AWS SysOps Administrator Course Slides

The document provides information about the AWS Certified SysOps Administrator - Associate exam including recommended qualifications, exam format, content outline and recommendations for preparation. It also includes sections on AWS Identity and Access Management (IAM), Amazon Virtual Private Cloud (VPC), and network access controls like security groups and network ACLs.

Uploaded by kim guy

SECTION 1

Welcome
SOA-C02 Exam Guide

© Digital Cloud Training | https://digitalcloud.training


Who should take this exam?
• Minimum of 1 year of hands-on experience with AWS technology
• Experience in deploying, managing, and operating workloads on AWS
• Understanding of the AWS Well-Architected Framework
• Hands-on experience with the AWS Management Console and the AWS CLI
• Understanding of AWS networking and security services
• Hands-on experience in implementing security controls and compliance requirements



Format of the Exam
• 180 minutes
• 65 ‘scoring opportunities’ from:
  • Multiple choice / multiple response questions
  • Exam labs – new to the SOA-C02
• My experience:
  • 50 questions
  • 3 exam labs
• Delivery through Pearson VUE testing center or online proctored exam
• You get your results within 5 business days (just 1 day for me)



Exam Labs

[Screenshot of an exam lab: instructions relating to the task will be included here]



Content Outline

Domain (% of Examination):
• Domain 1: Monitoring, Logging, and Remediation (20%)
• Domain 2: Reliability and Business Continuity (16%)
• Domain 3: Deployment, Provisioning, and Automation (18%)
• Domain 4: Security and Compliance (16%)
• Domain 5: Networking and Content Delivery (18%)
• Domain 6: Cost and Performance Optimization (12%)
• TOTAL: 100%



My recommendations
• Do the Solutions Architect and Developer Associate before the SysOps
• Make sure you get plenty of hands-on practice with AWS (exam labs are 20% of final score)
• Practice tests are very important



SECTION 2
Getting Started
AWS IAM Users, Groups, Roles, and Policies

AWS Identity and Access Management (IAM)

[Diagram: an IAM Policy attached to an IAM User, an IAM Group and an IAM Role]
• Policies are documents that define permissions and can be applied to users, groups and roles
• An IAM user is an entity that represents a person or service
• Groups are collections of users and have policies attached to them
• Roles are “assumed” by trusted entities and can be used for delegation

Authentication Methods

[Diagram: an IAM User authenticating with an Access Key (API), a Password (AWS Management Console) and a Signing Certificate (some AWS services)]
• Access Key: consists of an Access key ID and secret access key; used for programmatic access to the API
• Password: used for authenticating to the AWS Management Console
• Signing Certificate: X.509 certificate for securing access to certain AWS product interfaces


Amazon Virtual Private Cloud (VPC)

[Diagram: a VPC within a Region, with a public subnet and a private subnet in each of two Availability Zones, EC2 instances in the subnets, a router and an Internet gateway]
• A VPC is a logically isolated portion of the AWS cloud within a region
• Subnets are created within AZs
• You can launch virtual servers (EC2 instances) into your VPC subnets
• The route table is used to configure the VPC router
• An Internet Gateway is used to connect to the Internet

Main Route Table:
Destination      Target
172.31.0.0/16    Local
0.0.0.0/0        igw-id
Multiple VPCs

[Diagram: two VPCs in one Region, CIDR 172.31.0.0/16 and CIDR 10.0.0.0/16, each with a public and a private subnet in each of two Availability Zones]
• Each VPC has a different block of IP addresses
• CIDR stands for Classless Interdomain Routing
• Each subnet has a block of IP addresses from the CIDR block
• You can create multiple VPCs within each region
AWS Public and Private Services

[Diagram: public services (Amazon S3, Amazon DynamoDB, Amazon Route 53, Amazon CloudFront) reached through the Internet gateway or an S3 Gateway Endpoint; private services (EC2 instances, Amazon RDS, Amazon Elastic File System) inside the VPC subnets]
• Public services have public IP addresses / endpoints
• Private services can have public IP addresses but exist within the VPC
• A VPC endpoint provides a private connection to public services


Security Groups & Network Access Control Lists (NACLs)

[Diagram: a VPC with a private subnet and a public subnet in each of two Availability Zones; a Network ACL on each subnet, and Security Group A / Security Group B applied to instances in both subnets]
• NACLs apply at the subnet level
• Security Groups apply at the instance level
• Security Groups can be applied to instances in any subnet
Stateful vs Stateless Firewalls

[Diagram: a Client (10.1.1.1) and a Web Server (10.2.1.10) exchanging HTTP traffic through a Firewall]

PROTOCOL   SOURCE IP    DESTINATION IP   SOURCE PORT   DESTINATION PORT
HTTP       10.1.1.1     10.2.1.10        65188         80
HTTP       10.2.1.10    10.1.1.1         80            65188

• Request: Src Port 65188, Dest Port 80; reply: Src Port 80, Dest Port 65188
• A stateful firewall allows the return traffic automatically
• A stateless firewall checks for an allow rule for both connections
Security Groups & Network Access Control Lists (NACLs)

Security Group vs Network ACL:
Ø Scope: a Security Group operates at the instance (interface) level; a Network ACL operates at the subnet level
Ø Rule types: Security Groups support allow rules only; Network ACLs support allow and deny rules
Ø State: Security Groups are stateful; Network ACLs are stateless
Ø Evaluation: a Security Group evaluates all rules; a Network ACL processes rules in order
Ø Association: a Security Group applies to an instance only if associated with a group; a Network ACL automatically applies to all instances in the subnets it is associated with
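To make the stateful/stateless distinction and the rule-ordering difference concrete, here is an added example (not part of the course slides) that replays the HTTP exchange from the diagram above through a simulated security group and a simulated network ACL. The rule sets, the ephemeral port range and the NACL rule numbers are constructed for the demonstration.

```python
"""Added example (not from the course slides): replay the HTTP exchange from
the slide (client 10.1.1.1:65188 -> web server 10.2.1.10:80 and its reply)
through a simulated stateful security group and a simulated stateless
network ACL. Rule sets and NACL rule numbers are constructed for the demo."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    protocol: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Rule:
    """One rule. `cidr` is the peer: source for inbound, destination for outbound.
    Security-group rules are always 'allow'; NACL rules also carry a number."""
    protocol: str            # 'tcp', 'udp' or 'all'
    cidr: str
    port_from: int
    port_to: int
    action: str = "allow"
    number: int = 0

    def matches(self, packet: Packet, direction: str) -> bool:
        peer = packet.src_ip if direction == "inbound" else packet.dst_ip
        return (self.protocol in ("all", packet.protocol)
                and ip_address(peer) in ip_network(self.cidr)
                and self.port_from <= packet.dst_port <= self.port_to)


class SecurityGroup:
    """Stateful, allow-only, order-independent: every rule is evaluated."""

    def __init__(self, inbound: List[Rule], outbound: List[Rule]):
        self.inbound, self.outbound = list(inbound), list(outbound)
        self.tracked: Set[Tuple] = set()   # 5-tuples of flows already allowed

    def evaluate(self, packet: Packet, direction: str) -> str:
        flow = (packet.protocol, packet.src_ip, packet.dst_ip, packet.src_port, packet.dst_port)
        reverse = (packet.protocol, packet.dst_ip, packet.src_ip, packet.dst_port, packet.src_port)
        if reverse in self.tracked:        # return traffic of an allowed flow
            return "allow"
        rules = self.inbound if direction == "inbound" else self.outbound
        if any(rule.matches(packet, direction) for rule in rules):
            self.tracked.add(flow)
            return "allow"
        return "deny"                      # no explicit deny rules exist


class NetworkAcl:
    """Stateless, allow-or-deny, lowest rule number first, first match wins."""

    def __init__(self, inbound: List[Rule], outbound: List[Rule]):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    def evaluate(self, packet: Packet, direction: str) -> str:
        rules = self.inbound if direction == "inbound" else self.outbound
        for rule in rules:
            if rule.matches(packet, direction):
                return rule.action
        return "deny"                      # the implicit final '*' rule


# The two packets from the slide, seen from the web server's side.
REQUEST = Packet("tcp", "10.1.1.1", "10.2.1.10", 65188, 80)
REPLY = Packet("tcp", "10.2.1.10", "10.1.1.1", 80, 65188)


def evaluate_exchange(firewall) -> Tuple[str, str]:
    """(decision for the inbound request, decision for the outbound reply)."""
    return firewall.evaluate(REQUEST, "inbound"), firewall.evaluate(REPLY, "outbound")


def web_security_group() -> SecurityGroup:
    # Allow HTTP in and define no outbound rule at all: state tracking still lets the reply out.
    return SecurityGroup(inbound=[Rule("tcp", "0.0.0.0/0", 80, 80)], outbound=[])


def web_nacl_with_ephemeral_ports() -> NetworkAcl:
    # A NACL must allow the reply explicitly: outbound TCP to the client's ephemeral port.
    return NetworkAcl(inbound=[Rule("tcp", "0.0.0.0/0", 80, 80, number=100)],
                      outbound=[Rule("tcp", "0.0.0.0/0", 1024, 65535, number=100)])


def web_nacl_missing_ephemeral_ports() -> NetworkAcl:
    # Common mistake: HTTP in is allowed, but the reply on port 65188 hits the implicit deny.
    return NetworkAcl(inbound=[Rule("tcp", "0.0.0.0/0", 80, 80, number=100)], outbound=[])


def web_nacl_blocking_one_client() -> NetworkAcl:
    # A deny rule numbered below the allow rule wins for 10.1.1.1; a security group
    # cannot express a deny at all.
    return NetworkAcl(inbound=[Rule("tcp", "10.1.1.1/32", 80, 80, action="deny", number=90),
                               Rule("tcp", "0.0.0.0/0", 80, 80, number=100)],
                      outbound=[Rule("tcp", "0.0.0.0/0", 1024, 65535, number=100)])


if __name__ == "__main__":
    for build in (web_security_group, web_nacl_with_ephemeral_ports,
                  web_nacl_missing_ephemeral_ports, web_nacl_blocking_one_client):
        print(f"{build.__name__:34} request/reply = {evaluate_exchange(build())}")
```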
The Shared Responsibility Model
The Shared Responsibility Model - Examples

CUSTOMER RESPONSIBILITY: bucket with objects, role, Multi-Factor Authentication, patch management, Auto Scaling, Security Group, staff training, data encryption, IAM User, Network ACL, SSL encryption, EC2 Instance, Elastic load balancer

AWS RESPONSIBILITY: data center, data center security, database, server, network switch, storage, network router, disk drive
SECTION 3
Compute: Amazon EC2 and AWS Lambda
Amazon Elastic Compute Cloud

[Diagram: EC2 instances (Windows OS) running on an EC2 Host Server, one of them serving a Website]
• An EC2 instance is a virtual server
• EC2 instances run Windows or Linux OS
• EC2 hosts are managed by AWS


Launching an Amazon EC2 instance

[Diagram: an Amazon Machine Image (AMI), built from an EBS Snapshot with Linux or Microsoft Windows, is launched as an Instance Type]

Instance type examples:
Family               Type         vCPUs   Memory (GiB)
General purpose      t2.micro     1       1
Compute optimized    c5n.large    2       5.25
Memory optimized     r5ad.large   2       16
Storage optimized    d2.xlarge    4       30.5
GPU instances        g2.2xlarge   8       15
Amazon EC2 Reserved Instances

Burstable instances
Ø T3, T3a, and T2 instances are designed to provide a baseline level of CPU performance with the ability to burst to a higher level when required
Ø Burstable performance instances are the only instance types that use credits for CPU usage
Ø A CPU credit provides for 100% utilization of a full CPU core for one minute
Ø Each burstable performance instance continuously earns (at a millisecond-level resolution) a set rate of CPU credits per hour, depending on the instance size
Amazon EC2 Reserved Instances

T2/T3 Unlimited
Ø T2 instances are a low-cost, general purpose instance type that provides a baseline level of CPU performance with the ability to burst above the baseline when needed
Ø T2 Unlimited instances can sustain high CPU performance for as long as a workload needs it
Ø The baseline performance and ability to burst are governed by CPU Credits
Ø T2 instances accumulate CPU Credits when they are idle, and consume CPU Credits when they are active
Launching an Amazon EC2 instance

Shutdown behavior
Ø Configure to Stop or Terminate (applies to OS-level shutdown)
Ø Can additionally enable hibernation (stores contents of RAM on the root volume)

Termination Protection
Ø You can protect instances from being accidentally terminated
Ø Once enabled, you won't be able to terminate the instance via the API or the AWS Management Console until termination protection has been disabled
How to Change the EC2 Instance Type

[Diagram of the three steps]
1. Stop the Instance
2. Select “Change Instance Type”
3. Choose the new instance type

• You can change instance types for EBS backed instances only
Amazon EC2 Placement Groups

Ø Cluster – packs instances close together inside an Availability Zone. This strategy enables workloads to achieve the low-latency network performance necessary for tightly-coupled node-to-node communication that is typical of HPC applications.
Ø Partition – spreads your instances across logical partitions such that groups of instances in one partition do not share the underlying hardware with groups of instances in different partitions. This strategy is typically used by large distributed and replicated workloads, such as Hadoop, Cassandra, and Kafka.
Ø Spread – strictly places a small group of instances across distinct underlying hardware to reduce correlated failures.
Cluster Placement Groups

[Diagram: EC2 Instances in a Cluster Placement Group inside a single Availability Zone of a VPC]
• Uses enhanced networking, low network latency and high throughput for inter-instance traffic

Partition Placement Groups

[Diagram: Partition 1, Partition 2 and Partition 3 of EC2 Instances spread across two Availability Zones of a VPC]
• Each partition is located on a separate AWS rack
• Partitions can be in multiple AZs (up to 7 per AZ)

Spread Placement Groups

[Diagram: EC2 Instances spread across two Availability Zones of a VPC]
• Each instance is located on a separate AWS rack
Amazon EC2 Placement Groups

Clustered:
Ø What: Instances are placed into a low-latency group within a single AZ
Ø When: Need low network latency and/or high network throughput
Ø Pros: Get the most out of enhanced networking instances
Ø Cons: Finite capacity: recommend launching all you might need up front

Spread:
Ø What: Instances are spread across underlying hardware
Ø When: Reduce the risk of simultaneous instance failure if underlying hardware fails
Ø Pros: Can span multiple AZs
Ø Cons: Maximum of 7 instances running per group, per AZ

Partition:
Ø What: Instances are grouped into logical segments called partitions which use distinct hardware
Ø When: Need control and visibility into instance placement
Ø Pros: Reduces likelihood of correlated failures for large workloads
Ø Cons: Partition placement groups are not supported for Dedicated Hosts
Amazon EC2 Pricing Models

On-Demand:
Ø No upfront fee
Ø Charged by hour or second
Ø No commitment
Ø Ideal for short term needs or unpredictable workloads

Reserved Instances:
Ø Options: No upfront, partial upfront or all upfront
Ø Charged by hour or second
Ø 1-year or 3-year commitment
Ø Ideal for steady-state workloads and predictable usage

Savings Plans:
Ø Options: No upfront, partial upfront or all upfront
Ø Charged based on $/hour
Ø 1-year or 3-year commitment
Ø More flexibility: Applies across Regions and instance families/types

Spot:
Ø No upfront fee
Ø Charged by hour or second
Ø No commitment
Ø Ideal for cost-sensitive, compute intensive use cases that can withstand interruption
Amazon EC2 Reserved Instances

A Reserved Instance has four instance attributes that determine its price:
Ø Instance type: For example, m4.large
Ø Region: The Region in which the Reserved Instance is purchased
Ø Tenancy: Whether your instance runs on shared (default) or single-tenant (dedicated) hardware
Ø Platform: The operating system; for example, Windows or Linux/Unix
Amazon EC2 Reserved Instances

Term commitment:
Ø One-year: A year is defined as 31536000 seconds (365 days)
Ø Three-year: Three years is defined as 94608000 seconds (1095 days)
Amazon EC2 Reserved Instances

Payment Options
Ø All Upfront: Full payment is made at the start of the term, with no other costs or additional hourly charges incurred for the remainder of the term, regardless of hours used
Ø Partial Upfront: A portion of the cost must be paid upfront and the remaining hours in the term are billed at a discounted hourly rate, regardless of whether the Reserved Instance is being used
Ø No Upfront: You are billed a discounted hourly rate for every hour within the term, regardless of whether the Reserved Instance is being used
Amazon EC2 Reserved Instances

Offering class:
Ø Standard: These provide the most significant discount but can only be modified
Ø Convertible: These provide a lower discount than Standard Reserved Instances but can be exchanged for another Convertible Reserved Instance with different instance attributes
Amazon EC2 Reserved Instances

Standard Reserved Instance:
Ø Some attributes, such as instance size, can be modified during the term; however, the instance family cannot be modified. You cannot exchange a Standard Reserved Instance, only modify it.
Ø Can be sold in the Reserved Instance Marketplace.

Convertible Reserved Instance:
Ø Can be exchanged during the term for another Convertible Reserved Instance with new attributes including instance family, instance type, platform, scope, or tenancy. You can also modify some attributes of a Convertible Reserved Instance.
Ø Cannot be sold in the Reserved Instance Marketplace.
Amazon EC2 Dedicated Instances and Hosts

Dedicated Instances:
Ø Enables the use of dedicated physical servers
Ø Per instance billing (subject to a $2 per region fee)
Ø Automatic instance placement

Dedicated Hosts:
Ø Enables the use of dedicated physical servers
Ø Per host billing
Ø Visibility of sockets, cores, host ID
Ø Affinity between a host and instance
Ø Targeted instance placement
Ø Automatic instance placement
Ø Add capacity using an allocation request
Public, Private, and Elastic IP addresses

Public IP address:
Ø Lost when the instance is stopped
Ø Used in Public Subnets
Ø No charge
Ø Associated with a private IP address on the instance
Ø Cannot be moved between instances

Private IP address:
Ø Retained when the instance is stopped
Ø Used in Public and Private Subnets

Elastic IP address:
Ø Static Public IP address
Ø You are charged if not used
Ø Associated with a private IP address on the instance
Ø Can be moved between instances and Elastic Network Adapters
Public, Private and Elastic IPs

[Diagram: a Linux EC2 instance with eth0 Private-IP (e.g. 172.31.32.63) and a Public / Elastic IP (e.g. 3.104.75.244), exchanging data packets with the Internet through the Internet gateway]
• The public IP / EIP is associated with the instance
• The IGW performs 1:1 NAT between the public / Elastic IP (e.g. 3.104.75.244) and the private IP (e.g. 172.31.32.63); the instance itself only sees packets addressed to 172.31.32.63
Public, Private and Elastic IPs – Additional ENI

[Diagram: the same Linux EC2 instance with an additional Elastic Network Interface (ENI) attached: eth0 Private-IP e.g. 172.31.32.63 mapped by the Internet gateway to Public / Elastic IP e.g. 3.104.75.244, and eth1 Private-IP e.g. 172.31.10.10]
• The IGW performs 1:1 NAT
• An additional Elastic Network Interface (ENI) is attached as eth1 with its own private IP
Accessing other AWS Services Using Access Keys

[Diagram: an EC2 instance in a public subnet, with the AWS CLI configured with access keys, accessing an S3 Bucket; the access key belongs to an IAM User with a Policy attached]
• The access key is associated with an IAM account
• The AWS CLI on the instance is configured with the access keys
• The access key will use any permissions assigned to the IAM user
Accessing other AWS Services Using IAM Roles

[Diagram: an EC2 instance in a public subnet assuming an IAM Role (with a Policy attached) to access an S3 Bucket]
• The role is assumed by the EC2 instance
• No credentials are stored on the instance
IAM Instance Profiles
Ø An instance profile is a container for an IAM role that you can use to pass role information to an EC2 instance when the instance starts
Ø An instance profile can contain only one IAM role, although a role can be included in multiple instance profiles

[Diagram: an Application on an EC2 Instance uses the IAM Role held in the Instance Profile to access Amazon Simple Storage Service]
IAM Instance Profiles

You can use the following AWS CLI commands to work with instance profiles:
Ø Create an instance profile: aws iam create-instance-profile
Ø Add a role to an instance profile: aws iam add-role-to-instance-profile
Ø List instance profiles: aws iam list-instance-profiles, aws iam list-instance-profiles-for-role
Ø Get information about an instance profile: aws iam get-instance-profile
Ø Remove a role from an instance profile: aws iam remove-role-from-instance-profile
Ø Delete an instance profile: aws iam delete-instance-profile
Private Subnets and Bastion Hosts

[Diagram: a bastion EC2 instance with a Public-IP and a Private-IP in the public subnet; an EC2 instance with only a Private-IP in the private subnet; an Internet Client reaches the bastion through the Internet gateway]
• Security groups must allow traffic (SSH/RDP)

Public Subnet Route Table:
Destination      Target
172.31.0.0/16    Local
0.0.0.0/0        igw-id

Private Subnet Route Table:
Destination      Target
172.31.0.0/16    Local
NAT Instance vs NAT Gateway

Ø Management: a NAT instance is managed by you (e.g. software updates); a NAT gateway is managed by AWS
Ø Scaling: a NAT instance is scaled up (instance type) manually and uses enhanced networking; a NAT gateway has elastic scalability up to 45 Gbps
Ø High availability: a NAT instance has no high availability; scripted/auto-scaled HA is possible using multiple NATs in multiple subnets. A NAT gateway provides automatic high availability within an AZ and can be placed in multiple AZs
Ø Security groups: a NAT instance needs a Security Group assigned; a NAT gateway has no Security Groups
Ø Access: a NAT instance can be used as a bastion host; a NAT gateway cannot be accessed through SSH
Ø Addressing: use an Elastic IP address or a public IP address with a NAT instance; choose the Elastic IP address to associate with a NAT gateway at creation
Ø Port forwarding: a NAT instance can implement port forwarding through manual customisation; a NAT gateway does not support port forwarding
Private Subnet with NAT Gateway

[Diagram: a NAT gateway (Elastic-IP and Private-IP) in the public subnet and an EC2 instance (Private-IP) in the private subnet, reaching the Internet through the Internet gateway]
• The NAT gateway is created in the public subnet
• The NAT gateway ID must be specified in the private subnet RT

Public Subnet Route Table:
Destination      Target
172.31.0.0/16    Local
0.0.0.0/0        igw-id

Private Subnet Route Table:
Destination      Target
172.31.0.0/16    Local
0.0.0.0/0        nat-gateway-id
Private Subnet with NAT Instance

[Diagram: a NAT Instance (Elastic-IP and Private-IP) in the public subnet and an EC2 instance (Private-IP) in the private subnet, reaching the Internet through the Internet gateway]
• Must disable source/destination checks on the NAT instance
• The NAT instance ID must be specified in the private subnet RT

Public Subnet Route Table:
Destination      Target
172.31.0.0/16    Local
0.0.0.0/0        igw-id

Private Subnet Route Table:
Destination      Target
172.31.0.0/16    Local
0.0.0.0/0        nat-instance-id
Standard Amazon CloudWatch Metrics for EC2

[Screenshot of the standard EC2 metrics in CloudWatch]
• There are NO metrics for memory or disk utilization
Custom Amazon CloudWatch Metrics for EC2

Ø Can publish metrics using the API or AWS CLI
Ø Example CLI command: aws cloudwatch put-metric-data --metric-name TEST --namespace MyNameSpace --unit Bytes --value 231434333 --dimensions InstanceId=1-23456789,InstanceType=m1.small
Ø Or you can use the Unified Amazon CloudWatch Agent
Ø Collects system-level metrics from EC2 and on-premises servers
Custom Amazon CloudWatch Metrics for EC2
The unified CloudWatch agent enables you to do the following:
Ø Collect more system-level metrics from Amazon EC2 instances across operating systems. The metrics can include in-guest metrics, in addition to the metrics for EC2 instances
Ø Collect system-level metrics from on-premises servers. These can include servers in a hybrid environment as well as servers not managed by AWS
Ø Retrieve custom metrics from your applications or services using the StatsD and collectd protocols.
Ø Collect logs from Amazon EC2 instances and on-premises servers, running either Linux or Windows Server
Ø You can download and install the CloudWatch agent manually using the command line, or you can integrate it with SSM
IAM Policy Example – Allow Full EC2 access in the us-east-2 Region
IAM Policy Example – Limit Terminating EC2 Instances to an IP Address Range
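As an added example (not the slides' own policy text, which is not reproduced on this page), the following evaluator models the two policy shapes named by the slide titles and shows the explicit-deny precedence that makes the IP-range restriction work. The policy JSON, the corporate range 192.0.2.0/24 and the request contexts are constructed assumptions, and only the StringEquals, IpAddress and NotIpAddress condition operators are modelled.

```python
"""Added example (not from the course slides): a minimal evaluator for the two
policy shapes the slide titles describe. The policy JSON below is constructed
along the lines of those titles; it is not the slides' own policy text."""
import fnmatch
import json
from ipaddress import ip_address, ip_network

# Policy 1: allow all EC2 actions, but only when the request targets us-east-2.
FULL_EC2_IN_US_EAST_2 = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "ec2:*",
    "Resource": "*",
    "Condition": {"StringEquals": {"aws:RequestedRegion": "us-east-2"}}
  }]
}""")

# Policy 2: allow TerminateInstances, then explicitly deny it from anywhere
# outside the constructed corporate range 192.0.2.0/24 (a documentation prefix).
TERMINATE_FROM_OFFICE_ONLY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "ec2:TerminateInstances", "Resource": "*"},
    {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*",
     "Condition": {"NotIpAddress": {"aws:SourceIp": "192.0.2.0/24"}}}
  ]
}""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    """All operator/key pairs must hold; the values listed under one key are OR'd.
    Simplification: a key missing from the request context makes the condition false."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            expected = _as_list(expected)
            if operator == "StringEquals":
                holds = actual in expected
            elif operator in ("IpAddress", "NotIpAddress"):
                inside = any(ip_address(actual) in ip_network(cidr) for cidr in expected)
                holds = inside if operator == "IpAddress" else not inside
            else:
                raise ValueError(f"operator {operator} not modelled here")
            if not holds:
                return False
    return True


def _applies(statement, action, context):
    """Action matching with IAM-style wildcards; Resource is '*' in both policies
    and is therefore not evaluated here."""
    patterns = _as_list(statement["Action"])
    if not any(fnmatch.fnmatchcase(action, p) for p in patterns):
        return False
    return _condition_holds(statement.get("Condition", {}), context)


def evaluate(policies, action, context):
    """IAM decision logic: an explicit Deny always wins, then any Allow, else
    the request is implicitly denied."""
    effects = [s["Effect"] for p in policies for s in p["Statement"]
               if _applies(s, action, context)]
    if "Deny" in effects:
        return "Deny"
    if "Allow" in effects:
        return "Allow"
    return "ImplicitDeny"


if __name__ == "__main__":
    ctx = {"aws:RequestedRegion": "us-east-2", "aws:SourceIp": "203.0.113.9"}
    print(evaluate([FULL_EC2_IN_US_EAST_2, TERMINATE_FROM_OFFICE_ONLY],
                   "ec2:TerminateInstances", ctx))   # Deny: caller is outside 192.0.2.0/24
```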
AWS Lambda

[Diagram: a Developer uploads some code to a Lambda function; an event occurs (the source can be CLI, API, SDK or a trigger) and the code is executed]
AWS Lambda
Ø Lambda is an event-driven compute service where AWS Lambda runs code in response to events such as changes to data in an S3 bucket or a DynamoDB table
Ø Lambda scales concurrently executing functions up to your default limit (1000)
Ø Lambda allocates CPU power proportional to the memory you specify using the same ratio as a general purpose EC2 instance type
Ø The maximum execution timeout is 15 minutes (900 seconds), default is 3 mins
Ø You can configure your Lambda function to access resources inside an Amazon VPC
AWS Lambda - Concurrency

[Diagram: a function invocation causes the function to be executed; additional functions are initialized up to the burst or account limit]
AWS Lambda in a Virtual Private Cloud (VPC)

[Diagram: AWS Lambda attaches an elastic network interface in the private subnet of each of two Availability Zones; traffic to an instance in the public subnet and to the Internet passes through a NAT Gateway and the Internet Gateway]
Invoke Lambda Function with Amazon SNS

[Diagram: a User submits a notification to an Amazon SNS Topic, which invokes the AWS Lambda Function; the event is written to CloudWatch Logs]
Invoke Lambda Function on a Schedule

[Diagram: an Amazon CloudWatch Events rule is scheduled to invoke the AWS Lambda Function every 1 minute; the event is written to Amazon CloudWatch Logs]

Exam Scenarios

Ø Scenario: Administrator needs to check if any EC2 instances will be affected by scheduled hardware maintenance
  Solution: Check the AWS Personal Health Dashboard
Ø Scenario: Scheduled hardware maintenance will affect a critical EC2 instance
  Solution: Stop and start the instance to move it to different underlying hardware
Ø Scenario: When launching an EC2 instance the InsufficientInstanceCapacity error is experienced
  Solution: This means AWS does not currently have enough capacity to service the request for that instance type. Try a different AZ or instance type
Ø Scenario: The error InstanceLimitExceeded is experienced when launching EC2 instances
  Solution: EC2 instance limits have been reached, need to contact support to request an increased limit
Ø Scenario: System status checks are failing for an EC2 instance
  Solution: Stop and start again to move to a new host
Ø Scenario: For security and compliance reasons EC2 instances must not be able to access the internet
  Solution: Launch them in a private subnet without a NAT gateway or NAT instance
Ø Scenario: EC2 instances must communicate with an internet-based service which whitelists a single source IP address
  Solution: Place the instances behind a NAT gateway as the device will have a single elastic IP address that can be whitelisted
Ø Scenario: A distributed app is running on EC2 and can handle processing interruptions. Determine the best pricing model to use
  Solution: Use Spot instances as the application can handle it if the instances are terminated
Ø Scenario: Define AWS’ responsibilities for EC2 hardware according to the AWS Shared Responsibility Model
  Solution: AWS are responsible for managing the health of the underlying hosts
Ø Scenario: A nightly job runs on EC2 and stores results in S3. Takes 2 hours using multiple on-demand instances. If it fails, it must start again. Determine the best pricing model to use
  Solution: Request a Spot block for the time period required
Ø Scenario: An asynchronous process runs on EC2 and feeds data to a data warehouse for weekly/monthly reporting. Determine the best pricing model to use
  Solution: Use Spot instances as the asynchronous nature of the reporting means the app can handle interruption if AWS need the capacity back
Ø Scenario: Need to track EC2 and on-premise computer memory utilization
  Solution: Install the unified CloudWatch agent on both EC2 and on-premises servers
Ø Scenario: Amazon EC2 Auto Scaling automatically terminates unhealthy instances but Administrator needs to keep the logs for subsequent analysis
  Solution: Install the CloudWatch agent to stream logs to CloudWatch Logs
Ø Scenario: There is a suspected memory leak on an Amazon EC2 instance
  Solution: Install the CloudWatch agent to monitor memory utilization
Ø Scenario: An AWS Lambda function is expected to see a large increase in traffic and must scale
  Solution: Ensure the concurrency limit is higher than the expected simultaneous executions
Ø Scenario: Need to invoke an AWS Lambda function every 15 minutes
  Solution: Create an event rule in Amazon CloudWatch Events to execute the function periodically
SECTION 4
Scaling Compute: Elastic Load Balancing and Auto Scaling
Elastic Load Balancing (ELB) Concepts

[Diagram: an Elastic Load Balancer in front of Instances 1 and 2 in the public subnet of one Availability Zone and Instances 3 and 4 in the public subnet of another, serving Users 1 to 3]
• ELB takes instance 1 out of service (failed health check)
• User 1 is connected to instance 4
Elastic Load Balancing (ELB) Types

Application Load Balancer (Instance Protocol: HTTP, HTTPS; Load Balancer Protocol: HTTP, HTTPS)
• Operates at the request level
• Routes based on the content of the request (layer 7)
• Supports path-based routing, host-based routing, query string parameter-based routing, and source IP address-based routing
• Supports instances, IP addresses, Lambda functions and containers as targets

Network Load Balancer (Instance Protocol: TCP, TCP_UDP; Load Balancer Protocol: TCP, TLS, UDP, TCP_UDP)
• Operates at the connection level
• Routes connections based on IP protocol data (layer 4)
• Offers ultra high performance, low latency and TLS offloading at scale
• Can have a static IP / Elastic IP
• Supports UDP and static IP addresses as targets
Network Load Balancer (Internet-Facing)

[Diagram: an Internet Client reaches, through the Internet gateway, a Network Load Balancer with Public-IPs / Elastic IP in the public subnet of each of two Availability Zones; the NLB forwards TCP, TLS to a Target Group of EC2 Instance 1 and EC2 Instance 2 (Private-IP) in the private subnets]
• With NLB you can assign an EIP per AZ
Application Load Balancer (Internet-Facing)

[Diagram: an Internet Client reaches, through the Internet gateway, an Application Load Balancer with Public-IPs in the public subnet of each of two Availability Zones; the ALB forwards HTTP, HTTPS to a Target Group of EC2 Instance 1 and EC2 Instance 2 (Private-IP) in the private subnets]
Application Load Balancer with Targets in Private Subnet

[Diagram: the same layout, with the Application Load Balancer (Public-IPs) in the public subnets and the Target Group of EC2 Instance 1 and EC2 Instance 2 (Private-IP) in the private subnets]
• ELB must be configured with a public subnet in the same AZ as the private subnet
ELB Health Checks

[Diagram: an Application Load Balancer with a Health Check Config for a Target Group of four Instances]
• You must define a health check for each target group
• Protocol is HTTP/HTTPS for ALB and can also be TCP for NLB
ELB Health Checks

Ø Each load balancer node checks the health of each target, using the health check settings for the target groups with which the target is registered
Ø Each load balancer node routes requests only to the healthy targets in the enabled Availability Zones for the load balancer
Ø If a target group contains only unhealthy registered targets, the load balancer nodes route requests across its unhealthy targets
ELB Health Checks Settings

Ø HealthCheckProtocol: The protocol the load balancer uses when performing health checks on targets.
Ø HealthCheckPort: The port the load balancer uses when performing health checks on targets.
Ø HealthCheckPath: The ping path that is the destination on the targets for health checks. Specify a valid URI (/path?query). The default is /.
Ø HealthCheckTimeoutSeconds: The amount of time, in seconds, during which no response from a target means a failed health check.
Ø HealthCheckIntervalSeconds: The approximate amount of time, in seconds, between health checks of an individual target.
Ø HealthyThresholdCount: The number of consecutive successful health checks required before considering an unhealthy target healthy.
Ø UnhealthyThresholdCount: The number of consecutive failed health checks required before considering a target unhealthy.
Ø Matcher: The HTTP codes to use when checking for a successful response from a target. The possible values are from 200 to 499.
ELB Health Checks – Status Checks

Ø initial: The load balancer is in the process of registering the target or performing the initial health checks on the target
Ø healthy: The target is healthy
Ø unhealthy: The target did not respond to a health check or failed the health check
Ø unused: The target is not registered with a target group, the target group is not used in a listener rule, the target is in an Availability Zone that is not enabled, or the target is in the stopped or terminated state
Ø draining: The target is deregistering and connection draining is in process
Ø unavailable: Health checks are disabled for the target group
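To show how the settings table and the status values above interact, here is an added example (not from the course slides) that drives one target through the initial, healthy and unhealthy states from a sequence of probe results. The threshold values, the probe outcomes and the detection-window estimate are constructed for the demonstration.

```python
"""Added example (not from the course slides): drive one target through the
health status values using the settings named in the settings table. Probe
results are constructed; nothing here calls AWS."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class HealthCheckConfig:
    # Field names mirror the settings table; the values are constructed for the demo.
    HealthCheckProtocol: str = "HTTP"
    HealthCheckPort: str = "traffic-port"
    HealthCheckPath: str = "/"
    HealthCheckTimeoutSeconds: int = 5
    HealthCheckIntervalSeconds: int = 30
    HealthyThresholdCount: int = 5
    UnhealthyThresholdCount: int = 2
    Matcher: str = "200"

    def code_matches(self, status_code: int) -> bool:
        """Matcher accepts single codes, ranges and comma lists, e.g. '200,301-302'."""
        for part in self.Matcher.split(","):
            low, _, high = part.strip().partition("-")
            if int(low) <= status_code <= int(high or low):
                return True
        return False


@dataclass
class Probe:
    """One health check attempt; status_code is None when the target never answered."""
    status_code: Optional[int]
    elapsed_seconds: float


@dataclass
class Target:
    config: HealthCheckConfig
    state: str = "initial"
    consecutive_ok: int = 0
    consecutive_fail: int = 0

    def probe_succeeded(self, probe: Probe) -> bool:
        # No answer within HealthCheckTimeoutSeconds is a failed check, whatever
        # status code eventually arrives.
        if probe.status_code is None or probe.elapsed_seconds > self.config.HealthCheckTimeoutSeconds:
            return False
        return self.config.code_matches(probe.status_code)

    def record(self, probe: Probe) -> str:
        """Apply one probe result and return the resulting status value."""
        if self.probe_succeeded(probe):
            self.consecutive_ok += 1
            self.consecutive_fail = 0
            if self.state != "healthy" and self.consecutive_ok >= self.config.HealthyThresholdCount:
                self.state = "healthy"
        else:
            self.consecutive_fail += 1
            self.consecutive_ok = 0
            if self.state != "unhealthy" and self.consecutive_fail >= self.config.UnhealthyThresholdCount:
                self.state = "unhealthy"
        return self.state


def run_probes(config: HealthCheckConfig, probes: List[Probe]) -> List[str]:
    """Status value after each probe, in order."""
    target = Target(config)
    return [target.record(p) for p in probes]


def detection_window_seconds(config: HealthCheckConfig) -> int:
    """Rough upper bound on the time between a target breaking and being marked
    unhealthy: each of the UnhealthyThresholdCount checks may wait a full
    interval and then a full timeout before it counts as failed."""
    return config.UnhealthyThresholdCount * (config.HealthCheckIntervalSeconds
                                             + config.HealthCheckTimeoutSeconds)


# Constructed demo: three successes needed to become healthy, two failures to
# become unhealthy, 5 s timeout, 10 s interval, only HTTP 200 counts as success.
DEMO_CONFIG = HealthCheckConfig(HealthCheckTimeoutSeconds=5, HealthCheckIntervalSeconds=10,
                                HealthyThresholdCount=3, UnhealthyThresholdCount=2, Matcher="200")
DEMO_PROBES = [
    Probe(200, 0.2), Probe(200, 0.3),   # two good answers: still 'initial'
    Probe(503, 0.1),                    # one failure resets the success counter
    Probe(200, 0.2), Probe(200, 0.2), Probe(200, 0.2),   # third consecutive 200 -> healthy
    Probe(200, 6.0),                    # a 200 that arrived after the 5 s timeout: failure
    Probe(None, 5.0),                   # no answer at all: second failure -> unhealthy
    Probe(200, 0.2), Probe(200, 0.2), Probe(200, 0.2),   # recovery needs three 200s
]


def demo() -> List[str]:
    return run_probes(DEMO_CONFIG, DEMO_PROBES)


if __name__ == "__main__":
    for probe, state in zip(DEMO_PROBES, demo()):
        print(f"{str(probe.status_code):>4} in {probe.elapsed_seconds:>4}s -> {state}")
    print("worst-case detection window:", detection_window_seconds(DEMO_CONFIG), "s")
```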


Application Load Balancer – Path-based Routing

[Diagram: an Internet Client sends HTTP requests to an Application Load Balancer Listener HTTP:80 with two rules: Rule (default) forwards to Target Group 1 (Instance 1, Instance 2) and Rule (/orders) forwards to Target Group 2 (Instance 3, Instance 4)]
• Requests for https://dctlabs.com go to Target Group 1
• Requests for https://dctlabs.com/orders go to Target Group 2

Application Load Balancer – Host-based Routing

[Diagram: an Internet Client sends HTTP requests to an Application Load Balancer Listener with two rules: Rule (default) forwards to Target Group 1 (Instance 1, Instance 2) and Rule (shop.dctlabs.com) forwards to Target Group 2 (Instance 3, Instance 4)]
• Requests for https://dctlabs.com go to Target Group 1
• Requests for https://shop.dctlabs.com go to Target Group 2

ELB Sticky Sessions

[Diagram: an Elastic Load Balancer in front of EC2 Web Servers (Instances 1 to 3 in the public subnet of one Availability Zone, Instances 4 to 6 in the public subnet of another), serving Clients 1 to 3]
• Client 1 connects and is bound to Instance 1 for the cookie lifetime
• The cookie expires and the ELB routes Client 1 to Instance 4
• A new request from Client 3 is routed to Instance 3
• Client 3 connects and is bound to Instance 6 for the cookie lifetime
• Instance 6 becomes unhealthy
Sticky Sessions

Ø ALB: Supported: Yes; Load Balancer Generated Cookie: Yes, “AWSALB”; Application Generated Cookie: Not supported
Ø NLB: Supported: No; Load Balancer Generated Cookie: N/A; Application Generated Cookie: N/A

Sticky Session Configuration Options (ALB)
There are now two configuration options for sticky sessions:
Ø Duration-based cookies – always uses AWSALB
Ø Application-based cookies - set a custom app cookie name
Ø Both types are generated by the load balancer (not the application)
Ø For application-based cookies, cookie names have to be specified individually for each target group
Ø For duration-based cookies, AWSALB is the only name used across all target groups

Sticky Session Configuration Options (ALB)
[Screenshot of the stickiness configuration options]
Public ALB with Private Instances – Security Groups

[Diagram: an Internet-facing ALB in the VPC public subnet(s) and Web Front-End instances in the private subnet(s)]

Security group – PublicALB (Internet-facing ALB):
Ø Inbound: Protocol/Port HTTP/80, Source: 0.0.0.0/0
Ø Outbound: Protocol/Port HTTPS:80, Destination: PrivateEC2

Security group – PrivateEC2 (Web Front-End):
Ø Inbound: Protocol/Port HTTP/80, Source: PublicALB
Multi-Tier Web Architecture

(Diagram: a VPC in one Region spanning two Availability Zones, each with a public subnet and a private subnet. The Web Front-End runs in an Auto Scaling group in the public subnets behind an Internet-facing ALB that is reached through an Internet gateway (HTTP, HTTPS from the Internet client). The Application Layer runs in a second Auto Scaling group in the private subnets behind an internal ALB, with a NAT gateway in the public subnet for outbound access.)
Multi-Tier Web Architecture – Security Groups

Public subnet(s):

Security group PublicALB (Internet-facing ALB):
Ø Inbound: HTTP/80 from 0.0.0.0/0
Ø Outbound: HTTP/80 to security group PublicEC2

Security group PublicEC2 (Web Front-End):
Ø Inbound: HTTP/80 from security group PublicALB
Ø Outbound: HTTP/8080 to security group PrivateALB

Private subnet(s):

Security group PrivateALB (internal ALB):
Ø Inbound: HTTP/8080 from security group PublicEC2
Ø Outbound: HTTP/8080 to security group PrivateEC2

Security group PrivateEC2 (Application Layer):
Ø Inbound: HTTP/8080 from security group PrivateALB

Each tier references the security group of the tier in front of it rather than a CIDR range, so the rules keep working as Auto Scaling replaces instances, and no tier is reachable except from the one directly in front of it.
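The chain above is easy to break with one extra rule (an SSH rule from 0.0.0.0/0 added "temporarily" to the web tier, for example). The following script, an added example and not part of the course slides, audits a set of security groups against the expected chain. The input mirrors the IpPermissions structure returned by `aws ec2 describe-security-groups`; the group IDs, names and sample rules are constructed for the example, and only inbound rules are checked.

```python
"""Audit an ALB -> web -> internal ALB -> app security-group chain.

Added example; not part of the course slides. Input is modelled on the
IpPermissions structure returned by `aws ec2 describe-security-groups`.
Group IDs, names and the sample rules are constructed for the example.
"""
from typing import Dict, List, Tuple

# Constructed sample data: the four groups from the multi-tier design,
# plus one deliberate mistake (SSH open to the world on the web tier).
SAMPLE_GROUPS: List[dict] = [
    {"GroupId": "sg-0a1", "GroupName": "PublicALB", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0b2", "GroupName": "PublicEC2", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0a1"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0c3", "GroupName": "PrivateALB", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0b2"}]}]},
    {"GroupId": "sg-0d4", "GroupName": "PrivateEC2", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0c3"}]}]},
]

# The only inbound rule each tier should have: (port, source). The source is a
# CIDR for the edge tier and the name of the upstream security group otherwise.
EXPECTED_CHAIN: Dict[str, Tuple[int, str]] = {
    "PublicALB": (80, "0.0.0.0/0"),
    "PublicEC2": (80, "PublicALB"),
    "PrivateALB": (8080, "PublicEC2"),
    "PrivateEC2": (8080, "PrivateALB"),
}


def audit_chain(groups: List[dict],
                expected: Dict[str, Tuple[int, str]] = EXPECTED_CHAIN) -> List[str]:
    """Return findings (an empty list means the chain is clean).

    A finding is raised for every inbound rule that is not exactly the one
    expected for that tier, and for every tier whose expected rule is missing.
    """
    name_of = {g["GroupId"]: g["GroupName"] for g in groups}
    by_name = {g["GroupName"]: g for g in groups}
    findings: List[str] = []
    for tier, (port, source) in expected.items():
        group = by_name.get(tier)
        if group is None:
            findings.append(f"{tier}: security group missing")
            continue
        seen_expected = False
        for perm in group["IpPermissions"]:
            # Protocol "-1" (all traffic) carries no ports; it is never the expected rule.
            ports = (perm.get("FromPort"), perm.get("ToPort"))
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [name_of.get(p["GroupId"], p["GroupId"])
                        for p in perm.get("UserIdGroupPairs", [])]
            for src in sources:
                if ports == (port, port) and src == source:
                    seen_expected = True
                    continue
                findings.append(f"{tier}: unexpected inbound {perm['IpProtocol']} "
                                f"{ports[0]}-{ports[1]} from {src}")
        if not seen_expected:
            findings.append(f"{tier}: expected inbound tcp {port} from {source} is missing")
    return findings


if __name__ == "__main__":
    for finding in audit_chain(SAMPLE_GROUPS) or ["chain is clean"]:
        print(finding)
```

Against real data, feed `audit_chain` the `SecurityGroups` list from the CLI output. Security groups are stateful, so return traffic for the allowed inbound flows is permitted without outbound rules; the script therefore treats any inbound rule outside the chain as a finding and leaves the outbound side to be reviewed separately.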
Amazon EC2 Auto Scaling

(Diagram: an Auto Scaling group with EC2 instances in public subnets across two Availability Zones. The instances report metrics to Amazon CloudWatch; when CPU exceeds 80%, CloudWatch notifies Auto Scaling to scale and an extra instance is launched. When EC2 status checks fail on an instance, the ASG replaces the failed instance.)
Amazon Elastic Load Balancing with EC2 Auto Scaling

(Diagram: Instances 1–4 in public subnets across two Availability Zones behind an Elastic Load Balancer serving Users 1–3. The ELB takes Instance 1 out of service after it fails its health check and EC2 Auto Scaling terminates it; User 1 is now connected to Instance 4. Auto Scaling then launches Instance 5 to restore the desired capacity, and Users 1–4 are spread across Instances 2–5.)

This architecture includes high availability and fault tolerance
EC2 Auto Scaling – Launch Configuration

A launch configuration specifies:
Ø the AMI and instance type
Ø roles (instance profile), monitoring, tenancy etc.
Ø storage and security groups
EC2 Auto Scaling – Launch Templates

Similar to a Launch Configuration but offers some additional features:
Ø Can have multiple versions of a template (launch configurations cannot be edited)
Ø Use dedicated hosts
Ø Use both Spot and On-Demand instances
Ø Use multiple instance types
Ø Configure advanced settings such as termination protection, shutdown behavior, placement groups etc.
Ø And more.. We'll see in the console
AWS recommends launch templates over launch configurations for new Auto Scaling groups.
EC2 and ELB Health Checks

(Diagram: Elastic Load Balancing and Amazon EC2 both report health to Amazon EC2 Auto Scaling for instances in public subnets across two Availability Zones.)
Ø By default, an Auto Scaling group uses EC2 status checks to decide whether an instance is healthy
Ø ELB health checks are an optional (recommended) setting in the ASG
Ø If ELB health checks are enabled in the ASG, both types are used: an instance that fails either the EC2 status checks or the load balancer's health check is marked unhealthy and replaced
EC2 Auto Scaling – Types of Scaling

Scheduled Scaling
Ø Scaling based on a schedule allows you to scale your application ahead of
known load changes
Ø For example, every week the traffic to your web application starts to
increase on Wednesday, remains high on Thursday, and starts to decrease
on Friday
Ø You can plan your scaling activities based on the known traffic patterns of
your web application
EC2 Auto Scaling – Types of Scaling

Dynamic Scaling
Ø Amazon EC2 Auto Scaling enables you to follow the demand curve for
your applications closely, reducing the need to manually provision
Amazon EC2 capacity in advance
Ø Amazon EC2 Auto Scaling will then automatically adjust the number of
EC2 instances as needed to maintain your target
EC2 Auto Scaling – Types of Scaling

Predictive Scaling
Ø Predictive Scaling uses machine learning to schedule the right number of EC2 instances in anticipation of approaching traffic changes
Ø Predictive Scaling predicts future traffic, including regularly-occurring spikes, and provisions the right number of EC2 instances in advance
Ø Originally configured through AWS Auto Scaling (a layer on top of EC2 Auto Scaling); it is now also available as a native EC2 Auto Scaling policy type
Ø Probably won't be on the exam yet
Auto Scaling Termination Policies – Default Policy

(Diagram: an Auto Scaling group with public subnets in two Availability Zones.)

1. Determine which Availability Zone has the most instances, and at least one instance that is not protected from scale in
2. Determine which instance to terminate so as to align the remaining instances to the allocation strategy for the On-Demand or Spot Instance that is terminating and your current selection of instance types
3. Determine whether any of the instances use the oldest launch template (instances launched from a launch configuration are terminated before instances launched from a launch template)
4. Determine whether any of the instances use the oldest launch configuration
5. After applying all of the criteria in 2 through 4, if there are multiple unprotected instances to terminate, determine which instances are closest to the next billing hour
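Walking through the ordering on a concrete group makes it easier to predict which instance will go when the group scales in. The following simulation is an added example and not part of the course slides: it applies the default ordering (busiest AZ, then launch-configuration instances and the oldest launch configuration, then the oldest launch template version, then closest to the next billing hour) to a constructed group. Step 2 (allocation strategy) is skipped because the sample group uses a single instance type; instance IDs and timestamps are constructed.

```python
"""Simulate the default EC2 Auto Scaling termination policy on a sample group.

Added example; not part of the course slides. Step 2 of the policy (allocation
strategy) is omitted because the sample group uses one instance type.
Instance IDs and timestamps are constructed.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass(frozen=True)
class Instance:
    instance_id: str
    az: str
    launch_time: datetime
    template_version: Optional[int] = None             # set when launched from a launch template
    launch_config_created: Optional[datetime] = None   # set when launched from a launch configuration
    protected_from_scale_in: bool = False


NOW = datetime(2023, 5, 1, 12, 0, tzinfo=timezone.utc)
LC_CREATED = datetime(2023, 1, 1, tzinfo=timezone.utc)   # creation time of the old launch configuration


def minutes_ago(minutes: int) -> datetime:
    return NOW - timedelta(minutes=minutes)


# Constructed group: three instances in us-east-1a (one protected), two in us-east-1b.
SAMPLE_GROUP: List[Instance] = [
    Instance("i-a1", "us-east-1a", minutes_ago(125), template_version=1, protected_from_scale_in=True),
    Instance("i-a2", "us-east-1a", minutes_ago(50), template_version=1),
    Instance("i-a3", "us-east-1a", minutes_ago(20), template_version=2),
    Instance("i-b1", "us-east-1b", minutes_ago(200), launch_config_created=LC_CREATED),
    Instance("i-b2", "us-east-1b", minutes_ago(10), template_version=1),
]


def seconds_to_next_billing_hour(inst: Instance, now: datetime) -> float:
    elapsed = (now - inst.launch_time).total_seconds()
    return 3600.0 - (elapsed % 3600.0)


def choose_instance_to_terminate(instances: List[Instance], now: datetime) -> Optional[Instance]:
    """Return the instance the default policy would terminate, or None if all are protected."""
    candidates = [i for i in instances if not i.protected_from_scale_in]
    if not candidates:
        return None
    # 1. AZ with the most instances that still has at least one unprotected instance
    az_count = Counter(i.az for i in instances)
    busiest = max(az_count[i.az] for i in candidates)
    candidates = [i for i in candidates if az_count[i.az] == busiest]
    # 3./4. launch-configuration instances go before launch-template instances;
    #       among them the oldest configuration, otherwise the oldest template version
    from_config = [i for i in candidates if i.launch_config_created is not None]
    if from_config:
        oldest = min(i.launch_config_created for i in from_config)
        candidates = [i for i in from_config if i.launch_config_created == oldest]
    else:
        oldest_version = min(i.template_version or 0 for i in candidates)
        candidates = [i for i in candidates if (i.template_version or 0) == oldest_version]
    # 5. closest to the next billing hour (AWS chooses at random among exact ties;
    #    min() keeps the first candidate here so the result is deterministic)
    return min(candidates, key=lambda i: seconds_to_next_billing_hour(i, now))


if __name__ == "__main__":
    victim = choose_instance_to_terminate(SAMPLE_GROUP, NOW)
    print("would terminate:", victim.instance_id if victim else None)
```

On the sample group the AZ rule removes both us-east-1b instances from consideration even though i-b1 runs from the oldest launch configuration, which is the point the ordering makes: the AZ balance check is applied before any age criterion.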
EC2 Auto Scaling – Types of Scaling

Scaling | What it is | When to use
Maintain | Ensures the required number of instances are running | Use when you always need a known number of instances running at all times
Manual | Manually change desired capacity via the console or CLI | Use when your needs change rarely enough that you're OK to make manual changes
Scheduled | Adjust min/max instances on specific dates/times or recurring time periods | Use when you know when your busy and quiet times are. Useful for ensuring enough instances are available before very busy times
Dynamic | Scale in response to system load or other triggers using metrics | Useful for changing capacity based on system utilization, e.g. CPU hits 80%

Dynamic scaling policy types:

Scaling | What it is | When to use
Target Tracking Policy | The scaling policy adds or removes capacity as required to keep the metric at, or close to, the specified target value | A use case is that you want to keep the aggregate CPU usage of your ASG at 70%
Simple Scaling Policy | Waits until the health check and cooldown period expire before re-evaluating | This is a more conservative way to add/remove instances. Useful when load is erratic. AWS recommend step scaling instead of simple in most cases
Step Scaling Policy | Increase or decrease the current capacity of your Auto Scaling group based on a set of scaling adjustments, known as step adjustments | Useful when you want to vary adjustments based on the size of the alarm breach
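The "size of the alarm breach" in a step scaling policy is the distance between the metric value and the alarm threshold, and each step covers a range of that distance. The following evaluator is an added example, not part of the course slides or of the AWS service: it assumes that each step covers breach values from its lower bound (inclusive) up to its upper bound (exclusive), with None meaning unbounded, and clamps the result to the group's min/max size. Consult the AWS documentation for the exact bound semantics of real policies; the policies and metric values here are constructed.

```python
"""Evaluate a step scaling policy against an alarm breach.

Added example; not part of the course slides. Bound handling is an assumption:
each step covers breach values from `lower` (inclusive) to `upper` (exclusive),
both offsets from the alarm threshold, with None meaning unbounded.
The policies and metric values below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class StepAdjustment:
    lower: Optional[float]   # offset from the alarm threshold, inclusive; None = no lower bound
    upper: Optional[float]   # offset from the alarm threshold, exclusive; None = no upper bound
    adjustment: int          # instances to add (positive) or remove (negative)


# Constructed scale-out policy on a CPU alarm with threshold 70%:
# 70-80% -> +1 instance, 80-90% -> +2, 90% and above -> +4
SCALE_OUT = [StepAdjustment(0, 10, 1), StepAdjustment(10, 20, 2), StepAdjustment(20, None, 4)]
# Constructed scale-in policy on a CPU alarm with threshold 40%:
# 30-40% -> -1 instance, below 30% -> -2
SCALE_IN = [StepAdjustment(-10, 0, -1), StepAdjustment(None, -10, -2)]


def step_scaling_desired(metric: float, threshold: float, steps: List[StepAdjustment],
                         current: int, min_size: int, max_size: int) -> int:
    """Return the new desired capacity after one alarm evaluation."""
    breach = metric - threshold
    for step in steps:
        above_lower = step.lower is None or breach >= step.lower
        below_upper = step.upper is None or breach < step.upper
        if above_lower and below_upper:
            # the group's min/max always win over the step adjustment
            return max(min_size, min(max_size, current + step.adjustment))
    return current   # breach falls outside every step: no change


if __name__ == "__main__":
    for cpu in (75, 85, 99):
        print(f"CPU {cpu}%: desired {step_scaling_desired(cpu, 70, SCALE_OUT, 4, 2, 10)}")
```

With the constructed scale-out policy a reading of 99% CPU adds four instances at once, while 75% adds only one, which is the behaviour the table describes as varying the adjustment with the size of the breach. A simple scaling policy would apply the same fixed adjustment in both cases and then wait out the cooldown.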
Auto Scaling Lifecycle Hooks

A lifecycle hook puts a launching or terminating instance into a Pending:Wait or Terminating:Wait state

Ø You can perform a custom action using one or more of the following options:
Ø Define an EventBridge target to invoke a Lambda function when a lifecycle action occurs
Ø Define a notification target (Amazon SNS topic or SQS queue) for the lifecycle hook
Ø Create a script that runs on the instance as the instance starts
Ø The hook must then be completed with CONTINUE or ABANDON; if it is not, it times out (default heartbeat timeout 3600 seconds) and the default result is applied
Elastic Load Balancing – Monitoring and Logging
Ø CloudWatch – metrics are published every 1 minute
Ø The ELB service only sends information when requests are active (no requests, no data points)
Ø Some of the key metrics reported for load balancers are (the names below are the Classic Load Balancer names; the ALB equivalents are given in brackets):
Ø BackendConnectionErrors (ALB: TargetConnectionErrorCount)
Ø HealthyHostCount / UnHealthyHostCount (same names on the ALB)
Ø HTTPCode_Backend_2XX - Successful request (ALB: HTTPCode_Target_2XX_Count)
Ø HTTPCode_Backend_3XX - Redirected request (ALB: HTTPCode_Target_3XX_Count)
Ø HTTPCode_ELB_4XX client error (ALB: HTTPCode_ELB_4XX_Count)
Ø HTTPCode_ELB_5XX server error, generated by the ELB itself rather than a target (ALB: HTTPCode_ELB_5XX_Count)
Ø Latency (ALB: TargetResponseTime)
Ø RequestCount
Ø SurgeQueueLength - the total number of requests (HTTP listener) or connections (TCP listener) that are pending routing to a healthy instance (Classic Load Balancer only)
Ø SpilloverCount - the total number of requests that were rejected because the surge queue is full (Classic Load Balancer only; an ALB reports RejectedConnectionCount instead)
Elastic Load Balancing – Monitoring and Logging
Ø Access Logs:
Ø Disabled by default
Ø Includes information about the clients (not included in CloudWatch metrics):
Ø Time
Ø Client IP address
Ø Latencies
Ø Request paths
Ø Server response
Ø Trace ID
Ø Delivered to an Amazon S3 bucket that you specify; retention is then managed with S3 lifecycle rules
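Access logs are the only place the client IP and the target that served each request are recorded together, which is why they answer the "who sent the 4XX requests after the instances were terminated" and "is the ALB generating the 5XXs itself" questions. The following script is an added example, not part of the course slides: it parses ALB access-log lines in the documented field order (29 fields; newer log versions append fields, which are ignored), attributes 4XX responses to client IPs, 5XX responses to targets, and separates responses the load balancer produced itself (target "-"). The log lines are constructed for the example.

```python
"""Mine ALB access logs for the originators of 4XX errors and for ELB-generated errors.

Added example; not part of the course slides. Field order follows the documented
ALB access-log format (29 fields; newer log versions append fields, which are
ignored). The log lines below are constructed for the example.
"""
import shlex
from collections import Counter
from typing import Dict, Iterable

FIELDS = (
    "type time elb client_port target_port request_processing_time "
    "target_processing_time response_processing_time elb_status_code "
    "target_status_code received_bytes sent_bytes request user_agent ssl_cipher "
    "ssl_protocol target_group_arn trace_id domain_name chosen_cert_arn "
    "matched_rule_priority request_creation_time actions_executed redirect_url "
    "error_reason target_port_list target_status_code_list classification "
    "classification_reason"
).split()

TG = "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/web-tg/73e2d6bc24d8a067"

# Constructed sample: one healthy request, two 404s from the same client, a 503 and a 400
# answered by the load balancer itself (target "-"), and a 500 returned by a target.
SAMPLE_LOG = f"""
http 2023-05-01T10:00:00.000001Z app/web-alb/50dc6c495c0c9188 192.0.2.10:51000 10.0.1.5:80 0.000 0.002 0.000 200 200 120 512 "GET http://www.example.com:80/ HTTP/1.1" "curl/7.88.1" - - {TG} "Root=1-6457a3d0-1a2b3c4d5e6f708192a3b4c5" "-" "-" 0 2023-05-01T09:59:59.990000Z "forward" "-" "-" "10.0.1.5:80" "200" "-" "-"
http 2023-05-01T10:00:01.000001Z app/web-alb/50dc6c495c0c9188 198.51.100.7:40001 10.0.1.6:80 0.000 0.001 0.000 404 404 130 310 "GET http://www.example.com:80/wp-login.php HTTP/1.1" "python-requests/2.31" - - {TG} "Root=1-6457a3d1-1a2b3c4d5e6f708192a3b4c6" "-" "-" 0 2023-05-01T10:00:00.990000Z "forward" "-" "-" "10.0.1.6:80" "404" "-" "-"
http 2023-05-01T10:00:02.000001Z app/web-alb/50dc6c495c0c9188 198.51.100.7:40002 10.0.1.5:80 0.000 0.001 0.000 404 404 130 310 "GET http://www.example.com:80/.env HTTP/1.1" "python-requests/2.31" - - {TG} "Root=1-6457a3d2-1a2b3c4d5e6f708192a3b4c7" "-" "-" 0 2023-05-01T10:00:01.990000Z "forward" "-" "-" "10.0.1.5:80" "404" "-" "-"
https 2023-05-01T10:00:03.000001Z app/web-alb/50dc6c495c0c9188 203.0.113.9:55000 - -1 -1 -1 503 - 140 600 "GET https://www.example.com:443/ HTTP/1.1" "Mozilla/5.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 {TG} "Root=1-6457a3d3-1a2b3c4d5e6f708192a3b4c8" "www.example.com" "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012" 0 2023-05-01T10:00:02.990000Z "forward" "-" "-" "-" "-" "-" "-"
http 2023-05-01T10:00:04.000001Z app/web-alb/50dc6c495c0c9188 203.0.113.9:55001 - -1 -1 -1 400 - 60 272 "- - - " "-" - - - "-" "-" "-" - 2023-05-01T10:00:03.990000Z "-" "-" "-" "-" "-" "-" "-"
http 2023-05-01T10:00:05.000001Z app/web-alb/50dc6c495c0c9188 192.0.2.10:51001 10.0.1.6:80 0.000 0.020 0.000 500 500 120 280 "POST http://www.example.com:80/api/order HTTP/1.1" "curl/7.88.1" - - {TG} "Root=1-6457a3d5-1a2b3c4d5e6f708192a3b4c9" "-" "-" 0 2023-05-01T10:00:04.990000Z "forward" "-" "-" "10.0.1.6:80" "500" "-" "-"
""".strip()


def parse_alb_log_line(line: str) -> Dict[str, str]:
    """Split one access-log line into named fields (quoted fields may contain spaces)."""
    tokens = shlex.split(line)
    if len(tokens) < len(FIELDS):
        raise ValueError(f"expected at least {len(FIELDS)} fields, got {len(tokens)}")
    record = dict(zip(FIELDS, tokens))
    record["client_ip"] = record["client_port"].rsplit(":", 1)[0]
    return record


def summarize_errors(lines: Iterable[str]) -> Dict[str, Counter]:
    """Attribute errors to the clients and targets behind them.

    elb_generated counts responses the load balancer produced itself, with no
    target involved; those are what HTTPCode_ELB_4XX_Count / _5XX_Count measure.
    """
    client_4xx: Counter = Counter()
    target_5xx: Counter = Counter()
    elb_generated: Counter = Counter()
    for line in lines:
        if not line.strip():
            continue
        rec = parse_alb_log_line(line)
        code = int(rec["elb_status_code"])
        if code < 400:
            continue
        if code < 500:
            client_4xx[rec["client_ip"]] += 1
        if rec["target_status_code"] == "-":
            elb_generated[code] += 1
        elif code >= 500:
            target_5xx[rec["target_port"]] += 1
    return {"client_4xx": client_4xx, "target_5xx": target_5xx, "elb_generated": elb_generated}


if __name__ == "__main__":
    summary = summarize_errors(SAMPLE_LOG.splitlines())
    print("4xx by client:", summary["client_4xx"].most_common())
    print("5xx by target:", summary["target_5xx"].most_common())
    print("generated by the ALB:", dict(summary["elb_generated"]))
```

Against real logs, download the gzipped objects from the bucket, decompress them, and pass the lines to `summarize_errors`. A 503 with target "-" and a non-empty `elb_generated` count is the signature of a target group with no healthy targets; 4XX counts concentrated on one client IP are the originator the root-cause question asks for.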
Elastic Load Balancing – Monitoring and Logging
Ø CloudTrail:
Ø Can be used to capture API calls to the ELB
Ø Logs can be stored in an S3 bucket
EC2 Auto Scaling – Monitoring
Ø Basic monitoring sends EC2 metrics to CloudWatch about ASG instances every 5 minutes
Ø Detailed monitoring can be enabled and sends metrics every 1 minute (chargeable)
Ø When a launch configuration is created from the console, basic monitoring of EC2 instances is enabled by default
Ø When a launch configuration is created from the CLI or an SDK, detailed monitoring of EC2 instances is enabled by default
Ø Launch templates default to basic monitoring however they are created
Exam Scenarios

Scenario: Design required for a highly available and secure website on EC2 with ALB, and DB on EC2
Solution: Launch the ALB in public subnets, web servers in private subnets and the DB layer in private subnets – all layers across AZs

Scenario: HealthyHostCount metrics for an ALB have dropped from 6 to 2. Need to determine the cause
Solution: The health checks on target EC2 instances are failing

Scenario: An instance attached to an ALB exceeded the UnhealthyThresholdCount for consecutive health check failures. What will happen?
Solution: Health checks will continue and the ALB will take the instance out of service

Scenario: Requirement to track the source IP of clients and the instance that processes the request
Solution: Check the ALB access logs for this information

Scenario: Requirement to trigger an alarm when all instances are unhealthy
Solution: Use an Amazon CloudWatch alarm with the condition "AWS/ApplicationELB HealthyHostCount <= 0"

Scenario: Need to check why users cannot connect to the web server public IP and port (behind ALB)
Solution: Check the VPC Flow Logs

Scenario: HTTPCode_ELB_5XX_Count Amazon CloudWatch metrics are noticed for an ALB
Solution: The target group may not contain any healthy instances

Scenario: CloudWatch shows 4XX errors for an app with ALB but the instances have already been terminated and need to analyze the root cause
Solution: Use the ELB access logs stored in the S3 bucket to find the originators of the requests

Scenario: Need a load balancer where specific static public IP addresses can be whitelisted by clients
Solution: Use a Network Load Balancer (NLB)

Scenario: Poor performance has been experienced for an application running on Amazon EC2
Solution: Use EC2 Auto Scaling to dynamically scale

Scenario: 503 and 504 errors experienced and instances have high CPU utilization
Solution: Use EC2 Auto Scaling to dynamically scale

Scenario: ASG does not launch instances during busy periods despite max capacity not being reached
Solution: Could be due to service limits (check Trusted Advisor), or check for RunInstances requests in CloudTrail in case they are failing

Scenario: Need to analyze instances before they are terminated
Solution: Use Auto Scaling lifecycle hooks to pause termination

Scenario: Auto Scaling scales based on queue depth but at the beginning of the day the app slows down
Solution: Create a scheduled scaling policy

Scenario: Create a highly available EC2 Auto Scaling group for a single-instance app
Solution: Use at least 3 AZs, min size of 2, desired capacity of 2, and max of 2

Scenario: Elastic Beanstalk worker node reads messages from an SQS queue. Auto Scaling scales instances. App slows down when the number of messages in the queue increases
Solution: Update the ASG to scale on queue depth

Scenario: ALB is expecting a large spike in traffic and the application is memory heavy
Solution: Use the RequestCountPerTarget metric to control scaling

Scenario: New instances in an Auto Scaling group are not showing up in the aggregated metrics. Step scaling is used
Solution: Likely due to the warm-up period having not yet expired
SECTION 5
Storage: Amazon EBS, EFS, and AWS Storage Gateway

Amazon Elastic Block Store (EBS) - Block-based Storage

(Diagram: a 1000 GB hard disk drive (HDD) presented to the operating system. Hard drives are block-based storage systems; the OS sees a volume, which can be partitioned and formatted, here as an 800 GB D: volume and a 200 GB E: volume.)
Amazon EBS - HDDs and SSDs

Hard Disk Drive (HDD)
Ø Also known as magnetic drives
Ø Older technology
Ø Much slower than SSD
Ø Much cheaper than SSD

Solid State Drive (SSD)
Ø Uses flash memory
Ø Newer technology
Ø MUCH faster than HDD
Ø More expensive than HDD
Amazon Elastic Block Store (EBS)

(Diagram: an EBS volume in an Availability Zone attached over the network to an EC2 instance, where it appears as /dev/xvdf and is mounted as a volume in the instance OS.)
Ø EBS is a block-based storage system
Ø Volumes are either HDD or SSD
Ø Volumes are attached over a network
Amazon EBS Deployment

(Diagram: EBS volumes and EC2 instances in two Availability Zones.)
Ø EBS volumes are replicated within an AZ
Ø EC2 instances must be in the same AZ as the EBS volume
Ø Limited support for attaching a volume to multiple instances (see Multi-Attach)
Amazon EBS Multi-Attach

(Diagram: a single EBS volume in one Availability Zone attached to three EC2 instances.)
Ø Must be within a single AZ
Ø Must be a Provisioned IOPS volume (io1; io2 is also supported now)
Ø Available for Nitro system-based EC2 instances
Ø Up to 16 instances can be attached to a single volume
Ø The volume is shared as a raw block device: a standard file system such as ext4, XFS or NTFS must not be mounted read-write on more than one instance at a time; use a cluster-aware file system instead
Ø May not be on the exam yet
Amazon EBS
Ø Termination protection (DisableApiTermination) is turned off by default and must be manually enabled; it prevents the instance from being terminated through the console, CLI or API
Ø Root EBS volumes are deleted on termination by default
Ø Extra non-boot volumes are not deleted on termination by default
Ø The behaviour can be changed by altering the "DeleteOnTermination" attribute of the block device mapping (set it to false on the root volume to keep its data after the instance is terminated)
Ø Volume sizes and types can be upgraded without downtime (except for magnetic standard)
Ø Elastic Volumes allow you to increase volume size, adjust performance, or change the volume type while the volume is in use
Amazon EBS Volume Types

Solid State Drives (SSD):

Volume Type | EBS Provisioned IOPS SSD (io1) | EBS General Purpose SSD (gp2)
Short Description | Highest performance SSD volume designed for latency-sensitive transactional workloads | General Purpose SSD volume that balances price performance for a wide variety of transactional workloads
Use Cases | I/O-intensive NoSQL and relational databases | Boot volumes, low-latency interactive apps, dev & test
Volume Size | 4 GB – 16 TB | 1 GB – 16 TB
Max IOPS/Volume | 64,000 | 16,000
Max Throughput/Volume | 1,000 MB/s | 250 MB/s

Hard Disk Drives (HDD):

Volume Type | Throughput Optimized HDD (st1) | Cold HDD (sc1)
Short Description | Low cost HDD volume designed for frequently accessed, throughput intensive workloads | Lowest cost HDD volume designed for less frequently accessed workloads
Use Cases | Big data, data warehouses, log processing | Colder data requiring fewer scans per day
Volume Size | 500 GB – 16 TB | 500 GB – 16 TB
Max IOPS/Volume | 500 | 250
Max Throughput/Volume | 500 MB/s | 250 MB/s

Newer types not shown above: gp3 (3,000 IOPS and 125 MB/s baseline, configurable up to 16,000 IOPS and 1,000 MB/s independently of volume size) and io2.
Amazon EBS Snapshots

(Diagram: a volume attached to an EC2 instance in Availability Zone A is snapshotted to Amazon S3 as Snap A, Snap B and Snap C; a new volume created from a snapshot is attached to an instance in Availability Zone B, within the same Region.)

Take Snapshot, Create AMI, Launch New Instance

(Diagram: a snapshot of the volume in Availability Zone A is stored in Amazon S3, an AMI is created from the snapshot, and a new instance with its own volume is launched from the AMI in Availability Zone B.)
Amazon EBS Copying, Sharing and Encryption

Snapshot copy:
• Unencrypted snapshot → copy: can be encrypted during the copy; can change Region
• Encrypted snapshot → copy: block devices remain encrypted (the copy cannot be made unencrypted); can change encryption key; can change Region

Volume from snapshot:
• Unencrypted snapshot → volume: can be encrypted when the volume is created; can change AZ (same Region)
• Encrypted snapshot → volume: encryption state retained; can change encryption key; can change AZ (same Region)

AMI from snapshot:
• Unencrypted snapshot → unencrypted AMI: can be shared with other accounts; can be shared publicly; an AMI copy can change Regions and change the encryption state (encrypt the copy)
• Encrypted snapshot → encrypted AMI: block devices remain encrypted; cannot be shared publicly; cannot be shared with other accounts if encrypted with the AWS managed key (aws/ebs); an AMI copy can change Regions and change the encryption key
• Encrypted AMI → EC2 instance: can change encryption key at launch; can change AZ
Amazon EBS vs Instance Store

(Diagram: EBS volumes in an Availability Zone are attached over the network to an EC2 host server; instance store volumes are physically attached to the host.)
Amazon EC2 Instance Stores
Ø Instance store volumes are high performance local disks that are physically attached to the host computer on which an EC2 instance runs
Ø Instance stores are ephemeral, which means the data is lost when the instance is stopped, hibernated or terminated, or when the underlying disk fails (non-persistent); data survives a reboot
Ø Instance stores are ideal for temporary storage of information that changes frequently, such as buffers, caches, or scratch data
Ø Instance store volume root devices are created from AMI templates stored on S3
Ø Instance store volumes cannot be detached/reattached
Using RAID with Amazon EBS
Ø RAID stands for Redundant Array of Independent Disks
Ø Not provided by AWS, you must configure it through your operating system
Ø RAID 0 and RAID 1 are potential options on EBS
Ø RAID 5 and RAID 6 are not recommended by AWS (the parity writes consume part of the volume's IOPS)

Ø RAID 0 is used for striping data across disks (performance)
Ø Use 2 or more disks
Ø If one disk fails, the entire RAID set fails

(Diagram: data writes striped across two EBS volumes: Blocks 1, 3, 5 and 7 on the first volume, Blocks 2, 4, 6 and 8 on the second.)

Ø RAID 1 is used for mirroring data across disks (redundancy / fault tolerance)
Ø If one disk fails, the other disk is still working
Ø Data gets sent to 2 EBS volumes at the same time

(Diagram: data writes mirrored to two EBS volumes: Blocks 1–4 written identically to both.)
Amazon EBS Encryption

(Diagram: encrypted volumes C: and D: attached to an EC2 instance as /dev/xvdf.)
Ø Data at rest is encrypted
Ø Data in transit between the instance and the volume is encrypted
Ø Snapshots of encrypted volumes are encrypted
Ø Volumes created from an encrypted snapshot are encrypted
Amazon EBS Encryption
Ø Expect the same IOPS performance on encrypted volumes as on unencrypted volumes
Ø EBS encrypts your volume with a data key using the industry-standard AES-256 algorithm
Ø Your data key is stored on-disk with your encrypted data, but not before EBS encrypts it with your KMS key. Your data key never appears on disk in plaintext
Ø The same data key is shared by snapshots of the volume and any subsequent volumes created from those snapshots
Ø You can share snapshots, but if they're encrypted it must be with a customer managed KMS key (not the AWS managed aws/ebs key), and the key policy must grant the receiving account use of the key
Ø You can check the encryption status of your EBS volumes with AWS Config (managed rule encrypted-volumes)
CloudWatch Metrics for EBS
A few specific metrics to understand for the exam:
Ø DiskReadBytes / DiskWriteBytes:
Ø Relates to Instance Store volumes NOT to EBS
Ø Included in the AWS/EC2 namespace
Ø VolumeReadBytes / VolumeWriteBytes:
Ø Relates to the EBS volume
Ø Included in the AWS/EBS namespace
Amazon Data Lifecycle Manager
Automate the creation, retention, and deletion of EBS snapshots and
EBS-backed AMIs
Ø Protect valuable data by enforcing a regular backup schedule
Ø Create standardized AMIs that can be refreshed at regular intervals
Ø Retain backups as required by auditors or internal compliance
Ø Reduce storage costs by deleting outdated backups
Ø Create disaster recovery backup policies that back up data to
isolated accounts
Network Attached Storage

(Diagram: a Network Attached Storage (NAS) server with a NIC "shares" file systems over the network; the client operating system sees a file system that is mapped to a local drive letter.)
Ø NAS devices are file-based storage systems
Amazon Elastic File System (EFS) Overview

(Diagram: an EFS file system in a VPC with mount targets in two Availability Zones, mounted at /efs-mnt on EC2 instances. Instances in other VPCs connect through VPC peering; on-premises clients in the corporate data center connect over VPN or Direct Connect.)
Ø The NFS protocol (NFSv4) is used
Ø Can simultaneously connect thousands of instances
Ø Can connect instances from other VPCs
Ø On-premises computers can be connected
Ø EFS is only available for Linux instances
Amazon EFS Backups and Lifecycle Management
Ø Automatic backups are enabled by default and use AWS Backup
Ø Lifecycle management moves files that have not been accessed for a period of time to the EFS Infrequent Access storage class
Amazon EFS Performance
Ø There are two performance modes:
Ø "General purpose" – suitable for most use cases
Ø "Max I/O" – scales to higher levels of aggregate throughput and operations per second, at the cost of higher per-operation latency
Ø Throughput modes:
Ø "Bursting" – throughput scales with file system size
Ø "Provisioned" – throughput is fixed at the specified amount
Ø "Elastic" – added later; throughput scales automatically with the workload and is billed per amount of data transferred
Amazon EFS Encryption
Ø EFS offers the ability to encrypt data at rest and in transit
Ø Encryption at rest is selected by default when you create a file system in the EFS console; with the AWS CLI or SDKs you must request it explicitly, and it can only be set at creation time
Ø Encryption keys are managed by the AWS Key Management Service (KMS)
Ø Encryption of data in transit is enabled per mount (TLS) and can be configured together with or separately from encryption at rest
Amazon EFS Access Control
Ø When you create a file system, you create endpoints in your VPC called "mount targets"
Ø The file system's DNS name resolves to a mount target's IP address
Ø You can control file system administration using IAM (user-based and resource-based policies)
Ø You can control the NFS clients' access to file systems with file system policies (resource-based policies)
Ø You can control access to files and directories with POSIX-compliant user and group-level permissions
Ø Mount targets have their own security groups: allow NFS (TCP/2049) inbound only from the security group of the clients that should mount the file system
Amazon Elastic File System (EFS)

(Diagram: an EFS file system in a VPC mounted at /efs-mnt on EC2 instances in two Availability Zones.)

IAM Policy Example - Allow a User to Perform All Amazon EFS Actions
IAM Policy Example - Allow a User to Create a Mount Target and Tags on an Existing File System
IAM Policy Example (resource-based) - Grant Read and Write Access to all IAM Principals
Amazon EFS Encryption

Encryption In Transit
(Diagram: a TLS connection between an EC2 instance and the EFS file system.)
Ø Enabled when mounting the file system: the amazon-efs-utils mount helper with the tls mount option sets up a local stunnel TLS tunnel to the mount target
Ø Can be combined with encryption at rest

Encryption At Rest
Ø Must be enabled at file system creation time
AWS Storage Gateway

AWS Storage Gateway – File Gateway

(Diagram: a server in the corporate data center mounts the file system from a Storage Gateway virtual appliance using NFS or SMB; the gateway stores the files as objects in Amazon S3 in the AWS Cloud.)
Ø A virtual gateway appliance runs on Hyper-V, VMware, or EC2
Ø A local cache provides low latency access to recently used data
Ø Can store data in multiple S3 storage classes: S3 Standard, S3 Standard-IA, S3 One Zone-IA
AWS Storage Gateway – File Gateway

Ø File gateway provides a virtual on-premises file server, which enables you to store
and retrieve files as objects in Amazon S3
Ø Can be used for on-premises applications, and for Amazon EC2-resident
applications that need file storage in S3 for object based workloads
Ø Used for flat files only, stored directly on S3
Ø File gateway offers SMB or NFS-based access to data in Amazon S3 with local
caching
Ø File gateway supports Amazon S3 Standard, S3 Standard – Infrequent Access (S3
Standard – IA) and S3 One Zone – IA
AWS Storage Gateway – Volume Gateway

(Diagram: a server in the corporate data center connects to the Storage Gateway over iSCSI; the gateway stores data in S3 Standard in the AWS Cloud.)

CACHED VOLUME MODE
Ø The entire data set is stored in S3
Ø A cache of the most recently used data is kept on-premises

STORED VOLUME MODE
Ø The entire data set is stored on-premises
Ø Data is asynchronously replicated to AWS and backed up as EBS point-in-time snapshots
AWS Storage Gateway – Volume Gateway
Ø The volume gateway represents the family of gateways that support block-based volumes, previously
referred to as gateway-cached and gateway-stored modes
Ø Block storage – iSCSI based
Ø Cached Volume mode – the entire dataset is stored on S3 and a cache of the most frequently
accessed data is cached on-site
Ø Stored Volume mode – the entire dataset is stored on-site and is asynchronously backed up to S3
(EBS point-in-time snapshots). Snapshots are incremental and compressed
Ø Each volume gateway can support up to 32 volumes
Ø In cached mode, each volume can be up to 32 TB for a maximum of 1 PB of data per gateway (32
volumes, each 32 TB in size)
Ø In stored mode, each volume can be up to 16 TB for a maximum of 512 TB of data per gateway (32
volumes, each 16 TB in size)
AWS Storage Gateway – Tape Gateway

(Diagram: a backup server in the corporate data center writes to virtual tapes on the Storage Gateway over iSCSI.)
Ø The backup server can use many common backup applications
Ø S3 Standard is used while writing to tapes
Ø Once tapes are ejected from the backup app, they are archived to S3 Glacier or S3 Glacier Deep Archive
AWS Storage Gateway – Tape Gateway
Ø Used for backup with popular backup software
Ø Each gateway is preconfigured with a media changer and tape drives. Supported by NetBackup, Backup Exec, Veeam etc.
Ø When creating virtual tapes, you select one of the following sizes: 100 GB, 200 GB, 400 GB, 800 GB, 1.5 TB, and 2.5 TB
Ø A tape gateway can have up to 1,500 virtual tapes with a maximum aggregate capacity of 1 PB
Ø All data transferred between the gateway and AWS storage is encrypted using TLS
Ø All data stored by the tape gateway in S3 is encrypted server-side with Amazon S3-Managed Encryption Keys (SSE-S3)
Exam Scenarios

Scenario: User deleted some data in an Amazon EBS volume and there's a recent snapshot
Solution: Create a new EBS volume from the snapshot, attach it to an instance and copy the deleted file across

Scenario: EBS volume runs out of space and need to prevent it happening again
Solution: Use the CloudWatch agent on EC2 and monitor disk metrics with a CloudWatch alarm

Scenario: Most cost-effective option for a big data app that stores sequentially and has infrequent access
Solution: Cold HDD (sc1)

Scenario: EBS volume capacity is increased but cannot see the space
Solution: Need to extend the volume's partition and file system (e.g. growpart followed by resize2fs or xfs_growfs on Linux) to gain access to the extra space

Scenario: Need to replace user-shared drives. Must support POSIX permissions and NFS protocols and be accessible from on-premises servers and EC2
Solution: Use Amazon EFS

Scenario: Low latency access required for image files in an office location with synchronized backup to an offsite location. Local access required and disaster recovery
Solution: Use an AWS Storage Gateway volume gateway configured as a stored volume

Scenario: Performance issues with iSCSI drives in a volume gateway. CacheHitPercent metric is below 55% and CachePercentUsed is above 95%
Solution: Add a larger disk to the gateway and select it as cache storage in the management console

Scenario: Tape archival system needs replacement
Solution: Use an AWS Storage Gateway tape gateway
SECTION 6
Operations: AWS Systems Manager and OpsWorks

AWS Systems Manager
Ø AWS Systems Manager provides a unified interface through which you can view operational data from multiple AWS services
Ø With Systems Manager, you can group resources by application, view operational data for monitoring and troubleshooting, and take action on your groups of resources
Ø Manages many AWS resources including Amazon EC2, Amazon S3, Amazon RDS etc.
Ø You can create logical groups of resources such as applications, different layers of an application stack, or production vs development environments
Ø Systems Manager components (in scope for the exam):
Ø Automation
Ø Run Command
Ø Inventory
Ø Patch Manager
Ø Session Manager
Ø Parameter Store
AWS Tags

Ø A tag is a label that you assign to an AWS resource


Ø Each tag consists of a key and an optional value
Ø Tags enable you to categorize your AWS resources in different ways, for
example, by purpose, owner, or environment
AWS Resource Groups

Ø Resource groups can be used to organize AWS resources


Ø Resource groups make it easier to manage and automate tasks on large
numbers of resources at one time
AWS Systems Manager – Automation
Ø Automates IT operations and management tasks across AWS resources
Ø Documents define the actions to perform (YAML or JSON)
(Diagram: an Automation document runs against Amazon RDS; this automation takes a snapshot of an RDS DB instance.)

AWS Systems Manager – Run Command
Ø Runs commands on managed EC2 instances
Ø Document types include command, automation, package etc.
(Diagram: a Run Command document runs against Amazon EC2; this command checks for missing updates.)

AWS Systems Manager – Inventory
Ø Collects metadata from your managed instances, such as installed applications, operating system details and network configuration
AWS Systems Manager – Patch Manager
Ø AWS Systems Manager helps you select and deploy operating system and software patches automatically across large groups of Amazon EC2 or on-premises instances
Ø Patch baselines:
Ø Set rules to auto-approve select categories of patches to be installed
Ø Specify a list of patches that override these rules and are automatically approved or rejected
Ø You can also schedule maintenance windows for your patches so that they are only applied during predefined times
Ø Systems Manager helps ensure that your software is up-to-date and meets your compliance policies
AWS Systems Manager – Configuration Compliance

Ø AWS Systems Manager lets you scan your managed instances for patch
compliance and configuration inconsistencies
Ø You can collect and aggregate data from multiple AWS accounts and
Regions, and then drill down into specific resources that aren’t
compliant
Ø By default, AWS Systems Manager displays data about patching and
associations
Ø You can also customize the service and create your own compliance
types based on your requirements (must use the AWS CLI, AWS Tools for
Windows PowerShell, or the SDKs)
AWS Systems Manager – Session Manager
Ø Secure remote management of your instances at scale without logging in to your servers
Ø Replaces the need for bastion hosts, SSH, or remote PowerShell
Ø Doesn't require inbound port 22 or 5985/5986 to be open: the SSM Agent makes outbound connections to the Systems Manager endpoints
Ø Integrates with AWS Identity and Access Management (IAM) for granular permissions
Ø All actions taken with Systems Manager are recorded by AWS CloudTrail
Ø Can store session logs in an Amazon S3 bucket (optional encryption)
Ø Can send session output to CloudWatch Logs (optional encryption)
Ø Requires an IAM instance profile that allows the EC2 instance to access SSM, and S3 / CloudWatch Logs if session logging is used
Ø Works with Amazon EC2 Linux and Windows instances (the SSM Agent must be installed and running)
AWS Systems Manager Parameter Store
Ø AWS Systems Manager Parameter Store provides secure, hierarchical storage for configuration data management and secrets management
Ø It is highly scalable, available, and durable
Ø You can store data such as passwords, database strings, and license codes as parameter values
Ø You can store values as plaintext (unencrypted data) or ciphertext (encrypted data, the SecureString type backed by KMS)
Ø You can then reference values by using the unique name that you specified when you created the parameter
(Diagram: an EC2 instance or an AWS Lambda function retrieves a database connection string from Parameter Store and uses it to connect to Amazon RDS.)
Ø No native rotation of secrets (difference with AWS Secrets Manager, which rotates automatically)
Ø There are two tiers:
Ø Standard – limit of 10,000 parameters, up to 4 KB each, no additional charges
Ø Advanced – more than 10,000 parameters (up to 100,000), up to 8 KB each, charges apply
AWS Secrets Manager
Ø Stores and rotates secrets safely without the need for code deployments
Ø Secrets Manager offers automatic rotation of credentials (built-in) for:
Ø Amazon RDS (MySQL, PostgreSQL, and Amazon Aurora)
Ø Amazon Redshift
Ø Amazon DocumentDB
Ø For other services you can write your own AWS Lambda function for automatic rotation
(Diagram: Secrets Manager invokes a rotation Lambda function that periodically rotates the credentials stored for Amazon RDS.)
AWS Secrets Manager vs SSM Parameter Store

Feature | Secrets Manager | SSM Parameter Store
Automatic secret rotation | Yes, built-in for some services, use Lambda for others | No native rotation
Value type | Encrypted only | String, StringList, SecureString (encrypted)
Change history | Secret versions only (staging labels such as AWSCURRENT and AWSPREVIOUS) | Yes (parameter history, up to 100 versions)
Price | Charges apply per secret and per API call | Free for standard, charges for advanced
AWS OpsWorks
Ø AWS OpsWorks is a configuration management service that provides managed instances of Chef and Puppet
Ø Updates include patching, updating, backup, configuration and compliance management
(Diagram: a SysOps admin submits configuration changes to OpsWorks, and OpsWorks configures the instances using Chef/Puppet.)
Ø AWS has since announced end of life for OpsWorks; check the current AWS documentation before building on it
Exam Scenarios

Exam Scenario: Application running on EC2 needs login credentials for a DB that are stored as secure strings in SSM Parameter Store
Solution: Create an IAM role for the instance and grant permission to read the parameters

Exam Scenario: Linux instances are patched with Systems Manager Patch Manager. Application slows down whilst updates are happening
Solution: Change maintenance window to patch 10% of instances in the patch group at a time

Exam Scenario: Custom Linux AMI used with AWS Systems Manager. Can't find instances in Session Manager console
Solution: Need to add permissions to instance profile and install the SSM agent on the instances
Exam Scenarios

Exam Scenario: Multiple environments require authentication credentials for external service. Deployed using CloudFormation template
Solution: Store credentials in SSM Parameter Store and pass an environment tag as a parameter in CloudFormation

Exam Scenario: IAM access keys used to manage EC2 instances using the CLI. Company policy mandates that access keys are automatically disabled after 60 days
Solution: Use an AWS Config rule to identify noncompliant keys. Create a custom AWS Systems Manager Automation document for remediation
SECTION 7
Automation: AWS Elastic Beanstalk
AWS Elastic Beanstalk
[Diagram: a developer uploads source code in a ZIP file to AWS Elastic Beanstalk; everything within the EB environment (an Application Load Balancer and an Auto Scaling group of instances in public subnets across two Availability Zones of a VPC in a Region) is launched and managed by EB; clients connect through the load balancer]
AWS Elastic Beanstalk
There are several layers:
Applications:
Ø Contain environments, environment configurations, and application versions
Ø You can have multiple application versions held within an application
AWS Elastic Beanstalk
Application version:
Ø A specific reference to a section of deployable code
Ø The application version will typically point to an Amazon S3 bucket containing the code
[Diagram: an application holds Version 1 to Version 4, each stored in an S3 bucket; versions can be applied to any environment]
AWS Elastic Beanstalk
Environments:
Ø An application version that has been deployed on AWS resources
Ø The resources are configured and provisioned by AWS Elastic Beanstalk
Ø The environment is comprised of all the resources created by Elastic Beanstalk and not just an EC2 instance with your uploaded code
[Diagram: the application contains DEVELOPMENT and PRODUCTION environments; Version 1 to Version 4 in the S3 bucket can be applied to any environment]
AWS Elastic Beanstalk – Create Single Environment
[Diagram: the administrator launches a single environment (a web server) within an Elastic Beanstalk application]
AWS Elastic Beanstalk – Troubleshooting errors
[Diagram: the administrator uploads a new version of the code to the environment and an error occurs]
AWS Elastic Beanstalk – Upload Prod App v1
[Diagram: the administrator uploads a working code version, Prod App v1, to the environment]
AWS Elastic Beanstalk Deployment Policies
Ø All at once:
Ø Deploys the new version to all instances simultaneously
Ø Rolling:
Ø Update a batch of instances, and then move onto the next batch once the first batch is
healthy
Ø Rolling with additional batch:
Ø Like Rolling but launches new instances in a batch ensuring that there is full availability
Ø Immutable:
Ø Launches new instances in a new ASG and deploys the version update to these instances
before swapping traffic to these instances once healthy
Ø Blue/green:
Ø Create a new "stage" environment and deploy updates there
AWS Elastic Beanstalk – All at Once Update
[Diagram: application versions Version 1 and Version 2; the update to Version 2 is applied to all instances in the environment simultaneously]
AWS Elastic Beanstalk – All at Once Update
Ø Deploys the new version to all instances simultaneously
Ø All of your instances are out of service while the deployment takes place
Ø Fastest deployment
Ø Good for quick iterations in development environment
Ø You will experience an outage while the deployment is taking place - not ideal for mission-critical
systems
Ø If the update fails, you need to roll back the changes by re-deploying the original version to all of
your instances
Ø No additional cost
AWS Elastic Beanstalk – Rolling Update
[Diagram: application versions Version 1 and Version 2; the update is applied to a batch of the environment's instances while the remaining instances keep running Version 1]
AWS Elastic Beanstalk – Rolling Update
Ø Update a few instances at a time (batch), and then move onto the next batch once the first batch
is healthy (downtime for 1 batch at a time)
Ø Application is running both versions simultaneously
Ø Each batch of instances is taken out of service while the deployment takes place
Ø Your environment capacity will be reduced by the number of instances in a batch while the
deployment takes place
Ø Not ideal for performance-sensitive systems
Ø If the update fails, you need to perform an additional rolling update to roll back the changes.
Ø No additional cost
Ø Long deployment time
AWS Elastic Beanstalk – Rolling with Additional Batch Update
[Diagram: application versions Version 1 and Version 2; an additional batch of new instances running Version 2 is launched alongside the existing instances in the environment]
AWS Elastic Beanstalk – Rolling with Additional Batch Update
Ø Like Rolling but launches new instances in a batch ensuring that there is full availability.
Ø Application is running at capacity
Ø Can set the batch size
Ø Application is running both versions simultaneously
Ø Small additional cost
Ø Additional batch is removed at the end of the deployment
Ø Longer deployment
Ø Good for production environments
AWS Elastic Beanstalk – Immutable Update
[Diagram: application versions Version 1 and Version 2; the environment contains two Auto Scaling groups, the existing one running Version 1 and a new one running Version 2]
AWS Elastic Beanstalk – Immutable Update
Ø Launches new instances in a new ASG and deploys the version update to these instances before
swapping traffic to these instances once healthy
Ø Zero downtime
Ø New code is deployed to new instances using an ASG
Ø High cost as double the number of instances running during updates
Ø Longest deployment
Ø Quick rollback in case of failures
Ø Great for production environments
AWS Elastic Beanstalk – Blue/green
[Diagram: Amazon Route 53 sends 80% of traffic to the existing environment (instances running V1) and 20% to a new environment (instances running V2)]
AWS Elastic Beanstalk – Blue/Green Update
Ø This is not a feature within Elastic Beanstalk
Ø You create a new "staging" environment and deploy updates there
Ø The new environment (green) can be validated independently and you can roll back if there are
issues
Ø Route 53 can be set up using weighted policies to redirect a percentage of traffic to the staging environment
Ø Using Elastic Beanstalk, you can "swap URLs" when done with the environment test
Ø Zero downtime
AWS Elastic Beanstalk - Multiple Environments
[Diagram: the administrator creates an additional environment for the Dev App v2 alongside the App v1 environment; URLs can be swapped from the AWS Elastic Beanstalk console]
App v1 Environment (Web Server): mynodeapp-prod.eba-yphz4gg2.ap-southeast-2.elasticbeanstalk.com
App v2 Environment (Web Server): mynodeapp-dev.eba-yphz4gg2.ap-southeast-2.elasticbeanstalk.com
AWS Elastic Beanstalk - Multiple Environments
[Diagram: after swapping URLs from the AWS Elastic Beanstalk console, the Prod App v2 environment serves the production URL]
App v1 Environment (Web Server): mynodeapp-dev.eba-yphz4gg2.ap-southeast-2.elasticbeanstalk.com
App v2 Environment (Web Server): mynodeapp-prod.eba-yphz4gg2.ap-southeast-2.elasticbeanstalk.com
AWS Elastic Beanstalk Web Servers and Workers
[Diagram: inbound traffic on port 80/443 reaches the Web Server Environment; the web server places a message in an Amazon Simple Queue Service queue; the Worker in the Worker Environment polls the queue]
AWS Elastic Beanstalk Environment Tiers
Ø Determines how Elastic Beanstalk provisions resources based on what
the application is designed to do
Ø Consists of Web Servers and Workers:
Ø Web servers are standard applications that listen for and then
process HTTP requests, typically over port 80
Ø Workers are specialized applications that have a background
processing task that listens for messages on an Amazon SQS queue.
Ø Workers should be used for long-running tasks
AWS Elastic Beanstalk – High Availability
[Diagram: an Elastic Beanstalk environment in a VPC with an Application Load Balancer and an Auto Scaling group of instances in public subnets across two Availability Zones of a Region]
SECTION 8
Infrastructure Automation: AWS CloudFormation
AWS CloudFormation
Ø AWS CloudFormation is a service that
allows you to manage, configure and
provision your AWS infrastructure as
code
Ø AWS CloudFormation provides a
common language for you to describe
and provision all the infrastructure
resources in your cloud environment
Ø Resources are defined using a
CloudFormation template
AWS CloudFormation
Ø CloudFormation can be used to provision a
broad range of AWS resources
Ø Think of CloudFormation as deploying
infrastructure as code
AWS CloudFormation – Key Benefits
Ø Infrastructure is provisioned consistently, with fewer mistakes
(human error)
Ø Less time and effort than configuring resources manually
Ø You can use version control and peer review for your
CloudFormation templates
Ø Free to use (you're only charged for the resources provisioned)
Ø Can be used to manage updates and dependencies
Ø Can be used to rollback and delete the entire stack as well
AWS CloudFormation – Key Concepts

Templates: The JSON or YAML text file that contains the instructions for building out the AWS environment
Stacks: The entire environment described by the template and created, updated, and deleted as a single unit
StackSets: AWS CloudFormation StackSets extends the functionality of stacks by enabling you to create, update, or delete stacks across multiple accounts and regions with a single operation
Change Sets: A summary of proposed changes to your stack that will allow you to see how those changes might impact your existing resources before implementing them
AWS CloudFormation – Templates
Ø A template is a YAML or JSON template used to describe the end-
state of the infrastructure you are either provisioning or changing
Ø After creating the template, you upload it to CloudFormation
directly or using Amazon S3
Ø CloudFormation reads the template and makes the API calls on your
behalf.
Ø The resulting resources are called a "Stack"
Ø Logical IDs are used to reference resources within the template
Ø Physical IDs identify resources outside of AWS CloudFormation
templates, but only after the resources have been created
AWS CloudFormation – Stacks
Ø Deployed resources based on templates
Ø Create, update and delete stacks using templates
Ø Deployed through the Management Console, CLI or APIs
Ø Stack creation errors:
Ø Automatic rollback on error is enabled by default
Ø You will be charged for resources provisioned even if there is
an error
AWS CloudFormation – StackSets
Ø AWS CloudFormation StackSets extends the functionality of stacks by
enabling you to create, update, or delete stacks across multiple accounts
and regions with a single operation
Ø Using an administrator account, you define and manage an AWS
CloudFormation template, and use the template as the basis for provisioning
stacks into selected target accounts across specified regions
Ø An administrator account is the AWS account in which you create stack sets.
Ø A stack set is managed by signing into the AWS administrator account in
which it was created
Ø A target account is the account into which you create, update, or delete one
or more stacks in your stack set
Intrinsic Functions - Ref
Ø The intrinsic function Ref returns the value of the specified parameter or resource
Ø When you specify a parameter’s logical name, it returns the value of the parameter
Ø When you specify a resource’s logical name, it returns a value that you can typically
use to refer to that resource, such as a physical ID
Ø The following resource declaration for an Elastic IP address needs the instance ID of
an EC2 instance and uses the Ref function to specify the instance ID of the
MyEC2Instance resource:
Intrinsic Functions - Fn::FindInMap
Ø The intrinsic function Fn::FindInMap returns the value
corresponding to keys in a two-level map that is declared in
the Mappings section
Ø Full syntax (YAML): Fn::FindInMap: [ MapName, TopLevelKey,
SecondLevelKey ]
Ø Short form (YAML): !FindInMap [ MapName, TopLevelKey,
SecondLevelKey ]
Intrinsic Functions - Fn::FindInMap
Ø The following example shows how to use Fn::FindInMap for a template with a
Mappings section that contains a single map, RegionMap, that associates
AMIs with AWS regions:
AWS CloudFormation – Resources
Ø Resources - the required Resources section declares the AWS
resources that you want to include in the stack, such as an Amazon
EC2 instance or an Amazon S3 bucket
Ø Mandatory
Ø Resources are declared and can reference each other
AWS CloudFormation – Parameters
Ø Parameters – use the optional Parameters section to customize
your templates
Ø Parameters enable you to input custom values to your template
each time you create or update a stack
Ø Useful for template reuse
AWS CloudFormation – Mappings
Ø Mappings – the optional Mappings section matches a key to a
corresponding set of named values

Ø Exam tip: with mappings you can, for example, set values based on a region. You can create a mapping that uses the region name as a key and contains the values you want to specify for each specific region
AWS CloudFormation – Outputs
Ø Outputs – the optional Outputs section declares output values that
you can import into other stacks (to create cross-stack references),
return in response (to describe stack calls), or view on the AWS
CloudFormation console
Ø In the following example YAML code, the output named StackVPC
returns the ID of a VPC, and then exports the value for cross-stack
referencing with the name VPCID appended to the stack’s name
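A worked illustration of how the Ref, Fn::FindInMap and Fn::Sub references described in the slides above are resolved. This is an added example, not AWS code or code from the course: the template (written in JSON form as a Python dict), the parameter values, the region names, the stack name and the physical IDs are constructed sample data, and the resolver is a hypothetical simplification of what CloudFormation does. It also reproduces the exam scenario in which a working template is run in a region that RegionMap does not cover.

```python
"""Toy resolver for the CloudFormation intrinsic functions Ref, Fn::FindInMap
and Fn::Sub (added example only, not AWS code). The template, parameter
values, region names, stack name and physical IDs are constructed sample data.
"""
import re

# Constructed sample template in JSON form (a Python dict) using the
# Parameters, Mappings, Resources and Outputs sections from the slides.
TEMPLATE = {
    "Parameters": {"InstanceType": {"Type": "String", "Default": "t3.micro"}},
    "Mappings": {
        # Placeholder AMI IDs keyed by region; a real RegionMap holds real IDs.
        "RegionMap": {
            "us-east-1": {"AMI": "ami-EXAMPLE-USE1"},
            "eu-west-1": {"AMI": "ami-EXAMPLE-EUW1"},
        }
    },
    "Resources": {
        "MyVPC": {"Type": "AWS::EC2::VPC",
                  "Properties": {"CidrBlock": "10.0.0.0/16"}},
        "MyEC2Instance": {"Type": "AWS::EC2::Instance", "Properties": {
            "ImageId": {"Fn::FindInMap": ["RegionMap", {"Ref": "AWS::Region"}, "AMI"]},
            "InstanceType": {"Ref": "InstanceType"}}},
        # The Elastic IP needs the instance ID, so it uses Ref on the instance.
        "MyEIP": {"Type": "AWS::EC2::EIP",
                  "Properties": {"InstanceId": {"Ref": "MyEC2Instance"}}},
    },
    "Outputs": {"StackVPC": {
        "Value": {"Ref": "MyVPC"},
        "Export": {"Name": {"Fn::Sub": "${AWS::StackName}-VPCID"}}}},
}


class TemplateError(Exception):
    """The kind of error CloudFormation reports before rolling the stack back."""


def ref(name, ctx):
    """Ref: pseudo parameter, template parameter (or its Default), or a
    resource's physical ID (available only once the resource is created)."""
    tpl = ctx["template"]
    if name in ctx["pseudo"]:
        return ctx["pseudo"][name]
    if name in tpl.get("Parameters", {}):
        return ctx["params"].get(name, tpl["Parameters"][name].get("Default"))
    if name in tpl.get("Resources", {}):
        if name not in ctx["physical"]:
            raise TemplateError(f"{name} referenced before it was created")
        return ctx["physical"][name]
    raise TemplateError(f"Unresolved Ref: {name}")


def resolve(node, ctx):
    """Recursively replace intrinsic functions in node with concrete values."""
    if isinstance(node, dict) and len(node) == 1:
        key, arg = next(iter(node.items()))
        if key == "Ref":
            return ref(arg, ctx)
        if key == "Fn::FindInMap":  # [MapName, TopLevelKey, SecondLevelKey]
            map_name, top, second = (resolve(a, ctx) for a in arg)
            try:
                return ctx["template"]["Mappings"][map_name][top][second]
            except KeyError:
                raise TemplateError(f"{map_name} has no value for [{top}, {second}]") from None
        if key == "Fn::Sub":  # replace each ${Name} with Ref(Name)
            return re.sub(r"\$\{([^}]+)\}", lambda m: str(ref(m.group(1), ctx)), arg)
    if isinstance(node, dict):
        return {k: resolve(v, ctx) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve(v, ctx) for v in node]
    return node


def render_stack(template, params, region, stack_name, physical_ids):
    """Resolve every resource's Properties and every Output for one stack.

    physical_ids maps logical IDs to the IDs the resources get when created
    (constructed here; CloudFormation assigns them during stack creation).
    """
    ctx = {"template": template, "params": params, "physical": physical_ids,
           "pseudo": {"AWS::Region": region, "AWS::StackName": stack_name}}
    resources = {lid: resolve(res["Properties"], ctx)
                 for lid, res in template["Resources"].items()}
    outputs = {oid: resolve(out, ctx) for oid, out in template["Outputs"].items()}
    return {"Resources": resources, "Outputs": outputs}


if __name__ == "__main__":
    ids = {"MyVPC": "vpc-0EXAMPLE", "MyEC2Instance": "i-0EXAMPLE"}
    print(render_stack(TEMPLATE, {}, "us-east-1", "prod", ids))
    try:  # the same template in a region that RegionMap does not cover
        render_stack(TEMPLATE, {}, "ap-southeast-2", "prod", ids)
    except TemplateError as err:
        print("stack creation would fail and roll back:", err)
```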
AWS CloudFormation – Nested Stacks
Ø Nested stacks allow re-use of CloudFormation
code for common use cases
Ø For example standard configuration for a load
balancer, web server, application server etc.
Ø Instead of copying out the code each time,
create a standard template for each common
use case and reference from within your
CloudFormation template
AWS CloudFormation – Change Sets
Ø AWS CloudFormation provides two methods for updating stacks:
direct update or creating and executing change sets
Ø When you directly update a stack, you submit changes and AWS
CloudFormation immediately deploys them
Ø Use direct updates when you want to quickly deploy your updates
Ø With change sets, you can preview the changes AWS
CloudFormation will make to your stack, and then decide whether to
apply those changes
AWS CloudFormation – Drift Detection
Ø Drift detection detects whether a stack's actual configuration differs, or has drifted, from its expected configuration
Ø You can perform drift detection on stacks with the following statuses: CREATE_COMPLETE, UPDATE_COMPLETE, UPDATE_ROLLBACK_COMPLETE, and UPDATE_ROLLBACK_FAILED
AWS CloudFormation – UserData Property
Ø User data can be included in a CloudFormation template
Ø The script is passed into Fn::Base64
Ø The user data script logs are stored in /var/log/cloud-init-output.log
AWS CloudFormation – Helper Scripts (cfn-init)
The cfn-init helper script reads template metadata from the
AWS::CloudFormation::Init key and acts accordingly to:
Ø Fetch and parse metadata from AWS CloudFormation
Ø Install packages
Ø Write files to disk
Ø Enable/disable and start/stop services
Ø Logs go to /var/log/cfn-init.log
AWS CloudFormation – Helper Scripts (cfn-init)
Ø To install the applications the UserData property and Metadata
property can be added to a template
AWS CloudFormation – Helper Scripts (cfn-signal)
Ø The cfn-signal helper script signals AWS CloudFormation to indicate whether
Amazon EC2 instances have been successfully created or updated
Ø After installing software on EC2 instances, you can signal AWS
CloudFormation when those software applications are ready
Ø You use the cfn-signal script in conjunction with a CreationPolicy or an Auto
Scaling group with a WaitOnResourceSignals update policy
AWS CloudFormation – Helper Scripts (cfn-signal)
Ø In the UserData property, the template runs the cfn-signal script to send a
success signal with an exit code if all the services are configured and started
successfully
AWS CloudFormation – Helper Scripts (cfn-init and cfn-signal)
Troubleshooting errors:
Ø Make sure the AMI has the CloudFormation helper scripts included
Ø Check that the cfn-init and cfn-signal commands have run successfully
AWS CloudFormation – CreationPolicy
Ø Use the CreationPolicy attribute when you want to wait on resource
configuration actions before stack creation proceeds
Ø You can associate the CreationPolicy attribute with a resource to prevent its
status from reaching create complete until AWS CloudFormation receives a
specified number of success signals or the timeout period is exceeded.
Ø To signal a resource, you can use the cfn-signal helper script
or SignalResource API
Ø AWS CloudFormation publishes valid signals to the stack events so that you
track the number of signals sent
AWS CloudFormation – CreationPolicy
The following CloudFormation resources support creation policies:
Ø AWS::AutoScaling::AutoScalingGroup
Ø AWS::EC2::Instance
Ø AWS::CloudFormation::WaitCondition
AWS CloudFormation – DeletionPolicy
Ø With the DeletionPolicy attribute you can preserve or (in some cases) backup
a resource when its stack is deleted.
Ø You specify a DeletionPolicy attribute for each resource that you want to
control
Ø If a resource has no DeletionPolicy attribute, AWS CloudFormation deletes
the resource by default
Ø Deletion policies can be specified as:
Ø DeletionPolicy=Retain – preserves the resources
Ø DeletionPolicy=Snapshot – takes a snapshot (e.g. for EC2, ElastiCache,
RDS)
Ø DeletionPolicy=Delete – default, attempts to delete the resources
AWS CloudFormation – DependsOn
Ø With the DependsOn attribute you can specify that the creation of a specific
resource follows another
Ø When you add a DependsOn attribute to a resource, that resource is created
only after the creation of the resource specified in the DependsOn attribute
AWS CloudFormation – WaitCondition
Ø Use a WaitCondition to ensure resources are ready
Ø You can use a wait condition for situations like the following:
Ø To coordinate stack resource creation with configuration actions that are
external to the stack creation
Ø To track the status of a configuration process
Ø Note: For Amazon EC2 and Auto Scaling resources, AWS recommends that
you use a CreationPolicy attribute instead of wait conditions
AWS CloudFormation – UpdatePolicy and UpdateReplacePolicy
Ø Use the UpdatePolicy attribute to specify how AWS CloudFormation handles
updates to the following resources:
Ø AWS::AutoScaling::AutoScalingGroup,
Ø AWS::ElastiCache::ReplicationGroup
Ø AWS::Elasticsearch::Domain
Ø AWS::Lambda::Alias
Ø Use the UpdateReplacePolicy attribute to retain or (in some cases) backup
the existing physical instance of a resource when it is replaced during a stack
update operation
AWS CloudFormation – Rollbacks and Stack Creation Failures
Stack creation failures:
Ø By default everything will be deleted
Ø Can modify the OnFailure attribute for a stack
Ø OnFailure must be one of:
Ø DO_NOTHING – leaves the resources in place (good for
troubleshooting)
Ø ROLLBACK – rolls the stack back
Ø DELETE – deletes the resources
AWS CloudFormation – Rollbacks and Stack Creation Failures
Stack update failures:
Ø A stack goes into the UPDATE_ROLLBACK_FAILED state when AWS
CloudFormation cannot roll back all changes during an update
Ø The stack will automatically roll back to the previous known working state
Ø When a stack is in the UPDATE_ROLLBACK_FAILED state, you can continue
to roll it back to a working state (UPDATE_ROLLBACK_COMPLETE)
Ø You can't update a stack that is in the UPDATE_ROLLBACK_FAILED state
Ø However, if you can continue to roll it back, you can return the stack to its
original settings and then try to update it again
Exam Scenarios

Exam Scenario: Need to review updates to a CloudFormation stack before deploying them in production
Solution: Use change sets

Exam Scenario: Stack deployed and manual changes were made. Need to capture changes and update template
Solution: Use drift detection and use output to update template and redeploy the stack

Exam Scenario: Need to update new version of app on EC2 and ALB. Must avoid DNS changes and be able to rollback
Solution: Update template with AutoScalingReplacingUpdate policy and perform an update

Exam Scenario: Need to write a single template that can be deployed across several environments / Region
Solution: Use parameters to enter custom values and use Ref intrinsic function to reference the parameter

Exam Scenario: Tried to launch instance in a different region from a working template and it fails
Solution: Probably due to incorrect AMI ID
Exam Scenarios

Exam Scenario: CloudFormation stack created for first time and fails with ROLLBACK_COMPLETE status
Solution: To continue administrator must relaunch the template to create a new stack

Exam Scenario: Template for infrastructure in one region used to deploy in another and fails
Solution: Template likely referenced an AMI that doesn't exist in the new region and/or services that don't exist

Exam Scenario: CloudFormation stack fails and returns UPDATE_ROLLBACK_FAILED
Solution: Fix the error that caused the rollback to fail and then select "Continue update rollback" in the console

Exam Scenario: Need to deploy a single CloudFormation template across multiple accounts
Solution: Use StackSets

Exam Scenario: CloudFormation deploys stack with separate VPC for each app. Fails to deploy
Solution: May have reached the default limit for VPCs in the account
Exam Scenarios

Exam Scenario: Would like to manually address any issues with CloudFormation stack creation
Solution: Set the OnFailure parameter to "DO_NOTHING"

Exam Scenario: CloudFormation fails with "The image id '[ami-2a69aa47]' does not exist"
Solution: Most likely the template is being run in a different region where the AMI does not exist

Exam Scenario: When creating a stack a wait condition error is experienced: "received 0 signals out of the 1 expected from the EC2 instance"
Solution: Check instance has a route through NAT device and in the cfn logs confirm that the cfn-signal command ran successfully
SECTION 9
Networking: Amazon Virtual Private Cloud (VPC)
Amazon Virtual Private Cloud (VPC)
[Diagram: a VPC is a logically isolated portion of the AWS cloud within a region; subnets (a public subnet and a private subnet) are created within Availability Zones; you can launch virtual servers (EC2 instances) into your VPC subnets; the route table is used to configure the VPC router; an Internet Gateway is used to connect to the Internet]
Main Route Table
Destination      Target
172.31.0.0/16    Local
0.0.0.0/0        igw-id
Multiple VPCs
[Diagram: two VPCs in a Region, one with CIDR 172.31.0.0/16 and one with CIDR 10.0.0.0/16, each with a public subnet and a private subnet in each of two Availability Zones]
Ø Each VPC has a different block of IP addresses
Ø CIDR stands for Classless Interdomain Routing
Ø Each subnet has a block of IP addresses from the CIDR block
Ø You can create multiple VPCs within each region
AWS Public and Private Services
[Diagram: public services (Amazon DynamoDB, Amazon S3, Amazon Route 53, Amazon CloudFront) have public IP addresses / endpoints and are reached over the public Internet; private services (EC2 instances, Amazon RDS, Amazon Elastic File System) can have public IP addresses but exist within the VPC's public and private subnets; the VPC reaches the Internet through an internet gateway]
Availability Zone IDs (AZ ID)
Ø Availability Zones are mapped differently across accounts
Ø For example, us-east-1a may map to a different location across
two different accounts
Ø To identify exactly where your resources are running, use the AZ ID
Ø For example, us-east-1a maps to the AZ ID use1-az1
Amazon VPC – CIDR Blocks and IP Subnets
Ø When you create a VPC, you must specify a range of IPv4 addresses for the VPC
in the form of a Classless Inter-Domain Routing (CIDR) block

Ø You can then define ranges of IP addresses within the VPC CIDR that can be
assigned to subnets. AWS resources obtain addresses from these IP ranges
Amazon VPC – CIDR Blocks and IP Subnets
Ø AWS recommends that CIDR blocks of /16 or smaller are used
Ø It is recommended these come from the private IP ranges specified in RFC 1918
Ø 10.0.0.0 - 10.255.255.255 (10/8 prefix)
Ø 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
Ø 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
Ø However, it is possible to create a VPC with a publicly routable CIDR block
Ø The allowed block size is between a /28 netmask and a /16 netmask
Ø The CIDR blocks of the subnets within a VPC cannot overlap
Amazon VPC – CIDR Blocks and IP Subnets
Ø The first four IP addresses and the last IP address in each subnet CIDR block are
not available for you to use
Ø For example, in a subnet with CIDR block 10.0.0.0/24, the following five IP
addresses are reserved:
Ø 10.0.0.0: Network address
Ø 10.0.0.1: Reserved by AWS for the VPC router
Ø 10.0.0.2: Reserved by AWS
Ø 10.0.0.3: Reserved by AWS for future use
Ø 10.0.0.255: Network broadcast address (broadcast not supported)
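An added example (not code from the course or from AWS) that checks VPC and subnet CIDR blocks against the rules on the three slides above and lists the five reserved addresses of a subnet; the VPC and subnet CIDRs used in it are constructed sample values.

```python
"""Check VPC and subnet CIDR blocks against the rules on the slides and list
the addresses AWS reserves in each subnet. Added example, not AWS code; the
CIDR values used below are constructed sample input.
"""
import ipaddress

# The RFC 1918 private ranges recommended for VPC CIDR blocks.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_vpc_cidr(cidr):
    """Return findings for a VPC CIDR block; an empty list means it is acceptable."""
    net = ipaddress.ip_network(cidr)  # raises ValueError if host bits are set
    findings = []
    if not 16 <= net.prefixlen <= 28:
        findings.append(f"{net}: block size must be between /16 and /28")
    if not any(net.subnet_of(r) for r in RFC1918):
        findings.append(f"{net}: not an RFC 1918 private range (publicly routable)")
    return findings


def check_subnets(vpc_cidr, subnet_cidrs):
    """Findings for a set of subnets: each must lie inside the VPC CIDR and
    no two may overlap."""
    vpc = ipaddress.ip_network(vpc_cidr)
    subnets = [ipaddress.ip_network(s) for s in subnet_cidrs]
    findings = [f"{s}: outside the VPC CIDR {vpc}"
                for s in subnets if not s.subnet_of(vpc)]
    for i, a in enumerate(subnets):
        for b in subnets[i + 1:]:
            if a.overlaps(b):
                findings.append(f"{a} overlaps {b}")
    return findings


def reserved_addresses(subnet_cidr):
    """The five addresses in a subnet that are not available for you to use."""
    net = ipaddress.ip_network(subnet_cidr)
    first = net.network_address
    return {
        str(first): "Network address",
        str(first + 1): "Reserved by AWS for the VPC router",
        str(first + 2): "Reserved by AWS",
        str(first + 3): "Reserved by AWS for future use",
        str(net.broadcast_address): "Network broadcast address (broadcast not supported)",
    }


def usable_addresses(subnet_cidr):
    """Addresses left for your resources after the five reserved ones."""
    return ipaddress.ip_network(subnet_cidr).num_addresses - 5


if __name__ == "__main__":
    # Constructed sample layout: a /16 VPC with one /24 per Availability Zone,
    # plus a deliberately overlapping /25 to show the overlap check.
    vpc = "10.0.0.0/16"
    print(check_vpc_cidr(vpc) or f"{vpc} OK")
    print(check_subnets(vpc, ["10.0.1.0/24", "10.0.2.0/24", "10.0.2.128/25"]))
    for addr, why in reserved_addresses("10.0.0.0/24").items():
        print(f"{addr:<12} {why}")
    print("usable addresses in a /28:", usable_addresses("10.0.0.0/28"))
```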
Creating a Custom VPC
[Diagram: a VPC (10.0.0.0/16) in a Region with a public subnet and a private subnet in each of three Availability Zones; an internet gateway is attached to the VPC and a NAT gateway sits in one public subnet; the public subnets share a public route table and the private subnets share a private route table]
Public Route Table
Destination      Target
10.0.0.0/16      Local
0.0.0.0/0        igw-id
Private Route Table
Destination      Target
10.0.0.0/16      Local
0.0.0.0/0        nat-gateway-id
Private Subnet with NAT Gateway
[Diagram: the NAT gateway is created in the public subnet and has an Elastic IP and a private IP; an EC2 instance in the private subnet (private IP only) reaches the Internet through the NAT gateway and the internet gateway; the NAT gateway ID must be specified in the private subnet route table]
Public Subnet Route Table
Destination      Target
172.31.0.0/16    Local
0.0.0.0/0        igw-id
Private Subnet Route Table
Destination      Target
172.31.0.0/16    Local
0.0.0.0/0        nat-gateway-id
Private Subnet with NAT Instance
[Diagram: the NAT instance runs in the public subnet with an Elastic IP and a private IP, and source/destination checks must be disabled on it; an EC2 instance in the private subnet (private IP only) reaches the Internet through the NAT instance and the internet gateway; the NAT instance ID must be specified in the private subnet route table]
Public Subnet Route Table
Destination      Target
172.31.0.0/16    Local
0.0.0.0/0        igw-id
Private Subnet Route Table
Destination      Target
172.31.0.0/16    Local
0.0.0.0/0        nat-instance-id
NAT Instance vs NAT Gateway

NAT Instance: Managed by you (e.g. software updates)
NAT Gateway: Managed by AWS

NAT Instance: Scale up (instance type) manually and use enhanced networking
NAT Gateway: Elastic scalability up to 45 Gbps

NAT Instance: No high availability – scripted/auto-scaled HA possible using multiple NATs in multiple subnets
NAT Gateway: Provides automatic high availability within an AZ and can be placed in multiple AZs

NAT Instance: Need to assign Security Group
NAT Gateway: No Security Groups

NAT Instance: Can use as a bastion host
NAT Gateway: Cannot access through SSH

NAT Instance: Use an Elastic IP address or a public IP address with a NAT instance
NAT Gateway: Choose the Elastic IP address to associate with a NAT gateway at creation

NAT Instance: Can implement port forwarding through manual customisation
NAT Gateway: Does not support port forwarding
Security Groups & Network Access Control Lists (NACLs)
[Diagram: a VPC with a private subnet and a public subnet in each of two Availability Zones; a Network ACL is attached to each subnet (NACLs apply at the subnet level); Security Group A and Security Group B are attached to instances (Security Groups apply at the instance level, and can be applied to instances in any subnet)]
Security Groups
Ø Security groups act like a firewall at the instance level
Ø Specifically security groups operate at the network interface level
Ø Can only assign permit/allow rules in a security group
Ø You cannot assign deny rules
Ø There is an implicit deny rule at the end of the security group
Ø All rules are evaluated until a permit is encountered; otherwise evaluation continues to the implicit deny
Ø Can control ingress and egress traffic with security groups
Ø Security groups are stateful
Stateful (Security Groups) vs Stateless (Network ACLs) Firewalls

PROTOCOL   SOURCE IP    DESTINATION IP   SOURCE PORT   DESTINATION PORT
HTTP       10.1.1.1     10.2.1.10        65188         80
HTTP       10.2.1.10    10.1.1.1         80            65188

[Diagram: the client (10.1.1.1) sends a request with Src Port: 65188 and Dest Port: 80 through the firewall to the web server (10.2.1.10); the reply comes back with Src Port: 80 and Dest Port: 65188]
A stateful firewall allows the return traffic automatically
A stateless firewall checks for an allow rule for both connections
Security Groups
Ø You can use security group names/IDs as the source or destination in
other security groups
Ø You can use the security group name/ID as a source in its own inbound
rules
Ø Security group members can be within any AZ or subnet within the VPC
Ø Security group membership can be changed whilst instances are running
Ø Any changes made will take effect immediately
Ø Up to 5 security groups can be added per EC2 instance interface.
Ø There is no limit on the number of EC2 instances within a security
group.
Ø You cannot block specific IP addresses using security groups, use NACLs
instead
Security Group Best Practice
[Diagram: in a VPC, an Internet client sends HTTP, HTTPS to Amazon EC2 in the public subnet (security group WebSG); Amazon EC2 connects over MySQL (3306) to Amazon RDS in the private subnet (security group DBSG)]

Security group (WebSG)
Inbound
Type     Protocol   Port   Source
HTTP     TCP        80     0.0.0.0/0
HTTPS    TCP        443    0.0.0.0/0
Outbound
Type     Protocol   Port   Destination
MySQL    TCP        3306   DBSG

Security group (DBSG)
Inbound
Type     Protocol   Port   Source
MySQL    TCP        3306   WebSG
Network Access Control Lists (NACLs)
[Diagram: a VPC with a private subnet and a public subnet in each of two Availability Zones; each subnet has a Network ACL, and instances carry Security Group A or Security Group B]

Default NACL
Inbound:
Protocol   Port   Source      Action
All        All    0.0.0.0/0   ALLOW
All        All    ::/0        ALLOW
Outbound:
Protocol   Port   Destination   Action
All        All    0.0.0.0/0     ALLOW
All        All    ::/0          ALLOW

Custom NACL
Inbound:
Protocol   Port   Source      Action
All        All    0.0.0.0/0   DENY
All        All    ::/0        DENY
Outbound:
Protocol   Port   Destination   Action
All        All    0.0.0.0/0     DENY
All        All    ::/0          DENY
Network ACLs
Ø Network ACLs function at the subnet level
Ø With NACLs you can have permit and deny rules
Ø Network ACLs contain a numbered list of rules that are evaluated in order from
the lowest number until the explicit deny
Ø Network ACLs have separate inbound and outbound rules and each rule can
allow or deny traffic.
Ø Network ACLs are stateless so responses are subject to the rules for the direction
of traffic.
Ø NACLs only apply to traffic that is ingress or egress to the subnet not to traffic
within the subnet
Network ACLs
Ø Each subnet in your VPC must be associated with a network ACL. If you don’t do
this manually it will be associated with the default network ACL
Ø You can associate a network ACL with multiple subnets; however a subnet can
only be associated with one network ACL at a time
Ø Network ACLs do not filter traffic between instances in the same subnet
Ø NACLs are the preferred option for blocking specific IPs or ranges
Ø Security groups cannot be used to block specific ranges of IPs
Ø NACL is the first line of defence, the security group is the second line
Security Groups & Network Access Control Lists (NACLs)
Ø Scope: a security group operates at the instance (interface) level; a network ACL operates at the subnet level
Ø Rule types: security groups support allow rules only; network ACLs support allow and deny rules
Ø State: security groups are stateful; network ACLs are stateless
Ø Evaluation: a security group evaluates all rules; a network ACL processes rules in order
Ø Association: a security group applies to an instance only if associated with the instance; a network ACL automatically applies to all instances in the subnets it is associated with
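The difference between ordered, stateless NACL evaluation and all-rules, stateful security group evaluation is easiest to see on a concrete packet. The following is an added example, not code from the course or from AWS: a small simulator of both decision procedures run over a constructed SSH session (addresses, ports and rule numbers are made up for illustration). It shows the return traffic of an allowed SSH connection being dropped by a NACL with no outbound ephemeral-port rule, the same return traffic passing a security group with no outbound rules at all, and why a DENY for one host only works when its rule number is lower than the ALLOW for the range.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    src_port: int
    dst: str
    dst_port: int
    proto: str = "tcp"

    def reply(self):
        """The return packet for this one: addresses and ports swapped."""
        return Packet(self.dst, self.dst_port, self.src, self.src_port, self.proto)


@dataclass(frozen=True)
class Rule:
    number: int          # NACL rule number (ignored for security groups)
    proto: str           # "tcp", "udp", "icmp" or "all"
    port_from: int
    port_to: int
    cidr: str            # source CIDR for inbound rules, destination for outbound
    action: str = "ALLOW"


def _matches(rule, packet, direction):
    # Inbound rules are matched on the packet source, outbound on its destination.
    addr = packet.src if direction == "inbound" else packet.dst
    if rule.proto != "all":
        if rule.proto != packet.proto:
            return False
        if not rule.port_from <= packet.dst_port <= rule.port_to:
            return False
    return ip_address(addr) in ip_network(rule.cidr)


def nacl_decision(rules, packet, direction):
    """Stateless and ordered: lowest rule number first, first match wins, and
    the implicit final '*' rule denies anything no numbered rule matched."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, packet, direction):
            return rule.action
    return "DENY"


class SecurityGroup:
    """Allow-only and stateful: every rule is considered, and once a packet is
    allowed the connection is tracked so its return traffic passes regardless
    of the rules for the opposite direction."""

    def __init__(self, inbound=(), outbound=()):
        self.inbound, self.outbound = list(inbound), list(outbound)
        self._tracked = set()

    def decide(self, packet, direction):
        if packet.reply() in self._tracked:       # return traffic of a tracked flow
            return "ALLOW"
        rules = self.inbound if direction == "inbound" else self.outbound
        if any(_matches(r, packet, direction) for r in rules):
            self._tracked.add(packet)
            return "ALLOW"
        return "DENY"


def ssh_session_outcomes():
    """Constructed scenario: an admin at 203.0.113.10 opens SSH to 10.0.1.15."""
    syn = Packet("203.0.113.10", 51234, "10.0.1.15", 22)
    reply = syn.reply()
    allow_ssh = Rule(100, "tcp", 22, 22, "203.0.113.0/24")
    allow_ephemeral_out = Rule(100, "tcp", 1024, 65535, "0.0.0.0/0")
    sg = SecurityGroup(inbound=[allow_ssh])            # no outbound rules at all
    return {
        "nacl_inbound_syn": nacl_decision([allow_ssh], syn, "inbound"),
        "nacl_reply_without_outbound_rule": nacl_decision([], reply, "outbound"),
        "nacl_reply_with_ephemeral_rule": nacl_decision([allow_ephemeral_out], reply, "outbound"),
        "sg_inbound_syn": sg.decide(syn, "inbound"),
        "sg_reply": sg.decide(reply, "outbound"),
    }


def block_one_host_outcomes():
    """Deny one host inside an allowed range: only a lower-numbered DENY works."""
    syn = Packet("203.0.113.10", 51234, "10.0.1.15", 22)
    allow_range = Rule(100, "tcp", 22, 22, "203.0.113.0/24")

    def deny_host(number):
        return Rule(number, "all", 0, 65535, "203.0.113.10/32", "DENY")

    return {
        "deny_numbered_below_allow": nacl_decision([allow_range, deny_host(50)], syn, "inbound"),
        "deny_numbered_above_allow": nacl_decision([allow_range, deny_host(200)], syn, "inbound"),
    }


if __name__ == "__main__":
    print(ssh_session_outcomes())
    print(block_one_host_outcomes())
```

The outbound rule for TCP 1024-65535 is the piece most often forgotten on a custom NACL: without it the inbound ALLOW for port 22 is useless, because the SYN-ACK back to the client's ephemeral port is evaluated on its own against the outbound rules.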
Amazon VPC Endpoints
Ø Enables private connectivity from a VPC to supported AWS services and VPC
endpoint services powered by AWS PrivateLink
Ø Does not require an internet gateway, NAT device, VPN connection, or AWS
Direct Connect connection
Ø Endpoints are virtual devices
Ø They are horizontally scaled, redundant, and highly available
Amazon VPC Endpoints
Ø There are two types of VPC endpoints: interface endpoints and gateway
endpoints.
Ø An interface endpoint is an elastic network interface with a private IP address
that serves as an entry point for traffic destined to a supported service
Ø With an interface endpoint you remove the need for an internet gateway, NAT
device, or virtual private gateway.
Ø A gateway endpoint is a gateway that you specify as a target for a route in your
route table for traffic destined to a supported AWS service.
Ø The following AWS services are supported:
Ø Amazon S3
Ø DynamoDB
Amazon VPC Endpoint Services
[Diagram: a VPC with a private subnet containing an EC2 instance and an endpoint ENI; the ENI connects to AWS CloudFormation, AWS CodeDeploy or an AWS PrivateLink powered service.]
Ø An ENI is created in the subnet
Ø The EC2 instance connects to the public AWS service using a private IP
Ø Each interface endpoint can connect to one of many AWS services
Ø Or you can connect to an AWS PrivateLink powered service
Amazon S3 Gateway Endpoints
[Diagram: an EC2 instance in a private subnet of a VPC reaches Amazon S3 through an S3 gateway endpoint.]
Ø The EC2 instance connects to S3 using a private IP
Ø IAM policies can be applied to endpoints
Ø Exam tip: bucket policies can limit access to the endpoint source
Ø A route table entry is required with the prefix list for S3 and the gateway ID

Route Table
Destination                                                                                       Target
pl-6ca54005 (com.amazonaws.ap-southeast-2.s3, 54.231.248.0/22, 54.231.252.0/24, 52.95.128.0/21)   vpce-ID
Amazon S3 Gateway Endpoint Policy Example
Ø Restricting access to a specific bucket
Amazon S3 Bucket Policy Example
Ø Restricting access to a specific endpoint
Amazon VPC Endpoints
Ø What: an interface endpoint is an Elastic Network Interface with a private IP; a gateway endpoint is a gateway that is a target for a specific route
Ø How: an interface endpoint uses DNS entries to redirect traffic; a gateway endpoint uses prefix lists in the route table to redirect traffic
Ø Which services: interface endpoints support API Gateway, CloudFormation, CloudWatch etc.; gateway endpoints support Amazon S3 and DynamoDB
Ø Security: interface endpoints use security groups; gateway endpoints use VPC endpoint policies
Amazon VPC Peering
[Diagram: a VPC in Region 1 (CIDR 10.0.0.0/16) and a VPC in Region 2 (CIDR 10.1.0.0/16), each with a public subnet and an EC2 instance, joined by a peering connection.]

Security group (Region1-SG)
Protocol  Port  Source
ICMP      All   10.1.0.0/16
TCP       22    0.0.0.0/0

Security group (Region2-SG)
Protocol  Port  Source
ICMP      All   10.0.0.0/16
TCP       22    0.0.0.0/0

Route Table (Region 1 VPC)
Destination   Target
10.1.0.0/16   peering-id

Route Table (Region 2 VPC)
Destination   Target
10.0.0.0/16   peering-id
Amazon VPC Peering
Ø A VPC peering connection enables you to route traffic between VPCs using private IPv4 addresses or IPv6 addresses
Ø Instances in either VPC can communicate with each other as if they are within the same network
Ø You can create a VPC peering connection between your own VPCs, or with a VPC in another AWS account
Ø The VPCs can be in different regions (also known as an inter-region VPC peering connection)
Ø Data sent between VPCs in different regions is encrypted (traffic charges apply)
Amazon VPC Peering
Ø The VPCs cannot have overlapping CIDR ranges
Ø You can create multiple VPC peering connections for each VPC that you own, but transitive peering relationships are not supported
Ø You must update route tables to configure routing
Ø You must update the inbound and outbound rules of the VPC security groups to reference security groups in the peered VPC
Amazon VPC Peering
Ø When creating a VPC peering connection with another account you need to enter the account ID and VPC ID from the other account
Amazon VPC Peering
Ø What: AWS-provided network connectivity between two VPCs
Ø When: multiple VPCs need to communicate or access each other’s resources
Ø Pros: uses the AWS backbone without traversing the Internet
Ø Cons: transitive peering is not supported
Ø How: a VPC peering request is made; the accepter accepts the request (either within or across accounts)
Amazon Virtual Private Networks (VPN)
[Diagram: a VPC (CIDR 10.0.0.0/16) with a public subnet, a private subnet and a Virtual Private Gateway (VGW); a VPN connection runs from the VGW to a customer gateway in the corporate data center (CIDR 192.168.0.0/16).]
Ø VPNs are quick and easy to deploy
Ø A VGW is deployed on the AWS side
Ø A customer gateway is deployed on the customer side
Ø The route table points to the VGW

Route Table
Destination      Target
192.168.0.0/16   vgw-id
AWS Managed VPN
Ø What: AWS managed IPSec VPN connection over your existing Internet connection
Ø When: quick and usually simple way to establish a secure tunnelled connection to a VPC; redundant link for Direct Connect or other VPC VPN
Ø Pros: supports static routes or BGP peering and routing
Ø Cons: dependent on your Internet connection
Ø How: create a Virtual Private Gateway (VGW) on AWS, and a Customer Gateway on the on-premises side
AWS Direct Connect
[Diagram: a customer router in the corporate data center connects to the customer/partner router in the customer/partner cage at an AWS Direct Connect location, which connects to the AWS Direct Connect endpoint in the AWS cage. A private VIF terminates on a VPN gateway attached to a VPC (public and private subnets) in a Region; a public VIF reaches public services such as Amazon S3 and Amazon EC2.]
Ø Direct Connect can take weeks to months to deploy
Ø Direct Connect offers consistent, low-latency access to AWS
Ø Connect to public services over a public VIF
AWS Direct Connect
Ø What: dedicated network connection over private lines straight into the AWS backbone
Ø When: requires a large network link into AWS; lots of resources and services being provided on AWS to your corporate users
Ø Pros: more predictable network performance; potential bandwidth cost reduction; up to 10 Gbps provisioned connections; supports BGP peering and routing
Ø Cons: may require additional telecom and hosting provider relationships and/or network circuits; costly
Ø How: work with your existing data networking provider; create Virtual Interfaces (VIFs) to connect to VPCs (private VIFs) or other AWS services like S3 or Glacier (public VIFs)
AWS Direct Connect Gateway
[Diagram: a customer router in the corporate data center connects through an AWS Direct Connect location (customer/partner router and cage, AWS Direct Connect endpoint in the AWS cage) to a Direct Connect Gateway over a private VIF; the Direct Connect Gateway attaches over private VIFs to the VPN gateways of VPCs in two different Regions, each with public and private subnets.]
Ø Direct Connect Gateway enables multi-region connectivity
Amazon VPC Flow Logs
[Diagram: a VPC with a public subnet, a private subnet and an EC2 instance; flow logs are attached at the VPC, subnet and interface (ENI) levels.]
Ø Flow Logs can be created at the VPC, subnet or interface level
Ø Flow Logs capture data about IP traffic going to and from network interfaces in a VPC
Ø Flow log data can be published to CloudWatch Logs or Amazon S3

Example entries:
2 1243434343 eni-123….. ACCEPT OK
2 1243434343 eni-123….. REJECT OK
Amazon VPC Flow Logs vs ELB Access Logs

VPC Flow Log (default format fields):
version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
2 55112233445 eni-0f5… 11.200.185.200 10.0.1.15 52933 22 6 1 40 1599… 1599… ACCEPT OK
2 55112233445 eni-0f5… 10.0.1.15 11.200.185.200 22 52933 6 1 40 1599… 1599… ACCEPT OK
2 55112233445 eni-0f5… 11.200.185.200 10.0.1.15 3624 80 6 1 44 1599… 1599… REJECT OK
2 55112233445 eni-0f5… 11.200.185.200 10.0.1.15 3624 80 6 1 44 1599… 1599… REJECT OK
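Flow log records in the default format above are plain space-separated text, so the analysis the exam scenarios ask for (top talkers behind a NAT gateway ENI, REJECTs after a network change, inbound ACCEPT paired with outbound REJECT on a stateless NACL) can be done with a short parser. The following is an added example, not code from the course or an AWS tool; the log lines are constructed samples in the default format (the account ID, ENI ID and addresses are made up), and the NODATA record shows why the parser must skip records whose traffic fields are dashes.

```python
from collections import Counter

# Field order of the default VPC flow log record format.
FIELDS = ("version account-id interface-id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log-status").split()

# Constructed sample records (not real traffic; public addresses are documentation ranges).
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.20 10.0.1.15 52933 22 6 6 360 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.15 203.0.113.20 22 52933 6 5 300 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.20 10.0.1.15 3624 80 6 1 44 1600000000 1600000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 192.168.10.5 10.0.1.15 0 0 1 4 336 1600000100 1600000160 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.15 192.168.10.5 0 0 1 4 336 1600000100 1600000160 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.2.40 10.0.1.15 41000 443 6 20 9000 1600000200 1600000260 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1600000300 1600000360 - NODATA
"""

INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")


def parse_flow_log(text):
    """Parse default-format records. NODATA/SKIPDATA records carry no traffic
    fields and are dropped, as are lines with the wrong field count."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log-status"] != "OK":
            continue
        for name in INT_FIELDS:
            rec[name] = int(rec[name])
        records.append(rec)
    return records


def bytes_by_source(records):
    """Top talkers by bytes sent: the question you would put to CloudWatch
    Logs Insights for the flow log of a NAT gateway ENI."""
    totals = Counter()
    for rec in records:
        totals[rec["srcaddr"]] += rec["bytes"]
    return totals.most_common()


def rejected_flows(records):
    """(src, dst, dstport, protocol) of every REJECTed flow."""
    return [(r["srcaddr"], r["dstaddr"], r["dstport"], r["protocol"])
            for r in records if r["action"] == "REJECT"]


def _five_tuple(rec):
    return (rec["srcaddr"], rec["dstaddr"], rec["srcport"], rec["dstport"], rec["protocol"])


def asymmetric_flows(records):
    """Flows ACCEPTed in one direction whose reverse flow was REJECTed: the
    signature of a stateless NACL missing the rule for the return traffic."""
    actions = {}
    for rec in records:
        actions.setdefault(_five_tuple(rec), set()).add(rec["action"])
    found = []
    for (src, dst, sport, dport, proto), acts in actions.items():
        reverse = (dst, src, dport, sport, proto)
        if "ACCEPT" in acts and "REJECT" in actions.get(reverse, set()):
            found.append(((src, dst, sport, dport, proto), reverse))
    return found


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    print("top talkers:", bytes_by_source(recs)[:3])
    print("rejects:", rejected_flows(recs))
    print("accepted in, rejected out:", asymmetric_flows(recs))
```

In the sample, the SSH session (port 22) is accepted in both directions, the HTTP attempt on port 80 is rejected outright, and the ICMP echo from 192.168.10.5 is accepted inbound but its reply is rejected outbound, which is exactly the pattern the VPN ping scenario below describes and which points at the subnet's NACL rather than at a security group.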

ELB Access Log


Exam Scenarios
Scenario: Need to identify the instances that are generating the most traffic using a NAT gateway
Solution: Use VPC flow logs on the NAT gateway ENI and use CloudWatch Insights to filter based on source IP address

Scenario: Latency on a NAT instance has increased; need a solution that scales with demand cost-efficiently
Solution: Swap with a NAT gateway

Scenario: NAT gateway is NOT highly available across AZs, only within an AZ
Solution: Use multiple NAT gateways for HA across AZs

Scenario: NAT instance deployed but not working
Solution: Make sure to disable source/destination checks

Scenario: Need to enable access to S3 without the instances using public IP addresses
Solution: Use a NAT gateway or VPC endpoint

Exam Scenarios
Scenario: EC2 instance in a private subnet cannot reach the Internet. Route table has a route to a NAT gateway with a status of "Blackhole"
Solution: Indicates the NAT gateway has been deleted

Scenario: Need to connect to S3 from EC2 using the private network only. Must also ensure that only the instances can access the bucket
Solution: Create a VPC endpoint and a bucket policy with a Condition that limits S3 actions to the VPC endpoint as the source

Scenario: VPC endpoint set up to allow private IP address connectivity to an S3 bucket, permissions configured, but instances still can't connect
Solution: Make sure the subnet has a target in the route table for the VPC endpoint

Exam Scenarios
Scenario: Need to manage EC2 instances in a private subnet from an office using SSH, but instances cannot have internet access
Solution: Add a VGW, configure routing in the VPC and establish a VPN to the office

Scenario: Need encryption in transit and at rest for a hybrid environment
Solution: Use an AWS VPN and use KMS keys for data encryption

Scenario: A network change was made that resulted in application-to-DB connection issues
Solution: Analyze using VPC Flow Logs

Scenario: Inbound and outbound internet connectivity required for EC2 instances
Solution: Attach an internet gateway to the VPC and add an entry in the route table for the subnet that points to the internet gateway

Exam Scenarios
Scenario: Web application has EC2 instances with public IPs behind an ALB. EC2 instances cannot connect to an external service
Solution: Create and attach an IGW to the VPC and update the route table

Scenario: VPC peering connection set up between two different VPCs. Instances in private subnets still can't communicate
Solution: Make sure the route tables are updated

Scenario: A company has configured a VPC peering connection between two VPCs and needs to set up connectivity between instances in private subnets
Solution: Configure the VPC route tables with routes pointing to the address range of the other VPC

Scenario: Company backing up one VPC to another in a different region. All data must be private and encrypted
Solution: Use inter-region VPC peering, which encrypts across the AWS global network

Exam Scenarios
Scenario: Malicious IP identified and must be blocked from all ingress and egress connectivity
Solution: Add a rule to a network ACL for all affected subnets

Scenario: VPC connected to a data center by VPN. A user pings a private subnet instance from an on-prem computer and fails. VPC Flow Logs show ACCEPT for inbound but REJECT for outbound traffic
Solution: Modify the network ACL to allow the outbound traffic

Scenario: Malicious traffic coming from a single IP address
Solution: Use a NACL for the web server subnet to deny the IP address

Scenario: Admin has set up an instance for remote access and can SSH from the internet but cannot ping
Solution: Most likely reason is that the instance's security group does not have a rule allowing ICMP

Exam Scenarios
Scenario: Admin connecting to an EC2 instance using SSH from the office but gets a connection timeout from home
Solution: Most likely doesn't have the home network IP range in the security group allow rule for SSH
SECTION 10
DNS: Amazon Route 53
Amazon Route 53 Overview
[Diagram: Amazon Route 53 features: domain registration (.net, .com, .org), hosted zones (example.com, dctlabs.com), health checks and traffic flow, with records pointing at EC2 instances.]
DNS Resolution
[Diagram: a user enters a website address in the browser; the DNS server resolves the domain name to the IP address of the web server; the computer connects to the web server at 192.168.0.1.]

Name               Type  Value
mycompany.local    A     192.168.0.1
emailserver.local  MX    192.168.0.2
DNS Resolution with AWS Route 53
[Diagram: a client asks Amazon Route 53 "What’s the address for example.com?"; the example.com hosted zone answers "Address is 8.1.2.1"; the client sends an HTTP GET to 8.1.2.1, a web server in a public subnet of a VPC in a Region and Availability Zone.]
Ø A hosted zone represents a set of records belonging to a domain
Amazon Route 53 DNS Record Types
Supported DNS records:
• A (address record)
• AAAA (IPv6 address record)
• CNAME (canonical name record)
• Alias (an Amazon Route 53-specific virtual record)
• CAA (certification authority authorization)
• MX (mail exchange record)
• NAPTR (name authority pointer record)
• NS (name server record)
• PTR (pointer record)
• SOA (start of authority record)
• SPF (sender policy framework)
• SRV (service locator)
• TXT (text record)

CNAME vs Alias:
Ø Cost: Route 53 charges for CNAME queries; Route 53 doesn’t charge for alias queries to AWS resources
Ø Zone apex: you can’t create a CNAME record at the top node of a DNS namespace (zone apex); you can create an alias record at the zone apex (however you can’t route to a CNAME at the zone apex)
Ø Target: a CNAME can point to any DNS record that is hosted anywhere; an alias record can only point to a CloudFront distribution, Elastic Beanstalk environment, ELB, S3 bucket as a static website, or to another record in the same hosted zone that you’re creating the alias record in
Using Alias and CNAME Records
[Diagram: three console examples: an alias to an Elastic Load Balancer, an alias to an Amazon S3 bucket (static website), and a CNAME of a subdomain to another DNS name.]
Ø The zone apex can be used with an alias (dctlabs.com)
Ø The CNAME must be a subdomain or you get an error
Route 53 DNS Routing Policies
Ø Simple: simple DNS response providing the IP address associated with a name
Ø Failover: if the primary is down (based on health checks), routes to the secondary destination
Ø Geolocation: uses the geographic location you’re in (e.g. Europe) to route you to the closest region
Ø Geoproximity: routes you to the closest region within a geographic area
Ø Latency: directs you based on the lowest latency route to resources
Ø Multivalue answer: returns several IP addresses and functions as a basic load balancer
Ø Weighted: uses the relative weights assigned to resources to determine which to route to
Amazon Route 53 - Simple Routing Policy
[Diagram: a DNS query to Amazon Route 53 is answered with the record values, which point at resources in a Region.]

Name                 Type  Value     TTL
simple.dctlabs.com   A     1.1.1.1   60
                           2.2.2.2
simple2.dctlabs.com  A     3.3.3.3   60
Amazon Route 53 - Simple Routing Policy
Ø With simple routing, you typically route traffic to a single resource such as a
webserver
Ø You can't create multiple records that have the same name and type, but you can
specify multiple values in the same record, such as multiple IP addresses
Ø When using multiple values in a record:
Ø Route 53 returns all values to the recursive resolver in random order, and the
resolver returns the values to the client
Ø The client then chooses a value and resubmits the query
Amazon Route 53 - Weighted Routing Policy
[Diagram: a DNS query to Amazon Route 53 is answered with 1.1.1.1 60% of the time, 2.2.2.2 20% and 3.3.3.3 20%, each in a Region; health checks are optional.]

Name                   Type  Value    Health  Weight
weighted.dctlabs.com   A     1.1.1.1  ID      60
weighted.dctlabs.com   A     2.2.2.2  ID      20
weighted.dctlabs.com   A     3.3.3.3  ID      20
Amazon Route 53 - Weighted Routing Policy
Ø Create records that have the same name and type for each of your resources
Ø Assign each record a relative weight that corresponds with how much traffic you
want to send to each resource
Ø Route 53 sends traffic to a resource based on the weight that you assign to the
record as a proportion of the total weight for all records in the group
Ø Uses an integer between 0 and 255
Ø To disable routing to a resource, set Weight to 0
Ø If you set Weight to 0 for all of the records in the group, traffic is routed to all
resources with equal probability
Amazon Route 53 - Latency Routing Policy
[Diagram: DNS queries from Singapore, New York and Sydney are answered with the record in the Region that gives the lowest latency: 1.1.1.1 in ap-southeast-1, 2.2.2.2 in us-east-1 and an ALB in ap-southeast-2; health checks are optional.]

Name                  Type  Value    Health  Region
latency.dctlabs.com   A     1.1.1.1  ID      ap-southeast-1
latency.dctlabs.com   A     2.2.2.2  ID      us-east-1
latency.dctlabs.com   A     alb-id   ID      ap-southeast-2
Amazon Route 53 - Latency Routing Policy
Ø When Route 53 receives a DNS query for a domain it determines which AWS
Regions you've created latency records for, determines which region gives the
user the lowest latency, and then selects a latency record for that region
Ø Route 53 responds with the value from the selected record, such as the IP
address for a web server
Amazon Route 53 - Failover Routing Policy
[Diagram: the primary record (1.1.1.1) points at a traditional server in the corporate data center; the secondary record points at an ALB in ap-southeast-2; a health check is required on the primary.]

Name                   Type  Value    Health  Record Type
failover.dctlabs.com   A     1.1.1.1  ID      Primary
failover.dctlabs.com   A     alb-id           Secondary
Amazon Route 53 - Failover Routing Policy
Ø When responding to queries, Route 53 includes only the healthy primary
resources
Ø If all the primary resources are unhealthy, Route 53 begins to include only the
healthy secondary resources in response to DNS queries
Ø If you're routing traffic to any AWS resources that you can create alias records
for, don't create health checks for those resources. When you create the alias
records, you set Evaluate Target Health to Yes instead
Amazon Route 53 - Geolocation Routing Policy
[Diagram: a query from Singapore is answered with 1.1.1.1 (ap-southeast-1), a query from New Zealand with the ALB (ap-southeast-2, Oceania), and a query from Mexico with the default record 2.2.2.2 (us-east-1); health checks are optional.]

Name                      Type  Value    Health  Geolocation
geolocation.dctlabs.com   A     1.1.1.1  ID      Singapore
geolocation.dctlabs.com   A     2.2.2.2  ID      Default
geolocation.dctlabs.com   A     alb-id   ID      Oceania
Amazon Route 53 - Geoproximity Routing Policy
Ø To use geoproximity routing, you must use Route 53 traffic flow
Ø You create geoproximity rules for your resources and specify one of the
following values for each rule:
Ø If you're using AWS resources, the AWS Region that you created the
resource in
Ø If you're using non-AWS resources, the latitude and longitude of the
resource
Amazon Route 53 - Geoproximity Routing Policy
[Diagram: a world map in which traffic originating within a geographical area is routed to the numbered AWS Regions.]
Amazon Route 53 - Multivalue Routing Policy
[Diagram: a DNS query to Amazon Route 53 is answered with the healthy records only, pointing at resources in a Region.]

Name                     Type  Value    Health  Multi Value
multivalue.dctlabs.com   A     1.1.1.1  ID      Yes
multivalue.dctlabs.com   A     2.2.2.2  ID      Yes
multivalue.dctlabs.com   A     3.3.3.3  ID      Yes
Ø Health checks: returns healthy records only
Amazon Route 53 - Multivalue Routing Policy
Ø To route traffic approximately randomly to multiple resources, such as
web servers, you create one multivalue answer record for each
resource
Ø Can optionally associate a Route 53 health check with each record
Ø Route 53 responds to DNS queries with up to eight healthy records
and gives different answers to different DNS resolvers
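The weighted, failover and multivalue policies described above are each a small selection rule over a record set. As an added example (not code from the course or from Route 53 itself), the block below implements those three rules as stated on the slides: weight as a share of the total with 0 disabling a record and all-zero meaning equal probability, healthy primaries before healthy secondaries, and up to eight healthy records per answer. The `Record` class and the seeded distribution check are my own scaffolding; the 60/20/20 weights and the eight-record limit are the slides' values.

```python
import random
from dataclasses import dataclass


@dataclass
class Record:
    value: str
    healthy: bool = True     # result of the optional health check
    weight: int = 0          # weighted routing: an integer between 0 and 255
    failover: str = ""       # failover routing: "PRIMARY" or "SECONDARY"


def weighted_answer(records, rng=random):
    """Pick one record with probability weight / total weight. A record with
    weight 0 is never chosen, unless every record is 0, in which case all are
    equally likely."""
    if any(not 0 <= r.weight <= 255 for r in records):
        raise ValueError("weights must be integers between 0 and 255")
    total = sum(r.weight for r in records)
    if total == 0:
        return rng.choice(records)
    pick = rng.randrange(total)          # integer in [0, total)
    for rec in records:
        pick -= rec.weight               # a zero-weight record never moves pick below 0
        if pick < 0:
            return rec
    raise AssertionError("unreachable: pick is always consumed by some record")


def failover_answer(records):
    """Healthy primary records if any exist, otherwise healthy secondaries."""
    primaries = [r for r in records if r.failover == "PRIMARY" and r.healthy]
    if primaries:
        return primaries
    return [r for r in records if r.failover == "SECONDARY" and r.healthy]


def multivalue_answer(records, rng=random, limit=8):
    """Up to eight healthy records, in an order that differs per query."""
    healthy = [r for r in records if r.healthy]
    rng.shuffle(healthy)
    return healthy[:limit]


def weighted_distribution(records, trials=20000, seed=1):
    """Observed share of answers per record over many queries (seeded, so
    the result is reproducible)."""
    rng = random.Random(seed)
    counts = {r.value: 0 for r in records}
    for _ in range(trials):
        counts[weighted_answer(records, rng).value] += 1
    return {value: n / trials for value, n in counts.items()}


if __name__ == "__main__":
    weighted = [Record("1.1.1.1", weight=60), Record("2.2.2.2", weight=20),
                Record("3.3.3.3", weight=20)]
    print(weighted_distribution(weighted))
    print([r.value for r in failover_answer(
        [Record("1.1.1.1", healthy=False, failover="PRIMARY"),
         Record("alb-id", failover="SECONDARY")])])
```

Note that the weight is a relative share, not a percentage: the 60/20/20 set on the slide behaves identically to 3/1/1.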
Amazon Route 53 – Health Checks
There are three types of Amazon Route 53 health checks:
Ø Health checks that monitor an endpoint
Ø Health checks that monitor other health checks (calculated health
checks)
Ø Health checks that monitor CloudWatch alarms
Exam Scenarios
Scenario: Use Route 53 to direct traffic to the primary based on health checks (2xx responses) and to the secondary on other responses
Solution: Create an A record for each server and an HTTP (not TCP) health check

Scenario: Route 53 health check uses string matching for "/html". Alert shows the health check fails
Solution: The search string must appear entirely within the first 5,120 bytes of the response body

Scenario: Need to make a website promotion visible to users from a specific country only
Solution: Use the Route 53 geolocation routing policy

Exam Scenarios
Scenario: New website runs on EC2 behind an ALB. Need to create a record in Route 53 to point to the domain apex (e.g. example.com)
Solution: Use an alias record

Scenario: Hosted zone in Account A and ALB in Account B. Need the most cost-effective and efficient solution for pointing to the ALB
Solution: Create an alias record in Account A that points to the ALB in Account B
SECTION 11
Object Storage and
Content Delivery: S3 and
CloudFront
Amazon Simple Storage Service (S3)
[Diagram: EC2 instances in a VPC reach Amazon S3 either privately through an S3 gateway endpoint (private subnet, private addresses) or through an internet gateway over the public Internet (public subnet, public addresses); Internet clients reach the bucket over the public Internet.]
Ø A bucket is a container for objects
Ø Bucket URLs: http://bucket.s3.aws-region.amazonaws.com or http://s3.aws-region.amazonaws.com/bucket
An object consists of:
Ø Key (name of the object)
Ø Version ID
Ø Value (actual data)
Ø Metadata
Ø Subresources
Ø Access control information
Block, File, and Object Storage
[Diagram: the three storage types side by side.]
Ø Amazon Elastic Block Store (EBS): HDD/SSD volume in a single Availability Zone, attached to an EC2 instance as /dev/xvdf or C:
Ø Amazon Elastic File System (EFS): file system mounted (/efs-mnt) by EC2 instances in multiple Availability Zones and by on-premises clients in the corporate data center; uses the NFS protocol; Linux only
Ø Amazon S3: objects accessed by Internet clients through a REST API (GET, PUT, POST, SELECT, DELETE) at http://s3.aws-region.amazonaws.com/bucket/object
S3 Storage Classes
Ø S3 Standard: designed for durability 99.999999999%; designed for availability 99.99%; availability SLA 99.9%; Availability Zones ≥3; minimum capacity charge per object N/A; minimum storage duration charge N/A; retrieval fee N/A; first byte latency milliseconds; storage type Object; lifecycle transitions Yes
Ø S3 Intelligent Tiering: designed for durability 99.999999999%; designed for availability 99.9%; availability SLA 99%; Availability Zones ≥3; minimum capacity charge per object N/A; minimum storage duration charge 30 days; retrieval fee N/A; first byte latency milliseconds; storage type Object; lifecycle transitions Yes
Ø S3 Standard-IA: designed for durability 99.999999999%; designed for availability 99.9%; availability SLA 99%; Availability Zones ≥3; minimum capacity charge per object 128KB; minimum storage duration charge 30 days; retrieval fee per GB retrieved; first byte latency milliseconds; storage type Object; lifecycle transitions Yes
Ø S3 One Zone-IA: designed for durability 99.999999999%; designed for availability 99.5%; availability SLA 99%; Availability Zones 1; minimum capacity charge per object 128KB; minimum storage duration charge 30 days; retrieval fee per GB retrieved; first byte latency milliseconds; storage type Object; lifecycle transitions Yes
Ø S3 Glacier: designed for durability 99.999999999%; designed for availability 99.99%; availability SLA 99.9%; Availability Zones ≥3; minimum capacity charge per object 40KB; minimum storage duration charge 90 days; retrieval fee per GB retrieved; first byte latency select minutes or hours; storage type Object; lifecycle transitions Yes
Ø S3 Glacier Deep Archive: designed for durability 99.999999999%; designed for availability 99.99%; availability SLA 99.9%; Availability Zones ≥3; minimum capacity charge per object 40KB; minimum storage duration charge 180 days; retrieval fee per GB retrieved; first byte latency select hours; storage type Object; lifecycle transitions Yes
S3 Versioning
Ø Versioning is a means of keeping multiple variants of an object in the same
bucket
Ø Use versioning to preserve, retrieve, and restore every version of every
object stored in your Amazon S3 bucket
Ø Versioning-enabled buckets enable you to recover objects from accidental
deletion or overwrite
S3 Multi-Factor Authentication Delete (MFA Delete)
Ø Adds another layer of security by configuring a bucket to enable an
additional authentication for the following operations:
Ø Changing the versioning state of a bucket
Ø Permanently deleting an object version
Ø The x-amz-mfa request header must be included in the above
requests
Ø MFA Delete requires a second factor (in addition to security
credentials)
Ø The second factor is a token generated by a hardware device or
software program
Ø Requires versioning to be enabled on the bucket
S3 Multi-Factor Authentication Delete (MFA Delete)
Ø The bucket owner, the AWS account that created the bucket
(root account), and all authorized IAM users can enable
versioning
Ø Only the bucket owner (root account) can enable MFA Delete
MFA-Protected API Access
Ø Used to enforce another authentication factor (MFA code) when accessing sensitive Amazon S3 resources
Ø Enforce MFA using the aws:MultiFactorAuthAge key in a bucket policy
[Image: example bucket policy that denies any API operation that is not authenticated using MFA]
S3 Lifecycle Management
There are two types of actions:
Ø Transition actions - Define when objects transition to another storage class
Ø Expiration actions - Define when objects expire (get deleted by S3)
S3 Lifecycle Management: Supported Transitions
You can transition from the following:
Ø The S3 Standard storage class to any other storage
class
Ø Any storage class to the S3 Glacier or S3 Glacier
Deep Archive storage classes
Ø The S3 Standard-IA storage class to the S3
Intelligent-Tiering or S3 One Zone-IA storage
classes
Ø The S3 Intelligent-Tiering storage class to the S3
One Zone-IA storage class
Ø The S3 Glacier storage class to the S3 Glacier Deep
Archive storage class
S3 Lifecycle Management: Unsupported Transitions
You can't transition from the following:
Ø Any storage class to the S3 Standard storage class
Ø Any storage class to the Reduced Redundancy
storage class
Ø The S3 Intelligent-Tiering storage class to the S3
Standard-IA storage class
Ø The S3 One Zone-IA storage class to the S3
Standard-IA or S3 Intelligent-Tiering storage classes
S3 Lifecycle Management
Ø Can create a lifecycle policy through the console or CLI/API
Ø When configured using the CLI/API an XML or JSON file must be supplied
Ø API actions to create/update/delete lifecycle policies:
Ø PutBucketLifecycleConfiguration - Creates a new lifecycle configuration
for the bucket or replaces an existing lifecycle configuration
Ø GetBucketLifecycleConfiguration - Returns the lifecycle configuration
information set on the bucket
Ø DeleteBucketLifecycle - Deletes the lifecycle configuration from the
specified bucket
Example S3 Lifecycle Policy (XML)
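The lifecycle configuration itself is a small document, and the supported/unsupported transition lists above are easy to get wrong when writing one by hand. The following is an added example, not the course's XML sample or AWS code: it builds a lifecycle configuration in the dict shape that boto3's `put_bucket_lifecycle_configuration` accepts, and validates it against the transition rules the slides list (plus one restriction not on the slides, noted in a comment). The bucket prefix, rule ID and day counts are constructed sample values.

```python
# Storage class names as used by the S3 API.
STANDARD, INTELLIGENT, STANDARD_IA, ONEZONE_IA = (
    "STANDARD", "INTELLIGENT_TIERING", "STANDARD_IA", "ONEZONE_IA")
GLACIER, DEEP_ARCHIVE, REDUCED_REDUNDANCY = "GLACIER", "DEEP_ARCHIVE", "REDUCED_REDUNDANCY"
ALL_CLASSES = {STANDARD, INTELLIGENT, STANDARD_IA, ONEZONE_IA,
               GLACIER, DEEP_ARCHIVE, REDUCED_REDUNDANCY}

# Transitions the slides list as unsupported, checked before the allow rules.
UNSUPPORTED = {(INTELLIGENT, STANDARD_IA), (ONEZONE_IA, STANDARD_IA), (ONEZONE_IA, INTELLIGENT)}


def transition_allowed(src, dst):
    """Encode the supported/unsupported transition lists from the slides."""
    if src == dst or dst in (STANDARD, REDUCED_REDUNDANCY):
        return False                      # nothing transitions to Standard or RRS
    if (src, dst) in UNSUPPORTED:
        return False
    if src == STANDARD:
        return True                       # Standard -> any other class
    if dst == DEEP_ARCHIVE:
        return True                       # any class -> Deep Archive (covers Glacier -> Deep Archive)
    if dst == GLACIER:
        # Any class -> Glacier, except Deep Archive: the waterfall is one-way.
        # This exception is documented S3 behaviour, not stated on the slide.
        return src != DEEP_ARCHIVE
    return (src, dst) in {(STANDARD_IA, INTELLIGENT), (STANDARD_IA, ONEZONE_IA),
                          (INTELLIGENT, ONEZONE_IA)}


def validate_lifecycle(config):
    """Return a list of problems found in a LifecycleConfiguration dict."""
    problems = []
    for rule in config.get("Rules", []):
        rid = rule.get("ID", "<no id>")
        if rule.get("Status") not in ("Enabled", "Disabled"):
            problems.append(f"{rid}: Status must be Enabled or Disabled")
        current, last_day = STANDARD, 0   # new objects start in S3 Standard
        for t in sorted(rule.get("Transitions", []), key=lambda t: t["Days"]):
            target = t["StorageClass"]
            if target not in ALL_CLASSES:
                problems.append(f"{rid}: unknown storage class {target}")
            elif not transition_allowed(current, target):
                problems.append(f"{rid}: transition {current} -> {target} is not supported")
            if last_day and t["Days"] <= last_day:
                problems.append(f"{rid}: transition days must strictly increase")
            current, last_day = target, t["Days"]
        expiry = rule.get("Expiration", {}).get("Days")
        if expiry is not None and expiry <= last_day:
            problems.append(f"{rid}: Expiration ({expiry} days) must come after "
                            f"the last transition ({last_day} days)")
    return problems


def example_config(prefix="logs/"):
    """Constructed sample: Standard-IA at 30 days, Glacier at 90, delete at
    365, and noncurrent versions removed 30 days after being superseded."""
    return {"Rules": [{
        "ID": "archive-then-expire",
        "Filter": {"Prefix": prefix},
        "Status": "Enabled",
        "Transitions": [{"Days": 30, "StorageClass": STANDARD_IA},
                        {"Days": 90, "StorageClass": GLACIER}],
        "Expiration": {"Days": 365},
        "NoncurrentVersionExpiration": {"NoncurrentDays": 30},
    }]}


if __name__ == "__main__":
    config = example_config()
    print("problems:", validate_lifecycle(config) or "none")
    # To apply it (not run here):
    # boto3.client("s3").put_bucket_lifecycle_configuration(
    #     Bucket="example-bucket", LifecycleConfiguration=config)
```

Validating before calling `PutBucketLifecycleConfiguration` matters because the API replaces the bucket's whole lifecycle configuration rather than merging into it, so a mistaken document silently drops every rule that was there before.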
Amazon S3 – Replication
[Diagram: Cross-Region Replication (CRR) copies objects from a bucket in one account and Region to a bucket in another account and Region; Same-Region Replication (SRR) copies objects between two buckets in the same Region.]
Ø Buckets must have versioning enabled
Amazon S3 – Replication
Ø You can replicate objects between different AWS Regions or within the
same AWS Region
Ø Cross-Region replication (CRR) is used to copy objects across Amazon S3
buckets in different AWS Regions
Ø Same-Region replication (SRR) is used to copy objects across Amazon S3
buckets in the same AWS Region
How:
Ø Enable the AWS Region in the account
Ø Enable versioning on source and destination buckets
Ø Ensure S3 has permissions to both buckets
Ø Configure replication
Access Control Options
Ø Identity-based policies: IAM user policy, IAM group policy, IAM role policy
Ø Resource-based policy: bucket policy
[Image: an example identity-based policy and an example bucket policy]
Example Policy - Allow IAM users access to their S3 home directory
[Image: the example policy]
Access Control Options
Ø S3 predefined groups: Authenticated Users, All Users, Log Delivery Group
Ø ACLs (bucket ACL, object ACL) grant permissions to an AWS account or to a predefined group
[Image: example ACL]
Access Control List Permissions
Ø READ: on a bucket, allows the grantee to list the objects in the bucket; on an object, allows the grantee to read the object data and its metadata
Ø WRITE: on a bucket, allows the grantee to create, overwrite, and delete any object in the bucket; not applicable on an object
Ø READ_ACP: on a bucket, allows the grantee to read the bucket ACL; on an object, allows the grantee to read the object ACL
Ø WRITE_ACP: on a bucket, allows the grantee to write the ACL for the applicable bucket; on an object, allows the grantee to write the ACL for the applicable object
Ø FULL_CONTROL: on a bucket, allows the grantee the READ, WRITE, READ_ACP, and WRITE_ACP permissions on the bucket; on an object, allows the grantee the READ, READ_ACP, and WRITE_ACP permissions on the object
S3 Encryption
Ø Server-side encryption with S3 managed keys (SSE-S3): S3 managed keys; unique object keys; master key; AES 256; encryption/decryption performed by S3
Ø Server-side encryption with AWS KMS managed keys (SSE-KMS): KMS managed keys; customer master keys; CMK can be customer generated; encryption/decryption performed by S3
Ø Server-side encryption with client provided keys (SSE-C): client managed keys; not stored on AWS; encryption/decryption performed by S3
Ø Client-side encryption: client managed keys; not stored on AWS; encryption/decryption performed by the client
S3 Default Encryption
Ø Amazon S3 default encryption provides a way to set the default
encryption behavior for an S3 bucket
Ø You can set default encryption on a bucket so that all new objects are
encrypted when they are stored in the bucket
Ø The objects are encrypted using server-side encryption
Ø Amazon S3 encrypts objects before saving them to disk and decrypts
them when the objects are downloaded
Ø There is no change to the encryption of objects that existed in the
bucket before default encryption was enabled
Prevent uploads of unencrypted objects
[Image: a bucket policy that enforces encryption using SSE-S3, and an example PUT request]
Ø For SSE-KMS use "aws:kms"
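The policies whose images are missing from this and earlier slides (the S3 gateway endpoint and bucket policy examples, MFA-protected API access, and the unencrypted-upload block above, plus the aws:SecureTransport condition in the exam scenarios) all share one pattern: an explicit Deny whose Condition inspects a request context key. As an added example, not from the course or from AWS, the block below builds those policies and models just enough of IAM condition evaluation to show why each works, in particular that a negated operator such as StringNotEquals matches when the key is absent (which is why a console request with no aws:SourceVpce is denied) and that Null is the operator for "the caller did not use MFA". The bucket name and endpoint ID are constructed placeholders.

```python
BUCKET = "example-bucket"              # constructed placeholder bucket name
VPCE_ID = "vpce-0123456789abcdef0"     # constructed placeholder endpoint ID


def _bucket_arns(bucket):
    return [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]


def _deny(sid, action, resource, condition):
    return {"Sid": sid, "Effect": "Deny", "Principal": "*",
            "Action": action, "Resource": resource, "Condition": condition}


def vpce_only_policy(bucket, vpce_id):
    """Deny every S3 action unless the request came through the gateway endpoint.
    aws:SourceVpce is absent for requests from the internet or the console, and a
    negated operator on an absent key evaluates to true, so those are denied too."""
    return {"Version": "2012-10-17", "Statement": [
        _deny("DenyIfNotFromEndpoint", "s3:*", _bucket_arns(bucket),
              {"StringNotEquals": {"aws:SourceVpce": vpce_id}})]}


def mfa_required_policy(bucket):
    """Deny every S3 action when the caller did not authenticate with MFA.
    aws:MultiFactorAuthAge only exists in the context after MFA; Null:true
    matches exactly when the key is absent."""
    return {"Version": "2012-10-17", "Statement": [
        _deny("DenyUnlessMFA", "s3:*", _bucket_arns(bucket),
              {"Null": {"aws:MultiFactorAuthAge": "true"}})]}


def encrypted_uploads_policy(bucket, algorithm="AES256"):
    """Deny PutObject unless the SSE header names the required algorithm
    ("AES256" for SSE-S3, "aws:kms" for SSE-KMS); the second statement
    spells out the missing-header case."""
    objects = f"arn:aws:s3:::{bucket}/*"
    return {"Version": "2012-10-17", "Statement": [
        _deny("DenyWrongEncryptionHeader", "s3:PutObject", objects,
              {"StringNotEquals": {"s3:x-amz-server-side-encryption": algorithm}}),
        _deny("DenyMissingEncryptionHeader", "s3:PutObject", objects,
              {"Null": {"s3:x-amz-server-side-encryption": "true"}})]}


def tls_only_policy(bucket):
    """Deny PutObject over plain HTTP (aws:SecureTransport is false)."""
    return {"Version": "2012-10-17", "Statement": [
        _deny("DenyInsecureTransport", "s3:PutObject", f"arn:aws:s3:::{bucket}/*",
              {"Bool": {"aws:SecureTransport": "false"}})]}


def _condition_holds(operator, key, expected, ctx):
    """Model of the IAM operators used above, including missing-key behaviour."""
    present = key in ctx
    if operator == "Null":              # true when presence matches the expectation
        return present != (str(expected).lower() == "true")
    if operator == "StringNotEquals":   # negated operator: absent key -> true
        return not present or ctx[key] != expected
    if operator == "StringEquals":      # absent key -> false
        return present and ctx[key] == expected
    if operator == "Bool":              # absent key -> false
        return present and str(ctx[key]).lower() == str(expected).lower()
    raise ValueError(f"operator not modelled: {operator}")


def _action_matches(pattern, action):
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(p in ("*", "s3:*", action) for p in patterns)


def explicit_deny(policy, action, ctx):
    """Sid of the first Deny statement whose conditions all hold, else None."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or not _action_matches(stmt["Action"], action):
            continue
        checks = [(op, k, v) for op, kv in stmt.get("Condition", {}).items()
                  for k, v in kv.items()]
        if all(_condition_holds(op, k, v, ctx) for op, k, v in checks):
            return stmt["Sid"]
    return None


if __name__ == "__main__":
    policy = vpce_only_policy(BUCKET, VPCE_ID)
    for ctx in ({"aws:SourceVpce": VPCE_ID}, {}):
        print(ctx, "->", explicit_deny(policy, "s3:GetObject", ctx) or "not denied")
```

The evaluator only decides whether an explicit Deny applies; a real request still needs an Allow from an identity or bucket policy, and an explicit Deny always wins over any Allow, which is what makes this pattern a reliable guard rail.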


S3 Presigned URLs
AWS S3 CLI command to generate a presigned URL:

aws s3 presign s3://dct-data-bucket/cool_image.jpeg

This is the response; the URL expires after 1 hour:

https://dct-data-bucket.s3.ap-southeast-2.amazonaws.com/cool_image.jpeg?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIA3KSVPHP6MAHNW5YH%2F20200909%2Fap-southeast-2%2Fs3%2Faws4_request&X-Amz-Date=20200909T053538Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Signature=8b74653beee371da07a73dfdb4ff6883742383afa528aecd5c95c326c97764db
S3 Static Websites
[Image: static website hosting configuration]
Ø Must enable public access and use a bucket policy that grants s3:GetObject
Ø Webpages include static content and can include client-side scripts
S3 Transfer Acceleration
[Diagram: a user uploads to the bucket through a CloudFront edge location using the accelerate endpoint.]
Ø Uses a different endpoint
Standard endpoints: http://bucket.s3.aws-region.amazonaws.com and http://s3.aws-region.amazonaws.com/bucket
Accelerate endpoints: http://bucketname.s3-accelerate.amazonaws.com and http://bucketname.s3-accelerate.dualstack.amazonaws.com
Ø You’re not charged if there’s no speed advantage (acceleration may be bypassed)
S3 Server Access Logging
Ø Provides detailed records for the requests that are made
to a bucket
Ø Details include the requester, bucket name, request time,
request action, response status, and error code (if
applicable)
Ø Disabled by default
Ø Only pay for the storage space used
Ø Must configure a separate bucket as the destination (can
specify a prefix)
Ø Must grant write permissions to the Amazon S3 Log
Delivery group on destination bucket
S3 Event Notifications
Ø Sends notifications when events happen in buckets
Ø Destinations include:
Ø Amazon Simple Notification Service (SNS) topics
Ø Amazon Simple Queue Service (SQS) queues
Ø AWS Lambda
S3 Glacier Vault Lock and Vault Access Policies
S3 Glacier Vault Lock:
Ø S3 Glacier Vault Lock enforces compliance controls for S3 Glacier vaults with
a vault lock policy
Ø Can specify controls such as “write once read many” (WORM) in a vault lock
policy and lock the policy from future edits
Ø Once locked, the policy can no longer be changed
S3 Glacier Vault Access Policy:
Ø Cannot be locked to prevent future changes
Ø Use for access controls that are not compliance related, temporary, and
subject to frequent modification
Ø Can be used with a vault lock policy
S3 Select and Glacier Select
[Diagram: AWS Lambda sends an S3 Select request to an S3 bucket and a Glacier Select request to an archive; a single file is retrieved in each case.]
Ø S3 Select: SQL expression to retrieve an individual file from a zip archive, e.g. Expression= "select * from s3object s where … "
Ø Glacier Select: "Expression": "SELECT * FROM archive"
Amazon CloudFront
[Diagram: CloudFront origins (Amazon S3 and Amazon EC2 in a Region) feed edge locations distributed around the world, which serve users.]
Ø Content is pushed from the origin and cached
Ø Edge locations are distributed around the world
Ø Users are directed to the nearest edge location
CloudFront Distribution and Origins
[Diagram: a distribution with an S3 origin (S3 bucket or S3 static website) and a distribution with a custom origin (EC2 instance, or an Application Load Balancer in front of EC2 instances) serve users through Amazon CloudFront.]
Web Distribution:
• Static and dynamic content
• HTTP/HTTPS
• Add/update/delete objects + webforms
• Real time live streaming
RTMP Distribution:
• Uses Adobe Flash Media RTMP protocol
• Can play media file before downloaded
• Must use S3 origin
CloudFront with S3 Static Website
[Diagram: an S3 bucket configured as a static website in a Region is a custom origin for Amazon CloudFront; access to the bucket is controlled with an Origin Access Identity (OAI) and a bucket policy.]
Improving the Cache Hit Ratio
Ø A good cache hit ratio means more requests are served from the
cache
Ø Methods of improving the cache hit ratio include:
Ø Use the Cache-Control max-age directive to increase the time objects remain in
the cache
Ø Use Origin Shield
Ø Forward only the query string parameters for which your origin will return
unique objects
Ø Configure CloudFront to forward only specified cookies instead of forwarding all
cookies
Ø Configure CloudFront to forward and cache based on only specified headers
instead of forwarding and caching based on all headers
Exam Scenarios
Scenario: Static website on Amazon S3 with custom domain name
Solution: Requires that the bucket name matches the DNS name / record set name in Route 53

Scenario: 503 errors experienced with new site and thousands of users
Solution: Request rate is too high (S3 returns 503 Slow Down when a prefix receives more requests than it can currently serve)

Scenario: Discrepancy with number of objects in bucket console vs CloudWatch
Solution: Use Amazon S3 Inventory to properly determine the number of objects in a bucket

Scenario: Need to enforce encryption on all objects uploaded to bucket
Solution: Use a bucket policy that denies s3:PutObject on the bucket's objects when the request does not specify server-side encryption, i.e. a deny statement with "Condition": { "Null": { "s3:x-amz-server-side-encryption": "true" } } (or StringNotEquals against the required algorithm). To additionally enforce encryption in transit, add a deny statement with "Condition": { "Bool": { "aws:SecureTransport": "false" } } with the resource set to the bucket and its objects
Exam Scenarios
Scenario: Unauthorized users tried to connect to S3 buckets. Need to know which buckets are targeted and who is trying to get access
Solution: Enable S3 server access logging and use Athena to query the logs for HTTP 403 responses; the bucket and requester fields (IAM user or role ARN, or "-" for anonymous) identify the target and the caller

Scenario: Need to provide access to third-party to S3 bucket and must limit amount of access. List of users changes a lot
Solution: Use a pre-signed URL allowing time-limited access to the specific files

Scenario: Need to protect S3 data from ransomware attacks that encrypt data
Solution: Enable S3 versioning so that overwritten objects remain recoverable as previous versions, and consider MFA Delete so the versions themselves cannot be removed without MFA

Scenario: After enabling MFA on a bucket, what operations will require MFA authentication?
Solution: Permanently removing object versions and suspending versioning on the bucket
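The 403 investigation in the first scenario above comes down to parsing the server access log format and grouping by bucket and requester. The Python below is an added example written for this page, not course material and not an AWS tool: it tokenises S3 server access log lines (the bracketed timestamp and quoted strings are single fields) and counts HTTP 403 responses per bucket, requester and source IP. The log lines are constructed for the example, with fictitious account IDs and addresses.

```python
import re
from collections import Counter

# Constructed S3 server access log records in the documented space-delimited
# layout (bucket owner, bucket, [time], remote IP, requester, request ID, operation,
# key, "request URI", HTTP status, error code, ...). Not real log data.
SAMPLE_LOG = """\
owner1 prod-data [06/Feb/2019:00:00:38 +0000] 192.0.2.3 arn:aws:iam::111122223333:user/alice 3E57427F3EXAMPLE REST.GET.OBJECT secret.txt "GET /prod-data/secret.txt HTTP/1.1" 403 AccessDenied 243 - 7 - "-" "aws-cli/2.0" - hostid SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader prod-data.s3.amazonaws.com TLSv1.2
owner1 prod-data [06/Feb/2019:00:01:02 +0000] 192.0.2.3 arn:aws:iam::111122223333:user/alice 3E57427F3EXAMPLE REST.GET.OBJECT keys.json "GET /prod-data/keys.json HTTP/1.1" 403 AccessDenied 243 - 9 - "-" "aws-cli/2.0" - hostid SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader prod-data.s3.amazonaws.com TLSv1.2
owner1 prod-data [06/Feb/2019:00:02:10 +0000] 198.51.100.7 - 3E57427F3EXAMPLE REST.GET.OBJECT secret.txt "GET /prod-data/secret.txt HTTP/1.1" 403 AccessDenied 243 - 5 - "-" "curl/7.68.0" - hostid - - - prod-data.s3.amazonaws.com TLSv1.2
owner1 prod-data [06/Feb/2019:00:03:44 +0000] 203.0.113.9 arn:aws:iam::111122223333:role/app-server 3E57427F3EXAMPLE REST.GET.OBJECT public.txt "GET /prod-data/public.txt HTTP/1.1" 200 - 1024 1024 12 11 "-" "python-requests/2.25" - hostid SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader prod-data.s3.amazonaws.com TLSv1.2
owner1 backups [06/Feb/2019:00:04:00 +0000] 198.51.100.7 - 3E57427F3EXAMPLE REST.GET.BUCKET - "GET /backups/ HTTP/1.1" 403 AccessDenied 243 - 4 - "-" "curl/7.68.0" - hostid - - - backups.s3.amazonaws.com TLSv1.2
"""

# A bracketed timestamp or a quoted string is one field; everything else splits on whitespace.
TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')
FIELDS = ["bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
          "operation", "key", "request_uri", "http_status", "error_code", "bytes_sent",
          "object_size", "total_time", "turn_around_time", "referrer", "user_agent",
          "version_id", "host_id", "signature_version", "cipher_suite",
          "authentication_type", "host_header", "tls_version"]


def parse_record(line):
    """Split one access log line into a dict keyed by the documented field names."""
    tokens = TOKEN.findall(line)
    if len(tokens) < len(FIELDS):
        raise ValueError("short record: " + line)
    rec = dict(zip(FIELDS, tokens))
    for field in ("time", "request_uri", "referrer", "user_agent"):
        rec[field] = rec[field].strip('[]"')
    return rec


def access_denied_summary(log_text):
    """Count 403 responses by (bucket, requester, remote IP), most frequent first.
    The requester is an IAM ARN or canonical user ID, or '-' for anonymous callers."""
    counts = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec["http_status"] == "403":
            counts[(rec["bucket"], rec["requester"], rec["remote_ip"])] += 1
    return counts.most_common()
```

The same grouping expressed in Athena over a table built from the access logs is a `GROUP BY bucket, requester, remoteip` with `WHERE httpstatus = '403'`; the Python version is what you would run on a handful of downloaded log objects during an investigation. Note the two very different callers it surfaces: an authenticated IAM user probing keys it is not entitled to, and an anonymous source IP scanning for open buckets.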
Exam Scenarios
Scenario: Files are downloaded from S3, edited and uploaded with same file name. Sometimes they are accidentally modified or deleted
Solution: To allow recovery enable versioning on the bucket

Scenario: Existing application uses EC2, RDS, EFS and S3. Need to enable encryption
Solution: Only S3 can have encryption enabled in place on the existing resources. Encryption at rest for EBS volumes, RDS instances and EFS file systems must be chosen at creation time, so those require creating new encrypted resources (for example by copying a snapshot with encryption enabled and restoring from it)

Scenario: Static website deployed but "HTTP 403 Forbidden" message received
Solution: Add bucket policy granting everyone (Principal "*") s3:GetObject read access to the objects

Scenario: Application on EC2 must save files to Amazon S3 and needs access
Solution: Create an IAM role for S3 access and attach it to the EC2 instance (instance profile) rather than storing long-term access keys on the instance
Exam Scenarios
Scenario: History of revisions to files stored in an S3 bucket must be maintained
Solution: Implement S3 versioning

Scenario: Large volume of log files stored in S3 bucket and processed daily
Solution: Most cost-effective option is S3 Standard (the data is accessed frequently)

Scenario: Need to restrict S3 bucket access to same account after previously shared with other account
Solution: Change ACL to restrict only to bucket owner

Scenario: Static content is served from Amazon S3 with long loading times
Solution: Use CloudFront to cache for better performance

Scenario: Need to use custom domain name with CloudFront
Solution: Create an alias record in Route 53 pointing to the distribution URL
Exam Scenarios
Scenario: CloudFront in front of ALB and EC2 and logging enabled. Need to view logs for HTTP layer 7 status codes
Solution: Check ALB access logs and CloudFront access logs

Scenario: App running on EC2 with RDS multi-AZ has static content on S3. Need to improve performance as load testing slowed it down
Solution: Use CloudFront to cache the content

Scenario: Need to secure S3 bucket that is used with CloudFront
Solution: Use an OAI and grant permissions to read objects in the bucket

Scenario: Website with dynamic content and need to restrict access from certain countries and regions
Solution: Use Amazon CloudFront geo-restriction and Amazon Route 53 geolocation routing
SECTION 12
Databases: Amazon RDS
and ElastiCache
Amazon Relational Database Service (RDS)
Ø Managed relational database service including:
  Ø Backups
  Ø Software patching
  Ø Automatic failure detection
  Ø Recovery
Ø Backup options include automated backups and manual snapshots
Ø RDS runs on EC2 instances, so you choose an instance type
Ø Supported DB engines: Amazon Aurora (proprietary DB engine), MySQL, MariaDB, PostgreSQL, Oracle, Microsoft SQL Server
Scaling Vertically with Amazon RDS
Ø RDS runs on Amazon EC2 instances
Ø Must choose an instance type
Ø For writes, RDS only scales vertically
Ø Example: db.m4.large (2 vCPUs, 8 GiB RAM) scaled up to db.m4.2xlarge (8 vCPUs, 32 GiB RAM)
Ø Changing the instance class involves a brief outage; in a Multi-AZ deployment the standby is modified first and then a failover occurs
Amazon RDS – Disaster Recovery (DR) and Scaling Out (horizontally)
[Diagram: a Region with a VPC spanning two Availability Zones. RDS Master in one AZ; RDS Standby in the other, kept up to date by synchronous replication; RDS Read Replica fed by asynchronous replication. EC2 app servers write to the master and read from the read replica]
Ø Multi-AZ creates a passive standby, primarily used for disaster recovery (synchronous replication)
Ø Read Replicas are used for scaling database queries (reads) (asynchronous replication)
Ø Application servers can read from the read replica and write to the master
Amazon RDS – Multi-AZ and Read Replicas
Multi-AZ Deployments:
Ø Synchronous replication – highly durable
Ø Only database engine on primary instance is active
Ø Automated backups are taken from standby
Ø Always span two Availability Zones within a single Region
Ø Database engine version upgrades happen on primary
Ø Automatic failover to standby when a problem is detected
Read Replicas:
Ø Asynchronous replication – highly scalable
Ø All read replicas are accessible and can be used for read scaling
Ø No backups configured by default
Ø Can be within an Availability Zone, Cross-AZ, or Cross-Region
Ø Database engine version upgrade is independent from source instance
Ø Can be manually promoted to a standalone database instance
Amazon RDS Read Replicas
[Diagram: VPC across two Availability Zones. RDS Master with a synchronously replicated RDS Standby; RDS Read Replica fed by asynchronous replication. EC2 app servers send reads and writes to the master and reads only to the replica]
Ø The read replica has its own endpoint address, e.g.
  ro-digitalcloud.cp4nicjx1son.ap-southeast-2.rds.amazonaws.com
Amazon RDS Multi-AZ
[Diagram: VPC across two Availability Zones. RDS Master in one AZ with synchronous replication to RDS Standby in the other; the EC2 app server connects only to the master]
Ø Master endpoint address, e.g.
  digitalcloud.cp4nicjx1son.ap-southeast-2.rds.amazonaws.com
Ø The standby has no endpoint address; on failover the DNS name is remapped to the standby
Amazon RDS – Multi-AZ Failover
Failover occurs in the following situations:
Ø An Availability Zone outage
Ø The primary DB instance fails
Ø The DB instance's server type is changed
Ø The operating system of the DB instance is undergoing software
patching
Ø A manual failover of the DB instance was initiated using Reboot
with failover
Amazon RDS Multi-AZ Read Replicas
[Diagram: VPC across two Availability Zones. RDS master with a synchronously replicated standby in the other AZ; a Multi-AZ read replica (its own master plus a synchronously replicated standby) fed from the source by asynchronous replication]
Ø Source endpoint address, e.g.
  digitalcloud.cp4nicjx1son.ap-southeast-2.rds.amazonaws.com
Ø Read replica endpoint address, e.g.
  digitalcloud-rr.cp4nicjx1son.ap-southeast-2.rds.amazonaws.com
Amazon RDS – Automated Backups
Ø Takes a daily snapshot of the database and captures transaction logs, which together allow point in time recovery
Ø Backup retention is 0 days to 35 days, default is 7 days
Ø 0 days switches automated backups off
Ø You can restore to any point in time during the retention period
Ø Restoring from backup creates a new DB instance
Ø You can configure the backup window (cannot overlap with the maintenance window)
Amazon RDS – Snapshots
Ø Backs up the entire DB instance, not just individual databases
Ø For single-AZ DB instances there is a brief suspension of I/O
Ø For Multi-AZ SQL Server, I/O activity is briefly suspended on primary
Ø For Multi-AZ MariaDB, MySQL, Oracle and PostgreSQL the snapshot is taken from the standby
Ø Manual snapshots do not expire (no retention period) and must be deleted explicitly
Amazon RDS – Maintenance Windows
Ø Operating system and DB patching can require taking the database offline
Ø These tasks take place during a maintenance window
Ø By default a weekly maintenance window is configured
Ø You can choose your own maintenance window
Ø Required patching includes security and reliability updates
Ø Deferred DB instance modifications also take place during the maintenance window
Amazon RDS – Maintenance for Multi-AZ Deployments
Ø For Multi-AZ deployments maintenance uses the following
process:
1. Perform maintenance on standby
2. Promote standby to primary
3. Perform maintenance on the old primary (new standby)
Ø Modifying the DB engine affects both primary and secondary at
the same time
Amazon RDS Encryption
Ø Encryption at rest can be enabled – includes DB storage, backups, read replicas and snapshots
Ø You can only enable encryption for an Amazon RDS DB instance when you create it, not after the DB instance is created
Ø DB instances that are encrypted can't be modified to disable encryption
Ø Uses AES-256 encryption and encryption is transparent with minimal performance impact
Ø RDS for Oracle and SQL Server also support Transparent Data Encryption (TDE) (may have performance impact)
Ø AWS KMS is used for managing encryption keys
Amazon RDS Encryption
Ø You can't have an encrypted read replica of an unencrypted DB instance or an unencrypted read replica of an encrypted DB instance
Ø Read replicas of encrypted master instances are encrypted
Ø The same key is used if in the same Region as the master
Ø If the read replica is in a different Region, a different key is used (KMS keys are Regional)
Ø You can't restore an unencrypted backup or snapshot to an encrypted DB instance
Encrypting an unencrypted RDS DB instance
[Diagram: in a Region, RDS (unencrypted) on an unencrypted EBS volume -> Snapshot (unencrypted) -> COPY with encryption enabled -> Snapshot (encrypted) -> Restore from snapshot -> RDS (encrypted) on an encrypted EBS volume, a new instance with a new endpoint]
Ø Steps: take a snapshot of the unencrypted instance, copy the snapshot with encryption enabled (choosing the KMS key), restore a new DB instance from the encrypted copy, then repoint the application to the new endpoint and delete the old instance
Amazon RDS Monitoring
Ø Amazon RDS monitoring tools include:
  Ø Amazon RDS Events – notifications for changes to DB instance, DB snapshot, DB parameter group, or DB security group
  Ø Database log files – View, download, or watch database log files using the Amazon RDS console or Amazon RDS API operations
  Ø Amazon RDS Enhanced Monitoring – Look at metrics in real time for the operating system
  Ø Amazon RDS Performance Insights – Assess the load on your database, and determine when and where to take action
  Ø Amazon RDS Recommendations – Look at automated recommendations for database resources, such as DB instances, read replicas, and DB parameter groups
Amazon RDS Monitoring
Ø Additional monitoring tools include:
  Ø Amazon CloudWatch Metrics – Amazon RDS automatically sends metrics to CloudWatch every minute for each active database
  Ø Amazon CloudWatch Alarms – You can watch a single Amazon RDS metric over a specific time period
  Ø Amazon CloudWatch Logs – Most DB engines enable you to monitor, store, and access your database log files in CloudWatch Logs
  Ø Amazon CloudWatch Events and Amazon EventBridge – You can automate AWS services and respond to system events such as application availability issues or resource changes
  Ø AWS CloudTrail – You can view a record of actions taken by a user, role, or an AWS service in Amazon RDS
Amazon RDS Monitoring
Ø Enhanced Monitoring:
  Ø Provides metrics in real time for the operating system (OS) that the DB instance runs on
  Ø Installs an agent on the DB instance to collect the metrics
  Ø Metrics can be viewed in the console
Amazon Aurora Key Features
High performance and scalability: Offers high performance, self-healing storage that scales up to 64 TB (the current limit is 128 TiB), point-in-time recovery and continuous backup to S3
DB compatibility: Compatible with existing MySQL and PostgreSQL open source databases
Aurora Replicas: In-region read scaling and failover target – up to 15 (can use Auto Scaling)
MySQL Read Replicas: Cross-region cluster with read scaling and failover target – up to 5 (each can have up to 15 Aurora Replicas)
Global Database: Cross-region cluster with read scaling (fast replication / low latency reads). Can remove secondary and promote
Multi-Master: Scales out writes within a region. In preview currently and will not appear on the exam
Serverless: On-demand, autoscaling configuration for Amazon Aurora - does not support read replicas or public IPs (can only access through VPC or Direct Connect - not VPN)
Amazon RDS Aurora Replicas
Feature: Aurora Replica | MySQL Replica
Number of replicas: Up to 15 | Up to 5
Replication type: Asynchronous (milliseconds) | Asynchronous (seconds)
Performance impact on primary: Low | High
Replica location: In-region | Cross-region
Act as failover target: Yes (no data loss) | Yes (potentially minutes of data loss)
Automated failover: Yes | No
Support for user-defined replication delay: No | Yes
Support for different data or schema vs. primary: No | Yes
Aurora Fault Tolerance and Aurora Replicas
[Diagram: one Region, three Availability Zones; a primary and three Aurora Replicas share a single logical volume with data copies in every AZ; the primary serves reads and writes, the replicas serve reads]
• Fault tolerance across 3 AZs
• Single logical volume
• Aurora Replicas scale-out read requests
• Up to 15 Aurora Replicas with sub-10ms replica lag
• Aurora Replicas are independent endpoints
• Can promote Aurora Replica to be a new primary or create new primary
• Set priority (tiers) on Aurora Replicas to control order of promotion
• Can use Auto Scaling to add replicas
Cross-Region Replica with Aurora MySQL
[Diagram: the primary Region's cluster (three Availability Zones) receives the writes; asynchronous replication feeds read-only cross-region replica clusters in two other Regions, each spanning three Availability Zones and serving reads]
Aurora Auto Scaling
Ø Dynamically adjusts the number of Aurora Replicas provisioned
Ø Scaling policy defines min and max replicas
Ø Uses CloudWatch metrics to adjust number of replicas
Ø Application should use the Aurora reader endpoint
[Diagram: Amazon CloudWatch metrics drive Amazon RDS to add or remove Aurora Replicas behind the primary]
Amazon ElastiCache Overview
Ø Fully managed implementations of Redis and Memcached
Ø ElastiCache is a key/value store
Ø In-memory database offering high performance and low latency
Ø Can be put in front of databases such as RDS and DynamoDB
[Diagram: the application reads from the ElastiCache node on a cache hit; on a miss it loads the data from Amazon RDS and writes it into the cache; database writes go to Amazon RDS]
Amazon ElastiCache Overview
Ø Good solution if your database is particularly read-heavy and the data does not change frequently
Ø ElastiCache can be used for storing session state
Ø Provides push-button scalability for memory, writes and reads
Ø Runs on Amazon EC2 instances
Ø ElastiCache nodes cannot be accessed from the Internet, nor can they be accessed by EC2 instances in other VPCs unless the VPCs are connected (for example with VPC peering or a Transit Gateway)
Amazon ElastiCache Overview
Feature: Memcached | Redis (cluster mode disabled) | Redis (cluster mode enabled)
Data persistence: No | Yes | Yes
Data types: Simple | Complex | Complex
Data partitioning: Yes | No | Yes
Encryption: No | Yes | Yes
High availability (replication): No | Yes | Yes
Multi-AZ: Yes, place nodes in multiple AZs. No failover or replication | Yes, with auto-failover. Uses read replicas (0-5 per shard) | Yes, with auto-failover. Uses read replicas (0-5 per shard)
Scaling: Up (node type); out (add nodes) | Up (node type); out (add replica) | Up (node type); out (add shards)
Multithreaded: Yes | No | No
Backup and restore: No (and no snapshots) | Yes, automatic and manual snapshots | Yes, automatic and manual snapshots
Amazon ElastiCache - Scalability
Scaling options are dependent on the database engine:
Memcached
Ø Add nodes to a cluster
Ø Scale vertically (node type) – must create a new cluster manually
Redis
Ø Cluster mode disabled:
  Ø Add replica or change node type – creates a new cluster and migrates data
Ø Cluster mode enabled:
  Ø Online resharding to add or remove shards; vertical scaling to change node type
  Ø Offline resharding to add or remove shards, change node type or upgrade engine (more flexible than online, but the cluster is unavailable during the operation)
Amazon ElastiCache Memcached
[Diagram: Region A, Availability Zones A and B; an ElastiCache Memcached cluster with Nodes 1 to n spread across both AZs; each node is a partition of data]
Amazon ElastiCache Redis (Cluster mode enabled)
[Diagram: Region A, Availability Zones A and B; an ElastiCache Redis cluster with three shards; each shard has a primary and two replicas (Replica 1, Replica 2) spread across the AZs]
Amazon ElastiCache Redis (Cluster mode disabled)
[Diagram: Region A, Availability Zones A and B; an ElastiCache Redis cluster with a single shard: one primary and three replicas across the AZs; the primary can fail over to a replica]
Amazon ElastiCache – Backup
Ø Backup and restore is only supported for Redis
Ø ElastiCache does not offer backup/restore for Memcached
Ø Redis cluster mode enabled - supports cluster level backup only (not shard level)
Ø Redis cluster mode disabled – backup/restore not supported for cache.t1.micro
nodes
Amazon ElastiCache – Monitoring
Useful metrics (Redis, slightly different for Memcached):
Ø CacheHits – The number of successful read-only key lookups
Ø CacheMisses – The number of unsuccessful read-only key lookups
Ø CacheHitRate - Indicates the usage efficiency of the Redis instance. If the cache
ratio is lower than ~0.8, it means that a significant amount of keys are evicted,
expired or do not exist
Ø DatabaseMemoryUsagePercentage – Percentage of the memory available for the
cluster that is in use
Ø EngineCPUUtilization – Provides CPU utilization of the Redis engine thread
Ø Evictions – The number of keys that have been evicted due to the maxmemory
limit
Amazon ElastiCache Metrics
AWS recommend you monitor and set alarms for the following
metrics
Ø CPUUtilization – Host-level metric reported as a percentage
Ø SwapUsage – Host-level metric reported in bytes
Ø Evictions – Cache engine metric; higher evictions indicates scaling
may be required
Ø CurrConnections – Cache-engine metric; increasing connections
could indicate application issues
Amazon DynamoDB
• Fully managed NoSQL database service
• Key/value store and document store
• It is a non-relational database
• Fully serverless service
• Push button scaling (horizontal)
[Diagram: DynamoDB Table]
© Digital Cloud Training | https://digitalcloud.training
Amazon DynamoDB
• DynamoDB is made up of:
  • Tables
  • Items
  • Attributes
Example table (each row is an item, each column an attribute):
userid  | orderid | book      | price | date
user001 | 1000092 | ISBN100.. | 9.99  | 2020.04..
user002 | 1000102 | ISBN100.. | 24.99 | 2020.03..
user003 | 1000168 | ISBN2X0.. | 12.50 | 2020.04..
Amazon DynamoDB Key Features
Serverless: Fully managed, fault tolerant, service
Highly available: 99.99% availability SLA – 99.999% for Global Tables!
NoSQL type of database with Name / Value structure: Flexible schema, good for when data is not well structured or unpredictable
Horizontal scaling: Seamless scalability to any scale with push button scaling or Auto Scaling
DynamoDB Accelerator (DAX): Fully managed in-memory cache for DynamoDB that increases performance (microsecond latency)
Backup: Point-in-time recovery down to the second in last 35 days; On-demand backup and restore
Global Tables: Fully managed multi-region, multi-master solution
DynamoDB Streams: Captures a time-ordered sequence of item-level modifications in any DynamoDB table and stores this information in a log for up to 24 hours
Amazon Elasticsearch (now Amazon OpenSearch Service)
Ø Use Elasticsearch to search, analyze and visualize log data
Ø Fully managed service
Ø Supports queries using SQL syntax
Ø Integrates with open-source tools
Ø Built-in Kibana integration
Ø Up to 3 PB of data per cluster
Ø Scale by adding or removing instances
Ø Availability in up to three Availability Zones
Ø Backup using snapshots
Ø Encryption at-rest and in-transit
Amazon Elasticsearch
Ø Access controlled through:
Ø Resource-based policies – often called a domain access
policy
Ø Identity-based policies – attached to users or roles
(principals)
Ø IP-based policies - Restrict access to one or more IP
addresses or CIDR blocks; basically a condition in a resource-
based policy
Exam Scenarios
Scenario: Automated failover of a multi-AZ DB occurred
Solution: This may be due to storage failure on primary DB or the instance type could have been changed

Scenario: Need to encrypt unencrypted RDS database
Solution: Take a snapshot, copy it with encryption enabled, then restore a new encrypted instance from the encrypted copy

Scenario: RDS DB query latency is high and CPU utilization is at 100%
Solution: Scale up with larger instance type

Scenario: Need to share RDS DB snapshots across different accounts. Data must be encrypted
Solution: Encrypt the snapshot with a customer managed AWS KMS key (snapshots encrypted with the default aws/rds key cannot be shared), update the key policy to grant the target accounts access to the key, then share the snapshot
Exam Scenarios
Scenario: DB needs to be made HA to protect against failure and updates cannot impact users in business hours
Solution: Change to Multi-AZ outside of business hours

Scenario: Need to protect RDS databases against table corruption within a 30 day window of protection
Solution: Enable automated backups and set the appropriate retention period (30 days)

Scenario: Shared Responsibility Model
Solution: AWS is responsible for maintenance, patches and other updates for Aurora DB

Scenario: AuroraReplicaLagMaximum is high for DB on eCommerce site. What effect could this have?
Solution: May result in cart not updating correctly (inconsistency)
Exam Scenarios
Scenario: EC2 connects to RDS instance and fails with: "Error Establishing a Database Connection"
Solution: Web server may be using certificate validation and RDS does not trust the certificate. Or, the DB security group does not have the correct ingress rule

Scenario: Aurora DB is hitting 100% CPU. Read-heavy app with many lookups
Solution: Add Aurora Replicas and use a Reader Endpoint for product table lookups

Scenario: Database is running MySQL on Amazon EC2. Need to increase availability and durability without changing application
Solution: Use Aurora MySQL and configure an Aurora Replica in another AZ

Scenario: Reporting job runs against RDS instance and is causing performance issues
Solution: Create a read replica and point the reporting job to the read replica endpoint
Exam Scenarios
Scenario: Backup of RDS instance must be copied regularly to another account for testing
Solution: Create a snapshot with the create-db-snapshot CLI command, share it with the other account, then create a copy in that account

Scenario: MySQL database on RDS must be patched due to a security vulnerability. Who is responsible?
Solution: AWS is responsible for patching Amazon RDS database instances
Exam Scenarios
Scenario: How can a Redis cluster be scaled to improve read times
Solution: Scale horizontally by adding shards (cluster mode enabled) or by adding read replicas and directing reads to the replication group's reader endpoint

Scenario: High CPU on a Memcached cluster
Solution: Options are to add additional nodes to the cluster or vertically scale the node types

Scenario: ElastiCache Memcached storing session state. Performance poor, eviction count metrics are high
Solution: Scale the cluster by adding additional nodes

Scenario: A Memcached cluster is experiencing increased traffic, need to change to larger node type
Solution: Create a new cache cluster with the new node type using the CreateCacheCluster API
SECTION 13
Management,
Governance and Billing
AWS Organizations
Ø AWS Organizations allows you to consolidate multiple AWS accounts into an organization that you create and centrally manage
Ø Available in two feature sets:
  Ø Consolidated Billing
  Ø All features
Ø Consolidated billing includes:
  Ø Paying Account – independent and cannot access resources of other accounts; you get one bill for multiple accounts
  Ø Linked Accounts – all linked accounts are independent
[Diagram: Root -> Master Account (now called the management account); Organizational Unit 1 containing Account A and Account B; Organizational Unit 2]
AWS Organizations API
Ø The AWS Organizations API can be used to automate organization and account creation
Ø The following API actions are useful to know:
  Ø CreateOrganization – creates an organization
  Ø CreateAccount – creates an account that is a member of the organization
  Ø CreatePolicy – creates a policy that can be attached to a root, OU, or individual AWS account
  Ø AttachPolicy – attaches a policy to a root, an organizational unit (OU), or an individual account
  Ø InviteAccountToOrganization – sends an invitation to another account to join your organization as a member account
AWS Organizations – SCPs and Tag Policies
[Diagram: AWS Organizations with three organizational units (1, 2, 3) and Accounts A to D; a Service Control Policy (SCP) and a Tag Policy are attached at the organization level]
Ø SCPs define the AWS API actions that are available for use
Ø SCPs control the available API actions; IAM permissions are still required
Ø Tag Policies enforce rules around tagging across accounts and OUs
AWS Organizations – Service Control Policies
Ø Service Control Policies (SCPs) control the available permissions in accounts within an organization
Ø Specifically, they control the API actions that are available for use
Ø Must have all features enabled in the AWS Organization
Ø Examples of what you can control are:
  Ø Limit the ec2:RunInstances API action to allow launching t2.micro instances only
  Ø Deny the s3:DeleteBucket API action to prevent deletion of buckets
Ø Users and roles must still be granted permissions with appropriate IAM permission policies
AWS Organizations – SCP Effects
Ø SCPs affect only principals that are managed by accounts that are part of the organization
Ø An SCP restricts permissions for principals in member accounts, including each AWS account root user (except in the master account)
Ø Users and roles must still be granted permissions with appropriate IAM permission policies
Ø Users / roles must have permissions through IAM and be allowed (or not denied) through an SCP to perform an action
Ø SCPs do not affect any service-linked roles
AWS Organizations – SCP Effects on Permissions
[Diagram: Root (with the full-access SCP below attached) -> Master Account; Organizational unit 1 containing Account A; Organizational unit 2 containing Account B; each OU has its own SCP]
SCP attached to the Root:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}
SCP attached to Organizational unit 1 (Account A can only launch t2.micro instances):
  Effect: Deny
  Action: ec2:RunInstances
  Resource: ec2*
  Condition: StringNotEquals ec2:InstanceType: t2.micro
SCP attached to Organizational unit 2 (Account B can launch any instance type, subject to its IAM permissions):
  Effect: Allow
  Action: ec2:RunInstances
  Resource: ec2*
Ø In a real SCP the Resource is written as an ARN pattern such as arn:aws:ec2:*:*:instance/*
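The evaluation rule behind the slide above (every SCP level must allow, an explicit deny anywhere wins, and an IAM or resource policy must still grant the action) is the same condition logic that drives the S3 bucket-policy encryption scenarios and the Elasticsearch IP-based domain policy earlier in the page. The Python below is an added example written for this page, not AWS code and not the course's material: a deliberately small policy evaluator covering the operators those three passages use (StringEquals, StringNotEquals, Bool, Null, IpAddress). The policy documents, account IDs and resource names are constructed; Principal matching and the finer points of IAM's missing-key semantics are simplified, as the comments note.

```python
import fnmatch
import ipaddress

# Constructed policies: a FullAWSAccess-style SCP at the root, the OU SCP from the
# slide (RunInstances only for t2.micro), an IAM identity policy, an S3 bucket policy
# requiring SSE and TLS, and an Elasticsearch domain policy with an IP condition.
FULL_ACCESS_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

OU1_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "ec2:RunInstances", "Resource": "arn:aws:ec2:*:*:instance/*",
     "Condition": {"StringNotEquals": {"ec2:InstanceType": "t2.micro"}}}]}

ADMIN_IAM = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:*", "s3:*"], "Resource": "*"}]}

BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::prod-data/*",
     "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::prod-data", "arn:aws:s3:::prod-data/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}

ES_DOMAIN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "es:*",
     "Resource": "arn:aws:es:us-east-1:111122223333:domain/logs/*",
     "Condition": {"IpAddress": {"aws:SourceIp": ["192.0.2.0/24"]}}}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_ok(condition, ctx):
    """Evaluate a Condition block against the request context. Subset of IAM
    operators; a key missing from the context is treated as None (simplified)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual, expected = ctx.get(key), _as_list(expected)
            if operator == "StringEquals":
                ok = actual in expected
            elif operator == "StringNotEquals":
                ok = actual not in expected
            elif operator == "Bool":
                ok = actual is not None and str(actual).lower() == str(expected[0]).lower()
            elif operator == "Null":                 # "true" means the key must be absent
                ok = (actual is None) == (str(expected[0]).lower() == "true")
            elif operator == "IpAddress":
                ok = actual is not None and any(
                    ipaddress.ip_address(actual) in ipaddress.ip_network(cidr)
                    for cidr in expected)
            else:
                raise ValueError("unsupported operator: " + operator)
            if not ok:
                return False
    return True


def evaluate_policy(policy, action, resource, ctx):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one policy document.
    Principal matching is ignored in this model."""
    result = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if (any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt.get("Action", [])))
                and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", "*")))
                and _condition_ok(stmt.get("Condition", {}), ctx)):
            if stmt["Effect"] == "Deny":
                return "Deny"                        # an explicit deny is final
            result = "Allow"
    return result


def is_allowed(action, resource, ctx, scps, identity_policies, resource_policies=()):
    """Same-account evaluation order: the effective SCP at every level of the
    organization path must allow the action; then no identity or resource policy
    may deny it, and at least one of them must allow it."""
    if any(evaluate_policy(p, action, resource, ctx) != "Allow" for p in scps):
        return False
    verdicts = [evaluate_policy(p, action, resource, ctx)
                for p in list(identity_policies) + list(resource_policies)]
    return "Deny" not in verdicts and "Allow" in verdicts
```

Run through the slide's scenario, Account A (root SCP plus OU1_SCP) with an administrator IAM policy can launch a t2.micro but not an m5.large, while an account under the root SCP alone can launch either; an account whose SCPs allow everything but whose principal has no IAM policy can do nothing, which is the "permissions still required" point. The bucket policy denies a PutObject that omits the SSE header and any request over plain HTTP, and the domain policy admits a caller only from the listed CIDR.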
Amazon CloudWatch – Examples of Functionality
[Diagram: Amazon CloudWatch at the centre, feeding a dashboard]
Ø Logs: application logs and system logs from Amazon EC2
Ø Metrics: ConsumedReadCapacityUnits and ConsumedWriteCapacityUnits from Amazon DynamoDB; CPU Utilization from Amazon EC2
Ø Events: ECS Task State Change and ECS Container Instance State Change from Amazon Elastic Container Service
Ø Alarms: initiate a scaling event through AWS Auto Scaling
Ø Event triggers: invoke a Lambda function
Amazon CloudWatch Overview
Ø Amazon CloudWatch monitors AWS resources and applications in real-time
Ø CloudWatch collects and tracks metrics
Ø Metrics are data points that are published to CloudWatch
Ø CloudWatch alarms monitor metrics and automatically initiate actions
Ø CloudWatch Logs centralizes logs from systems, applications and AWS services
Ø CloudWatch Events delivers a stream of system events that describe changes in AWS resources
[Diagram: Amazon EC2 publishing metrics to Amazon CloudWatch]
Amazon CloudWatch - Metrics
[Diagram: AWS services publishing metrics to Amazon CloudWatch]
Ø Amazon DynamoDB: ConsumedReadCapacityUnits, ConsumedWriteCapacityUnits
Ø Amazon EC2: CPUUtilization, DiskReadOps, NetworkIn, StatusCheckFailed
Ø Amazon Simple Storage Service (S3): BucketSizeBytes, NumberOfObjects, GetRequests, PutRequests
Ø Amazon RDS: ReadLatency, FreeStorageSpace, WriteIOPS, WriteLatency
Amazon CloudWatch – Key Terminology and Concepts
Metrics:
Ø Metrics are the fundamental concept in CloudWatch
Ø A metric represents a time-ordered set of data points that are published to CloudWatch
Ø AWS services send metrics to CloudWatch
Ø You can also send your own custom metrics to CloudWatch
Ø Metrics exist within a region
Ø Metrics cannot be deleted but automatically expire after 15 months
Ø Metrics are uniquely defined by a name, a namespace, and zero or more dimensions
Ø Time stamps can be up to two weeks in the past and up to two hours into the future
[Diagram: Amazon EC2 publishing metrics to Amazon CloudWatch]
Amazon CloudWatch Metrics – Useful API Actions
Ø GetMetricData
Ø Retrieve as many as 500 different metrics in a single request
Ø PutMetricData
Ø Publishes metric data points to Amazon CloudWatch
Ø CloudWatch associates the data points with the specified metric
Ø If the specified metric does not exist, CloudWatch creates the metric
Ø GetMetricStatistics
Ø Gets statistics for the specified metric
Ø CloudWatch aggregates data points based on the length of the period
that you specify
Ø Maximum number of data points returned from a single call is 1,440
Amazon CloudWatch – Key Terminology and Concepts
Namespace:
Ø A namespace is a container for CloudWatch metrics
Ø Metrics in different namespaces are isolated from each other, so that metrics from different applications are not mistakenly aggregated into the same statistics
Ø Examples of AWS service namespaces:
  Amazon API Gateway: AWS/ApiGateway
  Amazon CloudFront: AWS/CloudFront
  AWS CloudHSM: AWS/CloudHSM
  Amazon CloudWatch Logs: AWS/Logs
  AWS CodeBuild: AWS/CodeBuild
  Amazon Cognito: AWS/Cognito
  Amazon DynamoDB: AWS/DynamoDB
  Amazon EC2: AWS/EC2
  AWS Elastic Beanstalk: AWS/ElasticBeanstalk
Amazon CloudWatch – Key Terminology and Concepts
Dimensions:
Ø A dimension is a name/value pair that is part of the identity of a metric
Ø You can assign up to 10 dimensions to a metric (AWS has since raised this limit to 30)
Ø Dimensions are categories for the characteristics of each metric
[Screenshot: the CloudWatch console metrics view, with namespaces listed above and dimensions listed below]
Amazon CloudWatch – Key Terminology and Concepts
Statistics:
Ø Statistics are metric data aggregations over specified periods of time
Ø CloudWatch provides statistics based on the metric data points provided
by your custom data or provided by other AWS services to CloudWatch
Amazon CloudWatch – Key Terminology and Concepts
Alarms:
Ø You can use an alarm to automatically initiate actions on your behalf
Ø An alarm watches a single metric over a specified time period, and performs
one or more specified actions, based on the value of the metric relative to a
threshold over time
Ø The action is a notification sent to an Amazon SNS topic or an Auto Scaling
policy
Ø Alarms invoke actions for sustained state changes only
Ø CloudWatch alarms do not invoke actions simply because they are in a
particular state
Ø The state must have changed and be maintained for a specified period
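The "sustained state change" rule above is easiest to see by replaying a metric through it. The Python below is an added example written for this page (not CloudWatch's implementation and not from the course): a simplified model of alarm evaluation using the "M out of N datapoints" rule, which returns the alarm state after each datapoint and the list of transitions, since a transition is the only moment at which the alarm's actions fire. The CPUUtilization series is constructed for the example, and missing-data treatment is deliberately left out.

```python
from collections import deque

# Constructed CPUUtilization datapoints (minute, percent): one isolated spike at
# minute 1, then a sustained breach from minute 3 to minute 6.
SAMPLE_CPU = [(0, 10), (1, 95), (2, 20), (3, 92), (4, 96), (5, 97), (6, 98),
              (7, 30), (8, 25), (9, 20)]

COMPARISONS = {
    "GreaterThanThreshold": lambda v, t: v > t,
    "GreaterThanOrEqualToThreshold": lambda v, t: v >= t,
    "LessThanThreshold": lambda v, t: v < t,
    "LessThanOrEqualToThreshold": lambda v, t: v <= t,
}


def evaluate_alarm(datapoints, threshold, evaluation_periods, datapoints_to_alarm=None,
                   comparison="GreaterThanThreshold"):
    """Replay datapoints through simplified CloudWatch alarm logic: the alarm is in
    ALARM when at least M (datapoints_to_alarm) of the last N (evaluation_periods)
    datapoints breach the threshold, OK otherwise, and INSUFFICIENT_DATA until N
    datapoints exist. Returns one state per datapoint and the (timestamp, new_state)
    transitions; actions are invoked only at those transitions."""
    if datapoints_to_alarm is None:
        datapoints_to_alarm = evaluation_periods
    breaches = COMPARISONS[comparison]
    window = deque(maxlen=evaluation_periods)            # the last N datapoints
    state, states, transitions = "INSUFFICIENT_DATA", [], []
    for ts, value in datapoints:
        window.append(breaches(value, threshold))
        if len(window) < evaluation_periods:
            new_state = "INSUFFICIENT_DATA"
        elif sum(window) >= datapoints_to_alarm:
            new_state = "ALARM"
        else:
            new_state = "OK"
        if new_state != state:                             # only a change fires actions
            transitions.append((ts, new_state))
            state = new_state
        states.append(new_state)
    return states, transitions
```

With a threshold of 90 and 3 evaluation periods, the single 95% spike at minute 1 never produces an ALARM transition; the alarm fires once at minute 5 when three consecutive datapoints breach, and once more when it returns to OK. Setting datapoints_to_alarm to 2 (a "2 out of 3" alarm) makes it react two minutes earlier and clear later, which is the tuning trade-off between sensitivity and noise.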
Amazon CloudWatch Alarms – Useful API Actions
Ø PutMetricAlarm
Ø Creates or updates an alarm and associates it with the specified
metric, metric math expression, or anomaly detection model
Ø Alarms based on anomaly detection models cannot have Auto Scaling
actions
Ø SetAlarmState
Ø Temporarily sets the state of an alarm for testing purposes
Amazon CloudWatch Logs
[Diagram: Amazon EC2 instances and on-premises servers with the CloudWatch Agent installed send application logs and system logs to Amazon CloudWatch; AWS Lambda function logs are delivered as well; logs are viewed on a dashboard]
Amazon CloudWatch Logs
Ø CloudWatch Logs enables you to centralize the logs from all of your systems,
applications, and AWS services.
Ø Features:
Ø Monitor logs from Amazon EC2 instances - monitors application and
system logs and can trigger notifications
Ø Monitor CloudTrail Logged Events – alarms can be created in CloudWatch
based on API activity captured by CloudTrail
Ø Log retention – by default, logs are retained indefinitely. Configurable per
log group from 1 day to 10 years
Amazon CloudWatch Logs Agent
Ø The CloudWatch Logs agent provides an automated way to send
log data to CloudWatch Logs from Amazon EC2 instances
Ø There is now a unified CloudWatch agent that collects both logs
and metrics
Ø The unified CloudWatch agent includes metrics such as memory
and disk utilization
Amazon CloudWatch Agent
Ø The unified CloudWatch agent enables you to do the following:
Ø Collect more system-level metrics from Amazon EC2 instances across
operating systems. The metrics can include in-guest metrics, in addition
to the metrics for EC2 instances
Ø Collect system-level metrics from on-premises servers. These can
include servers in a hybrid environment as well as servers not managed
by AWS
Ø Retrieve custom metrics from your applications or services using the
StatsD and collectd protocols
Amazon CloudWatch Events
[Diagram: Amazon CloudWatch receives events from several sources and can present them on a dashboard]
Ø Amazon EC2 events: EC2 Instance State-change Notification, EBS Volume Notification
Ø Amazon Elastic Container Service events: ECS Task State Change, ECS Container Instance State Change
Ø Amazon EC2 Auto Scaling events: EC2 Instance Launch Successful, EC2 Instance Terminate Successful
Amazon CloudWatch Events
Ø Amazon CloudWatch Events delivers a near real-time stream of
system events that describe changes in AWS resources
Ø Can use CloudWatch Events to schedule automated actions that
self-trigger at certain times using cron or rate expressions
Ø Can match events and route them to one or more target
functions or streams
Amazon CloudWatch Events
Ø Targets include:
Ø Amazon EC2 instances
Ø AWS Lambda functions
Ø Streams in Amazon Kinesis Data Streams
Ø Delivery streams in Amazon Kinesis Data Firehose
Ø Log groups in Amazon CloudWatch Logs
Ø Amazon ECS tasks
Ø Systems Manager Run Command
Ø Systems Manager Automation
Ø AWS Batch jobs
Ø Step Functions state machines
Ø Pipelines in CodePipeline
Ø CodeBuild projects
Ø Amazon Inspector assessment templates
Ø Amazon SNS topics
Ø Amazon SQS queues
Amazon CloudWatch Events
[Diagram: specify an event source, then specify an event target]
Amazon CloudWatch Events Example
[Diagram: the event source is an EC2 Instance State-change Notification from an EC2 instance; Amazon CloudWatch Events routes it to the event target, an Amazon SNS topic, and the topic sends a message]
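The matching and routing shown in the example above, as an added example that is not part of the course slides: a small implementation of the exact-match subset of CloudWatch Events pattern semantics that routes constructed EC2, Auto Scaling and ECS events to rule targets. The rule names, target ARNs and account id are constructed placeholders.

```python
"""Amazon CloudWatch Events rule matching and routing.

Added example (not from the course slides): implements the exact-match
subset of CloudWatch Events / EventBridge event-pattern semantics and routes
constructed sample events (EC2 state change, Auto Scaling launch, ECS task
change) to rule targets. Rule names, target ARNs and the account id are
constructed placeholders.
"""


def pattern_matches(pattern, event):
    """Return True when `event` satisfies `pattern`.

    Every field named in the pattern must exist in the event. A leaf in the
    pattern is a list of acceptable literal values and the event's value must
    be one of them (a list is an OR); nested objects are matched recursively.
    Event fields the pattern does not mention are ignored, so a pattern is a
    "subset" of the event. Content filters such as "prefix" or
    "anything-but" are not implemented here.
    """
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not pattern_matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def route_event(rules, event):
    """Return the targets of every enabled rule whose pattern matches the event."""
    targets = []
    for rule in rules:
        if rule.get("enabled", True) and pattern_matches(rule["pattern"], event):
            targets.extend(rule["targets"])
    return targets


def make_event(source, detail_type, detail, resources=()):
    """Build an event in the envelope CloudWatch Events delivers (constructed values)."""
    return {"version": "0", "id": "constructed-event-id", "detail-type": detail_type,
            "source": source, "account": "111122223333", "time": "2021-06-01T12:00:00Z",
            "region": "us-east-1", "resources": list(resources), "detail": detail}


RULES = [
    {   # notify operations when an instance stops or is terminated
        "name": "ec2-stopped-or-terminated-to-sns",
        "pattern": {"source": ["aws.ec2"],
                    "detail-type": ["EC2 Instance State-change Notification"],
                    "detail": {"state": ["stopped", "terminated"]}},
        "targets": ["arn:aws:sns:us-east-1:111122223333:ops-alerts"],
    },
    {   # tag every instance that Auto Scaling launches
        "name": "asg-launch-to-lambda",
        "pattern": {"source": ["aws.autoscaling"],
                    "detail-type": ["EC2 Instance Launch Successful"]},
        "targets": ["arn:aws:lambda:us-east-1:111122223333:function:tag-new-instance"],
    },
    {   # disabled rule: must never route anything
        "name": "ecs-task-changes-disabled", "enabled": False,
        "pattern": {"source": ["aws.ecs"]},
        "targets": ["arn:aws:sqs:us-east-1:111122223333:ecs-events"],
    },
]

INSTANCE_ARN = "arn:aws:ec2:us-east-1:111122223333:instance/i-0example"
EC2_TERMINATED = make_event("aws.ec2", "EC2 Instance State-change Notification",
                            {"instance-id": "i-0example", "state": "terminated"}, [INSTANCE_ARN])
EC2_RUNNING = make_event("aws.ec2", "EC2 Instance State-change Notification",
                         {"instance-id": "i-0example", "state": "running"}, [INSTANCE_ARN])
ASG_LAUNCH = make_event("aws.autoscaling", "EC2 Instance Launch Successful",
                        {"AutoScalingGroupName": "web-asg", "EC2InstanceId": "i-0example"})
ECS_TASK = make_event("aws.ecs", "ECS Task State Change", {"lastStatus": "STOPPED"})

if __name__ == "__main__":
    for name, event in [("terminated", EC2_TERMINATED), ("running", EC2_RUNNING),
                        ("asg launch", ASG_LAUNCH), ("ecs task", ECS_TASK)]:
        print(name, "->", route_event(RULES, event))
```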


Auditing with AWS CloudTrail
[Diagram: AWS CloudTrail records API calls such as RunInstances and TerminateInstances (Amazon EC2), SetQueueAttributes and DeleteQueue (Amazon Simple Queue Service), CreateFunction and UpdateFunctionCode (AWS Lambda), and DeleteTable and UpdateTable (Amazon DynamoDB)]
Amazon CloudTrail
Ø AWS CloudTrail is a web service that records API activity made on AWS
accounts
Ø A CloudTrail trail can be created which delivers log files to an Amazon S3
bucket
Ø Enables governance, compliance, and operational and risk auditing of
your AWS account
Ø Events include actions taken in the AWS Management Console, AWS
Command Line Interface, and AWS SDKs and APIs
Ø CloudTrail is enabled on your AWS account when you create it
Ø Can use Athena to query logs
Amazon CloudTrail
You can create two types of trails for an AWS account:
Ø A trail that applies to all regions - records events in all regions and
delivers to an S3 bucket
Ø A trail that applies to a single region – records events in a single region
and delivers to an S3 bucket. Additional single trails can use the same
or different bucket
Amazon CloudTrail – Management Events
Ø Management events provide information about management operations
that are performed on resources in your AWS account. These are also
known as control plane operations
Ø Example management events include:
Ø Configuring security (for example IAM AttachRolePolicy API
operations)
Ø Registering devices (for example, CreateDefaultVpc API operations)
Ø Configuring rules for routing data (for example CreateSubnet API
operations)
Ø Setting up logging (for example, AWS CloudTrail CreateTrail API
operations)
Amazon CloudTrail – Data Events
Ø Data events provide information about the resource operations
performed on or in a resource
Ø These are also known as data plane operations
Ø Data events are often high-volume activities.
Ø Example data events include:
Ø Amazon S3 object-level API activity (for example, GetObject,
DeleteObject, and PutObject API operations)

Ø AWS Lambda function execution activity (the Invoke API)
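Working through the management and data events above, as an added example that is not part of the course slides: a parser for the JSON log files a trail delivers that answers the audit questions the slides raise (which federated user created an account, who allocated Elastic IPs, which callers touched objects in a sensitive bucket). The log records, account id, names and ARNs are constructed; the record shape follows real CloudTrail fields.

```python
"""Querying CloudTrail log records to answer audit questions.

Added example (not from the course slides): parses a constructed CloudTrail
log file (the JSON shape a trail delivers to S3, after gunzip) and answers
questions like those in the slides' scenarios: which federated user created
an account, who allocated Elastic IPs, and which callers touched objects in
a sensitive bucket (data events). Account id, names and ARNs are placeholders.
"""
import json
from collections import Counter


def describe_caller(identity):
    """Turn a CloudTrail userIdentity block into a short, readable label."""
    kind = identity.get("type")
    if kind == "Root":
        return "root"
    if kind == "IAMUser":
        return "user:" + identity["userName"]
    if kind == "AssumedRole":
        role = identity["sessionContext"]["sessionIssuer"]["userName"]
        session = identity["arn"].rsplit("/", 1)[-1]     # role session name
        return "role:%s/%s" % (role, session)
    if kind == "FederatedUser":
        # principalId is "<accountId>:<federated user name>"
        return "federated:" + identity["principalId"].split(":", 1)[-1]
    if kind == "AWSService":
        return "service:" + identity.get("invokedBy", "unknown")
    return "%s:%s" % (kind, identity.get("arn", "unknown"))


def load_records(log_text):
    """A CloudTrail log file is a JSON object with a single "Records" array."""
    return json.loads(log_text)["Records"]


def find_events(records, event_source=None, event_names=(), data_events_only=False):
    """Filter records; return (eventTime, caller, eventName, sourceIPAddress) tuples."""
    hits = []
    for rec in records:
        if event_source and rec["eventSource"] != event_source:
            continue
        if event_names and rec["eventName"] not in event_names:
            continue
        # managementEvent is False for data events such as S3 object-level calls
        if data_events_only and rec.get("managementEvent", True):
            continue
        hits.append((rec["eventTime"], describe_caller(rec["userIdentity"]),
                     rec["eventName"], rec["sourceIPAddress"]))
    return hits


def s3_object_activity(records, bucket):
    """Count object-level operations on one bucket, keyed by (caller, eventName)."""
    counts = Counter()
    for rec in records:
        if rec["eventSource"] != "s3.amazonaws.com" or rec.get("managementEvent", True):
            continue
        if rec.get("requestParameters", {}).get("bucketName") != bucket:
            continue
        counts[(describe_caller(rec["userIdentity"]), rec["eventName"])] += 1
    return counts


# ---- constructed sample log (field names follow real CloudTrail records) ----
ACCT = "111122223333"
FED_ALICE = {"type": "FederatedUser", "principalId": ACCT + ":alice",
             "arn": "arn:aws:sts::%s:federated-user/alice" % ACCT, "accountId": ACCT}
USER_BOB = {"type": "IAMUser", "principalId": "AIDAEXAMPLEBOB", "userName": "bob",
            "arn": "arn:aws:iam::%s:user/bob" % ACCT, "accountId": ACCT}
ROLE_ETL = {"type": "AssumedRole", "principalId": "AROAEXAMPLEETL:nightly",
            "arn": "arn:aws:sts::%s:assumed-role/EtlRole/nightly" % ACCT, "accountId": ACCT,
            "sessionContext": {"sessionIssuer": {"type": "Role", "userName": "EtlRole"}}}


def _rec(time, identity, source, name, ip, params=None, management=True):
    return {"eventVersion": "1.08", "eventTime": time, "userIdentity": identity,
            "eventSource": source, "eventName": name, "awsRegion": "us-east-1",
            "sourceIPAddress": ip, "requestParameters": params or {},
            "managementEvent": management,
            "eventCategory": "Management" if management else "Data"}


SAMPLE_LOG = json.dumps({"Records": [
    _rec("2021-06-01T08:00:00Z", FED_ALICE, "organizations.amazonaws.com", "CreateAccount",
         "203.0.113.5", {"accountName": "sandbox-7"}),
    _rec("2021-06-01T09:15:00Z", USER_BOB, "ec2.amazonaws.com", "AllocateAddress",
         "203.0.113.9", {"domain": "vpc"}),
    _rec("2021-06-01T09:16:00Z", USER_BOB, "ec2.amazonaws.com", "AllocateAddress",
         "203.0.113.9", {"domain": "vpc"}),
    _rec("2021-06-01T10:00:00Z", ROLE_ETL, "s3.amazonaws.com", "GetObject", "10.0.1.20",
         {"bucketName": "sensitive-data", "key": "q2/payroll.csv"}, management=False),
    _rec("2021-06-01T10:01:00Z", USER_BOB, "s3.amazonaws.com", "PutObject", "203.0.113.9",
         {"bucketName": "sensitive-data", "key": "q2/notes.txt"}, management=False),
    _rec("2021-06-01T10:02:00Z", USER_BOB, "s3.amazonaws.com", "GetObject", "203.0.113.9",
         {"bucketName": "public-assets", "key": "logo.png"}, management=False),
]})

if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    print("account creations:", find_events(recs, "organizations.amazonaws.com", ("CreateAccount",)))
    print("EIP allocations:", find_events(recs, "ec2.amazonaws.com", ("AllocateAddress",)))
    print("sensitive-data activity:", dict(s3_object_activity(recs, "sensitive-data")))
```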


AWS Config
[Diagram: configuration changes to example services such as Amazon EC2, Elastic Load Balancing, Amazon Simple Storage Service and Amazon RDS occur and the information is sent to AWS Config; AWS Config evaluates the configuration against desired configurations; evaluations are displayed on a dashboard and can also be sent via Amazon Simple Notification Service]
AWS Config
Ø AWS Config is a fully managed service that provides you with an AWS
resource inventory, configuration history, and configuration change
notifications to enable security and governance
Ø You can discover existing AWS resources, export a complete inventory of
your AWS resources with all configuration details, and determine how a
resource was configured at any point in time
Ø These capabilities enable compliance auditing, security analysis, resource
change tracking, and troubleshooting
Ø Allows you to assess, audit, and evaluate configurations of your AWS
resources
Ø Very useful for Configuration Management as part of an ITIL program
AWS Service Catalog
Ø AWS Service Catalog allows organizations to create and manage catalogs
of IT services that are approved for use on AWS
Ø These IT services can include everything from virtual machine images,
servers, software, and databases to complete multi-tier application
architectures
Ø AWS Service Catalog allows you to centrally manage commonly deployed
IT services
Ø Helps to achieve consistent governance and meet compliance
requirements
Ø Enables users to quickly deploy only the approved IT services they need
AWS Service Catalog- Sharing Portfolios
Ø You can share portfolios across accounts in AWS Organizations
Ø Either share a reference to the catalog or deploy a copy of the catalog
Ø With copies you must redeploy any updates
Ø CloudFormation StackSets can be used to deploy a catalog to multiple
accounts at the same time
Ø Check reference link for more information on the behavior
AWS Trusted Advisor
Ø Trusted Advisor is an online resource that helps to reduce cost,
increase performance and improve security by optimizing your
AWS environment
Ø Trusted Advisor provides real time guidance to help you provision
your resources following best practices
Ø Advisor will advise you on Cost Optimization, Performance,
Security, and Fault Tolerance
AWS Personal Health Dashboard
Ø AWS Personal Health Dashboard provides alerts and remediation guidance
when AWS is experiencing events that may impact you
Ø Personal Health Dashboard gives you a personalized view into the
performance and availability of the AWS services underlying your AWS
resources
Ø Provides a personalized view of AWS issues that may impact you
Ø The dashboard displays relevant and timely information to help you manage
events in progress
Ø Also provides proactive notification to help you plan for scheduled activities
Ø Alerts are triggered by changes in the health of AWS resources, giving you
event visibility, and guidance to help quickly diagnose and resolve issues
Service Health Dashboard
[Diagram of the Service Health Dashboard: shows current status information on service availability; the information is not personalized, so it may not be relevant to you; there is no proactive notification of scheduled activities]
AWS Cost Explorer

Ø The AWS Cost Explorer is a free tool that allows you to view charts of
your costs
Ø You can view cost data for the past 13 months and forecast how much
you are likely to spend over the next three months
Ø Cost Explorer can be used to discover patterns in how much you spend
on AWS resources over time and to identify cost problem areas
Ø Cost Explorer can help you to identify service usage statistics such as:
Ø Which services you use the most
Ø View metrics for which AZ has the most traffic
Ø Which linked account is used the most
AWS Cost Allocation Tags
Ø A tag is a label that you or AWS assigns to an AWS resource
Ø Each tag consists of a key and a value
Ø You can use tags to organize your resources, and cost allocation tags to
track your AWS costs on a detailed level
Ø Must activate the tags in the Billing and Cost Management console
AWS Cost and Usage Report
Ø AWS Cost and Usage reports provide a detailed data set about your
AWS billing, delivered to an S3 bucket
Ø This is a small excerpt:
AWS Budgets

Ø AWS Budgets gives you the ability to set custom budgets that alert you
when your costs or usage exceed (or are forecasted to exceed) your
budgeted amount
Exam Scenarios

Scenario: Audit requests to AWS Organizations for creating new accounts by federated users
Solution: Use CloudTrail and look for the federated identity user name

Scenario: Employees have created individual AWS accounts not under control. Security team need them in AWS Organizations
Solution: Send each account an invitation from the central organization

Scenario: Need to restrict ability to launch specific instance types for a specific team/account
Solution: Use an Organizations SCP to deny launches unless the instance type is T2, create an IAM group in the account granting access to T2 instances to the relevant users
Exam Scenarios

Scenario: Need to ensure that S3 buckets are NEVER deleted in a production account
Solution: Use an SCP to deny the s3:DeleteBucket API action

Scenario: Need to create user-defined cost allocation tags for new account
Solution: Use Tag Editor in new account to create user-defined tags and then use the billing and cost management console in the payer account to mark them as cost allocation tags

Scenario: Separate departments must operate in isolation and only use pre-approved services
Solution: Use AWS Organizations to create accounts (Organizations API) and SCPs to control the services available for use
Exam Scenarios

Scenario: Developers can manipulate IAM policies/roles and need to block them from some services
Solution: Use an SCP to block those services

Scenario: AWS bill is increasing and unauthorized services are being used across accounts
Solution: Use AWS Organizations with an SCP to restrict the unauthorized services

Scenario: Configuring AWS SSO for an Organizations master account. Directory created and full access enabled
Solution: Next step is to create a permission set and associate with directory users and groups

Scenario: Process to create a custom dashboard in CloudWatch for custom metrics after installing agent on EC2
Solution: Create metric filters and select custom metrics
Exam Scenarios

Scenario: Need to test notification settings for CloudWatch alarm with SNS
Solution: Use the set-alarm-state CLI command to test

Scenario: App with EC2 and RDS is running slowly and suspected high CPU
Solution: Use CloudWatch metrics to examine resource usage

Scenario: Site uses CloudFront and S3. Users accessing content that does not exist or they don't have access to
Solution: Check the 4XXErrorRate metric in CloudWatch to understand the extent of the issue

Scenario: Script generates custom CloudWatch metrics from EC2 instance and clock is configured incorrectly by 30 mins
Solution: CloudWatch will accept the custom metric data and record it
Exam Scenarios

Scenario: Need to collect logs from many EC2 instances
Solution: Use the unified CloudWatch Agent

Scenario: External auditor needs to check for unauthorized changes to AWS account
Solution: Create an IAM user, assign an IAM policy with read access to CloudTrail logs on Amazon S3

Scenario: Need to identify who is creating EIPs and not using them
Solution: Use CloudTrail and query logs using Athena to search for EIP address events

Scenario: S3 bucket holds sensitive data. Must monitor object upload / download activity including AWS account and IAM user account of caller and time of API call
Solution: Use AWS CloudTrail and enable data event logging
Exam Scenarios

Scenario: Need to record any modifications or deletions of CloudTrail logs in an S3 bucket
Solution: Enable CloudTrail log file integrity validation and enable MFA delete on the bucket

Scenario: Large increase in requests to SQS. Need to determine the source of the calls
Solution: Use CloudTrail to audit API calls

Scenario: Need to ensure that S3 buckets have logging enabled without stopping users creating them
Solution: Auto remediate with AWS Config managed rule S3_BUCKET_LOGGING_ENABLED

Scenario: Need to provide real-time compliance reporting for security groups to check that port 80 is not being used
Solution: Use the AWS Config restricted-common-ports rule and add port 80
Exam Scenarios

Scenario: Company wants to limit the AMIs that are used. Need to review compliance with the policy
Solution: Create an AWS Config rule to check that only approved AMIs are used

Scenario: Need to automatically disable access keys that are greater than 90 days old
Solution: Use Config rule to identify noncompliant keys and use Systems Manager Automation to remediate

Scenario: Need to address concerns about exposing sensitive data in buckets without restricting ability to create them
Solution: Use AWS Config rules to identify public buckets and send SNS notification to security team

Scenario: Need to ensure CloudFormation deployment changes are tracked for governance
Solution: Use AWS Config
Exam Scenarios

Scenario: Company needs to verify that a specific KMS CMK is used to encrypt EBS volumes
Solution: Use AWS Config with the encrypted-volumes managed rule and specify the key ID of the CMK

Scenario: Need to create replica of existing infrastructure in new account. AWS Service Catalog is used
Solution: Most efficient option is to share the portfolio with the new accounts and import into those other accounts

Scenario: Users have a specialized EC2 instance config and don't want to configure EC2 settings but need to launch/terminate instances. Special instance must only be available to them
Solution: Use CloudFormation template with AWS Service Catalog portfolio and grant permissions to users

Scenario: Shared portfolio is imported into a second AWS account controlled by a different administrator
Solution: Admin can add products from the imported portfolio to a local portfolio
Exam Scenarios

Scenario: Need to monitor costs per user in an account
Solution: Activate the createdBy tag and analyze with AWS Cost Explorer

Scenario: How to check for underutilized EC2 instances?
Solution: Use AWS Cost Explorer to generate resource optimization recommendations

Scenario: Bill is increasing over time, need to determine the cause of increased cost
Solution: Use AWS Cost Explorer

Scenario: Need breakdown of costs per project in a single account using Cost Explorer
Solution: Do this by activating cost allocation tags and applying resource tags
Exam Scenarios

Scenario: Need to check that security best practices are being followed for the AWS account root user
Solution: Use AWS Trusted Advisor security checks to review configuration of root user

Scenario: Costs rising and need to be alerted when a specific spending limit is forecast to be exceeded
Solution: Use AWS Budgets

Scenario: Company needs to track the allocation of reserved instances in consolidated bill
Solution: Use the AWS Cost and Usage report

Scenario: Company needs to integrate AWS maintenance events that may affect their resources into an operations dashboard
Solution: Use the AWS Health API
SECTION 14
Security and Compliance
Multi-Factor Authentication in AWS
[Diagram: an IAM user authenticates with something you know (a password, e.g. EJPx!*21p9%) and something you have (a virtual MFA such as Google Authenticator on your smart phone, or a physical MFA device)]
AWS Managed Policies
Ø An AWS managed policy is a standalone policy that is created and
administered by AWS
Ø Standalone policy means that the policy has its own Amazon Resource Name
(ARN) that includes the policy name
Ø AWS managed policies are designed to provide permissions for many
common use cases
Ø You cannot change the permissions defined in AWS managed policies
AWS Managed Policies
Ø Some AWS managed policies are designed for specific job functions
Ø The job-specific AWS managed policies include:
Ø Administrator
Ø Billing
Ø Database Administrator
Ø Data Scientist
Ø Developer Power User
Ø Network Administrator
Ø Security Auditor
Ø Support User
Ø System Administrator
Ø View-Only User
Customer Managed Policies
Ø You can create standalone policies that you administer in your own AWS
account, which we refer to as customer managed policies
Ø You can then attach the policies to multiple principal entities in your AWS
account
Ø When you attach a policy to a principal entity, you give the entity the
permissions that are defined in the policy
Allowing access to an S3 bucket from IPv4 and IPv6 Addresses
Grant access to instances with a specific tag
Grant user permission to pass an IAM role
Ø To pass a role (and its permissions) to an AWS service, a user must have
permissions to pass the role to the service.
IAM Policy Evaluation Logic
Ø Identity-based policies – Identity-based policies are attached to an IAM identity
(user, group of users, or role) and grant permissions to IAM entities (users and
roles)
Ø Resource-based policies – Resource-based policies grant permissions to the
principal (account, user, role, or federated user) specified as the principal
Ø IAM permissions boundaries – Permissions boundaries are an advanced feature
that sets the maximum permissions that an identity-based policy can grant to
an IAM entity (user or role)
Ø AWS Organizations service control policies (SCPs) – Organizations SCPs specify
the maximum permissions for an organization or organizational unit (OU)
Ø Session policies – Session policies are advanced policies that you pass as
parameters when you programmatically create a temporary session for a role or
federated user
IAM Policy Evaluation Logic
Ø By default, all requests are implicitly denied. (Alternatively, by default,
the AWS account root user has full access.)
Ø An explicit allow in an identity-based or resource-based policy overrides
this default
Ø If a permissions boundary, Organizations SCP, or session policy is
present, it might override the allow with an implicit deny
Ø An explicit deny in any policy overrides any allows
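The evaluation order above, reduced to working code. This is an added example, not from the course slides; the policies, ARNs and account id are constructed, and the evaluator handles only the wildcard and condition operators listed in its docstring. It also exercises the two policy-example slides above (restricting access by source IP and granting access by resource tag) by combining an identity policy, a bucket policy, an SCP and a permissions boundary.

```python
"""IAM policy evaluation logic, reduced to code.

Added example (not from the course slides). It applies the order the slides
describe: everything is implicitly denied; an explicit allow in an
identity-based or resource-based policy lifts that; a permissions boundary,
SCP or session policy that is present must also allow the action or the
result is an implicit deny again; an explicit deny anywhere wins. Supports
"*" and "?" wildcards in Action and Resource plus the StringEquals,
IpAddress and NotIpAddress operators. Policies, ARNs and the account id are
constructed. Simplifications: a missing context key fails any condition
(real IAM treats negated and ...IfExists operators differently) and
cross-account resource-policy rules are not modelled.
"""
import fnmatch
import ipaddress


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_ok(condition, context):
    """Evaluate a Condition block against the request context keys."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            have = context.get(key)
            if have is None:
                return False
            wanted = _as_list(wanted)
            if operator == "StringEquals":
                if have not in wanted:
                    return False
            elif operator in ("IpAddress", "NotIpAddress"):
                ip = ipaddress.ip_address(have)
                in_range = any(ip in ipaddress.ip_network(c, strict=False) for c in wanted)
                if in_range != (operator == "IpAddress"):
                    return False
            else:
                raise ValueError("unsupported condition operator: " + operator)
    return True


def _statement_applies(stmt, req):
    """Action, Resource and Condition of one statement all match the request."""
    if not any(fnmatch.fnmatchcase(req["action"], a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(req["resource"], r) for r in _as_list(stmt.get("Resource", "*"))):
        return False
    return _condition_ok(stmt.get("Condition", {}), req["context"])


def _decision(policy, req):
    """'Deny', 'Allow' or None (no statement matched) for a single policy."""
    result = None
    for stmt in policy["Statement"]:
        if _statement_applies(stmt, req):
            if stmt["Effect"] == "Deny":
                return "Deny"
            result = "Allow"
    return result


def evaluate(req, identity_policies=(), resource_policy=None,
             permissions_boundary=None, scps=(), session_policy=None):
    """Final 'Allow' or 'Deny' for one request."""
    grants = list(identity_policies) + ([resource_policy] if resource_policy else [])
    bounds = [p for p in (permissions_boundary, session_policy, *scps) if p]
    decisions = [_decision(p, req) for p in grants + bounds]
    if "Deny" in decisions:
        return "Deny"                  # an explicit deny overrides every allow
    if "Allow" not in decisions[:len(grants)]:
        return "Deny"                  # implicit deny: no policy granted access
    if any(d != "Allow" for d in decisions[len(grants):]):
        return "Deny"                  # a boundary, SCP or session policy did not allow it
    return "Allow"


def request(action, resource, context=None):
    return {"action": action, "resource": resource, "context": context or {}}


IDENTITY_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::corp-data", "arn:aws:s3:::corp-data/*"]},
    {"Effect": "Allow", "Action": ["ec2:StartInstances", "ec2:StopInstances"],
     "Resource": "arn:aws:ec2:*:*:instance/*",
     "Condition": {"StringEquals": {"ec2:ResourceTag/Team": "blue"}}}]}
# bucket policy: deny object access from outside the office address range
BUCKET_POLICY = {"Statement": [
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": "arn:aws:s3:::corp-data/*",
     "Condition": {"NotIpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]}
# SCP: keep the default FullAWSAccess allow, forbid deleting buckets
SCP = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"},
                     {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]}
# permissions boundary: at most S3 and read-only EC2
BOUNDARY = {"Statement": [{"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*"], "Resource": "*"}]}
```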
IAM Policy Evaluation Logic
Amazon Inspector
Ø Inspector is an automated security assessment service that helps improve
the security and compliance of applications deployed on AWS
Ø Inspector automatically assesses applications for vulnerabilities or
deviations from best practices
Ø Uses an agent installed on EC2 instances
Ø Instances must be tagged
Encryption – In Transit vs At Rest
[Diagram, Encryption In Transit: a developer uploads an unencrypted object to Amazon Simple Storage Service over an HTTPS (SSL) connection; the data is protected by SSL/TLS in transit, or "in-flight"]
[Diagram, Encryption At Rest: Amazon S3 encrypts the object as it is written to the bucket; the unencrypted object goes through the encryption process with a data encryption key and is stored in the encrypted bucket]
Symmetric Encryption
[Diagram, Encryption: plaintext data and a data encryption key go into the encryption process, producing encrypted data. Decryption: the encrypted data and the same data encryption key go through the process again, producing the plaintext data. The same key is used for both encryption and decryption]
Asymmetric Encryption
Ø Asymmetric encryption is also known as public key cryptography
Ø Messages encrypted with the public key can only be decrypted
with the private key
Ø Messages encrypted with the private key can be decrypted with
the public key
Ø Examples include SSL/TLS and SSH
[Diagram: plaintext data is encrypted with the public key to produce encrypted data, which is decrypted with the private key back to the plaintext data]
AWS Key Management Service (KMS)
Ø AWS KMS is a service for creating and controlling encryption keys
Ø The customer master keys (CMKs) are protected by hardware
security modules (HSMs)
[Diagram: in AWS KMS, a developer creates customer managed customer master keys (CMKs); AWS managed keys such as aws/sqs, aws/acm, aws/ebs and aws/fsx are also held in AWS KMS]
AWS Key Management Service (KMS)
With AWS KMS you can also perform the following cryptographic
functions using master keys:
Ø Encrypt, decrypt, and re-encrypt data
Ø Generate data encryption keys that you can export from the service in
plaintext or encrypted under a master key that doesn't leave the
service
AWS KMS – Customer Master Keys (CMKs)
Ø Customer master keys are the primary resources in AWS KMS
Ø The CMK also contains the key material used to encrypt and
decrypt data
AWS KMS
Ø AWS KMS supports symmetric and asymmetric CMKs
Ø CMKs are created in AWS KMS. Symmetric CMKs and the private
keys of asymmetric CMKs never leave AWS KMS unencrypted
Ø By default, AWS KMS creates the key material for a CMK
Ø Can also import your own key material
Ø A CMK can encrypt data up to 4KB in size
Ø A CMK can generate, encrypt and decrypt Data Encryption Keys
(DEKs)
[Diagram: customer managed keys (CMK) and AWS managed keys (aws/sqs, aws/acm, aws/ebs, aws/fsx) held in AWS KMS]
AWS KMS – AWS Managed CMKs
Ø These are created, managed, and used on your
behalf by an AWS service that is integrated with AWS
KMS
Ø You cannot manage these CMKs, rotate them, or
change their key policies
Ø You also cannot use AWS managed CMKs in
cryptographic operations directly; the service that
creates them uses them on your behalf
Ø You do not pay a monthly fee for AWS managed
CMKs. They can be subject to fees for use in excess of
the free tier, but some AWS services cover these
costs for you.
AWS KMS – Customer Master Keys (CMKs)

Type of CMK          | Can view | Can manage | Used only for my AWS account | Automatic rotation
Customer managed CMK | Yes      | Yes        | Yes                          | Optional. Every 365 days
AWS managed CMK      | Yes      | No         | Yes                          | Required. Every 1095 days
AWS owned CMK        | No       | No         | No                           | Varies
AWS KMS – Data Encryption Keys
Ø Data keys are encryption keys that you can use to encrypt data,
including large amounts of data and other data encryption keys
Ø You can use AWS KMS customer master keys (CMKs) to generate,
encrypt, and decrypt data keys
Ø AWS KMS does not store, manage, or track your data keys, or perform
cryptographic operations with data keys
Ø You must use and manage data keys outside of AWS KMS
[Diagram: a user calls the GenerateDataKey API on a CMK in AWS KMS and receives a plaintext data key and an encrypted data key; the plaintext data key is used with an encryption algorithm outside AWS KMS]
AWS CloudHSM
Ø AWS CloudHSM is a cloud-based hardware security module (HSM) that enables you to
easily generate and use your own encryption keys on the AWS Cloud
Ø You can manage your own encryption keys using FIPS 140-2 Level 3 validated HSMs.
Ø CloudHSM runs in your VPC
                  | CloudHSM                                     | AWS KMS
Tenancy           | Single-tenant HSM                            | Multi-tenant AWS service
Availability      | Customer-managed durability and availability | Highly available and durable key storage and management
Root of Trust     | Customer managed root of trust               | AWS managed root of trust
FIPS 140-2        | Level 3                                      | Level 2 / Level 3 in some areas
3rd Party Support | Broad 3rd Party Support                      | Broad AWS service support
AWS CloudHSM
Benefits:
Ø FIPS 140-2 level 3 validated HSMs
Ø You can configure AWS Key Management Service (KMS) to use your AWS CloudHSM
cluster as a custom key store rather than the default KMS key store
Ø Managed service and automatically scales
Ø Retain control of your encryption keys - you control access (and AWS has no visibility of
your encryption keys)
AWS Certificate Manager (ACM)
Ø ACM is used for creating and managing public SSL/TLS certificates
Ø You can use public certificates provided by ACM (ACM certificates) or
certificates that you import into ACM
Ø ACM certificates can secure multiple domain names and multiple names
within a domain
Ø You can also use ACM to create wildcard SSL certificates that can protect an
unlimited number of subdomains
Certificate Renewal with ACM
Ø Managed renewal for SSL/TLS certificates
Ø Automatic if using DNS validation; email notification otherwise
Ø Provided for both public and private ACM certificates
Certificate Renewal with ACM
Ø At 60 days prior to expiration, ACM checks for the renewal
criteria:
Ø The certificate is currently in use by an AWS service
Ø A valid DNS record for the apex domain exists
Ø The required CNAME token is present and accessible in the
DNS record
Ø Each domain and subdomain that is named in the certificate
is present in the DNS record
Ø If all of these criteria are met, ACM considers the domain
names validated and renews the certificate
AWS Web Application Firewall (WAF)
Ø AWS WAF is a web application firewall
Ø WAF lets you create rules to filter web traffic based on conditions that include IP
addresses, HTTP headers and body, or custom URIs
Ø WAF makes it easy to create rules that block common web exploits like SQL
injection and cross site scripting
Ø WAF can be used to protect CloudFront distributions, ALBs (and the resources
behind them), and API Gateway APIs
AWS Web Application Firewall (WAF)
Ø Web ACLs - You use a web access control list (ACL) to protect a set of AWS
resources
Ø Rules - Each rule contains a statement that defines the inspection criteria, and
an action to take if a web request meets the criteria
Ø Rules groups – You can use rules individually or in reusable rule groups
AWS Web Application Firewall (WAF)
Ø IP Sets - An IP set provides a collection of IP addresses and IP address ranges
that you want to use together in a rule statement
Ø Regex pattern set - A regex pattern set provides a collection of regular
expressions that you want to use together in a rule statement
AWS Web Application Firewall (WAF)
A rule action tells AWS WAF what to do with a web request when it
matches the criteria defined in the rule:
Ø Count – AWS WAF counts the request but doesn't determine whether
to allow it or block it. With this action, AWS WAF continues processing
the remaining rules in the web ACL
Ø Allow – AWS WAF allows the request to be forwarded to the AWS
resource for processing and response
Ø Block – AWS WAF blocks the request and the AWS resource responds
with an HTTP 403 (Forbidden) status code
AWS Web Application Firewall (WAF)
Match statements compare the web request or its origin against
conditions that you provide

Match Statement      | Description
Geographic match     | Inspects the request's country of origin
IP set match         | Inspects the request against a set of IP addresses and address ranges
Regex pattern set    | Compares regex patterns against a specified request component
Size constraint      | Checks size constraints against a specified request component
SQLi attack          | Inspects for malicious SQL code in a specified request component
String match         | Compares a string to a specified request component
XSS scripting attack | Inspects for cross-site scripting attacks in a specified request component
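The rule actions and match statements above, as an added example that is not part of the course slides: a miniature web ACL that runs rules in priority order, lets COUNT fall through, terminates on ALLOW or BLOCK, and includes a rate-based rule like the one the exam scenarios later suggest for a flood of requests from many source IPs. The rule names, CIDRs, thresholds and sample requests are constructed, and the thresholds are far below real WAF limits so the demo stays short.

```python
"""A miniature AWS WAF web ACL evaluator.

Added example (not from the course slides): models the rule actions and
match statements described above. Rules run in priority order; COUNT
records a match and keeps evaluating, ALLOW and BLOCK stop evaluation, and
the web ACL's default action applies when no rule terminated. The
rate-based rule keeps a per-IP sliding window and matches once the limit
is exceeded. Rule names, CIDRs, thresholds and sample requests are
constructed; the thresholds are far below real WAF limits to keep the demo short.
"""
import ipaddress
from collections import defaultdict, deque


def ip_set_match(cidrs):
    """Match when the source IP falls in any CIDR of the IP set."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return lambda req, now: any(ipaddress.ip_address(req["ip"]) in n for n in nets)


def string_match(component, needle, position="CONTAINS"):
    """Compare a string against a request component: "uri", "body" or "header:<name>"."""
    def match(req, now):
        if component.startswith("header:"):
            haystack = req["headers"].get(component[len("header:"):], "")
        else:
            haystack = req.get(component, "")
        if position == "EXACTLY":
            return haystack == needle
        if position == "STARTS_WITH":
            return haystack.startswith(needle)
        return needle in haystack
    return match


def size_constraint(component, op, size):
    """Compare the length of a request component (GT, LT or EQ) with a size in bytes."""
    ops = {"GT": lambda a, b: a > b, "LT": lambda a, b: a < b, "EQ": lambda a, b: a == b}
    return lambda req, now: ops[op](len(req.get(component, "")), size)


def rate_based(limit, window=300):
    """Match when one source IP exceeds `limit` requests within `window` seconds."""
    seen = defaultdict(deque)

    def match(req, now):
        times = seen[req["ip"]]
        times.append(now)
        while times and times[0] <= now - window:
            times.popleft()
        return len(times) > limit
    return match


class WebAcl:
    def __init__(self, rules, default_action="ALLOW"):
        self.rules = sorted(rules, key=lambda r: r["priority"])
        self.default_action = default_action

    def evaluate(self, req, now):
        """Return (final action, terminating rule name or None, list of counted rule names)."""
        counted = []
        for rule in self.rules:
            if rule["statement"](req, now):
                if rule["action"] == "COUNT":
                    counted.append(rule["name"])
                    continue
                return rule["action"], rule["name"], counted
        return self.default_action, None, counted


def request(ip, uri="/", body="", headers=None):
    """Build a constructed request as the ACL sees it."""
    return {"ip": ip, "uri": uri, "body": body, "headers": headers or {}}


ACL = WebAcl([
    # count requests per front-end server using a header the front ends set
    {"name": "count-frontend-header", "priority": 0, "action": "COUNT",
     "statement": string_match("header:x-frontend-id", "fe-", "STARTS_WITH")},
    {"name": "allow-health-check", "priority": 5, "action": "ALLOW",
     "statement": string_match("uri", "/health", "EXACTLY")},
    {"name": "block-bad-ip-set", "priority": 10, "action": "BLOCK",
     "statement": ip_set_match(["192.0.2.0/24"])},
    {"name": "block-oversized-body", "priority": 20, "action": "BLOCK",
     "statement": size_constraint("body", "GT", 8192)},
    {"name": "rate-limit-per-ip", "priority": 30, "action": "BLOCK",
     "statement": rate_based(limit=3)},
])

if __name__ == "__main__":
    for t in (10, 20, 30, 40):   # the fourth request trips the rate-based rule
        print(t, ACL.evaluate(request("203.0.113.9", headers={"x-frontend-id": "fe-1"}), t))
```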
AWS Shield
Ø AWS Shield is a managed Distributed Denial of Service (DDoS)
protection service
Ø Safeguards web applications running on AWS with always-on detection
and automatic inline mitigations
Ø Helps to minimize application downtime and latency
Ø Two tiers – Standard and Advanced
Ø Integrated with Amazon CloudFront
AWS Artifact
Ø AWS Artifact is your go-to, central resource for compliance-related
information that matters to you
Ø It provides on-demand access to AWS’ security and compliance reports and
select online agreements
Ø Reports available in AWS Artifact include our Service Organization Control
(SOC) reports, Payment Card Industry (PCI) reports, and certifications from
accreditation bodies across geographies and compliance verticals that validate
the implementation and operating effectiveness of AWS security controls
Ø Agreements available in AWS Artifact include the Business Associate
Addendum (BAA) and the Nondisclosure Agreement (NDA)
Identity Providers and Federation
[Diagram: a SAML 2.0 compatible LDAP source (self-managed Active Directory in this case) and social providers federate with AWS IAM; authenticated and authorized users can access AWS services. Web Identity Federation for mobile apps uses OpenID Connect (OIDC); AWS recommend using Cognito for this use case]
AWS Single Sign-on (SSO)
[Diagram: identity sources for AWS Single Sign-On can be AWS SSO itself, Active Directory (self-managed, or through AWS Directory Service), Azure AD, and standard providers using SAML 2.0. AWS SSO grants access to AWS Account A, B, C and D within AWS Organizations and has built-in SSO integrations to business applications]
AWS Directory Service - AWS Managed Microsoft AD
Ø Fully managed AWS service running on AWS infrastructure
Ø Best choice if you have more than 5000 users and/or need a trust
relationship set up
Ø Runs on Windows Server
Ø You can set up trust relationships to extend authentication from
on-premises Active Directories into the AWS cloud
Ø On-premises users and groups can access resources in either domain using
SSO
Ø Requires a VPN or Direct Connect connection
Ø Can be used as a standalone AD in the AWS cloud
AWS Directory Service - Simple AD
Ø An inexpensive Active Directory-compatible service with common
directory features
Ø Standalone, fully managed directory on the AWS cloud
Ø Simple AD is generally the least expensive option
Ø Best choice when you have fewer than 5000 users and don't need advanced AD
features
AWS Directory Service - AD Connector
[Diagram: AD Connector connects to self-managed Active Directory over VPN or Direct Connect. It lets Amazon WorkSpaces and Amazon EC2 seamlessly join Windows EC2 instances to the on-premises AD domain, and provides federated sign-in to the AWS Management Console by mapping Active Directory identities to AWS Identity and Access Management (IAM) roles]
AWS Directory Service – AD Connector
Ø AD Connector is a directory gateway for redirecting directory requests to your
on-premises Active Directory
Ø Connects your existing on-premises AD to AWS
Ø Best choice when you want to use an existing Active Directory with AWS
services
Ø You can also join EC2 instances to your on-premises AD through AD Connector
Ø You can also log in to the AWS Management Console using your on-premises
AD DCs for authentication
AWS Directory Service – AD Connector vs Simple AD

Directory Service | Service Description | Use Case
AWS Directory Service for Microsoft Active Directory | AWS-managed full Microsoft AD running on Windows Server 2012 R2 | Enterprises that want hosted Microsoft AD, or you need LDAP for Linux apps
AD Connector | Allows on-premises users to log into AWS services with their existing AD credentials. Also allows EC2 instances to join AD domain | Single sign-on for on-premises employees and for adding EC2 instances to the domain
Simple AD | Low scale, low cost, AD implementation based on Samba. Can also join EC2 instances to the domain | Simple user directory, or you need LDAP compatibility
Exam Scenarios

Scenario: Company wishes to force users to change their passwords regularly
Solution: Create an IAM password policy and enable password expiration

Scenario: Need to restrict access to a bucket based on source IP range
Solution: Use bucket policy with "Condition": "NotIpAddress": statement

Scenario: Need to control access to group of EC2 instances with specific tags
Solution: Use an IAM policy with a condition element granting access based on the tag and attach an IAM policy to the user or groups that require access

Scenario: IAM policy for SQS queue allows too much access. Who is responsible for correcting the issue?
Solution: According to the AWS shared responsibility model, this is a customer responsibility
Exam Scenarios

Scenario: Data is encrypted with AWS KMS customer-managed CMKs. Need to enable rotation ensuring the data remains readable
Solution: Just enable key rotation in AWS KMS for the CMK (backing key is rotated, data key is not changed)

Scenario: Company must rotate encryption keys once a year with least effort
Solution: Use customer-managed CMK and enable automatic key rotation

Scenario: App uses KMS CMK with imported key material and references the CMK by alias in the application. Must be rotated every 6 months
Solution: To rotate, create a new CMK with new imported material and update the key alias to point to new CMK
Exam Scenarios

Scenario: Certificate request rejected by ACM
Solution: Submit a request for a certificate using the correct domain name NOT the ALB FQDN

Scenario: Security findings are missing in Amazon Inspector
Solution: Verify agent installed on affected instances and restart agent

Scenario: Security team need to verify vulnerabilities and exposures are addressed for EC2 instances regularly
Solution: Use Amazon Inspector and perform regular assessments

Scenario: There may be a vulnerable version of software installed on EC2 instances and need to check
Solution: Create and run an Amazon Inspector assessment template
Exam Scenarios

Scenario: Need to use information in request header to count requests from each front-end server
Solution: Use a string match statement

Scenario: Large amount of suspicious HTTP requests hitting an ALB from various source IPs
Solution: Block the traffic using AWS WAF with a rate-based rule and a defined threshold

Scenario: Many 404 errors being sent to one IP address every minute. Bot may be collecting info
Solution: Use AWS WAF to block the activity

Scenario: Website has been deployed and penetration testing shows it's vulnerable to cross-site scripting
Solution: Use AWS WAF to mitigate cross-site scripting attacks
Exam Scenarios

Scenario: Application is under repeated DDoS attacks. Need to minimize downtime and require 24/7 support
Solution: Set up AWS Shield Advanced

Scenario: Company needs to understand the PCI status of the AWS infrastructure
Solution: Use AWS Artifact to locate this information
Exam Scenarios

Scenario: Company uses LDAP and needs to implement access control in AWS as part of an integration between internal and cloud
Solution: Need to configure SAML federation of IAM users and groups with the LDAP DB and map LDAP users and groups to IAM roles

Scenario: Permissions policy for cross-account access must be created and attached. Who is responsible for doing this?
Solution: According to the AWS shared responsibility model, this is a customer responsibility

Scenario: Company wishes to move from IAM user accounts to using on-premises Active Directory accounts for AWS management console access
Solution: Configure a VPN tunnel and use Active Directory Connector
THE END
Hope you enjoyed the
course!
