517

Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

  • Upload
    others

  • View
    5

  • Download
    0

Embed Size (px)

Citation preview

Page 1: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us
Page 2: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

CertifiedSolutionsArchitectOfficial

Page 3: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

StudyGuide-AssociateExam

JoeBaron,HishamBaz,TimBixler,BiffGaut,KevinE.Kelly,SeanSenior,JohnStamper

Page 4: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

SeniorAcquisitionsEditor:KenyonBrownProjectEditor:GarySchwartzProductionEditor:DassiZeidelCopyEditor:KeziaEndsleyEditorialManager:MaryBethWakefieldProductionManager:KathleenWisorExecutiveEditor:JimMinatelBookDesigners:JudyFungandBillGibsonProofreader:NancyCarrascoIndexer:JohnnavanHooseDinseProjectCoordinator,Cover:BrentSavageCoverDesigner:WileyCoverImage:©GettyImages,Inc./JeremyWoodhouse

Copyright©2017byAWS

PublishedbyJohnWiley&Sons,Inc.Indianapolis,Indiana

PublishedsimultaneouslyinCanada

ISBN:978-1-119-13855-6

ISBN:978-1-119-13955-3(ebk.)

ISBN:978-1-119-13954-6(ebk.)

ManufacturedintheUnitedStatesofAmerica

Nopartofthispublicationmaybereproduced,storedinaretrievalsystemortransmittedinanyformorbyanymeans,electronic,mechanical,photocopying,recording,scanningorotherwise,exceptaspermittedunderSections107or108ofthe1976UnitedStatesCopyrightAct,withouteitherthepriorwrittenpermissionofthePublisher,orauthorizationthroughpaymentoftheappropriateper-copyfeetotheCopyrightClearanceCenter,222RosewoodDrive,Danvers,MA01923,(978)750-8400,fax(978)646-8600.RequeststothePublisherforpermissionshouldbeaddressedtothePermissionsDepartment,JohnWiley&Sons,Inc.,111RiverStreet,Hoboken,NJ07030,(201)748-6011,fax(201)748-6008,oronlineathttp://www.wiley.com/go/permissions.

LimitofLiability/DisclaimerofWarranty:Thepublisherandtheauthormakenorepresentationsorwarrantieswithrespecttotheaccuracyorcompletenessofthecontentsofthisworkandspecificallydisclaimallwarranties,includingwithoutlimitationwarrantiesoffitnessforaparticularpurpose.Nowarrantymaybecreatedorextendedbysalesorpromotionalmaterials.Theadviceandstrategiescontainedhereinmaynotbesuitableforeverysituation.Thisworkissoldwiththeunderstandingthatthepublisherisnotengagedinrenderinglegal,accounting,orotherprofessionalservices.Ifprofessionalassistanceisrequired,theservicesofacompetentprofessionalpersonshouldbesought.Neitherthepublishernortheauthorshallbeliablefordamagesarisingherefrom.ThefactthatanorganizationorWebsiteisreferredtointhisworkasacitationand/orapotentialsourceoffurtherinformationdoesnotmeanthattheauthororthepublisherendorsestheinformationtheorganizationorWebsitemayprovideorrecommendationsitmaymake.Further,readersshouldbeawarethatInternetWebsiteslistedinthisworkmayhavechangedordisappearedbetweenwhenthisworkwaswrittenandwhenitisread.

Forgeneralinformationonourotherproductsandservicesortoobtaintechnicalsupport,pleasecontactourCustomerCareDepartmentwithintheU.S.at(877)762-2974,outsidetheU.S.at(317)572-3993orfax(317)572-4002.

Wileypublishesinavarietyofprintandelectronicformatsandbyprint-on-demand.Somematerialincludedwithstandardprintversionsofthisbookmaynotbeincludedine-booksorinprint-on-demand.IfthisbookreferstomediasuchasaCDorDVDthatisnotincludedintheversionyoupurchased,youmaydownloadthismaterialathttp://booksupport.wiley.com.FormoreinformationaboutWileyproducts,visitwww.wiley.com.

LibraryofCongressControlNumber:2016949703

TRADEMARKS:Wiley,theWileylogo,andtheSybexlogoaretrademarksorregisteredtrademarksofJohnWiley&Sons,Inc.and/oritsaffiliates,intheUnitedStatesandothercountries,andmaynotbeusedwithoutwrittenpermission.AWSisaregisteredtrademarkofAmazonTechnologies,Inc.Allothertrademarksarethepropertyoftheirrespectiveowners.JohnWiley&Sons,Inc.isnotassociatedwithanyproductorvendormentionedinthisbook.

Page 5: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

FortheoriginalAWSinstructor,MikeCulver,whotaughtushowtoteach,lead,andinspirewithtenacityandkindness.

Page 6: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

CONTENTSAcknowledgments

AbouttheAuthors

Foreword

Introduction

AssessmentTest

AnswerstoAssessmentTest

Chapter1IntroductiontoAWS

WhatIsCloudComputing?

AWSFundamentals

AWSCloudComputingPlatform

Summary

ExamEssentials

ReviewQuestions

Chapter2AmazonSimpleStorageService(AmazonS3)andAmazonGlacierStorage

Introduction

ObjectStorageversusTraditionalBlockandFileStorage

AmazonSimpleStorageService(AmazonS3)Basics

Buckets

AmazonS3AdvancedFeatures

AmazonGlacier

Summary

ExamEssentials

Exercises

ReviewQuestions

Chapter3AmazonElasticComputeCloud(AmazonEC2)andAmazonElasticBlockStore(AmazonEBS)

Introduction

AmazonElasticComputeCloud(AmazonEC2)

AmazonElasticBlockStore(AmazonEBS)

Summary

ExamEssentials

Exercises

ReviewQuestions

Chapter4AmazonVirtualPrivateCloud(AmazonVPC)

Introduction

Page 7: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

AmazonVirtualPrivateCloud(AmazonVPC)

Subnets

RouteTables

InternetGateways

DynamicHostConfigurationProtocol(DHCP)OptionSets

ElasticIPAddresses(EIPs)

ElasticNetworkInterfaces(ENIs)

Endpoints

Peering

SecurityGroups

NetworkAccessControlLists(ACLs)

NetworkAddressTranslation(NAT)InstancesandNATGateways

VirtualPrivateGateways(VPGs),CustomerGateways(CGWs),andVirtualPrivateNetworks(VPNs)

Summary

ExamEssentials

Exercises

ReviewQuestions

Chapter5ElasticLoadBalancing,AmazonCloudWatch,andAutoScaling

Introduction

ElasticLoadBalancing

AmazonCloudWatch

AutoScaling

Summary

ExamEssentials

Exercises

ReviewQuestions

Chapter6AWSIdentityandAccessManagement(IAM)

Principals

Authentication

Authorization

OtherKeyFeatures

Summary

ExamEssentials

Exercises

ReviewQuestions

Chapter7DatabasesandAWS

Page 8: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

DatabasePrimer

AmazonRelationalDatabaseService(AmazonRDS)

AmazonRedshift

AmazonDynamoDB

Summary

ExamEssentials

Exercises

ReviewQuestions

Chapter8SQS,SWF,andSNS

AmazonSimpleQueueService(AmazonSQS)

AmazonSimpleWorkflowService(AmazonSWF)

AmazonSimpleNotificationService(AmazonSNS)

Summary

ExamEssentials

Exercises

ReviewQuestions

Chapter9DomainNameSystem(DNS)andAmazonRoute53

DomainNameSystem(DNS)

AmazonRoute53Overview

Summary

ExamEssentials

Exercises

ReviewQuestions

Chapter10AmazonElastiCache

Introduction

In-MemoryCaching

AmazonElastiCache

Summary

ExamEssentials

Exercises

ReviewQuestions

Chapter11AdditionalKeyServices

Introduction

StorageandContentDelivery

Security

Analytics

DevOps

Page 9: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

Summary

ExamEssentials

ReviewQuestions

Chapter12SecurityonAWS

Introduction

SharedResponsibilityModel

AWSComplianceProgram

AWSGlobalInfrastructureSecurity

AWSAccountSecurityFeatures

AWSCloudService-SpecificSecurity

Summary

ExamEssentials

Exercises

ReviewQuestions

Chapter13AWSRiskandCompliance

Introduction

OverviewofComplianceinAWS

EvaluatingandIntegratingAWSControls

AWSRiskandComplianceProgram

AWSReports,Certifications,andThird-PartyAttestations

Summary

ExamEssentials

ReviewQuestions

Chapter14ArchitectureBestPractices

Introduction

DesignforFailureandNothingFails

ImplementElasticity

LeverageDifferentStorageOptions

BuildSecurityinEveryLayer

ThinkParallel

LooseCouplingSetsYouFree

Don’tFearConstraints

Summary

ExamEssentials

Exercises

ReviewQuestions

AppendixAAnswerstoReviewQuestions

Page 10: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

Chapter1:IntroductiontoAWS

Chapter2:AmazonSimpleStorageService(AmazonS3)andAmazonGlacierStorage

Chapter3:AmazonElasticComputeCloud(AmazonEC2)andAmazonElasticBlockStore(AmazonEBS)

Chapter4:AmazonVirtualPrivateCloud(AmazonVPC)

Chapter5:ElasticLoadBalancing,AmazonCloudWatch,andAutoScaling

Chapter6:AWSIdentityandAccessManagement(IAM)

Chapter7:DatabasesandAWS

Chapter8:SQS,SWF,andSNS

Chapter9:DomainNameSystem(DNS)andAmazonRoute53

Chapter10:AmazonElastiCache

Chapter11:AdditionalKeyServices

Chapter12:SecurityonAWS

Chapter13:AWSRiskandCompliance

Chapter14:ArchitectureBestPractices

Advert

EULA

Page 11: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

ListofTablesChapter3

TABLE3.1

TABLE3.2

TABLE3.3

TABLE3.4

TABLE3.5

TABLE3.6

Chapter4

TABLE4.1

TABLE4.2

TABLE4.3

TABLE4.4

TABLE4.5

Chapter6

TABLE6.1

TABLE6.2

TABLE6.3

Chapter7

TABLE7.1

TABLE7.2

TABLE7.3

TABLE7.4

TABLE7.5

Chapter12

TABLE12.1

Chapter14

TABLE14.1

Page 12: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

ListofIllustrationsChapter1

FIGURE1.1Sixadvantagesofcloudcomputing

FIGURE1.2AWSCloudcomputingplatform

FIGURE1.3Autoscalingcapacity

FIGURE1.4AWSCloudFormationworkflowsummary

Chapter3

FIGURE3.1MemoryandvCPUsforthem4instancefamily

FIGURE3.2AworkloadusingamixofOn-DemandandReservedInstances

Chapter4

FIGURE4.1VPC,subnets,andaroutetable

FIGURE4.2VPC,subnet,routetable,andanInternetgateway

FIGURE4.3VPCpeeringconnectionsdonotsupporttransitiverouting

FIGURE4.4VPCwithVPNconnectiontoacustomernetwork

Chapter5

FIGURE5.1AutoScalinggroupbehindanElasticLoadBalancingloadbalancer

FIGURE5.2AutoScalinggroupwithpolicy

FIGURE5.3AmazonCloudWatchalarmtriggeringscalingout

Chapter6

FIGURE6.1DifferentidentitiesauthenticatingwithAWS

FIGURE6.2AssociatingIAMuserswithpolicies

Chapter7

FIGURE7.1Multi-AZAmazonRDSarchitecture

FIGURE7.2AmazonRedshiftclusterarchitecture

FIGURE7.3Table,items,attributesrelationship

FIGURE7.4Tablepartitioning

Chapter8

FIGURE8.1Messagelifecycle

FIGURE8.2Diagramofvisibilitytimeout

FIGURE8.3AmazonSWFworkflowillustration

FIGURE8.4Diagramoftopicdelivery

FIGURE8.5Diagramoffanoutscenario

Page 13: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

Chapter9

FIGURE9.1FQDNcomponents

Chapter10

FIGURE10.1Commoncachingarchitecture

FIGURE10.2Redisreplicationgroup

Chapter11

FIGURE11.1Deliveringstaticanddynamiccontent

FIGURE11.2HighavailabilityCloudHSMarchitecture

FIGURE11.3AmazonKinesisFirehose

FIGURE11.4AmazonKinesisStreams

FIGURE11.5Examplepipeline

FIGURE11.6Simpleapplicationserverstack

FIGURE11.7SimpleapplicationserverstackwithAWSOpsWorks

FIGURE11.8Creatingastackworkflow

FIGURE11.9Updatingastackworkflow

FIGURE11.10AWSTrustedAdvisorConsoledashboard

Chapter12

FIGURE12.1Thesharedresponsibilitymodel

FIGURE12.2AmazonWebServicesregions

FIGURE12.3AmazonEC2multiplelayersofsecurity

FIGURE12.4AmazonEC2securitygroupfirewall

FIGURE12.5AmazonVPCnetworkarchitecture

FIGURE12.6Flexiblenetworkarchitectures

Chapter13

FIGURE13.1Sharedresponsibilitymodel

Chapter14

FIGURE14.1Simplewebapplicationarchitecture

FIGURE14.2Updatedwebapplicationarchitecturewithredundancy

FIGURE14.3Updatedwebapplicationarchitecturewithautoscaling

FIGURE14.4UpdatedwebapplicationarchitecturewithAmazonS3andAmazonCloudFront

FIGURE14.5UpdatedwebapplicationarchitecturewithAmazonElastiCacheandAmazonDynamoDB

Page 14: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

FIGURE14.6Tightandloosecoupling

FIGURE14.7Samplewebapplicationforchapterexercises

Page 15: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

AcknowledgmentsTheauthorswouldliketothankafewpeoplewhohelpedusdevelopandwritethisAWSCertifiedSolutionsArchitectOfficialStudyGuide:AssociateExam.

First,thankstoallourfamilieswhoputupwithusspendingweekendsandeveningscreatingcontent,writingquestions,andreviewingeachother'schapters.Theirpatienceandsupportmadethisbookpossible.

NiamhO'Byrne,AWSCertificationManager,whointroducedalloftheauthorsandmanymoresolutionsarchitectsatAWStocertificationtestingandgotthisbookstartedbychallengingsomeofustoextendourreachandhelpmorecloudpractitionersgetcertified.

NathanBowerandVictoriaSteidel,amazingtechnicalwritersatAWSwhoreviewedandeditedallthecontentandeveryquestionandgentlymadeusbetterwritersandcommunicators.Theyweretirelessinreviewingandhelpingushoneandfocusourcontent.

PatrickShumate,afellowAWSsolutionsarchitectwhocontributedtestquestionsrightwhenweneededthehelptogetusoverthefinishline.

WecouldnothavewrittenthisbookwithoutthehelpofourfriendsatWiley.KenyonBrown,SeniorAcquisitionsEditor,corralledusandfocusedusontheendgoal.Additionally,wewereguidedbyGarySchwartz,ProjectEditor;KeziaEndsley,Copyeditor;andDassiZeidel,ProductionEditorwhotookoutputfromdifferentauthorsandturneditintoacohesiveandcompletefinishedproduct.

Lastly,wewanttothankallthesolutionsarchitectsatAWSwhoparticipatedincertificationblueprintdevelopment,questionwriting,andreviewsessions,andthedevelopmentofaworld-classcertificationprogramforcloudpractitionersthatissettingthestandardforourindustry.

Page 16: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

AbouttheAuthors

JoeBaron,PrincipalSolutionsArchitectforAWS,iscurrentlyworkingwithcustomersintheSoutheasternUnitedStates.JoejoinedAWSin2009asoneofthefirstsolutionsarchitects,andintheyearssincehehashelpedcustomersofallsizes,fromsmallstartupstosomeofthelargestenterprisesintheworld,toarchitecttheirinfrastructuresandmigratetheirapplicationstothecloud.HewasalsoanearlycontributortotheAWSAssociateandProfessionalCertifiedSolutionsArchitectprograms.JoeholdsaBSdegreeinengineeringphysicsfromCornellUniversityandisproudtobean“expertgeneralist.”PriortojoiningAWS,Joehad25yearsofexperienceintechnology,withrolesindatacenterautomation,virtualization,lifesciences,high-performancecomputing,3Dvisualization,hardwareandsoftwaredevelopment,andIndependentSoftwareVendor(ISV)programmanagement.HeisalsoadedicatedhusbandtoCarolandfatheroftwochildren,MattandJessie.Whennothelpingcustomersmigrateallthethingstothecloud,Joeisanamateurclassicalpianistandcollectoroftraditionalwoodworkingtools.HelivesintheRaleigh,NCarea.

HishamBazisapassionatesoftwareengineerandsystemsarchitectwithexpertisebuildingdistributedapplicationsandhigh-performance,mission-criticalsystems.Since2013,HishamhasbeenasolutionsarchitectwithAWSworkingwithcustomerslikePinterest,Airbnb,andGeneralElectrictobuildresilientarchitecturesinthecloudwithafocusonbigdataandanalytics.PriortoAmazon,Hishamfoundedtwoearly-stagestartups,modernizedthecommunicationsnetworkconnectingcriticaltransportationinfrastructure,andimprovedcellularnetworkswithlarge-scaledataanalytics.HishamisbasedinSanFrancisco,CAandliveswithhiswife,Suki.Theycanoftenbefoundhikingtheredwoods.

Page 17: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

TimBixler,CommercialAmericasSoutheastAreaSolutionsArchitectureLeaderforAWS,leadsteamsofsolutionsarchitectswhoprovideAWStechnicalenablement,evangelism,andknowledgetransfertocustomerslikeCapitalOne,TheCoca-ColaCompany,AOL,KochIndustries,CoxAutomotive,NASCAR,Emdeon,andNeustar.Timhasover20yearsofexperienceinimprovingsystemsandoperationalperformance,productivity,andcustomersatisfactionforprivateandpublicglobalcorporationsaswellasgovernmentagencies.HeisalsoapublicspeakerforAmazonandenjoyshelpingcustomersadoptinnovativesolutionsonAWS.Butifyouaskhis7-year-oldsonTJwhathedoes,hemightsaythatdaddyisabuilderandafixer.Whennototherwisetasked,youcanfindhimburrowedinhislabbuildingrobotsdrivenbymicrocontrollersoratthelocalBrickFairadmiringthecreationsthathehasnotimetobuild.

BiffGautstartedwritingprogramsforalivingonCP/MontheOsborne1.Sincethoseearlydays,heobtainedaBSinengineeringfromVirginiaTechwhilewritingCcodeonMS-DOS,marriedhiswife,Holly,whilewritinghisfirstGUIapps,andraisedtwochildrenwhiletransitioningfromCOMobjectsinC++towebappsin.NET.Alongtheway,heleddevelopmentteamsfrom1to50membersforcompaniesincludingNASDAQ,ThomsonReuters,Verizon,Microsoft,FINRA,andMarriott.Hehascollaboratedontwobooksandspokenatcountlessconferences,includingWindowsWorldandtheMicrosoftPDC.BiffiscurrentlyasolutionsarchitectatAWS,helpingcustomersacrossthecountryrealizethebenefitsofthecloudbydeployingsecure,available,efficientworkloadsonAWS.Andyes,that’shisrealname.

Page 18: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

KevinE.Kelly,SolutionsArchitectureManagerandearlycontributortotheAWSSolutionsArchitectureCertificationexams,hasbeenatAWSforoversevenyearshelpingcompaniesarchitecttheirinfrastructuresandmigratetheirapplicationstothecloud.KevinhasaBSincomputersciencefromMercerUniversityandaMasterofInformationSystemsinbusinessfromtheUniversityofMontana.BeforejoiningAmazon,KevinwasanAirForceofficer,aprogrammer—includingembeddedprogramming—andatechnicalpresalesleader.KevinhasbeenthechairmanoftheWorldwideWebConsortium(W3C)CompoundDocumentFormatWorkingGroupandledthatopen-standardsworkinggroupindevelopingtheWebInteractiveCompoundDocument(WICD)profileformobileanddesktopdevices.HehasalsoservedastheW3CAdvisoryCouncilRepresentativeforHealthLevel7(HL7).KevinlivesinVirginiawithhiswife,Laurie,andtheirtwodaughters,CarolineandAmelia.Kevinisanamateurviolinandmandolinplayerandazymurgist.

SeanSeniorisasolutionsarchitectatAWS.Seanisabuilderatheartandthrivesinafast-pacedenvironmentwithcontinuouschallenges.SeanhasaBSincomputerinformationandsciencesfromtheUniversityofMarylandUniversityCollege.Seanisadevotedhusbandandfatherofabeautifulgirl.HeisaU.S.Navyveteran,avidsportsfan,andgymrat.Heloathestalkingabouthimselfinthethirdperson,butcanbepersuadedtodosoforagoodreason.

Page 19: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

JohnStamper,PrincipalSolutionsArchitectatAWS,isaco-inventorformultipleAWSpatentsandisparticularlyfondofdistributedsystemsatscale.JohnholdsaBSinmathematicsfromJamesMadisonUniversity(94)andanMSinInformationSystemsfromGeorgeMasonUniversity(04).Inadditiontobuildingsystemsonthecloudandhelpingcustomersreimaginetheirbusinesses,Johnisadedicatedhusbandandfatherofthreechildren.HeisaCrossFitathlete,youthsportscoach,andvocalsupporterofthearts.

Page 20: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

ForewordThisAWSCertifiedSolutionsArchitectOfficialStudyGuide:AssociateExamhasbeenwrittentohelpyoupreparefortheAWSCertifiedSolutionsArchitect–Associateexam.Thiscertificationisbecominganincreasinglyimportantcredentialthateveryinformationtechnologyprofessionalandcloudpractitionerwhoplans,designs,andbuildsapplicationarchitecturesfordeploymentonAWSshouldobtain.PassingtheAWSCertifiedSolutionsArchitect–Associateexamdemonstratestoyourcolleagues,employers,andtheindustryatlargethatyouknowhowtobuildanddeployAWSsolutionsthatarehighlyavailable,secure,performant,andcosteffective.

ThisstudyguidewaswrittenbyAWSsolutionsarchitectswhowroteandreviewedexamquestionsfortheAWSCertifiedSolutionsArchitectexams.Althoughnothingreplaceshands-onexperiencebuildinganddeployingavarietyofcloudapplicationsandcontrolsonAWS,thisstudyguide,andthequestionsandexercisesineachchapter,provideyouwithcoverageofthebasicAWSCloudservicescombinedwitharchitecturalrecommendationsandbestpracticesthatwillhelpprepareyoufortheexam.Combiningthisstudyguidewithproductionapplicationdeploymentexperienceandtakingthepracticeexamsonlinewillprepareyouwellandallowyoutotaketheexamwithconfidence.AddingtheAWSCertifiedSolutionsArchitect—Associatecertificationtoyourcredentialswillestablishyouasanindustry-recognizedsolutionsarchitectfortheAWSplatform!

—KevinE.KellyAmericasSolutionsArchitectureLead

AWSCertifiedSolutionsArchitect–AssociateAWSCertifiedSolutionsArchitect–Professional

Herndon,VA

Page 21: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

IntroductionStudyingforanycertificationexamcanseemdaunting.ThisAWSCertifiedSolutionsArchitectOfficialStudyGuide:AssociateExamwasdesignedanddevelopedwithrelevanttopics,questions,andexercisestoenableacloudpractitionertofocustheirpreciousstudytimeandeffortonthegermanesetoftopicstargetedattherightlevelofabstractionsotheycanconfidentlytaketheAWSCertifiedSolutionsArchitect–Associateexam.

Thisstudyguidepresentsasetoftopicsneededtoroundoutacloudpractitioner’shands-onexperienceswithAWSbycoveringthebasicAWSCloudservicesandconceptswithinthescopeoftheAWSCertifiedSolutionsArchitect–Associateexam.ThisstudyguidebeginswithanintroductiontoAWS,whichisthenfollowedbychaptersonspecificAWSCloudservices.Inadditiontotheserviceschapters,thetopicsofsecurity,riskandcompliance,andarchitecturebestpracticesarecovered,providingthereaderwithasolidbaseforunderstandinghowtobuildanddeployapplicationsontheAWSplatform.Furthermore,theAWSarchitecturalbestpracticesandprinciplesarereinforcedineverychapterandreflectedintheself-studyquestionsandexamplestohighlightthedevelopmentanddeploymentofapplicationsforAWSthataresecure,highlyavailable,performant,andcosteffective.Eachchapterincludesspecificinformationontheserviceortopiccovered,followedbyanExamEssentialssectionthatcontainskeyinformationneededinyourexampreparation.TheExamEssentialssectionisfollowedbyanExercisesectionwithexercisesdesignedtohelpreinforcethetopicofthechapterwithhands-onlearning.Next,eachchaptercontainssamplequestionstogetyouaccustomedtoansweringquestionsaboutAWSCloudservicesandarchitecturetopics.Thebookalsocontainsaself-assessmentexamwith25questions,twopracticeexams,with50questionseachtohelpyougaugeyourreadinesstotaketheexam,andflashcardstohelpyoulearnandretainkeyfactsneededtopreparefortheexam.

Ifyouarelookingforatargetedbookwrittenbysolutionsarchitectswhowrote,reviewed,anddevelopedtheAWSCertifiedSolutionsArchitect–Associateexam,thenthisisthebookforyou.

Page 22: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

WhatDoesThisBookCover?ThisbookcoverstopicsyouneedtoknowtopreparefortheAmazonWebServices(AWS)CertifiedSolutionsArchitect–Associateexam:

Chapter1:IntroductiontoAWSThischapterprovidesanintroductiontotheAWSCloudcomputingplatform.ItdiscussestheadvantagesofcloudcomputingandthefundamentalsofAWS.ItprovidesanoverviewoftheAWSCloudservicesthatarefundamentallyimportantfortheexam.

Chapter2:AmazonSimpleStorageService(AmazonS3)andAmazonGlacierStorageThischapterprovidesyouwithabasicunderstandingofthecoreobjectstorageservicesavailableonAWS:AmazonSimpleStorageService(AmazonS3)andAmazonGlacier.TheseservicesareusedtostoreobjectsonAWS.

Chapter3:AmazonElasticComputeCloud(AmazonEC2)andAmazonElasticBlockStore(AmazonEBS)Inthischapter,youwilllearnhowAmazonElasticComputeCloud(AmazonEC2)andAmazonElasticBlockStore(AmazonEBS)providethebasicelementsofcomputeandblock-levelstoragetorunyourworkloadsonAWS.

Chapter4:AmazonVirtualPrivateCloud(AmazonVPC)ThischapterdescribesAmazonVirtualPrivateCloud(AmazonVPC),whichisacustom-definedvirtualnetworkwithinAWS.YouwilllearnhowtodesignsecurearchitecturesusingAmazonVPCtoprovisionyourownlogicallyisolatedsectionofAWS.

Chapter5:ElasticLoadBalancing,AmazonCloudWatch,andAutoScalingInthischapter,youwilllearnhowElasticLoadBalancing,AmazonCloudWatch,andAutoScalingworkindependentlyandtogethertohelpyouefficientlyandcost-effectivelydeployhighlyavailableandoptimizedworkloadsonAWS.

Chapter6:AWSIdentityandAccessManagement(IAM)ThischaptercoversAWSIdentityandAccessManagement(IAM),whichisusedtosecuretransactionswiththeAWSresourcesinyourAWSaccount.

Chapter7:DatabasesandAWSThischaptercoversessentialdatabaseconceptsandintroducesthreeofAWSmanageddatabaseservices:AmazonRelationalDatabaseService(AmazonRDS),AmazonDynamoDB,andAmazonRedshift.Thesemanagedservicessimplifythesetupandoperationofrelationaldatabases,NoSQLdatabases,anddatawarehouses.

Chapter8:SQS,SWF,andSNSThischapterfocusesonapplicationservicesinAWS,specificallyAmazonSimpleQueueService(AmazonSQS),AmazonSimpleWorkflowService(SWF),andAmazonSimpleNotificationService(AmazonSNS).ItalsocoversarchitecturalguidanceonusingtheseservicesandtheuseofAmazonSNSinmobileapplications.

Chapter9:DomainNameSystem(DNS)andAmazonRoute53Inthischapter,youwilllearnaboutDomainNameSystem(DNS)andtheAmazonRoute53service,whichisdesignedtohelpusersfindyourwebsiteorapplicationovertheInternet.

Chapter10:AmazonElastiCacheThischapterfocusesonbuildinghigh-performanceapplicationsusingin-memorycachingtechnologiesandAmazonElastiCache.

Chapter11:AdditionalKeyServicesAdditionalservicesnotcoveredinotherchaptersare

Page 23: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

coveredinthischapter.TopicsincludeAmazonCloudFront,AWSStorageGateway,AWSDirectoryService,AWSKeyManagementService(KMS),AWSCloudHSM,AWSCloudTrail,AmazonKinesis,AmazonElasticMapReduce(AmazonEMR),AWSDataPipeline,AWSImport/Export,AWSOpsWorks,AWSCloudFormation,AWSElasticBeanstalk,AWSTrustedAdvisor,andAWSConfig.

Chapter12:SecurityonAWSThischaptercoverstherelevantsecuritytopicsthatarewithinscopefortheAWSCertifiedSolutionsArchitect–Associateexam.

Chapter13:AWSRiskandComplianceThischaptercoverstopicsassociatedwithriskandcompliance,riskmitigation,andthesharedresponsibilitymodelofusingAWS.

Chapter14:ArchitectureBestPracticesThefinalchaptercoverstheAWS-recommendeddesignprinciplesandbestpracticesforarchitectingsystemsandapplicationsfortheCloud.

Page 24: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

InteractiveOnlineLearningEnvironmentandTestBankTheauthorshaveworkedhardtoprovidesomereallygreattoolstohelpyouwithyourcertificationprocess.TheinteractiveonlinelearningenvironmentthataccompaniestheAWSCertifiedSolutionsArchitectOfficialStudyGuide:AssociateExamprovidesatestbankwithstudytoolstohelpyouprepareforthecertificationexam—andincreaseyourchancesofpassingitthefirsttime!Thetestbankincludesthefollowing:

SampleTestsAllthequestionsinthisbookareprovided,includingtheassessmenttestattheendofthisIntroductionandthechapterteststhatincludethereviewquestionsattheendofeachchapter.Inaddition,therearetwopracticeexamswith50questionseach.Usethesequestionstotestyourknowledgeofthestudyguidematerial.Theonlinetestbankrunsonmultipledevices.

FlashcardsTheonlinetextbanksinclude100flashcardsspecificallywrittentohityouhard,sodon’tgetdiscouragedifyoudon’taceyourwaythroughthematfirst.They’retheretoensurethatyou’rereallyreadyfortheexam.Andnoworries—armedwiththereviewquestions,practiceexams,andflashcards,you’llbemorethanpreparedwhenexamdaycomes.Questionsareprovidedindigitalflashcardformat(aquestionfollowedbyasinglecorrectanswer).Youcanusetheflashcardstoreinforceyourlearningandprovidelast-minutetestprepbeforetheexam.

GlossaryAglossaryofkeytermsfromthisbookisavailableasafullysearchablePDF.

Gotohttp://www.wiley.com/go/sybextestpreptoregisterandgainaccesstothisinteractiveonlinelearningenvironmentandtestbankwithstudytools.

Page 25: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

ExamObjectivesTheAWSCertifiedSolutionsArchitect—AssociateexamisintendedforpeoplewhohaveexperienceindesigningdistributedapplicationsandsystemsontheAWSplatform.Herearesomeofthekeyexamtopicsthatyoushouldunderstandforthisexam:

Designinganddeployingscalable,highlyavailable,andfault-tolerantsystemsonAWS

Migratingexistingon-premisesapplicationstoAWS

IngressandegressofdatatoandfromAWS

SelectingtheappropriateAWSservicebasedondata,compute,database,orsecurityrequirements

IdentifyingappropriateuseofAWSarchitecturalbestpractices

EstimatingAWScostsandidentifyingcostcontrolmechanisms

Ingeneral,candidatesshouldhavethefollowing:

Oneormoreyearsofhands-onexperiencedesigninghighlyavailable,costefficient,secure,faulttolerant,andscalabledistributedsystemsonAWS

In-depthknowledgeofatleastonehigh-levelprogramminglanguage

AbilitytoidentifyanddefinerequirementsforanAWS-basedapplication

Experiencewithdeployinghybridsystemswithon-premisesandAWScomponents

CapabilitytoprovidebestpracticesforbuildingsecureandreliableapplicationsontheAWSplatform

Theexamcoversfourdifferentdomains,witheachdomainbrokendownintoobjectivesandsubobjectives.

ObjectiveMapThefollowingtablelistseachdomainanditsweightingintheexam,alongwiththechaptersinthebookwherethatdomain’sobjectivesandsubobjectivesarecovered.

Domain PercentageofExam

Chapter

1Domain1.0:Designinghighlyavailable,cost-efficient,fault-tolerant,scalablesystems

60%

1.1Identifyandrecognizecloudarchitectureconsiderations,suchasfundamentalcomponentsandeffectivedesigns.

1,2,3,4,5,7,8,9,10,11,14

Contentmayincludethefollowing:

Howtodesigncloudservices 1,2,3,4,8,9,11,14

Page 26: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

Planninganddesign 1,2,3,4,7,8,9,10,11,14

Monitoringandlogging 2,3,8,9,11

Familiaritywith:

BestpracticesforAWSarchitecture 1,2,4,7,8,9,10,14

Developingtoclientspecifications,includingpricing/cost(e.g.,onDemandvs.Reservedvs.Spot;RTOandRPODRDesign)

2,7,9

Architecturaltrade-offdecisions(e.g.,highavailabilityvs.cost,AmazonRelationalDatabaseService(RDS)vs.installingyourowndatabaseonAmazonElasticComputeCloud(EC2))

2,4,7,8,9,10

HybridITarchitectures(e.g.,DirectConnect,StorageGateway,VPC,DirectoryServices)

1,2,4,14

Elasticityandscalability(e.g.,AutoScaling,SQS,ELB,CloudFront) 1,2,5,7,8,9,10,14

2Domain2.0:Implementation/Deployment 10%

2.1IdentifytheappropriatetechniquesandmethodsusingAmazonEC2,AmazonS3,AWSElasticBeanstalk,AWSCloudFormation,AWSOpsWorks,AmazonVirtualPrivateCloud(VPC),andAWSIdentityandAccessManagement(IAM)tocodeandimplementacloudsolution.

1,2,3,4,5,6,8,11,13

Contentmayincludethefollowing:

ConfigureanAmazonMachineImage(AMI). 2,3,11

OperateandextendservicemanagementinahybridITarchitecture. 1,4

Configureservicestosupportcompliancerequirementsinthecloud. 2,3,4,11,13

LaunchinstancesacrosstheAWSglobalinfrastructure. 1,2,3,5,8,11

ConfigureIAMpoliciesandbestpractices. 2,6

3Domain3.0:DataSecurity 20%

3.1Recognizeandimplementsecurepracticesforoptimumclouddeploymentandmaintenance.

2,4,10,12,13

Contentmayincludethefollowing:

AWSsharedresponsibilitymodel 12,13

AWSplatformcompliance 11,12,13

AWSsecurityattributes(customerworkloadsdowntophysicallayer) 4,11,12,

Page 27: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

13

AWSadministrationandsecurityservices 7,10,11,12

AWSIdentityandAccessManagement(IAM) 6,12

AmazonVirtualPrivateCloud(VPC) 4,12

AWSCloudTrail 11,12

Ingressvs.egressfiltering,andwhichAWSservicesandfeaturesfit 11,12

“Core”AmazonEC2andS3securityfeaturesets 2,4,12

Incorporatingcommonconventionalsecurityproducts(Firewall,VPN)

4,12

Designpatterns 7,13

DDoSmitigation 12

Encryptionsolutions(e.g.,keyservices) 2,11,12

Complexaccesscontrols(buildingsophisticatedsecuritygroups,ACLs,etc.)

2,12

AmazonCloudWatchforthesecurityarchitect 5

TrustedAdvisor 11

CloudWatchLogs 5

3.2Recognizecriticaldisasterrecoverytechniquesandtheirimplementation.

3,7,9,10

Contentmayincludethefollowing:

Disasterrecovery 3

Recoverytimeobjective 7

Recoverypointobjective 7

AmazonElasticBlockStore 3

AWSImport/Export 11

AWSStorageGateway 11

AmazonRoute53 9

Validationofdatarecoverymethod 3

4Domain4.0:Troubleshooting 10%

Contentmayincludethefollowing:

Generaltroubleshootinginformationandquestions 5,8

Page 28: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

AssessmentTest1. UnderasingleAWSaccount,youhavesetupanAutoScalinggroupwithamaximumcapacityof50AmazonElasticComputeCloud(AmazonEC2)instancesinus-west-2.Whenyouscaleout,however,itonlyincreasesto20AmazonEC2instances.Whatisthelikelycause?

A. AutoScalinghasahardlimitof20AmazonEC2instances.

B. Ifnotspecified,theAutoScalinggroupmaximumcapacitydefaultsto20AmazonEC2instances.

C. TheAutoScalinggroupdesiredcapacityissetto20,soAutoScalingstoppedat20AmazonEC2instances.

D. YouhaveexceededthedefaultAmazonEC2instancelimitof20perregion.

2. ElasticLoadBalancingallowsyoutodistributetrafficacrosswhichofthefollowing?

A. OnlywithinasingleAvailabilityZone

B. MultipleAvailabilityZoneswithinaregion

C. MultipleAvailabilityZoneswithinandbetweenregions

D. MultipleAvailabilityZoneswithinandbetweenregionsandon-premisesvirtualizedinstancesrunningOpenStack

3. AmazonCloudWatchofferswhichtypesofmonitoringplans?(Choose2answers)

A. Basic

B. Detailed

C. Diagnostic

D. Precognitive

E. Retroactive

4. AnAmazonElasticComputeCloud(AmazonEC2)instanceinanAmazonVirtualPrivateCloud(AmazonVPC)subnetcansendandreceivetrafficfromtheInternetwhenwhichofthefollowingconditionsaremet?(Choose3answers)

A. NetworkAccessControlLists(ACLs)andsecuritygrouprulesdisallowalltrafficexceptrelevantInternettraffic.

B. NetworkACLsandsecuritygrouprulesallowrelevantInternettraffic.

C. AttachanInternetGateway(IGW)totheAmazonVPCandcreateasubnetroutetabletosendallnon-localtraffictothatIGW.

D. AttachaVirtualPrivateGateway(VPG)totheAmazonVPCandcreatesubnetroutestosendallnon-localtraffictothatVPG.

E. TheAmazonEC2instancehasapublicIPaddressorElasticIP(EIP)address.

F. TheAmazonEC2instancedoesnotneedapublicIPorElasticIPwhenusing

Page 29: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

AmazonVPC.

5. IfyoulaunchfiveAmazonElasticComputeCloud(AmazonEC2)instancesinanAmazonVirtualPrivateCloud(AmazonVPC)withoutspecifyingasecuritygroup,theinstanceswillbelaunchedintoadefaultsecuritygroupthatprovideswhichofthefollowing?(Choose3answers)

A. ThefiveAmazonEC2instancescancommunicatewitheachother.

B. ThefiveAmazonEC2instancescannotcommunicatewitheachother.

C. AllinboundtrafficwillbeallowedtothefiveAmazonEC2instances.

D. NoinboundtrafficwillbeallowedtothefiveAmazonEC2instances.

E. AlloutboundtrafficwillbeallowedfromthefiveAmazonEC2instances.

F. NooutboundtrafficwillbeallowedfromthefiveAmazonEC2instances.

6. YourcompanywantstohostitssecurewebapplicationinAWS.Theinternalsecuritypoliciesconsideranyconnectionstoorfromthewebserverasinsecureandrequireapplicationdataprotection.Whatapproachesshouldyouusetoprotectdataintransitfortheapplication?(Choose2answers)

A. UseBitLockertoencryptdata.

B. UseHTTPSwithservercertificateauthentication.

C. UseanAWSIdentityandAccessManagement(IAM)role.

D. UseSecureSocketsLayer(SSL)/TransportLayerSecurity(TLS)fordatabaseconnection.

E. UseXMLfordatatransferfromclienttoserver.

7. YouhaveanapplicationthatwillrunonanAmazonElasticComputeCloud(AmazonEC2)instance.TheapplicationwillmakerequeststoAmazonSimpleStorageService(AmazonS3)andAmazonDynamoDB.Usingbestpractices,whattypeofAWSIdentityandAccessManagement(IAM)identityshouldyoucreateforyourapplicationtoaccesstheidentifiedservices?

A. IAMrole

B. IAMuser

C. IAMgroup

D. IAMdirectory

8. WhenarequestismadetoanAWSCloudservice,therequestisevaluatedtodecidewhetheritshouldbeallowedordenied.Theevaluationlogicfollowswhichofthefollowingrules?(Choose3answers)

A. Anexplicitallowoverridesanydenies.

B. Bydefault,allrequestsaredenied.

C. Anexplicitallowoverridesthedefault.

D. Anexplicitdenyoverridesanyallows.

Page 30: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

E. Bydefault,allrequestsareallowed.

9. WhatisthedataprocessingenginebehindAmazonElasticMapReduce(AmazonEMR)?

A. ApacheHadoop

B. ApacheHive

C. ApachePig

D. ApacheHBase

10. WhattypeofAWSElasticBeanstalkenvironmenttierprovisionsresourcestosupportawebapplicationthathandlesbackgroundprocessingtasks?

A. Webserverenvironmenttier

B. Workerenvironmenttier

C. Databaseenvironmenttier

D. Batchenvironmenttier

11. WhatAmazonRelationalDatabaseService(AmazonRDS)featureprovidesthehighavailabilityforyourdatabase?

A. Regularmaintenancewindows

B. Securitygroups

C. Automatedbackups

D. Multi-AZdeployment

12. WhatadministrativetasksarehandledbyAWSforAmazonRelationalDatabaseService(AmazonRDS)databases?(Choose3answers)

A. Regularbackupsofthedatabase

B. Deployingvirtualinfrastructure

C. Deployingtheschema(forexample,tablesandstoredprocedures)

D. Patchingtheoperatingsystemanddatabasesoftware

E. Settingupnon-admindatabaseaccountsandprivileges

13. WhichofthefollowingusecasesiswellsuitedforAmazonRedshift?

A. A500TBdatawarehouseusedformarketanalytics

B. ANoSQL,unstructureddatabaseworkload

C. Ahightraffic,e-commercewebapplication

D. Anin-memorycache

14. WhichofthefollowingstatementsaboutAmazonDynamoDBsecondaryindexesistrue?

A. Therecanbemanypertable,andtheycanbecreatedatanytime.

B. Therecanonlybeonepertable,anditmustbecreatedwhenthetableiscreated.

C. Therecanbemanypertable,andtheycanbecreatedatanytime.

Page 31: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

D. Therecanonlybeonepertable,anditmustbecreatedwhenthetableiscreated.

15. WhatistheprimaryusecaseofAmazonKinesisFirehose?

A. Ingesthugestreamsofdataandallowcustomprocessingofdatainflight.

B. IngesthugestreamsofdataandstoreittoAmazonSimpleStorageService(AmazonS3),AmazonRedshift,orAmazonElasticsearchService.

C. GenerateahugestreamofdatafromanAmazonS3bucket.

D. GenerateahugestreamofdatafromAmazonDynamoDB.

16. Yourcompanyhas17TBoffinancialtradingrecordsthatneedtobestoredforsevenyearsbylaw.Experiencehasshownthatanyrecordmorethanayearoldisunlikelytobeaccessed.Whichofthefollowingstorageplansmeetstheseneedsinthemostcost-efficientmanner?

A. StorethedataonAmazonElasticBlockStore(AmazonEBS)volumeattachedtot2.largeinstances.

B. StorethedataonAmazonSimpleStorageService(AmazonS3)withlifecyclepoliciesthatchangethestorageclasstoAmazonGlacierafteroneyear,anddeletetheobjectaftersevenyears.

C. StorethedatainAmazonDynamoDB,anddeletedataolderthansevenyears.

D. StorethedatainanAmazonGlacierVaultLock.

17. WhatmustyoudotocreatearecordofwhoaccessedyourAmazonSimpleStorageService(AmazonS3)dataandfromwhere?

A. EnableAmazonCloudWatchlogs.

B. Enableversioningonthebucket.

C. Enablewebsitehostingonthebucket.

D. Enableserveraccesslogsonthebucket.

E. CreateanAWSIdentityandAccessManagement(IAM)bucketpolicy.

18. AmazonSimpleStorageService(AmazonS3)isaneventuallyconsistentstoragesystem.Forwhatkindsofoperationsisitpossibletogetstaledataasaresultofeventualconsistency?

A. GETafterPUTofanewobject

B. GETorLISTafteraDELETE

C. GETafteroverwritePUT(PUTtoanexistingkey)

D. DELETEafterGETofnewobject

19. HowisdatastoredinAmazonSimpleStorageService(AmazonS3)forhighdurability?

A. Dataisautomaticallyreplicatedtootherregions.

B. DataisautomaticallyreplicatedtodifferentAvailabilityZoneswithinaregion.

C. Dataisreplicatedonlyifversioningisenabledonthebucket.

Page 32: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

D. Dataisautomaticallybackedupontapeandrestoredifneeded.

20. Yourcompanyneedstoprovidestreamingaccesstovideostoauthenticatedusersaroundtheworld.Whatisagoodwaytoaccomplishthis?

A. UseAmazonSimpleStorageService(AmazonS3)bucketsineachregionwithwebsitehostingenabled.

B. StorethevideosonAmazonElasticBlockStore(AmazonEBS)volumes.

C. EnableAmazonCloudFrontwithgeolocationandsignedURLs.

D. RunafleetofAmazonElasticComputeCloud(AmazonEC2)instancestohostthevideos.

21. WhichofthefollowingaretrueabouttheAWSsharedresponsibilitymodel?(Choose3answers)

A. AWSisresponsibleforallinfrastructurecomponents(thatis,AWSCloudservices)thatsupportcustomerdeployments.

B. Thecustomerisresponsibleforthecomponentsfromtheguestoperatingsystemupward(includingupdates,securitypatches,andantivirussoftware).

C. ThecustomermayrelyonAWStomanagethesecurityoftheirworkloadsdeployedonAWS.

D. WhileAWSmanagessecurityofthecloud,securityinthecloudistheresponsibilityofthecustomer.

E. ThecustomermustaudittheAWSdatacenterspersonallytoconfirmthecomplianceofAWSsystemsandservices.

22. WhichprocessinanAmazonSimpleWorkflowService(AmazonSWF)workflowimplementsatask?

A. Decider

B. Activityworker

C. Workflowstarter

D. Businessrule

23. WhichofthefollowingistrueifyoustopanAmazonElasticComputeCloud(AmazonEC2)instancewithanElasticIPaddressinanAmazonVirtualPrivateCloud(AmazonVPC)?

A. TheinstanceisdisassociatedfromitsElasticIPaddressandmustbere-attachedwhentheinstanceisrestarted.

B. TheinstanceremainsassociatedwithitsElasticIPaddress.

C. TheElasticIPaddressisreleasedfromyouraccount.

D. TheinstanceisdisassociatedfromtheElasticIPaddresstemporarilywhileyourestarttheinstance.

24. WhichAmazonElasticComputeCloud(AmazonEC2)pricingmodelallowsyoutopaya

Page 33: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

sethourlypriceforcompute,givingyoufullcontroloverwhentheinstancelaunchesandterminates?

A. Spotinstances

B. Reservedinstance

C. OnDemandinstances

D. Dedicatedinstances

25. UnderwhatcircumstanceswillAmazonElasticComputeCloud(AmazonEC2)instancestoredatanotbepreserved?

A. Theassociatedsecuritygroupsarechanged.

B. Theinstanceisstoppedorrebooted.

C. Theinstanceisrebootedorterminated.

D. Theinstanceisstoppedorterminated.

E. Noneoftheabove

Page 34: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

AnswerstoAssessmentTest1. D.AutoScalingmaycauseyoutoreachlimitsofotherservices,suchasthedefaultnumberofAmazonEC2instancesyoucancurrentlylaunchwithinaregion,whichis20.

2. B.TheElasticLoadBalancingserviceallowsyoutodistributetrafficacrossagroupofAmazonElasticComputeCloud(AmazonEC2)instancesinoneormoreAvailabilityZoneswithinaregion.

3. AandB.AmazonCloudWatchhastwoplans:basicanddetailed.Therearenodiagnostic,precognitive,orretroactivemonitoringplansforAmazonCloudWatch.

4. B,C,andE.YoumustdothefollowingtocreateapublicsubnetwithInternetaccess:

AttachanIGWtoyourAmazonVPC.

Createasubnetroutetableruletosendallnon-localtraffic(forexample,0.0.0.0/0)totheIGW.

ConfigureyournetworkACLsandsecuritygrouprulestoallowrelevanttraffictoflowtoandfromyourinstance.

YoumustdothefollowingtoenableanAmazonEC2instancetosendandreceivetrafficfromtheInternet:

AssignapublicIPaddressorEIPaddress.

5. A,D,andE.Ifasecuritygroupisnotspecifiedatlaunch,thenanAmazonEC2instancewillbelaunchedintothedefaultsecuritygroupfortheAmazonVPC.Thedefaultsecuritygroupallowscommunicationbetweenallresourceswithinthesecuritygroup,allowsalloutboundtraffic,anddeniesallothertraffic.

6. BandD.Toprotectdataintransitfromtheclientstothewebapplication,HTTPSwithservercertificateauthenticationshouldbeused.Toprotectdataintransitfromthewebapplicationtothedatabase,SSL/TLSfordatabaseconnectionshouldbeused.

7. A.Don'tcreateanIAMuser(oranIAMgroup)andpasstheuser'scredentialstotheapplicationorembedthecredentialsintheapplication.Instead,createanIAMrolethatyouattachtotheAmazonEC2instancetogiveapplicationsrunningontheinstancetemporarysecuritycredentials.Thecredentialshavethepermissionsspecifiedinthepoliciesattachedtotherole.AdirectoryisnotanidentityobjectinIAM.

8. B,C,andD.Whenarequestismade,theAWSservicedecideswhetheragivenrequestshouldbeallowedordenied.Theevaluationlogicfollowstheserules:

1)Bydefault,allrequestsaredenied(ingeneral,requestsmadeusingtheaccountcredentialsforresourcesintheaccountarealwaysallowed).

2)Anexplicitallowoverridesthisdefault.

3)Anexplicitdenyoverridesanyallows.

9. A.AmazonEMRusesApacheHadoopasitsdistributeddataprocessingengine.Hadoopisanopensource,Javasoftwareframeworkthatsupportsdata-intensivedistributed

Page 35: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

applicationsrunningonlargeclustersofcommodityhardware.Hive,Pig,andHBasearepackagesthatrunontopofHadoop.

10. B.Anenvironmenttierwhosewebapplicationrunsbackgroundjobsisknownasaworkertier.Anenvironmenttierwhosewebapplicationprocesseswebrequestsisknownasawebservertier.Databaseandbatcharenotvalidenvironmenttiers.

11. D.Multi-AZdeploymentusessynchronousreplicationtoadifferentAvailabilityZonesothatoperationscancontinueonthereplicaifthemasterdatabasestopsrespondingforanyreason.Automatedbackupsprovidedisasterrecovery,nothighavailability.Securitygroups,whileimportant,havenoeffectonavailability.Maintenancewindowsareactuallytimeswhenthedatabasemaynotbeavailable.

12. A,B,andD.AmazonRDSwilllaunchAmazonElasticComputeCloud(AmazonEC2)instances,installthedatabasesoftware,handleallpatching,andperformregularbackups.Anythingwithinthedatabasesoftware(schema,useraccounts,andsoon)istheresponsibilityofthecustomer.

13. A.AmazonRedshiftisapetabyte-scaledatawarehouse.ItisnotwellsuitedforunstructuredNoSQLdataorhighlydynamictransactionaldata.Itisinnowayacache.

14. D.Therecanbeonesecondaryindexpertable,anditmustbecreatedwhenthetableiscreated.

15. B.TheAmazonKinesisfamilyofservicesprovidesfunctionalitytoingestlargestreamsofdata.AmazonKinesisFirehoseisspecificallydesignedtoingestastreamandsaveittoanyofthethreestorageserviceslistedinResponseB.

16. B.AmazonS3andAmazonGlacierarethemostcost-effectivestorageservices.Afterayear,whentheobjectsareunlikelytobeaccessed,youcansavecostsbytransferringtheobjectstoAmazonGlacierwheretheretrievaltimeisthreetofivehours.

17. D.ServeraccesslogsprovidearecordofanyaccesstoanobjectinAmazonS3.

18. C.AmazonS3providesread-after-writeconsistencyforPUTstonewobjects(newkey),buteventualconsistencyforGETsandDELETEsofexistingobjects(existingkey).ResponseCchangestheexistingobjectsothatasubsequentGETmayfetchthepreviousandinconsistentobject.

19. B.AWSwillnevertransferdatabetweenregionsunlessdirectedtobyyou.DurabilityinAmazonS3isachievedbyreplicatingyourdatageographicallytodifferentAvailabilityZonesregardlessoftheversioningconfiguration.AWSdoesn'tusetapes.

20. C.AmazonCloudFrontprovidesthebestuserexperiencebydeliveringthedatafromageographicallyadvantageousedgelocation.SignedURLsallowyoutocontrolaccesstoauthenticatedusers.

21. A,B,andD.IntheAWSsharedresponsibilitymodel,customersretaincontrolofwhatsecuritytheychoosetoimplementtoprotecttheirowncontent,platform,applications,systems,andnetworks,nodifferentlythantheywouldforapplicationsinanon-sitedatacenter.

22. B.Anactivityworkerisaprocessorthreadthatperformstheactivitytasksthatarepartofyourworkflow.EachactivityworkerpollsAmazonSWFfornewtasksthatare

Page 36: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

appropriateforthatactivityworkertoperform;certaintaskscanbeperformedonlybycertainactivityworkers.Afterreceivingatask,theactivityworkerprocessesthetasktocompletionandthenreportstoAmazonSWFthatthetaskwascompletedandprovidestheresult.Theactivitytaskrepresentsoneofthetasksthatyouidentifiedinyourapplication.

23. B.InanAmazonVPC,aninstance'sElasticIPaddressremainsassociatedwithaninstancewhentheinstanceisstopped.

24. C.YoupayasethourlypriceforanOnDemandinstancefromwhenyoulaunchituntilyouexplicitlystoporterminateit.Spotinstancescanbeterminatedwhenthespotpricegoesaboveyourbidprice.Reservedinstancesinvolvepayingforaninstanceoveraone-orthree-yearterm.Dedicatedinstancesrunonhardwarededicatedtoyouraccountandarenotapricingmodel.

25. D.Thedatainaninstancestorepersistsonlyduringthelifetimeofitsassociatedinstance.Ifaninstanceisstoppedorterminated,thentheinstancestoredoesnotpersist.Rebootinganinstancedoesnotshutdowntheinstance;ifaninstancereboots(intentionallyorunintentionally),dataontheinstancestorepersists.Securitygroupshavenothingtodowiththelifetimeofaninstanceandhavenoeffecthere.

Page 37: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

Chapter1IntroductiontoAWSTHEAWSCERTIFIEDSOLUTIONSARCHITECTASSOCIATEEXAMOBJECTIVESCOVEREDINTHISCHAPTERMAYINCLUDE,BUTARENOTLIMITEDTO,THEFOLLOWING:Domain1.0:Designinghighlyavailable,cost-efficient,fault-tolerant,scalablesystems

1.1Identifyandrecognizecloudarchitectureconsiderations,suchasfundamentalcomponentsandeffectivedesigns.

Contentmayincludethefollowing:

Howtodesigncloudservices

Planninganddesign

Familiaritywith:

BestpracticesforAWSarchitecture

HybridITarchitectures(e.g.,AWSDirectConnect,AWSStorageGateway,AmazonVirtualPrivateCloud[AmazonVPC],AWSDirectoryService)

Elasticityandscalability(e.g.,AutoScaling,AmazonSimpleQueueService[AmazonSQS],ElasticLoadBalancing,AmazonCloudFront)

Domain2.0:Implementation/Deployment

2.1IdentifytheappropriatetechniquesandmethodsusingAmazonElasticComputeCloud(AmazonEC2),AmazonSimpleStorageService(AmazonS3),AWSElasticBeanstalk,AWSCloudFormation,AWSOpsWorks,AmazonVPC,andAWSIdentityandAccessManagement(IAM)tocodeandimplementacloudsolution.

Contentmayincludethefollowing:

OperateandextendservicemanagementinahybridITarchitecture.

Configureservicestosupportcompliancerequirementsinthecloud.

LaunchinstancesacrosstheAWSglobalinfrastructure.

In2006,AmazonWebServices,Inc.(AWS)beganofferingITinfrastructureservicestobusinessesintheformofwebservices,nowcommonlyknownascloud

Page 38: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

computing.Oneofthekeybenefitsofcloudcomputingistheopportunitytoreplaceup-frontcapitalinfrastructureexpenseswithlowvariablecoststhatscalewithyourbusiness.Withthecloud,businessesnolongerneedtoplanforandprocureserversandotherITinfrastructureweeksormonthsinadvance.Instead,theycaninstantlyspinuphundredsorthousandsofserversinminutesanddeliverresultsfaster.

Today,AWSprovidesahighlyreliable,scalable,andlow-costinfrastructureplatforminthecloudthatpowershundredsofthousandsofbusinessesinmorethan190countriesaroundtheworld.

ThischapterprovidesanintroductiontotheAWSCloudcomputingplatform.ItdiscussestheadvantagesofcloudcomputingandthefundamentalsofAWS.ItprovidesanoverviewoftheAWSCloudservicesthatarefundamentallyimportantfortheexam.

Page 39: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

WhatIsCloudComputing?Cloudcomputingistheon-demanddeliveryofITresourcesandapplicationsviatheInternetwithpay-as-you-gopricing.Whetheryourunapplicationsthatsharephotostomillionsofmobileusersordeliverservicesthatsupportthecriticaloperationsofyourbusiness,thecloudprovidesrapidaccesstoflexibleandlow-costITresources.Withcloudcomputing,youdon’tneedtomakelargeup-frontinvestmentsinhardwareandspendalotoftimemanagingthathardware.Instead,youcanprovisionexactlytherighttypeandsizeofcomputingresourcesyouneedtopoweryournewestbrightideaoroperateyourITdepartment.Withcloudcomputing,youcanaccessasmanyresourcesasyouneed,almostinstantly,andonlypayforwhatyouuse.

Initssimplestform,cloudcomputingprovidesaneasywaytoaccessservers,storage,databases,andabroadsetofapplicationservicesovertheInternet.CloudcomputingproviderssuchasAWSownandmaintainthenetwork-connectedhardwarerequiredfortheseapplicationservices,whileyouprovisionandusewhatyouneedforyourworkloads.

AdvantagesofCloudComputingCloudcomputingintroducesarevolutionaryshiftinhowtechnologyisobtained,used,andmanaged,andinhoworganizationsbudgetandpayfortechnologyservices.Withtheabilitytoreconfigurethecomputingenvironmentquicklytoadapttochangingbusinessrequirements,organizationscanoptimizespending.Capacitycanbeautomaticallyscaledupordowntomeetfluctuatingusagepatterns.Servicescanbetemporarilytakenofflineorshutdownpermanentlyasbusinessdemandsdictate.Inaddition,withpay-per-usebilling,AWSCloudservicesbecomeanoperationalexpenseinsteadofacapitalexpense.

Whileeachorganizationexperiencesauniquejourneytothecloudwithnumerousbenefits,sixadvantagesbecomeapparenttimeandtimeagain,asillustratedinFigure1.1.

Page 40: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

FIGURE1.1Sixadvantagesofcloudcomputing

Variablevs.CapitalExpenseLet’sbeginwiththeabilitytotradecapitalexpenseforvariableoperationalexpense.Insteadofhavingtoinvestheavilyindatacentersandserversbeforeknowinghowyou’regoingtousethem,youcanpayonlywhenyouconsumecomputingresourcesandpayonlyforhowmuchyouconsume.

EconomiesofScaleAnotheradvantageofcloudcomputingisthatorganizationsbenefitfrommassiveeconomiesofscale.Byusingcloudcomputing,youcanachievealowervariablecostthanyouwouldgetonyourown.Becauseusagefromhundredsofthousandsofcustomersisaggregatedinthecloud,providerssuchasAWScanachievehighereconomiesofscale,whichtranslatesintolowerprices.

StopGuessingCapacityWhenyoumakeacapacitydecisionpriortodeployinganapplication,youoftenendupeithersittingonexpensiveidleresourcesordealingwithlimitedcapacity.Withcloudcomputing,organizationscanstopguessingaboutcapacityrequirementsfortheinfrastructurenecessarytomeettheirbusinessneeds.Theycanaccessasmuchoraslittleastheyneedandscaleupordownasrequiredwithonlyafewminutes’notice.

IncreaseSpeedandAgilityInacloudcomputingenvironment,newITresourcesareoneclickaway,whichallows

Page 41: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

organizationstoreducethetimeittakestomakethoseresourcesavailabletodevelopersfromweekstojustminutes.Thisresultsinadramaticincreaseinspeedandagilityfortheorganization,becausethecostandtimeittakestoexperimentanddevelopissignificantlylower.

FocusonBusinessDifferentiatorsCloudcomputingallowsorganizationstofocusontheirbusinesspriorities,insteadofontheheavyliftingofracking,stacking,andpoweringservers.Byembracingthisparadigmshift,organizationscanstopspendingmoneyonrunningandmaintainingdatacenters.Thisallowsorganizationstofocusonprojectsthatdifferentiatetheirbusinesses,suchasanalyzingpetabytesofdata,deliveringvideocontent,buildinggreatmobileapplications,orevenexploringMars.

GoGlobalinMinutesAnotheradvantageofcloudcomputingistheabilitytogoglobalinminutes.Organizationscaneasilydeploytheirapplicationstomultiplelocationsaroundtheworldwithjustafewclicks.Thisallowsorganizationstoprovideredundancyacrosstheglobeandtodeliverlowerlatencyandbetterexperiencestotheircustomersatminimalcost.Goingglobalusedtobesomethingonlythelargestenterprisescouldaffordtodo,butcloudcomputingdemocratizesthisability,makingitpossibleforanyorganization.

Whilespecificquestionsontheseadvantagesofcloudcomputingareunlikelytobeontheexam,havingexposuretothesebenefitscanhelprationalizetheappropriateanswers.

CloudComputingDeploymentModelsThetwoprimarycloudcomputingdeploymentmodelsthattheexamfocusesonare“all-in”cloud-baseddeploymentsandhybriddeployments.Itisimportanttounderstandhoweachstrategyappliestoarchitecturaloptionsanddecisions.

Anall-incloud-basedapplicationisfullydeployedinthecloud,withallcomponentsoftheapplicationrunninginthecloud.Applicationsinthecloudhaveeitherbeencreatedinthecloudorhavebeenmigratedfromanexistinginfrastructuretotakeadvantageofthebenefitsofcloudcomputing.Cloud-basedapplicationscanbebuiltonlow-levelinfrastructurepiecesorcanusehigher-levelservicesthatprovideabstractionfromthemanagement,architecting,andscalingrequirementsofcoreinfrastructure.

Ahybriddeploymentisacommonapproachtakenbymanyenterprisesthatconnectsinfrastructureandapplicationsbetweencloud-basedresourcesandexistingresources,typicallyinanexistingdatacenter.Themostcommonmethodofhybriddeploymentisbetweenthecloudandexistingon-premisesinfrastructuretoextendandgrowanorganization’sinfrastructurewhileconnectingcloudresourcestointernalsystems.Choosingbetweenanexistinginvestmentininfrastructureandmovingtotheclouddoesnotneedtobeabinarydecision.Leveragingdedicatedconnectivity,identityfederation,andintegratedtoolsallowsorganizationstorunhybridapplicationsacrosson-premisesandcloudservices.

Page 42: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

AWSFundamentalsAtitscore,AWSprovideson-demanddeliveryofITresourcesviatheInternetonasecurecloudservicesplatform,offeringcomputepower,storage,databases,contentdelivery,andotherfunctionalitytohelpbusinessesscaleandgrow.UsingAWSresourcesinsteadofyourownislikepurchasingelectricityfromapowercompanyinsteadofrunningyourowngenerator,anditprovidesthekeyadvantagesofcloudcomputing:Capacityexactlymatchesyourneed,youpayonlyforwhatyouuse,economiesofscaleresultinlowercosts,andtheserviceisprovidedbyavendorexperiencedinrunninglarge-scalenetworks.

AWSglobalinfrastructureandAWSapproachtosecurityandcompliancearekeyfoundationalconceptstounderstandasyoupreparefortheexam.

GlobalInfrastructureAWSservesoveronemillionactivecustomersinmorethan190countries,anditcontinuestoexpanditsglobalinfrastructuresteadilytohelporganizationsachievelowerlatencyandhigherthroughputfortheirbusinessneeds.

AWSprovidesahighlyavailabletechnologyinfrastructureplatformwithmultiplelocationsworldwide.TheselocationsarecomposedofregionsandAvailabilityZones.Eachregionisaseparategeographicarea.Eachregionhasmultiple,isolatedlocationsknownasAvailabilityZones.AWSenablestheplacementofresourcesanddatainmultiplelocations.Resourcesaren’treplicatedacrossregionsunlessorganizationschoosetodoso.

Eachregioniscompletelyindependentandisdesignedtobecompletelyisolatedfromtheotherregions.Thisachievesthegreatestpossiblefaulttoleranceandstability.EachAvailabilityZoneisalsoisolated,buttheAvailabilityZonesinaregionareconnectedthroughlow-latencylinks.AvailabilityZonesarephysicallyseparatedwithinatypicalmetropolitanregionandarelocatedinlower-riskfloodplains(specificfloodzonecategorizationvariesbyregion).Inadditiontousingadiscreteuninterruptablepowersupply(UPS)andon-sitebackupgenerators,theyareeachfedviadifferentgridsfromindependentutilities(whenavailable)toreducesinglepointsoffailurefurther.AvailabilityZonesareallredundantlyconnectedtomultipletier-1transitproviders.ByplacingresourcesinseparateAvailabilityZones,youcanprotectyourwebsiteorapplicationfromaservicedisruptionimpactingasinglelocation.

YoucanachievehighavailabilitybydeployingyourapplicationacrossmultipleAvailabilityZones.Redundantinstancesforeachtier(forexample,web,application,anddatabase)ofanapplicationshouldbeplacedindistinctAvailabilityZones,therebycreatingamultisitesolution.Ataminimum,thegoalistohaveanindependentcopyofeachapplicationstackintwoormoreAvailabilityZones.

SecurityandComplianceWhetheron-premisesoronAWS,informationsecurityisofparamountimportanceto

Page 43: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

organizationsrunningcriticalworkloads.Securityisacorefunctionalrequirementthatprotectsmission-criticalinformationfromaccidentalordeliberatetheft,leakage,integritycompromise,anddeletion.Helpingtoprotecttheconfidentiality,integrity,andavailabilityofsystemsanddataisoftheutmostimportancetoAWS,asismaintainingyourtrustandconfidence.

ThissectionisintendedtoprovideaverybriefintroductiontoAWSapproachtosecurityandcompliance.Chapter12,“SecurityonAWS,”andChapter13,“AWSRiskandCompliance,”willaddressthesetopicsingreaterdetail,includingtheimportanceofeachontheexam.

SecurityCloudsecurityatAWSisthenumberonepriority.AllAWScustomersbenefitfromdatacenterandnetworkarchitecturesbuilttosatisfytherequirementsofthemostsecurity-sensitiveorganizations.AWSanditspartnersofferhundredsoftoolsandfeaturestohelporganizationsmeettheirsecurityobjectivesforvisibility,auditability,controllability,andagility.Thismeansthatorganizationscanhavethesecuritytheyneed,butwithoutthecapitaloutlayandwithmuchloweroperationaloverheadthaninanon-premisesenvironment.

OrganizationsleveragingAWSinheritallthebestpracticesofAWSpolicies,architecture,andoperationalprocessesbuilttosatisfytherequirementsofthemostsecurity-sensitivecustomers.TheAWSinfrastructurehasbeendesignedtoprovidethehighestavailabilitywhileputtingstrongsafeguardsinplaceregardingcustomerprivacyandsegregation.WhendeployingsystemsontheAWSCloudcomputingplatform,AWShelpsbysharingthesecurityresponsibilitieswiththeorganization.AWSmanagestheunderlyinginfrastructure,andtheorganizationcansecureanythingitdeploysonAWS.Thisaffordseachorganizationtheflexibilityandagilitytheyneedinsecuritycontrols.

Thisinfrastructureisbuiltandmanagednotonlyaccordingtosecuritybestpracticesandstandards,butalsowiththeuniqueneedsofthecloudinmind.AWSusesredundantandlayeredcontrols,continuousvalidationandtesting,andasubstantialamountofautomationtoensurethattheunderlyinginfrastructureismonitoredandprotected24/7.AWSensuresthatthesecontrolsareconsistentlyappliedineverynewdatacenterorservice.

ComplianceWhencustomersmovetheirproductionworkloadstotheAWSCloud,bothpartiesbecomeresponsibleformanagingtheITenvironment.Customersareresponsibleforsettinguptheirenvironmentinasecureandcontrolledmanner.CustomersalsoneedtomaintainadequategovernanceovertheirentireITcontrolenvironment.Bytyingtogethergovernance-focused,audit-friendlyservicefeatureswithapplicablecomplianceorauditstandards,AWSenablescustomerstobuildontraditionalcomplianceprograms.ThishelpsorganizationsestablishandoperateinanAWSsecuritycontrolenvironment.

Organizationsretaincompletecontrolandownershipovertheregioninwhichtheirdataisphysicallylocated,allowingthemtomeetregionalcomplianceanddataresidencyrequirements.

Page 44: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

TheITinfrastructurethatAWSprovidestoorganizationsisdesignedandmanagedinalignmentwithsecuritybestpracticesandavarietyofITsecuritystandards.ThefollowingisapartiallistofthemanycertificationsandstandardswithwhichAWScomplies:

ServiceOrganizationControls(SOC)1/InternationalStandardonAssuranceEngagements(ISAE)3402,SOC2,andSOC3

FederalInformationSecurityManagementAct(FISMA),DepartmentofDefenseInformationAssuranceCertificationandAccreditationProcess(DIACAP),andFederalRiskandAuthorizationManagementProgram(FedRAMP)

PaymentCardIndustryDataSecurityStandard(PCIDSS)Level1

InternationalOrganizationforStandardization(ISO)9001,ISO27001,andISO27018

AWSprovidesawiderangeofinformationregardingitsITcontrolenvironmenttohelporganizationsachieveregulatorycommitmentsintheformofreports,certifications,accreditations,andotherthird-partyattestations.

Page 45: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

AWSCloudComputingPlatformAWSprovidesmanycloudservicesthatyoucancombinetomeetbusinessororganizationalneeds(seeFigure1.2).Whilebeingknowledgeableaboutalltheplatformserviceswillallowyoutobeawell-roundedsolutionsarchitect,understandingtheservicesandfundamentalconceptsoutlinedinthisbookwillhelpprepareyoufortheAWSCertifiedSolutionsArchitect–Associateexam.

FIGURE1.2AWSCloudcomputingplatform

ThissectionintroducesthemajorAWSCloudservicesbycategory.Subsequentchaptersprovideadeeperviewoftheservicespertinenttotheexam.

AccessingthePlatformToaccessAWSCloudservices,youcanusetheAWSManagementConsole,theAWSCommandLineInterface(CLI),ortheAWSSoftwareDevelopmentKits(SDKs).

TheAWSManagementConsoleisawebapplicationformanagingAWSCloudservices.Theconsoleprovidesanintuitiveuserinterfaceforperformingmanytasks.Eachservicehasitsownconsole,whichcanbeaccessedfromtheAWSManagementConsole.Theconsolealsoprovidesinformationabouttheaccountandbilling.

TheAWSCommandLineInterface(CLI)isaunifiedtoolusedtomanageAWSCloudservices.Withjustonetooltodownloadandconfigure,youcancontrolmultipleservicesfromthecommandlineandautomatethemthroughscripts.

TheAWSSoftwareDevelopmentKits(SDKs)provideanapplicationprogramminginterface(API)thatinteractswiththewebservicesthatfundamentallymakeuptheAWSplatform.TheSDKsprovidesupportformanydifferentprogramminglanguagesandplatformstoallowyoutoworkwithyourpreferredlanguage.WhileyoucancertainlymakeHTTPcallsdirectly

Page 46: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

tothewebserviceendpoints,usingtheSDKscantakethecomplexityoutofcodingbyprovidingprogrammaticaccessformanyoftheservices.

ComputeandNetworkingServicesAWSprovidesavarietyofcomputeandnetworkingservicestodelivercorefunctionalityforbusinessestodevelopandruntheirworkloads.Thesecomputeandnetworkingservicescanbeleveragedwiththestorage,database,andapplicationservicestoprovideacompletesolutionforcomputing,queryprocessing,andstorageacrossawiderangeofapplications.Thissectionoffersahigh-leveldescriptionofthecorecomputingandnetworkingservices.

AmazonElasticComputeCloud(AmazonEC2)AmazonElasticComputeCloud(AmazonEC2)isawebservicethatprovidesresizablecomputecapacityinthecloud.ItallowsorganizationstoobtainandconfigurevirtualserversinAmazon’sdatacentersandtoharnessthoseresourcestobuildandhostsoftwaresystems.Organizationscanselectfromavarietyofoperatingsystemsandresourceconfigurations(memory,CPU,storage,andsoon)thatareoptimalfortheapplicationprofileofeachworkload.AmazonEC2presentsatruevirtualcomputingenvironment,allowingorganizationstolaunchcomputeresourceswithavarietyofoperatingsystems,loadthemwithcustomapplications,andmanagenetworkaccesspermissionswhilemaintainingcompletecontrol.

AWSLambdaAWSLambdaisazero-administrationcomputeplatformforback-endwebdevelopersthatrunsyourcodeforyouontheAWSCloudandprovidesyouwithafine-grainedpricingstructure.AWSLambdarunsyourback-endcodeonitsownAWScomputefleetofAmazonEC2instancesacrossmultipleAvailabilityZonesinaregion,whichprovidesthehighavailability,security,performance,andscalabilityoftheAWSinfrastructure.

AutoScalingAutoScalingallowsorganizationstoscaleAmazonEC2capacityupordownautomaticallyaccordingtoconditionsdefinedfortheparticularworkload(seeFigure1.3).NotonlycanitbeusedtohelpmaintainapplicationavailabilityandensurethatthedesirednumberofAmazonEC2instancesarerunning,butitalsoallowsresourcestoscaleinandouttomatchthedemandsofdynamicworkloads.Insteadofprovisioningforpeakload,organizationscanoptimizecostsanduseonlythecapacitythatisactuallyneeded.

Page 47: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

FIGURE1.3Autoscalingcapacity

AutoScalingiswellsuitedbothtoapplicationsthathavestabledemandpatternsandtoapplicationsthatexperiencehourly,daily,orweeklyvariabilityinusage.

ElasticLoadBalancingElasticLoadBalancingautomaticallydistributesincomingapplicationtrafficacrossmultipleAmazonEC2instancesinthecloud.Itenablesorganizationstoachievegreaterlevelsoffaulttoleranceintheirapplications,seamlesslyprovidingtherequiredamountofloadbalancingcapacityneededtodistributeapplicationtraffic.

AWSElasticBeanstalkAWSElasticBeanstalkisthefastestandsimplestwaytogetawebapplicationupandrunningonAWS.Developerscansimplyuploadtheirapplicationcode,andtheserviceautomaticallyhandlesallthedetails,suchasresourceprovisioning,loadbalancing,AutoScaling,andmonitoring.Itprovidessupportforavarietyofplatforms,includingPHP,Java,Python,Ruby,Node.js,.NET,andGo.WithAWSElasticBeanstalk,organizationsretainfullcontrolovertheAWSresourcespoweringtheapplicationandcanaccesstheunderlyingresourcesatanytime.

AmazonVirtualPrivateCloud(AmazonVPC)AmazonVirtualPrivateCloud(AmazonVPC)letsorganizationsprovisionalogicallyisolatedsectionoftheAWSCloudwheretheycanlaunchAWSresourcesinavirtualnetworkthattheydefine.Organizationshavecompletecontroloverthevirtualenvironment,includingselectionoftheIPaddressrange,creationofsubnets,andconfigurationofroutetablesand

Page 48: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

networkgateways.Inaddition,organizationscanextendtheircorporatedatacenternetworkstoAWSbyusinghardwareorsoftwarevirtualprivatenetwork(VPN)connectionsordedicatedcircuitsbyusingAWSDirectConnect.

AWSDirectConnectAWSDirectConnectallowsorganizationstoestablishadedicatednetworkconnectionfromtheirdatacentertoAWS.UsingAWSDirectConnect,organizationscanestablishprivateconnectivitybetweenAWSandtheirdatacenter,office,orcolocationenvironment,whichinmanycasescanreducenetworkcosts,increasebandwidththroughput,andprovideamoreconsistentnetworkexperiencethanInternet-basedVPNconnections.

AmazonRoute53AmazonRoute53isahighlyavailableandscalableDomainNameSystem(DNS)webservice.Itisdesignedtogivedevelopersandbusinessesanextremelyreliableandcost-effectivewaytorouteenduserstoInternetapplicationsbytranslatinghumanreadablenames,suchaswww.example.com,intothenumericIPaddresses,suchas192.0.2.1,thatcomputersusetoconnecttoeachother.AmazonRoute53alsoservesasdomainregistrar,allowingyoutopurchaseandmanagedomainsdirectlyfromAWS.

StorageandContentDeliveryAWSprovidesavarietyofservicestomeetyourstorageneeds,suchasAmazonSimpleStorageService,AmazonCloudFront,andAmazonElasticBlockStore.Thissectionprovidesanoverviewofthestorageandcontentdeliveryservices.

AmazonSimpleStorageService(AmazonS3)AmazonSimpleStorageService(AmazonS3)providesdevelopersandITteamswithhighlydurableandscalableobjectstoragethathandlesvirtuallyunlimitedamountsofdataandlargenumbersofconcurrentusers.Organizationscanstoreanynumberofobjectsofanytype,suchasHTMLpages,sourcecodefiles,imagefiles,andencrypteddata,andaccessthemusingHTTP-basedprotocols.AmazonS3providescost-effectiveobjectstorageforawidevarietyofusecases,includingbackupandrecovery,nearlinearchive,bigdataanalytics,disasterrecovery,cloudapplications,andcontentdistribution.

AmazonGlacierAmazonGlacierisasecure,durable,andextremelylow-coststorageservicefordataarchivingandlong-termbackup.Organizationscanreliablystorelargeorsmallamountsofdataforaverylowcostpergigabytepermonth.Tokeepcostslowforcustomers,AmazonGlacierisoptimizedforinfrequentlyaccesseddatawherearetrievaltimeofseveralhoursissuitable.AmazonS3integratescloselywithAmazonGlaciertoalloworganizationstochoosetherightstoragetierfortheirworkloads.

AmazonElasticBlockStore(AmazonEBS)AmazonElasticBlockStore(AmazonEBS)providespersistentblock-levelstoragevolumesforusewithAmazonEC2instances.EachAmazonEBSvolumeisautomaticallyreplicatedwithinitsAvailabilityZonetoprotectorganizationsfromcomponentfailure,offeringhigh

Page 49: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

availabilityanddurability.Bydeliveringconsistentandlow-latencyperformance,AmazonEBSprovidesthediskstorageneededtorunawidevarietyofworkloads.

AWSStorageGatewayAWSStorageGatewayisaserviceconnectinganon-premisessoftwareappliancewithcloud-basedstoragetoprovideseamlessandsecureintegrationbetweenanorganization’son-premisesITenvironmentandtheAWSstorageinfrastructure.Theservicesupportsindustry-standardstorageprotocolsthatworkwithexistingapplications.Itprovideslow-latencyperformancebymaintainingacacheoffrequentlyaccesseddataon-premiseswhilesecurelystoringallofyourdataencryptedinAmazonS3orAmazonGlacier.

AmazonCloudFrontAmazonCloudFrontisacontentdeliverywebservice.ItintegrateswithotherAWSCloudservicestogivedevelopersandbusinessesaneasywaytodistributecontenttousersacrosstheworldwithlowlatency,highdatatransferspeeds,andnominimumusagecommitments.AmazonCloudFrontcanbeusedtodeliveryourentirewebsite,includingdynamic,static,streaming,andinteractivecontent,usingaglobalnetworkofedgelocations.Requestsforcontentareautomaticallyroutedtothenearestedgelocation,socontentisdeliveredwiththebestpossibleperformancetoendusersaroundtheglobe.

DatabaseServicesAWSprovidesfullymanagedrelationalandNoSQLdatabaseservices,andin-memorycachingasaserviceandapetabyte-scaledatawarehousesolution.Thissectionprovidesanoverviewoftheproductsthatthedatabaseservicescomprise.

AmazonRelationalDatabaseService(AmazonRDS)AmazonRelationalDatabaseService(AmazonRDS)providesafullymanagedrelationaldatabasewithsupportformanypopularopensourceandcommercialdatabaseengines.It’sacost-efficientservicethatallowsorganizationstolaunchsecure,highlyavailable,fault-tolerant,production-readydatabasesinminutes.BecauseAmazonRDSmanagestime-consumingadministrationtasks,includingbackups,softwarepatching,monitoring,scaling,andreplication,organizationalresourcescanfocusonrevenue-generatingapplicationsandbusinessinsteadofmundaneoperationaltasks.

AmazonDynamoDBAmazonDynamoDBisafastandflexibleNoSQLdatabaseserviceforallapplicationsthatneedconsistent,single-digitmillisecondlatencyatanyscale.Itisafullymanageddatabaseandsupportsbothdocumentandkey/valuedatamodels.Itsflexibledatamodelandreliableperformancemakeitagreatfitformobile,web,gaming,ad-tech,InternetofThings,andmanyotherapplications.

AmazonRedshiftAmazonRedshiftisafast,fullymanaged,petabyte-scaledatawarehouseservicethatmakesitsimpleandcosteffectivetoanalyzestructureddata.AmazonRedshiftprovidesastandardSQLinterfacethatletsorganizationsuseexistingbusinessintelligencetools.Byleveraging

Page 50: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

columnarstoragetechnologythatimprovesI/Oefficiencyandparallelizingqueriesacrossmultiplenodes,AmazonRedshiftisabletodeliverfastqueryperformance.TheAmazonRedshiftarchitectureallowsorganizationstoautomatemostofthecommonadministrativetasksassociatedwithprovisioning,configuring,andmonitoringaclouddatawarehouse.

AmazonElastiCacheAmazonElastiCacheisawebservicethatsimplifiesdeployment,operation,andscalingofanin-memorycacheinthecloud.Theserviceimprovestheperformanceofwebapplicationsbyallowingorganizationstoretrieveinformationfromfast,managed,in-memorycaches,insteadofrelyingentirelyonslower,disk-baseddatabases.Asofthiswriting,AmazonElastiCachesupportsMemcachedandRediscacheengines.

ManagementToolsAWSprovidesavarietyoftoolsthathelporganizationsmanageyourAWSresources.ThissectionprovidesanoverviewofthemanagementtoolsthatAWSprovidestoorganizations.

AmazonCloudWatchAmazonCloudWatchisamonitoringserviceforAWSCloudresourcesandtheapplicationsrunningonAWS.Itallowsorganizationstocollectandtrackmetrics,collectandmonitorlogfiles,andsetalarms.ByleveragingAmazonCloudWatch,organizationscangainsystem-widevisibilityintoresourceutilization,applicationperformance,andoperationalhealth.Byusingtheseinsights,organizationscanreact,asnecessary,tokeepapplicationsrunningsmoothly.

AWSCloudFormationAWSCloudFormationgivesdevelopersandsystemsadministratorsaneffectivewaytocreateandmanageacollectionofrelatedAWSresources,provisioningandupdatingtheminanorderlyandpredictablefashion.AWSCloudFormationdefinesaJSON-basedtemplatinglanguagethatcanbeusedtodescribealltheAWSresourcesthatarenecessaryforaworkload.TemplatescanbesubmittedtoAWSCloudFormationandtheservicewilltakecareofprovisioningandconfiguringthoseresourcesinappropriateorder(seeFigure1.4).

FIGURE1.4AWSCloudFormationworkflowsummary

Page 51: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

AWSCloudTrailAWSCloudTrailisawebservicethatrecordsAWSAPIcallsforanaccountanddeliverslogfilesforauditandreview.TherecordedinformationincludestheidentityoftheAPIcaller,thetimeoftheAPIcall,thesourceIPaddressoftheAPIcaller,therequestparameters,andtheresponseelementsreturnedbytheservice.

AWSConfigAWSConfigisafullymanagedservicethatprovidesorganizationswithanAWSresourceinventory,configurationhistory,andconfigurationchangenotificationstoenablesecurityandgovernance.WithAWSConfig,organizationscandiscoverexistingAWSresources,exportaninventoryoftheirAWSresourceswithallconfigurationdetails,anddeterminehowaresourcewasconfiguredatanypointintime.Thesecapabilitiesenablecomplianceauditing,securityanalysis,resourcechangetracking,andtroubleshooting.

SecurityandIdentityAWSprovidessecurityandidentityservicesthathelporganizationssecuretheirdataandsystemsonthecloud.Thefollowingsectionexplorestheseservicesatahighlevel.

AWSIdentityandAccessManagement(IAM)AWSIdentityandAccessManagement(IAM)enablesorganizationstosecurelycontrolaccesstoAWSCloudservicesandresourcesfortheirusers.UsingIAM,organizationscancreateandmanageAWSusersandgroupsandusepermissionstoallowanddenytheiraccesstoAWSresources.

AWSKeyManagementService(KMS)AWSKeyManagementService(KMS)isamanagedservicethatmakesiteasyfororganizationstocreateandcontroltheencryptionkeysusedtoencrypttheirdataandusesHardwareSecurityModules(HSMs)toprotectthesecurityofyourkeys.AWSKMSisintegratedwithseveralotherAWSCloudservicestohelpprotectdatastoredwiththeseservices.

AWSDirectoryServiceAWSDirectoryServiceallowsorganizationstosetupandrunMicrosoftActiveDirectoryontheAWSCloudorconnecttheirAWSresourceswithanexistingon-premisesMicrosoftActiveDirectory.Organizationscanuseittomanageusersandgroups,providesinglesign-ontoapplicationsandservices,createandapplyGroupPolicies,domainjoinAmazonEC2instances,andsimplifythedeploymentandmanagementofcloud-basedLinuxandMicrosoftWindowsworkloads.

AWSCertificateManagerAWSCertificateManagerisaservicethatletsorganizationseasilyprovision,manage,anddeploySecureSocketsLayer/TransportLayerSecurity(SSL/TLS)certificatesforusewithAWSCloudservices.Itremovesthetime-consumingmanualprocessofpurchasing,uploading,andrenewingSSL/TLScertificates.WithAWSCertificateManager,organizations

Page 52: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

canquicklyrequestacertificate,deployitonAWSresourcessuchasElasticLoadBalancingorAmazonCloudFrontdistributions,andletAWSCertificateManagerhandlecertificaterenewals.

AWSWebApplicationFirewall(WAF)AWSWebApplicationFirewall(WAF)helpsprotectwebapplicationsfromcommonattacksandexploitsthatcouldaffectapplicationavailability,compromisesecurity,orconsumeexcessiveresources.AWSWAFgivesorganizationscontroloverwhichtraffictoalloworblocktotheirwebapplicationsbydefiningcustomizablewebsecurityrules.

ApplicationServicesAWSprovidesavarietyofmanagedservicestousewithapplications.Thefollowingsectionexplorestheapplicationservicesatahighlevel.

AmazonAPIGatewayAmazonAPIGatewayisafullymanagedservicethatmakesiteasyfordeveloperstocreate,publish,maintain,monitor,andsecureAPIsatanyscale.OrganizationscancreateanAPIthatactsasa“frontdoor”forapplicationstoaccessdata,businesslogic,orfunctionalityfromback-endservices,suchasworkloadsrunningonAmazonEC2,coderunningonAWSLambda,oranywebapplication.AmazonAPIGatewayhandlesallthetasksinvolvedinacceptingandprocessinguptohundredsofthousandsofconcurrentAPIcalls,includingtrafficmanagement,authorizationandaccesscontrol,monitoring,andAPIversionmanagement.

AmazonElasticTranscoderAmazonElasticTranscoderismediatranscodinginthecloud.Itisdesignedtobeahighlyscalableandcost-effectivewayfordevelopersandbusinessestoconvert(ortranscode)mediafilesfromtheirsourceformatsintoversionsthatwillplaybackondeviceslikesmartphones,tablets,andPCs.

AmazonSimpleNotificationService(AmazonSNS)AmazonSimpleNotificationService(AmazonSNS)isawebservicethatcoordinatesandmanagesthedeliveryorsendingofmessagestorecipients.InAmazonSNS,therearetwotypesofclients—publishersandsubscribers—alsoreferredtoasproducersandconsumers.Publisherscommunicateasynchronouslywithsubscribersbyproducingandsendingamessagetoatopic,whichisalogicalaccesspointandcommunicationchannel.Subscribersconsumeorreceivethemessageornotificationoveroneofthesupportedprotocolswhentheyaresubscribedtothetopic.

AmazonSimpleEmailService(AmazonSES)AmazonSimpleEmailService(AmazonSES)isacost-effectiveemailservicethatorganizationscanusetosendtransactionalemail,marketingmessages,oranyothertypeofcontenttotheircustomers.AmazonSEScanalsobeusedtoreceivemessagesanddeliverthemtoanAmazonS3bucket,callcustomcodeviaanAWSLambdafunction,orpublishnotificationstoAmazonSNS.

Page 53: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

AmazonSimpleWorkflowService(AmazonSWF)AmazonSimpleWorkflowService(AmazonSWF)helpsdevelopersbuild,run,andscalebackgroundjobsthathaveparallelorsequentialsteps.AmazonSWFcanbethoughtofasafullymanagedstatetrackerandtaskcoordinatoronthecloud.Incommonarchitecturalpatterns,ifyourapplication’sstepstakemorethan500millisecondstocomplete,itisvitallyimportanttotrackthestateofprocessingandtoprovidetheabilitytorecoverorretryifataskfails.AmazonSWFhelpsorganizationsachievethisreliability.

AmazonSimpleQueueService(AmazonSQS)AmazonSimpleQueueService(AmazonSQS)isafast,reliable,scalable,fullymanagedmessagequeuingservice.AmazonSQSmakesitsimpleandcosteffectivetodecouplethecomponentsofacloudapplication.WithAmazonSQS,organizationscantransmitanyvolumeofdata,atanylevelofthroughput,withoutlosingmessagesorrequiringotherservicestobealwaysavailable.

Page 54: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

SummaryTheterm“cloudcomputing”referstotheon-demanddeliveryofITresourcesviatheInternetwithpay-as-you-gopricing.Insteadofbuying,owning,andmaintainingdatacentersandservers,organizationscanacquiretechnologysuchascomputepower,storage,databases,andotherservicesonanas-neededbasis.Withcloudcomputing,AWSmanagesandmaintainsthetechnologyinfrastructureinasecureenvironmentandbusinessesaccesstheseresourcesviatheInternettodevelopandruntheirapplications.Capacitycangroworshrinkinstantlyandbusinessespayonlyforwhattheyuse.

Cloudcomputingintroducesarevolutionaryshiftinhowtechnologyisobtained,used,andmanaged,andhoworganizationsbudgetandpayfortechnologyservices.Whileeachorganizationexperiencesauniquejourneytothecloudwithnumerousbenefits,sixadvantagesbecomeapparenttimeandtimeagain.Understandingtheseadvantagesallowsarchitectstoshapesolutionsthatdelivercontinuousbenefitstoorganizations.

AWSprovidesahighlyavailabletechnologyinfrastructureplatformwithmultiplelocationsworldwide.TheselocationsarecomposedofregionsandAvailabilityZones.Thisenablesorganizationstoplaceresourcesanddatainmultiplelocationsaroundtheglobe.Helpingtoprotecttheconfidentiality,integrity,andavailabilityofsystemsanddataisoftheutmostimportancetoAWS,asismaintainingthetrustandconfidenceoforganizationsaroundtheworld.

AWSoffersabroadsetofglobalcompute,storage,database,analytics,application,anddeploymentservicesthathelporganizationsmovefaster,lowerITcosts,andscaleapplications.HavingabroadunderstandingoftheseservicesallowssolutionsarchitectstodesigneffectivedistributedapplicationsandsystemsontheAWSplatform.

Page 55: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

ExamEssentialsUnderstandtheglobalinfrastructure.AWSprovidesahighlyavailabletechnologyinfrastructureplatformwithmultiplelocationsworldwide.TheselocationsarecomposedofregionsandAvailabilityZones.Eachregionislocatedinaseparategeographicareaandhasmultiple,isolatedlocationsknownasAvailabilityZones.

Understandregions.AnAWSregionisaphysicalgeographiclocationthatconsistsofaclusterofdatacenters.AWSregionsenabletheplacementofresourcesanddatainmultiplelocationsaroundtheglobe.Eachregioniscompletelyindependentandisdesignedtobecompletelyisolatedfromtheotherregions.Thisachievesthegreatestpossiblefaulttoleranceandstability.Resourcesaren’treplicatedacrossregionsunlessorganizationschoosetodoso.

UnderstandAvailabilityZones.AnAvailabilityZoneisoneormoredatacenterswithinaregionthataredesignedtobeisolatedfromfailuresinotherAvailabilityZones.AvailabilityZonesprovideinexpensive,low-latencynetworkconnectivitytootherzonesinthesameregion.ByplacingresourcesinseparateAvailabilityZones,organizationscanprotecttheirwebsiteorapplicationfromaservicedisruptionimpactingasinglelocation.

Understandthehybriddeploymentmodel.Ahybriddeploymentmodelisanarchitecturalpatternprovidingconnectivityforinfrastructureandapplicationsbetweencloud-basedresourcesandexistingresourcesthatarenotlocatedinthecloud.

Page 56: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

ReviewQuestions1. WhichofthefollowingdescribesaphysicallocationaroundtheworldwhereAWSclustersdatacenters?

A. Endpoint

B. Collection

C. Fleet

D. Region

2. EachAWSregioniscomposedoftwoormorelocationsthatofferorganizationstheabilitytooperateproductionsystemsthataremorehighlyavailable,faulttolerant,andscalablethanwouldbepossibleusingasingledatacenter.Whataretheselocationscalled?

A. AvailabilityZones

B. Replicationareas

C. Geographicdistricts

D. Computecenters

3. Whatisthedeploymenttermforanenvironmentthatextendsanexistingon-premisesinfrastructureintothecloudtoconnectcloudresourcestointernalsystems?

A. All-indeployment

B. Hybriddeployment

C. On-premisesdeployment

D. Scatterdeployment

4. WhichAWSCloudserviceallowsorganizationstogainsystem-widevisibilityintoresourceutilization,applicationperformance,andoperationalhealth?

A. AWSIdentityandAccessManagement(IAM)

B. AmazonSimpleNotificationService(AmazonSNS)

C. AmazonCloudWatch

D. AWSCloudFormation

5. WhichofthefollowingAWSCloudservicesisafullymanagedNoSQLdatabaseservice?

A. AmazonSimpleQueueService(AmazonSQS)

B. AmazonDynamoDB

C. AmazonElastiCache

D. AmazonRelationalDatabaseService(AmazonRDS)

6. Yourcompanyexperiencesfluctuationsintrafficpatternstotheire-commercewebsite

Page 57: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

basedonflashsales.Whatservicecanhelpyourcompanydynamicallymatchtherequiredcomputecapacitytothespikeintrafficduringflashsales?

A. AutoScaling

B. AmazonGlacier

C. AmazonSimpleNotificationService(AmazonSNS)

D. AmazonVirtualPrivateCloud(AmazonVPC)

7. Yourcompanyprovidesanonlinephotosharingservice.Thedevelopmentteamislookingforwaystodeliverimagefileswiththelowestlatencytoenduserssothewebsitecontentisdeliveredwiththebestpossibleperformance.Whatservicecanhelpspeedupdistributionoftheseimagefilestoendusersaroundtheworld?

A. AmazonElasticComputeCloud(AmazonEC2)

B. AmazonRoute53

C. AWSStorageGateway

D. AmazonCloudFront

8. YourcompanyrunsanAmazonElasticComputeCloud(AmazonEC2)instanceperiodicallytoperformabatchprocessingjobonalargeandgrowingfilesystem.Attheendofthebatchjob,youshutdowntheAmazonEC2instancetosavemoneybutneedtopersistthefilesystemontheAmazonEC2instancefromthepreviousbatchruns.WhatAWSCloudservicecanyouleveragetomeettheserequirements?

A. AmazonElasticBlockStore(AmazonEBS)

B. AmazonDynamoDB

C. AmazonGlacier

D. AWSCloudFormation

9. WhatAWSCloudserviceprovidesalogicallyisolatedsectionoftheAWSCloudwhereorganizationscanlaunchAWSresourcesinavirtualnetworkthattheydefine?

A. AmazonSimpleWorkflowService(AmazonSWF)

B. AmazonRoute53

C. AmazonVirtualPrivateCloud(AmazonVPC)

D. AWSCloudFormation

10. YourcompanyprovidesamobilevotingapplicationforapopularTVshow,and5to25millionviewersallvoteina15-secondtimespan.Whatmechanismcanyouusetodecouplethevotingapplicationfromyourback-endservicesthattallythevotes?

A. AWSCloudTrail

B. AmazonSimpleQueueService(AmazonSQS)

C. AmazonRedshift

D. AmazonSimpleNotificationService(AmazonSNS)

Page 58: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

Chapter2AmazonSimpleStorageService(AmazonS3)andAmazonGlacierStorageTHEAWSCERTIFIEDSOLUTIONSARCHITECTASSOCIATEEXAMOBJECTIVESCOVEREDINTHISCHAPTERMAYINCLUDE,BUTARENOTLIMITEDTO,THEFOLLOWING:Domain1.0:Designinghighlyavailable,cost-efficient,fault-tolerant,scalablesystems

1.1Identifyandrecognizecloudarchitectureconsiderations,suchasfundamentalcomponentsandeffectivedesigns.

Contentmayincludethefollowing:

Howtodesigncloudservices

Planninganddesign

Monitoringandlogging

Familiaritywith:

BestpracticesforAWSarchitecture

Developingtoclientspecifications,includingpricing/cost(e.g.,OnDemandvs.Reservedvs.Spot;RecoveryTimeObjective[RTO]andRecoveryPointObjective[RPO]disasterrecoverydesign)

Architecturaltrade-offdecisions(e.g.,highavailabilityvs.cost)

HybridITarchitectures

Elasticityandscalability

Domain2.0:Implementation/Deployment

2.1IdentifytheappropriatetechniquesandmethodsusingAmazonSimpleStorageService(AmazonS3)tocodeandimplementacloudsolution.

Contentmayincludethefollowing:

Configureservicestosupportcompliancerequirementsinthecloud.

LaunchinstancesacrosstheAWSglobalinfrastructure.

ConfigureAWSIdentityandAccessManagement(IAM)policiesandbestpractices.

Domain3.0:DataSecurity

3.1Recognizeandimplementsecurepracticesforoptimumclouddeploymentandmaintenance

Contentmayincludethefollowing:

Page 59: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

SecurityArchitecturewithAWS

“Core”AmazonS3securityfeaturesets

Encryptionsolutions(e.g.,keyservices)

Complexaccesscontrols(buildingsophisticatedsecuritygroups,AccessControlLists[ACLs],etc.)

Page 60: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

IntroductionThischapterisintendedtoprovideyouwithabasicunderstandingofthecoreobjectstorageservicesavailableonAWS:AmazonSimpleStorageService(AmazonS3)andAmazonGlacier.

AmazonS3providesdevelopersandITteamswithsecure,durable,andhighly-scalablecloudstorage.AmazonS3iseasy-to-useobjectstoragewithasimplewebserviceinterfacethatyoucanusetostoreandretrieveanyamountofdatafromanywhereontheweb.AmazonS3alsoallowsyoutopayonlyforthestorageyouactuallyuse,whicheliminatesthecapacityplanningandcapacityconstraintsassociatedwithtraditionalstorage.

AmazonS3isoneoffirstservicesintroducedbyAWS,anditservesasoneofthefoundationalwebservices—nearlyanyapplicationrunninginAWSusesAmazonS3,eitherdirectlyorindirectly.AmazonS3canbeusedaloneorinconjunctionwithotherAWSservices,anditoffersaveryhighlevelofintegrationwithmanyotherAWScloudservices.Forexample,AmazonS3servesasthedurabletargetstorageforAmazonKinesisandAmazonElasticMapReduce(AmazonEMR),itisusedasthestorageforAmazonElasticBlockStore(AmazonEBS)andAmazonRelationalDatabaseService(AmazonRDS)snapshots,anditisusedasadatastagingorloadingstoragemechanismforAmazonRedshiftandAmazonDynamoDB,amongmanyotherfunctions.BecauseAmazonS3issoflexible,sohighlyintegrated,andsocommonlyused,itisimportanttounderstandthisserviceindetail.

CommonusecasesforAmazonS3storageinclude:

Backupandarchiveforon-premisesorclouddata

Content,media,andsoftwarestorageanddistribution

Bigdataanalytics

Staticwebsitehosting

Cloud-nativemobileandInternetapplicationhosting

Disasterrecovery

Tosupporttheseusecasesandmanymore,AmazonS3offersarangeofstorageclassesdesignedforvariousgenericusecases:generalpurpose,infrequentaccess,andarchive.Tohelpmanagedatathroughitslifecycle,AmazonS3offersconfigurablelifecyclepolicies.Byusinglifecyclepolicies,youcanhaveyourdataautomaticallymigratetothemostappropriatestorageclass,withoutmodifyingyourapplicationcode.Inordertocontrolwhohasaccesstoyourdata,AmazonS3providesarichsetofpermissions,accesscontrols,andencryptionoptions.

AmazonGlacierisanothercloudstorageservicerelatedtoAmazonS3,butoptimizedfordataarchivingandlong-termbackupatextremelylowcost.AmazonGlacierissuitablefor“colddata,”whichisdatathatisrarelyaccessedandforwhicharetrievaltimeofthreetofivehoursisacceptable.AmazonGlaciercanbeusedbothasastorageclassofAmazonS3(seeStorageClassesandObjectLifecycleManagementtopicsintheAmazonS3AdvancedFeaturessection),andasanindependentarchivalstorageservice(seetheAmazonGlaciersection).

Page 61: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

ObjectStorageversusTraditionalBlockandFileStorageIntraditionalITenvironments,twokindsofstoragedominate:blockstorageandfilestorage.Blockstorageoperatesatalowerlevel—therawstoragedevicelevel—andmanagesdataasasetofnumbered,fixed-sizeblocks.Filestorageoperatesatahigherlevel—theoperatingsystemlevel—andmanagesdataasanamedhierarchyoffilesandfolders.BlockandfilestorageareoftenaccessedoveranetworkintheformofaStorageAreaNetwork(SAN)forblockstorage,usingprotocolssuchasiSCSIorFibreChannel,orasaNetworkAttachedStorage(NAS)fileserveror“filer”forfilestorage,usingprotocolssuchasCommonInternetFileSystem(CIFS)orNetworkFileSystem(NFS).Whetherdirectly-attachedornetwork-attached,blockorfile,thiskindofstorageisverycloselyassociatedwiththeserverandtheoperatingsystemthatisusingthestorage.

AmazonS3objectstorageissomethingquitedifferent.AmazonS3iscloudobjectstorage.Insteadofbeingcloselyassociatedwithaserver,AmazonS3storageisindependentofaserverandisaccessedovertheInternet.InsteadofmanagingdataasblocksorfilesusingSCSI,CIFS,orNFSprotocols,dataismanagedasobjectsusinganApplicationProgramInterface(API)builtonstandardHTTPverbs.

EachAmazonS3objectcontainsbothdataandmetadata.Objectsresideincontainerscalledbuckets,andeachobjectisidentifiedbyauniqueuser-specifiedkey(filename).Bucketsareasimpleflatfolderwithnofilesystemhierarchy.Thatis,youcanhavemultiplebuckets,butyoucan’thaveasub-bucketwithinabucket.Eachbucketcanholdanunlimitednumberofobjects.

ItiseasytothinkofanAmazonS3object(orthedataportionofanobject)asafile,andthekeyasthefilename.However,keepinmindthatAmazonS3isnotatraditionalfilesystemanddiffersinsignificantways.InAmazonS3,youGETanobjectorPUTanobject,operatingonthewholeobjectatonce,insteadofincrementallyupdatingportionsoftheobjectasyouwouldwithafile.Youcan’t“mount”abucket,“open”anobject,installanoperatingsystemonAmazonS3,orrunadatabaseonit.

Insteadofafilesystem,AmazonS3ishighly-durableandhighly-scalableobjectstoragethatisoptimizedforreadsandisbuiltwithanintentionallyminimalisticfeatureset.Itprovidesasimpleandrobustabstractionforfilestoragethatfreesyoufrommanyunderlyingdetailsthatyounormallydohavetodealwithintraditionalstorage.Forexample,withAmazonS3youdon’thavetoworryaboutdeviceorfilesystemstoragelimitsandcapacityplanning—asinglebucketcanstoreanunlimitednumberoffiles.Youalsodon’tneedtoworryaboutdatadurabilityorreplicationacrossavailabilityzones—AmazonS3objectsareautomaticallyreplicatedonmultipledevicesinmultiplefacilitieswithinaregion.Thesamewithscalability—ifyourrequestrategrowssteadily,AmazonS3automaticallypartitionsbucketstosupportveryhighrequestratesandsimultaneousaccessbymanyclients.

Page 62: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

IfyouneedtraditionalblockorfilestorageinadditiontoAmazonS3storage,AWSprovidesoptions.TheAmazonEBSserviceprovidesblocklevelstorageforAmazonElasticComputeCloud(AmazonEC2)instances.AmazonElasticFileSystem(AWSEFS)providesnetwork-attachedsharedfilestorage(NASstorage)usingtheNFSv4protocol.

Page 63: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

AmazonSimpleStorageService(AmazonS3)BasicsNowthatyouhaveanunderstandingofsomeofthekeydifferencesbetweentraditionalblockandfilestorageversuscloudobjectstorage,wecanexplorethebasicsofAmazonS3inmoredetail.

Page 64: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

BucketsAbucketisacontainer(webfolder)forobjects(files)storedinAmazonS3.EveryAmazonS3objectiscontainedinabucket.Bucketsformthetop-levelnamespaceforAmazonS3,andbucketnamesareglobal.ThismeansthatyourbucketnamesmustbeuniqueacrossallAWSaccounts,muchlikeDomainNameSystem(DNS)domainnames,notjustwithinyourownaccount.Bucketnamescancontainupto63lowercaseletters,numbers,hyphens,andperiods.Youcancreateandusemultiplebuckets;youcanhaveupto100peraccountbydefault.

ItisabestpracticetousebucketnamesthatcontainyourdomainnameandconformtotherulesforDNSnames.Thisensuresthatyourbucketnamesareyourown,canbeusedinallregions,andcanhoststaticwebsites.

AWSRegionsEventhoughthenamespaceforAmazonS3bucketsisglobal,eachAmazonS3bucketiscreatedinaspecificregionthatyouchoose.Thisletsyoucontrolwhereyourdataisstored.Youcancreateandusebucketsthatarelocatedclosetoaparticularsetofendusersorcustomersinordertominimizelatency,orlocatedinaparticularregiontosatisfydatalocalityandsovereigntyconcerns,orlocatedfarawayfromyourprimaryfacilitiesinordertosatisfydisasterrecoveryandcomplianceneeds.Youcontrolthelocationofyourdata;datainanAmazonS3bucketisstoredinthatregionunlessyouexplicitlycopyittoanotherbucketlocatedinadifferentregion.

ObjectsObjectsaretheentitiesorfilesstoredinAmazonS3buckets.Anobjectcanstorevirtuallyanykindofdatainanyformat.Objectscanrangeinsizefrom0bytesupto5TB,andasinglebucketcanstoreanunlimitednumberofobjects.ThismeansthatAmazonS3canstoreavirtuallyunlimitedamountofdata.

Eachobjectconsistsofdata(thefileitself)andmetadata(dataaboutthefile).ThedataportionofanAmazonS3objectisopaquetoAmazonS3.Thismeansthatanobject’sdataistreatedassimplyastreamofbytes—AmazonS3doesn’tknoworcarewhattypeofdatayouarestoring,andtheservicedoesn’tactdifferentlyfortextdataversusbinarydata.

ThemetadataassociatedwithanAmazonS3objectisasetofname/valuepairsthatdescribetheobject.Therearetwotypesofmetadata:systemmetadataandusermetadata.SystemmetadataiscreatedandusedbyAmazonS3itself,anditincludesthingslikethedatelastmodified,objectsize,MD5digest,andHTTPContent-Type.Usermetadataisoptional,anditcanonlybespecifiedatthetimeanobjectiscreated.Youcanusecustommetadatatotagyourdatawithattributesthataremeaningfultoyou.

Keys

Page 65: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

EveryobjectstoredinanS3bucketisidentifiedbyauniqueidentifiercalledakey.Youcanthinkofthekeyasafilename.Akeycanbeupto1024bytesofUnicodeUTF-8characters,includingembeddedslashes,backslashes,dots,anddashes.

Keysmustbeuniquewithinasinglebucket,butdifferentbucketscancontainobjectswiththesamekey.Thecombinationofbucket,key,andoptionalversionIDuniquelyidentifiesanAmazonS3object.

ObjectURLAmazonS3isstoragefortheInternet,andeveryAmazonS3objectcanbeaddressedbyauniqueURLformedusingthewebservicesendpoint,thebucketname,andtheobjectkey.Forexample,withtheURL:http://mybucket.s3.amazonaws.com/jack.doc

mybucketistheS3bucketname,andjack.docisthekeyorfilename.Ifanotherobjectiscreated,forinstance:http://mybucket.s3.amazonaws.com/fee/fi/fo/fum/jack.doc

thenthebucketnameisstillmybucket,butnowthekeyorfilenameisthestringfee/fi/fo/fum/jack.doc.AkeymaycontaindelimitercharacterslikeslashesorbackslashestohelpyounameandlogicallyorganizeyourAmazonS3objects,buttoAmazonS3itissimplyalongkeynameinaflatnamespace.Thereisnoactualfileandfolderhierarchy.Seethetopic“PrefixesandDelimiters”inthe“AmazonS3AdvancedFeatures”sectionthatfollowsformoreinformation.

Forconvenience,theAmazonS3consoleandthePrefixandDelimiterfeatureallowyoutonavigatewithinanAmazonS3bucketasiftherewereafolderhierarchy.However,rememberthatabucketisasingleflatnamespaceofkeyswithnostructure.

AmazonS3OperationsTheAmazonS3APIisintentionallysimple,withonlyahandfulofcommonoperations.Theyinclude:

Create/deleteabucket

Writeanobject

Readanobject

Deleteanobject

Listkeysinabucket

RESTInterfaceThenativeinterfaceforAmazonS3isaREST(RepresentationalStateTransfer)API.WiththeRESTinterface,youusestandardHTTPorHTTPSrequeststocreateanddeletebuckets,listkeys,andreadandwriteobjects.RESTmapsstandardHTTP“verbs”(HTTPmethods)to

Page 66: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

thefamiliarCRUD(Create,Read,Update,Delete)operations.CreateisHTTPPUT(andsometimesPOST);readisHTTPGET;deleteisHTTPDELETE;andupdateisHTTPPOST(orsometimesPUT).

AlwaysuseHTTPSforAmazonS3APIrequeststoensurethatyourrequestsanddataaresecure.

Inmostcases,usersdonotusetheRESTinterfacedirectly,butinsteadinteractwithAmazonS3usingoneofthehigher-levelinterfacesavailable.TheseincludetheAWSSoftwareDevelopmentKits(SDKs)(wrapperlibraries)foriOS,Android,JavaScript,Java,.NET,Node.js,PHP,Python,Ruby,Go,andC++,theAWSCommandLineInterface(CLI),andtheAWSManagementConsole.

AmazonS3originallysupportedaSOAP(SimpleObjectAccessProtocol)APIinadditiontotheRESTAPI,butyoushouldusetheRESTAPI.ThelegacyHTTPSendpointisstillavailable,butnewfeaturesarenotsupported.

DurabilityandAvailabilityDatadurabilityandavailabilityarerelatedbutslightlydifferentconcepts.Durabilityaddressesthequestion,“Willmydatastillbethereinthefuture?”Availabilityaddressesthequestion,“CanIaccessmydatarightnow?”AmazonS3isdesignedtoprovidebothveryhighdurabilityandveryhighavailabilityforyourdata.

AmazonS3standardstorageisdesignedfor99.999999999%durabilityand99.99%availabilityofobjectsoveragivenyear.Forexample,ifyoustore10,000objectswithAmazonS3,youcanonaverageexpecttoincuralossofasingleobjectonceevery10,000,000years.AmazonS3achieveshighdurabilitybyautomaticallystoringdataredundantlyonmultipledevicesinmultiplefacilitieswithinaregion.Itisdesignedtosustaintheconcurrentlossofdataintwofacilitieswithoutlossofuserdata.AmazonS3providesahighlydurablestorageinfrastructuredesignedformission-criticalandprimarydatastorage.

Ifyouneedtostorenon-criticaloreasilyreproduciblederiveddata(suchasimagethumbnails)thatdoesn’trequirethishighlevelofdurability,youcanchoosetouseReducedRedundancyStorage(RRS)atalowercost.RRSoffers99.99%durabilitywithalowercostofstoragethantraditionalAmazonS3storage.

EventhoughAmazonS3storageoffersveryhighdurabilityattheinfrastructurelevel,itisstillabestpracticetoprotectagainstuser-levelaccidentaldeletionoroverwritingofdatabyusingadditionalfeaturessuchasversioning,cross-regionreplication,andMFADelete.

Page 67: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

DataConsistencyAmazonS3isaneventuallyconsistentsystem.Becauseyourdataisautomaticallyreplicatedacrossmultipleserversandlocationswithinaregion,changesinyourdatamaytakesometimetopropagatetoalllocations.Asaresult,therearesomesituationswhereinformationthatyoureadimmediatelyafteranupdatemayreturnstaledata.

ForPUTstonewobjects,thisisnotaconcern—inthiscase,AmazonS3providesread-after-writeconsistency.However,forPUTstoexistingobjects(objectoverwritetoanexistingkey)andforobjectDELETEs,AmazonS3provideseventualconsistency.

EventualconsistencymeansthatifyouPUTnewdatatoanexistingkey,asubsequentGETmightreturntheolddata.Similarly,ifyouDELETEanobject,asubsequentGETforthatobjectmightstillreadthedeletedobject.Inallcases,updatestoasinglekeyareatomic—foreventually-consistentreads,youwillgetthenewdataortheolddata,butneveraninconsistentmixofdata.

AccessControlAmazonS3issecurebydefault;whenyoucreateabucketorobjectinAmazonS3,onlyyouhaveaccess.Toallowyoutogivecontrolledaccesstoothers,AmazonS3providesbothcoarse-grainedaccesscontrols(AmazonS3AccessControlLists[ACLs]),andfine-grainedaccesscontrols(AmazonS3bucketpolicies,AWSIdentityandAccessManagement[IAM]policies,andquery-stringauthentication).

AmazonS3ACLsallowyoutograntcertaincoarse-grainedpermissions:READ,WRITE,orFULL-CONTROLattheobjectorbucketlevel.ACLsarealegacyaccesscontrolmechanism,createdbeforeIAMexisted.ACLsarebestusedtodayforalimitedsetofusecases,suchasenablingbucketloggingormakingabucketthathostsastaticwebsitebeworld-readable.

AmazonS3bucketpoliciesaretherecommendedaccesscontrolmechanismforAmazonS3andprovidemuchfiner-grainedcontrol.AmazonS3bucketpoliciesareverysimilartoIAMpolicies,whichwerediscussedinChapter6,“AWSIdentityandAccessManagement(IAM),”butaresubtlydifferentinthat:

TheyareassociatedwiththebucketresourceinsteadofanIAMprincipal.

TheyincludeanexplicitreferencetotheIAMprincipalinthepolicy.ThisprincipalcanbeassociatedwithadifferentAWSaccount,soAmazonS3bucketpoliciesallowyoutoassigncross-accountaccesstoAmazonS3resources.

UsinganAmazonS3bucketpolicy,youcanspecifywhocanaccessthebucket,fromwhere(byClasslessInter-DomainRouting[CIDR]blockorIPaddress),andduringwhattimeofday.

Finally,IAMpoliciesmaybeassociateddirectlywithIAMprincipalsthatgrantaccesstoanAmazonS3bucket,justasitcangrantaccesstoanyAWSserviceandresource.Obviously,youcanonlyassignIAMpoliciestoprincipalsinAWSaccountsthatyoucontrol.

StaticWebsiteHostingAverycommonusecaseforAmazonS3storageisstaticwebsitehosting.Manywebsites,particularlymicro-sites,don’tneedtheservicesofafullwebserver.Astaticwebsitemeans

Page 68: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

thatallofthepagesofthewebsitecontainonlystaticcontentanddonotrequireserver-sideprocessingsuchasPHP,ASP.NET,orJSP.(Notethatthisdoesnotmeanthatthewebsitecannotbeinteractiveanddynamic;thiscanbeaccomplishedwithclient-sidescripts,suchasJavaScriptembeddedinstaticHTMLwebpages.)Staticwebsiteshavemanyadvantages:theyareveryfast,veryscalable,andcanbemoresecurethanatypicaldynamicwebsite.IfyouhostastaticwebsiteonAmazonS3,youcanalsoleveragethesecurity,durability,availability,andscalabilityofAmazonS3.

BecauseeveryAmazonS3objecthasaURL,itisrelativelystraightforwardtoturnabucketintoawebsite.Tohostastaticwebsite,yousimplyconfigureabucketforwebsitehostingandthenuploadthecontentofthestaticwebsitetothebucket.

ToconfigureanAmazonS3bucketforstaticwebsitehosting:

1. Createabucketwiththesamenameasthedesiredwebsitehostname.

2. Uploadthestaticfilestothebucket.

3. Makeallthefilespublic(worldreadable).

4. Enablestaticwebsitehostingforthebucket.ThisincludesspecifyinganIndexdocumentandanErrordocument.

5. ThewebsitewillnowbeavailableattheS3websiteURL:

<bucket-name>.s3-website-<AWS-region>.amazonaws.com.

6. CreateafriendlyDNSnameinyourowndomainforthewebsiteusingaDNSCNAME,oranAmazonRoute53aliasthatresolvestotheAmazonS3websiteURL.

7. Thewebsitewillnowbeavailableatyourwebsitedomainname.

Page 69: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

AmazonS3AdvancedFeaturesBeyondthebasics,therearesomeadvancedfeaturesofAmazonS3thatyoushouldalsobefamiliarwith.

PrefixesandDelimitersWhileAmazonS3usesaflatstructureinabucket,itsupportstheuseofprefixanddelimiterparameterswhenlistingkeynames.Thisfeatureletsyouorganize,browse,andretrievetheobjectswithinabuckethierarchically.Typically,youwoulduseaslash(/)orbackslash(\)asadelimiterandthenusekeynameswithembeddeddelimiterstoemulateafileandfolderhierarchywithintheflatobjectkeynamespaceofabucket.

Forexample,youmightwanttostoreaseriesofserverlogsbyservername(suchasserver42),butorganizedbyyearandmonth,likeso:

logs/2016/January/server42.log

logs/2016/February/server42.log

logs/2016/March/server42.log

TheRESTAPI,wrapperSDKs,AWSCLI,andtheAmazonManagementConsoleallsupporttheuseofdelimitersandprefixes.Thisfeatureletsyoulogicallyorganizenewdataandeasilymaintainthehierarchicalfolder-and-filestructureofexistingdatauploadedorbackedupfromtraditionalfilesystems.UsedtogetherwithIAMorAmazonS3bucketpolicies,prefixesanddelimitersalsoallowyoutocreatetheequivalentofdepartmental“subdirectories”oruser“homedirectories”withinasinglebucket,restrictingorsharingaccesstothese“subdirectories”(definedbyprefixes)asneeded.

UsedelimitersandobjectprefixestohierarchicallyorganizetheobjectsinyourAmazonS3buckets,butalwaysrememberthatAmazonS3isnotreallyafilesystem.

StorageClassesAmazonS3offersarangeofstorageclassessuitableforvarioususecases.

AmazonS3Standardoffershighdurability,highavailability,lowlatency,andhighperformanceobjectstorageforgeneralpurposeuse.Becauseitdeliverslowfirst-bytelatencyandhighthroughput,Standardiswell-suitedforshort-termorlong-termstorageoffrequentlyaccesseddata.Formostgeneralpurposeusecases,AmazonS3Standardistheplacetostart.

AmazonS3Standard–InfrequentAccess(Standard-IA)offersthesamedurability,lowlatency,andhighthroughputasAmazonS3Standard,butisdesignedforlong-lived,lessfrequentlyaccesseddata.Standard-IAhasalowerperGB-monthstoragecostthanStandard,butthepricemodelalsoincludesaminimumobjectsize(128KB),minimumduration(30days),andper-GBretrievalcosts,soitisbestsuitedforinfrequentlyaccesseddatathatisstoredforlongerthan30days.

Page 70: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

AmazonS3ReducedRedundancyStorage(RRS)offersslightlylowerdurability(4nines)thanStandardorStandard-IAatareducedcost.Itismostappropriateforderiveddatathatcanbeeasilyreproduced,suchasimagethumbnails.

Finally,theAmazonGlacierstorageclassofferssecure,durable,andextremelylow-costcloudstoragefordatathatdoesnotrequirereal-timeaccess,suchasarchivesandlong-termbackups.Tokeepcostslow,AmazonGlacierisoptimizedforinfrequentlyaccesseddatawherearetrievaltimeofseveralhoursissuitable.ToretrieveanAmazonGlacierobject,youissuearestorecommandusingoneoftheAmazonS3APIs;threetofivehourslater,theAmazonGlacierobjectiscopiedtoAmazonS3RRS.NotethattherestoresimplycreatesacopyinAmazonS3RRS;theoriginaldataobjectremainsinAmazonGlacieruntilexplicitlydeleted.AlsobeawarethatAmazonGlacierallowsyoutoretrieveupto5%oftheAmazonS3datastoredinAmazonGlacierforfreeeachmonth;restoresbeyondthedailyrestoreallowanceincurarestorefee.RefertotheAmazonGlacierpricingpageontheAWSwebsiteforfulldetails.

InadditiontoactingasastoragetierinAmazonS3,AmazonGlacierisalsoastandalonestorageservicewithaseparateAPIandsomeuniquecharacteristics.However,whenyouuseAmazonGlacierasastorageclassofAmazonS3,youalwaysinteractwiththedataviatheAmazonS3APIs.RefertotheAmazonGlaciersectionformoredetails.

SetadataretrievalpolicytolimitrestorestothefreetierortoamaximumGB-per-hourlimittoavoidorminimizeAmazonGlacierrestorefees.

ObjectLifecycleManagementAmazonS3ObjectLifecycleManagementisroughlyequivalenttoautomatedstoragetieringintraditionalITstorageinfrastructures.Inmanycases,datahasanaturallifecycle,startingoutas“hot”(frequentlyaccessed)data,movingto“warm”(lessfrequentlyaccessed)dataasitages,andendingitslifeas“cold”(long-termbackuporarchive)databeforeeventualdeletion.

Forexample,manybusinessdocumentsarefrequentlyaccessedwhentheyarecreated,thenbecomemuchlessfrequentlyaccessedovertime.Inmanycases,however,compliancerulesrequirebusinessdocumentstobearchivedandkeptaccessibleforyears.Similarly,studiesshowthatfile,operatingsystem,anddatabasebackupsaremostfrequentlyaccessedinthefirstfewdaysaftertheyarecreated,usuallytorestoreafteraninadvertenterror.Afteraweekortwo,thesebackupsremainacriticalasset,buttheyaremuchlesslikelytobeaccessedforarestore.Inmanycases,compliancerulesrequirethatacertainnumberofbackupsbekeptforseveralyears.

UsingAmazonS3lifecycleconfigurationrules,youcansignificantlyreduceyourstoragecostsbyautomaticallytransitioningdatafromonestorageclasstoanotherorevenautomaticallydeletingdataafteraperiodoftime.Forexample,thelifecyclerulesforbackupdatamightbe:

StorebackupdatainitiallyinAmazonS3Standard.

After30days,transitiontoAmazonStandard-IA.

After90days,transitiontoAmazonGlacier.

Page 71: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

After3years,delete.

Lifecycleconfigurationsareattachedtothebucketandcanapplytoallobjectsinthebucketoronlytoobjectsspecifiedbyaprefix.

EncryptionItisstronglyrecommendedthatallsensitivedatastoredinAmazonS3beencrypted,bothinflightandatrest.

ToencryptyourAmazonS3datainflight,youcanusetheAmazonS3SecureSocketsLayer(SSL)APIendpoints.ThisensuresthatalldatasenttoandfromAmazonS3isencryptedwhileintransitusingtheHTTPSprotocol.

ToencryptyourAmazonS3dataatrest,youcanuseseveralvariationsofServer-SideEncryption(SSE).AmazonS3encryptsyourdataattheobjectlevelasitwritesittodisksinitsdatacentersanddecryptsitforyouwhenyouaccessit.AllSSEperformedbyAmazonS3andAWSKeyManagementService(AmazonKMS)usesthe256-bitAdvancedEncryptionStandard(AES).YoucanalsoencryptyourAmazonS3dataatrestusingClient-SideEncryption,encryptingyourdataontheclientbeforesendingittoAmazonS3.

SSE-S3(AWS-ManagedKeys)Thisisafullyintegrated“check-box-style”encryptionsolutionwhereAWShandlesthekeymanagementandkeyprotectionforAmazonS3.Everyobjectisencryptedwithauniquekey.Theactualobjectkeyitselfisthenfurtherencryptedbyaseparatemasterkey.Anewmasterkeyisissuedatleastmonthly,withAWSrotatingthekeys.Encrypteddata,encryptionkeys,andmasterkeysareallstoredseparatelyonsecurehosts,furtherenhancingprotection.

SSE-KMS(AWSKMSKeys)ThisisafullyintegratedsolutionwhereAmazonhandlesyourkeymanagementandprotectionforAmazonS3,butwhereyoumanagethekeys.SSE-KMSoffersseveraladditionalbenefitscomparedtoSSE-S3.UsingSSE-KMS,thereareseparatepermissionsforusingthemasterkey,whichprovideprotectionagainstunauthorizedaccesstoyourobjectsstoredinAmazonS3andanadditionallayerofcontrol.AWSKMSalsoprovidesauditing,soyoucanseewhousedyourkeytoaccesswhichobjectandwhentheytriedtoaccessthisobject.AWSKMSalsoallowsyoutoviewanyfailedattemptstoaccessdatafromuserswhodidnothavepermissiontodecryptthedata.

SSE-C(Customer-ProvidedKeys)Thisisusedwhenyouwanttomaintainyourownencryptionkeysbutdon’twanttomanageorimplementyourownclient-sideencryptionlibrary.WithSSE-C,AWSwilldotheencryption/decryptionofyourobjectswhileyoumaintainfullcontrolofthekeysusedtoencrypt/decrypttheobjectsinAmazonS3.

Client-SideEncryptionClient-sideencryptionreferstoencryptingdataontheclientsideofyourapplicationbeforesendingittoAmazonS3.Youhavethefollowingtwooptionsforusingdataencryptionkeys:

Page 72: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

UseanAWSKMS-managedcustomermasterkey.

Useaclient-sidemasterkey.

Whenusingclient-sideencryption,youretainend-to-endcontroloftheencryptionprocess,includingmanagementoftheencryptionkeys.

Formaximumsimplicityandeaseofuse,useserver-sideencryptionwithAWS-managedkeys(SSE-S3orSSE-KMS).

VersioningAmazonS3versioninghelpsprotectsyourdataagainstaccidentalormaliciousdeletionbykeepingmultipleversionsofeachobjectinthebucket,identifiedbyauniqueversionID.Versioningallowsyoutopreserve,retrieve,andrestoreeveryversionofeveryobjectstoredinyourAmazonS3bucket.IfausermakesanaccidentalchangeorevenmaliciouslydeletesanobjectinyourS3bucket,youcanrestoretheobjecttoitsoriginalstatesimplybyreferencingtheversionIDinadditiontothebucketandobjectkey.Versioningisturnedonatthebucketlevel.Onceenabled,versioningcannotberemovedfromabucket;itcanonlybesuspended.

MFADeleteMFADeleteaddsanotherlayerofdataprotectionontopofbucketversioning.MFADeleterequiresadditionalauthenticationinordertopermanentlydeleteanobjectversionorchangetheversioningstateofabucket.Inadditiontoyournormalsecuritycredentials,MFADeleterequiresanauthenticationcode(atemporary,one-timepassword)generatedbyahardwareorvirtualMulti-FactorAuthentication(MFA)device.NotethatMFADeletecanonlybeenabledbytherootaccount.

Pre-SignedURLsAllAmazonS3objectsbydefaultareprivate,meaningthatonlytheownerhasaccess.However,theobjectownercanoptionallyshareobjectswithothersbycreatingapre-signedURL,usingtheirownsecuritycredentialstogranttime-limitedpermissiontodownloadtheobjects.Whenyoucreateapre-signedURLforyourobject,youmustprovideyoursecuritycredentialsandspecifyabucketname,anobjectkey,theHTTPmethod(GETtodownloadtheobject),andanexpirationdateandtime.Thepre-signedURLsarevalidonlyforthespecifiedduration.Thisisparticularlyusefultoprotectagainst“contentscraping”ofwebcontentsuchasmediafilesstoredinAmazonS3.

MultipartUploadTobettersupportuploadingorcopyingoflargeobjects,AmazonS3providestheMultipartUploadAPI.Thisallowsyoutouploadlargeobjectsasasetofparts,whichgenerallygivesbetternetworkutilization(throughparalleltransfers),theabilitytopauseandresume,andtheabilitytouploadobjectswherethesizeisinitiallyunknown.

Multipartuploadisathree-stepprocess:initiation,uploadingtheparts,andcompletion(or

Page 73: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

abort).Partscanbeuploadedindependentlyinarbitraryorder,withretransmissionifneeded.Afterallofthepartsareuploaded,AmazonS3assemblesthepartsinordertocreateanobject.

Ingeneral,youshouldusemultipartuploadforobjectslargerthan100Mbytes,andyoumustusemultipartuploadforobjectslargerthan5GB.Whenusingthelow-levelAPIs,youmustbreakthefiletobeuploadedintopartsandkeeptrackoftheparts.Whenusingthehigh-levelAPIsandthehigh-levelAmazonS3commandsintheAWSCLI(awss3cp,awss3mv,andawss3sync),multipartuploadisautomaticallyperformedforlargeobjects.

Youcansetanobjectlifecyclepolicyonabuckettoabortincompletemultipartuploadsafteraspecifiednumberofdays.Thiswillminimizethestoragecostsassociatedwithmultipartuploadsthatwerenotcompleted.

RangeGETsItispossibletodownload(GET)onlyaportionofanobjectinbothAmazonS3andAmazonGlacierbyusingsomethingcalledaRangeGET.UsingtheRangeHTTPheaderintheGETrequestorequivalentparametersinoneoftheSDKwrapperlibraries,youspecifyarangeofbytesoftheobject.ThiscanbeusefulindealingwithlargeobjectswhenyouhavepoorconnectivityortodownloadonlyaknownportionofalargeAmazonGlacierbackup.

Cross-RegionReplicationCross-regionreplicationisafeatureofAmazonS3thatallowsyoutoasynchronouslyreplicateallnewobjectsinthesourcebucketinoneAWSregiontoatargetbucketinanotherregion.AnymetadataandACLsassociatedwiththeobjectarealsopartofthereplication.Afteryousetupcross-regionreplicationonyoursourcebucket,anychangestothedata,metadata,orACLsonanobjecttriggeranewreplicationtothedestinationbucket.Toenablecross-regionreplication,versioningmustbeturnedonforbothsourceanddestinationbuckets,andyoumustuseanIAMpolicytogiveAmazonS3permissiontoreplicateobjectsonyourbehalf.

Cross-regionreplicationiscommonlyusedtoreducethelatencyrequiredtoaccessobjectsinAmazonS3byplacingobjectsclosertoasetofusersortomeetrequirementstostorebackupdataatacertaindistancefromtheoriginalsourcedata.

Ifturnedoninanexistingbucket,cross-regionreplicationwillonlyreplicatenewobjects.Existingobjectswillnotbereplicatedandmustbecopiedtothenewbucketviaaseparatecommand.

LoggingInordertotrackrequeststoyourAmazonS3bucket,youcanenableAmazonS3serveraccesslogs.Loggingisoffbydefault,butitcaneasilybeenabled.Whenyouenableloggingfora

Page 74: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

bucket(thesourcebucket),youmustchoosewherethelogswillbestored(thetargetbucket).Youcanstoreaccesslogsinthesamebucketorinadifferentbucket.Eitherway,itisoptional(butabestpractice)tospecifyaprefix,suchaslogs/oryourbucketname/logs/,sothatyoucanmoreeasilyidentifyyourlogs.

Onceenabled,logsaredeliveredonabest-effortbasiswithaslightdelay.Logsincludeinformationsuchas:

RequestoraccountandIPaddress

Bucketname

Requesttime

Action(GET,PUT,LIST,andsoforth)

Responsestatusorerrorcode

EventNotificationsAmazonS3eventnotificationscanbesentinresponsetoactionstakenonobjectsuploadedorstoredinAmazonS3.Eventnotificationsenableyoutorunworkflows,sendalerts,orperformotheractionsinresponsetochangesinyourobjectsstoredinAmazonS3.YoucanuseAmazonS3eventnotificationstosetuptriggerstoperformactions,suchastranscodingmediafileswhentheyareuploaded,processingdatafileswhentheybecomeavailable,andsynchronizingAmazonS3objectswithotherdatastores.

AmazonS3eventnotificationsaresetupatthebucketlevel,andyoucanconfigurethemthroughtheAmazonS3console,throughtheRESTAPI,orbyusinganAWSSDK.AmazonS3canpublishnotificationswhennewobjectsarecreated(byaPUT,POST,COPY,ormultipartuploadcompletion),whenobjectsareremoved(byaDELETE),orwhenAmazonS3detectsthatanRRSobjectwaslost.Youcanalsosetupeventnotificationsbasedonobjectnameprefixesandsuffixes.NotificationmessagescanbesentthrougheitherAmazonSimpleNotificationService(AmazonSNS)orAmazonSimpleQueueService(AmazonSQS)ordelivereddirectlytoAWSLambdatoinvokeAWSLambdafunctions.

BestPractices,Patterns,andPerformanceItisacommonpatterntouseAmazonS3storageinhybridITenvironmentsandapplications.Forexample,datainon-premisesfilesystems,databases,andcompliancearchivescaneasilybebackedupovertheInternettoAmazonS3orAmazonGlacier,whiletheprimaryapplicationordatabasestorageremainson-premises.

AnothercommonpatternistouseAmazonS3asbulk“blob”storagefordata,whilekeepinganindextothatdatainanotherservice,suchasAmazonDynamoDBorAmazonRDS.Thisallowsquicksearchesandcomplexqueriesonkeynameswithoutlistingkeyscontinually.

AmazonS3willscaleautomaticallytosupportveryhighrequestrates,automaticallyre-partitioningyourbucketsasneeded.Ifyouneedrequestrateshigherthan100requestspersecond,youmaywanttoreviewtheAmazonS3bestpracticesguidelinesintheDeveloperGuide.Tosupporthigherrequestrates,itisbesttoensuresomelevelofrandomdistributionofkeys,forexamplebyincludingahashasaprefixtokeynames.

Page 75: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

IfyouareusingAmazonS3inaGET-intensivemode,suchasastaticwebsitehosting,forbestperformanceyoushouldconsiderusinganAmazonCloudFrontdistributionasacachinglayerinfrontofyourAmazonS3bucket.

Page 76: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

AmazonGlacierAmazonGlacierisanextremelylow-coststorageservicethatprovidesdurable,secure,andflexiblestoragefordataarchivingandonlinebackup.Tokeepcostslow,AmazonGlacierisdesignedforinfrequentlyaccesseddatawherearetrievaltimeofthreetofivehoursisacceptable.

AmazonGlaciercanstoreanunlimitedamountofvirtuallyanykindofdata,inanyformat.CommonusecasesforAmazonGlacierincludereplacementoftraditionaltapesolutionsforlong-termbackupandarchiveandstorageofdatarequiredforcompliancepurposes.Inmostcases,thedatastoredinAmazonGlacierconsistsoflargeTAR(TapeArchive)orZIPfiles.

LikeAmazonS3,AmazonGlacierisextremelydurable,storingdataonmultipledevicesacrossmultiplefacilitiesinaregion.AmazonGlacierisdesignedfor99.999999999%durabilityofobjectsoveragivenyear.

ArchivesInAmazonGlacier,dataisstoredinarchives.Anarchivecancontainupto40TBofdata,andyoucanhaveanunlimitednumberofarchives.EacharchiveisassignedauniquearchiveIDatthetimeofcreation.(UnlikeanAmazonS3objectkey,youcannotspecifyauser-friendlyarchivename.)Allarchivesareautomaticallyencrypted,andarchivesareimmutable—afteranarchiveiscreated,itcannotbemodified.

VaultsVaultsarecontainersforarchives.EachAWSaccountcanhaveupto1,000vaults.YoucancontrolaccesstoyourvaultsandtheactionsallowedusingIAMpoliciesorvaultaccesspolicies.

VaultsLocksYoucaneasilydeployandenforcecompliancecontrolsforindividualAmazonGlaciervaultswithavaultlockpolicy.YoucanspecifycontrolssuchasWriteOnceReadMany(WORM)inavaultlockpolicyandlockthepolicyfromfutureedits.Oncelocked,thepolicycannolongerbechanged.

DataRetrievalYoucanretrieveupto5%ofyourdatastoredinAmazonGlacierforfreeeachmonth,calculatedonadailyproratedbasis.Ifyouretrievemorethan5%,youwillincurretrievalfeesbasedonyourmaximumretrievalrate.Toeliminateorminimizethosefees,youcansetadataretrievalpolicyonavaulttolimityourretrievalstothefreetierortoaspecifieddatarate.

AmazonGlacierversusAmazonSimpleStorageService(AmazonS3)AmazonGlacierissimilartoAmazonS3,butitdiffersinseveralkeyaspects.AmazonGlaciersupports40TBarchivesversus5TBobjectsinAmazonS3.ArchivesinAmazonGlacierare

Page 77: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

identifiedbysystem-generatedarchiveIDs,whileAmazonS3letsyouuse“friendly”keynames.AmazonGlacierarchivesareautomaticallyencrypted,whileencryptionatrestisoptionalinAmazonS3.However,byusingAmazonGlacierasanAmazonS3storageclasstogetherwithobjectlifecyclepolicies,youcanusetheAmazonS3interfacetogetmostofthebenefitsofAmazonGlacierwithoutlearninganewinterface.

Page 78: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

SummaryAmazonS3isthecoreobjectstorageserviceonAWS,allowingyoutostoreanunlimitedamountofdatawithveryhighdurability.

CommonAmazonS3usecasesincludebackupandarchive,webcontent,bigdataanalytics,staticwebsitehosting,mobileandcloud-nativeapplicationhosting,anddisasterrecovery.

AmazonS3isintegratedwithmanyotherAWScloudservices,includingAWSIAM,AWSKMS,AmazonEC2,AmazonEBS,AmazonEMR,AmazonDynamoDB,AmazonRedshift,AmazonSQS,AWSLambda,andAmazonCloudFront.

Objectstoragediffersfromtraditionalblockandfilestorage.Blockstoragemanagesdataatadevicelevelasaddressableblocks,whilefilestoragemanagesdataattheoperatingsystemlevelasfilesandfolders.Objectstoragemanagesdataasobjectsthatcontainbothdataandmetadata,manipulatedbyanAPI.

AmazonS3bucketsarecontainersforobjectsstoredinAmazonS3.Bucketnamesmustbegloballyunique.Eachbucketiscreatedinaspecificregion,anddatadoesnotleavetheregionunlessexplicitlycopiedbytheuser.

AmazonS3objectsarefilesstoredinbuckets.Objectscanbeupto5TBandcancontainanykindofdata.Objectscontainbothdataandmetadataandareidentifiedbykeys.EachAmazonS3objectcanbeaddressedbyauniqueURLformedbythewebservicesendpoint,thebucketname,andtheobjectkey.

AmazonS3hasaminimalisticAPI—create/deleteabucket,read/write/deleteobjects,listkeysinabucket—andusesaRESTinterfacebasedonstandardHTTPverbs—GET,PUT,POST,andDELETE.YoucanalsouseSDKwrapperlibraries,theAWSCLI,andtheAWSManagementConsoletoworkwithAmazonS3.

AmazonS3ishighlydurableandhighlyavailable,designedfor11ninesofdurabilityofobjectsinagivenyearandfourninesofavailability.

AmazonS3iseventuallyconsistent,butoffersread-after-writeconsistencyfornewobjectPUTs.

AmazonS3objectsareprivatebydefault,accessibleonlytotheowner.Objectscanbemarkedpublicreadabletomakethemaccessibleontheweb.ControlledaccessmaybeprovidedtoothersusingACLsandAWSIAMandAmazonS3bucketpolicies.

StaticwebsitescanbehostedinanAmazonS3bucket.

Prefixesanddelimitersmaybeusedinkeynamestoorganizeandnavigatedatahierarchicallymuchlikeatraditionalfilesystem.

AmazonS3offersseveralstorageclassessuitedtodifferentusecases:Standardisdesignedforgeneral-purposedataneedinghighperformanceandlowlatency.Standard-IAisforlessfrequentlyaccesseddata.RRSofferslowerredundancyatlowercostforeasilyreproduceddata.AmazonGlacierofferslow-costdurablestorageforarchiveandlong-termbackupsthatcanarerarelyaccessedandcanacceptathree-tofive-hourretrievaltime.

Objectlifecyclemanagementpoliciescanbeusedtoautomaticallymovedatabetween

Page 79: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

storageclassesbasedontime.

AmazonS3datacanbeencryptedusingserver-sideorclient-sideencryption,andencryptionkeyscanbemanagedwithAmazonKMS.

VersioningandMFADeletecanbeusedtoprotectagainstaccidentaldeletion.

Cross-regionreplicationcanbeusedtoautomaticallycopynewobjectsfromasourcebucketinoneregiontoatargetbucketinanotherregion.

Pre-signedURLsgranttime-limitedpermissiontodownloadobjectsandcanbeusedtoprotectmediaandotherwebcontentfromunauthorized“webscraping.”

Multipartuploadcanbeusedtouploadlargeobjects,andRangeGETscanbeusedtodownloadportionsofanAmazonS3objectorAmazonGlacierarchive.

Serveraccesslogscanbeenabledonabuckettotrackrequestor,object,action,andresponse.

AmazonS3eventnotificationscanbeusedtosendanAmazonSQSorAmazonSNSmessageortotriggeranAWSLambdafunctionwhenanobjectiscreatedordeleted.

AmazonGlaciercanbeusedasastandaloneserviceorasastorageclassinAmazonS3.

AmazonGlacierstoresdatainarchives,whicharecontainedinvaults.Youcanhaveupto1,000vaults,andeachvaultcanstoreanunlimitednumberofarchives.

AmazonGlaciervaultscanbelockedforcompliancepurposes.

Page 80: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

ExamEssentialsKnowwhatamazons3isandwhatitiscommonlyusedfor.AmazonS3issecure,durable,andhighlyscalablecloudstoragethatcanbeusedtostoreanunlimitedamountofdatainalmostanyformatusingasimplewebservicesinterface.Commonusecasesincludebackupandarchive,contentstorageanddistribution,bigdataanalytics,staticwebsitehosting,cloud-nativeapplicationhosting,anddisasterrecovery.

Understandhowobjectstoragediffersfromblockandfilestorage.AmazonS3cloudobjectstoragemanagesdataattheapplicationlevelasobjectsusingaRESTAPIbuiltonHTTP.BlockstoragemanagesdataattheoperatingsystemlevelasnumberedaddressableblocksusingprotocolssuchasSCSIorFibreChannel.FilestoragemanagesdataassharedfilesattheoperatingsystemlevelusingaprotocolsuchasCIFSorNFS.

UnderstandthebasicsofAmazonS3.AmazonS3storesdatainobjectsthatcontaindataandmetadata.Objectsareidentifiedbyauser-definedkeyandarestoredinasimpleflatfoldercalledabucket.InterfacesincludeanativeRESTinterface,SDKsformanylanguages,anAWSCLI,andtheAWSManagementConsole.

Knowhowtocreateabucket;howtoupload,download,anddeleteobjects;howtomakeobjectspublic;andhowtoopenanobjectURL.

Understandthedurability,availability,anddataconsistencymodelofAmazonS3.AmazonS3standardstorageisdesignedfor11ninesdurabilityandfourninesavailabilityofobjectsoverayear.Otherstorageclassesdiffer.AmazonS3iseventuallyconsistent,butoffersread-after-writeconsistencyforPUTstonewobjects.

KnowhowtoenablestaticwebsitehostingonAmazonS3.TocreateastaticwebsiteonAmazonS3,youmustcreateabucketwiththewebsitehostname,uploadyourstaticcontentandmakeitpublic,enablestaticwebsitehostingonthebucket,andindicatetheindexanderrorpageobjects.

KnowhowtoprotectyourdataonAmazonS3.EncryptdatainflightusingHTTPSandatrestusingSSEorclient-sideencryption.Enableversioningtokeepmultipleversionsofanobjectinabucket.EnableMFADeletetoprotectagainstaccidentaldeletion.UseACLsAmazonS3bucketpoliciesandAWSIAMpoliciesforaccesscontrol.Usepre-signedURLsfortime-limiteddownloadaccess.Usecross-regionreplicationtoautomaticallyreplicatedatatoanotherregion.

KnowtheusecaseforeachoftheAmazonS3storageclasses.Standardisforgeneralpurposedatathatneedshighdurability,highperformance,andlowlatencyaccess.Standard-IAisfordatathatislessfrequentlyaccessed,butthatneedsthesameperformanceandavailabilitywhenaccessed.RRSofferslowerdurabilityatlowercostforeasilyreplicateddata.AmazonGlacierisforstoringrarelyaccessedarchivaldataatlowestcost,whenthree-tofive-hourretrievaltimeisacceptable.

Knowhowtouselifecycleconfigurationrules.LifecyclerulescanbeconfiguredintheAWSManagementConsoleortheAPIs.Lifecycleconfigurationrulesdefineactionstotransitionobjectsfromonestorageclasstoanotherbasedontime.

KnowhowtouseAmazonS3eventnotifications.Eventnotificationsaresetatthe

Page 81: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

bucketlevelandcantriggeramessageinAmazonSNSorAmazonSQSoranactioninAWSLambdainresponsetoanuploadoradeleteofanobject.

Knowthebasicsofamazonglacierasastandaloneservice.Dataisstoredinencryptedarchivesthatcanbeaslargeas40TB.ArchivestypicallycontainTARorZIPfiles.Vaultsarecontainersforarchives,andvaultscanbelockedforcompliance.

Page 82: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

ExercisesForassistanceincompletingthefollowingexercises,referencethefollowingdocumentation:

GettingstartedwithAmazonS3:http://docs.aws.amazon.com/AmazonS3/latest/gsg/GetStartedWithS3.html

Settingupastaticwebsite:http://docs.aws.amazon.com/AmazonS3/latest/dev/HostingWebsiteOnS3Setup.html

Usingversioning:http://docs.aws.amazon.com/AmazonS3/latest/dev/Versioning.html

ObjectLifecycleManagement:http://docs.aws.amazon.com/AmazonS3/latest/dev/object-lifecycle-mgmt.html

EXERCISE2.1

CreateanAmazonSimpleStorageService(AmazonS3)BucketInthisexercise,youwillcreateanewAmazonS3bucketinyourselectedregion.Youwillusethisbucketinthefollowingexercises.

1. LogintotheAWSManagementConsole.

2. Chooseanappropriateregion,suchasUSWest(Oregon).

3. NavigatetotheAmazonS3console.NoticethattheregionindicatornowsaysGlobal.RememberthatAmazonS3bucketsformaglobalnamespace,eventhougheachbucketiscreatedinaspecificregion.

4. Startthecreatebucketprocess.

5. WhenpromptedforBucketName,usemynewbucket.

6. Choosearegion,suchasUSWest(Oregon).

7. Trytocreatethebucket.Youalmostsurelywillgetamessagethattherequestedbucketnameisnotavailable.Rememberthatabucketnamemustbeuniqueglobally.

8. Tryagainusingyoursurnamefollowedbyahyphenandthentoday’sdateinasix-digitformatasthebucketname(abucketnamethatisnotlikelytoexistalready).

YoushouldnowhaveanewAmazonS3bucket.

EXERCISE2.2

Upload,MakePublic,Rename,andDeleteObjectsinYourBucket

Inthisexercise,youwilluploadanewobjecttoyourbucket.Youwillthenmakethisobjectpublicandviewtheobjectinyourbrowser.Youwillthenrenametheobjectandfinallydeleteitfromthebucket.

Page 83: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

UploadanObject1. LoadyournewbucketintheAmazonS3console.

2. SelectUpload,thenAddFiles.

3. LocateafileonyourPCthatyouareokaywithuploadingtoAmazonS3andmakingpublictotheInternet.(Wesuggestusinganon-personalimagefileforthepurposesofthisexercise.)

4. Selectasuitablefile,thenStartUpload.YouwillseethestatusofyourfileintheTransferssection.

5. Afteryourfileisuploaded,thestatusshouldchangetoDone.

ThefileyouuploadedisnowstoredasanAmazonS3objectandshouldbenowlistedinthecontentsofyourbucket.

OpentheAmazonS3URL6. Nowopenthepropertiesfortheobject.Thepropertiesshouldincludebucket,name,

andlink.

7. CopytheAmazonS3URLfortheobject.

8. PastetheURLintheaddressbarofanewbrowserwindowortab.

YoushouldgetamessagewithanXMLerrorcodeAccessDenied.EventhoughtheobjecthasaURL,itisprivatebydefault,soitcannotbeaccessedbyawebbrowser.

MaketheObjectPublic9. GobacktotheAmazonS3ConsoleandselectMakePublic.(Equivalently,youcan

changetheobject’spermissionsandaddgranteeEveryoneandpermissionsOpen/Download.)

10. CopytheAmazonS3URLagainandtrytoopenitinabrowserortab.Yourpublicimagefileshouldnowdisplayinthebrowserorbrowsertab.

RenameObject11. IntheAmazonS3console,selectRename.

12. Renametheobject,butkeepthesamefileextension.

13. CopythenewAmazonS3URLandtrytoopenitinabrowserortab.Youshouldseethesameimagefile.

DeletetheObject14. IntheAmazonS3console,selectDelete.SelectOKwhenpromptedifyouwantto

deletetheobject.

15. Theobjecthasnowbeendeleted.

16. Toverify,trytoreloadthedeletedobject’sAmazonS3URL.

YoushouldonceagaingettheXMLAccessDeniederrormessage.

Page 84: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

EXERCISE2.3

EnableVersionControl

Inthisexercise,youwillenableversioncontrolonyournewlycreatedbucket.

EnableVersioning1. IntheAmazonS3console,loadthepropertiesofyourbucket.Don’topenthebucket.

2. EnableversioninginthepropertiesandselectOKtoverify.Yourbucketnowhasversioningenabled.(Notethatversioningcanbesuspended,butnotturnedoff.)

CreateMultipleVersionsofanObject3. Createatextfilenamedfoo.txtonyourcomputerandwritethewordblueinthe

textfile.

4. Savethetextfiletoalocationofyourchoosing.

5. Uploadthetextfiletoyourbucket.Thiswillbeversion1.

6. Afteryouhaveuploadedthetextfiletoyourbucket,openthecopyonyourlocalcomputerandchangethewordbluetored.Savethetextfilewiththeoriginalfilename.

7. Uploadthemodifiedfiletoyourbucket.

8. SelectShowVersionsontheuploadedobject.

YouwillnowseetwodifferentversionsoftheobjectwithdifferentVersionIDsandpossiblydifferentsizes.NotethatwhenyouselectShowVersion,theAmazonS3URLnowincludestheversionIDinthequerystringaftertheobjectname.

Page 85: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

EXERCISE2.4

DeleteanObjectandThenRestoreIt

Inthisexercise,youwilldeleteanobjectinyourAmazonS3bucketandthenrestoreit.

DeleteanObject1. Openthebucketcontainingthetextfileforwhichyounowhavetwoversions.

2. SelectHideVersions.

3. SelectDelete,andthenselectOKtoverify.

4. Yourobjectwillnowbedeleted,andyoucannolongerseetheobject.

5. SelectShowVersions.

BothversionsoftheobjectnowshowtheirversionIDs.

RestoreanObject6. Openyourbucket.

7. SelectShowVersions.

8. Selecttheoldestversionanddownloadtheobject.Notethatthefilenameissimplyfoo.txtwithnoversionindicator.

9. Uploadfoo.txttothesamebucket.

10. SelectHideVersions,andthefilefoo.txtshouldre-appear.

Torestoreaversion,youcopythedesiredversionintothesamebucket.IntheAmazonS3console,thisrequiresadownloadthenre-uploadoftheobject.UsingAPIs,SDKs,orAWSCLI,youcancopyaversiondirectlywithoutdownloadingandre-uploading.

Page 86: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

EXERCISE2.5

LifecycleManagementInthisexercise,youwillexplorethevariousoptionsforlifecyclemanagement.

1. SelectyourbucketintheAmazonS3console.

2. UnderProperties,addaLifecycleRule.

3. Explorethevariousoptionstoaddlifecyclerulestoobjectsinthisbucket.Itisrecommendedthatyoudonotimplementanyoftheseoptions,asyoumayincuradditionalcosts.Afteryouhavefinished,clicktheCancelbutton.

Mostlifecyclerulesrequiresomenumberofdaystoexpirebeforethetransitiontakeseffect.Forexample,ittakesaminimumof30daystotransitionfromAmazonS3StandardtoAmazonS3Standard-IA.Thismakesitimpracticaltocreatealifecycleruleandseetheactualresultinanexercise.

EXERCISE2.6

EnableStaticHostingonYourBucketInthisexercise,youwillenablestatichostingonyournewlycreatedbucket.

1. SelectyourbucketintheAmazonS3console.

2. InthePropertiessection,selectEnableWebsiteHosting.

3. Fortheindexdocumentname,enterindex.txt,andfortheerrordocumentname,entererror.txt.

4. Useatexteditortocreatetwotextfilesandsavethemasindex.txtanderror.txt.Intheindex.txtfile,writethephrase“HelloWorld,”andintheerror.txtfile,writethephrase“ErrorPage.”Savebothtextfilesanduploadthemtoyourbucket.

5. Makethetwoobjectspublic.

6. CopytheEndpoint:linkunderStaticWebsiteHostingandpasteitinabrowserwindowortab.Youshouldnowseethephrase"HelloWorld"displayed.

7. Intheaddressbarinyourbrowser,tryaddingaforwardslashfollowedbyamade-upfilename(forexample,/test.html).Youshouldnowseethephrase"ErrorPage"displayed.

8. Tocleanup,deletealloftheobjectsinyourbucketandthendeletethebucketitself.

Page 87: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

ReviewQuestions1. InwhatwaysdoesAmazonSimpleStorageService(AmazonS3)objectstoragedifferfromblockandfilestorage?(Choose2answers)

A. AmazonS3storesdatainfixedsizeblocks.

B. Objectsareidentifiedbyanumberedaddress.

C. Objectscanbeanysize.

D. Objectscontainbothdataandmetadata.

E. Objectsarestoredinbuckets.

2. WhichofthefollowingarenotappropriatesusecasesforAmazonSimpleStorageService(AmazonS3)?(Choose2answers)

A. Storingwebcontent

B. StoringafilesystemmountedtoanAmazonElasticComputeCloud(AmazonEC2)instance

C. Storingbackupsforarelationaldatabase

D. Primarystorageforadatabase

E. Storinglogsforanalytics

3. WhataresomeofthekeycharacteristicsofAmazonSimpleStorageService(AmazonS3)?(Choose3answers)

A. AllobjectshaveaURL.

B. AmazonS3canstoreunlimitedamountsofdata.

C. Objectsareworld-readablebydefault.

D. AmazonS3usesaREST(RepresentationalStateTransfer)ApplicationProgramInterface(API).

E. Youmustpre-allocatethestorageinabucket.

4. WhichfeaturescanbeusedtorestrictaccesstoAmazonSimpleStorageService(AmazonS3)data?(Choose3answers)

A. Enablestaticwebsitehostingonthebucket.

B. Createapre-signedURLforanobject.

C. UseanAmazonS3AccessControlList(ACL)onabucketorobject.

D. Usealifecyclepolicy.

E. UseanAmazonS3bucketpolicy.

5. YourapplicationstorescriticaldatainAmazonSimpleStorageService(AmazonS3),whichmustbeprotectedagainstinadvertentorintentionaldeletion.Howcanthisdatabeprotected?(Choose2answers)

Page 88: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

A. Usecross-regionreplicationtocopydatatoanotherbucketautomatically.

B. Setavaultlock.

C. Enableversioningonthebucket.

D. UsealifecyclepolicytomigratedatatoAmazonGlacier.

E. EnableMFADeleteonthebucket.

6. YourcompanystoresdocumentsinAmazonSimpleStorageService(AmazonS3),butitwantstominimizecost.Mostdocumentsareusedactivelyforonlyaboutamonth,thenmuchlessfrequently.However,alldataneedstobeavailablewithinminuteswhenrequested.Howcanyoumeettheserequirements?

A. MigratethedatatoAmazonS3ReducedRedundancyStorage(RRS)after30days.

B. MigratethedatatoAmazonGlacierafter30days.

C. MigratethedatatoAmazonS3Standard–InfrequentAccess(IA)after30days.

D. Turnonversioning,thenmigratetheolderversiontoAmazonGlacier.

7. HowisdatastoredinAmazonSimpleStorageService(AmazonS3)forhighdurability?

A. Dataisautomaticallyreplicatedtootherregions.

B. Dataisautomaticallyreplicatedwithinaregion.

C. Dataisreplicatedonlyifversioningisenabledonthebucket.

D. Dataisautomaticallybackedupontapeandrestoredifneeded.

8. BasedonthefollowingAmazonSimpleStorageService(AmazonS3)URL,whichoneofthefollowingstatementsiscorrect?

https://bucket1.abc.com.s3.amazonaws.com/folderx/myfile.doc

A. Theobject“myfile.doc”isstoredinthefolder“folderx”inthebucket“bucket1.abc.com.”

B. Theobject“myfile.doc”isstoredinthebucket“bucket1.abc.com.”

C. Theobject“folderx/myfile.doc”isstoredinthebucket“bucket1.abc.com.”

D. Theobject“myfile.doc”isstoredinthebucket“bucket1.”

9. TohavearecordofwhoaccessedyourAmazonSimpleStorageService(AmazonS3)dataandfromwhere,youshoulddowhat?

A. Enableversioningonthebucket.

B. Enablewebsitehostingonthebucket.

C. Enableserveraccesslogsonthebucket.

D. CreateanAWSIdentityandAccessManagement(IAM)bucketpolicy.

E. EnableAmazonCloudWatchlogs.

10. Whataresomereasonstoenablecross-regionreplicationonanAmazonSimpleStorageService(AmazonS3)bucket?(Choose2answers)

Page 89: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

A. Youwantabackupofyourdataincaseofaccidentaldeletion.

B. Youhaveasetofusersorcustomerswhocanaccessthesecondbucketwithlowerlatency.

C. Forcompliancereasons,youneedtostoredatainalocationatleast300milesawayfromthefirstregion.

D. Yourdataneedsatleastfiveninesofdurability.

11. Yourcompanyrequiresthatalldatasenttoexternalstoragebeencryptedbeforebeingsent.WhichAmazonSimpleStorageService(AmazonS3)encryptionsolutionwillmeetthisrequirement?

A. Server-SideEncryption(SSE)withAWS-managedkeys(SSE-S3)

B. SSEwithcustomer-providedkeys(SSE-C)

C. Client-sideencryptionwithcustomer-managedkeys

D. Server-sideencryptionwithAWSKeyManagementService(AWSKMS)keys(SSE-KMS)

12. YouhaveapopularwebapplicationthataccessesdatastoredinanAmazonSimpleStorageService(AmazonS3)bucket.Youexpecttheaccesstobeveryread-intensive,withexpectedrequestratesofupto500GETspersecondfrommanyclients.HowcanyouincreasetheperformanceandscalabilityofAmazonS3inthiscase?

A. Turnoncross-regionreplicationtoensurethatdataisservedfrommultiplelocations.

B. Ensurerandomnessinthenamespacebyincludingahashprefixtokeynames.

C. Turnonserveraccesslogging.

D. Ensurethatkeynamesaresequentialtoenablepre-fetch.

13. Whatisneededbeforeyoucanenablecross-regionreplicationonanAmazonSimpleStorageService(AmazonS3)bucket?(Choose2answers)

A. Enableversioningonthebucket.

B. Enablealifecycleruletomigratedatatothesecondregion.

C. Enablestaticwebsitehosting.

D. CreateanAWSIdentityandAccessManagement(IAM)policytoallowAmazonS3toreplicateobjectsonyourbehalf.

14. Yourcompanyhas100TBoffinancialrecordsthatneedtobestoredforsevenyearsbylaw.Experiencehasshownthatanyrecordmorethanone-yearoldisunlikelytobeaccessed.Whichofthefollowingstorageplansmeetstheseneedsinthemostcostefficientmanner?

A. StorethedataonAmazonElasticBlockStore(AmazonEBS)volumesattachedtot2.microinstances.

B. StorethedataonAmazonSimpleStorageService(AmazonS3)withlifecyclepoliciesthatchangethestorageclasstoAmazonGlacierafteroneyearanddeletetheobject

Page 90: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

aftersevenyears.

C. StorethedatainAmazonDynamoDBandrundailyscripttodeletedataolderthansevenyears.

D. StorethedatainAmazonElasticMapReduce(AmazonEMR).

15. AmazonSimpleStorageService(S3)bucketpoliciescanrestrictaccesstoanAmazonS3bucketandobjectsbywhichofthefollowing?(Choose3answers)

A. Companyname

B. IPaddressrange

C. AWSaccount

D. Countryoforigin

E. Objectswithaspecificprefix

16. AmazonSimpleStorageService(AmazonS3)isaneventuallyconsistentstoragesystem.Forwhatkindsofoperationsisitpossibletogetstaledataasaresultofeventualconsistency?(Choose2answers)

A. GETafterPUTofanewobject

B. GETorLISTafteraDELETE

C. GETafteroverwritePUT(PUTtoanexistingkey)

D. DELETEafterPUTofnewobject

17. WhatmustbedonetohostastaticwebsiteinanAmazonSimpleStorageService(AmazonS3)bucket?(Choose3answers)

A. Configurethebucketforstatichostingandspecifyanindexanderrordocument.

B. Createabucketwiththesamenameasthewebsite.

C. EnableFileTransferProtocol(FTP)onthebucket.

D. Maketheobjectsinthebucketworld-readable.

E. EnableHTTPonthebucket.

18. YouhavevaluablemediafileshostedonAWSandwantthemtobeservedonlytoauthenticatedusersofyourwebapplication.Youareconcernedthatyourcontentcouldbestolenanddistributedforfree.Howcanyouprotectyourcontent?

A. Usestaticwebhosting.

B. Generatepre-signedURLsforcontentinthewebapplication.

C. UseAWSIdentityandAccessManagement(IAM)policiestorestrictaccess.

D. Useloggingtotrackyourcontent.

19. AmazonGlacieriswell-suitedtodatathatiswhichofthefollowing?(Choose2answers)

A. Isinfrequentlyorrarelyaccessed

B. Mustbeimmediatelyavailablewhenneeded

Page 91: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

C. Isavailableafterathree-tofive-hourrestoreperiod

D. Isfrequentlyerasedwithin30days

20. WhichstatementsaboutAmazonGlacieraretrue?(Choose3answers)

A. AmazonGlacierstoresdatainobjectsthatliveinarchives.

B. AmazonGlacierarchivesareidentifiedbyuser-specifiedkeynames.

C. AmazonGlacierarchivestakethreetofivehourstorestore.

D. AmazonGlaciervaultscanbelocked.

E. AmazonGlaciercanbeusedasastandaloneserviceandasanAmazonS3storageclass.

Page 92: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

Chapter3AmazonElasticComputeCloud(AmazonEC2)andAmazonElasticBlockStore(AmazonEBS)THEAWSCERTIFIEDSOLUTIONSARCHITECTASSOCIATEEXAMOBJECTIVESCOVEREDINTHISCHAPTERMAYINCLUDE,BUTARENOTLIMITEDTO,THEFOLLOWING:Domain1.0:Designinghighlyavailable,cost-efficient,fault-tolerant,scalablesystems

1.1Identifyandrecognizecloudarchitectureconsiderations,suchasfundamentalcomponentsandeffectivedesigns.

Contentmayincludethefollowing:

Howtodesigncloudservices

Planninganddesign

Monitoringandlogging

Domain2.0:Implementation/Deployment

2.1IdentifytheappropriatetechniquesandmethodsusingAmazonEC2,AmazonSimpleStorageService(AmazonS3),AWSElasticBeanstalk,AWSCloudFormation,AWSOpsWorks,AmazonVirtualPrivateCloud(AmazonVPC),andAWSIdentityandAccessManagement(IAM)tocodeandimplementacloudsolution.

Contentmayincludethefollowing:

ConfigureanAmazonMachineImage(AMI)

Configureservicestosupportcompliancerequirementsinthecloud

LaunchinstancesacrosstheAWSglobalinfrastructure

Domain3.0:DataSecurity

3.2Recognizecriticaldisasterrecoverytechniquesandtheirimplementation.

Contentmayincludethefollowing:

Disasterrecovery

AmazonEB

Page 93: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us
Page 94: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

IntroductionInthischapter,youlearnhowAmazonElasticComputeCloud(AmazonEC2)andAmazonElasticBlockStore(AmazonEBS)providethebasicelementsofcomputeandblock-levelstoragetorunyourworkloadsonAWS.Itfocusesonkeytopicsyouneedtounderstandfortheexam,including:

HowinstancetypesandAmazonMachineImages(AMIs)definethecapabilitiesofinstancesyoulaunchonthecloud

Howtosecurelyaccessyourinstancesrunningonthecloud

Howtoprotectyourinstanceswithvirtualfirewallscalledsecuritygroups

Howtohaveyourinstancesconfigurethemselvesforunattendedlaunch

Howtomonitorandmanageyourinstancesonthecloud

Howtochangethecapabilitiesofanexistinginstance

Thepaymentoptionsavailableforthebestmixofaffordabilityandflexibility

Howtenancyoptionsandplacementgroupsprovideoptionstooptimizecomplianceandperformance

HowinstancestoresdifferfromAmazonEBSvolumesandwhentheyareeffective

WhattypesofvolumesareavailablethroughAmazonEBS

HowtoprotectyourdataonAmazonEBS

Page 95: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

AmazonElasticComputeCloud(AmazonEC2)AmazonEC2isAWSprimarywebservicethatprovidesresizablecomputecapacityinthecloud.

ComputeBasicsComputereferstotheamountofcomputationalpowerrequiredtofulfillyourworkload.Ifyourworkloadisverysmall,suchasawebsitethatreceivesfewvisitors,thenyourcomputeneedsareverysmall.Alargeworkload,suchasscreeningtenmillioncompoundsagainstacommoncancertarget,mightrequireagreatdealofcompute.Theamountofcomputeyouneedmightchangedrasticallyovertime.

AmazonEC2allowsyoutoacquirecomputethroughthelaunchingofvirtualserverscalledinstances.Whenyoulaunchaninstance,youcanmakeuseofthecomputeasyouwish,justasyouwouldwithanon-premisesserver.Becauseyouarepayingforthecomputingpoweroftheinstance,youarechargedperhourwhiletheinstanceisrunning.Whenyoustoptheinstance,youarenolongercharged.

TherearetwoconceptsthatarekeytolaunchinginstancesonAWS:(1)theamountofvirtualhardwarededicatedtotheinstanceand(2)thesoftwareloadedontheinstance.Thesetwodimensionsofnewinstancesarecontrolled,respectively,bytheinstancetypeandtheAMI.

InstanceTypesTheinstancetypedefinesthevirtualhardwaresupportinganAmazonEC2instance.Therearedozensofinstancetypesavailable,varyinginthefollowingdimensions:

VirtualCPUs(vCPUs)

Memory

Storage(sizeandtype)

Networkperformance

Instancetypesaregroupedintofamiliesbasedontheratioofthesevaluestoeachother.Forinstance,them4familyprovidesabalanceofcompute,memory,andnetworkresources,anditisagoodchoiceformanyapplications.Withineachfamilythereareseveralchoicesthatscaleuplinearlyinsize.Figure3.1showsthefourinstancesizesinthem4family.NotethattheratioofvCPUstomemoryisconstantasthesizesscalelinearly.Thehourlypriceforeachsizescaleslinearlyaswell.Forexample,anm4.xlargeinstancecoststwiceasmuchasthem4.largeinstance.

Page 96: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

FIGURE3.1MemoryandvCPUsforthem4instancefamily

Differentinstancetypefamiliestilttheratiotoaccommodatedifferenttypesofworkloads,buttheyallexhibitthislinearscaleupbehaviorwithinthefamily.Table3.1listssomeofthefamiliesavailable.

TABLE3.1SampleInstanceTypeFamilies

Family

c4 Computeoptimized—Forworkloadsrequiringsignificantprocessing

r3 Memoryoptimized—Formemory-intensiveworkloads

i2 Storageoptimized—ForworkloadsrequiringhighamountsoffastSSDstorage

g2 GPU-basedinstances—Intendedforgraphicsandgeneral-purposeGPUcomputeworkloads

Inresponsetocustomerdemandandtotakeadvantageofnewprocessortechnology,AWSoccasionallyintroducesnewinstancefamilies.ChecktheAWSwebsiteforthecurrentlist.

Anothervariabletoconsiderwhenchoosinganinstancetypeisnetworkperformance.Formostinstancetypes,AWSpublishesarelativemeasureofnetworkperformance:low,moderate,orhigh.Someinstancetypesspecifyanetworkperformanceof10Gbps.The

Page 97: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

networkperformanceincreaseswithinafamilyastheinstancetypegrows.

Forworkloadsrequiringgreaternetworkperformance,manyinstancetypessupportenhancednetworking.EnhancednetworkingreducestheimpactofvirtualizationonnetworkperformancebyenablingacapabilitycalledSingleRootI/OVirtualization(SR-IOV).ThisresultsinmorePacketsPerSecond(PPS),lowerlatency,andlessjitter.Atthetimeofthiswriting,thereareinstancetypesthatsupportenhancednetworkingintheC3,C4,D2,I2,M4,andR3families(consulttheAWSdocumentationforacurrentlist).Enablingenhancednetworkingonaninstanceinvolvesensuringthecorrectdriversareinstalledandmodifyinganinstanceattribute.EnhancednetworkingisavailableonlyforinstanceslaunchedinanAmazonVirtualPrivateCloud(AmazonVPC),whichisdiscussedinChapter4,“AmazonVirtualPrivateCloud(AmazonVPC).”

AmazonMachineImages(AMIs)TheAmazonMachineImage(AMI)definestheinitialsoftwarethatwillbeonaninstancewhenitislaunched.AnAMIdefineseveryaspectofthesoftwarestateatinstancelaunch,including:

TheOperatingSystem(OS)anditsconfiguration

Theinitialstateofanypatches

Applicationorsystemsoftware

AllAMIsarebasedonx86OSs,eitherLinuxorWindows.

TherearefoursourcesofAMIs:

PublishedbyAWS—AWSpublishesAMIswithversionsofmanydifferentOSs,bothLinuxandWindows.TheseincludemultipledistributionsofLinux(includingUbuntu,RedHat,andAmazon’sowndistribution)andWindows2008andWindows2012.LaunchinganinstancebasedononeoftheseAMIswillresultinthedefaultOSsettings,similartoinstallinganOSfromthestandardOSISOimage.AswithanyOSinstallation,youshouldimmediatelyapplyallappropriatepatchesuponlaunch.

TheAWSMarketplace—AWSMarketplaceisanonlinestorethathelpscustomersfind,buy,andimmediatelystartusingthesoftwareandservicesthatrunonAmazonEC2.ManyAWSpartnershavemadetheirsoftwareavailableintheAWSMarketplace.Thisprovidestwobenefits:thecustomerdoesnotneedtoinstallthesoftware,andthelicenseagreementisappropriateforthecloud.InstanceslaunchedfromanAWSMarketplaceAMIincurthestandardhourlycostoftheinstancetypeplusanadditionalper-hourchargefortheadditionalsoftware(someopen-sourceAWSMarketplacepackageshavenoadditionalsoftwarecharge).

GeneratedfromExistingInstances—AnAMIcanbecreatedfromanexistingAmazonEC2instance.ThisisaverycommonsourceofAMIs.CustomerslaunchaninstancefromapublishedAMI,andthentheinstanceisconfiguredtomeetallthecustomer’scorporatestandardsforupdates,management,security,andsoon.AnAMIisthengeneratedfromtheconfiguredinstanceandusedtogenerateallinstancesofthatOS.Inthisway,allnewinstancesfollowthecorporatestandardanditismoredifficultforindividualprojectstolaunchnon-conforminginstances.

Page 98: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

UploadedVirtualServers—UsingAWSVMImport/Exportservice,customerscancreateimagesfromvariousvirtualizationformats,includingraw,VHD,VMDK,andOVA.ThecurrentlistofsupportedOSs(LinuxandWindows)canbefoundintheAWSdocumentation.ItisincumbentonthecustomerstoremaincompliantwiththelicensingtermsoftheirOSvendor.

SecurelyUsinganInstanceOncelaunched,instancescanbemanagedovertheInternet.AWShasseveralservicesandfeaturestoensurethatthismanagementcanbedonesimplyandsecurely.

AddressinganInstanceThereareseveralwaysthataninstancemaybeaddressedoverthewebuponcreation:

PublicDomainNameSystem(DNS)Name—Whenyoulaunchaninstance,AWScreatesaDNSnamethatcanbeusedtoaccesstheinstance.ThisDNSnameisgeneratedautomaticallyandcannotbespecifiedbythecustomer.ThenamecanbefoundintheDescriptiontaboftheAWSManagementConsoleorviatheCommandLineInterface(CLI)orApplicationProgrammingInterface(API).ThisDNSnamepersistsonlywhiletheinstanceisrunningandcannotbetransferredtoanotherinstance.

PublicIP—AlaunchedinstancemayalsohaveapublicIPaddressassigned.ThisIPaddressisassignedfromtheaddressesreservedbyAWSandcannotbespecified.ThisIPaddressisuniqueontheInternet,persistsonlywhiletheinstanceisrunning,andcannotbetransferredtoanotherinstance.

ElasticIP—AnelasticIPaddressisanaddressuniqueontheInternetthatyoureserveindependentlyandassociatewithanAmazonEC2instance.WhilesimilartoapublicIP,therearesomekeydifferences.ThisIPaddresspersistsuntilthecustomerreleasesitandisnottiedtothelifetimeorstateofanindividualinstance.Becauseitcanbetransferredtoareplacementinstanceintheeventofaninstancefailure,itisapublicaddressthatcanbesharedexternallywithoutcouplingclientstoaparticularinstance.

PrivateIPaddressesandElasticNetworkInterfaces(ENIs)areadditionalmethodsofaddressinginstancesthatareavailableinthecontextofanAmazonVPC.ThesearediscussedinChapter4.

InitialAccessAmazonEC2usespublic-keycryptographytoencryptanddecryptlogininformation.Public-keycryptographyusesapublickeytoencryptapieceofdataandanassociatedprivatekeytodecryptthedata.Thesetwokeystogetherarecalledakeypair.KeypairscanbecreatedthroughtheAWSManagementConsole,CLI,orAPI,orcustomerscanuploadtheirownkeypairs.AWSstoresthepublickey,andtheprivatekeyiskeptbythecustomer.Theprivatekeyisessentialtoacquiringsecureaccesstoaninstanceforthefirsttime.

Page 99: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

Storeyourprivatekeyssecurely.WhenAmazonEC2launchesaLinuxinstance,thepublickeyisstoredinthe /.ssh/authorized_keysfileontheinstanceandaninitialuseriscreated.TheinitialusercanvarydependingontheOS.Forexample,theAmazonLinuxdistributioninitialuserisec2-user.Initialaccesstotheinstanceisobtainedbyusingtheec2-userandtheprivatekeytologinviaSSH.Atthispoint,youcanconfigureotherusersandenrollinadirectorysuchasLDAP.

WhenlaunchingaWindowsinstance,AmazonEC2generatesarandompasswordforthelocaladministratoraccountandencryptsthepasswordusingthepublickey.Initialaccesstotheinstanceisobtainedbydecryptingthepasswordwiththeprivatekey,eitherintheconsoleorthroughtheAPI.ThedecryptedpasswordcanbeusedtologintotheinstancewiththelocaladministratoraccountviaRDP.Atthispoint,youcancreateotherlocalusersand/orconnecttoanActiveDirectorydomain.

Itisabestpracticetochangetheinitiallocaladministratorpassword.

VirtualFirewallProtectionAWSallowsyoutocontroltrafficinandoutofyourinstancesthroughvirtualfirewallscalledsecuritygroups.Securitygroupsallowyoutocontroltrafficbasedonport,protocol,andsource/destination.SecuritygroupshavedifferentcapabilitiesdependingonwhethertheyareassociatedwithanAmazonVPCorAmazonEC2-Classic.Table3.2comparesthesedifferentcapabilities(AmazonVPCisdiscussedinChapter4).

TABLE3.2DifferentSecurityGroups

TypeofSecurityGroup Capabilities

EC2-ClassicSecurityGroups Controloutgoinginstancetraffic

VPCSecurityGroups Controloutgoingandincominginstancetraffic

Securitygroupsareassociatedwithinstanceswhentheyarelaunched.Everyinstancemusthaveatleastonesecuritygroupbutcanhavemore.

Asecuritygroupisdefaultdeny;thatis,itdoesnotallowanytrafficthatisnotexplicitlyallowedbyasecuritygrouprule.AruleisdefinedbythethreeattributesinTable3.3.Whenaninstanceisassociatedwithmultiplesecuritygroups,therulesareaggregatedandalltrafficallowedbyeachoftheindividualgroupsisallowed.Forexample,ifsecuritygroupAallowsRDPtrafficfrom72.58.0.0/16andsecuritygroupBallowsHTTPandHTTPStrafficfrom0.0.0.0/0andyourinstanceisassociatedwithbothgroups,thenboththeRDPandHTTP/Strafficwillbeallowedintoyourinstance.

Page 100: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

TABLE3.3SecurityGroupRuleAttributes

Attribute Meaning

Port Theportnumberaffectedbythisrule.Forinstance,port80forHTTPtraffic.

Protocol Thecommunicationsstandardforthetrafficaffectedbythisrule.

Source/Destination Identifiestheotherendofthecommunication,thesourceforincomingtrafficrules,orthedestinationforoutgoingtrafficrules.Thesource/destinationcanbedefinedintwoways:CIDRblock—Anx.x.x.x/xstyledefinitionthatdefinesaspecificrangeofIPaddresses.Securitygroup—Includesanyinstancethatisassociatedwiththegivensecuritygroup.ThishelpspreventcouplingsecuritygroupruleswithspecificIPaddresses.

Asecuritygroupisastatefulfirewall;thatis,anoutgoingmessageisrememberedsothattheresponseisallowedthroughthesecuritygroupwithoutanexplicitinboundrulebeingrequired.

Securitygroupsareappliedattheinstancelevel,asopposedtoatraditionalon-premisesfirewallthatprotectsattheperimeter.Theeffectofthisisthatinsteadofhavingtobreachasingleperimetertoaccessalltheinstancesinyoursecuritygroup,anattackerwouldhavetobreachthesecuritygrouprepeatedlyforeachindividualinstance.

TheLifecycleofInstancesAmazonEC2hasseveralfeaturesandservicesthatfacilitatethemanagementofAmazonEC2instancesovertheirentirelifecycle.

LaunchingThereareseveraladditionalservicesthatareusefulwhenlaunchingnewAmazonEC2instances.

BootstrappingAgreatbenefitofthecloudistheabilitytoscriptvirtualhardwaremanagementinamannerthatisnotpossiblewithon-premiseshardware.Inordertorealizethevalueofthis,therehastobesomewaytoconfigureinstancesandinstallapplicationsprogrammaticallywhenaninstanceislaunched.Theprocessofprovidingcodetoberunonaninstanceatlaunchiscalledbootstrapping.

OneoftheparameterswhenaninstanceislaunchedisastringvaluecalledUserData.Thisstringispassedtotheoperatingsystemtobeexecutedaspartofthelaunchprocessthefirsttimetheinstanceisbooted.OnLinuxinstancesthiscanbeshellscript,andonWindowsinstancesthiscanbeabatchstylescriptoraPowerShellscript.Thescriptcanperformtaskssuchas:

ApplyingpatchesandupdatestotheOS

Enrollinginadirectoryservice

Installingapplicationsoftware

Page 101: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

Copyingalongerscriptorprogramfromstoragetoberunontheinstance

InstallingCheforPuppetandassigningtheinstancearolesotheconfigurationmanagementsoftwarecanconfiguretheinstance

UserDataisstoredwiththeinstanceandisnotencrypted,soitisimportanttonotincludeanysecretssuchaspasswordsorkeysintheUserData.

VMImport/ExportInadditiontoimportingvirtualinstancesasAMIs,VMImport/ExportenablesyoutoeasilyimportVirtualMachines(VMs)fromyourexistingenvironmentasanAmazonEC2instanceandexportthembacktoyouron-premisesenvironment.YoucanonlyexportpreviouslyimportedAmazonEC2instances.InstanceslaunchedwithinAWSfromAMIscannotbeexported.

InstanceMetadataInstancemetadataisdataaboutyourinstancethatyoucanusetoconfigureormanagetherunninginstance.ThisisuniqueinthatitisamechanismtoobtainAWSpropertiesoftheinstancefromwithintheOSwithoutmakingacalltotheAWSAPI.AnHTTPcalltohttp://169.254.169.254/latest/meta-data/willreturnthetopnodeoftheinstancemetadatatree.Instancemetadataincludesawidevarietyofattributes,including:

Theassociatedsecuritygroups

TheinstanceID

Theinstancetype

TheAMIusedtolaunchtheinstance

Thisonlybeginstoscratchthesurfaceoftheinformationavailableinthemetadata.ConsulttheAWSdocumentationforafulllist.

ManagingInstancesWhenthenumberofinstancesinyouraccountstartstoclimb,itcanbecomedifficulttokeeptrackofthem.TagscanhelpyoumanagenotjustyourAmazonEC2instances,butalsomanyofyourAWSCloudservices.Tagsarekey/valuepairsyoucanassociatewithyourinstanceorotherservice.Tagscanbeusedtoidentifyattributesofaninstancelikeproject,environment(dev,test,andsoon),billabledepartment,andsoforth.Youcanapplyupto10tagsperinstance.Table3.4showssometagsuggestions.

TABLE3.4SampleTags

Key Value

Project TimeEntry

Environment Production

BillingCode 4004

MonitoringInstancesAWSoffersaservicecalledAmazonCloudWatchthatprovidesmonitoringandalertingfor

Page 102: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

AmazonEC2instances,andalsootherAWSinfrastructure.AmazonCloudWatchisdiscussedindetailinChapter5,“ElasticLoadBalancing,AmazonCloudWatch,andAutoScaling.”

ModifyinganInstanceThereareseveralaspectsofaninstancethatcanbemodifiedafterlaunch.

InstanceTypeTheabilitytochangetheinstancetypeofaninstancecontributesgreatlytotheagilityofrunningworkloadsinthecloud.Insteadofcommittingtoacertainhardwareconfigurationmonthsbeforeaworkloadislaunched,theworkloadcanbelaunchedusingabestestimatefortheinstancetype.Ifthecomputeneedsprovetobehigherorlowerthanexpected,theinstancescanbechangedtoadifferentsizemoreappropriatetotheworkload.

InstancescanberesizedusingtheAWSManagementConsole,CLI,orAPI.Toresizeaninstance,setthestatetoStopped.Choosethe“ChangeInstanceType”functioninthetoolofyourchoice(theinstancetypeislistedasanInstanceSettingintheconsoleandanInstanceAttributeintheCLI)andselectthedesiredinstancetype.Restarttheinstanceandtheprocessiscomplete.

SecurityGroupsIfaninstanceisrunninginanAmazonVPC(discussedinChapter4),youcanchangewhichsecuritygroupsareassociatedwithaninstancewhiletheinstanceisrunning.ForinstancesoutsideofanAmazonVPC(calledEC2-Classic),theassociationofthesecuritygroupscannotbechangedafterlaunch.

TerminationProtectionWhenanAmazonEC2instanceisnolongerneeded,thestatecanbesettoTerminatedandtheinstancewillbeshutdownandremovedfromtheAWSinfrastructure.InordertopreventterminationviatheAWSManagementConsole,CLI,orAPI,terminationprotectioncanbeenabledforaninstance.Whileenabled,callstoterminatetheinstancewillfailuntilterminationprotectionisdisabled.Thishelpstopreventaccidentalterminationthroughhumanerror.

NotethatthisjustprotectsfromterminationcallsfromtheAWSManagementConsole,CLI,orAPI.ItdoesnotpreventterminationtriggeredbyanOSshutdowncommand,terminationfromanAutoScalinggroup(discussedinChapter5),orterminationofaSpotInstanceduetoSpotpricechanges(discussedinthenextsection).

OptionsThereareseveraladditionaloptionsavailableinAmazonEC2toimprovecostoptimization,security,andperformancethatareimportanttoknowfortheexam.

PricingOptionsYouarechargedforAmazonEC2instancesforeachhourthattheyareinarunningstate,buttheamountyouarechargedperhourcanvarybasedonthreepricingoptions:On-DemandInstances,ReservedInstances,andSpotInstances.

On-DemandInstancesThepriceperhourforeachinstancetypepublishedontheAWSwebsiterepresentsthepriceforOn-DemandInstances.Thisisthemostflexiblepricingoption,asitrequiresnoup-frontcommitment,andthecustomerhascontroloverwhenthe

Page 103: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

instanceislaunchedandwhenitisterminated.Itistheleastcosteffectiveofthethreepricingoptionspercomputehour,butitsflexibilityallowscustomerstosavebyprovisioningavariablelevelofcomputeforunpredictableworkloads.

ReservedInstancesTheReservedInstancepricingoptionenablescustomerstomakecapacityreservationsforpredictableworkloads.ByusingReservedInstancesfortheseworkloads,customerscansaveupto75percentovertheon-demandhourlyrate.Whenpurchasingareservation,thecustomerspecifiestheinstancetypeandAvailabilityZoneforthatReservedInstanceandachievesalowereffectivehourlypriceforthatinstanceforthedurationofthereservation.AnadditionalbenefitisthatcapacityintheAWSdatacentersisreservedforthatcustomer.Therearetwofactorsthatdeterminethecostofthereservation:thetermcommitmentandthepaymentoption.

Thetermcommitmentisthedurationofthereservationandcanbeeitheroneorthreeyears.Thelongerthecommitment,thebiggerthediscount.

TherearethreedifferentpaymentoptionsforReservedInstances:

AllUpfront—Payfortheentirereservationupfront.Thereisnomonthlychargeforthecustomerduringtheterm.

PartialUpfront—Payaportionofthereservationchargeupfrontandtherestinmonthlyinstallmentsforthedurationoftheterm.

NoUpfront—Paytheentirereservationchargeinmonthlyinstallmentsforthedurationoftheterm.

Theamountofthediscountisgreaterthemorethecustomerpaysupfront.

Forexample,let’slookattheeffectofanallupfront,three-yearreservationontheeffectivehourlycostofanm4.2xlargeinstance.Thecostofrunningoneinstancecontinuouslyforthreeyears(or26,280hours)atbothpricingoptionsisshowninTable3.5.

TABLE3.5ReservedInstancePricingExample

PricingOption EffectiveHourlyCost TotalThree-YearCost

On-Demand $0.479/hour $0.479/hour*26280hours=$12588.12

Three-YearAllUpfrontReservation

$4694/26280hours=$0.1786/hour

$4694

Savings 63%

Thisexampleusesthepublishedpricesatthetimeofthiswriting.AWShasloweredpricesmanytimestodate,sochecktheAWSwebsiteforcurrentpricinginformation.

Whenyourcomputingneedschange,youcanmodifyyourReservedInstancesandcontinuetobenefitfromyourcapacityreservation.ModificationdoesnotchangetheremainingtermofyourReservedInstances;theirenddatesremainthesame.Thereisnofee,andyoudonot

Page 104: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

receiveanynewbillsorinvoices.Modificationisseparatefrompurchasinganddoesnotaffecthowyouuse,purchase,orsellReservedInstances.Youcanmodifyyourwholereservation,orjustasubset,inoneormoreofthefollowingways:

SwitchAvailabilityZoneswithinthesameregion.

ChangebetweenEC2-VPCandEC2-Classic.

Changetheinstancetypewithinthesameinstancefamily(Linuxinstancesonly).

SpotInstancesForworkloadsthatarenottimecriticalandaretolerantofinterruption,SpotInstancesofferthegreatestdiscount.WithSpotInstances,customersspecifythepricetheyarewillingtopayforacertaininstancetype.Whenthecustomer’sbidpriceisabovethecurrentSpotprice,thecustomerwillreceivetherequestedinstance(s).TheseinstanceswilloperatelikeallotherAmazonEC2instances,andthecustomerwillonlypaytheSpotpriceforthehoursthatinstance(s)run.Theinstanceswillrununtil:

Thecustomerterminatesthem.

TheSpotpricegoesabovethecustomer’sbidprice.

ThereisnotenoughunusedcapacitytomeetthedemandforSpotInstances.

IfAmazonEC2needstoterminateaSpotInstance,theinstancewillreceiveaterminationnoticeprovidingatwo-minutewarningpriortoAmazonEC2terminatingtheinstance.

Becauseofthepossibilityofinterruption,SpotInstancesshouldonlybeusedforworkloadstolerantofinterruption.Thiscouldincludeanalytics,financialmodeling,bigdata,mediaencoding,scientificcomputing,andtesting.

ArchitectureswithDifferentPricingModelsFortheexam,it’simportanttoknowhowtotakeadvantageofthedifferentpricingmodelstocreateacost-efficientarchitecture.Suchanarchitecturemayincludedifferentpricingmodelswithinthesameworkload.Forinstance,awebsitethataverages5,000visitsaday,butrampsupto20,000visitsadayduringperiodicpeaks,maypurchasetwoReservedInstancestohandletheaveragetraffic,butdependonOn-DemandInstancestofulfillcomputeneedsduringthepeaktimes.Figure3.2showssuchanarchitecture.

Page 105: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

FIGURE3.2AworkloadusingamixofOn-DemandandReservedInstances

TenancyOptionsThereareseveraltenancyoptionsforAmazonEC2instancesthatcanhelpcustomersachievesecurityandcompliancegoals.

SharedTenancySharedtenancyisthedefaulttenancymodelforallAmazonEC2instances,regardlessofinstancetype,pricingmodel,andsoforth.Sharedtenancymeansthatasinglehostmachinemayhouseinstancesfromdifferentcustomers.AsAWSdoesnotuseoverprovisioningandfullyisolatesinstancesfromotherinstancesonthesamehost,thisisasecuretenancymodel.

DedicatedInstancesDedicatedInstancesrunonhardwarethat’sdedicatedtoasinglecustomer.AsacustomerrunsmoreDedicatedInstances,moreunderlyinghardwaremaybededicatedtotheiraccount.Otherinstancesintheaccount(thosenotdesignatedasdedicated)willrunonsharedtenancyandwillbeisolatedatthehardwarelevelfromtheDedicatedInstancesintheaccount.

DedicatedHostAnAmazonEC2DedicatedHostisaphysicalserverwithAmazonEC2instancecapacityfullydedicatedtoasinglecustomer’suse.DedicatedHostscanhelpyouaddresslicensingrequirementsandreducecostsbyallowingyoutouseyourexistingserver-boundsoftwarelicenses.Thecustomerhascompletecontroloverwhichspecifichostrunsaninstanceatlaunch.ThisdiffersfromDedicatedInstancesinthataDedicatedInstancecanlaunchonanyhardwarethathasbeendedicatedtotheaccount.

PlacementGroupsAplacementgroupisalogicalgroupingofinstanceswithinasingleAvailabilityZone.Placementgroupsenableapplicationstoparticipateinalow-latency,10Gbpsnetwork.Placementgroupsarerecommendedforapplicationsthatbenefitfromlownetworklatency,highnetworkthroughput,orboth.Rememberthatthisrepresentsnetworkconnectivitybetweeninstances.Tofullyusethisnetworkperformanceforyourplacementgroup,chooseaninstancetypethatsupportsenhancednetworkingand10Gbpsnetworkperformance.

Page 106: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

InstanceStoresAninstancestore(sometimesreferredtoasephemeralstorage)providestemporaryblock-levelstorageforyourinstance.Thisstorageislocatedondisksthatarephysicallyattachedtothehostcomputer.Aninstancestoreisidealfortemporarystorageofinformationthatchangesfrequently,suchasbuffers,caches,scratchdata,andothertemporarycontent,orfordatathatisreplicatedacrossafleetofinstances,suchasaload-balancedpoolofwebservers.

ThesizeandtypeofinstancestoresavailablewithanAmazonEC2instancedependontheinstancetype.Atthiswriting,storageavailablewithvariousinstancetypesrangesfromnoinstancestoresupto242TBinstancestores.Theinstancetypealsodeterminesthetypeofhardwarefortheinstancestorevolumes.WhilesomeprovideHardDiskDrive(HDD)instancestores,otherinstancetypesuseSolidStateDrives(SSDs)todeliververyhighrandomI/Operformance.

InstancestoresareincludedinthecostofanAmazonEC2instance,sotheyareaverycost-effectivesolutionforappropriateworkloads.Thekeyaspectofinstancestoresisthattheyaretemporary.Dataintheinstancestoreislostwhen:

Theunderlyingdiskdrivefails.

Theinstancestops(thedatawillpersistifaninstancereboots).

Theinstanceterminates.

Therefore,donotrelyoninstancestoresforvaluable,long-termdata.Instead,buildadegreeofredundancyviaRAIDoruseafilesystemthatsupportsredundancyandfaulttolerancesuchasHadoop’sHDFS.BackupthedatatomoredurabledatastoragesolutionssuchasAmazonSimpleStorageService(AmazonS3)orAmazonEBSoftenenoughtomeetrecoverypointobjectives.

Page 107: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

AmazonElasticBlockStore(AmazonEBS)Whileinstancestoresareaneconomicalwaytofulfillappropriateworkloads,theirlimitedpersistencemakesthemill-suitedformanyotherworkloads.Forworkloadsrequiringmoredurableblockstorage,AmazonprovidesAmazonEBS.

ElasticBlockStoreBasicsAmazonEBSprovidespersistentblock-levelstoragevolumesforusewithAmazonEC2instances.EachAmazonEBSvolumeisautomaticallyreplicatedwithinitsAvailabilityZonetoprotectyoufromcomponentfailure,offeringhighavailabilityanddurability.AmazonEBSvolumesareavailableinavarietyoftypesthatdifferinperformancecharacteristicsandprice.MultipleAmazonEBSvolumescanbeattachedtoasingleAmazonEC2instance,althoughavolumecanonlybeattachedtoasingleinstanceatatime.

TypesofAmazonEBSVolumesAmazonEBSvolumesareavailableinseveraldifferenttypes.Typesvaryinareassuchasunderlyinghardware,performance,andcost.Itisimportanttoknowthepropertiesofthedifferenttypessoyoucanspecifythemostcost-efficienttypethatmeetsaworkload’sperformancedemandsontheexam.

MagneticVolumesMagneticvolumeshavethelowestperformancecharacteristicsofallAmazonEBSvolumetypes.Assuch,theycostthelowestpergigabyte.Theyareanexcellent,cost-effectivesolutionforappropriateworkloads.

AmagneticAmazonEBSvolumecanrangeinsizefrom1GBto1TBandwillaverage100IOPS,buthastheabilitytobursttohundredsofIOPS.Theyarebestsuitedfor:

Workloadswheredataisaccessedinfrequently

Sequentialreads

Situationswherelow-coststorageisarequirement

Magneticvolumesarebilledbasedontheamountofdataspaceprovisioned,regardlessofhowmuchdatayouactuallystoreonthevolume.

General-PurposeSSDGeneral-purposeSSDvolumesoffercost-effectivestoragethatisidealforabroadrangeofworkloads.Theydeliverstrongperformanceatamoderatepricepointthatissuitableforawiderangeofworkloads.

Ageneral-purposeSSDvolumecanrangeinsizefrom1GBto16TBandprovidesabaselineperformanceofthreeIOPSpergigabyteprovisioned,cappingat10,000IOPS.Forinstance,ifyouprovisiona1TBvolume,youcanexpectabaselineperformanceof3,000IOPS.A5TBvolumewillnotprovidea15,000IOPSbaseline,asitwouldhitthecapat10,000IOPS.

General-purposeSSDvolumesunder1TBalsofeaturetheabilitytobursttoupto3,000

Page 108: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

IOPSforextendedperiodsoftime.Forinstance,ifyouhavea500GBvolumeyoucanexpectabaselineof1,500IOPS.WheneveryouarenotusingtheseIOPS,theyareaccumulatedasI/Ocredits.Whenyourvolumethenhasheavytraffic,itwillusetheI/Ocreditsatarateofupto3,000IOPSuntiltheyaredepleted.Atthatpoint,yourperformancerevertsto1,500IOPS.At1TB,thebaselineperformanceofthevolumeisalreadyat3,000IOPS,soburstingbehaviordoesnotapply.

General-purposeSSDvolumesarebilledbasedontheamountofdataspaceprovisioned,regardlessofhowmuchdatayouactuallystoreonthevolume.Theyaresuitedforawiderangeofworkloadswheretheveryhighestdiskperformanceisnotcritical,suchas:

Systembootvolumes

Small-tomedium-sizeddatabases

Developmentandtestenvironments

ProvisionedIOPSSSDProvisionedIOPSSSDvolumesaredesignedtomeettheneedsofI/O-intensiveworkloads,particularlydatabaseworkloadsthataresensitivetostorageperformanceandconsistencyinrandomaccessI/Othroughput.WhiletheyarethemostexpensiveAmazonEBSvolumetypepergigabyte,theyprovidethehighestperformanceofanyAmazonEBSvolumetypeinapredictablemanner.

AProvisionedIOPSSSDvolumecanrangeinsizefrom4GBto16TB.WhenyouprovisionaProvisionedIOPSSSDvolume,youspecifynotjustthesize,butalsothedesirednumberofIOPS,uptothelowerofthemaximumof30timesthenumberofGBofthevolume,or20,000IOPS.YoucanstripemultiplevolumestogetherinaRAID0configurationforlargersizeandgreaterperformance.AmazonEBSdeliverswithin10percentoftheprovisionedIOPSperformance99.9percentofthetimeoveragivenyear.

PricingisbasedonthesizeofthevolumeandtheamountofIOPSreserved.Thecostpergigabyteisslightlymorethanthatofgeneral-purposeSSDvolumesandisappliedbasedonthesizeofthevolume,nottheamountofthevolumeusedtostoredata.AnadditionalmonthlyfeeisappliedbasedonthenumberofIOPSprovisioned,whethertheyareconsumedornot.

ProvisionedIOPSSSDvolumesprovidepredictable,highperformanceandarewellsuitedfor:

CriticalbusinessapplicationsthatrequiresustainedIOPSperformance

Largedatabaseworkloads

Table3.6comparestheseAmazonEBSvolumetypes.

Page 109: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

TABLE3.6EBSVolumeTypeComparison

Characteristic General-PurposeSSD ProvisionedIOPSSSD Magnetic

Usecases Systembootvolumes

Virtualdesktops

Small-to-mediumsizeddatabases

Developmentandtestenvironments

CriticalbusinessapplicationsthatrequiresustainedIOPSperformanceormorethan10,000IOPSor160MBofthroughputpervolume

Largedatabaseworkloads

Coldworkloadswheredataisinfrequentlyaccessed

Scenarioswheretheloweststoragecostisimportant

Volumesize 1GiB–16TiB 4GiB–16TiB 1GiB–1TiB

Maximumthroughput

160MB 320MB 40–90MB

IOPSperformance

Baselineperformanceof3IOPS/GiB(upto10,000IOPS)withtheabilitytoburstto3,000IOPSforvolumesunder1,000GiB

Consistentlyperformsatprovisionedlevel,upto20,000IOPSmaximum

Averages100IOPS,withtheabilitytobursttohundredsofIOPS

Atthetimeofthiswriting,AWSreleasedtwonewHDDvolumetypes:Throughput-OptimizedHDDandColdHDD.Overtime,itisexpectedthatthesenewtypeswilleclipsethecurrentmagneticvolumetype,fulfillingtheneedsofanyworkloadrequiringHDDperformance.

Throughput-OptimizedHDDvolumesarelow-costHDDvolumesdesignedforfrequent-access,throughput-intensiveworkloadssuchasbigdata,datawarehouses,andlogprocessing.Volumescanbeupto16TBwithamaximumIOPSof500andmaximumthroughputof500MB/s.Thesevolumesaresignificantlylessexpensivethangeneral-purposeSSDvolumes.

ColdHDDvolumesaredesignedforlessfrequentlyaccessedworkloads,suchascolderdatarequiringfewerscansperday.Volumescanbeupto16TBwithamaximumIOPSof250andmaximumthroughputof250MB/s.ThesevolumesaresignificantlylessexpensivethanThroughput-OptimizedHDDvolumes.

AmazonEBS-OptimizedInstancesWhenusinganyvolumetypeotherthanmagneticandAmazonEBSI/Oisofconsequence,itisimportanttouseAmazonEBS-optimizedinstancestoensurethattheAmazonEC2instanceispreparedtotakeadvantageoftheI/OoftheAmazonEBSvolume.AnAmazon

Page 110: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

EBS-optimizedinstanceusesanoptimizedconfigurationstackandprovidesadditional,dedicatedcapacityforAmazonEBSI/O.ThisoptimizationprovidesthebestperformanceforyourAmazonEBSvolumesbyminimizingcontentionbetweenAmazonEBSI/Oandothertrafficfromyourinstance.WhenyouselectAmazonEBS-optimizedforaninstance,youpayanadditionalhourlychargeforthatinstance.ChecktheAWSdocumentationtoconfirmwhichinstancetypesareavailableasAmazonEBS-optimizedinstance.

ProtectingDataOverthelifecycleofanAmazonEBSvolume,thereareseveralpracticesandservicesthatyoushouldknowaboutwhentakingtheexam.

Backup/Recovery(Snapshots)YoucanbackupthedataonyourAmazonEBSvolumes,regardlessofvolumetype,bytakingpoint-in-timesnapshots.Snapshotsareincrementalbackups,whichmeansthatonlytheblocksonthedevicethathavechangedsinceyourmostrecentsnapshotaresaved.

TakingSnapshotsYoucantakesnapshotsinmanyways:

ThroughtheAWSManagementConsole

ThroughtheCLI

ThroughtheAPI

Bysettingupascheduleofregularsnapshots

DataforthesnapshotisstoredusingAmazonS3technology.Theactionoftakingasnapshotisfree.Youpayonlythestoragecostsforthesnapshotdata.

Whenyourequestasnapshot,thepoint-in-timesnapshotiscreatedimmediatelyandthevolumemaycontinuetobeused,butthesnapshotmayremaininpendingstatusuntilallthemodifiedblockshavebeentransferredtoAmazonS3.

It’simportanttoknowthatwhilesnapshotsarestoredusingAmazonS3technology,theyarestoredinAWS-controlledstorageandnotinyouraccount’sAmazonS3buckets.ThismeansyoucannotmanipulatethemlikeotherAmazonS3objects.Rather,youmustusetheAmazonEBSsnapshotfeaturestomanagethem.Snapshotsareconstrainedtotheregioninwhichtheyarecreated,meaningyoucanusethemtocreatenewvolumesonlyinthesameregion.Ifyouneedtorestoreasnapshotinadifferentregion,youcancopyasnapshottoanotherregion.

CreatingaVolumefromaSnapshotTouseasnapshot,youcreateanewAmazonEBSvolumefromthesnapshot.Whenyoudothis,thevolumeiscreatedimmediatelybutthedataisloadedlazily.Thismeansthatthevolumecanbeaccesseduponcreation,andifthedatabeingrequestedhasnotyetbeenrestored,itwillberestoreduponfirstrequest.Becauseofthis,itisabestpracticetoinitializeavolumecreatedfromasnapshotbyaccessingalltheblocksinthevolume.

SnapshotscanalsobeusedtoincreasethesizeofanAmazonEBSvolume.ToincreasethesizeofanAmazonEBSvolume,takeasnapshotofthevolume,thencreateanewvolumeofthedesiredsizefromthesnapshot.Replacetheoriginalvolumewiththenewvolume.

Page 111: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

RecoveringVolumesBecauseAmazonEBSvolumespersistbeyondthelifetimeofaninstance,itispossibletorecoverdataifaninstancefails.IfanAmazonEBS-backedinstancefailsandthereisdataonthebootdrive,itisrelativelystraightforwardtodetachthevolumefromtheinstance.UnlesstheDeleteOnTerminationflagforthevolumehasbeensettofalse,thevolumeshouldbedetachedbeforetheinstanceisterminated.Thevolumecanthenbeattachedasadatavolumetoanotherinstanceandthedatareadandrecovered.

EncryptionOptionsManyworkloadshaverequirementsthatdatabeencryptedatrest,eitherbecauseofcomplianceregulationsorinternalcorporatestandards.AmazonEBSoffersnativeencryptiononallvolumetypes.

WhenyoulaunchanencryptedAmazonEBSvolume,AmazonusestheAWSKeyManagementService(KMS)tohandlekeymanagement.Anewmasterkeywillbecreatedunlessyouselectamasterkeythatyoucreatedseparatelyintheservice.Yourdataandassociatedkeysareencryptedusingtheindustry-standardAES-256algorithm.TheencryptionoccursontheserversthathostAmazonEC2instances,sothedataisactuallyencryptedintransitbetweenthehostandthestoragemediaandalsoonthemedia.(ConsulttheAWSdocumentationforalistofinstancetypesthatsupportAmazonEBSencryption.)Encryptionistransparent,soalldataaccessisthesameasunencryptedvolumes,andyoucanexpectthesameIOPSperformanceonencryptedvolumesasyouwouldwithunencryptedvolumes,withaminimaleffectonlatency.Snapshotsthataretakenfromencryptedvolumesareautomaticallyencrypted,asarevolumesthatarecreatedfromencryptedsnapshots.

Page 112: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

SummaryComputeistheamountofcomputationalpowerrequiredtofulfillyourworkload.AmazonEC2istheprimaryserviceforprovidingcomputetocustomers.

Theinstancetypedefinesthevirtualhardwaresupportingtheinstance.AvailableinstancetypesvaryinvCPUs,memory,storage,andnetworkperformancetoaddressnearlyanyworkload.

AnAMIdefinestheinitialsoftwarestateoftheinstance,bothOSandapplications.TherearefoursourcesofAMIs:AWSpublishedgenericOSs,partner-publishedAMIsintheAWSMarketplacewithsoftwarepackagespreinstalled,customer-generatedAMIsfromexistingAmazonEC2instances,anduploadedAMIsfromvirtualservers.

InstancescanbeaddressedbypublicDNSname,publicIPaddress,orelasticIPaddress.ToaccessanewlylaunchedLinuxinstance,usetheprivatehalfofthekeypairtoconnecttotheinstanceviaSSH.ToaccessanewlycreatedWindowsinstance,usetheprivatehalfofthekeypairtodecrypttherandomlyinitializedlocaladministratorpassword.

Networktrafficinandoutofaninstancecanbecontrolledbyavirtualfirewallcalledasecuritygroup.Asecuritygroupallowsrulesthatblocktrafficbasedondirection,port,protocol,andsource/destinationaddress.

BootstrappingallowsyoutorunascripttoinitializeyourinstancewithOSconfigurationsandapplications.Thisfeatureallowsinstancestoconfigurethemselvesuponlaunch.Onceaninstanceislaunched,youcanchangeitsinstancetypeor,forAmazonVPCinstances,thesecuritygroupswithwhichitisassociated.

ThethreepricingoptionsforinstancesareOn-Demand,ReservedInstance,andSpot.On-Demandhasthehighestperhourcost,requiringnoup-frontcommitmentandgivingyoucompletecontroloverthelifetimeoftheinstance.ReservedInstancesrequireacommitmentandprovideareducedoverallcostoverthelifetimeofthereservation.SpotInstancesareidlecomputecapacitythatAWSmakesavailablebasedonbidpricesfromcustomers.Thesavingsontheper-hourcostcanbesignificant,butinstancescanbeshutdownwhenthebidpriceexceedsthecustomer’scurrentbid.

Instancestoresareblockstorageincludedwiththehourlycostoftheinstance.Theamountandtypeofstorageavailablevarieswiththeinstancetype.Instancestoresterminatewhentheassociatedinstanceisstopped,sotheyshouldonlybeusedfortemporarydataorinarchitecturesprovidingredundancysuchasHadoop’sHDFS.

AmazonEBSprovidesdurableblockstorageinseveraltypes.Magnetichasthelowestcostpergigabyteanddeliversmodestperformance.General-purposeSSDiscost-effectivestoragethatcanprovideupto10,000IOPS.ProvisionedIOPSSSDhasthehighestcostpergigabyteandiswellsuitedforI/O-intensiveworkloadssensitivetostorageperformance.SnapshotsareincrementalbackupsofAmazonEBSvolumesstoredinAmazonS3.AmazonEBSvolumescanbeencrypted.

Page 113: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

ExamEssentialsKnowthebasicsoflaunchinganAmazonec2instance.Tolaunchaninstance,youmustspecifyanAMI,whichdefinesthesoftwareontheinstanceatlaunch,andaninstancetype,whichdefinesthevirtualhardwaresupportingtheinstance(memory,vCPUs,andsoon).

KnowwhatarchitecturesaresuitedforwhatAmazonec2pricingoptions.SpotInstancesarebestsuitedforworkloadsthatcanaccommodateinterruption.ReservedInstancesarebestforconsistent,long-termcomputeneeds.On-DemandInstancesprovideflexiblecomputetorespondtoscalingneeds.

Knowhowtocombinemultiplepricingoptionsthatresultincostoptimizationandscalability.On-DemandInstancescanbeusedtoscaleupawebapplicationrunningonReservedInstancesinresponsetoatemporarytrafficspike.ForaworkloadwithseveralReservedInstancesreadingfromaqueue,it’spossibletouseSpotInstancestoalleviateheavytrafficinacost-effectiveway.Thesearejusttwoofcountlessexampleswhereaworkloadmayusedifferentpricingoptions.

Knowthebenefitsofenhancednetworking.EnhancednetworkingenablesyoutogetsignificantlyhigherPPSperformance,lowernetworkjitter,andlowerlatencies.

Knowthecapabilitiesofvmimport/export.VMImport/ExportallowsyoutoimportexistingVMstoAWSasAmazonEC2instancesorAMIs.AmazonEC2instancesthatwereimportedthroughVMImport/Exportcanalsobeexportedbacktoavirtualenvironment.

Knowthemethodsforaccessinganinstanceovertheinternet.YoucanaccessanAmazonEC2instanceoverthewebviapublicIPaddress,elasticIPaddress,orpublicDNSname.ThereareadditionalwaystoaccessaninstancewithinanAmazonVPC,includingprivateIPaddressesandENIs.

Knowthelifetimeofaninstancestore.Dataonaninstancestoreislostwhentheinstanceisstoppedorterminated.InstancestoredatasurvivesanOSreboot.

KnowthepropertiesoftheAmazonEC2pricingoptions.On-DemandInstancesrequirenoup-frontcommitment,canbelaunchedanytime,andarebilledbythehour.ReservedInstancesrequireanup-frontcommitmentandvaryincostdependingonwhethertheyarepaidallupfront,partiallyupfront,ornotupfront.SpotInstancesarelaunchedwhenyourbidpriceexceedsthecurrentspotprice.SpotInstanceswillrununtilthespotpriceexceedsyourbidprice,inwhichcasetheinstancewillgetatwo-minutewarningandterminate.

Knowwhatdeterminesnetworkperformance.Everyinstancetypeisratedforlow,moderate,high,or10Gbpsnetworkperformance,withlargerinstancetypesgenerallyhavinghigherratings.Additionally,someinstancetypesofferenhancednetworking,whichprovidesadditionalimprovementinnetworkperformance.

Knowwhatinstancemetadataisandhowit’sobtained.MetadataisinformationaboutanAmazonEC2instance,suchasinstanceID,instancetype,andsecuritygroups,thatisavailablefromwithintheinstance.ItcanbeobtainedthroughanHTTPcalltoaspecificIPaddress.

Page 114: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

Knowhowsecuritygroupsprotectinstances.SecuritygroupsarevirtualfirewallscontrollingtrafficinandoutofyourAmazonEC2instances.Theyaredenybydefault,andyoucanallowtrafficbyaddingrulesspecifyingtrafficdirection,port,protocol,anddestinationaddress(viaClasslessInter-DomainRouting[CIDR]block).Theyareappliedattheinstancelevel,meaningthattrafficbetweeninstancesinthesamesecuritygroupmustadheretotherulesofthatsecuritygroup.Theyarestateful,meaningthatanoutgoingrulewillallowtheresponsewithoutacorrelatingincomingrule.

Knowhowtointerprettheeffectofsecuritygroups.Whenaninstanceisamemberofmultiplesecuritygroups,theeffectisaunionofalltherulesinallthegroups.

KnowthedifferentAmazonebsvolumetypes,theircharacteristics,andtheirappropriateworkloads.Magneticvolumesprovideanaverageperformanceof100IOPSandcanbeprovisionedupto1TB.Theyaregoodforcoldandinfrequentlyaccesseddata.General-purposeSSDvolumesprovidethreeIOPS/GBupto10,000IOPS,withsmallervolumesabletoburst3,000IOPS.Theycanbeprovisionedupto16TBandareappropriatefordev/testenvironments,smalldatabases,andsoforth.ProvisionedIOPSSSDcanprovideupto20,000consistentIOPSforvolumesupto16TB.Theyarethebestchoiceforworkloadssuchaslargedatabasesexecutingmanytransactions.

KnowhowtoencryptanAmazonebsvolume.Anyvolumetypecanbeencryptedatlaunch.EncryptionisbasedonAWSKMSandistransparenttoapplicationsontheattachedinstances.

Understandtheconceptandprocessofsnapshots.Snapshotsprovideapoint-in-timebackupofanAmazonEBSvolumeandarestoredinAmazonS3.Subsequentsnapshotsareincremental—theyonlystoredeltas.Whenyourequestasnapshot,thepoint-in-timesnapshotiscreatedimmediatelyandthevolumemaycontinuetobeused,butthesnapshotmayremaininpendingstatusuntilallthemodifiedblockshavebeentransferredtoAmazonS3.Snapshotsmaybecopiedbetweenregions.

KnowhowAmazonebs-optimizedinstancesaffectAmazonebsperformance.InadditiontotheIOPSthatcontroltheperformanceinandoutoftheAmazonEBSvolume,useAmazonEBS-optimizedinstancestoensureadditional,dedicatedcapacityforAmazonEBSI/O.

Page 115: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

ExercisesForassistanceincompletingtheseexercises,refertotheseuserguides:

AmazonEC2(Linux)—http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/

concepts.html

AmazonEC2(Windows)—http://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/concepts.html

AmazonEBS—http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AmazonEBS.html

EXERCISE3.1

LaunchandConnecttoaLinuxInstanceInthisexercise,youwilllaunchanewLinuxinstance,loginwithSSH,andinstallanysecurityupdates.

1. LaunchaninstanceintheAmazonEC2console.

2. ChoosetheAmazonLinuxAMI.

3. Choosethet2.mediuminstancetype.

4. LaunchtheinstanceineitherthedefaultVPCorEC2-Classic.

5. AssigntheinstanceapublicIPaddress.

6. AddatagtotheinstanceofKey:Name,Value:Exercise3.1.

7. CreateanewsecuritygroupcalledCertBook.

8. AddaruletoCertBookallowingSSHaccessfromtheIPaddressofyourworkstation(www.WhatsMyIP.orgisagoodwaytodetermineyourIPaddress).

9. Launchtheinstance.

10. Whenpromptedforakeypair,chooseakeypairyoualreadyhaveorcreateanewoneanddownloadtheprivateportion.

Amazongeneratesakeyname.pemfile,andyouwillneedakeyname.ppkfiletoconnecttotheinstanceviaSSH.Puttygen.exeisoneutilitythatwillcreatea.ppkfilefroma.pemfile.

11. SSHintotheinstanceusingthepublicIPaddress,theusernameec2-user,andthekeyname.ppkfile.

12. Fromthecommand-lineprompt,runsudoyumupdate—security-y.

13. ClosetheSSHwindowandterminatetheinstance.

Page 116: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

EXERCISE3.2

LaunchaWindowsInstancewithBootstrappingInthisexercise,youwilllaunchaWindowsinstanceandspecifyaverysimplebootstrapscript.Youwillthenconfirmthatthebootstrapscriptwasexecutedontheinstance.

1. LaunchaninstanceintheAmazonEC2console.

2. ChoosetheMicrosoftWindowsServer2012BaseAMI.

3. Choosethet2.mediuminstancetype.

4. LaunchtheinstanceineitherthedefaultVPCorEC2-Classic.

5. AssigntheinstanceapublicIPaddress.

6. IntheAdvancedDetailssection,enterthefollowingtextasUserData:

<script>

mdc:\temp

</script>

7. AddatagtotheinstanceofKey:Name,Value:Exercise3.2.

8. UsetheCertBooksecuritygroupfromExercise3.1.

9. Launchtheinstance.

10. UsethekeypairfromExercise3.1.

11. OntheConnectInstanceUI,decrypttheadministratorpasswordandthendownloadtheRDPfiletoattempttoconnecttotheinstance.YourattemptshouldfailbecausetheCertBooksecuritygroupdoesnotallowRDPaccess.

12. OpentheCertBooksecuritygroupandaddarulethatallowsRDPaccessfromyourIPaddress.

13. AttempttoaccesstheinstanceviaRDPagain.

14. OncetheRDPsessionisconnected,openWindowsExplorerandconfirmthatthec:\tempfolderhasbeencreated.

15. EndtheRDPsessionandterminatetheinstance.

Page 117: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

EXERCISE3.3

ConfirmThatInstanceStoresAreLostWhenanInstanceIsStoppedInthisexercise,youwillobservethatthedataonanAmazonEC2instancestoreislostwhentheinstanceisstopped.

1. LaunchaninstanceintheAmazonManagementConsole.

2. ChoosetheMicrosoftWindowsServer2012BaseAMI.

3. Choosethem3.mediuminstancetype.

4. LaunchtheinstanceineitherthedefaultVPCorEC2-Classic.

5. AssigntheinstanceapublicIPaddress.

6. AddatagtotheinstanceofKey:Name,Value:Exercise3.3.

7. UsetheCertBooksecuritygroupasupdatedinExercise3.2.

8. Launchtheinstance.

9. UsethekeypairfromExercise3.1.

10. DecrypttheadministratorpasswordlogintotheinstanceviaRDP.

11. OncetheRDPsessionisconnected,openWindowsExplorer.

12. Createanewfoldernamedz:\temp.

13. LogoutoftheRDPsession.

14. Intheconsole,setthestateoftheinstancetoStopped.

15. Oncetheinstanceisstopped,startitagain.

16. LogbackintotheinstanceusingRDP.

17. OpenWindowsExplorerandconfirmthatthez:\tempfolderisgone.

18. EndtheRDPsessionandterminatetheinstance.

Page 118: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

EXERCISE3.4

LaunchaSpotInstanceInthisexercise,youwillcreateaSpotInstance.

1. IntheAmazonEC2console,gototheSpotRequestpage.

2. Lookatthepricinghistoryform3.medium,especiallytherecentprice.

3. MakeanoteofthemostrecentpriceandAvailabilityZone.

4. LaunchaninstanceintheAmazonEC2console.

5. ChoosetheAmazonLinuxAMI.

6. Choosethet2.mediuminstancetype.

7. OntheConfigureInstancepage,requestaSpotInstance.

8. LaunchtheinstanceineithertheDefaultVPCorEC2-Classic.(NotetheDefaultVPCwilldefinetheAvailabilityZonefortheinstance.)

9. AssigntheinstanceapublicIPaddress.

10. RequestaSpotInstanceandenterabidafewcentsabovetherecordedSpotprice.

11. Finishlaunchingtheinstance.

12. GobacktotheSpotRequestpage.

Watchyourrequest.Ifyourbidwashighenough,youshouldseeitchangetoActiveandaninstanceIDappear.

13. FindtheinstanceontheinstancespageoftheAmazonEC2console.

NotetheLifecyclefieldintheDescriptionthatsaysSpot.

14. Oncetheinstanceisrunning,terminateit.

Page 119: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

EXERCISE3.5

AccessMetadataInthisexercise,youwillaccesstheinstancemetadatafromtheOS.

1. LaunchaninstanceintheAmazonEC2console.

2. ChoosetheAmazonLinuxAMI.

3. Choosethet2.mediuminstancetype.

4. LaunchtheinstanceineitherthedefaultVPCorEC2-Classic.

5. AssigntheinstanceapublicIPaddress.

6. AddatagtotheinstanceofKey:Name,Value:Exercise3.5.

7. UsetheCertBooksecuritygroup.

8. Launchtheinstance.

9. UsethekeypairfromExercise3.1.

10. ConnecttheinstanceviaSSHusingthepublicIPaddress,theusernameec2-user,andthekeyname.ppkfile.

11. AttheLinuxcommandprompt,retrievealistoftheavailablemetadatabytyping:

curlhttp://169.254.169.254/latest/meta-data/

12. Toseeavalue,addthenametotheendoftheURL.Forexample,toseethesecuritygroups,type:

curlhttp://169.254.169.254/latest/meta-data/security-groups

13. Tryothervaluesaswell.Namesthatendwitha/indicatealongerlistofsub-values.

14. ClosetheSSHwindowandterminatetheinstance.

Page 120: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

EXERCISE3.6

CreateanAmazonEBSVolumeandShowThatItRemainsAftertheInstanceIsTerminatedInthisexercise,youwillseehowanAmazonEBSvolumepersistsbeyondthelifeofaninstance.

1. LaunchaninstanceintheAmazonEC2console.

2. ChoosetheAmazonLinuxAMI.

3. Choosethet2.mediuminstancetype.

4. LaunchtheinstanceineitherthedefaultVPCorEC2-Classic.

5. AssigntheinstanceapublicIPaddress.

6. AddasecondAmazonEBSvolumeofsize50GB.NotethattheRootVolumeissettoDeleteonTermination.

7. AddatagtotheinstanceofKey:Name,Value:Exercise3.6.

8. UsetheCertBooksecuritygroupfromearlierexercises.

9. Launchtheinstance.

10. FindthetwoAmazonEBSvolumesontheAmazonEBSconsole.NamethembothExercise3.6.

11. Terminatetheinstance.

Noticethatthebootdriveisdestroyed,buttheadditionalAmazonEBSvolumeremainsandnowsaysAvailable.DonotdeletetheAvailablevolume.

Page 121: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

EXERCISE3.7

TakeaSnapshotandRestoreThisexerciseguidesyouthroughtakingasnapshotandrestoringitinthreedifferentways.

1. FindthevolumeyoucreatedinExercise3.6intheAmazonEBSconsole.

2. Takeasnapshotofthatvolume.NamethesnapshotExercise3.7.

3. Onthesnapshotconsole,waitforthesnapshottobecompleted.(Asthevolumewasempty,thisshouldbeveryquick.)

4. OnthesnapshotpageintheAWSManagementConsole,choosethenewsnapshotandselectCreateVolume.

5. Createthevolumewithallthedefaults.

6. LocatethesnapshotagainandagainchooseCreateVolume,settingthesizeofthenewvolumeto100GB(takingasnapshotandrestoringthesnapshottoanew,largervolumeishowyouaddresstheproblemofincreasingthesizeofanexistingvolume).LocatethesnapshotagainandchooseCopy.Copythesnapshottoanotherregion.MakethedescriptionExercise3.7.

7. Gototheotherregionandwaitforthesnapshottobecomeavailable.

8. Createavolumefromthesnapshotinthenewregion.ThisishowyoushareanAmazonEBSvolumebetweenregions;thatis,bytakingasnapshotandcopyingthesnapshot.

9. Deleteallfourvolumes.

Page 122: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

EXERCISE3.8

LaunchanEncryptedVolumeInthisexercise,youwilllaunchanAmazonEC2instancewithanencryptedAmazonEBSvolumeandstoresomedataonittoconfirmthattheencryptionistransparenttotheinstanceitself.

1. LaunchaninstanceintheAmazonEC2console.

2. ChoosetheMicrosoftWindowsServer2012BaseAMI.

3. Choosethem3.mediuminstancetype.

4. LaunchtheinstanceineitherthedefaultVPCorEC2-Classic.

5. AssigntheinstanceapublicIPaddress.

6. Onthestoragepage,adda50GBencryptedAmazonEBSvolume.

7. AddatagtotheinstanceofKey:Name,Value:Exercise3.8.

8. UsetheCertBooksecuritygroupasupdatedinExercise3.2.

9. Launchtheinstance.

10. ChoosethekeypairfromExercise3.1.

11. DecrypttheadministratorpasswordandlogintotheinstanceusingRDP.

12. OncetheRDPsessionisconnected,openNotepad.

13. TypesomerandominformationintoNotepad,saveitatd:\testfile.txt,andthencloseNotepad.

14. Findd:\testfile.txtinWindowsExplorerandopenitwithNotepad.ConfirmthatthedataisnotencryptedinNotepad.

15. Logout.

16. Terminatetheinstance.

EXERCISE3.9

DetachaBootDriveandReattachtoAnotherInstanceInthisexercise,youwillpracticeremovinganAmazonEBSvolumefromastoppeddriveandattachingtoanotherinstancetorecoverthedata.

1. LaunchaninstanceintheAmazonEC2console.

2. ChoosetheMicrosoftWindowsServer2012BaseAMI.

3. Choosethet2.mediuminstancetype.

4. LaunchtheinstanceineitherthedefaultVPCorEC2-Classic.

5. AssigntheinstanceapublicIPaddress.

Page 123: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

6. AddatagtotheinstanceofKey:Name,Value:Exercise3.9Source.

7. UsetheCertBooksecuritygroupfromearlierexercises.

8. LaunchtheinstancewiththekeypairfromExercise3.1.

9. LaunchasecondinstanceintheAmazonEC2Console.

10. ChoosetheMicrosoftWindowsServer2012BaseAMI.

11. Choosethet2.mediuminstancetype.

12. LaunchtheinstanceineitherthedefaultVPCorEC2-Classic.

13. AssigntheinstanceapublicIPaddress.

14. AddatagtotheinstanceofKey:Name,Value:Exercise3.9Destination.

15. UsetheCertBooksecuritygroupfromearlierexercises.

16. LaunchtheinstancewiththekeypairyouusedinExercise3.1.

17. Oncebothinstancesarerunning,stopthefirstinstance(Source).MakeanoteoftheinstanceID.

18. GototheAmazonEBSpageintheAmazonEC2consoleandfindthevolumeattachedtotheSourceinstanceviatheinstanceID.Detachtheinstance.

19. WhenthevolumebecomesAvailable,attachtheinstancetothesecondinstance(Destination).

20. LogintotheDestinationinstanceviaRDPusingtheadministratoraccount.

21. Openacommandwindow(cmd.exe).

22. Atthecommandprompt,typethefollowingcommands:

C:\Users\Administrator>diskpart

DISKPART>selectdisk1

DISKPART>onlinedisk

DISKPART>exit

C:\Users\Administrator>dire:

ThevolumeremovedfromthestoppedsourcedrivecannowbereadastheE:driveonthedestinationinstance,soitsdatacanberetrieved.

23. Terminatealltheinstancesandensurethevolumesaredeletedintheprocess.

Page 124: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

ReviewQuestions1. Yourwebapplicationneedsfourinstancestosupportsteadytrafficnearlyallofthetime.Onthelastdayofeachmonth,thetraffictriples.Whatisacost-effectivewaytohandlethistrafficpattern?

A. Run12ReservedInstancesallofthetime.

B. RunfourOn-DemandInstancesconstantly,thenaddeightmoreOn-DemandInstancesonthelastdayofeachmonth.

C. RunfourReservedInstancesconstantly,thenaddeightOn-DemandInstancesonthelastdayofeachmonth.

D. RunfourOn-DemandInstancesconstantly,thenaddeightReservedInstancesonthelastdayofeachmonth.

2. Yourorder-processingapplicationprocessesordersextractedfromaqueuewithtwoReservedInstancesprocessing10orders/minute.Ifanorderfailsduringprocessing,thenitisreturnedtothequeuewithoutpenalty.Duetoaweekendsale,thequeueshaveseveralhundredordersbackedup.Whilethebackupisnotcatastrophic,youwouldliketodrainitsothatcustomersgettheirconfirmationemailsfaster.Whatisacost-effectivewaytodrainthequeuefororders?

A. Createmorequeues.

B. DeployadditionalSpotInstancestoassistinprocessingtheorders.

C. DeployadditionalReservedInstancestoassistinprocessingtheorders.

D. DeployadditionalOn-DemandInstancestoassistinprocessingtheorders.

3. WhichofthefollowingmustbespecifiedwhenlaunchinganewAmazonElasticComputeCloud(AmazonEC2)Windowsinstance?(Choose2answers)

A. TheAmazonEC2instanceID

B. Passwordfortheadministratoraccount

C. AmazonEC2instancetype

D. AmazonMachineImage(AMI)

4. Youhavepurchasedanm3.xlargeLinuxReservedinstanceinus-east-1a.Inwhichwayscanyoumodifythisreservation?(Choose2answers)

A. Changeitintotwom3.largeinstances.

B. ChangeittoaWindowsinstance.

C. Moveittous-east-1b.

D. Changeittoanm4.xlarge.

5. Yourinstanceisassociatedwithtwosecuritygroups.ThefirstallowsRemoteDesktopProtocol(RDP)accessoverport3389fromClasslessInter-DomainRouting(CIDR)block72.14.0.0/16.ThesecondallowsHTTPaccessoverport80fromCIDRblock

Page 125: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

0.0.0.0/0.Whattrafficcanreachyourinstance?

A. RDPandHTTPaccessfromCIDRblock0.0.0.0/0

B. Notrafficisallowed.

C. RDPandHTTPtrafficfrom72.14.0.0/16

D. RDPtrafficoverport3389from72.14.0.0/16andHTTPtrafficoverport80from0.0.00/0

6. Whichofthefollowingarefeaturesofenhancednetworking?(Choose3answers)

A. MorePacketsPerSecond(PPS)

B. Lowerlatency

C. Multiplenetworkinterfaces

D. BorderGatewayProtocol(BGP)routing

E. Lessjitter

7. YouarecreatingaHigh-PerformanceComputing(HPC)clusterandneedverylowlatencyandhighbandwidthbetweeninstances.Whatcombinationofthefollowingwillallowthis?(Choose3answers)

A. Useaninstancetypewith10Gbpsnetworkperformance.

B. Puttheinstancesinaplacementgroup.

C. UseDedicatedInstances.

D. Enableenhancednetworkingontheinstances.

E. UseReservedInstances.

8. WhichAmazonElasticComputeCloud(AmazonEC2)featureensuresthatyourinstanceswillnotshareaphysicalhostwithinstancesfromanyotherAWScustomer?

A. AmazonVirtualPrivateCloud(VPC)

B. Placementgroups

C. DedicatedInstances

D. ReservedInstances

9. Whichofthefollowingaretrueofinstancestores?(Choose2answers)

A. Automaticbackups

B. Dataislostwhentheinstancestops.

C. VeryhighIOPS

D. Chargeisbasedonthetotalamountofstorageprovisioned.

10. WhichofthefollowingarefeaturesofAmazonElasticBlockStore(AmazonEBS)?(Choose2answers)

A. DatastoredonAmazonEBSisautomaticallyreplicatedwithinanAvailabilityZone.

Page 126: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

B. AmazonEBSdataisautomaticallybackeduptotape.

C. AmazonEBSvolumescanbeencryptedtransparentlytoworkloadsontheattachedinstance.

D. DataonanAmazonEBSvolumeislostwhentheattachedinstanceisstopped.

11. YouneedtotakeasnapshotofanAmazonElasticBlockStore(AmazonEBS)volume.Howlongwillthevolumebeunavailable?

A. Itdependsontheprovisionedsizeofthevolume.

B. Thevolumewillbeavailableimmediately.

C. Itdependsontheamountofdatastoredonthevolume.

D. ItdependsonwhethertheattachedinstanceisanAmazonEBS-optimizedinstance.

12. YouarerestoringanAmazonElasticBlockStore(AmazonEBS)volumefromasnapshot.Howlongwillitbebeforethedataisavailable?

A. Itdependsontheprovisionedsizeofthevolume.

B. Thedatawillbeavailableimmediately.

C. Itdependsontheamountofdatastoredonthevolume.

D. ItdependsonwhethertheattachedinstanceisanAmazonEBS-optimizedinstance.

13. Youhaveaworkloadthatrequires15,000consistentIOPSfordatathatmustbedurable.Whatcombinationofthefollowingstepsdoyouneed?(Choose2answers)

A. UseanAmazonElasticBlockStore(AmazonEBS)-optimizedinstance.

B. Useaninstancestore.

C. UseaProvisionedIOPSSSDvolume.

D. Useamagneticvolume.

14. Whichofthefollowingcanbeaccomplishedthroughbootstrapping?

A. Installthemostcurrentsecurityupdates.

B. Installthecurrentversionoftheapplication.

C. ConfigureOperatingSystem(OS)services.

D. Alloftheabove.

15. HowcanyouconnecttoanewLinuxinstanceusingSSH?

A. Decrypttherootpassword.

B. Usingacertificate

C. Usingtheprivatehalfoftheinstance’skeypair

D. UsingMulti-FactorAuthentication(MFA)

16. VMImport/Exportcanimportexistingvirtualmachinesas:(Choose2answers)

A. AmazonElasticBlockStore(AmazonEBS)volumes

Page 127: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

B. AmazonElasticComputeCloud(AmazonEC2)instances

C. AmazonMachineImages(AMIs)

D. Securitygroups

17. WhichofthefollowingcanbeusedtoaddressanAmazonElasticComputeCloud(AmazonEC2)instanceovertheweb?(Choose2answers)

A. Windowsmachinename

B. PublicDNSname

C. AmazonEC2instanceID

D. ElasticIPaddress

18. UsingthecorrectlydecryptedAdministratorpasswordandRDP,youcannotlogintoaWindowsinstanceyoujustlaunched.Whichofthefollowingisapossiblereason?

A. ThereisnosecuritygrouprulethatallowsRDPaccessoverport3389fromyourIPaddress.

B. TheinstanceisaReservedInstance.

C. Theinstanceisnotusingenhancednetworking.

D. TheinstanceisnotanAmazonEBS-optimizedinstance.

19. Youhaveaworkloadthatrequires1TBofdurableblockstorageat1,500IOPSduringnormaluse.EverynightthereisanExtract,Transform,Load(ETL)taskthatrequires3,000IOPSfor15minutes.Whatisthemostappropriatevolumetypeforthisworkload?

A. UseaProvisionedIOPSSSDvolumeat3,000IOPS.

B. Useaninstancestore.

C. Useageneral-purposeSSDvolume.

D. Useamagneticvolume.

20. HowareyoubilledforelasticIPaddresses?

A. Hourlywhentheyareassociatedwithaninstance

B. Hourlywhentheyarenotassociatedwithaninstance

C. Basedonthedatathatflowsthroughthem

D. Basedontheinstancetypetowhichtheyareattached

Page 128: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

Chapter4AmazonVirtualPrivateCloud(AmazonVPC)THEAWSCERTIFIEDSOLUTIONSARCHITECTASSOCIATEEXAMOBJECTIVESCOVEREDINTHISCHAPTERMAYINCLUDE,BUTARENOTLIMITEDTO,THEFOLLOWING:Domain1.0:Designinghighlyavailable,cost-efficient,fault-tolerant,scalablesystems

1.1Identifyandrecognizecloudarchitectureconsiderations,suchasfundamentalcomponentsandeffectivedesigns.

Contentmayincludethefollowing:

Howtodesigncloudservices

Planninganddesign

Familiaritywith:

BestpracticesforAWSarchitecture

Architecturaltrade-offdecisions(forexample,highavailabilityvs.cost,AmazonRelationalDatabaseService[RDS]vs.installingyourowndatabaseonAmazonElasticComputeCloud—EC2)

HybridITarchitectures(forexample,DirectConnect,StorageGateway,VPC,DirectoryServices)

Domain2.0:Implementation/Deployment

2.1IdentifytheappropriatetechniquesandmethodsusingAmazonEC2,AmazonS3,AWSElasticBeanstalk,AWSCloudFormation,AWSOpsWorks,AmazonVirtualPrivateCloud(VPC),andAWSIdentityandAccessManagement(IAM)tocodeandimplementacloudsolution.

Contentmayincludethefollowing:

OperateandextendservicemanagementinahybridITarchitecture

Configureservicestosupportcompliancerequirementsinthecloud

Domain3.0:DataSecurity

3.1Recognizeandimplementsecurepracticesforoptimumclouddeploymentandmaintenance.

Contentmayincludethefollowing:

AWSsecurityattributes(customerworkloadsdowntothephysicallayer)

AmazonVirtualPrivateCloud(VPC)

Ingressvs.egressfiltering,andwhichAWSservicesandfeaturesfit

Page 129: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

“Core”AmazonEC2andS3securityfeaturesets

Incorporatingcommonconventionalsecurityproducts(FirewallandVPNs)

Complexaccesscontrols(buildingsophisticatedsecuritygroups,ACLs,andsoon)

Page 130: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

IntroductionTheAmazonVirtualPrivateCloud(AmazonVPC)isacustom-definedvirtualnetworkwithintheAWSCloud.YoucanprovisionyourownlogicallyisolatedsectionofAWS,similartodesigningandimplementingaseparateindependentnetworkthatwouldoperateinanon-premisesdatacenter.ThischapterexploresthecorecomponentsofAmazonVPCand,intheexercises,youlearnhowtobuildyourownAmazonVPCinthecloud.AstrongunderstandingofAmazonVPCtopologyandtroubleshootingisrequiredtopasstheexam,andwehighlyrecommendthatyoucompletetheexercisesinthischapter.

Page 131: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

AmazonVirtualPrivateCloud(AmazonVPC)AmazonVPCisthenetworkinglayerforAmazonElasticComputeCloud(AmazonEC2),anditallowsyoutobuildyourownvirtualnetworkwithinAWS.YoucontrolvariousaspectsofyourAmazonVPC,includingselectingyourownIPaddressrange;creatingyourownsubnets;andconfiguringyourownroutetables,networkgateways,andsecuritysettings.Withinaregion,youcancreatemultipleAmazonVPCs,andeachAmazonVPCislogicallyisolatedevenifitsharesitsIPaddressspace.

WhenyoucreateanAmazonVPC,youmustspecifytheIPv4addressrangebychoosingaClasslessInter-DomainRouting(CIDR)block,suchas10.0.0.0/16.TheaddressrangeoftheAmazonVPCcannotbechangedaftertheAmazonVPCiscreated.AnAmazonVPCaddressrangemaybeaslargeas/16(65,536availableaddresses)orassmallas/28(16availableaddresses)andshouldnotoverlapanyothernetworkwithwhichtheyaretobeconnected.

TheAmazonVPCservicewasreleasedaftertheAmazonEC2service;becauseofthis,therearetwodifferentnetworkingplatformsavailablewithinAWS:EC2-ClassicandEC2-VPC.AmazonEC2originallylaunchedwithasingle,flatnetworksharedwithotherAWScustomerscalledEC2-Classic.Assuch,AWSaccountscreatedpriortothearrivaloftheAmazonVPCservicecanlaunchinstancesintotheEC2-ClassicnetworkandEC2-VPC.AWSaccountscreatedafterDecember2013onlysupportlaunchinginstancesusingEC2-VPC.AWSaccountsthatsupportEC2-VPCwillhaveadefaultVPCcreatedineachregionwithadefaultsubnetcreatedineachAvailabilityZone.TheassignedCIDRblockoftheVPCwillbe172.31.0.0/16.

Figure4.1illustratesanAmazonVPCwithanaddressspaceof10.0.0.0/16,twosubnetswithdifferentaddressranges(10.0.0.0/24and10.0.1.0/24)placedindifferentAvailabilityZones,andaroutetablewiththelocalroutespecified.

Page 132: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

FIGURE4.1VPC,subnets,andaroutetable

AnAmazonVPCconsistsofthefollowingcomponents:

Subnets

Routetables

DynamicHostConfigurationProtocol(DHCP)optionsets

Securitygroups

NetworkAccessControlLists(ACLs)

AnAmazonVPChasthefollowingoptionalcomponents:

InternetGateways(IGWs)

ElasticIP(EIP)addresses

ElasticNetworkInterfaces(ENIs)

Endpoints

Peering

NetworkAddressTranslation(NATs)instancesandNATgateways

Page 133: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

VirtualPrivateGateway(VPG),CustomerGateways(CGWs),andVirtualPrivateNetworks(VPNs)

Page 134: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

SubnetsAsubnetisasegmentofanAmazonVPC’sIPaddressrangewhereyoucanlaunchAmazonEC2instances,AmazonRelationalDatabaseService(AmazonRDS)databases,andotherAWSresources.CIDRblocksdefinesubnets(forexample,10.0.1.0/24and192.168.0.0/24).Thesmallestsubnetthatyoucancreateisa/28(16IPaddresses).AWSreservesthefirstfourIPaddressesandthelastIPaddressofeverysubnetforinternalnetworkingpurposes.Forexample,asubnetdefinedasa/28has16availableIPaddresses;subtractthe5IPsneededbyAWStoyield11IPaddressesforyourusewithinthesubnet.

AftercreatinganAmazonVPC,youcanaddoneormoresubnetsineachAvailabilityZone.SubnetsresidewithinoneAvailabilityZoneandcannotspanzones.Thisisanimportantpointthatcancomeupintheexam,sorememberthatonesubnetequalsoneAvailabilityZone.Youcan,however,havemultiplesubnetsinoneAvailabilityZone.

Subnetscanbeclassifiedaspublic,private,orVPN-only.Apublicsubnetisoneinwhichtheassociatedroutetable(discussedlater)directsthesubnet’straffictotheAmazonVPC’sIGW(alsodiscussedlater).Aprivatesubnetisoneinwhichtheassociatedroutetabledoesnotdirectthesubnet’straffictotheAmazonVPC’sIGW.AVPN-onlysubnetisoneinwhichtheassociatedroutetabledirectsthesubnet’straffictotheAmazonVPC’sVPG(discussedlater)anddoesnothavearoutetotheIGW.Regardlessofthetypeofsubnet,theinternalIPaddressrangeofthesubnetisalwaysprivate(thatis,non-routableontheInternet).

DefaultAmazonVPCscontainonepublicsubnetineveryAvailabilityZonewithintheregion,withanetmaskof/20.

Page 135: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

RouteTablesAroutetableisalogicalconstructwithinanAmazonVPCthatcontainsasetofrules(calledroutes)thatareappliedtothesubnetandusedtodeterminewherenetworktrafficisdirected.Aroutetable’sroutesarewhatpermitAmazonEC2instanceswithindifferentsubnetswithinanAmazonVPCtocommunicatewitheachother.Youcanmodifyroutetablesandaddyourowncustomroutes.Youcanalsouseroutetablestospecifywhichsubnetsarepublic(bydirectingInternettraffictotheIGW)andwhichsubnetsareprivate(bynothavingaroutethatdirectstraffictotheIGW).

Eachroutetablecontainsadefaultroutecalledthelocalroute,whichenablescommunicationwithintheAmazonVPC,andthisroutecannotbemodifiedorremoved.AdditionalroutescanbeaddedtodirecttraffictoexittheAmazonVPCviatheIGW(discussedlater),theVPG(discussedlater),ortheNATinstance(discussedlater).Intheexercisesattheendofthischapter,youcanpracticehowthisisaccomplished.

Youshouldrememberthefollowingpointsaboutroutetables:

YourVPChasanimplicitrouter.

YourVPCautomaticallycomeswithamainroutetablethatyoucanmodify.

YoucancreateadditionalcustomroutetablesforyourVPC.

Eachsubnetmustbeassociatedwitharoutetable,whichcontrolstheroutingforthesubnet.Ifyoudon’texplicitlyassociateasubnetwithaparticularroutetable,thesubnetusesthemainroutetable.

Youcanreplacethemainroutetablewithacustomtablethatyou’vecreatedsothateachnewsubnetisautomaticallyassociatedwithit.

EachrouteinatablespecifiesadestinationCIDRandatarget;forexample,trafficdestinedfor172.16.0.0/12istargetedfortheVPG.AWSusesthemostspecificroutethatmatchesthetraffictodeterminehowtoroutethetraffic.

Page 136: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

InternetGatewaysAnInternetGateway(IGW)isahorizontallyscaled,redundant,andhighlyavailableAmazonVPCcomponentthatallowscommunicationbetweeninstancesinyourAmazonVPCandtheInternet.AnIGWprovidesatargetinyourAmazonVPCroutetablesforInternet-routabletraffic,anditperformsnetworkaddresstranslationforinstancesthathavebeenassignedpublicIPaddresses.

AmazonEC2instanceswithinanAmazonVPCareonlyawareoftheirprivateIPaddresses.WhentrafficissentfromtheinstancetotheInternet,theIGWtranslatesthereplyaddresstotheinstance’spublicIPaddress(orEIPaddress,coveredlater)andmaintainstheone-to-onemapoftheinstanceprivateIPaddressandpublicIPaddress.WhenaninstancereceivestrafficfromtheInternet,theIGWtranslatesthedestinationaddress(publicIPaddress)totheinstance’sprivateIPaddressandforwardsthetraffictotheAmazonVPC.

YoumustdothefollowingtocreateapublicsubnetwithInternetaccess:

AttachanIGWtoyourAmazonVPC.

Createasubnetroutetableruletosendallnon-localtraffic(0.0.0.0/0)totheIGW.

ConfigureyournetworkACLsandsecuritygrouprulestoallowrelevanttraffictoflowtoandfromyourinstance.

YoumustdothefollowingtoenableanAmazonEC2instancetosendandreceivetrafficfromtheInternet:

AssignapublicIPaddressorEIPaddress.

Youcanscopetheroutetoalldestinationsnotexplicitlyknowntotheroutetable(0.0.0.0/0),oryoucanscopetheroutetoanarrowerrangeofIPaddresses,suchasthepublicIPaddressesofyourcompany’spublicendpointsoutsideofAWSortheEIPaddressesofotherAmazonEC2instancesoutsideyourAmazonVPC.

Figure4.2illustratesanAmazonVPCwithanaddressspaceof10.0.0.0/16,onesubnetwithanaddressrangeof10.0.0.0/24,aroutetable,anattachedIGW,andasingleAmazonEC2instancewithaprivateIPaddressandanEIPaddress.Theroutetablecontainstworoutes:thelocalroutethatpermitsinter-VPCcommunicationandaroutethatsendsallnon-localtraffictotheIGW(igw-id).NotethattheAmazonEC2instancehasapublicIPaddress(EIP=198.51.100.2);thisinstancecanbeaccessedfromtheInternet,andtrafficmayoriginateandreturntothisinstance.

Page 137: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

FIGURE4.2VPC,subnet,routetable,andanInternetgateway

Page 138: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

DynamicHostConfigurationProtocol(DHCP)OptionSetsDynamicHostConfigurationProtocol(DHCP)providesastandardforpassingconfigurationinformationtohostsonaTCP/IPnetwork.TheoptionsfieldofaDHCPmessagecontainstheconfigurationparameters.Someofthoseparametersarethedomainname,domainnameserver,andthenetbios-node-type.

AWSautomaticallycreatesandassociatesaDHCPoptionsetforyourAmazonVPCuponcreationandsetstwooptions:domain-name-servers(defaultedtoAmazonProvidedDNS)anddomain-name(defaultedtothedomainnameforyourregion).AmazonProvidedDNSisanAmazonDomainNameSystem(DNS)server,andthisoptionenablesDNSforinstancesthatneedtocommunicateovertheAmazonVPC’sIGW.

TheDHCPoptionsetselementofanAmazonVPCallowsyoutodirectAmazonEC2hostnameassignmentstoyourownresources.Toassignyourowndomainnametoyourinstances,createacustomDHCPoptionsetandassignittoyourAmazonVPC.YoucanconfigurethefollowingvalueswithinaDHCPoptionset:

domain-name-servers—TheIPaddressesofuptofourdomainnameservers,separatedbycommas.ThedefaultisAmazonProvidedDNS.

domain-name—Specifythedesireddomainnamehere(forexample,mycompany.com).

ntp-servers—TheIPaddressesofuptofourNetworkTimeProtocol(NTP)servers,separatedbycommas

netbios-name-servers—TheIPaddressesofuptofourNetBIOSnameservers,separatedbycommas

netbios-node-type—Setthisvalueto2.

EveryAmazonVPCmusthaveonlyoneDHCPoptionsetassignedtoit.

Page 139: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

ElasticIPAddresses(EIPs)AWSmaintainsapoolofpublicIPaddressesineachregionandmakesthemavailableforyoutoassociatetoresourceswithinyourAmazonVPCs.AnElasticIPAddresses(EIP)isastatic,publicIPaddressinthepoolfortheregionthatyoucanallocatetoyouraccount(pullfromthepool)andrelease(returntothepool).EIPsallowyoutomaintainasetofIPaddressesthatremainfixedwhiletheunderlyinginfrastructuremaychangeovertime.HerearetheimportantpointstounderstandaboutEIPsfortheexam:

YoumustfirstallocateanEIPforusewithinaVPCandthenassignittoaninstance.

EIPsarespecifictoaregion(thatis,anEIPinoneregioncannotbeassignedtoaninstancewithinanAmazonVPCinadifferentregion).

Thereisaone-to-onerelationshipbetweennetworkinterfacesandEIPs.

YoucanmoveEIPsfromoneinstancetoanother,eitherinthesameAmazonVPCoradifferentAmazonVPCwithinthesameregion.

EIPsremainassociatedwithyourAWSaccountuntilyouexplicitlyreleasethem.

TherearechargesforEIPsallocatedtoyouraccount,evenwhentheyarenotassociatedwitharesource.

Page 140: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

ElasticNetworkInterfaces(ENIs)AnElasticNetworkInterface(ENI)isavirtualnetworkinterfacethatyoucanattachtoaninstanceinanAmazonVPC.ENIsareonlyavailablewithinanAmazonVPC,andtheyareassociatedwithasubnetuponcreation.TheycanhaveonepublicIPaddressandmultipleprivateIPaddresses.IftherearemultipleprivateIPaddresses,oneofthemisprimary.AssigningasecondnetworkinterfacetoaninstanceviaanENIallowsittobedual-homed(havenetworkpresenceindifferentsubnets).AnENIcreatedindependentlyofaparticularinstancepersistsregardlessofthelifetimeofanyinstancetowhichitisattached;ifanunderlyinginstancefails,theIPaddressmaybepreservedbyattachingtheENItoareplacementinstance.

ENIsallowyoutocreateamanagementnetwork,usenetworkandsecurityappliancesinyourAmazonVPC,createdual-homedinstanceswithworkloads/rolesondistinctsubnets,orcreatealow-budget,high-availabilitysolution.

Page 141: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

EndpointsAnAmazonVPCendpointenablesyoutocreateaprivateconnectionbetweenyourAmazonVPCandanotherAWSservicewithoutrequiringaccessovertheInternetorthroughaNATinstance,VPNconnection,orAWSDirectConnect.Youcancreatemultipleendpointsforasingleservice,andyoucanusedifferentroutetablestoenforcedifferentaccesspoliciesfromdifferentsubnetstothesameservice.

AmazonVPCendpointscurrentlysupportcommunicationwithAmazonSimpleStorageService(AmazonS3),andotherservicesareexpectedtobeaddedinthefuture.

YoumustdothefollowingtocreateanAmazonVPCendpoint:

SpecifytheAmazonVPC.

Specifytheservice.Aserviceisidentifiedbyaprefixlistoftheformcom.amazonaws.<region>.<service>.

Specifythepolicy.Youcanallowfullaccessorcreateacustompolicy.Thispolicycanbechangedatanytime.

Specifytheroutetables.Aroutewillbeaddedtoeachspecifiedroutetable,whichwillstatetheserviceasthedestinationandtheendpointasthetarget.

Table4.1isanexampleroutetablethathasanexistingroutethatdirectsallInternettraffic(0.0.0.0/0)toanIGW.AnytrafficfromthesubnetthatisdestinedforanotherAWSservice(forexample,AmazonS3orAmazonDynamoDB)willbesenttotheIGWinordertoreachthatservice.

TABLE4.1RouteTablewithanIGWRoutingRule

Destination Target10.0.0.0/16 Local

0.0.0.0/0 igw-1a2b3c4d

Table4.2isanexampleroutetablethathasexistingroutesdirectingallInternettraffictoanIGWandallAmazonS3traffictotheAmazonVPCendpoint.

TABLE4.2RouteTablewithanIGWRoutingRuleandVPCEndpointRule

Destination Target10.0.0.0/16 Local

0.0.0.0/0 igw-1a2b3c4d

pl-1a2b3c4d vpce-11bb22cc

TheroutetabledepictedinTable4.2willdirectanytrafficfromthesubnetthat’sdestinedforAmazonS3inthesameregiontotheendpoint.AllotherInternettrafficgoestoyourIGW,includingtrafficthat’sdestinedforotherservicesandforAmazonS3inotherregions.

Page 142: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

PeeringAnAmazonVPCpeeringconnectionisanetworkingconnectionbetweentwoAmazonVPCsthatenablesinstancesineitherAmazonVPCtocommunicatewitheachotherasiftheyarewithinthesamenetwork.YoucancreateanAmazonVPCpeeringconnectionbetweenyourownAmazonVPCsorwithanAmazonVPCinanotherAWSaccountwithinasingleregion.ApeeringconnectionisneitheragatewaynoranAmazonVPNconnectionanddoesnotintroduceasinglepointoffailureforcommunication.

Peeringconnectionsarecreatedthrougharequest/acceptprotocol.TheowneroftherequestingAmazonVPCsendsarequesttopeertotheownerofthepeerAmazonVPC.IfthepeerAmazonVPCiswithinthesameaccount,itisidentifiedbyitsVPCID.IfthepeerVPCiswithinadifferentaccount,itisidentifiedbyAccountIDandVPCID.TheownerofthepeerAmazonVPChasoneweektoacceptorrejecttherequesttopeerwiththerequestingAmazonVPCbeforethepeeringrequestexpires.

AnAmazonVPCmayhavemultiplepeeringconnections,andpeeringisaone-to-onerelationshipbetweenAmazonVPCs,meaningtwoAmazonVPCscannothavetwopeeringagreementsbetweenthem.Also,peeringconnectionsdonotsupporttransitiverouting.Figure4.3depictstransitiverouting.

FIGURE4.3VPCpeeringconnectionsdonotsupporttransitiverouting

InFigure4.3,VPCAhastwopeeringconnectionswithtwodifferentVPCs:VPCBandVPCC.Therefore,VPCAcancommunicatedirectlywithVPCsBandC.Becausepeeringconnectionsdonotsupporttransitiverouting,VPCAcannotbeatransitpointfortrafficbetweenVPCsBandC.InorderforVPCsBandCtocommunicatewitheachother,apeeringconnectionmustbeexplicitlycreatedbetweenthem.

Herearetheimportantpointstounderstandaboutpeeringfortheexam:

Page 143: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

YoucannotcreateapeeringconnectionbetweenAmazonVPCsthathavematchingoroverlappingCIDRblocks.

YoucannotcreateapeeringconnectionbetweenAmazonVPCsindifferentregions.

AmazonVPCpeeringconnectionsdonotsupporttransitiverouting.

YoucannothavemorethanonepeeringconnectionbetweenthesametwoAmazonVPCsatthesametime.

Page 144: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

SecurityGroupsAsecuritygroupisavirtualstatefulfirewallthatcontrolsinboundandoutboundnetworktraffictoAWSresourcesandAmazonEC2instances.AllAmazonEC2instancesmustbelaunchedintoasecuritygroup.Ifasecuritygroupisnotspecifiedatlaunch,thentheinstancewillbelaunchedintothedefaultsecuritygroupfortheAmazonVPC.Thedefaultsecuritygroupallowscommunicationbetweenallresourceswithinthesecuritygroup,allowsalloutboundtraffic,anddeniesallothertraffic.Youmaychangetherulesforthedefaultsecuritygroup,butyoumaynotdeletethedefaultsecuritygroup.Table4.3describesthesettingsofthedefaultsecuritygroup.

TABLE4.3SecurityGroupRules

Inbound

Source Protocol PortRange

Comments

sg-xxxxxxxx All All Allowinboundtrafficfrominstanceswithinthesamesecuritygroup.

Outbound

Destination Protocol PortRange

Comments

0.0.0.0/0 All All Allowalloutboundtraffic.

Foreachsecuritygroup,youaddrulesthatcontroltheinboundtraffictoinstancesandaseparatesetofrulesthatcontroltheoutboundtraffic.Forexample,Table4.4describesasecuritygroupforwebservers.

Page 145: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

TABLE4.4SecurityGroupRulesforaWebServer

Inbound

Source Protocol PortRange

Comments

0.0.0.0/0 TCP 80 AllowinboundtrafficfromtheInternettoport80.

Yournetwork’spublicIPaddressrange

TCP 22 AllowSecureShell(SSH)trafficfromyourcompanynetwork.

Yournetwork’spublicIPaddressrange

TCP 3389 AllowRemoteDesktopProtocol(RDP)trafficfromyourcompanynetwork.

Outbound

Destination Protocol PortRange

Comments

TheIDofthesecuritygroupforyourMySQLdatabaseservers

TCP 3306 AllowoutboundMySQLaccesstoinstancesinthespecifiedsecuritygroup.

TheIDofthesecuritygroupforyourMicrosoftSQLServerdatabaseservers

TCP 1433 AllowoutboundMicrosoftSQLServeraccesstoinstancesinthespecifiedsecuritygroup.

Herearetheimportantpointstounderstandaboutsecuritygroupsfortheexam:

Youcancreateupto500securitygroupsforeachAmazonVPC.

Youcanaddupto50inboundand50outboundrulestoeachsecuritygroup.Ifyouneedtoapplymorethan100rulestoaninstance,youcanassociateuptofivesecuritygroupswitheachnetworkinterface.

Youcanspecifyallowrules,butnotdenyrules.ThisisanimportantdifferencebetweensecuritygroupsandACLs.

Youcanspecifyseparaterulesforinboundandoutboundtraffic.

Bydefault,noinboundtrafficisalloweduntilyouaddinboundrulestothesecuritygroup.

Bydefault,newsecuritygroupshaveanoutboundrulethatallowsalloutboundtraffic.Youcanremovetheruleandaddoutboundrulesthatallowspecificoutboundtrafficonly.

Securitygroupsarestateful.Thismeansthatresponsestoallowedinboundtrafficareallowedtoflowoutboundregardlessofoutboundrulesandviceversa.ThisisanimportantdifferencebetweensecuritygroupsandnetworkACLs.

Instancesassociatedwiththesamesecuritygroupcan’ttalktoeachotherunlessyouaddrulesallowingit(withtheexceptionbeingthedefaultsecuritygroup).

Youcanchangethesecuritygroupswithwhichaninstanceisassociatedafterlaunch,

Page 146: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

andthechangeswilltakeeffectimmediately.

Page 147: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

NetworkAccessControlLists(ACLs)Anetworkaccesscontrollist(ACL)isanotherlayerofsecuritythatactsasastatelessfirewallonasubnetlevel.AnetworkACLisanumberedlistofrulesthatAWSevaluatesinorder,startingwiththelowestnumberedrule,todeterminewhethertrafficisallowedinoroutofanysubnetassociatedwiththenetworkACL.AmazonVPCsarecreatedwithamodifiabledefaultnetworkACLassociatedwitheverysubnetthatallowsallinboundandoutboundtraffic.WhenyoucreateacustomnetworkACL,itsinitialconfigurationwilldenyallinboundandoutboundtrafficuntilyoucreaterulesthatallowotherwise.YoumaysetupnetworkACLswithrulessimilartoyoursecuritygroupsinordertoaddalayerofsecuritytoyourAmazonVPC,oryoumaychoosetousethedefaultnetworkACLthatdoesnotfiltertraffictraversingthesubnetboundary.Overall,everysubnetmustbeassociatedwithanetworkACL.

Table4.5explainsthedifferencesbetweenasecuritygroupandanetworkACL.YoushouldrememberthefollowingdifferencesbetweensecuritygroupsandnetworkACLsfortheexam.

TABLE4.5ComparisonofSecurityGroupsandNetworkACLs

SecurityGroup NetworkACL

Operatesattheinstancelevel(firstlayerofdefense)

Operatesatthesubnetlevel(secondlayerofdefense)

Supportsallowrulesonly Supportsallowrulesanddenyrules

Stateful:Returntrafficisautomaticallyallowed,regardlessofanyrules

Stateless:Returntrafficmustbeexplicitlyallowedbyrules.

AWSevaluatesallrulesbeforedecidingwhethertoallowtraffic

AWSprocessesrulesinnumberorderwhendecidingwhethertoallowtraffic.

Appliedselectivelytoindividualinstances

Automaticallyappliedtoallinstancesintheassociatedsubnets;thisisabackuplayerofdefense,soyoudon’thavetorelyonsomeonespecifyingthesecuritygroup.

Page 148: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

NetworkAddressTranslation(NAT)InstancesandNATGatewaysBydefault,anyinstancethatyoulaunchintoaprivatesubnetinanAmazonVPCisnotabletocommunicatewiththeInternetthroughtheIGW.ThisisproblematiciftheinstanceswithinprivatesubnetsneeddirectaccesstotheInternetfromtheAmazonVPCinordertoapplysecurityupdates,downloadpatches,orupdateapplicationsoftware.AWSprovidesNATinstancesandNATgatewaystoallowinstancesdeployedinprivatesubnetstogainInternetaccess.Forcommonusecases,werecommendthatyouuseaNATgatewayinsteadofaNATinstance.TheNATgatewayprovidesbetteravailabilityandhigherbandwidth,andrequireslessadministrativeeffortthanNATinstances.

NATInstanceAnetworkaddresstranslation(NAT)instanceisanAmazonLinuxAmazonMachineImage(AMI)thatisdesignedtoaccepttrafficfrominstanceswithinaprivatesubnet,translatethesourceIPaddresstothepublicIPaddressoftheNATinstance,andforwardthetraffictotheIGW.Inaddition,theNATinstancemaintainsthestateoftheforwardedtrafficinordertoreturnresponsetrafficfromtheInternettotheproperinstanceintheprivatesubnet.Theseinstanceshavethestringamzn-ami-vpc-natintheirnames,whichissearchableintheAmazonEC2console.

ToallowinstanceswithinaprivatesubnettoaccessInternetresourcesthroughtheIGWviaaNATinstance,youmustdothefollowing:

CreateasecuritygroupfortheNATwithoutboundrulesthatspecifytheneededInternetresourcesbyport,protocol,andIPaddress.

LaunchanAmazonLinuxNATAMIasaninstanceinapublicsubnetandassociateitwiththeNATsecuritygroup.

DisabletheSource/DestinationCheckattributeoftheNAT.

ConfiguretheroutetableassociatedwithaprivatesubnettodirectInternet-boundtraffictotheNATinstance(forexample,i-1a2b3c4d).

AllocateanEIPandassociateitwiththeNATinstance.

ThisconfigurationallowsinstancesinprivatesubnetstosendoutboundInternetcommunication,butitpreventstheinstancesfromreceivinginboundtrafficinitiatedbysomeoneontheInternet.

NATGatewayANATgatewayisanAmazonmanagedresourcethatisdesignedtooperatejustlikeaNATinstance,butitissimplertomanageandhighlyavailablewithinanAvailabilityZone.

ToallowinstanceswithinaprivatesubnettoaccessInternetresourcesthroughtheIGWviaaNATgateway,youmustdothefollowing:

ConfiguretheroutetableassociatedwiththeprivatesubnettodirectInternet-bound

Page 149: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

traffictotheNATgateway(forexample,nat-1a2b3c4d).

AllocateanEIPandassociateitwiththeNATgateway.

LikeaNATinstance,thismanagedserviceallowsoutboundInternetcommunicationandpreventstheinstancesfromreceivinginboundtrafficinitiatedbysomeoneontheInternet.

TocreateanAvailabilityZone-independentarchitecture,createaNATgatewayineachAvailabilityZoneandconfigureyourroutingtoensurethatresourcesusetheNATgatewayinthesameAvailabilityZone.

TheexerciseswilldemonstratehowaNATgatewayworks.

Page 150: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

VirtualPrivateGateways(VPGs),CustomerGateways(CGWs),andVirtualPrivateNetworks(VPNs)YoucanconnectanexistingdatacentertoAmazonVPCusingeitherhardwareorsoftwareVPNconnections,whichwillmakeAmazonVPCanextensionofthedatacenter.AmazonVPCofferstwowaystoconnectacorporatenetworktoaVPC:VPGandCGW.

Avirtualprivategateway(VPG)isthevirtualprivatenetwork(VPN)concentratorontheAWSsideoftheVPNconnectionbetweenthetwonetworks.Acustomergateway(CGW)representsaphysicaldeviceorasoftwareapplicationonthecustomer’ssideoftheVPNconnection.AfterthesetwoelementsofanAmazonVPChavebeencreated,thelaststepistocreateaVPNtunnel.TheVPNtunnelisestablishedaftertrafficisgeneratedfromthecustomer’ssideoftheVPNconnection.Figure4.4illustratesasingleVPNconnectionbetweenacorporatenetworkandanAmazonVPC.

FIGURE4.4VPCwithVPNconnectiontoacustomernetwork

YoumustspecifythetypeofroutingthatyouplantousewhenyoucreateaVPNconnection.IftheCGWsupportsBorderGatewayProtocol(BGP),thenconfiguretheVPNconnectionfordynamicrouting.Otherwise,configuretheconnectionsforstaticrouting.Ifyouwillbeusingstaticrouting,youmustentertheroutesforyournetworkthatshouldbecommunicatedtotheVPG.RouteswillbepropagatedtotheAmazonVPCtoallowyourresourcestoroutenetworktrafficbacktothecorporatenetworkthroughtheVGWandacrosstheVPNtunnel.

AmazonVPCalsosupportsmultipleCGWs,eachhavingaVPNconnectiontoasingleVPG(many-to-onedesign).Inordertosupportthistopology,theCGWIPaddressesmustbeuniquewithintheregion.

Page 151: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

AmazonVPCwillprovidetheinformationneededbythenetworkadministratortoconfiguretheCGWandestablishtheVPNconnectionwiththeVPG.TheVPNconnectionconsistsoftwoInternetProtocolSecurity(IPSec)tunnelsforhigheravailabilitytotheAmazonVPC.

FollowingaretheimportantpointstounderstandaboutVPGs,CGWs,andVPNsfortheexam:

TheVPGistheAWSendoftheVPNtunnel.

TheCGWisahardwareorsoftwareapplicationonthecustomer’ssideoftheVPNtunnel.

YoumustinitiatetheVPNtunnelfromtheCGWtotheVPG.

VPGssupportbothdynamicroutingwithBGPandstaticrouting.

TheVPNconnectionconsistsoftwotunnelsforhigheravailabilitytotheVPC.

Page 152: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

SummaryInthischapter,youlearnedthatAmazonVPCisthenetworkinglayerforAmazonEC2,anditallowsyoutocreateyourownprivatevirtualnetworkwithinthecloud.YoucanprovisionyourownlogicallyisolatedsectionofAWSsimilartodesigningandimplementingaseparateindependentnetworkthatyou’doperateinaphysicaldatacenter.

AVPCconsistsofthefollowingcomponents:

Subnets

Routetables

DHCPoptionsets

Securitygroups

NetworkACLs

AVPChasthefollowingoptionalcomponents:

IGWs

EIPaddresses

Endpoints

Peering

NATinstanceandNATgateway

VPG,CGW,andVPN

Subnetscanbepublic,private,orVPN-only.Apublicsubnetisoneinwhichtheassociatedroutetabledirectsthesubnet’straffictotheAmazonVPC’sIGW.Aprivatesubnetisoneinwhichtheassociatedroutetabledoesnotdirectthesubnet’straffictotheAmazonVPC’sIGW.AVPN-onlysubnetisoneinwhichtheassociatedroutetabledirectsthesubnet’straffictotheAmazonVPC’sVPGanddoesnothavearoutetotheIGW.Regardlessofthetypeofsubnet,theinternalIPaddressrangeofthesubnetisalwaysprivate(non-routableontheInternet).

AroutetableisalogicalconstructwithinanAmazonVPCthatcontainsasetofrules(calledroutes)thatareappliedtothesubnetandusedtodeterminewherenetworktrafficisdirected.Aroutetable’sroutesarewhatpermitAmazonEC2instanceswithindifferentsubnetswithinanAmazonVPCtocommunicatewitheachother.Youcanmodifyroutetablesandaddyourowncustomroutes.Youcanalsouseroutetablestospecifywhichsubnetsarepublic(bydirectingInternettraffictotheIGW)andwhichsubnetsareprivate(bynothavingaroutethatdirectstraffictotheIGW).AnIGWisahorizontallyscaled,redundant,andhighlyavailableAmazonVPCcomponentthatallowscommunicationbetweeninstancesinyourAmazonVPCandtheInternet.IGWsarefullyredundantandhavenobandwidthconstraints.AnIGWprovidesatargetinyourAmazonVPCroutetablesforInternet-routabletraffic,anditperformsnetworkaddresstranslationforinstancesthathavebeenassignedpublicIPaddresses.

TheDHCPoptionsetselementofanAmazonVPCallowsyoutodirectAmazonEC2host

Page 153: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

nameassignmenttoyourownresources.Inorderforyoutoassignyourowndomainnametoyourinstances,youcreateacustomDHCPoptionsetandassignittoyourAmazonVPC.

AnEIPaddressisastatic,publicIPaddressinthepoolfortheregionthatyoucanallocatetoyouraccount(pullfromthepool)andrelease(returntothepool).EIPsallowyoutomaintainasetofIPaddressesthatremainfixedwhiletheunderlyinginfrastructuremaychangeovertime.

AnAmazonVPCendpointenablesyoutocreateaprivateconnectionbetweenyourAmazonVPCandanotherAWSservicewithoutrequiringaccessovertheInternetorthroughaNATinstance,VPNconnection,orAWSDirectConnect.Youcancreatemultipleendpointsforasingleservice,andyoucanusedifferentroutetablestoenforcedifferentaccesspoliciesfromdifferentsubnetstothesameservice.

AnAmazonVPCpeeringconnectionisanetworkingconnectionbetweentwoAmazonVPCsthatenablesinstancesineitherAmazonVPCtocommunicatewitheachotherasiftheywerewithinthesamenetwork.YoucancreateanAmazonVPCpeeringconnectionbetweenyourownAmazonVPCsorwithanAmazonVPCinanotherAWSaccountwithinasingleregion.ApeeringconnectionisneitheragatewaynoraVPNconnectionanddoesnotintroduceasinglepointoffailureforcommunication.

AsecuritygroupisavirtualstatefulfirewallthatcontrolsinboundandoutboundtraffictoAmazonEC2instances.WhenyoufirstlaunchanAmazonEC2instanceintoanAmazonVPC,youmustspecifythesecuritygroupwithwhichitwillbeassociated.AWSprovidesadefaultsecuritygroupforyouruse,whichhasrulesthatallowallinstancesassociatedwiththesecuritygrouptocommunicatewitheachotherandallowalloutboundtraffic.Youmaychangetherulesforthedefaultsecuritygroup,butyoumaynotdeletethedefaultsecuritygroup.

AnetworkACLisanotherlayerofsecuritythatactsasastatelessfirewallonasubnetlevel.AmazonVPCsarecreatedwithamodifiabledefaultnetworkACLassociatedwitheverysubnetthatallowsallinboundandoutboundtraffic.IfyouwanttocreateacustomnetworkACL,itsinitialconfigurationwilldenyallinboundandoutboundtrafficuntilyoucreatearulethatstatesotherwise.

ANATinstanceisacustomer-managedinstancethatisdesignedtoaccepttrafficfrominstanceswithinaprivatesubnet,translatethesourceIPaddresstothepublicIPaddressoftheNATinstance,andforwardthetraffictotheIGW.Inaddition,theNATinstancemaintainsthestateoftheforwardedtrafficinordertoreturnresponsetrafficfromtheInternettotheproperinstanceintheprivatesubnet.

ANATgatewayisanAWS-managedservicethatisdesignedtoaccepttrafficfrominstanceswithinaprivatesubnet,translatethesourceIPaddresstothepublicIPaddressoftheNATgateway,andforwardthetraffictotheIGW.Inaddition,theNATgatewaymaintainsthestateoftheforwardedtrafficinordertoreturnresponsetrafficfromtheInternettotheproperinstanceintheprivatesubnet.

AVPGistheVPNconcentratorontheAWSsideoftheVPNconnectionbetweenthetwonetworks.ACGWisaphysicaldeviceorasoftwareapplicationonthecustomer’ssideoftheVPNconnection.AfterthesetwoelementsofanAmazonVPChavebeencreated,thelaststepistocreateaVPNtunnel.TheVPNtunnelisestablishedaftertrafficisgeneratedfromthe

Page 154: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

customer’ssideoftheVPNconnection.

Page 155: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

ExamEssentialsUnderstandwhataVPCisanditscoreandoptionalcomponents.AnAmazonVPCisalogicallyisolatednetworkintheAWSCloud.AnAmazonVPCismadeupofthefollowingcoreelements:subnets(public,private,andVPN-only),routetables,DHCPoptionsets,securitygroups,andnetworkACLs.OptionalelementsincludeanIGW,EIPaddresses,endpoints,peeringconnections,NATinstances,VPGs,CGWs,andVPNconnections.

Understandthepurposeofasubnet.AsubnetisasegmentofanAmazonVPC’sIPaddressrangewhereyoucanplacegroupsofisolatedresources.SubnetsaredefinedbyCIDRblocks—forexample,10.0.1.0/24and10.0.2.0/24—andarecontainedwithinanAvailabilityZone.

Identifythedifferencebetweenapublicsubnet,aprivatesubnet,andaVPN-Onlysubnet.Ifasubnet’strafficisroutedtoanIGW,thesubnetisknownasapublicsubnet.Ifasubnetdoesn’thavearoutetotheIGW,thesubnetisknownasaprivatesubnet.Ifasubnetdoesn’thavearoutetotheIGW,buthasitstrafficroutedtoaVPG,thesubnetisknownasaVPN-onlysubnet.

Understandthepurposeofaroutetable.Aroutetableisasetofrules(calledroutes)thatareusedtodeterminewherenetworktrafficisdirected.AroutetableallowsAmazonEC2instanceswithindifferentsubnetstocommunicatewitheachother(withinthesameAmazonVPC).TheAmazonVPCrouteralsoenablessubnets,IGWs,andVPGstocommunicatewitheachother.

UnderstandthepurposeofanIGW.AnIGWisahorizontallyscaled,redundant,andhighlyavailableAmazonVPCcomponentthatallowscommunicationbetweeninstancesinyourAmazonVPCandtheInternet.IGWsarefullyredundantandhavenobandwidthconstraints.AnIGWprovidesatargetinyourAmazonVPCroutetablesforInternet-routabletrafficandperformsnetworkaddresstranslationforinstancesthathavebeenassignedpublicIPaddresses.

UnderstandwhatDHCPoptionsetsprovidetoanAmazonVPC.TheDHCPoptionsetselementofanAmazonVPCallowsyoutodirectAmazonEC2hostnameassignmenttoyourownresources.YoucanspecifythedomainnameforinstanceswithinanAmazonVPCandidentifytheIPaddressesofcustomDNSservers,NTPservers,andNetBIOSservers.

KnowthedifferencebetweenanAmazonVPCpublicIPaddressandanEIPaddress.ApublicIPaddressisanAWS-ownedIPthatcanbeautomaticallyassignedtoinstanceslaunchedwithinasubnet.AnEIPaddressisanAWS-ownedpublicIPaddressthatyouallocatetoyouraccountandassigntoinstancesornetworkinterfacesondemand.

UnderstandwhatendpointsprovidetoanAmazonVPC.AnAmazonVPCendpointenablesyoutocreateaprivateconnectionbetweenyourAmazonVPCandanotherAWSservicewithoutrequiringaccessovertheInternetorthroughaNATinstance,aVPNconnection,orAWSDirectConnect.Endpointssupportserviceswithintheregiononly.

UnderstandAmazonVPCpeering.AnAmazonVPCpeeringconnectionisanetworkingconnectionbetweentwoAmazonVPCsthatenablesinstancesineitherAmazonVPCtocommunicatewitheachotherasiftheyarewithinthesamenetwork.Peeringconnections

Page 156: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

arecreatedthrougharequest/acceptprotocol.Transitivepeeringisnotsupported,andpeeringisonlyavailablebetweenAmazonVPCswithinthesameregion.

KnowthedifferencebetweenasecuritygroupandanetworkACL.Asecuritygroupappliesattheinstancelevel.Youcanhavemultipleinstancesinmultiplesubnetsthataremembersofthesamesecuritygroups.Securitygroupsarestateful,whichmeansthatreturntrafficisautomaticallyallowed,regardlessofanyoutboundrules.AnetworkACLisappliedonasubnetlevel,andtrafficisstateless.YouneedtoallowbothinboundandoutboundtrafficonthenetworkACLinorderforAmazonEC2instancesinasubnettobeabletocommunicateoveraparticularprotocol.

UnderstandwhataNATprovidestoanAmazonVPC.ANATinstanceorNATgatewayenablesinstancesinaprivatesubnettoinitiateoutboundtraffictotheInternet.ThisallowsoutboundInternetcommunicationtodownloadpatchesandupdates,forexample,butpreventstheinstancesfromreceivinginboundtrafficinitiatedbysomeoneontheInternet.

UnderstandthecomponentsneededtoestablishaVPNconnectionfromanetworktoanAmazonVPC.AVPGistheVPNconcentratorontheAWSsideoftheVPNconnectionbetweenthetwonetworks.ACGWrepresentsaphysicaldeviceorasoftwareapplicationonthecustomer’ssideoftheVPNconnection.TheVPNconnectionmustbeinitiatedfromtheCGWside,andtheconnectionconsistsoftwoIPSectunnels.

Page 157: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

ExercisesThebestwaytobecomefamiliarwithAmazonVPCistobuildyourowncustomAmazonVPCandthendeployAmazonEC2instancesintoit,whichiswhatyou’llbedoinginthissection.YoushouldrepeattheseexercisesuntilyoucancreateanddecommissionAmazonVPCswithconfidence.

Forassistancecompletingtheseexercises,refertotheAmazonVPCUserGuidelocatedathttp://aws.amazon.com/documentation/vpc/.

EXERCISE4.1

CreateaCustomAmazonVPC1. SignintotheAWSManagementConsoleasanadministratororpoweruser.

2. SelecttheAmazonVPCicontolaunchtheAmazonVPCDashboard.

3. CreateanAmazonVPCwithaCIDRblockequalto192.168.0.0/16,anametagofMyFirstVPC,anddefaulttenancy.

YouhavecreatedyourfirstcustomVPC.

EXERCISE4.2

CreateTwoSubnetsforYourCustomAmazonVPC1. CreateasubnetwithaCIDRblockequalto192.168.1.0/24andanametagofMy

FirstPublicSubnet.CreatethesubnetintheAmazonVPCfromExercise4.1,andspecifyanAvailabilityZoneforthesubnet(forexample,US-East-1a).

2. CreateasubnetwithaCIDRblockequalto192.168.2.0/24andanametagofMyFirstPrivateSubnet.CreatethesubnetintheAmazonVPCfromExercise4.1,andspecifyadifferentAvailabilityZoneforthesubnetthanpreviouslyspecified(forexample,US-East-1b).

Youhavenowcreatedtwonewsubnets,eachinitsownAvailabilityZone.It’simportanttorememberthatonesubnetequalsoneAvailabilityZone.YoucannotstretchasubnetacrossmultipleAvailabilityZones.

Page 158: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

EXERCISE4.3

ConnectYourCustomAmazonVPCtotheInternetandEstablishRoutingForassistancewiththisexercise,refertotheAmazonEC2keypairdocumentationat:http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html

Foradditionalassistancewiththisexercise,refertotheNATinstancesdocumentationat:http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_NAT_Instance

.html#NATInstance

1. CreateanAmazonEC2keypairinthesameregionasyourcustomAmazonVPC.

2. CreateanIGWwithanametagofMyFirstIGWandattachittoyourcustomAmazonVPC.

3. AddaroutetothemainroutetableforyourcustomAmazonVPCthatdirectsInternettraffic(0.0.0.0/0)totheIGW.

4. CreateaNATgateway,placeitinthepublicsubnetofyourcustomAmazonVPC,andassignitanEIP.

5. CreateanewroutetablewithanametagofMyFirstPrivateRouteTableandplaceitwithinyourcustomAmazonVPC.AddaroutetoitthatdirectsInternettraffic(0.0.0.0/0)totheNATgatewayandassociateitwiththeprivatesubnet.

YouhavenowcreatedaconnectiontotheInternetforresourceswithinyourAmazonVPC.YouestablishedroutingrulesthatdirectInternettraffictotheIGWregardlessoftheoriginatingsubnet.

Page 159: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

EXERCISE4.4

LaunchanAmazonEC2InstanceandTesttheConnectiontotheInternet1. Launchat2.microAmazonLinuxAMIasanAmazonEC2instanceintothepublicsubnetofyourcustomAmazonVPC,giveitanametagofMyFirstPublicInstance,andselectthenewly-createdkeypairforsecureaccesstotheinstance.

2. SecurelyaccesstheAmazonEC2instanceinthepublicsubnetviaSSHwiththenewly-createdkeypair.

3. Executeanupdatetotheoperatingsysteminstancelibrariesbyexecutingthefollowingcommand:

#sudoyumupdate-y

4. YoushouldseeoutputshowingtheinstancedownloadingsoftwarefromtheInternetandinstallingit.

YouhavenowprovisionedanAmazonEC2instanceinapublicsubnet.YoucanapplypatchestotheAmazonEC2instanceinthepublicsubnet,andyouhavedemonstratedconnectivitytotheInternet.

Page 160: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

ReviewQuestions1. WhatistheminimumsizesubnetthatyoucanhaveinanAmazonVPC?

A. /24

B. /26

C. /28

D. /30

2. YouareasolutionsarchitectworkingforalargetravelcompanythatismigratingitsexistingserverestatetoAWS.YouhaverecommendedthattheyuseacustomAmazonVPC,andtheyhaveagreedtoproceed.Theywillneedapublicsubnetfortheirwebserversandaprivatesubnetinwhichtoplacetheirdatabases.Theyalsorequirethatthewebserversanddatabaseserversbehighlyavailableandthattherebeaminimumoftwowebserversandtwodatabaseserverseach.Howmanysubnetsshouldyouhavetomaintainhighavailability?

A. 2

B. 3

C. 4

D. 1

3. WhichofthefollowingisanoptionalsecuritycontrolthatcanbeappliedatthesubnetlayerofaVPC?

A. NetworkACL

B. SecurityGroup

C. Firewall

D. Webapplicationfirewall

4. WhatisthemaximumsizeIPaddressrangethatyoucanhaveinanAmazonVPC?

A. /16

B. /24

C. /28

D. /30

5. YoucreateanewsubnetandthenaddaroutetoyourroutetablethatroutestrafficoutfromthatsubnettotheInternetusinganIGW.Whattypeofsubnethaveyoucreated?

A. Aninternalsubnet

B. Aprivatesubnet

C. Anexternalsubnet

D. Apublicsubnet

Page 161: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

6. WhathappenswhenyoucreateanewAmazonVPC?

A. Amainroutetableiscreatedbydefault.

B. Threesubnetsarecreatedbydefault—oneforeachAvailabilityZone.

C. ThreesubnetsarecreatedbydefaultinoneAvailabilityZone.

D. AnIGWiscreatedbydefault.

7. YoucreateanewVPCinUS-East-1andprovisionthreesubnetsinsidethisAmazonVPC.Whichofthefollowingstatementsistrue?

A. Bydefault,thesesubnetswillnotbeabletocommunicatewitheachother;youwillneedtocreateroutes.

B. Allsubnetsarepublicbydefault.

C. Allsubnetswillbeabletocommunicatewitheachotherbydefault.

D. EachsubnetwillhaveidenticalCIDRblocks.

8. HowmanyIGWscanyouattachtoanAmazonVPCatanyonetime?

A. 1

B. 2

C. 3

D. 4

9. WhataspectofanAmazonVPCisstateful?

A. NetworkACLs

B. Securitygroups

C. AmazonDynamoDB

D. AmazonS3

10. YouhavecreatedacustomAmazonVPCwithbothprivateandpublicsubnets.YouhavecreatedaNATinstanceanddeployedthisinstancetoapublicsubnet.YouhaveattachedanEIPaddressandaddedyourNATtotheroutetable.Unfortunately,instancesinyourprivatesubnetstillcannotaccesstheInternet.Whatmaybethecauseofthis?

A. YourNATisinapublicsubnet,butitneedstobeinaprivatesubnet.

B. YourNATshouldbebehindanElasticLoadBalancer.

C. Youshoulddisablesource/destinationchecksontheNAT.

D. YourNAThasbeendeployedonaWindowsinstance,butyourotherinstancesareLinux.YoushouldredeploytheNATontoaLinuxinstance.

11. WhichofthefollowingwilloccurwhenanAmazonElasticBlockStore(AmazonEBS)-backedAmazonEC2instanceinanAmazonVPCwithanassociatedEIPisstoppedandstarted?(Choose2answers)

A. TheEIPwillbedissociatedfromtheinstance.

Page 162: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

B. Alldataoninstance-storedeviceswillbelost.

C. AlldataonAmazonEBSdeviceswillbelost.

D. TheENIisdetached.

E. Theunderlyinghostfortheinstanceischanged.

12. HowmanyVPCPeeringconnectionsarerequiredforfourVPCslocatedwithinthesameAWSregiontobeabletosendtraffictoeachoftheothers?

A. 3

B. 4

C. 5

D. 6

13. WhichofthefollowingAWSresourceswouldyouuseinorderforanEC2-VPCinstancetoresolveDNSnamesoutsideofAWS?

A. AVPCpeeringconnection

B. ADHCPoptionset

C. Aroutingrule

D. AnIGW

14. WhichofthefollowingistheAmazonsideofanAmazonVPNconnection?

A. AnEIP

B. ACGW

C. AnIGW

D. AVPG

15. WhatisthedefaultlimitforthenumberofAmazonVPCsthatacustomermayhaveinaregion?

A. 5

B. 6

C. 7

D. ThereisnodefaultmaximumnumberofVPCswithinaregion.

16. Youareresponsibleforyourcompany’sAWSresources,andyounoticeasignificantamountoftrafficfromanIPaddressinaforeigncountryinwhichyourcompanydoesnothavecustomers.FurtherinvestigationofthetrafficindicatesthesourceofthetrafficisscanningforopenportsonyourEC2-VPCinstances.Whichoneofthefollowingresourcescandenythetrafficfromreachingtheinstances?

A. Securitygroup

B. NetworkACL

C. NATinstance

Page 163: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

D. AnAmazonVPCendpoint

17. WhichofthefollowingisthesecurityprotocolsupportedbyAmazonVPC?

A. SSH

B. AdvancedEncryptionStandard(AES)

C. Point-to-PointTunnelingProtocol(PPTP)

D. IPsec

18. WhichofthefollowingAmazonVPCresourceswouldyouuseinorderforEC2-VPCinstancestosendtrafficdirectlytoAmazonS3?

A. AmazonS3gateway

B. IGW

C. CGW

D. VPCendpoint

19. WhatpropertiesofanAmazonVPCmustbespecifiedatthetimeofcreation?(Choose2answers)

A. TheCIDRblockrepresentingtheIPaddressrange

B. OneormoresubnetsfortheAmazonVPC

C. TheregionfortheAmazonVPC

D. AmazonVPCPeeringrelationships

20. WhichAmazonVPCfeatureallowsyoutocreateadual-homedinstance?

A. EIPaddress

B. ENI

C. Securitygroups

D. CGW

Page 164: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

Chapter5ElasticLoadBalancing,AmazonCloudWatch,andAutoScalingTHEAWSCERTIFIEDSOLUTIONSARCHITECTEXAMTOPICSCOVEREDINTHISCHAPTERMAYINCLUDE,BUTARENOTLIMITEDTO,THEFOLLOWING:Domain1.0:Designinghighlyavailable,cost-effective,fault-tolerant,scalablesystems

1.1Identifyandrecognizecloudarchitectureconsiderations,suchasfundamentalcomponentsandeffectivedesigns.

Elasticityandscalability

Domain2.0:Implementation/Deployment

2.1IdentifytheappropriatetechniquesandmethodsusingAmazonElasticComputeCloud(AmazonEC2),AmazonSimpleStorageService(AmazonS3),AWSElasticBeanstalk,AWSCloudFormation,AWSOpsWorks,AmazonVirtualPrivateCloud(AmazonVPC),andAWSIdentityandAccessManagement(IAM)tocodeandimplementacloudsolution.

Contentmayincludethefollowing:

LaunchinstancesacrosstheAWSglobalinfrastructure

Domain3.0:DataSecurity

3.1Recognizeandimplementsecurepracticesforoptimumclouddeploymentandmaintenance.

CloudWatchLogs

Domain4.0:Troubleshooting

Contentmayincludethefollowing:

Generaltroubleshootinginformationandquestions

Page 165: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

IntroductionInthischapter,youwilllearnhowElasticLoadBalancing,AmazonCloudWatch,andAutoScalingworkbothindependentlyandtogethertohelpyouefficientlyandcost-effectivelydeployhighlyavailableandoptimizedworkloadsonAWS.

ElasticLoadBalancingisahighlyavailableservicethatdistributestrafficacrossAmazonElasticComputeCloud(AmazonEC2)instancesandincludesoptionsthatprovideflexibilityandcontrolofincomingrequeststoAmazonEC2instances.

AmazonCloudWatchisaservicethatmonitorsAWSCloudresourcesandapplicationsrunningonAWS.Itcollectsandtracksmetrics,collectsandmonitorslogfiles,andsetsalarms.AmazonCloudWatchhasabasiclevelofmonitoringfornocostandamoredetailedlevelofmonitoringforanadditionalcost.

AutoScalingisaservicethatallowsyoutomaintaintheavailabilityofyourapplicationsbyscalingAmazonEC2capacityupordowninaccordancewithconditionsyouset.

Thischaptercoversallthreeservicesseparately,butitalsohighlightshowtheycanworktogethertobuildmorerobustandhighlyavailablearchitecturesonAWS.

Page 166: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

ElasticLoadBalancingAnadvantageofhavingaccesstoalargenumberofserversinthecloud,suchasAmazonEC2instancesonAWS,istheabilitytoprovideamoreconsistentexperiencefortheenduser.Onewaytoensureconsistencyistobalancetherequestloadacrossmorethanoneserver.AloadbalancerisamechanismthatautomaticallydistributestrafficacrossmultipleAmazonEC2instances.YoucaneithermanageyourownvirtualloadbalancersonAmazonEC2instancesorleverageanAWSCloudservicecalledElasticLoadBalancing,whichprovidesamanagedloadbalancerforyou.

TheElasticLoadBalancingserviceallowsyoutodistributetrafficacrossagroupofAmazonEC2instancesinoneormoreAvailabilityZones,enablingyoutoachievehighavailabilityinyourapplications.ElasticLoadBalancingsupportsroutingandloadbalancingofHypertextTransferProtocol(HTTP),HypertextTransferProtocolSecure(HTTPS),TransmissionControlProtocol(TCP),andSecureSocketsLayer(SSL)traffictoAmazonEC2instances.ElasticLoadBalancingprovidesastable,singleCanonicalNamerecord(CNAME)entrypointforDomainNameSystem(DNS)configurationandsupportsbothInternet-facingandinternalapplication-facingloadbalancers.ElasticLoadBalancingsupportshealthchecksforAmazonEC2instancestoensuretrafficisnotroutedtounhealthyorfailinginstances.Also,ElasticLoadBalancingcanautomaticallyscalebasedoncollectedmetrics.

ThereareseveraladvantagesofusingElasticLoadBalancing.BecauseElasticLoadBalancingisamanagedservice,itscalesinandoutautomaticallytomeetthedemandsofincreasedapplicationtrafficandishighlyavailablewithinaregionitselfasaservice.ElasticLoadBalancinghelpsyouachievehighavailabilityforyourapplicationsbydistributingtrafficacrosshealthyinstancesinmultipleAvailabilityZones.Additionally,ElasticLoadBalancingseamlesslyintegrateswiththeAutoScalingservicetoautomaticallyscaletheAmazonEC2instancesbehindtheloadbalancer.Finally,ElasticLoadBalancingissecure,workingwithAmazonVirtualPrivateCloud(AmazonVPC)toroutetrafficinternallybetweenapplicationtiers,allowingyoutoexposeonlyInternet-facingpublicIPaddresses.ElasticLoadBalancingalsosupportsintegratedcertificatemanagementandSSLtermination.

ElasticLoadBalancingisahighlyavailableserviceitselfandcanbeusedtohelpbuildhighlyavailablearchitectures.

TypesofLoadBalancersElasticLoadBalancingprovidesseveraltypesofloadbalancersforhandlingdifferentkindsofconnectionsincludingInternet-facing,internal,andloadbalancersthatsupportencryptedconnections.

Internet-FacingLoadBalancersAnInternet-facingloadbalanceris,asthenameimplies,aloadbalancerthattakesrequestsfromclientsovertheInternetanddistributesthemtoAmazonEC2instancesthatareregisteredwiththeloadbalancer.

Page 167: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

Whenyouconfigurealoadbalancer,itreceivesapublicDNSnamethatclientscanusetosendrequeststoyourapplication.TheDNSserversresolvetheDNSnametoyourloadbalancer’spublicIPaddress,whichcanbevisibletoclientapplications.

AnAWSrecommendedbestpracticeisalwaystoreferencealoadbalancerbyitsDNSname,insteadofbytheIPaddressoftheloadbalancer,inordertoprovideasingle,stableentrypoint.

BecauseElasticLoadBalancingscalesinandouttomeettrafficdemand,itisnotrecommendedtobindanapplicationtoanIPaddressthatmaynolongerbepartofaloadbalancer’spoolofresources.

ElasticLoadBalancinginAmazonVPCsupportsIPv4addressesonly.ElasticLoadBalancinginEC2-ClassicsupportsbothIPv4andIPv6addresses.

InternalLoadBalancersInamulti-tierapplication,itisoftenusefultoloadbalancebetweenthetiersoftheapplication.Forexample,anInternet-facingloadbalancermightreceiveandbalanceexternaltraffictothepresentationorwebtierwhoseAmazonEC2instancesthensenditsrequeststoaloadbalancersittinginfrontoftheapplicationtier.YoucanuseinternalloadbalancerstoroutetraffictoyourAmazonEC2instancesinVPCswithprivatesubnets.

HTTPSLoadBalancersYoucancreatealoadbalancerthatusestheSSL/TransportLayerSecurity(TLS)protocolforencryptedconnections(alsoknownasSSLoffload).ThisfeatureenablestrafficencryptionbetweenyourloadbalancerandtheclientsthatinitiateHTTPSsessions,andforconnectionsbetweenyourloadbalancerandyourback-endinstances.ElasticLoadBalancingprovidessecuritypoliciesthathavepredefinedSSLnegotiationconfigurationstousetonegotiateconnectionsbetweenclientsandtheloadbalancer.InordertouseSSL,youmustinstallanSSLcertificateontheloadbalancerthatitusestoterminatetheconnectionandthendecryptrequestsfromclientsbeforesendingrequeststotheback-endAmazonEC2instances.Youcanoptionallychoosetoenableauthenticationonyourback-endinstances.

ElasticLoadBalancingdoesnotsupportServerNameIndication(SNI)onyourloadbalancer.ThismeansthatifyouwanttohostmultiplewebsitesonafleetofAmazonEC2instancesbehindElasticLoadBalancingwithasingleSSLcertificate,youwillneedtoaddaSubjectAlternativeName(SAN)foreachwebsitetothecertificatetoavoidsiteusersseeingawarningmessagewhenthesiteisaccessed.

ListenersEveryloadbalancermusthaveoneormorelistenersconfigured.Alistenerisaprocessthatchecksforconnectionrequests—forexample,aCNAMEconfiguredtotheArecordnameoftheloadbalancer.Everylistenerisconfiguredwithaprotocolandaport(clienttoloadbalancer)forafront-endconnectionandaprotocolandaportfortheback-end(loadbalancertoAmazonEC2instance)connection.ElasticLoadBalancingsupportsthefollowing

Page 168: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

protocols:

HTTP

HTTPS

TCP

SSL

ElasticLoadBalancingsupportsprotocolsoperatingattwodifferentOpenSystemInterconnection(OSI)layers.IntheOSImodel,Layer4isthetransportlayerthatdescribestheTCPconnectionbetweentheclientandyourback-endinstancethroughtheloadbalancer.Layer4isthelowestlevelthatisconfigurableforyourloadbalancer.Layer7istheapplicationlayerthatdescribestheuseofHTTPandHTTPSconnectionsfromclientstotheloadbalancerandfromtheloadbalancertoyourback-endinstance.

TheSSLprotocolisprimarilyusedtoencryptconfidentialdataoverinsecurenetworkssuchastheInternet.TheSSLprotocolestablishesasecureconnectionbetweenaclientandtheback-endserverandensuresthatallthedatapassedbetweenyourclientandyourserverisprivate.

ConfiguringElasticLoadBalancingElasticLoadBalancingallowsyoutoconfiguremanyaspectsoftheloadbalancer,includingidleconnectiontimeout,cross-zoneloadbalancing,connectiondraining,proxyprotocol,stickysessions,andhealthchecks.ConfigurationsettingscanbemodifiedusingeithertheAWSManagementConsoleoraCommandLineInterface(CLI).Someoftheoptionsaredescribednext.

IdleConnectionTimeoutForeachrequestthataclientmakesthroughaloadbalancer,theloadbalancermaintainstwoconnections.Oneconnectioniswiththeclientandtheotherconnectionistotheback-endinstance.Foreachconnection,theloadbalancermanagesanidletimeoutthatistriggeredwhennodataissentovertheconnectionforaspecifiedtimeperiod.Aftertheidletimeoutperiodhaselapsed,ifnodatahasbeensentorreceived,theloadbalancerclosestheconnection.

Bydefault,ElasticLoadBalancingsetstheidletimeoutto60secondsforbothconnections.IfanHTTPrequestdoesn’tcompletewithintheidletimeoutperiod,theloadbalancerclosestheconnection,evenifdataisstillbeingtransferred.Youcanchangetheidletimeoutsettingfortheconnectionstoensurethatlengthyoperations,suchasfileuploads,havetimetocomplete.

IfyouuseHTTPandHTTPSlisteners,werecommendthatyouenablethekeep-aliveoptionforyourAmazonEC2instances.Youcanenablekeep-aliveinyourwebserversettingsorinthekernelsettingsforyourAmazonEC2instances.Keep-alive,whenenabled,allowstheloadbalancertoreuseconnectionstoyourback-endinstance,whichreducesCPUutilization.

Page 169: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

Toensurethattheloadbalancerisresponsibleforclosingtheconnectionstoyourback-endinstance,makesurethatthevalueyousetforthekeep-alivetimeisgreaterthantheidletimeoutsettingonyourloadbalancer.

Cross-ZoneLoadBalancingToensurethatrequesttrafficisroutedevenlyacrossallback-endinstancesforyourloadbalancer,regardlessoftheAvailabilityZoneinwhichtheyarelocated,youshouldenablecross-zoneloadbalancingonyourloadbalancer.Cross-zoneloadbalancingreducestheneedtomaintainequivalentnumbersofback-endinstancesineachAvailabilityZoneandimprovesyourapplication’sabilitytohandlethelossofoneormoreback-endinstances.However,itisstillrecommendedthatyoumaintainapproximatelyequivalentnumbersofinstancesineachAvailabilityZoneforhigherfaulttolerance.

ForenvironmentswhereclientscacheDNSlookups,incomingrequestsmightfavoroneoftheAvailabilityZones.Usingcross-zoneloadbalancing,thisimbalanceintherequestloadisspreadacrossallavailableback-endinstancesintheregion,reducingtheimpactofmisconfiguredclients.

ConnectionDrainingYoushouldenableconnectiondrainingtoensurethattheloadbalancerstopssendingrequeststoinstancesthatarederegisteringorunhealthy,whilekeepingtheexistingconnectionsopen.Thisenablestheloadbalancertocompletein-flightrequestsmadetotheseinstances.

Whenyouenableconnectiondraining,youcanspecifyamaximumtimefortheloadbalancertokeepconnectionsalivebeforereportingtheinstanceasderegistered.Themaximumtimeoutvaluecanbesetbetween1and3,600seconds(thedefaultis300seconds).Whenthemaximumtimelimitisreached,theloadbalancerforciblyclosesconnectionstothederegisteringinstance.

ProxyProtocolWhenyouuseTCPorSSLforbothfront-endandback-endconnections,yourloadbalancerforwardsrequeststotheback-endinstanceswithoutmodifyingtherequestheaders.IfyouenableProxyProtocol,ahuman-readableheaderisaddedtotherequestheaderwithconnectioninformationsuchasthesourceIPaddress,destinationIPaddress,andportnumbers.Theheaderisthensenttotheback-endinstanceaspartoftherequest.

BeforeusingProxyProtocol,verifythatyourloadbalancerisnotbehindaproxyserverwithProxyProtocolenabled.IfProxyProtocolisenabledonboththeproxyserverandtheloadbalancer,theloadbalanceraddsanotherheadertotherequest,whichalreadyhasaheaderfromtheproxyserver.Dependingonhowyourback-endinstanceisconfigured,thisduplicationmightresultinerrors.

StickySessionsBydefault,aloadbalancerrouteseachrequestindependentlytotheregisteredinstancewith

Page 170: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

thesmallestload.However,youcanusethestickysessionfeature(alsoknownassessionaffinity),whichenablestheloadbalancertobindauser’ssessiontoaspecificinstance.Thisensuresthatallrequestsfromtheuserduringthesessionaresenttothesameinstance.

Thekeytomanagingstickysessionsistodeterminehowlongyourloadbalancershouldconsistentlyroutetheuser’srequesttothesameinstance.Ifyourapplicationhasitsownsessioncookie,youcanconfigureElasticLoadBalancingsothatthesessioncookiefollowsthedurationspecifiedbytheapplication’ssessioncookie.Ifyourapplicationdoesnothaveitsownsessioncookie,youcanconfigureElasticLoadBalancingtocreateasessioncookiebyspecifyingyourownstickinessduration.ElasticLoadBalancingcreatesacookienamedAWSELBthatisusedtomapthesessiontotheinstance.

HealthChecksElasticLoadBalancingsupportshealthcheckstotestthestatusoftheAmazonEC2instancesbehindanElasticLoadBalancingloadbalancer.ThestatusoftheinstancesthatarehealthyatthetimeofthehealthcheckisInService.ThestatusofanyinstancesthatareunhealthyatthetimeofthehealthcheckisOutOfService.Theloadbalancerperformshealthchecksonallregisteredinstancestodeterminewhethertheinstanceisinahealthystateoranunhealthystate.Ahealthcheckisaping,aconnectionattempt,orapagethatischeckedperiodically.Youcansetthetimeintervalbetweenhealthchecksandalsotheamountoftimetowaittorespondincasethehealthcheckpageincludesacomputationalaspect.Finally,youcansetathresholdforthenumberofconsecutivehealthcheckfailuresbeforeaninstanceismarkedasunhealthy.

UpdatesBehindanElasticLoadBalancingLoadBalancer

Long-runningapplicationswilleventuallyneedtobemaintainedandupdatedwithanewerversionoftheapplication.WhenusingAmazonEC2instancesrunningbehindanElasticLoadBalancingloadbalancer,youmayderegistertheselong-runningAmazonEC2instancesassociatedwithaloadbalancermanuallyandthenregisternewlylaunchedAmazonEC2instancesthatyouhavestartedwiththenewupdatesinstalled.

Page 171: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

AmazonCloudWatchAmazonCloudWatchisaservicethatyoucanusetomonitoryourAWSresourcesandyourapplicationsinrealtime.WithAmazonCloudWatch,youcancollectandtrackmetrics,createalarmsthatsendnotifications,andmakechangestotheresourcesbeingmonitoredbasedonrulesyoudefine.

Forexample,youmightchoosetomonitorCPUutilizationtodecidewhentoaddorremoveAmazonEC2instancesinanapplicationtier.Or,ifaparticularapplication-specificmetricthatisnotvisibletoAWSisthebestindicatorforassessingyourscalingneeds,youcanperformaPUTrequesttopushthatmetricintoAmazonCloudWatch.Youcanthenusethiscustommetrictomanagecapacity.

Youcanspecifyparametersforametricoveratimeperiodandconfigurealarmsandautomatedactionswhenathresholdisreached.AmazonCloudWatchsupportsmultipletypesofactionssuchassendinganotificationtoanAmazonSimpleNotificationService(AmazonSNS)topicorexecutinganAutoScalingpolicy.

AmazonCloudWatchofferseitherbasicordetailedmonitoringforsupportedAWSproducts.BasicmonitoringsendsdatapointstoAmazonCloudWatcheveryfiveminutesforalimitednumberofpreselectedmetricsatnocharge.DetailedmonitoringsendsdatapointstoAmazonCloudWatcheveryminuteandallowsdataaggregationforanadditionalcharge.Ifyouwanttousedetailedmonitoring,youmustenableit—basicisthedefault.

AmazonCloudWatchsupportsmonitoringandspecificmetricsformostAWSCloudservices,including:AutoScaling,AmazonCloudFront,AmazonCloudSearch,AmazonDynamoDB,AmazonEC2,AmazonEC2ContainerService(AmazonECS),AmazonElastiCache,AmazonElasticBlockStore(AmazonEBS),ElasticLoadBalancing,AmazonElasticMapReduce(AmazonEMR),AmazonElasticsearchService,AmazonKinesisStreams,AmazonKinesisFirehose,AWSLambda,AmazonMachineLearning,AWSOpsWorks,AmazonRedshift,AmazonRelationalDatabaseService(AmazonRDS),AmazonRoute53,AmazonSNS,AmazonSimpleQueueService(AmazonSQS),AmazonS3,AWSSimpleWorkflowService(AmazonSWF),AWSStorageGateway,AWSWAF,andAmazonWorkSpaces.

ReadAlert

YoumayhaveanapplicationthatleveragesAmazonDynamoDB,andyouwanttoknowwhenreadrequestsreachacertainthresholdandalertyourselfwithanemail.YoucandothisbyusingProvisionedReadCapacityUnitsfortheAmazonDynamoDBtableforwhichyouwanttosetanalarm.Yousimplysetathresholdvalueduringanumberofconsecutiveperiodsandthenspecifyemailasthenotificationtype.Now,whenthethresholdissustainedoverthenumberofperiods,yourspecifiedemailwillalertyoutothereadactivity.

AmazonCloudWatchmetricscanberetrievedbyperformingaGETrequest.Whenyouusedetailedmonitoring,youcanalsoaggregatemetricsacrossalengthoftimeyouspecify.AmazonCloudWatchdoesnotaggregatedataacrossregionsbutcanaggregateacross

Page 172: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

AvailabilityZoneswithinaregion.

AWSprovidesarichsetofmetricsincludedwitheachservice,butyoucanalsodefinecustommetricstomonitorresourcesandeventsAWSdoesnothavevisibilityinto—forexample,AmazonEC2instancememoryconsumptionanddiskmetricsthatarevisibletotheoperatingsystemoftheAmazonEC2instancebutnotvisibletoAWSorapplication-specificthresholdsrunningoninstancesthatarenotknowntoAWS.AmazonCloudWatchsupportsanApplicationProgrammingInterface(API)thatallowsprogramsandscriptstoPUTmetricsintoAmazonCloudWatchasname-valuepairsthatcanthenbeusedtocreateeventsandtriggeralarmsinthesamemannerasthedefaultAmazonCloudWatchmetrics.

AmazonCloudWatchLogscanbeusedtomonitor,store,andaccesslogfilesfromAmazonEC2instances,AWSCloudTrail,andothersources.Youcanthenretrievethelogdataandmonitorinrealtimeforevents—forexample,youcantrackthenumberoferrorsinyourapplicationlogsandsendanotificationifanerrorrateexceedsathreshold.AmazonCloudWatchLogscanalsobeusedtostoreyourlogsinAmazonS3orAmazonGlacier.Logscanberetainedindefinitelyoraccordingtoanagingpolicythatwilldeleteolderlogsasnolongerneeded.

ACloudWatchLogsagentisavailablethatprovidesanautomatedwaytosendlogdatatoCloudWatchLogsforAmazonEC2instancesrunningAmazonLinuxorUbuntu.YoucanusetheAmazonCloudWatchLogsagentinstalleronanexistingAmazonEC2instancetoinstallandconfiguretheCloudWatchLogsagent.Afterinstallationiscomplete,theagentconfirmsthatithasstartedanditstaysrunninguntilyoudisableit.

AmazonCloudWatchhassomelimitsthatyoushouldkeepinmindwhenusingtheservice.EachAWSaccountislimitedto5,000alarmsperAWSaccount,andmetricsdataisretainedfortwoweeksbydefault(atthetimeofthiswriting).Ifyouwanttokeepthedatalonger,youwillneedtomovethelogstoapersistentstorelikeAmazonS3orAmazonGlacier.YoushouldfamiliarizeyourselfwiththelimitsforAmazonCloudWatchintheAmazonCloudWatchDeveloperGuide.

Page 173: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

AutoScalingAdistinctadvantageofdeployingapplicationstothecloudistheabilitytolaunchandthenreleaseserversinresponsetovariableworkloads.Provisioningserversondemandandthenreleasingthemwhentheyarenolongerneededcanprovidesignificantcostsavingsforworkloadsthatarenotsteadystate.Examplesincludeawebsiteforaspecificsportingevent,anend-of-monthdata-inputsystem,aretailshoppingsitesupportingflashsales,amusicartistwebsiteduringthereleaseofnewsongs,acompanywebsiteannouncingsuccessfulearnings,oranightlyprocessingruntocalculatedailyactivity.

AutoScalingisaservicethatallowsyoutoscaleyourAmazonEC2capacityautomaticallybyscalingoutandscalinginaccordingtocriteriathatyoudefine.WithAutoScaling,youcanensurethatthenumberofrunningAmazonEC2instancesincreasesduringdemandspikesorpeakdemandperiodstomaintainapplicationperformanceanddecreasesautomaticallyduringdemandlullsortroughstominimizecosts.

EmbracetheSpike

Manywebapplicationshaveunplannedloadincreasesbasedoneventsoutsideofyourcontrol.Forexample,yourcompanymaygetmentionedonapopularblogortelevisionprogramdrivingmanymorepeopletovisityoursitethanexpected.SettingupAutoScalinginadvancewillallowyoutoembraceandsurvivethiskindoffastincreaseinthenumberofrequests.AutoScalingwillscaleupyoursitetomeettheincreaseddemandandthenscaledownwhentheeventsubsides.

AutoScalingPlansAutoScalinghasseveralschemesorplansthatyoucanusetocontrolhowyouwantAutoScalingtoperform.

MaintainCurrentInstanceLevelsYoucanconfigureyourAutoScalinggrouptomaintainaminimumorspecifiednumberofrunninginstancesatalltimes.Tomaintainthecurrentinstancelevels,AutoScalingperformsaperiodichealthcheckonrunninginstanceswithinanAutoScalinggroup.WhenAutoScalingfindsanunhealthyinstance,itterminatesthatinstanceandlaunchesanewone.

SteadystateworkloadsthatneedaconsistentnumberofAmazonEC2instancesatalltimescanuseAutoScalingtomonitorandkeepthatspecificnumberofAmazonEC2instancesrunning.

ManualScalingManualscalingisthemostbasicwaytoscaleyourresources.Youonlyneedtospecifythechangeinthemaximum,minimum,ordesiredcapacityofyourAutoScalinggroup.Auto

Page 174: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

Scalingmanagestheprocessofcreatingorterminatinginstancestomaintaintheupdatedcapacity.

Manualscalingoutcanbeveryusefultoincreaseresourcesforaninfrequentevent,suchasthereleaseofanewgameversionthatwillbeavailablefordownloadandrequireauserregistration.Forextremelylarge-scaleevents,eventheElasticLoadBalancingloadbalancerscanbepre-warmedbyworkingwithyourlocalsolutionsarchitectorAWSSupport.

ScheduledScalingSometimesyouknowexactlywhenyouwillneedtoincreaseordecreasethenumberofinstancesinyourgroup,simplybecausethatneedarisesonapredictableschedule.Examplesincludeperiodiceventssuchasend-of-month,end-of-quarter,orend-of-yearprocessing,andalsootherpredictable,recurringevents.Scheduledscalingmeansthatscalingactionsareperformedautomaticallyasafunctionoftimeanddate.

Recurringeventssuchasend-of-month,quarter,oryearprocessing,orscheduledandrecurringautomatedloadandperformancetesting,canbeanticipatedandAutoScalingcanberampedupappropriatelyatthetimeofthescheduledevent.

DynamicScalingDynamicscalingletsyoudefineparametersthatcontroltheAutoScalingprocessinascalingpolicy.Forexample,youmightcreateapolicythataddsmoreAmazonEC2instancestothewebtierwhenthenetworkbandwidth,measuredbyAmazonCloudWatch,reachesacertainthreshold.

AutoScalingComponentsAutoScalinghasseveralcomponentsthatneedtobeconfiguredtoworkproperly:alaunchconfiguration,anAutoScalinggroup,andanoptionalscalingpolicy.

LaunchConfigurationAlaunchconfigurationisthetemplatethatAutoScalingusestocreatenewinstances,anditiscomposedoftheconfigurationname,AmazonMachineImage(AMI),AmazonEC2instancetype,securitygroup,andinstancekeypair.EachAutoScalinggroupcanhaveonlyonelaunchconfigurationatatime.

TheCLIcommandthatfollowswillcreatealaunchconfigurationwiththefollowingattributes:

Name:myLC

AMI:ami-0535d66c

Page 175: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

Instancetype:m3.medium

Securitygroups:sg-f57cde9d

Instancekeypair:myKeyPair

>awsautoscalingcreate-launch-configuration-–launch-configuration-namemyLC--

image-idami-0535d66c--instance-typem3.medium--security-groupssg-f57cde9d--

key-namemyKeyPair

SecuritygroupsforinstanceslaunchedinEC2-Classicmaybereferencedbysecuritygroupnamesuchas“SSH”or“Web”ifthatiswhattheyarenamed,oryoucanreferencethesecuritygroupIDs,suchassg-f57cde9d.IfyoulaunchedtheinstancesinAmazonVPC,whichisrecommended,youmustusethesecuritygroupIDstoreferencethesecuritygroupsyouwantassociatedwiththeinstancesinanAutoScalinglaunchconfiguration.

Thedefaultlimitforlaunchconfigurationsis100perregion.Ifyouexceedthislimit,thecalltocreate-launch-configurationwillfail.Youmayviewandupdatethislimitbyrunningdescribe-account-limitsatthecommandline,asshownhere.

>awsautoscalingdescribe-account-limits

AutoScalingmaycauseyoutoreachlimitsofotherservices,suchasthedefaultnumberofAmazonEC2instancesyoucancurrentlylaunchwithinaregion,whichis20.WhenbuildingmorecomplexarchitectureswithAWS,itisimportanttokeepinmindtheservicelimitsforallAWSCloudservicesyouareusing.

WhenyourunacommandusingtheCLIanditfails,checkyoursyntaxfirst.Ifthatchecksout,verifythelimitsforthecommandyouareattempting,andchecktoseethatyouhavenotexceededalimit.Somelimitscanberaisedandusuallydefaultedtoareasonablevaluetolimitaracecondition,anerrantscriptrunninginaloop,orothersimilarautomationthatmightcauseunintendedhighusageandbillingofAWSresources.AWSservicelimitscanbeviewedintheAWSGeneralReferenceGuideunderAWSServiceLimits.YoucanraiseyourlimitsbycreatingasupportcaseattheAWSSupportCenteronlineandthenchoosingServiceLimitIncreaseunderRegarding.Thenfillintheappropriateserviceandlimittoincreasevalueintheonlineform.

AutoScalingGroupAnAutoScalinggroupisacollectionofAmazonEC2instancesmanagedbytheAutoScalingservice.EachAutoScalinggroupcontainsconfigurationoptionsthatcontrolwhenAutoScalingshouldlaunchnewinstancesandterminateexistinginstances.AnAutoScalinggroupmustcontainanameandaminimumandmaximumnumberofinstancesthatcanbeinthegroup.Youcanoptionallyspecifydesiredcapacity,whichisthenumberofinstancesthatthegroupmusthaveatalltimes.Ifyoudon’tspecifyadesiredcapacity,thedefaultdesiredcapacityistheminimumnumberofinstancesthatyouspecify.

TheCLIcommandthatfollowswillcreateanAutoScalinggroupthatreferencesthepreviouslaunchconfigurationandincludesthefollowingspecifications:

Page 176: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

Name:myASG

Launchconfiguration:myLC

AvailabilityZones:us-east-1aandus-east-1c

Minimumsize:1

Desiredcapacity:3

Maximumcapacity:10

Loadbalancers:myELB

>awsautoscalingcreate-auto-scaling-group--auto–scaling-group-namemyASG--

launch-configuration-namemyLC--availability-zonesus-east-1a,us-east-1c--min-

size1--max-size10--desired-capacity3--load-balancer-namesmyELB

Figure5.1depictsdeployedAWSresourcesafteraloadbalancernamedmyELBiscreatedandthelaunchconfigurationmyLCandAutoScalingGroupmyASGaresetup.

FIGURE5.1AutoScalinggroupbehindanElasticLoadBalancingloadbalancer

AnAutoScalinggroupcanuseeitherOn-DemandorSpotInstancesastheAmazonEC2instancesitmanages.On-Demandisthedefault,butSpotInstancescanbeusedbyreferencingamaximumbidpriceinthelaunchconfiguration(—spot-price"0.15")associatedwiththeAutoScalinggroup.YoumaychangethebidpricebycreatinganewlaunchconfigurationwiththenewbidpriceandthenassociatingitwithyourAutoScalinggroup.Ifinstancesareavailableatorbelowyourbidprice,theywillbelaunchedinyourAutoScalinggroup.SpotInstancesinanAutoScalinggroupfollowthesameguidelinesasSpot

Page 177: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

InstancesoutsideanAutoScalinggroupandrequireapplicationsthatareflexibleandcantolerateAmazonEC2instancesthatareterminatedwithshortnotice,forexample,whentheSpotpricerisesabovethebidpriceyousetinthelaunchconfiguration.AlaunchconfigurationcanreferenceOn-DemandInstancesorSpotInstances,butnotboth.

SpotOn!

AutoScalingsupportsusingcost-effectiveSpotInstances.Thiscanbeveryusefulwhenyouarehostingsiteswhereyouwanttoprovideadditionalcomputecapacitybutarepriceconstrained.Anexampleisa“freemium”sitemodelwhereyoumayoffersomebasicfunctionalitytousersforfreeandadditionalfunctionalityforpremiumuserswhopayforuse.SpotInstancescanbeusedforprovidingthebasicfunctionalitywhenavailablebyreferencingamaximumbidpriceinthelaunchconfiguration(—spot-price"0.15")associatedwiththeAutoScalinggroup.

ScalingPolicyYoucanassociateAmazonCloudWatchalarmsandscalingpolicieswithanAutoScalinggrouptoadjustAutoScalingdynamically.Whenathresholdiscrossed,AmazonCloudWatchsendsalarmstotriggerchanges(scalinginorout)tothenumberofAmazonEC2instancescurrentlyreceivingtrafficbehindaloadbalancer.AftertheAmazonCloudWatchalarmsendsamessagetotheAutoScalinggroup,AutoScalingexecutestheassociatedpolicytoscaleyourgroup.ThepolicyisasetofinstructionsthattellsAutoScalingwhethertoscaleout,launchingnewAmazonEC2instancesreferencedintheassociatedlaunchconfiguration,ortoscaleinandterminateinstances.

Thereareseveralwaystoconfigureascalingpolicy:Youcanincreaseordecreasebyaspecificnumberofinstances,suchasaddingtwoinstances;youcantargetaspecificnumberofinstances,suchasamaximumoffivetotalAmazonEC2instances;oryoucanadjustbasedonapercentage.Youcanalsoscalebystepsandincreaseordecreasethecurrentcapacityofthegroupbasedonasetofscalingadjustmentsthatvarybasedonthesizeofthealarmthresholdtrigger.

YoucanassociatemorethanonescalingpolicywithanAutoScalinggroup.Forexample,youcancreateapolicyusingthetriggerforCPUutilization,calledCPULoad,andtheCloudWatchmetricCPUUtilizationtospecifyscalingoutifCPUutilizationisgreaterthan75percentfortwominutes.YoucouldattachanotherpolicytothesameAutoScalinggrouptoscaleinifCPUutilizationislessthan40percentfor20minutes.

ThefollowingCLIcommandswillcreatethescalingpolicyjustdescribed.

>awsautoscalingput-scaling-policy--auto-scaling-group-namemyASG--policy-name

CPULoadScaleOut--scaling-adjustment1--adjustment-typeChangeInCapacity--

cooldown30>awsautoscalingput-scaling-policy--auto-scaling-group-namemyASG-

-policy-nameCPULoadScaleIn--scaling-adjustment-1--adjustment-type

ChangeInCapacity--cooldown600

ThefollowingCLIcommandswillassociateAmazonCloudWatchalarmsforscalingoutandscalinginwiththescalingpolicy,asshowninFigure5.2.Inthisexample,theAmazonCloudWatchalarmsreferencethescalingpolicybyAmazonResourceName(ARN).

Page 178: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

FIGURE5.2AutoScalinggroupwithpolicy

>awscloudwatchput-metric-alarm--alarmnamecapacityAdd--metric-name

CPUUtilization--namespaceAWS/EC2--statisticAverage–-period300--threshold75

--comparison-operatorGreaterThanOrEqualToThreshold--dimensions

"Name=AutoScalingGroupName,Value=myASG"--evaluation-periods1--alarm-actions

arn:aws:autoscaling:us-east-1:123456789012:scalingPolicy:12345678-90ab-cdef-

1234567890ab:autoScalingGroupName/myASG:policyName/CPULoadScaleOut--unitPercent

>awscloudwatchput-metric-alarm--alarmnamecapacityReduce--metric-name

CPUUtilization--namespaceAWS/EC2--statisticAverage--period1200--threshold40

--comparison-operatorGreaterThanOrEqualToThreshold--dimensions

"Name=AutoScalingGroupName,Value=myASG"--evaluation-periods1--alarm-actions

arn:aws:autoscaling:us-east-1:123456789011:scalingPolicy:11345678-90ab-cdef-

1234567890ab:autoScalingGroupName/myASG:policyName/CPULoadScaleIn--unitPercent

IfthescalingpolicydefinedinthepreviousparagraphisassociatedwiththeAutoScalinggroupnamedmyASG,andtheCPUutilizationisover75percentformorethanfiveminutes,asshowninFigure5.3,anewAmazonEC2instancewillbelaunchedandattachedtotheloadbalancernamedmyELB.

Page 179: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

FIGURE5.3AmazonCloudWatchalarmtriggeringscalingout

ArecommendedbestpracticeistoscaleoutquicklyandscaleinslowlysoyoucanrespondtoburstsorspikesbutavoidinadvertentlyterminatingAmazonEC2instancestooquickly,onlyhavingtolaunchmoreAmazonEC2instancesiftheburstissustained.AutoScalingalsosupportsacooldownperiod,whichisaconfigurablesettingthatdetermineswhentosuspendscalingactivitiesforashorttimeforanAutoScalinggroup.

IfyoustartanAmazonEC2instance,youwillbebilledforonefullhourofrunningtime.Partialinstancehoursconsumedarebilledasfullhours.Thismeansthatifyouhaveapermissivescalingpolicythatlaunches,terminates,andrelaunchesmanyinstancesanhour,youarebillingafullhourforeachandeveryinstanceyoulaunch,evenifyouterminatesomeofthoseinstancesinlessthanhour.ArecommendedbestpracticeforcosteffectivenessistoscaleoutquicklywhenneededbutscaleinmoreslowlytoavoidhavingtorelaunchnewandseparateAmazonEC2instancesforaspikeinworkloaddemandthatfluctuatesupanddownwithinminutesbutgenerallycontinuestoneedmoreresourceswithinanhour.

Scaleoutquickly;scaleinslowly.

ItisimportanttoconsiderbootstrappingforAmazonEC2instanceslaunchedusingAutoScaling.IttakestimetoconfigureeachnewlylaunchedAmazonEC2instancebeforetheinstanceishealthyandcapableofacceptingtraffic.Instancesthatstartandareavailableforloadfastercanjointhecapacitypoolmorequickly.Furthermore,instancesthataremorestatelessinsteadofstatefulwillmoregracefullyenterandexitanAutoScalinggroup.

Page 180: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

RollingOutaPatchatScale

InlargedeploymentsofAmazonEC2instances,AutoScalingcanbeusedtomakerollingoutapatchtoyourinstanceseasy.ThelaunchconfigurationassociatedwiththeAutoScalinggroupmaybemodifiedtoreferenceanewAMIandevenanewAmazonEC2instanceifneeded.Thenyoucanderegisterorterminateinstancesoneatatimeorinsmallgroups,andthenewAmazonEC2instanceswillreferencethenewpatchedAMI.

Page 181: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

SummaryThischapterintroducedthreeservices:

ElasticLoadBalancing,whichisusedtodistributetrafficacrossagroupofAmazonEC2instancesinoneormoreAvailabilityZonestoachievegreaterlevelsoffaulttoleranceforyourapplications.

AmazonCloudWatch,whichmonitorsresourcesandapplications.AmazonCloudWatchisusedtocollectandtrackmetrics,createalarmsthatsendnotifications,andmakechangestoresourcesbeingmonitoredbasedonrulesyoudefine.

AutoScaling,whichallowsyoutoautomaticallyscaleyourAmazonEC2capacityoutandinusingcriteriathatyoudefine.

ThesethreeservicescanbeusedveryeffectivelytogethertocreateahighlyavailableapplicationwitharesilientarchitectureonAWS.

Page 182: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

ExamEssentialsUnderstandwhattheElasticLoadBalancingserviceprovides.ElasticLoadBalancingisahighlyavailableservicethatdistributestrafficacrossAmazonEC2instancesandincludesoptionsthatprovideflexibilityandcontrolofincomingrequeststoAmazonEC2instances.

KnowthetypesofloadbalancerstheElasticLoadBalancingserviceprovidesandwhentouseeachone.AnInternet-facingloadbalanceris,asthenameimplies,aloadbalancerthattakesrequestsfromclientsovertheInternetanddistributesthemtoAmazonEC2instancesthatareregisteredwiththeloadbalancer.

AninternalloadbalancerisusedtoroutetraffictoyourAmazonEC2instancesinVPCswithprivatesubnets.

AnHTTPSloadbalancerisusedwhenyouwanttoencryptdatabetweenyourloadbalancerandtheclientsthatinitiateHTTPSsessionsandforconnectionsbetweenyourloadbalancerandyourback-endinstances.

KnowthetypesoflistenerstheElasticLoadBalancingserviceprovidesandtheusecaseandrequirementsforusingeachone.Alistenerisaprocessthatchecksforconnectionrequests.Itisconfiguredwithaprotocolandaportforfront-end(clienttoloadbalancer)connectionsandaprotocolandaportforback-end(loadbalancertoback-endinstance)connections.

UnderstandtheconfigurationoptionsforElasticLoadBalancing.ElasticLoadBalancingallowsyoutoconfiguremanyaspectsoftheloadbalancer,includingidleconnectiontimeout,cross-zoneloadbalancing,connectiondraining,proxyprotocol,stickysessions,andhealthchecks.

KnowwhatanElasticLoadBalancinghealthcheckisandwhyitisimportant.ElasticLoadBalancingsupportshealthcheckstotestthestatusoftheAmazonEC2instancesbehindanElasticLoadBalancingloadbalancer.

UnderstandwhattheamazonCloudWatchserviceprovidesandwhatusecasesthereareforusingit.AmazonCloudWatchisaservicethatyoucanusetomonitoryourAWSresourcesandyourapplicationsinrealtime.WithAmazonCloudWatch,youcancollectandtrackmetrics,createalarmsthatsendnotifications,andmakechangestotheresourcesbeingmonitoredbasedonrulesyoudefine.

Forexample,youmightchoosetomonitorCPUutilizationtodecidewhentoaddorremoveAmazonEC2instancesinanapplicationtier.Or,ifaparticularapplication-specificmetricthatisnotvisibletoAWSisthebestindicatorforassessingyourscalingneeds,youcanperformaPUTrequesttopushthatmetricintoAmazonCloudWatch.Youcanthenusethiscustommetrictomanagecapacity.

Knowthedifferencesbetweenthetwotypesofmonitoring—basicanddetailed—forAmazonCloudWatch.AmazonCloudWatchoffersbasicordetailedmonitoringforsupportedAWSproducts.BasicmonitoringsendsdatapointstoAmazonCloudWatcheveryfiveminutesforalimitednumberofpreselectedmetricsatnocharge.DetailedmonitoringsendsdatapointstoAmazonCloudWatcheveryminuteandallowsdataaggregationforan

Page 183: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

additionalcharge.Ifyouwanttousedetailedmonitoring,youmustenableit—basicisthedefault.

UnderstandAutoScalingandwhyitisanimportantadvantageoftheAWSCloud.Adistinctadvantageofdeployingapplicationstothecloudistheabilitytolaunchandthenreleaseserversinresponsetovariableworkloads.Provisioningserversondemandandthenreleasingthemwhentheyarenolongerneededcanprovidesignificantcostsavingsforworkloadsthatarenotsteadystate.

KnowwhenandwhytouseAutoScaling.AutoScalingisaservicethatallowsyoutoscaleyourAmazonEC2capacityautomaticallybyscalingoutandscalinginaccordingtocriteriathatyoudefine.WithAutoScaling,youcanensurethatthenumberofrunningAmazonEC2instancesincreasesduringdemandspikesorpeakdemandperiodstomaintainapplicationperformanceanddecreasesautomaticallyduringdemandlullsortroughstominimizecosts.

KnowthesupportedAutoScalingplans.AutoScalinghasseveralschemesorplansthatyoucanusetocontrolhowyouwantAutoScalingtoperform.TheAutoScalingplansarenamedMaintainCurrentInstantLevels,ManualScaling,ScheduledScaling,andDynamicScaling.

UnderstandhowtobuildanAutoScalinglaunchconfigurationandanAutoScalinggroupandwhateachisusedfor.AlaunchconfigurationisthetemplatethatAutoScalingusestocreatenewinstancesandiscomposedoftheconfigurationname,AMI,AmazonEC2instancetype,securitygroup,andinstancekeypair.

Knowwhatascalingpolicyisandwhatusecasestouseitfor.AscalingpolicyisusedbyAutoScalingwithCloudWatchalarmstodeterminewhenyourAutoScalinggroupshouldscaleoutorscalein.EachCloudWatchalarmwatchesasinglemetricandsendsmessagestoAutoScalingwhenthemetricbreachesathresholdthatyouspecifyinyourpolicy.

UnderstandhowElasticLoadBalancing,amazonCloudWatch,andAutoScalingareusedtogethertoprovidedynamicscaling.ElasticLoadBalancing,AmazonCloudWatch,andAutoScalingcanbeusedtogethertocreateahighlyavailableapplicationwitharesilientarchitectureonAWS.

Page 184: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

ExercisesForassistanceincompletingthefollowingexercises,refertotheElasticLoadBalancingDeveloperGuidelocatedathttp://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elastic-load-

balancing.html,theAmazonCloudWatchDeveloperGuideathttp://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/WhatIsCloudWatch.html

andtheAutoScalingUserGuideathttp://docs.aws.amazon.com/autoscaling/latest/userguide/WhatIsAutoScaling.html.

EXERCISE5.1

CreateanElasticLoadBalancingLoadBalancerInthisexercise,youwillusetheAWSManagementConsoletocreateanElasticLoadBalancingloadbalancer.

1. LaunchanAmazonEC2instanceusinganAMIwithawebserveronit,orinstallandconfigureawebserver.

2. CreateastaticpagetodisplayandahealthcheckpagethatreturnsHTTP200.ConfiguretheAmazonEC2instancetoaccepttrafficoverport80.

3. RegistertheAmazonEC2instancewiththeElasticLoadBalancingloadbalancer,andconfigureittousethehealthcheckpagetoevaluatethehealthoftheinstance.

EXERCISE5.2

UseanAmazonCloudWatchMetric1. LaunchanAmazonEC2instance.

2. UseanexistingAmazonCloudWatchmetrictomonitoravalue.

EXERCISE5.3

CreateaCustomAmazonCloudWatchMetric1. CreateacustomAmazonCloudWatchmetricformemoryconsumption.

2. UsetheCLItoPUTvaluesintothemetric.

Page 185: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

EXERCISE5.4

CreateaLaunchConfigurationandAutoScalingGroup1. UsingtheAWSManagementConsole,createalaunchconfigurationusinganexistingAMI.

2. CreateanAutoScalinggroupusingthislaunchconfigurationwithagroupsizeoffourandspanningtwoAvailabilityZones.Donotuseascalingpolicy.Keepthegroupatitsinitialsize.

3. ManuallyterminateanAmazonEC2instance,andobserveAutoScalinglaunchanewAmazonEC2instance.

EXERCISE5.5

CreateaScalingPolicy1. CreateanAmazonCloudWatchmetricandalarmforCPUutilizationusingtheAWSManagementConsole.

2. UsingtheAutoScalinggroupfromExercise5.4,edittheAutoScalinggrouptoincludeapolicythatusestheCPUutilizationalarm.

3. DriveCPUutilizationonthemonitoredAmazonEC2instance(s)uptoobserveAutoScaling.

EXERCISE5.6

CreateaWebApplicationThatScales1. CreateasmallwebapplicationarchitectedwithanElasticLoadBalancingloadbalancer,anAutoScalinggroupspanningtwoAvailabilityZonesthatusesanAmazonCloudWatchmetric,andanalarmattachedtoascalingpolicyusedbytheAutoScalinggroup.

2. VerifythatAutoScalingisoperatingcorrectlybyremovinginstancesanddrivingthemetricupanddowntoforceAutoScaling.

Page 186: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

ReviewQuestions1. WhichofthefollowingarerequiredelementsofanAutoScalinggroup?(Choose2answers)

A. Minimumsize

B. Healthchecks

C. Desiredcapacity

D. Launchconfiguration

2. YouhavecreatedanElasticLoadBalancingloadbalancerlisteningonport80,andyouregistereditwithasingleAmazonElasticComputeCloud(AmazonEC2)instancealsolisteningonport80.Aclientmakesarequesttotheloadbalancerwiththecorrectprotocolandportfortheloadbalancer.Inthisscenario,howmanyconnectionsdoesthebalancermaintain?

A. 1

B. 2

C. 3

D. 4

3. HowlongdoesAmazonCloudWatchkeepmetricdata?

A. 1day

B. 2days

C. 1week

D. 2weeks

4. WhichofthefollowingaretheminimumrequiredelementstocreateanAutoScalinglaunchconfiguration?

A. Launchconfigurationname,AmazonMachineImage(AMI),andinstancetype

B. Launchconfigurationname,AMI,instancetype,andkeypair

C. Launchconfigurationname,AMI,instancetype,keypair,andsecuritygroup

D. Launchconfigurationname,AMI,instancetype,keypair,securitygroup,andblockdevicemapping

5. Youareresponsiblefortheapplicationloggingsolutionforyourcompany’sexistingapplicationsrunningonmultipleAmazonEC2instances.WhichofthefollowingisthebestapproachforaggregatingtheapplicationlogswithinAWS?

A. AmazonCloudWatchcustommetrics

B. AmazonCloudWatchLogsAgent

C. AnElasticLoadBalancinglistener

Page 187: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

D. AninternalElasticLoadBalancingloadbalancer

6. WhichofthefollowingmustbeconfiguredonanElasticLoadBalancingloadbalancertoacceptincomingtraffic?

A. Aport

B. Anetworkinterface

C. Alistener

D. Aninstance

7. YoucreateanAutoScalinggroupinanewregionthatisconfiguredwithaminimumsizevalueof10,amaximumsizevalueof100,andadesiredcapacityvalueof50.However,younoticethat30oftheAmazonElasticComputeCloud(AmazonEC2)instanceswithintheAutoScalinggroupfailtolaunch.Whichofthefollowingisthecauseofthisbehavior?

A. YoucannotdefineanAutoScalinggrouplargerthan20.

B. TheAutoScalinggroupmaximumvaluecannotbemorethan20.

C. YoudidnotattachanElasticLoadBalancingloadbalancertotheAutoScalinggroup.

D. YouhavenotraisedyourdefaultAmazonEC2capacity(20)forthenewregion.

8. YouwanttohostmultipleHypertextTransferProtocolSecure(HTTPS)websitesonafleetofAmazonEC2instancesbehindanElasticLoadBalancingloadbalancerwithasingleX.509certificate.HowmustyouconfiguretheSecureSocketsLayer(SSL)certificatesothatclientsconnectingtotheloadbalancerarenotpresentedwithawarningwhentheyconnect?

A. CreateoneSSLcertificatewithaSubjectAlternativeName(SAN)valueforeachwebsitename.

B. CreateoneSSLcertificatewiththeServerNameIndication(SNI)valuechecked.

C. CreatemultipleSSLcertificateswithaSANvalueforeachwebsitename.

D. CreateSSLcertificatesforeachAvailabilityZonewithaSANvalueforeachwebsitename.

9. YourwebapplicationfrontendconsistsofmultipleAmazonComputeCloud(AmazonEC2)instancesbehindanElasticLoadBalancingloadbalancer.YouhaveconfiguredtheloadbalancertoperformhealthchecksontheseAmazonEC2instances.Ifaninstancefailstopasshealthchecks,whichstatementwillbetrue?

A. Theinstanceisreplacedautomaticallybytheloadbalancer.

B. Theinstanceisterminatedautomaticallybytheloadbalancer.

C. Theloadbalancerstopssendingtraffictotheinstancethatfaileditshealthcheck.

D. Theinstanceisquarantinedbytheloadbalancerforrootcauseanalysis.

10. InthebasicmonitoringpackageforAmazonElasticComputeCloud(AmazonEC2),whatAmazonCloudWatchmetricsareavailable?

Page 188: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

A. Webservervisiblemetricssuchasnumberoffailedtransactionrequests

B. Operatingsystemvisiblemetricssuchasmemoryutilization

C. Databasevisiblemetricssuchasnumberofconnections

D. HypervisorvisiblemetricssuchasCPUutilization

11. Acellphonecompanyisrunningdynamic-contenttelevisioncommercialsforacontest.Theywanttheirwebsitetohandletrafficspikesthatcomeafteracommercialairs.Thewebsiteisinteractive,offeringpersonalizedcontenttoeachvisitorbasedonlocation,purchasehistory,andthecurrentcommercialairing.WhicharchitecturewillconfigureAutoScalingtoscaleouttorespondtospikesofdemand,whileminimizingcostsduringquietperiods?

A. SettheminimumsizeoftheAutoScalinggroupsothatitcanhandlehightrafficvolumeswithoutneedingtoscaleout.

B. CreateanAutoScalinggrouplargeenoughtohandlepeaktrafficloads,andthenstopsomeinstances.ConfigureAutoScalingtoscaleoutwhentrafficincreasesusingthestoppedinstances,sonewcapacitywillcomeonlinequickly.

C. ConfigureAutoScalingtoscaleoutastrafficincreases.ConfigurethelaunchconfigurationtostartnewinstancesfromapreconfiguredAmazonMachineImage(AMI).

D. UseAmazonCloudFrontandAmazonSimpleStorageService(AmazonS3)tocachechangingcontent,withtheAutoScalinggroupsetastheorigin.ConfigureAutoScalingtohavesufficientinstancesnecessarytoinitiallypopulateCloudFrontandAmazonElastiCache,andthenscaleinafterthecacheisfullypopulated.

12. Foranapplicationrunningintheap-northeast-1regionwiththreeAvailabilityZones(ap-northeast-1a,ap-northeast-1b,andap-northeast-1c),whichinstancedeploymentprovideshighavailabilityfortheapplicationthatnormallyrequiresninerunningAmazonElasticComputeCloud(AmazonEC2)instancesbutcanrunonaminimumof65percentcapacitywhileAutoScalinglaunchesreplacementinstancesintheremainingAvailabilityZones?

A. Deploytheapplicationonfourserversinap-northeast-1aandfiveserversinap-northeast-1b,andkeepfivestoppedinstancesinap-northeast-1aasreserve.

B. Deploytheapplicationonthreeserversinap-northeast-1a,threeserversinap-northeast-1b,andthreeserversinap-northeast-1c.

C. Deploytheapplicationonsixserversinap-northeast-1bandthreeserversinap-northeast-1c.

D. Deploytheapplicationonnineserversinap-northeast-1b,andkeepninestoppedinstancesinap-northeast-1aasreserve.

13. WhichofthefollowingarecharacteristicsoftheAutoScalingserviceonAWS?(Choose3answers)

A. Sendstraffictohealthyinstances

B. RespondstochangingconditionsbyaddingorterminatingAmazonElasticCompute

Page 189: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

Cloud(AmazonEC2)instances

C. Collectsandtracksmetricsandsetsalarms

D. Deliverspushnotifications

E. LaunchesinstancesfromaspecifiedAmazonMachineImage(AMI)

F. EnforcesaminimumnumberofrunningAmazonEC2instances

14. WhyisthelaunchconfigurationreferencedbytheAutoScalinggroupinsteadofbeingpartoftheAutoScalinggroup?

A. ItallowsyoutochangetheAmazonElasticComputeCloud(AmazonEC2)instancetypeandAmazonMachineImage(AMI)withoutdisruptingtheAutoScalinggroup.

B. ItfacilitatesrollingoutapatchtoanexistingsetofinstancesmanagedbyanAutoScalinggroup.

C. ItallowsyoutochangesecuritygroupsassociatedwiththeinstanceslaunchedwithouthavingtomakechangestotheAutoScalinggroup.

D. Alloftheabove

E. Noneoftheabove

15. AnAutoScalinggroupmayuse:(Choose2answers)

A. On-DemandInstances

B. Stoppedinstances

C. SpotInstances

D. On-premisesinstances

E. AlreadyrunninginstancesiftheyusethesameAmazonMachineImage(AMI)astheAutoScalinggroup’slaunchconfigurationandarenotalreadypartofanotherAutoScalinggroup

16. AmazonCloudWatchsupportswhichtypesofmonitoringplans?(Choose2answers)

A. Basicmonitoring,whichisfree

B. Basicmonitoring,whichhasanadditionalcost

C. Adhocmonitoring,whichisfree

D. Adhocmonitoring,whichhasanadditionalcost

E. Detailedmonitoring,whichisfree

F. Detailedmonitoring,whichhasanadditionalcost

17. ElasticLoadBalancinghealthchecksmaybe:(Choose3answers)

A. Aping

B. Akeypairverification

C. Aconnectionattempt

D. Apagerequest

Page 190: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

E. AnAmazonElasticComputeCloud(AmazonEC2)instancestatuscheck

18. WhenanAmazonElasticComputeCloud(AmazonEC2)instanceregisteredwithanElasticLoadBalancingloadbalancerusingconnectiondrainingisderegisteredorunhealthy,whichofthefollowingwillhappen?(Choose2answers)

A. Immediatelycloseallexistingconnectionstothatinstance.

B. Keeptheconnectionsopentothatinstance,andattempttocompletein-flightrequests.

C. Redirecttherequeststoauser-definederrorpagelike“Oopsthisisembarrassing”or“UnderConstruction.”

D. Forciblycloseallconnectionstothatinstanceafteratimeoutperiod.

E. Leavetheconnectionsopenaslongastheloadbalancerisrunning.

19. ElasticLoadBalancingsupportswhichofthefollowingtypesofloadbalancers?(Choose3answers)

A. Cross-region

B. Internet-facing

C. Interim

D. Itinerant

E. Internal

F. HypertextTransferProtocolSecure(HTTPS)usingSecureSocketsLayer(SSL)

20. AutoScalingsupportswhichofthefollowingplansforAutoScalinggroups?(Choose3answers)

A. Predictive

B. Manual

C. Preemptive

D. Scheduled

E. Dynamic

F. End-userrequestdriven

G. Optimistic

Page 191: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

Chapter6AWSIdentityandAccessManagement(IAM)THEAWSCERTIFIEDSOLUTIONSARCHITECTASSOCIATEEXAMOBJECTIVESCOVEREDINTHISCHAPTERMAYINCLUDE,BUTARENOTLIMITEDTO,THEFOLLOWING:Domain2.0:Implementation/Deployment

2.1IdentifytheappropriatetechniquesandmethodsusingAmazonEC2,AmazonS3,ElasticBeanstalk,CloudFormation,AmazonVirtualPrivateCloud(VPC),andAWSIdentityandAccessManagement(IAM)tocodeandimplementacloudsolution.

Contentmayincludethefollowing:

ConfigureIAMpoliciesandbestpractices

Domain3.0:DataSecurity

3.1Recognizeandimplementsecurepracticesforoptimumclouddeploymentandmaintenance.

Contentmayincludethefollowing:

AWSIdentityandAccessManagement(IAM)

IntroductionInthischapter,youwilllearnhowAWSIdentityandAccessManagement(IAM)securesinteractionswiththeAWSresourcesinyouraccount,including:

WhichprincipalsinteractwithAWSthroughtheAWSManagementConsole,CommandLineInterface(CLI),andSoftwareDevelopmentKits(SDKs)

Howeachprincipalisauthenticated

HowIAMpoliciesarewrittentospecifytheaccessprivilegesofprincipals

HowIAMpoliciesareassociatedwithprincipals

HowtosecureyourinfrastructurefurtherthroughMulti-FactorAuthentication(MFA)andkeyrotation

HowIAMrolescanbeusedtodelegatepermissionsandfederateusers

Page 192: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

Howtoresolvemultiple,possiblyconflictingIAMpermissions

IAMisapowerfulservicethatallowsyoutocontrolhowpeopleandprogramsareallowedtomanipulateyourAWSinfrastructure.IAMusestraditionalidentityconceptssuchasusers,groups,andaccesscontrolpoliciestocontrolwhocanuseyourAWSaccount,whatservicesandresourcestheycanuse,andhowtheycanusethem.ThecontrolprovidedbyIAMisgranularenoughtolimitasingleusertotheabilitytoperformasingleactiononaspecificresourcefromaspecificIPaddressduringaspecifictimewindow.ApplicationscanbegrantedaccesstoAWSresourceswhethertheyarerunningon-premisesorinthecloud.ThisflexibilitycreatesaverypowerfulsystemthatwillgiveyouallthepoweryouneedtoensurethatyourAWSaccountusershavetheabilitytomeetyourbusinessneedswhileaddressingallofthesecurityconcernsofyourorganization.

ThischapterwillcoverthedifferentprincipalsthatcaninteractwithAWSandhowtheyareauthenticated.Itwillthendiscusshowtowritepoliciesthatdefinepermittedaccesstoservices,actions,andresourcesandassociatethesepolicieswithauthenticatedprincipals.Finally,itwillcoveradditionalfeaturesofIAMthatwillhelpyousecureyourinfrastructure,includingMFA,rotatingkeys,federation,resolvingmultiplepermissions,andusingIAMroles.

AsimportantasitistoknowwhatIAMisexactly,itisequallyimportanttounderstandwhatitisnot:

First,IAMisnotanidentitystore/authorizationsystemforyourapplications.ThepermissionsthatyouassignarepermissionstomanipulateAWSinfrastructure,notpermissionswithinyourapplication.Ifyouaremigratinganexistingon-premisesapplicationthatalreadyhasitsownuserrepositoryandauthentication/authorizationmechanism,thenthatshouldcontinuetoworkwhenyoudeployonAWSandisprobablytherightchoice.IfyourapplicationidentitiesarebasedonActiveDirectory,youron-premisesActiveDirectorycanbeextendedintothecloudtocontinuetofillthatneed.AgreatsolutionforusingActiveDirectoryinthecloudisAWSDirectoryService,whichisanActiveDirectory-compatibledirectoryservicethatcanworkonitsownorintegratewithyouron-premisesActiveDirectory.Finally,ifyouareworkingwithamobileapp,considerAmazonCognitoforidentitymanagementformobileapplications.

Second,IAMisnotoperatingsystemidentitymanagement.Rememberthatunderthesharedresponsibilitymodel,youareincontrolofyouroperatingsystemconsoleandconfiguration.WhatevermechanismyoucurrentlyusetocontrolaccesstoyourserverinfrastructurewillcontinuetoworkonAmazonElasticComputeCloud(AmazonEC2)instances,whetherthatismanagingindividualmachineloginaccountsoradirectoryservicesuchasActiveDirectoryorLightweightDirectoryAccessProtocol(LDAP).YoucanrunanActiveDirectoryorLDAPserveronAmazonEC2,oryoucanextendyouron-premisessystemintothecloud.AWSDirectoryServicewillalsoworkwelltoprovideActiveDirectoryfunctionalityinthecloudasaservice,whetherstandaloneorintegratedwithyourexistingActiveDirectory.

Table6.1summarizestherolethatdifferentauthenticationsystemscanplayinyourAWSenvironment.

Page 193: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

TABLE6.1AuthenticationTechnologies

UseCase TechnologySolutions

OperatingSystemAccess ActiveDirectoryLDAPMachine-specificaccounts

ApplicationAccess ActiveDirectoryApplicationUserRepositoriesAmazonCognito

AWSResources IAM

IAMiscontrolledlikemostotherAWSCloudservices:

ThroughtheAWSManagementConsole—Likeotherservices,theAWSManagementConsoleistheeasiestwaytostartlearningaboutandmanipulatingaservice.

WiththeCLI—Asyoulearnthesystem,youcanstartscriptingrepeatedtasksusingtheCLI.

ViatheAWSSDKs—EventuallyyoumaystartwritingyourowntoolsandcomplexprocessesbymanipulatingIAMdirectlythroughtheRESTAPIviaoneofseveralSDKs.

AllofthesemethodsworktocontrolIAMjustastheyworkwithotherservices.Inaddition,theAWSPartnerNetwork(APN)includesarichecosystemoftoolstomanageandextendIAM.

Page 194: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

PrincipalsThefirstIAMconcepttounderstandisprincipals.AprincipalisanIAMentitythatisallowedtointeractwithAWSresources.Aprincipalcanbepermanentortemporary,anditcanrepresentahumanoranapplication.Therearethreetypesofprincipals:rootusers,IAMusers,androles/temporarysecuritytokens.

RootUserWhenyoufirstcreateanAWSaccount,youbeginwithonlyasinglesign-inprincipalthathascompleteaccesstoallAWSCloudservicesandresourcesintheaccount.Thisprincipaliscalledtherootuser.AslongasyouhaveanopenaccountwithAWS,therootuserforthatrelationshipwillpersist.TherootusercanbeusedforbothconsoleandprogrammaticaccesstoAWSresources.

TherootuserissimilarinconcepttotheUNIXrootorWindowsAdministratoraccount—ithasfullprivilegestodoanythingintheaccount,includingclosingtheaccount.Itisstronglyrecommendedthatyoudonotusetherootuserforyoureverydaytasks,eventheadministrativeones.Instead,adheretothebestpracticeofusingtherootuseronlytocreateyourfirstIAMuserandthensecurelylockingawaytherootusercredentials.

IAMUsersUsersarepersistentidentitiessetupthroughtheIAMservicetorepresentindividualpeopleorapplications.YoumaycreateseparateIAMusersforeachmemberofyouroperationsteamsotheycaninteractwiththeconsoleandusetheCLI.Youmightalsocreatedev,test,andproductionusersforapplicationsthatneedtoaccessAWSCloudservices(althoughyouwillseelaterinthischapterthatIAMrolesmaybeabettersolutionforthatusecase).

IAMuserscanbecreatedbyprincipalswithIAMadministrativeprivilegesatanytimethroughtheAWSManagementConsole,CLI,orSDKs.Usersarepersistentinthatthereisnoexpirationperiod;theyarepermanententitiesthatexistuntilanIAMadministratortakesanactiontodeletethem.

Usersareanexcellentwaytoenforcetheprincipleofleastprivilege;thatis,theconceptofallowingapersonorprocessinteractingwithyourAWSresourcestoperformexactlythetaskstheyneedbutnothingelse.Userscanbeassociatedwithverygranularpoliciesthatdefinethesepermissions.Policieswillbecoveredinalatersection.

Roles/TemporarySecurityTokensRolesandtemporarysecuritytokensareveryimportantforadvancedIAMusage,butmanyAWSusersfindthemconfusing.Rolesareusedtograntspecificprivilegestospecificactorsforasetdurationoftime.TheseactorscanbeauthenticatedbyAWSorsometrustedexternalsystem.Whenoneoftheseactorsassumesarole,AWSprovidestheactorwithatemporarysecuritytokenfromtheAWSSecurityTokenService(STS)thattheactorcanusetoaccess

Page 195: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

AWSCloudservices.Requestingatemporarysecuritytokenrequiresspecifyinghowlongthetokenwillexistbeforeitexpires.Therangeofatemporarysecuritytokenlifetimeis15minutesto36hours.

Rolesandtemporarysecuritytokensenableanumberofusecases:

AmazonEC2Roles—GrantingpermissionstoapplicationsrunningonanAmazonEC2instance.

Cross-AccountAccess—GrantingpermissionstousersfromotherAWSaccounts,whetheryoucontrolthoseaccountsornot.

Federation—Grantingpermissionstousersauthenticatedbyatrustedexternalsystem.

AmazonEC2RolesGrantingpermissionstoanapplicationisalwaystricky,asitusuallyrequiresconfiguringtheapplicationwithsomesortofcredentialuponinstallation.Thisleadstoissuesaroundsecurelystoringthecredentialpriortouse,howtoaccessitsafelyduringinstallation,andhowtosecureitintheconfiguration.SupposethatanapplicationrunningonanAmazonEC2instanceneedstoaccessanAmazonSimpleStorageService(AmazonS3)bucket.ApolicygrantingpermissiontoreadandwritethatbucketcanbecreatedandassignedtoanIAMuser,andtheapplicationcanusetheaccesskeyforthatIAMusertoaccesstheAmazonS3bucket.Theproblemwiththisapproachisthattheaccesskeyfortheusermustbeaccessibletotheapplication,probablybystoringitinsomesortofconfigurationfile.Theprocessforobtainingtheaccesskeyandstoringitencryptedintheconfigurationisusuallycomplicatedandahindrancetoagiledevelopment.Additionally,theaccesskeyisatriskwhenbeingpassedaround.Finally,whenthetimecomestorotatetheaccesskey,therotationinvolvesperformingthatwholeprocessagain.

UsingIAMrolesforAmazonEC2removestheneedtostoreAWScredentialsinaconfigurationfile.

AnalternativeistocreateanIAMrolethatgrantstherequiredaccesstotheAmazonS3bucket.WhentheAmazonEC2instanceislaunched,theroleisassignedtotheinstance.WhentheapplicationrunningontheinstanceusestheApplicationProgrammingInterface(API)toaccesstheAmazonS3bucket,itassumestheroleassignedtotheinstanceandobtainsatemporarytokenthatitsendstotheAPI.TheprocessofobtainingthetemporarytokenandpassingittotheAPIishandledautomaticallybymostoftheAWSSDKs,allowingtheapplicationtomakeacalltoaccesstheAmazonS3bucketwithoutworryingaboutauthentication.Inadditiontobeingeasyforthedeveloper,thisremovesanyneedtostoreanaccesskeyinaconfigurationfile.Also,becausetheAPIaccessusesatemporarytoken,thereisnofixedaccesskeythatmustberotated.

Cross-AccountAccessAnothercommonusecaseforIAMrolesistograntaccesstoAWSresourcestoIAMusersinotherAWSaccounts.TheseaccountsmaybeotherAWSaccountscontrolledbyyourcompanyoroutsideagentslikecustomersorsuppliers.YoucansetupanIAMrolewiththe

Page 196: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

permissionsyouwanttogranttousersintheotheraccount,thenusersintheotheraccountcanassumethatroletoaccessyourresources.Thisishighlyrecommendedasabestpractice,asopposedtodistributingaccesskeysoutsideyourorganization.

FederationManyorganizationsalreadyhaveanidentityrepositoryoutsideofAWSandwouldratherleveragethatrepositorythancreateanewandlargelyduplicaterepositoryofIAMusers.Similarly,web-basedapplicationsmaywanttoleverageweb-basedidentitiessuchasFacebook,Google,orLoginwithAmazon.IAMIdentityProvidersprovidetheabilitytofederatetheseoutsideidentitieswithIAMandassignprivilegestothoseusersauthenticatedoutsideofIAM.

IAMcanintegratewithtwodifferenttypesofoutsideIdentityProviders(IdP).ForfederatingwebidentitiessuchasFacebook,Google,orLoginwithAmazon,IAMsupportsintegrationviaOpenIDConnect(OIDC).ThisallowsIAMtograntprivilegestousersauthenticatedwithsomeofthemajorweb-basedIdPs.Forfederatinginternalidentities,suchasActiveDirectoryorLDAP,IAMsupportsintegrationviaSecurityAssertionMarkupLanguage2.0(SAML).ASAML-compliantIdPsuchasActiveDirectoryFederationServices(ADFS)isusedtofederatetheinternaldirectorytoIAM.(InstructionsforconfiguringmanycompatibleproductscanbefoundontheAWSwebsite.)Ineachcase,federationworksbyreturningatemporarytokenassociatedwitharoletotheIdPfortheauthenticatedidentitytouseforcallstotheAWSAPI.TheactualrolereturnedisdeterminedviainformationreceivedfromtheIdP,eitherattributesoftheuserintheon-premisesidentitystoreortheusernameandauthenticatingserviceofthewebidentitystore.

ThethreetypesofprincipalsandtheirgeneraltraitsarelistedinTable6.2.

TABLE6.2TraitsofAWSPrincipals

Principal Traits

RootUser CannotbelimitedPermanent

IAMUsers AccesscontrolledbypolicyDurableCanberemovedbyIAMadministrator

Roles/TemporarySecurityTokens AccesscontrolledbypolicyTemporaryExpireafterspecifictimeinterval

Page 197: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

AuthenticationTherearethreewaysthatIAMauthenticatesaprincipal:

UserName/Password—Whenaprincipalrepresentsahumaninteractingwiththeconsole,thehumanwillprovideausername/passwordpairtoverifytheiridentity.IAMallowsyoutocreateapasswordpolicyenforcingpasswordcomplexityandexpiration.

AccessKey—AnaccesskeyisacombinationofanaccesskeyID(20characters)andanaccesssecretkey(40characters).WhenaprogramismanipulatingtheAWSinfrastructureviatheAPI,itwillusethesevaluestosigntheunderlyingRESTcallstotheservices.TheAWSSDKsandtoolshandlealltheintricaciesofsigningtheRESTcalls,sousinganaccesskeywillalmostalwaysbeamatterofprovidingthevaluestotheSDKortool.

AccessKey/SessionToken—Whenaprocessoperatesunderanassumedrole,thetemporarysecuritytokenprovidesanaccesskeyforauthentication.Inadditiontotheaccesskey(rememberthatitconsistsoftwoparts),thetokenalsoincludesasessiontoken.CallstoAWSmustincludeboththetwo-partaccesskeyandthesessiontokentoauthenticate.

ItisimportanttonotethatwhenanIAMuseriscreated,ithasneitheranaccesskeynorapassword,andtheIAMadministratorcansetupeitherorboth.ThisaddsanextralayerofsecurityinthatconsoleuserscannotusetheircredentialstorunaprogramthataccessesyourAWSinfrastructure.

Figure6.1showsasummaryofthedifferentauthenticationmethods.

Page 198: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

FIGURE6.1DifferentidentitiesauthenticatingwithAWS

Page 199: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

AuthorizationAfterIAMhasauthenticatedaprincipal,itmustthenmanagetheaccessofthatprincipaltoprotectyourAWSinfrastructure.Theprocessofspecifyingexactlywhatactionsaprincipalcanandcannotperformiscalledauthorization.AuthorizationishandledinIAMbydefiningspecificprivilegesinpoliciesandassociatingthosepolicieswithprincipals.

PoliciesUnderstandinghowaccessmanagementworksunderIAMbeginswithunderstandingpolicies.ApolicyisaJSONdocumentthatfullydefinesasetofpermissionstoaccessandmanipulateAWSresources.Policydocumentscontainoneormorepermissions,witheachpermissiondefining:

Effect—Asingleword:AlloworDeny.

Service—Forwhatservicedoesthispermissionapply?MostAWSCloudservicessupportgrantingaccessthroughIAM,includingIAMitself.

Resource—TheresourcevaluespecifiesthespecificAWSinfrastructureforwhichthispermissionapplies.ThisisspecifiedasanAmazonResourceName(ARN).TheformatforanARNvariesslightlybetweenservices,butthebasicformatis:

"arn:aws:service:region:account-id:[resourcetype:]resource"

Forsomeservices,wildcardvaluesareallowed;forinstance,anAmazonS3ARNcouldhavearesourceoffoldername\*toindicateallobjectsinthespecifiedfolder.Table6.3displayssomesampleARNs.

TABLE6.3SampleARNs

Resource ARNFormat

AmazonS3Bucket arn:aws:s3:us-east-1:123456789012:my_corporate_bucket/*

IAMUser arn:aws:iam:us-east-1:123456789012:user/David

AmazonDynamoDBTable arn:aws:dynamodb:us-east-1:123456789012:table/tablename

Action—Theactionvaluespecifiesthesubsetofactionswithinaservicethatthepermissionallowsordenies.Forinstance,apermissionmaygrantaccesstoanyread-basedactionforAmazonS3.Asetofactionscanbespecifiedwithanenumeratedlistorbyusingwildcards(Read*).

Condition—Theconditionvalueoptionallydefinesoneormoreadditionalrestrictionsthatlimittheactionsallowedbythepermission.Forinstance,thepermissionmightcontainaconditionthatlimitstheabilitytoaccessaresourcetocallsthatcomefromaspecificIPaddressrange.Anotherconditioncouldrestrictthepermissiononlytoapplyduringaspecifictimeinterval.Therearemanytypesofpermissionsthatallowarichvarietyoffunctionalitythatvariesbetweenservices.SeetheIAMdocumentationforlistsofsupportedconditionsforeachservice.

Asamplepolicyisshowninthefollowinglisting.Thispolicyallowsaprincipaltolistthe

Page 200: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

objectsinaspecificbucketandtoretrievethoseobjects,butonlyifthecallcomesfromaspecificIPaddress.

{

"Version":"2012–10–17",

"Statement":[

{

"Sid":"Stmt1441716043000",

"Effect":"Allow", <-Thispolicygrantsaccess

"Action":[<-Allowsidentitiestolist

"s3:GetObject",<-andgetobjectsin

"s3:ListBucket"<-theS3bucket

],

"Condition":{

"IpAddress":{ <-Onlyfromaspecific

"aws:SourceIp":"192.168.0.1" <-IPAddress

}

},

"Resource":[

"arn:aws:s3:::my_public_bucket/*" <-Onlythisbucket

]

}

]

}

AssociatingPolicieswithPrincipalsThereareseveralwaystoassociateapolicywithanIAMuser;thissectionwillonlycoverthemostcommon.

ApolicycanbeassociateddirectlywithanIAMuserinoneoftwoways:

UserPolicy—Thesepoliciesexistonlyinthecontextoftheusertowhichtheyareattached.Intheconsole,auserpolicyisenteredintotheuserinterfaceontheIAMuserpage.

ManagedPolicies—ThesepoliciesarecreatedinthePoliciestabontheIAMpage(orthroughtheCLI,andsoforth)andexistindependentlyofanyindividualuser.Inthisway,thesamepolicycanbeassociatedwithmanyusersorgroupsofusers.TherearealargenumberofpredefinedmanagedpoliciesthatyoucanreviewonthePoliciestaboftheIAMpageintheAWSManagementConsole.Inaddition,youcanwriteyourownpoliciesspecifictoyourusecases.

Usingpredefinedmanagedpoliciesensuresthatwhennewpermissionsareaddedfornewfeatures,youruserswillstillhavethecorrectaccess.

TheothercommonmethodforassociatingpolicieswithusersiswiththeIAMgroupsfeature.Groupssimplifymanagingpermissionsforlargenumbersofusers.Afterapolicyisassignedtoagroup,anyuserwhoisamemberofthatgroupassumesthosepermissions.Thismakesitsimplertoassignpoliciestoanentireteaminyourorganization.Forinstance,ifyoucreatean“Operations”groupwitheveryIAMuserforyouroperationsteamassignedtothatgroup,thenitisasimplemattertoassociatetheneededpermissionstothegroup,andallofthe

Page 201: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

team’sIAMuserswillassumethosepermissions.NewIAMuserscanthenbeassigneddirectlytothegroup.

ThisisamuchsimplermanagementprocessthanhavingtoreviewwhatpoliciesanewIAMuserfortheoperationsteamshouldreceiveandmanuallyaddingthosepoliciestotheuser.TherearetwowaysapolicycanbeassociatedwithanIAMgroup:

GroupPolicy—Thesepoliciesexistonlyinthecontextofthegrouptowhichtheyareattached.IntheAWSManagementConsole,agrouppolicyisenteredintotheuserinterfaceontheIAMGrouppage.

ManagedPolicies—Inthesamewaythatmanagedpolicies(discussedinthe“Authorization”section)canbeassociatedwithIAMusers,theycanalsobeassociatedwithIAMgroups.

Figure6.2showsthedifferentwaysthatpolicescanbeassociatedwithanIAMUser.

FIGURE6.2AssociatingIAMuserswithpolicies

Page 202: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

AgoodfirststepistousetherootusertocreateanewIAMgroupcalled“IAMAdministrators”andassignthemanagedpolicy,“IAMFullAccess.”ThencreateanewIAMusercalled“Administrator,”assignapassword,andaddittotheIAMAdministratorsgroup.Atthispoint,youcanlogoffastherootuserandperformallfurtheradministrationwiththeIAMuseraccount.

Thefinalwayanactorcanbeassociatedwithapolicyisbyassumingarole.Inthiscase,theactorcanbe:

AnauthenticatedIAMuser(personorprocess).Inthiscase,theIAMusermusthavetherightstoassumetherole.

ApersonorprocessauthenticatedbyatrustedserviceoutsideofAWS,suchasanon-premisesLDAPdirectoryorawebauthenticationservice.Inthissituation,anAWSCloudservicewillassumetheroleontheactor’sbehalfandreturnatokentotheactor.

Afteranactorhasassumedarole,itisprovidedwithatemporarysecuritytokenassociatedwiththepoliciesofthatrole.ThetokencontainsalltheinformationrequiredtoauthenticateAPIcalls.Thisinformationincludesastandardaccesskeyplusanadditionalsessiontokenrequiredforauthenticatingcallsunderanassumedrole.

Page 203: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

OtherKeyFeaturesBeyondthecriticalconceptsofprincipals,authentication,andauthorization,thereareseveralotherfeaturesoftheIAMservicethatareimportanttounderstandtorealizethefullbenefitsofIAM.

Multi-FactorAuthentication(MFA)Multi-FactorAuthentication(MFA)canaddanextralayerofsecuritytoyourinfrastructurebyaddingasecondmethodofauthenticationbeyondjustapasswordoraccesskey.WithMFA,authenticationalsorequiresenteringaOne-TimePassword(OTP)fromasmalldevice.TheMFAdevicecanbeeitherasmallhardwaredeviceyoucarrywithyouoravirtualdeviceviaanapponyoursmartphone(forexample,theAWSVirtualMFAapp).

MFArequiresyoutoverifyyouridentitywithbothsomethingyouknowandsomethingyouhave.

MFAcanbeassignedtoanyIAMuseraccount,whethertheaccountrepresentsapersonorapplication.WhenapersonusinganIAMuserconfiguredwithMFAattemptstoaccesstheAWSManagementConsole,afterprovidingtheirpasswordtheywillbepromptedtoenterthecurrentcodedisplayedontheirMFAdevicebeforebeinggrantedaccess.AnapplicationusinganIAMuserconfiguredwithMFAmustquerytheapplicationusertoprovidethecurrentcode,whichtheapplicationwillthenpasstotheAPI.

ItisstronglyrecommendedthatAWScustomersaddMFAprotectiontotheirrootuser.

RotatingKeysThesecurityriskofanycredentialincreaseswiththeageofthecredential.Tothisend,itisasecuritybestpracticetorotateaccesskeysassociatedwithyourIAMusers.IAMfacilitatesthisprocessbyallowingtwoactiveaccesskeysatatime.Theprocesstorotatekeyscanbeconductedviatheconsole,CLI,orSDKs:

1. Createanewaccesskeyfortheuser.

2. Reconfigureallapplicationstousethenewaccesskey.

3. Disabletheoriginalaccesskey(disablinginsteadofdeletingatthisstageiscritical,asitallowsrollbacktotheoriginalkeyifthereareissueswiththerotation).

4. Verifytheoperationofallapplications.

5. Deletetheoriginalaccesskey.

Accesskeysshouldberotatedonaregularschedule.

ResolvingMultiplePermissions

Page 204: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

Occasionally,multiplepermissionswillbeapplicablewhendeterminingwhetheraprincipalhastheprivilegetoperformsomeaction.ThesepermissionsmaycomefrommultiplepoliciesassociatedwithaprincipalorresourcepoliciesattachedtotheAWSresourceinquestion.Itisimportanttoknowhowconflictsbetweenthesepermissionsareresolved:

1. Initiallytherequestisdeniedbydefault.

2. Alltheappropriatepoliciesareevaluated;ifthereisanexplicit“deny”foundinanypolicy,therequestisdeniedandevaluationstops.

3. Ifnoexplicit“deny”isfoundandanexplicit“allow”isfoundinanypolicy,therequestisallowed.

4. Iftherearenoexplicit“allow”or“deny”permissionsfound,thenthedefault“deny”ismaintainedandtherequestisdenied.

TheonlyexceptiontothisruleisifanAssumeRolecallincludesaroleandapolicy,thepolicycannotexpandtheprivilegesoftherole(forexample,thepolicycannotoverrideanypermissionthatisdeniedbydefaultintherole).

Page 205: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

SummaryIAMisapowerfulservicethatgivesyoutheabilitytocontrolwhichpeopleandapplicationscanaccessyourAWSaccountataverygranularlevel.BecausetherootuserinanAWSaccountcannotbelimited,youshouldsetupIAMusersandtemporarysecuritytokensforyourpeopleandprocessestointeractwithAWS.

Policiesdefinewhatactionscanandcannotbetaken.PoliciesareassociatedwithIAMuserseitherdirectlyorthroughgroupmembership.AtemporarysecuritytokenisassociatedwithapolicybyassuminganIAMrole.YoucanwriteyourownpoliciesoruseoneofthemanagedpoliciesprovidedbyAWS.

CommonusecasesforIAMrolesincludefederatingidentitiesfromexternalIdPs,assigningprivilegestoanAmazonEC2instancewheretheycanbeassumedbyapplicationsrunningontheinstance,andcross-accountaccess.

IAMuseraccountscanbefurthersecuredbyrotatingkeys,implementingMFA,andaddingconditionstopolicies.MFAensuresthatauthenticationisbasedonsomethingyouhaveinadditiontosomethingyouknow,andconditionscanaddfurtherrestrictionssuchaslimitingclientIPaddressrangesorsettingaparticulartimeinterval.

Page 206: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

ExamEssentialsKnowthedifferentprincipalsinIAM.ThethreeprincipalsthatcanauthenticateandinteractwithAWSresourcesaretherootuser,IAMusers,androles.TherootuserisassociatedwiththeactualAWSaccountandcannotberestrictedinanyway.IAMusersarepersistentidentitiesthatcanbecontrolledthroughIAM.Rolesallowpeopleorprocessestheabilitytooperatetemporarilywithadifferentidentity.Peopleorprocessesassumearolebybeinggrantedatemporarysecuritytokenthatwillexpireafteraspecifiedperiodoftime.

KnowhowprincipalsareauthenticatedinIAM.WhenyoulogintotheAWSManagementConsoleasanIAMuserorrootuser,youuseausername/passwordcombination.AprogramthataccessestheAPIwithanIAMuserorrootuserusesatwo-partaccesskey.Atemporarysecuritytokenauthenticateswithanaccesskeyplusanadditionalsessiontokenuniquetothattemporarysecuritytoken.

Knowthepartsofapolicy.ApolicyisaJSONdocumentthatdefinesoneormorepermissionstointeractwithAWSresources.Eachpermissionincludestheeffect,service,action,andresource.Itmayalsoincludeoneormoreconditions.AWSmakesmanypredefinedpoliciesavailableasmanagedpolicies.

Knowhowapolicyisassociatedwithaprincipal.Anauthenticatedprincipalisassociatedwithzerotomanypolicies.ForanIAMuser,thesepoliciesmaybeattacheddirectlytotheuseraccountorattachedtoanIAMgroupofwhichtheuseraccountisamember.AtemporarysecuritytokenisassociatedwithpoliciesbyassuminganIAMrole.

UnderstandMFA.MFAincreasesthesecurityofanAWSaccountbyaugmentingthepassword(somethingyouknow)witharotatingOTPfromasmalldevice(somethingyouhave),ensuringthatanyoneauthenticatingtheaccounthasbothknowledgeofthepasswordandpossessionofthedevice.AWSsupportsbothGemaltohardwareMFAdevicesandanumberofvirtualMFAapps.

Understandkeyrotation.ToprotectyourAWSinfrastructure,accesskeysshouldberotatedregularly.AWSallowstwoaccesskeystobevalidsimultaneouslytomaketherotationprocessstraightforward:Generateanewaccesskey,configureyourapplicationtousethenewaccesskey,test,disabletheoriginalaccesskey,test,deletetheoriginalaccesskey,andtestagain.

UnderstandIAMrolesandfederation.IAMrolesareprepackagedsetsofpermissionsthathavenocredentials.Principalscanassumearoleandthenusetheassociatedpermissions.Whenatemporarysecuritytokeniscreated,itassumesarolethatdefinesthepermissionsassignedtothetoken.WhenanAmazonEC2instanceisassociatedwithanIAMrole,SDKcallsacquireatemporarysecuritytokenbasedontheroleassociatedwiththeinstanceandusethattokentoaccessAWSresources.

RolesarethebasisforfederatingexternalIdPswithAWS.YouconfigureanIAMIdPtointeractwiththeexternalIdP,theauthenticatedidentityfromtheIdPismappedtoarole,andatemporarysecuritytokenisreturnedthathasassumedthatrole.AWSsupportsbothSAMLandOIDCIdPs.

Knowhowtoresolveconflictingpermissions.Resolvingmultiplepermissionsis

Page 207: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

relativelystraightforward.Ifanactiononaresourcehasnotbeenexplicitlyallowedbyapolicy,itisdenied.Iftwopoliciescontradicteachother;thatis,ifonepolicyallowsanactiononaresourceandanotherpolicydeniesthataction,theactionisdenied.Whilethissoundsimprobable,itmayoccurduetoscopedifferencesinapolicy.OnepolicymayexposeanentirefleetofAmazonEC2instances,andasecondpolicymayexplicitlylockdownoneparticularinstance.

Page 208: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

ExercisesForassistanceincompletingthefollowingexercises,refertotheIAMUserGuideathttp://docs.aws.amazon.com/IAM/latest/UserGuide/.

EXERCISE6.1

CreateanIAMGroupInthisexercise,youwillcreateagroupforallIAMadministratorusersandassigntheproperpermissionstothenewgroup.Thiswillallowyoutoavoidassigningpoliciesdirectlytoauserlaterintheseexercises.

1. Loginastherootuser.

2. CreateanIAMgroupcalledAdministrators.

3. Attachthemanagedpolicy,IAMFullAccess,totheAdministratorsgroup.

EXERCISE6.2

CreateaCustomizedSign-InLinkandPasswordPolicyInthisexercise,youwillsetupyouraccountwithsomebasicIAMsafeguards.Thepasswordpolicyisarecommendedsecuritypractice,andthesign-inlinkmakesiteasierforyouruserstologintotheAWSManagementConsole.

1. Customizeasign-inlink,andwritedownthenewlinknameinfull.

2. Createapasswordpolicyforyouraccount.

EXERCISE6.3

CreateanIAMUserInthisexercise,youwillcreateanIAMuserwhocanperformalladministrativeIAMfunctions.Thenyouwillloginasthatusersothatyounolongerneedtousetherootuserlogin.Usingtherootuserloginonlywhenexplicitlyrequiredisarecommendedsecuritypractice(alongwithaddingMFAtoyourrootuser).

1. Whileloggedinastherootuser,createanewIAMusercalledAdministrator.

2. AddyournewusertotheAdministratorsgroup.

3. OntheDetailspagefortheadministratoruser,createapassword.

4. Logoutastherootuser.

5. Usethecustomizedsign-inlinktosigninasAdministrator.

Page 209: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

EXERCISE6.4

CreateandUseanIAMRoleInthisexercise,youwillcreateanIAMrole,associateitwithanewinstance,andverifythatapplicationsrunningontheinstanceassumethepermissionsoftherole.IAMrolesallowyoutoavoidstoringaccesskeysonyourAmazonEC2instances.

1. Whilesignedinasadministrator,createanAmazonEC2-typerolenamedS3Client.

2. Attachthemanagedpolicy,AmazonS3ReadOnlyAccess,toS3Client.

3. LaunchanAmazonLinuxEC2instancewiththenewroleattached(AmazonLinuxAMIscomewithCLIinstalled).

4. SSHintothenewinstance,andusetheCLItolistthecontentsofanAmazonS3bucket.

EXERCISE6.5

RotateKeysInthisexercise,youwillgothroughtheprocessofrotatingaccesskeys,arecommendedsecuritypractice.

1. Selecttheadministrator,andcreateatwo-partaccesskey.

2. Downloadtheaccesskey.

3. DownloadandinstalltheCLItoyourdesktop.

4. ConfiguretheCLItousetheaccesskeywiththeAWSConfigurecommand.

5. UsetheCLItolistthecontentsofanAmazonS3bucket.

6. Returntotheconsole,andcreateanewaccesskeyfortheadministratoraccount.

7. Downloadtheaccesskey,andreconfiguretheCLItousethenewaccesskey.

8. Intheconsole,maketheoriginalaccesskeyinactive.

9. ConfirmthatyouareusingthenewaccesskeybyonceagainlistingthecontentsoftheAmazonS3bucket.

10. Deletetheoriginalaccesskey.

Page 210: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

EXERCISE6.6

SetUpMFAInthisexercise,youwilladdMFAtoyourIAMadministrator.YouwilluseavirtualMFAapplicationforyourphone.MFAisasecurityrecommendationonpowerfulaccountssuchasIAMadministrators.

1. DownloadtheAWSVirtualMFAapptoyourphone.

2. Selecttheadministratoruser,andmanagetheMFAdevice.

3. GothroughthestepstoactivateaVirtualMFAdevice.

4. Logoffasadministrator.

5. Loginasadministrator,andentertheMFAvaluetocompletetheauthenticationprocess.

EXERCISE6.7

ResolveConflictingPermissionsInthisexercise,youwilladdapolicytoyourIAMadministratoruserwithaconflictingpermission.YouwillthenattemptactionsthatverifyhowIAMresolvesconflictingpermissions.

1. Usethepolicygeneratortocreateanewpolicy.

2. CreatethepolicywithEffect:Deny;AWSService:AmazonS3;Actions:*;andARN:*.

3. AttachthenewpolicytotheAdministratorsgroup.

4. UsetheCLItoattempttolistthecontentsofanAmazonS3bucket.Thepolicythatallowsaccessandthepolicythatdeniesaccessshouldresolvetodenyaccess.

Page 211: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

ReviewQuestions1. WhichofthefollowingmethodswillallowanapplicationusinganAWSSDKtobeauthenticatedasaprincipaltoaccessAWSCloudservices?(Choose2answers)

A. CreateanIAMuserandstoretheusernameandpasswordfortheuserintheapplication’sconfiguration.

B. CreateanIAMuserandstorebothpartsoftheaccesskeyfortheuserintheapplication’sconfiguration.

C. RuntheapplicationonanAmazonEC2instancewithanassignedIAMrole.

D. MakealltheAPIcallsoveranSSLconnection.

2. WhichofthefollowingarefoundinanIAMpolicy?(Choose2answers)

A. ServiceName

B. Region

C. Action

D. Password

3. YourAWSaccountadministratorleftyourcompanytoday.TheadministratorhadaccesstotherootuserandapersonalIAMadministratoraccount.Withtheseaccounts,hegeneratedotherIAMaccountsandkeys.WhichofthefollowingshouldyoudotodaytoprotectyourAWSinfrastructure?(Choose4answers)

A. ChangethepasswordandaddMFAtotherootuser.

B. PutanIPrestrictionontherootuser.

C. RotatekeysandchangepasswordsforIAMaccounts.

D. DeleteallIAMaccounts.

E. Deletetheadministrator’spersonalIAMaccount.

F. RelaunchallAmazonEC2instanceswithnewroles.

4. WhichofthefollowingactionscanbeauthorizedbyIAM?(Choose2answers)

A. InstallingASP.NETonaWindowsServer

B. LaunchinganAmazonLinuxEC2instance

C. QueryinganOracledatabase

D. AddingamessagetoanAmazonSimpleQueueService(AmazonSQS)queue

5. WhichofthefollowingareIAMsecurityfeatures?(Choose2answers)

A. Passwordpolicies

B. AmazonDynamoDBglobalsecondaryindexes

C. MFA

Page 212: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

D. ConsolidatedBilling

6. WhichofthefollowingarebenefitsofusingAmazonEC2roles?(Choose2answers)

A. Nopoliciesarerequired.

B. CredentialsdonotneedtobestoredontheAmazonEC2instance.

C. Keyrotationisnotnecessary.

D. IntegrationwithActiveDirectoryisautomatic.

7. Whichofthefollowingarebasedontemporarysecuritytokens?(Choose2answers)

A. AmazonEC2roles

B. MFA

C. Rootuser

D. Federation

8. YoursecurityteamisveryconcernedaboutthevulnerabilityoftheIAMadministratoruseraccounts(theaccountsusedtoconfigureallIAMfeaturesandaccounts).Whatstepscanbetakentolockdowntheseaccounts?(Choose3answers)

A. Addmulti-factorauthentication(MFA)totheaccounts.

B. LimitloginstoaparticularU.S.state.

C. ImplementapasswordpolicyontheAWSaccount.

D. ApplyasourceIPaddressconditiontothepolicythatonlygrantspermissionswhentheuserisonthecorporatenetwork.

E. AddaCAPTCHAtesttotheaccounts.

9. YouwanttogranttheindividualsonyournetworkteamtheabilitytofullymanipulateAmazonEC2instances.Whichofthefollowingaccomplishthisgoal?(Choose2answers)

A. CreateanewpolicyallowingEC2:*actions,andnamethepolicyNetworkTeam.

B. Assignthemanagedpolicy,EC2FullAccess,toagroupnamedNetworkTeam,andassignalltheteammembers’IAMuseraccountstothatgroup.

C. CreateanewpolicythatgrantsEC2:*actionsonallresources,andassignthatpolicytoeachindividual’sIAMuseraccountonthenetworkteam.

D. CreateaNetworkTeamIAMgroup,andhaveeachteammemberlogintotheAWSManagementConsoleusingtheusername/passwordforthegroup.

10. WhatistheformatofanIAMpolicy?

A. XML

B. Key/valuepairs

C. JSON

D. Tab-delimitedtext

Page 213: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

Chapter7DatabasesandAWSTHEAWSCERTIFIEDSOLUTIONSARCHITECTASSOCIATEEXAMOBJECTIVESCOVEREDINTHISCHAPTERMAYINCLUDE,BUTARENOTLIMITEDTO,THEFOLLOWING:Domain1.0:Designinghighlyavailable,cost-efficient,fault-tolerant,andscalablesystems

1.1Identifyandrecognizecloudarchitectureconsiderations,suchasfundamentalcomponentsandeffectivedesigns.

Contentmayincludethefollowing:

Planninganddesign

Architecturaltrade-offdecisions(AmazonRelationalDatabaseService[AmazonRDS]vs.installingonAmazonElasticComputeCloud[AmazonEC2])

BestpracticesforAWSarchitecture

RecoveryTimeObjective(RTO)andRecoveryPointObjective(RPO)DisasterRecovery(DR)design

Elasticityandscalability

Domain3.0:DataSecurity

3.1Recognizeandimplementsecurepracticesforoptimumclouddeploymentandmaintenance.

Contentmayincludethefollowing:

AWSadministrationandsecurityservices

Designpatterns

3.2Recognizecriticaldisasterrecoverytechniquesandtheirimplementation.

ThischapterwillcoveressentialdatabaseconceptsandintroducethreeofAmazon’smanageddatabaseservices:AmazonRelationalDatabaseService(AmazonRDS),AmazonDynamoDB,andAmazonRedshift.Thesemanagedservicessimplifythesetupandoperationofrelationaldatabases,NoSQLdatabases,anddatawarehouses.

Thischapterfocusesonkeytopicsyouneedtounderstandfortheexam,including:

Page 214: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

Thedifferencesamongarelationaldatabase,aNoSQLdatabase,andadatawarehouse

ThebenefitsandtradeoffsbetweenrunningadatabaseonAmazonEC2oronAmazonRDS

Howtodeploydatabaseenginesintothecloud

HowtobackupandrecoveryourdatabaseandmeetyourRecoveryPointObjective(RPO)andRecoveryTimeObjective(RTO)requirements

Howtobuildhighlyavailabledatabasearchitectures

Howtoscaleyourdatabasecomputeandstoragevertically

Howtoselecttherighttypeofstoragevolume

Howtousereadreplicastoscalehorizontally

HowtodesignandscaleanAmazonDynamoDBtable

HowtoreadandwritefromanAmazonDynamoDBtable

Howtousesecondaryindexestospeedqueries

HowtodesignanAmazonRedshifttable

HowtoloadandqueryanAmazonRedshiftdatawarehouse

Howtosecureyourdatabases,tables,andclusters

Page 215: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

DatabasePrimerAlmosteveryapplicationreliesonadatabasetostoreimportantdataandrecordsforitsusers.Adatabaseengineallowsyourapplicationtoaccess,manage,andsearchlargevolumesofdatarecords.Inawell-architectedapplication,thedatabasewillneedtomeettheperformancedemands,theavailabilityneeds,andtherecoverabilitycharacteristicsofthesystem.

Databasesystemsandenginescanbegroupedintotwobroadcategories:RelationalDatabaseManagementSystems(RDBMS)andNoSQL(ornon-relational)databases.ItisnotuncommontobuildanapplicationusingacombinationofRDBMSandNoSQLdatabases.Astrongunderstandingofessentialdatabaseconcepts,AmazonRDS,andAmazonDynamoDBarerequiredtopassthisexam.

RelationalDatabasesThemostcommontypeofdatabaseinusetodayistherelationaldatabase.Therelationaldatabasehasrootsgoingbacktothe1970swhenEdgarF.Codd,workingforIBM,developedtheconceptsoftherelationalmodel.Today,relationaldatabasespoweralltypesofapplicationsfromsocialmediaapps,e-commercewebsites,andblogstocomplexenterpriseapplications.CommonlyusedrelationaldatabasesoftwarepackagesincludeMySQL,PostgreSQL,MicrosoftSQLServer,andOracle.

RelationaldatabasesprovideacommoninterfacethatletsusersreadandwritefromthedatabaseusingcommandsorquerieswrittenusingStructuredQueryLanguage(SQL).Arelationaldatabaseconsistsofoneormoretables,andatableconsistsofcolumnsandrowssimilartoaspreadsheet.Adatabasecolumncontainsaspecificattributeoftherecord,suchasaperson’sname,address,andtelephonenumber.Eachattributeisassignedadatatypesuchastext,number,ordate,andthedatabaseenginewillrejectinvalidinputs.

Adatabaserowcomprisesanindividualrecord,suchasthedetailsaboutastudentwhoattendsaschool.ConsidertheexampleinTable7.1.

TABLE7.1StudentsTable

StudentID FirstName LastName Gender Age

1001 Joe Dusty M 29

1002 Andrea Romanov F 20

1003 Ben Johnson M 30

1004 Beth Roberts F 30

Thisisanexampleofabasictablethatwouldsitinarelationaldatabase.Therearefivefieldswithdifferentdatatypes:

StudentID=Numberorinteger

FirstName=String

LastName=String

Page 216: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

Gender=String(CharacterLength=1)

Age=Integer

Thissampletablehasfourrecords,witheachrecordrepresentinganindividualstudent.EachstudenthasaStudentIDfield,whichisusuallyauniquenumberperstudent.Auniquenumberthatidentifieseachstudentcanbecalledaprimarykey.

Onerecordinatablecanrelatetoarecordinanothertablebyreferencingtheprimarykeyofarecord.Thispointerorreferenceiscalledaforeignkey.Forexample,theGradestablethatrecordsscoresforeachstudentwouldhaveitsownprimarykeyandanadditionalcolumnknownasaforeignkeythatreferstotheprimarykeyofthestudentrecord.Byreferencingtheprimarykeysofothertables,relationaldatabasesminimizeduplicationofdatainassociatedtables.Withrelationaldatabases,itisimportanttonotethatthestructureofthetable(suchasthenumberofcolumnsanddatatypeofeachcolumn)mustbedefinedpriortodatabeingaddedtothetable.

ArelationaldatabasecanbecategorizedaseitheranOnlineTransactionProcessing(OLTP)orOnlineAnalyticalProcessing(OLAP)databasesystem,dependingonhowthetablesareorganizedandhowtheapplicationusestherelationaldatabase.OLTPreferstotransaction-orientedapplicationsthatarefrequentlywritingandchangingdata(forexample,dataentryande-commerce).OLAPistypicallythedomainofdatawarehousesandreferstoreportingoranalyzinglargedatasets.LargeapplicationsoftenhaveamixofbothOLTPandOLAPdatabases.

AmazonRelationalDatabaseService(AmazonRDS)significantlysimplifiesthesetupandmaintenanceofOLTPandOLAPdatabases.AmazonRDSprovidessupportforsixpopularrelationaldatabaseengines:MySQL,Oracle,PostgreSQL,MicrosoftSQLServer,MariaDB,andAmazonAurora.YoucanalsochoosetorunnearlyanydatabaseengineusingWindowsorLinuxAmazonElasticComputeCloud(AmazonEC2)instancesandmanagetheinstallationandadministrationyourself.

DataWarehousesAdatawarehouseisacentralrepositoryfordatathatcancomefromoneormoresources.ThisdatarepositoryisoftenaspecializedtypeofrelationaldatabasethatcanbeusedforreportingandanalysisviaOLAP.Organizationstypicallyusedatawarehousestocompilereportsandsearchthedatabaseusinghighlycomplexqueries.

Datawarehousesarealsotypicallyupdatedonabatchschedulemultipletimesperdayorperhour,comparedtoanOLTPrelationaldatabasethatcanbeupdatedthousandsoftimespersecond.Manyorganizationssplittheirrelationaldatabasesintotwodifferentdatabases:onedatabaseastheirmainproductiondatabaseforOLTPtransactions,andtheotherdatabaseastheirdatawarehouseforOLAP.OLTPtransactionsoccurfrequentlyandarerelativelysimple.OLAPtransactionsoccurmuchlessfrequentlybutaremuchmorecomplex.

AmazonRDSisoftenusedforOLTPworkloads,butitcanalsobeusedforOLAP.AmazonRedshiftisahigh-performancedatawarehousedesignedspecificallyforOLAPusecases.ItisalsocommontocombineAmazonRDSwithAmazonRedshiftinthesameapplicationandperiodicallyextractrecenttransactionsandloadthemintoareportingdatabase.

Page 217: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

NoSQLDatabasesNoSQLdatabaseshavegainedsignificantpopularityinrecentyearsbecausetheyareoftensimplertouse,moreflexible,andcanachieveperformancelevelsthataredifficultorimpossiblewithtraditionalrelationaldatabases.Traditionalrelationaldatabasesaredifficulttoscalebeyondasingleserverwithoutsignificantengineeringandcost,butaNoSQLarchitectureallowsforhorizontalscalabilityoncommodityhardware.

NoSQLdatabasesarenon-relationalanddonothavethesametableandcolumnsemanticsofarelationaldatabase.NoSQLdatabasesareinsteadoftenkey/valuestoresordocumentstoreswithflexibleschemasthatcanevolveovertimeorvary.Contrastthattoarelationaldatabase,whichrequiresaveryrigidschema.

ManyoftheconceptsofNoSQLarchitecturestracetheirfoundationalconceptsbacktowhitepaperspublishedin2006and2007thatdescribeddistributedsystemslikeDynamoatAmazon.Today,manyapplicationteamsuseHbase,MongoDB,Cassandra,CouchDB,Riak,andAmazonDynamoDBtostorelargevolumesofdatawithhightransactionrates.Manyofthesedatabaseenginessupportclusteringandscalehorizontallyacrossmanymachinesforperformanceandfaulttolerance.AcommonusecaseforNoSQLismanagingusersessionstate,userprofiles,shoppingcartdata,ortime-seriesdata.

YoucanrunanytypeofNoSQLdatabaseonAWSusingAmazonEC2,oryoucanchooseamanagedservicelikeAmazonDynamoDBtodealwiththeheavyliftinginvolvedwithbuildingadistributedclusterspanningmultipledatacenters.

Page 218: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

AmazonRelationalDatabaseService(AmazonRDS)AmazonRDSisaservicethatsimplifiesthesetup,operations,andscalingofarelationaldatabaseonAWS.WithAmazonRDS,youcanspendmoretimefocusingontheapplicationandtheschemaandletAmazonRDSoffloadcommontaskslikebackups,patching,scaling,andreplication.

AmazonRDShelpsyoutostreamlinetheinstallationofthedatabasesoftwareandalsotheprovisioningofinfrastructurecapacity.Withinafewminutes,AmazonRDScanlaunchoneofmanypopulardatabaseenginesthatisreadytostarttakingSQLtransactions.Aftertheinitiallaunch,AmazonRDSsimplifiesongoingmaintenancebyautomatingcommonadministrativetasksonarecurringbasis.

WithAmazonRDS,youcanaccelerateyourdevelopmenttimelinesandestablishaconsistentoperatingmodelformanagingrelationaldatabases.Forexample,AmazonRDSmakesiteasytoreplicateyourdatatoincreaseavailability,improvedurability,orscaleuporbeyondasingledatabaseinstanceforread-heavydatabaseworkloads.

AmazonRDSexposesadatabaseendpointtowhichclientsoftwarecanconnectandexecuteSQL.AmazonRDSdoesnotprovideshellaccesstoDatabase(DB)Instances,anditrestrictsaccesstocertainsystemproceduresandtablesthatrequireadvancedprivileges.WithAmazonRDS,youcantypicallyusethesametoolstoquery,analyze,modify,andadministerthedatabase.Forexample,currentExtract,Transform,Load(ETL)toolsandreportingtoolscanconnecttoAmazonRDSdatabasesinthesamewaywiththesamedrivers,andoftenallittakestoreconfigureischangingthehostnameintheconnectionstring.

Database(DB)InstancesTheAmazonRDSserviceitselfprovidesanApplicationProgrammingInterface(API)thatletsyoucreateandmanageoneormoreDBInstances.ADBInstanceisanisolateddatabaseenvironmentdeployedinyourprivatenetworksegmentsinthecloud.EachDBInstancerunsandmanagesapopularcommercialoropensourcedatabaseengineonyourbehalf.AmazonRDScurrentlysupportsthefollowingdatabaseengines:MySQL,PostgreSQL,MariaDB,Oracle,SQLServer,andAmazonAurora.

YoucanlaunchanewDBInstancebycallingtheCreateDBInstanceAPIorbyusingtheAWSManagementConsole.ExistingDBInstancescanbechangedorresizedusingtheModifyDBInstanceAPI.ADBInstancecancontainmultipledifferentdatabases,allofwhichyoucreateandmanagewithintheDBInstanceitselfbyexecutingSQLcommandswiththeAmazonRDSendpoint.Thedifferentdatabasescanbecreated,accessed,andmanagedusingthesameSQLclienttoolsandapplicationsthatyouusetoday.

ThecomputeandmemoryresourcesofaDBInstancearedeterminedbyitsDBInstanceclass.YoucanselecttheDBInstanceclassthatbestmeetsyourneedsforcomputeandmemory.TherangeofDBInstanceclassesextendsfromadb.t2.microwith1virtualCPU(vCPU)and1GBofmemory,uptoadb.r3.8xlargewith32vCPUsand244GBofmemory.Asyourneedschangeovertime,youcanchangetheinstanceclassandthebalanceofcomputeofmemory,andAmazonRDSwillmigrateyourdatatoalargerorsmallerinstanceclass.IndependentfromtheDBInstanceclassthatyouselect,youcanalsocontrolthesizeand

Page 219: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

performancecharacteristicsofthestorageused.

AmazonRDSsupportsalargevarietyofengines,versions,andfeaturecombinations.ChecktheAmazonRDSdocumentationtodeterminesupportforspecificfeatures.ManyfeaturesandcommonconfigurationsettingsareexposedandmanagedusingDBparametergroupsandDBoptiongroups.ADBparametergroupactsasacontainerforengineconfigurationvaluesthatcanbeappliedtooneormoreDBInstances.YoumaychangetheDBparametergroupforanexistinginstance,butarebootisrequired.ADBoptiongroupactsasacontainerforenginefeatures,whichisemptybydefault.InordertoenablespecificfeaturesofaDBengine(forexample,OracleStatspack,MicrosoftSQLServerMirroring),youcreateanewDBoptiongroupandconfigurethesettingsaccordingly.

ExistingdatabasescanbemigratedtoAmazonRDSusingnativetoolsandtechniquesthatvarydependingontheengine.ForexamplewithMySQL,youcanexportabackupusingmysqldumpandimportthefileintoAmazonRDSMySQL.YoucanalsousetheAWSDatabaseMigrationService,whichgivesyouagraphicalinterfacethatsimplifiesthemigrationofbothschemaanddatabetweendatabases.AWSDatabaseMigrationServicealsohelpsconvertdatabasesfromonedatabaseenginetoanother.

OperationalBenefitsAmazonRDSincreasestheoperationalreliabilityofyourdatabasesbyapplyingaveryconsistentdeploymentandoperationalmodel.Thislevelofconsistencyisachievedinpartbylimitingthetypesofchangesthatcanbemadetotheunderlyinginfrastructureandthroughtheextensiveuseofautomation.ForexamplewithAmazonRDS,youcannotuseSecureShell(SSH)tologintothehostinstanceandinstallacustompieceofsoftware.Youcan,however,connectusingSQLadministratortoolsoruseDBoptiongroupsandDBparametergroupstochangethebehaviororfeatureconfigurationforaDBInstance.IfyouwantfullcontroloftheOperatingSystem(OS)orrequireelevatedpermissionstorun,thenconsiderinstallingyourdatabaseonAmazonEC2insteadofAmazonRDS.

AmazonRDSisdesignedtosimplifythecommontasksrequiredtooperatearelationaldatabaseinareliablemanner.It’susefultocomparetheresponsibilitiesofanadministratorwhenoperatingarelationaldatabaseinyourdatacenter,onAmazonEC2,orwithAmazonRDS(seeTable7.2).

Page 220: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

TABLE7.2ComparisonofOperationalResponsibilities

Responsibility DatabaseOn-Premise

DatabaseonAmazonEC2

DatabaseonAmazonRDS

AppOptimization

You You You

Scaling You You AWS

HighAvailability You You AWS

Backups You You AWS

DBEnginePatches

You You AWS

SoftwareInstallation

You You AWS

OSPatches You You AWS

OSInstallation You AWS AWS

ServerMaintenance

You AWS AWS

RackandStack You AWS AWS

PowerandCooling

You AWS AWS

DatabaseEnginesAmazonRDSsupportssixdatabaseengines:MySQL,PostgreSQL,MariaDB,Oracle,SQLServer,andAmazonAurora.Featuresandcapabilitiesvaryslightlydependingontheenginethatyouselect.

MySQLMySQLisoneofthemostpopularopensourcedatabasesintheworld,anditisusedtopowerawiderangeofapplications,fromsmallpersonalblogstosomeofthelargestwebsitesintheworld.Asofthetimeofthiswriting,AmazonRDSforMySQLcurrentlysupportsMySQL5.7,5.6,5.5,and5.1.TheengineisrunningtheopensourceCommunityEditionwithInnoDBasthedefaultandrecommendeddatabasestorageengine.AmazonRDSMySQLallowsyoutoconnectusingstandardMySQLtoolssuchasMySQLWorkbenchorSQLWorkbench/J.AmazonRDSMySQLsupportsMulti-AZdeploymentsforhighavailabilityandreadreplicasforhorizontalscaling.

PostgreSQLPostgreSQLisawidelyusedopensourcedatabaseenginewithaveryrichsetoffeaturesandadvancedfunctionality.AmazonRDSsupportsDBInstancesrunningseveralversionsofPostgreSQL.Asofthetimeofthiswriting,AmazonRDSsupportsmultiplereleasesofPostgreSQL,including9.5.x,9.4.x,and9.3.x.AmazonRDSPostgreSQLcanbemanagedusingstandardtoolslikepgAdminandsupportsstandardJDBC/ODBCdrivers.AmazonRDSPostgreSQLalsosupportsMulti-AZdeploymentforhighavailabilityandreadreplicasfor

Page 221: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

horizontalscaling.

MariaDBAmazonRDSrecentlyaddedsupportforDBInstancesrunningMariaDB.MariaDBisapopularopensourcedatabaseenginebuiltbythecreatorsofMySQLandenhancedwithenterprisetoolsandfunctionality.MariaDBaddsfeaturesthatenhancetheperformance,availability,andscalabilityofMySQL.Asofthetimeofthiswriting,AWSsupportsMariaDBversion10.0.17.AmazonRDSfullysupportstheXtraDBstorageengineforMariaDBDBInstancesand,likeAmazonRDSMySQLandPostgreSQL,hassupportforMulti-AZdeploymentandreadreplicas.

OracleOracleisoneofthemostpopularrelationaldatabasesusedintheenterpriseandisfullysupportedbyAmazonRDS.Asofthetimeofthiswriting,AmazonRDSsupportsDBInstancesrunningseveraleditionsofOracle11gandOracle12c.AmazonRDSsupportsaccesstoschemasonaDBInstanceusinganystandardSQLclientapplication,suchasOracleSQLPlus.

AmazonRDSOraclesupportsthreedifferenteditionsofthepopulardatabaseengine:StandardEditionOne,StandardEdition,andEnterpriseEdition.Table7.3outlinessomeofthemajordifferencesbetweeneditions:

TABLE7.3AmazonRDSOracleEditionsCompared

Edition Performance Multi-AZ Encryption

StandardOne ++++ Yes KMS

Standard ++++++++ Yes KMS

Enterprise ++++++++ Yes KMSandTDE

MicrosoftSQLServerMicrosoftSQLServerisanotherverypopularrelationaldatabaseusedintheenterprise.AmazonRDSallowsDatabaseAdministrators(DBAs)toconnecttotheirSQLServerDBInstanceinthecloudusingnativetoolslikeSQLServerManagementStudio.Asofthetimeofthiswriting,AmazonRDSprovidessupportforseveralversionsofMicrosoftSQLServer,includingSQLServer2008R2,SQLServer2012,andSQLServer2014.

AmazonRDSSQLServeralsosupportsfourdifferenteditionsofSQLServer:ExpressEdition,WebEdition,StandardEdition,andEnterpriseEdition.Table7.4highlightstherelativeperformance,availability,andencryptiondifferencesamongtheseeditions.

Page 222: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

TABLE7.4AmazonRDSSQLServerEditionsCompared

Edition Performance Multi-AZ Encryption

Express + No KMS

Web ++++ No KMS

Standard ++++ Yes KMS

Enterprise ++++++++ Yes KMSandTDE

LicensingAmazonRDSOracleandMicrosoftSQLServerarecommercialsoftwareproductsthatrequireappropriatelicensestooperateinthecloud.AWSofferstwolicensingmodels:LicenseIncludedandBringYourOwnLicense(BYOL).

LicenseIncludedIntheLicenseIncludedmodel,thelicenseisheldbyAWSandisincludedintheAmazonRDSinstanceprice.ForOracle,LicenseIncludedprovideslicensingforStandardEditionOne.ForSQLServer,LicenseIncludedprovideslicensingforSQLServerExpressEdition,WebEdition,andStandardEdition.

BringYourOwnLicense(BYOL)IntheBYOLmodel,youprovideyourownlicense.ForOracle,youmusthavetheappropriateOracleDatabaselicensefortheDBInstanceclassandOracleDatabaseeditionyouwanttorun.YoucanbringoverStandardEditionOne,StandardEdition,andEnterpriseEdition.

ForSQLServer,youprovideyourownlicenseundertheMicrosoftLicenseMobilityprogram.YoucanbringoverMicrosoftSQLStandardEditionandalsoEnterpriseEdition.Youareresponsiblefortrackingandmanaginghowlicensesareallocated.

AmazonAuroraAmazonAuroraoffersenterprise-gradecommercialdatabasetechnologywhileofferingthesimplicityandcosteffectivenessofanopensourcedatabase.ThisisachievedbyredesigningtheinternalcomponentsofMySQLtotakeamoreservice-orientedapproach.

LikeotherAmazonRDSengines,AmazonAuroraisafullymanagedservice,isMySQL-compatibleoutofthebox,andprovidesforincreasedreliabilityandperformanceoverstandardMySQLdeployments.AmazonAuroracandeliveruptofivetimestheperformanceofMySQLwithoutrequiringchangestomostofyourexistingwebapplications.Youcanusethesamecode,tools,andapplicationsthatyouusewithyourexistingMySQLdatabaseswithAmazonAurora.

WhenyoufirstcreateanAmazonAurorainstance,youcreateaDBcluster.ADBclusterhasoneormoreinstancesandincludesaclustervolumethatmanagesthedataforthoseinstances.AnAmazonAuroraclustervolumeisavirtualdatabasestoragevolumethatspansmultipleAvailabilityZones,witheachAvailabilityZonehavingacopyoftheclusterdata.AnAmazonAuroraDBclusterconsistsoftwodifferenttypesofinstances:

PrimaryInstanceThisisthemaininstance,whichsupportsbothreadandwriteworkloads.Whenyoumodifyyourdata,youaremodifyingtheprimaryinstance.EachAmazonAuroraDBclusterhasoneprimaryinstance.

Page 223: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

AmazonAuroraReplicaThisisasecondaryinstancethatsupportsonlyreadoperations.EachDBclustercanhaveupto15AmazonAuroraReplicasinadditiontotheprimaryinstance.ByusingmultipleAmazonAuroraReplicas,youcandistributethereadworkloadamongvariousinstances,increasingperformance.YoucanalsolocateyourAmazonAuroraReplicasinmultipleAvailabilityZonestoincreaseyourdatabaseavailability.

StorageOptionsAmazonRDSisbuiltusingAmazonElasticBlockStore(AmazonEBS)andallowsyoutoselecttherightstorageoptionbasedonyourperformanceandcostrequirements.Dependingonthedatabaseengineandworkload,youcanscaleupto4to6TBinprovisionedstorageandupto30,000IOPS.AmazonRDSsupportsthreestoragetypes:Magnetic,GeneralPurpose(SolidStateDrive[SSD]),andProvisionedIOPS(SSD).Table7.5highlightstherelativesize,performance,andcostdifferencesbetweentypes.

TABLE7.5AmazonRDSStorageTypes

Magnetic GeneralPurpose(SSD) ProvisionedIOPS(SSD)

Size +++ +++++ +++++

Performance + +++ +++++

Cost ++ +++ +++++

MagneticMagneticstorage,alsocalledstandardstorage,offerscost-effectivestoragethatisidealforapplicationswithlightI/Orequirements.

GeneralPurpose(SSD)Generalpurpose(SSD)-backedstorage,alsocalledgp2,canprovidefasteraccessthanmagneticstorage.Thisstoragetypecanprovideburstperformancetomeetspikesandisexcellentforsmall-tomedium-sizeddatabases.

ProvisionedIOPS(SSD)ProvisionedIOPS(SSD)storageisdesignedtomeettheneedsofI/O-intensiveworkloads,particularlydatabaseworkloads,thataresensitivetostorageperformanceandconsistencyinrandomaccessI/Othroughput.

Formostapplications,GeneralPurpose(SSD)isthebestoptionandprovidesagoodmixoflower-costandhigher-performancecharacteristics.

BackupandRecoveryAmazonRDSprovidesaconsistentoperationalmodelforbackupandrecoveryproceduresacrossthedifferentdatabaseengines.AmazonRDSprovidestwomechanismsforbackingupthedatabase:automatedbackupsandmanualsnapshots.Byusingacombinationofbothtechniques,youcandesignabackuprecoverymodeltoprotectyourapplicationdata.

EachorganizationtypicallywilldefineaRecoveryPointObjective(RPO)andRecoveryTimeObjective(RTO)forimportantapplicationsbasedonthecriticalityoftheapplicationandtheexpectationsoftheusers.It’scommonforenterprisesystemstohaveanRPOmeasuredinminutesandanRTOmeasuredinhoursorevendays,whilesomecriticalapplicationsmayhavemuchlowertolerances.

Page 224: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

RPOisdefinedasthemaximumperiodofdatalossthatisacceptableintheeventofafailureorincident.Forexample,manysystemsbackuptransactionlogsevery15minutestoallowthemtominimizedatalossintheeventofanaccidentaldeletionorhardwarefailure.

RTOisdefinedasthemaximumamountofdowntimethatispermittedtorecoverfrombackupandtoresumeprocessing.Forlargedatabasesinparticular,itcantakehourstorestorefromafullbackup.Intheeventofahardwarefailure,youcanreduceyourRTOtominutesbyfailingovertoasecondarynode.Youshouldcreatearecoveryplanthat,ataminimum,letsyourecoverfromarecentbackup.

AutomatedBackupsAnautomatedbackupisanAmazonRDSfeaturethatcontinuouslytrackschangesandbacksupyourdatabase.AmazonRDScreatesastoragevolumesnapshotofyourDBInstance,backinguptheentireDBInstanceandnotjustindividualdatabases.YoucansetthebackupretentionperiodwhenyoucreateaDBInstance.Onedayofbackupswillberetainedbydefault,butyoucanmodifytheretentionperioduptoamaximumof35days.KeepinmindthatwhenyoudeleteaDBInstance,allautomatedbackupsnapshotsaredeletedandcannotberecovered.Manualsnapshots,however,arenotdeleted.

Automatedbackupswilloccurdailyduringaconfigurable30-minutemaintenancewindowcalledthebackupwindow.Automatedbackupsarekeptforaconfigurablenumberofdays,calledthebackupretentionperiod.YoucanrestoreyourDBInstancetoanyspecifictimeduringthisretentionperiod,creatinganewDBInstance.

ManualDBSnapshotsInadditiontoautomatedbackups,youcanperformmanualDBsnapshotsatanytime.ADBsnapshotisinitiatedbyyouandcanbecreatedasfrequentlyasyouwant.YoucanthenrestoretheDBInstancetothespecificstateintheDBsnapshotatanytime.DBsnapshotscanbecreatedwiththeAmazonRDSconsoleortheCreateDBSnapshotaction.Unlikeautomatedsnapshotsthataredeletedaftertheretentionperiod,manualDBsnapshotsarekeptuntilyouexplicitlydeletethemwiththeAmazonRDSconsoleortheDeleteDBSnapshotaction.

Forbusydatabases,useMulti-AZtominimizetheperformanceimpactofasnapshot.Duringthebackupwindow,storageI/Omaybesuspendedwhileyourdataisbeingbackedup,andyoumayexperienceelevatedlatency.ThisI/Osuspensiontypicallylastsforthedurationofthesnapshot.ThisperiodofI/OsuspensionisshorterforMulti-AZDBdeploymentsbecausethebackupistakenfromthestandby,butlatencycanoccurduringthebackupprocess.

RecoveryAmazonRDSallowsyoutorecoveryourdatabasequicklywhetheryouareperformingautomatedbackupsormanualDBsnapshots.YoucannotrestorefromaDBsnapshottoanexistingDBInstance;anewDBInstanceiscreatedwhenyourestore.WhenyourestoreaDBInstance,onlythedefaultDBparameterandsecuritygroupsareassociatedwiththerestored

Page 225: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

instance.Assoonastherestoreiscomplete,youshouldassociateanycustomDBparameterorsecuritygroupsusedbytheinstancefromwhichyourestored.Whenusingautomatedbackups,AmazonRDScombinesthedailybackupsperformedduringyourpredefinedmaintenancewindowinconjunctionwithtransactionlogstoenableyoutorestoreyourDBInstancetoanypointduringyourretentionperiod,typicallyuptothelastfiveminutes.

HighAvailabilitywithMulti-AZOneofthemostpowerfulfeaturesofAmazonRDSisMulti-AZdeployments,whichallowsyoutocreateadatabaseclusteracrossmultipleAvailabilityZones.Settinguparelationaldatabasetoruninahighlyavailableandfault-tolerantfashionisachallengingtask.WithAmazonRDSMulti-AZ,youcanreducethecomplexityinvolvedwiththiscommonadministrativetask;withasingleoption,AmazonRDScanincreasetheavailabilityofyourdatabaseusingreplication.Multi-AZletsyoumeetthemostdemandingRPOandRTOtargetsbyusingsynchronousreplicationtominimizeRPOandfastfailovertominimizeRTOtominutes.

Multi-AZallowsyoutoplaceasecondarycopyofyourdatabaseinanotherAvailabilityZonefordisasterrecoverypurposes.Multi-AZdeploymentsareavailableforalltypesofAmazonRDSdatabaseengines.WhenyoucreateaMulti-AZDBInstance,aprimaryinstanceiscreatedinoneAvailabilityZoneandasecondaryinstanceiscreatedinanotherAvailabilityZone.Youareassignedadatabaseinstanceendpointsuchasthefollowing:

my_app_db.ch6fe7ykq1zd.us-west-2.rds.amazonaws.com

ThisendpointisaDomainNameSystem(DNS)namethatAWStakesresponsibilityforresolvingtoaspecificIPaddress.YouusethisDNSnamewhencreatingtheconnectiontoyourdatabase.Figure7.1illustratesatypicalMulti-AZdeploymentspanningtwoAvailabilityZones.

Page 226: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

FIGURE7.1Multi-AZAmazonRDSarchitecture

AmazonRDSautomaticallyreplicatesthedatafromthemasterdatabaseorprimaryinstancetotheslavedatabaseorsecondaryinstanceusingsynchronousreplication.EachAvailabilityZonerunsonitsownphysicallydistinct,independentinfrastructureandisengineeredtobehighlyreliable.AmazonRDSdetectsandautomaticallyrecoversfromthemostcommonfailurescenariosforMulti-AZdeploymentssothatyoucanresumedatabaseoperationsasquicklyaspossiblewithoutadministrativeintervention.AmazonRDSautomaticallyperformsafailoverintheeventofanyofthefollowing:

LossofavailabilityinprimaryAvailabilityZone

Lossofnetworkconnectivitytoprimarydatabase

Computeunitfailureonprimarydatabase

Storagefailureonprimarydatabase

AmazonRDSwillautomaticallyfailovertothestandbyinstancewithoutuserintervention.TheDNSnameremainsthesame,buttheAmazonRDSservicechangestheCNAMEtopointtothestandby.TheprimaryDBInstanceswitchesoverautomaticallytothestandbyreplicaiftherewasanAvailabilityZoneservicedisruption,iftheprimaryDBInstancefails,oriftheinstancetypeischanged.YoucanalsoperformamanualfailoveroftheDBInstance.Failover

Page 227: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

betweentheprimaryandthesecondaryinstanceisfast,andthetimeautomaticfailovertakestocompleteistypicallyonetotwominutes.

ItisimportanttorememberthatMulti-AZdeploymentsarefordisasterrecoveryonly;theyarenotmeanttoenhancedatabaseperformance.ThestandbyDBInstanceisnotavailabletoofflinequeriesfromtheprimarymasterDBInstance.ToimprovedatabaseperformanceusingmultipleDBInstances,usereadreplicasorotherDBcachingtechnologiessuchasAmazonElastiCache.

ScalingUpandOutAsthenumberoftransactionsincreasetoarelationaldatabase,scalingup,orvertically,bygettingalargermachineallowsyoutoprocessmorereadsandwrites.Scalingout,orhorizontally,isalsopossible,butitisoftenmoredifficult.AmazonRDSallowsyoutoscalecomputeandstoragevertically,andforsomeDBengines,youcanscalehorizontally.

VerticalScalabilityAddingadditionalcompute,memory,orstorageresourcestoyourdatabaseallowsyoutoprocessmoretransactions,runmorequeries,andstoremoredata.AmazonRDSmakesiteasytoscaleupordownyourdatabasetiertomeetthedemandsofyourapplication.ChangescanbescheduledtooccurduringthenextmaintenancewindowortobeginimmediatelyusingtheModifyDBInstanceaction.

Tochangetheamountofcomputeandmemory,youcanselectadifferentDBInstanceclassofthedatabase.AfteryouselectalargerorsmallerDBInstanceclass,AmazonRDSautomatesthemigrationprocesstoanewclasswithonlyashortdisruptionandminimaleffort.

Youcanalsoincreasetheamountofstorage,thestorageclass,andthestorageperformanceforanAmazonRDSInstance.Eachdatabaseinstancecanscalefrom5GBupto6TBinprovisionedstoragedependingonthestoragetypeandengine.StorageforAmazonRDScanbeincreasedovertimeasneedsgrowwithminimalimpacttotherunningdatabase.StorageexpansionissupportedforallofthedatabaseenginesexceptforSQLServer.

HorizontalScalabilitywithPartitioningArelationaldatabasecanbescaledverticallyonlysomuchbeforeyoureachthemaximuminstancesize.Partitioningalargerelationaldatabaseintomultipleinstancesorshardsisacommontechniqueforhandlingmorerequestsbeyondthecapabilitiesofasingleinstance.

Partitioning,orsharding,allowsyoutoscalehorizontallytohandlemoreusersandrequestsbutrequiresadditionallogicintheapplicationlayer.Theapplicationneedstodecidehowtoroutedatabaserequeststothecorrectshardandbecomeslimitedinthetypesofqueriesthatcanbeperformedacrossserverboundaries.NoSQLdatabaseslikeAmazonDynamoDBorCassandraaredesignedtoscalehorizontally.

HorizontalScalabilitywithReadReplicas

Page 228: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

Anotherimportantscalingtechniqueistousereadreplicastooffloadreadtransactionsfromtheprimarydatabaseandincreasetheoverallnumberoftransactions.AmazonRDSsupportsreadreplicasthatallowyoutoscaleoutelasticallybeyondthecapacityconstraintsofasingleDBInstanceforread-heavydatabaseworkloads.

ThereareavarietyofusecaseswheredeployingoneormorereadreplicaDBInstancesishelpful.Somecommonscenariosinclude:

ScalebeyondthecapacityofasingleDBInstanceforread-heavyworkloads.

HandlereadtrafficwhilethesourceDBInstanceisunavailable.Forexample,duetoI/Osuspensionforbackupsorscheduledmaintenance,youcandirectreadtraffictoareplica.

OffloadreportingordatawarehousingscenariosagainstareplicainsteadoftheprimaryDBInstance.

Forexample,abloggingwebsitemayhaveverylittlewriteactivityexceptfortheoccasionalcomment,andthevastmajorityofdatabaseactivitywillberead-only.Byoffloadingsomeorallofthereadactivitytooneormorereadreplicas,theprimarydatabaseinstancecanfocusonhandlingthewritesandreplicatingthedataouttothereplicas.

ReadreplicasarecurrentlysupportedinAmazonRDSforMySQL,PostgreSQL,MariaDB,andAmazonAurora.AmazonRDSusestheMySQL,MariaDB,andPostgreSQLDBengines’built-inreplicationfunctionalitytocreateaspecialtypeofDBInstance,calledareadreplica,fromasourceDBInstance.UpdatesmadetothesourceDBInstanceareasynchronouslycopiedtothereadreplica.YoucanreducetheloadonyoursourceDBInstancebyroutingreadqueriesfromyourapplicationstothereadreplica.

YoucancreateoneormorereplicasofadatabasewithinasingleAWSRegionoracrossmultipleAWSRegions.Toenhanceyourdisasterrecoverycapabilitiesorreducegloballatencies,youcanusecross-regionreadreplicastoservereadtrafficfromaregionclosesttoyourglobalusersormigrateyourdatabasesacrossAWSRegions.

SecuritySecuringyourAmazonRDSDBInstancesandrelationaldatabasesrequiresacomprehensiveplanthataddressesthemanylayerscommonlyfoundindatabase-drivensystems.Thisincludestheinfrastructureresources,thedatabase,andthenetwork.

ProtectaccesstoyourinfrastructureresourcesusingAWSIdentityandAccessManagement(IAM)policiesthatlimitwhichactionsAWSadministratorscanperform.Forexample,somekeyadministratoractionsthatcanbecontrolledinIAMincludeCreateDBInstanceandDeleteDBInstance.

AnothersecuritybestpracticeistodeployyourAmazonRDSDBInstancesintoaprivatesubnetwithinanAmazonVirtualPrivateCloud(AmazonVPC)thatlimitsnetworkaccesstotheDBInstance.BeforeyoucandeployintoanAmazonVPC,youmustfirstcreateaDBsubnetgroupthatpredefineswhichsubnetsareavailableforAmazonRDSdeployments.Further,restrictnetworkaccessusingnetworkAccessControlLists(ACLs)andsecuritygroupstolimitinboundtraffictoashortlistofsourceIPaddresses.

Page 229: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

Atthedatabaselevel,youwillalsoneedtocreateusersandgrantthempermissionstoreadandwritetoyourdatabases.Accesstothedatabaseiscontrolledusingthedatabaseengine-specificaccesscontrolandusermanagementmechanisms.Createusersatthedatabaselevelwithstrongpasswordsthatyourotatefrequently.

Finally,protecttheconfidentialityofyourdataintransitandatrestwithmultipleencryptioncapabilitiesprovidedwithAmazonRDS.Securityfeaturesvaryslightlyfromoneenginetoanother,butallenginessupportsomeformofin-transitencryptionandalsoat-restencryption.YoucansecurelyconnectaclienttoarunningDBInstanceusingSecureSocketsLayer(SSL)toprotectdataintransit.EncryptionatrestispossibleforallenginesusingtheAmazonKeyManagementService(KMS)orTransparentDataEncryption(TDE).Alllogs,backups,andsnapshotsareencryptedforanencryptedAmazonRDSinstance.

Page 230: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

AmazonRedshiftAmazonRedshiftisafast,powerful,fullymanaged,petabyte-scaledatawarehouseserviceinthecloud.AmazonRedshiftisarelationaldatabasedesignedforOLAPscenariosandoptimizedforhigh-performanceanalysisandreportingofverylargedatasets.Traditionaldatawarehousesaredifficultandexpensivetomanage,especiallyforlargedatasets.AmazonRedshiftnotonlysignificantlylowersthecostofadatawarehouse,butitalsomakesiteasytoanalyzelargeamountsofdataveryquickly.

AmazonRedshiftgivesyoufastqueryingcapabilitiesoverstructureddatausingstandardSQLcommandstosupportinteractivequeryingoverlargedatasets.WithconnectivityviaODBCorJDBC,AmazonRedshiftintegrateswellwithvariousdataloading,reporting,datamining,andanalyticstools.AmazonRedshiftisbasedonindustry-standardPostgreSQL,somostexistingSQLclientapplicationswillworkwithonlyminimalchanges.

AmazonRedshiftmanagestheworkneededtosetup,operate,andscaleadatawarehouse,fromprovisioningtheinfrastructurecapacitytoautomatingongoingadministrativetaskssuchasbackupsandpatching.AmazonRedshiftautomaticallymonitorsyournodesanddrivestohelpyourecoverfromfailures.

ClustersandNodesThekeycomponentofanAmazonRedshiftdatawarehouseisacluster.Aclusteriscomposedofaleadernodeandoneormorecomputenodes.Theclientapplicationinteractsdirectlyonlywiththeleadernode,andthecomputenodesaretransparenttoexternalapplications.

AmazonRedshiftcurrentlyhassupportforsixdifferentnodetypesandeachhasadifferentmixofCPU,memory,andstorage.Thesixnodetypesaregroupedintotwocategories:DenseComputeandDenseStorage.TheDenseComputenodetypessupportclustersupto326TBusingfastSSDs,whiletheDenseStoragenodessupportclustersupto2PBusinglargemagneticdisks.Eachclusterconsistsofoneleadernodeandoneormorecomputenodes.Figure7.2showstheinternalcomponentsofanAmazonRedshiftdatawarehousecluster.

Page 231: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

FIGURE7.2AmazonRedshiftclusterarchitecture

Eachclustercontainsoneormoredatabases.Userdataforeachtableisdistributedacrossthecomputenodes.YourapplicationorSQLclientcommunicateswithAmazonRedshiftusingstandardJDBCorODBCconnectionswiththeleadernode,whichinturncoordinatesqueryexecutionwiththecomputenodes.Yourapplicationdoesnotinteractdirectlywiththecomputenodes.

Thediskstorageforacomputenodeisdividedintoanumberofslices.Thenumberofslicespernodedependsonthenodesizeoftheclusterandtypicallyvariesbetween2and16.Thenodesallparticipateinparallelqueryexecution,workingondatathatisdistributedasevenlyaspossibleacrosstheslices.

Youcanincreasequeryperformancebyaddingmultiplenodestoacluster.Whenyousubmitaquery,AmazonRedshiftdistributesandexecutesthequeryinparallelacrossallofacluster’scomputenodes.AmazonRedshiftalsospreadsyourtabledataacrossallcomputenodesinaclusterbasedonadistributionstrategythatyouspecify.Thispartitioningofdataacrossmultiplecomputeresourcesallowsyoutoachievehighlevelsofperformance.

AmazonRedshiftallowsyoutoresizeaclustertoaddstorageandcomputecapacityovertimeasyourneedsevolve.Youcanalsochangethenodetypeofaclusterandkeeptheoverallsizethesame.Wheneveryouperformaresizeoperation,AmazonRedshiftwillcreateanew

Page 232: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

clusterandmigratedatafromtheoldclustertothenewone.Duringaresizeoperation,thedatabasewillbecomeread-onlyuntiltheoperationisfinished.

TableDesignEachAmazonRedshiftclustercansupportoneormoredatabases,andeachdatabasecancontainmanytables.LikemostSQL-baseddatabases,youcancreateatableusingtheCREATETABLEcommand.Thiscommandspecifiesthenameofthetable,thecolumns,andtheirdatatypes.Inadditiontocolumnsanddatatypes,theAmazonRedshiftCREATETABLEcommandalsosupportsspecifyingcompressionencodings,distributionstrategy,andsortkeys.

DataTypesAmazonRedshiftcolumnssupportawiderangeofdatatypes.ThisincludescommonnumericdatatypeslikeINTEGER,DECIMAL,andDOUBLE,textdatatypeslikeCHARandVARCHAR,anddatedatatypeslikeDATEandTIMESTAMP.AdditionalcolumnscanbeaddedtoatableusingtheALTERTABLEcommand;however,existingcolumnscannotbemodified.

CompressionEncodingOneofthekeyperformanceoptimizationsusedbyAmazonRedshiftisdatacompression.Whenloadingdataforthefirsttimeintoanemptytable,AmazonRedshiftwillautomaticallysampleyourdataandselectthebestcompressionschemeforeachcolumn.Alternatively,youcanspecifycompressionencodingonaper-columnbasisaspartoftheCREATETABLEcommand.

DistributionStrategyOneoftheprimarydecisionswhencreatingatableinAmazonRedshiftishowtodistributetherecordsacrossthenodesandslicesinacluster.YoucanconfigurethedistributionstyleofatabletogiveAmazonRedshifthintsastohowthedatashouldbepartitionedtobestmeetyourquerypatterns.Whenyourunaquery,theoptimizershiftstherowstothecomputenodesasneededtoperformanyjoinsandaggregates.Thegoalinselectingatabledistributionstyleistominimizetheimpactoftheredistributionstepbyputtingthedatawhereitneedstobebeforethequeryisperformed.

Thedatadistributionstylethatyouselectforyourdatabasehasabigimpactonqueryperformance,storagerequirements,dataloading,andmaintenance.Bychoosingthebestdistributionstrategyforeachtable,youcanbalanceyourdatadistributionandsignificantlyimproveoverallsystemperformance.Whencreatingatable,youcanchoosebetweenoneofthreedistributionstyles:EVEN,KEY,orALL.

EVENdistributionThisisthedefaultoptionandresultsinthedatabeingdistributedacrosstheslicesinauniformfashionregardlessofthedata.

KEYdistributionWithKEYdistribution,therowsaredistributedaccordingtothevaluesinonecolumn.Theleadernodewillstorematchingvaluesclosetogetherandincreasequeryperformanceforjoins.

ALLdistributionWithALL,afullcopyoftheentiretableisdistributedtoeverynode.Thisisusefulforlookuptablesandotherlargetablesthatarenotupdatedfrequently.

Page 233: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

SortKeysAnotherimportantdecisiontomakeduringthecreationofatableiswhethertospecifyoneormorecolumnsassortkeys.Sortingenablesefficienthandlingofrange-restrictedpredicates.Ifaqueryusesarange-restrictedpredicate,thequeryprocessorcanrapidlyskipoverlargenumbersofblocksduringtablescans.

Thesortkeysforatablecanbeeithercompoundorinterleaved.Acompoundsortkeyismoreefficientwhenquerypredicatesuseaprefix,whichisasubsetofthesortkeycolumnsinorder.Aninterleavedsortkeygivesequalweighttoeachcolumninthesortkey,soquerypredicatescanuseanysubsetofthecolumnsthatmakeupthesortkey,inanyorder.

LoadingDataAmazonRedshiftsupportsstandardSQLcommandslikeINSERTandUPDATEtocreateandmodifyrecordsinatable.Forbulkoperations,however,AmazonRedshiftprovidestheCOPYcommandasamuchmoreefficientalternativethanrepeatedlycallingINSERT.

ACOPYcommandcanloaddataintoatableinthemostefficientmanner,anditsupportsmultipletypesofinputdatasources.ThefastestwaytoloaddataintoAmazonRedshiftisdoingbulkdataloadsfromflatfilesstoredinanAmazonSimpleStorageService(AmazonS3)bucketorfromanAmazonDynamoDBtable.

WhenloadingdatafromAmazonS3,theCOPYcommandcanreadfrommultiplefilesatthesametime.AmazonRedshiftcandistributetheworkloadtothenodesandperformtheloadprocessinparallel.Insteadofhavingonesinglelargefilewithyourdata,youcanenableparallelprocessingbyhavingaclusterwithmultiplenodesandmultipleinputfiles.

Aftereachbulkdataloadthatmodifiesasignificantamountofdata,youwillneedtoperformaVACUUMcommandtoreorganizeyourdataandreclaimspaceafterdeletes.ItisalsorecommendedtorunanANALYZEcommandtoupdatetablestatistics.

DatacanalsobeexportedoutofAmazonRedshiftusingtheUNLOADcommand.ThiscommandcanbeusedtogeneratedelimitedtextfilesandstoretheminAmazonS3.

QueryingDataAmazonRedshiftallowsyoutowritestandardSQLcommandstoqueryyourtables.BysupportingcommandslikeSELECTtoqueryandjointables,analystscanquicklybecomeproductiveusingAmazonRedshiftorintegrateiteasily.Forcomplexqueries,youcananalyzethequeryplantobetteroptimizeyouraccesspattern.YoucanmonitortheperformanceoftheclusterandspecificqueriesusingAmazonCloudWatchandtheAmazonRedshiftwebconsole.

ForlargeAmazonRedshiftclusterssupportingmanyusers,youcanconfigureWorkloadManagement(WLM)toqueueandprioritizequeries.WLMallowsyoudefinemultiplequeuesandsettheconcurrencylevelforeachqueue.Forexample,youmightwanttohaveonequeuesetupforlong-runningqueriesandlimittheconcurrencyandanotherqueueforshort-runningqueriesandallowhigherlevelsofconcurrency.

Page 234: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

SnapshotsSimilartoAmazonRDS,youcancreatepoint-in-timesnapshotsofyourAmazonRedshiftcluster.AsnapshotcanthenbeusedtorestoreacopyorcreateacloneofyouroriginalAmazonRedshiftcluster.SnapshotsaredurablystoredinternallyinAmazonS3byAmazonRedshift.

AmazonRedshiftsupportsbothautomatedsnapshotsandmanualsnapshots.Withautomatedsnapshots,AmazonRedshiftwillperiodicallytakesnapshotsofyourclusterandkeepacopyforaconfigurableretentionperiod.YoucanalsoperformmanualsnapshotsandsharethemacrossregionsorevenwithotherAWSaccounts.Manualsnapshotsareretaineduntilyouexplicitlydeletethem.

SecuritySecuringyourAmazonRedshiftclusterissimilartosecuringotherdatabasesrunninginthecloud.Yoursecurityplanshouldincludecontrolstoprotecttheinfrastructureresources,thedatabaseschema,therecordsinthetable,andnetworkaccess.Byaddressingsecurityateverylevel,youcansecurelyoperateanAmazonRedshiftdatawarehouseinthecloud.

ThefirstlayerofsecuritycomesattheinfrastructurelevelusingIAMpoliciesthatlimittheactionsAWSadministratorscanperform.WithIAM,youcancreatepoliciesthatgrantotherAWSusersthepermissiontocreateandmanagethelifecycleofacluster,includingscaling,backup,andrecoveryoperations.

Atthenetworklevel,AmazonRedshiftclusterscanbedeployedwithintheprivateIPaddressspaceofyourAmazonVPCtorestrictoverallnetworkconnectivity.Fine-grainednetworkaccesscanbefurtherrestrictedusingsecuritygroupsandnetworkACLsatthesubnetlevel.

Inadditiontocontrollinginfrastructureaccessattheinfrastructurelevel,youmustprotectaccessatthedatabaselevel.WhenyouinitiallycreateanAmazonRedshiftcluster,youwillcreateamasteruseraccountandpassword.ThemasteraccountcanbeusedtologintotheAmazonRedshiftdatabaseandtocreatemoreusersandgroups.Eachdatabaseusercanbegrantedpermissiontoschemas,tables,andotherdatabaseobjects.ThesepermissionsareindependentfromtheIAMpoliciesusedtocontrolaccesstotheinfrastructureresourcesandtheAmazonRedshiftclusterconfiguration.

ProtectingthedatastoredinAmazonRedshiftisanotherimportantaspectofyoursecuritydesign.AmazonRedshiftsupportsencryptionofdataintransitusingSSL-encryptedconnections,andalsoencryptionofdataatrestusingmultipletechniques.Toencryptdataatrest,AmazonRedshiftintegrateswithKMSandAWSCloudHSMforencryptionkeymanagementservices.Encryptionatrestandintransitassistsinmeetingcompliancerequirements,suchasfortheHealthInsurancePortabilityandAccountabilityAct(HIPAA)orthePaymentCardIndustryDataSecurityStandard(PCIDSS),andprovidesadditionalprotectionsforyourdata.

Page 235: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

AmazonDynamoDBAmazonDynamoDBisafullymanagedNoSQLdatabaseservicethatprovidesfastandlow-latencyperformancethatscaleswithease.AmazonDynamoDBletsyouoffloadtheadministrativeburdensofoperatingadistributedNoSQLdatabaseandfocusontheapplication.AmazonDynamoDBsignificantlysimplifiesthehardwareprovisioning,setupandconfiguration,replication,softwarepatching,andclusterscalingofNoSQLdatabases.

AmazonDynamoDBisdesignedtosimplifydatabaseandclustermanagement,provideconsistentlyhighlevelsofperformance,simplifyscalabilitytasks,andimprovereliabilitywithautomaticreplication.DeveloperscancreateatableinAmazonDynamoDBandwriteanunlimitednumberofitemswithconsistentlatency.

AmazonDynamoDBcanprovideconsistentperformancelevelsbyautomaticallydistributingthedataandtrafficforatableovermultiplepartitions.Afteryouconfigureacertainreadorwritecapacity,AmazonDynamoDBwillautomaticallyaddenoughinfrastructurecapacitytosupporttherequestedthroughputlevels.Asyourdemandchangesovertime,youcanadjustthereadorwritecapacityafteratablehasbeencreated,andAmazonDynamoDBwilladdorremoveinfrastructureandadjusttheinternalpartitioningaccordingly.

Tohelpmaintainconsistent,fastperformancelevels,alltabledataisstoredonhigh-performanceSSDdiskdrives.Performancemetrics,includingtransactionsrates,canbemonitoredusingAmazonCloudWatch.Inadditiontoprovidinghigh-performancelevels,AmazonDynamoDBalsoprovidesautomatichigh-availabilityanddurabilityprotectionsbyreplicatingdataacrossmultipleAvailabilityZoneswithinanAWSRegion.

DataModelThebasiccomponentsoftheAmazonDynamoDBdatamodelincludetables,items,andattributes.AsdepictedinFigure7.3,atableisacollectionofitemsandeachitemisacollectionofoneormoreattributes.Eachitemalsohasaprimarykeythatuniquelyidentifiestheitem.

Page 236: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

FIGURE7.3Table,items,attributesrelationship

Inarelationaldatabase,atablehasapredefinedschemasuchasthetablename,primarykey,listofitscolumnnames,andtheirdatatypes.Allrecordsstoredinthetablemusthavethesamesetofcolumns.Incontrast,AmazonDynamoDBonlyrequiresthatatablehaveaprimarykey,butitdoesnotrequireyoutodefinealloftheattributenamesanddatatypesinadvance.IndividualitemsinanAmazonDynamoDBtablecanhaveanynumberofattributes,althoughthereisalimitof400KBontheitemsize.

Eachattributeinanitemisaname/valuepair.Anattributecanbeasingle-valuedormulti-valuedset.Forexample,abookitemcanhavetitleandauthorsattributes.Eachbookhasonetitlebutcanhavemanyauthors.Themulti-valuedattributeisaset;duplicatevaluesarenotallowed.DataisstoredinAmazonDynamoDBinkey/valuepairssuchasthefollowing:

{

Id=101

ProductName="Book101Title"

ISBN="123–1234567890"

Authors=["Author1","Author2"]

Price=2.88

Dimensions="8.5x11.0x0.5"

PageCount=500

InPublication=1

ProductCategory="Book"

}

ApplicationscanconnecttotheAmazonDynamoDBserviceendpointandsubmitrequestsoverHTTP/Storeadandwriteitemstoatableoreventocreateanddeletetables.DynamoDBprovidesawebserviceAPIthatacceptsrequestsinJSONformat.WhileyoucouldprogramdirectlyagainstthewebserviceAPIendpoints,mostdeveloperschoosetousetheAWSSoftwareDevelopmentKit(SDK)tointeractwiththeiritemsandtables.TheAWSSDKisavailableinmanydifferentlanguagesandprovidesasimplified,high-levelprogramminginterface.

DataTypes

Page 237: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

AmazonDynamoDBgivesyoualotofflexibilitywithyourdatabaseschema.Unlikeatraditionalrelationaldatabasethatrequiresyoutodefineyourcolumntypesaheadoftime,DynamoDBonlyrequiresaprimarykeyattribute.Eachitemthatisaddedtothetablecanthenaddadditionalattributes.Thisgivesyouflexibilityovertimetoexpandyourschemawithouthavingtorebuildtheentiretableanddealwithrecordversiondifferenceswithapplicationlogic.

Whenyoucreateatableorasecondaryindex,youmustspecifythenamesanddatatypesofeachprimarykeyattribute(partitionkeyandsortkey).AmazonDynamoDBsupportsawiderangeofdatatypesforattributes.Datatypesfallintothreemajorcategories:Scalar,Set,orDocument.

ScalarDataTypesAscalartyperepresentsexactlyonevalue.AmazonDynamoDBsupportsthefollowingfivescalartypes:

StringTextandvariablelengthcharactersupto400KB.SupportsUnicodewithUTF8encoding

NumberPositiveornegativenumberwithupto38digitsofprecision

BinaryBinarydata,images,compressedobjectsupto400KBinsize

BooleanBinaryflagrepresentingatrueorfalsevalue

NullRepresentsablank,empty,orunknownstate.String,Number,Binary,Booleancannotbeempty.

SetDataTypesSetsareusefultorepresentauniquelistofoneormorescalarvalues.Eachvalueinasetneedstobeuniqueandmustbethesamedatatype.Setsdonotguaranteeorder.AmazonDynamoDBsupportsthreesettypes:StringSet,NumberSet,andBinarySet.

StringSetUniquelistofStringattributes

NumberSetUniquelistofNumberattributes

BinarySetUniquelistofBinaryattributes

DocumentDataTypesDocumenttypeisusefultorepresentmultiplenestedattributes,similartothestructureofaJSONfile.AmazonDynamoDBsupportstwodocumenttypes:ListandMap.MultipleListsandMapscanbecombinedandnestedtocreatecomplexstructures.

ListEachListcanbeusedtostoreanorderedlistofattributesofdifferentdatatypes.

MapEachMapcanbeusedtostoreanunorderedlistofkey/valuepairs.MapscanbeusedtorepresentthestructureofanyJSONobject.

PrimaryKeyWhenyoucreateatable,youmustspecifytheprimarykeyofthetableinadditiontothetablename.Likearelationaldatabase,theprimarykeyuniquelyidentifieseachiteminthetable.Aprimarykeywillpointtoexactlyoneitem.AmazonDynamoDBsupportstwotypesofprimarykeys,andthisconfigurationcannotbechangedafteratablehasbeencreated:

PartitionKeyTheprimarykeyismadeofoneattribute,apartition(orhash)key.AmazonDynamoDBbuildsanunorderedhashindexonthisprimarykeyattribute.

Page 238: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

PartitionandSortKeyTheprimarykeyismadeoftwoattributes.Thefirstattributeisthepartitionkeyandthesecondoneisthesort(orrange)key.Eachiteminthetableisuniquelyidentifiedbythecombinationofitspartitionandsortkeyvalues.Itispossiblefortwoitemstohavethesamepartitionkeyvalue,butthosetwoitemsmusthavedifferentsortkeyvalues.

Furthermore,eachprimarykeyattributemustbedefinedastypestring,number,orbinary.AmazonDynamoDBusesthepartitionkeytodistributetherequesttotherightpartition.

Ifyouareperformingmanyreadsorwritespersecondonthesameprimarykey,youwillnotbeabletofullyusethecomputecapacityoftheAmazonDynamoDBcluster.Abestpracticeistomaximizeyourthroughputbydistributingrequestsacrossthefullrangeofpartitionkeys.

ProvisionedCapacityWhenyoucreateanAmazonDynamoDBtable,youarerequiredtoprovisionacertainamountofreadandwritecapacitytohandleyourexpectedworkloads.Basedonyourconfigurationsettings,DynamoDBwillthenprovisiontherightamountofinfrastructurecapacitytomeetyourrequirementswithsustained,low-latencyresponsetimes.Overallcapacityismeasuredinreadandwritecapacityunits.ThesevaluescanlaterbescaledupordownbyusinganUpdateTableaction.

EachoperationagainstanAmazonDynamoDBtablewillconsumesomeoftheprovisionedcapacityunits.Thespecificamountofcapacityunitsconsumeddependslargelyonthesizeoftheitem,butalsoonotherfactors.Forreadoperations,theamountofcapacityconsumedalsodependsonthereadconsistencyselectedintherequest.Readmoreabouteventualandstrongconsistencylaterinthischapter.

Forexample,givenatablewithoutalocalsecondaryindex,youwillconsume1capacityunitifyoureadanitemthatis4KBorsmaller.Similarly,forwriteoperationsyouwillconsume1capacityunitifyouwriteanitemthatis1KBorsmaller.Thismeansthatifyoureadanitemthatis110KB,youwillconsume28capacityunits,or110/4=27.5roundedupto28.Forreadoperationsthatarestronglyconsistent,theywillusetwicethenumberofcapacityunits,or56inthisexample.

YoucanuseAmazonCloudWatchtomonitoryourAmazonDynamoDBcapacityandmakescalingdecisions.Thereisarichsetofmetrics,includingConsumedReadCapacityUnitsandConsumedWriteCapacityUnits.Ifyoudoexceedyourprovisionedcapacityforaperiodoftime,requestswillbethrottledandcanberetriedlater.YoucanmonitorandalertontheThrottledRequestsmetricusingAmazonCloudWatchtonotifyyouofchangingusagepatterns.

SecondaryIndexesWhenyoucreateatablewithapartitionandsortkey(formerlyknownasahashandrangekey),youcanoptionallydefineoneormoresecondaryindexesonthattable.Asecondaryindexletsyouquerythedatainthetableusinganalternatekey,inadditiontoqueriesagainsttheprimarykey.AmazonDynamoDBsupportstwodifferentkindsofindexes:

Page 239: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

GlobalSecondaryIndexTheglobalsecondaryindexisanindexwithapartitionandsortkeythatcanbedifferentfromthoseonthetable.Youcancreateordeleteaglobalsecondaryindexonatableatanytime.

LocalSecondaryIndexThelocalsecondaryindexisanindexthathasthesamepartitionkeyattributeastheprimarykeyofthetable,butadifferentsortkey.Youcanonlycreatealocalsecondaryindexwhenyoucreateatable.

Secondaryindexesallowyoutosearchalargetableefficientlyandavoidanexpensivescanoperationtofinditemswithspecificattributes.Theseindexesallowyoutosupportdifferentqueryaccesspatternsandusecasesbeyondwhatispossiblewithonlyaprimarykey.Whileatablecanonlyhaveonelocalsecondaryindex,youcanhavemultipleglobalsecondaryindexes.

AmazonDynamoDBupdateseachsecondaryindexwhenanitemismodified.Theseupdatesconsumewritecapacityunits.Foralocalsecondaryindex,itemupdateswillconsumewritecapacityunitsfromthemaintable,whileglobalsecondaryindexesmaintaintheirownprovisionedthroughputsettingsseparatefromthetable.

WritingandReadingDataAfteryoucreateatablewithaprimarykeyandindexes,youcanbeginwritingandreadingitemstothetable.AmazonDynamoDBprovidesmultipleoperationsthatletyoucreate,update,anddeleteindividualitems.AmazonDynamoDBalsoprovidesmultiplequeryingoptionsthatletyousearchatableoranindexorretrievebackaspecificitemorabatchofitems.

WritingItemsAmazonDynamoDBprovidesthreeprimaryAPIactionstocreate,update,anddeleteitems:PutItem,UpdateItem,andDeleteItem.UsingthePutItemaction,youcancreateanewitemwithoneormoreattributes.CallstoPutItemwillupdateanexistingitemiftheprimarykeyalreadyexists.PutItemonlyrequiresatablenameandaprimarykey;anyadditionalattributesareoptional.

TheUpdateItemactionwillfindexistingitemsbasedontheprimarykeyandreplacetheattributes.Thisoperationcanbeusefultoonlyupdateasingleattributeandleavetheotherattributesunchanged.UpdateItemcanalsobeusedtocreateitemsiftheydon’talreadyexist.Finally,youcanremoveanitemfromatablebyusingDeleteItemandspecifyingaspecificprimarykey.

TheUpdateItemactionalsoprovidessupportforatomiccounters.Atomiccountersallowyoutoincrementanddecrementavalueandareguaranteedtobeconsistentacrossmultipleconcurrentrequests.Forexample,acounterattributeusedtotracktheoverallscoreofamobilegamecanbeupdatedbymanyclientsatthesametime.

Thesethreeactionsalsosupportconditionalexpressionsthatallowyoutoperformvalidationbeforeanactionisapplied.Forexample,youcanapplyaconditionalexpressiononPutItemthatchecksthatcertainconditionsaremetbeforetheitemiscreated.Thiscanbeusefultopreventaccidentaloverwritesortoenforcesometypeofbusinesslogicchecks.

ReadingItems

Page 240: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

Afteranitemhasbeencreated,itcanberetrievedthroughadirectlookupbycallingtheGetItemactionorthroughasearchusingtheQueryorScanaction.GetItemallowsyoutoretrieveanitembasedonitsprimarykey.Alloftheitem’sattributesarereturnedbydefault,andyouhavetheoptiontoselectindividualattributestofilterdowntheresults.

Ifaprimarykeyiscomposedofapartitionkey,theentirepartitionkeyneedstobespecifiedtoretrievetheitem.Iftheprimarykeyisacompositeofapartitionkeyandasortkey,GetItemwillrequireboththepartitionandsortkeyaswell.EachcalltoGetItemconsumesreadcapacityunitsbasedonthesizeoftheitemandtheconsistencyoptionselected.

Bydefault,aGetItemoperationperformsaneventuallyconsistentread.Youcanoptionallyrequestastronglyconsistentreadinstead;thiswillconsumeadditionalreadcapacityunits,butitwillreturnthemostup-to-dateversionoftheitem.

EventualConsistencyWhenreadingitemsfromAmazonDynamoDB,theoperationcanbeeithereventuallyconsistentorstronglyconsistent.AmazonDynamoDBisadistributedsystemthatstoresmultiplecopiesofanitemacrossanAWSRegiontoprovidehighavailabilityandincreaseddurability.WhenanitemisupdatedinAmazonDynamoDB,itstartsreplicatingacrossmultipleservers.BecauseAmazonDynamoDBisadistributedsystem,thereplicationcantakesometimetocomplete.Becauseofthiswerefertothedataasbeingeventuallyconsistent,meaningthatareadrequestimmediatelyafterawriteoperationmightnotshowthelatestchange.Insomecases,theapplicationneedstoguaranteethatthedataisthelatestandAmazonDynamoDBoffersanoptionforstronglyconsistentreads.

EventuallyConsistentReadsWhenyoureaddata,theresponsemightnotreflecttheresultsofarecentlycompletedwriteoperation.Theresponsemightincludesomestaledata.Consistencyacrossallcopiesofthedataisusuallyreachedwithinasecond;ifyourepeatyourreadrequestafterashorttime,theresponsereturnsthelatestdata.

StronglyConsistentReadsWhenyouissueastronglyconsistentreadrequest,AmazonDynamoDBreturnsaresponsewiththemostup-to-datedatathatreflectsupdatesbyallpriorrelatedwriteoperationstowhichAmazonDynamoDBreturnedasuccessfulresponse.Astronglyconsistentreadmightbelessavailableinthecaseofanetworkdelayoroutage.Youcanrequestastronglyconsistentreadresultbyspecifyingoptionalparametersinyourrequest.

BatchOperationsAmazonDynamoDBalsoprovidesseveraloperationsdesignedforworkingwithlargebatchesofitems,includingBatchGetItemandBatchWriteItem.UsingtheBatchWriteItemaction,youcanperformupto25itemcreatesorupdateswithasingleoperation.Thisallowsyoutominimizetheoverheadofeachindividualcallwhenprocessinglargenumbersofitems.

SearchingItemsAmazonDynamoDBalsogivesyoutwooperations,QueryandScan,thatcanbeusedtosearchatableoranindex.AQueryoperationistheprimarysearchoperationyoucanusetofinditemsinatableorasecondaryindexusingonlyprimarykeyattributevalues.EachQueryrequiresapartitionkeyattributenameandadistinctvaluetosearch.Youcanoptionally

Page 241: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

provideasortkeyvalueanduseacomparisonoperatortorefinethesearchresults.Resultsareautomaticallysortedbytheprimarykeyandarelimitedto1MB.

IncontrasttoaQuery,aScanoperationwillreadeveryiteminatableorasecondaryindex.Bydefault,aScanoperationreturnsallofthedataattributesforeveryiteminthetableorindex.Eachrequestcanreturnupto1MBofdata.Itemscanbefilteredoutusingexpressions,butthiscanbearesource-intensiveoperation.IftheresultsetforaQueryoraScanexceeds1MB,youcanpagethroughtheresultsin1MBincrements.

Formostoperations,performingaQueryoperationinsteadofaScanoperationwillbethemostefficientoption.PerformingaScanoperationwillresultinafullscanoftheentiretableorsecondaryindex,thenitfiltersoutvaluestoprovidethedesiredresult.UseaQueryoperationwhenpossibleandavoidaScanonalargetableorindexforonlyasmallnumberofitems.

ScalingandPartitioningAmazonDynamoDBisafullymanagedservicethatabstractsawaymostofthecomplexityinvolvedinbuildingandscalingaNoSQLcluster.Youcancreatetablesthatcanscaleuptoholdavirtuallyunlimitednumberofitemswithconsistentlow-latencyperformance.AnAmazonDynamoDBtablecanscalehorizontallythroughtheuseofpartitionstomeetthestorageandperformancerequirementsofyourapplication.Eachindividualpartitionrepresentsaunitofcomputeandstoragecapacity.Awell-designedapplicationwilltakethepartitionstructureofatableintoaccounttodistributereadandwritetransactionsevenlyandachievehightransactionratesatlowlatencies.

AmazonDynamoDBstoresitemsforasingletableacrossmultiplepartitions,asrepresentedinFigure7.4.AmazonDynamoDBdecideswhichpartitiontostoretheiteminbasedonthepartitionkey.Thepartitionkeyisusedtodistributethenewitemamongalloftheavailablepartitions,anditemswiththesamepartitionkeywillbestoredonthesamepartition.

FIGURE7.4Tablepartitioning

Page 242: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

Asthenumberofitemsinatablegrows,additionalpartitionscanbeaddedbysplittinganexistingpartition.Theprovisionedthroughputconfiguredforatableisalsodividedevenlyamongthepartitions.Provisionedthroughputallocatedtoapartitionisentirelydedicatedtothatpartition,andthereisnosharingofprovisionedthroughputacrosspartitions.

Whenatableiscreated,AmazonDynamoDBconfiguresthetable’spartitionsbasedonthedesiredreadandwritecapacity.Onesinglepartitioncanholdabout10GBofdataandsupportsamaximumof3,000readcapacityunitsor1,000writecapacityunits.Forpartitionsthatarenotfullyusingtheirprovisionedcapacity,AmazonDynamoDBprovidessomeburstcapacitytohandlespikesintraffic.Aportionofyourunusedcapacitywillbereservedtohandleburstsforshortperiods.

Asstorageorcapacityrequirementschange,AmazonDynamoDBcansplitapartitiontoaccommodatemoredataorhigherprovisionedrequestrates.Afterapartitionissplit,however,itcannotbemergedbacktogether.Keepthisinmindwhenplanningtoincreaseprovisionedcapacitytemporarilyandthenloweritagain.Witheachadditionalpartitionadded,itsshareoftheprovisionedcapacityisreduced.

Toachievethefullamountofrequestthroughputprovisionedforatable,keepyourworkloadspreadevenlyacrossthepartitionkeyvalues.Distributingrequestsacrosspartitionkeyvaluesdistributestherequestsacrosspartitions.Forexample,ifatablehas10,000readcapacityunitsconfiguredbutallofthetrafficishittingonepartitionkey,youwillnotbeabletogetmorethanthe3,000maximumreadcapacityunitsthatonepartitioncansupport.

TomaximizeAmazonDynamoDBthroughput,createtableswithapartitionkeythathasalargenumberofdistinctvaluesandensurethatthevaluesarerequestedfairlyuniformly.Addingarandomelementthatcanbecalculatedorhashedisonecommontechniquetoimprovepartitiondistribution.

SecurityAmazonDynamoDBgivesyougranularcontrolovertheaccessrightsandpermissionsforusersandadministrators.AmazonDynamoDBintegrateswiththeIAMservicetoprovidestrongcontroloverpermissionsusingpolicies.Youcancreateoneormorepoliciesthatallowordenyspecificoperationsonspecifictables.Youcanalsouseconditionstorestrictaccesstoindividualitemsorattributes.

Alloperationsmustfirstbeauthenticatedasavaliduserorusersession.ApplicationsthatneedtoreadandwritefromAmazonDynamoDBneedtoobtainasetoftemporaryorpermanentaccesscontrolkeys.Whilethesekeyscouldbestoredinaconfigurationfile,abestpracticeisforapplicationsrunningonAWStouseIAMAmazonEC2instanceprofilestomanagecredentials.IAMAmazonEC2instanceprofilesorrolesallowyoutoavoidstoringsensitivekeysinconfigurationfilesthatmustthenbesecured.

Page 243: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

Formobileapplications,abestpracticeistouseacombinationofwebidentityfederationwiththeAWSSecurityTokenService(AWSSTS)toissuetemporarykeysthatexpireafterashortperiod.

AmazonDynamoDBalsoprovidessupportforfine-grainedaccesscontrolthatcanrestrictaccesstospecificitemswithinatableorevenspecificattributeswithinanitem.Forexample,youmaywanttolimitausertoonlyaccesshisorheritemswithinatableandpreventaccesstoitemsassociatedwithadifferentuser.UsingconditionsinanIAMpolicyallowsyoutorestrictwhichactionsausercanperform,onwhichtables,andtowhichattributesausercanreadorwrite.

AmazonDynamoDBStreamsAcommonrequirementformanyapplicationsistokeeptrackofrecentchangesandthenperformsomekindofprocessingonthechangedrecords.AmazonDynamoDBStreamsmakesiteasytogetalistofitemmodificationsforthelast24-hourperiod.Forexample,youmightneedtocalculatemetricsonarollingbasisandupdateadashboard,ormaybesynchronizetwotablesorlogactivityandchangestoanaudittrail.WithAmazonDynamoDBStreams,thesetypesofapplicationsbecomeeasiertobuild.

AmazonDynamoDBStreamsallowsyoutoextendapplicationfunctionalitywithoutmodifyingtheoriginalapplication.Byreadingthelogofactivitychangesfromthestream,youcanbuildnewintegrationsorsupportnewreportingrequirementsthatweren’tpartoftheoriginaldesign.

Eachitemchangeisbufferedinatime-orderedsequenceorstreamthatcanbereadbyotherapplications.Changesareloggedtothestreaminnearreal-timeandallowyoutorespondquicklyorchaintogetherasequenceofeventsbasedonamodification.

StreamscanbeenabledordisabledforanAmazonDynamoDBtableusingtheAWSManagementConsole,CommandLineInterface(CLI),orSDK.Astreamconsistsofstreamrecords.EachstreamrecordrepresentsasingledatamodificationintheAmazonDynamoDBtabletowhichthestreambelongs.Eachstreamrecordisassignedasequencenumber,reflectingtheorderinwhichtherecordwaspublishedtothestream.

Streamrecordsareorganizedintogroups,alsoreferredtoasshards.Eachshardactsasacontainerformultiplestreamrecordsandcontainsinformationonaccessinganditeratingthroughtherecords.Shardsliveforamaximumof24hoursand,withfluctuatingloadlevels,couldbesplitoneormoretimesbeforetheyareeventuallyclosed.

Tobuildanapplicationthatreadsfromashard,itisrecommendedtousetheAmazonDynamoDBStreamsKinesisAdapter.TheKinesisClientLibrary(KCL)simplifiestheapplicationlogicrequiredtoprocessreadingrecordsfromstreamsandshards.

Page 244: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

SummaryInthischapter,youlearnedthebasicconceptsofrelationaldatabases,datawarehouses,andNoSQLdatabases.YoualsolearnedaboutthebenefitsandfeaturesofAWSmanageddatabaseservicesAmazonRDS,AmazonRedshift,andAmazonDynamoDB.

AmazonRDSmanagestheheavyliftinginvolvedinadministeringadatabaseinfrastructureandsoftwareandletsyoufocusonbuildingtherelationalschemasthatbestfityourusecaseandtheperformancetuningtooptimizeyourqueries.

AmazonRDSsupportspopularopen-sourceandcommercialdatabaseenginesandprovidesaconsistentoperationalmodelforcommonadministrativetasks.Increaseyouravailabilitybyrunningamaster-slaveconfigurationacrossAvailabilityZonesusingMulti-AZdeployment.Scaleyourapplicationandincreaseyourdatabasereadperformanceusingreadreplicas.

AmazonRedshiftallowsyoutodeployadatawarehouseclusterthatisoptimizedforanalyticsandreportingworkloadswithinminutes.AmazonRedshiftdistributesyourrecordsusingcolumnarstorageandparallelizesyourqueryexecutionacrossmultiplecomputenodestodeliverfastqueryperformance.AmazonRedshiftclusterscanbescaledupordowntosupportlarge,petabyte-scaledatabasesusingSSDormagneticdiskstorage.

ConnecttoAmazonRedshiftclustersusingstandardSQLclientswithJDBC/ODBCdriversandexecuteSQLqueriesusingmanyofthesameanalyticsandETLtoolsthatyouusetoday.LoaddataintoyourAmazonRedshiftclustersusingtheCOPYcommandtobulkimportflatfilesstoredinAmazonS3,thenrunstandardSELECTcommandstosearchandquerythetable.

BackupbothyourAmazonRDSdatabasesandAmazonRedshiftclustersusingautomatedandmanualsnapshotstoallowforpoint-in-timerecovery.SecureyourAmazonRDSandAmazonRedshiftdatabasesusingacombinationofIAM,database-levelaccesscontrol,network-levelaccesscontrol,anddataencryptiontechniques.

AmazonDynamoDBsimplifiestheadministrationandoperationsofaNoSQLdatabaseinthecloud.AmazonDynamoDBallowsyoutocreatetablesquicklythatcanscaletoanunlimitednumberofitemsandconfigureveryhighlevelsofprovisionedreadandwritecapacity.

AmazonDynamoDBtablesprovideaflexibledatastoragemechanismthatonlyrequiresaprimarykeyandallowsforoneormoreattributes.AmazonDynamoDBsupportsbothsimplescalardatatypeslikeStringandNumber,andalsomorecomplexstructuresusingListandMap.SecureyourAmazonDynamoDBtablesusingIAMandrestrictaccesstoitemsandattributesusingfine-grainedaccesscontrol.

AmazonDynamoDBwillhandlethedifficulttaskofclusterandpartitionmanagementandprovideyouwithahighlyavailabledatabasetablethatreplicatesdataacrossAvailabilityZonesforincreaseddurability.TrackandprocessrecentchangesbytappingintoAmazonDynamoDBStreams.

Page 245: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

ExamEssentialsKnowwhatarelationaldatabaseis.Arelationaldatabaseconsistsofoneormoretables.CommunicationtoandfromrelationaldatabasesusuallyinvolvessimpleSQLqueries,suchas“Addanewrecord,”or“Whatisthecostofproductx?”ThesesimplequeriesareoftenreferredtoasOLTP.

UnderstandwhichdatabasesaresupportedbyAmazonRDS.AmazonRDScurrentlysupportssixrelationaldatabaseengines:

MicrosoftSQLServer

MySQLServer

Oracle

PostgreSQL

MariaDB

AmazonAurora

UnderstandtheoperationalbenefitsofusingAmazonRDS.AmazonRDSisamanagedserviceprovidedbyAWS.AWSisresponsibleforpatching,antivirus,andmanagementoftheunderlyingguestOSforAmazonRDS.AmazonRDSgreatlysimplifiestheprocessofsettingasecondaryslavewithreplicationforfailoverandsettingupreadreplicastooffloadqueries.

RememberthatyoucannotaccesstheunderlyingOSforAmazonRDSDBinstances.YoucannotuseRemoteDesktopProtocol(RDP)orSSHtoconnecttotheunderlyingOS.IfyouneedtoaccesstheOS,installcustomsoftwareoragents,orwanttouseadatabaseenginenotsupportedbyAmazonRDS,considerrunningyourdatabaseonAmazonEC2instead.

KnowthatyoucanincreaseavailabilityusingAmazonRDSMulti-AZdeployment.AddfaulttolerancetoyourAmazonRDSdatabaseusingMulti-AZdeployment.YoucanquicklysetupasecondaryDBInstanceinanotherAvailabilityZonewithMulti-AZforrapidfailover.

UnderstandtheimportanceofRPOandRTO.EachapplicationshouldsetRPOandRTOtargetstodefinetheamountofacceptabledatalossandalsotheamountoftimerequiredtorecoverfromanincident.AmazonRDScanbeusedtomeetawiderangeofRPOandRTOrequirements.

UnderstandthatAmazonRDShandlesMulti-AZfailoverforyou.IfyourprimaryAmazonRDSInstancebecomesunavailable,AWSfailsovertoyoursecondaryinstanceinanotherAvailabilityZoneautomatically.ThisfailoverisdonebypointingyourexistingdatabaseendpointtoanewIPaddress.Youdonothavetochangetheconnectionstringmanually;AWShandlestheDNSchangeautomatically.

RememberthatAmazonRDSreadreplicasareusedforscalingoutandincreasedperformance.Thisreplicationfeaturemakesiteasytoscaleoutyourread-intensivedatabases.ReadreplicasarecurrentlysupportedinAmazonRDSforMySQL,PostgreSQL,

Page 246: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

andAmazonAurora.YoucancreateoneormorereplicasofadatabasewithinasingleAWSRegionoracrossmultipleAWSRegions.AmazonRDSusesnativereplicationtopropagatechangesmadetoasourceDBInstancetoanyassociatedreadreplicas.AmazonRDSalsosupportscross-regionreadreplicastoreplicatechangesasynchronouslytoanothergeographyorAWSRegion.

KnowwhataNoSQLdatabaseis.NoSQLdatabasesarenon-relationaldatabases,meaningthatyoudonothavetohaveanexistingtablecreatedinwhichtostoreyourdata.NoSQLdatabasescomeinthefollowingformats:

Documentdatabases

Graphstores

Key/valuestores

Wide-columnstores

RememberthatAmazonDynamoDBisAWSNoSQLservice.YoushouldrememberthatforNoSQLdatabases,AWSprovidesafullymanagedservicecalledAmazonDynamoDB.AmazonDynamoDBisanextremelyfastNoSQLdatabasewithpredictableperformanceandhighscalability.YoucanuseAmazonDynamoDBtocreateatablethatcanstoreandretrieveanyamountofdataandserveanylevelofrequesttraffic.AmazonDynamoDBautomaticallyspreadsthedataandtrafficforthetableoverasufficientnumberofpartitionstohandletherequestcapacityspecifiedbythecustomerandtheamountofdatastored,whilemaintainingconsistentandfastperformance.

Knowwhatadatawarehouseis.Adatawarehouseisacentralrepositoryfordatathatcancomefromoneormoresources.ThisdatarepositorywouldbeusedforqueryandanalysisusingOLAP.Anorganization’smanagementtypicallyusesadatawarehousetocompilereportsonspecificdata.Datawarehousesareusuallyqueriedwithhighlycomplexqueries.

RememberthatAmazonRedshiftisAWSdatawarehouseservice.YoushouldrememberthatAmazonRedshiftisAmazon’sdatawarehouseservice.AmazonRedshiftorganizesthedatabycolumninsteadofstoringdataasaseriesofrows.Becauseonlythecolumnsinvolvedinthequeriesareprocessedandcolumnardataisstoredsequentiallyonthestoragemedia,column-basedsystemsrequirefarfewerI/Os,whichgreatlyimprovesqueryperformance.Anotheradvantageofcolumnardatastorageistheincreasedcompression,whichcanfurtherreduceoverallI/O.

Page 247: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

ExercisesInordertopasstheexam,youshouldpracticedeployingdatabasesandcreatingtablesusingAmazonRDS,AmazonDynamoDB,andAmazonRedshift.Remembertodeleteanyresourcesyouprovisiontominimizeanycharges.

EXERCISE7.1

CreateaMySQLAmazonRDSInstance1. LogintotheAWSManagementConsole,andnavigatetotheAmazonRDSConsole.

2. LaunchanewAmazonRDSDBInstance,andselectMySQLCommunityEditioninstanceasthedatabaseengine.

3. ConfiguretheDBInstancetouseMulti-AZandGeneralPurpose(SSD)storage.

Warning:ThisisnoteligibleforAWSFreeTier;youwillincurasmallchargebyprovisioningthisinstance.

4. SettheDBInstanceidentifieranddatabasenametoMySQL123,andconfigurethemasterusernameandpassword.

5. Validatetheconfigurationsettings,andlaunchtheDBInstance.

6. ReturntothelistoftheAmazonRDSinstances.YouwillseethestatusofyourAmazonRDSdatabaseasCreating.Itmaytakeupto20minutestocreateyournewAmazonRDSinstance.

YouhaveprovisionedyourfirstAmazonRDSinstanceusingMulti-AZ.

EXERCISE7.2

SimulateaFailoverfromOneAZtoAnotherInthisexercise,youwilluseMulti-AZfailovertosimulateafailoverfromoneAvailabilityZonetoanother.

1. IntheAmazonRDSConsole,viewthelistofDBInstances.

2. FindyourDBInstancecalledMySQL123,andcheckitsstatus.WhenitsstatusisAvailable,proceedtothenextstep.

3. Selecttheinstance,andissueaRebootcommandfromtheactionsmenu.

4. Confirmthereboot.

YouhavenowsimulatedafailoverfromoneAvailabilityZonetoanotherusingMulti-AZfailover.Thefailovershouldtakeapproximatelytwoorthreeminutes.

Page 248: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

EXERCISE7.3

CreateaReadReplicaInthisexercise,youwillcreateareadreplicaofyourexistingMySQL123DBserver.

1. IntheAmazonRDSConsole,viewthelistofDBInstances.

2. FindyourDBInstancecalledMySQL123,andcheckitsstatus.WhenitsstatusisAvailable,proceedtothenextstep.

3. Selecttheinstance,andissueaCreateReadReplicacommandfromthelistofactions.

4. Configurethenameofthereadreplicaandanyothersettings.Createthereplica.

5. Waitforthereplicatobecreated,whichcantypicallytakeseveralminutes.Whenitiscomplete,deleteboththeMySQL123andMySQLReadReplicadatabasesbyclickingthecheckboxesnexttothem,clickingtheInstanceActionsdrop-downbox,andthenclickingDelete.

Intheprecedingexercises,youcreatedanewAmazonRDSMySQLinstancewithMulti-AZenabled.YouthensimulatedafailoverfromoneAvailabilityZonetoanotherbyrebootingtheprimaryinstance.Afterthat,youscaledyourAmazonRDSinstanceoutbycreatingareadreplicaoftheprimarydatabase.DeletetheDBInstance.

EXERCISE7.4

ReadandWritefromaDynamoDBTableInthisexercise,youwillcreateanAmazonDynamoDBtableandthenreadandwritetoitusingtheAWSManagementConsole.

1. LogintotheAWSManagementConsole,andviewtheAmazonDynamoDBconsole.

2. CreateanewtablenamedUserProfilewithapartitionkeyofuserIDoftypeString.

3. Afterthetablehasbeencreated,viewthelistofitemsinthetable.

4. UsingtheAmazonDynamoDBconsole,createandsaveanewiteminthetable.SettheuserIDtoU01,andappendanotherStringattributecallednamewithavalueofJoe.

5. Performascanonthetabletoretrievethenewitem.

YouhavenowcreatedasimpleAmazonDynamoDBtable,putanewitem,andretrieveditusingScan.DeletetheDynamoDBtable.

Page 249: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

EXERCISE7.5

LaunchaRedshiftClusterInthisexercise,youwillcreateadatawarehouseusingAmazonRedshiftandthenreadandwritetoitusingtheAWSManagementConsole.

1. LogintotheAWSManagementConsole,andviewtheAmazonRedshiftConsole.

2. Createanewcluster,configuringthedatabasename,username,andpassword.

3. ConfiguretheclustertobesinglenodeusingoneSSD-backedstoragenode.

4. LaunchtheclusterintoanAmazonVPCusingtheappropriatesecuritygroup.

5. InstallandconfigureSQLWorkbenchonyourlocalcomputer,andconnecttothenewcluster.

6. CreateanewtableandloaddatausingtheCOPYcommand.

YouhavenowcreatedanAmazonRedshiftclusterandconnectedtoitusingastandardSQLclient.Deletetheclusterwhenyouhavecompletedtheexercise.

Page 250: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

ReviewQuestions1. WhichAWSdatabaseserviceisbestsuitedfortraditionalOnlineTransactionProcessing(OLTP)?

A. AmazonRedshift

B. AmazonRelationalDatabaseService(AmazonRDS)

C. AmazonGlacier

D. ElasticDatabase

2. WhichAWSdatabaseserviceisbestsuitedfornon-relationaldatabases?

A. AmazonRedshift

B. AmazonRelationalDatabaseService(AmazonRDS)

C. AmazonGlacier

D. AmazonDynamoDB

3. YouareasolutionsarchitectworkingforamediacompanythathostsitswebsiteonAWS.Currently,thereisasingleAmazonElasticComputeCloud(AmazonEC2)InstanceonAWSwithMySQLinstalledlocallytothatAmazonEC2Instance.Youhavebeenaskedtomakethecompany’sproductionenvironmentmoreresilientandtoincreaseperformance.YousuggestthatthecompanysplitouttheMySQLdatabaseontoanAmazonRDSInstancewithMulti-AZenabled.Thisaddressesthecompany’sincreasedresiliencyrequirements.Nowyouneedtosuggesthowyoucanincreaseperformance.Ninety-ninepercentofthecompany’sendusersaremagazinesubscriberswhowillbereadingadditionalarticlesonthewebsite,soonlyonepercentofenduserswillneedtowritedatatothesite.Whatshouldyousuggesttoincreaseperformance?

A. Altertheconnectionstringsothatifauserisgoingtowritedata,itiswrittentothesecondarycopyoftheMulti-AZdatabase.

B. Altertheconnectionstringsothatifauserisgoingtowritedata,itiswrittentotheprimarycopyoftheMulti-AZdatabase.

C. Recommendthatthecompanyusereadreplicas,anddistributethetrafficacrossmultiplereadreplicas.

D. MigratetheMySQLdatabasetoAmazonRedshifttotakeadvantageofcolumnarstorageandmaximizeperformance.

4. WhichAWSCloudserviceisbestsuitedforOnlineAnalyticsProcessing(OLAP)?

A. AmazonRedshift

B. AmazonRelationalDatabaseService(AmazonRDS)

C. AmazonGlacier

D. AmazonDynamoDB

5. YouhavebeenusingAmazonRelationalDatabaseService(AmazonRDS)forthelast

Page 251: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

yeartorunanimportantapplicationwithautomatedbackupsenabled.Oneofyourteammembersisperformingroutinemaintenanceandaccidentallydropsanimportanttable,causinganoutage.Howcanyourecoverthemissingdatawhileminimizingthedurationoftheoutage?

A. Performanundooperationandrecoverthetable.

B. RestorethedatabasefromarecentautomatedDBsnapshot.

C. RestoreonlythedroppedtablefromtheDBsnapshot.

D. Thedatacannotberecovered.

6. WhichAmazonRelationalDatabaseService(AmazonRDS)databaseenginessupportMulti-AZ?

A. Allofthem

B. MicrosoftSQLServer,MySQL,andOracle

C. Oracle,AmazonAurora,andPostgreSQL

D. MySQL

7. WhichAmazonRelationalDatabaseService(AmazonRDS)databaseenginessupportreadreplicas?

A. MicrosoftSQLServerandOracle

B. MySQL,MariaDB,PostgreSQL,andAurora

C. Aurora,MicrosoftSQLServer,andOracle

D. MySQLandPostgreSQL

8. YourteamisbuildinganorderprocessingsystemthatwillspanmultipleAvailabilityZones.Duringtesting,theteamwantedtotesthowtheapplicationwillreacttoadatabasefailover.Howcanyouenablethistypeoftest?

A. ForceaMulti-AZfailoverfromoneAvailabilityZonetoanotherbyrebootingtheprimaryinstanceusingtheAmazonRDSconsole.

B. TerminatetheDBinstance,andcreateanewone.Updatetheconnectionstring.

C. Createasupportcaseaskingforafailover.

D. Itisnotpossibletotestafailover.

9. YouareasystemadministratorwhosecompanyhasmoveditsproductiondatabasetoAWS.YourcompanymonitorsitsestateusingAmazonCloudWatch,whichsendsalarmsusingAmazonSimpleNotificationService(AmazonSNS)toyourmobilephone.Onenight,yougetanalertthatyourprimaryAmazonRelationalDatabaseService(AmazonRDS)Instancehasgonedown.YouhaveMulti-AZenabledonthisinstance.Whatshouldyoudotoensurethefailoverhappensquickly?

A. UpdateyourDomainNameSystem(DNS)topointtothesecondaryinstance’snewIPaddress,forcingyourapplicationtofailovertothesecondaryinstance.

B. ConnecttoyourserverusingSecureShell(SSH)andupdateyourconnectionstrings

Page 252: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

sothatyourapplicationcancommunicatetothesecondaryinstanceinsteadofthefailedprimaryinstance.

C. Takeasnapshotofthesecondaryinstanceandcreateanewinstanceusingthissnapshot,thenupdateyourconnectionstringtopointtothenewinstance.

D. Noactionisnecessary.Yourconnectionstringpointstothedatabaseendpoint,andAWSautomaticallyupdatesthisendpointtopointtoyoursecondaryinstance.

10. Youareworkingforasmallorganizationwithoutadedicateddatabaseadministratoronstaff.YouneedtoinstallMicrosoftSQLServerEnterpriseeditionquicklytosupportanaccountingbackofficeapplicationonAmazonRelationalDatabaseService(AmazonRDS).Whatshouldyoudo?

A. LaunchanAmazonRDSDBInstance,andselectMicrosoftSQLServerEnterpriseEditionundertheBringYourOwnLicense(BYOL)model.

B. ProvisionSQLServerEnterpriseEditionusingtheLicenseIncludedoptionfromtheAmazonRDSConsole.

C. SQLServerEnterpriseeditionisonlyavailableviatheCommandLineInterface(CLI).Installthecommand-linetoolsonyourlaptop,andthenprovisionyournewAmazonRDSInstanceusingtheCLI.

D. YoucannotuseSQLServerEnterpriseeditiononAmazonRDS.YoushouldinstallthisontoadedicatedAmazonElasticComputeCloud(AmazonEC2)Instance.

11. Youarebuildingthedatabasetierforanenterpriseapplicationthatgetsoccasionalactivitythroughouttheday.Whichstoragetypeshouldyouselectasyourdefaultoption?

A. Magneticstorage

B. GeneralPurposeSolidStateDrive(SSD)

C. ProvisionedIOPS(SSD)

D. StorageAreaNetwork(SAN)-attached

12. Youaredesigningane-commercewebapplicationthatwillscaletopotentiallyhundredsofthousandsofconcurrentusers.Whichdatabasetechnologyisbestsuitedtoholdthesessionstateforlargenumbersofconcurrentusers?

A. RelationaldatabaseusingAmazonRelationalDatabaseService(AmazonRDS)

B. NoSQLdatabasetableusingAmazonDynamoDB

C. DatawarehouseusingAmazonRedshift

D. AmazonSimpleStorageService(AmazonS3)

13. WhichofthefollowingtechniquescanyouusetohelpyoumeetRecoveryPointObjective(RPO)andRecoveryTimeObjective(RTO)requirements?(Choose3answers)

A. DBsnapshots

B. DBoptiongroups

C. Readreplica

Page 253: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

D. Multi-AZdeployment

14. WhenusingAmazonRelationalDatabaseService(AmazonRDS)Multi-AZ,howcanyouoffloadreadrequestsfromtheprimary?(Choose2answers)

A. Configuretheconnectionstringoftheclientstoconnecttothesecondarynodeandperformreadswhiletheprimaryisusedforwrites.

B. AmazonRDSautomaticallysendswritestotheprimaryandsendsreadstothesecondary.

C. AddareadreplicaDBinstance,andconfiguretheclient’sapplicationlogictousearead-replica.

D. CreateacachingenvironmentusingElastiCachetocachefrequentlyuseddata.Updatetheapplicationlogictoread/writefromthecache.

15. Youarebuildingalargeorderprocessingsystemandareresponsibleforsecuringthedatabase.Whichactionswillyoutaketoprotectthedata?(Choose3answers)

A. AdjustAWSIdentityandAccessManagement(IAM)permissionsforadministrators.

B. ConfiguresecuritygroupsandnetworkAccessControlLists(ACLs)tolimitnetworkaccess.

C. Configuredatabaseusers,andgrantpermissionstodatabaseobjects.

D. Installanti-virussoftwareontheAmazonRDSDBInstance.

16. YourteammanagesapopularwebsiterunningAmazonRelationalDatabaseService(AmazonRDS)MySQLbackend.TheMarketingdepartmenthasjustinformedyouaboutanupcomingtelevisioncommercialthatwilldrivethousandsofnewvisitorstothewebsite.Howcanyouprepareyourdatabasetohandletheload?(Choose3answers)

A. VerticallyscaletheDBInstancebyselectingamorepowerfulinstanceclass.

B. Createreadreplicastooffloadreadrequestsandupdateyourapplication.

C. UpgradethestoragefromMagneticvolumestoGeneralPurposeSolidStateDrive(SSD)volumes.

D. UpgradetoAmazonRedshiftforfastercolumnarstorage.

17. YouarebuildingaphotomanagementapplicationthatmaintainsmetadataonmillionsofimagesinanAmazonDynamoDBtable.Whenaphotoisretrieved,youwanttodisplaythemetadatanexttotheimage.WhichAmazonDynamoDBoperationwillyouusetoretrievethemetadataattributesfromthetable?

A. Scanoperation

B. Searchoperation

C. Queryoperation

D. Findoperation

18. YouarecreatinganAmazonDynamoDBtablethatwillcontainmessagesforasocialchatapplication.Thistablewillhavethefollowingattributes:Username(String),Timestamp(Number),Message(String).Whichattributeshouldyouuseasthepartitionkey?The

Page 254: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

sortkey?

A. Username,Timestamp

B. Username,Message

C. Timestamp,Message

D. Message,Timestamp

19. WhichofthefollowingstatementsaboutAmazonDynamoDBtablesaretrue?(Choose2answers)

A. Globalsecondaryindexescanonlybecreatedwhenthetableisbeingcreated.

B. Localsecondaryindexescanonlybecreatedwhenthetableisbeingcreated.

C. Youcanonlyhaveoneglobalsecondaryindex.

D. Youcanonlyhaveonelocalsecondaryindex.

20. WhichofthefollowingworkloadsareagoodfitforrunningonAmazonRedshift?(Choose2answers)

A. Transactionaldatabasesupportingabusye-commerceorderprocessingwebsite

B. Reportingdatabasesupportingback-officeanalytics

C. Datawarehouseusedtoaggregatemultipledisparatedatasources

D. Managesessionstateanduserprofiledataforthousandsofconcurrentusers

Page 255: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

Chapter8SQS,SWF,andSNSTHEAWSCERTIFIEDSOLUTIONSARCHITECTASSOCIATEEXAMOBJECTIVESCOVEREDINTHISCHAPTERMAYINCLUDE,BUTARENOTLIMITEDTO,THEFOLLOWING:1Domain1.0:Designinghighlyavailable,cost-efficient,fault-tolerant,scalablesystems

1.1Identifyandrecognizecloudarchitectureconsiderations,suchasfundamentalcomponentsandeffectivedesigns.

Contentmayincludethefollowing:

Howtodesigncloudservices

Planninganddesign

Monitoringandlogging

Familiaritywith:

BestpracticesforAWSarchitecture

Architecturaltrade-offdecisions(e.g.,highavailabilityvs.cost,AmazonRelationalDatabaseService[AmazonRDS]vs.installingyourowndatabaseonAmazonElasticComputeCloud[AmazonEC2])

Elasticityandscalability(e.g.,AutoScaling,AmazonSimpleQueueService[AmazonSQS],ElasticLoadBalancing,AmazonCloudFront)

Domain2.0:Implementation/Deployment

2.1IdentifytheappropriatetechniquesandmethodsusingAmazonEC2,AmazonSimpleStorageService(AmazonS3),AWSElasticBeanstalk,AWSCloudFormation,AWSOpsWorks,AmazonVPC,andAWSIdentityandAccessManagement(IAM)tocodeandimplementacloudsolution.

Domain4.0:Troubleshooting

Contentmayincludethefollowing:

Generaltroubleshootinginformationandquestions

ThereareanumberofservicesundertheApplicationandMobileServicessectionoftheAWSManagementConsole.Atthetimeofwritingthischapter,application

Page 256: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

servicesincludeAmazonSimpleQueueService(AmazonSQS),AmazonSimpleWorkflowService(AmazonSWF),AmazonAppStream,AmazonElasticTranscoder,AmazonSimpleEmailService(AmazonSES),AmazonCloudSearch,andAmazonAPIGateway.MobileservicesincludeAmazonCognito,AmazonSimpleNotificationService(AmazonSNS),AWSDeviceFarm,andAmazonMobileAnalytics.Thischapterfocusesonthecoreservicesyouarerequiredtobefamiliarwithtopasstheexam:AmazonSQS,AmazonSWF,andAmazonSNS.

Page 257: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

AmazonSimpleQueueService(AmazonSQS)AmazonSQSisafast,reliable,scalable,andfullymanagedmessagequeuingservice.AmazonSQSmakesitsimpleandcosteffectivetodecouplethecomponentsofacloudapplication.YoucanuseAmazonSQStotransmitanyvolumeofdata,atanylevelofthroughput,withoutlosingmessagesorrequiringotherservicestobecontinuouslyavailable.

WithAmazonSQS,youcanoffloadtheadministrativeburdenofoperatingandscalingahighlyavailablemessagingclusterwhilepayingalowpriceforonlywhatyouuse.UsingAmazonSQS,youcanstoreapplicationmessagesonreliableandscalableinfrastructure,enablingyoutomovedatabetweendistributedcomponentstoperformdifferenttasksasneeded.

AnAmazonSQSqueueisbasicallyabufferbetweentheapplicationcomponentsthatreceivedataandthosecomponentsthatprocessthedatainyoursystem.Ifyourprocessingserverscannotprocesstheworkfastenough(perhapsduetoaspikeintraffic),theworkisqueuedsothattheprocessingserverscangettoitwhentheyareready.Thismeansthatworkisnotlostduetoinsufficientresources.

AmazonSQSensuresdeliveryofeachmessageatleastonceandsupportsmultiplereadersandwritersinteractingwiththesamequeue.Asinglequeuecanbeusedsimultaneouslybymanydistributedapplicationcomponents,withnoneedforthosecomponentstocoordinatewithoneanothertosharethequeue.Althoughmostofthetimeeachmessagewillbedeliveredtoyourapplicationexactlyonce,youshoulddesignyoursystemtobeidempotent(thatis,itmustnotbeadverselyaffectedifitprocessesthesamemessagemorethanonce).

AmazonSQSisengineeredtobehighlyavailableandtodelivermessagesreliablyandefficiently;however,theservicedoesnotguaranteeFirstIn,FirstOut(FIFO)deliveryofmessages.Formanydistributedapplications,eachmessagecanstandonitsownand,ifallmessagesaredelivered,theorderisnotimportant.Ifyoursystemrequiresthatorderbepreserved,youcanplacesequencinginformationineachmessagesothatyoucanreorderthemessageswhentheyareretrievedfromthequeue.

MessageLifecycleThediagramandprocessshowninFigure8.1describesthelifecycleofanAmazonSQSmessage,calledMessageA,fromcreationtodeletion.Assumethataqueuealreadyexists.

Page 258: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

FIGURE8.1Messagelifecycle

1. Component1sendsMessageAtoaqueue,andthemessageisredundantlydistributedacrosstheAmazonSQSservers.

2. WhenComponent2isreadytoprocessamessage,itretrievesmessagesfromthequeue,andMessageAisreturned.WhileMessageAisbeingprocessed,itremainsinthequeueandisnotreturnedtosubsequentlyreceiverequestsforthedurationofthevisibilitytimeout.

3. Component2deletesMessageAfromthequeuetopreventthemessagefrombeingreceivedandprocessedagainafterthevisibilitytimeoutexpires.

DelayQueuesandVisibilityTimeoutsDelayqueuesallowyoutopostponethedeliveryofnewmessagesinaqueueforaspecificnumberofseconds.Ifyoucreateadelayqueue,anymessagethatyousendtothatqueuewillbeinvisibletoconsumersforthedurationofthedelayperiod.Tocreateadelayqueue,useCreateQueueandsettheDelaySecondsattributetoanyvaluebetween0and900(15minutes).YoucanalsoturnanexistingqueueintoadelayqueuebyusingSetQueueAttributestosetthequeue’sDelaySecondsattribute.ThedefaultvalueforDelaySecondsis0.

Delayqueuesaresimilartovisibilitytimeoutsinthatbothfeaturesmakemessages

Page 259: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

unavailabletoconsumersforaspecificperiodoftime.Thedifferenceisthatadelayqueuehidesamessagewhenitisfirstaddedtothequeue,whereasavisibilitytimeouthidesamessageonlyafterthatmessageisretrievedfromthequeue.Figure8.2illustratesthefunctioningofavisibilitytimeout.

FIGURE8.2Diagramofvisibilitytimeout

Whenamessageisinthequeuebutisneitherdelayednorinavisibilitytimeout,itisconsideredtobe“inflight.”Youcanhaveupto120,000messagesinflightatanygiventime.AmazonSQSsupportsupto12hours’maximumvisibilitytimeout.

SeparateThroughputfromLatency

LikemanyotherAWSCloudservices,AmazonSQSisaccessedthroughHTTPrequest-response,andatypicalAmazonSQSrequest-responsetakesabitlessthan20msfromAmazonElasticComputeCloud(AmazonEC2).Thismeansthatfromasinglethread,youcan,onaverage,issue50+ApplicationProgrammingInterface(API)requestspersecond(abitfewerforbatchAPIrequests,butthosedomorework).Thethroughputscaleshorizontally,sothemorethreadsandhostsyouadd,thehigherthethroughput.Usingthisscalingmodel,someAWScustomershavequeuesthatprocessthousandsofmessageseverysecond.

QueueOperations,UniqueIDs,andMetadataThedefinedoperationsforAmazonSQSqueuesareCreateQueue,ListQueues,DeleteQueue,SendMessage,SendMessageBatch,ReceiveMessage,DeleteMessage,DeleteMessageBatch,PurgeQueue,ChangeMessageVisibility,ChangeMessageVisibilityBatch,SetQueueAttributes,GetQueueAttributes,GetQueueUrl,ListDeadLetterSourceQueues,AddPermission,andRemovePermission.OnlytheAWSaccountowneroranAWSidentitythathasbeengrantedtheproperpermissionscanperformoperations.

YourmessagesareidentifiedviaagloballyuniqueIDthatAmazonSQSreturnswhenthemessageisdeliveredtothequeue.TheIDisn’trequiredinordertoperformanyfurtheractionsonthemessage,butit’susefulfortrackingwhetheraparticularmessageinthequeuehasbeenreceived.Whenyoureceiveamessagefromthequeue,theresponseincludesa

Page 260: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

receipthandle,whichyoumustprovidewhendeletingthemessage.

QueueandMessageIdentifiersAmazonSQSusesthreeidentifiersthatyouneedtobefamiliarwith:queueURLs,messageIDs,andreceipthandles.

Whencreatinganewqueue,youmustprovideaqueuenamethatisuniquewithinthescopeofallofyourqueues.AmazonSQSassignseachqueueanidentifiercalledaqueueURL,whichincludesthequeuenameandothercomponentsthatAmazonSQSdetermines.Wheneveryouwanttoperformanactiononaqueue,youmustprovideitsqueueURL.

AmazonSQSassignseachmessageauniqueIDthatitreturnstoyouintheSendMessageresponse.Thisidentifierisusefulforidentifyingmessages,butnotethattodeleteamessage,youneedthemessage’sreceipthandleinsteadofthemessageID.ThemaximumlengthofamessageIDis100characters.

Eachtimeyoureceiveamessagefromaqueue,youreceiveareceipthandleforthatmessage.Thehandleisassociatedwiththeactofreceivingthemessage,notwiththemessageitself.Asstatedpreviously,todeletethemessageortochangethemessagevisibility,youmustprovidethereceipthandleandnotthemessageID.Thismeansyoumustalwaysreceiveamessagebeforeyoucandeleteit(thatis,youcan’tputamessageintothequeueandthenrecallit).Themaximumlengthofareceipthandleis1,024characters.

MessageAttributesAmazonSQSprovidessupportformessageattributes.Messageattributesallowyoutoprovidestructuredmetadataitems(suchastimestamps,geospatialdata,signatures,andidentifiers)aboutthemessage.Messageattributesareoptionalandseparatefrom,butsentalongwith,themessagebody.Thereceiverofthemessagecanusethisinformationtohelpdecidehowtohandlethemessagewithouthavingtoprocessthemessagebodyfirst.Eachmessagecanhaveupto10attributes.Tospecifymessageattributes,youcanusetheAWSManagementConsole,AWSSoftwareDevelopmentKits(SDKs),oraqueryAPI.

LongPollingWhenyourapplicationqueriestheAmazonSQSqueueformessages,itcallsthefunctionReceiveMessage.ReceiveMessagewillcheckfortheexistenceofamessageinthequeueandreturnimmediately,eitherwithorwithoutamessage.Ifyourcodemakesperiodiccallstothequeue,thispatternissufficient.IfyourSQSclientisjustaloopthatrepeatedlychecksfornewmessages,however,thenthispatternbecomesproblematic,astheconstantcallstoReceiveMessageburnCPUcyclesandtieupathread.

Inthissituation,youwillwanttouselongpolling.Withlongpolling,yousendaWaitTimeSecondsargumenttoReceiveMessageofupto20seconds.Ifthereisnomessageinthequeue,thenthecallwillwaituptoWaitTimeSecondsforamessagetoappearbeforereturning.Ifamessageappearsbeforethetimeexpires,thecallwillreturnthemessagerightaway.Longpollingdrasticallyreducestheamountofloadonyourclient.

DeadLetterQueues

Page 261: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

AmazonSQSprovidessupportfordeadletterqueues.Adeadletterqueueisaqueuethatother(source)queuescantargettosendmessagesthatforsomereasoncouldnotbesuccessfullyprocessed.Aprimarybenefitofusingadeadletterqueueistheabilitytosidelineandisolatetheunsuccessfullyprocessedmessages.Youcanthenanalyzeanymessagessenttothedeadletterqueuetotrytodeterminethecauseoffailure.

Messagescanbesenttoandreceivedfromadeadletterqueue,justlikeanyotherAmazonSQSqueue.YoucancreateadeadletterqueuefromtheAmazonSQSAPIandtheAmazonSQSconsole.

AccessControlWhileIAMcanbeusedtocontroltheinteractionsofdifferentAWSidentitieswithqueues,thereareoftentimeswhenyouwillwanttoexposequeuestootheraccounts.Thesesituationsmayinclude:

YouwanttograntanotherAWSaccountaparticulartypeofaccesstoyourqueue(forexample,SendMessage).

YouwanttograntanotherAWSaccountaccesstoyourqueueforaspecificperiodoftime.

YouwanttograntanotherAWSaccountaccesstoyourqueueonlyiftherequestscomefromyourAmazonEC2instances.

YouwanttodenyanotherAWSaccountaccesstoyourqueue.

WhileclosecoordinationbetweenaccountsmayallowthesetypesofactionsthroughtheuseofIAMroles,thatlevelofcoordinationisfrequentlyunfeasible.

AmazonSQSAccessControlallowsyoutoassignpoliciestoqueuesthatgrantspecificinteractionstootheraccountswithoutthataccounthavingtoassumeIAMrolesfromyouraccount.ThesepoliciesarewritteninthesameJSONlanguageasIAM.Forexample,thefollowingsamplepolicygivesthedeveloperwithAWSaccountnumber111122223333theSendMessagepermissionforthequeuenamed444455556666/queue1intheUSEast(N.Virginia)region.

{

"Version":"2012&#x02013;10–17",

"Id":"Queue1_Policy_UUID",

"Statement":[

{

"Sid":"Queue1_SendMessage",

"Effect":"Allow",

"Principal":{

"AWS":"111122223333"

},

"Action":"sqs:SendMessage",

"Resource":"arn:aws:sqs:us-east-1:444455556666:queue1"

}

]

}

Page 262: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

TradeoffMessageDurabilityandLatency

AmazonSQSdoesnotreturnsuccesstoaSendMessageAPIcalluntilthemessageisdurablystoredinAmazonSQS.Thismakestheprogrammingmodelverysimplewithnodoubtaboutthesafetyofmessages,unlikethesituationwithanasynchronousmessagingmodel.Ifyoudon’tneedadurablemessagingsystem,however,youcanbuildanasynchronous,client-sidebatchingontopofAmazonSQSlibrariesthatdelaysenqueueofmessagestoAmazonSQSandtransmitsasetofmessagesinabatch.Pleasebeawarethatwithaclient-sidebatchingapproach,youcouldpotentiallylosemessageswhenyourclientprocessorclienthostdiesforanyreason.

Page 263: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

AmazonSimpleWorkflowService(AmazonSWF)AmazonSWFmakesiteasytobuildapplicationsthatcoordinateworkacrossdistributedcomponents.InAmazonSWF,ataskrepresentsalogicalunitofworkthatisperformedbyacomponentofyourapplication.Coordinatingtasksacrosstheapplicationinvolvesmanaginginter-taskdependencies,scheduling,andconcurrencyinaccordancewiththelogicalflowoftheapplication.AmazonSWFgivesyoufullcontroloverimplementingandcoordinatingtaskswithoutworryingaboutunderlyingcomplexitiessuchastrackingtheirprogressandmaintainingtheirstate.

WhenusingAmazonSWF,youimplementworkerstoperformtasks.Theseworkerscanruneitheroncloudinfrastructure,suchasAmazonEC2,oronyourownpremises.Youcancreatelong-runningtasksthatmightfail,timeout,orrequirerestarts,ortasksthatcancompletewithvaryingthroughputandlatency.AmazonSWFstorestasks,assignsthemtoworkerswhentheyareready,monitorstheirprogress,andmaintainstheirstate,includingdetailsontheircompletion.Tocoordinatetasks,youwriteaprogramthatgetsthelateststateofeachtaskfromAmazonSWFandusesittoinitiatesubsequenttasks.AmazonSWFmaintainsanapplication’sexecutionstatedurablysothattheapplicationisresilienttofailuresinindividualcomponents.WithAmazonSWF,youcanimplement,deploy,scale,andmodifytheseapplicationcomponentsindependently.

WorkflowsUsingAmazonSWF,youcanimplementdistributed,asynchronousapplicationsasworkflows.Workflowscoordinateandmanagetheexecutionofactivitiesthatcanberunasynchronouslyacrossmultiplecomputingdevicesandthatcanfeaturebothsequentialandparallelprocessing.

Whendesigningaworkflow,analyzeyourapplicationtoidentifyitscomponenttasks,whicharerepresentedinAmazonSWFasactivities.Theworkflow’scoordinationlogicdeterminestheorderinwhichactivitiesareexecuted.

WorkflowDomainsDomainsprovideawayofscopingAmazonSWFresourceswithinyourAWSaccount.Youmustspecifyadomainforallthecomponentsofaworkflow,suchastheworkflowtypeandactivitytypes.Itispossibletohavemorethanoneworkflowinadomain;however,workflowsindifferentdomainscannotinteractwithoneanother.

WorkflowHistoryTheworkflowhistoryisadetailed,complete,andconsistentrecordofeveryeventthatoccurredsincetheworkflowexecutionstarted.Aneventrepresentsadiscretechangeinyourworkflowexecution’sstate,suchasscheduledandcompletedactivities,tasktimeouts,andsignals.

ActorsAmazonSWFconsistsofanumberofdifferenttypesofprogrammaticfeaturesknownas

Page 264: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

actors.Actorscanbeworkflowstarters,deciders,oractivityworkers.TheseactorscommunicatewithAmazonSWFthroughitsAPI.Youcandevelopactorsinanyprogramminglanguage.

Aworkflowstarterisanyapplicationthatcaninitiateworkflowexecutions.Forexample,oneworkflowstartercouldbeane-commercewebsitewhereacustomerplacesanorder.Anotherworkflowstartercouldbeamobileapplicationwhereacustomerorderstakeoutfoodorrequestsataxi.

Activitieswithinaworkflowcanrunsequentially,inparallel,synchronously,orasynchronously.Thelogicthatcoordinatesthetasksinaworkflowiscalledthedecider.Thedeciderschedulestheactivitytasksandprovidesinputdatatotheactivityworkers.Thedecideralsoprocesseseventsthatarrivewhiletheworkflowisinprogressandclosestheworkflowwhentheobjectivehasbeencompleted.

Anactivityworkerisasinglecomputerprocess(orthread)thatperformstheactivitytasksinyourworkflow.Differenttypesofactivityworkersprocesstasksofdifferentactivitytypes,andmultipleactivityworkerscanprocessthesametypeoftask.Whenanactivityworkerisreadytoprocessanewactivitytask,itpollsAmazonSWFfortasksthatareappropriateforthatactivityworker.Afterreceivingatask,theactivityworkerprocessesthetasktocompletionandthenreturnsthestatusandresulttoAmazonSWF.Theactivityworkerthenpollsforanewtask.

TasksAmazonSWFprovidesactivityworkersanddeciderswithworkassignments,givenasoneofthreetypesoftasks:activitytasks,AWSLambdatasks,anddecisiontasks.

Anactivitytasktellsanactivityworkertoperformitsfunction,suchastocheckinventoryorchargeacreditcard.Theactivitytaskcontainsalltheinformationthattheactivityworkerneedstoperformitsfunction.

AnAWSLambdataskissimilartoanactivitytask,butexecutesanAWSLambdafunctioninsteadofatraditionalAmazonSWFactivity.FormoreinformationabouthowtodefineanAWSLambdatask,seetheAWSdocumentationonAWSLambdatasks.

Adecisiontasktellsadeciderthatthestateoftheworkflowexecutionhaschangedsothatthedecidercandeterminethenextactivitythatneedstobeperformed.Thedecisiontaskcontainsthecurrentworkflowhistory.

AmazonSWFschedulesadecisiontaskwhentheworkflowstartsandwheneverthestateoftheworkflowchanges,suchaswhenanactivitytaskcompletes.Eachdecisiontaskcontainsapaginatedviewoftheentireworkflowexecutionhistory.ThedecideranalyzestheworkflowexecutionhistoryandrespondsbacktoAmazonSWFwithasetofdecisionsthatspecifywhatshouldoccurnextintheworkflowexecution.Essentially,everydecisiontaskgivesthedecideranopportunitytoassesstheworkflowandprovidedirectionbacktoAmazonSWF.

TaskListsTasklistsprovideawayoforganizingthevarioustasksassociatedwithaworkflow.Youcouldthinkoftasklistsassimilartodynamicqueues.WhenataskisscheduledinAmazonSWF,youcanspecifyaqueue(tasklist)toputitin.Similarly,whenyoupollAmazonSWFfora

Page 265: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

task,youdeterminewhichqueue(tasklist)togetthetaskfrom.

Tasklistsprovideaflexiblemechanismtoroutetaskstoworkersasyourusecasenecessitates.Tasklistsaredynamicinthatyoudon’tneedtoregisteratasklistorexplicitlycreateitthroughanaction—simplyschedulingataskcreatesthetasklistifitdoesn’talreadyexist.

LongPollingDecidersandactivityworkerscommunicatewithAmazonSWFusinglongpolling.ThedecideroractivityworkerperiodicallyinitiatescommunicationwithAmazonSWF,notifyingAmazonSWFofitsavailabilitytoacceptatask,andthenspecifiesatasklisttogettasksfrom.Longpollingworkswellforhigh-volumetaskprocessing.Decidersandactivityworkerscanmanagetheirowncapacity.

ObjectIdentifiersAmazonSWFobjectsareuniquelyidentifiedbyworkflowtype,activitytype,decisionandactivitytasks,andworkflowexecution:

Aregisteredworkflowtypeisidentifiedbyitsdomain,name,andversion.WorkflowtypesarespecifiedinthecalltoRegisterWorkflowType.

Aregisteredactivitytypeisidentifiedbyitsdomain,name,andversion.ActivitytypesarespecifiedinthecalltoRegisterActivityType.

Eachdecisiontaskandactivitytaskisidentifiedbyauniquetasktoken.ThetasktokenisgeneratedbyAmazonSWFandisreturnedwithotherinformationaboutthetaskintheresponsefromPollForDecisionTaskorPollForActivityTask.Althoughthetokenismostcommonlyusedbytheprocessthatreceivedthetask,thatprocesscouldpassthetokentoanotherprocess,whichcouldthenreportthecompletionorfailureofthetask.

Asingleexecutionofaworkflowisidentifiedbythedomain,workflowID,andrunID.ThefirsttwoareparametersthatarepassedtoStartWorkflowExecution.TherunIDisreturnedbyStartWorkflowExecution.

WorkflowExecutionClosureAfteryoustartaworkflowexecution,itisopen.Anopenworkflowexecutioncanbeclosedascompleted,canceled,failed,ortimedout.Itcanalsobecontinuedasanewexecution,oritcanbeterminated.Thedecider,thepersonadministeringtheworkflow,orAmazonSWFcancloseaworkflowexecution.

LifecycleofaWorkflowExecutionFromthestartofaworkflowexecutiontoitscompletion,AmazonSWFinteractswithactorsbyassigningthemappropriatetasks:eitheractivitytasksordecisiontasks.

Figure8.3showsthelifecycleofanorder-processingworkflowexecutionfromtheperspectiveofcomponentsthatactonit.

Page 266: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

FIGURE8.3AmazonSWFworkflowillustration

Thefollowing20stepsdescribetheworkflowdetailedinFigure8.3:

1. AworkflowstartercallsanAmazonSWFactiontostarttheworkflowexecutionforanorder,providingorderinformation.

2. AmazonSWFreceivesthestartworkflowexecutionrequestandthenschedulesthefirstdecisiontask.

3. ThedeciderreceivesthetaskfromAmazonSWF,reviewsthehistory,andappliesthecoordinationlogictodeterminethatnopreviousactivitiesoccurred.ItthenmakesadecisiontoscheduletheVerifyOrderactivitywiththeinformationtheactivityworkerneedstoprocessthetaskandreturnsthedecisiontoAmazonSWF.

4. AmazonSWFreceivesthedecision,schedulestheVerifyOrderactivitytask,andwaitsfortheactivitytasktocompleteortimeout.

5. AnactivityworkerthatcanperformtheVerifyOrderactivityreceivesthetask,performsit,andreturnstheresultstoAmazonSWF.

6. AmazonSWFreceivestheresultsoftheVerifyOrderactivity,addsthemtotheworkflowhistory,andschedulesadecisiontask.

7. ThedeciderreceivesthetaskfromAmazonSWF,reviewsthehistory,appliesthecoordinationlogic,makesadecisiontoscheduleaChargeCreditCardactivitytaskwithinformationtheactivityworkerneedstoprocessthetask,andreturnsthedecisiontoAmazonSWF.

8. AmazonSWFreceivesthedecision,schedulestheChargeCreditCardactivitytask,andwaitsforittocompleteortimeout.

9. AnactivityworkeractivityreceivestheChargeCreditCardtask,performsit,andreturnstheresultstoAmazonSWF.

10. AmazonSWFreceivestheresultsoftheChargeCreditCardactivitytask,addsthemtotheworkflowhistory,andschedulesadecisiontask.

11. ThedeciderreceivesthetaskfromAmazonSWF,reviewsthehistory,appliesthecoordinationlogic,makesadecisiontoscheduleaShipOrderactivitytaskwiththeinformationtheactivityworkerneedstoperformthetask,andreturnsthedecisiontoAmazonSWF.

12. AmazonSWFreceivesthedecision,schedulesaShipOrderactivitytask,andwaitsforit

Page 267: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

tocompleteortimeout.

13. AnactivityworkerthatcanperformtheShipOrderactivityreceivesthetask,performsit,andreturnstheresultstoAmazonSWF.

14. AmazonSWFreceivestheresultsoftheShipOrderactivitytask,addsthemtotheworkflowhistory,andschedulesadecisiontask.

15. ThedeciderreceivesthetaskfromAmazonSWF,reviewsthehistory,appliesthecoordinationlogic,makesadecisiontoscheduleaRecordCompletionactivitytaskwiththeinformationtheactivityworkerneeds,performsthetask,andreturnsthedecisiontoAmazonSWF.

16. AmazonSWFreceivesthedecision,schedulesaRecordCompletionactivitytask,andwaitsforittocompleteortimeout.

17. AnactivityworkerRecordCompletionreceivesthetask,performsit,andreturnstheresultstoAmazonSWF.

18. AmazonSWFreceivestheresultsoftheRecordCompletionactivitytask,addsthemtotheworkflowhistory,andschedulesadecisiontask.

19. ThedeciderreceivesthetaskfromAmazonSWF,reviewsthehistory,appliesthecoordinationlogic,makesadecisiontoclosetheworkflowexecution,andreturnsthedecisionalongwithanyresultstoAmazonSWF.

20. AmazonSWFclosestheworkflowexecutionandarchivesthehistoryforfuturereference.

Page 268: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

AmazonSimpleNotificationService(AmazonSNS)AmazonSNSisawebserviceformobileandenterprisemessagingthatenablesyoutosetup,operate,andsendnotifications.Itisdesignedtomakeweb-scalecomputingeasierfordevelopers.AmazonSNSfollowsthepublish-subscribe(pub-sub)messagingparadigm,withnotificationsbeingdeliveredtoclientsusingapushmechanismthateliminatestheneedtocheckperiodically(orpoll)fornewinformationandupdates.Forexample,youcansendnotificationstoApple,Android,FireOS,andWindowsdevices.InChina,youcansendmessagestoAndroiddeviceswithBaiduCloudPush.YoucanuseAmazonSNStosendShortMessageService(SMS)messagestomobiledeviceusersintheUnitedStatesortoemailrecipientsworldwide.

AmazonSNSconsistsoftwotypesofclients:publishersandsubscribers(sometimesknownasproducersandconsumers).Publisherscommunicatetosubscribersasynchronouslybysendingamessagetoatopic.Atopicissimplyalogicalaccesspoint/communicationchannelthatcontainsalistofsubscribersandthemethodsusedtocommunicatetothem.Whenyousendamessagetoatopic,itisautomaticallyforwardedtoeachsubscriberofthattopicusingthecommunicationmethodconfiguredforthatsubscriber.

Figure8.4showsthisprocessatahighlevel.Apublisherissuesamessageonatopic.Themessageisthendeliveredtothesubscribersofthattopicusingdifferentmethods,suchasAmazonSQS,HTTP,HTTPS,email,SMS,andAWSLambda.

FIGURE8.4Diagramoftopicdelivery

WhenusingAmazonSNS,you(astheowner)createatopicandcontrolaccesstoitbydefiningpoliciesthatdeterminewhichpublishersandsubscriberscancommunicatewiththetopicandviawhichtechnologies.Publisherssendmessagestotopicsthattheycreatedorthat

Page 269: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

theyhavepermissiontopublishto.Insteadofincludingaspecificdestinationaddressineachmessage,apublishersendsamessagetothetopic,andAmazonSNSdeliversthemessagetoeachsubscriberforthattopic.EachtopichasauniquenamethatidentifiestheAmazonSNSendpointwherepublisherspostmessagesandsubscribersregisterfornotifications.Subscribersreceiveallmessagespublishedtothetopicstowhichtheysubscribe,andallsubscriberstoatopicreceivethesamemessages.

CommonAmazonSNSScenariosAmazonSNScansupportawidevarietyofneeds,includingmonitoringapplications,workflowsystems,time-sensitiveinformationupdates,mobileapplications,andanyotherapplicationthatgeneratesorconsumesnotifications.Forexample,youcanuseAmazonSNStorelayeventsinworkflowsystemsamongdistributedcomputerapplications,movedatabetweendatastores,orupdaterecordsinbusinesssystems.Eventupdatesandnotificationsconcerningvalidation,approval,inventorychanges,andshipmentstatusareimmediatelydeliveredtorelevantsystemcomponentsandendusers.AnotherexampleuseforAmazonSNSistorelaytime-criticaleventstomobileapplicationsanddevices.BecauseAmazonSNSisbothhighlyreliableandscalable,itprovidessignificantadvantagestodeveloperswhobuildapplicationsthatrelyonreal-timeevents.

Tohelpillustrate,thefollowingsectionsdescribesomecommonAmazonSNSscenarios,includingfanoutscenarios,applicationandsystemalerts,pushemailandtextmessaging,andmobilepushnotifications.

FanoutAfanoutscenarioiswhenanAmazonSNSmessageissenttoatopicandthenreplicatedandpushedtomultipleAmazonSQSqueues,HTTPendpoints,oremailaddresses(seeFigure8.5).Thisallowsforparallelasynchronousprocessing.Forexample,youcandevelopanapplicationthatsendsanAmazonSNSmessagetoatopicwheneveranorderisplacedforaproduct.ThentheAmazonSQSqueuesthataresubscribedtothattopicwillreceiveidenticalnotificationsfortheneworder.AnAmazonEC2instanceattachedtooneofthequeueshandlestheprocessingorfulfillmentoftheorder,whileanAmazonEC2instanceattachedtoaparallelqueuesendsorderdatatoadatawarehouseapplication/serviceforanalysis.

Page 270: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

FIGURE8.5Diagramoffanoutscenario

Anotherwaytousefanoutistoreplicatedatasenttoyourproductionenvironmentandintegrateitwithyourdevelopmentenvironment.Expandinguponthepreviousexample,youcansubscribeyetanotherqueuetothesametopicfornewincomingorders.Then,byattachingthisnewqueuetoyourdevelopmentenvironment,youcancontinuetoimproveandtestyourapplicationusingdatareceivedfromyourproductionenvironment.

ApplicationandSystemAlertsApplicationandsystemalertsareSMSand/oremailnotificationsthataretriggeredbypredefinedthresholds.Forexample,becausemanyAWSCloudservicesuseAmazonSNS,youcanreceiveimmediatenotificationwhenaneventoccurs,suchasaspecificchangetoyourAutoScalinggroupinAWS.

PushEmailandTextMessagingPushemailandtextmessagingaretwowaystotransmitmessagestoindividualsorgroupsviaemailand/orSMS.Forexample,youcanuseAmazonSNStopushtargetednewsheadlinestosubscribersbyemailorSMS.UponreceivingtheemailorSMStext,interestedreaderscanthenchoosetolearnmorebyvisitingawebsiteorlaunchinganapplication.

MobilePushNotificationsMobilepushnotificationsenableyoutosendmessagesdirectlytomobileapplications.Forexample,youcanuseAmazonSNSforsendingnotificationstoanapplication,indicatingthatanupdateisavailable.Thenotificationmessagecanincludealinktodownloadandinstalltheupdate.

Page 271: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

SummaryInthischapter,youlearnedaboutthecoreapplicationandmobileservicesthatyouwillbetestedoninyourAWSCertifiedSolutionsArchitect–Associateexam.

AmazonSQSisauniqueservicedesignedbyAmazontohelpyoudecoupleyourinfrastructure.UsingAmazonSQS,youcanstoremessagesonreliableandscalableinfrastructureastheytravelbetweendistributedcomponentsofyourapplicationsthatperformdifferenttasks,withoutlosingmessagesorrequiringeachcomponenttobecontinuouslyavailable.

UnderstandAmazonSQSqueueoperations,uniqueIDs,andmetadata.BefamiliarwithqueueandmessageidentifierssuchasqueueURLs,messageIDs,andreceipthandles.Understandrelatedconceptssuchasdelayqueues,messageattributes,longpolling,messagetimers,deadletterqueues,accesscontrol,andtheoverallmessagelifecycle.

AmazonSWFallowsyoutocreateapplicationsthatcoordinateworkacrossdistributedcomponents.AmazonSWFisdrivenbytasks,whicharelogicalunitsofworkthatdifferentcomponentsofyourapplicationperform.Tomanagetasksacrossyourapplication,youneedtobeawareofinter-taskdependencies,schedulingoftasks,andusingtasksconcurrently.AmazonSWFsimplifiesthecoordinationofworkflowtasks,givingyoufullcontrolovertheirimplementationwithoutworryingaboutunderlyingcomplexitiessuchastrackingtheirprogressandmaintainingtheirstate.

YoumustbefamiliarwiththefollowingAmazonSWFcomponentsandthelifecycleofaworkflowexecution:

Workers,starters,anddeciders

Workflows

Workflowhistory

Actors

Tasks

Domains

Objectidentifiers

Tasklists

Workflowexecutionclosure

Longpolling

AmazonSNSisapushnotificationservicethatletsyousendindividualormultiplemessagestolargenumbersofrecipients.AmazonSNSconsistsoftwotypesofclients:publishersandsubscribers(sometimesknownasproducersandconsumers).Publisherscommunicatetosubscribersasynchronouslybysendingamessagetoatopic.Atopicissimplyalogicalaccesspoint/communicationchannelthatcontainsalistofsubscribersandthemethodsusedtocommunicatetothem.Whenyousendamessagetoatopic,itisautomaticallyforwardedtoeachsubscriberofthattopicusingthecommunicationmethodconfiguredforthatsubscriber.

Page 272: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

AmazonSNScansupportawidevarietyofneeds,includingmonitoringapplications,workflowsystems,time-sensitiveinformationupdates,mobileapplications,andanyotherapplicationthatgeneratesorconsumesnotifications.UnderstandsomecommonAmazonSNSscenarios,including:

Fanout

Applicationandsystemalerts

Pushemailandtextmessaging

Mobilepushnotifications

Page 273: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

ExamEssentialsKnowhowtouseAmazonSQS.AmazonSQSisauniqueservicedesignedbyAmazontohelpyoutodecoupleyourinfrastructure.UsingAmazonSQS,youcanstoremessagesonreliableandscalableinfrastructureastheytravelbetweenyourservers.Thisallowsyoutomovedatabetweendistributedcomponentsofyourapplicationsthatperformdifferenttaskswithoutlosingmessagesorrequiringeachcomponentalwaystobeavailable.

UnderstandAmazonSQSvisibilitytimeouts.VisibilitytimeoutisaperiodoftimeduringwhichAmazonSQSpreventsothercomponentsfromreceivingandprocessingamessagebecauseanothercomponentisalreadyprocessingit.Bydefault,themessagevisibilitytimeoutissetto30seconds,andthemaximumthatitcanbeis12hours.

KnowhowtouseAmazonSQSlongpolling.LongpollingallowsyourAmazonSQSclienttopollanAmazonSQSqueue.Ifnothingisthere,ReceiveMessagewaitsbetween1and20seconds.Ifamessagearrivesinthattime,itisreturnedtothecallerassoonaspossible.Ifamessagedoesnotarriveinthattime,youneedtoexecutetheReceiveMessagefunctionagain.ThishelpsyouavoidpollingintightloopsandpreventsyoufromburningthroughCPUcycles,keepingcostslow.

KnowhowtouseAmazonSWF.AmazonSWFallowsyoutomakeapplicationsthatcoordinateworkacrossdistributedcomponents.AmazonSWFisdrivenbytasks,whicharelogicalunitsofworkthatpartofyourapplicationperforms.Tomanagetasksacrossyourapplication,youneedtobeawareofinter-taskdependencies,schedulingoftasks,andusingtasksconcurrently.ThisiswhereAmazonSWFcanhelpyou.Itgivesyoufullcontroloverimplementingtasksandcoordinatingthemwithoutworryingaboutunderlyingcomplexitiessuchastrackingtheirprogressandmaintainingtheirstate.

KnowthebasicsofanAmazonSWFworkflow.Aworkflowisacollectionofactivities(coordinatedbylogic)thatcarryoutaspecificgoal.Forexample,aworkflowreceivesacustomerorderandtakeswhateveractionsarenecessarytofulfillit.EachworkflowrunsinanAWSresourcecalledadomain,whichcontrolsthescopeoftheworkflow.AnAWSaccountcanhavemultipledomains,eachofwhichcancontainmultipleworkflows,butworkflowsindifferentdomainscannotinteract.

UnderstandthedifferentAmazonSWFactors.AmazonSWFinteractswithanumberofdifferenttypesofprogrammaticactors.Actorscanbeactivityworkers,workflowstarters,ordeciders.

UnderstandAmazonSNSbasics.AmazonSNSisapushnotificationservicethatletsyousendindividualormultiplemessagestolargenumbersofrecipients.AmazonSNSconsistsoftwotypesofclients:publishersandsubscribers(sometimesknownasproducersandconsumers).Publisherscommunicatetosubscribersasynchronouslybysendingamessagetoatopic.

KnowthedifferentprotocolsusedwithAmazonSNS.YoucanusethefollowingprotocolswithAmazonSNS:HTTP,HTTPS,SMS,email,email-JSON,AmazonSQS,andAWSLambda.

Page 274: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

ExercisesInthissection,youcreateatopicandsubscriptioninAmazonSNSandthenpublishamessagetoyourtopic.

EXERCISE8.1

CreateanAmazonSNSTopicInthisexercise,youwillcreateanAmazonSNSmessage.

1. Openabrowser,andnavigatetotheAWSManagementConsole.SignintoyourAWSaccount.

2. NavigatetoMobileServicesandthenAmazonSNStoloadtheAmazonSNSdashboard.

3. Createanewtopic,anduseMyTopicforboththetopicnameandthedisplayname.

4. NotethatanAmazonResourceName(ARN)isspecifiedimmediately.

Congratulations!Youhavecreatedyourfirsttopic.

EXERCISE8.2

CreateaSubscriptiontoYourTopicInthisexercise,youwillcreateasubscriptiontothenewlycreatedtopicusingyouremailaddress.Thenyouconfirmyouremailaddress.

1. IntheAmazonSNSdashboardoftheAWSManagementConsole,navigatetoTopics.

2. SelecttheARNthatyoujustcreated.CreateaSubscriptionwiththeprotocolofEmail,andenteryouremailaddress.

3. CreatetheSubscription.

4. Theservicesendsaconfirmationemailtoyouremailaddress.Beforethissubscriptioncangolive,youneedtoclickonthelinkintheemailthatAWSsentyoutoconfirmyouremailaddress.Checkyouremail,andconfirmyouraddress.

Congratulations!Youhavenowconfirmedyouremailaddressandcreatedasubscriptiontoatopic.

Page 275: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

EXERCISE8.3

PublishtoaTopicInthisexercise,youwillpublishamessagetoyournewlycreatedtopic.

1. IntheAmazonSNSdashboardoftheAWSManagementConsole,navigatetoTopics.

2. NavigatetotheARNlinkforyournewlycreatedtopic.

3. UpdatethesubjectwithMyTestMessage,leavethemessageformattosettoRaw,anduseaTimetoLive(TTL)fieldto300.

4. Publishthemessage.

5. Youshouldreceiveanemailfromyourtopicnamewiththesubjectthatyouspecified.Ifyoudonotreceivethisemail,checkyourjunkfolder.

Congratulations!Inthisexercise,youcreatedanewtopic,addedanewsubscription,andthenpublishedamessagetoyournewtopic.Notethedifferentformatsinwhichyoucanpublishmessages,includingHTTPandAWSLambda.Deleteyournewlycreatedtopicandsubscriptionsafteryouarefinished.

EXERCISE8.4

CreateQueue1. IntheAWSManagementConsole,navigatetoApplicationServicesandthentoAmazonSQStoloadtheAmazonSQSdashboard.

2. Createanewqueuewithinputasthequeuename,60secondsforthedefaultvisibility,and5minutesforthemessageretentionperiod.Leavetheremainingdefaultvaluesforthisexercise.

3. Createthequeue.

Congratulations!Inthisexercise,youcreatedanewqueue.Youwillpublishtothisqueueinthefollowingexercise.

Page 276: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

EXERCISE8.5

SubscribeQueuetoSNSTopic1. IntheAWSManagementConsole,navigatetoApplicationServicesandthentoAmazonSQStoloadtheAmazonSQSdashboard.

2. SubscribeyourqueuetoyourAmazonSNStopic.

3. NowreturntotheAmazonSNSdashboard(intheAWSManagementConsoleunderMobileServices).

4. Publishtoyournewtopic,andusethedefaults.

5. ReturntotheAmazonSQSdashboard(intheAWSManagementConsoleunderApplicationServices).

6. Youwillnoticethereis“1MessageAvailable”intheinputqueue.Checktheinputboxtotheleftoftheinputqueuename.

7. Startpollingformessages.YoushouldseetheAmazonSNSmessageinyourqueue.

8. ClicktheMoreDetailslinktoseethedetailsofthemessage.

9. Reviewyourmessage,andclickClose.

10. Deleteyourmessage.

Congratulations!Inthisexercise,yousubscribedyourinputqueuetoanAmazonSNStopicandviewedyourmessageinyourAmazonSQSqueueinadditiontoreceivingthemessageinsubscribedemail.

Page 277: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

ReviewQuestions1. WhichofthefollowingisnotasupportedAmazonSimpleNotificationService(AmazonSNS)protocol?

A. HTTPS

B. AWSLambda

C. Email-JSON

D. AmazonDynamoDB

2. WhenyoucreateanewAmazonSimpleNotificationService(AmazonSNS)topic,whichofthefollowingiscreatedautomatically?

A. AnAmazonResourceName(ARN)

B. Asubscriber

C. AnAmazonSimpleQueueService(AmazonSQS)queuetodeliveryourAmazonSNStopic

D. Amessage

3. WhichofthefollowingarefeaturesofAmazonSimpleNotificationService(AmazonSNS)?(Choose3answers)

A. Publishers

B. Readers

C. Subscribers

D. Topic

4. WhatisthedefaulttimeforanAmazonSimpleQueueService(AmazonSQS)visibilitytimeout?

A. 30seconds

B. 60seconds

C. 1hour

D. 12hours

5. WhatisthelongesttimeavailableforanAmazonSimpleQueueService(AmazonSQS)visibilitytimeout?

A. 30seconds

B. 60seconds

C. 1hour

D. 12hours

6. WhichofthefollowingoptionsarevalidpropertiesofanAmazonSimpleQueueService

Page 278: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

(AmazonSQS)message?(Choose2answers)

A. Destination

B. MessageID

C. Type

D. Body

7. YouareasolutionsarchitectwhoisworkingforamobileapplicationcompanythatwantstouseAmazonSimpleWorkflowService(AmazonSWF)fortheirnewtakeoutorderingapplication.Theywillhavemultipleworkflowsthatwillneedtointeract.WhatshouldyouadvisethemtodoinstructuringthedesignoftheirAmazonSWFenvironment?

A. Usemultipledomains,eachcontainingasingleworkflow,anddesigntheworkflowstointeractacrossthedifferentdomains.

B. Useasingledomaincontainingmultipleworkflows.Inthismanner,theworkflowswillbeabletointeract.

C. Useasingledomainwithasingleworkflowandcollapseallactivitiestowithinthissingleworkflow.

D. Workflowscannotinteractwitheachother;theywouldbebetteroffusingAmazonSimpleQueueService(AmazonSQS)andAmazonSimpleNotificationService(AmazonSNS)fortheirapplication.

8. InAmazonSimpleWorkflowService(AmazonSWF),whichofthefollowingareactors?(Choose3answers)

A. Activityworkers

B. Workflowstarters

C. Deciders

D. Activitytasks

9. Youaredesigninganewapplication,andyouneedtoensurethatthecomponentsofyourapplicationarenottightlycoupled.YouaretryingtodecidebetweenthedifferentAWSCloudservicestousetoachievethisgoal.Yourrequirementsarethatmessagesbetweenyourapplicationcomponentsmaynotbedeliveredmorethanonce,tasksmustbecompletedineitherasynchronousorasynchronousfashion,andtheremustbesomeformofapplicationlogicthatdecideswhatdowhentaskshavebeencompleted.Whatapplicationserviceshouldyouuse?

A. AmazonSimpleQueueService(AmazonSQS)

B. AmazonSimpleWorkflowService(AmazonSWF)

C. AmazonSimpleStorageService(AmazonS3)

D. AmazonSimpleEmailService(AmazonSES)

10. HowdoesAmazonSimpleQueueService(AmazonSQS)delivermessages?

A. LastIn,FirstOut(LIFO)

Page 279: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

B. FirstIn,FirstOut(FIFO)

C. Sequentially

D. AmazonSQSdoesn’tguaranteedeliveryofyourmessagesinanyparticularorder.

11. Ofthefollowingoptions,whatisanefficientwaytofanoutasingleAmazonSimpleNotificationService(AmazonSNS)messagetomultipleAmazonSimpleQueueService(AmazonSQS)queues?

A. CreateanAmazonSNStopicusingAmazonSNS.ThencreateandsubscribemultipleAmazonSQSqueuessenttotheAmazonSNStopic.

B. CreateoneAmazonSQSqueuethatsubscribestomultipleAmazonSNStopics.

C. AmazonSNSallowsexactlyonesubscribertoeachtopic,sofanoutisnotpossible.

D. CreateanAmazonSNStopicusingAmazonSNS.Createanapplicationthatsubscribestothattopicandduplicatesthemessage.SendcopiestomultipleAmazonSQSqueues.

12. YourapplicationpollsanAmazonSimpleQueueService(AmazonSQS)queuefrequentlyandreturnsimmediately,oftenwithemptyReceiveMessageResponses.WhatisonethingthatcanbedonetoreduceAmazonSQScosts?

A. PricingonAmazonSQSdoesnotincludeacostforservicerequests;therefore,thereisnoconcern.

B. Increasethetimeoutvalueforshortpollingtowaitformessageslongerbeforereturningaresponse.

C. Changethemessagevisibilityvaluetoahighernumber.

D. UselongpollingbysupplyingaWaitTimeSecondsofgreaterthan0secondswhencallingReceiveMessage.

13. WhatisthelongesttimeavailableforanAmazonSimpleQueueService(AmazonSQS)longpollingtimeout?

A. 10seconds

B. 20seconds

C. 30seconds

D. 1hour

14. WhatisthelongestconfigurablemessageretentionperiodforAmazonSimpleQueueService(AmazonSQS)?

A. 30minutes

B. 4days

C. 30seconds

D. 14days

15. WhatisthedefaultmessageretentionperiodforAmazonSimpleQueueService(AmazonSQS)?

Page 280: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

A. 30minutes

B. 4days

C. 30seconds

D. 14days

16. AmazonSimpleNotificationService(AmazonSNS)isapushnotificationservicethatletsyousendindividualormultiplemessagestolargenumbersofrecipients.Whattypesofclientsaresupported?

A. JavaandJavaScriptclientsthatsupportpublisherandsubscribertypes

B. ProducersandconsumerssupportedbyCandC++clients

C. MobileandAMQPsupportforpublisherandsubscriberclienttypes

D. Publisherandsubscriberclienttypes

17. InAmazonSimpleWorkflowService(AmazonSWF),adeciderisresponsibleforwhat?

A. Executingeachstepofthework

B. Definingworkcoordinationlogicbyspecifyingworksequencing,timing,andfailureconditions

C. Executingyourworkflow

D. RegisteringactivitiesandworkflowwithAmazonSWF

18. CananAmazonSimpleNotificationService(AmazonSNS)topicberecreatedwithapreviouslyusedtopicname?

A. Yes.Thetopicnameshouldtypicallybeavailableafter24hoursaftertheprevioustopicwiththesamenamehasbeendeleted.

B. Yes.Thetopicnameshouldtypicallybeavailableafter1–3hoursaftertheprevioustopicwiththesamenamehasbeendeleted.

C. Yes.Thetopicnameshouldtypicallybeavailableafter30–60secondsaftertheprevioustopicwiththesamenamehasbeendeleted.

D. Atthistime,thisfeatureisnotsupported.

19. WhatshouldyoudoinordertograntadifferentAWSaccountpermissiontoyourAmazonSimpleQueueService(AmazonSQS)queue?

A. SharecredentialstoyourAWSaccountandhavetheotheraccount’sapplicationsuseyouraccount’scredentialstoaccesstheAmazonSQSqueue.

B. CreateauserforthataccountinAWSIdentityandAccessManagement(IAM)andestablishanIAMpolicythatgrantsaccesstothequeue.

C. CreateanAmazonSQSpolicythatgrantstheotheraccountaccess.

D. AmazonVirtualPrivateCloud(AmazonVPC)peeringmustbeusedtoachievethis.

20. CananAmazonSimpleNotificationService(AmazonSNS)messagebedeletedafterbeingpublishedtoatopic?

Page 281: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

A. Onlyifasubscriber(s)has/havenotreadthemessageyet

B. OnlyiftheAmazonSNSrecallmessageparameterhasbeenset

C. No.Afteramessagehasbeensuccessfullypublishedtoatopic,itcannotberecalled.

D. Yes.HoweveritcanbedeletedonlyifthesubscribersareAmazonSQSqueues.

Page 282: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

Chapter9DomainNameSystem(DNS)andAmazonRoute53THEAWSCERTIFIEDSOLUTIONSARCHITECTEXAMTOPICSCOVEREDINTHISCHAPTERMAYINCLUDE,BUTARENOTLIMITEDTO,THEFOLLOWING:Domain1.0:Designinghighlyavailable,cost-efficient,fault-tolerant,scalablesystems

1.1Identifyandrecognizecloudarchitectureconsiderations,suchasfundamentalcomponentsandeffectivedesigns.

Contentmayincludethefollowing:

Howtodesigncloudservices

Planninganddesign

Monitoringandlogging

Familiaritywith:

BestpracticesforAWSarchitecture

Developingtoclientspecifications,includingpricing/cost(forexample,on-demandvs.reservedvs.spot;RTOandRPODRdesign)

Architecturaltrade-offdecisions(forexample,highavailabilityvs.cost,AmazonRelationalDatabaseService[RDS]vs.installingyourowndatabaseonAmazonElasticComputeCloud—EC2)

Elasticityandscalability(forexample,auto-scaling,SQS,ELB,CloudFront)

Domain3.0:DataSecurity

3.1Recognizeandimplementsecureproceduresforoptimumclouddeploymentandmaintenance.

3.2Recognizecriticaldisaster-recoverytechniquesandtheirimplementation.

AmazonRoute53

Page 283: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

DomainNameSystem(DNS)TheDomainNameSystem(DNS)issometimesadifficultconcepttounderstandbecauseitissoubiquitouslyusedinmakingtheInternetwork.Beforewegetintothedetails,let’sstartwithasimpleanalogy.TheInternetProtocol(IP)addressofyourwebsiteislikeyourphonenumber—itcouldchangeifyoumovetoanewarea(atleastyourlandlinecouldchange).DNSislikethephonebook.Ifsomeonewantstocallyouatyournewhouseorlocation,theymightlookyouupbynameinthephonebook.Iftheirphonebookhasn’tbeenupdatedsinceyoumoved,however,theymightcallyouroldhouse.Whenavisitorwantstoaccessyourwebsite,theircomputertakesthedomainnametypedin(www.amazon.com,forexample)andlooksuptheIPaddressforthatdomainusingDNS.

Morespecifically,DNSisaglobally-distributedservicethatisfoundationaltothewaypeopleusetheInternet.DNSusesahierarchicalnamestructure,anddifferentlevelsinthehierarchyareeachseparatedwithadot(.).Considerthedomainnameswww.amazon.comandaws.amazon.com.Inboththeseexamples,comistheTop-LevelDomain(TLD)andamazonistheSecond-LevelDomain(SLD).Therecanbeanynumberoflowerlevels(forexample,wwwandaws)belowtheSLD.

ComputersusetheDNShierarchytotranslatehumanreadablenames(forexample,www.amazon.com)intotheIPaddresses(forexample,192.0.2.1)thatcomputersusetoconnecttooneanother.Everytimeyouuseadomainname,aDNSservicemusttranslatethenameintothecorrespondingIPaddress.Insummary,ifyou’veusedtheInternet,you’veusedDNS.

AmazonRoute53isanauthoritativeDNSsystem.AnauthoritativeDNSsystemprovidesanupdatemechanismthatdevelopersusetomanagetheirpublicDNSnames.ItthenanswersDNSqueries,translatingdomainnamesintoIPaddressessothatcomputerscancommunicatewitheachother.

ThischapterisintendedtoprovideyouwithabaselineunderstandingofDNSandtheAmazonRoute53servicethatisdesignedtohelpusersfindyourwebsiteorapplicationovertheInternet.

DomainNameSystem(DNS)ConceptsThissectionofthechapterdefinesDNSterms,describeshowDNSworks,andexplainscommonlyusedrecordtypes.

Top-LevelDomains(TLDs)ATop-LevelDomain(TLD)isthemostgeneralpartofthedomain.TheTLDisthefarthestportiontotheright(asseparatedbyadot).CommonTLDsare.com,.net,.org,.gov,.edu,and.io.

TLDsareatthetopofthehierarchyintermsofdomainnames.CertainpartiesaregivenmanagementcontroloverTLDsbytheInternetCorporationforAssignedNamesandNumbers(ICANN).ThesepartiescanthendistributedomainnamesundertheTLD,usuallythroughadomainregistrar.ThesedomainsareregisteredwiththeNetworkInformationCenter(InterNIC),aserviceofICANN,whichenforcestheuniquenessofdomainnames

Page 284: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

acrosstheInternet.Eachdomainnamebecomesregisteredinacentraldatabase,knownastheWhoISdatabase.

DomainNamesAdomainnameisthehuman-friendlynamethatweareusedtoassociatingwithanInternetresource.Forinstance,amazon.comisadomainname.Somepeoplewillsaythattheamazonportionisthedomain,butwecangenerallyrefertothecombinedformasthedomainname.

TheURLaws.amazon.comisassociatedwiththeserversownedbyAWS.TheDNSallowsuserstoreachtheAWSserverswhentheytypeaws.amazon.comintotheirbrowsers.

IPAddressesAnIPaddressisanetworkaddressablelocation.EachIPaddressmustbeuniquewithinitsnetwork.Forpublicwebsites,thisnetworkistheentireInternet.

IPv4addresses,themostcommonformofaddresses,consistoffoursetsofnumbersseparatedbyadot,witheachsethavinguptothreedigits.Forexample,111.222.111.222couldbeavalidIPv4IPaddress.WithDNS,wemapanametothataddresssothatyoudonothavetorememberacomplicatedsetofnumbersforeachplaceyouwanttovisitonanetwork.

DuetothetremendousgrowthoftheInternetandthenumberofdevicesconnectedtoit,theIPv4addressrangehasquicklybeendepleted.IPv6wascreatedtosolvethisdepletionissue,andithasanaddressspaceof128bits,whichallowsfor340,282,366,920,938,463,463,374,607,431,768,211,456,or340undecillion,uniqueaddresses.Forhumanbeings,thisnumberisdifficulttoimagine,soconsiderthis:IfeachIPv4addresswereonegrainofsand,youwouldhaveenoughaddressestofillapproximatelyonedumptruckwithsand.IfeachIPv6addresswereonegrainofsand,youwouldhaveenoughsandtoequaltheapproximatesizeofthesun.Today,mostdevicesandnetworksstillcommunicateusingIPv4,butmigrationtoIPv6isproceedinggraduallyovertime.

HostsWithinadomain,thedomainownercandefineindividualhosts,whichrefertoseparatecomputersorservicesaccessiblethroughadomain.Forinstance,mostdomainownersmaketheirwebserversaccessiblethroughthebasedomain(example.com)andalsothroughthehostdefinitionwww(asinwww.example.com).

Youcanhaveotherhostdefinitionsunderthegeneraldomain,suchasApplicationProgramInterface(API)accessthroughanAPIhost(api.example.com)orFileTransferProtocol(FTP)accesswithahostdefinitionofFTPorfiles(ftp.example.comorfiles.example.com).Thehostnamescanbearbitraryiftheyareuniqueforthedomain.

SubdomainsDNSworksinahierarchalmannerandallowsalargedomaintobepartitionedorextendedintomultiplesubdomains.TLDscanhavemanysubdomainsunderthem.Forinstance,zappos.comandaudible.comarebothsubdomainsofthe.comTLD(althoughtheyaretypicallyjustcalleddomains).ThezapposoraudibleportioncanbereferredtoasanSLD.

Page 285: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

Likewise,eachSLDcanhavesubdomainslocatedunderit.Forinstance,theURLforthehistorydepartmentofaschoolcouldbewww.history.school.edu.Thehistoryportionisasubdomain.

Thedifferencebetweenahostnameandasubdomainisthatahostdefinesacomputerorresource,whileasubdomainextendstheparentdomain.Subdomainsareamethodofsubdividingthedomainitself.

Whethertalkingaboutsubdomainsorhosts,youcanseethattheleft-mostportionsofadomainarethemostspecific.ThisishowDNSworks:frommosttoleastspecificasyoureadfromlefttoright.

FullyQualifiedDomainName(FQDN)DomainlocationsinaDNScanberelativetooneanotherand,assuch,canbesomewhatambiguous.AFullyQualifiedDomainName(FQDN),alsoreferredtoasanabsolutedomainname,specifiesadomain’slocationinrelationtotheabsoluterootoftheDNS.

ThismeansthattheFQDNspecifieseachparentdomainincludingtheTLD.AproperFQDNendswithadot,indicatingtherootoftheDNShierarchy.Forexample,mail.amazon.comisanFQDN.Sometimes,softwarethatcallsforanFQDNdoesnotrequiretheendingdot,butitisrequiredtoconformtoICANNstandards.

InFigure9.1,youcanseethattheentirestringistheFQDN,whichiscomposedofthedomainname,subdomain,root,TLD,SLDandhost.

FIGURE9.1FQDNcomponents

NameServersAnameserverisacomputerdesignatedtotranslatedomainnamesintoIPaddresses.These

Page 286: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

serversdomostoftheworkintheDNS.Becausethetotalnumberofdomaintranslationsistoomuchforanyoneserver,eachservermayredirectrequeststoothernameserversordelegateresponsibilityforthesubsetofsubdomainsforwhichtheyareresponsible.

Nameserverscanbeauthoritative,meaningthattheygiveanswerstoqueriesaboutdomainsundertheircontrol.Otherwise,theymaypointtootherserversorservecachedcopiesofothernameservers’data.

ZoneFilesAzonefileisasimpletextfilethatcontainsthemappingsbetweendomainnamesandIPaddresses.ThisishowaDNSserverfinallyidentifieswhichIPaddressshouldbecontactedwhenauserrequestsacertaindomainname.

Zonefilesresideinnameserversandgenerallydefinetheresourcesavailableunderaspecificdomain,ortheplacewhereonecangotogetthatinformation.

Top-LevelDomain(TLD)NameRegistrarsBecauseallofthenamesinagivendomainmustbeunique,thereneedstobeawaytoorganizethemsothatdomainnamesaren’tduplicated.Thisiswheredomainnameregistrarscomein.AdomainnameregistrarisanorganizationorcommercialentitythatmanagesthereservationofInternetdomainnames.AdomainnameregistrarmustbeaccreditedbyagenericTLD(gTLD)registryand/oracountrycodeTLD(ccTLD)registry.Themanagementisdoneinaccordancewiththeguidelinesofthedesignateddomainnameregistries.

StepsInvolvedinDomainNameSystem(DNS)ResolutionWhenyoutypeadomainnameintoyourbrowser,yourcomputerfirstchecksitshostfiletoseeifithasthatdomainnamestoredlocally.Ifitdoesnot,itwillcheckitsDNScachetoseeifyouhavevisitedthesitebefore.Ifitstilldoesnothavearecordofthatdomainname,itwillcontactaDNSservertoresolvethedomainname.

DNSis,atitscore,ahierarchicalsystem.Atthetopofthissystemarerootservers.ICANNdelegatesthecontroloftheseserverstovariousorganizations.

Asofthiswriting,thereare13rootserversinoperation.RootservershandlerequestsforinformationaboutTLDs.Whenarequestcomesinforadomainthatalower-levelnameservercannotresolve,aqueryismadetotherootserverforthedomain.

Inordertohandletheincrediblevolumeofresolutionsthathappeneveryday,theserootserversaremirroredandreplicated.Whenrequestsaremadetoacertainrootserver,therequestwillberoutedtothenearestmirrorofthatrootserver.

Therootserverswon’tactuallyknowwherethedomainishosted.Theywill,however,beabletodirecttherequestertothenameserversthathandlethespecifically-requestedTLD.

Forexample,ifarequestforwww.wikipedia.orgismadetotherootserver,itwillcheckitszonefilesforalistingthatmatchesthatdomainname,butitwillnotfindoneinitsrecords.Itwillinsteadfindarecordforthe.orgTLDandgivetherequestingentitytheaddressofthenameserverresponsiblefor.orgaddresses.

Page 287: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

Top-LevelDomain(TLD)ServersAfterarootserverreturnstheIPaddressoftheappropriateserverthatisresponsiblefortheTLDofarequest,therequesterthensendsanewrequesttothataddress.

Tocontinuetheexamplefromtheprevioussection,therequestingentitywouldsendarequesttothenameserverresponsibleforknowingabout.orgdomainstoseeifitcanlocatewww.wikipedia.org.

Onceagain,whenthenameserversearchesitszonefilesforawww.wikipedia.orglisting,itwillnotfindoneinitsrecords.However,itwillfindalistingfortheIPaddressofthenameserverresponsibleforwikipedia.org.ThisisgettingmuchclosertothecorrectIPaddress.

Domain-LevelNameServersAtthispoint,therequesterhastheIPaddressofthenameserverthatisresponsibleforknowingtheactualIPaddressoftheresource.Itsendsanewrequesttothenameserverasking,onceagain,ifitcanresolvewww.wikipedia.org.

Thenameserverchecksitszonefiles,anditfindsazonefileassociatedwithwikipedia.org.Insideofthisfile,thereisarecordthatcontainstheIPaddressforthe.wwwhost.Thenameserverreturnsthefinaladdresstotherequester.

ResolvingNameServersInthepreviousscenario,wereferredtoarequester.Whatistherequesterinthissituation?

Inalmostallcases,therequesterwillbewhatiscalledaresolvingnameserver,whichisaserverthatisconfiguredtoaskotherserversquestions.Itsprimaryfunctionistoactasanintermediaryforauser,cachingpreviousqueryresultstoimprovespeedandprovidingtheaddressesofappropriaterootserverstoresolvenewrequests.

Auserwillusuallyhaveafewresolvingnameserversconfiguredontheircomputersystem.TheresolvingnameserversaretypicallyprovidedbyanInternetServiceProvider(ISP)orotherorganization.ThereareseveralpublicresolvingDNSserversthatyoucanquery.Thesecanbeconfiguredinyourcomputereitherautomaticallyormanually.

WhenyoutypeaURLintheaddressbarofyourbrowser,yourcomputerfirstlookstoseeifitcanfindtheresource’slocationlocally.Itchecksthehostfileonthecomputerandanylocallystoredcache.ItthensendstherequesttotheresolvingnameserverandwaitstoreceivetheIPaddressoftheresource.

Theresolvingnameserverthenchecksitscachefortheanswer.Ifitdoesn’tfindit,itgoesthroughthestepsoutlinedintheprevioussections.

Resolvingnameserverscompresstherequestingprocessfortheenduser.Theclientssimplyhavetoknowtoasktheresolvingnameserverswherearesourceislocated,andtheresolvingnameserverswilldotheworktoinvestigateandreturnthefinalanswer.

MoreAboutZoneFilesZonefilesarethewaythatnameserversstoreinformationaboutthedomainstheyknow.Themorezonefilesthatanameserverhas,themorerequestsitwillbeabletoanswerauthoritatively.Mostrequeststotheaveragenameserver,however,arefordomainsthatare

Page 288: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

notinthelocalzonefile.

Iftheserverisconfiguredtohandlerecursivequeries,likearesolvingnameserver,itwillfindtheanswerandreturnit.Otherwise,itwilltelltherequestingentitywheretolooknext.

AzonefiledescribesaDNSzone,whichisasubsetoftheentireDNS.Zonefilesaregenerallyusedtoconfigureasingledomain,andtheycancontainanumberofrecordsthatdefinewhereresourcesareforthedomaininquestion.

Thezonefile’s$ORIGINdirectiveisaparameterequaltothezone’shighestlevelofauthoritybydefault.Ifazonefileisusedtoconfiguretheexample.comdomain,the$ORIGINwouldbesettoexample.com.

ThisparameteriseitherconfiguredatthetopofthezonefileordefinedintheDNSserver’sconfigurationfilethatreferencesthezonefile.Eitherway,thisparameterdefineswhatauthoritativerecordsthezonegoverns.

Similarly,the$TTLdirectiveconfiguresthedefaultTimetoLive(TTL)valueforresourcerecordsinthezone.Thisvaluedefinesthelengthoftimethatpreviouslyqueriedresultsareavailabletoacachingnameserverbeforetheyexpire.

RecordTypesEachzonefilecontainsrecords.Initssimplestform,arecordisasinglemappingbetweenaresourceandaname.ThesecanmapadomainnametoanIPaddressordefineresourcesforthedomain,suchasnameserversormailservers.Thissectiondescribeseachrecordtypeindetail.

StartofAuthority(SOA)RecordAStartofAuthority(SOA)recordismandatoryinallzonefiles,anditidentifiesthebaseDNSinformationaboutthedomain.EachzonecontainsasingleSOArecord.

TheSOArecordstoresinformationaboutthefollowing:

ThenameoftheDNSserverforthatzone

Theadministratorofthezone

Thecurrentversionofthedatafile

Thenumberofsecondsthatasecondarynameservershouldwaitbeforecheckingforupdates

Thenumberofsecondsthatasecondarynameservershouldwaitbeforeretryingafailedzonetransfer

Themaximumnumberofsecondsthatasecondarynameservercanusedatabeforeitmusteitherberefreshedorexpire

ThedefaultTTLvalue(inseconds)forresourcerecordsinthezone

AandAAAABothtypesofaddressrecordsmapahosttoanIPaddress.TheArecordisusedtomapahosttoanIPv4IPaddress,whileAAAArecordsareusedtomapahosttoanIPv6address.

Page 289: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

CanonicalName(CNAME)ACanonicalName(CNAME)recordisatypeofresourcerecordintheDNSthatdefinesanaliasfortheCNAMEforyourserver(thedomainnamedefinedinanAorAAAArecord).

MailExchange(MX)MailExchange(MX)recordsareusedtodefinethemailserversusedforadomainandensurethatemailmessagesareroutedcorrectly.TheMXrecordshouldpointtoahostdefinedbyanAorAAAArecordandnotonedefinedbyaCNAME.

NameServer(NS)NameServer(NS)recordsareusedbyTLDserverstodirecttraffictotheDNSserverthatcontainstheauthoritativeDNSrecords.

Pointer(PTR)APointer(PTR)recordisessentiallythereverseofanArecord.PTRrecordsmapanIPaddresstoaDNSname,andtheyaremainlyusedtocheckiftheservernameisassociatedwiththeIPaddressfromwheretheconnectionwasinitiated.

SenderPolicyFramework(SPF)SenderPolicyFramework(SPF)recordsareusedbymailserverstocombatspam.AnSPFrecordtellsamailserverwhatIPaddressesareauthorizedtosendanemailfromyourdomainname.Forexample,ifyouwantedtoensurethatonlyyourmailserversendsemailsfromyourcompany’sdomain,suchasexample.com,youwouldcreateanSPFrecordwiththeIPaddressofyourmailserver.Thatway,anemailsentfromyourdomain,[email protected],wouldneedtohaveanoriginatingIPaddressofyourcompanymailserverinordertobeaccepted.Thispreventspeoplefromspoofingemailsfromyourdomainname.

Text(TXT)Text(TXT)recordsareusedtoholdtextinformation.Thisrecordprovidestheabilitytoassociatesomearbitraryandunformattedtextwithahostorothername,suchashumanreadableinformationaboutaserver,network,datacenter,andotheraccountinginformation.

Service(SRV)AService(SRV)recordisaspecificationofdataintheDNSdefiningthelocation(thehostnameandportnumber)ofserversforspecifiedservices.TheideabehindSRVisthat,givenadomainname(forexample,example.com)andaservicename(forexample,web[HTTP],whichrunsonaprotocol[TCP]),aDNSquerymaybeissuedtofindthehostnamethatprovidessuchaserviceforthedomain,whichmayormaynotbewithinthedomain.

Page 290: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

AmazonRoute53OverviewNowthatyouhaveafoundationalunderstandingofDNSandthedifferentDNSrecordtypes,youcanexploreAmazonRoute53.AmazonRoute53isahighlyavailableandscalablecloudDNSwebservicethatisdesignedtogivedevelopersandbusinessesanextremelyreliableandcost-effectivewaytorouteenduserstoInternetapplications.

AmazonRoute53performsthreemainfunctions:

Domainregistration—AmazonRoute53letsyouregisterdomainnames,suchasexample.com.

DNSservice—AmazonRoute53translatesfriendlydomainnameslikewww.example.comintoIPaddresseslike192.0.2.1.AmazonRoute53respondstoDNSqueriesusingaglobalnetworkofauthoritativeDNSservers,whichreduceslatency.TocomplywithDNSstandards,responsessentoverUserDatagramProtocol(UDP)arelimitedto512bytesinsize.Responsesexceeding512bytesaretruncated,andtheresolvermustre-issuetherequestoverTCP.

Healthchecking—AmazonRoute53sendsautomatedrequestsovertheInternettoyourapplicationtoverifythatit’sreachable,available,andfunctional.

Youcanuseanycombinationofthesefunctions.Forexample,youcanuseAmazonRoute53asbothyourregistrarandyourDNSservice,oryoucanuseAmazonRoute53astheDNSserviceforadomainthatyouregisteredwithanotherdomainregistrar.

DomainRegistrationIfyouwanttocreateawebsite,youfirstneedtoregisterthedomainname.Ifyoualreadyregisteredadomainnamewithanotherregistrar,youhavetheoptiontotransferthedomainregistrationtoAmazonRoute53.Itisn’trequiredtouseAmazonRoute53asyourDNSserviceortoconfigurehealthcheckingforyourresources.

AmazonRoute53supportsdomainregistrationforawidevarietyofgenericTLDs(forexample,.comand.org)andgeographicTLDs(forexample,.beand.us).ForacompletelistofsupportedTLDs,refertotheAmazonRoute53DeveloperGuideathttps://docs.aws.amazon.com/Route53/latest/DeveloperGuide/.

DomainNameSystem(DNS)ServiceAsstatedpreviously,AmazonRoute53isanauthoritativeDNSservicethatroutesInternettraffictoyourwebsitebytranslatingfriendlydomainnamesintoIPaddresses.Whensomeoneentersyourdomainnameinabrowserorsendsyouanemail,aDNSrequestisforwardedtothenearestAmazonRoute53DNSserverinaglobalnetworkofauthoritativeDNSservers.AmazonRoute53respondswiththeIPaddressthatyouspecified.

IfyouregisteranewdomainnamewithAmazonRoute53,AmazonRoute53willbeautomaticallyconfiguredastheDNSserviceforthedomain,andahostedzonewillbecreatedforyourdomain.Youaddresourcerecordsetstothehostedzone,whichdefinehowyouwantAmazonRoute53torespondtoDNSqueriesforyourdomain(forexample,withtheIPaddressforawebserver,theIPaddressforthenearestAmazonCloudFrontedgelocation,or

Page 291: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

theIPaddressforanElasticLoadBalancingloadbalancer).

Ifyouregisteredyourdomainwithanotherdomainregistrar,thatregistrarisprobablyprovidingtheDNSserviceforyourdomain.YoucantransferDNSservicetoAmazonRoute53,withorwithouttransferringregistrationforthedomain.

Ifyou’reusingAmazonCloudFront,AmazonSimpleStorageService(AmazonS3),orElasticLoadBalancing,youcanconfigureAmazonRoute53torouteInternettraffictothoseresources.

HostedZonesAhostedzoneisacollectionofresourcerecordsetshostedbyAmazonRoute53.LikeatraditionalDNSzonefile,ahostedzonerepresentsresourcerecordsetsthataremanagedtogetherunderasingledomainname.Eachhostedzonehasitsownmetadataandconfigurationinformation.

Therearetwotypesofhostedzones:privateandpublic.AprivatehostedzoneisacontainerthatholdsinformationabouthowyouwanttoroutetrafficforadomainanditssubdomainswithinoneormoreAmazonVirtualPrivateClouds(AmazonVPCs).ApublichostedzoneisacontainerthatholdsinformationabouthowyouwanttoroutetrafficontheInternetforadomain(forexample,example.com)anditssubdomains(forexample,apex.example.comandacme.example.com).

Theresourcerecordsetscontainedinahostedzonemustsharethesamesuffix.Forexample,theexample.comhostedzonecancontainresourcerecordsetsforthewww.example.comandwww.aws.example.comsubdomains,butitcannotcontainresourcerecordsetsforawww.example.casubdomain.

YoucanuseAmazonS3tohostyourstaticwebsiteatthehostedzone(forexample,domain.com)andredirectallrequeststoasubdomain(forexample,www.domain.com).Then,inAmazonRoute53,youcancreateanaliasresourcerecordthatsendsrequestsfortherootdomaintotheAmazonS3bucket.

Useanaliasrecord,notaCNAME,foryourhostedzone.CNAMEsarenotallowedforhostedzonesinAmazonRoute53.

DonotuseArecordsforsubdomains(forexample,www.domain.com),astheyrefertohardcodedIPaddresses.Instead,useAmazonRoute53aliasrecordsortraditionalCNAMErecordstoalwayspointtotherightresource,whereveryoursiteishosted,evenwhenthephysicalserverhaschangeditsIPaddress.

Page 292: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

SupportedRecordTypesAmazonRoute53supportsthefollowingDNSresourcerecordtypes.WhenyouaccessAmazonRoute53usingtheAPI,youwillseeexamplesofhowtoformattheValueelementforeachrecordtype.Supportedrecordtypesinclude:

A

AAAA

CNAME

MX

NS

PTR

SOA

SPF

SRV

TXT

RoutingPolicies

Whenyoucreatearesourcerecordset,youchoosearoutingpolicy,whichdetermineshowAmazonRoute53respondstoqueries.Routingpolicyoptionsaresimple,weighted,latency-based,failover,andgeolocation.Whenspecified,AmazonRoute53evaluatesaresource’srelativeweight,theclient’snetworklatencytotheresource,ortheclient’sgeographicallocationwhendecidingwhichresourcetosendbackinaDNSresponse.

Routingpoliciescanbeassociatedwithhealthchecks,soresourcehealthstatusisconsideredbeforeitevenbecomesacandidateinaconditionaldecisiontree.Adescriptionofpossibleroutingpoliciesandmoreonhealthcheckingiscoveredinthissection.

SimpleThisisthedefaultroutingpolicywhenyoucreateanewresource.Useasimpleroutingpolicywhenyouhaveasingleresourcethatperformsagivenfunctionforyourdomain(forexample,onewebserverthatservescontentfortheexample.comwebsite).Inthiscase,AmazonRoute53respondstoDNSqueriesbasedonlyonthevaluesintheresourcerecordset(forexample,theIPaddressinanArecord).

WeightedWithweightedDNS,youcanassociatemultipleresources(suchasAmazonElasticComputeCloud[AmazonEC2]instancesorElasticLoadBalancingloadbalancers)withasingleDNSname.

Usetheweightedroutingpolicywhenyouhavemultipleresourcesthatperformthesamefunction(suchaswebserversthatservethesamewebsite),andyouwantAmazonRoute53toroutetraffictothoseresourcesinproportionsthatyouspecify.Forexample,youmayusethisforloadbalancingbetweendifferentAWSregionsortotestnewversionsofyourwebsite

Page 293: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

(youcansend10percentoftraffictothetestenvironmentand90percentoftraffictotheolderversionofyourwebsite).

Tocreateagroupofweightedresourcerecordsets,youneedtocreatetwoormoreresourcerecordsetsthathavethesameDNSnameandtype.Youthenassigneachresourcerecordsetauniqueidentifierandarelativeweight.

WhenprocessingaDNSquery,AmazonRoute53searchesforaresourcerecordsetoragroupofresourcerecordsetsthathavethesamenameandDNSrecordtype(suchasanArecord).AmazonRoute53thenselectsonerecordfromthegroup.Theprobabilityofanyresourcerecordsetbeingselectedisgovernedbythefollowingformula:

Latency-BasedLatency-basedroutingallowsyoutorouteyourtrafficbasedonthelowestnetworklatencyforyourenduser(forexample,usingtheAWSregionthatwillgivethemthefastestresponsetime).

UsethelatencyroutingpolicywhenyouhaveresourcesthatperformthesamefunctioninmultipleAWSAvailabilityZonesorregionsandyouwantAmazonRoute53torespondtoDNSqueriesusingtheresourcesthatprovidethebestlatency.Forexample,supposeyouhaveElasticLoadBalancingloadbalancersintheU.S.West(Oregon)regionandintheAsiaPacific(Singapore)region,andyoucreatedalatencyresourcerecordsetinAmazonRoute53foreachloadbalancer.AuserinLondonentersthenameofyourdomaininabrowser,andDNSroutestherequesttoanAmazonRoute53nameserver.AmazonRoute53referstoitsdataonlatencybetweenLondonandtheSingaporeregionandbetweenLondonandtheOregonregion.IflatencyislowerbetweenLondonandtheOregonregion,AmazonRoute53respondstotheuser’srequestwiththeIPaddressofyourloadbalancerinOregon.IflatencyislowerbetweenLondonandtheSingaporeregion,AmazonRoute53respondswiththeIPaddressofyourloadbalancerinSingapore.

FailoverUseafailoverroutingpolicytoconfigureactive-passivefailover,inwhichoneresourcetakesallthetrafficwhenit’savailableandtheotherresourcetakesallthetrafficwhenthefirstresourceisn’tavailable.Notethatyoucan’tcreatefailoverresourcerecordsetsforprivatehostedzones.

Forexample,youmightwantyourprimaryresourcerecordsettobeinU.S.West(N.California)andyoursecondary,DisasterRecovery(DR),resource(s)tobeinU.S.East(N.Virginia).AmazonRoute53willmonitorthehealthofyourprimaryresourceendpointsusingahealthcheck.

AhealthchecktellsAmazonRoute53howtosendrequeststotheendpointwhosehealthyouwanttocheck:whichprotocoltouse(HTTP,HTTPS,orTCP),whichIPaddressandporttouse,and,forHTTP/HTTPShealthchecks,adomainnameandpath.

Page 294: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

Afteryouhaveconfiguredahealthcheck,AmazonwillmonitorthehealthofyourselectedDNSendpoint.Ifyourhealthcheckfails,thenfailoverroutingpolicieswillbeappliedandyourDNSwillfailovertoyourDRsite.

GeolocationGeolocationroutingletsyouchoosewhereAmazonRoute53willsendyourtrafficbasedonthegeographiclocationofyourusers(thelocationfromwhichDNSqueriesoriginate).Forexample,youmightwantallqueriesfromEuropetoberoutedtoafleetofAmazonEC2instancesthatarespecificallyconfiguredforyourEuropeancustomers,withlocallanguagesandpricinginEuros.

Youcanalsousegeolocationroutingtorestrictdistributionofcontenttoonlythelocationsinwhichyouhavedistributionrights.Anotherpossibleuseisforbalancingloadacrossendpointsinapredictable,easy-to-managewaysothateachuserlocationisconsistentlyroutedtothesameendpoint.

Youcanspecifygeographiclocationsbycontinent,bycountry,orevenbystateintheUnitedStates.Youcanalsocreateseparateresourcerecordsetsforoverlappinggeographicregions,andprioritygoestothesmallestgeographicregion.Forexample,youmighthaveoneresourcerecordsetforEuropeandonefortheUnitedKingdom.Thisallowsyoutoroutesomequeriesforselectedcountries(inthisexample,theUnitedKingdom)tooneresourceandtoroutequeriesfortherestofthecontinent(inthisexample,Europe)toadifferentresource.

GeolocationworksbymappingIPaddressestolocations.Youshouldbecautious,however,assomeIPaddressesaren’tmappedtogeographiclocations.Evenifyoucreategeolocationresourcerecordsetsthatcoverallsevencontinents,AmazonRoute53willreceivesomeDNSqueriesfromlocationsthatitcan’tidentify.

Inthiscase,youcancreateadefaultresourcerecordsetthathandlesbothqueriesfromIPaddressesthataren’tmappedtoanylocationandqueriesthatcomefromlocationsforwhichyouhaven’tcreatedgeolocationresourcerecordsets.Ifyoudon’tcreateadefaultresourcerecordset,AmazonRoute53returnsa“noanswer”responseforqueriesfromthoselocations.

Youcannotcreatetwogeolocationresourcerecordsetsthatspecifythesamegeographiclocation.Youalsocannotcreategeolocationresourcerecordsetsthathavethesamevaluesfor“Name”and“Type”asthe“Name”and“Type”ofnon-geolocationresourcerecordsets.

MoreonHealthCheckingAmazonRoute53healthchecksmonitorthehealthofyourresourcessuchaswebserversandemailservers.YoucanconfigureAmazonCloudWatchalarmsforyourhealthcheckssothatyoureceivenotificationwhenaresourcebecomesunavailable.YoucanalsoconfigureAmazonRoute53torouteInternettrafficawayfromresourcesthatareunavailable.

HealthchecksandDNSfailoveraremajortoolsintheAmazonRoute53featuresetthathelpmakeyourapplicationhighlyavailableandresilienttofailures.IfyoudeployanapplicationinmultipleAvailabilityZonesandmultipleAWSregions,withAmazonRoute53healthchecksattachedtoeveryendpoint,AmazonRoute53cansendbackalistofhealthyendpointsonly.Healthcheckscanautomaticallyswitchtoahealthyendpointwithminimal

Page 295: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

disruptiontoyourclientsandwithoutanyconfigurationchanges.Youcanusethisautomaticrecoveryscenarioinactive-activeoractive-passivesetups,dependingonwhetheryouradditionalendpointsarealwayshitbylivetrafficoronlyafterallprimaryendpointshavefailed.Usinghealthchecksandautomaticfailovers,AmazonRoute53improvesyourserviceuptime,especiallywhencomparedtothetraditionalmonitor-alert-restartapproachofaddressingfailures.

AmazonRoute53healthchecksarenottriggeredbyDNSqueries;theyarerunperiodicallybyAWS,andresultsarepublishedtoallDNSservers.Thisway,nameserverscanbeawareofanunhealthyendpointandroutedifferentlywithinapproximately30secondsofaproblem(afterthreefailedtestsinarow),andnewDNSresultswillbeknowntoclientsaminutelater(assumingyourTTLis60seconds),bringingcompleterecoverytimetoaboutaminuteandahalfintotalinthisscenario.

The2014AWSre:InventsessionSDD408,“AmazonRoute53DeepDive:DeliveringResiliency,MinimizingLatency,”introducedasetofbestpracticesforAmazonRoute53.ExplorethosebestpracticestohelpyougetstartedusingAmazonRoute53asabuildingblocktodeliverhighly-availableandresilientapplicationsonAWS.

AmazonRoute53EnablesResiliencyWhenpullingtheseconceptstogethertobuildanapplicationthatishighlyavailableandresilienttofailures,considerthesebuildingblocks:

IneveryAWSregion,anElasticLoadBalancingloadbalancerissetupwithcross-zoneloadbalancingandconnectiondraining.ThisdistributestheloadevenlyacrossallinstancesinallAvailabilityZones,anditensuresrequestsinflightarefullyservedbeforeanAmazonEC2instanceisdisconnectedfromanElasticLoadBalancingloadbalancerforanyreason.

EachElasticLoadBalancingloadbalancerdelegatesrequeststoAmazonEC2instancesrunninginmultipleAvailabilityZonesinanauto-scalinggroup.ThisprotectstheapplicationfromAvailabilityZoneoutages,ensuresthataminimalamountofinstancesisalwaysrunning,andrespondstochangesinloadbyproperlyscalingeachgroup’sAmazonEC2instances.

EachElasticLoadBalancingloadbalancerhashealthchecksdefinedtoensurethatitdelegatesrequestsonlytohealthyinstances.

EachElasticLoadBalancingloadbalanceralsohasanAmazonRoute53healthcheckassociatedwithittoensurethatrequestsareroutedonlytoloadbalancersthathavehealthyAmazonEC2instances.

Theapplication’sproductionenvironment(forexample,prod.domain.com)hasAmazonRoute53aliasrecordsthatpointtoElasticLoadBalancingloadbalancers.Theproductionenvironmentalsousesalatency-basedroutingpolicythatisassociatedwithElasticLoadBalancinghealthchecks.Thisensuresthatrequestsareroutedtoahealthyloadbalancer,therebyprovidingminimallatencytoaclient.

Page 296: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

Theapplication’sfailoverenvironment(forexample,fail.domain.com)hasanAmazonRoute53aliasrecordthatpointstoanAmazonCloudFrontdistributionofanAmazonS3buckethostingastaticversionoftheapplication.

Theapplication’ssubdomain(forexample,www.domain.com)hasanAmazonRoute53aliasrecordthatpointstoprod.domain.com(asprimarytarget)andfail.domain.com(assecondarytarget)usingafailoverroutingpolicy.Thisensureswww.domain.comroutestotheproductionloadbalancersifatleastoneofthemishealthyorthe“failwhale”ifallofthemappeartobeunhealthy.

Theapplication’shostedzone(forexample,domain.com)hasanAmazonRoute53aliasrecordthatredirectsrequeststowww.domain.comusinganAmazonS3bucketofthesamename.

Applicationcontent(bothstaticanddynamic)canbeservedusingAmazonCloudFront.ThisensuresthatthecontentisdeliveredtoclientsfromAmazonCloudFrontedgelocationsspreadallovertheworldtoprovideminimallatency.ServingdynamiccontentfromaContentDeliveryNetwork(CDN),whereitiscachedforshortperiodsoftime(thatis,severalseconds),takestheloadoffoftheapplicationandfurtherimprovesitslatencyandresponsiveness.

TheapplicationisdeployedinmultipleAWSregions,protectingitfromaregionaloutage.

Page 297: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

SummaryInthischapter,youlearnedthefundamentalsofDNS,whichisthemethodologythatcomputersusetoconverthuman-friendlydomainnames(forexample,amazon.com)intoIPaddresses(suchas192.0.2.1).

DNSstartswithTLDs(forexample,.com,.edu).TheInternetAssignedNumbersAuthority(IANA)controlstheTLDsinarootzonedatabase,whichisessentiallyadatabaseofallavailableTLDs.

DNSnamesareregisteredwithadomainregistrar.AregistrarisanauthoritythatcanassigndomainnamesdirectlyunderoneormoreTLDs.ThesedomainsareregisteredwithInterNIC,aserviceofICANN,whichenforcestheuniquenessofdomainnamesacrosstheInternet.Eachdomainnamebecomesregisteredinacentraldatabase,knownastheWhoISdatabase.

DNSconsistsofanumberofdifferentrecordtypes,includingbutnotlimitedtothefollowing:

A

AAAA

CNAME

MX

NS

PTR

SOA

SPF

TXT

AmazonRoute53isahighlyavailableandhighlyscalableAWS-providedDNSservice.AmazonRoute53connectsuserrequeststoinfrastructurerunningonAWS(forexample,AmazonEC2instancesandElasticLoadBalancingloadbalancers).ItcanalsobeusedtorouteuserstoinfrastructureoutsideofAWS.

WithAmazonRoute53,yourDNSrecordsareorganizedintohostedzonesthatyouconfigurewiththeAmazonRoute53API.Ahostedzonesimplystoresrecordsforyourdomain.TheserecordscanconsistofA,CNAME,MX,andothersupportedrecordtypes.

AmazonRoute53allowsyoutohaveseveraldifferentroutingpolicies,includingthefollowing:

Simple—Mostcommonlyusedwhenyouhaveasingleresourcethatperformsagivenfunctionforyourdomain

Weighted—Usedwhenyouwanttorouteapercentageofyourtraffictooneparticularresourceorresources

Latency-Based—Usedtorouteyourtrafficbasedonthelowestlatencysothatyour

Page 298: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

usersgetthefastestresponsetimes

Failover—UsedforDRandtorouteyourtrafficfromyourresourcesinaprimarylocationtoastandbylocation

Geolocation—Usedtorouteyourtrafficbasedonyourenduser’slocation

Remembertopulltheseconceptstogethertobuildanapplicationthatishighlyavailableandresilienttofailures.UseElasticLoadBalancingloadbalancersacrossAvailabilityZoneswithconnectiondrainingenabled,usehealthchecksdefinedtoensurethattheapplicationdelegatesrequestsonlytohealthyAmazonEC2instances,andusealatency-basedroutingpolicywithElasticLoadBalancinghealthcheckstoensurerequestsareroutedwithminimallatencytoclients.UseAmazonCloudFrontedgelocationstospreadcontentallovertheworldwithminimalclientlatency.DeploytheapplicationinmultipleAWSregions,protectingitfromaregionaloutage.

Page 299: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

ExamEssentialsUnderstandwhatDNSis.DNSisthemethodologythatcomputersusetoconverthuman-friendlydomainnames(forexample,amazon.com)intoIPaddresses(suchas192.0.2.1).

KnowhowDNSregistrationworks.DomainsareregisteredwithdomainregistrarsthatinturnregisterthedomainnamewithInterNIC,aserviceofICANN.ICANNenforcesuniquenessofdomainnamesacrosstheInternet.EachdomainnamebecomesregisteredinacentraldatabaseknownastheWhoISdatabase.DomainsaredefinedbytheirTLDs.TLDsarecontrolledbyIANAinarootzonedatabase,whichisessentiallyadatabaseofallavailableTLDs.

RememberthestepsinvolvedinDNSresolution.YourbrowseraskstheresolvingDNSserverwhattheIPaddressisforamazon.com.Theresolvingserverdoesnotknowtheaddress,soitasksarootserverthesamequestion.Thereare13rootserversaroundtheworld,andthesearemanagedbyICANN.Therootserverrepliesthatitdoesnotknowtheanswertothis,butitcangiveanaddresstoaTLDserverthatknowsabout.comdomainnames.TheresolvingserverthencontactstheTLDserver.TheTLDserverdoesnotknowtheaddressofthedomainnameeither,butitdoesknowtheaddressoftheresolvingnameserver.Theresolvingserverthenqueriestheresolvingnameserver.Theresolvingnameservercontainstheauthoritativerecordsandsendsthesetotheresolvingserver,whichthensavestheserecordslocallysoitdoesnothavetoperformthesestepsagaininthenearfuture.Theresolvingnameserverreturnsthisinformationtotheuser’swebbrowser,whichalsocachestheinformation.

Rememberthedifferentrecordtypes.DNSconsistsofthefollowingdifferentrecordtypes:A(addressrecord),AAAA(IPv6addressrecord),CNAME(canonicalnamerecordoralias),MX(mailexchangerecord),NS(nameserverrecord),PTR(pointerrecord),SOA(startofauthorityrecord),SPF(senderpolicyframework),SRV(servicelocator),andTXT(textrecord).Youshouldknowthedifferencesamongeachrecordtype.

Rememberthedifferentroutingpolicies.WithAmazonRoute53,youcanhavedifferentroutingpolicies.Thesimpleroutingpolicyismostcommonlyusedwhenyouhaveasingleresourcethatperformsagivenfunctionforyourdomain.Weightedroutingisusedwhenyouwanttorouteapercentageofyourtraffictoaparticularresourceorresources.Latency-basedroutingisusedtorouteyourtrafficbasedonthelowestlatencysothatyourusersgetthefastestresponsetimes.FailoverroutingisusedforDRandtorouteyourtrafficfromaprimaryresourcetoastandbyresource.Geolocationroutingisusedtorouteyourtrafficbasedonyourenduser’slocation.

Page 300: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

ExercisesInthissection,youexplorethedifferenttypesofDNSroutingpoliciesthatyoucancreateusingAWS.Forspecificstep-by-stepinstructions,refertotheAmazonRoute53informationanddocumentationathttp://aws.amazon.com/route53/.Youwillneedyourowndomainnametocompletethissection,andyoushouldbeawarethatAmazonRoute53isnotAWSFreeTiereligible.HostingazoneonAmazonRoute53shouldcostyouaminimalamountpermonthperhostedzone,andadditionalchargeswillbelevieddependingontheroutingpolicyyouuse.ForcurrentinformationonAmazonRoute53pricing,refertohttp://aws.amazon.com/route53/pricing/.

EXERCISE9.1

CreateaNewZone1. LogintotheAWSManagementConsole.

2. NavigatetoAmazonRoute53,andcreateahostedzone.

3. Enteryourdomainname,andcreateyournewzonefile.

4. Inthenewzonefile,youwillseetheSOArecordandnameservers.Youwillneedtologintoyourdomainregistrar’swebsite,andupdatethenameserverswithyourAWSnameservers.

5. Afteryouupdateyournameserverswithyourdomainregistrars,AmazonRoute53willbeconfiguredtoserveDNSrequestsforyourdomain.

YouhavenowcreatedyourfirstAmazonRoute53zone.

EXERCISE9.2

CreateTwoWebServersinTwoDifferentRegionsInthisexercise,youwillcreatetwonewAmazonEC2webserversindifferentAWSregions.YouwillusetheseinthefollowingexerciseswhensettingupAmazonRoute53toaccessthewebservers.

CreateanAmazonEC2Instance1. LogintotheAWSManagementConsole.

2. ChangeyourregiontoAsiaPacific(Sydney).

3. IntheComputesection,loadtheAmazonEC2dashboard.Launchaninstance,andselectthefirstAmazonLinuxAmazonMachineImage(AMI).

4. Selecttheinstancetype,andconfigureyourinstancedetails.Takeacloselookatthedifferentoptionsavailabletoyou,andchangeyourinstance’sstoragedevicesettingsasnecessary.

Page 301: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

5. NametheinstanceSydney,andaddasecuritygroupthatallowsHTTP.

6. LaunchyournewAmazonEC2instance,andverifythatithaslaunchedproperly.

ConnecttoYourAmazonEC2Instance7. NavigatetotheAmazonEC2instanceintheAWSManagementConsole,andcopy

thepublicIPaddresstoyourclipboard.

8. UsingaSecureShell(SSH)clientofyourchoice,connecttoyourAmazonEC2instanceusingthepublicIPaddress,theusernameec2-user,andyourprivatekey.

9. Whenpromptedabouttheauthenticityofthehost,typeYes,andcontinue.

10. YoushouldnowbeconnectedtoyourAmazonEC2instance.Elevateyourprivilegestorootbytyping#sudosu.

11. Whileyou’reloggedinastherootusertoyourAmazonEC2instance,runthefollowingcommandtoinstallApachehttpd:

#yuminstallhttpd-y

12. Aftertheinstallationhascompleted,runthecommand#servicehttpdstartfollowedby#chkconfighttpdon.

13. NavigatetotheEC2instance,andtype:cd/var/www/html

14. Type#nanoindex.htmlandpressEnter.

15. InNano,typeThisistheSydneyServerandthenpressCtrl+X.

16. TypeYtoconfirmthatyouwanttosavethechanges,andthenpressEnter.

17. Type#ls.Youshouldnowseeyournewlycreatedindex.htmlfile.

18. Inyourbrowser,navigatetohttp://yourpublicipaddress/index.html.

Youshouldnowseeyour“ThisistheSydneyServer”homepage.Ifyoudonotseethis,checkyoursecuritygrouptomakesureyouallowedaccessforport80.

CreateanElasticLoadBalancingLoadBalancer19. ReturntotheAWSManagementConsole,andnavigatetotheAmazonEC2

dashboard.

20. CreatealoadbalancernamedSydney,leavingthesettingsattheirdefaultvalues.

21. Createyoursecuritygroup,andallowalltrafficinonport80.

22. Configurehealthcheck,leavingthesettingsattheirdefaultvalues.

23. Selectyournewlyaddedinstance.Addtagshereifyouwanttotagyourinstances.

24. ClickCreatetoprovisionyourloadbalancer.

CreateTheseResourcesinaSecondRegion25. ReturntotheAWSManagementConsole,andchangeyourregiontoSouthAmerica

(SaoPaulo).

Page 302: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

26. RepeatthethreeproceduresinthissectiontoaddasecondAmazonEC2instanceandaloadbalancerinthisnewregion.

YouhavenowcreatedtwowebserversindifferentregionsoftheworldandplacedtheseregionsbehindElasticLoadBalancingloadbalancers.

EXERCISE9.3

CreateanAliasARecordwithaSimpleRoutingPolicy1. LogintotheAWSManagementConsole,andnavigatetotheAmazonRoute53dashboard.

2. Selectyournewly-createdzonedomainname,andcreatearecordsetwiththenameA−IPv4Address

3. Createanalias,leavingyourroutingpolicysettoSimple.

4. Inyourwebbrowser,navigatetoyourdomainname.YoushouldnowseeawelcomescreenfortheSydneyregion.Ifyoudonotseethis,checkthatyourAmazonEC2instanceisattachedtoyourloadbalancerandthattheinstanceisinservice.Iftheinstanceisnotinservice,thismeansthatitisfailingitshealthcheck.CheckthatApacheHTTPServer(HTTPD)isrunningandthatyourindex.htmldocumentisaccessible.

YouhavenowcreatedyourfirstAliasArecordforthezoneapexusingthesimpleroutingpolicy.

Page 303: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

EXERCISE9.4

CreateaWeightedRoutingPolicy1. ReturntotheAWSManagementConsole,andnavigatetotheAmazonRoute53dashboard.

2. Navigatetohostedzones,andselectyournewly-createdzonedomainname.

3. Createarecordsetwithtypesettodeveloper.Thiswillcreateasubdomainofdeveloper.yourdomainname.com.

4. SelectyourSydneyloadbalancer.ChangetheroutingpolicytoWeightedwithavalueof50andatypeofSydney.Leavetheothervaluesattheirdefaults.ClickCreate.Youwillnowseeyournewly-createdDNSentry.

5. Createanotherrecordsetwithtypesettodeveloper.Thiswilladdanewrecordwiththesamenameyoucreatedearlier.Bothrecordswillworktogether.

6. SelectyourSaoPauloloadbalancer.ChangetheroutingpolicytoWeightedwithavalueof50andtypeofSaoPaulo.Leavetheothervaluesattheirdefaults.ClickCreate.Youwillnowseeyournewly-createdDNSentry.

7. TestyourDNSbyvisitinghttp://developer.yourdomainname.comandrefreshingthepage.YoushouldbeaccessingtheSydneyserver50percentofthetimeandtheSaoPauloservertheother50percentofthetime.

YouhavenowcreatedaweightedDNSroutingpolicy.Youcancontinuetoexperimentwithotherroutingpoliciesbyfollowingthedocumentationathttp://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-policy.html.

EXERCISE9.5

CreateaHostedZoneforAmazonVirtualPrivateCloud(AmazonVPC)AmazonVPCdetailsarecoveredinChapter4,“AmazonVirtualPrivateCloud(AmazonVPC).”

CreateaPrivateHostedZone1. ReturntotheAWSManagementConsole,andnavigatetotheAmazonRoute53dashboard.

2. Createahostedzone,andenteryourprivatedomainname.

3. SelectthedefaultAmazonVPCthatyouusedinExercise9.2todeploythefirstserverintheAsiaPacific(Sydney)region.ClickCreate.Thiswillcreateanewzonefile.

VerifyAmazonVPCConfiguration4. ReturntotheAWSManagementConsole,andchangeyourregiontoAsiaPacific

Page 304: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

(Sydney).

5. IntheAmazonVPCdashboard,chooseyourAmazonVPC.

6. ClickonthedefaultAmazonVPCfromthelist.EnsurethatbothDNSresolutionandDNShostnamesareenabled.Thesesettingsneedtouseprivatehostedzones.

CreateResourceRecordSets7. ReturntotheAWSManagementConsole,andnavigatetotheAmazonRoute53

dashboard.

8. Selectyournewly-createdprivatezonedomainname,andcreatearecordset.

9. EnterthenameyouwanttogivetoyourAmazonEC2instance(forexample,webserver1),andselectIPv4addresswithnoalias.

10. EntertheinternalIPaddressofyourAmazonEC2instancethatyounotedinExercise9.2.

11. LeaveyourroutingpolicysettoSimple,andclickCreate.

ConnecttoYourAmazonEC2Instance12. OntheAmazonEC2instancesscreen,waituntilyouseeyourvirtualmachine’s

instancestateasrunning.CopythepublicIPaddresstoyourclipboard.

13. UsinganSSHclientofyourchoice,connecttoyourAmazonEC2instanceusingthepublicIPaddress,theusernameec2-user,andyourprivatekey.Forexample,ifyou’reusingTerminalinOSX,youwouldtypethefollowingcommand:

[email protected]

14. Whenpromptedabouttheauthenticityofthehost,typeYesandcontinue.YoushouldnowbeconnectedtoyourAmazonEC2instance.

15. Whileyou’reloggedintoyourAmazonEC2instance,runthefollowingcommandtocheckifthehostnamesinAmazonRoute53areresolving:

nslookupwebserver1.yourprivatehostedzone.com

16. Youshouldreceiveanon-authoritativeanswerwiththehostnameandIPaddressfortherecordsetthatyoucreatedinAmazonRoute53.

YouhavenowcreatedaprivatehostedzoneinAmazonRoute53andassociateditwithanAmazonVPC.YoucancontinuetoaddinstancesinAmazonVPCandcreateresourcerecordsetsfortheminAmazonRoute53.Thesenewinstanceswouldbeabletointer-communicatewiththeinstancesinthesameAmazonVPCusingthedomainnamethatyoucreated.

RemembertodeleteyourAmazonEC2instancesandElasticLoadBalancingloadbalancersafteryou’vefinishedexperimentingwithyourdifferentroutingpolicies.Youmayalsowanttodeletethezoneifyouarenolongerusingit.

Page 305: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

ReviewQuestions1. WhichtypeofrecordiscommonlyusedtoroutetraffictoanIPv6address?

A. AnArecord

B. ACNAME

C. AnAAAArecord

D. AnMXrecord

2. Wheredoyouregisteradomainname?

A. Withyourlocalgovernmentauthority

B. Withadomainregistrar

C. WithInterNICdirectly

D. WiththeInternetAssignedNumbersAuthority(IANA)

3. YouhaveanapplicationthatforlegalreasonsmustbehostedintheUnitedStateswhenU.S.citizensaccessit.TheapplicationmustbehostedintheEuropeanUnionwhencitizensoftheEUaccessit.Forallothercitizensoftheworld,theapplicationmustbehostedinSydney.Whichroutingpolicyshouldyouchooseinordertoachievethis?

A. Latency-basedrouting

B. Simplerouting

C. Geolocationrouting

D. Failoverrouting

4. WhichtypeofDNSrecordshouldyouusetoresolveanIPaddresstoadomainname?

A. AnArecord

B. ACName

C. AnSPFrecord

D. APTRrecord

5. YouhostawebapplicationacrossmultipleAWSregionsintheworld,andyouneedtoconfigureyourDNSsothatyourenduserswillgetthefastestnetworkperformancepossible.Whichroutingpolicyshouldyouapply?

A. Geolocationrouting

B. Latency-basedrouting

C. Simplerouting

D. Weightedrouting

6. WhichDNSrecordshouldyouusetoconfigurethetransmissionofemailtoyourintendedmailserver?

Page 306: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

A. SPFrecords

B. Arecords

C. MXrecords

D. SOArecord

7. WhichDNSrecordsarecommonlyusedtostopemailspoofingandspam?

A. MXrecords

B. SPFrecords

C. Arecords

D. Cnames

8. YouarerollingoutAandBtestversionsofawebapplicationtoseewhichversionresultsinthemostsales.Youneed10percentofyourtraffictogotoversionA,10percenttogotoversionB,andtheresttogotoyourcurrentproductionversion.Whichroutingpolicyshouldyouchoosetoachievethis?

A. Simplerouting

B. Weightedrouting

C. Geolocationrouting

D. Failoverrouting

9. WhichDNSrecordmustallzoneshavebydefault?

A. SPF

B. TXT

C. MX

D. SOA

10. YourcompanyhasitsprimaryproductionsiteinWesternEuropeanditsDRsiteintheAsiaPacific.YouneedtoconfigureDNSsothatifyourprimarysitebecomesunavailable,youcanfailDNSovertothesecondarysite.WhichDNSroutingpolicywouldbestachievethis?

A. Weightedrouting

B. Geolocationrouting

C. Simplerouting

D. Failoverrouting

11. WhichtypeofDNSrecordshouldyouusetoresolveadomainnametoanotherdomainname?

A. AnArecord

B. ACNAMErecord

C. AnSPFrecord

Page 307: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

D. APTRrecord

12. WhichisafunctionthatAmazonRoute53doesnotperform?

A. Domainregistration

B. DNSservice

C. Loadbalancing

D. Healthchecks

13. WhichDNSrecordcanbeusedtostorehuman-readableinformationaboutaserver,network,andotheraccountingdatawithahost?

A. ATXTrecord

B. AnMXrecord

C. AnSPFrecord

D. APTRrecord

14. Whichresourcerecordsetwouldnotbeallowedforthehostedzoneexample.com?

A. www.example.com

B. www.aws.example.com

C. www.example.ca

D. www.beta.example.com

15. WhichportnumberisusedtoserverequestsbyDNS?

A. 22

B. 53

C. 161

D. 389

16. WhichprotocolisprimarilyusedbyDNStoserverequests?

A. TransmissionControlProtocol(TCP)

B. HyperTextTransferProtocol(HTTP)

C. FileTransferProtocol(FTP)

D. UserDatagramProtocol(UDP)

17. WhichprotocolisusedbyDNSwhenresponsedatasizeexceeds512bytes?

A. TransmissionControlProtocol(TCP)

B. HyperTextTransferProtocol(HTTP)

C. FileTransferProtocol(FTP)

D. UserDatagramProtocol(UDP)

18. WhatarethedifferenthostedzonesthatcanbecreatedinAmazonRoute53?

Page 308: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

1. Publichostedzone

2. Globalhostedzone

3. Privatehostedzone

A. 1and2

B. 1and3

C. 2and3

D. 1,2,and3

19. AmazonRoute53cannotroutequeriestowhichAWSresource?

A. AmazonCloudFrontdistribution

B. ElasticLoadBalancingloadbalancer

C. AmazonEC2

D. AWSOpsWorks

20. WhenconfiguringAmazonRoute53asyourDNSserviceforanexistingdomain,whichisthefirststepthatneedstobeperformed?

A. Createhostedzones.

B. Createresourcerecordsets.

C. RegisteradomainwithAmazonRoute53.

D. TransferdomainregistrationfromcurrentregistrartoAmazonRoute53.

Page 309: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

Chapter10AmazonElastiCacheTHEAWSCERTIFIEDSOLUTIONSARCHITECTASSOCIATEEXAMOBJECTIVESCOVEREDINTHISCHAPTERMAYINCLUDE,BUTARENOTLIMITEDTO,THEFOLLOWING:Domain1.0:Designinghighlyavailable,cost-efficient,fault-tolerant,andscalablesystems

Identifyandrecognizecloudarchitectureconsiderations,suchasfundamentalcomponentsandeffectivedesigns.

Contentmayincludethefollowing:

Planninganddesign

Architecturaltrade-offdecisions

BestpracticesforAWSarchitecture

Elasticityandscalability

Domain3.0:DataSecurity

3.1Recognizeandimplementsecurepracticesforoptimumclouddeploymentandmaintenance.

Contentmayincludethefollowing:

AWSadministrationandsecurityservices

3.2Recognizecriticaldisasterrecoverytechniquesandtheirimplementation.

Page 310: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

IntroductionThischapterfocusesonbuildinghigh-performanceapplicationsusingin-memorycachingtechnologiesandAmazonElastiCache.ByusingtheAmazonElastiCacheservice,youcanoffloadtheheavyliftinginvolvedinthedeploymentandoperationofcacheenvironmentsrunningMemcachedorRedis.Itfocusesonkeytopicsyouneedtounderstandfortheexam,including:

Howtoimproveapplicationperformanceusingcaching

Howtolaunchcacheenvironmentsinthecloud

WhatarethebasicdifferencesandusecasesforMemcachedandRedis?

Howtoscaleyourclustervertically

HowtoscaleyourMemcachedclusterhorizontallyusingadditionalcachenodes

HowtoscaleyourRedisclusterhorizontallyusingreplicationgroups

HowtobackupandrecoveryourRediscluster

Howtoapplyalayeredsecuritymodel

Page 311: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

In-MemoryCachingOneofthecommoncharacteristicsofasuccessfulapplicationisafastandresponsiveuserexperience.Researchhasshownthatuserswillgetfrustratedandleaveawebsiteorappwhenitisslowtorespond.In2007,testingofAmazon.com’sretailsiteshowedthatforevery100msincreaseinloadtimes,salesdecreasedby1%.Round-tripsbackandforthtoadatabaseanditsunderlyingstoragecanaddsignificantdelaysandareoftenthetopcontributortoapplicationlatency.

Cachingfrequently-useddataisoneofthemostimportantperformanceoptimizationsyoucanmakeinyourapplications.Comparedtoretrievingdatafromanin-memorycache,queryingadatabaseisanexpensiveoperation.Bystoringormovingfrequentlyaccesseddatain-memory,applicationdeveloperscansignificantlyimprovetheperformanceandresponsivenessofread-heavyapplications.Forexample,theapplicationsessionstateforalargewebsitecanbestoredinanin-memorycachingengine,insteadofstoringthesessiondatainthedatabase.

Formanyyears,developershavebeenbuildingapplicationsthatusecacheengineslikeMemcachedorRedistostoredatain-memorytogetblazingfastapplicationperformance.Memcachedisasimple-to-usein-memorykey/valuestorethatcanbeusedtostorearbitrarytypesofdata.Itisoneofthemostpopularcacheengines.Redisisaflexiblein-memorydatastructurestorethatcanbeusedasacache,database,orevenasamessagebroker.AmazonElastiCacheallowsdeveloperstoeasilydeployandmanagecacheenvironmentsrunningeitherMemcachedorRedis.

Page 312: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

AmazonElastiCacheAmazonElastiCacheisawebservicethatsimplifiesthesetupandmanagementofdistributedin-memorycachingenvironments.Thisservicemakesiteasyandcosteffectivetoprovideahigh-performanceandscalablecachingsolutionforyourcloudapplications.YoucanuseAmazonElastiCacheinyourapplicationstospeedthedeploymentofcacheclustersandreducetheadministrationrequiredforadistributedcacheenvironment.

WithAmazonElastiCache,youcanchoosefromaMemcachedorRedisprotocol-compliantcacheengineandquicklylaunchaclusterwithinminutes.BecauseAmazonElastiCacheisamanagedservice,youcanstartusingtheservicetodaywithveryfewornomodificationstoyourexistingapplicationsthatuseMemcachedorRedis.BecauseAmazonElastiCacheisprotocol-compliantwithbothoftheseengines,youonlyneedtochangetheendpointinyourconfigurationfiles.

UsingAmazonElastiCache,youcanimplementanynumberofcachingpatterns.Themostcommonpatternisthecache-asidepatterndepictedinFigure10.1.Inthisscenario,theappserverchecksthecachefirsttoseeifitcontainsthedataitneeds.Ifthedatadoesnotexistinthecachenode,itwillquerythedatabaseandserializeandwritethequeryresultstothecache.Thenextuserrequestwillthenbeabletoreadthedatadirectlyfromthecacheinsteadofqueryingthedatabase.

Page 313: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

FIGURE10.1Commoncachingarchitecture

WhileitiscertainlypossibletobuildandmanageacacheclusteryourselfonAmazonElasticComputeCloud(AmazonEC2),AmazonElastiCacheallowsyoutooffloadtheheavyliftingofinstallation,patchmanagement,andmonitoringtoAWSsoyoucanfocusonyourapplicationinstead.AmazonElastiCachealsoprovidesanumberoffeaturestoenhancethereliabilityofcriticaldeployments.Whileitisrare,theunderlyingAmazonEC2instancescanbecomeimpaired.AmazonElastiCachecanautomaticallydetectandrecoverfromthefailureofacachenode.WiththeRedisengine,AmazonElastiCachemakesiteasytosetupreadreplicasandfailoverfromtheprimarytoareplicaintheeventofaproblem.

DataAccessPatternsRetrievingaflatkeyfromanin-memorycachewillalwaysbefasterthanthemostoptimizeddatabasequery.Youshouldevaluatetheaccesspatternofthedatabeforeyoudecidetostoreitincache.Agoodexampleofsomethingtocacheisthelistofproductsinacatalog.Forabusywebsite,thelistofitemscouldberetrievedthousandsoftimespersecond.Whileitmakessensetocachethemostheavilyrequesteditems,youcanalsobenefitfromcachingitemsthatarenotfrequentlyrequested.

Therearealsosomedataitemsthatshouldnotbecached.Forexample,ifyougenerateauniquepageeveryrequest,youprobablyshouldnotcachethepageresults.However,even

Page 314: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

thoughthepagechangeseverytime,itdoesmakesensetocachethecomponentsofthepagethatdonotchange.

CacheEnginesAmazonElastiCacheallowsyoutoquicklydeployclustersoftwodifferenttypesofpopularcacheengines:MemcachedandRedis.Atahighlevel,MemcachedandRedismayseemsimilar,buttheysupportavarietyofdifferentusecasesandprovidedifferentfunctionality.

MemcachedMemcachedprovidesaverysimpleinterfacethatallowsyoutowriteandreadobjectsintoin-memorykey/valuedatastores.WithAmazonElastiCache,youcanelasticallygrowandshrinkaclusterofMemcachednodestomeetyourdemands.Youcanpartitionyourclusterintoshardsandsupportparallelizedoperationsforveryhighperformancethroughput.Memcacheddealswithobjectsasblobsthatcanberetrievedusingauniquekey.Whatyouputintotheobjectisuptoyou,anditistypicallytheserializedresultsfromadatabasequery.Thiscouldbesimplestringvaluesorbinarydata.

AmazonElastiCachesupportsanumberofrecentversionsofMemcached.Asofearly2016,theservicesupportsMemcachedversion1.4.24,andalsoolderversionsgoingbackto1.4.5.WhenanewversionofMemcachedisreleased,AmazonElastiCachesimplifiestheupgradeprocessbyallowingyoutospinupanewclusterwiththelatestversion.

RedisInlate2013,AmazonElastiCacheaddedsupporttodeployRedisclusters.Atthetimeofthiswriting,theservicesupportsthedeploymentofRedisversion2.8.24,andalsoanumberofolderversions.BeyondtheobjectsupportprovidedinMemcached,Redissupportsarichsetofdatatypeslikesstrings,lists,andsets.

UnlikeMemcached,Redissupportstheabilitytopersistthein-memorydataontodisk.Thisallowsyoutocreatesnapshotsthatbackupyourdataandthenrecoverorreplicatefromthebackups.Redisclustersalsocansupportuptofivereadreplicastooffloadreadrequests.Intheeventoffailureoftheprimarynode,areadreplicacanbepromotedandbecomethenewmasterusingMulti-AZreplicationgroups.

Redisalsohasadvancedfeaturesthatmakeiteasytosortandrankdata.Somecommonusecasesincludebuildingaleaderboardforamobileapplicationorservingasahigh-speedmessagebrokerinadistributedsystem.WithaRediscluster,youcanleverageapublishandsubscribemessagingabstractionthatallowsyoutodecouplethecomponentsofyourapplications.Apublishandsubscribemessagingarchitecturegivesyoutheflexibilitytochangehowyouconsumethemessagesinthefuturewithoutaffectingthecomponentthatisproducingthemessagesinthefirstplace.

NodesandClustersEachdeploymentofAmazonElastiCacheconsistsofoneormorenodesinacluster.Therearemanydifferenttypesofnodesavailabletochoosefrombasedonyourusecaseandthenecessaryresources.AsingleMemcachedclustercancontainupto20nodes.Redisclustersarealwaysmadeupofasinglenode;however,multipleclusterscanbegroupedintoaRedisreplicationgroup.

TheindividualnodetypesarederivedfromasubsetoftheAmazonEC2instancetypefamilies,liket2,m3,andr3.Thespecificnodetypesmaychangeovertime,buttodaythey

Page 315: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

rangefromat2.micronodetypewith555MBofmemoryuptoanr3.8xlargewith237GBofmemory,withmanychoicesinbetween.Thet2cachenodefamilyisidealfordevelopmentandlow-volumeapplicationswithoccasionalbursts,butcertainfeaturesmaynotbeavailable.Them3familyisagoodblendofcomputeandmemory,whilether3familyisoptimizedformemory-intensiveworkloads.

Dependingonyourneeds,youmaychoosetohaveafewlargenodesormanysmallernodesinyourclusterorreplicationgroup.Asdemandforyourapplicationchanges,youmayalsoaddorremovenodesfromtimetotime.Eachnodetypecomeswithapreconfiguredamountofmemory,withasmallamountofthememoryallocatedtothecachingengineandoperatingsystemitself.

DesignforFailure

Whileitisunlikely,youshouldplanforthepotentialfailureofanindividualcachenode.ForMemcachedclusters,youcandecreasetheimpactofthefailureofacachenodebyusingalargernumberofnodeswithasmallercapacity,insteadofafewlargenodes.

IntheeventthatAmazonElastiCachedetectsthefailureofanode,itwillprovisionareplacementandadditbacktothecluster.Duringthistime,yourdatabasewillexperienceincreasedload,becauseanyrequeststhatwouldhavebeencachedwillnowneedtobereadfromthedatabase.ForRedisclusters,AmazonElastiCachewilldetectfailureandreplacetheprimarynode.IfaMulti-AZreplicationgroupisenabled,areadreplicacanbeautomaticallypromotedtoprimary.

MemcachedAutoDiscoveryForMemcachedclusterspartitionedacrossmultiplenodes,AmazonElastiCachesupportsAutoDiscoverywiththeprovidedclientlibrary.AutoDiscoverysimplifiesyourapplicationcodebynolongerneedingawarenessoftheinfrastructuretopologyofthecacheclusterinyourapplicationlayer.

UsingAutoDiscovery

TheAutoDiscoveryclientgivesyourapplicationstheabilitytoidentifyautomaticallyallofthenodesinacacheclusterandtoinitiateandmaintainconnectionstoallofthesenodes.TheAutoDiscoveryclientisavailablefor.NET,Java,andPHPplatforms.

ScalingAmazonElastiCacheallowsyoutoadjustthesizeofyourenvironmenttomeettheneedsofworkloadsastheyevolveovertime.Addingadditionalcachenodesallowsyoutoeasilyexpandhorizontallyandmeethigherlevelsofreadorwriteperformance.Youcanalsoselectdifferentclassesofcachenodestoscalevertically.

HorizontalScalingAmazonElastiCachealsoaddsadditionalfunctionalitythatallowsyoutoscalehorizontallythesizeofyourcacheenvironment.Thisfunctionalitydiffersdepending

Page 316: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

onthecacheengineyouhaveselected.WithMemcached,youcanpartitionyourdataandscalehorizontallyto20nodesormore.WithAutoDiscovery,yourapplicationcandiscoverMemcachednodesthatareaddedorremovedfromacluster.

ARedisclusterconsistsofasinglecachenodethatishandlingreadandwritetransactions.AdditionalclusterscanbecreatedandgroupedintoaRedisreplicationgroup.Whileyoucanonlyhaveonenodehandlingwritecommands,youcanhaveuptofivereadreplicashandlingread-onlyrequests.

VerticalScalingSupportforverticalscalingismorelimitedwithAmazonElastiCache.Ifyouliketochangethecachenodetypeandscalethecomputeresourcesvertically,theservicedoesnotdirectlyallowyoutoresizeyourclusterinthismanner.Youcan,however,quicklyspinupanewclusterwiththedesiredcachenodetypesandstartredirectingtraffictothenewcluster.It’simportanttounderstandthatanewMemcachedclusteralwaysstartsempty,whileaRedisclustercanbeinitializedfromabackup.

ReplicationandMulti-AZReplicationisausefultechniquetoproviderapidrecoveryintheeventofanodefailure,andalsotoserveupveryhighvolumesofreadqueriesbeyondthecapabilitiesofasinglenode.AmazonElastiCacheclustersrunningRedissupportbothofthesedesignrequirements.UnlikeRedis,cacheclustersrunningMemcachedarestandalonein-memoryserviceswithoutanyredundantdataprotectionservices.

CacheclustersrunningRedissupporttheconceptofreplicationgroups.Areplicationgroupconsistsofuptosixclusters,withfiveofthemdesignatedasreadreplicas.Thisallowsyoutoscalehorizontallybywritingcodeinyourapplicationtooffloadreadstooneofthefiveclones(seeFigure10.2).

Page 317: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

FIGURE10.2Redisreplicationgroup

Multi-AZReplicationGroupsYoucanalsocreateaMulti-AZreplicationgroupthatallowsyoutoincreaseavailabilityandminimizethelossofdata.Multi-AZsimplifiestheprocessofdealingwithafailurebyautomatingthereplacementandfailoverfromtheprimarynode.

Intheeventtheprimarynodefailsorcan’tbereached,Multi-AZwillselectandpromoteareadreplicatobecomethenewprimary,andanewnodewillbeprovisionedtoreplacethefailedone.AmazonElastiCachewillthenupdatetheDomainNameSystem(DNS)entryofthenewprimarynodetoallowyourapplicationtocontinueprocessingwithoutanyconfigurationchangeandwithonlyashortdisruption.

UnderstandThatReplicationIsAsynchronous

It’simportanttokeepinmindthatreplicationbetweentheclustersisperformedasynchronouslyandtherewillbeasmalldelaybeforedataisavailableonallclusternodes.

BackupandRecoveryAmazonElastiCacheclustersrunningRedisallowyoutopersistyourdatafromin-memoryto

Page 318: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

diskandcreateasnapshot.Eachsnapshotisafullcloneofthedatathatcanbeusedtorecovertoaspecificpointintimeortocreateacopyforotherpurposes.SnapshotscannotbecreatedforclustersusingtheMemcachedenginebecauseitisapurelyin-memorykey/valuestoreandalwaysstartsempty.AmazonElastiCacheusesthenativebackupcapabilitiesofRedisandwillgenerateastandardRedisdatabasebackupfilethatgetsstoredinAmazonSimpleStorageService(AmazonS3).

Snapshotsrequirecomputeandmemoryresourcestoperformandcanpotentiallyhaveaperformanceimpactonheavilyusedclusters.AmazonElastiCachewilltrydifferentbackuptechniquesdependingontheamountofmemorycurrentlyavailable.Abestpracticeistosetupareplicationgroupandperformasnapshotagainstoneofthereadreplicasinsteadoftheprimarynode.

Inadditiontomanuallyinitiatedsnapshots,snapshotscanbecreatedautomaticallybasedonaschedule.Youcanalsoconfigureawindowforthesnapshotoperationtobecompletedandspecifyhowmanydaysofbackupsyouwanttostore.Manualsnapshotsarestoredindefinitelyuntilyoudeletethem.

BackupRedisClusters

UseacombinationofautomaticandmanualsnapshotstomeetyourrecoveryobjectivesforyourRediscluster.Memcachedispurelyin-memoryanddoesnothavenativebackupcapabilities.

Whetherthesnapshotwascreatedautomaticallyormanually,thesnapshotcanthenbeusedtocreateanewclusteratanytime.Bydefault,thenewclusterwillhavethesameconfigurationasthesourcecluster,butyoucanoverridethesesettings.YoucanalsorestorefromanRDBfilegeneratedfromanyothercompatibleRediscluster.

AccessControlAccesstoyourAmazonElastiCacheclusteriscontrolledprimarilybyrestrictinginboundnetworkaccesstoyourcluster.Inboundnetworktrafficisrestrictedthroughtheuseofsecuritygroups.Eachsecuritygroupdefinesoneormoreinboundrulesthatrestrictthesourcetraffic.WhendeployedinsideofaVirtualPrivateCloud(VPC),eachnodewillbeissuedaprivateIPaddresswithinoneormoresubnetsthatyouselect.IndividualnodescanneverbeaccessedfromtheInternetorfromAmazonEC2instancesoutsidetheVPC.YoucanfurtherrestrictnetworkingressatthesubnetlevelbymodifyingthenetworkAccessControlLists(ACLs).

AccesstomanagetheconfigurationandinfrastructureoftheclusteriscontrolledseparatelyfromaccesstotheactualMemcachedorRedisserviceendpoint.UsingtheAWSIdentityandAccessManagement(IAM)service,youcandefinepoliciesthatcontrolwhichAWSuserscanmanagetheAmazonElastiCacheinfrastructureitself.

SomeofthekeyactionsanadministratorcanperformincludeCreateCacheCluster,ModifyCacheCluster,orDeleteCacheCluster.RedisclustersalsosupportCreateReplicationGroupandCreateSnapshotactions,amongothers.

Page 319: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

SummaryInthischapter,youlearnedaboutcachingenvironmentswithinthecloudusingAmazonElastiCache.YoucanquicklylaunchclustersrunningMemcachedorRedistostorefrequentlyuseddatain-memory.Cachingcanspeeduptheresponsetimeofyourapplications,reduceloadonyourback-enddatastores,andimprovetheuserexperience.

WithAmazonElastiCache,youcanoffloadtheadministrativetasksforprovisioningandoperatingclustersandfocusontheapplication.Eachcacheclustercontainsoneormorenodes.Selectfromarangeofnodetypestogivetherightmixofcomputeandmemoryresourcesforyourusecase.

YoucanexpandbothMemcachedandRedisclustersverticallybyselectingalargerorsmallernodetypetomatchyourneeds.WithAmazonElastiCacheandtheMemcachedengine,youcanalsoscaleyourclusterhorizontallybyaddingorremovingnodes.WithAmazonElastiCacheandtheRedisengine,youcanalsoscalehorizontallybycreatingareplicationgroupthatwillautomaticallyreplicateacrossmultiplereadreplicas.

StreamlineyourbackupandrecoveryprocessforRedisclusterswithAmazonElastiCache’sconsistentoperationalmodel.WhileMemcachedclustersarein-memoryonlyandcannotbepersisted,Redisclusterssupportbothautomatedandmanualsnapshots.Asnapshotcanthenberestoredtorecoverfromafailureortocloneanenvironment.

YoucansecureyourcacheenvironmentsatthenetworklevelwithsecuritygroupsandnetworkACLs,andattheinfrastructurelevelusingIAMpolicies.Securitygroupswillserveasyourprimaryaccesscontrolmechanismtorestrictinboundaccessforactiveclusters.

Youshouldanalyzeyourdatausagepatternsandidentifyfrequentlyrunqueriesorotherexpensiveoperationsthatcouldbecandidatesforcaching.Youcanrelievepressurefromyourdatabasebyoffloadingreadrequeststothecachetier.Dataelementsthatareaccessedoneverypageload,orwitheveryrequestbutdonotchange,areoftenprimecandidatesforcaching.Evendatathatchangesfrequentlycanoftenbenefitfrombeingcachedwithverylargerequestvolumes.

Page 320: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

ExamEssentialsKnowhowtouseAmazonElastiCache.ImprovetheperformanceofyourapplicationbydeployingAmazonElastiCacheclustersaspartofyourapplicationandoffloadingreadrequestsforfrequentlyaccesseddata.Usethecache-asidepatterninyourapplicationfirsttocheckthecacheforyourqueryresultsbeforecheckingthedatabase.

Understandwhentouseaspecificcacheengine.AmazonElastiCachegivesyouthechoiceofcacheenginetosuityourrequirements.UseMemcachedwhenyouneedasimple,in-memoryobjectstorethatcanbeeasilypartitionedandscaledhorizontally.UseRediswhenyouneedtobackupandrestoreyourdata,needmanyclonesorreadreplicas,orarelookingforadvancedfunctionalitylikesortandrankorleaderboardsthatRedisnativelysupports.

UnderstandhowtoscaleaRedisclusterhorizontally.AnAmazonElastiCacheclusterrunningRediscanbescaledhorizontallyfirstbycreatingareplicationgroup,thenbycreatingadditionalclustersandaddingthemtothereplicationgroup.

UnderstandhowtoscaleaMemcachedclusterhorizontally.AnAmazonElastiCacheclusterrunningMemcachedcanbescaledhorizontallybyaddingorremovingadditionalcachenodestothecluster.TheAmazonElastiCacheclientlibrarysupportsAutoDiscoveryandcandiscovernewnodesaddedorremovedfromtheclusterwithouthavingtohardcodethelistofnodes.

KnowhowtobackupyourAmazonElastiCachecluster.YoucancreateasnapshottobackupyourAmazonElastiCacheclustersrunningtheRedisengine.Snapshotscanbecreatedautomaticallyonadailybasisormanuallyondemand.AmazonElastiCacheclustersrunningMemcacheddonotsupportbackupandrestorenatively.

Page 321: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

ExercisesInthissection,youwillcreateacacheclusterusingAmazonElastiCache,expandtheclusterwithadditionalnodes,andfinallycreateareplicationgroupwithanAmazonElastiCacheRediscluster.

EXERCISE10.1

CreateanAmazonElastiCacheClusterRunningMemcachedInthisexercise,youwillcreateanAmazonElastiCacheclusterusingtheMemcachedengine.

1. WhilesignedintotheAWSManagementConsole,opentheAmazonElastiCacheservicedashboard.

2. BeginthelaunchandconfigurationprocesstocreateanewAmazonElastiCachecluster.

3. SelecttheMemcachedcacheengine,andconfiguretheclustername,numberofnodes,andnodetype.

4. Optionallyconfigurethesecuritygroupandmaintenancewindowasneeded.

5. Reviewtheclusterconfiguration,andbeginprovisioningthecluster.

6. ConnecttotheclusterwithanyMemcachedclientusingtheDNSnameofthecluster.

YouhavenowcreatedyourfirstAmazonElastiCachecluster.

Page 322: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

EXERCISE10.2

ExpandtheSizeofaMemcachedClusterInthisexercise,youwillexpandthesizeofanexistingAmazonElastiCacheMemcachedcluster.

1. LaunchaMemcachedclusterusingthestepsdefinedinExercise10.1.

2. GototheAmazonElastiCachedashboard,andviewthedetailsofyourexistingcluster.

3. Viewthelistofnodescurrentlyprovisioned,andthenaddoneadditionalnodebyincreasingthenumberofnodes.

4. Applytheconfigurationchange,andwaitforthenewnodetofinishtheprovisioningprocess.

5. Verifythatthenewnodehasbeencreated,andconnecttothenodeusingaMemcachedclient.

Inthisexercise,youhavehorizontallyscaledanexistingAmazonElastiCacheclusterbyaddingacachenode.

Page 323: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

EXERCISE10.3

CreateanAmazonElastiCacheClusterandRedisReplicationGroupInthisexercise,youwillcreateanAmazonElastiCacheclusterusingRedisnodes,createareplicationgroup,andsetupareadreplica.

1. SignintotheAWSManagementConsole,andnavigatetotheAmazonElastiCacheservicedashboard.

2. BegintheconfigurationandlaunchprocessforanewAmazonElastiCachecluster.

3. SelecttheRediscacheengine,andthenconfigureareplicationgroupandthenodetype.

4. Configureareadreplicabysettingthenumberofreadreplicasto1,andverifythatEnableReplicationandMulti-AZareselected.

5. AdjusttheAvailabilityZonesfortheprimaryandreadreplicaclusters,securitygroups,andmaintenancewindow,asneeded.

6. Reviewtheclusterconfiguration,andbeginprovisioningthecluster.

7. ConnecttotheprimarynodeandthereadreplicanodewithaRedisclientlibrary.Performasimplesetoperationontheprimarynode,andthenperformagetoperationwiththesamekeyonthereplica.

YouhavenowcreatedanAmazonElastiCacheclusterusingtheRedisengineandconfiguredareadreplica.

Page 324: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

ReviewQuestions1. Whichofthefollowingobjectsaregoodcandidatestostoreinacache?(Choose3answers)

A. Sessionstate

B. Shoppingcart

C. Productcatalog

D. Bankaccountbalance

2. WhichofthefollowingcacheenginesaresupportedbyAmazonElastiCache?(Choose2answers)

A. MySQL

B. Memcached

C. Redis

D. Couchbase

3. HowmanynodescanyouaddtoanAmazonElastiCacheclusterrunningMemcached?

A. 1

B. 5

C. 20

D. 100

4. HowmanynodescanyouaddtoanAmazonElastiCacheclusterrunningRedis?

A. 1

B. 5

C. 20

D. 100

5. AnapplicationcurrentlyusesMemcachedtocachefrequentlyuseddatabasequeries.WhichstepsarerequiredtomigratetheapplicationtouseAmazonElastiCachewithminimalchanges?(Choose2answers)

A. RecompiletheapplicationtousetheAmazonElastiCachelibraries.

B. UpdatetheconfigurationfilewiththeendpointfortheAmazonElastiCachecluster.

C. Configureasecuritygrouptoallowaccessfromtheapplicationservers.

D. ConnecttotheAmazonElastiCachenodesusingSecureShell(SSH)andinstallthelatestversionofMemcached.

6. HowcanyoubackupdatastoredinAmazonElastiCacherunningRedis?(Choose2answers)

Page 325: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

A. CreateanimageoftheAmazonElasticComputeCloud(AmazonEC2)instance.

B. Configureautomaticsnapshotstobackupthecacheenvironmenteverynight.

C. Createasnapshotmanually.

D. Redisclusterscannotbebackedup.

7. HowcanyousecureanAmazonElastiCachecluster?(Choose3answers)

A. ChangetheMemcachedrootpassword.

B. RestrictApplicationProgrammingInterface(API)actionsusingAWSIdentityandAccessManagement(IAM)policies.

C. Restrictnetworkaccessusingsecuritygroups.

D. RestrictnetworkaccessusinganetworkAccessControlList(ACL).

8. Youareworkingonamobilegamingapplicationandarebuildingtheleaderboardfeaturetotrackthetopscoresacrossmillionsofusers.WhichAWSservicesarebestsuitedforthisusecase?

A. AmazonRedshift

B. AmazonElastiCacheusingMemcached

C. AmazonElastiCacheusingRedis

D. AmazonSimpleStorageService(S3)

9. YouhavebuiltalargewebapplicationthatusesAmazonElastiCacheusingMemcachedtostorefrequentqueryresults.Youplantoexpandboththewebfleetandthecachefleetmultipletimesoverthenextyeartoaccommodateincreasedusertraffic.Howdoyouminimizetheamountofchangesrequiredwhenascalingeventoccurs?

A. ConfigureAutoDiscoveryontheclientside

B. ConfigureAutoDiscoveryontheserverside

C. Updatetheconfigurationfileeachtimeanewcluster

D. UseanElasticLoadBalancertoproxytherequests

10. WhichcacheenginesdoesAmazonElastiCachesupport?(Choose2answers)

A. Memcached

B. Redis

C. Membase

D. Couchbase

Page 326: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

Chapter11AdditionalKeyServicesTHEAWSCERTIFIEDSOLUTIONSARCHITECTASSOCIATEEXAMTOPICSOBJECTIVESCOVEREDINTHISCHAPTERMAYINCLUDE,BUTARENOTLIMITEDTO,THEFOLLOWING:Domain1.0:Designinghighlyavailable,cost-efficient,fault-tolerant,andscalablesystems

1.1Identifyandrecognizecloudarchitectureconsiderations,suchasfundamentalcomponentsandeffectivedesigns.

Contentmayincludethefollowing:

Howtodesigncloudservices

Planninganddesign

Monitoringandlogging

Domain2.0:Implementation/Deployment

2.1IdentifytheappropriatetechniquesandmethodsusingAmazonElasticComputeCloud(AmazonEC2),AmazonSimpleStorageService(AmazonS3),AWSElasticBeanstalk,AWSCloudFormation,AWSOpsWorks,AmazonVirtualPrivateCloud(AmazonVPC),andAWSIdentityandAccessManagement(IAM)tocodeandimplementacloudsolution.

Contentmayincludethefollowing:

Configureservicestosupportcompliancerequirementsinthecloud

LaunchinstancesacrosstheAWSglobalinfrastructure

Domain3.0:DataSecurity

3.1Recognizeandimplementsecurepracticesforoptimumclouddeploymentandmaintenance.

Contentmayincludethefollowing:

AWSplatformcompliance

AWSsecurityattributes(customerworkloadsdowntophysicallayer)

AWSadministrationandsecurityservices

AWSCloudTrail

Ingressvs.egressfilteringandwhichAWScloudservicesandfeaturesfit

Encryptionsolutions(e.g.,keyservices)

AWSTrustedAdvisor

3.2Recognizecriticaldisasterrecoverytechniquesandtheir

Page 327: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

implementation.

Contentmayincludethefollowing:

AWSImport/Export

AWSStorageGateway

Page 328: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

IntroductionBecauseSolutionsArchitectsareofteninvolvedinsolutionsacrossawidevarietyofbusinessverticalsandusecases,itisimportanttounderstandthebasicsofallAWScloudserviceofferings.ThischapterfocusesonadditionalkeyAWSservicesthatyoushouldknowatahighleveltobesuccessfulontheexam.Theseservicesaregroupedintofourcategories:StorageandContentDelivery,Security,Analytics,andDevOps.

Beforearchitectinganysystem,foundationalpracticesthatinfluencesecurityshouldbeinplace;forexample,providingdirectoriesthatcontainorganizationalinformationorhowencryptionprotectsdatabywayofrenderingitunintelligibletounauthorizedaccess.AsaSolutionsArchitect,understandingtheAWScloudservicesavailabletosupportanorganization’sdirectoriesandencryptionareimportantbecausetheysupportobjectivessuchasidentitymanagementorcomplyingwithregulatoryobligations.

Architectinganalyticalsolutionsiscriticalbecausetheamountofdatathatcompaniesneedtounderstandcontinuestogrowtorecordsizes.AWSprovidesanalyticservicesthatcanscaletoverylargedatastoresefficientlyandcost-effectively.UnderstandingtheseservicesallowsSolutionsArchitectstobuildvirtuallyanybigdataapplicationandsupportanyworkloadregardlessofvolume,velocity,andvarietyofdata.

DevOpsbecomesanimportantconceptasthepaceofinnovationacceleratesandcustomerneedsrapidlyevolve,forcingbusinessestobecomeincreasinglyagile.Timetomarketiskey,andtofacilitateoverallbusinessgoals,ITdepartmentsneedtobeagile.UnderstandingtheDevOpsoptionsthatareavailableonAWSwillhelpSolutionsArchitectsmeetthedemandsofagilebusinessesthatneedIToperationstodeployapplicationsinaconsistent,repeatable,andreliablemanner.

Understandingtheseadditionalserviceswillnotonlyhelpinyourexampreparation,butitwillalsohelpyouestablishafoundationforgrowingasaSolutionsArchitectontheAWSplatform.

Page 329: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

StorageandContentDeliveryThissectioncoverstwoadditionalstorageandcontentdeliveryservicesthatareimportantforaSolutionsArchitecttounderstand:AmazonCloudFrontandAWSStorageGateway.

AmazonCloudFrontAmazonCloudFrontisaglobalContentDeliveryNetwork(CDN)service.ItintegrateswithotherAWSproductstogivedevelopersandbusinessesaneasywaytodistributecontenttoenduserswithlowlatency,highdatatransferspeeds,andnominimumusagecommitments.

OverviewAContentDeliveryNetwork(CDN)isagloballydistributednetworkofcachingserversthatspeedupthedownloadingofwebpagesandothercontent.CDNsuseDomainNameSystem(DNS)geo-locationtodeterminethegeographiclocationofeachrequestforawebpageorothercontent,thentheyservethatcontentfromedgecachingserversclosesttothatlocationinsteadoftheoriginalwebserver.ACDNallowsyoutoincreasethescalabilityofawebsiteormobileapplicationeasilyinresponsetopeaktrafficspikes.Inmostcases,usingaCDNiscompletelytransparent—enduserssimplyexperiencebetterwebsiteperformance,whiletheloadonyouroriginalwebsiteisreduced.

AmazonCloudFrontisAWSCDN.ItcanbeusedtodeliveryourwebcontentusingAmazon’sglobalnetworkofedgelocations.Whenauserrequestscontentthatyou’reservingwithAmazonCloudFront,theuserisroutedtotheedgelocationthatprovidesthelowestlatency(timedelay),socontentisdeliveredwiththebestpossibleperformance.Ifthecontentisalreadyintheedgelocationwiththelowestlatency,AmazonCloudFrontdeliversitimmediately.Ifthecontentisnotcurrentlyinthatedgelocation,AmazonCloudFrontretrievesitfromtheoriginserver,suchasanAmazonSimpleStorageService(AmazonS3)bucketorawebserver,whichstorestheoriginal,definitiveversionsofyourfiles.

AmazonCloudFrontisoptimizedtoworkwithotherAWScloudservicesastheoriginserver,includingAmazonS3buckets,AmazonS3staticwebsites,AmazonElasticComputeCloud(AmazonEC2),andElasticLoadBalancing.AmazonCloudFrontalsoworksseamlesslywithanynon-AWSoriginserver,suchasanexistingon-premiseswebserver.AmazonCloudFrontalsointegrateswithAmazonRoute53.

AmazonCloudFrontsupportsallcontentthatcanbeservedoverHTTPorHTTPS.Thisincludesanypopularstaticfilesthatareapartofyourwebapplication,suchasHTMLfiles,images,JavaScript,andCSSfiles,andalsoaudio,video,mediafiles,orsoftwaredownloads.AmazonCloudFrontalsosupportsservingdynamicwebpages,soitcanactuallybeusedtodeliveryourentirewebsite.Finally,AmazonCloudFrontsupportsmediastreaming,usingbothHTTPandRTMP.

AmazonCloudFrontBasicsTherearethreecoreconceptsthatyouneedtounderstandinordertostartusingCloudFront:distributions,origins,andcachecontrol.Withtheseconcepts,youcaneasilyuseCloudFronttospeedupdeliveryofstaticcontentfromyourwebsites.

Page 330: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

DistributionsTouseAmazonCloudFront,youstartbycreatingadistribution,whichisidentifiedbyaDNSdomainnamesuchasd111111abcdef8.cloudfront.net.ToservefilesfromAmazonCloudFront,yousimplyusethedistributiondomainnameinplaceofyourwebsite’sdomainname;therestofthefilepathsstayunchanged.YoucanusetheAmazonCloudFrontdistributiondomainnameas-is,oryoucancreateauser-friendlyDNSnameinyourowndomainbycreatingaCNAMErecordinAmazonRoute53oranotherDNSservice.TheCNAMEisautomaticallyredirectedtoyourAmazonCloudFrontdistributiondomainname.

OriginsWhenyoucreateadistribution,youmustspecifytheDNSdomainnameoftheorigin—theAmazonS3bucketorHTTPserver—fromwhichyouwantAmazonCloudFronttogetthedefinitiveversionofyourobjects(webfiles).Forexample:

AmazonS3bucket:myawsbucket.s3.amazonaws.com

AmazonEC2instance:ec2–203–0–113–25.compute-1.amazonaws.com

ElasticLoadBalancingloadbalancer:my-load-balancer-1234567890.us-west-2.elb.amazonaws.com

WebsiteURL:mywebserver.mycompanydomain.com

CacheControlOncerequestedandservedfromanedgelocation,objectsstayinthecacheuntiltheyexpireorareevictedtomakeroomformorefrequentlyrequestedcontent.Bydefault,objectsexpirefromthecacheafter24hours.Onceanobjectexpires,thenextrequestresultsinAmazonCloudFrontforwardingtherequesttotheorigintoverifythattheobjectisunchangedortofetchanewversionifithaschanged.

Optionally,youcancontrolhowlongobjectsstayinanAmazonCloudFrontcachebeforeexpiring.Todothis,youcanchoosetouseCache-Controlheaderssetbyyouroriginserveroryoucansettheminimum,maximum,anddefaultTimetoLive(TTL)forobjectsinyourAmazonCloudFrontdistribution.

YoucanalsoremovecopiesofanobjectfromallAmazonCloudFrontedgelocationsatanytimebycallingtheinvalidationApplicationProgramInterface(API).ThisfeatureremovestheobjectfromeveryAmazonCloudFrontedgelocationregardlessoftheexpirationperiodyousetforthatobjectonyouroriginserver.Theinvalidationfeatureisdesignedtobeusedinunexpectedcircumstances,suchastocorrectanerrorortomakeanunanticipatedupdatetoawebsite,notaspartofyoureverydayworkflow.

Insteadofinvalidatingobjectsmanuallyorprogrammatically,itisabestpracticetouseaversionidentifieraspartoftheobject(file)pathname.Forexample:

Oldfile:assets/v1/css/narrow.css

Newfile:assets/v2/css/narrow.css

Whenusingversioning,usersalwaysseethelatestcontentthroughAmazonCloudFrontwhenyouupdateyoursitewithoutusinginvalidation.Oldversionswillexpirefromthecacheautomatically.

AmazonCloudFrontAdvancedFeaturesCloudFrontcandomuchmorethansimplyservestaticwebfiles.TostartusingCloudFront’sadvancedfeatures,youwillneedtounderstandhowtousecachebehaviors,andhowto

Page 331: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

restrictaccesstosensitivecontent.

DynamicContent,MultipleOrigins,andCacheBehaviorsServingstaticassets,suchasdescribedpreviously,isacommonwaytouseaCDN.AnAmazonCloudFrontdistribution,however,caneasilybesetuptoservedynamiccontentinadditiontostaticcontentandtousemorethanoneoriginserver.Youcontrolwhichrequestsareservedbywhichoriginandhowrequestsarecachedusingafeaturecalledcachebehaviors.

AcachebehaviorletsyouconfigureavarietyofAmazonCloudFrontfunctionalitiesforagivenURLpathpatternforfilesonyourwebsite.ForexampleseeFigure11.1.OnecachebehaviorappliestoallPHPfilesinawebserver(dynamiccontent),usingthepathpattern*.php,whileanotherbehaviorappliestoallJPEGimagesinanotheroriginserver(staticcontent),usingthepathpattern*.jpg.

FIGURE11.1Deliveringstaticanddynamiccontent

Thefunctionalityyoucanconfigureforeachcachebehaviorincludesthefollowing:

Thepathpattern

Whichorigintoforwardyourrequeststo

Whethertoforwardquerystringstoyourorigin

WhetheraccessingthespecifiedfilesrequiressignedURLs

WhethertorequireHTTPSaccess

TheamountoftimethatthosefilesstayintheAmazonCloudFrontcache(regardlessofthevalueofanyCache-Controlheadersthatyouroriginaddstothefiles)

Cachebehaviorsareappliedinorder;ifarequestdoesnotmatchthefirstpathpattern,itdropsdowntothenextpathpattern.Normallythelastpathpatternspecifiedis*tomatchallfiles.

Page 332: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

WholeWebsiteUsingcachebehaviorsandmultipleorigins,youcaneasilyuseAmazonCloudFronttoserveyourwholewebsiteandtosupportdifferentbehaviorsfordifferentclientdevices.

PrivateContentInmanycases,youmaywanttorestrictaccesstocontentinAmazonCloudFronttoonlyselectedrequestors,suchaspaidsubscribersortoapplicationsorusersinyourcompanynetwork.AmazonCloudFrontprovidesseveralmechanismstoallowyoutoserveprivatecontent.Theseinclude:

SignedURLsUseURLsthatarevalidonlybetweencertaintimesandoptionallyfromcertainIPaddresses.

SignedCookiesRequireauthenticationviapublicandprivatekeypairs.

OriginAccessIdentities(OAI)RestrictaccesstoanAmazonS3bucketonlytoaspecialAmazonCloudFrontuserassociatedwithyourdistribution.ThisistheeasiestwaytoensurethatcontentinabucketisonlyaccessedbyAmazonCloudFront.

UseCasesThereareseveralusecaseswhereAmazonCloudFrontisanexcellentchoice,including,butnotlimitedto:

ServingtheStaticAssetsofPopularWebsitesStaticassetssuchasimages,CSS,andJavaScripttraditionallymakeupthebulkofrequeststotypicalwebsites.UsingAmazonCloudFrontwillspeeduptheuserexperienceandreduceloadonthewebsiteitself.

ServingaWholeWebsiteorWebApplicationAmazonCloudFrontcanserveawholewebsitecontainingbothdynamicandstaticcontentbyusingmultipleorigins,cachebehaviors,andshortTTLsfordynamiccontent.

ServingContenttoUsersWhoAreWidelyDistributedGeographicallyAmazonCloudFrontwillimprovesiteperformance,especiallyfordistantusers,andreducetheloadonyouroriginserver.

DistributingSoftwareorOtherLargeFilesAmazonCloudFrontwillhelpspeedupthedownloadofthesefilestoendusers.

ServingStreamingMediaAmazonCloudFronthelpsservestreamingmedia,suchasaudioandvideo.

TherearealsousecaseswhereCloudFrontisnotappropriate,including:

AllorMostRequestsComeFromaSingleLocationIfallormostofyourrequestscomefromasinglegeographiclocation,suchasalargecorporatecampus,youwillnottakeadvantageofmultipleedgelocations.

AllorMostRequestsComeThroughaCorporateVPNSimilarly,ifyourusersconnectviaacorporateVirtualPrivateNetwork(VPN),eveniftheyaredistributed,userrequestsappeartoCloudFronttooriginatefromoneorafewlocations.TheseusecaseswillgenerallynotseebenefitfromusingAmazonCloudFront.

AWSStorageGatewayAWSStorageGatewayisaserviceconnectinganon-premisessoftwareappliancewithcloud-

Page 333: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

basedstoragetoprovideseamlessandsecureintegrationbetweenanorganization’son-premisesITenvironmentandAWSstorageinfrastructure.TheserviceenablesyoutostoredatasecurelyontheAWScloudinascalableandcost-effectivemanner.AWSStorageGatewaysupportsindustry-standardstorageprotocolsthatworkwithyourexistingapplications.Itprovideslow-latencyperformancebycachingfrequentlyaccesseddataon-premiseswhileencryptingandstoringallofyourdatainAmazonS3orAmazonGlacier.

OverviewAWSStorageGateway’ssoftwareapplianceisavailablefordownloadasaVirtualMachine(VM)imagethatyouinstallonahostinyourdatacenterandthenregisterwithyourAWSaccountthroughtheAWSManagementConsole.ThestorageassociatedwiththeapplianceisexposedasaniSCSIdevicethatcanbemountedbyyouron-premisesapplications.

TherearethreeconfigurationsforAWSStorageGateway:Gateway-Cachedvolumes,Gateway-Storedvolumes,andGateway-VirtualTapeLibraries(VTL).

Gateway-CachedVolumesGateway-CachedvolumesallowyoutoexpandyourlocalstoragecapacityintoAmazonS3.AlldatastoredonaGateway-CachedvolumeismovedtoAmazonS3,whilerecentlyreaddataisretainedinlocalstoragetoprovidelow-latencyaccess.Whileeachvolumeislimitedtoamaximumsizeof32TB,asinglegatewaycansupportupto32volumesforamaximumstorageof1PB.

Point-in-timesnapshotscanbetakentobackupyourAWSStorageGateway.Thesesnapshotsareperformedincrementally,andonlythedatathathaschangedsincethelastsnapshotisstored.

AllGateway-CachedvolumedataandsnapshotdataistransferredtoAmazonS3overencryptedSecureSocketsLayer(SSL)connections.ItisencryptedatrestinAmazonS3usingServer-SideEncryption(SSE).However,youcannotdirectlyaccessthisdatawiththeAmazonS3APIorothertoolssuchastheAmazonS3console;insteadyoumustaccessitthroughtheAWSStorageGatewayservice.

Gateway-StoredVolumesGateway-Storedvolumesallowyoutostoreyourdataonyouron-premisesstorageandasynchronouslybackupthatdatatoAmazonS3.Thisprovideslow-latencyaccesstoalldata,whilealsoprovidingoff-sitebackupstakingadvantageofthedurabilityofAmazonS3.ThedataisbackedupintheformofAmazonElasticBlockStore(AmazonEBS)snapshots.Whileeachvolumeislimitedtoamaximumsizeof16TB,asinglegatewaycansupportupto32volumesforamaximumstorageof512TB.

SimilartoGateway-Cachedvolumes,youcantakesnapshotsofyourGateway-Storedvolumes.ThegatewaystoresthesesnapshotsinAmazonS3asAmazonEBSsnapshots.Whenyoutakeanewsnapshot,onlythedatathathaschangedsinceyourlastsnapshotisstored.Youcaninitiatesnapshotsonascheduledorone-timebasis.BecausethesesnapshotsarestoredasAmazonEBSsnapshots,youcancreateanewAmazonEBSvolumefromaGateway-Storedvolume.

AllGateway-StoredvolumedataandsnapshotdataistransferredtoAmazonS3overencryptedSSLconnections.ItisencryptedatrestinAmazonS3usingSSE.However,youcannotaccessthisdatawiththeAmazonS3APIorothertoolssuchastheAmazonS3console.

Page 334: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

Ifyouron-premisesapplianceorevenentiredatacenterbecomesunavailable,thedatainAWSStorageGatewaycanstillberetrieved.Ifit’sonlytheappliancethatisunavailable,anewappliancecanbelaunchedinthedatacenterandattachedtotheexistingAWSStorageGateway.AnewappliancecanalsobelaunchedinanotherdatacenterorevenonanAmazonEC2instanceonthecloud.

GatewayVirtualTapeLibraries(VTL)Gateway-VTLoffersadurable,cost-effectivesolutiontoarchiveyourdataontheAWScloud.TheVTLinterfaceletsyouleverageyourexistingtape-basedbackupapplicationinfrastructuretostoredataonvirtualtapecartridgesthatyoucreateonyourGateway-VTL.

Avirtualtapeisanalogoustoaphysicaltapecartridge,exceptthedataisstoredontheAWScloud.Tapesarecreatedblankthroughtheconsoleorprogrammaticallyandthenfilledwithbackedupdata.Agatewaycancontainupto1,500tapes(1PB)oftotaltapedata.Virtualtapesappearinyourgateway’sVTL,avirtualizedversionofaphysicaltapelibrary.Virtualtapesarediscoveredbyyourbackupapplicationusingitsstandardmediainventoryprocedure.

Whenyourtapesoftwareejectsatape,itisarchivedonaVirtualTapeShelf(VTS)andstoredinAmazonGlacier.You’reallowed1VTSperAWSregion,butmultiplegatewaysinthesameregioncanshareaVTS.

UseCasesThereareseveralusecaseswhereAWSStorageGatewayisanexcellentchoice,including,butnotlimitedto:

Gateway-CachedvolumesenableyoutoexpandlocalstoragehardwaretoAmazonS3,allowingyoutostoremuchmoredatawithoutdrasticallyincreasingyourstoragehardwareorchangingyourstorageprocesses.

Gateway-Storedvolumesprovideseamless,asynchronous,andsecurebackupofyouron-premisesstoragewithoutnewprocessesorhardware.

Gateway-VTLsenableyoutokeepyourcurrenttapebackupsoftwareandprocesseswhilestoringyourdatamorecost-effectivelyandsimplyonthecloud.

Page 335: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

SecurityCloudsecurityatAWSisthehighestpriority.AWScustomersbenefitfromdatacentersandnetworkarchitecturesbuilttomeettherequirementsofthemostsecurity-sensitiveorganizations.

AnadvantageoftheAWScloudisthatitallowscustomerstoscaleandinnovatewhilemaintainingasecureenvironment.Cloudsecurityismuchlikesecurityinyouron-premisesdatacenters,onlywithoutthecostsofmaintainingfacilitiesandhardware.Inthecloud,youdon’thavetomanagephysicalserversorstoragedevices.Instead,youusesoftware-basedsecuritytoolstomonitorandprotecttheflowofinformationintoandofoutofyourcloudresources.

ThissectionwillfocusonfourAWSservicesthataredirectlyrelatedtothespecificsecuritypurposes:AWSDirectoryServiceforidentitymanagement,AWSKeyManagementService(KMS),AWSCloudHSMforkeymanagement,andAWSCloudTrailforauditing.

AWSDirectoryServiceAWSDirectoryServiceisamanagedserviceofferingthatprovidesdirectoriesthatcontaininformationaboutyourorganization,includingusers,groups,computers,andotherresources.

OverviewYoucanchoosefromthreedirectorytypes:

AWSDirectoryServiceforMicrosoftActiveDirectory(EnterpriseEdition),alsoreferredtoasMicrosoftAD

SimpleAD

ADConnector

Asamanagedoffering,AWSDirectoryServiceisdesignedtoreduceidentitymanagementtasks,therebyallowingyoutofocusmoreofyourtimeandresourcesonyourbusiness.Thereisnoneedtobuildoutyourowncomplex,highly-availabledirectorytopologybecauseeachdirectoryisdeployedacrossmultipleAvailabilityZones,andmonitoringautomaticallydetectsandreplacesdomaincontrollersthatfail.Inaddition,datareplicationandautomateddailysnapshotsareconfiguredforyou.Thereisnosoftwaretoinstall,andAWShandlesallofthepatchingandsoftwareupdates.

AWSDirectoryServiceforMicrosoftActiveDirectory(EnterpriseEdition)AWSDirectoryServiceforMicrosoftActiveDirectory(EnterpriseEdition)isamanagedMicrosoftActiveDirectoryhostedontheAWScloud.ItprovidesmuchofthefunctionalityofferedbyMicrosoftActiveDirectoryplusintegrationwithAWSapplications.WiththeadditionalActiveDirectoryfunctionality,youcan,forexample,easilysetuptrustrelationshipswithyourexistingActiveDirectorydomainstoextendthosedirectoriestoAWScloudservices.

SimpleADSimpleADisaMicrosoftActiveDirectory-compatibledirectoryfromAWSDirectoryServicethatispoweredbySamba4.SimpleADsupportscommonlyusedActive

Page 336: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

Directoryfeaturessuchasuseraccounts,groupmemberships,domain-joiningAmazonEC2instancesrunningLinuxandMicrosoftWindows,Kerberos-basedSingleSign-On(SSO),andgrouppolicies.ThismakesiteveneasiertomanageAmazonEC2instancesrunningLinuxandWindowsanddeployWindowsapplicationsontheAWScloud.

ManyoftheapplicationsandtoolsyouusetodaythatrequireMicrosoftActiveDirectorysupportcanbeusedwithSimpleAD.UseraccountsinSimpleADcanalsoaccessAWSapplications,suchasAmazonWorkSpaces,AmazonWorkDocs,orAmazonWorkMail.TheycanalsouseAWSIAMrolestoaccesstheAWSManagementConsoleandmanageAWSresources.Finally,SimpleADprovidesdailyautomatedsnapshotstoenablepoint-in-timerecovery.

NotethatyoucannotsetuptrustrelationshipsbetweenSimpleADandotherActiveDirectorydomains.OtherfeaturesnotsupportedatthetimeofthiswritingbySimpleADincludeDNSdynamicupdate,schemaextensions,Multi-FactorAuthentication(MFA),communicationoverLightweightDirectoryAccessProtocol(LDAP),PowerShellADcmdlets,andthetransferofFlexibleSingle-MasterOperations(FSMO)roles.

ADConnectorADConnectorisaproxyserviceforconnectingyouron-premisesMicrosoftActiveDirectorytotheAWScloudwithoutrequiringcomplexdirectorysynchronizationorthecostandcomplexityofhostingafederationinfrastructure.

ADConnectorforwardssign-inrequeststoyourActiveDirectorydomaincontrollersforauthenticationandprovidestheabilityforapplicationstoquerythedirectoryfordata.Aftersetup,youruserscanusetheirexistingcorporatecredentialstologontoAWSapplications,suchasAmazonWorkSpaces,AmazonWorkDocs,orAmazonWorkMail.WiththeproperIAMpermissions,theycanalsoaccesstheAWSManagementConsoleandmanageAWSresourcessuchasAmazonEC2instancesorAmazonS3buckets.YoucanalsouseADConnectortoenableMFAbyintegratingitwithyourexistingRemoteAuthenticationDial-UpService(RADIUS)-basedMFAinfrastructuretoprovideanadditionallayerofsecuritywhenusersaccessAWSapplications.

WithADConnector,youcontinuetomanageyourActiveDirectoryasusual.Forexample,addingnewusers,addingnewgroups,orupdatingpasswordsareallaccomplishedusingstandarddirectoryadministrationtoolswithyouron-premisesdirectory.Thus,inadditiontoprovidingastreamlinedexperienceforyourusers,ADConnectorenablesconsistentenforcementofyourexistingsecuritypolicies,suchaspasswordexpiration,passwordhistory,andaccountlockouts,whetherusersareaccessingresourceson-premisesorontheAWScloud.

UseCasesAWSDirectoryServiceprovidesmultiplewaystouseMicrosoftActiveDirectorywithotherAWScloudservices.Youcanchoosethedirectoryservicewiththefeaturesyouneedatacostthatfitsyourbudget.

AWSDirectoryServiceforMicrosoftActiveDirectory(EnterpriseEdition)ThisDirectoryServiceisyourbestchoiceifyouhavemorethan5,000usersandneedatrustrelationshipsetupbetweenanAWS-hosteddirectoryandyouron-premisesdirectories.

SimpleADInmostcases,SimpleADistheleastexpensiveoptionandyourbestchoiceif

Page 337: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

youhave5,000orfewerusersanddon’tneedthemoreadvancedMicrosoftActiveDirectoryfeatures.

ADConnectorADConnectorisyourbestchoicewhenyouwanttouseyourexistingon-premisesdirectorywithAWScloudservices.

AWSKeyManagementService(KMS)andAWSCloudHSMKeymanagementisthemanagementofcryptographickeyswithinacryptosystem.Thisincludesdealingwiththegeneration,exchange,storage,use,andreplacementofkeys.

OverviewAWSofferstwoservicesthatprovideyouwiththeabilitytomanageyourownsymmetricorasymmetriccryptographickeys:

AWSKMS:Aserviceenablingyoutogenerate,store,enable/disable,anddeletesymmetrickeys

AWSCloudHSM:AserviceprovidingyouwithsecurecryptographickeystoragebymakingHardwareSecurityModules(HSMs)availableontheAWScloud

AWSKeyManagementService(AWSKMS)AWSKMSisamanagedservicethatmakesiteasyforyoutocreateandcontroltheencryptionkeysusedtoencryptyourdata.AWSKMSletsyoucreatekeysthatcanneverbeexportedfromtheserviceandthatcanbeusedtoencryptanddecryptdatabasedonpoliciesyoudefine.

ByusingAWSKMS,yougainmorecontroloveraccesstodatayouencrypt.YoucanusethekeymanagementandcryptographicfeaturesdirectlyinyourapplicationsorthroughAWScloudservicesthatareintegratedwithAWSKMS.WhetheryouarewritingapplicationsforAWSorusingAWScloudservices,AWSKMSenablesyoutomaintaincontroloverwhocanuseyourkeysandgainaccesstoyourencrypteddata.

Page 338: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

CustomerManagedKeysAWSKMSusesatypeofkeycalledaCustomerMasterKey(CMK)toencryptanddecryptdata.CMKsarethefundamentalresourcesthatAWSKMSmanages.TheycanbeusedinsideofAWSKMStoencryptordecryptupto4KBofdatadirectly.Theycanalsobeusedtoencryptgenerateddatakeysthatarethenusedtoencryptordecryptlargeramountsofdataoutsideoftheservice.CMKscanneverleaveAWSKMSunencrypted,butdatakeyscanleavetheserviceunencrypted.

DataKeysYouusedatakeystoencryptlargedataobjectswithinyourownapplicationoutsideAWSKMS.WhenyoucallGenerateDataKey,AWSKMSreturnsaplaintextversionofthekeyandciphertextthatcontainsthekeyencryptedunderthespecifiedCMK.AWSKMStrackswhichCMKwasusedtoencryptthedatakey.Youusetheplaintextdatakeyinyourapplicationtoencryptdata,andyoutypicallystoretheencryptedkeyalongsideyourencrypteddata.Securitybestpracticessuggestthatyoushouldremovetheplaintextkeyfrommemoryassoonasispracticalafteruse.Todecryptdatainyourapplication,passtheencrypteddatakeytotheDecryptfunction.AWSKMSusestheassociatedCMKtodecryptandretrieveyourplaintextdatakey.Usetheplaintextkeytodecryptyourdata,andthenremovethekeyfrommemory.

EnvelopeEncryptionAWSKMSusesenvelopeencryptiontoprotectdata.AWSKMScreatesadatakey,encryptsitunderaCMK,andreturnsplaintextandencryptedversionsofthedatakeytoyou.Youusetheplaintextkeytoencryptdataandstoretheencryptedkeyalongsidetheencrypteddata.Thekeyshouldberemovedfrommemoryassoonasispracticalafteruse.Youcanretrieveaplaintextdatakeyonlyifyouhavetheencrypteddatakeyandyouhavepermissiontousethecorrespondingmasterkey.

EncryptionContextAllAWSKMScryptographicoperationsacceptanoptionalkey/valuemapofadditionalcontextualinformationcalledanencryptioncontext.Thespecifiedcontextmustbethesameforboththeencryptanddecryptoperationsordecryptionwillnotsucceed.Theencryptioncontextislogged,canbeusedforadditionalauditing,andisavailableascontextintheAWSpolicylanguageforfine-grainedpolicy-basedauthorization.

AWSCloudHSMAWSCloudHSMhelpsyoumeetcorporate,contractual,andregulatorycompliancerequirementsfordatasecuritybyusingdedicatedHSMapplianceswithintheAWScloud.AnHSMisahardwareappliancethatprovidessecurekeystorageandcryptographicoperationswithinatamper-resistanthardwaremodule.HSMsaredesignedtosecurelystorecryptographickeymaterialandusethekeymaterialwithoutexposingitoutsidethecryptographicboundaryoftheappliance.

TherecommendedconfigurationforusingAWSCloudHSMistousetwoHSMsconfiguredinahigh-availabilityconfiguration,asillustratedinFigure11.2.

Page 339: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

FIGURE11.2HighavailabilityCloudHSMarchitecture

AWSCloudHSMallowsyoutoprotectyourencryptionkeyswithinHSMsthataredesignedandvalidatedtogovernmentstandardsforsecurekeymanagement.Youcansecurelygenerate,store,andmanagethecryptographickeysusedfordataencryptioninawaythatensuresthatonlyyouhaveaccesstothekeys.AWSCloudHSMhelpsyoucomplywithstrictkeymanagementrequirementswithintheAWScloudwithoutsacrificingapplicationperformance.

UseCasesTheAWSkeymanagementservicesaddressseveralsecurityneedsthatwouldrequireextensiveefforttodeployandmanageotherwise,including,butnotlimitedto:

ScalableSymmetricKeyDistributionSymmetricencryptionalgorithmsrequirethatthesamekeybeusedforbothencryptinganddecryptingthedata.Thisisproblematicbecausetransferringthekeyfromthesendertothereceivermustbedoneeitherthroughaknownsecurechannelorsome“outofband”process.

Government-ValidatedCryptographyCertaintypesofdata(forexample,PaymentCardIndustry—PCI—orhealthinformationrecords)mustbeprotectedwithcryptographythathasbeenvalidatedbyanoutsidepartyasconformingtothealgorithm(s)assertedbytheclaimingparty.

AWSCloudTrailAWSCloudTrailprovidesvisibilityintouseractivitybyrecordingAPIcallsmadeonyouraccount.AWSCloudTrailrecordsimportantinformationabouteachAPIcall,includingthenameoftheAPI,theidentityofthecaller,thetimeoftheAPIcall,therequestparameters,andtheresponseelementsreturnedbytheAWSservice.ThisinformationhelpsyoutotrackchangesmadetoyourAWSresourcesandtotroubleshootoperationalissues.AWSCloudTrailmakesiteasiertoensurecompliancewithinternalpoliciesandregulatorystandards.

Overview

Page 340: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

AWSCloudTrailcapturesAWSAPIcallsandrelatedeventsmadebyoronbehalfofanAWSaccountanddeliverslogfilestoanAmazonS3bucketthatyouspecify.Optionally,youcanconfigureAWSCloudTrailtodelivereventstoaloggroupmonitoredbyAmazonCloudWatchLogs.YoucanalsochoosetoreceiveAmazonSimpleNotificationService(AmazonSNS)notificationseachtimealogfileisdeliveredtoyourbucket.YoucancreateatrailwiththeAWSCloudTrailconsole,theAWSCommandLineInterface(CLI),ortheAWSCloudTrailAPI.AtrailisaconfigurationthatenablesloggingoftheAWSAPIactivityandrelatedeventsinyouraccount.

Youcancreatetwotypesoftrails:

ATrailThatAppliestoAllRegionsWhenyoucreateatrailthatappliestoallAWSregions,AWSCloudTrailcreatesthesametrailineachregion,recordsthelogfilesineachregion,anddeliversthelogfilestothesingleAmazonS3bucket(andoptionallytotheAmazonCloudWatchLogsloggroup)thatyouspecify.ThisisthedefaultoptionwhenyoucreateatrailusingtheAWSCloudTrailconsole.IfyouchoosetoreceiveAmazonSNSnotificationsforlogfiledeliveries,oneAmazonSNStopicwillsufficeforallregions.IfyouchoosetohaveAWSCloudTrailsendeventsfromatrailthatappliestoallregionstoanAmazonCloudWatchLogsloggroup,eventsfromallregionswillbesenttothesingleloggroup.

ATrailThatAppliestoOneRegionYouspecifyabucketthatreceiveseventsonlyfromthatregion.Thebucketcanbeinanyregionthatyouspecify.Ifyoucreateadditionalindividualtrailsthatapplytospecificregions,youcanhavethosetrailsdelivereventlogstoasingleAmazonS3bucket.

Bydefault,yourlogfilesareencryptedusingAmazonS3SSE.Youcanstoreyourlogfilesinyourbucketforaslongasyouwant,butyoucanalsodefineAmazonS3lifecyclerulestoarchiveordeletelogfilesautomatically.

AWSCloudTrailtypicallydeliverslogfileswithin15minutesofanAPIcall.Inaddition,theservicepublishesnewlogfilesmultipletimesanhour,usuallyabouteveryfiveminutes.TheselogfilescontainAPIcallsfromalloftheaccount’sservicesthatsupportAWSCloudTrail.

EnableAWSCloudTrailonallofyourAWSaccounts.Insteadofconfiguringatrailforoneregion,youshouldenabletrailsforallregions.

UseCasesAWSCloudTrailisbeneficialforseveralusecases:

ExternalComplianceAuditsYourbusinessmustdemonstratecompliancetoasetofregulationspertinenttosomeoralldatabeingtransmitted,processed,andstoredwithinyourAWSaccounts.EventsfromAWSCloudTrailcanbeusedtoshowthedegreetowhichyouarecompliantwiththeregulations.

UnauthorizedAccesstoYourAWSAccountAWSCloudTrailrecordsallsign-onattemptstoyourAWSaccount,includingAWSManagementConsoleloginattempts,AWS

Page 341: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

SoftwareDevelopmentKit(SDK)APIcalls,andAWSCLIAPIcalls.RoutineexaminationofAWSCloudTraileventswillprovidetheneededinformationtodetermineifyourAWSaccountisbeingtargetedforunauthorizedaccess.

Page 342: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

AnalyticsAnalytics,andtheassociatedbigdatathatitrequires,presentsauniquelistofchallengestoaSolutionsArchitect.Thebigdatamustbeingestedataveryhighrate,storedinveryhighvolume,andprocessedwithatremendousamountofcompute.Often,theneedtoperformanalyticsonthebigdataissporadic,withagreatdealofcomputeinfrastructureneededregularlyforverysmalltimeperiods.Thecloud,withitseasyaccesstocomputeandnearlylimitlessstoragecapacity,isideallysuitedtoaddresstheseanalyticschallenges.ThissectioncoversseveralAWScloudservicesthatwillhelpyouaddressanalyticsandbigdataissuesontheexam.

AmazonKinesisAmazonKinesisisaplatformforhandlingmassivestreamingdataonAWS,offeringpowerfulservicestomakeiteasytoloadandanalyzestreamingdataandalsoprovidingtheabilityforyoutobuildcustomstreamingdataapplicationsforspecializedneeds.

OverviewAmazonKinesisisastreamingdataplatformconsistingofthreeservicesaddressingdifferentreal-timestreamingdatachallenges:

AmazonKinesisFirehose:AserviceenablingyoutoloadmassivevolumesofstreamingdataintoAWS

AmazonKinesisStreams:Aserviceenablingyoutobuildcustomapplicationsformorecomplexanalysisofstreamingdatainrealtime

AmazonKinesisAnalytics:AserviceenablingyoutoeasilyanalyzestreamingdatarealtimewithstandardSQL

Eachoftheseservicescanscaletohandlevirtuallylimitlessdatastreams.

AmazonKinesisFirehoseAmazonKinesisFirehosereceivesstreamdataandstoresitinAmazonS3,AmazonRedshift,orAmazonElasticsearch.Youdonotneedtowriteanycode;justcreateadeliverystreamandconfigurethedestinationforyourdata.ClientswritedatatothestreamusinganAWSAPIcallandthedataisautomaticallysenttotheproperdestination.ThevariousdestinationoptionsareshowninFigure11.3.

Page 343: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

FIGURE11.3AmazonKinesisFirehose

WhenconfiguredtosaveastreamtoAmazonS3,AmazonKinesisFirehosesendsthedatadirectlytoAmazonS3.ForanAmazonRedshiftdestination,thedataisfirstwrittentoAmazonS3,andthenanAmazonRedshiftCOPYcommandisexecutedtoloadthedataintoAmazonRedshift.AmazonKinesisFirehosecanalsowritedataouttoAmazonElasticsearch,withtheoptiontobackthedataupconcurrentlytoAmazonS3.

AmazonKinesisStreamsAmazonKinesisStreamsenableyoutocollectandprocesslargestreamsofdatarecordsinrealtime.UsingAWSSDKs,youcancreateanAmazonKinesisStreamsapplicationthatprocessesthedataasitmovesthroughthestream.Becauseresponsetimefordataintakeandprocessingisinnearrealtime,theprocessingistypicallylightweight.AmazonKinesisStreamscanscaletosupportnearlylimitlessdatastreamsbydistributingincomingdataacrossanumberofshards.Ifanyshardbecomestoobusy,itcanbefurtherdividedintomoreshardstodistributetheloadfurther.Theprocessingisthenexecutedonconsumers,whichreaddatafromtheshardsandruntheAmazonKinesisStreamsapplication.ThisarchitectureisshowninFigure11.4.

Page 344: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

FIGURE11.4AmazonKinesisStreams

AmazonKinesisAnalyticsAtthetimeofthiswriting,AmazonKinesisAnalyticshasbeenannouncedbutnotyetreleased.

UseCasesTheAmazonKinesisservicessupportmanystrategicworkloadsthatwouldotherwiserequireextensiveefforttodeployandmanage,including,butnotlimitedto:

DataIngestionThefirstchallengewithahugestreamofdataisacceptingitreliably.Whetheritisuserdatafromhighlytraffickedwebsites,inputdatafromthousandsofmonitoringdevices,oranyothersourcesofhugestreams,AmazonKinesisFirehoseisanexcellentchoicetoensurethatallofyourdataissuccessfullystoredinyourAWSinfrastructure.

Real-TimeProcessingofMassiveDataStreamsCompaniesoftenneedtoactonknowledgegleanedfromabigdatastreamrightaway,whethertofeedadashboardapplication,alteradvertisingstrategiesbasedonsocialmediatrends,allocateassetsbasedonreal-timesituations,orahostofotherscenarios.AmazonKinesisStreamsenablesyoutogatherthisknowledgefromthedatainyourstreamonareal-timebasis.

It’sgoodtorememberthatwhileAmazonKinesisisideallysuitedforingestingandprocessingstreamsofdata,itislessappropriateforbatchjobssuchasnightlyExtract,Transform,Load(ETL)processes.Forthosetypesofworkloads,considerAWSDataPipeline,whichisdescribedlaterinthischapter.

AmazonElasticMapReduce(AmazonEMR)AmazonElasticMapReduce(AmazonEMR)providesyouwithafullymanaged,on-demandHadoopframework.AmazonEMRreducesthecomplexityandup-frontcostsofsettingupHadoopand,combinedwiththescaleofAWS,givesyoutheabilitytospinuplargeHadoopclustersinstantlyandstartprocessingwithinminutes.

Page 345: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

OverviewWhenyoulaunchanAmazonEMRcluster,youspecifyseveraloptions,themostimportantbeing:

Theinstancetypeofthenodesinyourcluster

Thenumberofnodesinyourcluster

TheversionofHadoopyouwanttorun(AmazonEMRsupportsseveralrecentversionsofApacheHadoop,andalsoseveralversionsofMapRHadoop.)

AdditionaltoolsorapplicationslikeHive,Pig,Spark,orPresto

TherearetwotypesofstoragethatcanbeusedwithAmazonEMR:

HadoopDistributedFileSystem(HDFS)HDFSisthestandardfilesystemthatcomeswithHadoop.Alldataisreplicatedacrossmultipleinstancestoensuredurability.AmazonEMRcanuseAmazonEC2instancestorageorAmazonEBSforHDFS.Whenaclusterisshutdown,instancestorageislostandthedatadoesnotpersist.HDFScanalsomakeuseofAmazonEBSstorage,tradinginthecosteffectivenessofinstancestoragefortheabilitytoshutdownaclusterwithoutlosingdata.

EMRFileSystem(EMRFS)EMRFSisanimplementationofHDFSthatallowsclusterstostoredataonAmazonS3.EMRFSallowsyoutogetthedurabilityandlowcostofAmazonS3whilepreservingyourdataeveniftheclusterisshutdown.

Akeyfactordrivingthetypeofstorageaclusterusesiswhethertheclusterispersistentortransient.Apersistentclustercontinuestorun24×7afteritislaunched.Persistentclustersareappropriatewhencontinuousanalysisisgoingtoberunonthedata.Forpersistentclusters,HDFSisacommonchoice.PersistentclusterstakeadvantageofthelowlatencyofHDFS,especiallyoninstancestorage,whenconstantoperationmeansnodatalostwhenshuttingdownacluster.Inothersituations,bigdataworkloadsarefrequentlyruninconsistently,anditcanbecost-effectivetoturntheclusteroffwhennotinuse.Clustersthatarestartedwhenneededandthenimmediatelystoppedwhendonearecalledtransientclusters.EMRFSiswellsuitedfortransientclusters,asthedatapersistsindependentofthelifetimeofthecluster.YoucanalsochoosetouseacombinationoflocalHDFSandEMRFStomeetyourworkloadneeds.

BecauseAmazonEMRisaninstanceofApacheHadoop,youcanusetheextensiveecosystemoftoolsthatworkontopofHadoop,suchasHive,Pig,andSpark.Manyofthesetoolsarenativelysupportedandcanbeincludedautomaticallywhenyoulaunchyourcluster,whileotherscanbeinstalledthroughbootstrapactions.

UseCasesAmazonEMRiswellsuitedforalargenumberofusecases,including,butnotlimitedto:

LogProcessingAmazonEMRcanbeusedtoprocesslogsgeneratedbywebandmobileapplications.AmazonEMRhelpscustomersturnpetabytesofunstructuredorsemi-structureddataintousefulinsightsabouttheirapplicationsorusers.

ClickstreamAnalysisAmazonEMRcanbeusedtoanalyzeclickstreamdatainordertosegmentusersandunderstanduserpreferences.Advertiserscanalsoanalyzeclickstreams

Page 346: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

andadvertisingimpressionlogstodelivermoreeffectiveads.

GenomicsandLifeSciencesAmazonEMRcanbeusedtoprocessvastamountsofgenomicdataandotherlargescientificdatasetsquicklyandefficiently.Processesthatrequireyearsofcomputecanbecompletedinadaywhenscaledacrosslargeclusters.

AWSDataPipelineAWSDataPipelineisawebservicethathelpsyoureliablyprocessandmovedatabetweendifferentAWScomputeandstorageservices,andalsoon-premisesdatasources,atspecifiedintervals.WithAWSDataPipeline,youcanregularlyaccessyourdatawhereit’sstored,transformandprocessitatscale,andefficientlytransfertheresultstoAWSservicessuchasAmazonS3,AmazonRelationalDatabaseService(AmazonRDS),AmazonDynamoDB,andAmazonEMR.

OverviewEverythinginAWSDataPipelinestartswiththepipelineitself.Apipelineschedulesandrunstasksaccordingtothepipelinedefinition.Theschedulingisflexibleandcanrunevery15minutes,everyday,everyweek,andsoforth.

Thepipelineinteractswithdatastoredindatanodes.Datanodesarelocationswherethepipelinereadsinputdataorwritesoutputdata,suchasAmazonS3,aMySQLdatabase,oranAmazonRedshiftcluster.DatanodescanbeonAWSoronyourpremises.

Thepipelinewillexecuteactivitiesthatrepresentcommonscenarios,suchasmovingdatafromonelocationtoanother,runningHivequeries,andsoforth.Activitiesmayrequireadditionalresourcestorun,suchasanAmazonEMRclusteroranAmazonEC2instance.Inthesesituations,AWSDataPipelinewillautomaticallylaunchtherequiredresourcesandtearthemdownwhentheactivityiscompleted.

Distributeddataflowsoftenhavedependencies;justbecauseanactivityisscheduledtorundoesnotmeanthatthereisdatawaitingtobeprocessed.Forsituationslikethis,AWSDataPipelinesupportspreconditions,whichareconditionalstatementsthatmustbetruebeforeanactivitycanrun.TheseincludescenariossuchaswhetheranAmazonS3keyispresent,whetheranAmazonDynamoDBtablecontainsanydata,andsoforth.

Ifanactivityfails,retryisautomatic.Theactivitywillcontinuetoretryuptothelimityouconfigure.Youcandefineactionstotakeintheeventwhentheactivityreachesthatlimitwithoutsucceeding.

UseCasesAWSDataPipelinecanbeusedforvirtuallyanybatchmodeETLprocess.AsimpleexampleisshowninFigure11.5.

Page 347: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

FIGURE11.5Examplepipeline

ThepipelineinFigure11.5isperformingthefollowingworkflow:

Everyhouranactivitybeginstoextractlogdatafromon-premisesstoragetoAmazonS3.Apreconditionchecksthatthereisdatatobetransferredbeforeactuallystartingtheactivity.

ThenextactivitylaunchesatransientAmazonEMRclusterthatusestheextracteddatasetasinput,validatesandtransformsit,andthenoutputsthedatatoanAmazonS3bucket.

ThefinalactivitymovesthetransformeddatafromAmazonS3toAmazonRedshiftviaanAmazonRedshiftCOPYcommand.

AWSDataPipelineisbestforregularbatchprocessesinsteadofforcontinuousdatastreams;useAmazonKinesisfordatastreams.

AWSImport/ExportOnekeychallengeofbigdataontheAWScloudisgettinghugedatasetstothecloudinthefirstplace,orretrievingthembacktoon-premiseswhennecessary.Regardlessofhowmuchbandwidthyouconfigureoutofyourdatacenter,therearetimeswhenthereismoredatatotransferthancanmoveovertheconnectioninareasonableperiodoftime.AWSImport/ExportisaservicethatacceleratestransferringlargeamountsofdataintoandoutofAWSusingphysicalstorageappliances,bypassingtheInternet.Thedataiscopiedtoadeviceatthesource(yourdatacenteroranAWSregion),shippedviastandardshippingmechanisms,andthencopiedtothedestination(yourdatacenteroranAWSregion).

OverviewAWSImport/ExporthastwofeaturesthatsupportshippingdataintoandoutofyourAWSinfrastructure:AWSImport/ExportSnowball(AWSSnowball)andAWSImport/ExportDisk.

AWSSnowballAWSSnowballusesAmazon-providedshippablestorageappliancesshipped

Page 348: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

throughUPS.EachAWSSnowballisprotectedbyAWSKMSandmadephysicallyruggedtosecureandprotectyourdatawhilethedeviceisintransit.Atthetimeofthiswriting,AWSSnowballscomeintwosizes:50TBand80TB,andtheavailabilityofeachvariesbyregion.

AWSSnowballprovidesthefollowingfeatures:

Youcanimportandexportdatabetweenyouron-premisesdatastoragelocationsandAmazonS3.

Encryptionisenforced,protectingyourdataatrestandinphysicaltransit.

Youdon’thavetobuyormaintainyourownhardwaredevices.

YoucanmanageyourjobsthroughtheAWSSnowballconsole.

TheAWSSnowballisitsownshippingcontainer,andtheshippinglabelisanEInkdisplaythatautomaticallyshowsthecorrectaddresswhentheAWSSnowballisreadytoship.YoucandropitoffwithUPS,noboxrequired.

WithAWSSnowball,youcanimportorexportterabytesorevenpetabytesofdata.

AWSImport/ExportDiskAWSImport/ExportDisksupportstransfersdatadirectlyontoandoffofstoragedevicesyouownusingtheAmazonhigh-speedinternalnetwork.

ImportantthingstounderstandaboutAWSImport/ExportDiskinclude:

YoucanimportyourdataintoAmazonGlacierandAmazonEBS,inadditiontoAmazonS3.

YoucanexportdatafromAmazonS3.

Encryptionisoptionalandnotenforced.

Youbuyandmaintainyourownhardwaredevices.

Youcan’tmanageyourjobsthroughtheAWSSnowballconsole.

UnlikeAWSSnowball,AWSImport/ExportDiskhasanupperlimitof16TB.

UseCasesAWSImport/ExportcanbeusedforjustaboutanysituationwhereyouhavemoredatatomovethanyoucangetthroughyourInternetconnectioninareasonabletime,including,butnotlimitedto:

StorageMigrationWhencompaniesshutdownadatacenter,theyoftenneedtomovemassiveamountsofstoragetoanotherlocation.AWSImport/Exportisasuitabletechnologyforthisrequirement.

MigratingApplicationsMigratinganapplicationtothecloudofteninvolvesmovinghugeamountsofdata.ThiscanbeacceleratedusingAWSImport/Export.

Page 349: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

DevOpsAsorganizationscreatedincreasinglycomplexsoftwareapplications,ITdevelopmentteamsevolvedtheirsoftwarecreationpracticesformoreflexibility,movingfromwaterfallmodelstoagileorleandevelopmentpractices.Thischangealsopropagatedtooperationsteams,whichblurredthelinesbetweentraditionaldevelopmentandoperationsteams.AWSprovidesaflexibleenvironmentthatfacilitatedthesuccessesoforganizationslikeNetflix,Airbnb,GeneralElectric,andmanyothersthatembracedDevOps.ThissectionreviewselementsofAWScloudservicesthatsupportDevOpspractices.

AWSOpsWorksAWSOpsWorksisaconfigurationmanagementservicethathelpsyouconfigureandoperateapplicationsusingChef.AWSOpsWorkswillworkwithapplicationsofanylevelofcomplexityandisindependentofanyparticulararchitecturalpattern.Youcandefineanapplication’sarchitectureandthespecificationofeachcomponent,includingpackageinstallation,softwareconfiguration,andresourcessuchasstorage.

AWSOpsWorkssupportsbothLinuxorWindowsservers,includingexistingAmazonEC2instancesorserversrunninginyourowndatacenter.Thisallowsorganizationstouseasingleconfigurationmanagementservicetodeployandoperateapplicationsacrosshybridarchitectures.

OverviewManysolutionsonAWSusuallyinvolvegroupsofresources,suchasAmazonEC2instancesandAmazonRDSinstances,whichmustbecreatedandmanagedcollectively.Forexample,thesearchitecturestypicallyrequireapplicationservers,databaseservers,loadbalancers,andsoon.Thisgroupofresourcesistypicallycalledastack.AsimpleapplicationserverstackmightbearrangedsomethinglikeinFigure11.6.

Page 350: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

FIGURE11.6Simpleapplicationserverstack

Inadditiontocreatingtheinstancesandinstallingthenecessarypackages,youtypicallyneedawaytodistributeapplicationstotheapplicationservers,monitorthestack’sperformance,managesecurityandpermissions,andsoon.AWSOpsWorksprovidesasimpleandflexiblewaytocreateandmanagestacksandapplications.Figure11.7depictshowasimpleapplicationserverstackmightlookwithAWSOpsWorks.Althoughrelativelysimple,thisstackshowsthekeyAWSOpsWorksfeatures.

Page 351: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

FIGURE11.7SimpleapplicationserverstackwithAWSOpsWorks

ThestackisthecoreAWSOpsWorkscomponent.ItisbasicallyacontainerforAWSresources—AmazonEC2instances,AmazonRDSdatabaseinstances,andsoon—thathaveacommonpurposeandmakesensetobelogicallymanagedtogether.Thestackhelpsyoumanagetheseresourcesasagroupanddefinessomedefaultconfigurationsettings,suchastheAmazonEC2instances’operatingsystemandAWSregion.Ifyouwanttoisolatesomestackcomponentsfromdirectuserinteraction,youcanrunthestackinanAmazonVirtualPrivateCloud(AmazonVPC).Eachstackletsyougrantuserspermissiontoaccessthestackandspecifywhatactionstheycantake.

YoucanuseAWSOpsWorksorIAMtomanageuserpermissions.Notethatthetwooptionsarenotmutuallyexclusive;itissometimesdesirabletouseboth.

Youdefinetheelementsofastackbyaddingoneormorelayers.Alayerrepresentsasetofresourcesthatserveaparticularpurpose,suchasloadbalancing,webapplications,orhostingadatabaseserver.YoucancustomizeorextendlayersbymodifyingthedefaultconfigurationsoraddingChefrecipestoperformtaskssuchasinstallingadditionalpackages.Layersgiveyoucompletecontroloverwhichpackagesareinstalled,howtheyareconfigured,howapplicationsaredeployed,andmore.

LayersdependonChefrecipestohandletaskssuchasinstallingpackagesoninstances,

Page 352: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

deployingapplications,andrunningscripts.OneofthekeyAWSOpsWorksfeaturesisasetoflifecycleeventsthatautomaticallyrunaspecifiedsetofrecipesattheappropriatetimeoneachinstance.

Aninstancerepresentsasinglecomputingresource,suchasanAmazonEC2instance.Itdefinestheresource’sbasicconfiguration,suchasoperatingsystemandsize.Otherconfigurationsettings,suchasElasticIPaddressesorAmazonEBSvolumes,aredefinedbytheinstance’slayers.Thelayer’srecipescompletetheconfigurationbyperformingtasks,suchasinstallingandconfiguringpackagesanddeployingapplications.

Youstoreapplicationsandrelatedfilesinarepository,suchasanAmazonS3bucketorGitrepo.Eachapplicationisrepresentedbyanapp,whichspecifiestheapplicationtypeandcontainstheinformationthatisneededtodeploytheapplicationfromtherepositorytoyourinstances,suchastherepositoryURLandpassword.Whenyoudeployanapp,AWSOpsWorkstriggersaDeployevent,whichrunstheDeployrecipesonthestack’sinstances.

Usingtheconceptsofstacks,layers,andapps,youcanmodelandvisualizeyourapplicationandresourcesinanorganizedfashion.

Finally,AWSOpsWorkssendsallofyourresourcemetricstoAmazonCloudWatch,makingiteasytoviewgraphsandsetalarmstohelpyoutroubleshootandtakeautomatedactionbasedonthestateofyourresources.AWSOpsWorksprovidesmanycustommetrics,suchasCPUidle,memorytotal,averageloadforoneminute,andmore.Eachinstanceinthestackhasdetailedmonitoringtoprovideinsightsintoyourworkload.

UseCasesAWSOpsWorkssupportsmanyDevOpsefforts,including,butnotlimitedto:

HostMulti-TierWebApplicationsAWSOpsWorksletsyoumodelandvisualizeyourapplicationwithlayersthatdefinehowtoconfigureasetofresourcesthataremanagedtogether.BecauseAWSOpsWorksusestheChefframework,youcanbringyourownrecipesorleveragehundredsofcommunity-builtconfigurations.

SupportContinuousIntegrationAWSOpsWorkssupportsDevOpsprinciples,suchascontinuousintegration.Everythinginyourenvironmentcanbeautomated.

AWSCloudFormationAWSCloudFormationisaservicethathelpsyoumodelandsetupyourAWSresourcessothatyoucanspendlesstimemanagingthoseresourcesandmoretimefocusingonyourapplicationsthatruninAWS.AWSCloudFormationallowsorganizationstodeploy,modify,andupdateresourcesinacontrolledandpredictableway,ineffectapplyingversioncontroltoAWSinfrastructurethesamewayonewoulddowithsoftware.

OverviewAWSCloudFormationgivesdevelopersandsystemsadministratorsaneasywaytocreateandmanageacollectionofrelatedAWSresources,provisioningandupdatingtheminanorderly

Page 353: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

andpredictablefashion.WhenyouuseAWSCloudFormation,youworkwithtemplatesandstacks.

YoucreateAWSCloudFormationtemplatestodefineyourAWSresourcesandtheirproperties.AtemplateisatextfilewhoseformatcomplieswiththeJSONstandard.AWSCloudFormationusesthesetemplatesasblueprintsforbuildingyourAWSresources.

WhenyouuseAWSCloudFormation,youcanreuseyourtemplatetosetupyourresourcesconsistentlyandrepeatedly.Justdescribeyourresourcesonce,andthenprovisionthesameresourcesoverandoverinmultipleregions.

WhenyouuseAWSCloudFormation,youmanagerelatedresourcesasasingleunitcalledastack.Youcreate,update,anddeleteacollectionofresourcesbycreating,updating,anddeletingstacks.Alloftheresourcesinastackaredefinedbythestack’sAWSCloudFormationtemplate.SupposeyoucreatedatemplatethatincludesanAutoScalinggroup,ElasticLoadBalancingloadbalancer,andanAmazonRDSdatabaseinstance.Tocreatethoseresources,youcreateastackbysubmittingyourtemplatethatdefinesthoseresources,andAWSCloudFormationhandlesalloftheprovisioningforyou.Afteralloftheresourceshavebeencreated,AWSCloudFormationreportsthatyourstackhasbeencreated.Youcanthenstartusingtheresourcesinyourstack.Ifstackcreationfails,AWSCloudFormationrollsbackyourchangesbydeletingtheresourcesthatitcreated.

Oftenyouwillneedtolaunchstacksfromthesametemplate,butwithminorvariations,suchaswithinadifferentAmazonVPCorusingAMIsfromadifferentregion.Thesevariationscanbeaddressedusingparameters.Youcanuseparameterstocustomizeaspectsofyourtemplateatruntime,whenthestackisbuilt.Forexample,youcanpasstheAmazonRDSdatabasesize,AmazonEC2instancetypes,database,andwebserverportnumberstoAWSCloudFormationwhenyoucreateastack.Byleveragingtemplateparameters,youcanuseasingletemplateformanyinfrastructuredeploymentswithdifferentconfigurationvalues.Forexample,yourAmazonEC2instancetypes,AmazonCloudWatchalarmthresholds,andAmazonRDSread-replicasettingsmaydifferamongAWSregionsifyoureceivemorecustomertrafficintheUnitedStatesthaninEurope.Youcanusetemplateparameterstotunethesettingsandthresholdsineachregionseparatelyandstillbesurethattheapplicationisdeployedconsistentlyacrosstheregions.

Figure11.8depictstheAWSCloudFormationworkflowforcreatingstacks.

Page 354: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

FIGURE11.8Creatingastackworkflow

Becauseenvironmentsaredynamicinnature,youinevitablywillneedtoupdateyourstack’sresourcesfromtimetotime.Thereisnoneedtocreateanewstackanddeletetheoldone;youcansimplymodifytheexistingstack’stemplate.Toupdateastack,createachangesetbysubmittingamodifiedversionoftheoriginalstacktemplate,differentinputparametervalues,orboth.AWSCloudFormationcomparesthemodifiedtemplatewiththeoriginaltemplateandgeneratesachangeset.Thechangesetliststheproposedchanges.Afterreviewingthechanges,youcanexecutethechangesettoupdateyourstack.Figure11.9depictstheworkflowforupdatingastack.

FIGURE11.9Updatingastackworkflow

Whenthetimecomesandyouneedtodeleteastack,AWSCloudFormationdeletesthestackandalloftheresourcesinthatstack.

Ifyouwanttodeleteastackbutstillretainsomeresourcesinthatstack,youcanuseadeletionpolicytoretainthoseresources.Ifaresourcehasnodeletionpolicy,AWSCloudFormationdeletestheresourcebydefault.

Page 355: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

Afteralloftheresourceshavebeendeleted,AWSCloudFormationsignalsthatyourstackhasbeensuccessfullydeleted.IfAWSCloudFormationcannotdeletearesource,thestackwillnotbedeleted.Anyresourcesthathaven’tbeendeletedwillremainuntilyoucansuccessfullydeletethestack.

UseCaseByallowingyoutoreplicateyourentireinfrastructurestackeasilyandquickly,AWSCloudFormationenablesavarietyofusecases,including,butnotlimitedto:

QuicklyLaunchNewTestEnvironmentsAWSCloudFormationletstestingteamsquicklycreateacleanenvironmenttoruntestswithoutdisturbingongoingeffortsinotherenvironments.

ReliablyReplicateConfigurationBetweenEnvironmentsBecauseAWSCloudFormationscriptstheentireenvironment,humanerroriseliminatedwhencreatingnewstacks.

LaunchApplicationsinNewAWSRegionsAsinglescriptcanbeusedacrossmultipleregionstolaunchstacksreliablyindifferentmarkets.

AWSElasticBeanstalkAWSElasticBeanstalkisthefastestandsimplestwaytogetanapplicationupandrunningonAWS.Developerscansimplyuploadtheirapplicationcode,andtheserviceautomaticallyhandlesallofthedetails,suchasresourceprovisioning,loadbalancing,AutoScaling,andmonitoring.

OverviewAWScomprisesdozensofbuildingblockservices,eachofwhichexposesanareaoffunctionality.WhilethevarietyofservicesoffersflexibilityforhoworganizationswanttomanagetheirAWSinfrastructure,itcanbechallengingtofigureoutwhichservicestouseandhowtoprovisionthem.WithAWSElasticBeanstalk,youcanquicklydeployandmanageapplicationsontheAWScloudwithoutworryingabouttheinfrastructurethatrunsthoseapplications.AWSElasticBeanstalkreducesmanagementcomplexitywithoutrestrictingchoiceorcontrol.

TherearekeycomponentsthatcompriseAWSElasticBeanstalkandworktogethertoprovidethenecessaryservicestodeployandmanageapplicationseasilyinthecloud.AnAWSElasticBeanstalkapplicationisthelogicalcollectionoftheseAWSElasticBeanstalkcomponents,whichincludesenvironments,versions,andenvironmentconfigurations.InAWSElasticBeanstalk,anapplicationisconceptuallysimilartoafolder.

Anapplicationversionreferstoaspecific,labelediterationofdeployablecodeforawebapplication.AnapplicationversionpointstoanAmazonS3objectthatcontainsthedeployablecode.Applicationscanhavemanyversionsandeachapplicationversionisunique.Inarunningenvironment,organizationscandeployanyapplicationversiontheyalreadyuploadedtotheapplication,ortheycanuploadandimmediatelydeployanewapplicationversion.Organizationsmightuploadmultipleapplicationversionstotestdifferencesbetweenoneversionoftheirwebapplicationandanother.

Page 356: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

AnenvironmentisanapplicationversionthatisdeployedontoAWSresources.Eachenvironmentrunsonlyasingleapplicationversionatatime;however,thesameversionordifferentversionscanruninasmanyenvironmentsatthesametimeasneeded.Whenanenvironmentiscreated,AWSElasticBeanstalkprovisionstheresourcesneededtoruntheapplicationversionthatisspecified.

Anenvironmentconfigurationidentifiesacollectionofparametersandsettingsthatdefinehowanenvironmentanditsassociatedresourcesbehave.Whenanenvironment’sconfigurationsettingsareupdated,AWSElasticBeanstalkautomaticallyappliesthechangestoexistingresourcesordeletesanddeploysnewresourcesdependingonthetypeofchange.

WhenanAWSElasticBeanstalkenvironmentislaunched,theenvironmenttier,platform,andenvironmenttypearespecified.TheenvironmenttierthatischosendetermineswhetherAWSElasticBeanstalkprovisionsresourcestosupportawebapplicationthathandlesHTTP(S)requestsoranapplicationthathandlesbackground-processingtasks.Anenvironmenttierwhosewebapplicationprocesseswebrequestsisknownasawebservertier.Anenvironmenttierwhoseapplicationrunsbackgroundjobsisknownasaworkertier.

Atthetimeofthiswriting,AWSElasticBeanstalkprovidesplatformsupportfortheprogramminglanguagesJava,Node.js,PHP,Python,Ruby,andGowithsupportforthewebcontainersTomcat,Passenger,Puma,andDocker.

UseCasesAcompanyprovidesawebsiteforprospectivehomebuyers,sellers,andrenterstobrowsehomeandapartmentlistingsformorethan110millionhomes.Thewebsiteprocessesmorethanthreemillionnewimagesdaily.Itreceivesmorethan17,000imagerequestspersecondonitswebsiteduringpeaktrafficfrombothdesktopandmobileclients.

Thecompanywaslookingforwaystobemoreagilewithdeploymentsandempoweritsdeveloperstofocusmoreonwritingcodeinsteadofspendingtimemanagingandconfiguringservers,databases,loadbalancers,firewalls,andnetworks.ItbeganusingAWSElasticBeanstalkastheservicefordeployingandscalingthewebapplicationsandservices.DeveloperswereempoweredtouploadcodetoAWSElasticBeanstalk,whichthenautomaticallyhandledthedeployment,fromcapacityprovisioning,loadbalancing,andAutoScaling,toapplicationhealthmonitoring.

Becausethecompanyingestsdatainahaphazardway,runningfeedsthatdumpatonofworkintotheimageprocessingsystemallatonce,itneedstoscaleupitsimageconverterfleettomeetpeakdemand.ThecompanydeterminedthatanAWSElasticBeanstalkworkerfleettorunaPythonImagingLibrarywithcustomcodewasthesimplestwaytomeettherequirement.Thiseliminatedtheneedtohaveanumberofstaticinstancesor,worse,tryingtowritetheirownAutoScalingconfiguration.

BymakingthemovetoAWSElasticBeanstalk,thecompanywasabletoreduceoperatingcostswhileincreasingagilityandscalabilityforitsimageprocessinganddeliverysystem.

KeyFeaturesAWSElasticBeanstalkprovidesseveralmanagementfeaturesthateasedeploymentandmanagementofapplicationsonAWS.Organizationshaveaccesstobuilt-inAmazonCloudWatchmonitoringmetricssuchasaverageCPUutilization,requestcount,andaverage

Page 357: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

latency.TheycanreceiveemailnotificationsthroughAmazonSNSwhenapplicationhealthchangesorapplicationserversareaddedorremoved.Serverlogsfortheapplicationserverscanbeaccessedwithoutneedingtologin.OrganizationscanevenelecttohaveupdatesappliedautomaticallytotheunderlyingplatformrunningtheapplicationsuchastheAMI,operatingsystem,languageandframework,andapplicationorproxyserver.

Additionally,developersretainfullcontrolovertheAWSresourcespoweringtheirapplicationandcanperformavarietyoffunctionsbysimplyadjustingtheconfigurationsettings.Theseincludesettingssuchas:

SelectingthemostappropriateAmazonEC2instancetypethatmatchestheCPUandmemoryrequirementsoftheirapplication

ChoosingtherightdatabaseandstorageoptionssuchasAmazonRDS,AmazonDynamoDB,MicrosoftSQLServer,andOracle

EnablingloginaccesstoAmazonEC2instancesforimmediateanddirecttroubleshooting

EnhancingapplicationsecuritybyenablingHTTPSprotocolontheloadbalancer

Adjustingapplicationserversettings(forexample,JVMsettings)andpassingenvironmentvariables

AdjustAutoScalingsettingstocontrolthemetricsandthresholdsusedtodeterminewhentoaddorremoveinstancesfromanenvironment

WithAWSElasticBeanstalk,organizationscandeployanapplicationquicklywhileretainingasmuchcontrolastheywanttohaveovertheunderlyinginfrastructure.

AWSTrustedAdvisorAWSTrustedAdvisordrawsuponbestpracticeslearnedfromtheaggregatedoperationalhistoryofservingoveramillionAWScustomers.AWSTrustedAdvisorinspectsyourAWSenvironmentandmakesrecommendationswhenopportunitiesexisttosavemoney,improvesystemavailabilityandperformance,orhelpclosesecuritygaps.YoucanviewtheoverallstatusofyourAWSresourcesandsavingsestimationsontheAWSTrustedAdvisordashboard.

AWSTrustedAdvisorisaccessedintheAWSManagementConsole.Additionally,programmaticaccesstoAWSTrustedAdvisorisavailablewiththeAWSSupportAPI.

AWSTrustedAdvisorprovidesbestpracticesinfourcategories:costoptimization,security,faulttolerance,andperformanceimprovement.Thestatusofthecheckisshownbyusingcolorcodingonthedashboardpage,asdepictedinFigure11.10.

Page 358: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

FIGURE11.10AWSTrustedAdvisorConsoledashboard

Thecolorcodingreflectsthefollowinginformation:

Red:Actionrecommended

Yellow:Investigationrecommended

Green:Noproblemdetected

Foreachcheck,youcanreviewadetaileddescriptionoftherecommendedbestpractice,asetofalertcriteria,guidelinesforaction,andalistofusefulresourcesonthetopic.

AllAWScustomershaveaccesstofourAWSTrustedAdvisorchecksatnocost.ThefourstandardAWSTrustedAdvisorchecksare:

ServiceLimitsChecksforusagethatismorethan80percentoftheservicelimit.Thesevaluesarebasedonasnapshot,socurrentusagemightdifferandcantakeupto24hourstoreflectchanges.

SecurityGroups–SpecificPortsUnrestrictedCheckssecuritygroupsforrulesthatallowunrestrictedaccess(0.0.0.0/0)tospecificports

IAMUseChecksforyouruseofAWSIAM

MFAonRootAccountCheckstherootaccountandwarnsifMFAisnotenabled

CustomerswithaBusinessorEnterpriseAWSSupportplancanviewallAWSTrustedAdvisorchecks—over50checks.

TheremaybeoccasionswhenaparticularcheckisnotrelevanttosomeresourcesinyourAWSenvironment.Youhavetheabilitytoexcludeitemsfromacheckandoptionallyrestorethemlateratanytime.AWSTrustedAdvisoractslikeacustomizedcloudexpert,andithelpsorganizationsprovisiontheirresourcesbyfollowingbestpracticeswhileidentifyinginefficiencies,waste,potentialcostsavings,andsecurityissues.

Page 359: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

AWSConfigAWSConfigisafullymanagedservicethatprovidesyouwithanAWSresourceinventory,configurationhistory,andconfigurationchangenotificationstoenablesecurityandgovernance.WithAWSConfig,youcandiscoverexistinganddeletedAWSresources,determineyouroverallcomplianceagainstrules,anddiveintoconfigurationdetailsofaresourceatanypointintime.Thesecapabilitiesenablecomplianceauditing,securityanalysis,resourcechangetracking,andtroubleshooting.

OverviewAWSConfigprovidesadetailedviewoftheconfigurationofAWSresourcesinyourAWSaccount.Thisincludeshowtheresourcesarerelatedandhowtheywereconfiguredinthepastsothatyoucanseehowtheconfigurationsandrelationshipschangeovertime.AWSConfigdefinesaresourceasanentityyoucanworkwithinAWS,suchasanAmazonEC2instance,anAmazonEBSvolume,asecuritygroup,oranAmazonVPC.

WhenyouturnonAWSConfig,itfirstdiscoversthesupportedAWSresourcesthatexistinyouraccountandgeneratesaconfigurationitemforeachresource.Aconfigurationitemrepresentsapoint-in-timeviewofthevariousattributesofasupportedAWSresourcethatexistsinyouraccount.Thecomponentsofaconfigurationitemincludemetadata,attributes,relationships,currentconfiguration,andrelatedevents.

AWSConfigwillgenerateconfigurationitemswhentheconfigurationofaresourcechanges,anditmaintainshistoricalrecordsoftheconfigurationitemsofyourresourcesfromthetimeyoustarttheconfigurationrecorder.Theconfigurationrecorderstorestheconfigurationsofthesupportedresourcesinyouraccountasconfigurationitems.Bydefault,AWSConfigcreatesconfigurationitemsforeverysupportedresourceintheregion.Ifyoudon’twantAWSConfigtocreateconfigurationitemsforallsupportedresources,youcanspecifytheresourcetypesthatyouwantittotrack.

Organizationsoftenneedtoassesstheoverallcomplianceandriskstatusfromaconfigurationperspective,viewcompliancetrendsovertime,andpinpointwhichconfigurationchangecausedaresourcetodriftoutofcompliance.AnAWSConfigRulerepresentsdesiredconfigurationsettingsforspecificAWSresourcesorforanentireAWSaccount.WhileAWSConfigcontinuouslytracksyourresourceconfigurationchanges,itcheckswhetherthesechangesviolateanyoftheconditionsinyourrules.Ifaresourceviolatesarule,AWSConfigflagstheresourceandtheruleasnoncompliantandnotifiesyouthroughAmazonSNS.

AWSConfigmakesiteasytotrackresourceconfigurationwithouttheneedforup-frontinvestmentsandwhileavoidingthecomplexityofinstallingandupdatingagentsfordatacollectionormaintaininglargedatabases.OnceAWSConfigisenabled,organizationscanviewcontinuouslyupdateddetailsofallconfigurationattributesassociatedwithAWSresources.

UseCasesSomeoftheinfrastructuremanagementtasksAWSConfigenablesinclude:

DiscoveryAWSConfigwilldiscoverresourcesthatexistinyouraccount,recordtheir

Page 360: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

currentconfiguration,andcaptureanychangestotheseconfigurations.AWSConfigwillalsoretainconfigurationdetailsforresourcesthathavebeendeleted.Acomprehensivesnapshotofallresourcesandtheirconfigurationattributesprovidesacompleteinventoryofresourcesinyouraccount.

ChangeManagementWhenyourresourcesarecreated,updated,ordeleted,AWSConfigstreamstheseconfigurationchangestoAmazonSNSsothatyouarenotifiedofallconfigurationchanges.AWSConfigrepresentsrelationshipsbetweenresources,soyoucanassesshowachangetooneresourcemayaffectotherresources.

ContinuousAuditandComplianceAWSConfigandAWSConfigRulesaredesignedtohelpyouassesscompliancewithinternalpoliciesandregulatorystandardsbyprovidingvisibilityintotheconfigurationofaresourceatanytimeandevaluatingrelevantconfigurationchangesagainstrulesthatyoucandefine.

TroubleshootingUsingAWSConfig,youcanquicklytroubleshootoperationalissuesbyidentifyingtherecentconfigurationchangestoyourresources.

SecurityandIncidentAnalysisProperlyconfiguredresourcesimproveyoursecurityposture.DatafromAWSConfigenablesyoutomonitortheconfigurationsofyourresourcescontinuouslyandevaluatetheseconfigurationsforpotentialsecurityweaknesses.Afterapotentialsecurityevent,AWSConfigenablesyoutoexaminetheconfigurationofyourresourcesatanysinglepointinthepast.

KeyFeaturesInthepast,organizationsneededtopollresourceAPIsandmaintaintheirownexternaldatabaseforchangemanagement.AWSConfigresolvesthispreviousneedandautomaticallyrecordsresourceconfigurationinformationandwillevaluateanyrulesthataretriggeredbyachange.Theconfigurationoftheresourceanditsoverallcomplianceagainstrulesarepresentedinadashboard.

AWSConfigintegrateswithAWSCloudTrail,aservicethatrecordsAWSAPIcallsforanaccountanddeliversAPIusagelogfilestoanAmazonS3bucket.IftheconfigurationchangeofaresourcewastheresultofanAPIcall,AWSConfigalsorecordstheAWSCloudTraileventIDthatcorrespondstotheAPIcallthatchangedtheresource’sconfiguration.OrganizationscanthenleveragetheAWSCloudTraillogstoobtaindetailsoftheAPIcallthatwasmade—includingwhomadetheAPIcall,atwhattime,andfromwhichIPaddress—tousefortroubleshootingpurposes.

WhenaconfigurationchangeismadetoaresourceorwhenthecomplianceofanAWSConfigrulechanges,anotificationmessageisdeliveredthatcontainstheupdatedconfigurationoftheresourceorcompliancestateoftheruleandkeyinformationsuchastheoldandnewvaluesforeachchangedattribute.Additionally,AWSConfigsendsnotificationswhenaConfigurationHistoryfileisdeliveredtoAmazonS3andwhenthecustomerinitiatesaConfigurationSnapshot.ThesemessagesareallstreamedtoanAmazonSNStopicthatyouspecify.

OrganizationscanusetheAWSManagementConsole,API,orAWSCLItoobtaindetailsofwhataresource’sconfigurationlookedlikeatanypointinthepast.AWSConfigwillalsoautomaticallydeliverahistoryfiletotheAmazonS3bucketyouspecifyeverysixhoursthat

Page 361: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

containsallchangestoyourresourceconfigurations.

Page 362: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

SummaryInthischapter,youlearnedaboutadditionalkeyAWScloudservices,manyofwhichwillbecoveredonyourAWSCertifiedSolutionsArchitect–Associateexam.Theseservicesaregroupedintofourcategoriesofservices:storageandcontentdelivery,security,analytics,andDevOps.

Inthestorageandcontentdeliverygroup,wecoveredAmazonCloudFrontandAWSStorageGateway.AmazonCloudFrontisaglobalCDNservice.ItintegrateswithotherAWSproductstogivedevelopersandbusinessesaneasywaytodistributecontenttoenduserswithlowlatency,highdatatransferspeeds,andnominimumusagecommitments.AWSStorageGatewayisaservicethatconnectsanon-premisessoftwareappliancewithcloud-basedstorage.Itprovidesseamlessandsecureintegrationbetweenanorganization’son-premisesITenvironmentandAWSstorageinfrastructure.TheAWSStorageGatewayappliancemaintainsfrequentlyaccesseddataon-premiseswhileencryptingandstoringallofyourdatainAmazonS3orAmazonGlacier.

TheserviceswecoveredinsecurityfocusedonIdentityManagement(AWSDirectoryService),KeyManagement(AWSKMSAWSCloudHSM),andAudit(AWSCloudTrail).AWSDirectoryServiceisamanagedserviceoffering,providingdirectoriesthatcontaininformationaboutyourorganization,includingusers,groups,computers,andotherresources.AWSDirectoryServiceisofferedinthreetypes:AWSDirectoryServiceforMicrosoftActiveDirectory(EnterpriseEdition),SimpleAD,andADConnector.

Keymanagementisthemanagementofcryptographickeyswithinacryptosystem.Thisincludesdealingwiththegeneration,exchange,storage,use,andreplacementofkeys.AWSKMSisamanagedservicethatmakesiteasyforyoutocreateandcontroltheencryptionkeysusedtoencryptyourdata.AWSKMSletsyoucreatekeysthatcanneverbeexportedfromtheserviceandthatcanbeusedtoencryptanddecryptdatabasedonpoliciesyoudefine.AWSCloudHSMhelpsyoumeetcorporate,contractual,andregulatorycompliancerequirementsfordatasecuritybyusingdedicatedHSMapplianceswithintheAWScloud.AnHSMisahardwareappliancethatprovidessecurekeystorageandcryptographicoperationswithinatamper-resistanthardwaremodule.

RoundingoutthesecurityservicesisAWSCloudTrail.AWSCloudTrailprovidesvisibilityintouseractivitybyrecordingAPIcallsmadeonyouraccount.AWSCloudTrailrecordsimportantinformationabouteachAPIcall,includingthenameoftheAPI,theidentityofthecaller,thetimeoftheAPIcall,therequestparameters,andtheresponseelementsreturnedbytheAWSservice.ThisinformationhelpsyoutotrackchangesmadetoyourAWSresourcesandtotroubleshootoperationalissues.

Theanalyticsservicescoveredhelpyouovercometheuniquelistofchallengesassociatedwithbigdataintoday’sITworld.AmazonKinesisisaplatformforhandlingmassivestreamingdataonAWS,offeringpowerfulservicestomakeiteasytoloadandanalyzestreamingdataandalsoprovidingtheabilityforyoutobuildcustomstreamingdataapplicationsforspecializedneeds.AmazonEMRprovidesyouwithafullymanaged,on-demandHadoopframework.Thereductionofcomplexityandup-frontcostscombinedwiththescaleofAWSmeansyoucaninstantlyspinuplargeHadoopclustersandstartprocessing

Page 363: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

withinminutes.

Tosupplementthebigdatachallenges,orchestratingdatamovementcomeswithitsownchallenges.AWSDataPipelineisawebservicethathelpsyoureliablyprocessandmovedatabetweendifferentAWScomputeandstorageservices,andalsoon-premisesdatasources,atspecifiedintervals.WithAWSDataPipeline,youcanregularlyaccessyourdatawhereit’sstored,transformandprocessitatscale,andefficientlytransfertheresultstoAWSservicessuchasAmazonS3,AmazonRDS,AmazonDynamoDB,andAmazonEMR.Additionally,AWSImport/Exporthelpswhenyou’refacedwiththechallengeofgettinghugedatasetsintoAWSinthefirstplaceorretrievingthembacktoon-premiseswhennecessary.AWSImport/ExportisaservicethatacceleratestransferringlargeamountsofdataintoandoutofAWSusingphysicalstorageappliances,bypassingtheInternet.Thedataiscopiedtoadeviceatthesource,shippedviastandardshippingmechanisms,andthencopiedtothedestination.

AWScontinuestoevolveservicesinsupportoforganizationsembracingDevOps.ServicessuchasAWSOpsWorks,AWSCloudFormation,AWSElasticBeanstalk,andAWSConfigareleadingthewayforDevOpsonAWS.AWSOpsWorksprovidesaconfigurationmanagementservicethathelpsyouconfigureandoperateapplicationsusingChef.AWSOpsWorksworkswithapplicationsofanylevelofcomplexityandisindependentofanyparticulararchitecturalpattern.AWSCloudFormationallowsorganizationstodeploy,modify,andupdateresourcesinacontrolledandpredictableway,ineffectapplyingversioncontroltoAWSinfrastructurethesamewayonewoulddowithsoftware.AWSElasticBeanstalkallowsdeveloperstosimplyuploadtheirapplicationcode,andtheserviceautomaticallyhandlesallofthedetailssuchasresourceprovisioning,loadbalancing,AutoScaling,andmonitoring.AWSConfigdeliversafullymanagedservicethatprovidesyouwithanAWSresourceinventory,configurationhistory,andconfigurationchangenotificationstoenablesecurityandgovernance.WithAWSConfig,organizationshavetheinformationnecessaryforcomplianceauditing,securityanalysis,resourcechangetracking,andtroubleshooting.

Thekeyadditionalservicescoveredinthischapterwillhelpyouformaknowledgebasetounderstandthenecessitiesfortheexam.AsyoucontinuetogrowasaSolutionsArchitect,divingdeeperintotheAWScloudservicesasawholewillexpandyourabilitytodefinewellarchitectedsolutionsacrossawidevarietyofbusinessverticalsandusecases.

Page 364: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

ExamEssentialsKnowthebasicusecasesforamazonCloudFront.KnowwhentouseAmazonCloudFront(forpopularstaticanddynamiccontentwithgeographicallydistributedusers)andwhennotto(allusersatasinglelocationorconnectingthroughacorporateVPN).

KnowhowamazonCloudFrontworks.AmazonCloudFrontoptimizesdownloadsbyusinggeolocationtoidentifythegeographicallocationofusers,thenservingandcachingcontentattheedgelocationclosesttoeachusertomaximizeperformance.

KnowhowtocreateanamazonCloudFrontdistributionandwhattypesoforiginsaresupported.Tocreateadistribution,youspecifyanoriginandthetypeofdistribution,andAmazonCloudFrontcreatesanewdomainnameforthedistribution.OriginssupportedincludeAmazonS3bucketsorstaticAmazonS3websitesandHTTPserverslocatedinAmazonEC2orinyourowndatacenter.

KnowhowtouseamazonCloudFrontfordynamiccontentandmultipleorigins.Understandhowtospecifymultipleoriginsfordifferenttypesofcontentandhowtousecachebehaviorsandpathstringstocontrolwhatcontentisservedbywhichorigin.

KnowwhatmechanismsareavailabletoserveprivatecontentthroughamazonCloudFront.AmazonCloudFrontcanserveprivatecontentusingAmazonS3OriginAccessIdentifiers,signedURLs,andsignedcookies.

KnowthethreeconfigurationsofAWSstoragegatewayandtheirusecases.Gateway-Cachedvolumesexpandyouron-premisesstorageintoAmazonS3andcachefrequentlyusedfileslocally.Gateway-StoredvalueskeepallyourdataavailablelocallyatalltimesandalsoreplicateitasynchronouslytoAmazonS3.Gateway-VTLenablesyoutokeepyourcurrentbackuptapesoftwareandprocesseswhileeliminatingphysicaltapesbystoringyourdatainthecloud.

UnderstandthevalueofAWSDirectoryService.AWSDirectoryServiceisdesignedtoreduceidentitymanagementtasks,therebyallowingyoutofocusmoreofyourtimeandresourcesonyourbusiness.

KnowtheAWSDirectoryServiceDirectorytypes.AWSDirectoryServiceoffersthreedirectorytypes:

AWSDirectoryServiceforMicrosoftActiveDirectory(EnterpriseEdition),alsoreferredtoasMicrosoftAD

SimpleAD

ADConnector

KnowwhenyoushoulduseAWSDirectoryServiceforMicrosoftActiveDirectory.YoushoulduseMicrosoftActiveDirectoryifyouhavemorethan5,000usersorneedatrustrelationshipsetupbetweenanAWShosteddirectoryandyouron-premisesdirectories.

Understandkeymanagement.Keymanagementisthemanagementofcryptographickeyswithinacryptosystem.Thisincludesdealingwiththegeneration,exchange,storage,use,

Page 365: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

andreplacementofkeys.

UnderstandwhenyoushoulduseAWSKMS.AWSKMSisamanagedservicethatmakesiteasyforyoutocreateandcontrolthesymmetricencryptionkeysusedtoencryptyourdata.AWSKMSletsyoucreatekeysthatcanneverbeexportedfromtheserviceandwhichcanbeusedtoencryptanddecryptdatabasedonpoliciesyoudefine.

UnderstandwhenyoushoulduseAWSCloudHSM.AWSCloudHSMhelpsyoumeetcorporate,contractual,andregulatorycompliancerequirementsfordatasecuritybyusingdedicatedhardwaresecuritymoduleapplianceswithintheAWScloud.

UnderstandthevalueofAWSCloudTrail.AWSCloudTrailprovidesvisibilityintouseractivitybyrecordingAPIcallsmadeonyouraccount.ThishelpsyoutotrackchangesmadetoyourAWSresourcesandtotroubleshootoperationalissues.AWSCloudTrailmakesiteasiertoensurecompliancewithinternalpoliciesandregulatorystandards.

KnowthethreeservicesofAmazonkinesisandtheirusecases.AmazonKinesisFirehoseallowsyoutoloadmassivevolumesofstreamingdataintoAWS.AmazonKinesisAnalyticsenablesyoutoeasilyanalyzestreamingdatarealtimewithstandardSQL.AmazonKinesisStreamsenablesyoutobuildcustomapplicationsthatprocessoranalyzestreamingdatarealtimeforspecializedneeds.

KnowwhatserviceAmazonEMRprovides.AmazonEMRprovidesamanagedHadoopserviceonAWSthatallowsyoutospinuplargeHadoopclustersinminutes.

Knowthedifferencebetweenpersistentandtransientclusters.Persistentclustersruncontinuously,sotheydonotlosedatastoredoninstance-basedHDFS.Transientclustersarelaunchedforaspecifictask,thenterminated,sotheyaccessdataonAmazonS3viaEMRFS.

KnowtheusecasesforAmazonEMR.AmazonEMRisusefulforbigdataanalyticsinvirtuallyanyindustry,including,butnotlimitedto,logprocessing,clickstreamanalysis,andgenomicsandlifesciences.

KnowtheusecasesforAWSdatapipeline.AWSDataPipelinecanmanagebatchETLprocessesatscaleonthecloud,accessingdatabothinAWSandon-premises.ItcantakeadvantageofAWScloudservicesbyspinningupresourcesrequiredfortheprocess,suchasAmazonEC2instancesorAmazonEMRclusters.

KnowthetypesofAWSimport/exportservicesandthepossiblesources/destinationsofeach.AWSSnowballisAmazonshippableappliancessuppliedreadytoship.Itcantransferdatatoandfromyouron-premisesstorageandtoandfromAmazonS3.AWSImport/ExportDiskusesyourstoragedevicesand,inadditiontotransferringdatainandoutofyouron-premisesstorage,canimportdatatoAmazonS3,AmazonEBS,andAmazonS3;itcanonlyexportdatafromAmazonS3.

UnderstandthebasicsofAWSopsworks.AWSOpsWorksisaconfigurationmanagementservicethathelpsyouconfigureandoperateapplicationsofallshapesandsizesusingChef.Youcandefineanapplication’sarchitectureandthespecificationofeachcomponentincludingpackageinstallation,softwareconfiguration,andresourcessuchasstorage.

UnderstandthevalueofAWScloudformation.AWSCloudFormationisaservicethat

Page 366: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

helpsyoumodelandsetupyourAWSresources.AWSCloudFormationallowsorganizationstodeploy,modify,andupdateresourcesinacontrolledandpredictableway,ineffectapplyingversioncontroltoAWSinfrastructurethesamewayyouwoulddowithsoftware.

UnderstandthevalueofAWSelasticbeanstalk.AWSElasticBeanstalkisthefastestandsimplestwaytogetanapplicationupandrunningonAWS.Developerscansimplyuploadtheirapplicationcode,andtheserviceautomaticallyhandlesallthedetailssuchasresourceprovisioning,loadbalancing,AutoScaling,andmonitoring.

UnderstandthecomponentsofAWSelasticbeanstalk.AnAWSElasticBeanstalkapplicationisthelogicalcollectionofenvironments,versions,andenvironmentconfigurations.InAWSElasticBeanstalk,anapplicationisconceptuallysimilartoafolder.

UnderstandthevalueofAWSconfig.AWSConfigisafullymanagedservicethatprovidesorganizationswithanAWSresourceinventory,configurationhistory,andconfigurationchangenotificationstoenablesecurityandgovernance.WithAWSConfig,organizationscandiscoverexistinganddeletedAWSresources,determinetheiroverallcomplianceagainstrulesanddiveintoconfigurationdetailsofaresourceatanypointintime.Thesecapabilitiesenablecomplianceauditing,securityanalysis,resourcechangetracking,andtroubleshooting.

Page 367: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

ReviewQuestions1. WhatoriginserversaresupportedbyAmazonCloudFront?(Choose3answers)

A. AnAmazonRoute53HostedZone

B. AnAmazonSimpleStorageService(AmazonS3)bucket

C. AnHTTPserverrunningonAmazonElasticComputeCloud(AmazonEC2)

D. AnAmazonEC2AutoScalingGroup

E. AnHTTPserverrunningon-premises

2. WhichofthefollowingaregoodusecasesforAmazonCloudFront?(Choose2answers)

A. Apopularsoftwaredownloadsitethatsupportsusersaroundtheworld,withdynamiccontentthatchangesrapidly

B. Acorporatewebsitethatservestrainingvideostoemployees.Mostemployeesarelocatedintwocorporatecampusesinthesamecity.

C. Aheavilyusedvideoandmusicstreamingservicethatrequirescontenttobedeliveredonlytopaidsubscribers

D. AcorporateHRwebsitethatsupportsaglobalworkforce.Becausethesitecontainssensitivedata,allusersmustconnectthroughacorporateVirtualPrivateNetwork(VPN).

3. YouhaveawebapplicationthatcontainsbothstaticcontentinanAmazonSimpleStorageService(AmazonS3)bucket—primarilyimagesandCSSfiles—andalsodynamiccontentcurrentlyservedbyaPHPwebapprunningonAmazonElasticComputeCloud(AmazonEC2).WhatfeaturesofAmazonCloudFrontcanbeusedtosupportthisapplicationwithasingleAmazonCloudFrontdistribution?

4. (Choose2answers)

A. MultipleOriginAccessIdentifiers

B. MultiplesignedURLs

C. Multipleorigins

D. Multipleedgelocations

E. Multiplecachebehaviors

5. Youarebuildingamedia-sharingwebapplicationthatservesvideofilestoendusersonbothPCsandmobiledevices.ThemediafilesarestoredasobjectsinanAmazonSimpleStorageService(AmazonS3)bucket,butaretobedeliveredthroughAmazonCloudFront.WhatisthesimplestwaytoensurethatonlyAmazonCloudFronthasaccesstotheobjectsintheAmazonS3bucket?

A. CreateSignedURLsforeachAmazonS3object.

B. UseanAmazonCloudFrontOriginAccessIdentifier(OAI).

Page 368: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

C. Usepublicandprivatekeyswithsignedcookies.

D. UseanAWSIdentityandAccessManagement(IAM)bucketpolicy.

6. Yourcompanydatacenteriscompletelyfull,butthesalesgrouphasdeterminedaneedtostore200TBofproductvideo.Thevideoswerecreatedoverthelastseveralyears,withthemostrecentbeingaccessedbysalesthemostoften.Thedatamustbeaccessedlocally,butthereisnospaceinthedatacentertoinstalllocalstoragedevicestostorethisdata.WhatAWScloudservicewillmeetsales’requirements?

A. AWSStorageGatewayGateway-Storedvolumes

B. AmazonElasticComputeCloud(AmazonEC2)instanceswithattachedAmazonEBSVolumes

C. AWSStorageGatewayGateway-Cachedvolumes

D. AWSImport/ExportDisk

7. YourcompanywantstoextendtheirexistingMicrosoftActiveDirectorycapabilityintoanAmazonVirtualPrivateCloud(AmazonVPC)withoutestablishingatrustrelationshipwiththeexistingon-premisesActiveDirectory.Whichofthefollowingisthebestapproachtoachievethisgoal?

A. CreateandconnectanAWSDirectoryServiceADConnector.

B. CreateandconnectanAWSDirectoryServiceSimpleAD.

C. CreateandconnectanAWSDirectoryServiceforMicrosoftActiveDirectory(EnterpriseEdition).

D. Noneoftheabove

8. WhichofthefollowingareAWSKeyManagementService(AWSKMS)keysthatwillneverexitAWSunencrypted?

A. AWSKMSdatakeys

B. Envelopeencryptionkeys

C. AWSKMSCustomerMasterKeys(CMKs)

D. AandC

9. WhichcryptographicmethodisusedbyAWSKeyManagementService(AWSKMS)toencryptdata?

A. Password-basedencryption

B. Asymmetric

C. Sharedsecret

D. Envelopeencryption

10. WhichAWSservicerecordsApplicationProgramInterface(API)callsmadeonyouraccountanddeliverslogfilestoyourAmazonSimpleStorageService(AmazonS3)bucket?

A. AWSCloudTrail

Page 369: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

B. AmazonCloudWatch

C. AmazonKinesis

D. AWSDataPipeline

11. YouaretryingtodecryptciphertextwithAWSKMSandthedecryptionoperationisfailing.Whichofthefollowingarepossiblecauses?(Choose2answers)

A. Theprivatekeydoesnotmatchthepublickeyintheciphertext.

B. Theplaintextwasencryptedalongwithanencryptioncontext,andyouarenotprovidingtheidenticalencryptioncontextwhencallingtheDecryptAPI.

C. Theciphertextyouaretryingtodecryptisnotvalid.

D. YouarenotprovidingthecorrectsymmetrickeytotheDecryptAPI.

12. Yourcompanyhas30yearsoffinancialrecordsthattakeup15TBofon-premisesstorage.Itisregulatedthatyoumaintaintheserecords,butintheyearyouhaveworkedforthecompanynoonehaseverrequestedanyofthisdata.GiventhatthecompanydatacenterisalreadyfillingthebandwidthofitsInternetconnection,whatisanalternativewaytostorethedataonthemostappropriatecloudstorage?

A. AWSImport/ExporttoAmazonSimpleStorageService(AmazonS3)

B. AWSImport/ExporttoAmazonGlacier

C. AmazonKinesis

D. AmazonElasticMapReduce(AWSEMR)

13. Yourcompanycollectsinformationfromthepointofsaleregistersatallofitsfranchiselocations.Eachmonththeseprocessescollect200TBofinformationstoredinAmazonSimpleStorageService(AmazonS3).Analyticsjobstaking24hoursareperformedtogatherknowledgefromthisdata.Whichofthefollowingwillallowyoutoperformtheseanalyticsinacost-effectiveway?

A. CopythedatatoapersistentAmazonElasticMapReduce(AmazonEMR)cluster,andruntheMapReducejobs.

B. CreateanapplicationthatreadstheinformationoftheAmazonS3bucketandrunsitthroughanAmazonKinesisstream.

C. RunatransientAmazonEMRcluster,andruntheMapReducejobsagainstthedatadirectlyinAmazonS3.

D. Launchad2.8xlarge(32vCPU,244GBRAM)AmazonElasticComputeCloud(AmazonEC2)instance,andrunanapplicationtoreadandprocesseachobjectsequentially.

14. Whichserviceallowsyoutoprocessnearlylimitlessstreamsofdatainflight?

A. AmazonKinesisFirehose

B. AmazonElasticMapReduce(AmazonEMR)

C. AmazonRedshift

Page 370: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

D. AmazonKinesisStreams

15. Whatcombinationofservicesenableyoutocopydaily50TBofdatatoAmazonstorage,processthedatainHadoop,andstoretheresultsinalargedatawarehouse?

A. AmazonKinesis,AmazonDataPipeline,AmazonElasticMapReduce(AmazonEMR),andAmazonElasticComputeCloud(AmazonEC2)

B. AmazonElasticBlockStore(AmazonEBS),AmazonDataPipeline,AmazonEMR,andAmazonRedshift

C. AmazonSimpleStorageService(AmazonS3),AmazonDataPipeline,AmazonEMR,andAmazonRedshift

D. AmazonS3,AmazonSimpleWorkflow,AmazonEMR,andAmazonDynamoDB

16. Yourcompanyhas50,000weatherstationsaroundthecountrythatsendupdatesevery2seconds.WhatservicewillenableyoutoingestthisstreamofdataandstoreittoAmazonSimpleStorageService(AmazonS3)forfutureprocessing?

A. AmazonSimpleQueueService(AmazonSQS)

B. AmazonKinesisFirehose

C. AmazonElasticComputeCloud(AmazonEC2)

D. AmazonDataPipeline

17. YourorganizationusesChefheavilyforitsdeploymentautomation.WhatAWScloudserviceprovidesintegrationwithChefrecipestostartnewapplicationserverinstances,configureapplicationserversoftware,anddeployapplications?

A. AWSElasticBeanstalk

B. AmazonKinesis

C. AWSOpsWorks

D. AWSCloudFormation

18. AfirmismovingitstestingplatformtoAWStoprovidedeveloperswithinstantaccesstocleantestanddevelopmentenvironments.Theprimaryrequirementforthefirmistomakeenvironmentseasilyreproducibleandfungible.Whatservicewillhelpthefirmmeettheirrequirements?

A. AWSCloudFormation

B. AWSConfig

C. AmazonRedshift

D. AWSTrustedAdvisor

19. Yourcompany’sITmanagementteamislookingforanonlinetooltoproviderecommendationstosavemoney,improvesystemavailabilityandperformance,andtohelpclosesecuritygaps.Whatcanhelpthemanagementteam?

A. Cloud-init

B. AWSTrustedAdvisor

Page 371: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

C. AWSConfig

D. ConfigurationRecorder

20. YourcompanyworkswithdatathatrequiresfrequentauditsofyourAWSenvironmenttoensurecompliancewithinternalpoliciesandbestpractices.Inordertoperformtheseaudits,youneedaccesstohistoricalconfigurationsofyourresourcestoevaluaterelevantconfigurationchanges.Whichservicewillprovidethenecessaryinformationforyouraudits?

A. AWSConfig

B. AWSKeyManagementService(AWSKMS)

C. AWSCloudTrail

D. AWSOpsWorks

21. Allofthewebsitedeploymentsarecurrentlydonebyyourcompany’sdevelopmentteam.Withasurgeinwebsitepopularity,thecompanyislookingforwaystobemoreagilewithdeployments.WhatAWScloudservicecanhelpthedevelopersfocusmoreonwritingcodeinsteadofspendingtimemanagingandconfiguringservers,databases,loadbalancers,firewalls,andnetworks?

A. AWSConfig

B. AWSTrustedAdvisor

C. AmazonKinesis

D. AWSElasticBeanstalk

Page 372: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

Chapter12SecurityonAWSTHEAWSCERTIFIEDSOLUTIONSARCHITECTEXAMTOPICSCOVEREDINTHISCHAPTERMAYINCLUDE,BUTARENOTLIMITEDTO,THEFOLLOWING:Domain3.0:DataSecurity

3.1Recognizeandimplementsecurepracticesforoptimumclouddeploymentandmaintenance.

Contentmayincludethefollowing:

AWSsharedresponsibilitymodel

AWSplatformcompliance

AWSsecurityattributes(customerworkloadsdowntophysicallayer)

AWSadministrationandsecurityservices

AWSIdentityandAccessManagement(IAM)

AmazonVirtualPrivateCloud(AmazonVPC)

AWSCloudTrail

Ingressvs.egressfiltering,andwhichAWSservicesandfeaturesfit

CoreAmazonElasticComputeCloud(AmazonEC2)andAmazonSimpleStorageService(AmazonS3)securityfeaturesets

Incorporatingcommonconventionalsecurityproducts(Firewall,VirtualPrivateNetwork[VPN])

DenialofService(DoS)mitigation

Encryptionsolutions(e.g.,keyservices)

Complexaccesscontrols(buildingsophisticatedsecuritygroups,AccessControlLists[ACLs],etc.)

Page 373: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

IntroductionCloudsecurityisthefirstpriorityatAWS.AllAWScustomersbenefitfromadatacenterandnetworkarchitecturethatisbuilttosatisfytherequirementsofthemostsecurity-sensitiveorganizations.AWSanditspartnersoffertoolsandfeaturestohelpyoumeetyoursecurityobjectivesaroundvisibility,auditability,controllability,andagility.Thismeansthatyoucanhavethesecurityyouneed,butwithoutthecapitaloutlayandatamuchloweroperationaloverheadthaninanon-premisesoratraditionaldatacenterenvironment.ThischapterwillcovertherelevantsecuritytopicsthatarewithinscopeoftheAWSCertifiedSolutionsArchitect–Associateexam.

Page 374: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

SharedResponsibilityModelBeforewegointothedetailsofhowAWSsecuresitsresources,weshouldtalkabouthowsecurityinthecloudisslightlydifferentthansecurityinyouron-premisesdatacenters.Whenyoumovecomputersystemsanddatatothecloud,securityresponsibilitiesbecomesharedbetweenyouandyourcloudserviceprovider.Inthiscase,AWSisresponsibleforsecuringtheunderlyinginfrastructurethatsupportsthecloud,andyou’reresponsibleforanythingyouputonthecloudorconnecttothecloud.Thissharedresponsibilitymodelcanreduceyouroperationalburdeninmanyways,andinsomecasesitmayevenimproveyourdefaultsecurityposturewithoutadditionalactiononyourpart.Figure12.1illustratesAWSresponsibilitiesversusthoseofthecustomer.Essentially,AWSisresponsibleforsecurityofthecloud,andcustomersareresponsibleforsecurityinthecloud.

FIGURE12.1Thesharedresponsibilitymodel

Page 375: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

AWSComplianceProgramAWScomplianceenablescustomerstounderstandtherobustcontrolsinplaceatAWStomaintainsecurityanddataprotectioninthecloud.AsyoubuildsystemsontopofAWSCloudinfrastructure,yousharecomplianceresponsibilitieswithAWS.Bytyingtogethergovernance-focused,audit-friendlyservicefeatureswithapplicablecomplianceorauditstandards,AWScomplianceenablersbuildontraditionalprograms,helpingyoutoestablishandoperateinanAWSsecuritycontrolenvironment.TheITinfrastructurethatAWSprovidesisdesignedandmanagedinalignmentwithsecuritybestpracticesandavarietyofITsecuritystandards,including(atthetimeofthiswriting):

ServiceOrganizationControl(SOC)1/StatementonStandardsforAttestationEngagements(SSAE)16/InternationalStandardsforAssuranceEngagementsNo.3402(ISAE)3402(formerlyStatementonAuditingStandards[SAS]70)

SOC2

SOC3

FederalInformationSecurityManagementAct(FISMA),DepartmentofDefense(DoD)InformationAssuranceCertificationandAccreditationProcess(DIACAP),andFederalRiskandAuthorizationManagementProgram(FedRAMP)

DoDCloudComputingSecurityRequirementsGuide(SRG)Levels2and4

PaymentCardIndustryDataSecurityStandard(PCIDSS)Level1

InternationalOrganizationforStandardization(ISO)9001andISO27001

InternationalTrafficinArmsRegulations(ITAR)

FederalInformationProcessingStandard(FIPS)140-2

Inaddition,theflexibilityandcontrolthattheAWSplatformprovidesallowscustomerstodeploysolutionsthatmeetseveralindustry-specificstandards,including:

CriminalJusticeInformationServices(CJIS)

CloudSecurityAlliance(CSA)

FamilyEducationalRightsandPrivacyAct(FERPA)

HealthInsurancePortabilityandAccountabilityAct(HIPAA)

MotionPictureAssociationofAmerica(MPAA)

AWSprovidesawiderangeofinformationregardingitsITcontrolenvironmenttocustomersthroughwhitepapers,reports,certifications,accreditations,andotherthird-partyattestations.ToaidinpreparationforyourAWSCertifiedSolutionsArchitectAssociateexam,seeChapter13,“AWSRiskandCompliance.”Moreinformationisavailableinthe“AWSRiskandCompliance”whitepaperavailableontheAWSwebsite.

Page 376: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

AWSGlobalInfrastructureSecurityAWSoperatestheglobalcloudinfrastructurethatyouusetoprovisionavarietyofbasiccomputingresourcessuchasprocessingandstorage.TheAWSglobalinfrastructureincludesthefacilities,network,hardware,andoperationalsoftware(forexample,hostoperatingsystemandvirtualizationsoftware)thatsupporttheprovisioninganduseoftheseresources.TheAWSglobalinfrastructureisdesignedandmanagedaccordingtosecuritybestpracticesaswellasavarietyofsecuritycompliancestandards.AsanAWScustomer,youcanbeassuredthatyou’rebuildingwebarchitecturesontopofsomeofthemostsecurecomputinginfrastructureintheworld.

PhysicalandEnvironmentalSecurityAWSdatacentersarestateoftheart,usinginnovativearchitecturalandengineeringapproaches.Amazonhasmanyyearsofexperienceindesigning,constructing,andoperatinglarge-scaledatacenters.ThisexperiencehasbeenappliedtotheAWSplatformandinfrastructure.AWSdatacentersarehousedinnondescriptfacilities.Physicalaccessisstrictlycontrolledbothattheperimeterandatbuildingingresspointsbyprofessionalsecuritystaffusingvideosurveillance,intrusiondetectionsystems,andotherelectronicmeans.Authorizedstaffmustpasstwo-factorauthenticationaminimumoftwotimestoaccessdatacenterfloors.Allvisitorsandcontractorsarerequiredtopresentidentificationandaresignedinandcontinuallyescortedbyauthorizedstaff.

AWSonlyprovidesdatacenteraccessandinformationtoemployeesandcontractorswhohavealegitimatebusinessneedforsuchprivileges.Whenanemployeenolongerhasabusinessneedfortheseprivileges,hisorheraccessisimmediatelyrevoked,eveniftheycontinuetobeanemployeeofAmazonorAWS.AllphysicalaccesstodatacentersbyAWSemployeesisloggedandauditedroutinely.

FireDetectionandSuppressionAWSdatacentershaveautomaticfiredetectionandsuppressionequipmenttoreducerisk.Thefiredetectionsystemusessmokedetectionsensorsinalldatacenterenvironments,mechanicalandelectricalinfrastructurespaces,chillerroomsandgeneratorequipmentrooms.Theseareasareprotectedbywet-pipe,double-interlockedpre-action,orgaseoussprinklersystems.

PowerAWSdatacenterelectricalpowersystemsaredesignedtobefullyredundantandmaintainablewithoutimpacttooperations,24hoursaday,and7daysaweek.UninterruptiblePowerSupply(UPS)unitsprovidebackuppowerintheeventofanelectricalfailureforcriticalandessentialloadsinthefacility.AWSdatacentersusegeneratorstoprovidebackuppowerfortheentirefacility.

ClimateandTemperatureClimatecontrolisrequiredtomaintainaconstantoperatingtemperatureforserversandotherhardware,whichpreventsoverheatingandreducesthepossibilityofserviceoutages.

Page 377: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

AWSdatacentersarebuilttomaintainatmosphericconditionsatoptimallevels.Personnelandsystemsmonitorandcontroltemperatureandhumidityatappropriatelevels.

ManagementAWSmonitorselectrical,mechanical,andlifesupportsystemsandequipmentsothatanyissuesareimmediatelyidentified.AWSstaffperformspreventativemaintenancetomaintainthecontinuedoperabilityofequipment.

StorageDeviceDecommissioningWhenastoragedevicehasreachedtheendofitsusefullife,AWSproceduresincludeadecommissioningprocessthatisdesignedtopreventcustomerdatafrombeingexposedtounauthorizedindividuals.

BusinessContinuityManagementAmazon’sinfrastructurehasahighlevelofavailabilityandprovidescustomerswiththefeaturestodeployaresilientITarchitecture.AWShasdesigneditssystemstotoleratesystemorhardwarefailureswithminimalcustomerimpact.DatacenterBusinessContinuityManagementatAWSisunderthedirectionoftheAmazonInfrastructureGroup.

AvailabilityDatacentersarebuiltinclustersinvariousglobalregions.Alldatacentersareonlineandservingcustomers;nodatacenteris“cold.”Incaseoffailure,automatedprocessesmovedatatrafficawayfromtheaffectedarea.CoreapplicationsaredeployedinanN+1configuration,sothatintheeventofadatacenterfailure,thereissufficientcapacitytoenabletraffictobeload-balancedtotheremainingsites.

AWSprovidesitscustomerswiththeflexibilitytoplaceinstancesandstoredatawithinmultiplegeographicregionsandalsoacrossmultipleAvailabilityZoneswithineachregion.EachAvailabilityZoneisdesignedasanindependentfailurezone.ThismeansthatAvailabilityZonesarephysicallyseparatedwithinatypicalmetropolitanregionandarelocatedinlowerriskfloodplains(specificfloodzonecategorizationvariesbyregion).InadditiontohavingdiscreteUPSandon-sitebackupgenerationfacilities,theyareeachfedviadifferentgridsfromindependentutilitiestofurtherreducesinglepointsoffailure.AvailabilityZonesareallredundantlyconnectedtomultipletier-1transitproviders.Figure12.2illustrateshowAWSregionsarecomprisedofAvailabilityZones.

Page 378: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

FIGURE12.2AmazonWebServicesregions

YoushouldarchitectyourAWSusagetotakeadvantageofmultipleregionsandAvailabilityZones.DistributingapplicationsacrossmultipleAvailabilityZonesprovidestheabilitytoremainresilientinthefaceofmostfailuremodes,includingnaturaldisastersorsystemfailures.

IncidentResponseTheAmazonIncidentManagementteamemploysindustry-standarddiagnosticprocedurestodriveresolutionduringbusiness-impactingevents.Staffoperatorsprovide24×7×365coveragetodetectincidentsandtomanagetheimpactandresolution.

CommunicationAWShasimplementedvariousmethodsofinternalcommunicationatagloballeveltohelpemployeesunderstandtheirindividualrolesandresponsibilitiesandtocommunicatesignificanteventsinatimelymanner.Thesemethodsincludeorientationandtrainingprogramsfornewlyhiredemployees,regularmanagementmeetingsforupdatesonbusinessperformanceandothermatters,andelectronicsmeanssuchasvideoconferencing,electronicmailmessages,andthepostingofinformationviatheAmazonintranet.

AWShasalsoimplementedvariousmethodsofexternalcommunicationtosupportitscustomerbaseandthecommunity.Mechanismsareinplacetoallowthecustomersupportteamtobenotifiedofoperationalissuesthatimpactthecustomerexperience.AServiceHealthDashboardisavailableandmaintainedbythecustomersupportteamtoalertcustomerstoanyissuesthatmaybeofbroadimpact.TheAWSSecurityCenterisavailableto

Page 379: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

provideyouwithsecurityandcompliancedetailsaboutAWS.CustomerscanalsosubscribetoAWSSupportofferingsthatincludedirectcommunicationwiththecustomersupportteamandproactivealertstoanycustomer-impactingissues.

NetworkSecurityTheAWSnetworkhasbeenarchitectedtopermityoutoselectthelevelofsecurityandresiliencyappropriateforyourworkload.Toenableyoutobuildgeographicallydispersed,fault-tolerantwebarchitectureswithcloudresources,AWShasimplementedaworld-classnetworkinfrastructurethatiscarefullymonitoredandmanaged.

SecureNetworkArchitectureNetworkdevices,includingfirewallandotherboundarydevices,areinplacetomonitorandcontrolcommunicationsattheexternalboundaryofthenetworkandatkeyinternalboundarieswithinthenetwork.Theseboundarydevicesemployrulesets,accesscontrollists(ACLs),andconfigurationstoenforcetheflowofinformationtospecificinformationsystemservices.

ACLs,ortrafficflowpolicies,areestablishedoneachmanagedinterface,whichmanageandenforcetheflowoftraffic.ACLpoliciesareapprovedbyAmazonInformationSecurity.Thesepoliciesareautomaticallypushedtoensurethesemanagedinterfacesenforcethemostup-to-dateACLs.

SecureAccessPointsAWShasstrategicallyplacedalimitednumberofaccesspointstothecloudtoallowforamorecomprehensivemonitoringofinboundandoutboundcommunicationsandnetworktraffic.ThesecustomeraccesspointsarecalledApplicationProgrammingInterface(API)endpoints,andtheypermitsecureHTTPaccess(HTTPS),whichallowsyoutoestablishasecurecommunicationsessionwithyourstorageorcomputeinstanceswithinAWS.TosupportcustomerswithFederalInformationProcessingStandard(FIPS)cryptographicrequirements,theSecureSocketsLayer(SSL)-terminatingloadbalancersinAWSGovCloud(US)areFIPS140-2compliant.

Inaddition,AWShasimplementednetworkdevicesthatarededicatedtomanaginginterfacingcommunicationswithInternetServiceProviders(ISPs).AWSemploysaredundantconnectiontomorethanonecommunicationserviceateachInternet-facingedgeoftheAWSnetwork.Theseconnectionseachhavededicatednetworkdevices.

TransmissionProtectionYoucanconnecttoanAWSaccesspointviaHTTPorHTTPSusingSSL,acryptographicprotocolthatisdesignedtoprotectagainsteavesdropping,tampering,andmessageforgery.Forcustomerswhorequireadditionallayersofnetworksecurity,AWSofferstheAmazonVirtualPrivateCloud(AmazonVPC)(asreferencedinChapter4,“AmazonVirtualPrivateCloud(AmazonVPC),”whichprovidesaprivatesubnetwithintheAWSCloudandtheabilitytouseanIPsecVirtualPrivateNetwork(VPN)devicetoprovideanencryptedtunnelbetweentheAmazonVPCandyourdatacenter.

NetworkMonitoringandProtection

Page 380: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

TheAWSnetworkprovidessignificantprotectionagainsttraditionalnetworksecurityissues,andyoucanimplementfurtherprotection.Thefollowingareafewexamples:

DistributedDenialofService(DDoS)AttacksAWSAPIendpointsarehostedonalarge,Internet-scale,world-classinfrastructurethatbenefitsfromthesameengineeringexpertisethathasbuiltAmazonintotheworld’slargestonlineretailer.ProprietaryDDoSmitigationtechniquesareused.Additionally,AWSnetworksaremulti-homedacrossanumberofproviderstoachieveInternetaccessdiversity.

ManintheMiddle(MITM)AttacksAlloftheAWSAPIsareavailableviaSSL-protectedendpointsthatprovideserverauthentication.AmazonElasticComputeCloud(AmazonEC2)AMIsautomaticallygeneratenewSecureShell(SSH)hostcertificatesonfirstbootandlogthemtotheinstance’sconsole.YoucanthenusethesecureAPIstocalltheconsoleandaccessthehostcertificatesbeforeloggingintotheinstanceforthefirsttime.AWSencouragesyoutouseSSLforallofyourinteractions.

IPSpoofingAmazonEC2instancescannotsendspoofednetworktraffic.TheAWS-controlled,host-basedfirewallinfrastructurewillnotpermitaninstancetosendtrafficwithasourceIPorMachineAccessControl(MAC)addressotherthanitsown.

PortScanningUnauthorizedportscansbyAmazonEC2customersareaviolationoftheAWSAcceptableUsePolicy.ViolationsoftheAWSAcceptableUsePolicyaretakenseriously,andeveryreportedviolationisinvestigated.CustomerscanreportsuspectedabuseviathecontactsavailableontheAWSwebsite.WhenunauthorizedportscanningisdetectedbyAWS,itisstoppedandblocked.PortscansofAmazonEC2instancesaregenerallyineffectivebecause,bydefault,allinboundportsonAmazonEC2instancesareclosedandareonlyopenedbythecustomer.Strictmanagementofsecuritygroupscanfurthermitigatethethreatofportscans.Ifyouconfigurethesecuritygrouptoallowtrafficfromanysourcetoaspecificport,thatspecificportwillbevulnerabletoaportscan.Inthesecases,youmustuseappropriatesecuritymeasurestoprotectlisteningservicesthatmaybeessentialtotheirapplicationfrombeingdiscoveredbyanunauthorizedportscan.Forexample,awebservermustclearlyhaveport80(HTTP)opentotheworld,andtheadministratorofthisserverisresponsibleforthesecurityoftheHTTPserversoftware,suchasApache.Youmayrequestpermissiontoconductvulnerabilityscansasrequiredtomeetyourspecificcompliancerequirements.ThesescansmustbelimitedtoyourowninstancesandmustnotviolatetheAWSAcceptableUsePolicy.AdvancedapprovalforthesetypesofscanscanbeinitiatedbysubmittingarequestviatheAWSwebsite.

PacketSniffingbyOtherTenantsWhileyoucanplaceyourinterfacesintopromiscuousmode,thehypervisorwillnotdeliveranytraffictothemthatisnotaddressedtothem.Eventwovirtualinstancesthatareownedbythesamecustomerlocatedonthesamephysicalhostcannotlistentoeachother’straffic.WhileAmazonEC2doesprovideampleprotectionagainstonecustomerinadvertentlyormaliciouslyattemptingtoviewanothercustomer’sdata,asastandardpracticeyoushouldencryptsensitivetraffic.

Itisnotpossibleforavirtualinstancerunninginpromiscuousmodetoreceiveor“sniff”trafficthatisintendedforadifferentvirtualinstance.

Page 381: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

AttackssuchasAddressResolutionProtocol(ARP)cachepoisoningdonotworkwithinAmazonEC2andAmazonVPC.

Page 382: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

AWSAccountSecurityFeaturesAWSprovidesavarietyoftoolsandfeaturesthatyoucanusetokeepyourAWSaccountandresourcessafefromunauthorizeduse.Thisincludescredentialsforaccesscontrol,HTTPSendpointsforencrypteddatatransmission,thecreationofseparateAWSIdentityandAccessManagement(IAM)useraccounts,anduseractivityloggingforsecuritymonitoring.YoucantakeadvantageofallofthesesecuritytoolsnomatterwhichAWSservicesyouselect.

AWSCredentialsTohelpensurethatonlyauthorizedusersandprocessesaccessyourAWSaccountandresources,AWSusesseveraltypesofcredentialsforauthentication.Theseincludepasswords,cryptographickeys,digitalsignatures,andcertificates.AWSalsoprovidestheoptionofrequiringMulti-FactorAuthentication(MFA)tologintoyourAWSAccountorIAMuseraccounts.Table12.1highlightsthevariousAWScredentialsandtheiruses.

Page 383: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

TABLE12.1AWSCredentials

CredentialType

Use Description

Passwords AWSrootaccountorIAMuseraccountlogintotheAWSManagementConsole

AstringofcharactersusedtologintoyourAWSaccountorIAMaccount.AWSpasswordsmustbeaminimumof6charactersandmaybeupto128characters.

Multi-FactorAuthentication(MFA)

AWSrootaccountorIAMuseraccountlogintotheAWSManagementConsole

Asix-digit,single-usecodethatisrequiredinadditiontoyourpasswordtologintoyourAWSaccountorIAMuseraccount.

AccessKeys Digitally-signedrequeststoAWSAPIs(usingtheAWSSoftwareDevelopmentKit[SDK],CommandLineInterface[CLI],orREST/QueryAPIs)

IncludesanaccesskeyIDandasecretaccesskey.YouuseaccesskeystosignprogrammaticrequestsdigitallythatyoumaketoAWS.

KeyPairs SSHlogintoAmazonEC2instancesAmazonCloudFront-signedURLs

AkeypairisrequiredtoconnecttoanAmazonEC2instancelaunchedfromapublicAMI.ThekeysthatAmazonEC2usesare1024-bitSSH-2RSAkeys.Youcanhaveakeypairgeneratedautomaticallyforyouwhenyoulaunchtheinstance,oryoucanuploadyourown.

X.509Certificates

DigitallysignedSOAPrequeststoAWSAPIsSSLservercertificatesforHTTPS

X.509certificatesareonlyusedtosignSOAP-basedrequests(currentlyusedonlywithAmazonSimpleStorageService[AmazonS3]).YoucanhaveAWScreateanX.509certificateandprivatekeythatyoucandownload,oryoucanuploadyourowncertificatebyusingtheSecurityCredentialspage.

Forsecurityreasons,ifyourcredentialshavebeenlostorforgotten,youcannotrecoverthemorre-downloadthem.However,youcancreatenewcredentialsandthendisableordeletetheoldsetofcredentials.Infact,AWSrecommendsthatyouchange(rotate)youraccesskeysandcertificatesonaregularbasis.Tohelpyoudothiswithoutpotentialimpacttoyourapplication’savailability,AWSsupportsmultipleconcurrentaccesskeysandcertificates.Withthisfeature,youcanrotatekeysandcertificatesintoandoutofoperationonaregularbasiswithoutanydowntimetoyourapplication.Thiscanhelptomitigateriskfromlostorcompromisedaccesskeysorcertificates.

TheAWSIAMAPIenablesyoutorotatetheaccesskeysofyourAWSaccountandalsoforIAMuseraccounts.

PasswordsPasswordsarerequiredtoaccessyourAWSAccount,individualIAMuseraccounts,AWS

Page 384: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

DiscussionForums,andtheAWSSupportCenter.Youspecifythepasswordwhenyoufirstcreatetheaccount,andyoucanchangeitatanytimebygoingtotheSecurityCredentialspage.AWSpasswordscanbeupto128characterslongandcontainspecialcharacters,givingyoutheabilitytocreateverystrongpasswords.

YoucansetapasswordpolicyforyourIAMuseraccountstoensurethatstrongpasswordsareusedandthattheyarechangedoften.ApasswordpolicyisasetofrulesthatdefinethetypeofpasswordanIAMusercanset.

AWSMulti-FactorAuthentication(AWSMFA)AWSMFAisanadditionallayerofsecurityforaccessingAWSCloudservices.Whenyouenablethisoptionalfeature,youwillneedtoprovideasix-digit,single-usecodeinadditiontoyourstandardusernameandpasswordcredentialsbeforeaccessisgrantedtoyourAWSaccountsettingsorAWSCloudservicesandresources.Yougetthissingle-usecodefromanauthenticationdevicethatyoukeepinyourphysicalpossession.ThisisMFAbecausemorethanoneauthenticationfactorischeckedbeforeaccessisgranted:apassword(somethingyouknow)andtheprecisecodefromyourauthenticationdevice(somethingyouhave).YoucanenableMFAdevicesforyourAWSaccountandfortheusersyouhavecreatedunderyourAWSaccountwithAWSIAM.Inaddition,youcanaddMFAprotectionforaccessacrossAWSaccounts,forwhenyouwanttoallowauseryou’vecreatedunderoneAWSaccounttouseanIAMroletoaccessresourcesunderanotherAWSaccount.YoucanrequiretheusertouseMFAbeforeassumingtheroleasanadditionallayerofsecurity.

AWSMFAsupportstheuseofbothhardwaretokensandvirtualMFAdevices.VirtualMFAdevicesusethesameprotocolsasthephysicalMFAdevices,butcanrunonanymobilehardwaredevice,includingasmartphone.AvirtualMFAdeviceusesasoftwareapplicationthatgeneratessix-digitauthenticationcodesthatarecompatiblewiththeTime-BasedOne-TimePassword(TOTP)standard,asdescribedinRFC6238.MostvirtualMFAapplicationsallowyoutohostmorethanonevirtualMFAdevice,whichmakesthemmoreconvenientthanhardwareMFAdevices.However,youshouldbeawarethatbecauseavirtualMFAmayberunonalesssecuredevicesuchasasmartphone,avirtualMFAmightnotprovidethesamelevelofsecurityasahardwareMFAdevice.

YoucanalsoenforceMFAauthenticationforAWSCloudserviceAPIsinordertoprovideanextralayerofprotectionoverpowerfulorprivilegedactionssuchasterminatingAmazonEC2instancesorreadingsensitivedatastoredinAmazonS3.YoudothisbyaddinganMFArequirementtoanIAMaccesspolicy.YoucanattachtheseaccesspoliciestoIAMusers,IAMgroups,orresourcesthatsupportACLslikeAmazonS3buckets,AmazonSimpleQueueService(AmazonSQS)queues,andAmazonSimpleNotificationService(AmazonSNS)topics.

AccessKeysAccesskeysarecreatedbyAWSIAManddeliveredasapair:theAccessKeyID(AKI)andtheSecretAccessKey(SAK).AWSrequiresthatallAPIrequestsbesignedbytheSAK;thatis,theymustincludeadigitalsignaturethatAWScanusetoverifytheidentityoftherequestor.Youcalculatethedigitalsignatureusingacryptographichashfunction.IfyouuseanyoftheAWSSDKstogeneraterequests,thedigitalsignaturecalculationisdoneforyou.

Page 385: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

Notonlydoesthesigningprocesshelpprotectmessageintegritybypreventingtamperingwiththerequestwhileitisintransit,butitalsohelpsprotectagainstpotentialreplayattacks.ArequestmustreachAWSwithin15minutesofthetimestampintherequest.Otherwise,AWSdeniestherequest.

ThemostrecentversionofthedigitalsignaturecalculationprocessatthetimeofthiswritingisSignatureVersion4,whichcalculatesthesignatureusingtheHashedMessageAuthenticationMode(HMAC)-SecureHashAlgorithm(SHA)-256protocol.Version4providesanadditionalmeasureofprotectionoverpreviousversionsbyrequiringthatyousignthemessageusingakeythatisderivedfromyourSAKinsteadofusingtheSAKitself.Inaddition,youderivethesigningkeybasedoncredentialscope,whichfacilitatescryptographicisolationofthesigningkey.

Becauseaccesskeyscanbemisusediftheyfallintothewronghands,AWSencouragesyoutosavetheminasafeplaceandtonotembedtheminyourcode.ForcustomerswithlargefleetsofelasticallyscalingAmazonEC2instances,theuseofIAMrolescanbeamoresecureandconvenientwaytomanagethedistributionofaccesskeys.

IAMrolesprovidetemporarycredentials,whichnotonlygetautomaticallyloadedtothetargetinstance,butarealsoautomaticallyrotatedmultipletimesaday.

AmazonEC2usesanInstanceProfileasacontainerforanIAMrole.WhenyoucreateanIAMroleusingtheAWSManagementConsole,theconsolecreatesaninstanceprofileautomaticallyandgivesitthesamenameastheroletowhichitcorresponds.IfyouusetheAWSCLI,API,oranAWSSDKtocreatearole,youcreatetheroleandinstanceprofileasseparateactions,andyoumightgivethemdifferentnames.TolaunchaninstancewithanIAMrole,youspecifythenameofitsinstanceprofile.WhenyoulaunchaninstanceusingtheAmazonEC2console,youcanselectaroletoassociatewiththeinstance;however,thelistthat’sdisplayedisactuallyalistofinstanceprofilenames.

KeypairsAmazonEC2supportsRSA2048SSHkeysforgainingfirstaccesstoanAmazonEC2instance.OnaLinuxinstance,accessisgrantedthroughshowingpossessionoftheSSHprivatekey.OnaWindowsinstance,accessisgrantedbyshowingpossessionoftheSSHprivatekeyinordertodecrypttheadministratorpassword.Thepublickeyisembeddedinyourinstance,andyouusetheprivatekeytosigninsecurelywithoutapassword.AfteryoucreateyourownAMIs,youcanchooseothermechanismstologintoyournewinstancessecurely.Youcanhaveakeypairgeneratedautomaticallyforyouwhenyoulaunchtheinstanceoryoucanuploadyourown.Savetheprivatekeyinasafeplaceonyoursystemandrecordthelocationwhereyousavedit.

ForAmazonCloudFront,youusekeypairstocreatesignedURLsforprivatecontent,suchaswhenyouwanttodistributerestrictedcontentthatsomeonepaidfor.YoucreateAmazonCloudFrontkeypairsbyusingtheSecurityCredentialspage.AmazonCloudFrontkeypairscanbecreatedonlybytherootaccountandcannotbecreatedbyIAMusers.

Page 386: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

X.509CertificatesX.509certificatesareusedtosignSOAP-basedrequests.X.509certificatescontainapublickeythatisassociatedwithaprivatekey.Whenyoucreatearequest,youcreateadigitalsignaturewithyourprivatekeyandthenincludethatsignatureintherequest,alongwithyourcertificate.AWSverifiesthatyou’rethesenderbydecryptingthesignaturewiththepublickeythatisinyourcertificate.AWSalsoverifiesthatthecertificatethatyousentmatchesthecertificatethatyouuploadedtoAWS.

ForyourAWSaccount,youcanhaveAWScreateanX.509certificateandprivatekeythatyoucandownload,oryoucanuploadyourowncertificatebyusingtheSecurityCredentialspage.ForIAMusers,youmustcreatetheX.509certificate(signingcertificate)byusingthird-partysoftware.Incontrasttorootaccountcredentials,AWScannotcreateanX.509certificateforIAMusers.Afteryoucreatethecertificate,youattachittoanIAMuserbyusingIAM.

InadditiontoSOAPrequests,X.509certificatesareusedasSSL/TransportLayerSecurity(TLS)servercertificatesforcustomerswhowanttouseHTTPStoencrypttheirtransmissions.TousethemforHTTPS,youcanuseanopen-sourcetoollikeOpenSSLtocreateauniqueprivatekey.You’llneedtheprivatekeytocreatetheCertificateSigningRequest(CSR)thatyousubmittoaCertificateAuthority(CA)toobtaintheservercertificate.You’llthenusetheAWSCLItouploadthecertificate,privatekey,andcertificatechaintoIAM.

YouwillalsoneedanX.509certificatetocreateacustomizedLinuxAMIforAmazonEC2instances.Thecertificateisonlyrequiredtocreateaninstance-backedAMI(asopposedtoanAmazonElasticBlockStore[AmazonEBS]-backedAMI).YoucanhaveAWScreateanX.509certificateandprivatekeythatyoucandownload,oryoucanuploadyourowncertificatebyusingtheSecurityCredentialspage.

AWSCloudTrailAWSCloudTrailisawebservicethatrecordsAPIcallsmadeonyouraccountanddeliverslogfilestoyourAmazonS3bucket.AWSCloudTrail’sbenefitisvisibilityintoaccountactivitybyrecordingAPIcallsmadeonyouraccount.AWSCloudTrailrecordsthefollowinginformationabouteachAPIcall:

ThenameoftheAPI

Theidentityofthecaller

ThetimeoftheAPIcall

Therequestparameters

TheresponseelementsreturnedbytheAWSCloudservice

ThisinformationhelpsyoutotrackchangesmadetoyourAWSresourcesandtotroubleshootoperationalissues.AWSCloudTrailmakesiteasiertoensurecompliancewithinternalpoliciesandregulatorystandards.

AWSCloudTrailsupportslogfileintegrity,whichmeansyoucanprovetothirdparties(forexample,auditors)thatthelogfilesentbyAWSCloudTrailhasnotbeenaltered.Validatedlogfilesareinvaluableinsecurityandforensicinvestigations.Thisfeatureisbuiltusing

Page 387: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

industrystandardalgorithms:SHA-256forhashingandSHA-256withRSAfordigitalsigning.Thismakesitcomputationallyunfeasibletomodify,delete,orforgeAWSCloudTraillogfileswithoutdetection.

Page 388: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

AWSCloudService-SpecificSecurityNotonlyissecuritybuiltintoeverylayeroftheAWSinfrastructure,butalsointoeachoftheservicesavailableonthatinfrastructure.AWSCloudservicesarearchitectedtoworkefficientlyandsecurelywithallAWSnetworksandplatforms.Eachserviceprovidesadditionalsecurityfeaturestoenableyoutoprotectsensitivedataandapplications.

ComputeServicesAWSprovidesavarietyofcloud-basedcomputingservicesthatincludeawideselectionofcomputeinstancesthatcanscaleupanddownautomaticallytomeettheneedsofyourapplicationorenterprise.

AmazonElasticComputeCloud(AmazonEC2)SecurityAmazonEC2isakeycomponentinAmazon’sInfrastructureasaService(IaaS),providingresizablecomputingcapacityusingserverinstancesinAWSdatacenters.AmazonEC2isdesignedtomakeweb-scalecomputingeasierbyenablingyoutoobtainandconfigurecapacitywithminimalfriction.Youcreateandlaunchinstances,whicharecollectionsofplatformhardwareandsoftware.

MultipleLevelsofSecuritySecuritywithinAmazonEC2isprovidedonmultiplelevels:theoperatingsystem(OS)ofthehostplatform,thevirtualinstanceOSorguestOS,afirewall,andsignedAPIcalls.Eachoftheseitemsbuildsonthecapabilitiesoftheothers.ThegoalistopreventdatacontainedwithinAmazonEC2frombeinginterceptedbyunauthorizedsystemsorusersandtomakeAmazonEC2instancesthemselvesassecureaspossiblewithoutsacrificingtheflexibilityinconfigurationthatcustomersdemand.

TheHypervisorAmazonEC2currentlyusesahighlycustomizedversionoftheXenhypervisor,takingadvantageofparavirtualization(inthecaseofLinuxguests).Becauseparavirtualizedguestsrelyonthehypervisortoprovidesupportforoperationsthatnormallyrequireprivilegedaccess,theguestOShasnoelevatedaccesstotheCPU.TheCPUprovidesfourseparateprivilegemodes:0–3,calledrings.Ring0isthemostprivilegedand3theleast.ThehostOSexecutesinRing0.However,insteadofexecutinginRing0asmostOSsdo,theguestOSrunsinlesser-privilegedRing1,andapplicationsintheleastprivilegedinRing3.Thisexplicitvirtualizationofthephysicalresourcesleadstoaclearseparationbetweenguestandhypervisor,resultinginadditionalsecurityseparationbetweenthetwo.

InstanceIsolationDifferentinstancesrunningonthesamephysicalmachineareisolatedfromeachotherviatheXenhypervisor.AmazonisactiveintheXencommunity,whichprovidesAWSwithawarenessofthelatestdevelopments.Inaddition,theAWSfirewallresideswithinthehypervisorlayer,betweenthephysicalnetworkinterfaceandtheinstance’svirtualinterface.Allpacketsmustpassthroughthislayer;thus,aninstance’sneighborshavenomoreaccesstothatinstancethananyotherhostontheInternetandcanbetreatedasiftheyareonseparatephysicalhosts.ThephysicalRAMisseparatedusingsimilarmechanisms.Customerinstanceshavenoaccesstorawdiskdevices,butinsteadarepresentedwithvirtualizeddisks.TheAWSproprietarydiskvirtualizationlayerautomaticallyresetseveryblockofstorageusedbythecustomer,sothatonecustomer’sdataisnever

Page 389: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

unintentionallyexposedtoanothercustomer.Inaddition,memoryallocatedtoguestsisscrubbed(settozero)bythehypervisorwhenitisunallocatedtoaguest.Thememoryisnotreturnedtothepooloffreememoryavailablefornewallocationsuntilthememoryscrubbingiscompleted.Figure12.3depictsinstanceisolationwithinAmazonEC2.

FIGURE12.3AmazonEC2multiplelayersofsecurity

HostOperatingSystemAdministratorswithabusinessneedtoaccessthemanagementplanearerequiredtouseMFAtogainaccesstopurpose-builtadministrationhosts.Theseadministrativehostsaresystemsthatarespecificallydesigned,built,configured,andhardenedtoprotectthemanagementplaneofthecloud.Allsuchaccessisloggedandaudited.Whenanemployeenolongerhasabusinessneedtoaccessthemanagementplane,theprivilegesandaccesstothesehostsandrelevantsystemscanberevoked.

GuestOperatingSystemVirtualinstancesarecompletelycontrolledbyyou,thecustomer.Youhavefullrootaccessoradministrativecontroloveraccounts,services,andapplications.AWSdoesnothaveanyaccessrightstoyourinstancesortheguestOS.AWSrecommendsabasesetofsecuritybestpracticestoincludedisablingpassword-onlyaccesstoyourguests,andusingsomeformofMFAtogainaccesstoyourinstances(orataminimumcertificate-basedSSHVersion2access).Additionally,youshouldemployaprivilegeescalationmechanismwithloggingonaper-userbasis.Forexample,iftheguestOSisLinux,afterhardening,yourinstanceyoushouldusecertificate-basedSSHv2toaccessthevirtualinstance,disableremoterootlogin,usecommand-linelogging,andusesudoforprivilegeescalation.YoushouldgenerateyourownkeypairsinordertoguaranteethattheyareuniqueandnotsharedwithothercustomersorwithAWS.AWSalsosupportstheuseoftheSSHnetworkprotocoltoenableyoutologinsecurelytoyourUNIX/LinuxAmazonEC2instances.

Page 390: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

AuthenticationforSSHusedwithAWSisviaapublic/privatekeypairtoreducetheriskofunauthorizedaccesstoyourinstance.YoucanalsoconnectremotelytoyourWindowsinstancesusingRemoteDesktopProtocol(RDP)byusinganRDPcertificategeneratedforyourinstance.YoualsocontroltheupdatingandpatchingofyourguestOS,includingsecurityupdates.Amazon-providedWindowsandLinux-basedAMIsareupdatedregularlywiththelatestpatches,soifyoudonotneedtopreservedataorcustomizationsonyourrunningAmazonAMIinstances,youcansimplyrelaunchnewinstanceswiththelatestupdatedAMI.Inaddition,updatesareprovidedfortheAmazonLinuxAMIviatheAmazonLinuxyumrepositories.

FirewallAmazonEC2providesamandatoryinboundfirewallthatisconfiguredinadefaultdeny-allmode;AmazonEC2customersmustexplicitlyopentheportsneededtoallowinboundtraffic.Thetrafficmayberestrictedbyprotocol,byserviceport,andbysourceIPaddress(individualIPorClasslessInter-DomainRouting[CIDR]block).

Thefirewallcanbeconfiguredingroups,permittingdifferentclassesofinstancestohavedifferentrules.Consider,forexample,thecaseofatraditionalthree-tieredwebapplication.Thegroupforthewebserverswouldhaveport80(HTTP)and/orport443(HTTPS)opentotheInternet.Thegroupfortheapplicationserverswouldhaveport8000(applicationspecific)accessibleonlytothewebservergroup.Thegroupforthedatabaseserverswouldhaveport3306(MySQL)openonlytotheapplicationservergroup.Allthreegroupswouldpermitadministrativeaccessonport22(SSH),butonlyfromthecustomer’scorporatenetwork.Highlysecureapplicationscanbedeployedusingthisapproach,whichisalsodepictedinFigure12.4.

Page 391: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

FIGURE12.4AmazonEC2securitygroupfirewall

Thelevelofsecurityaffordedbythefirewallisafunctionofwhichportsyouopenandforwhatdurationandpurpose.Well-informedtrafficmanagementandsecuritydesignarestillrequiredonaper-instancebasis.AWSfurtherencouragesyoutoapplyadditionalper-instancefilterswithhost-basedfirewallssuchasIPtablesortheWindowsFirewallandVPNs.Thiscanrestrictbothinboundandoutboundtraffic.

Thedefaultstateistodenyallincomingtraffic,andyoushouldcarefullyplanwhatyouwillopenwhenbuildingandsecuringyourapplications.

APIAccessAPIcallstolaunchandterminateinstances,changefirewallparameters,andperformotherfunctionsareallsignedbyyourAmazonSecretAccessKey,whichcouldbeeithertheAWSaccount’sSecretAccessKeyortheSecretAccesskeyofausercreatedwithAWSIAM.WithoutaccesstoyourSecretAccessKey,AmazonEC2APIcallscannotbemadeonyourbehalf.APIcallscanalsobeencryptedwithSSLtomaintainconfidentiality.AWSrecommendsalwaysusingSSL-protectedAPIendpoints.

AmazonElasticBlockStorage(AmazonEBS)SecurityAmazonEBSallowsyoutocreatestoragevolumesfrom1GBto16TBthatcanbemountedasdevicesbyAmazonEC2

Page 392: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

instances.Storagevolumesbehavelikeraw,unformattedblockdevices,withuser-supplieddevicenamesandablockdeviceinterface.YoucancreateafilesystemontopofAmazonEBSvolumesorusetheminanyotherwayyouwoulduseablockdevice(likeaharddrive).AmazonEBSvolumeaccessisrestrictedtotheAWSaccountthatcreatedthevolumeandtotheusersundertheAWSaccountcreatedwithAWSIAM(iftheuserhasbeengrantedaccesstotheEBSoperations).AllotherAWSaccountsandusersaredeniedthepermissiontovieworaccessthevolume.

DatastoredinAmazonEBSvolumesisredundantlystoredinmultiplephysicallocationsaspartofnormaloperationofthoseservicesandatnoadditionalcharge.However,AmazonEBSreplicationisstoredwithinthesameAvailabilityZone,notacrossmultiplezones;therefore,itishighlyrecommendedthatyouconductregularsnapshotstoAmazonS3forlong-termdatadurability.ForcustomerswhohavearchitectedcomplextransactionaldatabasesusingAmazonEBS,itisrecommendedthatbackupstoAmazonS3beperformedthroughthedatabasemanagementsystemsothatdistributedtransactionsandlogscanbecheckpointed.AWSdoesnotautomaticallyperformbackupsofdatathataremaintainedonvirtualdisksattachedtorunninginstancesonAmazonEC2.

YoucanmakeAmazonEBSvolumesnapshotspubliclyavailabletootherAWSaccountstouseasthebasisforcreatingduplicatevolumes.SharingAmazonEBSvolumesnapshotsdoesnotprovideotherAWSaccountswiththepermissiontoalterordeletetheoriginalsnapshot,asthatrightisexplicitlyreservedfortheAWSaccountthatcreatedthevolume.AnAmazonEBSsnapshotisablock-levelviewofanentireAmazonEBSvolume.Notethatdatathatisnotvisiblethroughthefilesystemonthevolume,suchasfilesthathavebeendeleted,maybepresentintheAmazonEBSsnapshot.Ifyouwanttocreatesharedsnapshots,youshoulddosocarefully.Ifavolumehasheldsensitivedataorhashadfilesdeletedfromit,youshouldcreateanewAmazonEBSvolumetoshare.Thedatatobecontainedinthesharedsnapshotshouldbecopiedtothenewvolume,andthesnapshotcreatedfromthenewvolume.

AmazonEBSvolumesarepresentedtoyouasrawunformattedblockdevicesthathavebeenwipedpriortobeingmadeavailableforuse.Wipingoccursimmediatelybeforereusesothatyoucanbeassuredthatthewipeprocessiscompleted.Ifyouhaveproceduresrequiringthatalldatabewipedviaaspecificmethod,youhavetheabilitytodosoonAmazonEBS.Youshouldconductaspecializedwipeprocedurepriortodeletingthevolumeforcompliancewithyourestablishedrequirements.

Encryptionofsensitivedataisgenerallyagoodsecuritypractice,andAWSprovidestheabilitytoencryptAmazonEBSvolumesandtheirsnapshotswithAdvancedEncryptionStandard(AES)-256.TheencryptionoccursontheserversthathosttheAmazonEC2instances,providingencryptionofdataasitmovesbetweenAmazonEC2instancesandAmazonEBSstorage.Inordertobeabletodothisefficientlyandwithlowlatency,theAmazonEBSencryptionfeatureisonlyavailableonAmazonEC2’smorepowerfulinstancetypes.

NetworkingAWSprovidesarangeofnetworkingservicesthatenableyoutocreatealogicallyisolatednetworkthatyoudefine,establishaprivatenetworkconnectiontotheAWSCloud,useahighlyavailableandscalableDomainNameSystem(DNS)service,anddelivercontenttoyourenduserswithlowlatencyathighdatatransferspeedswithacontentdeliveryweb

Page 393: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

service.

ElasticLoadBalancingSecurityElasticLoadBalancingisusedtomanagetrafficonafleetofAmazonEC2instances,distributingtraffictoinstancesacrossallAvailabilityZoneswithinaregion.ElasticLoadBalancinghasalloftheadvantagesofanon-premisesloadbalancer,plusseveralsecuritybenefits:

TakesovertheencryptionanddecryptionworkfromtheAmazonEC2instancesandmanagesitcentrallyontheloadbalancer.

Offersclientsasinglepointofcontact,andcanalsoserveasthefirstlineofdefenseagainstattacksonyournetwork.

WhenusedinanAmazonVPC,supportscreationandmanagementofsecuritygroupsassociatedwithyourElasticLoadBalancingtoprovideadditionalnetworkingandsecurityoptions.

Supportsend-to-endtrafficencryptionusingTLS(previouslySSL)onthosenetworksthatusesecureHTTP(HTTPS)connections.WhenTLSisused,theTLSservercertificateusedtoterminateclientconnectionscanbemanagedcentrallyontheloadbalancer,insteadofoneveryindividualinstance.

HTTPS/TLSusesalong-termsecretkeytogenerateashort-termsessionkeytobeusedbetweentheserverandthebrowsertocreatetheencryptedmessage.ElasticLoadBalancingconfiguresyourloadbalancerwithapre-definedciphersetthatisusedforTLSnegotiationwhenaconnectionisestablishedbetweenaclientandyourloadbalancer.Thepre-definedciphersetprovidescompatibilitywithabroadrangeofclientsandusesstrongcryptographicalgorithms.However,somecustomersmayhaverequirementsforallowingonlyspecificciphersandprotocols(forexample,PaymentCardIndustryDataSecurityStandard[PCIDSS],Sarbanes-OxleyAct[SOX])fromclientstoensurethatstandardsaremet.Inthesecases,ElasticLoadBalancingprovidesoptionsforselectingdifferentconfigurationsforTLSprotocolsandciphers.Youcanchoosetoenableordisabletheciphersdependingonyourspecificrequirements.

Tohelpensuretheuseofnewerandstrongerciphersuiteswhenestablishingasecureconnection,youcanconfiguretheloadbalancertohavethefinalsayintheciphersuiteselectionduringtheclient-servernegotiation.WhentheServerOrderPreferenceoptionisselected,theloadbalancerwillselectaciphersuitebasedontheserver’sprioritizationofciphersuitesinsteadoftheclient’s.Thisgivesyoumorecontroloverthelevelofsecuritythatclientsusetoconnecttoyourloadbalancer.

Forevengreatercommunicationprivacy,ElasticLoadBalancingallowstheuseofPerfectForwardSecrecy,whichusessessionkeysthatareephemeralandnotstoredanywhere.Thispreventsthedecodingofcaptureddata,evenifthesecretlong-termkeyitselfiscompromised.

ElasticLoadBalancingallowsyoutoidentifytheoriginatingIPaddressofaclientconnectingtoyourservers,whetheryou’reusingHTTPSorTCPloadbalancing.Typically,clientconnectioninformation,suchasIPaddressandport,islostwhenrequestsareproxiedthroughaloadbalancer.Thisisbecausetheloadbalancersendsrequeststotheserveron

Page 394: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

behalfoftheclient,makingyourloadbalancerappearasthoughitistherequestingclient.HavingtheoriginatingclientIPaddressisusefulifyouneedmoreinformationaboutvisitorstoyourapplicationsinordertogatherconnectionstatistics,analyzetrafficlogs,ormanagewhitelistsofIPaddresses.

ElasticLoadBalancingaccesslogscontaininformationabouteachHTTPandTCPrequestprocessedbyyourloadbalancer.ThisincludestheIPaddressandportoftherequestingclient,theback-endIPaddressoftheinstancethatprocessedtherequest,thesizeoftherequestandresponse,andtheactualrequestlinefromtheclient(forexample,GEThttp://www.example.com:80/HTTP/1.1).Allrequestssenttotheloadbalancerarelogged,includingrequeststhatnevermakeittoback-endinstances.

AmazonVirtualPrivateCloud(AmazonVPC)SecurityNormally,eachAmazonEC2instanceyoulaunchisrandomlyassignedapublicIPaddressintheAmazonEC2addressspace.AmazonVPCenablesyoutocreateanisolatedportionoftheAWSCloudandlaunchAmazonEC2instancesthathaveprivate(RFC1918)addressesintherangeofyourchoice(forexample,10.0.0.0/16).YoucandefinesubnetswithinyourAmazonVPC,groupingsimilarkindsofinstancesbasedonIPaddressrangeandthensetuproutingandsecuritytocontroltheflowoftrafficinandoutoftheinstancesandsubnets.

SecurityfeatureswithinAmazonVPCincludesecuritygroups,networkACLs,routingtables,andexternalgateways.Eachoftheseitemsiscomplementarytoprovidingasecure,isolatednetworkthatcanbeextendedthroughselectiveenablingofdirectInternetaccessorprivateconnectivitytoanothernetwork.AmazonEC2instancesrunningwithinanAmazonVPCinheritallofthebenefitsdescribedbelowrelatedtotheguestOSandprotectionagainstpacketsniffing.Note,however,thatyoumustcreatesecuritygroupsspecificallyforyourAmazonVPC;anyAmazonEC2securitygroupsyouhavecreatedwillnotworkinsideyourAmazonVPC.Inaddition,AmazonVPCsecuritygroupshaveadditionalcapabilitiesthatAmazonEC2securitygroupsdonothave,suchasbeingabletochangethesecuritygroupaftertheinstanceislaunchedandbeingabletospecifyanyprotocolwithastandardprotocolnumber(asopposedtojustTCP,UserDatagramProtocol[UDP],orInternetControlMessageProtocol[ICMP]).

EachAmazonVPCisadistinct,isolatednetworkwithinthecloud;networktrafficwithineachAmazonVPCisisolatedfromallotherAmazonVPCs.Atcreationtime,youselectanIPaddressrangeforeachAmazonVPC.YoumaycreateandattachanInternetgateway,virtualprivategateway,orbothtoestablishexternalconnectivity,subjecttothefollowingcontrols.

APIAccessCallstocreateanddeleteAmazonVPCs;changerouting,securitygroup,andnetworkACLparameters;andperformotherfunctionsareallsignedbyyourAmazonSecretAccessKey,whichcouldbeeithertheAWSaccount’sSecretAccessKeyortheSecretAccesskeyofausercreatedwithAWSIAM.WithoutaccesstoyourSecretAccessKey,AmazonVPCAPIcallscannotbemadeonyourbehalf.Inaddition,APIcallscanbeencryptedwithSSLtomaintainconfidentiality.AWSrecommendsalwaysusingSSL-protectedAPIendpoints.AWSIAMalsoenablesacustomertofurthercontrolwhatAPIsanewlycreateduserhaspermissionstocall.

SubnetsandRouteTablesYoucreateoneormoresubnetswithineachAmazonVPC;eachinstancelaunchedintheAmazonVPCisconnectedtoonesubnet.TraditionalLayer2

Page 395: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

securityattacks,includingMACspoofingandARPspoofing,areblocked.EachsubnetinanAmazonVPCisassociatedwitharoutingtable,andallnetworktrafficleavingthesubnetisprocessedbytheroutingtabletodeterminethedestination.

Firewall(SecurityGroups)LikeAmazonEC2,AmazonVPCsupportsacompletefirewallsolution,enablingfilteringonbothingressandegresstrafficfromaninstance.Thedefaultgroupenablesinboundcommunicationfromothermembersofthesamegroupandoutboundcommunicationtoanydestination.TrafficcanberestrictedbyanyIPprotocol,byserviceport,andsource/destinationIPaddress(individualIPorCIDRblock).Thefirewallisn’tcontrolledthroughtheguestOS;rather,itcanbemodifiedonlythroughtheinvocationofAmazonVPCAPIs.AWSsupportstheabilitytograntgranularaccesstodifferentadministrativefunctionsontheinstancesandthefirewall,thereforeenablingyoutoimplementadditionalsecuritythroughseparationofduties.Thelevelofsecurityaffordedbythefirewallisafunctionofwhichportsyouopenandforwhatdurationandpurpose.Well-informedtrafficmanagementandsecuritydesignarestillrequiredonaper-instancebasis.AWSfurtherencouragesyoutoapplyadditionalper-instancefilterswithhost-basedfirewallssuchasIPtablesortheWindowsFirewall.Figure12.5illustratesanAmazonVPCwithtwotypesofsubnets—publicandprivate—andtwonetworkpathswithtwodifferentnetworks—acustomerdatacenterandtheInternet.

FIGURE12.5AmazonVPCnetworkarchitecture

Page 396: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

NetworkACLsToaddafurtherlayerofsecuritywithinAmazonVPC,youcanconfigurenetworkACLs.ThesearestatelesstrafficfiltersthatapplytoalltrafficinboundoroutboundfromasubnetwithinAmazonVPC.TheseACLscancontainorderedrulestoallowordenytrafficbasedonIPprotocol,byserviceport,andsource/destinationIPaddress.

Likesecuritygroups,networkACLsaremanagedthroughAmazonVPCAPIs,addinganadditionallayerofprotectionandenablingadditionalsecuritythroughseparationofduties.Figure12.6depictshowthesecuritycontrolsaboveinterrelatetoenableflexiblenetworktopologieswhileprovidingcompletecontrolovernetworktrafficflows.

FIGURE12.6Flexiblenetworkarchitectures

VirtualPrivateGatewayAvirtualprivategatewayenablesprivateconnectivitybetweentheAmazonVPCandanothernetwork.Networktrafficwithineachvirtualprivategatewayisisolatedfromnetworktrafficwithinallothervirtualprivategateways.YoucanestablishVPNconnectionstothevirtualprivategatewayfromgatewaydevicesatyourpremises.EachconnectionissecuredbyapresharedkeyinconjunctionwiththeIPaddressofthecustomergatewaydevice.

InternetGatewayAnInternetgatewaymaybeattachedtoanAmazonVPCtoenabledirectconnectivitytoAmazonS3,otherAWSservices,andtheInternet.EachinstancedesiringthisaccessmusteitherhaveanElasticIPassociatedwithitorroutetrafficthroughaNetwork

Page 397: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

AddressTranslation(NAT)instance.Additionally,networkroutesareconfiguredtodirecttraffictotheInternetgateway(seeFigure12.6).AWSprovidesreferenceNATAMIsthatyoucanextendtoperformnetworklogging,deeppacketinspection,applicationlayerfiltering,orothersecuritycontrols.

ThisaccesscanonlybemodifiedthroughtheinvocationofAmazonVPCAPIs.AWSsupportstheabilitytograntgranularaccesstodifferentadministrativefunctionsontheinstancesandtheInternetgateway,enablingyoutoimplementadditionalsecuritythroughseparationofduties.

DedicatedInstancesWithinanAmazonVPC,youcanlaunchAmazonEC2instancesthatarephysicallyisolatedatthehosthardwarelevel(thatis,theywillrunonsingle-tenanthardware).AnAmazonVPCcanbecreatedwith“dedicated”tenancy,sothatallinstanceslaunchedintotheAmazonVPCwillusethisfeature.Alternatively,anAmazonVPCmaybecreatedwith“default”tenancy,butyoucanspecifydedicatedtenancyforparticularinstanceslaunchedintoit.

AmazonCloudFrontSecurityAmazonCloudFrontgivescustomersaneasywaytodistributecontenttoenduserswithlowlatencyandhighdatatransferspeeds.Itdeliversdynamic,static,andstreamingcontentusingaglobalnetworkofedgelocations.Requestsforcustomers’objectsareautomaticallyroutedtothenearestedgelocation,socontentisdeliveredwiththebestpossibleperformance.AmazonCloudFrontisoptimizedtoworkwithotherAWSserviceslikeAmazonS3,AmazonEC2,ElasticLoadBalancing,andAmazonRoute53.Italsoworksseamlesslywithanynon-AWSoriginserverthatstorestheoriginal,definitiveversionsofyourfiles.

AmazonCloudFrontrequiresthateveryrequestmadetoitscontrolAPIisauthenticatedsoonlyauthorizeduserscancreate,modify,ordeletetheirownAmazonCloudFrontdistributions.RequestsaresignedwithanHMAC-SHA-1signaturecalculatedfromtherequestandtheuser’sprivatekey.Additionally,theAmazonCloudFrontcontrolAPIisonlyaccessibleviaSSL-enabledendpoints.

ThereisnoguaranteeofdurabilityofdataheldinAmazonCloudFrontedgelocations.Theservicemaysometimesremoveobjectsfromedgelocationsifthoseobjectsarenotrequestedfrequently.DurabilityisprovidedbyAmazonS3,whichworksastheoriginserverforAmazonCloudFrontbyholdingtheoriginal,definitivecopiesofobjectsdeliveredbyAmazonCloudFront.

IfyouwantcontroloverwhocandownloadcontentfromAmazonCloudFront,youcanenabletheservice’sprivatecontentfeature.Thisfeaturehastwocomponents.ThefirstcontrolshowcontentisdeliveredfromtheAmazonCloudFrontedgelocationtoviewersontheInternet.ThesecondcontrolshowtheAmazonCloudFrontedgelocationsaccessobjectsinAmazonS3.AmazonCloudFrontalsosupportsgeorestriction,whichrestrictsaccesstoyourcontentbasedonthegeographiclocationofyourviewers.

TocontrolaccesstotheoriginalcopiesofyourobjectsinAmazonS3,AmazonCloudFrontallowsyoutocreateoneormoreOriginAccessIdentitiesandassociatethesewithyourdistributions.WhenanOriginAccessIdentityisassociatedwithanAmazonCloudFrontdistribution,thedistributionwillusethatidentitytoretrieveobjectsfromAmazonS3.YoucanthenuseAmazonS3’sACLfeature,whichlimitsaccesstothatOriginAccessIdentityso

Page 398: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

theoriginalcopyoftheobjectisnotpubliclyreadable.

TocontrolwhocandownloadobjectsfromAmazonCloudFrontedgelocations,theserviceusesasigned-URLverificationsystem.Tousethissystem,youfirstcreateapublic-privatekeypairanduploadthepublickeytoyouraccountviatheAWSManagementConsole.YouthenconfigureyourAmazonCloudFrontdistributiontoindicatewhichaccountsyouwouldauthorizetosignrequests—youcanindicateuptofiveAWSaccountsthatyoutrusttosignrequests.Asyoureceiverequests,youwillcreatepolicydocumentsindicatingtheconditionsunderwhichyouwantAmazonCloudFronttoserveyourcontent.Thesepolicydocumentscanspecifythenameoftheobjectthatisrequested,thedateandtimeoftherequest,andthesourceIP(orCIDRrange)oftheclientmakingtherequest.YouthencalculatetheSHA-1hashofyourpolicydocumentandsignthisusingyourprivatekey.Finally,youincludeboththeencodedpolicydocumentandthesignatureasquerystringparameterswhenyoureferenceyourobjects.WhenAmazonCloudFrontreceivesarequest,itwilldecodethesignatureusingyourpublickey.AmazonCloudFrontwillonlyserverequeststhathaveavalidpolicydocumentandmatchingsignature.

NotethatprivatecontentisanoptionalfeaturethatmustbeenabledwhenyousetupyourAmazonCloudFrontdistribution.Contentdeliveredwithoutthisfeatureenabledwillbepubliclyreadable.

AmazonCloudFrontprovidestheoptiontotransfercontentoveranencryptedconnection(HTTPS).Bydefault,AmazonCloudFrontwillacceptrequestsoverbothHTTPandHTTPSprotocols.However,youcanalsoconfigureAmazonCloudFronttorequireHTTPSforallrequestsorhaveAmazonCloudFrontredirectHTTPrequeststoHTTPS.YoucanevenconfigureAmazonCloudFrontdistributionstoallowHTTPforsomeobjectsbutrequireHTTPSforotherobjects.

StorageAWSprovideslow-costdatastoragewithhighdurabilityandavailability.AWSoffersstoragechoicesforbackup,archiving,anddisasterrecovery,andalsoforblockandobjectstorage.

AmazonSimpleStorageService(AmazonS3)SecurityAmazonS3allowsyoutouploadandretrievedataatanytime,fromanywhereontheweb.AmazonS3storesdataasobjectswithinbuckets.Anobjectcanbeanykindoffile:atextfile,aphoto,avideo,andmore.WhenyouaddafiletoAmazonS3,youhavetheoptionofincludingmetadatawiththefileandsettingpermissionstocontrolaccesstothefile.Foreachbucket,youcancontrolaccesstothebucket(whocancreate,delete,andlistobjectsinthebucket),viewaccesslogsforthebucketanditsobjects,andchoosethegeographicalregionwhereAmazonS3willstorethebucketanditscontents.

DataAccessAccesstodatastoredinAmazonS3isrestrictedbydefault;onlybucketandobjectownershaveaccesstotheAmazonS3resourcestheycreate.(Notethatabucket/objectowneristheAWSaccountowner,nottheuserwhocreatedthebucket/object.)Therearemultiplewaystocontrolaccesstobucketsandobjects:

IAMPoliciesAWSIAMenablesorganizationswithmanyemployeestocreateandmanage

Page 399: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

multipleusersunderasingleAWSaccount.IAMpoliciesareattachedtotheusers,enablingcentralizedcontrolofpermissionsforusersunderyourAWSaccounttoaccessbucketsorobjects.WithIAMpolicies,youcanonlygrantuserswithinyourownAWSaccountpermissiontoaccessyourAmazonS3resources.

ACLsWithinAmazonS3,youcanuseACLstogivereadorwriteaccessonbucketsorobjectstogroupsofusers.WithACLs,youcanonlygrantotherAWSaccounts(notspecificusers)accesstoyourAmazonS3resources.

BucketPoliciesBucketpoliciesinAmazonS3canbeusedtoaddordenypermissionsacrosssomeoralloftheobjectswithinasinglebucket.Policiescanbeattachedtousers,groups,orAmazonS3buckets,enablingcentralizedmanagementofpermissions.Withbucketpolicies,youcangrantuserswithinyourAWSaccountorotherAWSaccountsaccesstoyourAmazonS3resources.

QueryStringAuthenticationYoucanuseaquerystringtoexpressarequestentirelyinaURL.Inthiscase,youusequeryparameterstoproviderequestinformation,includingtheauthenticationinformation.BecausetherequestsignatureispartoftheURL,thistypeofURLisoftenreferredtoasapre-signedURL.Youcanusepre-signedURLstoembedclickablelinks,whichcanbevalidforuptosevendays,inHTML.

Youcanfurtherrestrictaccesstospecificresourcesbasedoncertainconditions.Forexample,youcanrestrictaccessbasedonrequesttime(DateCondition),whethertherequestwassentusingSSL(BooleanConditions),arequester’sIPaddress(IPAddressCondition),ortherequester’sclientapplication(StringConditions).Toidentifytheseconditions,youusepolicykeys.

AmazonS3alsogivesdeveloperstheoptiontousequerystringauthentication,whichallowsthemtoshareAmazonS3objectsthroughURLsthatarevalidforapredefinedperiodoftime.QuerystringauthenticationisusefulforgivingHTTPforbrowseraccesstoresourcesthatwouldnormallyrequireauthentication.Thesignatureinthequerystringsecurestherequest.

DataTransferFormaximumsecurity,youcansecurelyupload/downloaddatatoAmazonS3viatheSSL-encryptedendpoints.TheencryptedendpointsareaccessiblefromboththeInternetandfromwithinAmazonEC2,sothatdataistransferredsecurelybothwithinAWSandtoandfromsourcesoutsideofAWS.

DataStorageAmazonS3providesmultipleoptionsforprotectingdataatrest.Forcustomerswhoprefertomanagetheirownencryption,theycanuseaclientencryptionlibraryliketheAmazonS3EncryptionClienttoencryptdatabeforeuploadingtoAmazonS3.Alternatively,youcanuseAmazonS3ServerSideEncryption(SSE)ifyouprefertohaveAmazonS3managetheencryptionprocessforyou.DataisencryptedwithakeygeneratedbyAWSorwithakeyyousupply,dependingonyourrequirements.WithAmazonS3SSE,youcanencryptdataonuploadsimplybyaddinganadditionalrequestheaderwhenwritingtheobject.Decryptionhappensautomaticallywhendataisretrieved.Notethatmetadata,whichyoucanincludewithyourobject,isnotencrypted.

Page 400: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

AWSrecommendsthatcustomersnotplacesensitiveinformationinAmazonS3metadata.

AmazonS3SSEusesoneofthestrongestblockciphersavailable:AES-256.WithAmazonS3SSE,everyprotectedobjectisencryptedwithauniqueencryptionkey.Thisobjectkeyitselfisthenencryptedwitharegularlyrotatedmasterkey.AmazonS3SSEprovidesadditionalsecuritybystoringtheencrypteddataandencryptionkeysindifferenthosts.AmazonS3SSEalsomakesitpossibleforyoutoenforceencryptionrequirements.Forexample,youcancreateandapplybucketpoliciesthatrequirethatonlyencrypteddatacanbeuploadedtoyourbuckets.

WhenanobjectisdeletedfromAmazonS3,removalofthemappingfromthepublicnametotheobjectstartsimmediatelyandisgenerallyprocessedacrossthedistributedsystemwithinseveralseconds.Afterthemappingisremoved,thereisnoremoteaccesstothedeletedobject.Theunderlyingstorageareaisthenreclaimedforusebythesystem.

AmazonS3Standardisdesignedtoprovide99.999999999percentdurabilityofobjectsoveragivenyear.Thisdurabilitylevelcorrespondstoanaverageannualexpectedlossof0.000000001percentofobjects.Forexample,ifyoustore10,000objectswithAmazonS3,youcan,onaverage,expecttoincuralossofasingleobjectonceevery10,000,000years.Inaddition,AmazonS3isdesignedtosustaintheconcurrentlossofdataintwofacilities.

AccessLogsAnAmazonS3bucketcanbeconfiguredtologaccesstothebucketandobjectswithinit.Theaccesslogcontainsdetailsabouteachaccessrequestincludingrequesttype,therequestedresource,therequestor’sIP,andthetimeanddateoftherequest.Whenloggingisenabledforabucket,logrecordsareperiodicallyaggregatedintologfilesanddeliveredtothespecifiedAmazonS3bucket.

Cross-OriginResourceSharing(CORS)AWScustomerswhouseAmazonS3tohoststaticwebpagesorstoreobjectsusedbyotherwebpagescanloadcontentsecurelybyconfiguringanAmazonS3buckettoexplicitlyenablecross-originrequests.ModernbrowsersusetheSameOriginpolicytoblockJavaScriptorHTML5fromallowingrequeststoloadcontentfromanothersiteordomainasawaytohelpensurethatmaliciouscontentisnotloadedfromalessreputablesource(suchasduringcross-sitescriptingattacks).WiththeCross-OriginResourceSharing(CORS)policyenabled,assetssuchaswebfontsandimagesstoredinanAmazonS3bucketcanbesafelyreferencedbyexternalwebpages,stylesheets,andHTML5applications.

AmazonGlacierSecurityLikeAmazonS3,theAmazonGlacierserviceprovideslow-cost,secure,anddurablestorage.WhereAmazonS3isdesignedforrapidretrieval,however,AmazonGlacierismeanttobeusedasanarchivalservicefordatathatisnotaccessedoftenandforwhichretrievaltimesofseveralhoursaresuitable.

Page 401: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

AmazonGlacierstoresfilesasarchiveswithinvaults.Archivescanbeanydatasuchasaphoto,video,ordocument,andcancontainoneorseveralfiles.Youcanstoreanunlimitednumberofarchivesinasinglevaultandcancreateupto1,000vaultsperregion.Eacharchivecancontainupto40TBofdata.

DataTransferFormaximumsecurity,youcansecurelyupload/downloaddatatoAmazonGlacierviatheSSLencryptedendpoints.TheencryptedendpointsareaccessiblefromboththeInternetandfromwithinAmazonEC2,sothatdataistransferredsecurelybothwithinAWSandtoandfromsourcesoutsideofAWS.

DataRetrievalRetrievingarchivesfromAmazonGlacierrequirestheinitiationofaretrievaljob,whichisgenerallycompletedinthreetofivehours.YoucanthenaccessthedataviaHTTPGETrequests.Thedatawillremainavailabletoyoufor24hours.Youcanretrieveanentirearchiveorseveralfilesfromanarchive.Ifyouwanttoretrieveonlyasubsetofanarchive,youcanuseoneretrievalrequesttospecifytherangeofthearchivethatcontainsthefilesinwhichyouareinterestedoryoucaninitiatemultipleretrievalrequests,eachwitharangeforoneormorefiles.

Youcanalsolimitthenumberofvaultinventoryitemsretrievedbyfilteringonanarchivecreationdaterangeorbysettingamaximumitemslimit.Whichevermethodyouchoose,whenyouretrieveportionsofyourarchive,youcanusethesuppliedchecksumtohelpensuretheintegrityofthefilesprovidedthattherangethatisretrievedisalignedwiththetreehashoftheoverallarchive.

DataStorageAmazonGlacierautomaticallyencryptsthedatausingAES-256andstoresitdurablyinanimmutableform.AmazonGlacierisdesignedtoprovideaverageannualdurabilityof99.999999999percentforanarchive.Itstoreseacharchiveinmultiplefacilitiesandmultipledevices.Unliketraditionalsystems,whichcanrequirelaboriousdataverificationandmanualrepair,AmazonGlacierperformsregular,systematicdataintegritychecksandisbuilttobeself-healing.

DataAccessOnlyyouraccountcanaccessyourdatainAmazonGlacier.TocontrolaccesstoyourdatainAmazonGlacier,youcanuseAWSIAMtospecifywhichuserswithinyouraccounthaverightstooperationsonagivenvault.

AWSStorageGatewaySecurityTheAWSStorageGatewayserviceconnectsyouron-premisessoftwareappliancewithcloud-basedstoragetoprovideseamlessandsecureintegrationbetweenyourITenvironmentandAWSstorageinfrastructure.TheserviceenablesyoutouploaddatasecurelytoAWSscalable,reliable,andsecureAmazonS3storageserviceforcost-effectivebackupandrapiddisasterrecovery.

Page 402: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

DataTransferDataisasynchronouslytransferredfromyouron-premisesstoragehardwaretoAWSoverSSL.

DataStorageThedataisstoredencryptedinAmazonS3usingAES256,asymmetrickeyencryptionstandardusing256-bitencryptionkeys.TheAWSStorageGatewayonlyuploadsdatathathaschanged,minimizingtheamountofdatasentovertheInternet.

DatabaseAWSprovidesanumberofdatabasesolutionsfordevelopersandbusinessesfrommanagedrelationalandNoSQLdatabaseservices,toin-memorycachingasaserviceandpetabyte-scaledatawarehouseservice.

AmazonDynamoDBSecurityAmazonDynamoDBisamanagedNoSQLdatabaseservicethatprovidesfastandpredictableperformancewithseamlessscalability.AmazonDynamoDBenablesyoutooffloadtheadministrativeburdensofoperatingandscalingdistributeddatabasestoAWS,soyoudon’thavetoworryabouthardwareprovisioning,setupandconfiguration,replication,softwarepatching,orclusterscaling.

Youcancreateadatabasetablethatcanstoreandretrieveanyamountofdataandserveanylevelofrequesttraffic.AmazonDynamoDBautomaticallyspreadsthedataandtrafficforthetableoverasufficientnumberofserverstohandletherequestcapacityyouspecifiedandtheamountofdatastored,whilemaintainingconsistent,fastperformance.AlldataitemsarestoredonSolidStateDrives(SSDs)andareautomaticallyreplicatedacrossmultipleAvailabilityZonesinaregiontoprovidebuilt-inhighavailabilityanddatadurability.

YoucansetupautomaticbackupsusingaspecialtemplateinAWSDataPipelinethatwascreatedjustforcopyingAmazonDynamoDBtables.Youcanchoosefullorincrementalbackupstoatableinthesameregionoradifferentregion.YoucanusethecopyfordisasterrecoveryintheeventthatanerrorinyourcodedamagestheoriginaltableortofederateAmazonDynamoDBdataacrossregionstosupportamulti-regionapplication.

TocontrolwhocanusetheAmazonDynamoDBresourcesandAPI,yousetuppermissionsinAWSIAM.Inadditiontocontrollingaccessattheresource-levelwithIAM,youcanalsocontrolaccessatthedatabaselevel—youcancreatedatabase-levelpermissionsthatallowordenyaccesstoitems(rows)andattributes(columns)basedontheneedsofyourapplication.Thesedatabase-levelpermissionsarecalledfine-grainedaccesscontrols,andyoucreatethemusinganIAMpolicythatspecifiesunderwhatcircumstancesauserorapplicationcanaccessanAmazonDynamoDBtable.TheIAMpolicycanrestrictaccesstoindividualitemsinatable,accesstotheattributesinthoseitems,orbothatthesametime.

Inadditiontorequiringdatabaseanduserpermissions,eachrequesttotheAmazonDynamoDBservicemustcontainavalidHMAC-SHA-256signatureortherequestisrejected.TheAWSSDKsautomaticallysignyourrequests;however,ifyouwanttowriteyourownHTTPPOSTrequests,youmustprovidethesignatureintheheaderofyourrequesttoAmazonDynamoDB.Tocalculatethesignature,youmustrequesttemporarysecuritycredentialsfrom

Page 403: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

theAWSSecurityTokenService.UsethetemporarysecuritycredentialstosignyourrequeststoAmazonDynamoDB.AmazonDynamoDBisaccessibleviaSSL-encryptedendpoints,andtheencryptedendpointsareaccessiblefromboththeInternetandfromwithinAmazonEC2.

AmazonRelationalDatabaseService(AmazonRDS)SecurityAmazonRelationalDatabaseService(AmazonRDS)allowsyoutoquicklycreatearelationalDatabaseInstance(DBInstance)andflexiblyscaletheassociatedcomputeresourcesandstoragecapacitytomeetapplicationdemand.AmazonRDSmanagesthedatabaseinstanceonyourbehalfbyperformingbackups,handlingfailover,andmaintainingthedatabasesoftware.Asofthetimeofthiswriting,AmazonRDSisavailableforMySQL,Oracle,MicrosoftSQLServer,MariaDB,AmazonAurora,andPostgreSQLdatabaseengines.

AmazonRDShasmultiplefeaturesthatenhancereliabilityforcriticalproductiondatabases,includingDBsecuritygroups,permissions,SSLconnections,automatedbackups,DBsnapshots,andmultipleAvailabilityZone(Multi-AZ)deployments.DBInstancescanalsobedeployedinanAmazonVPCforadditionalnetworkisolation.

AccessControlWhenyoufirstcreateaDBInstancewithinAmazonRDS,youwillcreateamasteruseraccount,whichisusedonlywithinthecontextofAmazonRDStocontrolaccesstoyourDBInstance(s).ThemasteruseraccountisanativedatabaseuseraccountthatallowsyoutologontoyourDBInstancewithalldatabaseprivileges.YoucanspecifythemasterusernameandpasswordyouwantassociatedwitheachDBInstancewhenyoucreatetheDBInstance.AfteryouhavecreatedyourDBInstance,youcanconnecttothedatabaseusingthemasterusercredentials.Subsequently,youcancreateadditionaluseraccountssothatyoucanrestrictwhocanaccessyourDBInstance.

YoucancontrolAmazonRDSDBInstanceaccessviaDBsecuritygroups,whicharesimilartoAmazonEC2securitygroupsbutnotinterchangeable.DBsecuritygroupsactlikeafirewallcontrollingnetworkaccesstoyourDBInstance.DBsecuritygroupsdefaulttodenyallaccessmode,andcustomersmustspecificallyauthorizenetworkingress.Therearetwowaysofdoingthis:

AuthorizinganetworkIPrange

AuthorizinganexistingAmazonEC2securitygroup

DBsecuritygroupsonlyallowaccesstothedatabaseserverport(allothersareblocked)andcanbeupdatedwithoutrestartingtheAmazonRDSDBInstance,whichgivesyouseamlesscontroloftheirdatabaseaccess.

UsingAWSIAM,youcanfurthercontrolaccesstoyourAmazonRDSDBinstances.AWSIAMenablesyoutocontrolwhatAmazonRDSoperationseachindividualAWSIAMuserhaspermissiontocall.

NetworkIsolationForadditionalnetworkaccesscontrol,youcanrunyourDBInstancesinanAmazonVPC.AmazonVPCenablesyoutoisolateyourDBInstancesbyspecifyingtheIPrangeyouwanttouseandconnecttoyourexistingITinfrastructurethroughindustry-standardencryptedIPsecVPN.RunningAmazonRDSinaVPCenablesyoutohaveaDBinstancewithinaprivatesubnet.YoucanalsosetupavirtualprivategatewaythatextendsyourcorporatenetworkintoyourVPC,andallowsaccesstotheRDSDBinstanceinthatVPC.

ForMulti-AZdeployments,definingasubnetforallAvailabilityZonesinaregion,willallow

Page 404: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

AmazonRDStocreateanewstandbyinanotherAvailabilityZoneshouldtheneedarise.YoucancreateDBsubnetgroups,whicharecollectionsofsubnetsthatyoumaywanttodesignateforyourAmazonRDSDBInstancesinanAmazonVPC.EachDBsubnetgroupshouldhaveatleastonesubnetforeveryAvailabilityZoneinagivenregion.Inthiscase,whenyoucreateaDBInstanceinanAmazonVPC,youselectaDBsubnetgroup;AmazonRDSthenusesthatDBsubnetgroupandyourpreferredAvailabilityZonetoselectasubnetandanIPaddresswithinthatsubnet.AmazonRDScreatesandassociatesanElasticNetworkInterfacetoyourDBInstancewiththatIPaddress.

DBInstancesdeployedwithinanAmazonVPCcanbeaccessedfromtheInternetorfromAmazonEC2instancesoutsidetheAmazonVPCviaVPNorbastionhoststhatyoucanlaunchinyourpublicsubnet.Touseabastionhost,youwillneedtosetupapublicsubnetwithanAmazonEC2instancethatactsasaSSHBastion.ThispublicsubnetmusthaveanInternetgatewayandroutingrulesthatallowtraffictobedirectedviatheSSHhost,whichmustthenforwardrequeststotheprivateIPaddressofyourAmazonRDSDBInstance.

DBsecuritygroupscanbeusedtohelpsecureDBInstanceswithinanAmazonVPC.Inaddition,networktrafficenteringandexitingeachsubnetcanbeallowedordeniedvianetworkACLs.AllnetworktrafficenteringorexitingyourAmazonVPCviayourIPsecVPNconnectioncanbeinspectedbyyouron-premisessecurityinfrastructure,includingnetworkfirewallsandintrusiondetectionsystems.

EncryptionYoucanencryptconnectionsbetweenyourapplicationandyourDBInstanceusingSSL.ForMySQLandSQLServer,AmazonRDScreatesanSSLcertificateandinstallsthecertificateontheDBInstancewhentheinstanceisprovisioned.ForMySQL,youlaunchtheMySQLclientusingthe--ssl_caparametertoreferencethepublickeyinordertoencryptconnections.ForSQLServer,downloadthepublickeyandimportthecertificateintoyourWindowsoperatingsystem.OracleRDSusesOraclenativenetworkencryptionwithaDBInstance.YousimplyaddthenativenetworkencryptionoptiontoanoptiongroupandassociatethatoptiongroupwiththeDBInstance.Afteranencryptedconnectionisestablished,datatransferredbetweentheDBInstanceandyourapplicationwillbeencryptedduringtransfer.YoucanalsorequireyourDBInstancetoacceptonlyencryptedconnections.

AmazonRDSsupportsTransparentDataEncryption(TDE)forSQLServer(SQLServerEnterpriseEdition)andOracle(partoftheOracleAdvancedSecurityoptionavailableinOracleEnterpriseEdition).TheTDEfeatureautomaticallyencryptsdatabeforeitiswrittentostorageandautomaticallydecryptsdatawhenitisreadfromstorage.IfyourequireyourMySQLdatatobeencryptedwhileatrestinthedatabase,yourapplicationmustmanagetheencryptionanddecryptionofdata.

NotethatSSLsupportwithinAmazonRDSisforencryptingtheconnectionbetweenyourapplicationandyourDBInstance;itshouldnotbereliedonforauthenticatingtheDBInstanceitself.WhileSSLofferssecuritybenefits,beawarethatSSLencryptionisacomputeintensiveoperationandwillincreasethelatencyofyourdatabaseconnection.

AutomatedBackupsandDBSnapshotsAmazonRDSprovidestwodifferentmethodsforbackingupandrestoringyourDBInstance(s):automatedbackupsandDatabaseSnapshots(DBSnapshots).Turnedonbydefault,theautomatedbackupfeatureofAmazonRDSenablespoint-in-timerecoveryforyourDBInstance.AmazonRDSwillbackupyourdatabaseandtransactionlogsandstorebothforauser-specifiedretentionperiod.Thisallows

Page 405: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

youtorestoreyourDBInstancetoanysecondduringyourretentionperiod,uptothelastfiveminutes.Yourautomaticbackupretentionperiodcanbeconfiguredtoupto35days.

DBSnapshotsareuser-initiatedbackupsofyourDBInstance.ThesefulldatabasebackupsarestoredbyAmazonRDSuntilyouexplicitlydeletethem.YoucancopyDBsnapshotsofanysizeandmovethembetweenanyofAWSpublicregions,orcopythesamesnapshottomultipleregionssimultaneously.YoucanthencreateanewDBInstancefromaDBSnapshotwheneveryoudesire.

Duringthebackupwindow,storageI/Omaybesuspendedwhileyourdataisbeingbackedup.ThisI/Osuspensiontypicallylastsafewminutes.ThisI/OsuspensionisavoidedwithMulti-AZDBdeployments,becausethebackupistakenfromthestandby.

DBInstanceReplicationAWSCloudcomputingresourcesarehousedinhighlyavailabledatacenterfacilitiesindifferentregionsoftheworld,andeachregioncontainsmultipledistinctlocationscalledAvailabilityZones.EachAvailabilityZoneisengineeredtobeisolatedfromfailuresinotherAvailabilityZonesandprovideinexpensive,low-latencynetworkconnectivitytootherAvailabilityZonesinthesameregion.

ToarchitectforhighavailabilityofyourOracle,PostgreSQL,orMySQLdatabases,youcanrunyourAmazonRDSDBInstanceinseveralAvailabilityZones,anoptioncalledaMulti-AZdeployment.Whenyouselectthisoption,AWSautomaticallyprovisionsandmaintainsasynchronousstandbyreplicaofyourDBInstanceinadifferentAvailabilityZone.TheprimaryDBInstanceissynchronouslyreplicatedacrossAvailabilityZonestothestandbyreplica.IntheeventofDBInstanceorAvailabilityZonefailure,AmazonRDSwillautomaticallyfailovertothestandbysothatdatabaseoperationscanresumequicklywithoutadministrativeintervention.

ForcustomerswhouseMySQLandneedtoscalebeyondthecapacityconstraintsofasingleDBInstanceforread-heavydatabaseworkloads,AmazonRDSprovidesareadreplicaoption.Afteryoucreateareadreplica,databaseupdatesonthesourceDBInstancearereplicatedtothereadreplicausingMySQL’snative,asynchronousreplication.YoucancreatemultiplereadreplicasforagivensourceDBinstanceanddistributeyourapplication’sreadtrafficamongthem.ReadreplicascanbecreatedwithMulti-AZdeploymentstogainreadscalingbenefitsinadditiontotheenhanceddatabasewriteavailabilityanddatadurabilityprovidedbyMulti-AZdeployments.

AutomaticSoftwarePatchingAmazonRDSwillmakesurethattherelationaldatabasesoftwarepoweringyourdeploymentstaysup-to-datewiththelatestpatches.Whennecessary,patchesareappliedduringamaintenancewindowthatyoucancontrol.YoucanthinkoftheAmazonRDSmaintenancewindowasanopportunitytocontrolwhenDBInstancemodifications(suchasscalingDBInstanceclass)andsoftwarepatchingoccur,intheeventeitherarerequestedorrequired.Ifamaintenanceeventisscheduledforagivenweek,itwillbeinitiatedandcompletedatsomepointduringthe30-minutemaintenancewindowyouidentify.

TheonlymaintenanceeventsthatrequireAmazonRDStotakeyourDBInstanceofflinearescalecomputeoperations(whichgenerallytakeonlyafewminutesfromstarttofinish)orrequiredsoftwarepatching.Requiredpatchingisautomaticallyscheduledonlyforpatchesthatarerelatedtosecurityanddurability.Suchpatchingoccursinfrequently(typicallyonceeveryfewmonths)andshouldseldomrequiremorethanafractionofyourmaintenance

Page 406: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

window.IfyoudonotspecifyapreferredweeklymaintenancewindowwhencreatingyourDBInstance,a30-minutedefaultvalueisassigned.Ifyouwanttomodifywhenmaintenanceisperformedonyourbehalf,youcandosobymodifyingyourDBInstanceintheAWSManagementConsoleorbyusingtheModifyDBInstanceAPI.EachofyourDBInstancescanhavedifferentpreferredmaintenancewindows,ifyousochoose.

RunningyourDBInstanceinaMulti-AZdeploymentcanfurtherreducetheimpactofamaintenanceevent,asAmazonRDSwillconductmaintenanceviathefollowingsteps:

1. Performmaintenanceonstandby.

2. Promotestandbytoprimary.

3. Performmaintenanceonoldprimary,whichbecomesthenewstandby.

WhenanAmazonRDSDBInstancedeletionAPI(DeleteDBInstance)isrun,theDBInstanceismarkedfordeletion.Aftertheinstancenolongerindicatesdeletingstatus,ithasbeenremoved.Atthispoint,theinstanceisnolongeraccessible,andunlessafinalsnapshotcopywasaskedfor,itcannotberestoredandwillnotbelistedbyanyofthetoolsorAPIs.

AmazonRedshiftSecurityAmazonRedshiftisapetabyte-scaleSQLdatawarehouseservicethatrunsonhighlyoptimizedandmanagedAWScomputeandstorageresources.Theservicehasbeenarchitectednotonlytoscaleupordownrapidly,butalsotoimprovequeryspeedssignificantlyevenonextremelylargedatasets.Toincreaseperformance,AmazonRedshiftusestechniquessuchascolumnarstorage,datacompression,andzonemapstoreducetheamountofI/Oneededtoperformqueries.ItalsohasaMassivelyParallelProcessing(MPP)architecture,parallelizinganddistributingSQLoperationstotakeadvantageofallavailableresources.

ClusterAccessBydefault,clustersthatyoucreateareclosedtoeveryone.AmazonRedshiftenablesyoutoconfigurefirewallrules(securitygroups)tocontrolnetworkaccesstoyourdatawarehousecluster.YoucanalsorunAmazonRedshiftinsideanAmazonVPCtoisolateyourdatawarehouseclusterinyourownvirtualnetworkandconnectittoyourexistingITinfrastructureusingindustry-standardencryptedIPsecVPN.

TheAWSaccountthatcreatestheclusterhasfullaccesstothecluster.WithinyourAWSaccount,youcanuseAWSIAMtocreateuseraccountsandmanagepermissionsforthoseaccounts.ByusingIAM,youcangrantdifferentuserspermissiontoperformonlytheclusteroperationsthatarenecessaryfortheirwork.Likealldatabases,youmustgrantpermissioninAmazonRedshiftatthedatabaselevelinadditiontograntingaccessattheresourcelevel.DatabaseusersarenameduseraccountsthatcanconnecttoadatabaseandareauthenticatedwhentheylogintoAmazonRedshift.InAmazonRedshift,yougrantdatabaseuserpermissionsonaper-clusterbasisinsteadofonaper-tablebasis.However,userscanseedataonlyinthetablerowsthatweregeneratedbytheirownactivities;rowsgeneratedbyotherusersarenotvisibletothem.

Theuserwhocreatesadatabaseobjectisitsowner.Bydefault,onlyasuperuserortheownerofanobjectcanquery,modify,orgrantpermissionsontheobject.Foruserstouseanobject,youmustgrantthenecessarypermissionstotheuserorthegroupthatcontainstheuser.Inaddition,onlytheownerofanobjectcanmodifyordeleteit.

Page 407: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

DataBackupsAmazonRedshiftdistributesyourdataacrossallcomputenodesinacluster.Whenyourunaclusterwithatleasttwocomputenodes,dataoneachnodewillalwaysbemirroredondisksonanothernode,reducingtheriskofdataloss.Inaddition,alldatawrittentoanodeinyourclusteriscontinuouslybackeduptoAmazonS3usingsnapshots.AmazonRedshiftstoresyoursnapshotsforauser-definedperiod,whichcanbefrom1to35days.Youcanalsotakeyourownsnapshotsatanytime;thesesnapshotsleverageallexistingsystemsnapshotsandareretaineduntilyouexplicitlydeletethem.

AmazonRedshiftcontinuouslymonitorsthehealthoftheclusterandautomaticallyre-replicatesdatafromfaileddrivesandreplacesnodesasnecessary.Allofthishappenswithoutanyeffortonyourpart,althoughyoumayseeaslightperformancedegradationduringthere-replicationprocess.

YoucanuseanysystemorusersnapshottorestoreyourclusterusingtheAWSManagementConsoleortheAmazonRedshiftAPIs.Yourclusterisavailableassoonasthesystemmetadatahasbeenrestored,andyoucanstartrunningquerieswhileuserdataisspooleddowninthebackground.

DataEncryptionWhencreatingacluster,youcanchoosetoencryptitinordertoprovideadditionalprotectionforyourdataatrest.Whenyouenableencryptioninyourcluster,AmazonRedshiftstoresalldatainuser-createdtablesinanencryptedformatusinghardware-acceleratedAES-256blockencryptionkeys.Thisincludesalldatawrittentodiskandanybackups.

AmazonRedshiftusesafour-tier,key-basedarchitectureforencryption.Thesekeysconsistofdataencryptionkeys,adatabasekey,aclusterkey,andamasterkey.

Dataencryptionkeysencryptdatablocksinthecluster.Eachdatablockisassignedarandomly-generatedAES256key.Thesekeysareencryptedbyusingthedatabasekeyforthecluster.

Thedatabasekeyencryptsdataencryptionkeysinthecluster.Thedatabasekeyisarandomly-generatedAES-256key.ItisstoredondiskinaseparatenetworkfromtheAmazonRedshiftclusterandencryptedbyamasterkey.AmazonRedshiftpassesthedatabasekeyacrossasecurechannelandkeepsitinmemoryinthecluster.

TheclusterkeyencryptsthedatabasekeyfortheAmazonRedshiftcluster.YoucanuseeitherAWSoraHardwareSecurityModule(HSM)tostoretheclusterkey.HSMsprovidedirectcontrolofkeygenerationandmanagementandmakekeymanagementseparateanddistinctfromtheapplicationandthedatabase.

ThemasterkeyencryptstheclusterkeyifitisstoredinAWS.Themasterkeyencryptsthecluster-key-encrypteddatabasekeyiftheclusterkeyisstoredinanHSM.

YoucanhaveAmazonRedshiftrotatetheencryptionkeysforyourencryptedclustersatanytime.Aspartoftherotationprocess,keysarealsoupdatedforallofthecluster’sautomaticandmanualsnapshots.Notethatenablingencryptioninyourclusterwillimpactperformance,eventhoughitishardwareaccelerated.

Encryptionalsoappliestobackups.Whenyou’rerestoringfromanencryptedsnapshot,thenewclusterwillbeencryptedaswell.

ToencryptyourtableloaddatafileswhenyouuploadthemtoAmazonS3,youcanuse

Page 408: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

AmazonS3server-sideencryption.WhenyouloadthedatafromAmazonS3,theCOPYcommandwilldecryptthedataasitloadsthetable.

DatabaseAuditLoggingAmazonRedshiftlogsallSQLoperations,includingconnectionattempts,queries,andchangestoyourdatabase.YoucanaccesstheselogsusingSQLqueriesagainstsystemtablesorchoosetohavethemdownloadedtoasecureAmazonS3bucket.Youcanthenusetheseauditlogstomonitoryourclusterforsecurityandtroubleshootingpurposes.

AutomaticSoftwarePatchingAmazonRedshiftmanagesalltheworkofsettingup,operating,andscalingyourdatawarehouse,includingprovisioningcapacity,monitoringthecluster,andapplyingpatchesandupgradestotheAmazonRedshiftengine.Patchesareappliedonlyduringspecifiedmaintenancewindows.

SSLConnectionsToprotectyourdataintransitwithintheAWSCloud,AmazonRedshiftuseshardware-acceleratedSSLtocommunicatewithAmazonS3orAmazonDynamoDBforCOPY,UNLOAD,backup,andrestoreoperations.YoucanencrypttheconnectionbetweenyourclientandtheclusterbyspecifyingSSLintheparametergroupassociatedwiththecluster.TohaveyourclientsalsoauthenticatetheAmazonRedshiftserver,youcaninstallthepublickey(.pemfile)fortheSSLcertificateonyourclientandusethekeytoconnecttoyourclusters.

AmazonRedshiftoffersthenewer,strongerciphersuitesthatusetheEllipticCurveDiffie-HellmanEphemeral(ECDHE)protocol.ECDHEallowsSSLclientstoprovidePerfectForwardSecrecybetweentheclientandtheAmazonRedshiftcluster.PerfectForwardSecrecyusessessionkeysthatareephemeralandnotstoredanywhere,whichpreventsthedecodingofcaptureddatabyunauthorizedthirdparties,evenifthesecretlong-termkeyitselfiscompromised.YoudonotneedtoconfigureanythinginAmazonRedshifttoenableECDHE;ifyouconnectfromanSQLclienttoolthatusesECDHEtoencryptcommunicationbetweentheclientandserver,AmazonRedshiftwillusetheprovidedcipherlisttomaketheappropriateconnection.

AmazonElastiCacheSecurityAmazonElastiCacheisawebservicethatmakesiteasytosetup,manage,andscaledistributedin-memorycacheenvironmentsinthecloud.Theserviceimprovestheperformanceofwebapplicationsbyallowingyoutoretrieveinformationfromafast,managed,in-memorycachingsystem,insteadofrelyingentirelyonslowerdisk-baseddatabases.Itcanbeusedtoimprovelatencyandthroughputsignificantlyformanyread-heavyapplicationworkloads(suchassocialnetworking,gaming,mediasharing,andQandAportals)orcompute-intensiveworkloads(suchasarecommendationengine).Cachingimprovesapplicationperformancebystoringcriticalpiecesofdatainmemoryforlow-latencyaccess.CachedinformationmayincludetheresultsofI/O-intensivedatabasequeriesortheresultsofcomputationally-intensivecalculations.

TheAmazonElastiCacheserviceautomatestime-consumingmanagementtasksforin-memorycacheenvironments,suchaspatchmanagement,failuredetection,andrecovery.ItworksinconjunctionwithotherAWSCloudservices(suchasAmazonEC2,AmazonCloudWatch,andAmazonSNS)toprovideasecure,high-performance,andmanagedin-memorycache.Forexample,anapplicationrunninginAmazonEC2cansecurelyaccessanAmazonElastiCacheclusterinthesameregionwithverylowlatency.

Page 409: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

UsingtheAmazonElastiCacheservice,youcreateaCacheCluster,whichisacollectionofoneormoreCacheNodes,eachrunninganinstanceoftheMemcachedservice.ACacheNodeisafixed-sizechunkofsecure,network-attachedRAM.EachCacheNoderunsaninstanceoftheMemcachedserviceandhasitsownDNSnameandport.MultipletypesofCacheNodesaresupported,eachwithvaryingamountsofassociatedmemory.ACacheClustercanbesetupwithaspecificnumberofCacheNodesandaCacheParameterGroupthatcontrolsthepropertiesforeachCacheNode.AllCacheNodeswithinaCacheClusteraredesignedtobeofthesameNodeTypeandhavethesameparameterandsecuritygroupsettings.

DataAccessAmazonElastiCacheallowsyoutocontrolaccesstoyourCacheClustersusingCacheSecurityGroups.ACacheSecurityGroupactslikeafirewall,controllingnetworkaccesstoyourCacheCluster.Bydefault,networkaccessisturnedofftoyourCacheClusters.IfyouwantyourapplicationstoaccessyourCacheCluster,youmustexplicitlyenableaccessfromhostsinspecificAmazonEC2securitygroups.Afteringressrulesareconfigured,thesamerulesapplytoallCacheClustersassociatedwiththatCacheSecurityGroup.

ToallownetworkaccesstoyourCacheCluster,createaCacheSecurityGroupandusetheAuthorizeCacheSecurityGroupIngressAPIorCLIcommandtoauthorizethedesiredAmazonEC2securitygroup(whichinturnspecifiestheAmazonEC2instancesallowed).IP-rangebasedaccesscontroliscurrentlynotenabledforCacheClusters.AllclientstoaCacheClustermustbewithintheAmazonEC2network,andauthorizedviaCacheSecurityGroups.

AmazonElastiCacheforRedisprovidesbackupandrestorefunctionality,whereyoucancreateasnapshotofyourentireRedisclusterasitexistsataspecificpointintime.Youcanscheduleautomatic,recurringdailysnapshots,oryoucancreateamanualsnapshotatanytime.Forautomaticsnapshots,youspecifyaretentionperiod;manualsnapshotsareretaineduntilyoudeletethem.ThesnapshotsarestoredinAmazonS3withhighdurability,andcanbeusedforwarmstarts,backups,andarchiving.

ApplicationServicesAWSoffersavarietyofmanagedservicestousewithyourapplications,includingservicesthatprovideapplicationstreaming,queueing,pushnotification,emaildelivery,search,andtranscoding.

AmazonSimpleQueueService(AmazonSQS)SecurityAmazonSQSisahighlyreliable,scalablemessagequeuingservicethatenablesasynchronousmessage-basedcommunicationbetweendistributedcomponentsofanapplication.ThecomponentscanbecomputersorAmazonEC2instancesoracombinationofboth.WithAmazonSQS,youcansendanynumberofmessagestoanAmazonSQSqueueatanytimefromanycomponent.Themessagescanberetrievedfromthesamecomponentoradifferentone,rightawayoratalatertime(within14days).Messagesarehighlydurable;eachmessageispersistentlystoredinhighlyavailable,highlyreliablequeues.Multipleprocessescanread/writefrom/toanAmazonSQSqueueatthesametimewithoutinterferingwitheachother.

DataAccessAmazonSQSaccessisgrantedbasedonanAWSaccountorausercreatedwithAWSIAM.Afteritisauthenticated,theAWSaccounthasfullaccesstoalluseroperations.AnIAMuser,however,onlyhasaccesstotheoperationsandqueuesforwhichtheyhavebeen

Page 410: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

grantedaccessviapolicy.Bydefault,accesstoeachindividualqueueisrestrictedtotheAWSaccountthatcreatedit.However,youcanallowotheraccesstoaqueue,usingeitheranAmazonSQS-generatedpolicyorapolicyyouwrite.

EncryptionAmazonSQSisaccessibleviaSSL-encryptedendpoints.TheencryptedendpointsareaccessiblefromboththeInternetandfromwithinAmazonEC2.DatastoredwithinAmazonSQSisnotencryptedbyAWS;however,theusercanencryptdatabeforeitisuploadedtoAmazonSQS,providedthattheapplicationusingthequeuehasameanstodecryptthemessagewhenit’sretrieved.EncryptingmessagesbeforesendingthemtoAmazonSQShelpsprotectagainstaccesstosensitivecustomerdatabyunauthorizedpersons,includingAWS.

AmazonSimpleNotificationService(AmazonSNS)SecurityAmazonSNSisawebservicethatmakesiteasytosetup,operate,andsendnotificationsfromthecloud.Itprovidesdeveloperswithahighlyscalable,flexible,andcost-effectivecapabilitytopublishmessagesfromanapplicationandimmediatelydeliverthemtosubscribersorotherapplications.AmazonSNSprovidesasimplewebservicesinterfacethatcanbeusedtocreatetopicsthatcustomerswanttonotifyapplications(orpeople)about,subscribeclientstothesetopics,publishmessages,andhavethesemessagesdeliveredoverclients’protocolofchoice(forexample,HTTP/HTTPS,email).

AmazonSNSdeliversnotificationstoclientsusingapushmechanismthateliminatestheneedtocheckorpollfornewinformationandupdatesperiodically.AmazonSNScanbeleveragedtobuildhighlyreliable,event-drivenworkflowsandmessagingapplicationswithouttheneedforcomplexmiddlewareandapplicationmanagement.ThepotentialusesforAmazonSNSincludemonitoringapplications,workflowsystems,time-sensitiveinformationupdates,mobileapplications,andmanyothers.

DataAccessAmazonSNSprovidesaccesscontrolmechanismssothattopicsandmessagesaresecuredagainstunauthorizedaccess.Topicownerscansetpoliciesforatopicthatrestrictswhocanpublishorsubscribetoatopic.Additionally,topicownerscanencrypttransmissionbyspecifyingthatthedeliverymechanismmustbeHTTPS.AmazonSNSaccessisgrantedbasedonanAWSaccountorausercreatedwithAWSIAM.Afteritisauthenticated,theAWSaccounthasfullaccesstoalluseroperations.AnIAMuser,however,onlyhasaccesstotheoperationsandtopicsforwhichtheyhavebeengrantedaccessviapolicy.Bydefault,accesstoeachindividualtopicisrestrictedtotheAWSaccountthatcreatedit.However,youcanallowotheraccesstoAmazonSNS,usingeitheranAmazonSNS-generatedpolicyorapolicyyouwrite.

AnalyticsServicesAWSprovidescloud-basedanalyticsservicestohelpyouprocessandanalyzeanyvolumeofdata,whetheryourneedisformanagedHadoopclusters,real-timestreamingdata,petabytescaledatawarehousing,ororchestration.

AmazonElasticMapReduce(AmazonEMR)SecurityAmazonElasticMapReduce(AmazonEMR)isamanagedwebserviceyoucanusetorunHadoopclustersthatprocessvastamountsofdatabydistributingtheworkanddataamong

Page 411: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

severalservers.ItusesanenhancedversionoftheApacheHadoopframeworkrunningontheweb-scaleinfrastructureofAmazonEC2andAmazonS3.YousimplyuploadyourinputdataandadataprocessingapplicationintoAmazonS3.AmazonEMRthenlaunchesthenumberofAmazonEC2instancesyouspecify.TheservicebeginsthejobflowexecutionwhilepullingtheinputdatafromAmazonS3intothelaunchedAmazonEC2instances.Afterthejobflowisfinished,AmazonEMRtransferstheoutputdatatoAmazonS3,whereyoucanthenretrieveitoruseitasinputinanotherjobflow.

Whenlaunchingjobflowsonyourbehalf,AmazonEMRsetsuptwoAmazonEC2securitygroups:oneforthemasternodesandanotherfortheslaves.Themastersecuritygrouphasaportopenforcommunicationwiththeservice.ItalsohastheSSHportopentoallowyoutoSSHintotheinstancesusingthekeyspecifiedatstartup.Theslavesstartinaseparatesecuritygroup,whichonlyallowsinteractionwiththemasterinstance.Bydefault,bothsecuritygroupsaresetuptonotallowaccessfromexternalsources,includingAmazonEC2instancesbelongingtoothercustomers.Becausethesearesecuritygroupswithinyouraccount,youcanreconfigurethemusingthestandardEC2toolsordashboard.Toprotectcustomerinputandoutputdatasets,AmazonEMRtransfersdatatoandfromAmazonS3usingSSL.

AmazonEMRprovidesseveralwaystocontrolaccesstotheresourcesofyourcluster.YoucanuseAWSIAMtocreateuseraccountsandrolesandconfigurepermissionsthatcontrolwhichAWSfeaturesthoseusersandrolescanaccess.Whenyoulaunchacluster,youcanassociateanAmazonEC2keypairwiththecluster,whichyoucanthenusewhenyouconnecttotheclusterusingSSH.YoucanalsosetpermissionsthatallowusersotherthanthedefaultHadoopusertosubmitjobstoyourcluster.

Bydefault,ifanIAMuserlaunchesacluster,thatclusterishiddenfromotherIAMusersontheAWSaccount.ThisfilteringoccursonallAmazonEMRinterfaces(theAWSManagementConsole,CLI,API,andSDKs)andhelpspreventIAMusersfromaccessingandinadvertentlychangingclusterscreatedbyotherIAMusers.

Foranadditionallayerofprotection,youcanlaunchtheAmazonEC2instancesofyourAmazonEMRclusterintoanAmazonVPC,whichislikelaunchingitintoaprivatesubnet.Thisallowsyoutocontrolaccesstotheentiresubnet.YoucanalsolaunchtheclusterintoanAmazonVPCandenabletheclustertoaccessresourcesonyourinternalnetworkusingaVPNconnection.YoucanencrypttheinputdatabeforeyouuploadittoAmazonS3usinganycommondataencryptiontool.Ifyoudoencryptthedatabeforeitisuploaded,youthenneedtoaddadecryptionsteptothebeginningofyourjobflowwhenAmazonEMRfetchesthedatafromAmazonS3.

AmazonKinesisSecurityAmazonKinesisisamanagedservicedesignedtohandlereal-timestreamingofbigdata.Itcanacceptanyamountofdata,fromanynumberofsources,scalingupanddownasneeded.YoucanuseAmazonKinesisinsituationsthatcallforlarge-scale,real-timedataingestionandprocessing,suchasserverlogs,socialmedia,ormarketdatafeeds,andwebclickstreamdata.ApplicationsreadandwritedatarecordstoAmazonKinesisinstreams.YoucancreateanynumberofAmazonKinesisstreamstocapture,store,andtransportdata.

YoucancontrollogicalaccesstoAmazonKinesisresourcesandmanagementfunctionsby

Page 412: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

creatingusersunderyourAWSaccountusingAWSIAM,andcontrollingwhichAmazonKinesisoperationstheseusershavepermissiontoperform.TofacilitaterunningyourproducerorconsumerapplicationsonanAmazonEC2instance,youcanconfigurethatinstancewithanIAMrole.Thatway,AWScredentialsthatreflectthepermissionsassociatedwiththeIAMrolearemadeavailabletoapplicationsontheinstance,whichmeansyoudon’thavetouseyourlong-termAWSsecuritycredentials.Roleshavetheaddedbenefitofprovidingtemporarycredentialsthatexpirewithinashorttimeframe,whichaddsanadditionalmeasureofprotection.

TheAmazonKinesisAPIisonlyaccessibleviaanSSL-encryptedendpoint(kinesis.us-east-1.amazonaws.com)tohelpensuresecuretransmissionofyourdatatoAWS.YoumustconnecttothatendpointtoaccessAmazonKinesis,butyoucanthenusetheAPItodirectAmazonKinesistocreateastreaminanyAWSregion.

DeploymentandManagementServicesAWSprovidesavarietyoftoolstohelpwiththedeploymentandmanagementofyourapplications.ThisincludesservicesthatallowyoutocreateindividualuseraccountswithcredentialsforaccesstoAWSservices.ItalsoincludesservicesforcreatingandupdatingstacksofAWSresources,deployingapplicationsonthoseresources,andmonitoringthehealthofthoseAWSresources.OthertoolshelpyoumanagecryptographickeysusingHSMsandlogAWSAPIactivityforsecurityandcompliancepurposes.

AWSIdentityandAccessManagement(IAM)SecurityAWSIAMallowsyoutocreatemultipleusersandmanagethepermissionsforeachoftheseuserswithinyourAWSaccount.Auserisanidentity(withinanAWSaccount)withuniquesecuritycredentialsthatcanbeusedtoaccessAWSCloudservices.IAMeliminatestheneedtosharepasswordsorkeysandmakesiteasytoenableordisableauser’saccessasappropriate.

AWSIAMenablesyoutoimplementsecuritybestpractices,suchasleastprivilege,bygrantinguniquecredentialstoeveryuserwithinyourAWSaccountandonlygrantingpermissiontoaccesstheAWSCloudservicesandresourcesrequiredfortheuserstoperformtheirjobs.IAMissecurebydefault;newusershavenoaccesstoAWSuntilpermissionsareexplicitlygranted.

AWSIAMisalsointegratedwithAWSMarketplacesothatyoucancontrolwhoinyourorganizationcansubscribetothesoftwareandservicesofferedinAWSMarketplace.BecausesubscribingtocertainsoftwareinAWSMarketplacelaunchesanAmazonEC2instancetorunthesoftware,thisisanimportantaccesscontrolfeature.UsingIAMtocontrolaccesstoAWSMarketplacealsoenablesAWSaccountownerstohavefine-grainedcontroloverusageandsoftwarecosts.

AWSIAMenablesyoutominimizetheuseofyourAWSaccountcredentials.AfteryoucreateIAMuseraccounts,allinteractionswithAWSCloudservicesandresourcesshouldoccurwithIAMusersecuritycredentials.

RolesAnIAMroleusestemporarysecuritycredentialstoallowyoutodelegateaccesstousersorservicesthatnormallydon’thaveaccesstoyourAWSresources.AroleisasetofpermissionstoaccessspecificAWSresources,butthesepermissionsarenottiedtoaspecific

Page 413: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

IAMuserorgroup.Anauthorizedentity(forexample,mobileuserorAmazonEC2instance)assumesaroleandreceivestemporarysecuritycredentialsforauthenticatingtotheresourcesdefinedintherole.Temporarysecuritycredentialsprovideenhancedsecurityduetotheirshortlifespan(thedefaultexpirationis12hours)andthefactthattheycannotbereusedaftertheyexpire.Thiscanbeparticularlyusefulinprovidinglimited,controlledaccessincertainsituations:

Page 414: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

Federated(Non-AWS)UserAccessFederatedusersareusers(orapplications)whodonothaveAWSaccounts.Withroles,youcangivethemaccesstoyourAWSresourcesforalimitedamountoftime.Thisisusefulifyouhavenon-AWSusersthatyoucanauthenticatewithanexternalservice,suchasMicrosoftActiveDirectory,LightweightDirectoryAccessProtocol(LDAP),orKerberos.ThetemporaryAWScredentialsusedwiththerolesprovideidentityfederationbetweenAWSandyournon-AWSusersinyourcorporateidentityandauthorizationsystem.

SecurityAssertionMarkupLanguage(SAML)2.0IfyourorganizationsupportsSAML2.0,youcancreatetrustbetweenyourorganizationasanIdentityProvider(IdP)andotherorganizationsasserviceproviders.InAWS,youcanconfigureAWSastheserviceprovideranduseSAMLtoprovideyouruserswithfederatedSingle-SignOn(SSO)totheAWSManagementConsoleortogetfederatedaccesstocallAWSAPIs.

Rolesarealsousefulifyoucreateamobileorweb-basedapplicationthataccessesAWSresources.AWSresourcesrequiresecuritycredentialsforprogrammaticrequests;however,youshouldn’tembedlong-termsecuritycredentialsinyourapplicationbecausetheyareaccessibletotheapplication’susersandcanbedifficulttorotate.Instead,youcanletuserssignintoyourapplicationusingLoginwithAmazon,Facebook,orGoogleandthenusetheirauthenticationinformationtoassumearoleandgettemporarysecuritycredentials.

Cross-AccountAccessFororganizationsthatusemultipleAWSaccountstomanagetheirresources,youcansetuprolestoprovideuserswhohavepermissionsinoneaccounttoaccessresourcesunderanotheraccount.Fororganizationsthathavepersonnelwhoonlyrarelyneedaccesstoresourcesunderanotheraccount,usingroleshelpstoensurethatcredentialsareprovidedtemporarilyandonlyasneeded.

ApplicationsRunningonEC2InstancesThatNeedtoAccessAWSResourcesIfanapplicationrunsonanAmazonEC2instanceandneedstomakerequestsforAWSresources,suchasAmazonS3bucketsoraDynamoDBtable,itmusthavesecuritycredentials.UsingrolesinsteadofcreatingindividualIAMaccountsforeachapplicationoneachinstancecansavesignificanttimeforcustomerswhomanagealargenumberofinstancesoranelasticallyscalingfleetusingAWSAutoScaling.

Thetemporarycredentialsincludeasecuritytoken,anAccessKeyID,andaSecretAccessKey.Togiveauseraccesstocertainresources,youdistributethetemporarysecuritycredentialstotheusertowhomyouaregrantingtemporaryaccess.Whentheusermakescallstoyourresources,theuserpassesinthetokenandAccessKeyIDandsignstherequestwiththeSecretAccessKey.Thetokenwillnotworkwithdifferentaccesskeys.

Theuseoftemporarycredentialsprovidesadditionalprotectionforyoubecauseyoudon’thavetomanageordistributelong-termcredentialstotemporaryusers.Inaddition,thetemporarycredentialsgetautomaticallyloadedtothetargetinstancesoyoudon’thavetoembedthemsomewhereunsafelikeyourcode.Temporarycredentialsareautomaticallyrotatedorchangedmultipletimesadaywithoutanyactiononyourpartandarestoredsecurelybydefault.

MobileServices

Page 415: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

AWSmobileservicesmakeiteasierforyoutobuild,ship,run,monitor,optimize,andscalecloud-poweredapplicationsformobiledevices.Theseservicesalsohelpyouauthenticateuserstoyourmobileapplication,synchronizedata,andcollectandanalyzeapplicationusage.

AmazonCognitoSecurityAmazonCognitoprovidesidentityandsyncservicesformobileandweb-basedapplications.Itsimplifiesthetaskofauthenticatingusersandstoring,managing,andsyncingtheirdataacrossmultipledevices,platforms,andapplications.Itprovidestemporary,limited-privilegecredentialsforbothauthenticatedandunauthenticateduserswithouthavingtomanageanyback-endinfrastructure.

AmazonCognitoworkswithwell-knownidentityproviderslikeGoogle,Facebook,andAmazontoauthenticateendusersofyourmobileandwebapplications.Youcantakeadvantageoftheidentificationandauthorizationfeaturesprovidedbytheseservicesinsteadofhavingtobuildandmaintainyourown.Yourapplicationauthenticateswithoneoftheseidentityprovidersusingtheprovider’sSDK.Aftertheenduserisauthenticatedwiththeprovider,anOAuthorOpenIDConnecttokenreturnedfromtheproviderispassedbyyourapplicationtoAmazonCognito,whichreturnsanewAmazonCognitoIDfortheuserandasetoftemporary,limited-privilegeAWScredentials.

TobeginusingAmazonCognito,youcreateanidentitypoolthroughtheAmazonCognitoconsole.TheidentitypoolisastoreofuseridentityinformationthatisspecifictoyourAWSaccount.Duringthecreationoftheidentitypool,youwillbeaskedtocreateanewIAMroleorpickanexistingoneforyourendusers.AnIAMroleisasetofpermissionstoaccessspecificAWSresources,butthesepermissionsarenottiedtoaspecificIAMuserorgroup.Anauthorizedentity(forexample,mobileuser,AmazonEC2instance)assumesaroleandreceivestemporarysecuritycredentialsforauthenticatingtotheAWSresourcesdefinedintherole.Temporarysecuritycredentialsprovideenhancedsecurityduetotheirshortlifespan(thedefaultexpirationis12hours)andthefactthattheycannotbereusedaftertheyexpire.

TheroleyouselecthasanimpactonwhichAWSCloudservicesyourenduserswillbeabletoaccesswiththetemporarycredentials.Bydefault,AmazonCognitocreatesanewrolewithlimitedpermissions;endusersonlyhaveaccesstotheAmazonCognitoSyncserviceandAmazonMobileAnalytics.IfyourapplicationneedsaccesstootherAWSresources,suchasAmazonS3orAmazonDynamoDB,youcanmodifyyourrolesdirectlyfromtheIAMconsole.

WithAmazonCognito,thereisnoneedtocreateindividualAWSaccountsorevenIAMaccountsforeveryoneofyourweb/mobileapplicationenduserswhowillneedtoaccessyourAWSresources.InconjunctionwithIAMroles,mobileuserscansecurelyaccessAWSresourcesandapplicationfeaturesandevensavedatatotheAWSCloudwithouthavingtocreateanaccountorlogin.Iftheychoosetocreateanaccountorloginlater,AmazonCognitowillmergedataandidentificationinformation.

BecauseAmazonCognitostoresdatalocallyandalsointheservice,yourenduserscancontinuetointeractwiththeirdataevenwhentheyareoffline.Theirofflinedatamaybestale,buttheycanimmediatelyretrieveanythingtheyputintothedatasetwhetherornottheyareonline.TheclientSDKmanagesalocalSQLitestoresothattheapplicationcanworkevenwhenitisnotconnected.TheSQLitestorefunctionsasacacheandisthetargetofallreadandwriteoperations.AmazonCognito’ssyncfacilitycomparesthelocalversionofthe

Page 416: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

datatothecloudversionandpushesuporpullsdowndeltasasneeded.Notethatinordertosyncdataacrossdevices,youridentitypoolmustsupportauthenticatedidentities.Unauthenticatedidentitiesaretiedtothedevice,sounlessanenduserauthenticates,nodatacanbesyncedacrossmultipledevices.

WithAmazonCognito,yourapplicationcommunicatesdirectlywithasupportedpublicidentityprovider(Amazon,Facebook,orGoogle)toauthenticateusers.AmazonCognitodoesnotreceiveorstoreusercredentials,onlytheOAuthorOpenIDConnecttokenreceivedfromtheidentityprovider.AfterAmazonCognitoreceivesthetoken,itreturnsanewAmazonCognitoIDfortheuserandasetoftemporary,limited-privilegeAWScredentials.EachAmazonCognitoidentityhasaccessonlytoitsowndatainthesyncstore,andthisdataisencryptedwhenstored.Inaddition,allidentitydataistransmittedoverHTTPS.TheuniqueAmazonCognitoidentifieronthedeviceisstoredintheappropriatesecurelocation.ForexampleoniOS,theAmazonCognitoidentifierisstoredintheiOSkeychain.UserdataiscachedinalocalSQLitedatabasewithintheapplication’ssandbox;ifyourequireadditionalsecurity,youcanencryptthisidentitydatainthelocalcachebyimplementingencryptioninyourapplication.

ApplicationsAWSapplicationsaremanagedservicesthatenableyoutoprovideyouruserswithsecure,centralizedstorageandworkareasinthecloud.

AmazonWorkSpacesSecurityAmazonWorkSpacesisamanageddesktopservicethatallowsyoutoquicklyprovisioncloud-baseddesktopsforyourusers.SimplychooseaWindows7bundlethatbestmeetstheneedsofyourusersandthenumberofWorkSpacesthatyouwanttolaunch.AftertheWorkSpacesareready,usersreceiveanemailinformingthemwheretheycandownloadtherelevantclientandlogintotheirWorkSpace.Theycanthenaccesstheircloud-baseddesktopsfromavarietyofendpointdevices,includingPCs,laptops,andmobiledevices.However,yourorganization’sdataisneversenttoorstoredontheend-userdevicebecauseAmazonWorkSpacesusesPC-over-IP(PCoIP),whichprovidesaninteractivevideostreamwithouttransmittingactualdata.ThePCoIPprotocolcompresses,encrypts,andencodestheusers’desktopcomputingexperienceandtransmitsaspixelsonlyacrossanystandardIPnetworktoend-userdevices.

InordertoaccesstheirWorkSpace,usersmustsigninusingasetofuniquecredentialsortheirregularActiveDirectorycredentials.WhenyouintegrateAmazonWorkSpaceswithyourcorporateActiveDirectory,eachWorkSpacejoinsyourActiveDirectorydomainandcanbemanagedjustlikeanyotherdesktopinyourorganization.ThismeansthatyoucanuseActiveDirectoryGroupPoliciestomanageyourusersWorkSpacestospecifyconfigurationoptionsthatcontrolthedesktop.IfyouchoosenottouseActiveDirectoryorothertypeofon-premisesdirectorytomanageyouruserWorkSpaces,youcancreateaprivateclouddirectorywithinAmazonWorkSpacesthatyoucanuseforadministration.

Toprovideanadditionallayerofsecurity,youcanalsorequiretheuseofMFAuponsign-inintheformofahardwareorsoftwaretoken.AmazonWorkSpacessupportsMFAusinganon-premisesRemoteAuthenticationDialInUserService(RADIUS)serveroranysecurityproviderthatsupportsRADIUSauthentication.ItcurrentlysupportsthePAP,CHAP,MS-

Page 417: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

CHAP1,andMS-CHAP2protocols,alongwithRADIUSproxies.

EachWorkSpaceresidesonitsownAmazonEC2instancewithinanAmazonVPC.YoucancreateWorkSpacesinanAmazonVPCyoualreadyownorhavetheAmazonWorkSpacesservicecreateoneforyouautomaticallyusingtheAmazonWorkSpacesQuickStartoption.WhenyouusetheQuickStartoption,AmazonWorkSpacesnotonlycreatestheAmazonVPC,butitalsoperformsseveralotherprovisioningandconfigurationtasksforyou,suchascreatinganInternetGatewayfortheAmazonVPC,settingupadirectorywithintheAmazonVPCthatisusedtostoreuserandWorkSpaceinformation,creatingadirectoryadministratoraccount,creatingthespecifieduseraccountsandaddingthemtothedirectory,andcreatingtheAmazonWorkSpacesinstances.OrtheAmazonVPCcanbeconnectedtoanon-premisesnetworkusingasecureVPNconnectiontoallowaccesstoanexistingon-premisesActiveDirectoryandotherintranetresources.YoucanaddasecuritygroupthatyoucreateinyourAmazonVPCtoalloftheWorkSpacesthatbelongtoyourActiveDirectory.ThisallowsyoutocontrolnetworkaccessfromAmazonWorkSpacesinyourAmazonVPCtootherresourcesinyourAmazonVPCandon-premisesnetwork.

PersistentstorageforAmazonWorkSpacesisprovidedbyAmazonEBSandisautomaticallybackeduptwiceadaytoAmazonS3.IfAmazonWorkSpacesSyncisenabledonaWorkSpace,thefolderauserchoosestosyncwillbecontinuouslybackedupandstoredinAmazonS3.YoucanalsouseAmazonWorkSpacesSynconaMacorPCtosyncdocumentstoorfromyourWorkSpacesothatyoucanalwayshaveaccesstoyourdataregardlessofthedesktopcomputeryouareusing.

Becauseitisamanagedservice,AWStakescareofseveralsecurityandmaintenancetaskslikedailybackupsandpatching.UpdatesaredeliveredautomaticallytoyourWorkSpacesduringaweeklymaintenancewindow.Youcancontrolhowpatchingisconfiguredforauser’sWorkSpace.Bydefault,WindowsUpdateisturnedon,butyouhavetheabilitytocustomizethesesettingsoruseanalternativepatchmanagementapproachifyoudesire.FortheunderlyingOS,WindowsUpdateisenabledbydefaultonAmazonWorkSpacesandconfiguredtoinstallupdatesonaweeklybasis.YoucanuseanalternativepatchingapproachorconfigureWindowsUpdatetoperformupdatesatatimeofyourchoosing.YoucanuseIAMtocontrolwhoonyourteamcanperformadministrativefunctionslikecreatingordeletingWorkSpacesorsettingupuserdirectories.YoucanalsosetupaWorkSpacefordirectoryadministration,installyourfavoriteActiveDirectoryadministrationtools,andcreateorganizationalunitsandGroupPoliciesinordertoapplyActiveDirectorychangesmoreeasilyforallofyourAmazonWorkSpacesusers.

Page 418: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

SummaryInthischapter,youlearnedthatthefirstpriorityatAWSisCloudsecurity.SecuritywithinAWSisbasedona“defenseindepth”modelwherenoone,singleelementisusedtosecuresystemsonAWS.Rather,AWSusesamultitudeofelements—eachactingatdifferentlayersofasystem—intotaltosecurethesystem.AWSisresponsibleforsomelayersofthismodel,andcustomersareresponsibleforothers.AWSalsoofferssecuritytoolsandfeaturesofservicesforcustomerstouseattheirdiscretion.Severaloftheseconcepts,tools,andfeatureswerediscussedinthischapter.

SecurityModelThesharedresponsibilitymodelisthesecuritymodelwhereAWSisresponsibleforthesecurityoftheunderlyingcloudinfrastructure,andthecustomerisresponsibleforsecuringworkloadsdeployedinAWS.CustomersbenefitfromadatacenterandnetworkarchitecturebuilttosatisfytherequirementsofAWSmostsecurity-sensitivecustomers.Thismeansthatcustomersgetaresilientinfrastructure,designedforhighsecurity,withoutthecapitaloutlayandoperationaloverheadofatraditionaldatacenter.

AccountLevelSecurityAWScredentialshelpensurethatonlyauthorizedusersandprocessesaccessyourAWSaccountandresources.AWSusesseveraltypesofcredentialsforauthentication.Theseincludepasswords,cryptographickeys,digitalsignatures,andcertificates.AWSalsoprovidestheoptionofrequiringMFAtologintoyourAWSaccountorIAMuseraccounts.

PasswordsarerequiredtoaccessyourAWSaccount,individualIAMuseraccounts,AWSDiscussionForums,andtheAWSSupportCenter.Youspecifythepasswordwhenyoufirstcreatetheaccount,andyoucanchangeitatanytimebygoingtotheSecurityCredentialspage.

AWSMFAisanadditionallayerofsecurityforaccessingAWSCloudservices.Whenyouenablethisoptionalfeature,youwillneedtoprovideasix-digit,single-usecodeinadditiontoyourstandardusernameandpasswordcredentialsbeforeaccessisgrantedtoyourAWSaccountsettingsorAWSCloudservicesandresources.Yougetthissingle-usecodefromanauthenticationdevicethatyoukeepinyourphysicalpossession.Thisismulti-factorbecausemorethanoneauthenticationfactorischeckedbeforeaccessisgranted:apassword(somethingyouknow)andtheprecisecodefromyourauthenticationdevice(somethingyouhave).AnMFAdeviceusesasoftwareapplicationthatgeneratessix-digitauthenticationcodesthatarecompatiblewiththeTOTPstandard,asdescribedinRFC6238.

AccessKeysarecreatedbyAWSIAManddeliveredasapair:theAccessKeyID(AKI)andtheSecretAccessKey(SAK).AWSrequiresthatallAPIrequestsbesignedbytheSAK;thatis,theymustincludeadigitalsignaturethatAWScanusetoverifytheidentityoftherequestor.Youcalculatethedigitalsignatureusingacryptographichashfunction.IfyouuseanyoftheAWSSDKstogeneraterequests,thedigitalsignaturecalculationisdoneforyou.ThemostrecentversionofthedigitalsignaturecalculationprocessatthetimeofthiswritingisSignatureVersion4,whichcalculatesthesignatureusingtheHMAC-SHA-256protocol.

Page 419: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

AWSCloudTrailisawebservicethatrecordsAPIcallsmadeonyouraccountanddeliverslogfilestoyourAmazonS3bucket.AWSCloudTrail’sbenefitisvisibilityintoaccountactivitybyrecordingAPIcallsmadeonyouraccount.

Service-SpecificSecurityInadditiontotheSharedResponsibilityModelandAccountLevelsecurity,AWSofferssecurityfeaturesforeachoftheservicesitprovides.Thesesecurityfeaturesareoutlinedbelowbytechnologydomain.

ComputeAmazonElasticComputeCloud(AmazonEC2)AmazonEC2supportsRSA2048SSH-2KeypairsforgainingfirstaccesstoanAmazonEC2instance.OnaLinuxinstance,accessisgrantedthroughshowingpossessionoftheSSHprivatekey.OnaWindowsinstance,accessisgrantedbyshowingpossessionoftheSSHprivatekeyinordertodecrypttheadministratorpassword.

AmazonElasticBlockStore(AmazonEBS)DatastoredinAmazonEBSvolumesisredundantlystoredinmultiplephysicallocationswithinthesameAvailabilityZoneaspartofnormaloperationofthatserviceandatnoadditionalcharge.AWSprovidestheabilitytoencryptAmazonEBSvolumesandtheirsnapshotswithAES-256.TheencryptionoccursontheserversthathosttheAmazonEC2instances,providingencryptionofdataasitmovesbetweenAmazonEC2instancesandAmazonEBSstorage.

NetworkingElasticLoadBalancingElasticLoadBalancingconfiguresyourloadbalancerwithapre-definedciphersetthatisusedforTLSnegotiationwhenaconnectionisestablishedbetweenaclientandyourloadbalancer.Thepre-definedciphersetprovidescompatibilitywithabroadrangeofclientsandusesstrongcryptographicalgorithms.ElasticLoadBalancingallowsyoutoidentifytheoriginatingIPaddressofaclientconnectingtoyourservers,whetheryou’reusingHTTPSorTCPloadbalancing.

AmazonVirtualPrivateCloud(AmazonVPC)AmazonVPCenablesyoutocreateanisolatedportionoftheAWSCloudandlaunchAmazonEC2instancesthathaveprivate(RFC1918)addressesintherangeofyourchoice.SecurityfeatureswithinAmazonVPCincludesecuritygroups,networkACLs,routingtables,andexternalgateways.Eachoftheseitemsiscomplementarytoprovidingasecure,isolatednetworkthatcanbeextendedthroughselectiveenablingofdirectInternetaccessorprivateconnectivitytoanothernetwork.

AmazonCloudFrontAmazonCloudFrontgivescustomersaneasywaytodistributecontenttoenduserswithlowlatencyandhighdatatransferspeeds.Itdeliversdynamic,static,andstreamingcontentusingaglobalnetworkofedgelocations.TocontrolaccesstotheoriginalcopiesofyourobjectsinAmazonS3,AmazonCloudFrontallowsyoutocreateoneormoreOriginAccessIdentitiesandassociatethesewithyourdistributions.TocontrolwhocandownloadobjectsfromAmazonCloudFrontedgelocations,theserviceusesasigned-URLverificationsystem.

Storage

Page 420: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

AmazonSimpleStorageService(AmazonS3)AmazonS3allowsyoutouploadandretrievedataatanytime,fromanywhereontheweb.AccesstodatastoredinAmazonS3isrestrictedbydefault;onlybucketandobjectownershaveaccesstotheAmazonS3resourcestheycreate.YoucansecurelyuploadanddownloaddatatoAmazonS3viatheSSL-encryptedendpoints.AmazonS3supportsseveralmethodstoencryptdataatrest.

AmazonGlacierAmazonGlacierserviceprovideslow-cost,secure,anddurablestorage.YoucansecurelyuploadanddownloaddatatoAmazonGlacierviatheSSL-encryptedendpoints,andtheserviceautomaticallyencryptsthedatausingAES-256andstoresitdurablyinanimmutableform.

AWSStorageGatewayAWSStorageGatewayserviceconnectsyouron-premisessoftwareappliancewithcloud-basedstoragetoprovideseamlessandsecureintegrationbetweenyourITenvironmentandAWSstorageinfrastructure.Dataisasynchronouslytransferredfromyouron-premisesstoragehardwaretoAWSoverSSLandstoredencryptedinAmazonS3usingAES-256.

DatabaseAmazonDynamoDBAmazonDynamoDBisamanagedNoSQLdatabaseservicethatprovidesfastandpredictableperformancewithseamlessscalability.Youcancontrolaccessatthedatabaselevelbycreatingdatabase-levelpermissionsthatallowordenyaccesstoitems(rows)andattributes(columns)basedontheneedsofyourapplication.

AmazonRelationalDatabaseService(RDS)AmazonRDSallowsyoutoquicklycreatearelationalDBInstanceandflexiblyscaletheassociatedcomputeresourcesandstoragecapacitytomeetapplicationdemand.YoucancontrolAmazonRDSDBInstanceaccessviaDBsecuritygroups,whichactlikeafirewallcontrollingnetworkaccesstoyourDBInstance.Databasesecuritygroupsdefaulttodenyallaccessmode,andcustomersmustspecificallyauthorizenetworkingress.AmazonRDSissupportedwithinanAmazonVPC,andforMulti-AZdeployments,definingasubnetforallAvailabilityZonesinaregionwillallowAmazonRDStocreateanewstandbyinanotherAvailabilityZoneshouldtheneedarise.YoucanencryptconnectionsbetweenyourapplicationandyourDBInstanceusingSSL,andyoucanencryptdataatrestwithinAmazonRDSinstancesforalldatabaseengines.

AmazonRedshiftAmazonRedshiftisapetabyte-scaleSQLdatawarehouseservicethatrunsonhighlyoptimizedandmanagedAWScomputeandstorageresources.Theserviceenablesyoutoconfigurefirewallrules(securitygroups)tocontrolnetworkaccesstoyourdatawarehousecluster.DatabaseusersarenameduseraccountsthatcanconnecttoadatabaseandareauthenticatedwhentheylogintoAmazonRedshift.InAmazonRedshift,yougrantdatabaseuserpermissionsonaper-clusterbasisinsteadofonaper-tablebasis.YoumaychooseforAmazonRedshifttostorealldatainuser-createdtablesinanencryptedformatusinghardware-acceleratedAES-256blockencryptionkeys.Thisincludesalldatawrittentodiskandalsoanybackups.AmazonRedshiftusesafour-tier,key-basedarchitectureforencryption.Thesekeysconsistofdataencryptionkeys,adatabasekey,aclusterkey,andamasterkey.

AmazonElastiCacheAmazonElastiCacheisawebservicethatmakesiteasytosetup,manage,andscaledistributedin-memorycacheenvironmentsinthecloud.AmazonElastiCacheallowsyoutocontrolaccesstoyourCacheClustersusingCacheSecurityGroups.

Page 421: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

ACacheSecurityGroupactslikeafirewall,controllingnetworkaccesstoyourCacheCluster.

ApplicationServicesAmazonSimpleQueueService(SQS)AmazonSQSisahighlyreliable,scalablemessagequeuingservicethatenablesasynchronousmessage-basedcommunicationbetweendistributedcomponentsofanapplication.AmazonSQSaccessisgrantedbasedonanAWSaccountorausercreatedwithAWSIAM.DatastoredwithinAmazonSQSisnotencryptedbyAWS;however,theusercanencryptdatabeforeitisuploadedtoAmazonSQS,providedthattheapplicationusingthequeuehasameanstodecryptthemessagewhenit’sretrieved.

AmazonSimpleNotificationService(SNS)AmazonSNSisawebservicethatmakesiteasytosetup,operate,andsendnotificationsfromthecloud.Itprovidesdeveloperswithahighlyscalable,flexible,andcost-effectivecapabilitytopublishmessagesfromanapplicationandimmediatelydeliverthemtosubscribersorotherapplications.AmazonSNSallowstopicownerstosetpoliciesforatopicthatrestrictwhocanpublishorsubscribetoatopic.

AnalyticsAmazonElasticMapReduce(AmazonEMR)AmazonEMRisamanagedwebserviceyoucanusetorunHadoopclustersthatprocessvastamountsofdatabydistributingtheworkanddataamongseveralservers.Whenlaunchingjobflowsonyourbehalf,AmazonEMRsetsuptwoAmazonEC2securitygroups:oneforthemasternodesandanotherfortheslaves.YoucanlaunchtheAmazonEC2instancesofyourAmazonEMRclusterintoanAmazonVPC,whichislikelaunchingitintoaprivatesubnet.YoucanencrypttheinputdatabeforeyouuploadittoAmazonS3usinganycommondataencryptiontool.Ifyoudoencryptthedatabeforeitisuploaded,youthenneedtoaddadecryptionsteptothebeginningofyourjobflowwhenAmazonEMRfetchesthedatafromAmazonS3.

AmazonKinesisAmazonKinesisisamanagedservicedesignedtohandlereal-timestreamingofbigdata.YoucancontrollogicalaccesstoAmazonKinesisresourcesandmanagementfunctionsbycreatingusersunderyourAWSaccountusingAWSIAMandcontrollingwhichAmazonKinesisoperationstheseusershavepermissiontoperform.TheAmazonKinesisAPIisonlyaccessibleviaanSSL-encryptedendpointtohelpensuresecuretransmissionofyourdatatoAWS.

DeploymentandManagementAWSIdentityandAccessManagement(IAM)AWSIAMallowsyoutocreatemultipleusersandmanagethepermissionsforeachoftheseuserswithinyourAWSaccount.Auserisanidentity(withinanAWSaccount)withuniquesecuritycredentialsthatcanbeusedtoaccessAWSCloudservices.IAMissecurebydefault;newusershavenoaccesstoAWSuntilpermissionsareexplicitlygranted.AroleisasetofpermissionstoaccessspecificAWSresources,butthesepermissionsarenottiedtoaspecificIAMuserorgroup.

MobileServicesAmazonCognitoAmazonCognitoprovidesidentityandsyncservicesformobileandweb-basedapplications.Yourapplicationauthenticateswithoneofthewell-knownidentityproviderssuchasGoogle,Facebook,andAmazonusingtheprovider’sSDK.Aftertheenduserisauthenticatedwiththeprovider,anOAuthorOpenIDConnecttokenreturnedfrom

Page 422: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

theproviderispassedbyyourapplicationtoAmazonCognito,whichreturnsanewAmazonCognitoIDfortheuserandasetoftemporary,limited-privilegeAWScredentials.

ApplicationsAmazonWorkspacesAmazonWorkSpacesisamanageddesktopservicethatallowsyoutoquicklyprovisioncloud-baseddesktopsforyourusers.AmazonWorkSpacesusesPCoIP,whichprovidesaninteractivevideostreamwithouttransmittingactualdata.ThePCoIPprotocolcompresses,encrypts,andencodestheuser’sdesktopcomputingexperienceandtransmitsaspixelsonlyacrossanystandardIPnetworktoend-userdevices.InordertoaccesstheirWorkSpace,usersmustsigninusingasetofuniquecredentialsortheirregularActiveDirectorycredentials.YoucanalsorequiretheuseofMFAuponsign-inintheformofahardwareorsoftwaretoken.AmazonWorkSpacessupportsMFAusinganon-premisesRADIUSserveroranysecurityproviderthatsupportsRADIUSauthentication.ItcurrentlysupportsthePAP,CHAP,MS-CHAP1,andMS-CHAP2protocols,alongwithRADIUSproxies.

Page 423: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

ExamEssentialsUnderstandthesharedresponsibilitymodel.AWSisresponsibleforsecuringtheunderlyinginfrastructurethatsupportsthecloud,andyou’reresponsibleforanythingyouputonthecloudorconnecttothecloud.

UnderstandregionsandAvailabilityZones.Eachregioniscompletelyindependent.Eachregionisdesignedtobecompletelyisolatedfromtheotherregions.Thisachievesthegreatestpossiblefaulttoleranceandstability.RegionsareacollectionofAvailabilityZones.EachAvailabilityZoneisisolated,buttheAvailabilityZonesinaregionareconnectedthroughlow-latencylinks.

UnderstandHigh-AvailabilitySystemDesignwithinAWS.YoushouldarchitectyourAWSusagetotakeadvantageofmultipleregionsandAvailabilityZones.DistributingapplicationsacrossmultipleAvailabilityZonesprovidestheabilitytoremainresilientinthefaceofmostfailuremodes,includingnaturaldisastersorsystemfailures.

UnderstandthenetworksecurityofAWS.Networkdevices,includingfirewallandotherboundarydevices,areinplacetomonitorandcontrolcommunicationsattheexternalboundaryofthenetworkandatkeyinternalboundarieswithinthenetwork.Theseboundarydevicesemployrulesets,ACLs,andconfigurationstoenforcetheflowofinformationtospecificinformationsystemservices.

AWShasstrategicallyplacedalimitednumberofaccesspointstothecloudtoallowforamorecomprehensivemonitoringofinboundandoutboundcommunicationsandnetworktraffic.ThesecustomeraccesspointsarecalledAPIendpoints,andtheyallowHTTPSaccess,whichallowsyoutoestablishasecurecommunicationsessionwithyourstorageorcomputeinstanceswithinAWS.

AmazonEC2instancescannotsendspoofednetworktraffic.TheAWS-controlled,host-basedfirewallinfrastructurewillnotpermitaninstancetosendtrafficwithasourceIPorMACaddressotherthanitsown.

UnauthorizedportscansbyAmazonEC2customersareaviolationoftheAWSAcceptableUsePolicy.ViolationsoftheAWSAcceptableUsePolicyaretakenseriously,andeveryreportedviolationisinvestigated.

ItisnotpossibleforanAmazonEC2instancerunninginpromiscuousmodetoreceiveor“sniff”trafficthatisintendedforadifferentvirtualinstance.

UnderstandtheuseofcredentialsonAWS.AWSemploysseveralcredentialsinordertopositivelyidentifyapersonorauthorizeanAPIcalltotheplatform.Credentialsinclude:

Passwords

AWSrootaccountorIAMuseraccountlogintotheAWSManagementConsole

Multi-FactorAuthentication(MFA)

AWSrootaccountorIAMuseraccountlogintotheAWSManagementConsole

AccessKeys

Page 424: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

DigitallysignedrequeststoAWSAPIs(usingtheAWSSDK,CLI,orREST/QueryAPIs)

Understandtheproperuseofaccesskeys.Becauseaccesskeyscanbemisusediftheyfallintothewronghands,AWSencouragesyoutosavetheminasafeplaceandnottoembedtheminyourcode.Forcustomerswithlargefleetsofelastically-scalingAmazonEC2instances,theuseofIAMrolescanbeamoresecureandconvenientwaytomanagethedistributionofaccesskeys.

UnderstandthevalueofAWSCloudTrail.AWSCloudTrailisawebservicethatrecordsAPIcallsmadeonyouraccountanddeliverslogfilestoyourAmazonS3bucket.AWSCloudTrail’sbenefitisvisibilityintoaccountactivitybyrecordingAPIcallsmadeonyouraccount.

UnderstandthesecurityfeaturesofAmazonEC2.AmazonEC2usespublic-keycryptographytoencryptanddecryptlogininformation.Public-keycryptographyusesapublickeytoencryptapieceofdata,suchasapassword,andthentherecipientusestheprivatekeytodecryptthedata.Thepublicandprivatekeysareknownasakeypair.

Tologintoyourinstance,youmustcreateakeypair,specifythenameofthekeypairwhenyoulaunchtheinstance,andprovidetheprivatekeywhenyouconnecttotheinstance.Linuxinstanceshavenopassword,andyouuseakeypairtologinusingSSH.WithWindowsinstances,youuseakeypairtoobtaintheadministratorpasswordandthenloginusingRDP.

Asecuritygroupactsasavirtualfirewallthatcontrolsthetrafficforoneormoreinstances.Whenyoulaunchaninstance,youassociateoneormoresecuritygroupswiththeinstance.Youaddrulestoeachsecuritygroupthatallowtraffictoorfromitsassociatedinstances.Youcanmodifytherulesforasecuritygroupatanytime;thenewrulesareautomaticallyappliedtoallinstancesthatareassociatedwiththesecuritygroup.

UnderstandAWSuseofencryptionofdataintransit.AllserviceendpointssupportencryptionofdataintransitviaHTTPS.

Knowwhichservicesofferencryptionofdataatrestasafeature.Thefollowingservicesofferafeaturetoencryptdataatrest:

AmazonS3

AmazonEBS

AmazonGlacier

AWSStorageGateway

AmazonRDS

AmazonRedshift

AmazonWorkSpaces

Page 425: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

ExercisesThebestwaytobecomefamiliarwiththesecurityfeaturesofAWSistodotheexercisesforeachchapterandinspectthesecurityfeaturesofferedbytheservice.TakealookatthislistofAWSCloudservicescoveredindifferentchaptersandtheirsecurityfeatures:

Chapter6,AWSIAM

Exercise6.1:CreateanIAMGroup

Exercise6.2:CreateaCustomizedSign-InLinkandPasswordPolicy

Exercise6.3:CreateanIAMUser

Exercise6.4:CreateandUseanIAMRole

Exercise6.5:RotateKeys

Exercise6.6:SetUpMFA

Exercise6.7:ResolveConflictingPermissions

Chapter3,AmazonEC2

Exercise3.1:LaunchandConnecttoaLinuxInstance

Exercise3.2:LaunchaWindowsInstancewithBootstrapping

Chapter3,AmazonEBS

Exercise3.8:LaunchanEncryptedVolume

Chapter2,AmazonS3

Exercise2.1:CreateanAmazonSimpleStorageService(AmazonS3)Bucket

Exercise2.2:Upload,MakePublic,Rename,andDeleteObjectsinYourBucket

Chapter4,AmazonVPC

Exercise4.1:CreateaCustomAmazonVPC

Exercise4.2:CreateTwoSubnetsforYourCustomAmazonVPC

Exercise4.3:ConnectYourAmazonVPCtotheInternetandEstablishRouting

Exercise4.4:LaunchanAmazonEC2InstanceandTesttheConnectiontotheInternet.

Chapter7,AmazonRDS

Exercise7.1:CreateaMySQLAmazonRDSInstance

Exercise7.2:SimulateaFailoverfromOneAZtoAnother

Page 426: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

ReviewQuestions1. WhichisanoperationalprocessperformedbyAWSfordatasecurity?

A. AdvancedEncryptionStandard(AES)-256encryptionofdatastoredonanysharedstoragedevice

B. Decommissioningofstoragedevicesusingindustry-standardpractices

C. BackgroundvirusscansofAmazonElasticBlockStore(AmazonEBS)volumesandAmazonEBSsnapshots

D. ReplicationofdataacrossmultipleAWSregions

E. SecurewipingofAmazonEBSdatawhenanAmazonEBSvolumeisunmounted

2. YouhavelaunchedaWindowsAmazonElasticComputeCloud(AmazonEC2)instanceandspecifiedanAmazonEC2keypairfortheinstanceatlaunch.Whichofthefollowingaccuratelydescribeshowtologintotheinstance?

A. UsetheAmazonEC2keypairtosecurelyconnecttotheinstanceviaSecureShell(SSH).

B. UseyourAWSIdentityandAccessManagement(IAM)userX.509certificatetologintotheinstance.

C. UsetheAmazonEC2keypairtodecrypttheadministratorpasswordandthensecurelyconnecttotheinstanceviaRemoteDesktopProtocol(RDP)astheadministrator.

D. Akeypairisnotneeded.SecurelyconnecttotheinstanceviaRDP.

3. ADatabasesecuritygroupcontrolsnetworkaccesstoadatabaseinstancethatisinsideaVirtualPrivateCloud(VPC)andbydefaultallowsaccessfrom?

A. AccessfromanyIPaddressforthestandardportsthatthedatabaseusesisprovidedbydefault.

B. AccessfromanyIPaddressforanyportisprovidedbydefaultintheDBsecuritygroup.

C. Noaccessisprovidedbydefault,andanyaccessmustbeexplicitlyaddedwitharuletotheDBsecuritygroup.

D. AccessforthedatabaseconnectionstringisprovidedbydefaultintheDBsecuritygroup.

4. WhichencryptionalgorithmisusedbyAmazonSimpleStorageService(AmazonS3)toencryptdataatrestwithService-SideEncryption(SSE)?

A. AdvancedEncryptionStandard(AES)-256

B. RSA1024

C. RSA2048

D. AES-128

Page 427: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

5. HowmanyaccesskeysmayanAWSIdentityandAccessManagement(IAM)userhaveactiveatonetime?

A. 0

B. 1

C. 2

D. 3

6. WhichofthefollowingisthenameofthesecuritymodelemployedbyAWSwithitscustomers?

A. Thesharedsecretmodel

B. Thesharedresponsibilitymodel

C. Thesharedsecretkeymodel

D. Thesecretkeyresponsibilitymodel

7. WhichofthefollowingdescribestheschemeusedbyanAmazonRedshiftclusterleveragingAWSKeyManagementService(AWSKMS)toencryptdata-at-rest?

A. AmazonRedshiftusesaone-tier,key-basedarchitectureforencryption.

B. AmazonRedshiftusesatwo-tier,key-basedarchitectureforencryption.

C. AmazonRedshiftusesathree-tier,key-basedarchitectureforencryption.

D. AmazonRedshiftusesafour-tier,key-basedarchitectureforencryption.

8. WhichofthefollowingElasticLoadBalancingoptionsensurethattheloadbalancerdetermineswhichcipherisusedforaSecureSocketsLayer(SSL)connection?

A. ClientServerCipherSuite

B. ServerCipherOnly

C. FirstServerCipher

D. ServerOrderPreference

9. WhichtechnologydoesAmazonWorkSpacesusetoprovidedatasecurity?

A. SecureSocketsLayer(SSL)/TransportLayerSecurity(TLS)

B. AdvancedEncryptionStandard(AES)-256

C. PC-over-IP(PCoIP)

D. AES-128

10. AsaSolutionsArchitect,howshouldyouarchitectsystemsonAWS?

A. Youshouldarchitectforleastcost.

B. YoushouldarchitectyourAWSusagetotakeadvantageofAmazonSimpleStorageService’s(AmazonS3)durability.

C. YoushouldarchitectyourAWSusagetotakeadvantageofmultipleregionsandAvailabilityZones.

Page 428: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

D. YoushouldarchitectwithAmazonElasticComputeCloud(AmazonEC2)AutoScalingtoensurecapacityisavailablewhenneeded.

11. WhichsecurityschemeisusedbytheAWSMulti-FactorAuthentication(AWSMFA)token?

A. Time-BasedOne-TimePassword(TOTP)

B. PerfectForwardSecrecy(PFC)

C. EphemeralDiffieHellman(EDH)

D. Split-KeyEncryption(SKE)

12. DynamoDBtablesmaycontainsensitivedatathatneedstobeprotected.WhichofthefollowingisawayforyoutoprotectDynamoDBtablecontent?(Choose2answers)

A. DynamoDBencryptsalldataserver-sidebydefaultsonothingisrequired.

B. DynamoDBcanstoredataencryptedwithaclient-sideencryptionlibrarysolutionbeforestoringthedatainDynamoDB.

C. DynamoDBobfuscatesalldatastoredsoencryptionisnotrequired.

D. DynamoDBcanbeusedwiththeAWSKeyManagementServicetoencryptthedatabeforestoringthedatainDynamoDB.

E. DynamoDBshouldnotbeusedtostoresensitiveinformationrequiringprotection.

13. YouhavelaunchedanAmazonLinuxElasticComputeCloud(AmazonEC2)instanceintoEC2-Classic,andtheinstancehassuccessfullypassedtheSystemStatusCheckandInstanceStatusCheck.YouattempttosecurelyconnecttotheinstanceviaSecureShell(SSH)andreceivetheresponse,“WARNING:UNPROTECTEDPRIVATEKEYFILE,”afterwhichtheloginfails.Whichofthefollowingisthecauseofthefailedlogin?

A. Youareusingthewrongprivatekey.

B. Thepermissionsfortheprivatekeyaretooinsecureforthekeytobetrusted.

C. Asecuritygroupruleisblockingtheconnection.

D. Asecuritygrouprulehasnotbeenassociatedwiththeprivatekey.

14. WhichofthefollowingpublicidentityprovidersaresupportedbyAmazonCognitoIdentity?

A. Amazon

B. Google

C. Facebook

D. Alloftheabove

15. WhichfeatureofAWSisdesignedtopermitcallstotheplatformfromanAmazonElasticComputeCloud(AmazonEC2)instancewithoutneedingaccesskeysplacedontheinstance?

A. AWSIdentityandAccessManagement(IAM)instanceprofile

Page 429: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

B. IAMgroups

C. IAMroles

D. AmazonEC2keypairs

16. WhichofthefollowingAmazonVirtualPrivateCloud(AmazonVPC)elementsactsasastatelessfirewall?

A. Securitygroup

B. NetworkAccessControlList(ACL)

C. NetworkAddressTranslation(NAT)instance

D. AnAmazonVPCendpoint

17. WhichofthefollowingisthemostrecentversionoftheAWSdigitalsignaturecalculationprocess?

A. SignatureVersion1

B. SignatureVersion2

C. SignatureVersion3

D. SignatureVersion4

18. WhichofthefollowingisthenameofthefeaturewithinAmazonVirtualPrivateCloud(AmazonVPC)thatallowsyoutolaunchAmazonElasticComputeCloud(AmazonEC2)instancesonhardwarededicatedtoasinglecustomer?

A. AmazonVPC-basedtenancy

B. Dedicatedtenancy

C. Defaulttenancy

D. Host-basedtenancy

19. WhichofthefollowingdescribeshowAmazonElasticMapReduce(AmazonEMR)protectsaccesstothecluster?

A. ThemasternodeandtheslavenodesarelaunchedintoanAmazonVirtualPrivateCloud(AmazonVPC).

B. ThemasternodesupportsaVirtualPrivateNetwork(VPN)connectionfromthekeyspecifiedatclusterlaunch.

C. ThemasternodeislaunchedintoasecuritygroupthatallowsSecureShell(SSH)andserviceaccess,whiletheslavenodesarelaunchedintoaseparatesecuritygroupthatonlypermitscommunicationwiththemasternode.

D. ThemasternodeandslavenodesarelaunchedintoasecuritygroupthatallowsSSHandserviceaccess.

20. Tohelppreventdatalossduetothefailureofanysinglehardwarecomponent,AmazonElasticBlockStorage(AmazonEBS)automaticallyreplicatesEBSvolumedatatowhichofthefollowing?

Page 430: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

A. AmazonEBSreplicatesEBSvolumedatawithinthesameAvailabilityZoneinaregion.

B. AmazonEBSreplicatesEBSvolumedataacrossotherAvailabilityZoneswithinthesameregion.

C. AmazonEBSreplicatesEBSvolumedataacrossAvailabilityZonesinthesameregionandinAvailabilityZonesinoneotherregion.

D. AmazonEBSreplicatesEBSvolumedataacrossAvailabilityZonesinthesameregionandinAvailabilityZonesineveryotherregion.

Page 431: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

Chapter13AWSRiskandComplianceTHEAWSCERTIFIEDSOLUTIONSARCHITECTASSOCIATEEXAMOBJECTIVESCOVEREDINTHISCHAPTERMAYINCLUDE,BUTARENOTLIMITEDTO,THEFOLLOWING:Domain2.0:Implementation/Deployment

2.1IdentifytheappropriatetechniquesandmethodsusingAmazonEC2,AmazonSimpleStorageService(AmazonS3),AWSElasticBeanstalk,AWSCloudFormation,AWSOpsWorks,AmazonVirtualPrivateCloud(AmazonVPC),andAWSIdentityandAccessManagement(IAM)tocodeandimplementacloudsolution.

Contentmayincludethefollowing:

Configureservicestosupportcompliancerequirementsinthecloud

Domain3.0:DataSecurity

3.1Recognizeandimplementsecurepracticesforoptimumclouddeploymentandmaintenance.

Contentmayincludethefollowing:

Sharedsecurityresponsibilitymodel

SecurityArchitecturewithAWS

AWSplatformcompliance

AWSsecurityattributes

Designpatterns

Page 432: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

IntroductionAWSanditscustomerssharecontrolovertheITenvironment,sobothpartieshaveresponsibilityformanagingthatenvironment.AWSpartinthissharedresponsibilityincludesprovidingitsservicesonahighlysecureandcontrolledplatformandprovidingawidearrayofsecurityfeaturescustomerscanuse.

ThecustomerisresponsibleforconfiguringtheirITenvironmentinasecureandcontrolledmannerfortheirpurposes.Whilecustomersdon’tcommunicatetheiruseandconfigurationstoAWS,AWSdoescommunicatewithcustomersregardingitssecurityandcontrolenvironment,asrelevant.AWSdisseminatesthisinformationusingthreeprimarymechanisms.First,AWSworksdiligentlytoobtainindustrycertificationsandindependentthird-partyattestations.Second,AWSopenlypublishesinformationaboutitssecurityandcontrolpracticesinwhitepapersandwebsitecontent.Finally,AWSprovidescertificates,reports,andotherdocumentationdirectlytoitscustomersunderNon-DisclosureAgreements(NDAs)asrequired.

Page 433: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

OverviewofComplianceinAWSWhencustomersmovetheirproductionworkloadstotheAWScloud,bothpartiesbecomeresponsibleformanagingtheITenvironment.Thecustomersareresponsibleforsettinguptheirenvironmentinasecureandcontrolledmanner.ThecustomersalsoneedtomaintainadequategovernanceovertheirentireITcontrolenvironment.ThissectiondescribestheAWSsharedresponsibilitymodelandgivesadviceforhowtoestablishstrongcompliance.

SharedResponsibilityModelAsmentionedinChapter12,“SecurityonAWS,”ascustomersmigratetheirITenvironmentstoAWS,theycreateamodelofsharedresponsibilitybetweenthemselvesandAWS.Thissharedresponsibilitymodelcanhelplessenacustomer’sIToperationalburden,asitisAWSresponsibilitytomanagethecomponentsfromthehostoperatingsystemandvirtualizationlayerdowntothephysicalsecurityofthedatacentersinwhichtheseservicesoperate.Thecustomerisresponsibleforthecomponentsfromtheguestoperatingsystemupward(includingupdates,securitypatches,andantivirussoftware).Thecustomerisalsoresponsibleforanyotherapplicationsoftware,aswellastheconfigurationofsecuritygroups,VirtualPrivateClouds(VPCs),andsoon.

WhileAWSmanagesthesecurityofthecloud,securityinthecloudistheresponsibilityofthecustomer.Customersretaincontrolofwhatsecuritytheychoosetoimplementtoprotecttheirowncontent,platform,applications,systems,andnetworks,nodifferentlythantheywouldforapplicationsinanon-sitedatacenter.Figure13.1illustratesthedemarcationbetweencustomerandAWSresponsibilities.

Page 434: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

FIGURE13.1Sharedresponsibilitymodel

Customersneedtobeawareofanyapplicablelawsandregulationswithwhichtheyhavetocomply,andthentheymustconsiderwhethertheservicesthattheyconsumeonAWSarecompliantwiththeselaws.Insomecases,itmaybenecessarytoenhanceanexistingplatformonAWSwithadditionalsecuritymeasures(suchasdeployingawebapplicationfirewall,IntrusionDetectionSystem[IDS],orIntrusionPreventionSystem[IPS],orusingsomeformofencryptionfordataatrest).

Thiscustomer/AWSsharedresponsibilitymodelisnotjustlimitedtosecurityconsiderations,butitalsoextendstoITcontrols.Forexample,themanagement,operation,andverificationofITcontrolsaresharedbetweenAWSandthecustomer.BeforemovingtotheAWSCloud,customerswereresponsibleformanagingalloftheITcontrolsintheirenvironments.AWSmanagesthecontrolsforthephysicalinfrastructure,therebytakingtheundifferentiatedheavyliftingfromcustomers,allowingthemtofocusonmanagingtherelevantITcontrols.BecauseeverycustomerisdeployeddifferentlyinAWS,customerscanshiftmanagementofcertainITcontrolstoAWS.ThischangeinmanagementofITcontrolsresultsinanew,distributedcontrolenvironment.CustomerscanthenusetheAWScontrolandcompliancedocumentationavailabletothemtoperformtheircontrolevaluationandverificationproceduresasrequired.

StrongComplianceGovernanceItisstillthecustomers’responsibilitytomaintainadequategovernanceovertheentireITcontrolenvironment,regardlessofhowtheirITisdeployed(whetheritison-premises,onthecloud,orpartofahybridenvironment).BydeployingtotheAWSCloud,customershave

Page 435: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

optionstoapplydifferenttypesofcontrolsandvariousverificationmethods.

Toachievestrongcomplianceandgovernance,customersmaywanttofollowthisbasicmethodology:

1. Takeaholisticapproach.ReviewtheinformationavailablefromAWStogetherwithallotherinformationtounderstandasmuchoftheITenvironmentastheycan.Afterthisiscomplete,documentallcompliancerequirements.

2. Designandimplementcontrolobjectivestomeettheorganization’scompliancerequirements.

3. Identifyanddocumentcontrolsownedbyallthirdparties.

4. Verifythatallcontrolobjectivesaremetandallkeycontrolsaredesignedandoperatingeffectively.

Byusingthisbasicmethodology,customerscangainabetterunderstandingoftheircontrolenvironment.Ultimately,thiswillstreamlinetheprocessandhelpseparateanyverificationactivitiesthatneedtobeperformed.

Page 436: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

EvaluatingandIntegratingAWSControlsAWSprovidescustomerswithawiderangeofinformationregardingitsITcontrolenvironmentthroughwhitepapers,reports,certifications,andotherthird-partyattestations.ThisdocumentationassistscustomersinunderstandingthecontrolsinplacerelevanttotheAWSCloudservicestheyuseandhowthosecontrolshavebeenvalidated.ThisinformationalsoassistscustomersintheireffortstoaccountforandvalidatethatcontrolsintheirextendedITenvironmentareoperatingeffectively.

Traditionally,thedesignandoperatingeffectivenessofcontrolsandcontrolobjectivesarevalidatedbyinternaland/orexternalauditorsviaprocesswalkthroughsandevidenceevaluation.Directobservationandverification,bythecustomerorcustomer’sexternalauditor,isgenerallyperformedtovalidatecontrols.InthecasewhereserviceproviderssuchasAWSareused,companiesrequestandevaluatethird-partyattestationsandcertificationsinordertogainreasonableassuranceofthedesignandoperatingeffectivenessofcontrolsandcontrolobjectives.Asaresult,althoughacustomer’skeycontrolsmaybemanagedbyAWS,thecontrolenvironmentcanstillbeaunifiedframeworkinwhichallcontrolsareaccountedforandareverifiedasoperatingeffectively.AWSthird-partyattestationsandcertificationsnotonlyprovideahigherlevelofvalidationofthecontrolenvironment,butmayalsorelievecustomersoftherequirementtoperformcertainvalidationworkthemselves.

AWSITControlInformationAWSprovidesITcontrolinformationtocustomersinthefollowingtwoways.

SpecificControlDefinitionAWScustomerscanidentifykeycontrolsmanagedbyAWS.Keycontrolsarecriticaltothecustomer’scontrolenvironmentandrequireanexternalattestationoftheoperatingeffectivenessofthesekeycontrolsinordertomeetcompliancerequirements(forexample,anannualfinancialaudit).Forthispurpose,AWSpublishesawiderangeofspecificITcontrolsinitsServiceOrganizationControls1(SOC1)TypeIIreport.TheSOC1TypeIIreport,formerlytheStatementonAuditingStandards(SAS)No.70,isawidelyrecognizedauditingstandarddevelopedbytheAmericanInstituteofCertifiedPublicAccountants(AICPA).TheSOC1auditisanin-depthauditofboththedesignandoperatingeffectivenessofAWSdefinedcontrolobjectivesandcontrolactivities(whichincludecontrolobjectivesandcontrolactivitiesoverthepartoftheinfrastructurethatAWSmanages).“TypeII”referstothefactthateachofthecontrolsdescribedinthereportarenotonlyevaluatedforadequacyofdesign,butarealsotestedforoperatingeffectivenessbytheexternalauditor.BecauseoftheindependenceandcompetenceofAWSexternalauditor,controlsidentifiedinthereportshouldprovidecustomerswithahighlevelofconfidenceinAWScontrolenvironment.

AWScontrolscanbeconsideredeffectivelydesignedandoperatingformanycompliancepurposes,includingSarbanes-Oxley(SOX)Section404financialstatementaudits.LeveragingSOC1TypeIIreportsisalsogenerallypermittedbyotherexternalcertifyingbodies.Forexample,InternationalOrganizationforStandardization(ISO)27001auditorsmayrequestaSOC1TypeIIreportinordertocompletetheirevaluationsforcustomers.

Page 437: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

GeneralControlStandardComplianceIfanAWScustomerrequiresabroadsetofcontrolobjectivestobemet,evaluationofAWSindustrycertificationsmaybeperformed.WiththeISO27001certification,AWScomplieswithabroad,comprehensivesecuritystandardandfollowsbestpracticesinmaintainingasecureenvironment.WiththePaymentCardIndustry(PCI)DataSecurityStandard(DSS)certification,AWScomplieswithasetofcontrolsimportanttocompaniesthathandlecreditcardinformation.AWScompliancewithFederalInformationSecurityManagementAct(FISMA)standardsmeansthatAWScomplieswithawiderangeofspecificcontrolsrequiredbyU.S.governmentagencies.AWScompliancewiththesegeneralstandardsprovidescustomerswithin-depthinformationonthecomprehensivenatureofthecontrolsandsecurityprocessesinplaceintheAWSCloud.

AWSGlobalRegionsTheAWSCloudinfrastructureisbuiltaroundregionsandavailabilityzones.AregionisaphysicallocationintheworldwherewehavemultipleAvailabilityZones.AvailabilityZonesconsistofoneormorediscretedatacenters,eachwithredundantpower,networking,andconnectivity,housedinseparatefacilities.TheseAvailabilityZonesoffercustomerstheabilitytooperateproductionapplicationsanddatabasesthataremorehighlyavailable,faulttolerant,andscalablethanwouldbepossibleusingasingledatacenter.

Asofthiswriting,theAWSCloudoperates33AvailabilityZoneswithin12geographicregionsaroundtheworld.The12regionsareUSEast(NorthernVirginia),USWest(Oregon),USWest(NorthernCalifornia),AWSGovCloud(US)(Oregon),EU(Frankfurt),EU(Ireland),AsiaPacific(Singapore),AsiaPacific(Tokyo),AsiaPacific(Sydney),AsiaPacific(Seoul),China(Beijing),andSouthAmerica(SaoPaulo).

Page 438: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

AWSRiskandComplianceProgramAWSRiskandComplianceisdesignedtobuildontraditionalprogramsandhelpcustomersestablishandoperateinanAWSsecuritycontrolenvironment.AWSprovidesdetailedinformationaboutitsriskandcomplianceprogramtoenablecustomerstoincorporateAWScontrolsintotheirgovernanceframeworks.ThisinformationcanassistcustomersindocumentingcompletecontrolandgovernanceframeworksinwhichAWSisincludedasanimportantpart.

Thethreecoreareasoftheriskandcomplianceprogram—riskmanagement,controlenvironment,andinformationsecurity—aredescribednext.

RiskManagementAWShasdevelopedastrategicbusinessplanthatincludesriskidentificationandtheimplementationofcontrolstomitigateormanagerisks.AnAWSmanagementteamreevaluatesthebusinessriskplanatleasttwiceayear.Asapartofthisprocess,managementteammembersarerequiredtoidentifyriskswithintheirspecificareasofresponsibilityandimplementcontrolsdesignedtoaddressandperhapseveneliminatethoserisks.

TheAWScontrolenvironmentissubjecttoadditionalinternalandexternalriskassessments.TheAWScomplianceandsecurityteamshaveestablishedaninformationsecurityframeworkandpoliciesbasedontheControlObjectivesforInformationandRelatedTechnology(COBIT)framework,andtheyhaveeffectivelyintegratedtheISO27001certifiableframeworkbasedonISO27002controls,AICPATrustServicesPrinciples,PCIDSSv3.1,andtheNationalInstituteofStandardsandTechnology(NIST)Publication800–53,Revision3,RecommendedSecurityControlsforFederalInformationSystems.AWSmaintainsthesecuritypolicyandprovidessecuritytrainingtoitsemployees.Additionally,AWSperformsregularapplicationsecurityreviewstoassesstheconfidentiality,integrity,andavailabilityofdata,andconformancetotheinformationsecuritypolicy.

TheAWSsecurityteamregularlyscansanypublic-facingendpointIPaddressesforvulnerabilities.Itisimportanttounderstandthatthesescansdonotincludecustomerinstances.AWSsecuritynotifiestheappropriatepartiestoremediateanyidentifiedvulnerabilities.Inaddition,independentsecurityfirmsregularlyperformexternalvulnerabilitythreatassessments.FindingsandrecommendationsresultingfromtheseassessmentsarecategorizedanddeliveredtoAWSleadership.ThesescansaredoneinamannerforthehealthandviabilityoftheunderlyingAWSinfrastructureandarenotmeanttoreplacethecustomer’sownvulnerabilityscansthatarerequiredtomeettheirspecificcompliancerequirements.

AsmentionedinChapter12,customerscanrequestpermissiontoconducttheirownvulnerabilityscansontheirownenvironments.ThesevulnerabilityscansmustnotviolatetheAWSacceptableusepolicy,andtheymustberequestedinadvanceofthescan.

ControlEnvironmentAWSmanagesacomprehensivecontrolenvironmentthatconsistsofpolicies,processes,andcontrolactivities.ThiscontrolenvironmentisinplaceforthesecuredeliveryofAWSservice

Page 439: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

offerings.Thecollectivecontrolenvironmentincludespeople,processes,andtechnologynecessarytoestablishandmaintainanenvironmentthatsupportstheoperatingeffectivenessofAWScontrolframework.AWShasintegratedapplicable,cloud-specificcontrolsidentifiedbyleadingcloudcomputingindustrybodiesintotheAWScontrolframework.AWScontinuestomonitortheseindustrygroupsforideasonwhichleadingpracticescanbeimplementedtobetterassistcustomerswithmanagingtheircontrolenvironments.

ThecontrolenvironmentatAWSbeginsatthehighestlevelofthecompany.Executiveandseniorleadershipplayimportantrolesinestablishingthecompany’stoneandcorevalues.Everyemployeeisprovidedwiththecompany’scodeofbusinessconductandethicsandcompletesperiodictraining.Complianceauditsareperformedsothatemployeesunderstandandfollowtheestablishedpolicies.

TheAWSorganizationalstructureprovidesaframeworkforplanning,executing,andcontrollingbusinessoperations.Theorganizationalstructureassignsrolesandresponsibilitiestoprovideforadequatestaffing,efficiencyofoperations,andthesegregationofduties.Managementhasalsoestablishedauthorityandappropriatelinesofreportingforkeypersonnel.Includedaspartofthecompany’shiringverificationprocessesareeducation,previousemployment,and,insomecases,backgroundchecksaspermittedbylawforemployeescommensuratewiththeemployee’spositionandlevelofaccesstoAWSfacilities.ThecompanyfollowsastructuredonboardingprocesstofamiliarizenewemployeeswithAmazontools,processes,systems,policies,andprocedures.

InformationSecurityAWSusesaformalinformationsecurityprogramthatisdesignedtoprotecttheconfidentiality,integrity,andavailabilityofcustomers’systemsanddata.AWSpublishesseveralsecuritywhitepapersthatareavailableonthemainAWSwebsite.ThesewhitepapersarerecommendedreadingpriortotakingtheAWSSolutionsArchitectAssociateexam.

Page 440: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

AWSReports,Certifications,andThird-PartyAttestationsAWSengageswithexternalcertifyingbodiesandindependentauditorstoprovidecustomerswithconsiderableinformationregardingthepolicies,processes,andcontrolsestablishedandoperatedbyAWS.Ahigh-leveldescriptionofthevariousAWSreports,certifications,andattestationsisprovidedhere.

CriminalJusticeInformationServices(CJIS)—AWScomplieswiththeFederalBureauofInvestigation’s(FBI)CJISstandard.AWSsignsCJISsecurityagreementswithAWScustomers,whichincludeallowingorperforminganyrequiredemployeebackgroundchecksaccordingtotheCJISsecuritypolicy.

CloudSecurityAlliance(CSA)—In2011,theCSAlaunchedtheSecurity,Trust,&AssuranceRegistry(STAR),aninitiativetoencouragetransparencyofsecuritypracticeswithincloudproviders.CSASTARisafree,publiclyaccessibleregistrythatdocumentsthesecuritycontrolsprovidedbyvariouscloudcomputingofferings,therebyhelpingusersassessthesecurityofcloudproviderstheycurrentlyuseorwithwhomtheyareconsideringcontracting.AWSisaCSASTARregistrantandhascompletedtheCSAConsensusAssessmentsInitiativeQuestionnaire(CAIQ).

CyberEssentialsPlus—CyberEssentialsPlusisaUKgovernment-backed,industry-supportedcertificationschemaintroducedintheUKtohelporganizationsdemonstrateoperationalsecurityagainstcommoncyber-attacks.ItdemonstratesthebaselinecontrolsthatAWSimplementstomitigatetheriskfromcommonInternet-basedthreatswithinthecontextoftheUKgovernment’s“10StepstoCyberSecurity.”Itisbackedbyindustry,includingtheFederationofSmallBusinesses,theConfederationofBritishIndustry,andanumberofinsuranceorganizationsthatofferincentivesforbusinessesholdingthiscertification.

DepartmentofDefense(DoD)CloudSecurityModel(SRG)—TheDoDSRGprovidesaformalizedassessmentandauthorizationprocessforCloudServiceProviders(CSPs)togainaDoDprovisionalauthorization,whichcansubsequentlybeleveragedbyDoDcustomers.AprovisionalauthorizationundertheSRGprovidesareusablecertificationthatatteststoAWScompliancewithDoDstandards,reducingthetimenecessaryforaDoDmissionownertoassessandauthorizeoneoftheirsystemsforoperationonAWS.Asofthiswriting,AWSholdsprovisionalauthorizationsatLevels2(allAWSUS-basedregions)and4(AWSGovCloud[US])oftheSRG.

FederalRiskandAuthorizationManagementProgram(FedRAMP)—AWSisaFedRAMP-compliantCSP.AWShascompletedthetestingperformedbyaFedRAMP-accreditedthird-partyassessmentorganization(3PAO)andhasbeengrantedtwoAgencyAuthoritytoOperate(ATOs)bytheU.S.DepartmentofHealthandHumanServices(HHS)afterdemonstratingcompliancewithFedRAMPrequirementsatthemoderateimpactlevel.

FamilyEducationalRightsandPrivacyAct(FERPA)—FERPA(20U.S.C.§1232g;34CFRPart99)isafederallawthatprotectstheprivacyofstudenteducationrecords.ThelawappliestoallschoolsthatreceivefundsunderanapplicableprogramoftheU.S.DepartmentofEducation.FERPAgivesparentscertainrightswithrespectto

Page 441: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

theirchildren’seducationrecords.Theserightstransfertothestudentwhenheorshereachestheageof18orattendsaschoolbeyondthehighschoollevel.Studentstowhomtherightshavetransferredare“eligiblestudents.”AWSenablescoveredentitiesandtheirbusinessassociatessubjecttoFERPAtoleveragethesecureAWSenvironmenttoprocess,maintain,andstoreprotectededucationinformation.

FederalInformationProcessingStandard(FIPS)140–2—FIPSPublication140–2isaUSgovernmentsecuritystandardthatspecifiesthesecurityrequirementsforcryptographicmodulesprotectingsensitiveinformation.TosupportcustomerswithFIPS140–2requirements,SecureSocketsLayer(SSL)terminationsinAWSGovCloud(US)operateusingFIPS140–2-validatedhardware.AWSworkswithAWSGovCloud(US)customerstoprovidetheinformationtheyneedtohelpmanagecompliancewhenusingtheAWSGovCloud(US)environment.

FISMAandDoDInformationAssuranceCertificationandAccreditationProcess(DIACAP)—AWSenablesU.S.governmentagenciestoachieveandsustaincompliancewithFISMA.TheAWSinfrastructurehasbeenevaluatedbyindependentassessorsforavarietyofgovernmentsystemsaspartoftheirsystemowners’approvalprocess.NumerousfederalcivilianandDoDorganizationshavesuccessfullyachievedsecurityauthorizationsforsystemshostedonAWSinaccordancewiththeRiskManagementFramework(RMF)processdefinedinNIST800–37andDIACAP.

HealthInsurancePortabilityandAccountabilityAct(HIPAA)—AWSenablescoveredentitiesandtheirbusinessassociatessubjecttoHIPAAtoleveragethesecureAWSenvironmenttoprocess,maintain,andstoreprotectedhealthinformation.AWSsignsbusinessassociateagreementswithsuchcustomers.

InformationSecurityRegisteredAssessorsProgram(IRAP)—IRAPenablesAustraliangovernmentcustomerstovalidatethatappropriatecontrolsareinplaceanddeterminetheappropriateresponsibilitymodelforaddressingtheneedsoftheAustralianSignalsDirectorate(ASD)InformationSecurityManual(ISM).AWShascompletedanindependentassessmentthathasdeterminedthatallapplicableISMcontrolsareinplacerelatingtotheprocessing,storage,andtransmissionofUnclassifiedDisseminationLimitingMarker(DLM)workloadsfortheAsiaPacific(Sydney)region.

ISO9001—AWShasachievedISO9001certification.AWSISO9001certificationdirectlysupportscustomerswhodevelop,migrate,andoperatetheirquality-controlledITsystemsintheAWSCloud.CustomerscanleverageAWScompliancereportsasevidencefortheirownISO9001programsandindustry-specificqualityprograms,suchasGoodLaboratory,Clinical,orManufacturingPractices(GxP)inlifesciences,ISO13485inmedicaldevices,AS9100inaerospace,andISOTechnicalSpecification(ISO/TS)16949intheautomotiveindustry.AWScustomerswhodon’thavequalitysystemrequirementscanstillbenefitfromtheadditionalassuranceandtransparencythatanISO9001certificationprovides.

ISO27001—AWShasachievedISO27001certificationoftheInformationSecurityManagementSystem(ISMS)coveringAWSinfrastructure,datacenters,andservicesthataredetailedintheAWSRiskandCompliancewhitepaper,availableontheAWSwebsite.

ISO27017—ISO27017isthenewestcodeofpracticereleasedbyISO.Itprovidesimplementationguidanceoninformationsecuritycontrolsthatspecificallyrelateto

Page 442: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

cloudservices.AWShasachievedISO27017certificationoftheISMScoveringAWSinfrastructure,datacenters,andservicesthataredetailedintheAWSRiskandCompliancewhitepaper,availableontheAWSwebsite.

ISO27018—Thisisthefirstinternationalcodeofpracticethatfocusesonprotectionofpersonaldatainthecloud.ItisbasedonISOinformationsecuritystandard27002,anditprovidesimplementationguidanceonISO27002controlsapplicabletopubliccloud-relatedPersonallyIdentifiableInformation(PII).ItalsoprovidesasetofcontrolsandassociatedguidanceintendedtoaddresspubliccloudPIIprotectionrequirementsnotaddressedbytheexistingISO27002controlset.AWShasachievedISO27018certificationoftheAWSISMScoveringAWSinfrastructure,datacenters,andservicesthataredetailedintheAWSRiskandCompliancewhitepaper,availableontheAWSwebsite.

U.S.InternationalTrafficinArmsRegulations(ITAR)—TheAWSGovCloud(US)regionsupportsITARcompliance.AsapartofmanagingacomprehensiveITARcomplianceprogram,companiessubjecttoITARexportregulationsmustcontrolunintendedexportsbyrestrictingaccesstoprotecteddatatoU.S.personsandrestrictingphysicallocationofthatdatatotheU.S.AWSGovCloud(US)providesanenvironmentphysicallylocatedintheUnitedStateswhereaccessbyAWSpersonnelislimitedtoU.S.persons,therebyallowingqualifiedcompaniestotransmit,process,andstoreprotectedarticlesanddatasubjecttoITARrestrictions.TheAWSGovCloud(US)environmenthasbeenauditedbyanindependentthirdpartytovalidatethatthepropercontrolsareinplacetosupportcustomerexportcomplianceprogramsforthisrequirement.

MotionPictureAssociationofAmerica(MPAA)—MPAAhasestablishedasetofbestpracticesforsecurelystoring,processing,anddeliveringprotectedmediaandcontent.Mediacompaniesusethesebestpracticesasawaytoassessriskandsecurityoftheircontentandinfrastructure.AWShasdemonstratedalignmentwiththeMPAAbestpractices,andtheAWSinfrastructureiscompliantwithallapplicableMPAAinfrastructurecontrols.WhileMPAAdoesnotofferacertification,mediaindustrycustomerscanusetheAWSMPAAdocumentationtoaugmenttheirriskassessmentandevaluationofMPAA-typecontentonAWS.

Multi-TierCloudSecurity(MTCS)Tier3Certification—MTCSisanoperationalSingaporesecuritymanagementstandard(SPRINGSS584:2013)basedontheISO27001/02ISMSstandards.

NIST—InJune2015,NISTreleasedguideline800–171,FinalGuidelinesforProtectingSensitiveGovernmentInformationHeldbyContractors.ThisguidanceisapplicabletotheprotectionofControlledUnclassifiedInformation(CUI)onnon-federalsystems.AWSisalreadycompliantwiththeseguidelines,andcustomerscaneffectivelycomplywithNIST800–171immediately.NIST800–171outlinesasubsetoftheNIST800–53requirements,aguidelineunderwhichAWShasalreadybeenauditedundertheFedRAMPprogram.TheFedRAMPmoderatesecuritycontrolbaselineismorerigorousthantherecommendedrequirementsestablishedinNIST800–171,anditincludesasignificantnumberofsecuritycontrolsaboveandbeyondthoserequiredofFISMAmoderatesystemsthatprotectCUIdata.

PCIDSSLevel1—AWSisLevel1-compliantunderPCIDSS.Customerscanrun

Page 443: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

applicationsontheAWSPCI-complianttechnologyinfrastructureforstoring,processing,andtransmittingcreditcardinformationinthecloud.InFebruary2013,thePCISecurityStandardsCouncilreleasedthePCIDSScloudcomputingguidelines.TheseguidelinesprovidecustomerswhoaremanagingacardholderdataenvironmentwithconsiderationsformaintainingPCIDSScontrolsinthecloud.AWShasincorporatedthePCIDSScloudcomputingguidelinesintotheAWSPCIcompliancepackageforcustomers.

SOC1/InternationalStandardsforAssuranceEngagementsNo.3402(ISAE3402)—AWSpublishesaSOC1,TypeIIreport.TheauditforthisreportisconductedinaccordancewithAICPA:AT801(formerlyStatementonStandardsforAttestationEngagementsNo.16[SSAE16])andISAE3402).Thisdual-standardreportisintendedtomeetabroadrangeoffinancialauditingrequirementsforU.S.andinternationalauditingbodies.TheSOC1reportauditatteststhatAWScontrolobjectivesareappropriatelydesignedandthattheindividualcontrolsdefinedtosafeguardcustomerdataareoperatingeffectively.ThisreportisthereplacementoftheSAS70,TypeIIauditreport.

SOC2—InadditiontotheSOC1report,AWSpublishesaSOC2,TypeIIreport.SimilartoSOC1intheevaluationofcontrols,theSOC2reportisanattestationreportthatexpandstheevaluationofcontrolstothecriteriasetforthbyAICPAtrustservicesprinciples.Theseprinciplesdefineleadingpracticecontrolsrelevanttosecurity,availability,processingintegrity,confidentiality,andprivacyapplicabletoserviceorganizationssuchasAWS.TheAWSSOC2isanevaluationofthedesignandoperatingeffectivenessofAWScontrolsthatmeetthecriteriaforthesecurityandavailabilityprinciplessetforthintheAICPAtrustservicesprinciplescriteria.ThereportprovidesadditionaltransparencyintoAWSsecurityandavailabilitybasedonapredefinedindustrystandardofleadingpracticesandfurtherdemonstratesAWScommitmenttoprotectingcustomerdata.TheSOC2reportscopecoversthesameservicescoveredintheSOC1report.

SOC3—AWSpublishesaSOC3report.TheSOC3reportisapubliclyavailablesummaryoftheAWSSOC2report.Thereportincludestheexternalauditor’sopinionoftheoperationofcontrols(basedontheAICPAsecuritytrustprinciplesincludedintheSOC2report),theassertionfromAWSmanagementregardingtheeffectivenessofcontrols,andanoverviewofAWSinfrastructureandservices.TheAWSSOC3reportincludesallAWSdatacentersworldwidethatsupportin-scopeservices.ThisisagreatresourceforcustomerstovalidatethatAWShasobtainedexternalauditorassurancewithoutgoingthroughtheprocessofrequestingaSOC2report.TheSOC3reportcoversthesameservicescoveredintheSOC1report.

Page 444: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

SummaryAWScommunicateswithcustomersregardingitssecurityandcontrolenvironmentthroughthefollowingmechanisms:

Obtainingindustrycertificationsandindependentthird-partyattestations

PublishinginformationaboutsecurityandAWScontrolpracticesviathewebsite,whitepapers,andblogs

Directlyprovidingcustomerswithcertificates,reports,andotherdocumentation(underNDAinsomecases)

Thesharedresponsibilitymodelisnotjustlimitedtosecurityconsiderations;italsoextendstoITcontrols.Themanagement,operation,andverificationofITcontrolsaresharedbetweenAWSandthecustomer.AWSmanagesthesecontrolswhereitrelatestothephysicalinfrastructure,andthecustomermanagesthesecontrolsfortheguestoperatingsystemsandupward(dependingontheservice).

Itisthecustomer’sresponsibilitytomaintainadequategovernanceovertheentireITcontrolenvironment,regardlessofhowtheirITisdeployed(on-premises,cloud,orhybrid).BydeployingtotheAWSCloud,customershavedifferentoptionsforapplyingdifferenttypesofcontrolsandvariousverificationmethodsthatalignwiththeirbusinessrequirements.

ThecontrolenvironmentforAWScontainsalargevolumeofinformation.Thisinformationisprovidedtocustomersthroughwhitepapers,reports,certifications,andotherthird-partyattestations.AWSprovidesITcontrolinformationtocustomersintwoways:specificcontroldefinitionandgeneralcontrolstandardcompliance.

AWSprovidesdocumentationaboutitsriskandcomplianceprogram.ThisdocumentationcanenablecustomerstoincludeAWScontrolsintheirgovernanceframeworks.Thethreecoreareasoftheriskandcomplianceprogramareriskmanagement,controlenvironment,andinformationsecurity.

AWShasachievedanumberofinternationallyrecognizedcertificationsandaccreditationsthatdemonstrateAWScompliancewiththird-partyassuranceframeworks,including:

FedRAMP

FIPS140–2

FISMAandDIACAP

HIPAA

ISO9001

ISO27001

ITAR

PCIDSSLevel1

SOC1/ISAE3402

SOC2

Page 445: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

SOC3

AWSisconstantlylisteningtocustomersandexaminingothercertificationsforthefuture.

Page 446: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

ExamEssentialsUnderstandthesharedresponsibilitymodel.Thesharedresponsibilitymodelisnotjustlimitedtosecurityconsiderations;italsoextendstoITcontrols.Forexample,themanagement,operation,andverificationofITcontrolsaresharedbetweenAWSandthecustomer.AWSmanagesthesecontrolswhereitrelatestophysicalinfrastructure.

RememberthatITgovernanceisthecustomer’sresponsibility.Itisthecustomer’sresponsibilitytomaintainadequategovernanceovertheentireITcontrolenvironment,regardlessofhowitsITisdeployed(on-premises,cloud,orhybrid).

UnderstandhowAWSprovidescontrolinformation.AWSprovidesITcontrolinformationtocustomersintwoways:viaspecificcontroldefinitionandthroughamoregeneralcontrolstandardcompliance.

RememberthatAWSisveryproactiveaboutriskmanagement.AWStakesriskmanagementveryseriously,soithasdevelopedabusinessplantoidentifyanyrisksandtoimplementcontrolstomitigateormanagethoserisks.AnAWSmanagementteamreevaluatesthebusinessriskplanatleasttwiceayear.Asapartofthisprocess,managementteammembersarerequiredtoidentifyriskswithintheirspecificareasofresponsibilityandthenimplementcontrolsdesignedtoaddressandperhapseveneliminatethoserisks.

Rememberthatthecontrolenvironmentisnotjustabouttechnology.TheAWScontrolenvironmentconsistsofpolicies,processes,andcontrolactivities.Thiscontrolenvironmentincludespeople,processes,andtechnology.

Rememberthekeyreports,certifications,andthird-partyattestations.Thekeyreports,certifications,andthird-partyattestationsinclude,butarenotlimitedto,thefollowing:

FedRAMP

FIPS140–2

FISMAandDIACAP

HIPAA

ISO9001

ISO27001

ITAR

PCIDSSLevel1

SOC1/ISAE3402

SOC2

SOC3

Page 447: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

ReviewQuestions1. AWScommunicateswithcustomersregardingitssecurityandcontrolenvironmentthroughavarietyofdifferentmechanisms.Whichofthefollowingarevalidmechanisms?(Choose3answers)

A. Obtainingindustrycertificationsandindependentthird-partyattestations

B. PublishinginformationaboutsecurityandAWScontrolpracticesviathewebsite,whitepapers,andblogs

C. Directlyprovidingcustomerswithcertificates,reports,andotherdocumentation(underNDAinsomecases)

D. Allowingcustomers’auditorsdirectaccesstoAWSdatacenters,infrastructure,andseniorstaff

2. WhichofthefollowingstatementsistruewhenitcomestotheAWSsharedresponsibilitymodel?

A. Thesharedresponsibilitymodelislimitedtosecurityconsiderationsonly;itdoesnotextendtoITcontrols.

B. ThesharedresponsibilitymodelisonlyapplicableforcustomerswhowanttobecompliantwithSOC1TypeII.

C. Thesharedresponsibilitymodelisnotjustlimitedtosecurityconsiderations;italsoextendstoITcontrols.

D. ThesharedresponsibilitymodelisonlyapplicableforcustomerswhowanttobecompliantwithISO27001.

3. AWSprovidesITcontrolinformationtocustomersinwhichofthefollowingways?

A. Byusingspecificcontroldefinitionsorthroughgeneralcontrolstandardcompliance

B. ByusingspecificcontroldefinitionsorthroughSAS70

C. ByusinggeneralcontrolstandardcomplianceandbycomplyingwithISO27001

D. BycomplyingwithISO27001andSOC1TypeII

4. Whichofthefollowingisavalidreport,certification,orthird-partyattestationforAWS?(Choose3answers)

A. SOC1

B. PCIDSSLevel1

C. SOC4

D. ISO27001

5. Whichofthefollowingstatementsistrue?

A. ITgovernanceisstillthecustomer’sresponsibility,despitedeployingtheirITestateontotheAWSplatform.

Page 448: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

B. TheAWSplatformisPCIDSS-complianttoLevel1.Customerscandeploytheirwebapplicationstothisplatform,andtheywillbePCIDSS-compliantautomatically.

C. ThesharedresponsibilitymodelappliestoITsecurityonly;itdoesnotrelatetogovernance.

D. AWSdoesn’ttakeriskmanagementveryseriously,andit’suptothecustomertomitigateriskstotheAWSinfrastructure.

6. WhichofthefollowingstatementsistruewhenitcomestotheriskandcomplianceadvantagesoftheAWSenvironment?

A. WorkloadsmustbemovedentirelyintotheAWSCloudinordertobecompliantwithvariouscertificationsandthird-partyattestations.

B. ThecriticalcomponentsofaworkloadmustbemovedentirelyintotheAWSCloudinordertobecompliantwithvariouscertificationsandthird-partyattestations,butthenon-criticalcomponentsdonot.

C. Thenon-criticalcomponentsofaworkloadmustbemovedentirelyintotheAWSCloudinordertobecompliantwithvariouscertificationsandthird-partyattestations,butthecriticalcomponentsdonot.

D. Few,many,orallcomponentsofaworkloadcanbemovedtotheAWSCloud,butitisthecustomer’sresponsibilitytoensurethattheirentireworkloadremainscompliantwithvariouscertificationsandthird-partyattestations.

7. WhichofthefollowingstatementsbestdescribesanAvailabilityZone?

A. EachAvailabilityZoneconsistsofasinglediscretedatacenterwithredundantpowerandnetworking/connectivity.

B. EachAvailabilityZoneconsistsofmultiplediscretedatacenterswithredundantpowerandnetworking/connectivity.

C. EachAvailabilityZoneconsistsofmultiplediscreteregions,eachwithasingledatacenterwithredundantpowerandnetworking/connectivity.

D. EachAvailabilityZoneconsistsofmultiplediscretedatacenterswithsharedpowerandredundantnetworking/connectivity.

8. WithregardtovulnerabilityscansandthreatassessmentsoftheAWSplatform,whichofthefollowingstatementsaretrue?(Choose2answers)

A. AWSregularlyperformsscansofpublic-facingendpointIPaddressesforvulnerabilities.

B. ScansperformedbyAWSincludecustomerinstances.

C. AWSsecuritynotifiestheappropriatepartiestoremediateanyidentifiedvulnerabilities.

D. Customerscanperformtheirownscansatanytimewithoutadvancenotice.

9. WhichofthefollowingbestdescribestheriskandcompliancecommunicationresponsibilitiesofcustomerstoAWS?

A. AWSandcustomersbothcommunicatetheirsecurityandcontrolenvironment

Page 449: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

informationtoeachotheratalltimes.

B. AWSpublishesinformationabouttheAWSsecurityandcontrolpracticesonline,anddirectlytocustomersunderNDA.CustomersdonotneedtocommunicatetheiruseandconfigurationstoAWS.

C. CustomerscommunicatetheiruseandconfigurationstoAWSatalltimes.AWSdoesnotcommunicateAWSsecurityandcontrolpracticestocustomersforsecurityreasons.

D. BothcustomersandAWSkeeptheirsecurityandcontrolpracticesentirelyconfidentialanddonotsharetheminordertoensurethegreatestsecurityforallparties.

10. Whenitcomestoriskmanagement,whichofthefollowingistrue?

A. AWSdoesnotdevelopastrategicbusinessplan;riskmanagementandmitigationisentirelytheresponsibilityofthecustomer.

B. AWShasdevelopedastrategicbusinessplantoidentifyanyrisksandimplementedcontrolstomitigateormanagethoserisks.Customersdonotneedtodevelopandmaintaintheirownriskmanagementplans.

C. AWShasdevelopedastrategicbusinessplantoidentifyanyrisksandhasimplementedcontrolstomitigateormanagethoserisks.Customersshouldalsodevelopandmaintaintheirownriskmanagementplanstoensuretheyarecompliantwithanyrelevantcontrolsandcertifications.

D. NeitherAWSnorthecustomerneedstoworryaboutriskmanagement,sonoplanisneededfromeitherparty.

11. TheAWScontrolenvironmentisinplaceforthesecuredeliveryofAWSCloudserviceofferings.WhichofthefollowingdoesthecollectivecontrolenvironmentNOTexplicitlyinclude?

A. People

B. Energy

C. Technology

D. Processes

12. WhoisresponsiblefortheconfigurationofsecuritygroupsinanAWSenvironment?

A. ThecustomerandAWSarebothjointlyresponsibleforensuringthatsecuritygroupsarecorrectlyandsecurelyconfigured.

B. AWSisresponsibleforensuringthatallsecuritygroupsarecorrectlyandsecurelyconfigured.Customersdonotneedtoworryaboutsecuritygroupconfiguration.

C. NeitherAWSnorthecustomerisresponsiblefortheconfigurationofsecuritygroups;securitygroupsareintelligentlyandautomaticallyconfiguredusingtrafficheuristics.

D. AWSprovidesthesecuritygroupfunctionalityasaservice,butthecustomerisresponsibleforcorrectlyandsecurelyconfiguringtheirownsecuritygroups.

Page 450: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

13. WhichofthefollowingisNOTarecommendedapproachforcustomerstryingtoachievestrongcomplianceandgovernanceoveranentireITcontrolenvironment?

A. Takeaholisticapproach:reviewinformationavailablefromAWStogetherwithallotherinformation,anddocumentallcompliancerequirements.

B. Verifythatallcontrolobjectivesaremetandallkeycontrolsaredesignedandoperatingeffectively.

C. Implementgenericcontrolobjectivesthatarenotspecificallydesignedtomeettheirorganization’scompliancerequirements.

D. Identifyanddocumentcontrolsownedbyallthirdparties.

Page 451: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

Chapter14ArchitectureBestPracticesTHEAWSCERTIFIEDSOLUTIONSARCHITECTASSOCIATEEXAMOBJECTIVESCOVEREDINTHISCHAPTERMAYINCLUDE,BUTARENOTLIMITEDTO,THEFOLLOWING:Domain1.0:Designinghighlyavailable,cost-efficient,fault-tolerant,andscalablesystems

1.1Identifyandrecognizecloudarchitectureconsiderations,suchasfundamentalcomponentsandeffectivedesigns.

Contentmayincludethefollowing:

Howtodesigncloudservices

Planninganddesign

Familiaritywith:

BestpracticesforAWSarchitecture

HybridITarchitectures(e.g.,AWSDirectConnect,AWSStorageGateway,AmazonVirtualPrivateCloud[AmazonVPC],AWSDirectoryService)

Elasticityandscalability(e.g.,AutoScaling,AmazonSimpleQueueService[AmazonSQS],ElasticLoadBalancing,AmazonCloudFront)

Page 452: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

IntroductionForseveralyears,softwarearchitectshavecreatedandimplementedpatternsandbestpracticestobuildhighlyscalableapplications.Whethermigratingexistingapplicationstothecloudorbuildingnewapplicationsonthecloud,theseconceptsareevenmoreimportantbecauseofever-growingdatasets,unpredictabletrafficpatterns,andthedemandforfasterresponsetimes.

MigratingapplicationstoAWS,evenwithoutsignificantchanges,providesorganizationswiththebenefitsofasecuredandcost-efficientinfrastructure.Tomakethemostoftheelasticityandagilitypossiblewithcloudcomputing,however,SolutionsArchitectsneedtoevolvetheirarchitecturestotakefulladvantageofAWScapabilities.

Fornewapplications,AWScustomershavebeendiscoveringcloud-specificITarchitecturepatternsthatdriveevenmoreefficiencyandscalabilityfortheirsolutions.Thosenewarchitecturescansupportanythingfromreal-timeanalyticsofInternet-scaledatatoapplicationswithunpredictabletrafficfromthousandsofconnectedInternetofThings(IoT)ormobiledevices.ThisleavesendlesspossibilitiesforapplicationsarchitectedusingAWSbestpractices.

ThischapterhighlightsthetenetsofarchitecturebestpracticestoconsiderwhetheryouaremigratingexistingapplicationstoAWSordesigningnewapplicationsforthecloud.Thesetenetsinclude:

Designforfailureandnothingwillfail.

Implementelasticity.

Leveragedifferentstorageoptions.

Buildsecurityineverylayer.

Thinkparallel.

Loosecouplingsetsyoufree.

Don’tfearconstraints.

Understandingtheservicescoveredinthisbookinthecontextofthesepracticesiskeytosucceedingontheexam.

Page 453: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

DesignforFailureandNothingFailsThefirstarchitecturebestpracticeforAWSisthefundamentalprincipleofdesigningforfailure.

Everythingfails,allthetime

—WernerVogels,CTO,AWS

Typically,productionsystemscomewithdefinedorimplicitrequirementsintermsofuptime.Asystemishighlyavailablewhenitcanwithstandthefailureofanindividualormultiplecomponents.Ifyoudesignarchitecturesaroundtheassumptionthatanycomponentwilleventuallyfail,systemswon’tfailwhenanindividualcomponentdoes.Asanexample,onegoalwhendesigningforfailurewouldbetoensureanapplicationsurviveswhentheunderlyingphysicalhardwareforoneoftheserversfails.

Let’stakealookatthesimplewebapplicationillustratedinFigure14.1.Thisapplicationhassomefundamentaldesignissuesforprotectingagainstcomponentfailures.Tostart,thereisnoredundancyorfailover,whichresultsinsinglepointsoffailure.

FIGURE14.1Simplewebapplicationarchitecture

Page 454: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

Ifthesinglewebserverfails,thesystemfails.

Ifthesingledatabasefails,thesystemfails.

IftheAvailabilityZone(AZ)fails,thesystemfails.

Bottomline,therearetoomanyeggsinonebasket.

Nowlet’swalkthroughtransformingthissimpleapplicationintoamoreresilientarchitecture.Tobegin,wearegoingtoaddressthesinglepointsoffailureinthecurrentarchitecture.Singlepointsoffailurecanberemovedbyintroducingredundancy,whichishavingmultipleresourcesforthesametask.Redundancycanbeimplementedineitherstandbyoractivemode.

Instandbyredundancywhenaresourcefails,functionalityisrecoveredonasecondaryresourceusingaprocesscalledfailover.Thefailoverwilltypicallyrequiresometimebeforeitiscompleted,andduringthatperiodtheresourceremainsunavailable.Thesecondaryresourcecaneitherbelaunchedautomaticallyonlywhenneeded(toreducecost),oritcanbealreadyrunningidle(toacceleratefailoverandminimizedisruption).Standbyredundancyisoftenusedforstatefulcomponentssuchasrelationaldatabases.

Inactiveredundancy,requestsaredistributedtomultipleredundantcomputeresources,andwhenoneofthemfails,therestcansimplyabsorbalargershareoftheworkload.Comparedtostandbyredundancy,itcanachievebetterutilizationandaffectasmallerpopulationwhenthereisafailure.

Toaddresstheredundancyissues,wewilladdanotherwebinstanceandaddastandbyinstanceforAmazonRelationalDatabaseService(AmazonRDS)toprovidehighavailabilityandautomaticfailover.ThekeyisthatwearegoingtoaddthenewresourcesinanotherAZ.AnAZconsistsofoneormorediscretedatacenters.AZswithinaregionprovideinexpensive,low-latencynetworkconnectivitytootherAZsinthesameregion.Thisallowsourapplicationtoreplicatedataacrossdatacentersinasynchronousmannersothatfailovercanbeautomatedandbetransparentfortheusers.

Additionally,wearegoingtoimplementactiveredundancybyswappingouttheElasticIPAddress(EIP)onourwebinstancewithanElasticLoadBalancer(ELB).TheELBallowsinboundrequeststobedistributedbetweenthewebinstances.NotonlywilltheELBhelpwithdistributingloadbetweenmultipleinstances,itwillalsostopsendingtraffictotheaffectedwebnodeifaninstancefailsitshealthchecks.Figure14.2showstheupdatedarchitecturewithredundancyforthewebapplication.

Page 455: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

FIGURE14.2Updatedwebapplicationarchitecturewithredundancy

ThisMulti-AZarchitecturehelpstoensurethattheapplicationisisolatedfromfailuresinasingleAvailabilityZone.Infact,manyofthehigherlevelservicesonAWSareinherentlydesignedaccordingtotheMulti-AZprinciple.Forexample,AmazonSimpleStorageService(AmazonS3)andAmazonDynamoDBensurethatdataisredundantlystoredacrossmultiplefacilities.

Oneruleofthumbtokeepinmindwhendesigningarchitecturesinthecloudistobeapessimist;thatis,assumethingswillfail.Inotherwords,alwaysdesign,implement,anddeployforautomatedrecoveryfromfailure.

Page 456: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

ImplementElasticityElasticityistheabilityofasystemtogrowtohandleincreasedload,whethergraduallyovertimeorinresponsetoasuddenchangeinbusinessneeds.Toachieveelasticity,itisimportantthatthesystembebuiltonascalablearchitecture.Sucharchitecturescansupportgrowthinusers,traffic,ordatasizewithnodropinperformance.Thesearchitecturesshouldprovidescaleinalinearmanner,whereaddingextraresourcesresultsinatleastaproportionalincreaseinabilitytoserveadditionalsystemload.Thegrowthinresourcesshouldintroduceeconomiesofscale,andcostshouldfollowthesamedimensionthatgeneratesbusinessvalueoutofthatsystem.Whilecloudcomputingprovidesvirtuallyunlimitedon-demandcapacity,systemarchitecturesneedtobeabletotakeadvantageofthoseresourcesseamlessly.TherearegenerallytwowaystoscaleanITarchitecture:verticallyandhorizontally.

ScalingVerticallyVerticalscalingtakesplacethroughanincreaseinthespecificationsofanindividualresource(forexample,upgradingaserverwithalargerharddrive,morememory,orafasterCPU).OnAmazonElasticComputeCloud(AmazonEC2),thiscaneasilybeachievedbystoppinganinstanceandresizingittoaninstancetypethathasmoreRAM,CPU,I/O,ornetworkingcapabilities.Verticalscalingwilleventuallyhitalimit,anditisnotalwaysacost-efficientorhighlyavailableapproach.Evenso,itisveryeasytoimplementandcanbesufficientformanyusecases,especiallyintheshortterm.

ScalingHorizontallyHorizontalscalingtakesplacethroughanincreaseinthenumberofresources(forexample,addingmoreharddrivestoastoragearrayoraddingmoreserverstosupportanapplication).ThisisagreatwaytobuildInternet-scaleapplicationsthatleveragetheelasticityofcloudcomputing.Notallarchitecturesaredesignedtodistributetheirworkloadtomultipleresources,anditisimportanttounderstandsystemcharacteristicsthatcanaffectasystem’sabilitytoscalehorizontally.Onekeycharacteristicistheimpactofstatelessandstatefularchitectures.

StatelessApplicationsWhenusersorservicesinteractwithanapplication,theywilloftenperformaseriesofinteractionsthatformasession.Astatelessapplicationneedsnoknowledgeofthepreviousinteractionsandstoresnosessioninformation.Astatelessapplicationcanscalehorizontally,becauseanyrequestcanbeservicedbyanyoftheavailablesystemcomputeresources.Becausenosessiondataneedstobesharedbetweensystemresources,computeresourcescanbeaddedasneeded.Whenexcesscapacityisnolongerrequired,anyindividualresourcecanbesafelyterminated.Thoseresourcesdonotneedtobeawareofthepresenceoftheirpeers;allthatisrequiredisawaytodistributetheworkloadtothem.

Let’sassumethatthewebapplicationweusedintheprevioussectionisastatelessapplicationwithunpredictabledemand.Inorderforourwebinstancestomeetthepeaksandvalleysassociatedwithourdemandprofile,weneedtoscaleelastically.Agreatwayto

Page 457: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

introduceelasticityandhorizontalscalingisbyleveragingAutoScalingforwebinstances.AnAutoScalinggroupcanautomaticallyaddAmazonEC2instancestoanapplicationinresponsetoheavytrafficandremovethemwhentrafficslows.Figure14.3showsourwebapplicationarchitectureaftertheintroductionofanAutoScalinggroup.

FIGURE14.3Updatedwebapplicationarchitecturewithautoscaling

StatelessComponentsInpractice,mostapplicationsneedtomaintainsomekindofstateinformation.Forexample,webapplicationsneedtotrackwhetherauserissignedin,orelsetheymightpresentpersonalizedcontentbasedonpreviousactions.Youcanstillmakeaportionofthesearchitecturesstatelessbynotstoringstateinformationlocallyonahorizontally-scalingresource,asthoseresourcescanappearanddisappearasthesystemscalesupanddown.

Forexample,webapplicationscanuseHTTPcookiestostoreinformationaboutasessionattheclient’sbrowser(suchasitemsintheshoppingcart).Thebrowserpassesthatinformationbacktotheserverateachsubsequentrequestsothattheapplicationdoesnotneedtostoreit.However,therearetwodrawbackswiththisapproach.First,thecontentoftheHTTPcookiescanbetamperedwithattheclientside,soyoushouldalwaystreatthemasuntrusteddatathatneedstobevalidated.Second,HTTPcookiesaretransmittedwitheveryrequest,whichmeansthatyoushouldkeeptheirsizetoaminimumtoavoidunnecessary

Page 458: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

latency.

ConsideronlystoringauniquesessionidentifierinaHTTPcookieandstoringmoredetailedusersessioninformationserver-side.Mostprogrammingplatformsprovideanativesessionmanagementmechanismthatworksthisway;however,thesemanagementmechanismsoftenstorethesessioninformationlocallybydefault.Thiswouldresultinastatefularchitecture.Acommonsolutiontothisproblemistostoreusersessioninformationinadatabase.AmazonDynamoDBisagreatchoiceduetoitsscalability,highavailability,anddurabilitycharacteristics.Formanyplatforms,thereareopensource,drop-inreplacementlibrariesthatallowyoutostorenativesessionsinAmazonDynamoDB.

StatefulComponentsInevitably,therewillbelayersofyourarchitecturethatyouwon’tturnintostatelesscomponents.First,bydefinition,databasesarestateful.Inaddition,manylegacyapplicationsweredesignedtorunonasingleserverbyrelyingonlocalcomputeresources.Otherusecasesmightrequireclientdevicestomaintainaconnectiontoaspecificserverforprolongedperiodsoftime.Forexample,real-timemultiplayergamingmustoffermultipleplayersaconsistentviewofthegameworldwithverylowlatency.Thisismuchsimplertoachieveinanon-distributedimplementationwhereparticipantsareconnectedtothesameserver.

DeploymentAutomationWhetheryouaredeployinganewenvironmentfortestingorincreasingcapacityofanexistingsystemtocopewithextraload,youwillnotwanttosetupnewresourcesmanuallywiththeirconfigurationandcode.Itisimportantthatyoumakethisanautomatedandrepeatableprocessthatavoidslongleadtimesandisnotpronetohumanerror.Automatingthedeploymentprocessandstreamliningtheconfigurationandbuildprocessiskeytoimplementingelasticity.Thiswillensurethatthesystemcanscalewithoutanyhumanintervention.

AutomateYourInfrastructureOneofthemostimportantbenefitsofusingacloudenvironmentistheabilitytousethecloud’sApplicationProgramInterfaces(APIs)toautomateyourdeploymentprocess.Itisrecommendedthatyoutakethetimetocreateanautomateddeploymentprocessearlyonduringthemigrationprocessandnotwaituntiltheend.Creatinganautomatedandrepeatabledeploymentprocesswillhelpreduceerrorsandfacilitateanefficientandscalableupdateprocess.

BootstrapYourInstancesWhenyoulaunchanAWSresourcelikeanAmazonEC2instance,youstartwithadefaultconfiguration.YoucanthenexecuteautomatedbootstrappingactionsasdescribedinChapter3,“AmazonElasticComputeCloud(AmazonEC2)andAmazonElasticBlockStore(AmazonEBS).”Letyourinstancesaskaquestionatboot:“WhoamIandwhatismyrole?”Everyinstanceshouldhavearoletoplayintheenvironment(suchasdatabaseserver,applicationserver,orslaveserverinthecaseofawebapplication).RolesmaybeappliedduringlaunchandcaninstructtheAMIonthestepstotakeafterithasbooted.Onboot,aninstanceshouldgrabthenecessaryresources(forexample,code,scripts,orconfiguration)basedontherole

Page 459: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

and“attach”itselftoaclustertoserveitsfunction.

Benefitsofbootstrappingyourinstancesinclude:

Recreateenvironments(forexample,development,staging,production)withfewclicksandminimaleffort.

Maintainmorecontroloveryourabstract,cloud-basedresources.

Reducehuman-induceddeploymenterrors.

Createaself-healingandself-discoverableenvironmentthatismoreresilienttohardwarefailure.

Designingintelligentelasticcloudarchitectures,whereinfrastructurerunsonlywhenyouneedit,isanart.AsaSolutionsArchitect,elasticityshouldbeoneofthefundamentaldesignrequirementswhendefiningyourarchitectures.Herearesomequestionstokeepinmindwhendesigningcloudarchitectures:

Whatcomponentsorlayersinmyapplicationarchitecturecanbecomeelastic?

Whatwillittaketomakethatcomponentelastic?

Whatwillbetheimpactofimplementingelasticitytomyoverallsystemarchitecture?

Page 460: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

LeverageDifferentStorageOptionsAWSoffersabroadrangeofstoragechoicesforbackup,archiving,anddisasterrecovery,aswellasblock,file,andobjectstoragetosuitaplethoraofusecases.Forexample,serviceslikeAmazonElasticBlockStorage(AmazonEBS),AmazonS3,AmazonRDS,andAmazonCloudFrontprovideawiderangeofchoicestomeetdifferentstorageneeds.Itisimportantfromacost,performance,andfunctionalaspecttoleveragedifferentstorageoptionsavailableinAWSfordifferenttypesofdatasets.

OneSizeDoesNotFitAllYourworkloadandusecaseshoulddictatewhatstorageoptiontoleverageinAWS.Noonestorageoptionissuitableforallsituations.Table14.1providesalistofsomestoragescenariosandwhichAWSstorageoptionyoushouldconsidertomeettheidentifiedneed.Thistableisnotmeanttobeanall-encompassingcaptureofscenarios,butanexampleguide.

TABLE14.1StorageScenariosandAWSStorageOptions

SampleScenario StorageOption

Yourwebapplicationneedslarge-scalestoragecapacityandperformance.

-or- AmazonS3

Youneedcloudstoragewithhighdatadurabilitytosupportbackupandactivearchivesfordisasterrecovery.

Yourequirecloudstoragefordataarchivingandlong-termbackup. AmazonGlacier

Yourequireacontentdeliverynetworktodeliverentirewebsites,includingdynamic,static,streaming,andinteractivecontentusingaglobalnetworkofedgelocations.

AmazonCloudFront

YourequireafastandflexibleNoSQLdatabasewithaflexibledatamodelandreliableperformance.

AmazonDynamoDB

Youneedreliableblockstoragetorunmission-criticalapplicationssuchasOracle,SAP,MicrosoftExchange,andMicrosoftSharePoint.

AmazonEBS

Youneedahighlyavailable,scalable,andsecureMySQLdatabasewithoutthetime-consumingadministrativetasks.

AmazonRDS

Youneedafast,powerful,fully-managed,petabyte-scaledatawarehousetosupportbusinessanalyticsofyoure-commerceapplication.

AmazonRedshift

YouneedaRedisclustertostoresessioninformationforyourwebapplication.

AmazonElastiCache

YouneedacommonfilesystemforyourapplicationthatissharedbetweenmorethanoneAmazonEC2instance.

AmazonElasticFileSystem(AmazonEFS)

Let’sreturntooursamplewebapplicationarchitectureandshowhowdifferentstorageoptionscanbeleveragedtooptimizecostandarchitecture.WecanstartbymovinganystaticassetsfromourwebinstancestoAmazonS3,andthenservethoseobjectsviaAmazon

Page 461: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

CloudFront.Thesestaticassetswouldincludealloftheimages,videos,CSS,JavaScript,andanyotherheavystaticcontentthatiscurrentlydeliveredviathewebinstances.ByservingthesefilesviaanAmazonS3originwithglobalcachinganddistributionviaAmazonCloudFront,theloadwillbereducedonthewebinstancesandallowthewebtierfootprinttobereduced.Figure14.4showstheupdatedarchitectureforoursamplewebapplication.

FIGURE14.4UpdatedwebapplicationarchitecturewithAmazonS3andAmazonCloudFront

Tofurtheroptimizeourstorageoptions,thesessioninformationforoursamplewebapplicationcanbemovedtoAmazonDynamoDBoreventoAmazonElastiCache.Forourscenario,wewilluseAmazonDynamoDBtostorethesessioninformationbecausetheAWSSoftwareDevelopmentKits(SDK)provideconnectorsformanypopularwebdevelopmentframeworksthatmakestoringsessioninformationinAmazonDynamoDBeasy.Byremovingsessionstatefromourwebtier,thewebinstancesdonotlosesessioninformationwhenhorizontalscalingfromAutoScalinghappens.Additionally,wewillleverageAmazonElastiCachetostorecommondatabasequeryresults,therebytakingtheloadoffofourdatabasetier.Figure14.5showstheadditionofAmazonElastiCacheandAmazonDynamoDBtoourwebapplicationarchitecture.

Page 462: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

FIGURE14.5UpdatedwebapplicationarchitecturewithAmazonElastiCacheandAmazonDynamoDB

AsaSolutionsArchitect,youwillultimatelycometoapointwhereyouneedtodecideanddefinewhatyourstoragerequirementsareforthedatathatyouneedtostoreonAWS.Thereareavarietyofoptionstochoosefromdependingonyourneeds,eachwithdifferentattributesrangingfromdatabasestorage,blockstorage,highlyavailableobject-basedstorage,andevencoldarchivalstorage.Ultimately,yourworkloadrequirementswilldictatewhichstorageoptionmakessenseforyourusecase.

Page 463: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

BuildSecurityinEveryLayerWithtraditionalIT,infrastructuresecurityauditingwouldoftenbeaperiodicandmanualprocess.TheAWSCloudinsteadprovidesgovernancecapabilitiesthatenablecontinuousmonitoringofconfigurationchangestoyourITresources.BecauseAWSassetsareprogrammableresources,yoursecuritypolicycanbeformalizedandembeddedwiththedesignofyourinfrastructure.Withtheabilitytospinuptemporaryenvironments,securitytestingcannowbecomepartofyourcontinuousdeliverypipeline.SolutionsArchitectscanleverageaplethoraofnativeAWSsecurityandencryptionfeaturesthatcanhelpachievehigherlevelsofdataprotectionandcomplianceateverylayerofcloudarchitectures.

BestPractice

Inventoryyourdata,prioritizeitbyvalue,andapplytheappropriatelevelofencryptionforthedataintransitandatrest.

MostofthesecuritytoolsandtechniqueswithwhichyoumightalreadybefamiliarinatraditionalITinfrastructurecanbeusedinthecloud.Atthesametime,AWSallowsyoutoimproveyoursecurityinavarietyofways.AWSisaplatformthatallowsyoutoformalizethedesignofsecuritycontrolsintheplatformitself.ItsimplifiessystemuseforadministratorsandthoserunningITandmakesyourenvironmentmucheasiertoauditinacontinuousmanner.

UseAWSFeaturesforDefenseinDepthAWSprovidesawealthoffeaturesthathelpSolutionsArchitectsbuilddefenseindepth.Startingatthenetworklevel,youcanbuildanAmazonVirtualPrivateCloud(AmazonVPC)topologythatisolatespartsoftheinfrastructurethroughtheuseofsubnets,securitygroups,androutingcontrols.ServiceslikeAWSWebApplicationFirewall(AWSWAF)canhelpprotectyourwebapplicationsfromSQLinjectionandothervulnerabilitiesinyourapplicationcode.Foraccesscontrol,youcanuseAWSIdentityandAccessManagement(IAM)todefineagranularsetofpoliciesandassignthemtousers,groups,andAWSresources.Finally,theAWSplatformoffersabreadthofoptionsforprotectingdatawithencryption,whetherthedataisintransitoratrest.

UnderstandingthesecurityfeaturesofferedbyAWSisimportantfortheexam,anditiscoveredindetailinChapter12,“SecurityonAWS.”

OffloadSecurityResponsibilitytoAWSAWSoperatesunderasharedresponsibilitymodel,whereAWSisresponsibleforthesecurityoftheunderlyingcloudinfrastructure,andyouareresponsibleforsecuringtheworkloadsyoudeployonAWS.Thisway,youcanreducethescopeofyourresponsibilityandfocusonyourcorecompetenciesthroughtheuseofAWSmanagedservices.Forexample,whenyou

Page 464: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

usemanagedservicessuchasAmazonRDS,AmazonElastiCache,AmazonCloudSearch,andothers,securitypatchesbecometheresponsibilityofAWS.Thisnotonlyreducesoperationaloverheadforyourteam,butitcouldalsoreduceyourexposuretovulnerabilities.

ReducePrivilegedAccessAnothercommonsourceofsecurityriskistheuseofserviceaccounts.Inatraditionalenvironment,serviceaccountswouldoftenbeassignedlong-termcredentialsstoredinaconfigurationfile.OnAWS,youcaninsteaduseIAMrolestograntpermissionstoapplicationsrunningonAmazonEC2instancesthroughtheuseoftemporarysecuritytokens.Thosecredentialsareautomaticallydistributedandrotated.Formobileapplications,theuseofAmazonCognitoallowsclientdevicestogetcontrolledaccesstoAWSresourcesviatemporarytokens.ForAWSManagementConsoleusers,youcansimilarlyprovidefederatedaccessthroughtemporarytokensinsteadofcreatingIAMusersinyourAWSaccount.Inthatway,anemployeewholeavesyourorganizationandisremovedfromyourorganization’sidentitydirectorywillalsoloseaccesstoyourAWSaccount.

BestPractice

Followthestandardsecuritypracticeofgrantingleastprivilege—thatis,grantingonlythepermissionsrequiredtoperformatask—toIAMusers,groups,roles,andpolicies.

SecurityasCodeTraditionalsecurityframeworks,regulations,andorganizationalpoliciesdefinesecurityrequirementsrelatedtothingssuchasfirewallrules,networkaccesscontrols,internal/externalsubnets,andoperatingsystemhardening.YoucanimplementtheseinanAWSenvironmentaswell,butyounowhavetheopportunitytocapturethemallinascriptthatdefinesa“GoldenEnvironment.”ThismeansthatyoucancreateanAWSCloudFormationscriptthatcapturesandreliablydeploysyoursecuritypolicies.Securitybestpracticescannowbereusedamongmultipleprojectsandbecomepartofyourcontinuousintegrationpipeline.Youcanperformsecuritytestingaspartofyourreleasecycleandautomaticallydiscoverapplicationgapsanddriftfromyoursecuritypolicies.

Additionally,forgreatercontrolandsecurity,AWSCloudFormationtemplatescanbeimportedas“products”intoAWSServiceCatalog.Thisenablescentralizedmanagementofresourcestosupportconsistentgovernance,security,andcompliancerequirementswhileenablinguserstodeployquicklyonlytheapprovedITservicestheyneed.YouapplyIAMpermissionstocontrolwhocanviewandmodifyyourproducts,andyoudefineconstraintstorestrictthewaysthatspecificAWSresourcescanbedeployedforaproduct.

Real-TimeAuditingTestingandauditingyourenvironmentiskeytomovingfastwhilestayingsafe.Traditionalapproachesthatinvolveperiodic(andoftenmanualorsample-based)checksarenotsufficient,especiallyinagileenvironmentswherechangeisconstant.OnAWS,youcanimplementcontinuousmonitoringandautomationofcontrolstominimizeexposuretosecurityrisks.ServiceslikeAWSConfigRules,AmazonInspector,andAWSTrustedAdvisor

Page 465: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

continuallymonitorforcomplianceorvulnerabilitiesgivingyouaclearoverviewofwhichITresourcesareorarenotincompliance.WithAWSConfigRules,youwillalsoknowifsomecomponentwasoutofcomplianceevenforabriefperiodoftime,makingbothpoint-in-timeandperiod-in-timeauditsveryeffective.YoucanimplementextensiveloggingforyourapplicationsusingAmazonCloudWatchLogsandfortheactualAWSAPIcallsbyenablingAWSCloudTrail.AWSCloudTrailisawebservicethatrecordsAPIcallstosupportedAWSCloudservicesinyourAWSaccountandcreatesalogfile.AWSCloudTraillogsarestoredinanimmutablemannertoanAmazonS3bucketofyourchoice.Theselogscanthenbeautomaticallyprocessedeithertonotifyoreventakeactiononyourbehalf,protectingyourorganizationfromnon-compliance.YoucanuseAWSLambda,AmazonElasticMapReduce(AmazonEMR),AmazonElasticsearchService,orthird-partytoolsfromtheAWSMarketplacetoscanlogstodetectthingslikeunusedpermissions,overuseofprivilegedaccounts,usageofkeys,anomalouslogins,policyviolations,andsystemabuse.

WhileAWSprovidesanexcellentservicemanagementlayeraroundinfrastructureorplatformservices,organizationsarestillresponsibleforprotectingtheconfidentiality,integrity,andavailabilityoftheirdatainthecloud.AWSprovidesarangeofsecurityservicesandarchitecturalconceptsthatorganizationscanusetomanagesecurityoftheirassetsanddatainthecloud.

Page 466: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

ThinkParallelThecloudmakesparallelizationeffortless.Whetheritisrequestingdatafromthecloud,storingdatatothecloud,orprocessingdatainthecloud,asaSolutionsArchitectyouneedtointernalizetheconceptofparallelizationwhendesigningarchitecturesinthecloud.Itisadvisablenotonlytoimplementparallelizationwhereverpossible,butalsotoautomateitbecausethecloudallowsyoutocreatearepeatableprocessveryeasily.

Whenitcomestoaccessing(retrievingandstoring)data,thecloudisdesignedtohandlemassivelyparalleloperations.Inordertoachievemaximumperformanceandthroughput,youshouldleveragerequestparallelization.Multi-threadingyourrequestsbyusingmultipleconcurrentthreadswillstoreorfetchthedatafasterthanrequestingitsequentially.Hence,ageneralbestpracticefordevelopingcloudapplicationsistodesigntheprocessesforleveragingmulti-threading.

Whenitcomestoprocessingorexecutingrequestsinthecloud,itbecomesevenmoreimportanttoleverageparallelization.Ageneralbestpractice,inthecaseofawebapplication,istodistributetheincomingrequestsacrossmultipleasynchronouswebserversusingaloadbalancer.Inthecaseofabatchprocessingapplication,youcanleverageamasternodewithmultipleslaveworkernodesthatprocessestasksinparallel(asindistributedprocessingframeworkslikeHadoop).

Thebeautyofthecloudshineswhenyoucombineelasticityandparallelization.YourcloudapplicationcanbringupaclusterofcomputeinstancesthatareprovisionedwithinminuteswithjustafewAPIcalls,performajobbyexecutingtasksinparallel,storetheresults,andthenterminatealloftheinstances.

Page 467: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

LooseCouplingSetsYouFreeAsapplicationcomplexityincreases,adesirablecharacteristicofanITsystemisthatitcanbebrokenintosmaller,looselycoupledcomponents.ThismeansthatITsystemsshouldbedesignedinawaythatreducesinterdependencies,sothatachangeorafailureinonecomponentdoesnotcascadetoothercomponents.

BestPractice

Designsystemarchitectureswithindependentcomponentsthatare“blackboxes.”Themorelooselysystemcomponentsarecoupled,thelargertheyscale.

Awaytoreduceinterdependenciesinasystemistoallowthevariouscomponentstointeractwitheachotheronlythroughspecific,technology-agnosticinterfaces(suchasRESTfulAPIs).Inthisway,thetechnicalimplementationdetailsarehiddensothatteamscanmodifytheunderlyingimplementationwithoutaffectingothercomponents.Aslongasthoseinterfacesmaintainbackwardcompatibility,thedifferentcomponentsthatanoverallsystemiscomprisedofremaindecoupled.

AmazonAPIGatewayprovidesawaytoexposewell-definedinterfaces.AmazonAPIGatewayisafullymanagedservicethatmakesiteasyfordeveloperstocreate,publish,maintain,monitor,andsecureAPIsatanyscale.IthandlesallofthetasksinvolvedinacceptingandprocessinguptohundredsofthousandsofconcurrentAPIcalls,includingtrafficmanagement,authorizationandaccesscontrol,monitoring,andAPIversionmanagement.

Asynchronousintegrationisacommonpatternforimplementingloosecouplingbetweenservices.Thismodelissuitableforanyinteractionthatdoesnotneedanimmediateresponseandwhereanacknowledgementthatarequesthasbeenregisteredwillsuffice.Itinvolvesonecomponentthatgenerateseventsandanotherthatconsumesthem.Thetwocomponentsdonotintegratethroughdirectpoint-to-pointinteraction,butusuallythroughanintermediatedurablestoragelayer,suchasanAmazonSimpleQueueService(AmazonSQS)queueorastreamingdataplatformlikeAmazonKinesis.Figure14.6showsthelogicalflowfortightandlooselycoupledarchitectures.

Page 468: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

FIGURE14.6Tightandloosecoupling

Leveragingasynchronousintegrationdecouplesthetwocomponentsandintroducesadditionalresiliency.Forexample,ifaprocessthatisreadingmessagesfromthequeuefails,messagescanstillbeaddedtothequeuetobeprocessedwhenthesystemrecovers.Italsoallowsyoutoprotectalessscalableback-endservicefromfront-endspikesandfindtherighttradeoffbetweencostandprocessinglag.Forexample,youcandecidethatyoudon’tneedtoscaleyourdatabasetoaccommodateforanoccasionalpeakofwritequeriesifyoueventuallyprocessthosequeriesasynchronouslywithsomedelay.Finally,bymovingslowoperationsoffofinteractiverequestpaths,youcanalsoimprovetheend-userexperience.

Page 469: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

SampleLooselyCoupledArchitecture

Acompanyprovidestranscodingservicesforamateurproducerstoformattheirshortfilmstoavarietyofvideoformats.Theserviceprovidesenduserswithaneasy-to-usewebsitetosubmitvideosfortranscoding.ThevideosarestoredinAmazonS3,andamessage(“therequestmessage”)isplacedinanAmazonSQSqueue(“theincomingqueue”)withapointertothevideoandtothetargetvideoformatinthemessage.Thetranscodingengine,runningonasetofAmazonEC2instances,readstherequestmessagefromtheincomingqueue,retrievesthevideofromAmazonS3usingthepointer,andtranscodesthevideointothetargetformat.TheconvertedvideoisputbackintoAmazonS3andanothermessage(“theresponsemessage”)isplacedinanotherAmazonSQSqueue(“theoutgoingqueue”)withapointertotheconvertedvideo.Atthesametime,metadataaboutthevideo(suchasformat,datecreated,andlength)canbeindexedintoAmazonDynamoDBforeasyquerying.Duringthiswholeworkflow,adedicatedAmazonEC2instancecanconstantlymonitortheincomingqueueand,basedonthenumberofmessagesintheincomingqueue,candynamicallyadjustthenumberoftranscodingAmazonEC2instancestomeetcustomers’responsetimerequirements.

Applicationsthataredeployedasasetofsmallerserviceswilldependontheabilityofthoseservicestointeractwitheachother.Becauseeachofthoseservicescouldberunningacrossmultiplecomputeresources,thereneedstobeawayforeachservicetobeaddressed.Forexample,inatraditionalinfrastructure,ifyourfront-endwebserviceneededtoconnectwithyourback-endwebservice,youcouldhardcodetheIPaddressofthecomputeresourcewherethisservicewasrunning.Althoughthisapproachcanstillworkoncloudcomputing,ifthoseservicesaremeanttobelooselycoupled,theyshouldbeabletobeconsumedwithoutpriorknowledgeoftheirnetworktopologydetails.Apartfromhidingcomplexity,thisalsoallowsinfrastructuredetailstochangeatanytime.Inordertoachievethisagility,youwillneedsomewayofimplementingservicediscovery.Servicediscoverymanageshowprocessesandservicesinanenvironmentcanfindandtalktooneanother.Itinvolvesadirectoryofservices,registeringservicesinthatdirectory,andthenbeingabletolookupandconnecttoservicesinthatdirectory.

Loosecouplingisacrucialelementifyouwanttotakeadvantageoftheelasticityofcloudcomputing,wherenewresourcescanbelaunchedorterminatedatanypointintime.Byarchitectingsystemcomponentswithouttightdependenciesoneachother,applicationsarepositionedtotakefulladvantageofthecloud’sscale.

Page 470: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

Don’tFearConstraintsWhenorganizationsdecidetomoveapplicationstothecloudandtrytomaptheirexistingsystemspecificationstothoseavailableinthecloud,theynoticethatthecloudmightnothavetheexactspecificationoftheresourcethattheyhaveonpremises.Forexample,observationsmayinclude“ClouddoesnotprovideXamountofRAMinaserver”or“MydatabaseneedstohavemoreIOPSthanwhatIcangetinasingleinstance.”

Youshouldunderstandthatthecloudprovidesabstractresourcesthatbecomepowerfulwhenyoucombinethemwiththeon-demandprovisioningmodel.Youshouldnotbeafraidandconstrainedwhenusingcloudresourcesbecauseevenifyoumightnotgetanexactreplicaofyouron-premiseshardwareinthecloudenvironment,youhavetheabilitytogetmoreofthoseresourcesinthecloudtocompensate.

Whenyoupushupagainstaconstraint,thinkaboutwhatit’stellingyouaboutapossibleunderlyingarchitecturalissue.Forexample,ifAWSdoesnothaveanAmazonRDSinstancetypewithenoughRAM,considerwhetheryouhaveinadvertentlytrappedyourselfinascale-upparadigm.ConsiderchangingtheunderlyingtechnologyandusingascalabledistributedcachelikeAmazonElastiCacheorshardingyourdataacrossmultipleservers.Ifitisaread-heavyapplication,youcandistributethereadloadacrossafleetofsynchronizedslaves.

Organizationsarechallengedwithdeveloping,managing,andoperatingapplicationsatscalewithawidevarietyofunderlyingtechnologycomponents.WithtraditionalITinfrastructure,companieswouldhavetobuildandoperateallofthosecomponents.Whilethesecomponentsmaynotmapdirectlyintoacloudenvironment,AWSoffersabroadsetofcomplementaryservicesthathelporganizationsovercometheseconstraintsandtosupportagilityandlowerITcosts.

OnAWS,thereisasetofmanagedservicesthatprovidesbuildingblocksfordeveloperstoleverageforpoweringtheirapplications.Thesemanagedservicesincludedatabases,machinelearning,analytics,queuing,search,email,notifications,andmore.Forexample,withAmazonSQS,youcanoffloadtheadministrativeburdenofoperatingandscalingahighlyavailablemessagingclusterwhilepayingalowpriceforonlywhatyouuse.ThesameappliestoAmazonS3,whereyoucanstoreasmuchdataasrequiredandaccessitwhenneededwithouthavingtothinkaboutcapacity,harddiskconfigurations,replication,andotherhardware-basedconsiderations.

TherearemanyotherexamplesofmanagedservicesonAWS,suchasAmazonCloudFrontforcontentdelivery,ElasticLoadBalancingforloadbalancing,AmazonDynamoDBforNoSQLdatabases,AmazonCloudSearchforsearchworkloads,AmazonElasticTranscoderforvideoencoding,AmazonSimpleEmailService(AmazonSES)forsendingandreceivingemails,andmore.

ArchitecturesthatdonotleveragethebreadthofAWSCloudservices(forexample,theyuseonlyAmazonEC2)mightbeself-constrainingtheabilitytomakethemostofcloudcomputing.Thisoversightoftenleadstomissingkeyopportunitiestoincreasedeveloperproductivityandoperationalefficiency.Whenorganizationscombineon-demandprovisioning,managedservices,andtheinherentflexibilityofthecloud,theyrealizethatapparentconstraintscanactuallybebrokendowninwaysthatwillactuallyimprovethe

Page 471: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

scalabilityandoverallperformanceoftheirsystems.

Page 472: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

SummaryTypically,productionsystemscomewithdefinedorimplicitrequirementsintermsofuptime.Asystemishighlyavailablewhenitcanwithstandthefailureofanindividualormultiplecomponents.Ifyoudesignarchitecturesaroundtheassumptionthatanycomponentwilleventuallyfail,systemswon’tfailwhenanindividualcomponentdoes.

Traditionalinfrastructuregenerallynecessitatespredictingtheamountofcomputingresourcesyourapplicationwilluseoveraperiodofseveralyears.Ifyouunderestimate,yourapplicationswillnothavethehorsepowertohandleunexpectedtraffic,potentiallyresultingincustomerdissatisfaction.Ifyouoverestimate,you’rewastingmoneywithsuperfluousresources.Theon-demandandelasticnatureofthecloudenablestheinfrastructuretobecloselyalignedwiththeactualdemand,therebyincreasingoverallutilizationandreducingcost.Whilecloudcomputingprovidesvirtuallyunlimitedon-demandcapacity,systemarchitecturesneedtobeabletotakeadvantageofthoseresourcesseamlessly.TherearegenerallytwowaystoscaleanITarchitecture:verticallyandhorizontally.

TheAWSCloudprovidesgovernancecapabilitiesthatenablecontinuousmonitoringofconfigurationchangestoyourITresources.BecauseAWSassetsareprogrammableresources,yoursecuritypolicycanbeformalizedandembeddedwiththedesignofyourinfrastructure.Withtheabilitytospinuptemporaryenvironments,securitytestingcannowbecomepartofyourcontinuousdeliverypipeline.SolutionsArchitectscanleverageaplethoraofnativeAWSsecurityandencryptionfeaturesthatcanhelpachievehigherlevelsofdataprotectionandcomplianceateverylayerofcloudarchitectures.

BecauseAWSmakesparallelizationeffortless,SolutionsArchitectsneedtointernalizetheconceptofparallelizationwhendesigningarchitecturesinthecloud.Itisadvisablenotonlytoimplementparallelizationwhereverpossible,butalsotoautomateitbecausethecloudallowsyoutocreatearepeatableprocessveryeasily.

Asapplicationcomplexityincreases,adesirablecharacteristicofanITsystemisthatitcanbebrokenintosmaller,looselycoupledcomponents.SolutionsArchitectsshoulddesignsystemsinawaythatreducesinterdependencies,sothatachangeorafailureinonecomponentdoesnotcascadetoothercomponents.

Whenorganizationstrytomaptheirexistingsystemspecificationstothoseavailableinthecloud,theynoticethatthecloudmightnothavetheexactspecificationoftheresourcethattheyhaveon-premises.Organizationsshouldnotbeafraidandfeelconstrainedwhenusingcloudresources.Evenifyoumightnotgetanexactreplicaofyourhardwareinthecloudenvironment,youhavetheabilitytogetmoreofthoseresourcesinthecloudtocompensate.

Byfocusingonconceptsandbestpractices—likedesigningforfailure,decouplingtheapplicationcomponents,understandingandimplementingelasticity,combiningitwithparallelization,andintegratingsecurityineveryaspectoftheapplicationarchitecture—SolutionsArchitectscanunderstandthedesignconsiderationsnecessaryforbuildinghighlyscalablecloudapplications.

Aseachusecaseisunique,SolutionsArchitectsneedtoremaindiligentinevaluatinghowbestpracticesandpatternscanbeappliedtoeachimplementation.Thetopicofcloudcomputingarchitecturesisbroadandcontinuouslyevolving.

Page 473: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

ExamEssentialsUnderstandhighlyavailablearchitectures.Asystemishighlyavailablewhenitcanwithstandthefailureofanindividualormultiplecomponents.Ifyoudesignarchitecturesaroundtheassumptionthatanycomponentwilleventuallyfail,systemswon’tfailwhenanindividualcomponentdoes.

Understandredundancy.Redundancycanbeimplementedineitherstandbyoractivemode.Whenaresourcefailsinstandbyredundancy,functionalityisrecoveredonasecondaryresourceusingaprocesscalledfailover.Thefailoverwilltypicallyrequiresometimebeforeitiscompleted,andduringthatperiodtheresourceremainsunavailable.Inactiveredundancy,requestsaredistributedtomultipleredundantcomputeresources,andwhenoneofthemfails,therestcansimplyabsorbalargershareoftheworkload.Comparedtostandbyredundancy,activeredundancycanachievebetterutilizationandaffectasmallerpopulationwhenthereisafailure.

Understandelasticity.Elasticarchitecturescansupportgrowthinusers,traffic,ordatasizewithnodropinperformance.Itisimportanttobuildelasticsystemsontopofascalablearchitecture.Thesearchitecturesshouldscaleinalinearmanner,whereaddingextraresourcesresultsinatleastaproportionalincreaseinabilitytoserveadditionalsystemload.Thegrowthinresourcesshouldintroduceeconomiesofscale,andcostshouldfollowthesamedimensionthatgeneratesbusinessvalueoutofthatsystem.TherearegenerallytwowaystoscaleanITarchitecture:verticallyandhorizontally.

Understandverticalscaling.Scalingverticallytakesplacethroughanincreaseinthespecificationsofanindividualresource(forexample,upgradingaserverwithalargerharddriveorafasterCPU).Thiswayofscalingcaneventuallyhitalimit,anditisnotalwaysacostefficientorhighlyavailableapproach.

Understandhorizontalscaling.Scalinghorizontallytakesplacethroughanincreaseinthenumberofresources.ThisisagreatwaytobuildInternet-scaleapplicationsthatleveragetheelasticityofcloudcomputing.Itisimportanttounderstandtheimpactofstatelessandstatefularchitecturesbeforeimplementinghorizontalscaling.

Understandstatelessapplications.Astatelessapplicationneedsnoknowledgeofthepreviousinteractionsandstoresnosessioninformation.Astatelessapplicationcanscalehorizontallybecauseanyrequestcanbeservicedbyanyoftheavailablesystemcomputeresources.

Understandloosecoupling.Asapplicationcomplexityincreases,adesirablecharacteristicofanITsystemisthatitcanbebrokenintosmaller,looselycoupledcomponents.ThismeansthatITsystemsshouldbedesignedas“blackboxes”toreduceinterdependenciessothatachangeorafailureinonecomponentdoesnotcascadetoothercomponents.Themorelooselysystemcomponentsarecoupled,thelargertheyscale.

UnderstandthedifferentstorageoptionsinAWS.AWSoffersabroadrangeofstoragechoicesforbackup,archiving,anddisasterrecovery,aswellasblock,file,andobjectstoragetosuitaplethoraofusecases.Itisimportantfromacost,performance,andfunctionalaspecttoleveragedifferentstorageoptionsavailableinAWSfordifferenttypesofdatasets.

Page 474: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

ExercisesInthissection,youwillimplementaresilientapplicationleveragingsomeofthebestpracticesoutlinedinthischapter.YouwillbuildthearchitecturedepictedinFigure14.7inthefollowingseriesofexercises.

FIGURE14.7Samplewebapplicationforchapterexercises

Forassistanceincompletingthefollowingexercises,referencethefollowinguserguides:

AmazonVPC—http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/

GetStarted.html

AmazonEC2(Linux)—http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/concepts.html

AmazonRDS(MySQL)—http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_GettingStarted.CreatingConnecting.MySQL.html

Page 475: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

EXERCISE14.1

CreateaCustomAmazonVPC1. LogintotheAWSManagementConsole.

2. NavigatetotheAmazonVPCconsole.

3. CreateanAmazonVPCwithaClasslessInter-DomainRouting(CIDR)blockequalto192.168.0.0/16,anametagofCh14—VPC,anddefaulttenancy.

EXERCISE14.2

CreateanInternetGatewayforYourCustomAmazonVPC1. LogintotheAWSManagementConsole.

2. NavigatetotheAmazonVPCconsole.

3. CreateanInternetgatewaywithanametagofCh14–IGW.

4. AttachtheCh14–IGWInternetgatewaytotheAmazonVPCfromExercise14.1.

EXERCISE14.3

UpdatetheMainRouteTableforYourCustomAmazonVPC1. LogintotheAWSManagementConsole.

2. NavigatetoAmazonVPCconsole.

3. LocatethemainroutetablefortheAmazonVPCfromExercise14.1.

4. UpdatetheroutetablenametagtoavalueofCh14—MainRouteTable.

5. Updatetheroutetableroutesbyaddingadestinationof0.0.0.0/0withatargetoftheInternetgatewayfromExercise14.2.

Page 476: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

EXERCISE14.4

CreatePublicSubnetsforYourCustomAmazonVPC1. LogintotheAWSManagementConsole.

2. NavigatetotheAmazonVPCconsole.

3. CreateasubnetwithaCIDRblockequalto192.168.1.0/24andanametagofCh14—PublicSubnet1.CreatethesubnetintheAmazonVPCfromExercise14.1,andspecifyanAvailabilityZoneforthesubnet(forexample,US-East-1a).

4. CreateasubnetwithaCIDRblockequalto192.168.3.0/24andanametagofCh14—PublicSubnet2.CreatethesubnetintheAmazonVPCfromExercise14.1,andspecifyanAvailabilityZoneforthesubnetthatisdifferentfromtheonepreviouslyspecified(forexample,US-East-1b).

EXERCISE14.5

CreateaNATGatewayforYourCustomAmazonVPC1. LogintotheAWSManagementConsole.

2. NavigatetotheAmazonVPCconsole.

3. CreateaNetworkAddressTranslation(NAT)gatewayintheAmazonVPCfromExercise14.1withintheCh14—PublicSubnet1subnetfromExercise14.4.

EXERCISE14.6

CreateaPrivateRouteTableforYourCustomAmazonVPC1. LogintotheAWSManagementConsole.

2. NavigatetotheAmazonVPCconsole.

3. CreatearoutetablefortheAmazonVPCfromExercise14.1withanametagofCh14—PrivateRouteTable.

4. Updatetheroutetableroutesbyaddingadestinationof0.0.0.0/0withatargetoftheNATgatewayfromExercise14.5.

Page 477: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

EXERCISE14.7

CreatePrivateSubnetsforYourCustomAmazonVPC1. LogintotheAWSManagementConsole.

2. NavigatetotheAmazonVPCconsole.

3. CreateasubnetwithaCIDRblockequalto192.168.2.0/24andanametagofCh14—PrivateSubnet1.CreatethesubnetintheAmazonVPCfromExercise14.1,andspecifythesameAvailabilityZoneforthesubnetthatwasusedinExercise14.4fortheCh14—PublicSubnet1(forexample,US-East-1a).

4. UpdatetheroutetableforthecreatedsubnettotheCh14—PrivateRouteTablefromExercise14.6.

5. CreateasubnetwithaCIDRblockequalto192.168.4.0/24andanametagofCh14—PrivateSubnet2.CreatethesubnetintheAmazonVPCfromExercise14.1,andspecifythesameAvailabilityZoneforthesubnetthatwasusedinExercise14.4fortheCh14—PublicSubnet2(forexample,US-East-1b).

6. UpdatetheroutetableforthecreatedsubnettotheCh14—PrivateRouteTablefromExercise14.6.

Page 478: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

EXERCISE14.8

CreateSecurityGroupsforEachApplicationTier1. LogintotheAWSManagementConsole.

2. NavigatetotheAmazonVPCconsole.

3. CreateanAmazonVPCsecuritygroupfortheELBwithanametagandgrouptabofCh14-ELB-SGandadescriptionofLoadbalancersecuritygroupforCh14exercises.CreatethesecuritygroupintheAmazonVPCfromExercise14.1withaninboundruleofTypeHTTP,aprotocolofTCP,aportrangeof80,andasourceof0.0.0.0/0.

4. CreateanAmazonVPCsecuritygroupforthewebserverswithanametagandgrouptabofCh14-WebServer-SGandadescriptionofWebserversecuritygroupforCh14exercises.CreatethesecuritygroupintheAmazonVPCfromExercise14.1withaninboundruleofTypeHTTP,aprotocolofTCP,aportrangeof80,andasourceoftheCh14-ELB-SGsecuritygroup.YoumaywanttoaddanotherinboundruleofTypeSSH,aprotocolofTCP,aportrangeof22,andasourceofyourIPaddresstoprovidesecureaccesstomanagetheservers.

5. CreateanAmazonVPCsecuritygroupfortheAmazonRDSMySQLdatabasewithanametagandgrouptabofCh14-DB-SGandadescriptionofDatabasesecuritygroupforCh14exercises.CreatethesecuritygroupintheAmazonVPCfromExercise14.1withaninboundruleofTypeMYSQL/Aurora,aprotocolofTCP,aportrangeof3306,andasourceoftheCh14-WebServer-SGsecuritygroup.

Page 479: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

EXERCISE14.9

CreateaMySQLMulti-AZAmazonRDSInstance1. LogintotheAWSManagementConsole.

2. NavigatetotheAmazonRDSconsole.

3. CreateaDBsubnetgroupwithanameofCh14-SubnetGroupandadescriptionofSubnetgroupforCh14exercises.CreatetheDBsubnetgroupintheAmazonVPCfromExercise14.1withtheprivatesubnetsfromExercise14.7.

4. LaunchaMySQLAmazonRDSinstancewiththefollowingcharacteristics:

DBInstanceClass:db.t2.small

Multi-AZDeployment:yes

AllocatedStorage:nolessthan5GB

DBInstanceIdentifier:ch14db

MasterUserName:yourchoice

MasterPassword:yourchoice

VPC:theAmazonVPCfromExercise14.1

DBSecurityGroup:Ch14-SubnetGroup

PubliclyAccessible:No

VPCSecurityGroup:Ch14-DB-SG

DatabaseName:appdb

DatabasePort:3306

Page 480: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

EXERCISE14.10

CreateanElasticLoadBalancer(ELB)1. LogintotheAWSManagementConsole.

2. NavigatetotheAmazonEC2console.

3. CreateanELBwithaloadbalancernameofCh14-WebServer-ELB.CreatetheELBintheAmazonVPCfromExercise14.1withalistenerconfigurationofthefollowing:

LoadBalancerProtocol:HTTP

LoadBalancerPort:80

InstanceProtocol:HTTP

InstancePort:80

4. AddthepublicsubnetscreatedinExercise14.4.

5. AssigntheexistingsecuritygroupofCh14-ELB-SGcreatedinExercise14.8.

6. ConfigurethehealthcheckwithapingprotocolofHTTP,apingportof80,andapingpathof/index.html.

7. AddatagwithakeyofNameandvalueofCh14-WebServer-ELB.

8. UpdatetheELBportconfigurationtoenableload-balancergeneratedcookiestickinesswithanexpirationperiodof30seconds.

Page 481: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

EXERCISE14.11

CreateaWebServerAutoScalingGroup1. LogintotheAWSManagementConsole.

2. NavigatetotheAmazonEC2console.

3. CreatealaunchconfigurationforthewebserverAutoScalinggroupwiththefollowingcharacteristics:

AMI:latestAmazonLinuxAMI

InstanceType:t2.small

Name:Ch14-WebServer-LC

Userdata:

#!/bin/bash

yumupdate–y

yuminstall-yphp

yuminstall-yphp-mysql

yuminstall-ymysql

yuminstall-yhttpd

echo"<html><body><h1>poweredbyAWS</h1></body></html>">

/var/www/html/index.html

servicehttpdstart

SecurityGroup:Ch14-WebServer-SG

KeyPair:existingornewkeypairforyouraccount

4. CreateanAutoScalinggroupforthewebserversfromthelaunchconfigurationCh14-WebServer-LCwithagroupnameofCh14-WebServer-AG.CreatetheAutoScalinggroupintheAmazonVPCfromExercise14.1withthepublicsubnetscreatedinExercise14.4andagroupsizeof2.

5. AssociatetheloadbalancerCh14-WebServer-ELBcreatedinExercise14.10totheAutoScalinggroup.

6. AddanametagwithakeyofNameandvalueofCh14-WebServer-AGtotheAutoScalinggroup.

Youwillneedyourowndomainnametocompletethissection,andyoushouldbeawarethatAmazonRoute53isnoteligibleforAWSFreeTier.HostingazoneonAmazonRoute53willcostapproximately$0.50permonthperhostedzone,andadditionalchargeswillbelevieddependingonwhatroutingpolicyyouchoose.FormoreinformationonAmazonRoute53pricing,refertohttp://aws.amazon.com/route53/pricing/.

Page 482: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

EXERCISE14.12

CreateaRoute53HostedZone1. LogintotheAWSManagementConsole.

2. NavigatetotheAmazonRoute53consoleandcreateahostedzone.

3. Enteryourdomainnameandcreateyournewzonefile.

4. Inthenewzonefile,youwillseetheStartofAuthority(SOA)recordandnameservers.Youwillneedtologintoyourdomainregistrar’swebsiteandupdatethenameserverswithyourAWSnameservers.

IftheregistrarhasamethodtochangetheTimeToLive(TTL)settingsfortheirnameservers,itisrecommendedthatyouresetthesettingsto900seconds.Thislimitsthetimeduringwhichclientrequestswilltrytoresolvedomainnamesusingobsoletenameservers.YouwillneedtowaitforthedurationofthepreviousTTLforresolversandclientstostopcachingtheDNSrecordswiththeirpreviousvalues.

5. Afteryouupdateyournameserverswithyourdomainregistrars,AmazonRoute53willbeconfiguredtoserveDNSrequestsforyourdomain.

EXERCISE14.13

CreateanAliasARecord1. LogintotheAWSManagementConsole.

2. NavigatetotheAmazonRoute53console.

3. SelectyourRoute53hostedzonecreatedinExercise14.12.CreatearecordsetwithanameofwwwandatypeofA—IPv4Address.

4. CreateanaliaswithanaliastargetoftheELBCh14-WebServer-ELBcreatedinExercise14.10andleaveyourroutingpolicyassimple.

Page 483: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

EXERCISE14.14

TestYourConfiguration1. LogintotheAWSManagementConsole.

2. NavigatetotheAmazonEC2console.

3. VerifythattheELBcreatedinExercise14.11has2of2instancesinservice.

4. Inawebbrowser,navigatetothewebfarm(www.example.com)usingtheHostedZoneArecordcreatedinExercise14.13.YoushouldseethepoweredbyAWSonthewebpage.

Page 484: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

ReviewQuestions1. Whendesigningalooselycoupledsystem,whichAWSservicesprovideanintermediatedurablestoragelayerbetweencomponents?(Choose2answers)

A. AmazonCloudFront

B. AmazonKinesis

C. AmazonRoute53

D. AWSCloudFormation

E. AmazonSimpleQueueService(AmazonSQS)

2. Whichofthefollowingoptionswillhelpincreasetheavailabilityofawebserverfarm?(Choose2answers)

A. UseAmazonCloudFronttodelivercontenttotheenduserswithlowlatencyandhighdatatransferspeeds.

B. LaunchthewebserverinstancesacrossmultipleAvailabilityZones.

C. LeverageAutoScalingtorecoverfromfailedinstances.

D. DeploytheinstancesinanAmazonVirtualPrivateCloud(AmazonVPC).

E. AddmoreCPUandRAMtoeachinstance.

3. WhichofthefollowingAWSCloudservicesaredesignedaccordingtotheMulti-AZprinciple?(Choose2answers)

A. AmazonDynamoDB

B. AmazonElastiCache

C. ElasticLoadBalancing

D. AmazonVirtualPrivateCloud(AmazonVPC)

E. AmazonSimpleStorageService(AmazonS3)

4. Youre-commercesitewasdesignedtobestatelessandcurrentlyrunsonafleetofAmazonElasticComputeCloud(AmazonEC2)instances.Inanefforttocontrolcostandincreaseavailability,youhavearequirementtoscalethefleetbasedonCPUandnetworkutilizationtomatchthedemandcurveforyoursite.Whatservicesdoyouneedtomeetthisrequirement?(Choose2answers)

A. AmazonCloudWatch

B. AmazonDynamoDB

C. ElasticLoadBalancing

D. AutoScaling

E. AmazonSimpleStorageService(AmazonS3)

5. YourcompliancedepartmenthasmandatedanewrequirementthatalldataonAmazon

Page 485: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

ElasticBlockStorage(AmazonEBS)volumesmustbeencrypted.WhichofthefollowingstepswouldyoufollowforyourexistingAmazonEBSvolumestocomplywiththenewrequirement?(Choose3answers)

A. MovetheexistingAmazonEBSvolumeintoanAmazonVirtualPrivateCloud(AmazonVPC).

B. CreateanewAmazonEBSvolumewithencryptionenabled.

C. ModifytheexistingAmazonEBSvolumepropertiestoenableencryption.

D. AttachanAmazonEBSvolumewithencryptionenabledtotheinstancethathoststhedata,thenmigratethedatatotheencryption-enabledAmazonEBSvolume.

E. CopythedatafromtheunencryptedAmazonEBSvolumetotheAmazonEBSvolumewithencryptionenabled.

6. WhenbuildingaDistributedDenialofService(DDoS)-resilientarchitecture,howdoesAmazonVirtualPrivateCloud(AmazonVPC)helpminimizetheattacksurfacearea?(Choose3answers)

A. ReducesthenumberofnecessaryInternetentrypoints

B. Combinesendusertrafficwithmanagementtraffic

C. ObfuscatesnecessaryInternetentrypointstothelevelthatuntrustedenduserscannotaccessthem

D. Addsnon-criticalInternetentrypointstothearchitecture

E. ScalesthenetworktoabsorbDDoSattacks

7. Youre-commerceapplicationprovidesdailyandadhocreportingtovariousbusinessunitsoncustomerpurchases.ThisisresultinginanextremelyhighlevelofreadtraffictoyourMySQLAmazonRelationalDatabaseService(AmazonRDS)instance.Whatcanyoudotoscaleupreadtrafficwithoutimpactingyourdatabase’sperformance?

A. IncreasetheallocatedstoragefortheAmazonRDSinstance.

B. ModifytheAmazonRDSinstancetobeaMulti-AZdeployment.

C. CreateareadreplicaforanAmazonRDSinstance.

D. ChangetheAmazonRDSinstanceDBengineversion.

8. YourwebsiteishostedonafleetofwebserversthatareloadbalancedacrossmultipleAvailabilityZonesusinganElasticLoadBalancer(ELB).WhattypeofrecordsetinAmazonRoute53canbeusedtopointmyawesomeapp.comtoyourwebsite?

A. TypeAAliasresourcerecordset

B. MXrecordset

C. TXTrecordset

D. CNAMErecordset

9. YouneedasecurewaytodistributeyourAWScredentialstoanapplicationrunningonAmazonElasticComputeCloud(AmazonEC2)instancesinordertoaccess

Page 486: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

supplementaryAWSCloudservices.Whatapproachprovidesyourapplicationaccesstouseshort-termcredentialsforsigningrequestswhileprotectingthosecredentialsfromotherusers?

A. AddyourcredentialstotheUserDataparameterofeachAmazonEC2instance.

B. UseaconfigurationfiletostoreyouraccessandsecretkeysontheAmazonEC2instances.

C. Specifyyouraccessandsecretkeysdirectlyinyourapplication.

D. ProvisiontheAmazonEC2instanceswithaninstanceprofilethathastheappropriateprivileges.

10. YouarerunningasuiteofmicroservicesonAWSLambdathatprovidethebusinesslogicandaccesstodatastoredinAmazonDynamoDBforyourtaskmanagementsystem.Youneedtocreatewell-definedRESTfulApplicationProgramInterfaces(APIs)forthesemicroservicesthatwillscalewithtraffictosupportanewmobileapplication.WhatAWSCloudservicecanyouusetocreatethenecessaryRESTfulAPIs?

A. AmazonKinesis

B. AmazonAPIGateway

C. AmazonCognito

D. AmazonElasticComputeCloud(AmazonEC2)ContainerRegistry

11. YourWordPresswebsiteishostedonafleetofAmazonElasticComputeCloud(AmazonEC2)instancesthatleverageAutoScalingtoprovidehighavailability.ToensurethatthecontentoftheWordPresssiteissustainedthroughscaleupandscaledownevents,youneedacommonfilesystemthatissharedbetweenmorethanoneAmazonEC2instance.WhichAWSCloudservicecanmeetthisrequirement?

A. AmazonCloudFront

B. AmazonElastiCache

C. AmazonElasticFileSystem(AmazonEFS)

D. AmazonElasticBeanstalk

12. YouarechangingyourapplicationtomovesessionstateinformationofftheindividualAmazonElasticComputeCloud(AmazonEC2)instancestotakeadvantageoftheelasticityandcostbenefitsprovidedbyAutoScaling.WhichofthefollowingAWSCloudservicesisbestsuitedasanalternativeforstoringsessionstateinformation?

A. AmazonDynamoDB

B. AmazonRedshift

C. AmazonStorageGateway

D. AmazonKinesis

13. Amediasharingapplicationisproducingaveryhighvolumeofdatainaveryshortperiodoftime.Yourback-endservicesareunabletomanagethelargevolumeoftransactions.Whatoptionprovidesawaytomanagetheflowoftransactionstoyour

Page 487: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

back-endservices?

A. StoretheinboundtransactionsinanAmazonRelationalDatabaseService(AmazonRDS)instancesothatyourback-endservicescanretrievethemastimepermits.

B. UseanAmazonSimpleQueueService(AmazonSQS)queuetobuffertheinboundtransactions.

C. UseanAmazonSimpleNotificationService(AmazonSNS)topictobuffertheinboundtransactions.

D. StoretheinboundtransactionsinanAmazonElasticMapReduce(AmazonEMR)clustersothatyourback-endservicescanretrievethemastimepermits.

14. WhichofthefollowingarebestpracticesformanagingAWSIdentityandAccessManagement(IAM)useraccesskeys?(Choose3answers)

A. Embedaccesskeysdirectlyintoapplicationcode.

B. Usedifferentaccesskeysfordifferentapplications.

C. Rotateaccesskeysperiodically.

D. Keepunusedaccesskeysforanindefiniteperiodoftime.

E. ConfigureMulti-FactorAuthentication(MFA)foryourmostsensitiveoperations.

15. YouneedtoimplementaservicetoscanApplicationProgramInterface(API)callsandrelatedevents’historytoyourAWSaccount.Thisservicewilldetectthingslikeunusedpermissions,overuseofprivilegedaccounts,andanomalouslogins.WhichofthefollowingAWSCloudservicescanbeleveragedtoimplementthisservice?(Choose3answers)

A. AWSCloudTrail

B. AmazonSimpleStorageService(AmazonS3)

C. AmazonRoute53

D. AutoScaling

E. AWSLambda

16. Governmentregulationsrequirethatyourcompanymaintainallcorrespondenceforaperiodofsevenyearsforcompliancereasons.Whatisthebeststoragemechanismtokeepthisdatasecureinacost-effectivemanner?

A. AmazonS3

B. AmazonGlacier

C. AmazonEBS

D. AmazonEFS

17. YourcompanyprovidesmediacontentviatheInternettocustomersthroughapaidsubscriptionmodel.YouleverageAmazonCloudFronttodistributecontenttoyourcustomerswithlowlatency.Whatapproachcanyouusetoservethisprivatecontentsecurelytoyourpaidsubscribers?

Page 488: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

A. ProvidesignedAmazonCloudFrontURLstoauthenticateduserstoaccessthepaidcontent.

B. UseHTTPSrequeststoensurethatyourobjectsareencryptedwhenAmazonCloudFrontservesthemtoviewers.

C. ConfigureAmazonCloudFronttocompressthemediafilesautomaticallyforpaidsubscribers.

D. UsetheAmazonCloudFrontgeorestrictionfeaturetorestrictaccesstoallofthepaidsubscriptionmediaatthecountrylevel.

18. Yourcompanyprovidestranscodingservicesforamateurproducerstoformattheirshortfilmstoavarietyofvideoformats.Whichserviceprovidesthebestoptionforstoringthevideos?

A. AmazonGlacier

B. AmazonSimpleStorageService(AmazonS3)

C. AmazonRelationalDatabaseService(AmazonRDS)

D. AWSStorageGateway

19. AweekbeforeCyberMondaylastyear,yourcorporatedatacenterexperiencedafailedairconditioningunitthatcausedfloodingintotheserverracks.Theresultingoutagecostyourcompanysignificantrevenue.YourCIOmandatedamovetothecloud,butheisstillconcernedaboutcatastrophicfailuresinadatacenter.Whatcanyoudotoalleviatehisconcerns?

A. DistributethearchitectureacrossmultipleAvailabilityZones.

B. UseanAmazonVirtualPrivateCloud(AmazonVPC)withsubnets.

C. Launchthecomputefortheprocessingservicesinaplacementgroup.

D. PurchaseReservedInstancesfortheprocessingservicesinstances.

20. YourAmazonVirtualPrivateCloud(AmazonVPC)includesmultipleprivatesubnets.Theinstancesintheseprivatesubnetsmustaccessthird-partypaymentApplicationProgramInterfaces(APIs)overtheInternet.WhichoptionwillprovidehighlyavailableInternetaccesstotheinstancesintheprivatesubnets?

A. CreateanAWSStorageGatewayineachAvailabilityZoneandconfigureyourroutingtoensurethatresourcesusetheAWSStorageGatewayinthesameAvailabilityZone.

B. CreateacustomergatewayineachAvailabilityZoneandconfigureyourroutingtoensurethatresourcesusethecustomergatewayinthesameAvailabilityZone.

C. CreateaNetworkAddressTranslation(NAT)gatewayineachAvailabilityZoneandconfigureyourroutingtoensurethatresourcesusetheNATgatewayinthesameAvailabilityZone.

D. CreateaNATgatewayinoneAvailabilityZoneandconfigureyourroutingtoensurethatresourcesusethatNATgatewayinalltheAvailabilityZones.

Page 489: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

AppendixAAnswerstoReviewQuestions

Page 490: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

Chapter1:IntroductiontoAWS1. D.AregionisanamedsetofAWSresourcesinthesamegeographicalarea.AregioncomprisesatleasttwoAvailabilityZones.Endpoint,Collection,andFleetdonotdescribeaphysicallocationaroundtheworldwhereAWSclustersdatacenters.

2. A.AnAvailabilityZoneisadistinctlocationwithinaregionthatisinsulatedfromfailuresinotherAvailabilityZonesandprovidesinexpensive,low-latencynetworkconnectivitytootherAvailabilityZonesinthesameregion.Replicationareas,geographicdistricts,andcomputecentersarenottermsusedtodescribeAWSdatacenterlocations.

3. B.Ahybriddeploymentisawaytoconnectinfrastructureandapplicationsbetweencloud-basedresourcesandexistingresourcesthatarenotlocatedinthecloud.Anall-indeploymentreferstoanenvironmentthatexclusivelyrunsinthecloud.Anon-premisesdeploymentreferstoanenvironmentthatrunsexclusivelyinanorganization’sdatacenter.

4. C.AmazonCloudWatchisamonitoringserviceforAWSCloudresourcesandtheapplicationsorganizationsrunonAWS.Itallowsorganizationstocollectandtrackmetrics,collectandmonitorlogfiles,andsetalarms.AWSIAM,AmazonSNS,andAWSCloudFormationdonotprovidevisibilityintoresourceutilization,applicationperformance,andtheoperationalhealthofyourAWSresources.

5. B.AmazonDynamoDBisafullymanaged,fast,andflexibleNoSQLdatabaseserviceforallapplicationsthatneedconsistent,single-digitmillisecondlatencyatanyscale.AmazonSQS,AmazonElastiCache,andAmazonRDSdonotprovideaNoSQLdatabaseservice.AmazonSQSisamanagedmessagequeuingservice.AmazonElastiCacheisaservicethatprovidesin-memorycacheinthecloud.Finally,AmazonRDSprovidesmanagedrelationaldatabases.

6. A.AutoScalinghelpsmaintainapplicationavailabilityandallowsorganizationstoscaleAmazonElasticComputeCloud(AmazonEC2)capacityupordownautomaticallyaccordingtoconditionsdefinedfortheparticularworkload.NotonlycanitbeusedtohelpensurethatthedesirednumberofAmazonEC2instancesarerunning,butitalsoallowsresourcestoscaleinandouttomatchthedemandsofdynamicworkloads.AmazonGlacier,AmazonSNS,andAmazonVPCdonotprovideservicestoscalecomputecapacityautomatically.

7. D.AmazonCloudFrontisawebservicethatprovidesaCDNtospeedupdistributionofyourstaticanddynamicwebcontent—forexample,.html,.css,.php,image,andmediafiles—toendusers.AmazonCloudFrontdeliverscontentthroughaworldwidenetworkofedgelocations.AmazonEC2,AmazonRoute53,andAWSStorageGatewaydonotprovideCDNservicesthatarerequiredtomeettheneedsforthephotosharingservice.

8. A.AmazonEBSprovidespersistentblock-levelstoragevolumesforusewithAmazonEC2instancesontheAWSCloud.AmazonDynamoDB,AmazonGlacier,andAWSCloudFormationdonotprovidepersistentblock-levelstorageforAmazonEC2instances.AmazonDynamoDBprovidesmanagedNoSQLdatabases.AmazonGlacierprovideslow-costarchivalstorage.AWSCloudFormationgivesdevelopersandsystemsadministratorsaneasywaytocreateandmanageacollectionofrelatedAWSresources.

Page 491: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

9. C.AmazonVPCletsorganizationsprovisionalogicallyisolatedsectionoftheAWSCloudwheretheycanlaunchAWSresourcesinavirtualnetworkthattheydefine.AmazonSWF,AmazonRoute53,andAWSCloudFormationdonotprovideavirtualnetwork.AmazonSWFhelpsdevelopersbuild,run,andscalebackgroundjobsthathaveparallelorsequentialsteps.AmazonRoute53providesahighlyavailableandscalablecloudDomainNameSystem(DNS)webservice.AmazonCloudFormationgivesdevelopersandsystemsadministratorsaneasywaytocreateandmanageacollectionofrelatedAWSresources.

10. B.AmazonSQSisafast,reliable,scalable,fullymanagedmessagequeuingservicethatallowsorganizationstodecouplethecomponentsofacloudapplication.WithAmazonSQS,organizationscantransmitanyvolumeofdata,atanylevelofthroughput,withoutlosingmessagesorrequiringotherservicestobealwaysavailable.AWSCloudTrailrecordsAWSAPIcalls,andAmazonRedshiftisadatawarehouse,neitherofwhichwouldbeusefulasanarchitecturecomponentfordecouplingcomponents.AmazonSNSprovidesamessagingbuscomplementtoAmazonSQS;however,itdoesn’tprovidethedecouplingofcomponentsnecessaryforthisscenario.

Page 492: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

Chapter2:AmazonSimpleStorageService(AmazonS3)andAmazonGlacierStorage1. D,E.Objectsarestoredinbuckets,andobjectscontainbothdataandmetadata.

2. B,D.AmazonS3cannotbemountedtoanAmazonEC2instancelikeafilesystemandshouldnotserveasprimarydatabasestorage.

3. A,B,D.CandEareincorrect—objectsareprivatebydefault,andstorageinabucketdoesnotneedtobepre-allocated.

4. B,C,E.Staticwebsitehostingdoesnotrestrictdataaccess,andneitherdoesanAmazonS3lifecyclepolicy.

5. C,E.Versioningprotectsdataagainstinadvertentorintentionaldeletionbystoringallversionsoftheobject,andMFADeleterequiresaone-timecodefromaMulti-FactorAuthentication(MFA)devicetodeleteobjects.Cross-regionreplicationandmigrationtotheAmazonGlacierstorageclassdonotprotectagainstdeletion.VaultlocksareafeatureofAmazonGlacier,notafeatureofAmazonS3.

6. C.MigratingthedatatoAmazonS3Standard-IAafter30daysusingalifecyclepolicyiscorrect.AmazonS3RRSshouldonlybeusedforeasilyreplicateddata,notcriticaldata.MigrationtoAmazonGlaciermightminimizestoragecostsifretrievalsareinfrequent,butdocumentswouldnotbeavailableinminuteswhenneeded.

7. B.Dataisautomaticallyreplicatedwithinaregion.Replicationtootherregionsandversioningareoptional.AmazonS3dataisnotbackeduptotape.

8. C.InaURL,thebucketnameprecedesthestring“s3.amazonaws.com/,”andtheobjectkeyiseverythingafterthat.ThereisnofolderstructureinAmazonS3.

9. C.AmazonS3serveraccesslogsstorearecordofwhatrequestoraccessedtheobjectsinyourbucket,includingtherequestingIPaddress.

10. B,C.Cross-regionreplicationcanhelplowerlatencyandsatisfycompliancerequirementsondistance.AmazonS3isdesignedforelevenninesdurabilityforobjectsinasingleregion,soasecondregiondoesnotsignificantlyincreasedurability.Cross-regionreplicationdoesnotprotectagainstaccidentaldeletion.

11. C.IfdatamustbeencryptedbeforebeingsenttoAmazonS3,client-sideencryptionmustbeused.

12. B.AmazonS3scalesautomatically,butforrequestratesover100GETSpersecond,ithelpstomakesurethereissomerandomnessinthekeyspace.Replicationandloggingwillnotaffectperformanceorscalability.Usingsequentialkeynamescouldhaveanegativeeffectonperformanceorscalability.

13. A,D.Youmustenableversioningbeforeyoucanenablecross-regionreplication,andAmazonS3musthaveIAMpermissionstoperformthereplication.Lifecyclerulesmigratedatafromonestorageclasstoanother,notfromonebuckettoanother.Staticwebsitehostingisnotaprerequisiteforreplication.

14. B.AmazonS3isthemostcosteffectivestorageonAWS,andlifecyclepoliciesarea

Page 493: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

simpleandeffectivefeaturetoaddressthebusinessrequirements.

15. B,C,E.AmazonS3bucketpoliciescannotspecifyacompanynameoracountryororigin,buttheycanspecifyrequestIPrange,AWSaccount,andaprefixforobjectsthatcanbeaccessed.

16. B,C.AmazonS3providesread-after-writeconsistencyforPUTstonewobjects(newkey),buteventualconsistencyforGETsandDELETEsofexistingobjects(existingkey).

17. A,B,D.A,B,andDarerequired,andnormallyyoualsosetafriendlyCNAMEtothebucketURL.AmazonS3doesnotsupportFTPtransfers,andHTTPdoesnotneedtobeenabled.

18. B.Pre-signedURLsallowyoutogranttime-limitedpermissiontodownloadobjectsfromanAmazonSimpleStorageService(AmazonS3)bucket.Staticwebhostinggenerallyrequiresworld-readaccesstoallcontent.AWSIAMpoliciesdonotknowwhotheauthenticatedusersofthewebappare.Loggingcanhelptrackcontentloss,butnotpreventit.

19. A,C.AmazonGlacierisoptimizedforlong-termarchivalstorageandisnotsuitedtodatathatneedsimmediateaccessorshort-liveddatathatiserasedwithin90days.

20. C,D,E.AmazonGlacierstoresdatainarchives,whicharecontainedinvaults.Archivesareidentifiedbysystem-createdarchiveIDs,notkeynames.

Page 494: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

Chapter3:AmazonElasticComputeCloud(AmazonEC2)andAmazonElasticBlockStore(AmazonEBS)1. C.ReservedInstancesprovidecostsavingswhenyoucancommittorunninginstancesfulltime,suchastohandlethebasetraffic.On-DemandInstancesprovidetheflexibilitytohandletrafficspikes,suchasonthelastdayofthemonth.

2. B.SpotInstancesareaverycost-effectivewaytoaddresstemporarycomputeneedsthatarenoturgentandaretolerantofinterruption.That’sexactlytheworkloaddescribedhere.ReservedInstancesareinappropriatefortemporaryworkloads.On-DemandInstancesaregoodfortemporaryworkloads,butdon’tofferthecostsavingsofSpotInstances.Addingmorequeuesisanon-responsiveanswerasitwouldnotaddresstheproblem.

3. C,D.TheAmazonEC2instanceIDwillbeassignedbyAWSaspartofthelaunchprocess.TheadministratorpasswordisassignedbyAWSandencryptedviathepublickey.TheinstancetypedefinesthevirtualhardwareandtheAMIdefinestheinitialsoftwarestate.Youmustspecifybothuponlaunch.

4. A,C.Youcanchangetheinstancetypeonlywithinthesameinstancetypefamily,oryoucanchangetheAvailabilityZone.Youcannotchangetheoperatingsystemnortheinstancetypefamily.

5. D.Whentherearemultiplesecuritygroupsassociatedwithaninstance,alltherulesareaggregated.

6. A,B,E.Thesearethebenefitsofenhancednetworking.

7. A,B,D.Theotheranswershavenothingtodowithnetworking.

8. C.DedicatedInstanceswillnotsharehostswithotheraccounts.

9. B,C.Instancestoresarelow-durability,high-IOPSstoragethatisincludedforfreewiththehourlycostofaninstance.

10. A,C.TherearenotapesintheAWSinfrastructure.AmazonEBSvolumespersistwhentheinstanceisstopped.ThedataisautomaticallyreplicatedwithinanAvailabilityZone.AmazonEBSvolumescanbeencrypteduponcreationandusedbyaninstanceinthesamemannerasiftheywerenotencrypted.

11. B.Thereisnodelayinprocessingwhencommencingasnapshot.

12. B.Thevolumeiscreatedimmediatelybutthedataisloadedlazily.Thismeansthatthevolumecanbeaccesseduponcreation,andifthedatabeingrequestedhasnotyetbeenrestored,itwillberestoreduponfirstrequest.

13. A,C.BandDareincorrectbecauseaninstancestorewillnotbedurableandamagneticvolumeoffersanaverageof100IOPS.AmazonEBS-optimizedinstancesreservenetworkbandwidthontheinstanceforIO,andProvisionedIOPSSSDvolumesprovidethehighestconsistentIOPS.

14. D.Bootstrappingrunstheprovidedscript,soanythingyoucanaccomplishinascriptyoucanaccomplishduringbootstrapping.

Page 495: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

15. C.Thepublichalfofthekeypairisstoredontheinstance,andtheprivatehalfcanthenbeusedtoconnectviaSSH.

16. B,C.ThesearethepossibleoutputsofVMImport/Export.

17. B,D.NeithertheWindowsmachinenamenortheAmazonEC2instanceIDcanberesolvedintoanIPaddresstoaccesstheinstance.

18. A.Noneoftheotheroptionswillhaveanyeffectontheabilitytoconnect.

19. C.Ashortperiodofheavytrafficisexactlytheusecasefortheburstingnatureofgeneral-purposeSSDvolumes—therestofthedayismorethanenoughtimetobuildupenoughIOPScreditstohandlethenightlytask.Instancestoresarenotdurable,magneticvolumescannotprovideenoughIOPS,andtosetupaProvisionedIOPSSSDvolumetohandlethepeakwouldmeanspendingmoneyformoreIOPSthanyouneed.

20. B.ThereisaverysmallhourlychargeforallocatedelasticIPaddressesthatarenotassociatedwithaninstance.

Page 496: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

Chapter4:AmazonVirtualPrivateCloud(AmazonVPC)1. C.TheminimumsizesubnetthatyoucanhaveinanAmazonVPCis/28.

2. C.Youneedtwopublicsubnets(oneforeachAvailabilityZone)andtwoprivatesubnets(oneforeachAvailabilityZone).Therefore,youneedfoursubnets.

3. A.NetworkACLsareassociatedtoaVPCsubnettocontroltrafficflow.

4. A.ThemaximumsizesubnetthatyoucanhaveinaVPCis/16.

5. D.BycreatingarouteouttotheInternetusinganIGW,youhavemadethissubnetpublic.

6. A.WhenyoucreateanAmazonVPC,aroutetableiscreatedbydefault.YoumustmanuallycreatesubnetsandanIGW.

7. C.WhenyouprovisionanAmazonVPC,allsubnetscancommunicatewitheachotherbydefault.

8. A.YoumayonlyhaveoneIGWforeachAmazonVPC.

9. B.Securitygroupsarestateful,whereasnetworkACLsarestateless.

10. C.Youshoulddisablesource/destinationchecksontheNAT.

11. B,E.IntheEC2-Classicnetwork,theEIPwillbedisassociatedwiththeinstance;intheEC2-VPCnetwork,theEIPremainsassociatedwiththeinstance.Regardlessoftheunderlyingnetwork,astop/startofanAmazonEBS-backedAmazonEC2instancealwayschangesthehostcomputer.

12. D.SixVPCPeeringconnectionsareneededforeachofthefourVPCstosendtraffictotheother.

13. B.ADHCPoptionsetallowscustomerstodefineDNSserversforDNSnameresolution,establishdomainnamesforinstanceswithinanAmazonVPC,defineNTPservers,anddefinetheNetBIOSnameservers.

14. D.ACGWisthecustomersideofaVPNconnection,andanIGWconnectsanetworktotheInternet.AVPGistheAmazonsideofaVPNconnection.

15. A.ThedefaultlimitforthenumberofAmazonVPCsthatacustomermayhaveinaregionis5.

16. B.NetworkACLrulescandenytraffic.

17. D.IPsecisthesecurityprotocolsupportedbyAmazonVPC.

18. D.AnAmazonVPCendpointenablesyoutocreateaprivateconnectionbetweenyourAmazonVPCandanotherAWSservicewithoutrequiringaccessovertheInternetorthroughaNATdevice,VPNconnection,orAWSDirectConnect.

19. A,C.TheCIDRblockisspecifieduponcreationandcannotbechanged.AnAmazonVPCisassociatedwithexactlyoneregionwhichmustbespecifieduponcreation.YoucanaddasubnettoanAmazonVPCanytimeafterithasbeencreated,provideditsaddressrangefallswithintheAmazonVPCCIDRblockanddoesnotoverlapwiththeaddressrangeof

Page 497: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

anyexistingCIDRblock.YoucansetuppeeringrelationshipsbetweenAmazonVPCsaftertheyhavebeencreated.

20. B.AttachinganENIassociatedwithadifferentsubnettoaninstancecanmaketheinstancedual-homed.

Page 498: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

Chapter5:ElasticLoadBalancing,AmazonCloudWatch,andAutoScaling1. A,D.AnAutoScalinggroupmusthaveaminimumsizeandalaunchconfigurationdefinedinordertobecreated.Healthchecksandadesiredcapacityareoptional.

2. B.Theloadbalancermaintainstwoseparateconnections:oneconnectionwiththeclientandoneconnectionwiththeAmazonEC2instance.

3. D.AmazonCloudWatchmetricdataiskeptfor2weeks.

4. A.Onlythelaunchconfigurationname,AMI,andinstancetypeareneededtocreateanAutoScalinglaunchconfiguration.Identifyingakeypair,securitygroup,andablockdevicemappingareoptionalelementsforanAutoScalinglaunchconfiguration.

5. B.YoucanusetheAmazonCloudWatchLogsAgentinstalleronexistingAmazonEC2instancestoinstallandconfiguretheCloudWatchLogsAgent.

6. C.Youconfigureyourloadbalancertoacceptincomingtrafficbyspecifyingoneormorelisteners.

7. D.ThedefaultAmazonEC2instancelimitforallregionsis20.

8. A.AnSSLcertificatemustspecifythenameofthewebsiteineitherthesubjectnameorlistedasavalueintheSANextensionofthecertificateinorderforconnectingclientstonotreceiveawarning.

9. C.WhenAmazonEC2instancesfailtherequisitenumberofconsecutivehealthchecks,theloadbalancerstopssendingtraffictotheAmazonEC2instance.

10. D.AmazonCloudWatchmetricsprovidehypervisorvisiblemetrics.

11. C.AutoScalingisdesignedtoscaleoutbasedonaneventlikeincreasedtrafficwhilebeingcosteffectivewhennotneeded.

12. B.AutoScalingwillprovidehighavailabilityacrossthreeAvailabilityZoneswiththreeAmazonEC2instancesineachandkeepcapacityabovetherequiredminimumcapacity,evenintheeventofanentireAvailabilityZonebecomingunavailable.

13. B,E,F.AutoScalingrespondstochangingconditionsbyaddingorterminatinginstances,launchesinstancesfromanAMIspecifiedinthelaunchconfigurationassociatedwiththeAutoScalinggroup,andenforcesaminimumnumberofinstancesinthemin-sizeparameteroftheAutoScalinggroup.

14. D.A,B,andCarealltruestatementsaboutlaunchconfigurationsbeinglooselycoupledandreferencedbytheAutoScalinggroupinsteadofbeingpartoftheAutoScalinggroup.

15. A,C.AnAutoScalinggroupmayuseOn-DemandandSpotInstances.AnAutoScalinggroupmaynotusealreadystoppedinstances,instancesrunningsomeplaceotherthanAWS,andalreadyrunninginstancesnotstartedbytheAutoScalinggroupitself.

16. A,F.AmazonCloudWatchhastwoplans:basic,whichisfree,anddetailed,whichhasanadditionalcost.ThereisnoadhocplanforAmazonCloudWatch.

Page 499: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

17. A,C,D.AnElasticLoadBalancinghealthcheckmaybeaping,aconnectionattempt,orapagethatischecked.

18. B,C.Whenconnectiondrainingisenabled,theloadbalancerwillstopsendingrequeststoaderegisteredorunhealthyinstanceandattempttocompletein-flightrequestsuntilaconnectiondrainingtimeoutperiodisreached,whichis300secondsbydefault.

19. B,E,F.ElasticLoadBalancingsupportsInternet-facing,internal,andHTTPSloadbalancers.

20. B,D,E.AutoScalingsupportsmaintainingthecurrentsizeofanAutoScalinggroupusingfourplans:maintaincurrentlevels,manualscaling,scheduledscaling,anddynamicscaling.

Page 500: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

Chapter6:AWSIdentityandAccessManagement(IAM)1. B,C.Programmaticaccessisauthenticatedwithanaccesskey,notwithusernames/passwords.IAMrolesprovideatemporarysecuritytokentoanapplicationusinganSDK.

2. A,C.IAMpoliciesareindependentofregion,sonoregionisspecifiedinthepolicy.IAMpoliciesareaboutauthorizationforanalready-authenticatedprincipal,sonopasswordisneeded.

3. A,B,C,E.Lockingdownyourrootuserandallaccountstowhichtheadministratorhadaccessisthekeyhere.DeletingallIAMaccountsisnotnecessary,anditwouldcausegreatdisruptiontoyouroperations.AmazonEC2rolesusetemporarysecuritytokens,sorelaunchingAmazonEC2instancesisnotnecessary.

4. B,D.IAMcontrolsaccesstoAWSresourcesonly.InstallingASP.NETwillrequireWindowsoperatingsystemauthorization,andqueryinganOracledatabasewillrequireOracleauthorization.

5. A,C.AmazonDynamoDBglobalsecondaryindexesareaperformancefeatureofAmazonDynamoDB;ConsolidatedBillingisanaccountingfeatureallowingallbillstorollupunderasingleaccount.Whilebothareveryvaluablefeatures,neitherisasecurityfeature.

6. B,C.AmazonEC2rolesmuststillbeassignedapolicy.IntegrationwithActiveDirectoryinvolvesintegrationbetweenActiveDirectoryandIAMviaSAML.

7. A,D.AmazonEC2rolesprovideatemporarytokentoapplicationsrunningontheinstance;federationmapspoliciestoidentitiesfromothersourcesviatemporarytokens.

8. A,C,D.NeitherBnorEarefeaturessupportedbyIAM.

9. B,C.Accessrequiresanappropriatepolicyassociatedwithaprincipal.ResponseAismerelyapolicywithnoprincipal,andresponseDisnotaprincipalasIAMgroupsdonothaveusernamesandpasswords.ResponseBisthebestsolution;responseCwillalsoworkbutitismuchhardertomanage.

10. C.AnIAMpolicyisaJSONdocument.

Page 501: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

Chapter7:DatabasesandAWS1. B.AmazonRDSisbestsuitedfortraditionalOLTPtransactions.AmazonRedshift,ontheotherhand,isdesignedforOLAPworkloads.AmazonGlacierisdesignedforcoldarchivalstorage.

2. D.AmazonDynamoDBisbestsuitedfornon-relationaldatabases.AmazonRDSandAmazonRedshiftarebothstructuredrelationaldatabases.

3. C.Inthisscenario,thebestideaistousereadreplicastoscaleoutthedatabaseandthusmaximizereadperformance.WhenusingMulti-AZ,thesecondarydatabaseisnotaccessibleandallreadsandwritesmustgototheprimaryoranyreadreplicas.

4. A.AmazonRedshiftisbestsuitedfortraditionalOLAPtransactions.WhileAmazonRDScanalsobeusedforOLAP,AmazonRedshiftispurpose-builtasanOLAPdatawarehouse.

5. B.DBSnapshotscanbeusedtorestoreacompletecopyofthedatabaseataspecificpointintime.Individualtablescannotbeextractedfromasnapshot.

6. A.AllAmazonRDSdatabaseenginessupportMulti-AZdeployment.

7. B.ReadreplicasaresupportedbyMySQL,MariaDB,PostgreSQL,andAurora.

8. A.YoucanforceafailoverfromoneAvailabilityZonetoanotherbyrebootingtheprimaryinstanceintheAWSManagementConsole.Thisisoftenhowpeopletestafailoverintherealworld.Thereisnoneedtocreateasupportcase.

9. D.MonitortheenvironmentwhileAmazonRDSattemptstorecoverautomatically.AWSwillupdatetheDBendpointtopointtothesecondaryinstanceautomatically.

10. A.AmazonRDSsupportsMicrosoftSQLServerEnterpriseeditionandthelicenseisavailableonlyundertheBYOLmodel.

11. B.GeneralPurpose(SSD)volumesaregenerallytherightchoicefordatabasesthathaveburstsofactivity.

12. B.NoSQLdatabaseslikeAmazonDynamoDBexcelatscalingtohundredsofthousandsofrequestswithkey/valueaccesstouserprofileandsession.

13. A,C,D.DBsnapshotsallowyoutobackupandrecoveryourdata,whilereadreplicasandaMulti-AZdeploymentallowyoutoreplicateyourdataandreducethetimetofailover.

14. C,D.AmazonRDSallowsforthecreationofoneormoreread-replicasformanyenginesthatcanbeusedtohandlereads.AnothercommonpatternistocreateacacheusingMemcachedandAmazonElastiCachetostorefrequentlyusedqueries.ThesecondaryslaveDBInstanceisnotaccessibleandcannotbeusedtooffloadqueries.

15. A,B,C.Protectingyourdatabaserequiresamultilayeredapproachthatsecurestheinfrastructure,thenetwork,andthedatabaseitself.AmazonRDSisamanagedserviceanddirectaccesstotheOSisnotavailable.

16. A,B,C.Verticallyscalingupisoneofthesimpleroptionsthatcangiveyouadditionalprocessingpowerwithoutmakinganyarchitecturalchanges.Readreplicasrequiresome

Page 502: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

applicationchangesbutletyouscaleprocessingpowerhorizontally.Finally,busydatabasesareoftenI/O-bound,soupgradingstoragetoGeneralPurpose(SSD)orProvisionedIOPS(SSD)canoftenallowforadditionalrequestprocessing.

17. C.Queryisthemostefficientoperationtofindasingleiteminalargetable.

18. A.UsingtheUsernameasapartitionkeywillevenlyspreadyourusersacrossthepartitions.Messagesareoftenfiltereddownbytimerange,soTimestampmakessenseasasortkey.

19. B,D.Youcanonlyhaveasinglelocalsecondaryindex,anditmustbecreatedatthesametimethetableiscreated.Youcancreatemanyglobalsecondaryindexesafterthetablehasbeencreated.

20. B,C.AmazonRedshiftisanOnlineAnalyticalProcessing(OLAP)datawarehousedesignedforanalytics,Extract,Transform,Load(ETL),andhigh-speedquerying.Itisnotwellsuitedforrunningtransactionalapplicationsthatrequirehighvolumesofsmallinsertsorupdates.

Page 503: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

Chapter8:SQS,SWF,andSNS1. D.AmazonDynamoDBisnotasupportedAmazonSNSprotocol.

2. A.WhenyoucreateanewAmazonSNStopic,anAmazonARNiscreatedautomatically.

3. A,C,D.Publishers,subscribers,andtopicsarethecorrectanswers.YouhavesubscriberstoanAmazonSNStopic,notreaders.

4. A.ThedefaulttimeforanAmazonSQSvisibilitytimeoutis30seconds.

5. D.ThemaximumtimeforanAmazonSQSvisibilitytimeoutis12hours.

6. B,D.ThevalidpropertiesofanSQSmessageareMessageIDandBody.Eachmessagereceivesasystem-assignedMessageIDthatAmazonSQSreturnstoyouintheSendMessageresponse.TheMessageBodyiscomposedofname/valuepairsandtheunstructured,uninterpretedcontent.

7. B.Useasingledomainwithmultipleworkflows.Workflowswithinseparatedomainscannotinteract.

8. A,B,C.InAmazonSWF,actorscanbeactivityworkers,workflowstarters,ordeciders.

9. B.AmazonSWFwouldbestserveyourpurposeinthisscenariobecauseithelpsdevelopersbuild,run,andscalebackgroundjobsthathaveparallelorsequentialsteps.YoucanthinkofAmazonSWFasafully-managedstatetrackerandtaskcoordinatorintheCloud.

10. D.AmazonSQSdoesnotguaranteeinwhatorderyourmessageswillbedelivered.

11. A.MultiplequeuescansubscribetoanAmazonSNStopic,whichcanenableparallelasynchronousprocessing.

12. D.Longpollingallowsyourapplicationtopollthequeue,and,ifnothingisthere,AmazonElasticComputeCloud(AmazonEC2)waitsforanamountoftimeyouspecify(between1and20seconds).Ifamessagearrivesinthattime,itisdeliveredtoyourapplicationassoonaspossible.Ifamessagedoesnotarriveinthattime,youneedtoexecutetheReceiveMessagefunctionagain.

13. B.ThemaximumtimeforanAmazonSQSlongpollingtimeoutis20seconds.

14. D.ThelongestconfigurablemessageretentionperiodforAmazonSQSis14days.

15. B.ThedefaultmessageretentionperiodthatcanbesetinAmazonSQSisfourdays.

16. D.WithAmazonSNS,yousendindividualormultiplemessagestolargenumbersofrecipientsusingpublisherandsubscriberclienttypes.

17. B.Thedeciderschedulestheactivitytasksandprovidesinputdatatotheactivityworkers.Thedecideralsoprocesseseventsthatarrivewhiletheworkflowisinprogressandclosestheworkflowwhentheobjectivehasbeencompleted.

18. C.Topicnamesshouldtypicallybeavailableforreuseapproximately30–60secondsaftertheprevioustopicwiththesamenamehasbeendeleted.Theexacttimewilldependonthenumberofsubscriptionsactiveonthetopic;topicswithafewsubscriberswillbe

Page 504: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

availableinstantlyforreuse,whiletopicswithlargersubscriberlistsmaytakelonger.

19. C.ThemaindifferencebetweenAmazonSQSpoliciesandIAMpoliciesisthatanAmazonSQSpolicyenablesyoutograntadifferentAWSaccountpermissiontoyourAmazonSQSqueues,butanIAMpolicydoesnot.

20. C.No.Afteramessagehasbeensuccessfullypublishedtoatopic,itcannotberecalled.

Page 505: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

Chapter9:DomainNameSystem(DNS)andAmazonRoute531. C.AnAAAArecordisusedtoroutetraffictoanIPv6address,whereasanArecordisusedtoroutetraffictoanIPv4address.

2. B.Domainnamesareregisteredwithadomainregistrar,whichthenregistersthenametoInterNIC.

3. C.Youshouldrouteyourtrafficbasedonwhereyourendusersarelocated.Thebestroutingpolicytoachievethisisgeolocationrouting.

4. D.APTRrecordisusedtoresolveanIPaddresstoadomainname,anditiscommonlyreferredtoas“reverseDNS.”

5. B.Youwantyouruserstohavethefastestnetworkaccesspossible.Todothis,youwoulduselatency-basedrouting.Geolocationroutingwouldnotachievethisaswellaslatency-basedrouting,whichisspecificallygearedtowardmeasuringthelatencyandthuswoulddirectyoutotheAWSregioninwhichyouwouldhavethelowestlatency.

6. C.YouwoulduseMaileXchange(MX)recordstodefinewhichinbounddestinationmailservershouldbeused.

7. B.SPFrecordsareusedtoverifyauthorizedsendersofmailfromyourdomain.

8. B.Weightedroutingwouldbestachievethisobjectivebecauseitallowsyoutospecifywhichpercentageoftrafficisdirectedtoeachendpoint.

9. D.ThestartofazoneisdefinedbytheSOA;therefore,allzonesmusthaveanSOArecordbydefault.

10. D.Failover-basedroutingwouldbestachievethisobjective.

11. B.TheCNAMErecordmapsanametoanothername.Itshouldbeusedonlywhentherearenootherrecordsonthatname.

12. C.AmazonRoute53performsthreemainfunctions:domainregistration,DNSservice,andhealthchecking.

13. A.ATXTrecordisusedtostorearbitraryandunformattedtextwithahost.

14. C.Theresourcerecordsetscontainedinahostedzonemustsharethesamesuffix.

15. B.DNSusesportnumber53toserverequests.

16. D.DNSprimarilyusesUDPtoserverequests.

17. A.TheTCPprotocolisusedbyDNSserverwhentheresponsedatasizeexceeds512bytesorfortaskssuchaszonetransfers.

18. B.UsingAmazonRoute53,youcancreatetwotypesofhostedzones:publichostedzonesandprivatehostedzones.

19. D.AmazonRoute53canroutequeriestoavarietyofAWSresourcessuchasanAmazonCloudFrontdistribution,anElasticLoadBalancingloadbalancer,anAmazonEC2instance,awebsitehostedinanAmazonS3bucket,andanAmazonRelationalDatabase(AmazonRDS).

Page 506: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

20. D.YoumustfirsttransfertheexistingdomainregistrationfromanotherregistrartoAmazonRoute53toconfigureitasyourDNSservice.

Page 507: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

Chapter10:AmazonElastiCache1. A,B,C.Manytypesofobjectsaregoodcandidatestocachebecausetheyhavethepotentialtobeaccessedbynumeroususersrepeatedly.Eventhebalanceofabankaccountcouldbecachedforshortperiodsoftimeiftheback-enddatabasequeryisslowtorespond.

2. B,C.AmazonElastiCachesupportsMemcachedandRediscacheengines.MySQLisnotacacheengine,andCouchbaseisnotsupported.

3. C.Thedefaultlimitis20nodespercluster.

4. A.Redisclusterscanonlycontainasinglenode;however,youcangroupmultipleclusterstogetherintoareplicationgroup.

5. B,C.AmazonElastiCacheisApplicationProgrammingInterface(API)-compatiblewithexistingMemcachedclientsanddoesnotrequiretheapplicationtoberecompiledorlinkedagainstthelibraries.AmazonElastiCachemanagesthedeploymentoftheAmazonElastiCachebinaries.

6. B,C.AmazonElastiCachewiththeRedisengineallowsforbothmanualandautomaticsnapshots.Memcacheddoesnothaveabackupfunction.

7. B,C,D.LimitaccessatthenetworklevelusingsecuritygroupsornetworkACLs,andlimitinfrastructurechangesusingIAM.

8. C.AmazonElastiCachewithRedisprovidesnativefunctionsthatsimplifythedevelopmentofleaderboards.WithMemcached,itismoredifficulttosortandranklargedatasets.AmazonRedshiftandAmazonS3arenotdesignedforhighvolumesofsmallreadsandwrites,typicalofamobilegame.

9. A.WhentheclientsareconfiguredtouseAutoDiscovery,theycandiscovernewcachenodesastheyareaddedorremoved.AutoDiscoverymustbeconfiguredoneachclientandisnotactiveserverside.Updatingtheconfigurationfileeachtimewillbeverydifficulttomanage.UsinganElasticLoadBalancerisnotrecommendedforthisscenario.

10. A,B.AmazonElastiCachesupportsbothMemcachedandRedis.Youcanrunself-managedinstallationsofMembaseandCouchbaseusingAmazonElasticComputeCloud(AmazonEC2).

Page 508: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

Chapter11:AdditionalKeyServices1. B,C,E.AmazonCloudFrontcanuseanAmazonS3bucketoranyHTTPserver,whetherornotitisrunninginAmazonEC2.ARoute53HostedZoneisasetofDNSresourcerecords,whileanAutoScalingGrouplaunchesorterminatesAmazonEC2instancesautomatically.Neithercanbespecifiedasanoriginserverforadistribution.

2. A,C.ThesiteinAis“popular”andsupports“usersaroundtheworld,”keyindicatorsthatCloudFrontisappropriate.Similarly,thesiteinCis“heavilyused,”andrequiresprivatecontent,whichissupportedbyAmazonCloudFront.BothBandDarecorporateusecaseswheretherequestscomefromasinglegeographiclocationorappeartocomefromone(becauseoftheVPN).TheseusecaseswillgenerallynotseebenefitfromAmazonCloudFront.

3. C,E.Usingmultipleoriginsandsettingmultiplecachebehaviorsallowyoutoservestaticanddynamiccontentfromthesamedistribution.OriginAccessIdentifiersandsignedURLssupportservingprivatecontentfromAmazonCloudFront,whilemultipleedgelocationsaresimplyhowAmazonCloudFrontservesanycontent.

4. B.AmazonCloudFrontOAIisaspecialidentitythatcanbeusedtorestrictaccesstoanAmazonS3bucketonlytoanAmazonCloudFrontdistribution.SignedURLs,signedcookies,andIAMbucketpoliciescanhelptoprotectcontentservedthroughAmazonCloudFront,butOAIsarethesimplestwaytoensurethatonlyAmazonCloudFronthasaccesstoabucket.

5. C.AWSStorageGatewayallowsyoutoaccessdatainAmazonS3locally,withtheGateway-CachedvolumeconfigurationallowingyoutoexpandarelativelysmallamountoflocalstorageintoAmazonS3.

6. B.SimpleADisaMicrosoftActiveDirectory-compatibledirectorythatispoweredbySamba4.SimpleADsupportscommonlyusedActiveDirectoryfeaturessuchasuseraccounts,groupmemberships,domain-joiningAmazonElasticComputeCloud(AmazonEC2)instancesrunningLinuxandMicrosoftWindows,Kerberos-basedSingleSign-On(SSO),andgrouppolicies.

7. C.AWSKMSCMKsarethefundamentalresourcesthatAWSKMSmanages.CMKscanneverleaveAWSKMSunencrypted,butdatakeyscan.

8. D.AWSKMSusesenvelopeencryptiontoprotectdata.AWSKMScreatesadatakey,encryptsitunderaCustomerMasterKey(CMK),andreturnsplaintextandencryptedversionsofthedatakeytoyou.Youusetheplaintextkeytoencryptdataandstoretheencryptedkeyalongsidetheencrypteddata.Youcanretrieveaplaintextdatakeyonlyifyouhavetheencrypteddatakeyandyouhavepermissiontousethecorrespondingmasterkey.

9. A.AWSCloudTrailrecordsimportantinformationabouteachAPIcall,includingthenameoftheAPI,theidentityofthecaller,thetimeoftheAPIcall,therequestparameters,andtheresponseelementsreturnedbytheAWSCloudservice.

10. B,C.Encryptioncontextisasetofkey/valuepairsthatyoucanpasstoAWSKMSwhenyoucalltheEncrypt,Decrypt,ReEncrypt,GenerateDataKey,and

Page 509: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

GenerateDataKeyWithoutPlaintextAPIs.Althoughtheencryptioncontextisnotincludedintheciphertext,itiscryptographicallyboundtotheciphertextduringencryptionandmustbepassedagainwhenyoucalltheDecrypt(orReEncrypt)API.InvalidciphertextfordecryptionisplaintextthathasbeenencryptedinadifferentAWSaccountorciphertextthathasbeenalteredsinceitwasoriginallyencrypted.

11. B.BecausetheInternetconnectionisfull,thebestsolutionwillbebasedonusingAWSImport/Exporttoshipthedata.Themostappropriatestoragelocationfordatathatmustbestored,butisveryrarelyaccessed,isAmazonGlacier.

12. C.Becausethejobisrunmonthly,apersistentclusterwillincurunnecessarycomputecostsduringtherestofthemonth.AmazonKinesisisnotappropriatebecausethecompanyisrunninganalyticsasabatchjobandnotonastream.Asinglelargeinstancedoesnotscaleouttoaccommodatethelargecomputeneeds.

13. D.TheAmazonKinesisservicesenableyoutoworkwithlargedatastreams.WithintheAmazonKinesisfamilyofservices,AmazonKinesisFirehosesavesstreamstoAWSstorageservices,whileAmazonKinesisStreamsprovidetheabilitytoprocessthedatainthestream.

14. C.AmazonDataPipelineallowsyoutorunregularExtract,Transform,Load(ETL)jobsonAmazonandon-premisesdatasources.ThebeststorageforlargedataisAmazonS3,andAmazonRedshiftisalarge-scaledatawarehouseservice.

15. B.AmazonKinesisFirehoseallowsyoutoingestmassivestreamsofdataandstorethedataonAmazonS3(aswellasAmazonRedshiftandAmazonElasticsearch).

16. C.AWSOpsWorksusesChefrecipestostartnewappserverinstances,configureapplicationserversoftware,anddeployapplications.OrganizationscanleverageChefrecipestoautomateoperationslikesoftwareconfigurations,packageinstallations,databasesetups,serverscaling,andcodedeployment.

17. A.WithAWSCloudFormation,youcanreuseyourtemplatetosetupyourresourcesconsistentlyandrepeatedly.Justdescribeyourresourcesonceandthenprovisionthesameresourcesoverandoverinmultiplestacks.

18. B.AWSTrustedAdvisorinspectsyourAWSenvironmentandmakesrecommendationswhenopportunitiesexisttosavemoney,improvesystemavailabilityandperformance,orhelpclosesecuritygaps.AWSTrustedAdvisordrawsuponbestpracticeslearnedfromtheaggregatedoperationalhistoryofservinghundredsofthousandsofAWScustomers.

19. A.AWSConfigisafullymanagedservicethatprovidesyouwithanAWSresourceinventory,configurationhistory,andconfigurationchangenotificationstoenablesecurityandgovernance.WithAWSConfig,youcandiscoverexistinganddeletedAWSresources,determineyouroverallcomplianceagainstrules,anddiveintoconfigurationdetailsofaresourceatanypointintime.Thesecapabilitiesenablecomplianceauditing.

20. D.AWSElasticBeanstalkisthefastestandsimplestwaytogetanapplicationupandrunningonAWS.Developerscansimplyuploadtheirapplicationcode,andtheserviceautomaticallyhandlesallthedetailssuchasresourceprovisioning,loadbalancing,AutoScaling,andmonitoring.

Page 510: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

Chapter12:SecurityonAWS1. B.Alldecommissionedmagneticstoragedevicesaredegaussedandphysicallydestroyedinaccordancewithindustry-standardpractices.

2. C.Theadministratorpasswordisencryptedwiththepublickeyofthekeypair,andyouprovidetheprivatekeytodecryptthepassword.Thenlogintotheinstanceastheadministratorwiththedecryptedpassword.

3. C.Bydefault,networkaccessisturnedofftoaDBInstance.YoucanspecifyrulesinasecuritygroupthatallowsaccessfromanIPaddressrange,port,orAmazonElasticComputeCloud(AmazonEC2)securitygroup.

4. A.AmazonS3SSEusesoneofthestrongestblockciphersavailable,256-bitAES.

5. C.IAMpermitsuserstohavenomorethantwoactiveaccesskeysatonetime.

6. B.ThesharedresponsibilitymodelisthenameofthemodelemployedbyAWSwithitscustomers.

7. D.WhenyouchooseAWSKMSforkeymanagementwithAmazonRedshift,thereisafour-tierhierarchyofencryptionkeys.Thesekeysarethemasterkey,aclusterkey,adatabasekey,anddataencryptionkeys.

8. D.ElasticLoadBalancingsupportstheServerOrderPreferenceoptionfornegotiatingconnectionsbetweenaclientandaloadbalancer.DuringtheSSLconnectionnegotiationprocess,theclientandtheloadbalancerpresentalistofciphersandprotocolsthattheyeachsupport,inorderofpreference.Bydefault,thefirstcipherontheclient’slistthatmatchesanyoneoftheloadbalancer’sciphersisselectedfortheSSLconnection.IftheloadbalancerisconfiguredtosupportServerOrderPreference,thentheloadbalancerselectsthefirstcipherinitslistthatisintheclient’slistofciphers.ThisensuresthattheloadbalancerdetermineswhichcipherisusedforSSLconnection.IfyoudonotenableServerOrderPreference,theorderofcipherspresentedbytheclientisusedtonegotiateconnectionsbetweentheclientandtheloadbalancer.

9. C.AmazonWorkSpacesusesPCoIP,whichprovidesaninteractivevideostreamwithouttransmittingactualdata.

10. C.DistributingapplicationsacrossmultipleAvailabilityZonesprovidestheabilitytoremainresilientinthefaceofmostfailuremodes,includingnaturaldisastersorsystemfailures.

11. A.AvirtualMFAdeviceusesasoftwareapplicationthatgeneratessix-digitauthenticationcodesthatarecompatiblewiththeTOTPstandard,asdescribedinRFC6238.

12. B,D.AmazonDynamoDBdoesnothaveaserver-sidefeaturetoencryptitemswithinatable.YouneedtouseasolutionoutsideofDynamoDBsuchasaclient-sidelibrarytoencryptitemsbeforestoringthem,orakeymanagementservicelikeAWSKeyManagementServicetomanagekeysthatareusedtoencryptitemsbeforestoringtheminDynamoDB.

Page 511: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

13. B.Ifyourprivatekeycanbereadorwrittentobyanyonebutyou,thenSSHignoresyourkey.

14. D.AmazonCognitoIdentitysupportspublicidentityproviders—Amazon,Facebook,andGoogle—aswellasunauthenticatedidentities.

15. A.AninstanceprofileisacontainerforanIAMrolethatyoucanusetopassroleinformationtoanAmazonEC2instancewhentheinstancestarts.

16. B.AnetworkACLisanoptionallayerofsecurityforyourAmazonVPCthatactsasafirewallforcontrollingtrafficinandoutofoneormoresubnets.YoumightsetupnetworkACLswithrulessimilartoyoursecuritygroupsinordertoaddanadditionallayerofsecuritytoyourAmazonVPC.

17. D.TheSignatureVersion4signingprocessdescribeshowtoaddauthenticationinformationtoAWSrequests.Forsecurity,mostrequeststoAWSmustbesignedwithanaccesskey(AccessKeyID[AKI]andSecretAccessKey[SAK]).IfyouusetheAWSCommandLineInterface(AWSCLI)oroneoftheAWSSoftwareDevelopmentKits(SDKs),thosetoolsautomaticallysignrequestsforyoubasedoncredentialsthatyouspecifywhenyouconfigurethetools.However,ifyoumakedirectHTTPorHTTPScallstoAWS,youmustsigntherequestsyourself.

18. B.Dedicatedinstancesarephysicallyisolatedatthehosthardwarelevelfromyourinstancesthataren’tdedicatedinstancesandfrominstancesthatbelongtootherAWSaccounts.

19. C.AmazonEMRstartsyourinstancesintwoAmazonElasticComputeCloud(AmazonEC2)securitygroups,oneforthemasterandanotherfortheslaves.Themastersecuritygrouphasaportopenforcommunicationwiththeservice.ItalsohastheSSHportopentoallowyoutosecurelyconnecttotheinstancesviaSSHusingthekeyspecifiedatstartup.Theslavesstartinaseparatesecuritygroup,whichonlyallowsinteractionwiththemasterinstance.Bydefault,bothsecuritygroupsaresetuptopreventaccessfromexternalsources,includingAmazonEC2instancesbelongingtoothercustomers.Becausethesearesecuritygroupsinyouraccount,youcanreconfigurethemusingthestandardAmazonEC2toolsordashboard.

20. A.WhenyoucreateanAmazonEBSvolumeinanAvailabilityZone,itisautomaticallyreplicatedwithinthatAvailabilityZonetopreventdatalossduetofailureofanysinglehardwarecomponent.AnEBSSnapshotcreatesacopyofanEBSvolumetoAmazonS3sothatcopiesofthevolumecanresideindifferentAvailabilityZoneswithinaregion.

Page 512: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

Chapter13:AWSRiskandCompliance1. A,B,C.AnswersAthroughCdescribevalidmechanismsthatAWSusestocommunicatewithcustomersregardingitssecurityandcontrolenvironment.AWSdoesnotallowcustomers’auditorsdirectaccesstoAWSdatacenters,infrastructure,orstaff.

2. C.ThesharedresponsibilitymodelcanincludeITcontrols,anditisnotjustlimitedtosecurityconsiderations.Therefore,answerCiscorrect.

3. A.AWSprovidesITcontrolinformationtocustomersthrougheitherspecificcontroldefinitionsorgeneralcontrolstandardcompliance.

4. A,B,D.ThereisnosuchthingasaSOC4report,thereforeanswerCisincorrect.

5. A.ITgovernanceisstillthecustomer’sresponsibility.

6. D.AnynumberofcomponentsofaworkloadcanbemovedintoAWS,butitisthecustomer’sresponsibilitytoensurethattheentireworkloadremainscompliantwithvariouscertificationsandthird-partyattestations.

7. B.AnAvailabilityZoneconsistsofmultiplediscretedatacenters,eachwiththeirownredundantpowerandnetworking/connectivity,thereforeanswerBiscorrect.

8. A,C.AWSregularlyscanspublic-facing,non-customerendpointIPaddressesandnotifiesappropriateparties.AWSdoesnotscancustomerinstances,andcustomersmustrequesttheabilitytoperformtheirownscansinadvance,thereforeanswersAandCarecorrect.

9. B.AWSpublishesinformationpubliclyonlineanddirectlytocustomersunderNDA,butcustomersarenotrequiredtosharetheiruseandconfigurationinformationwithAWS,thereforeanswerBiscorrect.

10. C.AWShasdevelopedastrategicbusinessplan,andcustomersshouldalsodevelopandmaintaintheirownriskmanagementplans,thereforeanswerCiscorrect.

11. B.Thecollectivecontrolenvironmentincludespeople,processes,andtechnologynecessarytoestablishandmaintainanenvironmentthatsupportstheoperatingeffectivenessofAWScontrolframework.Energyisnotadiscretelyidentifiedpartofthecontrolenvironment,thereforeBisthecorrectanswer.

12. D.Customersareresponsibleforensuringalloftheirsecuritygroupconfigurationsareappropriatefortheirownapplications,thereforeanswerDiscorrect.

13. C.Customersshouldensurethattheyimplementcontrolobjectivesthataredesignedtomeettheirorganization’sownuniquecompliancerequirements,thereforeanswerCiscorrect.

Page 513: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

Chapter14:ArchitectureBestPractices1. B,E.AmazonKinesisisaplatformforstreamingdataonAWS,offeringpowerfulservicestomakeiteasytoloadandanalyzestreamingdata.AmazonSQSisafast,reliable,scalable,andfullymanagedmessagequeuingservice.AmazonSQSmakesitsimpleandcost-effectivetodecouplethecomponentsofacloudapplication.

2. B,C.LaunchinginstancesacrossmultipleAvailabilityZoneshelpsensuretheapplicationisisolatedfromfailuresinasingleAvailabilityZone,allowingtheapplicationtoachievehigheravailability.WhetheryouarerunningoneAmazonEC2instanceorthousands,youcanuseAutoScalingtodetectimpairedAmazonEC2instancesandunhealthyapplicationsandreplacetheinstanceswithoutyourintervention.Thisensuresthatyourapplicationisgettingthecomputecapacitythatyouexpect,therebymaintainingyouravailability.

3. A,E.AmazonDynamoDBrunsacrossAWSproven,high-availabilitydatacenters.TheservicereplicatesdataacrossthreefacilitiesinanAWSregiontoprovidefaulttoleranceintheeventofaserverfailureorAvailabilityZoneoutage.AmazonS3providesdurableinfrastructuretostoreimportantdataandisdesignedfordurabilityof99.999999999%ofobjects.Yourdataisredundantlystoredacrossmultiplefacilitiesandmultipledevicesineachfacility.WhileElasticLoadBalancingandAmazonElastiCachecanbedeployedacrossmultipleAvailabilityZones,youmustexplicitlytakesuchstepswhencreatingthem.

4. A,D.AutoScalingenablesyoutofollowthedemandcurveforyourapplicationsclosely,reducingtheneedtoprovisionAmazonEC2capacitymanuallyinadvance.Forexample,youcansetaconditiontoaddnewAmazonEC2instancesinincrementstotheAutoScalinggroupwhentheaverageCPUandnetworkutilizationofyourAmazonEC2fleetmonitoredinAmazonCloudWatchishigh;similarly,youcansetaconditiontoremoveinstancesinthesameincrementswhenCPUandnetworkutilizationarelow.

5. B,D,E.Thereisnodirectwaytoencryptanexistingunencryptedvolume.However,youcanmigratedatabetweenencryptedandunencryptedvolumes.

6. A,C,D.TheattacksurfaceiscomposedofthedifferentInternetentrypointsthatallowaccesstoyourapplication.Thestrategytominimizetheattacksurfaceareaisto(a)reducethenumberofnecessaryInternetentrypoints,(b)eliminatenon-criticalInternetentrypoints,(c)separateendusertrafficfrommanagementtraffic,(d)obfuscatenecessaryInternetentrypointstothelevelthatuntrustedenduserscannotaccessthem,and(e)decoupleInternetentrypointstominimizetheeffectsofattacks.ThisstrategycanbeaccomplishedwithAmazonVPC.

7. C.AmazonRDSreadreplicasprovideenhancedperformanceanddurabilityforAmazonRDSinstances.ThisreplicationfeaturemakesiteasytoscaleoutelasticallybeyondthecapacityconstraintsofasingleAmazonRDSinstanceforread-heavydatabaseworkloads.YoucancreateoneormorereplicasofagivensourceAmazonRDSinstanceandservehigh-volumeapplicationreadtrafficfrommultiplecopiesofyourdata,therebyincreasingaggregatereadthroughput.

8. A.AnaliasresourcerecordsetcanpointtoanELB.YoucannotcreateaCNAMErecord

Page 514: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

atthetopnodeofaDomainNameService(DNS)namespace,alsoknownasthezoneapex,asthecaseinthisexample.AliasresourcerecordsetscansaveyoutimebecauseAmazonRoute53automaticallyrecognizeschangesintheresourcerecordsetstowhichthealiasresourcerecordsetrefers.

9. D.AninstanceprofileisacontainerforanAWSIdentityandAccessManagement(IAM)rolethatyoucanusetopassroleinformationtoanAmazonEC2instancewhentheinstancestarts.TheIAMroleshouldhaveapolicyattachedthatonlyallowsaccesstotheAWSCloudservicesnecessarytoperformitsfunction.

10. B.AmazonAPIGatewayisafullymanagedservicethatmakesiteasyfordeveloperstopublish,maintain,monitor,andsecureAPIsatanyscale.YoucancreateanAPIthatactsasa“frontdoor”forapplicationstoaccessdata,businesslogic,orfunctionalityfromyourcoderunningonAWSLambda.AmazonAPIGatewayhandlesallofthetasksinvolvedinacceptingandprocessinguptohundredsofthousandsofconcurrentAPIcalls,includingtrafficmanagement,authorizationandaccesscontrol,monitoring,andAPIversionmanagement.

11. C.AmazonEFSisafilestorageserviceforAmazonEC2instances.MultipleAmazonEC2instancescanaccessanAmazonEFSfilesystematthesametime,providingacommondatasourceforthecontentoftheWordPresssiterunningonmorethanoneinstance.

12. A.AmazonDynamoDBisaNoSQLdatabasestorethatisagreatchoiceasanalternativeduetoitsscalability,high-availability,anddurabilitycharacteristics.Manyplatformsprovideopen-source,drop-inreplacementlibrariesthatallowyoutostorenativesessionsinAmazonDynamoDB.AmazonDynamoDBisagreatcandidateforasessionstoragesolutioninashare-nothing,distributedarchitecture.

13. B.AmazonSQSisafast,reliable,scalable,andfullymanagedmessagequeuingservice.AmazonSQSshouldbeusedtodecouplethelargevolumeofinboundtransactions,allowingtheback-endservicestomanagethelevelofthroughputwithoutlosingmessages.

14. B,C,E.YoushouldprotectAWSuseraccesskeyslikeyouwouldyourcreditcardnumbersoranyothersensitivesecret.Usedifferentaccesskeysfordifferentapplicationssothatyoucanisolatethepermissionsandrevoketheaccesskeysforindividualapplicationsifanaccesskeyisexposed.Remembertochangeaccesskeysonaregularbasis.Forincreasedsecurity,itisrecommendedtoconfigureMFAforanysensitiveoperations.RemembertoremoveanyIAMusersthatarenolongerneededsothattheuser’saccesstoyourresourcesisremoved.Alwaysavoidhavingtoembedaccesskeysinanapplication.

15. A,B,E.YoucanenableAWSCloudTrailinyourAWSaccounttogetlogsofAPIcallsandrelatedevents’historyinyouraccount.AWSCloudTrailrecordsalloftheAPIaccesseventsasobjectsinanAmazonS3bucketthatyouspecifyatthetimeyouenableAWSCloudTrail.YoucantakeadvantageofAmazonS3’sbucketnotificationfeaturebydirectingAmazonS3topublishobject-createdeventstoAWSLambda.WheneverAWSCloudTrailwriteslogstoyourAmazonS3bucket,AmazonS3cantheninvokeyourAWSLambdafunctionbypassingtheAmazonS3object-createdeventasaparameter.TheAWSLambdafunctioncodecanreadthelogobjectandprocesstheaccessrecordsloggedbyAWSCloudTrail.

Page 515: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

16. B.AmazonGlacierenablesbusinessesandorganizationstoretaindataformonths,years,ordecades,easilyandcosteffectively.WithAmazonGlacier,customerscanretainmoreoftheirdataforfutureanalysisorreference,andtheycanfocusontheirbusinessinsteadofoperatingandmaintainingtheirstorageinfrastructure.CustomerscanalsouseAmazonGlacierVaultLocktomeetregulatoryandcompliancearchivingrequirements.

17. A.ManycompaniesthatdistributecontentviatheInternetwanttorestrictaccesstodocuments,businessdata,mediastreams,orcontentthatisintendedforselectedusers,suchasuserswhohavepaidafee.ToservethisprivatecontentsecurelyusingAmazonCloudFront,youcanrequirethatusersaccessyourprivatecontentbyusingspecialAmazonCloudFront-signedURLsorsignedcookies.

18. B.AmazonS3provideshighlydurableandavailablestorageforavarietyofcontent.AmazonS3canbeusedasabigdataobjectstoreforallofthevideos.AmazonS3’slowcostcombinedwithitsdesignfordurabilityof99.999999999%andforupto99.99%availabilitymakeitagreatstoragechoicefortranscodingservices.

19. A.AnAvailabilityZoneconsistsofoneormorephysicaldatacenters.Availabilityzoneswithinaregionprovideinexpensive,low-latencynetworkconnectivitytootherzonesinthesameregion.Thisallowsyoutodistributeyourapplicationacrossdatacenters.Intheeventofacatastrophicfailureinadatacenter,theapplicationwillcontinuetohandlerequests.

20. C.YoucanuseaNATgatewaytoenableinstancesinaprivatesubnettoconnecttotheInternetorotherAWSservices,butpreventtheInternetfrominitiatingaconnectionwiththoseinstances.IfyouhaveresourcesinmultipleAvailabilityZonesandtheyshareoneNATgateway,resourcesintheotherAvailabilityZonesloseInternetaccessintheeventthattheNATgateway’sAvailabilityZoneisdown.TocreateanAvailabilityZone-independentarchitecture,createaNATgatewayineachAvailabilityZoneandconfigureyourroutingtoensurethatresourcesusetheNATgatewayinthesameAvailabilityZone.

Page 516: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

ComprehensiveOnlineLearningEnvironmentRegisteronSybex.comtogainaccesstothecomprehensiveonlineinteractivelearning

environmentandtestbanktohelpyoustudyforyourAWSCertifiedSolutionsArchitect-Associateexam.

Theonlinetestbankincludes:

AssessmentTesttohelpyoufocusyourstudytospecificobjectives

ChapterTeststoreinforcewhatyou'velearned

PracticeExamstotestyourknowledgeofthematerial

DigitalFlashcardstoreinforceyourlearningandprovidelast-minutetestprepbeforetheexam

SearchableGlossarytodefinethekeytermsyou'llneedtoknowfortheexam

Gotohttp://www.wiley.com/go/sybextestpreptoregisterandgainaccesstothiscomprehensivestudytoolpackage.

Page 517: Certified Solutions Architect Official - WordPress.com · Certified Solutions Architect Official Study Guide: Associate Exam. First, thanks to all our families who put up with us

WILEYENDUSERLICENSEAGREEMENTGotowww.wiley.com/go/eulatoaccessWiley’sebookEULA.