are isolated from each other via the Xen hypervisor. Amazon is active in the Xen community, which provides AWS with awareness of the latest developments. In addition, the AWS firewall resides within the hypervisor layer, between the physical network interface and the instance's virtual interface. All packets must pass through this layer; thus, an instance's neighbors have no more access to that instance than any other host on the Internet and can be treated as if they are on separate physical hosts. The physical RAM is separated using similar mechanisms. Customer instances have no access to raw disk devices, but instead are presented with virtualized disks. The AWS proprietary disk virtualization layer automatically resets every block of storage used by the customer, so that one customer's data is never unintentionally exposed to another customer. In addition, memory allocated to guests is scrubbed (set to zero) by the hypervisor when it is unallocated to a guest. The memory is not returned to the pool of free memory available for new allocations until the memory scrubbing is completed. Figure 12.3 depicts instance isolation within Amazon EC2.

FIGURE 12.3 Amazon EC2 multiple layers of security
Host Operating System
Administrators with a business need to access the management plane are required to use MFA to gain access to purpose-built administration hosts. These administrative hosts are systems that are specifically designed, built, configured, and hardened to protect the management plane of the cloud. All such access is logged and audited. When an employee no longer has a business need to access the management plane, the privileges and access to these hosts and relevant systems can be revoked.

Guest Operating System
Virtual instances are completely controlled by you, the customer. You have full root access or administrative control over accounts, services, and applications. AWS does not have any access rights to your instances or the guest OS. AWS recommends a base set of security best practices to include disabling password-only access to your guests, and using some form of MFA to gain access to your instances (or at a minimum certificate-based SSH Version 2 access). Additionally, you should employ a privilege escalation mechanism with logging on a per-user basis. For example, if the guest OS is Linux, after hardening your instance you should use certificate-based SSHv2 to access the virtual instance, disable remote root login, use command-line logging, and use sudo for privilege escalation. You should generate your own key pairs in order to guarantee that they are unique and not shared with other customers or with AWS. AWS also supports the use of the SSH network protocol to enable you to log in securely to your UNIX/Linux Amazon EC2 instances.

Authentication for SSH used with AWS is via a public/private key pair to reduce the risk of unauthorized access to your instance. You can also connect remotely to your Windows instances using Remote Desktop Protocol (RDP) by using an RDP certificate generated for your instance. You also control the updating and patching of your guest OS, including security updates. Amazon-provided Windows and Linux-based AMIs are updated regularly with the latest patches, so if you do not need to preserve data or customizations on your running Amazon AMI instances, you can simply relaunch new instances with the latest updated AMI. In addition, updates are provided for the Amazon Linux AMI via the Amazon Linux yum repositories.
Firewall
Amazon EC2 provides a mandatory inbound firewall that is configured in a default deny-all mode; Amazon EC2 customers must explicitly open the ports needed to allow inbound traffic. The traffic may be restricted by protocol, by service port, and by source IP address (individual IP or Classless Inter-Domain Routing [CIDR] block).

The firewall can be configured in groups, permitting different classes of instances to have different rules. Consider, for example, the case of a traditional three-tiered web application. The group for the web servers would have port 80 (HTTP) and/or port 443 (HTTPS) open to the Internet. The group for the application servers would have port 8000 (application specific) accessible only to the web server group. The group for the database servers would have port 3306 (MySQL) open only to the application server group. All three groups would permit administrative access on port 22 (SSH), but only from the customer's corporate network. Highly secure applications can be deployed using this approach, which is also depicted in Figure 12.4.

FIGURE 12.4 Amazon EC2 security group firewall

The level of security afforded by the firewall is a function of which ports you open and for what duration and purpose. Well-informed traffic management and security design are still required on a per-instance basis. AWS further encourages you to apply additional per-instance filters with host-based firewalls such as IPtables or the Windows Firewall and VPNs. This can restrict both inbound and outbound traffic.

The default state is to deny all incoming traffic, and you should carefully plan what you will open when building and securing your applications.
API Access
API calls to launch and terminate instances, change firewall parameters, and perform other functions are all signed by your Amazon Secret Access Key, which could be either the AWS account's Secret Access Key or the Secret Access Key of a user created with AWS IAM. Without access to your Secret Access Key, Amazon EC2 API calls cannot be made on your behalf. API calls can also be encrypted with SSL to maintain confidentiality. AWS recommends always using SSL-protected API endpoints.
Amazon Elastic Block Storage (Amazon EBS) Security
Amazon EBS allows you to create storage volumes from 1 GB to 16 TB that can be mounted as devices by Amazon EC2 instances. Storage volumes behave like raw, unformatted block devices, with user-supplied device names and a block device interface. You can create a file system on top of Amazon EBS volumes or use them in any other way you would use a block device (like a hard drive). Amazon EBS volume access is restricted to the AWS account that created the volume and to the users under the AWS account created with AWS IAM (if the user has been granted access to the EBS operations). All other AWS accounts and users are denied the permission to view or access the volume.

Data stored in Amazon EBS volumes is redundantly stored in multiple physical locations as part of normal operation of those services and at no additional charge. However, Amazon EBS replication is stored within the same Availability Zone, not across multiple zones; therefore, it is highly recommended that you conduct regular snapshots to Amazon S3 for long-term data durability. For customers who have architected complex transactional databases using Amazon EBS, it is recommended that backups to Amazon S3 be performed through the database management system so that distributed transactions and logs can be checkpointed. AWS does not automatically perform backups of data that are maintained on virtual disks attached to running instances on Amazon EC2.

You can make Amazon EBS volume snapshots publicly available to other AWS accounts to use as the basis for creating duplicate volumes. Sharing Amazon EBS volume snapshots does not provide other AWS accounts with the permission to alter or delete the original snapshot, as that right is explicitly reserved for the AWS account that created the volume. An Amazon EBS snapshot is a block-level view of an entire Amazon EBS volume. Note that data that is not visible through the file system on the volume, such as files that have been deleted, may be present in the Amazon EBS snapshot. If you want to create shared snapshots, you should do so carefully. If a volume has held sensitive data or has had files deleted from it, you should create a new Amazon EBS volume to share. The data to be contained in the shared snapshot should be copied to the new volume, and the snapshot created from the new volume.

Amazon EBS volumes are presented to you as raw unformatted block devices that have been wiped prior to being made available for use. Wiping occurs immediately before reuse so that you can be assured that the wipe process is completed. If you have procedures requiring that all data be wiped via a specific method, you have the ability to do so on Amazon EBS. You should conduct a specialized wipe procedure prior to deleting the volume for compliance with your established requirements.
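The warning above, that a block-level snapshot can contain data the file system no longer shows, is easiest to appreciate on a model you can inspect. The following is an added example, not EBS code: a constructed in-memory volume made of fixed-size blocks plus a directory that plays the role of the file system. Deleting a file unlinks its blocks without overwriting them, a snapshot copies every block whether linked or not, and the two remedies the text recommends (copy the visible files to a fresh volume, or run an explicit wipe) both remove the leftover bytes. The file names and the sample secret are constructed.

```python
"""Why a block-level snapshot can expose data the file system no longer lists. Added example;
a constructed in-memory volume, not EBS code."""


class ToyVolume:
    BLOCK_SIZE = 16

    def __init__(self, block_count: int = 8):
        self.blocks = [bytes(self.BLOCK_SIZE) for _ in range(block_count)]
        self.directory = {}                 # name -> (block indexes, byte length): the "file system"
        self.free = list(range(block_count))

    def write_file(self, name: str, data: bytes) -> None:
        chunks = [data[i:i + self.BLOCK_SIZE] for i in range(0, len(data), self.BLOCK_SIZE)] or [b""]
        if len(chunks) > len(self.free):
            raise OSError("volume full")
        indexes = [self.free.pop(0) for _ in chunks]
        for idx, chunk in zip(indexes, chunks):
            self.blocks[idx] = chunk.ljust(self.BLOCK_SIZE, b"\x00")
        self.directory[name] = (indexes, len(data))

    def read_file(self, name: str) -> bytes:
        indexes, length = self.directory[name]
        return b"".join(self.blocks[i] for i in indexes)[:length]

    def delete_file(self, name: str) -> None:
        indexes, _ = self.directory.pop(name)
        self.free.extend(indexes)           # blocks are unlinked, not overwritten

    def wipe_free_blocks(self) -> None:
        """What an explicit wipe procedure does: overwrite every unlinked block."""
        for idx in self.free:
            self.blocks[idx] = bytes(self.BLOCK_SIZE)

    def snapshot(self) -> bytes:
        """Block-level view of the whole volume, which is exactly what a snapshot captures."""
        return b"".join(self.blocks)


def copy_visible_files(src: ToyVolume) -> ToyVolume:
    """The recommended path before sharing: copy only what the file system still shows onto a
    fresh volume and snapshot that volume instead of the original."""
    dst = ToyVolume(len(src.blocks))
    for name in src.directory:
        dst.write_file(name, src.read_file(name))
    return dst


def leaks(snapshot: bytes, sensitive: bytes) -> bool:
    """True if the sensitive bytes are recoverable from the block-level image."""
    return sensitive in snapshot


if __name__ == "__main__":
    vol = ToyVolume()
    vol.write_file("db.conf", b"DB_PASSWORD=hunter2")   # constructed secret
    vol.delete_file("db.conf")
    print("deleted file still in snapshot:", leaks(vol.snapshot(), b"hunter2"))
```

The same reasoning applies to any block-level copy, not only snapshots: an AMI built from a volume that once held credentials carries them too unless the volume was wiped or rebuilt first.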
Encryption of sensitive data is generally a good security practice, and AWS provides the ability to encrypt Amazon EBS volumes and their snapshots with Advanced Encryption Standard (AES)-256. The encryption occurs on the servers that host the Amazon EC2 instances, providing encryption of data as it moves between Amazon EC2 instances and Amazon EBS storage. In order to be able to do this efficiently and with low latency, the Amazon EBS encryption feature is only available on Amazon EC2's more powerful instance types.
Networking
AWS provides a range of networking services that enable you to create a logically isolated network that you define, establish a private network connection to the AWS Cloud, use a highly available and scalable Domain Name System (DNS) service, and deliver content to your end users with low latency at high data transfer speeds with a content delivery web service.
Elastic Load Balancing Security
Elastic Load Balancing is used to manage traffic on a fleet of Amazon EC2 instances, distributing traffic to instances across all Availability Zones within a region. Elastic Load Balancing has all of the advantages of an on-premises load balancer, plus several security benefits:

Takes over the encryption and decryption work from the Amazon EC2 instances and manages it centrally on the load balancer.
Offers clients a single point of contact, and can also serve as the first line of defense against attacks on your network.
When used in an Amazon VPC, supports creation and management of security groups associated with your Elastic Load Balancing to provide additional networking and security options.
Supports end-to-end traffic encryption using TLS (previously SSL) on those networks that use secure HTTP (HTTPS) connections. When TLS is used, the TLS server certificate used to terminate client connections can be managed centrally on the load balancer, instead of on every individual instance.

HTTPS/TLS uses a long-term secret key to generate a short-term session key to be used between the server and the browser to create the encrypted message. Elastic Load Balancing configures your load balancer with a pre-defined cipher set that is used for TLS negotiation when a connection is established between a client and your load balancer. The pre-defined cipher set provides compatibility with a broad range of clients and uses strong cryptographic algorithms. However, some customers may have requirements for allowing only specific ciphers and protocols (for example, Payment Card Industry Data Security Standard [PCI DSS], Sarbanes-Oxley Act [SOX]) from clients to ensure that standards are met. In these cases, Elastic Load Balancing provides options for selecting different configurations for TLS protocols and ciphers. You can choose to enable or disable the ciphers depending on your specific requirements.

To help ensure the use of newer and stronger cipher suites when establishing a secure connection, you can configure the load balancer to have the final say in the cipher suite selection during the client-server negotiation. When the Server Order Preference option is selected, the load balancer will select a cipher suite based on the server's prioritization of cipher suites instead of the client's. This gives you more control over the level of security that clients use to connect to your load balancer.

For even greater communication privacy, Elastic Load Balancing allows the use of Perfect Forward Secrecy, which uses session keys that are ephemeral and not stored anywhere. This prevents the decoding of captured data, even if the secret long-term key itself is compromised.
Elastic Load Balancing allows you to identify the originating IP address of a client connecting to your servers, whether you're using HTTPS or TCP load balancing. Typically, client connection information, such as IP address and port, is lost when requests are proxied through a load balancer. This is because the load balancer sends requests to the server on behalf of the client, making your load balancer appear as though it is the requesting client. Having the originating client IP address is useful if you need more information about visitors to your applications in order to gather connection statistics, analyze traffic logs, or manage whitelists of IP addresses.

Elastic Load Balancing access logs contain information about each HTTP and TCP request processed by your load balancer. This includes the IP address and port of the requesting client, the back-end IP address of the instance that processed the request, the size of the request and response, and the actual request line from the client (for example, GET http://www.example.com:80/ HTTP/1.1). All requests sent to the load balancer are logged, including requests that never make it to back-end instances.
Amazon Virtual Private Cloud (Amazon VPC) Security
Normally, each Amazon EC2 instance you launch is randomly assigned a public IP address in the Amazon EC2 address space. Amazon VPC enables you to create an isolated portion of the AWS Cloud and launch Amazon EC2 instances that have private (RFC 1918) addresses in the range of your choice (for example, 10.0.0.0/16). You can define subnets within your Amazon VPC, grouping similar kinds of instances based on IP address range, and then set up routing and security to control the flow of traffic in and out of the instances and subnets.

Security features within Amazon VPC include security groups, network ACLs, routing tables, and external gateways. Each of these items is complementary to providing a secure, isolated network that can be extended through selective enabling of direct Internet access or private connectivity to another network. Amazon EC2 instances running within an Amazon VPC inherit all of the benefits described below related to the guest OS and protection against packet sniffing. Note, however, that you must create security groups specifically for your Amazon VPC; any Amazon EC2 security groups you have created will not work inside your Amazon VPC. In addition, Amazon VPC security groups have additional capabilities that Amazon EC2 security groups do not have, such as being able to change the security group after the instance is launched and being able to specify any protocol with a standard protocol number (as opposed to just TCP, User Datagram Protocol [UDP], or Internet Control Message Protocol [ICMP]).

Each Amazon VPC is a distinct, isolated network within the cloud; network traffic within each Amazon VPC is isolated from all other Amazon VPCs. At creation time, you select an IP address range for each Amazon VPC. You may create and attach an Internet gateway, virtual private gateway, or both to establish external connectivity, subject to the following controls.

API Access
Calls to create and delete Amazon VPCs; change routing, security group, and network ACL parameters; and perform other functions are all signed by your Amazon Secret Access Key, which could be either the AWS account's Secret Access Key or the Secret Access Key of a user created with AWS IAM. Without access to your Secret Access Key, Amazon VPC API calls cannot be made on your behalf. In addition, API calls can be encrypted with SSL to maintain confidentiality. AWS recommends always using SSL-protected API endpoints. AWS IAM also enables a customer to further control what APIs a newly created user has permissions to call.
Subnets and Route Tables
You create one or more subnets within each Amazon VPC; each instance launched in the Amazon VPC is connected to one subnet. Traditional Layer 2 security attacks, including MAC spoofing and ARP spoofing, are blocked. Each subnet in an Amazon VPC is associated with a routing table, and all network traffic leaving the subnet is processed by the routing table to determine the destination.

Firewall (Security Groups)
Like Amazon EC2, Amazon VPC supports a complete firewall solution, enabling filtering on both ingress and egress traffic from an instance. The default group enables inbound communication from other members of the same group and outbound communication to any destination. Traffic can be restricted by any IP protocol, by service port, and source/destination IP address (individual IP or CIDR block). The firewall isn't controlled through the guest OS; rather, it can be modified only through the invocation of Amazon VPC APIs. AWS supports the ability to grant granular access to different administrative functions on the instances and the firewall, therefore enabling you to implement additional security through separation of duties. The level of security afforded by the firewall is a function of which ports you open and for what duration and purpose. Well-informed traffic management and security design are still required on a per-instance basis. AWS further encourages you to apply additional per-instance filters with host-based firewalls such as IPtables or the Windows Firewall. Figure 12.5 illustrates an Amazon VPC with two types of subnets (public and private) and two network paths to two different networks (a customer data center and the Internet).

FIGURE 12.5 Amazon VPC network architecture
Network ACLs
To add a further layer of security within Amazon VPC, you can configure network ACLs. These are stateless traffic filters that apply to all traffic inbound or outbound from a subnet within Amazon VPC. These ACLs can contain ordered rules to allow or deny traffic based on IP protocol, by service port, and source/destination IP address.
Like security groups, network ACLs are managed through Amazon VPC APIs, adding an additional layer of protection and enabling additional security through separation of duties. Figure 12.6 depicts how the security controls above interrelate to enable flexible network topologies while providing complete control over network traffic flows.
FIGURE 12.6 Flexible network architectures
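The difference between the two filters just described (stateful, allow-only security groups versus stateless, ordered network ACLs) is easiest to see on a concrete flow. The following is an added example, not code from the study guide or from AWS: a toy model of both filter types in Python, applied to an HTTPS request from the Internet to a web instance and to the instance's reply. The rule sets, addresses and ports are constructed for the demonstration; the class and function names are my own.

```python
"""Added example, not from the study guide: a toy model of the two VPC
filter types. A security group is stateful and allow-only; a network ACL is
stateless, evaluates numbered rules in ascending order, and denies anything
no rule matches. Rule sets and packets below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    """One rule. Security groups hold only allow rules; network ACLs hold
    allow and deny rules and order them by `number`."""
    proto: str          # "tcp", "udp" or "-1" for all protocols
    port_from: int
    port_to: int
    cidr: str
    action: str = "allow"
    number: int = 0


def _hits(rule: Rule, proto: str, port: int, peer_ip: str) -> bool:
    return (rule.proto in ("-1", proto)
            and rule.port_from <= port <= rule.port_to
            and ip_address(peer_ip) in ip_network(rule.cidr))


class SecurityGroup:
    """Stateful: admitted flows are tracked as 5-tuples, and a packet whose
    reversed tuple is tracked is the return leg of an admitted flow, so it
    passes without consulting the rules for its direction."""

    def __init__(self, inbound: List[Rule], outbound: List[Rule]) -> None:
        self.inbound, self.outbound = inbound, outbound
        self._flows: Set[Tuple[str, str, str, int, int]] = set()

    def _check(self, p: Packet, rules: List[Rule], peer_ip: str) -> bool:
        if (p.proto, p.dst, p.src, p.dport, p.sport) in self._flows:
            return True
        if any(_hits(r, p.proto, p.dport, peer_ip) for r in rules):
            self._flows.add((p.proto, p.src, p.dst, p.sport, p.dport))
            return True
        return False

    def inbound_allowed(self, p: Packet) -> bool:
        return self._check(p, self.inbound, p.src)

    def outbound_allowed(self, p: Packet) -> bool:
        return self._check(p, self.outbound, p.dst)


class NetworkAcl:
    """Stateless: every packet, replies included, is matched against the
    ordered list; the lowest-numbered matching rule decides, and no match
    means deny (the implicit final '*' rule)."""

    def __init__(self, inbound: List[Rule], outbound: List[Rule]) -> None:
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    @staticmethod
    def _decide(rules: List[Rule], proto: str, port: int, peer_ip: str) -> str:
        for r in rules:
            if _hits(r, proto, port, peer_ip):
                return r.action
        return "deny"

    def inbound_allowed(self, p: Packet) -> bool:
        return self._decide(self.inbound, p.proto, p.dport, p.src) == "allow"

    def outbound_allowed(self, p: Packet) -> bool:
        return self._decide(self.outbound, p.proto, p.dport, p.dst) == "allow"


def demo() -> dict:
    """HTTPS from the Internet to a web instance at 10.0.1.5, then the
    instance's reply, under each filter type."""
    request = Packet("tcp", "203.0.113.7", "10.0.1.5", 51000, 443)
    reply = Packet("tcp", "10.0.1.5", "203.0.113.7", 443, 51000)

    sg = SecurityGroup(inbound=[Rule("tcp", 443, 443, "0.0.0.0/0")],
                       outbound=[])               # no outbound rule at all
    # NACL that forgot the ephemeral-port outbound rule: the reply is dropped.
    nacl_bad = NetworkAcl(
        inbound=[Rule("tcp", 443, 443, "0.0.0.0/0", "allow", 100)],
        outbound=[])
    # Corrected NACL: replies on ephemeral ports allowed, and a targeted
    # deny numbered below the broad allow so that ordering is visible.
    nacl_ok = NetworkAcl(
        inbound=[Rule("tcp", 443, 443, "198.51.100.0/24", "deny", 90),
                 Rule("tcp", 443, 443, "0.0.0.0/0", "allow", 100)],
        outbound=[Rule("tcp", 1024, 65535, "0.0.0.0/0", "allow", 100)])
    from_denied_range = Packet("tcp", "198.51.100.9", "10.0.1.5", 40000, 443)
    return {
        "sg_request": sg.inbound_allowed(request),
        "sg_reply": sg.outbound_allowed(reply),              # True: stateful
        "nacl_bad_request": nacl_bad.inbound_allowed(request),
        "nacl_bad_reply": nacl_bad.outbound_allowed(reply),  # False: stateless
        "nacl_ok_request": nacl_ok.inbound_allowed(request),
        "nacl_ok_reply": nacl_ok.outbound_allowed(reply),
        "nacl_ok_denied_range": nacl_ok.inbound_allowed(from_denied_range),
    }
```

The point the model makes is the one the text states in passing: because a network ACL is stateless, a subnet that admits inbound 443 also needs an outbound rule for the ephemeral port range or the server's replies never leave, whereas a security group with an empty outbound rule set still lets the reply through because the flow was already admitted.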
Virtual Private Gateway
A virtual private gateway enables private connectivity between the Amazon VPC and another network. Network traffic within each virtual private gateway is isolated from network traffic within all other virtual private gateways. You can establish VPN connections to the virtual private gateway from gateway devices at your premises. Each connection is secured by a preshared key in conjunction with the IP address of the customer gateway device.
Internet Gateway
An Internet gateway may be attached to an Amazon VPC to enable direct connectivity to Amazon S3, other AWS services, and the Internet. Each instance desiring this access must either have an Elastic IP associated with it or route traffic through a Network Address Translation (NAT) instance. Additionally, network routes are configured to direct traffic to the Internet gateway (see Figure 12.6). AWS provides reference NAT AMIs that you can extend to perform network logging, deep packet inspection, application layer filtering, or other security controls.
This access can only be modified through the invocation of Amazon VPC APIs. AWS supports the ability to grant granular access to different administrative functions on the instances and the Internet gateway, enabling you to implement additional security through separation of duties.
Dedicated Instances
Within an Amazon VPC, you can launch Amazon EC2 instances that are physically isolated at the host hardware level (that is, they will run on single-tenant hardware). An Amazon VPC can be created with “dedicated” tenancy, so that all instances launched into the Amazon VPC will use this feature. Alternatively, an Amazon VPC may be created with “default” tenancy, but you can specify dedicated tenancy for particular instances launched into it.
Amazon CloudFront Security
Amazon CloudFront gives customers an easy way to distribute content to end users with low latency and high data transfer speeds. It delivers dynamic, static, and streaming content using a global network of edge locations. Requests for customers' objects are automatically routed to the nearest edge location, so content is delivered with the best possible performance. Amazon CloudFront is optimized to work with other AWS services like Amazon S3, Amazon EC2, Elastic Load Balancing, and Amazon Route 53. It also works seamlessly with any non-AWS origin server that stores the original, definitive versions of your files.
Amazon CloudFront requires that every request made to its control API is authenticated so only authorized users can create, modify, or delete their own Amazon CloudFront distributions. Requests are signed with an HMAC-SHA-1 signature calculated from the request and the user's private key. Additionally, the Amazon CloudFront control API is only accessible via SSL-enabled endpoints.
There is no guarantee of durability of data held in Amazon CloudFront edge locations. The service may sometimes remove objects from edge locations if those objects are not requested frequently. Durability is provided by Amazon S3, which works as the origin server for Amazon CloudFront by holding the original, definitive copies of objects delivered by Amazon CloudFront.
If you want control over who can download content from Amazon CloudFront, you can enable the service's private content feature. This feature has two components. The first controls how content is delivered from the Amazon CloudFront edge location to viewers on the Internet. The second controls how the Amazon CloudFront edge locations access objects in Amazon S3. Amazon CloudFront also supports geo restriction, which restricts access to your content based on the geographic location of your viewers.
To control access to the original copies of your objects in Amazon S3, Amazon CloudFront allows you to create one or more Origin Access Identities and associate these with your distributions. When an Origin Access Identity is associated with an Amazon CloudFront distribution, the distribution will use that identity to retrieve objects from Amazon S3. You can then use Amazon S3's ACL feature, which limits access to that Origin Access Identity so the original copy of the object is not publicly readable.
To control who can download objects from Amazon CloudFront edge locations, the service uses a signed-URL verification system. To use this system, you first create a public-private key pair and upload the public key to your account via the AWS Management Console. You then configure your Amazon CloudFront distribution to indicate which accounts you would authorize to sign requests—you can indicate up to five AWS accounts that you trust to sign requests. As you receive requests, you will create policy documents indicating the conditions under which you want Amazon CloudFront to serve your content. These policy documents can specify the name of the object that is requested, the date and time of the request, and the source IP (or CIDR range) of the client making the request. You then calculate the SHA-1 hash of your policy document and sign this using your private key. Finally, you include both the encoded policy document and the signature as query string parameters when you reference your objects. When Amazon CloudFront receives a request, it will decode the signature using your public key. Amazon CloudFront will only serve requests that have a valid policy document and matching signature.
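The signed-URL flow above has three pieces worth seeing end to end: the policy document with its conditions, the URL-safe encoding CloudFront expects in the query string, and the checks the edge applies before serving. The following is an added example, not code from the study guide or from AWS. It uses only the Python standard library, which has no RSA, so the signature step uses HMAC-SHA1 as a stand-in for the RSA-SHA1 signature the trusted signer's private key would produce; the signing key, the distribution hostname and the timestamps are constructed, and all function names are my own.

```python
"""Added example (not the study guide's or AWS's code): building a
CloudFront custom policy, encoding it for the Policy query parameter, and
the checks the edge performs before serving. The standard library has no
RSA, so _sign() uses HMAC-SHA1 as a stand-in for the RSA-SHA1 signature a
trusted signer's private key would produce. Key, hostname and timestamps
are constructed."""
import base64
import hashlib
import hmac
import json
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple
from urllib.parse import urlencode


def build_policy(resource: str, expires_epoch: int,
                 source_ip_cidr: Optional[str] = None,
                 not_before_epoch: Optional[int] = None) -> Dict:
    """Custom policy: Resource (wildcards allowed), mandatory DateLessThan,
    optional DateGreaterThan and IpAddress conditions."""
    cond: Dict = {"DateLessThan": {"AWS:EpochTime": expires_epoch}}
    if not_before_epoch is not None:
        cond["DateGreaterThan"] = {"AWS:EpochTime": not_before_epoch}
    if source_ip_cidr is not None:
        cond["IpAddress"] = {"AWS:SourceIp": source_ip_cidr}
    return {"Statement": [{"Resource": resource, "Condition": cond}]}


def cf_b64(raw: bytes) -> str:
    """CloudFront's URL-safe base64: + / = become - _ ~."""
    return base64.b64encode(raw).decode().translate(str.maketrans("+/=", "-_~"))


def cf_b64_decode(text: str) -> bytes:
    return base64.b64decode(text.translate(str.maketrans("-_~", "+/=")))


def _sign(doc: bytes, key: bytes) -> bytes:
    # Real CloudFront: RSA-SHA1 over the policy with the private key.
    return hmac.new(key, hashlib.sha1(doc).digest(), hashlib.sha1).digest()


def sign_policy(policy: Dict, key: bytes) -> Tuple[str, str]:
    """Serialize with no whitespace, hash with SHA-1, sign; return the
    encoded policy and encoded signature for the query string."""
    doc = json.dumps(policy, separators=(",", ":")).encode()
    return cf_b64(doc), cf_b64(_sign(doc, key))


def signed_url(url: str, policy: Dict, key: bytes, key_pair_id: str) -> str:
    pol, sig = sign_policy(policy, key)
    return url + "?" + urlencode(
        {"Policy": pol, "Signature": sig, "Key-Pair-Id": key_pair_id})


def edge_check(url: str, pol: str, sig: str, key: bytes,
               client_ip: str, now_epoch: int) -> bool:
    """What the edge does: verify the signature over the encoded policy
    exactly as received, then apply every condition to this request."""
    doc = cf_b64_decode(pol)
    if not hmac.compare_digest(_sign(doc, key), cf_b64_decode(sig)):
        return False                                    # forged or edited
    stmt = json.loads(doc)["Statement"][0]
    if not fnmatchcase(url, stmt["Resource"]):
        return False
    cond = stmt["Condition"]
    if now_epoch >= cond["DateLessThan"]["AWS:EpochTime"]:
        return False                                    # expired
    if ("DateGreaterThan" in cond
            and now_epoch < cond["DateGreaterThan"]["AWS:EpochTime"]):
        return False                                    # not yet valid
    if ("IpAddress" in cond and ip_address(client_ip)
            not in ip_network(cond["IpAddress"]["AWS:SourceIp"])):
        return False                                    # wrong client network
    return True


def demo() -> Dict[str, bool]:
    key = b"demo-key-standing-in-for-rsa-private-key"   # constructed
    host = "https://d111111abcdef8.cloudfront.net"        # constructed
    policy = build_policy(host + "/private/*", expires_epoch=1_700_003_600,
                          source_ip_cidr="203.0.113.0/24")
    pol, sig = sign_policy(policy, key)
    url = host + "/private/report.pdf"
    # A re-encoded looser policy can only be paired with the old signature.
    loose, _ = sign_policy(build_policy(host + "/private/*", 1_900_000_000), key)
    return {
        "valid": edge_check(url, pol, sig, key, "203.0.113.10", 1_700_000_000),
        "expired": edge_check(url, pol, sig, key, "203.0.113.10", 1_700_003_600),
        "wrong_ip": edge_check(url, pol, sig, key, "198.51.100.1", 1_700_000_000),
        "other_path": edge_check(host + "/public/a.png", pol, sig, key,
                                 "203.0.113.10", 1_700_000_000),
        "edited_policy": edge_check(url, loose, sig, key, "203.0.113.10",
                                    1_700_000_000),
    }
```

Two details carry over to the real service unchanged: the policy is signed in its serialized form, so the edge must verify the bytes it received rather than a re-serialized copy, and the conditions are evaluated only after the signature check passes, so an edited policy never reaches the condition logic.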
Note that private content is an optional feature that must be enabled when you set up your Amazon CloudFront distribution. Content delivered without this feature enabled will be publicly readable.
Amazon CloudFront provides the option to transfer content over an encrypted connection (HTTPS). By default, Amazon CloudFront will accept requests over both HTTP and HTTPS protocols. However, you can also configure Amazon CloudFront to require HTTPS for all requests or have Amazon CloudFront redirect HTTP requests to HTTPS. You can even configure Amazon CloudFront distributions to allow HTTP for some objects but require HTTPS for other objects.
Storage
AWS provides low-cost data storage with high durability and availability. AWS offers storage choices for backup, archiving, and disaster recovery, and also for block and object storage.
Amazon Simple Storage Service (Amazon S3) Security
Amazon S3 allows you to upload and retrieve data at any time, from anywhere on the web. Amazon S3 stores data as objects within buckets. An object can be any kind of file: a text file, a photo, a video, and more. When you add a file to Amazon S3, you have the option of including metadata with the file and setting permissions to control access to the file. For each bucket, you can control access to the bucket (who can create, delete, and list objects in the bucket), view access logs for the bucket and its objects, and choose the geographical region where Amazon S3 will store the bucket and its contents.
Data Access
Access to data stored in Amazon S3 is restricted by default; only bucket and object owners have access to the Amazon S3 resources they create. (Note that a bucket/object owner is the AWS account owner, not the user who created the bucket/object.) There are multiple ways to control access to buckets and objects:
IAM Policies
AWS IAM enables organizations with many employees to create and manage multiple users under a single AWS account. IAM policies are attached to the users, enabling centralized control of permissions for users under your AWS account to access buckets or objects. With IAM policies, you can only grant users within your own AWS account permission to access your Amazon S3 resources.
ACLs
Within Amazon S3, you can use ACLs to give read or write access on buckets or objects to groups of users. With ACLs, you can only grant other AWS accounts (not specific users) access to your Amazon S3 resources.
Bucket Policies
Bucket policies in Amazon S3 can be used to add or deny permissions across some or all of the objects within a single bucket. Policies can be attached to users, groups, or Amazon S3 buckets, enabling centralized management of permissions. With bucket policies, you can grant users within your AWS account or other AWS accounts access to your Amazon S3 resources.
Query String Authentication
You can use a query string to express a request entirely in a URL. In this case, you use query parameters to provide request information, including the authentication information. Because the request signature is part of the URL, this type of URL is often referred to as a pre-signed URL. You can use pre-signed URLs to embed clickable links, which can be valid for up to seven days, in HTML.
You can further restrict access to specific resources based on certain conditions. For example, you can restrict access based on request time (Date Condition), whether the request was sent using SSL (Boolean Conditions), a requester's IP address (IP Address Condition), or the requester's client application (String Conditions). To identify these conditions, you use policy keys.
Amazon S3 also gives developers the option to use query string authentication, which allows them to share Amazon S3 objects through URLs that are valid for a predefined period of time. Query string authentication is useful for giving HTTP or browser access to resources that would normally require authentication. The signature in the query string secures the request.
Data Transfer
For maximum security, you can securely upload/download data to Amazon S3 via the SSL-encrypted endpoints. The encrypted endpoints are accessible from both the Internet and from within Amazon EC2, so that data is transferred securely both within AWS and to and from sources outside of AWS.
Data Storage
Amazon S3 provides multiple options for protecting data at rest. Customers who prefer to manage their own encryption can use a client encryption library like the Amazon S3 Encryption Client to encrypt data before uploading to Amazon S3. Alternatively, you can use Amazon S3 Server Side Encryption (SSE) if you prefer to have Amazon S3 manage the encryption process for you. Data is encrypted with a key generated by AWS or with a key you supply, depending on your requirements. With Amazon S3 SSE, you can encrypt data on upload simply by adding an additional request header when writing the object. Decryption happens automatically when data is retrieved. Note that metadata, which you can include with your object, is not encrypted. AWS recommends that customers not place sensitive information in Amazon S3 metadata.
Amazon S3 SSE uses one of the strongest block ciphers available: AES-256. With Amazon S3 SSE, every protected object is encrypted with a unique encryption key. This object key itself is then encrypted with a regularly rotated master key. Amazon S3 SSE provides additional security by storing the encrypted data and encryption keys in different hosts. Amazon S3 SSE also makes it possible for you to enforce encryption requirements. For example, you can create and apply bucket policies that require that only encrypted data can be uploaded to your buckets.
When an object is deleted from Amazon S3, removal of the mapping from the public name to the object starts immediately and is generally processed across the distributed system within several seconds. After the mapping is removed, there is no remote access to the deleted object. The underlying storage area is then reclaimed for use by the system.
Amazon S3 Standard is designed to provide 99.999999999 percent durability of objects over a given year. This durability level corresponds to an average annual expected loss of 0.000000001 percent of objects. For example, if you store 10,000 objects with Amazon S3, you can, on average, expect to incur a loss of a single object once every 10,000,000 years. In addition, Amazon S3 is designed to sustain the concurrent loss of data in two facilities.
Access Logs
An Amazon S3 bucket can be configured to log access to the bucket and objects within it. The access log contains details about each access request including request type, the requested resource, the requestor's IP, and the time and date of the request. When logging is enabled for a bucket, log records are periodically aggregated into log files and delivered to the specified Amazon S3 bucket.
Cross-Origin Resource Sharing (CORS)
AWS customers who use Amazon S3 to host static web pages or store objects used by other web pages can load content securely by configuring an Amazon S3 bucket to explicitly enable cross-origin requests. Modern browsers use the Same Origin policy to block JavaScript or HTML5 from allowing requests to load content from another site or domain as a way to help ensure that malicious content is not loaded from a less reputable source (such as during cross-site scripting attacks). With the Cross-Origin Resource Sharing (CORS) policy enabled, assets such as web fonts and images stored in an Amazon S3 bucket can be safely referenced by external web pages, style sheets, and HTML5 applications.
Amazon Glacier Security
Like Amazon S3, the Amazon Glacier service provides low-cost, secure, and durable storage. Where Amazon S3 is designed for rapid retrieval, however, Amazon Glacier is meant to be used as an archival service for data that is not accessed often and for which retrieval times of several hours are suitable.
Amazon Glacier stores files as archives within vaults. Archives can be any data such as a photo, video, or document, and can contain one or several files. You can store an unlimited number of archives in a single vault and can create up to 1,000 vaults per region. Each archive can contain up to 40 TB of data.
Data Transfer
For maximum security, you can securely upload/download data to Amazon Glacier via the SSL-encrypted endpoints. The encrypted endpoints are accessible from both the Internet and from within Amazon EC2, so that data is transferred securely both within AWS and to and from sources outside of AWS.
Data Retrieval
Retrieving archives from Amazon Glacier requires the initiation of a retrieval job, which is generally completed in three to five hours. You can then access the data via HTTP GET requests. The data will remain available to you for 24 hours. You can retrieve an entire archive or several files from an archive. If you want to retrieve only a subset of an archive, you can use one retrieval request to specify the range of the archive that contains the files in which you are interested, or you can initiate multiple retrieval requests, each with a range for one or more files.
You can also limit the number of vault inventory items retrieved by filtering on an archive creation date range or by setting a maximum items limit. Whichever method you choose, when you retrieve portions of your archive, you can use the supplied checksum to help ensure the integrity of the files, provided that the range that is retrieved is aligned with the tree hash of the overall archive.
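The alignment caveat in the last sentence becomes concrete once the checksum structure is visible. The following is an added example, not code from the study guide or from AWS: the SHA-256 tree hash Amazon Glacier uses as the archive checksum (SHA-256 over 1 MiB chunks, adjacent pairs combined level by level), with a direct test of whether a given byte range can be verified against the archive's tree. The 2.5 MiB archive is constructed in memory and the function names are my own.

```python
"""Added example, not from the study guide: the SHA-256 tree hash Amazon
Glacier uses as the archive checksum, and a direct test of whether a
retrieved byte range can be verified against it. Archive bytes are
constructed in memory."""
import hashlib
from typing import Dict, List

MIB = 1024 * 1024   # leaf size of the Glacier tree hash


def leaf_hashes(data: bytes) -> List[bytes]:
    """SHA-256 of each 1 MiB chunk (the last chunk may be shorter)."""
    if not data:
        return [hashlib.sha256(b"").digest()]
    return [hashlib.sha256(data[i:i + MIB]).digest()
            for i in range(0, len(data), MIB)]


def tree_levels(leaves: List[bytes]) -> List[List[bytes]]:
    """Combine adjacent pairs level by level; an odd leftover is carried up
    unchanged. Returns every level, leaves first and the root last."""
    levels = [leaves]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([
            hashlib.sha256(prev[i] + prev[i + 1]).digest()
            if i + 1 < len(prev) else prev[i]
            for i in range(0, len(prev), 2)])
    return levels


def tree_hash(data: bytes) -> str:
    """Hex tree hash; for data under 1 MiB it equals plain SHA-256."""
    return tree_levels(leaf_hashes(data))[-1][0].hex()


def range_verifiable(archive: bytes, start: int, end: int) -> bool:
    """A range's own tree hash can be checked against the archive's tree
    only when it is a node of that tree. AWS documents the alignment rules
    (1 MiB boundaries, a power-of-two number of leaves at a matching
    offset); here we test membership directly instead of restating them."""
    if start % MIB or (end % MIB and end != len(archive)):
        return False
    part_root = tree_levels(leaf_hashes(archive[start:end]))[-1][0]
    nodes = {h for level in tree_levels(leaf_hashes(archive)) for h in level}
    return part_root in nodes


def demo() -> Dict[str, object]:
    # Constructed 2.5 MiB archive: three leaves, the last one half-size.
    archive = b"A" * MIB + b"B" * MIB + b"C" * (MIB // 2)
    return {
        "tree_hash": tree_hash(archive),
        "leaves": len(leaf_hashes(archive)),
        "first_2mib": range_verifiable(archive, 0, 2 * MIB),                 # True
        "last_half_mib": range_verifiable(archive, 2 * MIB, len(archive)),   # True
        "mib_1_to_end": range_verifiable(archive, MIB, len(archive)),        # False
        "unaligned_end": range_verifiable(archive, 0, MIB + MIB // 2),       # False
    }
```

With three leaves the tree is `[hA, hB, hC]`, then `[H(hA+hB), hC]`, then the root `H(H(hA+hB)+hC)`. The range covering the first two leaves hashes to `H(hA+hB)`, an internal node, so the checksum returned with that range can be checked against the archive's tree hash; the range from the second leaf to the end hashes to `H(hB+hC)`, which appears nowhere in the tree, so it cannot, even though it starts on a 1 MiB boundary.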
Data Storage
Amazon Glacier automatically encrypts the data using AES-256 and stores it durably in an immutable form. Amazon Glacier is designed to provide average annual durability of 99.999999999 percent for an archive. It stores each archive in multiple facilities and multiple devices. Unlike traditional systems, which can require laborious data verification and manual repair, Amazon Glacier performs regular, systematic data integrity checks and is built to be self-healing.
Data Access
Only your account can access your data in Amazon Glacier. To control access to your data in Amazon Glacier, you can use AWS IAM to specify which users within your account have rights to operations on a given vault.
AWS Storage Gateway Security
The AWS Storage Gateway service connects your on-premises software appliance with cloud-based storage to provide seamless and secure integration between your IT environment and AWS storage infrastructure. The service enables you to upload data securely to AWS's scalable, reliable, and secure Amazon S3 storage service for cost-effective backup and rapid disaster recovery.
Data Transfer
Data is asynchronously transferred from your on-premises storage hardware to AWS over SSL.
Data Storage
The data is stored encrypted in Amazon S3 using AES 256, a symmetric key encryption standard using 256-bit encryption keys. The AWS Storage Gateway only uploads data that has changed, minimizing the amount of data sent over the Internet.
Database
AWS provides a number of database solutions for developers and businesses, from managed relational and NoSQL database services to in-memory caching as a service and a petabyte-scale data warehouse service.
Amazon DynamoDB Security
Amazon DynamoDB is a managed NoSQL database service that provides fast and predictable performance with seamless scalability. Amazon DynamoDB enables you to offload the administrative burdens of operating and scaling distributed databases to AWS, so you don't have to worry about hardware provisioning, setup and configuration, replication, software patching, or cluster scaling.
You can create a database table that can store and retrieve any amount of data and serve any level of request traffic. Amazon DynamoDB automatically spreads the data and traffic for the table over a sufficient number of servers to handle the request capacity you specified and the amount of data stored, while maintaining consistent, fast performance. All data items are stored on Solid State Drives (SSDs) and are automatically replicated across multiple Availability Zones in a region to provide built-in high availability and data durability.
You can set up automatic backups using a special template in AWS Data Pipeline that was created just for copying Amazon DynamoDB tables. You can choose full or incremental backups to a table in the same region or a different region. You can use the copy for disaster recovery in the event that an error in your code damages the original table or to federate Amazon DynamoDB data across regions to support a multi-region application.
To control who can use the Amazon DynamoDB resources and API, you set up permissions in AWS IAM. In addition to controlling access at the resource level with IAM, you can also control access at the database level—you can create database-level permissions that allow or deny access to items (rows) and attributes (columns) based on the needs of your application. These database-level permissions are called fine-grained access controls, and you create them using an IAM policy that specifies under what circumstances a user or application can access an Amazon DynamoDB table. The IAM policy can restrict access to individual items in a table, access to the attributes in those items, or both at the same time.
In addition to requiring database and user permissions, each request to the Amazon DynamoDB service must contain a valid HMAC-SHA-256 signature or the request is rejected. The AWS SDKs automatically sign your requests; however, if you want to write your own HTTP POST requests, you must provide the signature in the header of your request to Amazon DynamoDB. To calculate the signature, you must request temporary security credentials from the AWS Security Token Service. Use the temporary security credentials to sign your requests to Amazon DynamoDB. Amazon DynamoDB is accessible via SSL-encrypted endpoints, and the encrypted endpoints are accessible from both the Internet and from within Amazon EC2.
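The HMAC-SHA-256 request signature required here and the pre-signed S3 URLs described under Query String Authentication are the same mechanism, AWS Signature Version 4, carried once in the Authorization header and once in the query string, so one example covers both. The following is an added example, not code from the study guide or from any AWS SDK: the signing-key derivation, the canonical request and string to sign, a pre-signed S3 GET, and a header-signed DynamoDB POST that also carries an STS session token. It uses only the Python standard library. The access key, secret and dates are the placeholders AWS uses in its own documentation, not real credentials; the session token, bucket, key and request body are constructed; the function names are my own.

```python
"""Added example (not the study guide's or any SDK's code): AWS Signature
Version 4, the HMAC-SHA-256 scheme behind both S3 pre-signed URLs and
DynamoDB request signatures, using only the standard library. Access key,
secret and dates are the placeholders from the AWS documentation; the
session token, bucket, key and DynamoDB body are constructed."""
import hashlib
import hmac
from typing import Dict, Optional, Tuple
from urllib.parse import quote

ALGO = "AWS4-HMAC-SHA256"
# Placeholder credentials from the AWS documentation (not real keys).
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY"


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    """kSigning = HMAC(HMAC(HMAC(HMAC("AWS4"+secret, date), region), service),
    "aws4_request"). The secret itself never signs a request directly."""
    k = ("AWS4" + secret).encode()
    for part in (date, region, service, "aws4_request"):
        k = _hmac(k, part)
    return k


def _canonical_query(params: Dict[str, str]) -> str:
    return "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                    for k, v in sorted(params.items()))


def sign(secret: str, amz_date: str, region: str, service: str, method: str,
         path: str, query: Dict[str, str], headers: Dict[str, str],
         payload_hash: str) -> Tuple[str, str, str]:
    """Canonical request -> string to sign -> signature. Returns
    (signed_headers, credential_scope, hex_signature)."""
    hdrs = {k.lower().strip(): " ".join(v.split()) for k, v in headers.items()}
    signed_headers = ";".join(sorted(hdrs))
    canonical_request = "\n".join([
        method, quote(path, safe="/-_.~"), _canonical_query(query),
        "".join(f"{k}:{hdrs[k]}\n" for k in sorted(hdrs)),
        signed_headers, payload_hash])
    date = amz_date[:8]
    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([ALGO, amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    sig = hmac.new(signing_key(secret, date, region, service),
                   string_to_sign.encode(), hashlib.sha256).hexdigest()
    return signed_headers, scope, sig


def presign_s3_get(access_key: str, secret: str, region: str, bucket: str,
                   key: str, amz_date: str, expires: int) -> str:
    """Query-string authentication: the signature rides in the URL and
    X-Amz-Expires bounds its lifetime (at most seven days)."""
    host = f"{bucket}.s3.{region}.amazonaws.com"
    scope = f"{amz_date[:8]}/{region}/s3/aws4_request"
    query = {"X-Amz-Algorithm": ALGO, "X-Amz-Credential": f"{access_key}/{scope}",
             "X-Amz-Date": amz_date, "X-Amz-Expires": str(expires),
             "X-Amz-SignedHeaders": "host"}
    _, _, sig = sign(secret, amz_date, region, "s3", "GET", "/" + key, query,
                     {"host": host}, "UNSIGNED-PAYLOAD")
    return f"https://{host}/{quote(key)}?{_canonical_query(query)}&X-Amz-Signature={sig}"


def sign_dynamodb_request(access_key: str, secret: str, region: str, amz_date: str,
                          target: str, body: bytes,
                          session_token: Optional[str] = None) -> Dict[str, str]:
    """Header authentication for a DynamoDB POST. With STS temporary
    credentials the token is sent in x-amz-security-token and is itself
    covered by the signature."""
    headers = {"host": f"dynamodb.{region}.amazonaws.com", "x-amz-date": amz_date,
               "x-amz-target": target, "content-type": "application/x-amz-json-1.0"}
    if session_token:
        headers["x-amz-security-token"] = session_token
    signed, scope, sig = sign(secret, amz_date, region, "dynamodb", "POST", "/",
                              {}, headers, hashlib.sha256(body).hexdigest())
    headers["authorization"] = (f"{ALGO} Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed}, Signature={sig}")
    return headers


if __name__ == "__main__":
    print(presign_s3_get(ACCESS_KEY, SECRET_KEY, "us-east-1", "example-bucket",
                         "reports/q1.csv", "20150830T123600Z", 3600))
    print(sign_dynamodb_request(ACCESS_KEY, SECRET_KEY, "us-east-1", "20150830T123600Z",
                                "DynamoDB_20120810.GetItem", b'{"TableName":"GameScores"}',
                                session_token="SESSION-TOKEN-PLACEHOLDER")["authorization"])
```

Because the payload hash is part of the canonical request, any change to the request body invalidates the signature, which is what makes header signing an integrity check as well as an authentication step; the same holds for every header listed in SignedHeaders, including the session token.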
Amazon Relational Database Service (Amazon RDS) Security
Amazon Relational Database Service (Amazon RDS) allows you to quickly create a relational Database Instance (DB Instance) and flexibly scale the associated compute resources and storage capacity to meet application demand. Amazon RDS manages the database instance on your behalf by performing backups, handling failover, and maintaining the database software. As of the time of this writing, Amazon RDS is available for MySQL, Oracle, Microsoft SQL Server, MariaDB, Amazon Aurora, and PostgreSQL database engines.
Amazon RDS has multiple features that enhance reliability for critical production databases, including DB security groups, permissions, SSL connections, automated backups, DB snapshots, and multiple Availability Zone (Multi-AZ) deployments. DB Instances can also be deployed in an Amazon VPC for additional network isolation.
Access Control
When you first create a DB Instance within Amazon RDS, you will create a master user account, which is used only within the context of Amazon RDS to control access to your DB Instance(s). The master user account is a native database user account that allows you to log on to your DB Instance with all database privileges. You can specify the master user name and password you want associated with each DB Instance when you create the DB Instance. After you have created your DB Instance, you can connect to the database using the master user credentials. Subsequently, you can create additional user accounts so that you can restrict who can access your DB Instance.
You can control Amazon RDS DB Instance access via DB security groups, which are similar to Amazon EC2 security groups but not interchangeable. DB security groups act like a firewall controlling network access to your DB Instance. DB security groups default to deny all access mode, and customers must specifically authorize network ingress. There are two ways of doing this:
Authorizing a network IP range
Authorizing an existing Amazon EC2 security group
DB security groups only allow access to the database server port (all others are blocked) and can be updated without restarting the Amazon RDS DB Instance, which gives you seamless control of your database access.
Using AWS IAM, you can further control access to your Amazon RDS DB instances. AWS IAM enables you to control what Amazon RDS operations each individual AWS IAM user has permission to call.
Network Isolation
For additional network access control, you can run your DB Instances in an Amazon VPC. Amazon VPC enables you to isolate your DB Instances by specifying the IP range you want to use and connect to your existing IT infrastructure through industry-standard encrypted IPsec VPN. Running Amazon RDS in a VPC enables you to have a DB instance within a private subnet. You can also set up a virtual private gateway that extends your corporate network into your VPC, and allows access to the RDS DB instance in that VPC.
For Multi-AZ deployments, defining a subnet for all Availability Zones in a region will allow Amazon RDS to create a new standby in another Availability Zone should the need arise. You can create DB subnet groups, which are collections of subnets that you may want to designate for your Amazon RDS DB Instances in an Amazon VPC. Each DB subnet group should have at least one subnet for every Availability Zone in a given region. In this case, when you create a DB Instance in an Amazon VPC, you select a DB subnet group; Amazon RDS then uses that DB subnet group and your preferred Availability Zone to select a subnet and an IP address within that subnet. Amazon RDS creates and associates an Elastic Network Interface to your DB Instance with that IP address.
DB Instances deployed within an Amazon VPC can be accessed from the Internet or from Amazon EC2 instances outside the Amazon VPC via VPN or bastion hosts that you can launch in your public subnet. To use a bastion host, you will need to set up a public subnet with an Amazon EC2 instance that acts as an SSH bastion. This public subnet must have an Internet gateway and routing rules that allow traffic to be directed via the SSH host, which must then forward requests to the private IP address of your Amazon RDS DB Instance.
DB security groups can be used to help secure DB Instances within an Amazon VPC. In addition, network traffic entering and exiting each subnet can be allowed or denied via network ACLs. All network traffic entering or exiting your Amazon VPC via your IPsec VPN connection can be inspected by your on-premises security infrastructure, including network firewalls and intrusion detection systems.
Encryption
You can encrypt connections between your application and your DB Instance using SSL. For MySQL and SQL Server, Amazon RDS creates an SSL certificate and installs the certificate on the DB Instance when the instance is provisioned. For MySQL, you launch the MySQL client using the --ssl_ca parameter to reference the public key in order to encrypt connections. For SQL Server, download the public key and import the certificate into your Windows operating system. Oracle RDS uses Oracle native network encryption with a DB Instance. You simply add the native network encryption option to an option group and associate that option group with the DB Instance. After an encrypted connection is established, data transferred between the DB Instance and your application will be encrypted during transfer. You can also require your DB Instance to accept only encrypted connections.
Amazon RDS supports Transparent Data Encryption (TDE) for SQL Server (SQL Server Enterprise Edition) and Oracle (part of the Oracle Advanced Security option available in Oracle Enterprise Edition). The TDE feature automatically encrypts data before it is written to storage and automatically decrypts data when it is read from storage. If you require your MySQL data to be encrypted while at rest in the database, your application must manage the encryption and decryption of data.
Note that SSL support within Amazon RDS is for encrypting the connection between your application and your DB Instance; it should not be relied on for authenticating the DB Instance itself. While SSL offers security benefits, be aware that SSL encryption is a compute-intensive operation and will increase the latency of your database connection.
Automated Backups and DB Snapshots
Amazon RDS provides two different methods for backing up and restoring your DB Instance(s): automated backups and Database Snapshots (DB Snapshots). Turned on by default, the automated backup feature of Amazon RDS enables point-in-time recovery for your DB Instance. Amazon RDS will back up your database and transaction logs and store both for a user-specified retention period. This allows you to restore your DB Instance to any second during your retention period, up to the last five minutes. Your automatic backup retention period can be configured to up to 35 days.
DB Snapshots are user-initiated backups of your DB Instance. These full database backups are stored by Amazon RDS until you explicitly delete them. You can copy DB snapshots of any size and move them between any of AWS's public regions, or copy the same snapshot to multiple regions simultaneously. You can then create a new DB Instance from a DB Snapshot whenever you desire.
During the backup window, storage I/O may be suspended while your data is being backed up. This I/O suspension typically lasts a few minutes. This I/O suspension is avoided with Multi-AZ DB deployments, because the backup is taken from the standby.
DB Instance Replication
AWS Cloud computing resources are housed in highly available data center facilities in different regions of the world, and each region contains multiple distinct locations called Availability Zones. Each Availability Zone is engineered to be isolated from failures in other Availability Zones and provide inexpensive, low-latency network connectivity to other Availability Zones in the same region.
To architect for high availability of your Oracle, PostgreSQL, or MySQL databases, you can run your Amazon RDS DB Instance in several Availability Zones, an option called a Multi-AZ deployment. When you select this option, AWS automatically provisions and maintains a synchronous standby replica of your DB Instance in a different Availability Zone. The primary DB Instance is synchronously replicated across Availability Zones to the standby replica. In the event of DB Instance or Availability Zone failure, Amazon RDS will automatically fail over to the standby so that database operations can resume quickly without administrative intervention.
For customers who use MySQL and need to scale beyond the capacity constraints of a single DB Instance for read-heavy database workloads, Amazon RDS provides a read replica option. After you create a read replica, database updates on the source DB Instance are replicated to the read replica using MySQL's native, asynchronous replication. You can create multiple read replicas for a given source DB instance and distribute your application's read traffic among them. Read replicas can be created with Multi-AZ deployments to gain read scaling benefits in addition to the enhanced database write availability and data durability provided by Multi-AZ deployments.
Automatic Software Patching
Amazon RDS will make sure that the relational database software powering your deployment stays up-to-date with the latest patches. When necessary, patches are applied during a maintenance window that you can control. You can think of the Amazon RDS maintenance window as an opportunity to control when DB Instance modifications (such as scaling DB Instance class) and software patching occur, in the event either is requested or required. If a maintenance event is scheduled for a given week, it will be initiated and completed at some point during the 30-minute maintenance window you identify.
The only maintenance events that require Amazon RDS to take your DB Instance offline are scale compute operations (which generally take only a few minutes from start to finish) or required software patching. Required patching is automatically scheduled only for patches that are related to security and durability. Such patching occurs infrequently (typically once every few months) and should seldom require more than a fraction of your maintenance window. If you do not specify a preferred weekly maintenance window when creating your DB Instance, a 30-minute default value is assigned. If you want to modify when maintenance is performed on your behalf, you can do so by modifying your DB Instance in the AWS Management Console or by using the ModifyDBInstance API. Each of your DB Instances can have different preferred maintenance windows, if you so choose.
Running your DB Instance in a Multi-AZ deployment can further reduce the impact of a maintenance event, as Amazon RDS will conduct maintenance via the following steps:
1. Perform maintenance on standby.
2. Promote standby to primary.
3. Perform maintenance on old primary, which becomes the new standby.
When an Amazon RDS DB Instance deletion API (DeleteDBInstance) is run, the DB Instance is marked for deletion. After the instance no longer indicates deleting status, it has been removed. At this point, the instance is no longer accessible, and unless a final snapshot copy was asked for, it cannot be restored and will not be listed by any of the tools or APIs.
Amazon Redshift Security
Amazon Redshift is a petabyte-scale SQL data warehouse service that runs on highly optimized and managed AWS compute and storage resources. The service has been architected not only to scale up or down rapidly, but also to improve query speeds significantly even on extremely large datasets. To increase performance, Amazon Redshift uses techniques such as columnar storage, data compression, and zone maps to reduce the amount of I/O needed to perform queries. It also has a Massively Parallel Processing (MPP) architecture, parallelizing and distributing SQL operations to take advantage of all available resources.
Cluster Access
By default, clusters that you create are closed to everyone. Amazon Redshift enables you to configure firewall rules (security groups) to control network access to your data warehouse cluster. You can also run Amazon Redshift inside an Amazon VPC to isolate your data warehouse cluster in your own virtual network and connect it to your existing IT infrastructure using industry-standard encrypted IPsec VPN.
The AWS account that creates the cluster has full access to the cluster. Within your AWS account, you can use AWS IAM to create user accounts and manage permissions for those accounts. By using IAM, you can grant different users permission to perform only the cluster operations that are necessary for their work. As with all databases, you must grant permission in Amazon Redshift at the database level in addition to granting access at the resource level. Database users are named user accounts that can connect to a database and are authenticated when they log in to Amazon Redshift. In Amazon Redshift, you grant database user permissions on a per-cluster basis instead of on a per-table basis. However, users can see data only in the table rows that were generated by their own activities; rows generated by other users are not visible to them.
The user who creates a database object is its owner. By default, only a superuser or the owner of an object can query, modify, or grant permissions on the object. For users to use an object, you must grant the necessary permissions to the user or the group that contains the user. In addition, only the owner of an object can modify or delete it.
DataBackupsAmazonRedshiftdistributesyourdataacrossallcomputenodesinacluster.Whenyourunaclusterwithatleasttwocomputenodes,dataoneachnodewillalwaysbemirroredondisksonanothernode,reducingtheriskofdataloss.Inaddition,alldatawrittentoanodeinyourclusteriscontinuouslybackeduptoAmazonS3usingsnapshots.AmazonRedshiftstoresyoursnapshotsforauser-definedperiod,whichcanbefrom1to35days.Youcanalsotakeyourownsnapshotsatanytime;thesesnapshotsleverageallexistingsystemsnapshotsandareretaineduntilyouexplicitlydeletethem.
AmazonRedshiftcontinuouslymonitorsthehealthoftheclusterandautomaticallyre-replicatesdatafromfaileddrivesandreplacesnodesasnecessary.Allofthishappenswithoutanyeffortonyourpart,althoughyoumayseeaslightperformancedegradationduringthere-replicationprocess.
YoucanuseanysystemorusersnapshottorestoreyourclusterusingtheAWSManagementConsoleortheAmazonRedshiftAPIs.Yourclusterisavailableassoonasthesystemmetadatahasbeenrestored,andyoucanstartrunningquerieswhileuserdataisspooleddowninthebackground.
Data Encryption
When creating a cluster, you can choose to encrypt it in order to provide additional protection for your data at rest. When you enable encryption in your cluster, Amazon Redshift stores all data in user-created tables in an encrypted format using hardware-accelerated AES-256 block encryption keys. This includes all data written to disk and any backups.
Amazon Redshift uses a four-tier, key-based architecture for encryption. These keys consist of data encryption keys, a database key, a cluster key, and a master key.
Data encryption keys encrypt data blocks in the cluster. Each data block is assigned a randomly-generated AES-256 key. These keys are encrypted by using the database key for the cluster.
The database key encrypts data encryption keys in the cluster. The database key is a randomly-generated AES-256 key. It is stored on disk in a separate network from the Amazon Redshift cluster and encrypted by a master key. Amazon Redshift passes the database key across a secure channel and keeps it in memory in the cluster.
The cluster key encrypts the database key for the Amazon Redshift cluster. You can use either AWS or a Hardware Security Module (HSM) to store the cluster key. HSMs provide direct control of key generation and management and make key management separate and distinct from the application and the database.
The master key encrypts the cluster key if it is stored in AWS. The master key encrypts the cluster-key-encrypted database key if the cluster key is stored in an HSM.
You can have Amazon Redshift rotate the encryption keys for your encrypted clusters at any time. As part of the rotation process, keys are also updated for all of the cluster's automatic and manual snapshots. Note that enabling encryption in your cluster will impact performance, even though it is hardware accelerated.
Encryption also applies to backups. When you're restoring from an encrypted snapshot, the new cluster will be encrypted as well.
To encrypt your table load data files when you upload them to Amazon S3, you can use Amazon S3 server-side encryption. When you load the data from Amazon S3, the COPY command will decrypt the data as it loads the table.
Database Audit Logging
Amazon Redshift logs all SQL operations, including connection attempts, queries, and changes to your database. You can access these logs using SQL queries against system tables or choose to have them downloaded to a secure Amazon S3 bucket. You can then use these audit logs to monitor your cluster for security and troubleshooting purposes.
Automatic Software Patching
Amazon Redshift manages all the work of setting up, operating, and scaling your data warehouse, including provisioning capacity, monitoring the cluster, and applying patches and upgrades to the Amazon Redshift engine. Patches are applied only during specified maintenance windows.
SSL Connections
To protect your data in transit within the AWS Cloud, Amazon Redshift uses hardware-accelerated SSL to communicate with Amazon S3 or Amazon DynamoDB for COPY, UNLOAD, backup, and restore operations. You can encrypt the connection between your client and the cluster by specifying SSL in the parameter group associated with the cluster. To have your clients also authenticate the Amazon Redshift server, you can install the public key (.pem file) for the SSL certificate on your client and use the key to connect to your clusters.
Amazon Redshift offers the newer, stronger cipher suites that use the Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) protocol. ECDHE allows SSL clients to provide Perfect Forward Secrecy between the client and the Amazon Redshift cluster. Perfect Forward Secrecy uses session keys that are ephemeral and not stored anywhere, which prevents the decoding of captured data by unauthorized third parties, even if the secret long-term key itself is compromised. You do not need to configure anything in Amazon Redshift to enable ECDHE; if you connect from an SQL client tool that uses ECDHE to encrypt communication between the client and server, Amazon Redshift will use the provided cipher list to make the appropriate connection.
Amazon ElastiCache Security
Amazon ElastiCache is a web service that makes it easy to set up, manage, and scale distributed in-memory cache environments in the cloud. The service improves the performance of web applications by allowing you to retrieve information from a fast, managed, in-memory caching system, instead of relying entirely on slower disk-based databases. It can be used to improve latency and throughput significantly for many read-heavy application workloads (such as social networking, gaming, media sharing, and Q and A portals) or compute-intensive workloads (such as a recommendation engine). Caching improves application performance by storing critical pieces of data in memory for low-latency access. Cached information may include the results of I/O-intensive database queries or the results of computationally-intensive calculations.
The Amazon ElastiCache service automates time-consuming management tasks for in-memory cache environments, such as patch management, failure detection, and recovery. It works in conjunction with other AWS Cloud services (such as Amazon EC2, Amazon CloudWatch, and Amazon SNS) to provide a secure, high-performance, and managed in-memory cache. For example, an application running in Amazon EC2 can securely access an Amazon ElastiCache cluster in the same region with very low latency.
Using the Amazon ElastiCache service, you create a Cache Cluster, which is a collection of one or more Cache Nodes, each running an instance of the Memcached service. A Cache Node is a fixed-size chunk of secure, network-attached RAM. Each Cache Node runs an instance of the Memcached service and has its own DNS name and port. Multiple types of Cache Nodes are supported, each with varying amounts of associated memory. A Cache Cluster can be set up with a specific number of Cache Nodes and a Cache Parameter Group that controls the properties for each Cache Node. All Cache Nodes within a Cache Cluster are designed to be of the same Node Type and have the same parameter and security group settings.
Data Access
Amazon ElastiCache allows you to control access to your Cache Clusters using Cache Security Groups. A Cache Security Group acts like a firewall, controlling network access to your Cache Cluster. By default, network access is turned off to your Cache Clusters. If you want your applications to access your Cache Cluster, you must explicitly enable access from hosts in specific Amazon EC2 security groups. After ingress rules are configured, the same rules apply to all Cache Clusters associated with that Cache Security Group.
To allow network access to your Cache Cluster, create a Cache Security Group and use the AuthorizeCacheSecurityGroupIngress API or CLI command to authorize the desired Amazon EC2 security group (which in turn specifies the Amazon EC2 instances allowed). IP-range based access control is currently not enabled for Cache Clusters. All clients to a Cache Cluster must be within the Amazon EC2 network, and authorized via Cache Security Groups.
Amazon ElastiCache for Redis provides backup and restore functionality, where you can create a snapshot of your entire Redis cluster as it exists at a specific point in time. You can schedule automatic, recurring daily snapshots, or you can create a manual snapshot at any time. For automatic snapshots, you specify a retention period; manual snapshots are retained until you delete them. The snapshots are stored in Amazon S3 with high durability, and can be used for warm starts, backups, and archiving.
Application Services
AWS offers a variety of managed services to use with your applications, including services that provide application streaming, queueing, push notification, email delivery, search, and transcoding.
Amazon Simple Queue Service (Amazon SQS) Security
Amazon SQS is a highly reliable, scalable message queuing service that enables asynchronous message-based communication between distributed components of an application. The components can be computers or Amazon EC2 instances or a combination of both. With Amazon SQS, you can send any number of messages to an Amazon SQS queue at any time from any component. The messages can be retrieved from the same component or a different one, right away or at a later time (within 14 days). Messages are highly durable; each message is persistently stored in highly available, highly reliable queues. Multiple processes can read/write from/to an Amazon SQS queue at the same time without interfering with each other.
Data Access
Amazon SQS access is granted based on an AWS account or a user created with AWS IAM. After it is authenticated, the AWS account has full access to all user operations. An IAM user, however, only has access to the operations and queues for which they have been granted access via policy. By default, access to each individual queue is restricted to the AWS account that created it. However, you can allow other access to a queue, using either an Amazon SQS-generated policy or a policy you write.
Encryption
Amazon SQS is accessible via SSL-encrypted endpoints. The encrypted endpoints are accessible from both the Internet and from within Amazon EC2. Data stored within Amazon SQS is not encrypted by AWS; however, the user can encrypt data before it is uploaded to Amazon SQS, provided that the application using the queue has a means to decrypt the message when it's retrieved. Encrypting messages before sending them to Amazon SQS helps protect against access to sensitive customer data by unauthorized persons, including AWS.
Amazon Simple Notification Service (Amazon SNS) Security
Amazon SNS is a web service that makes it easy to set up, operate, and send notifications from the cloud. It provides developers with a highly scalable, flexible, and cost-effective capability to publish messages from an application and immediately deliver them to subscribers or other applications. Amazon SNS provides a simple web services interface that can be used to create topics that customers want to notify applications (or people) about, subscribe clients to these topics, publish messages, and have these messages delivered over clients' protocol of choice (for example, HTTP/HTTPS, email).
Amazon SNS delivers notifications to clients using a push mechanism that eliminates the need to check or poll for new information and updates periodically. Amazon SNS can be leveraged to build highly reliable, event-driven workflows and messaging applications without the need for complex middleware and application management. The potential uses for Amazon SNS include monitoring applications, workflow systems, time-sensitive information updates, mobile applications, and many others.
Data Access
Amazon SNS provides access control mechanisms so that topics and messages are secured against unauthorized access. Topic owners can set policies for a topic that restrict who can publish or subscribe to a topic. Additionally, topic owners can encrypt transmission by specifying that the delivery mechanism must be HTTPS. Amazon SNS access is granted based on an AWS account or a user created with AWS IAM. After it is authenticated, the AWS account has full access to all user operations. An IAM user, however, only has access to the operations and topics for which they have been granted access via policy. By default, access to each individual topic is restricted to the AWS account that created it. However, you can allow other access to Amazon SNS, using either an Amazon SNS-generated policy or a policy you write.
Analytics Services
AWS provides cloud-based analytics services to help you process and analyze any volume of data, whether your need is for managed Hadoop clusters, real-time streaming data, petabyte-scale data warehousing, or orchestration.
Amazon Elastic MapReduce (Amazon EMR) Security
Amazon Elastic MapReduce (Amazon EMR) is a managed web service you can use to run Hadoop clusters that process vast amounts of data by distributing the work and data among several servers. It uses an enhanced version of the Apache Hadoop framework running on the web-scale infrastructure of Amazon EC2 and Amazon S3. You simply upload your input data and a data processing application into Amazon S3. Amazon EMR then launches the number of Amazon EC2 instances you specify. The service begins the job flow execution while pulling the input data from Amazon S3 into the launched Amazon EC2 instances. After the job flow is finished, Amazon EMR transfers the output data to Amazon S3, where you can then retrieve it or use it as input in another job flow.
When launching job flows on your behalf, Amazon EMR sets up two Amazon EC2 security groups: one for the master nodes and another for the slaves. The master security group has a port open for communication with the service. It also has the SSH port open to allow you to SSH into the instances using the key specified at startup. The slaves start in a separate security group, which only allows interaction with the master instance. By default, both security groups are set up to not allow access from external sources, including Amazon EC2 instances belonging to other customers. Because these are security groups within your account, you can reconfigure them using the standard EC2 tools or dashboard. To protect customer input and output datasets, Amazon EMR transfers data to and from Amazon S3 using SSL.
Amazon EMR provides several ways to control access to the resources of your cluster. You can use AWS IAM to create user accounts and roles and configure permissions that control which AWS features those users and roles can access. When you launch a cluster, you can associate an Amazon EC2 key pair with the cluster, which you can then use when you connect to the cluster using SSH. You can also set permissions that allow users other than the default Hadoop user to submit jobs to your cluster.
By default, if an IAM user launches a cluster, that cluster is hidden from other IAM users on the AWS account. This filtering occurs on all Amazon EMR interfaces (the AWS Management Console, CLI, API, and SDKs) and helps prevent IAM users from accessing and inadvertently changing clusters created by other IAM users.
For an additional layer of protection, you can launch the Amazon EC2 instances of your Amazon EMR cluster into an Amazon VPC, which is like launching it into a private subnet. This allows you to control access to the entire subnet. You can also launch the cluster into an Amazon VPC and enable the cluster to access resources on your internal network using a VPN connection. You can encrypt the input data before you upload it to Amazon S3 using any common data encryption tool. If you do encrypt the data before it is uploaded, you then need to add a decryption step to the beginning of your job flow when Amazon EMR fetches the data from Amazon S3.
Amazon Kinesis Security
Amazon Kinesis is a managed service designed to handle real-time streaming of big data. It can accept any amount of data, from any number of sources, scaling up and down as needed. You can use Amazon Kinesis in situations that call for large-scale, real-time data ingestion and processing, such as server logs, social media, or market data feeds, and web clickstream data. Applications read and write data records to Amazon Kinesis in streams. You can create any number of Amazon Kinesis streams to capture, store, and transport data.
You can control logical access to Amazon Kinesis resources and management functions by creating users under your AWS account using AWS IAM, and controlling which Amazon Kinesis operations these users have permission to perform. To facilitate running your producer or consumer applications on an Amazon EC2 instance, you can configure that instance with an IAM role. That way, AWS credentials that reflect the permissions associated with the IAM role are made available to applications on the instance, which means you don't have to use your long-term AWS security credentials. Roles have the added benefit of providing temporary credentials that expire within a short time frame, which adds an additional measure of protection.
The Amazon Kinesis API is only accessible via an SSL-encrypted endpoint (kinesis.us-east-1.amazonaws.com) to help ensure secure transmission of your data to AWS. You must connect to that endpoint to access Amazon Kinesis, but you can then use the API to direct Amazon Kinesis to create a stream in any AWS region.
Deployment and Management Services
AWS provides a variety of tools to help with the deployment and management of your applications. This includes services that allow you to create individual user accounts with credentials for access to AWS services. It also includes services for creating and updating stacks of AWS resources, deploying applications on those resources, and monitoring the health of those AWS resources. Other tools help you manage cryptographic keys using HSMs and log AWS API activity for security and compliance purposes.
AWS Identity and Access Management (IAM) Security
AWS IAM allows you to create multiple users and manage the permissions for each of these users within your AWS account. A user is an identity (within an AWS account) with unique security credentials that can be used to access AWS Cloud services. IAM eliminates the need to share passwords or keys and makes it easy to enable or disable a user's access as appropriate.
AWS IAM enables you to implement security best practices, such as least privilege, by granting unique credentials to every user within your AWS account and only granting permission to access the AWS Cloud services and resources required for the users to perform their jobs. IAM is secure by default; new users have no access to AWS until permissions are explicitly granted.
AWS IAM is also integrated with AWS Marketplace so that you can control who in your organization can subscribe to the software and services offered in AWS Marketplace. Because subscribing to certain software in AWS Marketplace launches an Amazon EC2 instance to run the software, this is an important access control feature. Using IAM to control access to AWS Marketplace also enables AWS account owners to have fine-grained control over usage and software costs.
AWS IAM enables you to minimize the use of your AWS account credentials. After you create IAM user accounts, all interactions with AWS Cloud services and resources should occur with IAM user security credentials.
Roles
An IAM role uses temporary security credentials to allow you to delegate access to users or services that normally don't have access to your AWS resources. A role is a set of permissions to access specific AWS resources, but these permissions are not tied to a specific IAM user or group. An authorized entity (for example, a mobile user or an Amazon EC2 instance) assumes a role and receives temporary security credentials for authenticating to the resources defined in the role. Temporary security credentials provide enhanced security due to their short lifespan (the default expiration is 12 hours) and the fact that they cannot be reused after they expire. This can be particularly useful in providing limited, controlled access in certain situations:
Federated (Non-AWS) User Access
Federated users are users (or applications) who do not have AWS accounts. With roles, you can give them access to your AWS resources for a limited amount of time. This is useful if you have non-AWS users that you can authenticate with an external service, such as Microsoft Active Directory, Lightweight Directory Access Protocol (LDAP), or Kerberos. The temporary AWS credentials used with the roles provide identity federation between AWS and your non-AWS users in your corporate identity and authorization system.
Security Assertion Markup Language (SAML) 2.0
If your organization supports SAML 2.0, you can create trust between your organization as an Identity Provider (IdP) and other organizations as service providers. In AWS, you can configure AWS as the service provider and use SAML to provide your users with federated Single Sign-On (SSO) to the AWS Management Console or to get federated access to call AWS APIs.
Roles are also useful if you create a mobile or web-based application that accesses AWS resources. AWS resources require security credentials for programmatic requests; however, you shouldn't embed long-term security credentials in your application because they are accessible to the application's users and can be difficult to rotate. Instead, you can let users sign in to your application using Login with Amazon, Facebook, or Google and then use their authentication information to assume a role and get temporary security credentials.
Cross-Account Access
For organizations that use multiple AWS accounts to manage their resources, you can set up roles to provide users who have permissions in one account with access to resources under another account. For organizations that have personnel who only rarely need access to resources under another account, using roles helps to ensure that credentials are provided temporarily and only as needed.
Applications Running on EC2 Instances That Need to Access AWS Resources
If an application runs on an Amazon EC2 instance and needs to make requests for AWS resources, such as Amazon S3 buckets or a DynamoDB table, it must have security credentials. Using roles instead of creating individual IAM accounts for each application on each instance can save significant time for customers who manage a large number of instances or an elastically scaling fleet using AWS Auto Scaling.
The temporary credentials include a security token, an Access Key ID, and a Secret Access Key. To give a user access to certain resources, you distribute the temporary security credentials to the user to whom you are granting temporary access. When the user makes calls to your resources, the user passes in the token and Access Key ID and signs the request with the Secret Access Key. The token will not work with different access keys.
The use of temporary credentials provides additional protection for you because you don't have to manage or distribute long-term credentials to temporary users. In addition, the temporary credentials get automatically loaded to the target instance so you don't have to embed them somewhere unsafe like your code. Temporary credentials are automatically rotated or changed multiple times a day without any action on your part and are stored securely by default.
Mobile Services
AWS mobile services make it easier for you to build, ship, run, monitor, optimize, and scale cloud-powered applications for mobile devices. These services also help you authenticate users to your mobile application, synchronize data, and collect and analyze application usage.
Amazon Cognito Security
Amazon Cognito provides identity and sync services for mobile and web-based applications. It simplifies the task of authenticating users and storing, managing, and syncing their data across multiple devices, platforms, and applications. It provides temporary, limited-privilege credentials for both authenticated and unauthenticated users without having to manage any back-end infrastructure.
Amazon Cognito works with well-known identity providers like Google, Facebook, and Amazon to authenticate end users of your mobile and web applications. You can take advantage of the identification and authorization features provided by these services instead of having to build and maintain your own. Your application authenticates with one of these identity providers using the provider's SDK. After the end user is authenticated with the provider, an OAuth or OpenID Connect token returned from the provider is passed by your application to Amazon Cognito, which returns a new Amazon Cognito ID for the user and a set of temporary, limited-privilege AWS credentials.
To begin using Amazon Cognito, you create an identity pool through the Amazon Cognito console. The identity pool is a store of user identity information that is specific to your AWS account. During the creation of the identity pool, you will be asked to create a new IAM role or pick an existing one for your end users. An IAM role is a set of permissions to access specific AWS resources, but these permissions are not tied to a specific IAM user or group. An authorized entity (for example, a mobile user or an Amazon EC2 instance) assumes a role and receives temporary security credentials for authenticating to the AWS resources defined in the role. Temporary security credentials provide enhanced security due to their short lifespan (the default expiration is 12 hours) and the fact that they cannot be reused after they expire.
The role you select has an impact on which AWS Cloud services your end users will be able to access with the temporary credentials. By default, Amazon Cognito creates a new role with limited permissions; end users only have access to the Amazon Cognito Sync service and Amazon Mobile Analytics. If your application needs access to other AWS resources, such as Amazon S3 or Amazon DynamoDB, you can modify your roles directly from the IAM console.
With Amazon Cognito, there is no need to create individual AWS accounts or even IAM accounts for every one of your web/mobile application end users who will need to access your AWS resources. In conjunction with IAM roles, mobile users can securely access AWS resources and application features and even save data to the AWS Cloud without having to create an account or log in. If they choose to create an account or log in later, Amazon Cognito will merge data and identification information.
Because Amazon Cognito stores data locally and also in the service, your end users can continue to interact with their data even when they are offline. Their offline data may be stale, but they can immediately retrieve anything they put into the dataset whether or not they are online. The client SDK manages a local SQLite store so that the application can work even when it is not connected. The SQLite store functions as a cache and is the target of all read and write operations. Amazon Cognito's sync facility compares the local version of the data to the cloud version and pushes up or pulls down deltas as needed. Note that in order to sync data across devices, your identity pool must support authenticated identities. Unauthenticated identities are tied to the device, so unless an end user authenticates, no data can be synced across multiple devices.
With Amazon Cognito, your application communicates directly with a supported public identity provider (Amazon, Facebook, or Google) to authenticate users. Amazon Cognito does not receive or store user credentials, only the OAuth or OpenID Connect token received from the identity provider. After Amazon Cognito receives the token, it returns a new Amazon Cognito ID for the user and a set of temporary, limited-privilege AWS credentials. Each Amazon Cognito identity has access only to its own data in the sync store, and this data is encrypted when stored. In addition, all identity data is transmitted over HTTPS. The unique Amazon Cognito identifier on the device is stored in the appropriate secure location. For example, on iOS, the Amazon Cognito identifier is stored in the iOS keychain. User data is cached in a local SQLite database within the application's sandbox; if you require additional security, you can encrypt this identity data in the local cache by implementing encryption in your application.
Applications
AWS applications are managed services that enable you to provide your users with secure, centralized storage and work areas in the cloud.
Amazon WorkSpaces Security
Amazon WorkSpaces is a managed desktop service that allows you to quickly provision cloud-based desktops for your users. Simply choose a Windows 7 bundle that best meets the needs of your users and the number of WorkSpaces that you want to launch. After the WorkSpaces are ready, users receive an email informing them where they can download the relevant client and log in to their WorkSpace. They can then access their cloud-based desktops from a variety of endpoint devices, including PCs, laptops, and mobile devices. However, your organization's data is never sent to or stored on the end-user device because Amazon WorkSpaces uses PC-over-IP (PCoIP), which provides an interactive video stream without transmitting actual data. The PCoIP protocol compresses, encrypts, and encodes the users' desktop computing experience and transmits it as pixels only across any standard IP network to end-user devices.
In order to access their WorkSpace, users must sign in using a set of unique credentials or their regular Active Directory credentials. When you integrate Amazon WorkSpaces with your corporate Active Directory, each WorkSpace joins your Active Directory domain and can be managed just like any other desktop in your organization. This means that you can use Active Directory Group Policies to manage your users' WorkSpaces and specify configuration options that control the desktop. If you choose not to use Active Directory or another type of on-premises directory to manage your users' WorkSpaces, you can create a private cloud directory within Amazon WorkSpaces that you can use for administration.
To provide an additional layer of security, you can also require the use of MFA upon sign-in in the form of a hardware or software token. Amazon WorkSpaces supports MFA using an on-premises Remote Authentication Dial In User Service (RADIUS) server or any security provider that supports RADIUS authentication. It currently supports the PAP, CHAP, MS-CHAP1, and MS-CHAP2 protocols, along with RADIUS proxies.
Each WorkSpace resides on its own Amazon EC2 instance within an Amazon VPC. You can create WorkSpaces in an Amazon VPC you already own or have the Amazon WorkSpaces service create one for you automatically using the Amazon WorkSpaces Quick Start option. When you use the Quick Start option, Amazon WorkSpaces not only creates the Amazon VPC, but it also performs several other provisioning and configuration tasks for you, such as creating an Internet Gateway for the Amazon VPC, setting up a directory within the Amazon VPC that is used to store user and WorkSpace information, creating a directory administrator account, creating the specified user accounts and adding them to the directory, and creating the Amazon WorkSpaces instances. Alternatively, the Amazon VPC can be connected to an on-premises network using a secure VPN connection to allow access to an existing on-premises Active Directory and other intranet resources. You can add a security group that you create in your Amazon VPC to all of the WorkSpaces that belong to your Active Directory. This allows you to control network access from Amazon WorkSpaces in your Amazon VPC to other resources in your Amazon VPC and on-premises network.
Persistent storage for Amazon WorkSpaces is provided by Amazon EBS and is automatically backed up twice a day to Amazon S3. If Amazon WorkSpaces Sync is enabled on a WorkSpace, the folder a user chooses to sync will be continuously backed up and stored in Amazon S3. You can also use Amazon WorkSpaces Sync on a Mac or PC to sync documents to or from your WorkSpace so that you can always have access to your data regardless of the desktop computer you are using.
Because it is a managed service, AWS takes care of several security and maintenance tasks like daily backups and patching. Updates are delivered automatically to your WorkSpaces during a weekly maintenance window. You can control how patching is configured for a user's WorkSpace. By default, Windows Update is turned on, but you have the ability to customize these settings or use an alternative patch management approach if you desire. For the underlying OS, Windows Update is enabled by default on Amazon WorkSpaces and configured to install updates on a weekly basis. You can use an alternative patching approach or configure Windows Update to perform updates at a time of your choosing. You can use IAM to control who on your team can perform administrative functions like creating or deleting WorkSpaces or setting up user directories. You can also set up a WorkSpace for directory administration, install your favorite Active Directory administration tools, and create organizational units and Group Policies in order to apply Active Directory changes more easily for all of your Amazon WorkSpaces users.
![Page 418: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us](https://reader034.fdocuments.in/reader034/viewer/2022051903/5ff3f0af59eac925a1655b52/html5/thumbnails/418.jpg)
Summary
In this chapter, you learned that the first priority at AWS is Cloud security. Security within AWS is based on a “defense in depth” model where no one, single element is used to secure systems on AWS. Rather, AWS uses a multitude of elements—each acting at different layers of a system—in total to secure the system. AWS is responsible for some layers of this model, and customers are responsible for others. AWS also offers security tools and features of services for customers to use at their discretion. Several of these concepts, tools, and features were discussed in this chapter.
Security Model
The shared responsibility model is the security model where AWS is responsible for the security of the underlying cloud infrastructure, and the customer is responsible for securing workloads deployed in AWS. Customers benefit from a data center and network architecture built to satisfy the requirements of AWS’s most security-sensitive customers. This means that customers get a resilient infrastructure, designed for high security, without the capital outlay and operational overhead of a traditional data center.
Account Level Security
AWS credentials help ensure that only authorized users and processes access your AWS account and resources. AWS uses several types of credentials for authentication. These include passwords, cryptographic keys, digital signatures, and certificates. AWS also provides the option of requiring MFA to log in to your AWS account or IAM user accounts.
Passwords are required to access your AWS account, individual IAM user accounts, AWS Discussion Forums, and the AWS Support Center. You specify the password when you first create the account, and you can change it at any time by going to the Security Credentials page.
AWS MFA is an additional layer of security for accessing AWS Cloud services. When you enable this optional feature, you will need to provide a six-digit, single-use code in addition to your standard user name and password credentials before access is granted to your AWS account settings or AWS Cloud services and resources. You get this single-use code from an authentication device that you keep in your physical possession. This is multi-factor because more than one authentication factor is checked before access is granted: a password (something you know) and the precise code from your authentication device (something you have). An MFA device uses a software application that generates six-digit authentication codes that are compatible with the TOTP standard, as described in RFC 6238.
Access Keys are created by AWS IAM and delivered as a pair: the Access Key ID (AKI) and the Secret Access Key (SAK). AWS requires that all API requests be signed by the SAK; that is, they must include a digital signature that AWS can use to verify the identity of the requestor. You calculate the digital signature using a cryptographic hash function. If you use any of the AWS SDKs to generate requests, the digital signature calculation is done for you. The most recent version of the digital signature calculation process at the time of this writing is Signature Version 4, which calculates the signature using the HMAC-SHA-256 protocol.
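An added example (not the study guide's text or the AWS SDK's code) of the Signature Version 4 arithmetic: the HMAC-SHA-256 key derivation from the SAK, the signature over a canonical request, and the service-side check that rejects a request whose action was altered after signing. The access key is the placeholder example key from the AWS documentation and the request details are constructed; query-string encoding is simplified relative to the full specification.

```python
# Added example: Signature Version 4 signing and verification with HMAC-SHA-256.
import hashlib
import hmac

ALGORITHM = "AWS4-HMAC-SHA256"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(sak: str, date: str, region: str, service: str) -> bytes:
    # The SAK is never used as the HMAC key directly: it is folded through a chain of
    # HMACs scoped to date, region and service, so a derived key is only useful there.
    k_date = hmac_sha256(("AWS4" + sak).encode("utf-8"), date)
    k_region = hmac_sha256(k_date, region)
    k_service = hmac_sha256(k_region, service)
    return hmac_sha256(k_service, "aws4_request")


def canonical_request(method: str, uri: str, query: str, headers: dict, payload: bytes) -> str:
    # Headers are lowercased and sorted; the payload enters only as its SHA-256 hash.
    # (Full SigV4 also percent-encodes and sorts the query string; simplified here.)
    items = sorted((k.lower(), v.strip()) for k, v in headers.items())
    canon_headers = "".join(f"{k}:{v}\n" for k, v in items)
    signed_headers = ";".join(k for k, _ in items)
    return "\n".join([method, uri, query, canon_headers, signed_headers, sha256_hex(payload)])


def sign_request(sak, amz_date, region, service, method, uri, query, headers, payload) -> str:
    date = amz_date[:8]
    scope = f"{date}/{region}/{service}/aws4_request"
    creq = canonical_request(method, uri, query, headers, payload)
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope, sha256_hex(creq.encode("utf-8"))])
    key = derive_signing_key(sak, date, region, service)
    return hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_request(sak, amz_date, region, service, method, uri, query, headers, payload, signature) -> bool:
    # Service side: recompute from the stored SAK and compare in constant time.
    expected = sign_request(sak, amz_date, region, service, method, uri, query, headers, payload)
    return hmac.compare_digest(expected, signature)


def constructed_example():
    # Constructed inputs: the SAK is the placeholder example key from the AWS documentation,
    # not a real credential; the request is a made-up IAM ListUsers call.
    sak = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
    amz_date, region, service = "20150830T123600Z", "us-east-1", "iam"
    headers = {"Host": "iam.amazonaws.com", "X-Amz-Date": amz_date}
    query = "Action=ListUsers&Version=2010-05-08"
    sig = sign_request(sak, amz_date, region, service, "GET", "/", query, headers, b"")
    ok = verify_request(sak, amz_date, region, service, "GET", "/", query, headers, b"", sig)
    # A replayed request with an altered action fails verification because the
    # signature covers the query string (and the date, via the credential scope).
    altered = verify_request(sak, amz_date, region, service, "GET", "/",
                             "Action=CreateUser&Version=2010-05-08", headers, b"", sig)
    return sig, ok, altered


if __name__ == "__main__":
    print(constructed_example())
```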
AWS CloudTrail is a web service that records API calls made on your account and delivers log files to your Amazon S3 bucket. AWS CloudTrail’s benefit is visibility into account activity by recording API calls made on your account.
Service-Specific Security
In addition to the Shared Responsibility Model and Account Level security, AWS offers security features for each of the services it provides. These security features are outlined below by technology domain.
Compute
Amazon Elastic Compute Cloud (Amazon EC2)
Amazon EC2 supports RSA 2048 SSH-2 Key pairs for gaining first access to an Amazon EC2 instance. On a Linux instance, access is granted through showing possession of the SSH private key. On a Windows instance, access is granted by showing possession of the SSH private key in order to decrypt the administrator password.
Amazon Elastic Block Store (Amazon EBS)
Data stored in Amazon EBS volumes is redundantly stored in multiple physical locations within the same Availability Zone as part of normal operation of that service and at no additional charge. AWS provides the ability to encrypt Amazon EBS volumes and their snapshots with AES-256. The encryption occurs on the servers that host the Amazon EC2 instances, providing encryption of data as it moves between Amazon EC2 instances and Amazon EBS storage.
Networking
Elastic Load Balancing
Elastic Load Balancing configures your load balancer with a pre-defined cipher set that is used for TLS negotiation when a connection is established between a client and your load balancer. The pre-defined cipher set provides compatibility with a broad range of clients and uses strong cryptographic algorithms. Elastic Load Balancing allows you to identify the originating IP address of a client connecting to your servers, whether you’re using HTTPS or TCP load balancing.
Amazon Virtual Private Cloud (Amazon VPC)
Amazon VPC enables you to create an isolated portion of the AWS Cloud and launch Amazon EC2 instances that have private (RFC 1918) addresses in the range of your choice. Security features within Amazon VPC include security groups, network ACLs, routing tables, and external gateways. Each of these items is complementary to providing a secure, isolated network that can be extended through selective enabling of direct Internet access or private connectivity to another network.
Amazon CloudFront
Amazon CloudFront gives customers an easy way to distribute content to end users with low latency and high data transfer speeds. It delivers dynamic, static, and streaming content using a global network of edge locations. To control access to the original copies of your objects in Amazon S3, Amazon CloudFront allows you to create one or more Origin Access Identities and associate these with your distributions. To control who can download objects from Amazon CloudFront edge locations, the service uses a signed-URL verification system.
Storage
Amazon Simple Storage Service (Amazon S3)
Amazon S3 allows you to upload and retrieve data at any time, from anywhere on the web. Access to data stored in Amazon S3 is restricted by default; only bucket and object owners have access to the Amazon S3 resources they create. You can securely upload and download data to Amazon S3 via the SSL-encrypted endpoints. Amazon S3 supports several methods to encrypt data at rest.
Amazon Glacier
Amazon Glacier service provides low-cost, secure, and durable storage. You can securely upload and download data to Amazon Glacier via the SSL-encrypted endpoints, and the service automatically encrypts the data using AES-256 and stores it durably in an immutable form.
AWS Storage Gateway
AWS Storage Gateway service connects your on-premises software appliance with cloud-based storage to provide seamless and secure integration between your IT environment and AWS storage infrastructure. Data is asynchronously transferred from your on-premises storage hardware to AWS over SSL and stored encrypted in Amazon S3 using AES-256.
Database
Amazon DynamoDB
Amazon DynamoDB is a managed NoSQL database service that provides fast and predictable performance with seamless scalability. You can control access at the database level by creating database-level permissions that allow or deny access to items (rows) and attributes (columns) based on the needs of your application.
Amazon Relational Database Service (RDS)
Amazon RDS allows you to quickly create a relational DB Instance and flexibly scale the associated compute resources and storage capacity to meet application demand. You can control Amazon RDS DB Instance access via DB security groups, which act like a firewall controlling network access to your DB Instance. Database security groups default to deny-all access mode, and customers must specifically authorize network ingress. Amazon RDS is supported within an Amazon VPC, and for Multi-AZ deployments, defining a subnet for all Availability Zones in a region will allow Amazon RDS to create a new standby in another Availability Zone should the need arise. You can encrypt connections between your application and your DB Instance using SSL, and you can encrypt data at rest within Amazon RDS instances for all database engines.
Amazon Redshift
Amazon Redshift is a petabyte-scale SQL data warehouse service that runs on highly optimized and managed AWS compute and storage resources. The service enables you to configure firewall rules (security groups) to control network access to your data warehouse cluster. Database users are named user accounts that can connect to a database and are authenticated when they log in to Amazon Redshift. In Amazon Redshift, you grant database user permissions on a per-cluster basis instead of on a per-table basis. You may choose for Amazon Redshift to store all data in user-created tables in an encrypted format using hardware-accelerated AES-256 block encryption keys. This includes all data written to disk and also any backups. Amazon Redshift uses a four-tier, key-based architecture for encryption. These keys consist of data encryption keys, a database key, a cluster key, and a master key.
Amazon ElastiCache
Amazon ElastiCache is a web service that makes it easy to set up, manage, and scale distributed in-memory cache environments in the cloud. Amazon ElastiCache allows you to control access to your Cache Clusters using Cache Security Groups. A Cache Security Group acts like a firewall, controlling network access to your Cache Cluster.
Application Services
Amazon Simple Queue Service (SQS)
Amazon SQS is a highly reliable, scalable message queuing service that enables asynchronous message-based communication between distributed components of an application. Amazon SQS access is granted based on an AWS account or a user created with AWS IAM. Data stored within Amazon SQS is not encrypted by AWS; however, the user can encrypt data before it is uploaded to Amazon SQS, provided that the application using the queue has a means to decrypt the message when it’s retrieved.
Amazon Simple Notification Service (SNS)
Amazon SNS is a web service that makes it easy to set up, operate, and send notifications from the cloud. It provides developers with a highly scalable, flexible, and cost-effective capability to publish messages from an application and immediately deliver them to subscribers or other applications. Amazon SNS allows topic owners to set policies for a topic that restrict who can publish or subscribe to a topic.
Analytics
Amazon Elastic MapReduce (Amazon EMR)
Amazon EMR is a managed web service you can use to run Hadoop clusters that process vast amounts of data by distributing the work and data among several servers. When launching job flows on your behalf, Amazon EMR sets up two Amazon EC2 security groups: one for the master nodes and another for the slaves. You can launch the Amazon EC2 instances of your Amazon EMR cluster into an Amazon VPC, which is like launching it into a private subnet. You can encrypt the input data before you upload it to Amazon S3 using any common data encryption tool. If you do encrypt the data before it is uploaded, you then need to add a decryption step to the beginning of your job flow when Amazon EMR fetches the data from Amazon S3.
Amazon Kinesis
Amazon Kinesis is a managed service designed to handle real-time streaming of big data. You can control logical access to Amazon Kinesis resources and management functions by creating users under your AWS account using AWS IAM and controlling which Amazon Kinesis operations these users have permission to perform. The Amazon Kinesis API is only accessible via an SSL-encrypted endpoint to help ensure secure transmission of your data to AWS.
Deployment and Management
AWS Identity and Access Management (IAM)
AWS IAM allows you to create multiple users and manage the permissions for each of these users within your AWS account. A user is an identity (within an AWS account) with unique security credentials that can be used to access AWS Cloud services. IAM is secure by default; new users have no access to AWS until permissions are explicitly granted. A role is a set of permissions to access specific AWS resources, but these permissions are not tied to a specific IAM user or group.
Mobile Services
Amazon Cognito
Amazon Cognito provides identity and sync services for mobile and web-based applications. Your application authenticates with one of the well-known identity providers such as Google, Facebook, and Amazon using the provider’s SDK. After the end user is authenticated with the provider, an OAuth or OpenID Connect token returned from the provider is passed by your application to Amazon Cognito, which returns a new Amazon Cognito ID for the user and a set of temporary, limited-privilege AWS credentials.
Applications
Amazon WorkSpaces
Amazon WorkSpaces is a managed desktop service that allows you to quickly provision cloud-based desktops for your users. Amazon WorkSpaces uses PCoIP, which provides an interactive video stream without transmitting actual data. The PCoIP protocol compresses, encrypts, and encodes the user’s desktop computing experience and transmits as pixels only across any standard IP network to end-user devices. In order to access their WorkSpace, users must sign in using a set of unique credentials or their regular Active Directory credentials. You can also require the use of MFA upon sign-in in the form of a hardware or software token. Amazon WorkSpaces supports MFA using an on-premises RADIUS server or any security provider that supports RADIUS authentication. It currently supports the PAP, CHAP, MS-CHAP1, and MS-CHAP2 protocols, along with RADIUS proxies.
Exam Essentials
Understand the shared responsibility model. AWS is responsible for securing the underlying infrastructure that supports the cloud, and you’re responsible for anything you put on the cloud or connect to the cloud.
Understand regions and Availability Zones. Each region is completely independent. Each region is designed to be completely isolated from the other regions. This achieves the greatest possible fault tolerance and stability. Regions are a collection of Availability Zones. Each Availability Zone is isolated, but the Availability Zones in a region are connected through low-latency links.
Understand High-Availability System Design within AWS. You should architect your AWS usage to take advantage of multiple regions and Availability Zones. Distributing applications across multiple Availability Zones provides the ability to remain resilient in the face of most failure modes, including natural disasters or system failures.
Understand the network security of AWS. Network devices, including firewall and other boundary devices, are in place to monitor and control communications at the external boundary of the network and at key internal boundaries within the network. These boundary devices employ rule sets, ACLs, and configurations to enforce the flow of information to specific information system services.
AWS has strategically placed a limited number of access points to the cloud to allow for a more comprehensive monitoring of inbound and outbound communications and network traffic. These customer access points are called API endpoints, and they allow HTTPS access, which allows you to establish a secure communication session with your storage or compute instances within AWS.
Amazon EC2 instances cannot send spoofed network traffic. The AWS-controlled, host-based firewall infrastructure will not permit an instance to send traffic with a source IP or MAC address other than its own.
Unauthorized port scans by Amazon EC2 customers are a violation of the AWS Acceptable Use Policy. Violations of the AWS Acceptable Use Policy are taken seriously, and every reported violation is investigated.
It is not possible for an Amazon EC2 instance running in promiscuous mode to receive or “sniff” traffic that is intended for a different virtual instance.
Understand the use of credentials on AWS. AWS employs several credentials in order to positively identify a person or authorize an API call to the platform. Credentials include:
Passwords: AWS root account or IAM user account login to the AWS Management Console
Multi-Factor Authentication (MFA): AWS root account or IAM user account login to the AWS Management Console
Access Keys: Digitally signed requests to AWS APIs (using the AWS SDK, CLI, or REST/Query APIs)
Understand the proper use of access keys. Because access keys can be misused if they fall into the wrong hands, AWS encourages you to save them in a safe place and not to embed them in your code. For customers with large fleets of elastically-scaling Amazon EC2 instances, the use of IAM roles can be a more secure and convenient way to manage the distribution of access keys.
Understand the value of AWS CloudTrail. AWS CloudTrail is a web service that records API calls made on your account and delivers log files to your Amazon S3 bucket. AWS CloudTrail’s benefit is visibility into account activity by recording API calls made on your account.
Understand the security features of Amazon EC2. Amazon EC2 uses public-key cryptography to encrypt and decrypt login information. Public-key cryptography uses a public key to encrypt a piece of data, such as a password, and then the recipient uses the private key to decrypt the data. The public and private keys are known as a key pair.
To log in to your instance, you must create a key pair, specify the name of the key pair when you launch the instance, and provide the private key when you connect to the instance. Linux instances have no password, and you use a key pair to log in using SSH. With Windows instances, you use a key pair to obtain the administrator password and then log in using RDP.
A security group acts as a virtual firewall that controls the traffic for one or more instances. When you launch an instance, you associate one or more security groups with the instance. You add rules to each security group that allow traffic to or from its associated instances. You can modify the rules for a security group at any time; the new rules are automatically applied to all instances that are associated with the security group.
Understand AWS use of encryption of data in transit. All service endpoints support encryption of data in transit via HTTPS.
Know which services offer encryption of data at rest as a feature. The following services offer a feature to encrypt data at rest:
Amazon S3
Amazon EBS
Amazon Glacier
AWS Storage Gateway
Amazon RDS
Amazon Redshift
Amazon WorkSpaces
Exercises
The best way to become familiar with the security features of AWS is to do the exercises for each chapter and inspect the security features offered by the service. Take a look at this list of AWS Cloud services covered in different chapters and their security features:
Chapter 6, AWS IAM
Exercise 6.1: Create an IAM Group
Exercise 6.2: Create a Customized Sign-In Link and Password Policy
Exercise 6.3: Create an IAM User
Exercise 6.4: Create and Use an IAM Role
Exercise 6.5: Rotate Keys
Exercise 6.6: Set Up MFA
Exercise 6.7: Resolve Conflicting Permissions
Chapter 3, Amazon EC2
Exercise 3.1: Launch and Connect to a Linux Instance
Exercise 3.2: Launch a Windows Instance with Bootstrapping
Chapter 3, Amazon EBS
Exercise 3.8: Launch an Encrypted Volume
Chapter 2, Amazon S3
Exercise 2.1: Create an Amazon Simple Storage Service (Amazon S3) Bucket
Exercise 2.2: Upload, Make Public, Rename, and Delete Objects in Your Bucket
Chapter 4, Amazon VPC
Exercise 4.1: Create a Custom Amazon VPC
Exercise 4.2: Create Two Subnets for Your Custom Amazon VPC
Exercise 4.3: Connect Your Amazon VPC to the Internet and Establish Routing
Exercise 4.4: Launch an Amazon EC2 Instance and Test the Connection to the Internet.
Chapter 7, Amazon RDS
Exercise 7.1: Create a MySQL Amazon RDS Instance
Exercise 7.2: Simulate a Failover from One AZ to Another
Review Questions
1. Which is an operational process performed by AWS for data security?
A. Advanced Encryption Standard (AES)-256 encryption of data stored on any shared storage device
B. Decommissioning of storage devices using industry-standard practices
C. Background virus scans of Amazon Elastic Block Store (Amazon EBS) volumes and Amazon EBS snapshots
D. Replication of data across multiple AWS regions
E. Secure wiping of Amazon EBS data when an Amazon EBS volume is unmounted
2. You have launched a Windows Amazon Elastic Compute Cloud (Amazon EC2) instance and specified an Amazon EC2 key pair for the instance at launch. Which of the following accurately describes how to log in to the instance?
A. Use the Amazon EC2 key pair to securely connect to the instance via Secure Shell (SSH).
B. Use your AWS Identity and Access Management (IAM) user X.509 certificate to log in to the instance.
C. Use the Amazon EC2 key pair to decrypt the administrator password and then securely connect to the instance via Remote Desktop Protocol (RDP) as the administrator.
D. A key pair is not needed. Securely connect to the instance via RDP.
3. A database security group controls network access to a database instance that is inside a Virtual Private Cloud (VPC) and by default allows access from?
A. Access from any IP address for the standard ports that the database uses is provided by default.
B. Access from any IP address for any port is provided by default in the DB security group.
C. No access is provided by default, and any access must be explicitly added with a rule to the DB security group.
D. Access for the database connection string is provided by default in the DB security group.
4. Which encryption algorithm is used by Amazon Simple Storage Service (Amazon S3) to encrypt data at rest with Server-Side Encryption (SSE)?
A. Advanced Encryption Standard (AES)-256
B. RSA 1024
C. RSA 2048
D. AES-128
5. How many access keys may an AWS Identity and Access Management (IAM) user have active at one time?
A. 0
B. 1
C. 2
D. 3
6. Which of the following is the name of the security model employed by AWS with its customers?
A. The shared secret model
B. The shared responsibility model
C. The shared secret key model
D. The secret key responsibility model
7. Which of the following describes the scheme used by an Amazon Redshift cluster leveraging AWS Key Management Service (AWS KMS) to encrypt data-at-rest?
A. Amazon Redshift uses a one-tier, key-based architecture for encryption.
B. Amazon Redshift uses a two-tier, key-based architecture for encryption.
C. Amazon Redshift uses a three-tier, key-based architecture for encryption.
D. Amazon Redshift uses a four-tier, key-based architecture for encryption.
8. Which of the following Elastic Load Balancing options ensure that the load balancer determines which cipher is used for a Secure Sockets Layer (SSL) connection?
A. Client Server Cipher Suite
B. Server Cipher Only
C. First Server Cipher
D. Server Order Preference
9. Which technology does Amazon WorkSpaces use to provide data security?
A. Secure Sockets Layer (SSL)/Transport Layer Security (TLS)
B. Advanced Encryption Standard (AES)-256
C. PC-over-IP (PCoIP)
D. AES-128
10. As a Solutions Architect, how should you architect systems on AWS?
A. You should architect for least cost.
B. You should architect your AWS usage to take advantage of Amazon Simple Storage Service’s (Amazon S3) durability.
C. You should architect your AWS usage to take advantage of multiple regions and Availability Zones.
D. You should architect with Amazon Elastic Compute Cloud (Amazon EC2) Auto Scaling to ensure capacity is available when needed.
11. Which security scheme is used by the AWS Multi-Factor Authentication (AWS MFA) token?
A. Time-Based One-Time Password (TOTP)
B. Perfect Forward Secrecy (PFC)
C. Ephemeral Diffie-Hellman (EDH)
D. Split-Key Encryption (SKE)
12. DynamoDB tables may contain sensitive data that needs to be protected. Which of the following is a way for you to protect DynamoDB table content? (Choose 2 answers)
A. DynamoDB encrypts all data server-side by default so nothing is required.
B. DynamoDB can store data encrypted with a client-side encryption library solution before storing the data in DynamoDB.
C. DynamoDB obfuscates all data stored so encryption is not required.
D. DynamoDB can be used with the AWS Key Management Service to encrypt the data before storing the data in DynamoDB.
E. DynamoDB should not be used to store sensitive information requiring protection.
13. You have launched an Amazon Linux Elastic Compute Cloud (Amazon EC2) instance into EC2-Classic, and the instance has successfully passed the System Status Check and Instance Status Check. You attempt to securely connect to the instance via Secure Shell (SSH) and receive the response, “WARNING: UNPROTECTED PRIVATE KEY FILE,” after which the login fails. Which of the following is the cause of the failed login?
A. You are using the wrong private key.
B. The permissions for the private key are too insecure for the key to be trusted.
C. A security group rule is blocking the connection.
D. A security group rule has not been associated with the private key.
14. Which of the following public identity providers are supported by Amazon Cognito Identity?
A. Amazon
B. Google
C. Facebook
D. All of the above
15. Which feature of AWS is designed to permit calls to the platform from an Amazon Elastic Compute Cloud (Amazon EC2) instance without needing access keys placed on the instance?
A. AWS Identity and Access Management (IAM) instance profile
B. IAM groups
C. IAM roles
D. Amazon EC2 key pairs
16. Which of the following Amazon Virtual Private Cloud (Amazon VPC) elements acts as a stateless firewall?
A. Security group
B. Network Access Control List (ACL)
C. Network Address Translation (NAT) instance
D. An Amazon VPC endpoint
17. Which of the following is the most recent version of the AWS digital signature calculation process?
A. Signature Version 1
B. Signature Version 2
C. Signature Version 3
D. Signature Version 4
18. Which of the following is the name of the feature within Amazon Virtual Private Cloud (Amazon VPC) that allows you to launch Amazon Elastic Compute Cloud (Amazon EC2) instances on hardware dedicated to a single customer?
A. Amazon VPC-based tenancy
B. Dedicated tenancy
C. Default tenancy
D. Host-based tenancy
19. Which of the following describes how Amazon Elastic MapReduce (Amazon EMR) protects access to the cluster?
A. The master node and the slave nodes are launched into an Amazon Virtual Private Cloud (Amazon VPC).
B. The master node supports a Virtual Private Network (VPN) connection from the key specified at cluster launch.
C. The master node is launched into a security group that allows Secure Shell (SSH) and service access, while the slave nodes are launched into a separate security group that only permits communication with the master node.
D. The master node and slave nodes are launched into a security group that allows SSH and service access.
20. To help prevent data loss due to the failure of any single hardware component, Amazon Elastic Block Storage (Amazon EBS) automatically replicates EBS volume data to which of the following?
A. Amazon EBS replicates EBS volume data within the same Availability Zone in a region.
B. Amazon EBS replicates EBS volume data across other Availability Zones within the same region.
C. Amazon EBS replicates EBS volume data across Availability Zones in the same region and in Availability Zones in one other region.
D. Amazon EBS replicates EBS volume data across Availability Zones in the same region and in Availability Zones in every other region.
Chapter 13
AWS Risk and Compliance
THE AWS CERTIFIED SOLUTIONS ARCHITECT ASSOCIATE EXAM OBJECTIVES COVERED IN THIS CHAPTER MAY INCLUDE, BUT ARE NOT LIMITED TO, THE FOLLOWING:
Domain 2.0: Implementation/Deployment
2.1 Identify the appropriate techniques and methods using Amazon EC2, Amazon Simple Storage Service (Amazon S3), AWS Elastic Beanstalk, AWS CloudFormation, AWS OpsWorks, Amazon Virtual Private Cloud (Amazon VPC), and AWS Identity and Access Management (IAM) to code and implement a cloud solution.
Content may include the following:
Configure services to support compliance requirements in the cloud
Domain 3.0: Data Security
3.1 Recognize and implement secure practices for optimum cloud deployment and maintenance.
Content may include the following:
Shared security responsibility model
Security Architecture with AWS
AWS platform compliance
AWS security attributes
Design patterns
Introduction
AWS and its customers share control over the IT environment, so both parties have responsibility for managing that environment. AWS’s part in this shared responsibility includes providing its services on a highly secure and controlled platform and providing a wide array of security features customers can use.
The customer is responsible for configuring their IT environment in a secure and controlled manner for their purposes. While customers don’t communicate their use and configurations to AWS, AWS does communicate with customers regarding its security and control environment, as relevant. AWS disseminates this information using three primary mechanisms. First, AWS works diligently to obtain industry certifications and independent third-party attestations. Second, AWS openly publishes information about its security and control practices in whitepapers and website content. Finally, AWS provides certificates, reports, and other documentation directly to its customers under Non-Disclosure Agreements (NDAs) as required.
Overview of Compliance in AWS
When customers move their production workloads to the AWS cloud, both parties become responsible for managing the IT environment. The customers are responsible for setting up their environment in a secure and controlled manner. The customers also need to maintain adequate governance over their entire IT control environment. This section describes the AWS shared responsibility model and gives advice for how to establish strong compliance.
Shared Responsibility Model
As mentioned in Chapter 12, “Security on AWS,” as customers migrate their IT environments to AWS, they create a model of shared responsibility between themselves and AWS. This shared responsibility model can help lessen a customer’s IT operational burden, as it is AWS’s responsibility to manage the components from the host operating system and virtualization layer down to the physical security of the data centers in which these services operate. The customer is responsible for the components from the guest operating system upward (including updates, security patches, and antivirus software). The customer is also responsible for any other application software, as well as the configuration of security groups, Virtual Private Clouds (VPCs), and so on.
While AWS manages the security of the cloud, security in the cloud is the responsibility of the customer. Customers retain control of what security they choose to implement to protect their own content, platform, applications, systems, and networks, no differently than they would for applications in an on-site data center. Figure 13.1 illustrates the demarcation between customer and AWS responsibilities.
FIGURE 13.1 Shared responsibility model
Customers need to be aware of any applicable laws and regulations with which they have to comply, and then they must consider whether the services that they consume on AWS are compliant with these laws. In some cases, it may be necessary to enhance an existing platform on AWS with additional security measures (such as deploying a web application firewall, Intrusion Detection System [IDS], or Intrusion Prevention System [IPS], or using some form of encryption for data at rest).
This customer/AWS shared responsibility model is not just limited to security considerations, but it also extends to IT controls. For example, the management, operation, and verification of IT controls are shared between AWS and the customer. Before moving to the AWS Cloud, customers were responsible for managing all of the IT controls in their environments. AWS manages the controls for the physical infrastructure, thereby taking the undifferentiated heavy lifting from customers, allowing them to focus on managing the relevant IT controls. Because every customer is deployed differently in AWS, customers can shift management of certain IT controls to AWS. This change in management of IT controls results in a new, distributed control environment. Customers can then use the AWS control and compliance documentation available to them to perform their control evaluation and verification procedures as required.
Strong Compliance Governance
It is still the customers’ responsibility to maintain adequate governance over the entire IT control environment, regardless of how their IT is deployed (whether it is on-premises, on the cloud, or part of a hybrid environment). By deploying to the AWS Cloud, customers have options to apply different types of controls and various verification methods.
To achieve strong compliance and governance, customers may want to follow this basic methodology:
1. Take a holistic approach. Review the information available from AWS together with all other information to understand as much of the IT environment as they can. After this is complete, document all compliance requirements.
2. Design and implement control objectives to meet the organization’s compliance requirements.
3. Identify and document controls owned by all third parties.
4. Verify that all control objectives are met and all key controls are designed and operating effectively.
By using this basic methodology, customers can gain a better understanding of their control environment. Ultimately, this will streamline the process and help separate any verification activities that need to be performed.
Evaluating and Integrating AWS Controls
AWS provides customers with a wide range of information regarding its IT control environment through whitepapers, reports, certifications, and other third-party attestations. This documentation assists customers in understanding the controls in place relevant to the AWS Cloud services they use and how those controls have been validated. This information also assists customers in their efforts to account for and validate that controls in their extended IT environment are operating effectively.
Traditionally, the design and operating effectiveness of controls and control objectives are validated by internal and/or external auditors via process walkthroughs and evidence evaluation. Direct observation and verification, by the customer or customer’s external auditor, is generally performed to validate controls. In the case where service providers such as AWS are used, companies request and evaluate third-party attestations and certifications in order to gain reasonable assurance of the design and operating effectiveness of controls and control objectives. As a result, although a customer’s key controls may be managed by AWS, the control environment can still be a unified framework in which all controls are accounted for and are verified as operating effectively. AWS third-party attestations and certifications not only provide a higher level of validation of the control environment, but may also relieve customers of the requirement to perform certain validation work themselves.
AWS IT Control Information
AWS provides IT control information to customers in the following two ways.
Specific Control Definition
AWS customers can identify key controls managed by AWS. Key controls are critical to the customer’s control environment and require an external attestation of the operating effectiveness of these key controls in order to meet compliance requirements (for example, an annual financial audit). For this purpose, AWS publishes a wide range of specific IT controls in its Service Organization Controls 1 (SOC 1) Type II report. The SOC 1 Type II report, formerly the Statement on Auditing Standards (SAS) No. 70, is a widely recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA). The SOC 1 audit is an in-depth audit of both the design and operating effectiveness of AWS defined control objectives and control activities (which include control objectives and control activities over the part of the infrastructure that AWS manages). “Type II” refers to the fact that each of the controls described in the report are not only evaluated for adequacy of design, but are also tested for operating effectiveness by the external auditor. Because of the independence and competence of AWS external auditor, controls identified in the report should provide customers with a high level of confidence in AWS control environment.
AWS controls can be considered effectively designed and operating for many compliance purposes, including Sarbanes-Oxley (SOX) Section 404 financial statement audits. Leveraging SOC 1 Type II reports is also generally permitted by other external certifying bodies. For example, International Organization for Standardization (ISO) 27001 auditors may request a SOC 1 Type II report in order to complete their evaluations for customers.
General Control Standard Compliance
If an AWS customer requires a broad set of control objectives to be met, evaluation of AWS industry certifications may be performed. With the ISO 27001 certification, AWS complies with a broad, comprehensive security standard and follows best practices in maintaining a secure environment. With the Payment Card Industry (PCI) Data Security Standard (DSS) certification, AWS complies with a set of controls important to companies that handle credit card information. AWS compliance with Federal Information Security Management Act (FISMA) standards means that AWS complies with a wide range of specific controls required by U.S. government agencies. AWS compliance with these general standards provides customers with in-depth information on the comprehensive nature of the controls and security processes in place in the AWS Cloud.
AWS Global Regions
The AWS Cloud infrastructure is built around regions and Availability Zones. A region is a physical location in the world where we have multiple Availability Zones. Availability Zones consist of one or more discrete data centers, each with redundant power, networking, and connectivity, housed in separate facilities. These Availability Zones offer customers the ability to operate production applications and databases that are more highly available, fault tolerant, and scalable than would be possible using a single data center.
As of this writing, the AWS Cloud operates 33 Availability Zones within 12 geographic regions around the world. The 12 regions are US East (Northern Virginia), US West (Oregon), US West (Northern California), AWS GovCloud (US) (Oregon), EU (Frankfurt), EU (Ireland), Asia Pacific (Singapore), Asia Pacific (Tokyo), Asia Pacific (Sydney), Asia Pacific (Seoul), China (Beijing), and South America (Sao Paulo).
AWS Risk and Compliance Program
AWS Risk and Compliance is designed to build on traditional programs and help customers establish and operate in an AWS security control environment. AWS provides detailed information about its risk and compliance program to enable customers to incorporate AWS controls into their governance frameworks. This information can assist customers in documenting complete control and governance frameworks in which AWS is included as an important part.
The three core areas of the risk and compliance program—risk management, control environment, and information security—are described next.
Risk Management
AWS has developed a strategic business plan that includes risk identification and the implementation of controls to mitigate or manage risks. An AWS management team reevaluates the business risk plan at least twice a year. As a part of this process, management team members are required to identify risks within their specific areas of responsibility and implement controls designed to address and perhaps even eliminate those risks.
The AWS control environment is subject to additional internal and external risk assessments. The AWS compliance and security teams have established an information security framework and policies based on the Control Objectives for Information and Related Technology (COBIT) framework, and they have effectively integrated the ISO 27001 certifiable framework based on ISO 27002 controls, AICPA Trust Services Principles, PCI DSS v3.1, and the National Institute of Standards and Technology (NIST) Publication 800-53, Revision 3, Recommended Security Controls for Federal Information Systems. AWS maintains the security policy and provides security training to its employees. Additionally, AWS performs regular application security reviews to assess the confidentiality, integrity, and availability of data, and conformance to the information security policy.
The AWS security team regularly scans any public-facing endpoint IP addresses for vulnerabilities. It is important to understand that these scans do not include customer instances. AWS security notifies the appropriate parties to remediate any identified vulnerabilities. In addition, independent security firms regularly perform external vulnerability threat assessments. Findings and recommendations resulting from these assessments are categorized and delivered to AWS leadership. These scans are done in a manner for the health and viability of the underlying AWS infrastructure and are not meant to replace the customer’s own vulnerability scans that are required to meet their specific compliance requirements.
As mentioned in Chapter 12, customers can request permission to conduct their own vulnerability scans on their own environments. These vulnerability scans must not violate the AWS acceptable use policy, and they must be requested in advance of the scan.
Control Environment
AWS manages a comprehensive control environment that consists of policies, processes, and control activities. This control environment is in place for the secure delivery of AWS service offerings. The collective control environment includes people, processes, and technology necessary to establish and maintain an environment that supports the operating effectiveness of AWS control framework. AWS has integrated applicable, cloud-specific controls identified by leading cloud computing industry bodies into the AWS control framework. AWS continues to monitor these industry groups for ideas on which leading practices can be implemented to better assist customers with managing their control environments.
The control environment at AWS begins at the highest level of the company. Executive and senior leadership play important roles in establishing the company’s tone and core values. Every employee is provided with the company’s code of business conduct and ethics and completes periodic training. Compliance audits are performed so that employees understand and follow the established policies.
The AWS organizational structure provides a framework for planning, executing, and controlling business operations. The organizational structure assigns roles and responsibilities to provide for adequate staffing, efficiency of operations, and the segregation of duties. Management has also established authority and appropriate lines of reporting for key personnel. Included as part of the company’s hiring verification processes are education, previous employment, and, in some cases, background checks as permitted by law for employees commensurate with the employee’s position and level of access to AWS facilities. The company follows a structured onboarding process to familiarize new employees with Amazon tools, processes, systems, policies, and procedures.
Information Security
AWS uses a formal information security program that is designed to protect the confidentiality, integrity, and availability of customers’ systems and data. AWS publishes several security whitepapers that are available on the main AWS website. These whitepapers are recommended reading prior to taking the AWS Solutions Architect Associate exam.
AWS Reports, Certifications, and Third-Party Attestations
AWS engages with external certifying bodies and independent auditors to provide customers with considerable information regarding the policies, processes, and controls established and operated by AWS. A high-level description of the various AWS reports, certifications, and attestations is provided here.
Criminal Justice Information Services (CJIS)—AWS complies with the Federal Bureau of Investigation’s (FBI) CJIS standard. AWS signs CJIS security agreements with AWS customers, which include allowing or performing any required employee background checks according to the CJIS security policy.
Cloud Security Alliance (CSA)—In 2011, the CSA launched the Security, Trust, & Assurance Registry (STAR), an initiative to encourage transparency of security practices within cloud providers. CSA STAR is a free, publicly accessible registry that documents the security controls provided by various cloud computing offerings, thereby helping users assess the security of cloud providers they currently use or with whom they are considering contracting. AWS is a CSA STAR registrant and has completed the CSA Consensus Assessments Initiative Questionnaire (CAIQ).
Cyber Essentials Plus—Cyber Essentials Plus is a UK government-backed, industry-supported certification scheme introduced in the UK to help organizations demonstrate operational security against common cyber-attacks. It demonstrates the baseline controls that AWS implements to mitigate the risk from common Internet-based threats within the context of the UK government’s “10 Steps to Cyber Security.” It is backed by industry, including the Federation of Small Businesses, the Confederation of British Industry, and a number of insurance organizations that offer incentives for businesses holding this certification.
Department of Defense (DoD) Cloud Security Model (SRG)—The DoD SRG provides a formalized assessment and authorization process for Cloud Service Providers (CSPs) to gain a DoD provisional authorization, which can subsequently be leveraged by DoD customers. A provisional authorization under the SRG provides a reusable certification that attests to AWS compliance with DoD standards, reducing the time necessary for a DoD mission owner to assess and authorize one of their systems for operation on AWS. As of this writing, AWS holds provisional authorizations at Levels 2 (all AWS US-based regions) and 4 (AWS GovCloud [US]) of the SRG.
Federal Risk and Authorization Management Program (FedRAMP)—AWS is a FedRAMP-compliant CSP. AWS has completed the testing performed by a FedRAMP-accredited third-party assessment organization (3PAO) and has been granted two Agency Authority to Operate (ATOs) by the U.S. Department of Health and Human Services (HHS) after demonstrating compliance with FedRAMP requirements at the moderate impact level.
Family Educational Rights and Privacy Act (FERPA)—FERPA (20 U.S.C. § 1232g; 34 CFR Part 99) is a federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. FERPA gives parents certain rights with respect to their children’s education records. These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level. Students to whom the rights have transferred are “eligible students.” AWS enables covered entities and their business associates subject to FERPA to leverage the secure AWS environment to process, maintain, and store protected education information.
Federal Information Processing Standard (FIPS) 140-2—FIPS Publication 140-2 is a US government security standard that specifies the security requirements for cryptographic modules protecting sensitive information. To support customers with FIPS 140-2 requirements, Secure Sockets Layer (SSL) terminations in AWS GovCloud (US) operate using FIPS 140-2-validated hardware. AWS works with AWS GovCloud (US) customers to provide the information they need to help manage compliance when using the AWS GovCloud (US) environment.
FISMA and DoD Information Assurance Certification and Accreditation Process (DIACAP)—AWS enables U.S. government agencies to achieve and sustain compliance with FISMA. The AWS infrastructure has been evaluated by independent assessors for a variety of government systems as part of their system owners’ approval process. Numerous federal civilian and DoD organizations have successfully achieved security authorizations for systems hosted on AWS in accordance with the Risk Management Framework (RMF) process defined in NIST 800-37 and DIACAP.
Health Insurance Portability and Accountability Act (HIPAA)—AWS enables covered entities and their business associates subject to HIPAA to leverage the secure AWS environment to process, maintain, and store protected health information. AWS signs business associate agreements with such customers.
Information Security Registered Assessors Program (IRAP)—IRAP enables Australian government customers to validate that appropriate controls are in place and determine the appropriate responsibility model for addressing the needs of the Australian Signals Directorate (ASD) Information Security Manual (ISM). AWS has completed an independent assessment that has determined that all applicable ISM controls are in place relating to the processing, storage, and transmission of Unclassified Dissemination Limiting Marker (DLM) workloads for the Asia Pacific (Sydney) region.
ISO 9001—AWS has achieved ISO 9001 certification. AWS ISO 9001 certification directly supports customers who develop, migrate, and operate their quality-controlled IT systems in the AWS Cloud. Customers can leverage AWS compliance reports as evidence for their own ISO 9001 programs and industry-specific quality programs, such as Good Laboratory, Clinical, or Manufacturing Practices (GxP) in life sciences, ISO 13485 in medical devices, AS 9100 in aerospace, and ISO Technical Specification (ISO/TS) 16949 in the automotive industry. AWS customers who don’t have quality system requirements can still benefit from the additional assurance and transparency that an ISO 9001 certification provides.
ISO 27001—AWS has achieved ISO 27001 certification of the Information Security Management System (ISMS) covering AWS infrastructure, data centers, and services that are detailed in the AWS Risk and Compliance whitepaper, available on the AWS website.
ISO 27017—ISO 27017 is the newest code of practice released by ISO. It provides implementation guidance on information security controls that specifically relate to cloud services. AWS has achieved ISO 27017 certification of the ISMS covering AWS infrastructure, data centers, and services that are detailed in the AWS Risk and Compliance whitepaper, available on the AWS website.
ISO 27018—This is the first international code of practice that focuses on protection of personal data in the cloud. It is based on ISO information security standard 27002, and it provides implementation guidance on ISO 27002 controls applicable to public cloud-related Personally Identifiable Information (PII). It also provides a set of controls and associated guidance intended to address public cloud PII protection requirements not addressed by the existing ISO 27002 control set. AWS has achieved ISO 27018 certification of the AWS ISMS covering AWS infrastructure, data centers, and services that are detailed in the AWS Risk and Compliance whitepaper, available on the AWS website.
U.S. International Traffic in Arms Regulations (ITAR)—The AWS GovCloud (US) region supports ITAR compliance. As a part of managing a comprehensive ITAR compliance program, companies subject to ITAR export regulations must control unintended exports by restricting access to protected data to U.S. persons and restricting physical location of that data to the U.S. AWS GovCloud (US) provides an environment physically located in the United States where access by AWS personnel is limited to U.S. persons, thereby allowing qualified companies to transmit, process, and store protected articles and data subject to ITAR restrictions. The AWS GovCloud (US) environment has been audited by an independent third party to validate that the proper controls are in place to support customer export compliance programs for this requirement.
Motion Picture Association of America (MPAA)—MPAA has established a set of best practices for securely storing, processing, and delivering protected media and content. Media companies use these best practices as a way to assess risk and security of their content and infrastructure. AWS has demonstrated alignment with the MPAA best practices, and the AWS infrastructure is compliant with all applicable MPAA infrastructure controls. While MPAA does not offer a certification, media industry customers can use the AWS MPAA documentation to augment their risk assessment and evaluation of MPAA-type content on AWS.
Multi-Tier Cloud Security (MTCS) Tier 3 Certification—MTCS is an operational Singapore security management standard (SPRING SS 584:2013) based on the ISO 27001/02 ISMS standards.
NIST—In June 2015, NIST released guideline 800-171, Final Guidelines for Protecting Sensitive Government Information Held by Contractors. This guidance is applicable to the protection of Controlled Unclassified Information (CUI) on non-federal systems. AWS is already compliant with these guidelines, and customers can effectively comply with NIST 800-171 immediately. NIST 800-171 outlines a subset of the NIST 800-53 requirements, a guideline under which AWS has already been audited under the FedRAMP program. The FedRAMP moderate security control baseline is more rigorous than the recommended requirements established in NIST 800-171, and it includes a significant number of security controls above and beyond those required of FISMA moderate systems that protect CUI data.
PCI DSS Level 1—AWS is Level 1-compliant under PCI DSS. Customers can run applications on the AWS PCI-compliant technology infrastructure for storing, processing, and transmitting credit card information in the cloud. In February 2013, the PCI Security Standards Council released the PCI DSS cloud computing guidelines. These guidelines provide customers who are managing a cardholder data environment with considerations for maintaining PCI DSS controls in the cloud. AWS has incorporated the PCI DSS cloud computing guidelines into the AWS PCI compliance package for customers.
SOC 1/International Standards for Assurance Engagements No. 3402 (ISAE 3402)—AWS publishes a SOC 1, Type II report. The audit for this report is conducted in accordance with AICPA: AT 801 (formerly Statement on Standards for Attestation Engagements No. 16 [SSAE 16]) and ISAE 3402. This dual-standard report is intended to meet a broad range of financial auditing requirements for U.S. and international auditing bodies. The SOC 1 report audit attests that AWS control objectives are appropriately designed and that the individual controls defined to safeguard customer data are operating effectively. This report is the replacement of the SAS 70, Type II audit report.
SOC 2—In addition to the SOC 1 report, AWS publishes a SOC 2, Type II report. Similar to SOC 1 in the evaluation of controls, the SOC 2 report is an attestation report that expands the evaluation of controls to the criteria set forth by AICPA trust services principles. These principles define leading practice controls relevant to security, availability, processing integrity, confidentiality, and privacy applicable to service organizations such as AWS. The AWS SOC 2 is an evaluation of the design and operating effectiveness of AWS controls that meet the criteria for the security and availability principles set forth in the AICPA trust services principles criteria. The report provides additional transparency into AWS security and availability based on a predefined industry standard of leading practices and further demonstrates AWS commitment to protecting customer data. The SOC 2 report scope covers the same services covered in the SOC 1 report.
SOC 3—AWS publishes a SOC 3 report. The SOC 3 report is a publicly available summary of the AWS SOC 2 report. The report includes the external auditor’s opinion of the operation of controls (based on the AICPA security trust principles included in the SOC 2 report), the assertion from AWS management regarding the effectiveness of controls, and an overview of AWS infrastructure and services. The AWS SOC 3 report includes all AWS data centers worldwide that support in-scope services. This is a great resource for customers to validate that AWS has obtained external auditor assurance without going through the process of requesting a SOC 2 report. The SOC 3 report covers the same services covered in the SOC 1 report.
Summary
AWS communicates with customers regarding its security and control environment through the following mechanisms:
Obtaining industry certifications and independent third-party attestations
Publishing information about security and AWS control practices via the website, whitepapers, and blogs
Directly providing customers with certificates, reports, and other documentation (under NDA in some cases)
The shared responsibility model is not just limited to security considerations; it also extends to IT controls. The management, operation, and verification of IT controls are shared between AWS and the customer. AWS manages these controls where it relates to the physical infrastructure, and the customer manages these controls for the guest operating systems and upward (depending on the service).
It is the customer’s responsibility to maintain adequate governance over the entire IT control environment, regardless of how their IT is deployed (on-premises, cloud, or hybrid). By deploying to the AWS Cloud, customers have different options for applying different types of controls and various verification methods that align with their business requirements.
The control environment for AWS contains a large volume of information. This information is provided to customers through whitepapers, reports, certifications, and other third-party attestations. AWS provides IT control information to customers in two ways: specific control definition and general control standard compliance.
AWS provides documentation about its risk and compliance program. This documentation can enable customers to include AWS controls in their governance frameworks. The three core areas of the risk and compliance program are risk management, control environment, and information security.
AWS has achieved a number of internationally recognized certifications and accreditations that demonstrate AWS compliance with third-party assurance frameworks, including:
FedRAMP
FIPS 140-2
FISMA and DIACAP
HIPAA
ISO 9001
ISO 27001
ITAR
PCI DSS Level 1
SOC 1/ISAE 3402
SOC 2
SOC 3
AWS is constantly listening to customers and examining other certifications for the future.
Exam Essentials
Understand the shared responsibility model. The shared responsibility model is not just limited to security considerations; it also extends to IT controls. For example, the management, operation, and verification of IT controls are shared between AWS and the customer. AWS manages these controls where it relates to physical infrastructure.
Remember that IT governance is the customer’s responsibility. It is the customer’s responsibility to maintain adequate governance over the entire IT control environment, regardless of how its IT is deployed (on-premises, cloud, or hybrid).
Understand how AWS provides control information. AWS provides IT control information to customers in two ways: via specific control definition and through a more general control standard compliance.
Remember that AWS is very proactive about risk management. AWS takes risk management very seriously, so it has developed a business plan to identify any risks and to implement controls to mitigate or manage those risks. An AWS management team reevaluates the business risk plan at least twice a year. As a part of this process, management team members are required to identify risks within their specific areas of responsibility and then implement controls designed to address and perhaps even eliminate those risks.
Remember that the control environment is not just about technology. The AWS control environment consists of policies, processes, and control activities. This control environment includes people, processes, and technology.
Remember the key reports, certifications, and third-party attestations. The key reports, certifications, and third-party attestations include, but are not limited to, the following:
FedRAMP
FIPS 140-2
FISMA and DIACAP
HIPAA
ISO 9001
ISO 27001
ITAR
PCI DSS Level 1
SOC 1/ISAE 3402
SOC 2
SOC 3
Review Questions
1. AWS communicates with customers regarding its security and control environment through a variety of different mechanisms. Which of the following are valid mechanisms? (Choose 3 answers)
A. Obtaining industry certifications and independent third-party attestations
B. Publishing information about security and AWS control practices via the website, whitepapers, and blogs
C. Directly providing customers with certificates, reports, and other documentation (under NDA in some cases)
D. Allowing customers’ auditors direct access to AWS data centers, infrastructure, and senior staff
2. Which of the following statements is true when it comes to the AWS shared responsibility model?
A. The shared responsibility model is limited to security considerations only; it does not extend to IT controls.
B. The shared responsibility model is only applicable for customers who want to be compliant with SOC 1 Type II.
C. The shared responsibility model is not just limited to security considerations; it also extends to IT controls.
D. The shared responsibility model is only applicable for customers who want to be compliant with ISO 27001.
3. AWS provides IT control information to customers in which of the following ways?
A. By using specific control definitions or through general control standard compliance
B. By using specific control definitions or through SAS 70
C. By using general control standard compliance and by complying with ISO 27001
D. By complying with ISO 27001 and SOC 1 Type II
4. Which of the following is a valid report, certification, or third-party attestation for AWS? (Choose 3 answers)
A. SOC 1
B. PCI DSS Level 1
C. SOC 4
D. ISO 27001
5. Which of the following statements is true?
A. IT governance is still the customer’s responsibility, despite deploying their IT estate onto the AWS platform.
B. The AWS platform is PCI DSS-compliant to Level 1. Customers can deploy their web applications to this platform, and they will be PCI DSS-compliant automatically.
C. The shared responsibility model applies to IT security only; it does not relate to governance.
D. AWS doesn’t take risk management very seriously, and it’s up to the customer to mitigate risks to the AWS infrastructure.
6. Which of the following statements is true when it comes to the risk and compliance advantages of the AWS environment?
A. Workloads must be moved entirely into the AWS Cloud in order to be compliant with various certifications and third-party attestations.
B. The critical components of a workload must be moved entirely into the AWS Cloud in order to be compliant with various certifications and third-party attestations, but the non-critical components do not.
C. The non-critical components of a workload must be moved entirely into the AWS Cloud in order to be compliant with various certifications and third-party attestations, but the critical components do not.
D. Few, many, or all components of a workload can be moved to the AWS Cloud, but it is the customer’s responsibility to ensure that their entire workload remains compliant with various certifications and third-party attestations.
7. Which of the following statements best describes an Availability Zone?
A. Each Availability Zone consists of a single discrete data center with redundant power and networking/connectivity.
B. Each Availability Zone consists of multiple discrete data centers with redundant power and networking/connectivity.
C. Each Availability Zone consists of multiple discrete regions, each with a single data center with redundant power and networking/connectivity.
D. Each Availability Zone consists of multiple discrete data centers with shared power and redundant networking/connectivity.
8. With regard to vulnerability scans and threat assessments of the AWS platform, which of the following statements are true? (Choose 2 answers)
A. AWS regularly performs scans of public-facing endpoint IP addresses for vulnerabilities.
B. Scans performed by AWS include customer instances.
C. AWS security notifies the appropriate parties to remediate any identified vulnerabilities.
D. Customers can perform their own scans at any time without advance notice.
9. Which of the following best describes the risk and compliance communication responsibilities of customers to AWS?
A. AWSandcustomersbothcommunicatetheirsecurityandcontrolenvironment
![Page 449: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us](https://reader034.fdocuments.in/reader034/viewer/2022051903/5ff3f0af59eac925a1655b52/html5/thumbnails/449.jpg)
informationtoeachotheratalltimes.
B. AWSpublishesinformationabouttheAWSsecurityandcontrolpracticesonline,anddirectlytocustomersunderNDA.CustomersdonotneedtocommunicatetheiruseandconfigurationstoAWS.
C. CustomerscommunicatetheiruseandconfigurationstoAWSatalltimes.AWSdoesnotcommunicateAWSsecurityandcontrolpracticestocustomersforsecurityreasons.
D. BothcustomersandAWSkeeptheirsecurityandcontrolpracticesentirelyconfidentialanddonotsharetheminordertoensurethegreatestsecurityforallparties.
10. Whenitcomestoriskmanagement,whichofthefollowingistrue?
A. AWSdoesnotdevelopastrategicbusinessplan;riskmanagementandmitigationisentirelytheresponsibilityofthecustomer.
B. AWShasdevelopedastrategicbusinessplantoidentifyanyrisksandimplementedcontrolstomitigateormanagethoserisks.Customersdonotneedtodevelopandmaintaintheirownriskmanagementplans.
C. AWShasdevelopedastrategicbusinessplantoidentifyanyrisksandhasimplementedcontrolstomitigateormanagethoserisks.Customersshouldalsodevelopandmaintaintheirownriskmanagementplanstoensuretheyarecompliantwithanyrelevantcontrolsandcertifications.
D. NeitherAWSnorthecustomerneedstoworryaboutriskmanagement,sonoplanisneededfromeitherparty.
11. TheAWScontrolenvironmentisinplaceforthesecuredeliveryofAWSCloudserviceofferings.WhichofthefollowingdoesthecollectivecontrolenvironmentNOTexplicitlyinclude?
A. People
B. Energy
C. Technology
D. Processes
12. WhoisresponsiblefortheconfigurationofsecuritygroupsinanAWSenvironment?
A. ThecustomerandAWSarebothjointlyresponsibleforensuringthatsecuritygroupsarecorrectlyandsecurelyconfigured.
B. AWSisresponsibleforensuringthatallsecuritygroupsarecorrectlyandsecurelyconfigured.Customersdonotneedtoworryaboutsecuritygroupconfiguration.
C. NeitherAWSnorthecustomerisresponsiblefortheconfigurationofsecuritygroups;securitygroupsareintelligentlyandautomaticallyconfiguredusingtrafficheuristics.
D. AWSprovidesthesecuritygroupfunctionalityasaservice,butthecustomerisresponsibleforcorrectlyandsecurelyconfiguringtheirownsecuritygroups.
![Page 450: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us](https://reader034.fdocuments.in/reader034/viewer/2022051903/5ff3f0af59eac925a1655b52/html5/thumbnails/450.jpg)
13. WhichofthefollowingisNOTarecommendedapproachforcustomerstryingtoachievestrongcomplianceandgovernanceoveranentireITcontrolenvironment?
A. Takeaholisticapproach:reviewinformationavailablefromAWStogetherwithallotherinformation,anddocumentallcompliancerequirements.
B. Verifythatallcontrolobjectivesaremetandallkeycontrolsaredesignedandoperatingeffectively.
C. Implementgenericcontrolobjectivesthatarenotspecificallydesignedtomeettheirorganization’scompliancerequirements.
D. Identifyanddocumentcontrolsownedbyallthirdparties.
Chapter 14 Architecture Best Practices
THE AWS CERTIFIED SOLUTIONS ARCHITECT ASSOCIATE EXAM OBJECTIVES COVERED IN THIS CHAPTER MAY INCLUDE, BUT ARE NOT LIMITED TO, THE FOLLOWING:
Domain 1.0: Designing highly available, cost-efficient, fault-tolerant, and scalable systems
1.1 Identify and recognize cloud architecture considerations, such as fundamental components and effective designs.
Content may include the following:
How to design cloud services
Planning and design
Familiarity with:
Best practices for AWS architecture
Hybrid IT architectures (e.g., AWS Direct Connect, AWS Storage Gateway, Amazon Virtual Private Cloud [Amazon VPC], AWS Directory Service)
Elasticity and scalability (e.g., Auto Scaling, Amazon Simple Queue Service [Amazon SQS], Elastic Load Balancing, Amazon CloudFront)
Introduction
For several years, software architects have created and implemented patterns and best practices to build highly scalable applications. Whether migrating existing applications to the cloud or building new applications on the cloud, these concepts are even more important because of ever-growing datasets, unpredictable traffic patterns, and the demand for faster response times.
Migrating applications to AWS, even without significant changes, provides organizations with the benefits of a secured and cost-efficient infrastructure. To make the most of the elasticity and agility possible with cloud computing, however, Solutions Architects need to evolve their architectures to take full advantage of AWS capabilities.
For new applications, AWS customers have been discovering cloud-specific IT architecture patterns that drive even more efficiency and scalability for their solutions. Those new architectures can support anything from real-time analytics of Internet-scale data to applications with unpredictable traffic from thousands of connected Internet of Things (IoT) or mobile devices. This leaves endless possibilities for applications architected using AWS best practices.
This chapter highlights the tenets of architecture best practices to consider whether you are migrating existing applications to AWS or designing new applications for the cloud. These tenets include:
Design for failure and nothing will fail.
Implement elasticity.
Leverage different storage options.
Build security in every layer.
Think parallel.
Loose coupling sets you free.
Don’t fear constraints.
Understanding the services covered in this book in the context of these practices is key to succeeding on the exam.
DesignforFailureandNothingFailsThefirstarchitecturebestpracticeforAWSisthefundamentalprincipleofdesigningforfailure.
Everythingfails,allthetime
—WernerVogels,CTO,AWS
Typically,productionsystemscomewithdefinedorimplicitrequirementsintermsofuptime.Asystemishighlyavailablewhenitcanwithstandthefailureofanindividualormultiplecomponents.Ifyoudesignarchitecturesaroundtheassumptionthatanycomponentwilleventuallyfail,systemswon’tfailwhenanindividualcomponentdoes.Asanexample,onegoalwhendesigningforfailurewouldbetoensureanapplicationsurviveswhentheunderlyingphysicalhardwareforoneoftheserversfails.
Let’stakealookatthesimplewebapplicationillustratedinFigure14.1.Thisapplicationhassomefundamentaldesignissuesforprotectingagainstcomponentfailures.Tostart,thereisnoredundancyorfailover,whichresultsinsinglepointsoffailure.
FIGURE14.1Simplewebapplicationarchitecture
![Page 454: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us](https://reader034.fdocuments.in/reader034/viewer/2022051903/5ff3f0af59eac925a1655b52/html5/thumbnails/454.jpg)
Ifthesinglewebserverfails,thesystemfails.
Ifthesingledatabasefails,thesystemfails.
IftheAvailabilityZone(AZ)fails,thesystemfails.
Bottomline,therearetoomanyeggsinonebasket.
Nowlet’swalkthroughtransformingthissimpleapplicationintoamoreresilientarchitecture.Tobegin,wearegoingtoaddressthesinglepointsoffailureinthecurrentarchitecture.Singlepointsoffailurecanberemovedbyintroducingredundancy,whichishavingmultipleresourcesforthesametask.Redundancycanbeimplementedineitherstandbyoractivemode.
Instandbyredundancywhenaresourcefails,functionalityisrecoveredonasecondaryresourceusingaprocesscalledfailover.Thefailoverwilltypicallyrequiresometimebeforeitiscompleted,andduringthatperiodtheresourceremainsunavailable.Thesecondaryresourcecaneitherbelaunchedautomaticallyonlywhenneeded(toreducecost),oritcanbealreadyrunningidle(toacceleratefailoverandminimizedisruption).Standbyredundancyisoftenusedforstatefulcomponentssuchasrelationaldatabases.
Inactiveredundancy,requestsaredistributedtomultipleredundantcomputeresources,andwhenoneofthemfails,therestcansimplyabsorbalargershareoftheworkload.Comparedtostandbyredundancy,itcanachievebetterutilizationandaffectasmallerpopulationwhenthereisafailure.
Toaddresstheredundancyissues,wewilladdanotherwebinstanceandaddastandbyinstanceforAmazonRelationalDatabaseService(AmazonRDS)toprovidehighavailabilityandautomaticfailover.ThekeyisthatwearegoingtoaddthenewresourcesinanotherAZ.AnAZconsistsofoneormorediscretedatacenters.AZswithinaregionprovideinexpensive,low-latencynetworkconnectivitytootherAZsinthesameregion.Thisallowsourapplicationtoreplicatedataacrossdatacentersinasynchronousmannersothatfailovercanbeautomatedandbetransparentfortheusers.
Additionally,wearegoingtoimplementactiveredundancybyswappingouttheElasticIPAddress(EIP)onourwebinstancewithanElasticLoadBalancer(ELB).TheELBallowsinboundrequeststobedistributedbetweenthewebinstances.NotonlywilltheELBhelpwithdistributingloadbetweenmultipleinstances,itwillalsostopsendingtraffictotheaffectedwebnodeifaninstancefailsitshealthchecks.Figure14.2showstheupdatedarchitecturewithredundancyforthewebapplication.
![Page 455: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us](https://reader034.fdocuments.in/reader034/viewer/2022051903/5ff3f0af59eac925a1655b52/html5/thumbnails/455.jpg)
FIGURE14.2Updatedwebapplicationarchitecturewithredundancy
ThisMulti-AZarchitecturehelpstoensurethattheapplicationisisolatedfromfailuresinasingleAvailabilityZone.Infact,manyofthehigherlevelservicesonAWSareinherentlydesignedaccordingtotheMulti-AZprinciple.Forexample,AmazonSimpleStorageService(AmazonS3)andAmazonDynamoDBensurethatdataisredundantlystoredacrossmultiplefacilities.
Oneruleofthumbtokeepinmindwhendesigningarchitecturesinthecloudistobeapessimist;thatis,assumethingswillfail.Inotherwords,alwaysdesign,implement,anddeployforautomatedrecoveryfromfailure.
![Page 456: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us](https://reader034.fdocuments.in/reader034/viewer/2022051903/5ff3f0af59eac925a1655b52/html5/thumbnails/456.jpg)
Implement Elasticity
Elasticity is the ability of a system to grow to handle increased load, whether gradually over time or in response to a sudden change in business needs. To achieve elasticity, it is important that the system be built on a scalable architecture. Such architectures can support growth in users, traffic, or data size with no drop in performance. These architectures should provide scale in a linear manner, where adding extra resources results in at least a proportional increase in ability to serve additional system load. The growth in resources should introduce economies of scale, and cost should follow the same dimension that generates business value out of that system. While cloud computing provides virtually unlimited on-demand capacity, system architectures need to be able to take advantage of those resources seamlessly. There are generally two ways to scale an IT architecture: vertically and horizontally.
Scaling Vertically
Vertical scaling takes place through an increase in the specifications of an individual resource (for example, upgrading a server with a larger hard drive, more memory, or a faster CPU). On Amazon Elastic Compute Cloud (Amazon EC2), this can easily be achieved by stopping an instance and resizing it to an instance type that has more RAM, CPU, I/O, or networking capabilities. Vertical scaling will eventually hit a limit, and it is not always a cost-efficient or highly available approach. Even so, it is very easy to implement and can be sufficient for many use cases, especially in the short term.
Scaling Horizontally
Horizontal scaling takes place through an increase in the number of resources (for example, adding more hard drives to a storage array or adding more servers to support an application). This is a great way to build Internet-scale applications that leverage the elasticity of cloud computing. Not all architectures are designed to distribute their workload to multiple resources, and it is important to understand system characteristics that can affect a system’s ability to scale horizontally. One key characteristic is the impact of stateless and stateful architectures.
Stateless Applications
When users or services interact with an application, they will often perform a series of interactions that form a session. A stateless application needs no knowledge of the previous interactions and stores no session information. A stateless application can scale horizontally, because any request can be serviced by any of the available system compute resources. Because no session data needs to be shared between system resources, compute resources can be added as needed. When excess capacity is no longer required, any individual resource can be safely terminated. Those resources do not need to be aware of the presence of their peers; all that is required is a way to distribute the workload to them.
Let’s assume that the web application we used in the previous section is a stateless application with unpredictable demand. In order for our web instances to meet the peaks and valleys associated with our demand profile, we need to scale elastically. A great way to introduce elasticity and horizontal scaling is by leveraging Auto Scaling for web instances. An Auto Scaling group can automatically add Amazon EC2 instances to an application in response to heavy traffic and remove them when traffic slows. Figure 14.3 shows our web application architecture after the introduction of an Auto Scaling group.
FIGURE 14.3 Updated web application architecture with auto scaling
Stateless Components
In practice, most applications need to maintain some kind of state information. For example, web applications need to track whether a user is signed in, or else they might present personalized content based on previous actions. You can still make a portion of these architectures stateless by not storing state information locally on a horizontally-scaling resource, as those resources can appear and disappear as the system scales up and down.
For example, web applications can use HTTP cookies to store information about a session at the client’s browser (such as items in the shopping cart). The browser passes that information back to the server at each subsequent request so that the application does not need to store it. However, there are two drawbacks with this approach. First, the content of the HTTP cookies can be tampered with at the client side, so you should always treat them as untrusted data that needs to be validated. Second, HTTP cookies are transmitted with every request, which means that you should keep their size to a minimum to avoid unnecessary latency.
Consider only storing a unique session identifier in an HTTP cookie and storing more detailed user session information server-side. Most programming platforms provide a native session management mechanism that works this way; however, these management mechanisms often store the session information locally by default. This would result in a stateful architecture. A common solution to this problem is to store user session information in a database. Amazon DynamoDB is a great choice due to its scalability, high availability, and durability characteristics. For many platforms, there are open source, drop-in replacement libraries that allow you to store native sessions in Amazon DynamoDB.
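The cookie-as-session-ID pattern described above, as an added example that is not from the study guide: the cookie carries only an opaque, unguessable ID, the session data lives in a server-side store shared by every web instance, and the cookie value is treated as untrusted input (checked for shape, used only as a lookup key, never parsed). The in-memory `SessionStore` stands in for the DynamoDB table, and the cookie name `sid` is an assumption.

```python
import re
import secrets
import time

# secrets.token_urlsafe(32) yields 43 URL-safe characters; anything else is rejected.
SESSION_ID_RE = re.compile(r"^[A-Za-z0-9_-]{43}$")
SESSION_TTL = 30 * 60   # idle timeout, in seconds, for the server-side record
COOKIE_NAME = "sid"     # assumed cookie name


class SessionStore:
    """In-memory stand-in for a DynamoDB table keyed by session ID (assumption:
    a real deployment swaps the dict for get_item/put_item/delete_item).
    Every web instance reads the same store, so the web tier itself holds no state."""

    def __init__(self, clock=time.time):
        self._items = {}      # session_id -> {"data": {...}, "expires": float}
        self._clock = clock   # injectable so the walk-through below is deterministic

    def create(self, data):
        """Mint an unguessable ID; the cookie carries only this ID, never the data."""
        sid = secrets.token_urlsafe(32)
        self._items[sid] = {"data": dict(data), "expires": self._clock() + SESSION_TTL}
        return sid

    def load(self, sid):
        """Return session data for a cookie value, or None if the value is malformed,
        unknown or expired. The value is only ever used as a lookup key, so a client
        that edits it can at worst lose its own session, not forge one."""
        if not isinstance(sid, str) or not SESSION_ID_RE.match(sid):
            return None
        item = self._items.get(sid)
        if item is None:
            return None
        if item["expires"] <= self._clock():
            del self._items[sid]  # expired records are purged, never revived
            return None
        item["expires"] = self._clock() + SESSION_TTL  # sliding expiry on use
        return item["data"]

    def destroy(self, sid):
        """Logout: drop the server-side record so the cookie value becomes dead."""
        self._items.pop(sid, None)


def parse_cookie_header(header):
    """Minimal Cookie header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    cookies = {}
    for part in (header or "").split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies


def set_cookie_header(sid):
    """Set-Cookie value: HttpOnly keeps the ID away from page scripts, Secure keeps
    it off plaintext HTTP, SameSite=Lax limits cross-site sends."""
    return f"{COOKIE_NAME}={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


def handle_request(store, cookie_header):
    """Resolve the caller's session from the request's Cookie header.
    Returns ("ok", data) or ("anonymous", None)."""
    sid = parse_cookie_header(cookie_header).get(COOKIE_NAME)
    data = store.load(sid)
    return ("ok", data) if data is not None else ("anonymous", None)


def demo():
    """Constructed walk-through: valid cookie, two tampered cookies, expiry."""
    now = [1_700_000_000.0]
    store = SessionStore(clock=lambda: now[0])
    sid = store.create({"user": "alice", "cart": ["sku-123"]})

    good = handle_request(store, f"theme=dark; {COOKIE_NAME}={sid}")
    # Client replaces the ID with smuggled content: fails the shape check.
    smuggled = handle_request(store, f"{COOKIE_NAME}=user=admin")
    # Client flips one character of a valid ID: right shape, no matching record.
    flipped_id = ("A" if sid[0] != "A" else "B") + sid[1:]
    flipped = handle_request(store, f"{COOKIE_NAME}={flipped_id}")
    # Time passes beyond the idle timeout: the once-valid cookie is now dead.
    now[0] += SESSION_TTL + 1
    expired = handle_request(store, f"{COOKIE_NAME}={sid}")
    return good, smuggled, flipped, expired
```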
Stateful Components
Inevitably, there will be layers of your architecture that you won’t turn into stateless components. First, by definition, databases are stateful. In addition, many legacy applications were designed to run on a single server by relying on local compute resources. Other use cases might require client devices to maintain a connection to a specific server for prolonged periods of time. For example, real-time multiplayer gaming must offer multiple players a consistent view of the game world with very low latency. This is much simpler to achieve in a non-distributed implementation where participants are connected to the same server.
Deployment Automation
Whether you are deploying a new environment for testing or increasing capacity of an existing system to cope with extra load, you will not want to set up new resources manually with their configuration and code. It is important that you make this an automated and repeatable process that avoids long lead times and is not prone to human error. Automating the deployment process and streamlining the configuration and build process is key to implementing elasticity. This will ensure that the system can scale without any human intervention.
Automate Your Infrastructure
One of the most important benefits of using a cloud environment is the ability to use the cloud’s Application Program Interfaces (APIs) to automate your deployment process. It is recommended that you take the time to create an automated deployment process early on during the migration process and not wait until the end. Creating an automated and repeatable deployment process will help reduce errors and facilitate an efficient and scalable update process.
Bootstrap Your Instances
When you launch an AWS resource like an Amazon EC2 instance, you start with a default configuration. You can then execute automated bootstrapping actions as described in Chapter 3, “Amazon Elastic Compute Cloud (Amazon EC2) and Amazon Elastic Block Store (Amazon EBS).” Let your instances ask a question at boot: “Who am I and what is my role?” Every instance should have a role to play in the environment (such as database server, application server, or slave server in the case of a web application). Roles may be applied during launch and can instruct the AMI on the steps to take after it has booted. On boot, an instance should grab the necessary resources (for example, code, scripts, or configuration) based on the role and “attach” itself to a cluster to serve its function.
Benefits of bootstrapping your instances include:
Recreate environments (for example, development, staging, production) with few clicks and minimal effort.
Maintain more control over your abstract, cloud-based resources.
Reduce human-induced deployment errors.
Create a self-healing and self-discoverable environment that is more resilient to hardware failure.
Designing intelligent elastic cloud architectures, where infrastructure runs only when you need it, is an art. As a Solutions Architect, elasticity should be one of the fundamental design requirements when defining your architectures. Here are some questions to keep in mind when designing cloud architectures:
What components or layers in my application architecture can become elastic?
What will it take to make that component elastic?
What will be the impact of implementing elasticity to my overall system architecture?
Leverage Different Storage Options
AWS offers a broad range of storage choices for backup, archiving, and disaster recovery, as well as block, file, and object storage to suit a plethora of use cases. For example, services like Amazon Elastic Block Storage (Amazon EBS), Amazon S3, Amazon RDS, and Amazon CloudFront provide a wide range of choices to meet different storage needs. It is important from a cost, performance, and functional aspect to leverage different storage options available in AWS for different types of datasets.
One Size Does Not Fit All
Your workload and use case should dictate what storage option to leverage in AWS. No one storage option is suitable for all situations. Table 14.1 provides a list of some storage scenarios and which AWS storage option you should consider to meet the identified need. This table is not meant to be an all-encompassing capture of scenarios, but an example guide.
TABLE 14.1 Storage Scenarios and AWS Storage Options

| Sample Scenario | Storage Option |
| --- | --- |
| Your web application needs large-scale storage capacity and performance. -or- You need cloud storage with high data durability to support backup and active archives for disaster recovery. | Amazon S3 |
| You require cloud storage for data archiving and long-term backup. | Amazon Glacier |
| You require a content delivery network to deliver entire websites, including dynamic, static, streaming, and interactive content using a global network of edge locations. | Amazon CloudFront |
| You require a fast and flexible NoSQL database with a flexible data model and reliable performance. | Amazon DynamoDB |
| You need reliable block storage to run mission-critical applications such as Oracle, SAP, Microsoft Exchange, and Microsoft SharePoint. | Amazon EBS |
| You need a highly available, scalable, and secure MySQL database without the time-consuming administrative tasks. | Amazon RDS |
| You need a fast, powerful, fully-managed, petabyte-scale data warehouse to support business analytics of your e-commerce application. | Amazon Redshift |
| You need a Redis cluster to store session information for your web application. | Amazon ElastiCache |
| You need a common file system for your application that is shared between more than one Amazon EC2 instance. | Amazon Elastic File System (Amazon EFS) |

Let’s return to our sample web application architecture and show how different storage options can be leveraged to optimize cost and architecture. We can start by moving any static assets from our web instances to Amazon S3, and then serve those objects via Amazon CloudFront. These static assets would include all of the images, videos, CSS, JavaScript, and any other heavy static content that is currently delivered via the web instances. By serving these files via an Amazon S3 origin with global caching and distribution via Amazon CloudFront, the load will be reduced on the web instances and allow the web tier footprint to be reduced. Figure 14.4 shows the updated architecture for our sample web application.
FIGURE 14.4 Updated web application architecture with Amazon S3 and Amazon CloudFront
To further optimize our storage options, the session information for our sample web application can be moved to Amazon DynamoDB or even to Amazon ElastiCache. For our scenario, we will use Amazon DynamoDB to store the session information because the AWS Software Development Kits (SDK) provide connectors for many popular web development frameworks that make storing session information in Amazon DynamoDB easy. By removing session state from our web tier, the web instances do not lose session information when horizontal scaling from Auto Scaling happens. Additionally, we will leverage Amazon ElastiCache to store common database query results, thereby taking the load off of our database tier. Figure 14.5 shows the addition of Amazon ElastiCache and Amazon DynamoDB to our web application architecture.
FIGURE 14.5 Updated web application architecture with Amazon ElastiCache and Amazon DynamoDB
As a Solutions Architect, you will ultimately come to a point where you need to decide and define what your storage requirements are for the data that you need to store on AWS. There are a variety of options to choose from depending on your needs, each with different attributes ranging from database storage, block storage, highly available object-based storage, and even cold archival storage. Ultimately, your workload requirements will dictate which storage option makes sense for your use case.
Build Security in Every Layer
With traditional IT, infrastructure security auditing would often be a periodic and manual process. The AWS Cloud instead provides governance capabilities that enable continuous monitoring of configuration changes to your IT resources. Because AWS assets are programmable resources, your security policy can be formalized and embedded with the design of your infrastructure. With the ability to spin up temporary environments, security testing can now become part of your continuous delivery pipeline. Solutions Architects can leverage a plethora of native AWS security and encryption features that can help achieve higher levels of data protection and compliance at every layer of cloud architectures.
Best Practice
Inventory your data, prioritize it by value, and apply the appropriate level of encryption for the data in transit and at rest.
Most of the security tools and techniques with which you might already be familiar in a traditional IT infrastructure can be used in the cloud. At the same time, AWS allows you to improve your security in a variety of ways. AWS is a platform that allows you to formalize the design of security controls in the platform itself. It simplifies system use for administrators and those running IT and makes your environment much easier to audit in a continuous manner.
Use AWS Features for Defense in Depth
AWS provides a wealth of features that help Solutions Architects build defense in depth. Starting at the network level, you can build an Amazon Virtual Private Cloud (Amazon VPC) topology that isolates parts of the infrastructure through the use of subnets, security groups, and routing controls. Services like AWS Web Application Firewall (AWS WAF) can help protect your web applications from SQL injection and other vulnerabilities in your application code. For access control, you can use AWS Identity and Access Management (IAM) to define a granular set of policies and assign them to users, groups, and AWS resources. Finally, the AWS platform offers a breadth of options for protecting data with encryption, whether the data is in transit or at rest.
Understanding the security features offered by AWS is important for the exam, and it is covered in detail in Chapter 12, “Security on AWS.”
Offload Security Responsibility to AWS
AWS operates under a shared responsibility model, where AWS is responsible for the security of the underlying cloud infrastructure, and you are responsible for securing the workloads you deploy on AWS. This way, you can reduce the scope of your responsibility and focus on your core competencies through the use of AWS managed services. For example, when you use managed services such as Amazon RDS, Amazon ElastiCache, Amazon CloudSearch, and others, security patches become the responsibility of AWS. This not only reduces operational overhead for your team, but it could also reduce your exposure to vulnerabilities.
Reduce Privileged Access
Another common source of security risk is the use of service accounts. In a traditional environment, service accounts would often be assigned long-term credentials stored in a configuration file. On AWS, you can instead use IAM roles to grant permissions to applications running on Amazon EC2 instances through the use of temporary security tokens. Those credentials are automatically distributed and rotated. For mobile applications, the use of Amazon Cognito allows client devices to get controlled access to AWS resources via temporary tokens. For AWS Management Console users, you can similarly provide federated access through temporary tokens instead of creating IAM users in your AWS account. In that way, an employee who leaves your organization and is removed from your organization’s identity directory will also lose access to your AWS account.
Best Practice
Follow the standard security practice of granting least privilege—that is, granting only the permissions required to perform a task—to IAM users, groups, roles, and policies.
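The two points of this section, least privilege and getting long-term credentials out of configuration files, as an added example that is not from the study guide: an over-broad service-account policy next to one scoped to the session table and static-asset bucket of this chapter's web tier, a checker that flags the grants a least-privilege review would reject, and a scan for long-term access key IDs (the `AKIA` prefix) in a config file. The policies, the config file, the account ID and the key values are constructed placeholders.

```python
import json
import re

# Constructed policies (not from the study guide; account ID is a placeholder).
# The first is the "just make it work" grant a service account often ends up with.
OVERBROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DoAnything", "Effect": "Allow", "Action": "*", "Resource": "*"}
    ],
})

# The second grants only what the web tier from this chapter needs: read/write
# on one session table and read on one static-asset bucket.
LEAST_PRIVILEGE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SessionTable",
            "Effect": "Allow",
            "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:DeleteItem"],
            "Resource": "arn:aws:dynamodb:us-east-1:111122223333:table/web-sessions",
        },
        {
            "Sid": "StaticAssetsReadOnly",
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-static-assets/*",
        },
    ],
})

# Constructed config file of the kind the text describes: a long-term key baked
# into a service account's configuration (the values are the AWS documentation
# placeholders, not real credentials).
SAMPLE_CONFIG = """\
[default]
region = us-east-1
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""

# Long-term IAM user access key IDs start with AKIA; the temporary keys an
# instance role hands out start with ASIA and are not what this scan hunts.
LONG_TERM_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")


def _as_list(value):
    """Action, Resource and Statement may be a single value or a list; normalize."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_overbroad_statements(policy_json):
    """Return (sid, reason) findings for Allow statements that grant more than a
    task needs: wildcard actions, an unconditioned wildcard resource, or the
    NotAction/NotResource forms, which allow everything except what is listed."""
    policy = json.loads(policy_json)
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = stmt.get("Sid", f"Statement[{index}]")
        if "NotAction" in stmt:
            findings.append((sid, "NotAction allows every action not listed"))
        if "NotResource" in stmt:
            findings.append((sid, "NotResource allows every resource not listed"))
        for action in _as_list(stmt.get("Action")):
            if action == "*":
                findings.append((sid, "Action '*' grants every API of every service"))
            elif action.endswith(":*"):
                findings.append((sid, f"Action '{action}' grants every API of that service"))
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*" and "Condition" not in stmt:
                findings.append((sid, "Resource '*' with no Condition reaches every resource"))
    return findings


def find_long_term_keys(config_text):
    """Return the long-term access key IDs embedded in a config file; on AWS these
    should give way to an instance role that supplies rotating temporary tokens."""
    return LONG_TERM_KEY_RE.findall(config_text)
```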
Security as Code
Traditional security frameworks, regulations, and organizational policies define security requirements related to things such as firewall rules, network access controls, internal/external subnets, and operating system hardening. You can implement these in an AWS environment as well, but you now have the opportunity to capture them all in a script that defines a “Golden Environment.” This means that you can create an AWS CloudFormation script that captures and reliably deploys your security policies. Security best practices can now be reused among multiple projects and become part of your continuous integration pipeline. You can perform security testing as part of your release cycle and automatically discover application gaps and drift from your security policies.
Additionally, for greater control and security, AWS CloudFormation templates can be imported as “products” into AWS Service Catalog. This enables centralized management of resources to support consistent governance, security, and compliance requirements while enabling users to deploy quickly only the approved IT services they need. You apply IAM permissions to control who can view and modify your products, and you define constraints to restrict the ways that specific AWS resources can be deployed for a product.
Real-Time Auditing
Testing and auditing your environment is key to moving fast while staying safe. Traditional approaches that involve periodic (and often manual or sample-based) checks are not sufficient, especially in agile environments where change is constant. On AWS, you can implement continuous monitoring and automation of controls to minimize exposure to security risks. Services like AWS Config Rules, Amazon Inspector, and AWS Trusted Advisor continually monitor for compliance or vulnerabilities, giving you a clear overview of which IT resources are or are not in compliance. With AWS Config Rules, you will also know if some component was out of compliance even for a brief period of time, making both point-in-time and period-in-time audits very effective. You can implement extensive logging for your applications using Amazon CloudWatch Logs and for the actual AWS API calls by enabling AWS CloudTrail. AWS CloudTrail is a web service that records API calls to supported AWS Cloud services in your AWS account and creates a log file. AWS CloudTrail logs are stored in an immutable manner to an Amazon S3 bucket of your choice. These logs can then be automatically processed either to notify or even take action on your behalf, protecting your organization from non-compliance. You can use AWS Lambda, Amazon Elastic MapReduce (Amazon EMR), Amazon Elasticsearch Service, or third-party tools from the AWS Marketplace to scan logs to detect things like unused permissions, overuse of privileged accounts, usage of keys, anomalous logins, policy violations, and system abuse.
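The kind of automated log processing the paragraph describes, as an added example that is not from the study guide: a set of detection rules run over one CloudTrail log file for overuse of the root account, console logins without MFA, repeated failed logins from one address, attachment of an administrator policy, and creation of new long-term access keys. The log file is constructed (field names follow the CloudTrail record format; the account ID, user names, IPs and the failure threshold are placeholders), and a real deployment would run the same function from a Lambda triggered by the S3 bucket that CloudTrail writes to.

```python
import json
from collections import Counter

FAILED_LOGIN_THRESHOLD = 3   # failed ConsoleLogin events from one IP before alerting
PRIVILEGED_POLICY_ARNS = {"arn:aws:iam::aws:policy/AdministratorAccess"}

# Constructed CloudTrail-style log file: one normal MFA login, a root login
# without MFA, three failed logins from one address, an admin policy attachment
# and a new long-term key for a service user.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2017-03-01T09:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2017-03-01T09:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
] + [
    {"eventTime": f"2017-03-01T09:1{i}:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "responseElements": {"ConsoleLogin": "Failure"},
     "errorMessage": "Failed authentication"}
    for i in range(3)
] + [
    {"eventTime": "2017-03-01T09:20:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"userName": "bob",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2017-03-01T09:25:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"userName": "svc-deploy"}},
]})


def _who(record):
    """Best available principal name for a record."""
    ident = record.get("userIdentity") or {}
    return ident.get("userName") or ident.get("arn") or "unknown"


def analyze(log_text):
    """Run the detection rules over one CloudTrail log file (JSON with a
    'Records' list) and return (rule, detail) findings in the order found; the
    per-IP failed-login rule is evaluated once every record has been seen."""
    records = json.loads(log_text).get("Records", [])
    findings = []
    failures = Counter()   # sourceIPAddress -> failed console logins
    for r in records:
        ident = r.get("userIdentity") or {}
        when = r.get("eventTime", "?")
        ip = r.get("sourceIPAddress", "?")
        name = r.get("eventName", "?")
        # Rule 1: the root account should not be used for day-to-day work at all.
        if ident.get("type") == "Root":
            findings.append(("root-activity", f"{when} {name} by root from {ip}"))
        # Rules 2 and 3: console logins without MFA, or failing repeatedly.
        if name == "ConsoleLogin":
            outcome = (r.get("responseElements") or {}).get("ConsoleLogin")
            if outcome == "Failure":
                failures[ip] += 1
            elif (r.get("additionalEventData") or {}).get("MFAUsed") != "Yes":
                findings.append(("login-without-mfa", f"{when} {_who(r)} from {ip}"))
        # Rules 4 and 5: privilege escalation and new long-term keys via IAM.
        if r.get("eventSource") == "iam.amazonaws.com":
            params = r.get("requestParameters") or {}
            if name.startswith("Attach") and params.get("policyArn") in PRIVILEGED_POLICY_ARNS:
                target = params.get("userName") or params.get("roleName") or params.get("groupName")
                findings.append(("admin-policy-attached",
                                 f"{when} {_who(r)} attached {params['policyArn']} to {target}"))
            if name == "CreateAccessKey":
                findings.append(("long-term-key-created",
                                 f"{when} {_who(r)} created a key for {params.get('userName', _who(r))}"))
    for ip, count in failures.items():
        if count >= FAILED_LOGIN_THRESHOLD:
            findings.append(("repeated-login-failures", f"{count} failed console logins from {ip}"))
    return findings
```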
While AWS provides an excellent service management layer around infrastructure or platform services, organizations are still responsible for protecting the confidentiality, integrity, and availability of their data in the cloud. AWS provides a range of security services and architectural concepts that organizations can use to manage security of their assets and data in the cloud.
Think Parallel

The cloud makes parallelization effortless. Whether it is requesting data from the cloud, storing data to the cloud, or processing data in the cloud, as a Solutions Architect you need to internalize the concept of parallelization when designing architectures in the cloud. It is advisable not only to implement parallelization wherever possible, but also to automate it because the cloud allows you to create a repeatable process very easily.

When it comes to accessing (retrieving and storing) data, the cloud is designed to handle massively parallel operations. In order to achieve maximum performance and throughput, you should leverage request parallelization. Multi-threading your requests by using multiple concurrent threads will store or fetch the data faster than requesting it sequentially. Hence, a general best practice for developing cloud applications is to design the processes for leveraging multi-threading.

When it comes to processing or executing requests in the cloud, it becomes even more important to leverage parallelization. A general best practice, in the case of a web application, is to distribute the incoming requests across multiple asynchronous web servers using a load balancer. In the case of a batch processing application, you can leverage a master node with multiple slave worker nodes that process tasks in parallel (as in distributed processing frameworks like Hadoop).

The beauty of the cloud shines when you combine elasticity and parallelization. Your cloud application can bring up a cluster of compute instances that are provisioned within minutes with just a few API calls, perform a job by executing tasks in parallel, store the results, and then terminate all of the instances.
Loose Coupling Sets You Free

As application complexity increases, a desirable characteristic of an IT system is that it can be broken into smaller, loosely coupled components. This means that IT systems should be designed in a way that reduces interdependencies, so that a change or a failure in one component does not cascade to other components.

Best Practice

Design system architectures with independent components that are “black boxes.” The more loosely system components are coupled, the larger they scale.

A way to reduce interdependencies in a system is to allow the various components to interact with each other only through specific, technology-agnostic interfaces (such as RESTful APIs). In this way, the technical implementation details are hidden so that teams can modify the underlying implementation without affecting other components. As long as those interfaces maintain backward compatibility, the different components that an overall system is comprised of remain decoupled.

Amazon API Gateway provides a way to expose well-defined interfaces. Amazon API Gateway is a fully managed service that makes it easy for developers to create, publish, maintain, monitor, and secure APIs at any scale. It handles all of the tasks involved in accepting and processing up to hundreds of thousands of concurrent API calls, including traffic management, authorization and access control, monitoring, and API version management.

Asynchronous integration is a common pattern for implementing loose coupling between services. This model is suitable for any interaction that does not need an immediate response and where an acknowledgement that a request has been registered will suffice. It involves one component that generates events and another that consumes them. The two components do not integrate through direct point-to-point interaction, but usually through an intermediate durable storage layer, such as an Amazon Simple Queue Service (Amazon SQS) queue or a streaming data platform like Amazon Kinesis. Figure 14.6 shows the logical flow for tight and loosely coupled architectures.
FIGURE 14.6 Tight and loose coupling

Leveraging asynchronous integration decouples the two components and introduces additional resiliency. For example, if a process that is reading messages from the queue fails, messages can still be added to the queue to be processed when the system recovers. It also allows you to protect a less scalable back-end service from front-end spikes and find the right tradeoff between cost and processing lag. For example, you can decide that you don’t need to scale your database to accommodate for an occasional peak of write queries if you eventually process those queries asynchronously with some delay. Finally, by moving slow operations off of interactive request paths, you can also improve the end-user experience.
Sample Loosely Coupled Architecture

A company provides transcoding services for amateur producers to format their short films to a variety of video formats. The service provides end users with an easy-to-use website to submit videos for transcoding. The videos are stored in Amazon S3, and a message (“the request message”) is placed in an Amazon SQS queue (“the incoming queue”) with a pointer to the video and to the target video format in the message. The transcoding engine, running on a set of Amazon EC2 instances, reads the request message from the incoming queue, retrieves the video from Amazon S3 using the pointer, and transcodes the video into the target format. The converted video is put back into Amazon S3 and another message (“the response message”) is placed in another Amazon SQS queue (“the outgoing queue”) with a pointer to the converted video. At the same time, metadata about the video (such as format, date created, and length) can be indexed into Amazon DynamoDB for easy querying. During this whole workflow, a dedicated Amazon EC2 instance can constantly monitor the incoming queue and, based on the number of messages in the incoming queue, can dynamically adjust the number of transcoding Amazon EC2 instances to meet customers’ response time requirements.
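The request/response queue workflow above, together with the earlier point that a consumer failure does not lose queued messages, as an added example that is not from the study guide: an in-memory stand-in for Amazon SQS (visibility timeout, at-least-once delivery, explicit delete, approximate depth) runs the transcoding pipeline with a worker that dies before acknowledging its message, and a monitor that sizes the fleet from queue depth. Bucket names, object keys and message fields are constructed.

```python
"""Toy model of the chapter's transcoding workflow over SQS-style queues.

Added example, not from the study guide. The Queue class imitates the
Amazon SQS behaviour the workflow relies on (visibility timeout, at-least-
once delivery, explicit delete, approximate depth) in memory with a logical
clock, so it runs offline. Bucket names, keys and message fields are made up.
"""
import json
import math
import uuid


class Clock:
    """Logical clock in seconds; the scenario advances it instead of sleeping."""
    def __init__(self):
        self.now = 0


class Queue:
    """In-memory queue with SQS-like receive/delete semantics."""

    def __init__(self, clock):
        self.clock = clock
        self._messages = {}                 # message id -> (body, visible_at)

    def send(self, body):
        self._messages[str(uuid.uuid4())] = (body, self.clock.now)

    def receive(self, visibility_timeout=30):
        """Hand out one visible message and hide it for `visibility_timeout`
        seconds; it reappears unless the consumer deletes it in time."""
        for mid, (body, visible_at) in self._messages.items():
            if visible_at <= self.clock.now:
                self._messages[mid] = (body, self.clock.now + visibility_timeout)
                return mid, body            # mid doubles as the receipt handle
        return None

    def delete(self, receipt_handle):
        self._messages.pop(receipt_handle, None)

    def approximate_depth(self):
        """Undeleted messages, visible or in flight, as a monitor would see them."""
        return len(self._messages)


def submit_video(incoming, bucket, video_key, target_format):
    """Website side: the upload is already in S3; queue a pointer to it."""
    incoming.send(json.dumps({"bucket": bucket, "video_key": video_key,
                              "target_format": target_format}))


def transcode_one(incoming, outgoing, converted, crash_before_delete=False):
    """One worker iteration; returns the converted key, or None when idle.
    `converted` stands in for checking S3 for an existing output, which makes
    a redelivered request idempotent instead of producing duplicate work."""
    got = incoming.receive(visibility_timeout=30)
    if got is None:
        return None
    handle, body = got
    req = json.loads(body)
    out_key = req["video_key"].rsplit(".", 1)[0] + "." + req["target_format"]
    if out_key not in converted:
        converted.add(out_key)              # the transcode and the S3 PutObject
        outgoing.send(json.dumps({"bucket": req["bucket"], "converted_key": out_key}))
    if crash_before_delete:
        return out_key                      # worker dies; the request stays in flight
    incoming.delete(handle)                 # acknowledge only once the work is durable
    return out_key


def desired_workers(depth, per_worker=5, minimum=1, maximum=20):
    """The monitoring instance's sizing rule for the transcoding fleet."""
    return max(minimum, min(maximum, math.ceil(depth / per_worker)))


def run_scenario():
    """Twelve submissions; the first worker crashes mid-message."""
    clock = Clock()
    incoming, outgoing, converted = Queue(clock), Queue(clock), set()
    for i in range(12):
        submit_video(incoming, "example-uploads", f"film{i}.mov", "mp4")
    fleet = desired_workers(incoming.approximate_depth())           # ceil(12/5) = 3
    transcode_one(incoming, outgoing, converted, crash_before_delete=True)
    finished = sum(transcode_one(incoming, outgoing, converted) is not None
                   for _ in range(11))                               # the other eleven
    in_flight = incoming.approximate_depth()                         # film0 still held
    idle = transcode_one(incoming, outgoing, converted)              # nothing visible yet
    clock.now += 31                                                  # timeout expires
    redelivered = transcode_one(incoming, outgoing, converted)       # film0 completes
    return {"fleet": fleet, "finished": finished, "in_flight": in_flight,
            "idle": idle, "redelivered": redelivered,
            "incoming_left": incoming.approximate_depth(),
            "outgoing": outgoing.approximate_depth()}


if __name__ == "__main__":
    print(run_scenario())
```

Because a crashed worker's message is redelivered rather than lost, the consumer must tolerate seeing the same request twice; the `converted` check is what keeps the second delivery from producing a duplicate response message.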
Applications that are deployed as a set of smaller services will depend on the ability of those services to interact with each other. Because each of those services could be running across multiple compute resources, there needs to be a way for each service to be addressed. For example, in a traditional infrastructure, if your front-end web service needed to connect with your back-end web service, you could hardcode the IP address of the compute resource where this service was running. Although this approach can still work on cloud computing, if those services are meant to be loosely coupled, they should be able to be consumed without prior knowledge of their network topology details. Apart from hiding complexity, this also allows infrastructure details to change at any time. In order to achieve this agility, you will need some way of implementing service discovery. Service discovery manages how processes and services in an environment can find and talk to one another. It involves a directory of services, registering services in that directory, and then being able to look up and connect to services in that directory.

Loose coupling is a crucial element if you want to take advantage of the elasticity of cloud computing, where new resources can be launched or terminated at any point in time. By architecting system components without tight dependencies on each other, applications are positioned to take full advantage of the cloud’s scale.
Don’t Fear Constraints

When organizations decide to move applications to the cloud and try to map their existing system specifications to those available in the cloud, they notice that the cloud might not have the exact specification of the resource that they have on premises. For example, observations may include “Cloud does not provide X amount of RAM in a server” or “My database needs to have more IOPS than what I can get in a single instance.”

You should understand that the cloud provides abstract resources that become powerful when you combine them with the on-demand provisioning model. You should not be afraid and constrained when using cloud resources because even if you might not get an exact replica of your on-premises hardware in the cloud environment, you have the ability to get more of those resources in the cloud to compensate.

When you push up against a constraint, think about what it’s telling you about a possible underlying architectural issue. For example, if AWS does not have an Amazon RDS instance type with enough RAM, consider whether you have inadvertently trapped yourself in a scale-up paradigm. Consider changing the underlying technology and using a scalable distributed cache like Amazon ElastiCache or sharding your data across multiple servers. If it is a read-heavy application, you can distribute the read load across a fleet of synchronized slaves.

Organizations are challenged with developing, managing, and operating applications at scale with a wide variety of underlying technology components. With traditional IT infrastructure, companies would have to build and operate all of those components. While these components may not map directly into a cloud environment, AWS offers a broad set of complementary services that help organizations overcome these constraints and to support agility and lower IT costs.

On AWS, there is a set of managed services that provides building blocks for developers to leverage for powering their applications. These managed services include databases, machine learning, analytics, queuing, search, email, notifications, and more. For example, with Amazon SQS, you can offload the administrative burden of operating and scaling a highly available messaging cluster while paying a low price for only what you use. The same applies to Amazon S3, where you can store as much data as required and access it when needed without having to think about capacity, hard disk configurations, replication, and other hardware-based considerations.

There are many other examples of managed services on AWS, such as Amazon CloudFront for content delivery, Elastic Load Balancing for load balancing, Amazon DynamoDB for NoSQL databases, Amazon CloudSearch for search workloads, Amazon Elastic Transcoder for video encoding, Amazon Simple Email Service (Amazon SES) for sending and receiving emails, and more.
Architectures that do not leverage the breadth of AWS Cloud services (for example, they use only Amazon EC2) might be self-constraining the ability to make the most of cloud computing. This oversight often leads to missing key opportunities to increase developer productivity and operational efficiency. When organizations combine on-demand provisioning, managed services, and the inherent flexibility of the cloud, they realize that apparent constraints can actually be broken down in ways that will actually improve the scalability and overall performance of their systems.
Summary

Typically, production systems come with defined or implicit requirements in terms of uptime. A system is highly available when it can withstand the failure of an individual or multiple components. If you design architectures around the assumption that any component will eventually fail, systems won’t fail when an individual component does.

Traditional infrastructure generally necessitates predicting the amount of computing resources your application will use over a period of several years. If you underestimate, your applications will not have the horsepower to handle unexpected traffic, potentially resulting in customer dissatisfaction. If you overestimate, you’re wasting money with superfluous resources. The on-demand and elastic nature of the cloud enables the infrastructure to be closely aligned with the actual demand, thereby increasing overall utilization and reducing cost. While cloud computing provides virtually unlimited on-demand capacity, system architectures need to be able to take advantage of those resources seamlessly. There are generally two ways to scale an IT architecture: vertically and horizontally.

The AWS Cloud provides governance capabilities that enable continuous monitoring of configuration changes to your IT resources. Because AWS assets are programmable resources, your security policy can be formalized and embedded with the design of your infrastructure. With the ability to spin up temporary environments, security testing can now become part of your continuous delivery pipeline. Solutions Architects can leverage a plethora of native AWS security and encryption features that can help achieve higher levels of data protection and compliance at every layer of cloud architectures.

Because AWS makes parallelization effortless, Solutions Architects need to internalize the concept of parallelization when designing architectures in the cloud. It is advisable not only to implement parallelization wherever possible, but also to automate it because the cloud allows you to create a repeatable process very easily.

As application complexity increases, a desirable characteristic of an IT system is that it can be broken into smaller, loosely coupled components. Solutions Architects should design systems in a way that reduces interdependencies, so that a change or a failure in one component does not cascade to other components.

When organizations try to map their existing system specifications to those available in the cloud, they notice that the cloud might not have the exact specification of the resource that they have on-premises. Organizations should not be afraid and feel constrained when using cloud resources. Even if you might not get an exact replica of your hardware in the cloud environment, you have the ability to get more of those resources in the cloud to compensate.

By focusing on concepts and best practices—like designing for failure, decoupling the application components, understanding and implementing elasticity, combining it with parallelization, and integrating security in every aspect of the application architecture—Solutions Architects can understand the design considerations necessary for building highly scalable cloud applications.

As each use case is unique, Solutions Architects need to remain diligent in evaluating how best practices and patterns can be applied to each implementation. The topic of cloud computing architectures is broad and continuously evolving.
Exam Essentials

Understand highly available architectures. A system is highly available when it can withstand the failure of an individual or multiple components. If you design architectures around the assumption that any component will eventually fail, systems won’t fail when an individual component does.

Understand redundancy. Redundancy can be implemented in either standby or active mode. When a resource fails in standby redundancy, functionality is recovered on a secondary resource using a process called failover. The failover will typically require some time before it is completed, and during that period the resource remains unavailable. In active redundancy, requests are distributed to multiple redundant compute resources, and when one of them fails, the rest can simply absorb a larger share of the workload. Compared to standby redundancy, active redundancy can achieve better utilization and affect a smaller population when there is a failure.

Understand elasticity. Elastic architectures can support growth in users, traffic, or data size with no drop in performance. It is important to build elastic systems on top of a scalable architecture. These architectures should scale in a linear manner, where adding extra resources results in at least a proportional increase in ability to serve additional system load. The growth in resources should introduce economies of scale, and cost should follow the same dimension that generates business value out of that system. There are generally two ways to scale an IT architecture: vertically and horizontally.

Understand vertical scaling. Scaling vertically takes place through an increase in the specifications of an individual resource (for example, upgrading a server with a larger hard drive or a faster CPU). This way of scaling can eventually hit a limit, and it is not always a cost efficient or highly available approach.

Understand horizontal scaling. Scaling horizontally takes place through an increase in the number of resources. This is a great way to build Internet-scale applications that leverage the elasticity of cloud computing. It is important to understand the impact of stateless and stateful architectures before implementing horizontal scaling.

Understand stateless applications. A stateless application needs no knowledge of the previous interactions and stores no session information. A stateless application can scale horizontally because any request can be serviced by any of the available system compute resources.

Understand loose coupling. As application complexity increases, a desirable characteristic of an IT system is that it can be broken into smaller, loosely coupled components. This means that IT systems should be designed as “black boxes” to reduce interdependencies so that a change or a failure in one component does not cascade to other components. The more loosely system components are coupled, the larger they scale.

Understand the different storage options in AWS. AWS offers a broad range of storage choices for backup, archiving, and disaster recovery, as well as block, file, and object storage to suit a plethora of use cases. It is important from a cost, performance, and functional aspect to leverage different storage options available in AWS for different types of data sets.
Exercises

In this section, you will implement a resilient application leveraging some of the best practices outlined in this chapter. You will build the architecture depicted in Figure 14.7 in the following series of exercises.

FIGURE 14.7 Sample web application for chapter exercises

For assistance in completing the following exercises, reference the following user guides:

Amazon VPC—http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/GetStarted.html

Amazon EC2 (Linux)—http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/concepts.html

Amazon RDS (MySQL)—http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_GettingStarted.CreatingConnecting.MySQL.html
EXERCISE 14.1

Create a Custom Amazon VPC

1. Log in to the AWS Management Console.
2. Navigate to the Amazon VPC console.
3. Create an Amazon VPC with a Classless Inter-Domain Routing (CIDR) block equal to 192.168.0.0/16, a name tag of Ch14-VPC, and default tenancy.

EXERCISE 14.2

Create an Internet Gateway for Your Custom Amazon VPC

1. Log in to the AWS Management Console.
2. Navigate to the Amazon VPC console.
3. Create an Internet gateway with a name tag of Ch14-IGW.
4. Attach the Ch14-IGW Internet gateway to the Amazon VPC from Exercise 14.1.

EXERCISE 14.3

Update the Main Route Table for Your Custom Amazon VPC

1. Log in to the AWS Management Console.
2. Navigate to the Amazon VPC console.
3. Locate the main route table for the Amazon VPC from Exercise 14.1.
4. Update the route table name tag to a value of Ch14-MainRouteTable.
5. Update the route table routes by adding a destination of 0.0.0.0/0 with a target of the Internet gateway from Exercise 14.2.
EXERCISE 14.4

Create Public Subnets for Your Custom Amazon VPC

1. Log in to the AWS Management Console.
2. Navigate to the Amazon VPC console.
3. Create a subnet with a CIDR block equal to 192.168.1.0/24 and a name tag of Ch14-PublicSubnet1. Create the subnet in the Amazon VPC from Exercise 14.1, and specify an Availability Zone for the subnet (for example, US-East-1a).
4. Create a subnet with a CIDR block equal to 192.168.3.0/24 and a name tag of Ch14-PublicSubnet2. Create the subnet in the Amazon VPC from Exercise 14.1, and specify an Availability Zone for the subnet that is different from the one previously specified (for example, US-East-1b).

EXERCISE 14.5

Create a NAT Gateway for Your Custom Amazon VPC

1. Log in to the AWS Management Console.
2. Navigate to the Amazon VPC console.
3. Create a Network Address Translation (NAT) gateway in the Amazon VPC from Exercise 14.1 within the Ch14-PublicSubnet1 subnet from Exercise 14.4.

EXERCISE 14.6

Create a Private Route Table for Your Custom Amazon VPC

1. Log in to the AWS Management Console.
2. Navigate to the Amazon VPC console.
3. Create a route table for the Amazon VPC from Exercise 14.1 with a name tag of Ch14-PrivateRouteTable.
4. Update the route table routes by adding a destination of 0.0.0.0/0 with a target of the NAT gateway from Exercise 14.5.
EXERCISE 14.7

Create Private Subnets for Your Custom Amazon VPC

1. Log in to the AWS Management Console.
2. Navigate to the Amazon VPC console.
3. Create a subnet with a CIDR block equal to 192.168.2.0/24 and a name tag of Ch14-PrivateSubnet1. Create the subnet in the Amazon VPC from Exercise 14.1, and specify the same Availability Zone for the subnet that was used in Exercise 14.4 for the Ch14-PublicSubnet1 (for example, US-East-1a).
4. Update the route table for the created subnet to the Ch14-PrivateRouteTable from Exercise 14.6.
5. Create a subnet with a CIDR block equal to 192.168.4.0/24 and a name tag of Ch14-PrivateSubnet2. Create the subnet in the Amazon VPC from Exercise 14.1, and specify the same Availability Zone for the subnet that was used in Exercise 14.4 for the Ch14-PublicSubnet2 (for example, US-East-1b).
6. Update the route table for the created subnet to the Ch14-PrivateRouteTable from Exercise 14.6.
EXERCISE 14.8

Create Security Groups for Each Application Tier

1. Log in to the AWS Management Console.
2. Navigate to the Amazon VPC console.
3. Create an Amazon VPC security group for the ELB with a name tag and group tab of Ch14-ELB-SG and a description of Load balancer security group for Ch14 exercises. Create the security group in the Amazon VPC from Exercise 14.1 with an inbound rule of Type HTTP, a protocol of TCP, a port range of 80, and a source of 0.0.0.0/0.
4. Create an Amazon VPC security group for the web servers with a name tag and group tab of Ch14-WebServer-SG and a description of Web server security group for Ch14 exercises. Create the security group in the Amazon VPC from Exercise 14.1 with an inbound rule of Type HTTP, a protocol of TCP, a port range of 80, and a source of the Ch14-ELB-SG security group. You may want to add another inbound rule of Type SSH, a protocol of TCP, a port range of 22, and a source of your IP address to provide secure access to manage the servers.
5. Create an Amazon VPC security group for the Amazon RDS MySQL database with a name tag and group tab of Ch14-DB-SG and a description of Database security group for Ch14 exercises. Create the security group in the Amazon VPC from Exercise 14.1 with an inbound rule of Type MYSQL/Aurora, a protocol of TCP, a port range of 3306, and a source of the Ch14-WebServer-SG security group.
EXERCISE 14.9

Create a MySQL Multi-AZ Amazon RDS Instance

1. Log in to the AWS Management Console.
2. Navigate to the Amazon RDS console.
3. Create a DB subnet group with a name of Ch14-SubnetGroup and a description of Subnet group for Ch14 exercises. Create the DB subnet group in the Amazon VPC from Exercise 14.1 with the private subnets from Exercise 14.7.
4. Launch a MySQL Amazon RDS instance with the following characteristics:
   DB Instance Class: db.t2.small
   Multi-AZ Deployment: yes
   Allocated Storage: no less than 5 GB
   DB Instance Identifier: ch14db
   Master User Name: your choice
   Master Password: your choice
   VPC: the Amazon VPC from Exercise 14.1
   DB Security Group: Ch14-SubnetGroup
   Publicly Accessible: No
   VPC Security Group: Ch14-DB-SG
   Database Name: appdb
   Database Port: 3306
EXERCISE 14.10

Create an Elastic Load Balancer (ELB)

1. Log in to the AWS Management Console.
2. Navigate to the Amazon EC2 console.
3. Create an ELB with a load balancer name of Ch14-WebServer-ELB. Create the ELB in the Amazon VPC from Exercise 14.1 with a listener configuration of the following:
   Load Balancer Protocol: HTTP
   Load Balancer Port: 80
   Instance Protocol: HTTP
   Instance Port: 80
4. Add the public subnets created in Exercise 14.4.
5. Assign the existing security group of Ch14-ELB-SG created in Exercise 14.8.
6. Configure the health check with a ping protocol of HTTP, a ping port of 80, and a ping path of /index.html.
7. Add a tag with a key of Name and value of Ch14-WebServer-ELB.
8. Update the ELB port configuration to enable load-balancer generated cookie stickiness with an expiration period of 30 seconds.
EXERCISE 14.11

Create a Web Server Auto Scaling Group

1. Log in to the AWS Management Console.
2. Navigate to the Amazon EC2 console.
3. Create a launch configuration for the web server Auto Scaling group with the following characteristics:
   AMI: latest Amazon Linux AMI
   Instance Type: t2.small
   Name: Ch14-WebServer-LC
   User data:
   #!/bin/bash
   # update the instance, then install PHP, the MySQL client libraries and Apache
   yum update -y
   yum install -y php
   yum install -y php-mysql
   yum install -y mysql
   yum install -y httpd
   # page served to the ELB health check (/index.html) and to visitors
   echo "<html><body><h1>powered by AWS</h1></body></html>" > /var/www/html/index.html
   service httpd start
   Security Group: Ch14-WebServer-SG
   Key Pair: existing or new key pair for your account
4. Create an Auto Scaling group for the web servers from the launch configuration Ch14-WebServer-LC with a group name of Ch14-WebServer-AG. Create the Auto Scaling group in the Amazon VPC from Exercise 14.1 with the public subnets created in Exercise 14.4 and a group size of 2.
5. Associate the load balancer Ch14-WebServer-ELB created in Exercise 14.10 to the Auto Scaling group.
6. Add a name tag with a key of Name and value of Ch14-WebServer-AG to the Auto Scaling group.

You will need your own domain name to complete this section, and you should be aware that Amazon Route 53 is not eligible for AWS Free Tier. Hosting a zone on Amazon Route 53 will cost approximately $0.50 per month per hosted zone, and additional charges will be levied depending on what routing policy you choose. For more information on Amazon Route 53 pricing, refer to http://aws.amazon.com/route53/pricing/.
EXERCISE 14.12

Create a Route 53 Hosted Zone

1. Log in to the AWS Management Console.
2. Navigate to the Amazon Route 53 console and create a hosted zone.
3. Enter your domain name and create your new zone file.
4. In the new zone file, you will see the Start of Authority (SOA) record and name servers. You will need to log in to your domain registrar’s website and update the name servers with your AWS name servers.

If the registrar has a method to change the Time To Live (TTL) settings for their name servers, it is recommended that you reset the settings to 900 seconds. This limits the time during which client requests will try to resolve domain names using obsolete name servers. You will need to wait for the duration of the previous TTL for resolvers and clients to stop caching the DNS records with their previous values.

5. After you update your name servers with your domain registrars, Amazon Route 53 will be configured to serve DNS requests for your domain.

EXERCISE 14.13

Create an Alias A Record

1. Log in to the AWS Management Console.
2. Navigate to the Amazon Route 53 console.
3. Select your Route 53 hosted zone created in Exercise 14.12. Create a record set with a name of www and a type of A—IPv4 Address.
4. Create an alias with an alias target of the ELB Ch14-WebServer-ELB created in Exercise 14.10 and leave your routing policy as simple.
EXERCISE 14.14

Test Your Configuration

1. Log in to the AWS Management Console.
2. Navigate to the Amazon EC2 console.
3. Verify that the ELB created in Exercise 14.11 has 2 of 2 instances in service.
4. In a web browser, navigate to the web farm (www.example.com) using the Hosted Zone A record created in Exercise 14.13. You should see the powered by AWS on the web page.
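An added consistency check for the network the exercises build (not part of the study guide): the CIDRs, name tags, route targets and security group rules below are the values from Exercises 14.1 to 14.9, with a constructed /32 standing in for the optional "your IP address" SSH source. The functions verify subnet containment and overlap, two-Availability-Zone spread, private-only routing for the database subnet group, and which tiers are reachable from the Internet.

```python
"""Consistency checks for the network built in the Chapter 14 exercises.

Added example, not from the study guide. The CIDRs, names, route targets and
security group rules are the values Exercises 14.1 to 14.9 specify; the /32
SSH source is a CONSTRUCTED placeholder for "your IP address". Replace the
constants with values read back from your account to check a real build.
"""
import ipaddress

VPC_CIDR = "192.168.0.0/16"

# (name, CIDR, Availability Zone, route table) from Exercises 14.4 and 14.7
SUBNETS = [
    ("Ch14-PublicSubnet1", "192.168.1.0/24", "us-east-1a", "Ch14-MainRouteTable"),
    ("Ch14-PublicSubnet2", "192.168.3.0/24", "us-east-1b", "Ch14-MainRouteTable"),
    ("Ch14-PrivateSubnet1", "192.168.2.0/24", "us-east-1a", "Ch14-PrivateRouteTable"),
    ("Ch14-PrivateSubnet2", "192.168.4.0/24", "us-east-1b", "Ch14-PrivateRouteTable"),
]

# Target of each table's 0.0.0.0/0 route (Exercises 14.3 and 14.6)
DEFAULT_ROUTE = {"Ch14-MainRouteTable": "igw", "Ch14-PrivateRouteTable": "nat"}

# Inbound rules from Exercise 14.8: group -> [(port, source)]; a source is a
# CIDR or the name of another security group
SECURITY_GROUPS = {
    "Ch14-ELB-SG": [(80, "0.0.0.0/0")],
    "Ch14-WebServer-SG": [(80, "Ch14-ELB-SG"), (22, "203.0.113.5/32")],  # constructed admin IP
    "Ch14-DB-SG": [(3306, "Ch14-WebServer-SG")],
}

# Subnets placed in the DB subnet group in Exercise 14.9
DB_SUBNET_GROUP = ["Ch14-PrivateSubnet1", "Ch14-PrivateSubnet2"]


def subnet_problems(vpc_cidr=VPC_CIDR, subnets=SUBNETS, routes=DEFAULT_ROUTE):
    """Findings about the subnet plan; an empty list means it is consistent."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = [(n, ipaddress.ip_network(c), az, rt) for n, c, az, rt in subnets]
    problems = []
    for name, net, _, rt in nets:
        if not net.subnet_of(vpc):
            problems.append(f"{name} {net} lies outside the VPC {vpc}")
        want = "igw" if "Public" in name else "nat"    # only public subnets face the IGW
        if routes.get(rt) != want:
            problems.append(f"{name} default route targets {routes.get(rt)}, expected {want}")
    for i, (a, na, _, _) in enumerate(nets):
        for b, nb, _, _ in nets[i + 1:]:
            if na.overlaps(nb):
                problems.append(f"{a} and {b} overlap")
    for tier in ("Public", "Private"):
        if len({az for n, _, az, _ in nets if tier in n}) < 2:
            problems.append(f"{tier} subnets do not span two Availability Zones")
    return problems


def allows(group, port, source, groups=SECURITY_GROUPS):
    """True if `group` has an inbound rule admitting `source` on `port`.
    `source` is an address/CIDR string or a security group name. CIDR rules
    match by containment; group rules match only the referenced group, which
    is why the web tier, and not the Internet, is what can reach the database."""
    for rule_port, rule_source in groups[group]:
        if rule_port != port:
            continue
        if rule_source in groups:
            if source == rule_source:
                return True
        elif source not in groups and ipaddress.ip_network(
                source, strict=False).subnet_of(ipaddress.ip_network(rule_source)):
            return True
    return False


def internet_exposed(groups=SECURITY_GROUPS):
    """(group, port) pairs that any Internet address may reach."""
    return sorted((g, p) for g, rules in groups.items() for p, _ in rules
                  if allows(g, p, "0.0.0.0/0", groups))


def db_subnets_private(db_subnets=DB_SUBNET_GROUP, subnets=SUBNETS, routes=DEFAULT_ROUTE):
    """No subnet in the DB subnet group may have a default route to an IGW."""
    table_of = {n: rt for n, _, _, rt in subnets}
    return all(routes.get(table_of[n]) != "igw" for n in db_subnets)


if __name__ == "__main__":
    print("subnet problems:", subnet_problems() or "none")
    print("internet-exposed:", internet_exposed())
    print("Internet -> DB 3306:", allows("Ch14-DB-SG", 3306, "0.0.0.0/0"))
    print("web tier -> DB 3306:", allows("Ch14-DB-SG", 3306, "Ch14-WebServer-SG"))
    print("DB subnets private:", db_subnets_private())
```

For the exercise values the only Internet-exposed pair is the load balancer on port 80, which is the intended shape of the three-tier design.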
Review Questions

1. When designing a loosely coupled system, which AWS services provide an intermediate durable storage layer between components? (Choose 2 answers)
A. Amazon CloudFront
B. Amazon Kinesis
C. Amazon Route 53
D. AWS CloudFormation
E. Amazon Simple Queue Service (Amazon SQS)

2. Which of the following options will help increase the availability of a web server farm? (Choose 2 answers)
A. Use Amazon CloudFront to deliver content to the end users with low latency and high data transfer speeds.
B. Launch the web server instances across multiple Availability Zones.
C. Leverage Auto Scaling to recover from failed instances.
D. Deploy the instances in an Amazon Virtual Private Cloud (Amazon VPC).
E. Add more CPU and RAM to each instance.

3. Which of the following AWS Cloud services are designed according to the Multi-AZ principle? (Choose 2 answers)
A. Amazon DynamoDB
B. Amazon ElastiCache
C. Elastic Load Balancing
D. Amazon Virtual Private Cloud (Amazon VPC)
E. Amazon Simple Storage Service (Amazon S3)

4. Your e-commerce site was designed to be stateless and currently runs on a fleet of Amazon Elastic Compute Cloud (Amazon EC2) instances. In an effort to control cost and increase availability, you have a requirement to scale the fleet based on CPU and network utilization to match the demand curve for your site. What services do you need to meet this requirement? (Choose 2 answers)
A. Amazon CloudWatch
B. Amazon DynamoDB
C. Elastic Load Balancing
D. Auto Scaling
E. Amazon Simple Storage Service (Amazon S3)
5. Your compliance department has mandated a new requirement that all data on Amazon Elastic Block Storage (Amazon EBS) volumes must be encrypted. Which of the following steps would you follow for your existing Amazon EBS volumes to comply with the new requirement? (Choose 3 answers)
A. Move the existing Amazon EBS volume into an Amazon Virtual Private Cloud (Amazon VPC).
B. Create a new Amazon EBS volume with encryption enabled.
C. Modify the existing Amazon EBS volume properties to enable encryption.
D. Attach an Amazon EBS volume with encryption enabled to the instance that hosts the data, then migrate the data to the encryption-enabled Amazon EBS volume.
E. Copy the data from the unencrypted Amazon EBS volume to the Amazon EBS volume with encryption enabled.

6. When building a Distributed Denial of Service (DDoS)-resilient architecture, how does Amazon Virtual Private Cloud (Amazon VPC) help minimize the attack surface area? (Choose 3 answers)
A. Reduces the number of necessary Internet entry points
B. Combines end user traffic with management traffic
C. Obfuscates necessary Internet entry points to the level that untrusted end users cannot access them
D. Adds non-critical Internet entry points to the architecture
E. Scales the network to absorb DDoS attacks

7. Your e-commerce application provides daily and ad hoc reporting to various business units on customer purchases. This is resulting in an extremely high level of read traffic to your MySQL Amazon Relational Database Service (Amazon RDS) instance. What can you do to scale up read traffic without impacting your database’s performance?
A. Increase the allocated storage for the Amazon RDS instance.
B. Modify the Amazon RDS instance to be a Multi-AZ deployment.
C. Create a read replica for an Amazon RDS instance.
D. Change the Amazon RDS instance DB engine version.

8. Your website is hosted on a fleet of web servers that are load balanced across multiple Availability Zones using an Elastic Load Balancer (ELB). What type of record set in Amazon Route 53 can be used to point myawesomeapp.com to your website?
A. Type A Alias resource record set
B. MX record set
C. TXT record set
D. CNAME record set
9. You need a secure way to distribute your AWS credentials to an application running on Amazon Elastic Compute Cloud (Amazon EC2) instances in order to access supplementary AWS Cloud services. What approach provides your application access to use short-term credentials for signing requests while protecting those credentials from other users?
A. Add your credentials to the User Data parameter of each Amazon EC2 instance.
B. Use a configuration file to store your access and secret keys on the Amazon EC2 instances.
C. Specify your access and secret keys directly in your application.
D. Provision the Amazon EC2 instances with an instance profile that has the appropriate privileges.
10. You are running a suite of microservices on AWS Lambda that provide the business logic and access to data stored in Amazon DynamoDB for your task management system. You need to create well-defined RESTful Application Program Interfaces (APIs) for these microservices that will scale with traffic to support a new mobile application. What AWS Cloud service can you use to create the necessary RESTful APIs?
A. Amazon Kinesis
B. Amazon API Gateway
C. Amazon Cognito
D. Amazon Elastic Compute Cloud (Amazon EC2) Container Registry
11. Your WordPress website is hosted on a fleet of Amazon Elastic Compute Cloud (Amazon EC2) instances that leverage Auto Scaling to provide high availability. To ensure that the content of the WordPress site is sustained through scale up and scale down events, you need a common file system that is shared between more than one Amazon EC2 instance. Which AWS Cloud service can meet this requirement?
A. Amazon CloudFront
B. Amazon ElastiCache
C. Amazon Elastic File System (Amazon EFS)
D. Amazon Elastic Beanstalk
12. You are changing your application to move session state information off the individual Amazon Elastic Compute Cloud (Amazon EC2) instances to take advantage of the elasticity and cost benefits provided by Auto Scaling. Which of the following AWS Cloud services is best suited as an alternative for storing session state information?
A. Amazon DynamoDB
B. Amazon Redshift
C. Amazon Storage Gateway
D. Amazon Kinesis
13. A media sharing application is producing a very high volume of data in a very short period of time. Your back-end services are unable to manage the large volume of transactions. What option provides a way to manage the flow of transactions to your back-end services?
A. Store the inbound transactions in an Amazon Relational Database Service (Amazon RDS) instance so that your back-end services can retrieve them as time permits.
B. Use an Amazon Simple Queue Service (Amazon SQS) queue to buffer the inbound transactions.
C. Use an Amazon Simple Notification Service (Amazon SNS) topic to buffer the inbound transactions.
D. Store the inbound transactions in an Amazon Elastic MapReduce (Amazon EMR) cluster so that your back-end services can retrieve them as time permits.
14. Which of the following are best practices for managing AWS Identity and Access Management (IAM) user access keys? (Choose 3 answers)
A. Embed access keys directly into application code.
B. Use different access keys for different applications.
C. Rotate access keys periodically.
D. Keep unused access keys for an indefinite period of time.
E. Configure Multi-Factor Authentication (MFA) for your most sensitive operations.
15. You need to implement a service to scan Application Program Interface (API) calls and related events' history to your AWS account. This service will detect things like unused permissions, overuse of privileged accounts, and anomalous logins. Which of the following AWS Cloud services can be leveraged to implement this service? (Choose 3 answers)
A. AWS CloudTrail
B. Amazon Simple Storage Service (Amazon S3)
C. Amazon Route 53
D. Auto Scaling
E. AWS Lambda
16. Government regulations require that your company maintain all correspondence for a period of seven years for compliance reasons. What is the best storage mechanism to keep this data secure in a cost-effective manner?
A. Amazon S3
B. Amazon Glacier
C. Amazon EBS
D. Amazon EFS
17. Your company provides media content via the Internet to customers through a paid subscription model. You leverage Amazon CloudFront to distribute content to your customers with low latency. What approach can you use to serve this private content securely to your paid subscribers?
A. Provide signed Amazon CloudFront URLs to authenticated users to access the paid content.
B. Use HTTPS requests to ensure that your objects are encrypted when Amazon CloudFront serves them to viewers.
C. Configure Amazon CloudFront to compress the media files automatically for paid subscribers.
D. Use the Amazon CloudFront geo restriction feature to restrict access to all of the paid subscription media at the country level.
18. Your company provides transcoding services for amateur producers to format their short films to a variety of video formats. Which service provides the best option for storing the videos?
A. Amazon Glacier
B. Amazon Simple Storage Service (Amazon S3)
C. Amazon Relational Database Service (Amazon RDS)
D. AWS Storage Gateway
19. A week before Cyber Monday last year, your corporate data center experienced a failed air conditioning unit that caused flooding into the server racks. The resulting outage cost your company significant revenue. Your CIO mandated a move to the cloud, but he is still concerned about catastrophic failures in a data center. What can you do to alleviate his concerns?
A. Distribute the architecture across multiple Availability Zones.
B. Use an Amazon Virtual Private Cloud (Amazon VPC) with subnets.
C. Launch the compute for the processing services in a placement group.
D. Purchase Reserved Instances for the processing services instances.
20. Your Amazon Virtual Private Cloud (Amazon VPC) includes multiple private subnets. The instances in these private subnets must access third-party payment Application Program Interfaces (APIs) over the Internet. Which option will provide highly available Internet access to the instances in the private subnets?
A. Create an AWS Storage Gateway in each Availability Zone and configure your routing to ensure that resources use the AWS Storage Gateway in the same Availability Zone.
B. Create a customer gateway in each Availability Zone and configure your routing to ensure that resources use the customer gateway in the same Availability Zone.
C. Create a Network Address Translation (NAT) gateway in each Availability Zone and configure your routing to ensure that resources use the NAT gateway in the same Availability Zone.
D. Create a NAT gateway in one Availability Zone and configure your routing to ensure that resources use that NAT gateway in all the Availability Zones.
Appendix A: Answers to Review Questions
Chapter 1: Introduction to AWS
1. D. A region is a named set of AWS resources in the same geographical area. A region comprises at least two Availability Zones. Endpoint, Collection, and Fleet do not describe a physical location around the world where AWS clusters data centers.
2. A. An Availability Zone is a distinct location within a region that is insulated from failures in other Availability Zones and provides inexpensive, low-latency network connectivity to other Availability Zones in the same region. Replication areas, geographic districts, and compute centers are not terms used to describe AWS data center locations.
3. B. A hybrid deployment is a way to connect infrastructure and applications between cloud-based resources and existing resources that are not located in the cloud. An all-in deployment refers to an environment that exclusively runs in the cloud. An on-premises deployment refers to an environment that runs exclusively in an organization's data center.
4. C. Amazon CloudWatch is a monitoring service for AWS Cloud resources and the applications organizations run on AWS. It allows organizations to collect and track metrics, collect and monitor log files, and set alarms. AWS IAM, Amazon SNS, and AWS CloudFormation do not provide visibility into resource utilization, application performance, and the operational health of your AWS resources.
5. B. Amazon DynamoDB is a fully managed, fast, and flexible NoSQL database service for all applications that need consistent, single-digit millisecond latency at any scale. Amazon SQS, Amazon ElastiCache, and Amazon RDS do not provide a NoSQL database service. Amazon SQS is a managed message queuing service. Amazon ElastiCache is a service that provides in-memory cache in the cloud. Finally, Amazon RDS provides managed relational databases.
6. A. Auto Scaling helps maintain application availability and allows organizations to scale Amazon Elastic Compute Cloud (Amazon EC2) capacity up or down automatically according to conditions defined for the particular workload. Not only can it be used to help ensure that the desired number of Amazon EC2 instances are running, but it also allows resources to scale in and out to match the demands of dynamic workloads. Amazon Glacier, Amazon SNS, and Amazon VPC do not provide services to scale compute capacity automatically.
7. D. Amazon CloudFront is a web service that provides a CDN to speed up distribution of your static and dynamic web content (for example, .html, .css, .php, image, and media files) to end users. Amazon CloudFront delivers content through a worldwide network of edge locations. Amazon EC2, Amazon Route 53, and AWS Storage Gateway do not provide the CDN services that are required to meet the needs of the photo sharing service.
8. A. Amazon EBS provides persistent block-level storage volumes for use with Amazon EC2 instances on the AWS Cloud. Amazon DynamoDB, Amazon Glacier, and AWS CloudFormation do not provide persistent block-level storage for Amazon EC2 instances. Amazon DynamoDB provides managed NoSQL databases. Amazon Glacier provides low-cost archival storage. AWS CloudFormation gives developers and systems administrators an easy way to create and manage a collection of related AWS resources.
9. C. Amazon VPC lets organizations provision a logically isolated section of the AWS Cloud where they can launch AWS resources in a virtual network that they define. Amazon SWF, Amazon Route 53, and AWS CloudFormation do not provide a virtual network. Amazon SWF helps developers build, run, and scale background jobs that have parallel or sequential steps. Amazon Route 53 provides a highly available and scalable cloud Domain Name System (DNS) web service. AWS CloudFormation gives developers and systems administrators an easy way to create and manage a collection of related AWS resources.
10. B. Amazon SQS is a fast, reliable, scalable, fully managed message queuing service that allows organizations to decouple the components of a cloud application. With Amazon SQS, organizations can transmit any volume of data, at any level of throughput, without losing messages or requiring other services to be always available. AWS CloudTrail records AWS API calls, and Amazon Redshift is a data warehouse; neither would be useful as an architecture component for decoupling components. Amazon SNS provides a messaging bus that complements Amazon SQS; however, it doesn't provide the decoupling of components necessary for this scenario.
Chapter 2: Amazon Simple Storage Service (Amazon S3) and Amazon Glacier Storage
1. D, E. Objects are stored in buckets, and objects contain both data and metadata.
2. B, D. Amazon S3 cannot be mounted to an Amazon EC2 instance like a file system and should not serve as primary database storage.
3. A, B, D. C and E are incorrect: objects are private by default, and storage in a bucket does not need to be pre-allocated.
4. B, C, E. Static website hosting does not restrict data access, and neither does an Amazon S3 lifecycle policy.
5. C, E. Versioning protects data against inadvertent or intentional deletion by storing all versions of the object, and MFA Delete requires a one-time code from a Multi-Factor Authentication (MFA) device to delete objects. Cross-region replication and migration to the Amazon Glacier storage class do not protect against deletion. Vault locks are a feature of Amazon Glacier, not a feature of Amazon S3.
6. C. Migrating the data to Amazon S3 Standard-IA after 30 days using a lifecycle policy is correct. Amazon S3 RRS should only be used for easily replicated data, not critical data. Migration to Amazon Glacier might minimize storage costs if retrievals are infrequent, but documents would not be available in minutes when needed.
7. B. Data is automatically replicated within a region. Replication to other regions and versioning are optional. Amazon S3 data is not backed up to tape.
8. C. In a URL, the bucket name precedes the string "s3.amazonaws.com/", and the object key is everything after that. There is no folder structure in Amazon S3.
9. C. Amazon S3 server access logs store a record of what requestor accessed the objects in your bucket, including the requesting IP address.
10. B, C. Cross-region replication can help lower latency and satisfy compliance requirements on distance. Amazon S3 is designed for eleven nines durability for objects in a single region, so a second region does not significantly increase durability. Cross-region replication does not protect against accidental deletion.
11. C. If data must be encrypted before being sent to Amazon S3, client-side encryption must be used.
12. B. Amazon S3 scales automatically, but for request rates over 100 GETs per second, it helps to make sure there is some randomness in the key space. Replication and logging will not affect performance or scalability. Using sequential key names could have a negative effect on performance or scalability.
13. A, D. You must enable versioning before you can enable cross-region replication, and Amazon S3 must have IAM permissions to perform the replication. Lifecycle rules migrate data from one storage class to another, not from one bucket to another. Static website hosting is not a prerequisite for replication.
14. B. Amazon S3 is the most cost-effective storage on AWS, and lifecycle policies are a simple and effective feature to address the business requirements.
15. B, C, E. Amazon S3 bucket policies cannot specify a company name or a country of origin, but they can specify a request IP range, an AWS account, and a prefix for the objects that can be accessed.
16. B, C. Amazon S3 provides read-after-write consistency for PUTs to new objects (new key), but eventual consistency for GETs and DELETEs of existing objects (existing key).
17. A, B, D. A, B, and D are required, and normally you also set a friendly CNAME to the bucket URL. Amazon S3 does not support FTP transfers, and HTTP does not need to be enabled.
18. B. Pre-signed URLs allow you to grant time-limited permission to download objects from an Amazon Simple Storage Service (Amazon S3) bucket. Static web hosting generally requires world-read access to all content. AWS IAM policies do not know who the authenticated users of the web app are. Logging can help track content loss, but not prevent it.
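The time-limited grant in answer 18 is easier to reason about once you have seen what a pre-signed URL actually contains. The following is an added example and not part of the study guide: it builds an Amazon S3 pre-signed GET URL by hand using Signature Version 4 query-string signing. The bucket, key and access-key pair are the placeholder values from the AWS documentation's own worked example, not real credentials; the seven-day upper bound on X-Amz-Expires is the limit AWS documents for SigV4.

```python
"""
Added example, not from the study guide: generating an Amazon S3 pre-signed
GET URL with Signature Version 4 query-string signing. The URL carries the
access key ID, the expiry and a signature; the secret key never leaves the
signer, and the grant is bounded by X-Amz-Expires and by the permissions of
the signing identity. Bucket, key and credentials are placeholders.
"""
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import quote

ALGORITHM = "AWS4-HMAC-SHA256"
MAX_EXPIRES = 7 * 24 * 3600       # SigV4 pre-signed URLs may not exceed seven days


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret_key: str, date_stamp: str, region: str, service: str = "s3") -> bytes:
    """Derive the day-scoped signing key: an HMAC chain over date, region, service."""
    k_date = _hmac(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def presign_get(bucket, key, access_key_id, secret_key, region, expires, now=None):
    """Return a pre-signed GET URL valid for `expires` seconds from `now` (UTC)."""
    if not 1 <= expires <= MAX_EXPIRES:
        raise ValueError("X-Amz-Expires must be between 1 second and 7 days")
    now = now or datetime.now(timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    host = f"{bucket}.s3.amazonaws.com"
    scope = f"{date_stamp}/{region}/s3/aws4_request"
    canonical_uri = "/" + quote(key, safe="/-_.~")
    params = {
        "X-Amz-Algorithm": ALGORITHM,
        "X-Amz-Credential": f"{access_key_id}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    # Canonical query string: keys sorted, every key and value URI-encoded.
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(params.items()))
    canonical_request = "\n".join([
        "GET",
        canonical_uri,
        canonical_query,
        f"host:{host}\n",       # canonical headers block, each line newline-terminated
        "host",                 # signed headers
        "UNSIGNED-PAYLOAD",     # pre-signed URLs do not hash the request body
    ])
    string_to_sign = "\n".join([
        ALGORITHM, amz_date, scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    signature = hmac.new(signing_key(secret_key, date_stamp, region),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"https://{host}{canonical_uri}?{canonical_query}&X-Amz-Signature={signature}"


def aws_doc_example_url():
    """Known-answer vector from the AWS SigV4 query-parameter documentation."""
    return presign_get("examplebucket", "test.txt",
                       "AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
                       "us-east-1", 86400, datetime(2013, 5, 24, tzinfo=timezone.utc))


if __name__ == "__main__":
    print(aws_doc_example_url())
```

Two practitioner notes follow from the code: anyone holding the URL can fetch the object until X-Amz-Expires elapses, so keep the window short and serve the URL only over TLS; and the URL is only as strong as the signing identity, so sign with a role or user that can read that one prefix rather than with an administrator's keys.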
19. A, C. Amazon Glacier is optimized for long-term archival storage and is not suited to data that needs immediate access or short-lived data that is erased within 90 days.
20. C, D, E. Amazon Glacier stores data in archives, which are contained in vaults. Archives are identified by system-created archive IDs, not key names.
Chapter 3: Amazon Elastic Compute Cloud (Amazon EC2) and Amazon Elastic Block Store (Amazon EBS)
1. C. Reserved Instances provide cost savings when you can commit to running instances full time, such as to handle the base traffic. On-Demand Instances provide the flexibility to handle traffic spikes, such as on the last day of the month.
2. B. Spot Instances are a very cost-effective way to address temporary compute needs that are not urgent and are tolerant of interruption. That's exactly the workload described here. Reserved Instances are inappropriate for temporary workloads. On-Demand Instances are good for temporary workloads, but don't offer the cost savings of Spot Instances. Adding more queues is a non-responsive answer as it would not address the problem.
3. C, D. The Amazon EC2 instance ID will be assigned by AWS as part of the launch process. The administrator password is assigned by AWS and encrypted via the public key. The instance type defines the virtual hardware and the AMI defines the initial software state. You must specify both upon launch.
4. A, C. You can change the instance type only within the same instance type family, or you can change the Availability Zone. You cannot change the operating system nor the instance type family.
5. D. When there are multiple security groups associated with an instance, all the rules are aggregated.
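The aggregation rule in answer 5 has a security consequence that is easy to miss: security group rules can only allow, so attaching a second, narrower group to an instance never removes access that another attached group already grants. The following added example (not from the study guide) models EC2's permissive union of rules; the group names, CIDR blocks and addresses are constructed for illustration.

```python
"""
Added example, not from the study guide: how EC2 evaluates several security
groups on one instance. The effective rule set is the union of every attached
group, and there is no deny rule, so a "restrictive" group cannot narrow what
another group opened. Group names, CIDRs and addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class IngressRule:
    protocol: str        # "tcp", "udp", "icmp" or "-1" for all protocols
    from_port: int
    to_port: int
    source: str          # CIDR block, e.g. "10.0.0.0/16" or "0.0.0.0/0"

    def matches(self, protocol: str, port: int, src_ip: str) -> bool:
        if self.protocol not in ("-1", protocol):
            return False
        if self.protocol != "-1" and not self.from_port <= port <= self.to_port:
            return False
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.source)


def ingress_allowed(groups: dict, protocol: str, port: int, src_ip: str) -> bool:
    """True if ANY rule in ANY attached group allows the packet (EC2 semantics)."""
    return any(rule.matches(protocol, port, src_ip)
               for rules in groups.values() for rule in rules)


# Constructed security groups.
WEB_SG = [
    IngressRule("tcp", 443, 443, "0.0.0.0/0"),   # HTTPS from anywhere
    IngressRule("tcp", 22, 22, "0.0.0.0/0"),     # SSH from anywhere: too broad
]
# Added by an operator hoping to "restrict" SSH to the corporate range.
BASTION_ONLY_SG = [
    IngressRule("tcp", 22, 22, "203.0.113.0/24"),
]


def effective_ssh_exposure() -> dict:
    """Is SSH reachable from an arbitrary Internet address in each scenario?"""
    internet_ip = "198.51.100.7"        # outside 203.0.113.0/24
    return {
        "web_sg_only": ingress_allowed(
            {"web": WEB_SG}, "tcp", 22, internet_ip),
        # Attaching the narrower group changes nothing: rules are unioned.
        "web_plus_bastion_sg": ingress_allowed(
            {"web": WEB_SG, "bastion": BASTION_ONLY_SG}, "tcp", 22, internet_ip),
        # The real fix is to remove the 0.0.0.0/0 SSH rule from WEB_SG.
        "web_sg_fixed_plus_bastion_sg": ingress_allowed(
            {"web": [WEB_SG[0]], "bastion": BASTION_ONLY_SG}, "tcp", 22, internet_ip),
    }


if __name__ == "__main__":
    for scenario, allowed in effective_ssh_exposure().items():
        print(f"{scenario:30s} SSH from the Internet allowed: {allowed}")
```

The practical check this implies: when auditing an instance, collect every attached group and evaluate the union, and when you need to block a source outright, use a network ACL deny rule rather than another security group.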
6. A, B, E. These are the benefits of enhanced networking.
7. A, B, D. The other answers have nothing to do with networking.
8. C. Dedicated Instances will not share hosts with other accounts.
9. B, C. Instance stores are low-durability, high-IOPS storage that is included for free with the hourly cost of an instance.
10. A, C. There are no tapes in the AWS infrastructure. Amazon EBS volumes persist when the instance is stopped. The data is automatically replicated within an Availability Zone. Amazon EBS volumes can be encrypted upon creation and used by an instance in the same manner as if they were not encrypted.
11. B. There is no delay in processing when commencing a snapshot.
12. B. The volume is created immediately but the data is loaded lazily. This means that the volume can be accessed upon creation, and if the data being requested has not yet been restored, it will be restored upon first request.
13. A, C. B and D are incorrect because an instance store will not be durable and a magnetic volume offers an average of 100 IOPS. Amazon EBS-optimized instances reserve network bandwidth on the instance for I/O, and Provisioned IOPS SSD volumes provide the highest consistent IOPS.
14. D. Bootstrapping runs the provided script, so anything you can accomplish in a script you can accomplish during bootstrapping.
15. C. The public half of the key pair is stored on the instance, and the private half can then be used to connect via SSH.
16. B, C. These are the possible outputs of VM Import/Export.
17. B, D. Neither the Windows machine name nor the Amazon EC2 instance ID can be resolved into an IP address to access the instance.
18. A. None of the other options will have any effect on the ability to connect.
19. C. A short period of heavy traffic is exactly the use case for the bursting nature of general-purpose SSD volumes; the rest of the day is more than enough time to build up enough IOPS credits to handle the nightly task. Instance stores are not durable, magnetic volumes cannot provide enough IOPS, and to set up a Provisioned IOPS SSD volume to handle the peak would mean spending money for more IOPS than you need.
20. B. There is a very small hourly charge for allocated elastic IP addresses that are not associated with an instance.
Chapter 4: Amazon Virtual Private Cloud (Amazon VPC)
1. C. The minimum size subnet that you can have in an Amazon VPC is /28.
2. C. You need two public subnets (one for each Availability Zone) and two private subnets (one for each Availability Zone). Therefore, you need four subnets.
3. A. Network ACLs are associated with a VPC subnet to control traffic flow.
4. A. The maximum size subnet that you can have in a VPC is /16.
5. D. By creating a route out to the Internet using an IGW, you have made this subnet public.
6. A. When you create an Amazon VPC, a route table is created by default. You must manually create subnets and an IGW.
7. C. When you provision an Amazon VPC, all subnets can communicate with each other by default.
8. A. You may only have one IGW for each Amazon VPC.
9. B. Security groups are stateful, whereas network ACLs are stateless.
10. C. You should disable source/destination checks on the NAT.
11. B, E. In the EC2-Classic network, the EIP will be disassociated from the instance; in the EC2-VPC network, the EIP remains associated with the instance. Regardless of the underlying network, a stop/start of an Amazon EBS-backed Amazon EC2 instance always changes the host computer.
12. D. Six VPC peering connections are needed for each of the four VPCs to send traffic to the others.
13. B. A DHCP option set allows customers to define DNS servers for DNS name resolution, establish domain names for instances within an Amazon VPC, define NTP servers, and define the NetBIOS name servers.
14. D. A CGW is the customer side of a VPN connection, and an IGW connects a network to the Internet. A VPG is the Amazon side of a VPN connection.
15. A. The default limit for the number of Amazon VPCs that a customer may have in a region is 5.
16. B. Network ACL rules can deny traffic.
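Answers 9 and 16 together describe the two properties that trip people up with network ACLs: rules are evaluated in rule-number order with an explicit deny available, and the ACL is stateless, so the return half of every connection needs its own rule. The following added example (not from the study guide) models that evaluation; the rule numbers, CIDR blocks and addresses are constructed, and the 1024-65535 ephemeral range is the usual client-side port range, assumed here for illustration.

```python
"""
Added example, not from the study guide: how a VPC network ACL evaluates a
packet. Rules are checked in ascending rule-number order, the first match
decides, an explicit deny is possible (unlike a security group), and the
implicit final rule denies anything unmatched. Because the ACL is stateless,
replies must be allowed separately; OUTBOUND_MISSING_EPHEMERAL models the
common mistake of forgetting that. All rule numbers, CIDRs and addresses
are constructed.
"""
import ipaddress
from dataclasses import dataclass

EPHEMERAL_PORTS = (1024, 65535)   # assumed client port range for return traffic


@dataclass(frozen=True)
class NaclRule:
    number: int        # lower numbers are evaluated first
    protocol: str      # "tcp", "udp", "icmp" or "-1" for all protocols
    port_from: int
    port_to: int
    cidr: str
    action: str        # "allow" or "deny"

    def matches(self, protocol: str, port: int, ip: str) -> bool:
        if self.protocol not in ("-1", protocol):
            return False
        if self.protocol != "-1" and not self.port_from <= port <= self.port_to:
            return False
        return ipaddress.ip_address(ip) in ipaddress.ip_network(self.cidr)


def evaluate_nacl(rules, protocol: str, port: int, ip: str) -> str:
    """First matching rule by number wins; no match means the '*' rule denies."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(protocol, port, ip):
            return rule.action
    return "deny"


INBOUND = [
    NaclRule(90, "tcp", 22, 22, "198.51.100.0/24", "deny"),   # block one range first
    NaclRule(100, "tcp", 22, 22, "0.0.0.0/0", "allow"),
    NaclRule(110, "tcp", 443, 443, "0.0.0.0/0", "allow"),
]
OUTBOUND_MISSING_EPHEMERAL = [
    NaclRule(100, "tcp", 443, 443, "0.0.0.0/0", "allow"),     # outbound HTTPS only
]
OUTBOUND_FIXED = OUTBOUND_MISSING_EPHEMERAL + [
    NaclRule(110, "tcp", *EPHEMERAL_PORTS, "0.0.0.0/0", "allow"),  # replies to clients
]


def https_session(outbound_rules, client_ip="203.0.113.5", client_port=51234) -> dict:
    """Check both halves of a client -> server HTTPS connection through the ACL."""
    request = evaluate_nacl(INBOUND, "tcp", 443, client_ip)          # client -> :443
    response = evaluate_nacl(outbound_rules, "tcp", client_port, client_ip)  # :443 -> client
    return {"request": request, "response": response,
            "session_works": request == "allow" and response == "allow"}


if __name__ == "__main__":
    print("SSH from 198.51.100.9:", evaluate_nacl(INBOUND, "tcp", 22, "198.51.100.9"))
    print("outbound ACL without ephemeral rule:", https_session(OUTBOUND_MISSING_EPHEMERAL))
    print("outbound ACL with ephemeral rule:   ", https_session(OUTBOUND_FIXED))
```

The ordering point matters for hardening: a deny rule only works if its number is lower than the allow it is meant to override, so put blocklist entries at the low end of the range and verify by evaluating a packet from the blocked source.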
17. D. IPsec is the security protocol supported by Amazon VPC.
18. D. An Amazon VPC endpoint enables you to create a private connection between your Amazon VPC and another AWS service without requiring access over the Internet or through a NAT device, VPN connection, or AWS Direct Connect.
19. A, C. The CIDR block is specified upon creation and cannot be changed. An Amazon VPC is associated with exactly one region, which must be specified upon creation. You can add a subnet to an Amazon VPC anytime after it has been created, provided its address range falls within the Amazon VPC CIDR block and does not overlap with the address range of any existing CIDR block. You can set up peering relationships between Amazon VPCs after they have been created.
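Answers 1, 2, 4 and 19 of this chapter are all constraints on address planning, so they are worth checking mechanically rather than by eye. The following added example (not from the study guide) validates a proposed subnet against those constraints and carves out the two-AZ public/private layout from answer 2. The VPC and subnet CIDRs and the Availability Zone names are constructed; the five reserved addresses per subnet are an AWS-documented fact that the answers above do not mention.

```python
"""
Added example, not from the study guide: the checks behind the VPC sizing and
subnet answers (subnets between /16 and /28, inside the VPC CIDR, not
overlapping an existing subnet) plus the two-AZ public/private layout of
answer 2. CIDRs and AZ names are constructed. RESERVED_PER_SUBNET reflects the
five addresses AWS reserves in every subnet (network, VPC router, DNS, future
use, broadcast).
"""
import ipaddress

LARGEST_PREFIX = 16       # /16 is the largest block allowed
SMALLEST_PREFIX = 28      # /28 is the smallest block allowed
RESERVED_PER_SUBNET = 5


def usable_addresses(subnet_cidr: str) -> int:
    """Addresses that can actually be assigned to network interfaces in a subnet."""
    return ipaddress.ip_network(subnet_cidr).num_addresses - RESERVED_PER_SUBNET


def validate_subnet(vpc_cidr: str, existing_subnets, new_subnet: str):
    """Return (ok, reason) for adding `new_subnet` to a VPC with `existing_subnets`."""
    vpc = ipaddress.ip_network(vpc_cidr)
    new = ipaddress.ip_network(new_subnet)
    if not LARGEST_PREFIX <= vpc.prefixlen <= SMALLEST_PREFIX:
        return False, f"VPC block /{vpc.prefixlen} is outside the /16../28 range"
    if not LARGEST_PREFIX <= new.prefixlen <= SMALLEST_PREFIX:
        return False, f"/{new.prefixlen} is outside the /16../28 range"
    if not new.subnet_of(vpc):
        return False, f"{new} is not inside the VPC block {vpc}"
    for cidr in existing_subnets:
        if new.overlaps(ipaddress.ip_network(cidr)):
            return False, f"{new} overlaps existing subnet {cidr}"
    return True, "ok"


def plan_subnets(vpc_cidr: str, availability_zones, new_prefix: int = 24) -> dict:
    """One public and one private subnet per AZ, allocated in order from the VPC block.

    Every candidate is passed through validate_subnet before it is accepted,
    so the returned plan is guaranteed non-overlapping and in range.
    """
    blocks = ipaddress.ip_network(vpc_cidr).subnets(new_prefix=new_prefix)
    plan = {}
    for az in availability_zones:
        for tier in ("public", "private"):
            candidate = str(next(blocks))
            ok, reason = validate_subnet(vpc_cidr, plan.values(), candidate)
            if not ok:
                raise ValueError(reason)
            plan[f"{tier}-{az}"] = candidate
    return plan


if __name__ == "__main__":
    for name, cidr in plan_subnets("10.0.0.0/16", ["us-east-1a", "us-east-1b"]).items():
        print(f"{name:20s} {cidr:16s} usable addresses: {usable_addresses(cidr)}")
```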
20. B. Attaching an ENI associated with a different subnet to an instance can make the instance dual-homed.
Chapter 5: Elastic Load Balancing, Amazon CloudWatch, and Auto Scaling
1. A, D. An Auto Scaling group must have a minimum size and a launch configuration defined in order to be created. Health checks and a desired capacity are optional.
2. B. The load balancer maintains two separate connections: one connection with the client and one connection with the Amazon EC2 instance.
3. D. Amazon CloudWatch metric data is kept for 2 weeks.
4. A. Only the launch configuration name, AMI, and instance type are needed to create an Auto Scaling launch configuration. Identifying a key pair, security group, and a block device mapping are optional elements for an Auto Scaling launch configuration.
5. B. You can use the Amazon CloudWatch Logs Agent installer on existing Amazon EC2 instances to install and configure the CloudWatch Logs Agent.
6. C. You configure your load balancer to accept incoming traffic by specifying one or more listeners.
7. D. The default Amazon EC2 instance limit for all regions is 20.
8. A. An SSL certificate must carry the name of the website either in the subject name or as a value in the SAN extension of the certificate; otherwise connecting clients receive a warning.
9. C. When Amazon EC2 instances fail the requisite number of consecutive health checks, the load balancer stops sending traffic to the Amazon EC2 instance.
10. D. Amazon CloudWatch metrics provide hypervisor-visible metrics.
11. C. Auto Scaling is designed to scale out based on an event like increased traffic while being cost effective when not needed.
12. B. Auto Scaling will provide high availability across three Availability Zones with three Amazon EC2 instances in each and keep capacity above the required minimum capacity, even in the event of an entire Availability Zone becoming unavailable.
13. B, E, F. Auto Scaling responds to changing conditions by adding or terminating instances, launches instances from an AMI specified in the launch configuration associated with the Auto Scaling group, and enforces a minimum number of instances in the min-size parameter of the Auto Scaling group.
14. D. A, B, and C are all true statements about launch configurations being loosely coupled and referenced by the Auto Scaling group instead of being part of the Auto Scaling group.
15. A, C. An Auto Scaling group may use On-Demand and Spot Instances. An Auto Scaling group may not use already stopped instances, instances running someplace other than AWS, and already running instances not started by the Auto Scaling group itself.
16. A, F. Amazon CloudWatch has two plans: basic, which is free, and detailed, which has an additional cost. There is no ad hoc plan for Amazon CloudWatch.
17. A, C, D. An Elastic Load Balancing health check may be a ping, a connection attempt, or a page that is checked.
18. B, C. When connection draining is enabled, the load balancer will stop sending requests to a deregistered or unhealthy instance and attempt to complete in-flight requests until a connection draining timeout period is reached, which is 300 seconds by default.
19. B, E, F. Elastic Load Balancing supports Internet-facing, internal, and HTTPS load balancers.
20. B, D, E. Auto Scaling supports maintaining the current size of an Auto Scaling group using four plans: maintain current levels, manual scaling, scheduled scaling, and dynamic scaling.
Chapter 6: AWS Identity and Access Management (IAM)
1. B, C. Programmatic access is authenticated with an access key, not with usernames/passwords. IAM roles provide a temporary security token to an application using an SDK.
2. A, C. IAM policies are independent of region, so no region is specified in the policy. IAM policies are about authorization for an already-authenticated principal, so no password is needed.
3. A, B, C, E. Locking down your root user and all accounts to which the administrator had access is the key here. Deleting all IAM accounts is not necessary, and it would cause great disruption to your operations. Amazon EC2 roles use temporary security tokens, so relaunching Amazon EC2 instances is not necessary.
4. B, D. IAM controls access to AWS resources only. Installing ASP.NET will require Windows operating system authorization, and querying an Oracle database will require Oracle authorization.
5. A, C. Amazon DynamoDB global secondary indexes are a performance feature of Amazon DynamoDB; Consolidated Billing is an accounting feature allowing all bills to roll up under a single account. While both are very valuable features, neither is a security feature.
6. B, C. Amazon EC2 roles must still be assigned a policy. Integration with Active Directory involves integration between Active Directory and IAM via SAML.
7. A, D. Amazon EC2 roles provide a temporary token to applications running on the instance; federation maps policies to identities from other sources via temporary tokens.
8. A, C, D. Neither B nor E is a feature supported by IAM.
9. B, C. Access requires an appropriate policy associated with a principal. Response A is merely a policy with no principal, and response D is not a principal, as IAM groups do not have usernames and passwords. Response B is the best solution; response C will also work, but it is much harder to manage.
10. C. An IAM policy is a JSON document.
Chapter 7: Databases and AWS
1. B. Amazon RDS is best suited for traditional OLTP transactions. Amazon Redshift, on the other hand, is designed for OLAP workloads. Amazon Glacier is designed for cold archival storage.
2. D. Amazon DynamoDB is best suited for non-relational databases. Amazon RDS and Amazon Redshift are both structured relational databases.
3. C. In this scenario, the best idea is to use read replicas to scale out the database and thus maximize read performance. When using Multi-AZ, the secondary database is not accessible and all reads and writes must go to the primary or any read replicas.
4. A. Amazon Redshift is best suited for traditional OLAP transactions. While Amazon RDS can also be used for OLAP, Amazon Redshift is purpose-built as an OLAP data warehouse.
5. B. DB snapshots can be used to restore a complete copy of the database at a specific point in time. Individual tables cannot be extracted from a snapshot.
6. A. All Amazon RDS database engines support Multi-AZ deployment.
7. B. Read replicas are supported by MySQL, MariaDB, PostgreSQL, and Aurora.
8. A. You can force a failover from one Availability Zone to another by rebooting the primary instance in the AWS Management Console. This is often how people test a failover in the real world. There is no need to create a support case.
9. D. Monitor the environment while Amazon RDS attempts to recover automatically. AWS will update the DB endpoint to point to the secondary instance automatically.
10. A. Amazon RDS supports Microsoft SQL Server Enterprise edition, and the license is available only under the BYOL model.
11. B. General Purpose (SSD) volumes are generally the right choice for databases that have bursts of activity.
12. B. NoSQL databases like Amazon DynamoDB excel at scaling to hundreds of thousands of requests with key/value access to user profile and session data.
13. A, C, D. DB snapshots allow you to back up and recover your data, while read replicas and a Multi-AZ deployment allow you to replicate your data and reduce the time to failover.
14. C, D. Amazon RDS allows for the creation of one or more read replicas for many engines that can be used to handle reads. Another common pattern is to create a cache using Memcached and Amazon ElastiCache to store frequently used queries. The Multi-AZ standby DB instance is not accessible and cannot be used to offload queries.
15. A, B, C. Protecting your database requires a multilayered approach that secures the infrastructure, the network, and the database itself. Amazon RDS is a managed service, and direct access to the OS is not available.
16. A, B, C. Vertically scaling up is one of the simpler options that can give you additional processing power without making any architectural changes. Read replicas require some application changes but let you scale processing power horizontally. Finally, busy databases are often I/O-bound, so upgrading storage to General Purpose (SSD) or Provisioned IOPS (SSD) can often allow for additional request processing.
17. C. Query is the most efficient operation to find a single item in a large table.
18. A. Using the Username as a partition key will evenly spread your users across the partitions. Messages are often filtered down by time range, so Timestamp makes sense as a sort key.
19. B, D. You can only have a single local secondary index, and it must be created at the same time the table is created. You can create many global secondary indexes after the table has been created.
20. B, C. Amazon Redshift is an Online Analytical Processing (OLAP) data warehouse designed for analytics, Extract, Transform, Load (ETL), and high-speed querying. It is not well suited for running transactional applications that require high volumes of small inserts or updates.
Chapter 8: SQS, SWF, and SNS
1. D. Amazon DynamoDB is not a supported Amazon SNS protocol.
2. A. When you create a new Amazon SNS topic, an Amazon ARN is created automatically.
3. A, C, D. Publishers, subscribers, and topics are the correct answers. You have subscribers to an Amazon SNS topic, not readers.
4. A. The default time for an Amazon SQS visibility timeout is 30 seconds.
5. D. The maximum time for an Amazon SQS visibility timeout is 12 hours.
6. B, D. The valid properties of an SQS message are Message ID and Body. Each message receives a system-assigned Message ID that Amazon SQS returns to you in the SendMessage response. The Message Body is composed of name/value pairs and the unstructured, uninterpreted content.
7. B. Use a single domain with multiple workflows. Workflows within separate domains cannot interact.
8. A, B, C. In Amazon SWF, actors can be activity workers, workflow starters, or deciders.
9. B. Amazon SWF would best serve your purpose in this scenario because it helps developers build, run, and scale background jobs that have parallel or sequential steps. You can think of Amazon SWF as a fully managed state tracker and task coordinator in the Cloud.
10. D. Amazon SQS does not guarantee in what order your messages will be delivered.
11. A. Multiple queues can subscribe to an Amazon SNS topic, which can enable parallel asynchronous processing.
12. D.Longpollingallowsyourapplicationtopollthequeue,and,ifnothingisthere,AmazonElasticComputeCloud(AmazonEC2)waitsforanamountoftimeyouspecify(between1and20seconds).Ifamessagearrivesinthattime,itisdeliveredtoyourapplicationassoonaspossible.Ifamessagedoesnotarriveinthattime,youneedtoexecutetheReceiveMessagefunctionagain.
13. B.ThemaximumtimeforanAmazonSQSlongpollingtimeoutis20seconds.
14. D.ThelongestconfigurablemessageretentionperiodforAmazonSQSis14days.
15. B.ThedefaultmessageretentionperiodthatcanbesetinAmazonSQSisfourdays.
16. D.WithAmazonSNS,yousendindividualormultiplemessagestolargenumbersofrecipientsusingpublisherandsubscriberclienttypes.
17. B.Thedeciderschedulestheactivitytasksandprovidesinputdatatotheactivityworkers.Thedecideralsoprocesseseventsthatarrivewhiletheworkflowisinprogressandclosestheworkflowwhentheobjectivehasbeencompleted.
18. C.Topicnamesshouldtypicallybeavailableforreuseapproximately30–60secondsaftertheprevioustopicwiththesamenamehasbeendeleted.Theexacttimewilldependonthenumberofsubscriptionsactiveonthetopic;topicswithafewsubscriberswillbe
![Page 504: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us](https://reader034.fdocuments.in/reader034/viewer/2022051903/5ff3f0af59eac925a1655b52/html5/thumbnails/504.jpg)
availableinstantlyforreuse,whiletopicswithlargersubscriberlistsmaytakelonger.
19. C.ThemaindifferencebetweenAmazonSQSpoliciesandIAMpoliciesisthatanAmazonSQSpolicyenablesyoutograntadifferentAWSaccountpermissiontoyourAmazonSQSqueues,butanIAMpolicydoesnot.
20. C.No.Afteramessagehasbeensuccessfullypublishedtoatopic,itcannotberecalled.
Chapter 9: Domain Name System (DNS) and Amazon Route 53
1. C. An AAAA record is used to route traffic to an IPv6 address, whereas an A record is used to route traffic to an IPv4 address.
2. B. Domain names are registered with a domain registrar, which then registers the name to InterNIC.
3. C. You should route your traffic based on where your end users are located. The best routing policy to achieve this is geolocation routing.
4. D. A PTR record is used to resolve an IP address to a domain name, and it is commonly referred to as “reverse DNS.”
5. B. You want your users to have the fastest network access possible. To do this, you would use latency-based routing. Geolocation routing would not achieve this as well as latency-based routing, which is specifically geared toward measuring the latency and thus would direct you to the AWS region in which you would have the lowest latency.
6. C. You would use Mail eXchange (MX) records to define which inbound destination mail server should be used.
7. B. SPF records are used to verify authorized senders of mail from your domain.
8. B. Weighted routing would best achieve this objective because it allows you to specify which percentage of traffic is directed to each endpoint.
9. D. The start of a zone is defined by the SOA; therefore, all zones must have an SOA record by default.
10. D. Failover-based routing would best achieve this objective.
11. B. The CNAME record maps a name to another name. It should be used only when there are no other records on that name.
12. C. Amazon Route 53 performs three main functions: domain registration, DNS service, and health checking.
13. A. A TXT record is used to store arbitrary and unformatted text with a host.
14. C. The resource record sets contained in a hosted zone must share the same suffix.
15. B. DNS uses port number 53 to serve requests.
16. D. DNS primarily uses UDP to serve requests.
17. A. The TCP protocol is used by the DNS server when the response data size exceeds 512 bytes or for tasks such as zone transfers.
18. B. Using Amazon Route 53, you can create two types of hosted zones: public hosted zones and private hosted zones.
19. D. Amazon Route 53 can route queries to a variety of AWS resources such as an Amazon CloudFront distribution, an Elastic Load Balancing load balancer, an Amazon EC2 instance, a website hosted in an Amazon S3 bucket, and an Amazon Relational Database (Amazon RDS).
20. D. You must first transfer the existing domain registration from another registrar to Amazon Route 53 to configure it as your DNS service.
Chapter 10: Amazon ElastiCache
1. A, B, C. Many types of objects are good candidates to cache because they have the potential to be accessed by numerous users repeatedly. Even the balance of a bank account could be cached for short periods of time if the back-end database query is slow to respond.
2. B, C. Amazon ElastiCache supports Memcached and Redis cache engines. MySQL is not a cache engine, and Couchbase is not supported.
3. C. The default limit is 20 nodes per cluster.
4. A. Redis clusters can only contain a single node; however, you can group multiple clusters together into a replication group.
5. B, C. Amazon ElastiCache is Application Programming Interface (API)-compatible with existing Memcached clients and does not require the application to be recompiled or linked against the libraries. Amazon ElastiCache manages the deployment of the Amazon ElastiCache binaries.
6. B, C. Amazon ElastiCache with the Redis engine allows for both manual and automatic snapshots. Memcached does not have a backup function.
7. B, C, D. Limit access at the network level using security groups or network ACLs, and limit infrastructure changes using IAM.
8. C. Amazon ElastiCache with Redis provides native functions that simplify the development of leaderboards. With Memcached, it is more difficult to sort and rank large datasets. Amazon Redshift and Amazon S3 are not designed for high volumes of small reads and writes, typical of a mobile game.
9. A. When the clients are configured to use Auto Discovery, they can discover new cache nodes as they are added or removed. Auto Discovery must be configured on each client and is not active server side. Updating the configuration file each time will be very difficult to manage. Using an Elastic Load Balancer is not recommended for this scenario.
10. A, B. Amazon ElastiCache supports both Memcached and Redis. You can run self-managed installations of Membase and Couchbase using Amazon Elastic Compute Cloud (Amazon EC2).
Chapter 11: Additional Key Services
1. B, C, E. Amazon CloudFront can use an Amazon S3 bucket or any HTTP server, whether or not it is running in Amazon EC2. A Route 53 Hosted Zone is a set of DNS resource records, while an Auto Scaling Group launches or terminates Amazon EC2 instances automatically. Neither can be specified as an origin server for a distribution.
2. A, C. The site in A is “popular” and supports “users around the world,” key indicators that CloudFront is appropriate. Similarly, the site in C is “heavily used,” and requires private content, which is supported by Amazon CloudFront. Both B and D are corporate use cases where the requests come from a single geographic location or appear to come from one (because of the VPN). These use cases will generally not see benefit from Amazon CloudFront.
3. C, E. Using multiple origins and setting multiple cache behaviors allow you to serve static and dynamic content from the same distribution. Origin Access Identifiers and signed URLs support serving private content from Amazon CloudFront, while multiple edge locations are simply how Amazon CloudFront serves any content.
4. B. Amazon CloudFront OAI is a special identity that can be used to restrict access to an Amazon S3 bucket only to an Amazon CloudFront distribution. Signed URLs, signed cookies, and IAM bucket policies can help to protect content served through Amazon CloudFront, but OAIs are the simplest way to ensure that only Amazon CloudFront has access to a bucket.
5. C. AWS Storage Gateway allows you to access data in Amazon S3 locally, with the Gateway-Cached volume configuration allowing you to expand a relatively small amount of local storage into Amazon S3.
6. B. Simple AD is a Microsoft Active Directory-compatible directory that is powered by Samba 4. Simple AD supports commonly used Active Directory features such as user accounts, group memberships, domain-joining Amazon Elastic Compute Cloud (Amazon EC2) instances running Linux and Microsoft Windows, Kerberos-based Single Sign-On (SSO), and group policies.
7. C. AWS KMS CMKs are the fundamental resources that AWS KMS manages. CMKs can never leave AWS KMS unencrypted, but data keys can.
8. D. AWS KMS uses envelope encryption to protect data. AWS KMS creates a data key, encrypts it under a Customer Master Key (CMK), and returns plaintext and encrypted versions of the data key to you. You use the plaintext key to encrypt data and store the encrypted key alongside the encrypted data. You can retrieve a plaintext data key only if you have the encrypted data key and you have permission to use the corresponding master key.
9. A. AWS CloudTrail records important information about each API call, including the name of the API, the identity of the caller, the time of the API call, the request parameters, and the response elements returned by the AWS Cloud service.
10. B, C. Encryption context is a set of key/value pairs that you can pass to AWS KMS when you call the Encrypt, Decrypt, ReEncrypt, GenerateDataKey, and GenerateDataKeyWithoutPlaintext APIs. Although the encryption context is not included in the ciphertext, it is cryptographically bound to the ciphertext during encryption and must be passed again when you call the Decrypt (or ReEncrypt) API. Invalid ciphertext for decryption is plaintext that has been encrypted in a different AWS account or ciphertext that has been altered since it was originally encrypted.
11. B. Because the Internet connection is full, the best solution will be based on using AWS Import/Export to ship the data. The most appropriate storage location for data that must be stored, but is very rarely accessed, is Amazon Glacier.
12. C. Because the job is run monthly, a persistent cluster will incur unnecessary compute costs during the rest of the month. Amazon Kinesis is not appropriate because the company is running analytics as a batch job and not on a stream. A single large instance does not scale out to accommodate the large compute needs.
13. D. The Amazon Kinesis services enable you to work with large data streams. Within the Amazon Kinesis family of services, Amazon Kinesis Firehose saves streams to AWS storage services, while Amazon Kinesis Streams provide the ability to process the data in the stream.
14. C. Amazon Data Pipeline allows you to run regular Extract, Transform, Load (ETL) jobs on Amazon and on-premises data sources. The best storage for large data is Amazon S3, and Amazon Redshift is a large-scale data warehouse service.
15. B. Amazon Kinesis Firehose allows you to ingest massive streams of data and store the data on Amazon S3 (as well as Amazon Redshift and Amazon Elasticsearch).
16. C. AWS OpsWorks uses Chef recipes to start new app server instances, configure application server software, and deploy applications. Organizations can leverage Chef recipes to automate operations like software configurations, package installations, database setups, server scaling, and code deployment.
17. A. With AWS CloudFormation, you can reuse your template to set up your resources consistently and repeatedly. Just describe your resources once and then provision the same resources over and over in multiple stacks.
18. B. AWS Trusted Advisor inspects your AWS environment and makes recommendations when opportunities exist to save money, improve system availability and performance, or help close security gaps. AWS Trusted Advisor draws upon best practices learned from the aggregated operational history of serving hundreds of thousands of AWS customers.
19. A. AWS Config is a fully managed service that provides you with an AWS resource inventory, configuration history, and configuration change notifications to enable security and governance. With AWS Config, you can discover existing and deleted AWS resources, determine your overall compliance against rules, and dive into configuration details of a resource at any point in time. These capabilities enable compliance auditing.
20. D. AWS Elastic Beanstalk is the fastest and simplest way to get an application up and running on AWS. Developers can simply upload their application code, and the service automatically handles all the details such as resource provisioning, load balancing, Auto Scaling, and monitoring.
Chapter 12: Security on AWS
1. B. All decommissioned magnetic storage devices are degaussed and physically destroyed in accordance with industry-standard practices.
2. C. The administrator password is encrypted with the public key of the key pair, and you provide the private key to decrypt the password. Then log in to the instance as the administrator with the decrypted password.
3. C. By default, network access is turned off to a DB Instance. You can specify rules in a security group that allows access from an IP address range, port, or Amazon Elastic Compute Cloud (Amazon EC2) security group.
4. A. Amazon S3 SSE uses one of the strongest block ciphers available, 256-bit AES.
5. C. IAM permits users to have no more than two active access keys at one time.
6. B. The shared responsibility model is the name of the model employed by AWS with its customers.
7. D. When you choose AWS KMS for key management with Amazon Redshift, there is a four-tier hierarchy of encryption keys. These keys are the master key, a cluster key, a database key, and data encryption keys.
8. D. Elastic Load Balancing supports the Server Order Preference option for negotiating connections between a client and a load balancer. During the SSL connection negotiation process, the client and the load balancer present a list of ciphers and protocols that they each support, in order of preference. By default, the first cipher on the client’s list that matches any one of the load balancer’s ciphers is selected for the SSL connection. If the load balancer is configured to support Server Order Preference, then the load balancer selects the first cipher in its list that is in the client’s list of ciphers. This ensures that the load balancer determines which cipher is used for the SSL connection. If you do not enable Server Order Preference, the order of ciphers presented by the client is used to negotiate connections between the client and the load balancer.
9. C. Amazon WorkSpaces uses PCoIP, which provides an interactive video stream without transmitting actual data.
10. C. Distributing applications across multiple Availability Zones provides the ability to remain resilient in the face of most failure modes, including natural disasters or system failures.
11. A. A virtual MFA device uses a software application that generates six-digit authentication codes that are compatible with the TOTP standard, as described in RFC 6238.
12. B, D. Amazon DynamoDB does not have a server-side feature to encrypt items within a table. You need to use a solution outside of DynamoDB such as a client-side library to encrypt items before storing them, or a key management service like AWS Key Management Service to manage keys that are used to encrypt items before storing them in DynamoDB.
13. B. If your private key can be read or written to by anyone but you, then SSH ignores your key.
14. D. Amazon Cognito Identity supports public identity providers—Amazon, Facebook, and Google—as well as unauthenticated identities.
15. A. An instance profile is a container for an IAM role that you can use to pass role information to an Amazon EC2 instance when the instance starts.
16. B. A network ACL is an optional layer of security for your Amazon VPC that acts as a firewall for controlling traffic in and out of one or more subnets. You might set up network ACLs with rules similar to your security groups in order to add an additional layer of security to your Amazon VPC.
17. D. The Signature Version 4 signing process describes how to add authentication information to AWS requests. For security, most requests to AWS must be signed with an access key (Access Key ID [AKI] and Secret Access Key [SAK]). If you use the AWS Command Line Interface (AWS CLI) or one of the AWS Software Development Kits (SDKs), those tools automatically sign requests for you based on credentials that you specify when you configure the tools. However, if you make direct HTTP or HTTPS calls to AWS, you must sign the requests yourself.
18. B. Dedicated instances are physically isolated at the host hardware level from your instances that aren’t dedicated instances and from instances that belong to other AWS accounts.
19. C. Amazon EMR starts your instances in two Amazon Elastic Compute Cloud (Amazon EC2) security groups, one for the master and another for the slaves. The master security group has a port open for communication with the service. It also has the SSH port open to allow you to securely connect to the instances via SSH using the key specified at startup. The slaves start in a separate security group, which only allows interaction with the master instance. By default, both security groups are set up to prevent access from external sources, including Amazon EC2 instances belonging to other customers. Because these are security groups in your account, you can reconfigure them using the standard Amazon EC2 tools or dashboard.
20. A. When you create an Amazon EBS volume in an Availability Zone, it is automatically replicated within that Availability Zone to prevent data loss due to failure of any single hardware component. An EBS Snapshot creates a copy of an EBS volume to Amazon S3 so that copies of the volume can reside in different Availability Zones within a region.
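Answer 17 in this chapter states that direct HTTP or HTTPS calls to AWS must be signed with the Signature Version 4 process, but the study guide does not show the process itself. The block below is an added example, not code from the book or from AWS's SDKs: a standard-library Python implementation of the SigV4 steps (canonical request, string to sign, derived signing key, Authorization header) together with the matching server-side check, which recomputes the signature from the received request and the stored secret and compares the two in constant time. The request, host, timestamp and credentials are constructed sample values; the access key and secret are the placeholder values AWS uses in its documentation, not real credentials.

```python
import hashlib
import hmac
from urllib.parse import quote

ALGORITHM = "AWS4-HMAC-SHA256"


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def canonical_request(method, path, query, headers, payload):
    """Step 1: canonical request. Query names/values are URI-encoded and sorted;
    header names are lowercased, values trimmed, and headers sorted by name."""
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(query.items()))
    norm = {k.lower().strip(): " ".join(v.split()) for k, v in headers.items()}
    signed_headers = ";".join(sorted(norm))
    canonical_headers = "".join(f"{k}:{norm[k]}\n" for k in sorted(norm))
    creq = "\n".join([method.upper(), path, canonical_query, canonical_headers,
                      signed_headers, _sha256_hex(payload)])
    return creq, signed_headers


def signing_key(secret_key, date_stamp, region, service):
    """Step 3: derive a per-day, per-region, per-service key, so the long-lived
    secret is never used directly on a request."""
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def sign_request(access_key, secret_key, region, service, method, host, path,
                 query, headers, payload, amz_date):
    """Steps 1-4: produce the Authorization header for one request."""
    date_stamp = amz_date[:8]
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    all_headers = {**headers, "host": host, "x-amz-date": amz_date}
    creq, signed_headers = canonical_request(method, path, query, all_headers, payload)
    # Step 2: the string to sign binds algorithm, timestamp, scope and request hash.
    sts = "\n".join([ALGORITHM, amz_date, scope, _sha256_hex(creq.encode("utf-8"))])
    signature = hmac.new(signing_key(secret_key, date_stamp, region, service),
                         sts.encode("utf-8"), hashlib.sha256).hexdigest()
    authorization = (f"{ALGORITHM} Credential={access_key}/{scope}, "
                     f"SignedHeaders={signed_headers}, Signature={signature}")
    return {"canonical_request": creq, "string_to_sign": sts, "signature": signature,
            "headers": {**all_headers, "authorization": authorization}}


def verify_request(secret_lookup, method, host, path, query, headers, payload):
    """Server side: recompute the signature from the received request and the
    stored secret, then compare in constant time. Any change to a signed part
    (method, path, query, signed headers, payload, timestamp) breaks the match."""
    try:
        lowered = {k.lower(): v for k, v in headers.items()}
        auth = lowered["authorization"]
        if not auth.startswith(ALGORITHM + " "):
            return False
        parts = dict(p.strip().split("=", 1) for p in auth[len(ALGORITHM) + 1:].split(","))
        access_key, date_stamp, region, service, _ = parts["Credential"].split("/")
        amz_date = lowered["x-amz-date"]
        if amz_date[:8] != date_stamp:
            return False  # credential scope must match the request timestamp
        secret = secret_lookup(access_key)
        if secret is None:
            return False
        # Only the headers the client declared as signed enter the canonical request.
        subset = {name: lowered[name] for name in parts["SignedHeaders"].split(";")}
    except (KeyError, ValueError):
        return False
    expected = sign_request(access_key, secret, region, service, method, host, path,
                            query, subset, payload, amz_date)
    return hmac.compare_digest(expected["signature"], parts["Signature"])


# Constructed sample request (hypothetical host). The access key and secret are the
# placeholder values AWS uses in its own documentation, not real credentials.
SAMPLE_ACCESS_KEY = "AKIDEXAMPLE"
SAMPLE_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
SAMPLE = dict(region="us-east-1", service="iam", method="GET",
              host="example.amazonaws.com", path="/",
              query={"Action": "ListUsers", "Version": "2010-05-08"},
              headers={"Content-Type": "application/x-www-form-urlencoded; charset=utf-8"},
              payload=b"", amz_date="20150830T123600Z")


def sign_sample():
    return sign_request(SAMPLE_ACCESS_KEY, SAMPLE_SECRET_KEY, **SAMPLE)


def verify_sample(received_headers, query=None):
    """Check the sample as the service would; pass a different query to show
    that a tampered request fails verification."""
    secrets = {SAMPLE_ACCESS_KEY: SAMPLE_SECRET_KEY}
    return verify_request(secrets.get, SAMPLE["method"], SAMPLE["host"], SAMPLE["path"],
                          SAMPLE["query"] if query is None else query,
                          received_headers, SAMPLE["payload"])


if __name__ == "__main__":
    signed = sign_sample()
    print(signed["headers"]["authorization"])
    print("verifies:", verify_sample(signed["headers"]))
    print("tampered query verifies:", verify_sample(signed["headers"], {"Action": "DeleteUser"}))
```

The derived signing key is why a leaked signature is far less damaging than a leaked secret: the key that actually signs is scoped to one date, region and service, and the secret itself never appears on the wire. On the verifying side, `hmac.compare_digest` avoids leaking how many leading bytes of the signature matched, and the date-stamp check ties the credential scope to the `x-amz-date` header that was signed.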
Chapter 13: AWS Risk and Compliance
1. A, B, C. Answers A through C describe valid mechanisms that AWS uses to communicate with customers regarding its security and control environment. AWS does not allow customers’ auditors direct access to AWS data centers, infrastructure, or staff.
2. C. The shared responsibility model can include IT controls, and it is not just limited to security considerations. Therefore, answer C is correct.
3. A. AWS provides IT control information to customers through either specific control definitions or general control standard compliance.
4. A, B, D. There is no such thing as a SOC 4 report, therefore answer C is incorrect.
5. A. IT governance is still the customer’s responsibility.
6. D. Any number of components of a workload can be moved into AWS, but it is the customer’s responsibility to ensure that the entire workload remains compliant with various certifications and third-party attestations.
7. B. An Availability Zone consists of multiple discrete data centers, each with their own redundant power and networking/connectivity, therefore answer B is correct.
8. A, C. AWS regularly scans public-facing, non-customer endpoint IP addresses and notifies appropriate parties. AWS does not scan customer instances, and customers must request the ability to perform their own scans in advance, therefore answers A and C are correct.
9. B. AWS publishes information publicly online and directly to customers under NDA, but customers are not required to share their use and configuration information with AWS, therefore answer B is correct.
10. C. AWS has developed a strategic business plan, and customers should also develop and maintain their own risk management plans, therefore answer C is correct.
11. B. The collective control environment includes people, processes, and technology necessary to establish and maintain an environment that supports the operating effectiveness of the AWS control framework. Energy is not a discretely identified part of the control environment, therefore B is the correct answer.
12. D. Customers are responsible for ensuring all of their security group configurations are appropriate for their own applications, therefore answer D is correct.
13. C. Customers should ensure that they implement control objectives that are designed to meet their organization’s own unique compliance requirements, therefore answer C is correct.
Chapter 14: Architecture Best Practices
1. B, E. Amazon Kinesis is a platform for streaming data on AWS, offering powerful services to make it easy to load and analyze streaming data. Amazon SQS is a fast, reliable, scalable, and fully managed message queuing service. Amazon SQS makes it simple and cost-effective to decouple the components of a cloud application.
2. B, C. Launching instances across multiple Availability Zones helps ensure the application is isolated from failures in a single Availability Zone, allowing the application to achieve higher availability. Whether you are running one Amazon EC2 instance or thousands, you can use Auto Scaling to detect impaired Amazon EC2 instances and unhealthy applications and replace the instances without your intervention. This ensures that your application is getting the compute capacity that you expect, thereby maintaining your availability.
3. A, E. Amazon DynamoDB runs across AWS proven, high-availability data centers. The service replicates data across three facilities in an AWS region to provide fault tolerance in the event of a server failure or Availability Zone outage. Amazon S3 provides durable infrastructure to store important data and is designed for durability of 99.999999999% of objects. Your data is redundantly stored across multiple facilities and multiple devices in each facility. While Elastic Load Balancing and Amazon ElastiCache can be deployed across multiple Availability Zones, you must explicitly take such steps when creating them.
4. A, D. Auto Scaling enables you to follow the demand curve for your applications closely, reducing the need to provision Amazon EC2 capacity manually in advance. For example, you can set a condition to add new Amazon EC2 instances in increments to the Auto Scaling group when the average CPU and network utilization of your Amazon EC2 fleet monitored in Amazon CloudWatch is high; similarly, you can set a condition to remove instances in the same increments when CPU and network utilization are low.
5. B, D, E. There is no direct way to encrypt an existing unencrypted volume. However, you can migrate data between encrypted and unencrypted volumes.
6. A, C, D. The attack surface is composed of the different Internet entry points that allow access to your application. The strategy to minimize the attack surface area is to (a) reduce the number of necessary Internet entry points, (b) eliminate non-critical Internet entry points, (c) separate end user traffic from management traffic, (d) obfuscate necessary Internet entry points to the level that untrusted end users cannot access them, and (e) decouple Internet entry points to minimize the effects of attacks. This strategy can be accomplished with Amazon VPC.
7. C. Amazon RDS read replicas provide enhanced performance and durability for Amazon RDS instances. This replication feature makes it easy to scale out elastically beyond the capacity constraints of a single Amazon RDS instance for read-heavy database workloads. You can create one or more replicas of a given source Amazon RDS instance and serve high-volume application read traffic from multiple copies of your data, thereby increasing aggregate read throughput.
8. A. An alias resource record set can point to an ELB. You cannot create a CNAME record at the top node of a Domain Name Service (DNS) namespace, also known as the zone apex, as is the case in this example. Alias resource record sets can save you time because Amazon Route 53 automatically recognizes changes in the resource record sets to which the alias resource record set refers.
9. D. An instance profile is a container for an AWS Identity and Access Management (IAM) role that you can use to pass role information to an Amazon EC2 instance when the instance starts. The IAM role should have a policy attached that only allows access to the AWS Cloud services necessary to perform its function.
10. B. Amazon API Gateway is a fully managed service that makes it easy for developers to publish, maintain, monitor, and secure APIs at any scale. You can create an API that acts as a “front door” for applications to access data, business logic, or functionality from your code running on AWS Lambda. Amazon API Gateway handles all of the tasks involved in accepting and processing up to hundreds of thousands of concurrent API calls, including traffic management, authorization and access control, monitoring, and API version management.
11. C. Amazon EFS is a file storage service for Amazon EC2 instances. Multiple Amazon EC2 instances can access an Amazon EFS file system at the same time, providing a common data source for the content of the WordPress site running on more than one instance.
12. A. Amazon DynamoDB is a NoSQL database store that is a great choice as an alternative due to its scalability, high-availability, and durability characteristics. Many platforms provide open-source, drop-in replacement libraries that allow you to store native sessions in Amazon DynamoDB. Amazon DynamoDB is a great candidate for a session storage solution in a share-nothing, distributed architecture.
13. B. Amazon SQS is a fast, reliable, scalable, and fully managed message queuing service. Amazon SQS should be used to decouple the large volume of inbound transactions, allowing the back-end services to manage the level of throughput without losing messages.
14. B, C, E. You should protect AWS user access keys like you would your credit card numbers or any other sensitive secret. Use different access keys for different applications so that you can isolate the permissions and revoke the access keys for individual applications if an access key is exposed. Remember to change access keys on a regular basis. For increased security, it is recommended to configure MFA for any sensitive operations. Remember to remove any IAM users that are no longer needed so that the user’s access to your resources is removed. Always avoid having to embed access keys in an application.
15. A, B, E. You can enable AWS CloudTrail in your AWS account to get logs of API calls and related events’ history in your account. AWS CloudTrail records all of the API access events as objects in an Amazon S3 bucket that you specify at the time you enable AWS CloudTrail. You can take advantage of Amazon S3’s bucket notification feature by directing Amazon S3 to publish object-created events to AWS Lambda. Whenever AWS CloudTrail writes logs to your Amazon S3 bucket, Amazon S3 can then invoke your AWS Lambda function by passing the Amazon S3 object-created event as a parameter. The AWS Lambda function code can read the log object and process the access records logged by AWS CloudTrail.
16. B. Amazon Glacier enables businesses and organizations to retain data for months, years, or decades, easily and cost effectively. With Amazon Glacier, customers can retain more of their data for future analysis or reference, and they can focus on their business instead of operating and maintaining their storage infrastructure. Customers can also use Amazon Glacier Vault Lock to meet regulatory and compliance archiving requirements.
17. A. Many companies that distribute content via the Internet want to restrict access to documents, business data, media streams, or content that is intended for selected users, such as users who have paid a fee. To serve this private content securely using Amazon CloudFront, you can require that users access your private content by using special Amazon CloudFront-signed URLs or signed cookies.
18. B. Amazon S3 provides highly durable and available storage for a variety of content. Amazon S3 can be used as a big data object store for all of the videos. Amazon S3’s low cost combined with its design for durability of 99.999999999% and for up to 99.99% availability make it a great storage choice for transcoding services.
19. A. An Availability Zone consists of one or more physical data centers. Availability Zones within a region provide inexpensive, low-latency network connectivity to other zones in the same region. This allows you to distribute your application across data centers. In the event of a catastrophic failure in a data center, the application will continue to handle requests.
20. C. You can use a NAT gateway to enable instances in a private subnet to connect to the Internet or other AWS services, but prevent the Internet from initiating a connection with those instances. If you have resources in multiple Availability Zones and they share one NAT gateway, resources in the other Availability Zones lose Internet access in the event that the NAT gateway’s Availability Zone is down. To create an Availability Zone-independent architecture, create a NAT gateway in each Availability Zone and configure your routing to ensure that resources use the NAT gateway in the same Availability Zone.
Comprehensive Online Learning Environment
Register on Sybex.com to gain access to the comprehensive online interactive learning environment and test bank to help you study for your AWS Certified Solutions Architect - Associate exam.
The online test bank includes:
Assessment Test to help you focus your study to specific objectives
Chapter Tests to reinforce what you've learned
Practice Exams to test your knowledge of the material
Digital Flashcards to reinforce your learning and provide last-minute test prep before the exam
Searchable Glossary to define the key terms you'll need to know for the exam
Go to http://www.wiley.com/go/sybextestprep to register and gain access to this comprehensive study tool package.
Wiley End User License Agreement
Go to www.wiley.com/go/eula to access Wiley’s ebook EULA.