{"id":13935313,"url":"https://github.com/SkullTech/aws-solutions-architect-associate-notes","last_synced_at":"2025-07-19T20:31:53.530Z","repository":{"id":37271182,"uuid":"199846310","full_name":"skulltech/aws-solutions-architect-associate-notes","owner":"skulltech","description":"My notes for AWS Solutions Architect Associate.","archived":false,"fork":false,"pushed_at":"2023-07-26T13:45:55.000Z","size":132,"stargazers_count":1652,"open_issues_count":6,"forks_count":476,"subscribers_count":86,"default_branch":"master","last_synced_at":"2024-11-21T04:11:49.603Z","etag":null,"topics":["aws","aws-solution-architect-associate","notes","study-notes"],"latest_commit_sha":null,"homepage":"https://sumit-ghosh.com/articles/aws-solutions-architect-associate-preparation/","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/skulltech.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2019-07-31T11:52:05.000Z","updated_at":"2024-11-18T16:44:27.000Z","dependencies_parsed_at":"2022-07-12T05:18:28.013Z","dependency_job_id":"2f8ec919-7da9-4eb2-9a59-8a2f243a2c1f","html_url":"https://github.com/skulltech/aws-solutions-architect-associate-notes","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/skulltech%2Faws-solutions-architect-associate-notes","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/skulltech%2Faws-solutions-architect-associate-notes/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/skulltech%2Faws-solutions-architect-associate-notes/r
eleases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/skulltech%2Faws-solutions-architect-associate-notes/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/skulltech","download_url":"https://codeload.github.com/skulltech/aws-solutions-architect-associate-notes/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":226666695,"owners_count":17665068,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","aws-solution-architect-associate","notes","study-notes"],"created_at":"2024-08-07T23:01:35.433Z","updated_at":"2025-07-19T20:31:53.517Z","avatar_url":"https://github.com/skulltech.png","language":null,"funding_links":[],"categories":["Others"],"sub_categories":[],"readme":"# Notes for AWS Certified Solutions Architect Associate\n\nI recently got the AWS solutions architect associate certificate in July 2019, and wanted to share my notes with anyone who might benefit from it. The path I followed was\n\n- Go through the [ACloudGuru course](https://click.linksynergy.com/deeplink?id=aosskmXRdYk\u0026mid=39197\u0026murl=https%3A%2F%2Fwww.udemy.com%2Faws-certified-solutions-architect-associate%2F).\n- Attempt the [Whizlabs practice tests](https://www.whizlabs.com/aws-solutions-architect-associate/). After each test, note down the concepts I had difficulties with. 
\n- Attempt the [practice tests by Jon Bonso at Udemy](https://click.linksynergy.com/deeplink?id=aosskmXRdYk\u0026mid=39197\u0026murl=https%3A%2F%2Fwww.udemy.com%2Faws-certified-solutions-architect-associate-amazon-practice-exams%2F). Again, after each test, note down the concepts I had difficulties with.\n\nSo you should go through the notes only after you have done a course that explains the basics, such as the one from ACloudGuru. Also, full disclosure, the links to the above courses are referral ones. So if these notes helped you and you're planning to buy the courses or practice tests, please consider going through the links when you're buying.\n\n__Note__ — You can also check out [this blog post](https://sumit-ghosh.com/articles/aws-solutions-architect-associate-preparation/) where I describe my preparation strategy in detail. \n\n## Contents\n\n- [Well-Architected Framework](#well-architected-framework)\n- [Route 53](#route53)\n- [S3](#s3)\n- [RDS, Redshift and ElastiCache](#rds-redshift-and-elasticache)\n- [EC2 and EBS](#ec2-and-ebs)\n- [EFS](#efs)\n- [ELB and Autoscaling](#elb-and-autoscaling)\n- [SQS](#sqs)\n- [SNS](#sns)\n- [API Gateway](#api-gateway)\n- [Lambda](#lambda)\n- [VPC](#vpc)\n- [DynamoDB](#dynamodb)\n- [ECS](#ecs)\n- [Elastic Beanstalk](#elastic-beanstalk)\n- [Storage Gateway](#storage-gateway)\n- [IAM, Cognito and Directory Services](#iam-cognito-and-directory-services)\n- [KMS and CloudHSM](#kms-and-cloudhsm)\n- [Kinesis](#kinesis)\n- [EMR](#emr)\n- [Misc](#misc)\n\n\n\n# Well-Architected Framework\n\nThe five pillars are —\n\n1. Operational Excellence \n2. Security\n3. Reliability\n4. Performance Efficiency\n5. 
Cost Optimization\n\n\n## Operational Excellence\n\n### Design Principles\n\n- Perform operations as code\n- Annotate documentation\n- Make frequent, small, reversible changes\n- Refine operations procedures frequently\n- Anticipate failure\n- Learn from all operational failures\n\n### Best Practices\n\n- Prepare\n- Operate\n- Evolve\n\n__Key AWS Service__ — AWS CloudFormation.\n\n\n## Security\n\n### Design Principles\n\n- Implement a strong identity foundation\n- Enable traceability\n- Apply security at all layers\n- Automate security best practices\n- Protect data in transit and at rest\n- Keep people away from data\n- Prepare for security events\n\n### Best Practices\n\n- Identity and Access Management\n- Detective Controls\n- Infrastructure Protection\n- Data Protection\n- Incident Response\n\n__Key AWS Service__ — AWS Identity and Access Management (IAM).\n\n\n## Reliability\n\n### Design Principles\n\n- Test recovery procedures\n- Automatically recover from failure\n- Scale horizontally to increase aggregate system availability \n- Stop guessing capacity\n- Manage change in automation\n\n### Best Practices\n\n- Foundations\n- Change Management\n- Failure Management\n\n__Key AWS Service__ — Amazon CloudWatch.\n\n\n## Performance Efficiency\n\n### Design Principles\n\n- Democratize advanced technologies\n- Go global in minutes\n- Use serverless architecture\n- Experiment more often\n- Mechanical sympathy\n\n### Best Practices\n\n- Selection\n    - Compute\n    - Storage\n    - Database\n    - Network\n- Review\n- Monitoring\n- Tradeoffs\n\n__Key AWS Service__ — Amazon CloudWatch.\n\n\n## Cost Optimization\n\n### Design Principles\n\n- Adopt a consumption model\n- Measure overall efficiency\n- Stop spending money on data center operations\n- Analyze and attribute expenditure\n- Use managed and application level services to reduce cost of ownership\n\n### Best Practices\n\n- Expenditure Awareness\n- Cost-Effective Resources\n- Matching Supply and Demand\n- 
Optimizing Over Time\n\n__Key AWS Service__ — Cost Explorer.\n\n\n\n\n\n# Route53\n\n\n__Main functions of Route53__ —\n1. Register domain names.\n2. Route internet traffic to the resources for your domain.\n3. Check the health of your resources.\n\nIt's not used to _distribute_ traffic.\n\n__CNAME vs ALIAS__ —  \n\n- For routing to S3 bucket // Elastic load balancer use A record with ALIAS.  \n- For routing to RDS instance use CNAME with NO ALIAS // without ALIAS.\n\nALIAS only supports the following services —\n- API Gateway\n- VPC interface endpoint\n- CloudFront distribution\n- Elastic Beanstalk environment\n- ELB load balancer\n- S3 bucket that is configured as a static website\n- Another Route 53 record in the same hosted zone\n\n\nRoute53 does not directly log to S3 bucket, we can forward that from Cloudwatch, but can't do it directly.\n\nTypes of __Route53 health checks__ —\n1. Health checks that monitor __an endpoint__. This __can be on-premise__ too.\n2. Health checks that monitor __other health checks__.\n3. Health checks that monitor __Cloudwatch alarms__. \n\n__Multivalue answer routing policy__ responds with up to 8 healthy records selected at __random__.\n\n__Weighted routing policy__ is a good fit for __blue-green deployments__.\n\n\n\n# S3\n\nIn a newly created S3 bucket, everything // every additional option is turned off by default. Also, no bucket policy exists. (Since April 2023 new buckets do get two secure defaults: S3 Block Public Access is enabled and ACLs are disabled, so access has to be granted through policies.)\n\n__S3 bucket properties__ are —\n1. Versioning\n2. Server access logging\n3. Static website hosting\n4. Object level logging // Essentially CloudTrail\n5. Transfer acceleration\n6. Events\n\n__Object level properties__—  \nMetadata and Storage class are object level properties. All object level properties are\n1. Storage class\n2. Encryption\n3. Metadata\n4. Tags\n5. Object lock\n\n__DELETE operation__ does not keep a copy unless you have versioning enabled. 
From the docs\n\u003e The DELETE operation removes the null version (if there is one) of an object and inserts a delete marker, which becomes the current version of the object. If there isn't a null version, Amazon S3 does not remove any objects. \n\nS3 is a __managed service__. It can't be part of a VPC (access from a VPC is kept off the public internet by using a gateway VPC endpoint for S3).\n\n__S3 object metadata__—\n1. System metadata\n2. User-defined metadata\n\nUser-defined metadata keys must start with the `x-amz-meta-` prefix.\n\nWhen you enable logging on a bucket, the console both enables logging on the source bucket and adds a grant in the target bucket's access control list (ACL) granting write permission to the Log Delivery Group.\n\n__S3 bucket endpoints formats__ —\n1. http://bucket.s3.amazonaws.com\n2. http://bucket.s3.aws-region.amazonaws.com\n3. http://bucket.s3-aws-region.amazonaws.com\n4. http://s3.amazonaws.com/bucket\n5. http://s3.aws-region.amazonaws.com/bucket\n6. http://s3-aws-region.amazonaws.com/bucket\n\n__Update__ — AWS will stop supporting the URL path format for buckets created after September 30, 2020. Read [this](https://aws.amazon.com/blogs/aws/amazon-s3-path-deprecation-plan-the-rest-of-the-story/) for details.\n\n__Object sizes__ —\nS3 can store objects of size 0 bytes to 5 TB.\nA single PUT can transfer 5 GB max. For files larger than 100MB, multipart upload is recommended.\n\n__Cross-region replication__ requires that versioning be enabled on both the source bucket and the destination bucket.\n\n__AWS Glacier archive retrieval__ options —\n- Expedited: Costly, 1-5 minutes.\n- Standard: Default, 3-5 hours.\n- Bulk: Cheapest, 5-12 hours.\n\nTo increase performance, we can __prefix each object name with a hash key__ along with the current date. 
But, according to the new S3 performance announcement, this is __not needed anymore__.\n\n__Increasing performance in S3__ —\n- If workload is mainly GET requests, integrate Cloudfront with S3.\n- If workload consists of PUT requests, use S3 transfer acceleration.\n\nIn the __CORS__ configuration, the __exact URLs__ must be added, with the correct protocol, i.e. __http vs https__.\n\n__S3__ supports `OPTIONS` only for CORS preflight requests, and does not support the `CONNECT` and `TRACE` __methods__ at all. \n\n__S3 encryptions__ —\n- SSE-S3: Data and master keys managed by S3.\n- SSE-C: The user supplies the encryption key with every request; S3 uses it and then discards it, storing only a salted HMAC of the key to validate later requests.\n- SSE-KMS: KMS manages the data key, the user controls the master key (CMK) and its key policy, and every use of the key is logged in CloudTrail.\n\nTo make sure that S3 objects are only accessible from Cloudfront, create an __Origin Access Identity (OAI) for Cloudfront__ and grant access to the objects to that OAI in the bucket policy, keeping the bucket itself private.\n\nWe can create __event notification in S3__ to __invoke lambda__ function.\n\n__Customer managed S3 encryption workflow__ (envelope encryption) —  \nGenerate a data key using a customer managed CMK (KMS `GenerateDataKey` returns both the plaintext key and a copy encrypted under the CMK). Encrypt the data with the plaintext data key, then discard the plaintext key. Store the encrypted data key alongside the encrypted data in S3. For decryption, send the encrypted data key to KMS `Decrypt` (authorised by the CMK's key policy) to recover the plaintext data key, then decrypt the data with it.\n\nAWS S3 __performance__ —\n\n- 3,500 PUT/COPY/POST/DELETE requests per second per prefix\n- 5,500 GET/HEAD requests per second per prefix\n\n__Provisioned capacity__ should be used when we want to guarantee the availability of fast expedited retrieval from S3 Glacier within minutes.\n\nFor __S3 static website hosting__, the default provided __URL__ is http://bucket-name.s3-website-aws-region.amazonaws.com. Website endpoints serve plain HTTP only; for HTTPS, put a CloudFront distribution in front of the bucket.\n\nS3 server side encryption uses __AES-256__.\n\nS3 __event notification targets__ —\n\n- SQS\n- SNS\n- Lambda\n\nAn 80 TB __Snowball__ appliance and 100 TB Snowball Edge appliance only have 72 TB and 83 TB of __usable capacity__ respectively. 
\n\nFor __static website hosting__ with S3, the name of the bucket must be the same as the domain or subdomain name.\n\n__Preventing accidental deletion__ of S3 objects —\n\n- Enable versioning\n- Enable MFA delete\n\n\n\n# RDS, Redshift and ElastiCache\n\nAmazon __Redshift Enhanced VPC Routing__ forces COPY and UNLOAD traffic between the cluster and data repositories such as S3 through the VPC instead of the public internet, so that traffic is subject to VPC security groups, network ACLs, VPC endpoints and flow logs.\n\nAmazon __ElastiCache__ offers fully managed __Redis and Memcached__. \n\n__Cross-region replication__ can be set up for __Redshift Clusters__ (cross-region snapshot copy).\n\n__Redshift encryption__ —\n- Using AWS KMS to manage the keys.\n- Using a hardware security module (AWS CloudHSM or an on-premises HSM) to manage the keys.\n\n__RDS data size limits__ —\n- Aurora: 64 TB\n- Others: 16 TB.\n\nDuring automated backup, Amazon RDS performs a storage volume snapshot of entire Database instance. Also, it captures transaction logs every 5 minutes.\n\n__AWS RDS is a service__ whereas __AWS Aurora is a database engine__.\n\nFor __Redshift__, spot instances are not an option.\n\n__Encryption of RDS__ — Have to enable it on database creation; an existing unencrypted instance can only be encrypted by copying a snapshot with encryption enabled and restoring from that copy. Also, not all instance classes support encryption, we have to choose one which supports it.\n\nTo enable __multi-region replication of RDS__, we have to use __Read Replicas__. Multi-AZ is not the solution here.\n\n__RDS Read Replicas__ are __synced asynchronously__, so they can have __replication lag__.\n\n__Redshift automated snapshot retention period__ — 1 day to 35 days.\n\nWe can't use auto-scaling with __RDS__. To improve __performance__, we should look to __sharding__ instead. 
Starting from __June 2019__, RDS supports __storage auto scaling__, which grows the allocated storage automatically; compute still does not auto-scale.\n\nWe configure __RDS engine configurations__ using __parameter groups__.\n\nTo use __REDIS AUTH with ElastiCache__, __in-transit encryption__ must be enabled for clusters.\n\nFor RDS, __Enhanced Monitoring__ gathers its metrics from an __agent on the instance__.\n\nIn case of a __failover__, Amazon RDS flips the canonical name record (__CNAME__) for your DB instance to point at the standby.\n\n__Aurora endpoints__, by default — \n\n- A reader endpoint. It load balances all read traffic between the Aurora Replicas.\n- A cluster endpoint. For write operations, it always points at the current primary instance.\n\nWe can create __additional custom endpoints__ that load balance based on specified criteria.\n\nWith __Redshift Spectrum__, we can run complex queries on __data stored in S3__.\n\nWe can use __WLM in the parameter group configuration__ of Redshift to define number of query queues and how queries are routed to those queues.\n\nThe memory and processor __usage by each process__ in an RDS instance cannot be monitored by Cloudwatch, we have to use __RDS Enhanced Monitoring__ for that. Because Cloudwatch monitors the hypervisor, not the individual instances.\n\n__IAM DB authentication__ can be used with __MySQL and PostgreSQL__. With this, you don't need to use a password when you connect to a DB instance. Instead, you use an __authentication token__, generated with `aws rds generate-db-auth-token` (or the SDK equivalent) by a principal that has `rds-db:connect` permission; the token is valid for 15 minutes and the connection must use SSL.\n\n\n\n\n# EC2 and EBS\n\n__Instance store__ —\nYou cannot add instance store volume to an instance after it's launched.\nNot all EC2 instance types support instance store volume.\n\nPersistence — Instance store persists during reboots, but not stop or terminate. EBS volumes however persist across reboot, stop, and terminate.\n\n__EBS volume types__ —\n1. General purpose SSD. For web applications // most use cases.\n2. Provisioned IOPS SSD. For critical high performing databases.\n3. Throughput optimized HDD. For Big Data.\n4. Cold HDD. 
For infrequently accessed data.\n\nAlso, to note, __HDDs cannot be boot volumes__.\n\nWe can use Amazon __Data Lifecycle Manager__ to automate taking backups // snapshots of EBS volumes, and protect them from accidental or unwanted deletion.\n\n__EBS-optimized EC2 instances__ provide additional, dedicated capacity for EBS IO. Helps squeeze out the last ounce of performance.\n\nEncrypted EBS volumes are not supported on all instance types.\n\n__To get more performance out of EBS volumes__ —\n1. Use a more modern Linux Kernel.\n2. Use RAID 0.\n\nVolumeRemainingSize is not a CloudWatch metric for EBS volumes.\n\n__EBS volume types__ —\n- For throughput, Throughput optimized HDD.\n- For large number of transactions, i.e. IOPS, Provisioned IOPS SSD.\n\nBy default, __EBS volumes are automatically replicated within their availability zone__, which gives high availability inside that AZ only; for protection against an AZ failure use snapshots, which are stored in S3.\n\n__AWS Cloudwatch Logs__ can be used to __monitor and store__ logs from EC2 instances. The instance needs the __CloudWatch Logs agent__ (or the unified CloudWatch agent) installed, with an instance role that allows `logs:PutLogEvents`, to be able to send logs to CloudWatch; the `awslogs` log driver is the equivalent for Docker // ECS containers. We don't need any database or S3 for storage.\n\nCloudwatch logs agent is __more efficient__ than AWS SSM Agent.\n\nWith __EC2 dedicated hosts__ we get visibility and control over the physical __sockets and cores__ of the host, which is what socket- or core-bound software licences (BYOL) require; no other option offers that.\n\nPlacement groups —\n- Cluster\n- Spread. Maximum number of instances in an AZ is 7.\n- Partition\n\nPlacement groups can be created from the __console as well as the CLI // API__; an instance can only be moved into or out of a placement group while it is stopped.\n\n__Cluster Placement groups__ have very __low inter-node latency__.\n\n\n__Hibernation of EC2 instances__ —\n- When EC2 instance is hibernated and brought back up, the public IPv4 address is renewed. 
All the other IP addresses are retained.\n- When EC2 instance is in hibernate, you are only charged for elastic IP address and EBS storage space.\n\n__Default Cloudwatch metrics__ —\n\n- CPU utilization\n- Disk reads and writes\n- Network in and out\n\n__Custom metrics__ —\n\n- Memory utilization\n - Disk swap utilization\n - Disk space utilization\n - Page file utilization\n - Log collection\n\n__Reserved Instances that are terminated__ are **still billed** until the end of their term according to their payment option.\n\nUpon __stopping and starting an EC2 instance__ —\n\n- Elastic IP address is disassociated from the instance if it is an EC2-Classic instance. Otherwise, if it is an EC2-VPC instance, the Elastic IP address remains associated.\n- The underlying physical host is possibly changed.\n\nEBS is __lower-latency__ than EFS.\n\nThe maximum ratio of __provisioned IOPS__ to requested volume size (in GiB) is 50:1.\n\nFor __new accounts__, Amazon has a __soft limit of 20 EC2 instances per region__, which can be removed by contacting Amazon.\n\nYou can attach a network interface (ENI) to an EC2 instance in the following ways —\n\n1. When it's running. Hot attach.\n2. When it's stopped. Warm attach.\n3. When the instance is being launched. Cold attach.\n\nEBS snapshots are more efficient and cost-effective solution compared to __disk mirroring using RAID1__.\n\nEBS volumes can only be attached to an EC2 instance in the __same Availability Zone__.\n\n__EBS snapshot creation__ — In usual scenarios EBS volume snapshots can be created at the same time it's in usage. 
But when using RAID configurations, there are additional complexities and we should stop every IO operation and flush the cache before taking a snapshot.\n\n__Cloudwatch alarm actions__ can automatically start, stop, reboot or recover EC2 instances based on alarms.\n\nWith __scheduled reserved instances__, we can plan out our future usage and get reserved instances in those planned time frames only.\n\n__Throughput optimized HDD vs Cold HDD__ — Throughput optimized is used for frequently accessed data, whereas Cold HDD is used for infrequently accessed data. Also the latter is more cost-effective.\n\n__RAID0 vs RAID1__ —\n\n- RAID1 is used for mirroring, high-availability and redundancy.\n- RAID0 is used for higher performance, it can combine multiple disk drives together.\n\nLarger EC2 instances have higher disk data throughput. This can be used in conjunction with RAID 0 to __improve EBS performance__.\n\n\n\n# EFS\n\nEFS supports cross availability zone mounting, but it is not recommended. The recommended approach is __creating a mount target in each availability zone__ and mounting from the target in the instance's own AZ.\n\nYou can mount an EFS file system in only one VPC at a time. If you want to access it or mount it from another VPC, you have to create a __VPC peering connection__. You should note that all of these must be within the same region.\n\n__NFS port 2049__ for EFS; the mount target's security group must allow inbound TCP 2049 from the clients.\n\n__Encryption__\n\n1. Encryption at rest must be specified at the creation of file system. If you want to modify it later on, create a new EFS file system with encryption enabled and copy the data over.\n2. Encryption in transit is supported by EFS // NFS, and must be enabled from the client side. It uses TLS: the EFS mount helper (`mount -t efs -o tls ...`) starts a local stunnel process and the NFS traffic goes through that tunnel.\n\n__Performance mode__\n\n1. General purpose must be used for most purposes, it has low latency, so ideal for web applications.\n2. Max IO is ideal for big data and parallel connection and processing from a large number of hosts. It has higher latency but large throughput.\n\n__Throughput mode__\n\n1. 
Bursting is ideal for arbitrarily large amounts of data, because it scales properly.\n2. But for cases with high throughput to storage ratio, such as common in web applications, provisioned mode is better.\n\n\n\n# ELB and Autoscaling\n\n__Patching an AMI for an auto scaling group__, the procedure is —  \n1. Create an image out of the main patched EC2 instance\n2. Create a new launch configuration with new AMI ID\n3. Update auto scaling group with new launch configuration ID. \n\nNote that AMI ID is set during creation of launch configuration and cannot be modified, so we have to create a new launch configuration. Existing instances keep running the old AMI until they are replaced (for example by an instance refresh, or by terminating them so the group relaunches from the new configuration).\n\n__Predefined metric types for target tracking scaling__ of an auto scaling group —\n1. Request count per target (ALB).\n2. Average CPU utilization.\n3. Network in.\n4. Network out.\n\n\n__Monitoring Application Load Balancers__ —\n1. Cloudwatch metrics\n2. Access logs\n3. Request tracing\n4. Cloudtrail logs.\n\nAdding __lifecycle hooks__ to ASGs puts instances in a __wait state__ before termination (or after launch). During this wait state, we can perform custom activities. Default heartbeat timeout is 1 hour (3600 seconds).\n\n\nASG __Dynamic Scaling Policies__ —\n- Target tracking scaling. The __preferred__ one to use, this should be the first one we should consider.\n- Step scaling\n- Simple scaling\n\nIf you are scaling based on a utilization metric that increases or decreases proportionally to the number of instances in an Auto Scaling group, we recommend that you use target tracking scaling policies. Otherwise, we recommend that you use step scaling policies. 
\n\nThe ELB service does not consume an IP address, it's the nodes that consume one IP address each.\n\n__Auto-scaling__ ensures —\n- Fault tolerance\n- Availability\n\n__ELBs__ can manage traffic within a region and not between regions.\n\n__For unstable scaling behavior__, that is scaling multiple times frequently, the following things can be done —\n\n- Increasing __auto-scaling cooldown timer__ value would give scaling activity sufficient time to stabilize.\n- Modify the __cloudwatch alarm period__ that triggers scaling activity.\n\n__Default cooldown period__ is 300 seconds.\n\n__Port based routing__ is supported by __Application Load Balancer__.\n\n__Network Load Balancer__ can be used to __terminate TLS connections__. For this, NLB uses a security policy which consists of protocols and ciphers. The certificate used can be provided by __AWS Certificate Manager__.\n\n__Connection draining__ (called __deregistration delay__ on ALB // NLB target groups) enables the load balancer to complete in-flight requests made to instances that are de-registering or unhealthy. \n\nDefault ASG termination policy, in order —\n\n1. Pick the Availability Zone with the most instances (and at least one instance not protected from scale-in).\n2. Oldest launch configuration // launch template.\n3. Closest to next billing hour.\n4. Random.\n\nLoad balancer does not create or terminate instances, that's done by auto scaling group.\n\n\n\n\n# SQS\n\nConsumers must __delete an SQS message__ manually after it has done processing the message. To delete a message, use the ReceiptHandle of a message, not the MessageId.\n\nIncoming messages can __trigger a lambda function__.\n\nWe can use __dead letter queues__ to isolate messages that can't be processed right now.\n\nSQS did not __encrypt__ messages by default when these notes were written; newer queues get SSE-SQS (SQS-managed keys) by default, and SSE-KMS still has to be enabled explicitly if a customer managed key is needed.\n\nDefault __visibility timeout__ for SQS is __30 seconds__.\n\nEach __FIFO Queue__ uses —\n- Message Deduplication ID \n- Message Group ID. 
Message Group ID helps preserve order.\n\nFor application with identical message bodies, use unique deduplication ID, while for unique message bodies, use content-based deduplication ID.\n\nBoth the default and maximum batch size for `ReceiveMessage` call of SQS is 10.\n\nReducing SQS API calls —\n\n- Use long polling.\n- Send `DeleteMessage` requests in batch using `DeleteMessageBatch`. Other batch actions are `SendMessageBatch` and `ChangeMessageVisibilityBatch`. \n\n__Message retention period__ in SQS — 1 minute to 14 days. The default is 4 days.\n\nLimit on number of __inflight messages__ — 120,000 for standard queue and 20,000 for FIFO queue.\n\n\n\n# SNS\n\n__Available protocols for AWS SNS__ —\n- HTTP // HTTPS\n- Email\n- Email-JSON\n- SQS\n- Application\n- Lambda\n- SMS\n\nWe can add __filter policies__ to individual subscribers in an SNS topic.\n\n__SNS message attributes__ are —\n- Name\n- Type\n- Value\n\nWith __Amazon SNS__, there is a possibility of the client receiving __duplicate messages__.\n\n\n\n\n# API Gateway\n\nAPI Gateway can __integrate with any HTTP based operations__ available on the public internet, as well as other AWS services.\n\n__Integration types__ —\n- Lambda function, can be from __another AWS account__ as well.\n- HTTP\n- Mock\n- AWS Service\n- VPC Link\n\nFor connecting API Gateway to a set of services hosted in an __on-premise network__, we can use\n1. __DirectConnect__ to connect the private network to AWS directly.\n2. Then use __VPCLink__ to set up API Gateway connection.\n\n\n__API Gateway Throttling__ (token bucket) —\n\n- __Steady-state (rate) limit__ is the sustained number of requests per second, i.e. how fast the bucket refills.\n- __Burst limit__ is the bucket capacity, i.e. how many requests above the rate can be absorbed in a short spike before throttling starts.\n\n__Throttling behaviors__ —\n- If a user exceeds the burst limit but not the steady-state limit, the rest of the requests are throttled over the one second steady-state interval. 
\n- If a user exceeds the steady-state limit, AWS returns `429 Too Many Requests` error.\n\nWhen it comes to throttling settings, you can __override stage settings on an individual method__ within the stage. That is, there is an option for method level throttling to override stage level throttling.\n\n__Access control mechanisms__ for API Gateway —\n- Resource policies\n- AWS IAM roles and policies\n- CORS or Cross-origin resource sharing\n- Lambda authorizers\n- Amazon Cognito user pools\n- Client side SSL certs (API Gateway presents a generated certificate to the backend, so the backend can verify that requests really come from API Gateway)\n- Usage plans\n\nAPI Gateway's throttling limits absorb traffic floods and so give the backend systems some protection from DDoS attacks; for real protection attach __AWS WAF__ to the stage.\n\n__Cache properties and settings__ —\n- Cache status\n- Flush entire cache\n- Enable API cache\n- Cache capacity\n- Encrypt cache data\n- Cache TTL\n- Require authorization\n- Handle unauthorized requests\n\n__Monitoring__ API Gateway usage — we can use __CloudWatch__ or __Access logging__. Access logging logs who accessed the API and how the caller accessed the API, CloudWatch does not include this data.\n\n__Protect backend systems__ behind API gateway from __traffic spikes__ —\n\n- Enable throttling.\n- Enable result caching.\n\n\n\n\n# Lambda\n\nLambda functions __can be run within a private VPC__.\n\nLambda can __read events from__ —\n- Amazon Kinesis\n- Amazon DynamoDB\n- Amazon Simple Queue Service\n\nServices that can __invoke Lambda functions__ —\n- Elastic Load Balancing (Application Load Balancer)\n- Amazon Cognito\n- Amazon Lex\n- Amazon Alexa\n- Amazon API Gateway\n- Amazon CloudFront (Lambda@Edge)\n- Amazon Kinesis Data Firehose\n- Amazon Simple Storage Service\n- Amazon Simple Notification Service\n- Amazon Simple Email Service\n- AWS CloudFormation\n- Amazon CloudWatch Logs\n- Amazon CloudWatch Events\n- AWS CodeCommit\n- AWS Config\n\nAWS __CodePipeline__ can invoke a Lambda function as a pipeline action; AWS __OpsWorks can't invoke lambda__ functions directly.\n\n__For failures__ we can configure lambda to send non-processed payloads to __SQS Dead letter queue__. 
Then we can configure __SNS to send a notification__ if we want. Lambda __does not have an in-built mechanism__ for notification upon failure beyond the dead letter queue (and, since late 2019, __on-failure destinations__ for asynchronous invocations, which can target SNS, SQS, EventBridge or another function).\n\nA policy on a role defines which API actions can be made on the target, it does not define whether the source can access the target or not.\n\nEach lambda function has an __ephemeral storage of 512 MB__ in the `/tmp` directory.  \n\nAWS __CloudWatch rule__ can be configured to trigger a lambda function. While configuring it, the following can be used as __input to the target lambda function__ —\n- Matched event\n- Part of the matched event\n- Constant (JSON text)\n\nThe following __CloudFront events can trigger lambda function__ —\n- Viewer request\n- Viewer response\n- Origin request\n- Origin response\n\n__Lambda function update has eventual consistency__. Which means, for a brief window of less than a minute, it may execute either the old version or the new version.\n\nWe can use __aliases__ to point to a version, and repoint the alias on upgrade. This makes upgrades transparent from the viewpoint of a consumer, which only ever references the alias.\n\n__Limits__ (at the time of writing) —\n- Function memory allocation: 128 MB to 3008 MB, in 64 MB increments (later raised to 10,240 MB in 1 MB increments).\n- Function timeout: 900 seconds.\n- Deployment package: 50 MB zipped for direct upload, 250 MB unzipped including all layers; a function can use up to 5 layers.\n- `/tmp` directory storage: 512 MB.\n\nTo grant __cross-account permission to a function__, we have to modify the function policy (the resource-based policy), not the execution role policy.\n\nThe console doesn't support directly __modifying permissions in a function policy__. You have to do it from the CLI or SDK (`add-permission` // `remove-permission`).\n\nIf we run __lambda functions inside a VPC__, they consume __private IP addresses from the subnets through ENIs__. There should be sufficient free addresses, otherwise invocations get throttled.\n\n__ENI capacity__ = Projected peak concurrent executions * (Memory in GB / 3 GB).\n\nThe __lambda console__ provides __encryption and decryption helpers__ for encryption of environment variables. 
\n\nBy default, the AWS managed key for Lambda (`aws/lambda`) is used to encrypt environment variables at rest, and anyone who can read the function configuration (for example in the Lambda console) sees the decrypted values. For further restriction, create a customer managed KMS key whose key policy limits `kms:Decrypt` to the function's execution role, and use that to encrypt; better still, keep secrets out of environment variables and fetch them at runtime from Secrets Manager or Parameter Store.\n\n__CloudWatch metrics for Lambda__ —\n- Invocations\n- Errors\n- Dead Letter Error\n- Duration\n- Throttles\n- IteratorAge\n- ConcurrentExecutions\n- UnreservedConcurrentExecutions\n\nWe can get the __function version__ within the function using —\n- The Context object: `context.getFunctionVersion()` in Java, `context.function_version` in Python.\n- `AWS_LAMBDA_FUNCTION_VERSION` environment variable. \n\n__Lambda Retry upon Failure Behavior__ —\n- Event sources that aren't stream-based\n    - Synchronous invocation — Returns error with __status code 200__. Includes __FunctionError__ field and __X-Amz-Function-Error__ header; the caller is responsible for retrying.\n    - Asynchronous invocation — __Retry twice__, then sent to __Dead Letter Queue__.\n- Poll-based and stream-based event source (Kinesis or DynamoDB) — Lambda keeps __retrying until the data expires__. The failing batch __blocks the shard__, this ensures the records are processed in order.\n- Poll-based but not stream-based event source (SQS) — On unsuccessful processing or if the function times out while processing the message, it is __returned to the queue__, and ready for further reprocessing after the visibility timeout period. If it keeps failing, the queue's redrive policy moves it to the __Dead Letter Queue__ once it has been received `maxReceiveCount` times.\n\n__Lambda traffic shifting__ —\n\n- Canary\n- Linear\n- All at once\n\n\n\n# VPC\n\nWe cannot route traffic to a __NAT gateway__ or __VPC gateway endpoints__ through a __VPC peering__ connection, a __VPN connection__, or __AWS Direct Connect__. A NAT gateway or VPC gateway endpoints cannot be used by resources on the other side of these connections. Conversely, a NAT gateway // VPC gateway endpoints cannot send traffic over VPC endpoints, AWS VPN connections, Direct Connect or VPC Peering connections either.\n\nEvery route table contains a __local route__ for communication within the VPC over IPv4. 
We __cannot modify or delete__ these routes.

__VPC gateway endpoints take precedence__ over NAT Gateways and Internet Gateways, because the endpoint route targets the service's prefix list, which is more specific than the default route.

Network ACL __rules are evaluated in order__, starting with the lowest numbered rule. The first rule that matches is applied, regardless of any higher numbered rule that may contradict it; if no rule matches, the final `*` rule denies the traffic.

An SSH connection runs between port 22 on the host and __an ephemeral port on the client__. In fact, this is true for any TCP service. Because network ACLs are stateless, the return traffic to the client's ephemeral port range (1024 to 65535) has to be allowed explicitly.

Security groups are __stateful__: once a connection is allowed in one direction, its return traffic is allowed automatically, regardless of the rules in the other direction.

We can create an __S3 proxy server__ (an instance in the VPC that forwards requests to S3) for use cases where S3 has to be accessed privately from the other side of a VPN connection, AWS Direct Connect or VPC peering, since gateway endpoints cannot be used from there.

AWS __reserves 5 IP addresses in every subnet__ (the first four and the last one), not in every VPC.

Instances in __custom VPCs don't get public DNS hostnames by default__; we have to set the `enableDnsHostnames` attribute to true. `enableDnsSupport` has to be true too, but that is the default.

We can set a __custom route table as the main route table__.

We can add __secondary CIDR ranges__ to an existing VPC. When a secondary CIDR block is added, a route for that block with target `local` is automatically added to the route tables.

A __VPC peering__ connection route has a Target of the form `pcx-xxxxxx`.
A __VPN connection__ or __Direct Connect__ connection route has a Target of the form `vgw-xxxxxx`.

A __VPN__ is established over a __Virtual Private Gateway__.

There are two types of VPC Endpoints —
- __Gateway endpoints support only S3 and DynamoDB__.
- __Interface endpoints__ (powered by __PrivateLink__) support Amazon ECR and many other services.

__Difference between Direct Connect and VPN__ — Direct Connect is a dedicated private connection that does not traverse the Internet, while a VPN runs over the Internet.

__AWS Direct Connect__ does not __encrypt data in transit__ by itself, while a __VPN__ does. (A Site-to-Site VPN can be run over a Direct Connect connection to get both.)

To establish a __VPN connection__, we need —
- A public IP address on the customer gateway for the on-premises network.
- A virtual private gateway attached to the VPC.

To set up __AWS VPN CloudHub__ —

- Each regional site should have non-overlapping IP prefixes.
- The BGP ASN should be unique at each site.
- If the BGP ASNs are not unique, additional `allowas-in` configuration is required on the customer gateways.

The __allowed block size__ in a VPC is between a /16 netmask (65,536 IP addresses) and a /28 netmask (16 IP addresses).

The following __VPC peering connection configurations__ are __not supported__ —

1. Overlapping CIDR Blocks
2. Transitive Peering
3. Edge to Edge Routing Through a Gateway or Private Connection

We can move part of our __on-premises address space to AWS__. This is called BYOIP. For this, we have to create a __ROA, Route Origin Authorization__, with the regional internet registry and submit it to Amazon.



# DynamoDB

AWS __DynamoDB__ is durable and supports ACID transactions. It is schemaless, so it can go through multiple schema changes without any database downtime.

__DynamoDB Global Tables__ can be used to deploy a multi-region, multi-AZ, fully managed database solution.

We can create __secondary indexes__ for __DynamoDB__ tables.
Always choose DynamoDB when possible.

DynamoDB streams can be used to capture changes made to a table, and they can trigger lambda functions.

We can turn on __autoscaling for DynamoDB__.

For __write heavy__ use cases in __DynamoDB__, use partition keys with a large number of distinct values, so that writes spread evenly across partitions.

__DynamoDB Accelerator, DAX__ is an __in-memory cache for DynamoDB__ that reduces response time from milliseconds to microseconds.



# ECS

Launch types —

- Fargate
- EC2

All types of instances, i.e. __on-demand, spot and reserved, can be used with ECS__.

Docker containers and ECS are particularly __suited for batch job workloads__, which tend to be embarrassingly parallel.

Amazon ECS enables you to __inject sensitive data into your containers__ by storing your sensitive data in either —

- AWS Secrets Manager secrets
- AWS Systems Manager Parameter Store parameters

and referencing them from the container definition, so the values never appear in plain text in the task definition.



# Elastic Beanstalk

AWS __Elastic Beanstalk__ can be used to create —

- Web application using a DB
- Capacity provisioning and load balancing of websites
- Long running worker process
- Static website

It should not be used for tasks which run once or on a nightly basis, because the infrastructure is provisioned and will be running 24/7.

__Elastic Beanstalk__ can be used to host __Docker containers__.



# Storage Gateway

__AWS Storage Gateways__ —

1. File gateway
2. Volume gateway: Cached volumes
3. Volume gateway: Stored volumes
4. Tape gateway



# IAM, Cognito and Directory Services

__Amazon Cognito__ has two __authentication methods__, __independent__ of one another —

- Sign in via third party federation
- Cognito user pools

__AWS Directory Service__ options —

- AWS Managed Microsoft AD
- AD Connector
- Simple AD
- Amazon Cloud Directory
- Amazon Cognito

There is no __default policy__ ever, anywhere.
When permissions are evaluated, everything starts from an implicit deny: a request is allowed only if some policy that applies to the principal explicitly allows the action, and no applicable policy explicitly denies it. A role with no policy attached therefore grants nothing.

We can write __IAM policies__ that grant __access based on tags__ (for example with the `aws:ResourceTag/<key>` and `aws:PrincipalTag/<key>` condition keys).

__Connecting AWS SSO to On-Premise Active Directory__ —

- __Two-way trust relationship__: __Preferred__. Users can do everything from both portals.
- __AD Connector__: SSO does not cache user credentials. Users can't reset their password from the SSO portal, they have to do it from the on-premises portal.

For __two-step verification__, SSO sends a __code to the registered email__. It can be set to either —

- Always-on
- Context-aware

__Cross-account IAM roles__ allow customers to securely grant access to AWS resources in their account to a third party.

If our identity store is not compatible with SAML, we can develop a custom identity broker application on-premises that authenticates users and calls STS to obtain temporary credentials for them.

__Microsoft Active Directory__ supports __SAML__ (through AD FS).



# KMS and CloudHSM

__KMS__ master keys are region specific.

__CloudHSM backup procedure__ — An ephemeral backup key (EBK) is used to encrypt the backup data, and a persistent backup key (PBK) is used to encrypt the EBK, before the backup is saved to an S3 bucket in the same region as the AWS CloudHSM cluster.

With __AWS CloudHSM__, we control the entire lifecycle of the keys.

The AWS KMS API can be used to encrypt data directly (up to 4 KB per call; larger payloads use envelope encryption with a data key).



# Kinesis

__Kinesis stream data retention period__ — 24 hours (default) to 168 hours.

For __Kinesis__, we have to use a __VPC Interface Endpoint__, powered by __AWS PrivateLink__ (there is no gateway endpoint for it).

The Amazon __Kinesis Scaling Utility__ is a __less cost-effective__ solution compared to doing it with __CloudWatch alarms + API Gateway + Lambda function__.

__Kinesis data streams__ store the data, by default for 24 hours and up to 7 days.
__Kinesis Data Firehose__, by contrast, delivers the data directly into either —

- S3
- Redshift
- Amazon Elasticsearch Service
- Splunk

Kinesis — If the ShardIterator expires immediately and data is lost, we have to increase the write capacity of the DynamoDB table that the Kinesis Client Library uses for leases and checkpoints.



# EMR

__AWS EMR__ — AWS Elastic MapReduce, Hadoop based big data analytics.

__AWS EMR__ is preferred for __processing log files__.

__EMR__ can use __spot instances__ as underlying nodes.

We can access (for example SSH into) the underlying EC2 instances of an AWS EMR cluster.



# Misc

AWS STS — The __permissions of the temporary credentials__ generated by STS are the intersection of the IAM policies of the identity and the policy that you pass as an argument; the passed policy can only narrow the permissions, never add to them.

AWS __VM Import/Export__ can be used to transfer virtual machines from local infrastructure to AWS and vice-versa.

AWS __Trusted Advisor__ is a resource that helps users with cost management, performance and security.

We can create a __CloudTrail trail that logs across all regions__.

__CloudFormation Drift Detection__ can be used to detect changes in the environment. Drift Detection only __checks property values which are explicitly set__ by stack templates or by specifying template parameters. It does not determine drift for property values which are set by default.

__AWS Server Migration Service (SMS)__ is an agentless service which makes it easier and faster to migrate thousands of on-premises workloads to AWS.

__AWS Athena__ is a managed service which can be used to run interactive __SQL queries against S3 data__.

__Amazon Inspector__ is a security assessment service, which helps improve the security and compliance of applications.

__AWS OpsWorks__ is a configuration management service for Chef and Puppet. With __OpsWorks Stacks__, we can model our application as __a stack containing different layers__.

By default, __CloudTrail logs are encrypted__ using S3 server-side encryption (SSE-S3).
We can also choose to encrypt them with an AWS KMS key (SSE-KMS).

__Amazon EKS__ (Elastic Kubernetes Service, originally called Elastic Container Service for Kubernetes) exists, it's a managed Kubernetes service.

Changes to __CloudTrail global service event logs__ can only be done via the CLI or the SDKs, not the console.

For __CloudFront query string__ forwarding, the parameter names and values used are __case sensitive__.

__Amazon Polly__ — Lexicons are specific to a region. For a single text appearing multiple times, we can create an alias using multiple lexicons.

Amazon __QuickSight__ is a managed service for __creating dashboards__ with data visualization.

AWS __Athena pricing__ is based upon the amount of data scanned by each query. To __reduce price__ —
- Partition data based on different parameters so that the amount of data scanned gets reduced.
- Create separate workgroups based upon user groups (workgroups can enforce per-query data scan limits).


__Amazon CloudSearch__ helps us add search to our website or application. __Like Elasticsearch__.

__AWS Glue__ is a fully __managed ETL service__ for data. It __keeps track of processed data using Job Bookmarks__. Enabling Job Bookmarks helps __scan only the changes since the last bookmark__ and prevents processing the whole data set again.

__AWS X-Ray__ — Helps debug and __analyze microservices architectures__.

__Reducing cost with AWS X-Ray__ — Sample at a lower rate.

__Amazon WorkDocs__ has a __power user__ facility, which on enabling restricts sharing of documents to power users only.

__AWS Data Pipeline__ can automate the movement and transformation of data for data-driven workflows. For example, transferring older data from DynamoDB to S3.


__Disaster recovery solutions__ —
- Backup and Restore. Cheapest.
- Pilot Light
- Warm Standby
- Multi-Site
- Multiple AWS Regions.
Costliest.

With __AWS Config__, we can get a snapshot of the current configuration of our AWS account.

For __queue based processing__, scaling EC2 instances based on the size of the queue (for example the `ApproximateNumberOfMessagesVisible` metric) is a preferred architecture.

It's best practice to launch the Amazon __RDS instance outside an Elastic Beanstalk environment__, so that the database does not share the environment's lifecycle.

__AWS Athena is simpler__ and requires less effort to set up __than Amazon QuickSight__.

The __RI Coverage Budget__ reports the number of instances that are covered by Reserved Instances. For an organisation using the default IAM policy, each member account owner needs to create the budget for their own account; it is not created by the master account.

__Consolidated Billing__ in AWS Organizations combines usage from all accounts and billing is generated based upon total usage. Services like __EC2 and S3 have volume pricing tiers__ where with more usage volume the overall charge decreases.

To automatically trigger __CodePipeline__ on changes in a source __S3__ bucket, use a __CloudWatch Events rule__ together with a __CloudTrail trail__ that logs the bucket's data events.

__Amazon Data Lifecycle Manager__ can be used for the creation, retention and deletion of EBS snapshots.

With __AWS Organizations__, we can centrally manage policies across multiple AWS accounts. With __Service Control Policies (SCPs)__, we can set the maximum permissions available to the accounts; SCPs never grant permissions on their own.

__AWS WAF__ is a web application firewall.

In an __AWS Managed Blockchain network__, the format for a __resource endpoint__ is — `ResourceID.MemberID.NetworkID.managedblockchain.us-east-1.amazonaws.com:PortNumber`.

When you want to keep your expenditure within a budget, use __AWS Budgets__, not AWS Cost Explorer.

__CloudWatch monitoring schemes__ —

- Basic. 5 minutes.
- Detailed. 1 minute.
- Custom.
Can be down to 1 second (high-resolution custom metrics).

__Transferring data__ from an EC2 instance to Amazon S3, Amazon Glacier, Amazon DynamoDB, Amazon SES, Amazon SQS, or Amazon SimpleDB __in the same AWS Region has no cost at all__.

We can use __signed URLs and signed cookies with CloudFront__ to protect resources, so that only requests carrying a valid signature from a trusted key pair are served.

__Amazon MQ__ is a managed message broker which supports industry standard messaging protocols (JMS, AMQP, MQTT, OpenWire, STOMP).

Slow login times and 504 errors behind CloudFront can be mitigated by —

- Lambda@Edge.
- Setting up an Origin Failover policy.

__AWS Shield__ is a service that protects resources against DDoS attacks for EC2, ELB, CloudFront and Route 53.

__AWS IoT Core__ is a managed service that lets IoT devices connect and interact with AWS applications and resources.

The following storage has __encryption at rest by default__ —

- AWS Glacier
- Storage Gateway data stored in S3

__Perfect Forward Secrecy__ is supported by —

- CloudFront
- Elastic Load Balancing

Enabling __multiple domains to serve HTTPS__ over the same IP address — Request (or import) a certificate covering the domains in AWS Certificate Manager and create a CloudFront distribution. Associate the certificate with the distribution and choose Server Name Indication (SNI) as the SSL/TLS support method.

The Classic Load Balancer does not support __SNI__; we have to use an Application Load Balancer or CloudFront.

The following services enable us to __run SQL queries directly against S3 data__ —

- AWS Athena
- Redshift Spectrum
- S3 Select

By default, each workflow execution can run for a __maximum of 1 year__ in Amazon SWF.

In __AWS SWF__, a __decision task__ tells the decider that the state of the workflow execution has changed, so that it can determine the next activity.

A __third-party SSL/TLS certificate__ can be imported into —

- AWS Certificate Manager
- IAM Certificate Store
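The Misc notes above say CloudFront and Elastic Load Balancing support Perfect Forward Secrecy; whether a given listener actually enforces it depends on which cipher suites its security policy allows, since a static-RSA suite negotiated by an old client lets anyone who later obtains the server key decrypt recorded traffic. The following is an added example (my own code, not from these notes or from AWS) that classifies suites by their key exchange and audits data in the shape `aws elbv2 describe-ssl-policies` returns. The policy names and cipher lists are constructed samples for illustration, not the contents of real AWS predefined policies.

```python
"""Classify TLS cipher suites by forward secrecy and audit ELB-style SSL
policies.  Added example; the sample policies below are constructed."""
from typing import Dict, List

# TLS 1.3 suites (IANA names) always use ephemeral (EC)DHE key exchange.
TLS13_PREFIXES = ("TLS_AES_", "TLS_CHACHA20_")
# OpenSSL-style TLS 1.2 names put the key exchange first; only the ephemeral
# variants give forward secrecy.  "EDH" is OpenSSL's older alias for DHE.
EPHEMERAL_PREFIXES = ("ECDHE-", "DHE-", "EDH-")
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}


def provides_pfs(cipher: str) -> bool:
    """True when a later compromise of the server's long-term key does not
    allow decryption of sessions recorded under this suite."""
    name = cipher.upper()
    if name.startswith(TLS13_PREFIXES):
        return True
    if name.startswith("TLS_"):
        # IANA-style TLS 1.2 names, e.g. TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.
        return "_ECDHE_" in name or "_DHE_" in name
    if name.startswith(EPHEMERAL_PREFIXES):
        return True
    # Everything else uses static RSA key transport (AES128-GCM-SHA256,
    # DES-CBC3-SHA, ...) or static (EC)DH (ECDH-RSA-..., DH-RSA-...): no PFS.
    return False


def audit_ssl_policies(describe_output: Dict) -> Dict[str, Dict[str, List[str]]]:
    """For each policy in describe-ssl-policies output, list the suites that
    would break forward secrecy if negotiated (in priority order) and any
    deprecated protocol versions it still offers."""
    report: Dict[str, Dict[str, List[str]]] = {}
    for pol in describe_output.get("SslPolicies", []):
        ordered = sorted(pol.get("Ciphers", []), key=lambda c: c["Priority"])
        names = [c["Name"] for c in ordered]
        report[pol["Name"]] = {
            "non_pfs_ciphers": [c for c in names if not provides_pfs(c)],
            "legacy_protocols": [p for p in pol.get("SslProtocols", []) if p in LEGACY_PROTOCOLS],
        }
    return report


# Constructed sample in the shape of `aws elbv2 describe-ssl-policies` output.
# Names and contents are illustrative, not real AWS predefined policies.
SAMPLE_DESCRIBE_OUTPUT = {
    "SslPolicies": [
        {
            "Name": "example-compat-policy",
            "SslProtocols": ["TLSv1", "TLSv1.1", "TLSv1.2"],
            "Ciphers": [
                {"Name": "ECDHE-ECDSA-AES128-GCM-SHA256", "Priority": 1},
                {"Name": "ECDHE-RSA-AES128-GCM-SHA256", "Priority": 2},
                {"Name": "AES128-GCM-SHA256", "Priority": 3},       # static RSA
                {"Name": "AES256-SHA", "Priority": 4},              # static RSA
                {"Name": "ECDH-RSA-AES128-SHA256", "Priority": 5},  # static ECDH
            ],
        },
        {
            "Name": "example-fs-policy",
            "SslProtocols": ["TLSv1.2"],
            "Ciphers": [
                {"Name": "ECDHE-ECDSA-AES128-GCM-SHA256", "Priority": 1},
                {"Name": "ECDHE-RSA-AES128-GCM-SHA256", "Priority": 2},
                {"Name": "ECDHE-RSA-CHACHA20-POLY1305", "Priority": 3},
                {"Name": "DHE-RSA-AES256-GCM-SHA384", "Priority": 4},
            ],
        },
        {
            "Name": "example-tls13-policy",
            "SslProtocols": ["TLSv1.2", "TLSv1.3"],
            "Ciphers": [
                {"Name": "TLS_AES_256_GCM_SHA384", "Priority": 1},
                {"Name": "TLS_CHACHA20_POLY1305_SHA256", "Priority": 2},
                {"Name": "ECDHE-ECDSA-AES128-GCM-SHA256", "Priority": 3},
            ],
        },
    ]
}

if __name__ == "__main__":
    for name, result in audit_ssl_policies(SAMPLE_DESCRIBE_OUTPUT).items():
        weak = result["non_pfs_ciphers"] or ["none"]
        legacy = result["legacy_protocols"] or ["none"]
        print(f"{name}: non-PFS suites: {', '.join(weak)}; legacy protocols: {', '.join(legacy)}")
```

To check a real listener, pipe the JSON from `aws elbv2 describe-ssl-policies --names <policy>` into `audit_ssl_policies`; an empty `non_pfs_ciphers` list means every suite the policy can negotiate uses ephemeral key exchange.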